Closed. ee7 closed this 3 weeks ago.

As of https://github.com/crashappsec/libcon4m/commit/f7752b2e004d46be14864341a21f3e43a0fac92c, a reduction:

```
$ cat tests/foo.c4m
"""
Test of initializing a list after a variable, then printing both.
"""
"""
$output:
1
[2]
"""
x = 1
l = [2]
print(x)
print(l)
```
prints an incorrect value of x:

```
$ ./debug/c4test tests/foo.c4m
[...]
FAIL: test foo.c4m: output mismatch.
Expected output
1
[2]
Actual
120304245453328
[2]
```
and initializing l before x:

```
l = [2]
x = 1
print(l)
```

produces a segfault:

```
(gdb) bt
#0 0x0000000100084737 in c4m_get_my_type (user_object=0x1) at ../include/con4m/type.h:144
#1 0x0000000100086089 in _c4m_print (first=0x1) at ../src/con4m/streams.c:652
#2 0x000000010009d617 in c4m_vm_runloop (tstate_arg=0x7fffd879fba0) at ../src/con4m/vm.c:1353
#3 0x000000010009e714 in c4m_vmthread_run (tstate=0x7fffd879fba0) at ../src/con4m/vm.c:1641
#4 0x0000000100013163 in test_compiler (fname=0x7fffd78d7a60, kat=0x7fffd7a5efc0) at ../src/tests/test.c:452
#5 0x0000000100013409 in main (argc=2, argv=0x7fffffffe6a8, envp=0x7fffffffe6c0) at ../src/tests/test.c:501
(gdb) x/i $pc
=> 0x100084737 <c4m_get_my_type+32>: mov 0x8(%rax),%rax
(gdb) i r rax
rax            0xffffffffffffffe1 -31
```

```
Invalid read of size 8
Address 0xffffffffffffffe9 is not stack'd, malloc'd or (recently) free'd
Process terminating with default action of signal 11 (SIGSEGV): dumping core
Access not within mapped region at address 0xFFFFFFFFFFFFFFE9
```
With ASan:

```
../include/con4m/object.h:8:12: runtime error: pointer index expression with base 0x000000000005 overflowed to 0xffffffffffffffe5
../include/con4m/type.h:144:15: runtime error: member access within misaligned address 0xffffffffffffffe5 for type 'struct c4m_base_obj_t', which requires 16 byte alignment
```
I can confirm that switching to clang 17.0.6 makes `c4test basic11.c4m` pass on my machine.
But with UBSan:

```
../src/con4m/object.c:502:13: runtime error: call to function c4m_sha_init through pointer to incorrect function type 'void (*)(void **, struct __va_list_tag *)'
/foo/libcon4m/debug/../src/con4m/crypto/sha.c:30: note: c4m_sha_init defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/object.c:502:13 in
../src/con4m/format.c:387:29: runtime error: call to function c4m_string_format through pointer to incorrect function type 'struct c4m_str_t *(*)(void *, struct c4m_fmt_spec_t *)'
/foo/libcon4m/debug/../src/con4m/string.c:1309: note: c4m_string_format defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/format.c:387:29 in
../src/con4m/object.c:590:12: runtime error: call to function c4m_str_to_str through pointer to incorrect function type 'struct c4m_str_t *(*)(void *)'
/foo/libcon4m/debug/../src/con4m/string.c:1201: note: c4m_str_to_str defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/object.c:590:12 in
info: Compiling: /foo/libcon4m/tests/basic11.c4m
../src/con4m/object.c:930:12: runtime error: call to function to_list_lit through pointer to incorrect function type 'void *(*)(struct c4m_type_t *, c4m_xlist_t *, struct c4m_str_t *)'
/foo/libcon4m/debug/../src/con4m/lists.c:359: note: to_list_lit defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/object.c:930:12 in
info: Done processing: /foo/libcon4m/tests/basic11.c4m
../src/con4m/marshal.c:267:5: runtime error: call to function c4m_string_marshal through pointer to incorrect function type 'void (*)(void *, c4m_stream_t *, struct hatrack_dict_t *, long *)'
/foo/libcon4m/debug/../src/con4m/string.c:1126: note: c4m_string_marshal defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/marshal.c:267:5 in
../src/con4m/object.c:690:12: runtime error: call to function c4m_xlist_len through pointer to incorrect function type 'long (*)(void *)'
/foo/libcon4m/debug/../src/con4m/xlist.c:185: note: c4m_xlist_len defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/object.c:690:12 in
../src/con4m/tree_pattern.c:292:12: runtime error: call to function tcmp through pointer to incorrect function type 'bool (*)(void *, void *)'
/foo/libcon4m/debug/../src/con4m/compiler/ast_utils.c:6: note: tcmp defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/tree_pattern.c:292:12 in
../src/con4m/marshal.c:349:5: runtime error: call to function c4m_string_unmarshal through pointer to incorrect function type 'void (*)(void *, c4m_stream_t *, struct hatrack_dict_t *)'
/foo/libcon4m/debug/../src/con4m/string.c:1148: note: c4m_string_unmarshal defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/marshal.c:349:5 in
****STARTING PROGRAM EXECUTION*****
../src/con4m/object.c:602:12: runtime error: call to function list_copy through pointer to incorrect function type 'void *(*)(void *)'
/foo/libcon4m/debug/../src/con4m/lists.c:171: note: list_copy defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/object.c:602:12 in
../src/con4m/object.c:718:5: runtime error: call to function list_set through pointer to incorrect function type 'void (*)(void *, void *, void *)'
/foo/libcon4m/debug/../src/con4m/lists.c:226: note: list_set defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/object.c:718:5 in
../src/con4m/object.c:704:12: runtime error: call to function list_get through pointer to incorrect function type 'void *(*)(void *, void *)'
/foo/libcon4m/debug/../src/con4m/lists.c:191: note: list_get defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/object.c:704:12 in
../src/con4m/object.c:539:12: runtime error: call to function signed_repr through pointer to incorrect function type 'struct c4m_str_t *(*)(void *)'
/foo/libcon4m/debug/../src/con4m/numbers.c:22: note: signed_repr defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/object.c:539:12 in
5
[0, 1, 5, 3, 4, 5]
****PROGRAM EXECUTION FINISHED*****
../src/con4m/box.c:40:12: runtime error: call to function u64_fmt through pointer to incorrect function type 'struct c4m_str_t *(*)(void *, struct c4m_fmt_spec_t *)'
/foo/libcon4m/debug/../src/con4m/numbers.c:690: note: u64_fmt defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/con4m/box.c:40:12 in
Passed 1 out of 1 run tests.
```
Related to the previous issue, https://github.com/crashappsec/libcon4m/issues/37.
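Every UBSan report in the run above is the same class of defect: a function with one signature is stored in a slot declared with another (typically a generic `void *` form) and then called through that pointer, which C leaves undefined even where the platform ABI happens to make it work. The following is an added example written for this page, not libcon4m code; `toy_list`, `len_fn` and all functions in it are hypothetical. It puts the flagged pattern beside the wrapper form, in which the pointer's type matches the callee's exactly.

```c
/* Added example, not libcon4m code.  All names are hypothetical.
 * Demonstrates the defect class behind UBSan's
 * "call to function ... through pointer to incorrect function type". */
#include <stddef.h>
#include <stdio.h>

/* A generic "vtable" slot type, as an object system might declare it. */
typedef long (*len_fn)(void *obj);

/* A concrete type whose length function carries its real signature. */
typedef struct {
    size_t n;
    long   items[8];
} toy_list;

static long toy_list_len(toy_list *l)
{
    return (long)l->n;
}

/* Wrapper whose type is exactly len_fn.  Calling through a len_fn that
 * points here is well-defined: pointer type and callee type agree
 * (C11 6.3.2.3p8). */
static long toy_list_len_wrapper(void *obj)
{
    return toy_list_len((toy_list *)obj);
}

/* The flagged pattern: cast the concrete function to the slot type and
 * call it.  On x86-64 and arm64 the argument is passed the same way, so
 * the call usually "works" (the test program above still printed 5),
 * but it is undefined behaviour and UBSan's -fsanitize=function reports it. */
static long call_via_mismatched_slot(toy_list *l)
{
    len_fn slot = (len_fn)toy_list_len;  /* incompatible function pointer cast */
    return slot(l);
}

/* The conforming form: the slot holds a function of the slot's own type. */
static long call_via_wrapper(toy_list *l)
{
    len_fn slot = toy_list_len_wrapper;  /* no cast needed; types match */
    return slot(l);
}

/* Constructed sample input. */
static toy_list sample_list(void)
{
    toy_list l = { 3, { 10, 20, 30 } };
    return l;
}

int main(void)
{
    toy_list l = sample_list();
    printf("via wrapper:         %ld\n", call_via_wrapper(&l));
    printf("via mismatched slot: %ld\n", call_via_mismatched_slot(&l));
    return 0;
}
```

Built with `clang -fsanitize=undefined` (clang 17 and later include the `-fsanitize=function` check for C in that group, which is consistent with the reports appearing once the toolchain was switched to clang 17.0.6), the `call_via_mismatched_slot` path produces a report of the same shape as those above, while `call_via_wrapper` is silent. The fix that this models is mechanical: give every slot a function whose declared type is the slot type, and do the cast on the argument inside that function rather than on the function itself.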
With:

If we fetch the latest libcon4m commit on main (https://github.com/crashappsec/libcon4m/commit/833300442d95e6ca7b49104417873c0c671caa00), run `./dev debug`, then run `c4test` with `basic11.c4m` (https://github.com/crashappsec/libcon4m/blob/833300442d95e6ca7b49104417873c0c671caa00/tests/basic11.c4m#L1-L14), we see a segfault.

The stack trace:

`c4m_get_my_type()` in `type.h` is: https://github.com/crashappsec/libcon4m/blob/833300442d95e6ca7b49104417873c0c671caa00/include/con4m/type.h#L159-L165
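In the backtrace above, `_c4m_print` receives `first=0x1`, the raw integer rather than an object, and `c4m_get_my_type` then computes a header address below it (`rax` is `0xffffffffffffffe1`, i.e. `0x1 - 0x20`) and loads a pointer from offset 8 of that header (`mov 0x8(%rax),%rax`), which faults. The following is an added example, not libcon4m code: it assumes, from those values only, a 32-byte header placed immediately before each object's user pointer with a type pointer at offset 8, and shows a header lookup that refuses values which cannot be one of its own objects instead of dereferencing them. `toy_header`, `toy_alloc` and the other names are hypothetical.

```c
/* Added example, not libcon4m code.  The layout below is an assumption
 * inferred from the gdb output (header 32 bytes before the user pointer,
 * type pointer at header offset 8); all names are hypothetical. */
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    const char *name;
} toy_type;

typedef struct {
    uint64_t  flags;    /* offset 0  */
    toy_type *type;     /* offset 8: what `mov 0x8(%rax),%rax` was loading */
    uint64_t  pad[2];   /* bring the header to 32 bytes */
} toy_header;

/* A small arena, so the checked lookup can tell its objects from stray values. */
static alignas(16) unsigned char arena[4096];
static size_t arena_used;

/* Allocate header + payload; return the user pointer just past the header. */
static void *toy_alloc(toy_type *t, size_t payload)
{
    size_t total = sizeof(toy_header) + ((payload + 15) & ~(size_t)15);
    if (arena_used + total > sizeof arena)
        return NULL;
    toy_header *h = (toy_header *)(arena + arena_used);
    arena_used += total;
    memset(h, 0, sizeof *h);
    h->type = t;
    return (unsigned char *)h + sizeof *h;
}

/* The address the unchecked lookup would form, computed as an integer so
 * the arithmetic itself is defined.  For user == (void *)1 this yields
 * 0xffffffffffffffe1, the rax value in the backtrace. */
static uint64_t header_address(void *user)
{
    return (uint64_t)(uintptr_t)user - (uint64_t)sizeof(toy_header);
}

/* Unchecked lookup, the shape of the crashing path: trusts its argument. */
static toy_header *header_unchecked(void *user)
{
    return (toy_header *)user - 1;
}

/* Checked lookup: only dereference if the value is aligned and lies inside
 * the region of user pointers this arena has actually handed out. */
static toy_header *header_checked(void *user)
{
    uintptr_t p  = (uintptr_t)user;
    uintptr_t lo = (uintptr_t)arena + sizeof(toy_header);
    uintptr_t hi = (uintptr_t)arena + arena_used;
    if (p % 16 != 0 || p < lo || p >= hi)
        return NULL;
    return header_unchecked(user);
}

/* Type name of an object, or NULL when the argument is not one of ours
 * (e.g. an unboxed integer that reached a print routine). */
static const char *type_name_of(void *user)
{
    toy_header *h = header_checked(user);
    return h ? h->type->name : NULL;
}

int main(void)
{
    toy_type list_type = { "list" };
    void *obj = toy_alloc(&list_type, 16);        /* constructed object */
    printf("real object: %s\n", type_name_of(obj));
    printf("raw integer 1: %s (header would be at 0x%016llx)\n",
           type_name_of((void *)1) ? "object" : "rejected",
           (unsigned long long)header_address((void *)1));
    return 0;
}
```

The check is a cheap guard at the boundary where a generic routine first trusts its argument; it converts a wild read into a reportable error. It does not replace the underlying fix, which is to ensure the VM hands `print` a boxed object rather than the bare integer, but it is the kind of assertion that turns the segfault above into a clear diagnostic during testing.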