Closed 5225225 closed 2 years ago
ah dang, this is a really good find, thank you. your assessment is correct, unfortunately "mask registers" above 24 be totally arbitrary. 0-7 are correct and get names k0-k7
, 8-15 are buggy and would get names eip
or BUG
, 16-23 are the same but for eflags
, and 24+ is where things go off the rails.
the bound for fn mask(num: u8)
should be 8 for 32- and 16-bit modes, but instead it's a copy-paste error. sigh.
thankfully, x86 doesn't have mask registers above k7
so (barring another bug) this is only reachable by users creating bogus mask registers. given that this was once correct, and eventually became incorrect through refactors, i added some tests that these helpers panic for invalid register numbers as they should. that also caught that the 64-bit RegSpec::rb
helper had an incorrect limit (18 instead of 16...?) so that's fixed too. in that case it would just display as cr0
or cr1
. they wouldn't compare equal to the control registers same as how the invalid mask registers won't make for invalid logic working with other mask registers - except for the Display
impl.
as for get_unchecked
, it's pretty noticeable when benchmarking display impl performance. i'd actually like to make the MEM_SIZE_STRINGS
lookup also a get_unchecked
, but as you've noticed in #15 there's more fuzzing to do first.
... incidentally, i really appreciate that you've reported these bugs, even if it has turned out that yaxpeax-x86 keels over at the lightest of attention. would you like attribution for these in the release notes? and if so, how would you like me to attribute you?
as for
get_unchecked
, it's pretty noticeable when benchmarking display impl performance.
That's fair, but maybe have a get_kinda_checked
helper method that is still unsafe
, but does a debug_assert
that it's in bounds? And then never use the "normal" get_unchecked, but instead always use that one. Would make it less likely to go unnoticed, and would be zero cost in release mode, since the debug assert gets removed. Could also do the same thing for the use of unreachable_unchecked.
In a perfect world, the stdlib would do that for you, but :shrug:
... incidentally, i really appreciate that you've reported these bugs, even if it has turned out that yaxpeax-x86 keels over at the lightest of attention. would you like attribution for these in the release notes? and if so, how would you like me to attribute you?
:sweat_smile: no worries, fuzzers are just really good at finding bugs (citation: my 30-40+ bugs reported over the last year or so). Thankfully, none of the ones found through parsing malformed input seem exploitable or anything, it's just a panic.
https://github.com/pyfisch/httpdate/releases/tag/v1.0.2 just said
See
#8
, thank you @5225225!
If you mean what name I use, just use @5225225 that's cool and good, and yeah, fine to attribute me in the release notes ty ty
also the default branch name on this repo is great i love it
one of the more creative ones i've seen so far :D
If you mean what name I use, just use @5225225 that's cool and good, and yeah, fine to attribute me in the release notes ty ty
done, though i was also wondering if you prefer github @, another name, an email, whichever you prefer.
That's fair, but maybe have a
get_kinda_checked
helper method that is stillunsafe
, but does adebug_assert
that it's in bounds? And then never use the "normal" get_unchecked, but instead always use that one.
well overdue for doing this too. noted in #16 and, well, we'll see when it's actually done :D
though i was also wondering if you prefer github @, another name, an email, whichever you prefer.
Nah, if it's just a link to my github profile then I can keep whatever info I have on my github up to date
thanks for asking though :3
In miri:
Outside of miri:
This presumably just interprets some arbitrary 16 byte chunk of memory near
REG_NAMES
as a (pointer, length).This wasn't a fuzzer bug, this was me just looking for dubious
unsafe
and this was the first one I looked at. Is this function performance critical?Honestly I'd be inclined to drop the
get_unchecked
and just pay the cost of the bounds check. (This goes for all places that use get_unchecked to avoid a bounds check, not just here).