GNU bug report logs - #13074
VM Segfaults with Bad `Call' Instruction


Package: guile;

Reported by: Noah Lavine <noah.b.lavine <at> gmail.com>

Date: Tue, 4 Dec 2012 03:10:02 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

Full log


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: tracker <at> debbugs.gnu.org
Subject: bug#13074: closed (VM Segfaults with Bad `Call' Instruction)
Date: Tue, 11 Dec 2012 09:43:01 +0000
Your message dated Tue, 11 Dec 2012 10:42:09 +0100
with message-id <878v95exhq.fsf <at> gnu.org>
and subject line Re: bug#13074: VM Segfaults with Bad `Call' Instruction
has caused the debbugs.gnu.org bug report #13074,
regarding VM Segfaults with Bad `Call' Instruction
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
13074: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=13074
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Noah Lavine <noah.b.lavine <at> gmail.com>
To: bug-guile <at> gnu.org
Subject: VM Segfaults with Bad `Call' Instruction
Date: Mon, 3 Dec 2012 22:06:28 -0500
Hello,

This is an interesting bug, because the only way to hit it (as far as I can
tell) is to mess up when writing a compiler. However, I did mess up, and I
discovered that I can generate a `call' instruction in the trunk VM where the
procedure to call will be 0x0. Then the VM will try to check whether the
procedure is really a procedure, and Guile will segfault at line 796 of
v-i-system.c.

I think the correct behavior would be to throw a `vm-bad-instruction' error
instead. The fix should be pretty simple - just check if program is 0x0 and
jump to vm-bad-instruction in that case.

Noah
From: ludo <at> gnu.org (Ludovic Courtès)
To: Noah Lavine <noah.b.lavine <at> gmail.com>
Cc: 13074-done <at> debbugs.gnu.org
Subject: Re: bug#13074: VM Segfaults with Bad `Call' Instruction
Date: Tue, 11 Dec 2012 10:42:09 +0100
Hi!

Noah Lavine <noah.b.lavine <at> gmail.com> skribis:

> In general, I do think there should at least be an option for having full
> error-checking in the VM. It would have been much, much harder for me to
> find this without having patched the VM, because it would have taken me a
> very long time to try each new thing I tried, because I would have had to
> restart Guile. I am happy for it not to be on the regular code-path,
> though. I also realize that writing a compiler is an unusual application,
> so maybe it should even be a compile-time option for users who prefer their
> Guile slow. How does that sound?

The VM does full error checking.  But there’s a difference between
checking whether an object has the expected type, and checking whether
an object is a well-formed ‘SCM’ object (and NULL is not a valid ‘SCM’
object.)

Guile never does the latter, and as a rule of thumb I would keep things
this way.

The brave hacker working on a compiler can easily figure out how to
debug all sorts of crazy things.  :-)

So I’m closing it for now.

Thanks,
Ludo’.

PS: It’s still unclear to me how you ended up forging an invalid SCM
    object.  I think you either have to generate invalid bytecode, or to
    use (pointer->scm %null-pointer), or variants thereof.
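The two messages above turn on one distinction: a VM that type-checks a well-formed operand ("is this a procedure?") versus one that first checks that the operand is a well-formed object at all (NULL is not one). The following toy dispatcher is an added example written for this page; it is not Guile's code and not from either message. The object model (`obj`), the status codes (`VM_BAD_INSTRUCTION`, `VM_WRONG_TYPE_ARG`) and the function names are hypothetical. `vm_call_unchecked` reproduces the crash path described in the report (dereferencing a NULL callee before any check), while `vm_call_checked` performs the well-formedness check first and reports a bad instruction instead of faulting.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy tagged object model, constructed for this example (not Guile's SCM). */
typedef enum { TAG_INT, TAG_PROC } obj_tag;

typedef struct obj {
    obj_tag tag;
    int (*fn)(int);   /* meaningful only when tag == TAG_PROC */
} obj;

/* Status codes returned by the toy dispatcher (hypothetical names). */
typedef enum {
    VM_OK = 0,
    VM_WRONG_TYPE_ARG = 1,   /* well-formed object, but not a procedure */
    VM_BAD_INSTRUCTION = 2   /* operand is not a well-formed object (NULL) */
} vm_status;

/* Unchecked `call': only a type check. With a NULL operand the very first
 * access (program->tag) is the segfault described in the report. */
static vm_status vm_call_unchecked(const obj *program, int arg, int *result) {
    if (program->tag != TAG_PROC)
        return VM_WRONG_TYPE_ARG;
    *result = program->fn(arg);
    return VM_OK;
}

/* Checked `call': the well-formedness check runs before the type check, so a
 * forged NULL operand is reported as a bad instruction rather than crashing. */
static vm_status vm_call_checked(const obj *program, int arg, int *result) {
    if (program == NULL)
        return VM_BAD_INSTRUCTION;
    if (program->tag != TAG_PROC)
        return VM_WRONG_TYPE_ARG;
    *result = program->fn(arg);
    return VM_OK;
}

static int double_it(int x) { return 2 * x; }

/* Sample operands, constructed for the demonstration. */
static const obj sample_proc = { TAG_PROC, double_it };
static const obj sample_int  = { TAG_INT, NULL };

/* Small wrapper so callers can inspect status and result separately. */
static int last_result;

static vm_status try_call(const obj *program, int arg) {
    last_result = 0;
    return vm_call_checked(program, arg, &last_result);
}

static int get_last_result(void) { return last_result; }

int main(void) {
    int r = 0;

    /* Valid operands behave identically under both dispatchers. */
    printf("unchecked proc: status=%d result=%d\n",
           vm_call_unchecked(&sample_proc, 21, &r), r);
    printf("checked proc:   status=%d result=%d\n", try_call(&sample_proc, 21),
           get_last_result());
    printf("checked int:    status=%d\n", try_call(&sample_int, 21));

    /* Only the checked dispatcher survives a forged NULL callee. */
    printf("checked null:   status=%d\n", try_call(NULL, 21));
    return 0;
}
```

The cost of the extra check is one pointer comparison per call, which is the trade-off the thread discusses: a compiler author debugging forged operands benefits from it, while a VM that trusts its own compiler may reasonably leave it out.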

