
Jitted code doesn't check if slice index is in bounds

Open mateon1 opened this issue 8 years ago • 1 comments

With this program eval(jc, "-[>-[>-<-]<-]<-]".into()), the brainfuck interpreter panics, because it sees an unknown symbol at the program counter (garbage memory). With eval(jc, "-[>-[>-[>-<-]<-]<-]<-]".into()), the program receives a SIGSEGV, caused by a read of one byte before an allocated page.

I'll try to run these with ASAN and report the results

EDIT: I can't build with ASAN, ~~because kernel32-sys fails to link~~. Brainfart, I need to pass the --target flag, but holyjit also fails to link. EDIT2: I just realized the brackets in these programs are mismatched, which means bounds checks aren't emitted properly under jit!()

mateon1 avatar Oct 23 '17 05:10 mateon1

I usually use rr to debug the generated code, as you can walk the code execution backward.

I can reproduce this issue. I got a SEGV which corresponds to the panic with the message "Unknown Symbol". The problem likely comes from the code which is being produced by the array access[1], which is probably always checked, but never appears in the MIR.

[1] https://github.com/nbp/holyjit/blob/e4ed3be729ae91c5aa8ce93ca0c648afb642feb9/plugin/src/trans.rs#L586

nbp avatar Oct 23 '17 10:10 nbp
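As an added example (not holyjit's code, and not the interpreter the issue was run against), here is a brainfuck interpreter in which every tape access and bracket jump is bounds-checked. Run on the first mismatched program from the report, the outer loop ends at its trailing `]` and the following `<` tries to step left of cell 0; the checked interpreter rejects that instruction with an error naming its position, which is the read before the allocation that the unchecked jitted code performs. The `tape_len` of 30000 cells and the error type are assumptions of this example.

```rust
// Added example, not holyjit's code: a brainfuck interpreter in which every
// tape access and bracket jump is bounds-checked, so a mismatched program is
// rejected with an error instead of reading outside the tape or program.
#[derive(Debug, PartialEq)]
pub enum BfError {
    TapeUnderflow { pc: usize },  // `<` while at cell 0
    TapeOverflow { pc: usize },   // `>` past the last cell
    UnmatchedOpen { pc: usize },  // `[` with no matching `]`
    UnmatchedClose { pc: usize }, // `]` with no matching `[`
    UnknownSymbol { pc: usize, byte: u8 },
}

/// First program from the issue (constructed copy): two `[` but three `]`.
pub const MISMATCHED: &[u8] = b"-[>-[>-<-]<-]<-]";

/// Runs `program` on a zeroed tape of `tape_len` cells and returns the tape.
pub fn run(program: &[u8], tape_len: usize) -> Result<Vec<u8>, BfError> {
    let mut tape = vec![0u8; tape_len];
    let (mut ptr, mut pc) = (0usize, 0usize);
    while pc < program.len() {
        match program[pc] {
            b'+' => tape[ptr] = tape[ptr].wrapping_add(1),
            b'-' => tape[ptr] = tape[ptr].wrapping_sub(1),
            b'>' if ptr + 1 < tape_len => ptr += 1,
            b'>' => return Err(BfError::TapeOverflow { pc }),
            b'<' => ptr = ptr.checked_sub(1).ok_or(BfError::TapeUnderflow { pc })?,
            b'[' if tape[ptr] == 0 => pc = matching(program, pc, b'[', b']')?,
            b']' if tape[ptr] != 0 => pc = matching(program, pc, b']', b'[')?,
            b'[' | b']' => {} // loop entered or left: fall through
            byte => return Err(BfError::UnknownSymbol { pc, byte }),
        }
        pc += 1;
    }
    Ok(tape)
}

/// Finds the bracket matching the one at `at` (forward for `[`, backward for
/// `]`), failing at the buffer edge instead of scanning past it.
fn matching(program: &[u8], at: usize, this: u8, other: u8) -> Result<usize, BfError> {
    let forward = this == b'[';
    let scan: Box<dyn Iterator<Item = usize>> =
        if forward { Box::new(at..program.len()) } else { Box::new((0..=at).rev()) };
    let mut depth = 0usize;
    for i in scan {
        if program[i] == this { depth += 1; }
        else if program[i] == other { depth -= 1; if depth == 0 { return Ok(i); } }
    }
    Err(if forward { BfError::UnmatchedOpen { pc: at } } else { BfError::UnmatchedClose { pc: at } })
}
```

The second program from the report fails the same way at its own trailing `<`; it just runs one nesting level longer before the outer loop ends.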