out-of-range bugs in globroots.c #4234

Closed
vicuna opened this issue Mar 19, 2007 · 2 comments
vicuna commented Mar 19, 2007

Original bug ID: 4234
Reporter: MatthewFluet
Status: closed (set by @damiendoligez on 2007-03-26T18:00:23Z)
Resolution: fixed
Priority: normal
Severity: minor
Fixed in version: 3.10+dev
Category: ~DO NOT USE (was: OCaml general)
Monitored by: @mmottl

Bug description

There appears to be a bug in the management of global roots, related to registering very many global roots.

I see a segmentation fault (on both amd64-linux and x86-darwin) with the following program:

crash.c:
```c
#include <stdlib.h>

#include "caml/mlvalues.h"
#include "caml/memory.h"

struct crash_s {
  value v;
};

/* Called from OCaml as `unit -> unit`: a stub declared with `external`
   must return a `value` (here Val_unit), so the return type is `value`
   rather than `void`. Each call registers and immediately removes one
   global root, which is what exercises the globroots skip list. */
value crash_fn(value v) {
  struct crash_s* p;
  p = (struct crash_s*) malloc(sizeof(struct crash_s));
  caml_register_global_root(&(p->v));
  caml_remove_global_root(&(p->v));
  free(p);
  return Val_unit;
}
```

crash.ml:
```ocaml
external crash_fn : unit -> unit = "crash_fn"

(* Loop forever so that the random level draw eventually hits the
   out-of-range case. *)
let rec crashLoop () = (crash_fn (); crashLoop ())

let _ = crashLoop ()
```

Additional information

I believe that the issue arises from the fact that the random_level function of byterun/globroots.c may return the value 15 (or 16), but all of the arrays have size MAX_LEVEL (= 15), so accessing index 15 (or 16) yields undefined results.

Furthermore, despite the Assert in the random_level function, random_level may return the value 16 (observed by repeatedly calling random_level).

Indeed, if r is set equal to 0xFFFFFFFFU by the PRNG, then random_level will return 16.

Nonetheless, the fix seems clear. Change
```c
#define MAX_LEVELS 15
```
to
```c
#define MAX_LEVELS 16
```
and change array declarations
```c
ty arr[MAX_LEVELS];
```
to
```c
ty arr[MAX_LEVELS+1];
```
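To make the out-of-range case concrete, here is an added model of the level draw (written for this thread; it is not the report's code nor the actual byterun/globroots.c). It assumes, from the "0xFFFFFFFFU gives 16" remark above, that random_level counts leading pairs of set bits in a 32-bit PRNG word, and contrasts that with a draw bounded to the array size:

```c
/* Added example: models the skip-list level draw described in the report.
   ASSUMPTION: one level is counted per leading pair of set bits of a
   32-bit PRNG word; the real globroots.c code is not reproduced here. */
#include <stdint.h>
#include <stdio.h>

#define MAX_LEVEL 15            /* size of the per-level arrays (= 15) */

/* Reconstructed level draw: 0..16 for a 32-bit word, so the maximum
   exceeds the last valid array index (MAX_LEVEL - 1 = 14). */
int level_from_word(uint32_t r) {
    int level = 0;
    while ((r & 0xC0000000U) == 0xC0000000U) { level++; r <<= 2; }
    return level;
}

/* Largest level the draw can produce: the all-ones word. */
int max_level_reachable(void) {
    return level_from_word(0xFFFFFFFFU);
}

/* Bounded draw: clamp to the last valid index so arrays sized MAX_LEVEL
   stay in range whatever the PRNG emits (the report's own fix instead
   raises MAX_LEVELS and sizes the arrays MAX_LEVELS+1). */
int bounded_level(uint32_t r) {
    int level = level_from_word(r);
    return level > MAX_LEVEL - 1 ? MAX_LEVEL - 1 : level;
}

/* 1 if indexing a MAX_LEVEL-sized array with `level` is in range. */
int index_in_range(int level) {
    return level >= 0 && level < MAX_LEVEL;
}

int main(void) {
    /* Constructed sample words: no leading pair, 15 pairs, 16 pairs. */
    uint32_t samples[] = { 0x12345678U, 0xFFFFFFFCU, 0xFFFFFFFFU };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int lv = level_from_word(samples[i]);
        printf("r=%08x level=%d in_range=%d bounded=%d\n",
               (unsigned) samples[i], lv, index_in_range(lv),
               bounded_level(samples[i]));
    }
    return 0;
}
```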


vicuna commented Mar 19, 2007

Comment author: MatthewFluet

Oops, failed to change Category to "OCaml general".


vicuna commented Mar 26, 2007

Comment author: @damiendoligez

This will be fixed for 3.10.
Thanks for the nice report.

@vicuna vicuna closed this as completed Mar 26, 2007
@vicuna vicuna added the bug label Mar 19, 2019