$string-with-combiners.NFD segfaults #4263

Closed
p6rt opened this issue May 25, 2015 · 5 comments
p6rt commented May 25, 2015

Migrated from rt.perl.org#125248 (status was 'resolved')

Searchable as RT125248$

p6rt commented May 25, 2015

From @FROGGS

$ perl6-gdb-m -e 'say "N̴͔̈F̷͚́G̶͔̈́ ̷̃͜i̴̡͘s̴̰͘ ̶̫̉a̵̬͆w̴̢͒ę̴̏s̴̱̋o̴̫̓m̸̜͐e̶̥̋".NFD'

This is Rakudo Perl 6 running in the GNU debugger, which often allwos to generate useful back-
traces to debug or report issues in Rakudo, the MoarVM backend or the currently running code.

This Rakudo version is 2015.5.13.g.73.d.6.f.72 built on MoarVM version 2015.5.3.gd.3713.c.9,
running on ubuntu (14.4.2.LTS.Trusty.Tahr) / linux (89.Ubuntu.SMP.Wed.May.20.10.34.39.UTC.2015)

Type `bt full` to generate a backtrace if applicable, type `q` to quite or `help` for help.


Reading symbols from /home/froggs/dev/nqp/install/bin/moar...done.
Starting program: /home/froggs/dev/nqp/install/bin/moar --execname=/home/froggs/dev/nqp/install/bin/perl6-gdb-m --libpath=/home/froggs/dev/nqp/install/share/nqp/lib --libpath=/home/froggs/dev/nqp/install/share/perl6/lib --libpath=/home/froggs/dev/nqp/install/share/perl6/runtime /home/froggs/dev/nqp/install/share/perl6/runtime/perl6.moarvm -e say\ \"N̴͔̈F̷͚́G̶͔̈́\ ̷̃͜i̴̡͘s̴̰͘\ ̶̫̉a̵̬͆w̴̢͒ę̴̏s̴̱̋o̴̫̓m̸̜͐e̶̥̋\".NFD
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff748e12f in _int_free (av=0x7ffff77cd760 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3996
3996 malloc.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt full
#0 0x00007ffff748e12f in _int_free (av=0x7ffff77cd760 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3996
  size = 272
  fb = <optimized out>
  nextchunk = 0x25d9830
  nextsize = 192
  nextinuse = 0
  prevsize = <optimized out>
  bck = 0x30800000354
  fwd = 0x3340000004e
  errstr = 0x0
  locked = <optimized out>
#1 0x00007ffff79afe44 in MVM_unicode_string_to_codepoints (tc=0x603700, s=<optimized out>, form=<optimized out>, out=0x7ffff654f280) at src/strings/normalize.c:177
  norm = {form = MVM_NORMALIZE_NFD, buffer = 0x25d9730, buffer_size = 64, buffer_start = 56, buffer_end = 56, buffer_norm_end = 56, first_significant = 192, quick_check_property = 66}
  ready = <optimized out>
  result = <optimized out>
  result_pos = <optimized out>
  result_alloc = <optimized out>
  ci = {gi = {active_blob = {blob_32 = 0xece410, blob_ascii = 0xece410 "s", blob_8 = 0xece410 "s", any = 0xece410}, blob_type = 0, strands_remaining = 0, pos = 19, end = 19,
  start = 5, repetitions = 0, next_strand = <optimized out>}, synth_codes = <optimized out>, visited_synth_codes = <optimized out>, total_synth_codes = <optimized out>}
#2 0x00007ffff791d036 in MVM_interp_run (tc=0x7ffff77cd760 <main_arena>, tc@entry=0x603700, initial_invoke=0x3340000004e, invoke_data=0x30800000354) at src/core/interp.c:4512

The call to MVM_unicode_normalizer_cleanup explodes.

p6rt commented Jun 5, 2015

From @nwc10

On Mon May 25 11:01:34 2015, FROGGS.de wrote:

$ perl6-gdb-m -e 'say "N̴͔̈F̷͚́G̶͔̈́ ̷̃͜i̴̡͘s̴̰͘
̶̫̉a̵̬͆w̴̢͒ę̴̏s̴̱̋o̴̫̓m̸̜͐e̶̥̋".NFD'

$ ./perl6-m -Ilib -e 'say "N̴͔̈F̷͚́G̶͔̈́ ̷̃͜i̴̡͘s̴̰͘ ̶̫̉a̵̬͆w̴̢͒ę̴̏s̴̱̋o̴̫̓m̸̜͐e̶̥̋".NFD'

==15371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000046cf8 at pc 0x7f72204de7ff bp 0x7fff46d5ee70 sp 0x7fff46d5ee68
WRITE of size 4 at 0x610000046cf8 thread T0
  #0 0x7f72204de7fe in MVM_unicode_string_to_codepoints src/strings/normalize.c:176
  #1 0x7f722029d50d in MVM_interp_run src/core/interp.c:4512
  #2 0x7f72204f806c in MVM_vm_run_file src/moar.c:218
  #3 0x401a4f in main src/main.c:189
  #4 0x7f721facdd5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
  #5 0x401058 (/home/nicholas/Sandpit/moar-san/bin/moar+0x401058)

0x610000046cf8 is located 0 bytes to the right of 184-byte region [0x610000046c40,0x610000046cf8)
allocated by thread T0 here:
  #0 0x7f7220da98e6 in __interceptor_realloc ../../.././libsanitizer/asan/asan_malloc_linux.cc:93
  #1 0x7f72204db820 in MVM_realloc src/core/alloc.h:20
  #2 0x7f72204dd532 in maybe_grow_result src/strings/normalize.c:28
  #3 0x7f72204de789 in MVM_unicode_string_to_codepoints src/strings/normalize.c:174
  #4 0x7f722029d50d in MVM_interp_run src/core/interp.c:4512
  #5 0x7f72204f806c in MVM_vm_run_file src/moar.c:218
  #6 0x401a4f in main src/main.c:189
  #7 0x7f721facdd5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/strings/normalize.c:176 MVM_unicode_string_to_codepoints
Shadow bytes around the buggy address:
  0x0c2080000d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2080000d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2080000d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2080000d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2080000d80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c2080000d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0c2080000da0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080000db0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2080000dc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2080000dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2080000de0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Contiguous container OOB: fc
  ASan internal: fe
==15371==ABORTING
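The ASan report above shows a 4-byte codepoint written exactly at the end of a 184-byte result region that maybe_grow_result had sized via realloc, and the gdb trace shows the damage surfacing later in the normalizer cleanup. As an added example (not MoarVM's code; all names, the 46-slot initial size and the input are constructed), the following C shows the growth pattern that prevents that write: capacity is checked before every write, including when a whole pending run of codepoints is flushed at once.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Growable buffer of 32-bit codepoints. Hypothetical names, not MoarVM's. */
typedef struct {
    uint32_t *data;
    size_t    len;    /* codepoints written so far */
    size_t    alloc;  /* codepoints the buffer can hold */
} cp_result;
typedef struct { size_t len, alloc; } cp_stats;

/* Make room for `needed` more codepoints, checked BEFORE the write, so an
 * index equal to alloc (the "0 bytes to the right" write above) cannot occur. */
static int cp_result_reserve(cp_result *r, size_t needed) {
    if (r->len + needed <= r->alloc) return 0;
    size_t want = r->alloc ? r->alloc : 46;   /* 46 * 4 = 184 bytes, the region size in the report */
    while (want < r->len + needed) want *= 2;
    uint32_t *p = realloc(r->data, want * sizeof *p);
    if (!p) return -1;
    r->data = p;
    r->alloc = want;
    return 0;
}

static int cp_result_push(cp_result *r, uint32_t cp) {
    if (cp_result_reserve(r, 1) < 0) return -1;
    r->data[r->len++] = cp;
    return 0;
}

/* Flush a run of pending codepoints at once, as a normalizer's cleanup step
 * does; reserve for the whole run rather than assuming it already fits. */
static int cp_result_flush(cp_result *r, const uint32_t *pending, size_t n) {
    if (cp_result_reserve(r, n) < 0) return -1;
    memcpy(r->data + r->len, pending, n * sizeof *pending);
    r->len += n;
    return 0;
}

/* Constructed input: 'N' then 20 runs of three combining marks (U+0334, U+0354,
 * U+0308). The 16th run arrives at len 46 == alloc, the boundary overrun in the report. */
cp_stats demo_many_combiners(void) {
    cp_result r = {0};
    const uint32_t marks[] = { 0x0334, 0x0354, 0x0308 };
    cp_result_push(&r, 'N');
    for (int i = 0; i < 20; i++) cp_result_flush(&r, marks, 3);
    cp_stats s = { r.len, r.alloc };   /* 61 codepoints written, 92 slots allocated */
    free(r.data);
    return s;
}
```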

p6rt commented Jun 5, 2015

The RT System itself - Status changed from 'new' to 'open'

p6rt commented Jun 5, 2015

From @jnthn

On Mon May 25 11:01:34 2015, FROGGS.de wrote:

$ perl6-gdb-m -e 'say "N̴͔̈F̷͚́G̶͔̈́ ̷̃͜i̴̡͘s̴̰͘
̶̫̉a̵̬͆w̴̢͒ę̴̏s̴̱̋o̴̫̓m̸̜͐e̶̥̋".NFD'

This is Rakudo Perl 6 running in the GNU debugger, which often allwos
to generate useful back-
traces to debug or report issues in Rakudo, the MoarVM backend or the
currently running code.

This Rakudo version is 2015.5.13.g.73.d.6.f.72 built on MoarVM version
2015.5.3.gd.3713.c.9,
running on ubuntu (14.4.2.LTS.Trusty.Tahr) / linux
(89.Ubuntu.SMP.Wed.May.20.10.34.39.UTC.2015)

Type `bt full` to generate a backtrace if applicable, type `q` to
quite or `help` for help.
------------------------------------------------------------------------------------------------
Reading symbols from /home/froggs/dev/nqp/install/bin/moar...done.
Starting program: /home/froggs/dev/nqp/install/bin/moar
--execname=/home/froggs/dev/nqp/install/bin/perl6-gdb-m
--libpath=/home/froggs/dev/nqp/install/share/nqp/lib
--libpath=/home/froggs/dev/nqp/install/share/perl6/lib
--libpath=/home/froggs/dev/nqp/install/share/perl6/runtime
/home/froggs/dev/nqp/install/share/perl6/runtime/perl6.moarvm -e say\
\"N̴͔̈F̷͚́G̶͔̈́\ ̷̃͜i̴̡͘s̴̰͘\ ̶̫̉a̵̬͆w̴̢͒ę̴̏s̴̱̋o̴̫̓m̸̜͐e̶̥̋\".NFD
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-
gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff748e12f in _int_free (av=0x7ffff77cd760 <main_arena>,
p=<optimized out>, have_lock=0) at malloc.c:3996
3996 malloc.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt full
#0 0x00007ffff748e12f in _int_free (av=0x7ffff77cd760 <main_arena>,
p=<optimized out>, have_lock=0) at malloc.c:3996
size = 272
fb = <optimized out>
nextchunk = 0x25d9830
nextsize = 192
nextinuse = 0
prevsize = <optimized out>
bck = 0x30800000354
fwd = 0x3340000004e
errstr = 0x0
locked = <optimized out>
#1 0x00007ffff79afe44 in MVM_unicode_string_to_codepoints
(tc=0x603700, s=<optimized out>, form=<optimized out>,
out=0x7ffff654f280) at src/strings/normalize.c:177
norm = {form = MVM_NORMALIZE_NFD, buffer = 0x25d9730,
buffer_size = 64, buffer_start = 56, buffer_end = 56, buffer_norm_end
= 56, first_significant = 192, quick_check_property = 66}
ready = <optimized out>
result = <optimized out>
result_pos = <optimized out>
result_alloc = <optimized out>
ci = {gi = {active_blob = {blob_32 = 0xece410, blob_ascii =
0xece410 "s", blob_8 = 0xece410 "s", any = 0xece410}, blob_type = 0,
strands_remaining = 0, pos = 19, end = 19,
start = 5, repetitions = 0, next_strand = <optimized
out>}, synth_codes = <optimized out>, visited_synth_codes = <optimized
out>, total_synth_codes = <optimized out>}
#2 0x00007ffff791d036 in MVM_interp_run (tc=0x7ffff77cd760
<main_arena>, tc@entry=0x603700, initial_invoke=0x3340000004e,
invoke_data=0x30800000354) at src/core/interp.c:4512

The call to MVM_unicode_normalizer_cleanup explodes.

Added tests in S15-nfg/many-combiners.t, and fixed the problem.

p6rt commented Jun 5, 2015

@jnthn - Status changed from 'open' to 'resolved'

p6rt closed this as completed Jun 5, 2015
p6rt added the Bug label Jan 5, 2020