From: Noah Lavine
Newsgroups: gmane.lisp.guile.bugs
Subject: bug#13074: VM Segfaults with Bad `Call' Instruction
Date: Tue, 4 Dec 2012 22:26:52 -0500
To: 13074@debbugs.gnu.org

The following patch fixes the problem for me:

diff --git a/libguile/vm-i-system.c b/libguile/vm-i-system.c index 7153ab5..dff2ab2 100644 --- a/libguile/vm-i-system.c +++ b/libguile/vm-i-system.c @@ -793,7 +793,9 @@ VM_DEFINE_INSTRUCTION (55, call, "call", 1, -1, 1) VM_HANDLE_INTERRUPTS; - if (SCM_UNLIKELY (!SCM_PROGRAM_P (program))) + if (SCM_UNLIKELY (program == NULL)) + goto vm_error_bad_instruction; + else if (SCM_UNLIKELY (!SCM_PROGRAM_P (program))) { if (SCM_STRUCTP (program) && SCM_STRUCT_APPLICABLE_P (program)) {

Any objections if I apply it to stable-2.0? (Or master?)

Noah

On Mon, Dec 3, 2012 at 10:06 PM, Noah Lavine wrote:
> Hello,
>
> This is an interesting bug, because the only way to hit it (as far as I
> can tell) is to mess up when writing a compiler. However, I did mess up,
> and I discovered that I can generate a `call' instruction in the trunk VM
> where the procedure to call will be 0x0. Then the VM will try to check
> whether the procedure is really a procedure, and Guile will segfault at
> line 796 of vm-i-system.c.
>
> I think the correct behavior would be to throw a `vm-bad-instruction'
> error instead. The fix should be pretty simple - just check if program is
> 0x0 and jump to vm-bad-instruction in that case.
>
> Noah
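Review bot: `program == NULL` in the new first branch compares an SCM against a C pointer constant, which only compiles when SCM is typedef'd as a pointer; under Guile's strict-typing build (SCM_DEBUG_TYPING_STRICTNESS set to 2, where SCM is a union) it will not. Write the test on the unpacked bits instead, e.g. `if (SCM_UNLIKELY (SCM_UNPACK (program) == 0))`, which also states what is really being rejected: the all-zero word the report describes, not a C null pointer. The ordering is right and worth a one-line comment, since `SCM_PROGRAM_P` treats a zero word as a heap object and reads its type word, which is the dereference that crashed. Minor: the `else` in `+ else if (SCM_UNLIKELY (!SCM_PROGRAM_P (program)))` is redundant after the `goto`.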
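A small C model of the check ordering this thread is about, added here as an illustration and not code from Guile itself; the tag values, the immediate-vs-heap test and the cell layout are assumptions that only loosely mirror libguile's, and the helper names are hypothetical.

```c
/* Constructed model of a tagged-word VM operand check (not libguile code).
 * Assumed conventions: a word with (x & 6) != 0 is an immediate value;
 * any other word is a pointer to a heap cell whose first word is a type tag. */
#include <stdint.h>
#include <stdio.h>

typedef uintptr_t scm_word;                        /* stand-in for SCM */
enum { TAG_PROGRAM = 0x45, TAG_STRING = 0x15 };    /* constructed tag values */
enum { CALL_OK = 0, CALL_NOT_APPLICABLE = 1, CALL_BAD_INSTRUCTION = 2 };

struct cell { scm_word type; scm_word payload; };

static int is_immediate(scm_word x) { return (x & 6) != 0; }

/* Reads the cell header. On a zero word this is exactly the null
 * dereference the bug report describes: 0 is not immediate, so it is
 * treated as a heap pointer and followed. */
static int is_program(scm_word x) {
  return !is_immediate(x) && ((struct cell *) x)->type == TAG_PROGRAM;
}

/* Before the patch: the type check runs first, so a zero operand crashes. */
static int vm_call_unguarded(scm_word program) {
  if (!is_program(program))
    return CALL_NOT_APPLICABLE;
  return CALL_OK;
}

/* After the patch: reject the all-zero word before anything reads through it,
 * turning a segfault into a reportable bad-instruction error. */
static int vm_call_guarded(scm_word program) {
  if (program == 0)
    return CALL_BAD_INSTRUCTION;
  if (!is_program(program))
    return CALL_NOT_APPLICABLE;
  return CALL_OK;
}

/* Constructed operands: a heap program, a heap non-program, and a fixnum
 * (low tag bits 10, so it is immediate and never dereferenced). */
static struct cell prog_cell = { TAG_PROGRAM, 0 };
static struct cell str_cell = { TAG_STRING, 0 };
static scm_word program_ref(void) { return (scm_word) &prog_cell; }
static scm_word string_ref(void) { return (scm_word) &str_cell; }
static scm_word fixnum(long n) { return ((scm_word) n << 2) | 2; }

int main(void) {
  printf("program: %d\n", vm_call_guarded(program_ref()));
  printf("string:  %d\n", vm_call_guarded(string_ref()));
  printf("fixnum:  %d\n", vm_call_guarded(fixnum(42)));
  printf("zero:    %d\n", vm_call_guarded(0));
  /* vm_call_unguarded(0) would dereference address 0; deliberately not run. */
  return 0;
}
```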