
digitalmars.D.bugs - [Issue 18717] New: Segfault in BitManip

https://issues.dlang.org/show_bug.cgi?id=18717

          Issue ID: 18717
           Summary: Segfault in BitManip
           Product: D
           Version: D2
          Hardware: x86_64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P1
         Component: phobos
         Assignee: nobody@puremagic.com
         Reporter: cpicard@openmailbox.org

The following program segfaults with dmd v2.079.0 when compiled with no
arguments on x86_64:

```d
import std.bitmanip;

void main(string[] args) {
    auto barray   = BitArray();
    // Bit index above 2^31 (2147483648), so it does not fit in a signed 32-bit register.
    ulong evilVal = 2534886795;
    barray.length = evilVal + 1;   // length is strictly greater than the index
    barray[evilVal];               // crashes inside core.bitop.bt (see disassembly below)
}
```

The segfault happens there:

```
╭ (fcn) sym._D4core5bitop2btFNaNbNixPmmZi 13
│   sym._D4core5bitop2btFNaNbNixPmmZi ();
│           0x5558709cde6c      55             push rbp
│           0x5558709cde6d      488bec         mov rbp, rsp
│           ;-- rip:
│           0x5558709cde70      0fa33e         bt dword [rsi], edi
│           0x5558709cde73      19c0           sbb eax, eax
│           0x5558709cde75      f7d8           neg eax
│           0x5558709cde77      5d             pop rbp
╰           0x5558709cde78      c3             ret
            0x5558709cde79      0000           add byte [rax], al
            0x5558709cde7b  ~   005548         add byte [rbp + 0x48], dl
```


At that point we have:
rsi = 0x7f40163e2010   -> our BitArray
rdi = 0x97174d8b       -> "evilVal"

A look at /proc/*/maps shows that the call falls into that section:



IIUC this is what was allocated for our BitArray. However this isn't enough as
0x00007f4032928000 - 0x00007f40163e2000 < 2534886795.

Therefore my understanding is that not enough memory was allocated to hold the
BitArray even though we specified a length strictly greater than the index we
are accessing.

--
Apr 03 2018
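Added example (C, written for this page; it is not code from the report, from dmd or from Phobos). It takes the numbers quoted above (rsi, rdi/evilVal and the two mapping addresses from the comparison) and computes three things: how many bytes a bit vector of evilVal + 1 bits occupies, the address the crashing instruction `bt dword [rsi], edi` actually reads, and the address a 64-bit `bt qword [rsi], rdi` would read instead. The second computation relies on the documented behaviour of BT with a memory operand: the register holds a signed bit offset, and for a 32-bit operand size the CPU reads the dword containing that bit, i.e. base + floor(offset / 32) * 4. The mapping start and end are assumed to be the two addresses in the report's comparison.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Numbers quoted in the report above. */
#define BASE_RSI  0x7f40163e2010ULL       /* rsi: start of the BitArray storage */
#define MAP_START 0x00007f40163e2000ULL   /* assumed start of the mapping */
#define MAP_END   0x00007f4032928000ULL   /* assumed end of the mapping */
#define EVIL_VAL  2534886795ULL           /* rdi: the bit index being tested */

/* Bytes a bit vector of nbits bits needs, rounded up to whole bytes. */
uint64_t bytes_for_bits(uint64_t nbits)
{
    return (nbits + 7) / 8;
}

/* Size in bytes of the mapping quoted in the report. */
uint64_t mapping_bytes(void)
{
    return MAP_END - MAP_START;
}

/* Address read by `bt dword [base], r32`. Only the low 32 bits of the index
 * reach the instruction (that is what edi holds), the CPU treats them as a
 * SIGNED bit offset, and it reads the dword containing that bit:
 * base + floor(offset / 32) * 4. A negative offset lands before `base`. */
uint64_t bt_dword_target(uint64_t base, uint64_t bit_index)
{
    uint32_t lo  = (uint32_t)bit_index;                       /* truncate to edi */
    int64_t  off = (lo & 0x80000000u) ? (int64_t)lo - 0x100000000LL : (int64_t)lo;
    int64_t  dword_idx = (off >= 0) ? off / 32 : -((-off + 31) / 32);   /* floor */
    return base + (uint64_t)(dword_idx * 4);                  /* unsigned wrap for negatives */
}

/* Address the same test touches with the full 64-bit index, as
 * `bt qword [base], r64` would: base + (bit_index / 64) * 8. */
uint64_t bt_qword_target(uint64_t base, uint64_t bit_index)
{
    return base + (bit_index / 64) * 8;
}

bool in_mapping(uint64_t addr)
{
    return addr >= MAP_START && addr < MAP_END;
}

int main(void)
{
    uint64_t need  = bytes_for_bits(EVIL_VAL + 1);
    uint64_t dword = bt_dword_target(BASE_RSI, EVIL_VAL);
    uint64_t qword = bt_qword_target(BASE_RSI, EVIL_VAL);

    printf("bytes needed for %" PRIu64 " bits : %" PRIu64 "\n", EVIL_VAL + 1, need);
    printf("bytes in the mapping           : %" PRIu64 "\n", mapping_bytes());
    printf("edi as signed 32-bit offset    : %" PRId64 "\n",
           (int64_t)(int32_t)(uint32_t)EVIL_VAL);
    printf("bt dword [rsi], edi reads 0x%" PRIx64 " (%s the mapping)\n",
           dword, in_mapping(dword) ? "inside" : "OUTSIDE");
    printf("bt qword [rsi], rdi reads 0x%" PRIx64 " (%s the mapping)\n",
           qword, in_mapping(qword) ? "inside" : "OUTSIDE");
    return 0;
}
```

Running it shows the two views of the same access: the bit index fits in the mapping when counted in bytes, while the 32-bit signed offset in edi resolves to an address some 220 MB below rsi, outside the mapping, which is where the SIGSEGV in `bt dword [rsi], edi` comes from.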