|
01:48
ilbot3 joined
|
|||
| zostay | going back to the discussion of the abort issue, how is control exception resumability different from regular exceptions? aren't those resumable too? | 02:14 | |
|
02:16
ggoebel18 joined
04:14
geekosaur joined
04:17
geekosaur joined
04:32
lizmat joined
05:56
geekosaur joined
07:15
zakharyas joined
07:23
domidumont joined
07:28
domidumont joined
07:49
vendethiel joined
|
|||
| nwc10 | werda.geizhals.at/ -- spot the difference | 08:46 | |
| oops, mischan | 08:51 | ||
| now, that resolves, but you shouldn't be able to get any content | |||
|
09:34
vendethiel joined
09:47
diakopter joined
10:20
zakharyas joined
10:31
vendethiel joined
10:57
vendethiel joined
|
|||
| dalek | arVM: 808fd05 | timotimo++ | src/strings/ops.c: cope with buffers being too small in re_nfg fixes a crash when working with utf8-c8 strings. |
12:06 | |
| timotimo | ^- i'm not sure if this gives us the right semantics, but we're not crashing any more at least | 12:07 | |
|
12:30
zakharyas joined
12:46
vendethiel joined
|
|||
| nine | timotimo: left some comments on the commit | 13:02 | |
| timotimo | ah, good catch on the second one | 13:03 | |
| dalek | arVM: fcee004 | timotimo++ | src/strings/ops.c: fix references to buffer size to use the actual variable. |
13:04 | |
| nine | Cool :) Demonstrating again, that even reviews by total newbies can help. | 13:06 | |
| timotimo | aye, i'm grateful | ||
| arnsholt | Yeah, I like the commitbots more and more | 13:12 | |
| Especially when the commit message is something that makes me go "I wonder how that was implemented" | |||
| timotimo | if the first line contains "timo", it's probably "poorly" | 13:13 | |
| doubly so, if it contains "timo" twice | |||
|
16:04
vendethiel joined
|
|||
| diakopter | lol | 16:42 | |
| timotimo | now things get a bit more interesting | 16:52 | |
| afl found out that if you arg_o with a high number, you get a segfault | |||
| should we really put bounds checks into those operators? maybe the bytecode verifier could be able to handle this? not sure. | 16:53 | ||
| diakopter | yeah it kinda should | ||
| in the original bytecode verifier I had a TODO listed for that | |||
| it can at least be conservative | 16:54 | ||
| timotimo | like "we're probably not going to have 1k arguments here, so complain" | 16:55 | |
| diakopter | well it can look at the arg puller | 16:56 | |
| the thing that adds args | |||
| it can at least limit it to the number of those | |||
| timotimo | the arg puller? | 16:57 | |
| ... the what now? :) | |||
| Unhandled exception: Tried to takeclosure a null object. | 17:00 | ||
| at <unknown>:1 | |||
| (/tmp/minimized_output/crashes/id:000006,sig:11,src:000002,op:flip1,pos:107072:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| how did this happen :D | |||
| well, "0" is the char that afl-tmin fills stuff up with when it has decided stuff is not interesting to the execution of the test case | 17:01 | ||
|
17:03
domidumont joined
|
|||
| timotimo | hm. | 17:05 | |
| should i really put a null-check into assignunchecked? | |||
| like, what kind of guarantee do we give, what's the threat model? | 17:08 | ||
|
17:33
vendethiel joined
|
|||
| timotimo | diakopter: wanna diagnose a crash? | 18:04 | |
| hack.p6c.org/~timo/crashes_after_update.tar.gz - the file with id 000017 does a crash in bytecode.c that my brane can't cope with right now | 18:07 | ||
| Unhandled exception: Too few positionals passed; expected 12336 arguments but got 0 | 18:20 | ||
| sprinkling ALL the null checks | 18:26 | ||
| maybe some of these checks could be made unnecessary by the validator by making sure registers being used for stuff have been written to at least once before they are read from | 18:34 | ||
| because then we'd have a VMNull object that would gracefully blow up | |||
| of course, branches and stuff make that hard | 18:35 | ||
| but i don't really feel like giving every single op out there an MVM_is_null and a exception_throw_adhoc | |||
| dalek | arVM/many_null_checks: 70491b8 | timotimo++ | src/core/ (3 files): WIP on making fuzzed bytecode less crashy though perhaps there's a better way by making the validator smarter; if a register has been written to before it gets read, it'll surely be a proper VMNull, not an actual null pointer. |
18:37 | |
| timotimo | we could also have an instrumentation pass that runs every piece of code with extra null checks added to it when it's hit for the first time | 18:46 | |
| jnthn | timotimo: Well, the other option is to pre-populate object registers with VMNull | 18:47 | |
| timotimo | i also thought about that | ||
| don't we store vm-level null in some places to signify something? | |||
| is that only lexicals and attributes? | |||
| jnthn | We use real NULLs in lexicals and attrs | 18:48 | |
| For lazy viv | |||
| But not normal registers | |||
| We could drop doing it for specialized frames potentially, after further analysis. Or even detect lack of need for it during validation | |||
| timotimo | should i build that solution? | ||
| jnthn | It'd be better than NULL checks everywhere | 18:49 | |
| timotimo | quite | ||
| jnthn | Branches everywhere considered bad | ||
| timotimo | and repr checks would then automagically include the null check | ||
| jnthn | aye | 18:50 | |
| timotimo | oh, i think i put the args range check in there, too | 19:20 | |
| well, it's also very much not pretty :) | |||
| i'll be interested to see how we'll end up doing bigger registers, like long doubles | 19:27 | ||
| maybe a separate bit of space in "work" that is reserved for 2-64bit-pieces of space | 19:33 | ||
| and also a separate space for arguments in extra-big types | |||
| nine | Why are Lexotics not serializable? | 19:35 | |
| And...what exactly are they anyway? | |||
| The most interesting question would probably be how they end up in my shiny SC, but I fear, only another massive debugging quest will answer that | 19:36 | ||
| jnthn | nine: They're involved in the implementation of `return` | ||
| nine: They're the thing that is stored in the frame that has the return handler | 19:37 | ||
| nine | Even implicit returns? | ||
| jnthn | No | 19:39 | |
| Though I think we code-gen one for every routine that might explicit return | |||
| The VM caches them also | 19:40 | ||
| I've been pondering killing them off in favor of real control exceptions though | |||
| The reason we have this approach dates back to the Parrot days | |||
| The caching creates problems of its own | |||
| timotimo | i didn't know we could kill them off | 19:47 | |
| bbl, food time | |||
| nine | So probably not for an EVAL's return value either | 19:59 | |
| timotimo | my patch for initializing work with VMNull pointers survives spectests :) | 20:32 | |
| it seems like the validator is already supposed to bail out when argument numbers are out of range | 20:35 | ||
| but for some reason it doesn't fire | |||
| maybe when we put in lazy deserialization we forgot to trigger bytecode validation at some point? | 20:36 | ||
| jnthn | timotimo: Unlikely | 20:44 | |
| dalek | arVM: 9cce207 | timotimo++ | src/core/frame.c: initialize objetc registers with VMNull when allocating frames this ensures that even if we handle corrupt bytecode or broken code in general, that we get proper errors rather than segfaults. |
||
| jnthn | timotimo: The validation and the rest of deserialization is triggered by the same flag, I think | ||
| timotimo | right, i see now that the instrumentation barrier hit will cause the verification | 20:46 | |
| that shouldn't be b0rked :) | |||
| otherwise we'd have bigger problems | |||
| oh wow, what the ... | 20:50 | ||
| 1266 int save_errno = errno; | |||
| Cannot access memory at address 0x7fffff7fed0f | |||
| probably a stack overflow? | |||
| geekosaur | um, is that even sensible these days? | 20:51 | |
| errno usually expands to a function accessing thread local storage | |||
| timotimo | tell that to whoever made _IO_vfprintf_internal | ||
| oh, holy hell | 20:52 | ||
| the stack *is* big | |||
| hah | |||
| it looks like we're trying to complain about something | 20:53 | ||
| and when building the stack trace, we notice the string index for a filename is way past the string heap's end | |||
| or something like that | |||
| so what do we do? we throw an exception warning about that :) | 20:54 | ||
| then we panic_unhandled_ex, dump_backtrace, exception_backtrace_line, cu_obtain_string, exception_throw_adhoc, panic_unhandled_ex, ... :) | 20:55 | ||
| pretty cool that afl-fuzz found this | |||
| hoelzro | I love that name | 20:58 | |
| timotimo | yes! when i saw the picture that goes with the name on wikipedia, i knew i had to use that piece of software | 20:59 | |
| afl-fuzz is gnawing on a really, really, really big file right now :\ | 21:03 | ||
| 44.0 M execs for this phase, of which it has already done 1.28M :\ | 21:04 | ||
| hoelzro | wow | ||
| timotimo | but the expected amount goes down sometimes | ||
| it's 43.9M now | 21:05 | ||
| all in all, that instance of afl-fuzz has already executed moar 253M times over the last 4 days, 10 hours | |||
| did you look at the pretty graphs yet? hack.p6c.org/~timo/ | |||
| hoelzro | I haven't! | 21:08 | |
| 235 *million* times? | |||
| wow | |||
| timotimo | one of the runs only goes to --dump | 21:11 | |
| that's supposed to exercise the bytecode loader | 21:12 | ||
| the other one executes the .moarvm file in full | |||
| including dependencies, if there are any | |||
| wow, it got through that run that it claimed would take 44M execs | 21:14 | ||
| it seems to do some pretty agressive culling i guess | |||
|
21:17
lizmat joined
|
|||
| timotimo | jnthn: how best to remind you that there's an invalid read off the end of the to-be-decoded utf8-c8 buffer and what line does it? | 21:44 | |
| moarvm github issue? | 21:45 | ||
| jnthn | timotimo: Is it in RT? I can the end of that pretty often :) I think Tux already filed there today... :) | 21:48 | |
| timotimo | it doesn't result in a crash | 21:50 | |
| can't tell if it corrupts data or not | |||
| jnthn | invalid read is still bad | ||
| Note it on the RT maybe? | |||
| Will look there | |||
| Did you fix it some already? | 21:51 | ||
| timotimo | yup | ||
| jnthn | Cool...in master, or branch? | ||
| timotimo | trouble was we were convinced the buffer in "re_nfg" wouldn't ever need to grow | ||
| jnthn | ah | ||
| timotimo | even had a comment saying we'd never need a bigger buffer than the initial guess | ||
| it's in master | |||
| jnthn | heh, ok | ||
| Well, rest time...maybe will look tomorrow. Otherwise Wed is, as usual, reserved for Perl 6 things :) | 21:52 | ||
| timotimo | and the bytecode validator doesn't catch arg_* ops with obscene argument indices because it only checks if the number of calls is less than there are supposed to be args | ||
| jnthn | oops | ||
| timotimo | but nothing ensures that the arg calls are successive numbers, or all below the count | ||
| jnthn | Validator has a few holes... | ||
| There's comments at the top about some of 'em, iirc | 21:53 | ||
| Anyway, resting :) | |||
| timotimo | gnite! | ||
| "cur_frame->args indexes" is probably the one i'm looking at | |||
| buh, of course the validator works with the bytecode as a raw buffer and doesn't have things like the arguments nicely put into arrays and such | 22:00 | ||
| diakopter | buh indeed | 22:08 | |
|
22:14
Unavowed joined
|
|||