| timotimo | afl claims to have found 303 unique ways to crash moar using fuzzed .moarvm files | 01:05 | |
| samcv | timotimo: crash as in ungracefully? like without a MVM_oops or throwing? | 01:09 | |
| i could see that happening | |||
| timotimo | segfaulting, i believe. though it can also mean running against the memory limit i *think* | 01:10 | |
| just taking too long is counted separately as a timeout, i believe | 01:11 | ||
| the compressed bunch of files is just 450 kbytes big - extracts to 100 megs | |||
| hack.p6c.org/~timo/moar-fuzzing-stuff.tar.xz | |||
| f0478cc5138d27aeeb618d84142b3c9cee81c79026b58e8556744d45284e5f6d is the sha256sum | 01:12 | ||
| because i think hack's webserver doesn't do https perhaps? | |||
| anyway, cd into the input folder and moar ../findings/crashes/blah | |||
| hack.p6c.org/~timo/ - this has the plots afl makes | 01:14 | ||
| i believe the speed differences clearly visible on the bottom left comes from it reaching a different input file | 01:15 | ||
| a bigger input file, i expect | 01:16 | ||
| the nqp input currently looks like lots and lots of 4, then a *, then lots of 4 again and a P and more 4s | |||
| there's a null byte or two in there, as well | 01:17 | ||
| cool, i just saw it go from one cycle to the next. the nqp side of things has done 46 cycles now | 01:19 | ||
| what it identified as crashes was a whole lot less explosive than i had expected. .. like not crashy at all :( | 01:20 | ||
| samcv | hmm | ||
| ../finding_0/crashes/id:000005,sig:11,src:000000,op:flip1,pos:88 this gets angry with asan | |||
| By a read memory access, address points to the zero page | |||
| timotimo | one of the early crashes is just clargs being turned into some op that tries to use its first register as an object of some kind, but in the fuzzed version it's actually a register that was just nulled out | 01:21 | |
| samcv | yeah asan is very unhappy with most of these | 01:22 | |
| maybe all | |||
| timotimo | that's what we get afl for :) | 01:23 | |
|
01:48
ilbot3 left
01:56
ilbot3 joined
04:55
lizmat left
05:01
lizmat joined
|
|||
| Geth | MoarVM: b836b0dfd1 | (Samantha McVey)++ | src/6model/reprs/MVMMultiCache.c Initialize pointers in MVMMultiCache.c to NULL Coverity scan stated known_type_st needs to be initialized as NULL as it's possible it can be accessed before it's initialized. I set all the other pointers in the file to NULL as an added measure. |
05:08 | |
|
05:46
domidumont joined
05:52
domidumont left
05:53
domidumont joined
06:19
domidumont left
06:37
domidumont joined
|
|||
| Geth | MoarVM: 4470c96cc9 | (Samantha McVey)++ | src/strings/shiftjis.c Fix the shiftjis decode bug in decode as well as decodestream Also rename the variables in decodestream to be the same as te ones in the current patch. Fixes an issue where a -1 grapheme in the replacement could cause unexpected behavior. |
06:45 | |
|
06:50
Ven`` joined
06:54
Ven`` left,
Ven`` joined
07:26
zakharyas joined
|
|||
| samcv | .ask brrt this showed up on the coverity scan. was thinking of maybe adding a comment like so cry.nu/p/qh7j | 07:29 | |
| yoleaux | samcv: I'll pass your message to brrt. | ||
| samcv | .tell brrt this was the coverity scan issue fyi scan4.coverity.com/reports.htm#v27...tId=287693 i think it's totally fine (probably) though youknow better | 07:30 | |
| yoleaux | samcv: I'll pass your message to brrt. | ||
| samcv | this one looks more interesting, we don't guard against accessing out of bounds array access in MVM_jit_get_template_for_opcode scan4.coverity.com/reports.htm#v27...tId=287729 | ||
| we only guard it's less than MVM_OP_EXT_BASE, but the array is 867 at time of writing while MVM_OP_EXT_BASE is 1024 | 07:31 | ||
|
07:37
brrt joined
09:18
brrt left,
brrt joined
10:00
brrt left
11:11
Ven`` left
11:24
zakharyas left
11:58
brrt joined
12:31
Ven`` joined
12:46
Ven` joined,
Ven` left
12:47
Ven` joined
12:49
Ven`` left
12:57
zakharyas joined
13:21
Ven` left,
Ven`` joined
13:25
Redfoxmoon joined
|
|||
| Redfoxmoon | What's the minimum version of GCC needed to build moarvm? | 13:25 | |
| brrt | i have no idea | 13:48 | |
| yoleaux | 07:29Z <samcv> brrt: this showed up on the coverity scan. was thinking of maybe adding a comment like so cry.nu/p/qh7j | ||
| 07:30Z <samcv> brrt: this was the coverity scan issue fyi scan4.coverity.com/reports.htm#v27...tId=287693 i think it's totally fine (probably) though youknow better | |||
| brrt | is there a version that's broken? | ||
| .ask samcv is there a public version where I can see that? | 13:50 | ||
| yoleaux | brrt: I'll pass your message to samcv. | ||
| brrt | i mean, that shouldn't ever ever happen | ||
| .samcv: samcv: if you wrap it with a #if MVM_JIT_DEBUG or something like that, then I"m perfectly happy | 13:52 | ||
| .tell samcv I'll be happy, and i'll be happier if wrapped with #if MVM_JIT_DEBUG, because in real code this basically cannot happen | 13:53 | ||
| yoleaux | brrt: I'll pass your message to samcv. | ||
|
13:56
Ven`` left
14:01
Ven`` joined
14:15
brrt left
14:39
brrt joined
|
|||
| brrt | i'm thinking of dropping the whole remove-invokish thing and getting the jit-stack-walker branch merged as-is | 14:48 | |
|
15:03
brrt left,
brrt joined
15:05
Ven`` left
15:09
Ven`` joined
|
|||
| samcv | ah k. though we'll need a define that has the length of the actual array. i think that array is generated or is it not? | 15:19 | |
| yoleaux | 13:50Z <brrt> samcv: is there a public version where I can see that? | ||
| 13:53Z <brrt> samcv: I'll be happy, and i'll be happier if wrapped with #if MVM_JIT_DEBUG, because in real code this basically cannot happen | |||
| [Coke] | brrt: any luck with those warnings? | 15:20 | |
| brrt | [Coke]: sorry, have not been sufficiently online so far | 15:21 | |
| [Coke] | no worries | ||
| brrt | samcv: which array? | ||
| oh, the NVR_GPR_BITMAP | 15:22 | ||
| samcv | no | ||
| brrt | that's not even really an array | ||
| samcv | MVM_jit_expr_template_info | 15:23 | |
| brrt | oh, that one | ||
| yeah | |||
| i was going to fix that with a sizeof(MVM_jit_expr_template_info)/sizeof(MVM_jit_expr_template_info[0]); then i realized that we ought to have a macro for that, then I forgot and started doing something else | |||
| that one *is* a bug, i actually agree | 15:24 | ||
| samcv | ok :) | ||
| brrt | having said that, i've been thinking about jit-debug flags | 15:26 | |
|
15:33
Ven`` left
15:56
brrt left
|
|||
| timotimo | Redfoxmoon: we are developing moarvm in c89, so i assume the gcc can be a couple of years old and still work | 16:02 | |
| Redfoxmoon: have you got any specific version in mind that doesn't seem to work? | 16:03 | ||
| Redfoxmoon | o_O | ||
| Oh, no, just wondered before bothering to try:-) | |||
| timotimo | we're keeping compatibility with MSVC, which is not quite but almost the worst thing in my whole existence | ||
| Redfoxmoon | heheheheh. yeah. | 16:04 | |
| I've got a policy of only using GNU C myself :P | |||
| out of pure spite | |||
|
16:04
domidumont left
16:21
zakharyas left
16:43
domidumont joined
16:44
brrt joined
|
|||
| brrt | oh. I may have fixed the no-more-invokish thing after all | 16:44 | |
| Geth | MoarVM/jit-stack-walker: bba6fd85e7 | (Bart Wiegmans)++ | 15 files [JIT] No more invokish Some MoarVM opcodes can change control flow for the interpreter, e.g by invoking a new frame or jumping to a new ecxeption handler. The JIT relied specially compiled 'control guards' to in order follow these control flow changes. However, now that we actually have a pointer to the return-address on stack, it is possible to change the 'current position' for the JIT-compiled code, much like for interpreted code. Thus, the control guards are no longer necessary, which should result in a nice reduction in code size and hopefully a speedup as well. |
||
|
17:02
zakharyas joined
|
|||
| Geth | MoarVM/jit-stack-walker: 17 commits pushed by (Bart Wiegmans)++ review: github.com/MoarVM/MoarVM/compare/b...913728a9d9 |
17:04 | |
| brrt | ^ rebase | 17:08 | |
| samcv | this looks like a bug scan4.coverity.com/reports.htm#v27...tId=287729 | 17:09 | |
| if (!ds_>bytes_head && pos == 0) return; but then below we check ds->bytes_head->length | 17:10 | ||
| so if there's no ds->bytes_head but pos != 0 then we'll dereference the null poniter | |||
|
17:13
brrt left
|
|||
| samcv | i'm thinking it should probably never happen so i may just want to guard against it with an exception | 17:15 | |
| Geth | MoarVM: 1b83cc54bf | (Samantha McVey)++ | src/strings/decode_stream.c Guard against null pointer dereference in decodestream_discard I'm guessing that this in proper operation should not happen, but to be safe it's a good idea to guard it with throwing an exception so MoarVM doesn't explode by dereferencing a null pointer if ds->bytes_head == NULL and pos != 0. Detected by Coverity scan. |
17:18 | |
| samcv | .ask jnthn i think this seems proper github.com/MoarVM/MoarVM/commit/1b83cc54bf trying to fix this coverity scan warning scan4.coverity.com/reports.htm#v27...tId=287729 let me know if any issues with this | 17:20 | |
| yoleaux | samcv: I'll pass your message to jnthn. | ||
| samcv | so 74 issues now i think i've dealt with almost 10 coverity issues so far. maybe 5 at least. idk i'm bad at estimating :) | 17:21 | |
| seems like it's at least 6 | |||
| and dismissed several that were false positives associated with MVM_trycas since it resolves to AO_compare_and_swap_full which uses asm to set values | 17:23 | ||
| Geth | MoarVM: 212e4175fb | (Samantha McVey)++ | 2 files Annotate the switch in generate_codepoints_by_name Also add a comment about an unused value that was detected by a Coverity scan. Semi more importantly I annotated what each of the switch values denote making it more understandable what is happening. |
17:32 | |
| MoarVM: a0eb65bf82 | (Samantha McVey)++ | src/gc/roots.c Fix unportable sizeof in roots.c sizeof(MVMCollectable*) is the same as sizeof(MVMCollectable**) generally, but not guarenteed by C standard. Detected by Coverity scan. |
17:42 | ||
| MoarVM: 853ea27c70 | (Samantha McVey)++ | src/debug/debugserver.c Check that socket() doesn't return -1 in debugserver We checked that setsockopt(), bind() and listen() don't return -1 but didn't check that socket() didn't return -1. Detected by Coverity scan. |
17:52 | ||
| MoarVM: 4fcbdce2af | (Samantha McVey)++ | src/main.c Put code in an ifdef for HAVE_TELEMEH that was dead otherwise Detected by Coverity scan. There is code above that's in an ifdef for HAVE_TELEMEH but code below was not. |
17:56 | ||
|
17:59
zakharyas left
|
|||
| samcv | timotimo: i think this may be a valid bug? scan4.coverity.com/reports.htm#v38...tId=287691 you know more about this than me | 18:04 | |
| seems to be a place we don't get a lock before setting a value? | 18:05 | ||
|
18:49
brrt joined
|
|||
| Geth | MoarVM: bdw++ created pull request #868: [JIT] Use on-stack return address for reading and writing the current position |
18:50 | |
|
19:04
domidumont left
|
|||
| Geth | MoarVM/jit-stack-walker: 409f68a294 | (Bart Wiegmans)++ | src/jit/stub.c [JIT] Unbreak stub lizmat++ for pointing this out |
19:17 | |
|
19:17
brrt left
20:05
brrt joined
20:40
brrt left
21:17
lizmat left
21:19
lizmat joined
|
|||