Ticket #59 (closed bug: fixed)

Opened 6 years ago

Last modified 6 years ago

OrderedHash exposes hash corruption

Reported by: cotto Owned by:
Priority: normal Milestone:
Component: core Version: trunk
Severity: medium Keywords: hash
Cc: Language:
Patch status: Platform: all

Description

Storing items in a hash with certain keys can cause garbage to be added near the end of hash->bs. This doesn't cause any issues for normal Hashes because the garbage is overwritten as the Hash is populated, but it breaks OrderedHash's clone() VTABLE function.

The bug can be exposed and reproduced by applying the attached patch (which adds a sanity_check METHOD to Hashes), and running the following PIR.

.sub main
    $P2 = new 'Hash'  
    $P2.'sanity_check'()
    say "adding c to hash..."
    $P2["c"] = 0
    $P2.'sanity_check'()
.end

This outputs:

hash->bs+0: key and value are null
<snip>
hash->bs+15: key and value are null
adding c to hash...
hash->bs+0: 'c' => '0'
hash->bs+1: key and value are null
<snip>
hash->bs+13: 't' =>  (null)
hash->bs+14: key and value are null
hash->bs+15: key and value are null

Note that using 'b' as a key causes no corruption and 'a' causes a segfault that screws up the stack.

As far as I've been able to trace it, a symptom of the problem is that at the end of parrot_hash_put, &(hash->bs[13])->key == &hash->bi[4]. I don't know what that implies (or if it's even the expected behavior), but it may be useful as a starting point for someone else to look at.

Attachments

hash_sanity_check.patch Download (1.1 KB) - added by cotto 6 years ago.
add sanity_check method to Hash PMCs

Change History

Changed 6 years ago by cotto

add sanity_check method to Hash PMCs

Changed 6 years ago by cotto

  • status changed from new to closed
  • resolution set to fixed

Thanks to some help from chromatic, this was fixed r34051 and r34052.

Note: See TracTickets for help on using tickets.