
Heap corruption during parsing

kmcallister opened this issue · comments

Found with american fuzzy lop.

trait A {  
    fn a(&self) ->ze;  
}  

trait B { fn b(&self) -> e;  
}  

trait C {  
fn cne<T:A+B>(&self,&T) -> p;  
}  

struct Foo;  

impl A for Foo {  
fn b(&self) ->ze { 2 }  
    fn a(&self) -> us{***************************************************************************************************************************1 }fn b(&self) ->ze { 2 }  
}  

struct Bar;  

impl C for Bar { fn cGm<T:B+A>(&self, t: &T) ->ze { (t.a() * 100) + t.b()*}  

fn u<S:C, T:B+A>(s: &S, t: &T) -> us{  
s.ine(t)  
}  

fn main() {  
let foo = Foo; let bar = Bar;  
let r = c(&bar, &foo);  
 }_eq!(r, 10o);  
q!(r, 102);  
}
2:21:75: 21:76 error: unexpected token: `}`
2:21 impl C for Bar { fn cGm<T:B+A>(&self, t: &T) ->ze { (t.a() * 100) + t.b()*}
                                                                               ^

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffef3ff700 (LWP 5733)]
je_bitmap_unset () at /home/keegan/rust-master/src/jemalloc/include/jemalloc/internal/bitmap.h:215
215                             g = *gp;
(gdb) bt
#0  je_bitmap_unset () at /home/keegan/rust-master/src/jemalloc/include/jemalloc/internal/bitmap.h:215
#1  arena_run_reg_dalloc () at /home/keegan/rust-master/src/jemalloc/src/arena.c:217
#2  je_arena_dalloc_bin_locked () at /home/keegan/rust-master/src/jemalloc/src/arena.c:1780
#3  0x00007ffff74b9b06 in je_tcache_bin_flush_small () at /home/keegan/rust-master/src/jemalloc/src/tcache.c:120
#4  0x00007ffff74b654a in je_tcache_dalloc_small ()
    at /home/keegan/rust-master/src/jemalloc/include/jemalloc/internal/tcache.h:339
#5  je_arena_sdalloc () at /home/keegan/rust-master/src/jemalloc/include/jemalloc/internal/arena.h:1190
#6  je_isdalloct () at include/jemalloc/internal/jemalloc_internal.h:784
#7  je_isqalloc () at include/jemalloc/internal/jemalloc_internal.h:813
#8  isfree () at /home/keegan/rust-master/src/jemalloc/src/jemalloc.c:1257
#9  je_sdallocx () at /home/keegan/rust-master/src/jemalloc/src/jemalloc.c:1896
#10 0x00007ffff7adc436 in rustc_back..target..Target::drop.12797::h1e1c3ed7e6be37a6 ()
   from /home/keegan/rust-master/x86_64-unknown-linux-gnu/stage2/bin/../lib/librustc_driver-4e7c5e5c.so
#11 0x00007ffff7adba94 in rustc..session..Session::drop.12791::h2ce281c92dd41c3b ()
   from /home/keegan/rust-master/x86_64-unknown-linux-gnu/stage2/bin/../lib/librustc_driver-4e7c5e5c.so
#12 0x00007ffff7ad908a in driver::compile_input::ha75be46f7955f69aQba ()
   from /home/keegan/rust-master/x86_64-unknown-linux-gnu/stage2/bin/../lib/librustc_driver-4e7c5e5c.so
#13 0x00007ffff7b8f506 in run_compiler::h7ddd0e44b4551e93S4b ()
   from /home/keegan/rust-master/x86_64-unknown-linux-gnu/stage2/bin/../lib/librustc_driver-4e7c5e5c.so
#14 0x00007ffff7b8ce1e in boxed::F.FnBox$LT$A$GT$::call_box::h4968616622847640130 ()
   from /home/keegan/rust-master/x86_64-unknown-linux-gnu/stage2/bin/../lib/librustc_driver-4e7c5e5c.so
#15 0x00007ffff7b8c35a in rt::unwind::try::try_fn::h5274304894971128350 ()
   from /home/keegan/rust-master/x86_64-unknown-linux-gnu/stage2/bin/../lib/librustc_driver-4e7c5e5c.so
#16 0x00007ffff751cda9 in rust_try_inner ()
   from /home/keegan/rust-master/x86_64-unknown-linux-gnu/stage2/bin/../lib/libstd-4e7c5e5c.so
#17 0x00007ffff751cd96 in rust_try ()
   from /home/keegan/rust-master/x86_64-unknown-linux-gnu/stage2/bin/../lib/libstd-4e7c5e5c.so
#18 0x00007ffff7b8c62c in boxed::F.FnBox$LT$A$GT$::call_box::h3021413309117770884 ()
   from /home/keegan/rust-master/x86_64-unknown-linux-gnu/stage2/bin/../lib/librustc_driver-4e7c5e5c.so
#19 0x00007ffff74827f2 in sys::thread::create::thread_start::h73e97ad98bae720fruH ()
   from /home/keegan/rust-master/x86_64-unknown-linux-gnu/stage2/bin/../lib/libstd-4e7c5e5c.so
#20 0x00007ffff13dd0a4 in start_thread (arg=0x7fffef3ff700) at pthread_create.c:309
#21 0x00007ffff703904d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Tested on rustc 1.0.0-dev (f207ecb 2015-04-03) (built 2015-04-04). Also happens on play.rust-lang.org

Does not crash, or make valgrind complain, on new rustc (d9146bf 2015-04-07). Probably fixed in the parser improvements.

The old parser had quite a lot of unsafe code, though.

Anyway, minified:

impl () {
  fn p() { t + t* }  
  fn q() {  }
}

Neither of these crashes for me anymore either. @kmcallister , let me know if I'm missing something, but closing for now.