Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mac OS: C++ printer segfaults #242

Closed
andreasabel opened this issue Nov 4, 2018 · 1 comment
Closed

Mac OS: C++ printer segfaults #242

andreasabel opened this issue Nov 4, 2018 · 1 comment
Assignees
@andreasabel
Labels
bug C++
Milestone
2.8.2

Comments

@andreasabel
Copy link
Member

andreasabel commented Nov 4, 2018
edited

Running bnfc-system-tests, I observed that the C++ AST printer for examples/GF/gf.cf https://github.com/BNFC/bnfc/blob/master/examples/GF/gf.cf segfaults when run on examples/GF/example.gf https://github.com/BNFC/bnfc/blob/master/examples/GF/example.gf .

I do not want to debug this. A brief look into the generated printer shows that it has inline functions and destructive update of a buf_ variable.

bnfc/source/src/BNFC/Backend/CPP/PrettyPrinter.hs

Lines 146 to 163 in 344ccde

" void inline resizeBuffer(void)",
" {",
" char *temp = (char *) malloc(buf_size);",
" if (!temp)",
" {",
" fprintf(stderr, \"Error: Out of memory while attempting to grow buffer!\\n\");",
" exit(1);",
" }",
" if (buf_)",
" {",
" strcpy(temp, buf_);",
" free(buf_);",
" }",
" buf_ = temp;",
" }",
" char *buf_;",
" int cur_, buf_size;",
"};",

I leave this to C++ enthusiasts and fans of pointer manipulations. Happy segfaulting!

$ g++ --version
Configured with: --prefix=/Applications/Xcode.app/Contents/Developer/usr --with-gxx-include-dir=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.14.sdk/usr/include/c++/4.2.1
Apple LLVM version 10.0.0 (clang-1000.11.45.5)
Target: x86_64-apple-darwin18.0.0
Thread model: posix
@andreasabel
Copy link
Member Author

Ah, I am too good natured, I fixed it anyway.
When you try to strcpy a previously grown buffer buf_ into a buffer temp of BUFFER_INITIAL size, yes, then you segfault on a good operating system.

bnfc/source/src/BNFC/Backend/CPP/PrettyPrinter.hs

Lines 141 to 156 in 344ccde

" buf_size = " ++ nsDefine inPackage "BUFFER_INITIAL" ++ ";",
" resizeBuffer();",
" memset(buf_, 0, buf_size);",
" }",
"",
" void inline resizeBuffer(void)",
" {",
" char *temp = (char *) malloc(buf_size);",
" if (!temp)",
" {",
" fprintf(stderr, \"Error: Out of memory while attempting to grow buffer!\\n\");",
" exit(1);",
" }",
" if (buf_)",
" {",
" strcpy(temp, buf_);",

Good old buffer overrun. Wonder if someone managed to hack machines with bnfc installed through this.

@andreasabel andreasabel self-assigned this Nov 4, 2018
@andreasabel andreasabel added this to the 2.8.2 milestone Nov 4, 2018
andreasabel added a commit that referenced this issue Nov 4, 2018
@andreasabel
[ re #242 ] some relaxations to not worry about 1-off bugs
a065117 
I sleep better if I do not have to worry about the corner cases which
have not been verified by a theorem prover or static analysis.
@andreasabel andreasabel mentioned this issue Apr 29, 2019
Closed
andreasabel added a commit that referenced this issue Nov 24, 2019
@andreasabel
Fixed quadratic behavior in C++ generated printer.
69b4dab 
This regression was introduced in the fix of issue #242 (commit
a065117).  It would cause the C++
generated printer to call resizeBuffer for every string appended to the
buffer, not just when resizing was needed.  So for each call to
bufAppend(char*/String), O(n) bytes were copied, with the complexity
deteriorating to O(n^2).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@andreasabel andreasabel

Labels
bug C++
Projects
None yet
Milestone
2.8.2
Development

No branches or pull requests
1 participant
@andreasabel