cmd/compile: missing bounds checks in 1.11 #27289
What version of Go are you using (
Yeah, might be so.
Obviously can't handle
It seems that this can be used to corrupt arbitrary memory.
referenced this issue
Aug 30, 2018
Here's a simple repro:
This should panic, but it doesn't.
Definitely an error in prove. At some point we derive the following fact, in the bounds-check-failed direction of the branch:
That is, the index is unsigned >= the length of the array (i.e. negative, or too big). This is correct.
Then the fence-post logic kicks in. If x-1 >= y, then x > y, right?
That's a contradiction, a value can't be greater than itself. Prove then assumes that the bounds-check-failed direction is unreachable. Hence the bug.
Here's the relevant fencepost logic:
This all seems reasonable with signed logic. But the bug is that (A)
I think we need signed/unsigned versions of this fencepost logic.
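
The fence-post inference discussed in the comment above ("if x-1 >= y, then x > y"), checked exhaustively over 8-bit values. This is an added example, not code from the issue or from the Go compiler; the function names are hypothetical and 8-bit types stand in for the wider integer types.

```go
package main

import "fmt"

// Added illustration, not compiler code: test the fence-post inference
// "x-1 >= y implies x > y" over every pair of 8-bit values.

// unsignedCounterexamples returns every (x, y) for which x-1 >= y holds in
// wrapping uint8 arithmetic while x > y does not.
func unsignedCounterexamples() [][2]uint8 {
	var bad [][2]uint8
	for x := 0; x < 256; x++ {
		for y := 0; y < 256; y++ {
			ux, uy := uint8(x), uint8(y)
			if ux-1 >= uy && !(ux > uy) { // ux-1 wraps to 255 when ux == 0
				bad = append(bad, [2]uint8{ux, uy})
			}
		}
	}
	return bad
}

// signedCounterexamples runs the same check with int8 comparisons.
func signedCounterexamples() [][2]int8 {
	var bad [][2]int8
	for x := -128; x < 128; x++ {
		for y := -128; y < 128; y++ {
			sx, sy := int8(x), int8(y)
			if sx-1 >= sy && !(sx > sy) { // sx-1 wraps to 127 when sx == -128
				bad = append(bad, [2]int8{sx, sy})
			}
		}
	}
	return bad
}

func main() {
	u, s := unsignedCounterexamples(), signedCounterexamples()
	fmt.Printf("unsigned: %d failures, first %v\n", len(u), u[0])
	fmt.Printf("signed:   %d failures, first %v\n", len(s), s[0])
}
```

The rule fails exactly where `x-1` wraps: at `x == 0` under unsigned comparison and at `x == -128` under signed comparison, so a rule written with one ordering in mind cannot be reused unchanged for the other.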