Stack Overflow (operator_int_cmp) #130

Closed
r0t0tiller opened this issue Apr 10, 2017 · 8 comments

Comments


r0t0tiller commented Apr 10, 2017

There is a stack-based buffer overflow in the operator_int_cmp function. Using the test case below, it is possible to trigger a stack overflow. It has something to do with the "self" value being called. Attached are the Valgrind, ASAN, and GDB output.

class Crash
{
	var x,y,w,h;
	
	func init (n1,n2,n3,n4)
	{
		x = n1;
		y = n2;
		w = n3;
		h = n4;
	}
	
	func Int()
	{	
		var i;

		while (i < self)
		{
			i += 1;
		}

		return i+i;
	}
}


func main()
{
	var a = 10;
	var b = Crash(1,2,3,4);
	return a + b;
}
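What the test case exercises: `<` on an Int receiver converts its object operand by calling the object's `Int()` method, and that method compares `i < self`, so the conversion re-enters the comparison with no bound until the native stack is exhausted. The C below is an added illustration, not Gravity's code: a toy VM with the same call shape and a conversion-depth guard that turns the unbounded re-entry into a runtime error. Every name, the depth limit of 64 and the way the guard is implemented are hypothetical; the error text is chosen to match the message quoted at the end of this thread.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example (not Gravity's code). Hypothetical value model:
 * a value is either a native Int or an object with a user-defined Int()
 * converter that may call back into the VM, exactly as the test case does. */
typedef struct Value Value;
typedef struct VM VM;
typedef bool (*int_converter_fn)(VM *vm, const Value *self, int64_t *out);

struct Value {
    enum { V_INT, V_OBJECT } kind;
    int64_t ival;              /* valid when kind == V_INT */
    int_converter_fn to_int;   /* valid when kind == V_OBJECT */
};

struct VM {
    int convert_depth;       /* object->Int conversions currently in flight */
    int max_convert_depth;   /* hypothetical limit; a real VM would derive it from its stack budget */
    const char *error;       /* last runtime error, NULL when none */
};

static bool vm_to_int(VM *vm, const Value *v, int64_t *out);

/* Operator `<` on an Int receiver: the right operand is converted to Int first. */
static bool vm_int_lt(VM *vm, const Value *lhs, const Value *rhs, bool *result) {
    int64_t a, b;
    if (!vm_to_int(vm, lhs, &a) || !vm_to_int(vm, rhs, &b)) return false;
    *result = a < b;
    return true;
}

/* Conversion with a re-entrancy guard: instead of recursing until the native
 * stack overflows, exceeding the depth limit aborts with a runtime error. */
static bool vm_to_int(VM *vm, const Value *v, int64_t *out) {
    if (v->kind == V_INT) { *out = v->ival; return true; }
    if (vm->convert_depth >= vm->max_convert_depth) {
        vm->error = "RUNTIME ERROR: Infinite loop detected. Current execution must be aborted.";
        return false;
    }
    vm->convert_depth++;
    bool ok = v->to_int(vm, v, out);
    vm->convert_depth--;
    return ok;
}

/* The Int() body from the test case: `var i; while (i < self) i += 1; return i+i;`
 * Converting self to Int invokes this converter again, so the guard trips. */
static bool crash_int(VM *vm, const Value *self, int64_t *out) {
    Value i = { V_INT, 0, NULL };   /* stand-in for the uninitialised `var i` */
    bool lt;
    while (true) {
        if (!vm_int_lt(vm, &i, self, &lt)) return false;   /* propagates the guard error */
        if (!lt) break;
        i.ival += 1;
    }
    *out = i.ival + i.ival;
    return true;
}

/* A well-behaved converter that does not re-enter the VM passes the guard. */
static bool plain_int(VM *vm, const Value *self, int64_t *out) {
    (void)vm; (void)self;
    *out = 42;
    return true;
}

/* `10 < Crash(...)`: returns false with vm->error set once the guard fires. */
bool run_compare_demo(VM *vm, bool *result) {
    vm->convert_depth = 0; vm->error = NULL;
    Value a = { V_INT, 10, NULL };
    Value b = { V_OBJECT, 0, crash_int };
    return vm_int_lt(vm, &a, &b, result);
}

/* `10 < obj` with a non-recursive converter: succeeds, result is 10 < 42. */
bool run_plain_demo(VM *vm, bool *result) {
    vm->convert_depth = 0; vm->error = NULL;
    Value a = { V_INT, 10, NULL };
    Value b = { V_OBJECT, 0, plain_int };
    return vm_int_lt(vm, &a, &b, result);
}

int main(void) {
    VM vm = { 0, 64, NULL };
    bool r;
    if (!run_compare_demo(&vm, &r)) printf("%s\n", vm.error);
    if (run_plain_demo(&vm, &r)) printf("plain converter: 10 < 42 is %s\n", r ? "true" : "false");
    return 0;
}
```

The guard lives in the conversion path rather than in the comparison operator so that any operator that converts an operand (add, compare, and so on) is covered by the same counter, and the counter is restored on every return path so one aborted conversion does not poison later ones.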
marcobambini added a commit that referenced this issue Apr 10, 2017
marcobambini (Owner) commented:

I think I have fixed it with d493524.
I am not sure I am 100% satisfied with the solution. Any advice is more than welcome.

marcobambini (Owner) commented:

I removed the Valgrind output because it was interpreted as reference to other issues.


r0t0tiller commented Apr 10, 2017

I am still playing with the code and the bug on this, but I think we have a different bug now. I was able to bypass the check for converting objects to Ints by doing a typecast. The code below will cause the heap to almost go into an infinite loop before crashing (heap overflow). It allocates 6,532,018,156 bytes on the heap before crashing.

Test 1:

class Crash
{
	var x,y,w,h;
	
	func init (n1,n2,n3,n4)
	{
		x = n1;
		y = n2;
		w = n3;
		h = n4;
	}
	
	func Int()
	{	
		var i;

		while (i < Int(self)) // Bug Here
		{
			i += 1;
		}

		return i+i;
	}
}


func main()
{
	var a = 10;
	var b = Crash(1,2,3,4);
	return a + b;
}

Test 2:

class Crash
{
	var x,y,w,h;
	
	func init (n1,n2,n3,n4)
	{
		x = n1;
		y = n2;
		w = n3;
		h = n4;
	}
	
	func Int()
	{	
		var i;

		while (i < Int()) // Bug Here
		{
			i += 1;
		}

		return i+i;
	}
}


func main()
{
	var a = 10;
	var b = Crash(1,2,3,4);
	return a + b;
}

Valgrind:

==2477== Memcheck, a memory error detector
==2477== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2477== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==2477== Command: ./gravity /home/ctf/Desktop/Crash_Data/overflow.gravity
==2477==
==2477== Warning: set address range perms: large range [0x495db040, 0x795db040) (undefined)
==2477== Warning: set address range perms: large range [0xe337028, 0x1e337058) (noaccess)
==2477== Invalid write of size 8
==2477== at 0x41A0B8: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Address 0x20000048 is 30,179,336 bytes inside a block of size 201,326,592 free'd
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Block was alloc'd at
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477==
==2477== Invalid write of size 8
==2477== at 0x41A0C0: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Address 0x20000040 is 30,179,328 bytes inside a block of size 201,326,592 free'd
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Block was alloc'd at
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477==
==2477== Invalid write of size 8
==2477== at 0x41B7ED: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Address 0x20000050 is 30,179,344 bytes inside a block of size 201,326,592 free'd
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Block was alloc'd at
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477==
==2477== Invalid write of size 8
==2477== at 0x41B7F1: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Address 0x20000058 is 30,179,352 bytes inside a block of size 201,326,592 free'd
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Block was alloc'd at
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477==
==2477== Invalid read of size 8
==2477== at 0x4170C2: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Address 0x20000030 is 30,179,312 bytes inside a block of size 201,326,592 free'd
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Block was alloc'd at
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477==
==2477== Invalid read of size 8
==2477== at 0x4170CB: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Address 0x20000038 is 30,179,320 bytes inside a block of size 201,326,592 free'd
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Block was alloc'd at
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477==
==2477== Invalid read of size 8
==2477== at 0x417B87: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Address 0x20000050 is 30,179,344 bytes inside a block of size 201,326,592 free'd
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Block was alloc'd at
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477==
==2477== Invalid read of size 8
==2477== at 0x417B8A: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Address 0x20000058 is 30,179,352 bytes inside a block of size 201,326,592 free'd
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Block was alloc'd at
==2477== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2477== by 0x41D804: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477==
==2477== Jump to the invalid address stated on the next line
==2477== at 0x0: ???
==2477== by 0x42D98B: gravity_hash_lookup (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x42EBDF: gravity_class_lookup_closure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41713E: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2477==
==2477==
==2477== Process terminating with default action of signal 11 (SIGSEGV)
==2477== Bad permissions for mapped region at address 0x0
==2477== at 0x0: ???
==2477== by 0x42D98B: gravity_hash_lookup (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x42EBDF: gravity_class_lookup_closure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41713E: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FAEF: gravity_vm_runclosure (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x425C96: operator_int_add (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41C8AD: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==2477==
==2477== HEAP SUMMARY:
==2477== in use at exit: 1,476,475,172 bytes in 1,217 blocks
==2477== total heap usage: 1,391 allocs, 174 frees, 6,532,018,156 bytes allocated
==2477==
==2477== LEAK SUMMARY:
==2477== definitely lost: 120 bytes in 3 blocks
==2477== indirectly lost: 0 bytes in 0 blocks
==2477== possibly lost: 1,073,742,568 bytes in 12 blocks
==2477== still reachable: 402,732,484 bytes in 1,202 blocks
==2477== suppressed: 0 bytes in 0 blocks
==2477== Rerun with --leak-check=full to see details of leaked memory
==2477==
==2477== For counts of detected and suppressed errors, rerun with: -v
==2477== ERROR SUMMARY: 9 errors from 9 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
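The Valgrind trace above reports eight-byte writes and reads landing inside a block that realloc had already freed, reached through gravity_vm_runclosure re-entered from operator_int_add. That signature is typical of a VM value stack that was reallocated during a nested call while the outer frame kept using a pointer taken before the growth. The C below is an added example, not Gravity's code, showing the defensive pattern: frames address their registers by index and re-derive any pointer after a call that may grow the stack. The VM layout, the growth policy and all names are hypothetical.

```c
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not Gravity's code). Hypothetical VM with a realloc-grown
 * value stack; every Value* taken from it is invalid after any growth. */
typedef int64_t Value;

typedef struct {
    Value *stack;
    size_t size;       /* slots in use */
    size_t capacity;   /* slots allocated */
    unsigned grows;    /* how many times the stack has been reallocated */
} VM;

/* Ensure `needed` free slots; may move the stack. Returns false on OOM. */
static bool vm_stack_reserve(VM *vm, size_t needed) {
    if (vm->size + needed <= vm->capacity) return true;
    size_t cap = vm->capacity ? vm->capacity : 8;
    while (cap < vm->size + needed) cap *= 2;
    Value *p = realloc(vm->stack, cap * sizeof *p);
    if (!p) return false;
    vm->stack = p;        /* any Value* cached before this line now dangles */
    vm->capacity = cap;
    vm->grows++;
    return true;
}

/* A nested closure needing `slots` registers: stands in for gravity_vm_runclosure
 * being re-entered from an operator implementation while the outer frame is live. */
static bool run_nested(VM *vm, size_t slots) {
    if (!vm_stack_reserve(vm, slots)) return false;
    size_t base = vm->size;
    vm->size += slots;
    for (size_t i = 0; i < slots; i++) vm->stack[base + i] = (Value)i;  /* scratch work */
    vm->size = base;                                                     /* pop the nested frame */
    return true;
}

/* Outer frame: 4 registers, a nested call that may force growth, then a write
 * to its own result register. The frame keeps only `base`; the register
 * pointer is computed again after run_nested() returns, never cached across it.
 * Returns the value read back from the result register, or -1 on failure. */
Value run_outer_frame(VM *vm, size_t nested_slots) {
    if (!vm_stack_reserve(vm, 4)) return -1;
    size_t base = vm->size;
    vm->size += 4;
    vm->stack[base + 0] = 10;   /* a */
    vm->stack[base + 1] = 32;   /* b */
    if (!run_nested(vm, nested_slots)) return -1;   /* stack may have moved here */
    Value *regs = vm->stack + base;                 /* re-derived after the call */
    regs[2] = regs[0] + regs[1];
    Value out = regs[2];
    vm->size = base;
    return out;
}

/* Runs the demo on a fresh VM and reports how many reallocations the nested
 * call caused. Returns the computed value (42) or -1 on failure. */
Value run_demo(size_t nested_slots, unsigned *grows_out) {
    VM vm = { NULL, 0, 0, 0 };
    Value v = run_outer_frame(&vm, nested_slots);
    if (grows_out) *grows_out = vm.grows;
    free(vm.stack);
    return v;
}

int main(void) {
    unsigned grows = 0;
    Value v = run_demo((size_t)1 << 20, &grows);
    printf("result %lld after %u stack reallocations\n", (long long)v, grows);
    return 0;
}
```

With a large nested frame the stack is reallocated at least once during `run_nested`, which is exactly the moment a cached `regs` pointer in the outer frame would start pointing into the freed block that Valgrind flagged; indexing from `base` keeps the outer frame correct regardless of how many times the stack moves.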

marcobambini (Owner) commented:

Well, it is not really a typecast; what you are really doing is allocating an Int class, passing self as an argument. It is an interesting case, something I have not covered yet. I should be able to fix it pretty quickly.

marcobambini (Owner) commented:

Fixed by c67888e.
Please confirm.


r0t0tiller commented Apr 13, 2017

The bug still exists using the same test case. Attached is the ASAN output. It causes an infinite loop.

==6083==ERROR: AddressSanitizer failed to allocate 0x100002000 (4294975488) bytes of LargeMmapAllocator (errno: 12)
==6083==Process memory map follows:
	0x000000400000-0x000000446000	/home/ctf/Desktop/New Gravity/gravity/gravity
	0x000000646000-0x000000647000	/home/ctf/Desktop/New Gravity/gravity/gravity
	0x000000647000-0x000000648000	/home/ctf/Desktop/New Gravity/gravity/gravity
	0x000000648000-0x000000649000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x606000000000	
	0x606000000000-0x606000010000	
	0x606000010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x608000000000	
	0x608000000000-0x608000010000	
	0x608000010000-0x60b000000000	
	0x60b000000000-0x60b000010000	
	0x60b000010000-0x60c000000000	
	0x60c000000000-0x60c000010000	
	0x60c000010000-0x60d000000000	
	0x60d000000000-0x60d000010000	
	0x60d000010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x612000000000	
	0x612000000000-0x612000010000	
	0x612000010000-0x616000000000	
	0x616000000000-0x616000020000	
	0x616000020000-0x619000000000	
	0x619000000000-0x619000020000	
	0x619000020000-0x61b000000000	
	0x61b000000000-0x61b000020000	
	0x61b000020000-0x61d000000000	
	0x61d000000000-0x61d000020000	
	0x61d000020000-0x61f000000000	
	0x61f000000000-0x61f000020000	
	0x61f000020000-0x621000000000	
	0x621000000000-0x621000020000	
	0x621000020000-0x623000000000	
	0x623000000000-0x623000020000	
	0x623000020000-0x624000000000	
	0x624000000000-0x624000030000	
	0x624000030000-0x627000000000	
	0x627000000000-0x627000020000	
	0x627000020000-0x629000000000	
	0x629000000000-0x629000010000	
	0x629000010000-0x62b000000000	
	0x62b000000000-0x62b000010000	
	0x62b000010000-0x62f000000000	
	0x62f000000000-0x62f000020000	
	0x62f000020000-0x631000000000	
	0x631000000000-0x631000030000	
	0x631000030000-0x633000000000	
	0x633000000000-0x633000040000	
	0x633000040000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7fb8140a2000-0x7fb8840a6000	
	0x7fb8b1400000-0x7fb8b1500000	
	0x7fb8b1600000-0x7fb8b1700000	
	0x7fb8b1744000-0x7fb8b3a96000	
	0x7fb8b3a96000-0x7fb8b3aac000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fb8b3aac000-0x7fb8b3cab000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fb8b3cab000-0x7fb8b3cac000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fb8b3cac000-0x7fb8b3caf000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fb8b3caf000-0x7fb8b3eae000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fb8b3eae000-0x7fb8b3eaf000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fb8b3eaf000-0x7fb8b3eb0000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fb8b3eb0000-0x7fb8b3ec8000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fb8b3ec8000-0x7fb8b40c7000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fb8b40c7000-0x7fb8b40c8000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fb8b40c8000-0x7fb8b40c9000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fb8b40c9000-0x7fb8b40cd000	
	0x7fb8b40cd000-0x7fb8b428c000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fb8b428c000-0x7fb8b448c000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fb8b448c000-0x7fb8b4490000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fb8b4490000-0x7fb8b4492000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fb8b4492000-0x7fb8b4496000	
	0x7fb8b4496000-0x7fb8b449d000	/lib/x86_64-linux-gnu/librt-2.23.so
	0x7fb8b449d000-0x7fb8b469c000	/lib/x86_64-linux-gnu/librt-2.23.so
	0x7fb8b469c000-0x7fb8b469d000	/lib/x86_64-linux-gnu/librt-2.23.so
	0x7fb8b469d000-0x7fb8b469e000	/lib/x86_64-linux-gnu/librt-2.23.so
	0x7fb8b469e000-0x7fb8b47a6000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fb8b47a6000-0x7fb8b49a5000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fb8b49a5000-0x7fb8b49a6000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fb8b49a6000-0x7fb8b49a7000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fb8b49a7000-0x7fb8b4a9b000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fb8b4a9b000-0x7fb8b4c9b000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fb8b4c9b000-0x7fb8b4c9e000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fb8b4c9e000-0x7fb8b4c9f000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fb8b4c9f000-0x7fb8b5914000	
	0x7fb8b5914000-0x7fb8b593a000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7fb8b5ae7000-0x7fb8b5b1d000	
	0x7fb8b5b20000-0x7fb8b5b2c000	
	0x7fb8b5b2f000-0x7fb8b5b39000	
	0x7fb8b5b39000-0x7fb8b5b3a000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7fb8b5b3a000-0x7fb8b5b3b000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7fb8b5b3b000-0x7fb8b5b3c000	
	0x7fff3e196000-0x7fff3e1b7000	[stack]
	0x7fff3e1c2000-0x7fff3e1c4000	[vvar]
	0x7fff3e1c4000-0x7fff3e1c6000	[vdso]
	0xffffffffff600000-0xffffffffff601000	[vsyscall]
==6083==End of process memory map.
==6083==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    0 0x7fb8b4a47631  (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0xa0631)
    1 0x7fb8b4a4c613 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0xa5613)
    2 0x7fb8b4a54641  (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0xad641)
    3 0x7fb8b49c9c0c  (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0x22c0c)
    4 0x7fb8b49cabf5  (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0x23bf5)
    5 0x7fb8b4a3f92f in realloc (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0x9892f)
    6 0x41d031 in gravity_vm_exec (/home/ctf/Desktop/New Gravity/gravity/gravity+0x41d031)
    7 0x4200e4 in gravity_vm_runclosure (/home/ctf/Desktop/New Gravity/gravity/gravity+0x4200e4)
    8 0x426486 in operator_int_add (/home/ctf/Desktop/New Gravity/gravity/gravity+0x426486)
    9 0x41c72b in gravity_vm_exec (/home/ctf/Desktop/New Gravity/gravity/gravity+0x41c72b)
    10 0x420442 in gravity_vm_runmain (/home/ctf/Desktop/New Gravity/gravity/gravity+0x420442)
    11 0x401737 in main (/home/ctf/Desktop/New Gravity/gravity/gravity+0x401737)
    12 0x7fb8b40ed82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    13 0x401948 in _start (/home/ctf/Desktop/New Gravity/gravity/gravity+0x401948)

marcobambini (Owner) commented:

Hi @tylerp96, please pull the latest version and try again.
I just tested it on Linux 64-bit using Valgrind and everything seems to work fine for me.

r0t0tiller (Author) commented:

Fixed. I got the error "RUNTIME ERROR: Infinite loop detected. Current execution must be aborted." Good fix.
