digitalmars.D.bugs - [Issue 18717] New: Segfault in BitManip
- d-bugmail puremagic.com (48/48) Apr 03 2018 https://issues.dlang.org/show_bug.cgi?id=18717
https://issues.dlang.org/show_bug.cgi?id=18717

          Issue ID: 18717
           Summary: Segfault in BitManip
           Product: D
           Version: D2
          Hardware: x86_64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P1
         Component: phobos
          Assignee: nobody puremagic.com
          Reporter: cpicard openmailbox.org

The following program segfaults with dmd v2.079.0 when compiled with no arguments on x86_64:

```
import std.bitmanip;

void main(string[] args)
{
    auto barray = BitArray();
    ulong evilVal = 2534886795;      // does not fit in a signed 32-bit int
    barray.length = evilVal + 1;     // length strictly greater than the index
    barray[evilVal];                 // indexing here crashes
}
```

The segfault happens there:

```
╭ (fcn) sym._D4core5bitop2btFNaNbNixPmmZi 13
│   sym._D4core5bitop2btFNaNbNixPmmZi ();
│           0x5558709cde6c      55             push rbp
│           0x5558709cde6d      488bec         mov rbp, rsp
|           ;-- rip:
│           0x5558709cde70      0fa33e         bt dword [rsi], edi
│           0x5558709cde73      19c0           sbb eax, eax
│           0x5558709cde75      f7d8           neg eax
│           0x5558709cde77      5d             pop rbp
╰           0x5558709cde78      c3             ret
            0x5558709cde79      0000           add byte [rax], al
            0x5558709cde7b  ~   005548         add byte [rbp + 0x48], dl
```

At that point we have:

```
rsi = 0x7f40163e2010 -> our BitArray
rdi = 0x97174d8b     -> "evilVal"
```

A look at /proc/*/maps shows that the call falls into that section:

IIUC this is what was allocated for our BitArray. However this isn't enough as 0x00007f4032928000 - 0x00007f40163e2000 < 2534886795. Therefore my understanding is that not enough memory was allocated to hold the BitArray even though we specified a length strictly greater than the index we are accessing.

--
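One detail worth pulling out of the listing above: the bit index is passed to `bt` through edi, a 32-bit register, while the index in the report (2534886795, 0x97174d8b) has its top bit set and is therefore negative when read as a signed 32-bit value. A `bt` whose bit offset comes from a register treats that offset as signed, so the access lands a long way before the base pointer rather than just past the end of the allocation. The C program below is an added illustration and is not code from the bug report or from Phobos: `narrowed_byte_offset` models what narrowing a 64-bit index to a 32-bit register does to the address reached, and the `bitarray` type (a constructed stand-in, not std.bitmanip.BitArray) keeps the index at `size_t` width and bounds-checks it before touching memory, returning -1 instead of crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a 32-bit `bt r/m32, r32`: only the low 32 bits of the index reach
 * the register, and the instruction treats them as a signed value. Returns
 * the byte offset from the base pointer that such an access would reach for
 * `bit`. A negative result means "before the allocation", which is where the
 * crash in the report lands. */
static long long narrowed_byte_offset(uint64_t bit)
{
    uint32_t low = (uint32_t)bit;                  /* high 32 bits silently dropped */
    int32_t signed_off;
    memcpy(&signed_off, &low, sizeof signed_off);  /* reinterpret as signed */
    long long word = signed_off / 32;              /* C truncates toward zero ... */
    if (signed_off < 0 && signed_off % 32 != 0)
        word -= 1;                                 /* ... so round down by hand */
    return word * 4;                               /* 4 bytes per dword */
}

/* A bit array whose index stays at full width and is validated before use.
 * Constructed for this example; it is not std.bitmanip.BitArray. */
typedef struct {
    uint64_t *words;
    size_t    nbits;
} bitarray;

/* Allocates room for `nbits` zeroed bits. Returns 0, or -1 on allocation failure. */
static int bitarray_init(bitarray *ba, size_t nbits)
{
    size_t nwords = (nbits + 63) / 64;
    ba->words = calloc(nwords ? nwords : 1, sizeof *ba->words);
    if (ba->words == NULL)
        return -1;
    ba->nbits = nbits;
    return 0;
}

/* Returns the bit (0 or 1), or -1 when `bit` is outside the array. */
static int bitarray_test(const bitarray *ba, size_t bit)
{
    if (bit >= ba->nbits)
        return -1;
    return (int)((ba->words[bit / 64] >> (bit % 64)) & 1u);
}

/* Sets the bit; returns 0 on success, -1 when `bit` is outside the array. */
static int bitarray_set(bitarray *ba, size_t bit)
{
    if (bit >= ba->nbits)
        return -1;
    ba->words[bit / 64] |= (uint64_t)1 << (bit % 64);
    return 0;
}

/* Allocates `nbits`, sets `bit`, reads it back and frees. Returns the read
 * result (1 in range, -1 out of range) or -2 if allocation failed. */
static int checked_roundtrip(size_t nbits, size_t bit)
{
    bitarray ba;
    if (bitarray_init(&ba, nbits) != 0)
        return -2;
    bitarray_set(&ba, bit);                 /* rejected harmlessly if out of range */
    int r = bitarray_test(&ba, bit);
    free(ba.words);
    return r;
}

int main(void)
{
    const uint64_t evil = 2534886795ULL;   /* the index from the report */
    printf("bit %llu: low 32 bits = 0x%08llx, byte offset a 32-bit bt would use = %lld\n",
           (unsigned long long)evil, (unsigned long long)(uint32_t)evil,
           narrowed_byte_offset(evil));
    /* The same index through the checked array (about 317 MB of zeroed words). */
    printf("checked test of bit %llu in %llu bits: %d\n",
           (unsigned long long)evil, (unsigned long long)(evil + 1),
           checked_roundtrip((size_t)(evil + 1), (size_t)evil));
    return 0;
}
```

The two halves make the same point from opposite sides: with the report's index, `narrowed_byte_offset` comes out negative (roughly 210 MB before the base pointer), which matches a fault far outside any mapping the allocator returned; the checked array, which never lets the index pass through a narrower type and refuses anything at or beyond `nbits`, reads the bit back correctly. Any index-to-word conversion in a bit container should be written with the same discipline: compute the word and bit offsets in `size_t` and compare against the stored length before dereferencing.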