[Vm-dev] BitBltSimulation buffer overrun

Nicolas Cellier nicolas.cellier.aka.nice at gmail.com
Wed Sep 4 07:48:25 UTC 2019


To trigger the failure, just do this:

    BitmapStreamTests new testShortIntegerArrayReadRefStream2.

The source code of the BitBlt hack in ShortIntegerArray>>restoreEndianness
sounds correct.
The assertion failure occurs when destX < sourceX - presumably a case when
hDir = 1 (see checkSourceOverlap).

I used LLDB rather than simulation to find it fast, but now it would be
easier to just run VM simulation.
Here are the details:
1) I tried LLDB conditional break, but it's awfully slow
2) I modified generated source code and compiled the hardcoded condition:
   2131 /* pick up next word */ if( ((usqInt)sourceIndex) >= endOfSource )
   2132 assert((((usqInt)sourceIndex)) < endOfSource);
3) launch lldb, set the breakpoint
(lldb) br se -f BitBltPlugin.c -l 2132
(lldb) run ../../image/trunk6-64.image
4) I ran the SUnit tests...

Process 83691 launched:
'/Users/nicolas/Smalltalk/OpenSmalltalk/opensmalltalk-vm/build.macos64x64/squeak.cog.spur/SqueakDebug.app/Contents/MacOS/Squeak'
(x86_64)
Process 83691 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000100186871 Squeak`copyLoop at BitBltPlugin.c:2132
   2129 destMask = mask1;
   2130
   2131 /* pick up next word */ if( ((usqInt)sourceIndex) >= endOfSource )
-> 2132 assert((((usqInt)sourceIndex)) < endOfSource);
   2133 thisWord = long32At(sourceIndex);
   2134 sourceIndex += hInc;
   2135
Target 0: (Squeak) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x0000000100186871 Squeak`copyLoop at BitBltPlugin.c:2132
    frame #1: 0x0000000100182b81 Squeak`copyBitsLockedAndClipped at
BitBltPlugin.c:1595
    frame #2: 0x000000010017fba6 Squeak`copyBits at BitBltPlugin.c:1257
    frame #3: 0x000000010017fea3 Squeak`primitiveCopyBits at
BitBltPlugin.c:5115
    frame #4: 0x000000010000cd2d Squeak`interpret at gcc3x-cointerp.c:6192
    frame #5: 0x0000000100022196
Squeak`enterSmalltalkExecutiveImplementation at gcc3x-cointerp.c:16192
    frame #6: 0x0000000100001657 Squeak`interpret at gcc3x-cointerp.c:2761
    frame #7: 0x000000010015e477 Squeak`-[sqSqueakMainApplication
runSqueak](self=0x00000001018091d0, _cmd="runSqueak") at
sqSqueakMainApplication.m:201
    frame #8: 0x00007fff41cd87b8 Foundation`__NSFirePerformWithOrder + 360
    frame #9: 0x00007fff3fb4df57
CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__
+ 23
    frame #10: 0x00007fff3fb4de7f CoreFoundation`__CFRunLoopDoObservers +
527
    frame #11: 0x00007fff3fb303f8 CoreFoundation`__CFRunLoopRun + 1240
    frame #12: 0x00007fff3fb2fc93 CoreFoundation`CFRunLoopRunSpecific + 483
    frame #13: 0x00007fff3ee1ad96 HIToolbox`RunCurrentEventLoopInMode + 286
    frame #14: 0x00007fff3ee1aa0f HIToolbox`ReceiveNextEventCommon + 366
    frame #15: 0x00007fff3ee1a884
HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 64
    frame #16: 0x00007fff3d0caa73 AppKit`_DPSNextEvent + 2085
    frame #17: 0x00007fff3d860e34 AppKit`-[NSApplication(NSEvent)
_nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
    frame #18: 0x00007fff3d0bf885 AppKit`-[NSApplication run] + 764
    frame #19: 0x00007fff3d08ea72 AppKit`NSApplicationMain + 804
    frame #20: 0x0000000100158086 Squeak`main(argc=2,
argv=0x00007ffeefbff910, envp=0x00007ffeefbff928) at main.m:74
    frame #21: 0x00007fff67a5d015 libdyld.dylib`start + 1
(lldb) call printCallStack()
    0x7ffeefbd21e8 I ShortIntegerArray>restoreEndianness 0x1083e30e8: a(n)
ShortIntegerArray
    0x7ffeefbd2248 I ReadStream(PositionableStream)>nextWordsInto:
0x108377710: a(n) ReadStream
    0x7ffeefbd2298 I ShortIntegerArray class(ArrayedCollection
class)>newFromStream: 0x1089b2bf0: a(n) ShortIntegerArray class
    0x7ffeefbd22f0 M ReferenceStream(DataStream)>readWordLike 0x108377738:
a(n) ReferenceStream
    0x7ffeefbd2360 I ReferenceStream(DataStream)>next 0x108377738: a(n)
ReferenceStream
    0x7ffeefbd23c8 I ReferenceStream>next 0x108377738: a(n) ReferenceStream
    0x7ffeefbd2420 I BitmapStreamTests>testShortIntegerArrayReadRefStream2
0x1083775e0: a(n) BitmapStreamTests
snip...

(lldb) print skew
(sqInt) $25 = -24
(lldb) print preload
(sqInt) $26 = 1
(lldb) print hDir
(sqInt) $14 = 1

It seems to me that it's got something to do with the 64-bit shifter...
No time to simulate the VM now; if someone wants to take it, it's a good
exercise...


On Tue, Sep 3, 2019 at 23:44, Nicolas Cellier <
nicolas.cellier.aka.nice at gmail.com> wrote:

> Hi all,
> while running a debug squeak.cog.spur macos x64, I noticed repeated logs
> in console:
>
> > (((usqInt)sourceIndex)) < endOfSource 2132
>
> This corresponds to failing assert: in BitBltSimulation slang
>
>     srcLongAt: idx
>          <inline: #always>
>          self assert: idx asUnsignedInteger < endOfSource.
>          ^self long32At: idx
>
> Maybe it's a well-known bug, but it's easy to trigger if you are after it:
> Open Squeak5.1-16548-64bit.image (I took that of nsboot while testing
> failing Newspeak bootstrap
> https://github.com/OpenSmalltalk/opensmalltalk-vm/blob/Cog/tests/newspeakBootstrap.sh
> )
> Open TestRunner and run all tests...
>
>
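The guard that fires here (srcLongAt: asserting idx asUnsignedInteger < endOfSource), as a simplified C model added for this page rather than code from the OpenSmalltalk VM: a srcLongAt that refuses and reports an out-of-range read instead of calling assert(), and a row-read loop showing that a preload word (as when skew < 0, preload = 1) makes a row consume nWords + 1 source words. Word indexing, the function names and the 4-word source row are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Added example, not OpenSmalltalk VM code: a word-indexed model of the
 * srcLongAt: guard in BitBltSimulation>>copyLoop (the real loop uses byte
 * indices, hInc = +/-4, and does more per word; names are assumptions). */

/* Model of srcLongAt:. Unsigned index: a negative index also fails, as the
 * (usqInt)sourceIndex cast makes it in the generated C. Instead of assert(),
 * refuse the read and report it. */
static int src_long_at(const uint32_t *bits, size_t idx, size_t end, uint32_t *out)
{
    if (idx >= end)             /* the condition the assert checks */
        return -1;
    *out = bits[idx];
    return 0;
}

/* One row of source reads as the copy loop issues them: an optional preload
 * word (skew < 0 primes the shifter), then n_words words stepping by h_inc.
 * Returns how many reads the guard refused; 0 means the row stays in bounds. */
static int model_row_reads(const uint32_t *bits, size_t end, size_t source_index,
                           int h_inc, int preload, int n_words)
{
    int refused = 0, reads = n_words + (preload ? 1 : 0); /* preload = +1 read */
    uint32_t w;
    for (int i = 0; i < reads; i++) {
        if (src_long_at(bits, source_index, end, &w) != 0)
            refused++;
        source_index += (size_t)h_inc;  /* wraps below 0, so the guard fails it */
    }
    return refused;
}

/* Constructed 4-word source row for the scenarios below. */
static const uint32_t kRow[4] = {0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u};

/* hDir = 1: start at word 0 moving right; hDir = -1: start at the last word. */
static int forward_row_refused(int preload, int n_words)
{ return model_row_reads(kRow, 4, 0, 1, preload, n_words); }
static int backward_row_refused(int preload, int n_words)
{ return model_row_reads(kRow, 4, 3, -1, preload, n_words); }

int main(void)
{
    /* With preload the row needs n_words + 1 source words; 4 of 4 overruns. */
    printf("hDir=1 preload=1 nWords=4: %d refused read(s)\n", forward_row_refused(1, 4));
    printf("hDir=1 preload=1 nWords=3: %d refused read(s)\n", forward_row_refused(1, 3));
    return 0;
}
```

The same arithmetic applies in either direction: backward_row_refused(1, 4) also reports one refused read, because the preload word plus four loop words step past word 0 and wrap to an index the unsigned comparison rejects.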