[Vm-dev] A new ready-to-crash image is available

Nicolas Cellier nicolas.cellier.aka.nice at gmail.com
Fri Feb 7 21:57:07 UTC 2020

Hi Stephane,
I first tried with a debug VM on OSX and could not trigger the failure.
A fast VM though does easily fail, here is where when launched via lldb:

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS
(code=1, address=0x38)
    frame #0: 0x10df6c75 Squeak3D`b3dAddBackFill(fillList=0x05cff2b8,
aFace=0x05cc6b18) at b3dMain.c:994:21 [opt]
   991 if(minZ <= (firstFace->minZ + lastFace->minZ) * 0.5) {
   992 /* search front to back */
   993 face = firstFace->nextFace;
-> 994 while(face->minZ < minZ) face = face->nextFace;
   995 } else {
   996 /* search back to front */
   997 face = lastFace->prevFace; /* already checked if lastFace->minZ <=
minZ */

Looking at full code of function, I do not see any logic error in
if faces are correctly sorted by increasing minZ, the while loop on line
994 should always exit before reaching NULL

Though, it seems that we exhaust the face chain without encoutering the
condition on line 994 and dereference a NULL pointer.
Why only with fast VM? It might be yet another case of Undefined Behavior
I have thus recompiled the VM with UB sanitizer, and there is indeed some
UB reported:

../../platforms/Cross/plugins/Squeak3D/b3dMain.c:1252:29: runtime error:
left shift of negative value -760
../../platforms/Cross/plugins/Squeak3D/b3dMain.c:1254:25: runtime error:
left shift of negative value -751
../../platforms/Cross/plugins/Squeak3D/b3dDraw.c:317:33: runtime error:
left shift of negative value -802
../../platforms/Cross/plugins/Squeak3D/b3dDraw.c:318:33: runtime error:
left shift of negative value -802
../../platforms/Cross/plugins/Squeak3D/b3dDraw.c:316:33: runtime error:
left shift of negative value -114
../../platforms/Cross/plugins/Squeak3D/b3dMain.c:829:61: runtime error:
left shift of negative value -2

Though, the instrumented fast VM does not fail...
It might be that some aggressive optimizations assuming the absence of UB
do not occur with all the instrumentation stuff embedded...

So it's not going to be easy to debug.
The only way I see is eliminating UB...
By protecting those left shift with (unsigned) cast, I also made the crash
disappear, which is a good clue.

IMO, declaring a left shift of negative int UB is sort of FOOLISH.
Yes, some overflow of sign bit by a 0 could happen, EXACTLY like overflow
of sign bit by a 1 could happen for positive!!!
For me, it should be implementation defined eventually for those exotic
machines using sign/magnitude rather than 2-complement.
But we cannot easily control what the standard committee decide, we have to
cope with...

We will have to protect each and every left shift in b3d with a cast...

Le mer. 5 févr. 2020 à 16:28, Stéphane Rollandin <lecteur at zogotounga.net> a
écrit :

> Hello,
> I made up a fairly repeatable way to crash the Squeak3D plugin again.
> Just evaluate the doIt proposed in the image at:
> http://www.zogotounga.net/swap/crashlab4.zip
> Things go wrong about every other time on my system, sometimes with a
> crash dump (one is featured in the archive), sometimes silently.
> You will have to way about 20 seconds for the animation to reach the
> critical point (when it stops, but sometimes before).
> BTW this animation also features a number of glitches - it would be nice
> to fix that too, but this is another topic.
> Stef
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squeakfoundation.org/pipermail/vm-dev/attachments/20200207/e00a615d/attachment-0001.html>

More information about the Vm-dev mailing list