Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crash in typeinfo when using the marshal module #1462

Closed
DiThi opened this issue Sep 20, 2024 · 1 comment · Fixed by #1463
Closed

Crash in typeinfo when using the marshal module #1462

DiThi opened this issue Sep 20, 2024 · 1 comment · Fixed by #1463
Assignees
@zerbina
Labels
bug Something isn't working stdlib Standard library

Comments

@DiThi
Copy link

DiThi commented Sep 20, 2024
edited
Loading

Specification

Using the marshal module the application crashes in some situations.

Example

import std/marshal

type ImageSetting = object
    filename, name: string
    a, b, c: float32

type Settings = object
    last_uri: string
    images: seq[ImageSetting]

var settings: Settings

# it only crashes when last_uri is at least 40 characters long

settings = to[Settings]("""{
  "last_uri": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "images": [
    {
      "name": ""
    }
  ]
}""")

echo settings

This is the smallest I've been able to make an example that crashes before even doing anything with it. If we remove anything, it seems to work until you use the data (with the last echo) when it does crash trying to access a string.

Actual Output

Traceback (most recent call last)
[...]/main.nim(16) main
[...]/nimskull/lib/pure/marshal.nim(339) to
[...]/nimskull/lib/pure/marshal.nim(269) loadAny
[...]/nimskull/lib/pure/marshal.nim(189) loadAny
[...]/nimskull/lib/pure/marshal.nim(174) loadAny
[...]/nimskull/lib/pure/marshal.nim(189) loadAny
[...]/nimskull/lib/pure/marshal.nim(236) loadAny
[...]/nimskull/lib/core/typeinfo.nim(605) setString
SIGSEGV: Illegal storage access. (Attempt to read from nil?)

And if we do something like removing a float or shortening the string:

Traceback (most recent call last)
[...]/src/main.nim(25) main
[...]/nimskull/lib/system/dollars.nim(104) $
[...]/nimskull/lib/system.nim(2848) addQuoted
[...]/nimskull/lib/system/dollars.nim(146) $
[...]/nimskull/lib/system/dollars.nim(116) collectionToString
[...]/nimskull/lib/system.nim(2848) addQuoted
[...]/nimskull/lib/system/dollars.nim(104) $
[...]/nimskull/lib/system.nim(2828) addQuoted
SIGSEGV: Illegal storage access. (Attempt to read from nil?)

Expected Output

(last_uri: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", images: @[(filename: "", name: "", a: 0.0, b: 0.0, c: 0.0)])

Possible Solution

Printing some info in setString suggests that the string "name" is being overwritten with "xxxxxxxxxxxxxxxx", so both the length and the address of the payload become 8680820740569200760.

Additional information

Using Linux x86_64, all default settings.
@DiThi DiThi added the bug Something isn't working label Sep 20, 2024
@zerbina zerbina added the stdlib Standard library label Sep 22, 2024
@zerbina zerbina self-assigned this Sep 22, 2024
@zerbina
Copy link
Collaborator

zerbina commented Sep 22, 2024

The problem is with the content of the freshly-allocated sequence not being zeroed, resulting in a segmentation fault when a string is assigned to a location therein.

@zerbina zerbina mentioned this issue Sep 25, 2024
Merged
github-merge-queue bot pushed a commit that referenced this issue Sep 25, 2024
@zerbina
fix(typeinfo): expanding seq doesn't clear locations (#1463)
c61e95b 
## Summary

New seq slots are now zeroed when expanding the seq via `invokeNewSeq`
or `extendSeq`, making the behaviour consistent with `setLen` and
`newSeq`, and also fixing crashes with `marshal` caused by the
uninitialized memory.

## Details

Zeroing the memory is not correct for types that don't have a zero-
default, but those cannot be detected with just RTTI. Zeroing the
memory is usually still better then leaving it as is.

For the JavaScript and VM backends, the `zeroMem` call is excluded
from compilation. Using `invokeNewSeq` and `extendSeq` is already
not possible on these backends.

Fixes #1462
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zerbina zerbina

Labels
bug Something isn't working stdlib Standard library
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(typeinfo): expanding seq doesn't clear locations zerbina/nimskull
2 participants
@DiThi @zerbina