[SR-9348] Crash in Set insert #51817

Closed
aschwaighofer opened this issue Nov 26, 2018 · 6 comments
Labels
bug A deviation from expected or documented behavior. Also: expected but undesirable behavior. standard library Area: Standard library umbrella

@aschwaighofer
Member

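| Field | Value |
|---|---|
| Previous ID | SR-9348 |
| Radar | None |
| Original Reporter | @aschwaighofer |
| Type | Bug |
| Status | Resolved |
| Resolution | Done |

Additional Detail from JIRA

| Field | Value |
|---|---|
| Votes | 0 |
| Component/s | Standard Library |
| Labels | Bug |
| Assignee | @lorentey |
| Priority | Medium |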

md5: 9adc0fc9f37fd1d69cfd162853a9b4db

Issue Description:

The following program crashes in the ultimate insert call if run with libgmalloc.

```swift
var alphanumericsMemo = Set<UInt32>()

// Computed property that forwards to the stored set.
var alphanumericsMemoD : Set<UInt32> {
  get {
    return alphanumericsMemo
  }
  set {
    alphanumericsMemo = newValue
  }
}

func repo() {
  alphanumericsMemo.insert(1)
  alphanumericsMemo.insert(2)
  // This insert goes through the computed property's getter and setter.
  alphanumericsMemoD.insert(3)
}

repo()
```

```
$ DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib ./RepoChar
```

It crashes in `result.hashTable.copyContents(of: hashTable)`, reading out of bounds of the allocated source object.

I think this is because the `copyContents` function should really be:

diff --git a/stdlib/public/core/HashTable.swift b/stdlib/public/core/HashTable.swift
index fb00946db7..198dc6bb9f 100644
--- a/stdlib/public/core/HashTable.swift
+++ b/stdlib/public/core/HashTable.swift
@@ -406,7 +406,7 @@ extension _HashTable {
   @_effects(releasenone)
   internal func copyContents(of other: _HashTable) {
     _internalInvariant(bucketCount == other.bucketCount)
-    self.words.assign(from: other.words, count: bucketCount)
+    self.words.assign(from: other.words, count: wordCount)
   }
 
   /// Insert a new entry with the specified hash value into the table.
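
Review bot: the `_internalInvariant(bucketCount == other.bucketCount)` line directly above the changed `assign` call still checks buckets while the copy length is now counted in words, so the relationship between the two units stays implicit. Consider making it explicit next to the copy, for example with an additional `_internalInvariant(wordCount == other.wordCount)` or a comment stating that `words` is sized by `wordCount`. The hunk also carries no test; a regression test built on the `Set<UInt32>` reproducer from this report, run under a guarded allocator, would keep the count from drifting back.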
@aschwaighofer
Member Author

@swift-ci create

@aschwaighofer
Member Author

@lorentey

@lorentey
Member

Great catch! That's a highly disturbing typo.

The overrun only happens when the payload types are short enough, which explains how this eluded detection for so long.
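
Why the element size matters, as an added example that is not code from this issue or from the Swift standard library: it assumes the bitmap words and the element slots share one allocation with the bitmap first, ignores alignment padding, and uses a constructed bucket count of 4. `TableLayout`, `overrun(copyingWords:)` and `copyBitmap` are hypothetical names.

```swift
// Added illustration: a simplified model, not the standard library's code.
// Assumption: one allocation holds the occupancy bitmap (one bit per bucket,
// packed into 64-bit words) followed directly by the element slots.
struct TableLayout {
  let bucketCount: Int    // buckets, i.e. bits in the bitmap
  let elementStride: Int  // bytes per stored element

  static let wordBits = UInt64.bitWidth
  static let wordBytes = MemoryLayout<UInt64>.stride

  // Words needed for one bit per bucket, rounded up.
  var wordCount: Int { (bucketCount + Self.wordBits - 1) / Self.wordBits }

  // Bytes from the start of the bitmap to the end of the allocation.
  var bytesFromBitmap: Int {
    wordCount * Self.wordBytes + bucketCount * elementStride
  }

  // Bytes by which a copy of `count` words, starting at the bitmap, runs
  // past the end of the allocation (0 when it stays inside).
  func overrun(copyingWords count: Int) -> Int {
    max(0, count * Self.wordBytes - bytesFromBitmap)
  }
}

// Length-carrying copy: the bitmaps are passed as arrays that know their
// own length, so a count that disagrees with the storage traps up front.
func copyBitmap(from src: [UInt64], into dst: inout [UInt64], count: Int) {
  precondition(count <= src.count && count <= dst.count,
               "count exceeds bitmap storage")
  dst.replaceSubrange(0..<count, with: src[0..<count])
}

// Constructed sample: 4 buckets, element sizes from UInt32 up to 16 bytes.
for stride in [4, 8, 16] {
  let layout = TableLayout(bucketCount: 4, elementStride: stride)
  let bad = layout.overrun(copyingWords: layout.bucketCount)
  let good = layout.overrun(copyingWords: layout.wordCount)
  print("stride \(stride): bucketCount copy overruns \(bad) bytes, " +
        "wordCount copy overruns \(good) bytes")
}

// The checked copy with the correct count, on a constructed bitmap.
let small = TableLayout(bucketCount: 4, elementStride: 4)
let source = [UInt64](repeating: 0b0111, count: small.wordCount)
var copy = [UInt64](repeating: 0, count: small.wordCount)
copyBitmap(from: source, into: &copy, count: small.wordCount)
print(copy == source)
```

Under these assumptions only the small element stride lets the word-for-bucket miscount reach past the allocation; with larger elements the extra words land inside the element slots, which a guarded allocator does not flag.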

@lorentey
Member

@swift-ci create

@belkadan
Contributor

@lorentey, you fixed this a long time ago, right?

@lorentey
Member

Ah, yes! This was resolved in #20762

@swift-ci transferred this issue from apple/swift-issues Apr 25, 2022
This issue was closed.