-
-
Notifications
You must be signed in to change notification settings - Fork 415
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Memory corruption via Array.copy_to #4174
Comments
Update fix to include ponylang#4174
I don't think silently not doing this is a good API here. Most of Array if you overshoot an index are partial... see
|
Note, it appears that |
This is exactly how for example |
Include tests for ponylang#4174
Looks like this has been a bug since pretty much the very beginning (8 years ago). I would take the position that silently truncating the range is the most consistent thing to do here, rather than making the method partial. The general precedent in the String and Array methods seems to be:
If you were going to take the position that the latter class of cases should also be partial, you're going to need to make a lot more of the methods partial than just |
Re: "dest index is outside of valid range (should be handled correctly now)" It's worth noting that by requesting a destination index out of bounds, in a way that leaves "gaps" in between, we might also encounter memory corruption. The code below will segfault in release and debug modes: class Counter
var value: U32 = 0
new create(v': U32) =>
value = v'
actor Main
new create(e: Env) =>
let src = [Counter(0)]
let dest = [Counter(1)]
src.copy_to(dest, 0, 2, 1) // past the range
try
e.out.print(dest(0)?.value.string()) // valid memory
e.out.print(dest(1)?.value.string()) // invalid memory
end |
Yeah, we definitely don't want to leave gap in between in whatever the desired behavior for this method is. We discussed this a lot on the sync call and my basic thought is: I don't mind removing |
I updated the fix in #4173 to catch a destination index that goes past @jemc I too don't mind removing |
After discussing this topic with Sean today, here's a path forward that at least he and I are in agreement on (others here can chime in as well). This mostly matches what @ergl and I discussed in the sync call 10 days ago, so to hear more about the rationale, listen to that recording. Make the
Add a new Make Add a new |
This sounds like a good way forward -- I closed #4173. |
@stefandd would you be interested in implementing the above? You already did a decent amount of work towards the tests and implementation. |
@jemc @SeanTAllen I am happy to, for a start, work on the new |
Sounds great, if you're willing to continue on that path. Thanks! |
Does If so, and with the addition of If we're making a breaking change, I'd prefer to specify that any out of range scenario in
These would be modified to the following:
|
That's an interesting point, and I definitely like the reduced conceptual complexity of that approach (especially that it avoids the mental overhead of remembering which cases truncate and which cases raise an error), though I think it has two downsides to mention:
If we want to take your approach then we may want to consider at least changing the function names for force a compile-time failure so that we don't make a silently breaking behavioral change to an existing function. |
@stefandd No consensus as of yet afaik. I won't be able to give this the time that it needs until next month. |
@SeanTAllen I am happy to take a stab at implementing a proposed change to |
We discussed this in sync today. @SeanTAllen and I still want to go with the partial approach that I outlined in this comment: #4174 (comment) @ergl - what do you think? Do you think you can align with this same consensus? Or do you still prefer the alternative you outlined in this comment: #4174 (comment) |
@jemc Your proposal sounds good. I came round on your idea: your point about having a silent breaking change was a good one. |
I believe we have a quorum of agreement now. @stefandd are you still up for working on this? |
There's bugs in Array's copy to where it doesn't validate input
for example:
prints 11 and then prints 0. copying from an out of index
src_index
shouldn't be changing the destination array, it should be an error.To fix, copy_to needs to become partial.
As part of this change, the
slice
method that usecopy_to
be switched to using_copy_to
so that it isn't required to become partial UNLESS, slice actually needs to be partial. We should validate that it doesn't.Some things that we should be adding
copy_to
tests methods for:Array.copy_to
#4173)Array.copy_to
#4173)Here's some example code that shows the length bug:
The text was updated successfully, but these errors were encountered: