-
Notifications
You must be signed in to change notification settings - Fork 757
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Segfault in XXH3_64bits_reset_withSeed with x86 Visual Studio 2015 #401
Comments
Could you update the xxHash module ? |
Use xxHash dev branch:
Use xxHash master branch:
Use xxHash v0.7.3:
All these three have the same |
Are you sure it doesn't have to do with calling @Cyan4973 We should probably switch to |
Can confirm a crash with #define XXH_STATIC_LINKING_ONLY
#include <stdio.h>
#include <xxhash.h>
int main(void)
{
XXH3_state_t *state = XXH3_createState();
printf("%llx\n", (unsigned long long)XXH3_64bits_digest(state));
XXH3_freeState(state);
}
Normally it doesn't show up because most Linux implementations use Undefined behavior on your side, but we could improve this a bit with |
@easyaspi314 you're right, it's my fault, it's a use before init error. Reset right after creating a state and everything is fine. |
Sorry to bother again, thanks in advance! Actually I'm developing python-xxhash and trying to support xxh3.
@Cyan4973 @easyaspi314 Anything special between v0.7.3 and dev? |
Well v0.7.3's state is not movable due to a pointer issue. Not sure why it only crashes on 32-bit, though. (#365, fix #366). For the reference, it goes like this XXH3_state_t *s1 = XXH3_createState(), *s2 = XXH3_createState;
XXH3_64bits_reset_withSeed(s1, seed);
XXH3_copyState(s2, s1);
XXH3_freeState(s1);
// s2 has a wild pointer to the internal state of s1 in v0.7.3, fixed in dev Or simplifying the wrappers, the bug is a simple use-after-free: typedef struct XXH3_state_s {
unsigned char customSecret[192];
const unsigned char *secret;
} XXH3_state_t;
XXH3_state_t *s1 = malloc(sizeof(XXH3_state_t)), *s2 = malloc(sizeof(XXH3_state_t));
s1->secret = &s1->customSecret[0];
memcpy(s2, s1, sizeof(XXH3_state_t));
assert(s2->secret == &s1->customSecret[0]);
free(s1); For a workaround for v0.7.3, you can do this: XXH3_copyState(s2, s1);
#if XXH_VERSION_NUMBER < 704
// v0.7.3 and earlier have a bug where states reset with a seed
// will have a wild pointer to the original state when copied,
// causing a use-after-free if the original is freed.
if (s2->secret == &s1->customSecret[0])
s2->secret = &s2->customSecret[0];
#endif |
@easyaspi314 Thanks for your detailed reply. Very helpful. |
I don't know if it's a bug, I have setup a reproduce:
The text was updated successfully, but these errors were encountered: