Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

getting crash on writing to readonly memory region while generating ec for exception #99

Open
iradization opened this issue Nov 22, 2022 · 4 comments
Open

getting crash on writing to readonly memory region while generating ec for exception #99

iradization opened this issue Nov 22, 2022 · 4 comments

Comments

@iradization
Copy link

I'm trying to figure out a crash dump that I got when initiating a boost implementation of unix domain socket.

What's strange about it is that the relevant frame is when it parsed the ec.what() which is a function that basically create a string message ...

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   P 0x104919660 boost::system::error_code::what() const (in P_arm64.dsym) + 528 + 251488
1   P 0x104919654 boost::system::error_code::what() const (in P_arm64.dsym) + 516 + 251476
2   P 0x104918ea8 boost::system::system_error::system_error(boost::system::error_code const&, char const*) (in P_arm64.dsym) + 308 + 249512
3   P 0x104adbd10 boost::asio::basic_socket<boost::asio::local::stream_protocol, boost::asio::any_io_exec
utor>::connect(boost::asio::local::basic_endpoint<boost::asio::local::stream_protocol> const&) (in P_arm64.dsym) + 1808 + 2096400
(--> this is my c'tor that initiate the unix domain socket) 
4   P 0x104ad9ed4 service::api::Instance(std::__1::function<void (std::__1::

Besides the callstack, I could generate a crash file with a crash reason

Termination Reason:    Namespace SIGNAL, Code 10 Bus error: 10
Terminating Process:   exc handler [2253]

VM Region Info: 0x107008fa8 is in 0x107006000-0x10705e000;  bytes after start: 12200  bytes before end: 348247
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      __TEXT                      10664e000-107006000    [ 9952K] r-x/r-x SM=COW  ...s/MacOS/P
--->  __DATA_CONST                107006000-10705e000    [  352K] r--/rw- SM=COW  ...s/MacOS/P
      __DATA                      10705e000-107072000    [   80K] rw-/rw- SM=COW  ...s/MacOS/P

So It seems like when the ec message is created, we attempt to write a read only memory (DATA_CONST) . I think that this is the problematic code :


source_location const & location() const BOOST_NOEXCEPT
{
   BOOST_STATIC_CONSTEXPR source_location loc;
   return lc_flags_ >= 4? *reinterpret_cast<source_location const*>( lc_flags_ &~ static_cast<boost::uintptr_t>( 1 ) ): loc;
}

which is called from here

std::string what() const
{
    std::string r = message();
    r += " [";
    r += to_string();
    if( has_location() )
    {
        r += " at ";
-->     r += location().to_string();
    }

    r += "]";
    return r;
}

However, i don't understand where do we attempt to write to the const expression 'loc'... any idea what may be the reason ?
@iradization
Copy link
Author

iradization commented Nov 22, 2022
edited
Loading

It appears that when the c'tor of loc is first created, the empty string ("") value should be written to this members of loc which are stored in __DATA_CONST section. Maybe the compiler should allow writing the __DATA_CONST section upon construction of constexpr like in this case, and prevent further writes from this point onward (I guess not).
Or maybe this loc object should be stored in the heap, since it's created during runtime by the c'tor (so it shouldn't be constexpr only static)

I'm using macOS M1/M2 architecture with Xcode/LLVM compiler, Perhaps do you know if there's a compilation flag that enables it ?

@pdimov pdimov transferred this issue from boostorg/exception Nov 26, 2022
@pdimov
Copy link
Member

pdimov commented Nov 26, 2022

constexpr variables don't execute any code on construction, they are initialized at compile time.

Without seeing the disassembly around the crash address, it's hard to tell what exactly is going on.

@pdimov
Copy link
Member

pdimov commented Nov 26, 2022

The system_error is constructed either here https://github.com/boostorg/asio/blob/ce07af1fdf532c22e6bfe161ded186cb356aa9c2/include/boost/asio/basic_socket.hpp#L861

or here https://github.com/boostorg/asio/blob/ce07af1fdf532c22e6bfe161ded186cb356aa9c2/include/boost/asio/basic_socket.hpp#L864

and it's possible that ec.lc_flags_ at this point somehow stores an invalid pointer to source_location, but why it would do so, isn't clear.

@pdimov
Copy link
Member

pdimov commented Nov 26, 2022

The location of the error code is probably set here https://github.com/boostorg/asio/blob/723eee7a402f5bd1c39a4821fc4951abfe0d0bbd/include/boost/asio/detail/reactive_socket_service.hpp#L587

although I'm not sure whether this is the right socket implementation for macOS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pdimov @iradization