SBCL

in-file function type derivation violates safety

Bug #657499 reported by Nikodemus Siivola on 2010-10-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	SBCL	Fix Released	High	Unassigned

File-compiling the following and calling QUUX returns "foo" instead of signalling a type-error.

(declaim (optimize safety))

(defun foo ()
(cons t t))

(defun bar ()
  (let ((cons (foo)))
    (setf (car cons) 3)
    cons))

(defun quux ()
  (eval `(locally (declare (optimize safety))
           (setf (fdefinition 'foo) (lambda () (copy-seq "foobar")))
           (bar))))

Tags:

Nikodemus Siivola (nikodemus) on 2010-10-09

Changed in sbcl:
assignee:	nobody → Nikodemus Siivola (nikodemus)
status:	New → In Progress

Nikodemus Siivola (nikodemus) on 2010-10-10

tags:

added: compiler types

Revision history for this message

Nikodemus Siivola (nikodemus) wrote on 2010-10-10:

Marking this as "high" due to heap corruption potential.

Changed in sbcl:
importance:	Undecided → High

Revision history for this message

Nikodemus Siivola (nikodemus) wrote on 2010-10-12:

Attached patch is my current status on this. Pending addition of tests and more testing, I plan to commit this soonish.

The basic approach is to use ASSERT-LVAR-TYPE instead of DERIVE-NODE-TYPE for derived untrusted calls.

Revision history for this message

Nikodemus Siivola (nikodemus) wrote on 2010-10-14:

In 1.0.43.57.

Changed in sbcl:
assignee:	Nikodemus Siivola (nikodemus) → nobody
status:	In Progress → Fix Committed

Nikodemus Siivola (nikodemus) on 2010-11-07

Changed in sbcl:
status:	Fix Committed → Fix Released

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Bug watches keep track of this bug in other bug trackers.