Segmentation Faults 2017-08-03 #468

Open
rwhitworth opened this issue Aug 4, 2017 · 18 comments

@rwhitworth
Hello, I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the k program on Linux. Is fixing the crashes from these input files something you're interested in? The input files can be found here: https://github.com/rwhitworth/kona-fuzz/tree/master/2017-08-03. kona was compiled from git commit 3d0ca5a.

The files can be executed as ./k id_filename to cause segmentation faults.

Let me know if I can provide any more information to help narrow down this issue.

Here are two examples of backtraces from gdb:

id:000000,sig:11,src:000020,op:arith8,pos:0,val:-21

#0  ex1 (w=0x7ffacc127218, k=0x0, i=0x7ffde0252558, n=<optimized out>, f=1) at src/kx.c:824
#1  0x0000000000420b8c in ex0 (v=<optimized out>, k=<optimized out>, r=<optimized out>) at src/kx.c:688
#2  0x0000000000424465 in ex_ (a=0x7ffde02525e0, r=0) at src/kx.c:664
#3  0x000000000042426a in ex (a=<optimized out>) at src/kx.c:672
#4  0x000000000041cd70 in line (f=<optimized out>, a=<optimized out>, n=<optimized out>, p=<optimized out>) at src/kc.c:283
#5  0x000000000041db1a in lines (f=<optimized out>) at src/kc.c:246
#6  0x0000000000409ec0 in load (s=0x7ffde0252e1d "output/k-1/crashes/id:000000,sig:11,src:000020,op:arith8,pos:0,val:-21") at src/c.c:85
#7  0x000000000041be77 in args (n=<optimized out>, v=<optimized out>) at src/kc.c:90
#8  0x0000000000447066 in main (argc=9, argv=0x0) at src/main.c:7

id:000002,sig:11,src:000001+000321,op:splice,rep:4

#0  unpool (r=<optimized out>) at src/km.c:184
#1  kallocI (k=<optimized out>, r=<optimized out>) at src/km.c:153
#2  kalloc (k=<optimized out>, r=<optimized out>) at src/km.c:158
#3  newK (t=<optimized out>, n=<optimized out>) at src/km.c:141
#4  0x000000000042b959 in promote (a=0x7efcfeb9acc0) at src/ko.c:105
#5  0x00000000004451c5 in joinI (a=<optimized out>, y=0x7efcfeb9af80) at src/vg.c:623
#6  0x00000000004452a1 in join (x=<error reading variable: Cannot access memory at address 0x0>, y=0xffffffffffffffff) at src/vg.c:629
#7  0x00000000004217fa in vf_ex (q=<optimized out>, g=<optimized out>) at src/kx.c:484
#8  0x000000000041f1a4 in dv_ex (a=0x7efcfeb9acc0, p=0x7efcfeb985f0, b=<optimized out>) at src/kx.c:401
#9  0x0000000000423656 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:981
#10 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#11 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#12 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#13 0x0000000000422d34 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:951
#14 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#15 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#16 0x0000000000422d34 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:951
#17 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#18 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#19 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#20 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#21 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#22 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#23 0x0000000000422d34 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:951
#24 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#25 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#26 0x0000000000422d34 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:951
#27 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#28 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#29 0x0000000000422d34 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:951
#30 0x0000000000422db2 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:987
#31 0x0000000000422d34 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:951
#32 0x0000000000422d34 in ex2 (v=<optimized out>, k=<optimized out>) at src/kx.c:951
#33 0x00000000004248e4 in ex1 (w=<optimized out>, k=<optimized out>, i=<optimized out>, n=<optimized out>, f=2) at src/kx.c:829
#34 0x0000000000420b8c in ex0 (v=<optimized out>, k=<optimized out>, r=<optimized out>) at src/kx.c:688
#35 0x0000000000424465 in ex_ (a=0x7fffa43386a0, r=0) at src/kx.c:664
#36 0x000000000042426a in ex (a=<optimized out>) at src/kx.c:672
#37 0x000000000041cd70 in line (f=<optimized out>, a=<optimized out>, n=<optimized out>, p=<optimized out>) at src/kc.c:283
#38 0x000000000041db1a in lines (f=<optimized out>) at src/kc.c:246
#39 0x0000000000409ec0 in load (s=0x7fffa4339e1a "../post-min/id:000002,sig:11,src:000001+000321,op:splice,rep:4") at src/c.c:85
#40 0x000000000041be77 in args (n=<optimized out>, v=<optimized out>) at src/kc.c:90
#41 0x0000000000447066 in main (argc=0, argv=0xffffffffffffffff) at src/main.c:7
@tavmem tavmem added the crash label Aug 5, 2017
@tavmem
Collaborator

tavmem commented Aug 19, 2017

The 201st case (which causes a segfault in Kona) is:

  400000000 000000#00=/0000000#0000000000000 0

This gets simplified to

  0=/!0

which causes a segfault in Kona.
k3.2 (and k2.8) returns 0.

@tavmem
Collaborator

tavmem commented Aug 20, 2017

The failure of 0=/!0 is a regression.
It last worked in commit bdb5945 of Dec 3, 2015.

It began to fail in commit aa5ac60 also of Dec 3, 2015.

@tavmem
Collaborator

tavmem commented Feb 19, 2018

This regression was fixed (issue 475) on Aug 21, 2017.

@tavmem
Collaborator

tavmem commented Feb 23, 2018

Case 255 reveals another problem not related to syntax checking.
Note that case 255 is

"?x<\;\\xx<\\!x"

The following works as it should (value error):

$ pwd
/home/tom/kona-fuzz
$ rlwrap -n ~/kona/k 
K Console - Enter \ for help
  #ls: -1 _ `4:"ls /home/tom/kona-fuzz/2017-08-03/"
12380
  f: {. *0: "2017-08-03/",ls x}
  .[ f; 255; :]
value error
x
^

However, making the 255 a parameter causes a seg fault:

$ pwd
/home/tom/kona-fuzz
$ rlwrap -n ~/kona/k 
K Console - Enter \ for help
  #ls: -1 _ `4:"ls /home/tom/kona-fuzz/2017-08-03/"
12380
  f: {. *0: "2017-08-03/",ls x}
  {.[ f; x; :]}255
Segmentation fault (core dumped)
$

But in k2.8, having 255 as a parameter works (value error):

$ pwd
/home/tom/kona-fuzz 
$ rlwrap -n ~/k2.8/k 
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.
  #ls: -1 _ `4:"ls /home/tom/kona-fuzz/2017-08-03/"
12380
  f: {. *0: "2017-08-03/",ls x}
  {.[ f; x; :]}255
value error
x
^

I will create a separate issue for this problem.

@tavmem
Collaborator

tavmem commented Feb 23, 2018

Case 255 probably does not need a separate issue. Consider a somewhat simplified form:

. "?3<\\;\\\\2<\\\\!3"

This produces a result in k2.8:

$ rlwrap -n ~/k2.8/k
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.
  . "?3<\\;\\\\2<\\\\!3"
(0 1 2
 0 1 1
 0 1 0)
,(0 1 2
  0 1 1
  0 1 0)

but in k2.8, simply executing the command does not produce results:

  ?3<\\;\\\\2<\\\\!3
eval size limit
permission error
?3<\\;\\\\2<\\\\!3
           ^
> 

In Kona, we get a segfault:

$ rlwrap -n ~/kona/k
K Console - Enter \ for help
  . "?3<\\;\\\\2<\\\\!3"
Segmentation fault (core dumped)
$ 

but Kona will execute the command directly (and needs stopping):

$ rlwrap -n ~/konak/k
K Console - Enter \ for help
  ?3<\\;\\\\2<\\\\!3
[1]+  Stopped                 rlwrap -n ~/konak/k
$ 

I think it may be OK to make this a syntax error.

@tavmem
Collaborator

tavmem commented Feb 23, 2018

Forgot to factor in the "escapes". It is consistently good syntax in k2.8:

$ rlwrap -n ~/k2.8/k
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.
  . "?3<\\;\\\\2<\\\\!3"
(0 1 2
 0 1 1
 0 1 0)
,(0 1 2
  0 1 1
  0 1 0)

  ?3<\;\\2<\\!3
(0 1 2
 0 1 1
 0 1 0)
,(0 1 2
  0 1 1
  0 1 0)

And it consistently segfaults in Kona:

$ rlwrap -n ~/kona/k
K Console - Enter \ for help

  . "?3<\\;\\\\2<\\\\!3"
Segmentation fault (core dumped)

$ rlwrap -n ~/kona/k
K Console - Enter \ for help
  ?3<\;\\2<\\!3
Segmentation fault (core dumped)

Since the syntax is OK, case 255 does deserve a separate issue.

@tavmem
Collaborator

tavmem commented Feb 23, 2018

On the other hand, in k2.8 case 255 is clearly a borderline case (and probably should be considered a syntax error):

$ rlwrap -n ~/k2.8/k
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.

  ;\\2<\\!3
(0 1 2
 0 1 1
 0 1 0)
,(0 1 2
  0 1 1
  0 1 0)
  
  \\2<\\!3
sh: \!3: No such file or directory
domain error

I think I will go with syntax error in Kona (for now). This can be changed if needed.

@tavmem
Collaborator

tavmem commented Mar 11, 2020

Interesting:
The last time I worked on this was Mar 23, 2018 with commit 4a8dbe0.
When I use that commit now, and try to run the first 1000 cases on a Fedora box:

  • the first 877 cases run with no segfault.
  • case 878 hangs ... and the box keeps spinning its wheels till you break with Ctrl-C, then processing resumes through case 999.

Using the latest commit 79a5e0a of Mar 10, 2020:

  • only the first 72 cases run with no segfault.
  • case 73 segfaults.

Sometime between Mar 23, 2018 and Mar 10, 2020 a change was made that causes case 73 to segfault.

Case 73 is
::?U:\\!:
Case 878 is
;7777777777777777777777777777777777777774777777777,/7777777$777;777

@tavmem
Collaborator

tavmem commented Mar 11, 2020

Here are the results using k2.8 on these 2 cases:

$ rlwrap -n ./k
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.

  ::?U:\\!:
syntax error
::?U:\\!:
 ^
parse error
  
  ;7777777777777777777777777777777777777774777777777,/7777777$777;777
eval size limit
permission error
;7777777777777777777777777777777777777774777777777,/7777777$777;777
                                                  ^
>  

@tavmem
Collaborator

tavmem commented Mar 12, 2020

The commit that causes case 73 to segfault again is 31fc38f.

@tavmem
Collaborator

tavmem commented Mar 12, 2020

After commit 7a02fd6 we get a segfault on case 483.
Case 483 is \\v\rv\r

In case 483, k2.8 passes a command to the shell:

$ rlwrap -n ./k
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.

  \\v\rv\r
sh: vrvr: command not found
domain error

When run on a standalone basis, kona simply exits:

$ rlwrap -n ./k
kona      \ for help. \\ to exit.

  \\v\rv\r
$

@tavmem
Collaborator

tavmem commented Mar 12, 2020

The current problem with case 483 is also a regression.
It worked in commit 4a8dbe0
and was broken by commit 83ef164.

When run standalone using commit 4a8dbe0 we get

$ rlwrap -n ./k
K Console - Enter \ for help

  \\v\rv\r
sh: \vrvr: command not found
domain error
> 

@tavmem
Collaborator

tavmem commented Mar 12, 2020

After commit 50f33aa case 483 works again when run standalone:

$ rlwrap -n ./k
kona      \ for help. \\ to exit.

  \\v\rv\r
sh: \vrvr: command not found
domain error
> 

However, when run in a batch it fails, and the content is reported differently:

483
vv
Segmentation fault (core dumped)
$ 

This bears further investigation.

@tavmem
Collaborator

tavmem commented Mar 12, 2020

Consider this script:

$ cat vw.k
ls: -1 _ `4:"ls 2017-08-03/"
g:{ *0: "2017-08-03/",ls x}
  • loads all 12,380 case file names into variable ls
  • creates function g which can display contents of any file.

When run using k2.8 on case 483:

$ rlwrap -n ~/k2.8/k
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.

  \l vw
  g 483
"\\v\rv\r"

We get the same result when using kona:

$ rlwrap -n ~/kona/k
kona      \ for help. \\ to exit.

  \l vw
  g 483
"\\v\rv\r"

Consider this script:

$ cat chk.k
ls: -1 _ `4:"ls 2017-08-03/"
f: {. *0: "2017-08-03/",ls x}
g:{ *0: "2017-08-03/",ls x}
i:0;
while[i<484
      `0: ($ i)," --- ",($ #t: g i),"\n"
      `0: t,"\n"
      res: .[ f; i; :]
      `0: "rtn code: ",($ res 0),"\n\n"
      i+:1 ]
`0: "done\n"

It runs the first 484 cases. Using k2.8, the final test result is:

483 --- 5
vv
sh: $'v\rv\r': command not found
rtn code: 1

Using kona, the final test result is:

483 --- 5
vv
Segmentation fault (core dumped)

Kona is segfaulting when the shell command is not found.
This may not be a regression at all.
Although case 483 does not segfault when running the batch using commit 4a8dbe0, the command string appears incorrect, the number of characters is wrong, and you get a different error message at the end:

483 --- 3
\v
rtn code: 1

done
file error
\l chk
  select: Bad file descriptor

Additional notes:

  • when running batch, both k2.8 and kona display case 483 as vv, though both k2.8 and kona show \\v\rv\r when using the script vw.k.
    My guess is that `0: considers 3 of the 5 characters \\ \r \r as control characters and is suppressing them.
  • another difference when running batch is that k2.8 stops after case 190 and case 311, and resumes when you enter Ctrl-C. Kona does not stop after any of the cases. These cases are:
$ rlwrap -n ~/k2.8/k
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.

  \l vw
  g 190
"<//\\/@/9"
  g 311
".///////////////!//\\////010.0 0"

@tavmem
Collaborator

tavmem commented Mar 12, 2020

If we modify the batch script to only run 191 and 311, and have it display the complete result codes:

$ cat chk.k
ls: -1 _ `4:"ls 2017-08-03/"
f: {. *0: "2017-08-03/",ls x}
g:{ *0: "2017-08-03/",ls x}
i:0;
while[i<484
  if[i _in 190 311
    `0: ($ i)," --- ",($ #t: g i),"\n"
    `0: t,"\n"
    res: .[ f; i; :]
    `0: "rtn code: ",($ res 0)," - ",(res 1),"\n\n" ]
  i+:1 ]
`0: "done\n"

we see k2.8 is actually initiating a stop:

$ rlwrap -n ~/k2.8/k
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.

  \l chk
190 --- 8
<//\/@/9
rtn code: 1 - stop

311 --- 31
.///////////////!//\////010.0 0
rtn code: 1 - stop

done

kona is only reporting a syntax error:

$ rlwrap -n ~/kona/k
kona      \ for help. \\ to exit.

  \l chk
190 --- 8
<//\/@/9
rtn code: 1 - syntax

311 --- 31
.///////////////!//\////010.0 0
rtn code: 1 - syntax

done

@tavmem
Collaborator

tavmem commented Mar 12, 2020

A minimal 6-character input string for case 190:

k2.8

$ rlwrap -n ~/k2.8/k
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.

  <//\/9
stop
<//\/9
^
> 

kona

$ rlwrap -n ~/kona/k
kona      \ for help. \\ to exit.

  <//\/9
syntax error
> 

Similarly, a 6-character minimal input string for case 311:

k2.8

$ rlwrap -n ~/k2.8/k
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.

  !//\/1
stop
!//\/1
^
> 

kona

$ rlwrap -n ~/kona/k
kona      \ for help. \\ to exit.

  !//\/1
syntax error
> 

@tavmem
Collaborator

tavmem commented Mar 13, 2020

From the k2.0 reference manual:

Stop / Trace
\ x
When \ is placed to the left of an expression in a function expression, 
as if it were a monadic function to be applied to the value of that expression,

Looks like stop is being invoked in <//\/9 and in !//\/1
Stop seems to be invoked if the leading character is any monadic function.
So +//\/9 and -//\/9 also cause a stop.

Except that the break flag is set to trace:

$ rlwrap -n ~/k2.8/k
K 2.8 2000-10-10 Copyright (C) 1993-2000 Kx Systems
Evaluation. Not for commercial use. 
\ for help. \\ to exit.

  \b
t
  !//\/1
stop
!//\/1
^
>

It seems this is a bug in k2.8.
The fact that kona reports a "syntax error" seems acceptable.

@tavmem
Collaborator

tavmem commented Mar 13, 2020

Case 483 (when run in batch) now works.
The next case that fails in batch is case 730:

730 --- 17
`000!000-&1% 00 0
Segmentation fault (core dumped)

We have 12,380 cases to work through.
Adding all the comments to this one stream will make it too long.
I am going to open a new issue for each subsequent case.
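As an added example (not code from this issue or from the kona project), a small Python triage harness for the afl case directory discussed above. Unlike the in-process chk.k batch, it runs each case as its own `./k <file>` subprocess with a timeout, so one segfault cannot take down the rest of the batch and a hang like case 878 is reported as "hang" instead of waiting on Ctrl-C; the binary path, case directory and timeout are assumptions.

```python
import signal
import subprocess
import sys
from pathlib import Path


def classify(returncode, timed_out):
    """Map a child's exit status to a triage label.

    subprocess reports death-by-signal as a negative returncode, so -11
    becomes "sig:SIGSEGV" (the afl "sig:11" cases in this issue).
    """
    if timed_out:
        return "hang"
    if returncode < 0:
        return "sig:" + signal.Signals(-returncode).name
    return "ok" if returncode == 0 else "exit:%d" % returncode


def run_case(argv, case_path, timeout=5.0):
    """Run one case as argv + [case_path] (for kona: ["./k", path]) in its
    own process, with stdin closed so the interpreter cannot wait on a console."""
    try:
        proc = subprocess.run(
            list(argv) + [str(case_path)],
            stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return classify(None, True)  # child already killed by subprocess.run
    return classify(proc.returncode, False)


def triage(argv, case_dir, limit=None, timeout=5.0):
    """Run the files in case_dir in sorted order (optionally only the first
    `limit`) and return {filename: label}; each case gets a fresh process."""
    paths = sorted(p for p in Path(case_dir).iterdir() if p.is_file())
    if limit is not None:
        paths = paths[:limit]
    return {p.name: run_case(argv, p, timeout) for p in paths}


if __name__ == "__main__":
    # Assumed layout: the ./k binary and the 2017-08-03 case directory.
    binary = sys.argv[1] if len(sys.argv) > 1 else "./k"
    cases = sys.argv[2] if len(sys.argv) > 2 else "2017-08-03"
    for name, label in triage([binary], cases).items():
        if label != "ok":
            print(label, name)
```

Bucketing by signal name (SIGSEGV vs SIGABRT vs hang) is the first cut when deciding which of the 12,380 inputs share a root cause; afl-tmin on one representative of each bucket then gives the short reproducers used throughout this thread.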

@tavmem tavmem mentioned this issue Mar 22, 2022