On Fri, Dec 22, 2017 at 07:12:35PM +0100, Jann Horn wrote:
> This checks that it is not possible to bypass the total stack size check in
> update_stack_depth() by calling a function that uses a large amount of
> stack memory *before* using a large amount of stack memory in the caller.
>
> Currently, the first added testcase causes a rejection as expected, but
> the second testcase is (AFAICS incorrectly) accepted:
>
> [...]
> #483/p calls: stack overflow using two frames (post-call access) FAIL
> Unexpected success to load!
> 0: (85) call pc+2
> caller:
>  R10=fp0,call_-1
> callee:
>  frame1: R1=ctx(id=0,off=0,imm=0) R10=fp0,call_0
> 3: (72) *(u8 *)(r10 -300) = 0
> 4: (b7) r0 = 0
> 5: (95) exit
> returning from callee:
>  frame1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0,call_0
> to caller at 1:
>  R0_w=inv0 R10=fp0,call_-1
>
> from 5 to 1: R0=inv0 R10=fp0,call_-1
> 1: (72) *(u8 *)(r10 -300) = 0
> 2: (95) exit
> processed 6 insns, stack depth 300+300
Got it. Thanks for the test! Working on a fix.
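An added example, not code from this thread or from the kernel: a small C model of the two frames in Jann's test, with the instruction set cut down to stack access, call and exit and no branches. `check_at_access_time()` sums the current call chain at the moment each stack access is verified, which is what the post-call test exercises: the callee's 300 bytes are checked against a caller that has touched nothing yet, and the caller's 300 bytes are checked after the callee's frame is gone, so 600 bytes pass. `check_max_stack_depth()` instead records each subprogram's deepest access over all of its instructions and only then sums along every call chain, so the order of accesses relative to the call no longer matters. The 512-byte and 8-frame limits follow the kernel's MAX_BPF_STACK and MAX_CALL_FRAMES; rounding each frame to 32 bytes is an assumption of the model, as are all the function and type names, and the three sample programs are constructed here (the `r0 = 0` of the original test is dropped because the model has no ALU).

```c
/* Added example: model of two ways to bound BPF stack use across calls.
 * Not kernel code; instructions are reduced to stack access, call and exit. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_BPF_STACK   512 /* limit for the whole call chain */
#define MAX_CALL_FRAMES 8   /* limit on call nesting */
#define MAX_INSNS       32
#define MAX_SUBPROGS    8

enum op { OP_STACK, OP_CALL, OP_EXIT };
struct insn { enum op op; int arg; }; /* OP_STACK: fp offset (<0); OP_CALL: target index */
struct prog { struct insn insns[MAX_INSNS]; int len; };
struct subprog { int start, end, stack_depth; };

static int round_up32(int x) { return (x + 31) & ~31; } /* assumed rounding */

/* Flawed approach: sum the live call chain at each stack access. Stack the
 * caller touches only after the callee has returned is never added to the
 * callee's depth, so two 300-byte frames are accepted. Returns true = accept. */
bool check_at_access_time(const struct prog *p)
{
    int depth[MAX_CALL_FRAMES] = { 0 }, ret[MAX_CALL_FRAMES];
    int frame = 0, pc = 0;
    while (pc < p->len) {
        const struct insn *in = &p->insns[pc];
        if (in->op == OP_STACK) {
            if (in->arg >= 0 || -in->arg > MAX_BPF_STACK) return false;
            if (-in->arg > depth[frame]) depth[frame] = -in->arg;
            int total = 0;
            for (int f = 0; f <= frame; f++) total += depth[f];
            if (total > MAX_BPF_STACK) return false;
            pc++;
        } else if (in->op == OP_CALL) {
            if (frame + 1 >= MAX_CALL_FRAMES || in->arg < 0 || in->arg >= p->len) return false;
            ret[frame++] = pc + 1;
            depth[frame] = 0;
            pc = in->arg;
        } else {
            if (frame == 0) return true;
            pc = ret[--frame];
        }
    }
    return true;
}

static int subprog_of(const struct subprog *sp, int n, int insn)
{
    for (int i = 0; i < n; i++)
        if (insn >= sp[i].start && insn < sp[i].end) return i;
    return -1;
}

/* DFS over the call graph, summing rounded per-subprog depths along each chain. */
static bool walk(const struct prog *p, const struct subprog *sp, int n,
                 int idx, int frames, int depth, int *max_depth)
{
    depth += round_up32(sp[idx].stack_depth);
    if (depth > MAX_BPF_STACK || frames > MAX_CALL_FRAMES) return false;
    if (depth > *max_depth) *max_depth = depth;
    for (int i = sp[idx].start; i < sp[idx].end; i++) {
        if (p->insns[i].op != OP_CALL) continue;
        int callee = subprog_of(sp, n, p->insns[i].arg);
        if (callee < 0 || !walk(p, sp, n, callee, frames + 1, depth, max_depth))
            return false;
    }
    return true;
}

/* Whole-program approach: deepest access per subprog over all its instructions,
 * then every chain is summed. Returns the deepest chain, or -1 to reject. */
int check_max_stack_depth(const struct prog *p)
{
    struct subprog sp[MAX_SUBPROGS];
    bool is_start[MAX_INSNS] = { false };
    int n = 0, max_depth = 0;

    if (p->len < 1 || p->len > MAX_INSNS) return -1;
    is_start[0] = true;                       /* subprogs begin at 0 and at call targets */
    for (int i = 0; i < p->len; i++)
        if (p->insns[i].op == OP_CALL) {
            if (p->insns[i].arg < 0 || p->insns[i].arg >= p->len) return -1;
            is_start[p->insns[i].arg] = true;
        }
    for (int i = 0; i < p->len; i++)
        if (is_start[i]) {
            if (n == MAX_SUBPROGS) return -1;
            if (n > 0) sp[n - 1].end = i;
            sp[n].start = i; sp[n].stack_depth = 0; n++;
        }
    sp[n - 1].end = p->len;
    for (int i = 0; i < p->len; i++) {        /* order of access vs. call is irrelevant */
        const struct insn *in = &p->insns[i];
        if (in->op != OP_STACK) continue;
        if (in->arg >= 0 || -in->arg > MAX_BPF_STACK) return -1;
        int s = subprog_of(sp, n, i);
        if (-in->arg > sp[s].stack_depth) sp[s].stack_depth = -in->arg;
    }
    return walk(p, sp, n, 0, 1, 0, &max_depth) ? max_depth : -1;
}

/* Constructed programs: the two tests (300 bytes in each of two frames, caller
 * access before or after the call) and a legal 200+200 variant. */
const struct prog pre_call_prog = { .len = 5, .insns = {
    { OP_STACK, -300 }, { OP_CALL, 3 }, { OP_EXIT, 0 }, { OP_STACK, -300 }, { OP_EXIT, 0 } } };
const struct prog post_call_prog = { .len = 5, .insns = {
    { OP_CALL, 3 }, { OP_STACK, -300 }, { OP_EXIT, 0 }, { OP_STACK, -300 }, { OP_EXIT, 0 } } };
const struct prog two_frame_ok_prog = { .len = 5, .insns = {
    { OP_CALL, 3 }, { OP_STACK, -200 }, { OP_EXIT, 0 }, { OP_STACK, -200 }, { OP_EXIT, 0 } } };

int main(void)
{
    const struct prog *progs[] = { &pre_call_prog, &post_call_prog, &two_frame_ok_prog };
    const char *names[] = { "pre-call", "post-call", "200+200" };
    for (int i = 0; i < 3; i++)
        printf("%-9s access-time: %s  whole-program: %d\n", names[i],
               check_at_access_time(progs[i]) ? "accept" : "reject",
               check_max_stack_depth(progs[i]));
    return 0;
}
```

The access-time check reproduces the thread's result (pre-call rejected, post-call accepted); the whole-program check rejects both 300+300 programs and reports 448 for the 200+200 one once each frame is rounded to 224.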