A little fun for the last day of 2012: how to crash a program via division?
x86’s IDIV instruction traps not only on division by zero, but also on INT_MIN / -1 (signed integer overflow).
Try to compile this little function.
You need a 64-bit PostgreSQL (older than 9.2.2/9.1.7/9.0.11) installed on Windows.
Try the following SQL statement.
Here goes more evil SQL.
The first two are straightforward. The third one (multiplication) crashes PostgreSQL because the overflow check is done via division.
The fix is simple: do the overflow check before the division, not after.
It’s interesting that the developers fixed 32-bit division crashes, but missed 64-bit cases.
My guess is that the developers did the tests on a 32-bit Windows. In that case, since there’s no 64-bit IDIV instruction, the compiler instead generates a call to a runtime function which doesn’t trap on INT_MIN / -1.
This would lead to the incorrect conclusion that 64-bit division
The ClamAV engine accepts bytecode signatures as extensions to detect new viruses. You can write one to crash ClamAV’s interpreter, as follows.
It basically does INT_MIN / -1, only to prevent ClamAV’s bytecode compiler from optimizing away the division.
Then compile the function into bytecode, load it into
and it will crash the interpreter.
Actually the interpreter does have a sanity check for signed division, which was introduced in 2009.
The sanity check doesn’t work because, well, you really should
op1 in the second half of the check.
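Both stories above come down to the same defect: a check that runs after the division (PostgreSQL’s multiplication overflow test), or a check that never looks at the divisor at all (ClamAV’s interpreter). The following C snippet is an added example, not code from this post, PostgreSQL or ClamAV: it shows the division-based multiplication check that traps on x86-64, next to a version that rules out INT64_MIN / -1 and division by zero before any IDIV is executed. The function names (`div64_traps`, `safe_div64`, `mul64_check_via_division`, `safe_mul64`) are mine; the product is computed through unsigned arithmetic so the example itself has no signed-overflow undefined behaviour.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* The pre-check every signed division needs: both operands matter.
 * A check that tests only op0 (the dividend) misses INT64_MIN / -1. */
int div64_traps(int64_t op0, int64_t op1)
{
    return op1 == 0 || (op0 == INT64_MIN && op1 == -1);
}

/* Safe signed division: validate, then divide. Returns 0 on success, -1 on error. */
int safe_div64(int64_t a, int64_t b, int64_t *out)
{
    if (div64_traps(a, b))
        return -1;
    *out = a / b;
    return 0;
}

/* The crashing pattern: multiply, then verify the product by dividing it back.
 * With a == -1 and b == INT64_MIN the wrapped product is INT64_MIN, and the
 * verification itself executes INT64_MIN / -1, which traps on x86-64.
 * Kept here for contrast only; never call it with those inputs. */
int mul64_check_via_division(int64_t a, int64_t b, int64_t *out)
{
    int64_t r = (int64_t)((uint64_t)a * (uint64_t)b); /* wrapping product */
    if (a != 0 && r / a != b)                          /* may trap! */
        return -1;
    *out = r;
    return 0;
}

/* The fix: reject the one operand pair whose verifying division can trap
 * BEFORE dividing. After that, a != 0 and r / a can never be INT64_MIN / -1,
 * so the division-based check is safe and still detects every overflow. */
int safe_mul64(int64_t a, int64_t b, int64_t *out)
{
    if ((a == -1 && b == INT64_MIN) || (b == -1 && a == INT64_MIN))
        return -1;                                     /* overflow, no division needed */
    int64_t r = (int64_t)((uint64_t)a * (uint64_t)b);
    if (a != 0 && r / a != b)
        return -1;                                     /* ordinary overflow */
    *out = r;
    return 0;
}

int main(void)
{
    int64_t r;
    printf("INT64_MIN / -1 traps: %d\n", div64_traps(INT64_MIN, -1));
    printf("safe_div64(INT64_MIN, -1): %d\n", safe_div64(INT64_MIN, -1, &r));
    printf("safe_mul64(-1, INT64_MIN): %d\n", safe_mul64(-1, INT64_MIN, &r));
    if (safe_mul64(6, -7, &r) == 0)
        printf("safe_mul64(6, -7) = %" PRId64 "\n", r);
    return 0;
}
```

The division-based verification is a legitimate overflow test (if r / a == b with truncating division, then r is exactly a·b and no overflow happened); its only flaw is the single operand pair that makes the verifying division itself trap, which is why moving that one comparison ahead of the division is the whole fix.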
Let me know if you have more stories. Happy new year!