Undestanding Bad Access in probestack

I'm working on a wrapper of a FFI -sys module that implements the ability to create plugins for a C program. I recently happened upon a bad access crash which I think I've resolved but I'd like to know more if possible.

The thing that triggered the problem an allocation method called by the C FFI, where my wrapper was creating a nearly 1M struct on the stack, which was later wrapped in struct that is wrapped in a struct .. that eventually ends up on the heap. Its sort of convoluted but this is the entry point for allocation: median/wrapper.rs at 414b93a6fc349dc6b3642abe6070f4d0727247aa · Cycling74/median · GitHub

Unfortunately the plugin runs in a proprietary environment (Max/MSP) so I can't just share a simple example.

The crash indicated is:

Stop reason: EXC_BAD_ACCESS (code=2, address=0x7ffeef3ff568)

from this line 17B485727: 48 85 64 24 08 testq %rsp, 0x8(%rsp) in:

; id = {0x00000b32}, range = [0x0000000000077710-0x0000000000077750), mangled="__rust_probestack"
; Source location: unknown
17B485710: 55                         pushq  %rbp
17B485711: 48 89 E5                   movq   %rsp, %rbp
17B485714: 49 89 C3                   movq   %rax, %r11
17B485717: 49 81 FB 00 10 00 00       cmpq   $0x1000, %r11  ; imm = 0x1000 
17B48571E: 76 1C                      jbe    0x17b48573c  ; <+44>
17B485720: 48 81 EC 00 10 00 00       subq   $0x1000, %rsp  ; imm = 0x1000 
17B485727: 48 85 64 24 08             testq  %rsp, 0x8(%rsp)
17B48572C: 49 81 EB 00 10 00 00       subq   $0x1000, %r11  ; imm = 0x1000 
17B485733: 49 81 FB 00 10 00 00       cmpq   $0x1000, %r11  ; imm = 0x1000 
17B48573A: 77 E4                      ja     0x17b485720  ; <+16>
17B48573C: 4C 29 DC                   subq   %r11, %rsp
17B48573F: 48 85 64 24 08             testq  %rsp, 0x8(%rsp)
17B485744: 48 01 C4                   addq   %rax, %rsp
17B485747: C9                         leave  
17B485748: C3                         retq   
17B485749: 90                         nop    
17B48574A: 90                         nop    
17B48574B: 90                         nop    
17B48574C: 90                         nop    
17B48574D: 90                         nop    
17B48574E: 90                         nop    
17B48574F: 90                         nop    

I'm wondering if I've just overflowed the stack or if something else wrong is happening? Could I be setting something up incorrectly?
If I wrap this large inner struct in Box the problem goes away..
Thanks for any insights!

A bad access inside __rust_probestack almost always indicates a stackoverflow. The purpose of this function is to ensure that a stackoverflow reliably crashes the program instead of risking to jump over the guard page and cause a potentially exploitable overwrite/leak of data.

2 Likes

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.