[erlang-bugs] beam_validator does not validate receive state
Björn Gustavsson
bgustavsson@REDACTED
Mon Jun 27 14:32:58 CEST 2011
On Sun, Jun 19, 2011 at 3:40 AM, Erik Søe Sørensen <ess@REDACTED> wrote:
> The following function passes beam_validator verification, but crashes the emulator with a segfault if called:
>
> {function, recv, 0, 2}.
> {label,1}.
> {func_info,{atom,broken_recv},{atom,recv},0}.
> {label,2}.
> {loop_rec_end,{f,3}}.
> {label,3}.
> return.

The purpose of the beam_validator is to find
subtle compiler bugs that are difficult to find
using test suites.

An example of such a bug is invoking the
test_heap instruction with uninitialized x
registers. It is very difficult to find that
kind of bug by testing because:

1) The test_heap instruction will not invoke
the GC at all if there already is sufficient heap
space.

2) Even if the GC is invoked, if the uninitialized
x register happens to contain an immediate value
(such as an atom or small integer), nothing bad
will happen.

3) Even if the x register contains a pointer term
(e.g. cons or boxed pointer), depending on where
the pointer points, there may not be any
actual and/or noticeable harm.

It is not a primary focus of the beam_validator
to find obvious bugs that will be found by the
loader (for example, references to non-existing
labels) or found when the emulator is started or
a few test suites are run.
--
Björn Gustavsson, Erlang/OTP, Ericsson AB
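
Added example (not part of the original message and not OTP's beam_validator code): a minimal static check for the test_heap case described above, which catches an uninitialized live x register without depending on whether the GC runs. The module and function names (xreg_check, check/2, demo/0) are hypothetical, and the check assumes straight-line code with no branches, tracking only move and test_heap.

```erlang
%% Added illustration only; a simplified sketch, not OTP's beam_validator.
-module(xreg_check).
-export([check/2, demo/0]).

%% check(Arity, Instructions) -> ok | {error, [{Position, Instr, Reason}]}
%% On function entry only x0..x(Arity-1) are known to hold valid terms.
check(Arity, Is) ->
    Init = ordsets:from_list([{x,N} || N <- lists:seq(0, Arity - 1)]),
    case walk(Is, 1, Init, []) of
        [] -> ok;
        Errs -> {error, lists:reverse(Errs)}
    end.

walk([], _Pos, _Init, Errs) ->
    Errs;
walk([{test_heap,_Need,Live}=I | Is], Pos, Init, Errs0) ->
    %% If the GC runs it scans x0..x(Live-1), so each must hold a valid term.
    Bad = [{x,N} || N <- lists:seq(0, Live - 1),
                    not ordsets:is_element({x,N}, Init)],
    Errs = case Bad of
               [] -> Errs0;
               _ -> [{Pos, I, {uninitialized, Bad}} | Errs0]
           end,
    %% Simplifying assumption: registers at or above Live are treated as
    %% no longer valid after a possible GC.
    Kept = [R || {x,N}=R <- Init, N < Live],
    walk(Is, Pos + 1, Kept, Errs);
walk([{move,_Src,{x,_}=Dst} | Is], Pos, Init, Errs) ->
    %% Writing an x register makes it initialized.
    walk(Is, Pos + 1, ordsets:add_element(Dst, Init), Errs);
walk([_Other | Is], Pos, Init, Errs) ->
    %% Every other instruction is ignored in this sketch.
    walk(Is, Pos + 1, Init, Errs).

%% Constructed sample input: an arity-1 function body in which x1 is
%% declared live at test_heap. In Bad it was never written; in Good it was.
demo() ->
    Bad = [{test_heap,2,2},
           {put_list,{x,0},{x,1},{x,0}},
           return],
    Good = [{move,nil,{x,1}} | Bad],
    {check(1, Bad), check(1, Good)}.
```

Calling xreg_check:demo() reports {x,1} as uninitialized at the test_heap in the first sequence and accepts the second, regardless of heap state at run time.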