Most active commenters
  • nayuki(3)

←back to thread

How a 20 year old bug in GTA San Andreas surfaced in Windows 11 24H2

(cookieplmonster.github.io)
1371 points yett | 13 comments | 23 Apr 25 14:00 UTC | HN request time: 1.466s | source | bottom
Show context
jandrese ◴[23 Apr 25 16:53 UTC] No.43774091[source]
> Not ignore the compilation warnings – this code most likely threw a warning in the original code that was either ignored or disabled!

What compiler error would you expect here? Maybe not checking the return value from scanf to make sure it matches the number of parameters? Otherwise this seems like a data file error that the compiler would have no clue about.

replies(3): >>43775089 #>>43777497 #>>43778191 #
burch45 ◴[23 Apr 25 18:22 UTC] No.43775089[source]
Undefined behavior to access the uninitialized memory. A sanitizer would have flagged that.
replies(2): >>43775220 #>>43775229 #
1. jandrese ◴[23 Apr 25 18:31 UTC] No.43775220[source]
The compiler has no way of knowing that the memory would be undefined, not unless it somehow can verify the data file. The most I think it can do is flag the program for not checking the return value of scanf, but even that is unlikely to be true since the program probably was checking for end of file which is also in the return value. It was failing to check the number of matched parameters. This is the kind of error that is easy to miss given the semantics of scanf.
replies(2): >>43775241 #>>43775941 #
2. andrewmcwatters ◴[23 Apr 25 18:32 UTC] No.43775241[source]
Uninitialized variables are a really common case.
replies(1): >>43776366 #
3. nayuki ◴[23 Apr 25 19:44 UTC] No.43775941[source]
> The compiler has no way of knowing that the memory would be undefined

Yes it would. -fsanitize=address does a bunch of instrumentation - it allocates shadow memory to keep track of what main memory is defined, and it checks every read and write address against the shadow memory. It is a combination of compile-time instrumentation and run-time checking. And yes, it is expensive, so it should be used for debugging and not the final release.

https://clang.llvm.org/docs/AddressSanitizer.html , https://learn.microsoft.com/en-us/cpp/sanitizers/asan?view=m...

replies(3): >>43776057 #>>43776483 #>>43776929 #
4. maccard ◴[23 Apr 25 19:59 UTC] No.43776057[source]
This codebase predates ASAN by the best part of a decade.
5. gmueckl ◴[23 Apr 25 20:34 UTC] No.43776366[source]
The pointer to the uninitialized variable is passed to scanf, which writes a value there unless it encounters an error. The compiler cannot understand this contract from the scanf declaration alone.
6. hoten ◴[23 Apr 25 20:49 UTC] No.43776483[source]
You both may be right. It could be that ASAN is not instrumenting scanf (or some other random standard lib function). Though since 2015, it certainly has been. https://github.com/google/sanitizers/issues/108

The simpler policy of "don't allow unintialized locals when declared" would also have caught it with the tools available when the game was made (though a bit ham-fisted).

replies(1): >>43776808 #
7. nayuki ◴[23 Apr 25 21:30 UTC] No.43776808{3}[source]
The problem is that after calling scanf(), the number of variables that are defined is a variable number. For example:

    int x, y, z;
    int n = scanf("%d %d %d", &x, &y, &z);
At compile time, you can make no inferences about which of x, y, and z are defined, because that depends on the returned value n. There are many ways to branch out from this.

One is to insist on definite assignment - so if we cannot prove all of them are always assigned, then we can treat them as "possibly undefined" and err out.

Another way is to avoid passing references and instead allow multiple returns, like Python (this is pseudocode):

    x, y, z = scanf("%d %d %d")
In that case, if the hypothetical `scanf()` returns a tuple that is less than 3 elements or more than 3 elements, then the unpacking will fail at run time and crash exactly at that line.

Another way is like Java, which insists that the return value is a scalar, so it can't do what C and Python can do. This can be painful on the programmer, of course.

replies(2): >>43777791 #>>43777955 #
8. bri3d ◴[23 Apr 25 21:43 UTC] No.43776929[source]
I tried this with clang ASAN. Nothing happens. It won't catch this bug. ASAN detects the presence of incorrect behavior, not the absence of correct behavior.

There's no use-after-free, use-after-return, use-after-scope, or OOB access here. It's a case of "an allocated stack variable is dynamically read without being initialized only in a runtime case," which afaik no standard analyzer will catch.

The best way to identify this would be to require all locals to be initialized as a matter of policy (very unlikely to fly in a games studio, especially back then, due to the perceived performance overhead) or to debug with a form of stack initialization enabled, like "-ftrivial-auto-var-init=pattern" which while it doesn't catch the issue statically, does make it appear pretty quickly in QA (I tested).

replies(1): >>43777042 #
9. nayuki ◴[23 Apr 25 21:54 UTC] No.43777042{3}[source]
Thanks for the investigation. Oops, it seems like MSan (memory sanitizer) is the appropriate tool that detects uninitialized reads? https://stackoverflow.com/questions/68576464/clang-sanitizer...

I only use UBSan and ASan on my own programs because I tend not to make mistakes about initialization. So my knowledge is incomplete with respect to auditing other people's code, which can have different classes of errors than mine.

Thank goodness that every language that is newer than C and C++ doesn't repeat these design mistakes, and doesn't require these awkward sanitizer tools that are introduced decades after the fact.

10. hoten ◴[23 Apr 25 23:27 UTC] No.43777791{4}[source]
The idea is that ASAN would replace scanf with a function that does additional book keeping when writing to whatever arbitrary memory location the inputs dictate at runtime.

It's probably what the PR resolving the issue I linked to does. Though I didn't check

11. twic ◴[23 Apr 25 23:53 UTC] No.43777955{4}[source]
I interpret "don't allow unintialized locals when declared" as meaning that this call:

    int n = scanf("%d %d %d", &x, &y, &z);
Would be caught, because it takes references to undeclared variables. To be allowed, the programmer would have to initialize the variables beforehand.
replies(1): >>43778926 #
12. dwattttt ◴[24 Apr 25 03:07 UTC] No.43778926{5}[source]
Then people would complain about the wasteful initialisation of out-params. Foolishly, perhaps
replies(1): >>43780936 #
13. da_chicken ◴[24 Apr 25 10:07 UTC] No.43780936{6}[source]
I think it would make sense to have a keyword that permits unsafe instantiation specifically for the edge cases where initialization is too expensive. But I think it makes sense for the lazy case to be a little bit safer.