I noticed a bug in our binutils port that had been generating semi-randomly broken branch relaxation trampolines for decades.
Why did it take so long to notice this code generation bug? The branch has to reach farther than ±32 MB for the branch relaxation trampoline generation to kick in. And even then not all branches were affected (the type of relocation affected it, it had to be in a link library in a specific kind of segment and not in the beginning of it). Finally, for it to actually come into play, the branch had to actually be taken, too.
What did it do wrong then? It added the offset to the target function in the link library .text segment twice. So instead of jumping to the intended function it jumped somewhere random after that. Funnily, the jump might end up hitting some code that did not crash, but did something unintended. For you all non-developer peeps: That is very, very bad.
Fun features of this bug: Since whether the trampoline was generated or not depended on the order of object code and from where the affected call was being made, the bug would pop in and out of existence even on the smallest changes to the code or link libraries. If you know a thing about debugging, this is not very conducive to locating bugs.
Needless to say, this one took a lot of head scratching to finally figure out. The fix was a change on a single line.
This bug was old enough to get into bars and drink alcohol legally.
EDIT: Oops, this was supposed to be a reply to this post: infosec.exchange/@harrysintone… - so I added some context.
#bugstories #bugs #development #coding
Harry Sintonen (@harrysintonen@infosec.exchange):
> The feeling when you notice a bug in your binutils port that has been generating semi-randomly broken branch relaxation trampolines for decades. #programming #coding #oops