Add boundscheck in speccache_eq to avoid OOB access due to data race (#159)

kpamnany · web-flow · commit 775c5d258444 · 2024-06-19T13:09:51.000-04:00
diff --git a/src/gf.c b/src/gf.c
@@ -112,7 +112,7 @@ static int8_t jl_cachearg_offset(jl_methtable_t *mt)
 
 static uint_t speccache_hash(size_t idx, jl_svec_t *data)
 {
-    jl_method_instance_t *ml = (jl_method_instance_t*)jl_svecref(data, idx);
+    jl_method_instance_t *ml = (jl_method_instance_t*)jl_svecref(data, idx); // This must always happen inside the lock
     jl_value_t *sig = ml->specTypes;
     if (jl_is_unionall(sig))
         sig = jl_unwrap_unionall(sig);
@@ -121,6 +121,8 @@ static uint_t speccache_hash(size_t idx, jl_svec_t *data)
 
 static int speccache_eq(size_t idx, const void *ty, jl_svec_t *data, uint_t hv)
 {
+    if (idx >= jl_svec_len(data))
+        return 0; // We got a OOB access, probably due to a data race
     jl_method_instance_t *ml = (jl_method_instance_t*)jl_svecref(data, idx);
     jl_value_t *sig = ml->specTypes;
     if (ty == sig)
