One of the most interesting bugs I ever fixed
Last updated on December 4, 2018, 23:10 by Sebastian Mihai
In this article I describe one of the most interesting bugs I've had to fix.

This bug surfaced while I was extending Snowdrop OS's BASIC interpreter. Like all other Snowdrop OS software, I was writing in assembly language.

The bug occurs when the program assigns an empty string to a variable, via LET variable = "". Any subsequent variable assignments cause undefined behaviour.

A program exhibiting this issue would look like this:

LET variable = "";

LET otherVar = 3;

This bug is an unfortunate combination of two different issues, as well as a zero byte found by chance in a specific place.

  • First issue: during the execution of LET, a variable must be looked up by name. Erroneously, a pointer to the variable's value is passed to the lookup instead of a pointer to its name. In our case of LET variable = "", this effectively looks up a variable with an empty name.

  • Second issue: the variable lookup-by-name routine has an off-by-one error (x86 opcode ja used instead of jae), causing it to inspect an extra, false variable slot immediately past the end of the variable storage area.

  • Unfortunate zero: executable code lies immediately past the end of the variable storage area. By chance, the first byte of the would-be variable name string was zero. This means that the respective chunk of executable code was regarded as a variable with an empty name.

|var slot   |var slot   |var slot   |last var slot  | ... executable code

The executable code is now seen as a variable slot with a matching name string. Upon finding this false variable slot, LET modifies it, effectively corrupting executable code with data.

Then, subsequent LET instructions will execute the corrupted executable code, causing undefined behaviour.
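The following C program is an added illustration of the failure mode described above; it is not Snowdrop OS code and does not reproduce its real memory layout. It assumes a constructed layout of four fixed-size variable slots (an 8-byte NUL-terminated name followed by a 32-bit value) immediately followed by a constructed block of "code" bytes whose first byte happens to be zero. The lookup routine takes a slot bound: the correct bound (the jae case) stops at the last real slot, while the off-by-one bound (the ja case) also inspects the memory right past it, which an empty name then matches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (not Snowdrop's): variable slots followed directly by
 * "executable code", mirroring the diagram in the article. */
#define NAME_LEN    8                     /* NUL-terminated name field     */
#define SLOT_SIZE   (NAME_LEN + 4)        /* name + 32-bit value           */
#define SLOT_COUNT  4
#define CODE_SIZE   16
#define MEM_SIZE    (SLOT_COUNT * SLOT_SIZE + CODE_SIZE)

/* Constructed "code" bytes. The first one is zero, like the unfortunate zero
 * in the article, so it reads as a variable with an empty name. */
static const unsigned char original_code[CODE_SIZE] = {
    0x00, 0x90, 0x90, 0xC3, 0x90, 0x90, 0x90, 0xC3,
    0x90, 0x90, 0x90, 0xC3, 0x90, 0x90, 0x90, 0xC3
};

/* Fill the slots with constructed names/values and place the code after them. */
static void init_memory(unsigned char *mem)
{
    const char *names[SLOT_COUNT] = { "a", "b", "c", "d" };
    memset(mem, 0, MEM_SIZE);
    for (int i = 0; i < SLOT_COUNT; i++) {
        strncpy((char *)mem + i * SLOT_SIZE, names[i], NAME_LEN - 1);
        int32_t v = (int32_t)(i + 1);
        memcpy(mem + i * SLOT_SIZE + NAME_LEN, &v, sizeof v);
    }
    memcpy(mem + SLOT_COUNT * SLOT_SIZE, original_code, CODE_SIZE);
}

/* Lookup by name. 'bound' is how many slots the loop inspects: SLOT_COUNT is
 * the correct limit (jae); SLOT_COUNT + 1 reproduces the off-by-one (ja) and
 * also inspects the bytes immediately past the last slot. Returns -1 if absent. */
static int find_slot(const unsigned char *mem, const char *name, int bound)
{
    for (int i = 0; i < bound; i++) {
        const char *slot_name = (const char *)mem + i * SLOT_SIZE;
        if (strncmp(slot_name, name, NAME_LEN) == 0)
            return i;
    }
    return -1;
}

/* LET name = value, resolved through find_slot. With the off-by-one bound the
 * "slot" found for an empty name is the code region, so the value lands in code. */
static int let_assign(unsigned char *mem, const char *name, int32_t value, int bound)
{
    int i = find_slot(mem, name, bound);
    if (i < 0)
        return -1;
    memcpy(mem + i * SLOT_SIZE + NAME_LEN, &value, sizeof value);
    return i;
}

/* 1 if the code region no longer matches what was loaded there. */
static int code_corrupted(const unsigned char *mem)
{
    return memcmp(mem + SLOT_COUNT * SLOT_SIZE, original_code, CODE_SIZE) != 0;
}

/* Convenience for checking lookups against freshly initialised memory. */
static int lookup_in_fresh_memory(const char *name, int bound)
{
    unsigned char mem[MEM_SIZE];
    init_memory(mem);
    return find_slot(mem, name, bound);
}

/* Both issues combined: LET variable = "" hands the lookup its *value* ("")
 * instead of its name ("variable"), and the search runs one slot too far.
 * Returns 1 if the code region was modified as a result, 0 otherwise. */
static int reproduce(int bound)
{
    unsigned char mem[MEM_SIZE];
    init_memory(mem);
    const char *value_used_as_name = "";   /* the pointer mix-up */
    let_assign(mem, value_used_as_name, 0, bound);
    return code_corrupted(mem);
}

int main(void)
{
    printf("lookup \"\" with correct bound : %d\n", lookup_in_fresh_memory("", SLOT_COUNT));
    printf("lookup \"\" with off-by-one    : %d\n", lookup_in_fresh_memory("", SLOT_COUNT + 1));
    printf("code corrupted (jae bound)   : %d\n", reproduce(SLOT_COUNT));
    printf("code corrupted (ja bound)    : %d\n", reproduce(SLOT_COUNT + 1));
    return 0;
}
```

With the correct bound the empty name is simply not found and nothing is written; with the off-by-one bound the lookup returns index SLOT_COUNT, the slot that does not exist, and the assignment overwrites bytes inside the code region. Either of the two issues alone would have been harmless here: fixing the bound makes the mistaken empty-name lookup fail cleanly, and passing the right name pointer would never have matched the stray zero byte.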