return of return bug?

[edo494]

I was curious, "now" that blizzard checks if branches, and if you dont have return in else branch, or outside of if code. However, they dont check return statement inside loop block, so code like

function a takes nothing returns unit
     return null //some unit
endfunction

function b takes integer newA returns integer
    loop
        call a()
        exitwhen true
        return newA
    endloop
endfunction

function c takes nothing returns nothing
    call BJDebugMsg(I2S(b(5)))
endfunction

However, blizzard having at least a bit of foresight knew we would come up with another way to return bug, and they to make sure made it so that the thread crashes when the return statement is not reached at the end of function(even if a would return integer, it would still crash the thread).

This is nothing fancy, just thought I would share it

 

[Ceday]

I guess the point of function a is just filling some space here.

 

[edo494]

this is how return bug worked before, but instead of loop endloop block, there was if false then block. Basically, when you call function b, it says that it will return integer, but when you call function a, you return unit and how it used to work was that the last returned thing was not flushed, so if there was no return statement that was reachable inside b, you would return unit, but it would still be considered as integer(the interpreter does 0 type checks, the compiler does all the checkings) and it would work, because in Jass everything is of size 4 bytes

 

[chobibo]

Can you grab string table Ids with this? Because that thing was useful when we still had used the previous return bug exploit.

 

[edo494]

unfortunately, they made the interpreter run in such a way that it crashes(as I said) when the function that is meant to return something doesnt end in return statment(it will crash the thread)

 

[chobibo]

Too bad, still, a great find man. That exploit was very useful...