Bug #15165 (closed)
heap-use-after-free (READ of size 8) in obj_free (gc.c:2266)
Description
This is triggered while compiling 22de2030c5 on my Debian machine. Compiled with:
CC=clang CXX=clang++ LDFLAGS="-O0 -fno-omit-frame-pointer -g3 -fsanitize=address -fsanitize-coverage=trace-pc-guard" ASAN_OPTIONS=detect_leaks=0 CFLAGS="-O0 -fno-omit-frame-pointer -g3 -fsanitize=address -fsanitize-coverage=trace-pc-guard" LD=clang make all
Patch:
https://github.com/ruby/ruby/pull/1964
Crash:
generating encdb.h [523/4506]
=================================================================
==61672==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000e670 at pc 0x55cfaf4cb68c bp 0x7ffc415ac8c0 sp 0x7ffc415ac8b8
READ of size 8 at 0x60600000e670 thread T0
#0 0x55cfaf4cb68b in obj_free /home/jtruba/rubies/ruby-trunk/gc.c:2266:17
#1 0x55cfaf4c93da in gc_page_sweep /home/jtruba/rubies/ruby-trunk/gc.c:3562:10
#2 0x55cfaf4c80de in gc_sweep_step /home/jtruba/rubies/ruby-trunk/gc.c:3730:19
#3 0x55cfaf4c697e in gc_sweep_continue /home/jtruba/rubies/ruby-trunk/gc.c:3796:5
#4 0x55cfaf4c6695 in heap_prepare /home/jtruba/rubies/ruby-trunk/gc.c:1741:2
#5 0x55cfaf4c6448 in heap_get_freeobj_from_next_freepage /home/jtruba/rubies/ruby-trunk/gc.c:1761:2
#6 0x55cfaf4c60ef in heap_get_freeobj /home/jtruba/rubies/ruby-trunk/gc.c:1795:10
#7 0x55cfaf4c5ea6 in newobj_slowpath /home/jtruba/rubies/ruby-trunk/gc.c:1925:11
#8 0x55cfaf4c5a22 in newobj_slowpath_wb_protected /home/jtruba/rubies/ruby-trunk/gc.c:1937:12
#9 0x55cfaf4a271d in newobj_of /home/jtruba/rubies/ruby-trunk/gc.c:1974:4
#10 0x55cfaf4a27ce in rb_wb_protected_newobj_of /home/jtruba/rubies/ruby-trunk/gc.c:1990:12
#11 0x55cfaf925f32 in str_alloc /home/jtruba/rubies/ruby-trunk/string.c:715:5
#12 0x55cfaf91f592 in str_new0 /home/jtruba/rubies/ruby-trunk/string.c:737:11
#13 0x55cfaf91f4ab in rb_enc_str_new /home/jtruba/rubies/ruby-trunk/string.c:789:11
#14 0x55cfaf9a7142 in rb_intern3 /home/jtruba/rubies/ruby-trunk/symbol.c:600:11
#15 0x55cfaf72535a in tokenize_ident /home/jtruba/rubies/ruby-trunk/parse.y:7321:16
#16 0x55cfaf71a139 in parse_ident /home/jtruba/rubies/ruby-trunk/parse.y:7576:13
#17 0x55cfaf709576 in parser_yylex /home/jtruba/rubies/ruby-trunk/parse.y:8255:12
#18 0x55cfaf6dae43 in yylex /home/jtruba/rubies/ruby-trunk/parse.y:8265:9
#19 0x55cfaf6aea5b in ruby_yyparse /home/jtruba/rubies/ruby-trunk/parse.c:5254:16
#20 0x55cfaf6f640e in yycompile0 /home/jtruba/rubies/ruby-trunk/parse.y:4882:9
#21 0x55cfafb483c4 in rb_suppress_tracing /home/jtruba/rubies/ruby-trunk/vm_trace.c:401:11
#22 0x55cfaf6f1302 in yycompile /home/jtruba/rubies/ruby-trunk/parse.y:4926:5
#23 0x55cfaf6f0f91 in rb_parser_compile_file_path /home/jtruba/rubies/ruby-trunk/parse.y:5065:12
#24 0x55cfaf8b9dd2 in load_file_internal /home/jtruba/rubies/ruby-trunk/ruby.c:1984:11
#25 0x55cfaf465d84 in rb_ensure /home/jtruba/rubies/ruby-trunk/eval.c:1052:11
#26 0x55cfaf8b2660 in load_file /home/jtruba/rubies/ruby-trunk/ruby.c:2103:24
#27 0x55cfaf8b17e4 in rb_parser_load_file /home/jtruba/rubies/ruby-trunk/ruby.c:2125:12
#28 0x55cfaf5a3e9f in rb_load_internal0 /home/jtruba/rubies/ruby-trunk/load.c:606:24
#29 0x55cfaf5a5298 in rb_require_internal /home/jtruba/rubies/ruby-trunk/load.c:992:15
#30 0x55cfaf5a4417 in rb_require_safe /home/jtruba/rubies/ruby-trunk/load.c:1038:18
#31 0x55cfaf5a43d6 in rb_f_require /home/jtruba/rubies/ruby-trunk/load.c:820:12
#32 0x55cfafb2320c in call_cfunc_1 /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:1748:12
#33 0x55cfafaffd41 in vm_call_cfunc_with_frame /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:1931:11
#34 0x55cfafae8cc5 in vm_call_cfunc /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:1947:12
#35 0x55cfafae6039 in vm_call_method_each_type /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:2269:9
#36 0x55cfafae59ba in vm_call_method /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:2406:13
#37 0x55cfafa8f86b in vm_call_general /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:2438:12
#38 0x55cfafa9cf26 in vm_exec_core /home/jtruba/rubies/ruby-trunk/insns.def:767:5
#39 0x55cfafad69eb in rb_vm_exec /home/jtruba/rubies/ruby-trunk/vm.c:1812:22
#40 0x55cfafada946 in rb_iseq_eval_main /home/jtruba/rubies/ruby-trunk/vm.c:2071:11
#41 0x55cfaf461079 in ruby_exec_internal /home/jtruba/rubies/ruby-trunk/eval.c:261:2
#42 0x55cfaf4608d7 in ruby_exec_node /home/jtruba/rubies/ruby-trunk/eval.c:325:12
#43 0x55cfaf460706 in ruby_run_node /home/jtruba/rubies/ruby-trunk/eval.c:317:25
#44 0x55cfaf27b7f4 in main /home/jtruba/rubies/ruby-trunk/./main.c:42:9
#45 0x7fd4b91bbb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
#46 0x55cfaf1a552b in _start (/home/jtruba/rubies/ruby-trunk/miniruby+0x14352b)
0x60600000e670 is located 16 bytes inside of 56-byte region [0x60600000e660,0x60600000e698)
freed by thread T0 here:
#0 0x55cfaf24c612 in __interceptor_free /home/jtruba/to_install/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:78:3
#1 0x55cfaf4ba088 in objspace_xfree /home/jtruba/rubies/ruby-trunk/gc.c:8160:5
#2 0x55cfaf4ba024 in ruby_sized_xfree /home/jtruba/rubies/ruby-trunk/gc.c:8256:2
#3 0x55cfaf4a1fdf in ruby_xfree /home/jtruba/rubies/ruby-trunk/gc.c:8263:5
#4 0x55cfaf8f6af0 in st_free_table /home/jtruba/rubies/ruby-trunk/st.c:690:5
#5 0x55cfaf4cb5d2 in obj_free /home/jtruba/rubies/ruby-trunk/gc.c:2264:6
#6 0x55cfaf4c93da in gc_page_sweep /home/jtruba/rubies/ruby-trunk/gc.c:3562:10
#7 0x55cfaf4c80de in gc_sweep_step /home/jtruba/rubies/ruby-trunk/gc.c:3730:19
#8 0x55cfaf4c697e in gc_sweep_continue /home/jtruba/rubies/ruby-trunk/gc.c:3796:5
#9 0x55cfaf4c6695 in heap_prepare /home/jtruba/rubies/ruby-trunk/gc.c:1741:2
#10 0x55cfaf4c6448 in heap_get_freeobj_from_next_freepage /home/jtruba/rubies/ruby-trunk/gc.c:1761:2
#11 0x55cfaf4c60ef in heap_get_freeobj /home/jtruba/rubies/ruby-trunk/gc.c:1795:10
#12 0x55cfaf4c5ea6 in newobj_slowpath /home/jtruba/rubies/ruby-trunk/gc.c:1925:11
#13 0x55cfaf4c5a22 in newobj_slowpath_wb_protected /home/jtruba/rubies/ruby-trunk/gc.c:1937:12
#14 0x55cfaf4a271d in newobj_of /home/jtruba/rubies/ruby-trunk/gc.c:1974:4
#15 0x55cfaf4a27ce in rb_wb_protected_newobj_of /home/jtruba/rubies/ruby-trunk/gc.c:1990:12
#16 0x55cfaf925f32 in str_alloc /home/jtruba/rubies/ruby-trunk/string.c:715:5
#17 0x55cfaf91f592 in str_new0 /home/jtruba/rubies/ruby-trunk/string.c:737:11
#18 0x55cfaf91f4ab in rb_enc_str_new /home/jtruba/rubies/ruby-trunk/string.c:789:11
#19 0x55cfaf9a7142 in rb_intern3 /home/jtruba/rubies/ruby-trunk/symbol.c:600:11
#20 0x55cfaf72535a in tokenize_ident /home/jtruba/rubies/ruby-trunk/parse.y:7321:16
#21 0x55cfaf71a139 in parse_ident /home/jtruba/rubies/ruby-trunk/parse.y:7576:13
#22 0x55cfaf709576 in parser_yylex /home/jtruba/rubies/ruby-trunk/parse.y:8255:12
#23 0x55cfaf6dae43 in yylex /home/jtruba/rubies/ruby-trunk/parse.y:8265:9
#24 0x55cfaf6aea5b in ruby_yyparse /home/jtruba/rubies/ruby-trunk/parse.c:5254:16
#25 0x55cfaf6f640e in yycompile0 /home/jtruba/rubies/ruby-trunk/parse.y:4882:9
#26 0x55cfafb483c4 in rb_suppress_tracing /home/jtruba/rubies/ruby-trunk/vm_trace.c:401:11
#27 0x55cfaf6f1302 in yycompile /home/jtruba/rubies/ruby-trunk/parse.y:4926:5
#28 0x55cfaf6f0f91 in rb_parser_compile_file_path /home/jtruba/rubies/ruby-trunk/parse.y:5065:12
#29 0x55cfaf8b9dd2 in load_file_internal /home/jtruba/rubies/ruby-trunk/ruby.c:1984:11
previously allocated by thread T0 here:
#0 0x55cfaf24c953 in malloc /home/jtruba/to_install/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
#1 0x55cfaf4b9601 in objspace_xmalloc0 /home/jtruba/rubies/ruby-trunk/gc.c:7985:5
#2 0x55cfaf4b948e in ruby_xmalloc0 /home/jtruba/rubies/ruby-trunk/gc.c:8169:12
#3 0x55cfaf4b92fd in ruby_xmalloc_body /home/jtruba/rubies/ruby-trunk/gc.c:8178:12
#4 0x55cfaf4b04eb in ruby_xmalloc /home/jtruba/rubies/ruby-trunk/gc.c:9948:12
#5 0x55cfaf8f60b9 in st_init_table_with_size /home/jtruba/rubies/ruby-trunk/st.c:593:24
#6 0x55cfaf8f682f in st_init_table /home/jtruba/rubies/ruby-trunk/st.c:623:12
#7 0x55cfaf4ea158 in rb_ident_hash_new /home/jtruba/rubies/ruby-trunk/hash.c:3041:25
#8 0x55cfaf99aa6a in struct_make_members_list /home/jtruba/rubies/ruby-trunk/struct.c:354:23
#9 0x55cfaf99b13c in rb_struct_define_without_accessor /home/jtruba/rubies/ruby-trunk/struct.c:420:15
#10 0x55cfaf78636c in Init_Range /home/jtruba/rubies/ruby-trunk/range.c:1538:17
#11 0x55cfaf4fec5c in rb_call_inits /home/jtruba/rubies/ruby-trunk/inits.c:43:5
#12 0x55cfaf45d310 in ruby_setup /home/jtruba/rubies/ruby-trunk/eval.c:74:2
#13 0x55cfaf45d5d8 in ruby_init /home/jtruba/rubies/ruby-trunk/eval.c:91:17
#14 0x55cfaf27b77a in main /home/jtruba/rubies/ruby-trunk/./main.c:41:2
#15 0x7fd4b91bbb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-use-after-free /home/jtruba/rubies/ruby-trunk/gc.c:2266:17 in obj_free
Shadow bytes around the buggy address:
0x0c0c7fff9c70: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff9c80: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c7fff9c90: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7fff9ca0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c7fff9cb0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c7fff9cc0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd[fd]fd
0x0c0c7fff9cd0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c7fff9ce0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c7fff9cf0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
0x0c0c7fff9d00: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c7fff9d10: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==61672==ABORTING
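Reading the report: the st_table behind the hash is released by st_free_table called from obj_free at gc.c:2264, and two lines later (gc.c:2266) obj_free performs an 8-byte READ 16 bytes into the 56-byte region it has just freed, which is the classic "free, then consult the freed object" ordering. The C program below is an added illustration of that bug class and the usual correction (take every value you need from the object before releasing it), written for this page; it is not Ruby's gc.c or st.c, the fix in the linked PR may differ, and the table layout, the field read at offset 16 and the memory-accounting purpose of the read are all assumptions chosen only so that the model matches the sizes in the report on an LP64 build.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a hash table entry (assumption, not Ruby's st.c). */
typedef struct {
    size_t hash;
    size_t key;
    size_t record;
} st_entry_model;

/* Hypothetical model of the table header (assumption, not Ruby's st.c).
 * The report says the freed region is 56 bytes and the bad READ of size 8
 * lands 16 bytes into it, so this layout puts a size_t at offset 16 and is
 * 7 * 8 = 56 bytes on an LP64 platform. */
typedef struct {
    size_t capacity;        /* offset 0  */
    void *type;             /* offset 8  */
    size_t num_entries;     /* offset 16: the field read after the free */
    size_t *bins;           /* offset 24 */
    size_t entries_start;   /* offset 32 */
    size_t entries_bound;   /* offset 40 */
    st_entry_model *entries;/* offset 48 */
} st_table_model;

/* Stand-in for the interpreter's malloc accounting (assumption): the GC keeps
 * a running total of heap bytes so it can decide when to collect. */
static size_t malloc_bytes_live = 0;

static size_t tbl_memsize(const st_table_model *t)
{
    return sizeof *t + t->capacity * (sizeof *t->bins + sizeof *t->entries);
}

static st_table_model *tbl_new(size_t capacity)
{
    st_table_model *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->capacity = capacity;
    t->bins = calloc(capacity, sizeof *t->bins);
    t->entries = calloc(capacity, sizeof *t->entries);
    if (!t->bins || !t->entries) abort();
    malloc_bytes_live += tbl_memsize(t);
    return t;
}

static void tbl_free(st_table_model *t)
{
    free(t->entries);
    free(t->bins);
    free(t);
}

/* Vulnerable ordering, the shape the ASan report describes: release the table
 * (st_free_table at gc.c:2264 in the report) and then read one of its fields
 * (gc.c:2266). Built with -fsanitize=address this yields a heap-use-after-free
 * READ of size 8 inside the freed region. Kept only for comparison; it runs
 * only when main() is started with --trigger. */
static size_t obj_free_uaf(st_table_model *t)
{
    tbl_free(t);
    return t->num_entries;  /* reads freed memory */
}

/* Corrected ordering: take every value the bookkeeping needs while the table
 * is live, release it, and only then touch the counters. */
static size_t obj_free_fixed(st_table_model *t)
{
    size_t reclaimed = tbl_memsize(t);  /* read before free */
    tbl_free(t);                        /* t is dangling from here on */
    t = NULL;                           /* a later slip becomes a crash, not a silent UAF */
    malloc_bytes_live -= reclaimed;
    return reclaimed;
}

/* Self-check: allocate, free in the safe order, and confirm the accounting
 * returns to its starting point. Returns 1 on success, 0 on a mismatch. */
static int accounting_roundtrip(size_t capacity)
{
    size_t before = malloc_bytes_live;
    st_table_model *t = tbl_new(capacity);
    size_t expect = sizeof *t + capacity * (sizeof *t->bins + sizeof *t->entries);
    if (tbl_memsize(t) != expect) return 0;
    if (obj_free_fixed(t) != expect) return 0;
    return malloc_bytes_live == before;
}

int main(int argc, char **argv)
{
    st_table_model *t = tbl_new(8);
    t->num_entries = 3;
    if (argc > 1 && strcmp(argv[1], "--trigger") == 0) {
        /* compile with -O0 -g -fsanitize=address to get a report like the one above */
        printf("num_entries after free: %zu\n", obj_free_uaf(t));
        return 0;
    }
    printf("reclaimed %zu bytes, %zu still accounted\n",
           obj_free_fixed(t), malloc_bytes_live);
    return accounting_roundtrip(4) ? 0 : 1;
}
```

Run without arguments to see the safe path; `--trigger` under an ASan build reproduces the free-then-read pattern so that the sanitizer output can be compared with the report above (same "freed by" frame immediately preceding the READ frame in one function). The general defensive rule the example encodes is that destructors and sweep routines must snapshot size or count fields before the release call, since the region may be reused by the allocator the moment free() returns.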