
Fix empty array join encoding #12

Closed
wants to merge 128 commits into from

Conversation


@xsimov xsimov commented Jun 21, 2018

WHERE

Array#join, ruby <= 2.5.x

WHAT

The Array#join method returns an empty string with encoding UTF-8 when the array is empty

WHY

The default encoding since Ruby 2.0 (*citation needed) is UTF-8 and it is odd that the empty string returned by joining an empty array has US-ASCII encoding. That often breaks the expectations from the return encoding of Array#join since most of the other cases result in a UTF-8 encoded string.

* I have read this information from many sources but could not find any official source to link in this PR.

shyouhei and others added 30 commits Jun 5, 2018
- `isnan` is something relatively new.  We need to provide one for
  those systems without it.  However:
- X/Open defines `int isnan(double)`. Note the `int`.
- C99 defines `isnan(x)` to be a macro.
- C++11 nukes them all, undefines all the "masking macro"s, and
  defines its own `bool isnan(double)`.  Note the `bool`.
- In C++, `int isnan(double)` and `bool isnan(double)` are
  incompatible.
- So the mess.

[Bug #14816][ruby-core:87364]
further reading: https://developers.redhat.com/blog/2016/02/29/why-cstdlib-is-more-complicated-than-you-might-think/


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63571 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* include/ruby/missing.h (isinf, isnan): For non-C++ programs,
  defined(__cplusplus) may be needed before using __cplusplus.
  [Bug #14816]


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63572 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
We may add gc_*_continue calls in a few more places, and adding
more #ifdefs around those is ugly.  For now, this makes the
heap_prepare function look better.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63573 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63574 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Every time I look at gc.c, I get confused by argument ordering:

	gc_start(..., TRUE, TRUE, FALSE, ...)
	gc_start(..., FALSE, FALSE, FALSE, ... )

While we do not have kwargs in C, we can use flags to improve readability:

	gc_start(...,
		GPR_FLAG_FULL_MARK | GPR_FLAG_IMMEDIATE_MARK |
		GPR_FLAG_IMMEDIATE_SWEEP | ...)

[ruby-core:87311] [Misc #14798]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63575 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
GNU/Hurd has writev(2) but does not define IOV_MAX
[ruby-core:87417] [Bug #14827]

Reported-by: Paul Sonnenschein

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63576 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
RbConfig::TOPDIR points to my installation prefix on my FreeBSD
and GNU/Linux systems, so there's no way miniruby exists, there.
In case we don't have miniruby, --disable=gems anyways to reduce
dtrace overhead.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63577 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Nowadays we create empty arrays in the parse/compile
phase which gave us lineno==0.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63578 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Don't output method cache clearing at startup since
it causes dtrace to drop output and break the test.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63579 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Since [Feature #14104], "trace" instructions are no
longer emitted by default, so we must enable them explicitly
for function tracing to work.

[ruby-core:85965]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63580 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
For the current cases, a few string substitutions is enough to
make dtrace(1) scripts work with stap(1).  For more complex
scripts (maybe in the future), we may pass a hash with
implementation-specific scripts.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63581 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
rb_gc_mark_encodings has been empty for a decade
(since r17875 / 28b216a).
Just remove it and its only caller in gc.c

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63582 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
I'm not entirely sure why, but SIGTTOU pauses the test
when running test-all in parallel.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63583 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63584 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
…defined

[ruby-core:87420] [Bug #14828]
Thanks-to: MSP-Greg (Greg L)

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63585 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ast.c: I created a new C source code file with tabs and spaces mixed
  format by mistake. Currently we move to spaces only.
  Surely we agreed not to batch update. But ast.c is a new
  source code. So please forgive me for changing the format before
  many changes are committed this file.
  I'm sorry about my mistake.

  ref [Bug #14246]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63586 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63587 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63588 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63589 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63590 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
`Net::HTTPServerException` has been deprecated since r63590. [Bug #14688]
And `net/http/responses.rb` uses the deprecated constant, so Ruby warns of the deprecation.

Example:

```bash
$ ruby -r net/http -e ''
/home/pocke/.rbenv/versions/trunk/lib/ruby/2.6.0/net/http/responses.rb:22: warning: constant Net::HTTPServerException is deprecated
```

This change suppresses the warning.
From: Masataka Pocke Kuwabara <kuwabara@pocke.me>

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63591 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* math.c (math_cbrt): refine the approximation result on boundary
  values by an iteration of Newton-Raphson method.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63592 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Some comments say "stop", others say "finish".

I'm going to add code which dynamically stops MJIT worker, rather than
finishing it forever. So I'm thinking `stop` is more appropriate for it.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63593 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
The current VM_INSTRUCTION_SIZE is 198, so the linear search is
painful during a major GC phase.

I noticed rb_vm_insn_addr2insn2 showing up at the top of some
profiles while working on some malloc-related stuff, so I
decided to attack it.

Most notably, the benchmark/bm_vm3_gc.rb improves by over 40%:

  https://80x24.org/spew/20180602220554.GA9991@whir/raw

[ruby-core:87361] [Feature #14814]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63594 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63595 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Nobody uses it, and "git log -p -Scached_const" shows it's ever
been used in public history.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63596 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/net/http/test_http.rb (test_timeout_during_HTTP_session_write): on some
  platforms such as Windows, Socket#write returns immediately, and we have to
  wait to read its response.  So, we cannot handle Net::WriteTimeout and should
  handle Net::ReadTimeout instead.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63597 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This test is about write_timeout.
To ensure it really raised Net::WriteTimeout, skip this test on Windows,
whose write returns immediately even for large data.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63598 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
  Upstream repository is https://github.com/ruby/ostruct.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63599 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63600 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ko1 and others added 8 commits Jun 19, 2018
* spec/ruby/optional/capi/typed_data_spec.rb: same as r63692.

* spec/ruby/optional/capi/ext/typed_data_spec.c: ditto.

* vm_insnhelper.h (PUSH): re-enable assertion to check hidden objects.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63694 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Shouldn't affect production use, but good to fix regardless :>

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63695 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* variable.c (rb_const_search): fix NameError :receiver attribute
  on private constant, should raise with the included module, not
  the ICLASS.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63696 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63697 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
invoke_service_command may set entries in @servers to `false',
making it incompatible with the intended use of the
safe navigation operator.

This caused occasional DRb test failures, but they were hidden
with automatic retry.

[ruby-core:87524] [Bug #14856]

Fixes: r53111 ("use safe navigation operator")
	commit 059c9c1 [GH-1142]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63698 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63699 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63700 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* include/ruby/defines.h: introduce `USE_GC_MALLOC_OBJ_INFO_DETAILS`
  to show malloc statistics by replacing ruby_xmalloc() and so on with
  macros.

* gc.c (struct malloc_obj_info): introduced to save per-malloc information.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63701 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

@xsimov xsimov commented Jun 21, 2018

I created an issue for this in Redmine: https://bugs.ruby-lang.org/issues/14863

@xsimov xsimov force-pushed the fix-empty-array-join-encoding branch from 823f7c9 to bc9df29 Jun 21, 2018
The locale encoding can be set from the magic comment in the
top of the file `# Encoding: UTF-8` and the empty string resulting from
`[].join` must have that encoding instead of being forced to US ASCII.
@xsimov xsimov force-pushed the fix-empty-array-join-encoding branch from bc9df29 to 5dd08d2 Jun 21, 2018
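The behaviour the PR description and the force-pushed commit message talk about can be observed directly. The script below is an added example, not code from this pull request or from Ruby itself: `join_encodings` reports which encoding `Array#join` hands back for empty, ASCII-only and non-ASCII input on the running interpreter, and `join_as` and `joinable?` are helper names chosen here (not Ruby APIs) that give callers a predictable result encoding no matter which interpreter version they run on. The sample arrays are constructed for the example.

```ruby
# Added example, not code from this pull request or from Ruby itself.
# It reports which encoding Array#join hands back for empty, ASCII-only
# and non-ASCII inputs, and wraps join so callers get a predictable
# encoding regardless of the interpreter version.

# Encoding names Array#join produces on the running interpreter.
# Per the PR description, on Ruby <= 2.5 :empty is "US-ASCII" while the
# non-empty cases are "UTF-8"; that is the mismatch the PR is about.
def join_encodings
  {
    empty:     [].join.encoding.name,
    ascii:     ["a", "b"].join(",").encoding.name,
    non_ascii: ["\u00e9", "\u00fc"].join(",").encoding.name,
  }
end

# join_as is a helper name chosen for this example (not a Ruby API).
# It joins +array+ with +sep+ and returns a string tagged with +target+:
#  * an empty result is rebuilt with +target+ instead of whatever the
#    interpreter uses for [].join;
#  * an ASCII-only result that came back as US-ASCII is relabelled
#    (no bytes change);
#  * anything else is transcoded, so a later comparison against input
#    already in +target+ cannot raise Encoding::CompatibilityError.
def join_as(array, sep = "", target: Encoding::UTF_8)
  joined = array.join(sep)
  return String.new("", encoding: target) if joined.empty?
  if joined.encoding == Encoding::US_ASCII && joined.ascii_only?
    return joined.force_encoding(target)
  end
  joined.encoding == target ? joined : joined.encode(target)
end

# joinable? is also a name chosen here. It returns true when the elements
# can be joined without an encoding clash; Array#join itself raises
# Encoding::CompatibilityError when, for instance, a binary string with
# high bytes meets a UTF-8 string containing non-ASCII characters.
def joinable?(array, sep = "")
  array.join(sep)
  true
rescue Encoding::CompatibilityError
  false
end

if __FILE__ == $PROGRAM_NAME
  p join_encodings                              # constructed sample inputs
  p join_as([]).encoding                        # always the requested target
  p joinable?(["caf\u00e9", "\xFF".b])          # binary high byte vs UTF-8
end
```

Run it under different Ruby versions to see the `:empty` entry change while `join_as([]).encoding` stays fixed; the relabel-versus-transcode split in `join_as` matters because `force_encoding` is only safe when the bytes are already valid in the target, which an ASCII-only string guarantees.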

@xsimov xsimov commented Jun 21, 2018

Closing in favor of ruby#1897

@xsimov xsimov closed this Jun 21, 2018
shyouhei added a commit that referenced this issue Oct 18, 2018
This function can be called from inside of rb_ast_new().
Should add appropriate case branches.

(lldb) run
Process 9135 launched: './miniruby' (x86_64)
Process 9135 stopped
* thread #1: tid = 0xdf36b, 0x00000001000ca4f9 miniruby`rb_raw_obj_info(buff="0x000000010205d158 [0    ] T_IMEMO", buff_size=256, obj=4328903000) + 2361 at gc.c:9617, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
    frame #0: 0x00000001000ca4f9 miniruby`rb_raw_obj_info(buff="0x000000010205d158 [0    ] T_IMEMO", buff_size=256, obj=4328903000) + 2361 at gc.c:9617
   9614                 IMEMO_NAME(iseq);
   9615                 IMEMO_NAME(tmpbuf);
   9616 #undef IMEMO_NAME
-> 9617               default: UNREACHABLE;
   9618             }
   9619             snprintf(buff, buff_size, "%s %s", buff, imemo_name);
   9620
(lldb) bt
* thread #1: tid = 0xdf36b, 0x00000001000ca4f9 miniruby`rb_raw_obj_info(buff="0x000000010205d158 [0    ] T_IMEMO", buff_size=256, obj=4328903000) + 2361 at gc.c:9617, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
  * frame #0: 0x00000001000ca4f9 miniruby`rb_raw_obj_info(buff="0x000000010205d158 [0    ] T_IMEMO", buff_size=256, obj=4328903000) + 2361 at gc.c:9617
    frame #1: 0x00000001000c433f miniruby`obj_info(obj=4328903000) + 95 at gc.c:9671
    frame #2: 0x00000001000ce2ac miniruby`newobj_init(klass=4302478608, flags=36890, v1=0, v2=0, v3=0, wb_protected=1, objspace=0x0000000101800410, obj=4328903000) + 444 at gc.c:1882
    frame #3: 0x00000001000c0a49 miniruby`newobj_of(klass=4302478608, flags=36890, v1=0, v2=0, v3=0, wb_protected=1) + 217 at gc.c:1968
    frame #4: 0x00000001000c0bcb miniruby`rb_imemo_new(type=imemo_ast, v1=0, v2=0, v3=0, v0=4302478608) + 75 at gc.c:2017
    frame #5: 0x0000000100148f2a miniruby`rb_ast_new + 58 at node.c:1118
    frame #6: 0x000000010018d9e2 miniruby`yycompile(vparser=4328903720, p=0x0000000100729670, fname=4328903160, line=1) + 98 at parse.y:4925
    frame #7: 0x000000010018d66f miniruby`parser_compile_string(vparser=4328903720, fname=4328903160, s=4328904440, line=1) + 143 at parse.y:4995
    frame #8: 0x000000010018d768 miniruby`rb_parser_compile_string_path(vparser=4328903720, f=4328903160, s=4328904440, line=1) + 56 at parse.y:5015
    frame #9: 0x000000010018d71e miniruby`rb_parser_compile_string(vparser=4328903720, f="-e", s=4328904440, line=1) + 62 at parse.y:5008
    frame #10: 0x00000001002130d5 miniruby`process_options(argc=0, argv=0x00007fff5fbfdc08, opt=0x00007fff5fbfd9e8) + 3477 at ruby.c:1754
    frame #11: 0x00000001002122dd miniruby`ruby_process_options(argc=2, argv=0x00007fff5fbfdbf8) + 285 at ruby.c:2332
    frame #12: 0x00000001000aa966 miniruby`ruby_options(argc=2, argv=0x00007fff5fbfdbf8) + 262 at eval.c:118
    frame #13: 0x0000000100000ed4 miniruby`main(argc=2, argv=0x00007fff5fbfdbf8) + 116 at main.c:42
    frame #14: 0x00007fff933845ad libdyld.dylib`start + 1
    frame #15: 0x00007fff933845ad libdyld.dylib`start + 1
(lldb)


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65148 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
shyouhei added a commit that referenced this issue Apr 26, 2019
GC.stress unveils that an ivptr allocated using transient heap gets
marked right before it evacuates to normal heaps (the evacuation
itself triggers GC).

Should fill something beforehand.

=================================================================
==60984==ERROR: AddressSanitizer: use-after-poison on address 0x7f0fcfdf0020 at pc 0x55bdaad55381 bp 0x7fffcddc0910 sp 0x7fffcddc0908
READ of size 8 at 0x7f0fcfdf0020 thread T0
    #0 0x55bdaad55380 in gc_mark_children gc.c:5063:39
    #1 0x55bdaad6b7c2 in gc_mark_stacked_objects gc.c:5156:9
    #2 0x55bdaad6cb1a in gc_mark_stacked_objects_all gc.c:5196:12
    #3 0x55bdaad6a180 in gc_marks_rest gc.c:6109:2
    #4 0x55bdaad6ef51 in gc_marks gc.c:6169:6
    #5 0x55bdaad63bfd in gc_start gc.c:6974:2
    #6 0x55bdaad4fa73 in garbage_collect gc.c:6869:12
    #7 0x55bdaad7866e in garbage_collect_with_gvl gc.c:7127:9
    #8 0x55bdaad784d6 in objspace_malloc_gc_stress gc.c:9270:9
    #9 0x55bdaad56f29 in objspace_xmalloc0 gc.c:9416:5
    #10 0x55bdaad56ef2 in ruby_xmalloc2_body gc.c:9623:12
    #11 0x55bdaad615dc in ruby_xmalloc2 gc.c:11479:12
    #12 0x55bdab26a601 in obj_ivar_heap_alloc variable.c:1405:18
    #13 0x55bdab27a35b in obj_ivar_heap_realloc variable.c:1418:23
    #14 0x55bdab26ac98 in obj_ivar_set variable.c:1490:26
    #15 0x55bdab2621fd in rb_ivar_set variable.c:1513:16
    #16 0x55bdab2e841d in vm_setivar vm_insnhelper.c:1118:12
    #17 0x55bdab2ecca4 in vm_setinstancevariable vm_insnhelper.c:1130:5
    #18 0x55bdab28113c in vm_exec_core insns.def:227:5

0x7f0fcfdf0020 is located 26181664 bytes inside of 33554432-byte region [0x7f0fce4f8000,0x7f0fd04f8000)
allocated by thread T0 here:
    #0 0x55bdaacd3047 in posix_memalign (ruby+0x1c2047)
    #1 0x55bdaad56b75 in rb_aligned_malloc gc.c:9195:9
    #2 0x55bdab24c523 in transient_heap_block_alloc transient_heap.c:296:24
    #3 0x55bdab24c1fe in Init_TransientHeap transient_heap.c:435:39
    #4 0x55bdaada26f8 in rb_call_inits inits.c:20:5
    #5 0x55bdaad076af in ruby_setup eval.c:74:2
    #6 0x55bdaad0796c in ruby_init eval.c:91:17
    #7 0x55bdaad01598 in main main.c:41:2
    #8 0x7f0fd344cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: use-after-poison gc.c:5063:39 in gc_mark_children
Shadow bytes around the buggy address:
  0x0fe279fb5fb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fe279fb5fc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fe279fb5fd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fe279fb5fe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fe279fb5ff0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0fe279fb6000: 00 00 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fe279fb6010: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fe279fb6020: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fe279fb6030: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fe279fb6040: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fe279fb6050: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==60984==ABORTING
shyouhei added a commit that referenced this issue Apr 26, 2019
ec->cfp->iseq might not exist at the very beginning of a thread.

=================================================================
==82954==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc86f334810 at pc 0x55ceaf013125 bp 0x7ffe2eddbbf0 sp 0x7ffe2eddbbe8
READ of size 8 at 0x7fc86f334810 thread T0
    #0 0x55ceaf013124 in vm_check_canary vm_insnhelper.c:217:24
    #1 0x55ceaefb4796 in vm_push_frame vm_insnhelper.c:276:5
    #2 0x55ceaf0124bd in th_init vm.c:2661:5
    #3 0x55ceaf00d5eb in ruby_thread_init vm.c:2690:5
    #4 0x55ceaf00d4b1 in rb_thread_alloc vm.c:2703:5
    #5 0x55ceaef0038b in thread_s_new thread.c:872:20
    #6 0x55ceaf04d8c1 in call_cfunc_m1 vm_insnhelper.c:2041:12
    #7 0x55ceaf03118d in vm_call_cfunc_with_frame vm_insnhelper.c:2207:11
    #8 0x55ceaf017985 in vm_call_cfunc vm_insnhelper.c:2225:12
    #9 0x55ceaf01548b in vm_call_method_each_type vm_insnhelper.c:2560:9
    #10 0x55ceaf014c96 in vm_call_method vm_insnhelper.c:2686:13
    #11 0x55ceaefb5de4 in vm_call_general vm_insnhelper.c:2730:12
    #12 0x55ceaf03c868 in vm_sendish vm_insnhelper.c:3623:11
    #13 0x55ceaefc95bb in vm_exec_core insns.def:771:11
    #14 0x55ceaf006700 in rb_vm_exec vm.c:1892:22
    #15 0x55ceaf00acbf in rb_iseq_eval_main vm.c:2151:11
    #16 0x55ceaea250ca in ruby_exec_internal eval.c:262:2
    #17 0x55ceaea2498b in ruby_exec_node eval.c:326:12
    #18 0x55ceaea247d0 in ruby_run_node eval.c:318:25
    #19 0x55ceae88c486 in main main.c:42:9
    #20 0x7fc874330b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x55ceae7e5289 in _start (miniruby+0x15f289)

0x7fc86f334810 is located 16 bytes to the right of 1048576-byte region [0x7fc86f234800,0x7fc86f334800)
allocated by thread T0 here:
    #0 0x55ceae85d56d in malloc (miniruby+0x1d756d)
    #1 0x55ceaea71d12 in objspace_xmalloc0 gc.c:9416:5
    #2 0x55ceaea71cd2 in ruby_xmalloc2_body gc.c:9623:12
    #3 0x55ceaea7d09c in ruby_xmalloc2 gc.c:11479:12
    #4 0x55ceaf00c3b7 in rb_thread_recycle_stack vm.c:2462:12
    #5 0x55ceaf012256 in th_init vm.c:2656:29
    #6 0x55ceaf00d5eb in ruby_thread_init vm.c:2690:5
    #7 0x55ceaf00d4b1 in rb_thread_alloc vm.c:2703:5
    #8 0x55ceaef0038b in thread_s_new thread.c:872:20
    #9 0x55ceaf04d8c1 in call_cfunc_m1 vm_insnhelper.c:2041:12
    #10 0x55ceaf03118d in vm_call_cfunc_with_frame vm_insnhelper.c:2207:11
    #11 0x55ceaf017985 in vm_call_cfunc vm_insnhelper.c:2225:12
    #12 0x55ceaf01548b in vm_call_method_each_type vm_insnhelper.c:2560:9
    #13 0x55ceaf014c96 in vm_call_method vm_insnhelper.c:2686:13
    #14 0x55ceaefb5de4 in vm_call_general vm_insnhelper.c:2730:12
    #15 0x55ceaf03c868 in vm_sendish vm_insnhelper.c:3623:11
    #16 0x55ceaefc95bb in vm_exec_core insns.def:771:11
    #17 0x55ceaf006700 in rb_vm_exec vm.c:1892:22
    #18 0x55ceaf00acbf in rb_iseq_eval_main vm.c:2151:11
    #19 0x55ceaea250ca in ruby_exec_internal eval.c:262:2
    #20 0x55ceaea2498b in ruby_exec_node eval.c:326:12
    #21 0x55ceaea247d0 in ruby_run_node eval.c:318:25
    #22 0x55ceae88c486 in main main.c:42:9
    #23 0x7fc874330b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow vm_insnhelper.c:217:24 in vm_check_canary
Shadow bytes around the buggy address:
  0x0ff98de5e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff98de5e900: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==82954==ABORTING
shyouhei added a commit that referenced this issue Apr 26, 2019
rb_io_fptr_finalize_internal frees the memory region.

=================================================================
==85264==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000d8c at pc 0x5608e38077f7 bp 0x7ffee12d5440 sp 0x7ffee12d5438
READ of size 4 at 0x610000000d8c thread T0
    #0 0x5608e38077f6 in rb_io_memsize io.c:4749:24
    #1 0x5608e37a0481 in obj_memsize_of gc.c:3547:14
    #2 0x5608e37a4f30 in check_rvalue_consistency gc.c:1107:2
    #3 0x5608e37a2624 in RVALUE_OLD_P gc.c:1218:5
    #4 0x5608e37a5bae in rb_gc_force_recycle gc.c:6652:18
    #5 0x5608e38191f9 in rb_f_backquote io.c:9021:5
    #6 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #7 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #8 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #9 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    #10 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    #11 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    #12 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    #13 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    #14 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    #15 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    #16 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    #17 0x5608e376198b in ruby_exec_node eval.c:326:12
    #18 0x5608e37617d0 in ruby_run_node eval.c:318:25
    #19 0x5608e35c9486 in main main.c:42:9
    #20 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x5608e3522289 in _start (miniruby+0x15f289)

0x610000000d8c is located 76 bytes inside of 192-byte region [0x610000000d40,0x610000000e00)
freed by thread T0 here:
    #0 0x5608e359a2ed in free (miniruby+0x1d72ed)
    #1 0x5608e37af421 in objspace_xfree gc.c:9591:5
    #2 0x5608e37af3da in ruby_sized_xfree gc.c:9687:2
    #3 0x5608e3799ac8 in ruby_xfree gc.c:9694:5
    #4 0x5608e380746d in rb_io_fptr_finalize_internal io.c:4728:5
    #5 0x5608e38191ed in rb_f_backquote io.c:9020:5
    #6 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #7 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #8 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #9 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    #10 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    #11 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    #12 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    #13 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    #14 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    #15 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    #16 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    #17 0x5608e376198b in ruby_exec_node eval.c:326:12
    #18 0x5608e37617d0 in ruby_run_node eval.c:318:25
    #19 0x5608e35c9486 in main main.c:42:9
    #20 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x5608e359a56d in malloc (miniruby+0x1d756d)
    #1 0x5608e37aed12 in objspace_xmalloc0 gc.c:9416:5
    #2 0x5608e37aebe7 in ruby_xmalloc0 gc.c:9600:12
    #3 0x5608e37aea8b in ruby_xmalloc_body gc.c:9609:12
    #4 0x5608e37a6d64 in ruby_xmalloc gc.c:11469:12
    #5 0x5608e380e4b4 in rb_io_fptr_new io.c:8040:19
    #6 0x5608e380e446 in rb_io_make_open_file io.c:8077:10
    #7 0x5608e3850ea0 in pipe_open io.c:6707:5
    #8 0x5608e384edb4 in pipe_open_s io.c:6772:12
    #9 0x5608e381910b in rb_f_backquote io.c:9014:12
    #10 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #11 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #12 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #13 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    #14 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    #15 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    #16 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    #17 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    #18 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    #19 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    #20 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    #21 0x5608e376198b in ruby_exec_node eval.c:326:12
    #22 0x5608e37617d0 in ruby_run_node eval.c:318:25
    #23 0x5608e35c9486 in main main.c:42:9
    #24 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free io.c:4749:24 in rb_io_memsize
Shadow bytes around the buggy address:
  0x0c207fff8160: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff8180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff81a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c207fff81b0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c207fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==85264==ABORTING
shyouhei added a commit that referenced this issue Apr 26, 2019
shyouhei added a commit that referenced this issue Apr 26, 2019
ec->cfp->iseq might not exist at the very beginning of a thread.

=================================================================
==82954==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc86f334810 at pc 0x55ceaf013125 bp 0x7ffe2eddbbf0 sp 0x7ffe2eddbbe8
READ of size 8 at 0x7fc86f334810 thread T0
    #0 0x55ceaf013124 in vm_check_canary vm_insnhelper.c:217:24
    #1 0x55ceaefb4796 in vm_push_frame vm_insnhelper.c:276:5
    #2 0x55ceaf0124bd in th_init vm.c:2661:5
    #3 0x55ceaf00d5eb in ruby_thread_init vm.c:2690:5
    #4 0x55ceaf00d4b1 in rb_thread_alloc vm.c:2703:5
    #5 0x55ceaef0038b in thread_s_new thread.c:872:20
    #6 0x55ceaf04d8c1 in call_cfunc_m1 vm_insnhelper.c:2041:12
    #7 0x55ceaf03118d in vm_call_cfunc_with_frame vm_insnhelper.c:2207:11
    #8 0x55ceaf017985 in vm_call_cfunc vm_insnhelper.c:2225:12
    #9 0x55ceaf01548b in vm_call_method_each_type vm_insnhelper.c:2560:9
    #10 0x55ceaf014c96 in vm_call_method vm_insnhelper.c:2686:13
    #11 0x55ceaefb5de4 in vm_call_general vm_insnhelper.c:2730:12
    #12 0x55ceaf03c868 in vm_sendish vm_insnhelper.c:3623:11
    #13 0x55ceaefc95bb in vm_exec_core insns.def:771:11
    #14 0x55ceaf006700 in rb_vm_exec vm.c:1892:22
    #15 0x55ceaf00acbf in rb_iseq_eval_main vm.c:2151:11
    #16 0x55ceaea250ca in ruby_exec_internal eval.c:262:2
    #17 0x55ceaea2498b in ruby_exec_node eval.c:326:12
    #18 0x55ceaea247d0 in ruby_run_node eval.c:318:25
    #19 0x55ceae88c486 in main main.c:42:9
    #20 0x7fc874330b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x55ceae7e5289 in _start (miniruby+0x15f289)

0x7fc86f334810 is located 16 bytes to the right of 1048576-byte region [0x7fc86f234800,0x7fc86f334800)
allocated by thread T0 here:
    #0 0x55ceae85d56d in malloc (miniruby+0x1d756d)
    #1 0x55ceaea71d12 in objspace_xmalloc0 gc.c:9416:5
    #2 0x55ceaea71cd2 in ruby_xmalloc2_body gc.c:9623:12
    #3 0x55ceaea7d09c in ruby_xmalloc2 gc.c:11479:12
    #4 0x55ceaf00c3b7 in rb_thread_recycle_stack vm.c:2462:12
    #5 0x55ceaf012256 in th_init vm.c:2656:29
    #6 0x55ceaf00d5eb in ruby_thread_init vm.c:2690:5
    #7 0x55ceaf00d4b1 in rb_thread_alloc vm.c:2703:5
    #8 0x55ceaef0038b in thread_s_new thread.c:872:20
    #9 0x55ceaf04d8c1 in call_cfunc_m1 vm_insnhelper.c:2041:12
    #10 0x55ceaf03118d in vm_call_cfunc_with_frame vm_insnhelper.c:2207:11
    #11 0x55ceaf017985 in vm_call_cfunc vm_insnhelper.c:2225:12
    #12 0x55ceaf01548b in vm_call_method_each_type vm_insnhelper.c:2560:9
    #13 0x55ceaf014c96 in vm_call_method vm_insnhelper.c:2686:13
    #14 0x55ceaefb5de4 in vm_call_general vm_insnhelper.c:2730:12
    #15 0x55ceaf03c868 in vm_sendish vm_insnhelper.c:3623:11
    #16 0x55ceaefc95bb in vm_exec_core insns.def:771:11
    #17 0x55ceaf006700 in rb_vm_exec vm.c:1892:22
    #18 0x55ceaf00acbf in rb_iseq_eval_main vm.c:2151:11
    #19 0x55ceaea250ca in ruby_exec_internal eval.c:262:2
    #20 0x55ceaea2498b in ruby_exec_node eval.c:326:12
    #21 0x55ceaea247d0 in ruby_run_node eval.c:318:25
    #22 0x55ceae88c486 in main main.c:42:9
    #23 0x7fc874330b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow vm_insnhelper.c:217:24 in vm_check_canary
Shadow bytes around the buggy address:
  0x0ff98de5e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff98de5e900: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==82954==ABORTING
shyouhei added a commit that referenced this issue Apr 26, 2019
rb_io_fptr_finalize_internal frees the memory region.

=================================================================
==85264==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000d8c at pc 0x5608e38077f7 bp 0x7ffee12d5440 sp 0x7ffee12d5438
READ of size 4 at 0x610000000d8c thread T0
    #0 0x5608e38077f6 in rb_io_memsize io.c:4749:24
    #1 0x5608e37a0481 in obj_memsize_of gc.c:3547:14
    #2 0x5608e37a4f30 in check_rvalue_consistency gc.c:1107:2
    #3 0x5608e37a2624 in RVALUE_OLD_P gc.c:1218:5
    #4 0x5608e37a5bae in rb_gc_force_recycle gc.c:6652:18
    #5 0x5608e38191f9 in rb_f_backquote io.c:9021:5
    #6 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #7 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #8 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #9 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    #10 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    #11 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    #12 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    #13 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    #14 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    #15 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    #16 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    #17 0x5608e376198b in ruby_exec_node eval.c:326:12
    #18 0x5608e37617d0 in ruby_run_node eval.c:318:25
    #19 0x5608e35c9486 in main main.c:42:9
    #20 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x5608e3522289 in _start (miniruby+0x15f289)

0x610000000d8c is located 76 bytes inside of 192-byte region [0x610000000d40,0x610000000e00)
freed by thread T0 here:
    #0 0x5608e359a2ed in free (miniruby+0x1d72ed)
    #1 0x5608e37af421 in objspace_xfree gc.c:9591:5
    #2 0x5608e37af3da in ruby_sized_xfree gc.c:9687:2
    #3 0x5608e3799ac8 in ruby_xfree gc.c:9694:5
    #4 0x5608e380746d in rb_io_fptr_finalize_internal io.c:4728:5
    #5 0x5608e38191ed in rb_f_backquote io.c:9020:5
    #6 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #7 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #8 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #9 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    #10 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    #11 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    #12 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    #13 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    #14 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    #15 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    #16 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    #17 0x5608e376198b in ruby_exec_node eval.c:326:12
    #18 0x5608e37617d0 in ruby_run_node eval.c:318:25
    #19 0x5608e35c9486 in main main.c:42:9
    #20 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x5608e359a56d in malloc (miniruby+0x1d756d)
    #1 0x5608e37aed12 in objspace_xmalloc0 gc.c:9416:5
    #2 0x5608e37aebe7 in ruby_xmalloc0 gc.c:9600:12
    #3 0x5608e37aea8b in ruby_xmalloc_body gc.c:9609:12
    #4 0x5608e37a6d64 in ruby_xmalloc gc.c:11469:12
    #5 0x5608e380e4b4 in rb_io_fptr_new io.c:8040:19
    #6 0x5608e380e446 in rb_io_make_open_file io.c:8077:10
    #7 0x5608e3850ea0 in pipe_open io.c:6707:5
    #8 0x5608e384edb4 in pipe_open_s io.c:6772:12
    #9 0x5608e381910b in rb_f_backquote io.c:9014:12
    #10 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #11 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #12 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #13 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    #14 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    #15 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    #16 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    #17 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    #18 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    #19 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    #20 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    #21 0x5608e376198b in ruby_exec_node eval.c:326:12
    #22 0x5608e37617d0 in ruby_run_node eval.c:318:25
    #23 0x5608e35c9486 in main main.c:42:9
    #24 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free io.c:4749:24 in rb_io_memsize
Shadow bytes around the buggy address:
  0x0c207fff8160: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff8180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff81a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c207fff81b0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c207fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==85264==ABORTING
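The report above shows the shape of the bug rather than just its location: the "freed by" stack ends in rb_io_fptr_finalize_internal called from rb_f_backquote (io.c:9020), and the "READ" stack is the very next statement, rb_gc_force_recycle (io.c:9021), whose consistency check walks obj_memsize_of into rb_io_memsize and dereferences the pointer that was just freed. The parent object keeps a dangling pointer to a substructure its finalizer has released. The following is an added example written for this page, not code from Ruby's io.c or from the commit: the names io_obj, io_fptr, io_memsize, fptr_finalize_dangling and fptr_finalize_safe are hypothetical stand-ins for RFile, rb_io_t, rb_io_memsize and rb_io_fptr_finalize_internal, and the "safe" variant models one general hardening (clear the owner's pointer in the same step that frees the region, and make the memsize accessor tolerate NULL), not necessarily the fix the project applied.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for rb_io_t: the per-IO struct that the parent
 * object owns and that the finalizer frees. */
typedef struct io_fptr {
    int fd;
    char *rbuf;
    size_t rbuf_capa;
} io_fptr;

/* Hypothetical stand-in for struct RFile: the heap object that points at
 * the io_fptr and, in the buggy path, keeps pointing at it after free. */
typedef struct io_obj {
    io_fptr *fptr;
} io_obj;

static io_fptr *fptr_new(int fd, size_t capa)
{
    io_fptr *f = calloc(1, sizeof *f);
    if (!f) abort();
    f->fd = fd;
    f->rbuf = malloc(capa);
    if (!f->rbuf) abort();
    f->rbuf_capa = capa;
    return f;
}

static void fptr_free(io_fptr *f)
{
    free(f->rbuf);
    free(f);
}

/* Models rb_io_memsize: reports the bytes owned by the IO object.  GC-side
 * consistency checks call it, so it must be safe on an object whose fptr
 * has already been finalized. */
size_t io_memsize(const io_obj *obj)
{
    if (!obj->fptr) return 0;            /* tolerate a finalized object */
    return sizeof(io_fptr) + obj->fptr->rbuf_capa;
}

/* Buggy pattern from the report: the region is freed but obj->fptr still
 * points at it, so a following io_memsize(obj) reads freed memory
 * (AddressSanitizer: heap-use-after-free, free and use stacks one line apart). */
void fptr_finalize_dangling(io_obj *obj)
{
    fptr_free(obj->fptr);
}

/* Hardened pattern: the owner's pointer is cleared in the same step that
 * frees the region, so any later reader sees NULL instead of a stale
 * pointer, and a second finalize is a harmless no-op. */
void fptr_finalize_safe(io_obj *obj)
{
    io_fptr *f = obj->fptr;
    obj->fptr = NULL;
    if (f) fptr_free(f);
}

/* Memsize of a live object, then finalize it safely (no leak). */
size_t demo_memsize_live(size_t capa)
{
    io_obj obj = { fptr_new(3, capa) };
    size_t s = io_memsize(&obj);
    fptr_finalize_safe(&obj);
    return s;
}

/* Memsize observed after a safe finalize (and a redundant second one). */
size_t demo_safe_finalize(size_t capa)
{
    io_obj obj = { fptr_new(3, capa) };
    fptr_finalize_safe(&obj);
    fptr_finalize_safe(&obj);            /* idempotent */
    return io_memsize(&obj);
}

int main(int argc, char **argv)
{
    io_obj obj = { fptr_new(3, 8192) };
    printf("memsize before finalize: %zu\n", io_memsize(&obj));
    if (argc > 1 && strcmp(argv[1], "uaf") == 0) {
        /* Build with -fsanitize=address -g and run with "uaf" to get a
         * heap-use-after-free report with the same free/use stack pairing. */
        fptr_finalize_dangling(&obj);
    } else {
        fptr_finalize_safe(&obj);
    }
    printf("memsize after finalize:  %zu\n", io_memsize(&obj));
    return 0;
}
```

Compiled normally, the "uaf" path usually prints a stale capacity and exits cleanly, which is exactly why the bug only surfaced under ASan; the sanitizer turns the silent read of freed memory into the abort shown above.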
shyouhei added a commit that referenced this issue Apr 26, 2019
ec->cfp->iseq might not exist at the very beginning of a thread.

=================================================================
==82954==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc86f334810 at pc 0x55ceaf013125 bp 0x7ffe2eddbbf0 sp 0x7ffe2eddbbe8
READ of size 8 at 0x7fc86f334810 thread T0
    #0 0x55ceaf013124 in vm_check_canary vm_insnhelper.c:217:24
    #1 0x55ceaefb4796 in vm_push_frame vm_insnhelper.c:276:5
    #2 0x55ceaf0124bd in th_init vm.c:2661:5
    #3 0x55ceaf00d5eb in ruby_thread_init vm.c:2690:5
    #4 0x55ceaf00d4b1 in rb_thread_alloc vm.c:2703:5
    #5 0x55ceaef0038b in thread_s_new thread.c:872:20
    #6 0x55ceaf04d8c1 in call_cfunc_m1 vm_insnhelper.c:2041:12
    #7 0x55ceaf03118d in vm_call_cfunc_with_frame vm_insnhelper.c:2207:11
    #8 0x55ceaf017985 in vm_call_cfunc vm_insnhelper.c:2225:12
    #9 0x55ceaf01548b in vm_call_method_each_type vm_insnhelper.c:2560:9
    #10 0x55ceaf014c96 in vm_call_method vm_insnhelper.c:2686:13
    #11 0x55ceaefb5de4 in vm_call_general vm_insnhelper.c:2730:12
    #12 0x55ceaf03c868 in vm_sendish vm_insnhelper.c:3623:11
    #13 0x55ceaefc95bb in vm_exec_core insns.def:771:11
    ruby#14 0x55ceaf006700 in rb_vm_exec vm.c:1892:22
    ruby#15 0x55ceaf00acbf in rb_iseq_eval_main vm.c:2151:11
    ruby#16 0x55ceaea250ca in ruby_exec_internal eval.c:262:2
    ruby#17 0x55ceaea2498b in ruby_exec_node eval.c:326:12
    ruby#18 0x55ceaea247d0 in ruby_run_node eval.c:318:25
    ruby#19 0x55ceae88c486 in main main.c:42:9
    #20 0x7fc874330b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    ruby#21 0x55ceae7e5289 in _start (miniruby+0x15f289)

0x7fc86f334810 is located 16 bytes to the right of 1048576-byte region [0x7fc86f234800,0x7fc86f334800)
allocated by thread T0 here:
    #0 0x55ceae85d56d in malloc (miniruby+0x1d756d)
    #1 0x55ceaea71d12 in objspace_xmalloc0 gc.c:9416:5
    #2 0x55ceaea71cd2 in ruby_xmalloc2_body gc.c:9623:12
    #3 0x55ceaea7d09c in ruby_xmalloc2 gc.c:11479:12
    #4 0x55ceaf00c3b7 in rb_thread_recycle_stack vm.c:2462:12
    #5 0x55ceaf012256 in th_init vm.c:2656:29
    #6 0x55ceaf00d5eb in ruby_thread_init vm.c:2690:5
    #7 0x55ceaf00d4b1 in rb_thread_alloc vm.c:2703:5
    #8 0x55ceaef0038b in thread_s_new thread.c:872:20
    #9 0x55ceaf04d8c1 in call_cfunc_m1 vm_insnhelper.c:2041:12
    #10 0x55ceaf03118d in vm_call_cfunc_with_frame vm_insnhelper.c:2207:11
    #11 0x55ceaf017985 in vm_call_cfunc vm_insnhelper.c:2225:12
    #12 0x55ceaf01548b in vm_call_method_each_type vm_insnhelper.c:2560:9
    #13 0x55ceaf014c96 in vm_call_method vm_insnhelper.c:2686:13
    ruby#14 0x55ceaefb5de4 in vm_call_general vm_insnhelper.c:2730:12
    ruby#15 0x55ceaf03c868 in vm_sendish vm_insnhelper.c:3623:11
    ruby#16 0x55ceaefc95bb in vm_exec_core insns.def:771:11
    ruby#17 0x55ceaf006700 in rb_vm_exec vm.c:1892:22
    ruby#18 0x55ceaf00acbf in rb_iseq_eval_main vm.c:2151:11
    ruby#19 0x55ceaea250ca in ruby_exec_internal eval.c:262:2
    #20 0x55ceaea2498b in ruby_exec_node eval.c:326:12
    ruby#21 0x55ceaea247d0 in ruby_run_node eval.c:318:25
    ruby#22 0x55ceae88c486 in main main.c:42:9
    ruby#23 0x7fc874330b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow vm_insnhelper.c:217:24 in vm_check_canary
Shadow bytes around the buggy address:
  0x0ff98de5e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff98de5e900: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==82954==ABORTING
shyouhei added a commit that referenced this issue Apr 26, 2019
rb_io_fptr_finalize_internal frees the memory region.

=================================================================
==85264==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000d8c at pc 0x5608e38077f7 bp 0x7ffee12d5440 sp 0x7ffee12d5438
READ of size 4 at 0x610000000d8c thread T0
    #0 0x5608e38077f6 in rb_io_memsize io.c:4749:24
    #1 0x5608e37a0481 in obj_memsize_of gc.c:3547:14
    #2 0x5608e37a4f30 in check_rvalue_consistency gc.c:1107:2
    #3 0x5608e37a2624 in RVALUE_OLD_P gc.c:1218:5
    #4 0x5608e37a5bae in rb_gc_force_recycle gc.c:6652:18
    #5 0x5608e38191f9 in rb_f_backquote io.c:9021:5
    #6 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #7 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #8 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #9 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    #10 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    #11 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    #12 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    #13 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    ruby#14 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    ruby#15 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    ruby#16 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    ruby#17 0x5608e376198b in ruby_exec_node eval.c:326:12
    ruby#18 0x5608e37617d0 in ruby_run_node eval.c:318:25
    ruby#19 0x5608e35c9486 in main main.c:42:9
    #20 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    ruby#21 0x5608e3522289 in _start (miniruby+0x15f289)

0x610000000d8c is located 76 bytes inside of 192-byte region [0x610000000d40,0x610000000e00)
freed by thread T0 here:
    #0 0x5608e359a2ed in free (miniruby+0x1d72ed)
    #1 0x5608e37af421 in objspace_xfree gc.c:9591:5
    #2 0x5608e37af3da in ruby_sized_xfree gc.c:9687:2
    #3 0x5608e3799ac8 in ruby_xfree gc.c:9694:5
    #4 0x5608e380746d in rb_io_fptr_finalize_internal io.c:4728:5
    #5 0x5608e38191ed in rb_f_backquote io.c:9020:5
    #6 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #7 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #8 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #9 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    #10 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    #11 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    #12 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    #13 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    ruby#14 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    ruby#15 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    ruby#16 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    ruby#17 0x5608e376198b in ruby_exec_node eval.c:326:12
    ruby#18 0x5608e37617d0 in ruby_run_node eval.c:318:25
    ruby#19 0x5608e35c9486 in main main.c:42:9
    #20 0x7f62e9421b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x5608e359a56d in malloc (miniruby+0x1d756d)
    #1 0x5608e37aed12 in objspace_xmalloc0 gc.c:9416:5
    #2 0x5608e37aebe7 in ruby_xmalloc0 gc.c:9600:12
    #3 0x5608e37aea8b in ruby_xmalloc_body gc.c:9609:12
    #4 0x5608e37a6d64 in ruby_xmalloc gc.c:11469:12
    #5 0x5608e380e4b4 in rb_io_fptr_new io.c:8040:19
    #6 0x5608e380e446 in rb_io_make_open_file io.c:8077:10
    #7 0x5608e3850ea0 in pipe_open io.c:6707:5
    #8 0x5608e384edb4 in pipe_open_s io.c:6772:12
    #9 0x5608e381910b in rb_f_backquote io.c:9014:12
    #10 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #11 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #12 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #13 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    ruby#14 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    ruby#15 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    ruby#16 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    ruby#17 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    ruby#18 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    ruby#19 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    #20 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    ruby#21 0x5608e376198b in ruby_exec_node eval.c:326:12
    ruby#22 0x5608e37617d0 in ruby_run_node eval.c:318:25
    ruby#23 0x5608e35c9486 in main main.c:42:9
    ruby#24 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free io.c:4749:24 in
rb_io_memsize
Shadow bytes around the buggy address:
  0x0c207fff8160: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff8180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff81a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c207fff81b0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c207fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==85264==ABORTING
shyouhei added a commit that referenced this issue Apr 26, 2019
ec->cfp->iseq might not exist at the very beginning of a thread.

=================================================================
==82954==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc86f334810 at pc 0x55ceaf013125 bp 0x7ffe2eddbbf0 sp 0x7ffe2eddbbe8
READ of size 8 at 0x7fc86f334810 thread T0
    #0 0x55ceaf013124 in vm_check_canary vm_insnhelper.c:217:24
    #1 0x55ceaefb4796 in vm_push_frame vm_insnhelper.c:276:5
    #2 0x55ceaf0124bd in th_init vm.c:2661:5
    #3 0x55ceaf00d5eb in ruby_thread_init vm.c:2690:5
    #4 0x55ceaf00d4b1 in rb_thread_alloc vm.c:2703:5
    #5 0x55ceaef0038b in thread_s_new thread.c:872:20
    #6 0x55ceaf04d8c1 in call_cfunc_m1 vm_insnhelper.c:2041:12
    #7 0x55ceaf03118d in vm_call_cfunc_with_frame vm_insnhelper.c:2207:11
    #8 0x55ceaf017985 in vm_call_cfunc vm_insnhelper.c:2225:12
    #9 0x55ceaf01548b in vm_call_method_each_type vm_insnhelper.c:2560:9
    #10 0x55ceaf014c96 in vm_call_method vm_insnhelper.c:2686:13
    #11 0x55ceaefb5de4 in vm_call_general vm_insnhelper.c:2730:12
    #12 0x55ceaf03c868 in vm_sendish vm_insnhelper.c:3623:11
    #13 0x55ceaefc95bb in vm_exec_core insns.def:771:11
    ruby#14 0x55ceaf006700 in rb_vm_exec vm.c:1892:22
    ruby#15 0x55ceaf00acbf in rb_iseq_eval_main vm.c:2151:11
    ruby#16 0x55ceaea250ca in ruby_exec_internal eval.c:262:2
    ruby#17 0x55ceaea2498b in ruby_exec_node eval.c:326:12
    ruby#18 0x55ceaea247d0 in ruby_run_node eval.c:318:25
    ruby#19 0x55ceae88c486 in main main.c:42:9
    #20 0x7fc874330b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    ruby#21 0x55ceae7e5289 in _start (miniruby+0x15f289)

0x7fc86f334810 is located 16 bytes to the right of 1048576-byte region [0x7fc86f234800,0x7fc86f334800)
allocated by thread T0 here:
    #0 0x55ceae85d56d in malloc (miniruby+0x1d756d)
    #1 0x55ceaea71d12 in objspace_xmalloc0 gc.c:9416:5
    #2 0x55ceaea71cd2 in ruby_xmalloc2_body gc.c:9623:12
    #3 0x55ceaea7d09c in ruby_xmalloc2 gc.c:11479:12
    #4 0x55ceaf00c3b7 in rb_thread_recycle_stack vm.c:2462:12
    #5 0x55ceaf012256 in th_init vm.c:2656:29
    #6 0x55ceaf00d5eb in ruby_thread_init vm.c:2690:5
    #7 0x55ceaf00d4b1 in rb_thread_alloc vm.c:2703:5
    #8 0x55ceaef0038b in thread_s_new thread.c:872:20
    #9 0x55ceaf04d8c1 in call_cfunc_m1 vm_insnhelper.c:2041:12
    #10 0x55ceaf03118d in vm_call_cfunc_with_frame vm_insnhelper.c:2207:11
    #11 0x55ceaf017985 in vm_call_cfunc vm_insnhelper.c:2225:12
    #12 0x55ceaf01548b in vm_call_method_each_type vm_insnhelper.c:2560:9
    #13 0x55ceaf014c96 in vm_call_method vm_insnhelper.c:2686:13
    ruby#14 0x55ceaefb5de4 in vm_call_general vm_insnhelper.c:2730:12
    ruby#15 0x55ceaf03c868 in vm_sendish vm_insnhelper.c:3623:11
    ruby#16 0x55ceaefc95bb in vm_exec_core insns.def:771:11
    ruby#17 0x55ceaf006700 in rb_vm_exec vm.c:1892:22
    ruby#18 0x55ceaf00acbf in rb_iseq_eval_main vm.c:2151:11
    ruby#19 0x55ceaea250ca in ruby_exec_internal eval.c:262:2
    #20 0x55ceaea2498b in ruby_exec_node eval.c:326:12
    ruby#21 0x55ceaea247d0 in ruby_run_node eval.c:318:25
    ruby#22 0x55ceae88c486 in main main.c:42:9
    ruby#23 0x7fc874330b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow vm_insnhelper.c:217:24 in vm_check_canary
Shadow bytes around the buggy address:
  0x0ff98de5e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff98de5e8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff98de5e900: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff98de5e950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==82954==ABORTING
shyouhei added a commit that referenced this issue Apr 26, 2019
rb_io_fptr_finalize_internal frees the memory region.

=================================================================
==85264==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000d8c at pc 0x5608e38077f7 bp 0x7ffee12d5440 sp 0x7ffee12d5438
READ of size 4 at 0x610000000d8c thread T0
    #0 0x5608e38077f6 in rb_io_memsize io.c:4749:24
    #1 0x5608e37a0481 in obj_memsize_of gc.c:3547:14
    #2 0x5608e37a4f30 in check_rvalue_consistency gc.c:1107:2
    #3 0x5608e37a2624 in RVALUE_OLD_P gc.c:1218:5
    #4 0x5608e37a5bae in rb_gc_force_recycle gc.c:6652:18
    #5 0x5608e38191f9 in rb_f_backquote io.c:9021:5
    #6 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #7 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #8 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #9 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    #10 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    #11 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    #12 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    #13 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    ruby#14 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    ruby#15 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    ruby#16 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    ruby#17 0x5608e376198b in ruby_exec_node eval.c:326:12
    ruby#18 0x5608e37617d0 in ruby_run_node eval.c:318:25
    ruby#19 0x5608e35c9486 in main main.c:42:9
    #20 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    ruby#21 0x5608e3522289 in _start (miniruby+0x15f289)

0x610000000d8c is located 76 bytes inside of 192-byte region [0x610000000d40,0x610000000e00)
freed by thread T0 here:
    #0 0x5608e359a2ed in free (miniruby+0x1d72ed)
    #1 0x5608e37af421 in objspace_xfree gc.c:9591:5
    #2 0x5608e37af3da in ruby_sized_xfree gc.c:9687:2
    #3 0x5608e3799ac8 in ruby_xfree gc.c:9694:5
    #4 0x5608e380746d in rb_io_fptr_finalize_internal io.c:4728:5
    #5 0x5608e38191ed in rb_f_backquote io.c:9020:5
    #6 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #7 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #8 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #9 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    #10 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    #11 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    #12 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    #13 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    ruby#14 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    ruby#15 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    ruby#16 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    ruby#17 0x5608e376198b in ruby_exec_node eval.c:326:12
    ruby#18 0x5608e37617d0 in ruby_run_node eval.c:318:25
    ruby#19 0x5608e35c9486 in main main.c:42:9
    #20 0x7f62e9421b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x5608e359a56d in malloc (miniruby+0x1d756d)
    #1 0x5608e37aed12 in objspace_xmalloc0 gc.c:9416:5
    #2 0x5608e37aebe7 in ruby_xmalloc0 gc.c:9600:12
    #3 0x5608e37aea8b in ruby_xmalloc_body gc.c:9609:12
    #4 0x5608e37a6d64 in ruby_xmalloc gc.c:11469:12
    #5 0x5608e380e4b4 in rb_io_fptr_new io.c:8040:19
    #6 0x5608e380e446 in rb_io_make_open_file io.c:8077:10
    #7 0x5608e3850ea0 in pipe_open io.c:6707:5
    #8 0x5608e384edb4 in pipe_open_s io.c:6772:12
    #9 0x5608e381910b in rb_f_backquote io.c:9014:12
    #10 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
    #11 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
    #12 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
    #13 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
    #14 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
    #15 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
    #16 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
    #17 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
    #18 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
    #19 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
    #20 0x5608e37620ca in ruby_exec_internal eval.c:262:2
    #21 0x5608e376198b in ruby_exec_node eval.c:326:12
    #22 0x5608e37617d0 in ruby_run_node eval.c:318:25
    #23 0x5608e35c9486 in main main.c:42:9
    #24 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free io.c:4749:24 in rb_io_memsize
Shadow bytes around the buggy address:
  0x0c207fff8160: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff8180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff81a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c207fff81b0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c207fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==85264==ABORTING
shyouhei added a commit that referenced this issue Dec 16, 2019
This changeset makes no difference unless GC_DEBUG is on.  When that flag is
set, struct RVALUE is bigger than struct RObject.  We have to take care of the
additional fields.  Otherwise we get a SIGSEGV like shown below.

The way obj is initialized in this patch works whether GC_DEBUG is on or off.
See also ISO/IEC 9899:1999 section 6.7.8 paragraph 21.

```
Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:62
62      ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:62
#1  0x00005555557dd9a7 in BSD_vfprintf (fp=0x7fffffff6be0, fmt0=0x5555558f3059 "@%s:%d", ap=0x7fffffff6dd0) at vsnprintf.c:1027
#2  0x00005555557db6f5 in ruby_do_vsnprintf (str=0x555555bfc58d <obj_info_buffers+1325> "", n=211, fmt=0x5555558f3059 "@%s:%d", ap=0x7fffffff6dd0) at sprintf.c:1022
#3  0x00005555557db909 in ruby_snprintf (str=0x555555bfc58d <obj_info_buffers+1325> "", n=211, fmt=0x5555558f3059 "@%s:%d") at sprintf.c:1040
#4  0x0000555555661ef4 in rb_raw_obj_info (buff=0x555555bfc560 <obj_info_buffers+1280> "0x0000555555d2bfa0 [0     ] T_STRING (String)", buff_size=256, obj=93825000456096) at gc.c:11449
#5  0x000055555565baaf in obj_info (obj=93825000456096) at gc.c:11612
#6  0x000055555565bae1 in rgengc_remembered (objspace=0x555555c0a1c0, obj=93825000456096) at gc.c:6618
#7  0x0000555555666987 in newobj_init (klass=93824999964192, flags=5, v1=0, v2=0, v3=0, wb_protected=1, objspace=0x555555c0a1c0, obj=93825000456096) at gc.c:2134
#8  0x0000555555666e49 in newobj_slowpath (klass=93824999964192, flags=5, v1=0, v2=0, v3=0, objspace=0x555555c0a1c0, wb_protected=1) at gc.c:2209
#9  0x0000555555666b94 in newobj_slowpath_wb_protected (klass=93824999964192, flags=5, v1=0, v2=0, v3=0, objspace=0x555555c0a1c0) at gc.c:2220
#10 0x000055555565751b in newobj_of (klass=93824999964192, flags=5, v1=0, v2=0, v3=0, wb_protected=1) at gc.c:2256
#11 0x00005555556575ca in rb_wb_protected_newobj_of (klass=93824999964192, flags=5) at gc.c:2272
#12 0x00005555557f36ea in str_alloc (klass=93824999964192) at string.c:728
#13 0x00005555557f2128 in rb_str_buf_new (capa=0) at string.c:1317
#14 0x000055555578c66d in rb_reg_preprocess (p=0x555555cc8148 "^-(.)(.+)?", end=0x555555cc8152 "", enc=0x555555cc7c80, fixed_enc=0x7fffffff74e8, err=0x7fffffff75f0 "") at re.c:2682
#15 0x000055555578ea13 in rb_reg_initialize (obj=93825000046736, s=0x555555cc8148 "^-(.)(.+)?", len=10, enc=0x555555cc7c80, options=0, err=0x7fffffff75f0 "", sourcefile=0x555555d1a5c0 "lib/optparse.rb", sourceline=1460) at re.c:2808
#16 0x000055555578e285 in rb_reg_initialize_str (obj=93825000046736, str=93825000046904, options=0, err=0x7fffffff75f0 "", sourcefile=0x555555d1a5c0 "lib/optparse.rb", sourceline=1460) at re.c:2869
#17 0x000055555578ee02 in rb_reg_compile (str=93825000046904, options=0, sourcefile=0x555555d1a5c0 "lib/optparse.rb", sourceline=1460) at re.c:2958
#18 0x0000555555748dfb in rb_parser_reg_compile (p=0x555555d1f760, str=93825000046904, options=0) at parse.y:12157
#19 0x00005555557581c3 in parser_reg_compile (p=0x555555d1f760, str=93825000046904, options=0) at parse.y:12151
#20 0x00005555557580ac in reg_compile (p=0x555555d1f760, str=93825000046904, options=0) at parse.y:12167
#21 0x0000555555746ebb in new_regexp (p=0x555555d1f760, node=0x555555dece68, options=0, loc=0x7fffffff89e8) at parse.y:10072
#22 0x000055555573d1f5 in ruby_yyparse (p=0x555555d1f760) at parse.y:4395
#23 0x000055555574a582 in yycompile0 (arg=93825000404832) at parse.y:5945
#24 0x00005555558c6898 in rb_suppress_tracing (func=0x55555574a470 <yycompile0>, arg=93825000404832) at vm_trace.c:427
#25 0x0000555555748290 in yycompile (vparser=93824999283456, p=0x555555d1f760, fname=93824999283624, line=1) at parse.y:5994
#26 0x00005555557481ae in rb_parser_compile_file_path (vparser=93824999283456, fname=93824999283624, file=93824999283400, start=1) at parse.y:6098
#27 0x00005555557cdd35 in load_file_internal (argp_v=140737488331760) at ruby.c:2023
#28 0x00005555556438c5 in rb_ensure (b_proc=0x5555557cd610 <load_file_internal>, data1=140737488331760, e_proc=0x5555557cddd0 <restore_load_file>, data2=140737488331760) at eval.c:1128
#29 0x00005555557cb68b in load_file (parser=93824999283456, fname=93824999283624, f=93824999283400, script=0, opt=0x7fffffffa468) at ruby.c:2142
#30 0x00005555557cb339 in rb_parser_load_file (parser=93824999283456, fname_v=93824999283624) at ruby.c:2164
#31 0x00005555556ba3e1 in load_iseq_eval (ec=0x555555c0a650, fname=93824999283624) at load.c:579
#32 0x00005555556b857a in require_internal (ec=0x555555c0a650, fname=93824999284352, exception=1) at load.c:1016
#33 0x00005555556b7967 in rb_require_string (fname=93824999284464) at load.c:1105
#34 0x00005555556b7939 in rb_f_require (obj=93824999994824, fname=93824999284464) at load.c:811
#35 0x00005555558b7ae0 in call_cfunc_1 (recv=93824999994824, argc=1, argv=0x7ffff7ecd0a8, func=0x5555556b7920 <rb_f_require>) at vm_insnhelper.c:2348
#36 0x00005555558a8889 in vm_call_cfunc_with_frame (ec=0x555555c0a650, reg_cfp=0x7ffff7fccfa0, calling=0x7fffffffaab0, cd=0x555555d76a10, empty_kw_splat=0) at vm_insnhelper.c:2513
#37 0x000055555589fb5c in vm_call_cfunc (ec=0x555555c0a650, reg_cfp=0x7ffff7fccfa0, calling=0x7fffffffaab0, cd=0x555555d76a10) at vm_insnhelper.c:2538
#38 0x000055555589f22e in vm_call_method_each_type (ec=0x555555c0a650, cfp=0x7ffff7fccfa0, calling=0x7fffffffaab0, cd=0x555555d76a10) at vm_insnhelper.c:2924
#39 0x000055555589ef47 in vm_call_method (ec=0x555555c0a650, cfp=0x7ffff7fccfa0, calling=0x7fffffffaab0, cd=0x555555d76a10) at vm_insnhelper.c:3038
#40 0x0000555555866dbd in vm_call_general (ec=0x555555c0a650, reg_cfp=0x7ffff7fccfa0, calling=0x7fffffffaab0, cd=0x555555d76a10) at vm_insnhelper.c:3075
#41 0x00005555558ae557 in vm_sendish (ec=0x555555c0a650, reg_cfp=0x7ffff7fccfa0, cd=0x555555d76a10, block_handler=0, method_explorer=0x5555558ae5d0 <vm_search_method_wrap>) at vm_insnhelper.c:4021
#42 0x000055555587745b in vm_exec_core (ec=0x555555c0a650, initial=0) at insns.def:801
#43 0x0000555555899b9c in rb_vm_exec (ec=0x555555c0a650, mjit_enable_p=1) at vm.c:1907
#44 0x000055555589aaf0 in rb_iseq_eval_main (iseq=0x555555c1da80) at vm.c:2166
#45 0x0000555555641f0b in rb_ec_exec_node (ec=0x555555c0a650, n=0x555555c1da80) at eval.c:277
#46 0x0000555555641d62 in ruby_run_node (n=0x555555c1da80) at eval.c:335
#47 0x000055555557a188 in main (argc=11, argv=0x7fffffffc848) at main.c:50
(gdb) fr 7
#7  0x0000555555666987 in newobj_init (klass=93824999964192, flags=5, v1=0, v2=0, v3=0, wb_protected=1, objspace=0x555555c0a1c0, obj=93825000456096) at gc.c:2134
2134        if (rgengc_remembered(objspace, (VALUE)obj)) rb_bug("newobj: %s is remembered.", obj_info(obj));
(gdb) p ((struct RVALUE*)obj)->file
$1 = 0x65a5992b0fb25ce7 <error: Cannot access memory at address 0x65a5992b0fb25ce7>
(gdb)
```
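What the commit relies on is a C rule rather than anything Ruby-specific: C99 6.7.8 paragraph 21 says that when a brace initializer supplies fewer initializers than the struct has members, the remaining members are initialized as if they had static storage duration, i.e. to zero. The example below is added here to show the difference; it is not code from the commit or from ruby. The structs are hypothetical cut-down stand-ins (a debug-only `file`/`line` pair appended to the slot, the way the message describes RVALUE growing past RObject), and the slot is deliberately filled with stale bytes first so that the difference between the two initialization styles is observable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, cut-down stand-ins for the object layout (not ruby's real
 * definitions). The "debug" build appends bookkeeping fields to every slot. */
struct basic   { uintptr_t flags; uintptr_t klass; };
struct robject { struct basic basic; uintptr_t ivptr; uintptr_t iv_index_tbl; };

#define GC_DEBUG 1
struct rvalue {
    struct robject as;
#if GC_DEBUG
    const char *file;   /* allocation site, only present in debug builds */
    int line;
#endif
};

/* Buggy pattern: the slot is filled by copying only the non-debug part, so
 * whatever the slot held before survives in ->file / ->line. */
void fill_slot_partial(struct rvalue *slot, uintptr_t flags, uintptr_t klass)
{
    struct robject tmp;
    tmp.basic.flags = flags;
    tmp.basic.klass = klass;
    tmp.ivptr = 0;
    tmp.iv_index_tbl = 0;
    memcpy(slot, &tmp, sizeof tmp);   /* sizeof(struct robject) < sizeof(struct rvalue) */
}

/* Fixed pattern: a brace initializer names only the fields we care about.
 * C99 6.7.8 p21 zero-initializes every member the initializer omits, so this
 * is correct whether or not the debug fields exist. */
void fill_slot_full(struct rvalue *slot, uintptr_t flags, uintptr_t klass)
{
    struct rvalue tmp = { .as = { .basic = { .flags = flags, .klass = klass } } };
    *slot = tmp;
}

/* Poison a slot with stale bytes (a previous object), refill it one of the
 * two ways, and report whether the debug fields came out clean (1) or not (0). */
int slot_debug_fields_clean(int use_full_initializer)
{
    struct rvalue slot;
    memset(&slot, 0xA5, sizeof slot);
    if (use_full_initializer)
        fill_slot_full(&slot, 0x5, 0x1000);
    else
        fill_slot_partial(&slot, 0x5, 0x1000);
#if GC_DEBUG
    return slot.file == NULL && slot.line == 0;
#else
    return 1;
#endif
}

int main(void)
{
    printf("partial initializer leaves debug fields clean: %d\n", slot_debug_fields_clean(0));
    printf("full initializer leaves debug fields clean:    %d\n", slot_debug_fields_clean(1));
    return 0;
}
```

With the partial fill the stale `file` pointer is still in the slot. In the backtrace above that pointer was then handed to `%s` by `rb_raw_obj_info`, which is why the symptom was a crash in `strlen` rather than a quietly wrong value.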
shyouhei pushed a commit that referenced this issue Jun 11, 2020
This reverts commit 02b216e.
This reverts commit 9b8825b.

I found that combining sweep and move is not safe.  I don't think that
we can do compaction concurrently with _anything_ unless there is a read
barrier installed.

Here is a simple example.  A class object is freed, and during its free
step, it tries to remove itself from its parent's subclass list.
However, during the sweep step, the parent class was moved and the
"currently being freed" class didn't have references updated yet.  So we
get a segv like this:

```
(lldb) bt
* thread #1, name = 'ruby', stop reason = signal SIGSEGV
  * frame #0: 0x0000560763e344cb ruby`rb_st_lookup at st.c:320:43
    frame #1: 0x0000560763e344cb ruby`rb_st_lookup(tab=0x2f7469672f6e6f72, key=3809, value=0x0000560765bf2270) at st.c:1010
    frame #2: 0x0000560763e8f16a ruby`rb_search_class_path at variable.c:99:9
    frame #3: 0x0000560763e8f141 ruby`rb_search_class_path at variable.c:145
    frame #4: 0x0000560763e8f141 ruby`rb_search_class_path(klass=94589785585880) at variable.c:191
    frame #5: 0x0000560763ec744e ruby`rb_vm_bugreport at vm_dump.c:996:17
    frame #6: 0x0000560763f5b958 ruby`rb_bug_for_fatal_signal at error.c:675:5
    frame #7: 0x0000560763e27dad ruby`sigsegv(sig=<unavailable>, info=<unavailable>, ctx=<unavailable>) at signal.c:955:5
    frame #8: 0x00007f8b891d33c0 libpthread.so.0`___lldb_unnamed_symbol1$$libpthread.so.0 + 1
    frame #9: 0x0000560763efa8bb ruby`rb_class_remove_from_super_subclasses(klass=94589790314280) at class.c:93:56
    frame #10: 0x0000560763d10cb7 ruby`gc_sweep_step at gc.c:2674:2
    frame #11: 0x0000560763d1187b ruby`gc_sweep at gc.c:4540:2
    frame #12: 0x0000560763d101f0 ruby`gc_start at gc.c:6797:6
    frame #13: 0x0000560763d15153 ruby`rb_gc_compact at gc.c:7479:12
    frame #14: 0x0000560763eb4eb8 ruby`vm_exec_core at vm_insnhelper.c:5183:13
    frame #15: 0x0000560763ea9bae ruby`rb_vm_exec at vm.c:1953:22
    frame #16: 0x0000560763eac08d ruby`rb_yield at vm.c:1132:9
    frame #17: 0x0000560763edb4f2 ruby`rb_ary_collect at array.c:3186:9
    frame #18: 0x0000560763e9ee15 ruby`vm_call_cfunc_with_frame at vm_insnhelper.c:2575:12
    frame #19: 0x0000560763eb2e66 ruby`vm_exec_core at vm_insnhelper.c:4177:11
    frame #20: 0x0000560763ea9bae ruby`rb_vm_exec at vm.c:1953:22
    frame #21: 0x0000560763eac08d ruby`rb_yield at vm.c:1132:9
    frame #22: 0x0000560763edb4f2 ruby`rb_ary_collect at array.c:3186:9
    frame #23: 0x0000560763e9ee15 ruby`vm_call_cfunc_with_frame at vm_insnhelper.c:2575:12
    frame #24: 0x0000560763eb2e66 ruby`vm_exec_core at vm_insnhelper.c:4177:11
    frame #25: 0x0000560763ea9bae ruby`rb_vm_exec at vm.c:1953:22
    frame #26: 0x0000560763ceee01 ruby`rb_ec_exec_node(ec=0x0000560765afa530, n=0x0000560765b088e0) at eval.c:296:2
    frame #27: 0x0000560763cf3b7b ruby`ruby_run_node(n=0x0000560765b088e0) at eval.c:354:12
    frame #28: 0x0000560763cee4a3 ruby`main(argc=<unavailable>, argv=<unavailable>) at main.c:50:9
    frame #29: 0x00007f8b88e560b3 libc.so.6`__libc_start_main + 243
    frame #30: 0x0000560763cee4ee ruby`_start + 46
(lldb) f 9
frame #9: 0x0000560763efa8bb ruby`rb_class_remove_from_super_subclasses(klass=94589790314280) at class.c:93:56
   90
   91  		*RCLASS_EXT(klass)->parent_subclasses = entry->next;
   92  		if (entry->next) {
-> 93  		    RCLASS_EXT(entry->next->klass)->parent_subclasses = RCLASS_EXT(klass)->parent_subclasses;
   94  		}
   95  		xfree(entry);
   96  	    }
(lldb) command script import -r misc/lldb_cruby.py
lldb scripts for ruby has been installed.
(lldb) rp entry->next->klass
(struct RMoved) $1 = (flags = 30, destination = 94589792806680, next = 94589784369160)
(lldb)
```
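The `rp entry->next->klass` output above shows the failure concretely: the pointer stored in the subclass list still refers to the old slot, which the compactor has already overwritten with an RMoved record. The following is an added example, not ruby's code, that models this with hypothetical cut-down types: a forwarding record left at the old address, an unlink routine shaped like the one in class.c, and a `resolve` step standing in for the read barrier the message says is required. Without it the unlink is about to treat the forwarding record as a class; with it the surviving class's back-pointer is updated correctly.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, cut-down model of the structures in the trace above; none of
 * these are ruby's real definitions. */
enum obj_type { T_CLASS, T_MOVED };

struct object;

struct subclass_entry {
    struct object *klass;          /* the subclass this link stands for */
    struct subclass_entry *next;
};

struct class_ext {
    /* address of the pointer (list head or a previous ->next) that points at
     * this class's own entry in its parent's subclass list */
    struct subclass_entry **parent_subclasses;
};

struct object {
    enum obj_type type;
    struct object *destination;    /* T_MOVED: where the object now lives */
    struct class_ext ext;          /* T_CLASS: class-specific data */
};

/* Read barrier: follow forwarding records until a live object is reached. */
static struct object *resolve(struct object *o)
{
    while (o->type == T_MOVED)
        o = o->destination;
    return o;
}

/* Simulate the compactor moving `from` to `to`. The old slot becomes a
 * forwarding record; references held elsewhere (the subclass list) are NOT
 * updated yet, which is exactly the window the message describes. */
static void compact_move(struct object *from, struct object *to)
{
    *to = *from;
    from->type = T_MOVED;
    from->destination = to;
}

/* Same shape as the unlink in class.c. Returns 0 on success, -1 if a
 * forwarding record was about to be used as a class. */
static int remove_from_super_subclasses(struct object *klass,
                                        struct subclass_entry *entry,
                                        int use_barrier)
{
    struct class_ext *self = &klass->ext;
    *self->parent_subclasses = entry->next;
    if (entry->next) {
        struct object *sibling = entry->next->klass;
        if (use_barrier)
            sibling = resolve(sibling);
        if (sibling->type != T_CLASS)
            return -1;   /* the real code has no such check: it reads garbage here */
        sibling->ext.parent_subclasses = self->parent_subclasses;
    }
    return 0;
}

/* Build parent -> [a, b], move b, then free a (which unlinks itself).
 * Returns 0 if the list is consistent afterwards, -1 if the unlink hit a
 * forwarding record, -2 if the surviving entry's back-pointer is stale. */
int scenario(int use_barrier)
{
    struct object a     = { T_CLASS, NULL, { NULL } };
    struct object b_old = { T_CLASS, NULL, { NULL } };
    struct object b_new;
    struct subclass_entry entry_b = { &b_old, NULL };
    struct subclass_entry entry_a = { &a, &entry_b };
    struct subclass_entry *head = &entry_a;

    a.ext.parent_subclasses     = &head;
    b_old.ext.parent_subclasses = &entry_a.next;

    compact_move(&b_old, &b_new);   /* entry_b.klass still points at b_old */

    if (remove_from_super_subclasses(&a, &entry_a, use_barrier) != 0)
        return -1;
    if (head != &entry_b || b_new.ext.parent_subclasses != &head)
        return -2;
    return 0;
}

int main(void)
{
    printf("unlink without read barrier: %d\n", scenario(0));
    printf("unlink with read barrier:    %d\n", scenario(1));
    return 0;
}
```

The `-1` path is the benign version of the crash in the trace: the simulated unlink refuses to continue, whereas the real one dereferenced the RMoved record's fields as if they were `RCLASS_EXT` data and faulted in `st_lookup` while trying to print the bug report.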
shyouhei pushed a commit that referenced this issue Jul 28, 2020
	eliminate use of freed memory

	rb_io_fptr_finalize_internal frees the memory region.

	=================================================================
	==85264==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000d8c at pc 0x5608e38077f7 bp 0x7ffee12d5440 sp 0x7ffee12d5438
	READ of size 4 at 0x610000000d8c thread T0
	    #0 0x5608e38077f6 in rb_io_memsize io.c:4749:24
	    #1 0x5608e37a0481 in obj_memsize_of gc.c:3547:14
	    #2 0x5608e37a4f30 in check_rvalue_consistency gc.c:1107:2
	    #3 0x5608e37a2624 in RVALUE_OLD_P gc.c:1218:5
	    #4 0x5608e37a5bae in rb_gc_force_recycle gc.c:6652:18
	    #5 0x5608e38191f9 in rb_f_backquote io.c:9021:5
	    #6 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
	    #7 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
	    #8 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
	    #9 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
	    #10 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
	    #11 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
	    #12 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
	    #13 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
	    #14 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
	    #15 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
	    #16 0x5608e37620ca in ruby_exec_internal eval.c:262:2
	    #17 0x5608e376198b in ruby_exec_node eval.c:326:12
	    #18 0x5608e37617d0 in ruby_run_node eval.c:318:25
	    #19 0x5608e35c9486 in main main.c:42:9
	    #20 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
	    #21 0x5608e3522289 in _start (miniruby+0x15f289)

	0x610000000d8c is located 76 bytes inside of 192-byte region [0x610000000d40,0x610000000e00)
	freed by thread T0 here:
	    #0 0x5608e359a2ed in free (miniruby+0x1d72ed)
	    #1 0x5608e37af421 in objspace_xfree gc.c:9591:5
	    #2 0x5608e37af3da in ruby_sized_xfree gc.c:9687:2
	    #3 0x5608e3799ac8 in ruby_xfree gc.c:9694:5
	    #4 0x5608e380746d in rb_io_fptr_finalize_internal io.c:4728:5
	    #5 0x5608e38191ed in rb_f_backquote io.c:9020:5
	    #6 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
	    #7 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
	    #8 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
	    #9 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
	    #10 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
	    #11 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
	    #12 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
	    #13 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
	    #14 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
	    #15 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
	    #16 0x5608e37620ca in ruby_exec_internal eval.c:262:2
	    #17 0x5608e376198b in ruby_exec_node eval.c:326:12
	    #18 0x5608e37617d0 in ruby_run_node eval.c:318:25
	    #19 0x5608e35c9486 in main main.c:42:9
	    #20 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

	previously allocated by thread T0 here:
	    #0 0x5608e359a56d in malloc (miniruby+0x1d756d)
	    #1 0x5608e37aed12 in objspace_xmalloc0 gc.c:9416:5
	    #2 0x5608e37aebe7 in ruby_xmalloc0 gc.c:9600:12
	    #3 0x5608e37aea8b in ruby_xmalloc_body gc.c:9609:12
	    #4 0x5608e37a6d64 in ruby_xmalloc gc.c:11469:12
	    #5 0x5608e380e4b4 in rb_io_fptr_new io.c:8040:19
	    #6 0x5608e380e446 in rb_io_make_open_file io.c:8077:10
	    #7 0x5608e3850ea0 in pipe_open io.c:6707:5
	    #8 0x5608e384edb4 in pipe_open_s io.c:6772:12
	    #9 0x5608e381910b in rb_f_backquote io.c:9014:12
	    #10 0x5608e3d8aa14 in call_cfunc_1 vm_insnhelper.c:2058:12
	    #11 0x5608e3d6e23d in vm_call_cfunc_with_frame vm_insnhelper.c:2211:11
	    #12 0x5608e3d54a35 in vm_call_cfunc vm_insnhelper.c:2229:12
	    #13 0x5608e3d5253b in vm_call_method_each_type vm_insnhelper.c:2564:9
	    #14 0x5608e3d51f50 in vm_call_method vm_insnhelper.c:2701:13
	    #15 0x5608e3cf2de4 in vm_call_general vm_insnhelper.c:2734:12
	    #16 0x5608e3d79918 in vm_sendish vm_insnhelper.c:3627:11
	    #17 0x5608e3d06cf5 in vm_exec_core insns.def:789:11
	    #18 0x5608e3d43700 in rb_vm_exec vm.c:1892:22
	    #19 0x5608e3d47cbf in rb_iseq_eval_main vm.c:2151:11
	    #20 0x5608e37620ca in ruby_exec_internal eval.c:262:2
	    #21 0x5608e376198b in ruby_exec_node eval.c:326:12
	    #22 0x5608e37617d0 in ruby_run_node eval.c:318:25
	    #23 0x5608e35c9486 in main main.c:42:9
	    #24 0x7f62e9421b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

	SUMMARY: AddressSanitizer: heap-use-after-free io.c:4749:24 in rb_io_memsize
	Shadow bytes around the buggy address:
	  0x0c207fff8160: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
	  0x0c207fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  0x0c207fff8180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
	  0x0c207fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  0x0c207fff81a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
	=>0x0c207fff81b0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
	  0x0c207fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	  0x0c207fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	  0x0c207fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	  0x0c207fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	  0x0c207fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	Shadow byte legend (one shadow byte represents 8 application bytes):
	  Addressable:           00
	  Partially addressable: 01 02 03 04 05 06 07
	  Heap left redzone:       fa
	  Freed heap region:       fd
	  Stack left redzone:      f1
	  Stack mid redzone:       f2
	  Stack right redzone:     f3
	  Stack after return:      f5
	  Stack use after scope:   f8
	  Global redzone:          f9
	  Global init order:       f6
	  Poisoned by user:        f7
	  Container overflow:      fc
	  Array cookie:            ac
	  Intra object redzone:    bb
	  ASan internal:           fe
	  Left alloca redzone:     ca
	  Right alloca redzone:    cb
	  Shadow gap:              cc
	==85264==ABORTING

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67710 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
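The two stacks in the report spell out the order of events in `rb_f_backquote`: `rb_io_fptr_finalize_internal` frees the `rb_io_t` (io.c:4728), and `rb_gc_force_recycle` on the same object then runs a consistency check that ends in `rb_io_memsize` (io.c:4749), which reads through the pointer that was just freed. The example below is added here and is not ruby's code; it reproduces that shape with hypothetical simplified structs (`struct rfile` / `struct io_t` standing in for RFile / rb_io_t) and shows one way to close the window: clear the owning pointer before freeing, so that any accounting hook that runs afterwards sees NULL instead of freed memory. How the actual commit resolved it is not visible on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for RFile / rb_io_t (not ruby's real layout). */
struct io_buf { char *ptr; size_t capa; };
struct io_t {
    int fd;
    struct io_buf rbuf;   /* read buffer, sized separately */
    struct io_buf wbuf;   /* write buffer */
};
struct rfile {
    unsigned long flags;
    struct io_t *fptr;    /* owned, heap allocated */
};

struct rfile *rfile_open(size_t rcapa, size_t wcapa)
{
    struct rfile *port = calloc(1, sizeof *port);
    struct io_t *fptr = calloc(1, sizeof *fptr);
    fptr->rbuf.capa = rcapa;
    fptr->rbuf.ptr = malloc(rcapa);
    fptr->wbuf.capa = wcapa;
    fptr->wbuf.ptr = malloc(wcapa);
    port->fptr = fptr;
    return port;
}

/* Releases everything the io_t owns, then the io_t itself. This mirrors what
 * the message says rb_io_fptr_finalize_internal does: the region is gone. */
static void io_finalize_internal(struct io_t *fptr)
{
    free(fptr->rbuf.ptr);
    free(fptr->wbuf.ptr);
    free(fptr);
}

/* Accounting hook the GC runs on any object it inspects. It cannot know
 * whether ->fptr is still alive; all it can do is check for NULL. */
size_t rfile_memsize(const struct rfile *port)
{
    size_t size = sizeof *port;
    if (port->fptr == NULL)
        return size;
    size += sizeof *port->fptr;
    size += port->fptr->rbuf.capa;   /* the READ in the ASan report */
    size += port->fptr->wbuf.capa;
    return size;
}

/* Buggy sequence: finalize, then let the GC inspect the object while it still
 * holds the dangling pointer. Under ASan this is the heap-use-after-free. */
size_t close_then_recycle_buggy(struct rfile *port)
{
    io_finalize_internal(port->fptr);
    return rfile_memsize(port);       /* dereferences freed memory */
}

/* Fixed sequence: drop the reference before anything downstream can see it. */
size_t close_then_recycle_fixed(struct rfile *port)
{
    struct io_t *fptr = port->fptr;
    port->fptr = NULL;                /* the freed region is now unreachable from port */
    io_finalize_internal(fptr);
    return rfile_memsize(port);
}

int main(void)
{
    struct rfile *port = rfile_open(8192, 8192);
    printf("open:   %zu bytes accounted\n", rfile_memsize(port));
    printf("closed: %zu bytes accounted\n", close_then_recycle_fixed(port));
    free(port);
    return 0;
}
```

Build with `-fsanitize=address` and call `close_then_recycle_buggy` to get a report of the same shape as the one above (READ in the memsize function, freed in the finalize function, allocated in the open function). `main` only exercises the fixed ordering, because the buggy one reads freed memory and its result is undefined.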
shyouhei pushed a commit that referenced this issue Apr 23, 2021
This commit adds a check on the ep just like in the mark function.  The
env can contain null bytes if allocation tracing is enabled.

We're seeing errors during autocompaction like this:

```
(lldb) bt 40
* thread #1, name = 'ruby', stop reason = signal SIGABRT
    frame #0: 0x00007f7d64b6018b libc.so.6`raise + 203
    frame #1: 0x00007f7d64b3f859 libc.so.6`abort + 299
    frame #2: 0x000055af5f2fefc9 ruby`die at error.c:764:5
    frame #3: 0x000055af5f2ff1ac ruby`rb_bug_for_fatal_signal(default_sighandler=0x0000000000000000, sig=11, ctx=0x000055af60bc3340, fmt="") at error.c:804:5
    frame #4: 0x000055af5f4bd08f ruby`sigsegv(sig=11, info=0x000055af60bc3470, ctx=0x000055af60bc3340) at signal.c:960:5
    frame #5: 0x00007f7d64ebe3c0 libpthread.so.0`__restore_rt
    frame #6: 0x000055af5f339b0a ruby`gc_ref_update_imemo(objspace=0x000055af60b2b040, obj=0x00007f7d5b513fd0) at gc.c:9046:13
    frame #7: 0x000055af5f339172 ruby`gc_update_object_references(objspace=0x000055af60b2b040, obj=0x00007f7d5b513fd0) at gc.c:9307:9
    frame #8: 0x000055af5f338e79 ruby`gc_ref_update(vstart=0x00007f7d5b510010, vend=0x00007f7d5b513ff8, stride=40, objspace=0x000055af60b2b040, page=0x000055af62577aa0) at gc.c:9452:21
    frame #9: 0x000055af5f337846 ruby`gc_update_references(objspace=0x000055af60b2b040, heap=0x000055af60b2b068) at gc.c:9481:9
    frame #10: 0x000055af5f336569 ruby`gc_compact_finish(objspace=0x000055af60b2b040, heap=0x000055af60b2b068) at gc.c:4840:5
    frame #11: 0x000055af5f335efb ruby`gc_page_sweep(objspace=0x000055af60b2b040, heap=0x000055af60b2b068, sweep_page=0x000055af63a1eb30) at gc.c:5046:13
    frame #12: 0x000055af5f3355c5 ruby`gc_sweep_step(objspace=0x000055af60b2b040, heap=0x000055af60b2b068) at gc.c:5214:19
    frame #13: 0x000055af5f33daf6 ruby`gc_sweep_rest(objspace=0x000055af60b2b040) at gc.c:5271:2
    frame #14: 0x000055af5f33cacd ruby`gc_sweep(objspace=0x000055af60b2b040) at gc.c:5389:2
    frame #15: 0x000055af5f33c21d ruby`gc_marks_rest(objspace=0x000055af60b2b040) at gc.c:7555:5
    frame #16: 0x000055af5f324d41 ruby`gc_rest(objspace=0x000055af60b2b040) at gc.c:8457:13
    frame #17: 0x000055af5f3297d8 ruby`garbage_collect(objspace=0x000055af60b2b040, reason=45568) at gc.c:8318:9
    frame #18: 0x000055af5f344ece ruby`garbage_collect_with_gvl(objspace=0x000055af60b2b040, reason=45568) at gc.c:8632:9
    frame #19: 0x000055af5f344e61 ruby`objspace_malloc_gc_stress(objspace=0x000055af60b2b040) at gc.c:10592:9
    frame #20: 0x000055af5f32ced1 ruby`objspace_xmalloc0(objspace=0x000055af60b2b040, size=64) at gc.c:10767:5
    frame #21: 0x000055af5f32ce11 ruby`ruby_xmalloc0(size=64) at gc.c:10988:12
    frame #22: 0x000055af5f32cdac ruby`ruby_xmalloc_body(size=64) at gc.c:10997:12
    frame #23: 0x000055af5f329415 ruby`ruby_xmalloc(size=64) at gc.c:12942:12
    frame #24: 0x00007f7d611c4fe5 objspace.so`newobj_i(tpval=0x00007f7d5b553770, data=0x000055af639031a0) at object_tracing.c:101:35
    frame #25: 0x000055af5f5b283f ruby`tp_call_trace(tpval=0x00007f7d5b553770, trace_arg=0x00007fff1016d398) at vm_trace.c:1115:2
    frame #26: 0x000055af5f5b50ec ruby`exec_hooks_body(ec=0x000055af60b2b700, list=0x000055af60b2b920, trace_arg=0x00007fff1016d398) at vm_trace.c:304:3
    frame #27: 0x000055af5f5b0f24 ruby`exec_hooks_unprotected(ec=0x000055af60b2b700, list=0x000055af60b2b920, trace_arg=0x00007fff1016d398) at vm_trace.c:333:5
    frame #28: 0x000055af5f5b0da8 ruby`rb_exec_event_hooks(trace_arg=0x00007fff1016d398, hooks=0x000055af60b2b920, pop_p=0) at vm_trace.c:378:13
    frame #29: 0x000055af5f33f8e2 ruby`rb_exec_event_hook_orig(ec=0x000055af60b2b700, hooks=0x000055af60b2b920, flag=1048576, self=0x00007f7d5b5c08c0, id=0, called_id=0, klass=0x0000000000000000, data=0x00007f7d5b513fd0, pop_p=0) at vm_core.h:1989:5
    frame #30: 0x000055af5f334975 ruby`gc_event_hook_body(ec=0x000055af60b2b700, objspace=0x000055af60b2b040, event=1048576, data=0x00007f7d5b513fd0) at gc.c:2083:5
  * frame #31: 0x000055af5f3342df ruby`newobj_slowpath_wb_protected [inlined] newobj_slowpath(klass=0x00007f7d5b9d19c8, flags=0x000000000000001a, objspace=0x000055af60b2b040, cr=0x000055af60b2b910, wb_protected=1) at gc.c:2284:9
    frame #32: 0x000055af5f33410f ruby`newobj_slowpath_wb_protected(klass=0x00007f7d5b9d19c8, flags=0x000000000000001a, objspace=0x000055af60b2b040, cr=0x000055af60b2b910) at gc.c:2299
    frame #33: 0x000055af5f333de9 ruby`newobj_of0(klass=0x00007f7d5b9d19c8, flags=0x000000000000001a, wb_protected=1, cr=0x000055af60b2b910) at gc.c:2338:11
    frame #34: 0x000055af5f3227ae ruby`newobj_of(klass=0x00007f7d5b9d19c8, flags=0x000000000000001a, v1=0x000055af657d88a0, v2=0x000055af657d8890, v3=0x0000000000000000, wb_protected=1) at gc.c:2348:17
    frame #35: 0x000055af5f322c5b ruby`rb_imemo_new(type=imemo_env, v1=0x000055af657d88a0, v2=0x000055af657d8890, v3=0x0000000000000000, v0=0x00007f7d5b9d19c8) at gc.c:2434:12
    frame #36: 0x000055af5f5a3925 ruby`vm_env_new(env_ep=0x000055af657d88a0, env_body=0x000055af657d8890, env_size=4, iseq=0x00007f7d5b9d19c8) at vm_core.h:1363:33
    frame #37: 0x000055af5f5a3808 ruby`vm_make_env_each(ec=0x000055af60b2b700, cfp=0x00007f7d6482fc90) at vm.c:801:11
    frame #38: 0x000055af5f5a368d ruby`vm_make_env_each(ec=0x000055af60b2b700, cfp=0x00007f7d6482fc20) at vm.c:752:13
    frame #39: 0x000055af5f5a368d ruby`vm_make_env_each(ec=0x000055af60b2b700, cfp=0x00007f7d6482fbb0) at vm.c:752:13
(lldb) f 31
frame #31: 0x000055af5f3342df ruby`newobj_slowpath_wb_protected [inlined] newobj_slowpath(klass=0x00007f7d5b9d19c8, flags=0x000000000000001a, objspace=0x000055af60b2b040, cr=0x000055af60b2b910, wb_protected=1) at gc.c:2284:9
   2281	        }
   2282	        GC_ASSERT(obj != 0);
   2283	        newobj_init(klass, flags, wb_protected, objspace, obj);
-> 2284	        gc_event_hook_prep(objspace, RUBY_INTERNAL_EVENT_NEWOBJ, obj, newobj_fill(obj, 0, 0, 0));
   2285	    }
   2286	    RB_VM_LOCK_LEAVE_CR_LEV(cr, &lev);
   2287
(lldb) p obj
(VALUE) $3 = 0x00007f7d5b513fd0
(lldb) f 6
frame #6: 0x000055af5f339b0a ruby`gc_ref_update_imemo(objspace=0x000055af60b2b040, obj=0x00007f7d5b513fd0) at gc.c:9046:13
   9043	        {
   9044	            rb_env_t *env = (rb_env_t *)obj;
   9045	            TYPED_UPDATE_IF_MOVED(objspace, rb_iseq_t *, env->iseq);
-> 9046	            UPDATE_IF_MOVED(objspace, env->ep[VM_ENV_DATA_INDEX_ENV]);
   9047	            gc_update_values(objspace, (long)env->env_size, (VALUE *)env->env);
   9048	        }
   9049	        break;
(lldb) p obj
(VALUE) $4 = 0x00007f7d5b513fd0
(lldb)
```
shyouhei pushed a commit that referenced this issue Oct 22, 2021

* Use INT32_MIN, INT32_MAX, etc. constants in yjit_asm.c

* Print warning on stderr when code past rel32 jump range

* Fix preprocessor snafu

* Move rel32 warning into --yjit-stats

* Try to allocate within rel32 offset on Linux machines

* Update yjit_asm.c

Co-authored-by: Alan Wu <XrXr@users.noreply.github.com>

* On Linux, use sysconf to get the page size

Co-authored-by: Alan Wu <XrXr@users.noreply.github.com>
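The bullet list is about one constraint of x86-64 code generation: a near `jmp`/`call` carries a signed 32-bit displacement, so generated code that lands more than 2 GiB away from the code it must jump to cannot use that encoding. The example below is added here and is not yjit_asm.c; it shows the two pieces the list describes: a range check before encoding a rel32 jump (returning an error instead of silently truncating the displacement) and a Linux `mmap` with a page-aligned hint near an anchor address, with the page size taken from `sysconf`. The function names and the warning text are this example's own.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>

/* x86-64 near jump: opcode E9 followed by a signed 32-bit displacement that
 * is relative to the end of the 5-byte instruction. */
#define JMP_REL32_LEN 5

/* 1 when `dst` is reachable from a jmp whose instruction starts at `src`. */
int rel32_reachable(uintptr_t src, uintptr_t dst)
{
    int64_t disp = (int64_t)(dst - (src + JMP_REL32_LEN));
    return disp >= INT32_MIN && disp <= INT32_MAX;
}

/* Encode `jmp dst` at `src` into out[5]. Returns 0, or -1 with nothing
 * written when the target is outside rel32 range. Truncating the
 * displacement instead would produce a jump to the wrong address. */
int encode_jmp_rel32(uint8_t out[JMP_REL32_LEN], uintptr_t src, uintptr_t dst)
{
    if (!rel32_reachable(src, dst))
        return -1;
    uint32_t disp = (uint32_t)(int32_t)(int64_t)(dst - (src + JMP_REL32_LEN));
    out[0] = 0xE9;
    out[1] = (uint8_t)(disp & 0xff);
    out[2] = (uint8_t)((disp >> 8) & 0xff);
    out[3] = (uint8_t)((disp >> 16) & 0xff);
    out[4] = (uint8_t)((disp >> 24) & 0xff);
    return 0;
}

/* Ask the kernel for a block just above `anchor` (e.g. an address in the
 * interpreter's text segment) so that jumps between the two fit in rel32.
 * The hint is page-aligned; without MAP_FIXED it is only a request, so the
 * caller must re-check the address it gets. Returns MAP_FAILED on error.
 * The block is left RW here; a JIT would add PROT_EXEC when it emits code. */
void *alloc_near(uintptr_t anchor, size_t size)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t hint = (anchor + page) & ~(page - 1);
    return mmap((void *)hint, size, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
}

int main(void)
{
    uint8_t buf[JMP_REL32_LEN];
    uintptr_t anchor = (uintptr_t)&rel32_reachable;   /* something in this binary's text */
    size_t size = 4096;

    void *block = alloc_near(anchor, size);
    if (block == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    if (encode_jmp_rel32(buf, (uintptr_t)block, anchor) == 0) {
        printf("jmp from %p to %p: %02x %02x %02x %02x %02x\n", block, (void *)anchor,
               buf[0], buf[1], buf[2], buf[3], buf[4]);
    } else {
        fprintf(stderr, "warning: code block %p is outside rel32 range of %p\n",
                block, (void *)anchor);
    }
    munmap(block, size);
    return 0;
}
```

The hint is only a preference: the kernel may place the mapping anywhere, so whatever address comes back has to go through `rel32_reachable` again before emitting a near jump, and an out-of-range result needs a fallback (an absolute indirect jump through a register, at the cost of a larger sequence). That is the situation the "print warning when code is past rel32 jump range" item refers to.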