Implement Managed vs. Manual Series Model #2406

hostilefork · 2015-06-18T22:26:45Z

In the spirit of Comments vs Web Links on the World Wide Web, I thought it would be a good time to take out a longstanding note from Carl labeled "ideas" in m-pools.c and migrate it to a GitHub issue that I plan to be committing a fix for soon (hopefully).

It happens that he's describing something I did wind up realizing something had to be done about. He wrote:

Each task needs its own series-save list that is simply a pointer array of un-rooted (NEW) series that should not be GCed. When a TRAP or THROW occurs, the list is trimmed back to its prior marker, allowing series that were orphaned by the TRAP to be GCed.

When GC occurs, each series on the save list is mark-scanned to keep it alive. The save list can be expanded, but care should be used to avoid creating a huge list when recursion happens.

What if interpreter kept track of save list marker when calling each native, and reset it on return?

This is an extension of the current "GC Infants" idea, which saves the last few created series from being garbage collected. Picking the last N to protect doesn't make a lot of sense--however--and is more likely to cover up a bug and make difficult repro scenarios.

What I came up with was that series are considered to not be shown to the GC until they have been explicitly "shared" with it. This moves them from a manual memory state to a managed memory state. Rebol code is able to call Free_Series until the sharing has been done...but once the sharing happens, only the GC can free it and calls to Free_Series will assert.

These "infant" series (or "Triage", as I called them) are freed automatically when a Trap happens as Carl suggests...because the interpreter state capture holds the list. But if a trap does not happen, an assert at the end of the native notifies you of the leak in the debug build. In a release build, these would be permanent memory leaks. Each native also ensures the data stack is balanced...

Found by AddressSanitizer: ==8157==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000f5897 at pc 0x4816ef bp 0x7fffffffafb0 sp 0x7fffffffafa0 READ of size 1 at 0x61d0000f5897 thread T0 #0 0x4816ee in Expand_Series ../src/core/m-series.c:138 #1 0x4e258c in Insert_Gobs ../src/core/t-gob.c:219 rebolsource#2 0x4e7782 in T_Gob ../src/core/t-gob.c:833 rebolsource#3 0x42e26f in Do_Act ../src/core/c-function.c:338 #4 0x42e9d8 in Do_Action ../src/core/c-function.c:396 #5 0x41395b in Do_Next ../src/core/c-do.c:886 rebolsource#6 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#7 0x4883d6 in N_if ../src/core/n-control.c:632 #8 0x42dd9c in Do_Native ../src/core/c-function.c:289 #9 0x41395b in Do_Next ../src/core/c-do.c:886 #10 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #11 0x4893c0 in N_unless ../src/core/n-control.c:792 #12 0x42dd9c in Do_Native ../src/core/c-function.c:289 #13 0x41395b in Do_Next ../src/core/c-do.c:886 #14 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #15 0x488c03 in N_switch ../src/core/n-control.c:736 #16 0x42dd9c in Do_Native ../src/core/c-function.c:289 rebol#17 0x41395b in Do_Next ../src/core/c-do.c:886 #18 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#19 0x4883d6 in N_if ../src/core/n-control.c:632 #20 0x42dd9c in Do_Native ../src/core/c-function.c:289 rebol#21 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#22 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#23 0x42ea5c in Do_Function ../src/core/c-function.c:415 #24 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#25 0x415658 in Try_Block ../src/core/c-do.c:1083 rebol#26 0x4862f8 in N_attempt ../src/core/n-control.c:306 #27 0x42dd9c in Do_Native ../src/core/c-function.c:289 #28 0x41395b in Do_Next ../src/core/c-do.c:886 #29 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #30 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131 #31 0x49693a in N_for ../src/core/n-loop.c:486 #32 0x42dd9c in Do_Native ../src/core/c-function.c:289 rebol#33 0x41395b in Do_Next ../src/core/c-do.c:886 #34 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#35 0x4883d6 in N_if ../src/core/n-control.c:632 #36 0x42dd9c in Do_Native ../src/core/c-function.c:289 #37 0x41395b in Do_Next ../src/core/c-do.c:886 #38 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #39 0x42ea5c in Do_Function ../src/core/c-function.c:415 rebol#40 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#41 0x415658 in Try_Block ../src/core/c-do.c:1083 #42 0x488f7d in N_try ../src/core/n-control.c:760 #43 0x42dd9c in Do_Native ../src/core/c-function.c:289 #44 0x41395b in Do_Next ../src/core/c-do.c:886 #45 0x4118a1 in Do_Args ../src/core/c-do.c:668 rebol#46 0x413700 in Do_Next ../src/core/c-do.c:879 #47 0x4118a1 in Do_Args ../src/core/c-do.c:668 rebol#48 0x413700 in Do_Next ../src/core/c-do.c:879 rebol#49 0x414f2f in Do_Block_Value_Throw ../src/core/c-do.c:1048 #50 0x5725ac in Parse_Rules_Loop ../src/core/u-parse.c:830 #51 0x5731f8 in Parse_Rules_Loop ../src/core/u-parse.c:927 #52 0x56c799 in Parse_Series ../src/core/u-parse.c:96 rebol#53 0x576950 in N_parse ../src/core/u-parse.c:1269 #54 0x42dd9c in Do_Native ../src/core/c-function.c:289 #55 0x41395b in Do_Next ../src/core/c-do.c:886 #56 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #57 0x4883d6 in N_if ../src/core/n-control.c:632 #58 0x42dd9c in Do_Native ../src/core/c-function.c:289 #59 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#60 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #61 0x42ea5c in Do_Function ../src/core/c-function.c:415 #62 0x41395b in Do_Next ../src/core/c-do.c:886 #63 0x415658 in Try_Block ../src/core/c-do.c:1083 #64 0x4862f8 in N_attempt ../src/core/n-control.c:306 rebol#65 0x42dd9c in Do_Native ../src/core/c-function.c:289 rebol#66 0x41395b in Do_Next ../src/core/c-do.c:886 #67 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#68 0x487b91 in N_do ../src/core/n-control.c:524 #69 0x42dd9c in Do_Native ../src/core/c-function.c:289 #70 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#71 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #72 0x487fcb in N_either ../src/core/n-control.c:598 #73 0x42dd9c in Do_Native ../src/core/c-function.c:289 #74 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#75 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#76 0x487fcb in N_either ../src/core/n-control.c:598 #77 0x42dd9c in Do_Native ../src/core/c-function.c:289 #78 0x41395b in Do_Next ../src/core/c-do.c:886 #79 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #80 0x487fcb in N_either ../src/core/n-control.c:598 #81 0x42dd9c in Do_Native ../src/core/c-function.c:289 #82 0x41395b in Do_Next ../src/core/c-do.c:886 #83 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#84 0x42ea5c in Do_Function ../src/core/c-function.c:415 #85 0x4198c2 in Apply_Function ../src/core/c-do.c:1524 #86 0x419fa8 in Do_Sys_Func ../src/core/c-do.c:1584 #87 0x41e406 in Init_Mezz ../src/core/c-do.c:2313 #88 0x405fd3 in RL_Start ../src/core/a-lib.c:167 #89 0x59d1f7 in main ../src/os/host-main.c:231 #90 0x7ffff571403f in __libc_start_main (/usr/lib/libc.so.6+0x2003f) #91 0x405858 (/home/zsx/work/r3.git/make/r3-view-linux+0x405858) 0x61d0000f5897 is located 7 bytes to the right of 2064-byte region [0x61d0000f5080,0x61d0000f5890) allocated by thread T0 here: #0 0x7ffff6f56b77 in __interceptor_malloc (/usr/lib/libasan.so.1+0x57b77) #1 0x47c300 in Make_Mem ../src/core/m-pools.c:125 rebolsource#2 0x47ca2f in Fill_Pool ../src/core/m-pools.c:233 rebolsource#3 0x47d80c in Make_Series ../src/core/m-pools.c:388 #4 0x4826f3 in Copy_Series ../src/core/m-series.c:261 #5 0x43ca14 in Copy_Deep_Values ../src/core/f-blocks.c:131 rebolsource#6 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 rebol#7 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #8 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #9 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #10 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #11 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #12 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #13 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #14 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #15 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #16 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 rebol#17 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159 #18 0x43cd9f in Clone_Block ../src/core/f-blocks.c:174 rebol#19 0x42db12 in Clone_Function ../src/core/c-function.c:266 #20 0x43cc00 in Copy_Deep_Values ../src/core/f-blocks.c:139 rebol#21 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159 rebol#22 0x4fd371 in T_Object ../src/core/t-object.c:364 rebol#23 0x42e26f in Do_Act ../src/core/c-function.c:338 #24 0x42e9d8 in Do_Action ../src/core/c-function.c:396 rebol#25 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#26 0x4133cc in Do_Next ../src/core/c-do.c:860 #27 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #28 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131 #29 0x49693a in N_for ../src/core/n-loop.c:486 SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/m-series.c:138 Expand_Series Shadow bytes around the buggy address: 0x0c3a80016ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a80016ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a80016ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a80016af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a80016b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c3a80016b10: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a80016b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a80016b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a80016b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a80016b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a80016b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==8157==ABORTING This is happening because "GOB_TAIL(gob) = count" sets the tail of a series with length of "count" to be "count", and Expand_Series expects a terminator in the series. (m-series.c:90 size = (series->tail + 1) * wide;)

Reported by AddressSanitizer of GCC: Direct leak of 970518528 byte(s) in 947772 object(s) allocated from: #0 0x7f505036363f in operator new[](unsigned long) (/usr/lib/libasan.so.1+0x5863f) #1 0x65676f in agg::agg_graphics::agg_gradient_pen(int, double, double, double, double, double, double, double, unsigned char*, double*, int) ../src/agg/agg_graphics.cpp:1306 rebolsource#2 0x5fe247 in rebdrw_gradient_pen ../src/os/host-draw-api-agg.cpp:184 rebolsource#3 0x5f8834 in RXD_Draw ../src/os/host-draw.c:294 #4 0x45cd8e in Do_Commands ../src/core/f-extension.c:579 #5 0x40680d in RL_Do_Commands ../src/core/a-lib.c:376 rebolsource#6 0x603d21 in rebdrw_gob_draw ../src/os/host-draw-api-agg.cpp:567 rebol#7 0x60c732 in process_gobs ../src/os/linux/host-compositor.c:520 #8 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559 #9 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559 #10 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559 #11 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559 #12 0x60f753 in rebcmp_compose ../src/os/linux/host-compositor.c:685 #13 0x5e8299 in Draw_Window ../src/os/host-view.c:225 #14 0x5e8682 in Show_Gob ../src/os/host-view.c:288 #15 0x5e8b58 in RXD_Graphics ../src/os/host-view.c:346 #16 0x45bf75 in Do_Command ../src/core/f-extension.c:456 rebol#17 0x41395b in Do_Next ../src/core/c-do.c:886 #18 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#19 0x42ea5c in Do_Function ../src/core/c-function.c:415 #20 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#21 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#22 0x42ea5c in Do_Function ../src/core/c-function.c:415 rebol#23 0x41395b in Do_Next ../src/core/c-do.c:886 #24 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#25 0x4883d6 in N_if ../src/core/n-control.c:632 rebol#26 0x42dd9c in Do_Native ../src/core/c-function.c:289 #27 0x41395b in Do_Next ../src/core/c-do.c:886 #28 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #29 0x496d2f in N_forever ../src/core/n-loop.c:532

Found by GCC Address Sanitizer: ================================================================= ==32465==ERROR: AddressSanitizer: alloc-dealloc-mismatch (malloc vs operator delete []) on 0x6030000add40 #0 0x7f012194676f in operator delete[](void*) (/usr/lib/libasan.so.1+0x5876f) #1 0x6c8785 in agg::agg_graphics::agg_reset() ../src/agg/agg_graphics.cpp:1562 rebolsource#2 0x6bc20c in agg::agg_graphics::~agg_graphics() ../src/agg/agg_graphics.cpp:96 rebolsource#3 0x66fb18 in rebdrw_gob_draw ../src/os/host-draw-api-agg.cpp:571 #4 0x678500 in process_gobs ../src/os/linux/host-compositor.c:520 #5 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 rebolsource#6 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 rebol#7 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 #8 0x67b63f in rebcmp_compose ../src/os/linux/host-compositor.c:685 #9 0x65158c in Draw_Window ../src/os/host-view.c:225 #10 0x651b21 in Show_Gob ../src/os/host-view.c:288 #11 0x6520ed in RXD_Graphics ../src/os/host-view.c:346 #12 0x471ccd in Do_Command ../src/core/f-extension.c:456 #13 0x419332 in Do_Next ../src/core/c-do.c:886 #14 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #15 0x43f6c8 in Do_Function ../src/core/c-function.c:415 #16 0x419332 in Do_Next ../src/core/c-do.c:886 rebol#17 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #18 0x43f6c8 in Do_Function ../src/core/c-function.c:415 rebol#19 0x419332 in Do_Next ../src/core/c-do.c:886 #20 0x41aaed in Do_Blk ../src/core/c-do.c:1017 rebol#21 0x4a6c9a in N_do ../src/core/n-control.c:524 rebol#22 0x43e037 in Do_Native ../src/core/c-function.c:289 rebol#23 0x419332 in Do_Next ../src/core/c-do.c:886 #24 0x41b643 in Try_Block ../src/core/c-do.c:1087 rebol#25 0x4a872e in N_try ../src/core/n-control.c:760 rebol#26 0x43e037 in Do_Native ../src/core/c-function.c:289 #27 0x419332 in Do_Next ../src/core/c-do.c:886 #28 0x4168bd in Do_Args ../src/core/c-do.c:668 #29 0x41a070 in Do_Next ../src/core/c-do.c:942 #30 0x4168bd in Do_Args ../src/core/c-do.c:668 #31 0x4190d4 in Do_Next ../src/core/c-do.c:879 #32 0x4168bd in Do_Args ../src/core/c-do.c:668 rebol#33 0x4190d4 in Do_Next ../src/core/c-do.c:879 #34 0x41aaed in Do_Blk ../src/core/c-do.c:1017 rebol#35 0x43f6c8 in Do_Function ../src/core/c-function.c:415 #36 0x419332 in Do_Next ../src/core/c-do.c:886 #37 0x4168bd in Do_Args ../src/core/c-do.c:668 #38 0x4190d4 in Do_Next ../src/core/c-do.c:879 #39 0x41aaed in Do_Blk ../src/core/c-do.c:1017 rebol#40 0x4a6c9a in N_do ../src/core/n-control.c:524 rebol#41 0x43e037 in Do_Native ../src/core/c-function.c:289 #42 0x419332 in Do_Next ../src/core/c-do.c:886 #43 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #44 0x4a732e in N_either ../src/core/n-control.c:598 #45 0x43e037 in Do_Native ../src/core/c-function.c:289 rebol#46 0x419332 in Do_Next ../src/core/c-do.c:886 #47 0x41aaed in Do_Blk ../src/core/c-do.c:1017 rebol#48 0x4a732e in N_either ../src/core/n-control.c:598 rebol#49 0x43e037 in Do_Native ../src/core/c-function.c:289 #50 0x419332 in Do_Next ../src/core/c-do.c:886 #51 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #52 0x4a732e in N_either ../src/core/n-control.c:598 rebol#53 0x43e037 in Do_Native ../src/core/c-function.c:289 #54 0x419332 in Do_Next ../src/core/c-do.c:886 #55 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #56 0x43f6c8 in Do_Function ../src/core/c-function.c:415 #57 0x42094d in Apply_Function ../src/core/c-do.c:1528 #58 0x42116c in Do_Sys_Func ../src/core/c-do.c:1588 #59 0x426d54 in Init_Mezz ../src/core/c-do.c:2320 rebol#60 0x4069c1 in RL_Start ../src/core/a-lib.c:193 #61 0x5fea9d in main ../src/os/host-main.c:235 #62 0x7f011fed27ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff) #63 0x405dd8 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x405dd8) 0x6030000add40 is located 0 bytes inside of 24-byte region [0x6030000add40,0x6030000add58) allocated by thread T0 here: #0 0x7f01219457a7 in malloc (/usr/lib/libasan.so.1+0x577a7) #1 0x606495 in OS_Make ../src/os/linux/host-lib.c:380 rebolsource#2 0x664b61 in RXD_Draw ../src/os/host-draw.c:438 rebolsource#3 0x472f24 in Do_Commands ../src/core/f-extension.c:585 #4 0x4073a0 in RL_Do_Commands ../src/core/a-lib.c:402 #5 0x66fadb in rebdrw_gob_draw ../src/os/host-draw-api-agg.cpp:568 rebolsource#6 0x678500 in process_gobs ../src/os/linux/host-compositor.c:520 rebol#7 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 #8 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 #9 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 #10 0x67b63f in rebcmp_compose ../src/os/linux/host-compositor.c:685 #11 0x65158c in Draw_Window ../src/os/host-view.c:225 #12 0x651b21 in Show_Gob ../src/os/host-view.c:288 #13 0x6520ed in RXD_Graphics ../src/os/host-view.c:346 #14 0x471ccd in Do_Command ../src/core/f-extension.c:456 #15 0x419332 in Do_Next ../src/core/c-do.c:886 #16 0x41aaed in Do_Blk ../src/core/c-do.c:1017 rebol#17 0x43f6c8 in Do_Function ../src/core/c-function.c:415 #18 0x419332 in Do_Next ../src/core/c-do.c:886 rebol#19 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #20 0x43f6c8 in Do_Function ../src/core/c-function.c:415 rebol#21 0x419332 in Do_Next ../src/core/c-do.c:886 rebol#22 0x41aaed in Do_Blk ../src/core/c-do.c:1017 rebol#23 0x4a6c9a in N_do ../src/core/n-control.c:524 #24 0x43e037 in Do_Native ../src/core/c-function.c:289 rebol#25 0x419332 in Do_Next ../src/core/c-do.c:886 rebol#26 0x41b643 in Try_Block ../src/core/c-do.c:1087 #27 0x4a872e in N_try ../src/core/n-control.c:760 #28 0x43e037 in Do_Native ../src/core/c-function.c:289 #29 0x419332 in Do_Next ../src/core/c-do.c:886 SUMMARY: AddressSanitizer: alloc-dealloc-mismatch ??:0 operator delete[](void*) ==32465==HINT: if you don't care about these warnings you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0 ==32465==ABORTING

index is unsigned, and could be zero, so 'index--' will underflow and round to 0xffffffff, and cause problem in a later call to Expand_Series I believe the idea of if ((REBINT)index > i) index--; is to move the index forward because gob being inserted were in PANE, and they can't be there twice (Detach_Gob will remove them from the current gob). So if they were not there, "index" shouldn't be changed. This fixes a crash in the following script: REBOL [] foo: make block! [] for i 0 15 1 [ txt: #"a" + i append foo make gob! reduce/no-set [text: to string! txt] ] g: make gob! [] append g foo g/pane: next g/pane With this stack trace: zsx@touchsmart-arch:~/work/r3.git/make$ R3_ALWAYS_MALLOC=1 ./r3-view-linux test-insert-gob-crash.r ================================================================= ==24248==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000c8a8 at pc 0x522243 bp 0x7fff91ba7a60 sp 0x7fff91ba7a50 WRITE of size 8 at 0x60d00000c8a8 thread T0 #0 0x522242 in Insert_Gobs ../src/core/t-gob.c:230 #1 0x5242d6 in Set_GOB_Var ../src/core/t-gob.c:421 rebolsource#2 0x5278ee in PD_Gob ../src/core/t-gob.c:713 rebolsource#3 0x414cda in Next_Path ../src/core/c-do.c:399 #4 0x415c8c in Do_Path ../src/core/c-do.c:463 #5 0x41a018 in Do_Next ../src/core/c-do.c:928 rebolsource#6 0x41ad1d in Do_Blk ../src/core/c-do.c:1017 rebol#7 0x4a6eca in N_do ../src/core/n-control.c:524 #8 0x43e267 in Do_Native ../src/core/c-function.c:289 #9 0x419562 in Do_Next ../src/core/c-do.c:886 #10 0x41ad1d in Do_Blk ../src/core/c-do.c:1017 #11 0x4a755e in N_either ../src/core/n-control.c:598 #12 0x43e267 in Do_Native ../src/core/c-function.c:289 #13 0x419562 in Do_Next ../src/core/c-do.c:886 #14 0x41ad1d in Do_Blk ../src/core/c-do.c:1017 #15 0x4a755e in N_either ../src/core/n-control.c:598 #16 0x43e267 in Do_Native ../src/core/c-function.c:289 rebol#17 0x419562 in Do_Next ../src/core/c-do.c:886 #18 0x41ad1d in Do_Blk ../src/core/c-do.c:1017 rebol#19 0x4a755e in N_either ../src/core/n-control.c:598 #20 0x43e267 in Do_Native ../src/core/c-function.c:289 rebol#21 0x419562 in Do_Next ../src/core/c-do.c:886 rebol#22 0x41ad1d in Do_Blk ../src/core/c-do.c:1017 rebol#23 0x43f8f8 in Do_Function ../src/core/c-function.c:415 #24 0x420b7d in Apply_Function ../src/core/c-do.c:1528 rebol#25 0x42139c in Do_Sys_Func ../src/core/c-do.c:1588 rebol#26 0x426f84 in Init_Mezz ../src/core/c-do.c:2320 #27 0x406bf1 in RL_Start ../src/core/a-lib.c:193 #28 0x5fecee in main ../src/os/host-main.c:235 #29 0x7facd0bf67ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff) #30 0x406008 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x406008) 0x60d00000c8a8 is located 0 bytes to the right of 136-byte region [0x60d00000c820,0x60d00000c8a8) allocated by thread T0 here: #0 0x7facd26567a7 in malloc (/usr/lib/libasan.so.1+0x577a7) #1 0x4999a7 in Make_Mem ../src/core/m-pools.c:125 rebolsource#2 0x49b188 in Make_Series ../src/core/m-pools.c:413 rebolsource#3 0x521929 in Insert_Gobs ../src/core/t-gob.c:208 #4 0x529717 in T_Gob ../src/core/t-gob.c:835 #5 0x43eb86 in Do_Act ../src/core/c-function.c:338 rebolsource#6 0x43f82a in Do_Action ../src/core/c-function.c:396 rebol#7 0x419562 in Do_Next ../src/core/c-do.c:886 #8 0x41ad1d in Do_Blk ../src/core/c-do.c:1017 #9 0x4a6eca in N_do ../src/core/n-control.c:524 #10 0x43e267 in Do_Native ../src/core/c-function.c:289 #11 0x419562 in Do_Next ../src/core/c-do.c:886 #12 0x41ad1d in Do_Blk ../src/core/c-do.c:1017 #13 0x4a755e in N_either ../src/core/n-control.c:598 #14 0x43e267 in Do_Native ../src/core/c-function.c:289 #15 0x419562 in Do_Next ../src/core/c-do.c:886 #16 0x41ad1d in Do_Blk ../src/core/c-do.c:1017 rebol#17 0x4a755e in N_either ../src/core/n-control.c:598 #18 0x43e267 in Do_Native ../src/core/c-function.c:289 rebol#19 0x419562 in Do_Next ../src/core/c-do.c:886 #20 0x41ad1d in Do_Blk ../src/core/c-do.c:1017 rebol#21 0x4a755e in N_either ../src/core/n-control.c:598 rebol#22 0x43e267 in Do_Native ../src/core/c-function.c:289 rebol#23 0x419562 in Do_Next ../src/core/c-do.c:886 #24 0x41ad1d in Do_Blk ../src/core/c-do.c:1017 rebol#25 0x43f8f8 in Do_Function ../src/core/c-function.c:415 rebol#26 0x420b7d in Apply_Function ../src/core/c-do.c:1528 #27 0x42139c in Do_Sys_Func ../src/core/c-do.c:1588 #28 0x426f84 in Init_Mezz ../src/core/c-do.c:2320 #29 0x406bf1 in RL_Start ../src/core/a-lib.c:193 SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/t-gob.c:230 Insert_Gobs Shadow bytes around the buggy address: 0x0c1a7fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1a7fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1a7fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1a7fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c1a7fff9900: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c1a7fff9910: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa 00 00 0x0c1a7fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 0x0c1a7fff9930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c1a7fff9940: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa 0x0c1a7fff9950: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c1a7fff9960: 00 00 00 00 fa fa fa fa fa fa fa fa fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==24248==ABORTING

reported by address sanitizer with manual poisonation: ================================================================= ==11513==ERROR: AddressSanitizer: use-after-poison on address 0x7efe281542c0 at pc 0x00000071038f bp 0x7ffdc9de9330 sp 0x7ffdc9de9328 READ of size 4 at 0x7efe281542c0 thread T0 #0 0x71038e in Mark_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:501:6 #1 0x70ea8b in Recycle /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:744:4 rebolsource#2 0x7bbde6 in N_recycle /home/zsx/stuffs/work/r3.git/make/../src/core/n-system.c:99:10 rebolsource#3 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #4 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #5 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 rebolsource#6 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 rebol#7 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #8 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11 #9 0xb0b6d9 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4 #10 0xb0e7f7 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9 #11 0xb07b10 in Parse_Series /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:96:9 #12 0xb06b65 in N_parse /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:1269:7 #13 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #14 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #15 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #16 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 rebol#17 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #18 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 rebol#19 0x745e54 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10 #20 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 rebol#21 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 rebol#22 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 rebol#23 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 #24 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 rebol#25 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 rebol#26 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #27 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11 #28 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #29 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #30 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #31 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #32 0x749b0b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8 rebol#33 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #34 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 rebol#35 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #36 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3 #37 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #38 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #39 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 rebol#40 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3 rebol#41 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #42 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #43 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #44 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3 #45 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 rebol#46 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #47 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 rebol#48 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 rebol#49 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33 #50 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10 #51 0x582548 in Init_Mezz /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:2320:9 #52 0x52e62f in RL_Start /home/zsx/stuffs/work/r3.git/make/../src/core/a-lib.c:193:9 rebol#53 0xbb6c93 in main /home/zsx/stuffs/work/r3.git/make/../src/os/host-main.c:235:6 #54 0x7efe2bfcb7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff) #55 0x486498 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x486498) 0x7efe281542c0 is located 96960 bytes inside of 131088-byte region [0x7efe2813c800,0x7efe2815c810) allocated by thread T0 here: #0 0x50d462 in __interceptor_malloc (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x50d462) #1 0x721a85 in Make_Mem /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:127:14 rebolsource#2 0x723acd in Fill_Pool /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:235:19 rebolsource#3 0x7233af in Make_Node /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:280:20 #4 0x725f8a in Make_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:391:21 #5 0x738823 in Copy_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-series.c:261:19 rebolsource#6 0x5f93a6 in Copy_Deep_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:131:22 rebol#7 0x5f98cf in Copy_Deep_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:136:6 #8 0x5fa3ed in Copy_Block_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:159:18 #9 0x89efc2 in T_Block /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:796:23 #10 0x5c458f in Do_Act /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:338:8 #11 0x5c5927 in Do_Action /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:396:2 #12 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #13 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #14 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 #15 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #16 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 rebol#17 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #18 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11 rebol#19 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #20 0x749b0b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8 rebol#21 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 rebol#22 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 rebol#23 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #24 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 rebol#25 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33 rebol#26 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10 #27 0x5a37d0 in Make_Module /home/zsx/stuffs/work/r3.git/make/../src/core/c-frame.c:585:10 #28 0x9510d5 in T_Object /home/zsx/stuffs/work/r3.git/make/../src/core/t-object.c:308:16 #29 0x8ac4eb in T_Datatype /home/zsx/stuffs/work/r3.git/make/../src/core/t-datatype.c:92:20 SUMMARY: AddressSanitizer: use-after-poison /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:501 Mark_Series Shadow bytes around the buggy address: 0x0fe045022800: f7 f7 00 00 00 00 00 00 00 00 f7 f7 f7 f7 00 00 0x0fe045022810: 00 00 00 00 00 00 f7 f7 f7 f7 00 00 00 00 00 00 0x0fe045022820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe045022830: 00 00 f7 f7 f7 f7 00 00 00 00 00 00 00 00 f7 f7 0x0fe045022840: f7 f7 00 00 00 00 00 00 00 00 f7 f7 f7 f7 00 00 =>0x0fe045022850: 00 00 00 00 00 00 f7 f7[f7]f7 00 00 00 00 00 00 0x0fe045022860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe045022870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe045022880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe045022890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe0450228a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==11513==ABORTING

The length of the VAL_SERIES(value) has been set correctly by Append_UTF8, and it could be smaller than "len", because UTF8 is a multi-byte encoding, thus passing "len" to Deline_Uni could cause out-of-bound memory access. Fixes CC#2169 The following code REBOL[] t: <ēee> causes: ==13053==ERROR: AddressSanitizer: use-after-poison on address 0x61d00001a5f8 at pc 0x000000853d50 bp 0x7ffd2a31a1b0 sp 0x7ffd2a31a1a8 WRITE of size 2 at 0x61d00001a5f8 thread T0 #0 0x853d4f in Deline_Uni /home/zsx/stuffs/work/r3.git/make/../src/core/s-ops.c:426:2 #1 0x7064d4 in Scan_Any /home/zsx/stuffs/work/r3.git/make/../src/core/l-types.c:846:7 rebolsource#2 0x6dca3c in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1421:4 rebolsource#3 0x6d9f92 in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1301:12 #4 0x6df0e6 in Scan_Code /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1550:9 #5 0x6df462 in Scan_Source /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1570:9 rebolsource#6 0x896105 in Make_Block_Type /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:306:9 rebol#7 0x89af62 in T_Block /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:624:3 #8 0x8ac80b in T_Datatype /home/zsx/stuffs/work/r3.git/make/../src/core/t-datatype.c:92:20 #9 0x5c458f in Do_Act /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:338:8 #10 0x5c5927 in Do_Action /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:396:2 #11 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #12 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11 #13 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #14 0x746174 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10 #15 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #16 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 rebol#17 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #18 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 rebol#19 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #20 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11 rebol#21 0x568295 in Try_Block /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1087:11 rebol#22 0x7506ac in N_try /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:760:6 rebol#23 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #24 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 rebol#25 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 rebol#26 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 #27 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #28 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 #29 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #30 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #31 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #32 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11 rebol#33 0xb0b9f9 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4 #34 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9 rebol#35 0xb07e30 in Parse_Series /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:96:9 #36 0xb06e85 in N_parse /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:1269:7 #37 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #38 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #39 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 rebol#40 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 rebol#41 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #42 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #43 0x746174 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10 #44 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #45 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 rebol#46 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #47 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 rebol#48 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 rebol#49 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #50 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #51 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11 #52 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 rebol#53 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #54 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #55 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #56 0x749e2b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8 #57 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #58 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #59 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 rebol#60 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3 #61 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #62 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #63 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #64 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3 rebol#65 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 rebol#66 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #67 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 rebol#68 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3 #69 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #70 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 rebol#71 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #72 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #73 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33 #74 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10 rebol#75 0x582548 in Init_Mezz /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:2320:9 rebol#76 0x52e62f in RL_Start /home/zsx/stuffs/work/r3.git/make/../src/core/a-lib.c:193:9 #77 0xbb6fb3 in main /home/zsx/stuffs/work/r3.git/make/../src/os/host-main.c:235:6 #78 0x7fd1c04ef7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff) #79 0x486498 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x486498) 0x61d00001a5f8 is located 376 bytes inside of 2064-byte region [0x61d00001a480,0x61d00001ac90) allocated by thread T0 here: #0 0x50d462 in __interceptor_malloc (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x50d462) #1 0x721a85 in Make_Mem /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:132:14 rebolsource#2 0x723bed in Fill_Pool /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:240:19 rebolsource#3 0x7233c2 in Make_Node /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:295:20 #4 0x7267f3 in Make_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:419:10 #5 0x818d71 in Copy_String /home/zsx/stuffs/work/r3.git/make/../src/core/s-make.c:337:8 rebolsource#6 0x6dc386 in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1388:22 rebol#7 0x6df0e6 in Scan_Code /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1550:9 #8 0x6e1f81 in N_transcode /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1630:8 #9 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #10 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #11 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #12 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 #13 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #14 0x56110f in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:942:13 #15 0x568295 in Try_Block /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1087:11 #16 0x7506ac in N_try /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:760:6 rebol#17 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #18 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 rebol#19 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #20 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 rebol#21 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 rebol#22 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 rebol#23 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11 #24 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11 rebol#25 0xb0b9f9 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4 rebol#26 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9 #27 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9 #28 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9 #29 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9 SUMMARY: AddressSanitizer: use-after-poison /home/zsx/stuffs/work/r3.git/make/../src/core/s-ops.c:426 Deline_Uni Shadow bytes around the buggy address: 0x0c3a7fffb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fffb490: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c3a7fffb4a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 =>0x0c3a7fffb4b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 f7 00 00[f7] 0x0c3a7fffb4c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c3a7fffb4d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c3a7fffb4e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c3a7fffb4f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c3a7fffb500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==13053==ABORTING