Heap use-after-free during garbage collection #3466

Closed
clayton-shopify opened this Issue Feb 24, 2017 · 2 comments

clayton-shopify commented Feb 24, 2017

The following input demonstrates a crash:

def a
  yield
ensure
  a { return }
end

a { return }

This code should overflow the stack, but it appears to crash during a garbage collection well before that point.

ASAN report:

=================================================================
==82611==ERROR: AddressSanitizer: heap-use-after-free on address 0x62300000dc58 at pc 0x000103cefdbe bp 0x7fff5bbfb820 sp 0x7fff5bbfb818
READ of size 4 at 0x62300000dc58 thread T0
    #0 0x103cefdbd in gc_mark_children gc.c:644
    #1 0x103ceefaf in gc_gray_mark gc.c:887
    #2 0x103ced376 in incremental_marking_phase gc.c:982
    #3 0x103cec3c3 in incremental_gc gc.c:1086
    #4 0x103ce84ec in incremental_gc_step gc.c:1121
    #5 0x103ce76fc in mrb_incremental_gc gc.c:1165
    #6 0x103ce7078 in mrb_obj_alloc gc.c:507
    #7 0x103d50623 in mrb_proc_new proc.c:22
    #8 0x103d5090c in mrb_closure_new proc.c:69
    #9 0x103dd2815 in mrb_vm_exec vm.c:1106
    #10 0x103dcb589 in mrb_vm_run vm.c:815
    #11 0x103dc476e in mrb_run vm.c:2558
    #12 0x103df9dad in ecall vm.c:311
    #13 0x103de12c4 in mrb_vm_exec vm.c:1736
    #14 0x103dcb589 in mrb_vm_run vm.c:815
    #15 0x103dc476e in mrb_run vm.c:2558
    #16 0x103df9dad in ecall vm.c:311
    #17 0x103de12c4 in mrb_vm_exec vm.c:1736
    #18 0x103dcb589 in mrb_vm_run vm.c:815
    #19 0x103dc476e in mrb_run vm.c:2558
    #20 0x103df9dad in ecall vm.c:311
    #21 0x103de12c4 in mrb_vm_exec vm.c:1736
    #22 0x103dcb589 in mrb_vm_run vm.c:815
    #23 0x103dc476e in mrb_run vm.c:2558
    #24 0x103df9dad in ecall vm.c:311
    #25 0x103de12c4 in mrb_vm_exec vm.c:1736
    #26 0x103dcb589 in mrb_vm_run vm.c:815
    #27 0x103dc476e in mrb_run vm.c:2558
    #28 0x103df9dad in ecall vm.c:311
    #29 0x103de12c4 in mrb_vm_exec vm.c:1736
    #30 0x103dcb589 in mrb_vm_run vm.c:815
    #31 0x103dc476e in mrb_run vm.c:2558
    #32 0x103df9dad in ecall vm.c:311
    #33 0x103de12c4 in mrb_vm_exec vm.c:1736
    #34 0x103dcb589 in mrb_vm_run vm.c:815
    #35 0x103dc476e in mrb_run vm.c:2558
    #36 0x103df9dad in ecall vm.c:311
    #37 0x103de12c4 in mrb_vm_exec vm.c:1736
    #38 0x103dcb589 in mrb_vm_run vm.c:815
    #39 0x103dc476e in mrb_run vm.c:2558
    #40 0x103df9dad in ecall vm.c:311
    #41 0x103de12c4 in mrb_vm_exec vm.c:1736
    #42 0x103dcb589 in mrb_vm_run vm.c:815
    #43 0x103dc476e in mrb_run vm.c:2558
    #44 0x103df9dad in ecall vm.c:311
    #45 0x103de12c4 in mrb_vm_exec vm.c:1736
    #46 0x103dcb589 in mrb_vm_run vm.c:815
    #47 0x103dc476e in mrb_run vm.c:2558
    #48 0x103df9dad in ecall vm.c:311
    #49 0x103de12c4 in mrb_vm_exec vm.c:1736
    #50 0x103dcb589 in mrb_vm_run vm.c:815
    #51 0x103dc476e in mrb_run vm.c:2558
    #52 0x103df9dad in ecall vm.c:311
    #53 0x103de12c4 in mrb_vm_exec vm.c:1736
    #54 0x103dcb589 in mrb_vm_run vm.c:815
    #55 0x103dc476e in mrb_run vm.c:2558
    #56 0x103df9dad in ecall vm.c:311
    #57 0x103de12c4 in mrb_vm_exec vm.c:1736
    #58 0x103dcb589 in mrb_vm_run vm.c:815
    #59 0x103dc476e in mrb_run vm.c:2558
    #60 0x103df9dad in ecall vm.c:311
    #61 0x103de12c4 in mrb_vm_exec vm.c:1736
    #62 0x103dcb589 in mrb_vm_run vm.c:815
    #63 0x103dc476e in mrb_run vm.c:2558
    #64 0x103df9dad in ecall vm.c:311
    #65 0x103de12c4 in mrb_vm_exec vm.c:1736
    #66 0x103dcb589 in mrb_vm_run vm.c:815
    #67 0x103dc476e in mrb_run vm.c:2558
    #68 0x103df9dad in ecall vm.c:311
    #69 0x103de12c4 in mrb_vm_exec vm.c:1736
    #70 0x103dcb589 in mrb_vm_run vm.c:815
    #71 0x103dc476e in mrb_run vm.c:2558
    #72 0x103df9dad in ecall vm.c:311
    #73 0x103de12c4 in mrb_vm_exec vm.c:1736
    #74 0x103dcb589 in mrb_vm_run vm.c:815
    #75 0x103dc476e in mrb_run vm.c:2558
    #76 0x103df9dad in ecall vm.c:311
    #77 0x103de12c4 in mrb_vm_exec vm.c:1736
    #78 0x103dcb589 in mrb_vm_run vm.c:815
    #79 0x103dc476e in mrb_run vm.c:2558
    #80 0x103df9dad in ecall vm.c:311
    #81 0x103de12c4 in mrb_vm_exec vm.c:1736
    #82 0x103dcb589 in mrb_vm_run vm.c:815
    #83 0x103dc476e in mrb_run vm.c:2558
    #84 0x103df9dad in ecall vm.c:311
    #85 0x103de12c4 in mrb_vm_exec vm.c:1736
    #86 0x103dcb589 in mrb_vm_run vm.c:815
    #87 0x103dc476e in mrb_run vm.c:2558
    #88 0x103df9dad in ecall vm.c:311
    #89 0x103de12c4 in mrb_vm_exec vm.c:1736
    #90 0x103dcb589 in mrb_vm_run vm.c:815
    #91 0x103dc476e in mrb_run vm.c:2558
    #92 0x103df9dad in ecall vm.c:311
    #93 0x103de12c4 in mrb_vm_exec vm.c:1736
    #94 0x103dcb589 in mrb_vm_run vm.c:815
    #95 0x103dc476e in mrb_run vm.c:2558
    #96 0x103df9dad in ecall vm.c:311
    #97 0x103de12c4 in mrb_vm_exec vm.c:1736
    #98 0x103dcb589 in mrb_vm_run vm.c:815
    #99 0x103dc476e in mrb_run vm.c:2558
    #100 0x103df9dad in ecall vm.c:311
    #101 0x103de12c4 in mrb_vm_exec vm.c:1736
    #102 0x103dcb589 in mrb_vm_run vm.c:815
    #103 0x103dc476e in mrb_run vm.c:2558
    #104 0x103df9dad in ecall vm.c:311
    #105 0x103de12c4 in mrb_vm_exec vm.c:1736
    #106 0x103dcb589 in mrb_vm_run vm.c:815
    #107 0x103dc476e in mrb_run vm.c:2558
    #108 0x103df9dad in ecall vm.c:311
    #109 0x103de12c4 in mrb_vm_exec vm.c:1736
    #110 0x103dcb589 in mrb_vm_run vm.c:815
    #111 0x103dc476e in mrb_run vm.c:2558
    #112 0x103df9dad in ecall vm.c:311
    #113 0x103de12c4 in mrb_vm_exec vm.c:1736
    #114 0x103dcb589 in mrb_vm_run vm.c:815
    #115 0x103dc476e in mrb_run vm.c:2558
    #116 0x103df9dad in ecall vm.c:311
    #117 0x103de12c4 in mrb_vm_exec vm.c:1736
    #118 0x103dcb589 in mrb_vm_run vm.c:815
    #119 0x103dc476e in mrb_run vm.c:2558
    #120 0x103df9dad in ecall vm.c:311
    #121 0x103de12c4 in mrb_vm_exec vm.c:1736
    #122 0x103dcb589 in mrb_vm_run vm.c:815
    #123 0x103dc476e in mrb_run vm.c:2558
    #124 0x103df9dad in ecall vm.c:311
    #125 0x103de12c4 in mrb_vm_exec vm.c:1736
    #126 0x103dcb589 in mrb_vm_run vm.c:815
    #127 0x103dc476e in mrb_run vm.c:2558
    #128 0x103df9dad in ecall vm.c:311
    #129 0x103de12c4 in mrb_vm_exec vm.c:1736
    #130 0x103dcb589 in mrb_vm_run vm.c:815
    #131 0x103dc476e in mrb_run vm.c:2558
    #132 0x103df9dad in ecall vm.c:311
    #133 0x103de12c4 in mrb_vm_exec vm.c:1736
    #134 0x103dcb589 in mrb_vm_run vm.c:815
    #135 0x103dc476e in mrb_run vm.c:2558
    #136 0x103df9dad in ecall vm.c:311
    #137 0x103de12c4 in mrb_vm_exec vm.c:1736
    #138 0x103dcb589 in mrb_vm_run vm.c:815
    #139 0x103dc476e in mrb_run vm.c:2558
    #140 0x103df9dad in ecall vm.c:311
    #141 0x103de12c4 in mrb_vm_exec vm.c:1736
    #142 0x103dcb589 in mrb_vm_run vm.c:815
    #143 0x103dc476e in mrb_run vm.c:2558
    #144 0x103df9dad in ecall vm.c:311
    #145 0x103de12c4 in mrb_vm_exec vm.c:1736
    #146 0x103dcb589 in mrb_vm_run vm.c:815
    #147 0x103dc476e in mrb_run vm.c:2558
    #148 0x103df9dad in ecall vm.c:311
    #149 0x103de12c4 in mrb_vm_exec vm.c:1736
    #150 0x103dcb589 in mrb_vm_run vm.c:815
    #151 0x103dc476e in mrb_run vm.c:2558
    #152 0x103df9dad in ecall vm.c:311
    #153 0x103de12c4 in mrb_vm_exec vm.c:1736
    #154 0x103dcb589 in mrb_vm_run vm.c:815
    #155 0x103dc476e in mrb_run vm.c:2558
    #156 0x103df9dad in ecall vm.c:311
    #157 0x103de12c4 in mrb_vm_exec vm.c:1736
    #158 0x103dcb589 in mrb_vm_run vm.c:815
    #159 0x103dc476e in mrb_run vm.c:2558
    #160 0x103df9dad in ecall vm.c:311
    #161 0x103de12c4 in mrb_vm_exec vm.c:1736
    #162 0x103dcb589 in mrb_vm_run vm.c:815
    #163 0x103dc476e in mrb_run vm.c:2558
    #164 0x103df9dad in ecall vm.c:311
    #165 0x103de12c4 in mrb_vm_exec vm.c:1736
    #166 0x103dcb589 in mrb_vm_run vm.c:815
    #167 0x103dc476e in mrb_run vm.c:2558
    #168 0x103df9dad in ecall vm.c:311
    #169 0x103de12c4 in mrb_vm_exec vm.c:1736
    #170 0x103dcb589 in mrb_vm_run vm.c:815
    #171 0x103dc476e in mrb_run vm.c:2558
    #172 0x103df9dad in ecall vm.c:311
    #173 0x103de12c4 in mrb_vm_exec vm.c:1736
    #174 0x103dcb589 in mrb_vm_run vm.c:815
    #175 0x103dc476e in mrb_run vm.c:2558
    #176 0x103df9dad in ecall vm.c:311
    #177 0x103de12c4 in mrb_vm_exec vm.c:1736
    #178 0x103dcb589 in mrb_vm_run vm.c:815
    #179 0x103dc476e in mrb_run vm.c:2558
    #180 0x103df9dad in ecall vm.c:311
    #181 0x103de12c4 in mrb_vm_exec vm.c:1736
    #182 0x103dcb589 in mrb_vm_run vm.c:815
    #183 0x103dc476e in mrb_run vm.c:2558
    #184 0x103df9dad in ecall vm.c:311
    #185 0x103de12c4 in mrb_vm_exec vm.c:1736
    #186 0x103dcb589 in mrb_vm_run vm.c:815
    #187 0x103dc476e in mrb_run vm.c:2558
    #188 0x103df9dad in ecall vm.c:311
    #189 0x103de12c4 in mrb_vm_exec vm.c:1736
    #190 0x103dcb589 in mrb_vm_run vm.c:815
    #191 0x103dc476e in mrb_run vm.c:2558
    #192 0x103df9dad in ecall vm.c:311
    #193 0x103de12c4 in mrb_vm_exec vm.c:1736
    #194 0x103dcb589 in mrb_vm_run vm.c:815
    #195 0x103dc476e in mrb_run vm.c:2558
    #196 0x103df9dad in ecall vm.c:311
    #197 0x103de12c4 in mrb_vm_exec vm.c:1736
    #198 0x103dcb589 in mrb_vm_run vm.c:815
    #199 0x103dc476e in mrb_run vm.c:2558
    #200 0x103df9dad in ecall vm.c:311
    #201 0x103de12c4 in mrb_vm_exec vm.c:1736
    #202 0x103dcb589 in mrb_vm_run vm.c:815
    #203 0x103dc476e in mrb_run vm.c:2558
    #204 0x103df9dad in ecall vm.c:311
    #205 0x103de12c4 in mrb_vm_exec vm.c:1736
    #206 0x103dcb589 in mrb_vm_run vm.c:815
    #207 0x103dc476e in mrb_run vm.c:2558
    #208 0x103df9dad in ecall vm.c:311
    #209 0x103de12c4 in mrb_vm_exec vm.c:1736
    #210 0x103dcb589 in mrb_vm_run vm.c:815
    #211 0x103dc476e in mrb_run vm.c:2558
    #212 0x103df9dad in ecall vm.c:311
    #213 0x103de12c4 in mrb_vm_exec vm.c:1736
    #214 0x103dcb589 in mrb_vm_run vm.c:815
    #215 0x103dc476e in mrb_run vm.c:2558
    #216 0x103df9dad in ecall vm.c:311
    #217 0x103de12c4 in mrb_vm_exec vm.c:1736
    #218 0x103dcb589 in mrb_vm_run vm.c:815
    #219 0x103dc476e in mrb_run vm.c:2558
    #220 0x103df9dad in ecall vm.c:311
    #221 0x103de12c4 in mrb_vm_exec vm.c:1736
    #222 0x103dcb589 in mrb_vm_run vm.c:815
    #223 0x103dc476e in mrb_run vm.c:2558
    #224 0x103df9dad in ecall vm.c:311
    #225 0x103de12c4 in mrb_vm_exec vm.c:1736
    #226 0x103dcb589 in mrb_vm_run vm.c:815
    #227 0x103dc476e in mrb_run vm.c:2558
    #228 0x103df9dad in ecall vm.c:311
    #229 0x103de12c4 in mrb_vm_exec vm.c:1736
    #230 0x103dcb589 in mrb_vm_run vm.c:815
    #231 0x103dc476e in mrb_run vm.c:2558
    #232 0x103df9dad in ecall vm.c:311
    #233 0x103de12c4 in mrb_vm_exec vm.c:1736
    #234 0x103dcb589 in mrb_vm_run vm.c:815
    #235 0x103dc476e in mrb_run vm.c:2558
    #236 0x103df9dad in ecall vm.c:311
    #237 0x103de12c4 in mrb_vm_exec vm.c:1736
    #238 0x103dcb589 in mrb_vm_run vm.c:815
    #239 0x103dc476e in mrb_run vm.c:2558
    #240 0x103df9dad in ecall vm.c:311
    #241 0x103de12c4 in mrb_vm_exec vm.c:1736
    #242 0x103dcb589 in mrb_vm_run vm.c:815
    #243 0x103dc476e in mrb_run vm.c:2558
    #244 0x103df9dad in ecall vm.c:311
    #245 0x103de12c4 in mrb_vm_exec vm.c:1736
    #246 0x103dcb589 in mrb_vm_run vm.c:815
    #247 0x103dc476e in mrb_run vm.c:2558
    #248 0x103df9dad in ecall vm.c:311
    #249 0x103de12c4 in mrb_vm_exec vm.c:1736
    #250 0x103dcb589 in mrb_vm_run vm.c:815
    #251 0x103dc476e in mrb_run vm.c:2558
    #252 0x103df9dad in ecall vm.c:311
    #253 0x103de12c4 in mrb_vm_exec vm.c:1736
    #254 0x103dcb589 in mrb_vm_run vm.c:815
    #255 0x103dc476e in mrb_run vm.c:2558

0x62300000dc58 is located 5976 bytes inside of 6144-byte region [0x62300000c500,0x62300000dd00)
freed by thread T0 here:
    #0 0x104007f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x103d61305 in mrb_default_allocf state.c:60
    #2 0x103ce27b8 in mrb_realloc_simple gc.c:201
    #3 0x103ce2e9e in mrb_realloc gc.c:215
    #4 0x103dfd491 in stack_extend_alloc vm.c:161
    #5 0x103dc3e97 in stack_extend vm.c:181
    #6 0x103dd6793 in mrb_vm_exec vm.c:1266
    #7 0x103dcb589 in mrb_vm_run vm.c:815
    #8 0x103dc476e in mrb_run vm.c:2558
    #9 0x103df9dad in ecall vm.c:311
    #10 0x103de12c4 in mrb_vm_exec vm.c:1736
    #11 0x103dcb589 in mrb_vm_run vm.c:815
    #12 0x103dc476e in mrb_run vm.c:2558
    #13 0x103df9dad in ecall vm.c:311
    #14 0x103de12c4 in mrb_vm_exec vm.c:1736
    #15 0x103dcb589 in mrb_vm_run vm.c:815
    #16 0x103dc476e in mrb_run vm.c:2558
    #17 0x103df9dad in ecall vm.c:311
    #18 0x103de12c4 in mrb_vm_exec vm.c:1736
    #19 0x103dcb589 in mrb_vm_run vm.c:815
    #20 0x103dc476e in mrb_run vm.c:2558
    #21 0x103df9dad in ecall vm.c:311
    #22 0x103de12c4 in mrb_vm_exec vm.c:1736
    #23 0x103dcb589 in mrb_vm_run vm.c:815
    #24 0x103dc476e in mrb_run vm.c:2558
    #25 0x103df9dad in ecall vm.c:311
    #26 0x103de12c4 in mrb_vm_exec vm.c:1736
    #27 0x103dcb589 in mrb_vm_run vm.c:815
    #28 0x103dc476e in mrb_run vm.c:2558
    #29 0x103df9dad in ecall vm.c:311

previously allocated by thread T0 here:
    #0 0x104007f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x103d61305 in mrb_default_allocf state.c:60
    #2 0x103ce27b8 in mrb_realloc_simple gc.c:201
    #3 0x103ce2e9e in mrb_realloc gc.c:215
    #4 0x103dfd491 in stack_extend_alloc vm.c:161
    #5 0x103dc3e97 in stack_extend vm.c:181
    #6 0x103dd6793 in mrb_vm_exec vm.c:1266
    #7 0x103dcb589 in mrb_vm_run vm.c:815
    #8 0x103dc476e in mrb_run vm.c:2558
    #9 0x103df9dad in ecall vm.c:311
    #10 0x103de12c4 in mrb_vm_exec vm.c:1736
    #11 0x103dcb589 in mrb_vm_run vm.c:815
    #12 0x103dc476e in mrb_run vm.c:2558
    #13 0x103df9dad in ecall vm.c:311
    #14 0x103de12c4 in mrb_vm_exec vm.c:1736
    #15 0x103dcb589 in mrb_vm_run vm.c:815
    #16 0x103dc476e in mrb_run vm.c:2558
    #17 0x103df9dad in ecall vm.c:311
    #18 0x103de12c4 in mrb_vm_exec vm.c:1736
    #19 0x103dcb589 in mrb_vm_run vm.c:815
    #20 0x103dc476e in mrb_run vm.c:2558
    #21 0x103df9dad in ecall vm.c:311
    #22 0x103de12c4 in mrb_vm_exec vm.c:1736
    #23 0x103dcb589 in mrb_vm_run vm.c:815
    #24 0x103dc476e in mrb_run vm.c:2558
    #25 0x103df9dad in ecall vm.c:311
    #26 0x103de12c4 in mrb_vm_exec vm.c:1736
    #27 0x103dcb589 in mrb_vm_run vm.c:815
    #28 0x103dc476e in mrb_run vm.c:2558
    #29 0x103df9dad in ecall vm.c:311

SUMMARY: AddressSanitizer: heap-use-after-free gc.c:644 in gc_mark_children
Shadow bytes around the buggy address:
  0x1c4600001b30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4600001b40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4600001b50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4600001b60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4600001b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c4600001b80: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x1c4600001b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4600001ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4600001bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4600001bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4600001bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==82611==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong

clayton-shopify commented Feb 27, 2017

It looks like this issue was fixed in b563bcb


clayton-shopify commented Feb 28, 2017

Actually this doesn't seem to be fixed yet. The following input supplied by https://hackerone.com/ssarong still causes a crash:

def a
  yield
ensure
  lambda { a { return } }.call
end

lambda { a { return } }.call

ASAN report:

==36937==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000011478 at pc 0x0001031ed7be bp 0x7fff5c882da0 sp 0x7fff5c882d98
READ of size 4 at 0x621000011478 thread T0
    #0 0x1031ed7bd in gc_mark_children gc.c:644
    #1 0x1031ec9af in gc_gray_mark gc.c:887
    #2 0x1031ead76 in incremental_marking_phase gc.c:982
    #3 0x1031e9dc3 in incremental_gc gc.c:1086
    #4 0x1031e5eec in incremental_gc_step gc.c:1121
    #5 0x1031e50fc in mrb_incremental_gc gc.c:1165
    #6 0x1031e4a78 in mrb_obj_alloc gc.c:507
    #7 0x1032521e1 in proc_lambda proc.c:254
    #8 0x1032d3aa2 in mrb_vm_exec vm.c:1228
    #9 0x1032c94c9 in mrb_vm_run vm.c:815
    #10 0x1032c26ae in mrb_run vm.c:2562
    #11 0x1032f8005 in ecall vm.c:311
    #12 0x1032df492 in mrb_vm_exec vm.c:1740
    #13 0x1032c94c9 in mrb_vm_run vm.c:815
    #14 0x1032c26ae in mrb_run vm.c:2562
    #15 0x1032f8005 in ecall vm.c:311
    #16 0x1032df492 in mrb_vm_exec vm.c:1740
    #17 0x1032c94c9 in mrb_vm_run vm.c:815
    #18 0x1032c26ae in mrb_run vm.c:2562
    #19 0x1032f8005 in ecall vm.c:311
    #20 0x1032df492 in mrb_vm_exec vm.c:1740
    #21 0x1032c94c9 in mrb_vm_run vm.c:815
    #22 0x1032c26ae in mrb_run vm.c:2562
    #23 0x1032f8005 in ecall vm.c:311
    #24 0x1032df492 in mrb_vm_exec vm.c:1740
    #25 0x1032c94c9 in mrb_vm_run vm.c:815
    #26 0x1032c26ae in mrb_run vm.c:2562
    #27 0x1032f8005 in ecall vm.c:311
    #28 0x1032df492 in mrb_vm_exec vm.c:1740
    #29 0x1032c94c9 in mrb_vm_run vm.c:815
    #30 0x1032c26ae in mrb_run vm.c:2562
    #31 0x1032f8005 in ecall vm.c:311
    #32 0x1032df492 in mrb_vm_exec vm.c:1740
    #33 0x1032c94c9 in mrb_vm_run vm.c:815
    #34 0x1032c26ae in mrb_run vm.c:2562
    #35 0x1032f8005 in ecall vm.c:311
    #36 0x1032df492 in mrb_vm_exec vm.c:1740
    #37 0x1032c94c9 in mrb_vm_run vm.c:815
    #38 0x1032c26ae in mrb_run vm.c:2562
    #39 0x1032f8005 in ecall vm.c:311
    #40 0x1032df492 in mrb_vm_exec vm.c:1740
    #41 0x1032c94c9 in mrb_vm_run vm.c:815
    #42 0x1032c26ae in mrb_run vm.c:2562
    #43 0x1032f8005 in ecall vm.c:311
    #44 0x1032df492 in mrb_vm_exec vm.c:1740
    #45 0x1032c94c9 in mrb_vm_run vm.c:815
    #46 0x1032c26ae in mrb_run vm.c:2562
    #47 0x1032f8005 in ecall vm.c:311
    #48 0x1032df492 in mrb_vm_exec vm.c:1740
    #49 0x1032c94c9 in mrb_vm_run vm.c:815
    #50 0x1032c26ae in mrb_run vm.c:2562
    #51 0x1032f8005 in ecall vm.c:311
    #52 0x1032df492 in mrb_vm_exec vm.c:1740
    #53 0x1032c94c9 in mrb_vm_run vm.c:815
    #54 0x1032c26ae in mrb_run vm.c:2562
    #55 0x1032f8005 in ecall vm.c:311
    #56 0x1032df492 in mrb_vm_exec vm.c:1740
    #57 0x1032c94c9 in mrb_vm_run vm.c:815
    #58 0x1032c26ae in mrb_run vm.c:2562
    #59 0x1032f8005 in ecall vm.c:311
    #60 0x1032df492 in mrb_vm_exec vm.c:1740
    #61 0x1032c94c9 in mrb_vm_run vm.c:815
    #62 0x1032c26ae in mrb_run vm.c:2562
    #63 0x1032f8005 in ecall vm.c:311
    #64 0x1032df492 in mrb_vm_exec vm.c:1740
    #65 0x1032c94c9 in mrb_vm_run vm.c:815
    #66 0x1032c26ae in mrb_run vm.c:2562
    #67 0x1032f8005 in ecall vm.c:311
    #68 0x1032df492 in mrb_vm_exec vm.c:1740
    #69 0x1032c94c9 in mrb_vm_run vm.c:815
    #70 0x1032c26ae in mrb_run vm.c:2562
    #71 0x1032f8005 in ecall vm.c:311
    #72 0x1032df492 in mrb_vm_exec vm.c:1740
    #73 0x1032c94c9 in mrb_vm_run vm.c:815
    #74 0x1032c26ae in mrb_run vm.c:2562
    #75 0x1032f8005 in ecall vm.c:311
    #76 0x1032df492 in mrb_vm_exec vm.c:1740
    #77 0x1032c94c9 in mrb_vm_run vm.c:815
    #78 0x1032c26ae in mrb_run vm.c:2562
    #79 0x1032f8005 in ecall vm.c:311
    #80 0x1032df492 in mrb_vm_exec vm.c:1740
    #81 0x1032c94c9 in mrb_vm_run vm.c:815
    #82 0x1032c26ae in mrb_run vm.c:2562
    #83 0x1032f8005 in ecall vm.c:311
    #84 0x1032df492 in mrb_vm_exec vm.c:1740
    #85 0x1032c94c9 in mrb_vm_run vm.c:815
    #86 0x1032c26ae in mrb_run vm.c:2562
    #87 0x1032f8005 in ecall vm.c:311
    #88 0x1032df492 in mrb_vm_exec vm.c:1740
    #89 0x1032c94c9 in mrb_vm_run vm.c:815
    #90 0x1032c26ae in mrb_run vm.c:2562
    #91 0x1032f8005 in ecall vm.c:311
    #92 0x1032df492 in mrb_vm_exec vm.c:1740
    #93 0x1032c94c9 in mrb_vm_run vm.c:815
    #94 0x1032c26ae in mrb_run vm.c:2562
    #95 0x1032f8005 in ecall vm.c:311
    #96 0x1032df492 in mrb_vm_exec vm.c:1740
    #97 0x1032c94c9 in mrb_vm_run vm.c:815
    #98 0x1032c26ae in mrb_run vm.c:2562
    #99 0x1032f8005 in ecall vm.c:311
    #100 0x1032df492 in mrb_vm_exec vm.c:1740
    #101 0x1032c94c9 in mrb_vm_run vm.c:815
    #102 0x1032c26ae in mrb_run vm.c:2562
    #103 0x1032f8005 in ecall vm.c:311
    #104 0x1032df492 in mrb_vm_exec vm.c:1740
    #105 0x1032c94c9 in mrb_vm_run vm.c:815
    #106 0x1032c26ae in mrb_run vm.c:2562
    #107 0x1032f8005 in ecall vm.c:311
    #108 0x1032df492 in mrb_vm_exec vm.c:1740
    #109 0x1032c94c9 in mrb_vm_run vm.c:815
    #110 0x1032c26ae in mrb_run vm.c:2562
    #111 0x1032f8005 in ecall vm.c:311
    #112 0x1032df492 in mrb_vm_exec vm.c:1740
    #113 0x1032c94c9 in mrb_vm_run vm.c:815
    #114 0x1032c26ae in mrb_run vm.c:2562
    #115 0x1032f8005 in ecall vm.c:311
    #116 0x1032df492 in mrb_vm_exec vm.c:1740
    #117 0x1032c94c9 in mrb_vm_run vm.c:815
    #118 0x1032c26ae in mrb_run vm.c:2562
    #119 0x1032f8005 in ecall vm.c:311
    #120 0x1032df492 in mrb_vm_exec vm.c:1740
    #121 0x1032c94c9 in mrb_vm_run vm.c:815
    #122 0x1032c26ae in mrb_run vm.c:2562
    #123 0x1032f8005 in ecall vm.c:311
    #124 0x1032df492 in mrb_vm_exec vm.c:1740
    #125 0x1032c94c9 in mrb_vm_run vm.c:815
    #126 0x1032c26ae in mrb_run vm.c:2562
    #127 0x1032f8005 in ecall vm.c:311
    #128 0x1032df492 in mrb_vm_exec vm.c:1740
    #129 0x1032c94c9 in mrb_vm_run vm.c:815
    #130 0x1032c26ae in mrb_run vm.c:2562
    #131 0x1032f8005 in ecall vm.c:311
    #132 0x1032df492 in mrb_vm_exec vm.c:1740
    #133 0x1032c94c9 in mrb_vm_run vm.c:815
    #134 0x1032c26ae in mrb_run vm.c:2562
    #135 0x1032f8005 in ecall vm.c:311
    #136 0x1032df492 in mrb_vm_exec vm.c:1740
    #137 0x1032c94c9 in mrb_vm_run vm.c:815
    #138 0x1032c26ae in mrb_run vm.c:2562
    #139 0x1032f8005 in ecall vm.c:311
    #140 0x1032df492 in mrb_vm_exec vm.c:1740
    #141 0x1032c94c9 in mrb_vm_run vm.c:815
    #142 0x1032c26ae in mrb_run vm.c:2562
    #143 0x1032f8005 in ecall vm.c:311
    #144 0x1032df492 in mrb_vm_exec vm.c:1740
    #145 0x1032c94c9 in mrb_vm_run vm.c:815
    #146 0x1032c26ae in mrb_run vm.c:2562
    #147 0x1032f8005 in ecall vm.c:311
    #148 0x1032df492 in mrb_vm_exec vm.c:1740
    #149 0x1032c94c9 in mrb_vm_run vm.c:815
    #150 0x1032c26ae in mrb_run vm.c:2562
    #151 0x1032f8005 in ecall vm.c:311
    #152 0x1032df492 in mrb_vm_exec vm.c:1740
    #153 0x1032c94c9 in mrb_vm_run vm.c:815
    #154 0x1032c26ae in mrb_run vm.c:2562
    #155 0x1032f8005 in ecall vm.c:311
    #156 0x1032df492 in mrb_vm_exec vm.c:1740
    #157 0x1032c94c9 in mrb_vm_run vm.c:815
    #158 0x1032c26ae in mrb_run vm.c:2562
    #159 0x1032f8005 in ecall vm.c:311
    #160 0x1032df492 in mrb_vm_exec vm.c:1740
    #161 0x1032c94c9 in mrb_vm_run vm.c:815
    #162 0x1032c26ae in mrb_run vm.c:2562
    #163 0x1032f8005 in ecall vm.c:311
    #164 0x1032df492 in mrb_vm_exec vm.c:1740
    #165 0x1032c94c9 in mrb_vm_run vm.c:815
    #166 0x1032c26ae in mrb_run vm.c:2562
    #167 0x1032f8005 in ecall vm.c:311
    #168 0x1032df492 in mrb_vm_exec vm.c:1740
    #169 0x1032c94c9 in mrb_vm_run vm.c:815
    #170 0x1032c26ae in mrb_run vm.c:2562
    #171 0x1032f8005 in ecall vm.c:311
    #172 0x1032df492 in mrb_vm_exec vm.c:1740
    #173 0x1032c94c9 in mrb_vm_run vm.c:815
    #174 0x1032c26ae in mrb_run vm.c:2562
    #175 0x1032f8005 in ecall vm.c:311
    #176 0x1032df492 in mrb_vm_exec vm.c:1740
    #177 0x1032c94c9 in mrb_vm_run vm.c:815
    #178 0x1032c26ae in mrb_run vm.c:2562
    #179 0x1032f8005 in ecall vm.c:311
    #180 0x1032df492 in mrb_vm_exec vm.c:1740
    #181 0x1032c94c9 in mrb_vm_run vm.c:815
    #182 0x1032c26ae in mrb_run vm.c:2562
    #183 0x1032f8005 in ecall vm.c:311
    #184 0x1032df492 in mrb_vm_exec vm.c:1740
    #185 0x1032c94c9 in mrb_vm_run vm.c:815
    #186 0x1032c26ae in mrb_run vm.c:2562
    #187 0x1032f8005 in ecall vm.c:311
    #188 0x1032df492 in mrb_vm_exec vm.c:1740
    #189 0x1032c94c9 in mrb_vm_run vm.c:815
    #190 0x1032c26ae in mrb_run vm.c:2562
    #191 0x1032f8005 in ecall vm.c:311
    #192 0x1032df492 in mrb_vm_exec vm.c:1740
    #193 0x1032c94c9 in mrb_vm_run vm.c:815
    #194 0x1032c26ae in mrb_run vm.c:2562
    #195 0x1032f8005 in ecall vm.c:311
    #196 0x1032df492 in mrb_vm_exec vm.c:1740
    #197 0x1032c94c9 in mrb_vm_run vm.c:815
    #198 0x1032c26ae in mrb_run vm.c:2562
    #199 0x1032f8005 in ecall vm.c:311
    #200 0x1032df492 in mrb_vm_exec vm.c:1740
    #201 0x1032c94c9 in mrb_vm_run vm.c:815
    #202 0x1032c26ae in mrb_run vm.c:2562
    #203 0x1032f8005 in ecall vm.c:311
    #204 0x1032df492 in mrb_vm_exec vm.c:1740
    #205 0x1032c94c9 in mrb_vm_run vm.c:815
    #206 0x1032c26ae in mrb_run vm.c:2562
    #207 0x1032f8005 in ecall vm.c:311
    #208 0x1032df492 in mrb_vm_exec vm.c:1740
    #209 0x1032c94c9 in mrb_vm_run vm.c:815
    #210 0x1032c26ae in mrb_run vm.c:2562
    #211 0x1032f8005 in ecall vm.c:311
    #212 0x1032df492 in mrb_vm_exec vm.c:1740
    #213 0x1032c94c9 in mrb_vm_run vm.c:815
    #214 0x1032c26ae in mrb_run vm.c:2562
    #215 0x1032f8005 in ecall vm.c:311
    #216 0x1032df492 in mrb_vm_exec vm.c:1740
    #217 0x1032c94c9 in mrb_vm_run vm.c:815
    #218 0x1032c26ae in mrb_run vm.c:2562
    #219 0x1032f8005 in ecall vm.c:311
    #220 0x1032df492 in mrb_vm_exec vm.c:1740
    #221 0x1032c94c9 in mrb_vm_run vm.c:815
    #222 0x1032c26ae in mrb_run vm.c:2562
    #223 0x1032f8005 in ecall vm.c:311
    #224 0x1032df492 in mrb_vm_exec vm.c:1740
    #225 0x1032c94c9 in mrb_vm_run vm.c:815
    #226 0x1032c26ae in mrb_run vm.c:2562
    #227 0x1032f8005 in ecall vm.c:311
    #228 0x1032df492 in mrb_vm_exec vm.c:1740
    #229 0x1032c94c9 in mrb_vm_run vm.c:815
    #230 0x1032c26ae in mrb_run vm.c:2562
    #231 0x1032f8005 in ecall vm.c:311
    #232 0x1032df492 in mrb_vm_exec vm.c:1740
    #233 0x1032c94c9 in mrb_vm_run vm.c:815
    #234 0x1032c26ae in mrb_run vm.c:2562
    #235 0x1032f8005 in ecall vm.c:311
    #236 0x1032df492 in mrb_vm_exec vm.c:1740
    #237 0x1032c94c9 in mrb_vm_run vm.c:815
    #238 0x1032c26ae in mrb_run vm.c:2562
    #239 0x1032f8005 in ecall vm.c:311
    #240 0x1032df492 in mrb_vm_exec vm.c:1740
    #241 0x1032c94c9 in mrb_vm_run vm.c:815
    #242 0x1032c26ae in mrb_run vm.c:2562
    #243 0x1032f8005 in ecall vm.c:311
    #244 0x1032df492 in mrb_vm_exec vm.c:1740
    #245 0x1032c94c9 in mrb_vm_run vm.c:815
    #246 0x1032c26ae in mrb_run vm.c:2562
    #247 0x1032f8005 in ecall vm.c:311
    #248 0x1032df492 in mrb_vm_exec vm.c:1740
    #249 0x1032c94c9 in mrb_vm_run vm.c:815
    #250 0x1032c26ae in mrb_run vm.c:2562
    #251 0x1032f8005 in ecall vm.c:311
    #252 0x1032df492 in mrb_vm_exec vm.c:1740
    #253 0x1032c94c9 in mrb_vm_run vm.c:815
    #254 0x1032c26ae in mrb_run vm.c:2562
    #255 0x1032f8005 in ecall vm.c:311

0x621000011478 is located 3960 bytes inside of 4096-byte region [0x621000010500,0x621000011500)
freed by thread T0 here:
    #0 0x103508f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10325ed05 in mrb_default_allocf state.c:60
    #2 0x1031e01b8 in mrb_realloc_simple gc.c:201
    #3 0x1031e089e in mrb_realloc gc.c:215
    #4 0x1032fb761 in stack_extend_alloc vm.c:161
    #5 0x1032c1dd7 in stack_extend vm.c:181
    #6 0x1032d48e5 in mrb_vm_exec vm.c:1265
    #7 0x1032c94c9 in mrb_vm_run vm.c:815
    #8 0x1032c26ae in mrb_run vm.c:2562
    #9 0x1032f8005 in ecall vm.c:311
    #10 0x1032df492 in mrb_vm_exec vm.c:1740
    #11 0x1032c94c9 in mrb_vm_run vm.c:815
    #12 0x1032c26ae in mrb_run vm.c:2562
    #13 0x1032f8005 in ecall vm.c:311
    #14 0x1032df492 in mrb_vm_exec vm.c:1740
    #15 0x1032c94c9 in mrb_vm_run vm.c:815
    #16 0x1032c26ae in mrb_run vm.c:2562
    #17 0x1032f8005 in ecall vm.c:311
    #18 0x1032df492 in mrb_vm_exec vm.c:1740
    #19 0x1032c94c9 in mrb_vm_run vm.c:815
    #20 0x1032c26ae in mrb_run vm.c:2562
    #21 0x1032f8005 in ecall vm.c:311
    #22 0x1032df492 in mrb_vm_exec vm.c:1740
    #23 0x1032c94c9 in mrb_vm_run vm.c:815
    #24 0x1032c26ae in mrb_run vm.c:2562
    #25 0x1032f8005 in ecall vm.c:311
    #26 0x1032df492 in mrb_vm_exec vm.c:1740
    #27 0x1032c94c9 in mrb_vm_run vm.c:815
    #28 0x1032c26ae in mrb_run vm.c:2562
    #29 0x1032f8005 in ecall vm.c:311

previously allocated by thread T0 here:
    #0 0x103508f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10325ed05 in mrb_default_allocf state.c:60
    #2 0x1031e01b8 in mrb_realloc_simple gc.c:201
    #3 0x1031e089e in mrb_realloc gc.c:215
    #4 0x1032fb761 in stack_extend_alloc vm.c:161
    #5 0x1032c1dd7 in stack_extend vm.c:181
    #6 0x1032c93d7 in mrb_vm_run vm.c:813
    #7 0x1032c26ae in mrb_run vm.c:2562
    #8 0x1032f8005 in ecall vm.c:311
    #9 0x1032df492 in mrb_vm_exec vm.c:1740
    #10 0x1032c94c9 in mrb_vm_run vm.c:815
    #11 0x1032c26ae in mrb_run vm.c:2562
    #12 0x1032f8005 in ecall vm.c:311
    #13 0x1032df492 in mrb_vm_exec vm.c:1740
    #14 0x1032c94c9 in mrb_vm_run vm.c:815
    #15 0x1032c26ae in mrb_run vm.c:2562
    #16 0x1032f8005 in ecall vm.c:311
    #17 0x1032df492 in mrb_vm_exec vm.c:1740
    #18 0x1032c94c9 in mrb_vm_run vm.c:815
    #19 0x1032c26ae in mrb_run vm.c:2562
    #20 0x1032f8005 in ecall vm.c:311
    #21 0x1032df492 in mrb_vm_exec vm.c:1740
    #22 0x1032c94c9 in mrb_vm_run vm.c:815
    #23 0x1032c26ae in mrb_run vm.c:2562
    #24 0x1032f8005 in ecall vm.c:311
    #25 0x1032df492 in mrb_vm_exec vm.c:1740
    #26 0x1032c94c9 in mrb_vm_run vm.c:815
    #27 0x1032c26ae in mrb_run vm.c:2562
    #28 0x1032f8005 in ecall vm.c:311
    #29 0x1032df492 in mrb_vm_exec vm.c:1740

SUMMARY: AddressSanitizer: heap-use-after-free gc.c:644 in gc_mark_children
==36937==ABORTING
Abort trap: 6

clayton-shopify commented Feb 28, 2017

Actually, this doesn't seem to be fixed yet. The following input supplied by https://hackerone.com/ssarong still causes a crash:

def a
  yield
ensure
  lambda { a { return } }.call
end

lambda { a { return } }.call

ASAN report:

==36937==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000011478 at pc 0x0001031ed7be bp 0x7fff5c882da0 sp 0x7fff5c882d98
READ of size 4 at 0x621000011478 thread T0
    #0 0x1031ed7bd in gc_mark_children gc.c:644
    #1 0x1031ec9af in gc_gray_mark gc.c:887
    #2 0x1031ead76 in incremental_marking_phase gc.c:982
    #3 0x1031e9dc3 in incremental_gc gc.c:1086
    #4 0x1031e5eec in incremental_gc_step gc.c:1121
    #5 0x1031e50fc in mrb_incremental_gc gc.c:1165
    #6 0x1031e4a78 in mrb_obj_alloc gc.c:507
    #7 0x1032521e1 in proc_lambda proc.c:254
    #8 0x1032d3aa2 in mrb_vm_exec vm.c:1228
    #9 0x1032c94c9 in mrb_vm_run vm.c:815
    #10 0x1032c26ae in mrb_run vm.c:2562
    #11 0x1032f8005 in ecall vm.c:311
    #12 0x1032df492 in mrb_vm_exec vm.c:1740
    #13 0x1032c94c9 in mrb_vm_run vm.c:815
    #14 0x1032c26ae in mrb_run vm.c:2562
    #15 0x1032f8005 in ecall vm.c:311
    #16 0x1032df492 in mrb_vm_exec vm.c:1740
    #17 0x1032c94c9 in mrb_vm_run vm.c:815
    #18 0x1032c26ae in mrb_run vm.c:2562
    #19 0x1032f8005 in ecall vm.c:311
    #20 0x1032df492 in mrb_vm_exec vm.c:1740
    #21 0x1032c94c9 in mrb_vm_run vm.c:815
    #22 0x1032c26ae in mrb_run vm.c:2562
    #23 0x1032f8005 in ecall vm.c:311
    #24 0x1032df492 in mrb_vm_exec vm.c:1740
    #25 0x1032c94c9 in mrb_vm_run vm.c:815
    #26 0x1032c26ae in mrb_run vm.c:2562
    #27 0x1032f8005 in ecall vm.c:311
    #28 0x1032df492 in mrb_vm_exec vm.c:1740
    #29 0x1032c94c9 in mrb_vm_run vm.c:815
    #30 0x1032c26ae in mrb_run vm.c:2562
    #31 0x1032f8005 in ecall vm.c:311
    #32 0x1032df492 in mrb_vm_exec vm.c:1740
    #33 0x1032c94c9 in mrb_vm_run vm.c:815
    #34 0x1032c26ae in mrb_run vm.c:2562
    #35 0x1032f8005 in ecall vm.c:311
    #36 0x1032df492 in mrb_vm_exec vm.c:1740
    #37 0x1032c94c9 in mrb_vm_run vm.c:815
    #38 0x1032c26ae in mrb_run vm.c:2562
    #39 0x1032f8005 in ecall vm.c:311
    #40 0x1032df492 in mrb_vm_exec vm.c:1740
    #41 0x1032c94c9 in mrb_vm_run vm.c:815
    #42 0x1032c26ae in mrb_run vm.c:2562
    #43 0x1032f8005 in ecall vm.c:311
    #44 0x1032df492 in mrb_vm_exec vm.c:1740
    #45 0x1032c94c9 in mrb_vm_run vm.c:815
    #46 0x1032c26ae in mrb_run vm.c:2562
    #47 0x1032f8005 in ecall vm.c:311
    #48 0x1032df492 in mrb_vm_exec vm.c:1740
    #49 0x1032c94c9 in mrb_vm_run vm.c:815
    #50 0x1032c26ae in mrb_run vm.c:2562
    #51 0x1032f8005 in ecall vm.c:311
    #52 0x1032df492 in mrb_vm_exec vm.c:1740
    #53 0x1032c94c9 in mrb_vm_run vm.c:815
    #54 0x1032c26ae in mrb_run vm.c:2562
    #55 0x1032f8005 in ecall vm.c:311
    #56 0x1032df492 in mrb_vm_exec vm.c:1740
    #57 0x1032c94c9 in mrb_vm_run vm.c:815
    #58 0x1032c26ae in mrb_run vm.c:2562
    #59 0x1032f8005 in ecall vm.c:311
    #60 0x1032df492 in mrb_vm_exec vm.c:1740
    #61 0x1032c94c9 in mrb_vm_run vm.c:815
    #62 0x1032c26ae in mrb_run vm.c:2562
    #63 0x1032f8005 in ecall vm.c:311
    #64 0x1032df492 in mrb_vm_exec vm.c:1740
    #65 0x1032c94c9 in mrb_vm_run vm.c:815
    #66 0x1032c26ae in mrb_run vm.c:2562
    #67 0x1032f8005 in ecall vm.c:311
    #68 0x1032df492 in mrb_vm_exec vm.c:1740
    #69 0x1032c94c9 in mrb_vm_run vm.c:815
    #70 0x1032c26ae in mrb_run vm.c:2562
    #71 0x1032f8005 in ecall vm.c:311
    #72 0x1032df492 in mrb_vm_exec vm.c:1740
    #73 0x1032c94c9 in mrb_vm_run vm.c:815
    #74 0x1032c26ae in mrb_run vm.c:2562
    #75 0x1032f8005 in ecall vm.c:311
    #76 0x1032df492 in mrb_vm_exec vm.c:1740
    #77 0x1032c94c9 in mrb_vm_run vm.c:815
    #78 0x1032c26ae in mrb_run vm.c:2562
    #79 0x1032f8005 in ecall vm.c:311
    #80 0x1032df492 in mrb_vm_exec vm.c:1740
    #81 0x1032c94c9 in mrb_vm_run vm.c:815
    #82 0x1032c26ae in mrb_run vm.c:2562
    #83 0x1032f8005 in ecall vm.c:311
    #84 0x1032df492 in mrb_vm_exec vm.c:1740
    #85 0x1032c94c9 in mrb_vm_run vm.c:815
    #86 0x1032c26ae in mrb_run vm.c:2562
    #87 0x1032f8005 in ecall vm.c:311
    #88 0x1032df492 in mrb_vm_exec vm.c:1740
    #89 0x1032c94c9 in mrb_vm_run vm.c:815
    #90 0x1032c26ae in mrb_run vm.c:2562
    #91 0x1032f8005 in ecall vm.c:311
    #92 0x1032df492 in mrb_vm_exec vm.c:1740
    #93 0x1032c94c9 in mrb_vm_run vm.c:815
    #94 0x1032c26ae in mrb_run vm.c:2562
    #95 0x1032f8005 in ecall vm.c:311
    #96 0x1032df492 in mrb_vm_exec vm.c:1740
    #97 0x1032c94c9 in mrb_vm_run vm.c:815
    #98 0x1032c26ae in mrb_run vm.c:2562
    #99 0x1032f8005 in ecall vm.c:311
    #100 0x1032df492 in mrb_vm_exec vm.c:1740
    #101 0x1032c94c9 in mrb_vm_run vm.c:815
    #102 0x1032c26ae in mrb_run vm.c:2562
    #103 0x1032f8005 in ecall vm.c:311
    #104 0x1032df492 in mrb_vm_exec vm.c:1740
    #105 0x1032c94c9 in mrb_vm_run vm.c:815
    #106 0x1032c26ae in mrb_run vm.c:2562
    #107 0x1032f8005 in ecall vm.c:311
    #108 0x1032df492 in mrb_vm_exec vm.c:1740
    #109 0x1032c94c9 in mrb_vm_run vm.c:815
    #110 0x1032c26ae in mrb_run vm.c:2562
    #111 0x1032f8005 in ecall vm.c:311
    #112 0x1032df492 in mrb_vm_exec vm.c:1740
    #113 0x1032c94c9 in mrb_vm_run vm.c:815
    #114 0x1032c26ae in mrb_run vm.c:2562
    #115 0x1032f8005 in ecall vm.c:311
    #116 0x1032df492 in mrb_vm_exec vm.c:1740
    #117 0x1032c94c9 in mrb_vm_run vm.c:815
    #118 0x1032c26ae in mrb_run vm.c:2562
    #119 0x1032f8005 in ecall vm.c:311
    #120 0x1032df492 in mrb_vm_exec vm.c:1740
    #121 0x1032c94c9 in mrb_vm_run vm.c:815
    #122 0x1032c26ae in mrb_run vm.c:2562
    #123 0x1032f8005 in ecall vm.c:311
    #124 0x1032df492 in mrb_vm_exec vm.c:1740
    #125 0x1032c94c9 in mrb_vm_run vm.c:815
    #126 0x1032c26ae in mrb_run vm.c:2562
    #127 0x1032f8005 in ecall vm.c:311
    #128 0x1032df492 in mrb_vm_exec vm.c:1740
    #129 0x1032c94c9 in mrb_vm_run vm.c:815
    #130 0x1032c26ae in mrb_run vm.c:2562
    #131 0x1032f8005 in ecall vm.c:311
    #132 0x1032df492 in mrb_vm_exec vm.c:1740
    #133 0x1032c94c9 in mrb_vm_run vm.c:815
    #134 0x1032c26ae in mrb_run vm.c:2562
    #135 0x1032f8005 in ecall vm.c:311
    #136 0x1032df492 in mrb_vm_exec vm.c:1740
    #137 0x1032c94c9 in mrb_vm_run vm.c:815
    #138 0x1032c26ae in mrb_run vm.c:2562
    #139 0x1032f8005 in ecall vm.c:311
    #140 0x1032df492 in mrb_vm_exec vm.c:1740
    #141 0x1032c94c9 in mrb_vm_run vm.c:815
    #142 0x1032c26ae in mrb_run vm.c:2562
    #143 0x1032f8005 in ecall vm.c:311
    #144 0x1032df492 in mrb_vm_exec vm.c:1740
    #145 0x1032c94c9 in mrb_vm_run vm.c:815
    #146 0x1032c26ae in mrb_run vm.c:2562
    #147 0x1032f8005 in ecall vm.c:311
    #148 0x1032df492 in mrb_vm_exec vm.c:1740
    #149 0x1032c94c9 in mrb_vm_run vm.c:815
    #150 0x1032c26ae in mrb_run vm.c:2562
    #151 0x1032f8005 in ecall vm.c:311
    #152 0x1032df492 in mrb_vm_exec vm.c:1740
    #153 0x1032c94c9 in mrb_vm_run vm.c:815
    #154 0x1032c26ae in mrb_run vm.c:2562
    #155 0x1032f8005 in ecall vm.c:311
    #156 0x1032df492 in mrb_vm_exec vm.c:1740
    #157 0x1032c94c9 in mrb_vm_run vm.c:815
    #158 0x1032c26ae in mrb_run vm.c:2562
    #159 0x1032f8005 in ecall vm.c:311
    #160 0x1032df492 in mrb_vm_exec vm.c:1740
    #161 0x1032c94c9 in mrb_vm_run vm.c:815
    #162 0x1032c26ae in mrb_run vm.c:2562
    #163 0x1032f8005 in ecall vm.c:311
    #164 0x1032df492 in mrb_vm_exec vm.c:1740
    #165 0x1032c94c9 in mrb_vm_run vm.c:815
    #166 0x1032c26ae in mrb_run vm.c:2562
    #167 0x1032f8005 in ecall vm.c:311
    #168 0x1032df492 in mrb_vm_exec vm.c:1740
    #169 0x1032c94c9 in mrb_vm_run vm.c:815
    #170 0x1032c26ae in mrb_run vm.c:2562
    #171 0x1032f8005 in ecall vm.c:311
    #172 0x1032df492 in mrb_vm_exec vm.c:1740
    #173 0x1032c94c9 in mrb_vm_run vm.c:815
    #174 0x1032c26ae in mrb_run vm.c:2562
    #175 0x1032f8005 in ecall vm.c:311
    #176 0x1032df492 in mrb_vm_exec vm.c:1740
    #177 0x1032c94c9 in mrb_vm_run vm.c:815
    #178 0x1032c26ae in mrb_run vm.c:2562
    #179 0x1032f8005 in ecall vm.c:311
    #180 0x1032df492 in mrb_vm_exec vm.c:1740
    #181 0x1032c94c9 in mrb_vm_run vm.c:815
    #182 0x1032c26ae in mrb_run vm.c:2562
    #183 0x1032f8005 in ecall vm.c:311
    #184 0x1032df492 in mrb_vm_exec vm.c:1740
    #185 0x1032c94c9 in mrb_vm_run vm.c:815
    #186 0x1032c26ae in mrb_run vm.c:2562
    #187 0x1032f8005 in ecall vm.c:311
    #188 0x1032df492 in mrb_vm_exec vm.c:1740
    #189 0x1032c94c9 in mrb_vm_run vm.c:815
    #190 0x1032c26ae in mrb_run vm.c:2562
    #191 0x1032f8005 in ecall vm.c:311
    #192 0x1032df492 in mrb_vm_exec vm.c:1740
    #193 0x1032c94c9 in mrb_vm_run vm.c:815
    #194 0x1032c26ae in mrb_run vm.c:2562
    #195 0x1032f8005 in ecall vm.c:311
    #196 0x1032df492 in mrb_vm_exec vm.c:1740
    #197 0x1032c94c9 in mrb_vm_run vm.c:815
    #198 0x1032c26ae in mrb_run vm.c:2562
    #199 0x1032f8005 in ecall vm.c:311
    #200 0x1032df492 in mrb_vm_exec vm.c:1740
    #201 0x1032c94c9 in mrb_vm_run vm.c:815
    #202 0x1032c26ae in mrb_run vm.c:2562
    #203 0x1032f8005 in ecall vm.c:311
    #204 0x1032df492 in mrb_vm_exec vm.c:1740
    #205 0x1032c94c9 in mrb_vm_run vm.c:815
    #206 0x1032c26ae in mrb_run vm.c:2562
    #207 0x1032f8005 in ecall vm.c:311
    #208 0x1032df492 in mrb_vm_exec vm.c:1740
    #209 0x1032c94c9 in mrb_vm_run vm.c:815
    #210 0x1032c26ae in mrb_run vm.c:2562
    #211 0x1032f8005 in ecall vm.c:311
    #212 0x1032df492 in mrb_vm_exec vm.c:1740
    #213 0x1032c94c9 in mrb_vm_run vm.c:815
    #214 0x1032c26ae in mrb_run vm.c:2562
    #215 0x1032f8005 in ecall vm.c:311
    #216 0x1032df492 in mrb_vm_exec vm.c:1740
    #217 0x1032c94c9 in mrb_vm_run vm.c:815
    #218 0x1032c26ae in mrb_run vm.c:2562
    #219 0x1032f8005 in ecall vm.c:311
    #220 0x1032df492 in mrb_vm_exec vm.c:1740
    #221 0x1032c94c9 in mrb_vm_run vm.c:815
    #222 0x1032c26ae in mrb_run vm.c:2562
    #223 0x1032f8005 in ecall vm.c:311
    #224 0x1032df492 in mrb_vm_exec vm.c:1740
    #225 0x1032c94c9 in mrb_vm_run vm.c:815
    #226 0x1032c26ae in mrb_run vm.c:2562
    #227 0x1032f8005 in ecall vm.c:311
    #228 0x1032df492 in mrb_vm_exec vm.c:1740
    #229 0x1032c94c9 in mrb_vm_run vm.c:815
    #230 0x1032c26ae in mrb_run vm.c:2562
    #231 0x1032f8005 in ecall vm.c:311
    #232 0x1032df492 in mrb_vm_exec vm.c:1740
    #233 0x1032c94c9 in mrb_vm_run vm.c:815
    #234 0x1032c26ae in mrb_run vm.c:2562
    #235 0x1032f8005 in ecall vm.c:311
    #236 0x1032df492 in mrb_vm_exec vm.c:1740
    #237 0x1032c94c9 in mrb_vm_run vm.c:815
    #238 0x1032c26ae in mrb_run vm.c:2562
    #239 0x1032f8005 in ecall vm.c:311
    #240 0x1032df492 in mrb_vm_exec vm.c:1740
    #241 0x1032c94c9 in mrb_vm_run vm.c:815
    #242 0x1032c26ae in mrb_run vm.c:2562
    #243 0x1032f8005 in ecall vm.c:311
    #244 0x1032df492 in mrb_vm_exec vm.c:1740
    #245 0x1032c94c9 in mrb_vm_run vm.c:815
    #246 0x1032c26ae in mrb_run vm.c:2562
    #247 0x1032f8005 in ecall vm.c:311
    #248 0x1032df492 in mrb_vm_exec vm.c:1740
    #249 0x1032c94c9 in mrb_vm_run vm.c:815
    #250 0x1032c26ae in mrb_run vm.c:2562
    #251 0x1032f8005 in ecall vm.c:311
    #252 0x1032df492 in mrb_vm_exec vm.c:1740
    #253 0x1032c94c9 in mrb_vm_run vm.c:815
    #254 0x1032c26ae in mrb_run vm.c:2562
    #255 0x1032f8005 in ecall vm.c:311

0x621000011478 is located 3960 bytes inside of 4096-byte region [0x621000010500,0x621000011500)
freed by thread T0 here:
    #0 0x103508f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10325ed05 in mrb_default_allocf state.c:60
    #2 0x1031e01b8 in mrb_realloc_simple gc.c:201
    #3 0x1031e089e in mrb_realloc gc.c:215
    #4 0x1032fb761 in stack_extend_alloc vm.c:161
    #5 0x1032c1dd7 in stack_extend vm.c:181
    #6 0x1032d48e5 in mrb_vm_exec vm.c:1265
    #7 0x1032c94c9 in mrb_vm_run vm.c:815
    #8 0x1032c26ae in mrb_run vm.c:2562
    #9 0x1032f8005 in ecall vm.c:311
    #10 0x1032df492 in mrb_vm_exec vm.c:1740
    #11 0x1032c94c9 in mrb_vm_run vm.c:815
    #12 0x1032c26ae in mrb_run vm.c:2562
    #13 0x1032f8005 in ecall vm.c:311
    #14 0x1032df492 in mrb_vm_exec vm.c:1740
    #15 0x1032c94c9 in mrb_vm_run vm.c:815
    #16 0x1032c26ae in mrb_run vm.c:2562
    #17 0x1032f8005 in ecall vm.c:311
    #18 0x1032df492 in mrb_vm_exec vm.c:1740
    #19 0x1032c94c9 in mrb_vm_run vm.c:815
    #20 0x1032c26ae in mrb_run vm.c:2562
    #21 0x1032f8005 in ecall vm.c:311
    #22 0x1032df492 in mrb_vm_exec vm.c:1740
    #23 0x1032c94c9 in mrb_vm_run vm.c:815
    #24 0x1032c26ae in mrb_run vm.c:2562
    #25 0x1032f8005 in ecall vm.c:311
    #26 0x1032df492 in mrb_vm_exec vm.c:1740
    #27 0x1032c94c9 in mrb_vm_run vm.c:815
    #28 0x1032c26ae in mrb_run vm.c:2562
    #29 0x1032f8005 in ecall vm.c:311

previously allocated by thread T0 here:
    #0 0x103508f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10325ed05 in mrb_default_allocf state.c:60
    #2 0x1031e01b8 in mrb_realloc_simple gc.c:201
    #3 0x1031e089e in mrb_realloc gc.c:215
    #4 0x1032fb761 in stack_extend_alloc vm.c:161
    #5 0x1032c1dd7 in stack_extend vm.c:181
    #6 0x1032c93d7 in mrb_vm_run vm.c:813
    #7 0x1032c26ae in mrb_run vm.c:2562
    #8 0x1032f8005 in ecall vm.c:311
    #9 0x1032df492 in mrb_vm_exec vm.c:1740
    #10 0x1032c94c9 in mrb_vm_run vm.c:815
    #11 0x1032c26ae in mrb_run vm.c:2562
    #12 0x1032f8005 in ecall vm.c:311
    #13 0x1032df492 in mrb_vm_exec vm.c:1740
    #14 0x1032c94c9 in mrb_vm_run vm.c:815
    #15 0x1032c26ae in mrb_run vm.c:2562
    #16 0x1032f8005 in ecall vm.c:311
    #17 0x1032df492 in mrb_vm_exec vm.c:1740
    #18 0x1032c94c9 in mrb_vm_run vm.c:815
    #19 0x1032c26ae in mrb_run vm.c:2562
    #20 0x1032f8005 in ecall vm.c:311
    #21 0x1032df492 in mrb_vm_exec vm.c:1740
    #22 0x1032c94c9 in mrb_vm_run vm.c:815
    #23 0x1032c26ae in mrb_run vm.c:2562
    #24 0x1032f8005 in ecall vm.c:311
    #25 0x1032df492 in mrb_vm_exec vm.c:1740
    #26 0x1032c94c9 in mrb_vm_run vm.c:815
    #27 0x1032c26ae in mrb_run vm.c:2562
    #28 0x1032f8005 in ecall vm.c:311
    #29 0x1032df492 in mrb_vm_exec vm.c:1740

SUMMARY: AddressSanitizer: heap-use-after-free gc.c:644 in gc_mark_children
==36937==ABORTING
Abort trap: 6
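
The ASAN output above shows the VM stack buffer freed by a stack_extend_alloc realloc and later read by gc_mark_children. As an added illustration (not mruby's code and not the reporter's), the constructed C model below reproduces that pattern with a toy VM stack and two ways an environment can reference a stack slot: a raw pointer, which becomes dangling when the stack is relocated, and an offset resolved against the current base at mark time, which does not. The generation tag on the raw-pointer variant is a hypothetical debug check that makes the stale read detectable instead of silent; all type and function names are assumptions of this example.

```c
/* Constructed model, not mruby's code, of the pattern in the ASAN trace: a VM
 * stack that stack_extend reallocates while a closure environment still points
 * at a slot in the old buffer, and a GC mark phase that later reads through it. */
#include <stdlib.h>
#include <string.h>
typedef struct {
    int *base; size_t len, cap;
    unsigned gen;   /* bumped every time base is replaced */
} vm_stack;

/* Fragile design: a raw pointer into the stack.  The generation tag is the
 * hypothetical debug guard that lets the mark phase notice relocation. */
typedef struct { int *slot; unsigned gen; } env_rawptr;
/* Robust design: an offset resolved against the current base at mark time. */
typedef struct { size_t off; } env_offset;
typedef enum { MARK_OK, MARK_STALE, MARK_OUT_OF_RANGE } mark_result;

static void vm_stack_init(vm_stack *s, size_t cap) {
    s->base = calloc(cap, sizeof *s->base); s->len = 0; s->cap = cap; s->gen = 0;
}

/* Grow the stack: new buffer, copy, free the old one.  Every raw pointer into
 * the old buffer is dangling from here on. */
static void vm_stack_extend(vm_stack *s, size_t need) {
    if (need <= s->cap) return;
    size_t ncap = s->cap;
    while (ncap < need) ncap *= 2;
    int *nb = malloc(ncap * sizeof *nb); if (!nb) abort();
    memcpy(nb, s->base, s->len * sizeof *nb);
    free(s->base);
    s->base = nb; s->cap = ncap; s->gen++;
}
/* Refuse to dereference once the stack has moved instead of reading freed memory. */
static mark_result gc_mark_rawptr(const env_rawptr *e, const vm_stack *s, int *out) {
    if (e->gen != s->gen) return MARK_STALE;
    *out = *e->slot; return MARK_OK;
}

static mark_result gc_mark_offset(const env_offset *e, const vm_stack *s, int *out) {
    if (e->off >= s->len) return MARK_OUT_OF_RANGE;
    *out = s->base[e->off]; return MARK_OK;
}

/* The report in miniature: capture slot 0, grow the stack to grow_to slots
 * (relocating only if that exceeds the initial capacity of 4), then mark. */
static void scenario(size_t grow_to, mark_result *raw, mark_result *off, int *val) {
    vm_stack s; vm_stack_init(&s, 4);
    s.base[0] = 42; s.len = 1;            /* constructed sample slot value */
    env_rawptr er = { s.base, s.gen };
    env_offset eo = { 0 };
    vm_stack_extend(&s, grow_to);
    int scratch = 0; *raw = gc_mark_rawptr(&er, &s, &scratch);
    *off = gc_mark_offset(&eo, &s, val);
    free(s.base);
}
```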

@matz matz closed this in 3b40a2f Mar 4, 2017
