
Will SEGV on Kernel#block_given? #3593

Closed
ksss opened this issue Apr 5, 2017 · 4 comments

Comments

@ksss ksss commented Apr 5, 2017

Sorry, no repro code.

But I found a possible SEGV point.

```c
ci = mrb->c->cibase + e->cioff;
```

The e->cioff will be -1 when the env is unshared.

I don't know how to repro, or what the return value should be if the env is unshared.
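The hazard in the quoted line is a sentinel (cioff == -1 for an unshared env) being used as an array offset. The following is an added example written for this page, not mruby's code: it models cibase/cioff with simplified stand-in structs and shows the unchecked lookup beside a checked one that rejects the sentinel and any offset past the live frames.

```c
/* Simplified model of mruby's call-frame lookup (constructed for this
 * example; the struct layouts are stand-ins, not mruby's real types). */
#include <stddef.h>
#include <stdio.h>

typedef struct callinfo { int argc; int has_block; } callinfo_t;
typedef struct env { ptrdiff_t cioff; } env_t;   /* -1 marks an unshared env */
typedef struct context { callinfo_t *cibase; callinfo_t *ci; } context_t;

/* Mirrors the line quoted in the issue: with cioff == -1 this forms a
 * pointer before cibase, which is undefined behaviour before any read. */
callinfo_t *lookup_unchecked(context_t *c, env_t *e)
{
    return c->cibase + e->cioff;
}

/* Hardened form: refuse the sentinel and any offset beyond the frames that
 * are currently live (cibase..ci), so no out-of-range pointer is ever made. */
callinfo_t *lookup_checked(context_t *c, env_t *e)
{
    if (e->cioff < 0 || e->cioff > c->ci - c->cibase)
        return NULL;
    return c->cibase + e->cioff;
}

/* block_given? over the model: an unshared env has no live frame to ask,
 * so it answers "no block" instead of touching freed or foreign memory. */
int block_given_p(context_t *c, env_t *e)
{
    callinfo_t *ci = lookup_checked(c, e);
    return ci != NULL && ci->has_block;
}

/* Builds a constructed three-frame context (frame 1 carries a block) and
 * asks block_given_p through an env whose cioff is the given value. */
int model_block_given(ptrdiff_t cioff)
{
    callinfo_t frames[3] = { {0, 0}, {1, 1}, {0, 0} };
    context_t ctx = { frames, frames + 2 };
    env_t e = { cioff };
    return block_given_p(&ctx, &e);
}

int main(void)
{
    printf("shared env (cioff=1):    %d\n", model_block_given(1));
    printf("unshared env (cioff=-1): %d\n", model_block_given(-1));
    return 0;
}
```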


@ksss ksss commented Apr 5, 2017

I found it from ruby/spec/core/kernel/block_given_spec.rb with the -fsanitize=address flag on mruby-spec.

And I could confirm e->cioff == -1.

But this short code didn't reproduce it.

```ruby
module BlockGiven
  class << self
    define_method(:defined_block) do
      block_given?
    end
  end
end

BlockGiven.defined_block{}
```

@matz matz closed this as completed in a7b0ab3 Apr 5, 2017

@ksss ksss commented Apr 5, 2017

Seems to be caused by another problem.

mrb_f_block_given_p_m kernel.c:173

```text

==30072==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000078558 at pc 0x00010c9a1138 bp 0x7fff532f6c10 sp 0x7fff532f6c08
READ of size 4 at 0x602000078558 thread T0
    #0 0x10c9a1137 in mrb_f_block_given_p_m kernel.c:173
    #1 0x10ca54ba1 in mrb_exec_irep vm.c:469
    #2 0x10ca562a5 in mrb_f_send vm.c:546
    #3 0x10ca66448 in mrb_vm_exec vm.c:1265
    #4 0x10ca5b5f9 in mrb_vm_run vm.c:821
    #5 0x10ca8e214 in mrb_top_run vm.c:2635
    #6 0x10cb00a05 in mrb_load_exec parse.y:5762
    #7 0x10cb01815 in mrb_load_file_cxt parse.y:5771
    #8 0x10cc58815 in load_rb_file mrb_require.c:425
    #9 0x10cc4f930 in load_file mrb_require.c:437
    #10 0x10cc4cdef in mrb_load mrb_require.c:453
    #11 0x10cc502cc in mrb_f_load mrb_require.c:468
    #12 0x10ca66448 in mrb_vm_exec vm.c:1265
    #13 0x10ca5b5f9 in mrb_vm_run vm.c:821
    #14 0x10ca8de79 in mrb_top_run vm.c:2628
    #15 0x10cb00a05 in mrb_load_exec parse.y:5762
    #16 0x10cb01815 in mrb_load_file_cxt parse.y:5771
    #17 0x10c8f84d6 in main mruby.c:227
    #18 0x7fff9f476254 in start (libdyld.dylib:x86_64+0x5254)

0x602000078558 is located 8 bytes inside of 16-byte region [0x602000078550,0x602000078560)
freed by thread T0 here:
    #0 0x10cf2b356 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56356)
    #1 0x10c9f044b in mrb_default_allocf state.c:56
    #2 0x10c972e49 in mrb_free gc.c:269
    #3 0x10c97389b in obj_free gc.c:748
    #4 0x10c97cf4b in incremental_sweep_phase gc.c:1029
    #5 0x10c97b7ec in incremental_gc gc.c:1095
    #6 0x10c9777b6 in incremental_gc_until gc.c:1111
    #7 0x10c976aca in mrb_incremental_gc gc.c:1162
    #8 0x10c976448 in mrb_obj_alloc gc.c:508
    #9 0x10c9699eb in mrb_data_object_alloc etc.c:19
    #10 0x10cc2db20 in create_onig_region mruby_onig_regexp.c:160
    #11 0x10cc1058a in onig_regexp_match mruby_onig_regexp.c:232
    #12 0x10ca66448 in mrb_vm_exec vm.c:1265
    #13 0x10ca5b5f9 in mrb_vm_run vm.c:821
    #14 0x10ca8e214 in mrb_top_run vm.c:2635
    #15 0x10cb00a05 in mrb_load_exec parse.y:5762
    #16 0x10cb01815 in mrb_load_file_cxt parse.y:5771
    #17 0x10cc58815 in load_rb_file mrb_require.c:425
    #18 0x10cc4f930 in load_file mrb_require.c:437
    #19 0x10cc4cdef in mrb_load mrb_require.c:453
    #20 0x10cc502cc in mrb_f_load mrb_require.c:468
    #21 0x10ca66448 in mrb_vm_exec vm.c:1265
    #22 0x10ca5b5f9 in mrb_vm_run vm.c:821
    #23 0x10ca8de79 in mrb_top_run vm.c:2628
    #24 0x10cb00a05 in mrb_load_exec parse.y:5762
    #25 0x10cb01815 in mrb_load_file_cxt parse.y:5771
    #26 0x10c8f84d6 in main mruby.c:227
    #27 0x7fff9f476254 in start (libdyld.dylib:x86_64+0x5254)

previously allocated by thread T0 here:
    #0 0x10cf2b520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10c9f0465 in mrb_default_allocf state.c:60
    #2 0x10c971b68 in mrb_realloc_simple gc.c:202
    #3 0x10c97224e in mrb_realloc gc.c:216
    #4 0x10c972cd3 in mrb_malloc gc.c:237
    #5 0x10ca4d8c2 in mrb_env_unshare vm.c:259
    #6 0x10ca51fe2 in cipop vm.c:283
    #7 0x10ca7260e in mrb_vm_exec vm.c:1804
    #8 0x10ca5b5f9 in mrb_vm_run vm.c:821
    #9 0x10ca8e214 in mrb_top_run vm.c:2635
    #10 0x10cb00a05 in mrb_load_exec parse.y:5762
    #11 0x10cb01815 in mrb_load_file_cxt parse.y:5771
    #12 0x10cc58815 in load_rb_file mrb_require.c:425
    #13 0x10cc4f930 in load_file mrb_require.c:437
    #14 0x10cc50b1e in mrb_require mrb_require.c:541
    #15 0x10cc5343c in mrb_f_require mrb_require.c:561
    #16 0x10ca66448 in mrb_vm_exec vm.c:1265
    #17 0x10ca5b5f9 in mrb_vm_run vm.c:821
    #18 0x10ca8e214 in mrb_top_run vm.c:2635
    #19 0x10cb00a05 in mrb_load_exec parse.y:5762
    #20 0x10cb01815 in mrb_load_file_cxt parse.y:5771
    #21 0x10cc58815 in load_rb_file mrb_require.c:425
    #22 0x10cc4f930 in load_file mrb_require.c:437
    #23 0x10cc4cdef in mrb_load mrb_require.c:453
    #24 0x10cc502cc in mrb_f_load mrb_require.c:468
    #25 0x10ca66448 in mrb_vm_exec vm.c:1265
    #26 0x10ca5b5f9 in mrb_vm_run vm.c:821
    #27 0x10ca8de79 in mrb_top_run vm.c:2628
    #28 0x10cb00a05 in mrb_load_exec parse.y:5762
    #29 0x10cb01815 in mrb_load_file_cxt parse.y:5771

SUMMARY: AddressSanitizer: heap-use-after-free kernel.c:173 in mrb_f_block_given_p_m
==30072==ABORTING
```

```text
SIGABRT from
/Users/ksss/src/github.com/ksss/mruby-spec/spec/core/kernel/fixtures/classes.rb:244:in #<Class:0x62f00006b670>.defined_block
/Users/ksss/src/github.com/ksss/mruby-spec/spec/core/kernel/block_given_spec.rb:16:in Object#protect
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/mspec.rb:73:in MSpec#protect
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/context.rb:250:in ContextState.protect
/Users/ksss/src/github.com/ksss/mruby-spec/mruby/mrblib/enum.rb:26:in Enumerable.all?
/Users/ksss/src/github.com/ksss/mruby-spec/mruby/mrblib/array.rb:17:in Array.each
/Users/ksss/src/github.com/ksss/mruby-spec/mruby/mrblib/enum.rb:26:in Enumerable#all?
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/context.rb:250:in ContextState.protect
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/context.rb:286:in ContextState.process
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/mspec.rb:243:in MSpec.repeat
/Users/ksss/src/github.com/ksss/mruby-spec/mruby/mrblib/numeric.rb:77:in Integral#times
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/mspec.rb:242:in MSpec#repeat
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/context.rb:278:in ContextState.process
/Users/ksss/src/github.com/ksss/mruby-spec/mruby/mrblib/array.rb:17:in Array.each
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/context.rb:277:in ContextState.process
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/mspec.rb:39:in MSpec#describe
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/object.rb:11:in Object.describe
/Users/ksss/src/github.com/ksss/mruby-spec/spec/core/kernel/block_given_spec.rb:38
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/mspec.rb:56:in MSpec#protect
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/mspec.rb:73:in MSpec#protect
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/mspec.rb:56:in MSpec.files
/Users/ksss/src/github.com/ksss/mruby-spec/mruby/mrblib/array.rb:17:in Array.each
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/mspec.rb:52:in MSpec#files
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/runner/mspec.rb:44:in MSpec#process
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/commands/mspec-run.rb:99:in MSpecRun.run
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/lib/mspec/utils/script.rb:237:in MSpecScript#main
/Users/ksss/src/github.com/ksss/mruby-spec/mspec/bin/mspec-run:7
make: *** [run] Abort trap: 6
```


@matz matz commented Apr 6, 2017

Without reproducing info, it's quite difficult to fix the issue. ;-<


@ksss ksss commented Apr 11, 2017

@matz You are right...
