$ ./build/host/bin/mruby t.rb
Build summary:
================================================
Config Name: host
Output Directory: build/host
Binaries: mrbc
Included Gems:
mruby-sprintf - standard Kernel#sprintf method
mruby-print - standard print/puts/p
mruby-math - standard Math module
mruby-time - standard Time class
mruby-struct - standard Struct class
mruby-enum-ext - Enumerable module extension
mruby-string-ext - String class extension
mruby-numeric-ext - Numeric class extension
mruby-array-ext - Array class extension
mruby-hash-ext - Hash class extension
mruby-range-ext - Range class extension
mruby-proc-ext - Proc class extension
mruby-symbol-ext - Symbol class extension
mruby-random - Random class
mruby-object-ext - Object class extension
mruby-objectspace - ObjectSpace class
mruby-fiber - Fiber class
mruby-enumerator - Enumerator class
mruby-enum-lazy - Enumerator::Lazy class
mruby-toplevel-ext - toplevel object (main) methods extension
mruby-compiler - mruby compiler library
mruby-bin-mirb - mirb command
- Binaries: mirb
mruby-error - extensional error handling
mruby-bin-mruby - mruby command
- Binaries: mruby
mruby-bin-strip - irep dump debug section remover command
- Binaries: mruby-strip
mruby-kernel-ext - Kernel module extension
mruby-class-ext - class/module extension
mruby-bin-mrbc - mruby compiler executable
================================================
=================================================================
==42458==ERROR: AddressSanitizer: heap-use-after-free on address 0x62f000028400 at pc 0x000109606f34 bp 0x7fff56676bb0 sp 0x7fff56676ba8
READ of size 4 at 0x62f000028400 thread T0
#0 0x109606f33 in mark_context_stack gc.c:555
#1 0x10960646f in mark_context gc.c:572
#2 0x109605227 in root_scan_phase gc.c:873
#3 0x109604400 in incremental_gc gc.c:1080
#4 0x109600586 in incremental_gc_until gc.c:1111
#5 0x1095fabd3 in mrb_full_gc gc.c:1211
#6 0x1095ff11a in mrb_obj_alloc gc.c:505
#7 0x10967cfce in str_new string.c:59
#8 0x1096870c7 in mrb_str_dup string.c:1070
#9 0x10970c778 in mrb_vm_exec vm.c:2376
#10 0x1096e4599 in mrb_vm_run vm.c:821
#11 0x109716e19 in mrb_top_run vm.c:2628
#12 0x1097e7f85 in mrb_load_exec parse.y:5762
#13 0x1097e8d95 in mrb_load_file_cxt parse.y:5771
#14 0x109580fd6 in main mruby.c:227
#15 0x7fff92fbb234 in start (libdyld.dylib:x86_64+0x5234)
0x62f000028400 is located 49152 bytes inside of 49200-byte region [0x62f00001c400,0x62f000028430)
freed by thread T0 here:
#0 0x10998f356 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56356)
#1 0x1096793eb in mrb_default_allocf state.c:56
#2 0x1095fbbb9 in mrb_free gc.c:269
#3 0x10960608f in incremental_sweep_phase gc.c:1054
#4 0x1096045bc in incremental_gc gc.c:1095
#5 0x109600586 in incremental_gc_until gc.c:1111
#6 0x1095fabd3 in mrb_full_gc gc.c:1211
#7 0x1095ff11a in mrb_obj_alloc gc.c:505
#8 0x10967cfce in str_new string.c:59
#9 0x10967cdcf in mrb_str_new string.c:193
#10 0x109644db5 in mrb_fixnum_to_str numeric.c:1186
#11 0x10964cc35 in fix_to_s numeric.c:1211
#12 0x1096ef3e8 in mrb_vm_exec vm.c:1265
#13 0x1096e4599 in mrb_vm_run vm.c:821
#14 0x109716e19 in mrb_top_run vm.c:2628
#15 0x1097e7f85 in mrb_load_exec parse.y:5762
#16 0x1097e8d95 in mrb_load_file_cxt parse.y:5771
#17 0x109580fd6 in main mruby.c:227
#18 0x7fff92fbb234 in start (libdyld.dylib:x86_64+0x5234)
previously allocated by thread T0 here:
#0 0x10998f520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
#1 0x109679405 in mrb_default_allocf state.c:60
#2 0x1095fa8d8 in mrb_realloc_simple gc.c:202
#3 0x1095fafbe in mrb_realloc gc.c:216
#4 0x1095fba43 in mrb_malloc gc.c:237
#5 0x1095fbadd in mrb_calloc gc.c:255
#6 0x1095fc089 in add_heap gc.c:325
#7 0x1095ff223 in mrb_obj_alloc gc.c:511
#8 0x10967c38b in mrb_str_buf_new string.c:106
#9 0x109719d57 in mrb_str_format sprintf.c:561
#10 0x109718ce9 in mrb_f_sprintf sprintf.c:517
#11 0x1096ef3e8 in mrb_vm_exec vm.c:1265
#12 0x1096e4599 in mrb_vm_run vm.c:821
#13 0x109716e19 in mrb_top_run vm.c:2628
#14 0x1097e7f85 in mrb_load_exec parse.y:5762
#15 0x1097e8d95 in mrb_load_file_cxt parse.y:5771
#16 0x109580fd6 in main mruby.c:227
#17 0x7fff92fbb234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-use-after-free gc.c:555 in mark_context_stack
Shadow bytes around the buggy address:
0x1c5e00005030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c5e00005040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c5e00005050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c5e00005060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c5e00005070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c5e00005080:[fd]fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
0x1c5e00005090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c5e000050a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c5e000050b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c5e000050c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c5e000050d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==42458==ABORTING
[1] 42458 abort ./build/host/bin/mruby t.rb
$ lldb
(lldb) run t.rb
(lldb)
frame #5: 0x0000000100087f34 mruby`mark_context_stack(mrb=0x000061400000a440, c=0x000060b00000aa10) at gc.c:555
552 mrb_value v = c->stbase[i];
553
554 if (!mrb_immediate_p(v)) {
-> 555 if (mrb_basic_ptr(v)->tt == MRB_TT_FREE) {
556 c->stbase[i] = mrb_nil_value();
557 }
558 else {
(lldb) p v
(mrb_value) $8 = {
value = (f = 5.3745909475022056E-310, p = 0x000062f000028400, i = 164864, sym = 164864)
tt = MRB_TT_STRING
}
(lldb) p (*(struct RBasic*)(v.value.p))
(struct RBasic) $7 = {
tt = MRB_TT_FREE
color = 1
flags = 0
c = 0x000062f0000183f0
gcnext = 0x000062f00000e460
}
build_config.rb
t.rb