Heap use-after-free in gc_mark_children #3612

Closed
clayton-shopify opened this Issue Apr 17, 2017 · 0 comments

@clayton-shopify
Contributor

clayton-shopify commented Apr 17, 2017

The following input demonstrates a crash:

def e;end
''
def m
e 1.times{begin return
ensure$0<m end}end
m

ASAN report:

==11958==ERROR: AddressSanitizer: heap-use-after-free on address 0x629000009198 at pc 0x000108ee05ce bp 0x7fff56a039c0 sp 0x7fff56a039b8
READ of size 4 at 0x629000009198 thread T0
    #0 0x108ee05cd in gc_mark_children gc.c:651
    #1 0x108edf7bf in gc_gray_mark gc.c:895
    #2 0x108edd946 in incremental_marking_phase gc.c:990
    #3 0x108edc993 in incremental_gc gc.c:1094
    #4 0x108ed8abc in incremental_gc_step gc.c:1129
    #5 0x108ed7ccc in mrb_incremental_gc gc.c:1173
    #6 0x108ed7638 in mrb_obj_alloc gc.c:508
    #7 0x108f40ca3 in mrb_proc_new (mruby:x86_64+0x1000e9ca3)
    #8 0x108f40f8c in mrb_closure_new (mruby:x86_64+0x1000e9f8c)
    #9 0x108fe6037 in mrb_vm_exec (mruby:x86_64+0x10018f037)
    #10 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #11 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #12 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #13 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #14 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #15 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #16 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #17 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #18 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #19 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #20 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #21 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #22 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #23 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #24 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #25 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #26 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #27 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #28 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #29 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #30 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #31 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #32 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #33 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #34 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #35 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #36 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #37 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #38 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #39 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #40 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #41 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #42 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #43 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #44 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #45 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #46 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #47 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #48 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #49 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #50 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #51 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #52 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #53 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #54 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #55 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #56 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #57 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #58 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #59 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #60 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #61 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #62 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #63 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #64 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #65 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #66 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #67 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #68 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #69 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #70 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #71 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #72 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #73 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #74 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #75 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #76 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #77 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #78 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #79 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #80 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #81 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #82 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #83 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #84 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #85 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #86 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #87 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #88 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #89 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #90 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #91 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #92 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #93 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #94 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #95 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #96 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #97 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #98 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #99 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #100 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #101 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #102 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #103 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #104 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #105 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #106 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #107 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #108 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #109 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #110 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #111 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #112 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #113 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #114 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #115 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #116 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #117 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #118 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #119 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #120 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #121 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #122 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #123 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #124 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #125 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #126 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #127 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #128 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #129 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #130 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #131 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #132 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #133 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #134 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #135 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #136 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #137 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #138 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #139 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #140 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #141 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #142 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #143 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #144 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #145 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #146 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #147 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #148 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #149 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #150 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #151 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #152 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #153 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #154 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #155 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #156 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #157 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #158 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #159 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #160 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #161 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #162 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #163 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #164 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #165 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #166 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #167 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #168 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #169 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #170 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #171 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #172 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #173 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #174 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #175 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #176 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #177 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #178 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #179 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #180 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #181 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #182 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #183 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #184 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #185 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #186 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #187 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #188 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #189 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #190 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #191 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #192 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #193 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #194 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #195 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #196 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #197 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #198 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #199 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #200 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #201 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #202 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #203 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #204 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #205 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #206 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #207 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #208 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #209 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #210 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #211 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #212 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #213 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #214 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #215 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #216 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #217 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #218 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #219 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #220 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #221 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #222 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #223 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #224 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #225 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #226 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #227 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #228 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #229 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #230 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #231 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #232 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #233 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #234 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #235 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #236 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #237 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #238 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #239 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #240 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #241 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #242 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #243 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #244 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #245 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #246 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #247 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #248 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #249 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #250 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #251 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #252 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #253 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #254 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #255 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)

0x629000009198 is located 16280 bytes inside of 16384-byte region [0x629000005200,0x629000009200)
freed by thread T0 here:
    #0 0x10926d520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x108f51a85 in mrb_default_allocf (mruby:x86_64+0x1000faa85)
    #2 0x108ed2d58 in mrb_realloc_simple gc.c:202
    #3 0x108ed343e in mrb_realloc gc.c:216
    #4 0x108ff035f in stack_extend_alloc (mruby:x86_64+0x10019935f)
    #5 0x108fb4d4f in stack_extend (mruby:x86_64+0x10015dd4f)
    #6 0x108fc8a56 in mrb_vm_exec (mruby:x86_64+0x100171a56)
    #7 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #8 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #9 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #10 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #11 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #12 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #13 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #14 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #15 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #16 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #17 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #18 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #19 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #20 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #21 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #22 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #23 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #24 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #25 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #26 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #27 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #28 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #29 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)

previously allocated by thread T0 here:
    #0 0x10926d520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x108f51a85 in mrb_default_allocf (mruby:x86_64+0x1000faa85)
    #2 0x108ed2d58 in mrb_realloc_simple gc.c:202
    #3 0x108ed343e in mrb_realloc gc.c:216
    #4 0x108ff035f in stack_extend_alloc (mruby:x86_64+0x10019935f)
    #5 0x108fb4d4f in stack_extend (mruby:x86_64+0x10015dd4f)
    #6 0x108fc8a56 in mrb_vm_exec (mruby:x86_64+0x100171a56)
    #7 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #8 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #9 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #10 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #11 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #12 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #13 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #14 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #15 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #16 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #17 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #18 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #19 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #20 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #21 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #22 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #23 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #24 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #25 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)
    #26 0x108fd3b75 in mrb_vm_exec (mruby:x86_64+0x10017cb75)
    #27 0x108fbcdbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #28 0x108fb5a4e in mrb_run (mruby:x86_64+0x10015ea4e)
    #29 0x108fecd1e in ecall (mruby:x86_64+0x100195d1e)

SUMMARY: AddressSanitizer: heap-use-after-free gc.c:651 in gc_mark_children
Shadow bytes around the buggy address:
  0x1c52000011e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c52000011f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c5200001200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c5200001210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c5200001220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c5200001230: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c5200001240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5200001250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5200001260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5200001270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5200001280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11958==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ston3
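The two sanitizer stacks above have a shape worth recognising: the region was freed by a realloc inside stack_extend (the VM stack grew and moved), and the stale address was then read by the GC marker. The C below is an added illustration of that bug class and its standard mitigation, not mruby's code and not the fix applied in e8dca6b: a model VM stack (`vstack`) that moves when it grows, and an object (`env`) that remembers a stack slot either as a raw pointer, which dangles after the move, or as an offset that is rebased on the current buffer. All names and the growth strategy are assumptions for the demonstration; the move is done as malloc+copy+free so the hazard is deterministic rather than depending on whether realloc happens to relocate.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical model (not mruby's code): a VM value stack that grows by
 * reallocation, and an object that remembers a position on that stack. */
typedef struct {
    int *base;   /* heap buffer; its address changes whenever the stack grows */
    size_t len;
    size_t cap;
} vstack;

typedef struct {
    int *cached;    /* hazardous form: raw pointer into the stack, dangles after growth */
    size_t offset;  /* safe form: index relative to whatever the current base is */
} env;

static int vstack_init(vstack *s, size_t cap) {
    s->base = malloc(cap * sizeof *s->base);
    if (!s->base) return -1;
    s->len = 0;
    s->cap = cap;
    return 0;
}

static void vstack_free(vstack *s) { free(s->base); s->base = NULL; s->len = s->cap = 0; }

/* Grow to hold `need` slots. Returns 1 if the buffer moved, 0 if no growth was
 * needed, -1 on allocation failure. malloc+copy+free makes the move deterministic
 * for the demo; a real realloc may or may not move, which is exactly why callers
 * must never assume the old address stays valid. */
static int vstack_extend(vstack *s, size_t need) {
    size_t ncap = s->cap;
    int *nbase;
    if (need <= s->cap) return 0;
    while (ncap < need) ncap *= 2;
    nbase = malloc(ncap * sizeof *nbase);
    if (!nbase) return -1;
    memcpy(nbase, s->base, s->len * sizeof *nbase);
    free(s->base);            /* old region is now a "freed heap region" (fd) to ASAN */
    s->base = nbase;
    s->cap = ncap;
    return 1;
}

static int vstack_push(vstack *s, int v) {
    if (s->len == s->cap && vstack_extend(s, s->len + 1) < 0) return -1;
    s->base[s->len++] = v;
    return 0;
}

/* Capture slot `idx` in both forms. */
static env env_capture(const vstack *s, size_t idx) {
    env e;
    e.cached = s->base + idx;
    e.offset = idx;
    return e;
}

/* Safe read: rebase the stored offset on the stack's current buffer. */
static int env_read_safe(const vstack *s, const env *e) {
    return s->base[e->offset];
}

/* Bookkeeping check: does the cached address still fall inside the live buffer?
 * Addresses are compared as integers, so nothing freed is dereferenced. */
static int env_pointer_live(const vstack *s, const env *e) {
    uintptr_t p = (uintptr_t)e->cached;
    uintptr_t lo = (uintptr_t)s->base;
    uintptr_t hi = lo + s->cap * sizeof *s->base;
    return p >= lo && p < hi;
}

typedef struct { int moved; int pointer_live; int safe_value; } demo_result;

/* Scenario with the report's shape: an object captures a stack slot, the stack is
 * extended and moves, then a marker visits the object. */
demo_result run_demo(void) {
    demo_result r = {0, 0, 0};
    vstack s;
    env e;
    int i;
    if (vstack_init(&s, 4) < 0) return r;
    for (i = 0; i < 4; i++) vstack_push(&s, i * 21);   /* slot 2 holds 42 */
    e = env_capture(&s, 2);
    r.moved = vstack_extend(&s, 4096);                  /* stack_extend analogue */
    r.pointer_live = env_pointer_live(&s, &e);          /* 0: the cached pointer dangles */
    r.safe_value = env_read_safe(&s, &e);               /* 42: offset rebased on the new base */
    /* Reading *e.cached here would be the heap-use-after-free the sanitizer reports;
     * it is deliberately not executed. */
    vstack_free(&s);
    return r;
}

/* Accessors so each result can be checked on its own. */
int demo_moved(void)        { return run_demo().moved; }
int demo_pointer_live(void) { return run_demo().pointer_live; }
int demo_safe_value(void)   { return run_demo().safe_value; }

int main(void) {
    demo_result r = run_demo();
    printf("moved=%d cached_pointer_live=%d safe_read=%d\n",
           r.moved, r.pointer_live, r.safe_value);
    return 0;
}
```

The defensive rule the model encodes is the one a reviewer would look for in any interpreter whose stack can be reallocated: objects that outlive a frame (closures, environments, ensure blocks) must not hold raw pointers into that stack across anything that can grow it; they hold an offset, or the VM patches every such pointer as part of the extend operation. The `env_pointer_live` check is useful as an assertion during fuzzing, and building with `-fsanitize=address` is what turns the silent stale read into the report shown above.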

@matz matz closed this in e8dca6b Apr 18, 2017

matz added a commit that referenced this issue Apr 22, 2017

matz added a commit that referenced this issue May 25, 2017

matz added a commit that referenced this issue May 25, 2017