You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
==53995==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900000f080 at pc 0x0001092862f8 bp 0x7fff57562d10 sp 0x7fff575624c0
READ of size 16 at 0x61900000f080 thread T0
#0 0x1092862f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
#1 0x10889ba5a in fiber_switch fiber.c:198
#2 0x10889e715 in fiber_resume fiber.c:244
#3 0x108804f65 in mrb_vm_exec vm.c:1304
#4 0x1087fa07f in mrb_vm_run vm.c:854
#5 0x10882d649 in mrb_top_run vm.c:2705
#6 0x1088fea85 in mrb_load_exec parse.y:5780
#7 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
#8 0x1086954c6 in main mruby.c:227
#9 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)
0x61900000f080 is located 0 bytes inside of 1024-byte region [0x61900000f080,0x61900000f480)
freed by thread T0 here:
#0 0x10928f356 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56356)
#1 0x10878dfeb in mrb_default_allocf state.c:56
#2 0x108710499 in mrb_free gc.c:269
#3 0x10878fe5c in mrb_free_context state.c:226
#4 0x108711332 in obj_free gc.c:777
#5 0x10871a59b in incremental_sweep_phase gc.c:1038
#6 0x108718e3c in incremental_gc gc.c:1104
#7 0x108714e06 in incremental_gc_until gc.c:1120
#8 0x108715207 in clear_all_old gc.c:1146
#9 0x10870f3d1 in mrb_full_gc gc.c:1212
#10 0x1087167b3 in gc_start gc.c:1324
#11 0x108804f65 in mrb_vm_exec vm.c:1304
#12 0x1087fa07f in mrb_vm_run vm.c:854
#13 0x10882d649 in mrb_top_run vm.c:2705
#14 0x1088fea85 in mrb_load_exec parse.y:5780
#15 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
#16 0x1086954c6 in main mruby.c:227
#17 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)
previously allocated by thread T0 here:
#0 0x10928f520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
#1 0x10878e005 in mrb_default_allocf state.c:60
#2 0x10870f1b8 in mrb_realloc_simple gc.c:202
#3 0x10870f89e in mrb_realloc gc.c:216
#4 0x108710323 in mrb_malloc gc.c:237
#5 0x10889d7d1 in fiber_init fiber.c:94
#6 0x1087ef552 in mrb_funcall_with_block vm.c:445
#7 0x1086d2769 in mrb_instance_new class.c:1430
#8 0x108804f65 in mrb_vm_exec vm.c:1304
#9 0x1087fa07f in mrb_vm_run vm.c:854
#10 0x10882d649 in mrb_top_run vm.c:2705
#11 0x1088fea85 in mrb_load_exec parse.y:5780
#12 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
#13 0x1086954c6 in main mruby.c:227
#14 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
0x1c3200001dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c3200001dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c3200001de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c3200001df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3200001e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c3200001e10:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200001e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200001e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200001e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200001e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200001e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==53995==ABORTING
Abort trap: 6
Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic) reported a similar case. Given the similar input, it's possible that the root cause is the same:
The following input demonstrates a crash:
ASAN report:
This issue was reported by https://hackerone.com/ssarong
The text was updated successfully, but these errors were encountered: