It looks like this is another way to cause a garbage collection during each_object, like in #3616.
ASAN report:
==48055==ERROR: AddressSanitizer: heap-use-after-free on address 0x62f00000e410 at pc 0x00010ac5db1c bp 0x7fff55016b70 sp 0x7fff55016b68
READ of size 8 at 0x62f00000e410 thread T0
#0 0x10ac5db1b in gc_each_objects gc.c:1501
#1 0x10ac5d594 in mrb_objspace_each_objects gc.c:1520
#2 0x10ade1f76 in os_each_object mruby_objectspace.c:172
#3 0x10ad4d206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
#4 0x10ad419e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#5 0x10ad75cdf in mrb_top_run (mruby:x86_64+0x100196cdf)
#6 0x10ae47dd5 in mrb_load_exec (mruby:x86_64+0x100268dd5)
#7 0x10ae48725 in mrb_load_file_cxt (mruby:x86_64+0x100269725)
#8 0x10abe0e46 in main mruby.c:227
#9 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
0x62f00000e410 is located 16 bytes inside of 49200-byte region [0x62f00000e400,0x62f00001a430)
freed by thread T0 here:
#0 0x10aff3356 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56356)
#1 0x10acd5316 in mrb_default_allocf (mruby:x86_64+0x1000f6316)
#2 0x10ac573c9 in mrb_free gc.c:270
#3 0x10ac61cbf in incremental_sweep_phase gc.c:1059
#4 0x10ac604bc in incremental_gc gc.c:1100
#5 0x10ac5bd16 in incremental_gc_until gc.c:1116
#6 0x10ac5c117 in clear_all_old gc.c:1142
#7 0x10ac650e1 in change_gen_gc_mode gc.c:1439
#8 0x10ac5f9f4 in gc_generational_mode_set gc.c:1480
#9 0x10ad4d206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
#10 0x10ad419e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#11 0x10ad3986e in mrb_run (mruby:x86_64+0x10015a86e)
#12 0x10ad3fa16 in mrb_yield_with_class (mruby:x86_64+0x100160a16)
#13 0x10ad406f8 in mrb_yield (mruby:x86_64+0x1001616f8)
#14 0x10ade31bf in os_each_object_cb mruby_objectspace.c:140
#15 0x10ac5dac8 in gc_each_objects gc.c:1498
#16 0x10ac5d594 in mrb_objspace_each_objects gc.c:1520
#17 0x10ade1f76 in os_each_object mruby_objectspace.c:172
#18 0x10ad4d206 in mrb_vm_exec (mruby:x86_64+0x10016e206)
#19 0x10ad419e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#20 0x10ad75cdf in mrb_top_run (mruby:x86_64+0x100196cdf)
#21 0x10ae47dd5 in mrb_load_exec (mruby:x86_64+0x100268dd5)
#22 0x10ae48725 in mrb_load_file_cxt (mruby:x86_64+0x100269725)
#23 0x10abe0e46 in main mruby.c:227
#24 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
previously allocated by thread T0 here:
#0 0x10aff3520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
#1 0x10acd52ff in mrb_default_allocf (mruby:x86_64+0x1000f62ff)
#2 0x10ac56078 in mrb_realloc_simple gc.c:203
#3 0x10ac567ce in mrb_realloc gc.c:217
#4 0x10ac57253 in mrb_malloc gc.c:238
#5 0x10ac572ed in mrb_calloc gc.c:256
#6 0x10ac57899 in add_heap gc.c:326
#7 0x10ac5a987 in mrb_obj_alloc gc.c:512
#8 0x10acc45f3 in mrb_proc_new (mruby:x86_64+0x1000e55f3)
#9 0x10ac94364 in mrb_load_irep_cxt (mruby:x86_64+0x1000b5364)
#10 0x10ac954af in mrb_load_irep (mruby:x86_64+0x1000b64af)
#11 0x10adcc7df in GENERATED_TMP_mrb_mruby_range_ext_gem_init (mruby:x86_64+0x1001ed7df)
#12 0x10ae677ee in mrb_init_mrbgems (mruby:x86_64+0x1002887ee)
#13 0x10acd54b1 in mrb_open_allocf (mruby:x86_64+0x1000f64b1)
#14 0x10acd5457 in mrb_open (mruby:x86_64+0x1000f6457)
#15 0x10abdfd58 in main mruby.c:171
#16 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-use-after-free gc.c:1501 in gc_each_objects
Shadow bytes around the buggy address:
0x1c5e00001c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c5e00001c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c5e00001c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c5e00001c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c5e00001c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c5e00001c80: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c5e00001c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c5e00001ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c5e00001cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c5e00001cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c5e00001cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==48055==ABORTING
Abort trap: 6
The following input demonstrates a crash:
This issue was reported by https://hackerone.com/ahihi
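The trace above shows a callback run from gc_each_objects forcing a collection that sweeps (frees) the very heap page the walk is standing on, so the next `p->next` read hits freed memory. The guard such a walker needs, as an added toy model in C that is not mruby's code: the `iterating` / `gc_pending` flags and the page layout are assumptions standing in for the real allocator, and the sample heap is constructed inline.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy model of a GC heap: pages in a linked list, each with a live-object count. */
typedef struct page { struct page *next; int live; } page;
typedef struct { page *heaps; bool iterating; bool gc_pending; int freed; } gc_state;

/* Unlink and free every page with no live objects (models incremental_sweep_phase). */
static void sweep(gc_state *gc) {
    page **pp = &gc->heaps;
    while (*pp) {
        page *p = *pp;
        if (p->live == 0) { *pp = p->next; free(p); gc->freed++; }
        else pp = &p->next;
    }
}

/* A full collection requested from anywhere, including from inside a callback.
 * The guard is the point: while a page walk is in progress the sweep is deferred,
 * so the walker never reads p->next from a page that was just freed (the report's UAF). */
static void full_gc(gc_state *gc) {
    if (gc->iterating) { gc->gc_pending = true; return; }
    sweep(gc);
}

/* Walk every page and hand it to cb (models mrb_objspace_each_objects). */
static void each_objects(gc_state *gc, void (*cb)(gc_state *, page *)) {
    gc->iterating = true;
    for (page *p = gc->heaps; p; p = p->next) cb(gc, p);  /* p->next is read after cb returns */
    gc->iterating = false;
    if (gc->gc_pending) { gc->gc_pending = false; sweep(gc); }  /* run the deferred collection */
}

static int max_freed_in_cb;  /* highest gc->freed observed while a callback was running */

/* Callback modelling the reported trigger: drop the page's objects, then force a GC. */
static void cb_drop_and_collect(gc_state *gc, page *p) {
    p->live = 0;
    full_gc(gc);
    if (gc->freed > max_freed_in_cb) max_freed_in_cb = gc->freed;
}

/* Build three pages (constructed sample), walk them with the GC-forcing callback and
 * return the total pages freed; pages_freed_during_walk() reports how many went mid-walk. */
int demo_guarded_walk(void) {
    gc_state gc = {0};
    max_freed_in_cb = 0;
    for (int i = 0; i < 3; i++) {
        page *p = calloc(1, sizeof *p);
        p->live = 1; p->next = gc.heaps; gc.heaps = p;
    }
    each_objects(&gc, cb_drop_and_collect);
    return gc.freed;  /* 3: every page freed, but only after the walk finished */
}
int pages_freed_during_walk(void) { return max_freed_in_cb; }
```

Without the `iterating` check in full_gc the first callback would free the page the loop is about to dereference, which is exactly the read at gc.c:1501 that ASAN flags.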