Use after free #55
Just by launching `make tests`:

```
==12942==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b0000054a8 at pc 0x7f8d6b735773 bp 0x7fff133de6d0 sp 0x7fff133de6c8
READ of size 4 at 0x62b0000054a8 thread T0
#0 0x7f8d6b735772 in PH7_VmEmitInstr engine/vm.c:299
#1 0x7f8d6b76433d in VmEvalChunk engine/vm.c:8999
#2 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003
#3 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644
#4 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482)
#5 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308
#6 0x563853924149 in _start (/home/dcarlier/Contribs/Aer/binary/aer+0x1149)
0x62b0000054a8 is located 21160 bytes inside of 24596-byte region [0x62b000000200,0x62b000006214)
freed by thread T0 here:
#0 0x7f8d6c4cb1d7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x1071d7)
#1 0x7f8d6b6b2928 in SyOSHeapFree engine/lib/memory.c:39
#2 0x7f8d6b6b2945 in MemOSFree engine/lib/memory.c:108
#3 0x7f8d6b6b3caa in MemBackendFree engine/lib/memory.c:273
#4 0x7f8d6b6b5fba in SyMemBackendFree engine/lib/memory.c:290
#5 0x7f8d6b6a3c62 in SySetRelease engine/lib/dataset.c:97
#6 0x7f8d6b710ffe in PH7_CompileAerScript engine/compiler.c:5174
#7 0x7f8d6b76402c in VmEvalChunk engine/vm.c:8986
#8 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003
#9 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644
#10 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482)
#11 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here:
#0 0x7f8d6c4cb98e in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10798e)
#1 0x7f8d6b6b296c in SyOSHeapRealloc engine/lib/memory.c:31
#2 0x7f8d6b6b4b7f in MemOSRealloc engine/lib/memory.c:98
#3 0x7f8d6b6b3730 in MemBackendRealloc engine/lib/memory.c:208
#4 0x7f8d6b6b5c89 in SyMemBackendRealloc engine/lib/memory.c:246
#5 0x7f8d6b6a2bba in SySetPut engine/lib/dataset.c:31
#6 0x7f8d6b6bbe16 in SyLexTokenizeInput engine/lib/tokenizer.c:72
#7 0x7f8d6b6c89cf in PH7_TokenizeAerScript engine/lexer.c:604
#8 0x7f8d6b7103dd in PH7_CompileScript engine/compiler.c:5093
#9 0x7f8d6b710e91 in PH7_CompileAerScript engine/compiler.c:5167
#10 0x7f8d6b76402c in VmEvalChunk engine/vm.c:8986
#11 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003
#12 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644
#13 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482)
#14 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free engine/vm.c:299 in PH7_VmEmitInstr
Shadow bytes around the buggy address:
0x0c567fff8a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c567fff8a90: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c567fff8aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==12942==ABORTING
make: *** [Makefile:165: tests/reference_test.test] Error 1
```
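As an added example (not part of this issue or of the Aer/PH7 code base): a small Python triage helper that parses a report like the one above into the three stacks ASan prints (where the freed memory was read, where it was freed, where it was allocated) and derives a deduplication signature from the first project-owned frame of each stack. The sample report is abridged from the one above; the list of allocator wrapper prefixes to skip when picking the owning frame is an assumption made here from the frame names in this report, not anything ASan itself defines.

```python
import re
from dataclasses import dataclass, field

# Abridged copy of the AddressSanitizer report from the issue above (shadow-byte
# dump and the outer frames of the access stack omitted).
SAMPLE_REPORT = """\
==12942==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b0000054a8 at pc 0x7f8d6b735773 bp 0x7fff133de6d0 sp 0x7fff133de6c8
READ of size 4 at 0x62b0000054a8 thread T0
    #0 0x7f8d6b735772 in PH7_VmEmitInstr engine/vm.c:299
    #1 0x7f8d6b76433d in VmEvalChunk engine/vm.c:8999
    #2 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003
0x62b0000054a8 is located 21160 bytes inside of 24596-byte region [0x62b000000200,0x62b000006214)
freed by thread T0 here:
    #0 0x7f8d6c4cb1d7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x1071d7)
    #1 0x7f8d6b6b2928 in SyOSHeapFree engine/lib/memory.c:39
    #2 0x7f8d6b6b2945 in MemOSFree engine/lib/memory.c:108
    #3 0x7f8d6b6b3caa in MemBackendFree engine/lib/memory.c:273
    #4 0x7f8d6b6b5fba in SyMemBackendFree engine/lib/memory.c:290
    #5 0x7f8d6b6a3c62 in SySetRelease engine/lib/dataset.c:97
    #6 0x7f8d6b710ffe in PH7_CompileAerScript engine/compiler.c:5174
previously allocated by thread T0 here:
    #0 0x7f8d6c4cb98e in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10798e)
    #1 0x7f8d6b6b296c in SyOSHeapRealloc engine/lib/memory.c:31
    #2 0x7f8d6b6b4b7f in MemOSRealloc engine/lib/memory.c:98
    #3 0x7f8d6b6b3730 in MemBackendRealloc engine/lib/memory.c:208
    #4 0x7f8d6b6b5c89 in SyMemBackendRealloc engine/lib/memory.c:246
    #5 0x7f8d6b6a2bba in SySetPut engine/lib/dataset.c:31
    #6 0x7f8d6b6bbe16 in SyLexTokenizeInput engine/lib/tokenizer.c:72
SUMMARY: AddressSanitizer: heap-use-after-free engine/vm.c:299 in PH7_VmEmitInstr
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (.+)$")

# Frames owned by the sanitizer runtime or the C runtime, never by the project.
RUNTIME_PREFIXES = ("__interceptor_", "__libc_start_main", "_start")
# Allocator wrapper layers visible in this report. Skipping them when choosing the
# "owning" frame is a triage heuristic assumed here, not something ASan does.
ALLOCATOR_WRAPPERS = ("SyOSHeap", "MemOS", "MemBackend", "SyMemBackend")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file.c:line", or "(binary+offset)" when not symbolized


@dataclass
class AsanReport:
    pid: int
    kind: str            # e.g. heap-use-after-free
    address: str
    access: str = None   # READ / WRITE
    access_size: int = None
    offset_in_region: int = None
    region_size: int = None
    # "access", "free", "alloc" -> frames in the order ASan printed them
    stacks: dict[str, list[Frame]] = field(default_factory=dict)


def parse_asan_report(text: str) -> AsanReport:
    """Extract the error kind, the faulting access and the three stacks from ASan output."""
    report, current = None, None
    for line in text.splitlines():
        if report is None:
            m = HEADER_RE.match(line)
            if m:  # anything before the header (make output, warnings) is ignored
                report = AsanReport(pid=int(m.group(1)), kind=m.group(2), address=m.group(3))
            continue
        if m := ACCESS_RE.match(line):
            report.access, report.access_size = m.group(1), int(m.group(2))
            current = report.stacks.setdefault("access", [])
        elif m := REGION_RE.search(line):
            report.offset_in_region, report.region_size = int(m.group(1)), int(m.group(2))
            current = None
        elif line.startswith("freed by thread"):
            current = report.stacks.setdefault("free", [])
        elif line.startswith("previously allocated by thread"):
            current = report.stacks.setdefault("alloc", [])
        elif line.startswith("SUMMARY:"):
            current = None
        elif current is not None and (m := FRAME_RE.match(line)):
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def first_project_frame(frames: list, skip_prefixes=()):
    """First frame outside the sanitizer/C runtime, also skipping skip_prefixes."""
    for f in frames:
        if f.function.startswith(RUNTIME_PREFIXES) or "libasan" in f.location:
            continue
        if skip_prefixes and f.function.startswith(skip_prefixes):
            continue
        return f
    return None


def crash_signature(report: AsanReport, wrappers=ALLOCATOR_WRAPPERS) -> str:
    """Stable key for deduplicating crashes: kind plus the owning frame of each stack."""
    parts = [report.kind]
    for name in ("access", "free", "alloc"):
        f = first_project_frame(report.stacks.get(name, []), wrappers)
        parts.append(f.function if f else "?")
    return "|".join(parts)
```

Running `crash_signature(parse_asan_report(SAMPLE_REPORT))` reduces the report to `heap-use-after-free|PH7_VmEmitInstr|SySetRelease|SySetPut`, which reads as the object's lifetime: a set buffer grown by `SySetPut` during tokenizing, released by `SySetRelease` at the end of compilation, and still read by the instruction emitter afterwards. The same key, computed across a batch of sanitizer logs, tells you whether later crashes are this bug or a different one.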
Does it occur on 4881ddf6de?
For the record, it does not occur with this tag.
Reverted 3dcc908788 with 3b9d91f186. Will investigate deeper after vacation.