ASAN detects a heap-use-after-free in dump.c #44931

Closed
tkf opened this issue Apr 11, 2022 · 2 comments
Labels: bug (Indicates an unexpected problem or unintended behavior), ci (Continuous integration)

Comments

@tkf
Member

tkf commented Apr 11, 2022

https://buildkite.com/julialang/julia-master/builds/10957#c804d848-190a-4b1d-878e-652d22e86e6d/1482-1501 (a build for 992b261)

precompile   (1) |        started at 2022-04-10T19:25:07.967
=================================================================
==15357==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110096d0c98 at pc 0x7f2aac3ea090 bp 0x7ffdb90cf160 sp 0x7ffdb90cf158
WRITE of size 8 at 0x6110096d0c98 thread T0
    #0 0x7f2aac3ea08f in validate_new_code_instances /cache/build/default-amdci4-3/julialang/julia-master/src/dump.c:2445:83
    #1 0x7f2aac3d4024 in _jl_restore_incremental /cache/build/default-amdci4-3/julialang/julia-master/src/dump.c:3119:5
    #2 0x7f2aac3d441c in ijl_restore_incremental /cache/build/default-amdci4-3/julialang/julia-master/src/dump.c:3166:12
    #3 0x7f2a99f45b1b in julia__include_from_serialized_25041 loading.jl:793
    #4 0x7f2a99e1ae41 in julia__require_search_from_serialized_35628 loading.jl:921
    #5 0x7f2a99ded85f in _require_search_from_serialized loading.jl:893
    #6 0x7f2a99ded85f in julia__require_24191 loading.jl:1196
    #7 0x7f2a99df102d in julia__require_prelocked_36008 loading.jl:1089
    #8 0x7f2a99df7f79 in macro expansion loading.jl:1069
    #9 0x7f2a99df7f79 in macro expansion lock.jl:267
    #10 0x7f2a99df7f79 in julia_require_33480 loading.jl:1033
    #11 0x7f2a99df869c in jfptr_require_33481 text
    #12 0x7f2aac346f24 in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2348:35
    #13 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #14 0x7f2aac409f0a in jl_apply /cache/build/default-amdci4-3/julialang/julia-master/src/julia.h:1830:12
    #15 0x7f2aac417fc6 in call_require /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:465:27
    #16 0x7f2aac413626 in eval_import_path /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:502:17
    #17 0x7f2aac40d491 in jl_toplevel_eval_flex /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:728:39
    #18 0x7f2aac4145b3 in ijl_toplevel_eval /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:918:12
    #19 0x7f2aac414a8b in ijl_toplevel_eval_in /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:968:13
    #20 0x7f2a98993a4e  (<unknown module>)
    #21 0x7f2a98996e8f  (<unknown module>)
    #22 0x7f2aac34729f in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2367:23
    #23 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #24 0x7f2a9894b412  (<unknown module>)
    #25 0x7f2a9894bcac  (<unknown module>)
    #26 0x7f2a9894c103  (<unknown module>)
    #27 0x7f2aac346f24 in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2348:35
    #28 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #29 0x7f2aac3a6d0a in jl_apply /cache/build/default-amdci4-3/julialang/julia-master/src/julia.h:1830:12
    #30 0x7f2aac3a6756 in do_call /cache/build/default-amdci4-3/julialang/julia-master/src/interpreter.c:126:26
    #31 0x7f2aac3a266b in eval_value /cache/build/default-amdci4-3/julialang/julia-master/src/interpreter.c:215:16
    #32 0x7f2aac3a59ac in eval_stmt_value /cache/build/default-amdci4-3/julialang/julia-master/src/interpreter.c:166:23
    #33 0x7f2aac39f8cf in eval_body /cache/build/default-amdci4-3/julialang/julia-master/src/interpreter.c:594:21
    #34 0x7f2aac3a10d2 in jl_interpret_toplevel_thunk /cache/build/default-amdci4-3/julialang/julia-master/src/interpreter.c:750:21
    #35 0x7f2aac4106eb in jl_toplevel_eval_flex /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:909:18
    #36 0x7f2aac40f481 in jl_toplevel_eval_flex /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:853:19
    #37 0x7f2aac4145b3 in ijl_toplevel_eval /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:918:12
    #38 0x7f2aac414a8b in ijl_toplevel_eval_in /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:968:13
    #39 0x7f2a99de8524 in eval boot.jl:370
    #40 0x7f2a99de8524 in japi1_include_string_33501 loading.jl:1297
    #41 0x7f2aac32b63d in jl_fptr_args /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2128:20
    #42 0x7f2aac346f24 in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2348:35
    #43 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #44 0x7f2a99ec9367 in japi1__include_24919 loading.jl:1357
    #45 0x7f2a989408b5  (<unknown module>)
    #46 0x7f2a98941470  (<unknown module>)
    #47 0x7f2a989414e0  (<unknown module>)
    #48 0x7f2aac34729f in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2367:23
    #49 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #50 0x7f2aac3792aa in jl_apply /cache/build/default-amdci4-3/julialang/julia-master/src/julia.h:1830:12
    #51 0x7f2aac37920d in jl_f__call_latest /cache/build/default-amdci4-3/julialang/julia-master/src/builtins.c:774:23
    #52 0x7f2aac32b63d in jl_fptr_args /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2128:20
    #53 0x7f2aac346f24 in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2348:35
    #54 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #55 0x7f2aac3792aa in jl_apply /cache/build/default-amdci4-3/julialang/julia-master/src/julia.h:1830:12
    #56 0x7f2aac378ba4 in do_apply /cache/build/default-amdci4-3/julialang/julia-master/src/builtins.c:730:26
    #57 0x7f2aac37677c in jl_f__apply_iterate /cache/build/default-amdci4-3/julialang/julia-master/src/builtins.c:738:12
    #58 0x7f2a9893ac28  (<unknown module>)
    #59 0x7f2aac32b63d in jl_fptr_args /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2128:20
    #60 0x7f2aac34729f in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2367:23
    #61 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #62 0x7f2aac3792aa in jl_apply /cache/build/default-amdci4-3/julialang/julia-master/src/julia.h:1830:12
    #63 0x7f2aac378ba4 in do_apply /cache/build/default-amdci4-3/julialang/julia-master/src/builtins.c:730:26
    #64 0x7f2aac37677c in jl_f__apply_iterate /cache/build/default-amdci4-3/julialang/julia-master/src/builtins.c:738:12
    #65 0x7f2a9893aa7a  (<unknown module>)
    #66 0x7f2aac32b63d in jl_fptr_args /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2128:20
    #67 0x7f2aac34729f in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2367:23
    #68 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #69 0x7f2a988bea59  (<unknown module>)
    #70 0x7f2a988c0cdd  (<unknown module>)
    #71 0x7f2a988c0ea0  (<unknown module>)
    #72 0x7f2aac34729f in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2367:23
    #73 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #74 0x7f2aac3a6d0a in jl_apply /cache/build/default-amdci4-3/julialang/julia-master/src/julia.h:1830:12
    #75 0x7f2aac3a6756 in do_call /cache/build/default-amdci4-3/julialang/julia-master/src/interpreter.c:126:26
    #76 0x7f2aac3a266b in eval_value /cache/build/default-amdci4-3/julialang/julia-master/src/interpreter.c:215:16
    #77 0x7f2aac3a59ac in eval_stmt_value /cache/build/default-amdci4-3/julialang/julia-master/src/interpreter.c:166:23
    #78 0x7f2aac39f8cf in eval_body /cache/build/default-amdci4-3/julialang/julia-master/src/interpreter.c:594:21
    #79 0x7f2aac3a10d2 in jl_interpret_toplevel_thunk /cache/build/default-amdci4-3/julialang/julia-master/src/interpreter.c:750:21
    #80 0x7f2aac4106eb in jl_toplevel_eval_flex /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:909:18
    #81 0x7f2aac40f481 in jl_toplevel_eval_flex /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:853:19
    #82 0x7f2aac4145b3 in ijl_toplevel_eval /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:918:12
    #83 0x7f2aac414a8b in ijl_toplevel_eval_in /cache/build/default-amdci4-3/julialang/julia-master/src/toplevel.c:968:13
    #84 0x7f2a99de8524 in eval boot.jl:370
    #85 0x7f2a99de8524 in japi1_include_string_33501 loading.jl:1297
    #86 0x7f2aac32b63d in jl_fptr_args /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2128:20
    #87 0x7f2aac346f24 in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2348:35
    #88 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #89 0x7f2a99ec9367 in japi1__include_24919 loading.jl:1357
    #90 0x7f2a99ec95d9 in julia_include_28811 Base.jl:427
    #91 0x7f2a99ec962c in jfptr_include_28812 text
    #92 0x7f2aac346f24 in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2348:35
    #93 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #94 0x7f2a99dd8ca3 in julia_exec_options_22280 client.jl:303
    #95 0x7f2a99dd932a in julia__start_36836 client.jl:518
    #96 0x7f2a99dd9485 in jfptr__start_36837 text
    #97 0x7f2aac346f24 in _jl_invoke /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2348:35
    #98 0x7f2aac34736b in ijl_apply_generic /cache/build/default-amdci4-3/julialang/julia-master/src/gf.c:2549:12
    #99 0x7f2aac4a3a9a in jl_apply /cache/build/default-amdci4-3/julialang/julia-master/src/julia.h:1830:12
    #100 0x7f2aac4a67f2 in true_main /cache/build/default-amdci4-3/julialang/julia-master/src/jlapi.c:558:13
    #101 0x7f2aac4a6558 in jl_repl_entrypoint /cache/build/default-amdci4-3/julialang/julia-master/src/jlapi.c:702:15
    #102 0x7f2aadb5df42 in jl_load_repl /cache/build/default-amdci4-3/julialang/julia-master/cli/loader_lib.c:277:12
 
0x6110096d0c98 is located 88 bytes inside of 192-byte region [0x6110096d0c40,0x6110096d0d00)
freed by thread T0 here:
    #0 0x4b2492 in free /workspace/srcdir/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:111
    #1 0x7f2aac47b964 in jl_free_aligned /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:255:5
    #2 0x7f2aac47bd96 in sweep_big_list /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:1029:13
    #3 0x7f2aac47b50e in sweep_big /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:1041:9
    #4 0x7f2aac47a5df in gc_sweep_other /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:1515:5
    #5 0x7f2aac4731c4 in _jl_gc_collect /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:3180:5
    #6 0x7f2aac471edb in ijl_gc_collect /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:3293:13
    #7 0x7f2aac474f2e in maybe_collect /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:887:9
    #8 0x7f2aac4627db in jl_gc_big_alloc_inner /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:952:5
    #9 0x7f2aac46279c in ijl_gc_big_alloc /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:981:23
    #10 0x7f2aac463cd9 in jl_gc_pool_alloc_inner /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:1229:12
    #11 0x7f2aac463d00 in jl_gc_pool_alloc_noinline /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:1290:12
    #12 0x7f2aac41f6e8 in jl_gc_alloc_ /cache/build/default-amdci4-3/julialang/julia-master/src/julia_internal.h:370:13
    #13 0x7f2aac421f74 in jl_new_uninitialized_datatype /cache/build/default-amdci4-3/julialang/julia-master/src/datatype.c:97:40
    #14 0x7f2aac3123e6 in inst_datatype_inner /cache/build/default-amdci4-3/julialang/julia-master/src/jltypes.c:1490:11
    #15 0x7f2aac30d22c in inst_type_w_ /cache/build/default-amdci4-3/julialang/julia-master/src/jltypes.c:1804:13
    #16 0x7f2aac30ab06 in ijl_instantiate_unionall /cache/build/default-amdci4-3/julialang/julia-master/src/jltypes.c:1050:12
    #17 0x7f2aac30a275 in ijl_apply_type /cache/build/default-amdci4-3/julialang/julia-master/src/jltypes.c:982:14
    #18 0x7f2aac4d38d3 in intersect /cache/build/default-amdci4-3/julialang/julia-master/src/subtype.c:3136:27
    #19 0x7f2aac4dccd2 in intersect_unionall_ /cache/build/default-amdci4-3/julialang/julia-master/src/subtype.c:2577:15
    #20 0x7f2aac4d7aa9 in intersect_unionall /cache/build/default-amdci4-3/julialang/julia-master/src/subtype.c:2622:11
    #21 0x7f2aac4d314f in intersect /cache/build/default-amdci4-3/julialang/julia-master/src/subtype.c:3105:16
    #22 0x7f2aac4d93a9 in intersect_tuple /cache/build/default-amdci4-3/julialang/julia-master/src/subtype.c:2769:18
    #23 0x7f2aac4d3459 in intersect /cache/build/default-amdci4-3/julialang/julia-master/src/subtype.c:3122:24
    #24 0x7f2aac4dcbfb in intersect_unionall_ /cache/build/default-amdci4-3/julialang/julia-master/src/subtype.c:2573:15
    #25 0x7f2aac4d7aa9 in intersect_unionall /cache/build/default-amdci4-3/julialang/julia-master/src/subtype.c:2622:11
    #26 0x7f2aac4d31f1 in intersect /cache/build/default-amdci4-3/julialang/julia-master/src/subtype.c:3108:16
    #27 0x7f2aac4b7e85 in intersect_all /cache/build/default-amdci4-3/julialang/julia-master/src/subtype.c:3173:22
    #28 0x7f2aac4b5b2b in jl_type_intersection_env_s /cache/build/default-amdci4-3/julialang/julia-master/src/subtype.c:3415:16
    #29 0x7f2aac3521bc in jl_typemap_intersection_node_visitor /cache/build/default-amdci4-3/julialang/julia-master/src/typemap.c:459:27
 
previously allocated by thread T0 here:
    #0 0x4b3379 in posix_memalign /workspace/srcdir/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:210
    #1 0x7f2aac475c3d in jl_malloc_aligned /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:235:9
    #2 0x7f2aac46289a in jl_gc_big_alloc_inner /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:960:30
    #3 0x7f2aac46279c in ijl_gc_big_alloc /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:981:23
    #4 0x7f2aac463cd9 in jl_gc_pool_alloc_inner /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:1229:12
    #5 0x7f2aac463d00 in jl_gc_pool_alloc_noinline /cache/build/default-amdci4-3/julialang/julia-master/src/gc.c:1290:12
    #6 0x7f2aac3eb1d8 in jl_gc_alloc_ /cache/build/default-amdci4-3/julialang/julia-master/src/julia_internal.h:370:13
    #7 0x7f2aac3ed2ef in jl_deserialize_value_code_instance /cache/build/default-amdci4-3/julialang/julia-master/src/dump.c:1828:30
    #8 0x7f2aac3e6791 in jl_deserialize_value /cache/build/default-amdci4-3/julialang/julia-master/src/dump.c:2137:16
    #9 0x7f2aac3ed182 in jl_deserialize_value_method_instance /cache/build/default-amdci4-3/julialang/julia-master/src/dump.c:1819:38
    #10 0x7f2aac3e6774 in jl_deserialize_value /cache/build/default-amdci4-3/julialang/julia-master/src/dump.c:2135:16
    #11 0x7f2aac3d3a50 in _jl_restore_incremental /cache/build/default-amdci4-3/julialang/julia-master/src/dump.c:3091:21
    #12 0x7f2aac3d441c in ijl_restore_incremental /cache/build/default-amdci4-3/julialang/julia-master/src/dump.c:3166:12
    #13 0x7f2a99f45b1b in julia__include_from_serialized_25041 loading.jl:793
 
SUMMARY: AddressSanitizer: heap-use-after-free /cache/build/default-amdci4-3/julialang/julia-master/src/dump.c:2445:83 in validate_new_code_instances
Shadow bytes around the buggy address:
  0x0c22812d2140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22812d2150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22812d2160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22812d2170: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c22812d2180: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c22812d2190: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22812d21a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22812d21b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22812d21c0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c22812d21d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c22812d21e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15357==ABORTING
@pchintalapudi
Member

This is also present here in #44924: https://buildkite.com/julialang/julia-master/builds/10940#_

@DilumAluthge DilumAluthge added bug Indicates an unexpected problem or unintended behavior ci Continuous integration labels Apr 12, 2022
@vtjnash
Member

vtjnash commented Sep 28, 2022

Will be rewritten fully by #46920 (to avoid this problem), if it is not already fixed

@vtjnash vtjnash closed this as completed Sep 28, 2022