help strings of ASSERT and TRANSCODE #89
Merged
Nice, it's less confusing and doesn't change the doc string length.
Merged to community
carls added a commit that referenced this pull request Aug 18, 2013
Update help strings of ASSERT and TRANSCODE
zsx added a commit to zsx/r3 that referenced this pull request May 13, 2014
It will confuse Expand_Series expects "tail" to be the actual size, and cause a read beyond the allocated memory, or heap buffer overflow found by address sanitizer of GCC.
zsx added a commit to zsx/r3 that referenced this pull request Oct 15, 2014
Found by AddressSanitizer. This is happening because "GOB_TAIL(gob) = count" sets the tail of a series with length of "count" to be "count", and Expand_Series expects a terminator in the series. (m-series.c:90 size = (series->tail + 1) * wide;)
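The off-by-one described in the commit message above, as an added C example that is not part of the commit or of the Rebol source. It models a terminated series (only `tail`, `wide` and the size formula come from the quoted message; the `series_t` type, its `rest` field and all function names are assumptions) and shows why a tail equal to the allocated count makes the expand copy read one element past the buffer, next to a checked setter that keeps room for the terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a terminated series. Only `tail`, `wide` and the
 * size formula come from the commit message; the type, the `rest` field
 * and every function name here are assumptions made for this example. */
typedef struct {
    unsigned char *data; /* heap buffer holding rest * wide bytes */
    size_t wide;         /* bytes per element */
    size_t rest;         /* elements allocated */
    size_t tail;         /* elements in use; the terminator sits at index tail */
} series_t;

/* Allocate a zeroed series with room for `units` elements. 0 on success. */
int series_make(series_t *s, size_t units, size_t wide)
{
    if (units == 0 || wide == 0 || units > (size_t)-1 / wide)
        return -1;
    s->data = calloc(units, wide);
    if (s->data == NULL)
        return -1;
    s->wide = wide;
    s->rest = units;
    s->tail = 0;
    return 0;
}

/* Bytes the expand step copies: content plus terminator, i.e. the quoted
 * `size = (series->tail + 1) * wide`. */
size_t expand_copy_size(const series_t *s)
{
    return (s->tail + 1) * s->wide;
}

/* Bytes that copy would read past the allocation (0 means in bounds). */
size_t expand_overread(const series_t *s)
{
    size_t need = expand_copy_size(s);
    size_t have = s->rest * s->wide;
    return need > have ? need - have : 0;
}

/* "Before": the `GOB_TAIL(gob) = count` pattern, no room check. */
void set_tail_unchecked(series_t *s, size_t count) { s->tail = count; }

/* "After": accept the tail only if the terminator slot still fits. */
int set_tail_checked(series_t *s, size_t count)
{
    if (count >= s->rest)
        return -1;
    s->tail = count;
    memset(s->data + count * s->wide, 0, s->wide); /* write the terminator */
    return 0;
}

/* Grow by `extra` elements, refusing a series whose tail breaks the
 * invariant instead of copying from beyond the buffer. */
int series_expand(series_t *s, size_t extra)
{
    unsigned char *p;
    if (expand_overread(s) != 0 || extra > (size_t)-1 - s->rest)
        return -1;
    p = calloc(s->rest + extra, s->wide);
    if (p == NULL)
        return -1;
    memcpy(p, s->data, expand_copy_size(s));
    free(s->data);
    s->data = p;
    s->rest += extra;
    return 0;
}

/* Constructed case: 4 elements of 8 bytes, tail forced to 4. */
size_t demo_unchecked_overread(void)
{
    series_t s;
    size_t over;
    if (series_make(&s, 4, 8) != 0)
        return (size_t)-1;
    set_tail_unchecked(&s, 4);
    over = expand_overread(&s);          /* (4 + 1) * 8 - 4 * 8 = 8 */
    if (series_expand(&s, 4) != -1)      /* the guarded expand must refuse */
        over = (size_t)-1;
    free(s.data);
    return over;
}

/* Same series through the checked setter; returns the capacity after a
 * successful expand, or 0 on any unexpected result. */
size_t demo_checked_expand(void)
{
    series_t s;
    size_t rest = 0;
    if (series_make(&s, 4, 8) != 0)
        return 0;
    if (set_tail_checked(&s, 4) == -1    /* no terminator slot: rejected */
        && set_tail_checked(&s, 3) == 0  /* 3 elements + terminator fit */
        && expand_overread(&s) == 0
        && series_expand(&s, 4) == 0)
        rest = s.rest;                   /* 8 */
    free(s.data);
    return rest;
}

int main(void)
{
    printf("unchecked tail over-read: %zu bytes\n", demo_unchecked_overread());
    printf("capacity after checked expand: %zu\n", demo_checked_expand());
    return 0;
}
```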
zsx referenced this pull request in metaeducation/ren-c Jun 21, 2015
It will confuse Expand_Series expects "tail" to be the actual size, and cause a read beyond the allocated memory, or heap buffer overflow found by address sanitizer of GCC:
zsx referenced this pull request in metaeducation/ren-c Jun 21, 2015
Found by AddressSanitizer:

This is happening because "GOB_TAIL(gob) = count" sets the tail of a series with length of "count" to be "count", and Expand_Series expects a terminator in the series. (m-series.c:90 size = (series->tail + 1) * wide;)
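
The invariant described in the commit message above, as an added C example that is not code from Rebol or from this pull request: `series_t`, its fields and every function name are hypothetical, and the 4-element, 8-byte-wide case is constructed. It shows a tail set equal to the allocated length making the `(tail + 1) * wide` copy run one element past the buffer, next to a setter and an expansion that check for the terminator slot first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a growable series; not Rebol's own structure. */
typedef struct {
    unsigned char *data;
    size_t wide;  /* bytes per element */
    size_t tail;  /* elements in use; slot [tail] holds the terminator */
    size_t rest;  /* element slots actually allocated */
} series_t;

static int series_make(series_t *s, size_t wide, size_t slots) {
    if (wide == 0 || slots == 0 || slots > SIZE_MAX / wide) return -1;
    s->data = calloc(slots, wide);
    if (!s->data) return -1;
    s->wide = wide; s->tail = 0; s->rest = slots;
    return 0;
}

/* Bytes an expansion copies, as in the quoted line: (tail + 1) * wide. */
static size_t series_copy_bytes(const series_t *s) {
    return (s->tail + 1) * s->wide;
}

/* Bytes by which that copy would run past the allocation (0 if it fits). */
static size_t series_overread(const series_t *s) {
    size_t have = s->rest * s->wide;
    size_t need = series_copy_bytes(s);
    return need > have ? need - have : 0;
}

/* The pattern from the commit message: tail assigned with no room check. */
static void set_tail_unchecked(series_t *s, size_t count) { s->tail = count; }

/* Hardened setter: refuses a tail that leaves no terminator slot. */
static int set_tail_checked(series_t *s, size_t count) {
    if (count >= s->rest) return -1;
    s->tail = count;
    memset(s->data + count * s->wide, 0, s->wide);  /* write terminator */
    return 0;
}

/* Expansion that validates the invariant before it reads the old data. */
static int series_expand(series_t *s, size_t extra) {
    if (s->tail >= s->rest) return -1;                /* no terminator slot */
    if (extra > SIZE_MAX / s->wide - s->rest) return -1;  /* size overflow */
    unsigned char *bigger = calloc(s->rest + extra, s->wide);
    if (!bigger) return -1;
    memcpy(bigger, s->data, series_copy_bytes(s));    /* now within bounds */
    free(s->data);
    s->data = bigger;
    s->rest += extra;
    return 0;
}

/* Constructed case: 4 elements of 8 bytes each. */
enum { COUNT = 4, WIDE = 8 };

static size_t demo_unchecked_overread(void) {
    series_t s;
    if (series_make(&s, WIDE, COUNT) != 0) return (size_t)-1;
    set_tail_unchecked(&s, COUNT);      /* tail == allocated length */
    size_t over = series_overread(&s);  /* one element past the end */
    free(s.data);
    return over;
}

static int demo_expand_refuses_bad_tail(void) {
    series_t s;
    if (series_make(&s, WIDE, COUNT) != 0) return 0;
    set_tail_unchecked(&s, COUNT);
    int rc = series_expand(&s, 4);      /* rejected instead of over-reading */
    free(s.data);
    return rc == -1;
}

static int demo_checked_path(void) {
    series_t s;
    if (series_make(&s, WIDE, COUNT) != 0) return 0;
    int rejected = set_tail_checked(&s, COUNT) == -1;  /* no room: refused */
    free(s.data);
    if (series_make(&s, WIDE, COUNT + 1) != 0) return 0;  /* + terminator */
    int ok = set_tail_checked(&s, COUNT) == 0
          && series_overread(&s) == 0
          && series_expand(&s, 4) == 0
          && s.rest == (size_t)COUNT + 5;
    free(s.data);
    return rejected && ok;
}

int main(void) {
    printf("overread=%zu refused=%d checked=%d\n", demo_unchecked_overread(),
           demo_expand_refuses_bad_tail(), demo_checked_path());
    return 0;
}
```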
zsx referenced this pull request in metaeducation/ren-c Jun 21, 2015
It will confuse Expand_Series expects "tail" to be the actual size, and cause a read beyond the allocated memory, or heap buffer overflow found by address sanitizer of GCC:
0x4115f2 in Do_Args ../src/core/c-do.c:669 #147 0x4133c9 in Do_Next ../src/core/c-do.c:877 #148 0x414825 in Do_Blk ../src/core/c-do.c:1010 #149 0x492b66 in N_loop ../src/core/n-loop.c:590 #150 0x42dbb7 in Do_Native ../src/core/c-function.c:289 #151 0x413628 in Do_Next ../src/core/c-do.c:884 #152 0x414825 in Do_Blk ../src/core/c-do.c:1010 #153 0x42e869 in Do_Function ../src/core/c-function.c:415 rebol#154 0x419631 in Apply_Function ../src/core/c-do.c:1518 rebol#155 0x419918 in Apply_Func ../src/core/c-do.c:1545 rebol#156 0x42fef7 in Awake_System ../src/core/c-port.c:198 rebol#157 0x43012a in Wait_Ports ../src/core/c-port.c:231 #158 0x48cd62 in N_wait ../src/core/n-io.c:374 rebol#159 0x42dbb7 in Do_Native ../src/core/c-function.c:289 #160 0x413628 in Do_Next ../src/core/c-do.c:884 rebol#161 0x4115f2 in Do_Args ../src/core/c-do.c:669 rebol#162 0x4133c9 in Do_Next ../src/core/c-do.c:877 rebol#163 0x4115f2 in Do_Args ../src/core/c-do.c:669 #164 0x4133c9 in Do_Next ../src/core/c-do.c:877 rebol#165 0x414825 in Do_Blk ../src/core/c-do.c:1010 rebol#166 0x4929a7 in N_forever ../src/core/n-loop.c:527 #167 0x42dbb7 in Do_Native ../src/core/c-function.c:289 #168 0x413628 in Do_Next ../src/core/c-do.c:884 #169 0x4152ff in Try_Block ../src/core/c-do.c:1077 #170 0x48507e in N_try ../src/core/n-control.c:740 rebol#171 0x42dbb7 in Do_Native ../src/core/c-function.c:289 #172 0x413628 in Do_Next ../src/core/c-do.c:884 #173 0x4115f2 in Do_Args ../src/core/c-do.c:669 #174 0x414152 in Do_Next ../src/core/c-do.c:939 #175 0x4115f2 in Do_Args ../src/core/c-do.c:669 #176 0x4133c9 in Do_Next ../src/core/c-do.c:877 #177 0x4115f2 in Do_Args ../src/core/c-do.c:669 #178 0x4133c9 in Do_Next ../src/core/c-do.c:877 #179 0x414825 in Do_Blk ../src/core/c-do.c:1010 #180 0x42e869 in Do_Function ../src/core/c-function.c:415 #181 0x413628 in Do_Next ../src/core/c-do.c:884 rebol#182 0x414825 in Do_Blk ../src/core/c-do.c:1010 rebol#183 0x48459c in N_if ../src/core/n-control.c:619 #184 0x42dbb7 in Do_Native 
../src/core/c-function.c:289 #185 0x413628 in Do_Next ../src/core/c-do.c:884 #186 0x414825 in Do_Blk ../src/core/c-do.c:1010 #187 0x42e869 in Do_Function ../src/core/c-function.c:415 rebol#188 0x413628 in Do_Next ../src/core/c-do.c:884 #189 0x41309b in Do_Next ../src/core/c-do.c:858 rebol#190 0x414825 in Do_Blk ../src/core/c-do.c:1010 rebol#191 0x42e869 in Do_Function ../src/core/c-function.c:415 #192 0x413628 in Do_Next ../src/core/c-do.c:884 #193 0x414825 in Do_Blk ../src/core/c-do.c:1010 #194 0x42e869 in Do_Function ../src/core/c-function.c:415 #195 0x413628 in Do_Next ../src/core/c-do.c:884 rebol#196 0x4115f2 in Do_Args ../src/core/c-do.c:669 #197 0x414152 in Do_Next ../src/core/c-do.c:939 #198 0x48201c in N_all ../src/core/n-control.c:261 rebol#199 0x42dbb7 in Do_Native ../src/core/c-function.c:289 rebol#200 0x413628 in Do_Next ../src/core/c-do.c:884 rebol#201 0x414825 in Do_Blk ../src/core/c-do.c:1010 #202 0x491abc in Loop_Each ../src/core/n-loop.c:410 #203 0x492a6c in N_foreach ../src/core/n-loop.c:546 #204 0x42dbb7 in Do_Native ../src/core/c-function.c:289 #205 0x413628 in Do_Next ../src/core/c-do.c:884 #206 0x414825 in Do_Blk ../src/core/c-do.c:1010 #207 0x42e869 in Do_Function ../src/core/c-function.c:415 rebol#208 0x413628 in Do_Next ../src/core/c-do.c:884 rebol#209 0x414825 in Do_Blk ../src/core/c-do.c:1010 #210 0x485388 in N_unless ../src/core/n-control.c:763 rebol#211 0x42dbb7 in Do_Native ../src/core/c-function.c:289 rebol#212 0x413628 in Do_Next ../src/core/c-do.c:884 #213 0x414825 in Do_Blk ../src/core/c-do.c:1010 #214 0x42e869 in Do_Function ../src/core/c-function.c:415 rebol#215 0x413628 in Do_Next ../src/core/c-do.c:884 #216 0x414825 in Do_Blk ../src/core/c-do.c:1010 rebol#217 0x48459c in N_if ../src/core/n-control.c:619 rebol#218 0x42dbb7 in Do_Native ../src/core/c-function.c:289 #219 0x413628 in Do_Next ../src/core/c-do.c:884 rebol#220 0x414825 in Do_Blk ../src/core/c-do.c:1010 rebol#221 0x42ee10 in Do_Closure ../src/core/c-function.c:459 
rebol#222 0x413628 in Do_Next ../src/core/c-do.c:884 #223 0x4115f2 in Do_Args ../src/core/c-do.c:669 #224 0x414152 in Do_Next ../src/core/c-do.c:939 rebol#225 0x48201c in N_all ../src/core/n-control.c:261 #226 0x42dbb7 in Do_Native ../src/core/c-function.c:289 #227 0x413628 in Do_Next ../src/core/c-do.c:884 #228 0x414825 in Do_Blk ../src/core/c-do.c:1010 #229 0x491abc in Loop_Each ../src/core/n-loop.c:410 #230 0x492a6c in N_foreach ../src/core/n-loop.c:546 #231 0x42dbb7 in Do_Native ../src/core/c-function.c:289 #232 0x413628 in Do_Next ../src/core/c-do.c:884 #233 0x414825 in Do_Blk ../src/core/c-do.c:1010 #234 0x42e869 in Do_Function ../src/core/c-function.c:415 rebol#235 0x413628 in Do_Next ../src/core/c-do.c:884 #236 0x414825 in Do_Blk ../src/core/c-do.c:1010 #237 0x48459c in N_if ../src/core/n-control.c:619 #238 0x42dbb7 in Do_Native ../src/core/c-function.c:289 #239 0x413628 in Do_Next ../src/core/c-do.c:884 #240 0x414825 in Do_Blk ../src/core/c-do.c:1010 #241 0x42e869 in Do_Function ../src/core/c-function.c:415 #242 0x413628 in Do_Next ../src/core/c-do.c:884 #243 0x41309b in Do_Next ../src/core/c-do.c:858 rebol#244 0x414825 in Do_Blk ../src/core/c-do.c:1010 rebol#245 0x42e869 in Do_Function ../src/core/c-function.c:415 rebol#246 0x413628 in Do_Next ../src/core/c-do.c:884 #247 0x414825 in Do_Blk ../src/core/c-do.c:1010 #248 0x48459c in N_if ../src/core/n-control.c:619 rebol#249 0x42dbb7 in Do_Native ../src/core/c-function.c:289 #250 0x413628 in Do_Next ../src/core/c-do.c:884 #251 0x414825 in Do_Blk ../src/core/c-do.c:1010 0x62a00000b201 is located 1 bytes to the right of 20480-byte region [0x62a000006200,0x62a00000b200) allocated by thread T0 here: #0 0x7ffff6f58b1f in malloc (/usr/lib/libasan.so.1+0x54b1f) #1 0x47924a in Make_Mem ../src/core/m-pools.c:121 rebolsource#2 0x47a9ff in Make_Series ../src/core/m-pools.c:406 rebolsource#3 0x4aee84 in Make_Unicode ../src/core/s-make.c:59 #4 0x4bb797 in Init_Mold ../src/core/s-mold.c:1425 #5 0x40da64 in Init_Core 
../src/core/b-init.c:940 rebolsource#6 0x4055e0 in RL_Init ../src/core/a-lib.c:124 rebol#7 0x580aa2 in main ../src/os/host-main.c:154 #8 0x7ffff5719fff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff) SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/m-series.c:145 Expand_Series Shadow bytes around the buggy address: 0x0c547fff95f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c547fff9600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c547fff9610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c547fff9620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c547fff9630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c547fff9640:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c547fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c547fff9660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c547fff9670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c547fff9680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c547fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal:
zsx
referenced
this pull request
in metaeducation/ren-c
Jun 21, 2015
Found by AddressSanitizer:

==8157==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000f5897 at pc 0x4816ef bp 0x7fffffffafb0 sp 0x7fffffffafa0
READ of size 1 at 0x61d0000f5897 thread T0
SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/m-series.c:138 Expand_Series

This is happening because "GOB_TAIL(gob) = count" sets the tail of a series with length of "count" to be "count", and Expand_Series expects a terminator in the series. (m-series.c:90 size = (series->tail + 1) * wide;)
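The invariant described in the commit message above, as an added example that is not Rebol's own code: a series must always leave room for one terminator unit past its tail, because the expand step copies `(tail + 1) * wide` bytes. The `Series` struct and all function names here are hypothetical; only the size expression comes from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a series (hypothetical layout, not Rebol's REBSER):
 * `rest` units are allocated, `tail` units are in use, `wide` bytes each. */
typedef struct {
    unsigned char *data;
    size_t wide;
    size_t tail;   /* units in use, terminator not counted */
    size_t rest;   /* units allocated */
} Series;

/* Bytes an expand step copies: the expression quoted from m-series.c:90. */
static size_t copy_size(const Series *s) { return (s->tail + 1) * s->wide; }

/* Invariant: used units plus one terminator unit fit in the allocation. */
static int series_ok(const Series *s) {
    return s->data != NULL && s->wide != 0 && s->tail < s->rest;
}

/* Allocate room for `units` values plus the terminator unit. */
static int make_series(Series *s, size_t units, size_t wide) {
    if (wide == 0 || units == SIZE_MAX) return -1;
    s->data = calloc(units + 1, wide);   /* calloc rejects size overflow */
    if (s->data == NULL) return -1;
    s->wide = wide; s->tail = 0; s->rest = units + 1;
    return 0;
}

/* Checked form of "tail = count": refuse a tail that leaves no terminator. */
static int set_tail_checked(Series *s, size_t count) {
    if (s->data == NULL || count >= s->rest) return -1;
    s->tail = count;
    memset(s->data + count * s->wide, 0, s->wide);   /* write terminator */
    return 0;
}

/* Grow by `extra` units; copies tail+1 units only when that read is in bounds. */
static int expand_series_checked(Series *s, size_t extra) {
    if (!series_ok(s) || extra > SIZE_MAX - s->rest) return -1;
    unsigned char *p = calloc(s->rest + extra, s->wide);
    if (p == NULL) return -1;
    memcpy(p, s->data, copy_size(s));
    free(s->data);
    s->data = p; s->rest += extra;
    return 0;
}

/* Constructed failing case: buffer sized for exactly `count` units, tail set
 * to `count` directly. Returns 1 if the copy would over-read and is refused. */
static int exact_fit_rejected(size_t count, size_t wide) {
    Series s = { malloc(count * wide), wide, count, count };
    if (s.data == NULL) return -1;
    int over_read = copy_size(&s) > s.rest * s.wide;
    int refused = expand_series_checked(&s, 1) == -1;
    free(s.data);
    return over_read && refused;
}
```

Building the unchecked variant with `-fsanitize=address` is what surfaces this class of over-read as the heap-buffer-overflow report shown in the commit message.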
bug#1491 related changes, "throws an error" formulation replaced by "causes an error"