From 9c93854a97a0135a82c38e1d740d5ba3b92eee3c Mon Sep 17 00:00:00 2001 From: Shixin Zeng Date: Tue, 19 May 2015 15:21:19 -0400 Subject: [PATCH] Remove free'd serieses from GC_Infants reported by address sanitizer with manual poisonation: ================================================================= ==11513==ERROR: AddressSanitizer: use-after-poison on address 0x7efe281542c0 at pc 0x00000071038f bp 0x7ffdc9de9330 sp 0x7ffdc9de9328 READ of size 4 at 0x7efe281542c0 thread T0 #0 0x71038e in Mark_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:501:6 #1 0x70ea8b in Recycle /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:744:4 #2 0x7bbde6 in N_recycle /home/zsx/stuffs/work/r3.git/make/../src/core/n-system.c:99:10 #3 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #4 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #5 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #6 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #7 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #8 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11 #9 0xb0b6d9 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4 #10 0xb0e7f7 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9 #11 0xb07b10 in Parse_Series /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:96:9 #12 0xb06b65 in N_parse /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:1269:7 #13 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #14 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #15 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #16 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #17 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #18 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #19 0x745e54 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10 #20 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #21 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #22 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #23 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 #24 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #25 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #26 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #27 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11 #28 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #29 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #30 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #31 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #32 0x749b0b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8 #33 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #34 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #35 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #36 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3 #37 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #38 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #39 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #40 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3 #41 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #42 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #43 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #44 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3 #45 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #46 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #47 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #48 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #49 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33 #50 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10 #51 0x582548 in Init_Mezz /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:2320:9 #52 0x52e62f in RL_Start /home/zsx/stuffs/work/r3.git/make/../src/core/a-lib.c:193:9 #53 0xbb6c93 in main /home/zsx/stuffs/work/r3.git/make/../src/os/host-main.c:235:6 #54 0x7efe2bfcb7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff) #55 0x486498 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x486498) 0x7efe281542c0 is located 96960 bytes inside of 131088-byte region [0x7efe2813c800,0x7efe2815c810) allocated by thread T0 here: #0 0x50d462 in __interceptor_malloc (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x50d462) #1 0x721a85 in Make_Mem /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:127:14 #2 0x723acd in Fill_Pool /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:235:19 #3 0x7233af in Make_Node /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:280:20 #4 0x725f8a in Make_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:391:21 #5 0x738823 in Copy_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-series.c:261:19 #6 0x5f93a6 in Copy_Deep_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:131:22 #7 0x5f98cf in Copy_Deep_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:136:6 #8 0x5fa3ed in Copy_Block_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:159:18 #9 0x89efc2 in T_Block /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:796:23 #10 0x5c458f in Do_Act /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:338:8 #11 0x5c5927 in Do_Action /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:396:2 #12 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #13 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #14 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 #15 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #16 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #17 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #18 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11 #19 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #20 0x749b0b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8 #21 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #22 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #23 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11 #24 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11 #25 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33 #26 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10 #27 0x5a37d0 in Make_Module /home/zsx/stuffs/work/r3.git/make/../src/core/c-frame.c:585:10 #28 0x9510d5 in T_Object /home/zsx/stuffs/work/r3.git/make/../src/core/t-object.c:308:16 #29 0x8ac4eb in T_Datatype /home/zsx/stuffs/work/r3.git/make/../src/core/t-datatype.c:92:20 SUMMARY: AddressSanitizer: use-after-poison /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:501 Mark_Series Shadow bytes around the buggy address: 0x0fe045022800: f7 f7 00 00 00 00 00 00 00 00 f7 f7 f7 f7 00 00 0x0fe045022810: 00 00 00 00 00 00 f7 f7 f7 f7 00 00 00 00 00 00 0x0fe045022820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe045022830: 00 00 f7 f7 f7 f7 00 00 00 00 00 00 00 00 f7 f7 0x0fe045022840: f7 f7 00 00 00 00 00 00 00 00 f7 f7 f7 f7 00 00 =>0x0fe045022850: 00 00 00 00 00 00 f7 f7[f7]f7 00 00 00 00 00 00 0x0fe045022860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe045022870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe045022880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe045022890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe0450228a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==11513==ABORTING --- src/core/m-pools.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/core/m-pools.c b/src/core/m-pools.c index 57934cba97..ba3d95786e 100644 --- a/src/core/m-pools.c +++ b/src/core/m-pools.c @@ -560,6 +560,12 @@ const REBPOOLSPEC Mem_Pool_Spec[MAX_POOLS] = Free_Node(SERIES_POOL, (REBNOD *)series); + /* remove from GC_Infants */ + for (n = 0; n < MAX_SAFE_SERIES; n++) { + if (GC_Infants[n] == series) + GC_Infants[n] = NULL; + } + /* Old torture mode: if (!SERIES_FREED(series)) { // Don't try to free twice. MUNG_CHECK(SERIES_POOL, (REBNOD *)series, Mem_Pools[SERIES_POOL].wide);