Project

General

Profile

Actions
Copy link

Bug #19095

closed

use-after-poison with shapes

Added by nobu (Nobuyoshi Nakada) about 2 years ago. Updated about 2 years ago.

Status:
Closed
Assignee:
tenderlovemaking (Aaron Patterson)
Target version:
3.2
ruby -v:
ruby 3.2.0dev (2022-10-30T14:21:31Z master 7ed10abdd9) [x86_64-darwin21]
Backport:
2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN
[ruby-core:110555]

Description

Compiling with the clang address sanitizer and the following patch, make BASERUBY='$(MINIRUBY)' golf_prelude.c aborts by use-after-poison.
I can't make minimum code yet.

diff --git i/template/prelude.c.tmpl w/template/prelude.c.tmpl
index 428c9f4d014..7d4c3505d88 100644
--- i/template/prelude.c.tmpl
+++ w/template/prelude.c.tmpl
@@ -77,7 +77,7 @@ class Prelude
     result
   end
 end
-Prelude.new(output, ARGV, vpath).instance_eval do
+p(Prelude.new(output, ARGV, vpath)).instance_eval do
 -%>
 /* -*-c-*-
  THIS FILE WAS AUTOGENERATED BY template/prelude.c.tmpl. DO NOT EDIT.

Files

use-after-poison.txt (5.51 KB) use-after-poison.txt nobu (Nobuyoshi Nakada), 10/31/2022 05:48 AM
Actions
Copy link
 #1

Updated by tenderlovemaking (Aaron Patterson) about 2 years ago

  • Status changed from Open to Closed

Applied in changeset git|2d86e79fe6a8eaea85edb4b9ab59d12228dbd8b9.

Always lookup IV buffers when iterating

Always look up instance variable buffers when iterating. It is possible
for the instance variable buffer to change out from under the object
during iteration, so we cannot cache the buffer on the stack.

In the case of Bug #19095, the transient heap moved the buffer during
iteration:

Watchpoint 1 hit:
old value: 0x0000000107c00df8
new value: 0x00000001032743c0
Process 31720 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1
    frame #0: 0x00000001006e5178 miniruby`rb_obj_transient_heap_evacuate(obj=0x000000010d6b94b0, promote=1) at variable.c:1361:5
   1358         }
   1359         MEMCPY(new_ptr, old_ptr, VALUE, len);
   1360         ROBJECT(obj)->as.heap.ivptr = new_ptr;
-> 1361     }
   1362 }
   1363 #endif
   1364
miniruby`rb_obj_transient_heap_evacuate:
->  0x1006e5178 <+328>: b      0x1006e517c               ; <+332> at variable.c:1362:1
    0x1006e517c <+332>: ldp    x29, x30, [sp, #0x50]
    0x1006e5180 <+336>: add    sp, sp, #0x60
    0x1006e5184 <+340>: ret
Target 0: (miniruby) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1
  * frame #0: 0x00000001006e5178 miniruby`rb_obj_transient_heap_evacuate(obj=0x000000010d6b94b0, promote=1) at variable.c:1361:5
    frame #1: 0x00000001006cb150 miniruby`transient_heap_block_evacuate(theap=0x0000000100b196c0, block=0x0000000107c00000) at transient_heap.c:734:17
    frame #2: 0x00000001006c854c miniruby`transient_heap_evacuate(dmy=0x0000000000000000) at transient_heap.c:808:17
    frame #3: 0x00000001007fe6c0 miniruby`rb_postponed_job_flush(vm=0x0000000104402900) at vm_trace.c:1773:21
    frame #4: 0x0000000100637a84 miniruby`rb_threadptr_execute_interrupts(th=0x0000000103803bc0, blocking_timing=0) at thread.c:2316:13
    frame #5: 0x000000010078b730 miniruby`rb_vm_check_ints(ec=0x00000001048038d0) at vm_core.h:2025:9
    frame #6: 0x00000001006fbd10 miniruby`vm_pop_frame(ec=0x00000001048038d0, cfp=0x0000000104a04440, ep=0x0000000104904a28) at vm_insnhelper.c:422:5
    frame #7: 0x00000001006fbca0 miniruby`rb_vm_pop_frame(ec=0x00000001048038d0) at vm_insnhelper.c:431:5
    frame #8: 0x00000001007d6420 miniruby`vm_call0_cfunc_with_frame(ec=0x00000001048038d0, calling=0x000000016fdcc6a0, argv=0x0000000000000000) at vm_eval.c:153:9
    frame #9: 0x00000001007d44cc miniruby`vm_call0_cfunc(ec=0x00000001048038d0, calling=0x000000016fdcc6a0, argv=0x0000000000000000) at vm_eval.c:164:12
    frame #10: 0x0000000100766e80 miniruby`vm_call0_body(ec=0x00000001048038d0, calling=0x000000016fdcc6a0, argv=0x0000000000000000) at vm_eval.c:210:15
    frame #11: 0x00000001007d76f0 miniruby`vm_call0_cc(ec=0x00000001048038d0, recv=0x000000010d6b49d8, id=2769, argc=0, argv=0x0000000000000000, cc=0x000000010d6b2e58, kw_splat=0) at vm_eval.c:87:12
    frame #12: 0x0000000100769e48 miniruby`rb_funcallv_scope(recv=0x000000010d6b49d8, mid=2769, argc=0, argv=0x0000000000000000, scope=CALL_FCALL) at vm_eval.c:1051:16
    frame #13: 0x0000000100760a54 miniruby`rb_funcallv(recv=0x000000010d6b49d8, mid=2769, argc=0, argv=0x0000000000000000) at vm_eval.c:1066:12
    frame #14: 0x000000010037513c miniruby`rb_inspect(obj=0x000000010d6b49d8) at object.c:633:34
    frame #15: 0x000000010002c950 miniruby`inspect_ary(ary=0x000000010d6b4938, dummy=0x0000000000000000, recur=0) at array.c:3091:13
    frame #16: 0x0000000100642020 miniruby`exec_recursive(func=(miniruby`inspect_ary at array.c:3084), obj=0x000000010d6b4938, pairid=0x0000000000000000, arg=0x0000000000000000, outer=0, mid=2769) at thread.c:5177:23
    frame #17: 0x00000001006412fc miniruby`rb_exec_recursive(func=(miniruby`inspect_ary at array.c:3084), obj=0x000000010d6b4938, arg=0x0000000000000000) at thread.c:5205:12
    frame #18: 0x00000001000127f0 miniruby`rb_ary_inspect(ary=0x000000010d6b4938) at array.c:3117:12

In general though, any calls back out to the interpreter could change
the IV buffer, so it's not safe to cache.

[Bug #19095]

Actions
Copy link

Also available in: Atom PDF

Like0
Like0