Project

General

Profile

Actions
Copy link

Bug #20402

closed

Double-free in TestIseqLoad#test_stressful_roundtrip

Added by kjtsanaktsidis (KJ Tsanaktsidis) about 1 month ago. Updated about 1 month ago.

Status:
Closed
Assignee:
kjtsanaktsidis (KJ Tsanaktsidis)
Target version:
-
ruby -v:
Backport:
3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
[ruby-core:117380]

Description

With ASAN enabled, the TestIseqLoad#test_stressful_roundtrip fails with the following output:

2/9] TestIseqLoad#test_stressful_roundtrip = 7.26 s
  1) Failure:
TestIseqLoad#test_stressful_roundtrip [/home/kj/ruby/test/-ext-/iseq_load/test_iseq_load.rb:20]:
pid 172821 killed by SIGSEGV (signal 11) (core dumped)
| -:10: [BUG] Segmentation fault at 0x0000000000000018
| ruby 3.4.0dev (2024-03-28T23:13:25Z master 02d40b6c17) [x86_64-linux]
|
| -- Control frame information -----------------------------------------------
| c:0005 p:---- s:0023 e:000022 CFUNC  :iseq_load
| c:0004 p:0037 s:0018 e:000017 METHOD -:10
| c:0003 p:0005 s:0010 e:000009 METHOD -:16
| c:0002 p:0054 s:0006 e:000005 EVAL   -:26 [FINISH]
| c:0001 p:0000 s:0003 E:000540 DUMMY  [FINISH]
|
| -- Ruby level backtrace information ----------------------------------------
| -:26:in '<main>'
| -:16:in 'test_bug8543'
| -:10:in 'assert_iseq_roundtrip'
| -:10:in 'iseq_load'
|
| -- Threading information ---------------------------------------------------
| Total ractor count: 1
| Ruby thread count for this ractor: 1
|
| -- Machine register context ------------------------------------------------
|  RIP: 0x0000556b3dc84a08 RBP: 0x00007ffeff1f6d40 RSP: 0x00007ffeff1f6c10
|  RAX: 0x0000000000000003 RBX: 0x0000000000000000 RCX: 0x00000fe916945e7a
|  RDX: 0x0000000000000001 RDI: 0x0000000000000018 RSI: 0x0000000000000000
|   R8: 0x00000000003ba300  R9: 0x0000000000000000 R10: 0x00000a4a000000b7
|  R11: 0x0000000000000000 R12: 0x000051b000016c80 R13: 0x00007f48b4a2f3b0
|  R14: 0x00007f48d283bb80 R15: 0x00000fe91a507760 EFL: 0x0000000000010246
|
| -- C level backtrace information -------------------------------------------
| /home/kj/ruby/build/ruby(___interceptor_backtrace+0x39) [0x556b3d8cf379] /home/kj/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4358
| /home/kj/ruby/build/ruby(rb_print_backtrace+0x14) [0x556b3ddef67c] /home/kj/ruby/build/../vm_dump.c:820
| /home/kj/ruby/build/ruby(rb_vm_bugreport) /home/kj/ruby/build/../vm_dump.c:1151
| /home/kj/ruby/build/ruby(rb_bug_for_fatal_signal+0x2db) [0x556b3e0190fb] /home/kj/ruby/build/../error.c:1087
| /home/kj/ruby/build/ruby(sigsegv+0x184) [0x556b3dc78ca4] /home/kj/ruby/build/../signal.c:926
| /lib64/libc.so.6(__restore_rt+0x0) [0x7f48d46429a0] /usr/src/debug/glibc-2.38-16.fc39.x86_64/signal/sigaction.c:34
| /home/kj/ruby/build/ruby(rb_st_free_table+0x18) [0x556b3dc84a08] /home/kj/ruby/build/../st.c:661
| /home/kj/ruby/build/ruby(finalize_deferred_heap_pages+0x224) [0x556b3d9dd0b4] /home/kj/ruby/build/../gc.c:4128
| /home/kj/ruby/build/ruby(gc_finalize_deferred+0x97) [0x556b3d9d7127] /home/kj/ruby/build/../gc.c:4195
| /home/kj/ruby/build/ruby(rb_postponed_job_flush+0x501) [0x556b3ddfde81] /home/kj/ruby/build/../vm_trace.c:1849
| /home/kj/ruby/build/ruby(rb_threadptr_execute_interrupts+0x35d) [0x556b3dce9ddd] /home/kj/ruby/build/../thread.c:2464
| /home/kj/ruby/build/ruby(rb_vm_pop_frame+0x18d) [0x556b3dd5b0dd] ../vm_core.h:2103
| /home/kj/ruby/build/ruby(vm_call_cfunc_with_frame_+0x392) [0x556b3ddc6d72] ../vm_insnhelper.c:3529
| /home/kj/ruby/build/ruby(vm_call_method_each_type+0x2a6) [0x556b3ddae576] ../vm_insnhelper.c:4470
| /home/kj/ruby/build/ruby(vm_call_method+0x2a2) [0x556b3ddadb22]
| /home/kj/ruby/build/ruby(vm_sendish+0xec7) [0x556b3dd63687]
| /home/kj/ruby/build/ruby(vm_exec_core+0x68fc) [0x556b3dd6cf4c] ../insns.def:891
| /home/kj/ruby/build/ruby(rb_vm_exec+0x350) [0x556b3dd64520] /home/kj/ruby/build/../vm.c:2552
| /home/kj/ruby/build/ruby(rb_ec_exec_node+0x264) [0x556b3d9b5844] /home/kj/ruby/build/../eval.c:282
| /home/kj/ruby/build/ruby(ruby_run_node+0x6e) [0x556b3d9b552e] /home/kj/ruby/build/../eval.c:320
| /home/kj/ruby/build/ruby(rb_main+0x29) [0x556b3d9b0981] /home/kj/ruby/build/../main.c:40
| /home/kj/ruby/build/ruby(main) /home/kj/ruby/build/../main.c:59
| /lib64/libc.so.6(__libc_start_call_main+0x7a) [0x7f48d462c14a] ../sysdeps/nptl/libc_start_call_main.h:58
| /lib64/libc.so.6(__libc_start_main_alias_2+0x8b) [0x7f48d462c20b] ../csu/libc-start.c:360
| [0x556b3d87ee05]

Reversing execution with rr reveals that DATA_PTR(labels_wrapper) = 0 in iseq_build_from_ary_body (https://github.com/ruby/ruby/blob/cdb8d208c919bbc72b3b07d24c118d3a4af95d11/compile.c#L11320) is being executed after labels_wrapper is collected. We need to protect lables_wrapper with an RB_GC_GUARD.

Related issues 1 (1 open0 closed)

Related to Ruby master - Misc #20387: Meta-ticket for ASAN supportAssignedkjtsanaktsidis (KJ Tsanaktsidis)Actions
Actions
Copy link
 #2

Updated by kjtsanaktsidis (KJ Tsanaktsidis) about 1 month ago

  • Related to Misc #20387: Meta-ticket for ASAN support added
Actions
Copy link
 #3

Updated by Anonymous about 1 month ago

  • Status changed from Open to Closed

Applied in changeset git|9d0a5148ae062a0481a4a18fbeb9cfd01dc10428.

Add missing RB_GC_GUARDs related to DATA_PTR

I discovered the problem in compile.c from a failing
TestIseqLoad#test_stressful_roundtrip test with ASAN enabled. The other
two changes in array.c and string.c I found by auditing similar usages
of DATA_PTR in the codebase.

[Bug #20402]

Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0