ruby-core@ruby-lang.org archive (unofficial mirror)
From: "kjtsanaktsidis (KJ Tsanaktsidis) via ruby-core" <ruby-core@ml.ruby-lang.org>
To: ruby-core@ml.ruby-lang.org
Cc: "kjtsanaktsidis (KJ Tsanaktsidis)" <noreply@ruby-lang.org>
Subject: [ruby-core:117380] [Ruby master Bug#20402] Double-free in TestIseqLoad#test_stressful_roundtrip
Date: Sat, 30 Mar 2024 01:57:42 +0000 (UTC)	[thread overview]
Message-ID: <redmine.issue-20402.20240330015741.10173@ruby-lang.org> (raw)
In-Reply-To: redmine.issue-20402.20240330015741.10173@ruby-lang.org

Issue #20402 has been reported by kjtsanaktsidis (KJ Tsanaktsidis).

----------------------------------------
Bug #20402: Double-free in TestIseqLoad#test_stressful_roundtrip
https://bugs.ruby-lang.org/issues/20402

* Author: kjtsanaktsidis (KJ Tsanaktsidis)
* Status: Open
* Assignee: kjtsanaktsidis (KJ Tsanaktsidis)
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
With ASAN enabled, the TestIseqLoad#test_stressful_roundtrip fails with the following output:

```
2/9] TestIseqLoad#test_stressful_roundtrip = 7.26 s
  1) Failure:
TestIseqLoad#test_stressful_roundtrip [/home/kj/ruby/test/-ext-/iseq_load/test_iseq_load.rb:20]:
pid 172821 killed by SIGSEGV (signal 11) (core dumped)
| -:10: [BUG] Segmentation fault at 0x0000000000000018
| ruby 3.4.0dev (2024-03-28T23:13:25Z master 02d40b6c17) [x86_64-linux]
|
| -- Control frame information -----------------------------------------------
| c:0005 p:---- s:0023 e:000022 CFUNC  :iseq_load
| c:0004 p:0037 s:0018 e:000017 METHOD -:10
| c:0003 p:0005 s:0010 e:000009 METHOD -:16
| c:0002 p:0054 s:0006 e:000005 EVAL   -:26 [FINISH]
| c:0001 p:0000 s:0003 E:000540 DUMMY  [FINISH]
|
| -- Ruby level backtrace information ----------------------------------------
| -:26:in '<main>'
| -:16:in 'test_bug8543'
| -:10:in 'assert_iseq_roundtrip'
| -:10:in 'iseq_load'
|
| -- Threading information ---------------------------------------------------
| Total ractor count: 1
| Ruby thread count for this ractor: 1
|
| -- Machine register context ------------------------------------------------
|  RIP: 0x0000556b3dc84a08 RBP: 0x00007ffeff1f6d40 RSP: 0x00007ffeff1f6c10
|  RAX: 0x0000000000000003 RBX: 0x0000000000000000 RCX: 0x00000fe916945e7a
|  RDX: 0x0000000000000001 RDI: 0x0000000000000018 RSI: 0x0000000000000000
|   R8: 0x00000000003ba300  R9: 0x0000000000000000 R10: 0x00000a4a000000b7
|  R11: 0x0000000000000000 R12: 0x000051b000016c80 R13: 0x00007f48b4a2f3b0
|  R14: 0x00007f48d283bb80 R15: 0x00000fe91a507760 EFL: 0x0000000000010246
|
| -- C level backtrace information -------------------------------------------
| /home/kj/ruby/build/ruby(___interceptor_backtrace+0x39) [0x556b3d8cf379] /home/kj/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4358
| /home/kj/ruby/build/ruby(rb_print_backtrace+0x14) [0x556b3ddef67c] /home/kj/ruby/build/../vm_dump.c:820
| /home/kj/ruby/build/ruby(rb_vm_bugreport) /home/kj/ruby/build/../vm_dump.c:1151
| /home/kj/ruby/build/ruby(rb_bug_for_fatal_signal+0x2db) [0x556b3e0190fb] /home/kj/ruby/build/../error.c:1087
| /home/kj/ruby/build/ruby(sigsegv+0x184) [0x556b3dc78ca4] /home/kj/ruby/build/../signal.c:926
| /lib64/libc.so.6(__restore_rt+0x0) [0x7f48d46429a0] /usr/src/debug/glibc-2.38-16.fc39.x86_64/signal/sigaction.c:34
| /home/kj/ruby/build/ruby(rb_st_free_table+0x18) [0x556b3dc84a08] /home/kj/ruby/build/../st.c:661
| /home/kj/ruby/build/ruby(finalize_deferred_heap_pages+0x224) [0x556b3d9dd0b4] /home/kj/ruby/build/../gc.c:4128
| /home/kj/ruby/build/ruby(gc_finalize_deferred+0x97) [0x556b3d9d7127] /home/kj/ruby/build/../gc.c:4195
| /home/kj/ruby/build/ruby(rb_postponed_job_flush+0x501) [0x556b3ddfde81] /home/kj/ruby/build/../vm_trace.c:1849
| /home/kj/ruby/build/ruby(rb_threadptr_execute_interrupts+0x35d) [0x556b3dce9ddd] /home/kj/ruby/build/../thread.c:2464
| /home/kj/ruby/build/ruby(rb_vm_pop_frame+0x18d) [0x556b3dd5b0dd] ../vm_core.h:2103
| /home/kj/ruby/build/ruby(vm_call_cfunc_with_frame_+0x392) [0x556b3ddc6d72] ../vm_insnhelper.c:3529
| /home/kj/ruby/build/ruby(vm_call_method_each_type+0x2a6) [0x556b3ddae576] ../vm_insnhelper.c:4470
| /home/kj/ruby/build/ruby(vm_call_method+0x2a2) [0x556b3ddadb22]
| /home/kj/ruby/build/ruby(vm_sendish+0xec7) [0x556b3dd63687]
| /home/kj/ruby/build/ruby(vm_exec_core+0x68fc) [0x556b3dd6cf4c] ../insns.def:891
| /home/kj/ruby/build/ruby(rb_vm_exec+0x350) [0x556b3dd64520] /home/kj/ruby/build/../vm.c:2552
| /home/kj/ruby/build/ruby(rb_ec_exec_node+0x264) [0x556b3d9b5844] /home/kj/ruby/build/../eval.c:282
| /home/kj/ruby/build/ruby(ruby_run_node+0x6e) [0x556b3d9b552e] /home/kj/ruby/build/../eval.c:320
| /home/kj/ruby/build/ruby(rb_main+0x29) [0x556b3d9b0981] /home/kj/ruby/build/../main.c:40
| /home/kj/ruby/build/ruby(main) /home/kj/ruby/build/../main.c:59
| /lib64/libc.so.6(__libc_start_call_main+0x7a) [0x7f48d462c14a] ../sysdeps/nptl/libc_start_call_main.h:58
| /lib64/libc.so.6(__libc_start_main_alias_2+0x8b) [0x7f48d462c20b] ../csu/libc-start.c:360
| [0x556b3d87ee05]
```

Reversing execution with `rr` reveals that `DATA_PTR(labels_wrapper) = 0` in `iseq_build_from_ary_body` (https://github.com/ruby/ruby/blob/cdb8d208c919bbc72b3b07d24c118d3a4af95d11/compile.c#L11320) is being executed after `labels_wrapper` is collected. We need to protect `labels_wrapper` with an RB_GC_GUARD.



-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
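The failure mode described in the report, a C function that still needs a T_DATA object after the object's last reference has gone dead, can be illustrated without Ruby's runtime. The following C program is an added example, not code from the bug report or from ruby/ruby: it builds a toy conservative stack-scanning collector, a `wrapper_t` that stands in for the labels wrapper object (its `data` field plays the role of `DATA_PTR`), and a `GC_GUARD` macro modelled on the shape of `RB_GC_GUARD` (take the variable's address into a volatile pointer and hand it to an empty asm statement, so the variable must occupy a stack slot the scan can see). `build_unguarded` reproduces the bug shape; `build_guarded` adds the guard. All names here are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__has_attribute)
# if __has_attribute(no_sanitize_address)
#  define NO_ASAN __attribute__((no_sanitize_address))
# endif
#endif
#ifndef NO_ASAN
# define NO_ASAN
#endif

/* Stand-in for a T_DATA wrapper: `data` plays the role of DATA_PTR and is
 * released by the object's dfree when the collector reclaims the wrapper. */
typedef struct {
    int *data;
    int  marked;
    int  freed;
} wrapper_t;

#define MAX_OBJS 8
static wrapper_t *heap[MAX_OBJS];   /* toy heap of allocated wrappers */
static int        heap_len;
static uintptr_t *stack_base;       /* highest stack address the scan covers */

/* Modelled on the shape of RB_GC_GUARD (constructed, not Ruby's macro): an
 * empty asm that reads a volatile pointer to `v` forces `v` into a real
 * stack slot that stays valid up to this point. */
#define GC_GUARD(v) do {                       \
        wrapper_t *volatile *guard_p = &(v);   \
        __asm__("" : : "m"(guard_p));          \
    } while (0)

static wrapper_t *gc_alloc_wrapper(void)
{
    wrapper_t *w = calloc(1, sizeof *w);
    w->data = calloc(4, sizeof *w->data);
    heap[heap_len++] = w;
    return w;
}

/* Conservative collection: every word between this frame and stack_base that
 * equals a wrapper's address marks it live; unmarked wrappers run their dfree
 * (free the table) and are flagged as freed. Registers are not spilled and
 * scanned here, unlike in Ruby's collector. */
__attribute__((noinline)) NO_ASAN static void gc_collect(void)
{
    uintptr_t here = 0;
    for (int i = 0; i < heap_len; i++)
        heap[i]->marked = 0;
    for (uintptr_t *p = &here; p < stack_base; p++)
        for (int i = 0; i < heap_len; i++)
            if (*p == (uintptr_t)heap[i])
                heap[i]->marked = 1;
    for (int i = 0; i < heap_len; i++) {
        if (heap[i]->marked || heap[i]->freed)
            continue;
        free(heap[i]->data);            /* dfree: st_free_table in the real bug */
        heap[i]->data = NULL;
        heap[i]->freed = 1;
    }
}

/* Bug shape from the report: once `labels` has been taken out, the wrapper
 * itself is dead, so the compiler may drop it from the stack before the GC
 * point. Returns 1 if the wrapper survived, 0 if its dfree already freed the
 * table (the real code would then free it again: a double free). */
__attribute__((noinline)) static int build_unguarded(void)
{
    int idx = heap_len;                      /* index this wrapper will get */
    wrapper_t *labels_wrapper = gc_alloc_wrapper();
    int *labels = labels_wrapper->data;      /* last use of labels_wrapper */
    labels[0] = 42;                          /* ...build work on the table... */
    gc_collect();                            /* a GC can run here */
    if (heap[idx]->freed)
        return 0;                            /* free(labels) would double-free */
    free(labels);                            /* the builder owns the table... */
    heap[idx]->data = NULL;                  /* ...so DATA_PTR(labels_wrapper) = 0 */
    return 1;
}

/* Fixed shape: GC_GUARD after the final use keeps the wrapper in a scanned
 * stack slot across the GC point, so its dfree cannot run early. */
__attribute__((noinline)) static int build_guarded(void)
{
    wrapper_t *labels_wrapper = gc_alloc_wrapper();
    int *labels = labels_wrapper->data;
    labels[0] = 42;
    gc_collect();
    int survived = !labels_wrapper->freed;
    if (survived) {
        free(labels);
        labels_wrapper->data = NULL;         /* DATA_PTR(labels_wrapper) = 0 */
    }
    GC_GUARD(labels_wrapper);                /* wrapper stays live to here */
    return survived;
}

/* Records the scan's upper bound in this frame, then runs the body below it. */
__attribute__((noinline)) static int run_with_stack_base(int (*body)(void))
{
    uintptr_t base_marker = 0;
    stack_base = &base_marker;
    int r = body();
    stack_base = NULL;
    return r;
}

int guarded_roundtrip_ok(void)   { return run_with_stack_base(build_guarded); }
int unguarded_roundtrip_ok(void) { return run_with_stack_base(build_unguarded); }

int main(void)
{
    printf("guarded:   wrapper %s\n",
           guarded_roundtrip_ok() ? "survived the GC point" : "was collected early");
    printf("unguarded: wrapper %s (compiler and flag dependent)\n",
           unguarded_roundtrip_ok() ? "survived the GC point" : "was collected early");
    return 0;
}
```

The guarded path is deterministic: the wrapper is always found by the scan. The unguarded outcome depends on the compiler and optimisation level, and a stale copy of the pointer left in a dead frame can keep the wrapper alive by chance, which is why this class of bug shows up intermittently and under stress rather than on every run.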
