Issue #20402 has been updated by kjtsanaktsidis (KJ Tsanaktsidis).
https://github.com/ruby/ruby/pull/10408 should fix this
----------------------------------------
Bug #20402: Double-free in TestIseqLoad#test_stressful_roundtrip
https://bugs.ruby-lang.org/issues/20402#change-107540
* Author: kjtsanaktsidis (KJ Tsanaktsidis)
* Status: Open
* Assignee: kjtsanaktsidis (KJ Tsanaktsidis)
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
With ASAN enabled, the TestIseqLoad#test_stressful_roundtrip fails with the following
output:
```
2/9] TestIseqLoad#test_stressful_roundtrip = 7.26 s
1) Failure:
TestIseqLoad#test_stressful_roundtrip
[/home/kj/ruby/test/-ext-/iseq_load/test_iseq_load.rb:20]:
pid 172821 killed by SIGSEGV (signal 11) (core dumped)
| -:10: [BUG] Segmentation fault at 0x0000000000000018
| ruby 3.4.0dev (2024-03-28T23:13:25Z master 02d40b6c17) [x86_64-linux]
|
| -- Control frame information -----------------------------------------------
| c:0005 p:---- s:0023 e:000022 CFUNC :iseq_load
| c:0004 p:0037 s:0018 e:000017 METHOD -:10
| c:0003 p:0005 s:0010 e:000009 METHOD -:16
| c:0002 p:0054 s:0006 e:000005 EVAL -:26 [FINISH]
| c:0001 p:0000 s:0003 E:000540 DUMMY [FINISH]
|
| -- Ruby level backtrace information ----------------------------------------
| -:26:in '<main>'
| -:16:in 'test_bug8543'
| -:10:in 'assert_iseq_roundtrip'
| -:10:in 'iseq_load'
|
| -- Threading information ---------------------------------------------------
| Total ractor count: 1
| Ruby thread count for this ractor: 1
|
| -- Machine register context ------------------------------------------------
| RIP: 0x0000556b3dc84a08 RBP: 0x00007ffeff1f6d40 RSP: 0x00007ffeff1f6c10
| RAX: 0x0000000000000003 RBX: 0x0000000000000000 RCX: 0x00000fe916945e7a
| RDX: 0x0000000000000001 RDI: 0x0000000000000018 RSI: 0x0000000000000000
| R8: 0x00000000003ba300 R9: 0x0000000000000000 R10: 0x00000a4a000000b7
| R11: 0x0000000000000000 R12: 0x000051b000016c80 R13: 0x00007f48b4a2f3b0
| R14: 0x00007f48d283bb80 R15: 0x00000fe91a507760 EFL: 0x0000000000010246
|
| -- C level backtrace information -------------------------------------------
| /home/kj/ruby/build/ruby(___interceptor_backtrace+0x39) [0x556b3d8cf379] /home/kj/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4358
| /home/kj/ruby/build/ruby(rb_print_backtrace+0x14) [0x556b3ddef67c] /home/kj/ruby/build/../vm_dump.c:820
| /home/kj/ruby/build/ruby(rb_vm_bugreport) /home/kj/ruby/build/../vm_dump.c:1151
| /home/kj/ruby/build/ruby(rb_bug_for_fatal_signal+0x2db) [0x556b3e0190fb] /home/kj/ruby/build/../error.c:1087
| /home/kj/ruby/build/ruby(sigsegv+0x184) [0x556b3dc78ca4] /home/kj/ruby/build/../signal.c:926
| /lib64/libc.so.6(__restore_rt+0x0) [0x7f48d46429a0] /usr/src/debug/glibc-2.38-16.fc39.x86_64/signal/sigaction.c:34
| /home/kj/ruby/build/ruby(rb_st_free_table+0x18) [0x556b3dc84a08] /home/kj/ruby/build/../st.c:661
| /home/kj/ruby/build/ruby(finalize_deferred_heap_pages+0x224) [0x556b3d9dd0b4] /home/kj/ruby/build/../gc.c:4128
| /home/kj/ruby/build/ruby(gc_finalize_deferred+0x97) [0x556b3d9d7127] /home/kj/ruby/build/../gc.c:4195
| /home/kj/ruby/build/ruby(rb_postponed_job_flush+0x501) [0x556b3ddfde81] /home/kj/ruby/build/../vm_trace.c:1849
| /home/kj/ruby/build/ruby(rb_threadptr_execute_interrupts+0x35d) [0x556b3dce9ddd] /home/kj/ruby/build/../thread.c:2464
| /home/kj/ruby/build/ruby(rb_vm_pop_frame+0x18d) [0x556b3dd5b0dd] ../vm_core.h:2103
| /home/kj/ruby/build/ruby(vm_call_cfunc_with_frame_+0x392) [0x556b3ddc6d72] ../vm_insnhelper.c:3529
| /home/kj/ruby/build/ruby(vm_call_method_each_type+0x2a6) [0x556b3ddae576] ../vm_insnhelper.c:4470
| /home/kj/ruby/build/ruby(vm_call_method+0x2a2) [0x556b3ddadb22]
| /home/kj/ruby/build/ruby(vm_sendish+0xec7) [0x556b3dd63687]
| /home/kj/ruby/build/ruby(vm_exec_core+0x68fc) [0x556b3dd6cf4c] ../insns.def:891
| /home/kj/ruby/build/ruby(rb_vm_exec+0x350) [0x556b3dd64520] /home/kj/ruby/build/../vm.c:2552
| /home/kj/ruby/build/ruby(rb_ec_exec_node+0x264) [0x556b3d9b5844] /home/kj/ruby/build/../eval.c:282
| /home/kj/ruby/build/ruby(ruby_run_node+0x6e) [0x556b3d9b552e] /home/kj/ruby/build/../eval.c:320
| /home/kj/ruby/build/ruby(rb_main+0x29) [0x556b3d9b0981] /home/kj/ruby/build/../main.c:40
| /home/kj/ruby/build/ruby(main) /home/kj/ruby/build/../main.c:59
| /lib64/libc.so.6(__libc_start_call_main+0x7a) [0x7f48d462c14a] ../sysdeps/nptl/libc_start_call_main.h:58
| /lib64/libc.so.6(__libc_start_main_alias_2+0x8b) [0x7f48d462c20b] ../csu/libc-start.c:360
| [0x556b3d87ee05]
```
Reversing execution with `rr` reveals that `DATA_PTR(labels_wrapper) = 0` in
`iseq_build_from_ary_body`
(https://github.com/ruby/ruby/blob/cdb8d208c919bbc72b3b07d24c118d3a4af95d11/…)
is being executed after `labels_wrapper` is collected. We need to protect `labels_wrapper`
with an RB_GC_GUARD.
--
https://bugs.ruby-lang.org/