Re: [PATCH 0/7] Fixing all cex leaks
From: Akim Demaille
Subject: Re: [PATCH 0/7] Fixing all cex leaks
Date: Sat, 23 May 2020 11:45:16 +0200
Hi Vincent,
We crash on the Cim grammar (test 545) when enabling cex.
Cheers!
$ lldb -- ./_build/ga/src/bison -Wcou ./_build/ga/tests/testsuite.dir/545/input.y
(lldb) target create "./_build/ga/src/bison"
Current executable set to './_build/ga/src/bison' (x86_64).
(lldb) settings set -- target.run-args "-Wcou" "./_build/ga/tests/testsuite.dir/545/input.y"
(lldb) r
yProcess 50187 launched: '/Users/akim/src/gnu/bison/_build/ga/src/bison' (x86_64)
y=================================================================
==50187==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000746c8 at pc 0x0001000fc840 bp 0x7ffeefbfd160 sp 0x7ffeefbfd158
READ of size 8 at 0x6060000746c8 thread T0
#0 0x1000fc83f in bitset_reset bitset.h:152
#1 0x100102949 in prune_disabled_paths state-item.c:430
#2 0x100104069 in state_items_init state-item.c:509
#3 0x100023ecf in counterexample_init counterexample.c:1133
#4 0x10005d25d in main main.c:149
#5 0x7fff6df8d3d4 in start (libdyld.dylib:x86_64+0x163d4)
0x6060000746c8 is located 8 bytes inside of 56-byte region [0x6060000746c0,0x6060000746f8)
freed by thread T0 here:
#0 0x10046ac0b (libasan.6.dylib:x86_64+0x36c0b)
#1 0x10011c503 in bitset_free bitset.c:174
#2 0x100102334 in disable_state_item state-item.c:387
#3 0x100102ba2 in prune_disabled_paths state-item.c:433
#4 0x100104069 in state_items_init state-item.c:509
#5 0x100023ecf in counterexample_init counterexample.c:1133
#6 0x10005d25d in main main.c:149
#7 0x7fff6df8d3d4 in start (libdyld.dylib:x86_64+0x163d4)
previously allocated by thread T0 here:
#0 0x10046ae9e (libasan.6.dylib:x86_64+0x36e9e)
#1 0x1001624f8 in xcalloc xmalloc.c:112
#2 0x1001624ab in xzalloc xmalloc.c:97
#3 0x10011bfac in bitset_alloc bitset.c:132
#4 0x10011c430 in bitset_create bitset.c:163
#5 0x100100912 in init_prods state-item.c:280
#6 0x10010405a in state_items_init state-item.c:506
#7 0x100023ecf in counterexample_init counterexample.c:1133
#8 0x10005d25d in main main.c:149
#9 0x7fff6df8d3d4 in start (libdyld.dylib:x86_64+0x163d4)
SUMMARY: AddressSanitizer: heap-use-after-free bitset.h:152 in bitset_reset
Shadow bytes around the buggy address:
0x1c0c0000e880: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x1c0c0000e890: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x1c0c0000e8a0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x1c0c0000e8b0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x1c0c0000e8c0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
=>0x1c0c0000e8d0: 00 00 00 fa fa fa fa fa fd[fd]fd fd fd fd fd fa
0x1c0c0000e8e0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x1c0c0000e8f0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
0x1c0c0000e900: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x1c0c0000e910: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x1c0c0000e920: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==50187==ABORTING
Process 50187 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
frame #0: 0x00007fff6e0c82c2 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill:
-> 0x7fff6e0c82c2 <+10>: jae 0x7fff6e0c82cc ; <+20>
0x7fff6e0c82c4 <+12>: movq %rax, %rdi
0x7fff6e0c82c7 <+15>: jmp 0x7fff6e0c2453 ; cerror_nocancel
0x7fff6e0c82cc <+20>: retq
Target 0: (bison) stopped.
Cheers!
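The report above has the usual three-part shape of an ASan heap-use-after-free: the stack of the offending read (bitset_reset called from prune_disabled_paths), the stack that freed the 56-byte bitset (disable_state_item, a few lines later in the same function), and the stack that allocated it (init_prods), followed by a dump of shadow memory with the faulting shadow byte in brackets. The following parser is an added example for triaging such reports; it is not part of the bison message or of the bison sources. It embeds a condensed copy of the report lines from this message (same addresses and frames, the free and allocation stacks shortened), splits it into the three stacks, and checks the shadow-byte arithmetic: one shadow byte covers 8 application bytes, and the shadow offset assumed here (1 << 44) is ASan's default on macOS x86_64, which is the platform of this trace; Linux x86_64 uses a different offset, so treat that constant as a platform assumption.

```python
"""Parse an AddressSanitizer heap-use-after-free report for triage (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: condensed from the report in the message above
# (same addresses and frames; the free/alloc stacks are shortened).
SAMPLE_REPORT = """\
==50187==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000746c8 at pc 0x0001000fc840 bp 0x7ffeefbfd160 sp 0x7ffeefbfd158
READ of size 8 at 0x6060000746c8 thread T0
    #0 0x1000fc83f in bitset_reset bitset.h:152
    #1 0x100102949 in prune_disabled_paths state-item.c:430
    #2 0x100104069 in state_items_init state-item.c:509
    #3 0x100023ecf in counterexample_init counterexample.c:1133
    #4 0x10005d25d in main main.c:149
    #5 0x7fff6df8d3d4 in start (libdyld.dylib:x86_64+0x163d4)

0x6060000746c8 is located 8 bytes inside of 56-byte region [0x6060000746c0,0x6060000746f8)
freed by thread T0 here:
    #0 0x10046ac0b  (libasan.6.dylib:x86_64+0x36c0b)
    #1 0x10011c503 in bitset_free bitset.c:174
    #2 0x100102334 in disable_state_item state-item.c:387
    #3 0x100102ba2 in prune_disabled_paths state-item.c:433

previously allocated by thread T0 here:
    #0 0x10046ae9e  (libasan.6.dylib:x86_64+0x36e9e)
    #1 0x1001624f8 in xcalloc xmalloc.c:112
    #2 0x1001624ab in xzalloc xmalloc.c:97
    #3 0x10011bfac in bitset_alloc bitset.c:132
    #4 0x10011c430 in bitset_create bitset.c:163
    #5 0x100100912 in init_prods state-item.c:280

SUMMARY: AddressSanitizer: heap-use-after-free bitset.h:152 in bitset_reset
Shadow bytes around the buggy address:
  0x1c0c0000e8c0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
=>0x1c0c0000e8d0: 00 00 00 fa fa fa fa fa fd[fd]fd fd fd fd fd fa
  0x1c0c0000e8e0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),")
# "#N 0xADDR in func file:line" or, for unsymbolized runtime frames, "#N 0xADDR (module+off)".
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+(\S+)\s+)?(\S.*)$")
SHADOW_ROW_RE = re.compile(r"^(=>)?\s*(0x[0-9a-f]+):\s*(.+)$")
SHADOW_BYTE_RE = re.compile(r"\[?([0-9a-f]{2})\]?")   # the bracketed cell is the faulting byte

SHADOW_SCALE = 3                        # one shadow byte covers 8 application bytes
APPLE_X86_64_SHADOW_OFFSET = 1 << 44    # assumption: ASan default on macOS x86_64 (Linux differs)
SHADOW_LEGEND = {"00": "addressable", "fa": "heap left redzone", "fd": "freed heap region",
                 "f1": "stack left redzone", "f2": "stack mid redzone", "f3": "stack right redzone",
                 "f5": "stack after return", "f8": "stack use after scope", "f9": "global redzone"}


@dataclass
class Frame:
    index: int
    func: Optional[str]      # None when ASan could not symbolize the frame
    location: str            # "file:line" or "(module+offset)"


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: int
    access: str = ""
    access_size: int = 0
    region_start: int = 0
    region_size: int = 0
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)   # "use", "free", "alloc"
    shadow_rows: Dict[int, List[str]] = field(default_factory=dict)
    highlighted_shadow: Optional[int] = None   # shadow address ASan printed in [..]


def parse_asan_report(text: str) -> AsanReport:
    report: Optional[AsanReport] = None
    current: Optional[str] = None   # stack that the next "#N" frames belong to
    in_shadow = False
    for line in text.splitlines():
        if report is None:
            m = HEADER_RE.match(line)
            if m:
                report = AsanReport(int(m.group(1)), m.group(2), int(m.group(3), 16))
            continue
        if in_shadow:
            m = SHADOW_ROW_RE.match(line)
            if m:
                base, cells = int(m.group(2), 16), []
                for i, mb in enumerate(SHADOW_BYTE_RE.finditer(m.group(3))):
                    cells.append(mb.group(1))
                    if mb.group(0).startswith("["):
                        report.highlighted_shadow = base + i
                report.shadow_rows[base] = cells
            continue
        if line.startswith("Shadow bytes around"):
            in_shadow = True
        elif (m := ACCESS_RE.match(line)):
            report.access, report.access_size = m.group(1), int(m.group(2))
            current = "use"
            report.stacks[current] = []
        elif (m := REGION_RE.search(line)):
            report.region_size, report.region_start = int(m.group(2)), int(m.group(3), 16)
        elif line.startswith("freed by"):
            current = "free"
            report.stacks[current] = []
        elif line.startswith("previously allocated by"):
            current = "alloc"
            report.stacks[current] = []
        elif (m := FRAME_RE.match(line)) and current is not None:
            report.stacks[current].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def shadow_address(addr: int, offset: int = APPLE_X86_64_SHADOW_OFFSET) -> int:
    """Shadow byte that describes application address addr: (addr >> 3) + offset."""
    return (addr >> SHADOW_SCALE) + offset


def shadow_byte_at(report: AsanReport, shadow_addr: int) -> Optional[str]:
    """Shadow byte ASan dumped for shadow_addr, or None if that 16-byte row was not printed."""
    row = shadow_addr & ~0xF
    cells = report.shadow_rows.get(row)
    return cells[shadow_addr - row] if cells else None


def first_source_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame resolved to file:line, skipping unsymbolized runtime frames (libasan, libdyld)."""
    return next((f for f in frames if f.func and not f.location.startswith("(")), None)


def triage(report: AsanReport) -> Dict[str, str]:
    """One-line-per-fact summary: where the object was used, freed and allocated, plus a shadow check."""
    out = {"kind": report.kind, "access": f"{report.access} of {report.access_size} bytes",
           "offset_in_region": str(report.address - report.region_start)}
    for name in ("use", "free", "alloc"):
        fr = first_source_frame(report.stacks.get(name, []))
        out[name] = f"{fr.func} at {fr.location}" if fr else "?"
    shadow = shadow_address(report.address)
    byte = shadow_byte_at(report, shadow)
    out["shadow"] = f"{shadow:#x} = {byte} ({SHADOW_LEGEND.get(byte, 'other')})"
    out["shadow_matches_highlight"] = str(shadow == report.highlighted_shadow)
    return out


if __name__ == "__main__":
    for key, value in triage(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{key:>24}: {value}")
```

Running it on the embedded report gives use = bitset_reset at bitset.h:152, free = bitset_free at bitset.c:174, alloc = xcalloc at xmalloc.c:112, and confirms that (0x6060000746c8 >> 3) + (1 << 44) = 0x1c0c0000e8d9, which is exactly the bracketed fd ("freed heap region") cell in the "=>" row; if that check fails on another platform, the offset constant is the first thing to revisit. The second frame of the use stack and the fourth of the free stack both sit in prune_disabled_paths, which is the usual signature of an object being released during a traversal that later touches it again.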