bison-patches

Re: [PATCH 0/7] Fixing all cex leaks


From: Akim Demaille
Subject: Re: [PATCH 0/7] Fixing all cex leaks
Date: Sat, 23 May 2020 11:45:16 +0200

Hi Vincent,

We crash on the Cim grammar (test 545) when enabling cex.

Cheers!

$ lldb -- ./_build/ga/src/bison -Wcou ./_build/ga/tests/testsuite.dir/545/input.y
(lldb) target create "./_build/ga/src/bison"
Current executable set to './_build/ga/src/bison' (x86_64).
(lldb) settings set -- target.run-args  "-Wcou" "./_build/ga/tests/testsuite.dir/545/input.y"
(lldb) r
yProcess 50187 launched: '/Users/akim/src/gnu/bison/_build/ga/src/bison' (x86_64)
y=================================================================
==50187==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000746c8 at pc 0x0001000fc840 bp 0x7ffeefbfd160 sp 0x7ffeefbfd158
READ of size 8 at 0x6060000746c8 thread T0

    #0 0x1000fc83f in bitset_reset bitset.h:152
    #1 0x100102949 in prune_disabled_paths state-item.c:430
    #2 0x100104069 in state_items_init state-item.c:509
    #3 0x100023ecf in counterexample_init counterexample.c:1133
    #4 0x10005d25d in main main.c:149
    #5 0x7fff6df8d3d4 in start (libdyld.dylib:x86_64+0x163d4)

0x6060000746c8 is located 8 bytes inside of 56-byte region [0x6060000746c0,0x6060000746f8)
freed by thread T0 here:
    #0 0x10046ac0b  (libasan.6.dylib:x86_64+0x36c0b)
    #1 0x10011c503 in bitset_free bitset.c:174
    #2 0x100102334 in disable_state_item state-item.c:387
    #3 0x100102ba2 in prune_disabled_paths state-item.c:433
    #4 0x100104069 in state_items_init state-item.c:509
    #5 0x100023ecf in counterexample_init counterexample.c:1133
    #6 0x10005d25d in main main.c:149
    #7 0x7fff6df8d3d4 in start (libdyld.dylib:x86_64+0x163d4)

previously allocated by thread T0 here:
    #0 0x10046ae9e  (libasan.6.dylib:x86_64+0x36e9e)
    #1 0x1001624f8 in xcalloc xmalloc.c:112
    #2 0x1001624ab in xzalloc xmalloc.c:97
    #3 0x10011bfac in bitset_alloc bitset.c:132
    #4 0x10011c430 in bitset_create bitset.c:163
    #5 0x100100912 in init_prods state-item.c:280
    #6 0x10010405a in state_items_init state-item.c:506
    #7 0x100023ecf in counterexample_init counterexample.c:1133
    #8 0x10005d25d in main main.c:149
    #9 0x7fff6df8d3d4 in start (libdyld.dylib:x86_64+0x163d4)

SUMMARY: AddressSanitizer: heap-use-after-free bitset.h:152 in bitset_reset
Shadow bytes around the buggy address:
  0x1c0c0000e880: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x1c0c0000e890: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x1c0c0000e8a0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x1c0c0000e8b0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x1c0c0000e8c0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
=>0x1c0c0000e8d0: 00 00 00 fa fa fa fa fa fd[fd]fd fd fd fd fd fa
  0x1c0c0000e8e0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x1c0c0000e8f0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x1c0c0000e900: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x1c0c0000e910: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x1c0c0000e920: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==50187==ABORTING
Process 50187 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
    frame #0: 0x00007fff6e0c82c2 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill:
->  0x7fff6e0c82c2 <+10>: jae    0x7fff6e0c82cc            ; <+20>
    0x7fff6e0c82c4 <+12>: movq   %rax, %rdi
    0x7fff6e0c82c7 <+15>: jmp    0x7fff6e0c2453            ; cerror_nocancel
    0x7fff6e0c82cc <+20>: retq   
Target 0: (bison) stopped.



Cheers!

