Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose
From: Simon Marchi
Subject: Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose
Date: Mon, 29 May 2023 12:43:11 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.1
On 5/28/23 04:20, Tom de Vries via Gdb-patches wrote:
> On 5/27/23 21:10, Chet Ramey wrote:
>> On 5/23/23 12:04 PM, Tom de Vries wrote:
>>
>>> Both these issues need fixing independently, though after fixing the first we
>>> no longer trigger the second.
>>
>> Thanks for the report. These are both good fixes.
>
> Thanks for the review.
>
> Added test-case and committed.
>
> Thanks,
> - Tom
Hi Tom,
ASan sees a double-free in the test:
==144635==ERROR: AddressSanitizer: attempting double-free on 0x60200001ae90 in thread T0:
#0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
#2 0x7f39ef3d0f5d in _rl_isearch_cleanup (/usr/lib/libreadline.so.8+0x27f5d) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
#3 0x7f39ef3e42ec in rl_callback_read_char (/usr/lib/libreadline.so.8+0x3b2ec) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
#4 0x5649f96ec632 in gdb_rl_callback_read_char_wrapper_noexcept /home/smarchi/src/binutils-gdb/gdb/event-top.c:192
#5 0x5649f96ec88a in gdb_rl_callback_read_char_wrapper /home/smarchi/src/binutils-gdb/gdb/event-top.c:225
#6 0x5649fafd3641 in stdin_event_handler /home/smarchi/src/binutils-gdb/gdb/ui.c:155
#7 0x5649fb6dbe79 in handle_file_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:573
#8 0x5649fb6dc80f in gdb_wait_for_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:694
#9 0x5649fb6da468 in gdb_do_one_event(int) /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:264
#10 0x5649f9e61094 in start_event_loop /home/smarchi/src/binutils-gdb/gdb/main.c:412
#11 0x5649f9e615a6 in captured_command_loop /home/smarchi/src/binutils-gdb/gdb/main.c:476
#12 0x5649f9e66b5c in captured_main /home/smarchi/src/binutils-gdb/gdb/main.c:1320
#13 0x5649f9e66c99 in gdb_main(captured_main_args*) /home/smarchi/src/binutils-gdb/gdb/main.c:1339
#14 0x5649f83b758d in main /home/smarchi/src/binutils-gdb/gdb/gdb.c:32
#15 0x7f39eda3984f (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
#16 0x7f39eda39909 in __libc_start_main (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
#17 0x5649f83b7354 in _start (/home/smarchi/build/binutils-gdb/gdb/gdb+0xb0f0354) (BuildId: 2bb3933a88a2426705e531a680e7075402ea19f8)
0x60200001ae90 is located 0 bytes inside of 1-byte region [0x60200001ae90,0x60200001ae91)
freed by thread T0 here:
#0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
previously allocated by thread T0 here:
#0 0x7f39ef4e1369 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x5649f865bca2 in xmalloc /home/smarchi/src/binutils-gdb/gdb/alloc.c:57
#2 0x7f39ef3eb6da (/usr/lib/libreadline.so.8+0x426da) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
SUMMARY: AddressSanitizer: double-free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 in __interceptor_free
Simon
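As an added illustration (not readline's or gdb's code): a constructed model of the pattern the report above shows, a context dispose routine reached twice for the same context, with the buggy dispose beside an idempotent one. The `struct scxt` here is a made-up stand-in for readline's search context, and `tracked_free` with its quarantine is a hypothetical stand-in for ASan's double-free detection.

```c
#include <stdlib.h>
/* Constructed model of a "search context" owning one heap buffer; an
   illustration for this page, not readline's actual _rl_scxt. */
struct scxt { char *search_string; };

/* Tiny quarantine standing in for ASan's double-free check: freed pointers are
   recorded, not released, so a repeat free is counted instead of corrupting the heap. */
#define MAX_QUARANTINE 16
static void *quarantine[MAX_QUARANTINE];
static int nquarantined, double_free_attempts;

static void tracked_free(void *p) {
    if (p == NULL) return;            /* free(NULL) is a no-op, never a bug */
    for (int i = 0; i < nquarantined; i++)
        if (quarantine[i] == p) {     /* what ASan reports as double-free */
            double_free_attempts++;
            return;
        }
    if (nquarantined < MAX_QUARANTINE)
        quarantine[nquarantined++] = p;
}
static void quarantine_reset(void) {
    while (nquarantined > 0)
        free(quarantine[--nquarantined]);   /* really release between runs */
    double_free_attempts = 0;
}

/* Buggy dispose: releases the member but leaves the dangling pointer behind,
   so a second cleanup of the same context frees it again. */
static void scxt_dispose_buggy(struct scxt *cxt) {
    tracked_free(cxt->search_string);
}

/* Idempotent dispose: clear the member after releasing it, so overlapping
   cleanup paths can each call dispose without a second free. */
static void scxt_dispose_fixed(struct scxt *cxt) {
    if (cxt == NULL) return;
    tracked_free(cxt->search_string);
    cxt->search_string = NULL;
}

/* Dispose one context twice, as two cleanup paths might, and return how many
   double-free attempts the quarantine caught: 1 for buggy, 0 for fixed. */
static int run_double_dispose(void (*dispose)(struct scxt *)) {
    quarantine_reset();
    struct scxt cxt = { malloc(1) };  /* a 1-byte region, as in the report */
    dispose(&cxt);
    dispose(&cxt);
    return double_free_attempts;
}
```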