attempting free on address which was not malloc()-ed #15769
Comments
From @geeknik

Triggered with Perl v5.25.7-98-gdf13534 while fuzzing with AFL.

od -tx1 test557

==20040==ERROR: AddressSanitizer: attempting free on address which was not
0x60400000adb0 is located 32 bytes inside of 37-byte region
SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free

Perl 5.20.2 fails under Valgrind like so:
From @geeknik
From @tonycoz

On Mon, 12 Dec 2016 22:59:57 -0800, brian.carpenter@gmail.com wrote:

I also got:

$ ./perl ../130336.pl

and:

$ ./perl ../130336.pl
==18473==ERROR: AddressSanitizer: attempting double-free on 0x60400000d0f0 in thread T0:
0x60400000d0f0 is located 32 bytes inside of 43-byte region [0x60400000d0d0,0x60400000d0fb)
SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free

and:

$ ./perl ../130336.pl
==18728==ERROR: AddressSanitizer: alloc-dealloc-mismatch (INVALID vs free) on 0x60400000c1f0
0x60400000c1f0 is located 32 bytes inside of 39-byte region [0x60400000c1d0,0x60400000c1f7)
SUMMARY: AddressSanitizer: alloc-dealloc-mismatch ??:0 __interceptor_free

(which is new to me)

and:

$ ./perl ../130336b.pl
==18686==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c8f0 at pc 0x839aa3 bp 0x7ffe33854990 sp 0x7ffe33854988
0x62100001c8f0 is located 0 bytes to the right of 4080-byte region [0x62100001b900,0x62100001c8f0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tony/dev/perl/git/perl/pp_hot.c:4362 Perl_vivify_ref

which looks familiar.

and occasionally no error at all. This seems to be controlled by the hash order:

$ PERL_HASH_SEED=0x00 ./perl ../130336.pl
==18920==ERROR: AddressSanitizer: alloc-dealloc-mismatch (INVALID vs free) on 0x60400000c270
$ PERL_HASH_SEED=0x01 ./perl ../130336.pl
$ PERL_HASH_SEED=0x02 ./perl ../130336.pl
==18950==ERROR: AddressSanitizer: attempting double-free on 0x60400000ae70 in thread T0:
$ PERL_HASH_SEED=0x07 ./perl ../130336.pl
==18984==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60400000adf0 in thread T0

Simplifies:

$ PERL_HASH_SEED=0x01 ./perl -e 'map%$_= %_= %$_,%::'
==19013==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60400000ac30 in thread T0
0x60400000ac30 is located 32 bytes inside of 37-byte region [0x60400000ac10,0x60400000ac35)
SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free

Tony
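The runs above show the outcome depends on hash traversal order, so a plain re-run may hit a different sanitizer category or none at all. The harness below is an added example, not part of the ticket: it pins the seed per run (and disables key-order perturbation) so each result is reproducible, then records which AddressSanitizer category every seed produces. `ASAN_PERL` and `REPRO` are placeholders for an ASan-instrumented perl binary and the reproducer script; the sample report embedded for the offline self-check is constructed, with made-up addresses.

```shell
#!/bin/sh
# Added example (not from the ticket): make a hash-order-dependent ASan
# failure reproducible by pinning PERL_HASH_SEED, and record which sanitizer
# category each seed produces. ASAN_PERL and REPRO are placeholders for an
# ASan-instrumented perl binary and the reproducer script.

# Read a sanitizer report on stdin and print its category ("bad-free",
# "double-free", "alloc-dealloc-mismatch", "heap-buffer-overflow", ...).
# The third field of the SUMMARY line is the category; "none" means the run
# produced no sanitizer report at all, which is the "occasionally no error"
# case and is worth recording as well.
asan_category() {
    awk '
        /SUMMARY: AddressSanitizer:/ { print $3; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# Run the reproducer once under a fixed seed. PERL_PERTURB_KEYS=0 turns off
# per-run key-order perturbation so the seed alone fixes the traversal order.
# The exit status is ignored because ASan aborts the process on a report.
run_seed() {
    seed=$1
    perl_bin=$2
    script=$3
    PERL_HASH_SEED="$seed" PERL_PERTURB_KEYS=0 "$perl_bin" "$script" 2>&1 \
        | asan_category
}

# Sweep seeds 0x00..max (inclusive) and print one "seed category" line each.
sweep_seeds() {
    perl_bin=$1
    script=$2
    max=$3
    i=0
    while [ "$i" -le "$max" ]; do
        seed=$(printf '0x%02x' "$i")
        printf '%s %s\n' "$seed" "$(run_seed "$seed" "$perl_bin" "$script")"
        i=$((i + 1))
    done
}

# Constructed sample report, shaped like the double-free output in the ticket
# (addresses are made up), used to check the classifier without a perl build.
SAMPLE_REPORT='==1==ERROR: AddressSanitizer: attempting double-free on 0x604000000010 in thread T0:
0x604000000010 is located 32 bytes inside of 43-byte region [0x604000000000,0x60400000002b)
SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free'

classify_sample() {
    printf '%s\n' "$SAMPLE_REPORT" | asan_category
}

# A clean run produces no SUMMARY line and is reported as "none".
classify_clean_run() {
    printf 'ok\n' | asan_category
}

# Driver: only runs when the caller supplies the instrumented perl and the
# reproducer, e.g.  ASAN_PERL=./perl REPRO=../130336.pl sh seedsweep.sh
if [ -n "${ASAN_PERL:-}" ] && [ -n "${REPRO:-}" ]; then
    sweep_seeds "$ASAN_PERL" "$REPRO" "${MAX_SEED:-15}"
fi
```

The per-seed table is what turns "sometimes it crashes" into a fixed reproducer: once a seed is known to yield a particular category, that seed can be passed along with the script so the next person sees the same trace.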
The RT System itself - Status changed from 'new' to 'open'
From @arc

I have a deterministic reduction to a double-free, omitting one of the assignments and one of the uses of the iteration variable. I get essentially the same trace regardless of what empty array or hash is on the rhs of the aassign. I suspect this is a stack-not-refcounted issue, tbh.

$ ./miniperl -e 'map %$_ = %_, *::, $::{Internals::}'
==59124==ERROR: AddressSanitizer: attempting double-free on 0x611000009780 in thread T0:
0x611000009780 is located 0 bytes inside of 248-byte region [0x611000009780,0x611000009878)
previously allocated by thread T0 here:
SUMMARY: AddressSanitizer: double-free (libclang_rt.asan_osx_dynamic.dylib+0x46939) in wrap_free
From @iabyn

On Sat, Jan 28, 2017 at 09:01:10AM -0800, Aaron Crane via RT wrote:

The first part is equivalent to

map %$_ = (), *::

which aliases $_ to *::, then the hash %$_ is actually %::, and assigning

So it is indeed another stack-not-refcounted bug. As with #130321 and #130332, I propose that the ticket be moved to the
From @iabyn

On Mon, Feb 20, 2017 at 03:14:35PM +0000, Dave Mitchell wrote:

which I am now doing.
Migrated from rt.perl.org#130336 (status was 'open')
Searchable as RT130336$