[v8-dev] Issue 2761 in v8: AddressSanitizer reports use-after-free in V8 tests on x64 Linux

codesite-noreply Wed, 03 Jul 2013 07:44:17 -0700

Status: New
Owner: ----

New issue 2761 by [email protected]: AddressSanitizer reportsuse-after-free in V8 tests on x64 Linux

http://code.google.com/p/v8/issues/detail?id=2761


To reproduce: build with ASan and run

tools/run-tests.py --no-presubmit --arch=x64 -m release

I see several very similar reports, e.g.:

=== cctest/test-api/Threading3 ===
Extension or internal compilation error in exception at line 1.
Error installing extension 'exception'.
Extension or internal compilation error in srclentest_fail at line 1.
Error installing extension 'srclentest_fail'.
Extension or internal compilation error in nativedeclerr at line 2.
Error installing extension 'nativedeclerr'.
Extension or internal compilation error in ext #33 at line 1.
Error installing extension 'ext #33'.
Extension or internal compilation error in ext #35 at line 1.
Error installing extension 'ext #35'.
Extension or internal compilation error in syntaxerror at line 1.
Error installing extension 'syntaxerror'.
=================================================================

==3358==ERROR: AddressSanitizer: heap-use-after-free on address0x603000034660 at pc 0x555556fc32f0 bp 0x7fffdf35e810 sp 0x7fffdf35e7d8

READ of size 1 at 0x603000034660 thread T24 (ApiTestFuzzer)

#0 0x555556fc32ef in strcmp/san/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:439#1 0x555557320929 in InstallExtension/v8/out/../src/bootstrapper.cc:2316#2 0x555557320929 inv8::internal::Genesis::InstallExtensions(v8::internal::Handle<v8::internal::Context>,v8::ExtensionConfiguration*) /v8/out/../src/bootstrapper.cc:2300#3 0x5555572f37b8 inv8::internal::Bootstrapper::InstallExtensions(v8::internal::Handle<v8::internal::Context>,v8::ExtensionConfiguration*) /v8/out/../src/bootstrapper.cc:2183#4 0x5555572f3077 inv8::internal::Bootstrapper::CreateEnvironment(v8::internal::Handle<v8::internal::Object>,v8::Handle<v8::ObjectTemplate>, v8::ExtensionConfiguration*)/v8/out/../src/bootstrapper.cc:322

    #5 0x5555572aaafe in CreateEnvironment /v8/out/../src/api.cc:5483:27

#6 0x5555572aaafe in v8::Context::New(v8::Isolate*,v8::ExtensionConfiguration*, v8::Handle<v8::ObjectTemplate>,v8::Handle<v8::Value>) /v8/out/../src/api.cc:5535#7 0x55555702a1cc in TestWeakReference()/v8/out/../test/cctest/test-api.cc:6330#8 0x55555705367e in CallTestNumber/v8/out/../test/cctest/test-api.cc:11898

    #9 0x55555705367e in CallTest /v8/out/../test/cctest/test-api.cc:11974

#10 0x55555705367e in ApiTestFuzzer::Run()/v8/out/../test/cctest/test-api.cc:11863

    #11 0x555557c9f186 in NotifyStartedAndRun /v8/out/../src/platform.h:611

#12 0x555557c9f186 in v8::internal::ThreadEntry(void*)/v8/out/../src/platform-linux.cc:800#13 0x555556fd6763 in __asan::AsanThread::ThreadStart(unsigned long)/san/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:138#14 0x7ffff7bc4e99 in start_thread(/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99)

    #15 0x7ffff6cd3ccc (/lib/x86_64-linux-gnu/libc.so.6+0xf3ccc)

0x603000034660 is located 0 bytes inside of 32-byte region[0x603000034660,0x603000034680)

freed by thread T38 (ApiTestFuzzer) here:

#0 0x555556fd05f5 in operator delete[](void*)/san/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:85

    #1 0x555557026d03 in DeleteArray<char> /v8/out/../src/allocation.h:92
    #2 0x555557026d03 in ~ScopedVector /v8/out/../src/utils.h:572
    #3 0x555557026d03 in ~ScopedVector /v8/out/../src/utils.h:571

#4 0x555557026d03 in TestExtensionWithSourceLength()/v8/out/../test/cctest/test-api.cc:5871#5 0x55555705367e in CallTestNumber/v8/out/../test/cctest/test-api.cc:11898

    #6 0x55555705367e in CallTest /v8/out/../test/cctest/test-api.cc:11974

#7 0x55555705367e in ApiTestFuzzer::Run()/v8/out/../test/cctest/test-api.cc:11863

    #8 0x555557c9f186 in NotifyStartedAndRun /v8/out/../src/platform.h:611

#9 0x555557c9f186 in v8::internal::ThreadEntry(void*)/v8/out/../src/platform-linux.cc:800#10 0x555556fd6763 in __asan::AsanThread::ThreadStart(unsigned long)/san/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:138#11 0x7ffff7bc4e99 in start_thread(/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99)

    #12 0x7ffff6cd3ccc (/lib/x86_64-linux-gnu/libc.so.6+0xf3ccc)
previously allocated by thread T38 (ApiTestFuzzer) here:

#0 0x555556fd0345 in operator new[](unsigned long)/san/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:54

    #1 0x555557026b4c in NewArray<char> /v8/out/../src/allocation.h:84
    #2 0x555557026b4c in ScopedVector /v8/out/../src/utils.h:570
    #3 0x555557026b4c in ScopedVector /v8/out/../src/utils.h:570

#4 0x555557026b4c in TestExtensionWithSourceLength()/v8/out/../test/cctest/test-api.cc:5854#5 0x55555705367e in CallTestNumber/v8/out/../test/cctest/test-api.cc:11898

    #6 0x55555705367e in CallTest /v8/out/../test/cctest/test-api.cc:11974

#7 0x55555705367e in ApiTestFuzzer::Run()/v8/out/../test/cctest/test-api.cc:11863

    #8 0x555557c9f186 in NotifyStartedAndRun /v8/out/../src/platform.h:611

    #12 0x7ffff6cd3ccc (/lib/x86_64-linux-gnu/libc.so.6+0xf3ccc)
Thread T24 (ApiTestFuzzer) created by T0 here:

#0 0x555556fc183b in pthread_create/san/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:148#1 0x555557c9f037 in v8::internal::Thread::Start()/v8/out/../src/platform-linux.cc:823#2 0x555557053c98 in ApiTestFuzzer::SetUp(ApiTestFuzzer::PartOfTest)/v8/out/../test/cctest/test-api.cc:11892#3 0x555557054304 in TestThreading3()/v8/out/../test/cctest/test-api.cc:11960

    #4 0x7ffff6c0176c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
Thread T38 (ApiTestFuzzer) created by T0 here:

    #4 0x7ffff6c0176c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)

SUMMARY: AddressSanitizer: heap-use-after-free/san/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:439 strcmp

Shadow bytes around the buggy address:
  0x0c067fffe870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffe880: fa fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fffe890: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fffe8a0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fffe8b0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x0c067fffe8c0: fd fd fd fa fa fa fd fd fd fa fa fa[fd]fd fd fd
  0x0c067fffe8d0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c067fffe8e0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fffe8f0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffe900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffe910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==3358==ABORTING

Command: /v8/out/x64.release/cctest --nocrankshaft test-api/Threading3--nobreak-on-abort --nodead-code-elimination --nofold-constants--testing_serialization_file=/v8/out/.serdes/serdes_Threading3__nocrankshaft

--

You received this message because this project is configured to send allissue notifications to this address.

You may adjust your notification preferences at:
https://code.google.com/hosting/settings

--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

---You received this message because you are subscribed to the Google Groups "v8-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

[v8-dev] Issue 2761 in v8: AddressSanitizer reports use-after-free in V8 tests on x64 Linux

Reply via email to