ivptr might be GC marked before it gets used

shyouhei · shyouhei · commit 8c03aaf5537a · 2019-04-25T16:38:34.000+09:00
GC.stress unveils that an ivptr allocated using transient heap gets marked right before it evacuates to normal heaps (the evacuation itself triggers GC). Should fill something beforehand. ================================================================= ==60984==ERROR: AddressSanitizer: use-after-poison on address 0x7f0fcfdf0020 at pc 0x55bdaad55381 bp 0x7fffcddc0910 sp 0x7fffcddc0908 READ of size 8 at 0x7f0fcfdf0020 thread T0 #0 0x55bdaad55380 in gc_mark_children gc.c:5063:39 #1 0x55bdaad6b7c2 in gc_mark_stacked_objects gc.c:5156:9 #2 0x55bdaad6cb1a in gc_mark_stacked_objects_all gc.c:5196:12 #3 0x55bdaad6a180 in gc_marks_rest gc.c:6109:2 #4 0x55bdaad6ef51 in gc_marks gc.c:6169:6 #5 0x55bdaad63bfd in gc_start gc.c:6974:2 #6 0x55bdaad4fa73 in garbage_collect gc.c:6869:12 #7 0x55bdaad7866e in garbage_collect_with_gvl gc.c:7127:9 #8 0x55bdaad784d6 in objspace_malloc_gc_stress gc.c:9270:9 #9 0x55bdaad56f29 in objspace_xmalloc0 gc.c:9416:5 #10 0x55bdaad56ef2 in ruby_xmalloc2_body gc.c:9623:12 #11 0x55bdaad615dc in ruby_xmalloc2 gc.c:11479:12 #12 0x55bdab26a601 in obj_ivar_heap_alloc variable.c:1405:18 #13 0x55bdab27a35b in obj_ivar_heap_realloc variable.c:1418:23 ruby#14 0x55bdab26ac98 in obj_ivar_set variable.c:1490:26 ruby#15 0x55bdab2621fd in rb_ivar_set variable.c:1513:16 ruby#16 0x55bdab2e841d in vm_setivar vm_insnhelper.c:1118:12 ruby#17 0x55bdab2ecca4 in vm_setinstancevariable vm_insnhelper.c:1130:5 ruby#18 0x55bdab28113c in vm_exec_core insns.def:227:5 0x7f0fcfdf0020 is located 26181664 bytes inside of 33554432-byte region [0x7f0fce4f8000,0x7f0fd04f8000) allocated by thread T0 here: #0 0x55bdaacd3047 in posix_memalign (ruby+0x1c2047) #1 0x55bdaad56b75 in rb_aligned_malloc gc.c:9195:9 #2 0x55bdab24c523 in transient_heap_block_alloc transient_heap.c:296:24 #3 0x55bdab24c1fe in Init_TransientHeap transient_heap.c:435:39 #4 0x55bdaada26f8 in rb_call_inits inits.c:20:5 #5 0x55bdaad076af in ruby_setup eval.c:74:2 #6 0x55bdaad0796c in ruby_init eval.c:91:17 #7 0x55bdaad01598 in main main.c:41:2 #8 0x7f0fd344cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 SUMMARY: AddressSanitizer: use-after-poison gc.c:5063:39 in gc_mark_children Shadow bytes around the buggy address: 0x0fe279fb5fb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0fe279fb5fc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0fe279fb5fd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0fe279fb5fe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0fe279fb5ff0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 =>0x0fe279fb6000: 00 00 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0fe279fb6010: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0fe279fb6020: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0fe279fb6030: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0fe279fb6040: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0fe279fb6050: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==60984==ABORTING
diff --git a/variable.c b/variable.c
@@ -1415,13 +1415,9 @@ obj_ivar_heap_realloc(VALUE obj, int32_t len, size_t newsize)
 
     if (ROBJ_TRANSIENT_P(obj)) {
         const VALUE *orig_ptr = ROBJECT(obj)->as.heap.ivptr;
-        if ((newptr = obj_ivar_heap_alloc(obj, newsize)) != NULL) {
-            /* ok */
-        }
-        else {
-            newptr = ALLOC_N(VALUE, newsize);
-            ROBJ_TRANSIENT_UNSET(obj);
-        }
+        newptr = obj_ivar_heap_alloc(obj, newsize);
+
+        assert(newptr);
         ROBJECT(obj)->as.heap.ivptr = newptr;
         for (i=0; i<(int)len; i++) {
             newptr[i] = orig_ptr[i];
