Created
August 23, 2018 19:28
-
-
Save dogbert17/a6ee6ddd172ad3ff57c0096eca767716 to your computer and use it in GitHub Desktop.
ASAN delivers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dogbert@dogbert-VirtualBox ~/repos/rakudo/nqp/MoarVM $ git diff | |
| diff --git a/src/core/fixedsizealloc.c b/src/core/fixedsizealloc.c | |
| index fda6414..0714750 100644 | |
| --- a/src/core/fixedsizealloc.c | |
| +++ b/src/core/fixedsizealloc.c | |
| @@ -10,7 +10,7 @@ | |
| * behavior. */ | |
| /* Turn this on to switch to a mode where we debug by size. */ | |
| -#define FSA_SIZE_DEBUG 0 | |
| +#define FSA_SIZE_DEBUG 1 | |
| #if FSA_SIZE_DEBUG | |
| typedef struct { | |
| MVMuint64 alloc_size; | |
| diff --git a/src/gc/collect.h b/src/gc/collect.h | |
| index 123d934..f3eaa46 100644 | |
| --- a/src/gc/collect.h | |
| +++ b/src/gc/collect.h | |
| @@ -1,6 +1,6 @@ | |
| /* The maximum size of the nursery area. Note that since it's semi-space | |
| * copying, we could actually have double this amount allocated per thread. */ | |
| -#define MVM_NURSERY_SIZE 4194304 | |
| +#define MVM_NURSERY_SIZE (32768 * 2) | |
| /* The nursery size threads other than the main thread start out with. If | |
| * they fill it and trigger a GC run, then it is doubled. If they are | |
| diff --git a/src/gc/debug.h b/src/gc/debug.h | |
| index 1dd4f17..088bdac 100644 | |
| --- a/src/gc/debug.h | |
| +++ b/src/gc/debug.h | |
| @@ -3,7 +3,7 @@ | |
| * 1 = Checks on reference assignments and other relatively cheap cases | |
| * 2 = Checks on every object register access (slow) | |
| */ | |
| -#define MVM_GC_DEBUG 0 | |
| +#define MVM_GC_DEBUG 1 | |
| #if MVM_GC_DEBUG | |
| #define MVM_ASSERT_NOT_FROMSPACE(tc, c) do { \ | |
| dogbert@dogbert-VirtualBox ~/repos/rakudo $ ASAN_OPTIONS=detect_leaks=0 ./perl6 t/spec/S17-lowlevel/atomic.t | |
| 1..33 | |
| ok 1 - Doing a full memory barrier lives | |
| ok 2 - Can do an atomic fetch from a Scalar container | |
| ok 3 - Can do an atomic assign to a Scalar container; returns new value | |
| ok 4 - Atomic fetch after atomic assign shows latest value | |
| ok 5 - Updated value seen by non-atomic too | |
| 1..2 | |
| ok 1 - code dies | |
| ok 2 - right exception type (X::TypeCheck::Assignment) | |
| ok 6 - Cannot atomic assign value of the wrong type | |
| ok 7 - Can atomic assign to a Scalar container with a subset type if value matches | |
| 1..2 | |
| ok 1 - code dies | |
| ok 2 - right exception type (X::TypeCheck::Assignment) | |
| ok 8 - Cannot atomic assign value failing to meet subset type | |
| ok 9 - Correct value is in the container | |
| ok 10 - No hang due to incorrect lifting of atomic fetch out of loop | |
| ok 11 - Can do an atomic fetch from an int container | |
| ok 12 - Can do an atomic assign to an int container; returns new value | |
| ok 13 - Atomic int fetch after atomic int assign shows latest value | |
| ok 14 - Updated value seen by non-atomic too | |
| ok 15 - No hang due to incorrect lifting of atomic int fetch out of loop | |
| ok 16 - atomic-fetch-inc returns value before incrementing (1) | |
| ok 17 - atomic-fetch-inc returns value before incrementing (1) | |
| ok 18 - atomic-fetch-dec returns value before decrementing (1) | |
| ok 19 - atomic-fetch-dec returns value before decrementing (2) | |
| ok 20 - atomic-postfix-add returns value before adding (1) | |
| ok 21 - atomic-postfix-add returns value before adding (2) | |
| ok 22 - Atomic increment of lexical works (1) | |
| ok 23 - Atomic increment of lexical works (2) | |
| ok 24 - Atomic increment of lexical works (3) | |
| ================================================================= | |
| ==8690==ERROR: AddressSanitizer: heap-use-after-free on address 0x612001c993c8 at pc 0x7f555367b04e bp 0x7fff6f06c550 sp 0x7fff6f06c540 | |
| READ of size 8 at 0x612001c993c8 thread T0 | |
| #0 0x7f555367b04d in MVM_gc_mark_collectable src/gc/collect.c:370 | |
| #1 0x7f555367b76f in process_worklist src/gc/collect.c:344 | |
| #2 0x7f555367c62c in MVM_gc_collect src/gc/collect.c:134 | |
| #3 0x7f55536671a1 in run_gc src/gc/orchestrate.c:409 | |
| #4 0x7f5553668406 in MVM_gc_enter_from_interrupt src/gc/orchestrate.c:613 | |
| #5 0x7f55535e66a9 in MVM_interp_run src/core/interp.c:217 | |
| #6 0x7f55538c1386 in MVM_vm_run_file src/moar.c:420 | |
| #7 0x40183f in main src/main.c:300 | |
| #8 0x7f5552ba782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) | |
| #9 0x401a88 in _start (/home/dogbert/repos/rakudo/install/bin/moar+0x401a88) | |
| 0x612001c993c8 is located 8 bytes inside of 280-byte region [0x612001c993c0,0x612001c994d8) | |
| freed by thread T4 here: | |
| #0 0x7f55547392ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca) | |
| #1 0x7f55535f766d in remove_one_frame src/core/frame.c:870 | |
| #2 0x7f555360bdcc in MVM_frame_try_return src/core/frame.c:1003 | |
| #3 0x7f554d78738a (<unknown module>) | |
| #4 0x7f55535c58bc in MVM_interp_run src/core/interp.c:5946 | |
| #5 0x7f55536178a5 in start_thread src/core/threads.c:87 | |
| #6 0x7f55529716b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) | |
| previously allocated by thread T4 here: | |
| #0 0x7f5554739602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) | |
| #1 0x7f55536403f5 in MVM_malloc src/core/alloc.h:2 | |
| #2 0x7f55536403f5 in MVM_fixed_size_alloc src/core/fixedsizealloc.c:178 | |
| #3 0x7f5553640440 in MVM_fixed_size_alloc_zeroed src/core/fixedsizealloc.c:201 | |
| #4 0x7f55535fc746 in allocate_frame src/core/frame.c:296 | |
| #5 0x7f55535fd329 in MVM_frame_invoke src/core/frame.c:494 | |
| #6 0x7f55536fd742 in invoke_handler src/6model/reprs/MVMCode.c:10 | |
| #7 0x7f554d785603 (<unknown module>) | |
| #8 0x7f55535c58bc in MVM_interp_run src/core/interp.c:5946 | |
| #9 0x7f55536178a5 in start_thread src/core/threads.c:87 | |
| #10 0x7f55529716b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) | |
| Thread T4 created by T3 here: | |
| #0 0x7f55546d7253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253) | |
| #1 0x7f555395fc7f in uv_thread_create (//home/dogbert/repos/rakudo/nqp/MoarVM/../../install/lib/libmoar.so+0xa0ec7f) | |
| Thread T3 created by T0 here: | |
| #0 0x7f55546d7253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253) | |
| #1 0x7f555395fc7f in uv_thread_create (//home/dogbert/repos/rakudo/nqp/MoarVM/../../install/lib/libmoar.so+0xa0ec7f) | |
| SUMMARY: AddressSanitizer: heap-use-after-free src/gc/collect.c:370 MVM_gc_mark_collectable | |
| Shadow bytes around the buggy address: | |
| 0x0c248038b220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd | |
| 0x0c248038b230: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa | |
| 0x0c248038b240: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd | |
| 0x0c248038b250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd | |
| 0x0c248038b260: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa | |
| =>0x0c248038b270: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd | |
| 0x0c248038b280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd | |
| 0x0c248038b290: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa | |
| 0x0c248038b2a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd | |
| 0x0c248038b2b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd | |
| 0x0c248038b2c0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa | |
| Shadow byte legend (one shadow byte represents 8 application bytes): | |
| Addressable: 00 | |
| Partially addressable: 01 02 03 04 05 06 07 | |
| Heap left redzone: fa | |
| Heap right redzone: fb | |
| Freed heap region: fd | |
| Stack left redzone: f1 | |
| Stack mid redzone: f2 | |
| Stack right redzone: f3 | |
| Stack partial redzone: f4 | |
| Stack after return: f5 | |
| Stack use after scope: f8 | |
| Global redzone: f9 | |
| Global init order: f6 | |
| Poisoned by user: f7 | |
| Container overflow: fc | |
| Array cookie: ac | |
| Intra object redzone: bb | |
| ASan internal: fe | |
| ==8690==ABORTING | |
| dogbert@dogbert-VirtualBox ~/repos/rakudo $ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment