Created
June 13, 2022 16:39
-
-
Save kripken/5b46a19e513483c96b8f007c03f0fc5f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ================================================================= | |
| ==2342311==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030004541e4 at pc 0x7ff218ebce95 bp 0x7ff1fe2bc850 sp 0x7ff1fe2bc848 | |
| READ of size 4 at 0x6030004541e4 thread T6 | |
| #0 0x7ff218ebce94 in wasm::Type::isTuple() const (/bin/../lib/libbinaryen.so+0x125e0e94) | |
| #1 0x7ff218fa852b in wasm::TypeBuilder::build() (/bin/../lib/libbinaryen.so+0x126cc52b) | |
| #2 0x7ff218fbda5f in wasm::Type::getLeastUpperBound(wasm::Type, wasm::Type) (/bin/../lib/libbinaryen.so+0x126e1a5f) | |
| #3 0x7ff2186f5006 in wasm::If::finalize() (/bin/../lib/libbinaryen.so+0x11e19006) | |
| #4 0x56004b397f60 in wasm::Walker<wasm::ReFinalize, wasm::OverriddenVisitor<wasm::ReFinalize, void> >::walk(wasm::Expression*&) (/bin/wasm-opt+0xce3f60) | |
| #5 0x7ff2178918ed in wasm::RemoveUnusedBrs::doWalkFunction(wasm::Function*) (/bin/../lib/libbinaryen.so+0x10fb58ed) | |
| #6 0x7ff2178973ec in wasm::WalkerPass<wasm::PostWalker<wasm::RemoveUnusedBrs, wasm::Visitor<wasm::RemoveUnusedBrs, void> > >::runOnFunction(wasm::PassRunner*, wasm::Module*, wasm::Function*) (/bin/../lib/libbinaryen.so+0x10fbb3ec) | |
| #7 0x7ff2147a6cac in wasm::PassRunner::runPassOnFunction(wasm::Pass*, wasm::Function*) (/bin/../lib/libbinaryen.so+0xdecacac) | |
| #8 0x7ff2147a8781 in std::_Function_handler<wasm::ThreadWorkState (), wasm::PassRunner::run()::{lambda()#2}::operator()() const::{lambda()#1}>::_M_invoke(std::_Any_data const&) (/bin/../lib/libbinaryen.so+0xdecc781) | |
| #9 0x7ff219ae0008 in wasm::Thread::mainLoop(void*) (/bin/../lib/libbinaryen.so+0x13204008) | |
| #10 0x7ff2067939d2 (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd49d2) | |
| #11 0x7ff205f0dd7f in start_thread nptl/pthread_create.c:481 | |
| #12 0x7ff205e2776e in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfa76e) | |
| 0x6030004541e4 is located 4 bytes inside of 32-byte region [0x6030004541e0,0x603000454200) | |
| freed by thread T2 here: | |
| #0 0x7ff22a360db7 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:172 | |
| #1 0x7ff218ea7e97 in std::default_delete<wasm::TypeBuilder::Impl>::operator()(wasm::TypeBuilder::Impl*) const [clone .part.0] (/bin/../lib/libbinaryen.so+0x125cbe97) | |
| #2 0x7ff218ecf113 in wasm::TypeBuilder::~TypeBuilder() (/bin/../lib/libbinaryen.so+0x125f3113) | |
| #3 0x7ff218fbd661 in wasm::Type::getLeastUpperBound(wasm::Type, wasm::Type) (/bin/../lib/libbinaryen.so+0x126e1661) | |
| #4 0x7ff2186f5006 in wasm::If::finalize() (/bin/../lib/libbinaryen.so+0x11e19006) | |
| #5 0x56004b397f60 in wasm::Walker<wasm::ReFinalize, wasm::OverriddenVisitor<wasm::ReFinalize, void> >::walk(wasm::Expression*&) (/bin/wasm-opt+0xce3f60) | |
| #6 0x7ff2178918ed in wasm::RemoveUnusedBrs::doWalkFunction(wasm::Function*) (/bin/../lib/libbinaryen.so+0x10fb58ed) | |
| #7 0x7ff2178973ec in wasm::WalkerPass<wasm::PostWalker<wasm::RemoveUnusedBrs, wasm::Visitor<wasm::RemoveUnusedBrs, void> > >::runOnFunction(wasm::PassRunner*, wasm::Module*, wasm::Function*) (/bin/../lib/libbinaryen.so+0x10fbb3ec) | |
| #8 0x7ff2147a6cac in wasm::PassRunner::runPassOnFunction(wasm::Pass*, wasm::Function*) (/bin/../lib/libbinaryen.so+0xdecacac) | |
| #9 0x7ff2147a8781 in std::_Function_handler<wasm::ThreadWorkState (), wasm::PassRunner::run()::{lambda()#2}::operator()() const::{lambda()#1}>::_M_invoke(std::_Any_data const&) (/bin/../lib/libbinaryen.so+0xdecc781) | |
| #10 0x7ff219ae0008 in wasm::Thread::mainLoop(void*) (/bin/../lib/libbinaryen.so+0x13204008) | |
| #11 0x7ff2067939d2 (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd49d2) | |
| previously allocated by thread T2 here: | |
| #0 0x7ff22a35ff37 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99 | |
| #1 0x7ff218eead81 in wasm::Type wasm::(anonymous namespace)::Store<wasm::(anonymous namespace)::TypeInfo>::doInsert<wasm::(anonymous namespace)::TypeInfo const>(wasm::(anonymous namespace)::TypeInfo const&) (/bin/../lib/libbinaryen.so+0x1260ed81) | |
| #2 0x7ff218ef4f8c in wasm::TypeBuilder::getTempRefType(wasm::HeapType, wasm::Nullability) (/bin/../lib/libbinaryen.so+0x12618f8c) | |
| #3 0x7ff218f578e1 in wasm::(anonymous namespace)::TypeBounder::lub(wasm::Type, wasm::Type) (/bin/../lib/libbinaryen.so+0x1267b8e1) | |
| #4 0x7ff218fbd391 in wasm::Type::getLeastUpperBound(wasm::Type, wasm::Type) (/bin/../lib/libbinaryen.so+0x126e1391) | |
| #5 0x7ff2186f5006 in wasm::If::finalize() (/bin/../lib/libbinaryen.so+0x11e19006) | |
| #6 0x56004b397f60 in wasm::Walker<wasm::ReFinalize, wasm::OverriddenVisitor<wasm::ReFinalize, void> >::walk(wasm::Expression*&) (/bin/wasm-opt+0xce3f60) | |
| #7 0x7ff2178918ed in wasm::RemoveUnusedBrs::doWalkFunction(wasm::Function*) (/bin/../lib/libbinaryen.so+0x10fb58ed) | |
| #8 0x7ff2178973ec in wasm::WalkerPass<wasm::PostWalker<wasm::RemoveUnusedBrs, wasm::Visitor<wasm::RemoveUnusedBrs, void> > >::runOnFunction(wasm::PassRunner*, wasm::Module*, wasm::Function*) (/bin/../lib/libbinaryen.so+0x10fbb3ec) | |
| #9 0x7ff2147a6cac in wasm::PassRunner::runPassOnFunction(wasm::Pass*, wasm::Function*) (/bin/../lib/libbinaryen.so+0xdecacac) | |
| #10 0x7ff2147a8781 in std::_Function_handler<wasm::ThreadWorkState (), wasm::PassRunner::run()::{lambda()#2}::operator()() const::{lambda()#1}>::_M_invoke(std::_Any_data const&) (/bin/../lib/libbinaryen.so+0xdecc781) | |
| #11 0x7ff219ae0008 in wasm::Thread::mainLoop(void*) (/bin/../lib/libbinaryen.so+0x13204008) | |
| #12 0x7ff2067939d2 (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd49d2) | |
| Thread T6 created by T0 here: | |
| #0 0x7ff22a306716 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216 | |
| #1 0x7ff206793cdb in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd4cdb) | |
| #2 0x7ff219adee21 in wasm::Thread::Thread(wasm::ThreadPool*) (/bin/../lib/libbinaryen.so+0x13202e21) | |
| #3 0x7ff219ae2679 in wasm::ThreadPool::initialize(unsigned long) (/bin/../lib/libbinaryen.so+0x13206679) | |
| #4 0x7ff219ae3387 in wasm::ThreadPool::get() (/bin/../lib/libbinaryen.so+0x13207387) | |
| #5 0x7ff2147b13a7 in wasm::PassRunner::run()::{lambda()#2}::operator()() const (/bin/../lib/libbinaryen.so+0xded53a7) | |
| #6 0x7ff2147b7484 in wasm::PassRunner::run() (/bin/../lib/libbinaryen.so+0xdedb484) | |
| #7 0x7ff219167037 in wasm::WalkerPass<wasm::PostWalker<wasm::FunctionValidator, wasm::Visitor<wasm::FunctionValidator, void> > >::run(wasm::PassRunner*, wasm::Module*) (/bin/../lib/libbinaryen.so+0x1288b037) | |
| #8 0x7ff2190fe3c0 in wasm::WasmValidator::validate(wasm::Module&, unsigned int) (/bin/../lib/libbinaryen.so+0x128223c0) | |
| #9 0x56004b07f575 in main (/bin/wasm-opt+0x9cb575) | |
| #10 0x7ff205d507fc in __libc_start_main ../csu/libc-start.c:332 | |
| Thread T2 created by T0 here: | |
| #0 0x7ff22a306716 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216 | |
| #1 0x7ff206793cdb in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd4cdb) | |
| #2 0x7ff219adee21 in wasm::Thread::Thread(wasm::ThreadPool*) (/bin/../lib/libbinaryen.so+0x13202e21) | |
| #3 0x7ff219ae2679 in wasm::ThreadPool::initialize(unsigned long) (/bin/../lib/libbinaryen.so+0x13206679) | |
| #4 0x7ff219ae3387 in wasm::ThreadPool::get() (/bin/../lib/libbinaryen.so+0x13207387) | |
| #5 0x7ff2147b13a7 in wasm::PassRunner::run()::{lambda()#2}::operator()() const (/bin/../lib/libbinaryen.so+0xded53a7) | |
| #6 0x7ff2147b7484 in wasm::PassRunner::run() (/bin/../lib/libbinaryen.so+0xdedb484) | |
| #7 0x7ff219167037 in wasm::WalkerPass<wasm::PostWalker<wasm::FunctionValidator, wasm::Visitor<wasm::FunctionValidator, void> > >::run(wasm::PassRunner*, wasm::Module*) (/bin/../lib/libbinaryen.so+0x1288b037) | |
| #8 0x7ff2190fe3c0 in wasm::WasmValidator::validate(wasm::Module&, unsigned int) (/bin/../lib/libbinaryen.so+0x128223c0) | |
| #9 0x56004b07f575 in main (/bin/wasm-opt+0x9cb575) | |
| #10 0x7ff205d507fc in __libc_start_main ../csu/libc-start.c:332 | |
| SUMMARY: AddressSanitizer: heap-use-after-free (/bin/../lib/libbinaryen.so+0x125e0e94) in wasm::Type::isTuple() const | |
| Shadow bytes around the buggy address: | |
| 0x0c06800827e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd | |
| 0x0c06800827f0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa | |
| 0x0c0680082800: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fd | |
| 0x0c0680082810: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd | |
| 0x0c0680082820: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa | |
| =>0x0c0680082830: fd fd fd fd fa fa fd fd fd fa fa fa[fd]fd fd fd | |
| 0x0c0680082840: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd | |
| 0x0c0680082850: fd fa fa fa fd fd fd fd fa fa 00 00 00 fa fa fa | |
| 0x0c0680082860: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa | |
| 0x0c0680082870: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd | |
| 0x0c0680082880: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa | |
| Shadow byte legend (one shadow byte represents 8 application bytes): | |
| Addressable: 00 | |
| Partially addressable: 01 02 03 04 05 06 07 | |
| Heap left redzone: fa | |
| Freed heap region: fd | |
| Stack left redzone: f1 | |
| Stack mid redzone: f2 | |
| Stack right redzone: f3 | |
| Stack after return: f5 | |
| Stack use after scope: f8 | |
| Global redzone: f9 | |
| Global init order: f6 | |
| Poisoned by user: f7 | |
| Container overflow: fc | |
| Array cookie: ac | |
| Intra object redzone: bb | |
| ASan internal: fe | |
| Left alloca redzone: ca | |
| Right alloca redzone: cb | |
| Shadow gap: cc | |
| ==2342311==ABORTING |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment