forked from rebolsource/r3
demo on i3wm #2
Comments
It seems that i3wm doesn't support EWMH (http://standards.freedesktop.org/wm-spec/wm-spec-latest.html). The current implementation uses EWMH to get the graphic information (such as work area, title bar height, etc.). I hardcoded some values so that it runs on my computer with i3wm, but I might have missed some.
zsx added a commit that referenced this issue on May 13, 2014
It will confuse Expand_Series, which expects "tail" to be the actual size, and cause a read beyond the allocated memory, or heap buffer overflow, found by the address sanitizer of GCC:

=================================================================
==10856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b201 at pc 0x47df61 bp 0x7fffffff2ca0 sp 0x7fffffff2c98
READ of size 1 at 0x62a00000b201 thread T0
    #0 0x47df60 in Expand_Series ../src/core/m-series.c:145
    #1 0x47e5a7 in Extend_Series ../src/core/m-series.c:187
    #2 0x466e0c in Scan_Quote ../src/core/l-scan.c:462
    #3 0x46a797 in Scan_Token ../src/core/l-scan.c:918
    #4 0x46e263 in Scan_Block ../src/core/l-scan.c:1188
    #5 0x46e722 in Scan_Code ../src/core/l-scan.c:1548
    #6 0x46e886 in Scan_Source ../src/core/l-scan.c:1568
    #7 0x4cb85c in Make_Block_Type ../src/core/t-block.c:306
    #8 0x4cd1b8 in T_Block ../src/core/t-block.c:608
    #9 0x4d042e in T_Datatype ../src/core/t-datatype.c:92
    #10 0x42e080 in Do_Act ../src/core/c-function.c:338
    #11 0x42e7e5 in Do_Action ../src/core/c-function.c:396
    #12 0x413628 in Do_Next ../src/core/c-do.c:884
    #13 0x41309b in Do_Next ../src/core/c-do.c:858
    #14 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #15 0x482dd2 in N_case ../src/core/n-control.c:349
    #16 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #17 0x413628 in Do_Next ../src/core/c-do.c:884
    #18 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #19 0x42e869 in Do_Function ../src/core/c-function.c:415
    #20 0x413628 in Do_Next ../src/core/c-do.c:884
    #21 0x41309b in Do_Next ../src/core/c-do.c:858
    #22 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #23 0x42e869 in Do_Function ../src/core/c-function.c:415
    #24 0x413628 in Do_Next ../src/core/c-do.c:884
    #25 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #26 0x414152 in Do_Next ../src/core/c-do.c:939
    #27 0x48201c in N_all ../src/core/n-control.c:261
    #28 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #29 0x413628 in Do_Next ../src/core/c-do.c:884
    #30 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #31 0x491abc in Loop_Each ../src/core/n-loop.c:410
    #32 0x492a6c in N_foreach ../src/core/n-loop.c:546
    #33 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #34 0x413628 in Do_Next ../src/core/c-do.c:884
    #35 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #36 0x42e869 in Do_Function ../src/core/c-function.c:415
    #37 0x413628 in Do_Next ../src/core/c-do.c:884
    #38 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #39 0x414152 in Do_Next ../src/core/c-do.c:939
    #40 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #41 0x48459c in N_if ../src/core/n-control.c:619
    #42 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #43 0x413628 in Do_Next ../src/core/c-do.c:884
    #44 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #45 0x491abc in Loop_Each ../src/core/n-loop.c:410
    #46 0x492a6c in N_foreach ../src/core/n-loop.c:546
    #47 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #48 0x413628 in Do_Next ../src/core/c-do.c:884
    #49 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #50 0x42e869 in Do_Function ../src/core/c-function.c:415
    #51 0x418fb4 in Apply_Block ../src/core/c-do.c:1474
    #52 0x4824fb in N_apply ../src/core/n-control.c:295
    #53 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #54 0x413628 in Do_Next ../src/core/c-do.c:884
    #55 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #56 0x414152 in Do_Next ../src/core/c-do.c:939
    #57 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #58 0x485388 in N_unless ../src/core/n-control.c:763
    #59 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #60 0x413628 in Do_Next ../src/core/c-do.c:884
    #61 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #62 0x483eff in N_do ../src/core/n-control.c:523
    #63 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #64 0x413628 in Do_Next ../src/core/c-do.c:884
    #65 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #66 0x414152 in Do_Next ../src/core/c-do.c:939
    #67 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #68 0x48459c in N_if ../src/core/n-control.c:619
    #69 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #70 0x413628 in Do_Next ../src/core/c-do.c:884
    #71 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #72 0x48f8cc in Loop_Integer ../src/core/n-loop.c:130
    #73 0x49314d in N_repeat ../src/core/n-loop.c:631
    #74 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #75 0x413628 in Do_Next ../src/core/c-do.c:884
    #76 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #77 0x42ee10 in Do_Closure ../src/core/c-function.c:459
    #78 0x413628 in Do_Next ../src/core/c-do.c:884
    #79 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #80 0x485388 in N_unless ../src/core/n-control.c:763
    #81 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #82 0x413628 in Do_Next ../src/core/c-do.c:884
    #83 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #84 0x42e869 in Do_Function ../src/core/c-function.c:415
    #85 0x418fb4 in Apply_Block ../src/core/c-do.c:1474
    #86 0x4824fb in N_apply ../src/core/n-control.c:295
    #87 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #88 0x413628 in Do_Next ../src/core/c-do.c:884
    #89 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #90 0x414152 in Do_Next ../src/core/c-do.c:939
    #91 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #92 0x485388 in N_unless ../src/core/n-control.c:763
    #93 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #94 0x413628 in Do_Next ../src/core/c-do.c:884
    #95 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #96 0x483eff in N_do ../src/core/n-control.c:523
    #97 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #98 0x413628 in Do_Next ../src/core/c-do.c:884
    #99 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #100 0x414152 in Do_Next ../src/core/c-do.c:939
    #101 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #102 0x48459c in N_if ../src/core/n-control.c:619
    #103 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #104 0x413628 in Do_Next ../src/core/c-do.c:884
    #105 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #106 0x48f8cc in Loop_Integer ../src/core/n-loop.c:130
    #107 0x49314d in N_repeat ../src/core/n-loop.c:631
    #108 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #109 0x413628 in Do_Next ../src/core/c-do.c:884
    #110 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #111 0x42ee10 in Do_Closure ../src/core/c-function.c:459
    #112 0x413628 in Do_Next ../src/core/c-do.c:884
    #113 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #114 0x485388 in N_unless ../src/core/n-control.c:763
    #115 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #116 0x413628 in Do_Next ../src/core/c-do.c:884
    #117 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #118 0x42e869 in Do_Function ../src/core/c-function.c:415
    #119 0x413628 in Do_Next ../src/core/c-do.c:884
    #120 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #121 0x484cf1 in N_switch ../src/core/n-control.c:716
    #122 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #123 0x413628 in Do_Next ../src/core/c-do.c:884
    #124 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #125 0x42e869 in Do_Function ../src/core/c-function.c:415
    #126 0x413628 in Do_Next ../src/core/c-do.c:884
    #127 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #128 0x48459c in N_if ../src/core/n-control.c:619
    #129 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #130 0x413628 in Do_Next ../src/core/c-do.c:884
    #131 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #132 0x42e869 in Do_Function ../src/core/c-function.c:415
    #133 0x413628 in Do_Next ../src/core/c-do.c:884
    #134 0x41309b in Do_Next ../src/core/c-do.c:858
    #135 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #136 0x484280 in N_either ../src/core/n-control.c:595
    #137 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #138 0x413628 in Do_Next ../src/core/c-do.c:884
    #139 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #140 0x42e869 in Do_Function ../src/core/c-function.c:415
    #141 0x419631 in Apply_Function ../src/core/c-do.c:1518
    #142 0x419918 in Apply_Func ../src/core/c-do.c:1545
    #143 0x48d102 in N_wake_up ../src/core/n-io.c:415
    #144 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #145 0x413628 in Do_Next ../src/core/c-do.c:884
    #146 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #147 0x4133c9 in Do_Next ../src/core/c-do.c:877
    #148 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #149 0x492b66 in N_loop ../src/core/n-loop.c:590
    #150 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #151 0x413628 in Do_Next ../src/core/c-do.c:884
    #152 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #153 0x42e869 in Do_Function ../src/core/c-function.c:415
    #154 0x419631 in Apply_Function ../src/core/c-do.c:1518
    #155 0x419918 in Apply_Func ../src/core/c-do.c:1545
    #156 0x42fef7 in Awake_System ../src/core/c-port.c:198
    #157 0x43012a in Wait_Ports ../src/core/c-port.c:231
    #158 0x48cd62 in N_wait ../src/core/n-io.c:374
    #159 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #160 0x413628 in Do_Next ../src/core/c-do.c:884
    #161 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #162 0x4133c9 in Do_Next ../src/core/c-do.c:877
    #163 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #164 0x4133c9 in Do_Next ../src/core/c-do.c:877
    #165 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #166 0x4929a7 in N_forever ../src/core/n-loop.c:527
    #167 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #168 0x413628 in Do_Next ../src/core/c-do.c:884
    #169 0x4152ff in Try_Block ../src/core/c-do.c:1077
    #170 0x48507e in N_try ../src/core/n-control.c:740
    #171 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #172 0x413628 in Do_Next ../src/core/c-do.c:884
    #173 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #174 0x414152 in Do_Next ../src/core/c-do.c:939
    #175 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #176 0x4133c9 in Do_Next ../src/core/c-do.c:877
    #177 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #178 0x4133c9 in Do_Next ../src/core/c-do.c:877
    #179 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #180 0x42e869 in Do_Function ../src/core/c-function.c:415
    #181 0x413628 in Do_Next ../src/core/c-do.c:884
    #182 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #183 0x48459c in N_if ../src/core/n-control.c:619
    #184 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #185 0x413628 in Do_Next ../src/core/c-do.c:884
    #186 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #187 0x42e869 in Do_Function ../src/core/c-function.c:415
    #188 0x413628 in Do_Next ../src/core/c-do.c:884
    #189 0x41309b in Do_Next ../src/core/c-do.c:858
    #190 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #191 0x42e869 in Do_Function ../src/core/c-function.c:415
    #192 0x413628 in Do_Next ../src/core/c-do.c:884
    #193 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #194 0x42e869 in Do_Function ../src/core/c-function.c:415
    #195 0x413628 in Do_Next ../src/core/c-do.c:884
    #196 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #197 0x414152 in Do_Next ../src/core/c-do.c:939
    #198 0x48201c in N_all ../src/core/n-control.c:261
    #199 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #200 0x413628 in Do_Next ../src/core/c-do.c:884
    #201 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #202 0x491abc in Loop_Each ../src/core/n-loop.c:410
    #203 0x492a6c in N_foreach ../src/core/n-loop.c:546
    #204 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #205 0x413628 in Do_Next ../src/core/c-do.c:884
    #206 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #207 0x42e869 in Do_Function ../src/core/c-function.c:415
    #208 0x413628 in Do_Next ../src/core/c-do.c:884
    #209 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #210 0x485388 in N_unless ../src/core/n-control.c:763
    #211 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #212 0x413628 in Do_Next ../src/core/c-do.c:884
    #213 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #214 0x42e869 in Do_Function ../src/core/c-function.c:415
    #215 0x413628 in Do_Next ../src/core/c-do.c:884
    #216 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #217 0x48459c in N_if ../src/core/n-control.c:619
    #218 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #219 0x413628 in Do_Next ../src/core/c-do.c:884
    #220 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #221 0x42ee10 in Do_Closure ../src/core/c-function.c:459
    #222 0x413628 in Do_Next ../src/core/c-do.c:884
    #223 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #224 0x414152 in Do_Next ../src/core/c-do.c:939
    #225 0x48201c in N_all ../src/core/n-control.c:261
    #226 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #227 0x413628 in Do_Next ../src/core/c-do.c:884
    #228 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #229 0x491abc in Loop_Each ../src/core/n-loop.c:410
    #230 0x492a6c in N_foreach ../src/core/n-loop.c:546
    #231 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #232 0x413628 in Do_Next ../src/core/c-do.c:884
    #233 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #234 0x42e869 in Do_Function ../src/core/c-function.c:415
    #235 0x413628 in Do_Next ../src/core/c-do.c:884
    #236 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #237 0x48459c in N_if ../src/core/n-control.c:619
    #238 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #239 0x413628 in Do_Next ../src/core/c-do.c:884
    #240 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #241 0x42e869 in Do_Function ../src/core/c-function.c:415
    #242 0x413628 in Do_Next ../src/core/c-do.c:884
    #243 0x41309b in Do_Next ../src/core/c-do.c:858
    #244 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #245 0x42e869 in Do_Function ../src/core/c-function.c:415
    #246 0x413628 in Do_Next ../src/core/c-do.c:884
    #247 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #248 0x48459c in N_if ../src/core/n-control.c:619
    #249 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #250 0x413628 in Do_Next ../src/core/c-do.c:884
    #251 0x414825 in Do_Blk ../src/core/c-do.c:1010

0x62a00000b201 is located 1 bytes to the right of 20480-byte region [0x62a000006200,0x62a00000b200)
allocated by thread T0 here:
    #0 0x7ffff6f58b1f in malloc (/usr/lib/libasan.so.1+0x54b1f)
    #1 0x47924a in Make_Mem ../src/core/m-pools.c:121
    #2 0x47a9ff in Make_Series ../src/core/m-pools.c:406
    #3 0x4aee84 in Make_Unicode ../src/core/s-make.c:59
    #4 0x4bb797 in Init_Mold ../src/core/s-mold.c:1425
    #5 0x40da64 in Init_Core ../src/core/b-init.c:940
    #6 0x4055e0 in RL_Init ../src/core/a-lib.c:124
    #7 0x580aa2 in main ../src/os/host-main.c:154
    #8 0x7ffff5719fff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/m-series.c:145 Expand_Series
Shadow bytes around the buggy address:
  0x0c547fff95f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff9600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff9610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff9620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff9630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c547fff9640:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff9660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff9670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff9680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:
zsx added a commit that referenced this issue on Oct 15, 2014
Found by AddressSanitizer:

==8157==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000f5897 at pc 0x4816ef bp 0x7fffffffafb0 sp 0x7fffffffafa0
READ of size 1 at 0x61d0000f5897 thread T0
    #0 0x4816ee in Expand_Series ../src/core/m-series.c:138
    #1 0x4e258c in Insert_Gobs ../src/core/t-gob.c:219
    #2 0x4e7782 in T_Gob ../src/core/t-gob.c:833
    #3 0x42e26f in Do_Act ../src/core/c-function.c:338
    #4 0x42e9d8 in Do_Action ../src/core/c-function.c:396
    #5 0x41395b in Do_Next ../src/core/c-do.c:886
    #6 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #7 0x4883d6 in N_if ../src/core/n-control.c:632
    #8 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #9 0x41395b in Do_Next ../src/core/c-do.c:886
    #10 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #11 0x4893c0 in N_unless ../src/core/n-control.c:792
    #12 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #13 0x41395b in Do_Next ../src/core/c-do.c:886
    #14 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #15 0x488c03 in N_switch ../src/core/n-control.c:736
    #16 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #17 0x41395b in Do_Next ../src/core/c-do.c:886
    #18 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #19 0x4883d6 in N_if ../src/core/n-control.c:632
    #20 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #21 0x41395b in Do_Next ../src/core/c-do.c:886
    #22 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #23 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #24 0x41395b in Do_Next ../src/core/c-do.c:886
    #25 0x415658 in Try_Block ../src/core/c-do.c:1083
    #26 0x4862f8 in N_attempt ../src/core/n-control.c:306
    #27 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #28 0x41395b in Do_Next ../src/core/c-do.c:886
    #29 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #30 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131
    #31 0x49693a in N_for ../src/core/n-loop.c:486
    #32 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #33 0x41395b in Do_Next ../src/core/c-do.c:886
    #34 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #35 0x4883d6 in N_if ../src/core/n-control.c:632
    #36 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #37 0x41395b in Do_Next ../src/core/c-do.c:886
    #38 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #39 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #40 0x41395b in Do_Next ../src/core/c-do.c:886
    #41 0x415658 in Try_Block ../src/core/c-do.c:1083
    #42 0x488f7d in N_try ../src/core/n-control.c:760
    #43 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #44 0x41395b in Do_Next ../src/core/c-do.c:886
    #45 0x4118a1 in Do_Args ../src/core/c-do.c:668
    #46 0x413700 in Do_Next ../src/core/c-do.c:879
    #47 0x4118a1 in Do_Args ../src/core/c-do.c:668
    #48 0x413700 in Do_Next ../src/core/c-do.c:879
    #49 0x414f2f in Do_Block_Value_Throw ../src/core/c-do.c:1048
    #50 0x5725ac in Parse_Rules_Loop ../src/core/u-parse.c:830
    #51 0x5731f8 in Parse_Rules_Loop ../src/core/u-parse.c:927
    #52 0x56c799 in Parse_Series ../src/core/u-parse.c:96
    #53 0x576950 in N_parse ../src/core/u-parse.c:1269
    #54 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #55 0x41395b in Do_Next ../src/core/c-do.c:886
    #56 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #57 0x4883d6 in N_if ../src/core/n-control.c:632
    #58 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #59 0x41395b in Do_Next ../src/core/c-do.c:886
    #60 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #61 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #62 0x41395b in Do_Next ../src/core/c-do.c:886
    #63 0x415658 in Try_Block ../src/core/c-do.c:1083
    #64 0x4862f8 in N_attempt ../src/core/n-control.c:306
    #65 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #66 0x41395b in Do_Next ../src/core/c-do.c:886
    #67 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #68 0x487b91 in N_do ../src/core/n-control.c:524
    #69 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #70 0x41395b in Do_Next ../src/core/c-do.c:886
    #71 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #72 0x487fcb in N_either ../src/core/n-control.c:598
    #73 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #74 0x41395b in Do_Next ../src/core/c-do.c:886
    #75 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #76 0x487fcb in N_either ../src/core/n-control.c:598
    #77 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #78 0x41395b in Do_Next ../src/core/c-do.c:886
    #79 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #80 0x487fcb in N_either ../src/core/n-control.c:598
    #81 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #82 0x41395b in Do_Next ../src/core/c-do.c:886
    #83 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #84 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #85 0x4198c2 in Apply_Function ../src/core/c-do.c:1524
    #86 0x419fa8 in Do_Sys_Func ../src/core/c-do.c:1584
    #87 0x41e406 in Init_Mezz ../src/core/c-do.c:2313
    #88 0x405fd3 in RL_Start ../src/core/a-lib.c:167
    #89 0x59d1f7 in main ../src/os/host-main.c:231
    #90 0x7ffff571403f in __libc_start_main (/usr/lib/libc.so.6+0x2003f)
    #91 0x405858 (/home/zsx/work/r3.git/make/r3-view-linux+0x405858)

0x61d0000f5897 is located 7 bytes to the right of 2064-byte region [0x61d0000f5080,0x61d0000f5890)
allocated by thread T0 here:
    #0 0x7ffff6f56b77 in __interceptor_malloc (/usr/lib/libasan.so.1+0x57b77)
    #1 0x47c300 in Make_Mem ../src/core/m-pools.c:125
    #2 0x47ca2f in Fill_Pool ../src/core/m-pools.c:233
    #3 0x47d80c in Make_Series ../src/core/m-pools.c:388
    #4 0x4826f3 in Copy_Series ../src/core/m-series.c:261
    #5 0x43ca14 in Copy_Deep_Values ../src/core/f-blocks.c:131
    #6 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #7 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #8 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #9 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #10 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #11 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #12 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #13 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #14 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #15 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #16 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #17 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159
    #18 0x43cd9f in Clone_Block ../src/core/f-blocks.c:174
    #19 0x42db12 in Clone_Function ../src/core/c-function.c:266
    #20 0x43cc00 in Copy_Deep_Values ../src/core/f-blocks.c:139
    #21 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159
    #22 0x4fd371 in T_Object ../src/core/t-object.c:364
    #23 0x42e26f in Do_Act ../src/core/c-function.c:338
    #24 0x42e9d8 in Do_Action ../src/core/c-function.c:396
    #25 0x41395b in Do_Next ../src/core/c-do.c:886
    #26 0x4133cc in Do_Next ../src/core/c-do.c:860
    #27 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #28 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131
    #29 0x49693a in N_for ../src/core/n-loop.c:486

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/m-series.c:138 Expand_Series
Shadow bytes around the buggy address:
  0x0c3a80016ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a80016b10: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==8157==ABORTING

This is happening because "GOB_TAIL(gob) = count" sets the tail of a series whose length is "count" to "count", and Expand_Series expects a terminator in the series (m-series.c:90: size = (series->tail + 1) * wide;).
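The two commit messages above describe the same invariant from two sides: Expand_Series sizes its copy as (series->tail + 1) * wide, so a tail equal to the number of allocated elements puts the expected terminator one element past the end of the buffer, which AddressSanitizer reports as a heap-buffer-overflow read in the right redzone. The following C is an added illustration, not Rebol's code: series_t, series_set_tail, series_terminator_in_bounds and series_expand are hypothetical names, and the sizes are constructed. It models the unchecked "tail = count" assignment producing the inconsistent state, a growth routine that refuses such a series instead of over-reading, and a checked setter that rejects the bad tail up front.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a series (added example, not Rebol's code):
 * `tail` counts the elements in use, `capacity` is the number of element slots
 * allocated, and the slot at index `tail` must always exist so a terminator
 * can be written there. */
typedef struct {
    unsigned char *data;
    size_t tail;       /* elements in use */
    size_t capacity;   /* element slots allocated */
    size_t wide;       /* bytes per element */
} series_t;

series_t *series_make(size_t capacity, size_t wide) {
    series_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->data = calloc(capacity, wide);
    if (!s->data) { free(s); return NULL; }
    s->capacity = capacity;
    s->wide = wide;
    return s;
}

void series_free(series_t *s) {
    if (s) { free(s->data); free(s); }
}

/* The invariant the commit text relies on: (tail + 1) * wide bytes must lie
 * inside the allocation, i.e. tail < capacity. Returns 1 if it holds. */
int series_terminator_in_bounds(const series_t *s) {
    return s->tail < s->capacity;
}

/* Checked setter: refuses a tail that leaves no slot for the terminator.
 * Returns 0 on success, -1 if `count` would violate the invariant. */
int series_set_tail(series_t *s, size_t count) {
    if (count >= s->capacity) return -1;
    s->tail = count;
    return 0;
}

/* Growth routine modelled on the description of Expand_Series: it copies
 * (tail + 1) * wide bytes, so it verifies the invariant before touching memory.
 * Returns 0 on success, -1 if the series is inconsistent or allocation fails. */
int series_expand(series_t *s, size_t extra_slots) {
    if (!series_terminator_in_bounds(s)) return -1;   /* would read past the end */
    size_t new_capacity = s->capacity + extra_slots;
    unsigned char *nd = calloc(new_capacity, s->wide);
    if (!nd) return -1;
    memcpy(nd, s->data, (s->tail + 1) * s->wide);     /* safe: tail + 1 <= capacity */
    free(s->data);
    s->data = nd;
    s->capacity = new_capacity;
    return 0;
}

/* Reproduces the state the commit describes without reading out of bounds:
 * a series of `count` slots whose tail is set directly to `count`.
 * Returns the result of the guarded expand (-1: refused). */
int demo_unchecked_tail(void) {
    series_t *s = series_make(4, 1);
    if (!s) return -1;
    s->tail = 4;                       /* like GOB_TAIL(gob) = count, no check */
    int rc = series_expand(s, 8);      /* refused: terminator slot 4 does not exist */
    series_free(s);
    return rc;
}

/* Same fill level, but one spare slot reserved for the terminator and the
 * checked setter used. Returns 0 when expand succeeds and grows to 13 slots. */
int demo_checked_tail(void) {
    series_t *s = series_make(5, 1);
    if (!s) return -1;
    if (series_set_tail(s, 4) != 0) { series_free(s); return -1; }
    int rc = series_expand(s, 8);
    size_t cap = s->capacity;
    series_free(s);
    return (rc == 0 && cap == 13) ? 0 : -1;
}

int main(void) {
    printf("unchecked tail: expand %s\n", demo_unchecked_tail() == 0 ? "ok" : "refused");
    printf("checked tail:   expand %s\n", demo_checked_tail() == 0 ? "ok" : "failed");
    return 0;
}
```

Running this under `-fsanitize=address` stays clean precisely because series_expand checks the invariant first; dropping that check and running demo_unchecked_tail reproduces the "1 bytes to the right of" read pattern shown in the reports above.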
zsx added a commit that referenced this issue on Oct 15, 2014
Reported by AddressSanitizer of GCC:

Direct leak of 970518528 byte(s) in 947772 object(s) allocated from:
    #0 0x7f505036363f in operator new[](unsigned long) (/usr/lib/libasan.so.1+0x5863f)
    #1 0x65676f in agg::agg_graphics::agg_gradient_pen(int, double, double, double, double, double, double, double, unsigned char*, double*, int) ../src/agg/agg_graphics.cpp:1306
    #2 0x5fe247 in rebdrw_gradient_pen ../src/os/host-draw-api-agg.cpp:184
    #3 0x5f8834 in RXD_Draw ../src/os/host-draw.c:294
    #4 0x45cd8e in Do_Commands ../src/core/f-extension.c:579
    #5 0x40680d in RL_Do_Commands ../src/core/a-lib.c:376
    #6 0x603d21 in rebdrw_gob_draw ../src/os/host-draw-api-agg.cpp:567
    #7 0x60c732 in process_gobs ../src/os/linux/host-compositor.c:520
    #8 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
    #9 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
    #10 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
    #11 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
    #12 0x60f753 in rebcmp_compose ../src/os/linux/host-compositor.c:685
    #13 0x5e8299 in Draw_Window ../src/os/host-view.c:225
    #14 0x5e8682 in Show_Gob ../src/os/host-view.c:288
    #15 0x5e8b58 in RXD_Graphics ../src/os/host-view.c:346
    #16 0x45bf75 in Do_Command ../src/core/f-extension.c:456
    #17 0x41395b in Do_Next ../src/core/c-do.c:886
    #18 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #19 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #20 0x41395b in Do_Next ../src/core/c-do.c:886
    #21 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #22 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #23 0x41395b in Do_Next ../src/core/c-do.c:886
    #24 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #25 0x4883d6 in N_if ../src/core/n-control.c:632
    #26 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #27 0x41395b in Do_Next ../src/core/c-do.c:886
    #28 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #29 0x496d2f in N_forever ../src/core/n-loop.c:532
zsx
added a commit
that referenced
this issue
Oct 15, 2014
Found by AddressSanitizer: ==8157==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000f5897 at pc 0x4816ef bp 0x7fffffffafb0 sp 0x7fffffffafa0 READ of size 1 at 0x61d0000f5897 thread T0 #0 0x4816ee in Expand_Series ../src/core/m-series.c:138 #1 0x4e258c in Insert_Gobs ../src/core/t-gob.c:219 #2 0x4e7782 in T_Gob ../src/core/t-gob.c:833 #3 0x42e26f in Do_Act ../src/core/c-function.c:338 #4 0x42e9d8 in Do_Action ../src/core/c-function.c:396 #5 0x41395b in Do_Next ../src/core/c-do.c:886 #6 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #7 0x4883d6 in N_if ../src/core/n-control.c:632 #8 0x42dd9c in Do_Native ../src/core/c-function.c:289 #9 0x41395b in Do_Next ../src/core/c-do.c:886 #10 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #11 0x4893c0 in N_unless ../src/core/n-control.c:792 #12 0x42dd9c in Do_Native ../src/core/c-function.c:289 #13 0x41395b in Do_Next ../src/core/c-do.c:886 #14 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #15 0x488c03 in N_switch ../src/core/n-control.c:736 #16 0x42dd9c in Do_Native ../src/core/c-function.c:289 #17 0x41395b in Do_Next ../src/core/c-do.c:886 #18 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #19 0x4883d6 in N_if ../src/core/n-control.c:632 #20 0x42dd9c in Do_Native ../src/core/c-function.c:289 #21 0x41395b in Do_Next ../src/core/c-do.c:886 #22 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #23 0x42ea5c in Do_Function ../src/core/c-function.c:415 #24 0x41395b in Do_Next ../src/core/c-do.c:886 #25 0x415658 in Try_Block ../src/core/c-do.c:1083 #26 0x4862f8 in N_attempt ../src/core/n-control.c:306 #27 0x42dd9c in Do_Native ../src/core/c-function.c:289 #28 0x41395b in Do_Next ../src/core/c-do.c:886 #29 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #30 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131 #31 0x49693a in N_for ../src/core/n-loop.c:486 #32 0x42dd9c in Do_Native ../src/core/c-function.c:289 #33 0x41395b in Do_Next ../src/core/c-do.c:886 #34 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #35 0x4883d6 in N_if 
../src/core/n-control.c:632 #36 0x42dd9c in Do_Native ../src/core/c-function.c:289 #37 0x41395b in Do_Next ../src/core/c-do.c:886 #38 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #39 0x42ea5c in Do_Function ../src/core/c-function.c:415 #40 0x41395b in Do_Next ../src/core/c-do.c:886 #41 0x415658 in Try_Block ../src/core/c-do.c:1083 #42 0x488f7d in N_try ../src/core/n-control.c:760 #43 0x42dd9c in Do_Native ../src/core/c-function.c:289 #44 0x41395b in Do_Next ../src/core/c-do.c:886 #45 0x4118a1 in Do_Args ../src/core/c-do.c:668 #46 0x413700 in Do_Next ../src/core/c-do.c:879 #47 0x4118a1 in Do_Args ../src/core/c-do.c:668 #48 0x413700 in Do_Next ../src/core/c-do.c:879 #49 0x414f2f in Do_Block_Value_Throw ../src/core/c-do.c:1048 #50 0x5725ac in Parse_Rules_Loop ../src/core/u-parse.c:830 #51 0x5731f8 in Parse_Rules_Loop ../src/core/u-parse.c:927 #52 0x56c799 in Parse_Series ../src/core/u-parse.c:96 rebol#53 0x576950 in N_parse ../src/core/u-parse.c:1269 rebol#54 0x42dd9c in Do_Native ../src/core/c-function.c:289 rebol#55 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#56 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#57 0x4883d6 in N_if ../src/core/n-control.c:632 rebol#58 0x42dd9c in Do_Native ../src/core/c-function.c:289 rebol#59 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#60 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#61 0x42ea5c in Do_Function ../src/core/c-function.c:415 rebol#62 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#63 0x415658 in Try_Block ../src/core/c-do.c:1083 rebol#64 0x4862f8 in N_attempt ../src/core/n-control.c:306 rebol#65 0x42dd9c in Do_Native ../src/core/c-function.c:289 rebol#66 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#67 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#68 0x487b91 in N_do ../src/core/n-control.c:524 rebol#69 0x42dd9c in Do_Native ../src/core/c-function.c:289 rebol#70 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#71 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#72 0x487fcb in N_either 
../src/core/n-control.c:598 rebol#73 0x42dd9c in Do_Native ../src/core/c-function.c:289 rebol#74 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#75 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#76 0x487fcb in N_either ../src/core/n-control.c:598 rebol#77 0x42dd9c in Do_Native ../src/core/c-function.c:289 rebol#78 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#79 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#80 0x487fcb in N_either ../src/core/n-control.c:598 rebol#81 0x42dd9c in Do_Native ../src/core/c-function.c:289 rebol#82 0x41395b in Do_Next ../src/core/c-do.c:886 rebol#83 0x414b73 in Do_Blk ../src/core/c-do.c:1016 rebol#84 0x42ea5c in Do_Function ../src/core/c-function.c:415 rebol#85 0x4198c2 in Apply_Function ../src/core/c-do.c:1524 rebol#86 0x419fa8 in Do_Sys_Func ../src/core/c-do.c:1584 rebol#87 0x41e406 in Init_Mezz ../src/core/c-do.c:2313 rebol#88 0x405fd3 in RL_Start ../src/core/a-lib.c:167 rebol#89 0x59d1f7 in main ../src/os/host-main.c:231 rebol#90 0x7ffff571403f in __libc_start_main (/usr/lib/libc.so.6+0x2003f) rebol#91 0x405858 (/home/zsx/work/r3.git/make/r3-view-linux+0x405858) 0x61d0000f5897 is located 7 bytes to the right of 2064-byte region [0x61d0000f5080,0x61d0000f5890) allocated by thread T0 here: #0 0x7ffff6f56b77 in __interceptor_malloc (/usr/lib/libasan.so.1+0x57b77) #1 0x47c300 in Make_Mem ../src/core/m-pools.c:125 #2 0x47ca2f in Fill_Pool ../src/core/m-pools.c:233 #3 0x47d80c in Make_Series ../src/core/m-pools.c:388 #4 0x4826f3 in Copy_Series ../src/core/m-series.c:261 #5 0x43ca14 in Copy_Deep_Values ../src/core/f-blocks.c:131 #6 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #7 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #8 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #9 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #10 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #11 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #12 0x43cb82 in Copy_Deep_Values 
../src/core/f-blocks.c:136 #13 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #14 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #15 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #16 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136 #17 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159 #18 0x43cd9f in Clone_Block ../src/core/f-blocks.c:174 #19 0x42db12 in Clone_Function ../src/core/c-function.c:266 #20 0x43cc00 in Copy_Deep_Values ../src/core/f-blocks.c:139 #21 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159 #22 0x4fd371 in T_Object ../src/core/t-object.c:364 #23 0x42e26f in Do_Act ../src/core/c-function.c:338 #24 0x42e9d8 in Do_Action ../src/core/c-function.c:396 #25 0x41395b in Do_Next ../src/core/c-do.c:886 #26 0x4133cc in Do_Next ../src/core/c-do.c:860 #27 0x414b73 in Do_Blk ../src/core/c-do.c:1016 #28 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131 #29 0x49693a in N_for ../src/core/n-loop.c:486 SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/m-series.c:138 Expand_Series Shadow bytes around the buggy address: 0x0c3a80016ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a80016ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a80016ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a80016af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a80016b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c3a80016b10: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a80016b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a80016b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a80016b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a80016b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a80016b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd 
Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==8157==ABORTING

This is happening because "GOB_TAIL(gob) = count" sets the tail of a series with length of "count" to be "count", and Expand_Series expects a terminator in the series (m-series.c:90: size = (series->tail + 1) * wide;).
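A constructed C model of the terminator invariant the commit message refers to, added here as an illustration; it is not r3's REBSER, Make_Series or Expand_Series code. The names series_t, series_make, series_set_tail, series_expand and tail_overruns, and the rule that exactly one slot past `tail` is reserved for the terminator, are assumptions of this example. It shows why a series whose allocation holds only `count` elements cannot have its tail forced to `count`: the `(tail + 1) * wide` copy then reads one element past the allocation, which is the read AddressSanitizer flagged.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a terminated series, not r3's REBSER: `tail` is the
   number of live elements, one extra slot past `tail` holds a terminator
   (the NUL for a string), and `rest` is the number of slots allocated. */
typedef struct {
    unsigned char *data;
    size_t tail;   /* elements in use */
    size_t rest;   /* slots allocated, terminator slot included */
    size_t wide;   /* bytes per element */
} series_t;

/* Allocates a series able to hold `count` elements plus the terminator. */
int series_make(series_t *s, size_t count, size_t wide) {
    s->rest = count + 1;
    s->wide = wide;
    s->tail = 0;
    s->data = calloc(s->rest, wide);
    return s->data != NULL;
}

void series_free(series_t *s) { free(s->data); s->data = NULL; }

/* Bytes an Expand_Series-style copy touches: the live elements plus the
   terminator, mirroring the quoted `size = (series->tail + 1) * wide`. */
size_t expand_copy_bytes(const series_t *s) { return (s->tail + 1) * s->wide; }

/* Setting the tail directly (GOB_TAIL(gob) = count in the commit message)
   is only safe while a terminator slot remains, i.e. tail + 1 <= rest.
   Returns 1 when the tail was set, 0 when the request was refused. */
int series_set_tail(series_t *s, size_t tail) {
    if (tail + 1 > s->rest) return 0;
    s->tail = tail;
    return 1;
}

/* Whether the copy would read past an allocation of `rest` slots once the
   tail has been forced to `tail`; the bug is the case rest == tail. */
int tail_overruns(size_t tail, size_t rest, size_t wide) {
    return (tail + 1) * wide > rest * wide;
}

/* Grows the series to hold at least `extra` more elements, copying live
   elements and the terminator like Expand_Series; returns 1 on success. */
int series_expand(series_t *s, size_t extra) {
    size_t need = s->tail + extra + 1;
    if (need <= s->rest) return 1;
    unsigned char *buf = calloc(need * 2, s->wide);
    if (!buf) return 0;
    memcpy(buf, s->data, expand_copy_bytes(s));   /* in bounds: rest >= tail + 1 */
    free(s->data);
    s->data = buf;
    s->rest = need * 2;
    return 1;
}

/* Scenario: a series built for 4 elements. Forcing tail to 4 is allowed
   (rest is 5), forcing it to 5 is refused, and a later expand copies only
   what was allocated. Returns the tail after these steps. */
size_t scenario(void) {
    series_t s;
    if (!series_make(&s, 4, sizeof(void *))) return 0;
    series_set_tail(&s, 4);
    series_set_tail(&s, 5);          /* refused: no terminator slot left */
    series_expand(&s, 10);
    size_t t = s.tail;
    series_free(&s);
    return t;
}

int main(void) {
    printf("tail 4 in 4 slots overruns: %d\n", tail_overruns(4, 4, 8));
    printf("tail 4 in 5 slots overruns: %d\n", tail_overruns(4, 5, 8));
    printf("scenario tail: %lu\n", (unsigned long)scenario());
    return 0;
}
```

The check in series_set_tail is the one a reviewer would ask for anywhere a series length is written directly instead of through the append path: either the allocation must carry the extra slot, or the write must be refused.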
zsx added a commit that referenced this issue on Oct 15, 2014
Reported by AddressSanitizer of GCC:

Direct leak of 970518528 byte(s) in 947772 object(s) allocated from:
#0 0x7f505036363f in operator new[](unsigned long) (/usr/lib/libasan.so.1+0x5863f)
#1 0x65676f in agg::agg_graphics::agg_gradient_pen(int, double, double, double, double, double, double, double, unsigned char*, double*, int) ../src/agg/agg_graphics.cpp:1306
#2 0x5fe247 in rebdrw_gradient_pen ../src/os/host-draw-api-agg.cpp:184
#3 0x5f8834 in RXD_Draw ../src/os/host-draw.c:294
#4 0x45cd8e in Do_Commands ../src/core/f-extension.c:579
#5 0x40680d in RL_Do_Commands ../src/core/a-lib.c:376
#6 0x603d21 in rebdrw_gob_draw ../src/os/host-draw-api-agg.cpp:567
#7 0x60c732 in process_gobs ../src/os/linux/host-compositor.c:520
#8 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
#9 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
#10 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
#11 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
#12 0x60f753 in rebcmp_compose ../src/os/linux/host-compositor.c:685
#13 0x5e8299 in Draw_Window ../src/os/host-view.c:225
#14 0x5e8682 in Show_Gob ../src/os/host-view.c:288
#15 0x5e8b58 in RXD_Graphics ../src/os/host-view.c:346
#16 0x45bf75 in Do_Command ../src/core/f-extension.c:456
#17 0x41395b in Do_Next ../src/core/c-do.c:886
#18 0x414b73 in Do_Blk ../src/core/c-do.c:1016
#19 0x42ea5c in Do_Function ../src/core/c-function.c:415
#20 0x41395b in Do_Next ../src/core/c-do.c:886
#21 0x414b73 in Do_Blk ../src/core/c-do.c:1016
#22 0x42ea5c in Do_Function ../src/core/c-function.c:415
#23 0x41395b in Do_Next ../src/core/c-do.c:886
#24 0x414b73 in Do_Blk ../src/core/c-do.c:1016
#25 0x4883d6 in N_if ../src/core/n-control.c:632
#26 0x42dd9c in Do_Native ../src/core/c-function.c:289
#27 0x41395b in Do_Next ../src/core/c-do.c:886
#28 0x414b73 in Do_Blk ../src/core/c-do.c:1016
#29 0x496d2f in N_forever ../src/core/n-loop.c:532
zsx added a commit that referenced this issue on May 14, 2015
Found by GCC Address Sanitizer: ================================================================= ==32465==ERROR: AddressSanitizer: alloc-dealloc-mismatch (malloc vs operator delete []) on 0x6030000add40 #0 0x7f012194676f in operator delete[](void*) (/usr/lib/libasan.so.1+0x5876f) #1 0x6c8785 in agg::agg_graphics::agg_reset() ../src/agg/agg_graphics.cpp:1562 #2 0x6bc20c in agg::agg_graphics::~agg_graphics() ../src/agg/agg_graphics.cpp:96 #3 0x66fb18 in rebdrw_gob_draw ../src/os/host-draw-api-agg.cpp:571 #4 0x678500 in process_gobs ../src/os/linux/host-compositor.c:520 #5 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 #6 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 #7 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 #8 0x67b63f in rebcmp_compose ../src/os/linux/host-compositor.c:685 #9 0x65158c in Draw_Window ../src/os/host-view.c:225 #10 0x651b21 in Show_Gob ../src/os/host-view.c:288 #11 0x6520ed in RXD_Graphics ../src/os/host-view.c:346 #12 0x471ccd in Do_Command ../src/core/f-extension.c:456 #13 0x419332 in Do_Next ../src/core/c-do.c:886 #14 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #15 0x43f6c8 in Do_Function ../src/core/c-function.c:415 #16 0x419332 in Do_Next ../src/core/c-do.c:886 #17 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #18 0x43f6c8 in Do_Function ../src/core/c-function.c:415 #19 0x419332 in Do_Next ../src/core/c-do.c:886 #20 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #21 0x4a6c9a in N_do ../src/core/n-control.c:524 #22 0x43e037 in Do_Native ../src/core/c-function.c:289 #23 0x419332 in Do_Next ../src/core/c-do.c:886 #24 0x41b643 in Try_Block ../src/core/c-do.c:1087 #25 0x4a872e in N_try ../src/core/n-control.c:760 #26 0x43e037 in Do_Native ../src/core/c-function.c:289 #27 0x419332 in Do_Next ../src/core/c-do.c:886 #28 0x4168bd in Do_Args ../src/core/c-do.c:668 #29 0x41a070 in Do_Next ../src/core/c-do.c:942 #30 0x4168bd in Do_Args ../src/core/c-do.c:668 #31 0x4190d4 in Do_Next ../src/core/c-do.c:879 #32 
0x4168bd in Do_Args ../src/core/c-do.c:668 #33 0x4190d4 in Do_Next ../src/core/c-do.c:879 #34 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #35 0x43f6c8 in Do_Function ../src/core/c-function.c:415 #36 0x419332 in Do_Next ../src/core/c-do.c:886 #37 0x4168bd in Do_Args ../src/core/c-do.c:668 #38 0x4190d4 in Do_Next ../src/core/c-do.c:879 #39 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #40 0x4a6c9a in N_do ../src/core/n-control.c:524 #41 0x43e037 in Do_Native ../src/core/c-function.c:289 #42 0x419332 in Do_Next ../src/core/c-do.c:886 #43 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #44 0x4a732e in N_either ../src/core/n-control.c:598 #45 0x43e037 in Do_Native ../src/core/c-function.c:289 #46 0x419332 in Do_Next ../src/core/c-do.c:886 #47 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #48 0x4a732e in N_either ../src/core/n-control.c:598 #49 0x43e037 in Do_Native ../src/core/c-function.c:289 #50 0x419332 in Do_Next ../src/core/c-do.c:886 #51 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #52 0x4a732e in N_either ../src/core/n-control.c:598 rebol#53 0x43e037 in Do_Native ../src/core/c-function.c:289 rebol#54 0x419332 in Do_Next ../src/core/c-do.c:886 rebol#55 0x41aaed in Do_Blk ../src/core/c-do.c:1017 rebol#56 0x43f6c8 in Do_Function ../src/core/c-function.c:415 rebol#57 0x42094d in Apply_Function ../src/core/c-do.c:1528 rebol#58 0x42116c in Do_Sys_Func ../src/core/c-do.c:1588 rebol#59 0x426d54 in Init_Mezz ../src/core/c-do.c:2320 rebol#60 0x4069c1 in RL_Start ../src/core/a-lib.c:193 rebol#61 0x5fea9d in main ../src/os/host-main.c:235 rebol#62 0x7f011fed27ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff) rebol#63 0x405dd8 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x405dd8) 0x6030000add40 is located 0 bytes inside of 24-byte region [0x6030000add40,0x6030000add58) allocated by thread T0 here: #0 0x7f01219457a7 in malloc (/usr/lib/libasan.so.1+0x577a7) #1 0x606495 in OS_Make ../src/os/linux/host-lib.c:380 #2 0x664b61 in RXD_Draw ../src/os/host-draw.c:438 #3 0x472f24 
in Do_Commands ../src/core/f-extension.c:585 #4 0x4073a0 in RL_Do_Commands ../src/core/a-lib.c:402 #5 0x66fadb in rebdrw_gob_draw ../src/os/host-draw-api-agg.cpp:568 #6 0x678500 in process_gobs ../src/os/linux/host-compositor.c:520 #7 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 #8 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 #9 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559 #10 0x67b63f in rebcmp_compose ../src/os/linux/host-compositor.c:685 #11 0x65158c in Draw_Window ../src/os/host-view.c:225 #12 0x651b21 in Show_Gob ../src/os/host-view.c:288 #13 0x6520ed in RXD_Graphics ../src/os/host-view.c:346 #14 0x471ccd in Do_Command ../src/core/f-extension.c:456 #15 0x419332 in Do_Next ../src/core/c-do.c:886 #16 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #17 0x43f6c8 in Do_Function ../src/core/c-function.c:415 #18 0x419332 in Do_Next ../src/core/c-do.c:886 #19 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #20 0x43f6c8 in Do_Function ../src/core/c-function.c:415 #21 0x419332 in Do_Next ../src/core/c-do.c:886 #22 0x41aaed in Do_Blk ../src/core/c-do.c:1017 #23 0x4a6c9a in N_do ../src/core/n-control.c:524 #24 0x43e037 in Do_Native ../src/core/c-function.c:289 #25 0x419332 in Do_Next ../src/core/c-do.c:886 #26 0x41b643 in Try_Block ../src/core/c-do.c:1087 #27 0x4a872e in N_try ../src/core/n-control.c:760 #28 0x43e037 in Do_Native ../src/core/c-function.c:289 #29 0x419332 in Do_Next ../src/core/c-do.c:886 SUMMARY: AddressSanitizer: alloc-dealloc-mismatch ??:0 operator delete[](void*) ==32465==HINT: if you don't care about these warnings you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0 ==32465==ABORTING
zsx added a commit that referenced this issue on May 18, 2015
index is unsigned, and could be zero, so 'index--' will underflow and round to 0xffffffff, and cause a problem in a later call to Expand_Series.

I believe the idea of

if ((REBINT)index > i) index--;

is to move the index forward because the gobs being inserted were in PANE, and they can't be there twice (Detach_Gob will remove them from the current gob). So if they were not there, "index" shouldn't be changed.

This fixes a crash in the following script:

REBOL []
foo: make block! []
for i 0 15 1 [
    txt: #"a" + i
    append foo make gob! reduce/no-set [text: to string! txt]
]
g: make gob! []
append g foo
g/pane: next g/pane

With this stack trace:

zsx@touchsmart-arch:~/work/r3.git/make$ R3_ALWAYS_MALLOC=1 ./r3-view-linux test-insert-gob-crash.r
=================================================================
==24248==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000c8a8 at pc 0x522243 bp 0x7fff91ba7a60 sp 0x7fff91ba7a50
WRITE of size 8 at 0x60d00000c8a8 thread T0
#0 0x522242 in Insert_Gobs ../src/core/t-gob.c:230
#1 0x5242d6 in Set_GOB_Var ../src/core/t-gob.c:421
#2 0x5278ee in PD_Gob ../src/core/t-gob.c:713
#3 0x414cda in Next_Path ../src/core/c-do.c:399
#4 0x415c8c in Do_Path ../src/core/c-do.c:463
#5 0x41a018 in Do_Next ../src/core/c-do.c:928
#6 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
#7 0x4a6eca in N_do ../src/core/n-control.c:524
#8 0x43e267 in Do_Native ../src/core/c-function.c:289
#9 0x419562 in Do_Next ../src/core/c-do.c:886
#10 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
#11 0x4a755e in N_either ../src/core/n-control.c:598
#12 0x43e267 in Do_Native ../src/core/c-function.c:289
#13 0x419562 in Do_Next ../src/core/c-do.c:886
#14 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
#15 0x4a755e in N_either ../src/core/n-control.c:598
#16 0x43e267 in Do_Native ../src/core/c-function.c:289
#17 0x419562 in Do_Next ../src/core/c-do.c:886
#18 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
#19 0x4a755e in N_either ../src/core/n-control.c:598
#20 0x43e267 in Do_Native ../src/core/c-function.c:289
#21 0x419562 in Do_Next ../src/core/c-do.c:886
#22 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
#23 0x43f8f8 in Do_Function ../src/core/c-function.c:415
#24 0x420b7d in Apply_Function ../src/core/c-do.c:1528
#25 0x42139c in Do_Sys_Func ../src/core/c-do.c:1588
#26 0x426f84 in Init_Mezz ../src/core/c-do.c:2320
#27 0x406bf1 in RL_Start ../src/core/a-lib.c:193
#28 0x5fecee in main ../src/os/host-main.c:235
#29 0x7facd0bf67ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
#30 0x406008 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x406008)

0x60d00000c8a8 is located 0 bytes to the right of 136-byte region [0x60d00000c820,0x60d00000c8a8)
allocated by thread T0 here:
#0 0x7facd26567a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
#1 0x4999a7 in Make_Mem ../src/core/m-pools.c:125
#2 0x49b188 in Make_Series ../src/core/m-pools.c:413
#3 0x521929 in Insert_Gobs ../src/core/t-gob.c:208
#4 0x529717 in T_Gob ../src/core/t-gob.c:835
#5 0x43eb86 in Do_Act ../src/core/c-function.c:338
#6 0x43f82a in Do_Action ../src/core/c-function.c:396
#7 0x419562 in Do_Next ../src/core/c-do.c:886
#8 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
#9 0x4a6eca in N_do ../src/core/n-control.c:524
#10 0x43e267 in Do_Native ../src/core/c-function.c:289
#11 0x419562 in Do_Next ../src/core/c-do.c:886
#12 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
#13 0x4a755e in N_either ../src/core/n-control.c:598
#14 0x43e267 in Do_Native ../src/core/c-function.c:289
#15 0x419562 in Do_Next ../src/core/c-do.c:886
#16 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
#17 0x4a755e in N_either ../src/core/n-control.c:598
#18 0x43e267 in Do_Native ../src/core/c-function.c:289
#19 0x419562 in Do_Next ../src/core/c-do.c:886
#20 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
#21 0x4a755e in N_either ../src/core/n-control.c:598
#22 0x43e267 in Do_Native ../src/core/c-function.c:289
#23 0x419562 in Do_Next ../src/core/c-do.c:886
#24 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
#25 0x43f8f8 in Do_Function ../src/core/c-function.c:415
#26 0x420b7d in Apply_Function ../src/core/c-do.c:1528
#27 0x42139c in Do_Sys_Func ../src/core/c-do.c:1588
#28 0x426f84 in Init_Mezz ../src/core/c-do.c:2320
#29 0x406bf1 in RL_Start ../src/core/a-lib.c:193

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/t-gob.c:230 Insert_Gobs
Shadow bytes around the buggy address:
0x0c1a7fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff9900: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a7fff9910: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa 00 00
0x0c1a7fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c1a7fff9930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1a7fff9940: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c1a7fff9950: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fff9960: 00 00 00 00 fa fa fa fa fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==24248==ABORTING
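The unsigned-underflow case the commit message describes, as an added C illustration; it is not r3's Insert_Gobs or Detach_Gob. The names pane_t, pane_find, adjust_index_buggy, adjust_index_fixed, index_in_range and insert_child, and the convention that -1 means "not in the pane", are assumptions of this example. The buggy adjustment keeps the shape of the quoted condition, so with index 0 and a gob that was never in the pane the decrement wraps to 0xffffffff; the fixed form shifts the insertion point only when the detached gob really sat in front of it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration, not r3's Insert_Gobs: a "pane" is a small array
   of child ids, and a child is inserted at position `index`. A child that is
   already in the pane is detached first; only if its old slot was in front
   of `index` does the insertion point shift left by one. */

#define PANE_MAX 16

typedef struct {
    int items[PANE_MAX];
    size_t count;
} pane_t;

/* Slot of `id` in the pane, or -1 when it is not present (assumed convention). */
static int pane_find(const pane_t *p, int id) {
    for (size_t k = 0; k < p->count; k++)
        if (p->items[k] == id) return (int)k;
    return -1;
}

/* Adjustment in the shape of the original condition. `index` is unsigned and
   `i` is -1 for "not in the pane", so with index == 0 the test 0 > -1 holds
   and the decrement wraps to 0xffffffff, an index no buffer can satisfy. */
uint32_t adjust_index_buggy(uint32_t index, int i) {
    if ((int32_t)index > i) index--;
    return index;
}

/* Fixed adjustment: shift only when the child really was in the pane
   (i >= 0) and sat in front of the insertion point, so no wrap is possible. */
uint32_t adjust_index_fixed(uint32_t index, int i) {
    if (i >= 0 && (uint32_t)i < index) index--;
    return index;
}

/* Bounds check the series-expanding code downstream relies on: an insertion
   point may equal the current count (append) but never exceed it. */
int index_in_range(uint32_t index, size_t count) {
    return index <= count;
}

/* Detach-then-insert with the fixed rule; returns the slot used, or
   UINT32_MAX if the request was rejected. */
uint32_t insert_child(pane_t *p, int id, uint32_t index) {
    int pos = pane_find(p, id);
    if (pos >= 0) {                                   /* detach old slot */
        for (size_t k = (size_t)pos; k + 1 < p->count; k++)
            p->items[k] = p->items[k + 1];
        p->count--;
    }
    index = adjust_index_fixed(index, pos);
    if (!index_in_range(index, p->count) || p->count == PANE_MAX)
        return UINT32_MAX;
    for (size_t k = p->count; k > index; k--)          /* open a gap */
        p->items[k] = p->items[k - 1];
    p->items[index] = id;
    p->count++;
    return index;
}

/* The script above in miniature: children already in the pane re-inserted
   at its head and at its tail. Returns 1 when the pane ends as {30, 20, 10}. */
int reinsert_scenario(void) {
    pane_t p = { {10, 20, 30}, 3 };
    if (insert_child(&p, 30, 0) != 0) return 0;       /* {30, 10, 20} */
    if (insert_child(&p, 10, 3) != 2) return 0;       /* {30, 20, 10} */
    return p.count == 3 && p.items[0] == 30 && p.items[1] == 20 && p.items[2] == 10;
}

int main(void) {
    printf("buggy adjust(0, -1) = %lu\n", (unsigned long)adjust_index_buggy(0, -1));
    printf("fixed adjust(0, -1) = %lu\n", (unsigned long)adjust_index_fixed(0, -1));
    printf("scenario ok = %d\n", reinsert_scenario());
    return 0;
}
```

Comparing an unsigned index against a signed "not found" sentinel through a cast is the pattern to look for in review: the cast makes the comparison compile, but the decrement that follows has no floor.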
zsx added a commit that referenced this issue on May 19, 2015
reported by address sanitizer with manual poisoning:

=================================================================
==11513==ERROR: AddressSanitizer: use-after-poison on address 0x7efe281542c0 at pc 0x00000071038f bp 0x7ffdc9de9330 sp 0x7ffdc9de9328
READ of size 4 at 0x7efe281542c0 thread T0
#0 0x71038e in Mark_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:501:6
#1 0x70ea8b in Recycle /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:744:4
#2 0x7bbde6 in N_recycle /home/zsx/stuffs/work/r3.git/make/../src/core/n-system.c:99:10
#3 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
#4 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#5 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#6 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
#7 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#8 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11
#9 0xb0b6d9 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4
#10 0xb0e7f7 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9
#11 0xb07b10 in Parse_Series /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:96:9
#12 0xb06b65 in N_parse /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:1269:7
#13 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
#14 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#15 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#16 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
#17 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#18 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#19 0x745e54 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10
#20 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
#21 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#22 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
#23 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
#24 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#25 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
#26 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#27 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
#28 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#29 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
#30 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#31 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#32 0x749b0b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8
#33 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
#34 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#35 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#36 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
#37 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
#38 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#39 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#40 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
#41 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
#42 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#43 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#44 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
#45 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
#46 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#47 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#48 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
#49 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33
#50 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10
#51 0x582548 in Init_Mezz /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:2320:9
#52 0x52e62f in RL_Start /home/zsx/stuffs/work/r3.git/make/../src/core/a-lib.c:193:9
#53 0xbb6c93 in main /home/zsx/stuffs/work/r3.git/make/../src/os/host-main.c:235:6
#54 0x7efe2bfcb7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
#55 0x486498 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x486498)

0x7efe281542c0 is located 96960 bytes inside of 131088-byte region [0x7efe2813c800,0x7efe2815c810)
allocated by thread T0 here:
#0 0x50d462 in __interceptor_malloc (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x50d462)
#1 0x721a85 in Make_Mem /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:127:14
#2 0x723acd in Fill_Pool /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:235:19
#3 0x7233af in Make_Node /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:280:20
#4 0x725f8a in Make_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:391:21
#5 0x738823 in Copy_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-series.c:261:19
#6 0x5f93a6 in Copy_Deep_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:131:22
#7 0x5f98cf in Copy_Deep_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:136:6
#8 0x5fa3ed in Copy_Block_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:159:18
#9 0x89efc2 in T_Block /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:796:23
#10 0x5c458f in Do_Act /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:338:8
#11 0x5c5927 in Do_Action /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:396:2
#12 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#13 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
#14 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
#15 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#16 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
#17 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#18 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
#19 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#20 0x749b0b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8
#21 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
#22 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
#23 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
#24 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
#25 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33
#26 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10
#27 0x5a37d0 in Make_Module /home/zsx/stuffs/work/r3.git/make/../src/core/c-frame.c:585:10
#28 0x9510d5 in T_Object /home/zsx/stuffs/work/r3.git/make/../src/core/t-object.c:308:16
#29 0x8ac4eb in T_Datatype /home/zsx/stuffs/work/r3.git/make/../src/core/t-datatype.c:92:20

SUMMARY: AddressSanitizer: use-after-poison /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:501 Mark_Series
Shadow bytes around the buggy address:
0x0fe045022800: f7 f7 00 00 00 00 00 00 00 00 f7 f7 f7 f7 00 00
0x0fe045022810: 00 00 00 00 00 00 f7 f7 f7 f7 00 00 00 00 00 00
0x0fe045022820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe045022830: 00 00 f7 f7 f7 f7 00 00 00 00 00 00 00 00 f7 f7
0x0fe045022840: f7 f7 00 00 00 00 00 00 00 00 f7 f7 f7 f7 00 00
=>0x0fe045022850: 00 00 00 00 00 00 f7 f7[f7]f7 00 00 00 00 00 00
0x0fe045022860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe045022870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe045022880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe045022890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0450228a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==11513==ABORTING
zsx added a commit that referenced this issue on May 21, 2015
The length of the VAL_SERIES(value) has been set correctly by Append_UTF8, and it could be smaller than "len", because UTF8 is a multi-byte encoding, thus passing "len" to Deline_Uni could cause out-of-bound memory access.

Fixes CC#2169

The following code

REBOL[]
t: <ēee>

causes:

==13053==ERROR: AddressSanitizer: use-after-poison on address 0x61d00001a5f8 at pc 0x000000853d50 bp 0x7ffd2a31a1b0 sp 0x7ffd2a31a1a8
WRITE of size 2 at 0x61d00001a5f8 thread T0
    #0 0x853d4f in Deline_Uni /home/zsx/stuffs/work/r3.git/make/../src/core/s-ops.c:426:2
    #1 0x7064d4 in Scan_Any /home/zsx/stuffs/work/r3.git/make/../src/core/l-types.c:846:7
    #2 0x6dca3c in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1421:4
    #3 0x6d9f92 in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1301:12
    #4 0x6df0e6 in Scan_Code /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1550:9
    #5 0x6df462 in Scan_Source /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1570:9
    #6 0x896105 in Make_Block_Type /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:306:9
    #7 0x89af62 in T_Block /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:624:3
    #8 0x8ac80b in T_Datatype /home/zsx/stuffs/work/r3.git/make/../src/core/t-datatype.c:92:20
    #9 0x5c458f in Do_Act /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:338:8
    #10 0x5c5927 in Do_Action /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:396:2
    #11 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #12 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
    #13 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #14 0x746174 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10
    #15 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #16 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #17 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #18 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #19 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #20 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
    #21 0x568295 in Try_Block /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1087:11
    #22 0x7506ac in N_try /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:760:6
    #23 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #24 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #25 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #26 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #27 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #28 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #29 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #30 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #31 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #32 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11
    #33 0xb0b9f9 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4
    #34 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9
    #35 0xb07e30 in Parse_Series /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:96:9
    #36 0xb06e85 in N_parse /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:1269:7
    #37 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #38 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #39 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #40 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #41 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #42 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #43 0x746174 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10
    #44 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #45 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #46 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #47 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #48 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #49 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #50 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #51 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
    #52 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #53 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #54 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #55 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #56 0x749e2b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8
    #57 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #58 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #59 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #60 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
    #61 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #62 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #63 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #64 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
    #65 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #66 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #67 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #68 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
    #69 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #70 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #71 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #72 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #73 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33
    #74 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10
    #75 0x582548 in Init_Mezz /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:2320:9
    #76 0x52e62f in RL_Start /home/zsx/stuffs/work/r3.git/make/../src/core/a-lib.c:193:9
    #77 0xbb6fb3 in main /home/zsx/stuffs/work/r3.git/make/../src/os/host-main.c:235:6
    #78 0x7fd1c04ef7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #79 0x486498 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x486498)

0x61d00001a5f8 is located 376 bytes inside of 2064-byte region [0x61d00001a480,0x61d00001ac90)
allocated by thread T0 here:
    #0 0x50d462 in __interceptor_malloc (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x50d462)
    #1 0x721a85 in Make_Mem /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:132:14
    #2 0x723bed in Fill_Pool /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:240:19
    #3 0x7233c2 in Make_Node /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:295:20
    #4 0x7267f3 in Make_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:419:10
    #5 0x818d71 in Copy_String /home/zsx/stuffs/work/r3.git/make/../src/core/s-make.c:337:8
    #6 0x6dc386 in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1388:22
    #7 0x6df0e6 in Scan_Code /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1550:9
    #8 0x6e1f81 in N_transcode /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1630:8
    #9 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #10 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #11 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #12 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #13 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #14 0x56110f in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:942:13
    #15 0x568295 in Try_Block /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1087:11
    #16 0x7506ac in N_try /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:760:6
    #17 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #18 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #19 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #20 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #21 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #22 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #23 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
    #24 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11
    #25 0xb0b9f9 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4
    #26 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9
    #27 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9
    #28 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9
    #29 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9

SUMMARY: AddressSanitizer: use-after-poison /home/zsx/stuffs/work/r3.git/make/../src/core/s-ops.c:426 Deline_Uni
Shadow bytes around the buggy address:
  0x0c3a7fffb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb490: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fffb4a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c3a7fffb4b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 f7 00 00[f7]
  0x0c3a7fffb4c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fffb4d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fffb4e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fffb4f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fffb500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13053==ABORTING
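The bug class this commit describes, a UTF-8 byte count handed to a routine that walks 16-bit code units, as an added C example. This is not r3's code: `utf8_to_utf16`, `deline_units`, `decode_and_deline` and `overshoot_if_byte_len_used` are hypothetical stand-ins for the Append_UTF8 and Deline_Uni roles, and the sample inputs (including the commit's `<ēee>` tag) are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode UTF-8 into UTF-16 code units (BMP only, 1- to 3-byte sequences,
 * which is enough to show the byte-count vs unit-count mismatch).
 * Returns the number of units written, or (size_t)-1 on malformed input
 * or when more than `cap` units would be needed. Hypothetical helper. */
size_t utf8_to_utf16(const uint8_t *src, size_t nbytes, uint16_t *dst, size_t cap)
{
    size_t i = 0, n = 0;
    while (i < nbytes) {
        uint8_t b = src[i];
        uint32_t cp = 0;
        size_t need = 0;
        if (b < 0x80)                { cp = b;        need = 1; }
        else if ((b & 0xE0) == 0xC0) { cp = b & 0x1F; need = 2; }
        else if ((b & 0xF0) == 0xE0) { cp = b & 0x0F; need = 3; }
        else return (size_t)-1;          /* stray continuation or 4-byte form: rejected */
        if (i + need > nbytes) return (size_t)-1;   /* truncated sequence */
        for (size_t k = 1; k < need; k++) {
            if ((src[i + k] & 0xC0) != 0x80) return (size_t)-1;
            cp = (cp << 6) | (src[i + k] & 0x3F);
        }
        /* Reject overlong encodings and UTF-16 surrogate code points. */
        if ((need == 2 && cp < 0x80) || (need == 3 && cp < 0x800) ||
            (cp >= 0xD800 && cp <= 0xDFFF))
            return (size_t)-1;
        if (n >= cap) return (size_t)-1;
        dst[n++] = (uint16_t)cp;
        i += need;
    }
    return n;
}

/* In-place CRLF -> LF over exactly `len` 16-bit units; returns the new length.
 * Like Deline_Uni in the commit, it trusts the caller's bound completely. */
size_t deline_units(uint16_t *s, size_t len)
{
    size_t r = 0, w = 0;
    while (r < len) {
        if (s[r] == '\r' && r + 1 < len && s[r + 1] == '\n')
            r++;                         /* drop the CR, keep the LF */
        s[w++] = s[r++];
    }
    return w;
}

/* The fixed pattern: the bound passed to the deline step is the count the
 * decoder returned, never strlen() of the UTF-8 source. Returns the unit
 * count after deline, or (size_t)-1 if decoding failed. */
size_t decode_and_deline(const char *utf8, uint16_t *out, size_t cap)
{
    size_t units = utf8_to_utf16((const uint8_t *)utf8, strlen(utf8), out, cap);
    if (units == (size_t)-1)
        return (size_t)-1;
    return deline_units(out, units);
}

/* How many units past the decoded data the pre-fix call (bound = byte length)
 * would have touched for this input. 0 for pure ASCII, where bytes and units
 * coincide; positive as soon as one multi-byte character is present. */
size_t overshoot_if_byte_len_used(const char *utf8)
{
    uint16_t tmp[256];
    size_t units = utf8_to_utf16((const uint8_t *)utf8, strlen(utf8), tmp, 256);
    if (units == (size_t)-1)
        return 0;
    return strlen(utf8) - units;
}

int main(void)
{
    /* Constructed input: the commit's reproducer `t: <ēee>` as UTF-8 bytes
     * (ē = U+0113 = C4 93). "\x93" is split from "ee" so the hex escape does
     * not swallow the following hex-digit letters. */
    const char *tag = "<\xC4\x93" "ee>";
    uint16_t buf[32];
    size_t units = decode_and_deline(tag, buf, 32);
    printf("bytes=%zu units=%zu overshoot=%zu\n",
           strlen(tag), units, overshoot_if_byte_len_used(tag));
    /* prints: bytes=6 units=5 overshoot=1 */
    return 0;
}
```

`decode_and_deline` is the shape the fix has to take: whatever the decoder reports as the filled length is the only bound the next pass may use. `overshoot_if_byte_len_used` makes the failure mode measurable without performing the out-of-bounds write; it is exactly the one-unit overrun ASan reports for `<ēee>`, and it grows with every additional multi-byte character in the token.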
zsx added a commit that referenced this issue on Jul 17, 2015
It will confuse Expand_Series, which expects "tail" to be the actual size, and cause a read beyond the allocated memory, or heap buffer overflow found by address sanitizer of GCC:

=================================================================
==10856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b201 at pc 0x47df61 bp 0x7fffffff2ca0 sp 0x7fffffff2c98
READ of size 1 at 0x62a00000b201 thread T0
    #0 0x47df60 in Expand_Series ../src/core/m-series.c:145
    #1 0x47e5a7 in Extend_Series ../src/core/m-series.c:187
    #2 0x466e0c in Scan_Quote ../src/core/l-scan.c:462
    #3 0x46a797 in Scan_Token ../src/core/l-scan.c:918
    #4 0x46e263 in Scan_Block ../src/core/l-scan.c:1188
    #5 0x46e722 in Scan_Code ../src/core/l-scan.c:1548
    #6 0x46e886 in Scan_Source ../src/core/l-scan.c:1568
    #7 0x4cb85c in Make_Block_Type ../src/core/t-block.c:306
    #8 0x4cd1b8 in T_Block ../src/core/t-block.c:608
    #9 0x4d042e in T_Datatype ../src/core/t-datatype.c:92
    #10 0x42e080 in Do_Act ../src/core/c-function.c:338
    #11 0x42e7e5 in Do_Action ../src/core/c-function.c:396
    #12 0x413628 in Do_Next ../src/core/c-do.c:884
    #13 0x41309b in Do_Next ../src/core/c-do.c:858
    #14 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #15 0x482dd2 in N_case ../src/core/n-control.c:349
    #16 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #17 0x413628 in Do_Next ../src/core/c-do.c:884
    #18 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #19 0x42e869 in Do_Function ../src/core/c-function.c:415
    #20 0x413628 in Do_Next ../src/core/c-do.c:884
    #21 0x41309b in Do_Next ../src/core/c-do.c:858
    #22 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #23 0x42e869 in Do_Function ../src/core/c-function.c:415
    #24 0x413628 in Do_Next ../src/core/c-do.c:884
    #25 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #26 0x414152 in Do_Next ../src/core/c-do.c:939
    #27 0x48201c in N_all ../src/core/n-control.c:261
    #28 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #29 0x413628 in Do_Next ../src/core/c-do.c:884
    #30 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #31 0x491abc in Loop_Each ../src/core/n-loop.c:410
    #32 0x492a6c in N_foreach ../src/core/n-loop.c:546
    #33 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #34 0x413628 in Do_Next ../src/core/c-do.c:884
    #35 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #36 0x42e869 in Do_Function ../src/core/c-function.c:415
    #37 0x413628 in Do_Next ../src/core/c-do.c:884
    #38 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #39 0x414152 in Do_Next ../src/core/c-do.c:939
    #40 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #41 0x48459c in N_if ../src/core/n-control.c:619
    #42 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #43 0x413628 in Do_Next ../src/core/c-do.c:884
    #44 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #45 0x491abc in Loop_Each ../src/core/n-loop.c:410
    #46 0x492a6c in N_foreach ../src/core/n-loop.c:546
    #47 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #48 0x413628 in Do_Next ../src/core/c-do.c:884
    #49 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #50 0x42e869 in Do_Function ../src/core/c-function.c:415
    #51 0x418fb4 in Apply_Block ../src/core/c-do.c:1474
    #52 0x4824fb in N_apply ../src/core/n-control.c:295
    #53 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #54 0x413628 in Do_Next ../src/core/c-do.c:884
    #55 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #56 0x414152 in Do_Next ../src/core/c-do.c:939
    #57 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #58 0x485388 in N_unless ../src/core/n-control.c:763
    #59 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #60 0x413628 in Do_Next ../src/core/c-do.c:884
    #61 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #62 0x483eff in N_do ../src/core/n-control.c:523
    #63 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #64 0x413628 in Do_Next ../src/core/c-do.c:884
    #65 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #66 0x414152 in Do_Next ../src/core/c-do.c:939
    #67 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #68 0x48459c in N_if ../src/core/n-control.c:619
    #69 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #70 0x413628 in Do_Next ../src/core/c-do.c:884
    #71 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #72 0x48f8cc in Loop_Integer ../src/core/n-loop.c:130
    #73 0x49314d in N_repeat ../src/core/n-loop.c:631
    #74 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #75 0x413628 in Do_Next ../src/core/c-do.c:884
    #76 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #77 0x42ee10 in Do_Closure ../src/core/c-function.c:459
    #78 0x413628 in Do_Next ../src/core/c-do.c:884
    #79 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #80 0x485388 in N_unless ../src/core/n-control.c:763
    #81 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #82 0x413628 in Do_Next ../src/core/c-do.c:884
    #83 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #84 0x42e869 in Do_Function ../src/core/c-function.c:415
    #85 0x418fb4 in Apply_Block ../src/core/c-do.c:1474
    #86 0x4824fb in N_apply ../src/core/n-control.c:295
    #87 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #88 0x413628 in Do_Next ../src/core/c-do.c:884
    #89 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #90 0x414152 in Do_Next ../src/core/c-do.c:939
    #91 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #92 0x485388 in N_unless ../src/core/n-control.c:763
    #93 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #94 0x413628 in Do_Next ../src/core/c-do.c:884
    #95 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #96 0x483eff in N_do ../src/core/n-control.c:523
    #97 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #98 0x413628 in Do_Next ../src/core/c-do.c:884
    #99 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #100 0x414152 in Do_Next ../src/core/c-do.c:939
    #101 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #102 0x48459c in N_if ../src/core/n-control.c:619
    #103 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #104 0x413628 in Do_Next ../src/core/c-do.c:884
    #105 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #106 0x48f8cc in Loop_Integer ../src/core/n-loop.c:130
    #107 0x49314d in N_repeat ../src/core/n-loop.c:631
    #108 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #109 0x413628 in Do_Next ../src/core/c-do.c:884
    #110 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #111 0x42ee10 in Do_Closure ../src/core/c-function.c:459
    #112 0x413628 in Do_Next ../src/core/c-do.c:884
    #113 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #114 0x485388 in N_unless ../src/core/n-control.c:763
    #115 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #116 0x413628 in Do_Next ../src/core/c-do.c:884
    #117 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #118 0x42e869 in Do_Function ../src/core/c-function.c:415
    #119 0x413628 in Do_Next ../src/core/c-do.c:884
    #120 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #121 0x484cf1 in N_switch ../src/core/n-control.c:716
    #122 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #123 0x413628 in Do_Next ../src/core/c-do.c:884
    #124 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #125 0x42e869 in Do_Function ../src/core/c-function.c:415
    #126 0x413628 in Do_Next ../src/core/c-do.c:884
    #127 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #128 0x48459c in N_if ../src/core/n-control.c:619
    #129 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #130 0x413628 in Do_Next ../src/core/c-do.c:884
    #131 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #132 0x42e869 in Do_Function ../src/core/c-function.c:415
    #133 0x413628 in Do_Next ../src/core/c-do.c:884
    #134 0x41309b in Do_Next ../src/core/c-do.c:858
    #135 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #136 0x484280 in N_either ../src/core/n-control.c:595
    #137 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #138 0x413628 in Do_Next ../src/core/c-do.c:884
    #139 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #140 0x42e869 in Do_Function ../src/core/c-function.c:415
    #141 0x419631 in Apply_Function ../src/core/c-do.c:1518
    #142 0x419918 in Apply_Func ../src/core/c-do.c:1545
    #143 0x48d102 in N_wake_up ../src/core/n-io.c:415
    #144 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #145 0x413628 in Do_Next ../src/core/c-do.c:884
    #146 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #147 0x4133c9 in Do_Next ../src/core/c-do.c:877
    #148 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #149 0x492b66 in N_loop ../src/core/n-loop.c:590
    #150 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #151 0x413628 in Do_Next ../src/core/c-do.c:884
    #152 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #153 0x42e869 in Do_Function ../src/core/c-function.c:415
    #154 0x419631 in Apply_Function ../src/core/c-do.c:1518
    #155 0x419918 in Apply_Func ../src/core/c-do.c:1545
    #156 0x42fef7 in Awake_System ../src/core/c-port.c:198
    #157 0x43012a in Wait_Ports ../src/core/c-port.c:231
    #158 0x48cd62 in N_wait ../src/core/n-io.c:374
    #159 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #160 0x413628 in Do_Next ../src/core/c-do.c:884
    #161 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #162 0x4133c9 in Do_Next ../src/core/c-do.c:877
    #163 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #164 0x4133c9 in Do_Next ../src/core/c-do.c:877
    #165 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #166 0x4929a7 in N_forever ../src/core/n-loop.c:527
    #167 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #168 0x413628 in Do_Next ../src/core/c-do.c:884
    #169 0x4152ff in Try_Block ../src/core/c-do.c:1077
    #170 0x48507e in N_try ../src/core/n-control.c:740
    #171 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #172 0x413628 in Do_Next ../src/core/c-do.c:884
    #173 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #174 0x414152 in Do_Next ../src/core/c-do.c:939
    #175 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #176 0x4133c9 in Do_Next ../src/core/c-do.c:877
    #177 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #178 0x4133c9 in Do_Next ../src/core/c-do.c:877
    #179 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #180 0x42e869 in Do_Function ../src/core/c-function.c:415
    #181 0x413628 in Do_Next ../src/core/c-do.c:884
    #182 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #183 0x48459c in N_if ../src/core/n-control.c:619
    #184 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #185 0x413628 in Do_Next ../src/core/c-do.c:884
    #186 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #187 0x42e869 in Do_Function ../src/core/c-function.c:415
    #188 0x413628 in Do_Next ../src/core/c-do.c:884
    #189 0x41309b in Do_Next ../src/core/c-do.c:858
    #190 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #191 0x42e869 in Do_Function ../src/core/c-function.c:415
    #192 0x413628 in Do_Next ../src/core/c-do.c:884
    #193 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #194 0x42e869 in Do_Function ../src/core/c-function.c:415
    #195 0x413628 in Do_Next ../src/core/c-do.c:884
    #196 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #197 0x414152 in Do_Next ../src/core/c-do.c:939
    #198 0x48201c in N_all ../src/core/n-control.c:261
    #199 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #200 0x413628 in Do_Next ../src/core/c-do.c:884
    #201 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #202 0x491abc in Loop_Each ../src/core/n-loop.c:410
    #203 0x492a6c in N_foreach ../src/core/n-loop.c:546
    #204 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #205 0x413628 in Do_Next ../src/core/c-do.c:884
    #206 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #207 0x42e869 in Do_Function ../src/core/c-function.c:415
    #208 0x413628 in Do_Next ../src/core/c-do.c:884
    #209 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #210 0x485388 in N_unless ../src/core/n-control.c:763
    #211 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #212 0x413628 in Do_Next ../src/core/c-do.c:884
    #213 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #214 0x42e869 in Do_Function ../src/core/c-function.c:415
    #215 0x413628 in Do_Next ../src/core/c-do.c:884
    #216 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #217 0x48459c in N_if ../src/core/n-control.c:619
    #218 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #219 0x413628 in Do_Next ../src/core/c-do.c:884
    #220 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #221 0x42ee10 in Do_Closure ../src/core/c-function.c:459
    #222 0x413628 in Do_Next ../src/core/c-do.c:884
    #223 0x4115f2 in Do_Args ../src/core/c-do.c:669
    #224 0x414152 in Do_Next ../src/core/c-do.c:939
    #225 0x48201c in N_all ../src/core/n-control.c:261
    #226 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #227 0x413628 in Do_Next ../src/core/c-do.c:884
    #228 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #229 0x491abc in Loop_Each ../src/core/n-loop.c:410
    #230 0x492a6c in N_foreach ../src/core/n-loop.c:546
    #231 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #232 0x413628 in Do_Next ../src/core/c-do.c:884
    #233 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #234 0x42e869 in Do_Function ../src/core/c-function.c:415
    #235 0x413628 in Do_Next ../src/core/c-do.c:884
    #236 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #237 0x48459c in N_if ../src/core/n-control.c:619
    #238 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #239 0x413628 in Do_Next ../src/core/c-do.c:884
    #240 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #241 0x42e869 in Do_Function ../src/core/c-function.c:415
    #242 0x413628 in Do_Next ../src/core/c-do.c:884
    #243 0x41309b in Do_Next ../src/core/c-do.c:858
    #244 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #245 0x42e869 in Do_Function ../src/core/c-function.c:415
    #246 0x413628 in Do_Next ../src/core/c-do.c:884
    #247 0x414825 in Do_Blk ../src/core/c-do.c:1010
    #248 0x48459c in N_if ../src/core/n-control.c:619
    #249 0x42dbb7 in Do_Native ../src/core/c-function.c:289
    #250 0x413628 in Do_Next ../src/core/c-do.c:884
    #251 0x414825 in Do_Blk ../src/core/c-do.c:1010

0x62a00000b201 is located 1 bytes to the right of 20480-byte region [0x62a000006200,0x62a00000b200)
allocated by thread T0 here:
    #0 0x7ffff6f58b1f in malloc (/usr/lib/libasan.so.1+0x54b1f)
    #1 0x47924a in Make_Mem ../src/core/m-pools.c:121
    #2 0x47a9ff in Make_Series ../src/core/m-pools.c:406
    #3 0x4aee84 in Make_Unicode ../src/core/s-make.c:59
    #4 0x4bb797 in Init_Mold ../src/core/s-mold.c:1425
    #5 0x40da64 in Init_Core ../src/core/b-init.c:940
    #6 0x4055e0 in RL_Init ../src/core/a-lib.c:124
    #7 0x580aa2 in main ../src/os/host-main.c:154
    #8 0x7ffff5719fff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/m-series.c:145 Expand_Series
Shadow bytes around the buggy address:
  0x0c547fff95f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff9600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff9610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff9620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fff9630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c547fff9640:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff9660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff9670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff9680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB: fc
  ASan internal:
zsx added a commit that referenced this issue on Jul 17, 2015
Found by AddressSanitizer:

==8157==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000f5897 at pc 0x4816ef bp 0x7fffffffafb0 sp 0x7fffffffafa0
READ of size 1 at 0x61d0000f5897 thread T0
    #0 0x4816ee in Expand_Series ../src/core/m-series.c:138
    #1 0x4e258c in Insert_Gobs ../src/core/t-gob.c:219
    #2 0x4e7782 in T_Gob ../src/core/t-gob.c:833
    #3 0x42e26f in Do_Act ../src/core/c-function.c:338
    #4 0x42e9d8 in Do_Action ../src/core/c-function.c:396
    #5 0x41395b in Do_Next ../src/core/c-do.c:886
    #6 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #7 0x4883d6 in N_if ../src/core/n-control.c:632
    #8 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #9 0x41395b in Do_Next ../src/core/c-do.c:886
    #10 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #11 0x4893c0 in N_unless ../src/core/n-control.c:792
    #12 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #13 0x41395b in Do_Next ../src/core/c-do.c:886
    #14 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #15 0x488c03 in N_switch ../src/core/n-control.c:736
    #16 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #17 0x41395b in Do_Next ../src/core/c-do.c:886
    #18 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #19 0x4883d6 in N_if ../src/core/n-control.c:632
    #20 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #21 0x41395b in Do_Next ../src/core/c-do.c:886
    #22 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #23 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #24 0x41395b in Do_Next ../src/core/c-do.c:886
    #25 0x415658 in Try_Block ../src/core/c-do.c:1083
    #26 0x4862f8 in N_attempt ../src/core/n-control.c:306
    #27 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #28 0x41395b in Do_Next ../src/core/c-do.c:886
    #29 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #30 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131
    #31 0x49693a in N_for ../src/core/n-loop.c:486
    #32 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #33 0x41395b in Do_Next ../src/core/c-do.c:886
    #34 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #35 0x4883d6 in N_if ../src/core/n-control.c:632
    #36 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #37 0x41395b in Do_Next ../src/core/c-do.c:886
    #38 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #39 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #40 0x41395b in Do_Next ../src/core/c-do.c:886
    #41 0x415658 in Try_Block ../src/core/c-do.c:1083
    #42 0x488f7d in N_try ../src/core/n-control.c:760
    #43 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #44 0x41395b in Do_Next ../src/core/c-do.c:886
    #45 0x4118a1 in Do_Args ../src/core/c-do.c:668
    #46 0x413700 in Do_Next ../src/core/c-do.c:879
    #47 0x4118a1 in Do_Args ../src/core/c-do.c:668
    #48 0x413700 in Do_Next ../src/core/c-do.c:879
    #49 0x414f2f in Do_Block_Value_Throw ../src/core/c-do.c:1048
    #50 0x5725ac in Parse_Rules_Loop ../src/core/u-parse.c:830
    #51 0x5731f8 in Parse_Rules_Loop ../src/core/u-parse.c:927
    #52 0x56c799 in Parse_Series ../src/core/u-parse.c:96
    #53 0x576950 in N_parse ../src/core/u-parse.c:1269
    #54 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #55 0x41395b in Do_Next ../src/core/c-do.c:886
    #56 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #57 0x4883d6 in N_if ../src/core/n-control.c:632
    #58 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #59 0x41395b in Do_Next ../src/core/c-do.c:886
    #60 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #61 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #62 0x41395b in Do_Next ../src/core/c-do.c:886
    #63 0x415658 in Try_Block ../src/core/c-do.c:1083
    #64 0x4862f8 in N_attempt ../src/core/n-control.c:306
    #65 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #66 0x41395b in Do_Next ../src/core/c-do.c:886
    #67 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #68 0x487b91 in N_do ../src/core/n-control.c:524
    #69 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #70 0x41395b in Do_Next ../src/core/c-do.c:886
    #71 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #72 0x487fcb in N_either ../src/core/n-control.c:598
    #73 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #74 0x41395b in Do_Next ../src/core/c-do.c:886
    #75 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #76 0x487fcb in N_either ../src/core/n-control.c:598
    #77 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #78 0x41395b in Do_Next ../src/core/c-do.c:886
    #79 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #80 0x487fcb in N_either ../src/core/n-control.c:598
    #81 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #82 0x41395b in Do_Next ../src/core/c-do.c:886
    #83 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #84 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #85 0x4198c2 in Apply_Function ../src/core/c-do.c:1524
    #86 0x419fa8 in Do_Sys_Func ../src/core/c-do.c:1584
    #87 0x41e406 in Init_Mezz ../src/core/c-do.c:2313
    #88 0x405fd3 in RL_Start ../src/core/a-lib.c:167
    #89 0x59d1f7 in main ../src/os/host-main.c:231
    #90 0x7ffff571403f in __libc_start_main (/usr/lib/libc.so.6+0x2003f)
    #91 0x405858 (/home/zsx/work/r3.git/make/r3-view-linux+0x405858)

0x61d0000f5897 is located 7 bytes to the right of 2064-byte region [0x61d0000f5080,0x61d0000f5890)
allocated by thread T0 here:
    #0 0x7ffff6f56b77 in __interceptor_malloc (/usr/lib/libasan.so.1+0x57b77)
    #1 0x47c300 in Make_Mem ../src/core/m-pools.c:125
    #2 0x47ca2f in Fill_Pool ../src/core/m-pools.c:233
    #3 0x47d80c in Make_Series ../src/core/m-pools.c:388
    #4 0x4826f3 in Copy_Series ../src/core/m-series.c:261
    #5 0x43ca14 in Copy_Deep_Values ../src/core/f-blocks.c:131
    #6 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #7 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #8 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #9 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #10 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #11 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #12 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #13 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #14 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #15 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #16 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #17 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159
    #18 0x43cd9f in Clone_Block ../src/core/f-blocks.c:174
    #19 0x42db12 in Clone_Function ../src/core/c-function.c:266
    #20 0x43cc00 in Copy_Deep_Values ../src/core/f-blocks.c:139
    #21 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159
    #22 0x4fd371 in T_Object ../src/core/t-object.c:364
    #23 0x42e26f in Do_Act ../src/core/c-function.c:338
    #24 0x42e9d8 in Do_Action ../src/core/c-function.c:396
    #25 0x41395b in Do_Next ../src/core/c-do.c:886
    #26 0x4133cc in Do_Next ../src/core/c-do.c:860
    #27 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #28 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131
    #29 0x49693a in N_for ../src/core/n-loop.c:486

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/m-series.c:138 Expand_Series
Shadow bytes around the buggy address:
  0x0c3a80016ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a80016b10: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==8157==ABORTING This is happening because "GOB_TAIL(gob) = count" sets the tail of a series with length of "count" to be "count", and Expand_Series expects a terminator in the series. (m-series.c:90 size = (series->tail + 1) * wide;)
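The terminator invariant the commit message describes, shown as an added illustration in C that is not code from the r3 repository: a miniature series with `tail` (slots in use), `rest` (slots allocated) and `wide` (bytes per slot), an expand routine that copies `(tail + 1) * wide` bytes the way the quoted m-series.c line does, and a tail-setter that refuses a `count` for which no terminator slot exists. Every name here (`series_t`, `series_make_raw`, `series_set_tail`, `series_expand`, the two demo functions) is invented for the illustration; only the copy-size formula is taken from the message.

```c
#include <stdlib.h>
#include <string.h>

/* Miniature of a Rebol-style series (names invented for this illustration):
 * `rest` slots of `wide` bytes are allocated, `tail` slots are in use, and
 * the engine's invariant is that slot data[tail] exists and holds a
 * terminator (all-zero here). */
typedef struct {
    unsigned char *data;
    size_t tail;   /* slots in use, excluding the terminator */
    size_t rest;   /* slots allocated, terminator slot included */
    size_t wide;   /* bytes per slot */
} series_t;

/* Allocate exactly `slots` zeroed slots. This is the raw step where the bug
 * can start: nothing here reserves a terminator slot on the caller's behalf. */
static series_t *series_make_raw(size_t slots, size_t wide)
{
    series_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->data = calloc(slots, wide);
    if (!s->data) { free(s); return NULL; }
    s->rest = slots;
    s->wide = wide;
    return s;
}

static void series_free(series_t *s)
{
    if (s) { free(s->data); free(s); }
}

/* Checked replacement for a bare `TAIL(series) = count` assignment: a tail of
 * `count` needs `count + 1` allocated slots so the terminator fits. */
static int series_set_tail(series_t *s, size_t count)
{
    if (count >= s->rest) return -1;               /* no room for a terminator */
    s->tail = count;
    memset(s->data + count * s->wide, 0, s->wide); /* write the terminator */
    return 0;
}

/* Grow the series by `extra` slots. The copy size is (tail + 1) * wide, as in
 * the quoted m-series.c line, so it includes the terminator slot. The bounds
 * check is the addition: without it, tail == rest makes memcpy read one slot
 * past the allocation, which is the heap-buffer-overflow ASan reported. */
static int series_expand(series_t *s, size_t extra)
{
    if (s->tail >= s->rest) return -1;             /* terminator slot missing */
    size_t size = (s->tail + 1) * s->wide;
    size_t new_rest = s->rest + extra;
    unsigned char *nd = calloc(new_rest, s->wide);
    if (!nd) return -1;
    memcpy(nd, s->data, size);
    free(s->data);
    s->data = nd;
    s->rest = new_rest;
    return 0;
}

/* Reproduce the bug: allocate `count` slots and set tail = count with no
 * terminator slot, as "GOB_TAIL(gob) = count" did. Returns the result of the
 * following expand: -1 means the check caught the missing terminator. */
static int demo_tail_without_terminator(size_t count)
{
    series_t *s = series_make_raw(count, sizeof(void *));
    if (!s) return -2;
    s->tail = count;                /* the unchecked assignment from the bug */
    int rc = series_expand(s, 8);
    series_free(s);
    return rc;
}

/* The corrected flow: allocate count + 1 slots and set the tail through the
 * checked setter. Returns 0 when expansion succeeds and both the payload and
 * the zero terminator survive the move. */
static int demo_tail_with_terminator(size_t count)
{
    series_t *s = series_make_raw(count + 1, sizeof(void *));
    if (!s) return -2;
    memset(s->data, 0xAB, count * s->wide);        /* pretend the slots hold gobs */
    if (series_set_tail(s, count) != 0) { series_free(s); return -1; }
    int rc = series_expand(s, 8);
    if (rc == 0) {
        for (size_t i = 0; i < count * s->wide; i++)
            if (s->data[i] != 0xAB) rc = -3;       /* payload damaged */
        for (size_t i = 0; i < s->wide; i++)
            if (s->data[count * s->wide + i] != 0) rc = -4; /* terminator lost */
    }
    series_free(s);
    return rc;
}
```

Built with `-fsanitize=address`, removing the `s->tail >= s->rest` check from `series_expand` turns `demo_tail_without_terminator` into the same one-slot read past the allocation that the report above shows at m-series.c:138.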
zsx added a commit that referenced this issue on Jul 17, 2015
Reported by AddressSanitizer of GCC:

    Direct leak of 970518528 byte(s) in 947772 object(s) allocated from:
        #0 0x7f505036363f in operator new[](unsigned long) (/usr/lib/libasan.so.1+0x5863f)
        #1 0x65676f in agg::agg_graphics::agg_gradient_pen(int, double, double, double, double, double, double, double, unsigned char*, double*, int) ../src/agg/agg_graphics.cpp:1306
        #2 0x5fe247 in rebdrw_gradient_pen ../src/os/host-draw-api-agg.cpp:184
        #3 0x5f8834 in RXD_Draw ../src/os/host-draw.c:294
        #4 0x45cd8e in Do_Commands ../src/core/f-extension.c:579
        #5 0x40680d in RL_Do_Commands ../src/core/a-lib.c:376
        #6 0x603d21 in rebdrw_gob_draw ../src/os/host-draw-api-agg.cpp:567
        #7 0x60c732 in process_gobs ../src/os/linux/host-compositor.c:520
        #8 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
        #9 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
        #10 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
        #11 0x60cb55 in process_gobs ../src/os/linux/host-compositor.c:559
        #12 0x60f753 in rebcmp_compose ../src/os/linux/host-compositor.c:685
        #13 0x5e8299 in Draw_Window ../src/os/host-view.c:225
        #14 0x5e8682 in Show_Gob ../src/os/host-view.c:288
        #15 0x5e8b58 in RXD_Graphics ../src/os/host-view.c:346
        #16 0x45bf75 in Do_Command ../src/core/f-extension.c:456
        #17 0x41395b in Do_Next ../src/core/c-do.c:886
        #18 0x414b73 in Do_Blk ../src/core/c-do.c:1016
        #19 0x42ea5c in Do_Function ../src/core/c-function.c:415
        #20 0x41395b in Do_Next ../src/core/c-do.c:886
        #21 0x414b73 in Do_Blk ../src/core/c-do.c:1016
        #22 0x42ea5c in Do_Function ../src/core/c-function.c:415
        #23 0x41395b in Do_Next ../src/core/c-do.c:886
        #24 0x414b73 in Do_Blk ../src/core/c-do.c:1016
        #25 0x4883d6 in N_if ../src/core/n-control.c:632
        #26 0x42dd9c in Do_Native ../src/core/c-function.c:289
        #27 0x41395b in Do_Next ../src/core/c-do.c:886
        #28 0x414b73 in Do_Blk ../src/core/c-do.c:1016
        #29 0x496d2f in N_forever ../src/core/n-loop.c:532
zsx added a commit that referenced this issue on Jul 17, 2015
Found by GCC Address Sanitizer:

    =================================================================
    ==32465==ERROR: AddressSanitizer: alloc-dealloc-mismatch (malloc vs operator delete []) on 0x6030000add40
        #0 0x7f012194676f in operator delete[](void*) (/usr/lib/libasan.so.1+0x5876f)
        #1 0x6c8785 in agg::agg_graphics::agg_reset() ../src/agg/agg_graphics.cpp:1562
        #2 0x6bc20c in agg::agg_graphics::~agg_graphics() ../src/agg/agg_graphics.cpp:96
        #3 0x66fb18 in rebdrw_gob_draw ../src/os/host-draw-api-agg.cpp:571
        #4 0x678500 in process_gobs ../src/os/linux/host-compositor.c:520
        #5 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559
        #6 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559
        #7 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559
        #8 0x67b63f in rebcmp_compose ../src/os/linux/host-compositor.c:685
        #9 0x65158c in Draw_Window ../src/os/host-view.c:225
        #10 0x651b21 in Show_Gob ../src/os/host-view.c:288
        #11 0x6520ed in RXD_Graphics ../src/os/host-view.c:346
        #12 0x471ccd in Do_Command ../src/core/f-extension.c:456
        #13 0x419332 in Do_Next ../src/core/c-do.c:886
        #14 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #15 0x43f6c8 in Do_Function ../src/core/c-function.c:415
        #16 0x419332 in Do_Next ../src/core/c-do.c:886
        #17 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #18 0x43f6c8 in Do_Function ../src/core/c-function.c:415
        #19 0x419332 in Do_Next ../src/core/c-do.c:886
        #20 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #21 0x4a6c9a in N_do ../src/core/n-control.c:524
        #22 0x43e037 in Do_Native ../src/core/c-function.c:289
        #23 0x419332 in Do_Next ../src/core/c-do.c:886
        #24 0x41b643 in Try_Block ../src/core/c-do.c:1087
        #25 0x4a872e in N_try ../src/core/n-control.c:760
        #26 0x43e037 in Do_Native ../src/core/c-function.c:289
        #27 0x419332 in Do_Next ../src/core/c-do.c:886
        #28 0x4168bd in Do_Args ../src/core/c-do.c:668
        #29 0x41a070 in Do_Next ../src/core/c-do.c:942
        #30 0x4168bd in Do_Args ../src/core/c-do.c:668
        #31 0x4190d4 in Do_Next ../src/core/c-do.c:879
        #32 0x4168bd in Do_Args ../src/core/c-do.c:668
        #33 0x4190d4 in Do_Next ../src/core/c-do.c:879
        #34 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #35 0x43f6c8 in Do_Function ../src/core/c-function.c:415
        #36 0x419332 in Do_Next ../src/core/c-do.c:886
        #37 0x4168bd in Do_Args ../src/core/c-do.c:668
        #38 0x4190d4 in Do_Next ../src/core/c-do.c:879
        #39 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #40 0x4a6c9a in N_do ../src/core/n-control.c:524
        #41 0x43e037 in Do_Native ../src/core/c-function.c:289
        #42 0x419332 in Do_Next ../src/core/c-do.c:886
        #43 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #44 0x4a732e in N_either ../src/core/n-control.c:598
        #45 0x43e037 in Do_Native ../src/core/c-function.c:289
        #46 0x419332 in Do_Next ../src/core/c-do.c:886
        #47 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #48 0x4a732e in N_either ../src/core/n-control.c:598
        #49 0x43e037 in Do_Native ../src/core/c-function.c:289
        #50 0x419332 in Do_Next ../src/core/c-do.c:886
        #51 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #52 0x4a732e in N_either ../src/core/n-control.c:598
        #53 0x43e037 in Do_Native ../src/core/c-function.c:289
        #54 0x419332 in Do_Next ../src/core/c-do.c:886
        #55 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #56 0x43f6c8 in Do_Function ../src/core/c-function.c:415
        #57 0x42094d in Apply_Function ../src/core/c-do.c:1528
        #58 0x42116c in Do_Sys_Func ../src/core/c-do.c:1588
        #59 0x426d54 in Init_Mezz ../src/core/c-do.c:2320
        #60 0x4069c1 in RL_Start ../src/core/a-lib.c:193
        #61 0x5fea9d in main ../src/os/host-main.c:235
        #62 0x7f011fed27ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
        #63 0x405dd8 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x405dd8)

    0x6030000add40 is located 0 bytes inside of 24-byte region [0x6030000add40,0x6030000add58)
    allocated by thread T0 here:
        #0 0x7f01219457a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
        #1 0x606495 in OS_Make ../src/os/linux/host-lib.c:380
        #2 0x664b61 in RXD_Draw ../src/os/host-draw.c:438
        #3 0x472f24 in Do_Commands ../src/core/f-extension.c:585
        #4 0x4073a0 in RL_Do_Commands ../src/core/a-lib.c:402
        #5 0x66fadb in rebdrw_gob_draw ../src/os/host-draw-api-agg.cpp:568
        #6 0x678500 in process_gobs ../src/os/linux/host-compositor.c:520
        #7 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559
        #8 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559
        #9 0x6789b7 in process_gobs ../src/os/linux/host-compositor.c:559
        #10 0x67b63f in rebcmp_compose ../src/os/linux/host-compositor.c:685
        #11 0x65158c in Draw_Window ../src/os/host-view.c:225
        #12 0x651b21 in Show_Gob ../src/os/host-view.c:288
        #13 0x6520ed in RXD_Graphics ../src/os/host-view.c:346
        #14 0x471ccd in Do_Command ../src/core/f-extension.c:456
        #15 0x419332 in Do_Next ../src/core/c-do.c:886
        #16 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #17 0x43f6c8 in Do_Function ../src/core/c-function.c:415
        #18 0x419332 in Do_Next ../src/core/c-do.c:886
        #19 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #20 0x43f6c8 in Do_Function ../src/core/c-function.c:415
        #21 0x419332 in Do_Next ../src/core/c-do.c:886
        #22 0x41aaed in Do_Blk ../src/core/c-do.c:1017
        #23 0x4a6c9a in N_do ../src/core/n-control.c:524
        #24 0x43e037 in Do_Native ../src/core/c-function.c:289
        #25 0x419332 in Do_Next ../src/core/c-do.c:886
        #26 0x41b643 in Try_Block ../src/core/c-do.c:1087
        #27 0x4a872e in N_try ../src/core/n-control.c:760
        #28 0x43e037 in Do_Native ../src/core/c-function.c:289
        #29 0x419332 in Do_Next ../src/core/c-do.c:886

    SUMMARY: AddressSanitizer: alloc-dealloc-mismatch ??:0 operator delete[](void*)
    ==32465==HINT: if you don't care about these warnings you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0
    ==32465==ABORTING
zsx added a commit that referenced this issue on Jul 17, 2015
index is unsigned, and could be zero, so 'index--' will underflow and round to 0xffffffff, and cause a problem in a later call to Expand_Series.

I believe the idea of

    if ((REBINT)index > i) index--;

is to move the index forward because the gobs being inserted were in PANE, and they can't be there twice (Detach_Gob will remove them from the current gob). So if they were not there, "index" shouldn't be changed.

This fixes a crash in the following script:

    REBOL []
    foo: make block! []
    for i 0 15 1 [
        txt: #"a" + i
        append foo make gob! reduce/no-set [text: to string! txt]
    ]
    g: make gob! []
    append g foo
    g/pane: next g/pane

With this stack trace:

    zsx@touchsmart-arch:~/work/r3.git/make$ R3_ALWAYS_MALLOC=1 ./r3-view-linux test-insert-gob-crash.r
    =================================================================
    ==24248==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000c8a8 at pc 0x522243 bp 0x7fff91ba7a60 sp 0x7fff91ba7a50
    WRITE of size 8 at 0x60d00000c8a8 thread T0
        #0 0x522242 in Insert_Gobs ../src/core/t-gob.c:230
        #1 0x5242d6 in Set_GOB_Var ../src/core/t-gob.c:421
        #2 0x5278ee in PD_Gob ../src/core/t-gob.c:713
        #3 0x414cda in Next_Path ../src/core/c-do.c:399
        #4 0x415c8c in Do_Path ../src/core/c-do.c:463
        #5 0x41a018 in Do_Next ../src/core/c-do.c:928
        #6 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #7 0x4a6eca in N_do ../src/core/n-control.c:524
        #8 0x43e267 in Do_Native ../src/core/c-function.c:289
        #9 0x419562 in Do_Next ../src/core/c-do.c:886
        #10 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #11 0x4a755e in N_either ../src/core/n-control.c:598
        #12 0x43e267 in Do_Native ../src/core/c-function.c:289
        #13 0x419562 in Do_Next ../src/core/c-do.c:886
        #14 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #15 0x4a755e in N_either ../src/core/n-control.c:598
        #16 0x43e267 in Do_Native ../src/core/c-function.c:289
        #17 0x419562 in Do_Next ../src/core/c-do.c:886
        #18 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #19 0x4a755e in N_either ../src/core/n-control.c:598
        #20 0x43e267 in Do_Native ../src/core/c-function.c:289
        #21 0x419562 in Do_Next ../src/core/c-do.c:886
        #22 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #23 0x43f8f8 in Do_Function ../src/core/c-function.c:415
        #24 0x420b7d in Apply_Function ../src/core/c-do.c:1528
        #25 0x42139c in Do_Sys_Func ../src/core/c-do.c:1588
        #26 0x426f84 in Init_Mezz ../src/core/c-do.c:2320
        #27 0x406bf1 in RL_Start ../src/core/a-lib.c:193
        #28 0x5fecee in main ../src/os/host-main.c:235
        #29 0x7facd0bf67ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
        #30 0x406008 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x406008)

    0x60d00000c8a8 is located 0 bytes to the right of 136-byte region [0x60d00000c820,0x60d00000c8a8)
    allocated by thread T0 here:
        #0 0x7facd26567a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
        #1 0x4999a7 in Make_Mem ../src/core/m-pools.c:125
        #2 0x49b188 in Make_Series ../src/core/m-pools.c:413
        #3 0x521929 in Insert_Gobs ../src/core/t-gob.c:208
        #4 0x529717 in T_Gob ../src/core/t-gob.c:835
        #5 0x43eb86 in Do_Act ../src/core/c-function.c:338
        #6 0x43f82a in Do_Action ../src/core/c-function.c:396
        #7 0x419562 in Do_Next ../src/core/c-do.c:886
        #8 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #9 0x4a6eca in N_do ../src/core/n-control.c:524
        #10 0x43e267 in Do_Native ../src/core/c-function.c:289
        #11 0x419562 in Do_Next ../src/core/c-do.c:886
        #12 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #13 0x4a755e in N_either ../src/core/n-control.c:598
        #14 0x43e267 in Do_Native ../src/core/c-function.c:289
        #15 0x419562 in Do_Next ../src/core/c-do.c:886
        #16 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #17 0x4a755e in N_either ../src/core/n-control.c:598
        #18 0x43e267 in Do_Native ../src/core/c-function.c:289
        #19 0x419562 in Do_Next ../src/core/c-do.c:886
        #20 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #21 0x4a755e in N_either ../src/core/n-control.c:598
        #22 0x43e267 in Do_Native ../src/core/c-function.c:289
        #23 0x419562 in Do_Next ../src/core/c-do.c:886
        #24 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #25 0x43f8f8 in Do_Function ../src/core/c-function.c:415
        #26 0x420b7d in Apply_Function ../src/core/c-do.c:1528
        #27 0x42139c in Do_Sys_Func ../src/core/c-do.c:1588
        #28 0x426f84 in Init_Mezz ../src/core/c-do.c:2320
        #29 0x406bf1 in RL_Start ../src/core/a-lib.c:193

    SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/t-gob.c:230 Insert_Gobs
    Shadow bytes around the buggy address:
      0x0c1a7fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff9900: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1a7fff9910: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa 00 00
      0x0c1a7fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
      0x0c1a7fff9930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1a7fff9940: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
      0x0c1a7fff9950: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff9960: 00 00 00 00 fa fa fa fa fa fa fa fa fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Contiguous container OOB:fc
      ASan internal:           fe
    ==24248==ABORTING
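The unsigned-underflow pattern from the commit message, shown as an added illustration in C that is not r3 code: the quoted `if ((REBINT)index > i) index--;` beside a version that only decrements when the gob really was found ahead of the insertion point, plus a small pane model that detaches and reinserts the way the message says Detach_Gob and Insert_Gobs cooperate. `REBCNT` and `REBINT` are used as in the quoted line; `NOT_FOUND`, `pane_t`, `pane_find`, `pane_insert` and the two demo functions are names invented here, and the bounds check in `pane_insert` is the hardening the illustration adds.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

typedef unsigned int REBCNT;   /* unsigned count/index, as in the quoted line */
typedef int REBINT;

#define NOT_FOUND (-1)         /* invented: "the gob is not in the pane" */

/* The adjustment as quoted in the message. With index == 0 and i == NOT_FOUND,
 * (REBINT)0 > -1 is true, index-- wraps to UINT_MAX, and the later insertion
 * writes far outside the pane's allocation. */
static REBCNT adjust_index_buggy(REBCNT index, REBINT i)
{
    if ((REBINT)index > i) index--;
    return index;
}

/* Fixed form: the decrement only compensates for the slot that Detach_Gob
 * removed, so it applies only when the gob was found (i >= 0) ahead of the
 * insertion point. An unsigned index can then never be decremented at 0. */
static REBCNT adjust_index_fixed(REBCNT index, REBINT i)
{
    if (i != NOT_FOUND && (REBCNT)i < index) index--;
    return index;
}

/* Minimal pane model: a fixed array of gob ids plus the number in use. */
typedef struct {
    int    gobs[16];
    REBCNT count;
} pane_t;

static REBINT pane_find(const pane_t *p, int gob)
{
    for (REBCNT k = 0; k < p->count; k++)
        if (p->gobs[k] == gob) return (REBINT)k;
    return NOT_FOUND;
}

/* Detach `gob` if present (it cannot be in the pane twice), then insert it at
 * `index` adjusted for the removed slot. Returns the final position, or -1
 * when the (possibly wrapped) index is out of range. */
static REBINT pane_insert(pane_t *p, REBCNT index, int gob,
                          REBCNT (*adjust)(REBCNT, REBINT))
{
    REBINT at = pane_find(p, gob);
    if (at != NOT_FOUND) {
        memmove(&p->gobs[at], &p->gobs[at + 1],
                (p->count - (REBCNT)at - 1) * sizeof p->gobs[0]);
        p->count--;
    }
    index = adjust(index, at);
    /* Range check: a wrapped index fails here instead of becoming the
     * out-of-bounds write ASan reported at t-gob.c:230. */
    if (index > p->count || p->count >= sizeof p->gobs / sizeof p->gobs[0])
        return -1;
    memmove(&p->gobs[index + 1], &p->gobs[index],
            (p->count - index) * sizeof p->gobs[0]);
    p->gobs[index] = gob;
    p->count++;
    return (REBINT)index;
}

/* A gob that is not yet in the pane, inserted at the front of an empty pane.
 * The buggy adjustment turns index 0 into UINT_MAX; the fixed one keeps 0. */
static REBINT demo_insert_new_at_front(REBCNT (*adjust)(REBCNT, REBINT))
{
    pane_t p = { {0}, 0 };
    return pane_insert(&p, 0, 42, adjust);
}

/* Moving a gob that is already in the pane: [1 2 3] with gob 1 reinserted at
 * index 2 must end as [2 1 3], i.e. at position 1 once its old slot is gone. */
static REBINT demo_move_existing(REBCNT (*adjust)(REBCNT, REBINT))
{
    pane_t p = { {1, 2, 3}, 3 };
    REBINT pos = pane_insert(&p, 2, 1, adjust);
    if (pos < 0) return pos;
    return (p.count == 3 && p.gobs[0] == 2 && p.gobs[1] == 1 && p.gobs[2] == 3)
           ? pos : -2;
}
```

The two adjustments agree whenever the gob was already in the pane; they differ exactly in the "not there" case the message singles out, which is why the script above (fresh gobs, pane position 0) was the trigger.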
zsx added a commit that referenced this issue on Jul 17, 2015
reported by address sanitizer with manual poisoning:

    =================================================================
    ==11513==ERROR: AddressSanitizer: use-after-poison on address 0x7efe281542c0 at pc 0x00000071038f bp 0x7ffdc9de9330 sp 0x7ffdc9de9328
    READ of size 4 at 0x7efe281542c0 thread T0
        #0 0x71038e in Mark_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:501:6
        #1 0x70ea8b in Recycle /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:744:4
        #2 0x7bbde6 in N_recycle /home/zsx/stuffs/work/r3.git/make/../src/core/n-system.c:99:10
        #3 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #4 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #5 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #6 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #7 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #8 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11
        #9 0xb0b6d9 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4
        #10 0xb0e7f7 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9
        #11 0xb07b10 in Parse_Series /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:96:9
        #12 0xb06b65 in N_parse /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:1269:7
        #13 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #14 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #15 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #16 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #17 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #18 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #19 0x745e54 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10
        #20 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #21 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #22 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
        #23 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
        #24 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #25 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #26 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #27 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
        #28 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #29 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #30 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #31 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #32 0x749b0b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8
        #33 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #34 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #35 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #36 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
        #37 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #38 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #39 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #40 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
        #41 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #42 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #43 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #44 0x74abca in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
        #45 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #46 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #47 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #48 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #49 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33
        #50 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10
        #51 0x582548 in Init_Mezz /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:2320:9
        #52 0x52e62f in RL_Start /home/zsx/stuffs/work/r3.git/make/../src/core/a-lib.c:193:9
        #53 0xbb6c93 in main /home/zsx/stuffs/work/r3.git/make/../src/os/host-main.c:235:6
        #54 0x7efe2bfcb7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
        #55 0x486498 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x486498)

    0x7efe281542c0 is located 96960 bytes inside of 131088-byte region [0x7efe2813c800,0x7efe2815c810)
    allocated by thread T0 here:
        #0 0x50d462 in __interceptor_malloc (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x50d462)
        #1 0x721a85 in Make_Mem /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:127:14
        #2 0x723acd in Fill_Pool /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:235:19
        #3 0x7233af in Make_Node /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:280:20
        #4 0x725f8a in Make_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:391:21
        #5 0x738823 in Copy_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-series.c:261:19
        #6 0x5f93a6 in Copy_Deep_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:131:22
        #7 0x5f98cf in Copy_Deep_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:136:6
        #8 0x5fa3ed in Copy_Block_Values /home/zsx/stuffs/work/r3.git/make/../src/core/f-blocks.c:159:18
        #9 0x89efc2 in T_Block /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:796:23
        #10 0x5c458f in Do_Act /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:338:8
        #11 0x5c5927 in Do_Action /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:396:2
        #12 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #13 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
        #14 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
        #15 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #16 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #17 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #18 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
        #19 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #20 0x749b0b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8
        #21 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #22 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #23 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #24 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #25 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33
        #26 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10
        #27 0x5a37d0 in Make_Module /home/zsx/stuffs/work/r3.git/make/../src/core/c-frame.c:585:10
        #28 0x9510d5 in T_Object /home/zsx/stuffs/work/r3.git/make/../src/core/t-object.c:308:16
        #29 0x8ac4eb in T_Datatype /home/zsx/stuffs/work/r3.git/make/../src/core/t-datatype.c:92:20

    SUMMARY: AddressSanitizer: use-after-poison /home/zsx/stuffs/work/r3.git/make/../src/core/m-gc.c:501 Mark_Series
    Shadow bytes around the buggy address:
      0x0fe045022800: f7 f7 00 00 00 00 00 00 00 00 f7 f7 f7 f7 00 00
      0x0fe045022810: 00 00 00 00 00 00 f7 f7 f7 f7 00 00 00 00 00 00
      0x0fe045022820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fe045022830: 00 00 f7 f7 f7 f7 00 00 00 00 00 00 00 00 f7 f7
      0x0fe045022840: f7 f7 00 00 00 00 00 00 00 00 f7 f7 f7 f7 00 00
    =>0x0fe045022850: 00 00 00 00 00 00 f7 f7[f7]f7 00 00 00 00 00 00
      0x0fe045022860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fe045022870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fe045022880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fe045022890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fe0450228a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==11513==ABORTING
zsx added a commit that referenced this issue on Jul 17, 2015
The length of the VAL_SERIES(value) has been set correctly by Append_UTF8, and it could be smaller than "len", because UTF-8 is a multi-byte encoding; thus passing "len" to Deline_Uni could cause an out-of-bounds memory access.

Fixes CC#2169

The following code

    REBOL[]
    t: <ēee>

causes:

    ==13053==ERROR: AddressSanitizer: use-after-poison on address 0x61d00001a5f8 at pc 0x000000853d50 bp 0x7ffd2a31a1b0 sp 0x7ffd2a31a1a8
    WRITE of size 2 at 0x61d00001a5f8 thread T0
        #0 0x853d4f in Deline_Uni /home/zsx/stuffs/work/r3.git/make/../src/core/s-ops.c:426:2
        #1 0x7064d4 in Scan_Any /home/zsx/stuffs/work/r3.git/make/../src/core/l-types.c:846:7
        #2 0x6dca3c in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1421:4
        #3 0x6d9f92 in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1301:12
        #4 0x6df0e6 in Scan_Code /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1550:9
        #5 0x6df462 in Scan_Source /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1570:9
        #6 0x896105 in Make_Block_Type /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:306:9
        #7 0x89af62 in T_Block /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:624:3
        #8 0x8ac80b in T_Datatype /home/zsx/stuffs/work/r3.git/make/../src/core/t-datatype.c:92:20
        #9 0x5c458f in Do_Act /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:338:8
        #10 0x5c5927 in Do_Action /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:396:2
        #11 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #12 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
        #13 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #14 0x746174 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10
        #15 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #16 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #17 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #18 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #19 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #20 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
        #21 0x568295 in Try_Block /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1087:11
        #22 0x7506ac in N_try /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:760:6
        #23 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #24 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #25 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
        #26 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
        #27 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
        #28 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
        #29 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #30 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #31 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #32 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11
        #33 0xb0b9f9 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4
        #34 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9
        #35 0xb07e30 in Parse_Series /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:96:9
        #36 0xb06e85 in N_parse /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:1269:7
        #37 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #38 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #39 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #40 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #41 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #42 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #43 0x746174 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10
        #44 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #45 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #46 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
        #47 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
        #48 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #49 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #50 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #51 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
        #52 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #53 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #54 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #55 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #56 0x749e2b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8
        #57 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #58 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #59 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #60 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
        #61 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #62 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #63 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #64 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
        #65 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #66 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #67 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #68 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
        #69 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
        #70 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
        #71 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
        #72 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
        #73 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33
        #74 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10
        #75 0x582548 in Init_Mezz /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:2320:9
        #76 0x52e62f in RL_Start /home/zsx/stuffs/work/r3.git/make/../src/core/a-lib.c:193:9
        #77 0xbb6fb3 in main /home/zsx/stuffs/work/r3.git/make/../src/os/host-main.c:235:6
        #78 0x7fd1c04ef7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
        #79 0x486498 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x486498)

    0x61d00001a5f8 is located 376 bytes inside of 2064-byte region [0x61d00001a480,0x61d00001ac90)
    allocated by thread T0 here:
        #0 0x50d462 in __interceptor_malloc (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x50d462)
        #1 0x721a85 in Make_Mem /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:132:14
        #2 0x723bed in Fill_Pool /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:240:19
#3 0x7233c2 in Make_Node /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:295:20 #4 0x7267f3 in Make_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:419:10 #5 0x818d71 in Copy_String /home/zsx/stuffs/work/r3.git/make/../src/core/s-make.c:337:8 #6 0x6dc386 in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1388:22 #7 0x6df0e6 in Scan_Code /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1550:9 #8 0x6e1f81 in N_transcode /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1630:8 #9 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #10 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #11 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #12 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 #13 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #14 0x56110f in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:942:13 #15 0x568295 in Try_Block /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1087:11 #16 0x7506ac in N_try /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:760:6 #17 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6 #18 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18 #19 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #20 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 #21 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12 #22 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11 #23 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11 #24 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11 #25 0xb0b9f9 in Parse_Rules_Loop 
/home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4 #26 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9 #27 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9 #28 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9 #29 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9 SUMMARY: AddressSanitizer: use-after-poison /home/zsx/stuffs/work/r3.git/make/../src/core/s-ops.c:426 Deline_Uni Shadow bytes around the buggy address: 0x0c3a7fffb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fffb490: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c3a7fffb4a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 =>0x0c3a7fffb4b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 f7 00 00[f7] 0x0c3a7fffb4c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c3a7fffb4d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c3a7fffb4e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c3a7fffb4f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c3a7fffb500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==13053==ABORTING
zsx added a commit that referenced this issue on Jan 1, 2016
The comment indicates that a terminator is included, but the code says otherwise. The missing terminator is the cause of this crash:

#0 0x5afa8a in Panic_Series_Debug /home/zsx/work/r3-nanovg.git/src/core/m-series.c:531
#1 0x5af94f in Assert_Series_Term_Core /home/zsx/work/r3-nanovg.git/src/core/m-series.c:506
#2 0x577682 in Val_Init_Series_Index_Core /home/zsx/work/r3-nanovg.git/src/core/f-stubs.c:476
#3 0x782a96 in T_Struct /home/zsx/work/r3-nanovg.git/src/core/t-struct.c:1240
zsx added a commit that referenced this issue on Dec 19, 2016
The comment indicates that a terminator is included, but the code says otherwise. The missing terminator is the cause of this crash:

#0 0x5afa8a in Panic_Series_Debug /home/zsx/work/r3-nanovg.git/src/core/m-series.c:531
#1 0x5af94f in Assert_Series_Term_Core /home/zsx/work/r3-nanovg.git/src/core/m-series.c:506
#2 0x577682 in Val_Init_Series_Index_Core /home/zsx/work/r3-nanovg.git/src/core/f-stubs.c:476
#3 0x782a96 in T_Struct /home/zsx/work/r3-nanovg.git/src/core/t-struct.c:1240
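The two commits above (Jan 1, 2016 and Dec 19, 2016) describe the same defect class: a series whose comment promises a terminator slot after `tail`, while the code that fills it never writes the terminator, so a debug-build terminator assertion fires. The following is an added illustration in C, not r3's own series code; `series_t`, `make_series`, `series_term_ok` and the 0xAA poison fill are hypothetical names and choices made for this example. The check mirrors the intent of the Assert_Series_Term_Core frame in the trace: the slot at `tail` must exist inside the allocation and must hold the terminator.

```c
/* Added example, not r3's own code: a byte series that reserves one slot past
 * `tail` for a terminator, a copy routine that forgets to write it, and the
 * debug check that catches the omission. All names here are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *data;  /* payload bytes, then one terminator slot */
    size_t   tail;  /* payload bytes in use */
    size_t   rest;  /* bytes allocated, terminator slot included */
} series_t;

/* Allocate room for `len` payload bytes plus the terminator. Fresh memory is
 * poisoned (0xAA) the way a debug build would, so a missing terminator cannot
 * pass the check by luck of what malloc happened to return. */
static series_t *make_series(size_t len) {
    series_t *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->rest = len + 1;
    s->data = malloc(s->rest);
    if (!s->data) { free(s); return NULL; }
    memset(s->data, 0xAA, s->rest);
    s->tail = 0;
    s->data[0] = 0;   /* an empty series is still terminated */
    return s;
}

static void free_series(series_t *s) {
    if (s) { free(s->data); free(s); }
}

/* Invariant in the spirit of Assert_Series_Term in the trace: the slot at
 * `tail` lies inside the allocation and holds the terminator. */
static bool series_term_ok(const series_t *s) {
    return s != NULL && s->tail < s->rest && s->data[s->tail] == 0;
}

/* Defective copy: the comment claims a terminator, the code never writes
 * data[len], so whatever the poison fill left there is what a reader sees. */
static series_t *copy_bytes_buggy(const uint8_t *src, size_t len) {
    series_t *s = make_series(len);
    if (!s) return NULL;
    memcpy(s->data, src, len);
    s->tail = len;           /* "terminator included" ... it is not */
    return s;
}

/* Corrected copy: the terminator is written every time tail moves. */
static series_t *copy_bytes_fixed(const uint8_t *src, size_t len) {
    series_t *s = make_series(len);
    if (!s) return NULL;
    memcpy(s->data, src, len);
    s->tail = len;
    s->data[s->tail] = 0;
    return s;
}

/* Constructed input; each function reports what the terminator check says. */
static bool buggy_copy_passes_check(void) {
    static const uint8_t sample[3] = { 'a', 'b', 'c' };   /* constructed */
    series_t *s = copy_bytes_buggy(sample, sizeof sample);
    bool ok = series_term_ok(s);   /* false: data[3] is still the 0xAA poison */
    free_series(s);
    return ok;
}

static bool fixed_copy_passes_check(void) {
    static const uint8_t sample[3] = { 'a', 'b', 'c' };   /* constructed */
    series_t *s = copy_bytes_fixed(sample, sizeof sample);
    bool ok = series_term_ok(s);   /* true */
    free_series(s);
    return ok;
}
```

The practical lesson is that a terminator promise in a comment is only as good as a check that runs: put the check at the point where a series becomes a value (the `Val_Init_Series_Index_Core` frame above does exactly that), and poison fresh allocations in debug builds so the check is deterministic rather than dependent on stale heap contents.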
zsx added a commit that referenced this issue on Jan 13, 2017
This fixes the crash caused by:

>> #{a}
END marker or garbage/trash in VAL_TYPE()
REBVAL init on tick #28232 at /home/zsx/r3-dev/src/core/l-types.c:1028
Kind=50
Containing series for value pointer found, panicking it:
managed series was likely created during evaluator tick: 28232
=================================================================
==4319==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000b27d0 at pc 0x0000004f9f47 bp 0x7fffffffcde0 sp 0x7fffffffcdd0
READ of size 4 at 0x6020000b27d0 thread T0
#0 0x4f9f46 in Panic_Series_Debug /home/zsx/r3-dev/src/core/m-series.c:512
#1 0x47d073 in Panic_Value_Debug /home/zsx/r3-dev/src/core/c-value.c:81
#2 0x481e85 in Panic_Core /home/zsx/r3-dev/src/core/d-crash.c:220
#3 0x432a3c in VAL_TYPE_Debug /home/zsx/r3-dev/make/../src/include/sys-value.h:165
#4 0x4349fc in Bind_Values_Inner_Loop /home/zsx/r3-dev/src/core/c-bind.c:54
#5 0x434dff in Bind_Values_Core /home/zsx/r3-dev/src/core/c-bind.c:141
#6 0x4077bc in Do_String /home/zsx/r3-dev/src/os/host-main.c:323
#7 0x408799 in Host_Repl /home/zsx/r3-dev/src/os/host-main.c:569
#8 0x40a228 in main /home/zsx/r3-dev/src/os/host-main.c:1078
#9 0x7ffff65b2290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
#10 0x404009 in _start (/home/zsx/stuffs/work/r3-build/MakeFiles/Debug/r3-core+0x404009)

0x6020000b27d0 is located 0 bytes inside of 4-byte region [0x6020000b27d0,0x6020000b27d4)
freed by thread T0 here:
#0 0x7ffff6efeb00 in __interceptor_free /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:45
#1 0x4f2622 in Make_Series /home/zsx/r3-dev/src/core/m-pools.c:894
#2 0x4a255b in Make_Array /home/zsx/r3-dev/make/../src/include/sys-array.h:213
#3 0x4a3371 in Copy_Values_Len_Extra_Skip_Shallow /home/zsx/r3-dev/src/core/f-blocks.c:144
#4 0x4dc5c5 in Scan_Array /home/zsx/r3-dev/src/core/l-scan.c:1852
#5 0x4dcad5 in Scan_UTF8_Managed /home/zsx/r3-dev/src/core/l-scan.c:1936
#6 0x40772b in Do_String /home/zsx/r3-dev/src/os/host-main.c:304
#7 0x408799 in Host_Repl /home/zsx/r3-dev/src/os/host-main.c:569
#8 0x40a228 in main /home/zsx/r3-dev/src/os/host-main.c:1078
#9 0x7ffff65b2290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

previously allocated by thread T0 here:
#0 0x7ffff6efee60 in __interceptor_malloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x4f25e2 in Make_Series /home/zsx/r3-dev/src/core/m-pools.c:893
#2 0x4a255b in Make_Array /home/zsx/r3-dev/make/../src/include/sys-array.h:213
#3 0x4a3371 in Copy_Values_Len_Extra_Skip_Shallow /home/zsx/r3-dev/src/core/f-blocks.c:144
#4 0x4dc5c5 in Scan_Array /home/zsx/r3-dev/src/core/l-scan.c:1852
#5 0x4dcad5 in Scan_UTF8_Managed /home/zsx/r3-dev/src/core/l-scan.c:1936
#6 0x40772b in Do_String /home/zsx/r3-dev/src/os/host-main.c:304
#7 0x408799 in Host_Repl /home/zsx/r3-dev/src/os/host-main.c:569
#8 0x40a228 in main /home/zsx/r3-dev/src/os/host-main.c:1078
#9 0x7ffff65b2290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

and turns it to:

>> #{a}
** Syntax error: invalid "binary" -- "#{a}"
** Near: (line 1) #{a}
zsx pushed a commit that referenced this issue on May 16, 2018
This introduces two new categories of "invisible" functions. They are designed to return nothing--not even void. The way to say how a function is in this category in the moment is to give it a `return: []` in its spec, to say the null set (even excluding `<opt>` for void) is what it can return. This means it will do its best to omit any influence from the chain of evaluator (outside running the body of the function itself).

Category #1 is when the function is not enfix. This simplification will attempt to complete the left-hand side of an expression before running. This gives a mostly-intuitive order of evaluation, as shown by the DUMP debug primitive--which has been changed to be invisible:

>> x: 10
>> y: 20
>> z: 1 + 2 * 3 dump [z y x]
z: => 9
y: => 20
x: => 10
== 9

The cost of such a model is that it can't be truly invisible, since it has intruded on what the evaluative order would have been as seen by any enfix operations on their right. e.g. forcing (print 1) to complete below means the 1 is no longer available for the (1 + 2) that would happen if the comment weren't there:

>> print 1 comment "hi" + 2
** Script Error: + requires value1 argument to not be void

Category #2 is achieved by making such a function enfix. By convention it will retain the state of the frame's output cell, instead of erasing it after extracting into the left hand parameter slot of the function. This gives that function access to the state being passed through it--as well as allowing the evaluator to retain enough of its internal state to make it "fully invisible" regarding characteristics not exposed (such as: there is no END! datatype to pass through to write an `<end> status on the output).

A basic operator which provides commenting and evaluation in this model is provided called ELIDE. It can be used to erase any code if passed a BLOCK!

x: 10 y: 1 elide [+ 2 z: 30] + 7

It can also be passed a GROUP!, but the order of evaluation may be surprising due to its tight-enfixing character. For instance, the ELIDE below must be done at the moment of evaluation of the 2, not deferred after `y: 1 + 2` has all been completed:

>> y: 1 + 2 elide (print y)
** Script error: y has no value

(Note: This commit includes clarifying code rearrangements which involved changing indentation levels, so it appears larger than it is.)
zsx added a commit that referenced this issue on Nov 5, 2018
A simple "nl" in a text block could crash it, because it's a static string, and not supposed to be freed. "\n" is also supposed to be of type wide_t*, or there'll be garbage text.

(gdb) bt
#0 0x00007ffff72b2f73 in free () from /usr/lib/libc.so.6
#1 0x00005555555fd956 in OS_Free (mem=0x5555556c49f8) at ../src/os/linux/host-lib.c:392
#2 0x0000555555687413 in agg::rich_text::rt_reset (this=0x5555558f7d60) at ../src/agg/agg_truetype_text.cpp:135
#3 0x0000555555652017 in agg::agg_graphics::agg_text (this=0x5555557ebde0, vectorial=1, p1=0x7fffffffc308, p2=0x7fffffffc310, block=0x7ffff61d6020) at ../src/agg/agg_graphics.cpp:1955
#4 0x0000555555626103 in agg::rebdrw_text (gr=0x5555557ebde0, mode=1, p1=0x7fffffffc308, p2=0x7fffffffc310, block=0x7ffff61d6020) at ../src/os/host-draw-api-agg.cpp:413
#5 0x0000555555623c01 in RXD_Draw (cmd=33, frm=0x7fffffffc3e0, ctx=0x7fffffffc5d0) at ../src/os/host-draw.c:571
#6 0x000055555558b577 in Do_Commands (cmds=0x7ffff61d5fc0, context=0x7fffffffc5d0) at ../src/core/f-extension.c:585
#7 0x000055555556b8a7 in RL_Do_Commands (blk=0x7ffff61d5fc0, flags=0, context=0x7fffffffc5d0) at ../src/core/a-lib.c:402
#8 0x0000555555627b27 in agg::rebdrw_gob_draw (gob=0x555555940798, buf=0x7ffff5add000 '\377' <repeats 200 times>..., buf_size=..., abs_oft=..., clip_oft=..., clip_siz=...) at ../src/os/host-draw-api-agg.cpp:611
#9 0x000055555562abf9 in process_gobs (ctx=0x5555559091f0, gob=0x555555940798) at ../src/os/linux/host-compositor.c:524
#10 0x000055555562ae48 in process_gobs (ctx=0x5555559091f0, gob=0x555555940744) at ../src/os/linux/host-compositor.c:563
#11 0x000055555562ae48 in process_gobs (ctx=0x5555559091f0, gob=0x5555559407ec) at ../src/os/linux/host-compositor.c:563
#12 0x000055555562c037 in rebcmp_compose (ctx=0x5555559091f0, winGob=0x5555559407ec, gob=0x5555559407ec, only=0 '\000') at ../src/os/linux/host-compositor.c:691
#13 0x000055555561affd in Draw_Window (wingob=0x5555559407ec, gob=0x5555559407ec) at ../src/os/host-view.c:225
#14 0x000055555561b1a3 in Show_Gob (gob=0x5555559407ec) at ../src/os/host-view.c:288
#15 0x000055555561b5ed in RXD_Graphics (cmd=5, frm=0x7fffffffd190, data=0x0) at ../src/os/host-view.c:338
#16 0x000055555558b01a in Do_Command (value=0x7ffff6209110) at ../src/core/f-extension.c:456
#17 0x0000555555570768 in Do_Next (block=0x7ffff61d5c00, index=9, op=0) at ../src/core/c-do.c:886
#18 0x0000555555570e42 in Do_Blk (block=0x7ffff61d5c00, index=7) at ../src/core/c-do.c:1017
#19 0x00005555555790f4 in Do_Function (func=0x7ffff6209070) at ../src/core/c-function.c:415
#20 0x0000555555570768 in Do_Next (block=0x7ffff61d9a60, index=3, op=0) at ../src/core/c-do.c:886
#21 0x0000555555570587 in Do_Next (block=0x7ffff61d9a60, index=0, op=0) at ../src/core/c-do.c:860
#22 0x0000555555570e42 in Do_Blk (block=0x7ffff61d9a60, index=0) at ../src/core/c-do.c:1017
#23 0x00005555555a1bc3 in N_while (ds=0x7ffff6209010) at ../src/core/n-loop.c:690
#24 0x0000555555578bdd in Do_Native (func=0x7ffff6208fb0) at ../src/core/c-function.c:289
#25 0x0000555555570768 in Do_Next (block=0x7ffff61d9aa0, index=5, op=0) at ../src/core/c-do.c:886
#26 0x0000555555570e42 in Do_Blk (block=0x7ffff61d9aa0, index=2) at ../src/core/c-do.c:1017
#27 0x00005555555790f4 in Do_Function (func=0x7ffff6208ed0) at ../src/core/c-function.c:415
#28 0x0000555555572734 in Apply_Function (wblk=0x7ffff61d9aa0, widx=0, func=0x7ffff6208ed0, args=0x7fffffffd530) at ../src/core/c-do.c:1528
#29 0x0000555555572883 in Apply_Func (where=0x7ffff61d9aa0, func=0x555555844da0) at ../src/core/c-do.c:1555
#30 0x000055555559e5d2 in N_wake_up (ds=0x7ffff6208db0) at ../src/core/n-io.c:415
#31 0x0000555555578bdd in Do_Native (func=0x7ffff6208e10) at ../src/core/c-function.c:289
#32 0x0000555555570768 in Do_Next (block=0x7ffff7fbf1e0, index=6, op=0) at ../src/core/c-do.c:886
#33 0x000055555556fbe8 in Do_Args (func_offset=105, path=0x0, block=0x7ffff7fbf1e0, index=3) at ../src/core/c-do.c:668
#34 0x00005555555706ba in Do_Next (block=0x7ffff7fbf1e0, index=2, op=0) at ../src/core/c-do.c:879
#35 0x0000555555570e42 in Do_Blk (block=0x7ffff7fbf1e0, index=2) at ../src/core/c-do.c:1017
#36 0x000055555559b221 in N_either (ds=0x7ffff6208bd0) at ../src/core/n-control.c:596
#37 0x0000555555578bdd in Do_Native (func=0x7ffff6208c30) at ../src/core/c-function.c:289
#38 0x0000555555570768 in Do_Next (block=0x7ffff7fbf220, index=15, op=0) at ../src/core/c-do.c:886
#39 0x0000555555570e42 in Do_Blk (block=0x7ffff7fbf220, index=10) at ../src/core/c-do.c:1017
#40 0x00005555555a1bc3 in N_while (ds=0x7ffff6208bd0) at ../src/core/n-loop.c:690
#41 0x0000555555578bdd in Do_Native (func=0x7ffff6208b70) at ../src/core/c-function.c:289
#42 0x0000555555570768 in Do_Next (block=0x7ffff7fbf2e0, index=12, op=0) at ../src/core/c-do.c:886
#43 0x0000555555570e42 in Do_Blk (block=0x7ffff7fbf2e0, index=9) at ../src/core/c-do.c:1017
#44 0x00005555555790f4 in Do_Function (func=0x7ffff62089d0) at ../src/core/c-function.c:415
#45 0x0000555555572734 in Apply_Function (wblk=0x7ffff7fbf2e0, widx=0, func=0x7ffff62089d0, args=0x7fffffffda30) at ../src/core/c-do.c:1528
#46 0x0000555555572883 in Apply_Func (where=0x7ffff7fbf2e0, func=0x555555844140) at ../src/core/c-do.c:1555
#47 0x000055555557979c in Awake_System (ports=0x7ffff61d5640, only=0) at ../src/core/c-port.c:183
#48 0x0000555555579890 in Wait_Ports (ports=0x7ffff61d5640, timeout=4294967295, only=0) at ../src/core/c-port.c:217
#49 0x000055555559e463 in N_wait (ds=0x7ffff6208890) at ../src/core/n-io.c:374
#50 0x0000555555578bdd in Do_Native (func=0x7ffff62088f0) at ../src/core/c-function.c:289
#51 0x0000555555570768 in Do_Next (block=0x7ffff61d9800, index=2, op=0) at ../src/core/c-do.c:886
#52 0x0000555555570e42 in Do_Blk (block=0x7ffff61d9800, index=0) at ../src/core/c-do.c:1017
#53 0x00005555555790f4 in Do_Function (func=0x7ffff6208870) at ../src/core/c-function.c:415
#54 0x0000555555570768 in Do_Next (block=0x7ffff61d92e0, index=1, op=0) at ../src/core/c-do.c:886
#55 0x0000555555570e42 in Do_Blk (block=0x7ffff61d92e0, index=0) at ../src/core/c-do.c:1017
#56 0x000055555559b300 in N_if (ds=0x7ffff6208730) at ../src/core/n-control.c:623
#57 0x0000555555578bdd in Do_Native (func=0x7ffff6208790) at ../src/core/c-function.c:289
#58 0x0000555555570768 in Do_Next (block=0x7ffff61d9300, index=50, op=0) at ../src/core/c-do.c:886
#59 0x0000555555570e42 in Do_Blk (block=0x7ffff61d9300, index=46) at ../src/core/c-do.c:1017
#60 0x00005555555790f4 in Do_Function (func=0x7ffff62085f0) at ../src/core/c-function.c:415
#61 0x0000555555570768 in Do_Next (block=0x7ffff61d60e0, index=28, op=0) at ../src/core/c-do.c:886
#62 0x0000555555570e42 in Do_Blk (block=0x7ffff61d60e0, index=26) at ../src/core/c-do.c:1017
#63 0x000055555559b02d in N_do (ds=0x7ffff6208470) at ../src/core/n-control.c:522
#64 0x0000555555578bdd in Do_Native (func=0x7ffff62084d0) at ../src/core/c-function.c:289
#65 0x0000555555570768 in Do_Next (block=0x7ffff7fc5140, index=6, op=0) at ../src/core/c-do.c:886
#66 0x0000555555570e42 in Do_Blk (block=0x7ffff7fc5140, index=3) at ../src/core/c-do.c:1017
#67 0x000055555559b221 in N_either (ds=0x7ffff6208370) at ../src/core/n-control.c:596
#68 0x0000555555578bdd in Do_Native (func=0x7ffff62083d0) at ../src/core/c-function.c:289
#69 0x0000555555570768 in Do_Next (block=0x7ffff7fc51c0, index=20, op=0) at ../src/core/c-do.c:886
#70 0x0000555555570e42 in Do_Blk (block=0x7ffff7fc51c0, index=11) at ../src/core/c-do.c:1017
#71 0x000055555559b221 in N_either (ds=0x7ffff6208270) at ../src/core/n-control.c:596
#72 0x0000555555578bdd in Do_Native (func=0x7ffff62082d0) at ../src/core/c-function.c:289
#73 0x0000555555570768 in Do_Next (block=0x7ffff7fc5200, index=11, op=0) at ../src/core/c-do.c:886
#74 0x0000555555570e42 in Do_Blk (block=0x7ffff7fc5200, index=5) at ../src/core/c-do.c:1017
#75 0x000055555559b221 in N_either (ds=0x7ffff6208170) at ../src/core/n-control.c:596
#76 0x0000555555578bdd in Do_Native (func=0x7ffff62081d0) at ../src/core/c-function.c:289
#77 0x0000555555570768 in Do_Next (block=0x7ffff7fc5240, index=76, op=0) at ../src/core/c-do.c:886
#78 0x0000555555570e42 in Do_Blk (block=0x7ffff7fc5240, index=71) at ../src/core/c-do.c:1017
#79 0x00005555555790f4 in Do_Function (func=0x7ffff6208090) at ../src/core/c-function.c:415
#80 0x0000555555572734 in Apply_Function (wblk=0x7ffff7fc5240, widx=0, func=0x7ffff6208090, args=0x7fffffffe350) at ../src/core/c-do.c:1528
#81 0x0000555555572a40 in Do_Sys_Func (inum=34) at ../src/core/c-do.c:1588
#82 0x0000555555573f89 in Init_Mezz (reserved=0) at ../src/core/c-do.c:2320
#83 0x000055555556b558 in RL_Start ( bin=0x5555556b63a0 <Reb_Init_Code> "x\234\325=is\334\066\226\373\231\277\002\241kK\322x\350>t\330鉣rdg\354\335\\e{j>t\261RT\223\222\070\352&{H\266e\215\343\377\276\357\302ţ[\262\235\311l\245b\221 \360\360\360\200w\342\001\375\027uV\256o\253\374\362\252Q\257_|\367\363\017\352m\266\270*\312ey\231g\265:\216~*\337E\323\361\344\311hr8;\236\314\306_Gdz\361\070\310W\353\262jԪL7\313L̓&o\226\331L\205\f\343P\275\375\341ͻɣ\261ZWeS.ʥ\252\027W\331*\v\203wYU\347e1S\343G'\217&A\221\254\240Y\263\254\203\030\240\244\331\371\346r\026\024e\221", <incomplete sequence \331>..., len=9009, script=0x0, script_len=0, flags=0) at ../src/core/a-lib.c:193
#84 0x00005555555fb344 in main (argc=2, argv=0x7fffffffe708) at ../src/os/host-main.c:235
(gdb) frame 2
#2 0x0000555555687413 in agg::rich_text::rt_reset (this=0x5555558f7d60) at ../src/agg/agg_truetype_text.cpp:135
135 OS_Free(attr.text);
(gdb) p attr
$1 = {index = 10, name = 0x5555557a8af0 "/usr/share/fonts/TTF/arial.ttf", name_free = false, bold = 0, italic = 0, underline = 1, size = 18, color = {r = 128 '\200', g = 128 '\200', b = 128 '\200', a = 255 '\377'}, offset_x = 2, offset_y = 2, space_x = 0, space_y = 0, shadow_x = 0, shadow_y = 0, shadow_color = {r = 0 '\000', g = 0 '\000', b = 0 '\000', a = 255 '\377'}, shadow_blur = 0, text = 0x5555556c49f8 L"\n\x4f000000\xcf000000", text_free = true, isPara = true, para = {origin_x = 2, origin_y = 2, margin_x = 2, margin_y = 2, indent_x = 0, indent_y = 0, tabs = 40, wrap = 1, scroll_x = 0, scroll_y = 0, align = 19, valign = 23}, asc = 14, desc = 2, char_height = 13}
(gdb) quit
My original problem with the demo crashing on i3wm has been resolved. Now I get the following error.
Manjaro Linux, xfce4 with i3wm,
linux binary r3-view-linux 2014-02-21 16:03 from this repository.