FFI crashes when scanning pointer field of subtypes of Pointer #36125

sjindel-google · 2019-03-06T13:48:35Z

https://ci.chromium.org/p/dart/builders/ci.sandbox/vm-kernel-asan-linux-release-x64/1859

FAILED: dartk-vm release_x64 standalone_2/ffi/subtype_test
Expected: Pass
Actual: Fail

--- Command "vm" (took 01.000755s):
DART_CONFIGURATION=ReleaseX64 out/ReleaseX64/dart --ignore-unrecognized-flags --packages=/b/s/w/ir/cache/builder/sdk/.packages /b/s/w/ir/cache/builder/sdk/tests/standalone_2/ffi/subtype_test.dart

exit code:
1

stderr:
=================================================================
==26809==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001150 at pc 0x55c46744fb29 bp 0x7fb2d46fd8a0 sp 0x7fb2d46fd898
READ of size 4 at 0x602000001150 thread T8
    #0 0x55c46744fb28 in dart::RawObject::IsMarked() const ../../out/ReleaseX64/../../runtime/vm/raw_object.h:256:47
    #1 0x55c46744fb28 in dart::MarkingVisitorBase<true>::MarkObject(dart::RawObject*) ../../out/ReleaseX64/../../runtime/vm/heap/marker.cc:393
    #2 0x55c46744fb28 in dart::MarkingVisitorBase<true>::VisitPointers(dart::RawObject**, dart::RawObject**) ../../out/ReleaseX64/../../runtime/vm/heap/marker.cc:285
    #3 0x55c467467eac in dart::RawObject::VisitPointers(dart::ObjectPointerVisitor*) ../../out/ReleaseX64/../../runtime/vm/raw_object.h:429:14
    #4 0x55c467467eac in dart::Scavenger::VisitObjectPointers(dart::ObjectPointerVisitor*) const ../../out/ReleaseX64/../../runtime/vm/heap/scavenger.cc:886
    #5 0x55c467449bc7 in dart::GCMarker::IterateRoots(dart::ObjectPointerVisitor*) ../../out/ReleaseX64/../../runtime/vm/heap/marker.cc:556:29
    #6 0x55c46744ff3b in dart::ParallelMarkTask::Run() ../../out/ReleaseX64/../../runtime/vm/heap/marker.cc:650:16
    #7 0x55c466f2a7bf in dart::ThreadPool::Worker::Loop() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:381:11
    #8 0x55c466f2a483 in dart::ThreadPool::Worker::Main(unsigned long) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:436:27
    #9 0x55c466d26c4d in dart::ThreadStart(void*) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:134:5
    #10 0x7fb2dfe7c183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
    #11 0x7fb2df69b03c in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfe03c)

0x602000001150 is located 0 bytes inside of 13-byte region [0x602000001150,0x60200000115d)
freed by thread T2 here:
    #0 0x55c46643bc52 in __interceptor_free /b/s/w/ir/kitchen-workdir/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x55c466907ff3 in dart::DN_HelperFfi_free(dart::Isolate*, dart::Thread*, dart::Zone*, dart::NativeArguments*) ../../out/ReleaseX64/../../runtime/lib/ffi.cc:307:3
    #2 0x55c466907ff3 in dart::BootstrapNatives::DN_Ffi_free(_Dart_NativeArguments*) ../../out/ReleaseX64/../../runtime/lib/ffi.cc:303
    #3 0x7fb2dc88113e  (<unknown module>)
    #4 0x7fb2d8834fed  (<unknown module>)
    #5 0x7fb2d882cb3b  (<unknown module>)
    #6 0x7fb2d882ca0c  (<unknown module>)
    #7 0x7fb2d882c93c  (<unknown module>)
    #8 0x7fb2d882c758  (<unknown module>)
    #9 0x7fb2d882bb14  (<unknown module>)
    #10 0x7fb2d8809a3b  (<unknown module>)
    #11 0x7fb2d882b7f2  (<unknown module>)
    #12 0x7fb2dc88146b  (<unknown module>)
    #13 0x55c4669f1c6f in dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:197:10
    #14 0x55c4669fb25e in dart::DartLibraryCalls::HandleMessage(dart::Object const&, dart::Instance const&) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:691:28
    #15 0x55c466a97cd9 in dart::IsolateMessageHandler::HandleMessage(dart::Message*) ../../out/ReleaseX64/../../runtime/vm/isolate.cc:625:30
    #16 0x55c466b33f5c in dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool) ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:217:28
    #17 0x55c466b358a5 in dart::MessageHandler::TaskCallback() ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:417:20
    #18 0x55c466f2a7bf in dart::ThreadPool::Worker::Loop() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:381:11
    #19 0x55c466f2a483 in dart::ThreadPool::Worker::Main(unsigned long) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:436:27
    #20 0x55c466d26c4d in dart::ThreadStart(void*) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:134:5
    #21 0x7fb2dfe7c183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)

previously allocated by thread T2 here:
    #0 0x55c46643bfd3 in __interceptor_malloc /b/s/w/ir/kitchen-workdir/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x55c466904035 in dart::DN_HelperFfi_allocate(dart::Isolate*, dart::Thread*, dart::Zone*, dart::NativeArguments*) ../../out/ReleaseX64/../../runtime/lib/ffi.cc:234:48
    #2 0x55c466904035 in dart::BootstrapNatives::DN_Ffi_allocate(_Dart_NativeArguments*) ../../out/ReleaseX64/../../runtime/lib/ffi.cc:218
    #3 0x7fb2dc88113e  (<unknown module>)
    #4 0x7fb2d882d19c  (<unknown module>)
    #5 0x7fb2d882cce8  (<unknown module>)
    #6 0x7fb2d882cafc  (<unknown module>)
    #7 0x7fb2d882ca0c  (<unknown module>)
    #8 0x7fb2d882c93c  (<unknown module>)
    #9 0x7fb2d882c758  (<unknown module>)
    #10 0x7fb2d882bb14  (<unknown module>)
    #11 0x7fb2d8809a3b  (<unknown module>)
    #12 0x7fb2d882b7f2  (<unknown module>)
    #13 0x7fb2dc88146b  (<unknown module>)
    #14 0x55c4669f1c6f in dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:197:10
    #15 0x55c4669fb25e in dart::DartLibraryCalls::HandleMessage(dart::Object const&, dart::Instance const&) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:691:28
    #16 0x55c466a97cd9 in dart::IsolateMessageHandler::HandleMessage(dart::Message*) ../../out/ReleaseX64/../../runtime/vm/isolate.cc:625:30
    #17 0x55c466b33f5c in dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool) ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:217:28
    #18 0x55c466b358a5 in dart::MessageHandler::TaskCallback() ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:417:20
    #19 0x55c466f2a7bf in dart::ThreadPool::Worker::Loop() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:381:11
    #20 0x55c466f2a483 in dart::ThreadPool::Worker::Main(unsigned long) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:436:27
    #21 0x55c466d26c4d in dart::ThreadStart(void*) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:134:5
    #22 0x7fb2dfe7c183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)

Thread T8 created by T2 here:
    #0 0x55c466424a8d in __interceptor_pthread_create /b/s/w/ir/kitchen-workdir/llvm-project/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x55c466d269cf in dart::OSThread::Start(char const*, void (*)(unsigned long), unsigned long) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:153:12
    #2 0x55c466f290f3 in dart::ThreadPool::Worker::StartThread() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:338:16
    #3 0x55c466f290f3 in dart::ThreadPool::Run(dart::ThreadPool::Task*) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:69
    #4 0x55c46744adf1 in dart::GCMarker::StartConcurrentMark(dart::PageSpace*, bool) ../../out/ReleaseX64/../../runtime/vm/heap/marker.cc:891:40
    #5 0x55c46745cd50 in dart::PageSpace::CollectGarbageAtSafepoint(bool, bool, long, long) ../../out/ReleaseX64/../../runtime/vm/heap/pages.cc:1123:14
    #6 0x55c46745bd19 in dart::PageSpace::CollectGarbage(bool, bool) ../../out/ReleaseX64/../../runtime/vm/heap/pages.cc:1059:5
    #7 0x55c467445971 in dart::Heap::CheckStartConcurrentMarking(dart::Thread*, dart::Heap::GCReason) ../../out/ReleaseX64/../../runtime/vm/heap/heap.cc:555:18
    #8 0x55c4674561b4 in dart::PageSpace::TryAllocateInFreshPage(long, dart::HeapPage::PageType, dart::PageSpace::GrowthPolicy, bool) ../../out/ReleaseX64/../../runtime/vm/heap/pages.cc:448:16
    #9 0x55c46743fe26 in dart::PageSpace::TryAllocate(long, dart::HeapPage::PageType, dart::PageSpace::GrowthPolicy) ../../out/ReleaseX64/../../runtime/vm/heap/pages.h:259:12
    #10 0x55c46743fe26 in dart::Heap::AllocateOld(long, dart::HeapPage::PageType) ../../out/ReleaseX64/../../runtime/vm/heap/heap.cc:131
    #11 0x55c466b484c1 in dart::Object::Allocate(long, long, dart::Heap::Space) ../../out/ReleaseX64/../../runtime/vm/heap/heap.h
    #12 0x55c466c56466 in dart::ICData::NewDescriptor(dart::Zone*, dart::Function const&, dart::String const&, dart::Array const&, long, long, dart::ICData::RebindRule, dart::AbstractType const&) ../../out/ReleaseX64/../../runtime/vm/object.cc:14014:9
    #13 0x55c466c567f9 in dart::ICData::New(dart::Function const&, dart::String const&, dart::Array const&, long, long, dart::ICData::RebindRule, dart::AbstractType const&) ../../out/ReleaseX64/../../runtime/vm/object.cc:14058:7
    #14 0x55c467068eba in dart::FlowGraphCompiler::GetOrAddStaticCallICData(long, dart::Function const&, dart::Array const&, long, dart::ICData::RebindRule) ../../out/ReleaseX64/../../runtime/vm/compiler/backend/flow_graph_compiler.cc:1795:7
    #15 0x55c467068925 in dart::FlowGraphCompiler::GenerateStaticCall(long, dart::TokenPosition, dart::Function const&, dart::ArgumentsInfo, dart::LocationSummary*, dart::ICData const&, dart::ICData::RebindRule, dart::CodeEntryKind) ../../out/ReleaseX64/../../runtime/vm/compiler/backend/flow_graph_compiler.cc:1343:11
    #16 0x55c4670ebc19 in dart::StringInterpolateInstr::EmitNativeCode(dart::FlowGraphCompiler*) ../../out/ReleaseX64/../../runtime/vm/compiler/backend/il_x64.cc:953:13
    #17 0x55c46705e9b8 in dart::FlowGraphCompiler::VisitBlocks() ../../out/ReleaseX64/../../runtime/vm/compiler/backend/flow_graph_compiler.cc:584:16
    #18 0x55c46707adc8 in dart::FlowGraphCompiler::CompileGraph() ../../out/ReleaseX64/../../runtime/vm/compiler/backend/flow_graph_compiler_x64.cc:932:3
    #19 0x55c4673bed03 in dart::CompileParsedFunctionHelper::Compile(dart::CompilationPipeline*) ../../out/ReleaseX64/../../runtime/vm/compiler/jit/compiler.cc:678:24
    #20 0x55c4673c161f in dart::CompileFunctionHelper(dart::CompilationPipeline*, dart::Function const&, bool, long) ../../out/ReleaseX64/../../runtime/vm/compiler/jit/compiler.cc:812:46
    #21 0x55c4673c06c9 in dart::Compiler::CompileFunction(dart::Thread*, dart::Function const&) ../../out/ReleaseX64/../../runtime/vm/compiler/jit/compiler.cc:989:10
    #22 0x55c4673ba0e9 in dart::DRT_HelperCompileFunction(dart::Isolate*, dart::Thread*, dart::Zone*, dart::NativeArguments) ../../out/ReleaseX64/../../runtime/vm/compiler/jit/compiler.cc:254:12
    #23 0x55c4673ba0e9 in dart::DRT_CompileFunction(dart::NativeArguments) ../../out/ReleaseX64/../../runtime/vm/compiler/jit/compiler.cc:230
    #24 0x7fb2dc880fa7  (<unknown module>)
    #25 0x7fb2dc881023  (<unknown module>)
    #26 0x7fb2d882cb29  (<unknown module>)
    #27 0x7fb2d882ca0c  (<unknown module>)
    #28 0x7fb2d882c93c  (<unknown module>)
    #29 0x7fb2d882c758  (<unknown module>)
    #30 0x7fb2d882bb14  (<unknown module>)
    #31 0x7fb2d8809a3b  (<unknown module>)
    #32 0x7fb2d882b7f2  (<unknown module>)
    #33 0x7fb2dc88146b  (<unknown module>)
    #34 0x55c4669f1c6f in dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:197:10
    #35 0x55c4669fb25e in dart::DartLibraryCalls::HandleMessage(dart::Object const&, dart::Instance const&) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:691:28
    #36 0x55c466a97cd9 in dart::IsolateMessageHandler::HandleMessage(dart::Message*) ../../out/ReleaseX64/../../runtime/vm/isolate.cc:625:30
    #37 0x55c466b33f5c in dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool) ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:217:28
    #38 0x55c466b358a5 in dart::MessageHandler::TaskCallback() ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:417:20
    #39 0x55c466f2a7bf in dart::ThreadPool::Worker::Loop() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:381:11
    #40 0x55c466f2a483 in dart::ThreadPool::Worker::Main(unsigned long) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:436:27
    #41 0x55c466d26c4d in dart::ThreadStart(void*) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:134:5
    #42 0x7fb2dfe7c183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)

Thread T2 created by T0 here:
    #0 0x55c466424a8d in __interceptor_pthread_create /b/s/w/ir/kitchen-workdir/llvm-project/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x55c466d269cf in dart::OSThread::Start(char const*, void (*)(unsigned long), unsigned long) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:153:12
    #2 0x55c466f290f3 in dart::ThreadPool::Worker::StartThread() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:338:16
    #3 0x55c466f290f3 in dart::ThreadPool::Run(dart::ThreadPool::Task*) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:69
    #4 0x55c4669da952 in dart::Dart::Init(unsigned char const*, unsigned char const*, _Dart_Isolate* (*)(char const*, char const*, char const*, char const*, Dart_IsolateFlags*, void*, char**), void (*)(void*), void (*)(void*), void (*)(), void* (*)(char const*, bool), void (*)(unsigned char**, long*, void*), void (*)(void const*, long, void*), void (*)(void*), bool (*)(unsigned char*, long), _Dart_Handle* (*)(), bool) ../../out/ReleaseX64/../../runtime/vm/dart.cc:355:5
    #5 0x55c4674abf04 in Dart_Initialize ../../out/ReleaseX64/../../runtime/vm/dart_api_impl.cc:1011:10
    #6 0x55c46646b3c5 in dart::bin::main(int, char**) ../../out/ReleaseX64/../../runtime/bin/main.cc:1147:11
    #7 0x55c46646cf3a in main ../../out/ReleaseX64/../../runtime/bin/main.cc:1199:3
    #8 0x7fb2df5bef44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-use-after-free ../../out/ReleaseX64/../../runtime/vm/raw_object.h:256:47 in dart::RawObject::IsMarked() const
Shadow bytes around the buggy address:
  0x0c047fff81d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fff81e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fff81f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fff8200: fa fa 00 03 fa fa fd fd fa fa 00 00 fa fa 00 00
  0x0c047fff8210: fa fa 00 03 fa fa fd fa fa fa 00 00 fa fa fd fd
=>0x0c047fff8220: fa fa 00 00 fa fa fd fa fa fa[fd]fd fa fa 00 00
  0x0c047fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==26809==ABORTING

--- Re-run this test:
python tools/test.py -n dartk-asan-linux-release-x64 standalone_2/ffi/subtype_test

@dcharkes @mraleph

The text was updated successfully, but these errors were encountered:

sjindel-google · 2019-03-06T13:53:37Z

This can be reproduced reliably with the following modification to the test:

dynamic foo;

void testAllocate() {
  CString cs = CString.toUtf8("hello world!");
  Expect.equals("hello world!", cs.fromUtf8());
  cs.free();
  foo = "";
  for (int i = 0; i < 100000; ++i) {
    foo = 0x8fffffff00000000;
  }
}

sjindel-google · 2019-03-06T14:18:28Z

The problem is that the VISIT_FROM/VISIT_TO annotations in RawPointer aren't respected because the virtual VisitPointers is only used for predefined classes. Since the cid is for CString, not Pointer, it gets scanned like any regular object.

sjindel-google added type-bug Incorrect behavior (everything from a crash to more subtle misbehavior) crash Process exits with SIGSEGV, SIGABRT, etc. An unhandled exception is not a crash. labels Mar 6, 2019

sjindel-google added this to the Dart VM FFI 1.0 milestone Mar 6, 2019

sjindel-google changed the title ~~Flaky failure of ffi/subtype_test on dartk-asan-linux-release-x64~~ FFI crashes when scanning pointer field of subtypes of Pointer Mar 6, 2019

sjindel-google added the P2 A bug or feature request we're likely to work on label Mar 6, 2019

sjindel-google self-assigned this Mar 6, 2019

a-siva added the area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. label Mar 7, 2019

dart-bot closed this as completed in bdb07f4 Mar 7, 2019

sjindel-google mentioned this issue Mar 12, 2019

dart:ffi function_stress_test on Windows 64 #36138

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FFI crashes when scanning pointer field of subtypes of Pointer #36125

FFI crashes when scanning pointer field of subtypes of Pointer #36125

sjindel-google commented Mar 6, 2019

sjindel-google commented Mar 6, 2019

sjindel-google commented Mar 6, 2019

FFI crashes when scanning pointer field of subtypes of Pointer #36125

FFI crashes when scanning pointer field of subtypes of Pointer #36125

Comments

sjindel-google commented Mar 6, 2019

sjindel-google commented Mar 6, 2019

sjindel-google commented Mar 6, 2019