From: Eric Wong
Date: 2018-02-03T20:50:53+00:00
Subject: [ruby-core:85364] Re: [Ruby trunk Bug#14357] thread_safe tests suite segfaults

v.ondruch@tiscali.cz wrote:
> https://bugs.ruby-lang.org/issues/14357
>
> The thread_safe gem is not maintained anymore, but I don't see
> any reason why its test suite should segfault with Ruby 2.5.

Right, no 3rd-party C exts loaded and I hit this in trunk, too.
Using -fsanitize=address reveals use-after-free in st.c.
Investigating, but maybe Vladimir can find it sooner.

thread_safe-0.3.6/spec/spec_helper.rb:5:in `': [DEPRECATION] ::[] is deprecated. Use ::new instead.

Randomized with seed 18515
......................................................
=================================================================
==18224==ERROR: AddressSanitizer: heap-use-after-free on address 0x6230002112c0 at pc 0x557ae852ae34 bp 0x7fb3c088f5c0 sp 0x7fb3c088f5b8
READ of size 8 at 0x6230002112c0 thread T332 (cache_loops_sp*)
    #0 0x557ae852ae33 in find_table_entry_ind ../st.c:873
    #1 0x557ae852f847 in st_lookup ../st.c:1049
    #2 0x557ae831139e in rb_hash_aref ../hash.c:853
    #3 0x557ae8648e27 in vm_opt_aref ../vm_insnhelper.c:3650
    #4 0x557ae8648e27 in vm_exec_core $SRC/ruby/insns.def:1175
    #5 0x557ae8651696 in vm_exec ../vm.c:1791
    #6 0x557ae8654272 in invoke_block ../vm.c:994
    #7 0x557ae8654272 in invoke_iseq_block_from_c ../vm.c:1046
    #8 0x557ae8669c22 in invoke_block_from_c_bh ../vm.c:1064
    #9 0x557ae8669c22 in vm_yield ../vm.c:1109
    #10 0x557ae8669c22 in rb_yield_0 ../vm_eval.c:970
    #11 0x557ae8669c22 in rb_yield_1 ../vm_eval.c:976
    #12 0x557ae83a0a95 in int_dotimes ../numeric.c:4984
    #13 0x557ae862da57 in vm_call_cfunc_with_frame ../vm_insnhelper.c:1921
    #14 0x557ae862da57 in vm_call_cfunc ../vm_insnhelper.c:1937
    #15 0x557ae8646213 in vm_exec_core $SRC/ruby/insns.def:719
    #16 0x557ae8651696 in vm_exec ../vm.c:1791
    #17 0x557ae8654272 in invoke_block ../vm.c:994
    #18 0x557ae8654272 in invoke_iseq_block_from_c ../vm.c:1046
    #19 0x557ae8658126 in invoke_block_from_c_proc ../vm.c:1139
    #20 0x557ae8658126 in vm_invoke_proc ../vm.c:1157
    #21 0x557ae8658126 in rb_vm_invoke_proc ../vm.c:1178
    #22 0x557ae85a95e3 in thread_do_start ../thread.c:603
    #23 0x557ae85a95e3 in thread_start_func_2 ../thread.c:647
    #24 0x557ae85aa680 in thread_start_func_1 ../thread_pthread.c:872
    #25 0x7fb3d2fb6063 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8063)
    #26 0x7fb3d231662c in clone (/lib/x86_64-linux-gnu/libc.so.6+0xe862c)

0x6230002112c0 is located 2496 bytes inside of 6144-byte region [0x623000210900,0x623000212100)
freed by thread T343 (cache_loops_sp*) here:
    #0 0x7fb3d3222527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x557ae8303f06 in objspace_xfree ../gc.c:7987
    #2 0x557ae8303f06 in ruby_sized_xfree ../gc.c:8082
    #3 0x557ae8303f06 in ruby_xfree ../gc.c:8089

previously allocated by thread T331 (cache_loops_sp*) here:
    #0 0x7fb3d322273f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x557ae82fd573 in objspace_xmalloc0 ../gc.c:7927

Thread T332 (cache_loops_sp*) created by T0 here:
    #0 0x7fb3d31f1bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x557ae859489d in native_thread_create ../thread_pthread.c:1008
    #2 0x557ae859489d in thread_create_core ../thread.c:757
    #3 0x557ae884894c ($SRC/ruby/a/i/bin/ruby+0x63f94c)

Thread T343 (cache_loops_sp*) created by T0 here:
    #0 0x7fb3d31f1bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x557ae859489d in native_thread_create ../thread_pthread.c:1008
    #2 0x557ae859489d in thread_create_core ../thread.c:757
    #3 0x557ae884894c ($SRC/ruby/a/i/bin/ruby+0x63f94c)

Thread T331 (cache_loops_sp*) created by T0 here:
    #0 0x7fb3d31f1bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x557ae859489d in native_thread_create ../thread_pthread.c:1008
    #2 0x557ae859489d in thread_create_core ../thread.c:757
    #3 0x557ae884894c ($SRC/ruby/a/i/bin/ruby+0x63f94c)

SUMMARY: AddressSanitizer: heap-use-after-free ../st.c:873 find_table_entry_ind
Shadow bytes around the buggy address:
  0x0c468003a200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c468003a210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c468003a220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c468003a230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c468003a240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c468003a250: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c468003a260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c468003a270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c468003a280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c468003a290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c468003a2a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==18224==ABORTING
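The backtrace above shows a reader thread inside Integer#times calling Hash#[] (rb_hash_aref -> st_lookup) on a table whose storage another thread has already freed through ruby_xfree. The following stress harness is an added example written for this page, not code from the mailing-list post or from the thread_safe gem; it reproduces that access shape (reader threads hammering Hash#[] while writer threads insert keys, which is what makes st.c grow and reallocate the table). The assumption that the freed region belongs to a concurrently mutated Hash is inferred from the trace, not stated in the report. Running the unsynchronized variant against an ASan-built ruby is one way to check whether an interpreter build is affected; the synchronized variant shows the Mutex-guarded form that is safe regardless of interpreter internals, and returns a summary a test can assert on.

```ruby
# Added example (not from the ruby-core post or the thread_safe gem).
# Stress harness for the pattern seen in the ASan backtrace:
#   Thread -> Integer#times -> Hash#[] while other threads insert keys.
# Assumption: concurrent insertion forces st.c to rebuild/reallocate the
# table while readers are still looking entries up.

# Runs `readers` reader threads and `writers` writer threads against one
# shared Hash. With synchronize: true every access is Mutex-guarded; with
# synchronize: false the Hash is touched without any application-level lock
# (the variant worth running under an AddressSanitizer build of ruby).
# Returns a summary Hash so callers or tests can assert on the outcome.
def hash_stress(readers: 4, writers: 2, reads: 5_000, writes: 1_000, synchronize: true)
  shared = {}
  lock = Mutex.new

  # Wrap an access in the Mutex only when synchronization is requested.
  with_lock = lambda do |&blk|
    synchronize ? lock.synchronize(&blk) : blk.call
  end

  writer_threads = writers.times.map do |w|
    Thread.new do
      writes.times do |i|
        key = "w#{w}-#{i}"
        with_lock.call { shared[key] = i } # inserts trigger table growth in st.c
      end
    end
  end

  reader_threads = readers.times.map do |_r|
    Thread.new do
      local_found = 0
      reads.times do |i|
        # Look up keys the writers are producing, so reads race against
        # inserts and the rehashes they cause.
        key = "w#{i % writers}-#{i % writes}"
        value = with_lock.call { shared[key] }
        local_found += 1 unless value.nil?
      end
      local_found # Thread#value returns this once the thread finishes
    end
  end

  (writer_threads + reader_threads).each(&:join)

  # After all threads are done, every written key must be readable and
  # carry the value its writer stored; anything else means the table was
  # corrupted rather than merely observed mid-update.
  consistent = writers.times.all? do |w|
    writes.times.all? { |i| shared["w#{w}-#{i}"] == i }
  end

  {
    expected: writers * writes,          # keys the writers should have inserted
    size: shared.size,                   # keys actually present afterwards
    reads: readers * reads,              # lookups attempted
    found: reader_threads.sum(&:value),  # lookups that hit an existing key
    consistent: consistent
  }
end

if __FILE__ == $0
  p hash_stress(synchronize: true)
  p hash_stress(synchronize: false)
end
```

On an interpreter whose Hash internals are sound, both variants finish with `size == expected` and `consistent: true`; `found` is only bounded by `reads`, since most lookups race ahead of the writers. On a build with the st.c defect this post reports, the unsynchronized run is the one that can trip AddressSanitizer in find_table_entry_ind, which is why a sanitizer build rather than a plain segfault is the useful way to observe it.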