From: "m.aldo (Muhammad Aldo Firmansyah)"
Date: 2022-07-15T15:22:55+00:00
Subject: [ruby-core:109218] [Ruby master Bug#18918] Can't compile ruby master with AFL ASAN

Issue #18918 has been reported by m.aldo (Muhammad Aldo Firmansyah).

----------------------------------------
Bug #18918: Can't compile ruby master with AFL ASAN
https://bugs.ruby-lang.org/issues/18918

* Author: m.aldo (Muhammad Aldo Firmansyah)
* Status: Open
* Priority: Normal
* ruby -v: ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
* Backport: 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN
----------------------------------------
On Ubuntu 20.04, I want to compile Ruby on the master branch with AFL's afl-clang-fast, but I got an ASAN error.

```sh
$ ruby -v
$ ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
```

```sh
$ git rev-parse --short HEAD
$ 7424ea184f
```

Here is the error I got when using yjit in `configure`:

```sh
...
...
linking miniruby
afl-clang-fast 2.56b by
generating encdb.h
=================================================================
==101657==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000217d0 at pc 0x555555dde515 bp 0x7fffffffbff0 sp 0x7fffffffbfe8
WRITE of size 8 at 0x6130000217d0 thread T0
SCARINESS: 52 (8-byte-write-heap-use-after-free)
    #0 0x555555dde514 (/home/aldo/ruby/miniruby+0x88a514)
    #1 0x555555d3f411 (/home/aldo/ruby/miniruby+0x7eb411)
    #2 0x555555dba231 (/home/aldo/ruby/miniruby+0x866231)
    #3 0x555556279edb (/home/aldo/ruby/miniruby+0xd25edb)
    #4 0x555555db32db (/home/aldo/ruby/miniruby+0x85f2db)
    #5 0x555555fa7fef (/home/aldo/ruby/miniruby+0xa53fef)
    #6 0x555555a486f4 (/home/aldo/ruby/miniruby+0x4f46f4)
    #7 0x555555f9e628 (/home/aldo/ruby/miniruby+0xa4a628)
    #8 0x555555c085ab (/home/aldo/ruby/miniruby+0x6b45ab)
    #9 0x555555bff657 (/home/aldo/ruby/miniruby+0x6ab657)
    #10 0x555555bfbad5 (/home/aldo/ruby/miniruby+0x6a7ad5)
    #11 0x5555562378b8 (/home/aldo/ruby/miniruby+0xce38b8)
    #12 0x55555621b80e (/home/aldo/ruby/miniruby+0xcc780e)
    #13 0x55555621acde (/home/aldo/ruby/miniruby+0xcc6cde)
    #14 0x555556242f38 (/home/aldo/ruby/miniruby+0xceef38)
    #15 0x5555561c1378 (/home/aldo/ruby/miniruby+0xc6d378)
    #16 0x5555562049e4 (/home/aldo/ruby/miniruby+0xcb09e4)
    #17 0x555555a423e1 (/home/aldo/ruby/miniruby+0x4ee3e1)
    #18 0x555555a41cb5 (/home/aldo/ruby/miniruby+0x4edcb5)
    #19 0x5555557d9fa5 (/home/aldo/ruby/miniruby+0x285fa5)
    #20 0x7ffff7b78082 (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #21 0x555555731f7d (/home/aldo/ruby/miniruby+0x1ddf7d)

0x6130000217d0 is located 16 bytes inside of 336-byte region [0x6130000217c0,0x613000021910)
freed by thread T0 here:
    #0 0x5555557aa43d (/home/aldo/ruby/miniruby+0x25643d)
    #1 0x555555abc166 (/home/aldo/ruby/miniruby+0x568166)

previously allocated by thread T0 here:
    #0 0x5555557aa832 (/home/aldo/ruby/miniruby+0x256832)
    #1 0x555555abb646 (/home/aldo/ruby/miniruby+0x567646)
    #2 0x555555bff657 (/home/aldo/ruby/miniruby+0x6ab657)
    #3 0x555555bfbad5 (/home/aldo/ruby/miniruby+0x6a7ad5)
    #4 0x55555621b80e (/home/aldo/ruby/miniruby+0xcc780e)
    #5 0x55555621acde (/home/aldo/ruby/miniruby+0xcc6cde)
    #6 0x555556242f38 (/home/aldo/ruby/miniruby+0xceef38)
    #7 0x5555561c1378 (/home/aldo/ruby/miniruby+0xc6d378)
    #8 0x5555562049e4 (/home/aldo/ruby/miniruby+0xcb09e4)
    #9 0x555555a423e1 (/home/aldo/ruby/miniruby+0x4ee3e1)
    #10 0x555555a41cb5 (/home/aldo/ruby/miniruby+0x4edcb5)
    #11 0x5555557d9fa5 (/home/aldo/ruby/miniruby+0x285fa5)
    #12 0x7ffff7b78082 (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/aldo/ruby/miniruby+0x88a514)
Shadow bytes around the buggy address:
  0x0c267fffc2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fffc2b0: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fffc2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fffc2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fffc2e0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
=>0x0c267fffc2f0: fa fa fa fa fa fa fa fa fd fd[fd]fd fd fd fd fd
  0x0c267fffc300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fffc310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fffc320: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fffc330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fffc340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==101657==ABORTING
make: *** [uncommon.mk:1132: encdb.h] Aborted
make: *** Waiting for unfinished jobs....
/bin/sh ./tool/ifchange "--timestamp=.rbconfig.time" rbconfig.rb rbconfig.tmp
rbconfig.rb updated
```

And here is the error I got when not using yjit in `configure`:

```sh
...
...
./revision.h unchanged
linking miniruby
afl-clang-fast 2.56b by
generating encdb.h
=================================================================
==124261==ERROR: AddressSanitizer: use-after-poison on address 0x7ffff40a0068 at pc 0x555555ff7ab5 bp 0x7fffffffb5e0 sp 0x7fffffffb5d8
READ of size 8 at 0x7ffff40a0068 thread T0
SCARINESS: 33 (8-byte-read-use-after-poison)
    #0 0x555555ff7ab4 (/home/aldo/ruby/miniruby+0xaa3ab4)
    #1 0x555555e7bdce (/home/aldo/ruby/miniruby+0x927dce)
    #2 0x555555e63436 (/home/aldo/ruby/miniruby+0x90f436)
    #3 0x555555e65f3c (/home/aldo/ruby/miniruby+0x911f3c)
    #4 0x555555d86fd4 (/home/aldo/ruby/miniruby+0x832fd4)
    #5 0x555555ce6c8f (/home/aldo/ruby/miniruby+0x792c8f)
    #6 0x555555d4b151 (/home/aldo/ruby/miniruby+0x7f7151)
    #7 0x55555620a81b (/home/aldo/ruby/miniruby+0xcb681b)
    #8 0x555555d441fb (/home/aldo/ruby/miniruby+0x7f01fb)
    #9 0x555555f38b14 (/home/aldo/ruby/miniruby+0x9e4b14)
    #10 0x5555559d9754 (/home/aldo/ruby/miniruby+0x485754)
    #11 0x555555f2f568 (/home/aldo/ruby/miniruby+0x9db568)
    #12 0x555555b995bb (/home/aldo/ruby/miniruby+0x6455bb)
    #13 0x555555b9066a (/home/aldo/ruby/miniruby+0x63c66a)
    #14 0x555555b8cae5 (/home/aldo/ruby/miniruby+0x638ae5)
    #15 0x5555561c81f8 (/home/aldo/ruby/miniruby+0xc741f8)
    #16 0x5555561d3878 (/home/aldo/ruby/miniruby+0xc7f878)
    #17 0x555556151d28 (/home/aldo/ruby/miniruby+0xbfdd28)
    #18 0x555556195404 (/home/aldo/ruby/miniruby+0xc41404)
    #19 0x555555b9974d (/home/aldo/ruby/miniruby+0x64574d)
    #20 0x555555b9066a (/home/aldo/ruby/miniruby+0x63c66a)
    #21 0x555555b8cae5 (/home/aldo/ruby/miniruby+0x638ae5)
    #22 0x5555561c81f8 (/home/aldo/ruby/miniruby+0xc741f8)
    #23 0x5555561ac14e (/home/aldo/ruby/miniruby+0xc5814e)
    #24 0x5555561ab61e (/home/aldo/ruby/miniruby+0xc5761e)
    #25 0x5555561d3878 (/home/aldo/ruby/miniruby+0xc7f878)
    #26 0x555556151d28 (/home/aldo/ruby/miniruby+0xbfdd28)
    #27 0x555556195404 (/home/aldo/ruby/miniruby+0xc41404)
    #28 0x5555559d3451 (/home/aldo/ruby/miniruby+0x47f451)
    #29 0x5555559d2d25 (/home/aldo/ruby/miniruby+0x47ed25)
    #30 0x55555576ae25 (/home/aldo/ruby/miniruby+0x216e25)
    #31 0x7ffff7b78082 (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #32 0x5555556c2dfd (/home/aldo/ruby/miniruby+0x16edfd)

Address 0x7ffff40a0068 is a wild pointer.
SUMMARY: AddressSanitizer: use-after-poison (/home/aldo/ruby/miniruby+0xaa3ab4)
Shadow bytes around the buggy address:
  0x10007e80bfb0: 00 00 00 f7 00 00 00 00 f7 00 00 00 00 f7 00 00
  0x10007e80bfc0: 00 00 f7 00 00 00 00 f7 00 00 00 00 f7 00 00 00
  0x10007e80bfd0: 00 f7 00 00 00 00 f7 00 00 00 00 f7 00 00 00 00
  0x10007e80bfe0: f7 00 00 00 00 f7 00 00 00 00 f7 00 00 00 00 f7
  0x10007e80bff0: 00 00 00 00 f7 00 00 00 00 f7 00 00 00 00 00 00
=>0x10007e80c000: 00 00 00 f7 00 00 00 00 f7 00 00 00 00[f7]00 00
  0x10007e80c010: 00 00 f7 00 00 00 00 f7 00 00 00 00 f7 00 00 00
  0x10007e80c020: 00 f7 00 00 00 00 f7 00 00 00 00 f7 00 00 00 00
  0x10007e80c030: f7 00 00 00 00 f7 00 00 00 00 f7 00 00 00 00 f7
  0x10007e80c040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00
  0x10007e80c050: 00 00 00 00 00 00 00 00 f7 00 00 00 00 f7 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==124261==ABORTING
make: *** [uncommon.mk:1132: encdb.h] Aborted
make: *** Waiting for unfinished jobs....
/bin/sh ./tool/ifchange "--timestamp=.rbconfig.time" rbconfig.rb rbconfig.tmp
rbconfig.rb updated
```

--
https://bugs.ruby-lang.org/
Unsubscribe:
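The stack frames in both reports are unsymbolized (`module+offset` only), which makes the use-after-free and use-after-poison hard to triage. The helper below is an added example, not part of the bug report or of Ruby's tooling: it extracts each frame's module and offset from an ASAN report and resolves them with `addr2line` against the same `miniruby` binary. The three sample frames are copied from the first trace; the binary path is the reporter's.

```sh
#!/bin/sh
# Added example: symbolize raw "module+offset" frames from an AddressSanitizer
# report after the fact. ASAN falls back to these raw offsets when it cannot
# find a symbolizer; exporting ASAN_SYMBOLIZER_PATH=$(command -v llvm-symbolizer)
# before running miniruby makes ASAN print function names and lines directly.

# Constructed sample input: three frames copied from the report's first trace.
SAMPLE_REPORT='    #0 0x555555dde514 (/home/aldo/ruby/miniruby+0x88a514)
    #1 0x555555d3f411 (/home/aldo/ruby/miniruby+0x7eb411)
    #20 0x7ffff7b78082 (/lib/x86_64-linux-gnu/libc.so.6+0x24082)'

# asan_frames: read an ASAN report on stdin and print one
# "<frame-number> <module-path> <offset>" line per stack frame.
asan_frames() {
    sed -n 's/^ *#\([0-9][0-9]*\) 0x[0-9a-f]* (\([^+]*\)+\(0x[0-9a-f]*\)).*/\1 \2 \3/p'
}

# symbolize: resolve each frame with addr2line when the module is readable on
# this machine; otherwise print the exact addr2line invocation to run on the
# build host, so the report can be symbolized where the binary lives.
symbolize() {
    asan_frames | while read -r frame module offset; do
        if [ -r "$module" ] && command -v addr2line >/dev/null 2>&1; then
            printf '#%s ' "$frame"
            # -f: function name, -C: demangle, -p: one-line "func at file:line"
            addr2line -e "$module" -f -C -p "$offset" || echo '(unresolved)'
        else
            printf '#%s addr2line -e %s -f -C -p %s\n' "$frame" "$module" "$offset"
        fi
    done
}

printf '%s\n' "$SAMPLE_REPORT" | symbolize
```

Run it as `./symbolize.sh < asan.log` on the machine that built `miniruby`; since ASAN offsets are relative to the module base, the binary must be the same unstripped build that produced the report.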