ASAN failure: context_from_object_template #1450

Open
mmastrac opened this issue Apr 10, 2024 · 2 comments

mmastrac commented Apr 10, 2024

This one is quite puzzling. It looks like it might be rust-lang/rust#121028

/// Reproducer for the AddressSanitizer stack-buffer-overflow reported in this
/// issue.
///
/// Builds an `ObjectTemplate` with a single function property `f` (backed by
/// `fortytwo_callback`, not shown here), creates a context from that template,
/// and checks that evaluating `f()` in it yields the integer `42`.
///
/// Under ASAN the `object_templ.set(...)` call below is reported as an 8-byte
/// READ just before a stack slot of the inlined `set` path (see the report in
/// this issue). This test contains no `unsafe` of its own, so the read
/// presumably originates in the binding / FFI layer or the compiler rather
/// than in the test body — TODO confirm once the root cause is known.
#[test]
fn context_from_object_template() {
  // Guard returned by the shared test setup; it lives until the end of the
  // test so its cleanup runs after the isolate below is dropped.
  let _setup_guard = setup::parallel_test();
  let isolate = &mut v8::Isolate::new(Default::default());
  {
    let scope = &mut v8::HandleScope::new(isolate);
    let object_templ = v8::ObjectTemplate::new(scope);
    let function_templ = v8::FunctionTemplate::new(scope, fortytwo_callback);
    // Property name for the function; `unwrap` is acceptable here because a
    // one-character ASCII string cannot fail to allocate in a test.
    let name = v8::String::new(scope, "f").unwrap();
    // ❌❌❌ Fails here --v  (ASAN: stack-buffer-overflow, READ of size 8)
    object_templ.set(name.into(), function_templ.into());
    let context = v8::Context::new_from_template(scope, object_templ);
    // Re-bind `scope` to a ContextScope so `eval` runs inside `context`.
    let scope = &mut v8::ContextScope::new(scope, context);
    let actual = eval(scope, "f()").unwrap();
    let expected = v8::Integer::new(scope, 42);
    assert!(expected.strict_equals(actual));
  }
}
test context_from_object_template ... =================================================================
==35535==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016f23b837 at pc 0x000101786a68 bp 0x00016f23afb0 sp 0x00016f23afa8
READ of size 8 at 0x00016f23b837 thread T37
    #0 0x101786a64 in test_api::context_from_object_template::he40048305f21c36c test_api.rs:6879
    #1 0x100f52778 in test_api::context_from_object_template::_$u7b$$u7b$closure$u7d$$u7d$::h1ce138a8af3e90e8 test_api.rs:6871
    #2 0x101c364a0 in core::ops::function::FnOnce::call_once::h78e543fb879a6138 function.rs:250
    #3 0x101d02a04 in test::__rust_begin_short_backtrace::h6472109df73e5e08+0x18 (test_api-441e187b249b3809:arm64+0x100f3aa04)
    #4 0x101d01b90 in test::run_test::_$u7b$$u7b$closure$u7d$$u7d$::h46f0e6082afe4ab7+0x244 (test_api-441e187b249b3809:arm64+0x100f39b90)
    #5 0x101cd4244 in std::sys_common::backtrace::__rust_begin_short_backtrace::hc71099ad9d56bf1a+0xa0 (test_api-441e187b249b3809:arm64+0x100f0c244)
    #6 0x101cd8954 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h0323615f4ca3d79d+0x88 (test_api-441e187b249b3809:arm64+0x100f10954)
    #7 0x10742efb4 in std::sys::pal::unix::thread::Thread::new::thread_start::h49a075a0c44dbc61+0x2c (test_api-441e187b249b3809:arm64+0x106666fb4)
    #8 0x10d380bc8 in asan_thread_start(void*)+0x3c (librustc-nightly_rt.asan.dylib:arm64+0x4cbc8)
    #9 0x1a3ecbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4)
    #10 0xd06f0001a3ec6d9c  (<unknown module>)

Address 0x00016f23b837 is located in stack of thread T37 at offset 2167 in frame
    #0 0x101781030 in test_api::context_from_object_template::he40048305f21c36c test_api.rs:6871

  This frame has 172 object(s):
    [32, 80) '_10.i.i.i.i'
    [112, 128) '_2.i.i.i.i543'
    [144, 152) 'val.i535'
    [176, 184) ''
    [208, 216) 'self.i536'
    [240, 248) 'val.i530'
    [272, 280) ''
    [304, 312) 'self.i531'
    [336, 344) 'val.i525'
    [368, 376) ''
    [400, 408) 'self.i526'
    [432, 440) 'val.i519'
    [464, 472) ''
    [496, 504) 'self.i520'
    [528, 536) 'val.i514'
    [560, 568) ''
    [592, 600) 'self.i515'
    [624, 632) 'val.i469'
    [656, 664) ''
    [688, 696) 'self.i470'
    [720, 728) 'val.i'
    [752, 760) ''
    [784, 792) 'self.i'
    [816, 824) ''
    [848, 856) '_0.i11.i332'
    [880, 928) '_27.i.i.i336'
    [960, 968) '_20.i.i.i338'
    [992, 1000) '_16.i.i.i339'
    [1024, 1040) '_14.i.i.i340'
    [1056, 1058) '_4.i.i.i341'
    [1072, 1080) ''
    [1104, 1120) ''
    [1136, 1176) '_4.i.i349'
    [1216, 1224) '_0.i.i350'
    [1248, 1256) ''
    [1280, 1288) ''
    [1312, 1352) '_4.i352'
    [1392, 1400) '_3.i353'
    [1424, 1432) '_0.i354'
    [1456, 1464) '_3.i.i320'
    [1488, 1496) '_2.i.i'
    [1520, 1528) ''
    [1552, 1592) '_3.i315'
    [1632, 1640) '_0.i316'
    [1664, 1672) ''
    [1696, 1704) '_0.i11.i247'
    [1728, 1776) '_27.i.i.i251'
    [1808, 1816) '_20.i.i.i253'
    [1840, 1848) '_16.i.i.i254'
    [1872, 1888) '_14.i.i.i255'
    [1904, 1906) '_4.i.i.i256'
    [1920, 1928) ''
    [1952, 1968) ''
    [1984, 1992) '_0.i.i264'
    [2016, 2024) ''
    [2048, 2056) ''
    [2080, 2088) '_2.i266'
    [2112, 2120) '_0.i267'
    [2144, 2148) ''
    [2160, 2164) 'attr.i.i'
    [2176, 2184) '' <== Memory access at offset 2167 underflows this variable
    [2208, 2216) 'value.i.i'
    [2240, 2248) ''
    [2272, 2280) 'key.i.i'
    [2304, 2308) ''
    [2320, 2328) ''
    [2352, 2360) ''
    [2384, 2392) ''
    [2416, 2424) 'value.i240'
    [2448, 2456) ''
    [2480, 2488) 'key.i'
    [2512, 2520) ''
    [2544, 2552) '_0.i11.i103'
    [2576, 2624) '_27.i.i.i107'
    [2656, 2664) '_20.i.i.i109'
    [2688, 2696) '_16.i.i.i110'
    [2720, 2736) '_14.i.i.i111'
    [2752, 2754) '_4.i.i.i112'
    [2768, 2776) ''
    [2800, 2816) ''
    [2832, 2840) '_0.i.i121'
    [2864, 2872) ''
    [2896, 2904) ''
    [2928, 2936) '_3.i124'
    [2960, 2968) '_0.i125'
    [2992, 3000) ''
    [3024, 3032) 'templ.i'
    [3056, 3064) ''
    [3088, 3096) '_0.i11.i36'
    [3120, 3168) '_27.i.i.i40'
    [3200, 3208) '_20.i.i.i42'
    [3232, 3240) '_16.i.i.i43'
    [3264, 3280) '_14.i.i.i44'
    [3296, 3298) '_4.i.i.i45'
    [3312, 3320) ''
    [3344, 3360) ''
    [3376, 3384) '_0.i.i53'
    [3408, 3416) ''
    [3440, 3448) ''
    [3472, 3480) '_2.i'
    [3504, 3512) '_0.i55'
    [3536, 3544) ''
    [3568, 3576) '_0.i11.i.i'
    [3600, 3648) '_27.i.i.i.i'
    [3680, 3688) '_20.i.i.i.i'
    [3712, 3720) '_16.i.i.i.i'
    [3744, 3760) '_14.i.i.i.i'
    [3776, 3778) '_4.i.i.i.i'
    [3792, 3800) ''
    [3824, 3840) ''
    [3856, 3888) '_4.i.i.i10'
    [3920, 3928) '_0.i.i.i11'
    [3952, 3960) ''
    [3984, 3992) ''
    [4016, 4024) ''
    [4048, 4064) 'buffer.dbg.spill.i.i'
    [4080, 4112) '_13.i.i'
    [4144, 4152) '_7.i.i13'
    [4176, 4180) 'buffer_len.i.i'
    [4192, 4200) '_5.i.i14'
    [4224, 4232) '_0.i.i15'
    [4256, 4264) ''
    [4288, 4304) 'value.dbg.spill.i'
    [4320, 4328) '_0.i18'
    [4352, 4360) ''
    [4384, 4392) '_0.i11.i'
    [4416, 4464) '_27.i.i.i'
    [4496, 4504) '_20.i.i.i'
    [4528, 4536) '_16.i.i.i'
    [4560, 4576) '_14.i.i.i'
    [4592, 4594) '_4.i.i.i'
    [4608, 4616) ''
    [4640, 4656) ''
    [4672, 4680) '_0.i.i'
    [4704, 4712) ''
    [4736, 4744) ''
    [4768, 4776) '_3.i'
    [4800, 4808) '_0.i'
    [4832, 4836) 'value.i'
    [4848, 4856) ''
    [4880, 4888) 'that.i'
    [4912, 4920) '' (line 6884)
    [4944, 4952) '' (line 6883)
    [4976, 4984) '' (line 6882)
    [5008, 5016) '' (line 6882)
    [5040, 5048) '' (line 6881)
    [5072, 5080) '' (line 6880)
    [5104, 5112) '' (line 6879)
    [5136, 5144) '' (line 6879)
    [5168, 5176) '' (line 6879)
    [5200, 5208) '' (line 6879)
    [5232, 5240) '' (line 6878)
    [5264, 5272) '' (line 6878)
    [5296, 5304) '' (line 6877)
    [5328, 5336) '' (line 6876)
    [5360, 5376) '' (line 6871)
    [5392, 5400) 'expected' (line 6883)
    [5424, 5432) '_23' (line 6882)
    [5456, 5464) 'actual'
    [5488, 5496) '_21' (line 6881)
    [5520, 5528) '_19' (line 6880)
    [5552, 5560) 'context'
    [5584, 5592) '_17' (line 6879)
    [5616, 5624) '_16' (line 6879)
    [5648, 5656) '_10' (line 6878)
    [5680, 5688) 'name'
    [5712, 5720) 'function_templ'
    [5744, 5752) 'object_templ' (line 6876)
    [5776, 5784) '_6' (line 6875)
    [5808, 6040) '_4' (line 6873)
    [6112, 6120) '_3' (line 6873)
    [6144, 6160) '_setup_guard' (line 6872)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T37 created by T0 here:
    #0 0x10d37b810 in pthread_create+0x58 (librustc-nightly_rt.asan.dylib:arm64+0x47810)
    #1 0x10742ee10 in std::sys::pal::unix::thread::Thread::new::hc9dc7907eae2fdbd+0xd0 (test_api-441e187b249b3809:arm64+0x106666e10)
    #2 0x101d007a8 in test::run_test::ha64c67454a60e5ad+0xa80 (test_api-441e187b249b3809:arm64+0x100f387a8)
    #3 0x101ce61e0 in test::console::run_tests_console::h288f7f6a8260c3e8+0xdf8 (test_api-441e187b249b3809:arm64+0x100f1e1e0)
    #4 0x101cfd874 in test::test_main::h4faabcd3f69d31be+0x150 (test_api-441e187b249b3809:arm64+0x100f35874)
    #5 0x101cfe52c in test::test_main_static::hbf74dfb2a1e59690+0x54 (test_api-441e187b249b3809:arm64+0x100f3652c)
    #6 0x101b142e0 in test_api::main::h632e07c5c3e8aee0 test_api.rs:1
    #7 0x101c22138 in core::ops::function::FnOnce::call_once::h121599985c4da522 function.rs:250
    #8 0x101b95a30 in std::sys_common::backtrace::__rust_begin_short_backtrace::hd27fc02c94ee71f9 backtrace.rs:155
    #9 0x100dce90c in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h2c95b575623b29eb rt.rs:166
    #10 0x10742284c in std::rt::lang_start_internal::h4fa8f964dc24ef50+0x28c (test_api-441e187b249b3809:arm64+0x10665a84c)
    #11 0x100dce728 in std::rt::lang_start::h012e916eee18d860 rt.rs:165
    #12 0x101b1430c in main+0x20 (test_api-441e187b249b3809:arm64+0x100d4c30c)
    #13 0x1a3b73f24  (<unknown module>)
    #14 0x5844fffffffffffc  (<unknown module>)

SUMMARY: AddressSanitizer: stack-buffer-overflow test_api.rs:6879 in test_api::context_from_object_template::he40048305f21c36c
Shadow bytes around the buggy address:
  0x00016f23b580: f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f8 f8 f8 f8 f2
  0x00016f23b600: f2 f2 f2 f2 00 f2 f2 f2 f8 f2 f2 f2 00 f2 f2 f2
  0x00016f23b680: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
  0x00016f23b700: f2 f2 f8 f8 f2 f2 f8 f2 f8 f2 f2 f2 f8 f8 f2 f2
  0x00016f23b780: 00 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
=>0x00016f23b800: 00 f2 f2 f2 f8 f2[04]f2 f8 f2 f2 f2 00 f2 f2 f2
  0x00016f23b880: f8 f2 f2 f2 00 f2 f2 f2 04 f2 00 f2 f2 f2 00 f2
  0x00016f23b900: f2 f2 f8 f2 f2 f2 00 f2 f2 f2 f8 f2 f2 f2 00 f2
  0x00016f23b980: f2 f2 f8 f2 f2 f2 00 f2 f2 f2 f8 f8 f8 f8 f8 f8
  0x00016f23ba00: f2 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f8 f2 f2
  0x00016f23ba80: f8 f2 f8 f2 f2 f2 f8 f8 f2 f2 00 f2 f2 f2 f8 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==35535==ABORTING
error: test failed, to rerun pass `--test test_api`
@littledivy

Maybe related? #1371

@mmastrac

@littledivy Oh huh... that actually might be related to a problem I saw in deno_core when running w/ASAN
