
Detected stack-use-after-scope with ASAN in debug mode

Open nyw0102 opened this issue 4 months ago • 0 comments

First of all, I would like to thank you for making this great program. In my usage of kalker version 1.1.0, there is a crash with debug symbols when I build kalker in debug mode. I'll attach a report about this crash, and I hope other people become aware of this issue and no longer have this kind of crash!

Version

1.1.0

Description

There is a stack-use-after-scope detected by ASAN with debug symbols when I build the program in debug mode and execute it.

Current Behavior

ASAN detects a stack-use-after-scope on use of a debug symbol in the object:

WRITE of size 8 at 0x7ffc5ce75f20 thread T0
    #0 0x555b37094569 in core::result::Result$LT$T$C$E$GT$::unwrap_unchecked::h6cfb46921a4f454b /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/raw_vec.rs:247:30
    #1 0x555b37094569 in alloc::raw_vec::RawVec$LT$T$C$A$GT$::current_memory::h87c3fa55ea618e8f /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/raw_vec.rs:247:30
    #2 0x555b3709e938 in _$LT$alloc..raw_vec..RawVec$LT$T$C$A$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hfb3e151993bb6e3c /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/raw_vec.rs:478:38
    #3 0x555b3707cc3a in core::ptr::drop_in_place$LT$alloc..raw_vec..RawVec$LT$u8$GT$$GT$::h951a0905f42e2724 /home/nyw0102/s2fuzz/scripts/rust/library/core/src/ptr/mod.rs:487:1
    #4 0x555b3707bed9 in core::ptr::drop_in_place$LT$alloc..vec..Vec$LT$u8$GT$$GT$::h0009d14b97a609b2 /home/nyw0102/s2fuzz/scripts/rust/library/core/src/ptr/mod.rs:487:1
    #5 0x555b3707ba1a in core::ptr::drop_in_place$LT$alloc..string..String$GT$::h5bbb43acfc9c61a4 /home/nyw0102/s2fuzz/scripts/rust/library/core/src/ptr/mod.rs:487:1
    #6 0x555b36d08c31 in kalk::parser::parse_identifier::hc7bfb11be2bba6d6 /home/nyw0102/FoundBugs/kalker/kalk/src/parser.rs:680:1
    #7 0x555b36cf5ff1 in kalk::parser::parse_primary::h001fbcb149cdd1ed /home/nyw0102/FoundBugs/kalker/kalk/src/parser.rs:512:34
    #8 0x555b36cf3cc0 in kalk::parser::parse_factorial::hb3364b9e23eb4e0a /home/nyw0102/FoundBugs/kalker/kalk/src/parser.rs:498:16
    #9 0x555b36cf033a in kalk::parser::parse_indexer::h9818ea8ad9ce7c6d /home/nyw0102/FoundBugs/kalker/kalk/src/parser.rs:479:16
    #10 0x555b36ced1d2 in kalk::parser::parse_unary::hb354a8a7709e15db /home/nyw0102/FoundBugs/kalker/kalk/src/parser.rs:470:16
    #11 0x555b36cea226 in kalk::parser::parse_exponent::h6ff6ec7c39d004fb /home/nyw0102/FoundBugs/kalker/kalk/src/parser.rs:452:16
    #12 0x555b36ce7e71 in kalk::parser::parse_unit::h966b65330c12a0b9 /home/nyw0102/FoundBugs/kalker/kalk/src/parser.rs:436:16
    #13 0x555b36ce598a in kalk::parser::parse_factor::h94a56e0c2790d530 /home/nyw0102/FoundBugs/kalker/kalk/src/parser.rs:427:21
    #14 0x555b36cde765 in kalk::parser::parse_term::hb0a44c12867f75f5 /home/nyw0102/FoundBugs/kalker/kalk/src/parser.rs:387:21
.
.
.
Address 0x7ffc5ce75f20 is located in stack of thread T0 at offset 64 in frame
    #0 0x555b37093b9f in alloc::raw_vec::RawVec$LT$T$C$A$GT$::current_memory::h87c3fa55ea618e8f /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/raw_vec.rs:240

  This frame has 4 object(s):
    [32, 48) 'layout.dbg.spill'
    [64, 80) 't.dbg.spill' <== Memory access at offset 64 is inside this variable
    [96, 120) '_9' (line 248)
    [160, 176) 'self1' (line 247)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/raw_vec.rs:247:30 in core::result::Result$LT$T$C$E$GT$::unwrap_unchecked::h6cfb46921a4f454b
Shadow bytes around the buggy address:
  0x10000b9c6b90: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f8 f8 f8 f8
  0x10000b9c6ba0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2
  0x10000b9c6bb0: f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10000b9c6bc0: f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
  0x10000b9c6bd0: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f1 f1 f1 f1
=>0x10000b9c6be0: 00 00 f2 f2[f8]f8 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2
  0x10000b9c6bf0: 00 00 f3 f3 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
  0x10000b9c6c00: f8 f2 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
  0x10000b9c6c10: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 00 00 00 00
  0x10000b9c6c20: f1 f1 f1 f1 00 00 f2 f2 00 00 00 f3 f3 f3 f3 f3
  0x10000b9c6c30: 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00

Expected Behavior

Memory safety with no stack-use-after-scope. As far as I know, there is no such crash in the latest version even when I build kalker in debug mode. So I think that when using the latest version of kalker, this kind of bug would not appear.

nyw0102, Oct 17 '24 09:10