ASAN failure: context_from_object_template
mmastrac commented
This one is quite puzzling. It looks like it might be an instance of rust-lang/rust#121028.
/// Reproducer for the AddressSanitizer stack-buffer-overflow in this issue.
///
/// The ASAN SUMMARY points at `test_api.rs:6879`, which by the per-variable
/// line numbers in the frame table (`object_templ` at 6876, `context` at 6880)
/// is the `object_templ.set(...)` call below. The frame table lists a 4-byte
/// object `attr.i.i` at [2160, 2164) and an 8-byte READ at offset 2167 that
/// underflows the following slot — i.e. something is read wider than the
/// object that was stored there. Whether that is the compiler bug referenced
/// above or a binding-level ABI mismatch is not established by this report.
#[test]
fn context_from_object_template() {
    // Declared first so it is dropped last; presumably coordinates this test
    // with the other parallel tests — see `setup::parallel_test`.
    let _setup_guard = setup::parallel_test();
    let isolate = &mut v8::Isolate::new(Default::default());
    {
        // Inner block: both scopes below are dropped before `isolate`.
        let scope = &mut v8::HandleScope::new(isolate);
        let object_templ = v8::ObjectTemplate::new(scope);
        let function_templ = v8::FunctionTemplate::new(scope, fortytwo_callback);
        let name = v8::String::new(scope, "f").unwrap();
        // ❌❌❌ Fails here --v
        // ASAN reports the stack-buffer-overflow on this call (test_api.rs:6879);
        // both arguments go through `.into()` conversions, and the faulting
        // read overlaps the 4-byte `attr.i.i` object in the frame table.
        object_templ.set(name.into(), function_templ.into());
        let context = v8::Context::new_from_template(scope, object_templ);
        // Shadow the handle scope with a context scope so `eval` runs in `context`.
        let scope = &mut v8::ContextScope::new(scope, context);
        let actual = eval(scope, "f()").unwrap();
        let expected = v8::Integer::new(scope, 42);
        // `fortytwo_callback` is defined elsewhere in this file (not shown here);
        // presumably it makes `f()` evaluate to 42.
        assert!(expected.strict_equals(actual));
    }
}
test context_from_object_template ... =================================================================
==35535==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016f23b837 at pc 0x000101786a68 bp 0x00016f23afb0 sp 0x00016f23afa8
READ of size 8 at 0x00016f23b837 thread T37
#0 0x101786a64 in test_api::context_from_object_template::he40048305f21c36c test_api.rs:6879
#1 0x100f52778 in test_api::context_from_object_template::_$u7b$$u7b$closure$u7d$$u7d$::h1ce138a8af3e90e8 test_api.rs:6871
#2 0x101c364a0 in core::ops::function::FnOnce::call_once::h78e543fb879a6138 function.rs:250
#3 0x101d02a04 in test::__rust_begin_short_backtrace::h6472109df73e5e08+0x18 (test_api-441e187b249b3809:arm64+0x100f3aa04)
#4 0x101d01b90 in test::run_test::_$u7b$$u7b$closure$u7d$$u7d$::h46f0e6082afe4ab7+0x244 (test_api-441e187b249b3809:arm64+0x100f39b90)
#5 0x101cd4244 in std::sys_common::backtrace::__rust_begin_short_backtrace::hc71099ad9d56bf1a+0xa0 (test_api-441e187b249b3809:arm64+0x100f0c244)
#6 0x101cd8954 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h0323615f4ca3d79d+0x88 (test_api-441e187b249b3809:arm64+0x100f10954)
#7 0x10742efb4 in std::sys::pal::unix::thread::Thread::new::thread_start::h49a075a0c44dbc61+0x2c (test_api-441e187b249b3809:arm64+0x106666fb4)
#8 0x10d380bc8 in asan_thread_start(void*)+0x3c (librustc-nightly_rt.asan.dylib:arm64+0x4cbc8)
#9 0x1a3ecbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4)
#10 0xd06f0001a3ec6d9c (<unknown module>)
Address 0x00016f23b837 is located in stack of thread T37 at offset 2167 in frame
#0 0x101781030 in test_api::context_from_object_template::he40048305f21c36c test_api.rs:6871
This frame has 172 object(s):
[32, 80) '_10.i.i.i.i'
[112, 128) '_2.i.i.i.i543'
[144, 152) 'val.i535'
[176, 184) ''
[208, 216) 'self.i536'
[240, 248) 'val.i530'
[272, 280) ''
[304, 312) 'self.i531'
[336, 344) 'val.i525'
[368, 376) ''
[400, 408) 'self.i526'
[432, 440) 'val.i519'
[464, 472) ''
[496, 504) 'self.i520'
[528, 536) 'val.i514'
[560, 568) ''
[592, 600) 'self.i515'
[624, 632) 'val.i469'
[656, 664) ''
[688, 696) 'self.i470'
[720, 728) 'val.i'
[752, 760) ''
[784, 792) 'self.i'
[816, 824) ''
[848, 856) '_0.i11.i332'
[880, 928) '_27.i.i.i336'
[960, 968) '_20.i.i.i338'
[992, 1000) '_16.i.i.i339'
[1024, 1040) '_14.i.i.i340'
[1056, 1058) '_4.i.i.i341'
[1072, 1080) ''
[1104, 1120) ''
[1136, 1176) '_4.i.i349'
[1216, 1224) '_0.i.i350'
[1248, 1256) ''
[1280, 1288) ''
[1312, 1352) '_4.i352'
[1392, 1400) '_3.i353'
[1424, 1432) '_0.i354'
[1456, 1464) '_3.i.i320'
[1488, 1496) '_2.i.i'
[1520, 1528) ''
[1552, 1592) '_3.i315'
[1632, 1640) '_0.i316'
[1664, 1672) ''
[1696, 1704) '_0.i11.i247'
[1728, 1776) '_27.i.i.i251'
[1808, 1816) '_20.i.i.i253'
[1840, 1848) '_16.i.i.i254'
[1872, 1888) '_14.i.i.i255'
[1904, 1906) '_4.i.i.i256'
[1920, 1928) ''
[1952, 1968) ''
[1984, 1992) '_0.i.i264'
[2016, 2024) ''
[2048, 2056) ''
[2080, 2088) '_2.i266'
[2112, 2120) '_0.i267'
[2144, 2148) ''
[2160, 2164) 'attr.i.i'
[2176, 2184) '' <== Memory access at offset 2167 underflows this variable
[2208, 2216) 'value.i.i'
[2240, 2248) ''
[2272, 2280) 'key.i.i'
[2304, 2308) ''
[2320, 2328) ''
[2352, 2360) ''
[2384, 2392) ''
[2416, 2424) 'value.i240'
[2448, 2456) ''
[2480, 2488) 'key.i'
[2512, 2520) ''
[2544, 2552) '_0.i11.i103'
[2576, 2624) '_27.i.i.i107'
[2656, 2664) '_20.i.i.i109'
[2688, 2696) '_16.i.i.i110'
[2720, 2736) '_14.i.i.i111'
[2752, 2754) '_4.i.i.i112'
[2768, 2776) ''
[2800, 2816) ''
[2832, 2840) '_0.i.i121'
[2864, 2872) ''
[2896, 2904) ''
[2928, 2936) '_3.i124'
[2960, 2968) '_0.i125'
[2992, 3000) ''
[3024, 3032) 'templ.i'
[3056, 3064) ''
[3088, 3096) '_0.i11.i36'
[3120, 3168) '_27.i.i.i40'
[3200, 3208) '_20.i.i.i42'
[3232, 3240) '_16.i.i.i43'
[3264, 3280) '_14.i.i.i44'
[3296, 3298) '_4.i.i.i45'
[3312, 3320) ''
[3344, 3360) ''
[3376, 3384) '_0.i.i53'
[3408, 3416) ''
[3440, 3448) ''
[3472, 3480) '_2.i'
[3504, 3512) '_0.i55'
[3536, 3544) ''
[3568, 3576) '_0.i11.i.i'
[3600, 3648) '_27.i.i.i.i'
[3680, 3688) '_20.i.i.i.i'
[3712, 3720) '_16.i.i.i.i'
[3744, 3760) '_14.i.i.i.i'
[3776, 3778) '_4.i.i.i.i'
[3792, 3800) ''
[3824, 3840) ''
[3856, 3888) '_4.i.i.i10'
[3920, 3928) '_0.i.i.i11'
[3952, 3960) ''
[3984, 3992) ''
[4016, 4024) ''
[4048, 4064) 'buffer.dbg.spill.i.i'
[4080, 4112) '_13.i.i'
[4144, 4152) '_7.i.i13'
[4176, 4180) 'buffer_len.i.i'
[4192, 4200) '_5.i.i14'
[4224, 4232) '_0.i.i15'
[4256, 4264) ''
[4288, 4304) 'value.dbg.spill.i'
[4320, 4328) '_0.i18'
[4352, 4360) ''
[4384, 4392) '_0.i11.i'
[4416, 4464) '_27.i.i.i'
[4496, 4504) '_20.i.i.i'
[4528, 4536) '_16.i.i.i'
[4560, 4576) '_14.i.i.i'
[4592, 4594) '_4.i.i.i'
[4608, 4616) ''
[4640, 4656) ''
[4672, 4680) '_0.i.i'
[4704, 4712) ''
[4736, 4744) ''
[4768, 4776) '_3.i'
[4800, 4808) '_0.i'
[4832, 4836) 'value.i'
[4848, 4856) ''
[4880, 4888) 'that.i'
[4912, 4920) '' (line 6884)
[4944, 4952) '' (line 6883)
[4976, 4984) '' (line 6882)
[5008, 5016) '' (line 6882)
[5040, 5048) '' (line 6881)
[5072, 5080) '' (line 6880)
[5104, 5112) '' (line 6879)
[5136, 5144) '' (line 6879)
[5168, 5176) '' (line 6879)
[5200, 5208) '' (line 6879)
[5232, 5240) '' (line 6878)
[5264, 5272) '' (line 6878)
[5296, 5304) '' (line 6877)
[5328, 5336) '' (line 6876)
[5360, 5376) '' (line 6871)
[5392, 5400) 'expected' (line 6883)
[5424, 5432) '_23' (line 6882)
[5456, 5464) 'actual'
[5488, 5496) '_21' (line 6881)
[5520, 5528) '_19' (line 6880)
[5552, 5560) 'context'
[5584, 5592) '_17' (line 6879)
[5616, 5624) '_16' (line 6879)
[5648, 5656) '_10' (line 6878)
[5680, 5688) 'name'
[5712, 5720) 'function_templ'
[5744, 5752) 'object_templ' (line 6876)
[5776, 5784) '_6' (line 6875)
[5808, 6040) '_4' (line 6873)
[6112, 6120) '_3' (line 6873)
[6144, 6160) '_setup_guard' (line 6872)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
Thread T37 created by T0 here:
#0 0x10d37b810 in pthread_create+0x58 (librustc-nightly_rt.asan.dylib:arm64+0x47810)
#1 0x10742ee10 in std::sys::pal::unix::thread::Thread::new::hc9dc7907eae2fdbd+0xd0 (test_api-441e187b249b3809:arm64+0x106666e10)
#2 0x101d007a8 in test::run_test::ha64c67454a60e5ad+0xa80 (test_api-441e187b249b3809:arm64+0x100f387a8)
#3 0x101ce61e0 in test::console::run_tests_console::h288f7f6a8260c3e8+0xdf8 (test_api-441e187b249b3809:arm64+0x100f1e1e0)
#4 0x101cfd874 in test::test_main::h4faabcd3f69d31be+0x150 (test_api-441e187b249b3809:arm64+0x100f35874)
#5 0x101cfe52c in test::test_main_static::hbf74dfb2a1e59690+0x54 (test_api-441e187b249b3809:arm64+0x100f3652c)
#6 0x101b142e0 in test_api::main::h632e07c5c3e8aee0 test_api.rs:1
#7 0x101c22138 in core::ops::function::FnOnce::call_once::h121599985c4da522 function.rs:250
#8 0x101b95a30 in std::sys_common::backtrace::__rust_begin_short_backtrace::hd27fc02c94ee71f9 backtrace.rs:155
#9 0x100dce90c in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h2c95b575623b29eb rt.rs:166
#10 0x10742284c in std::rt::lang_start_internal::h4fa8f964dc24ef50+0x28c (test_api-441e187b249b3809:arm64+0x10665a84c)
#11 0x100dce728 in std::rt::lang_start::h012e916eee18d860 rt.rs:165
#12 0x101b1430c in main+0x20 (test_api-441e187b249b3809:arm64+0x100d4c30c)
#13 0x1a3b73f24 (<unknown module>)
#14 0x5844fffffffffffc (<unknown module>)
SUMMARY: AddressSanitizer: stack-buffer-overflow test_api.rs:6879 in test_api::context_from_object_template::he40048305f21c36c
Shadow bytes around the buggy address:
0x00016f23b580: f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f8 f8 f8 f8 f2
0x00016f23b600: f2 f2 f2 f2 00 f2 f2 f2 f8 f2 f2 f2 00 f2 f2 f2
0x00016f23b680: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
0x00016f23b700: f2 f2 f8 f8 f2 f2 f8 f2 f8 f2 f2 f2 f8 f8 f2 f2
0x00016f23b780: 00 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
=>0x00016f23b800: 00 f2 f2 f2 f8 f2[04]f2 f8 f2 f2 f2 00 f2 f2 f2
0x00016f23b880: f8 f2 f2 f2 00 f2 f2 f2 04 f2 00 f2 f2 f2 00 f2
0x00016f23b900: f2 f2 f8 f2 f2 f2 00 f2 f2 f2 f8 f2 f2 f2 00 f2
0x00016f23b980: f2 f2 f8 f2 f2 f2 00 f2 f2 f2 f8 f8 f8 f8 f8 f8
0x00016f23ba00: f2 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f8 f2 f2
0x00016f23ba80: f8 f2 f8 f2 f2 f2 f8 f8 f2 f2 00 f2 f2 f2 f8 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==35535==ABORTING
error: test failed, to rerun pass `--test test_api`
littledivy commented
Maybe related? #1371
mmastrac commented
@littledivy Oh huh... that actually might be related to a problem I saw in deno_core when running w/ASAN