
free(): double free detected in tcache 2


From: Emanuel Attila Czirai
Subject: free(): double free detected in tcache 2
Date: Mon, 5 Sep 2022 14:53:23 +0200

tl;dr:
$ awk 'function add_flags(old) {
  if (old)
    return 0
  if (!old)
    return 1
}
BEGIN {
  a[0]=add_flags(a[0])
}'
free(): double free detected in tcache 2
Aborted (core dumped)


Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: x86_64-pc-linux-gnu-gcc
Compilation CFLAGS: -march=skylake -mtune=skylake
-mprefer-vector-width=128 -O2 -pipe -frecord-gcc-switches -ggdb
-fvar-tracking-assignments -fno-omit-frame-pointer
-ftrack-macro-expansion=2 -fstack-protector-all -Wno-trigraphs
-fno-schedule-insns2 -fno-delete-null-pointer-checks
-D_FORTIFY_SOURCE=2 -rdynamic -flifetime-dse=1 -DNDEBUG
uname output: Linux i87k 5.18.16-gentoo-x86_64 #1 SMP Mon Aug 8
12:29:48 CEST 2022 x86_64 Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz
GenuineIntel GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Gawk Version: 5.2.0

Attestation:
    I have read https://www.gnu.org/software/gawk/manual/html_node/Bugs.html.
    Yes

Description:
Failing to compile the kernel on Gentoo via genkernel due to

free(): double free detected in tcache 2

eg.

  CALL    /usr/src/linux-5.18.19-gentoo-r1/scripts/atomic/check-atomics.sh
  CALL    /usr/src/linux-5.18.19-gentoo-r1/scripts/checksyscalls.sh
  GEN     /tmp/genkernel.outdir/tools/objtool/arch/x86/lib/inat-tables.c
free(): double free detected in tcache 2
make[5]: *** [arch/x86/Build:9:
/tmp/genkernel.outdir/tools/objtool/arch/x86/lib/inat-tables.c] Error
134
make[5]: *** Deleting file
'/tmp/genkernel.outdir/tools/objtool/arch/x86/lib/inat-tables.c'
make[4]: *** [/usr/src/linux-5.18.19-gentoo-r1/tools/build/Makefile.build:139:
arch/x86] Error 2
make[3]: *** [Makefile:56:
/tmp/genkernel.outdir/tools/objtool/objtool-in.o] Error 2
make[3]: *** Waiting for unfinished jobs....


originally:
$ /var/tmp/portage/sys-apps/gawk-5.2.0/work/gawk-5.2.0/gawk -f
/usr/src/linux-5.18.19-gentoo-r1/arch/x86/tools/gen-insn-attr-x86.awk
/usr/src/linux-5.18.19-gentoo-r1/arch/x86/lib/x86-opcode-map.txt
/* x86 opcode map generated from x86-opcode-map.txt */
/* Do not change this code. */

/* Table: one byte opcode */
free(): double free detected in tcache 2
Aborted (core dumped)

^ thanks to OP of https://bugs.gentoo.org/868567

Repeat-By:
    I've minimized it to this:

$ awk 'function add_flags(old) {
  if (old)
    return 0
  if (!old)
    return 1
}
BEGIN {
  a[0]=add_flags(a[0])
}'
free(): double free detected in tcache 2
Aborted (core dumped)


Fix:
 unknown.
 Some gdb info:

...
executing: 'bt -full -frame-info source-and-location -past-entry on
-entry-values both -frame-arguments all -past-main on'
...
#9  0x000059ea61562f86 in unref (r=<optimized out>) at
/var/tmp/portage/sys-apps/gawk-5.2.0/work/gawk-5.2.0/awk.h:1986
0x59ea61562f86 is in r_interpret
(/var/tmp/portage/sys-apps/gawk-5.2.0/work/gawk-5.2.0/awk.h:1986).
1981    static inline void
1982    unref(NODE *r)
1983    {
1984            assert(r == NULL || r->valref > 0);
1985            if (r != NULL && --r->valref <= 0)
1986                    r_unref(r);  // THIS LINE
1987    }
1988
1989    /* force_number --- force a  node to have a numeric value */
1990
#10 r_interpret (code=<optimized out>) at
/var/tmp/portage/sys-apps/gawk-5.2.0/work/gawk-5.2.0/interpret.h:865
 //0x59ea61562f86 is in r_interpret
(/var/tmp/portage/sys-apps/gawk-5.2.0/work/gawk-5.2.0/awk.h:1986).
 //1981    static inline void
 //1982    unref(NODE *r)
 //1983    {
 //1984            assert(r == NULL || r->valref > 0);
 //1985            if (r != NULL && --r->valref <= 0)
 //1986                    r_unref(r);
 //1987    }
 //1988
 //1989    /* force_number --- force a  node to have a numeric value */
 //1990
^ gdb's source listing for frame #10 is wrong; the line actually executing is this (interpret.h:865):

    case Op_assign:
      lhs = POP_ADDRESS();
      r = TOP_SCALAR();
      unref(*lhs);      //THIS LINE is interpret.h:865
      if (r->type == Node_elem_new) {
        DEREF(r);
        r = dupnode(Nnull_string);
      }
      UPREF(r);

#11 0x000059ea61525533 in main (argc=<optimized out>, argv=<optimized
out>) at main.c:552
0x59ea61525533 is in main (main.c:552).
547             if (do_debug)
548                     debug_prog(code_block);
549             else if (do_pretty_print && ! do_profile)
550                     ;       /* run pretty printer only. */
551             else
552                     interpret(code_block); // THIS LINE
553
554             if (do_pretty_print) {
555                     set_current_namespace(awk_namespace);
556                     dump_prog(code_block);


