use after free in pseudofork on win32

[xenu]

Description
Microsoft recently added ASan support to Visual C++ so I decided to test perl with it. It turns out that it makes op\fork.t fail.

Here's simplified code from the test that triggers use after free:

BEGIN {
    fork and exit;
}

and here's the output of the script:

>perl a.pl
=================================================================
==428==ERROR: AddressSanitizer: heap-use-after-free on address 0x04907d8c at pc 0x709628ff bp 0x060bf67c sp 0x060bf67c
READ of size 4 at 0x04907d8c thread T1
    #0 0x709628fe  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100228fe)
    #1 0x70962ca2  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10022ca2)
    #2 0x70963ef9  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10023ef9)
    #3 0x70961aec  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10021aec)
    #4 0x70b0500d  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c500d)
    #5 0x6ca59bb0  (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x10049bb0)
    #6 0x6ca5a2ae  (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x1004a2ae)
    #7 0x74ce6358  (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
    #8 0x77537b73  (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #9 0x77537b43  (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)

0x04907d8c is located 44 bytes inside of 64-byte region [0x04907d60,0x04907da0)
freed by thread T0 here:
    #0 0x6ca50ef1  (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x10040ef1)
    #1 0x70b011f4  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c11f4)
    #2 0x70b034b3  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c34b3)
    #3 0x70af6efb  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101b6efb)
    #4 0x70a95a2e  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10155a2e)
    #5 0x709ced3a  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008ed3a)
    #6 0x709ce997  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008e997)
    #7 0x70a0181c  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100c181c)
    #8 0x70a913ca  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101513ca)
    #9 0x709c8bec  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10088bec)
    #10 0x709ce439  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008e439)
    #11 0x709acf2e  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006cf2e)
    #12 0x709ac918  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006c918)
    #13 0x709cfb0c  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008fb0c)
    #14 0x709c75bd  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100875bd)
    #15 0x709c6a11  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10086a11)
    #16 0x70b07950  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c7950)
    #17 0x8e1014  (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x401014)
    #18 0x8e11eb  (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x4011eb)
    #19 0x74ce6358  (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
    #20 0x77537b73  (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #21 0x77537b43  (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)

previously allocated by thread T0 here:
    #0 0x6ca51035  (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x10041035)
    #1 0x70b01093  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c1093)
    #2 0x70b0347a  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c347a)
    #3 0x70af6ce9  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101b6ce9)
    #4 0x709acc94  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006cc94)
    #5 0x709ac918  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006c918)
    #6 0x709cfb0c  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008fb0c)
    #7 0x709c75bd  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100875bd)
    #8 0x709c6a11  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10086a11)
    #9 0x70b07950  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c7950)
    #10 0x8e1014  (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x401014)
    #11 0x8e11eb  (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x4011eb)
    #12 0x74ce6358  (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
    #13 0x77537b73  (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #14 0x77537b43  (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)

Thread T1 created by T0 here:
    #0 0x6ca5a3f2  (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x1004a3f2)
    #1 0x70b05252  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c5252)
    #2 0x70a38a16  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100f8a16)
    #3 0x70a913ca  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101513ca)
    #4 0x709c8bec  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10088bec)
    #5 0x709ce439  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008e439)
    #6 0x709acf2e  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006cf2e)
    #7 0x709ac918  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006c918)
    #8 0x709cfb0c  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008fb0c)
    #9 0x709c75bd  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100875bd)
    #10 0x709c6a11  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10086a11)
    #11 0x70b07950  (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c7950)
    #12 0x8e1014  (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x401014)
    #13 0x8e11eb  (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x4011eb)
    #14 0x74ce6358  (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
    #15 0x77537b73  (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #16 0x77537b43  (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)

SUMMARY: AddressSanitizer: heap-use-after-free (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100228fe)
Shadow bytes around the buggy address:
  0x30920f60: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x30920f70: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x30920f80: 00 00 00 05 fa fa fa fa 00 00 00 00 00 00 02 fa
  0x30920f90: fa fa fa fa 00 00 00 00 00 00 00 06 fa fa fa fa
  0x30920fa0: 00 00 00 00 00 00 01 fa fa fa fa fa fd fd fd fd
=>0x30920fb0: fd[fd]fd fd fa fa fa fa 00 00 00 00 00 00 00 fa
  0x30920fc0: fa fa fa fa 00 00 00 00 00 00 04 fa fa fa fa fa
  0x30920fd0: 00 00 00 00 00 00 06 fa fa fa fa fa fd fd fd fd
  0x30920fe0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x30920ff0: fa fa fa fa 00 00 00 00 00 00 00 06 fa fa fa fa
  0x30921000: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==428==ABORTING

Perl configuration

Summary of my perl5 (revision 5 version 31 subversion 9) configuration:
  Derived from: 3a25432294a38b1c9c70d459c84132b7d76f245a
  Platform:
    osname=MSWin32
    osvers=10.0.18363.592
    archname=MSWin32-x86-multi-thread-64int
    uname=''
    config_args='undef'
    hint=recommended
    useposix=true
    d_sigaction=undef
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=undef
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cl'
    ccflags ='-nologo -GF -W3 -fsanitize=address -MD -DWIN32 -D_CONSOLE -DNO_STRICT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -D_WINSOCK_DEPRECATED_NO_WARNINGS  -DPERL_TEXTMODE_SCRIPTS -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS'
    optimize='-O1 -Zi -GL'
    cppflags='-DWIN32'
    ccversion='19.24.28316'
    gccversion=''
    gccosandvers=''
    intsize=4
    longsize=4
    ptrsize=4
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=undef
    longlongsize=8
    d_longdbl=define
    longdblsize=8
    longdblkind=0
    ivtype='__int64'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='__int64'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='link'
    ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf -ltcg  -libpath:"c:\perl\lib\CORE"  -machine:x86 -subsystem:console,"5.01"'
    libpth="C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\\lib\x86"
    libs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib  comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib  netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib  version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib vcruntime.lib ucrt.lib clang_rt.asan_dynamic-i386.lib clang_rt.asan_dynamic_runtime_thunk-i386.lib
    perllibs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib  comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib  netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib  version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib vcruntime.lib ucrt.lib clang_rt.asan_dynamic-i386.lib clang_rt.asan_dynamic_runtime_thunk-i386.lib
    libc=ucrt.lib
    so=dll
    useshrplib=true
    libperl=perl531.lib
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_win32.xs
    dlext=dll
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags='-dll -nologo -nodefaultlib -debug -opt:ref,icf -ltcg  -libpath:"c:\perl\lib\CORE"  -machine:x86 -subsystem:console,"5.01"'


Characteristics of this binary (from libperl):
  Compile-time options:
    HAS_TIMES
    HAVE_INTERP_INTERN
    MULTIPLICITY
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_IMPLICIT_CONTEXT
    PERL_IMPLICIT_SYS
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    USE_64_BIT_INT
    USE_ITHREADS
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
    USE_THREAD_SAFE_LOCALE
  Locally applied patches:
    uncommitted-changes
  Built under MSWin32
  Compiled at Feb  2 2020 06:52:11
  @INC:
    C:/Users/xenu/Documents/git/perl5/lib

[demerphq]

On Sun, 2 Feb 2020 at 07:16, xenu ***@***.***> wrote: *Description* Microsoft recently added <https://devblogs.microsoft.com/cppblog/addresssanitizer-asan-for-windows-with-msvc/> ASan support to Visual C++ so I decided to test perl with it. It turns out that it makes op\fork.t fail.

Is it possible to build your perl with debugging symbols? I forget how to do it, but iirc you can generate a separate debugging symbol file even without enabling DEBUGGING using msvc. That i think would give us the debug info to see the proper stack trace.

…

Here's simplified code from the test that triggers use after free: BEGIN { fork and exit; } and here's the output of the script: >perl a.pl ================================================================= ==428==ERROR: AddressSanitizer: heap-use-after-free on address 0x04907d8c at pc 0x709628ff bp 0x060bf67c sp 0x060bf67c READ of size 4 at 0x04907d8c thread T1 #0 0x709628fe (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100228fe) #1 0x70962ca2 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10022ca2) #2 0x70963ef9 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10023ef9) #3 0x70961aec (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10021aec) #4 0x70b0500d (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c500d) #5 0x6ca59bb0 (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x10049bb0) #6 0x6ca5a2ae (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x1004a2ae) #7 0x74ce6358 (C:\Windows\System32\KERNEL32.DLL+0x6b816358) #8 0x77537b73 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73) #9 0x77537b43 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43) 0x04907d8c is located 44 bytes inside of 64-byte region [0x04907d60,0x04907da0) freed by thread T0 here: #0 0x6ca50ef1 (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x10040ef1) #1 0x70b011f4 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c11f4) #2 0x70b034b3 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c34b3) #3 0x70af6efb (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101b6efb) #4 0x70a95a2e (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10155a2e) #5 0x709ced3a (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008ed3a) #6 0x709ce997 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008e997) #7 0x70a0181c (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100c181c) #8 0x70a913ca (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101513ca) #9 0x709c8bec (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10088bec) #10 0x709ce439 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008e439) #11 0x709acf2e (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006cf2e) #12 0x709ac918 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006c918) #13 0x709cfb0c (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008fb0c) #14 0x709c75bd (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100875bd) #15 0x709c6a11 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10086a11) #16 0x70b07950 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c7950) #17 0x8e1014 (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x401014) #18 0x8e11eb (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x4011eb) #19 0x74ce6358 (C:\Windows\System32\KERNEL32.DLL+0x6b816358) #20 0x77537b73 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73) #21 0x77537b43 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43) previously allocated by thread T0 here: #0 0x6ca51035 (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x10041035) #1 0x70b01093 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c1093) #2 0x70b0347a (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c347a) #3 0x70af6ce9 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101b6ce9) #4 0x709acc94 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006cc94) #5 0x709ac918 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006c918) #6 0x709cfb0c (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008fb0c) #7 0x709c75bd (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100875bd) #8 0x709c6a11 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10086a11) #9 0x70b07950 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c7950) #10 0x8e1014 (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x401014) #11 0x8e11eb (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x4011eb) #12 0x74ce6358 (C:\Windows\System32\KERNEL32.DLL+0x6b816358) #13 0x77537b73 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73) #14 0x77537b43 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43) Thread T1 created by T0 here: #0 0x6ca5a3f2 (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x1004a3f2) #1 0x70b05252 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c5252) #2 0x70a38a16 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100f8a16) #3 0x70a913ca (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101513ca) #4 0x709c8bec (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10088bec) #5 0x709ce439 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008e439) #6 0x709acf2e (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006cf2e) #7 0x709ac918 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006c918) #8 0x709cfb0c (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008fb0c) #9 0x709c75bd (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100875bd) #10 0x709c6a11 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10086a11) #11 0x70b07950 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c7950) #12 0x8e1014 (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x401014) #13 0x8e11eb (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x4011eb) #14 0x74ce6358 (C:\Windows\System32\KERNEL32.DLL+0x6b816358) #15 0x77537b73 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73) #16 0x77537b43 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43) SUMMARY: AddressSanitizer: heap-use-after-free (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100228fe) Shadow bytes around the buggy address: 0x30920f60: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa 0x30920f70: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00 0x30920f80: 00 00 00 05 fa fa fa fa 00 00 00 00 00 00 02 fa 0x30920f90: fa fa fa fa 00 00 00 00 00 00 00 06 fa fa fa fa 0x30920fa0: 00 00 00 00 00 00 01 fa fa fa fa fa fd fd fd fd =>0x30920fb0: fd[fd]fd fd fa fa fa fa 00 00 00 00 00 00 00 fa 0x30920fc0: fa fa fa fa 00 00 00 00 00 00 04 fa fa fa fa fa 0x30920fd0: 00 00 00 00 00 00 06 fa fa fa fa fa fd fd fd fd 0x30920fe0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa 0x30920ff0: fa fa fa fa 00 00 00 00 00 00 00 06 fa fa fa fa 0x30921000: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==428==ABORTING *Perl configuration* Summary of my perl5 (revision 5 version 31 subversion 9) configuration: Derived from: 3a25432 Platform: osname=MSWin32 osvers=10.0.18363.592 archname=MSWin32-x86-multi-thread-64int uname='' config_args='undef' hint=recommended useposix=true d_sigaction=undef useithreads=define usemultiplicity=define use64bitint=define use64bitall=undef uselongdouble=undef usemymalloc=n default_inc_excludes_dot=define bincompat5005=undef Compiler: cc='cl' ccflags ='-nologo -GF -W3 -fsanitize=address -MD -DWIN32 -D_CONSOLE -DNO_STRICT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -D_WINSOCK_DEPRECATED_NO_WARNINGS -DPERL_TEXTMODE_SCRIPTS -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS' optimize='-O1 -Zi -GL' cppflags='-DWIN32' ccversion='19.24.28316' gccversion='' gccosandvers='' intsize=4 longsize=4 ptrsize=4 doublesize=8 byteorder=12345678 doublekind=3 d_longlong=undef longlongsize=8 d_longdbl=define longdblsize=8 longdblkind=0 ivtype='__int64' ivsize=8 nvtype='double' nvsize=8 Off_t='__int64' lseeksize=8 alignbytes=8 prototype=define Linker and Libraries: ld='link' ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf -ltcg -libpath:"c:\perl\lib\CORE" -machine:x86 -subsystem:console,"5.01"' libpth="C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\\lib\x86" libs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib vcruntime.lib ucrt.lib clang_rt.asan_dynamic-i386.lib clang_rt.asan_dynamic_runtime_thunk-i386.lib perllibs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib vcruntime.lib ucrt.lib clang_rt.asan_dynamic-i386.lib clang_rt.asan_dynamic_runtime_thunk-i386.lib libc=ucrt.lib so=dll useshrplib=true libperl=perl531.lib gnulibc_version='' Dynamic Linking: dlsrc=dl_win32.xs dlext=dll d_dlsymun=undef ccdlflags=' ' cccdlflags=' ' lddlflags='-dll -nologo -nodefaultlib -debug -opt:ref,icf -ltcg -libpath:"c:\perl\lib\CORE" -machine:x86 -subsystem:console,"5.01"' Characteristics of this binary (from libperl): Compile-time options: HAS_TIMES HAVE_INTERP_INTERN MULTIPLICITY PERLIO_LAYERS PERL_COPY_ON_WRITE PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT PERL_IMPLICIT_SYS PERL_MALLOC_WRAP PERL_OP_PARENT PERL_PRESERVE_IVUV USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_PERLIO USE_PERL_ATOF USE_THREAD_SAFE_LOCALE Locally applied patches: uncommitted-changes Built under MSWin32 Compiled at Feb 2 2020 06:52:11 @inc: C:/Users/xenu/Documents/git/perl5/lib — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#17522?email_source=notifications&email_token=AAAZ5R6M2LMNU3K6KWNTBV3RAZQLFA5CNFSM4KOXYAYKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4IKMKLSA>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAZ5R4JD3TV73FVHMKVYCDRAZQLFANCNFSM4KOXYAYA> .

-- perl -Mre=debug -e "/just|another|perl|hacker/"

[xenu]

Oh, I posted that just before going to bed and I didn't notice there were no source lines in the output. The symbols are there (msvc build always builds with them), but for some reason asan isn't using them.

Here's the backtrace of the asan exception from windbg:

#  3  Id: 16a0.2208 Suspend: 1 Teb: 00745000 Unfrozen
 # ChildEBP RetAddr  
00 056fea38 6abfb423 clang_rt_asan_dynamic_i386!__sanitizer::internal__exit+0x1a
01 056fea44 6ac22a52 clang_rt_asan_dynamic_i386!__sanitizer::Die+0x43
02 056fea60 6ac23cba clang_rt_asan_dynamic_i386!__asan::ScopedInErrorReport::~ScopedInErrorReport+0x192
03 056ff48c 6ac26739 clang_rt_asan_dynamic_i386!__asan::ReportGenericError+0xda
04 056ff4b4 6b2628ff clang_rt_asan_dynamic_i386!__asan_load4+0x49
05 056ff4f0 6b262ca3 perl531!S_gv_is_in_main(struct interpreter * my_perl = 0x04e00e8c, char * name = 0x6b4294c0 "STDOUT", unsigned int len = 6, unsigned long is_utf8 = 0)+0x33 [C:\Users\xenu\Documents\git\perl5\gv.c @ 1764] 
06 056ff524 6b263efa perl531!S_find_default_stash(struct interpreter * my_perl = 0x04e00e8c, struct hv ** stash = 0x056ff588, char * name = 0x6b4294c0 "STDOUT", unsigned int len = 6, unsigned long is_utf8 = 0, long add = 0n1, svtype sv_type = SVt_PVIO (0n15))+0x20 [C:\Users\xenu\Documents\git\perl5\gv.c @ 1827] 
07 056ff624 6b261aed perl531!Perl_gv_fetchpvn_flags(struct interpreter * my_perl = 0x04e00e8c, char * nambeg = 0x6b4294c0 "STDOUT", unsigned int full_len = 6, long flags = 0n1, svtype sv_type = SVt_PVIO (0n15))+0x149 [C:\Users\xenu\Documents\git\perl5\gv.c @ 2406] 
08 056ff644 6b40500e perl531!Perl_gv_fetchpv(struct interpreter * my_perl = 0x04e00e8c, char * nambeg = 0x6b4294c0 "STDOUT", long add = 0n1, svtype sv_type = SVt_PVIO (0n15))+0x22 [C:\Users\xenu\Documents\git\perl5\gv.c @ 1613] 
09 056ff768 6ac29bb1 perl531!win32_start_child(void * arg = 0x04e00e8c)+0x6c3 [C:\Users\xenu\Documents\git\perl5\win32\perlhost.h @ 1781] 
0a 056ff77c 6ac2a2af clang_rt_asan_dynamic_i386!__asan::AsanThread::ThreadStart+0x61
0b 056ff790 74ce6359 clang_rt_asan_dynamic_i386!asan_thread_start+0x1f
0c 056ff7a0 77537b74 KERNEL32!BaseThreadInitThunk+0x19
0d 056ff7fc 77537b44 ntdll!__RtlUserThreadStart+0x2f
0e 056ff80c 00000000 ntdll!_RtlUserThreadStart+0x1b

[xenu]

wtf, asan does pick up the symbols, but only when I copy clang_rt.asan_dynamic-i386.dll to the same directory as perl.exe and don't use the VS tools command prompt (aka vcvars.bat).

Anyway, here's the annotated asan output:

=================================================================
==5792==ERROR: AddressSanitizer: heap-use-after-free on address 0x04006bec at pc 0x6b2628ff bp 0x056ff4bc sp 0x056ff4bc
READ of size 4 at 0x04006bec thread T1
    #0 0x6b2628fe in S_gv_is_in_main C:\Users\xenu\Documents\git\perl5\gv.c:1764
    #1 0x6b262ca2 in S_find_default_stash C:\Users\xenu\Documents\git\perl5\gv.c:1827
    #2 0x6b263ef9 in Perl_gv_fetchpvn_flags C:\Users\xenu\Documents\git\perl5\gv.c:2406
    #3 0x6b261aec in Perl_gv_fetchpv C:\Users\xenu\Documents\git\perl5\gv.c:1613
    #4 0x6b40500d in win32_start_child C:\Users\xenu\Documents\git\perl5\win32\perlhost.h:1781
    #5 0x6ac29bb0 in _asan_handle_no_return+0x44623 (C:\Users\xenu\Documents\git\perl5\clang_rt.asan_dynamic-i386.dll+0x10049bb0)
    #6 0x6ac2a2ae in _asan_handle_no_return+0x44d21 (C:\Users\xenu\Documents\git\perl5\clang_rt.asan_dynamic-i386.dll+0x1004a2ae)
    #7 0x74ce6358 in BaseThreadInitThunk+0x18 (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
    #8 0x77537b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #9 0x77537b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)

0x04006bec is located 44 bytes inside of 64-byte region [0x04006bc0,0x04006c00)
freed by thread T0 here:
    #0 0x6ac20ef1 in _asan_handle_no_return+0x3b964 (C:\Users\xenu\Documents\git\perl5\clang_rt.asan_dynamic-i386.dll+0x10040ef1)
    #1 0x6b4011f4 in VMem::Free C:\Users\xenu\Documents\git\perl5\win32\vmem.h:211
    #2 0x6b4034b3 in PerlMemFree C:\Users\xenu\Documents\git\perl5\win32\perlhost.h:303
    #3 0x6b3f6efb in Perl_safesysfree C:\Users\xenu\Documents\git\perl5\util.c:399
    #4 0x6b395a2e in Perl_leave_scope C:\Users\xenu\Documents\git\perl5\scope.c:1138
    #5 0x6b2ced3a in S_my_exit_jump C:\Users\xenu\Documents\git\perl5\win32\perl.c:5349
    #6 0x6b2ce997 in Perl_my_exit C:\Users\xenu\Documents\git\perl5\win32\perl.c:5239
    #7 0x6b30181c in Perl_pp_exit C:\Users\xenu\Documents\git\perl5\pp_ctl.c:3218
    #8 0x6b3913ca in Perl_runops_standard C:\Users\xenu\Documents\git\perl5\run.c:41
    #9 0x6b2c8bec in Perl_call_sv C:\Users\xenu\Documents\git\perl5\win32\perl.c:3116
    #10 0x6b2ce439 in Perl_call_list C:\Users\xenu\Documents\git\perl5\win32\perl.c:5159
    #11 0x6b2acf2e in S_process_special_blocks C:\Users\xenu\Documents\git\perl5\win32\op.c:11562
    #12 0x6b2ac918 in Perl_newATTRSUB_x C:\Users\xenu\Documents\git\perl5\win32\op.c:11465
    #13 0x6b2cfb0c in Perl_yyparse C:\Users\xenu\Documents\git\perl5\perly.c:438
    #14 0x6b2c75bd in S_parse_body C:\Users\xenu\Documents\git\perl5\win32\perl.c:2601
    #15 0x6b2c6a11 in perl_parse C:\Users\xenu\Documents\git\perl5\win32\perl.c:1892
    #16 0x6b407950 in RunPerl C:\Users\xenu\Documents\git\perl5\win32\perllib.c:207
    #17 0xfc1014 in main C:\Users\xenu\Documents\git\perl5\win32\perlmain.c:39
    #18 0xfc11eb in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #19 0x74ce6358 in BaseThreadInitThunk+0x18 (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
    #20 0x77537b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #21 0x77537b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)

previously allocated by thread T0 here:
    #0 0x6ac21035 in _asan_handle_no_return+0x3baa8 (C:\Users\xenu\Documents\git\perl5\clang_rt.asan_dynamic-i386.dll+0x10041035)
    #1 0x6b401093 in VMem::Malloc C:\Users\xenu\Documents\git\perl5\win32\vmem.h:149
    #2 0x6b40347a in PerlMemMalloc C:\Users\xenu\Documents\git\perl5\win32\perlhost.h:293
    #3 0x6b3f6ce9 in Perl_safesysmalloc C:\Users\xenu\Documents\git\perl5\util.c:155
    #4 0x6b2acc94 in S_process_special_blocks C:\Users\xenu\Documents\git\perl5\win32\op.c:11549
    #5 0x6b2ac918 in Perl_newATTRSUB_x C:\Users\xenu\Documents\git\perl5\win32\op.c:11465
    #6 0x6b2cfb0c in Perl_yyparse C:\Users\xenu\Documents\git\perl5\perly.c:438
    #7 0x6b2c75bd in S_parse_body C:\Users\xenu\Documents\git\perl5\win32\perl.c:2601
    #8 0x6b2c6a11 in perl_parse C:\Users\xenu\Documents\git\perl5\win32\perl.c:1892
    #9 0x6b407950 in RunPerl C:\Users\xenu\Documents\git\perl5\win32\perllib.c:207
    #10 0xfc1014 in main C:\Users\xenu\Documents\git\perl5\win32\perlmain.c:39
    #11 0xfc11eb in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #12 0x74ce6358 in BaseThreadInitThunk+0x18 (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
    #13 0x77537b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #14 0x77537b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)

Thread T1 created by T0 here:
    #0 0x6ac2a3f2 in _asan_handle_no_return+0x44e65 (C:\Users\xenu\Documents\git\perl5\clang_rt.asan_dynamic-i386.dll+0x1004a3f2)
    #1 0x6b405252 in PerlProcFork C:\Users\xenu\Documents\git\perl5\win32\perlhost.h:1840
    #2 0x6b338a16 in Perl_pp_fork C:\Users\xenu\Documents\git\perl5\pp_sys.c:4230
    #3 0x6b3913ca in Perl_runops_standard C:\Users\xenu\Documents\git\perl5\run.c:41
    #4 0x6b2c8bec in Perl_call_sv C:\Users\xenu\Documents\git\perl5\win32\perl.c:3116
    #5 0x6b2ce439 in Perl_call_list C:\Users\xenu\Documents\git\perl5\win32\perl.c:5159
    #6 0x6b2acf2e in S_process_special_blocks C:\Users\xenu\Documents\git\perl5\win32\op.c:11562
    #7 0x6b2ac918 in Perl_newATTRSUB_x C:\Users\xenu\Documents\git\perl5\win32\op.c:11465
    #8 0x6b2cfb0c in Perl_yyparse C:\Users\xenu\Documents\git\perl5\perly.c:438
    #9 0x6b2c75bd in S_parse_body C:\Users\xenu\Documents\git\perl5\win32\perl.c:2601
    #10 0x6b2c6a11 in perl_parse C:\Users\xenu\Documents\git\perl5\win32\perl.c:1892
    #11 0x6b407950 in RunPerl C:\Users\xenu\Documents\git\perl5\win32\perllib.c:207
    #12 0xfc1014 in main C:\Users\xenu\Documents\git\perl5\win32\perlmain.c:39
    #13 0xfc11eb in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #14 0x74ce6358 in BaseThreadInitThunk+0x18 (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
    #15 0x77537b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #16 0x77537b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)

SUMMARY: AddressSanitizer: heap-use-after-free C:\Users\xenu\Documents\git\perl5\gv.c:1764 in S_gv_is_in_main
Shadow bytes around the buggy address:
  0x30800d20: fa fa fa fa 00 00 00 00 00 00 00 06 fa fa fa fa
  0x30800d30: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x30800d40: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 05
  0x30800d50: fa fa fa fa 00 00 00 00 00 00 02 fa fa fa fa fa
  0x30800d60: 00 00 00 00 00 00 00 06 fa fa fa fa 00 00 00 00
=>0x30800d70: 00 00 00 fa fa fa fa fa fd fd fd fd fd[fd]fd fd
  0x30800d80: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x30800d90: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x30800da0: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 05 fa
  0x30800db0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x30800dc0: 00 00 00 00 00 00 00 05 fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==5792==ABORTING

[tonycoz]

Does this (or something similar) still occur? The code that allocated that particular block of memory was removed in 79f75ea.

[tonycoz]

Does this (or something similar) still occur? The code that allocated that particular block of memory was removed in 79f75ea.

Reproduced in d0b5de5 (the parent of 79f75ea) but not in 79f75ea itself. Closing.