Closed
Labels:
- P2: A bug or feature request we're likely to work on
- area-vm: Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends.
- crash: Process exits with SIGSEGV, SIGABRT, etc. An unhandled exception is not a crash.
- type-bug: Incorrect behavior (everything from a crash to more subtle misbehavior)
Description
https://ci.chromium.org/p/dart/builders/ci.sandbox/vm-kernel-asan-linux-release-x64/1859
FAILED: dartk-vm release_x64 standalone_2/ffi/subtype_test
Expected: Pass
Actual: Fail
--- Command "vm" (took 01.000755s):
DART_CONFIGURATION=ReleaseX64 out/ReleaseX64/dart --ignore-unrecognized-flags --packages=/b/s/w/ir/cache/builder/sdk/.packages /b/s/w/ir/cache/builder/sdk/tests/standalone_2/ffi/subtype_test.dart
exit code:
1
stderr:
=================================================================
==26809==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001150 at pc 0x55c46744fb29 bp 0x7fb2d46fd8a0 sp 0x7fb2d46fd898
READ of size 4 at 0x602000001150 thread T8
#0 0x55c46744fb28 in dart::RawObject::IsMarked() const ../../out/ReleaseX64/../../runtime/vm/raw_object.h:256:47
#1 0x55c46744fb28 in dart::MarkingVisitorBase<true>::MarkObject(dart::RawObject*) ../../out/ReleaseX64/../../runtime/vm/heap/marker.cc:393
#2 0x55c46744fb28 in dart::MarkingVisitorBase<true>::VisitPointers(dart::RawObject**, dart::RawObject**) ../../out/ReleaseX64/../../runtime/vm/heap/marker.cc:285
#3 0x55c467467eac in dart::RawObject::VisitPointers(dart::ObjectPointerVisitor*) ../../out/ReleaseX64/../../runtime/vm/raw_object.h:429:14
#4 0x55c467467eac in dart::Scavenger::VisitObjectPointers(dart::ObjectPointerVisitor*) const ../../out/ReleaseX64/../../runtime/vm/heap/scavenger.cc:886
#5 0x55c467449bc7 in dart::GCMarker::IterateRoots(dart::ObjectPointerVisitor*) ../../out/ReleaseX64/../../runtime/vm/heap/marker.cc:556:29
#6 0x55c46744ff3b in dart::ParallelMarkTask::Run() ../../out/ReleaseX64/../../runtime/vm/heap/marker.cc:650:16
#7 0x55c466f2a7bf in dart::ThreadPool::Worker::Loop() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:381:11
#8 0x55c466f2a483 in dart::ThreadPool::Worker::Main(unsigned long) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:436:27
#9 0x55c466d26c4d in dart::ThreadStart(void*) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:134:5
#10 0x7fb2dfe7c183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
#11 0x7fb2df69b03c in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfe03c)
0x602000001150 is located 0 bytes inside of 13-byte region [0x602000001150,0x60200000115d)
freed by thread T2 here:
#0 0x55c46643bc52 in __interceptor_free /b/s/w/ir/kitchen-workdir/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x55c466907ff3 in dart::DN_HelperFfi_free(dart::Isolate*, dart::Thread*, dart::Zone*, dart::NativeArguments*) ../../out/ReleaseX64/../../runtime/lib/ffi.cc:307:3
#2 0x55c466907ff3 in dart::BootstrapNatives::DN_Ffi_free(_Dart_NativeArguments*) ../../out/ReleaseX64/../../runtime/lib/ffi.cc:303
#3 0x7fb2dc88113e (<unknown module>)
#4 0x7fb2d8834fed (<unknown module>)
#5 0x7fb2d882cb3b (<unknown module>)
#6 0x7fb2d882ca0c (<unknown module>)
#7 0x7fb2d882c93c (<unknown module>)
#8 0x7fb2d882c758 (<unknown module>)
#9 0x7fb2d882bb14 (<unknown module>)
#10 0x7fb2d8809a3b (<unknown module>)
#11 0x7fb2d882b7f2 (<unknown module>)
#12 0x7fb2dc88146b (<unknown module>)
#13 0x55c4669f1c6f in dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:197:10
#14 0x55c4669fb25e in dart::DartLibraryCalls::HandleMessage(dart::Object const&, dart::Instance const&) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:691:28
#15 0x55c466a97cd9 in dart::IsolateMessageHandler::HandleMessage(dart::Message*) ../../out/ReleaseX64/../../runtime/vm/isolate.cc:625:30
#16 0x55c466b33f5c in dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool) ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:217:28
#17 0x55c466b358a5 in dart::MessageHandler::TaskCallback() ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:417:20
#18 0x55c466f2a7bf in dart::ThreadPool::Worker::Loop() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:381:11
#19 0x55c466f2a483 in dart::ThreadPool::Worker::Main(unsigned long) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:436:27
#20 0x55c466d26c4d in dart::ThreadStart(void*) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:134:5
#21 0x7fb2dfe7c183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
previously allocated by thread T2 here:
#0 0x55c46643bfd3 in __interceptor_malloc /b/s/w/ir/kitchen-workdir/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x55c466904035 in dart::DN_HelperFfi_allocate(dart::Isolate*, dart::Thread*, dart::Zone*, dart::NativeArguments*) ../../out/ReleaseX64/../../runtime/lib/ffi.cc:234:48
#2 0x55c466904035 in dart::BootstrapNatives::DN_Ffi_allocate(_Dart_NativeArguments*) ../../out/ReleaseX64/../../runtime/lib/ffi.cc:218
#3 0x7fb2dc88113e (<unknown module>)
#4 0x7fb2d882d19c (<unknown module>)
#5 0x7fb2d882cce8 (<unknown module>)
#6 0x7fb2d882cafc (<unknown module>)
#7 0x7fb2d882ca0c (<unknown module>)
#8 0x7fb2d882c93c (<unknown module>)
#9 0x7fb2d882c758 (<unknown module>)
#10 0x7fb2d882bb14 (<unknown module>)
#11 0x7fb2d8809a3b (<unknown module>)
#12 0x7fb2d882b7f2 (<unknown module>)
#13 0x7fb2dc88146b (<unknown module>)
#14 0x55c4669f1c6f in dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:197:10
#15 0x55c4669fb25e in dart::DartLibraryCalls::HandleMessage(dart::Object const&, dart::Instance const&) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:691:28
#16 0x55c466a97cd9 in dart::IsolateMessageHandler::HandleMessage(dart::Message*) ../../out/ReleaseX64/../../runtime/vm/isolate.cc:625:30
#17 0x55c466b33f5c in dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool) ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:217:28
#18 0x55c466b358a5 in dart::MessageHandler::TaskCallback() ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:417:20
#19 0x55c466f2a7bf in dart::ThreadPool::Worker::Loop() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:381:11
#20 0x55c466f2a483 in dart::ThreadPool::Worker::Main(unsigned long) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:436:27
#21 0x55c466d26c4d in dart::ThreadStart(void*) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:134:5
#22 0x7fb2dfe7c183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
Thread T8 created by T2 here:
#0 0x55c466424a8d in __interceptor_pthread_create /b/s/w/ir/kitchen-workdir/llvm-project/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x55c466d269cf in dart::OSThread::Start(char const*, void (*)(unsigned long), unsigned long) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:153:12
#2 0x55c466f290f3 in dart::ThreadPool::Worker::StartThread() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:338:16
#3 0x55c466f290f3 in dart::ThreadPool::Run(dart::ThreadPool::Task*) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:69
#4 0x55c46744adf1 in dart::GCMarker::StartConcurrentMark(dart::PageSpace*, bool) ../../out/ReleaseX64/../../runtime/vm/heap/marker.cc:891:40
#5 0x55c46745cd50 in dart::PageSpace::CollectGarbageAtSafepoint(bool, bool, long, long) ../../out/ReleaseX64/../../runtime/vm/heap/pages.cc:1123:14
#6 0x55c46745bd19 in dart::PageSpace::CollectGarbage(bool, bool) ../../out/ReleaseX64/../../runtime/vm/heap/pages.cc:1059:5
#7 0x55c467445971 in dart::Heap::CheckStartConcurrentMarking(dart::Thread*, dart::Heap::GCReason) ../../out/ReleaseX64/../../runtime/vm/heap/heap.cc:555:18
#8 0x55c4674561b4 in dart::PageSpace::TryAllocateInFreshPage(long, dart::HeapPage::PageType, dart::PageSpace::GrowthPolicy, bool) ../../out/ReleaseX64/../../runtime/vm/heap/pages.cc:448:16
#9 0x55c46743fe26 in dart::PageSpace::TryAllocate(long, dart::HeapPage::PageType, dart::PageSpace::GrowthPolicy) ../../out/ReleaseX64/../../runtime/vm/heap/pages.h:259:12
#10 0x55c46743fe26 in dart::Heap::AllocateOld(long, dart::HeapPage::PageType) ../../out/ReleaseX64/../../runtime/vm/heap/heap.cc:131
#11 0x55c466b484c1 in dart::Object::Allocate(long, long, dart::Heap::Space) ../../out/ReleaseX64/../../runtime/vm/heap/heap.h
#12 0x55c466c56466 in dart::ICData::NewDescriptor(dart::Zone*, dart::Function const&, dart::String const&, dart::Array const&, long, long, dart::ICData::RebindRule, dart::AbstractType const&) ../../out/ReleaseX64/../../runtime/vm/object.cc:14014:9
#13 0x55c466c567f9 in dart::ICData::New(dart::Function const&, dart::String const&, dart::Array const&, long, long, dart::ICData::RebindRule, dart::AbstractType const&) ../../out/ReleaseX64/../../runtime/vm/object.cc:14058:7
#14 0x55c467068eba in dart::FlowGraphCompiler::GetOrAddStaticCallICData(long, dart::Function const&, dart::Array const&, long, dart::ICData::RebindRule) ../../out/ReleaseX64/../../runtime/vm/compiler/backend/flow_graph_compiler.cc:1795:7
#15 0x55c467068925 in dart::FlowGraphCompiler::GenerateStaticCall(long, dart::TokenPosition, dart::Function const&, dart::ArgumentsInfo, dart::LocationSummary*, dart::ICData const&, dart::ICData::RebindRule, dart::CodeEntryKind) ../../out/ReleaseX64/../../runtime/vm/compiler/backend/flow_graph_compiler.cc:1343:11
#16 0x55c4670ebc19 in dart::StringInterpolateInstr::EmitNativeCode(dart::FlowGraphCompiler*) ../../out/ReleaseX64/../../runtime/vm/compiler/backend/il_x64.cc:953:13
#17 0x55c46705e9b8 in dart::FlowGraphCompiler::VisitBlocks() ../../out/ReleaseX64/../../runtime/vm/compiler/backend/flow_graph_compiler.cc:584:16
#18 0x55c46707adc8 in dart::FlowGraphCompiler::CompileGraph() ../../out/ReleaseX64/../../runtime/vm/compiler/backend/flow_graph_compiler_x64.cc:932:3
#19 0x55c4673bed03 in dart::CompileParsedFunctionHelper::Compile(dart::CompilationPipeline*) ../../out/ReleaseX64/../../runtime/vm/compiler/jit/compiler.cc:678:24
#20 0x55c4673c161f in dart::CompileFunctionHelper(dart::CompilationPipeline*, dart::Function const&, bool, long) ../../out/ReleaseX64/../../runtime/vm/compiler/jit/compiler.cc:812:46
#21 0x55c4673c06c9 in dart::Compiler::CompileFunction(dart::Thread*, dart::Function const&) ../../out/ReleaseX64/../../runtime/vm/compiler/jit/compiler.cc:989:10
#22 0x55c4673ba0e9 in dart::DRT_HelperCompileFunction(dart::Isolate*, dart::Thread*, dart::Zone*, dart::NativeArguments) ../../out/ReleaseX64/../../runtime/vm/compiler/jit/compiler.cc:254:12
#23 0x55c4673ba0e9 in dart::DRT_CompileFunction(dart::NativeArguments) ../../out/ReleaseX64/../../runtime/vm/compiler/jit/compiler.cc:230
#24 0x7fb2dc880fa7 (<unknown module>)
#25 0x7fb2dc881023 (<unknown module>)
#26 0x7fb2d882cb29 (<unknown module>)
#27 0x7fb2d882ca0c (<unknown module>)
#28 0x7fb2d882c93c (<unknown module>)
#29 0x7fb2d882c758 (<unknown module>)
#30 0x7fb2d882bb14 (<unknown module>)
#31 0x7fb2d8809a3b (<unknown module>)
#32 0x7fb2d882b7f2 (<unknown module>)
#33 0x7fb2dc88146b (<unknown module>)
#34 0x55c4669f1c6f in dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:197:10
#35 0x55c4669fb25e in dart::DartLibraryCalls::HandleMessage(dart::Object const&, dart::Instance const&) ../../out/ReleaseX64/../../runtime/vm/dart_entry.cc:691:28
#36 0x55c466a97cd9 in dart::IsolateMessageHandler::HandleMessage(dart::Message*) ../../out/ReleaseX64/../../runtime/vm/isolate.cc:625:30
#37 0x55c466b33f5c in dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool) ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:217:28
#38 0x55c466b358a5 in dart::MessageHandler::TaskCallback() ../../out/ReleaseX64/../../runtime/vm/message_handler.cc:417:20
#39 0x55c466f2a7bf in dart::ThreadPool::Worker::Loop() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:381:11
#40 0x55c466f2a483 in dart::ThreadPool::Worker::Main(unsigned long) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:436:27
#41 0x55c466d26c4d in dart::ThreadStart(void*) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:134:5
#42 0x7fb2dfe7c183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
Thread T2 created by T0 here:
#0 0x55c466424a8d in __interceptor_pthread_create /b/s/w/ir/kitchen-workdir/llvm-project/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x55c466d269cf in dart::OSThread::Start(char const*, void (*)(unsigned long), unsigned long) ../../out/ReleaseX64/../../runtime/vm/os_thread_linux.cc:153:12
#2 0x55c466f290f3 in dart::ThreadPool::Worker::StartThread() ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:338:16
#3 0x55c466f290f3 in dart::ThreadPool::Run(dart::ThreadPool::Task*) ../../out/ReleaseX64/../../runtime/vm/thread_pool.cc:69
#4 0x55c4669da952 in dart::Dart::Init(unsigned char const*, unsigned char const*, _Dart_Isolate* (*)(char const*, char const*, char const*, char const*, Dart_IsolateFlags*, void*, char**), void (*)(void*), void (*)(void*), void (*)(), void* (*)(char const*, bool), void (*)(unsigned char**, long*, void*), void (*)(void const*, long, void*), void (*)(void*), bool (*)(unsigned char*, long), _Dart_Handle* (*)(), bool) ../../out/ReleaseX64/../../runtime/vm/dart.cc:355:5
#5 0x55c4674abf04 in Dart_Initialize ../../out/ReleaseX64/../../runtime/vm/dart_api_impl.cc:1011:10
#6 0x55c46646b3c5 in dart::bin::main(int, char**) ../../out/ReleaseX64/../../runtime/bin/main.cc:1147:11
#7 0x55c46646cf3a in main ../../out/ReleaseX64/../../runtime/bin/main.cc:1199:3
#8 0x7fb2df5bef44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: heap-use-after-free ../../out/ReleaseX64/../../runtime/vm/raw_object.h:256:47 in dart::RawObject::IsMarked() const
Shadow bytes around the buggy address:
0x0c047fff81d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff81e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff81f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff8200: fa fa 00 03 fa fa fd fd fa fa 00 00 fa fa 00 00
0x0c047fff8210: fa fa 00 03 fa fa fd fa fa fa 00 00 fa fa fd fd
=>0x0c047fff8220: fa fa 00 00 fa fa fd fa fa fa[fd]fd fa fa 00 00
0x0c047fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==26809==ABORTING
--- Re-run this test:
python tools/test.py -n dartk-asan-linux-release-x64 standalone_2/ffi/subtype_test