On Mon, Aug 08, 2016 at 12:25:52AM -0700, Aleks-Daniel Jakimenko-Aleksejev wrote:
> While it is probably a bad idea to push values into the same array from two
> threads, if I recall correctly rakudo is supposed to not crash like that no
> matter what.
>
> Code:
> my @a;
> start loop { @a.push: rand };
> start loop { @a.push: rand };
> sleep 1
>
> Result:
> “corrupted double-linked list”, or “double free or corruption”, or
> “.realloc(): invalid next size”, etc. Usually with memory map dumped.

Thanks for the report.

Yes, I also don't think that it should crash at a VM level. Ugly stuff like
that is potentially exploitable.

ASAN seems to be pretty consistent:

$ ./perl6-m -Ilib -e 'my @a; start loop { @a.push: rand }; start loop { @a.push: rand }; sleep 1'
=================================================================
==25229==ERROR: AddressSanitizer: attempting double-free on 0x60c000173740 in thread T1:
    #0 0x7fb80293b8e6 in __interceptor_realloc ../../.././libsanitizer/asan/asan_malloc_linux.cc:93
    #1 0x7fb801e6de7e in MVM_realloc src/core/alloc.h:20
    #2 0x7fb801e70c67 in set_size_internal src/6model/reprs/MVMArray.c:334
    #3 0x7fb801e71b77 in push src/6model/reprs/MVMArray.c:437
    #4 0x7fb801d385ee in MVM_interp_run src/core/interp.c:2163
    #5 0x7fb801dbd862 in start_thread src/core/threads.c:77
    #6 0x7fb80208460d in uv__thread_start 3rdparty/libuv/src/unix/thread.c:49
    #7 0x7fb80111daa0 in start_thread (/lib64/libpthread.so.0+0x7aa0)
    #8 0x7fb801623aac in __clone (/lib64/libc.so.6+0xe8aac)

0x60c000173740 is located 0 bytes inside of 128-byte region [0x60c000173740,0x60c0001737c0)
freed by thread T2 here:
    #0 0x7fb80293b8e6 in __interceptor_realloc ../../.././libsanitizer/asan/asan_malloc_linux.cc:93
    #1 0x7fb801e6de7e in MVM_realloc src/core/alloc.h:20
    #2 0x7fb801e70c67 in set_size_internal src/6model/reprs/MVMArray.c:334
    #3 0x7fb801e71b77 in push src/6model/reprs/MVMArray.c:437
    #4 0x7fb801d385ee in MVM_interp_run src/core/interp.c:2163
    #5 0x7fb801dbd862 in start_thread src/core/threads.c:77
    #6 0x7fb80208460d in uv__thread_start 3rdparty/libuv/src/unix/thread.c:49
    #7 0x7fb80111daa0 in start_thread (/lib64/libpthread.so.0+0x7aa0)

previously allocated by thread T1 here:
    #0 0x7fb80293b8e6 in __interceptor_realloc ../../.././libsanitizer/asan/asan_malloc_linux.cc:93
    #1 0x7fb801e6de7e in MVM_realloc src/core/alloc.h:20
    #2 0x7fb801e70c67 in set_size_internal src/6model/reprs/MVMArray.c:334
    #3 0x7fb801e71b77 in push src/6model/reprs/MVMArray.c:437
    #4 0x7fb801d385ee in MVM_interp_run src/core/interp.c:2163
    #5 0x7fb801dbd862 in start_thread src/core/threads.c:77
    #6 0x7fb80208460d in uv__thread_start 3rdparty/libuv/src/unix/thread.c:49
    #7 0x7fb80111daa0 in start_thread (/lib64/libpthread.so.0+0x7aa0)

Thread T1 created by T0 here:
    #0 0x7fb80290a6ea in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
    #1 0x7fb802084712 in uv_thread_create 3rdparty/libuv/src/unix/thread.c:66
    #2 0x7fb801dbdc13 in MVM_thread_run src/core/threads.c:129
    #3 0x7fb801d63435 in MVM_interp_run src/core/interp.c:3964
    #4 0x7fb802018c7c in MVM_vm_run_file src/moar.c:304
    #5 0x401a4f in main src/main.c:191
    #6 0x7fb801559d1c in __libc_start_main (/lib64/libc.so.6+0x1ed1c)

Thread T2 created by T0 here:
    #0 0x7fb80290a6ea in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
    #1 0x7fb802084712 in uv_thread_create 3rdparty/libuv/src/unix/thread.c:66
    #2 0x7fb801dbdc13 in MVM_thread_run src/core/threads.c:129
    #3 0x7fb801d63435 in MVM_interp_run src/core/interp.c:3964
    #4 0x7fb802018c7c in MVM_vm_run_file src/moar.c:304
    #5 0x401a4f in main src/main.c:191
    #6 0x7fb801559d1c in __libc_start_main (/lib64/libc.so.6+0x1ed1c)

SUMMARY: AddressSanitizer: double-free ../../.././libsanitizer/asan/asan_malloc_linux.cc:93 __interceptor_realloc
==25229==ABORTING

Nicholas Clark
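As an added illustration, not code from this thread or from MoarVM: the trace above shows two threads both entering the grow-by-realloc path of an unsynchronized array (T1 and T2 each realloc the same block, so the second realloc frees memory the first already released). The hypothetical `grow_array` below has the same doubling growth but serialises grow-and-append with a mutex, so two pushers finish with every element accounted for and no allocator corruption.

```c
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical growable array, loosely modelled on a grow-by-realloc
 * push path. The mutex is the piece the racy version lacks. */
typedef struct {
    double *slots;
    size_t elems, alloc;
    pthread_mutex_t lock;
} grow_array;

/* Grow and append under the lock. Without it, two threads can both
 * read the same old `slots` pointer and both realloc() it; the second
 * call hands the allocator a block the first already freed, which is
 * what ASAN reports as "attempting double-free ... __interceptor_realloc". */
static void ga_push(grow_array *a, double v) {
    pthread_mutex_lock(&a->lock);
    if (a->elems == a->alloc) {
        size_t n = a->alloc ? a->alloc * 2 : 8;
        double *p = realloc(a->slots, n * sizeof *p);
        if (!p) abort();
        a->slots = p;            /* publish the new block only under the lock */
        a->alloc = n;
    }
    a->slots[a->elems++] = v;
    pthread_mutex_unlock(&a->lock);
}

#define PUSHES_PER_THREAD 100000

static void *pusher(void *arg) {
    for (int i = 0; i < PUSHES_PER_THREAD; i++)
        ga_push((grow_array *)arg, (double)i);
    return NULL;
}

/* Two concurrent pushers into one array; returns the final element count,
 * which must equal 2 * PUSHES_PER_THREAD if no push was lost. */
size_t race_free_push_count(void) {
    grow_array a = { NULL, 0, 0, PTHREAD_MUTEX_INITIALIZER };
    pthread_t t[2];
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, pusher, &a);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    size_t n = a.elems;
    free(a.slots);
    pthread_mutex_destroy(&a.lock);
    return n;
}

int main(void) { return race_free_push_count() == 2 * PUSHES_PER_THREAD ? 0 : 1; }
```

Removing the two mutex calls from `ga_push` and building with `-fsanitize=address` reproduces the same class of report as the thread, which is a handy regression check for any lock you add to a shared growth path.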