SWI-Prolog / swipl-devel

SWI-Prolog Main development repository
http://www.swi-prolog.org

Use-after-free bug in `trace` #1245

Open jinwoo opened 6 months ago

jinwoo commented 6 months ago

I'm running version 9.3.1-8-g551cdfe51 on Mac, which I built from HEAD using homebrew a few days ago.

It seems to have a use-after-free bug in trace. A simple example below.

my_plus(A, B, C) :-
    C is A + B.

If I load and run this without tracing, things run fine.

% swipl
Welcome to SWI-Prolog (threaded, 64 bits, version 9.3.1-8-g551cdfe51)
SWI-Prolog comes with ABSOLUTELY NO WARRANTY. This is free software.
Please run ?- license. for legal details.

For online help and background, visit https://www.swi-prolog.org
For built-in help, use ?- help(Topic). or ?- apropos(Word).

?- [foo].
true.

?- foldl(my_plus, [1,2,3], 0, N).
N = 6.

But if I enable tracing, it crashes. The stack trace shows prolog_trace:my_plus/3 (vs user:my_plus/3) and <garbage_collected>. It seems to suggest that there's a use-after-free bug somewhere around trace.

% swipl
Welcome to SWI-Prolog (threaded, 64 bits, version 9.3.1-8-g551cdfe51)
SWI-Prolog comes with ABSOLUTELY NO WARRANTY. This is free software.
Please run ?- license. for legal details.

For online help and background, visit https://www.swi-prolog.org
For built-in help, use ?- help(Topic). or ?- apropos(Word).

?- [foo].
true.

?- trace(foldl).
%     apply:foldl/4: [all]
%     apply:foldl/5: [all]
%     apply:foldl/6: [all]
%     apply:foldl/7: [all]
true.

?- foldl(my_plus, [1,2,3], 0, N).
 T [12] Call: apply:foldl(my_plus, [1, 2, 3], 0, _33416)
ERROR: Unknown procedure: prolog_trace:my_plus/3
ERROR: In:
ERROR:   [20] prolog_trace:my_plus(1,0,_344)
ERROR:   [19] apply:foldl_('<garbage_collected>',prolog_trace:my_plus,0,_380) at /opt/homebrew/Cellar/swi-prolog/HEAD-551cdfe/lib/swipl/library/apply.pl:317
ERROR:   [17] call('<garbage_collected>') at /opt/homebrew/Cellar/swi-prolog/HEAD-551cdfe/lib/swipl/boot/init.pl:502
ERROR:   [16] call_cleanup(prolog_trace:call(...),prolog_trace:(_456=true)) at /opt/homebrew/Cellar/swi-prolog/HEAD-551cdfe/lib/swipl/boot/init.pl:685
ERROR:   [15] '<meta-call>'('<garbage_collected>') <foreign>
ERROR:   [14] call('<garbage_collected>') at /opt/homebrew/Cellar/swi-prolog/HEAD-551cdfe/lib/swipl/boot/init.pl:502
ERROR:   [13] call_cleanup(prolog_trace:call(...),prolog_trace:(_562=true)) at /opt/homebrew/Cellar/swi-prolog/HEAD-551cdfe/lib/swipl/boot/init.pl:685
ERROR:   [12] apply:'$wrap$foldl'(my_plus,[1,2|...],0,_600)1-st clause of '$wrap$foldl'/4 <no source>
ERROR:   [11] toplevel_call('<garbage_collected>') at /opt/homebrew/Cellar/swi-prolog/HEAD-551cdfe/lib/swipl/boot/toplevel.pl:1317
ERROR:
ERROR: Note: some frames are missing due to last-call optimization.
ERROR: Re-run your program in debug mode (:- debug.) to get more detail.
   Exception: (20) prolog_trace:my_plus(1, 0, _264) ?

Maybe a similar issue as the one in the http package: https://github.com/SWI-Prolog/packages-http/issues/164?
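The `prolog_trace:my_plus/3` frame in the trace above is what a goal wrapper produces when it loses the caller's module context. The following is an added illustration of that mechanism, not code from swipl-devel or from the reporter: the module `wrap_demo` and the predicates `bad_wrap/1` and `good_wrap/1` are made up for this example, and it assumes a stock SWI-Prolog where `set_module/1` accepts `base(system)`.

```prolog
% Added example (not from swipl-devel): a goal wrapper in a library-style
% module that does not declare its goal argument as a meta-argument resolves
% that goal in its own module, which is how a call meant for user:my_plus/3
% can end up as wrap_demo:my_plus/3. Names in this file are invented.
:- module(wrap_demo, [bad_wrap/1, good_wrap/1]).

% Library modules inherit from 'system' rather than 'user', so predicates
% defined in user (my_plus/3 below) are not visible from here unless the
% goal arrives qualified with the caller's module. Set that explicitly so
% the file behaves like a library module even when loaded from elsewhere.
:- set_module(base(system)).

% No meta_predicate declaration: Goal arrives as a plain term, and call/1
% looks it up in this module's context (wrap_demo), which has no my_plus/3.
bad_wrap(Goal) :-
    call(Goal).

% With the meta_predicate declaration the system attaches the caller's
% module to the argument before the clause runs (user:my_plus(1, 2, X)
% when called from the toplevel), so the goal is resolved where it lives.
:- meta_predicate good_wrap(0).
good_wrap(Goal) :-
    call(Goal).

% The predicate from the report, placed in module user so both wrappers can
% be compared from the toplevel after consulting this file.
user:my_plus(A, B, C) :-
    C is A + B.

% Queries to run at the toplevel (module user):
%   ?- bad_wrap(my_plus(1, 2, X)).    % resolved as wrap_demo:my_plus/3
%   ?- good_wrap(my_plus(1, 2, X)).   % resolved as user:my_plus/3
```

The first query raises an existence error naming `wrap_demo:my_plus/3`, the same shape as the `prolog_trace:my_plus/3` error in the report, while the second succeeds; the difference is only the `meta_predicate` declaration.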

JanWielemaker commented 6 months ago

This issue has been mentioned on SWI-Prolog. There might be relevant details there:

https://swi-prolog.discourse.group/t/another-use-after-free-bug-report/7258/1