belozierov / SwiftCoroutine

Swift coroutines for iOS, macOS and Linux.
https://belozierov.github.io/SwiftCoroutine
MIT License
836 stars, 51 forks

Buffer Overflow? #32

Closed ckornher closed 3 years ago

ckornher commented 3 years ago

I have been experiencing random crashes some of which seem to involve random memory corruption. I have since found a probable cause, but did run across this while I was searching for issues.

I ran Address Sanitizer on my code and it spat out the following. There is a warning of potential false positives...

==47182==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x70000f1bb000; bottom 0x00010a1da000; size: 0x6fff04fe1000 (123141091102720) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189

==47182==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00010a1db9e1 at pc 0x000100136a7a bp 0x70000f1b9bb0 sp 0x70000f1b9370 READ of size 5664 at 0x00010a1db9e1 thread T2

#0 0x100136a79 in wrap_memmove+0x169 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1da79)

#1 0x109ce5d60 in SharedCoroutine.saveStack()+0x830 (goSwiftlyTests:x86_64+0xdad60)
#2 0x109cedc9d in SharedCoroutineQueue.start(dispatcher:scheduler:task:)+0x47d (goSwiftlyTests:x86_64+0xe2c9d)
#3 0x109ceac4a in closure #1 in SharedCoroutineDispatcher.execute(on:task:)+0x22a (goSwiftlyTests:x86_64+0xdfc4a)
#4 0x109cbd932 in thunk for @escaping @callee_guaranteed () -> ()+0x92 (goSwiftlyTests:x86_64+0xb2932)
#5 0x1001613ba in __wrap_dispatch_async_block_invoke+0xca (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x483ba)
#6 0x7fff72cb56c3 in _dispatch_call_block_and_release+0xb (libdispatch.dylib:x86_64+0x16c3)
#7 0x7fff72cb6657 in _dispatch_client_callout+0x7 (libdispatch.dylib:x86_64+0x2657)
#8 0x7fff72cbbc43 in _dispatch_lane_serial_drain+0x254 (libdispatch.dylib:x86_64+0x7c43)
#9 0x7fff72cbc5d5 in _dispatch_lane_invoke+0x16a (libdispatch.dylib:x86_64+0x85d5)
#10 0x7fff72cc5c08 in _dispatch_workloop_worker_thread+0x253 (libdispatch.dylib:x86_64+0x11c08)
#11 0x7fff72f10a3c in _pthread_wqthread+0x121 (libsystem_pthread.dylib:x86_64+0x2a3c)
#12 0x7fff72f0fb76 in start_wqthread+0xe (libsystem_pthread.dylib:x86_64+0x1b76)

0x00010a1db9e1 is located 190945 bytes inside of 200704-byte region [0x00010a1ad000,0x00010a1de000) allocated by thread T2 here:

#0 0x100162870 in wrap_posix_memalign+0xb0 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x49870)

#1 0x7fff7262bcd1 in swift_slowAlloc+0x41 (libswiftCore.dylib:x86_64+0x2f2cd1)
#2 0x109cd817b in CoroutineContext.init(stackSize:guardPage:)+0x4fb (goSwiftlyTests:x86_64+0xcd17b)
#3 0x109cd7c68 in CoroutineContext.__allocating_init(stackSize:guardPage:)+0x38 (goSwiftlyTests:x86_64+0xccc68)
#4 0x109ced426 in SharedCoroutineQueue.init(stackSize:)+0x5b6 (goSwiftlyTests:x86_64+0xe2426)
#5 0x109cece58 in SharedCoroutineQueue.__allocating_init(stackSize:)+0x28 (goSwiftlyTests:x86_64+0xe1e58)
#6 0x109ceb158 in SharedCoroutineDispatcher.getFreeQueue()+0x438 (goSwiftlyTests:x86_64+0xe0158)
#7 0x109ceac2f in closure #1 in SharedCoroutineDispatcher.execute(on:task:)+0x20f (goSwiftlyTests:x86_64+0xdfc2f)
#8 0x109cbd932 in thunk for @escaping @callee_guaranteed () -> ()+0x92 (goSwiftlyTests:x86_64+0xb2932)
#9 0x1001613ba in __wrap_dispatch_async_block_invoke+0xca (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x483ba)
#10 0x7fff72cb56c3 in _dispatch_call_block_and_release+0xb (libdispatch.dylib:x86_64+0x16c3)
#11 0x7fff72cb6657 in _dispatch_client_callout+0x7 (libdispatch.dylib:x86_64+0x2657)
#12 0x7fff72cbbc43 in _dispatch_lane_serial_drain+0x254 (libdispatch.dylib:x86_64+0x7c43)
#13 0x7fff72cbc5d5 in _dispatch_lane_invoke+0x16a (libdispatch.dylib:x86_64+0x85d5)
#14 0x7fff72cc5c08 in _dispatch_workloop_worker_thread+0x253 (libdispatch.dylib:x86_64+0x11c08)
#15 0x7fff72f10a3c in _pthread_wqthread+0x121 (libsystem_pthread.dylib:x86_64+0x2a3c)
#16 0x7fff72f0fb76 in start_wqthread+0xe (libsystem_pthread.dylib:x86_64+0x1b76)

Thread T2 created by T1 here:

Thread T1 created by T0 here:

SUMMARY: AddressSanitizer: stack-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1da79) in wrap_memmove+0x169

Shadow bytes around the buggy address:
  0x10002143b6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002143b6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002143b700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002143b710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002143b720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002143b730: 00 00 00 00 00 00 00 00 f1 f1 f1 f1[01]f3 f3 f3
  0x10002143b740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002143b750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002143b760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002143b770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002143b780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==47182==ABORTING

Warning: hit breakpoint while running function, skipping commands and conditions to prevent recursion.
AddressSanitizer report breakpoint hit. Use 'thread info -s' to get extended information about the report.

(lldb) thread info -s
thread #3: tid = 0x29d49f, 0x000000010016ab20 libclang_rt.asan_osx_dynamic.dylib`__asan::AsanDie(), queue = 'GoSwiftly[1]', stop reason = Stack buffer overflow
{
  "access_size": 5664,
  "access_type": 0,
  "address": 4464687585,
  "description": "stack-buffer-overflow",
  "instrumentation_class": "AddressSanitizer",
  "pc": 4296239738,
  "stop_type": "fatal_error"
}
(lldb)
belozierov commented 3 years ago

@ckornher Hi, AddressSanitizer can show a stack buffer overflow warning because it can't detect the change of stack location (google/sanitizers#189). If possible, could you please provide real crash reports?

Also please pay attention to this issue which has already been discussed - https://github.com/belozierov/SwiftCoroutine/issues/22
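Editor's note on the false positive the maintainer describes. The first line of the report above already says what went wrong from ASan's point of view: "stack top: 0x70000f1bb000; bottom 0x00010a1da000; size: 0x6fff04fe1000" is ASan computing the thread's stack from a stack pointer that is actually inside the heap-allocated coroutine stack, and the shadow dump shows the 5664-byte read starting on a partially addressable byte bordered by f1/f3 stack redzones that ASan poisoned inside that region. The sanitizer runtime exposes two hooks, `__sanitizer_start_switch_fiber` and `__sanitizer_finish_switch_fiber` (declared in `sanitizer/common_interface_defs.h`), that a stack-switching runtime calls around every switch so ASan knows which stack it is on. The following is an added example written for this page, not code from SwiftCoroutine: a minimal ucontext-based coroutine in C that calls those hooks on both sides of each switch. The two hook names and their signatures are the real sanitizer interface; `coro_t`, `run_demo`, the 256 KiB stack size and the byte-filling workload are assumptions made up for the demonstration. The hooks are declared weak so the file also builds and runs without `-fsanitize=address`.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* macOS requires this for the ucontext API */
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ucontext.h>

/* ASan fiber-switch hooks (sanitizer/common_interface_defs.h). Declared weak so a
 * non-sanitized build links and simply skips them; under -fsanitize=address they
 * resolve to the runtime and ASan learns the bounds of the stack in use. */
extern void __sanitizer_start_switch_fiber(void **fake_stack_save,
                                           const void *bottom, size_t size)
    __attribute__((weak));
extern void __sanitizer_finish_switch_fiber(void *fake_stack_save,
                                            const void **bottom_old,
                                            size_t *size_old)
    __attribute__((weak));

#define CORO_STACK_SIZE (256 * 1024)   /* assumed size for this demo */

typedef struct {
    ucontext_t caller;          /* context that called coro_resume() */
    ucontext_t self;            /* the coroutine's own context */
    void *stack;                /* heap-allocated coroutine stack, lowest address */
    void *caller_fake_stack;    /* ASan bookkeeping for the caller's stack */
    void *coro_fake_stack;      /* ASan bookkeeping for the coroutine's stack */
    const void *caller_bottom;  /* caller stack bounds, reported by ASan on entry */
    size_t caller_size;
    int finished;
    uint32_t checksum;          /* result computed on the coroutine stack */
    int on_own_stack;           /* 1 if the body's frame lay inside c->stack */
} coro_t;

static coro_t *current;         /* makecontext() cannot pass a pointer portably */

/* Coroutine side: hand control back to the caller. On the final switch the
 * fake-stack handle is NULL so ASan destroys the coroutine's fake stack. */
static void coro_yield(coro_t *c) {
    if (__sanitizer_start_switch_fiber)
        __sanitizer_start_switch_fiber(c->finished ? NULL : &c->coro_fake_stack,
                                       c->caller_bottom, c->caller_size);
    swapcontext(&c->self, &c->caller);
    /* Only reached when resumed again: we are back on the coroutine stack. */
    if (__sanitizer_finish_switch_fiber)
        __sanitizer_finish_switch_fiber(c->coro_fake_stack,
                                        &c->caller_bottom, &c->caller_size);
}

static void coro_entry(void) {
    coro_t *c = current;
    /* First instruction on the new stack: complete the switch and record the
     * bounds of the stack we came from so coro_yield() can hand them back. */
    if (__sanitizer_finish_switch_fiber)
        __sanitizer_finish_switch_fiber(NULL, &c->caller_bottom, &c->caller_size);

    char *frame = (char *)__builtin_frame_address(0);
    c->on_own_stack = frame >= (char *)c->stack &&
                      frame < (char *)c->stack + CORO_STACK_SIZE;

    char buf[8192];                          /* constructed workload: a large local */
    for (size_t i = 0; i < sizeof buf; i++) buf[i] = (char)(i * 7);
    coro_yield(c);                           /* suspend mid-work, buf stays live */
    uint32_t sum = 0;
    for (size_t i = 0; i < sizeof buf; i++) sum += (unsigned char)buf[i];
    c->checksum = sum;
    c->finished = 1;
    coro_yield(c);                           /* final switch; never resumed */
}

/* Caller side: announce the target stack, switch, and re-announce our own. */
static void coro_resume(coro_t *c) {
    current = c;
    if (__sanitizer_start_switch_fiber)
        __sanitizer_start_switch_fiber(&c->caller_fake_stack, c->stack, CORO_STACK_SIZE);
    swapcontext(&c->caller, &c->self);
    if (__sanitizer_finish_switch_fiber)
        __sanitizer_finish_switch_fiber(c->caller_fake_stack, NULL, NULL);
}

static int coro_init(coro_t *c) {
    memset(c, 0, sizeof *c);
    c->stack = malloc(CORO_STACK_SIZE);
    if (!c->stack || getcontext(&c->self) != 0) return -1;
    c->self.uc_stack.ss_sp = c->stack;
    c->self.uc_stack.ss_size = CORO_STACK_SIZE;
    c->self.uc_link = &c->caller;            /* safety net; the body never returns */
    makecontext(&c->self, coro_entry, 0);
    return 0;
}

/* Drives one coroutine to completion. Returns the number of resumes (2 here:
 * one yield, then completion) or -1 on setup failure. */
int run_demo(uint32_t *checksum, int *on_own_stack) {
    coro_t c;
    if (coro_init(&c) != 0) return -1;
    int resumes = 0;
    while (!c.finished) { coro_resume(&c); resumes++; }
    free(c.stack);
    *checksum = c.checksum;
    *on_own_stack = c.on_own_stack;
    return resumes;
}

int main(void) {
    uint32_t sum = 0; int own = 0;
    int r = run_demo(&sum, &own);
    printf("resumes=%d checksum=%u on_own_stack=%d\n", r, sum, own);
    return (r == 2 && own) ? 0 : 1;
}
```

Build it twice, `cc demo.c` and `cc -fsanitize=address -g demo.c`, and both runs complete cleanly; remove the four hook calls and the sanitized build is the setup that produces warnings of the kind shown in the report. Two caveats for anyone applying this to a real runtime: the hooks must bracket every switch, including the first entry onto a fresh stack and the final exit (NULL handle), and a routine that copies a suspended coroutine's stack wholesale, as `SharedCoroutine.saveStack()` does with `memmove` above, still reads across the redzones ASan poisoned inside that region and needs the copy done outside instrumentation or the region unpoisoned first.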

ckornher commented 3 years ago

@belozierov Thanks for the reply. It looks like it was probably a race condition in my code. I am going to close this one.