bug-readline

Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose


From: Tom de Vries
Subject: Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose
Date: Mon, 29 May 2023 18:50:28 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0

On 5/29/23 18:43, Simon Marchi wrote:
On 5/28/23 04:20, Tom de Vries via Gdb-patches wrote:
On 5/27/23 21:10, Chet Ramey wrote:
On 5/23/23 12:04 PM, Tom de Vries wrote:

Both these issues need fixing independently, though after fixing the first we
no longer trigger the second.

Thanks for the report. These are both good fixes.

Thanks for the review.

Added test-case and committed.

Thanks,
- Tom

Hi Tom,

ASan sees a double-free in the test:

==144635==ERROR: AddressSanitizer: attempting double-free on 0x60200001ae90 in thread T0:
    #0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #2 0x7f39ef3d0f5d in _rl_isearch_cleanup (/usr/lib/libreadline.so.8+0x27f5d) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #3 0x7f39ef3e42ec in rl_callback_read_char (/usr/lib/libreadline.so.8+0x3b2ec) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #4 0x5649f96ec632 in gdb_rl_callback_read_char_wrapper_noexcept /home/smarchi/src/binutils-gdb/gdb/event-top.c:192
    #5 0x5649f96ec88a in gdb_rl_callback_read_char_wrapper /home/smarchi/src/binutils-gdb/gdb/event-top.c:225
    #6 0x5649fafd3641 in stdin_event_handler /home/smarchi/src/binutils-gdb/gdb/ui.c:155
    #7 0x5649fb6dbe79 in handle_file_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:573
    #8 0x5649fb6dc80f in gdb_wait_for_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:694
    #9 0x5649fb6da468 in gdb_do_one_event(int) /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:264
    #10 0x5649f9e61094 in start_event_loop /home/smarchi/src/binutils-gdb/gdb/main.c:412
    #11 0x5649f9e615a6 in captured_command_loop /home/smarchi/src/binutils-gdb/gdb/main.c:476
    #12 0x5649f9e66b5c in captured_main /home/smarchi/src/binutils-gdb/gdb/main.c:1320
    #13 0x5649f9e66c99 in gdb_main(captured_main_args*) /home/smarchi/src/binutils-gdb/gdb/main.c:1339
    #14 0x5649f83b758d in main /home/smarchi/src/binutils-gdb/gdb/gdb.c:32
    #15 0x7f39eda3984f  (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #16 0x7f39eda39909 in __libc_start_main (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #17 0x5649f83b7354 in _start (/home/smarchi/build/binutils-gdb/gdb/gdb+0xb0f0354) (BuildId: 2bb3933a88a2426705e531a680e7075402ea19f8)

0x60200001ae90 is located 0 bytes inside of 1-byte region [0x60200001ae90,0x60200001ae91)
freed by thread T0 here:
    #0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)

previously allocated by thread T0 here:
    #0 0x7f39ef4e1369 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x5649f865bca2 in xmalloc /home/smarchi/src/binutils-gdb/gdb/alloc.c:57
    #2 0x7f39ef3eb6da  (/usr/lib/libreadline.so.8+0x426da) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)

SUMMARY: AddressSanitizer: double-free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 in __interceptor_free


Hm, I guess the test-case detects the bug in system readline.

I suppose we can add a KFAIL or skip the test-case entirely when using system readline.

Thanks,
- Tom
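The ASan report in the thread is the generic shape of a double free in a dispose routine: one cleanup path releases an owned buffer, a second cleanup path reaches the same dispose function and frees the dangling pointer again. The example below is added here and is not readline's or gdb's code; it does not reproduce the actual _rl_scxt_dispose logic or the committed fix. It uses a hypothetical search_ctx struct and hypothetical search_ctx_* functions as stand-ins for a context that owns one heap buffer, and shows the buggy pattern beside the idempotent dispose that survives being called from two cleanup paths. Build with -fsanitize=address to see the buggy variant produce the same "attempting double-free" report class as above.

```c
/* Added example, not code from readline or gdb.  The struct and the
   search_ctx_* names are hypothetical stand-ins, not readline's types.
   Build:  gcc -g -fsanitize=address -o dispose dispose.c && ./dispose   */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct search_ctx {
    char *search_string;        /* owned heap buffer */
    size_t search_string_size;
    int free_calls;             /* instrumentation: how many times free() ran */
};

/* Allocate a context owning a copy of SEED (assumption: SEED is non-NULL). */
struct search_ctx *search_ctx_new(const char *seed)
{
    struct search_ctx *cxt = calloc(1, sizeof *cxt);
    if (cxt == NULL)
        return NULL;
    cxt->search_string_size = strlen(seed) + 1;
    cxt->search_string = malloc(cxt->search_string_size);
    if (cxt->search_string == NULL) {
        free(cxt);
        return NULL;
    }
    memcpy(cxt->search_string, seed, cxt->search_string_size);
    return cxt;
}

/* Buggy dispose: releases the buffer but leaves the dangling pointer in
   place, so a second cleanup path (an explicit cleanup followed by a generic
   dispose, say) frees the same block again.  Under ASan the second call
   reports "attempting double-free".  Deliberately wrong: never call it twice
   on the same context. */
void search_ctx_dispose_buggy(struct search_ctx *cxt)
{
    free(cxt->search_string);
    cxt->free_calls++;
}

/* Hardened dispose: free exactly once, then clear the pointer and size so
   every later call is a no-op.  Returns 1 if this call released the buffer,
   0 if there was nothing left to release (including a NULL context). */
int search_ctx_dispose(struct search_ctx *cxt)
{
    if (cxt == NULL || cxt->search_string == NULL)
        return 0;
    free(cxt->search_string);
    cxt->search_string = NULL;
    cxt->search_string_size = 0;
    cxt->free_calls++;
    return 1;
}

/* Drive the hardened dispose through the two-cleanup-path scenario and
   report whether it stayed safe: exactly one free, pointer cleared. */
int double_dispose_is_safe(void)
{
    struct search_ctx *cxt = search_ctx_new("grep");
    if (cxt == NULL)
        return 0;
    int first = search_ctx_dispose(cxt);    /* releases the buffer */
    int second = search_ctx_dispose(cxt);   /* must be a no-op */
    int ok = first == 1 && second == 0 && cxt->free_calls == 1
             && cxt->search_string == NULL && cxt->search_string_size == 0;
    free(cxt);
    return ok;
}

int main(void)
{
    int ok = double_dispose_is_safe();
    printf("hardened dispose survives a second call: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The instrumentation counter exists only so the behaviour can be checked without a sanitizer; the real defence is the NULL-after-free plus the NULL check at the top of the dispose, which makes the function safe to reach from any number of cleanup paths. When a test like the one in the thread runs against a system readline that still has the bug, ASan on the gdb side will still report the double free, because the faulty free() happens inside libreadline regardless of how gdb is built.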


