Comments (2)
Adding the callstack as well, you can see it originates from sandbox::MemoryServiceProvider::run():
Temporary breakpoint 1, 0x000000000040d790 in main ()
(gdb) c
Continuing.
[New Thread 0x7faea05e5700 (LWP 1765)]
[Detaching after vfork from child process 1766]
Thread 2 "test-sandbox-rp" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7faea05e5700 (LWP 1765)]
0x00007faea0bad4fb in snmalloc::RBTree<snmalloc::BuddyChunkRep<sandbox::SharedAllocConfig::Pagemap>, false, false>::insert_path(snmalloc::RBTree<snmalloc::BuddyChunkRep<sandbox::SharedAllocConfig::Pagemap>, false, false>::RBPath&, unsigned long) () from /verona/experiments/process_sandbox/build-ninja/libsandbox.so
(gdb) bt
#0 0x00007faea0bad4fb in snmalloc::RBTree<snmalloc::BuddyChunkRep<sandbox::SharedAllocConfig::Pagemap>, false, false>::insert_path(snmalloc::RBTree<snmalloc::BuddyChunkRep<sandbox::SharedAllocConfig::Pagemap>, false, false>::RBPath&, unsigned long) () from /verona/experiments/process_sandbox/build-ninja/libsandbox.so
#1 0x00007faea0babb20 in snmalloc::Buddy<snmalloc::BuddyChunkRep<sandbox::SharedAllocConfig::Pagemap>, 14ul, 63ul>::add_block(unsigned long, unsigned long) () from /verona/experiments/process_sandbox/build-ninja/libsandbox.so
#2 0x00007faea0bab7ca in sandbox::SharedAllocConfig::dealloc_range(sandbox::SharedAllocConfig::LocalState&, snmalloc::CapPtr<void, snmalloc::capptr::bound<(snmalloc::capptr::dimension::Spatial)1, (snmalloc::capptr::dimension::AddressSpaceControl)1, (snmalloc::capptr::dimension::Wildness)1> >, unsigned long) () from /verona/experiments/process_sandbox/build-ninja/libsandbox.so
#3 0x00007faea0bab3b0 in sandbox::MemoryServiceProvider::run() () from /verona/experiments/process_sandbox/build-ninja/libsandbox.so
#4 0x00007faea0a1dde4 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#5 0x00007faea0b39609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#6 0x00007faea070a163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) x/2i $pc
=> 0x7faea0bad4fb <_ZN8snmalloc6RBTreeINS_13BuddyChunkRepIN7sandbox17SharedAllocConfig7PagemapEEELb0ELb0EE11insert_pathERNS6_6RBPathEm+1323>: mov %rbx,(%rcx)
0x7faea0bad4fe <_ZN8snmalloc6RBTreeINS_13BuddyChunkRepIN7sandbox17SharedAllocConfig7PagemapEEELb0ELb0EE11insert_pathERNS6_6RBPathEm+1326>: mov 0x52853(%rip),%rbx # 0x7faea0bffd58
(gdb) x/2gx $rcx
0x7faea0babb20 <_ZN8snmalloc5BuddyINS_13BuddyChunkRepIN7sandbox17SharedAllocConfig7PagemapEEELm14ELm63EE9add_blockEmm+128>: 0x000810c48148c031 0x5e415d415c415b00
(gdb) x/4i $rcx
0x7faea0babb20 <_ZN8snmalloc5BuddyINS_13BuddyChunkRepIN7sandbox17SharedAllocConfig7PagemapEEELm14ELm63EE9add_blockEmm+128>: xor %eax,%eax
0x7faea0babb22 <_ZN8snmalloc5BuddyINS_13BuddyChunkRepIN7sandbox17SharedAllocConfig7PagemapEEELm14ELm63EE9add_blockEmm+130>: add $0x810,%rsp
0x7faea0babb29 <_ZN8snmalloc5BuddyINS_13BuddyChunkRepIN7sandbox17SharedAllocConfig7PagemapEEELm14ELm63EE9add_blockEmm+137>: pop %rbx
0x7faea0babb2a <_ZN8snmalloc5BuddyINS_13BuddyChunkRepIN7sandbox17SharedAllocConfig7PagemapEEELm14ELm63EE9add_blockEmm+138>: pop %r12
(gdb)
In case *p does not contain an unaligned address, the following modification could be made to trigger the issue:
// original call, left commented out:
//error = try_dealloc(reinterpret_cast<const char*>(*p), snmalloc::MIN_CHUNK_SIZE);
// pass chunk base + 0x100 instead, an address that is not MIN_CHUNK_SIZE aligned:
error = try_dealloc(reinterpret_cast<const char*>(allocs[0]+0x100), snmalloc::MIN_CHUNK_SIZE);
error = try_dealloc(reinterpret_cast<const char*>(allocs[1]+0x100), snmalloc::MIN_CHUNK_SIZE);
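The gdb session above shows what an unchecked request from the child costs the parent: dealloc_range hands the address to the buddy allocator, and the faulting `mov %rbx,(%rcx)` in RBTree::insert_path writes through %rcx, which gdb resolves to add_block+128 inside libsandbox.so's own text, so a pointer computed for the request is garbage by the time the tree is updated. The defensive counterpart is to validate the untrusted (address, size) pair on plain integers before any allocator state is touched. The following C model is an added example, not snmalloc or the Verona process_sandbox code; the region base, chunk size, bitmap tracker and the names grant_range, validate_dealloc, handle_dealloc and replay_poc are all hypothetical, and replay_poc reproduces the shape of the PoC in the comment above (chunk base + 0x100 with a chunk-sized length).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed model of a parent-side memory service validating dealloc
 * requests from an untrusted sandboxed child. Region layout, chunk size and
 * all names are hypothetical; this is not snmalloc or the Verona code.
 */
#define CHUNK_SHIFT   14u                    /* hypothetical 16 KiB chunks */
#define CHUNK_SIZE    (1ull << CHUNK_SHIFT)
#define REGION_BASE   0x7f0000000000ull      /* hypothetical shared region */
#define REGION_CHUNKS 4096u                  /* 64 MiB of chunks */
#define REGION_SIZE   ((uint64_t)REGION_CHUNKS * CHUNK_SIZE)

enum dealloc_status {
    DEALLOC_OK = 0,
    DEALLOC_UNALIGNED,      /* base is not a multiple of CHUNK_SIZE */
    DEALLOC_BAD_SIZE,       /* size is zero or not a multiple of CHUNK_SIZE */
    DEALLOC_OUT_OF_REGION,  /* [base, base+size) is not inside the shared region */
    DEALLOC_NOT_ALLOCATED,  /* a chunk in the range is not currently handed out */
};

/* One bit per chunk: 1 = handed out to the child, 0 = free. */
struct region_state { uint8_t allocated[REGION_CHUNKS / 8]; };

static bool chunk_is_allocated(const struct region_state *s, uint64_t idx)
{
    return (s->allocated[idx / 8] >> (idx % 8)) & 1u;
}

static void set_chunk(struct region_state *s, uint64_t idx, bool on)
{
    if (on) s->allocated[idx / 8] |= (uint8_t)(1u << (idx % 8));
    else    s->allocated[idx / 8] &= (uint8_t)~(1u << (idx % 8));
}

/* Parent-side bookkeeping: [base, base+size) was handed to the child (trusted input). */
void grant_range(struct region_state *s, uint64_t base, uint64_t size)
{
    for (uint64_t a = base; a < base + size; a += CHUNK_SIZE)
        set_chunk(s, (a - REGION_BASE) >> CHUNK_SHIFT, true);
}

/*
 * Check an untrusted (base, size) pair before it reaches allocator state.
 * Every check is on integers, so a bad request dereferences nothing.
 */
enum dealloc_status validate_dealloc(const struct region_state *s,
                                     uint64_t base, uint64_t size)
{
    if (base & (CHUNK_SIZE - 1))                return DEALLOC_UNALIGNED;
    if (size == 0 || (size & (CHUNK_SIZE - 1))) return DEALLOC_BAD_SIZE;
    if (size > REGION_SIZE)                     return DEALLOC_OUT_OF_REGION; /* keeps base+size from wrapping */
    if (base < REGION_BASE || base > REGION_BASE + REGION_SIZE - size)
        return DEALLOC_OUT_OF_REGION;
    for (uint64_t a = base; a < base + size; a += CHUNK_SIZE)
        if (!chunk_is_allocated(s, (a - REGION_BASE) >> CHUNK_SHIFT))
            return DEALLOC_NOT_ALLOCATED;
    return DEALLOC_OK;
}

/* Hardened service entry point: validate first, only then release chunks. */
enum dealloc_status handle_dealloc(struct region_state *s, uint64_t base, uint64_t size)
{
    enum dealloc_status st = validate_dealloc(s, base, size);
    if (st != DEALLOC_OK)
        return st;          /* the child gets an error code, the parent does not crash */
    for (uint64_t a = base; a < base + size; a += CHUNK_SIZE)
        set_chunk(s, (a - REGION_BASE) >> CHUNK_SHIFT, false);
    return DEALLOC_OK;
}

/* Replays the shape of the PoC above: chunk base + 0x100 with a chunk-sized length. */
enum dealloc_status replay_poc(void)
{
    struct region_state s;
    memset(&s, 0, sizeof s);
    uint64_t chunk0 = REGION_BASE;             /* stands in for allocs[0] */
    grant_range(&s, chunk0, CHUNK_SIZE);
    return handle_dealloc(&s, chunk0 + 0x100, CHUNK_SIZE);  /* rejected as DEALLOC_UNALIGNED */
}
```

The ordering of the checks matters: the size bound is tested before the range bound so that base + size cannot wrap, and the per-chunk ownership walk runs only once alignment and bounds are known good, so every index it computes is inside the bitmap.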
Related Issues (20)
- what is the meaning of mut-view?
- Question about when expression scheduling
- security issue in DeallocChunk - double free
- security issue in DeallocChunk - lack bounds check on size
- cross sandbox DOS in handle
- Issue in `handle` - use of uninitialized stack due to lack of return value check
- verona-mlir do not support cown, when
- `handle` doesn't check the return value of send
- sandbox can violate of sizeclass assert in snmalloc
- check for failure in Library.alloc
- Problem about iso type class field
- Why not use a more C/C++ like syntax?
- verona develop progress, any compare with google carbon language.
- Is this project dead?
- Move to later version of Mac OS
- so it has eventually died?
- Fuzzing failure
- Shadowing of Self type name leads to looping in structure pass
- Looping in validtypeargs pass