DynArray[-1] bad mem access in unit InfoDwrf
Original Reporter info from Mantis: Martin @martin_frb
- Reporter name: Martin Friebe
Description:
The valgrind output below is from Linux. // Code review done on Windows
InfoDwrf line 964:
Abbrev_Attrs[nr]:=nil;
This is in
procedure ReadAbbrevTable;
var
nr,
...
PrevHigh : Int64;
begin
...
nr:=ReadULEB128;
...
Abbrev_Attrs[nr]:=nil;
ReadULEB128 returns a QWord, so this could be cast to -1 or -2 ....
If nr is -2 or -3 (the dyn-array header is part of the allocated memory), then the valgrind traces below could maybe be explained:
==105501== Address 0x1e8ebdf8 is 8 bytes before a block of size 152 alloc'd
which points to a negative index.
------------------------
Not checked if any other ReadULEB128 call is affected....
Steps to reproduce:
==105501== Invalid read of size 8
==105501==    at 0x43C994: SYSTEM_$$_WAITFREE_VAR$PMEMCHUNK_VAR (heap.inc:1123)
==105501==    by 0x43CAF3: SYSTEM_$$_SYSFREEMEM_VAR$PFREELISTS$PMEMCHUNK_VAR$$QWORD (heap.inc:1183)
==105501==    by 0x43CC26: SYSTEM_$$_SYSFREEMEM$POINTER$$QWORD (heap.inc:1225)
==105501==    by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501==    by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501==    by 0x432AB6: fpc_dynarray_setlength (dynarr.inc:208)
==105501==    by 0x449516: LNFODWRF_$$_READABBREVTABLE (lnfodwrf.pp:964)
==105501==    by 0x449845: LNFODWRF_$$_PARSECOMPILATIONUNITFORFUNCTIONNAME$QWORD$WORD$QWORD$SHORTSTRING$BOOLEAN$$QWORD (lnfodwrf.pp:1220)
==105501==    by 0x44A046: LNFODWRF_$$_GETLINEINFO$QWORD$SHORTSTRING$SHORTSTRING$LONGINT$$BOOLEAN (lnfodwrf.pp:1346)
==105501==    by 0x44A13A: LNFODWRF_$$_DWARFBACKTRACESTR$POINTER$$SHORTSTRING (lnfodwrf.pp:1386)
==105501==    by 0x50CBE8: SYSUTILS_$$_CATCHUNHANDLEDEXCEPTION$TOBJECT$POINTER$LONGINT$PCODEPOINTER (sysutils.inc:321)
==105501==    by 0x436312: SYSTEM_$$_DOUNHANDLEDEXCEPTION (except.inc:144)
==105501==  Address 0x1e8ebdf8 is 8 bytes before a block of size 152 alloc'd
==105501==    at 0x483BCE8: realloc (vg_replace_malloc.c:834)
==105501==    by 0x44BB3D: CMEM_$$_CREALLOCMEM$POINTER$QWORD$$POINTER (cmem.pp:123)
==105501==    by 0x43B52E: SYSTEM_$$_REALLOCMEM$POINTER$QWORD$$POINTER (heap.inc:350)
==105501==    by 0x432CBF: fpc_dynarray_setlength (dynarr.inc:270)
==105501==    by 0x449560: LNFODWRF_$$_READABBREVTABLE (lnfodwrf.pp:970)
==105501==    by 0x449845: LNFODWRF_$$_PARSECOMPILATIONUNITFORFUNCTIONNAME$QWORD$WORD$QWORD$SHORTSTRING$BOOLEAN$$QWORD (lnfodwrf.pp:1220)
==105501==    by 0x44A046: LNFODWRF_$$_GETLINEINFO$QWORD$SHORTSTRING$SHORTSTRING$LONGINT$$BOOLEAN (lnfodwrf.pp:1346)
==105501==    by 0x44A13A: LNFODWRF_$$_DWARFBACKTRACESTR$POINTER$$SHORTSTRING (lnfodwrf.pp:1386)
==105501==    by 0x91EC37: FPCUNIT_$$_POINTERTOLOCATIONINFO$POINTER$$ANSISTRING (fpcunit.pp:399)
==105501==    by 0x91F611: FPCUNIT$_$TTESTFAILURE_$__$$_GETLOCATIONINFO$$ANSISTRING (fpcunit.pp:501)
==105501==    by 0x475D15: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_ADDFAILURE$TTEST$TTESTFAILURE (guitestrunner.pas:883)
==105501==    by 0x926EFA: FPCUNIT$_$TTESTRESULT_$__$$_ADDFAILURE$TTEST$EASSERTIONFAILEDERROR$TFPLIST$POINTER (fpcunit.pp:1526)
==105501==
==105501== Invalid write of size 8
==105501==    at 0x43C99C: SYSTEM_$$_WAITFREE_VAR$PMEMCHUNK_VAR (heap.inc:1123)
==105501==    by 0x43CAF3: SYSTEM_$$_SYSFREEMEM_VAR$PFREELISTS$PMEMCHUNK_VAR$$QWORD (heap.inc:1183)
==105501==    by 0x43CC26: SYSTEM_$$_SYSFREEMEM$POINTER$$QWORD (heap.inc:1225)
==105501==    by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501==    by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501==    by 0x432AB6: fpc_dynarray_setlength (dynarr.inc:208)
==105501==    by 0x449516: LNFODWRF_$$_READABBREVTABLE (lnfodwrf.pp:964)
==105501==    by 0x449845: LNFODWRF_$$_PARSECOMPILATIONUNITFORFUNCTIONNAME$QWORD$WORD$QWORD$SHORTSTRING$BOOLEAN$$QWORD (lnfodwrf.pp:1220)
==105501==    by 0x44A046: LNFODWRF_$$_GETLINEINFO$QWORD$SHORTSTRING$SHORTSTRING$LONGINT$$BOOLEAN (lnfodwrf.pp:1346)
==105501==    by 0x44A13A: LNFODWRF_$$_DWARFBACKTRACESTR$POINTER$$SHORTSTRING (lnfodwrf.pp:1386)
==105501==    by 0x50CBE8: SYSUTILS_$$_CATCHUNHANDLEDEXCEPTION$TOBJECT$POINTER$LONGINT$PCODEPOINTER (sysutils.inc:321)
==105501==    by 0x436312: SYSTEM_$$_DOUNHANDLEDEXCEPTION (except.inc:144)
==105501==  Address 0x257eddfb is 273,067 bytes inside a block of size 493,590 free'd
==105501==    at 0x483A9F5: free (vg_replace_malloc.c:538)
==105501==    by 0x44BA1F: CMEM_$$_CFREEMEM$POINTER$$QWORD (cmem.pp:75)
==105501==    by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501==    by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501==    by 0x432AB6: fpc_dynarray_setlength (dynarr.inc:208)
==105501==    by 0x4C3765: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM$TENCODING (stringl.inc:1489)
==105501==    by 0x4C33FA: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM$BOOLEAN (stringl.inc:1427)
==105501==    by 0x4C3381: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM (stringl.inc:1405)
==105501==    by 0x4767C2: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_RUNTEST$TTEST (guitestrunner.pas:1044)
==105501==    by 0x473CD7: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_RUNEXECUTE$TOBJECT (guitestrunner.pas:393)
==105501==    by 0x4CBBDC: CLASSES$_$TBASICACTION_$__$$_EXECUTE$$BOOLEAN (action.inc:124)
==105501==    by 0x81006A: ACTNLIST$_$TCONTAINEDACTION_$__$$_EXECUTE$$BOOLEAN (containedaction.inc:98)
==105501==  Block was alloc'd at
==105501==    at 0x483BCE8: realloc (vg_replace_malloc.c:834)
==105501==    by 0x44BB3D: CMEM_$$_CREALLOCMEM$POINTER$QWORD$$POINTER (cmem.pp:123)
==105501==    by 0x43B52E: SYSTEM_$$_REALLOCMEM$POINTER$QWORD$$POINTER (heap.inc:350)
==105501==    by 0x432C94: fpc_dynarray_setlength (dynarr.inc:266)
==105501==    by 0x4C36CF: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM$TENCODING (stringl.inc:1483)
==105501==    by 0x4C33FA: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM$BOOLEAN (stringl.inc:1427)
==105501==    by 0x4C3381: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM (stringl.inc:1405)
==105501==    by 0x4767C2: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_RUNTEST$TTEST (guitestrunner.pas:1044)
==105501==    by 0x473CD7: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_RUNEXECUTE$TOBJECT (guitestrunner.pas:393)
==105501==    by 0x4CBBDC: CLASSES$_$TBASICACTION_$__$$_EXECUTE$$BOOLEAN (action.inc:124)
==105501==    by 0x81006A: ACTNLIST$_$TCONTAINEDACTION_$__$$_EXECUTE$$BOOLEAN (containedaction.inc:98)
==105501==    by 0x812C7D: ACTNLIST$_$TCUSTOMACTION_$__$$_EXECUTE$$BOOLEAN (customaction.inc:246)
==105501==
==105501==
==105501== Thread 1:
==105501== Invalid read of size 8
==105501==    at 0x43CAE1: SYSTEM_$$_SYSFREEMEM_VAR$PFREELISTS$PMEMCHUNK_VAR$$QWORD (heap.inc:1180)
==105501==    by 0x43CC26: SYSTEM_$$_SYSFREEMEM$POINTER$$QWORD (heap.inc:1225)
==105501==    by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501==    by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501==    by 0x439004: fpc_finalize (rtti.inc:268)
==105501==    by 0x44A30B: LNFODWRF_$$_finalize$ (lnfodwrf.pp:1417)
==105501==    by 0x43A078: SYSTEM_$$_FINALIZEUNITS (system.inc:1009)
==105501==    by 0x43A3E8: SYSTEM_$$_INTERNALEXIT (system.inc:1090)
==105501==    by 0x43A438: fpc_do_exit (system.inc:1133)
==105501==    by 0x41F208: main (LazDebFpTest.lpr:18)
==105501==  Address 0x18c63d38 is 8 bytes before a block of size 8,224 alloc'd
==105501==    at 0x4839809: malloc (vg_replace_malloc.c:307)
==105501==    by 0x44B9D8: CMEM_$$_CGETMEM$QWORD$$POINTER (cmem.pp:62)
==105501==    by 0x43B369: SYSTEM_$$_GETMEM$POINTER$QWORD (heap.inc:284)
==105501==    by 0x432A55: fpc_dynarray_setlength (dynarr.inc:194)
==105501==    by 0x449421: LNFODWRF_$$_READABBREVTABLE (lnfodwrf.pp:947)
==105501==    by 0x449845: LNFODWRF_$$_PARSECOMPILATIONUNITFORFUNCTIONNAME$QWORD$WORD$QWORD$SHORTSTRING$BOOLEAN$$QWORD (lnfodwrf.pp:1220)
==105501==    by 0x44A046: LNFODWRF_$$_GETLINEINFO$QWORD$SHORTSTRING$SHORTSTRING$LONGINT$$BOOLEAN (lnfodwrf.pp:1346)
==105501==    by 0x44A13A: LNFODWRF_$$_DWARFBACKTRACESTR$POINTER$$SHORTSTRING (lnfodwrf.pp:1386)
==105501==    by 0x91EC37: FPCUNIT_$$_POINTERTOLOCATIONINFO$POINTER$$ANSISTRING (fpcunit.pp:399)
==105501==    by 0x91F611: FPCUNIT$_$TTESTFAILURE_$__$$_GETLOCATIONINFO$$ANSISTRING (fpcunit.pp:501)
==105501==    by 0x475D15: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_ADDFAILURE$TTEST$TTESTFAILURE (guitestrunner.pas:883)
==105501==    by 0x926EFA: FPCUNIT$_$TTESTRESULT_$__$$_ADDFAILURE$TTEST$EASSERTIONFAILEDERROR$TFPLIST$POINTER (fpcunit.pp:1526)
==105501==
==105501== Invalid read of size 8
==105501==    at 0x43C97D: SYSTEM_$$_WAITFREE_VAR$PMEMCHUNK_VAR (heap.inc:1122)
==105501==    by 0x43CAF3: SYSTEM_$$_SYSFREEMEM_VAR$PFREELISTS$PMEMCHUNK_VAR$$QWORD (heap.inc:1183)
==105501==    by 0x43CC26: SYSTEM_$$_SYSFREEMEM$POINTER$$QWORD (heap.inc:1225)
==105501==    by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501==    by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501==    by 0x439004: fpc_finalize (rtti.inc:268)
==105501==    by 0x44A30B: LNFODWRF_$$_finalize$ (lnfodwrf.pp:1417)
==105501==    by 0x43A078: SYSTEM_$$_FINALIZEUNITS (system.inc:1009)
==105501==    by 0x43A3E8: SYSTEM_$$_INTERNALEXIT (system.inc:1090)
==105501==    by 0x43A438: fpc_do_exit (system.inc:1133)
==105501==    by 0x41F208: main (LazDebFpTest.lpr:18)
==105501==  Address 0x18c63d38 is 8 bytes before a block of size 8,224 alloc'd
==105501==    at 0x4839809: malloc (vg_replace_malloc.c:307)
==105501==    by 0x44B9D8: CMEM_$$_CGETMEM$QWORD$$POINTER (cmem.pp:62)
==105501==    by 0x43B369: SYSTEM_$$_GETMEM$POINTER$QWORD (heap.inc:284)
==105501==    by 0x432A55: fpc_dynarray_setlength (dynarr.inc:194)
==105501==    by 0x449421: LNFODWRF_$$_READABBREVTABLE (lnfodwrf.pp:947)
==105501==    by 0x449845: LNFODWRF_$$_PARSECOMPILATIONUNITFORFUNCTIONNAME$QWORD$WORD$QWORD$SHORTSTRING$BOOLEAN$$QWORD (lnfodwrf.pp:1220)
==105501==    by 0x44A046: LNFODWRF_$$_GETLINEINFO$QWORD$SHORTSTRING$SHORTSTRING$LONGINT$$BOOLEAN (lnfodwrf.pp:1346)
==105501==    by 0x44A13A: LNFODWRF_$$_DWARFBACKTRACESTR$POINTER$$SHORTSTRING (lnfodwrf.pp:1386)
==105501==    by 0x91EC37: FPCUNIT_$$_POINTERTOLOCATIONINFO$POINTER$$ANSISTRING (fpcunit.pp:399)
==105501==    by 0x91F611: FPCUNIT$_$TTESTFAILURE_$__$$_GETLOCATIONINFO$$ANSISTRING (fpcunit.pp:501)
==105501==    by 0x475D15: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_ADDFAILURE$TTEST$TTESTFAILURE (guitestrunner.pas:883)
==105501==    by 0x926EFA: FPCUNIT$_$TTESTRESULT_$__$$_ADDFAILURE$TTEST$EASSERTIONFAILEDERROR$TFPLIST$POINTER (fpcunit.pp:1526)
==105501==
==105501== Invalid read of size 8
==105501==    at 0x43C985: SYSTEM_$$_WAITFREE_VAR$PMEMCHUNK_VAR (heap.inc:1122)
==105501==    by 0x43CAF3: SYSTEM_$$_SYSFREEMEM_VAR$PFREELISTS$PMEMCHUNK_VAR$$QWORD (heap.inc:1183)
==105501==    by 0x43CC26: SYSTEM_$$_SYSFREEMEM$POINTER$$QWORD (heap.inc:1225)
==105501==    by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501==    by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501==    by 0x439004: fpc_finalize (rtti.inc:268)
==105501==    by 0x44A30B: LNFODWRF_$$_finalize$ (lnfodwrf.pp:1417)
==105501==    by 0x43A078: SYSTEM_$$_FINALIZEUNITS (system.inc:1009)
==105501==    by 0x43A3E8: SYSTEM_$$_INTERNALEXIT (system.inc:1090)
==105501==    by 0x43A438: fpc_do_exit (system.inc:1133)
==105501==    by 0x41F208: main (LazDebFpTest.lpr:18)
==105501==  Address 0x1fea1 is not stack'd, malloc'd or (recently) free'd
==105501==
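The failure mode the report points at (an unsigned LEB128 value taken straight from the debug-info stream and used as a dynamic-array index, so a value near 2^64 is reinterpreted as a negative index) can be shown with a small C model. This is an added example, not code from the Free Pascal RTL; the decoder, the sample encodings and the function names are constructed for illustration, and the table size `ABBREV_SLOTS` is an assumption.

```c
#include <stdint.h>
#include <stddef.h>

/* Decode one unsigned LEB128 value from buf[0..len).  Returns the number of
 * bytes consumed, or 0 if the encoding is truncated or wider than 64 bits. */
size_t read_uleb128(const uint8_t *buf, size_t len, uint64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t b = buf[i];
        if (shift > 63 || (shift == 63 && (b & 0x7f) > 1))
            return 0;                      /* value would not fit a QWord */
        result |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if ((b & 0x80) == 0) { *out = result; return i + 1; }
    }
    return 0;                              /* ran past the end of the buffer */
}

/* Models the unchecked pattern Abbrev_Attrs[nr]: the QWord is reinterpreted
 * as a signed index, so 0xFFFFFFFFFFFFFFFF becomes -1 (the DynArray[-1] of
 * the report title).  Malformed input yields 0 here; no memory is touched. */
int64_t unchecked_index(const uint8_t *buf, size_t len)
{
    uint64_t nr = 0;
    read_uleb128(buf, len, &nr);
    return (int64_t)nr;
}

/* Hardened read: the code is validated against the table size before it is
 * ever used as an index.  Returns the index (>= 0), -1 for a malformed
 * LEB128, -2 if the code does not fit the table. */
int64_t read_abbrev_code(const uint8_t *buf, size_t len, size_t slots)
{
    uint64_t nr;
    if (read_uleb128(buf, len, &nr) == 0) return -1;
    if (nr >= slots) return -2;
    return (int64_t)nr;
}

/* Constructed sample encodings (not taken from the report). */
static const uint8_t good_code[]      = { 0x05 };                 /* 5 */
static const uint8_t huge_code[]      = { 0xff, 0xff, 0xff, 0xff, 0xff,
                                          0xff, 0xff, 0xff, 0xff, 0x01 }; /* 2^64-1 */
static const uint8_t truncated_code[] = { 0x80 };                 /* continuation, no next byte */
#define ABBREV_SLOTS 8   /* assumed table length for the demo */
```

The same `nr >= slots` check, applied before `Abbrev_Attrs[nr]` and before any `SetLength` driven by `nr`, is the defender-side fix the report implies; a fuzzer feeding corrupt `.debug_abbrev` data to the line-info reader is the quickest way to confirm it.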
Mantis conversion info:
- Mantis ID: 38302
- OS: any
- OS Build: any
- Platform: Win / Linux
- Version: 3.2.0