From 95316628378f3802f091a69a715a179e210fd1d8 Mon Sep 17 00:00:00 2001
From: Alexander Kyte <alexmkyte@gmail.com>
Date: Mon, 11 Feb 2019 09:11:11 -0500
Subject: [PATCH] [crash] Use safer invalid-free test (#12864)
When using the previous test, some memory unsafety was
observed. It's rather unrecoverable memory unsafety, as
it corrupts heap memory used by the sequence points, registered MERP
paths, jit info internals, and output string.
Crashes seen here: https://github.com/mono/mono/pull/12387 reproduce
with less than 100 iterations of this malloc test run as the stress
test.
```
(MonoJitInfoTable) $2 = {
domain = 0x5050505050505050
num_chunks = 1347440720
num_valid = 1347440720
chunks = {}
}
```
with
```
(lldb) p/x 1347440720
(int) $0 = 0x50505050
```
And sometimes the mono crash
```
(lldb) p *it
(SeqPointIterator) $3 = {
seq_point = (il_offset = 0, native_offset = 0, flags = 0, next_offset = 0, next_len = 0)
ptr = 0x5050505050505050 <no value available>
begin = 0x5050505050505050 <no value available>
end = 0x5050505050505064 <no value available>
has_debug_data = 0
}
```
===
These do not reproduce when doing a double free of legally allocated
memory.
I think that the crash reporting tests aren't the place to check if the
OS allows for wild heap corruption when doing these things. I don't
think it's currently in scope for the runtime to do crash reporting
after its internal metadata tables have been corrupted. They're the
source of truth for symbolication. We don't have many options to
validate and reparse them, unless we want to make this all very
heavyweight.
---
mono/tests/libtest.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/mono/tests/libtest.c b/mono/tests/libtest.c
index ace5bab7c9bf..8688c3a76b5c 100644
--- a/mono/tests/libtest.c
+++ b/mono/tests/libtest.c
@@ -7705,10 +7705,11 @@ mono_test_MerpCrashDladdr (void)
LIBTEST_API void STDCALL
mono_test_MerpCrashMalloc (void)
{
- void *mem = malloc (sizeof (char) * 10);
- memset (mem, sizeof (mem) * 10, 'A');
- int x = 100;
- g_free (&x);
+ gpointer x = g_malloc (sizeof(gpointer));
+ g_free (x);
+
+ // Double free
+ g_free (x);
}
LIBTEST_API void STDCALL
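Review bot: The second `g_free (x)` relies on the allocator detecting the repeated free and aborting, which the hunk does not document and which is not guaranteed on every platform or malloc implementation, so the test may crash as intended under one allocator and return silently (or quietly corrupt the heap) under another, making the crash-reporting stress test pass vacuously. The `// Double free` comment should state the expectation, e.g. `// Intentional double free: the test expects the allocator to detect it and abort so the crash reporter runs; whether it is detected rather than silently corrupting the heap depends on the platform allocator.` Minor style point: `sizeof(gpointer)` omits the space before the parenthesis that the surrounding file uses (`sizeof (char)`, `g_malloc (`, `g_free (`).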