@erikcorry
Created February 21, 2025 12:31
python3 ../../tools/run.py ./mksnapshot --turbo_instruction_scheduling --stress-turbo-late-spilling --target_os=linux --target_arch=x64 --embedded_src gen/embedded.S --predictable --no-use-ic --embedded_variant Default --random-seed 314159265 --startup_src gen/snapshot.cc --native-code-counters --concurrent-builtin-generation --concurrent-turbofan-max-threads=0 --verify-heap
=================================================================
==1412959==ERROR: AddressSanitizer: heap-use-after-free on address 0x75a4a36202c0 at pc 0x5c2e6e9dca2f bp 0x7ffece69cad0 sp 0x7ffece69cac8
READ of size 8 at 0x75a4a36202c0 thread T0
#0 0x5c2e6e9dca2e in v8::internal::VirtualMemory::Free() src/utils/allocation.cc:286:52
#1 0x5c2e6cec2c69 in v8::internal::CodeRange::Free() src/heap/code-range.cc:361:24
#2 0x5c2e6cec2c69 in v8::internal::CodeRange::~CodeRange() src/heap/code-range.cc:93:27
#3 0x5c2e6d66c7c6 in std::__Cr::default_delete<v8::internal::CodeRange>::operator()(v8::internal::CodeRange*) const third_party/libc++/src/include/__memory/unique_ptr.h:78:5
#4 0x5c2e6d66c7c6 in std::__Cr::unique_ptr<v8::internal::CodeRange, std::__Cr::default_delete<v8::internal::CodeRange>>::reset(v8::internal::CodeRange*) third_party/libc++/src/include/__memory/unique_ptr.h:300:7
#5 0x5c2e6d66c7c6 in v8::internal::IsolateGroup::~IsolateGroup() src/init/isolate-group.cc:77:15
#6 0x5c2e6d66d407 in v8::internal::IsolateGroup::Release() src/init/isolate-group.cc:192:5
#7 0x5c2e6d66d203 in v8::internal::IsolateGroup::ReleaseDefault() src/init/isolate-group.cc:300:10
#8 0x5c2e6d66d203 in v8::internal::IsolateGroup::TearDownOncePerProcess() src/init/isolate-group.cc:167:47
#9 0x5c2e6d670708 in v8::internal::V8::Dispose() src/init/v8.cc:262:3
#10 0x5c2e6c516398 in v8::V8::Dispose() src/api/api.cc:6758:3
#11 0x5c2e6c44d00b in main src/snapshot/mksnapshot.cc:327:3
#12 0x7894a4429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
0x75a4a36202c0 is located 0 bytes inside of 224-byte region [0x75a4a36202c0,0x75a4a36203a0)
freed by thread T0 here:
#0 0x5c2e6c43c222 in operator delete(void*, unsigned long) /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cpp:155:3
#1 0x5c2e6e9dd11e in std::__Cr::default_delete<v8::base::BoundedPageAllocator>::operator()(v8::base::BoundedPageAllocator*) const third_party/libc++/src/include/__memory/unique_ptr.h:78:5
#2 0x5c2e6e9dd11e in std::__Cr::unique_ptr<v8::base::BoundedPageAllocator, std::__Cr::default_delete<v8::base::BoundedPageAllocator>>::reset(v8::base::BoundedPageAllocator*) third_party/libc++/src/include/__memory/unique_ptr.h:300:7
#3 0x5c2e6e9dd11e in v8::internal::VirtualMemoryCage::Free() src/utils/allocation.cc:359:21
#4 0x5c2e6d66d3f6 in v8::internal::IsolateGroup::Release() src/init/isolate-group.cc:185:18
#5 0x5c2e6d66d203 in v8::internal::IsolateGroup::ReleaseDefault() src/init/isolate-group.cc:300:10
#6 0x5c2e6d66d203 in v8::internal::IsolateGroup::TearDownOncePerProcess() src/init/isolate-group.cc:167:47
#7 0x5c2e6d670708 in v8::internal::V8::Dispose() src/init/v8.cc:262:3
#8 0x5c2e6c516398 in v8::V8::Dispose() src/api/api.cc:6758:3
#9 0x5c2e6c44d00b in main src/snapshot/mksnapshot.cc:327:3
#10 0x7894a4429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
previously allocated by thread T0 here:
#0 0x5c2e6c43b5bd in operator new(unsigned long) /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cpp:86:3
#1 0x5c2e6e9ddc22 in std::__Cr::unique_ptr<v8::base::BoundedPageAllocator, std::__Cr::default_delete<v8::base::BoundedPageAllocator>> std::__Cr::make_unique<v8::base::BoundedPageAllocator, v8::PageAllocator* const&, unsigned long const&, unsigned long const&, unsigned long const&, v8::base::PageInitializationMode const&, v8::base::PageFreeingMode const&, 0>(v8::PageAllocator* const&, unsigned long const&, unsigned long const&, unsigned long const&, v8::base::PageInitializationMode const&, v8::base::PageFreeingMode const&) third_party/libc++/src/include/__memory/unique_ptr.h:767:26
#2 0x5c2e6e9ddc22 in v8::internal::VirtualMemoryCage::InitReservation(v8::internal::VirtualMemoryCage::ReservationParams const&, v8::base::AddressRegion) src/utils/allocation.cc:348:21
#3 0x5c2e6d66cc58 in v8::internal::IsolateGroup::Initialize(bool) src/init/isolate-group.cc:115:21
#4 0x5c2e6d66cfdf in v8::internal::IsolateGroup::InitializeOncePerProcess() src/init/isolate-group.cc:148:10
#5 0x5c2e6d670208 in v8::internal::V8::Initialize() src/init/v8.cc:227:3
#6 0x5c2e6c51624e in v8::V8::Initialize(int) src/api/api.cc:6698:3
#7 0x5c2e6c44c4c1 in v8::V8::Initialize() include/v8-initialization.h:127:12
#8 0x5c2e6c44c4c1 in main src/snapshot/mksnapshot.cc:253:3
#9 0x7894a4429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-use-after-free src/utils/allocation.cc:286:52 in v8::internal::VirtualMemory::Free()
Shadow bytes around the buggy address:
0x75a4a3620000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x75a4a3620080: 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7
0x75a4a3620100: f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x75a4a3620180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x75a4a3620200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
=>0x75a4a3620280: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x75a4a3620300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x75a4a3620380: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
0x75a4a3620400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x75a4a3620480: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x75a4a3620500: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1412959==ABORTING
Return code is 1
ninja: build stopped: cannot make progress due to previous errors.
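The report above shows a teardown-order bug: in IsolateGroup::Release() the cage's BoundedPageAllocator is deleted first (the "freed by" stack), and only afterwards does ~IsolateGroup() destroy the CodeRange, whose VirtualMemory::Free() still dereferences that allocator. The following C++ is an added illustration of that ownership pattern and of one defensive way to make the dependent object refuse to touch an allocator that has already gone away; it is not V8 code, and PageAllocator, CodeRange, IsolateGroup and the two Release*() helpers here are hypothetical stand-ins, not the real classes.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <utility>

// Stand-in for v8::base::BoundedPageAllocator (assumed, not the real class).
// Counts FreePages() calls so a test can see whether the code range's pages
// were actually released through it.
class PageAllocator {
 public:
  bool FreePages(uintptr_t /*address*/, size_t /*size*/) {
    ++free_calls_;
    return true;
  }
  int free_calls() const { return free_calls_; }

 private:
  int free_calls_ = 0;
};

// Stand-in for v8::internal::CodeRange. Instead of a raw pointer it keeps a
// non-owning weak_ptr to the allocator: if the owning cage has already
// released the allocator, lock() returns null and Free() reports failure
// instead of reading freed memory.
class CodeRange {
 public:
  CodeRange(std::weak_ptr<PageAllocator> allocator, uintptr_t base, size_t size)
      : allocator_(std::move(allocator)), base_(base), size_(size) {}

  bool Free() {
    if (size_ == 0) return true;       // nothing reserved, nothing to do
    auto alloc = allocator_.lock();
    if (!alloc) return false;          // allocator already destroyed: refuse
    alloc->FreePages(base_, size_);
    size_ = 0;
    return true;
  }

  ~CodeRange() { Free(); }             // mirrors ~CodeRange() calling Free()

 private:
  std::weak_ptr<PageAllocator> allocator_;
  uintptr_t base_;
  size_t size_;
};

// Stand-in for IsolateGroup: the cage owns the allocator, the code range
// only borrows it. Members are declared in dependency order so the default
// destructor tears down code_range before cage_allocator.
struct IsolateGroup {
  std::shared_ptr<PageAllocator> cage_allocator =
      std::make_shared<PageAllocator>();
  std::unique_ptr<CodeRange> code_range =
      std::make_unique<CodeRange>(cage_allocator, 0x1000, 0x2000);
};

// Teardown in the order the ASan trace shows: the cage's allocator is freed
// first, then the code range is destroyed. With a weak_ptr this degrades to
// a reported failure rather than a heap-use-after-free.
bool ReleaseCageFirst() {
  IsolateGroup g;
  g.cage_allocator.reset();            // VirtualMemoryCage::Free()
  bool ok = g.code_range->Free();      // VirtualMemory::Free() via CodeRange
  g.code_range.reset();                // ~CodeRange(): also safe now
  return ok;
}

// The intended order: release the dependent code range while its allocator
// is still alive, then drop the allocator. Returns true only if the pages
// really went back through the allocator.
bool ReleaseCodeRangeFirst() {
  IsolateGroup g;
  int before = g.cage_allocator->free_calls();
  bool ok = g.code_range->Free();
  g.code_range.reset();
  int after = g.cage_allocator->free_calls();
  g.cage_allocator.reset();
  return ok && after == before + 1;
}
```

The weak_ptr turns a silent dangling read into a checkable failure; the actual fix for a report like this one is still to order the teardown so that everything borrowing the cage's allocator (the code range here) is released before VirtualMemoryCage::Free() runs, as ReleaseCodeRangeFirst() does.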