While running a few fuzz tests against libforth, I discovered multiple memory-corruption flaws in libforth version 4.0 at various locations. I have attached a zip archive named crash.zip for reproduction. The easiest way to reproduce them is to compile the project and run forth against the crash files, which exercise specific library functions (the AddressSanitizer reports shown below require a build instrumented with -fsanitize=address):
$ forth [name of reproduction file]
- Libforth v4.0 Out of bounds read in static void check_is_asciiz(jmp_buf *on_error, char *s, forth_cell_t end) at libforth/libforth.c, line 1436 (CVE-2024-30898)
- Libforth v4.0 Out of bounds read in static void print_stack(forth_t *o, FILE *out, forth_cell_t *S, forth_cell_t f) at libforth.c, line 1481 (CVE-2024-30899)
- Libforth v4.0 Stack-based buffer overflow in static int print_cell(forth_t *o, FILE *out, forth_cell_t u) at libforth.c, line 1367 (CVE-2024-30900)
- Libforth v4.0 Out of bounds read in static int match(forth_cell_t *m, forth_cell_t pwd, const char *s) at libforth.c, line 1306 (CVE-2024-30901)
- Libforth v4.0 Out of bounds write in static forth_cell_t compile(forth_t *o, forth_cell_t code, const char *str, forth_cell_t compiling, forth_cell_t hide) at libforth.c, line 1241 (CVE-2024-30902)
- Libforth v4.0 Out of bounds read in int forth_run(forth_t *o) at libforth/libforth.c (CVE-2024-30903)
- Libforth v4.0 Out of bounds read in static int forth_get_char(forth_t *o) at libforth.c (CVE-2024-30907)
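After triaging all of the crashes, I can confirm 17 distinct issues at the locations below. Each entry gives the faulting source line, a debugger register and disassembly snapshot taken at the crash, and the corresponding AddressSanitizer report: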
Out of bounds read (CWE-125) in static int match(forth_cell_t *m, forth_cell_t pwd, const char *s) at libforth.c, line 1306 when attempting to execute 'forth_cell_t len = WORD_LENGTH(m[pwd + 1]);':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1306
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x7ffff7d87010 ◂— 0xf010408485434ff
RCX 0x7ffff7f483c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
RDX 0x2000002da
RDI 0x7ffff7d87010 ◂— 0xf010408485434ff
RSI 0x7ffff7d87158 ◂— 0x2a /* '*' */
R8 0x8dc
R9 0x0
R10 0x7ffff7f47ac0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
R11 0x7ffff7f483c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
R12 0x2000002db
R13 0x7ffff7d87058 ◂— 0x0
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7fffffffdbd0 —▸ 0x7fffffffde98 ◂— 0x0
RBP 0x7ffff7d87158 ◂— 0x2a /* '*' */
RSP 0x7fffffffdb00 —▸ 0x7ffff7d87010 ◂— 0xf010408485434ff
RIP 0x555555559e23 (forth_find+67) ◂— mov rax, qword ptr [r13 + r12*8]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x555555559e23 <forth_find+67> mov rax, qword ptr [r13 + r12*8]
0x555555559e28 <forth_find+72> lea r14, [r12*8]
0x555555559e30 <forth_find+80> mov rbx, rax
0x555555559e33 <forth_find+83> and ebx, 0x80
0x555555559e39 <forth_find+89> jne forth_find+48 <forth_find+48>
↓
0x555555559e10 <forth_find+48> mov rdx, qword ptr [r13 + r14 - 8]
0x555555559e15 <forth_find+53> cmp rdx, 0x40
0x555555559e19 <forth_find+57> jbe forth_find+208 <forth_find+208>
↓
0x555555559eb0 <forth_find+208> xor r12d, r12d
0x555555559eb3 <forth_find+211> jmp forth_find+172 <forth_find+172>
↓
0x555555559e8c <forth_find+172> add rsp, 8
==1122143==ERROR: AddressSanitizer: SEGV on unknown address 0x7f89f7f6ff20 (pc 0x558480b1fd3b bp 0x7f79f7f6e808 sp 0x7ffe51895260 T0)
==1122143==The signal is caused by a READ memory access.
#0 0x558480b1fd3b in match /dev/shm/libforth/libforth.c:1306
#1 0x558480b1fd3b in forth_find /dev/shm/libforth/libforth.c:1343
#2 0x558480b241ba in forth_run /dev/shm/libforth/libforth.c:2354
#3 0x558480b1b92f in eval_file /dev/shm/libforth/main.c:248
#4 0x558480b1af6e in main /dev/shm/libforth/main.c:449
#5 0x7f79fac46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0x7f79fac46244 in __libc_start_main_impl ../csu/libc-start.c:381
#7 0x558480b1b530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /dev/shm/libforth/libforth.c:1306 in match
==1122143==ABORTING
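Invalid free (CWE-763) in int forth_run(forth_t *o) at libforth.c, line 2745 when attempting to execute 'free((char*)f);' (the dump below shows RDI = 0x2a inside free and AddressSanitizer faulting at 0x1a in the zero page, which suggests the value being freed was never returned by the allocator):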
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2745
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x7ffff7dc86c0 ◂— 0x0
RBX 0xffffffffffffff80
RCX 0x1
RDX 0x55555555f0c0 ◂— 0xffffbf20ffffcc48
RDI 0x2a
RSI 0x1a
R8 0x8dc
R9 0x64
R10 0x7ffff7dd69a0 ◂— 0x10001200004e24 /* '$N' */
R11 0x7ffff7e63cc0 (free) ◂— test rdi, rdi
R12 0x0
R13 0x40
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5060 ◂— 0x0
RSP 0x7fffffffdb00 —▸ 0x7ffff7d87010 ◂— 0xf010408485434ff
RIP 0x7ffff7e63cda (free+26) ◂— mov rax, qword ptr [rdi - 8]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e63cda <free+26> mov rax, qword ptr [rdi - 8]
0x7ffff7e63cde <free+30> mov ebp, dword ptr fs:[rbx]
0x7ffff7e63ce1 <free+33> test al, 2
0x7ffff7e63ce3 <free+35> jne free+128 <free+128>
↓
0x7ffff7e63d40 <free+128> mov edx, dword ptr [rip + 0x139642] <mp_+72>
0x7ffff7e63d46 <free+134> test edx, edx
0x7ffff7e63d48 <free+136> jne free+176 <free+176>
↓
0x7ffff7e63d70 <free+176> mov rdi, rsi
0x7ffff7e63d73 <free+179> call munmap_chunk <munmap_chunk>
0x7ffff7e63d78 <free+184> mov dword ptr fs:[rbx], ebp
0x7ffff7e63d7b <free+187> add rsp, 0x18
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1147301==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001a (pc 0x7f24978289c6 bp 0x00000000002a sp 0x7ffe9396fb50 T0)
==1147301==The signal is caused by a WRITE memory access.
==1147301==Hint: address points to the zero page.
#0 0x7f24978289c6 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order) ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang.h:80
#1 0x7f24978289c6 in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) ../../../../src/libsanitizer/asan/asan_allocator.cpp:621
#2 0x7f24978289c6 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) ../../../../src/libsanitizer/asan/asan_allocator.cpp:697
#3 0x7f24978289c6 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) ../../../../src/libsanitizer/asan/asan_allocator.cpp:971
#4 0x7f24978ae4a7 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:128
#5 0x561df32b70bb in forth_run /dev/shm/libforth/libforth.c:2745
#6 0x561df32b092f in eval_file /dev/shm/libforth/main.c:248
#7 0x561df32aff6e in main /dev/shm/libforth/main.c:449
#8 0x7f2497646189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7f2497646244 in __libc_start_main_impl ../csu/libc-start.c:381
#10 0x561df32b0530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang.h:80 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order)
==1147301==ABORTING
Out of bounds read (CWE-125) in static void check_is_asciiz(jmp_buf *on_error, char *s, forth_cell_t end) at libforth/libforth.c, line 1436 when attempting to execute 'if (*(s + end) != '\0')':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1436
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x55555557cf90 ◂— 0xfbad2480
RBX 0x7ffff7d87010 ◂— 0xf010408485434ff
RCX 0x4
RDX 0x55555555f0c0 ◂— 0xffffbf20ffffcc48
RDI 0x7ffff7d87010 ◂— 0xf010408485434ff
RSI 0x7fffffffdbc0 —▸ 0x7fffffffde88 ◂— 0x0
R8 0x8dc
R9 0x5555555632a0 ◂— 0xfbad2488
R10 0x180
R11 0x1e0
R12 0x7ffff7d87058 ◂— 0x0
R13 0x55555555d11f ◂— 0x2065726f63006277 /* 'wb' */
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5078 —▸ 0x55555557cdb0 ◂— 0xfbad2480
RSP 0x7fffffffdb30 ◂— 0x2f9
RIP 0x55555555b6e7 (forth_run+2535) ◂— cmp byte ptr [r12 + rax + 1], 0
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x55555555b6e7 <forth_run+2535> cmp byte ptr [r12 + rax + 1], 0
0x55555555b6ed <forth_run+2541> jne forth_run+4648 <forth_run+4648>
↓
0x55555555bf28 <forth_run+4648> mov r8, r12
0x55555555bf2b <forth_run+4651> lea rcx, [rip + 0x294c]
0x55555555bf32 <forth_run+4658> mov edx, 0x59d
0x55555555bf37 <forth_run+4663> lea rsi, [rip + 0x32b2] <__func__.2>
0x55555555bf3e <forth_run+4670> lea rdi, [rip + 0x10e5]
0x55555555bf45 <forth_run+4677> xor eax, eax
0x55555555bf47 <forth_run+4679> call forth_logger <forth_logger>
0x55555555bf4c <forth_run+4684> lea rdi, [rsp + 0x90]
0x55555555bf54 <forth_run+4692> mov esi, 3
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1231948==ERROR: AddressSanitizer: SEGV on unknown address 0x1c16ea37e869 (pc 0x55be73cf37d3 bp 0x7f6351c27808 sp 0x7ffc17e47850 T0)
==1231948==The signal is caused by a READ memory access.
#0 0x55be73cf37d3 in check_is_asciiz /dev/shm/libforth/libforth.c:1436
#1 0x55be73cf37d3 in forth_get_string /dev/shm/libforth/libforth.c:1453
#2 0x55be73cf37d3 in forth_run /dev/shm/libforth/libforth.c:2674
#3 0x55be73cec92f in eval_file /dev/shm/libforth/main.c:248
#4 0x55be73cebf6e in main /dev/shm/libforth/main.c:449
#5 0x7f6351046189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0x7f6351046244 in __libc_start_main_impl ../csu/libc-start.c:381
#7 0x55be73cec530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /dev/shm/libforth/libforth.c:1436 in check_is_asciiz
==1231948==ABORTING
Stack-based buffer overflow (CWE-121) in static int print_cell(forth_t *o, FILE *out, forth_cell_t u) at libforth.c, line 1367 when attempting to execute 's[i++] = conv[u % base];':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1367
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x40
RBX 0x8
RCX 0x1580
RDX 0x30
RDI 0x40
RSI 0x1
R8 0x40
R9 0x55555555f700 (conv) ◂— '0123456789abcdefghijklmnopqrstuvwxzy'
R10 0x1000
R11 0x410
R12 0x1580
R13 0x1
R14 0x7ffff7f9e760 (_IO_2_1_stdout_) ◂— 0xfbad2a84
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7fffffffda80 ◂— 0x3030303030303030 ('00000000')
RSP 0x7fffffffda80 ◂— 0x3030303030303030 ('00000000')
RIP 0x5555555593d6 (print_cell+150) ◂— mov byte ptr [rbp + rcx], dl
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x5555555593d6 <print_cell+150> mov byte ptr [rbp + rcx], dl
0x5555555593da <print_cell+154> add rcx, 1
0x5555555593de <print_cell+158> cmp rdi, rsi
0x5555555593e1 <print_cell+161> jae print_cell+128 <print_cell+128>
↓
0x5555555593c0 <print_cell+128> mov rax, r8
0x5555555593c3 <print_cell+131> xor edx, edx
0x5555555593c5 <print_cell+133> mov rdi, r8
0x5555555593c8 <print_cell+136> mov r12d, ecx
0x5555555593cb <print_cell+139> div rsi
0x5555555593ce <print_cell+142> movzx edx, byte ptr [r9 + rdx]
0x5555555593d3 <print_cell+147> mov r8, rax
==1264804==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd6498d371 at pc 0x55e3edcf16f8 bp 0x7ffd6498d2e0 sp 0x7ffd6498d2d8
WRITE of size 1 at 0x7ffd6498d371 thread T0
#0 0x55e3edcf16f7 in print_cell /dev/shm/libforth/libforth.c:1367
#1 0x55e3edcf1849 in print_stack /dev/shm/libforth/libforth.c:1484
#2 0x55e3edcf1849 in print_stack /dev/shm/libforth/libforth.c:1474
#3 0x55e3edcf5f7a in forth_run /dev/shm/libforth/libforth.c:2554
#4 0x55e3edcee92f in eval_file /dev/shm/libforth/main.c:248
#5 0x55e3edcedf6e in main /dev/shm/libforth/main.c:449
#6 0x7f7afea46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f7afea46244 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x55e3edcee530 in _start (/dev/shm/libforth/forth+0xc530)
Address 0x7ffd6498d371 is located in stack of thread T0 at offset 113 in frame
#0 0x55e3edcf146f in print_cell /dev/shm/libforth/libforth.c:1357
This frame has 1 object(s):
[48, 113) 's' (line 1359) <== Memory access at offset 113 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /dev/shm/libforth/libforth.c:1367 in print_cell
Shadow bytes around the buggy address:
0x10002c929a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002c929a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002c929a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002c929a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002c929a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002c929a60: f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00[01]f3
0x10002c929a70: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10002c929a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002c929a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002c929aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002c929ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1264804==ABORTING
Out of bounds write (CWE-787) in static forth_cell_t compile(forth_t *o, forth_cell_t code, const char *str, forth_cell_t compiling, forth_cell_t hide) at libforth.c, line 1241 when attempting to execute 'strcpy((char *)(o->m + head), str);':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1241
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x207ffff7d88750
RBX 0x7ffff7d87010 ◂— 0xf010408485434ff
RCX 0x18
RDX 0x32
RDI 0x207ffff7d88750
RSI 0x7ffff7d87158 ◂— 0x32 /* '2' */
R8 0x8dc
R9 0x5555555632a0 ◂— 0xfbad2488
R10 0x7ffff7fc5080
R11 0x293
R12 0x2
R13 0x7ffff7d87158 ◂— 0x32 /* '2' */
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x1
RSP 0x7fffffffdaf8 —▸ 0x555555559667 (compile.constprop.0.isra+55) ◂— mov rdi, r13
RIP 0x7ffff7f20d23 (__strcpy_avx2+755) ◂— mov word ptr [rdi], dx
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7f20d23 <__strcpy_avx2+755> mov word ptr [rdi], dx
0x7ffff7f20d26 <__strcpy_avx2+758> vzeroupper
0x7ffff7f20d29 <__strcpy_avx2+761> ret
0x7ffff7f20d2a <__strcpy_avx2+762> nop word ptr [rax + rax]
0x7ffff7f20d30 <__strcpy_avx2+768> movzx ecx, word ptr [rsi]
0x7ffff7f20d33 <__strcpy_avx2+771> mov word ptr [rdi], cx
0x7ffff7f20d36 <__strcpy_avx2+774> mov byte ptr [rdi + 2], 0
0x7ffff7f20d3a <__strcpy_avx2+778> vzeroupper
0x7ffff7f20d3d <__strcpy_avx2+781> ret
0x7ffff7f20d3e <__strcpy_avx2+782> nop
0x7ffff7f20d40 <__strcpy_avx2+784> mov edx, dword ptr [rsi]
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1333584==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f7d8d838cab bp 0x7ffc98533a50 sp 0x7ffc985331e8 T0)
==1333584==The signal is caused by a READ memory access.
==1333584==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
#0 0x7f7d8d838cab in AddressIsPoisoned ../../../../src/libsanitizer/asan/asan_mapping.h:407
#1 0x7f7d8d838cab in QuickCheckForUnpoisonedRegion ../../../../src/libsanitizer/asan/asan_interceptors_memintrinsics.h:31
#2 0x7f7d8d85277f in __interceptor_strcpy ../../../../src/libsanitizer/asan/asan_interceptors.cpp:440
#3 0x55aeea6fbb72 in compile /dev/shm/libforth/libforth.c:1241
#4 0x55aeea70061c in forth_run /dev/shm/libforth/libforth.c:2304
#5 0x55aeea6f892f in eval_file /dev/shm/libforth/main.c:248
#6 0x55aeea6f7f6e in main /dev/shm/libforth/main.c:449
#7 0x7f7d8e206189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0x7f7d8e206244 in __libc_start_main_impl ../csu/libc-start.c:381
#9 0x55aeea6f8530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/asan/asan_mapping.h:407 in AddressIsPoisoned
==1333584==ABORTING
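Out of bounds read (CWE-125) in static int forth_get_char(forth_t *o) at libforth.c, line 1091 when attempting to execute 'r = fgetc((FILE*)(o->m[FIN]));' (the dump below shows getc running with RDI = 0x5 and faulting on [rdi + 0x74], i.e. address 0x79, so the cell cast to FILE * did not hold a valid stream pointer):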
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1091
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x5
RCX 0x0
RDX 0x55555555f0c0 ◂— 0xffffbf20ffffcc48
RDI 0x5
RSI 0x7ffff7d87158 ◂— 0x0
R8 0x8dc
R9 0x55555555edb0 ◂— 0x656764756d73203a (': smudge')
R10 0x7ffff7fc5080
R11 0x293
R12 0x0
R13 0x5
R14 0x7ffff7d87158 ◂— 0x0
R15 0x7fffffffda20 ◂— 0x7e02
RBP 0x7ffff7dc5058 ◂— 0x0
RSP 0x7fffffffd930 ◂— 0x0
RIP 0x7ffff7e48b89 (getc+9) ◂— test byte ptr [rdi + 0x74], 0x80
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e48b89 <getc+9> test byte ptr [rdi + 0x74], 0x80
0x7ffff7e48b8d <getc+13> je getc+168 <getc+168>
↓
0x7ffff7e48c28 <getc+168> mov rax, qword ptr [rdi + 8]
0x7ffff7e48c2c <getc+172> cmp rax, qword ptr [rdi + 0x10]
0x7ffff7e48c30 <getc+176> jae getc+240 <getc+240>
↓
0x7ffff7e48c70 <getc+240> add rsp, 0x18
0x7ffff7e48c74 <getc+244> pop rbx
0x7ffff7e48c75 <getc+245> pop rbp
0x7ffff7e48c76 <getc+246> jmp __uflow <__uflow>
↓
0x7ffff7e4dd50 <__uflow> push rbp
0x7ffff7e4dd51 <__uflow+1> push rbx
==1351430==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000079 (pc 0x7f670349cb89 bp 0x7f670401483c sp 0x7ffea3a50810 T0)
==1351430==The signal is caused by a READ memory access.
==1351430==Hint: address points to the zero page.
#0 0x7f670349cb89 in _IO_getc libio/getc.c:37
#1 0x55ad1ee56fa6 in forth_get_char /dev/shm/libforth/libforth.c:1091
#2 0x55ad1ee56fa6 in forth_get_char /dev/shm/libforth/libforth.c:1081
#3 0x55ad1ee56fa6 in forth_get_word /dev/shm/libforth/libforth.c:1140
#4 0x55ad1ee5c185 in forth_run /dev/shm/libforth/libforth.c:2352
#5 0x55ad1ee5c60e in forth_run /dev/shm/libforth/libforth.c:2535
#6 0x55ad1ee5392f in eval_file /dev/shm/libforth/main.c:248
#7 0x55ad1ee52f6e in main /dev/shm/libforth/main.c:449
#8 0x7f6703446189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7f6703446244 in __libc_start_main_impl ../csu/libc-start.c:381
#10 0x55ad1ee53530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libio/getc.c:37 in _IO_getc
==1351430==ABORTING
Out of bounds read (CWE-125) in static void print_stack(forth_t *o, FILE *out, forth_cell_t *S, forth_cell_t f) at libforth.c, line 1481 when attempting to execute 'print_cell(o, out, *(o->S + i + 1));':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1481
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x7ffff7dc5058 ◂— 0x0
RBX 0x3cdf5
RCX 0x7ffff7ec3190 (write+16) ◂— cmp rax, -0x1000 /* 'H=' */
RDX 0xffffffff
RDI 0x7ffff7d87010 ◂— 0xf010408485434ff
RSI 0x7ffff7f9e680 (_IO_2_1_stderr_) ◂— 0xfbad2887
R8 0x0
R9 0x64
R10 0x7fffffffb877 ◂— 0x7ffff7e4c55100
R11 0x202
R12 0x7ffff7d87010 ◂— 0xf010408485434ff
R13 0xffffffffffff86e0
R14 0x0
R15 0x7fffffffdbc0 —▸ 0x7fffffffde88 ◂— 0x0
RBP 0x7ffff7f9e680 (_IO_2_1_stderr_) ◂— 0xfbad2887
RSP 0x7fffffffdb00 —▸ 0x7ffff7d87010 ◂— 0xf010408485434ff
RIP 0x55555555949f (print_stack+95) ◂— mov rdx, qword ptr [rax + rbx*8]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x55555555949f <print_stack+95> mov rdx, qword ptr [rax + rbx*8]
0x5555555594a3 <print_stack+99> call print_cell <print_cell>
0x5555555594a8 <print_stack+104> mov rsi, rbp
0x5555555594ab <print_stack+107> mov edi, 0x20
0x5555555594b0 <print_stack+112> call fputc@plt <fputc@plt>
0x5555555594b5 <print_stack+117> cmp r13, rbx
0x5555555594b8 <print_stack+120> ja print_stack+80 <print_stack+80>
0x5555555594ba <print_stack+122> mov rsi, rbp
0x5555555594bd <print_stack+125> mov rdi, r12
0x5555555594c0 <print_stack+128> mov rdx, r14
0x5555555594c3 <print_stack+131> call print_cell <print_cell>
==1381839==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1a49660848 at pc 0x55d3a318b87c bp 0x7ffd14815d80 sp 0x7ffd14815d78
READ of size 8 at 0x7f1a49660848 thread T0
#0 0x55d3a318b87b in print_stack /dev/shm/libforth/libforth.c:1481
#1 0x55d3a318b87b in print_stack /dev/shm/libforth/libforth.c:1474
#2 0x55d3a318ef23 in trace /dev/shm/libforth/libforth.c:1500
#3 0x55d3a318ef23 in forth_run /dev/shm/libforth/libforth.c:2269
#4 0x55d3a318892f in eval_file /dev/shm/libforth/main.c:248
#5 0x55d3a3187f6e in main /dev/shm/libforth/main.c:449
#6 0x7f1a48a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f1a48a46244 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x55d3a3188530 in _start (/dev/shm/libforth/forth+0xc530)
0x7f1a49660848 is located 0 bytes to the right of 262216-byte region [0x7f1a49620800,0x7f1a49660848)
allocated by thread T0 here:
#0 0x7f1a48cae987 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x55d3a319299f in forth_init /dev/shm/libforth/libforth.c:1721
SUMMARY: AddressSanitizer: heap-buffer-overflow /dev/shm/libforth/libforth.c:1481 in print_stack
Shadow bytes around the buggy address:
0x0fe3c92c40b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe3c92c40c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe3c92c40d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe3c92c40e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe3c92c40f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe3c92c4100: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
0x0fe3c92c4110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe3c92c4120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe3c92c4130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe3c92c4140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe3c92c4150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1381839==ABORTING
Invalid free (CWE-763) in int forth_run(forth_t *o) at libforth/libforth.c, line 2750 when attempting to execute 'w = (forth_cell_t)realloc((char*)(*S--), f);':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2750
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x7ffff7dc86c0 ◂— 0x0
RBX 0x1
RCX 0x2
RDX 0x55555555f0c0 ◂— 0xffffbf20ffffcc48
RDI 0x1
RSI 0x2e2
R8 0x8dc
R9 0x0
R10 0x7ffff7ddcbf8 ◂— 0x10001200000e38
R11 0x7ffff7e63f00 (realloc) ◂— push r15
R12 0x0
R13 0x41
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x2e2
RSP 0x7fffffffdad0 ◂— 0x0
RIP 0x7ffff7e63f4d (realloc+77) ◂— mov rax, qword ptr [rbx - 8]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e63f4d <realloc+77> mov rax, qword ptr [rbx - 8]
0x7ffff7e63f51 <realloc+81> lea r13, [rbx - 0x10]
0x7ffff7e63f55 <realloc+85> xor r8d, r8d
0x7ffff7e63f58 <realloc+88> mov r15, rax
0x7ffff7e63f5b <realloc+91> and r15, 0xfffffffffffffff8
0x7ffff7e63f5f <realloc+95> test al, 2
0x7ffff7e63f61 <realloc+97> jne realloc+166 <realloc+166>
↓
0x7ffff7e63fa6 <realloc+166> mov rdx, r15
0x7ffff7e63fa9 <realloc+169> neg rdx
0x7ffff7e63fac <realloc+172> cmp rdx, r13
0x7ffff7e63faf <realloc+175> jb realloc+776 <realloc+776>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1414447==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff1 (pc 0x7f72b5c28b23 bp 0x0000000002e2 sp 0x7ffdd923d030 T0)
==1414447==The signal is caused by a READ memory access.
#0 0x7f72b5c28b23 in __sanitizer::atomic_uint8_t::Type __sanitizer::atomic_load<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t const volatile*, __sanitizer::memory_order) ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang_x86.h:46
#1 0x7f72b5c28b23 in __sanitizer::atomic_uint8_t::Type __sanitizer::atomic_load<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t const volatile*, __sanitizer::memory_order) ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang_x86.h:27
#2 0x7f72b5c28b23 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) ../../../../src/libsanitizer/asan/asan_allocator.cpp:729
#3 0x7f72b5c28b23 in __asan::asan_realloc(void*, unsigned long, __sanitizer::BufferedStackTrace*) ../../../../src/libsanitizer/asan/asan_allocator.cpp:1009
#4 0x7f72b5caeb24 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:165
#5 0x55c6cbfdc4af in forth_run /dev/shm/libforth/libforth.c:2750
#6 0x55c6cbfd492f in eval_file /dev/shm/libforth/main.c:248
#7 0x55c6cbfd3f6e in main /dev/shm/libforth/main.c:449
#8 0x7f72b5a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7f72b5a46244 in __libc_start_main_impl ../csu/libc-start.c:381
#10 0x55c6cbfd4530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang_x86.h:46 in __sanitizer::atomic_uint8_t::Type __sanitizer::atomic_load<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t const volatile*, __sanitizer::memory_order)
==1414447==ABORTING
Out of bounds read (CWE-125) in int forth_run(forth_t *o) at libforth/libforth.c, line 2730 when attempting to execute 'f = memcmp((char*)(S--), (char)w, f);':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2730
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x73e
RBX 0x7ffff7dc5060 ◂— 0x0
RCX 0x3
RDX 0x2
RDI 0x6
RSI 0x73e
R8 0x8dc
R9 0x0
R10 0x7ffff7de1c08 ◂— 0x10001a000048c5
R11 0x7ffff7f1cee0 (__memcmp_avx2_movbe) ◂— cmp rdx, 0x20
R12 0x2
R13 0x3e
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5070 ◂— 0x73e
RSP 0x7fffffffdb28 —▸ 0x55555555b14f (forth_run+1103) ◂— movsxd r12, eax
RIP 0x7ffff7f1d1d5 (__memcmp_avx2_movbe+757) ◂— vmovdqu ymm2, ymmword ptr [rsi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7f1d1d5 <__memcmp_avx2_movbe+757> vmovdqu ymm2, ymmword ptr [rsi]
0x7ffff7f1d1d9 <__memcmp_avx2_movbe+761> vpcmpeqb ymm2, ymm2, ymmword ptr [rdi]
0x7ffff7f1d1dd <__memcmp_avx2_movbe+765> vpmovmskb eax, ymm2
0x7ffff7f1d1e1 <__memcmp_avx2_movbe+769> inc eax
0x7ffff7f1d1e3 <__memcmp_avx2_movbe+771> bzhi edx, eax, edx
0x7ffff7f1d1e8 <__memcmp_avx2_movbe+776> jne __memcmp_avx2_movbe+208 <__memcmp_avx2_movbe+208>
↓
0x7ffff7f1cfb0 <__memcmp_avx2_movbe+208> tzcnt eax, eax
0x7ffff7f1cfb4 <__memcmp_avx2_movbe+212> movzx ecx, byte ptr [rsi + rax]
0x7ffff7f1cfb8 <__memcmp_avx2_movbe+216> movzx eax, byte ptr [rdi + rax]
0x7ffff7f1cfbc <__memcmp_avx2_movbe+220> sub eax, ecx
0x7ffff7f1cfbe <__memcmp_avx2_movbe+222> vzeroupper
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1439508==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000073e (pc 0x7f5b42f711d5 bp 0x7ffc9b2acec0 sp 0x7ffc9b2ac638 T0)
==1439508==The signal is caused by a READ memory access.
==1439508==Hint: address points to the zero page.
#0 0x7f5b42f711d5 in __memcmp_avx2_movbe ../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:414
#1 0x7f5b4308f11c in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:881
#2 0x7f5b4308f9a8 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
#3 0x7f5b4308f9a8 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
#4 0x5571e47d4208 in forth_run /dev/shm/libforth/libforth.c:2730
#5 0x5571e47cd92f in eval_file /dev/shm/libforth/main.c:248
#6 0x5571e47ccf6e in main /dev/shm/libforth/main.c:449
#7 0x7f5b42e46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0x7f5b42e46244 in __libc_start_main_impl ../csu/libc-start.c:381
#9 0x5571e47cd530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:414 in __memcmp_avx2_movbe
==1439508==ABORTING
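Out of bounds read (CWE-125) in int forth_run(forth_t *o) at libforth/libforth.c, line 2362 when attempting to execute 'error("'%s' is not a word (line %zu)", o->s, o->line);' (note: the AddressSanitizer trace reproduced below faults inside fflush, called from forth_run at libforth.c:2623, which is the same frame as the fflush entry further down; the line 2362 attribution should be confirmed against its own crash file):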
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2362
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x7ffff7dc86c0 ◂— 0x0
RBX 0x4
RCX 0x7ffff7ec3190 (write+16) ◂— cmp rax, -0x1000 /* 'H=' */
RDX 0x55555555f0c0 ◂— 0xffffbf20ffffcc48
RDI 0x4
RSI 0x55555555e848 ◂— 0x27732527000a2920 /* ' )\n' */
R8 0x0
R9 0x64
R10 0x7ffff7dd8fc8 ◂— 0x100022000064f9
R11 0x7ffff7e40ca0 (fflush) ◂— test rdi, rdi
R12 0x0
R13 0x36
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5060 ◂— 0x0
RSP 0x7fffffffdb00 —▸ 0x7ffff7dc5060 ◂— 0x0
RIP 0x7ffff7e40cb2 (fflush+18) ◂— mov eax, dword ptr [rdi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e40cb2 <fflush+18> mov eax, dword ptr [rdi]
0x7ffff7e40cb4 <fflush+20> and eax, 0x8000
0x7ffff7e40cb9 <fflush+25> jne fflush+79 <fflush+79>
↓
0x7ffff7e40cef <fflush+79> mov rbp, qword ptr [rbx + 0xd8]
0x7ffff7e40cf6 <fflush+86> lea rdx, [rip + 0x158ce3] <_IO_helper_jumps>
0x7ffff7e40cfd <fflush+93> lea rax, [rip + 0x159a44]
0x7ffff7e40d04 <fflush+100> sub rax, rdx
0x7ffff7e40d07 <fflush+103> mov rcx, rbp
0x7ffff7e40d0a <fflush+106> sub rcx, rdx
0x7ffff7e40d0d <fflush+109> cmp rcx, rax
0x7ffff7e40d10 <fflush+112> jae fflush+184 <fflush+184>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1472125==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7fb746e94cb2 bp 0x000000000004 sp 0x7ffd1c82d350 T0)
==1472125==The signal is caused by a READ memory access.
==1472125==Hint: address points to the zero page.
#0 0x7fb746e94cb2 in __GI__IO_fflush libio/iofflush.c:39
#1 0x7fb74708c025 in __interceptor_fflush ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6214
#2 0x7fb74708c025 in __interceptor_fflush ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6211
#3 0x55e7cd00c89b in forth_run /dev/shm/libforth/libforth.c:2623
#4 0x55e7cd00592f in eval_file /dev/shm/libforth/main.c:248
#5 0x55e7cd004f6e in main /dev/shm/libforth/main.c:449
#6 0x7fb746e46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7fb746e46244 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x55e7cd005530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSaniti
Out of bounds read (CWE-125) in int forth_run(forth_t *o) at libforth/libforth.c, line 2665 when attempting to execute '*++S = fwrite(((char*)m)+offset, 1, count, file);':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2665
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x55555555b800 (forth_run+2816) ◂— mov rdi, qword ptr [rbp - 8]
RBX 0x7ffff7dc5068 ◂— 0x7
RCX 0x2
RDX 0xc3
RDI 0x7ffff7d8705f ◂— 0x0
RSI 0x1
R8 0x8dc
R9 0x0
R10 0x7ffff7de3c00 ◂— 0x10002200001aa2
R11 0x7ffff7e41950 (fwrite) ◂— push r15
R12 0x2
R13 0xc3
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5070 ◂— 0xc3
RSP 0x7fffffffdae0 —▸ 0x7ffff7dc86d8 —▸ 0x7ffff7f483c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
RIP 0x7ffff7e4196e (fwrite+30) ◂— mov eax, dword ptr [rcx]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e4196e <fwrite+30> mov eax, dword ptr [rcx]
0x7ffff7e41970 <fwrite+32> mov r14, rdi
0x7ffff7e41973 <fwrite+35> mov r12, rsi
0x7ffff7e41976 <fwrite+38> mov rbp, rdx
0x7ffff7e41979 <fwrite+41> mov rbx, rcx
0x7ffff7e4197c <fwrite+44> and eax, 0x8000
0x7ffff7e41981 <fwrite+49> jne fwrite+103 <fwrite+103>
↓
0x7ffff7e419b7 <fwrite+103> mov eax, dword ptr [rbx + 0xc0]
0x7ffff7e419bd <fwrite+109> test eax, eax
0x7ffff7e419bf <fwrite+111> jne fwrite+256 <fwrite+256>
↓
0x7ffff7e41a50 <fwrite+256> cmp eax, -1
==1499801==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x7f4ed049596e bp 0x7ffd396c0ed0 sp 0x7ffd396c0620 T0)
==1499801==The signal is caused by a READ memory access.
==1499801==Hint: address points to the zero page.
#0 0x7f4ed049596e in __GI__IO_fwrite libio/iofwrite.c:37
#1 0x7f4ed063efb6 in __interceptor_fwrite ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1159
#2 0x55f7d6ba0ad7 in forth_run /dev/shm/libforth/libforth.c:2665
#3 0x55f7d6b9992f in eval_file /dev/shm/libforth/main.c:248
#4 0x55f7d6b98f6e in main /dev/shm/libforth/main.c:449
#5 0x7f4ed0446189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0x7f4ed0446244 in __libc_start_main_impl ../csu/libc-start.c:381
#7 0x55f7d6b99530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libio/iofwrite.c:37 in __GI__IO_fwrite
==1499801==ABORTING
Out of bounds read (CWE-125) in int forth_run(forth_t *o) at libforth/libforth.c, line 2716 when attempting to execute 'memmove((char*)(*S--), (char*)w, f);':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2716
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x6
RBX 0x7ffff7d87010 ◂— 0xf010408485434ff
RCX 0x3
RDX 0x2
RDI 0x6
RSI 0x5
R8 0x8dc
R9 0x0
R10 0x7ffff7dd9298 ◂— 0x10001a00005bee
R11 0x7ffff7f1d640 (__memmove_avx_unaligned_erms) ◂— mov rax, rdi
R12 0x2
R13 0x3b
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5058 ◂— 0x0
RSP 0x7fffffffdb28 —▸ 0x55555555b1bf (forth_run+1215) ◂— mov r12, qword ptr [rbp + 8]
RIP 0x7ffff7f1d684 (__memmove_avx_unaligned_erms+68) ◂— mov cl, byte ptr [rsi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7f1d684 <__memmove_avx_unaligned_erms+68> mov cl, byte ptr [rsi]
0x7ffff7f1d686 <__memmove_avx_unaligned_erms+70> je __memmove_avx_unaligned_erms+82 <__memmove_avx_unaligned_erms+82>
↓
0x7ffff7f1d692 <__memmove_avx_unaligned_erms+82> mov byte ptr [rdi], cl
0x7ffff7f1d694 <__memmove_avx_unaligned_erms+84> ret
0x7ffff7f1d695 <__memmove_avx_unaligned_erms+85> mov ecx, dword ptr [rsi + rdx - 4]
0x7ffff7f1d699 <__memmove_avx_unaligned_erms+89> mov esi, dword ptr [rsi]
0x7ffff7f1d69b <__memmove_avx_unaligned_erms+91> mov dword ptr [rdi + rdx - 4], ecx
0x7ffff7f1d69f <__memmove_avx_unaligned_erms+95> mov dword ptr [rdi], esi
0x7ffff7f1d6a1 <__memmove_avx_unaligned_erms+97> ret
0x7ffff7f1d6a2 <__memmove_avx_unaligned_erms+98> vmovdqu xmm0, xmmword ptr [rsi]
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1517907==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000006 (pc 0x7fb22f8c5210 bp 0x7fb230211808 sp 0x7ffee9470278 T0)
==1517907==The signal is caused by a READ memory access.
==1517907==Hint: address points to the zero page.
#0 0x7fb22f8c5210 in __sanitizer::internal_memmove(void*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:68
#1 0x55c9e6ba1350 in forth_run /dev/shm/libforth/libforth.c:2716
#2 0x55c9e6b9a92f in eval_file /dev/shm/libforth/main.c:248
#3 0x55c9e6b99f6e in main /dev/shm/libforth/main.c:449
#4 0x7fb22f646189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x7fb22f646244 in __libc_start_main_impl ../csu/libc-start.c:381
#6 0x55c9e6b9a530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:68 in __sanitizer::internal_memmove(void*, void const*, unsigned long)
==1517907==ABORTING
Out of bounds read (CWE-125) in int forth_run(forth_t *o) at libforth/libforth.c, line 2721 when attempting to execute 'f = (forth_cell_t)memchr((char*)(*S--), w, f);':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2721
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x6
RBX 0x7ffff7dc5060 ◂— 0x0
RCX 0x3
RDX 0x2
RDI 0x6
RSI 0xba
R8 0x8dc
R9 0x0
R10 0x7ffff7ddef08 ◂— 0x10001a000062b8
R11 0x7ffff7f1cc40 (__memchr_avx2) ◂— test rdx, rdx
R12 0x2
R13 0x3c
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5070 ◂— 0xba
RSP 0x7fffffffdb28 —▸ 0x55555555b196 (forth_run+1174) ◂— mov rbp, rbx
RIP 0x7ffff7f1cc60 (__memchr_avx2+32) ◂— vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7f1cc60 <__memchr_avx2+32> vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
0x7ffff7f1cc64 <__memchr_avx2+36> vpmovmskb eax, ymm1
0x7ffff7f1cc68 <__memchr_avx2+40> cmp rdx, 0x20
0x7ffff7f1cc6c <__memchr_avx2+44> jbe __memchr_avx2+64 <__memchr_avx2+64>
↓
0x7ffff7f1cc80 <__memchr_avx2+64> tzcnt eax, eax
0x7ffff7f1cc84 <__memchr_avx2+68> vzeroupper
0x7ffff7f1cc87 <__memchr_avx2+71> cmp edx, eax
0x7ffff7f1cc89 <__memchr_avx2+73> jle __memchr_avx2+93 <__memchr_avx2+93>
↓
0x7ffff7f1cc9d <__memchr_avx2+93> xor eax, eax
0x7ffff7f1cc9f <__memchr_avx2+95> ret
0x7ffff7f1cca0 <__memchr_avx2+96> tzcnt eax, eax
==1540863==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000006 (pc 0x7f1e49338c60 bp 0x7ffd56cd19f0 sp 0x7ffd56cd1198 T0)
==1540863==The signal is caused by a READ memory access.
==1540863==Hint: address points to the zero page.
#0 0x7f1e49338c60 in __memchr_avx2 ../sysdeps/x86_64/multiarch/memchr-avx2.S:82
#1 0x7f1e4883e1c1 in __interceptor_memchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:928
#2 0x5574bf6032e8 in forth_run /dev/shm/libforth/libforth.c:2721
#3 0x5574bf5fc92f in eval_file /dev/shm/libforth/main.c:248
#4 0x5574bf5fbf6e in main /dev/shm/libforth/main.c:449
#5 0x7f1e4920e189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0x7f1e4920e244 in __libc_start_main_impl ../csu/libc-start.c:381
#7 0x5574bf5fc530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../sysdeps/x86_64/multiarch/memchr-avx2.S:82 in __memchr_avx2
==1540863==ABORTING
Out of bounds write (CWE-787) in int forth_run(forth_t *o) at libforth/libforth.c, line 2725 when attempting to execute 'memset((char*)(*S--), w, f);':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2725
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x4
RBX 0x7ffff7d87010 ◂— 0xf010408485434ff
RCX 0x7ffff7ec3190 (write+16) ◂— cmp rax, -0x1000 /* 'H=' */
RDX 0x2
RDI 0x4
RSI 0x91
R8 0x0
R9 0x64
R10 0x7ffff7de1fe0 ◂— 0x10001a00007ccc
R11 0x7ffff7f1e040 (__memset_avx2_unaligned_erms) ◂— vmovd xmm0, esi
R12 0x2
R13 0x3d
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5058 ◂— 0x0
RSP 0x7fffffffdb28 —▸ 0x55555555b176 (forth_run+1142) ◂— mov r12, qword ptr [rbp + 8]
RIP 0x7ffff7f1e170 (__memset_avx2_unaligned_erms+304) ◂— mov byte ptr [rdi], sil
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7f1e170 <__memset_avx2_unaligned_erms+304> mov byte ptr [rdi], sil
0x7ffff7f1e173 <__memset_avx2_unaligned_erms+307> mov byte ptr [rdi + 1], sil
0x7ffff7f1e177 <__memset_avx2_unaligned_erms+311> mov byte ptr [rdi + rdx - 1], sil
0x7ffff7f1e17c <__memset_avx2_unaligned_erms+316> ret
0x7ffff7f1e17d nop dword ptr [rax]
0x7ffff7f1e180 <__rawmemchr_avx2> vmovd xmm0, esi
0x7ffff7f1e184 <__rawmemchr_avx2+4> vpbroadcastb ymm0, xmm0
0x7ffff7f1e189 <__rawmemchr_avx2+9> mov eax, edi
0x7ffff7f1e18b <__rawmemchr_avx2+11> and eax, 0xfff
0x7ffff7f1e190 <__rawmemchr_avx2+16> cmp eax, 0xfe0
0x7ffff7f1e195 <__rawmemchr_avx2+21> ja __rawmemchr_avx2+304 <__rawmemchr_avx2+304>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1584856==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f9963572170 bp 0x7f996079c808 sp 0x7ffddf79bde8 T0)
==1584856==The signal is caused by a WRITE memory access.
==1584856==Hint: address points to the zero page.
#0 0x7f9963572170 in __memset_avx2_unaligned_erms ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:424
#1 0x5643d0cb5270 in forth_run /dev/shm/libforth/libforth.c:2725
#2 0x5643d0cae92f in eval_file /dev/shm/libforth/main.c:248
#3 0x5643d0cadf6e in main /dev/shm/libforth/main.c:449
#4 0x7f9963446189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x7f9963446244 in __libc_start_main_impl ../csu/libc-start.c:381
#6 0x5643d0cae530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:424 in __memset_avx2_unaligned_erms
==1584856==ABORTING
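Out of bounds read (CWE-125) in int forth_run(forth_t *o) at libforth/libforth.c, line 2623 when attempting to execute 'f = fflush((FILE*)f) ? ferrno() : 0;' (the dump below shows RDI = 0x2e1, the same value AddressSanitizer reports as the faulting address, so the value cast to FILE* is not a valid stream pointer when fflush dereferences it):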
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2623
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x7ffff7dc86c0 ◂— 0x0
RBX 0x2e1
RCX 0x1
RDX 0x55555555f0c0 ◂— 0xffffbf20ffffcc48
RDI 0x2e1
RSI 0x7fffffffdbc0 —▸ 0x7fffffffde88 ◂— 0x0
R8 0x8dc
R9 0x5555555632a0 ◂— 0xfbad2488
R10 0x7ffff7dd8fc8 ◂— 0x100022000064f9
R11 0x7ffff7e40ca0 (fflush) ◂— test rdi, rdi
R12 0x0
R13 0x36
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5088 ◂— 0x0
RSP 0x7fffffffdb00 —▸ 0x7ffff7d87010 ◂— 0xf010408485434ff
RIP 0x7ffff7e40cb2 (fflush+18) ◂— mov eax, dword ptr [rdi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e40cb2 <fflush+18> mov eax, dword ptr [rdi]
0x7ffff7e40cb4 <fflush+20> and eax, 0x8000
0x7ffff7e40cb9 <fflush+25> jne fflush+79 <fflush+79>
↓
0x7ffff7e40cef <fflush+79> mov rbp, qword ptr [rbx + 0xd8]
0x7ffff7e40cf6 <fflush+86> lea rdx, [rip + 0x158ce3] <_IO_helper_jumps>
0x7ffff7e40cfd <fflush+93> lea rax, [rip + 0x159a44]
0x7ffff7e40d04 <fflush+100> sub rax, rdx
0x7ffff7e40d07 <fflush+103> mov rcx, rbp
0x7ffff7e40d0a <fflush+106> sub rcx, rdx
0x7ffff7e40d0d <fflush+109> cmp rcx, rax
0x7ffff7e40d10 <fflush+112> jae fflush+184 <fflush+184>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1621354==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002e1 (pc 0x7f9141894cb2 bp 0x0000000002e1 sp 0x7ffd15be62f0 T0)
==1621354==The signal is caused by a READ memory access.
==1621354==Hint: address points to the zero page.
#0 0x7f9141894cb2 in __GI__IO_fflush libio/iofflush.c:39
#1 0x7f9141a8c025 in __interceptor_fflush ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6214
#2 0x7f9141a8c025 in __interceptor_fflush ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6211
#3 0x560fbfcaf89b in forth_run /dev/shm/libforth/libforth.c:2623
#4 0x560fbfca892f in eval_file /dev/shm/libforth/main.c:248
#5 0x560fbfca7f6e in main /dev/shm/libforth/main.c:449
#6 0x7f9141846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f9141846244 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x560fbfca8530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libio/iofflush.c:39 in __GI__IO_fflush
==1621354==ABORTING
Out of bounds read (CWE-125) in int forth_run(forth_t *o) at libforth/libforth.c, line 2666 when attempting to execute 'f = ferror(file);':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2666
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x7ffff7dc5068 ◂— 0x0
RCX 0x2
RDX 0x0
RDI 0x2
RSI 0x1
R8 0x8dc
R9 0x0
R10 0x7ffff7dd8f20 ◂— 0x10002200006683
R11 0x7ffff7e48630 (ferror) ◂— mov edx, dword ptr [rdi]
R12 0x2
R13 0x2
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5068 ◂— 0x0
RSP 0x7fffffffdb28 —▸ 0x55555555b831 (forth_run+2865) ◂— mov rdi, r13
RIP 0x7ffff7e48630 (ferror) ◂— mov edx, dword ptr [rdi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e48630 <ferror> mov edx, dword ptr [rdi]
0x7ffff7e48632 <ferror+2> test byte ptr [rdi + 0x74], 0x80
0x7ffff7e48636 <ferror+6> je ferror+120 <ferror+120>
↓
0x7ffff7e486a8 <ferror+120> shr edx, 5
0x7ffff7e486ab <ferror+123> mov eax, edx
0x7ffff7e486ad <ferror+125> and eax, 1
0x7ffff7e486b0 <ferror+128> ret
0x7ffff7e486b1 <ferror+129> nop dword ptr [rax]
0x7ffff7e486b8 <ferror+136> shr edx, 5
0x7ffff7e486bb <ferror+139> mov ecx, dword ptr [rdi + 4]
0x7ffff7e486be <ferror+142> mov eax, edx
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1652582==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x7f97bf69c630 bp 0x000000000002 sp 0x7fff54242db8 T0)
==1652582==The signal is caused by a READ memory access.
==1652582==Hint: address points to the zero page.
#0 0x7f97bf69c630 in _IO_ferror libio/ferror.c:36
#1 0x561de1a17af3 in forth_run /dev/shm/libforth/libforth.c:2666
#2 0x561de1a1092f in eval_file /dev/shm/libforth/main.c:248
#3 0x561de1a0ff6e in main /dev/shm/libforth/main.c:449
#4 0x7f97bf646189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x7f97bf646244 in __libc_start_main_impl ../csu/libc-start.c:381
#6 0x561de1a10530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libio/ferror.c:36 in _IO_ferror
==1652582==ABORTING
Null pointer dereference (CWE-476) in int forth_run(forth_t *o) at libforth/libforth.c, line 2615 when attempting to execute 'f = fclose((FILE*)f) ? ferrno() : 0;':
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2615
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x7ffff7dc86c0 ◂— 0x0
RBX 0x7ffff7dc86c0 ◂— 0x0
RCX 0x7ffff7ec3190 (write+16) ◂— cmp rax, -0x1000 /* 'H=' */
RDX 0x55555555f0c0 ◂— 0xffffbf20ffffcc48
RDI 0x0
RSI 0x55555555e848 ◂— 0x27732527000a2920 /* ' )\n' */
R8 0x0
R9 0x64
R10 0x7ffff7de1c38 ◂— 0x100012000020a3
R11 0x7ffff7e40840 (fclose) ◂— push r12
R12 0x0
R13 0x2f
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5160 ◂— 0x1d
RSP 0x7fffffffdb10 —▸ 0x7ffff7dc86c0 ◂— 0x0
RIP 0x7ffff7e40844 (fclose+4) ◂— mov eax, dword ptr [rdi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e40844 <fclose+4> mov eax, dword ptr [rdi]
0x7ffff7e40846 <fclose+6> mov rbx, rdi
0x7ffff7e40849 <fclose+9> test ah, 0x20
0x7ffff7e4084c <fclose+12> jne fclose+400 <fclose+400>
↓
0x7ffff7e409d0 <fclose+400> call _IO_un_link <_IO_un_link>
0x7ffff7e409d5 <fclose+405> mov eax, dword ptr [rbx]
0x7ffff7e409d7 <fclose+407> test ah, 0x80
0x7ffff7e409da <fclose+410> jne fclose+83 <fclose+83>
0x7ffff7e409e0 <fclose+416> jmp fclose+27 <fclose+27>
0x7ffff7e409e5 <fclose+421> nop dword ptr [rax]
0x7ffff7e409e8 <fclose+424> call _IO_vtable_check <_IO_vtable_check>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1671224==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0e28494844 bp 0x000000000000 sp 0x7ffcf466c1f0 T0)
==1671224==The signal is caused by a READ memory access.
==1671224==Hint: address points to the zero page.
#0 0x7f0e28494844 in _IO_new_fclose libio/iofclose.c:48
#1 0x7f0e2868c098 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6233
#2 0x7f0e2868c098 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6228
#3 0x557558c8ee23 in forth_run /dev/shm/libforth/libforth.c:2615
#4 0x557558c8792f in eval_file /dev/shm/libforth/main.c:248
#5 0x557558c86f6e in main /dev/shm/libforth/main.c:449
#6 0x7f0e28446189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f0e28446244 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x557558c87530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libio/iofclose.c:48 in _IO_new_fclose
==1671224==ABORTING