[LLVMbugs] [Bug 7217] New: Crash for accessing too-small malloc'd buffer

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Mon May 24 16:28:38 PDT 2010


           Summary: Crash for accessing too-small malloc'd buffer
           Product: clang
           Version: trunk
          Platform: Macintosh
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: -New Bugs
        AssignedTo: unassignedclangbugs at nondot.org
        ReportedBy: jediknil at belkadan.com
                CC: llvmbugs at cs.uiuc.edu

When accessing a malloc buffer whose size is less than one element wide, Clang
crashes, very appropriately in asserting that the region size should be at
least one element wide.

Statically allocated buffers don't crash but don't warn properly either.

Related to PR6123 (check malloc sizes are multiple of access type), since that
could keep this error from occurring in the first place.


#include <stdlib.h>

void test () {
    int *buf = malloc(2); // 2 bytes: less than one int wide, so the region is not a whole element
    buf[1] = 'c'; // writes past the end of the 2-byte region; buf[0] does not crash
}


Assertion failed: (RegionSize % EleSize == 0), function getSizeInElements, file
RegionStore.cpp, line 762.
0  clang             0x0000000101005126 PrintStackTrace(void*) + 38
1  clang             0x0000000101005606 SignalHandler(int) + 312
2  libSystem.B.dylib 0x00007fff8451780a _sigtramp + 26
3  libSystem.B.dylib 0x00007fff844bc50a tiny_malloc_from_free_list + 1196
4  libSystem.B.dylib 0x00007fff84592ef0 __pthread_markcancel + 0
5  clang             0x00000001004cee70 (anonymous
namespace)::RegionStoreManager::getSizeInElements(clang::GRState const*,
clang::MemRegion const*, clang::QualType) + 638
6  clang             0x00000001004165d3 (anonymous
clang::Stmt const*, clang::SVal) + 245
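
As an added illustration (not code from the report or from clang), the block below models what the failing getSizeInElements frame computes: the number of whole elements in a region of a given byte size. Instead of asserting RegionSize % EleSize == 0 it returns a verdict, and it decides out-of-bounds at byte granularity, so for the report's malloc(2)-accessed-as-int case it flags buf[0] as well as buf[1], since a 4-byte int store at offset 0 still runs two bytes past a 2-byte allocation (the analyzer assertion in the report fires only on buf[1]). The names size_in_elements, check_access and access_verdict are hypothetical, and the tests assume sizeof(int) == 4.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical bounds model, not clang's own code. */
enum access_verdict {
    ACCESS_OK,             /* access lies entirely inside the allocation */
    ACCESS_OUT_OF_BOUNDS,  /* some byte of the access falls past the end */
    ACCESS_SIZE_MISMATCH   /* region is not a whole number of elements */
};

/* Number of whole elements of elem_bytes that fit in region_bytes. Returns
 * ACCESS_SIZE_MISMATCH when the region is not a multiple of the element
 * size (the condition the reported assertion checks), ACCESS_OK otherwise;
 * *out always receives the whole-element count. */
enum access_verdict size_in_elements(size_t region_bytes, size_t elem_bytes,
                                     size_t *out)
{
    if (elem_bytes == 0) {          /* incomplete type: nothing to count */
        *out = 0;
        return ACCESS_SIZE_MISMATCH;
    }
    *out = region_bytes / elem_bytes;
    return (region_bytes % elem_bytes == 0) ? ACCESS_OK : ACCESS_SIZE_MISMATCH;
}

/* Verdict for buf[index] where buf points to region_bytes bytes and is
 * accessed through an elem_bytes-sized type. Out-of-bounds is decided at
 * byte granularity: the bytes [index*elem, index*elem+elem) must all lie
 * inside the region, so malloc(2) accessed as int is flagged even at index 0. */
enum access_verdict check_access(size_t region_bytes, size_t elem_bytes,
                                 size_t index)
{
    size_t elems;
    enum access_verdict fit = size_in_elements(region_bytes, elem_bytes, &elems);
    if (elem_bytes == 0 || index > (SIZE_MAX - elem_bytes) / elem_bytes)
        return ACCESS_OUT_OF_BOUNDS;          /* index*elem_bytes would wrap */
    size_t start = index * elem_bytes;        /* first byte touched */
    if (elem_bytes > region_bytes || start > region_bytes - elem_bytes)
        return ACCESS_OUT_OF_BOUNDS;          /* access leaves the region */
    return fit;                               /* in bounds; may still be odd-sized */
}

static const char *describe(enum access_verdict v)
{
    switch (v) {
    case ACCESS_OK:            return "ok";
    case ACCESS_OUT_OF_BOUNDS: return "out of bounds";
    default:                   return "region size not a multiple of element size";
    }
}

int main(void)
{
    /* The report's test case: int *buf = malloc(2); buf[1] = 'c'; */
    size_t region = 2, elem = sizeof(int);
    printf("malloc(%zu) as int, buf[0]: %s\n", region,
           describe(check_access(region, elem, 0)));
    printf("malloc(%zu) as int, buf[1]: %s\n", region,
           describe(check_access(region, elem, 1)));
    /* A 6-byte region holds one int with 2 bytes left over: the PR6123 case. */
    printf("malloc(6) as int, buf[0]: %s\n", describe(check_access(6, elem, 0)));
    return 0;
}
```

The two verdicts are deliberately distinct: an access that stays inside the allocation but whose region is not a whole number of elements (the PR6123 condition) is worth a warning, while any access that reaches past the last byte of the allocation is a heap overflow regardless of how the region divides.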
