[llvm-bugs] [Bug 44972] New: AddressSanitizer use-after-poison error when optimisation is disabled

via llvm-bugs llvm-bugs at lists.llvm.org
Thu Feb 20 02:34:38 PST 2020


https://bugs.llvm.org/show_bug.cgi?id=44972

            Bug ID: 44972
           Summary: AddressSanitizer use-after-poison error when
                    optimisation is disabled
           Product: libraries
           Version: 7.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Core LLVM classes
          Assignee: unassignedbugs at nondot.org
          Reporter: carlier.lau at gmail.com
                CC: llvm-bugs at lists.llvm.org

Created attachment 23149
  --> https://bugs.llvm.org/attachment.cgi?id=23149&action=edit
Reproduction scenario

Hi,
I'm getting the following error from AddressSanitizer whenever I'm compiling my
tool without optimisation. I'm using LLVM 7.0.

I've managed to isolate the issue and I attached the reproduction scenario to
the ticket.

The dummy compile.sh script gives the command to compile the tool (in
main.cpp).

Just run the executable to see the error.

lcarlier at lcarlier-mate[/tmp/test]# ./a.out 
=================================================================
==13708==ERROR: AddressSanitizer: use-after-poison on address 0x621000047870 at
pc 0x556f7d5e2d5b bp 0x7fff01897cc0 sp 0x7fff01897cb0
READ of size 1 at 0x621000047870 thread T0
    #0 0x556f7d5e2d5a in clang::Stmt::getStmtClass() const
/usr/lib/llvm-7/include/clang/AST/Stmt.h:392
    #1 0x556f7d5e4c72 in clang::BinaryOperator::classof(clang::Stmt const*)
/usr/lib/llvm-7/include/clang/AST/Expr.h:3301
    #2 0x556f7d6da812 in llvm::isa_impl<clang::BinaryOperator, clang::Stmt,
void>::doit(clang::Stmt const&)
/usr/lib/llvm-7/include/llvm/Support/Casting.h:59
    #3 0x556f7d6d8254 in llvm::isa_impl_cl<clang::BinaryOperator, clang::Stmt
const*>::doit(clang::Stmt const*)
/usr/lib/llvm-7/include/llvm/Support/Casting.h:107
    #4 0x556f7d6d20b5 in llvm::isa_impl_wrap<clang::BinaryOperator, clang::Stmt
const*, clang::Stmt const*>::doit(clang::Stmt const* const&)
/usr/lib/llvm-7/include/llvm/Support/Casting.h:133
    #5 0x556f7d6c9a39 in llvm::isa_impl_wrap<clang::BinaryOperator,
clang::Stmt* const, clang::Stmt const*>::doit(clang::Stmt* const&)
/usr/lib/llvm-7/include/llvm/Support/Casting.h:125
    #6 0x556f7d6c0624 in bool llvm::isa<clang::BinaryOperator,
clang::Stmt*>(clang::Stmt* const&)
/usr/lib/llvm-7/include/llvm/Support/Casting.h:144
    #7 0x556f7d66520d in llvm::cast_retty<clang::BinaryOperator,
clang::Stmt*>::ret_type llvm::dyn_cast<clang::BinaryOperator,
clang::Stmt>(clang::Stmt*) /usr/lib/llvm-7/include/llvm/Support/Casting.h:334
    #8 0x556f7d644fb1 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::dataTraverseNode(clang::Stmt*,
llvm::SmallVectorImpl<llvm::PointerIntPair<clang::Stmt*, 1u, bool,
llvm::PointerLikeTypeTraits<clang::Stmt*>,
llvm::PointerIntPairInfo<clang::Stmt*, 1u,
llvm::PointerLikeTypeTraits<clang::Stmt*> > > >*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:551
    #9 0x556f7d61f388 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseStmt(clang::Stmt*,
llvm::SmallVectorImpl<llvm::PointerIntPair<clang::Stmt*, 1u, bool,
llvm::PointerLikeTypeTraits<clang::Stmt*>,
llvm::PointerIntPairInfo<clang::Stmt*, 1u,
llvm::PointerLikeTypeTraits<clang::Stmt*> > > >*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:654
    #10 0x556f7d6595a4 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseArrayTypeLocHelper(clang::ArrayTypeLoc)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1188
    #11 0x556f7d639dd8 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseConstantArrayTypeLoc(clang::ConstantArrayTypeLoc)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1192
    #12 0x556f7d61e81b in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseTypeLoc(clang::TypeLoc)
/usr/lib/llvm-7/include/clang/AST/TypeNodes.def:71
    #13 0x556f7d623aee in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseDeclaratorHelper(clang::DeclaratorDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1910
    #14 0x556f7d6249a8 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseVarHelper(clang::VarDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:2052
    #15 0x556f7d61288c in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseParmVarDecl(clang::ParmVarDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:2071
    #16 0x556f7d6019a1 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseDecl(clang::Decl*)
/usr/lib/llvm-7/include/clang/AST/DeclNodes.inc:463
    #17 0x556f7d63bb95 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseFunctionProtoTypeLoc(clang::FunctionProtoTypeLoc)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1246
    #18 0x556f7d61ea0a in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseTypeLoc(clang::TypeLoc)
/usr/lib/llvm-7/include/clang/AST/TypeNodes.def:81
    #19 0x556f7d6240e6 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseFunctionHelper(clang::FunctionDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1982
    #20 0x556f7d611809 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseFunctionDecl(clang::FunctionDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:2006
    #21 0x556f7d6016f5 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseDecl(clang::Decl*)
/usr/lib/llvm-7/include/clang/AST/DeclNodes.inc:389
    #22 0x556f7d61e485 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseDeclContextHelper(clang::DeclContext*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1388
    #23 0x556f7d613d34 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseTranslationUnitDecl(clang::TranslationUnitDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1480
    #24 0x556f7d601c4d in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseDecl(clang::Decl*)
/usr/lib/llvm-7/include/clang/AST/DeclNodes.inc:553
    #25 0x556f7d5f6839 in
FunctionDeclASTConsumer::HandleTranslationUnit(clang::ASTContext&)
/tmp/test/main.cpp:34
    #26 0x556f7d900c18 in clang::ParseAST(clang::Sema&, bool, bool)
(/tmp/test/a.out+0x534c18)
    #27 0x556f7d74b495 in clang::FrontendAction::Execute()
(/tmp/test/a.out+0x37f495)
    #28 0x556f7d713b7b in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
(/tmp/test/a.out+0x347b7b)
    #29 0x556f7d6ee743 in
clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>,
clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>,
clang::DiagnosticConsumer*) (/tmp/test/a.out+0x322743)
    #30 0x556f7d6e6efb in clang::tooling::ToolInvocation::runInvocation(char
const*, clang::driver::Compilation*,
std::shared_ptr<clang::CompilerInvocation>,
std::shared_ptr<clang::PCHContainerOperations>) (/tmp/test/a.out+0x31aefb)
    #31 0x556f7d6eb074 in clang::tooling::ToolInvocation::run()
(/tmp/test/a.out+0x31f074)
    #32 0x556f7d6ed5b8 in
clang::tooling::ClangTool::run(clang::tooling::ToolAction*)
(/tmp/test/a.out+0x3215b8)
    #33 0x556f7d5dd16a in main /tmp/test/main.cpp:76
    #34 0x7f5a38939b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #35 0x556f7d5dc629 in _start (/tmp/test/a.out+0x210629)

0x621000047870 is located 880 bytes inside of 4096-byte region
[0x621000047500,0x621000048500)
allocated by thread T0 here:
    #0 0x7f5a39fa7b50 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x556f7d5dd813 in llvm::safe_malloc(unsigned long)
/usr/lib/llvm-7/include/llvm/Support/MemAlloc.h:27
    #2 0x556f7d5ddaff in llvm::MallocAllocator::Allocate(unsigned long,
unsigned long) /usr/lib/llvm-7/include/llvm/Support/Allocator.h:99
    #3 0x556f7d6069e6 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator,
4096ul, 4096ul>::StartNewSlab()
/usr/lib/llvm-7/include/llvm/Support/Allocator.h:346
    #4 0x556f7d5fb4c1 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator,
4096ul, 4096ul>::Allocate(unsigned long, unsigned long)
/usr/lib/llvm-7/include/llvm/Support/Allocator.h:260
    #5 0x556f7e2850f2 in clang::TypedefDecl::Create(clang::ASTContext&,
clang::DeclContext*, clang::SourceLocation, clang::SourceLocation,
clang::IdentifierInfo*, clang::TypeSourceInfo*) (/tmp/test/a.out+0xeb90f2)

SUMMARY: AddressSanitizer: use-after-poison
/usr/lib/llvm-7/include/clang/AST/Stmt.h:392 in clang::Stmt::getStmtClass()
const
Shadow bytes around the buggy address:
  0x0c4280000eb0: 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7 00 00
  0x0c4280000ec0: 00 00 f7 00 00 f7 00 00 00 00 00 00 f7 00 00 00
  0x0c4280000ed0: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
  0x0c4280000ee0: f7 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
  0x0c4280000ef0: 00 00 00 00 f7 f7 00 00 00 00 00 00 00 f7 00 00
=>0x0c4280000f00: 00 00 f7 00 00 00 00 00 00 00 00 00 00 f7[f7]f7
  0x0c4280000f10: f7 f7 00 00 00 00 00 00 00 f7 00 00 00 00 00 f7
  0x0c4280000f20: 00 00 00 00 00 f7 00 00 00 00 00 00 f7 00 00 00
  0x0c4280000f30: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00
  0x0c4280000f40: 00 f7 00 00 00 00 00 00 00 f7 00 00 00 00 00 f7
  0x0c4280000f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13708==ABORTING
