[llvm-bugs] [Bug 47616] New: ASAN use-after-scope for thread-local variables

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Sep 22 12:11:17 PDT 2020


https://bugs.llvm.org/show_bug.cgi?id=47616

            Bug ID: 47616
           Summary: ASAN use-after-scope for thread-local variables
           Product: compiler-rt
           Version: 11.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: asan
          Assignee: unassignedbugs at nondot.org
          Reporter: mvanotti at google.com
                CC: llvm-bugs at lists.llvm.org

It seems like asan is not keeping track of thread-local variables.

```cpp
#include <cstddef>
#include <iostream>
#include <thread>

thread_local int x;

// ASan runtime interface, declared by hand; build with -fsanitize=address.
extern "C" int __asan_address_is_poisoned(void const volatile *addr);
extern "C" void __asan_describe_address(void *addr);
extern "C" void __asan_poison_memory_region(void const volatile *addr,
                                            std::size_t size);

int main() {
  // Shadow state of the main thread's x and of its neighbours.
  std::cout << __asan_address_is_poisoned(&x) << " "
            << __asan_address_is_poisoned(&x + 1) << " "
            << __asan_address_is_poisoned(&x - 1) << std::endl;

  int* p = nullptr;
  x = 1;
  std::thread([&p]() {
    x = 2;
    p = &x;  // the address of the worker thread's x escapes the thread
    std::cout << __asan_address_is_poisoned(p) << " "
              << __asan_address_is_poisoned(p + 1) << " "
              << __asan_address_is_poisoned(p - 1) << std::endl;
    // Poison the worker's x by hand, then print the shadow state again.
    __asan_poison_memory_region(p, sizeof(*p));
    std::cout << __asan_address_is_poisoned(p) << " "
              << __asan_address_is_poisoned(p + 1) << " "
              << __asan_address_is_poisoned(p - 1) << std::endl;
    __asan_describe_address(p);
  }).join();

  // The worker thread has exited; p still holds the address of its x.
  std::cout << &x << " " << &p << std::endl;
  std::cout << __asan_address_is_poisoned(&x) << " "
            << __asan_address_is_poisoned(p) << std::endl;
  __asan_describe_address(&x);
  __asan_describe_address(p);
  // *p reads the exited thread's thread-local variable.
  std::cout << x << " " << *p << std::endl;
  return 0;
}
```

In this example, we are running a thread that takes the address of a
thread-local variable and it checks whether the local variable is poisoned
after the thread ends. It is not.
