<html>
    <head>
      <base href="http://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - use-after-free in PrecompilePreambleAction::shouldEraseOutputFiles during clang/asan bootstrap"
   href="http://llvm.org/bugs/show_bug.cgi?id=16295">16295</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>use-after-free in PrecompilePreambleAction::shouldEraseOutputFiles during clang/asan bootstrap
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>new-bugs
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>new bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedclangbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>kcc@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>eugeni.stepanov@gmail.com, llvmbugs@cs.uiuc.edu, samsonov@google.com
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>At LLVM r183732.
1. Build clang and asan as usual
2. Build new clang with asan: 
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_ASSERTIONS=ON \
-DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ \
-DCMAKE_EXPORT_COMPILE_COMMANDS=ON  -DLLVM_ENABLE_WERROR=ON  ~/llvm/ \
-DLLVM_USE_SANITIZER=Address -GNinja
3. Run 'check-clang' or simply 
env CINDEXTEST_EDITING=1 ./bin/c-index-test \
-file-includes-in=~/llvm/tools/clang/test/Index/file-includes.c \
~/llvm/tools/clang/test/Index/file-includes.c

Report: 

==5833==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e00000faf1
at pc 0x7f3453333285 bp 0x7f344bffdc60 sp 0x7f344bffdc58
READ of size 1 at 0x61e00000faf1 thread T3
    #0 0x7f3453333284 in (anonymous
namespace)::PrecompilePreambleAction::shouldEraseOutputFiles()
llvm/tools/clang/include/clang/Serialization/ASTWriter.h:768
    #1 0x7f34533baac0 in clang::FrontendAction::EndSourceFile()
llvm/tools/clang/lib/Frontend/FrontendAction.cpp:434
    #2 0x7f345332107a in
clang::ASTUnit::getMainBufferWithPrecompiledPreamble(clang::CompilerInvocation
const&, bool, unsigned int) llvm/tools/clang/lib/Frontend/ASTUnit.cpp:1631
    #3 0x7f3453327eae in clang::ASTUnit::Reparse(std::pair&lt;std::string,
llvm::PointerUnion&lt;char const*, llvm::MemoryBuffer const*&gt; &gt;*, unsigned int)
llvm/tools/clang/lib/Frontend/ASTUnit.cpp:2103
    #4 0x7f3452c2a86a in clang_reparseTranslationUnit_Impl(void*)
llvm/tools/clang/tools/libclang/CIndex.cpp:2910
    #5 0x7f3452d7c68e in llvm::CrashRecoveryContext::RunSafely(void (*)(void*),
void*) llvm/lib/Support/CrashRecoveryContext.cpp:308
    #6 0x7f3452d7ca30 in RunSafelyOnThread_Dispatch(void*)
llvm/lib/Support/CrashRecoveryContext.cpp:339
    #7 0x7f3452dcd4ef in ExecuteOnThread_Dispatch(void*)
llvm/lib/Support/Threading.cpp:75
    #8 0x42db23 in __asan::AsanThread::ThreadStart(unsigned long)
llvm/projects/compiler-rt/lib/asan/asan_thread.cc:139
    #9 0x7f3455eb7e99 in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99)
    #10 0x7f34517f1ccc (/lib/x86_64-linux-gnu/libc.so.6+0xf3ccc)
0x61e00000faf1 is located 2673 bytes inside of 2720-byte region
[0x61e00000f080,0x61e00000fb20)
freed by thread T3 here:
    #0 0x426e21 in operator delete(void*)
llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:83
    #1 0x7f34533ba50e in clang::FrontendAction::EndSourceFile()
llvm/tools/clang/lib/Frontend/FrontendAction.cpp:416
    #2 0x7f345332107a in
clang::ASTUnit::getMainBufferWithPrecompiledPreamble(clang::CompilerInvocation
const&, bool, unsigned int) llvm/tools/clang/lib/Frontend/ASTUnit.cpp:1631
    #3 0x7f3453327eae in clang::ASTUnit::Reparse(std::pair&lt;std::string,
llvm::PointerUnion&lt;char const*, llvm::MemoryBuffer const*&gt; &gt;*, unsigned int)
llvm/tools/clang/lib/Frontend/ASTUnit.cpp:2103
    #4 0x7f3452c2a86a in clang_reparseTranslationUnit_Impl(void*)
llvm/tools/clang/tools/libclang/CIndex.cpp:2910
    #5 0x7f3452d7c68e in llvm::CrashRecoveryContext::RunSafely(void (*)(void*),
void*) llvm/lib/Support/CrashRecoveryContext.cpp:308
    #6 0x7f3452d7ca30 in RunSafelyOnThread_Dispatch(void*)
llvm/lib/Support/CrashRecoveryContext.cpp:339
    #7 0x7f3452dcd4ef in ExecuteOnThread_Dispatch(void*)
llvm/lib/Support/Threading.cpp:75
    #8 0x42db23 in __asan::AsanThread::ThreadStart(unsigned long)
llvm/projects/compiler-rt/lib/asan/asan_thread.cc:139
previously allocated by thread T3 here:
    #0 0x426ba1 in operator new(unsigned long)
llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:52
    #1 0x7f3453332d5a in (anonymous
namespace)::PrecompilePreambleAction::CreateASTConsumer(clang::CompilerInstance&,
llvm::StringRef) llvm/tools/clang/lib/Frontend/ASTUnit.cpp:1034
    #2 0x7f34533b5f59 in
clang::FrontendAction::CreateWrappedASTConsumer(clang::CompilerInstance&,
llvm::StringRef) llvm/tools/clang/lib/Frontend/FrontendAction.cpp:130
    #3 0x7f34533b913c in
clang::FrontendAction::BeginSourceFile(clang::CompilerInstance&,
clang::FrontendInputFile const&)
llvm/tools/clang/lib/Frontend/FrontendAction.cpp:285
    #4 0x7f345332105a in
clang::ASTUnit::getMainBufferWithPrecompiledPreamble(clang::CompilerInvocation
const&, bool, unsigned int) llvm/tools/clang/lib/Frontend/ASTUnit.cpp:1621
    #5 0x7f3453327eae in clang::ASTUnit::Reparse(std::pair&lt;std::string,
llvm::PointerUnion&lt;char const*, llvm::MemoryBuffer const*&gt; &gt;*, unsigned int)
llvm/tools/clang/lib/Frontend/ASTUnit.cpp:2103
    #6 0x7f3452c2a86a in clang_reparseTranslationUnit_Impl(void*)
llvm/tools/clang/tools/libclang/CIndex.cpp:2910
    #7 0x7f3452d7c68e in llvm::CrashRecoveryContext::RunSafely(void (*)(void*),
void*) llvm/lib/Support/CrashRecoveryContext.cpp:308
    #8 0x7f3452d7ca30 in RunSafelyOnThread_Dispatch(void*)
llvm/lib/Support/CrashRecoveryContext.cpp:339
    #9 0x7f3452dcd4ef in ExecuteOnThread_Dispatch(void*)
llvm/lib/Support/Threading.cpp:75
    #10 0x42db23 in __asan::AsanThread::ThreadStart(unsigned long)
llvm/projects/compiler-rt/lib/asan/asan_thread.cc:139
Thread T3 created by T1 here:
    #0 0x41c078 in pthread_create
llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:148
    #1 0x7f3452dcd42d in llvm::llvm_execute_on_thread(void (*)(void*), void*,
unsigned int) llvm/lib/Support/Threading.cpp:96
    #2 0x7f3452d7c971 in llvm::CrashRecoveryContext::RunSafelyOnThread(void
(*)(void*), void*, unsigned int) llvm/lib/Support/CrashRecoveryContext.cpp:344
    #3 0x7f3452c2a04c in RunSafely
llvm/tools/clang/tools/libclang/CIndex.cpp:6378
    #4 0x7f3452c2a04c in clang_reparseTranslationUnit
llvm/tools/clang/tools/libclang/CIndex.cpp:2932
    #5 0x444590 in find_file_includes_in
llvm/tools/clang/tools/c-index-test/c-index-test.c:2316
    #6 0x444590 in cindextest_main
llvm/tools/clang/tools/c-index-test/c-index-test.c:3801
    #7 0x4479d4 in thread_runner
llvm/tools/clang/tools/c-index-test/c-index-test.c:3890
    #8 0x7f3452dcd4ef in ExecuteOnThread_Dispatch(void*)
llvm/lib/Support/Threading.cpp:75
    #9 0x42db23 in __asan::AsanThread::ThreadStart(unsigned long)
llvm/projects/compiler-rt/lib/asan/asan_thread.cc:139
Thread T1 created by T0 here:
    #0 0x41c078 in pthread_create
llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:148
    #1 0x7f3452dcd42d in llvm::llvm_execute_on_thread(void (*)(void*), void*,
unsigned int) llvm/lib/Support/Threading.cpp:96
    #2 0x447b01 in main llvm/tools/clang/tools/c-index-test/c-index-test.c:3908
    #3 0x7f345171f76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
SUMMARY: AddressSanitizer: heap-use-after-free
llvm/tools/clang/include/clang/Serialization/ASTWriter.h:768 (anonymous
namespace)::PrecompilePreambleAction::shouldEraseOutputFiles()



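Reading the report: the faulting read (FrontendAction.cpp:434) and the free
(FrontendAction.cpp:416) both happen inside clang::FrontendAction::EndSourceFile(),
reached from the same call site (ASTUnit.cpp:1631) on thread T3, so
shouldEraseOutputFiles() is consulted after the object it reads from has already
been deleted. The freed 2720-byte object was allocated in
PrecompilePreambleAction::CreateASTConsumer() (ASTUnit.cpp:1034).

Suspected revision: r183717</pre>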
        </div>
      </p>
    </body>
</html>