<html>
<head>
<base href="https://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - UBSan complains about map::__find_equal_key (invalid upcast)"
href="https://llvm.org/bugs/show_bug.cgi?id=31402">31402</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>UBSan complains about map::__find_equal_key (invalid upcast)
</td>
</tr>
<tr>
<th>Product</th>
<td>libc++
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>All Bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedclangbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>vsk@apple.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org, mclow.lists@gmail.com
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>UBSan complains about an invalid upcast in map::__find_equal_key. Here are the
steps I took to reproduce this issue:
1) Check out a ToT llvm and libcxx.
2) Revert r264989 from the libcxx checkout. That's:
    "Fix LWG issue 2469 - Use piecewise construction in map::operator[]."
3) Configure llvm with this cmake command:
    cmake -G Ninja \
      -DLLVM_TARGETS_TO_BUILD="X86;ARM;AArch64" \
      -DCMAKE_BUILD_TYPE:STRING=Release \
      -DLLVM_ENABLE_ASSERTIONS:BOOL=On \
      -DLLVM_USE_SANITIZER=Undefined \
      ..
   It's important to use "Release". This is an -fsanitize=object-size violation,
   so we need optimizations on to trigger it.
4) Make sure we're building with our libcxx checkout. E.g:
    $ export CCC_OVERRIDE_OPTIONS="+-I/Users/vk/Desktop/llvm/projects/libcxx"
   The QA override is a convenient way to do this.
5) Build the lib/Target/ARM/ARMGenAsmMatcher.inc target. E.g:
    $ ninja -v lib/Target/ARM/ARMGenAsmMatcher.inc
6) I then get:
FAILED: lib/Target/ARM/ARMGenAsmMatcher.inc.tmp
cd /Users/vk/Desktop/llvm/ubsan-R/lib/Target/ARM &&
/Users/vk/Desktop/llvm/ubsan-R/bin/llvm-tblgen -gen-asm-matcher -I
/Users/vk/Desktop/llvm/lib/Target/ARM -I /Users/vk/Desktop/llvm/include -I
/Users/vk/Desktop/llvm/lib/Target /Users/vk/Desktop/llvm/lib/Target/ARM/ARM.td
-o /Users/vk/Desktop/llvm/ubsan-R/lib/Target/ARM/ARMGenAsmMatcher.inc.tmp
/Users/vk/Desktop/llvm/projects/libcxx/include/map:1382:16: runtime error:
downcast of address 0x7fff5c878208 with insufficient space for an object of
type 'std::__1::__tree_node_base<void *>'
0x7fff5c878208: note: pointer points here
ff 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 01 73 65 72
73 2f 76 74 bd 64 03
^
0 llvm-tblgen 0x000000010354dff6 llvm::sys::RunSignalHandlers() +
118
1 llvm-tblgen 0x000000010354f6e1 SignalHandler(int) + 321
2 libsystem_platform.dylib 0x00007fffb6d2cfba _sigtramp + 26
Stack dump:
0. Program arguments: /Users/vk/Desktop/llvm/ubsan-R/bin/llvm-tblgen
-gen-asm-matcher -I /Users/vk/Desktop/llvm/lib/Target/ARM -I
/Users/vk/Desktop/llvm/include -I /Users/vk/Desktop/llvm/lib/Target
/Users/vk/Desktop/llvm/lib/Target/ARM/ARM.td -o
/Users/vk/Desktop/llvm/ubsan-R/lib/Target/ARM/ARMGenAsmMatcher.inc.tmp
/bin/sh: line 1: 59222 Abort trap: 6
/Users/vk/Desktop/llvm/ubsan-R/bin/llvm-tblgen -gen-asm-matcher -I
/Users/vk/Desktop/llvm/lib/Target/ARM -I /Users/vk/Desktop/llvm/include -I
/Users/vk/Desktop/llvm/lib/Target /Users/vk/Desktop/llvm/lib/Target/ARM/ARM.td
-o /Users/vk/Desktop/llvm/ubsan-R/lib/Target/ARM/ARMGenAsmMatcher.inc.tmp
ninja: build stopped: subcommand failed.
I believe the issue is masked on our bots by r264989 because we stop calling
__find_equal_key as often.</pre>
</div>
</p>
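<p>Added example (not part of the original report and not libc++ code): a simplified C++ model of the kind of cast the diagnostic above describes, where a one-pointer sentinel is handed out as a pointer to a larger node type, shown beside a form that keeps the sentinel's own type. The names EndNode, NodeBase, Node, Tree, Pos, parent_flagged, find_equal and insert are hypothetical, and the layout is an assumption made for illustration.</p>

```cpp
// Hypothetical, simplified layout; these are not libc++'s definitions.
struct EndNode { EndNode* left = nullptr; };      // sentinel: one pointer
struct NodeBase : EndNode {                       // real node: larger object
    NodeBase* right = nullptr;
    EndNode* parent = nullptr;
    bool is_black = false;
};
struct Node : NodeBase { int key = 0; };
static_assert(sizeof(EndNode) < sizeof(NodeBase), "sentinel is the smaller type");

struct Tree {
    EndNode end;   // only sizeof(EndNode) bytes exist at this address
    Node* root() const { return static_cast<Node*>(end.left); }
};

// Flagged form: hands the sentinel out as NodeBase*. Nothing is read past it,
// but the cast claims sizeof(NodeBase) bytes where only sizeof(EndNode) exist.
inline NodeBase* parent_flagged(Tree& t) { return static_cast<NodeBase*>(&t.end); }

// Corrected form: the parent is typed as the sentinel's own type, and a
// downcast happens only on a branch where the parent is known to be a real node.
struct Pos { EndNode* parent; bool left; Node* found; };

Pos find_equal(Tree& t, int key) {
    Pos p{&t.end, true, nullptr};
    for (Node* n = t.root(); n != nullptr;) {
        if (key == n->key) { p.found = n; return p; }
        p.parent = n;
        p.left = key < n->key;
        n = static_cast<Node*>(p.left ? n->left : n->right);
    }
    return p;
}

bool insert(Tree& t, Node& n) {
    Pos p = find_equal(t, n.key);
    if (p.found) return false;                 // key already present
    n.parent = p.parent;
    if (p.left) p.parent->left = &n;           // valid for sentinel and nodes
    else static_cast<NodeBase*>(p.parent)->right = &n;  // parent was a Node
    return true;
}
```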
</body>
</html>