<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [UBSAN] segfault with -fsanitize=undefined"
   href="https://bugs.llvm.org/show_bug.cgi?id=33221">33221</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[UBSAN] segfault with -fsanitize=undefined
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>compiler-rt
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>compiler-rt
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>d.khalikov@partner.samsung.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=18534" name="attach_18534" title="ubsan fix for vptr check">attachment 18534</a> <a href="attachment.cgi?id=18534&action=edit" title="ubsan fix for vptr check">[details]</a></span>
ubsan fix for vptr check

Hello everyone.

I have a situation where UBSAN gets a segfault.

Test case (this code is actually a close approximation of the code in the package
groff-1.22.3):

$cat test.cc

class Base {
public:
  Base *next;
  virtual void print() {}   // polymorphic: each object carries a vptr as its first word
};

class Derived : public Base {
public:
  void print() {}
};

enum { SIZE = 2 };

int main() {
  // Raw storage from new char[]: no Derived constructor runs, so the vptr slot
  // holds whatever was already in that memory.
  Derived *list = (Derived *)new char[SIZE * sizeof(Derived)];
  // The vptr check (part of -fsanitize=undefined) fires on this member access
  // and follows the uninitialized vptr.
  list->next = list + 1;
  return 0;
}

$clang++ -o test test.cc -fsanitize=undefined -fsanitize=address
$./test

And we will get the following backtrace:

==3737==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000051a9f2 bp 0x000000531bf8 sp 0x7ffc38852540 T0)
==3737==The signal is caused by a READ memory access.
==3737==Hint: address points to the zero page.
    #0 0x51a9f1 in getVtablePrefix /llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:200
    #1 0x51a9f1 in __ubsan::checkDynamicType(void*, void*, unsigned long) /llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:223
    #2 0x518942 in HandleDynamicTypeCacheMiss(__ubsan::DynamicTypeCacheMissData*, unsigned long, unsigned long, __ubsan::ReportOptions) /llvm/projects/compiler-rt/lib/ubsan/ubsan_handlers_cxx.cc:37
    #3 0x519232 in __ubsan_handle_dynamic_type_cache_miss /llvm/projects/compiler-rt/lib/ubsan/ubsan_handlers_cxx.cc:87
    #4 0x51addd in main (/test/ubsan/test+0x51addd)
    #5 0x7ff8cad7ef44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
    #6 0x41ac9b in _start (/test/ubsan/test+0x41ac9b)


As far as I understand, the vptr is initialized by the constructor of the object. In
this code that doesn't happen: this code uses operator new() for type char, which
doesn't have a default constructor. The standard says:
if a default constructor is not specified
(7.3), no initialization is performed.
So the vptr could contain junk data at the beginning of the object, which
causes a segfault in the function getVtablePrefix.

Should we check Vptr with
if (!IsAccessibleMemoryRange((uptr)Vptr, sizeof(VtablePrefix)))
instead of
if (!Vptr)
?

I've attached a patch for this issue.

Thanks.</pre>
        </div>
      </p>
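<p>The following is an added example, not code from the bug report, from the attached patch, or from compiler-rt itself. It shows the shape of the check the report proposes: before a vptr-based type lookup dereferences a candidate vptr, probe whether the vtable prefix it points at is readable, so an uninitialized (junk) vptr yields "unknown type" instead of a SIGSEGV inside the sanitizer runtime. Assumptions: the Itanium C++ ABI vtable layout (offset-to-top and type_info pointer in the two words before the address the vptr points to; the <code>VtablePrefix</code> struct here is this example's own definition, not compiler-rt's), a POSIX/Linux host where <code>write()</code> from an unmapped buffer fails with <code>EFAULT</code> rather than raising a signal (<code>IsReadableRange</code> is an independent re-implementation of that pipe trick, and <code>GuardedDynamicType</code> is a hypothetical stand-in for the runtime's lookup), and constructed inputs: a properly placement-constructed <code>Derived</code>, a buffer whose first word is a kernel-half address, and a zeroed buffer.</p>

```cpp
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <typeinfo>
#include <unistd.h>

// Itanium C++ ABI: an object's first word (the vptr) points at the vtable's
// function slots; the two words just before hold offset-to-top and the
// type_info pointer. Own definition for this example, same shape as compiler-rt's.
struct VtablePrefix {
  std::ptrdiff_t OffsetToTop;
  const std::type_info *TypeInfo;
};

// Probe readability of [addr, addr + size) without risking SIGSEGV: the kernel
// answers write() from an unmapped/unreadable source with EFAULT instead of a
// signal. Independent re-implementation of the pipe trick (assumption: POSIX).
bool IsReadableRange(const void *addr, std::size_t size) {
  int fds[2];
  if (pipe(fds) != 0) return false;
  bool readable = true;
  const char *p = static_cast<const char *>(addr);
  std::size_t left = size;
  while (left > 0) {
    ssize_t w = write(fds[1], p, left);
    if (w < 0) {
      if (errno == EINTR) continue;
      readable = false;  // EFAULT: the range is not readable from user mode
      break;
    }
    // Drain what was written so a range larger than the pipe buffer cannot block.
    char sink[4096];
    for (ssize_t pending = w; pending > 0;) {
      std::size_t want = pending < (ssize_t)sizeof(sink) ? (std::size_t)pending : sizeof(sink);
      ssize_t r = read(fds[0], sink, want);
      if (r <= 0) break;
      pending -= r;
    }
    p += w;
    left -= static_cast<std::size_t>(w);
  }
  close(fds[0]);
  close(fds[1]);
  return readable;
}

// Hypothetical guarded lookup: returns the type_info reached through the
// object's vptr, or nullptr when the vptr is null or points at unreadable
// memory (the case the bug report's test case triggers).
const std::type_info *GuardedDynamicType(const void *object) {
  std::uintptr_t vtable;
  std::memcpy(&vtable, object, sizeof(vtable));        // the vptr is the first word
  if (vtable == 0) return nullptr;                     // the existing `if (!Vptr)` case
  if (vtable < sizeof(VtablePrefix)) return nullptr;   // prefix address would wrap
  const void *prefix_addr = reinterpret_cast<const void *>(vtable - sizeof(VtablePrefix));
  if (!IsReadableRange(prefix_addr, sizeof(VtablePrefix))) return nullptr;  // junk vptr
  VtablePrefix prefix;
  std::memcpy(&prefix, prefix_addr, sizeof(prefix));
  return prefix.TypeInfo;
}

// Same classes as the bug report's test case.
class Base {
public:
  Base *next;
  virtual void print() {}
};
class Derived : public Base {
public:
  void print() {}
};

// Raw storage as in the report, but the object is then constructed with
// placement new, so its vptr is valid and the lookup succeeds.
bool ConstructedObjectIsRecognised() {
  alignas(Derived) unsigned char storage[sizeof(Derived)];
  Derived *d = new (storage) Derived;
  const std::type_info *ti = GuardedDynamicType(d);
  bool ok = ti != nullptr && *ti == typeid(Derived);
  d->~Derived();
  return ok;
}

// Constructed junk: the first word is an address in the kernel half of the
// address space. Dereferencing it directly would SEGV; the guard declines.
bool JunkVptrIsRejected() {
  alignas(Derived) unsigned char storage[sizeof(Derived)];
  std::uintptr_t junk = ~static_cast<std::uintptr_t>(0) - 0x10000;
  std::memcpy(storage, &junk, sizeof(junk));
  return GuardedDynamicType(storage) == nullptr;
}

// Zeroed storage: caught by the null check that already exists.
bool NullVptrIsRejected() {
  alignas(Derived) unsigned char storage[sizeof(Derived)] = {};
  return GuardedDynamicType(storage) == nullptr;
}

int main() {
  bool all = ConstructedObjectIsRecognised() && JunkVptrIsRejected() && NullVptrIsRejected();
  return all ? 0 : 1;
}
```

<p>The probe costs a pipe and two syscalls per lookup, which is why a runtime would only take this path on the slow (cache-miss) side of the check, as the backtrace above shows is already the case for <code>HandleDynamicTypeCacheMiss</code>. Note also that a junk vptr which happens to land in readable memory passes the probe and yields a bogus <code>type_info</code> pointer; the accessibility check only prevents the crash, it does not validate the vtable.</p>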


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are on the CC list for the bug.</li>
      </ul>
    </body>
</html>