<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - False heap buffer overflow error in ASan after r304824"
href="https://bugs.llvm.org/show_bug.cgi?id=33514">33514</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>False heap buffer overflow error in ASan after r304824
</td>
</tr>
<tr>
<th>Product</th>
<td>new-bugs
</td>
</tr>
<tr>
<th>Version</th>
<td>4.0
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>new bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>hans@chromium.org
</td>
</tr>
<tr>
<th>CC</th>
<td>evstupac@gmail.com, kcc@google.com, llvm-bugs@lists.llvm.org, qcolombet@apple.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=18661" name="attach_18661" title="creduced repro">attachment 18661</a> <a href="attachment.cgi?id=18661&action=edit" title="creduced repro">[details]</a></span>
creduced repro
A Chrome test started failing under ASan after r304824. Reproduction in a
Chromium build:
#include <string>
#include <vector>
using namespace std;
struct DataView {
  DataView() {}
  bool ReadBinary(std::vector<uint8_t> *v) const {
    v->push_back(1);
    return true;
  }
};
void g(const std::string &s) {
  volatile void* p = (volatile void*)&s;
}
bool f(const DataView &data_view) {
  std::vector<uint8_t> binary;
  if (!data_view.ReadBinary(&binary))
    return false;
  g(std::string(binary.data(), binary.data() + binary.size()));
  return true;
}
int main() {
  DataView d;
  f(d);
  return 0;
}
$ ../../third_party/llvm-build/Release+Asserts/bin/clang -fsanitize=address
-fsanitize-coverage=trace-pc-guard -O2 -g1 -nostdinc++
-isystem../../buildtools/third_party/libc++/trunk/include
-isystem../../buildtools/third_party/libc++abi/trunk/include /tmp/a.cc
./libc++.so -Wl,-rpath=\$ORIGIN/. && ASAN_OPTIONS=symbolize=1 ./a.out
=================================================================
==66042==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000011 at pc 0x0000004e4c59 bp 0x7ffd344de930 sp 0x7ffd344de928
READ of size 1 at 0x602000000011 thread T0
#0 0x4e4c58 in __init<unsigned char *>
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/string:1847:35
#1 0x4e4c58 in basic_string<unsigned char *>
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/string:1856
#2 0x4e4c58 in f(DataView const&) /tmp/a.cc:17
#3 0x4e4fe9 in main /tmp/a.cc:23:3
#4 0x7fb6289b7f44 in __libc_start_main
/build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
#5 0x41999b in _start
(/usr/local/google/work/chromium/src/out/asan/a.out+0x41999b)
0x602000000011 is located 0 bytes to the right of 1-byte region
[0x602000000010,0x602000000011)
allocated by thread T0 here:
#0 0x4b9363 in malloc
(/usr/local/google/work/chromium/src/out/asan/a.out+0x4b9363)
#1 0x7fb629a5dc1d in operator new(unsigned long)
out/asan/../../buildtools/third_party/libc++/trunk/src/new.cpp:70:17
#2 0x4e5177 in __allocate
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/new:226:10
#3 0x4e5177 in allocate
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1786
#4 0x4e5177 in allocate
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1541
#5 0x4e5177 in __split_buffer
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__split_buffer:309
#6 0x4e5177 in void std::__1::vector<unsigned char,
std::__1::allocator<unsigned char> >::__push_back_slow_path<unsigned char
const>(unsigned char const&)
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/vector:1572
#7 0x7ffd344de99f (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/string:1847:35
in __init<unsigned char *>
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==66042==ABORTING
Attaching a creduced repro that's harder to read but might be easier to read
and work with:
$ clang -std=c++11 -fsanitize=address -fsanitize-coverage=trace-pc-guard -O2
-g1 /tmp/c.cc && ASAN_OPTIONS=symbolize=1 ./a.out
==67194==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000011 at pc 0x0000005274de bp 0x7ffd10d72850 sp 0x7ffd10d72848</pre>
</div>
</p>
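<p>The shadow-byte dump in the report can be decoded by hand, and doing so shows why ASan flags the 1-byte read at 0x602000000011 against a 1-byte region at [0x602000000010,0x602000000011). The following C program is an added illustration, not part of the bug report or of compiler-rt: it reimplements the x86_64 Linux shadow mapping (Shadow = (Mem &gt;&gt; 3) + 0x7fff8000, the default for that target) and the addressability check that an instrumented load of up to 8 bytes performs, then applies them to a constructed copy of the "=>" shadow row from the report. The shadow row, the row base address and the "treat unknown shadow as poisoned" choice are assumptions made for the demo.</p>

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Default x86_64 Linux ASan mapping: Shadow = (Mem >> 3) + 0x7fff8000.
   Assumption for this demo: the report above was produced with this layout. */
#define ASAN_SHADOW_SCALE 3
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL

uint64_t asan_shadow_addr(uint64_t mem) {
    return (mem >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* Constructed copy of the "=>0x0c047fff8000: fa fa[01]fa ..." row from the report.
   Each shadow byte covers 8 application bytes. */
static const uint64_t kShadowRowBase = 0x0c047fff8000ULL;
static const uint8_t kShadowRow[16] = {
    0xfa, 0xfa, 0x01, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa,
    0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa };

/* Returns the shadow byte guarding `mem`, or -1 if it falls outside the
   constructed row. */
int shadow_byte_for(uint64_t mem) {
    uint64_t s = asan_shadow_addr(mem);
    if (s < kShadowRowBase || s >= kShadowRowBase + sizeof kShadowRow) return -1;
    return kShadowRow[s - kShadowRowBase];
}

/* Mirrors the instrumented check for an access of 1..8 bytes:
   shadow 0      -> whole 8-byte granule addressable;
   shadow k=1..7 -> only the first k bytes of the granule are addressable;
   negative (0x80..0xff, e.g. 0xfa heap redzone) -> poisoned.
   A granule with no shadow in our table is treated as poisoned (demo assumption). */
bool asan_access_poisoned(uint64_t mem, size_t size) {
    if (size == 0 || size > 8) return true;       /* outside the fast-path shape */
    int raw = shadow_byte_for(mem);
    if (raw < 0) return true;
    int8_t k = (int8_t)raw;
    if (k == 0) return false;
    if (k < 0) return true;
    uint64_t last = (mem & 7) + size - 1;         /* offset of the last byte touched */
    return last >= (uint64_t)k;
}

int main(void) {
    const uint64_t region_start = 0x602000000010ULL;   /* from the report */
    const uint64_t bad_addr     = 0x602000000011ULL;   /* from the report */
    printf("shadow of %#llx is %#llx (byte %#x)\n",
           (unsigned long long)bad_addr,
           (unsigned long long)asan_shadow_addr(bad_addr),
           shadow_byte_for(bad_addr));
    printf("1-byte read at region start poisoned? %s\n",
           asan_access_poisoned(region_start, 1) ? "yes" : "no");
    printf("1-byte read at %#llx poisoned? %s\n",
           (unsigned long long)bad_addr,
           asan_access_poisoned(bad_addr, 1) ? "yes" : "no");
    return 0;
}
```

<p>The shadow byte for the granule starting at 0x602000000010 is 0x01, so offset 0 (the one allocated byte) passes and offset 1 fails, which is exactly the "0 bytes to the right of 1-byte region" wording in the report; the neighbouring granules carry 0xfa (heap left redzone) and reject any access. Whether the read itself is a genuine overflow or a miscompile introduced after r304824, as the reporter suspects, is a separate question that the shadow decoding alone cannot answer.</p>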
</body>
</html>