<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Undefined behavior- and address sanitizer fails to detect invalid vptr and use-after-free"
   href="https://bugs.llvm.org/show_bug.cgi?id=39805">39805</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Undefined behavior- and address sanitizer fails to detect invalid vptr and use-after-free
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>compiler-rt
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>7.0
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>ubsan
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>idart@hotmail.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>The undefined behavior sanitizer fails to detect the invalid vptr in the example
below.

In addition, the address sanitizer fails to detect the use-after-free.

This holds even if the interface and classes are in different translation
units.

//-----
#include <iostream>
#include <memory>
#include <string>


namespace {


// Abstract status sink. StatusImpl implements it; User holds a reference to it.
class StatusIntf
{
public:
    virtual ~StatusIntf() = default;
    virtual void updateStatus(const std::string& status) = 0;
};


// Concrete sink: remembers the last status string and echoes it to stdout.
// The destructor prints a marker so the destruction order shows up in the output.
class StatusImpl : public StatusIntf
{
public:
    ~StatusImpl() override
    {
        std::cout << "Status Implementation deleted" << std::endl;
    }

    void updateStatus(const std::string& status) override
    {
        status_ = status;
        std::cout << "Status is: " << status_ << std::flush << std::endl;
    }

private:
    std::string status_;
};


// Non-owning client of a StatusIntf. It stores only a reference, so whoever
// creates a User must keep the referenced object alive for as long as the User
// exists -- including during ~User(), which still calls through the reference.
class User
{
public:
    User(StatusIntf& statusUpdater) : statusUpdater_(statusUpdater) {}

    // Virtual call through the stored reference. If the referent has already
    // been destroyed this is a call on a dead object (undefined behaviour).
    ~User()
    {
        statusUpdater_.updateStatus("Ending");
    }

private:
    StatusIntf& statusUpdater_;
};


// Reproducer for the lifetime bug. Members are destroyed in reverse declaration
// order, so statusUpdater_ (declared last) is destroyed first, and only then is
// user_ released -- at which point ~User() calls updateStatus() on the
// already-destroyed StatusImpl subobject.
//
// Why the sanitizers stay quiet, as far as this code shows: statusUpdater_ is a
// member subobject, not a separate allocation, so nothing is ever freed; its
// bytes stay inside the still-live Keeper object until Keeper's own storage
// goes away. ASan tracks freed heap and out-of-scope stack regions, so
// presumably it has nothing to flag here (TODO confirm against the ASan
// poisoning rules). Whether the vptr check fires depends on what the
// destructor chain leaves in the vptr; per the report, g++-8 reports
// "object has invalid vptr" while clang 6/7 does not.
//
// Fix for real code: declare statusUpdater_ before user_ so that it outlives
// the User, or give User shared ownership instead of a bare reference.
class Keeper
{
public:
    Keeper()
    {
        // Runs after both members are constructed, so the reference handed
        // to User is valid here; the problem is only on the way out.
        user_ = std::make_unique<User>(statusUpdater_);
    }

private:
    // Note the declaration order:
    // 'statusUpdater_' will be destroyed before 'user_'.
    std::unique_ptr<User> user_;
    StatusImpl statusUpdater_;
};


}


// Entry point of the reproducer: a Keeper is created in main's stack frame and
// destroyed at scope exit, which is where the erroneous call happens. No
// heap allocation is freed before that call, so there is no use-after-free in
// the ASan sense -- only a use of a destroyed member subobject.
int main()
{
    Keeper keeper{};
    return 0;
}
//-----

Compiled with:
clang++ -std=c++14 -stdlib=libc++ -fsanitize=undefined,address
-fno-sanitize-recover=undefined -fPIC -fno-omit-frame-pointer -O2 -g

Tried Clang 6.0.1 and 7.0.0 on Linux (x86-64) and the version that ships with
Xcode 10.1 on macOS (identifying itself as clang-1000.11.45.5).

g++-8 detects the vptr issue and reports an "object has invalid vptr" error. But
its address sanitizer also fails to detect the use-after-free.</pre>
        </div>
      </p>


    </body>
</html>