<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - heap-use-after-free in kmp_runtime.cpp:5684:41 in __kmp_free_thread"
href="https://bugs.llvm.org/show_bug.cgi?id=42269">42269</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>heap-use-after-free in kmp_runtime.cpp:5684:41 in __kmp_free_thread
</td>
</tr>
<tr>
<th>Product</th>
<td>OpenMP
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Runtime Library
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>lechen.yu@gatech.edu
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=22094" name="attach_22094" title="OpenMP programs to reproduce the error">attachment 22094</a> <a href="attachment.cgi?id=22094&action=edit" title="OpenMP programs to reproduce the error">[details]</a></span>
OpenMP programs to reproduce the error
We encounter a heap-use-after-free error when using OpenMP device offloading
to x86_64-pc-linux-gnu target. The error is not encountered if we replace
`#pragma omp target` and `#pragma omp teams distribute parallel for`, with
`#pragma omp parallel for`.
I have attached a zip file which contains an OpenMP program to trigger the
error. To reproduce the error, just set up the path of OpenMP install folder in
the Makefile, then execute "make run-error-trigger". This make target will link
AddressSanitizer library into the application but not instrument the
application. The OpenMP runtime we use is instrumented by AddressSanitizer (see
CMake flags below).
The details of our testing environment are listed below.
System: NEC-GPS12G3Rg-1
Processor: Intel Broadwell EP E5-2650v4
OpenMP version: commit 402c7439d7ba1cfa49e205554dfa8087a5a64313 on master
branch
CMake flags: -DCMAKE_BUILD_TYPE=Debug
-DLIBOMPTARGET_NVPTX_COMPUTE_CAPABILITIES=35,60,70
-DLIBOMP_CXXFLAGS=-fsanitize=address
AddressSanitizer report:
=================================================================
==172788==ERROR: AddressSanitizer: heap-use-after-free on address
0x60c00000170c at pc 0x2ad3e4ec58dc bp 0x7ffc6c744880 sp 0x7ffc6c744878
READ of size 4 at 0x60c00000170c thread T0
#0 0x2ad3e4ec58db in __kmp_free_thread
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:5684:41
#1 0x2ad3e4ec3777 in __kmp_free_team
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:5573:7
#2 0x2ad3e4ed017a in __kmp_reset_root(int, kmp_root*)
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:3974:3
#3 0x2ad3e4ecf9a7 in __kmp_unregister_root_current_thread(int)
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:4070:3
#4 0x2ad3e4edb7c6 in __kmp_internal_end_library
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:6256:9
#5 0x2ad3e4edb154 in __kmp_internal_end_atexit
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:5957:3
#6 0x2ad3e4edb0d8 in __kmp_internal_end_dtor
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:5923:3
#7 0x2ad3e4235fb9 in _dl_fini
/usr/src/debug/glibc-2.17-c758a686/elf/dl-fini.c:253
#8 0x2ad3e57eeb68 in __run_exit_handlers
/usr/src/debug/glibc-2.17-c758a686/stdlib/exit.c:77
#9 0x2ad3e57eebb6 in __GI_exit
/usr/src/debug/glibc-2.17-c758a686/stdlib/exit.c:99
#10 0x2ad3e57d73db in __libc_start_main
/usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:300
#11 0x41ad99 in _start
(/rwthfs/rz/cluster/home/zm006271/Repository/OpenMP/tool/SimpleOMPTTool/app+0x41ad99)
0x60c00000170c is located 76 bytes inside of 120-byte region
[0x60c0000016c0,0x60c000001738)
freed by thread T0 here:
#0 0x4c63c2 in __interceptor_free
/w0/tmp/jh366276/LLVM/8.0.0/src-8.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x2ad3e4df1457 in ___kmp_free
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_alloc.cpp:1796:3
#2 0x2ad3e4e65fdb in __kmpc_fork_teams
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_csupport.cpp:443:3
#3 0x2ad3ebf7998a (<unknown module>)
#4 0x2ad3ebf79dc3 (<unknown module>)
#5 0x2ad3ea38bdcb in ffi_call_unix64 (/lib64/libffi.so.6+0x5dcb)
previously allocated by thread T0 here:
#0 0x4c6743 in malloc
/w0/tmp/jh366276/LLVM/8.0.0/src-8.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x2ad3e4dfa105 in ___kmp_allocate_align(unsigned long, unsigned long,
char const*, int)
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_alloc.cpp:1685:25
#2 0x2ad3e4df6f60 in ___kmp_allocate
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_alloc.cpp:1739:9
#3 0x2ad3e4eb86a5 in __kmp_teams_master
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:7220:41
#4 0x2ad3e4edf3ac in __kmp_invoke_teams_master
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:7265:3
#5 0x2ad3e4eb2f88 in __kmp_fork_call
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:1870:11
#6 0x2ad3e4e65d22 in __kmpc_fork_teams
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_csupport.cpp:419:3
#7 0x2ad3ebf7998a (<unknown module>)
#8 0x2ad3ebf79dc3 (<unknown module>)
#9 0x2ad3ea38bdcb in ffi_call_unix64 (/lib64/libffi.so.6+0x5dcb)
SUMMARY: AddressSanitizer: heap-use-after-free
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:5684:41
in __kmp_free_thread
Shadow bytes around the buggy address:
0x0c187fff8290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c187fff82a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fff82b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c187fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c187fff82d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c187fff82e0: fd[fd]fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c187fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==172788==ABORTING
make: *** [run-notool] Error 1</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>