<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - ASan shows wrong crash locations" href="https://bugs.llvm.org/show_bug.cgi?id=43339">43339</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>ASan shows wrong crash locations
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>compiler-rt
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>release blocker
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>asan
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>choller@mozilla.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=22514" name="attach_22514" title="Testcase">attachment 22514</a> <a href="attachment.cgi?id=22514&action=edit" title="Testcase">[details]</a></span>
Testcase

The attached file shows that ASan is printing the wrong crash stacks for
certain crashes:

$ clang++ -O2 -g -fsanitize=address -o test.o test.cpp && ./test.o
If you see a crash in line 34, then ASan is printing the wrong stack.
Calling testCrashFoo...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==28753==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x0000004efe3c bp 0x7ffd0b6721e0 sp 0x7ffd0b672100 T0)
==28753==The signal is caused by a WRITE memory access.
==28753==Hint: address points to the zero page.
    #0 0x4efe3b in main test.cpp:34:5
    #1 0x7f91857c4b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #2 0x41b399 in _start (test.o+0x41b399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV test.cpp:34:5 in main
==28753==ABORTING


Note that ASan claims the crash to be in line 34 while it actually is in line
43. It might be possible to shrink the testcase further; I extracted this from
a live example in mozilla-central. We have had other cases where this happens,
where stacks are pointing to other crash locations, even non-forced ones (ASan
claiming a null-deref somewhere even though the crash is a MOZ_CRASH several
lines further).

I've tested this locally on Clang 7 and Clang Trunk
(3d0fbafd0bce43bb9106230a45d1130f7a40e5ec).

We have tried to analyze the problem further in
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1581584">https://bugzilla.mozilla.org/show_bug.cgi?id=1581584</a> and it seems that this is
not a miscompilation where crash sites are merged. In GDB, it is clearly
visible that the correct crash site is reached and that ASan's signal handler
is called from there. Then ASan produces the wrong stack, suggesting there
might be a problem with ASan's unwinder.


This is a serious problem and has misled developers a few times already.</pre>
        </div>
      </p>
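      <p>The report above is the only artifact most developers see, so it is worth being able to check it mechanically before trusting the line it names. The following is an added example, not code from the bug or from compiler-rt: it parses an ASan deadly-signal report (the sample is the report quoted above with the mail-client line wraps rejoined), cross-checks the fields ASan prints against each other, and emits the <code>llvm-symbolizer</code> invocations needed to re-symbolize the signal pc independently of ASan's own stack. The internal checks all pass for this report, which illustrates the reporter's point: the header, frame #0 and SUMMARY agree with each other, so only symbolizing the pc against the binary (or stepping in GDB, as the reporter did) reveals that line 34 is wrong.</p>

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the SEGV report from the bug text, with the two
# lines the mail client wrapped (the ERROR header and the glibc frame)
# rejoined so they look as ASan actually prints them.
SAMPLE_REPORT = """\
Calling testCrashFoo...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==28753==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004efe3c bp 0x7ffd0b6721e0 sp 0x7ffd0b672100 T0)
==28753==The signal is caused by a WRITE memory access.
==28753==Hint: address points to the zero page.
    #0 0x4efe3b in main test.cpp:34:5
    #1 0x7f91857c4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #2 0x41b399 in _start (test.o+0x41b399)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV test.cpp:34:5 in main
==28753==ABORTING
"""

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address "
    r"(?P<addr>0x[0-9a-f]+) \(pc (?P<pc>0x[0-9a-f]+) bp (?P<bp>0x[0-9a-f]+) "
    r"sp (?P<sp>0x[0-9a-f]+) T(?P<tid>\d+)\)"
)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) (?P<addr>0x[0-9a-f]+) in (?P<func>\S+)(?: (?P<loc>.*))?$"
)
SUMMARY_RE = re.compile(
    r"^SUMMARY: AddressSanitizer: (?P<kind>\S+) (?P<loc>\S+) in (?P<func>\S+)"
)


@dataclass
class Frame:
    index: int
    addr: int   # address as ASan prints it (already adjusted to pc - 1)
    func: str
    loc: str    # "file:line:col", a source path, or "(module+offset)"


@dataclass
class SegvReport:
    pid: int
    kind: str          # e.g. "SEGV"
    fault_addr: int    # address the faulting instruction accessed
    pc: int            # program counter taken from the signal context
    bp: int
    sp: int
    tid: int
    frames: List[Frame]
    summary_loc: Optional[str]
    summary_func: Optional[str]


def parse_asan_segv(text: str) -> SegvReport:
    """Parse one ASan deadly-signal report into its header, frames and SUMMARY."""
    header = None
    frames: List[Frame] = []
    summary = None
    for line in text.splitlines():
        if header is None:
            header = HEADER_RE.match(line)   # everything before the header is program output
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["n"]), int(m["addr"], 16), m["func"], m["loc"] or ""))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = m
    if header is None:
        raise ValueError("no AddressSanitizer deadly-signal header found")
    return SegvReport(
        pid=int(header["pid"]), kind=header["kind"],
        fault_addr=int(header["addr"], 16), pc=int(header["pc"], 16),
        bp=int(header["bp"], 16), sp=int(header["sp"], 16), tid=int(header["tid"]),
        frames=frames,
        summary_loc=summary["loc"] if summary else None,
        summary_func=summary["func"] if summary else None,
    )


def check_report(rep: SegvReport) -> List[str]:
    """Cross-check the printed fields; an empty list means the report is self-consistent.

    ASan symbolizes each frame at the byte before the recorded address, so on
    x86-64 frame #0 of a signal report is pc - 1 (0x4efe3c -> 0x4efe3b above),
    and the SUMMARY line repeats frame #0. Both hold for the bug's report, so
    the wrong line cannot be detected from the report text alone.
    """
    findings: List[str] = []
    if not rep.frames:
        return ["no stack frames printed"]
    top = rep.frames[0]
    if top.addr != rep.pc - 1:
        findings.append(f"frame #0 {top.addr:#x} is not pc-1 ({rep.pc - 1:#x})")
    if rep.summary_loc is not None and rep.summary_loc != top.loc:
        findings.append(f"SUMMARY location {rep.summary_loc} != frame #0 location {top.loc}")
    if rep.summary_func is not None and rep.summary_func != top.func:
        findings.append(f"SUMMARY function {rep.summary_func} != frame #0 function {top.func}")
    return findings


def symbolizer_commands(rep: SegvReport, obj: str) -> List[List[str]]:
    """llvm-symbolizer commands to re-symbolize the pc without ASan's unwinder.

    Both pc (the faulting instruction) and pc - 1 (what ASan attributes) are
    symbolized. Absolute addresses are fine for a non-PIE binary like test.o in
    the report; for a PIE binary use the (module+offset) form from frame #2.
    """
    return [["llvm-symbolizer", f"--obj={obj}", f"{addr:#x}"] for addr in (rep.pc, rep.pc - 1)]


if __name__ == "__main__":
    report = parse_asan_segv(SAMPLE_REPORT)
    print("frame #0:", report.frames[0])
    print("inconsistencies:", check_report(report) or "none")
    for cmd in symbolizer_commands(report, "test.o"):
        print(" ".join(cmd))
```

      <p>Run the printed <code>llvm-symbolizer</code> commands against the binary built with <code>-g</code>; if they name a different line than frame #0 in the report, the discrepancy is in how the stack was produced, not in the debug info, which is the conclusion the Mozilla analysis reached. The parser also handles the usual <code>(module+offset)</code> frames, so it works on reports from PIE binaries where only the offset form is printed.</p>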


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are on the CC list for the bug.</li>
      </ul>
    </body>
</html>