<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - AddressSanitizer use-after-poison error when optimisation is disabled"
href="https://bugs.llvm.org/show_bug.cgi?id=44972">44972</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>AddressSanitizer use-after-poison error when optimisation is disabled
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>7.0
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Core LLVM classes
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>carlier.lau@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=23149" name="attach_23149" title="Reproduction scenario">attachment 23149</a></span>
Reproduction scenario
Hi,
I'm getting the following error from AddressSanitizer whenever I'm compiling my
tool without the optimisation. I'm using LLVM 7.0.
I've managed to isolate the issue and I attached the reproduction scenario to
the ticket.
The dummy compile.sh script gives the command to compile the tool (in
main.cpp).
Just run the executable to see the error.
lcarlier@lcarlier-mate[/tmp/test]# ./a.out
=================================================================
==13708==ERROR: AddressSanitizer: use-after-poison on address 0x621000047870 at
pc 0x556f7d5e2d5b bp 0x7fff01897cc0 sp 0x7fff01897cb0
READ of size 1 at 0x621000047870 thread T0
#0 0x556f7d5e2d5a in clang::Stmt::getStmtClass() const
/usr/lib/llvm-7/include/clang/AST/Stmt.h:392
#1 0x556f7d5e4c72 in clang::BinaryOperator::classof(clang::Stmt const*)
/usr/lib/llvm-7/include/clang/AST/Expr.h:3301
#2 0x556f7d6da812 in llvm::isa_impl<clang::BinaryOperator, clang::Stmt,
void>::doit(clang::Stmt const&)
/usr/lib/llvm-7/include/llvm/Support/Casting.h:59
#3 0x556f7d6d8254 in llvm::isa_impl_cl<clang::BinaryOperator, clang::Stmt
const*>::doit(clang::Stmt const*)
/usr/lib/llvm-7/include/llvm/Support/Casting.h:107
#4 0x556f7d6d20b5 in llvm::isa_impl_wrap<clang::BinaryOperator, clang::Stmt
const*, clang::Stmt const*>::doit(clang::Stmt const* const&)
/usr/lib/llvm-7/include/llvm/Support/Casting.h:133
#5 0x556f7d6c9a39 in llvm::isa_impl_wrap<clang::BinaryOperator,
clang::Stmt* const, clang::Stmt const*>::doit(clang::Stmt* const&)
/usr/lib/llvm-7/include/llvm/Support/Casting.h:125
#6 0x556f7d6c0624 in bool llvm::isa<clang::BinaryOperator,
clang::Stmt*>(clang::Stmt* const&)
/usr/lib/llvm-7/include/llvm/Support/Casting.h:144
#7 0x556f7d66520d in llvm::cast_retty<clang::BinaryOperator,
clang::Stmt*>::ret_type llvm::dyn_cast<clang::BinaryOperator,
clang::Stmt>(clang::Stmt*) /usr/lib/llvm-7/include/llvm/Support/Casting.h:334
#8 0x556f7d644fb1 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::dataTraverseNode(clang::Stmt*,
llvm::SmallVectorImpl<llvm::PointerIntPair<clang::Stmt*, 1u, bool,
llvm::PointerLikeTypeTraits<clang::Stmt*>,
llvm::PointerIntPairInfo<clang::Stmt*, 1u,
llvm::PointerLikeTypeTraits<clang::Stmt*> > > >*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:551
#9 0x556f7d61f388 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseStmt(clang::Stmt*,
llvm::SmallVectorImpl<llvm::PointerIntPair<clang::Stmt*, 1u, bool,
llvm::PointerLikeTypeTraits<clang::Stmt*>,
llvm::PointerIntPairInfo<clang::Stmt*, 1u,
llvm::PointerLikeTypeTraits<clang::Stmt*> > > >*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:654
#10 0x556f7d6595a4 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseArrayTypeLocHelper(clang::ArrayTypeLoc)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1188
#11 0x556f7d639dd8 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseConstantArrayTypeLoc(clang::ConstantArrayTypeLoc)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1192
#12 0x556f7d61e81b in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseTypeLoc(clang::TypeLoc)
/usr/lib/llvm-7/include/clang/AST/TypeNodes.def:71
#13 0x556f7d623aee in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseDeclaratorHelper(clang::DeclaratorDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1910
#14 0x556f7d6249a8 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseVarHelper(clang::VarDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:2052
#15 0x556f7d61288c in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseParmVarDecl(clang::ParmVarDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:2071
#16 0x556f7d6019a1 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseDecl(clang::Decl*)
/usr/lib/llvm-7/include/clang/AST/DeclNodes.inc:463
#17 0x556f7d63bb95 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseFunctionProtoTypeLoc(clang::FunctionProtoTypeLoc)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1246
#18 0x556f7d61ea0a in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseTypeLoc(clang::TypeLoc)
/usr/lib/llvm-7/include/clang/AST/TypeNodes.def:81
#19 0x556f7d6240e6 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseFunctionHelper(clang::FunctionDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1982
#20 0x556f7d611809 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseFunctionDecl(clang::FunctionDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:2006
#21 0x556f7d6016f5 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseDecl(clang::Decl*)
/usr/lib/llvm-7/include/clang/AST/DeclNodes.inc:389
#22 0x556f7d61e485 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseDeclContextHelper(clang::DeclContext*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1388
#23 0x556f7d613d34 in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseTranslationUnitDecl(clang::TranslationUnitDecl*)
/usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1480
#24 0x556f7d601c4d in
clang::RecursiveASTVisitor<FunctionDeclASTVisitor>::TraverseDecl(clang::Decl*)
/usr/lib/llvm-7/include/clang/AST/DeclNodes.inc:553
#25 0x556f7d5f6839 in
FunctionDeclASTConsumer::HandleTranslationUnit(clang::ASTContext&)
/tmp/test/main.cpp:34
#26 0x556f7d900c18 in clang::ParseAST(clang::Sema&, bool, bool)
(/tmp/test/a.out+0x534c18)
#27 0x556f7d74b495 in clang::FrontendAction::Execute()
(/tmp/test/a.out+0x37f495)
#28 0x556f7d713b7b in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
(/tmp/test/a.out+0x347b7b)
#29 0x556f7d6ee743 in
clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>,
clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>,
clang::DiagnosticConsumer*) (/tmp/test/a.out+0x322743)
#30 0x556f7d6e6efb in clang::tooling::ToolInvocation::runInvocation(char
const*, clang::driver::Compilation*,
std::shared_ptr<clang::CompilerInvocation>,
std::shared_ptr<clang::PCHContainerOperations>) (/tmp/test/a.out+0x31aefb)
#31 0x556f7d6eb074 in clang::tooling::ToolInvocation::run()
(/tmp/test/a.out+0x31f074)
#32 0x556f7d6ed5b8 in
clang::tooling::ClangTool::run(clang::tooling::ToolAction*)
(/tmp/test/a.out+0x3215b8)
#33 0x556f7d5dd16a in main /tmp/test/main.cpp:76
#34 0x7f5a38939b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#35 0x556f7d5dc629 in _start (/tmp/test/a.out+0x210629)
0x621000047870 is located 880 bytes inside of 4096-byte region
[0x621000047500,0x621000048500)
allocated by thread T0 here:
#0 0x7f5a39fa7b50 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x556f7d5dd813 in llvm::safe_malloc(unsigned long)
/usr/lib/llvm-7/include/llvm/Support/MemAlloc.h:27
#2 0x556f7d5ddaff in llvm::MallocAllocator::Allocate(unsigned long,
unsigned long) /usr/lib/llvm-7/include/llvm/Support/Allocator.h:99
#3 0x556f7d6069e6 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator,
4096ul, 4096ul>::StartNewSlab()
/usr/lib/llvm-7/include/llvm/Support/Allocator.h:346
#4 0x556f7d5fb4c1 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator,
4096ul, 4096ul>::Allocate(unsigned long, unsigned long)
/usr/lib/llvm-7/include/llvm/Support/Allocator.h:260
#5 0x556f7e2850f2 in clang::TypedefDecl::Create(clang::ASTContext&,
clang::DeclContext*, clang::SourceLocation, clang::SourceLocation,
clang::IdentifierInfo*, clang::TypeSourceInfo*) (/tmp/test/a.out+0xeb90f2)
SUMMARY: AddressSanitizer: use-after-poison
/usr/lib/llvm-7/include/clang/AST/Stmt.h:392 in clang::Stmt::getStmtClass()
const
Shadow bytes around the buggy address:
0x0c4280000eb0: 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7 00 00
0x0c4280000ec0: 00 00 f7 00 00 f7 00 00 00 00 00 00 f7 00 00 00
0x0c4280000ed0: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
0x0c4280000ee0: f7 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
0x0c4280000ef0: 00 00 00 00 f7 f7 00 00 00 00 00 00 00 f7 00 00
=>0x0c4280000f00: 00 00 f7 00 00 00 00 00 00 00 00 00 00 f7[f7]f7
0x0c4280000f10: f7 f7 00 00 00 00 00 00 00 f7 00 00 00 00 00 f7
0x0c4280000f20: 00 00 00 00 00 f7 00 00 00 00 00 00 f7 00 00 00
0x0c4280000f30: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00
0x0c4280000f40: 00 f7 00 00 00 00 00 00 00 f7 00 00 00 00 00 f7
0x0c4280000f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13708==ABORTING</pre>
</div>
</p>
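<p>Added example, not part of the original report or of LLVM: a small triage script that maps the faulting address from the report above to its shadow byte, checks it against the <code>[f7]</code> marker, and recovers the application-address range of the surrounding poisoned run. It assumes the default x86-64 Linux ASan shadow mapping (scale 3, offset 0x7fff8000); the function names are hypothetical and the sample text is an excerpt of the report with the fault line shortened.</p>

```python
import re

# Assumption: default ASan mapping on x86-64 Linux, shadow = (addr >> 3) + 0x7fff8000
SHADOW_SCALE, SHADOW_OFFSET = 3, 0x7FFF8000
# Subset of the legend printed in the report
LEGEND = {0x00: "addressable", 0xF7: "poisoned by user",
          0xFA: "heap left redzone", 0xFD: "freed heap region"}

# Excerpt of the report above: shortened fault line plus three shadow rows
REPORT = """\
==13708==ERROR: AddressSanitizer: use-after-poison on address 0x621000047870 at
0x0c4280000ef0: 00 00 00 00 f7 f7 00 00 00 00 00 00 00 f7 00 00
=>0x0c4280000f00: 00 00 f7 00 00 00 00 00 00 00 00 00 00 f7[f7]f7
0x0c4280000f10: f7 f7 00 00 00 00 00 00 00 f7 00 00 00 00 00 f7
"""

ROW = re.compile(r"^\s*(=>)?\s*(0x[0-9a-f]+):(.*)$", re.M)
HEX2 = re.compile(r"[0-9a-f]{2}")

def to_shadow(addr):
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def to_app(shadow):
    return (shadow - SHADOW_OFFSET) << SHADOW_SCALE

def parse_shadow(text):
    """Return ({shadow_addr: byte}, shadow address of the [bracketed] byte)."""
    shadow, marked = {}, None
    for arrow, base, rest in ROW.findall(text):
        base = int(base, 16)
        if arrow:  # the "=>" row carries the bracketed faulting byte
            marked = base + len(HEX2.findall(rest.split("[")[0]))
        for i, tok in enumerate(HEX2.findall(rest)):
            shadow[base + i] = int(tok, 16)
    return shadow, marked

def triage(text):
    fault = int(re.search(r"on address (0x[0-9a-f]+)", text).group(1), 16)
    shadow, marked = parse_shadow(text)
    s = to_shadow(fault)
    if s != marked:
        raise ValueError("shadow mapping does not match the report's marker")
    lo = hi = s  # grow over neighbouring shadow bytes with the same value
    while shadow.get(lo - 1) == shadow[s]:
        lo -= 1
    while shadow.get(hi + 1) == shadow[s]:
        hi += 1
    return {"fault": fault, "shadow": s,
            "kind": LEGEND.get(shadow[s], "unknown"),
            "run": (to_app(lo), to_app(hi + 1))}  # half-open application range
```

For this report the script places the read inside a 40-byte user-poisoned run within the 4096-byte slab, rather than in a heap redzone or a freed region.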
</body>
</html>