<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Crash in __sanitizer::DTLS_on_tls_get_addr if alternate stack is registered"
   href="https://bugs.llvm.org/show_bug.cgi?id=50225">50225</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Crash in __sanitizer::DTLS_on_tls_get_addr if alternate stack is registered
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>compiler-rt
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>12.0
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>asan
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>dominik.strasser@onespin.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=24827" name="attach_24827" title="Test source">attachment 24827</a></span>
Test source

Please see the attached C++ program which should run on any Linux system.

In this program, the signal stack is set to an mmaped region.

This makes ASAN crash like this:
   #0 0x4e5f85 in __sanitizer::DTLS_on_tls_get_addr(void*, void*, unsigned
long, unsigned long)
/local/software/llvm-12.0.0.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_tls_get_addr.cpp:116:20
    #1 0x43e60d in __interceptor___tls_get_addr
/local/software/llvm-12.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:5302:40
    #2 0x43e60d in __tls_get_addr
/local/software/llvm-12.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:5296:1
    #3 0x7f4b574a3d0f in __cxa_get_globals
/local/software/gcc-10.3.obj/x86_64-pc-linux-gnu/libstdc++-v3/libsupc++/../../../../gcc-10.3.0/libstdc++-v3/libsupc++/eh_globals.cc:62:21
    #4 0x7f4b574a3bd8 in std::uncaught_exception()
/local/software/gcc-10.3.obj/x86_64-pc-linux-gnu/libstdc++-v3/libsupc++/../../../../gcc-10.3.0/libstdc++-v3/libsupc++/eh_catch.cc:140:49
    #5 0x50ba34 in
std::_V2::condition_variable_any::_Unlock<std::unique_lock<std::mutex>
>::~_Unlock()
/sw/local64/gcc-10.3/lib/gcc/x86_64-pc-linux-gnu/10.3.0/../../../../include/c++/10.3.0/condition_variable:273:8
    #6 0x50b295 in std::cv_status
std::_V2::condition_variable_any::wait_until<std::unique_lock<std::mutex>,
std::chrono::_V2::system_clock, std::chrono::duration<long, std::ratio<1l,
1000000000l> > >(std::unique_lock<std::mutex>&,
std::chrono::time_point<std::chrono::_V2::system_clock,
std::chrono::duration<long, std::ratio<1l, 1000000000l> > > const&)
/sw/local64/gcc-10.3/lib/gcc/x86_64-pc-linux-gnu/10.3.0/../../../../include/c++/10.3.0/condition_variable:348:7
    #7 0x505011 in bool
std::_V2::condition_variable_any::wait_until<std::unique_lock<std::mutex>,
std::chrono::_V2::system_clock, std::chrono::duration<long, std::ratio<1l,
1000000000l> >, main::$_2>(std::unique_lock<std::mutex>&,
std::chrono::time_point<std::chrono::_V2::system_clock,
std::chrono::duration<long, std::ratio<1l, 1000000000l> > > const&, main::$_2)
/sw/local64/gcc-10.3/lib/gcc/x86_64-pc-linux-gnu/10.3.0/../../../../include/c++/10.3.0/condition_variable:358:8
    #8 0x502fa3 in bool
std::_V2::condition_variable_any::wait_for<std::unique_lock<std::mutex>, long,
std::ratio<1l, 1l>, main::$_2>(std::unique_lock<std::mutex>&,
std::chrono::duration<long, std::ratio<1l, 1l> > const&, main::$_2)
/sw/local64/gcc-10.3/lib/gcc/x86_64-pc-linux-gnu/10.3.0/../../../../include/c++/10.3.0/condition_variable:373:16
    #9 0x50249e in main
/local/strasser/cve/src/libraries/systemlib/unittest/ConditionVariableTest.cpp:40:14

If the threads are not joined at the end of main(), a similar crash occurs in
std::thread::join called from the destructor.

The crash is not 100% reproducible, but ~50%.

Compiler call:

clang++ -fsanitize=address ConditionVariableTest.cpp -lpthread

This is a dupe to Bugzilla#45456, but this time with a test case.</pre>
        </div>
      </p>


    </body>
</html>