[cfe-dev] Sanitizer and "downcast of address 0xXX...XXX with insufficient space for an object of type '_Rb_tree_node' "

James Dennett james.dennett at gmail.com
Thu Aug 1 11:58:13 PDT 2013


On Thu, Aug 1, 2013 at 8:41 AM, David Blaikie <dblaikie at gmail.com> wrote:
> On Thu, Aug 1, 2013 at 12:57 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>> Hi All,
>>
>> What is this finding trying to tell me?
>>
>> The iterator is a typedef for _Base_ptr, and the address of _M_header
>> is a pointer.
>
> What type is _M_header? How big is it? I think it's telling you that
> _M_header is too small to possibly be a _Link_type.
>
>> _Link_type is typedef'd as a _Rb_tree_node<_Tp>*. So I
>> don't see a width problem.
>>
>> *****
>> Testing ECDSA (InSiTo unit tests):
>> ../usr/include/c++/4.2.1/bits/stl_tree.h:620:25: runtime error:
>> downcast of address 0x7fff5598fe88 with insufficient space for an
>> object of type '_Rb_tree_node' (aka '_Rb_tree_node<std::pair<const
>> Botan::OID, std::basic_string<char> > >')
>> 0x7fff5598fe88: note: pointer points here
>>  00 00 00 00  00 00 00 00 00 00 00 00  10 a7 14 01 70 60 00 00  80 a7
>> 14 01 70 60 00 00  c0 a5 14 01
>>               ^
>> *****
>> From stl_tree.h:
>>
>>   618    iterator
>>   619    end()
>>   620    { return iterator(static_cast<_Link_type>(&this->_M_impl._M_header)); }

I've not looked at the code, but a typical implementation for
iterators/end() for a node-based container is that they return a
[wrapper for a] Node* which actually points only to a base class of a
Node, knowing that it will be cast back to the correct type before
any permitted use (e.g., dereferencing it is undefined behavior).
That's valid, and yet seems like a pretty reasonable thing for a
sanitizer to catch -- the Node* does not point to a Node.  It's
arguably a false positive, but I don't see how any automated tool
could reasonably know that unless it has some kind of whitelist.

-- James
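A reduced, runnable version of the pattern James describes, added here as an illustration; it is not code from the thread or from libstdc++, and NodeBase, Node, HeaderList, legacy_end/legacy_begin and the other names are invented for it. A header object of the base node type serves as the end() sentinel, exactly like _M_impl._M_header. One variant hands it out as a derived Node<T>* (the cast at stl_tree.h:620), the other keeps a base pointer inside the iterator and downcasts only at dereference, which is the shape the sanitizer does not report.

```cpp
#include <cstdio>
#include <utility>

// Added illustration (not libstdc++ code): the _Rb_tree header trick reduced
// to a circular singly linked list. NodeBase, Node and HeaderList are made-up
// names. header_ is of the *base* node type and doubles as the end() sentinel.
struct NodeBase {
    NodeBase* next;
};

template <typename T>
struct Node : NodeBase {
    T value;
};

template <typename T>
class HeaderList {
public:
    using Link = Node<T>*;

    // Sanitizer-clean iterator: carries a NodeBase* and downcasts only when an
    // element is accessed, so the header is never viewed through a Node<T>*.
    class iterator {
    public:
        explicit iterator(NodeBase* n) : n_(n) {}
        T& operator*() const { return static_cast<Link>(n_)->value; }
        iterator& operator++() { n_ = n_->next; return *this; }
        bool operator!=(const iterator& o) const { return n_ != o.n_; }
    private:
        NodeBase* n_;
    };

    HeaderList() { header_.next = &header_; }
    HeaderList(const HeaderList&) = delete;
    HeaderList& operator=(const HeaderList&) = delete;
    ~HeaderList() {
        NodeBase* p = header_.next;
        while (p != &header_) {           // stop at the sentinel: it is no Node<T>
            NodeBase* nxt = p->next;
            delete static_cast<Link>(p);  // p really is a Node<T> here
            p = nxt;
        }
    }

    void push_front(const T& v) {
        Link n = new Node<T>();
        n->value = v;
        n->next = header_.next;
        header_.next = n;
    }

    iterator begin() { return iterator(header_.next); }
    iterator end()   { return iterator(&header_); }

    // The pattern the thread is about: a Node<T>* that points only at the
    // NodeBase header. It is never dereferenced, but UBSan's object-size check
    // (-fsanitize=object-size, in the -fsanitize=undefined group) reports the
    // cast itself as "downcast of address ... with insufficient space ...".
    Link legacy_end()   { return static_cast<Link>(&header_); }
    Link legacy_begin() { return static_cast<Link>(header_.next); } // == legacy_end() when empty

private:
    NodeBase header_;
};

// Traversal with the clean iterator: end() is only compared, never dereferenced.
long sum_clean(HeaderList<int>& l) {
    long s = 0;
    for (auto it = l.begin(); it != l.end(); ++it) s += *it;
    return s;
}

// Same traversal in "Link everywhere" style: every step that lands on the
// header (legacy_end(), p->next of the last element) performs the flagged cast.
long sum_legacy(HeaderList<int>& l) {
    using Link = HeaderList<int>::Link;
    long s = 0;
    for (Link p = l.legacy_begin(); p != l.legacy_end(); p = static_cast<Link>(p->next))
        s += p->value;
    return s;
}

// Build the list 1..n and return both sums; they agree for every n, including
// the empty list, so the legacy form computes the right answer despite the report.
std::pair<long, long> sums_1_to_n(int n) {
    HeaderList<int> l;
    for (int i = 1; i <= n; ++i) l.push_front(i);
    return std::make_pair(sum_clean(l), sum_legacy(l));
}

int main() {
    std::pair<long, long> r = sums_1_to_n(100);
    std::printf("clean=%ld legacy=%ld\n", r.first, r.second);
    return 0;
}
```

Build with something like `clang++ -std=c++11 -O1 -fsanitize=object-size example.cpp` (the file name is arbitrary; the check needs the optimizer to know the size of the object behind the pointer, so it is typically silent at -O0) and run it: the legacy_* path prints the "downcast of address ... with insufficient space for an object of type 'Node<int>'" report, sum_clean() prints nothing, and both sums are equal. One caveat worth knowing when deciding whether to whitelist such a report: the standard's rule for static_cast from base pointer to derived pointer is only defined when the object actually is a derived-class subobject, so what the check points at is the cast itself, not a later dereference.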


