[cfe-dev] Buildling with/without AddressSanitizer causes divergent execution behaviour

Kostya Serebryany via cfe-dev cfe-dev at lists.llvm.org
Tue Feb 9 14:48:13 PST 2016


Hi Dan,

On Tue, Feb 9, 2016 at 10:57 AM, Dan Liew <dan at su-root.co.uk> wrote:

> Hi,
>
> # TL;DR
>
> I've been building an application with and without the address
> sanitizer (with gcc 5.3 and clang 3.7.1) and I've observed that the
> application's behaviour changes (assertion hit/ not hit). I'm
> wondering if this could be a bug in address sanitizer or if the
> application I'm running is just buggy (e.g. doing bad things like
> relying on memory layout, etc.). I'm also observing ASan reporting a
> heap-use-after-free which Valgrind is not reporting, which makes me
> wonder if it is a false positive.
>

Let us start from this heap-use-after-free report. The one in
https://github.com/Z3Prover/z3/issues/436 looks legitimate.
Unless the application does something extremely weird and tricky,
heap-use-after-free reports are usually true positives.

Can you somehow verify that this heap-use-after-free is happening?
E.g. print all the pointer values coming from memory::allocate, coming
into memory::deallocate, and coming into sat::clause::operator[]

If curious, check what size of quarantine is required to catch this bug
(ASAN_OPTIONS=quarantine_size_mb=N, default=256)
Valgrind may have smaller default quarantine and thus misses this bug.


>
> Any hints on how I might determine this? Building with UBSan doesn't
> turn up anything.
>

Does the application have threads? (If yes, did you run with TSan?)
Is it valgrind-clean?
Did you try msan?


>
> # Longer version (if you are interested in the specific details)
>
> The application of interest is the Z3 constraint solver [1].
>

Yay!


>
> Much of what I'm going to say is covered in [2] which is a bug report
> I opened (including a heap-use-after-free AddressSanitizer finds, I'm
> not sure if this a false positive or not) but here are the basics of
> what I found.
>
> Build Z3 as follows
>
> ```
> git clone https://github.com/Z3Prover/z3.git
> cd z3
>
> # Now apply the attached patch.
> # Basically this makes it so that in ``examples/c/test_capi.c``
> # the main() function only calls two functions.
> # Note if you build without the patch when running ``c_example``
> program AddressSanitizer
> # reports a heap-use-after-free. I'm not sure if this a false positive
> or not. Valgrind doesn't
> # seem to think there's a problem.
>
> # Build with ASan, Assertion will be hit when running the example
> CXX=clang++ CC=clang CXXFLAGS="-fno-omit-frame-pointer
> -fsanitize=address" LDFLAGS="-fsanitize=address" python
> scripts/mk_make.py --debug --noomp --build build_asan
> cd build_asan
> make
> make c_examples
> LD_LIBRARY_PATH=`pwd` ./c_example
> ...
> ASSERTION VIOLATION
> File: ../src/sat/sat_clause.h
> Line: 59
>
> # Now build without ASan
> cd ../
> CXX=clang++ CC=clang python scripts/mk_make.py --debug --noomp --build
> build_noasan
> cd build_noasan
> make
> make c_example
> LD_LIBRARY_PATH=`pwd` ./c_example
>
> # No assertion is hit
> ```
>
> Any insights/suggestions on how I could debug what I'm seeing further
> would be appreciated.
>
> [1] https://github.com/z3prover/z3
> [2] https://github.com/Z3Prover/z3/issues/436
>
> Thanks,
> Dan.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20160209/780cb470/attachment.html>


More information about the cfe-dev mailing list