[cfe-dev] Buildling with/without AddressSanitizer causes divergent execution behaviour

Reid Kleckner via cfe-dev cfe-dev at lists.llvm.org
Thu Feb 11 09:08:47 PST 2016


On Thu, Feb 11, 2016 at 5:53 AM, Dan Liew via cfe-dev <
cfe-dev at lists.llvm.org> wrote:
>
> > Can you somehow verify that this heap-use-after-free is happening?
> > E.g. print all the pointer values coming from memory::allocate, coming
> into
> > memory::deallocate, and coming into sat::clause::operator[]
> >
> > If curious, check what size of quarantine is required to catch this bug
> > (ASAN_OPTIONS=quarantine_size_mb=N, default=256)
> > Valgrind may have smaller default quarantine and thus misses this bug.
>
> I was lazy and just told valgrind to execute the program (built by gcc
> without ASan) with the largest quarantine it supported.
>

There are some differences between Clang and GCC, such as left-to-right vs
right-to-left argument evaluation. This usually bites people who are moving
unique_ptr or vector and accessing it in the same expression. Given the
stack traces, I suspect that different orderings of refcount operations is
what's happening here. I would suggest building Z3 with Clang without ASan
and running valgrind on that.


> > Did you try msan?
>
> I just have and it immediately reported a problem. I took a closer
> look and it looks like a false positive to me.
>
...

This is because your STL was not compiled with MSan. The std::ofstream
constructor is provided by libstdc++, the writes are not instrumented, and
MSan never sees the initialization. Unfortunately, MSan is not very useful
unless you recompile your *entire* application minus glibc with msan. =/

It is possible to build an MSan-ified libc++ and use it if you want to keep
trying, but it's involved.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20160211/a3628a27/attachment.html>


More information about the cfe-dev mailing list