[cfe-dev] Building with/without AddressSanitizer causes divergent execution behaviour

Reid Kleckner via cfe-dev cfe-dev at lists.llvm.org
Wed Feb 17 10:57:11 PST 2016


On Wed, Feb 17, 2016 at 10:48 AM, Dan Liew <dan at su-root.co.uk> wrote:

> Hi,
>
> Well I dug into Z3's codebase a little more and figured out what the
> problem was. If you're curious see [1].
>

Neat bug. :)


> What worries me more is that prior to a heap-use-after-free being
> reported there an out of bounds write occurs but ASan doesn't catch it
> which seems like a bug to me. Note I'm using Clang 3.7.1
> ...
> This seems like a bug to me. Thoughts?
>

m_segments is at the end of the clause_allocator object, which I'm assuming
is allocated in another object sls here:
        clause_allocator m_alloc;              // clause allocator
        clause_vector    m_bin_clauses;        // binary clauses
The out-of-bounds access probably touches memory in m_bin_clauses.

One of ASan's limitations is that it can't currently catch intra-object
overflow:
https://github.com/google/sanitizers/wiki/AddressSanitizerIntraObjectOverflow
There's a prototype that adds padding to make it possible to catch this
kind of bug, but I haven't seen anyone pushing it forward for a while now.
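The limitation above, worked through as an added example that is not code from the thread, from Z3 or from the sanitizer project: a constructed struct whose array member is directly followed by another member of the same object, so an off-by-one store lands on live state instead of in an ASan redzone (the redzones sit around the allocation, not between its fields). The names clause_store, segments and bin_clause_count are hypothetical stand-ins for the m_segments / m_bin_clauses layout discussed; the padded variant mimics the padding idea of the prototype Reid mentions, but checks a marker value rather than shadow memory so it runs without ASan.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSEG 4
#define CANARY 0x5EC0DE5Au   /* constructed marker value, not an ASan constant */

/* Hypothetical stand-in for the layout in the thread: an array member is the
 * last field of one sub-object and another member follows it in the same
 * enclosing object. The whole struct is a single allocation, so ASan's
 * redzones lie outside it, never between segments[] and bin_clause_count. */
struct clause_store {
    uint32_t segments[NSEG];    /* plays the role of m_segments   */
    uint32_t bin_clause_count;  /* plays the role of m_bin_clauses */
};

/* Variant with a padding word between the two fields: the idea behind the
 * intra-object-overflow prototype, verified here by value instead of by
 * shadow memory. */
struct clause_store_padded {
    uint32_t segments[NSEG];
    uint32_t pad;               /* holds CANARY while the object is intact */
    uint32_t bin_clause_count;
};

/* Models the buggy store: index i is not validated. The write goes through a
 * char-pointer offset and memcpy so the demonstration is well defined (the
 * offset stays inside the enclosing object for every index used below). */
static void store_segment_unchecked(void *obj, size_t i, uint32_t v) {
    memcpy((unsigned char *)obj + i * sizeof(uint32_t), &v, sizeof v);
}

/* Hardened store: refuses any index outside segments[]. */
static bool store_segment_checked(struct clause_store *s, size_t i, uint32_t v) {
    if (i >= NSEG)
        return false;
    s->segments[i] = v;
    return true;
}

/* Off-by-one write into segments[NSEG]: bin_clause_count is silently
 * overwritten and ASan has nothing to report. Returns the clobbered value. */
uint32_t demo_unchecked_overflow(void) {
    struct clause_store s = { {0}, 7 };
    store_segment_unchecked(&s, NSEG, 777);
    return s.bin_clause_count;   /* 777 rather than 7 */
}

/* Same write through the checked API: refused, neighbour untouched.
 * neighbour_after may be NULL. */
bool demo_checked_overflow(uint32_t *neighbour_after) {
    struct clause_store s = { {0}, 7 };
    bool ok = store_segment_checked(&s, NSEG, 777);
    if (neighbour_after)
        *neighbour_after = s.bin_clause_count;
    return ok;   /* false */
}

/* Padding variant: the stray write hits the pad word instead of real state,
 * and checking the marker afterwards exposes the corruption. */
bool demo_padding_detects(void) {
    struct clause_store_padded s = { {0}, CANARY, 7 };
    store_segment_unchecked(&s, NSEG, 777);
    return s.pad != CANARY && s.bin_clause_count == 7;   /* true */
}

int main(void) {
    uint32_t neighbour = 0;
    printf("unchecked: bin_clause_count became %u\n", demo_unchecked_overflow());
    printf("checked:   write accepted=%d, bin_clause_count=%u\n",
           (int)demo_checked_overflow(&neighbour), neighbour);
    printf("padding:   corruption detected=%d\n", (int)demo_padding_detects());
    return 0;
}
```

Building this with -fsanitize=address produces no report for demo_unchecked_overflow, which is exactly the gap described: the write stays inside one valid allocation. Explicit index validation (store_segment_checked) or a checked padding word between the fields are the two ways to surface the bug without waiting for the heap-use-after-free it causes later.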