[cfe-dev] Building with/without AddressSanitizer causes divergent execution behaviour

Kostya Serebryany via cfe-dev cfe-dev at lists.llvm.org
Wed Feb 17 11:05:10 PST 2016


On Wed, Feb 17, 2016 at 10:57 AM, Reid Kleckner <rnk at google.com> wrote:

> On Wed, Feb 17, 2016 at 10:48 AM, Dan Liew <dan at su-root.co.uk> wrote:
>
>> Hi,
>>
>> Well I dug into Z3's codebase a little more and figured out what the
>> problem was. If you're curious see [1].
>>
>
> Neat bug. :)
>
>
>> What worries me more is that prior to a heap-use-after-free being
>> reported there an out of bounds write occurs but ASan doesn't catch it
>> which seems like a bug to me. Note I'm using Clang 3.7.1
>> ...
>> This seems like a bug to me. Thoughts?
>>
>
> m_segments is at the end of the clause_allocator object, which I'm
> assuming is allocated in another object sls here:
>         clause_allocator m_alloc;              // clause allocator
>         clause_vector    m_bin_clauses;        // binary clauses
> The out-of-bounds access probably touches memory in m_bin_clauses.
>
> One of ASan's limitations is that it can't currently catch intra-object
> overflow:
>
> https://github.com/google/sanitizers/wiki/AddressSanitizerIntraObjectOverflow
> There's a prototype that adds padding to make it possible to catch this
> kind of bug, but I haven't seen anyone pushing it forward for a while now.
>
For practical purposes this does not exist yet :(
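To make the limitation discussed in this thread concrete, here is an added example (not code from the thread, Z3 or the sanitizer project) using constructed stand-ins for the layout Reid describes: a `clause_allocator` whose last member is a small array, embedded in an enclosing object right before `m_bin_clauses`. The classifier shows, purely from offsets, which out-of-bounds indices stay inside the enclosing object (invisible to ASan's redzones) and which cross its end; the checked setter is the kind of explicit bounds check that catches what the sanitizer cannot.

```c
#include <stddef.h>
#include <stdio.h>

#define SEGMENTS_LEN 4  /* constructed size for the trailing array */

/* Constructed stand-in for the allocator: its last member is an array. */
typedef struct {
    unsigned m_segments[SEGMENTS_LEN];
} clause_allocator;

/* Constructed stand-in for the enclosing solver object from the mail. */
typedef struct {
    clause_allocator m_alloc;           /* array sits at the end of this member */
    void            *m_bin_clauses[4];  /* neighbour that absorbs the overflow */
} solver;

/* Classify an index into m_alloc.m_segments:
 *   0 = in bounds
 *   1 = out of bounds but still inside the solver object; ASan's redzones
 *       only surround whole allocations, so this write is not reported
 *   2 = out of bounds and past the end of the solver object; lands in a
 *       redzone if the solver was heap-allocated, so ASan reports it */
int classify_segments_index(size_t idx) {
    if (idx < SEGMENTS_LEN)
        return 0;
    size_t byte_off = offsetof(solver, m_alloc)
                    + offsetof(clause_allocator, m_segments)
                    + idx * sizeof(unsigned);
    if (byte_off + sizeof(unsigned) <= sizeof(solver))
        return 1;
    return 2;
}

/* Bounds-checked store: returns 0 on success, -1 if idx is out of range. */
int set_segment(solver *s, size_t idx, unsigned v) {
    if (idx >= SEGMENTS_LEN)
        return -1;
    s->m_alloc.m_segments[idx] = v;
    return 0;
}

int main(void) {
    for (size_t i = 0; i < 2 * SEGMENTS_LEN; i++)
        printf("m_segments[%zu]: class %d\n", i, classify_segments_index(i));
    return 0;
}
```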