[LLVMbugs] [Bug 14251] New: strncpy-overflow.cc and use-after-free.cc AddressSanitizer failures on x86_64-apple-darwin12
bugzilla-daemon at llvm.org
Sat Nov 3 09:13:36 PDT 2012
http://llvm.org/bugs/show_bug.cgi?id=14251
Bug #: 14251
Summary: strncpy-overflow.cc and use-after-free.cc
AddressSanitizer failures on x86_64-apple-darwin12
Product: compiler-rt
Version: unspecified
Platform: Macintosh
OS/Version: MacOS X
Status: NEW
Severity: enhancement
Priority: P
Component: compiler-rt
AssignedTo: unassignedbugs at nondot.org
ReportedBy: howarth at nitro.med.uc.edu
CC: llvmbugs at cs.uiuc.edu
Classification: Unclassified
Two AddressSanitizer failures exist on x86_64-apple-darwin12 with a debug build
at r167357...
Failing Tests (2):
AddressSanitizer :: strncpy-overflow.cc
AddressSanitizer :: use-after-free.cc
% cat strncpy-overflow.cc.tmp.out
=================================================================
==72320== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x0001113bb049 at pc 0x10f0da71b bp 0x7fff50b2c970 sp 0x7fff50b2c118
WRITE of size 1 at 0x0001113bb049 thread T0
#0 0x10f0da71a in _wrap_strncpy _asan_rtl_:5
#1 0x10f0d4945 in _main
/sw/src/fink.build/llvm32-3.2-0/llvm-3.2/projects/compiler-unsigned short
restrict/lib/asan/lit_tests/strncpy-overflow.cc:24:0
#2 0x7fff8bd827e0 in start (in libdyld.dylib) + 0
#3 0x0
0x0001113bb049 is located 0 bytes to the right of 9-byte region
[0x0001113bb040,0x0001113bb049)
allocated by thread T0 here:
#0 0x10f0dd2a2 in (anonymous namespace)::mz_malloc(_malloc_zone_t*,
unsigned long) _asan_rtl_:3
#1 0x7fff94c3b152 in malloc_zone_malloc (in libsystem_c.dylib) + 70
#2 0x7fff94c3bba6 in malloc (in libsystem_c.dylib) + 40
#3 0x10f0d48b4 in _main
/sw/src/fink.build/llvm32-3.2-0/llvm-3.2/projects/compiler-unsigned short
restrict/lib/asan/lit_tests/strncpy-overflow.cc:23:0
#4 0x7fff8bd827e0 in start (in libdyld.dylib) + 0
Shadow byte and word:
0x100022277609: 1
0x100022277608: 00 01 fb fb fb fb fb fb
long double restrictunsigned __int128::* shadow bytes:
0x1000222775e8: fa fa fa fa fa fa fa fa
0x1000222775f0: fa fa fa fa fa fa fa fa
0x1000222775f8: 06 fb fb fb fb fb fb fb
0x100022277600: fa fa fa fa fa fa fa fa
=>0x100022277608: 00 01 fb fb fb fb fb fb
0x100022277610: fa fa fa fa fa fa fa fa
0x100022277618: fa fa fa fa fa fa fa fa
0x100022277620: fa fa fa fa fa fa fa fa
0x100022277628: fa fa fa fa fa fa fa fa
Stats: 0M malloced (0M for red zones) by 2 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 0M (128 full pages) mmaped in 1 calls
mmaps by size class: 7:4095;
mallocs by size class: 7:2;
frees by size class:
rfrees by size class:
Stats: malloc large: 0 small slow: 1
==72320== ABORTING
=================================================================
==72453== ERROR: AddressSanitizer: heap-use-after-free on address
0x00010525efc5 at pc 0x102f79b9e bp 0x7fff5cc86ab0 sp 0x7fff5cc86aa8
READ of size 1 at 0x00010525efc5 thread T0
#0 0x102f79b9d in _main
/sw/src/fink.build/llvm32-3.2-0/llvm-3.2/projects/compiler-unsigned short
restrict/lib/asan/lit_tests/use-after-free.cc:22:0
#1 0x7fff8bd827e0 in start (in libdyld.dylib) + 0
#2 0x0
0x00010525efc5 is located 5 bytes inside of 10-byte region
[0x00010525efc0,0x00010525efca)
freed by thread T0 here:
#0 0x102f825e8 in free_common _asan_rtl_:5
#1 0x102f825e8 in (anonymous namespace)::mz_free(_malloc_zone_t*, void*)
_asan_rtl_:0
#2 0x102f81c62 in _wrap_free _asan_rtl_:7
#3 0x102f79b17 in _main
/sw/src/fink.build/llvm32-3.2-0/llvm-3.2/projects/compiler-unsigned short
restrict/lib/asan/lit_tests/use-after-free.cc:21:0
#4 0x7fff8bd827e0 in start (in libdyld.dylib) + 0
#4 0x0
previously allocated by thread T0 here:
#0 0x102f823f2 in (anonymous namespace)::mz_malloc(_malloc_zone_t*,
unsigned long) _asan_rtl_:3
#1 0x7fff94c3b152 in malloc_zone_malloc (in libsystem_c.dylib) + 70
#2 0x7fff94c3bba6 in malloc (in libsystem_c.dylib) + 40
#3 0x102f79ad4 in _main
/sw/src/fink.build/llvm32-3.2-0/llvm-3.2/projects/compiler-unsigned short
restrict/lib/asan/lit_tests/use-after-free.cc:20:0
#4 0x7fff8bd827e0 in start (in libdyld.dylib) + 0
Shadow byte and word:
0x100020a4bdf8: fd
0x100020a4bdf8: fd fd fd fd fd fd fd fd
long double restrictunsigned __int128::* shadow bytes:
0x100020a4bdd8: fa fa fa fa fa fa fa fa
0x100020a4bde0: fa fa fa fa fa fa fa fa
0x100020a4bde8: fa fa fa fa fa fa fa fa
0x100020a4bdf0: fa fa fa fa fa fa fa fa
=>0x100020a4bdf8: fd fd fd fd fd fd fd fd
0x100020a4be00: fa fa fa fa fa fa fa fa
0x100020a4be08: fa fa fa fa fa fa fa fa
0x100020a4be10: fa fa fa fa fa fa fa fa
0x100020a4be18: fa fa fa fa fa fa fa fa
Stats: 0M malloced (0M for red zones) by 1 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 1 calls
Stats: 0M really freed by 0 calls
Stats: 0M (128 full pages) mmaped in 1 calls
mmaps by size class: 7:4095;
mallocs by size class: 7:1;
frees by size class: 7:1;
rfrees by size class:
Stats: malloc large: 0 small slow: 1
==72453== ABORTING
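Added example, not part of the bug report or of compiler-rt: a small Python decoder for the two reports above. It extracts the error kind, access and region, re-derives the shadow address with the mapping these reports imply (assumed to be (addr >> 3) + 2**44, inferred from the printed addresses, not taken from the ASan sources), and decodes the shadow byte to confirm that the faulting byte really is poisoned. The report excerpts are constructed from the log lines above with frames dropped and wrapped lines joined.

```python
import re

# Assumption inferred from the addresses in the two reports (not from ASan source): shadow = (addr >> 3) + 2**44.
SHADOW_SCALE, SHADOW_OFFSET = 3, 1 << 44
SHADOW_NAMES = {0xfa: "heap left redzone", 0xfb: "heap right redzone", 0xfd: "freed heap"}
# Constructed excerpts of the two reports quoted in the bug (frames dropped, wrapped lines joined).
REPORT_OVERFLOW = """\
==72320== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x0001113bb049 at pc 0x10f0da71b
WRITE of size 1 at 0x0001113bb049 thread T0
0x0001113bb049 is located 0 bytes to the right of 9-byte region [0x0001113bb040,0x0001113bb049)
Shadow byte and word:
0x100022277609: 1
"""
REPORT_UAF = """\
==72453== ERROR: AddressSanitizer: heap-use-after-free on address 0x00010525efc5 at pc 0x102f79b9e
READ of size 1 at 0x00010525efc5 thread T0
0x00010525efc5 is located 5 bytes inside of 10-byte region [0x00010525efc0,0x00010525efca)
Shadow byte and word:
0x100020a4bdf8: fd
"""

_HEAD = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
_REGION = re.compile(r"is located (\d+) bytes (to the right of|inside of|to the left of) "
                     r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
_SHADOW = re.compile(r"Shadow byte and word:\n(0x[0-9a-f]+): ([0-9a-f]+)")

def shadow_address(addr):
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def is_poisoned(shadow, addr):
    """Shadow 0: whole 8-byte granule live; 1..7: only the first k bytes live; >= 0x80: poison."""
    return shadow >= 8 or (0 < shadow and (addr & 7) >= shadow)

def describe_shadow(shadow):
    if 0 <= shadow <= 7:
        return "fully addressable" if shadow == 0 else f"first {shadow} byte(s) addressable"
    return SHADOW_NAMES.get(shadow, f"poisoned (0x{shadow:02x})")

def parse_report(text):
    """Extract the key fields and cross-check the report's own arithmetic against the shadow mapping."""
    head, acc, reg, sh = (p.search(text) for p in (_HEAD, _ACCESS, _REGION, _SHADOW))
    if not all((head, acc, reg, sh)):
        raise ValueError("not a complete AddressSanitizer report")
    addr, lo, hi = (int(x, 16) for x in (head.group(2), reg.group(4), reg.group(5)))
    dist = {"to the right of": addr - hi, "inside of": addr - lo, "to the left of": lo - addr}
    shadow_addr, shadow = int(sh.group(1), 16), int(sh.group(2), 16)
    return {"kind": head.group(1), "access": acc.group(1), "size": int(acc.group(2)), "addr": addr,
            "region": (lo, hi), "region_ok": hi - lo == int(reg.group(3)) and dist[reg.group(2)] == int(reg.group(1)),
            "shadow_addr_ok": shadow_address(addr) == shadow_addr, "shadow": describe_shadow(shadow),
            "poisoned": is_poisoned(shadow, addr)}
```

For the strncpy case the shadow byte 1 says only the first byte of the granule at 0x...048 is live, so the write at 0x...049 (offset 1) is one byte past the 9-byte allocation; for the use-after-free case the 0xfd shadow marks the whole granule as freed.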