[llvm-bugs] [Bug 33242] New: Address Sanitizer (ASAN) flags incorrect heap-use-after-free on PowerPC

via llvm-bugs llvm-bugs at lists.llvm.org
Tue May 30 21:26:36 PDT 2017


https://bugs.llvm.org/show_bug.cgi?id=33242

            Bug ID: 33242
           Summary: Address Sanitizer (ASAN) flags incorrect
                    heap-use-after-free on PowerPC
           Product: compiler-rt
           Version: 4.0
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: compiler-rt
          Assignee: unassignedbugs at nondot.org
          Reporter: david.hows at mongodb.com
                CC: llvm-bugs at lists.llvm.org

We are using ASAN builds within our testing infrastructure to find potential
errors. Recently we have upgraded to LLVM 4.0 on our PowerPC test machine and
have encountered the error below. The error is highly sporadic as we have only
reproduced it twice while attempting to get to the bottom of the error.

Most interesting is that the error stems from T52, which is working with a data
structure that would in no way be related to that seen in T2.

The data structure allocated/freed in T2 is a "WT_DICTIONARY"; the item being
accessed (inline) on T52 would be a "WT_INSERT" allocated elsewhere.

On its face, we suspect that the issue here could be an error in accounting
within ASAN on PowerPC.

Error as Reported:

=================================================================
==40049==ERROR: AddressSanitizer: heap-use-after-free on address 0x0a1804122c18
at pc 0x00001053ef84 bp 0x3fff7852b420 sp 0x3fff7852b440
READ of size 8 at 0x0a1804122c18 thread T52
    #0 0x1053ef80 in __col_insert_search
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/include/column.i:189:15
    #1 0x1053c2b4 in __wt_col_search
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/col_srch.c:297:18
    #2 0x106c8cbc in __cursor_col_search
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_cursor.c:320:2
    #3 0x106d12e0 in __btcur_update
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_cursor.c:1066:3
    #4 0x106d273c in __wt_btcur_update
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_cursor.c:1167:10
    #5 0x105a7e28 in __curfile_update
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/cursor/cur_file.c:293:2
    #6 0x10159e44 in col_update
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/test/format/../../../test/format/ops.c:1501:16
    #7 0x101513ec in ops
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/test/format/../../../test/format/ops.c:781:11
    #8 0x10107658 in __asan::AsanThread::ThreadStart(unsigned long,
__sanitizer::atomic_uintptr_t*)
/home/dhows/downloads/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:256
    #9 0x1003bec8 in asan_thread_start(void*)
/home/dhows/downloads/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:296
    #10 0x3fff84ca8940 in start_thread (/lib64/power8/libpthread.so.0+0x8940)
    #11 0x3fff849f763c in __clone (/lib64/power8/libc.so.6+0x11763c)

0x0a1804122c18 is located 8 bytes inside of 24-byte region
[0x0a1804122c10,0x0a1804122c28)
freed by thread T2 here:
    #0 0x100f30ac in __interceptor_cfree.localalias.0
/home/dhows/downloads/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:55
    #1 0x1028ee18 in __wt_free_int
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/os_common/os_alloc.c:311:2
    #2 0x102f1018 in __rec_dictionary_free
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/reconcile/rec_write.c:6510:3
    #3 0x102e89c0 in __rec_destroy
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/reconcile/rec_write.c:996:2
    #4 0x102e304c in __rec_destroy_session
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/reconcile/rec_write.c:1008:2
    #5 0x102cfbf0 in __wt_reconcile
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/reconcile/rec_write.c:499:3
    #6 0x10218bc0 in __evict_review
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_page.c:559:8
    #7 0x102162b8 in __wt_evict
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_page.c:149:2
    #8 0x101fc504 in __evict_page
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_lru.c:2168:2
    #9 0x101f5ae8 in __evict_lru_pages
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_lru.c:1160:14
    #10 0x101f4d9c in __wt_evict_thread_run
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_lru.c:337:3
    #11 0x103d3054 in __thread_run
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/support/thread_group.c:31:3
    #12 0x10107658 in __asan::AsanThread::ThreadStart(unsigned long,
__sanitizer::atomic_uintptr_t*)
/home/dhows/downloads/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:256
    #13 0x1003bec8 in asan_thread_start(void*)
/home/dhows/downloads/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:296
    #14 0x3fff84ca8940 in start_thread (/lib64/power8/libpthread.so.0+0x8940)
    #15 0x3fff849f763c in __clone (/lib64/power8/libc.so.6+0x11763c)

previously allocated by thread T2 here:
    #0 0x100f34ec in calloc
/home/dhows/downloads/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x1028d124 in __wt_calloc
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/os_common/os_alloc.c:52:11
    #2 0x102f0b8c in __rec_dictionary_init
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/reconcile/rec_write.c:6484:3
    #3 0x102d16b0 in __rec_write_init
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/reconcile/rec_write.c:926:3
    #4 0x102cde3c in __wt_reconcile
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/reconcile/rec_write.c:406:13
    #5 0x10218bc0 in __evict_review
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_page.c:559:8
    #6 0x102162b8 in __wt_evict
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_page.c:149:2
    #7 0x101fc504 in __evict_page
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_lru.c:2168:2
    #8 0x101f5ae8 in __evict_lru_pages
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_lru.c:1160:14
    #9 0x101f4d9c in __wt_evict_thread_run
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_lru.c:337:3
    #10 0x103d3054 in __thread_run
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/support/thread_group.c:31:3
    #11 0x10107658 in __asan::AsanThread::ThreadStart(unsigned long,
__sanitizer::atomic_uintptr_t*)
/home/dhows/downloads/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:256
    #12 0x1003bec8 in asan_thread_start(void*)
/home/dhows/downloads/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:296
    #13 0x3fff84ca8940 in start_thread (/lib64/power8/libpthread.so.0+0x8940)
    #14 0x3fff849f763c in __clone (/lib64/power8/libc.so.6+0x11763c)

Thread T52 created by T0 here:
    #0 0x1003bc58 in pthread_create
/home/dhows/downloads/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:305
    #1 0x1014bf30 in wts_ops
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/test/format/../../../test/format/ops.c:124:3
    #2 0x10163a88 in main
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/test/format/../../../test/format/t.c:209:5
    #3 0x3fff8490457c in generic_start_main.isra.0
(/lib64/power8/libc.so.6+0x2457c)
    #4 0x3fff84904770 in __libc_start_main (/lib64/power8/libc.so.6+0x24770)

Thread T2 created by T0 here:
    #0 0x1003bc58 in pthread_create
/home/dhows/downloads/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:305
    #1 0x102a9068 in __wt_thread_create
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/os_posix/os_thread.c:29:2
    #2 0x103d0088 in __thread_group_resize
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/support/thread_group.c:213:3
    #3 0x103d0cfc in __wt_thread_group_create
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/support/thread_group.c:304:2
    #4 0x101f7404 in __wt_evict_create
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_lru.c:492:2
    #5 0x101c0a68 in __wt_connection_workers
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/conn/conn_open.c:261:2
    #6 0x1018630c in wiredtiger_open
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/conn/conn_api.c:2457:2
    #7 0x1016d930 in wts_open
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/test/format/../../../test/format/wts.c:254:2
    #8 0x10163910 in main
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/test/format/../../../test/format/t.c:190:3
    #9 0x3fff8490457c in generic_start_main.isra.0
(/lib64/power8/libc.so.6+0x2457c)
    #10 0x3fff84904770 in __libc_start_main (/lib64/power8/libc.so.6+0x24770)

SUMMARY: AddressSanitizer: heap-use-after-free
/home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/include/column.i:189:15
in __col_insert_search
Shadow bytes around the buggy address:
  0x034300824530: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x034300824540: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fa
  0x034300824550: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x034300824560: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x034300824570: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
=>0x034300824580: fa fa fd[fd]fd fa fa fa fd fd fd fd fa fa fd fd
  0x034300824590: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0343008245a0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0343008245b0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0343008245c0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0343008245d0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
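
The shadow dump above can be cross-checked against the reported region by hand; the following is an added example, not part of the original report or of compiler-rt. It assumes the 8-to-1 scale stated in the legend and a shadow offset of 1 << 41, inferred from the report's own addresses; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Legend in the report: one shadow byte represents 8 application bytes. */
#define SHADOW_SCALE 3
/* Assumption inferred from the report's own numbers:
 * 0x034300824583 - (0x0a1804122c18 >> 3) = 1 << 41. */
#define SHADOW_OFFSET (1ULL << 41)

/* The "=>" shadow row copied from the report (16 shadow bytes). */
static const uint64_t ROW_BASE = 0x034300824580ULL;
static const uint8_t ROW[16] = {0xfa, 0xfa, 0xfd, 0xfd, 0xfd, 0xfa, 0xfa, 0xfa,
                                0xfd, 0xfd, 0xfd, 0xfd, 0xfa, 0xfa, 0xfd, 0xfd};

/* Map an application address to its shadow address. */
uint64_t mem_to_shadow(uint64_t addr) {
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET;
}

/* Shadow byte covering addr, or -1 if it lies outside the copied row. */
int shadow_byte_for(uint64_t addr) {
    uint64_t s = mem_to_shadow(addr);
    if (s < ROW_BASE || s >= ROW_BASE + sizeof ROW) return -1;
    return ROW[s - ROW_BASE];
}

/* 1 if [begin, end) is entirely `want` and fenced by 0xfa redzones on both
 * sides, 0 if not, -1 if part of the check falls outside the row. */
int region_matches(uint64_t begin, uint64_t end, uint8_t want) {
    int left = shadow_byte_for(begin - 8), right = shadow_byte_for(end);
    if (left < 0 || right < 0) return -1;
    for (uint64_t a = begin; a < end; a += 8) {
        int b = shadow_byte_for(a);
        if (b < 0) return -1;
        if (b != want) return 0;
    }
    return left == 0xfa && right == 0xfa;
}

int main(void) {
    uint64_t fault = 0x0a1804122c18ULL;            /* faulting address */
    uint64_t lo = 0x0a1804122c10ULL, hi = 0x0a1804122c28ULL; /* reported region */
    printf("shadow(0x%llx) = 0x%llx, byte = %02x\n", (unsigned long long)fault,
           (unsigned long long)mem_to_shadow(fault), shadow_byte_for(fault));
    printf("region is freed and redzone-fenced: %d\n", region_matches(lo, hi, 0xfd));
    return 0;
}
```

The check shows only that the shadow state is self-consistent with a freed 24-byte chunk at the faulting address; it does not show which allocation the accessing thread's pointer was meant to reference.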
