[llvm-bugs] [Bug 39805] New: Undefined behavior- and address sanitizer fails to detect invalid vptr and use-after-free

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Nov 27 02:54:52 PST 2018


https://bugs.llvm.org/show_bug.cgi?id=39805

            Bug ID: 39805
           Summary: Undefined behavior- and address sanitizer fails to
                    detect invalid vptr and use-after-free
           Product: compiler-rt
           Version: 7.0
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: ubsan
          Assignee: unassignedbugs at nondot.org
          Reporter: idart at hotmail.com
                CC: llvm-bugs at lists.llvm.org

The undefined behavior sanitizer fails to detect the invalid vptr in the example below.

In addition, the address sanitizer fails to detect the use-after-free.

This holds even if the interface and classes are in different translation
units.

//-----
#include <iostream>
#include <memory>
#include <string>


namespace {


class StatusIntf
{
public:
    virtual ~StatusIntf() = default;
    virtual void updateStatus(const std::string& status) = 0;
};


class StatusImpl : public StatusIntf
{
public:
    ~StatusImpl() override
    {
        std::cout << "Status Implementation deleted" << std::endl;
    }

    void updateStatus(const std::string& status) override
    {
        status_ = status;
        std::cout << "Status is: " << status_ << std::flush << std::endl;
    }

private:
    std::string status_;
};


class User
{
public:
    User(StatusIntf& statusUpdater) : statusUpdater_(statusUpdater) {}

    ~User()
    {
        statusUpdater_.updateStatus("Ending");
    }

private:
    StatusIntf& statusUpdater_;
};


class Keeper
{
public:
    Keeper()
    {
        user_ = std::make_unique<User>(statusUpdater_);
    }

private:
    // Note the declaration order:
    // 'statusUpdater_' will be deleted before 'user_'.
    std::unique_ptr<User> user_;
    StatusImpl statusUpdater_;
};


}


int main()
{
    Keeper keeper;
    return 0;
}
//-----

Compiled with:
clang++ -std=c++14 -stdlib=libc++ -fsanitize=undefined,address -fno-sanitize-recover=undefined -fPIC -fno-omit-frame-pointer -O2 -g

Tried Clang 6.0.1 and 7.0.0 on Linux (x86-64) and the version that ships with
Xcode 10.1 on macOS (identifying itself as clang-1000.11.45.5).

g++-8 detects the vptr issue and issues an "object has invalid vptr" error. But
its address sanitizer also fails to detect the use-after-free.
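The fault in the report's program is the member declaration order in Keeper: members are destroyed in reverse declaration order, so `statusUpdater_` is torn down while `user_` still holds a reference to it, and `~User()` then calls a virtual function on a dead object. The corrected layout below is an added example, not code from the report: it declares the referenced member first so it outlives the `User` that refers to it, and it records events into a caller-owned log (a constructed test harness, not part of the original) so the ordering can be asserted instead of only printed. Note why the sanitizers are quiet on the original: the destroyed `StatusImpl` is a sub-object inside `keeper`, which is still a live stack object, so there is no freed or out-of-scope region for AddressSanitizer to poison; and because the original initializes `user_` in the constructor body rather than the mem-initializer list, `-Wreorder` has nothing to warn about either.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>

namespace fixed {

class StatusIntf
{
public:
    virtual ~StatusIntf() = default;
    virtual void updateStatus(const std::string& status) = 0;
};

// Same shape as the report's StatusImpl, but every event is appended to an
// externally owned log (constructed for this example) so the lifetime order
// is observable from a test rather than from stdout.
class StatusImpl : public StatusIntf
{
public:
    explicit StatusImpl(std::vector<std::string>& log) : log_(log) {}

    ~StatusImpl() override
    {
        log_.push_back("Status Implementation deleted");
    }

    void updateStatus(const std::string& status) override
    {
        status_ = status;
        log_.push_back("Status is: " + status_);
    }

private:
    std::vector<std::string>& log_;
    std::string status_;
};

class User
{
public:
    explicit User(StatusIntf& statusUpdater) : statusUpdater_(statusUpdater) {}

    // Still calls through the reference during destruction; safe only if the
    // referenced object is guaranteed to outlive this one.
    ~User()
    {
        statusUpdater_.updateStatus("Ending");
    }

private:
    StatusIntf& statusUpdater_;
};

class Keeper
{
public:
    explicit Keeper(std::vector<std::string>& log)
        : statusUpdater_(log),
          user_(std::make_unique<User>(statusUpdater_))
    {
    }

private:
    // Fix: the object that is referenced is declared first. Members are
    // constructed in declaration order and destroyed in reverse, so
    // statusUpdater_ is alive for the whole lifetime of *user_.
    StatusImpl statusUpdater_;
    std::unique_ptr<User> user_;
};

}  // namespace fixed

// Runs one Keeper lifetime and returns the recorded events in order.
// Expected: "Status is: Ending" first, then "Status Implementation deleted".
std::vector<std::string> runKeeper()
{
    std::vector<std::string> log;
    {
        fixed::Keeper keeper(log);
    }
    return log;
}

int main()
{
    for (const std::string& event : runKeeper()) {
        std::cout << event << '\n';
    }
    return 0;
}
```

Keeping the mem-initializer list in the same order as the declarations matters too: with the referenced member first, `-Wreorder` will flag any future edit that swaps the initializers, which is the cheapest compile-time guard for this class of lifetime bug.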
