[llvm-bugs] [Bug 42269] New: heap-use-after-free in kmp_runtime.cpp:5684:41 in __kmp_free_thread

via llvm-bugs llvm-bugs at lists.llvm.org
Thu Jun 13 06:52:11 PDT 2019


https://bugs.llvm.org/show_bug.cgi?id=42269

            Bug ID: 42269
           Summary: heap-use-after-free in kmp_runtime.cpp:5684:41 in
                    __kmp_free_thread
           Product: OpenMP
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Runtime Library
          Assignee: unassignedbugs at nondot.org
          Reporter: lechen.yu at gatech.edu
                CC: llvm-bugs at lists.llvm.org

Created attachment 22094
  --> https://bugs.llvm.org/attachment.cgi?id=22094&action=edit
OpenMP programs to reproduce the error

We encounter a heap-use-after-free error when using OpenMP device offloading
to the x86_64-pc-linux-gnu target. The error is not encountered if we replace
`#pragma omp target` and `#pragma omp teams distribute parallel for` with
`#pragma omp parallel for`.

I have attached a zip file which contains an OpenMP program to trigger the
error. To reproduce the error, just set the path of the OpenMP install folder in
the Makefile, then execute "make run-error-trigger". This make target will link
the AddressSanitizer library into the application but not instrument the
application. The OpenMP runtime we use is instrumented by AddressSanitizer (see
CMake flags below).
The details of our testing environment are listed below.

System: NEC-GPS12G3Rg-1

Processor: Intel Broadwell EP E5-2650v4

OpenMP version: commit 402c7439d7ba1cfa49e205554dfa8087a5a64313 on master
branch

CMake flags: -DCMAKE_BUILD_TYPE=Debug 
             -DLIBOMPTARGET_NVPTX_COMPUTE_CAPABILITIES=35,60,70 
             -DLIBOMP_CXXFLAGS=-fsanitize=address

AddressSanitizer report:
=================================================================
==172788==ERROR: AddressSanitizer: heap-use-after-free on address
0x60c00000170c at pc 0x2ad3e4ec58dc bp 0x7ffc6c744880 sp 0x7ffc6c744878
READ of size 4 at 0x60c00000170c thread T0
    #0 0x2ad3e4ec58db in __kmp_free_thread
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:5684:41
    #1 0x2ad3e4ec3777 in __kmp_free_team
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:5573:7
    #2 0x2ad3e4ed017a in __kmp_reset_root(int, kmp_root*)
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:3974:3
    #3 0x2ad3e4ecf9a7 in __kmp_unregister_root_current_thread(int)
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:4070:3
    #4 0x2ad3e4edb7c6 in __kmp_internal_end_library
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:6256:9
    #5 0x2ad3e4edb154 in __kmp_internal_end_atexit
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:5957:3
    #6 0x2ad3e4edb0d8 in __kmp_internal_end_dtor
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:5923:3
    #7 0x2ad3e4235fb9 in _dl_fini
/usr/src/debug/glibc-2.17-c758a686/elf/dl-fini.c:253
    #8 0x2ad3e57eeb68 in __run_exit_handlers
/usr/src/debug/glibc-2.17-c758a686/stdlib/exit.c:77
    #9 0x2ad3e57eebb6 in __GI_exit
/usr/src/debug/glibc-2.17-c758a686/stdlib/exit.c:99
    #10 0x2ad3e57d73db in __libc_start_main
/usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:300
    #11 0x41ad99 in _start
(/rwthfs/rz/cluster/home/zm006271/Repository/OpenMP/tool/SimpleOMPTTool/app+0x41ad99)

0x60c00000170c is located 76 bytes inside of 120-byte region
[0x60c0000016c0,0x60c000001738)
freed by thread T0 here:
    #0 0x4c63c2 in __interceptor_free
/w0/tmp/jh366276/LLVM/8.0.0/src-8.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x2ad3e4df1457 in ___kmp_free
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_alloc.cpp:1796:3
    #2 0x2ad3e4e65fdb in __kmpc_fork_teams
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_csupport.cpp:443:3
    #3 0x2ad3ebf7998a  (<unknown module>)
    #4 0x2ad3ebf79dc3  (<unknown module>)
    #5 0x2ad3ea38bdcb in ffi_call_unix64 (/lib64/libffi.so.6+0x5dcb)

previously allocated by thread T0 here:
    #0 0x4c6743 in malloc
/w0/tmp/jh366276/LLVM/8.0.0/src-8.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x2ad3e4dfa105 in ___kmp_allocate_align(unsigned long, unsigned long,
char const*, int)
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_alloc.cpp:1685:25
    #2 0x2ad3e4df6f60 in ___kmp_allocate
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_alloc.cpp:1739:9
    #3 0x2ad3e4eb86a5 in __kmp_teams_master
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:7220:41
    #4 0x2ad3e4edf3ac in __kmp_invoke_teams_master
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:7265:3
    #5 0x2ad3e4eb2f88 in __kmp_fork_call
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:1870:11
    #6 0x2ad3e4e65d22 in __kmpc_fork_teams
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_csupport.cpp:419:3
    #7 0x2ad3ebf7998a  (<unknown module>)
    #8 0x2ad3ebf79dc3  (<unknown module>)
    #9 0x2ad3ea38bdcb in ffi_call_unix64 (/lib64/libffi.so.6+0x5dcb)

SUMMARY: AddressSanitizer: heap-use-after-free
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:5684:41
in __kmp_free_thread
Shadow bytes around the buggy address:
  0x0c187fff8290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fff82a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fff82b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c187fff82d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c187fff82e0: fd[fd]fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c187fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==172788==ABORTING
make: *** [run-notool] Error 1
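A triage helper for reports like the one above, added here as an example (it is not part of the bug report or of the OpenMP project): it splits an AddressSanitizer heap-use-after-free report into its access, free and allocation stacks, re-joins frames that were wrapped across lines as they are in the report above, and names the first in-project frame of each stack while skipping the runtime's own ___kmp_ allocator wrappers. The project-root string and the abbreviated sample report are assumptions constructed from the report above.

```python
import re

# ASan frame "#N 0xADDR in FUNC LOCATION"; LOCATION is absent when the line was wrapped.
FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+\s+(?:in\s+)?(.+?)(?:\s+(/\S+))?$")
SECTIONS = {"READ of size": "access", "WRITE of size": "access",
            "freed by thread": "free", "previously allocated by": "alloc"}

def parse_asan_stacks(report):
    """Split the report into access/free/alloc lists of (function, location)."""
    stacks = {"access": [], "free": [], "alloc": []}
    current = None
    for line in (ln.strip() for ln in report.splitlines()):
        section = next((n for p, n in SECTIONS.items() if line.startswith(p)), None)
        if section or not line:        # a header starts a stack, a blank line ends it
            current = section
        elif current:
            m = FRAME_RE.match(line)
            if m:
                stacks[current].append((m.group(1), m.group(2) or ""))
            elif stacks[current] and not stacks[current][-1][1]:
                func, _ = stacks[current][-1]   # continuation of a wrapped frame
                wrapped_loc = line.startswith(("/", "(/"))
                stacks[current][-1] = (func, line) if wrapped_loc else (func + " " + line, "")
    return stacks

def first_project_frame(frames, project_root):
    """First frame under project_root, skipping ___kmp_* allocator wrappers."""
    for func, loc in frames:
        if project_root in loc and not func.startswith("___kmp_"):
            return func, loc.rsplit("/", 1)[-1]   # keep only file:line:col
    return None

# Constructed sample: an abbreviated, line-wrapped excerpt of the report above.
SAMPLE = """\
READ of size 4 at 0x60c00000170c thread T0
    #0 0x2ad3e4ec58db in __kmp_free_thread
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:5684:41

freed by thread T0 here:
    #2 0x2ad3e4e65fdb in __kmpc_fork_teams
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_csupport.cpp:443:3

previously allocated by thread T0 here:
    #1 0x2ad3e4dfa105 in ___kmp_allocate_align(unsigned long, unsigned long,
char const*, int)
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_alloc.cpp:1685:25
    #3 0x2ad3e4eb86a5 in __kmp_teams_master
/home/zm006271/Repository/OpenMP/LLVM-openmp/runtime/src/kmp_runtime.cpp:7220:41
"""
```

On the sample it names the 120-byte object as allocated in __kmp_teams_master (kmp_runtime.cpp:7220:41), freed in __kmpc_fork_teams (kmp_csupport.cpp:443:3) and read again in __kmp_free_thread (kmp_runtime.cpp:5684:41) during the atexit teardown shown in the full report.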
