AddressSanitizer use-after-poison error when optimisation is disabled · Issue #44317 · llvm/llvm-project (original) (raw)
| Bugzilla Link | 44972 |
|---|---|
| Version | 7.0 |
| OS | Linux |
| Attachments | Reproduction scenario |
| CC | @kimgr |
Extended Description
Hi,
I'm getting the following error from AddressSanitizer whenever I'm compiling my tool without the optimisation. I'm using LLVM 7.0
I've managed to isolate the issue and I attached the reproduction scenario to the ticket.
the dummy compile.sh scripts gives the commmand to compile the tool (in main.cpp).
Just run the executable to see the error.
lcarlier@lcarlier-mate[/tmp/test]# ./a.out
==13708==ERROR: AddressSanitizer: use-after-poison on address 0x621000047870 at pc 0x556f7d5e2d5b bp 0x7fff01897cc0 sp 0x7fff01897cb0
READ of size 1 at 0x621000047870 thread T0
#0 0x556f7d5e2d5a in clang::Stmt::getStmtClass() const /usr/lib/llvm-7/include/clang/AST/Stmt.h:392
#1 0x556f7d5e4c72 in clang::BinaryOperator::classof(clang::Stmt const*) /usr/lib/llvm-7/include/clang/AST/Expr.h:3301
#2 0x556f7d6da812 in llvm::isa_impl<clang::BinaryOperator, clang::Stmt, void>::doit(clang::Stmt const&) /usr/lib/llvm-7/include/llvm/Support/Casting.h:59
#3 0x556f7d6d8254 in llvm::isa_impl_cl<clang::BinaryOperator, clang::Stmt const*>::doit(clang::Stmt const*) /usr/lib/llvm-7/include/llvm/Support/Casting.h:107
#4 0x556f7d6d20b5 in llvm::isa_impl_wrap<clang::BinaryOperator, clang::Stmt const*, clang::Stmt const*>::doit(clang::Stmt const* const&) /usr/lib/llvm-7/include/llvm/Support/Casting.h:133
#5 0x556f7d6c9a39 in llvm::isa_impl_wrap<clang::BinaryOperator, clang::Stmt* const, clang::Stmt const*>::doit(clang::Stmt* const&) /usr/lib/llvm-7/include/llvm/Support/Casting.h:125
#6 0x556f7d6c0624 in bool llvm::isa<clang::BinaryOperator, clang::Stmt*>(clang::Stmt* const&) /usr/lib/llvm-7/include/llvm/Support/Casting.h:144
#7 0x556f7d66520d in llvm::cast_retty<clang::BinaryOperator, clang::Stmt*>::ret_type llvm::dyn_cast<clang::BinaryOperator, clang::Stmt>(clang::Stmt*) /usr/lib/llvm-7/include/llvm/Support/Casting.h:334
#8 0x556f7d644fb1 in clang::RecursiveASTVisitor::dataTraverseNode(clang::Stmt*, llvm::SmallVectorImpl<llvm::PointerIntPair<clang::Stmt*, 1u, bool, llvm::PointerLikeTypeTraitsclang::Stmt*, llvm::PointerIntPairInfo<clang::Stmt*, 1u, llvm::PointerLikeTypeTraitsclang::Stmt* > > >) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:551
#9 0x556f7d61f388 in clang::RecursiveASTVisitor::TraverseStmt(clang::Stmt, llvm::SmallVectorImpl<llvm::PointerIntPair<clang::Stmt*, 1u, bool, llvm::PointerLikeTypeTraitsclang::Stmt*, llvm::PointerIntPairInfo<clang::Stmt*, 1u, llvm::PointerLikeTypeTraitsclang::Stmt* > > >) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:654
#10 0x556f7d6595a4 in clang::RecursiveASTVisitor::TraverseArrayTypeLocHelper(clang::ArrayTypeLoc) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1188
#11 0x556f7d639dd8 in clang::RecursiveASTVisitor::TraverseConstantArrayTypeLoc(clang::ConstantArrayTypeLoc) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1192
#12 0x556f7d61e81b in clang::RecursiveASTVisitor::TraverseTypeLoc(clang::TypeLoc) /usr/lib/llvm-7/include/clang/AST/TypeNodes.def:71
#13 0x556f7d623aee in clang::RecursiveASTVisitor::TraverseDeclaratorHelper(clang::DeclaratorDecl) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1910
#14 0x556f7d6249a8 in clang::RecursiveASTVisitor::TraverseVarHelper(clang::VarDecl*) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:2052
#15 0x556f7d61288c in clang::RecursiveASTVisitor::TraverseParmVarDecl(clang::ParmVarDecl*) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:2071
#16 0x556f7d6019a1 in clang::RecursiveASTVisitor::TraverseDecl(clang::Decl*) /usr/lib/llvm-7/include/clang/AST/DeclNodes.inc:463
#17 0x556f7d63bb95 in clang::RecursiveASTVisitor::TraverseFunctionProtoTypeLoc(clang::FunctionProtoTypeLoc) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1246
#18 0x556f7d61ea0a in clang::RecursiveASTVisitor::TraverseTypeLoc(clang::TypeLoc) /usr/lib/llvm-7/include/clang/AST/TypeNodes.def:81
#19 0x556f7d6240e6 in clang::RecursiveASTVisitor::TraverseFunctionHelper(clang::FunctionDecl*) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1982
#20 0x556f7d611809 in clang::RecursiveASTVisitor::TraverseFunctionDecl(clang::FunctionDecl*) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:2006
#21 0x556f7d6016f5 in clang::RecursiveASTVisitor::TraverseDecl(clang::Decl*) /usr/lib/llvm-7/include/clang/AST/DeclNodes.inc:389
#22 0x556f7d61e485 in clang::RecursiveASTVisitor::TraverseDeclContextHelper(clang::DeclContext*) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1388
#23 0x556f7d613d34 in clang::RecursiveASTVisitor::TraverseTranslationUnitDecl(clang::TranslationUnitDecl*) /usr/lib/llvm-7/include/clang/AST/RecursiveASTVisitor.h:1480
#24 0x556f7d601c4d in clang::RecursiveASTVisitor::TraverseDecl(clang::Decl*) /usr/lib/llvm-7/include/clang/AST/DeclNodes.inc:553
#25 0x556f7d5f6839 in FunctionDeclASTConsumer::HandleTranslationUnit(clang::ASTContext&) /tmp/test/main.cpp:34
#26 0x556f7d900c18 in clang::ParseAST(clang::Sema&, bool, bool) (/tmp/test/a.out+0x534c18)
#27 0x556f7d74b495 in clang::FrontendAction::Execute() (/tmp/test/a.out+0x37f495)
#28 0x556f7d713b7b in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/tmp/test/a.out+0x347b7b)
#29 0x556f7d6ee743 in clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptrclang::CompilerInvocation, clang::FileManager*, std::shared_ptrclang::PCHContainerOperations, clang::DiagnosticConsumer*) (/tmp/test/a.out+0x322743)
#30 0x556f7d6e6efb in clang::tooling::ToolInvocation::runInvocation(char const*, clang::driver::Compilation*, std::shared_ptrclang::CompilerInvocation, std::shared_ptrclang::PCHContainerOperations) (/tmp/test/a.out+0x31aefb)
#31 0x556f7d6eb074 in clang::tooling::ToolInvocation::run() (/tmp/test/a.out+0x31f074)
#32 0x556f7d6ed5b8 in clang::tooling::ClangTool::run(clang::tooling::ToolAction*) (/tmp/test/a.out+0x3215b8)
#33 0x556f7d5dd16a in main /tmp/test/main.cpp:76
#34 0x7f5a38939b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#35 0x556f7d5dc629 in _start (/tmp/test/a.out+0x210629)
0x621000047870 is located 880 bytes inside of 4096-byte region [0x621000047500,0x621000048500)
allocated by thread T0 here:
#0 0x7f5a39fa7b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x556f7d5dd813 in llvm::safe_malloc(unsigned long) /usr/lib/llvm-7/include/llvm/Support/MemAlloc.h:27
#2 0x556f7d5ddaff in llvm::MallocAllocator::Allocate(unsigned long, unsigned long) /usr/lib/llvm-7/include/llvm/Support/Allocator.h:99
#3 0x556f7d6069e6 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul>::StartNewSlab() /usr/lib/llvm-7/include/llvm/Support/Allocator.h:346
#4 0x556f7d5fb4c1 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul>::Allocate(unsigned long, unsigned long) /usr/lib/llvm-7/include/llvm/Support/Allocator.h:260
#5 0x556f7e2850f2 in clang::TypedefDecl::Create(clang::ASTContext&, clang::DeclContext*, clang::SourceLocation, clang::SourceLocation, clang::IdentifierInfo*, clang::TypeSourceInfo*) (/tmp/test/a.out+0xeb90f2)
SUMMARY: AddressSanitizer: use-after-poison /usr/lib/llvm-7/include/clang/AST/Stmt.h:392 in clang::Stmt::getStmtClass() const
Shadow bytes around the buggy address:
0x0c4280000eb0: 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7 00 00
0x0c4280000ec0: 00 00 f7 00 00 f7 00 00 00 00 00 00 f7 00 00 00
0x0c4280000ed0: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
0x0c4280000ee0: f7 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
0x0c4280000ef0: 00 00 00 00 f7 f7 00 00 00 00 00 00 00 f7 00 00
=>0x0c4280000f00: 00 00 f7 00 00 00 00 00 00 00 00 00 00 f7[f7]f7
0x0c4280000f10: f7 f7 00 00 00 00 00 00 00 f7 00 00 00 00 00 f7
0x0c4280000f20: 00 00 00 00 00 f7 00 00 00 00 00 00 f7 00 00 00
0x0c4280000f30: 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00 00
0x0c4280000f40: 00 f7 00 00 00 00 00 00 00 f7 00 00 00 00 00 f7
0x0c4280000f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13708==ABORTING