https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91856

            Bug ID: 91856
           Summary: std::list::remove(const T& value) is broken with
                    -D_GLIBCXX_DEBUG when value is a reference inside the
                    list
           Product: gcc
           Version: 8.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: kp.lehrmann+gcc at gmail dot com
  Target Milestone: ---

Created attachment 46909
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=46909&action=edit
preprocessed file

Hi,

I believe this is https://gcc.gnu.org/bugzilla/show_bug.cgi?id=17012 for
_GLIBCXX_DEBUG.

---
#define _GLIBCXX_DEBUG   // select the checked std::__debug::list
#include <list>

int main() {
    std::list<int> l{1, 2, 3};
    l.remove(*l.begin());   // value is a reference to the first node of l
    return 0;
}
---

Address sanitizer would report a use after free:
> LANG=C g++ -v -save-temps a.cpp  -g  -fsanitize=undefined -fsanitize=address 
> && ./a.out
Using built-in specs.
COLLECT_GCC=g++
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 8.3.0-6'
--with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr
--with-gcc-major-version-only --program-suffix=-8
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--with-default-libstdcxx-abi=new --enable-gnu-unique-object
--disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie
--with-system-zlib --with-target-system-zlib --enable-objc-gc=auto
--enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none --without-cuda-driver
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu
--target=x86_64-linux-gnu
Thread model: posix
gcc version 8.3.0 (Debian 8.3.0-6) 
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-g' '-fsanitize=undefined'
'-fsanitize=address' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
 /usr/lib/gcc/x86_64-linux-gnu/8/cc1plus -E -quiet -v -imultiarch
x86_64-linux-gnu -D_GNU_SOURCE a.cpp -mtune=generic -march=x86-64
-fsanitize=undefined -fsanitize=address -g -fworking-directory -fpch-preprocess
-o a.ii
ignoring duplicate directory "/usr/include/x86_64-linux-gnu/c++/8"
ignoring nonexistent directory "/usr/local/include/x86_64-linux-gnu"
ignoring nonexistent directory
"/usr/lib/gcc/x86_64-linux-gnu/8/../../../../x86_64-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/include/c++/8
 /usr/include/x86_64-linux-gnu/c++/8
 /usr/include/c++/8/backward
 /usr/lib/gcc/x86_64-linux-gnu/8/include
 /usr/local/include
 /usr/lib/gcc/x86_64-linux-gnu/8/include-fixed
 /usr/include/x86_64-linux-gnu
 /usr/include
End of search list.
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-g' '-fsanitize=undefined'
'-fsanitize=address' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
 /usr/lib/gcc/x86_64-linux-gnu/8/cc1plus -fpreprocessed a.ii -quiet -dumpbase
a.cpp -mtune=generic -march=x86-64 -auxbase a -g -version -fsanitize=undefined
-fsanitize=address -o a.s
GNU C++14 (Debian 8.3.0-6) version 8.3.0 (x86_64-linux-gnu)
        compiled by GNU C version 8.3.0, GMP version 6.1.2, MPFR version 4.0.2,
MPC version 1.1.0, isl version isl-0.20-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
GNU C++14 (Debian 8.3.0-6) version 8.3.0 (x86_64-linux-gnu)
        compiled by GNU C version 8.3.0, GMP version 6.1.2, MPFR version 4.0.2,
MPC version 1.1.0, isl version isl-0.20-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: 3c854693d01dc9a844a56a0b1ab1c0f4
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-g' '-fsanitize=undefined'
'-fsanitize=address' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
 as -v --64 -o a.o a.s
GNU assembler version 2.31.1 (x86_64-linux-gnu) using BFD version (GNU Binutils
for Debian) 2.31.1
COMPILER_PATH=/usr/lib/gcc/x86_64-linux-gnu/8/:/usr/lib/gcc/x86_64-linux-gnu/8/:/usr/lib/gcc/x86_64-linux-gnu/:/usr/lib/gcc/x86_64-linux-gnu/8/:/usr/lib/gcc/x86_64-linux-gnu/
LIBRARY_PATH=/usr/lib/gcc/x86_64-linux-gnu/8/:/usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/:/usr/lib/gcc/x86_64-linux-gnu/8/../../../../lib/:/lib/x86_64-linux-gnu/:/lib/../lib/:/usr/lib/x86_64-linux-gnu/:/usr/lib/../lib/:/usr/lib/gcc/x86_64-linux-gnu/8/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-g' '-fsanitize=undefined'
'-fsanitize=address' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
 /usr/lib/gcc/x86_64-linux-gnu/8/collect2 -plugin
/usr/lib/gcc/x86_64-linux-gnu/8/liblto_plugin.so
-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper
-plugin-opt=-fresolution=a.res -plugin-opt=-pass-through=-lgcc_s
-plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lc
-plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lgcc --build-id
--eh-frame-hdr -m elf_x86_64 --hash-style=gnu -dynamic-linker
/lib64/ld-linux-x86-64.so.2 -pie
/usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/Scrt1.o
/usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crti.o
/usr/lib/gcc/x86_64-linux-gnu/8/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/8
-L/usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu
-L/usr/lib/gcc/x86_64-linux-gnu/8/../../../../lib -L/lib/x86_64-linux-gnu
-L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib
-L/usr/lib/gcc/x86_64-linux-gnu/8/../../..
/usr/lib/gcc/x86_64-linux-gnu/8/libasan_preinit.o -lasan a.o -lstdc++ -lm
-lubsan -lgcc_s -lgcc -lc -lgcc_s -lgcc
/usr/lib/gcc/x86_64-linux-gnu/8/crtendS.o
/usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crtn.o
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-g' '-fsanitize=undefined'
'-fsanitize=address' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
=================================================================
==24879==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000020
at pc 0x56169613eb39 bp 0x7ffd90a47e20 sp 0x7ffd90a47e18
READ of size 4 at 0x603000000020 thread T0
    #0 0x56169613eb38 in std::__debug::list<int, std::allocator<int>
>::remove(int const&) /usr/include/c++/8/debug/list:649
    #1 0x56169613c5fe in main /home/gulain/a.cpp:6
    #2 0x7f573395409a in __libc_start_main ../csu/libc-start.c:308
    #3 0x56169613c309 in _start (/home/gulain/a.out+0x10309)

0x603000000020 is located 16 bytes inside of 24-byte region
[0x603000000010,0x603000000028)
freed by thread T0 here:
    #0 0x7f5734a3baa0 in operator delete(void*)
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0xebaa0)
    #1 0x5616961430f7 in
__gnu_cxx::new_allocator<std::__cxx1998::_List_node<int>
>::deallocate(std::__cxx1998::_List_node<int>*, unsigned long)
/usr/include/c++/8/ext/new_allocator.h:125
    #2 0x5616961424e7 in
std::allocator_traits<std::allocator<std::__cxx1998::_List_node<int> >
>::deallocate(std::allocator<std::__cxx1998::_List_node<int> >&,
std::__cxx1998::_List_node<int>*, unsigned long)
/usr/include/c++/8/bits/alloc_traits.h:462
    #3 0x5616961409b1 in std::__cxx1998::__cxx11::_List_base<int,
std::allocator<int> >::_M_put_node(std::__cxx1998::_List_node<int>*)
/usr/include/c++/8/bits/stl_list.h:454
    #4 0x561696142bee in std::__cxx1998::__cxx11::list<int, std::allocator<int>
>::_M_erase(std::__cxx1998::_List_iterator<int>)
/usr/include/c++/8/bits/stl_list.h:1922
    #5 0x56169614215c in std::__cxx1998::__cxx11::list<int, std::allocator<int>
>::erase(std::__cxx1998::_List_const_iterator<int>)
/usr/include/c++/8/bits/list.tcc:158
    #6 0x561696140309 in std::__debug::list<int, std::allocator<int>
>::_M_erase(std::__cxx1998::_List_const_iterator<int>)
/usr/include/c++/8/debug/list:491
    #7 0x56169613ec0a in std::__debug::list<int, std::allocator<int>
>::remove(int const&) /usr/include/c++/8/debug/list:650
    #8 0x56169613c5fe in main /home/gulain/a.cpp:6
    #9 0x7f573395409a in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f5734a3ad30 in operator new(unsigned long)
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0xead30)
    #1 0x561696143c4d in
__gnu_cxx::new_allocator<std::__cxx1998::_List_node<int> >::allocate(unsigned
long, void const*) /usr/include/c++/8/ext/new_allocator.h:111
    #2 0x561696143ab7 in
std::allocator_traits<std::allocator<std::__cxx1998::_List_node<int> >
>::allocate(std::allocator<std::__cxx1998::_List_node<int> >&, unsigned long)
/usr/include/c++/8/bits/alloc_traits.h:436
    #3 0x5616961436b6 in std::__cxx1998::__cxx11::_List_base<int,
std::allocator<int> >::_M_get_node() /usr/include/c++/8/bits/stl_list.h:450
    #4 0x56169614339b in std::__cxx1998::_List_node<int>*
std::__cxx1998::__cxx11::list<int, std::allocator<int> >::_M_create_node<int
const&>(int const&) /usr/include/c++/8/bits/stl_list.h:642
    #5 0x561696142f5b in void std::__cxx1998::__cxx11::list<int,
std::allocator<int> >::_M_insert<int
const&>(std::__cxx1998::_List_iterator<int>, int const&)
/usr/include/c++/8/bits/stl_list.h:1903
    #6 0x56169614244d in void std::__cxx1998::__cxx11::list<int,
std::allocator<int> >::emplace_back<int const&>(int const&)
/usr/include/c++/8/bits/stl_list.h:1235
    #7 0x5616961407ee in void std::__cxx1998::__cxx11::list<int,
std::allocator<int> >::_M_initialize_dispatch<int const*>(int const*, int
const*, std::__false_type) /usr/include/c++/8/bits/stl_list.h:1832
    #8 0x56169613efde in std::__cxx1998::__cxx11::list<int, std::allocator<int>
>::list(std::initializer_list<int>, std::allocator<int> const&)
/usr/include/c++/8/bits/stl_list.h:769
    #9 0x56169613e216 in std::__debug::list<int, std::allocator<int>
>::list(std::initializer_list<int>, std::allocator<int> const&)
/usr/include/c++/8/debug/list:96
    #10 0x56169613c4de in main /home/gulain/a.cpp:5
    #11 0x7f573395409a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free
/usr/include/c++/8/debug/list:649 in std::__debug::list<int,
std::allocator<int> >::remove(int const&)
Shadow bytes around the buggy address:
  0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa fd fd[fd]fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff8010: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24879==ABORTING

FTR, it was spotted in https://github.com/danmar/cppcheck/pull/2186.
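An alias-safe `remove` as an added illustration; it is not code from the report or from libstdc++. The names `remove_alias_safe`, `demo_alias_remove` and `demo_nonmember_remove` are hypothetical, and the deferred-erase strategy is modeled on the approach taken for bug 17012 in the non-debug `std::list::remove` (my reading of that fix, not something the report states). The point it shows: when `value` refers to a node of the list, that node must be erased last, after every comparison that reads `value` has been made.

```cpp
#include <iterator>
#include <list>
#include <memory>

// Added example (not the report's code, not libstdc++'s): remove every element
// equal to `value`, tolerating the case where `value` is a reference to an
// element of `l` itself.  Erasing that node early would free the storage that
// every later `*it == value` comparison still reads (the use-after-free the
// report shows), so its erase is deferred until the traversal is finished.
template <typename T, typename A>
void remove_alias_safe(std::list<T, A>& l, const T& value)
{
    typename std::list<T, A>::iterator extra = l.end();  // node aliased by `value`, if any
    for (auto it = l.begin(); it != l.end(); ) {
        auto next = std::next(it);                        // erase() invalidates only `it`
        if (*it == value) {
            if (std::addressof(*it) != std::addressof(&value ? value : value))
                l.erase(it);                              // safe: `value` lives elsewhere
            else
                extra = it;                               // defer: `value` lives in this node
        }
        it = next;
    }
    if (extra != l.end())
        l.erase(extra);                                   // nothing reads `value` after this
}

// Constructed sample: equal elements sit both before and after the node that
// `value` refers to, so the deferral matters in both directions.
std::list<int> demo_alias_remove()
{
    std::list<int> l{2, 1, 2, 3, 2};
    remove_alias_safe(l, *l.begin());   // `value` is a reference into l
    return l;                            // {1, 3}
}

// Constructed sample: `value` is an ordinary variable, not an element of l.
std::list<int> demo_nonmember_remove()
{
    std::list<int> l{1, 2, 3, 2};
    int v = 2;
    remove_alias_safe(l, v);
    return l;                            // {1, 3}
}

int main()
{
    // Both calls complete without touching freed memory; build with
    // -fsanitize=address (and optionally -D_GLIBCXX_DEBUG) to confirm.
    return demo_alias_remove() == std::list<int>({1, 3})
        && demo_nonmember_remove() == std::list<int>({1, 3}) ? 0 : 1;
}
```

The `std::addressof` comparison is the whole fix: equality alone cannot tell a duplicate from the aliased node, so the address of the stored object is compared with the address of `value`. Compiling this with `-D_GLIBCXX_DEBUG -fsanitize=address` exercises the same checked container the report uses, and the deferred erase keeps `extra` a valid iterator because the only erase calls made before it target other nodes.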
