https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94299
Bug ID: 94299
Summary: false positive: AddressSanitizer: stack-use-after-scope on address
Product: gcc
Version: 9.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: jan.kratochvil at redhat dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---

Created attachment 48103
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=48103&action=edit
reproducer patch

I believe it is a false positive.

gcc-9.2.1-1.fc31.x86_64

git clone https://github.com/llvm/llvm-project.git
(cd llvm-project;git checkout b6ae8937e031cde2e70e6a83d46c21e940fdf4ac;patch -p1 <../asan.patch)
mkdir llvm-project-gccassertdebugasanO1
cd llvm-project-gccassertdebugasanO1
cmake ../llvm-project-gccassertdebugasanO1/llvm/ -DCMAKE_BUILD_TYPE=Debug -DLLVM_USE_LINKER=gold -DLLVM_ENABLE_PROJECTS="lldb;clang;lld" -DLLVM_USE_SPLIT_DWARF=ON -DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=gold -Wl,--gdb-index" -DCMAKE_SHARED_LINKER_FLAGS="-fuse-ld=gold -Wl,--gdb-index" -DLLVM_ENABLE_ASSERTIONS=ON -DLLVM_OPTIMIZED_TABLEGEN=ON -DLLVM_USE_SANITIZER=Address
make
gdb -batch -ex 'catch syscall exit_group' -ex r -ex bt -ex 'frame 19' -ex 'info source' --args ./bin/lldb -o 'command regex -h h -s s foo s/1/2/'

Catchpoint 1 (syscall 'exit_group' [231])
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[Detaching after vfork from child process 1526560]
[Detaching after vfork from child process 1526576]
[New Thread 0x7fffd1ad2700 (LWP 1526592)]
(lldb) command regex -h h -s s foo s/1/2/
=================================================================
==1526553==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fffffffa410 at pc 0x7fffd9c497ec bp 0x7fffffff9c10 sp 0x7fffffff9c00
READ of size 1 at 0x7fffffffa410 thread T0
    #0 0x7fffd9c497eb in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag) (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0x28d77eb)
    #1 0x7fffdb147b04 in lldb_private::CommandObject::CommandObject(lldb_private::CommandInterpreter&, llvm::StringRef, llvm::StringRef, llvm::StringRef, unsigned int) (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0x3dd5b04)
    #2 0x7fffdb14d6b2 in lldb_private::CommandObjectRegexCommand::CommandObjectRegexCommand(lldb_private::CommandInterpreter&, llvm::StringRef, llvm::StringRef, llvm::StringRef, unsigned int, unsigned int, bool) (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0x3ddb6b2)
    #3 0x7fffe2c80c35 in CommandObjectCommandsAddRegex::DoExecute(lldb_private::Args&, lldb_private::CommandReturnObject&) (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0xb90ec35)
    #4 0x7fffdb1432c3 in lldb_private::CommandObjectParsed::Execute(char const*, lldb_private::CommandReturnObject&) (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0x3dd12c3)
    #5 0x7fffdb12c344 in lldb_private::CommandInterpreter::HandleCommand(char const*, lldb_private::LazyBool, lldb_private::CommandReturnObject&, lldb_private::ExecutionContext*, bool, bool) (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0x3dba344)
    #6 0x7fffdb1319be in lldb_private::CommandInterpreter::IOHandlerInputComplete(lldb_private::IOHandler&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0x3dbf9be)
    #7 0x7fffdad4286f in lldb_private::IOHandlerEditline::Run() (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0x39d086f)
    #8 0x7fffdacb1d2d in lldb_private::Debugger::RunIOHandlers() (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0x393fd2d)
    #9 0x7fffdb0e5ade in lldb_private::CommandInterpreter::RunCommandInterpreter(bool, bool, lldb_private::CommandInterpreterRunOptions&) (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0x3d73ade)
    #10 0x7fffd9e51ed9 in lldb::SBDebugger::RunCommandInterpreter(bool, bool, lldb::SBCommandInterpreterRunOptions&, int&, bool&, bool&) (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0x2adfed9)
    #11 0x412c7e in Driver::MainLoop() (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/lldb+0x412c7e)
    #12 0x42339d in main (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/lldb+0x42339d)
    #13 0x7fffd54351a2 in __libc_start_main ../csu/libc-start.c:308
    #14 0x4078ad in _start (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/lldb+0x4078ad)

Address 0x7fffffffa410 is located in stack of thread T0 at offset 944 in frame
    #0 0x7fffe2c80311 in CommandObjectCommandsAddRegex::DoExecute(lldb_private::Args&, lldb_private::CommandReturnObject&) (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0xb90e311)

  This frame has 39 object(s):
    [32, 33) '<unknown>'
    [48, 49) '<unknown>'
    [64, 65) '<unknown>'
    [80, 81) '<unknown>'
    [96, 97) '<unknown>'
    [112, 113) '<unknown>'
    [128, 129) '<unknown>'
    [144, 145) '<unknown>'
    [160, 161) '<unknown>'
    [176, 177) '<unknown>'
    [192, 193) '<unknown>'
    [208, 209) '<unknown>'
    [224, 225) '<unknown>'
    [240, 241) '<unknown>'
    [256, 264) '<unknown>'
    [288, 304) '<unknown>'
    [320, 336) 'name' (line 990)
    [352, 368) '<unknown>'
    [384, 400) '<unknown>'
    [416, 432) 'io_handler_sp' (line 999)
    [448, 464) '<unknown>'
    [480, 496) '<unknown>'
    [512, 528) '<unknown>'
    [544, 560) '<unknown>'
    [576, 592) '<unknown>'
    [608, 624) '<unknown>'
    [640, 656) '<unknown>'
    [672, 688) '<unknown>'
    [704, 720) '<unknown>'
    [736, 752) '<unknown>'
    [768, 784) '<unknown>'
    [800, 816) '<unknown>'
    [832, 848) '<unknown>'
    [864, 880) '<unknown>'
    [896, 912) 'cmd_sp' (line 1130)
    [928, 960) '<unknown>' <== Memory access at offset 944 is inside this variable
    [992, 1024) '<unknown>'
    [1056, 1096) 'error' (line 989)
    [1136, 1176) '<unknown>'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope (/quad/home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/bin/../lib/liblldb.so.11git+0x28d77eb) in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag)
Shadow bytes around the buggy address:
  0x10007fff7430: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
  0x10007fff7440: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
  0x10007fff7450: 00 00 f2 f2 00 00 f2 f2 f8 f8 f2 f2 00 00 f2 f2
  0x10007fff7460: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
  0x10007fff7470: f8 f8 f2 f2 f8 f8 f2 f2 00 00 f2 f2 00 00 f2 f2
=>0x10007fff7480: f8 f8[f8]f8 f2 f2 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2
  0x10007fff7490: 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 f3
  0x10007fff74a0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff74b0: 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f2 f2 f8 f8
  0x10007fff74c0: f2 f2 f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2 f8 f8
  0x10007fff74d0: f2 f2 f8 f8 f2 f2 00 00 f2 f2 f8 f8 f2 f2 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1526553==ABORTING

Thread 1 "lldb" hit Catchpoint 1 (call to syscall exit_group), __sanitizer::internal__exit (exitcode=1) at ../../../../libsanitizer/sanitizer_common/sanitizer_linux.cc:429
429	  Die(); // Unreachable.
#0  __sanitizer::internal__exit (exitcode=1) at ../../../../libsanitizer/sanitizer_common/sanitizer_linux.cc:429
#1  0x00007ffff768f2e7 in __sanitizer::Die () at ../../../../libsanitizer/sanitizer_common/sanitizer_flags.h:37
#2  0x00007ffff767097c in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0x7fffffff8f96, __in_chrg=<optimized out>) at ../../../../libsanitizer/asan/asan_report.cc:185
#3  0x00007ffff76703f3 in __asan::ReportGenericError (pc=140736846927852, bp=bp@entry=140737488329744, sp=sp@entry=140737488329728, addr=addr@entry=140737488331792, is_write=is_write@entry=false, access_size=access_size@entry=1, exp=0, fatal=true) at ../../../../libsanitizer/asan/asan_report.cc:192
#4  0x00007ffff7670edb in __asan::__asan_report_load1 (addr=addr@entry=140737488331792) at ../../../../libsanitizer/asan/asan_rtl.cc:116
#5  0x00007fffd9c497ec in std::char_traits<char>::assign (__c2=@0x7fffffffa410: 104 'h', __c1=<optimized out>) at /usr/include/c++/9/bits/char_traits.h:365
#6  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_S_copy (__n=1, __s=0x7fffffffa410 "h", __d=<optimized out>) at /usr/include/c++/9/bits/basic_string.h:349
#7  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_S_copy_chars (__k2=<optimized out>, __k1=0x7fffffffa410 "h", __p=<optimized out>) at /usr/include/c++/9/bits/basic_string.h:398
#8  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*> (this=0x7fffffff9ec0, __beg=<optimized out>, __end=<optimized out>) at /usr/include/c++/9/bits/basic_string.tcc:225
#9  0x00007fffdb147b05 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct_aux<char const*> (__end=<optimized out>, __beg=<optimized out>, this=0x7fffffff9ec0) at /usr/include/c++/9/bits/basic_string.h:243
#10 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*> (__end=<optimized out>, __beg=<optimized out>, this=0x7fffffff9ec0) at /usr/include/c++/9/bits/basic_string.h:266
#11 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string (__a=..., __n=<optimized out>, __s=<optimized out>, this=0x7fffffff9ec0) at /usr/include/c++/9/bits/basic_string.h:513
#12 llvm::StringRef::str[abi:cxx11]() const (this=0x7fffffff9e80) at /home/jkratoch/redhat/llvm-monorepo3/llvm/include/llvm/ADT/StringRef.h:250
#13 llvm::StringRef::operator std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > (this=0x7fffffff9e80) at /home/jkratoch/redhat/llvm-monorepo3/llvm/include/llvm/ADT/StringRef.h:275
#14 lldb_private::CommandObject::CommandObject (this=0x6120000133c0, interpreter=..., name=..., help=..., syntax=..., flags=<optimized out>) at /home/jkratoch/redhat/llvm-monorepo3/lldb/source/Interpreter/CommandObject.cpp:47
#15 0x00007fffdb14d6b3 in lldb_private::CommandObjectRaw::CommandObjectRaw (flags=0, syntax=..., help=..., name=..., interpreter=..., this=0x6120000133c0) at /home/jkratoch/redhat/llvm-monorepo3/lldb/include/lldb/Interpreter/CommandObject.h:396
#16 lldb_private::CommandObjectRegexCommand::CommandObjectRegexCommand (this=0x6120000133c0, interpreter=..., name=..., help=..., syntax=..., max_matches=10, completion_type_mask=0, is_removable=true) at /home/jkratoch/redhat/llvm-monorepo3/lldb/source/Interpreter/CommandObjectRegexCommand.cpp:24
#17 0x00007fffe2c80c36 in std::make_unique<lldb_private::CommandObjectRegexCommand, lldb_private::CommandInterpreter&, llvm::StringRef&, llvm::StringRef, llvm::StringRef, int, int, bool> () at /usr/include/c++/9/bits/unique_ptr.h:848
#18 CommandObjectCommandsAddRegex::DoExecute (this=<optimized out>, command=..., result=...) at /home/jkratoch/redhat/llvm-monorepo3/lldb/source/Commands/CommandObjectCommands.cpp:991
#19 0x00007fffdb1432c4 in lldb_private::CommandObjectParsed::Execute (this=<optimized out>, args_string=<optimized out>, result=...) at /home/jkratoch/redhat/llvm-monorepo3/lldb/source/Interpreter/CommandObject.cpp:995
#20 0x00007fffdb12c345 in lldb_private::CommandInterpreter::HandleCommand (this=this@entry=0x615000000800, command_line=<optimized out>, lazy_add_to_history=lazy_add_to_history@entry=lldb_private::eLazyBoolCalculate, result=..., override_context=override_context@entry=0x0, repeat_on_empty_command=repeat_on_empty_command@entry=true, no_context_switching=<optimized out>) at /usr/include/c++/9/bits/basic_string.h:2300
#21 0x00007fffdb1319bf in lldb_private::CommandInterpreter::IOHandlerInputComplete (this=0x615000000800, io_handler=..., line=...) at /usr/include/c++/9/bits/basic_string.h:2300
#22 0x00007fffdad42870 in lldb_private::IOHandlerEditline::Run (this=0x6130000129d0) at /home/jkratoch/redhat/llvm-monorepo3/lldb/source/Core/IOHandler.cpp:551
#23 0x00007fffdacb1d2e in lldb_private::Debugger::RunIOHandlers (this=0x618000001c80) at /home/jkratoch/redhat/llvm-monorepo3/lldb/source/Core/Debugger.cpp:835
#24 0x00007fffdb0e5adf in lldb_private::CommandInterpreter::RunCommandInterpreter (this=this@entry=0x615000000800, auto_handle_events=<optimized out>, spawn_thread=<optimized out>, options=...) at /home/jkratoch/redhat/llvm-monorepo3/lldb/source/Interpreter/CommandInterpreter.cpp:2968
#25 0x00007fffd9e51eda in lldb::SBDebugger::RunCommandInterpreter (this=this@entry=0x7fffffffcb10, auto_handle_events=<optimized out>, auto_handle_events@entry=true, spawn_thread=<optimized out>, spawn_thread@entry=false, options=..., num_errors=@0x7fffffffbe80: 0, quit_requested=@0x7fffffffbd20: false, stopped_for_crash=<optimized out>) at /home/jkratoch/redhat/llvm-monorepo3/lldb/source/API/SBDebugger.cpp:1189
#26 0x0000000000412c7f in Driver::MainLoop (this=this@entry=0x7fffffffcaf0) at /home/jkratoch/redhat/llvm-monorepo3/lldb/tools/driver/Driver.cpp:613
#27 0x000000000042339e in main (argc=<optimized out>, argv=<optimized out>) at /home/jkratoch/redhat/llvm-monorepo3/lldb/tools/driver/Driver.cpp:898
#19 0x00007fffdb1432c4 in lldb_private::CommandObjectParsed::Execute (this=<optimized out>, args_string=<optimized out>, result=...) at /home/jkratoch/redhat/llvm-monorepo3/lldb/source/Interpreter/CommandObject.cpp:995
995	  handled = DoExecute(cmd_args, result);
Current source file is /home/jkratoch/redhat/llvm-monorepo3/lldb/source/Interpreter/CommandObject.cpp
Compilation directory is /home/jkratoch/redhat/llvm-monorepo3-gccassertdebugasanO1/tools/lldb/source/Interpreter
Located in /home/jkratoch/redhat/llvm-monorepo3/lldb/source/Interpreter/CommandObject.cpp
Contains 1134 lines.
Source language is c++.
Producer is GNU C++14 9.2.1 20190827 (Red Hat 9.2.1-1) -mtune=generic -march=x86-64 -g -gsplit-dwarf -O1 -std=c++14 -fPIC -fvisibility-inlines-hidden -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope -fno-exceptions -fno-rtti.
Compiled with DWARF 2 debugging format.
Does not include preprocessor macro info.
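The defect class that -fsanitize-address-use-after-scope exists to catch, laid out in the same shape as frames #0 and #1 of the report (a StringRef-style view converted back into an owning std::string by a CommandObject constructor), as an added illustration that is not code from the bug report, GCC or LLDB. StringRef and CommandObject here are simplified stand-ins, and whether the report above is a true or false positive is not settled on this page; the example only shows what a genuine stack-use-after-scope of this shape looks like beside its fix.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Simplified stand-in for llvm::StringRef: a non-owning (pointer, length) view.
struct StringRef {
    const char* data = "";
    size_t length = 0;
    StringRef() = default;
    StringRef(const char* s) : data(s), length(std::strlen(s)) {}
    StringRef(const std::string& s) : data(s.data()), length(s.size()) {}  // views s, no copy
    // Mirrors StringRef::str(): the range constructor is the
    // _M_construct<char const*> read reported in frame #0.
    std::string str() const { return std::string(data, data + length); }
};

// Simplified stand-in for lldb_private::CommandObject (frame #1): it takes
// views and copies them into owning members.
struct CommandObject {
    std::string name, help, syntax;
    CommandObject(StringRef n, StringRef h, StringRef s)
        : name(n.str()), help(h.str()), syntax(s.str()) {}
};

// Buggy shape: the view outlives the std::string it points into. With the
// short-string optimisation, "h" is stored inline in the std::string object
// (32 bytes in libstdc++ on x86-64, the same size as the [928, 960) object in
// the report). Once that object leaves scope ASan poisons it (shadow f8), so
// the 1-byte read inside str() is reported as stack-use-after-scope.
CommandObject make_command_dangling() {
    StringRef help;
    {
        std::string tmp = "h";
        help = tmp;   // help now points into tmp's inline buffer
    }                 // tmp is destroyed here; help dangles
    return CommandObject("foo", help, "s");   // reads dead stack memory
}

// Fixed shape: the owner lives at least as long as every view taken from it.
CommandObject make_command_safe() {
    std::string help = "h";
    StringRef view = help;
    return CommandObject("foo", view, "s");
}

int main(int argc, char**) {
    std::cout << make_command_safe().help << "\n";
    // Build with -fsanitize=address -fsanitize-address-use-after-scope and
    // pass any argument to see the report for the buggy shape.
    if (argc > 1) std::cout << make_command_dangling().help << "\n";
    return 0;
}
```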