danmar / simplecpp

C++ preprocessor
BSD Zero Clause License

stack use after scope on cppcheck --check-config #131

Open matthiaskrgr opened 6 years ago

matthiaskrgr commented 6 years ago
./cppcheck  --check-config gui

crashes inside simplecpp:

49/53 files checked 89% done
Checking gui/translationhandler.cpp ...
[gui/translationhandler.cpp:19]: (information) Include file: <QApplication> not found. Please note: Cppcheck does not need standard library headers to get proper results.
[gui/translationhandler.cpp:20]: (information) Include file: <QFile> not found. Please note: Cppcheck does not need standard library headers to get proper results.
[gui/translationhandler.cpp:21]: (information) Include file: <QDebug> not found. Please note: Cppcheck does not need standard library headers to get proper results.
[gui/translationhandler.cpp:22]: (information) Include file: <QLocale> not found. Please note: Cppcheck does not need standard library headers to get proper results.
[gui/translationhandler.cpp:23]: (information) Include file: <QMessageBox> not found. Please note: Cppcheck does not need standard library headers to get proper results.
[gui/translationhandler.cpp:24]: (information) Include file: <QSettings> not found. Please note: Cppcheck does not need standard library headers to get proper results.
[gui/translationhandler.cpp:25]: (information) Include file: <QFileInfo> not found. Please note: Cppcheck does not need standard library headers to get proper results.
=================================================================
==32629==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fffd86a9048 at pc 0x000000fa35a3 bp 0x7fffd86a88c0 sp 0x7fffd86a88b8
READ of size 8 at 0x7fffd86a9048 thread T0
    #0 0xfa35a2 in std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::size() const /usr/lib64/gcc/x86_64-pc-linux-gnu/8.1.0/../../../../include/c++/8.1.0/bits/stl_vector.h:806:40
    #1 0xfa2e75 in simplecpp::Location::file[abi:cxx11]() const /home/matthias/vcs/github/cppcheck_llvm_debug/externals/simplecpp/simplecpp.h:82:38
    #2 0xf8e944 in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::istream&) /home/matthias/vcs/github/cppcheck_llvm_debug/lib/cppcheck.cpp:487:46
    #3 0xf78552 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/matthias/vcs/github/cppcheck_llvm_debug/lib/cppcheck.cpp:83:12
    #4 0x16661ae in CppCheckExecutor::check_internal(CppCheck&, int, char const* const*) /home/matthias/vcs/github/cppcheck_llvm_debug/cli/cppcheckexecutor.cpp:871:41
    #5 0x166253c in CppCheckExecutor::check(int, char const* const*) /home/matthias/vcs/github/cppcheck_llvm_debug/cli/cppcheckexecutor.cpp:198:12
    #6 0x1681d56 in main /home/matthias/vcs/github/cppcheck_llvm_debug/cli/main.cpp:136:21
    #7 0x7f0e1271506a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #8 0x99e029 in _start (/home/matthias/vcs/github/cppcheck_llvm_debug/cppcheck+0x99e029)
Address 0x7fffd86a9048 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-use-after-scope /usr/lib64/gcc/x86_64-pc-linux-gnu/8.1.0/../../../../include/c++/8.1.0/bits/stl_vector.h:806:40 in std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::size() const
Shadow bytes around the buggy address:
  0x10007b0cd1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b0cd1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b0cd1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b0cd1e0: 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10007b0cd1f0: f8 f8 00 00 00 00 f8 f8 f8 f8 f8 f8 00 00 00 00
=>0x10007b0cd200: f8 f8 f8 00 00 00 00 00 f8[f8]f8 00 00 00 00 00
  0x10007b0cd210: f8 f8 f8 f8 f8 f8 f8 f8 f8 00 00 00 00 00 00 00
  0x10007b0cd220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b0cd230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b0cd240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b0cd250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32629==ABORTING
danmar commented 6 years ago

Thanks! I doubt that this is a simplecpp issue. Because according to the call stack it does not happen during preprocessing. I assume that you don't see any crash with the simplecpp utility.

matthiaskrgr commented 6 years ago

Ok. From looking at the stacktrace this looked to me like it was happening in simplecpp, but I probably interpreted that wrongly then...

matthiaskrgr commented 6 years ago

Link to cppcheck trac ticket: https://trac.cppcheck.net/ticket/8585

amai2012 commented 6 years ago

See https://github.com/danmar/simplecpp/pull/132. BTW, cppcheck's travis/appveyor jobs should also contain --check-config runs.

matthiaskrgr commented 6 years ago

In non-ASan mode, it only displays a bunch of corrupted characters but does not crash, so I doubt we would have found this on travis :/

amai2012 commented 6 years ago

That is the current state after my - obviously failed - attempt to cure a program termination after a C++ exception was not caught at all.

amai2012 commented 6 years ago

The code triggering for that is within cppcheck. One might consider some changes within simplecpp, maybe using some suitable pointer class instead of the reference, though within C++03 it would require a few lines of additional code...
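
A minimal illustration of the reference-lifetime problem this thread is about, added here as an example; it is not simplecpp's or Cppcheck's code. `RefLocation` mimics a Location that stores a reference to the caller's file-name table (the `files.size()` read is where the trace above faults), and `OwningLocation` is one "suitable pointer class" alternative using `std::shared_ptr`, which is C++11 and therefore not available under the C++03 constraint mentioned above. The file name is a constructed sample.

```cpp
#include <memory>
#include <string>
#include <vector>

// Stand-in for a Location that holds a *reference* to the file-name table.
// It is valid only as long as the vector it refers to is alive.
struct RefLocation {
    explicit RefLocation(const std::vector<std::string> &f) : files(f), fileIndex(0) {}
    const std::string &file() const {
        static const std::string empty;
        return fileIndex < files.size() ? files[fileIndex] : empty; // reads files.size()
    }
    const std::vector<std::string> &files;
    unsigned int fileIndex;
};

// The bug pattern: the vector is block-scoped, the location escapes the block,
// and file() then reads a dead stack object. Built with -fsanitize=address this
// is reported as stack-use-after-scope. Never call it; it is undefined behaviour.
std::string buggyFileName() {
    std::unique_ptr<RefLocation> loc;
    {
        std::vector<std::string> files;                 // dies at the closing brace
        files.push_back("gui/translationhandler.cpp");  // constructed sample
        loc.reset(new RefLocation(files));              // keeps a reference to `files`
    }
    return loc->file();  // use after scope
}

// Hardened form: the location shares ownership of the table, so the table
// lives at least as long as every location that points at it.
struct OwningLocation {
    explicit OwningLocation(std::shared_ptr<const std::vector<std::string> > f)
        : files(std::move(f)), fileIndex(0) {}
    const std::string &file() const {
        static const std::string empty;
        return fileIndex < files->size() ? (*files)[fileIndex] : empty;
    }
    std::shared_ptr<const std::vector<std::string> > files;  // owning, not borrowing
    unsigned int fileIndex;
};

std::string fixedFileName() {
    std::unique_ptr<OwningLocation> loc;
    {
        std::shared_ptr<std::vector<std::string> > files = std::make_shared<std::vector<std::string> >();
        files->push_back("gui/translationhandler.cpp");  // constructed sample
        loc.reset(new OwningLocation(files));            // shares ownership
    }
    return loc->file();  // safe: the vector is still alive
}
```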

amai2012 commented 5 years ago

@matthiaskrgr Does this problem still exist?

versat commented 5 years ago

I have built Cppcheck 1.89 dev via CXXFLAGS="-fsanitize=address -Og -g3" make cppcheck and run ./cppcheck --check-config gui/ and ./cppcheck --check-config ./. So it looks like there is no longer an issue.

firewave commented 1 month ago

As pointed out, this issue has probably been resolved for quite a while - but we are not testing --check-config in Cppcheck at all. I filed https://trac.cppcheck.net/ticket/13207 about this and will close this ticket when that has been implemented.