dreal / dreal3

There is a new version of dReal, available at https://github.com/dreal/dreal4
GNU General Public License v3.0

container-overflow from capd4 #324

Closed soonho-tri closed 8 years ago

soonho-tri commented 8 years ago

Reproducible without dReal. Run ./tests/capd4/capd4_example_01 with -DUSE_ASAN=ON (to enable clang's address sanitizer).

=================================================================
==8291==ERROR: AddressSanitizer: container-overflow on address 0x60800000be68 at pc 0x00010ad38078 bp 0x7fff55d00dd0 sp 0x7fff55d00580
READ of size 24 at 0x60800000be68 thread T0
    #0 0x10ad38077 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x49077)
    #1 0x10a1f0fe6 in std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >::__swap_out_circular_buffer(std::__1::__split_buffer<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >&>&) string:2140
    #2 0x10a1efff9 in void std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >::__push_back_slow_path<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) vector:1577
    #3 0x10a5b7efa in capd::map::parseVariables(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >&) (capd4_example_01+0x1006baefa)
    #4 0x10a5277b1 in capd::map::BasicFunction<capd::intervals::Interval<double, capd::rounding::DoubleRounding> >::createFromText(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >) (capd4_example_01+0x10062a7b1)
    #5 0x10a527b87 in capd::map::BasicFunction<capd::intervals::Interval<double, capd::rounding::DoubleRounding> >::BasicFunction(char const*) (capd4_example_01+0x10062ab87)
    #6 0x10a5b12c1 in capd::map::Map<capd::vectalg::Matrix<capd::intervals::Interval<double, capd::rounding::DoubleRounding>, 0u, 0u> >::Map(char const*, unsigned int) (capd4_example_01+0x1006b42c1)
    #7 0x109f005d0 in main example_01.cpp:24
    #8 0x7fffab65c254 in start (libdyld.dylib+0x5254)

0x60800000be68 is located 72 bytes inside of 96-byte region [0x60800000be20,0x60800000be80)
allocated by thread T0 here:
    #0 0x10ad4df0b in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib+0x5ef0b)
    #1 0x10a5b9338 in std::__1::__split_buffer<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >&) (capd4_example_01+0x1006bc338)
    #2 0x10a1f0bbc in std::__1::__split_buffer<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >&) __split_buffer:310
    #3 0x10a1efd83 in void std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >::__push_back_slow_path<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) vector:1573
    #4 0x10a5b6777 in capd::map::splitVariables(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >&) (capd4_example_01+0x1006b9777)
    #5 0x10a5b7db2 in capd::map::parseVariables(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >&) (capd4_example_01+0x1006badb2)
    #6 0x10a5277b1 in capd::map::BasicFunction<capd::intervals::Interval<double, capd::rounding::DoubleRounding> >::createFromText(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >) (capd4_example_01+0x10062a7b1)
    #7 0x10a527b87 in capd::map::BasicFunction<capd::intervals::Interval<double, capd::rounding::DoubleRounding> >::BasicFunction(char const*) (capd4_example_01+0x10062ab87)
    #8 0x10a5b12c1 in capd::map::Map<capd::vectalg::Matrix<capd::intervals::Interval<double, capd::rounding::DoubleRounding>, 0u, 0u> >::Map(char const*, unsigned int) (capd4_example_01+0x1006b42c1)
    #9 0x109f005d0 in main example_01.cpp:24
    #10 0x7fffab65c254 in start (libdyld.dylib+0x5254)

HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow (libclang_rt.asan_osx_dynamic.dylib+0x49077) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c1000001770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c1000001780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c1000001790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c10000017a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c10000017b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c10000017c0: fa fa fa fa 00 00 00 00 00 00 00 00 00[fc]fc fc
  0x1c10000017d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c10000017e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c10000017f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c1000001800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c1000001810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8291==ABORTING
[1]    8291 abort      ./tests/capd4/capd4_example_01
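What a "container-overflow" report means, as an added example that is not part of this issue and not code from dReal or CAPD: ASan only learns about the region between a vector's size() and capacity() because the standard library annotates it (libc++ does this by default under -fsanitize=address; libstdc++ does it for std::vector from GCC 12 with _GLIBCXX_SANITIZE_VECTOR). That slack is inside the heap allocation, so an ordinary heap-buffer-overflow check cannot see a read into it; the container annotation can. All function names below are hypothetical and the sample vector is constructed inline.

```cpp
// Added example: a read into a vector's capacity slack (the class of bug
// ASan reports as "container-overflow"), beside the bounded version.
// Build to see the report: clang++ -std=c++17 -g -fsanitize=address example.cpp
#include <cstddef>
#include <cstring>
#include <vector>

// Elements between size() and capacity(). This memory is part of the
// allocation, so only the library's container annotations let ASan flag it.
std::size_t slack_elements(const std::vector<int>& v) {
    return v.capacity() - v.size();
}

// Guaranteed to have slack: reserve(16) then five push_backs leaves at
// least 11 unused slots that libc++ poisons for ASan.
std::vector<int> make_vector_with_slack() {
    std::vector<int> v;
    v.reserve(16);
    for (int i = 1; i <= 5; ++i) v.push_back(i * 10);
    return v;
}

// BUGGY: copies capacity() elements. With an annotated standard library and
// -fsanitize=address this memcpy is reported as container-overflow in
// __asan_memcpy, the same frame as in the report above. Without ASan it reads
// indeterminate values silently, which is why the bug goes unnoticed.
std::vector<int> copy_whole_capacity(const std::vector<int>& v) {
    std::vector<int> out(v.capacity());
    std::memcpy(out.data(), v.data(), v.capacity() * sizeof(int));  // reads past size()
    return out;
}

// FIXED: bounds the copy by size(), never touching the slack region.
std::vector<int> copy_live_elements(const std::vector<int>& v) {
    std::vector<int> out(v.size());
    std::memcpy(out.data(), v.data(), v.size() * sizeof(int));
    return out;
}

int main() {
    std::vector<int> v = make_vector_with_slack();
    std::vector<int> ok = copy_live_elements(v);
    // copy_whole_capacity(v) is the call that would abort under ASan; it is
    // left uncalled so this program runs clean without instrumentation.
    return (ok.size() == 5 && ok[4] == 50) ? 0 : 1;
}
```

Two things worth checking before treating such a report as a real bug. First, the faulting frame in the trace above is libc++'s own reallocation path (__swap_out_circular_buffer called from push_back), not user code indexing past size(); that pattern usually points at inconsistent annotations rather than a genuine read past the end. Second, the ASan wiki page linked in the HINT lines documents the known false positive: when part of the program (here, a prebuilt CAPD library) is compiled without -fsanitize=address but still manipulates the same std::vector, the uninstrumented code never updates the poisoning, and the instrumented side then sees stale shadow bytes. Rerunning with ASAN_OPTIONS=detect_container_overflow=0 to confirm the program is otherwise clean, then rebuilding every object with the same sanitizer flags, is the standard way to distinguish the two cases.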
soonho-tri commented 8 years ago

It seems it was a build glitch. I can't reproduce it any more.