search

gopalshankar / address-sanitizer

Automatically exported from code.google.com/p/address-sanitizer
0 stars 0 forks source link

CHECK failed while printing a stack if a memory access hits an adjacent allocation #183

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
$ cat test.cpp 
int main() {
  int *test = new int[0];
  test[8] = 42;
}

As of r178511,
$ clang -fsanitize=address -g test.cpp && ./a.out |& asan_symbolize.py |& 
c++filt
=================================================================
==24955==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60200000f010 at pc 0x42b54c ...
WRITE of size 4 at 0x60200000f010 thread T0
    #0 0x42b54b in main test.cpp:3
0x60200000f010 is located 0 bytes to the right of 0-byte region 
[0x60200000f010,0x60200000f010)
==24955==AddressSanitizer CHECK failed: 
/ssd/llvm/projects/compiler-rt/lib/asan/asan_allocator2.cc:217 "((id)) != (0)" 
(0x0, 0x0)
    #0 0x42276f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) _asan_rtl_
    #1 0x423f61 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ??:0
    #2 0x40f1f1 in __asan::AsanChunkView::GetAllocStack(__sanitizer::StackTrace*) ??:0
    #3 0x41f9c6 in __asan::DescribeHeapAddress(unsigned long, unsigned long) ??:0
    #4 0x420a32 in __asan_report_error ??:0
    #5 0x421c29 in __asan_report_store4 ??:0
    #6 0x42b54b in main test.cpp:3

Looks stackdepot-related?

Original issue reported on code.google.com by timurrrr@google.com on 4 May 2013 at 12:22

GoogleCodeExporter commented 9 years ago 
Ah, funny.

This happens iff the access goes to a different allocation which has no id / 
stack associated, e.g.:
  $ cat test.cpp 
  int main() {
    int *test = new int[5];
    test[12] = 42;  // Fails on CHECK,
    // Whilst "test[11] = 42;" doesn't fail the CHECK.
  }

Original comment by timurrrr@google.com on 4 May 2013 at 12:27

GoogleCodeExporter commented 9 years ago

Original comment by timurrrr@google.com on 4 May 2013 at 12:28

GoogleCodeExporter commented 9 years ago 
I'd argue that every CHECK on the error reporting path should be replaced by

  if (something_wrong) {
    print("couldn't get some info");
    return;
  }

Original comment by timurrrr@google.com on 11 Oct 2013 at 7:05

GoogleCodeExporter commented 9 years ago 
AFAIK this CHECK will also be triggered if user sets malloc_context_size=0.

Original comment by tetra2...@gmail.com on 11 Oct 2013 at 7:42

GoogleCodeExporter commented 9 years ago

Original comment by samso...@google.com on 11 Oct 2013 at 9:05

GoogleCodeExporter commented 9 years ago 
This may be relevant: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58718

Original comment by tetra2...@gmail.com on 14 Oct 2013 at 6:06

GoogleCodeExporter commented 9 years ago 
I think this should be fixed by LLVM r192581

Original comment by samso...@google.com on 14 Oct 2013 at 11:17