ldc-developers / ldc

The LLVM-based D Compiler.
http://wiki.dlang.org/LDC

AddressSanitizer-reported errors #388

Open dnadlinger opened 11 years ago

dnadlinger commented 11 years ago

Running the test suite under Clang -fsanitize=address yields the following errors:

/mnt/work/ldc/bin/ldmd2 -m64 -Irunnable   -od/mnt/work/ldc/dmd-testsuite_debug/runnable -of/mnt/work/ldc/dmd-testsuite_debug/runnable/ldc_github_176_0 runnable/ldc_github_176.d
=================================================================
==19870== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x2aaaabf685bf at pc 0xedd00b bp 0x7fff4173a310 sp 0x7fff4173a308
READ of size 1 at 0x2aaaabf685bf thread T0
    #0 0xedd00a (/mnt/work/ldc/bin/ldc2+0xedd00a)
    #1 0xed2ca3 (/mnt/work/ldc/bin/ldc2+0xed2ca3)
    #2 0xeae901 (/mnt/work/ldc/bin/ldc2+0xeae901)
    #3 0xeacb89 (/mnt/work/ldc/bin/ldc2+0xeacb89)
    #4 0xcc67b1 (/mnt/work/ldc/bin/ldc2+0xcc67b1)
    #5 0xdc2240 (/mnt/work/ldc/bin/ldc2+0xdc2240)
    #6 0xc95f57 (/mnt/work/ldc/bin/ldc2+0xc95f57)
    #7 0xe75197 (/mnt/work/ldc/bin/ldc2+0xe75197)
    #8 0xd6c294 (/mnt/work/ldc/bin/ldc2+0xd6c294)
    #9 0xd8651c (/mnt/work/ldc/bin/ldc2+0xd8651c)
    #10 0x884cec (/mnt/work/ldc/bin/ldc2+0x884cec)
    #11 0x88e563 (/mnt/work/ldc/bin/ldc2+0x88e563)
    #12 0x1155486 (/mnt/work/ldc/bin/ldc2+0x1155486)
    #13 0xb2566b (/mnt/work/ldc/bin/ldc2+0xb2566b)
    #14 0x776413 (/mnt/work/ldc/bin/ldc2+0x776413)
    #15 0x2aaaabb46ea4 (/lib/x86_64-linux-gnu/libc-2.17.so+0x21ea4)
0x2aaaabf685bf is located 7 bytes to the right of 120-byte region [0x2aaaabf68540,0x2aaaabf685b8)
allocated by thread T0 here:
    #0 0x2850040 (/mnt/work/ldc/bin/ldc2+0x2850040)
    #1 0x7f8811 (/mnt/work/ldc/bin/ldc2+0x7f8811)
    #2 0x825638 (/mnt/work/ldc/bin/ldc2+0x825638)
    #3 0x7c82a5 (/mnt/work/ldc/bin/ldc2+0x7c82a5)
    #4 0x7ac701 (/mnt/work/ldc/bin/ldc2+0x7ac701)
    #5 0x7a9ee3 (/mnt/work/ldc/bin/ldc2+0x7a9ee3)
    #6 0xb1e199 (/mnt/work/ldc/bin/ldc2+0xb1e199)
    #7 0x7743e6 (/mnt/work/ldc/bin/ldc2+0x7743e6)
    #8 0x2aaaabb46ea4 (/lib/x86_64-linux-gnu/libc-2.17.so+0x21ea4)
Shadow byte and word:
  0x1555557ed0b7: fb
  0x1555557ed0b0: 00 00 00 00 00 00 00 fb
More shadow bytes:
  0x1555557ed090: 00 00 00 00 00 00 00 00
  0x1555557ed098: fa fa fa fa fa fa fa fa
  0x1555557ed0a0: fa fa fa fa fa fa fa fa
  0x1555557ed0a8: 00 00 00 00 00 00 00 00
=>0x1555557ed0b0: 00 00 00 00 00 00 00 fb
  0x1555557ed0b8: fa fa fa fa fa fa fa fa
  0x1555557ed0c0: fa fa fa fa fa fa fa fa
  0x1555557ed0c8: 00 00 00 00 00 00 00 00
  0x1555557ed0d0: 00 00 00 00 00 00 00 00
Stats: 0M malloced (1M for red zones) by 9888 calls
Stats: 0M realloced by 1149 calls
Stats: 0M freed by 2608 calls
Stats: 0M really freed by 0 calls
Stats: 5M (1413 full pages) mmaped in 11 calls
  mmaps   by size class: 7:8190; 8:2047; 9:1023; 10:511; 11:255; 12:128; 13:64; 14:32; 15:16; 16:8; 
  mallocs by size class: 7:7335; 8:1434; 9:874; 10:201; 11:24; 12:8; 13:4; 14:3; 15:4; 16:1; 
  frees   by size class: 7:2424; 8:113; 9:38; 10:16; 11:8; 12:3; 13:3; 14:1; 15:2; 
  rfrees  by size class: 
Stats: malloc large: 5 small slow: 68
/mnt/work/ldc/bin/ldmd2 -m64 -Irunnable   -od/mnt/work/ldc/dmd-testsuite_debug/runnable -of/mnt/work/ldc/dmd-testsuite_debug/runnable/ldc_github_179_0 runnable/ldc_github_179.d
=================================================================
==19902== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x2aaaabf687bf at pc 0xedd00b bp 0x7fff8bb24c70 sp 0x7fff8bb24c68
READ of size 1 at 0x2aaaabf687bf thread T0
    #0 0xedd00a (/mnt/work/ldc/bin/ldc2+0xedd00a)
    #1 0xed2ca3 (/mnt/work/ldc/bin/ldc2+0xed2ca3)
    #2 0xeae7d0 (/mnt/work/ldc/bin/ldc2+0xeae7d0)
    #3 0xeafb8f (/mnt/work/ldc/bin/ldc2+0xeafb8f)
    #4 0xc20520 (/mnt/work/ldc/bin/ldc2+0xc20520)
    #5 0xd58af0 (/mnt/work/ldc/bin/ldc2+0xd58af0)
    #6 0x884cec (/mnt/work/ldc/bin/ldc2+0x884cec)
    #7 0x88e563 (/mnt/work/ldc/bin/ldc2+0x88e563)
    #8 0x1155486 (/mnt/work/ldc/bin/ldc2+0x1155486)
    #9 0xb2566b (/mnt/work/ldc/bin/ldc2+0xb2566b)
    #10 0x776413 (/mnt/work/ldc/bin/ldc2+0x776413)
    #11 0x2aaaabb46ea4 (/lib/x86_64-linux-gnu/libc-2.17.so+0x21ea4)
0x2aaaabf687bf is located 7 bytes to the right of 120-byte region [0x2aaaabf68740,0x2aaaabf687b8)
allocated by thread T0 here:
    #0 0x2850040 (/mnt/work/ldc/bin/ldc2+0x2850040)
    #1 0x7f8811 (/mnt/work/ldc/bin/ldc2+0x7f8811)
    #2 0x825638 (/mnt/work/ldc/bin/ldc2+0x825638)
    #3 0x7c82a5 (/mnt/work/ldc/bin/ldc2+0x7c82a5)
    #4 0x7ac701 (/mnt/work/ldc/bin/ldc2+0x7ac701)
    #5 0x7a9ee3 (/mnt/work/ldc/bin/ldc2+0x7a9ee3)
    #6 0xb1e199 (/mnt/work/ldc/bin/ldc2+0xb1e199)
    #7 0x7743e6 (/mnt/work/ldc/bin/ldc2+0x7743e6)
    #8 0x2aaaabb46ea4 (/lib/x86_64-linux-gnu/libc-2.17.so+0x21ea4)
Shadow byte and word:
  0x1555557ed0f7: fb
  0x1555557ed0f0: 00 00 00 00 00 00 00 fb
More shadow bytes:
  0x1555557ed0d0: 00 00 00 00 00 00 00 00
  0x1555557ed0d8: fa fa fa fa fa fa fa fa
  0x1555557ed0e0: fa fa fa fa fa fa fa fa
  0x1555557ed0e8: 00 00 00 00 00 00 00 00
=>0x1555557ed0f0: 00 00 00 00 00 00 00 fb
  0x1555557ed0f8: fa fa fa fa fa fa fa fa
  0x1555557ed100: fa fa fa fa fa fa fa fa
  0x1555557ed108: 00 00 00 00 00 00 00 00
  0x1555557ed110: 00 00 00 00 00 00 00 00
Stats: 0M malloced (1M for red zones) by 9511 calls
Stats: 0M realloced by 1129 calls
Stats: 0M freed by 2575 calls
Stats: 0M really freed by 0 calls
Stats: 5M (1413 full pages) mmaped in 11 calls
  mmaps   by size class: 7:8190; 8:2047; 9:1023; 10:511; 11:255; 12:128; 13:64; 14:32; 15:16; 16:8; 
  mallocs by size class: 7:7096; 8:1344; 9:829; 10:198; 11:24; 12:8; 13:4; 14:3; 15:4; 16:1; 
  frees   by size class: 7:2391; 8:113; 9:38; 10:16; 11:8; 12:3; 13:3; 14:1; 15:2; 
  rfrees  by size class: 
Stats: malloc large: 5 small slow: 65
==19902== ABORTING
/mnt/work/ldc/bin/ldmd2 -m64 -Irunnable   -od/mnt/work/ldc/dmd-testsuite_debug/runnable -of/mnt/work/ldc/dmd-testsuite_debug/runnable/ldc_llvm_inline_ir_0 runnable/ldc_llvm_inline_ir.d
Warning: non-vendor-prefixed pragma 'llvm_inline_ir' is deprecated; use 'LDC_inline_ir' instead
=================================================================
==20072== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x2aaaabf68dbf at pc 0xedd00b bp 0x7fffd9ecded0 sp 0x7fffd9ecdec8
READ of size 1 at 0x2aaaabf68dbf thread T0
    #0 0xedd00a (/mnt/work/ldc/bin/ldc2+0xedd00a)
    #1 0xed2ca3 (/mnt/work/ldc/bin/ldc2+0xed2ca3)
    #2 0xeae901 (/mnt/work/ldc/bin/ldc2+0xeae901)
    #3 0xebe988 (/mnt/work/ldc/bin/ldc2+0xebe988)
    #4 0xd86704 (/mnt/work/ldc/bin/ldc2+0xd86704)
    #5 0x884cec (/mnt/work/ldc/bin/ldc2+0x884cec)
    #6 0x88e563 (/mnt/work/ldc/bin/ldc2+0x88e563)
    #7 0x1155486 (/mnt/work/ldc/bin/ldc2+0x1155486)
    #8 0xb2566b (/mnt/work/ldc/bin/ldc2+0xb2566b)
    #9 0x776413 (/mnt/work/ldc/bin/ldc2+0x776413)
    #10 0x2aaaabb46ea4 (/lib/x86_64-linux-gnu/libc-2.17.so+0x21ea4)
0x2aaaabf68dbf is located 7 bytes to the right of 120-byte region [0x2aaaabf68d40,0x2aaaabf68db8)
allocated by thread T0 here:
    #0 0x2850040 (/mnt/work/ldc/bin/ldc2+0x2850040)
    #1 0x7f8811 (/mnt/work/ldc/bin/ldc2+0x7f8811)
    #2 0x825638 (/mnt/work/ldc/bin/ldc2+0x825638)
    #3 0x7c82a5 (/mnt/work/ldc/bin/ldc2+0x7c82a5)
    #4 0x7ac701 (/mnt/work/ldc/bin/ldc2+0x7ac701)
    #5 0x7a9ee3 (/mnt/work/ldc/bin/ldc2+0x7a9ee3)
    #6 0xb1e199 (/mnt/work/ldc/bin/ldc2+0xb1e199)
    #7 0x7743e6 (/mnt/work/ldc/bin/ldc2+0x7743e6)
    #8 0x2aaaabb46ea4 (/lib/x86_64-linux-gnu/libc-2.17.so+0x21ea4)
Shadow byte and word:
  0x1555557ed1b7: fb
  0x1555557ed1b0: 00 00 00 00 00 00 00 fb
More shadow bytes:
  0x1555557ed190: 00 00 00 00 00 00 00 00
  0x1555557ed198: fa fa fa fa fa fa fa fa
  0x1555557ed1a0: fa fa fa fa fa fa fa fa
  0x1555557ed1a8: 00 00 00 00 00 00 00 00
=>0x1555557ed1b0: 00 00 00 00 00 00 00 fb
  0x1555557ed1b8: fa fa fa fa fa fa fa fa
  0x1555557ed1c0: fa fa fa fa fa fa fa fa
  0x1555557ed1c8: 00 00 00 00 00 00 00 00
  0x1555557ed1d0: 00 00 00 00 00 00 04 fb
Stats: 0M malloced (1M for red zones) by 10057 calls
Stats: 0M realloced by 1194 calls
Stats: 0M freed by 2667 calls
Stats: 0M really freed by 0 calls
Stats: 5M (1413 full pages) mmaped in 11 calls
  mmaps   by size class: 7:8190; 8:2047; 9:1023; 10:511; 11:255; 12:128; 13:64; 14:32; 15:16; 16:8; 
  mallocs by size class: 7:7463; 8:1440; 9:901; 10:205; 11:27; 12:9; 13:4; 14:3; 15:4; 16:1; 
  frees   by size class: 7:2471; 8:120; 9:39; 10:18; 11:9; 12:4; 13:3; 14:1; 15:2; 
  rfrees  by size class: 
Stats: malloc large: 5 small slow: 71
==20072== ABORTING

Not sure if these are real, though – this was on a build server, and for some reason, the symbol names were missing. Need to investigate those locally.

redstar commented 11 years ago

It ain't easy to verify this.

DMD uses memcmp to compare strings. In many cases this leads to reads beyond the end of allocated memory which triggers an address sanitizer error (e.g. in dmd2/identifier.c, methods equals and compare).

As a result I am unable to compile a single source file with my address sanitizer-instrumented ldc compiler.
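The memcmp over-read pattern redstar describes, shown beside a length-bounded comparison, as an added C example (not DMD's or LDC's code; the Ident struct, the function names and the sample strings are constructed for illustration):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length-prefixed identifier without a NUL terminator, constructed for this
 * example (not DMD's own struct). */
typedef struct { char *ptr; size_t len; } Ident;

/* Exactly len bytes on the heap: the tight allocation that lets ASan's
 * redzone catch every byte read past the end. */
Ident ident_alloc(const char *s, size_t len) {
    Ident id = { malloc(len), len };
    if (!id.ptr) exit(1);
    memcpy(id.ptr, s, len);
    return id;
}

/* Buggy pattern the issue describes: memcmp over one operand's length with
 * no check that the other operand is that long. When b is shorter, memcmp
 * reads past b's allocation, which ASan reports as a heap-buffer-overflow READ. */
int ident_equals_overread(const Ident *a, const Ident *b) {
    return memcmp(a->ptr, b->ptr, a->len) == 0;
}

/* Hardened equality: unequal lengths can never be equal, and checking that
 * first guarantees memcmp stays inside both buffers. */
int ident_equals(const Ident *a, const Ident *b) {
    return a->len == b->len && memcmp(a->ptr, b->ptr, a->len) == 0;
}

/* Hardened ordering: compare the common prefix, then let the shorter one
 * sort first, again never reading past either buffer. */
int ident_compare(const Ident *a, const Ident *b) {
    size_t n = a->len < b->len ? a->len : b->len;
    int r = memcmp(a->ptr, b->ptr, n);
    if (r != 0) return r;
    return (a->len > b->len) - (a->len < b->len);
}

int main(void) {
    Ident foobar = ident_alloc("foobar", 6), foo = ident_alloc("foo", 3);
    printf("equals: %d, compare: %d\n", ident_equals(&foobar, &foo),
           ident_compare(&foo, &foobar));
    /* Build with: clang -g -fsanitize=address; this call reads past foo's
     * 3-byte allocation and produces a report of the same shape as above. */
    printf("overread: %d\n", ident_equals_overread(&foobar, &foo));
    free(foobar.ptr); free(foo.ptr);
    return 0;
}
```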

redstar commented 11 years ago

Ok, I got it. In all 3 cases it is in mtype.c, function Type::nullAttributes, line 404. It looks like 128 bytes are read but only 120 bytes are allocated for this. This is not a real problem but to get here I had to patch 2 other dmd source files...

redstar commented 11 years ago

This pull request https://github.com/D-Programming-Language/dmd/pull/2699 contains the upstream changes to build DMDFE with AddressSanitizer enabled.