michaeleisel / zld

A faster version of Apple's linker
MIT License

ASAN issue #48

Closed rmaz closed 1 year ago

rmaz commented 4 years ago

While testing an internal build that used unordered_map instead of absl::flat_map, we got a crash when running under ASAN. Unclear if this is somehow related to the previous issue of parallel sorting:

=================================================================
==10131==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130002727fb at pc 0x00010d671173 bp 0x70000ca68e90 sp 0x70000ca68620
READ of size 87 at 0x6130002727fb thread T22
    #0 0x10d671172 in wrap_strlcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x54172)
    #1 0x10a4c3d98 in ld::tool::StringPoolAtom::add(char const*) (zld:x86_64+0x10036ed98)
    #2 0x10a4c3ee5 in ld::tool::StringPoolAtom::add(char const*) (zld:x86_64+0x10036eee5)
    #3 0x10a4c4505 in ld::tool::StringPoolAtom::addUnique(char const*) (zld:x86_64+0x10036f505)
    #4 0x10a58027f in ld::tool::SymbolTableAtom<x86_64>::encode() (zld:x86_64+0x10042b27f)
    #5 0x7fff3cffb7bc in __NSBLOCKOPERATION_IS_CALLING_OUT_TO_A_BLOCK__ (Foundation:x86_64+0x427bc)
    #6 0x7fff3cffb6b4 in -[NSBlockOperation main] (Foundation:x86_64+0x426b4)
    #7 0x7fff3cffb63f in __NSOPERATION_IS_INVOKING_MAIN__ (Foundation:x86_64+0x4263f)
    #8 0x7fff3cffa833 in -[NSOperation start] (Foundation:x86_64+0x41833)
    #9 0x7fff3cffa54d in __NSOPERATIONQUEUE_IS_STARTING_AN_OPERATION__ (Foundation:x86_64+0x4154d)
    #10 0x7fff3cffa417 in __NSOQSchedule_f (Foundation:x86_64+0x41417)
    #11 0x7fff71fc350d in _dispatch_client_callout (libdispatch.dylib:x86_64+0x350d)
    #12 0x7fff71fc5c20 in _dispatch_block_invoke_direct (libdispatch.dylib:x86_64+0x5c20)
    #13 0x10d67d6e5 in __wrap_dispatch_async_block_invoke (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x606e5)
    #14 0x7fff71fc2582 in _dispatch_call_block_and_release (libdispatch.dylib:x86_64+0x2582)
    #15 0x7fff71fc350d in _dispatch_client_callout (libdispatch.dylib:x86_64+0x350d)
    #16 0x7fff71fc56bf in _dispatch_continuation_pop (libdispatch.dylib:x86_64+0x56bf)
    #17 0x7fff71fc4dbd in _dispatch_async_redirect_invoke (libdispatch.dylib:x86_64+0x4dbd)
    #18 0x7fff71fd17e1 in _dispatch_root_queue_drain (libdispatch.dylib:x86_64+0x117e1)
    #19 0x7fff71fd1f21 in _dispatch_worker_thread2 (libdispatch.dylib:x86_64+0x11f21)
    #20 0x7fff7221d6b5 in _pthread_wqthread (libsystem_pthread.dylib:x86_64+0x26b5)
    #21 0x7fff7221c826 in start_wqthread (libsystem_pthread.dylib:x86_64+0x1826)

0x6130002727fb is located 0 bytes to the right of 379-byte region [0x613000272680,0x6130002727fb)
allocated by thread T20 here:
    #0 0x10d67eb17 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x61b17)
    #1 0x7fff720c9a16 in reallocf (libsystem_c.dylib:x86_64+0x5ea16)
    #2 0x7fff720a6791 in __sfvwrite (libsystem_c.dylib:x86_64+0x3b791)
    #3 0x7fff720b0026 in __vfprintf (libsystem_c.dylib:x86_64+0x45026)
    #4 0x7fff720d3e1a in __v2printf (libsystem_c.dylib:x86_64+0x68e1a)
    #5 0x7fff720ac199 in _vasprintf (libsystem_c.dylib:x86_64+0x41199)
    #6 0x10d646ebb in wrap_vasprintf (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x29ebb)
    #7 0x10d64758c in wrap_asprintf (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x2a58c)
    #8 0x10a2e822b in mach_o::relocatable::Parser<x86_64>::parseDebugInfo() (zld:x86_64+0x10019322b)
    #9 0x10a2dd807 in mach_o::relocatable::Parser<x86_64>::parse(mach_o::relocatable::ParserOptions const&) (zld:x86_64+0x100188807)
    #10 0x10a2b3852 in mach_o::relocatable::Parser<x86_64>::parse(unsigned char const*, unsigned long long, char const*, long, ld::File::Ordinal, mach_o::relocatable::ParserOptions const&) (zld:x86_64+0x10015e852)
    #11 0x10a2b2e82 in mach_o::relocatable::parse(unsigned char const*, unsigned long long, char const*, long, ld::File::Ordinal, mach_o::relocatable::ParserOptions const&) (zld:x86_64+0x10015de82)
    #12 0x10a3aa282 in archive::File<x86_64>::makeObjectFileForMember(archive::File<x86_64>::Entry const*) const (zld:x86_64+0x100255282)
    #13 0x10a46389d in tbb::interface9::internal::start_for<tbb::blocked_range<unsigned long>, ld::tool::InputFiles::preParseLibraries() const::$_3, tbb::auto_partitioner const>::execute() (zld:x86_64+0x10030e89d)
    #14 0x10a8bdce1 in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) (zld:x86_64+0x100768ce1)
    #15 0x10a8bd5da in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::local_wait_for_all(tbb::task&, tbb::task*) (zld:x86_64+0x1007685da)
    #16 0x10a8b8b06 in tbb::internal::arena::process(tbb::internal::generic_scheduler&) (zld:x86_64+0x100763b06)
    #17 0x10a8b850c in tbb::internal::market::process(rml::job&) (zld:x86_64+0x10076350c)
    #18 0x10a8b5263 in tbb::internal::rml::private_worker::run() (zld:x86_64+0x100760263)
    #19 0x10a8b51b2 in tbb::internal::rml::private_worker::thread_routine(void*) (zld:x86_64+0x1007601b2)
    #20 0x7fff72220e64 in _pthread_start (libsystem_pthread.dylib:x86_64+0x5e64)
    #21 0x7fff7221c83a in thread_start (libsystem_pthread.dylib:x86_64+0x183a)

Thread T22 created by T0 here:
    <empty stack>

Thread T20 created by T13 here:
    #0 0x10d67678d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5978d)
    #1 0x10a8b5910 in rml::internal::thread_monitor::launch(void* (*)(void*), void*, unsigned long) (zld:x86_64+0x100760910)
    #2 0x10a8b56da in tbb::internal::rml::private_worker::wake_or_launch() (zld:x86_64+0x1007606da)
    #3 0x10a8b563f in tbb::internal::rml::private_server::wake_some(int) (zld:x86_64+0x10076063f)
    #4 0x10a8b51d8 in tbb::internal::rml::private_worker::run() (zld:x86_64+0x1007601d8)
    #5 0x10a8b51b2 in tbb::internal::rml::private_worker::thread_routine(void*) (zld:x86_64+0x1007601b2)
    #6 0x7fff72220e64 in _pthread_start (libsystem_pthread.dylib:x86_64+0x5e64)
    #7 0x7fff7221c83a in thread_start (libsystem_pthread.dylib:x86_64+0x183a)

Thread T13 created by T12 here:
    #0 0x10d67678d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5978d)
    #1 0x10a8b5910 in rml::internal::thread_monitor::launch(void* (*)(void*), void*, unsigned long) (zld:x86_64+0x100760910)
    #2 0x10a8b56da in tbb::internal::rml::private_worker::wake_or_launch() (zld:x86_64+0x1007606da)
    #3 0x10a8b563f in tbb::internal::rml::private_server::wake_some(int) (zld:x86_64+0x10076063f)
    #4 0x10a8b51d8 in tbb::internal::rml::private_worker::run() (zld:x86_64+0x1007601d8)
    #5 0x10a8b51b2 in tbb::internal::rml::private_worker::thread_routine(void*) (zld:x86_64+0x1007601b2)
    #6 0x7fff72220e64 in _pthread_start (libsystem_pthread.dylib:x86_64+0x5e64)
    #7 0x7fff7221c83a in thread_start (libsystem_pthread.dylib:x86_64+0x183a)

Thread T12 created by T11 here:
    #0 0x10d67678d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5978d)
    #1 0x10a8b5910 in rml::internal::thread_monitor::launch(void* (*)(void*), void*, unsigned long) (zld:x86_64+0x100760910)
    #2 0x10a8b56da in tbb::internal::rml::private_worker::wake_or_launch() (zld:x86_64+0x1007606da)
    #3 0x10a8b563f in tbb::internal::rml::private_server::wake_some(int) (zld:x86_64+0x10076063f)
    #4 0x10a8b51d8 in tbb::internal::rml::private_worker::run() (zld:x86_64+0x1007601d8)
    #5 0x10a8b51b2 in tbb::internal::rml::private_worker::thread_routine(void*) (zld:x86_64+0x1007601b2)
    #6 0x7fff72220e64 in _pthread_start (libsystem_pthread.dylib:x86_64+0x5e64)
    #7 0x7fff7221c83a in thread_start (libsystem_pthread.dylib:x86_64+0x183a)

Thread T11 created by T10 here:
    #0 0x10d67678d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5978d)
    #1 0x10a8b5910 in rml::internal::thread_monitor::launch(void* (*)(void*), void*, unsigned long) (zld:x86_64+0x100760910)
    #2 0x10a8b56da in tbb::internal::rml::private_worker::wake_or_launch() (zld:x86_64+0x1007606da)
    #3 0x10a8b563f in tbb::internal::rml::private_server::wake_some(int) (zld:x86_64+0x10076063f)
    #4 0x10a8b51d8 in tbb::internal::rml::private_worker::run() (zld:x86_64+0x1007601d8)
    #5 0x10a8b51b2 in tbb::internal::rml::private_worker::thread_routine(void*) (zld:x86_64+0x1007601b2)
    #6 0x7fff72220e64 in _pthread_start (libsystem_pthread.dylib:x86_64+0x5e64)
    #7 0x7fff7221c83a in thread_start (libsystem_pthread.dylib:x86_64+0x183a)

Thread T10 created by T0 here:
    #0 0x10d67678d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5978d)
    #1 0x10a8b5910 in rml::internal::thread_monitor::launch(void* (*)(void*), void*, unsigned long) (zld:x86_64+0x100760910)
    #2 0x10a8b56da in tbb::internal::rml::private_worker::wake_or_launch() (zld:x86_64+0x1007606da)
    #3 0x10a8b563f in tbb::internal::rml::private_server::wake_some(int) (zld:x86_64+0x10076063f)
    #4 0x10a8baacf in tbb::internal::generic_scheduler::local_spawn(tbb::task*, tbb::task*&) (zld:x86_64+0x100765acf)
    #5 0x10a4631a6 in tbb::interface9::internal::start_for<tbb::blocked_range<unsigned long>, ld::tool::InputFiles::preParseLibraries() const::$_3, tbb::auto_partitioner const>::execute() (zld:x86_64+0x10030e1a6)
    #6 0x10a8bdce1 in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) (zld:x86_64+0x100768ce1)
    #7 0x10a8bd5da in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::local_wait_for_all(tbb::task&, tbb::task*) (zld:x86_64+0x1007685da)
    #8 0x10a8bafb9 in tbb::internal::generic_scheduler::local_spawn_root_and_wait(tbb::task*, tbb::task*&) (zld:x86_64+0x100765fb9)
    #9 0x10a43f6b0 in ld::tool::InputFiles::preParseLibraries() const (zld:x86_64+0x1002ea6b0)
    #10 0x10a43c8b7 in ld::tool::InputFiles::forEachInitialAtom(ld::File::AtomHandler&, ld::Internal&) (zld:x86_64+0x1002e78b7)
    #11 0x10a4b4dcd in ld::tool::Resolver::resolve() (zld:x86_64+0x10035fdcd)
    #12 0x10a277e23 in main (zld:x86_64+0x100122e23)
    #13 0x7fff7201c7fc in start (libdyld.dylib:x86_64+0x1a7fc)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x54172) in wrap_strlcpy
Shadow bytes around the buggy address:
  0x1c260004e4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c260004e4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c260004e4c0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x1c260004e4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c260004e4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c260004e4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[03]
  0x1c260004e500: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c260004e510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c260004e520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c260004e530: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
  0x1c260004e540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==10131==ABORTING
clang: error: unable to execute command: Abort trap: 6
clang: error: linker command failed due to signal (use -v to see invocation)