False negative for vptr use-after-free

theRockLiu / thread-sanitizer

Automatically exported from code.google.com/p/thread-sanitizer

0 stars 0 forks source link

False negative for vptr use-after-free #33

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago

TSan fails to detect the following UAF:

struct MyClass {
 virtual ~MyClass() {
   LOG(INFO) << "~MyClass()";
 }
 virtual void Doit() {
   LOG(INFO) << "Doit()";
 }
};

int main() {
 char data[sizeof(MyClass)];
 MyClass *c = new(data) MyClass();
 c->~MyClass();
 c->Doit();
}

To fix this we can emit an additional vptr write at the end of every dtor.

Original issue reported on code.google.com by dvyu...@google.com on 10 Oct 2013 at 12:57

GoogleCodeExporter commented 9 years ago

Isn't this the same as 
https://code.google.com/p/address-sanitizer/issues/detail?id=73 ?

Original comment by konstant...@gmail.com on 10 Oct 2013 at 1:25

GoogleCodeExporter commented 9 years ago

Apparently it is not the same, because that is AddressSanitizer and this is 
ThreadSanitizer.

Original comment by dvyu...@google.com on 15 Mar 2014 at 8:52

GoogleCodeExporter commented 9 years ago

Original comment by dvyu...@google.com on 15 Mar 2014 at 8:52

Added labels: Type-Enhancement
Removed labels: Type-Defect

GoogleCodeExporter commented 9 years ago

Unassigning from myself as this requires some llvm expertise. CCing more llvm 
experts.

Asan issue 73 needs to be resolved first, and then we can employ the same 
approach in tsan.

Original comment by dvyu...@google.com on 2 Sep 2014 at 2:23