[Bug sanitizer/102095] New: Returned reference to temporary not caught by -fsanitize=undefined

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug sanitizer/102095] New: Returned reference to temporary not caught by -fsanitize=undefined
@ 2021-08-27 11:28 loximann at gmail dot com
  2021-08-31  8:15 ` [Bug sanitizer/102095] " redi at gcc dot gnu.org
  2021-08-31  8:25 ` jakub at gcc dot gnu.org
  0 siblings, 2 replies; 3+ messages in thread
From: loximann at gmail dot com @ 2021-08-27 11:28 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102095

            Bug ID: 102095
           Summary: Returned reference to temporary not caught by
                    -fsanitize=undefined
           Product: gcc
           Version: 11.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: loximann at gmail dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

The following code results in undefined behaviour (I believe), but it is not
caught by -fsanitize=undefined:

#include <functional>
#include <iostream>
#include <tuple>

template <typename T>
std::function<const T&()> constant(const T& c) {
  return [c]() noexcept -> const T&{ return c; };
}

template <typename T>
std::function<std::tuple<T>()> zip_good(const std::function<T()>& f) {
  return [f]() { return std::tuple<T>{f()}; };
}

template <typename T>
std::function<std::tuple<T>()> zip_bad(const std::function<T()>& f) {
  return [f]() { return std::tuple{f()}; }; // <- UNDEFINED if T is const ref
}

int main() {
    std::cout << std::get<0>(zip_good(constant(1.0))()) << std::endl;
    std::cout << std::get<0>(zip_bad(constant(1.0))()) << std::endl;
}

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Bug sanitizer/102095] Returned reference to temporary not caught by -fsanitize=undefined
  2021-08-27 11:28 [Bug sanitizer/102095] New: Returned reference to temporary not caught by -fsanitize=undefined loximann at gmail dot com
@ 2021-08-31  8:15 ` redi at gcc dot gnu.org
  2021-08-31  8:25 ` jakub at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: redi at gcc dot gnu.org @ 2021-08-31  8:15 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102095

--- Comment #1 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Yes, it's undefined. See PR libstdc++/70692

There is a C++ standard proposal to make this ill-formed:
https://wg21.link/p0932

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Bug sanitizer/102095] Returned reference to temporary not caught by -fsanitize=undefined
  2021-08-27 11:28 [Bug sanitizer/102095] New: Returned reference to temporary not caught by -fsanitize=undefined loximann at gmail dot com
  2021-08-31  8:15 ` [Bug sanitizer/102095] " redi at gcc dot gnu.org
@ 2021-08-31  8:25 ` jakub at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: jakub at gcc dot gnu.org @ 2021-08-31  8:25 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102095

--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
-fsanitize=undefined is never meant to catch such bugs, -fsanitize=address is.
And it does catch that:
g++ -g -fsanitize=address -o /tmp/pr102095{,.C} -std=c++20;
ASAN_OPTIONS=detect_stack_use_after_return=1 /tmp/pr102095
1
=================================================================
==2328983==ERROR: AddressSanitizer: stack-use-after-return on address
0x7fbca4fec0a0 at pc 0x000000401773 bp 0x7ffeb2a60420 sp 0x7ffeb2a60418
READ of size 8 at 0x7fbca4fec0a0 thread T0
    #0 0x401772 in main /tmp/pr102095.C:22
    #1 0x7fbca86a01a1 in __libc_start_main (/lib64/libc.so.6+0x281a1)
    #2 0x4011dd in _start (/tmp/pr102095+0x4011dd)

Address 0x7fbca4fec0a0 is located in stack of thread T0 at offset 32 in frame
    #0 0x402f32 in std::enable_if<is_invocable_r_v<std::tuple<double const&>,
zip_bad<double const&>(std::function<double const& ()> const&)::{lambda()#1}&>,
std::tuple<double const&> >::type std::__invoke_r<std::tuple<double const&>,
zip_bad<double const&>(std::function<double const& ()>
const&)::{lambda()#1}&>(std::enable_if&&, (zip_bad<double
const&>(std::function<double const& ()> const&)::{lambda()#1}&)...)
/usr/include/c++/10/bits/invoke.h:103

  This frame has 1 object(s):
    [32, 40) '<unknown>' <== Memory access at offset 32 is inside this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /tmp/pr102095.C:22 in main
Shadow bytes around the buggy address:
  0x0ff8149f57c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff8149f57d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff8149f57e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff8149f57f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff8149f5800: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x0ff8149f5810: f5 f5 f5 f5[f5]f5 f5 f5 00 00 00 00 00 00 00 00
  0x0ff8149f5820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff8149f5830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff8149f5840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff8149f5850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff8149f5860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2328983==ABORTING

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-08-31  8:25 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-27 11:28 [Bug sanitizer/102095] New: Returned reference to temporary not caught by -fsanitize=undefined loximann at gmail dot com
2021-08-31  8:15 ` [Bug sanitizer/102095] " redi at gcc dot gnu.org
2021-08-31  8:25 ` jakub at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).