public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug sanitizer/102095] New: Returned reference to temporary not caught by -fsanitize=undefined
@ 2021-08-27 11:28 loximann at gmail dot com
2021-08-31 8:15 ` [Bug sanitizer/102095] " redi at gcc dot gnu.org
2021-08-31 8:25 ` jakub at gcc dot gnu.org
0 siblings, 2 replies; 3+ messages in thread
From: loximann at gmail dot com @ 2021-08-27 11:28 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102095
Bug ID: 102095
Summary: Returned reference to temporary not caught by
-fsanitize=undefined
Product: gcc
Version: 11.1.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: loximann at gmail dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
The following code results in undefined behaviour (I believe), but it is not
caught by -fsanitize=undefined:
#include <functional>
#include <iostream>
#include <tuple>
template <typename T>
std::function<const T&()> constant(const T& c) {
return [c]() noexcept -> const T&{ return c; };
}
template <typename T>
std::function<std::tuple<T>()> zip_good(const std::function<T()>& f) {
return [f]() { return std::tuple<T>{f()}; };
}
template <typename T>
std::function<std::tuple<T>()> zip_bad(const std::function<T()>& f) {
return [f]() { return std::tuple{f()}; }; // <- UNDEFINED if T is const ref
}
int main() {
std::cout << std::get<0>(zip_good(constant(1.0))()) << std::endl;
std::cout << std::get<0>(zip_bad(constant(1.0))()) << std::endl;
}
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug sanitizer/102095] Returned reference to temporary not caught by -fsanitize=undefined
2021-08-27 11:28 [Bug sanitizer/102095] New: Returned reference to temporary not caught by -fsanitize=undefined loximann at gmail dot com
@ 2021-08-31 8:15 ` redi at gcc dot gnu.org
2021-08-31 8:25 ` jakub at gcc dot gnu.org
1 sibling, 0 replies; 3+ messages in thread
From: redi at gcc dot gnu.org @ 2021-08-31 8:15 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102095
--- Comment #1 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Yes, it's undefined. See PR libstdc++/70692
There is a C++ standard proposal to make this ill-formed:
https://wg21.link/p0932
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug sanitizer/102095] Returned reference to temporary not caught by -fsanitize=undefined
2021-08-27 11:28 [Bug sanitizer/102095] New: Returned reference to temporary not caught by -fsanitize=undefined loximann at gmail dot com
2021-08-31 8:15 ` [Bug sanitizer/102095] " redi at gcc dot gnu.org
@ 2021-08-31 8:25 ` jakub at gcc dot gnu.org
1 sibling, 0 replies; 3+ messages in thread
From: jakub at gcc dot gnu.org @ 2021-08-31 8:25 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102095
--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
-fsanitize=undefined is never meant to catch such bugs, -fsanitize=address is.
And it does catch that:
g++ -g -fsanitize=address -o /tmp/pr102095{,.C} -std=c++20;
ASAN_OPTIONS=detect_stack_use_after_return=1 /tmp/pr102095
1
=================================================================
==2328983==ERROR: AddressSanitizer: stack-use-after-return on address
0x7fbca4fec0a0 at pc 0x000000401773 bp 0x7ffeb2a60420 sp 0x7ffeb2a60418
READ of size 8 at 0x7fbca4fec0a0 thread T0
#0 0x401772 in main /tmp/pr102095.C:22
#1 0x7fbca86a01a1 in __libc_start_main (/lib64/libc.so.6+0x281a1)
#2 0x4011dd in _start (/tmp/pr102095+0x4011dd)
Address 0x7fbca4fec0a0 is located in stack of thread T0 at offset 32 in frame
#0 0x402f32 in std::enable_if<is_invocable_r_v<std::tuple<double const&>,
zip_bad<double const&>(std::function<double const& ()> const&)::{lambda()#1}&>,
std::tuple<double const&> >::type std::__invoke_r<std::tuple<double const&>,
zip_bad<double const&>(std::function<double const& ()>
const&)::{lambda()#1}&>(std::enable_if&&, (zip_bad<double
const&>(std::function<double const& ()> const&)::{lambda()#1}&)...)
/usr/include/c++/10/bits/invoke.h:103
This frame has 1 object(s):
[32, 40) '<unknown>' <== Memory access at offset 32 is inside this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /tmp/pr102095.C:22 in main
Shadow bytes around the buggy address:
0x0ff8149f57c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff8149f57d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff8149f57e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff8149f57f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff8149f5800: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x0ff8149f5810: f5 f5 f5 f5[f5]f5 f5 f5 00 00 00 00 00 00 00 00
0x0ff8149f5820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff8149f5830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff8149f5840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff8149f5850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff8149f5860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2328983==ABORTING
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-31 8:25 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-27 11:28 [Bug sanitizer/102095] New: Returned reference to temporary not caught by -fsanitize=undefined loximann at gmail dot com
2021-08-31 8:15 ` [Bug sanitizer/102095] " redi at gcc dot gnu.org
2021-08-31 8:25 ` jakub at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).