public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/103792] New: stack-use-after-scope false positive with exceptions on ARM EABI
@ 2021-12-21 15:28 mcross at irobot dot com
From: mcross at irobot dot com @ 2021-12-21 15:28 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103792

            Bug ID: 103792
           Summary: stack-use-after-scope false positive with exceptions
                    on ARM EABI
           Product: gcc
           Version: 10.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: mcross at irobot dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

Created attachment 52039
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52039&action=edit
reproduction code

This is the same issue as https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81021,
except specific to ARM EABI.  I think the same change needs to be applied to
the ARM EABI specific code that sets up the call to __cxa_end_cleanup() in
gcc/tree-eh.c.

I have attached minimal code that reproduces the issue (well, as minimal as I
could get it).

To reproduce, this must be compiled with "-O1 -fsanitize=address".

The reproduction code is also available on Compiler Explorer here:
https://godbolt.org/z/5q1Yq5za3  Unfortunately it cannot be run there, but here
is what I see when I run it (based on generated code addresses in that view):

* Address 10cce is where the exception is thrown in the intermediate()
function (it has inlined the calls to the constructors for "struct Bad" and
optimized it down to just throwing an exception).
* The clean-up for this PC in intermediate() is at 10cd2, and if you follow
it through it effectively just poisons the stack and then calls
__cxa_end_cleanup().

This leaves the stack poisoned after exception handling is complete, which
later code then trips over.

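A constructed C++ program in the shape the report describes (a throw through a scope that owns a stack object, then a later call that copies a large by-value argument into the same stack region), useful for checking whether a given toolchain unpoisons the stack on the __cxa_end_cleanup() path. It is an added example, not the attached mcross-test1.cpp; the struct layouts, function bodies and the 388-byte payload size are assumptions taken from the backtrace in the next comment.

```cpp
// Constructed reproducer pattern (assumed shape, not the attachment).
// On a correct toolchain this returns 0 under -O1 -fsanitize=address;
// on an affected ARM EABI build ASan reports stack-use-after-scope in
// the memcpy that passes Dummy by value to process_dummy_recursive().
#include <cstdio>
#include <cstring>

struct Dummy { char payload[388]; };   // large by-value argument, copied with memcpy

static volatile char sink;             // keeps Bad's destructor from being optimized away

struct Bad {                           // stack object with a non-trivial cleanup
    char tmp[64];
    Bad() { std::memset(tmp, 0, sizeof tmp); }
    ~Bad() { sink = tmp[0]; }
};

// Throwing out of a scope that owns a Bad: the EH cleanup runs ~Bad(),
// poisons b's slot, and then resumes via __cxa_end_cleanup() on ARM EABI.
// The fix for PR81021 unpoisons the slot on the _Unwind_Resume path; the
// report says the __cxa_end_cleanup() path still lacks that unpoison.
static void intermediate() {
    Bad b;
    throw b;                           // copy-constructs the exception, then leaves b's scope
}

// The by-value copy of d lands on stack that intermediate() left poisoned
// on affected targets, which is where the false positive fires.
static int process_dummy_recursive(int depth, Dummy d) {
    if (depth == 0) return d.payload[0];
    d.payload[0] += 1;
    return process_dummy_recursive(depth - 1, d);
}

// Returns 3 on a sane run; ASan aborts the process instead on an affected build.
int exc_cleanup_test() {
    try {
        intermediate();
    } catch (const Bad &) {
        // handled; stack below this frame should now be fully addressable again
    }
    Dummy d{};
    return process_dummy_recursive(3, d);
}

int main() {
    int r = exc_cleanup_test();
    std::printf("%s (%d)\n", r == 3 ? "ok" : "unexpected", r);
    return r == 3 ? 0 : 1;
}
```

Build it with an ARM EABI cross toolchain using the flags from the report, "-O1 -fsanitize=address", and run it on the target; a toolchain that carries the same fix for the __cxa_end_cleanup() path prints "ok".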

* [Bug sanitizer/103792] stack-use-after-scope false positive with exceptions on ARM EABI
From: mcross at irobot dot com @ 2021-12-21 15:31 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103792

--- Comment #1 from Matt Cross <mcross at irobot dot com> ---
Address Sanitizer output from executing this:

=================================================================
==29328==ERROR: AddressSanitizer: stack-use-after-scope on address 0xbed737e0
at pc 0xb319b875 bp 0xbed733a0 sp 0xbed733a8
WRITE of size 388 at 0xbed737e0 thread T0
    #0 0xb319b872 in memcpy (/usr/lib/brewst.so.d/libasan.so.6+0x2e872)
    #1 0x10d92 in process_dummy_recursive(int, Dummy)
/home/mcross/sources/brewst3/utils/mcross-test/mcross-test1.cpp:41
    #2 0x10dd8 in exc_cleanup_test()
/home/mcross/sources/brewst3/utils/mcross-test/mcross-test1.cpp:65
    #3 0x10de4 in main
/home/mcross/sources/brewst3/utils/mcross-test/mcross-test1.cpp:70
    #4 0xb2eb455a in __libc_start_main (/usr/lib/brewst.so.d/libc.so.6+0x1755a)

Address 0xbed737e0 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-use-after-scope
(/usr/lib/brewst.so.d/libasan.so.6+0x2e872) in memcpy
Shadow bytes around the buggy address:
  0x37dae6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37dae6b0: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
  0x37dae6c0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x37dae6d0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x37dae6e0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 00 00 00 00 00 00
=>0x37dae6f0: 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8[f8]f8 f8 f8
  0x37dae700: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x37dae710: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x37dae720: f8 f8 f8 f8 00 00 00 00 00 00 00 00 00 00 00 00
  0x37dae730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37dae740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==29328==ABORTING

