public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/113531] New: AddressSanitizer: stack-use-after-scope when iterating over initializer list
@ 2024-01-21 20:50 gcc at pauldreik dot se
  2024-01-23  0:05 ` [Bug c++/113531] [14 Regression] " pinskia at gcc dot gnu.org
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: gcc at pauldreik dot se @ 2024-01-21 20:50 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113531

            Bug ID: 113531
           Summary: AddressSanitizer: stack-use-after-scope when iterating
                    over initializer list
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: gcc at pauldreik dot se
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
  Target Milestone: ---

Sorry for not being able to condense this better; it is reduced from several
thousand lines in multiple files into this. The false alarm easily goes away
when something changes; I guess it is the optimizer removing things. Therefore,
the program is run in Catch and not as a simple main() function.

I have git bisected this to happen at commit
4d935f52b0d5c00fcc154461b87415ebd8791a94 "c++: make initializer_list array
static again [PR110070]" which seems related.

Address sanitizer gives me a warning about stack-use-after-scope on the for
loop, which I believe is legal C++.

Here is a godbolt link: https://godbolt.org/z/vrWEWzd9a , but I include the
program and error message below as well:

// compile with -std=c++20 -fsanitize=address -lCatch2Main
#include <cstdio>
#include <catch2/catch_test_macros.hpp>

struct Inner
{
    enum class Indices
    {
        A,
        B,
        C
    };

    Inner()
    {
        // must be three indices, if only two the problem goes away
        for (auto i : { Indices::A, Indices::B, Indices::C }) // <------------------------------ ERROR: AddressSanitizer: stack-use-after-scope
        {
        }
        std::puts("this line must be here");
    }
};

struct Outer
{
    int return_42() const
    {
        // not 42, to trigger the test (so the code is not optimized away, I assume)
        return 0;
    }

    Inner inner;
};

TEST_CASE("demonstrate AddressSanitizer: stack-use-after-scope")
{
    Outer c;

    WHEN("this WHEN must be here, otherwise the error does not trigger")
    {
        REQUIRE(c.return_42() == 42);
    }
}


And the error message:
Program returned: 1
=================================================================
==1==ERROR: AddressSanitizer: stack-use-after-scope on address 0x0000004c3380 at pc 0x00000040b924 bp 0x7ffd52eff450 sp 0x7ffd52eff448
READ of size 4 at 0x0000004c3380 thread T0
    #0 0x40b923 in Inner::Inner() /app/example.cpp:17
    #1 0x40b9d5 in Outer::Outer() /app/example.cpp:24
    #2 0x40a3c7 in ____C_A_T_C_H____T_E_S_T____0 /app/example.cpp:37
    #3 0x45a68d in Catch::TestInvokerAsFunction::invoke() const (/app/output.s+0x45a68d) (BuildId: 433ece10f75938fe33f68968e4c7ab9a1f766f29)
    #4 0x440c86 in Catch::TestCaseHandle::invoke() const (/app/output.s+0x440c86) (BuildId: 433ece10f75938fe33f68968e4c7ab9a1f766f29)
    #5 0x440062 in Catch::RunContext::invokeActiveTestCase() (/app/output.s+0x440062) (BuildId: 433ece10f75938fe33f68968e4c7ab9a1f766f29)
    #6 0x43fdf1 in Catch::RunContext::runCurrentTest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) (/app/output.s+0x43fdf1) (BuildId: 433ece10f75938fe33f68968e4c7ab9a1f766f29)
    #7 0x43e99b in Catch::RunContext::runTest(Catch::TestCaseHandle const&) (/app/output.s+0x43e99b) (BuildId: 433ece10f75938fe33f68968e4c7ab9a1f766f29)
    #8 0x447bac in Catch::(anonymous namespace)::TestGroup::execute() (/app/output.s+0x447bac) (BuildId: 433ece10f75938fe33f68968e4c7ab9a1f766f29)
    #9 0x448b6c in Catch::Session::runInternal() (/app/output.s+0x448b6c) (BuildId: 433ece10f75938fe33f68968e4c7ab9a1f766f29)
    #10 0x4488a0 in Catch::Session::run() (/app/output.s+0x4488a0) (BuildId: 433ece10f75938fe33f68968e4c7ab9a1f766f29)
    #11 0x40a26a in int Catch::Session::run<char>(int, char const* const*) (/app/output.s+0x40a26a) (BuildId: 433ece10f75938fe33f68968e4c7ab9a1f766f29)
    #12 0x40a18b in main (/app/output.s+0x40a18b) (BuildId: 433ece10f75938fe33f68968e4c7ab9a1f766f29)
    #13 0x7f0adaa29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #14 0x7f0adaa29e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #15 0x40a084 in _start (/app/output.s+0x40a084) (BuildId: 433ece10f75938fe33f68968e4c7ab9a1f766f29)

0x0000004c3380 is located 0 bytes inside of global variable 'C.1' defined in '/app/example.cpp:17:60' (0x4c3380) of size 12
SUMMARY: AddressSanitizer: stack-use-after-scope /app/example.cpp:17 in Inner::Inner()
Shadow bytes around the buggy address:
  0x0000004c3100: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0000004c3180: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0000004c3200: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0000004c3280: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0000004c3300: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
=>0x0000004c3380:[f8]f8 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000004c3400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000004c3480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000004c3500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000004c3580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000004c3600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1==ABORTING

^ permalink raw reply	[flat|nested] 7+ messages in thread
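The report above carries its own diagnostic tell: ASan names a stack bug class (stack-use-after-scope, shadow byte f8) while the faulting address sits 0 bytes inside a global variable ('C.1', size 12). Use-after-scope poisoning is only ever applied to stack locals, so stack poison on static storage points at the instrumentation rather than the program, which is exactly what the fix commit later in this thread describes (the initializer_list backing array was promoted to static storage after asan had already scheduled poison/unpoison for it, and sanopt then dropped the unpoison). The triage script below is an added example for this thread, not code from the bug report or from GCC: it parses an ASan report and flags that contradiction. The function and field names are this example's own, and both sample reports are constructed: the first from the lines quoted above, trimmed; the second a made-up genuine stack-use-after-scope on a local, with invented addresses and file name, using ASan's usual stack-report phrasing.

```python
"""Flag AddressSanitizer reports whose bug class contradicts the storage
class of the faulting address (added example, not GCC or bug-report code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the shadow-byte legend ASan prints under every report.
SHADOW_LEGEND = {
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf5: "stack after return",
    0xf8: "stack use after scope", 0xf9: "global redzone",
    0xfa: "heap left redzone", 0xfd: "freed heap region",
}

# Bug classes whose name asserts that the object lives on the stack.
STACK_KINDS = {"stack-use-after-scope", "stack-use-after-return",
               "stack-buffer-overflow", "stack-buffer-underflow"}

_ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_GLOBAL_RE = re.compile(r"is located \d+ bytes inside of global variable '([^']+)'")
_STACK_RE = re.compile(r"is located in stack of thread")
_HEAP_RE = re.compile(r"is located \d+ bytes (?:inside of|to the (?:left|right) of) \d+-byte region")
_FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (.+?) (\S+:\d+)\s*$", re.M)
_SHADOW_RE = re.compile(r"^=>0x[0-9a-f]+:.*?\[([0-9a-f]{2})\]", re.M)


@dataclass
class AsanTriage:
    kind: str
    address: int
    storage: str                 # "global", "stack", "heap" or "unknown"
    global_name: Optional[str]
    shadow_byte: Optional[int]
    frame0: Optional[str]
    consistent: bool
    verdict: str


def parse_asan_report(text: str) -> AsanTriage:
    """Parse one ASan report and decide whether the reported bug class is
    compatible with the storage the runtime attributes the address to."""
    m = _ERROR_RE.search(text)
    if not m:
        raise ValueError("no 'ERROR: AddressSanitizer:' line found")
    kind, address = m.group(1), int(m.group(2), 16)

    storage, global_name = "unknown", None
    if (g := _GLOBAL_RE.search(text)):
        storage, global_name = "global", g.group(1)
    elif _STACK_RE.search(text):
        storage = "stack"
    elif _HEAP_RE.search(text):
        storage = "heap"

    s = _SHADOW_RE.search(text)
    shadow_byte = int(s.group(1), 16) if s else None
    f = _FRAME0_RE.search(text)
    frame0 = f"{f.group(1)} at {f.group(2)}" if f else None

    # A stack-class report can only be genuine for a stack object.  Stack
    # poison on a global means the instrumentation is wrong, not the program:
    # in PR113531 the initializer_list backing array became static after asan
    # had already scheduled use-after-scope poisoning for it.
    consistent = not (kind in STACK_KINDS and storage == "global")
    poison = SHADOW_LEGEND.get(shadow_byte, "unknown") if shadow_byte is not None else "n/a"
    if consistent:
        verdict = f"{kind} at {frame0}: treat as a real bug until proven otherwise"
    else:
        verdict = (f"{kind} (shadow: {poison}) inside global {global_name!r}: stack "
                   "poisoning on static storage, suspect compiler instrumentation "
                   "rather than the program (compare GCC PR113531)")
    return AsanTriage(kind, address, storage, global_name, shadow_byte,
                      frame0, consistent, verdict)


# Constructed sample 1: the report quoted above, trimmed to the lines that matter.
PR113531_REPORT = """\
==1==ERROR: AddressSanitizer: stack-use-after-scope on address 0x0000004c3380 at pc 0x00000040b924 bp 0x7ffd52eff450 sp 0x7ffd52eff448
READ of size 4 at 0x0000004c3380 thread T0
    #0 0x40b923 in Inner::Inner() /app/example.cpp:17
    #1 0x40b9d5 in Outer::Outer() /app/example.cpp:24

0x0000004c3380 is located 0 bytes inside of global variable 'C.1' defined in '/app/example.cpp:17:60' (0x4c3380) of size 12
SUMMARY: AddressSanitizer: stack-use-after-scope /app/example.cpp:17 in Inner::Inner()
Shadow bytes around the buggy address:
  0x0000004c3300: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
=>0x0000004c3380:[f8]f8 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
"""

# Constructed sample 2: a genuine use-after-scope on a local (made-up
# addresses and file; the phrasing follows ASan's stack report format).
GENUINE_REPORT = """\
==7==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffd1c2e3a20 at pc 0x0000004011e6 bp 0x7ffd1c2e39f0 sp 0x7ffd1c2e39e8
READ of size 4 at 0x7ffd1c2e3a20 thread T0
    #0 0x4011e5 in main /tmp/uas.cpp:9
Address 0x7ffd1c2e3a20 is located in stack of thread T0 at offset 32 in frame
    #0 0x401145 in main /tmp/uas.cpp:4
  This frame has 1 object(s):
    [32, 36) 'x' (line 6) <== Memory access at offset 32 is inside this variable
Shadow bytes around the buggy address:
=>0x10002385c740: f1 f1 f1 f1[f8]f3 f3 f3 00 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    for report in (PR113531_REPORT, GENUINE_REPORT):
        print(parse_asan_report(report).verdict)
```

Run it on a saved ASan log to get a one-line verdict per report. The check is deliberately narrow: it only calls a report suspicious when the bug class and the storage class cannot both be true, so a real use-after-scope on a local (the second sample) still comes back as consistent and is left for normal triage.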

* [Bug c++/113531] [14 Regression] AddressSanitizer: stack-use-after-scope when iterating over initializer list
  2024-01-21 20:50 [Bug sanitizer/113531] New: AddressSanitizer: stack-use-after-scope when iterating over initializer list gcc at pauldreik dot se
@ 2024-01-23  0:05 ` pinskia at gcc dot gnu.org
  2024-01-23  0:06 ` [Bug c++/113531] [14 Regression] AddressSanitizer: stack-use-after-scope when iterating over initializer list since r14-1500-g4d935f52b0d5c0 pinskia at gcc dot gnu.org
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: pinskia at gcc dot gnu.org @ 2024-01-23  0:05 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113531

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |wrong-code
   Target Milestone|---                         |14.0
            Summary|AddressSanitizer:           |[14 Regression]
                   |stack-use-after-scope when  |AddressSanitizer:
                   |iterating over initializer  |stack-use-after-scope when
                   |list                        |iterating over initializer
                   |                            |list


* [Bug c++/113531] [14 Regression] AddressSanitizer: stack-use-after-scope when iterating over initializer list since r14-1500-g4d935f52b0d5c0
  2024-01-21 20:50 [Bug sanitizer/113531] New: AddressSanitizer: stack-use-after-scope when iterating over initializer list gcc at pauldreik dot se
  2024-01-23  0:05 ` [Bug c++/113531] [14 Regression] " pinskia at gcc dot gnu.org
@ 2024-01-23  0:06 ` pinskia at gcc dot gnu.org
  2024-01-30 18:17 ` jason at gcc dot gnu.org
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: pinskia at gcc dot gnu.org @ 2024-01-23  0:06 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113531

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
It would be useful to get a reduced testcase without the use of the Catch2Main
library.


* [Bug c++/113531] [14 Regression] AddressSanitizer: stack-use-after-scope when iterating over initializer list since r14-1500-g4d935f52b0d5c0
  2024-01-21 20:50 [Bug sanitizer/113531] New: AddressSanitizer: stack-use-after-scope when iterating over initializer list gcc at pauldreik dot se
  2024-01-23  0:05 ` [Bug c++/113531] [14 Regression] " pinskia at gcc dot gnu.org
  2024-01-23  0:06 ` [Bug c++/113531] [14 Regression] AddressSanitizer: stack-use-after-scope when iterating over initializer list since r14-1500-g4d935f52b0d5c0 pinskia at gcc dot gnu.org
@ 2024-01-30 18:17 ` jason at gcc dot gnu.org
  2024-01-31  3:38 ` jason at gcc dot gnu.org
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: jason at gcc dot gnu.org @ 2024-01-30 18:17 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113531

Jason Merrill <jason at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jason at gcc dot gnu.org
   Last reconfirmed|                            |2024-01-30
           Assignee|unassigned at gcc dot gnu.org      |jason at gcc dot gnu.org
             Status|UNCONFIRMED                 |ASSIGNED
     Ever confirmed|0                           |1


* [Bug c++/113531] [14 Regression] AddressSanitizer: stack-use-after-scope when iterating over initializer list since r14-1500-g4d935f52b0d5c0
  2024-01-21 20:50 [Bug sanitizer/113531] New: AddressSanitizer: stack-use-after-scope when iterating over initializer list gcc at pauldreik dot se
                   ` (2 preceding siblings ...)
  2024-01-30 18:17 ` jason at gcc dot gnu.org
@ 2024-01-31  3:38 ` jason at gcc dot gnu.org
  2024-02-01  8:19 ` cvs-commit at gcc dot gnu.org
  2024-02-01  8:20 ` jakub at gcc dot gnu.org
  5 siblings, 0 replies; 7+ messages in thread
From: jason at gcc dot gnu.org @ 2024-01-31  3:38 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113531

--- Comment #2 from Jason Merrill <jason at gcc dot gnu.org> ---
Reduced:

// compile with -fsanitize=address
#include <initializer_list>

void f(int) { }

void g()
{
  // the backing array of { 1, 2, 3 } is promoted to static storage
  for (auto i : { 1, 2, 3 })
    f (i);
  f(42);
}

int main()
{
  g();
  g(); // second call: asan still considers the static array poisoned
}


* [Bug c++/113531] [14 Regression] AddressSanitizer: stack-use-after-scope when iterating over initializer list since r14-1500-g4d935f52b0d5c0
  2024-01-21 20:50 [Bug sanitizer/113531] New: AddressSanitizer: stack-use-after-scope when iterating over initializer list gcc at pauldreik dot se
                   ` (3 preceding siblings ...)
  2024-01-31  3:38 ` jason at gcc dot gnu.org
@ 2024-02-01  8:19 ` cvs-commit at gcc dot gnu.org
  2024-02-01  8:20 ` jakub at gcc dot gnu.org
  5 siblings, 0 replies; 7+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2024-02-01  8:19 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113531

--- Comment #3 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>:

https://gcc.gnu.org/g:ceb242f5302027c44a7dca86c344863004b6fec4

commit r14-8681-gceb242f5302027c44a7dca86c344863004b6fec4
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Thu Feb 1 09:16:57 2024 +0100

    gimple-low: Remove .ASAN_MARK calls on TREE_STATIC variables [PR113531]

    Since the r14-1500-g4d935f52b0d5c0 commit we promote an initializer_list
    backing array to static storage where appropriate, but this happens after
    we decided to add it to asan_poisoned_variables.  As a result we add
    unpoison/poison for it to the gimple.  But then sanopt removes the unpoison.
    So the second time we call the function and want to load from the array asan
    still considers it poisoned.

    The following patch fixes it by removing the .ASAN_MARK internal calls
    during gimple lowering if they refer to TREE_STATIC vars.

    2024-02-01  Jakub Jelinek  <jakub@redhat.com>
                Jason Merrill  <jason@redhat.com>

            PR c++/113531
            * gimple-low.cc (lower_stmt): Remove .ASAN_MARK calls
            on variables which were promoted to TREE_STATIC.

            * g++.dg/asan/initlist1.C: New test.

    Co-authored-by: Jason Merrill <jason@redhat.com>


* [Bug c++/113531] [14 Regression] AddressSanitizer: stack-use-after-scope when iterating over initializer list since r14-1500-g4d935f52b0d5c0
  2024-01-21 20:50 [Bug sanitizer/113531] New: AddressSanitizer: stack-use-after-scope when iterating over initializer list gcc at pauldreik dot se
                   ` (4 preceding siblings ...)
  2024-02-01  8:19 ` cvs-commit at gcc dot gnu.org
@ 2024-02-01  8:20 ` jakub at gcc dot gnu.org
  5 siblings, 0 replies; 7+ messages in thread
From: jakub at gcc dot gnu.org @ 2024-02-01  8:20 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113531

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
           Priority|P3                          |P1
             Status|ASSIGNED                    |RESOLVED

--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Fixed.

