octave-bug-tracker

[Octave-bug-tracker] [bug #55432] clang w/ ASAN: stack-use-after-scope (


From: Dmitri A. Sergatskov
Subject: [Octave-bug-tracker] [bug #55432] clang w/ ASAN: stack-use-after-scope (starting octave)
Date: Tue, 22 Jan 2019 17:52:30 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0

Follow-up Comment #6, bug #55432 (project octave):

OK, I managed to downgrade to clang-6.0.1.
The problem is still there:


clang -v
clang version 6.0.1 (tags/RELEASE_601/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-redhat-linux/8
Found candidate GCC installation: /usr/lib/gcc/x86_64-redhat-linux/8
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-redhat-linux/8
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Selected multilib: .;@m64



hg id
f6730533820e (stable) tip


../configure CC=clang CXX=clang++ CFLAGS="-ggdb3 -O0 -fsanitize=address"
CXXFLAGS="-ggdb3 -O0 -fsanitize=address" FFLAGS="-ggdb3 -O0"
--enable-address-sanitizer-flags --without-qt --disable-java --disable-docs 



./run-octave -q -f
=================================================================
==8206==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7ffda1d94ce0 at pc 0x7f49e6f02301 bp 0x7ffda1d945f0 sp 0x7ffda1d945e8
READ of size 8 at 0x7ffda1d94ce0 thread T0
    #0 0x7f49e6f02300 in std::__shared_ptr<octave::symbol_scope_rep,
(__gnu_cxx::_Lock_policy)2>::operator bool() const
/usr/bin/../lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/shared_ptr_base.h:1291:16
    #1 0x7f49e73bd35e in octave::symbol_scope::unbind_script_symbols()
/home/dima/src/octave/clang_asan/../libinterp/corefcn/symscope.h:1007:11
    #2 0x7f49e73d16bf in void std::__invoke_impl<void, void
(octave::symbol_scope::*&)(),
octave::symbol_scope*&>(std::__invoke_memfun_deref, void
(octave::symbol_scope::*&)(), octave::symbol_scope*&)
/usr/bin/../lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/invoke.h:73:14
    #3 0x7f49e73d1551 in std::__invoke_result<void
(octave::symbol_scope::*&)(), octave::symbol_scope*&>::type std::__invoke<void
(octave::symbol_scope::*&)(), octave::symbol_scope*&>(void
(octave::symbol_scope::*&)(), octave::symbol_scope*&)
/usr/bin/../lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/invoke.h:95:14
    #4 0x7f49e73d14ca in void std::_Bind<void (octave::symbol_scope::*
(octave::symbol_scope*))()>::__call<void, 0ul>(std::tuple<>&&,
std::_Index_tuple<0ul>)
/usr/bin/../lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/functional:400:11
    #5 0x7f49e73d1346 in void std::_Bind<void (octave::symbol_scope::*
(octave::symbol_scope*))()>::operator()<void>()
/usr/bin/../lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/functional:482:17
    #6 0x7f49e73d0dfc in std::_Function_handler<void (), std::_Bind<void
(octave::symbol_scope::* (octave::symbol_scope*))()>
>::_M_invoke(std::_Any_data const&)
/usr/bin/../lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/std_function.h:297:2
    #7 0x7f49e6dfca1e in std::function<void ()>::operator()() const
/usr/bin/../lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/std_function.h:687:14
    #8 0x7f49e6dfbb38 in octave::action_container::fcn_elem::run()
/home/dima/src/octave/clang_asan/../liboctave/util/action-container.h:76:25
    #9 0x7f49e6df6d27 in octave::unwind_protect::run_first()
/home/dima/src/octave/clang_asan/../liboctave/util/unwind-prot.h:67:16
    #10 0x7f49e6dfa9ab in octave::action_container::run(unsigned long)
/home/dima/src/octave/clang_asan/../liboctave/util/action-container.h:200:9
    #11 0x7f49e6dfa829 in octave::action_container::run()
/home/dima/src/octave/clang_asan/../liboctave/util/action-container.h:203:23
    #12 0x7f49e6df5452 in octave::unwind_protect::~unwind_protect()
/home/dima/src/octave/clang_asan/../liboctave/util/unwind-prot.h:56:30
    #13 0x7f49e739ea78 in
octave::tree_evaluator::execute_user_script(octave_user_script&, int,
octave_value_list const&)
/home/dima/src/octave/clang_asan/../libinterp/parse-tree/pt-eval.cc:1522:3
    #14 0x7f49e70d46b1 in octave_user_script::call(octave::tree_evaluator&,
int, octave_value_list const&)
/home/dima/src/octave/clang_asan/../libinterp/octave-value/ov-usr-fcn.cc:168:13
    #15 0x7f49e7319be5 in octave::source_file(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>
> const&, bool, bool, std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&)
/home/dima/src/octave/clang_asan/../libinterp/parse-tree/oct-parse.yy:5065:11
    #16 0x7f49e7cad584 in
octave::load_path::execute_pkg_add_or_del(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>
> const&)
/home/dima/src/octave/clang_asan/../libinterp/corefcn/load-path.cc:856:7
    #17 0x7f49e7cad0fc in
octave::load_path::execute_pkg_add(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&)
/home/dima/src/octave/clang_asan/../libinterp/corefcn/load-path.cc:834:5
    #18 0x7f49e7c7e31e in
octave::interpreter::execute_pkg_add(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&)
/home/dima/src/octave/clang_asan/../libinterp/corefcn/interpreter.cc:1224:21
    #19 0x7f49e7c7ed94 in
octave::interpreter::initialize_load_path(bool)::$_0::operator()(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) const
/home/dima/src/octave/clang_asan/../libinterp/corefcn/interpreter.cc:607:43
    #20 0x7f49e7c7ebd1 in std::_Function_handler<void
(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>
> const&),
octave::interpreter::initialize_load_path(bool)::$_0>::_M_invoke(std::_Any_data
const&, std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&)
/usr/bin/../lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/std_function.h:297:2
    #21 0x7f49e7cc0748 in std::function<void (std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >
const&)>::operator()(std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&) const
/usr/bin/../lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/std_function.h:687:14
    #22 0x7f49e7c9efe9 in
octave::load_path::set(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, bool, bool)
/home/dima/src/octave/clang_asan/../libinterp/corefcn/load-path.cc:291:11
    #23 0x7f49e7c9e016 in octave::load_path::initialize(bool)
/home/dima/src/octave/clang_asan/../libinterp/corefcn/load-path.cc:234:5
    #24 0x7f49e7c78bdc in octave::interpreter::initialize_load_path(bool)
/home/dima/src/octave/clang_asan/../libinterp/corefcn/interpreter.cc:609:21
    #25 0x7f49e7c7914b in octave::interpreter::initialize()
/home/dima/src/octave/clang_asan/../libinterp/corefcn/interpreter.cc:636:5
    #26 0x7f49e7c7973b in octave::interpreter::execute()
/home/dima/src/octave/clang_asan/../libinterp/corefcn/interpreter.cc:648:9
    #27 0x7f49e6259051 in octave::cli_application::execute()
/home/dima/src/octave/clang_asan/../libinterp/octave.cc:391:25
    #28 0x5186f2 in main
/home/dima/src/octave/clang_asan/../src/main-cli.cc:92:14
    #29 0x7f49dfc0e412 in __libc_start_main (/lib64/libc.so.6+0x24412)
    #30 0x41b55d in _start
(/home/dima/src/octave/clang_asan/src/.libs/lt-octave-cli+0x41b55d)

Address 0x7ffda1d94ce0 is located in stack of thread T0 at offset 384 in
frame
    #0 0x7f49e739ddaf in
octave::tree_evaluator::execute_user_script(octave_user_script&, int,
octave_value_list const&)
/home/dima/src/octave/clang_asan/../libinterp/parse-tree/pt-eval.cc:1466

  This frame has 9 object(s):
    [32, 64) 'file_name' (line 1469)
    [96, 184) 'frame' (line 1479)
    [224, 228) 'ref.tmp' (line 1482)
    [240, 256) 'coerce'
    [272, 288) 'coerce10'
    [304, 352) 'block' (line 1504)
    [384, 400) 'script_scope' (line 1506) <== Memory access at offset 384 is
inside this variable
    [416, 432) 'coerce14'
    [448, 464) 'ref.tmp15' (line 1508)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope
/usr/bin/../lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/shared_ptr_base.h:1291:16
in std::__shared_ptr<octave::symbol_scope_rep,
(__gnu_cxx::_Lock_policy)2>::operator bool() const
Shadow bytes around the buggy address:
  0x1000343aa940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000343aa950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000343aa960: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1000343aa970: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x1000343aa980: 00 00 00 f2 f2 f2 f2 f2 f8 f2 00 00 f2 f2 00 00
=>0x1000343aa990: f2 f2 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2[f8]f8 f2 f2
  0x1000343aa9a0: 00 00 f2 f2 f8 f8 f3 f3 00 00 00 00 00 00 00 00
  0x1000343aa9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000343aa9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000343aa9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000343aa9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8206==ABORTING


Dmitri.
-- 


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?55432>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/



