[Bug]: Use after free with compiler invocation #770

Open
kumarak opened this issue Jan 30, 2025 · 0 comments
Labels
bug Something isn't working

kumarak commented Jan 30, 2025

VAST version

v0.0.66

LLVM version

19.1

Operating system

Ubuntu

Description

AddressSanitizer reports a use-after-free bug while creating the compiler instance from the given arguments.

=================================================================
==228041==ERROR: AddressSanitizer: use-after-poison on address 0x52100000650e at pc 0x5ee7a4a6ca46 bp 0x7ffcf6176b10 sp 0x7ffcf61762c8
WRITE of size 2 at 0x52100000650e thread T0
    #0 0x5ee7a4a6ca45 in memcpy (/home/akshaykumar/vast/build/tools/vast-front/vast-front+0x8fd3a45) (BuildId: df24ad95257c9aaa)
    #1 0x5ee7b29cffea in llvm::StringSaver::save(llvm::StringRef) /home/akshaykumar/llvm19/llvm/lib/Support/StringSaver.cpp:18:5
    #2 0x5ee7b29d00a8 in llvm::StringSaver::save(llvm::Twine const&) /home/akshaykumar/llvm19/llvm/lib/Support/StringSaver.cpp:25:10
    #3 0x5ee7acd075bf in RoundTrip(llvm::function_ref<bool (clang::CompilerInvocation&, llvm::ArrayRef<char const*>, clang::DiagnosticsEngine&, char const*)>, llvm::function_ref<void (clang::CompilerInvocation&, llvm::SmallVectorImpl<char const*>&, llvm::function_ref<char const* (llvm::Twine const&)>)>, clang::CompilerInvocation&, clang::CompilerInvocation&, llvm::ArrayRef<char const*>, clang::DiagnosticsEngine&, char const*, bool, bool)::$_0::operator()(llvm::Twine const&) const /home/akshaykumar/llvm19/clang/lib/Frontend/CompilerInvocation.cpp:853:23
    #4 0x5ee7acd0758c in char const* llvm::function_ref<char const* (llvm::Twine const&)>::callback_fn<RoundTrip(llvm::function_ref<bool (clang::CompilerInvocation&, llvm::ArrayRef<char const*>, clang::DiagnosticsEngine&, char const*)>, llvm::function_ref<void (clang::CompilerInvocation&, llvm::SmallVectorImpl<char const*>&, llvm::function_ref<char const* (llvm::Twine const&)>)>, clang::CompilerInvocation&, clang::CompilerInvocation&, llvm::ArrayRef<char const*>, clang::DiagnosticsEngine&, char const*, bool, bool)::$_0>(long, llvm::Twine const&) /home/akshaykumar/llvm19/llvm/include/llvm/ADT/STLFunctionalExtras.h:45:12
    #5 0x5ee7acd3ef30 in llvm::function_ref<char const* (llvm::Twine const&)>::operator()(llvm::Twine const&) const /home/akshaykumar/llvm19/llvm/include/llvm/ADT/STLFunctionalExtras.h:68:12
    #6 0x5ee7acd3ee98 in clang::CompilerInvocationBase::generateCC1CommandLine(llvm::SmallVectorImpl<char const*>&, llvm::function_ref<char const* (llvm::Twine const&)>) const::'lambda'(llvm::Twine const&)::operator()(llvm::Twine const&) const /home/akshaykumar/llvm19/clang/include/clang/Frontend/CompilerInvocation.h:167:28
    #7 0x5ee7acd3ee1c in void llvm::function_ref<void (llvm::Twine const&)>::callback_fn<clang::CompilerInvocationBase::generateCC1CommandLine(llvm::SmallVectorImpl<char const*>&, llvm::function_ref<char const* (llvm::Twine const&)>) const::'lambda'(llvm::Twine const&)>(long, llvm::Twine const&) /home/akshaykumar/llvm19/llvm/include/llvm/ADT/STLFunctionalExtras.h:45:12
    #8 0x5ee7a6de22d0 in llvm::function_ref<void (llvm::Twine const&)>::operator()(llvm::Twine const&) const /home/akshaykumar/llvm19/llvm/include/llvm/ADT/STLFunctionalExtras.h:68:12
    #9 0x5ee7acd078a2 in denormalizeStringImpl(llvm::function_ref<void (llvm::Twine const&)>, llvm::Twine const&, llvm::opt::Option::OptionClass, unsigned int, llvm::Twine const&) /home/akshaykumar/llvm19/clang/lib/Frontend/CompilerInvocation.cpp:362:5
    #10 0x5ee7acd079da in void denormalizeString<unsigned int>(llvm::function_ref<void (llvm::Twine const&)>, llvm::Twine const&, llvm::opt::Option::OptionClass, unsigned int, unsigned int) /home/akshaykumar/llvm19/clang/lib/Frontend/CompilerInvocation.cpp:378:3
    #11 0x5ee7accbb2fd in _ZZN5clang22CompilerInvocationBase22GenerateDiagnosticArgsERKNS_17DiagnosticOptionsEN4llvm12function_refIFvRKNS4_5TwineEEEEbENK4$_38clIjEEDaRKT_ /home/akshaykumar/llvm19/build/tools/clang/include/clang/Driver/Options.inc:8563:1
    #12 0x5ee7accb982a in clang::CompilerInvocationBase::GenerateDiagnosticArgs(clang::DiagnosticOptions const&, llvm::function_ref<void (llvm::Twine const&)>, bool) /home/akshaykumar/llvm19/build/tools/clang/include/clang/Driver/Options.inc:8563:1
    #13 0x5ee7accff7cb in clang::CompilerInvocationBase::generateCC1CommandLine(llvm::function_ref<void (llvm::Twine const&)>) const /home/akshaykumar/llvm19/clang/lib/Frontend/CompilerInvocation.cpp:5042:3
    #14 0x5ee7acd3edc4 in clang::CompilerInvocationBase::generateCC1CommandLine(llvm::SmallVectorImpl<char const*>&, llvm::function_ref<char const* (llvm::Twine const&)>) const /home/akshaykumar/llvm19/clang/include/clang/Frontend/CompilerInvocation.h:163:5
    #15 0x5ee7acd15c30 in clang::CompilerInvocation::CreateFromArgs(clang::CompilerInvocation&, llvm::ArrayRef<char const*>, clang::DiagnosticsEngine&, char const*)::$_1::operator()(clang::CompilerInvocation&, llvm::SmallVectorImpl<char const*>&, llvm::function_ref<char const* (llvm::Twine const&)>) const /home/akshaykumar/llvm19/clang/lib/Frontend/CompilerInvocation.cpp:4909:20
    #16 0x5ee7acd15bd4 in void llvm::function_ref<void (clang::CompilerInvocation&, llvm::SmallVectorImpl<char const*>&, llvm::function_ref<char const* (llvm::Twine const&)>)>::callback_fn<clang::CompilerInvocation::CreateFromArgs(clang::CompilerInvocation&, llvm::ArrayRef<char const*>, clang::DiagnosticsEngine&, char const*)::$_1>(long, clang::CompilerInvocation&, llvm::SmallVectorImpl<char const*>&, llvm::function_ref<char const* (llvm::Twine const&)>) /home/akshaykumar/llvm19/llvm/include/llvm/ADT/STLFunctionalExtras.h:45:12
    #17 0x5ee7acd18cd8 in llvm::function_ref<void (clang::CompilerInvocation&, llvm::SmallVectorImpl<char const*>&, llvm::function_ref<char const* (llvm::Twine const&)>)>::operator()(clang::CompilerInvocation&, llvm::SmallVectorImpl<char const*>&, llvm::function_ref<char const* (llvm::Twine const&)>) const /home/akshaykumar/llvm19/llvm/include/llvm/ADT/STLFunctionalExtras.h:68:12
    #18 0x5ee7acc8c7d0 in RoundTrip(llvm::function_ref<bool (clang::CompilerInvocation&, llvm::ArrayRef<char const*>, clang::DiagnosticsEngine&, char const*)>, llvm::function_ref<void (clang::CompilerInvocation&, llvm::SmallVectorImpl<char const*>&, llvm::function_ref<char const* (llvm::Twine const&)>)>, clang::CompilerInvocation&, clang::CompilerInvocation&, llvm::ArrayRef<char const*>, clang::DiagnosticsEngine&, char const*, bool, bool) /home/akshaykumar/llvm19/clang/lib/Frontend/CompilerInvocation.cpp:860:3
    #19 0x5ee7accfc68c in clang::CompilerInvocation::CreateFromArgs(clang::CompilerInvocation&, llvm::ArrayRef<char const*>, clang::DiagnosticsEngine&, char const*) /home/akshaykumar/llvm19/clang/lib/Frontend/CompilerInvocation.cpp:4901:10
    #20 0x5ee7a4aba3a9 in vast::cc::compiler_invocation::create_from_args(clang::CompilerInvocation&, clang::DiagnosticsEngine&, llvm::ArrayRef<char const*>, char const*) /home/akshaykumar/vast/include/vast/Frontend/CompilerInvocation.hpp:20:20
    #21 0x5ee7a4aba3a9 in vast::cc::cc1(vast::cc::vast_args const&, llvm::ArrayRef<char const*>, char const*, void*) /home/akshaykumar/vast/tools/vast-front/cc1.cpp:78:24
    #22 0x5ee7a4ab011d in execute_cc1_tool(llvm::SmallVectorImpl<char const*>&) /home/akshaykumar/vast/tools/vast-front/driver.cpp:71:16
    #23 0x5ee7acadbeb0 in llvm::function_ref<int (llvm::SmallVectorImpl<char const*>&)>::operator()(llvm::SmallVectorImpl<char const*>&) const /home/akshaykumar/llvm19/llvm/include/llvm/ADT/STLFunctionalExtras.h:68:12
    #24 0x5ee7acad8077 in clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const::$_0::operator()() const /home/akshaykumar/llvm19/clang/lib/Driver/Job.cpp:440:34
    #25 0x5ee7acad8044 in void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const::$_0>(long) /home/akshaykumar/llvm19/llvm/include/llvm/ADT/STLFunctionalExtras.h:45:12
    #26 0x5ee7a52f9d48 in llvm::function_ref<void ()>::operator()() const /home/akshaykumar/llvm19/llvm/include/llvm/ADT/STLFunctionalExtras.h:68:12
    #27 0x5ee7b296bfc9 in llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) /home/akshaykumar/llvm19/llvm/lib/Support/CrashRecoveryContext.cpp:426:3
    #28 0x5ee7acad79da in clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const /home/akshaykumar/llvm19/clang/lib/Driver/Job.cpp:440:12
    #29 0x5ee7aca6ed19 in clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const /home/akshaykumar/llvm19/clang/lib/Driver/Compilation.cpp:199:15
    #30 0x5ee7aca6ef26 in clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&, bool) const /home/akshaykumar/llvm19/clang/lib/Driver/Compilation.cpp:253:19
    #31 0x5ee7aca89e01 in clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) /home/akshaykumar/llvm19/clang/lib/Driver/Driver.cpp:1940:5
    #32 0x5ee7a4ab0e20 in vast::cc::driver::execute() /home/akshaykumar/vast/include/vast/Frontend/Driver.hpp:178:30
    #33 0x5ee7a4aaf49a in main /home/akshaykumar/vast/tools/vast-front/driver.cpp:161:19
    #34 0x72fa13e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #35 0x72fa13e29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #36 0x5ee7a49d36e4 in _start (/home/akshaykumar/vast/build/tools/vast-front/vast-front+0x8f3a6e4) (BuildId: df24ad95257c9aaa)

0x52100000650e is located 14 bytes inside of 4096-byte region [0x521000006500,0x521000007500)
allocated by thread T0 here:
    #0 0x5ee7a4aab122 in operator new(unsigned long, std::align_val_t) (/home/akshaykumar/vast/build/tools/vast-front/vast-front+0x9012122) (BuildId: df24ad95257c9aaa)
    #1 0x5ee7b299cf3c in llvm::allocate_buffer(unsigned long, unsigned long) /home/akshaykumar/llvm19/llvm/lib/Support/MemAlloc.cpp:16:10
    #2 0x5ee7a4b10953 in llvm::MallocAllocator::Allocate(unsigned long, unsigned long) /home/akshaykumar/env/include/llvm/Support/AllocatorBase.h:92:12
    #3 0x5ee7a4b10953 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul, 128ul>::StartNewSlab() /home/akshaykumar/env/include/llvm/Support/Allocator.h:344:42

SUMMARY: AddressSanitizer: use-after-poison (/home/akshaykumar/vast/build/tools/vast-front/vast-front+0x8fd3a45) (BuildId: df24ad95257c9aaa) in memcpy
Shadow bytes around the buggy address:
  0x521000006280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x521000006300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x521000006380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x521000006400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x521000006480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x521000006500: 00[06]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x521000006580: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x521000006600: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x521000006680: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x521000006700: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x521000006780: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==228041==ABORTING

Steps to Reproduce

  1. Build VAST with AddressSanitizer enabled
  2. Run the steps below
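# Reproducer: write the translation unit below to test.c verbatim and feed it
# to vast-front.  The heredoc delimiter is quoted so the shell performs no
# parameter or command expansion on the C source; the source contains no `$`,
# backticks or backslashes, so the file written is byte-identical to the
# unquoted form.  The unusual asm-label placement and literal suffixes are
# part of the input and must be kept as they are.
cat > test.c <<'EOF'
typedef unsigned int uint32_t;
typedef unsigned short uint16_t;
enum struct adc_opmode {
};
enum struct rcc_periph_clken {
};
typedef unsigned int undefined4;
typedef unsigned char uint8_t;
asm("clock_msleep") void clock_msleep(unsigned int param_0);
asm("adc_set_right_aligned") void adc_set_right_aligned(uint32_t param_0);
asm("adc_set_sample_time_on_all_channels") void adc_set_sample_time_on_all_channels(uint32_t param_0, uint8_t param_1);
asm("adc_power_off") void adc_power_off(uint32_t param_0);
asm("adc_set_resolution") void adc_set_resolution(uint32_t param_0, uint16_t param_1);
asm("rcc_periph_clock_enable") void rcc_periph_clock_enable(enum rcc_periph_clken param_0);
asm("adc_set_operation_mode") void adc_set_operation_mode(uint32_t param_0, enum adc_opmode param_1);
asm("adc_disable_external_trigger_regular") void adc_disable_external_trigger_regular(uint32_t param_0);
asm("adc_set_clk_source") void adc_set_clk_source(uint32_t param_0, uint32_t param_1);
asm("adc_init") void adc_init(void);
asm("adc_power_on") void adc_power_on(uint32_t param_0);
asm("adc_disable_analog_watchdog") void adc_disable_analog_watchdog(uint32_t param_0);
asm("adc_calibrate") void adc_calibrate(uint32_t param_0);
void adc_init(void) {
    rcc_periph_clock_enable((enum rcc_periph_clken)777);
    adc_power_off(1073816576U);
    adc_set_clk_source(1073816576U, 0U);
    adc_calibrate(1073816576U);
    adc_set_operation_mode(1073816576U, (enum adc_opmode)1);
    adc_disable_external_trigger_regular(1073816576U);
    adc_set_right_aligned(1073816576U);
    adc_set_sample_time_on_all_channels(1073816576U, 4Ui8);
    adc_set_resolution(1073816576U, 0Ui16);
    adc_disable_analog_watchdog(1073816576U);
    adc_power_on(1073816576U);
    clock_msleep(100U);
    return;
}
EOF

# Emit the high-level (hl) MLIR representation of test.c.
# Note: '#' is the shell comment marker; a '//' line would be executed as a
# command (and fail with "Is a directory") rather than be ignored.
./tools/vast-front/vast-front -vast-emit-mlir=hl test.c -o test.mlir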