[Bug 202213] bluez trunk tests fail with GCC 9 (or with -fsanitize=address with GCC 9)

bugzilla-daemon@xxxxxxxxxxxxxxxxxxx · Fri, 11 Jan 2019 13:53:04 +0000



https://bugzilla.kernel.org/show_bug.cgi?id=202213

--- Comment #10 from Martin Liška (mliska@xxxxxxx) ---
Yes, it's problematic, please see explanation:
https://gcc.gnu.org/ml/gcc-patches/2019-01/msg00629.html

and there's a reduced example:

$ cat /tmp/x.c
struct test_data_de {
 const void *input_data;
 int input_size;
};


int main()
{
  struct test_data_de *ptr;
  {
    static struct test_data_de data;
    data.input_size = sizeof((const unsigned char[]) { 0x25, 0x00 });
    data.input_data = ((const unsigned char[]) { 0x25, 0x00 });
    ptr = &data;
  }

  *(char*)ptr->input_data = 'x';

  return 0;
}

$ gcc /tmp/x.c -fsanitize=address && ./a.out 
=================================================================
==17535==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7fffffffdc20 at pc 0x0000004012d9 bp 0x7fffffffdbe0 sp 0x7fffffffdbd8
WRITE of size 1 at 0x7fffffffdc20 thread T0
    #0 0x4012d8 in main (/home/marxin/Programming/bluez/a.out+0x4012d8)
    #1 0x7ffff7018fea in __libc_start_main ../csu/libc-start.c:308
    #2 0x4010c9 in _start (/home/marxin/Programming/bluez/a.out+0x4010c9)

Address 0x7fffffffdc20 is located in stack of thread T0 at offset 32 in frame
    #0 0x401181 in main (/home/marxin/Programming/bluez/a.out+0x401181)

  This frame has 1 object(s):
    [32, 34) '<unknown>' <== Memory access at offset 32 is inside this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope
(/home/marxin/Programming/bluez/a.out+0x4012d8) in main
Shadow bytes around the buggy address:
  0x10007fff7b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7b80: f1 f1 f1 f1[f8]f3 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

-- 
You are receiving this mail because:
You are the assignee for the bug.