[Bug sanitizer/63251] New: tsan: corrupted shadow stack
dvyukov at google dot com
gcc-bugzilla@gcc.gnu.org
Fri Sep 12 22:27:00 GMT 2014
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63251
Bug ID: 63251
Summary: tsan: corrupted shadow stack
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: dvyukov at google dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
Created attachment 33486
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=33486&action=edit
reproducer
Reported in the ThreadSanitizer bug tracker, but it looks like a gcc instrumentation issue:
https://code.google.com/p/thread-sanitizer/issues/detail?id=76
gcc version 5.0.0 20140830 (experimental) (GCC)
$ g++ -fsanitize=thread /tmp/stack.cc -pie -fPIE -g
$ ./a.out
==================
WARNING: ThreadSanitizer: data race (pid=27898)
...
Thread T2 (tid=27901, running) created by main thread at:
#0 pthread_create ../../.././libsanitizer/tsan/tsan_interceptors.cc:853 (libtsan.so.0+0x000000026eb4)
#1 main /tmp/stack.cc:28 (a.out+0x000000001017)
#2 void std::__introsort_loop<__gnu_cxx::__normal_iterator<int*, std::vector<int, std::allocator<int> > >, long, __gnu_cxx::__ops::_Iter_less_iter>(__gnu_cxx::__normal_iterator<int*, std::vector<int, std::allocator<int> > >, __gnu_cxx::__normal_iterator<int*, std::vector<int, std::allocator<int> > >, long, __gnu_cxx::__ops::_Iter_less_iter) /ssd/src/gcc_trunk/install/include/c++/5.0.0/bits/stl_algo.h:1952 (a.out+0x000000001d60)
#3 void std::__sort<__gnu_cxx::__normal_iterator<int*, std::vector<int, std::allocator<int> > >, __gnu_cxx::__ops::_Iter_less_iter>(__gnu_cxx::__normal_iterator<int*, std::vector<int, std::allocator<int> > >, __gnu_cxx::__normal_iterator<int*, std::vector<int, std::allocator<int> > >, __gnu_cxx::__ops::_Iter_less_iter) /ssd/src/gcc_trunk/install/include/c++/5.0.0/bits/stl_algo.h:1967 (a.out+0x00000000182c)
#4 void std::sort<__gnu_cxx::__normal_iterator<int*, std::vector<int, std::allocator<int> > > >(__gnu_cxx::__normal_iterator<int*, std::vector<int, std::allocator<int> > >, __gnu_cxx::__normal_iterator<int*, std::vector<int, std::allocator<int> > >) /ssd/src/gcc_trunk/install/include/c++/5.0.0/bits/stl_algo.h:4676 (a.out+0x00000000130a)
#5 main /tmp/stack.cc:24 (a.out+0x000000000fd9)
Frames #1-4 are bogus and must not be present in the thread creation stack.
Clang produces a correct stack, which is:
Thread T2 (tid=12121, running) created by main thread at:
#0 pthread_create /ssd/src/llvm/build/../projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:847 (a.out+0x000000048403)
#1 main /tmp/stack.cc:28:3 (a.out+0x000000095bcf)
Looking at the symptoms I think that the sort-related functions do not call
__tsan_func_exit and so they are left on the shadow stack.
It's not only about report quality. If it happens enough times, then it will overflow and blow up the tsan shadow stack.
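A constructed model of the mechanism described above, added here as an example (it is neither the reproducer attached to this bug nor tsan's runtime code): the shadow stack is a bounded per-thread array that __tsan_func_entry pushes to and __tsan_func_exit pops from, so a frame whose exit call is missing stays behind, is printed by later stack traces such as the thread-creation one, and repeated calls eventually overflow the array. The function names, the capacity and the std::sort call chain are assumptions modelled on the report.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed model of tsan's per-thread shadow stack (not tsan's code).
 * The tiny capacity makes the overflow visible after a few calls. */
#define SHADOW_CAP 16
typedef struct { const char *frames[SHADOW_CAP]; size_t depth; int overflowed; } shadow_stack_t;

/* What the compiler-inserted __tsan_func_entry call does: push a frame. */
static void func_entry(shadow_stack_t *ss, const char *frame) {
    if (ss->depth == SHADOW_CAP) { ss->overflowed = 1; return; }
    ss->frames[ss->depth++] = frame;
}

/* What __tsan_func_exit does: pop the frame again. */
static void func_exit(shadow_stack_t *ss) { if (ss->depth) ss->depth--; }

/* The std::sort call chain from the report. With exits == 0 the three
 * library frames get an entry but no exit, as the report describes. */
static void call_sort_chain(shadow_stack_t *ss, int exits) {
    func_entry(ss, "std::sort");
    func_entry(ss, "std::__sort");
    func_entry(ss, "std::__introsort_loop");
    if (exits) { func_exit(ss); func_exit(ss); func_exit(ss); }
}

/* Stale frames left above main after `calls` calls to std::sort: these are
 * what a later pthread_create stack trace would print as frames #2-#4. */
size_t stale_depth_after_sort(int exits, int calls) {
    shadow_stack_t ss = {0};
    func_entry(&ss, "main");
    for (int i = 0; i < calls; i++) call_sort_chain(&ss, exits);
    return ss.depth - 1;
}

/* Number of std::sort calls until the shadow stack overflows (-1: never). */
int sort_calls_until_overflow(int exits) {
    shadow_stack_t ss = {0};
    int calls = 0;
    func_entry(&ss, "main");
    while (!ss.overflowed && calls < 1000) { call_sort_chain(&ss, exits); calls++; }
    return ss.overflowed ? calls : -1;
}

int main(void) {
    printf("stale frames, exits paired:  %zu\n", stale_depth_after_sort(1, 4));
    printf("stale frames, exits missing: %zu\n", stale_depth_after_sort(0, 1));
    printf("sort calls until overflow:   %d\n", sort_calls_until_overflow(0));
    return 0;
}
```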