[Bug sanitizer/70712] New: False positive from memory sanitizer with use of 'alignas'

rogero at howzatt dot demon.co.uk gcc-bugzilla@gcc.gnu.org
Mon Apr 18 10:29:00 GMT 2016 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70712

            Bug ID: 70712
           Summary: False positive from memory sanitizer with use of
                    'alignas'
           Product: gcc
           Version: 6.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: rogero at howzatt dot demon.co.uk
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
  Target Milestone: ---

Created attachment 38302
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=38302&action=edit
Sample program demonstrating the false positive

The attached simple program generates a false positive with address sanitizer
on x86_64 Linux. The problem seems to be related to the alignas attribute on
the 'owner' object.

$ g++ -v 
Using built-in specs.
COLLECT_GCC=g++
COLLECT_LTO_WRAPPER=/opt/reactor-buildkit/B2BH-BK2GIT44-2/gcc/bin/../libexec/gcc/x86_64-pc-linux-gnu/6.0.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ../configure
--prefix=/data/bamboo.agent.home/xml-data/build-dir/B2BH-BKC0-JOB1/build/install
--enable-cloog-backend --enable-lto --enable-languages=c,c++
--enable-libstdcxx-time --enable-gold --enable-plugins --disable-multilib
--enable-werror=no --enable-libstdcxx-dual-abi
--with-default-libstdcxx-abi=gcc4-compatible
Thread model: posix
gcc version 6.0.0 20160413 (experimental) (GCC)

$ g++ -fsanitize=address stack-buffer-overflow.cxx && ./a.out
=================================================================
==12917==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffc5bb30020 at pc 0x7f1fede0851c bp 0x7ffc5bb2ff50 sp 0x7ffc5bb2f700
WRITE of size 8 at 0x7ffc5bb30020 thread T0
    #0 0x7f1fede0851b in __interceptor_memset
../../../../libsanitizer/asan/asan_interceptors.cc:451
    #1 0x4009d9 in Buffer::Buffer(Owner&)
(/home/rorr/test/prXXXXX/a.out+0x4009d9)
    #2 0x40089a in main (/home/rorr/test/prXXXXX/a.out+0x40089a)
    #3 0x3b81a1ed5c in __libc_start_main (/lib64/libc.so.6+0x3b81a1ed5c)
    #4 0x4006e8  (/home/rorr/test/prXXXXX/a.out+0x4006e8)

Address 0x7ffc5bb30020 is located in stack of thread T0 at offset 160 in frame
    #0 0x4007e5 in main (/home/rorr/test/prXXXXX/a.out+0x4007e5)

  This frame has 2 object(s):
    [64, 128) 'owner'
    [192, 648) 'buffer' <== Memory access at offset 160 underflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
../../../../libsanitizer/asan/asan_interceptors.cc:451 in __interceptor_memset
Shadow bytes around the buggy address:
  0x10000b75dfb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000b75dfc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000b75dfd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000b75dfe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000b75dff0: f1 f1 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00
=>0x10000b75e000: f2 f2 f2 f2[f2]f2 f2 f2 00 00 00 00 00 00 00 00
  0x10000b75e010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000b75e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000b75e030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000b75e040: 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10000b75e050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12917==ABORTING

(Also fails with gcc 5.3.0)

More information about the Gcc-bugs mailing list