
ThreadSanitizer: heap-use-after-free /home/FlexFringe/source/input/inputdata.cpp:382 in inputdata::process_symbol_attributes(symbol_info&, tail*) #44

Open
JohnSmithBH84 opened this issue Dec 10, 2024 · 0 comments


I've built FlexFringe with Thread Sanitizer (TSan) and it detected a heap-use-after-free in inputdata.cpp after launching build/runtests. I'm not sure whether this is an actual issue, or whether FlexFringe's code is too sophisticated for TSan to understand. Do you guys have any idea?

Project version

FlexFringe: (main f5d4175)
clang: 19.1.0 (x86_64-unknown-linux-gnu)

Operating system

Ubuntu 22.04.4 LTS
Linux 5.15.0-125-generic #135-Ubuntu SMP Fri Sep 27 13:53:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

I did this

Added the following lines to CMakeLists.txt to build with Thread Sanitizer.

set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=thread -fno-omit-frame-pointer")
# CMAKE_LINKER_FLAGS is not a CMake variable; CMAKE_EXE_LINKER_FLAGS is the one the link step reads
set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fsanitize=thread -fno-omit-frame-pointer")
set(CMAKE_EXPORT_COMPILE_COMMANDS ON)

Configured and built the project.

mkdir build && cd build
cmake -DCMAKE_BUILD_TYPE=DEBUG -Wno-dev ..
cmake --build . -- -j16

Launched executable without arguments.
./FlexFringe/build/runtests

I expected the following

No heap-use-after-free reported by TSan

I got the following

WARNING: ThreadSanitizer: heap-use-after-free (pid=606)
  Write of size 8 at 0x7b0400000730 by main thread:
    #0 inputdata::process_symbol_attributes(symbol_info&, tail*) /home/FlexFringe/source/input/inputdata.cpp:382 (runtests+0x2c79d1)
    #1 inputdata::process_symbol_info(symbol_info&, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, trace*, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, trace*> > >&) /home/FlexFringe/source/input/inputdata.cpp:81 (runtests+0x2c59d5)
    #2 read_all::consume_all(parser&, inputdata&) /home/FlexFringe/source/input/parsers/reader_strategy.cpp:34 (runtests+0x2ec3cb)
    #3 read_all::read(parser&, inputdata&) /home/FlexFringe/source/input/parsers/reader_strategy.cpp:11 (runtests+0x2ec214)
    #4 inputdata::read_trace(parser&, reader_strategy&) /home/FlexFringe/source/input/inputdata.cpp:394 (runtests+0x2c7ac1)
    #5 inputdata::read(parser*) /home/FlexFringe/source/input/inputdata.cpp:13 (runtests+0x2c5419)
    #6 C_A_T_C_H_T_E_S_T_10 /home/FlexFringe/tests/testinputdata.cpp:174 (runtests+0x1ef69c)
    #7 Catch::TestInvokerAsFunction::invoke() const /home/FlexFringe/source/utility/catch.hpp:14332 (runtests+0x8d3fe)
    #8 Catch::TestCase::invoke() const /home/FlexFringe/source/utility/catch.hpp:14171 (runtests+0x8c09e)
    #9 Catch::RunContext::invokeActiveTestCase() /home/FlexFringe/source/utility/catch.hpp:13027 (runtests+0x85a6e)
    #10 Catch::RunContext::runCurrentTest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /home/FlexFringe/source/utility/catch.hpp:13000 (runtests+0x85711)
    #11 Catch::RunContext::runTest(Catch::TestCase const&) /home/FlexFringe/source/utility/catch.hpp:12761 (runtests+0x83b0f)
    #12 execute /home/FlexFringe/source/utility/catch.hpp:13354 (runtests+0x87599)
    #13 Catch::Session::runInternal() /home/FlexFringe/source/utility/catch.hpp:13564 (runtests+0x88f85)
    #14 Catch::Session::run() /home/FlexFringe/source/utility/catch.hpp:13520 (runtests+0x88b7e)
    #15 int Catch::Session::run<char>(int, char const* const*) /home/FlexFringe/source/utility/catch.hpp:13238 (runtests+0xb6a37)
    #16 main /home/FlexFringe/source/utility/catch.hpp:17537 (runtests+0xa2f5d)

  Previous write of size 8 at 0x7b0400000730 by main thread:
    #0 operator delete(void*, unsigned long) ../../../../src/libsanitizer/tsan/tsan_new_delete.cpp:150 (libtsan.so.2+0x86c3d)
    #1 std::__new_allocator<char>::deallocate(char*, unsigned long) /usr/include/c++/12/bits/new_allocator.h:158 (runtests+0xf5170)
    #2 std::allocator<char>::deallocate(char*, unsigned long) /usr/include/c++/12/bits/allocator.h:200 (runtests+0xced93)
    #3 std::allocator_traits<std::allocator<char> >::deallocate(std::allocator<char>&, char*, unsigned long) /usr/include/c++/12/bits/alloc_traits.h:496 (runtests+0xced93)
    #4 std::_Vector_base<char, std::allocator<char> >::_M_deallocate(char*, unsigned long) /usr/include/c++/12/bits/stl_vector.h:387 (runtests+0x12e53f)
    #5 std::_Vector_base<char, std::allocator<char> >::~_Vector_base() /usr/include/c++/12/bits/stl_vector.h:366 (runtests+0x49e41)
    #6 std::vector<char, std::allocator<char> >::~vector() /usr/include/c++/12/bits/stl_vector.h:733 (runtests+0x482e4)
    #7 csv::CSVFormat::~CSVFormat() /home/FlexFringe/source/utility/csv.hpp:4917 (runtests+0x5abcd)
    #8 C_A_T_C_H_T_E_S_T_10 /home/FlexFringe/tests/testinputdata.cpp:172 (runtests+0x1ef683)
    #9 Catch::TestInvokerAsFunction::invoke() const /home/FlexFringe/source/utility/catch.hpp:14332 (runtests+0x8d3fe)
    #10 Catch::TestCase::invoke() const /home/FlexFringe/source/utility/catch.hpp:14171 (runtests+0x8c09e)
    #11 Catch::RunContext::invokeActiveTestCase() /home/FlexFringe/source/utility/catch.hpp:13027 (runtests+0x85a6e)
    #12 Catch::RunContext::runCurrentTest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /home/FlexFringe/source/utility/catch.hpp:13000 (runtests+0x85711)
    #13 Catch::RunContext::runTest(Catch::TestCase const&) /home/FlexFringe/source/utility/catch.hpp:12761 (runtests+0x83b0f)
    #14 execute /home/FlexFringe/source/utility/catch.hpp:13354 (runtests+0x87599)
    #15 Catch::Session::runInternal() /home/FlexFringe/source/utility/catch.hpp:13564 (runtests+0x88f85)
    #16 Catch::Session::run() /home/FlexFringe/source/utility/catch.hpp:13520 (runtests+0x88b7e)
    #17 int Catch::Session::run<char>(int, char const* const*) /home/FlexFringe/source/utility/catch.hpp:13238 (runtests+0xb6a37)
    #18 main /home/FlexFringe/source/utility/catch.hpp:17537 (runtests+0xa2f5d)

  Location is heap block of size 0 at 0x7b0400000730 allocated by main thread:
    #0 operator new[](unsigned long) ../../../../src/libsanitizer/tsan/tsan_new_delete.cpp:70 (libtsan.so.2+0x87423)
    #1 std::__detail::_MakeUniq<double []>::__array std::make_unique<double []>(unsigned long) /usr/include/c++/12/bits/unique_ptr.h:1080 (runtests+0x2a97e8)
    #2 tail_data::tail_data() /home/FlexFringe/source/input/tail.cpp:180 (runtests+0x2a9116)
    #3 void std::_Construct<tail_data>(tail_data*) /usr/include/c++/12/bits/stl_construct.h:119 (runtests+0x2aa923)
    #4 void std::allocator_traits<std::allocator<void> >::construct<tail_data>(std::allocator<void>&, tail_data*) /usr/include/c++/12/bits/alloc_traits.h:635 (runtests+0x2aa813)
    #5 std::_Sp_counted_ptr_inplace<tail_data, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_Sp_counted_ptr_inplace<>(std::allocator<void>) /usr/include/c++/12/bits/shared_ptr_base.h:604 (runtests+0x2aa45d)
    #6 std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<tail_data, std::allocator<void>>(tail_data*&, std::_Sp_alloc_shared_tag<std::allocator<void> >) /usr/include/c++/12/bits/shared_ptr_base.h:971 (runtests+0x2a9ffc)
    #7 std::__shared_ptr<tail_data, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<void>>(std::_Sp_alloc_shared_tag<std::allocator<void> >) /usr/include/c++/12/bits/shared_ptr_base.h:1712 (runtests+0x2a9cee)
    #8 std::shared_ptr<tail_data>::shared_ptr<std::allocator<void>>(std::_Sp_alloc_shared_tag<std::allocator<void> >) /usr/include/c++/12/bits/shared_ptr.h:464 (runtests+0x2a993b)
    #9 std::shared_ptr<tail_data> std::make_shared<tail_data>() /usr/include/c++/12/bits/shared_ptr.h:1010 (runtests+0x2a956c)
    #10 tail::tail(tail*) /home/FlexFringe/source/input/tail.cpp:74 (runtests+0x2a864e)
    #11 mem_store::create_tail(tail*) /home/FlexFringe/source/mem_store.cpp:191 (runtests+0x290f06)
    #12 inputdata::make_tail(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /home/FlexFringe/source/input/inputdata.cpp:310 (runtests+0x2c70ca)
    #13 inputdata::process_symbol_info(symbol_info&, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, trace*, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, trace*> > >&) /home/FlexFringe/source/input/inputdata.cpp:80 (runtests+0x2c598d)
    #14 read_all::consume_all(parser&, inputdata&) /home/FlexFringe/source/input/parsers/reader_strategy.cpp:34 (runtests+0x2ec3cb)
    #15 read_all::read(parser&, inputdata&) /home/FlexFringe/source/input/parsers/reader_strategy.cpp:11 (runtests+0x2ec214)
    #16 inputdata::read_trace(parser&, reader_strategy&) /home/FlexFringe/source/input/inputdata.cpp:394 (runtests+0x2c7ac1)
    #17 inputdata::read(parser*) /home/FlexFringe/source/input/inputdata.cpp:13 (runtests+0x2c5419)
    #18 C_A_T_C_H_T_E_S_T_10 /home/FlexFringe/tests/testinputdata.cpp:174 (runtests+0x1ef69c)
    #19 Catch::TestInvokerAsFunction::invoke() const /home/FlexFringe/source/utility/catch.hpp:14332 (runtests+0x8d3fe)
    #20 Catch::TestCase::invoke() const /home/FlexFringe/source/utility/catch.hpp:14171 (runtests+0x8c09e)
    #21 Catch::RunContext::invokeActiveTestCase() /home/FlexFringe/source/utility/catch.hpp:13027 (runtests+0x85a6e)
    #22 Catch::RunContext::runCurrentTest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /home/FlexFringe/source/utility/catch.hpp:13000 (runtests+0x85711)
    #23 Catch::RunContext::runTest(Catch::TestCase const&) /home/FlexFringe/source/utility/catch.hpp:12761 (runtests+0x83b0f)
    #24 execute /home/FlexFringe/source/utility/catch.hpp:13354 (runtests+0x87599)
    #25 Catch::Session::runInternal() /home/FlexFringe/source/utility/catch.hpp:13564 (runtests+0x88f85)
    #26 Catch::Session::run() /home/FlexFringe/source/utility/catch.hpp:13520 (runtests+0x88b7e)
    #27 int Catch::Session::run<char>(int, char const* const*) /home/FlexFringe/source/utility/catch.hpp:13238 (runtests+0xb6a37)
    #28 main /home/FlexFringe/source/utility/catch.hpp:17537 (runtests+0xa2f5d)

SUMMARY: ThreadSanitizer: heap-use-after-free /home/FlexFringe/source/input/inputdata.cpp:382 in inputdata::process_symbol_attributes(symbol_info&, tail*)
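The report above pairs a heap block of size 0 (a `std::make_unique<double[]>` call) with an 8-byte write into it, so as an added illustration, not FlexFringe's code, here is that pattern in miniature next to a size-tracking variant that rejects the store. The `attrs_unchecked` and `attrs_checked` names and the zero attribute count are assumptions made for the example.

```cpp
// Added example, not code from FlexFringe. Models an object that owns a
// double[] sized by an attribute count; when that count is 0 the allocation
// is a zero-size heap block and storing a double through index 0 writes past
// its end, which a sanitizer attributes to whatever last occupied the address.
#include <cstddef>
#include <memory>

// Unchecked form: the array size is forgotten once allocated, so a store
// through an index is undefined behaviour whenever i >= n (including n == 0).
struct attrs_unchecked {
    std::unique_ptr<double[]> values;
    explicit attrs_unchecked(std::size_t n) : values(std::make_unique<double[]>(n)) {}
    void set(std::size_t i, double v) { values[i] = v; }  // no bounds check
};

// Hardened form: keep the size next to the buffer and refuse out-of-range
// accesses instead of writing into a zero-size block or past the end.
class attrs_checked {
public:
    explicit attrs_checked(std::size_t n)
        : size_(n), values_(n ? std::make_unique<double[]>(n) : nullptr) {}

    // Returns false instead of writing when i is not a valid slot.
    bool set(std::size_t i, double v) {
        if (i >= size_) return false;
        values_[i] = v;
        return true;
    }

    // Returns false (and leaves out untouched) when i is not a valid slot.
    bool get(std::size_t i, double& out) const {
        if (i >= size_) return false;
        out = values_[i];
        return true;
    }

    std::size_t size() const { return size_; }

private:
    std::size_t size_;
    std::unique_ptr<double[]> values_;
};

// Replays the report's sequence with the checked type: attributes sized from
// a count of 0, then a store at index 0. Returns true if the store is refused.
bool store_is_rejected_for_zero_attributes() {
    attrs_checked a(0);
    return !a.set(0, 1.0);
}
```

An AddressSanitizer build (-fsanitize=address, which cannot be combined with -fsanitize=thread in the same build) reports the unchecked store as an out-of-bounds access rather than a use-after-free, which is one way to tell the two apart.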

