[Gc] Address Sanitizer reports stack underflow
Hanno Böck
2016-01-24 13:40:26 UTC
Hi,

When trying to compile boehm-gc with address sanitizer it reports a
stack underflow in the function GC_push_all_eager().

I am not sure if this is a bug or if boehm-gc is in principle unable to
work with address sanitizer (as asan is basically intercepting memory
management and boehm-gc is supposed to be a replacement for existing
memory management). But I haven't found it reported elsewhere and am
unsure.

The bug appears as soon as one calls GC_INIT() (tested with gc-7.4.2).
It can also be triggered by running the test suite:
./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"
make
make check

The asan errors will be in test-suite.log.

This is an example for such an error:
==2112==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffc1e6284a0 at pc 0x7fa4a24bcd14 bp 0x7ffc1e6283d0 sp 0x7ffc1e6283c0
READ of size 8 at 0x7ffc1e6284a0 thread T0
#0 0x7fa4a24bcd13 in GC_push_all_eager /mnt/ram/asan/gc-7.4.2/mark.c:1509
#1 0x7fa4a24bf26d in GC_push_current_stack /mnt/ram/asan/gc-7.4.2/mark_rts.c:664
#2 0x7fa4a24b2357 in GC_with_callee_saves_pushed /mnt/ram/asan/gc-7.4.2/mach_dep.c:296
#3 0x7fa4a24bf2d9 in GC_push_regs_and_stack /mnt/ram/asan/gc-7.4.2/mark_rts.c:741
#4 0x7fa4a24bf509 in GC_push_roots /mnt/ram/asan/gc-7.4.2/mark_rts.c:813
#5 0x7fa4a24b835d in GC_mark_some /mnt/ram/asan/gc-7.4.2/mark.c:352
#6 0x7fa4a24a21ad in GC_stopped_mark /mnt/ram/asan/gc-7.4.2/alloc.c:637
#7 0x7fa4a24a1b30 in GC_try_to_collect_inner /mnt/ram/asan/gc-7.4.2/alloc.c:456
#8 0x7fa4a24c188c in GC_init /mnt/ram/asan/gc-7.4.2/misc.c:1199
#9 0x401170 in main tests/disclaim_bench.c:92
#10 0x7fa4a1ce962f in __libc_start_main (/lib64/libc.so.6+0x2062f)
#11 0x400da8 in _start (/mnt/ram/asan/gc-7.4.2/.libs/disclaim_bench+0x400da8)

Address 0x7ffc1e6284a0 is located in stack of thread T0 at offset 0 in frame
#0 0x7fa4a24b2186 in GC_with_callee_saves_pushed /mnt/ram/asan/gc-7.4.2/mach_dep.c:215

This frame has 4 object(s):
[32, 34) 'old_fcw'
[96, 100) 'dummy'
[160, 164) 'mxcsr'
[224, 1160) 'ctxt'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /mnt/ram/asan/gc-7.4.2/mark.c:1509 GC_push_all_eager
Shadow bytes around the buggy address:
0x100003cbd040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003cbd050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003cbd060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003cbd070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003cbd080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100003cbd090: 00 00 00 00[f1]f1 f1 f1 02 f4 f4 f4 f2 f2 f2 f2
0x100003cbd0a0: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
0x100003cbd0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003cbd0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003cbd0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003cbd0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==2112==ABORTING
--
Hanno Böck
http://hboeck.de/

mail/jabber: ***@hboeck.de
GPG: BBB51E42
Florian Weimer
2016-01-24 19:29:04 UTC
Post by Hanno Böck
I am not sure if this is a bug or if boehm-gc is in principle unable to
work with address sanitizer (as asan is basically intercepting memory
management and boehm-gc is supposed to be a replacement for existing
memory management). But I haven't found it reported elsewhere and am
unsure.
The collector needs to scan the stack to find potential roots. It
will necessarily hit undefined areas not corresponding to on-stack
objects. The stack scan would have to be performed in a way that
bypasses Address Sanitizer, or the collector would have to obtain an
explicit list of stack frames from Address Sanitizer.
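An added example, not code from bdwgc or from either poster, showing the conflict Florian describes: a conservative scan reads every word of the stack, so under ASan it touches the redzones between locals (the gaps between 'old_fcw', 'dummy', 'mxcsr' and 'ctxt' in the report above). The scanner here is excluded from instrumentation with the GCC/Clang no_sanitize_address attribute, one way to bypass ASan for the scan; whether bdwgc's later fix took exactly this route is not stated in this thread. Names, the demo object and the build flags are this example's own assumptions.

```c
/* Added example, not bdwgc's code: a minimal conservative stack scan of the
 * kind GC_push_all_eager performs, and why AddressSanitizer objects to it.
 * Assumes GCC/Clang and a word-aligned stack (x86-64, AArch64).  Build with
 * cc -fsanitize=address scan.c, run with ASAN_OPTIONS=detect_stack_use_after_return=0
 * (ASan's fake stack moves locals off the real stack, defeating any stack
 * scan); remove NO_SANITIZE_ADDRESS below to see the stack-buffer report. */
#include <stdint.h>
#include <stdio.h>

/* The scanner reads every word between two stack addresses, redzones between
 * locals included; excluding it from instrumentation silences ASan's checks. */
#define NO_SANITIZE_ADDRESS __attribute__((no_sanitize_address))

/* Count the word-sized slots in [lo, hi) whose value equals `target`. */
NO_SANITIZE_ADDRESS
static size_t scan_words(uintptr_t lo, uintptr_t hi, uintptr_t target)
{
    size_t hits = 0;
    lo &= ~(uintptr_t)(sizeof(uintptr_t) - 1);   /* align down to a word */
    for (uintptr_t p = lo; p + sizeof(uintptr_t) <= hi; p += sizeof(uintptr_t))
        if (*(const volatile uintptr_t *)p == target)
            hits++;
    return hits;
}

/* Scan from this frame up to `stack_base` (an address in a caller's frame)
 * for a word equal to `candidate`.  noinline keeps `marker` in its own frame. */
NO_SANITIZE_ADDRESS __attribute__((noinline))
static size_t stack_references(const volatile void *stack_base, const void *candidate)
{
    volatile uintptr_t marker = 0;             /* an address inside this frame */
    uintptr_t lo = (uintptr_t)&marker, hi = (uintptr_t)stack_base;
    if (lo > hi) { uintptr_t t = lo; lo = hi; hi = t; }   /* either growth direction */
    return scan_words(lo, hi, (uintptr_t)candidate);
}

/* Hold `obj` in a volatile stack slot (so it is not register-only) and report
 * whether the scan finds that slot: 1 if found, 0 if not. */
int caller_holds_pointer(const void *obj)
{
    const void *volatile keep = obj;
    const volatile char *end = (const volatile char *)&keep + sizeof keep;
    return stack_references(end, obj) > 0;
}
static int demo_object;   /* constructed object referenced only from the stack */
int main(void)
{
    printf("stack root found: %d\n", caller_holds_pointer(&demo_object));
    return 0;
}
```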
Florian Weimer
2016-11-16 21:09:20 UTC
AddressSanitizer, MemorySanitizer are supported now by bdwgc (master
branch) if compiled by clang. This commit fixed the issues outlined by
Florian -
https://github.com/ivmai/bdwgc/commit/ce75cf115b8739632fd54bf4a64745749ab13299
 
UnexpectedBehaviorSanitizer is also supported by bdwgc (both gcc and clang).
Thanks for working on this, Ivan.
