Use-after-return in bind #993

Open
msimberg opened this issue Jan 22, 2024 · 0 comments
Labels
effort: 3 A few days of work. effort: 4 A few weeks of work. effort: 5 Who knows how long it'll take? This must be split into smaller tasks. priority: medium This should be done sooner or later. type: bug

Comments

@msimberg (Contributor)

Sometimes reported by AddressSanitizer, e.g. in the thread_stacksize_current test:

=================================================================
==6427==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fdc770c2920 at pc 0x7fdc7f9cc7b4 bp 0x7fdc770c28d0 sp 0x7fdc770c28c8
WRITE of size 16 at 0x7fdc770c2920 thread T3
    #0 0x7fdc7f9cc7b3 in pika::util::detail::invoke_bound_result<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*&)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack<pika::runtime*&, pika::util::detail::function<int ()>&, int&, bool&>, pika::threads::detail::thread_restart_state&&>::type pika::util::detail::bound<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack_c<unsigned long, 0ul, 1ul, 2ul, 3ul>, pika::runtime*, pika::util::detail::function<int ()>, int&, bool>::operator()<pika::threads::detail::thread_restart_state>(pika::threads::detail::thread_restart_state&&) & /__w/pika/pika/libs/pika/functional/include/pika/functional/bind.hpp:123:20
    #1 0x7fdc7f9cc5e5 in std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> pika::util::detail::callable_vtable<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::threads::detail::thread_restart_state)>::_invoke<pika::util::detail::bound<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack_c<unsigned long, 0ul, 1ul, 2ul, 3ul>, pika::runtime*, pika::util::detail::function<int ()>, int&, bool> >(void*, pika::threads::detail::thread_restart_state&&) /__w/pika/pika/libs/pika/functional/include/pika/functional/detail/vtable/callable_vtable.hpp:88:20
    #2 0x7fdc7f5999a3 in pika::util::detail::basic_function<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::threads::detail::thread_restart_state), false>::operator()(pika::threads::detail::thread_restart_state) const /__w/pika/pika/libs/pika/functional/include/pika/functional/detail/basic_function.hpp:199:20
    #3 0x7fdc7f5999a3 in pika::threads::coroutines::detail::coroutine_impl::operator()() /__w/pika/pika/libs/pika/coroutines/src/detail/coroutine_impl.cpp:71:35
    #4 0x7fdc7f595ff0 in void pika::threads::coroutines::detail::lx::trampoline<pika::threads::coroutines::detail::coroutine_impl>(void*) /__w/pika/pika/libs/pika/coroutines/include/pika/coroutines/detail/context_linux_x86.hpp:93:13

Address 0x7fdc770c2920 is located in stack of thread T3 at offset 64 in frame
    #0 0x7fdc7f9cc5ff in pika::util::detail::invoke_bound_result<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*&)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack<pika::runtime*&, pika::util::detail::function<int ()>&, int&, bool&>, pika::threads::detail::thread_restart_state&&>::type pika::util::detail::bound<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack_c<unsigned long, 0ul, 1ul, 2ul, 3ul>, pika::runtime*, pika::util::detail::function<int ()>, int&, bool>::operator()<pika::threads::detail::thread_restart_state>(pika::threads::detail::thread_restart_state&&) & /__w/pika/pika/libs/pika/functional/include/pika/functional/bind.hpp:122

  This frame has 2 object(s):
    [32, 48) 'ref.tmp' (line 123)
    [64, 80) 'coerce' <== Memory access at offset 64 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T3 created by T0 here:
    #0 0x55b74d7472dc in pthread_create (/__w/pika/pika/build/bin/thread_stacksize_current_test+0x1b92dc) (BuildId: 2ddf9c86fb33001c)
    #1 0x7fdc7deb0328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #2 0x7fdc7fac9550 in pika::threads::detail::scheduled_thread_pool<pika::threads::detail::local_priority_queue_scheduler<std::mutex, pika::threads::detail::lockfree_fifo, pika::threads::detail::lockfree_fifo, pika::threads::detail::lockfree_lifo> >::add_processing_unit_internal(unsigned long, unsigned long, std::shared_ptr<pika::concurrency::detail::barrier>, pika::error_code&) /__w/pika/pika/libs/pika/thread_pools/include/pika/thread_pools/scheduled_thread_pool_impl.hpp:1312:31
    #3 0x7fdc7fac62c8 in pika::threads::detail::scheduled_thread_pool<pika::threads::detail::local_priority_queue_scheduler<std::mutex, pika::threads::detail::lockfree_fifo, pika::threads::detail::lockfree_fifo, pika::threads::detail::lockfree_lifo> >::run(std::unique_lock<std::mutex>&, unsigned long) /__w/pika/pika/libs/pika/thread_pools/include/pika/thread_pools/scheduled_thread_pool_impl.hpp:304:17
    #4 0x7fdc7ff5d2be in pika::threads::detail::thread_manager::run() /__w/pika/pika/libs/pika/thread_manager/src/thread_manager.cpp:832:29
    #5 0x7fdc7f94b5dd in pika::runtime::start(pika::util::detail::function<int ()> const&, bool) /__w/pika/pika/libs/pika/runtime/src/runtime.cpp:1148:26
    #6 0x7fdc7f955d5d in pika::runtime::run(pika::util::detail::function<int ()> const&) /__w/pika/pika/libs/pika/runtime/src/runtime.cpp:1423:9
    #7 0x7fdc7f74d3a5 in pika::detail::run(pika::runtime&, pika::util::detail::function<int (pika::program_options::variables_map&)> const&, pika::program_options::variables_map&, std::function<void ()>, std::function<void ()>) /__w/pika/pika/libs/pika/init_runtime/src/init_runtime.cpp:198:39
    #8 0x7fdc7f74e684 in pika::detail::run_or_start(bool, std::unique_ptr<pika::runtime, std::default_delete<pika::runtime> >, pika::detail::command_line_handling&, std::function<void ()>, std::function<void ()>) /__w/pika/pika/libs/pika/init_runtime/src/init_runtime.cpp:229:24
    #9 0x7fdc7f7525c8 in pika::detail::run_or_start(pika::util::detail::function<int (pika::program_options::variables_map&)> const&, int, char const* const*, pika::init_params const&, bool) /__w/pika/pika/libs/pika/init_runtime/src/init_runtime.cpp:344:20
    #10 0x7fdc7f752bb2 in pika::detail::init_start_impl(pika::util::detail::function<int (pika::program_options::variables_map&)>, int, char const* const*, pika::init_params const&, bool) /__w/pika/pika/libs/pika/init_runtime/src/init_runtime.cpp:366:20
    #11 0x7fdc7f75344e in pika::init(std::function<int ()>, int, char const* const*, pika::init_params const&) /__w/pika/pika/libs/pika/init_runtime/src/init_runtime.cpp:388:16
    #12 0x55b74d79dc5a in main /__w/pika/pika/libs/pika/threading_base/tests/regressions/thread_stacksize_current.cpp:85:9
    #13 0x7fdc7daced8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

SUMMARY: AddressSanitizer: stack-use-after-scope /__w/pika/pika/libs/pika/functional/include/pika/functional/bind.hpp:123:20 in pika::util::detail::invoke_bound_result<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*&)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack<pika::runtime*&, pika::util::detail::function<int ()>&, int&, bool&>, pika::threads::detail::thread_restart_state&&>::type pika::util::detail::bound<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack_c<unsigned long, 0ul, 1ul, 2ul, 3ul>, pika::runtime*, pika::util::detail::function<int ()>, int&, bool>::operator()<pika::threads::detail::thread_restart_state>(pika::threads::detail::thread_restart_state&&) &
Shadow bytes around the buggy address:
  0x0ffc0ee104d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee104e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee104f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee10500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee10510: f1 f1 f1 f1 f8 f8 f8 f2 f2 f2 f2 f2 f1 f1 f1 f1
=>0x0ffc0ee10520: 00 00 f2 f2[f8]f8 f3 f3 f2 f2 f2 f2 f8 f8 f8 f8
  0x0ffc0ee10530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee10540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee10550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee10560: f1 f1 f1 f1 01 f2 00 00 f2 f2 f8 f2 00 f2 f2 f2
  0x0ffc0ee10570: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6427==ABORTING

detect_stack_use_after_return is currently disabled (see #992) and the particular member function triggering this is suppressed in #972.
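For readers who have not met this bug class before, the following is an added illustration, not pika's code and not a reproduction of the trace above: a minimal bind-like wrapper that keeps references to the caller's temporaries, which is exactly the kind of access AddressSanitizer labels stack-use-after-scope (or stack-use-after-return once the frame that owned the temporaries has returned), beside the hardened form that stores bound arguments by value the way std::bind does. Every name in it (bound, naive_bind, safe_bind, add, bump, TRIGGER_ASAN) is invented for the example.

```cpp
// Added example, not pika's code: a bind-like wrapper that keeps references to
// the caller's temporaries (the bug class ASan reports as stack-use-after-scope
// or stack-use-after-return), beside a version that stores by value.  All names
// here (bound, naive_bind, safe_bind, add, bump) are invented for this example.
// Requires C++17.
#include <cassert>
#include <functional>
#include <tuple>
#include <type_traits>
#include <utility>

// Minimal bind result: a callable plus its bound arguments, invoked later with
// any extra arguments appended (like std::bind without placeholders).
template <class F, class... Bound>
struct bound {
    using args_type = std::tuple<Bound...>;
    F f;
    args_type args;

    template <class... Extra>
    decltype(auto) operator()(Extra&&... extra) {
        return std::apply(
            [&](auto&... a) -> decltype(auto) {
                return std::invoke(f, a..., std::forward<Extra>(extra)...);
            },
            args);
    }
};

// BUGGY: Bound is deduced from the forwarding references, so naive_bind(add, 40, 2)
// yields bound<..., int&&, int&&>.  The tuple holds references to the
// temporaries 40 and 2, which live in the caller's stack frame only until the
// end of the full-expression.  Every later call through the bound object touches
// those dead slots; ASan reports it as stack-use-after-scope (or
// stack-use-after-return once the creating frame has returned).
template <class F, class... Args>
bound<std::decay_t<F>, Args&&...> naive_bind(F&& f, Args&&... args) {
    return {std::forward<F>(f), std::forward_as_tuple(std::forward<Args>(args)...)};
}

// HARDENED: decay each bound argument so it is copied/moved into the object
// (what std::bind does).  A caller who really wants a reference says so with
// std::ref, whose reference_wrapper survives the decay and makes the caller
// responsible for the referent's lifetime.
template <class F, class... Args>
bound<std::decay_t<F>, std::decay_t<Args>...> safe_bind(F&& f, Args&&... args) {
    return {std::forward<F>(f),
            std::tuple<std::decay_t<Args>...>(std::forward<Args>(args)...)};
}

int add(int a, int b) { return a + b; }
void bump(int& counter, int by) { counter += by; }

// Inspect what a wrapper stores for its first bound argument.  This is a pure
// type query, so the dangling access in naive_bind is never executed.
template <class B>
constexpr bool stores_first_arg_by_reference() {
    return std::is_reference_v<std::tuple_element_t<0, typename B::args_type>>;
}

constexpr bool naive_bind_dangles() {
    using B = decltype(naive_bind(add, 40, 2));   // bound<int(*)(int,int), int&&, int&&>
    return stores_first_arg_by_reference<B>();    // true: references into dead temporaries
}

constexpr bool safe_bind_copies() {
    using B = decltype(safe_bind(add, 40, 2));    // bound<int(*)(int,int), int, int>
    return !stores_first_arg_by_reference<B>();   // true: values live inside the object
}

int call_safe_add() {
    auto f = safe_bind(add, 40, 2);   // 40 and 2 are copied into f
    return f();                       // 42, no dangling reference
}

int call_safe_bump() {
    int counter = 0;
    auto f = safe_bind(bump, std::ref(counter), 5);   // explicit reference, caller owns lifetime
    f();
    f();
    return counter;                                   // 10
}

int main() {
    static_assert(naive_bind_dangles(), "naive_bind stores references to temporaries");
    static_assert(safe_bind_copies(), "safe_bind stores copies");
#ifdef TRIGGER_ASAN
    // Build with -fsanitize=address -DTRIGGER_ASAN to see the report.  This is
    // deliberate undefined behaviour: 40 and 2 are gone by the time f() runs.
    auto f = naive_bind(add, 40, 2);
    return f() == 42 ? 0 : 1;
#else
    return (call_safe_add() == 42 && call_safe_bump() == 10) ? 0 : 1;
#endif
}
```

Build with `g++ -std=c++17 -fsanitize=address -DTRIGGER_ASAN` (or clang++) and run it to get the report; the after-return variant additionally needs `ASAN_OPTIONS=detect_stack_use_after_return=1`, the option the comment above refers to. One caveat the HINT line in the report spells out: when the invocation runs on a stack the program switched to itself, as the coroutine trampoline frames in the trace do, ASan can only keep its stack-scope bookkeeping straight if the runtime marks the switch with the sanitizer's fiber annotations (`__sanitizer_start_switch_fiber` / `__sanitizer_finish_switch_fiber`), so a report from inside a context switch is worth confirming in a plain, unswitched reproduction like this one before it is treated as a real dangling reference.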
