
`netlib_test_integral` test fails run with Address Sanitizer #1478

Open
seanm opened this issue Dec 7, 2019 · 0 comments
@seanm seanm commented Dec 7, 2019

I gave it a try, but it's not trivial, or I'm just not seeing it. So here's the output running it in lldb under ASan:

builder16:ITK-AppleClang-dbg-ASanUBSan builder$ lldb -- /Users/builder/external/ITK-AppleClang-dbg-ASanUBSan/bin/netlib_integral_test
(lldb) target create "/Users/builder/external/ITK-AppleClang-dbg-ASanUBSan/bin/netlib_integral_test"
Current executable set to '/Users/builder/external/ITK-AppleClang-dbg-ASanUBSan/bin/netlib_integral_test' (x86_64).
(lldb) r
Process 43691 launched: '/Users/builder/external/ITK-AppleClang-dbg-ASanUBSan/bin/netlib_integral_test' (x86_64)
simpson integral of x/(1+x^2) from 0 to 1 (100 grids) is 0.3465735903
=================================================================
==43691==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeefbfd378 at pc 0x0001000044be bp 0x7ffeefbfce10 sp 0x7ffeefbfce08
READ of size 8 at 0x7ffeefbfd378 thread T0
2019-12-07 17:33:17.116382-0500 atos[43694:1803107] examining /Users/USER/*/netlib_integral_test [43691]
2019-12-07 17:33:17.554432-0500 atos[43695:1803117] examining /Users/USER/*/netlib_integral_test [43691]
    #0 0x1000044bd in v3p_netlib_refine_ adaquad.c:217
    #1 0x10000347d in v3p_netlib_adaptquad_ adaquad.c:83
    #2 0x100001ed0 in test_adapted_simpson_integral integral-test.c:32
    #3 0x1000022bd in main integral-test.c:53
    #4 0x7fff685673d4 in start (libdyld.dylib:x86_64+0x163d4)

Address 0x7ffeefbfd378 is located in stack of thread T0 at offset 152 in frame
    #0 0x100001c0f in test_adapted_simpson_integral integral-test.c:22

  This frame has 8 object(s):
    [32, 40) 'a' (line 23)
    [64, 72) 'b' (line 24)
    [96, 104) 'res' (line 25)
    [128, 136) 'n' (line 26)
    [160, 9048) 'rmat' (line 27) <== Memory access at offset 152 underflows this variable
    [9312, 9320) 'tol' (line 28)
    [9344, 9352) 'errbound' (line 29)
    [9376, 9384) 'stat' (line 30)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow adaquad.c:217 in v3p_netlib_refine_
Shadow bytes around the buggy address:
  0x1fffddf7fa10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffddf7fa20: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
  0x1fffddf7fa30: 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3
  0x1fffddf7fa40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffddf7fa50: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x1fffddf7fa60: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2[f2]
  0x1fffddf7fa70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffddf7fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffddf7fa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffddf7faa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffddf7fab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==43691==ABORTING
(lldb) AddressSanitizer report breakpoint hit. Use 'thread info -s' to get extended information about the report.
Process 43691 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = Stack buffer overflow
    frame #0: 0x0000000100134e40 libclang_rt.asan_osx_dynamic.dylib`__asan::AsanDie()
libclang_rt.asan_osx_dynamic.dylib`__asan::AsanDie:
->  0x100134e40 <+0>: pushq  %rbp
    0x100134e41 <+1>: movq   %rsp, %rbp
    0x100134e44 <+4>: pushq  %rbx
    0x100134e45 <+5>: pushq  %rax
Target 0: (netlib_integral_test) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = Stack buffer overflow
  * frame #0: 0x0000000100134e40 libclang_rt.asan_osx_dynamic.dylib`__asan::AsanDie()
    frame #1: 0x000000010014ab5f libclang_rt.asan_osx_dynamic.dylib`__sanitizer::Die() + 175
    frame #2: 0x0000000100132c89 libclang_rt.asan_osx_dynamic.dylib`__asan::ScopedInErrorReport::~ScopedInErrorReport() + 409
    frame #3: 0x0000000100132493 libclang_rt.asan_osx_dynamic.dylib`__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 387
    frame #4: 0x00000001001331eb libclang_rt.asan_osx_dynamic.dylib`__asan_report_load8 + 43
    frame #5: 0x00000001000044be netlib_integral_test`v3p_netlib_refine_(f=(netlib_integral_test`f at integral-test.c:6), p=0x00007ffeefbfd160, srmat=0x00007ffeefbfd380, m=0x00007ffeefbfd360, state=0x00007ffeefbff780) at adaquad.c:217:38 [opt]
    frame #6: 0x000000010000347e netlib_integral_test`v3p_netlib_adaptquad_(f=(netlib_integral_test`f at integral-test.c:6), a=0x00007ffeefbfd300, b=0x00007ffeefbfd320, tol=0x00001fffddf7fef0, srmat=<unavailable>, integral=0x00007ffeefbfd340, errbdd=<unavailable>, m=<unavailable>, state=<unavailable>) at adaquad.c:83:13 [opt]
    frame #7: 0x0000000100001ed1 netlib_integral_test`test_adapted_simpson_integral at integral-test.c:32:3 [opt]
    frame #8: 0x00000001000022be netlib_integral_test`main at integral-test.c:53:3 [opt]
    frame #9: 0x00007fff685673d5 libdyld.dylib`start + 1

(lldb) fr sel 5
netlib_integral_test was compiled with optimization - stepping may behave oddly; variables may not be available.
frame #5: 0x00000001000044be netlib_integral_test`v3p_netlib_refine_(f=(netlib_integral_test`f at integral-test.c:6), p=0x00007ffeefbfd160, srmat=0x00007ffeefbfd380, m=0x00007ffeefbfd360, state=0x00007ffeefbff780) at adaquad.c:217:38 [opt]
   214 	/*<           DO K=1,11 >*/
   215 	            for (k = 1; k <= 11; ++k) {
   216 	/*<             SRmat(J, K) = SRmat(J - 1, K) >*/
-> 217 	                srmat[j + k * 101] = srmat[j - 1 + k * 101];
   218 	/*<           ENDDO >*/
   219 	            }
   220 	/*<         ENDDO >*/

It's the srmat buffer that's accessed out of bounds.

I considered regenerating the file from Fortran with a newer f2c, in case it's a conversion bug, but that doesn't seem trivial either.
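As an added triage helper (not code from this issue, from ITK or from v3p_netlib), the following parses the frame description in the ASan report above and turns "offset 152 underflows 'rmat' [160, 9048)" into an element index: the 8-byte read lands one double before the start of the array, and the array's 8888 bytes are 1111 = 101 × 11 doubles, which matches the `k * 101` stride and `K=1,11` loop at adaquad.c:217. The function name is an assumption; the sample report is a constructed copy of the lines quoted in this issue.

```python
import re

# Constructed sample: the frame description from the ASan report quoted in this issue.
ASAN_REPORT = """\
READ of size 8 at 0x7ffeefbfd378 thread T0
Address 0x7ffeefbfd378 is located in stack of thread T0 at offset 152 in frame
  This frame has 8 object(s):
    [32, 40) 'a' (line 23)
    [64, 72) 'b' (line 24)
    [96, 104) 'res' (line 25)
    [128, 136) 'n' (line 26)
    [160, 9048) 'rmat' (line 27) <== Memory access at offset 152 underflows this variable
    [9312, 9320) 'tol' (line 28)
    [9344, 9352) 'errbound' (line 29)
    [9376, 9384) 'stat' (line 30)
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)", re.M)

def locate_access(report, elem_size=None):
    """Map an ASan frame description to the variable and element index hit.
    elem_size defaults to the access size (8 here, i.e. a double)."""
    kind, size = ACCESS_RE.search(report).groups()
    size = int(size)
    elem_size = elem_size or size
    offset = int(OFFSET_RE.search(report).group(1))
    objects = [{"lo": int(lo), "hi": int(hi), "name": name, "line": int(line)}
               for lo, hi, name, line in OBJECT_RE.findall(report)]

    def gap(o):  # byte distance from the access to the object's [lo, hi) range
        return max(o["lo"] - offset, offset - (o["hi"] - 1), 0)

    obj = min(objects, key=gap)          # the object the access is nearest to
    delta = offset - obj["lo"]           # displacement from the object's start
    under = delta < 0
    return {
        "kind": kind, "name": obj["name"], "line": obj["line"],
        "direction": "underflow" if under else "overflow",
        "bytes_past": -delta if under else offset + size - obj["hi"],
        "index": delta // elem_size,     # floor division: -8 // 8 == -1
        "elements": (obj["hi"] - obj["lo"]) // elem_size,
    }

if __name__ == "__main__":
    r = locate_access(ASAN_REPORT)
    print(f"{r['kind']} hit '{r['name']}' (line {r['line']}): {r['direction']} by "
          f"{r['bytes_past']} bytes, element {r['index']} of {r['elements']}")
```

For this report it prints that the READ hit 'rmat' with an underflow of 8 bytes, element -1 of 1111, which is the first thing to check against the loop bounds before changing the f2c output.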

@seanm seanm added the type:Bug label Dec 7, 2019