
AddressSanitizer: container-overflow with expression evaluation #3400

Closed
springmeyer opened this issue Apr 12, 2016 · 4 comments
@springmeyer
Member

I built node+node-mapnik with -fsanitize=address and this line crashes: https://github.com/mapnik/node-mapnik/blob/6e44899659453c9d9761e0ac999588b70c959c71/test/expression.test.js#L47

/cc @artemp

=================================================================
==32704==ERROR: AddressSanitizer: container-overflow on address 0x6100000341d0 at pc 0x000106e211ba bp 0x7fff5fbf9c70 sp 0x7fff5fbf9c68
READ of size 8 at 0x6100000341d0 thread T0
    #0 0x106e211b9 in mapnik::util::variant<mapnik::value_null, bool, long long, double, icu_55::UnicodeString>::variant(mapnik::util::variant<mapnik::value_null, bool, long long, double, icu_55::UnicodeString> const&) (/Users/dane/projects/node-mapnik/lib/binding/node-v11-darwin-x64/mapnik.node+0x1771b9)
    #1 0x106e21137 in mapnik::value_adl_barrier::value::value(mapnik::value_adl_barrier::value const&) (/Users/dane/projects/node-mapnik/lib/binding/node-v11-darwin-x64/mapnik.node+0x177137)
    #2 0x106e210fc in mapnik::value_adl_barrier::value::value(mapnik::value_adl_barrier::value const&) (/Users/dane/projects/node-mapnik/lib/binding/node-v11-darwin-x64/mapnik.node+0x1770fc)
    #3 0x107184d4c in mapnik::evaluate<mapnik::feature_impl, mapnik::value_adl_barrier::value, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, mapnik::value_adl_barrier::value, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const, mapnik::value_adl_barrier::value> > > >::operator()(mapnik::attribute const&) const (/Users/dane/projects/node-mapnik/lib/binding/node-v11-darwin-x64/mapnik.node+0x4dad4c)
    #4 0x1071bfded in mapnik::value_adl_barrier::value mapnik::evaluate<mapnik::feature_impl, mapnik::value_adl_barrier::value, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, mapnik::value_adl_barrier::value, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const, mapnik::value_adl_barrier::value> > > >::operator()<mapnik::tags::equal_to>(mapnik::binary_node<mapnik::tags::equal_to> const&) const (/Users/dane/projects/node-mapnik/lib/binding/node-v11-darwin-x64/mapnik.node+0x515ded)
    #5 0x1071d283c in mapnik::evaluate<mapnik::feature_impl, mapnik::value_adl_barrier::value, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, mapnik::value_adl_barrier::value, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const, mapnik::value_adl_barrier::value> > > >::operator()(mapnik::binary_node<mapnik::tags::logical_and> const&) const (/Users/dane/projects/node-mapnik/lib/binding/node-v11-darwin-x64/mapnik.node+0x52883c)
    #6 0x10717fd81 in Expression::evaluate(Nan::FunctionCallbackInfo<v8::Value> const&) (/Users/dane/projects/node-mapnik/lib/binding/node-v11-darwin-x64/mapnik.node+0x4d5d81)
    #7 0x106cb3e4c in Nan::imp::FunctionCallbackWrapper(v8::Arguments const&) (/Users/dane/projects/node-mapnik/lib/binding/node-v11-darwin-x64/mapnik.node+0x9e4c)
    #8 0x10037666f in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) (/opt/node-address/bin/node+0x10037666f)
@springmeyer
Member Author

It looks like our expression tests in C++ are missing coverage of @variables. I presume this will start failing in core once we have those: https://github.com/mapnik/mapnik/blob/master/test/unit/core/expressions_test.cpp#L58-L191.

@artemp can you take a look at adding tests and then building with -fsanitize=address to replicate in core?

@artemp
Member

artemp commented Apr 13, 2016

@springmeyer - yep

@lightmare
Contributor

Isn't that stack trace weird?
#3 evaluate operator()(mapnik::attribute const&) (not global_attribute)
#1 and #2 value copy ctor (twice?)
#0 and then it blows in variant copy ctor?

@springmeyer springmeyer added this to the Mapnik 3.0.12 milestone Apr 20, 2016
@springmeyer
Member Author

This has continued to replicate. However, today I had an idea: maybe this is a problem because I'm building all of node-mapnik with -fsanitize=address but linking in a libmapnik that has not been built with -fsanitize=address.

I've now found that after rebuilding libmapnik with ./configure DEBUG_SANITIZE=True DEBUG=True CXX=/opt/llvm/bin/clang++ CC=/opt/llvm/bin/clang the problem goes away.

So, this is my fault, sorry!
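The partial-instrumentation mismatch resolved in the comment above can be caught before any test is run. The following script is an added example, not code from this issue or from the mapnik/node-mapnik projects; it assumes `nm` plus either `ldd` or `otool` are on PATH, and the binary path in the usage comment is a placeholder.

```shell
# Added example, not from the issue: flag a binary whose shared-library
# dependencies disagree with it on AddressSanitizer instrumentation. libc++'s
# std::vector only calls __sanitizer_annotate_contiguous_container when built
# with -fsanitize=address, so an uninstrumented libmapnik leaves annotations
# stale for an instrumented caller: the false container-overflow report above.

# Reads a symbol listing (nm output) on stdin; succeeds when it references the
# ASan runtime or the container-annotation hook. Input-driven so it is testable.
symbols_mention_asan() {
    grep -q -E '__asan_init|__sanitizer_annotate_contiguous_container'
}

# All symbols of a file: dynamic table first (survives stripping), then the
# regular one; errors from whichever form nm does not support are ignored.
list_symbols() {
    { nm -D "$1"; nm "$1"; } 2>/dev/null
}

# Prints "instrumented" or "uninstrumented" for one binary or shared object.
asan_status() {
    if list_symbols "$1" | symbols_mention_asan; then
        echo instrumented
    else
        echo uninstrumented
    fi
}

# Compares the binary with each dynamic dependency (otool -L on macOS, ldd
# elsewhere); returns 1 if any dependency differs from the binary itself.
check_consistent_instrumentation() {
    bin="$1"
    want=$(asan_status "$bin")
    if command -v otool >/dev/null 2>&1; then
        deps=$(otool -L "$bin" | awk 'NR > 1 { print $1 }')
    else
        deps=$(ldd "$bin" | awk '/=>/ { print $3 }')
    fi
    rc=0
    for dep in $deps; do
        [ -f "$dep" ] || continue   # skip vdso entries and unresolved names
        got=$(asan_status "$dep")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $bin is $want, $dep is $got"
            rc=1
        fi
    done
    return $rc
}

# Usage (path is a placeholder): sh check_asan.sh lib/binding/mapnik.node
if [ $# -eq 1 ]; then check_consistent_instrumentation "$1"; fi
```

A reported mismatch means the dependency must be rebuilt with the same sanitizer flags, as was done for libmapnik here; setting ASAN_OPTIONS=detect_container_overflow=0 only silences this one check and leaves the rest of the mixed build unreliable.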
