| Issue | 182720 |
| Summary | AddressSanitizer: container-overflow after #182183 |
| Labels | mlir |
| Assignees | vitalybuka |
| Reporter | vitalybuka |

After https://github.com/llvm/llvm-project/pull/182183/changes sanitizer-x86_64-linux-bootstrap-asan reports:
https://lab.llvm.org/buildbot/#/builders/52/builds/15224/steps/12/logs/stdio
```
==> /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/sanitizer_logs/report.mlir-tblgen.2856476 <==
=================================================================
==mlir-tblgen==2856476==ERROR: AddressSanitizer: container-overflow on address 0x741d40a763a8 at pc 0x5b1bc9714954 bp 0x7ffddd18d590 sp 0x7ffddd18d588
READ of size 4 at 0x741d40a763a8 thread T0
#0 0x5b1bc9714953 in findBucketForInsertion<const llvm::Record *> /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/ADT/DenseMap.h:592:27
#1 0x5b1bc9714953 in lookupOrInsertIntoBucket<const llvm::Record *const &> /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/ADT/DenseMap.h:510:17
#2 0x5b1bc9714953 in llvm::DenseMapBase<llvm::SmallDenseMap<llvm::Record const*, (anonymous namespace)::OpDocGroup, 4u, llvm::DenseMapInfo<llvm::Record const*, void>, llvm::detail::DenseMapPair<llvm::Record const*, (anonymous namespace)::OpDocGroup>>, llvm::Record const*, (anonymous namespace)::OpDocGroup, llvm::DenseMapInfo<llvm::Record const*, void>, llvm::detail::DenseMapPair<llvm::Record const*, (anonymous namespace)::OpDocGroup>>::operator[](llvm::Record const* const&) /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/ADT/DenseMap.h:350:12
#3 0x5b1bc97131b2 in collectRecords(llvm::RecordKeeper const&) /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/mlir/tools/mlir-tblgen/OpDocGen.cpp:588:24
#4 0x5b1bc9735e11 in operator() /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/mlir/tools/mlir-tblgen/OpDocGen.cpp:670:39
#5 0x5b1bc9735e11 in __invoke<(lambda at /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/mlir/tools/mlir-tblgen/OpDocGen.cpp:669:17) &, const llvm::RecordKeeper &, llvm::raw_ostream &> /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/libcxx_install_asan/include/c++/v1/__type_traits/invoke.h:90:27
#6 0x5b1bc9735e11 in __call<(lambda at /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/mlir/tools/mlir-tblgen/OpDocGen.cpp:669:17) &, const llvm::RecordKeeper &, llvm::raw_ostream &> /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/libcxx_install_asan/include/c++/v1/__type_traits/invoke.h:342:12
#7 0x5b1bc9735e11 in __invoke_r<bool, (lambda at /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/mlir/tools/mlir-tblgen/OpDocGen.cpp:669:17) &, const llvm::RecordKeeper &, llvm::raw_ostream &> /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/libcxx_install_asan/include/c++/v1/__type_traits/invoke.h:356:10
#8 0x5b1bc9735e11 in std::__1::__function::__func<$_6, bool (llvm::RecordKeeper const&, llvm::raw_ostream&)>::operator()(llvm::RecordKeeper const&, llvm::raw_ostream&) /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/libcxx_install_asan/include/c++/v1/__functional/function.h:172:12
#9 0x5b1bc99d2009 in operator() /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/libcxx_install_asan/include/c++/v1/__functional/function.h:273:12
#10 0x5b1bc99d2009 in operator() /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/libcxx_install_asan/include/c++/v1/__functional/function.h:754:10
#11 0x5b1bc99d2009 in invoke /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/mlir/include/mlir/TableGen/GenInfo.h:39:12
#12 0x5b1bc99d2009 in mlirTableGenMain /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/mlir/lib/Tools/mlir-tblgen/MlirTblgenMain.cpp:136:21
#13 0x5b1bc99d2009 in operator() /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/mlir/lib/Tools/mlir-tblgen/MlirTblgenMain.cpp:160:20
#14 0x5b1bc99d2009 in bool llvm::function_ref<bool (llvm::TableGenOutputFiles&, llvm::RecordKeeper const&)>::callback_fn<mlir::MlirTblgenMain(int, char**)::$_0>(long, llvm::TableGenOutputFiles&, llvm::RecordKeeper const&) /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:46:12
#15 0x5b1bc99d9365 in operator() /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:69:12
#16 0x5b1bc99d9365 in llvm::TableGenMain(char const*, llvm::function_ref<bool (llvm::TableGenOutputFiles&, llvm::RecordKeeper const&)>) /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/TableGen/Main.cpp:175:23
#17 0x5b1bc99cc62a in mlir::MlirTblgenMain(int, char**) /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/mlir/lib/Tools/mlir-tblgen/MlirTblgenMain.cpp:156:10
#18 0x781d4262a577 (/lib/x86_64-linux-gnu/libc.so.6+0x2a577) (BuildId: ae7440bbdce614e0e79280c3b2e45b1df44e639c)
#19 0x781d4262a63a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a63a) (BuildId: ae7440bbdce614e0e79280c3b2e45b1df44e639c)
#20 0x5b1bc94a5ca4 in _start (/home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm_build_asan/bin/mlir-tblgen+0x244ca4)
Address 0x741d40a763a8 is located in stack of thread T0 at offset 936 in frame
#0 0x5b1bc97125ff in collectRecords(llvm::RecordKeeper const&) /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/mlir/tools/mlir-tblgen/OpDocGen.cpp:553
This frame has 19 object(s):
[32, 40) '__end'
[64, 96) 'ref.tmp' (line 577)
[128, 160) 'ref.tmp' (line 577)
[192, 200) '__end'
[224, 256) 'ref.tmp' (line 577)
[288, 320) 'ref.tmp' (line 577)
[352, 400) 'dialects' (line 555)
[432, 472) 'dialect' (line 556)
[512, 536) 'opDefs' (line 560)
[576, 768) 'result' (line 567)
[832, 880) 'seen' (line 568)
[912, 1216) 'opDocGroup' (line 580) <== Memory access at offset 936 is inside this variable
[1280, 1488) 'ref.tmp' (line 583)
[1552, 1568) 'ref.tmp' (line 585)
[1584, 3616) 'ref.tmp' (line 589)
[3744, 3808) 'op' (line 591)
[3840, 4048) 'ref.tmp' (line 605)
[4112, 4128) 'ref.tmp' (line 607)
[4144, 4152) 'ref.tmp' (line 610)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
Or if supported by the container library, pass -D__SANITIZER_DISABLE_CONTAINER_OVERFLOW__ to the compiler to disable instrumentation.
If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow /home/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/ADT/DenseMap.h:592:27 in findBucketForInsertion<const llvm::Record *>
Shadow bytes around the buggy address:
0x741d40a76100: f2 f2 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2 00 00 00 00
0x741d40a76180: 00 00 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2 f2
0x741d40a76200: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
0x741d40a76280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x741d40a76300: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 f2 f2
=>0x741d40a76380: f2 f2 00 00 00[02]fc fc 00 00 00 00 00 00 00 00
0x741d40a76400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x741d40a76480: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2
0x741d40a76500: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x741d40a76580: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2
0x741d40a76600: f2 f2 f8 f8 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
```
Exact test is: `LIT_FILTER=mlir-tblgen/gen-dialect-doc.td ninja check-mlir`
As-is I don't see anything wrong with the code, but removing `namespace {}` around OpDocGroup helps.
I suspect an issue in the std::string container overflow implementation.
_______________________________________________
llvm-bugs mailing list
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
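
Added example (not part of the original report or of LLVM's tooling): a small Python triage helper that reads the frame layout and shadow dump quoted above to show which bytes of the 4-byte read are poisoned and why the access is classified as container-overflow. It assumes the dump's row addresses are application addresses with one shadow byte per 8 application bytes, as in this report; `triage`, `shadow_map` and the excerpt `REPORT` are names introduced here.

```python
import re

# Excerpt of the report above: only the lines the triage needs.
REPORT = """\
READ of size 4 at 0x741d40a763a8 thread T0
Address 0x741d40a763a8 is located in stack of thread T0 at offset 936 in frame
[832, 880) 'seen' (line 568)
[912, 1216) 'opDocGroup' (line 580) <== Memory access at offset 936 is inside this variable
[1280, 1488) 'ref.tmp' (line 583)
0x741d40a76300: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 f2 f2
=>0x741d40a76380: f2 f2 00 00 00[02]fc fc 00 00 00 00 00 00 00 00
0x741d40a76400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Poison values from AddressSanitizer's standard shadow byte legend.
LEGEND = {0xF1: "stack left redzone", 0xF2: "stack mid redzone",
          0xF3: "stack right redzone", 0xF8: "stack use after scope",
          0xFC: "container overflow"}

def shadow_map(report):
    """Map the address of each 8-byte granule in the dump to its shadow byte."""
    shadow = {}
    for row, cells in re.findall(r"^[ \t]*(?:=>)?(0x[0-9a-f]+):(.*)$", report, re.M):
        for i, byte in enumerate(re.findall(r"[0-9a-f]{2}", cells)):
            shadow[int(row, 16) + 8 * i] = int(byte, 16)
    return shadow

def triage(report):
    size, addr = re.search(r"(?:READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", report).groups()
    size, addr = int(size), int(addr, 16)
    off = int(re.search(r"at offset (\d+) in frame", report).group(1))
    objects = re.findall(r"^[ \t]*\[(\d+), (\d+)\) '([^']+)'", report, re.M)
    name, rel = next((n, off - int(lo)) for lo, hi, n in objects if int(lo) <= off < int(hi))
    shadow = shadow_map(report)

    def addressable(a):
        s = shadow[a & ~7]          # 00: whole granule; 01..07: first s bytes only
        return s == 0 or (s < 8 and (a & 7) < s)

    first = shadow[addr & ~7]
    # For a partially addressable granule, the poison kind is in the next shadow byte.
    kind = shadow[(addr & ~7) + 8] if 0 < first < 8 else first
    return {"variable": name, "offset_in_variable": rel, "shadow_byte": first,
            "poisoned_bytes": [i for i in range(size) if not addressable(addr + i)],
            "kind": LEGEND.get(kind, hex(kind))}

if __name__ == "__main__":
    print(triage(REPORT))
```

On this report it places the read 24 bytes into `opDocGroup`, with the last two bytes of the access falling in the unaddressable part of a granule whose neighbour is marked `fc`.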