pika Use-after-return in `bind`

Use-after-return in `bind`

Open msimberg opened this issue 1 year ago • 0 comments
Sometimes reported by address sanitizer, e.g. in the thread_stacksize_current test:
=================================================================
==6427==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fdc770c2920 at pc 0x7fdc7f9cc7b4 bp 0x7fdc770c28d0 sp 0x7fdc770c28c8
WRITE of size 16 at 0x7fdc770c2920 thread T3
    #0 0x7fdc7f9cc7b3 in pika::util::detail::invoke_bound_result<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*&)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack<pika::runtime*&, pika::util::detail::function<int ()>&, int&, bool&>, pika::threads::detail::thread_restart_state&&>::type pika::util::detail::bound<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack_c<unsigned long, 0ul, 1ul, 2ul, 3ul>, pika::runtime*, pika::util::detail::function<int ()>, int&, bool>::operator()<pika::threads::detail::thread_restart_state>(pika::threads::detail::thread_restart_state&&) & /__w/pika/pika/libs/pika/functional/include/pika/functional/bind.hpp:123:20
    #1 0x7fdc7f9cc5e5 in std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> pika::util::detail::callable_vtable<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::threads::detail::thread_restart_state)>::_invoke<pika::util::detail::bound<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack_c<unsigned long, 0ul, 1ul, 2ul, 3ul>, pika::runtime*, pika::util::detail::function<int ()>, int&, bool> >(void*, pika::threads::detail::thread_restart_state&&) /__w/pika/pika/libs/pika/functional/include/pika/functional/detail/vtable/callable_vtable.hpp:88:20
    #2 0x7fdc7f5999a3 in pika::util::detail::basic_function<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::threads::detail::thread_restart_state), false>::operator()(pika::threads::detail::thread_restart_state) const /__w/pika/pika/libs/pika/functional/include/pika/functional/detail/basic_function.hpp:199:20
    #3 0x7fdc7f5999a3 in pika::threads::coroutines::detail::coroutine_impl::operator()() /__w/pika/pika/libs/pika/coroutines/src/detail/coroutine_impl.cpp:71:35
    #4 0x7fdc7f595ff0 in void pika::threads::coroutines::detail::lx::trampoline<pika::threads::coroutines::detail::coroutine_impl>(void*) /__w/pika/pika/libs/pika/coroutines/include/pika/coroutines/detail/context_linux_x86.hpp:93:13

Address 0x7fdc770c2920 is located in stack of thread T3 at offset 64 in frame
    #0 0x7fdc7f9cc5ff in pika::util::detail::invoke_bound_result<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*&)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack<pika::runtime*&, pika::util::detail::function<int ()>&, int&, bool&>, pika::threads::detail::thread_restart_state&&>::type pika::util::detail::bound<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack_c<unsigned long, 0ul, 1ul, 2ul, 3ul>, pika::runtime*, pika::util::detail::function<int ()>, int&, bool>::operator()<pika::threads::detail::thread_restart_state>(pika::threads::detail::thread_restart_state&&) & /__w/pika/pika/libs/pika/functional/include/pika/functional/bind.hpp:122

  This frame has 2 object(s):
    [32, 48) 'ref.tmp' (line 123)
    [64, 80) 'coerce' <== Memory access at offset 64 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T3 created by T0 here:
    #0 0x55b74d7472dc in pthread_create (/__w/pika/pika/build/bin/thread_stacksize_current_test+0x1b92dc) (BuildId: 2ddf9c86fb33001c)
    #1 0x7fdc7deb0328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #2 0x7fdc7fac9550 in pika::threads::detail::scheduled_thread_pool<pika::threads::detail::local_priority_queue_scheduler<std::mutex, pika::threads::detail::lockfree_fifo, pika::threads::detail::lockfree_fifo, pika::threads::detail::lockfree_lifo> >::add_processing_unit_internal(unsigned long, unsigned long, std::shared_ptr<pika::concurrency::detail::barrier>, pika::error_code&) /__w/pika/pika/libs/pika/thread_pools/include/pika/thread_pools/scheduled_thread_pool_impl.hpp:1312:31
    #3 0x7fdc7fac62c8 in pika::threads::detail::scheduled_thread_pool<pika::threads::detail::local_priority_queue_scheduler<std::mutex, pika::threads::detail::lockfree_fifo, pika::threads::detail::lockfree_fifo, pika::threads::detail::lockfree_lifo> >::run(std::unique_lock<std::mutex>&, unsigned long) /__w/pika/pika/libs/pika/thread_pools/include/pika/thread_pools/scheduled_thread_pool_impl.hpp:304:17
    #4 0x7fdc7ff5d2be in pika::threads::detail::thread_manager::run() /__w/pika/pika/libs/pika/thread_manager/src/thread_manager.cpp:832:29
    #5 0x7fdc7f94b5dd in pika::runtime::start(pika::util::detail::function<int ()> const&, bool) /__w/pika/pika/libs/pika/runtime/src/runtime.cpp:1148:26
    #6 0x7fdc7f955d5d in pika::runtime::run(pika::util::detail::function<int ()> const&) /__w/pika/pika/libs/pika/runtime/src/runtime.cpp:1423:9
    #7 0x7fdc7f74d3a5 in pika::detail::run(pika::runtime&, pika::util::detail::function<int (pika::program_options::variables_map&)> const&, pika::program_options::variables_map&, std::function<void ()>, std::function<void ()>) /__w/pika/pika/libs/pika/init_runtime/src/init_runtime.cpp:198:39
    #8 0x7fdc7f74e684 in pika::detail::run_or_start(bool, std::unique_ptr<pika::runtime, std::default_delete<pika::runtime> >, pika::detail::command_line_handling&, std::function<void ()>, std::function<void ()>) /__w/pika/pika/libs/pika/init_runtime/src/init_runtime.cpp:229:24
    #9 0x7fdc7f7525c8 in pika::detail::run_or_start(pika::util::detail::function<int (pika::program_options::variables_map&)> const&, int, char const* const*, pika::init_params const&, bool) /__w/pika/pika/libs/pika/init_runtime/src/init_runtime.cpp:344:20
    #10 0x7fdc7f752bb2 in pika::detail::init_start_impl(pika::util::detail::function<int (pika::program_options::variables_map&)>, int, char const* const*, pika::init_params const&, bool) /__w/pika/pika/libs/pika/init_runtime/src/init_runtime.cpp:366:20
    #11 0x7fdc7f75344e in pika::init(std::function<int ()>, int, char const* const*, pika::init_params const&) /__w/pika/pika/libs/pika/init_runtime/src/init_runtime.cpp:388:16
    #12 0x55b74d79dc5a in main /__w/pika/pika/libs/pika/threading_base/tests/regressions/thread_stacksize_current.cpp:85:9
    #13 0x7fdc7daced8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

SUMMARY: AddressSanitizer: stack-use-after-scope /__w/pika/pika/libs/pika/functional/include/pika/functional/bind.hpp:123:20 in pika::util::detail::invoke_bound_result<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*&)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack<pika::runtime*&, pika::util::detail::function<int ()>&, int&, bool&>, pika::threads::detail::thread_restart_state&&>::type pika::util::detail::bound<std::pair<pika::threads::detail::thread_schedule_state, pika::threads::detail::thread_id> (pika::runtime::*)(pika::util::detail::function<int ()> const&, int&, bool), pika::util::detail::pack_c<unsigned long, 0ul, 1ul, 2ul, 3ul>, pika::runtime*, pika::util::detail::function<int ()>, int&, bool>::operator()<pika::threads::detail::thread_restart_state>(pika::threads::detail::thread_restart_state&&) &
Shadow bytes around the buggy address:
  0x0ffc0ee104d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee104e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee104f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee10500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee10510: f1 f1 f1 f1 f8 f8 f8 f2 f2 f2 f2 f2 f1 f1 f1 f1
=>0x0ffc0ee10520: 00 00 f2 f2[f8]f8 f3 f3 f2 f2 f2 f2 f8 f8 f8 f8
  0x0ffc0ee10530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee10540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee10550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc0ee10560: f1 f1 f1 f1 01 f2 00 00 f2 f2 f8 f2 00 f2 f2 f2
  0x0ffc0ee10570: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6427==ABORTING
detect_stack_use_after_return is currently disabled (see #992) and the particular member function triggering this is suppressed in #972.
Jan 22 '24 17:01 msimberg
pika pika copied to clipboard

Use-after-return in `bind`

pika
pika copied to clipboard
