AddressSanitizer: heap-use-after-free
Input: https://github.com/second-state/SOLL/blob/master/test/solidity/Library.sol
Steps: build SOLL with -fsanitize=address -fsanitize=leak, then run the resulting soll binary on the input above. ASan aborts during code generation with the report below. The faulting read at CGExpr.cpp:265 (emitLibraryCall) goes through std::vector::at on a vector that lives inside an ExprValueTuple object allocated by make_shared in ExprValueTuple::getRValue (CGValue.h:441); that object had already been released through its shared_ptr control block when the read happened.
=================================================================
==29301==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700000a858 at pc 0x55bd247e2650 bp 0x7ffff339ef10 sp 0x7ffff339ef00
READ of size 8 at 0x60700000a858 thread T0
#0 0x55bd247e264f in std::vector<std::shared_ptr<soll::CodeGen::ExprValue>, std::allocator<std::shared_ptr<soll::CodeGen::ExprValue> > >::_M_range_check(unsigned long) const /usr/include/c++/9/bits/stl_vector.h:1069
#1 0x55bd247e264f in std::vector<std::shared_ptr<soll::CodeGen::ExprValue>, std::allocator<std::shared_ptr<soll::CodeGen::ExprValue> > >::at(unsigned long) /usr/include/c++/9/bits/stl_vector.h:1091
#2 0x55bd247e264f in soll::CodeGen::CodeGenFunction::emitLibraryCall(soll::CallExpr const*, soll::MemberExpr const*) /code/lib/CodeGen/CGExpr.cpp:265
#3 0x55bd247f21e5 in soll::CodeGen::CodeGenFunction::emitSpecialCallExpr(soll::Identifier const*, soll::CallExpr const*, soll::MemberExpr const*) /code/lib/CodeGen/CGExpr.cpp:528
#4 0x55bd247fb3fb in soll::CodeGen::CodeGenFunction::emitCallExpr(soll::CallExpr const*) /code/lib/CodeGen/CGExpr.cpp:406
#5 0x55bd247a6eec in soll::CodeGen::ExprEmitter::visit(soll::CallExpr const*) /code/lib/CodeGen/ExprEmitter.cpp:671
#6 0x55bd247a6eec in soll::CodeGen::ExprEmitter::visit(soll::Expr const*) /code/lib/CodeGen/ExprEmitter.cpp:12
#7 0x55bd247c1194 in soll::CodeGen::CodeGenFunction::emitExpr(soll::Expr const*) /code/lib/CodeGen/CGExpr.cpp:15
#8 0x55bd247fe7eb in soll::CodeGen::CodeGenFunction::emitExprStmt(soll::ExprStmt const*) /code/lib/CodeGen/CodeGenFunction.cpp:223
#9 0x55bd2480fe2e in soll::CodeGen::CodeGenFunction::emitBlock(soll::Block const*) /code/lib/CodeGen/CodeGenFunction.cpp:228
#10 0x55bd24812bde in soll::CodeGen::CodeGenFunction::generateCode(soll::FunctionDecl const*, llvm::Function*) /code/lib/CodeGen/CodeGenFunction.cpp:28
#11 0x55bd24732830 in soll::CodeGen::CodeGenModule::emitFunctionDecl(soll::FunctionDecl const*) /code/lib/CodeGen/CodeGenModule.cpp:1562
#12 0x55bd24743d7f in soll::CodeGen::CodeGenModule::emitContractDecl(soll::ContractDecl const*) /code/lib/CodeGen/CodeGenModule.cpp:1182
#13 0x55bd246b2bff in HandleTopLevelDecl /code/lib/CodeGen/ModuleBuilder.cpp:79
#14 0x55bd246b2bff in HandleSourceUnit /code/lib/CodeGen/ModuleBuilder.cpp:60
#15 0x55bd246b2bff in HandleSourceUnit /code/lib/CodeGen/ModuleBuilder.cpp:52
#16 0x55bd246af081 in soll::BackendConsumer::HandleSourceUnit(soll::ASTContext&, soll::SourceUnit&) /code/lib/CodeGen/CodeGenAction.cpp:218
#17 0x55bd2486349e in soll::ParseAST(soll::Sema&, soll::ASTConsumer&, soll::ASTContext&, bool) /code/lib/Parse/ParseAST.cpp:30
#18 0x55bd2469acf1 in soll::FrontendAction::Execute() /code/lib/Frontend/FrontendAction.cpp:79
#19 0x55bd2467ac80 in soll::CompilerInstance::ExecuteAction(soll::FrontendAction&) /code/lib/Frontend/CompilerInstance.cpp:328
#20 0x55bd246a15c5 in soll::ExecuteCompilerInvocation(soll::CompilerInstance*) /code/lib/FrontendTool/ExecuteCompilerInvocation.cpp:48
#21 0x55bd24644a32 in main /code/tools/soll/main.cpp:34
#22 0x7ffaa22120b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#23 0x55bd2465b7ed in _start (/code/build/tools/soll/soll+0x1557ed)
0x60700000a858 is located 56 bytes inside of 80-byte region [0x60700000a820,0x60700000a870)
freed by thread T0 here:
#0 0x7ffaa75f68df in operator delete(void*) (/lib/x86_64-linux-gnu/libasan.so.5+0x1108df)
#1 0x55bd24795234 in std::_Sp_counted_ptr_inplace<soll::CodeGen::ExprValueTuple, std::allocator<soll::CodeGen::ExprValueTuple>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/9/ext/new_allocator.h:128
previously allocated by thread T0 here:
#0 0x7ffaa75f5947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
#1 0x55bd247fd899 in std::__shared_ptr<soll::CodeGen::ExprValueTuple, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<soll::CodeGen::ExprValueTuple>, soll::TupleType const*&, soll::ValueKind, std::vector<std::shared_ptr<soll::CodeGen::ExprValue>, std::allocator<std::shared_ptr<soll::CodeGen::ExprValue> > > >(std::_Sp_alloc_shared_tag<std::allocator<soll::CodeGen::ExprValueTuple> >, soll::TupleType const*&, soll::ValueKind&&, std::vector<std::shared_ptr<soll::CodeGen::ExprValue>, std::allocator<std::shared_ptr<soll::CodeGen::ExprValue> > >&&) /usr/include/c++/9/ext/new_allocator.h:114
#2 0x55bd247fd899 in std::shared_ptr<soll::CodeGen::ExprValueTuple>::shared_ptr<std::allocator<soll::CodeGen::ExprValueTuple>, soll::TupleType const*&, soll::ValueKind, std::vector<std::shared_ptr<soll::CodeGen::ExprValue>, std::allocator<std::shared_ptr<soll::CodeGen::ExprValue> > > >(std::_Sp_alloc_shared_tag<std::allocator<soll::CodeGen::ExprValueTuple> >, soll::TupleType const*&, soll::ValueKind&&, std::vector<std::shared_ptr<soll::CodeGen::ExprValue>, std::allocator<std::shared_ptr<soll::CodeGen::ExprValue> > >&&) /usr/include/c++/9/bits/shared_ptr.h:359
#3 0x55bd247fd899 in std::shared_ptr<soll::CodeGen::ExprValueTuple> std::allocate_shared<soll::CodeGen::ExprValueTuple, std::allocator<soll::CodeGen::ExprValueTuple>, soll::TupleType const*&, soll::ValueKind, std::vector<std::shared_ptr<soll::CodeGen::ExprValue>, std::allocator<std::shared_ptr<soll::CodeGen::ExprValue> > > >(std::allocator<soll::CodeGen::ExprValueTuple> const&, soll::TupleType const*&, soll::ValueKind&&, std::vector<std::shared_ptr<soll::CodeGen::ExprValue>, std::allocator<std::shared_ptr<soll::CodeGen::ExprValue> > >&&) /usr/include/c++/9/bits/shared_ptr.h:702
#4 0x55bd247fd899 in std::shared_ptr<soll::CodeGen::ExprValueTuple> std::make_shared<soll::CodeGen::ExprValueTuple, soll::TupleType const*&, soll::ValueKind, std::vector<std::shared_ptr<soll::CodeGen::ExprValue>, std::allocator<std::shared_ptr<soll::CodeGen::ExprValue> > > >(soll::TupleType const*&, soll::ValueKind&&, std::vector<std::shared_ptr<soll::CodeGen::ExprValue>, std::allocator<std::shared_ptr<soll::CodeGen::ExprValue> > >&&) /usr/include/c++/9/bits/shared_ptr.h:718
#5 0x55bd247fd899 in soll::CodeGen::ExprValueTuple::getRValue(soll::TupleType const*, std::vector<llvm::Value*, std::allocator<llvm::Value*> > const&) /code/lib/CodeGen/CGValue.h:441
SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/9/bits/stl_vector.h:1069 in std::vector<std::shared_ptr<soll::CodeGen::ExprValue>, std::allocator<std::shared_ptr<soll::CodeGen::ExprValue> > >::_M_range_check(unsigned long) const
Shadow bytes around the buggy address:
0x0c0e7fff94b0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
0x0c0e7fff94c0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
0x0c0e7fff94d0: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
0x0c0e7fff94e0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0e7fff94f0: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c0e7fff9500: fa fa fa fa fd fd fd fd fd fd fd[fd]fd fd fa fa
0x0c0e7fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==29301==ABORTING
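The shape of the trace (a vector read in vector::at inside an object that make_shared created in getRValue and that the shared_ptr control block has already destroyed) matches a common C++ lifetime mistake: binding a reference to a member of an object owned by a temporary shared_ptr, then using the reference after the temporary is gone. The model below is an added example written for this page, not SOLL's code; the names Tuple, Value, getRValue, emitCallBuggy and emitCallFixed are invented, and whether SOLL's CGExpr.cpp:265 has exactly this form is an assumption that only the source can confirm.

```cpp
// Minimal model of the heap-use-after-free class in the ASan report above.
// All names here are invented for illustration; this is not SOLL's code.
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

struct Value {
    std::string name;
};

// Stands in for ExprValueTuple: owns a vector of shared_ptr<Value>. The
// vector object itself is a member, so it lives inside the Tuple allocation
// (the report shows the read 56 bytes inside an 80-byte region).
struct Tuple {
    std::vector<std::shared_ptr<Value>> values;
    explicit Tuple(std::vector<std::shared_ptr<Value>> v) : values(std::move(v)) {}
    const std::vector<std::shared_ptr<Value>> &getValues() const { return values; }
};

// Stands in for ExprValueTuple::getRValue: builds a fresh Tuple on every call
// via make_shared and hands the caller the only owning reference.
std::shared_ptr<Tuple> getRValue(const std::vector<std::string> &names) {
    std::vector<std::shared_ptr<Value>> vals;
    for (const auto &n : names)
        vals.push_back(std::make_shared<Value>(Value{n}));
    return std::make_shared<Tuple>(std::move(vals));
}

// BUGGY: `args` binds to a member of the object owned by the temporary
// shared_ptr. No lifetime extension applies (the reference is reached through
// operator->, not bound to the temporary itself), so the Tuple is destroyed at
// the ';' and `args.at(i)` reads freed memory. Under ASan this reports as
// heap-use-after-free in vector::_M_range_check, the same top frame as above.
std::string emitCallBuggy(const std::vector<std::string> &names, size_t i) {
    const auto &args = getRValue(names)->getValues();   // dangling after ';'
    return args.at(i)->name;                             // use-after-free read
}

// FIXED: hold the owning shared_ptr in a named local for as long as the
// vector is used. The Tuple now outlives every access to `args`.
std::string emitCallFixed(const std::vector<std::string> &names, size_t i) {
    std::shared_ptr<Tuple> tuple = getRValue(names);     // keeps the Tuple alive
    const auto &args = tuple->getValues();               // valid while `tuple` lives
    return args.at(i)->name;
}

// With ownership held, vector::at bounds-checks live data and throws
// std::out_of_range for a bad index instead of reading freed memory.
bool fixedRejectsBadIndex(const std::vector<std::string> &names, size_t i) {
    try {
        (void)emitCallFixed(names, i);
        return false;
    } catch (const std::out_of_range &) {
        return true;
    }
}

int main() {
    std::printf("fixed: %s\n", emitCallFixed({"lib", "fn", "arg0"}, 2).c_str());
#ifdef DEMO_UAF
    // Build with: g++ -std=c++17 -g -fsanitize=address -DDEMO_UAF demo.cpp
    // to reproduce a heap-use-after-free report of the same shape as above.
    std::printf("buggy: %s\n", emitCallBuggy({"lib", "fn", "arg0"}, 2).c_str());
#endif
    return 0;
}
```

The buggy path is compiled in only with -DDEMO_UAF so that the default build runs clean; under -fsanitize=address the allocation frame is make_shared in getRValue and the free frame is the shared_ptr control block's _M_destroy, mirroring the allocation and free stacks in the report. When triaging the SOLL trace, the thing to look for at CGExpr.cpp:265 is therefore a reference or pointer into the ExprValueTuple that outlives the shared_ptr returned by getRValue.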