Qt Creator
QTCREATORBUG-31046

LiteHtml: AddressSanitizer: container-overflow


Details

    • Bug
    • Resolution: Unresolved
    • P3: Somewhat important
    • None
    • Qt Creator 14.0.0
    • Help System

    Description

      I've built Qt Creator 14 with -DWITH_SANITIZE:BOOL=ON and -DSANITIZE_FLAGS:STRING=address, and when trying to start Qt Creator I've got:

      =================================================================
      ==14517==ERROR: AddressSanitizer: container-overflow on address 0x00013bd14b68 at pc 0x000138e20b20 bp 0x00016fdf54e0 sp 0x00016fdf4c90
      READ of size 24 at 0x00013bd14b68 thread T0
          #0 0x138e20b1c in __asan_memcpy+0x394 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x50b1c)
          #1 0x102d44fe4 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::basic_string[abi:v160006](std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&&) string:855
          #2 0x102d44f50 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::basic_string[abi:v160006](std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&&) string:855
          #3 0x10d1b3d58 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>* std::__1::construct_at[abi:v160006]<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&&) construct_at.h:38
          #4 0x10d1b3a18 in void std::__1::allocator_traits<std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>::construct[abi:v160006]<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, void, void>(std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&&) allocator_traits.h:304
          #5 0x10d1b3468 in std::__1::reverse_iterator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*> std::__1::__uninitialized_allocator_move_if_noexcept[abi:v160006]<std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::reverse_iterator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*>, std::__1::reverse_iterator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*>, std::__1::reverse_iterator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*>>(std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&, std::__1::reverse_iterator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*>, std::__1::reverse_iterator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*>, std::__1::reverse_iterator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*>) uninitialized_algorithms.h:604
          #6 0x10d1b27bc in std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>::__swap_out_circular_buffer(std::__1::__split_buffer<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&>&) vector:917
          #7 0x113590dd4 in void std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>::__push_back_slow_path<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) vector:1542
          #8 0x113b39240 in litehtml::split_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) html.cpp:159
          #9 0x113b5594c in _GLOBAL__sub_I_string_id.cpp+0xf4 (Qt Creator:arm64+0x113b5594c)
          #10 0x199275058  (<unknown module>)
          #11 0x1992b3304  (<unknown module>)
          #12 0x1992a6998 in invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const+0x1ec (dyld:arm64e+0xfffffffffff9a998)
          #13 0x1992562f8  (<unknown module>)
          #14 0x1992a592c in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const+0xbc (dyld:arm64e+0xfffffffffff9992c)
          #15 0x1992b2e18  (<unknown module>)
          #16 0x19927106c  (<unknown module>)
          #17 0x199277610  (<unknown module>)
          #18 0x199271458  (<unknown module>)
          #19 0x1992750e8  (<unknown module>)
          #20 0x199271624  (<unknown module>)
          #21 0x1992944d4  (<unknown module>)
          #22 0x19925af78  (<unknown module>)
          #23 0x199259ed8  (<unknown module>)
      
      0x00013bd14b68 is located 72 bytes inside of 96-byte region [0x00013bd14b20,0x00013bd14b80)
      allocated by thread T0 here:
          #0 0x138e310ec in wrap__Znwm+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x610ec)
          #1 0x1000328b0 in void* std::__1::__libcpp_operator_new[abi:v160006]<unsigned long>(unsigned long) new:285
          #2 0x100032834 in std::__1::__libcpp_allocate[abi:v160006](unsigned long, unsigned long) new:311
          #3 0x10d12a12c in std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>::allocate[abi:v160006](unsigned long) allocator.h:115
          #4 0x10d129e20 in std::__1::__allocation_result<std::__1::allocator_traits<std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>::pointer> std::__1::__allocate_at_least[abi:v160006]<std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>(std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&, unsigned long) allocate_at_least.h:55
          #5 0x10d1b2c50 in std::__1::__split_buffer<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&) __split_buffer:323
          #6 0x10d1b2478 in std::__1::__split_buffer<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&) __split_buffer:319
          #7 0x113590d2c in void std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>::__push_back_slow_path<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) vector:1538
          #8 0x113b39240 in litehtml::split_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) html.cpp:159
          #9 0x113b5594c in _GLOBAL__sub_I_string_id.cpp+0xf4 (Qt Creator:arm64+0x113b5594c)
          #10 0x199275058  (<unknown module>)
          #11 0x1992b3304  (<unknown module>)
          #12 0x1992a6998 in invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const+0x1ec (dyld:arm64e+0xfffffffffff9a998)
          #13 0x1992562f8  (<unknown module>)
          #14 0x1992a592c in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const+0xbc (dyld:arm64e+0xfffffffffff9992c)
          #15 0x1992b2e18  (<unknown module>)
          #16 0x19927106c  (<unknown module>)
          #17 0x199277610  (<unknown module>)
          #18 0x199271458  (<unknown module>)
          #19 0x1992750e8  (<unknown module>)
          #20 0x199271624  (<unknown module>)
          #21 0x1992944d4  (<unknown module>)
          #22 0x19925af78  (<unknown module>)
          #23 0x199259ed8  (<unknown module>)
      
      HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
      If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
      SUMMARY: AddressSanitizer: container-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x50b1c) in __asan_memcpy+0x394
      Shadow bytes around the buggy address:
        0x00013bd14880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x00013bd14900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x00013bd14980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x00013bd14a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x00013bd14a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x00013bd14b00: fa fa fa fa 00 00 00 00 00 00 00 00 00[fc]fc fc
        0x00013bd14b80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 04
        0x00013bd14c00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 04
        0x00013bd14c80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 04
        0x00013bd14d00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 04
        0x00013bd14d80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 02 fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==14517==ABORTING
      

      The debugger session looked like this:

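The numbers in the report above already say a lot before anyone opens a debugger: a READ of 24 bytes (one libc++ std::string object) at offset 72 inside a 96-byte heap region means slot 3 of a 4-slot buffer, and the marked shadow row shows nine addressable shadow bytes (72 bytes, three slots) followed by fc, so the container annotation considers three elements live while the reallocation path is moving a fourth. Whether that is a genuine overflow or an annotation that has fallen out of step with the container (the situation the HINT's wiki link covers) is what the triage has to establish. The script below is an added example, not Qt Creator, litehtml or LLVM code; it parses the key lines of such a report and derives those facts. The embedded input is an abridged copy of the report on this page with template arguments shortened to "..."; the numbers are the original ones. The "first frame outside __asan_* and std::" rule for finding the application frame is a heuristic of this example.

```python
"""Triage an AddressSanitizer container-overflow report (added example)."""
import re

# Shadow-byte meanings, copied from the legend ASan prints at the end of a report.
SHADOW_LEGEND = {
    "00": "addressable", "fa": "heap left redzone", "fd": "freed heap region",
    "f1": "stack left redzone", "f2": "stack mid redzone", "f3": "stack right redzone",
    "f5": "stack after return", "f8": "stack use after scope", "f9": "global redzone",
    "f6": "global init order", "f7": "poisoned by user", "fc": "container overflow",
}

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
REGION_RE = re.compile(r"is located (?P<offset>\d+) bytes inside of (?P<region>\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<rest>.+)$")
SHADOW_RE = re.compile(r"^\s*=>\s*0x[0-9a-f]+:(?P<bytes>.*)$")
LOC_RE = re.compile(r"(\S+:\d+)$")  # trailing "file.cpp:line" on symbolized frames


def first_application_frame(frames):
    """Heuristic: the first frame that is neither the ASan runtime (__asan_*)
    nor a standard-library instantiation (anything containing 'std::')."""
    for rest in frames:
        name = rest.split("(", 1)[0].strip()
        if name.startswith("__asan") or "std::" in name:
            continue
        loc = LOC_RE.search(rest)
        return name, (loc.group(1) if loc else None)
    return None, None


def parse_shadow_row(bytes_field, access_size):
    """Decode the '=>' shadow row: the bracketed byte is the faulting one; the run of
    00 bytes right before it is how much of the region the annotation marks live.
    One shadow byte covers 8 application bytes; only this row is inspected."""
    tokens = bytes_field.replace("[", " [").replace("]", "] ").split()
    fault = next(i for i, t in enumerate(tokens) if t.startswith("["))
    live_shadow = 0
    for t in reversed(tokens[:fault]):
        if t != "00":
            break
        live_shadow += 1
    return tokens[fault].strip("[]"), live_shadow * 8 // access_size


def triage(report):
    """Extract kind, access, region geometry, access stack and shadow info."""
    result = {"frames": []}
    in_access_stack = False
    for line in report.splitlines():
        if m := ERROR_RE.search(line):
            result["kind"], result["address"] = m["kind"], m["addr"]
        elif m := ACCESS_RE.search(line):
            result["op"], result["thread"] = m["op"], m["thread"]
            result["access_size"] = int(m["size"])
            in_access_stack = True
        elif m := REGION_RE.search(line):
            result["offset"], result["region_size"] = int(m["offset"]), int(m["region"])
            in_access_stack = False  # the allocation stack follows; keep only the access stack
        elif in_access_stack and (m := FRAME_RE.match(line)):
            result["frames"].append(m["rest"])
        elif m := SHADOW_RE.match(line):
            result["shadow_byte"], result["annotated_live_slots"] = parse_shadow_row(
                m["bytes"], result["access_size"])
    size = result["access_size"]
    result["slot_index"] = result["offset"] // size          # which element slot was touched
    result["slot_count"] = result["region_size"] // size     # how many slots the buffer holds
    result["slot_aligned"] = result["offset"] % size == 0 and result["region_size"] % size == 0
    result["shadow_meaning"] = SHADOW_LEGEND.get(result["shadow_byte"], "unknown")
    result["app_function"], result["app_location"] = first_application_frame(result["frames"])
    return result


def summarize(r):
    return "\n".join([
        f"{r['kind']}: {r['op']} of {r['access_size']} bytes on {r['thread']}",
        f"slot {r['slot_index']} of {r['slot_count']} in a {r['region_size']}-byte buffer "
        f"(offset {r['offset']}, slot-aligned={r['slot_aligned']})",
        f"shadow byte {r['shadow_byte']} = {r['shadow_meaning']}; annotation marks "
        f"{r['annotated_live_slots']} slot(s) live before the faulting one",
        f"first non-library frame: {r['app_function']} at {r['app_location']}",
    ])


# Abridged copy of the report on this page; template arguments shortened to "...".
SAMPLE_REPORT = """\
==14517==ERROR: AddressSanitizer: container-overflow on address 0x00013bd14b68 at pc 0x000138e20b20 bp 0x00016fdf54e0 sp 0x00016fdf4c90
READ of size 24 at 0x00013bd14b68 thread T0
    #0 0x138e20b1c in __asan_memcpy+0x394 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x50b1c)
    #1 0x102d44fe4 in std::__1::basic_string<char, ...>::basic_string[abi:v160006](std::__1::basic_string<char, ...>&&) string:855
    #6 0x10d1b27bc in std::__1::vector<std::__1::basic_string<char, ...>, ...>::__swap_out_circular_buffer(...) vector:917
    #7 0x113590dd4 in void std::__1::vector<std::__1::basic_string<char, ...>, ...>::__push_back_slow_path<...>(...) vector:1542
    #8 0x113b39240 in litehtml::split_string(std::__1::basic_string<char, ...> const&, std::__1::vector<...>&, ...) html.cpp:159
    #9 0x113b5594c in _GLOBAL__sub_I_string_id.cpp+0xf4 (Qt Creator:arm64+0x113b5594c)

0x00013bd14b68 is located 72 bytes inside of 96-byte region [0x00013bd14b20,0x00013bd14b80)
allocated by thread T0 here:
    #0 0x138e310ec in wrap__Znwm+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x610ec)
    #7 0x113590d2c in void std::__1::vector<...>::__push_back_slow_path<...>(...) vector:1538
    #8 0x113b39240 in litehtml::split_string(...) html.cpp:159

SUMMARY: AddressSanitizer: container-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x50b1c) in __asan_memcpy+0x394
Shadow bytes around the buggy address:
  0x00013bd14a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x00013bd14b00: fa fa fa fa 00 00 00 00 00 00 00 00 00[fc]fc fc
  0x00013bd14b80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 04
"""

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_REPORT)))
```

Running it on the sample prints that slot 3 of 4 was read while the annotation marks 3 slots live, with litehtml::split_string at html.cpp:159 as the first non-library frame. A slot_aligned value of False would mean the access does not line up with element boundaries and the "slot" arithmetic should not be trusted; the live-slot count only looks at the single shadow row ASan marks with "=>".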

          People

            jkobus Jarek Kobus
            cadam Cristian Adam