From: bugzilla-daemon@bugzilla.kernel.org
To: linux-bluetooth@vger.kernel.org
Subject: [Bug 202213] bluez trunk tests fail with GCC 9 (or with -fsanitize=address with GCC 9)
Date: Fri, 11 Jan 2019 09:49:41 +0000
Message-ID: <bug-202213-62941-cPX9nAEond@https.bugzilla.kernel.org/>
In-Reply-To: <bug-202213-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=202213
--- Comment #5 from Martin Liška (mliska@suse.cz) ---
(In reply to Stefan Seyfried from comment #4)
> With gcc9 (finally found a way to use it in OBS :-), it asserts:
>
> abuild@strolchi:~/rpmbuild/BUILD/bluez-5.50> cat unit/test-sdp.log
> bluetoothd[3066]: Bluetooth daemon 5.50
> len: 7 raw_size: 14 cont_len: 0
> **
> ERROR:unit/test-sdp.c:258:client_handler: assertion failed: ((size_t) len ==
> rsp_pdu->raw_size + rsp_pdu->cont_len)
> FAIL unit/test-sdp (exit status: 134)
>
> I added a printf before the assert (and shifted it down one line)
The patch does not fix the root problem.
#define define_test(name, _mtu, args...) \
do { \
const struct sdp_pdu pdus[] = { \
args, { } \
}; \
static struct test_data data; \
data.mtu = _mtu; \
data.pdu_list = g_memdup(pdus, sizeof(pdus)); \
tester_add(name, &data, NULL, test_sdp, NULL); \
} while (0)
here you copy pdus, but you should also memdup .raw_data, otherwise
it will reach its end of scope.
Slightly reduced test-case that illustrates that:
$ cat test-sdp.i
struct a {
void *b;
long c
};
enum { d = 5 } typedef *e;
e g_malloc0_n();
typedef enum { f, g } h;
*g_io_channel_unix_new();
e g_memdup();
struct i {
_Bool j;
void *k;
long l
};
struct m {
struct i *n
};
struct context {
int o;
int fd;
struct m *data
};
int q;
struct i r;
struct a s[];
t(e u) {
struct context *context = u;
r = context->data->n[q];
s[0].b = r.k;
s[0].c = r.l;
writev(context->fd, s, 2);
return 0;
}
v(int channel, h cond, e u) {
struct context *context = u;
g_source_remove(context->o);
g_free(u);
tester_test_passed();
}
int *w;
int aa[];
*x(data) {
struct context *context = g_malloc0_n(1, sizeof(struct context));
socketpair(1, d, 0, aa);
w = g_io_channel_unix_new(aa[0]);
context->o = g_io_add_watch(w, g, v, context);
context->fd = aa[1];
context->data = data;
}
y() {
struct context *context = x();
g_idle_add(t, context);
}
z;
main() {
tester_init(z);
{
struct i ab[] = {.1, (char[]){4, 11, 0, 1}, sizeof(0)};
static struct m data;
data.n = g_memdup(ab, sizeof(ab));
tester_add("", &data, 0, y);
}
tester_run();
}
$ ./test
- init
- setup
- setup complete
- run
=================================================================
==29724==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7fffffffdc00 at pc 0x7ffff744c678 bp 0x7fffffffd9e0 sp 0x7fffffffd190
READ of size 4 at 0x7fffffffdc00 thread T0
#0 0x7ffff744c677 in read_iovec
/home/marxin/Programming/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:956
#1 0x7ffff744cded in __interceptor_writev
/home/marxin/Programming/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1150
#2 0x408160 in t
/home/marxin/BIG/osc/Base:System/bluez/bluez-5.50/xxx/test-sdp.i:31
#3 0x7ffff7ed8626 (/usr/lib64/libglib-2.0.so.0+0x4d626)
#4 0x7ffff7edbc14 in g_main_context_dispatch
(/usr/lib64/libglib-2.0.so.0+0x50c14)
#5 0x7ffff7edbfd7 (/usr/lib64/libglib-2.0.so.0+0x50fd7)
#6 0x7ffff7edc2d1 in g_main_loop_run (/usr/lib64/libglib-2.0.so.0+0x512d1)
#7 0x41ad10 in tester_run src/shared/tester.c:830
#8 0x408603 in main
/home/marxin/BIG/osc/Base:System/bluez/bluez-5.50/xxx/test-sdp.i:63
#9 0x7ffff7018fea in __libc_start_main ../csu/libc-start.c:308
#10 0x403789 in _start
(/home/marxin/BIG/osc/Base:System/bluez/bluez-5.50/xxx/test+0x403789)
Address 0x7fffffffdc00 is located in stack of thread T0 at offset 48 in frame
#0 0x408394 in main
/home/marxin/BIG/osc/Base:System/bluez/bluez-5.50/xxx/test-sdp.i:55
This frame has 2 object(s):
[48, 52) '<unknown>' <== Memory access at offset 48 is inside this variable
[64, 88) 'ab' (line 58)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope
/home/marxin/Programming/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:956
in read_iovec
Shadow bytes around the buggy address:
0x10007fff7b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
=>0x10007fff7b80:[f8]f2 f8 f8 f8 f3 f3 f3 f3 f3 00 00 00 00 00 00
0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
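As an added illustration of the ownership problem described above (example code, not from bluez or from this thread): a deep-copy replacement for the g_memdup() of the pdu array, beside a check that a plain struct copy still aliases the caller's buffer. The struct and function names, the malloc-based stand-in for g_memdup() and the PDU bytes are assumptions.

```c
/* Added example, not bluez code: define_test() copies the pdu array with
 * g_memdup(), but every .raw_data still points at a compound literal that
 * dies with the do/while block. Names are illustrative; malloc+memcpy stands in for g_memdup(). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct pdu {
	void *raw_data;
	size_t raw_size;
};
static void pdu_list_free(struct pdu *list, size_t n)
{
	for (size_t i = 0; list && i < n; i++)
		free(list[i].raw_data);
	free(list);
}
/* The fix: copy the array and also duplicate each raw_data buffer so the
 * list owns its bytes independently of the caller's scope. */
static struct pdu *pdu_list_deep_dup(const struct pdu *src, size_t n)
{
	struct pdu *dst = calloc(n, sizeof(*dst));
	for (size_t i = 0; dst && i < n; i++) {
		dst[i].raw_data = malloc(src[i].raw_size);
		if (!dst[i].raw_data) {
			pdu_list_free(dst, n);
			return NULL;
		}
		memcpy(dst[i].raw_data, src[i].raw_data, src[i].raw_size);
		dst[i].raw_size = src[i].raw_size;
	}
	return dst;
}
/* Returns 1 when the plain struct copy (what g_memdup does) still aliases
 * the source buffer while the deep copy survives the buffer being
 * clobbered, a stand-in for the stack slot being reused. Bytes are constructed. */
int demo_pdu_lifetime(void)
{
	uint8_t buf[] = { 0x04, 0x0b, 0x00, 0x01 };
	struct pdu src[] = { { buf, sizeof(buf) } };
	struct pdu shallow[1];
	memcpy(shallow, src, sizeof(src));
	struct pdu *deep = pdu_list_deep_dup(src, 1);
	int aliased = shallow[0].raw_data == buf;
	memset(buf, 0xff, sizeof(buf));
	int intact = deep && memcmp(deep[0].raw_data, "\x04\x0b\x00\x01", 4) == 0;
	pdu_list_free(deep, 1);
	return aliased && intact;
}
```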