https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87875
Bug ID: 87875
Summary: Address sanitizer doesn't work with nested functions with enabled stack-use-after-return check
Product: gcc
Version: 8.2.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: belous.vs at yandex dot ru
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---

Created attachment 44953
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44953&action=edit
sources

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 8.2.0-9' --with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr --with-gcc-major-version-only --program-suffix=-8 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 8.2.0 (Debian 8.2.0-9)

Commands:
cc -o libxxx.so lib.c -Wall -Wextra -Werror -fsanitize=address -ggdb3 -fPIC -shared
cc -o bin bin.c -Wall -Wextra -Werror -fsanitize=address -ggdb3 -L. -lxxx
LSAN_OPTIONS='detect_leaks=0' \
ASAN_OPTIONS='verbosity=1,detect_stack_use_after_return=true' LD_LIBRARY_PATH=. ./bin

Result:
...
==9581==AddressSanitizer Init done
==9581==T0: FakeStack created: 0x7ffff3e37000 -- 0x7ffff4940000 stack_size_log: 20; mmapped 11300K, noreserve=0
...
7ffff3e37000-7ffff6cc0000 rw-p 00000000 00:00 0
...
call cb: 0x7ffff3f40024
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9581==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffff3f40024 (pc 0x7ffff3f40024 bp 0x7fffffffe800 sp 0x7fffffffe688 T0)
==9581==The signal is caused by a READ memory access.
==9581==Hint: PC is at a non-executable region. Maybe a wild jump?
    #0 0x7ffff3f40023 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
==9581==ABORTING

It looks like the problem appears because the nested function is created on the fake stack, which is not executable. Maybe one needs to always use PROT_EXEC when creating fake stacks?
I've found a workaround: append 'READ_IMPLIES_EXEC' to the process 'personality', but it affects all 'mmap' calls, so this is not very good.
Sources are in the attachment.
With "detect_stack_use_after_return=false" all is OK.
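The hint "PC is at a non-executable region" can be confirmed by locating the callback address in the process memory map. The following is an added example, not code from the bug report or from GCC/ASan: it parses /proc/self/maps text and reports the permissions of the mapping that contains a callback address, using the FakeStack line and the "call cb" address quoted above as constructed sample input (the /tmp/bin text mapping is made up for contrast).

```c
#include <stdio.h>
#include <string.h>

/* Find the /proc/self/maps line covering `addr`. On success copy the
 * permission field (e.g. "rw-p") into `perms` and return 1; return 0 if
 * no mapping in `maps` covers the address. */
int find_mapping_perms(const char *maps, unsigned long long addr, char perms[5])
{
    const char *line = maps;
    while (line && *line) {
        unsigned long long lo, hi;
        char p[5];
        /* Each line: "start-end perms offset dev inode [path]". */
        if (sscanf(line, "%llx-%llx %4s", &lo, &hi, p) == 3 &&
            addr >= lo && addr < hi) {
            memcpy(perms, p, 5);
            return 1;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;
}

/* 1 if the mapping holding `addr` is executable, 0 if it is mapped but
 * not executable (the "wild jump" case in the report), -1 if unmapped. */
int address_is_executable(const char *maps, unsigned long long addr)
{
    char perms[5];
    if (!find_mapping_perms(maps, addr, perms))
        return -1;
    return perms[2] == 'x';
}

/* Constructed sample input: the FakeStack mapping and callback address
 * from the report, plus a made-up executable text mapping for contrast. */
static const char *sample_maps =
    "00400000-00401000 r-xp 00000000 08:01 12345 /tmp/bin\n"
    "7ffff3e37000-7ffff6cc0000 rw-p 00000000 00:00 0\n";

int main(void)
{
    unsigned long long cb = 0x7ffff3f40024ULL; /* "call cb: 0x7ffff3f40024" */
    int x = address_is_executable(sample_maps, cb);
    printf("callback %#llx is %s\n", cb,
           x == 1 ? "executable" : x == 0 ? "NOT executable" : "unmapped");
    return 0;
}
```

On a live process, read /proc/self/maps into a buffer and pass it together with the function pointer about to be called; a callback that resolves to a mapping without the `x` bit is the trampoline-on-fake-stack situation described in the report.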