https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79061

Maxim Ostapenko <m.ostapenko at samsung dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |m.ostapenko at samsung dot com

--- Comment #4 from Maxim Ostapenko <m.ostapenko at samsung dot com> ---
(In reply to Tobias Burnus from comment #3)
> (In reply to Richard Biener from comment #2)
> > Is this after the fix for PR79042?
> 
> I am nearly certain that it was after that fix.
> 
> Before, I got an UBSAN overflow but only when combining OpenMP, LTO,
> -fipa-cp-clone and UBSAN, which I had hoped PR78365 and PR78599 would fix.
> (It didn't.)
> 
> Shortly after, I saw the commit for PR79042, tried whether it made a
> difference - and ended up with this bug.
> 
> [Sorry for not narrowing the regression range in the initial report. (I
> somehow failed to realize that this ASAN message comes way before the UBSAN
> error can be triggered.)]

You have ASAN_OPTIONS=check_initialization_order=true exported on your system,
right? (Because without this option the initialization-order-fiasco checker is
disabled.)

Here is a more detailed ASan log:

$ ASAN_OPTIONS=check_initialization_order=true:report_globals=3 ./a.out
    #0 0x41a29b in __asan_register_globals
/home/max/workspace/downloads/gcc/libsanitizer/asan/asan_globals.cc:326
    #1 0x4f608f in _GLOBAL__sub_I_00099_1_main.4474 (/tmp/test/a.out+0x4f608f)
    #2 0x4f60ec in __libc_csu_init (/tmp/test/a.out+0x4f60ec)
    #3 0x7f9f12efaed4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ed4)
    #4 0x405feb  (/tmp/test/a.out+0x405feb)

=== ID 1140850689; 0x00000072ce40 0x00000072d000
==29614==Added Global[0x00000072ce40]: beg=0x00000050bee0 size=1/64
name=piecewise_construct module=/tmp/ccdXK8GX.ltrans0.o dyn_init=0
==29614==  location (0x00000072ce00):
name=/home/max/install/master/include/c++/7.0.0/bits/stl_pair.h[0x00000050c020],
79 35
==29614==Added Global[0x00000072ce80]: beg=0x000001391e20 size=1/64
name=__ioinit module=/tmp/ccdXK8GX.ltrans0.o dyn_init=1
==29614==  location (0x00000072ce10):
name=/home/max/install/master/include/c++/7.0.0/iostream[0x00000050c060], 74 25
==29614==Added Global[0x00000072cec0]: beg=0x000001391ea0 size=2/64
name=xptimer_coordinit module=/tmp/ccdXK8GX.ltrans0.o dyn_init=1
==29614==  location (0x00000072ce20): name=xptiming.cc[0x00000050bf60], 5 9
==29614==Added Global[0x00000072cf00]: beg=0x000001391e60 size=2/64
name=xptimer_tiling module=/tmp/ccdXK8GX.ltrans0.o dyn_init=1
==29614==  location (0x00000072ce30): name=xptiming.cc[0x00000050bf60], 4 9
==29614==Added Global[0x00000072cf40]: beg=0x00000050bfe0 size=18/64 name=*.LC3
module=/tmp/ccdXK8GX.ltrans0.o dyn_init=0
==29614==Added Global[0x00000072cf80]: beg=0x00000050bf60 size=12/64 name=*.LC1
module=/tmp/ccdXK8GX.ltrans0.o dyn_init=0
==29614==Added Global[0x00000072cfc0]: beg=0x00000050bfa0 size=15/64 name=*.LC2
module=/tmp/ccdXK8GX.ltrans0.o dyn_init=0
==29614==Added Global[0x00000072d000]: beg=0x00000050bf20 size=11/64 name=*.LC0
module=/tmp/ccdXK8GX.ltrans0.o dyn_init=0
DynInitPoison module: xptimer.cc
DynInitPoison module: xptiming.cc
=================================================================
==29614==Search Global[0x00000072d000]: beg=0x00000050bf20 size=11/64
name=*.LC0 module=/tmp/ccdXK8GX.ltrans0.o dyn_init=0
==29614==Search Global[0x00000072cfc0]: beg=0x00000050bfa0 size=15/64
name=*.LC2 module=/tmp/ccdXK8GX.ltrans0.o dyn_init=0
==29614==Search Global[0x00000072cf80]: beg=0x00000050bf60 size=12/64
name=*.LC1 module=/tmp/ccdXK8GX.ltrans0.o dyn_init=0
==29614==Search Global[0x00000072cf40]: beg=0x00000050bfe0 size=18/64
name=*.LC3 module=/tmp/ccdXK8GX.ltrans0.o dyn_init=0
==29614==Search Global[0x00000072cf00]: beg=0x000001391e60 size=2/64
name=xptimer_tiling module=/tmp/ccdXK8GX.ltrans0.o dyn_init=1
==29614==  location (0x00000072ce30): name=xptiming.cc[0x00000050bf60], 4 9
==29614==Search Global[0x00000072cec0]: beg=0x000001391ea0 size=2/64
name=xptimer_coordinit module=/tmp/ccdXK8GX.ltrans0.o dyn_init=1
==29614==  location (0x00000072ce20): name=xptiming.cc[0x00000050bf60], 5 9
==29614==Search Global[0x00000072ce80]: beg=0x000001391e20 size=1/64
name=__ioinit module=/tmp/ccdXK8GX.ltrans0.o dyn_init=1
==29614==  location (0x00000072ce10):
name=/home/max/install/master/include/c++/7.0.0/iostream[0x00000050c060], 74 25
==29614==Search Global[0x00000072ce40]: beg=0x00000050bee0 size=1/64
name=piecewise_construct module=/tmp/ccdXK8GX.ltrans0.o dyn_init=0
==29614==  location (0x00000072ce00):
name=/home/max/install/master/include/c++/7.0.0/bits/stl_pair.h[0x00000050c020],
79 35
==29614==ERROR: AddressSanitizer: initialization-order-fiasco on address
0x000001391e60 at pc 0x0000004f5ea9 bp 0x7ffcf3920920 sp 0x7ffcf3920918
WRITE of size 1 at 0x000001391e60 thread T0
    #0 0x4f5ea8 in __base_ctor  /tmp/test/xptimer.cc:9
    #1 0x4f602d in __static_initialization_and_destruction_0
/tmp/test/xptiming.cc:4
    #2 0x4f605b in _GLOBAL__sub_I_xptimer_tiling /tmp/test/xptiming.cc:5
    #3 0x4f60ec in __libc_csu_init (/tmp/test/a.out+0x4f60ec)
    #4 0x7f9f12efaed4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ed4)
    #5 0x405feb  (/tmp/test/a.out+0x405feb)

0x000001391e60 is located 0 bytes inside of global variable 'xptimer_tiling'
defined in 'xptiming.cc:4:9' (0x1391e60) of size 2
  registered at:
    #0 0x41a558 in __asan_register_globals
/home/max/workspace/downloads/gcc/libsanitizer/asan/asan_globals.cc:317
    #1 0x4f608f in _GLOBAL__sub_I_00099_1_main.4474 (/tmp/test/a.out+0x4f608f)
    #2 0x4f60ec in __libc_csu_init (/tmp/test/a.out+0x4f60ec)

SUMMARY: AddressSanitizer: initialization-order-fiasco /tmp/test/xptimer.cc:9
in __base_ctor 
Shadow bytes around the buggy address:
  0x00008026a370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008026a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008026a390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008026a3a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008026a3b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008026a3c0: 00 00 00 00 f6 f6 f6 f6 f6 f6 f6 f6[f6]f6 f6 f6
  0x00008026a3d0: f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 00 00 00 00
  0x00008026a3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008026a3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008026a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008026a410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29614==ABORTING

I suspect this happens because the module name from the globals descriptor
(g.module_name) doesn't match the module name passed to
__asan_before_dynamic_init. E.g. in our case we have:
g.module_name == /tmp/ccdXK8GX.ltrans0.o for both the xptimer_tiling and
xptimer_coordinit variables, and module_name == xptimer.cc and module_name ==
xptiming.cc for the corresponding __asan_before_dynamic_init calls.
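
To check a `report_globals=3` log for the mismatch suspected above, the following added example (not part of the original comment or of libsanitizer) parses the `Added Global` and `DynInitPoison module` lines and lists which globals would be poisoned while a given module initializes. It assumes a simplified model in which every `dyn_init=1` global whose descriptor module differs from the name passed to `__asan_before_dynamic_init` is poisoned; the function names are hypothetical.

```python
import re

# Excerpt of the report_globals=3 log quoted above (mail line-wrapping kept).
SAMPLE_LOG = """\
==29614==Added Global[0x00000072ce80]: beg=0x000001391e20 size=1/64
name=__ioinit module=/tmp/ccdXK8GX.ltrans0.o dyn_init=1
==29614==Added Global[0x00000072cec0]: beg=0x000001391ea0 size=2/64
name=xptimer_coordinit module=/tmp/ccdXK8GX.ltrans0.o dyn_init=1
==29614==Added Global[0x00000072cf00]: beg=0x000001391e60 size=2/64
name=xptimer_tiling module=/tmp/ccdXK8GX.ltrans0.o dyn_init=1
==29614==Added Global[0x00000072cf40]: beg=0x00000050bfe0 size=18/64 name=*.LC3
module=/tmp/ccdXK8GX.ltrans0.o dyn_init=0
DynInitPoison module: xptimer.cc
DynInitPoison module: xptiming.cc
"""

GLOBAL_RE = re.compile(
    r"Added Global\[0x[0-9a-f]+\]:\s+beg=(0x[0-9a-f]+)\s+size=(\d+)/\d+\s+"
    r"name=(\S+)\s+module=(\S+)\s+dyn_init=([01])")
POISON_RE = re.compile(r"^DynInitPoison module:\s*(\S+)", re.M)

def parse_log(text):
    """Return (dyn_init=1 globals, module names passed to the init hook)."""
    flat = re.sub(r"\n(?=name=|module=)", " ", text)  # rejoin wrapped records
    globs = [dict(beg=int(b, 16), size=int(s), name=n, module=m)
             for b, s, n, m, d in GLOBAL_RE.findall(flat) if d == "1"]
    return globs, POISON_RE.findall(flat)

def poisoned_during(globs, init_module):
    """Assumed model: poison each dyn_init global owned by another module.
    Names are compared as strings here."""
    return [g["name"] for g in globs if g["module"] != init_module]

def self_poisoned_modules(text):
    """Init-hook modules that no registered dyn_init global names as owner,
    so even that module's own globals stay poisoned while it initializes."""
    globs, hooks = parse_log(text)
    owners = {g["module"] for g in globs}
    return [m for m in hooks if m not in owners]

def owner_of(text, addr):
    """Map a faulting address from the report to a dyn_init global."""
    globs, _ = parse_log(text)
    return next((g["name"] for g in globs
                 if g["beg"] <= addr < g["beg"] + g["size"]), None)

if __name__ == "__main__":
    print("mismatched init modules:", self_poisoned_modules(SAMPLE_LOG))
    print("0x1391e60 belongs to:", owner_of(SAMPLE_LOG, 0x1391e60))
```

On this excerpt both `xptimer.cc` and `xptiming.cc` are reported, because every descriptor carries the LTO partition name `/tmp/ccdXK8GX.ltrans0.o` instead of a source file name.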
