From patchwork Tue Apr 13 20:38:49 2021
X-Patchwork-Submitter: Laurent Pinchart
X-Patchwork-Id: 11919
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Tue, 13 Apr 2021 23:38:49 +0300
Message-Id: <20210413203849.4902-1-laurent.pinchart@ideasonboard.com>
X-Mailer: git-send-email 2.28.1
Subject: [libcamera-devel] [PATCH v2] libcamera: bound_method: Please the gcc undefined behaviour sanitizer

Enabling the gcc undefined behaviour sanitizer (with the meson configure
-Db_sanitize=undefined option) causes many tests to fail, with errors
such as the following (for test/object-invoke):

------------------------------------------------------------------------
../../include/libcamera/bound_method.h:198:27: runtime error: member access within address 0x55fcd7bfbd38 which does not point to an object of type 'BoundMethodBase'
0x55fcd7bfbd38: note: object has invalid vptr
 fc 55 00 00 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 00 00 00 00 00 00 00 4b c6 72 88
             ^~~~~~~~~~~~~~~~~~~~~~~
             invalid vptr
../../include/libcamera/bound_method.h:198:41: runtime error: member call on null pointer of type 'struct InvokedObject'
../../include/libcamera/bound_method.h:198:41: runtime error: member access within null pointer of type 'struct InvokedObject'
Segmentation fault
------------------------------------------------------------------------

or

------------------------------------------------------------------------
../../include/libcamera/bound_method.h:198:27: runtime error: member access within address 0x603000006628 which does not point to an object of type 'BoundMethodBase'
0x603000006628: note: object has invalid vptr
 70 55 00 00 2a 00 00 00 be be be be 03 02 00 00 18 00 00 00 01 00 00 60 00 00 00 00 05 00 80 07
             ^~~~~~~~~~~~~~~~~~~~~~~
             invalid vptr
=================================================================
==941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000006630 at pc 0x55704e461371 bp 0x7fff539b9040 sp 0x7fff539b9030
READ of size 8 at 0x603000006630 thread T0
    #0 0x55704e461370 in libcamera::BoundMethodMember::invoke(int) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x47370)
    #1 0x55704e4622ca in void libcamera::BoundMethodArgs::invokePack<0ul>(libcamera::BoundMethodPackBase*, std::integer_sequence) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x482ca)
    #2 0x55704e460a93 in libcamera::BoundMethodArgs::invokePack(libcamera::BoundMethodPackBase*) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x46a93)
    #3 0x7fdc38a5fec4 in libcamera::InvokeMessage::invoke() ../../src/libcamera/message.cpp:154
    #4 0x7fdc38a62faf in libcamera::Object::message(libcamera::Message*) ../../src/libcamera/object.cpp:183
    #5 0x7fdc38ad3742 in libcamera::Thread::dispatchMessages(libcamera::Message::Type) ../../src/libcamera/thread.cpp:575
    #6 0x7fdc38972d8d in libcamera::EventDispatcherPoll::processEvents() ../../src/libcamera/event_dispatcher_poll.cpp:148
    #7 0x55704e44bc15 in ObjectInvokeTest::run() (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x31c15)
    #8 0x55704e4630ab in Test::execute() ../../test/libtest/test.cpp:28
    #9 0x55704e44965b in main ../../test/object-invoke.cpp:204
    #10 0x7fdc36090eba in __libc_start_main ../csu/libc-start.c:314
    #11 0x55704e449359 in _start (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x2f359)

0x603000006630 is located 0 bytes to the right of 32-byte region [0x603000006610,0x603000006630)
allocated by thread T0 here:
    #0 0x7fdc3ad757c7 in operator new(unsigned long) /var/tmp/portage/sys-devel/gcc-11.0.1_pre9999/work/gcc-11.0.1_pre9999/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x55704e45afea in __gnu_cxx::new_allocator, std::allocator >, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x40fea)
    #2 0x55704e45a45d in std::allocator_traits, std::allocator >, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator, std::allocator >, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x4045d)
    #3 0x55704e458339 in std::__allocated_ptr, std::allocator >, (__gnu_cxx::_Lock_policy)2> > > std::__allocate_guarded, std::allocator >, (__gnu_cxx::_Lock_policy)2> > >(std::allocator, std::allocator >, (__gnu_cxx::_Lock_policy)2> >&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3e339)
    #4 0x55704e4574ad in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count, std::allocator >, int&>(libcamera::BoundMethodPack*&, std::_Sp_alloc_shared_tag > >, int&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3d4ad)
    #5 0x55704e4569c7 in std::__shared_ptr, (__gnu_cxx::_Lock_policy)2>::__shared_ptr >, int&>(std::_Sp_alloc_shared_tag > >, int&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3c9c7)
    #6 0x55704e455f9d in std::shared_ptr >::shared_ptr >, int&>(std::_Sp_alloc_shared_tag > >, int&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3bf9d)
    #7 0x55704e454eb5 in std::shared_ptr > std::allocate_shared, std::allocator >, int&>(std::allocator > const&, int&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3aeb5)
    #8 0x55704e454220 in std::shared_ptr > std::make_shared, int&>(int&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3a220)
    #9 0x55704e450e60 in libcamera::BoundMethodMember::activate(int, bool) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x36e60)
    #10 0x55704e44efb2 in void libcamera::Object::invokeMethod(void (InvokedObject::*)(int), libcamera::ConnectionType, int) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x34fb2)
    #11 0x55704e44b7cc in ObjectInvokeTest::run() (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x317cc)
    #12 0x55704e4630ab in Test::execute() ../../test/libtest/test.cpp:28
    #13 0x55704e44965b in main ../../test/object-invoke.cpp:204
    #14 0x7fdc36090eba in __libc_start_main ../csu/libc-start.c:314

SUMMARY: AddressSanitizer: heap-buffer-overflow (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x47370) in libcamera::BoundMethodMember::invoke(int)
Shadow bytes around the buggy address:
  0x0c067fff8c70: 00 fa fa fa 00 00 06 fa fa fa fd fd fd fd fa fa
  0x0c067fff8c80: 00 00 06 fa fa fa 00 00 03 fa fa fa 00 00 00 05
  0x0c067fff8c90: fa fa 00 00 04 fa fa fa 00 00 00 00 fa fa fd fd
  0x0c067fff8ca0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8cb0: fd fd fd fd fa fa 00 00 00 00 fa fa 00 00 00 00
=>0x0c067fff8cc0: fa fa 00 00 00 00[fa]fa fd fd fd fa fa fa fa fa
  0x0c067fff8cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==941==ABORTING
------------------------------------------------------------------------

The root cause isn't clear, but this change fixes the issue. It may be a
bug in gcc.

Signed-off-by: Laurent Pinchart
Acked-by: Kieran Bingham
---
Changes since v1:

- Add another error to the commit message
- Expand the change to two other locations, for consistency
---
 include/libcamera/bound_method.h | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/include/libcamera/bound_method.h b/include/libcamera/bound_method.h index f216e3b56826..4fc445ecd191 100644 --- a/include/libcamera/bound_method.h +++ b/include/libcamera/bound_method.h @@ -153,8 +153,10 @@ public: R activate(Args... args, bool deleteMethod = false) override { - if (!this->object_) - return (static_cast(this->obj_)->*func_)(args...); + if (!this->object_) { + T *obj = static_cast(this->obj_); + return (obj->*func_)(args...); + } auto pack = std::make_shared(args...); bool sync = BoundMethodBase::activatePack(pack, deleteMethod); @@ -163,7 +165,8 @@ public: R invoke(Args... args) override { - return (static_cast(this->obj_)->*func_)(args...); + T *obj = static_cast(this->obj_); + return (obj->*func_)(args...); } private: @@ -186,8 +189,10 @@ public: void activate(Args... args, bool deleteMethod = false) override { - if (!this->object_) - return (static_cast(this->obj_)->*func_)(args...); + if (!this->object_) { + T *obj = static_cast(this->obj_); + return (obj->*func_)(args...); + } auto pack = std::make_shared(args...); BoundMethodBase::activatePack(pack, deleteMethod); @@ -195,7 +200,8 @@ public: void invoke(Args... args) override { - (static_cast(this->obj_)->*func_)(args...); + T *obj = static_cast(this->obj_); + return (obj->*func_)(args...); } private:
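
Review bot: The new local `obj` in the first activate() (hunk `@@ -153,8 +153,10 @@`, repeated at the three other sites) has no comment marking it as a sanitizer workaround. As written, `return (obj->*func_)(args...);` reads as equivalent to the one-line form it replaces, so a later cleanup is likely to fold the temporary back in and bring the failures back. Please add a short comment at each site, or one above the class, saying that the temporary is required for gcc builds configured with -Db_sanitize=undefined, and name the gcc version the reports came from (the build paths in the commit message show gcc 11.0.1) so the workaround can be re-tested and dropped later. Because the commit message says the root cause isn't clear and the second report is an AddressSanitizer heap-buffer-overflow READ of size 8 in invoke(), it is also worth stating whether test/object-invoke passes with both sanitizers enabled after the change, so it is clear the out-of-bounds read is gone and not just the invalid vptr report.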
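
Review bot: In the last hunk (`@@ -195,7 +200,8 @@`, the void invoke()), the added line `return (obj->*func_)(args...);` introduces a `return` that the removed line did not have. Returning a void expression from a void function compiles, but it is an unrelated change in a patch whose stated purpose is only the workaround, and the void activate() needs its `return` for the early exit while invoke() does not. Suggest `(obj->*func_)(args...);` without `return` here, so the only difference from the old code is the temporary.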