illegal read of byte preceding an automatic (stack allocate) variable

[RobertHenry6bev]

Description

Compiling on/for x64 architecture on linux with clang-14.

The function CMiniMdBase::InitColsForTable

runtime/src/coreclr/md/runtime/metamodel.cpp

Line 720 in 9bd2cb5

CMiniColDef pCols[9]; // The col defs to init.

allocates an automatic array variable of CMiniColDef[9]. The base address of this array is passed down through UsesAllocatedMemory(). UsesAllocatedMemory apparently implements some kind of marking of the preceding byte to determine if the block was obtained from a memory allocator.

But in this case, the block is an automatic in some nearby frame. In our case, the preceding bytes contain a pointer pTemplate. Uses AllocatedMemory reads a byte from that pointer, which one depends on endianness.

You can't do thatt.

Reproduction Steps

Compile with -fsanitize=address and stop at first fail.

Expected behavior

no errors detected by asan

Actual behavior

Read an adjacent memory location.

Regression?

No response

Known Workarounds

Probably put a dummy slot in the frame before the [9] vector to emulate what's done when those CMiniColDefs are allocated dynamically.

Configuration

No response

Other information

No response

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

Tagging subscribers to this area: @hoyosjs
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

Compiling on/for x64 architecture on linux with clang-14.

The function CMiniMdBase::InitColsForTable

runtime/src/coreclr/md/runtime/metamodel.cpp

Line 720 in 9bd2cb5

CMiniColDef pCols[9]; // The col defs to init.

allocates an automatic array variable of CMiniColDef[9]. The base address of this array is passed down through UsesAllocatedMemory(). UsesAllocatedMemory apparently implements some kind of marking of the preceding byte to determine if the block was obtained from a memory allocator.

But in this case, the block is an automatic in some nearby frame. In our case, the preceding bytes contain a pointer pTemplate. Uses AllocatedMemory reads a byte from that pointer, which one depends on endianness.

You can't do thatt.

Reproduction Steps

Compile with -fsanitize=address and stop at first fail.

Expected behavior

no errors detected by asan

Actual behavior

Read an adjacent memory location.

Regression?

No response

Known Workarounds

Probably put a dummy slot in the frame before the [9] vector to emulate what's done when those CMiniColDefs are allocated dynamically.

Configuration

No response

Other information

No response

Author:	RobertHenry6bev
Assignees:	-
Labels:	area-Infrastructure-coreclr, untriaged, in-pr
Milestone:	-

Tagging subscribers to this area: @tommcdon
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

Compiling on/for x64 architecture on linux with clang-14.

The function CMiniMdBase::InitColsForTable

runtime/src/coreclr/md/runtime/metamodel.cpp

Line 720 in 9bd2cb5

CMiniColDef pCols[9]; // The col defs to init.

allocates an automatic array variable of CMiniColDef[9]. The base address of this array is passed down through UsesAllocatedMemory(). UsesAllocatedMemory apparently implements some kind of marking of the preceding byte to determine if the block was obtained from a memory allocator.

But in this case, the block is an automatic in some nearby frame. In our case, the preceding bytes contain a pointer pTemplate. Uses AllocatedMemory reads a byte from that pointer, which one depends on endianness.

You can't do thatt.

Reproduction Steps

Compile with -fsanitize=address and stop at first fail.

Expected behavior

no errors detected by asan

Actual behavior

Read an adjacent memory location.

Regression?

No response

Known Workarounds

Probably put a dummy slot in the frame before the [9] vector to emulate what's done when those CMiniColDefs are allocated dynamically.

Configuration

No response

Other information

No response

Author:	RobertHenry6bev
Assignees:	-
Labels:	area-Diagnostics-coreclr, area-Infrastructure-coreclr, in-pr
Milestone:	-

[mikelle-rogers]

Moving to future as this long term work to enable sanitizers is ongoing. This will be fixed as part of that.