[SR-11316] Swift Address Sanitizer fails to catch trivial use-after-free #53717

Open
Lukasa opened this issue Aug 16, 2019 · 1 comment
Labels
bug A deviation from expected or documented behavior. Also: expected but undesirable behavior. compiler The Swift compiler in itself found by asan Flag: An issue found by the Address Sanitizer

Comments

@Lukasa
Contributor

Lukasa commented Aug 16, 2019

Previous ID SR-11316
Radar None
Original Reporter @Lukasa
Type Bug
Environment

Apple Swift version 5.1 (swiftlang-1100.0.257.2 clang-1100.0.31.3)
Target: x86_64-apple-darwin19.0.0

Additional Detail from JIRA
Votes 0
Component/s Compiler
Labels Bug, ASan
Assignee None
Priority Medium

md5: 50ad02007f272067ec8e8b9fef2c3c04

Issue Description:

The following Swift program is memory unsafe (see SR-11315), as it contains a use-after-free.

// Reads the first Int through a raw pointer; the caller is responsible for keeping
// the memory alive for the duration of the call.
@inline(never)
func foo(_ t: UnsafeRawPointer) -> Int {
    return t.assumingMemoryBound(to: Int.self).pointee
}

// The temporary Array is implicitly converted to an UnsafeRawPointer for the
// UnsafeRawPointer.init call only; its storage is released before foo runs,
// so foo dereferences freed memory.
@inline(never)
func test() {
    foo(UnsafeRawPointer(Array(repeating: 1, count: 1_000_000)))
}

test()

The use-after-free can be observed in the SIL for test:

// test()
sil hidden [noinline] @$s4bug24testyyF : $@convention(thin) () -> () {
bb0:
  %0 = integer_literal $Builtin.Int64, 1          // users: %29, %3
  %1 = integer_literal $Builtin.Int64, 1000000    // users: %33, %2
  %2 = struct $Int (%1 : $Builtin.Int64)          // users: %14, %7
  %3 = struct $Int (%0 : $Builtin.Int64)          // user: %32
  %4 = integer_literal $Builtin.Int64, 0          // user: %19
  %5 = metatype $@thin Array<Int>.Type            // user: %7
  // function_ref static Array._allocateBufferUninitialized(minimumCapacity:)
  %6 = function_ref @$sSa28_allocateBufferUninitialized15minimumCapacitys06_ArrayB0VyxGSi_tFZ : $@convention(method) <τ_0_0> (Int, @thin Array<τ_0_0>.Type) -> @owned _ArrayBuffer<τ_0_0> // user: %7
  %7 = apply %6<Int>(%2, %5) : $@convention(method) <τ_0_0> (Int, @thin Array<τ_0_0>.Type) -> @owned _ArrayBuffer<τ_0_0> // users: %22, %8
  %8 = struct_extract %7 : $_ArrayBuffer<Int>, #_ArrayBuffer._storage // user: %9
  %9 = struct_extract %8 : $_BridgeStorage<__ContiguousArrayStorageBase>, #_BridgeStorage.rawValue // user: %10
  %10 = unchecked_ref_cast %9 : $Builtin.BridgeObject to $__ContiguousArrayStorageBase // users: %21, %15, %11
  %11 = ref_element_addr %10 : $__ContiguousArrayStorageBase, #__ContiguousArrayStorageBase.countAndCapacity // user: %12
  %12 = struct_element_addr %11 : $*_ArrayBody, #_ArrayBody._storage // user: %13
  %13 = struct_element_addr %12 : $*_SwiftArrayBodyStorage, #_SwiftArrayBodyStorage.count // user: %14
  store %2 to %13 : $*Int                         // id: %14
  %15 = ref_tail_addr %10 : $__ContiguousArrayStorageBase, $Int // user: %16
  %16 = address_to_pointer %15 : $*Int to $Builtin.RawPointer // users: %20, %19
  %17 = integer_literal $Builtin.Int1, -1         // user: %29
  %18 = integer_literal $Builtin.Word, 1          // user: %35
  br bb2(%16 : $Builtin.RawPointer, %4 : $Builtin.Int64) // id: %19

bb1:                                              // Preds: bb2
  %20 = struct $UnsafeRawPointer (%16 : $Builtin.RawPointer) // user: %21
  %21 = mark_dependence %20 : $UnsafeRawPointer on %10 : $__ContiguousArrayStorageBase // user: %24
  release_value %7 : $_ArrayBuffer<Int>           // id: %22
  // function_ref foo(_:)
  %23 = function_ref @$s4bug23fooySiSVF : $@convention(thin) (UnsafeRawPointer) -> Int // user: %24
  %24 = apply %23(%21) : $@convention(thin) (UnsafeRawPointer) -> Int
  %25 = tuple ()                                  // user: %26
  return %25 : $()                                // id: %26

// %27                                            // user: %31
// %28                                            // user: %29
bb2(%27 : $Builtin.RawPointer, %28 : $Builtin.Int64): // Preds: bb3 bb0
  %29 = builtin "sadd_with_overflow_Int64"(%28 : $Builtin.Int64, %0 : $Builtin.Int64, %17 : $Builtin.Int1) : $(Builtin.Int64, Builtin.Int1) // user: %30
  %30 = tuple_extract %29 : $(Builtin.Int64, Builtin.Int1), 0 // users: %37, %33
  %31 = pointer_to_address %27 : $Builtin.RawPointer to [strict] $*Int // users: %35, %32
  store %3 to %31 : $*Int                         // id: %32
  %33 = builtin "cmp_eq_Int64"(%30 : $Builtin.Int64, %1 : $Builtin.Int64) : $Builtin.Int1 // user: %34
  cond_br %33, bb1, bb3                           // id: %34

bb3:                                              // Preds: bb2
  %35 = index_addr %31 : $*Int, %18 : $Builtin.Word // user: %36
  %36 = address_to_pointer %35 : $*Int to $Builtin.RawPointer // user: %37
  br bb2(%36 : $Builtin.RawPointer, %30 : $Builtin.Int64) // id: %37
} // end sil function '$s4bug24testyyF'

The pointer is loaded into %16, then to %20, then passed into %23. Unfortunately, the backing storage was freed 3 lines earlier. This means the pointer is being used after the value it is pointing to is freed.

However, ASAN does not trigger.

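The three ways of handing the array's storage to foo, as an added example that is not part of the original report (the function names dangling, implicitlyScoped and explicitlyScoped are chosen here for illustration). The first form is the one from the issue: the array-to-pointer conversion is scoped to the UnsafeRawPointer.init call, so the storage is released before foo reads it. The other two keep the storage alive for the whole read, either by letting the implicit conversion apply to foo's own argument (the pointer is then valid for the duration of that call) or by scoping the pointer explicitly with withUnsafeBytes.

```swift
@inline(never)
func foo(_ t: UnsafeRawPointer) -> Int {
    return t.assumingMemoryBound(to: Int.self).pointee
}

// Dangling (the pattern from the issue): the implicit Array -> UnsafeRawPointer
// conversion only guarantees the pointer for the UnsafeRawPointer.init call.
// By the time foo runs, the array buffer has already been released.
@inline(never)
func dangling() -> Int {
    return foo(UnsafeRawPointer(Array(repeating: 1, count: 1_000_000)))
}

// Valid: the implicit conversion is applied to foo's own parameter, so the
// temporary array is kept alive for the duration of the foo call.
@inline(never)
func implicitlyScoped() -> Int {
    return foo(Array(repeating: 1, count: 1_000_000))
}

// Valid and explicit: withUnsafeBytes scopes the pointer to the closure, and
// the array is a named local that outlives the read.
@inline(never)
func explicitlyScoped() -> Int {
    let values = Array(repeating: 1, count: 1_000_000)
    return values.withUnsafeBytes { raw -> Int in
        // baseAddress is nil only for an empty buffer; this one has 1_000_000 elements.
        guard let base = raw.baseAddress else { return 0 }
        return foo(base)
    }
}

// All three calls typically print 1: a read from freed memory usually returns
// the stale contents, so a "correct" value is not evidence that the first form
// is safe.
print(dangling(), implicitlyScoped(), explicitlyScoped())
```

Build with `swiftc -O -sanitize=address` to reproduce the report: the expected outcome is an ASan use-after-free report on the `dangling` path and none on the other two, and the issue's point is that on Swift 5.1 the first report does not appear. Inspecting the SIL (`swiftc -emit-sil`) for `dangling` shows the same `release_value` before the `apply` as in the dump above, which is a cheaper way to confirm the ordering than relying on the sanitizer.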
@belkadan
Contributor

cc ravikandhadai (JIRA User), @kubamracek

@swift-ci swift-ci transferred this issue from apple/swift-issues Apr 25, 2022