https://bugs.winehq.org/show_bug.cgi?id=52386
Bug ID: 52386
Summary: err:module:LdrInitializeThunk "libclang_rt.asan_dynamic-i386.dll" failed to initialize when using clang address sanitizer
Product: Wine
Version: 5.0.5
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: ralf.habacker@freenet.de
Distribution: ---
Created attachment 71603 --> https://bugs.winehq.org/attachment.cgi?id=71603 testcase binary
This test case
$ cat use-after-free.cc
int main(int argc, char **argv) {
    int *array = new int[100];
    delete [] array;
    return array[argc];  // BOOM
}
compiled with
$ i686-w64-mingw32-clang use-after-free.cc -fsanitize=address -g -o use-after-free-i386.exe
makes wine fail with the error message in the title.
The compiler was downloaded from https://github.com/mstorsjo/llvm-mingw/releases (https://github.com/mstorsjo/llvm-mingw/releases/download/20211002/llvm-mingw...)
--- Comment #1 from Ralf Habacker ralf.habacker@freenet.de --- Created attachment 71604 --> https://bugs.winehq.org/attachment.cgi?id=71604 wine log
--- Comment #2 from Ralf Habacker ralf.habacker@freenet.de --- Created attachment 71605 --> https://bugs.winehq.org/attachment.cgi?id=71605 windows log
--- Comment #3 from Ralf Habacker ralf.habacker@freenet.de --- Created attachment 71606 --> https://bugs.winehq.org/attachment.cgi?id=71606 testcase source
--- Comment #4 from Ralf Habacker ralf.habacker@freenet.de --- Created attachment 71607 --> https://bugs.winehq.org/attachment.cgi?id=71607 backtrace
--- Comment #5 from Ralf Habacker ralf.habacker@freenet.de --- The location mentioned in the backtrace
#0 0x10001c34 in InterceptionFailed () at ../lib/interception/interception_win.cpp:146
can be inspected here: https://github.com/llvm/llvm-project/blob/1bb0caf561688681be67cc91560348c9e4...
Eric Pouech eric.pouech@orange.fr changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eric.pouech@orange.fr
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEW
           See Also|                            |https://bugs.winehq.org/show_bug.cgi?id=50993
--- Comment #6 from Eric Pouech eric.pouech@orange.fr --- confirmed sibling of #50993, which is more targeted to 64bit programs, while this one is targeting 32bit... core of issue is the same
--- Comment #7 from Eric Pouech eric.pouech@orange.fr --- Created attachment 71626 --> https://bugs.winehq.org/attachment.cgi?id=71626 patch against llvm-mingw32
The attached patch to llvm-mingw allows the use case to be run. Partial result:
[eric:~/work/llvm-mingw/target/i686-w64-mingw32/bin]$ ~/work/output-wine/wine/wine ~/work/output-wine/wine/bugzilla/52386/use-after-free-i386.exe
=================================================================
==32==ERROR: AddressSanitizer: heap-use-after-free on address 0x00f03e44 at pc 0x00401492 bp 0x0021fe8c sp 0x0021fe88
READ of size 4 at 0x00f03e44 thread T0
0024:fixme:dbghelp_dwarf:dwarf2_read_range no entry found
0024:fixme:dbghelp_dwarf:dwarf2_read_range no entry found
    #0 0x401491 in main+0x81 (H:\work\output-wine\wine\bugzilla\52386\use-after-free-i386.exe+0x401491)
    #1 0x401396 in __tmainCRTStartup H:\work\llvm-mingw\mingw-w64\mingw-w64-crt\crt\crtexe.c:321
    #2 0x7b62dd4f in BaseThreadInitThunk+0xf (C:\windows\system32\kernel32.dll+0x7b62dd4f)
    #3 0x7bc57856 in RtlUserThreadStart+0x26 (C:\windows\system32\ntdll.dll+0x7bc57856)
    #4 0x7bc57f0f in call_thread_func+0xaf (C:\windows\system32\ntdll.dll+0x7bc57f0f)

0x00f03e44 is located 4 bytes inside of 400-byte region [0x00f03e40,0x00f03fd0)
freed by thread T0 here:
    #0 0x10042c4b in operator delete[]+0x7b (H:\work\llvm-mingw\target\i686-w64-mingw32\bin\libclang_rt.asan_dynamic-i386.dll+0x10042c4b)
    #1 0x401450 in main+0x40 (H:\work\output-wine\wine\bugzilla\52386\use-after-free-i386.exe+0x401450)
    #2 0x401396 in __tmainCRTStartup H:\work\llvm-mingw\mingw-w64\mingw-w64-crt\crt\crtexe.c:321
    #3 0x7b62dd4f in BaseThreadInitThunk+0xf (C:\windows\system32\kernel32.dll+0x7b62dd4f)
    #4 0x7bc57856 in RtlUserThreadStart+0x26 (C:\windows\system32\ntdll.dll+0x7bc57856)
    #5 0x7bc57f0f in call_thread_func+0xaf (C:\windows\system32\ntdll.dll+0x7bc57f0f)

previously allocated by thread T0 here:
    #0 0x100424eb in operator new[]+0x7b (H:\work\llvm-mingw\target\i686-w64-mingw32\bin\libclang_rt.asan_dynamic-i386.dll+0x100424eb)
    #1 0x401433 in main+0x23 (H:\work\output-wine\wine\bugzilla\52386\use-after-free-i386.exe+0x401433)
    #2 0x401396 in __tmainCRTStartup H:\work\llvm-mingw\mingw-w64\mingw-w64-crt\crt\crtexe.c:321
    #3 0x7b62dd4f in BaseThreadInitThunk+0xf (C:\windows\system32\kernel32.dll+0x7b62dd4f)
    #4 0x7bc57856 in RtlUserThreadStart+0x26 (C:\windows\system32\ntdll.dll+0x7bc57856)
    #5 0x7bc57f0f in call_thread_func+0xaf (C:\windows\system32\ntdll.dll+0x7bc57f0f)

SUMMARY: AddressSanitizer: heap-use-after-free (H:\work\output-wine\wine\bugzilla\52386\use-after-free-i386.exe+0x401491) in main+0x81
Shadow bytes around the buggy address:
  0x301e0770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x301e0780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x301e0790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x301e07a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x301e07b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x301e07c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x301e07d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x301e07e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x301e07f0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x301e0800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x301e0810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32==ABORTING
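The shadow-byte dump at the end of that report is what lets a reader confirm the diagnosis without the binary: every 8 bytes of application memory map to one shadow byte, and the legend gives each byte's meaning. The following C program is an added example, not code from Wine, llvm-mingw or the LLVM sanitizer runtime. It reproduces the mapping and the per-access check on the four rows copied from the report above. The shadow offset 0x30000000 is an assumption inferred from the dump (with it, 0x00f03e44 lands exactly on the marked [fd] byte of row 0x301e07c0); the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASan keeps one shadow byte for every 8 bytes of application memory:
 *     shadow = (addr >> SHADOW_SCALE) + SHADOW_OFFSET
 * SHADOW_OFFSET is an assumption inferred from the report: with 0x30000000
 * the faulting address 0x00f03e44 lands on the marked byte of row 0x301e07c0. */
#define SHADOW_SCALE  3u
#define SHADOW_OFFSET 0x30000000u

/* Constructed sample: the four shadow rows 0x301e07c0..0x301e07ff copied from
 * the report in comment #7 (fa = heap left redzone, fd = freed heap region). */
#define ROWS_BASE 0x301e07c0u
static const uint8_t shadow_rows[64] = {
    /* 0x301e07c0 */ 0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,
    /* 0x301e07d0 */ 0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,
    /* 0x301e07e0 */ 0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,
    /* 0x301e07f0 */ 0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,
};

uint32_t shadow_address(uint32_t app) {
    return (app >> SHADOW_SCALE) + SHADOW_OFFSET;
}

/* Shadow byte (0..255) for an application address, or -1 when the address
 * is not covered by the sample rows. */
int shadow_byte_at(uint32_t app) {
    uint32_t idx = shadow_address(app) - ROWS_BASE;   /* wraps if below base */
    if (idx >= sizeof shadow_rows)
        return -1;
    return shadow_rows[idx];
}

/* Meaning of a shadow byte, using the legend ASan prints under the dump. */
const char *shadow_legend(uint8_t b) {
    if (b == 0x00)
        return "Addressable";
    if (b >= 0x01 && b <= 0x07)
        return "Partially addressable";
    switch (b) {
    case 0xfa: return "Heap left redzone";
    case 0xfd: return "Freed heap region";
    case 0xf1: return "Stack left redzone";
    case 0xf2: return "Stack mid redzone";
    case 0xf3: return "Stack right redzone";
    case 0xf5: return "Stack after return";
    case 0xf8: return "Stack use after scope";
    case 0xf9: return "Global redzone";
    case 0xf6: return "Global init order";
    case 0xf7: return "Poisoned by user";
    case 0xfc: return "Container overflow";
    case 0xac: return "Array cookie";
    case 0xbb: return "Intra object redzone";
    case 0xfe: return "ASan internal";
    case 0xca: return "Left alloca redzone";
    case 0xcb: return "Right alloca redzone";
    default:   return "Unknown";
    }
}

/* The check ASan compiles in front of a load or store that stays inside one
 * 8-byte granule. k is the granule's shadow byte read as a signed value:
 *   k == 0      every byte of the granule is addressable
 *   1 <= k <= 7 only the first k bytes are addressable
 *   k < 0       the whole granule is poisoned (fa, fd, f1, ...)
 * The access is poisoned when the offset of its last byte reaches k. */
int granule_poisoned(int8_t k, uint32_t addr, unsigned size) {
    if (k == 0)
        return 0;
    return (int)((addr & 7u) + size - 1) >= (int)k;
}

/* Checks an access of 1..8 bytes against the sample shadow. An access that
 * straddles two granules is split at the boundary and each part is checked
 * against its own shadow byte. Returns 1 if poisoned, 0 if clean, -1 if the
 * sample rows do not cover the address. */
int access_is_poisoned(uint32_t addr, unsigned size) {
    uint32_t last = addr + size - 1;
    int k0 = shadow_byte_at(addr), k1 = shadow_byte_at(last);
    if (k0 < 0 || k1 < 0)
        return -1;
    if ((addr >> 3) == (last >> 3))
        return granule_poisoned((int8_t)(uint8_t)k0, addr, size);
    return granule_poisoned((int8_t)(uint8_t)k0, addr, 8u - (addr & 7u))
        || granule_poisoned((int8_t)(uint8_t)k1, last & ~7u, (last & 7u) + 1u);
}

int main(void) {
    uint32_t bad = 0x00f03e44u;   /* "READ of size 4 at 0x00f03e44" in the report */
    int k = shadow_byte_at(bad);
    printf("app 0x%08x -> shadow 0x%08x = 0x%02x (%s)\n",
           bad, shadow_address(bad), k, shadow_legend((uint8_t)k));
    printf("4-byte read poisoned: %d\n", access_is_poisoned(bad, 4));
    return 0;
}
```

Run as-is, it maps 0x00f03e44 to shadow 0x301e07c8 = fd (freed heap region) and flags the 4-byte read, which is the heap-use-after-free the report states. The 50 fd bytes from 0x301e07c8 to 0x301e07f9 correspond to the 400-byte freed region [0x00f03e40,0x00f03fd0), and the fa bytes on either side are the redzones that would catch an overflow past that block.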
--- Comment #8 from Eric Pouech eric.pouech@orange.fr --- For the record, tested with wine 7.0rc5 compiled with:
$ i686-w64-mingw32-gcc -v
Using built-in specs.
COLLECT_GCC=/usr/bin/i686-w64-mingw32-gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/i686-w64-mingw32/11.2.1/lto-wrapper
Target: i686-w64-mingw32
Configured with: ../configure --prefix=/usr --bindir=/usr/bin --includedir=/usr/include --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --with-gnu-as --with-gnu-ld --verbose --without-newlib --disable-multilib --disable-plugin --with-system-zlib --disable-nls --without-included-gettext --disable-win32-registry --enable-languages=c,c++,objc,obj-c++,fortran --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-threads=posix --with-isl --enable-libgomp --target=i686-w64-mingw32 --with-sysroot=/usr/i686-w64-mingw32/sys-root --with-gxx-include-dir=/usr/i686-w64-mingw32/sys-root/mingw/include/c++ --disable-sjlj-exceptions --with-dwarf2
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 11.2.1 20210728 (Fedora MinGW 11.2.1-3.fc35) (GCC)
--- Comment #9 from Ralf Habacker ralf.habacker@freenet.de --- Reported upstream at https://github.com/mstorsjo/llvm-mingw/issues/195
Neko-san nekoNexus@protonmail.ch changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nekoNexus@protonmail.ch
Bernhard Übelacker bernhardu@mailbox.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernhardu@mailbox.org
--- Comment #10 from Bernhard Übelacker bernhardu@mailbox.org --- Tried to place a merge request with llvm-project, containing the interception changes from comment #7: https://github.com/llvm/llvm-project/pull/113085