ASAN reports 'stack-use-after-scope' at seemingly random places after switching to clang15

[davenger]

We recently switched to building ClickHouse with clang15 and started seeing 'stack-use-after-scope' at seemingly random places that look like false positives. Here is one example: ASan reports problem in memcpy() called from realloc() to copy old data to a new buffer. From the code the new buffer cannot be on the stack. Also the reported address is 0x7f16fbf4f4f0 which is about 8GB apart from BP register (0x7f151225d980). So it doesn't look like it is on the stack.

=================================================================
==646==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f151225d980 at pc 0x00000dfc05aa bp 0x7f16fbf4f4f0 sp 0x7f16fbf4ecc0
WRITE of size 33554432 at 0x7f151225d980 thread T994 (QueryPipelineEx)
    #0 0xdfc05a9 in __asan_memcpy (/usr/bin/clickhouse+0xdfc05a9) (BuildId: e2f3e57c9d5750229244e6ee26377f571bcec5b8)
    #1 0x1ea29560 in Allocator<false, false>::realloc(void*, unsigned long, unsigned long, unsigned long) build_docker/../src/Common/Allocator.h:172:13
...

Here we have some more examples of these reports: ClickHouse/ClickHouse#41500

@vitalybuka @eugenis @itrofimow, we found some recent changes around ASan interceptor and stack size limit
d0751c9
868e1ee
15e9b1d
could this lead to the problem that we are seeing?

[vitalybuka]

It's possible. It would be nice to have a single-file reproducer.

[itrofimow]

Guess i've got one https://godbolt.org/z/TMnYPzhPP
Crashes with clang-15, works just fine with clang-14

@vitalybuka could you please have a look?

[itrofimow]

We encounter this as well (userver-framework/userver#170) in a project which makes heavy use of swapcontext.

It feels to me that resetting oucp stack here

llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp

Lines 278 to 283 in 15e9b1d

	uptr stack, ssize;
	ReadContextStack(ucp, &stack, &ssize);
	ClearShadowMemoryForContextStack(stack, ssize);
	// See getcontext interceptor.
	ResetContextStack(oucp);

breaks cleanup after reentering oucp again, such as in ping-pong scenario

[vitalybuka]

Thanks, Now I see why it's wrong, but without that it's wrong as well:
ss_sp and ss_size are just makecontext inputs. If context struct is allocated on the stack and filled without makecontext, then these fields can have a garbage. Using them in ClearShadowMemoryForContextStack is not safe. d0751c9 previously helped with such garbage.

Not sure what is the good solution here.
Maybe we should give up and remove ClearShadowMemoryForContextStack completely and assume that it's swapcontext caller responsibility unpoison custom stack?

[itrofimow]

Maybe we should give up and remove ClearShadowMemoryForContextStack completely and assume that it's swapcontext caller responsibility unpoison custom stack?

I'm afraid that would break lots and lots of people (folks at ClickHouse were just unlucky to be the early adopters of swapcontext+llvm-15 at scale), and it's practically impossible to debug without prior knowledge of this swapcontext mess in ASAN.

Do i understand correctly that the problem is that swapcontext can leave garbage in oucp.uc_stack values, so we can't rely on them when calling ClearShadowMemoryForContextStack later when oucp becomes ucp?

[vitalybuka]

Do i understand correctly that the problem is that swapcontext can leave garbage in oucp.uc_stack values, so we can't rely on them when calling ClearShadowMemoryForContextStack later when oucp becomes ucp?

Yes, this is a test for that
c93e4b6#diff-bb28c1d36729061a85d29c1c8db61c82542bf66022db277c2a42897ca69824b5R65

[vitalybuka]

Maybe the following will be good enough?

1. Revert https://reviews.llvm.org/D129219 and https://reviews.llvm.org/D130218 and consider integrating into release
2. If neccecary D129219 can be replaced with temp increase of the stack limit
3. Intercept makecontext and wrap the function. the wrapped will unpoison ss_sp - ss_size and continue into users func

[itrofimow]

Intercept makecontext and wrap the function. the wrapped will unpoison ss_sp - ss_size and continue into users func

Not sure if i follow, but does that help with unpoisoning after users func has ran?


I had a similar idea: we could intercept ucp continuation with correcting oucp.uc_stack values after swapcontext potentially threw them away. That could be done via intermediate throwaway context, that would fix oucp and then setcontext into ucp.

Then getcontext interceptor would set stack values to zero as it does right now, swapcontext would actually preserve stack values for oucp and current cleanup logic should work as is. What do you think?

[itrofimow]

After spending some time on it i figured out that the example i provided crashes because of this:

Previously disabled sanitizer options now enabled by default:
ASAN_OPTIONS=detect_stack_use_after_return=1 (only on Linux).

in clang-15 changelog. And indeed in my example i'm taking the address from fake stack, which, well, ain't a some_valid_pointer.
Not sure whether this disregards my concerns about resetting oucp.uc_stack, but i'm yet to come up with an repro.

edit:
Repro: https://godbolt.org/z/6ej1E39xM
And reproducing this with real-world use case from MariaDB: https://godbolt.org/z/vcrG9cjvo

I implemented the solution i proposed above and it seems to fix the issue, should i submit a patch @vitalybuka ?