ASan error heap-use-after-free in benchmark_run
Submitted by Frank Dittrich
Assigned to Xiuli Pan
Description
This is with latest beignet (commit fc410ee2) and the patch mentioned in https://bugs.freedesktop.org/show_bug.cgi?id=93625.
I built beignet with address sanitizer support (-fsanitize=address) and then in the benchmark/ directory ran
$ ./benchmark_run
This results in the following ASan error:
=================================================================
==12824==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000229888 at pc 0x7fb37c854bb2 bp 0x7fffdd333830 sp 0x7fffdd333820
READ of size 8 at 0x611000229888 thread T0
    #0 0x7fb37c854bb1 in clReleaseMemObject /home/fd/git/beignet/src/cl_api.c:668
    #1 0x7fb37cb177d8 in cl_buffer_destroy() /home/fd/git/beignet/utests/utest_helper.cpp:578
    #2 0x7fb37cb1138e in UTest::runAllBenchMark() /home/fd/git/beignet/utests/utest.cpp:243
    #3 0x401c99 in main /home/fd/git/beignet/benchmark/benchmark_run.cpp:101
    #4 0x7fb37a7a66ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #5 0x402008 in _start (/home/fd/git/beignet/build/benchmark/benchmark_run+0x402008)

0x611000229888 is located 8 bytes inside of 224-byte region [0x611000229880,0x611000229960)
freed by thread T0 here:
    #0 0x7fb37cddc66a in __interceptor_free (/lib64/libasan.so.2+0x9866a)
    #1 0x7fb37c86544b in cl_kernel_delete /home/fd/git/beignet/src/cl_kernel.c:66

previously allocated by thread T0 here:
    #0 0x7fb37cddcb09 in __interceptor_calloc (/lib64/libasan.so.2+0x98b09)
    #1 0x7fb37c865245 in cl_calloc /home/fd/git/beignet/src/cl_alloc.c:54
    #2 0x7fb37c8b6b90 (/home/fd/git/beignet/build/src/libcl.so+0x87b90)

SUMMARY: AddressSanitizer: heap-use-after-free /home/fd/git/beignet/src/cl_api.c:668 clReleaseMemObject
Shadow bytes around the buggy address:
  0x0c228003d2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c228003d2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c228003d2e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c228003d2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c228003d300: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
=>0x0c228003d310: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003d320: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c228003d330: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228003d340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003d350: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c228003d360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==12824==ABORTING
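For readers triaging this report, the following added example (not part of the original report or of beignet) maps the faulting address to its shadow byte and checks that the whole 224-byte region is marked freed. It assumes ASan's default x86-64 Linux mapping, shadow = (addr >> 3) + 0x7fff8000; the function names are hypothetical, and the two shadow rows are copied from the dump above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Assumption: default ASan shadow mapping on x86-64 Linux. */
#define SHADOW_SCALE  3
#define SHADOW_OFFSET 0x7fff8000ULL

/* Rows 0x0c228003d310 and 0x0c228003d320 of the report's shadow dump. */
static const uint64_t ROW_BASE = 0x0c228003d310ULL;
static const uint8_t ROWS[32] = {
    0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,
    0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfd,0xfa,0xfa,0xfa,0xfa
};

/* One shadow byte describes one 8-byte granule of application memory. */
uint64_t shadow_addr(uint64_t app) { return (app >> SHADOW_SCALE) + SHADOW_OFFSET; }

/* Shadow byte for an application address, or -1 if outside the copied rows. */
int shadow_byte(uint64_t app) {
    uint64_t s = shadow_addr(app);
    if (s < ROW_BASE || s >= ROW_BASE + sizeof ROWS) return -1;
    return ROWS[s - ROW_BASE];
}

/* Subset of the legend printed in the report. */
const char *shadow_meaning(int b) {
    switch (b) {
    case 0x00: return "addressable";
    case 0xfa: return "heap left redzone";
    case 0xfd: return "freed heap region";
    default:   return (b > 0 && b < 8) ? "partially addressable" : "other";
    }
}

/* Number of 8-byte granules in [start, end) whose shadow byte equals want. */
size_t granules_marked(uint64_t start, uint64_t end, int want) {
    size_t n = 0;
    for (uint64_t a = start; a < end; a += 8)
        if (shadow_byte(a) == want) n++;
    return n;
}

int main(void) {
    uint64_t fault = 0x611000229888ULL;   /* address from the ERROR line */
    printf("shadow(0x%llx) = 0x%llx: %s\n", (unsigned long long)fault,
           (unsigned long long)shadow_addr(fault), shadow_meaning(shadow_byte(fault)));
    printf("freed granules in region: %zu of %d\n",
           granules_marked(0x611000229880ULL, 0x611000229960ULL, 0xfd), 224 / 8);
    return 0;
}
```

The computed shadow address, 0x0c228003d311, is the bracketed `[fd]` entry in the `=>` row, and the granule just past the region end falls on the first `fa` redzone byte.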