Address Sanitize failure in Combo()

[colesnicov]

Version/Branch of Dear ImGui:

docking, commit: 15b96fd

Back-ends:

imgui_impl_opengls3.cpp

Compiler, OS:

Linux Ubuntu 24, g++ (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0

Full config/build information:

No response

Details:

Hey.

You have new templates for problems, so hopefully I won't get anything wrong here.

I wanted to check out the bugs in my code but I came across a problem that I do not understand. The Program, when normally used, works without a problem, but when I want to perform some tests with the fsanitize=address it crashes.
Is there a problem in ImGui?

• build with flags: -std=c++23 -DIMGUI_DEFINE_MATH_OPERATORS=1 -DIMGUI_IMPL_OPENGL_ES2=1 -fsanitize=address
• link with -lGLESv2 -lGL -lglfw -ldl -lasan
• run as $ LD_PRELOAD=libasan.so.8 ./serviceLocation_gui

Screenshots/Video:

==16585==ERROR: AddressSanitizer: stack-use-after-scope on address 0x76afae5e6b10 at pc 0x5c2e4db59f16 bp 0x7ffe5c470d30 sp 0x7ffe5c470d20
READ of size 1 at 0x76afae5e6b10 thread T0
    #0 0x5c2e4db59f15 in ImGui::FindRenderedTextEnd(char const*, char const*) ../components/imgui/imgui.cpp:3652
    #1 0x5c2e4db5afde in ImGui::RenderTextClipped(ImVec2 const&, ImVec2 const&, char const*, char const*, ImVec2 const*, ImVec2 const&, ImRect const*) ../components/imgui/imgui.cpp:3737
    #2 0x5c2e4dd69fb3 in ImGui::BeginCombo(char const*, char const*, int) ../components/imgui/imgui_widgets.cpp:1919
    #3 0x5c2e4dd6c191 in ImGui::Combo(char const*, int*, char const* (*)(void*, int), void*, int, int) ../components/imgui/imgui_widgets.cpp:2093
    #4 0x5c2e4dd6c659 in ImGui::Combo(char const*, int*, char const* const*, int, int) ../components/imgui/imgui_widgets.cpp:2130
    #5 0x5c2e4da71869 in packet::module::WindowSettings::_DrawTabProvider() ../src/gui/TabProvider.cpp:27
    #6 0x5c2e4da611c3 in packet::module::WindowSettings::Draw() ../src/gui/Draw.cpp:106
    #7 0x5c2e4da95231 in main ../src/main.cpp:206
    #8 0x76afb022a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x76afb022a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #10 0x5c2e4d9749e4 in _start (/home/denis/Odey/serviceLocation_gui/dev/serviceLocation_gui+0xe89e4) (BuildId: d3676d718a5707d90a947e09206d832e1ca6a7ef)

Address 0x76afae5e6b10 is located in stack of thread T0 at offset 784 in frame
    #0 0x5c2e4da71125 in packet::module::WindowSettings::_DrawTabProvider() ../src/gui/TabProvider.cpp:16

  This frame has 51 object(s):
    [48, 49) '<unknown>'
    [64, 65) '<unknown>'
    [80, 81) '<unknown>'
    [96, 97) '<unknown>'
    [112, 113) '<unknown>'
    [128, 129) '<unknown>'
    [144, 145) '<unknown>'
    [160, 161) '<unknown>'
    [176, 177) '<unknown>'
    [192, 193) '<unknown>'
    [208, 209) '<unknown>'
    [224, 225) '<unknown>'
    [240, 241) '<unknown>'
    [256, 257) '<unknown>'
    [272, 273) '<unknown>'
    [288, 289) '<unknown>'
    [304, 305) '<unknown>'
    [320, 321) '<unknown>'
    [336, 337) '<unknown>'
    [352, 353) '<unknown>'
    [368, 369) '<unknown>'
    [384, 385) '<unknown>'
    [400, 404) 'source_id' (line 25)
    [416, 424) '<unknown>'
    [448, 456) '<unknown>'
    [480, 488) '<unknown>'
    [512, 520) '<unknown>'
    [544, 552) '<unknown>'
    [576, 600) 'sources' (line 24)
    [640, 672) '<unknown>'
    [704, 736) '<unknown>'
    [768, 800) '<unknown>' <== Memory access at offset 784 is inside this variable
    [832, 864) '<unknown>'
    [896, 928) '<unknown>'
    [960, 992) '<unknown>'
    [1024, 1056) '<unknown>'
    [1088, 1120) '<unknown>'
    [1152, 1184) '<unknown>'
    [1216, 1248) '<unknown>'
    [1280, 1312) '<unknown>'
    [1344, 1376) '<unknown>'
    [1408, 1440) '<unknown>'
    [1472, 1504) '<unknown>'
    [1536, 1568) '<unknown>'
    [1600, 1632) '<unknown>'
    [1664, 1696) '<unknown>'
    [1728, 1760) '<unknown>'
    [1792, 1824) '<unknown>'
    [1856, 1888) '<unknown>'
    [1920, 1952) '<unknown>'
    [1984, 2016) '<unknown>'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope ../components/imgui/imgui.cpp:3652 in ImGui::FindRenderedTextEnd(char const*, char const*)
Shadow bytes around the buggy address:
  0x76afae5e6880: 01 f2 01 f2 01 f2 01 f2 01 f2 01 f2 01 f2 01 f2
  0x76afae5e6900: 01 f2 01 f2 01 f2 01 f2 01 f2 01 f2 01 f2 01 f2
  0x76afae5e6980: 01 f2 04 f2 f8 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
  0x76afae5e6a00: 00 f2 f2 f2 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
  0x76afae5e6a80: f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2
=>0x76afae5e6b00: f8 f8[f8]f8 f2 f2 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2
  0x76afae5e6b80: f8 f8 f8 f8 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x76afae5e6c00: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x76afae5e6c80: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x76afae5e6d00: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
  0x76afae5e6d80: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16585==ABORTING

Minimal, Complete and Verifiable Example code:

header -> define vars:

#define __T(x) gettext(x)
enum source_e {
    STATIC,
    EXTERN,
    DEVICE
};
source_e m_location_source = source_e::FILE;

source -> function draw():

ImGui::TextUnformatted(__T("Source"));
ImGui::SetNextItemWidth(ImGui::GetContentRegionAvail().x);

const char *sources[3] = { __T("Static"), __T("Extern"), __T("Device") };
int source_id = static_cast<int>(m_location_source);

if (ImGui::Combo("##int_wcur", &source_id, sources, 3))
{
   m_location_source = static_cast<source_e>(source_id);
}

[ocornut]

It's surprising because the value passed to that RenderTextClipped() call is exactly coming from here:

    const char* preview_value = NULL;
    if (*current_item >= 0 && *current_item < items_count)
        preview_value = getter(user_data, *current_item);

Regardless of your value for m_location_source / source_id it shouldn't make a difference.

Are you 100% sure that the code you have posted here is triggering address sanitizer?

[ocornut]

Interesting while looking at your issue I discovered an unrelated bug with ImGuiListClipper, which would easily manifest when passing a large out of bound value to Combo(). I fixed it in 4819eae. But it's not technically related to your issue.

[colesnicov]

That's interesting. The mistake is gone. I updated the repository, deleted the cache and everything works without a problem. I'm not sure if it was an ImGui bug, but it was thrown by IMGUI. Only if address sanitize is set. There is no error now. But I will test. I'm glad I helped you find another flaw.

I close this problem because the bug did not occur again. And no, I did not write issue after the first application failure. This was a repeated application failure on every attempt to run with the address sanitize flag.