
ASAN problem found in RecHitProcessor #47170

Open
Dr15Jones opened this issue Jan 23, 2025 · 5 comments

Comments

@Dr15Jones
Contributor

The ASAN build found the following
https://cmssdt.cern.ch/SDT/cgi-bin/buildlogs/raw/el8_amd64_gcc12/CMSSW_15_0_ASAN_X_2025-01-20-2300/pyRelValMatrixLogs/run/145.301_RunDisplacedJet2024E/step3_RunDisplacedJet2024E.log

=================================================================
==2180428==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x1539dc4847f4 at pc 0x1539f77bcfd7 bp 0x153a0233faa0 sp 0x153a0233fa98
READ of size 4 at 0x1539dc4847f4 thread T4
    #0 0x1539f77bcfd6 in RecHitProcessor::processLook(edm::Event const&, edm::EventSetup const&, edm::EDGetToken const&, edm::EDGetToken const&, edm::EDGetToken const&, edm::ESGetToken<RPCGeometry, MuonGeometryRecord> const&, std::vector<RecHitProcessor::CppfItem, std::allocator<RecHitProcessor::CppfItem> >&, std::vector<l1t::CPPFDigi, std::allocator<l1t::CPPFDigi> >&, int) const (/cvmfs/cms-ib.cern.ch/sw/x86_64/nweek-02873/el8_amd64_gcc12/cms/cmssw/CMSSW_15_0_ASAN_X_2025-01-20-2300/lib/el8_amd64_gcc12/libL1TriggerL1TMuonCPPF.so+0x1cfd6)
    #1 0x1539f77aea6a in EmulateCPPF::process(edm::Event const&, edm::EventSetup const&, std::vector<l1t::CPPFDigi, std::allocator<l1t::CPPFDigi> >&) (/cvmfs/cms-ib.cern.ch/sw/x86_64/nweek-02873/el8_amd64_gcc12/cms/cmssw/CMSSW_15_0_ASAN_X_2025-01-20-2300/lib/el8_amd64_gcc12/libL1TriggerL1TMuonCPPF.so+0xea6a)
    #2 0x1539f77deef0 in L1TMuonCPPFDigiProducer::produce(edm::Event&, edm::EventSetup const&) (/cvmfs/cms-ib.cern.ch/sw/x86_64/nweek-02873/el8_amd64_gcc12/cms/cmssw/CMSSW_15_0_ASAN_X_2025-01-20-2300/lib/el8_amd64_gcc12/pluginL1TriggerL1TMuonCPPFPlugins.so+0xcef0)
...


0x1539dc4847f4 is located 12 bytes to the left of 3670016-byte region [0x1539dc484800,0x1539dc804800)
allocated by thread T3 here:
    #0 0x153a67eb96d8 in operator new(unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cpp:95
    #1 0x1539f77b0dca in EmulateCPPF::EmulateCPPF(edm::ParameterSet const&, edm::ConsumesCollector&&) (/cvmfs/cms-ib.cern.ch/sw/x86_64/nweek-02873/el8_amd64_gcc12/cms/cmssw/CMSSW_15_0_ASAN_X_2025-01-20-2300/lib/el8_amd64_gcc12/libL1TriggerL1TMuonCPPF.so+0x10dca)
    #2 0x1539f77da2a4 in L1TMuonCPPFDigiProducer::L1TMuonCPPFDigiProducer(edm::ParameterSet const&) (/cvmfs/cms-ib.cern.ch/sw/x86_64/nweek-02873/el8_amd64_gcc12/cms/cmssw/CMSSW_15_0_ASAN_X_2025-01-20-2300/lib/el8_amd64_gcc12/pluginL1TriggerL1TMuonCPPFPlugins.so+0x82a4)
...


SUMMARY: AddressSanitizer: heap-buffer-overflow (/cvmfs/cms-ib.cern.ch/sw/x86_64/nweek-02873/el8_amd64_gcc12/cms/cmssw/CMSSW_15_0_ASAN_X_2025-01-20-2300/lib/el8_amd64_gcc12/libL1TriggerL1TMuonCPPF.so+0x1cfd6) in RecHitProcessor::processLook(edm::Event const&, edm::EventSetup const&, edm::EDGetToken const&, edm::EDGetToken const&, edm::EDGetToken const&, edm::ESGetToken<RPCGeometry, MuonGeometryRecord> const&, std::vector<RecHitProcessor::CppfItem, std::allocator<RecHitProcessor::CppfItem> >&, std::vector<l1t::CPPFDigi, std::allocator<l1t::CPPFDigi> >&, int) const
Shadow bytes around the buggy address:
  0x02a7bb8888a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x02a7bb8888b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x02a7bb8888c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x02a7bb8888d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x02a7bb8888e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x02a7bb8888f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x02a7bb888900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02a7bb888910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02a7bb888920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02a7bb888930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02a7bb888940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2180428==ABORTING
@cmsbuild
Contributor

cmsbuild commented Jan 23, 2025

cms-bot internal usage

@cmsbuild
Contributor

A new Issue was created by @Dr15Jones.

@Dr15Jones, @antoniovilela, @makortel, @mandrenguyen, @rappoccio, @sextonkennedy, @smuzaffar can you please review it and eventually sign/assign? Thanks.

cms-bot commands are listed here

@makortel
Contributor

assign l1

@cmsbuild
Contributor

New categories assigned: l1

@aloeliger, @epalencia you have been requested to review this Pull request/Issue and eventually sign? Thanks

@Dr15Jones
Contributor Author

I believe the problem is the following

if (cppf1 != CppfVec1.begin())
before = (*(cppf1 - 2)).strip;

so when cppf1 is CppfVec1.begin()+1 then it will read one before the beginning

if (cppf1 != CppfVec1.end())
after = (*(cppf1 + 2)).strip;

when cppf1 is CppfVec1.end()-1 or CppfVec1.end()-2 it will read either the end or one past the end (both illegal operations)

else if (cppf1 == CppfVec1.end())
after = (*cppf1).strip;

here it clearly reads the end, which is illegal.

Then in the following logic the iterators are manipulated in such a way as to be able to get iterators pointing to before the beginning or even after the end

cppf = cppf1;
if (clustersize == 2) {
if (firststrip == 1) {
if (before < after)
cppf = (cppf1 - 1);
else if (before > after)
cppf = (cppf1 + 1);
} else if (firststrip > 1) {
if (before < after)
cppf = (cppf1 + 1);
else if (before > after)
cppf = (cppf1 - 1);
}
}

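The two defects described in the comment above (guards of the form `cppf1 != begin()` / `cppf1 != end()` that do not cover a `-2` / `+2` step, and the later `±1` adjustment that can leave the vector) map directly onto the ASAN report in the opening comment, where the read lands 12 bytes to the left of the allocated region. The following is an added example, not CMSSW code and not a proposed patch for the issue: it shows the same neighbour lookup and cluster adjustment written so that the distance to `begin()`/`end()` is checked before any iterator is formed. It assumes a minimal `CppfItem` stand-in with only a `strip` field, and assumes that a missing neighbour means "no adjustment", which the issue does not specify; the sample input is constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <iterator>
#include <optional>
#include <vector>

// Constructed stand-in for RecHitProcessor::CppfItem (assumption: only the
// field that the neighbour lookup reads is modelled).
struct CppfItem {
  int strip;
};

using CppfVec = std::vector<CppfItem>;
using CppfIt = CppfVec::const_iterator;

// Strips two entries before and two entries after the current entry,
// present only when those entries actually exist in the vector.
struct Neighbours {
  std::optional<int> before;
  std::optional<int> after;
};

// Hardened neighbour lookup. The posted code guards `cppf1 - 2` with
// `cppf1 != begin()` and `cppf1 + 2` with `cppf1 != end()`, which only
// excludes the single boundary iterator: begin()+1, end()-1 and end()-2
// still step outside the vector. Checking the distance to begin()/end()
// before forming the iterator removes those cases.
Neighbours lookupNeighbours(const CppfVec& v, CppfIt cppf1) {
  Neighbours n;
  if (std::distance(v.cbegin(), cppf1) >= 2)   // cppf1 - 2 >= begin()
    n.before = (cppf1 - 2)->strip;
  if (std::distance(cppf1, v.cend()) > 2)      // cppf1 + 2 <  end()
    n.after = (cppf1 + 2)->strip;
  return n;
}

// Cluster-position adjustment with the same decision table as the posted
// logic, but the +/-1 step is applied only when the target lies inside
// [begin, end). With the lookup above the range checks are already implied
// (before needs index >= 2, after needs index + 2 < size); they are kept so
// this function is safe on its own. Missing neighbour => no adjustment
// (assumption, see lead-in).
CppfIt chooseCluster(const CppfVec& v, CppfIt cppf1, int clustersize, int firststrip) {
  CppfIt cppf = cppf1;
  if (clustersize != 2 || firststrip < 1)
    return cppf;
  const Neighbours n = lookupNeighbours(v, cppf1);
  if (!n.before || !n.after || *n.before == *n.after)
    return cppf;
  // firststrip == 1: step left when before < after, right when before > after.
  // firststrip  > 1: the opposite.
  const bool moveLeft = (firststrip == 1) ? (*n.before < *n.after)
                                          : (*n.before > *n.after);
  if (moveLeft) {
    if (cppf1 != v.cbegin())
      cppf = cppf1 - 1;
  } else {
    if (std::next(cppf1) != v.cend())
      cppf = cppf1 + 1;
  }
  return cppf;
}

// Constructed sample input: five consecutive strips.
const CppfVec& sampleStrips() {
  static const CppfVec v{{1}, {2}, {3}, {4}, {5}};
  return v;
}

// Index-based wrappers; -1 marks "no such neighbour".
int beforeAt(const CppfVec& v, std::size_t i) {
  const Neighbours n = lookupNeighbours(v, v.cbegin() + static_cast<std::ptrdiff_t>(i));
  return n.before ? *n.before : -1;
}
int afterAt(const CppfVec& v, std::size_t i) {
  const Neighbours n = lookupNeighbours(v, v.cbegin() + static_cast<std::ptrdiff_t>(i));
  return n.after ? *n.after : -1;
}
std::ptrdiff_t chosenIndex(const CppfVec& v, std::size_t i, int clustersize, int firststrip) {
  const CppfIt it = v.cbegin() + static_cast<std::ptrdiff_t>(i);
  return std::distance(v.cbegin(), chooseCluster(v, it, clustersize, firststrip));
}

int main() {
  const CppfVec& v = sampleStrips();
  for (std::size_t i = 0; i < v.size(); ++i)
    std::printf("index %zu: before=%d after=%d chosen(cluster=2,firststrip=1)=%td\n",
                i, beforeAt(v, i), afterAt(v, i), chosenIndex(v, i, 2, 1));
  return 0;
}
```

Under ASAN the original pattern faults only when the out-of-range read happens to hit a redzone; the distance checks make the invalid iterator unrepresentable rather than relying on the sanitizer to catch it at runtime.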