[llvm-bugs] [Bug 36700] New: -fsanitize=vptr false positive when pointer is not dereferenced

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Mar 13 05:54:04 PDT 2018 

https://bugs.llvm.org/show_bug.cgi?id=36700

            Bug ID: 36700
           Summary: -fsanitize=vptr false positive when pointer is not
                    dereferenced
           Product: clang
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: -New Bugs
          Assignee: unassignedclangbugs at nondot.org
          Reporter: llvmbugs at squelart.com
                CC: llvm-bugs at lists.llvm.org

>From the documentation [1]:
"-fsanitize=vptr: Use of an object whose vptr indicates that it is of the wrong
dynamic type, or that its lifetime has not begun or has ended."
Note that it says "Use of an object", which I take to mean "Reading/writing the
object data", however it trips when doing pointer casting even when (bad)
pointers are not actually dereferenced.

For example, I've got code like this:
> template<typename D>
> struct Base
> {
>   Base() { cout << static_cast<D*>(this); }
> };
> struct Derived : Base<Derived>
> {
>   virtual ~Derived() {}
> };
> void test() { Derived d; }
And I'm getting this error on the static_cast line:
"runtime error: downcast of address 0x... which does not point to an object of
type 'Derived'
0x...: note: object has invalid vptr"

At the time of the static_cast, the Derived object is not yet fully constructed
(since we are still constructing its Base), so the error message is correct.

However I think that based on the documentation it is a false positive in this
case, because:
- A pointer downcast is just pointer arithmetics, and doesn't access any part
of the object,
- The pointer is never dereferenced so the object is not actually accessed.

Ideally, clang should detect that the pointer is not dereferenced. But I'm
guessing this may be difficult.

Otherwise, I would suggest you tweak the documentation to make it clear that
dereferencing is assumed -- which is of course the most common case, but not
always.

(The real code is an object lifetime logger, I'm converting the pointer to
void* for storage and later display. More details there: [2])


I tried `__attribute__((no_sanitize("vptr"))) Base() {...}` but still got the
same error; is that a bug, or did I misuse the attribute?

Thank you.

[1] https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1442819

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20180313/628c2acb/attachment.html>

More information about the llvm-bugs mailing list