<html>

    <head>

      <base href="http://llvm.org/bugs/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW --- - clang 3.4 UBSan falsely reports "member access with insufficient space" (screwed up 'this' null check in variadic function?)"

   href="http://llvm.org/bugs/show_bug.cgi?id=17605">17605</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>clang 3.4 UBSan falsely reports "member access with insufficient space" (screwed up 'this' null check in variadic function?)

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>new-bugs

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>new bugs

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>unassignedbugs@nondot.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>corydoras@ridiculousfish.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>llvmbugs@cs.uiuc.edu

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Ubuntu Clang version 3.4-1~exp1 (trunk) (based on LLVM 3.4), x86-64

1. Compile <a href="https://gist.github.com/ridiculousfish/7017899">https://gist.github.com/ridiculousfish/7017899</a> like so:

    clang++ -O1 -fsanitize=undefined test.cpp

2. Run it

Result: you get a bogus 'member access insufficient space' runtime error. 

This does NOT occur at -O0 but DOES occur at -O1 through -O3, and -Os. The bug

is also somewhat fragile: changes to the objects like removing fields prevents

it from reproducing.

When the bug reproduces, the assembly for the 'this' pointer check is as

follows:

    setne    %al

    testb    $7, %bl

    sete    %r15b

    andb    %al, %r15b

    je    .LBB1_3

When the bug does not reproduce, the `setne` insn is preceded by a null

comparison like `testq %r10, %r10`. When it does reproduce, the comparison is

omitted, as illustrated above. So the setne just picks up whatever is in ZF,

which happens to be 1 by virtue of a prior comparison. Thus it thinks that

'this' is 0.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>