<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - memcmp of 16 bytes is created for a 12-byte struct causing ASAN false positive"
href="https://bugs.llvm.org/show_bug.cgi?id=33372">33372</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>memcmp of 16 bytes is created for a 12-byte struct causing ASAN false positive
</td>
</tr>
<tr>
<th>Product</th>
<td>new-bugs
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>new bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>kcc@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>trunk 305024, x86_64 linux

LLVM generates an out-of-bound read that is not present in the input code.

struct A { int x, y, z; };
struct B { A a; /*gap*/ long b; };
B *bb;
int main() {
  A a1 = {1, 1, 2};
  B b1{a1, 6};
  bb = new B(b1);
}

% clang++ -O1 z.cc -std=c++11 -S -o - -emit-llvm
...
%struct.A = type { i32, i32, i32 }
...
@_ZZ4mainE2a1 = private unnamed_addr constant %struct.A { i32 1, i32 1, i32 2 }, align 8
tail call void @llvm.memcpy.p0i8.p0i8.i64(i8* nonnull %call, i8* bitcast (%struct.A* @_ZZ4mainE2a1 to i8*), i64 16, i32 8, i1 false)

(with -O0, a regular 12-byte memcpy is emitted)

This causes an ASAN false positive:

% clang++ -g -O1 -fsanitize=address z.cc -std=c++11 && ./a.out
==9157==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004fb54c at pc 0x0000004a35b4 bp 0x7ffcac467ef0 sp 0x7ffcac4676a0
READ of size 16 at 0x0000004fb54c thread T0
    #0 0x4a35b3 in __asan_memcpy
    #1 0x4e5b1f in main z.cc:7:12</pre>
</div>
</p>
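<p>The layout arithmetic behind the report, as an added example (not code from the bug report or from LLVM): the copy the optimizer emits covers <code>B::a</code> plus the padding that follows it, which is 16 bytes on the LP64 x86_64 ABI the report was filed against, while the source constant is a stand-alone 12-byte <code>A</code>. The functions below compute that gap with <code>offsetof</code>, and <code>copy_a_into_b</code> shows a copy bounded by <code>sizeof(A)</code> that never reads past the source object. The helper names are assumptions made for this example.</p>

```cpp
// Added example, not from the bug report or from LLVM. Assumes the LP64
// x86_64 Linux ABI of the report (int = 4 bytes, long = 8 bytes, 8-aligned).
#include <cstddef>
#include <cstdint>
#include <cstring>

struct A { int x, y, z; };          // 12 bytes, 4-byte aligned
struct B { A a; /*gap*/ long b; };  // a at offset 0, padding, b at the next 8-aligned offset

// Bytes between the end of B::a and the start of B::b: the "gap" in the report.
constexpr std::size_t padding_after_a() {
    return offsetof(B, b) - sizeof(A);
}

// Size of the region covered by "B::a plus its trailing padding". On LP64
// this is the 16 that appears as the length of the reported llvm.memcpy.
constexpr std::size_t a_plus_padding() {
    return offsetof(B, b);
}

// How many bytes a copy of that region reads beyond a stand-alone A object,
// such as the 12-byte constant @_ZZ4mainE2a1 in the report.
constexpr std::size_t overread_bytes() {
    return a_plus_padding() - sizeof(A);
}

// A copy bounded by the source object: exactly sizeof(A) bytes, so B's
// padding is left alone and nothing past the end of src is touched.
void copy_a_into_b(B& dst, const A& src) {
    std::memcpy(&dst.a, &src, sizeof(A));
}

// Mirrors the reporter's test case with the bounded copy; returns true when
// dst.a is a byte-exact copy of a1 and the other member is intact.
bool check_copy() {
    const A a1 = {1, 1, 2};   // constructed input, as in the report
    B b1{};
    b1.b = 6;
    copy_a_into_b(b1, a1);
    return std::memcmp(&b1.a, &a1, sizeof(A)) == 0 && b1.b == 6;
}

int main() {
    return check_copy() ? 0 : 1;
}
```

<p>On an ILP32 target <code>long</code> is 4 bytes and <code>padding_after_a()</code> is 0, so the report's 16-byte copy would not arise there; the over-read is specific to ABIs where <code>B::b</code> needs stronger alignment than <code>A</code> provides.</p>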
</body>
</html>