<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - sanitize-coverage: incorrectly instruments logical operations"
   href="https://bugs.llvm.org/show_bug.cgi?id=34437">34437</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>sanitize-coverage: incorrectly instruments logical operations
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>-New Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedclangbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>dvyukov@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <div>
        <pre>clang version 5.0.0 (trunk 303084)

Program:

void bad();
/* Reproducer: both operands of && are compared in foo. In the listing below
 * the second compare (y == 0xbeef) lands in its own basic block (BB#1) that
 * receives no __sanitizer_cov_trace_pc call of its own. */
void foo(int x, int y) {
  if (x == 0xdead && y == 0xbeef)
    bad();
}
/* Reproducer: here the && is lowered branchless (xor/xor/or/sete in the
 * listing below), so the whole function gets a single
 * __sanitizer_cov_trace_pc call at entry and no per-operand feedback. */
int bar(int x, int y) {
  return x == 0xdead && y == 0xbeef;
}


$ clang test.c -O2 -c -S -o - -fsanitize-coverage=trace-pc

foo:

        movl    %esi, %ebx
        movl    %edi, %ebp
        callq   __sanitizer_cov_trace_pc
        #APP
        #NO_APP
        cmpl    $57005, %ebp            # imm = 0xDEAD
        jne     .LBB0_2
# BB#1:                                 # %entry
        cmpl    $48879, %ebx            # imm = 0xBEEF
        jne     .LBB0_2
# BB#3:                                 # %if.then
        callq   __sanitizer_cov_trace_pc
        #APP
        #NO_APP
        xorl    %eax, %eax
        addq    $8, %rsp
        popq    %rbx
        popq    %rbp
        jmp     bad                     # TAILCALL
.LBB0_2:                                # %if.end
        callq   __sanitizer_cov_trace_pc
        #APP
        #NO_APP
        addq    $8, %rsp
        popq    %rbx
        popq    %rbp
        retq
.Lfunc_end0:
        .size   foo, .Lfunc_end0-foo
        .cfi_endproc


bar:

        movl    %esi, %ebx
        movl    %edi, %ebp
        callq   __sanitizer_cov_trace_pc
        #APP
        #NO_APP
        xorl    $57005, %ebp            # imm = 0xDEAD
        xorl    $48879, %ebx            # imm = 0xBEEF
        xorl    %eax, %eax
        orl     %ebp, %ebx
        sete    %al
        addq    $8, %rsp
        popq    %rbx
        popq    %rbp
        retq


For foo there must be an additional callback at BB#1; for bar there must be an
additional callback somewhere as well.

This has a negative effect on coverage-guided fuzzers: they need to guess all N
values simultaneously in order to make progress, rather than guess the values
one by one and keep the progress after each one.</pre>
      </div>


    </body>
</html>