<html>

    <head>

      <base href="https://bugs.llvm.org/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - UBSan -fsanitize=alignment doesn't warn about memcpy unalignment"

   href="https://bugs.llvm.org/show_bug.cgi?id=35163">35163</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>UBSan -fsanitize=alignment doesn't warn about memcpy unalignment

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>new-bugs

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>enhancement

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>new bugs

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>unassignedbugs@nondot.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>kcc@google.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>llvm-bugs@lists.llvm.org

          </td>

        </tr></table>

      <p>

        <div>

        <pre>From <a href="https://github.com/google/sanitizers/issues/876">https://github.com/google/sanitizers/issues/876</a>

-fsanitize=alignment does a great job at spotting misaligned reads when

dereferencing pointers, but doesn't realize about them if they are passed to

memcpy.

You might say "wait, but memcpy doesn't require any alignment guarantee".

Well the problem is that if you trick the compiler into thinking that the

argument is aligned, it will emit very efficient code for memcpy that will

assume alignment, and later crash on architectures that don't support unaligned

reads (e.g. ARM).

I witnessed this sort of bug twice this year

<a href="https://bugs.chromium.org/p/chromium/issues/detail?id=729059#c4">https://bugs.chromium.org/p/chromium/issues/detail?id=729059#c4</a>

grpc/grpc#13221

Today, after 2, I wondered: isn't UBsan supposed to spot this?

Unfortunately it seems that it doesn't. Here's the minified repro:

Build with

clang++ -o test test.cc -std=c++11 -O3 -fsanitize=undefined 

-fsanitize=alignment

#include <stdint.h>

#include <stdio.h>

#include <string.h>

int main() {

 char x[128] = {};

 uint32_t* p = reinterpret_cast<uint32_t*>(&x[1]);

 uint32_t v = 42;

 // This is UB, p is a uint32_t pointer and the compiler is

 // allowed to assume it's aligned (in fact it will SIGBUS on arm)

 // but UBSan doesn't complain about this.

 memcpy(p, &v, sizeof(uint32_t));

 // Instead UBSan would complain about this, which is also UB.

 v = *p;

 printf("%x %x %x %x\n", x[1], x[2], x[3], x[4]);

}

<the reporter doesn't have access to the LLVM bug tracker, and subscriptions

are closed for spam></pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>