<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - -fsanitize=vptr false positive when pointer is not dereferenced"
   href="https://bugs.llvm.org/show_bug.cgi?id=36700">36700</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>-fsanitize=vptr false positive when pointer is not dereferenced
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>-New Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedclangbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>llvmbugs@squelart.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>From the documentation [1]:
"-fsanitize=vptr: Use of an object whose vptr indicates that it is of the wrong
dynamic type, or that its lifetime has not begun or has ended."
Note that it says "Use of an object", which I take to mean "Reading/writing the
object data", however it trips when doing pointer casting even when (bad)
pointers are not actually dereferenced.

For example, I've got code like this:
<span class="quote">> #include <iostream>
> using std::cout;
> 
> template<typename D>
> struct Base
> {
>   // Downcast taken while the Derived object is still under construction.
>   Base() { cout << static_cast<D*>(this); }
> };
> struct Derived : Base<Derived>
> {
>   virtual ~Derived() {}
> };
> void test() { Derived d; }
> int main() { test(); }</span>
And I'm getting this error on the static_cast line:
"runtime error: downcast of address 0x... which does not point to an object of
type 'Derived'
0x...: note: object has invalid vptr"

At the time of the static_cast, the Derived object is not yet fully constructed
(since we are still constructing its Base), so the error message is correct.

However I think that based on the documentation it is a false positive in this
case, because:
- A pointer downcast is just pointer arithmetic, and doesn't access any part
of the object,
- The pointer is never dereferenced so the object is not actually accessed.

Ideally, clang should detect that the pointer is not dereferenced. But I'm
guessing this may be difficult.

Otherwise, I would suggest you tweak the documentation to make it clear that
dereferencing is assumed -- which is of course the most common case, but not
always.

(The real code is an object lifetime logger, I'm converting the pointer to
void* for storage and later display. More details there: [2])


I tried `__attribute__((no_sanitize("vptr"))) Base() {...}` but still got the
same error; is that a bug, or did I misuse the attribute?

Thank you.

[1] <a href="https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html">https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html</a>
[2] <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1442819">https://bugzilla.mozilla.org/show_bug.cgi?id=1442819</a></pre>
        </div>
      </p>
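<p>The following is an added example, not code from the bug report or from clang. It shows one way to build the lifetime logger the report describes without taking the static_cast&lt;D*&gt;(this) downcast inside the Base constructor: the base logs the address of its own subobject (no downcast, so no vptr is consulted), and the downcast to D* is only made from a member function called on a fully constructed object. It also computes the byte offset between the complete object and its Base subobject, which is the adjustment the downcast's pointer arithmetic performs. The names <code>LifetimeEvent</code>, <code>g_events</code>, <code>derived()</code>, <code>base_subobject_offset()</code> and <code>lifetime_log_is_consistent()</code> are assumptions of this example. The block is ordinary C++; whether UBSan stays quiet on it still has to be confirmed by building with <code>-fsanitize=vptr</code>.</p>

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// One lifetime event: what happened and the address that was logged.
// (Example code, not from the bug report or from clang.)
struct LifetimeEvent {
    std::string kind;   // "ctor" or "dtor"
    const void* obj;    // address of the Base<D> subobject, not of the complete object
};

// Hypothetical global log used by this example only.
static std::vector<LifetimeEvent> g_events;

template <typename D>
struct Base {
    Base() {
        // While Base's constructor runs, the D part of the object is not yet
        // constructed and D's vptr has not been written. Logging the address of
        // the Base subobject needs no downcast, so no vptr is consulted here.
        g_events.push_back({"ctor", static_cast<const void*>(this)});
    }
    ~Base() {
        // Symmetric: by the time ~Base runs, ~D has already finished.
        g_events.push_back({"dtor", static_cast<const void*>(this)});
    }
    // The only downcast: a member called on a complete, fully constructed object.
    D* derived() { return static_cast<D*>(this); }

    int tag = 0;  // gives the base subobject a size so it is not folded into offset 0
};

struct Derived : Base<Derived> {
    virtual ~Derived() {}   // the virtual destructor is what gives Derived a vptr
    int value = 42;
};

// Byte offset of the Base subobject within a complete Derived. When the vptr
// precedes the base subobject this is non-zero; it is the adjustment that
// static_cast<Derived*>(basePtr) applies (pointer arithmetic, no object access).
std::ptrdiff_t base_subobject_offset() {
    Derived d;
    const char* whole = reinterpret_cast<const char*>(&d);
    const char* base  = reinterpret_cast<const char*>(static_cast<Base<Derived>*>(&d));
    return base - whole;
}

// Constructs and destroys one Derived and checks the log: exactly one ctor and
// one dtor event, both carrying the Base subobject's address, and the deferred
// downcast returning the complete object's address.
bool lifetime_log_is_consistent() {
    g_events.clear();
    const void* base_addr = nullptr;
    {
        Derived d;
        base_addr = static_cast<const void*>(static_cast<Base<Derived>*>(&d));
        if (d.derived() != &d) return false;   // downcast after construction completed
    }
    if (g_events.size() != 2) return false;
    return g_events[0].kind == "ctor" && g_events[1].kind == "dtor"
        && g_events[0].obj == base_addr && g_events[1].obj == base_addr;
}

int main() {
    std::cout << "base subobject offset: " << base_subobject_offset() << " bytes\n";
    bool ok = lifetime_log_is_consistent();
    for (const auto& e : g_events)
        std::cout << e.kind << " " << e.obj << "\n";
    std::cout << "lifetime log consistent: " << std::boolalpha << ok << "\n";
    return ok ? 0 : 1;
}
```

<p>Because the logged key is the Base subobject address, constructor and destructor entries for one object match without ever forming a D* before D's constructor has run; a caller that needs the complete object's address gets it from <code>derived()</code> once construction is over, or by applying the downcast to the stored pointer at display time.</p>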


    </body>
</html>