<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - DataFlowSanitizer works wrong when snprintf use char-array as argument"
href="https://bugs.llvm.org/show_bug.cgi?id=37106">37106</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>DataFlowSanitizer works wrong when snprintf use char-array as argument
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>5.0
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Miscellaneous Instrumentation passes
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>3n4t5yu@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>1. the code:
#include &lt;stdio.h&gt;
void fun()
{
char buf[1000] ;
char h[100] ;
h[1] = 'a' ;
h[0] = '\0' ;
snprintf(buf, sizeof(buf), "%s", h) ;
}
2. the compile command:
clang -O3 -fsanitize=dataflow 1.c
unless you use -O0, you will get a clang crash
3. the crash
Wrong types for attribute: byval inalloca nest noalias nocapture nonnull
readnone readonly sret dereferenceable(1) dereferenceable_or_null(1)
%12 = call i32 (i8*, i64, i8*, i16, i16, i16, i16*, i16*, ...)
@__dfsw_snprintf(i8* nonnull %0, i64 1000, i8* getelementptr inbounds ([3 x
i8], [3 x i8]* @.str, i64 0, i64 0), i16 nonnull zeroext 0, i16 zeroext 0, i16
zeroext 0, i16* %11, i16* %labelreturn, i8* %1) #5
fatal error: error in backend: Broken function found, compilation aborted!
clang-5.0: error: clang frontend command failed with exit code 70 (use -v to
see invocation)
clang version 5.0.1 (tags/RELEASE_501/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /wangchu_data/LLVM5_Install/bin
clang-5.0: note: diagnostic msg: PLEASE submit a bug report to
<a href="http://llvm.org/bugs/">http://llvm.org/bugs/</a> and include the crash backtrace, preprocessed source, and
associated run script.
clang-5.0: note: diagnostic msg:
********************
PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-5.0: note: diagnostic msg: /tmp/dfsan_bug-0cbaaf.c
clang-5.0: note: diagnostic msg: /tmp/dfsan_bug-0cbaaf.sh
clang-5.0: note: diagnostic msg:
********************
4.
$clang --version
clang version 5.0.1 (tags/RELEASE_501/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
I guess it could be caused by some wrongly inserted IR generated by the
DataFlowSanitizer pass when snprintf is used with a char-array argument.
DFSan is a great tool, please fix it :)</pre>
</div>
</p>
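<p>The diagnostic in the report is the IR verifier rejecting the call that DFSan emitted: the <code>nonnull</code> attribute, which is only legal on pointer arguments, has ended up on the <code>i16</code> shadow-label argument (<code>i16 nonnull zeroext 0</code>) of the <code>__dfsw_snprintf</code> wrapper. The script below is an added example, not code from the bug report or from LLVM; it reimplements, in simplified form, that verifier rule over the crash's call line so the faulty argument can be located by index, and shows what the call looks like with the pointer-only attribute removed from the non-pointer argument. The constant <code>CRASH_CALL</code> is the call from the report joined onto one line; the attribute name sets are assumed from the list printed in the diagnostic plus a few common non-pointer attributes, and <code>strip_bad_attrs</code> is an illustrative normaliser, not LLVM's actual fix.</p>

```python
import re

# Constructed from the crash report above: the offending call, joined onto one line.
CRASH_CALL = (
    "%12 = call i32 (i8*, i64, i8*, i16, i16, i16, i16*, i16*, ...) "
    "@__dfsw_snprintf(i8* nonnull %0, i64 1000, "
    "i8* getelementptr inbounds ([3 x i8], [3 x i8]* @.str, i64 0, i64 0), "
    "i16 nonnull zeroext 0, i16 zeroext 0, i16 zeroext 0, "
    "i16* %11, i16* %labelreturn, i8* %1) #5"
)

# Parameter attributes the IR verifier accepts only on pointer-typed arguments
# (the list printed by the "Wrong types for attribute" diagnostic).
POINTER_ONLY_ATTRS = {
    "byval", "inalloca", "nest", "noalias", "nocapture", "nonnull", "readnone",
    "readonly", "sret", "dereferenceable", "dereferenceable_or_null",
}
# Attributes that are also legal on non-pointer arguments (assumed subset, enough here).
OTHER_ATTRS = {"zeroext", "signext", "inreg", "returned", "align"}
KNOWN_ATTRS = POINTER_ONLY_ATTRS | OTHER_ATTRS


def split_top_level(text, sep=","):
    """Split on sep, ignoring separators nested inside (), [], {} or <>."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch in "([{<":
            depth += 1
        elif ch in ")]}>":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def arg_list_span(ir_line):
    """Return (start, end) of the text between the callee's '(' and its matching ')'."""
    m = re.search(r"@[\w.$]+\(", ir_line)
    if m is None:
        raise ValueError("no direct call in line")
    depth, i = 1, m.end()
    while i < len(ir_line) and depth:
        depth += {"(": 1, ")": -1}.get(ir_line[i], 0)
        i += 1
    if depth:
        raise ValueError("unbalanced parentheses")
    return m.end(), i - 1


def parse_arg(arg):
    """Split one call argument into (type, [attributes], value)."""
    if arg[0] in "[{<":
        # Aggregate or vector type: match the bracket, then any trailing pointer stars.
        opener, closer = arg[0], {"[": "]", "{": "}", "<": ">"}[arg[0]]
        depth, i = 0, 0
        for i, ch in enumerate(arg):
            depth += (ch == opener) - (ch == closer)
            if depth == 0:
                break
        i += 1
        while i < len(arg) and arg[i] == "*":
            i += 1
        ty, rest = arg[:i], arg[i:].strip()
    else:
        ty, _, rest = arg.partition(" ")
    tokens = rest.split(" ") if rest else []
    attrs = []
    while tokens and tokens[0].split("(")[0] in KNOWN_ATTRS:
        attr = tokens.pop(0)
        if attr == "align" and tokens:  # 'align N' carries its operand as a second token
            attr += " " + tokens.pop(0)
        attrs.append(attr)
    return ty, attrs, " ".join(tokens)


def pointer_attr_violations(ir_line):
    """Return [(arg_index, type, attribute)] for pointer-only attrs on non-pointer args."""
    start, end = arg_list_span(ir_line)
    found = []
    for idx, arg in enumerate(split_top_level(ir_line[start:end])):
        ty, attrs, _ = parse_arg(arg)
        if ty.endswith("*"):
            continue
        found.extend((idx, ty, a) for a in attrs if a.split("(")[0] in POINTER_ONLY_ATTRS)
    return found


def strip_bad_attrs(ir_line):
    """Rebuild the call with pointer-only attributes dropped from non-pointer arguments."""
    start, end = arg_list_span(ir_line)
    rebuilt = []
    for arg in split_top_level(ir_line[start:end]):
        ty, attrs, value = parse_arg(arg)
        if not ty.endswith("*"):
            attrs = [a for a in attrs if a.split("(")[0] not in POINTER_ONLY_ATTRS]
        rebuilt.append(" ".join([ty, *attrs, value]))
    return ir_line[:start] + ", ".join(rebuilt) + ir_line[end:]


if __name__ == "__main__":
    for idx, ty, attr in pointer_attr_violations(CRASH_CALL):
        print(f"argument {idx}: '{attr}' is not valid on non-pointer type {ty}")
    print(strip_bad_attrs(CRASH_CALL))
```

<p>Run on the report's call, the checker flags argument 3 (the first <code>i16</code> shadow label) for <code>nonnull</code> and nothing else; the other labels carry only <code>zeroext</code>, which is valid on integers, so the shape of the mismatch is a pointer attribute of the original <code>%s</code> argument leaking onto the label that DFSan inserts beside it.</p>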
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>