<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Regression(d437fba8ef626b6d8b7928540f630163a9b04021): msan doesn't correctly instrument memcpy() with -D_FORTIFY_SOURCE=2"
   href="https://bugs.llvm.org/show_bug.cgi?id=44779">44779</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Regression(d437fba8ef626b6d8b7928540f630163a9b04021): msan doesn't correctly instrument memcpy() with -D_FORTIFY_SOURCE=2
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>compiler-rt
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>msan
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>nicolasweber@gmx.de
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=23088" name="attach_23088" title="repro">attachment 23088</a> <a href="attachment.cgi?id=23088&action=edit" title="repro">[details]</a></span>
repro

Not sure if this is a clang bug or a runtime bug.

Link to discussion of bad commit: <a href="https://reviews.llvm.org/D71082">https://reviews.llvm.org/D71082</a>


Unzip the attached repro.cc and run:

third_party/llvm-build/Release+Asserts/bin/clang++ -D_FORTIFY_SOURCE=2 -O2 -gline-tables-only -fsanitize=memory -fsanitize-memory-track-origins=2 -std=c++14 -fno-exceptions -fno-rtti ./base/repro.cc -o repro

./repro


Before d437fba8ef626b6d8b7928540f630163a9b04021 that worked fine. After, it
yields:


+ ./repro
==93469==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4d199a in (anonymous namespace)::itanium_demangle::PODSmallVector<(anonymous namespace)::itanium_demangle::Node*, 8ul>::push_back((anonymous namespace)::itanium_demangle::Node* const&) /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:2588:9
    #1 0x4ac008 in (anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::parseTemplateArgs(bool) /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5808:30
    #2 0x4a4a3b in parseNestedName /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:3471:31
    #3 0x4a4a3b in (anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::parseName((anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::NameState*) /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:2845:25
    #4 0x49ba91 in (anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::parseEncoding() /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5420:29
    #5 0x49ad0b in parse /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5827:35
    #6 0x49ad0b in main /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5924:40
    #7 0x7fc8bb947bba in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26bba)
    #8 0x41f299 in _start (/usr/local/google/home/thakis/src/chrome/src/repro+0x41f299)

  Uninitialized value was stored to memory at
    #0 0x445316 in __msan_memcpy /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cpp:1567:3
    #1 0x4ac09e in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x4ac09e in operator= /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:2566:7
    #3 0x4ac09e in (anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::parseTemplateArgs(bool) /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5797:22

  Uninitialized value was created by an allocation of 'OldParams' in the stack frame of function '_ZN12_GLOBAL__N_116itanium_demangle22AbstractManglingParserINS0_14ManglingParserI9AllocatorEES3_E17parseTemplateArgsEb'
    #0 0x4ab420 in (anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::parseTemplateArgs(bool) /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5780

SUMMARY: MemorySanitizer: use-of-uninitialized-value /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:2588:9 in (anonymous namespace)::itanium_demangle::PODSmallVector<(anonymous namespace)::itanium_demangle::Node*, 8ul>::push_back((anonymous namespace)::itanium_demangle::Node* const&)
Exiting</pre>
        </div>
      </p>
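<p>The trace above shows the path that matters: the uninitialized bytes come from a stack local (<code>OldParams</code>), they are copied by the <code>memcpy</code> that glibc's <code>bits/string_fortified.h</code> substitutes under <code>-D_FORTIFY_SOURCE=2</code>, and MSan's <code>__msan_memcpy</code> is reached through that inlined wrapper. The program below is an added, self-contained harness for checking that path; it is not code from the report, from the attached repro or from LLVM. The <code>pod_vec</code> type, its functions and <code>fortified_memcpy</code> are hypothetical stand-ins that keep only the relevant property of the report's pattern: a small vector with inline storage whose unused slots are never written, copied whole (initialized slots and uninitialized tail alike) through the checked-memcpy builtin that the fortified header expands to, with only initialized slots read afterwards. Under a correct MSan build that is a clean program, so any report from it when built with the flags in this bug is worth comparing against the same build without <code>-D_FORTIFY_SOURCE=2</code>.</p>

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reduced stand-in for a small vector with inline storage.
 * It is NOT the demangler's PODSmallVector from the report; it only keeps
 * the property that matters here: slots [0, size) are initialised and the
 * rest of `slots` is whatever the stack held, i.e. poisoned under MSan. */
#define POD_INLINE 8
typedef struct {
    long   slots[POD_INLINE];
    size_t size;
} pod_vec;

static void pod_init(pod_vec *v) { v->size = 0; }

static void pod_push_back(pod_vec *v, long value) {
    assert(v->size < POD_INLINE);
    v->slots[v->size++] = value;
}

static long pod_get(const pod_vec *v, size_t i) {
    assert(i < v->size);
    return v->slots[i];
}

/* Same shape as glibc's bits/string_fortified.h definition of memcpy():
 * the checked builtin, with the destination size taken from
 * __builtin_object_size(dst, 0), which is (size_t)-1 (no check) when the
 * compiler cannot determine it. Spelled out here so the call MSan has to
 * instrument is visible in the source regardless of -D_FORTIFY_SOURCE. */
static void *fortified_memcpy(void *dst, const void *src, size_t n) {
    return __builtin___memcpy_chk(dst, src, n, __builtin_object_size(dst, 0));
}

/* Move-assign that copies the whole inline array, initialised slots and
 * uninitialised tail alike. This is legal: MSan must propagate the shadow
 * of the tail through the checked memcpy and report only if a poisoned
 * slot is later *used*, which pod_get() never does. */
static pod_vec *pod_move_assign(pod_vec *dst, pod_vec *src) {
    fortified_memcpy(dst->slots, src->slots, sizeof(src->slots));
    dst->size = src->size;
    src->size = 0;
    return dst;
}

/* Scenario modelled on the report: park a vector in a local (OldParams),
 * reuse the original for scratch work, then move the saved contents back. */
static void round_trip(pod_vec *params) {
    pod_vec old_params;                     /* tail slots never written */
    pod_init(params);
    pod_push_back(params, 10);
    pod_push_back(params, 20);

    pod_init(&old_params);
    pod_move_assign(&old_params, params);   /* *params is now empty */
    pod_push_back(params, 30);              /* scratch use of the original */
    pod_move_assign(params, &old_params);   /* restore */
}

/* Element at index i after the round trip: 10 for i == 0, 20 for i == 1. */
static long save_restore_get(size_t i) {
    pod_vec params;
    round_trip(&params);
    return pod_get(&params, i);
}

/* Size after the round trip; a correct move-assign restores 2, not 1. */
static size_t save_restore_size(void) {
    pod_vec params;
    round_trip(&params);
    return params.size;
}

int main(void) {
    printf("slot0=%ld slot1=%ld size=%zu\n",
           save_restore_get(0), save_restore_get(1), save_restore_size());
    return 0;
}
```

<p>To use it as a comparison harness, build it twice with the report's flags (<code>-O2 -fsanitize=memory -fsanitize-memory-track-origins=2</code>), once with and once without <code>-D_FORTIFY_SOURCE=2</code>, and run both; glibc's fortified wrappers are only active at <code>-O1</code> or higher, so dropping <code>-O2</code> silently removes the case under test. The call that reaches the runtime can be confirmed in the disassembly: with fortification the source-level <code>memcpy</code> becomes the <code>__memcpy_chk</code> family, and under MSan the interceptor frame should appear as <code>__msan_memcpy</code>, as it does in the report's second stack.</p>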


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are on the CC list for the bug.</li>
      </ul>
    </body>
</html>