<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - MSan use-of-uninitialized-value false positive after D88834"
   href="https://bugs.llvm.org/show_bug.cgi?id=50840">50840</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>MSan use-of-uninitialized-value false positive after D88834
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>new-bugs
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>new bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>hans@chromium.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>htmldeveloper@gmail.com, llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Consider the following program:

$ cat /tmp/a.cc
#include <stdint.h>
#include <sanitizer/msan_interface.h>

template <typename T>
class opti {
 public:
  constexpr opti() : engaged_(false) {}
  constexpr opti(T&& v) : engaged_(true), data_(v) {}
  const T* operator->() const { return &this->data_; }

 private:
  bool engaged_;  // Whether there is data or not.
  T data_;  // Data storage.
};

struct Unit {
  uint32_t a;
  uint32_t b;
};

__attribute__((noinline))
opti<Unit> Foo() {
  return Unit{100, 200};
}

__attribute__((noinline))
opti<Unit> Bar() {
  auto unit = Foo();
  opti<Unit> ret({unit->a, unit->b});
  return ret;
}

__attribute__((noinline))
void TriggerBug() {
  auto ref = Bar();
  __msan_dump_shadow(&ref, sizeof(ref));
  __msan_check_mem_is_initialized(&ref->a, sizeof(uint32_t));
}

int main() {
  TriggerBug();
  return 0;
}



When built with MSan on trunk (121ecb05e73427ab3bc6ceeca04fbab161417e6e), it
fails:

$ clang++ -fsanitize=memory -O2 /tmp/a.cc && ./a.out
00 ff ff ff 00 ff ff ff 00 00 00 00 
Uninitialized bytes in __msan_check_mem_is_initialized at offset 1 inside
[0x7ffefc2b454c, 4)
==3119770==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x49eaed  (/work/llvm.monorepo/a.out+0x49eaed)
    #1 0x49eb05  (/work/llvm.monorepo/a.out+0x49eb05)
    #2 0x7f6cfe0b9d09  (/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    #3 0x420239  (/work/llvm.monorepo/a.out+0x420239)

SUMMARY: MemorySanitizer: use-of-uninitialized-value
(/work/llvm.monorepo/a.out+0x49eaed) 
Exiting


That seems incorrect.

When built at c1fd4305b68500c754a7ce6a86fe297c36e21d3b, before D88834 landed,
it works:

$ clang++ -fsanitize=memory -O2 /tmp/a.cc && ./a.out
00 ff ff ff 00 00 00 00 00 00 00 00


So it seems that either something is wrong with D88834, or that it uncovered
some underlying problem in the MSan instrumentation.</pre>
        </div>
      </p>
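<p>Added example (not part of the bug report): a small decoder that maps the two <code>__msan_dump_shadow</code> lines above onto the field layout of <code>opti&lt;Unit&gt;</code>, so the reported "offset 1 inside [..., 4)" can be read directly off the shadow bytes. The layout (bool, 3 padding bytes, then two uint32_t) is an assumption based on the reproducer on a 64-bit Linux target.</p>

```python
from dataclasses import dataclass

# Assumed layout of opti<Unit> from the reproducer: bool engaged_ at offset 0,
# 3 bytes of alignment padding, then Unit{uint32_t a, uint32_t b}.
OPTI_UNIT_LAYOUT = [
    ("engaged_", 0, 1),
    ("<padding>", 1, 3),
    ("data_.a", 4, 4),
    ("data_.b", 8, 4),
]


@dataclass
class Finding:
    field: str
    offset: int       # first poisoned byte, relative to the start of the field
    count: int        # number of poisoned bytes in the field
    is_padding: bool  # poison in padding is expected and never reported by MSan checks


def parse_shadow(line):
    """Turn a __msan_dump_shadow line ('00 ff ff ff ...') into a list of shadow bytes.
    A shadow byte of 0x00 means fully initialized; 0xff means every bit is poisoned."""
    return [int(tok, 16) for tok in line.split()]


def classify(shadow, layout=OPTI_UNIT_LAYOUT):
    """Return one Finding per field that has at least one poisoned shadow byte."""
    findings = []
    for name, start, size in layout:
        poisoned = [i for i in range(size) if shadow[start + i] != 0]
        if poisoned:
            findings.append(Finding(name, poisoned[0], len(poisoned), name == "<padding>"))
    return findings


def real_findings(shadow, layout=OPTI_UNIT_LAYOUT):
    """Poisoned bytes in real data fields: what __msan_check_mem_is_initialized
    on that field would report. Padding poison is filtered out as benign."""
    return [f for f in classify(shadow, layout) if not f.is_padding]


# The two dumps quoted in the bug report (trunk vs. before D88834).
TRUNK_DUMP = "00 ff ff ff 00 ff ff ff 00 00 00 00"
PRE_D88834_DUMP = "00 ff ff ff 00 00 00 00 00 00 00 00"

if __name__ == "__main__":
    for label, dump in (("trunk", TRUNK_DUMP), ("pre-D88834", PRE_D88834_DUMP)):
        hits = real_findings(parse_shadow(dump))
        print(label, "->", hits or "only padding poisoned")
```

For the trunk dump this reports three poisoned bytes in <code>data_.a</code> starting at byte 1 of the field, matching MSan's "offset 1 inside [..., 4)"; the pre-D88834 dump has poison only in the padding.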


    </body>
</html>