<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=http://email.email.llvm.org/c/eJylVttu40YM_Rr5hZAgy9c8-CGXXayBbltsW_QxGEmUPI2kUWdGzrpf38OR7I2TbIuiiWxrbuQheUhObsrT7pMmPrI9mY6j7J725HrjPZfkD9qRdm5getb-QJ9_uf2RGtPVpGojW1VXYvuzclQMVpvBkcrN4El7zKjBcUKf2DJkUHuiRnvfYNAd2XldK69NR1G2vW38wQz1gVqlO48PW0emGtX11uQqb0701JnnEZFgES0t4N4kUfoQpbfTdybPXhCPr9Hiln4_cEfAYskOnSPLbmi8hhH8lYvBQziPqiz3xgL5b5-_EJA1AELROtUVMGqKFh9onkIjpigXI-vOQBhVvQVsbProfAmFeAq29moMuO8A_RV-IG9EsTXlUDDs49HhF_jT_nU6PdPxRXBWUlzGuiuaoQTgxT3UapMcAHhcBbqwG2YcjS7FhPHU5m58oenvaBoEJYQI5kWLV8sXQ7fQECy8R_iyKFuV0eq-C6_3OAf5r4--8eHV6hsg_6DNgnOmDbreqok2D9cTlv1gO0ovOy873nhUnrtBNyUVpm2h5W0IqGhUV8fzJcXVz_t7fHcmNq32cWVVy3FvgBg8iyunOu31XxwtHlpujT1RXFP8UzpFjWIT3h6LhlVHcYz0y43jb3DecOULK2e6kBffI8k8obsTlVwpEJxG91Fx4OJJErDUTqheIrgj3Q_e904OZx_x1EiqIU8K8e3Hpjmef2JQ8w8uPIZ5Y3L8rPKM1_N5vlksi3y9LFbrNC3mxbZM1Tpfbrdzla6q7WaJrZDWg082tnK-0XK8hW-mn6Toe1D3h_kqGy2441A1RiOBWTUNBZcW3HszVoXRrrjRT0zV0BVSRZCE1rR09rp9lBCa7vHl2QQZQqUBswsRO4qZNoKYD8JNePY07jmqRpfKMylbDy133k35myX04YiCoit6ZuIulI-zz0dnx6-FZ9t_h_dYGdsqLyjBbNJt37DoHatkaVBoOuPJMbdSMnIgE814vUB1MExZjK2WNZfQ3qNcmydHwVvaCw_eHJPSGLuh7xsNdkwcdkKTo3pstPOSeVLwxG2jDkhBVXdPuu-5vCps-w7udVO_uKp_r-sjMOUw9Q4PKRhmWh6VCyBHR9dNDD4HWUAXBs3D-gsMbMBk7LyVgi7tqDFyGoKQLTIHxpw3Iw75S4LBAmQtaoRkFqmxsbwo5-eXmyD42WrPL9vH0I1a4LR8qCrkfUADIy_WiplHragKh68dRcAsPdYI1bsngaTQSk8yU-mvgjbUuMn5XrrYXjigi9CalT_HR6IauBFIM4EJpTgsBc-2qtZwQ9BVj6cLVJ4n5l6YMHAIuOUa8hD9cLqi27s95v4ctPQ57RO6LUstsQAVTmMVuUpPhEf6twArTH8KmebGuGEEE-B6QRzkO0PlEOI2UVFijJxSDSJSnsj0bIWfmMVx8dWZjBKOl2QM2fViT2Bna_AivAfSS6DgVGhAhkfZxo-o3EGVuFk4L7ougAJ-uV7QLZTVjDtJsFlfZdQ5ACX33JXICix6AQzHnYGKmx28w9_zM_ywJ9XicB6kC34_1r-QD8mZMGfYB3WUyhOuTPwVXtLcFVPKnREFnyPuQz-lIgYh9sms3C3Km8WNmqkB9yi7Mw3-a93NBtvs_nNTCI3ISVvItpvN7LDL02y5KYtlqjabBa-VKueq2C445_l8XWRq1qicG7eLVkj9rOPncy_LotXD7P8j0LsszebzLFtl83SxXCc3ZVpky9Uyq7ZZqrZptEwZzbdJRE5ibD2zuyAyH2qHxUDQb4vKOdz0mANgIPQal9hd4L6E973b33vV7pInYPksQN4FvH8DLq_IcA>52877</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
MSAN and fprintf/std::cout/std::cerr interception
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
olologin
</td>
</tr>
</table>
<pre>
Hi everyone, I spotted this issue with MSAN long ago, and I was curious about its cause. Here is my little investigation (Although maintainers of MSAN probably know this without me).
**Issue**: When user runs resulting executable MSAN reports UMR on line `if(i > 10)` but ignores fprintf/std::cerr/std::cout.
**Test to reproduce the issue**:
```
# main.c
#include <stdio.h>
int main(void)
{
volatile int i;
fprintf(stderr, "%d\n", i);
if(i > 10)
{
fprintf(stderr, "random");
}
return 0;
}
```
**Build command**:
` clang-14 -fPIC -fno-omit-frame-pointer -fsanitize=memory -g -O0 main.c -o main_clean --verbose`
**Reasons of the issue**:
1. By default printf check is disabled in MSAN https://github.com/llvm/llvm-project/blob/5b2e611b734cb64c5600c1c8d0a6b4881a05f874/compiler-rt/lib/msan/msan.cpp#L152
Because of this all interceptors of printf-like functions from sanitizer_common_interceptors.inc dont call printf_common => they dont validate arguments.
2. Even if we enable default check - printf_common (from sanitizer_common_interceptors_format.inc) implementation does not seem to be able to validate scalar variables. It looks like it is able to validate user-supplied pointers in va_list, but all scalars are skipped.
In case with std::cout/std::cerr libc++ at some point uses vsnprintf function to convert scalars into c-string and loses poisoning of scalars (because of the same reason as with fprintf/printf) and writes resulting unpoisoned buffer into stdout/stderr via fwrite.
I tried to think of a way to fix (2), but then I noticed that va_list is not simple buffer, it is some magical thing that can keep values in registers, if ABI requires it. Additionally MSAN interceptors contain va_copy calls to copy these lists, so during validation we already operate on copied list, and all scalars from copied list are most likely poisoned (we don't copy shadow state during va_copy). And generally it looks like va_list depends a lot on ABI, and can store values in registers, so I am a bit lost at this point.
I don't have enough experience with va_list to come up with something.
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJyVVtuSozYQ_Rr80gWF8f3BD3PZrXVVNknlUnmcEkJgZUAikvCs8_U5LbB3PLObVGawDbr16dOnuyltdd5_0qROyp2tUUnxQAfyvQ1BVRSO2pP2flD0osORPv969yO11jQkGstLhamw_EV4koPTdvAkSjsE0gEjYvAqo0_KKZxB3ZlaHUKLB3NSPuhGBG0NJcX2rg1HOzRH6oQ2AR_lPNl6NNc7W4qyPdOzsS8jIsbCVjrA3WVJ_pjkd9N3wdeBEY-3yeKO_jgqQ8DiyA3Gk1N-aIOGE-qLkkPA4Wo05VRvHZD__vkXArIWQChZ57oGRk3J4gPNc1jEEJXsZGMsDqO6d4CNRR99qGAQl1TO3TwD7jeA_gYeKFg27Gw1SAX_1Ej4Ff60fp1P17R9EcnK5PVZG9kOFQAvHmBW2-wIwOMs0MXVcONkdcUujLs29-MNTX8n2yIoMURwL1m8mb46uoWF6OEDwlckxapKVg8m3j5gH85_u_Udhzez74D8izUHzdku2npvJtk83g44FQZnKL-uvK54xyhf94NuK5K262DlfQhItsI06XxJaf3z4QHfxqa20yGtnehU2lsghs7S2gujg_5bJYvHTnXWnSltKP0pn6JGqY13T7JVwlCaIv1K69VXOO-08osS3pqYF98TyTyj-zNVqhYQOI30kTwq-cwJWGnPUq8Q3FHuxxB6z5uLj7gaJNVQZpK5_di2p8tPCmn-qWTAY9naEj-rslDr-bzcLJayXC_lap3nci63VS7W5XK7nYt8VW83SyzFaT305FLH-1vN2ztwM_1ksu8h3R_mq2L04F7FqjE6CcyibSlSKlUf7FgVRr_SVj8rqgcjuYogCZ3t6MK6e-IQWvP0em-GDKHKQtmSjx2PmRZCmI-sTTB7HtecRKsrERQJ1wydMsFP-Vtk9OGEgqJrelGkTCwfF85HstO3hxfb_4b3VFvXicAooWzSXd8qtjtWycqi0BgbyCvVcckogYwt4_YK1cMx4fDsNM_5jA4B5do-e4ps6cA6eLeNS2Pqh75vNdQxadizTE7iqdU-cOZxwWPaRhs4BVXdP-u-V9VNYTsY0OunfnFT_97WR2Aq4eo9LhJwzHZqNM6APJ28mRR8CTKDlhbNw4UrDCzAYOqD44LO7ai1vBsHIVt4DIq5LEYcytcCgwfIWtQIziwSY2N5Vc4vN7t48IvTQb1uH4MZrYC0cqhr5H1EAyev3rKbJy2ojptviSJg5h5rWermmSEJtNIzj9T6C6ONNW4iP3AXO7AGtIytWYRLfDiqURtRNBOYWIrjVGS2E40GDdFWM-6WqDzPSvWshEHFgDvV4DxEP-6u6e7-gLG_Bs19ToeM7qpKcywghfNYRW7SE-Hh_s3ApO3PMdP8GDc8wQVQz4jj-d5SNcS4TVLkGCOnRIuIVGeyvXKsT4xiO3N1ESOH47UYY3a9WhPV2VncsO6B9BookAoLyPCk2IQRlT-KCm8WPrCtK6CIn18v6A7GGoV3kuizvsmoSwAq1StTISswGRgwiLsAZZo92FHf4xk8HEh02FzG0xl_GOtfzIfsIpgL7KM4ceWJr0zqC1jSysgp5S6IIueI-9BPqYiHGPtsVu0X1W6xE7Og8Tq2j1FkoN96j_lW3l4jjnjNBtfu_3cjic3LcysptpvN7LjfyXqzLdZC1rWUu4XYravNdrtdbXb5Iq8qOWtFqVq_T1YoF4VRL5f-VySrx5neF3kxnxfFqpjni-U621W5LJarZVFvi1xs82SZK7TbNmMcmXXNzO0jpHJoPCajJL9OCu_xbqdUNIfzxYD3Tbe3Lf4bbWbR9j5i_wcePbLO">