<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/56568>56568</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Clang generates nonsensical code for "-fsanitize=bool"
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
torvalds
</td>
</tr>
</table>
<pre>
This is actually causing problems for us in the kernel, because clang UBSAN ends up generating code that violates our object file sanity checks, calling out to invalid functions in critical code.
It seems to happen only for inline asm with flag output, but it may be that that just happens to be the only place in the kernel where the sanity checks notice.
I've created a trivial test-case independent of the kernel:
#include <stdbool.h>
#define unlikely(x) __builtin_expect(!!(x), 0)
/*
* Silly saturating increment implementation.
* Only really meant to show oddity with UBSAN and
* inline asm with flag output.
*/
int test(unsigned int val)
{
bool carry;
/* Overflow if ZF bit set - inc doesn't affect CF */
asm("incl %0"
:"=r" (val), "=@ccz" (carry)
:"0" (val));
if (unlikely(carry))
val = ~0;
return val;
}
which should (and, with "-O2" but without "-fsanitize-bool" does), just result in
test:
movl %edi, %eax
incl %eax
je .LBB0_1
retq
.LBB0_1:
movl $-1, %eax
retq
but if you compile that with "-fsanitize-bool" you get this unholy mess:
test:
pushq %rbp
pushq %rbx
pushq %rax
movl %edi, %ebx
xorl %esi, %esi
incl %ebx
sete %bpl
cmpb $2, %bpl
jae .LBB0_1
testb %bpl, %bpl
jne .LBB0_3
.LBB0_4:
movl %ebx, %eax
addq $8, %rsp
popq %rbx
popq %rbp
retq
.LBB0_1:
movb %bpl, %sil
movl $.L__unnamed_1, %edi
callq __ubsan_handle_load_invalid_value
testb %bpl, %bpl
je .LBB0_4
.LBB0_3:
movl $-1, %ebx
jmp .LBB0_4
where clang is literally generating a "undefined behavior test" of the result of the "sete" instruction.
Note that it was clang itself that generated that "sete". And note how "sete" is *defined* to set the result to 0/1. So the undefined test is entirely pointless, and results in problems when code like this runs in a context where function calls are not allowed, and our object file sanity checking tool is understandably unhappy.
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJytV8lu4zgQ_Rr5QsSQpdhODj5kaQMDNDqHnrnMxaDEksWEJhUuTtxfP1WUvEZKegYjGJJFFmt5VSw-FUbsFn_W0jH88dIHrtSOlTw4qdessaZQsHGsMpYFlNHM18BewGpQSfbACiBRYKXiKP7X_c-7Hwy0cCw0bA0aLPekpzQCcCX3bCuN4h4cM8EyUzxD6VklFTDHtfRouYbyxZHqEj2htSZ45g2a3nIlBauCLr00OjpTWuklCkYD4yR9TNK79v6HZw7Ic1xa86YBzYzGyCgQqVExMO427E36mlWKRzNN8DEmNCg92_Adhtd6HW_PwflOV1QbJ6FV2yhewjk87K0G24qcB8e0Qacv3E2y-RZhtIDgCMaZt3IrMTCEyl-V3JFyAWhagPbMVKd5yO9OVbHuSrJc6lIFRD7JH5wXhTFqXCf5twFpARXBEhCdF1C7JLt5T7JbtloVQSpM4wreG0wXjifZJP6iAEGW0vNC3zLJLmzg4B37KanAHPehqw100sKGopKbRsV_nBI87ln8RFgjRqRiA1zHynC1eWNGCEI45rMtQ65Fj4ZPct9jkKI4G5RkElOCsQft5FpjsmgMa_MjBPP7C43dRYnA8rZ2l-T3fck4B5E9bcFWCoOUFft7yQpJte3ZFUHHhAGnsXo841VFu-lh2ev5_sLIYwYzKg6UnGLusn7RgxtYYCiTP1p84JKbLlpMfDueXKdl-aubbAO7BKNfZ3qh8PYAyKU8hh4xP9TmwcxXllA3WnvEdHxLB9VbwHrUMY2XIsn88TRHb7Usa6q5oAS5RGWGQMRiwmiunjKKiXoIDVHzotEqdgD5C64o-SRBeetAjI3FggsK94DuK4hYcvlgiORlb1gbs1VxNpuCkG3CpsDfBzCmiuikh2SeoX2Ov9_fp6vJIJqv5zN78Xyg0o-OXl9NvvLzqL69x4ZdsZ0JeA5sGjpNYsM-5OQj-iS7BmrseOwFXZvYUJwb6KUd_v3uNMHVry1stmh-Q2YgrFOZodD7Ezqk8d3Yg7Q7SOO_L9M_pBH7DnQyRaP6ZcpNU7Qy11lnc1D2mbf19Gk5EfrF0ehXKvWpyryvDq9_ow4jBl8UIhfitYv0ppO1bqgCTNPJflIBpzIDev7T3urycQKfkwPwnezE8ffVKmjNNyBWh00pBqqH6Bo5j0sK3G6rGhujgpUyXKw67rbCe4D_JcdnXei6D4_83_WaoZQ8b5qPlvYnAfG7lvliF1HSI90lZnJCfDn1n6BbaiWQMtYcGbDtOES2J3Jd8-_ecIL2Gc1L7bwN5Qkfau8_jO-aHJKBN-72bngHqmonOi_Qanw9Kh2zOy2IhAIj5nRqzRF16Jwl5kHsKnbJg4s4gof2cjJmP00cPwZHMZEKJHDSApFig9RIUVdFkLEcOh2RuR--LBBF3X4f0NHeNmQbWnrPcUJ7ePcdl95z_1hs-LmCQxgGwxfzBmJv5bMvC8qJJ_oV274A6zwu4QV6i6cAcvvdeCQWubjNb_nIS_R-8RCR3aNJ7F07_AI4fHbET4qzUwbZRnfOjIJVi9r7Jh4sxOaWazyUQjHGgwpflNruH1eIyHOk10vpXCBysJzOprObUb2oIJtMi9u5uOY8F7NJycs8hWnKU15Nilk6UrwA5RbJ9B6NakCmSCqInE0fR3KRpUi15pPZZJ7Ns3yc3syLCefFDZ-WMzG7RfoGGy7VmPwYG7se2UV0qQhrh5NKOu-Ok9xF4gvRHOrnAXmOXXhjcX8LN4q2F9H3fwC9WwCE">