<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/58846>58846</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            ASAN causes crash after overriding function with backward jmp
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          gregstoll
      </td>
    </tr>
</table>

<pre>
    To reproduce: Download and run the latest [Firefox ASAN build](https://firefox-ci-tc.services.mozilla.com/api/index/v1/task/gecko.v2.mozilla-central.latest.firefox.win64-asan-opt/artifacts/public/build/target.zip) on Windows 11 (version 10.0.22621 Build 22621); it will crash on launch.

The problem seems to be that when overriding the `memset` function in `OverrideFunctionWithRedirectJump()`, the `relative_offset` is stored as a `uptr`. Per the [Intel x64 instruction set reference](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf) (warning: large PDF), on page 646 the `jmp` instruction (specifically the near jump flavors that start with `E9`, which are the ones the `OverrideFunctionWithRedirectJump()` considers) treats the offset as a signed displacement. This causes an incorrect value to be stored for `REAL(memset)` which points to uninitialized memory, and a crash the next time that gets called.

The fix is to simply treat that offset as signed. I have attached a patch that I believe will fix it, along with a test; unfortunately I've been struggling to build and run these tests so I haven't been able to verify that it works.

[0001-compiler-rt-windows-Correctly-override-functions-wit.patch.txt](https://github.com/llvm/llvm-project/files/9952943/0001-compiler-rt-windows-Correctly-override-functions-wit.patch.txt)
</pre>
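<p>The displacement arithmetic the report describes, as an added example that is neither the reporter's patch nor compiler-rt code: an <code>E9 rel32</code> near jump is resolved by sign-extending the 32-bit displacement and adding it to the address of the <em>next</em> instruction (five bytes past the opcode). The helper names (<code>decode_jmp_rel32</code>, <code>decode_jmp_rel32_unsigned</code>, <code>encode_jmp_rel32</code>, <code>roundtrip_*</code>) and the addresses used are constructed for illustration; the "unsigned" decoder reproduces the class of bug described above, where a backward jump resolves 4 GiB too high.</p>

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not compiler-rt code. Models x86-64 `E9 rel32` near-jump
 * decoding/encoding; addresses are uint64_t so the arithmetic is explicit. */

#define JMP_REL32_LEN 5   /* 1 opcode byte + 4 displacement bytes */

/* Correct decode: rel32 is a signed displacement relative to the next
 * instruction, so it must be sign-extended before widening to 64 bits. */
static int decode_jmp_rel32(uint64_t insn_addr, const uint8_t insn[JMP_REL32_LEN],
                            uint64_t *target)
{
    uint32_t raw;
    if (insn[0] != 0xE9)
        return 0;
    memcpy(&raw, insn + 1, sizeof raw);          /* little-endian immediate */
    int32_t disp = (int32_t)raw;                 /* reinterpret as signed */
    *target = insn_addr + JMP_REL32_LEN + (uint64_t)(int64_t)disp;
    return 1;
}

/* Buggy decode of the kind described in the issue: the displacement is widened
 * as an unsigned quantity (uptr), so a negative (backward) displacement is
 * zero-extended and the computed target lands 2^32 bytes past the real one. */
static uint64_t decode_jmp_rel32_unsigned(uint64_t insn_addr,
                                          const uint8_t insn[JMP_REL32_LEN])
{
    uint32_t raw;
    memcpy(&raw, insn + 1, sizeof raw);
    return insn_addr + JMP_REL32_LEN + (uint64_t)raw;   /* zero-extended: wrong */
}

/* Encode a jump from `from` to `to`. Fails when the target is outside the
 * +/-2 GiB reach of rel32, the check any trampoline writer has to make. */
static int encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[JMP_REL32_LEN])
{
    int64_t disp = (int64_t)to - (int64_t)(from + JMP_REL32_LEN);
    if (disp < INT32_MIN || disp > INT32_MAX)
        return 0;
    int32_t d = (int32_t)disp;
    out[0] = 0xE9;
    memcpy(out + 1, &d, sizeof d);
    return 1;
}

/* Encode then decode with the correct (signed) decoder; 0 if out of range. */
static uint64_t roundtrip_signed(uint64_t from, uint64_t to)
{
    uint8_t insn[JMP_REL32_LEN];
    uint64_t target = 0;
    if (!encode_jmp_rel32(from, to, insn) || !decode_jmp_rel32(from, insn, &target))
        return 0;
    return target;
}

/* Encode then decode with the buggy (unsigned) decoder; 0 if out of range. */
static uint64_t roundtrip_unsigned(uint64_t from, uint64_t to)
{
    uint8_t insn[JMP_REL32_LEN];
    if (!encode_jmp_rel32(from, to, insn))
        return 0;
    return decode_jmp_rel32_unsigned(from, insn);
}

int main(void)
{
    /* Constructed addresses: the jump target sits 0x2005 bytes below the
     * jmp, i.e. a backward jump like the one in the report. */
    uint64_t jmp_at = 0x7FF700001000ULL;
    uint64_t target = 0x7FF6FFFFF000ULL;

    printf("wanted          : %#llx\n", (unsigned long long)target);
    printf("signed   decode : %#llx\n", (unsigned long long)roundtrip_signed(jmp_at, target));
    printf("unsigned decode : %#llx\n", (unsigned long long)roundtrip_unsigned(jmp_at, target));
    return 0;
}
```

<p>For a forward jump both decoders agree, which is why the bug only surfaces when the replacement function happens to be laid out at a lower address than the jump; the signed decoder is correct in both directions.</p>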