<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/61937>61937</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
AddressSanitizer: use-after-poison when calling std::memmove() in moveOperands()
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
mattpulver
</td>
</tr>
</table>
<pre>
We are experiencing a consistent AddressSanitizer: use-after-poison error w/ stack trace:
```
==32563==ERROR: AddressSanitizer: use-after-poison on address 0x621001049b60 at pc 0x7fdcbb8b14be bp 0x7fdc88bd2990 sp 0x7fdc88bd2140
READ of size 32 at 0x621001049b60 thread T8
#0 0x7fdcbb8b14bd in __interceptor_memmove ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:810
#1 0xbc9ed81 in llvm::MachineInstr::addOperand(llvm::MachineFunction&, llvm::MachineOperand const&) [clone .localalias]
#2 0xbb47ce4 in llvm::InstrEmitter::CreateVirtualRegisters(llvm::SDNode*, llvm::MachineInstrBuilder&, llvm::MCInstrDesc const&, bool, bool, llvm::DenseMap<llvm::SDValue, llvm::Register, llvm::DenseMapInfo<llvm::SDValue, void>, llvm::detail::DenseMapPair<llvm::SDValue, llvm::Register> >&)
#3 0xbb4e0a9 in llvm::InstrEmitter::EmitMachineNode(llvm::SDNode*, bool, bool, llvm::DenseMap<llvm::SDValue, llvm::Register, llvm::DenseMapInfo<llvm::SDValue, void>, llvm::detail::DenseMapPair<llvm::SDValue, llvm::Register> >&)
#4 0xbb3972c in llvm::ScheduleDAGSDNodes::EmitSchedule(llvm::MachineInstrBundleIterator<llvm::MachineInstr, false>&)::{lambda(llvm::SDNode*, bool, bool, llvm::DenseMap<llvm::SDValue, llvm::Register, llvm::DenseMapInfo<llvm::SDValue, void>, llvm::detail::DenseMapPair<llvm::SDValue, llvm::Register> >&)#1}::operator()(llvm::SDNode*, bool, bool, llvm::DenseMap<llvm::SDValue, llvm::Register, llvm::DenseMapInfo<llvm::SDValue, void>, llvm::detail::DenseMapPair<llvm::SDValue, llvm::Register> >&) const
#5 0xbb3f9c4 in llvm::ScheduleDAGSDNodes::EmitSchedule(llvm::MachineInstrBundleIterator<llvm::MachineInstr, false>&)
#6 0xba7b0f5 in llvm::SelectionDAGISel::CodeGenAndEmitDAG() [clone .localalias]
#7 0xba7dbef in llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&)
#8 0xba80371 in llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) [clone .part.0]
#9 0xb11c200 in (anonymous namespace)::X86DAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&)
#10 0xbc99d66 in llvm::MachineFunctionPass::runOnFunction(llvm::Function&)
#11 0xd183abf in llvm::FPPassManager::runOnFunction(llvm::Function&)
#12 0xd183c2b in llvm::FPPassManager::runOnModule(llvm::Module&)
#13 0xd1853fe in llvm::legacy::PassManagerImpl::run(llvm::Module&)
#14 0xc820955 in llvm::MCJIT::emitObject(llvm::Module*) [clone .localalias]
#15 0xc820fe4 in llvm::MCJIT::generateCodeForModule(llvm::Module*)
#16 0xc81d937 in llvm::MCJIT::finalizeObject() [clone .localalias]
...
0x621001049b60 is located 3680 bytes inside of 4096-byte region [0x621001048d00,0x621001049d00)
allocated by thread T8 here:
#0 0x7fdcbb927007 in operator new(unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cpp:99
#1 0x87191ff in llvm::MallocAllocator::Allocate(unsigned long, unsigned long)
#2 0x87191ff in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul, 128ul>::StartNewSlab()
#3 0x87191ff in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul, 128ul>::Allocate(unsigned long, llvm::Align)
#4 0xbc98480 in llvm::MachineFunction::init()
...
SUMMARY: AddressSanitizer: use-after-poison ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:810 in __interceptor_memmove
Shadow bytes around the buggy address:
0x0c4280201310: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00
0x0c4280201320: 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 00
0x0c4280201330: 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4280201340: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4280201350: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4280201360: f7 f7 00 00 00 00 00 00 00 00 00 f7[f7]f7 f7 f7
0x0c4280201370: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4280201380: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4280201390: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c42802013a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42802013b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
...
Poisoned by user: f7
```
It has been difficult to reduce this to a simple self-contained example, but our question is:
When `std::memmove()` was added in https://github.com/llvm/llvm-project/commit/5c0e64fcd6d93ed1033165ed74b524831fff285e, was the fact that some of the memory may contain llvm-poisoned addresses taken into consideration? (Or possibly the poisoning of such memory after `std::memmove()` was added?)
That is,
https://github.com/llvm/llvm-project/blob/f56b5921d3954cbd99175d0df44030e7782bc456/llvm/lib/CodeGen/MachineInstr.cpp#L187
contains 2 calls to
https://github.com/llvm/llvm-project/blob/f56b5921d3954cbd99175d0df44030e7782bc456/llvm/lib/CodeGen/MachineInstr.cpp#L174
which in turn calls `std::memmove()`, which is touching the poisoned memory, but not necessarily using those values, but is sufficient to trigger the `use-after-poison` ASAN error.
</pre>
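The mechanism the report describes, as an added C example that is neither LLVM's code nor the reporter's: a fixed-capacity operand array whose unused slots are manually poisoned, and a moveOperands-style shift over it. `Operand`, `OperandArray`, `insert_operand` and `remove_operand` are hypothetical stand-ins; `POISON`/`UNPOISON` wrap ASan's manual poisoning interface and become no-ops when the code is not built with `-fsanitize=address`.

```c
/* Added example, not LLVM code. ASan's memmove interceptor checks every byte of
 * both the source and destination ranges, so shifting entries into a slot that
 * is still poisoned reports use-after-poison even though those bytes are never
 * interpreted. Safe pattern: unpoison the slot being brought into use before
 * the memmove, and re-poison a slot when it is released. */
#include <string.h>

#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
#include <sanitizer/asan_interface.h>
#define POISON(p, n)   __asan_poison_memory_region((p), (n))
#define UNPOISON(p, n) __asan_unpoison_memory_region((p), (n))
#else
#define POISON(p, n)   ((void)(p), (void)(n))   /* no-op without ASan */
#define UNPOISON(p, n) ((void)(p), (void)(n))
#endif

typedef struct { int reg; int flags; } Operand;   /* stand-in for MachineOperand */
#define CAP 8

typedef struct {
  Operand ops[CAP];   /* [0,count) live, [count,CAP) poisoned */
  unsigned count;
} OperandArray;

static void init_array(OperandArray *a) {
  a->count = 0;
  POISON(a->ops, sizeof a->ops);   /* nothing is in use yet */
}

/* Insert op at index i, shifting [i,count) up by one slot. The buggy ordering
 * would memmove first: the destination range then ends in a poisoned slot. */
static int insert_operand(OperandArray *a, unsigned i, Operand op) {
  if (a->count >= CAP || i > a->count) return -1;
  UNPOISON(&a->ops[a->count], sizeof a->ops[0]);  /* before memmove touches it */
  memmove(&a->ops[i + 1], &a->ops[i], (a->count - i) * sizeof a->ops[0]);
  a->ops[i] = op;
  a->count++;
  return 0;
}

/* Remove index i, shifting [i+1,count) down, then re-poison the freed slot so
 * a later stray read or memmove over it is still caught. */
static int remove_operand(OperandArray *a, unsigned i) {
  if (i >= a->count) return -1;
  memmove(&a->ops[i], &a->ops[i + 1], (a->count - i - 1) * sizeof a->ops[0]);
  a->count--;
  POISON(&a->ops[a->count], sizeof a->ops[0]);
  return 0;
}
```

Built with `-fsanitize=address`, moving the `UNPOISON` call below the `memmove` in `insert_operand` reproduces the same class of report as the stack trace above.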