<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/64135>64135</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[MSan] LLVM 16 causes MSan false positives with va_list on MIPS
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
vit9696
</td>
</tr>
</table>
<pre>
Consider the following example:
```c
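#include &lt;stdarg.h&gt;

extern void test(const char *fmt, ...);
extern void test2(const char *fmt, va_list params);

/* Receives the va_list by value; never reads from it. */
__attribute__((noinline))
void test2(const char *fmt, va_list params)
{
    (void)fmt;
    (void)params;
}

/* Initialises ap with va_start and passes it on to test2(). */
__attribute__((noinline))
void test(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    test2(fmt, ap);
    va_end(ap);
}

/* Freestanding build (-ffreestanding), so main returns void. */
void main(void) {
    test("hello", 123);
}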
```
Compiled as follows:
```
clang -o main.o -c -std=c18 -target mipsel-gnu-linux -ffreestanding -fno-short-enums -fno-common \
-nostdlib -g -gdwarf-4 -fno-pic -fno-pie -G0 -mno-abicalls -mfpxx -mips32r2 -modd-spreg -mmt \
-ffunction-sections -fdata-sections -nostdlibinc -mhard-float -femulated-tls \
-mllvm -msan-shadow-base=1056964608 -fsanitize=memory main.c
```
Starting with LLVM 16.x, this will always trigger an MSan warning, as it thinks `ap` is not initialised, as seen here:
```
# void test(const char *fmt, ...)
.globl test
test:
fmt = -0x10
params = -0xC
var_8 = -8
var_4 = -4
var_s0 = 0
var_s4 = 4
arg_4 = 0xC
arg_8 = 0x10
arg_C = 0x14
D8 FF BD 27 addiu $sp, -0x28
24 00 BF AF sw $ra, 0x20+var_s4($sp)
20 00 BE AF sw $fp, 0x20+var_s0($sp)
25 F0 A0 03 move $fp, $sp
25 10 80 00 move $v0, $a0
34 00 C7 AF sw $a3, 0x20+arg_C($fp)
30 00 C6 AF sw $a2, 0x20+arg_8($fp)
2C 00 C5 AF sw $a1, 0x20+arg_4($fp)
00 3F 04 3C lui $a0, 0x3F00
1C 00 C1 27 addiu $at, $fp, 0x1C
21 08 24 00 addu $at, $a0
FF FF 03 24 li $v1, 0xFFFFFFFF # initialises ap shadow with POISON
00 00 23 AC sw $v1, 0($at)
00 00 20 AC sw $zero, 0($at)
1C 00 C2 AF sw $v0, 0x1C($fp)
18 00 C2 27 addiu $v0, $fp, 0x20+var_8
21 10 44 00 addu $v0, $a0
00 00 43 AC sw $v1, 0($v0) # stores poisoned ap shadow
2C 00 C3 27 addiu $v1, $fp, 0x20+arg_4
18 00 C3 AF sw $v1, 0x20+var_8($fp)
1C 00 C3 8F lw $v1, 0x20+var_4($fp)
10 00 C3 AF sw $v1, 0x20+fmt($fp)
00 00 21 8C lw $at, 0($at)
18 00 C3 8F lw $v1, 0x20+var_8($fp)
14 00 C3 AF sw $v1, 0x20+params($fp)
00 00 42 8C lw $v0, 0($v0) # reads poisoned ap shadow
25 08 22 00 or $at, $v0
05 00 20 10 beqz $at, ok
00 00 00 00 nop
35 00 40 08 j fatal
00 00 00 00 nop
# ---------------------------------------------------------------------------
fatal: # CODE XREF: test+74↑j
2A 0B 40 0C jal __msan_warning_noreturn
00 00 00 00 nop
# ---------------------------------------------------------------------------
ok:
```
LLVM 15 generated code does not seem to test `ap` shadow at all, thus it works fine. I somewhat understand that va_list tracking is not properly implemented for architectures aside from x86_64, but this seems to be an unpleasant regression to me.
cc @vitalybuka @kcc
</pre>