[llvm-branch-commits] [compiler-rt] [TySan] Fix struct access with different bases (PR #108385)

via llvm-branch-commits llvm-branch-commits at lists.llvm.org
Fri Sep 13 05:11:27 PDT 2024


gbMattN wrote:

Documenting this here as it's part of the same issue: the following reproducer can be made (see the pull request above)

```c
#include <string.h>
#include <stdlib.h>

struct inner {
    struct inner *n;
};

struct outer {
    struct inner *i;
};

/* Builds an outer holding a single-element inner list. */
struct outer* getOuter(){
    struct outer *out = malloc(sizeof(struct outer));
    struct inner *in = malloc(sizeof(struct inner));

    in->n = 0;
    out->i = in;

    return out;
}

int main(void) {

    struct outer* out = getOuter();

    /* Walks the list by copying the next pointer over out->i.
     * The memcpy form is reported by TySan; the direct assignment is not. */
    while (out->i) {
        //out->i = out->i->n;
        memcpy(&out->i, &out->i->n, sizeof(out->i));
    }

    return 0;
}
```
If memcpy is replaced by the commented-out code, no error is detected. Both code paths run the same checking function, but the checks are inserted at different places in the transformation pass. This implies that the wrong checks are being inserted for memcpy calls.
The failing check is checking any pointer (in outer at offset 0) against any pointer (in inner at offset 0), but due to how the outer is set up, its member is recorded simply as "any pointer", with no reference to inner anymore. The commented-out path doesn't call tysan_check, meaning that their actual TDs should be an exact match.

https://github.com/llvm/llvm-project/pull/108385
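As an added illustration (not part of the PR comment or the LLVM code base), the program below keeps the reproducer's struct shapes and shows the two list walks side by side, one through a typed load/store and one through memcpy, so a reader can confirm they are semantically identical before looking at why the sanitizer treats them differently. It also contrasts a well-defined memcpy type pun with a real strict-aliasing violation through a pointer cast, which is the class of bug a type sanitizer exists to report. The chain builder and the float values are constructed test input; building with `-fsanitize=type` to get TySan instrumentation is an assumption about the clang flag, and the tests below do not require it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shapes as the reproducer in the PR comment. */
struct inner { struct inner *n; };
struct outer { struct inner *i; };

/* Constructed input: an outer whose list holds `len` inner nodes. */
struct outer *make_chain(size_t len) {
    struct outer *out = malloc(sizeof *out);
    out->i = NULL;
    for (size_t k = 0; k < len; k++) {
        struct inner *in = malloc(sizeof *in);
        in->n = out->i;          /* push to the front */
        out->i = in;
    }
    return out;
}

/* Walk via a plain typed load and store. Each access carries its
 * declared type (struct inner *), so the sanitizer compares equal
 * type descriptors on both sides. Returns the number of nodes freed. */
size_t walk_load(struct outer *out) {
    size_t count = 0;
    while (out->i) {
        struct inner *cur = out->i;
        out->i = cur->n;
        free(cur);
        count++;
    }
    return count;
}

/* Identical walk, but the pointer copy goes through memcpy. memcpy is
 * untyped, so the instrumentation has to recover the types of source
 * and destination itself; the PR comment reports that this path is
 * flagged even though both sides are struct inner *. */
size_t walk_memcpy(struct outer *out) {
    size_t count = 0;
    while (out->i) {
        struct inner *cur = out->i;
        memcpy(&out->i, &cur->n, sizeof out->i);
        free(cur);
        count++;
    }
    return count;
}

/* Well-defined type pun: memcpy copies the object representation.
 * A correct type sanitizer must accept this. */
uint32_t float_bits_memcpy(float f) {
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

/* Strict-aliasing violation: reads a float object through a uint32_t
 * lvalue. This is undefined behaviour and is what TBAA-based checking
 * is meant to report; it is here only for contrast and is not tested. */
uint32_t float_bits_cast(float f) {
    return *(uint32_t *)&f;
}

int main(void) {
    struct outer *a = make_chain(3);
    struct outer *b = make_chain(3);
    printf("load walk: %zu nodes, memcpy walk: %zu nodes\n",
           walk_load(a), walk_memcpy(b));
    free(a);
    free(b);
    printf("1.0f bits via memcpy: 0x%08x\n", float_bits_memcpy(1.0f));
    return 0;
}
```

Build with a TySan-enabled clang (assumed `clang -fsanitize=type -g`) and run it: the expected outcome for a fixed sanitizer is no report for either walk or for `float_bits_memcpy`, and a report only for `float_bits_cast` if it is called.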

