[LLVMbugs] [Bug 17605] New: clang 3.4 UBSan falsely reports "member access with insufficient space" (screwed up 'this' null check in variadic function?)
bugzilla-daemon at llvm.org
Wed Oct 16 19:40:49 PDT 2013
http://llvm.org/bugs/show_bug.cgi?id=17605
Bug ID: 17605
Summary: clang 3.4 UBSan falsely reports "member access with
insufficient space" (screwed up 'this' null check in
variadic function?)
Product: new-bugs
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: new bugs
Assignee: unassignedbugs at nondot.org
Reporter: corydoras at ridiculousfish.com
CC: llvmbugs at cs.uiuc.edu
Classification: Unclassified
Ubuntu Clang version 3.4-1~exp1 (trunk) (based on LLVM 3.4), x86-64
1. Compile https://gist.github.com/ridiculousfish/7017899 like so:
clang++ -O1 -fsanitize=undefined test.cpp
2. Run it
Result: you get a bogus 'member access insufficient space' runtime error.
This does NOT occur at -O0 but DOES occur at -O1 through -O3, and -Os. The bug
is also somewhat fragile: changes to the objects like removing fields prevent
it from reproducing.
When the bug reproduces, the assembly for the 'this' pointer check is as
follows:
setne %al
testb $7, %bl
sete %r15b
andb %al, %r15b
je .LBB1_3
When the bug does not reproduce, the `setne` insn is preceded by a null
comparison like `testq %r10, %r10`. When it does reproduce, the comparison is
omitted, as illustrated above. So the setne just picks up whatever is in ZF,
which happens to be 1 by virtue of a prior comparison. Thus it thinks that
'this' is 0.
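As an added illustration that is not part of the report or the linked gist, the following C model expresses what the check sequence above computes (non-null, via `setne` after a null compare, AND 8-byte aligned, via `testb $7` / `sete`) and contrasts it with the miscompiled variant in which the null compare is missing and `setne` reads a stale ZF. The pointer values and the alignment of 8 are assumptions taken from the `$7` mask in the listing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Correct form of the sanitizer check: the object pointer must be non-null
   (setne after a cmp/test against zero) and aligned to `align` bytes
   (testb with align-1, then sete); the two results are ANDed (andb). */
bool this_check_correct(const void *p, size_t align) {
    uintptr_t u = (uintptr_t)p;
    bool nonnull = (u != 0);                 /* testq %r10,%r10 ; setne %al */
    bool aligned = ((u & (align - 1)) == 0); /* testb $7,%bl ; sete %r15b  */
    return nonnull && aligned;               /* andb %al,%r15b ; je -> error */
}

/* Miscompiled form seen at -O1: the null compare is omitted, so setne
   picks up whatever ZF an earlier, unrelated comparison left behind.
   `stale_zf` models that leftover flag (ZF == 1 means "equal to zero"). */
bool this_check_miscompiled(const void *p, size_t align, bool stale_zf) {
    uintptr_t u = (uintptr_t)p;
    bool nonnull = !stale_zf;                /* setne on a stale ZF        */
    bool aligned = ((u & (align - 1)) == 0);
    return nonnull && aligned;
}

/* Returns true when the two forms disagree for the given inputs, i.e. when a
   valid, aligned `this` would be reported as "member access with insufficient
   space" purely because of the leftover flag. */
bool bogus_report(const void *p, size_t align, bool stale_zf) {
    return this_check_correct(p, align) != this_check_miscompiled(p, align, stale_zf);
}
```

With a constructed, aligned, non-null pointer and a stale ZF of 1 the miscompiled check fails while the correct one passes, which is the spurious runtime error described in the report.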