[llvm-bugs] [Bug 28267] New: Labels in C allow jumping over llvm.lifetime.start

via llvm-bugs llvm-bugs at lists.llvm.org
Wed Jun 22 13:08:51 PDT 2016


https://llvm.org/bugs/show_bug.cgi?id=28267

            Bug ID: 28267
           Summary: Labels in C allow jumping over llvm.lifetime.start
           Product: new-bugs
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: new bugs
          Assignee: unassignedbugs at nondot.org
          Reporter: vitalybuka at google.com
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

In the code example below we can jump over llvm.lifetime.start, so that only
llvm.lifetime.end is executed for 'tmp'.
This is a problem for the asan-use-after-scope check, because the memory cannot be
unpoisoned as usual at llvm.lifetime.start.

source:

/* Globals written by f(): `ptr` receives the address of f()'s block-local
 * `tmp`, and `res` receives the value read back through `ptr`. */
int res;
int *ptr;

/*
 * Reproducer: enters the block that declares `tmp` through `goto label`
 * instead of through its opening brace.
 *
 * The first goto (cond != 0) jumps into the block from outside, bypassing
 * the point where the compiler emits llvm.lifetime.start for `tmp`; the
 * second goto re-enters it after llvm.lifetime.end has already been
 * executed. Both paths reach `res = *ptr`, which reads `tmp` even though
 * `tmp` is never assigned. Structure and statement order are the bug
 * report itself; do not "fix" them.
 */
void f(int cond) {
  if (cond)
    goto label;          /* forward jump into the scope of `tmp`, skipping its lifetime.start */
  {
    int tmp;             /* never assigned; lifetime.start is only emitted on the fall-through path */

  label:
    ptr = &tmp;          /* address of the block-local escapes to a global */
    res = *ptr;          /* reads `tmp` (indeterminate) through the global pointer */
  }
  if (cond) {
    cond = 0;            /* ensures the backward jump happens exactly once */
    goto label;          /* backward jump into the scope after lifetime.end has already run */
  }
}

llvm:

; Function Attrs: nounwind sanitize_address uwtable
; IR for f() above (alloca-per-variable shape and !dbg metadata suggest an
; unoptimized build -- TODO confirm the flags used). Block %5 is the C
; `label:`; its predecessors %2 and %10 reach it without passing through the
; llvm.lifetime.start in %3, while the llvm.lifetime.end in %5 runs on every
; pass. Use-after-scope poisoning keyed on lifetime.start therefore cannot
; unpoison %tmp on those paths.
define void @f(i32 %cond) #0 !dbg !11 {
  %cond.addr = alloca i32, align 4
  %tmp = alloca i32, align 4
  store i32 %cond, i32* %cond.addr, align 4
  %1 = load i32, i32* %cond.addr, align 4, !dbg !13
  %tobool = icmp ne i32 %1, 0, !dbg !13
  br i1 %tobool, label %2, label %3, !dbg !13

; <label>:2:                                      ; preds = %0
; First `goto label` (cond != 0): goes straight to %5, skipping the
; lifetime.start in %3.
  br label %5, !dbg !14

; <label>:3:                                      ; preds = %0
; Fall-through into the block declaring `tmp`: the only path that marks
; %tmp as live.
  %4 = bitcast i32* %tmp to i8*, !dbg !15
  call void @llvm.lifetime.start(i64 4, i8* %4) #2, !dbg !15
  br label %5, !dbg !15

; <label>:5:                                      ; preds = %10, %3, %2
; C `label:`. %tmp is used, then marked dead by lifetime.end, regardless of
; which predecessor was taken.
  store i32* %tmp, i32** @ptr, align 8, !dbg !16
  %6 = load i32*, i32** @ptr, align 8, !dbg !17
  %7 = load i32, i32* %6, align 4, !dbg !18
  store i32 %7, i32* @res, align 4, !dbg !19
  %8 = bitcast i32* %tmp to i8*, !dbg !20
  call void @llvm.lifetime.end(i64 4, i8* %8) #2, !dbg !20
  %9 = load i32, i32* %cond.addr, align 4, !dbg !21
  %tobool1 = icmp ne i32 %9, 0, !dbg !21
  br i1 %tobool1, label %10, label %11, !dbg !21

; <label>:10:                                     ; preds = %5
; Second `goto label` after `cond = 0`: re-enters %5 after lifetime.end,
; again with no lifetime.start in between.
  store i32 0, i32* %cond.addr, align 4, !dbg !22
  br label %5, !dbg !23

; <label>:11:                                     ; preds = %5
  ret void, !dbg !24
}
