[llvm-bugs] [Bug 33732] New: -fsanitize-coverage=trace-cmp passes parameters incorrectly

via llvm-bugs llvm-bugs at lists.llvm.org
Mon Jul 10 11:30:45 PDT 2017 

https://bugs.llvm.org/show_bug.cgi?id=33732

            Bug ID: 33732
           Summary: -fsanitize-coverage=trace-cmp passes parameters
                    incorrectly
           Product: clang
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: -New Bugs
          Assignee: unassignedclangbugs at nondot.org
          Reporter: glider at google.com
                CC: dvyukov at google.com, kcc at google.com,
                    llvm-bugs at lists.llvm.org

Consider the following program:

==========dummy.ii================
char *_copy_from_user(void *to, const void *from, unsigned n);
long dev_write(struct file *filep, const char *buffer) {
  char s[16];
  _copy_from_user(s, buffer, 1);
  if (s[0] == 's')
    return 1;
  return 0;
}
==================================

When compiled as follows:

$ clang -O2 -fsanitize-coverage=trace-pc -fsanitize-coverage=trace-cmp  -x c
dummy.ii -c -o dummy.o -w

it produces the following assembly:

$ objdump -dr dummy.o

dummy.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <dev_write>:
   0:   53                      push   %rbx
   1:   48 83 ec 10             sub    $0x10,%rsp
   5:   48 89 f3                mov    %rsi,%rbx
   8:   e8 00 00 00 00          callq  d <dev_write+0xd>
                        9: R_X86_64_PC32        __sanitizer_cov_trace_pc-0x4
   d:   48 89 e7                mov    %rsp,%rdi
  10:   ba 01 00 00 00          mov    $0x1,%edx
  15:   48 89 de                mov    %rbx,%rsi
  18:   e8 00 00 00 00          callq  1d <dev_write+0x1d>
                        19: R_X86_64_PC32       _copy_from_user-0x4
  1d:   8b 1c 24                mov    (%rsp),%ebx
  20:   be 73 00 00 00          mov    $0x73,%esi
  25:   89 df                   mov    %ebx,%edi
  27:   e8 00 00 00 00          callq  2c <dev_write+0x2c>
                        28: R_X86_64_PC32       __sanitizer_cov_trace_cmp1-0x4
  2c:   31 c0                   xor    %eax,%eax
  2e:   80 fb 73                cmp    $0x73,%bl
  31:   0f 94 c0                sete   %al
  34:   48 83 c4 10             add    $0x10,%rsp
  38:   5b                      pop    %rbx
  39:   c3                      retq   


Note that the first parameter to __sanitizer_cov_trace_cmp1() is a 4-byte value
taken directly from the stack, despite __sanitizer_cov_trace_cmp1() expects a
1-byte value.

This looks like a violation of the x86_64 ABI, which mandates that byte-sized
arguments are extended (in this case zero-extended) to the full register.

If I change the s[] size to, say, 1, Clang generates correct code:


   d:   48 8d 7c 24 0f          lea    0xf(%rsp),%rdi
  12:   ba 01 00 00 00          mov    $0x1,%edx
  17:   48 89 de                mov    %rbx,%rsi
  1a:   e8 00 00 00 00          callq  1f <dev_write+0x1f>
                        1b: R_X86_64_PC32       _copy_from_user-0x4
  1f:   0f b6 5c 24 0f          movzbl 0xf(%rsp),%ebx
  24:   be 73 00 00 00          mov    $0x73,%esi
  29:   89 df                   mov    %ebx,%edi
  2b:   e8 00 00 00 00          callq  30 <dev_write+0x30>
                        2c: R_X86_64_PC32       __sanitizer_cov_trace_cmp1-0x4

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20170710/d01a8547/attachment.html>

More information about the llvm-bugs mailing list