[llvm-bugs] [Bug 43870] New: r374662 introduces sanitizer errors with stricter bcmp requirements
via llvm-bugs
llvm-bugs at lists.llvm.org
Thu Oct 31 18:25:15 PDT 2019
https://bugs.llvm.org/show_bug.cgi?id=43870
Bug ID: 43870
Summary: r374662 introduces sanitizer errors with stricter bcmp requirements
Product: libraries
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: Loop Optimizer
Assignee: unassignedbugs at nondot.org
Reporter: rupprecht at google.com
CC: clement.courbet at gmail.com, lebedev.ri at gmail.com,
llvm-bugs at lists.llvm.org
I ran into a curious sanitizer error when integrating r374662. I'm curious
whether it's considered a bug or not. It is reduced to:
$ cat repro.c
#include <stdio.h>
#include <strings.h>
// Gets reduced to an actual bcmp call after r374662
int simple_bcmp(const char *s1, const char *s2, size_t n) {
  // Note: if any character matches, don't go past it.
  for (size_t i = 0; i < n; ++i) if (*s1++ != *s2++) return 1;
  return 0;
}
int main() {
  char msg[] = "hello world";
  for (int i = 0; i < sizeof(msg); ++i)
    printf("bcmp at %d (%s) is %d\n", i, msg + i,
           simple_bcmp(msg + i, "world", 5));
  return 0;
}
$ stable-clang -O1 -fsanitize=address repro.c && ./a.out
bcmp at 0 (hello world) is 1
bcmp at 1 (ello world) is 1
bcmp at 2 (llo world) is 1
bcmp at 3 (lo world) is 1
bcmp at 4 (o world) is 1
bcmp at 5 ( world) is 1
bcmp at 6 (world) is 0
bcmp at 7 (orld) is 1
bcmp at 8 (rld) is 1
bcmp at 9 (ld) is 1
bcmp at 10 (d) is 1
bcmp at 11 () is 1
$ next-clang -O1 -fsanitize=address repro.c && ./a.out
bcmp at 0 (hello world) is 1
bcmp at 1 (ello world) is 1
bcmp at 2 (llo world) is 1
bcmp at 3 (lo world) is 1
bcmp at 4 (o world) is 1
bcmp at 5 ( world) is 1
bcmp at 6 (world) is 0
bcmp at 7 (orld) is 1
=================================================================
==77134==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdbfae9d8c at pc 0x00000044f979 bp 0x7ffdbfae9d20 sp 0x7ffdbfae94c8
READ of size 5 at 0x7ffdbfae9d8c thread T0
    #0 0x44f978 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) llvm/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:839:7
    #1 0x44ff0a in bcmp llvm/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:885:10
    #2 0x4ca97a in simple_bcmp (/tmp/repro+0x4ca97a)
    #3 0x4caa45 in main (/tmp/repro+0x4caa45)
    #4 0x7f66dec2d52a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
    #5 0x41bac9 in _start (/tmp/repro+0x41bac9)
The loop idiom is correctly recognized as being bcmp; however, for efficiency
an actual bcmp implementation may choose to compare many bytes at a time,
including bytes past the buffer; hence the asan error. (Replacing `simple_bcmp`
with a call to `bcmp` also shows this).
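An added example, not part of the original report: one way to keep the comparison valid whether or not the compiler turns the byte loop into a `bcmp` call is to check the comparison window against the buffer length before comparing. `bounded_differs` and `scan` are hypothetical names; the buffer and pattern are the ones from the repro.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the report): returns 0 when the n bytes at
 * buf + off equal pat, 1 otherwise. The window is checked against buf_len
 * first, so memcmp is only ever handed n readable bytes of buf. The caller
 * must guarantee that pat has at least n readable bytes. */
int bounded_differs(const char *buf, size_t buf_len, size_t off,
                    const char *pat, size_t n) {
    if (off > buf_len || n > buf_len - off)
        return 1; /* window would run past the buffer: cannot be equal */
    return memcmp(buf + off, pat, n) != 0;
}

/* Scan every offset as the report's main() does; store the result for each
 * offset in out[] (buf_len entries) and return the first matching offset,
 * or -1 if there is none. */
long scan(const char *buf, size_t buf_len, const char *pat, size_t n,
          int *out) {
    long first = -1;
    for (size_t i = 0; i < buf_len; ++i) {
        out[i] = bounded_differs(buf, buf_len, i, pat, n);
        if (out[i] == 0 && first < 0)
            first = (long)i;
    }
    return first;
}

int main(void) {
    char msg[] = "hello world"; /* same buffer as the repro: 12 bytes */
    int res[sizeof(msg)];
    long first = scan(msg, sizeof(msg), "world", 5, res);
    for (size_t i = 0; i < sizeof(msg); ++i)
        printf("cmp at %zu (%s) is %d\n", i, msg + i, res[i]);
    printf("first match at %ld\n", first);
    return 0;
}
```

Offsets 8 through 11 leave fewer than 5 bytes in `msg`, so they are reported as different without any read past the end of the array.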