[llvm-bugs] [Bug 44779] New: Regression(d437fba8ef626b6d8b7928540f630163a9b04021): msan doesn't correctly instrument memcpy() with -D_FORTIFY_SOURCE=2
via llvm-bugs
llvm-bugs at lists.llvm.org
Tue Feb 4 12:38:40 PST 2020
https://bugs.llvm.org/show_bug.cgi?id=44779
Bug ID: 44779
Summary: Regression(d437fba8ef626b6d8b7928540f630163a9b04021): msan doesn't correctly instrument memcpy() with -D_FORTIFY_SOURCE=2
Product: compiler-rt
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: msan
Assignee: unassignedbugs at nondot.org
Reporter: nicolasweber at gmx.de
CC: llvm-bugs at lists.llvm.org
Created attachment 23088
--> https://bugs.llvm.org/attachment.cgi?id=23088&action=edit
repro
Not sure if this is a clang bug or a runtime bug.
Link to discussion of bad commit: https://reviews.llvm.org/D71082
Unzip the attached repro.cc and run:
third_party/llvm-build/Release+Asserts/bin/clang++ -D_FORTIFY_SOURCE=2 -O2 -gline-tables-only -fsanitize=memory -fsanitize-memory-track-origins=2 -std=c++14 -fno-exceptions -fno-rtti ./base/repro.cc -o repro
./repro
Before d437fba8ef626b6d8b7928540f630163a9b04021 that worked fine. After, it yields:
+ ./repro
==93469==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4d199a in (anonymous namespace)::itanium_demangle::PODSmallVector<(anonymous namespace)::itanium_demangle::Node*, 8ul>::push_back((anonymous namespace)::itanium_demangle::Node* const&) /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:2588:9
    #1 0x4ac008 in (anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::parseTemplateArgs(bool) /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5808:30
    #2 0x4a4a3b in parseNestedName /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:3471:31
    #3 0x4a4a3b in (anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::parseName((anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::NameState*) /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:2845:25
    #4 0x49ba91 in (anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::parseEncoding() /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5420:29
    #5 0x49ad0b in parse /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5827:35
    #6 0x49ad0b in main /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5924:40
    #7 0x7fc8bb947bba in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26bba)
    #8 0x41f299 in _start (/usr/local/google/home/thakis/src/chrome/src/repro+0x41f299)

  Uninitialized value was stored to memory at
    #0 0x445316 in __msan_memcpy /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cpp:1567:3
    #1 0x4ac09e in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x4ac09e in operator= /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:2566:7
    #3 0x4ac09e in (anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::parseTemplateArgs(bool) /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5797:22

  Uninitialized value was created by an allocation of 'OldParams' in the stack frame of function '_ZN12_GLOBAL__N_116itanium_demangle22AbstractManglingParserINS0_14ManglingParserI9AllocatorEES3_E17parseTemplateArgsEb'
    #0 0x4ab420 in (anonymous namespace)::itanium_demangle::AbstractManglingParser<(anonymous namespace)::itanium_demangle::ManglingParser<Allocator>, Allocator>::parseTemplateArgs(bool) /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:5780

SUMMARY: MemorySanitizer: use-of-uninitialized-value /usr/local/google/home/thakis/src/chrome/src/./base/repro.cc:2588:9 in (anonymous namespace)::itanium_demangle::PODSmallVector<(anonymous namespace)::itanium_demangle::Node*, 8ul>::push_back((anonymous namespace)::itanium_demangle::Node* const&)
Exiting
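Added example, not the attached repro.cc and not code from the report or from the demangler: a minimal C++ model of the three frames the report names (the 'OldParams' allocation at repro.cc:5780, the fortified memcpy inside operator= reached from 5797, and the push_back at 2588/5808). SmallVec, templateArgsRoundTrip and Table are made-up names standing in for PODSmallVector<Node*, 8>, parseTemplateArgs and the Node objects; the shape of operator= (one memcpy of the whole inline buffer, spare slots included) is an assumption drawn from the frames, not a copy of the real code. The point it isolates: the copied bytes beyond size() are uninitialized, but nothing ever branches on or dereferences them, so MemorySanitizer is supposed to propagate their shadow through the copy and stay silent; a report at push_back is a false positive.

```cpp
// Added example (not the attached repro.cc). Build, assuming a local clang:
//   clang++ -std=c++14 -O2 -D_FORTIFY_SOURCE=2 -gline-tables-only \
//       -fsanitize=memory -fsanitize-memory-track-origins=2 example.cpp -o example && ./example
// With -D_FORTIFY_SOURCE=2 the memcpy below is the inline wrapper in
// bits/string_fortified.h around __builtin___memcpy_chk; rebuild without the
// define to compare how the two forms are instrumented.
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <utility>

template <class T, size_t N>
class SmallVec {
  T* First;
  T* Last;
  T* Cap;
  T Inline[N];  // deliberately uninitialized: these bytes are what MSan tracks as poisoned

  bool isInline() const { return First == Inline; }

  void reserve(size_t NewCap) {
    size_t S = size();
    T* Tmp;
    if (isInline()) {
      Tmp = static_cast<T*>(std::malloc(NewCap * sizeof(T)));
      if (!Tmp) std::abort();
      std::memcpy(Tmp, First, S * sizeof(T));  // only the live prefix
    } else {
      Tmp = static_cast<T*>(std::realloc(First, NewCap * sizeof(T)));
      if (!Tmp) std::abort();
    }
    First = Tmp;
    Last = First + S;
    Cap = First + NewCap;
  }

 public:
  SmallVec() : First(Inline), Last(Inline), Cap(Inline + N) {}
  SmallVec(const SmallVec&) = delete;
  SmallVec& operator=(const SmallVec&) = delete;
  SmallVec(SmallVec&& Other) : SmallVec() { *this = std::move(Other); }
  ~SmallVec() { if (!isInline()) std::free(First); }

  SmallVec& operator=(SmallVec&& Other) {
    if (Other.isInline()) {
      if (!isInline()) { std::free(First); First = Inline; Cap = Inline + N; }
      // Whole-buffer copy, modelled on the report's operator= frame: sizeof(Inline)
      // bytes, of which only Other.size() * sizeof(T) are initialized. A correct
      // instrumentation copies the shadow of the rest; it must not report here.
      std::memcpy(Inline, Other.Inline, sizeof(Inline));
      Last = First + Other.size();
    } else {
      if (!isInline()) std::free(First);
      First = Other.First;
      Last = Other.Last;
      Cap = Other.Cap;
    }
    Other.First = Other.Last = Other.Inline;
    Other.Cap = Other.Inline + N;
    return *this;
  }

  // Reads First/Last/Cap (all initialized) and writes one slot; never reads a spare slot.
  void push_back(const T& Elem) {
    if (Last == Cap) reserve(2 * size());
    *Last++ = Elem;
  }
  size_t size() const { return static_cast<size_t>(Last - First); }
  T& operator[](size_t I) { return First[I]; }
};

// Mirrors the parseTemplateArgs loop in the report: OldParams = std::move(TemplateParams)
// (the 'OldParams' allocation), TemplateParams = std::move(OldParams) (the memcpy), then
// TemplateParams.push_back(...). int* into a static table stands in for Node* so the
// result can be checked without MSan. Requires nOuter + nArgs <= 64.
size_t templateArgsRoundTrip(size_t nOuter, size_t nArgs) {
  static int Table[64];
  SmallVec<int*, 8> TemplateParams;
  for (size_t i = 0; i < nOuter; ++i) TemplateParams.push_back(&Table[i]);
  for (size_t a = 0; a < nArgs; ++a) {
    SmallVec<int*, 8> OldParams = std::move(TemplateParams);
    // ... parseTemplateArg() would run here against an empty TemplateParams ...
    TemplateParams = std::move(OldParams);
    TemplateParams.push_back(&Table[nOuter + a]);
  }
  // Sum of the table indices of the live elements: 0 + 1 + ... + (nOuter + nArgs - 1).
  size_t Sum = 0;
  for (size_t i = 0; i < TemplateParams.size(); ++i)
    Sum += static_cast<size_t>(TemplateParams[i] - Table);
  return Sum;
}

int main() {
  // 10 live elements, crossing the 8-slot inline capacity: indices 0..9 sum to 45.
  // A correctly instrumented -fsanitize=memory build prints nothing and exits 0.
  return templateArgsRoundTrip(3, 7) == 45 ? 0 : 1;
}
```

To see what the compiler actually emits for the copy, add -S -emit-llvm to the build line above and look at how the memcpy in operator= is lowered; the report's own frames show the fortified call reaching __msan_memcpy via bits/string_fortified.h:34, so comparing that call and its shadow/origin handling from a clang built before and after d437fba8ef626b6d8b7928540f630163a9b04021 narrows the regression to either the lowering or the runtime.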