[LLVMdev] load widening conflicts with AddressSanitizer

Kostya Serebryany kcc at google.com
Fri Dec 16 10:24:34 PST 2011


We've just got a bug report from Mozilla folks about AddressSanitizer false
positive with -O2.
Turns out there is a conflict between load widening and AddressSanitizer.

Simple reproducer:

% cat load_widening.c && echo ========= && clang  -O2  -c
load_widening.c -flto && llvm-dis load_widening.o && cat
void init(char *);
int foo() {
  char a[22];
  return a[16] + a[21];
; ModuleID = 'load_widening.o'
target datalayout =
target triple = "x86_64-unknown-linux-gnu"

define i32 @foo() nounwind uwtable {
  %a = alloca [22 x i8], align 16
  %arraydecay = getelementptr inbounds [22 x i8]* %a, i64 0, i64 0
  call void @init(i8* %arraydecay) nounwind
  %arrayidx = getelementptr inbounds [22 x i8]* %a, i64 0, i64 16
  %0 = bitcast i8* %arrayidx to i64*
  %1 = load i64* %0, align 16 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
  %2 = trunc i64 %1 to i32
  %sext = shl i32 %2, 24
  %conv = ashr exact i32 %sext, 24
  %3 = lshr i64 %1, 16
  %.tr = trunc i64 %3 to i32
  %sext3 = ashr i32 %.tr, 24
  %add = add nsw i32 %sext3, %conv
  ret i32 %add

Here, the load widening replaces two 1-byte loads with one 8-byte load
which partially goes out of bounds.
Since the array is 16-byte aligned, this transformation should never cause
problems in regular compilation,
but it causes AddressSanitizer false positives because the generated load
*is* in fact out of bounds.

Do we consider the above transformation legal?
If yes, can we disable load widening when AddressSanitizer is enabled? How?

This problem is a bit similar to http://llvm.org/bugs/show_bug.cgi?id=11376,
but that time there was an obvious bug in LLVM.
More info: http://code.google.com/p/address-sanitizer/issues/detail?id=20


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20111216/67b7eae0/attachment.html>

More information about the llvm-dev mailing list