[llvm-dev] Inexplicable ASAN report. Code generation bug?

Kostya Serebryany via llvm-dev llvm-dev at lists.llvm.org
Mon Nov 16 16:59:44 PST 2015 

Confirmed.


A smaller repro:

typedef union {
  short q;
  struct {
    short x;
    short y;
    int for_alignment;
  } w;
} U;
char *buf = new char[2];
int main() {
  buf[0] = buf[1] = 0x0;
  U *u = (U *)buf;
  return  u->q == 0 ? 0 : u->w.y;
}


With O2 asan produces false positive and with -O1/-O0 it does not.
One more case where an optimization is hostile to asan...
Looking.



On Sat, Nov 14, 2015 at 9:09 AM, Greg Stark <stark at mit.edu> wrote:

> On Thu, Nov 12, 2015 at 8:42 PM, Kostya Serebryany <kcc at google.com> wrote:
> > 2 questions:
> > - Do you see this with the fresh llvm trunk?
> > - Can you prepare a minimized example?
>
> Pretty recent, I updated a couple days ago. I tried to minimize the
> attached but at the same time I didn't want to lose too many unions
> and casts in case it didn't trigger any more.
>
> $ clang -fsanitize=address  -Wall numeric-asan-test.c
> $ ./a.out
> VARSIZE 6
> NDIGITS 0
> WEIGHT 0
> SIGN 0
> DSCALE 0
> $ clang -fsanitize=address -O2  -Wall numeric-asan-test.c
> $ ./a.out
> VARSIZE 6
> =================================================================
> ==19982==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60200000eff4 at pc 0x0000004d4986 bp 0x7ffe14e2cb90 sp
> 0x7ffe14e2cb88
> READ of size 4 at 0x60200000eff4 thread T0
>     #0 0x4d4985 in main (/home/stark/src/a.out+0x4d4985)
>     #1 0x7f6360f40b44 in __libc_start_main
> /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #2 0x41a935 in _start (/home/stark/src/a.out+0x41a935)
>
> 0x60200000eff6 is located 0 bytes to the right of 6-byte region
> [0x60200000eff0,0x60200000eff6)
> allocated by thread T0 here:
>     #0 0x4abceb in __interceptor_malloc
>
> /home/stark/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
>     #1 0x4d479e in main (/home/stark/src/a.out+0x4d479e)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> (/home/stark/src/a.out+0x4d4985) in main
> Shadow bytes around the buggy address:
>   0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[06]fa
>   0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==19982==ABORTING
>
>
>
> --
> greg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20151116/d65c5efc/attachment.html>

More information about the llvm-dev mailing list