https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66977
Bug ID: 66977
Summary: -fsanitize=shift may introduce uninitialized variables
Product: gcc
Version: 6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: chefmax at gcc dot gnu.org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, mpolacek at gcc dot gnu.org, y.gribov at samsung dot com
Target Milestone: ---
Host: x86_64-pc-linux-gnu
Target: arm-linux-gnueabi

It looks like -fsanitize=shift may sometimes introduce uninitialized variables. This testcase is ARM specific, but I suppose this may be reproduced on other targets too.

For arm-linux-gnueabi target:

$ cat test.cpp
class Foo
{
private:
  int a_;

public:
  Foo (int a) : a_(a) {};

  inline int get_a () { return a_; };
};

int bar (int (Foo::*get)())
{
  Foo *A = new Foo(1);

  int result = (A->*get)();
  delete (A);
  return result;
}

int main ()
{
  return bar (&Foo::get_a);
}

$ armv7l-tizen-linux-gnueabi-g++ -S -fsanitize=shift test.cpp -fdump-tree-gimple

<D.6138>
.......................
  D.6137 = get.__delta;
  D.6138 = D.6137 & 1;
  if (D.6138 == 0) goto <D.6139>; else goto <D.6140>;
  <D.6139>:
  iftmp.1 = get.__pfn;
  goto <D.6141>;
  <D.6140>:
  A.2 = A;
==> D.6143 = get.__delta;
  D.6144 = D.6143 >> 1;
  D.6145 = (sizetype) D.6144;
  D.6146 = A.2 + D.6145;
  D.6147 = MEM[(int (*__vtbl_ptr_type) () * *)D.6146];
  D.6148 = get.__pfn;
  D.6149 = (sizetype) D.6148;
  D.6150 = D.6147 + D.6149;
  iftmp.1 = *D.6150;
  <D.6141>:
  A.3 = A;
==> ???????? D.6152 = D.6143 >> 1;
  D.6153 = (sizetype) D.6152;
  D.6154 = A.3 + D.6153;
  result = iftmp.1 (D.6154);

Here the path <D.6138> => <D.6139> => <D.6141> introduces an uninitialized D.6153 value and a broken *this parameter for the called method.

Compiling this testcase with the -O2 -Wall options produces this warning:

$ armv7l-tizen-linux-gnueabi-g++ -S -fsanitize=shift test.cpp -O2 -Wall
test.cpp: In function 'int bar(int (Foo::*)())':
test.cpp:16:26: warning: '<anonymous>' may be used uninitialized in this function [-Wmaybe-uninitialized]
   int result = (A->*get)();

$ armv7l-tizen-linux-gnueabi-g++ -v
Using built-in specs.
COLLECT_GCC=armv7l-tizen-linux-gnueabi-g++
COLLECT_LTO_WRAPPER=/home/max/install/armv7l-tizen/libexec/gcc/armv7l-tizen-linux-gnueabi/6.0.0/lto-wrapper
Target: armv7l-tizen-linux-gnueabi
Configured with: /home/max/src/v6/gcc/configure --prefix=/home/max/install/armv7l-tizen --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --target=armv7l-tizen-linux-gnueabi --disable-nls --enable-poison-system-directories --with-pkgversion=Tizen.armv7l.GA2.2015-07-15 --with-sysroot=/home/max/install/armv7l-tizen/armv7l-tizen-linux-gnueabi/sys-root --with-gmp=/home/max/build/v6/fake-root --with-libelf=/home/max/build/v6/fake-root --with-mpc=/home/max/build/v6/fake-root --with-mpfr=/home/max/build/v6/fake-root --without-cloog --without-ppl --with-host-libstdcxx='-static-libgcc -Wl,-Bstatic,-lstdc++,-Bdynamic -lm' --enable-languages=c,c++,fortran --disable-libstdcxx-pch --enable-__cxa_atexit --enable-libssp --enable-lto --enable-checking=release --with-build-time-tools=/home/max/install/armv7l-tizen/bin --with-gnu-as --with-gnu-ld --with-specs='%{funwind-tables|fno-unwind-tables|mabi=*|ffreestanding|nostdlib:;:-funwind-tables} %{!Werror=unused-local-typedefs:%{!Wno-error=unused-local-typedefs:-Wno-error=unused-local-typedefs}} %{fuse-linker-plugin|fno-use-linker-plugin|flto|flto=*:;:-fno-use-linker-plugin}' --disable-multilib --disable-gnu-unique-object --enable-linker-build-id --with-mode=arm --with-fpu=neon-vfpv4 --with-cpu=cortex-a15.cortex-a7 --with-float=softfp --enable-libgomp --enable-linux-futex