https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69624
Bug ID: 69624
Summary: sanitize-coverage=trace-pc miscompiles kernel
Product: gcc
Version: 6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: jirislaby at gmail dot com
Target Milestone: ---

I have commit

commit a8175057d14fa8ff8cc4589edf55a6855d9afdf4
Author: Dmitry Vyukov <dvyu...@google.com>
Date:   Mon Nov 9 19:59:08 2015 +0100

    new coverage that uses shared buffer

applied to kernel 4.4. I am seeing crashes in netlink_bind at 0xd5dc:

    d5bd:       4c 89 e2                mov    %r12,%rdx
    d5c0:       e8 00 00 00 00          callq  d5c5 <netlink_bind+0x485>
                        d5c1: R_X86_64_PC32     __sw_hweight32-0x4
    d5c5:       03 83 d0 02 00 00       add    0x2d0(%rbx),%eax
    d5cb:       48 c1 ea 03             shr    $0x3,%rdx
    d5cf:       41 89 c5                mov    %eax,%r13d
    d5d2:       48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
    d5d9:       fc ff df
    d5dc:       80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)

because rdx is 0. rdx is fetched from r12, then __sw_hweight32 is called, which zeroes rdx, and the (%rdx,%rax,1) dereference is then a dereference of rax == 0xdffffc0000000000, which leads to a crash.