On Wed, Nov 23, 2016 at 02:57:07PM +0100, Martin Liška wrote:
> I started review process in libsanitizer: https://reviews.llvm.org/D26965
> And I have a question that was asked in the review: can we distinguish 
> between load and store
> in case of having usage of ASAN_POISON?

I think with ASAN_POISON it is indeed just loads from after scope that can
be caught; a store overwrites the variable with a new value, and when turning
the store after we make the var no longer addressable into SSA form, we
lose information about the out-of-scope store.  Furthermore, if there is
first a store and then a read, like:
  int f (int argc, int i)
  {
    char *ptr = 0;
    if (argc != 12312)
      {
        char my_char;
        ptr = &my_char;   /* pointer to my_char escapes its scope */
      }
    *ptr = i + 26;        /* store into my_char after its scope ended */
    return *ptr;          /* load after scope, preceded by the store */
  }
we don't notice even the read.  Not sure what could be done against that
though.  I think we'd need to hook into the into-ssa framework; there it
should know that the current value of the variable at the point of the store
is the result of ASAN_POISON and be able to, instead of turning that
  my_char = _23;
into
  my_char_35 = _23;
turn it into:
  my_char_35 = ASAN_POISON (_23);
which would represent after scope store into my_char.

Not really familiar with into-ssa though to know where to do it.

        Jakub
