On 11/23/2016 03:13 PM, Jakub Jelinek wrote:
> On Wed, Nov 23, 2016 at 02:57:07PM +0100, Martin Liška wrote:
>> I started the review process in libsanitizer: https://reviews.llvm.org/D26965
>> And I have a question that was asked in the review: can we distinguish
>> between load and store in case of having usage of ASAN_POISON?
>
> I think with ASAN_POISON it is indeed just loads from after scope that can
> be caught, a store overwrites the variable with a new value and when turning
> the store after we make the var no longer addressable into SSA form, we
> lose information about the out of scope store. Furthermore, if there is
> first a store and then a read, like:
>   if (argc != 12312)
>     {
>       char my_char;
>       ptr = &my_char;
>     }
>   *ptr = i + 26;
>   return *ptr;
> we don't notice even the read. Not sure what could be done against that
> though. I think we'd need to hook into the into-ssa framework, there it
> should know the current value of the variable at the point of the store is
> the result of ASAN_POISON and be able to instead of turning that
>   my_char = _23;
> into
>   my_char_35 = _23;
> turn it into:
>   my_char_35 = ASAN_POISON (_23);
> which would represent after scope store into my_char.
>
> Not really familiar with into-ssa though to know where to do it.
>
> Jakub
Richi, may I ask you for help with this question?

Thanks,
Martin
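The information loss Jakub describes can be made concrete with a toy model of the rename step. The following Python is an added illustration written for this thread, not GCC code: GCC's real into-SSA pass and the ASAN_POISON internal function operate on GIMPLE in tree-into-ssa.c and asan.c, whereas this model renames a flat list of constructed `Stmt` tuples. The `Stmt` shape, the `keep_poison_on_store` switch and the `flagged` bookkeeping are assumptions made for the illustration; the constructed input mirrors the snippet in the quoted mail, with `ptr` already taken to alias `my_char` so that `*ptr = i + 26` is a store to `my_char` and `return *ptr` a load from it.

```python
from dataclasses import dataclass

POISON = "ASAN_POISON"


@dataclass(frozen=True)
class Stmt:
    """One statement of the toy IR (an assumption of this model, not GIMPLE)."""
    kind: str       # "poison" (variable left its scope), "store" or "load"
    var: str        # the no-longer-addressable variable being renamed
    rhs: str = ""   # right-hand side of a store, e.g. the SSA name "_23"


def _fresh(versions, var):
    """Hand out the next SSA version name for `var` (my_char_1, my_char_2, ...)."""
    versions[var] = versions.get(var, 0) + 1
    return f"{var}_{versions[var]}"


def into_ssa(stmts, keep_poison_on_store):
    """Rename `stmts` into SSA form; return (renamed_lines, flagged_indices).

    flagged_indices lists statements the model can still recognise as
    after-scope accesses once renaming is done.  With
    keep_poison_on_store=False a store just defines a fresh version from
    its rhs, so the poison marker is forgotten (today's behaviour in the
    quoted mail).  With True a store to a poisoned variable is rewritten as
    `var_N = ASAN_POISON (rhs)` and the variable stays poisoned, which is
    the transformation Jakub proposes.
    """
    versions = {}
    current = {}    # var -> (current SSA name, defining expression)
    lines, flagged = [], []
    for i, s in enumerate(stmts):
        if s.kind == "poison":
            name = _fresh(versions, s.var)
            current[s.var] = (name, POISON)
            lines.append(f"{name} = {POISON} ();")
        elif s.kind == "store":
            _, prev_def = current.get(s.var, (None, None))
            name = _fresh(versions, s.var)
            if keep_poison_on_store and prev_def == POISON:
                current[s.var] = (name, POISON)          # still poisoned
                lines.append(f"{name} = {POISON} ({s.rhs});")
                flagged.append(i)                        # after-scope store
            else:
                current[s.var] = (name, s.rhs)           # marker lost here
                lines.append(f"{name} = {s.rhs};")
        elif s.kind == "load":
            name, defn = current[s.var]
            if defn == POISON:
                flagged.append(i)                        # after-scope load
            lines.append(f"_ret = {name};")
        else:
            raise ValueError(f"unknown statement kind {s.kind!r}")
    return lines, flagged


def flagged_accesses(stmts, keep_poison_on_store):
    """Indices of the statements that survive renaming as detectable."""
    return into_ssa(stmts, keep_poison_on_store)[1]


# Constructed inputs (not taken from any compiler dump).
LOAD_ONLY = (
    Stmt("poison", "my_char"),          # my_char went out of scope
    Stmt("load", "my_char"),            # return *ptr;
)
STORE_THEN_LOAD = (
    Stmt("poison", "my_char"),          # my_char went out of scope
    Stmt("store", "my_char", "_23"),    # *ptr = i + 26;  (_23 holds i + 26)
    Stmt("load", "my_char"),            # return *ptr;
)

if __name__ == "__main__":
    for label, prog in (("load only", LOAD_ONLY), ("store then load", STORE_THEN_LOAD)):
        for keep in (False, True):
            lines, flagged = into_ssa(prog, keep)
            print(f"{label}, keep_poison_on_store={keep}: flagged={flagged}")
            for line in lines:
                print("   ", line)
```

Running it shows the asymmetry from the mail: a bare load after the poison is flagged either way, but in the store-then-load case the plain rename emits `my_char_2 = _23;` and flags nothing, while the poison-preserving rename emits `my_char_2 = ASAN_POISON (_23);` and flags both the store and the later load.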