[Bug demangler/79099] Memory leak in cplus-dem.c:2232

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79099

Kostya Serebryany  changed:

   What|Removed |Added

 CC||kcc at gcc dot gnu.org

--- Comment #2 from Kostya Serebryany  ---

We are already fuzzing the LLVM demangler on https://github.com/google/oss-fuzz
(a free continuous fuzzing service for OSS). 
Binutils demangler is very welcome there as well. 

[Bug sanitizer/77982] deadlock in asan thread initialization/interception.

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77982

--- Comment #5 from Kostya Serebryany  ---
(In reply to Pawel Sikora from comment #3)
> (In reply to Kostya Serebryany from comment #2)
> > Is -flto important here?
> > Does this happen with clang? (does not happen for me)
> > Does this happen if you use statically linked asan (-static-libasan)?
> 
> ad1). lto isn't important.
> ad2). with static libasan testcase works.
> ad3). i can't verify with clang on fedora 24 due to linking error:
> 
> clang++ -fuse-ld=gold -g2 -O -fsanitize=address s.cpp -shared -o s.so -fPIC
> clang++ -fuse-ld=gold -g2 -O -fsanitize=address m.cpp -o m
> /usr/bin/ld.gold: error: cannot open
> /usr/bin/../lib64/clang/3.8.0/lib/linux/libclang_rt.asan-x86_64.a: No such
> file or directory
> /usr/bin/ld.gold: error: cannot open
> /usr/bin/../lib64/clang/3.8.0/lib/linux/libclang_rt.asan_cxx-x86_64.a: No
> such file or directory

Apparently, the clang installation is broken. 
Besides 3.8 is too old and is irrelevant anyway. 
Your test case works for me with clang trunk (clang links asan runtime
statically) 

> m.cpp:5: error: undefined reference to '__asan_init'
> m.cpp:5: error: undefined reference to '__asan_version_mismatch_check_v6'
> m.cpp:5: error: undefined reference to '__asan_register_globals'
> m.cpp:5: error: undefined reference to '__asan_unregister_globals'

>> ./s.so: undefined symbol: __asan_option_detect_stack_use_after_return
This does not happen with clang.

So, this looks like a gcc-specific bug, probably related to dynamic linking of
asan-rt. 

Hopefully the GCC folks can help. Ejecting myself from here. 
If something like this reproduces in clang trunk, please summon me back.

[Bug sanitizer/77982] deadlock in asan thread initialization/interception.

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77982

--- Comment #2 from Kostya Serebryany  ---
Is -flto important here?
Does this happen with clang? (does not happen for me)
Does this happen if you use statically linked asan (-static-libasan)?

[Bug sanitizer/78028] ASAN doesn't find memory leak

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78028

--- Comment #1 from Kostya Serebryany  ---
interestingly, this works for me with clang

[Bug sanitizer/77963] inconsistent (false?) leaks detection.

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77963

--- Comment #1 from Kostya Serebryany  ---
lsan does not work with ptrace. 
There is https://github.com/google/sanitizers/issues/728 for it. 
We don't have plans to fix it, but the change I sent for review yesterday 
causes lsan to complain loudly instead of producing false reports. 

If you know how to *fix* it, i.e. to make lsan work with ptrace -- please tell.

[Bug sanitizer/77567] ASAN: Bugus error "alloc-dealloc-mismatch (malloc vs operator delete [])" with C++17's over-aligned types

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77567

--- Comment #6 from Kostya Serebryany  ---
(In reply to Jakub Jelinek from comment #5)
> Created attachment 39612 [details]
> pr77567-2.patch
> 
> Slightly larger patch, which attempts to diagnose that, but fails to do so,
> because asan_allocator.cc only has:
>   u32 alloc_type: 2;
> and we now need 3 bits instead of just 2.
> Dmitry, is there any possibility to free one bit for this in ChunkHeader?

There are no bits left. 
But do we need these new states here? 
Can't we reuse the from_memalign field? 

Also, please remember that we can not accept patches from this buganizer --
they need to go via http://llvm.org/docs/Phabricator.html

[Bug sanitizer/77567] ASAN: Bugus error "alloc-dealloc-mismatch (malloc vs operator delete [])" with C++17's over-aligned types

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77567

--- Comment #2 from Kostya Serebryany  ---
(In reply to Jakub Jelinek from comment #1)
> I guess libasan needs to add the new C++17 aligned new operator entrypoints.
> Dmitry, are you going to add this upstream yourself, or should I cook a
> patch?

Jaukub, yes, a patch upstream would be welcome. 
In clang we don't have -std=c++17 yet, so I won't even be able to test it
there.

[Bug sanitizer/69840] two ASAN help nits

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69840

--- Comment #3 from Kostya Serebryany  ---
You don't :) 
The agreement between the teams was that the code in gcc is a verbatim copy of
upstream. (Well, there was a single-line difference at some point)
If you break this assumption, the next merge will undo your change.
Or the next merge will become impossible.

[Bug sanitizer/70712] False positive from AddressSanitizer with use of 'alignas'

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70712

--- Comment #1 from Kostya Serebryany  ---
Does not happen with clang: 
clang++ -fsanitize=address alignas.cc -std=c++11 && ./a.out 
So this is gcc-specific.

[Bug c++/68399] New: c++11 default initialization of a large array: slow compile

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68399

Bug ID: 68399
   Summary: c++11 default initialization of a large array: slow
compile
   Product: gcc
   Version: unknown
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: c++
  Assignee: unassigned at gcc dot gnu.org
  Reporter: kcc at gcc dot gnu.org
  Target Milestone: ---

Reproducible with 4.8.2 and fresh trunk (r230509). 

% gcc -O1 z.cpp -std=c++11 -c


#ifndef SZ
# define SZ 16
#endif
struct Range {
  short B, E;
  Range() : B(0), E(0) {}
};
struct ArrayOfRanges {
  Range LabelRanges[1 << SZ] = {};
};
ArrayOfRanges *AOR = new ArrayOfRanges();


This code will take ~10 minutes to compile at -O1
The larger the SZ is the longer it takes.

[Bug sanitizer/67865] ASAN crashes on thread creation

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67865

--- Comment #2 from Kostya Serebryany  ---
(In reply to dominik.strasser from comment #1)
> Host system: CentOS release 6.4 (Final)
> glibc: glibc-2.12-1.132.el6.x86_64

glibc-2.12 might be a bit too old. 
We don't test with it, and this code is very glibc-dependent. 

Also, the asan run-time in gcc has not been updated for at least 1 year. 
Do you observe the same behavior with fresh clang?

[Bug sanitizer/67513] ASAN: Not optimal shadow value check (unlikely condition checked in fast path)

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67513

--- Comment #5 from Kostya Serebryany  ---
(In reply to Yury Gribov from comment #1)
> (In reply to Andrey Ryabinin from comment #0)
> > (shadow value is usually zero).
> 
> What makes you think so? AFAIU for less-than-8-byte scalars it's always
> non-zero. I vaguely remember than Kostya did something like this in Clang
> case and it resulted in negligeable improvement.

The code in llvm uses branch weights to indicate that the slow path
is rarely taken. 

  if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) {
// We use branch weights for the slow path check, to indicate that the slow
// path is rarely taken. This seems to be the case for SPEC benchmarks.
TerminatorInst *CheckTerm = SplitBlockAndInsertIfThen(
Cmp, InsertBefore, false, MDBuilder(*C).createBranchWeights(1,
10));

The measurements were done on SPEC 2016 lng ago, 
I have no idea whether this is still a good heuristic.

I remember that the difference was not huge, but enough to justify 
one extra parameter.

[Bug sanitizer/67168] Asan crashes on program startup

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67168

Kostya Serebryany  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |INVALID

--- Comment #1 from Kostya Serebryany  ---
- don't add -lsan. -fsanitize=address is all you need. 
- please provide more details.
- check if lsan works for you on a simple synthetic test case, e.g. grab some
from https://github.com/llvm-mirror/compiler-rt/tree/master/test/lsan/TestCases
- does the lsan in fresh clang work for you? 

Since the bug report is not actionable at this point I am closing it.
Please reopen when the above bullets are checked.

[Bug sanitizer/65662] AddressSanitizer CHECK failed: ../../../../gcc/libsanitizer/sanitizer_common/sanitizer_allocator.h:835 "((res)) < ((kNumPossibleRegions))" (0x3ffb49, 0x80000)

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65662

--- Comment #5 from Kostya Serebryany  ---
AArch64 is being discussed at
https://groups.google.com/forum/#!topic/address-sanitizer/YzYRJEvVimw
Please join the discussion. 
We, the primary maintainers of asan, have no access to AArch64 boxes yet, 
so we rely on others here.

[Bug sanitizer/65662] AddressSanitizer CHECK failed: ../../../../gcc/libsanitizer/sanitizer_common/sanitizer_allocator.h:835 "((res)) < ((kNumPossibleRegions))" (0x3ffb49, 0x80000)

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65662

--- Comment #4 from Kostya Serebryany  ---
AArch64 is being discussed at
https://groups.google.com/forum/#!topic/address-sanitizer/YzYRJEvVimw
Please join the discussion. 
We, the primary maintainers of asan, have no access to AArch64 boxes yet, 
so we rely on others here.

[Bug sanitizer/65285] __asan_describe_address crashes when used with global variable

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65285

Kostya Serebryany  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |WONTFIX

--- Comment #10 from Kostya Serebryany  ---
(In reply to Peter Wu from comment #9)
> Tested with
> clang version 3.7.0 (http://llvm.org/git/clang.git
> 6b7e300a9c14a2ff364d8ef8a0f7510378f38dbc) (http://llvm.org/git/llvm
> 258b7710d59c086656f7b26f02326d7ca69d71fd)
> 
> (http://llvm.org/git/compiler-rt.git
> 70b3c4464a4067db2cd9862736611fdf6739f451)
> 
> The output is still:
> AddressSanitizer can not describe address in more detail (wild memory access
> suspected).
> 
> I can however live with the -fno-common workaround (which sounds like a good
> idea overall). 

Exactly, we recommend using -fno-common with asan for C to find more bugs. 


> I'll leave it up to you whether it will be closed as WONTFIX.
> 
> Thanks for your hints!

[Bug sanitizer/65285] __asan_describe_address crashes when used with global variable

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65285

--- Comment #8 from Kostya Serebryany  ---
(In reply to Peter Wu from comment #7)
> (In reply to Kostya Serebryany from comment #6)
> > > How does your GCC behave with the test case? The sanitizer code in GCC is
> > > imported from Clang, I believe, so it probably does not crash either?
> > 
> > I get this: 
> > ~/gcc-inst/bin/gcc -fsanitize=address -static-libasan   d.c && ./a.out 
> > AddressSanitizer can not describe address in more detail (wild memory access
> > suspected).
> 
> I guess this is better than crashing. Is it possible to report something
> better? Can't it at least report the type and address?

Since asan does not instrument this global it knows nothing about it. 
Sure, it is possible to provide better diagnostic, but this is nowhere near the
top of the things we are planing to work on. Frankly, this looks like a
relatively low value feature. 

> 
> > Did you check the GCC trunk?
> 
> It took a while to get the build environment, but now I can confirm that I
> see the same wild memory access error (tested with r221125).

Let me double-check with the fresh GCC trunk. 
Does fresh Clang trunk work for you?

[Bug sanitizer/65285] __asan_describe_address crashes when used with global variable

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65285

--- Comment #6 from Kostya Serebryany  ---
> How does your GCC behave with the test case? The sanitizer code in GCC is
> imported from Clang, I believe, so it probably does not crash either?

I get this: 
~/gcc-inst/bin/gcc -fsanitize=address -static-libasan   d.c && ./a.out 
AddressSanitizer can not describe address in more detail (wild memory access
suspected).

Did you check the GCC trunk?

[Bug sanitizer/65285] __asan_describe_address crashes when used with global variable

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65285

--- Comment #4 from Kostya Serebryany  ---
(In reply to Peter Wu from comment #3)
> GCC 4.9.2 cannot include the headers, it blows up on lines such as:
> In file included from
> /usr/lib/clang/3.5.1/include/sanitizer/common_interface_defs.h:16:0,
>  from
> /usr/lib/clang/3.5.1/include/sanitizer/asan_interface.h:17,
>  from :1:
> /usr/lib/clang/3.5.1/include/stddef.h:42:42: error: missing binary operator
> before token "("
>  #if !defined(_PTRDIFF_T) || __has_feature(modules)
> ...
> 
> (gcc -I/usr/lib/clang/3.5.1/include ...)
> 
> With clang 3.5.1, it works, but *only* with "-x c++" and not "-x c".
This should work with clang trunk. 

I think I know what your problem is. 
In C, the globals by default have common linkage and asan does not instrument
them at all and thus can not properly report them. 

Use -fno-common with C. 
https://code.google.com/p/address-sanitizer/wiki/Flags

[Bug sanitizer/65285] __asan_describe_address crashes when used with global variable

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65285

--- Comment #1 from Kostya Serebryany  ---
What happens if you properly include sanitizer/asan_interface.h?

This is what I see with fresh clang:

% cat d.cc 
#include 
int foo[10];
int main(void) {
  __asan_describe_address(&foo);
}
% clang -fsanitize=address  d.cc && ./a.out 
0x0135c820 is located 0 bytes inside of global variable 'foo' defined in
'd.cc:2:5' (0x135c820) of size 40
%

[Bug sanitizer/65285] __asan_describe_address crashes when used with global variable

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65285

--- Comment #2 from Kostya Serebryany  ---
and for gcc: 

% ~/gcc-inst/bin/g++ -fsanitize=address -static-libasan   d.cc && ./a.out 
0x0134f900 is located 0 bytes inside of global variable 'foo' defined in
'd.cc:2:5' (0x134f900) of size 40
%

[Bug bootstrap/63888] [5 Regression] bootstrap failed when configured with -with-build-config=bootstrap-asan --disable-werror

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888

--- Comment #34 from Kostya Serebryany  ---
(In reply to Jakub Jelinek from comment #31)
> Any progress on this?
> 
> If not, I'm considering doing:
> --- libsanitizer/asan/asan_globals.cc.jj  2014-11-14 00:10:34.0 
> +0100
> +++ libsanitizer/asan/asan_globals.cc 2015-02-20 11:43:33.179177767 +0100
> @@ -148,7 +148,9 @@ static void RegisterGlobal(const Global
>CHECK(AddrIsInMem(g->beg));
>CHECK(AddrIsAlignedByGranularity(g->beg));
>CHECK(AddrIsAlignedByGranularity(g->size_with_redzone));
> -  if (flags()->detect_odr_violation) {
> +  // This "ODR violation" detection is fundamentally incompatible with
> +  // how GCC registers globals.  Disable as useless until rewritten
> upstream.
> +  if (0 && flags()->detect_odr_violation) {
>  // Try detecting ODR (One Definition Rule) violation, i.e. the situation
>  // where two globals with the same name are defined in different
> modules.
>  if (__asan_region_is_poisoned(g->beg, g->size_with_redzone)) {
> for now.

Sorry, this got pushed back in the queue... 
Sure, feel free to commit something like this.
Slightly better place is at the definition of detect_odr_violation -- change
the default to 0 and mark the change with some visible markers. 
Obviously we'll need to do a proper fix upstream before the next merge.

Frankly, I am not at all motivated to do any significant surgery in the llvm
compiler instrumentation because for me everything works fine. 

We can extend the Global struct to have a boolean (bit?) that says whether we
are checking for ODRs (as you suggested above). This will be a new ABI break.
Not a big deal, of course.

I wonder if we can somehow else detect that the module is compiled with GCC and
disable the checking in that case?

[Bug sanitizer/64435] [5 Regression] Bootstrap failure in libsanitizer on AArch64 with Linux kernel <= 3.15

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64435

--- Comment #23 from Kostya Serebryany  ---
Can we move the discussion to the asan issue tracker? 
https://code.google.com/p/address-sanitizer/issues/list

There is already quite a bit of aarch64 discussion at
https://code.google.com/p/address-sanitizer/issues/detail?id=246

Not all of the asan developers are looking at the gcc buganizer and the fix
will need to go to the upstream anyway.

[Bug tree-optimization/64330] [5 Regression] IPA-ICF merges const exported vars that could be addressable in other TUs

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64330

--- Comment #4 from Kostya Serebryany  ---
So, maybe the ODR checker in the current form is not that useless.
Sorry, couldn't resist :)

[Bug bootstrap/63888] [5 Regression] bootstrap failed when configured with -with-build-config=bootstrap-asan --disable-werror

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888

Kostya Serebryany  changed:

   What|Removed |Added

 CC||richard-gccbugzilla@metafoo
   ||.co.uk

--- Comment #22 from Kostya Serebryany  ---
Summoning more folks

[Bug bootstrap/63888] [5 Regression] bootstrap failed when configured with -with-build-config=bootstrap-asan --disable-werror

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888

--- Comment #20 from Kostya Serebryany  ---
> Is this clear?  This is on access of the b1 variable defined in main.c,
> certainly not anything around f variable defined in libfoo.c.

Yea. Thanks. Pondering...
I am still not convinced that this code is good (even if it is
C-standard-compliant).

[Bug bootstrap/63888] [5 Regression] bootstrap failed when configured with -with-build-config=bootstrap-asan --disable-werror

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888

--- Comment #18 from Kostya Serebryany  ---
(In reply to Jakub Jelinek from comment #17)
> (In reply to Kostya Serebryany from comment #16)
> > Frankly, I realize that I don't understand the subtleties of this problem.
> > :( 
> > 
> > First, if this is C++ we clearly have a bug (ODR violation) and we are 
> > done. 
> 
> So it is an ODR violation in C++, but you won't report it (remember, the
> binary is not instrumented), just it will misbehave (can mark valid memory
> of other vars in the binary as poisoned, e.g.).
> 
> > Then, if this is C w/o any extra flags we will not instrument these globals.
> 
> Not true, the vars are initialized, thus are not common.  Or the var in the
> binary could be common, and the var in the shared library not, etc.
> And I've actually verified both clang and gcc instrument it.
> 
> Registering something assuming padding has been added (and aligned) when you
> don't have a control on it is just wrong, and the local alias is an very
> easy way to avoid it.

I am disoriented. 
Can you please give a full repro (with command lines, etc) where 
we'll now produce a false positive (in clang or in gcc)?

[Bug bootstrap/63888] [5 Regression] bootstrap failed when configured with -with-build-config=bootstrap-asan --disable-werror

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888

--- Comment #16 from Kostya Serebryany  ---
(In reply to Jakub Jelinek from comment #15)
> (In reply to Kostya Serebryany from comment #14)
> > We should be careful when instrumenting something that can be redefined
> > because the 
> > definition may be no-instrumented. 
> 
> But that is a strong argument why what GCC does is desirable and not what
> LLVM does.
> Say you have:
> int f = 4;
> int g = 5;
> int foo (int *p) { return *p; }
> in libfoo.c and
> int f = 4;
> int g = 5;
> int foo (int *);
> int main ()
> {
>   return foo (&f) - 4;
> }
> Suppose libfoo.c is compiled/linked with -fsanitize=address -fpic -shared.
> Suppose main.c is compiled without -fsanitize=address.
> GCC will use in registration of global symbols in libfoo.c the local alias
> to f and g, so registers something that in the end is not used, because f in
> the executable comes earlier in the search scope.  But registers something
> that is known to be properly padded for asan.
> LLVM doesn't use a local alias, and so will happily register the f and g
> symbols in the binary, but as if they had the padding which they most
> probably don't.  So you can end up with false positives or false negatives
> that way.
> But when you use local aliases, obviously the current way of ODR checking
> can't work and should use symbol names instead.

Frankly, I realize that I don't understand the subtleties of this problem. :( 

First, if this is C++ we clearly have a bug (ODR violation) and we are done. 
Then, if this is C w/o any extra flags we will not instrument these globals.
Done.
Finally, if this is C with -fno-common, I am not sure if the C standard covers
this and how we should behave.

[Bug bootstrap/63888] [5 Regression] bootstrap failed when configured with -with-build-config=bootstrap-asan --disable-werror

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888

--- Comment #14 from Kostya Serebryany  ---
(In reply to Yury Gribov from comment #13)
> (In reply to Kostya Serebryany from comment #12)
> > But for this example in C the globals will not get instrumented, unless 
> > -fno-common is given.
> 
> BTW I think everyone already pairs this with -fsanitize=address, otherwise
> sanitization of globals becomes so weak.

Dunno. That's what we recommend.

> 
> >> If LLVM uses global symbols instead of local aliases, it is more expensive.
> >> You can have aliases/weakrefs etc. to symbols, and those still aren't ODR
> >> violations.
> > 
> > But these again should not be instrumented by asan at all. No? 
> 
> Wouldn't that cause false negatives for internal references to local aliases?

We should be careful when instrumenting something that can be redefined because
the 
definition may be no-instrumented. 
Consider a case where 
 a.c has a weakref (or whatever else that can be redefined) and
 b.c had a regular definition. 
Then, a.c is instrumented and b.c is not. Bad.


> 
> > Never seen a case like this ("registered multiple times for multiple
> > addresses").
> > Can you give an example?
> 
> How about this: say some global variable xyz is defined both in executable
> and in shared library. Now
> 1) if xyz isn't exported from executable, it will not be available to shlib;
> so exe's internal references will bind to exe's definition but shlib's
> references will bind to shlib's definition
> 2) if xyz is exported from executable but shlib is linked with -Bsymbolic,
> shlib's internal references will bind to shlib's implementation
> 3) RTLD_DEEPBIND could also alter symbol resolution order in a shlib

[Bug sanitizer/59410] tsan tests fail with address randomization disabled

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=59410

--- Comment #36 from Kostya Serebryany  ---
While we are at it, H.J., is there any hope with 
https://bugzilla.kernel.org/show_bug.cgi?id=66721 ?

[Bug sanitizer/64265] [5 Regression] r217669 broke tsan

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64265

--- Comment #16 from Kostya Serebryany  ---
> Kostya, can you say anything about llvm? On the tsan issue you said:
> "We'll need a kind of RAII for tsan entry/exit hooks. When we are adding
> tsan instrumentation, we need to create a fake class object with a ctor and
> dtor."

I am still pretty confident that this is the only viable solution
(the fix should be done in Clang, not LLVM).
I did not try to actually implement it yet. 

> 
> Which suggests that you wanted to do it in a similar way in llvm.
> 
> If we decide to it this way in both compilers, then no support in runtime is
> required, and gcc can well implement it ahead of llvm.

Absolutely.

[Bug bootstrap/63888] [5 Regression] bootstrap failed when configured with -with-build-config=bootstrap-asan --disable-werror

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888

--- Comment #12 from Kostya Serebryany  ---
(In reply to Jakub Jelinek from comment #9)
> (In reply to Kostya Serebryany from comment #8)
> > > You haven't responded about the language thing, there is no such thing as
> > > ODR in C or Fortran, so you shouldn't report it.
> > 
> > In LLVM, I do not (and should not) know what source language is being
> > compiled.
> 
> Sounds like LLVM limitation.
> 
> > The differences between languages are represented in the linkage types 
> > of the globals. E.g. a regular global in C will not be instrumented at all 
> > unless -fno-common is given. I.e. the difference is not in the source
> > language 
> > but in the linkage type of the globals. 
> 
> I believe your
> http://llvm.org/klaus/compiler-rt/blob/
> 0926de35c9357aa1a5c47d3a618d6c72f9e8f085/test/asan/TestCases/Linux/odr-
> violation.cc
> example is valid in C

But for this example in C the globals will not get instrumented, unless 
-fno-common is given. 


> , and commonly used (sure, more commonly with functions
> than with variables, but even with variables).  Furthermore, the kind of ODR
> detection in libasan isn't really ODR detection, you are instead checking if
> the same global is registered multiple times.  GCC intentionally registers
> local aliases of the globals, so that the same global isn't registered
> multiple times if it is defined by multiple shared libraries or binary and
> some shared library - each TU registers the vars local to it, rather than
> trying to register globals in a completely different shared library.

> If LLVM uses global symbols instead of local aliases, it is more expensive.
> You can have aliases/weakrefs etc. to symbols, and those still aren't ODR
> violations.

But these again should not be instrumented by asan at all. No? 

> 
> An ODR violation is IMHO something different, it is the case where you have
> the same symbol name (but, you'd need to distinguish between globally
> visible symbols that should be ODR checked and local symbols and/or symbols
> from languages you don't want to check for it) registered multiple times for
> multiple addresses.

Never seen a case like this ("registered multiple times for multiple
addresses").
Can you give an example? 

>> So you'd need to hash based on the symbol name if
> marked for ODR checking, and check if the same (non-comdat) global isn't
> registered several times.

[Bug bootstrap/63888] [5 Regression] bootstrap failed when configured with -with-build-config=bootstrap-asan --disable-werror

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888

--- Comment #8 from Kostya Serebryany  ---
(sorry for delay, I missed the last comment)
> Generally, we do want to instrument even artificial variables, and on many
> of them buffer overflow is possible.

Yea, agree. 

> 
> > I.e. is a buffer overflow on these variables possible? 
> > 
> > If we don't instrument them we won't report an ODR violation. 
> > 
> > >> GCC with -fmerge-all-constants also merges many read-only constants, 
> > >> even addressable ones, when they have the same content.
> > 
> > Then I guess we may have other false positives. 
> > We may want to disable -fmerge-all-constants under asan
> 
> You haven't responded about the language thing, there is no such thing as
> ODR in C or Fortran, so you shouldn't report it.

In LLVM, I do not (and should not) know what source language is being compiled.
The differences between languages are represented in the linkage types 
of the globals. E.g. a regular global in C will not be instrumented at all 
unless -fno-common is given. I.e. the difference is not in the source language 
but in the linkage type of the globals. 

% clang -S -o - -emit-llvm glob.c 
@GLOBAL = common global i32 0, align 4
% clang -S -o - -emit-llvm glob.c -fno-common
@GLOBAL = global i32 0, align 4
% clang++ -x c++ -S -o - -emit-llvm glob.c 
@GLOBAL = global i32 0, align 4


Can you give an example in C where we do not want to check for ODRs, yet
the basic asan instrumentation is legal? 

> There are 31 (or 63) bits left in __has_dynamic_init field, can't one bit be
> used for whether ODR should be reported or not?
That will still mean an API change, something I like to avoid when possible.

[Bug sanitizer/63958] [5 Regression] bootstrap failure in the sanitizer libs on sparc-linux-gnu

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63958

--- Comment #6 from Kostya Serebryany  ---
I am not at war with anyone and if I am, I give up and surrender.

But whoever wants the sanitizers to work on SPARC [s]he will have to work with
us upstream. We can not fix build failures on SPARC upstream because we don't
have access to SPARC machines and there is no public buildbot with SPARC. 
If no one needs sanitizers on SPARC and all you care about is that GCC builds
on SPARC, just disable the sanitizers for SPARC. 

This is my last response here. 
For constructive discussion please start sending patches upstream.

[Bug sanitizer/63958] [5 Regression] bootstrap failure in the sanitizer libs on sparc-linux-gnu

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63958

--- Comment #3 from Kostya Serebryany  ---
I am very sorry that you are so upset, but the workflow will not change. 
All changes to sanitizer files (except for GCC-specific tests and make files)
have to go to upstream first. 
If any change goes directly to GCC it will get overwritten by a following merge
from upstream. 
(merge is the wrong name for process actually. The right name would be "copy").

[Bug sanitizer/63958] [5 Regression] bootstrap failure in the sanitizer libs on sparc-linux-gnu

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63958

--- Comment #1 from Kostya Serebryany  ---
Please send patches upstream:
https://code.google.com/p/address-sanitizer/wiki/HowToContribute

[Bug bootstrap/63888] [5 Regression] bootstrap failed when configured with -with-build-config=bootstrap-asan --disable-werror

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888

--- Comment #6 from Kostya Serebryany  ---
(In reply to Yury Gribov from comment #5)
> Perhaps ODR check should check that names of global variables match before
> issuing warning?

The variables are generated by the compiler, right? 
(These are switch tables)

Do we want to instrument them at all? 
I.e. is a buffer overflow on these variables possible? 

If we don't instrument them we won't report an ODR violation. 

>> GCC with -fmerge-all-constants also merges many read-only constants, even 
>> addressable ones, when they have the same content.

Then I guess we may have other false positives. 
We may want to disable -fmerge-all-constants under asan

[Bug sanitizer/63927] AddressSanitizer painfully slow on ppc64

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63927

Kostya Serebryany  changed:

   What|Removed |Added

 CC||eugeni.stepanov at gmail dot 
com,
   ||samsonov at google dot com

--- Comment #7 from Kostya Serebryany  ---
(In reply to Markus Trippelsdorf from comment #6)
> See:
> http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi-1.9.html#STACK

Then someone needs to implement the appropriate unwinder 
in sanitizer_common/sanitizer_stacktrace.cc
and submit the patch for review upstream. 
https://code.google.com/p/address-sanitizer/wiki/HowToContribute

[Bug sanitizer/63927] AddressSanitizer painfully slow on ppc64

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63927

--- Comment #4 from Kostya Serebryany  ---
Why can't we use frame pointers on PPC? 
So far I have not seen any implementation of unwinder not based on FPs
that was fast enough for ASan. 
ASan unwinds the stack on every malloc/free and thus it is very sensitive to
the unwinder performance.

[Bug sanitizer/63564] -fsanitize=address obscures access to free memory

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63564

--- Comment #4 from Kostya Serebryany  ---
(In reply to Bernd Edlinger from comment #3)
> In the original example (it was ported from windows,
> and the windows semaphores are completely immune
> against this kind of error) the sem_post were in
> *another* thread and there were several milliseconds
> between the free the next malloc. So this is
> already a really, really hard to find bug.
> But what I don't understand, why the malloc does
> *not* crash when address sanitizer is used. 

If the program has undefined behavior then the program's behavior is, well, 
undefined. You can not expect malloc to crash if there is a bug in the code.
asan's malloc does not rely on malloc headers for bookeeping so it did not
crash.

> The same for thread sanitizer, it does not spot
> the error, and the error does not happen in debug
> builds only in release builds.

Good point. 
tsan does intercept sem_post/sem_wait but does not detect when there is a
use-after-free on it (we do it for pthread_mutex_lock though). 

Dmitry, You may want to add that to tsan.

[Bug sanitizer/63564] -fsanitize=address obscures access to free memory

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63564

--- Comment #2 from Kostya Serebryany  ---
We don't intercept sem_post/sem_wait and don't instrument glibc where they are
implemented. Sadly, the same applies to quite a few other glibc functions. 
In future we may have fully instrumented glibc,
but in the meantime we need to add more interceptors. 
Patches are welcome, 
see https://code.google.com/p/address-sanitizer/wiki/HowToContribute

Most likely sanitizer_common/sanitizer_common_interceptors.inc  will need to be
modified.

[Bug c/63418] false positive with -Wmaybe-uninitialized

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63418

--- Comment #3 from Kostya Serebryany  ---
Thanks for confirming the current state of this warning :)

[Bug c/63418] false positive with -Wmaybe-uninitialized

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63418

--- Comment #1 from Kostya Serebryany  ---
Created attachment 33626
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=33626&action=edit
w1.c

attached the repro

[Bug c/63418] New: false positive with -Wmaybe-uninitialized

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63418

Bug ID: 63418
   Summary: false positive with -Wmaybe-uninitialized
   Product: gcc
   Version: unknown
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: c
  Assignee: unassigned at gcc dot gnu.org
  Reporter: kcc at gcc dot gnu.org

I know there are some known false positives with -Wmaybe-uninitialized, so this
might be a dup. I'd like to document this one just in case this is another
corner case. 
The test comes from a slightly modified glibc sources.
Tested with the fresh gcc trunk r215730.

% gcc w1.c -std=gnu99 -c -Wmaybe-uninitialized -O2

w1.c: In function ‘parse_expression.constprop’:
w1.c:13311:28: warning: ‘extra’ may be used uninitialized in this function
[-Wmaybe-uninitialized]
   if (name_len == extra[idx]
^
w1.c:13500:24: note: ‘extra’ was declared here
   const unsigned char *extra;


Looking at the code:

"extra" is defined w/o initializer:
13500   const unsigned char *extra;

Then, it is initialized under if (nrules):
13522   if (nrules) {
...
13533 extra =

nrules never changes again. 

The warning complains about "extra" being used in seek_collating_symbol_entry
w/o being initialied. 
There are two calls to seek_collating_symbol_entry, they look like this: 

13337 if (nrules != 0) {
13338   int32_t elem, idx;
13339   elem = seek_collating_symbol_entry(br_elem->opr.name, sym_name_len,


13456   if (nrules != 0) {
13457 elem = seek_collating_symbol_entry(name, name_len, symb_table,
table_size,


So, in both cases seek_collating_symbol_entry is called if nrules != 0, i.e.
'extra' is initialized. 


If this is something new and unexpected I can prepare a better minimized
example, but I don't want to waste time if this is known. 
I wasn't able to reproduce this on a tiny example.

[Bug sanitizer/61293] asan can not find left buffer overflow of new[]-allocated buffer, frontend help needed

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61293

--- Comment #4 from Kostya Serebryany  ---
FTR, this has been implemented in Clang (Itanium ABI only for now): 
clang: http://llvm.org/viewvc/llvm-project?view=revision&revision=216434
asan: http://llvm.org/viewvc/llvm-project?rev=214711&view=rev
test:  http://llvm.org/viewvc/llvm-project?rev=216494&view=rev

[Bug driver/62105] sanitizer libraries in wrong command line position in link spec file

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62105

Kostya Serebryany  changed:

   What|Removed |Added

 CC||eugeni.stepanov at gmail dot 
com,
   ||kcc at gcc dot gnu.org,
   ||samsonov at google dot com

--- Comment #1 from Kostya Serebryany  ---
clang uses -whole-archive:
clang  -fsanitize=thread a.cc -v
 "/usr/bin/ld" -whole-archive
...lib/clang/3.5.0/lib/linux/libclang_rt.tsan-x86_64.a -no-whole-archive ...

I believe this is the only right thing to do. 
Placing the tsan run-time after the objects will have other nasty side effects 
(Alexey, Evgenyi may remember exactly which)

[Bug sanitizer/61978] implement blacklist for sanitizer

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61978

--- Comment #8 from Kostya Serebryany  ---
(In reply to Daniel Pinol from comment #7)
> thank you everybody for your great feedback!
> 
> @kostya: I provide here the full log. Even removing the #if's, it still
> aborts. strict_memcmp=0 worked like a charm. Thanks!

Good. Formally this is a bug, but in most cases not a very harmful one. 
So, just continue using strict_memcmp=0

> 
> I guess there's no way to just report the errors but not abort execution,
> right?

Right, asan exits on first error. 
(First entry in FAQ:
https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer#FAQ)

> 
> 
> 0x09de51cc is located 52 bytes to the left of global variable '*.LC2' from
> '/home/dani/svn/robot/sources/src/interaction/gui/touchscreen/ReemH/
> videoWindow/VideoWindow.cpp' (0x9de5200) of size 1
>   '*.LC2' is ascii string ''
> 0x09de51cc is located 0 bytes to the right of global variable '*.LC1' from
> '/home/dani/svn/robot/sources/src/interaction/gui/touchscreen/ReemH/
> videoWindow/VideoWindow.cpp' (0x9de51c0) of size 12
>   '*.LC1' is ascii string 'VideoWindow'
> SUMMARY: AddressSanitizer: global-buffer-overflow
> ../../.././libsanitizer/asan/asan_interceptors.cc:325 __interceptor_memcmp
> Shadow bytes around the buggy address:
>   0x213bc9e0: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>   0x213bc9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x213bca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x213bca10: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
>   0x213bca20: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
> =>0x213bca30: 00 00 00 00 00 00 00 00 00[04]f9 f9 f9 f9 f9 f9
>   0x213bca40: 01 f9 f9 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
>   0x213bca50: 00 00 01 f9 f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9
>   0x213bca60: 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>   0x213bca70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x213bca80: 00 01 f9 f9 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:   00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:   fa
>   Heap right redzone:  fb
>   Freed heap region:   fd
>   Stack left redzone:  f1
>   Stack mid redzone:   f2
>   Stack right redzone: f3
>   Stack partial redzone:   f4
>   Stack after return:  f5
>   Stack use after scope:   f8
>   Global redzone:  f9
>   Global init order:   f6
>   Poisoned by user:f7
>   Contiguous container OOB:fc
>   ASan internal:   fe
> ==19590==ABORTING

[Bug sanitizer/61978] implement blacklist for sanitizer

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61978

--- Comment #5 from Kostya Serebryany  ---
Also check if strict_memcmp=0 helps you. 
https://code.google.com/p/address-sanitizer/wiki/Flags

[Bug sanitizer/61978] implement blacklist for sanitizer

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61978

--- Comment #4 from Kostya Serebryany  ---
Note that the blacklist can not disable the checking inside the memcmp
interceptor. But it will disable instrumenting globals in QT, so 
if this is a global from QT (you did not post the full log) you will not see
the error.

[Bug sanitizer/61978] implement blacklist for sanitizer

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61978

--- Comment #2 from Kostya Serebryany  ---
Yea. This has been discussed a couple of times before. 
using an attribute in the source is clearly the preferable way. 
Unfortunately, it is not always technically possible, so we *have* to use the
blacklists. 
The major use cases: 
  a) third_party code that can not be easily modified 
  b) needs to blacklist an entire source directory 
  c) blacklist should be applied to a type, not a function

In Chromium we have these:
http://src.chromium.org/viewvc/chrome/trunk/src/tools/memory/tsan_v2/ignores.txt?revision=279695
http://src.chromium.org/viewvc/chrome/trunk/src/tools/msan/blacklist.txt?revision=284946
http://src.chromium.org/viewvc/chrome/trunk/src/tools/ubsan_vptr/blacklist.txt?revision=285951
http://src.chromium.org/viewvc/chrome/trunk/src/third_party/instrumented_libraries/blacklists/asan/libglib2.0-0.txt?revision=282959
http://src.chromium.org/viewvc/chrome/trunk/src/third_party/instrumented_libraries/blacklists/msan/libx11-6.txt?revision=282959

[Bug sanitizer/61771] Regressions in ASan testsuite on ARM Linux

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61771

--- Comment #5 from Kostya Serebryany  ---
> > Of course, it would be awesome if we could synchronize
> > (and document somewhere) FP stack layout between GCC and Clang
Isn't this what ARM should be doing?

>> Perhaps we should just disable fast unwind on ARM?
You will slowdown asan to the point where Valgrind will become preferable

[Bug c++/61288] valgrind finds problem in build_conditional_expr_1

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61288

Kostya Serebryany  changed:

   What|Removed |Added

   Assignee|unassigned at gcc dot gnu.org  |jason at gcc dot gnu.org

--- Comment #3 from Kostya Serebryany  ---
Seems to have appeared after r210281

[Bug c++/61288] valgrind finds problem in build_conditional_expr_1

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61288

--- Comment #2 from Kostya Serebryany  ---
Created attachment 33107
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=33107&action=edit
61288.cc

Somewhat minimized reproducer: 

cc1plus -mtune=generic -march=x86-64  -std=gnu++11 61288.cc

[Bug c++/61288] valgrind finds problem in build_conditional_expr_1

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61288

Kostya Serebryany  changed:

   What|Removed |Added

 Status|UNCONFIRMED |NEW
   Last reconfirmed||2014-07-11
 CC||kcc at gcc dot gnu.org
 Ever confirmed|0   |1

--- Comment #1 from Kostya Serebryany  ---
I see this bug as well while running asan-ified or msan-ified gcc r212448
Besides just being a bug it also prevents me from testing gcc with asan and
msan

Minimized reproducer coming soon. 


==6753==ERROR: AddressSanitizer: heap-use-after-free on address 0x6210001c49a8
at pc 0x5df403 bp 0x7fff67fe9a70 sp 0x7fff67fe9a68
READ of size 1 at 0x6210001c49a8 thread T0
#0 0x5df402 in build_conditional_expr_1 gcc/cp/call.c:4842:11
#1 0x5db148 in build_conditional_expr gcc/cp/call.c:5089:9
#2 0x965849 in build_x_conditional_expr gcc/cp/typeck.c:6073:10
#3 0x88f88d in cp_parser_question_colon_clause gcc/cp/parser.c:8146:10
#4 0x88f88d in cp_parser_assignment_expression gcc/cp/parser.c:8185

0x6210001c49a8 is located 168 bytes inside of 4064-byte region
[0x6210001c4900,0x6210001c58e0)
freed by thread T0 here:
#0 0x5a3871 in free
#1 0x7fa9dca702a7 in obstack_free 
#2 0x5dcf0a in build_conditional_expr_1 gcc/cp/call.c:4822:7
#3 0x5db148 in build_conditional_expr gcc/cp/call.c:5089:9
#4 0x965849 in build_x_conditional_expr gcc/cp/typeck.c:6073:10
#5 0x88f88d in cp_parser_question_colon_clause gcc/cp/parser.c:8146:10
#6 0x88f88d in cp_parser_assignment_expression gcc/cp/parser.c:8185

previously allocated by thread T0 here:
#0 0x5a3b49 in __interceptor_malloc
#1 0x2907384 in xmalloc 
#2 0x7fa9dca701c5 in _obstack_newchunk
/build/buildd/eglibc-2.15/malloc/obstack.c:271
#3 0x5ce9c6 in conversion_obstack_alloc gcc/cp/call.c:615:7
#4 0x5c7029 in alloc_conversion gcc/cp/call.c:724:22
#5 0x5c7029 in build_identity_conv gcc/cp/call.c:1049
#6 0x5c7029 in build_user_type_conversion_1 gcc/cp/call.c:3620
#7 0x5d0297 in implicit_conversion gcc/cp/call.c:1820:14
#8 0x5dbf3f in build_conditional_expr_1 gcc/cp/call.c:4769:15
#9 0x5db148 in build_conditional_expr gcc/cp/call.c:5089:9
#10 0x965849 in build_x_conditional_expr gcc/cp/typeck.c:6073:10
#11 0x88f88d in cp_parser_question_colon_clause gcc/cp/parser.c:8146:10
#12 0x88f88d in cp_parser_assignment_expression gcc/cp/parser.c:8185

[Bug other/61016] use of uninitialized memory in gcc/config/i386/i386.c

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61016

--- Comment #3 from Kostya Serebryany  ---
Ping. Any interest? 
The bug is still present in r212279

[Bug sanitizer/61693] [asan] is not intercepting aligned_alloc

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61693

Kostya Serebryany  changed:

   What|Removed |Added

 CC||eugeni.stepanov at gmail dot 
com,
   ||glider at google dot com,
   ||timu at google dot com

--- Comment #4 from Kostya Serebryany  ---
http://llvm.org/viewvc/llvm-project?view=revision&revision=212322 implements 
aligned_alloc support on Linux.
I will let others implement Android/Windows/Mac support if relevant.

This will reach GCC with the next libsanitizer merge (not sure when), 
or feel free to cherry pick in a couple of days (to make sure it works well)

[Bug sanitizer/61693] [asan] is not intercepting aligned_alloc

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61693

--- Comment #3 from Kostya Serebryany  ---
yep, that's the plan...

[Bug sanitizer/61693] [asan] is not intercepting aligned_alloc

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61693

Kostya Serebryany  changed:

   What|Removed |Added

 Status|UNCONFIRMED |ASSIGNED
   Last reconfirmed||2014-07-04
   Assignee|unassigned at gcc dot gnu.org  |kcc at gcc dot gnu.org
 Ever confirmed|0   |1

--- Comment #1 from Kostya Serebryany  ---
Interesting. This is a relatively new c11 feature. 
On older Linux distros this does not compile nor link:

aligned_alloc.c: In function ‘main’:
aligned_alloc.c:5:3: warning: implicit declaration of function ‘aligned_alloc’
[-Wimplicit-function-declaration]
   void * p = aligned_alloc(128, 1024);
...
/tmp/ccJJcsqx.o: In function `main':
aligned_alloc.c:(.text+0x13): undefined reference to `aligned_alloc'

On Ubuntu 14.04 it behaves as you describe and indeed we need to add an
interceptor. The tricky part is to add a test that will work on older distros

[Bug sanitizer/61547] Invalid sanitization of trailing byte in __builtin_strlen

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61547

--- Comment #4 from Kostya Serebryany  ---
(In reply to Richard Biener from comment #3)
> (In reply to Kostya Serebryany from comment #2)
> > Note that in clang we chose not to instrument any builtins in compiler, 
> > but instead fully rely on interceptors.
> 
> So you never expand such builtins inline?

Not that I know of. 
LLVM has only 3 builtins like this (memset/memcpy/memmove):
http://llvm.org/docs/LangRef.html#standard-c-library-intrinsics
And asan replaces these builtins with asan's own call (e.g. __asan_memset)

[Bug sanitizer/61547] Invalid sanitization of trailing byte in __builtin_strlen

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61547

--- Comment #2 from Kostya Serebryany  ---
Note that in clang we chose not to instrument any builtins in compiler, 
but instead fully rely on interceptors.

[Bug sanitizer/61408] r205695 breaks packaging step of Firefox 24 ESR on Ubuntu Lucid building with ASan

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61408

--- Comment #12 from Kostya Serebryany  ---
I am not sure what does your bisection of LLVM/clang/compiler-rt mean
if you say that clang trunk works fine.

[Bug sanitizer/61475] Building Firefox with ASan is broken in the packaging step

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61475

--- Comment #6 from Kostya Serebryany  ---
So, clang trunk works and gcc trunk fails, right? 
Could be a miscompile by GCC.
I'd suggest to find the guilty module somehow (e.g. build all modules w/ and
w/o asan and then mix them in different proportions until you have just 
one asan-ified module and FF still fails).

(I may not get to reproducing this myself any time soon, sorry)

[Bug sanitizer/61475] Building Firefox with ASan is broken in the packaging step

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61475

--- Comment #1 from Kostya Serebryany  ---
Please
  1. try building with -static-libasan 
  2. provide full reproduction steps

[Bug sanitizer/61408] r205695 breaks packaging step of Firefox 24 ESR on Ubuntu Lucid building with ASan

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61408

--- Comment #4 from Kostya Serebryany  ---
> > LLVM trunk?
> 
> Have not tried yet. Shall I?

asan is being developed in LLVM trunk.
So if there is a bug in run-time it's better to investigate the freshest
variant in LLVM trunk
The fix will have to go there first anyway.

If the problem is in GCC instrumentation, then of course, there is no reason to
test LLVM.
But you say that the problem stared after the libsanitizer merge, so it is
likely in run-time. 

It can be a problem in FF itself or in the way you run it, of course.

[Bug sanitizer/61408] r205695 breaks packaging step of Firefox 24 ESR on Ubuntu Lucid building with ASan

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61408

--- Comment #2 from Kostya Serebryany  ---
Does this happen with GCC trunk? 
LLVM trunk?

[Bug sanitizer/61293] asan can not find left buffer overflow of new[]-allocated buffer, frontend help needed

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61293

--- Comment #2 from Kostya Serebryany  ---
(In reply to Jakub Jelinek from comment #1)
> IMNSHO you can't change the value of extra, that is an ABI issue,
> and -fsanitize=address shouldn't be an ABI changing option.  Consider:
> struct S { S (); ~S (); };
> S *foo (int n) { return new S[n]; }
> void bar (S *p) { delete [] p; }
> int main () { bar (foo (5)); }
> where bar is defined in a different compilation unit/library and something
> is built with -fsanitize=address, something is not.
> 
> If the padding before structure is at least 64-bit, sure, instrumenting the
> FE to put there an __asan_poison_memory_region call after the size is stored

yep

> there
> and in delete[] again to __asan_unpoison_memory_region before reading the
> size should not be that hard.

Yes, but a bit more preferable is to ignore the instructions
reading the size instead of calling __asan_unpoison_memory_region. 
Consider a case where the DTORs are accessing the array itself out of bounds.
(We've seen similar things!!)
That's a bit harder to implement though. 

> 
> For 32-bit code if the type doesn't need at least 64-bit alignment (again,
> alignment of the type is an ABI thing), you are out of luck I'm afraid.
Yea... We can theoretically request operator new to 
return memory that is == 4 mod 8 for these cases. 
That's a bit complicated too...



> Thus, e.g. tests for this will need to be conditionalized.

[Bug sanitizer/61293] New: asan can not find left buffer overflow of new[]-allocated buffer, frontend help needed

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61293

Bug ID: 61293
   Summary: asan can not find left buffer overflow of
new[]-allocated buffer, frontend help needed
   Product: gcc
   Version: 4.10.0
Status: UNCONFIRMED
  Severity: enhancement
  Priority: P3
 Component: sanitizer
  Assignee: unassigned at gcc dot gnu.org
  Reporter: kcc at gcc dot gnu.org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org,
timu at google dot com

asan does not detect the following case: 

TypeWithDtor *a = new TypeWithDtor[N];
a[-1] = ... 
https://code.google.com/p/address-sanitizer/issues/detail?id=314

That's because when we have new[] for a type with DTORs, 
the actual allocated size is greater.
The code looks something like this:
  extra = max(sizeof(long), alignment_of(TypeWithDtor));
  ptr = malloc(N + extra);
  *(long*)(ptr+extra-sizeof(long)) = N;
  return ptr + extra;  // must be properly aligned for TypeWithDtor

As the result, we will not detect overwrites of new[] cookie -- scary! 

I don't see how we can implement this w/o help from FE. 

First, we need to ensure alignment 8 even on 32-bits: 
  extra = max(8, alignment_of(TypeWithDtor));  

Second, we need to poison the first extra bytes.

Lastly, we need to not instrument the legitimate loads/stores of the cookie
generated by the frontend. 

All of this has to be done with the help from FE

[Bug sanitizer/61100] asan/tsan should have the sanitizer includes

[kcc at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61100

Kostya Serebryany  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |FIXED

--- Comment #4 from Kostya Serebryany  ---
Excellent, thank you!

[Bug sanitizer/61095] [4.10 Regression] miscompile: tsan is broken in gcc trunk, works in 4.9

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61095

--- Comment #11 from Kostya Serebryany  ---
ignore comment #9, everything seems to work now. 
This passes: 

make -j 40 -C gcc check-g{cc,++} 
RUNTESTFLAGS='--target_board=unix\{-m32,-m64\} tsan.exp'

[Bug sanitizer/61095] [4.10 Regression] miscompile: tsan is broken in gcc trunk, works in 4.9

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61095

--- Comment #10 from Kostya Serebryany  ---
also, just curious: are such fixes supposed to be accompanied with regression
tests?

[Bug sanitizer/61095] [4.10 Regression] miscompile: tsan is broken in gcc trunk, works in 4.9

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61095

--- Comment #9 from Kostya Serebryany  ---
I confirm that the minimized reproducer is fixed, but tsan is still crashing on
the same CHECK:

../gcc-inst/bin/g++ -g -fsanitize=thread -fPIE -pie -static-libtsan
simple_race.cc  && ./a.out 
FATAL: ThreadSanitizer CHECK failed:
../../../../gcc/libsanitizer/tsan/tsan_rtl.cc:587 "((IsShadowMem((uptr)(p +
size * kShadowCnt / kShadowCell - 1 != (0)" (0x0, 0x0)
#0 __tsan::PrintCurrentStackSlow()
../../../../gcc/libsanitizer/tsan/tsan_rtl_report.cc:710 (a.out+0x0005840c)
#1 __tsan::TsanCheckFailed(char const*, int, char const*, unsigned long
long, unsigned long long)
../../../../gcc/libsanitizer/tsan/tsan_rtl_report.cc:39 (a.out+0x000584e2)
#2 __sanitizer::CheckFailed(char const*, int, char const*, unsigned long
long, unsigned long long)
../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common.cc:74
(a.out+0x0005ea93)
#3 MemoryRangeSet ../../../../gcc/libsanitizer/tsan/tsan_rtl.cc:587
(a.out+0x0001e1d6)

Maybe there is another similar issue somewhere nearby

[Bug sanitizer/61100] New: asan/tsan should have the sanitizer includes

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61100

Bug ID: 61100
   Summary: asan/tsan should have the sanitizer includes
   Product: gcc
   Version: 4.10.0
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: sanitizer
  Assignee: unassigned at gcc dot gnu.org
  Reporter: kcc at gcc dot gnu.org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org

asan/tsan users may need to use the tool's API that is defined in headers
like  
I.e. the directory libsanitizer/include/sanitizer should be installed
together with the rest of the gcc so that  is a valid
include path

[Bug sanitizer/61095] [4.10 Regression] miscompile: tsan is broken in gcc trunk, works in 4.9

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61095

Kostya Serebryany  changed:

   What|Removed |Added

 Target||x86_64-*-*
   Target Milestone|--- |4.10.0
Summary|miscompile: tsan is broken  |[4.10 Regression]
   |in gcc trunk, works in 4.9  |miscompile: tsan is broken
   ||in gcc trunk, works in 4.9

[Bug sanitizer/61095] miscompile: tsan is broken in gcc trunk, works in 4.9

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61095

Kostya Serebryany  changed:

   What|Removed |Added

 Target|x86_64-*-*  |
   Priority|P3  |P1
   Target Milestone|4.10.0  |---
Summary|[4.10 Regression] tsan is   |miscompile: tsan is broken
   |broken in gcc trunk, works  |in gcc trunk, works in 4.9
   |in 4.9  |

--- Comment #2 from Kostya Serebryany  ---
fresh gcc optimizes away a piece of code. minimal repro:

int FOO(unsigned long addr) {
unsigned long *p = (unsigned long*)((addr & 0x83f8UL) * 4);
unsigned long xxx = (unsigned long)(p + 1);
return xxx >= 0x3c0UL;
}


gcc 4.9: 
/usr/local/gcc-4.9.0/bin/gcc -S z.c -O2  -o -  | grep -A 10 FOO:
FOO:
.LFB0:
.cfi_startproc
movabsq $-136339441844232, %rax
andq%rax, %rdi
movabsq $4123168604159, %rax
leaq8(,%rdi,4), %rdx
cmpq%rax, %rdx
seta%al
movzbl  %al, %eax
ret


trunk: 
../gcc-inst/bin/gcc -S z.c -O2  -o -  | grep -A 10 FOO:
FOO:
.LFB0:
.cfi_startproc
xorl%eax, %eax
ret

[Bug sanitizer/61095] tsan is broken in gcc trunk, works in 4.9

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61095

--- Comment #1 from Kostya Serebryany  ---
I suspect a miscompile,
at least the following patch to the libsanitizer sources fixes the problem:

--- tsan_rtl.cc (revision 210145)
+++ tsan_rtl.cc (working copy)
@@ -584,7 +584,8 @@
   if (kGoMode || size < 64*1024) {
 u64 *p = (u64*)MemToShadow(addr);
 CHECK(IsShadowMem((uptr)p));
-CHECK(IsShadowMem((uptr)(p + size * kShadowCnt / kShadowCell - 1)));
+volatile uptr xxx = (uptr)(p + size * kShadowCnt / kShadowCell - 1);
+CHECK(IsShadowMem(xxx));
 // FIXME: may overwrite a part outside the region
 for (uptr i = 0; i < size / kShadowCell * kShadowCnt;) {
   p[i++] = val;


Note the "volatile". W/o volatile tsan still crashes.

[Bug sanitizer/61095] New: tsan is broken in gcc trunk, works in 4.9

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61095

Bug ID: 61095
   Summary: tsan is broken in gcc trunk, works in 4.9
   Product: gcc
   Version: 4.10.0
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: sanitizer
  Assignee: unassigned at gcc dot gnu.org
  Reporter: kcc at gcc dot gnu.org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org

tsan seems to be broken in the current gcc trunk
(Tested r210145 on Linux ubuntu 12.04). 
gcc 4.9.0 works fine. 

There have been no recent libsanitizer merges from upstream so the problem
was likely introduced somewhere in the buildfiles, etc


% /usr/local/gcc-4.9.0/bin/g++ -g -fsanitize=thread -fPIE -pie -static-libtsan
simple_race.cc  && ./a.out 
==
WARNING: ThreadSanitizer: data race (pid=31025)
...

% ../gcc-inst/bin/g++ -g -fsanitize=thread -fPIE -pie -static-libtsan
simple_race.cc  && ./a.out 
FATAL: ThreadSanitizer CHECK failed:
../../../../gcc/libsanitizer/tsan/tsan_rtl.cc:587 "((IsShadowMem((uptr)(p +
size * kShadowCnt / kShadowCell - 1 != (0)" (0x0, 0x0)
#0 __tsan::PrintCurrentStackSlow()
../../../../gcc/libsanitizer/tsan/tsan_rtl_report.cc:710 (a.out+0x0005840c)
#1 __tsan::TsanCheckFailed(char const*, int, char const*, unsigned long
long, unsigned long long)
../../../../gcc/libsanitizer/tsan/tsan_rtl_report.cc:39 (a.out+0x000584e2)
#2 __sanitizer::CheckFailed(char const*, int, char const*, unsigned long
long, unsigned long long)
../../../../gcc/libsanitizer/sanitizer_common/sanitizer_common.cc:74
(a.out+0x0005ea93)
#3 MemoryRangeSet ../../../../gcc/libsanitizer/tsan/tsan_rtl.cc:587
(a.out+0x0001e1d6)
#4 __tsan::user_alloc(__tsan::ThreadState*, unsigned long, unsigned long,
unsigned long) ../../../../gcc/libsanitizer/tsan/tsan_mman.cc:113
(a.out+0x0005403a)
#5 calloc ../../../../gcc/libsanitizer/tsan/tsan_interceptors.cc:500
(a.out+0x0003d4d4)
#6 _dl_allocate_tls :0 (ld-linux-x86-64.so.2+0x00012074)
#7 __pthread_create_2_1 :0 (libpthread.so.0+0x8abc)
#8 pthread_create
../../../../gcc/libsanitizer/tsan/tsan_interceptors.cc:891
(a.out+0x0003b758)
#9 main /home/kcc/tmp/simple_race.cc:23 (a.out+0x00079473)
#10 __libc_start_main :0 (libc.so.6+0x0002176c)
#11  :0 (a.out+0x00010694)


% cat simple_race.cc 
#include 
int Global;
void *Thread1(void *x) {
  Global++;
  return NULL;
}
int main() {
  pthread_t t;
  pthread_create(&t, NULL, Thread1, NULL);
  Global++;
  pthread_join(t, NULL);
}
%

[Bug other/61016] use of uninitialized memory in gcc/config/i386/i386.c

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61016

Kostya Serebryany  changed:

   What|Removed |Added

 CC||hubicka at gcc dot gnu.org

--- Comment #2 from Kostya Serebryany  ---
"svn blame" tells that the uninitialized array was introduced by hubicka@: 

 45726hubicka   enum x86_64_reg_class subclasses[MAX_CLASSES];

[Bug other/61016] use of uninitialized memory in gcc/config/i386/i386.c

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61016

--- Comment #1 from Kostya Serebryany  ---
Slightly more reduced test: 


template 
struct vector {
  void resize(int, T = T()) {}
};
class UnknownField;
class UnknownFieldSet {
  void DeleteByNumber (int);
  vector < UnknownField > *fields_;
};
class UnknownField {
  long a;
  union {
void *b;
  };
};
void UnknownFieldSet::DeleteByNumber (int) {
  fields_->resize (0);
}

[Bug sanitizer/61021] [4.9 regression] libsanitizer fails to build with old glibc

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61021

--- Comment #1 from Kostya Serebryany  ---
Please send the patch to llvm-commits, we'll review it and apply it upstream
(We may not be able to do so before ~ May 5).
Then you can either wait for the next merge (we planned it for ~ mid May, but
it may take quite some time), or send it directly to gcc-patches

>> the minimum kernel/glibc requirements for libsanitizer need to be documented
>> and enforced by the configure scripts if possible.
I thought this was done. Jakub?

[Bug other/61016] New: use of uninitialized memory in gcc/config/i386/i386.c

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=61016

Bug ID: 61016
   Summary: use of uninitialized memory in gcc/config/i386/i386.c
   Product: gcc
   Version: unknown
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: other
  Assignee: unassigned at gcc dot gnu.org
  Reporter: kcc at gcc dot gnu.org
CC: eugeni.stepanov at gmail dot com

Created attachment 32715
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=32715&action=edit
z.cc

This is revision 209930 on x86_64 Linux. 

% valgrind --track-origins=yes gcc/cc1plus -quiet   z.cc-O2 -o /dev/null

==12029== Conditional jump or move depends on uninitialised value(s)
==12029==at 0xDBEF66: classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) (gcc/config/i386/i386.c:6361)
==12029==by 0xDBF2D4: classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) (gcc/config/i386/i386.c:6501)
==12029==by 0xDBA097: ix86_function_arg_advance(cumulative_args_t,
machine_mode, tree_node const*, bool) (gcc/config/i386/i386.c:6818)
==12029==by 0x92B40A: gimplify_parameters() (gcc/function.c:3624)
==12029==by 0x978AEA: gimplify_body(tree_node*, bool) (gcc/gimplify.c:8620)
==12029==by 0x9794AC: gimplify_function_tree(tree_node*)
(gcc/gimplify.c:8777)
==12029==by 0x7EBC14: analyze_function(cgraph_node*) (gcc/cgraphunit.c:649)
==12029==by 0x7EECD2: analyze_functions() (gcc/cgraphunit.c:1017)
==12029==by 0x7EEACB: finalize_compilation_unit() (gcc/cgraphunit.c:2320)
==12029==by 0x5E67D3: cp_write_global_declarations() (gcc/cp/decl2.c:4619)
==12029==by 0xB19A20: compile_file() (gcc/toplev.c:562)
==12029==by 0xB197D7: toplev_main(int, char**) (gcc/toplev.c:1914)
==12029==  Uninitialised value was created by a stack allocation
==12029==at 0xDBE920: classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) (gcc/config/i386/i386.c:6412)


The bug was initially detected by MemorySanitizer (which is a bit trickier to
use with gcc at the moment)

==5348== WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x7f265400f64d in merge_classes(x86_64_reg_class, x86_64_reg_class)
gcc/config/i386/i386.c:6361
#1 0x7f265400f64d in classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) gcc/config/i386/i386.c:6557
#2 0x7f265400dbfa in classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) gcc/config/i386/i386.c:6501
#3 0x7f2653fef8fc in examine_argument(machine_mode, tree_node const*, int,
int*, int*) gcc/config/i386/i386.c:6817
#4 0x7f2653fef8fc in function_arg_advance_64(ix86_args*, machine_mode,
tree_node const*, long, bool) gcc/config/i386/i386.c:7199
#5 0x7f2653fef8fc in ix86_function_arg_advance(cumulative_args_t,
machine_mode, tree_node const*, bool) gcc/config/i386/i386.c:7253
#6 0x7f26523a1ae1 in gimplify_parameters() gcc/function.c:3624
#7 0x7f2652594737 in gimplify_body(tree_node*, bool) gcc/gimplify.c:8620
#8 0x7f2652598479 in gimplify_function_tree(tree_node*) gcc/gimplify.c:8777
#9 0x7f2651bee7db in analyze_function(cgraph_node*) gcc/cgraphunit.c:649
#10 0x7f2651c01aa1 in analyze_functions() gcc/cgraphunit.c:1017
#11 0x7f2651c01088 in finalize_compilation_unit() gcc/cgraphunit.c:2320
#12 0x7f2650f8da6e in cp_write_global_declarations() gcc/cp/decl2.c:4619
#13 0x7f2652fa249d in compile_file() gcc/toplev.c:562
#14 0x7f2652fa06ff in do_compile() gcc/toplev.c:1914
#15 0x7f2652fa06ff in toplev_main(int, char**) gcc/toplev.c:1990
#16 0x7f26552563b3 in main gcc/main.c:36
#17 0x7f264f30276c in __libc_start_main
/build/buildd/eglibc-2.15/csu/libc-start.c:226
#18 0x7f26509f8960 in _start
(/usr/local/google/ssd/msan-gcc/inst/libexec/gcc/x86_64-unknown-linux-gnu/4.10.0/cc1plus+0x2f4960)

  Uninitialized value was created by an allocation of 'subclasses' in the stack
frame of function 'classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int)'
#0 0x7f265400a310 in classify_argument(machine_mode, tree_node const*,
x86_64_reg_class*, int) gcc/config/i386/i386.c:6412


Confirmed by printf:

Index: gcc/config/i386/i386.c
===
--- gcc/config/i386/i386.c  (revision 209930)
+++ gcc/config/i386/i386.c  (working copy)
@@ -6428,6 +6428,7 @@
   int i;
   tree field;
   enum x86_64_reg_class subclasses[MAX_CLASSES];
+  subclasses[1] = (enum x86_64_reg_class)0xab;

   /* On x86-64 we pass structures larger than 64 bytes on the stack.  */
   if (bytes > 64)
@@ -6553,8 +6554,10 @@
   bit_offset);
  if (!num)
return 0;
- for (i = 0; i < num; i++)
+ for (i = 0; i < num; i++) {
+fprintf(

[Bug sanitizer/60861] out of bounds access of global var in .rodata/.bss not detected

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60861

Kostya Serebryany  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |WORKSFORME

--- Comment #6 from Kostya Serebryany  ---
None of these is an asan bug, closing. 
Feel free to reopen if you disagree.

[Bug sanitizer/60861] out of bounds access of global var in .rodata/.bss not detected

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60861

--- Comment #1 from Kostya Serebryany  ---
Will adding "-fno-common" help? 
Or building the test as C++?

See https://code.google.com/p/address-sanitizer/wiki/Flags

[Bug sanitizer/60536] Backtrace corrupted on Firefox build with -fsanitize=address and -flto

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60536

--- Comment #13 from Kostya Serebryany  ---
> What about the "allocating memory until the OOM killer hits" issue?
> Do you think this is an asan bug?
Dunno. File a bug with more details if you think it's a bug.
I guess you can close this one.

[Bug sanitizer/60536] Backtrace corrupted on Firefox build with -fsanitize=address and -flto

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60536

--- Comment #11 from Kostya Serebryany  ---
> Sorry, but I don't have a google account and refuse to create one.
You can login to our bug tracker with any existing e-mail, 
or you can contact us via address-saniti...@googlegroups.com
or you can file a bug using the llvm bug tracker

[Bug sanitizer/60536] Backtrace corrupted on Firefox build with -fsanitize=address and -flto

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60536

--- Comment #10 from Kostya Serebryany  ---

> ==10632==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x6021ec50 at pc 0x7f3e30645dbd bp 0x7fff6d3b2a60 sp 0x7fff6d3b2a38
> READ of size 2 at 0x6021ec50 thread T0
> #0 0x7f3e30645dbc in setlocale

So, sounds like a real use-after-free in firefox

[Bug sanitizer/60536] Backtrace corrupted on Firefox build with -fsanitize=address and -flto

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60536

--- Comment #6 from Kostya Serebryany  ---

> _Unwind_Find_FDE+0x01D9 /home/markus/gcc/libgcc/unwind-dw2-fde-dip.c:462
> /home/markus/gcc/libgcc/unwind-dw2.c:1182
> _Unwind_Backtrace+0x004B /home/markus/gcc/libgcc/unwind.inc:291

Interesting. asan detects a bug and starts reporting it, then if crashes inside
the slow unwinder. 
Try the fast unwinder? 
ASAN_OPTIONS=fast_unwind_on_fatal=1

[Bug sanitizer/60536] Backtrace corrupted on Firefox build with -fsanitize=address and -flto

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60536

--- Comment #5 from Kostya Serebryany  ---

> Clang trunk cannot build Firefox with -fsanitize=address, because I get
> asan related linker errors.
To the best of my knowledge, firefox is routinely built by several different
teams using clang+asan.
Please report a separate bug at code.google.com/p/address-sanitizer/

[Bug sanitizer/60536] Backtrace corrupted on Firefox build with -fsanitize=address and -flto

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60536

--- Comment #2 from Kostya Serebryany  ---
Please symbolize the output. 
Also, does this happen with the clang version of AddressSanitizer?

[Bug sanitizer/60038] AddressSanitizer CHECK failed ... "((*tls_addr + *tls_size)) <= ((*stk_addr + *stk_size))" on CentOS 5.10

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60038

--- Comment #14 from Kostya Serebryany  ---
Landed upstream:
http://llvm.org/viewvc/llvm-project?view=revision&revision=200733
Note that the patch is slightly different from Jakub's: it uses
memory_order_relaxed.

My understanding is that now is not the best time to do full merge from
upstream,
so feel free to commit this patch to GCC separately.

[Bug sanitizer/60038] AddressSanitizer CHECK failed ... "((*tls_addr + *tls_size)) <= ((*stk_addr + *stk_size))" on CentOS 5.10

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60038

--- Comment #8 from Kostya Serebryany  ---
(In reply to Jakub Jelinek from comment #6)
>   size_t len = confstr (_CS_GNU_LIBC_VERSION, buf, sizeof buf);
>   if (strncmp (buf, "glibc 2.", 8) == 0)

Yea, such patch is even more welcome. 
I was thinking about using __gnu_get_libc_version, 
to extract the libc version numbers, but confstr (_CS_GNU_LIBC_VERSION
sounds good too.

[Bug sanitizer/60038] AddressSanitizer CHECK failed ... "((*tls_addr + *tls_size)) <= ((*stk_addr + *stk_size))" on CentOS 5.10

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60038

--- Comment #5 from Kostya Serebryany  ---
> We probably just have to fill in correct values for glibc 2.5.
This may help. A patch is welcome, please check 
https://code.google.com/p/address-sanitizer/wiki/HowToContribute

[Bug sanitizer/60038] AddressSanitizer CHECK failed ... "((*tls_addr + *tls_size)) <= ((*stk_addr + *stk_size))" on CentOS 5.10

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60038

--- Comment #4 from Kostya Serebryany  ---
> GNU C Library stable release version 2.5

2.5 is way too old. 
You may try to comment out this CHECK and see if the rest works
The main ASAN's functionality will probably not notice the lack of correct data
about TLS, but LSAN (LeakSanitizer) may start reporting false positives.

[Bug sanitizer/60038] AddressSanitizer CHECK failed ... "((*tls_addr + *tls_size)) <= ((*stk_addr + *stk_size))" on CentOS 5.10

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60038

--- Comment #1 from Kostya Serebryany  ---
I expect this also happens with the clang version of ASAN, please confirm.

This is related to the hackish way we extract stack and tls bounds,
and CentOS 5.10 may have different version of glibc or some other difference.
What is the version of glibc on your OS?

We are trying to solve it in a general way in glibc
(https://sourceware.org/bugzilla/show_bug.cgi?id=16291),
but that will not happen for the existing distros.

[Bug sanitizer/59733] [4.9 Regression] bootstrap-asan failed to bootstrap

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59733

Kostya Serebryany  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |WONTFIX

--- Comment #25 from Kostya Serebryany  ---
Even with this workaround asan is almost unusable with the buggy kernel.
I suspect that when a process has too many mappings it gets too slow.
The machine where we have our clang-asan bootstrap gets very slow and
unreliable.

We have reverted the kernel on that bot 
(http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-bootstrap/)
and reverted the above workaround in llvm trunk.
http://llvm.org/viewvc/llvm-project?rev=200217&view=rev

The kernel fix went into Linus's tree for 3.14 last week,
and was tagged for stable backport. Nothing else we could do here.

[Bug sanitizer/59733] [4.9 Regression] bootstrap-asan failed to bootstrap

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59733

Kostya Serebryany  changed:

   What|Removed |Added

 Status|NEW |ASSIGNED
   Assignee|unassigned at gcc dot gnu.org  |kcc at gcc dot gnu.org
   Target Milestone|4.9.0   |---

--- Comment #24 from Kostya Serebryany  ---
I increased the mmap granularity in sanitizer's allocator to 
allow our bot on ubuntu pre-14.04 to pass.
http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_allocator.h?r1=200197&r2=200196&pathrev=200197
Feel free to apply the same change to GCC trunk. 

Once the kernel bug is fixed and the fix reaches ubuntu 14.04 tree 
we will likely revert this change. 
There is nothing else we can do on sanitizer side -- the kernel bug 
is significant (e.g. it makes gimp crash) and so such system is unusable
for many other purposes. 

Let's keep this bug open so that we don't forget to revert the workaround.

FTR, here is a program that detects the presence of a broken kernel:

#include 
#include 
#include 
#include 
#include 
int main() {
  char *p = (char*)0x6000;
  size_t i;
  for (i = 0; i < 10; i++) {
void *addr = p + i * 4096;
void *ret = mmap(addr, 4096, PROT_WRITE | PROT_READ,
 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
if (addr != ret) {
  fprintf(stderr, "failed at iteration %zd\n", i);
  char command[100];
  snprintf(command, sizeof(command), "cat /proc/%d/maps | head -30",
getpid());
  system(command);
  return 1;
}
  }
}


On a broken kernel it will print something like this:

failed at iteration 65514
0040-00401000 r-xp  fc:00 20991316  /tmp/a.out
0060-00601000 r--p  fc:00 20991316  /tmp/a.out
00601000-00602000 rw-p 1000 fc:00 20991316  /tmp/a.out
6000-60001000 rw-p  00:00 0 
60001000-60002000 rw-p  00:00 0 
60002000-60003000 rw-p  00:00 0 
60003000-60004000 rw-p  00:00 0 
60004000-60005000 rw-p  00:00 0 
...

[Bug sanitizer/55309] gcc's address-sanitizer 66% slower than clang's

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55309

--- Comment #58 from Kostya Serebryany  ---
FTR, here are the new numbers; except for 464.h264ref looks good.
clang r199888, gcc r207025
flags: -O2 -fsanitize=address
machine: Dell 3500 (Intel(R) Xeon(R) CPU W3690  @ 3.47GHz)

   clang  gccdiff
   400.perlbench,  1286.00,-1.00,-0.00
   401.bzip2,   857.00,   940.00, 1.10
 403.gcc,   621.00,   606.00, 0.98
 429.mcf,   578.00,   574.00, 0.99
   445.gobmk,   860.00,   850.00, 0.99
   456.hmmer,   880.00,  1149.00, 1.31
   458.sjeng,   992.00,   996.00, 1.00
  462.libquantum,   492.00,   483.00, 0.98
 464.h264ref,  1274.00,  3998.00, 3.14
 471.omnetpp,   566.00,   569.00, 1.01
   473.astar,   661.00,   647.00, 0.98
   483.xalancbmk,   478.00,   491.00, 1.03
433.milc,   620.00,   611.00, 0.99
444.namd,   601.00,   528.00, 0.88
  447.dealII,   624.00,   670.00, 1.07
  450.soplex,   366.00,   389.00, 1.06
  453.povray,   430.00,   374.00, 0.87
 470.lbm,   355.00,   452.00, 1.27
 482.sphinx3,   926.00,  1108.00, 1.20

[Bug sanitizer/59733] [4.9 Regression] bootstrap-asan failed to bootstrap

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59733

--- Comment #23 from Kostya Serebryany  ---
Relevant Kernel bug: https://bugzilla.kernel.org/show_bug.cgi?id=67651

[Bug sanitizer/59733] [4.9 Regression] bootstrap-asan failed to bootstrap

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59733

--- Comment #22 from Kostya Serebryany  ---
A quick workaround would be to change 
  static const uptr kUserMapSize = 1 << 16;
in sanitizer_common/sanitizer_allocator.h
to something like 17 or 18.
We can also try using mremap. 

However I'd like to hear from kernel experts whether this is considered 
a kernel bug or a feature.

[Bug sanitizer/59733] [4.9 Regression] bootstrap-asan failed to bootstrap

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59733

--- Comment #19 from Kostya Serebryany  ---
(In reply to Kostya Serebryany from comment #18)
> eugenis@ says he sees something similar on Ubuntu 13.10.

Actually, only on Ubuntu 14.04 candidate. 
Looks like a fresh regression in Kernel.

[Bug sanitizer/59733] [4.9 Regression] bootstrap-asan failed to bootstrap

[kcc at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59733

Kostya Serebryany  changed:

   What|Removed |Added

 CC||eugeni.stepanov at gmail dot 
com

--- Comment #18 from Kostya Serebryany  ---
eugenis@ says he sees something similar on Ubuntu 13.10.