https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82517
Bug ID: 82517
Summary: use-after-scope for a variable with big alignment causes a false positive
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: marxin at gcc dot gnu.org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
Target: aarch64-linux-gnu

Considering a target with MAX_SUPPORTED_STACK_ALIGNMENT being limited, we have:

$ cat bug_1.c
static int *pp;

void baz()
{
  return;
}

void bar(int *p)
{
  *p = 1;
}

void foo(int a)
{
  if (a == 2)
    {
lab:
      baz();
      return;
    }

  if (a > 1)
    {
      int x __attribute__((aligned(256)));
      pp = &x;
      bar(&x);
      if (!x)
        goto lab;
    }
}

int main(int argc, char **argv)
{
  foo(4);
  foo(3);
}

$ gcc bug_1.c -fsanitize=address && ./a.out
=================================================================
==6958==ERROR: AddressSanitizer: stack-use-after-scope on address 0xffffcd0fe400 at pc 0x000000400a70 bp 0xffffcd0fe310 sp 0xffffcd0fe328
WRITE of size 4 at 0xffffcd0fe400 thread T0
    #0 0x400a6f in bar (/tmp/a.out+0x400a6f)
    #1 0x400ae3 in foo (/tmp/a.out+0x400ae3)
    #2 0x400b93 in main (/tmp/a.out+0x400b93)
    #3 0xffffacb5182f in __libc_start_main (/lib64/libc.so.6+0x1f82f)
    #4 0x400937 (/tmp/a.out+0x400937)

Address 0xffffcd0fe400 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-use-after-scope (/tmp/a.out+0x400a6f) in bar
Shadow bytes around the buggy address:
  0x200ff9a1fc30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ff9a1fc40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ff9a1fc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ff9a1fc60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ff9a1fc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x200ff9a1fc80:[f8]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ff9a1fc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ff9a1fca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ff9a1fcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ff9a1fcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ff9a1fcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The problem is that we don't add a stack_variable to asan_decl_vec in the else branch:

1119	  if (alignb * BITS_PER_UNIT <= MAX_SUPPORTED_STACK_ALIGNMENT)
1120	    {
1121	      base = virtual_stack_vars_rtx;
1122	      if ((asan_sanitize_stack_p ())
...
1153	          data->asan_decl_vec.safe_push (repr_decl);
...
1172	  else
1173	    {
1174	      /* Large alignment is only processed in the last pass.  */
1175	      if (pred)
...
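To check that the shadow dump in the report really describes the faulting address, here is a worked example (added here; not part of the bug report or of GCC) that maps the reported application address to its shadow byte address and decodes the f8 marker. It assumes the default 64-bit AArch64 ASan shadow offset of 1 << 36 and the usual 8:1 shadow scale; the computed shadow address matches the line ASan marks with "=>".

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Default AddressSanitizer shadow offset on 64-bit AArch64 (assumption:
   the report was produced on aarch64-linux-gnu with the default runtime). */
#define ASAN_SHADOW_OFFSET_AARCH64 (1ULL << 36)
#define ASAN_SHADOW_SCALE 3 /* one shadow byte covers 8 application bytes */

/* Address of the shadow byte describing application address 'addr'. */
uint64_t asan_shadow_addr(uint64_t addr)
{
    return (addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET_AARCH64;
}

/* Meaning of a shadow byte value, following the legend ASan prints
   below its shadow dump (only the stack/heap values a reader of this
   report is likely to meet). */
const char *asan_shadow_meaning(uint8_t sb)
{
    if (sb == 0x00) return "addressable";
    if (sb >= 0x01 && sb <= 0x07) return "partially addressable (first N bytes)";
    switch (sb) {
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone";
    case 0xf3: return "stack right redzone";
    case 0xf5: return "stack after return";
    case 0xf8: return "stack use after scope";
    case 0xfa: return "heap left redzone";
    case 0xfd: return "freed heap region";
    default:   return "other/unknown";
    }
}

int main(void)
{
    /* Values taken from the report: fault address and the byte at "=>". */
    uint64_t fault = 0xffffcd0fe400ULL;
    uint8_t marked = 0xf8;
    uint64_t shadow = asan_shadow_addr(fault);

    printf("app 0x%" PRIx64 " -> shadow 0x%" PRIx64 "\n", fault, shadow);
    printf("shadow byte 0x%02x = %s\n", marked, asan_shadow_meaning(marked));
    /* 'x' is aligned(256): the fault address is 256-byte aligned, so the
       poisoned shadow byte is the first one of the variable, as shown. */
    printf("256-byte aligned: %s\n", (fault & 0xff) == 0 ? "yes" : "no");
    return 0;
}
```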