https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114058

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Better testcase which doesn't need special options, just -O2 -fsanitize=address
will do:
_BitInt(129)
foo (void)
{
  _BitInt(129) *p;
  {
    _BitInt(129) r = 42;
    p = &r;
  }
  return *p;
}

void
bar (void)
{
  _BitInt(129) *p;
  {
    _BitInt(129) r = 42;
    p = &r;
  }
  *p = 0;
}

With s/129/127/g, we get:
  r_5 = .ASAN_POISON (); [tail call]
  return r_5;
and
  r_5 = .ASAN_POISON ();
  .ASAN_POISON_USE (r_5); [tail call]
and sanopt turns that into:
  _6 = (unsigned long) &r;
  _7 = _6 >> 3;
  _8 = _7 + 2147450880;
  _9 = (signed char *) _8;
  MEM[(short int *)_9] = -1800;
  __builtin___asan_report_load16 (&r);
  return r_5(D);
and
  _6 = (unsigned long) &r;
  _7 = _6 >> 3;
  _8 = _7 + 2147450880;
  _9 = (signed char *) _8;
  MEM[(short int *)_9] = -1800;
  __builtin___asan_report_store16 (&r);

Currently bitint lowering for large/huge _BitInt rewrites this such that the
lhs of .ASAN_POISON () is typically a VIEW_CONVERT_EXPR of a VAR_DECL and ditto
for the .ASAN_POISON_USE arguments, that is something sanopt can't handle.
But we also can't easily just poison the underlying variable at the
.ASAN_POISON () call, because the var can be reused later and we wouldn't know
where to unpoison it.
We want the use after scope accesses reported by asan.
Perhaps turn the .ASAN_POISON call into .ASAN_POISON setting some other
SSA_NAME (say limb_type), replace .ASAN_POISON_USE argument with that new
SSA_NAME, keep the associated underlying VAR_DECL uninitialized and arrange the
other SSA_NAME to be somehow used whenever using the original SSA_NAME (say,
instead of actually reading from the VAR_DECL's limbs, read from the other
var).
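
Added example, not part of the bug report or of GCC: a small C model of what the sanopt output in the comment above does for the 16-byte case, showing that the 2-byte store of -1800 writes two 0xf8 shadow bytes (ASan's stack use-after-scope marker) covering 16 bytes of r. The frame address, frame size and toy shadow array are constructed for the illustration; the shift and offset are the ones in the dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHADOW_SCALE  3               /* the ">> 3" in the dump */
#define SHADOW_OFFSET 2147450880ULL   /* 0x7fff8000, the constant added in the dump */
#define FRAME_BASE 0x7ffc12345680ULL  /* constructed, 8-byte-aligned stack address */
#define FRAME_SIZE 64                 /* constructed frame size in bytes */

/* Toy stand-in for the real shadow region: one byte per 8 frame bytes. */
static uint8_t toy_shadow[FRAME_SIZE >> SHADOW_SCALE];

/* _6.._8 in the dump: shadow address for an application address. */
uint64_t shadow_addr(uint64_t addr) { return (addr >> SHADOW_SCALE) + SHADOW_OFFSET; }

/* Map a frame address to its byte in the toy shadow array. */
uint8_t *toy_shadow_ptr(uint64_t addr) {
  return &toy_shadow[shadow_addr(addr) - shadow_addr(FRAME_BASE)];
}

/* "MEM[(short int *)_9] = -1800": one 2-byte store poisons 16 bytes. */
void poison_16(uint64_t addr) {
  int16_t v = -1800;                  /* bit pattern 0xf8f8 */
  memcpy(toy_shadow_ptr(addr), &v, sizeof v);
}

/* Shadow check: 0 = all 8 bytes valid, 1..7 = first k bytes valid,
   negative = poisoned (0xf8 marks stack use after scope). */
int access_is_poisoned(uint64_t addr, size_t size) {
  for (uint64_t a = addr; a < addr + size; a++) {
    int8_t s = (int8_t) *toy_shadow_ptr(a);
    if (s < 0 || (s > 0 && (int) (a & 7) >= s))
      return 1;
  }
  return 0;
}

int main(void) {
  uint64_t r = FRAME_BASE + 16;       /* constructed slot for the 16-byte r */
  poison_16(r);
  printf("shadow of r: %#llx -> %02x %02x\n", (unsigned long long) shadow_addr(r),
         toy_shadow_ptr(r)[0], toy_shadow_ptr(r)[1]);
  printf("16-byte access to r poisoned: %d\n", access_is_poisoned(r, 16));
  return 0;
}
```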
