[Bug sanitizer/113053] New: local variable misaligned with AddressSanitizer

["pobrn at protonmail dot com" <gcc-bugzilla@gcc.gnu.org>]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113053

            Bug ID: 113053
           Summary: local variable misaligned with AddressSanitizer
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: pobrn at protonmail dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

Created attachment 56895
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56895&action=edit
source code and tree/rtl dumps

Consider the following code:

#include <assert.h>
#include <stdint.h>

struct thing {
    int x[5] __attribute__((aligned(64)));
};

__attribute__((noinline))
void f(void *x)
{
    assert((uintptr_t) x % 64 == 0);
}

int main()
{
    struct thing t;
    static_assert(_Alignof(t) == 64);
    assert((uintptr_t) &t % 64 == 0);

    f(&t);
}


When compiled with `gcc -O2 -fsanitize=address`, the following assembly is
generated:


00000000000010d0 <main>:
    10d0:       55                      push   rbp
    10d1:       48 89 e5                mov    rbp,rsp
    10d4:       41 55                   push   r13
    10d6:       41 54                   push   r12
    10d8:       53                      push   rbx
    10d9:       48 83 e4 c0             and    rsp,0xffffffffffffffc0
    10dd:       48 81 ec c0 00 00 00    sub    rsp,0xc0
    10e4:       8b 05 56 30 00 00       mov    eax,DWORD PTR [rip+0x3056]      
 # 4140 <__asan_option_detect_stack_use_after_return@@Base>
    10ea:       48 8d 5c 24 20          lea    rbx,[rsp+0x20] # ?????
    10ef:       49 89 dd                mov    r13,rbx
    10f2:       85 c0                   test   eax,eax
    10f4:       0f 85 95 00 00 00       jne    118f <main+0xbf>
    10fa:       48 8d 05 df 0f 00 00    lea    rax,[rip+0xfdf]        # 20e0
<__PRETTY_FUNCTION__.0+0x40>
    1101:       49 89 dc                mov    r12,rbx
    1104:       48 c7 03 b3 8a b5 41    mov    QWORD PTR [rbx],0x41b58ab3
    110b:       48 8d 7b 20             lea    rdi,[rbx+0x20] # ?????
...
    114d:       e8 ae 01 00 00          call   1300 <f>
...
    118f:       bf 80 00 00 00          mov    edi,0x80
    1194:       e8 a7 fe ff ff          call   1040 <__asan_stack_malloc_1@plt>
    1199:       48 85 c0                test   rax,rax
    119c:       48 0f 45 d8             cmovne rbx,rax
    11a0:       e9 55 ff ff ff          jmp    10fa <main+0x2a>


Assume that stack-user-after-return detection is enabled
(`ASAN_OPTIONS=detect_stack_use_after_return=1`). In that case the jump at
0x10f4 will be taken, if __asan_stack_malloc_1 returns a 64 byte aligned
address, then the lea at 0x110b will add 32 to the address, making it not 64
byte aligned anymore.

Now confusingly, the error cannot be reproduced on the Compiler Explorer or in
the GCC docker container because the assembly is different, for example they
call `__asan_stack_malloc_2`, and there is still a +64 to get the address of
the variable, but it is done as a single step, not split up into two parts.

But this code is generated on both current Arch Linux (GCC 13.2.1 20230801),
and Ubuntu 22.04 (GCC 11.4.0-1ubuntu1~22.04). One can easily trigger this error
for example in an Arch container:

$ docker run --rm -it archlinux
# pacman -Syu gcc nano --noconfirm
# nano x.c # etc...
# gcc -O2 -fsanitize=address x.c
# ASAN_OPTIONS=detect_stack_use_after_return=1 ./a.out
a.out: x.c:11: f: Assertion `(uintptr_t) x % 64 == 0' failed.
Aborted (core dumped)


GCC on Arch Linux is configured as follows:
https://gitlab.archlinux.org/archlinux/packaging/packages/gcc/-/blob/64b6b1ded75259ba7e9311d0e5b1ab44320b92d5/PKGBUILD#L111