From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugs-return-492986-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Received: (qmail 10054 invoked by alias); 22 Jul 2015 07:38:12 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
Received: (qmail 9978 invoked by uid 48); 22 Jul 2015 07:38:08 -0000
From: "chefmax at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/66908] Uninitialized variable when compiled with UBsan
Date: Wed, 22 Jul 2015 07:38:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: sanitizer
X-Bugzilla-Version: unknown
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: chefmax at gcc dot gnu.org
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: mpolacek at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: cc
Message-ID: <bug-66908-4-iJiS3pOgOH@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-66908-4@http.gcc.gnu.org/bugzilla/>
References: <bug-66908-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2015-07/txt/msg01876.txt.bz2

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66908

Maxim Ostapenko <chefmax at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |chefmax at gcc dot gnu.org

--- Comment #5 from Maxim Ostapenko <chefmax at gcc dot gnu.org> ---
(In reply to Yury Gribov from comment #1)
> Looks like -fsanitize=bounds may introduce uninitialized variables when run
> after shift.

It looks like that -fsanitize=shift may introduce uninitialized variables
itself, without other checks.

For arm-linux-gnueabi target:

$ cat test.cpp

class Foo {

private:

  int a_;

public:

  Foo (int a) : a_(a) {};

  inline int get_a () { return a_; };
};

int bar (int (Foo::*get)()) {
  Foo *A = new Foo(1);
  int result = (A->*get)();
  delete (A);
  return result;
}

int main () {
  return bar (&Foo::get_a);
}

$ armv7l-tizen-linux-gnueabi-g++ -S -fsanitize=shift test.cpp
-fdump-tree-gimple

  <D.6138>
.......................
      D.6137 = get.__delta;
      D.6138 = D.6137 & 1;
      if (D.6138 == 0) goto <D.6139>; else goto <D.6140>;
  <D.6139>:
      iftmp.1 = get.__pfn;
      goto <D.6141>;
  <D.6140>:
      A.2 = A;
==>   D.6143 = get.__delta;
      D.6144 = D.6143 >> 1;
      D.6145 = (sizetype) D.6144;
      D.6146 = A.2 + D.6145;
      D.6147 = MEM[(int (*__vtbl_ptr_type) () * *)D.6146];
      D.6148 = get.__pfn; 
      D.6149 = (sizetype) D.6148;
      D.6150 = D.6147 + D.6149;
      iftmp.1 = *D.6150;
  <D.6141>:
      A.3 = A; 
==>   ????????
      D.6152 = D.6143 >> 1;
      D.6153 = (sizetype) D.6152;
      D.6154 = A.3 + D.6153;
      result = iftmp.1 (D.6154);

Here, <D.6138> => <D.6139> => <D.6141> introduces uninitialized D.6153 value
and broken *this parameter for called method.

$ armv7l-tizen-linux-gnueabi-g++ -v
Using built-in specs.
COLLECT_GCC=armv7l-tizen-linux-gnueabi-g++
COLLECT_LTO_WRAPPER=/home/max/install/armv7l-tizen/libexec/gcc/armv7l-tizen-linux-gnueabi/6.0.0/lto-wrapper
Target: armv7l-tizen-linux-gnueabi
Configured with: /home/max/src/v6/gcc/configure
--prefix=/home/max/install/armv7l-tizen --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --target=armv7l-tizen-linux-gnueabi --disable-nls
--enable-poison-system-directories
--with-pkgversion=Tizen.armv7l.GA2.2015-07-15
--with-sysroot=/home/max/install/armv7l-tizen/armv7l-tizen-linux-gnueabi/sys-root
--with-gmp=/home/max/build/v6/fake-root
--with-libelf=/home/max/build/v6/fake-root
--with-mpc=/home/max/build/v6/fake-root
--with-mpfr=/home/max/build/v6/fake-root --without-cloog --without-ppl
--with-host-libstdcxx='-static-libgcc -Wl,-Bstatic,-lstdc++,-Bdynamic -lm'
--enable-languages=c,c++,fortran --disable-libstdcxx-pch --enable-__cxa_atexit
--enable-libssp --enable-lto --enable-checking=release
--with-build-time-tools=/home/max/install/armv7l-tizen/bin --with-gnu-as
--with-gnu-ld
--with-specs='%{funwind-tables|fno-unwind-tables|mabi=*|ffreestanding|nostdlib:;:-funwind-tables}
%{!Werror=unused-local-typedefs:%{!Wno-error=unused-local-typedefs:-Wno-error=unused-local-typedefs}}
%{fuse-linker-plugin|fno-use-linker-plugin|flto|flto=*:;:-fno-use-linker-plugin}'
--disable-multilib --disable-gnu-unique-object --enable-linker-build-id
--with-mode=arm --with-fpu=neon-vfpv4 --with-cpu=cortex-a15.cortex-a7
--with-float=softfp --enable-libgomp --enable-linux-futex