This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug c/69624] New: sanitize-coverage=trace-pc miscompiles kernel
- From: "jirislaby at gmail dot com" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Tue, 02 Feb 2016 14:01:28 +0000
- Subject: [Bug c/69624] New: sanitize-coverage=trace-pc miscompiles kernel
- Auto-submitted: auto-generated
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69624
Bug ID: 69624
Summary: sanitize-coverage=trace-pc miscompiles kernel
Product: gcc
Version: 6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: jirislaby at gmail dot com
Target Milestone: ---
I have
commit a8175057d14fa8ff8cc4589edf55a6855d9afdf4
Author: Dmitry Vyukov <dvyukov@google.com>
Date: Mon Nov 9 19:59:08 2015 +0100
new coverage that uses shared buffer
applied to kernel 4.4.
I am seeing crashes in netlink_bind at 0xd5dc:
d5bd: 4c 89 e2 mov %r12,%rdx
d5c0: e8 00 00 00 00 callq d5c5 <netlink_bind+0x485>
d5c1: R_X86_64_PC32 __sw_hweight32-0x4
d5c5: 03 83 d0 02 00 00 add 0x2d0(%rbx),%eax
d5cb: 48 c1 ea 03 shr $0x3,%rdx
d5cf: 41 89 c5 mov %eax,%r13d
d5d2: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
d5d9: fc ff df
d5dc: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
because rdx is 0.
rdx is fetched from r12, then __sw_hweight32 is called, which zeroes rdx, and the
(%rdx,%rax,1) dereference is then a dereference of rax == 0xdffffc0000000000, which
leads to a crash.