This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug sanitizer/58543] Invalid unpoisoning of stack redzones on ARM

From: "dodji at seketeli dot org" <gcc-bugzilla at gcc dot gnu dot org>
To: gcc-bugs at gcc dot gnu dot org
Date: Mon, 30 Sep 2013 10:15:32 +0000
Subject: [Bug sanitizer/58543] Invalid unpoisoning of stack redzones on ARM
Auto-submitted: auto-generated
References: <bug-58543-4 at http dot gcc dot gnu dot org/bugzilla/>

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58543

--- Comment #4 from dodji at seketeli dot org <dodji at seketeli dot org> ---
Thank you for reporting this bug.

Please find my comments below,


"y.gribov at samsung dot com" <gcc-bugzilla@gcc.gnu.org> a Ãcrit:

> Prologue seems to poison words at frame_shadow_base + { 0, 4, 8, 12, 16, 24,
> 28}:

Right.

>
>   add  r4, r3, #536870912
>   ldr  r3, .L3+8
>   str  r3, [r4]
>   ldr  r3, .L3+12
>   str  r3, [r4, #4]
>   ldr  r3, .L3+16
>   str  r3, [r4, #8]
>   ldr  r3, .L3+20
>   str  r3, [r4, #12]
>   ldr  r3, .L3+16
>   str  r3, [r4, #16]
>   ldr  r3, .L3+20
>   str  r3, [r4, #24]
>   ldr  r3, .L3+24
>   str  r3, [r4, #28]
>
> Whereas epilogue poisons frame_shadow_base + { 0, 4, 8, 12, 16, 40, 44}:

I guess you mean *un*poison here.

>   add  r3, r4, #20
> .L1:
>   mov  r2, #0
>   str  r2, [r4]
>   add  r4, r4, #4
>   cmp  r4, r3
>   bcc  .L1

My understanding is that in the loop above, we are setting the memory
pointed to by frame_shadow_base + { 0, 4, 8, 12, 16} to zero.

And in the code below, we are preparing to set the memory pointed to by
frame_shadow_base + {24, 28} to zero.

>   add  r3, r4, #24   ; r3 gets invalid value here

Why is r3 invalid?  It's being set to #24, so that the strb r2, [r3]
below writes a zero byte to [r4,#24].

Or what am I missing?

>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>   add  r3, r3, #1
>   mov  r2, #0
>   strb  r2, [r3]
>
> This causes some shadow bytes to remain set after function returns. Those may
> trigger incorrect Asan errors later.

I am guessing that you have a short and self contained example of an
asan error that is caused by a wrong epilogue.  Would it be possible
that you file it so that I can understand better what is going on?

Thanks.

References:
- [Bug sanitizer/58543] New: Invalid unpoisoning of stack redzones on ARM
  - From: y.gribov at samsung dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]