This is the mail archive of the
gcc-bugs@gcc.gnu.org
mailing list for the GCC project.
[Bug sanitizer/58543] Invalid unpoisoning of stack redzones on ARM
- From: "dodji at seketeli dot org" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Mon, 30 Sep 2013 10:15:32 +0000
- Subject: [Bug sanitizer/58543] Invalid unpoisoning of stack redzones on ARM
- Auto-submitted: auto-generated
- References: <bug-58543-4 at http dot gcc dot gnu dot org/bugzilla/>
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58543
--- Comment #4 from dodji at seketeli dot org <dodji at seketeli dot org> ---
Thank you for reporting this bug.
Please find my comments below,
"y.gribov at samsung dot com" <gcc-bugzilla@gcc.gnu.org> a Ãcrit:
> Prologue seems to poison words at frame_shadow_base + { 0, 4, 8, 12, 16, 24,
> 28}:
Right.
>
> add r4, r3, #536870912
> ldr r3, .L3+8
> str r3, [r4]
> ldr r3, .L3+12
> str r3, [r4, #4]
> ldr r3, .L3+16
> str r3, [r4, #8]
> ldr r3, .L3+20
> str r3, [r4, #12]
> ldr r3, .L3+16
> str r3, [r4, #16]
> ldr r3, .L3+20
> str r3, [r4, #24]
> ldr r3, .L3+24
> str r3, [r4, #28]
>
> Whereas epilogue poisons frame_shadow_base + { 0, 4, 8, 12, 16, 40, 44}:
I guess you mean *un*poison here.
> add r3, r4, #20
> .L1:
> mov r2, #0
> str r2, [r4]
> add r4, r4, #4
> cmp r4, r3
> bcc .L1
My understanding is that in the loop above, we are setting the memory
pointed to by frame_shadow_base + { 0, 4, 8, 12, 16} to zero.
And in the code below, we are preparing to set the memory pointed to by
frame_shadow_base + {24, 28} to zero.
> add r3, r4, #24 ; r3 gets invalid value here
Why is r3 invalid? It's being set to #24, so that the strb r2, [r3]
below writes a zero byte to [r4,#24].
Or what am I missing?
> mov r2, #0
> strb r2, [r3]
> add r3, r3, #1
> mov r2, #0
> strb r2, [r3]
> add r3, r3, #1
> mov r2, #0
> strb r2, [r3]
> add r3, r3, #1
> mov r2, #0
> strb r2, [r3]
> add r3, r3, #1
> mov r2, #0
> strb r2, [r3]
> add r3, r3, #1
> mov r2, #0
> strb r2, [r3]
> add r3, r3, #1
> mov r2, #0
> strb r2, [r3]
> add r3, r3, #1
> mov r2, #0
> strb r2, [r3]
>
> This causes some shadow bytes to remain set after function returns. Those may
> trigger incorrect Asan errors later.
I am guessing that you have a short and self contained example of an
asan error that is caused by a wrong epilogue. Would it be possible
that you file it so that I can understand better what is going on?
Thanks.