How does address sanitizer handle read-modify-write memory access?

Konstantin Serebryany
Fri Dec 14 09:40:00 GMT 2012

Hi Uros,

When we have code like X++ (either RMW, or a regular increment) it
is enough for asan to instrument it just once (either as a read or a
write, doesn't matter).
The LLVM implementation does this optimization for regular increments,
while GCC does not (yet).

% cat
void foo(int *a) {
% clang -O2 -fsanitize=address -S -o - | grep __asan_report
	callq	__asan_report_load4
% gcc -O2 -fsanitize=address -S -o - | grep __asan_report
	call	__asan_report_load4
	call	__asan_report_store4

Doing two __asan_report* calls here is not a correctness bug, but a
performance problem.
I think we saw a ~3%-5% performance gain due to this optimization in
LLVM, i.e. this is nice to have, but not critical.



On Fri, Dec 14, 2012 at 1:22 PM, Uros Bizjak <> wrote:
> Hello!
> c-c++-common/asan/null-deref-1.c test can generate read-modify-write
> instruction ("incl 40(%eax)") when compiled with -Os. However,
> address-sanitizer only calls __asan_report_load4 in this case. With
> -O2, load of value, modification and store are different instructions,
> and address-sanitizer calls __asan_report_load4 and
> __asan_report_store4.
> BTW: This testcase currently fails on x32 [1], but I don't have an x32
> runtime to investigate the runtime failure further.
> [1]
> Uros.

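Konstantin's point, that the load check and the store check of an `(*a)++` are the same predicate on the same address and size, can be seen in a small model of ASan's shadow encoding. The following is an added example written for this page, not code from LLVM, GCC or the ASan runtime. It assumes a constructed 64-byte simulated heap holding one 12-byte object followed by redzone, uses -1 for every poisoned granule where the real runtime distinguishes redzone kinds, and indexes a flat shadow array by heap offset instead of the real `(addr >> 3) + Offset` mapping; the two instrumentation strategies and the check counter are illustrative names, not compiler internals.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shadow encoding as in the real ASan runtime: one shadow byte per 8-byte
   granule. 0 = all 8 bytes addressable, k in 1..7 = only the first k bytes,
   negative = poisoned. Assumption for this model: a flat shadow array
   indexed by heap offset, and -1 for every kind of redzone. */
#define HEAP_SIZE 64
#define OBJ_SIZE 12   /* constructed object: 12 usable bytes, then redzone */

static uint8_t heap[HEAP_SIZE];
static int8_t shadow[HEAP_SIZE / 8];
static unsigned checks_performed;   /* counts simulated __asan_report* checks */

/* Place one OBJ_SIZE-byte object at offset 0 and poison everything after it. */
static void setup_heap(void) {
    memset(heap, 0, sizeof heap);
    checks_performed = 0;
    for (size_t g = 0; g < HEAP_SIZE / 8; g++) {
        size_t start = g * 8;
        if (start + 8 <= OBJ_SIZE)  shadow[g] = 0;                        /* full */
        else if (start < OBJ_SIZE)  shadow[g] = (int8_t)(OBJ_SIZE - start); /* partial */
        else                        shadow[g] = -1;                       /* redzone */
    }
}

/* Fast-path check for an access of `size` (<= 8) bytes at `off`; true means
   "report". As in the real fast path only the granule holding the first byte
   is consulted, so an unaligned access straddling into a poisoned neighbour
   can be missed; that limitation is inherited by both strategies below. */
static bool asan_check(size_t off, size_t size) {
    checks_performed++;
    int8_t k = shadow[off >> 3];
    if (k == 0) return false;
    if (k < 0) return true;
    return (off & 7) + size - 1 >= (size_t)k;
}

/* GCC-style at the time of the mail: load and store of (*a)++ are each
   instrumented. Real ASan aborts on a failing check; here we return true
   without touching memory. */
static bool increment_checked_twice(size_t off) {
    if (asan_check(off, 4)) return true;        /* __asan_report_load4 */
    int32_t v;
    memcpy(&v, heap + off, 4);
    v++;
    if (asan_check(off, 4)) return true;        /* __asan_report_store4 */
    memcpy(heap + off, &v, 4);
    return false;
}

/* LLVM-style: same address and size for load and store, so one check. */
static bool increment_checked_once(size_t off) {
    if (asan_check(off, 4)) return true;        /* single __asan_report_load4 */
    int32_t v;
    memcpy(&v, heap + off, 4);
    v++;
    memcpy(heap + off, &v, 4);
    return false;
}

struct rmw_result {
    bool twice_reports, once_reports;
    unsigned twice_checks, once_checks;
};

/* Run both strategies on a fresh heap; returns what each reported and how
   many checks each executed. */
static struct rmw_result compare_strategies(size_t off) {
    struct rmw_result r;
    setup_heap();
    r.twice_reports = increment_checked_twice(off);
    r.twice_checks = checks_performed;
    setup_heap();
    r.once_reports = increment_checked_once(off);
    r.once_checks = checks_performed;
    return r;
}

/* True if the two strategies report exactly the same 4-byte increments at
   every offset of the simulated heap, i.e. the single check loses nothing. */
static bool strategies_agree_everywhere(void) {
    for (size_t off = 0; off + 4 <= HEAP_SIZE; off++) {
        struct rmw_result r = compare_strategies(off);
        if (r.twice_reports != r.once_reports) return false;
    }
    return true;
}

int main(void) {
    size_t probes[] = {0, 8, 10, 16};   /* in-bounds, partial-ok, partial-bad, redzone */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct rmw_result r = compare_strategies(probes[i]);
        printf("off=%2zu  twice: %s (%u checks)  once: %s (%u checks)\n",
               probes[i], r.twice_reports ? "report" : "ok", r.twice_checks,
               r.once_reports ? "report" : "ok", r.once_checks);
    }
    printf("agree everywhere: %s\n", strategies_agree_everywhere() ? "yes" : "no");
    return 0;
}
```

Compile with `cc -std=c99 asan_rmw.c && ./a.out`. The single-check strategy executes one check per in-bounds increment where the two-check strategy executes two, and both report the same offsets (the access at offset 10 runs past the 12-byte object, offset 16 is redzone), which is why merging the two calls is a performance change and not a correctness one.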