How does address sanitizer handle read-modify-write memory access?

Konstantin Serebryany konstantin.s.serebryany@gmail.com
Fri Dec 14 09:40:00 GMT 2012


Hi Uros,

When we have code like X++ (either RMW, or a regular increment) it
is enough for asan to instrument it just once (either as a read or a
write, doesn't matter).
LLVM implementation does this optimization for regular increments,
while GCC does not (yet).

% cat inc.cc
void foo(int *a) {
  (*a)++;
}
% clang -O2 -fsanitize=address -S -o -  inc.cc | grep __asan_report
	callq	__asan_report_load4
% gcc -O2 -fsanitize=address -S -o -  inc.cc | grep __asan_report
	call	__asan_report_load4
	call	__asan_report_store4

Doing two __asan_report* calls here is not a correctness bug, but a
performance problem.
I think we saw ~3%-5% performance gain due to this optimization in
LLVM, i.e. this is nice to have, but not critical.

hth,

--kcc

On Fri, Dec 14, 2012 at 1:22 PM, Uros Bizjak <ubizjak@gmail.com> wrote:
> Hello!
>
> c-c++-common/asan/null-deref-1.c test can generate read-modify-write
> instruction ("incl 40(%eax)") when compiled with -Os. However,
> address-sanitizer only calls __asan_report_load4 in this case. With
> -O2, load of value, modification and store are different instructions,
> and address-sanitizer calls __asan_report_load4 and
> __asan_report_store4.
>
> BTW: This testcase currently fails on x32 [1], but I don't have x32
> runtime to investigate runtime failure further.
>
> [1] http://gcc.gnu.org/ml/gcc-testresults/2012-12/msg01227.html
>
> Uros.
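Konstantin's point that one check is enough for (*a)++, illustrated with an added toy model of the ASan shadow check (my example, not code from this thread, from GCC or from LLVM; the shadow layout, the 4-byte slots and the counters are constructed assumptions). It compares the two-check instrumentation GCC emitted at the time with the single-check form and shows both reject exactly the same accesses:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy ASan shadow: one int8 per 8 application bytes. 0 = all 8 bytes
 * addressable, k in 1..7 = only the first k addressable, <0 = poisoned. */
#define APP_BYTES 64
static int8_t  shadow[APP_BYTES / 8];
static int32_t app_mem[APP_BYTES / 4];  /* simulated application memory */
static int checks, reports;             /* instrumentation counters */
typedef struct { int checks, reports; unsigned accepted; } stats_t;
/* Constructed layout: bytes 0..43 addressable, 44..63 poisoned. */
static void poison_setup(void) {
    memset(shadow, 0, sizeof shadow);
    shadow[5] = 4; shadow[6] = shadow[7] = -1;
    checks = reports = 0;
}
/* The inline shadow test that guards each __asan_report_*N call. */
static int check_access(size_t off, size_t size) {
    int8_t s = shadow[off >> 3]; checks++;
    if (s == 0 || (s > 0 && (int)((off & 7) + size - 1) < s)) return 1;
    reports++; return 0;         /* would call __asan_report_{load,store}4 */
}
/* GCC-style (as of the thread): load and store instrumented separately. */
static int inc_two_checks(size_t off) {
    if (!check_access(off, 4)) return 0;         /* __asan_report_load4 */
    int32_t v = app_mem[off / 4];
    if (!check_access(off, 4)) return 0;         /* __asan_report_store4 */
    app_mem[off / 4] = v + 1;
    return 1;
}
/* LLVM-style: the RMW touches the same 4 bytes twice, so check once. */
static int inc_one_check(size_t off) {
    if (!check_access(off, 4)) return 0;
    app_mem[off / 4]++;
    return 1;
}
/* Runs a variant on every 4-byte slot; bit i of .accepted = slot i allowed. */
stats_t run_variant(int (*inc)(size_t)) {
    stats_t s = { 0, 0, 0 }; poison_setup();
    for (size_t off = 0; off < APP_BYTES; off += 4)
        if (inc(off)) s.accepted |= 1u << (off / 4);
    s.checks = checks; s.reports = reports; return s;
}
int main(void) {
    stats_t two = run_variant(inc_two_checks), one = run_variant(inc_one_check);
    printf("two checks: %d/%d  one check: %d/%d  same slots: %d\n", two.checks,
           two.reports, one.checks, one.reports, two.accepted == one.accepted);
    return 0;
}
```

With this layout the two-check variant runs 27 shadow tests and the one-check variant 16, both producing the same 5 reports on the same slots, which is the cost the thread calls a performance problem rather than a correctness bug.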
