https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110442
Bug ID: 110442
Summary: IFUNC resolvers which use __builtin_cpu_supports crash
with -fsanitize=address
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: fw at gcc dot gnu.org
Target Milestone: ---
With -O2 -fsanitize=address, this code:
“
#include <stdio.h>
void
f1 (void)
{
puts ("f1");
}
void
f2 (void)
{
puts ("f2");
}
void *
resolve (void)
{
__builtin_cpu_init ();
if (__builtin_cpu_supports ("f16c"))
return f1;
else
return f2;
}
void f (void) __attribute__ ((ifunc ("resolve")));
int
main (void)
{
f ();
}
”
In the store to the shadow mapping:
Dump of assembler code for function resolve:
0x0000000000402320 <+0>: sub $0x8,%rsp
0x0000000000402324 <+4>: call 0x4010f0 <__cpu_indicator_init>
0x0000000000402329 <+9>: mov $0x4050f0,%eax
0x000000000040232e <+14>: shr $0x3,%rax
=> 0x0000000000402332 <+18>: movzbl 0x7fff8000(%rax),%eax
0x0000000000402339 <+25>: test %al,%al
0x000000000040233b <+27>: je 0x402341 <resolve+33>
0x000000000040233d <+29>: cmp $0x3,%al
[…]
This happens because with IRELATIVE relocations (or BIND_NOW), IFUNC resolvers
run early, before libasan had a chance to set up the shadow mapping.
Setting the component to the C front-end because the ifunc function attribute
probably needs to be changed to imply no_sanitize_address. IFUNC resolvers are
not supposed to call functions (although it works in some cases on x86), so I
think this would really help building random code with -fsanitize=address.
(In theory, if libasan were an audit module, it would be possible to set up the
mapping before relocation, but that's a change that seems unlikely to happen.)
