On 11/23/2016 03:13 PM, Jakub Jelinek wrote:
> On Wed, Nov 23, 2016 at 02:57:07PM +0100, Martin Liška wrote:
>> I started the review process in libsanitizer: https://reviews.llvm.org/D26965
>> And I have a question that was asked in the review: can we distinguish
>> between a load and a store in case of having usage of ASAN_POISON?
> I think with ASAN_POISON it is indeed just loads from after scope that can
> be caught, a store overwrites the variable with a new value and when turning
> the store after we make the var no longer addressable into SSA form, we
> lose information about the out of scope store. Furthermore, if there is
> first a store and then a read, like:
> if (argc != 12312)
> char my_char;
> ptr = &my_char;
> *ptr = i + 26;
> return *ptr;
> we don't notice even the read. Not sure what could be done against that
> though. I think we'd need to hook into the into-ssa framework, there it
> should know the current value of the variable at the point of the store is
> result of ASAN_POISON and be able to instead of turning that
> my_char = _23;
> my_char_35 = _23;
> turn it into:
> my_char_35 = ASAN_POISON (_23);
> which would represent after scope store into my_char.
> Not really familiar with into-ssa though to know where to do it.
Richi, may I ask you for help with this question?