https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944
Bug ID: 79944
Summary: asan: incorrect instrumentation of atomic operations
Product: gcc
Version: 7.0.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: dvyukov at google dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
Target Milestone: ---

Created attachment 40915 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=40915&action=edit
reproducer

Reduced from kernel miscompilation, but reproduces with user-space asan as well.

gcc version 7.0.1 20170307 (experimental) (GCC)
Last Changed Rev: 245952
Last Changed Date: 2017-03-07 15:13:10 +0100 (Tue, 07 Mar 2017)

The program is attached. It prints:

    ==138034==ERROR: AddressSanitizer: unknown-crash on address 0x61b0000006c0 at pc 0x0000004009b0 bp 0x7ffef6db2af0 sp 0x7ffef6db2ae8
    WRITE of size 1640 at 0x61b0000006c0 thread T0
        #0 0x4009af in atomic_add /tmp/reduced-delta4.c:4
        #1 0x4009af in cpupri_set /tmp/reduced-delta4.c:34
        #2 0x4007d3 in cpupri_set /tmp/reduced-delta4.c:19
        #3 0x4007d3 in main /tmp/reduced-delta4.c:40

Note the 1640 size. It's bogus. 1640 is the size of the whole struct cpupri, but the access happens only to 'int counter'.

I've localized it to this part of get_mem_refs_of_builtin_call:

    else if (TREE_CODE (dest) == SSA_NAME || TREE_CODE (dest) == INTEGER_CST)
      dest = build2 (MEM_REF, TREE_TYPE (TREE_TYPE (dest)), dest,
                     build_int_cst (TREE_TYPE (dest), 0));

Before that line int_size_in_bytes (TREE_TYPE (dest)) == 8, after 1640.
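As an added illustration (constructed for this page; it is not attachment 40915, whose exact contents are not shown here), the following C program has the shape the stack trace names: a struct cpupri whose 4-byte counter field is the only thing an atomic_add touches, padded so that sizeof(struct cpupri) is the 1640 bytes ASan reported. The struct layout, the padding array and the function bodies are assumptions. On a compiler with correct instrumentation, -fsanitize=address stays silent on this program; the report's point is that the affected GCC revision sized the access by the pointee struct type instead of the atomic operand, which is what the sizes returned below let a reviewer compare against the "WRITE of size 1640" line. Whether this particular program triggers the miscomputed size on the affected revision depends on how GCC lowers the pointer; the attached reproducer is the authoritative one.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's struct cpupri (assumed layout, not
 * the real kernel type): the int counter comes first, and the padding array
 * brings sizeof to 1640 bytes, the size ASan reported in the bug. */
struct cpupri {
    int counter;
    int pad[409];   /* 4 + 409 * 4 == 1640 */
};

/* Kernel-style atomic_add wrapper, as named in frame #0 of the trace:
 * a 4-byte read-modify-write on *v via the GCC __atomic builtin. */
static inline void atomic_add(int i, int *v)
{
    __atomic_fetch_add(v, i, __ATOMIC_SEQ_CST);
}

/* The access the report describes: only the 4-byte counter is touched,
 * even though the pointer was derived from a 1640-byte struct. */
int cpupri_set(struct cpupri *cp, int delta)
{
    atomic_add(delta, &cp->counter);
    return cp->counter;
}

/* The two sizes a reviewer compares against the ASan report: the enclosing
 * struct (1640) versus the object the atomic actually writes (sizeof(int)). */
size_t cpupri_struct_size(void)
{
    return sizeof(struct cpupri);
}

size_t cpupri_access_size(void)
{
    return sizeof(((struct cpupri *)0)->counter);
}

/* Runs two increments on a zeroed struct and returns the final counter. */
int demo_counter(void)
{
    struct cpupri cp = {0};
    cpupri_set(&cp, 5);
    return cpupri_set(&cp, 3);
}

int main(void)
{
    printf("struct %zu bytes, atomic access %zu bytes, counter=%d\n",
           cpupri_struct_size(), cpupri_access_size(), demo_counter());
    return 0;
}
```

Build it with `gcc -O2 -fsanitize=address -g` and compare what ASan prints (if anything) with the sizes the program reports; a correct instrumentation checks 4 bytes at &cp->counter, not 1640.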