[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations

2017-05-30 Thread jakub at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

Jakub Jelinek  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #11 from Jakub Jelinek  ---
Fixed.

[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations

2017-05-30 Thread jakub at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

--- Comment #10 from Jakub Jelinek  ---
Author: jakub
Date: Tue May 30 08:13:33 2017
New Revision: 248658

URL: https://gcc.gnu.org/viewcvs?rev=248658&root=gcc&view=rev
Log:
Backported from mainline
2017-03-09  Jakub Jelinek  

PR sanitizer/79944
* asan.c (get_mem_refs_of_builtin_call): For BUILT_IN_ATOMIC* and
BUILT_IN_SYNC*, determine the access type from the size suffix and
always build a MEM_REF with that type.  Handle forgotten
BUILT_IN_SYNC_FETCH_AND_NAND_16 and BUILT_IN_SYNC_NAND_AND_FETCH_16.

* c-c++-common/asan/pr79944.c: New test.

Added:
branches/gcc-5-branch/gcc/testsuite/c-c++-common/asan/pr79944.c
Modified:
branches/gcc-5-branch/gcc/ChangeLog
branches/gcc-5-branch/gcc/asan.c
branches/gcc-5-branch/gcc/testsuite/ChangeLog

[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations

2017-05-05 Thread jakub at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

--- Comment #9 from Jakub Jelinek  ---
Author: jakub
Date: Fri May  5 21:40:10 2017
New Revision: 247685

URL: https://gcc.gnu.org/viewcvs?rev=247685&root=gcc&view=rev
Log:
Backported from mainline
2017-03-09  Jakub Jelinek  

PR sanitizer/79944
* asan.c (get_mem_refs_of_builtin_call): For BUILT_IN_ATOMIC* and
BUILT_IN_SYNC*, determine the access type from the size suffix and
always build a MEM_REF with that type.  Handle forgotten
BUILT_IN_SYNC_FETCH_AND_NAND_16 and BUILT_IN_SYNC_NAND_AND_FETCH_16.

* c-c++-common/asan/pr79944.c: New test.

Added:
branches/gcc-6-branch/gcc/testsuite/c-c++-common/asan/pr79944.c
Modified:
branches/gcc-6-branch/gcc/ChangeLog
branches/gcc-6-branch/gcc/asan.c
branches/gcc-6-branch/gcc/testsuite/ChangeLog

[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations

2017-03-09 Thread jakub at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

--- Comment #8 from Jakub Jelinek  ---
Fixed on the trunk so far.

[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations

2017-03-09 Thread jakub at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

--- Comment #7 from Jakub Jelinek  ---
Author: jakub
Date: Thu Mar  9 09:20:23 2017
New Revision: 245991

URL: https://gcc.gnu.org/viewcvs?rev=245991&root=gcc&view=rev
Log:
PR sanitizer/79944
* asan.c (get_mem_refs_of_builtin_call): For BUILT_IN_ATOMIC* and
BUILT_IN_SYNC*, determine the access type from the size suffix and
always build a MEM_REF with that type.  Handle forgotten
BUILT_IN_SYNC_FETCH_AND_NAND_16 and BUILT_IN_SYNC_NAND_AND_FETCH_16.

* c-c++-common/asan/pr79944.c: New test.

Added:
trunk/gcc/testsuite/c-c++-common/asan/pr79944.c
Modified:
trunk/gcc/ChangeLog
trunk/gcc/asan.c
trunk/gcc/testsuite/ChangeLog

[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations

2017-03-08 Thread dvyukov at google dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

--- Comment #6 from Dmitry Vyukov  ---
Just built kernel with it. Boots fine and sustains some load now.
Did not do any positive tests, though.
Thanks for the quick fix!

[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations

2017-03-08 Thread jakub at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

Jakub Jelinek  changed:

   What|Removed |Added

 Status|UNCONFIRMED |ASSIGNED
   Last reconfirmed||2017-03-08
   Assignee|unassigned at gcc dot gnu.org  |jakub at gcc dot gnu.org
 Ever confirmed|0   |1

--- Comment #5 from Jakub Jelinek  ---
Created attachment 40923
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=40923&action=edit
gcc7-pr79944.patch

Untested fix.

[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations

2017-03-07 Thread dvyukov at google dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

--- Comment #4 from Dmitry Vyukov  ---
Attached second minimized reproducer.
Build it with:
gcc dmaengine2.c -fsanitize=address -O2 -lasan -g

It produces:

==57662==ERROR: AddressSanitizer: unknown-crash on address 0x00601321 at pc
0x00400729 bp 0x7ffdd78835b0 sp 0x7ffdd78835a8
WRITE of size 8 at 0x00601321 thread T0
#0 0x400728 in clear_bit /tmp/dmaengine2.c:10
#1 0x400728 in dma_channel_table_init /tmp/dmaengine2.c:130
#2 0x400728 in main /tmp/dmaengine2.c:207

On the following line:

  __atomic_fetch_and((char *)addr + (nr / 8), (char)(~(1 << (nr % 8))), 0);

This is access of size 1, not 8.
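
The byte-sized access described above, as an added example that is not the reporter's attached reproducer: clear_bit/set_bit built on the same __atomic_fetch_and/__atomic_fetch_or pattern, run against a constructed 9-byte global whose last byte is the target, with helpers that count how many bytes the atomic actually modified. The names clear_bit_byte, set_bit_byte and table are this example's own assumptions; on a GCC carrying the r245991 fix it compiles clean with -fsanitize=address, whereas the instrumentation in this report checked the same store as an 8-byte write.

```c
#include <stdio.h>
#include <string.h>

/* Same shape as the reporter's clear_bit(): the builtin's first argument is
   a char *, so the atomic read-modify-write covers exactly one byte. */
static inline void clear_bit_byte(long nr, volatile void *addr)
{
    __atomic_fetch_and((volatile char *)addr + (nr / 8),
                       (char)~(1 << (nr % 8)), __ATOMIC_RELAXED);
}

static inline void set_bit_byte(long nr, volatile void *addr)
{
    __atomic_fetch_or((volatile char *)addr + (nr / 8),
                      (char)(1 << (nr % 8)), __ATOMIC_RELAXED);
}

/* Constructed 9-byte global: byte 8 is its last byte.  Checking a clear of
   bits 64..71 as an 8-byte write would extend 7 bytes past the object. */
static unsigned char table[9];

/* Fill table with 0xff, clear bit nr, return how many bytes changed
   (1 for a correct byte-sized access). */
int bytes_changed_by_clear_bit(long nr)
{
    unsigned char before[sizeof table];
    int changed = 0;
    memset(table, 0xff, sizeof table);
    memcpy(before, table, sizeof table);
    clear_bit_byte(nr, table);
    for (size_t i = 0; i < sizeof table; i++)
        changed += before[i] != table[i];
    return changed;
}

/* Zero table, set bit nr, return the affected byte: 1 << (nr % 8). */
unsigned char byte_after_set_bit(long nr)
{
    memset(table, 0, sizeof table);
    set_bit_byte(nr, table);
    return table[nr / 8];
}

int main(void)
{
    printf("clear_bit(71) changed %d byte(s)\n", bytes_changed_by_clear_bit(71));
    return 0;
}
```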

[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations

2017-03-07 Thread dvyukov at google dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

--- Comment #3 from Dmitry Vyukov  ---
Created attachment 40918
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=40918&action=edit
reproducer2

[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations

2017-03-07 Thread dvyukov at google dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

--- Comment #2 from Dmitry Vyukov  ---
I've shut up that bug with dest = NULL, but then I immediately got this:

BUG: KASAN: global-out-of-bounds in clear_bit
include/linux/bitops_compiler.h:15 [inline]
BUG: KASAN: global-out-of-bounds in dma_channel_table_init+0x81/0x18c
drivers/dma/dmaengine.c:334
Write of size 8 at addr 84d5e921 by task swapper/0/1

which looks like another bug because clear_bit is defined as:

static inline void
clear_bit(long nr, volatile unsigned long *addr)
{
__atomic_fetch_and((char *)addr + (nr / 8), ~(1 << (nr % 8)),
__ATOMIC_RELAXED);
}

Unless I am missing something, the type of the first arg to __atomic_fetch_and is
char* so this should be a 1 byte access.

Extracting and minimizing this is quite time consuming, so maybe you will just
spot something else in that code.

[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations

2017-03-07 Thread jakub at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

--- Comment #1 from Jakub Jelinek  ---
I'll have a look tomorrow.