[Bug sanitizer/79944] asan: incorrect instrumentation of atomic operations
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79944

Jakub Jelinek changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED    |RESOLVED
         Resolution|---         |FIXED

--- Comment #11 from Jakub Jelinek ---
Fixed.
--- Comment #10 from Jakub Jelinek ---
Author: jakub
Date: Tue May 30 08:13:33 2017
New Revision: 248658

URL: https://gcc.gnu.org/viewcvs?rev=248658&root=gcc&view=rev
Log:
    Backported from mainline
    2017-03-09  Jakub Jelinek

    PR sanitizer/79944
    * asan.c (get_mem_refs_of_builtin_call): For BUILT_IN_ATOMIC* and
    BUILT_IN_SYNC*, determine the access type from the size suffix and
    always build a MEM_REF with that type.  Handle forgotten
    BUILT_IN_SYNC_FETCH_AND_NAND_16 and BUILT_IN_SYNC_NAND_AND_FETCH_16.

    * c-c++-common/asan/pr79944.c: New test.

Added:
    branches/gcc-5-branch/gcc/testsuite/c-c++-common/asan/pr79944.c
Modified:
    branches/gcc-5-branch/gcc/ChangeLog
    branches/gcc-5-branch/gcc/asan.c
    branches/gcc-5-branch/gcc/testsuite/ChangeLog
--- Comment #9 from Jakub Jelinek ---
Author: jakub
Date: Fri May 5 21:40:10 2017
New Revision: 247685

URL: https://gcc.gnu.org/viewcvs?rev=247685&root=gcc&view=rev
Log:
    Backported from mainline
    2017-03-09  Jakub Jelinek

    PR sanitizer/79944
    * asan.c (get_mem_refs_of_builtin_call): For BUILT_IN_ATOMIC* and
    BUILT_IN_SYNC*, determine the access type from the size suffix and
    always build a MEM_REF with that type.  Handle forgotten
    BUILT_IN_SYNC_FETCH_AND_NAND_16 and BUILT_IN_SYNC_NAND_AND_FETCH_16.

    * c-c++-common/asan/pr79944.c: New test.

Added:
    branches/gcc-6-branch/gcc/testsuite/c-c++-common/asan/pr79944.c
Modified:
    branches/gcc-6-branch/gcc/ChangeLog
    branches/gcc-6-branch/gcc/asan.c
    branches/gcc-6-branch/gcc/testsuite/ChangeLog
--- Comment #8 from Jakub Jelinek ---
Fixed on the trunk so far.
--- Comment #7 from Jakub Jelinek ---
Author: jakub
Date: Thu Mar 9 09:20:23 2017
New Revision: 245991

URL: https://gcc.gnu.org/viewcvs?rev=245991&root=gcc&view=rev
Log:
    PR sanitizer/79944
    * asan.c (get_mem_refs_of_builtin_call): For BUILT_IN_ATOMIC* and
    BUILT_IN_SYNC*, determine the access type from the size suffix and
    always build a MEM_REF with that type.  Handle forgotten
    BUILT_IN_SYNC_FETCH_AND_NAND_16 and BUILT_IN_SYNC_NAND_AND_FETCH_16.

    * c-c++-common/asan/pr79944.c: New test.

Added:
    trunk/gcc/testsuite/c-c++-common/asan/pr79944.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/asan.c
    trunk/gcc/testsuite/ChangeLog
--- Comment #6 from Dmitry Vyukov ---
Just built the kernel with it. Boots fine and sustains some load now. Did not do any positive tests, though.
Thanks for the quick fix!
Jakub Jelinek changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                   |ASSIGNED
   Last reconfirmed|                              |2017-03-08
           Assignee|unassigned at gcc dot gnu.org |jakub at gcc dot gnu.org
     Ever confirmed|0                             |1

--- Comment #5 from Jakub Jelinek ---
Created attachment 40923
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=40923&action=edit
gcc7-pr79944.patch

Untested fix.
--- Comment #4 from Dmitry Vyukov ---
Attached second minimized reproducer. Build it with:

gcc dmaengine2.c -fsanitize=address -O2 -lasan -g

It produces:

==57662==ERROR: AddressSanitizer: unknown-crash on address 0x00601321 at pc 0x00400729 bp 0x7ffdd78835b0 sp 0x7ffdd78835a8
WRITE of size 8 at 0x00601321 thread T0
    #0 0x400728 in clear_bit /tmp/dmaengine2.c:10
    #1 0x400728 in dma_channel_table_init /tmp/dmaengine2.c:130
    #2 0x400728 in main /tmp/dmaengine2.c:207

On the following line:

__atomic_fetch_and((char *)addr + (nr / 8), (char)(~(1 << (nr % 8))), 0);

This is an access of size 1, not 8.
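To make the size mismatch in comments #2 and #4 concrete, here is an added, self-contained example (not the kernel's code and not the reporter's reproducer): a byte-granular clear_bit on a constructed 17-bit bitmap packed into 3 bytes, plus the bounds check ASan conceptually performs. With the access size taken from the pointee type (1 for char *) the write to the last bit is in bounds; an 8-byte access starting at the same byte, which is what the buggy instrumentation assumed, would run past the object and trigger the false global-out-of-bounds report.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed sample: 17 bits packed in 3 bytes, so bit 16 lives in the
 * last byte of the object.  Bit 16 starts set (0x01 in byte 2). */
#define NBITS 17
#define NBYTES ((NBITS + 7) / 8)
static unsigned char bitmap[NBYTES] = { 0xff, 0xff, 0x01 };

/* Byte-granular clear_bit in the shape of the helper quoted in comment #2.
 * The atomic's first argument points at a single byte, so the hardware
 * access, and the instrumented one, must be 1 byte wide. */
static void clear_bit(long nr, volatile unsigned char *addr)
{
    __atomic_fetch_and(addr + (nr / 8), (unsigned char)~(1u << (nr % 8)),
                       __ATOMIC_RELAXED);
}

static bool test_bit(long nr, const volatile unsigned char *addr)
{
    return (__atomic_load_n(addr + (nr / 8), __ATOMIC_RELAXED) >> (nr % 8)) & 1;
}

/* The check ASan performs on each instrumented access: does the byte range
 * [byte, byte + access_size) stay inside an object of obj_size bytes?
 * access_size is what PR 79944 corrected: it is derived from the builtin's
 * size suffix / pointee type, not from the original unsigned long pointer. */
static bool access_in_bounds(long nr, size_t access_size, size_t obj_size)
{
    size_t byte = (size_t)nr / 8;
    return byte < obj_size && access_size <= obj_size - byte;
}

/* Clears the last bit and returns its new value (0 on success). */
static int demo_clear_last_bit(void)
{
    clear_bit(NBITS - 1, bitmap);
    return test_bit(NBITS - 1, bitmap);
}

int main(void)
{
    /* A 1-byte access at bit 16 is fine; an 8-byte one would overrun. */
    return demo_clear_last_bit() == 0
        && access_in_bounds(NBITS - 1, 1, sizeof bitmap)
        && !access_in_bounds(NBITS - 1, 8, sizeof bitmap) ? 0 : 1;
}
```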
--- Comment #3 from Dmitry Vyukov ---
Created attachment 40918
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=40918&action=edit
reproducer2
--- Comment #2 from Dmitry Vyukov ---
I've shut up that bug with dest = NULL, but then I immediately got this:

BUG: KASAN: global-out-of-bounds in clear_bit include/linux/bitops_compiler.h:15 [inline]
BUG: KASAN: global-out-of-bounds in dma_channel_table_init+0x81/0x18c drivers/dma/dmaengine.c:334
Write of size 8 at addr 84d5e921 by task swapper/0/1

which looks like another bug because clear_bit is defined as:

static inline void clear_bit(long nr, volatile unsigned long *addr)
{
    __atomic_fetch_and((char *)addr + (nr / 8), ~(1 << (nr % 8)), __ATOMIC_RELAXED);
}

Unless I am missing something, the type of the first arg to __atomic_fetch_and is char* so this should be a 1 byte access.
Extracting and minimizing this is quite time consuming, so maybe you will just spot something else in that code.
--- Comment #1 from Jakub Jelinek ---
I'll have a look tomorrow.