https://gcc.gnu.org/bugzilla/show_bug.cgi?id=119958
Bug ID: 119958
Summary: UBSAN: Replacing add with lea leads to false positive
Product: gcc
Version: 15.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: stefan at bytereef dot org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
Target Milestone: ---

Hi,

I can submit a somewhat chaotic test case that is difficult to make smaller and less chaotic, but if my guess is correct, the issue might be resolved by looking at the assembly snippets and this issue:

https://reviews.llvm.org/D131716

My guess is that addq is replaced by leaq, which does not clear the zero flag, leading to a jump to __ubsan_handle_type_mismatch_v1, which results in:

apitest.cc:17:43: runtime error: member call on null pointer of type 'struct Context'

Using clang++ and UBSAN does not exhibit this issue.

The relevant generated assembly of the test case (-O3 -g -fsanitize=undefined -S) is:

=================================================================
.LVL3256:
        xorl    %esi, %esi                    ### sets the zero flag
        movq    %rbx, %rax
        addq    context@gottpoff(%rip), %rax  ### add is replaced by lea
        movl    %esi, -28(%rbp)
        je      .L4844                        ### jump uses the zero flag from xor

[snip]

.L4844:
        xorl    %esi, %esi
        movl    $.Lubsan_data6185, %edi
        call    __ubsan_handle_type_mismatch_v1
=================================================================

When actually compiled with "-O3 -g -fsanitize=undefined", gdb shows that lea is used:

=================================================================
(gdb) display/i $pc
=> 0x400b21 <RealTest()-10655>: xor    %esi,%esi
=> 0x400b23 <RealTest()-10653>: mov    %rbx,%rax
=> 0x400b26 <RealTest()-10650>: lea    -0x10(%rax),%rax   ### <<== here
=> 0x400b2d <RealTest()-10643>: mov    %esi,-0x1c(%rbp)
=> 0x400b30 <RealTest()-10640>: je     0x400cbe <RealTest()-10242>
=> 0x400cbe <RealTest()-10242>: xor    %esi,%esi
=> 0x400cc0 <RealTest()-10240>: mov    $0x4176a0,%edi
=> 0x400cc5 <RealTest()-10235>: call   0x4005e0 <__ubsan_handle_type_mismatch_v1@plt>
(gdb) c
Continuing.
apitest.cc:17:43: runtime error: member call on null pointer of type 'struct Context'
=================================================================
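The flag behaviour the report hinges on, shown in isolation as an added example (this is not the reporter's test case and not GCC code). The two functions run the same instruction shape as the snippets above, `xor %esi,%esi` followed by a 64-bit add of two values, once with `add` and once with `lea`, and return the zero flag a following `je` would consult. The inline assembly assumes an x86-64 host and a GCC-compatible compiler; on other targets an explicit C model of the same flag semantics is substituted, which is an assumption noted in the code. The pointer value and the -16 displacement are made up to mirror the `lea -0x10(%rax),%rax` in the gdb trace.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Zero flag (0 or 1) that a following `je` would see after the sequence
 *     xorl %esi,%esi ; addq b, a
 * ADD writes the arithmetic flags, so ZF reflects whether a + b == 0.
 */
static int zf_after_add(int64_t a, int64_t b)
{
#if defined(__x86_64__) && defined(__GNUC__)
    int64_t acc = a;
    uint8_t zf;
    __asm__ volatile(
        "xorl  %%esi, %%esi\n\t"   /* ZF := 1, like the xor in the report */
        "addq  %[b], %[acc]\n\t"   /* ZF := (acc + b == 0) */
        "sete  %[zf]\n\t"          /* capture ZF exactly as a later je would */
        : [acc] "+r"(acc), [zf] "=q"(zf)
        : [b] "r"(b)
        : "rsi", "cc");
    return zf;
#else
    /* Assumption: on non-x86-64 hosts, model the ADD flag semantics in C. */
    return (a + b) == 0;
#endif
}

/*
 * Same sum computed with LEA instead of ADD. LEA is address arithmetic and
 * writes no flags, so ZF is still the 1 left behind by the xor regardless of
 * the result, and a `je` placed here is taken unconditionally. That is the
 * reporter's hypothesis for the spurious __ubsan_handle_type_mismatch_v1 call.
 */
static int zf_after_lea(int64_t a, int64_t b)
{
#if defined(__x86_64__) && defined(__GNUC__)
    int64_t acc;
    uint8_t zf;
    __asm__ volatile(
        "xorl  %%esi, %%esi\n\t"            /* ZF := 1 */
        "leaq  (%[a], %[b]), %[acc]\n\t"    /* acc := a + b, flags untouched */
        "sete  %[zf]\n\t"
        : [acc] "=r"(acc), [zf] "=q"(zf)
        : [a] "r"(a), [b] "r"(b)
        : "rsi", "cc");
    (void)acc;
    return zf;
#else
    (void)a; (void)b;
    /* Assumption: C model of "LEA leaves the xor's ZF=1 in place". */
    return 1;
#endif
}

int main(void)
{
    int64_t p   = 0x400000;  /* constructed non-null pointer value, like %rbx in the trace */
    int64_t off = -16;       /* the -0x10 displacement gdb shows */

    int zf_add = zf_after_add(p, off);
    int zf_lea = zf_after_lea(p, off);
    printf("add: ZF=%d, je %s\n", zf_add, zf_add ? "taken" : "not taken");
    printf("lea: ZF=%d, je %s\n", zf_lea, zf_lea ? "taken" : "not taken");
    return 0;
}
```

With a non-null pointer the `add` variant leaves ZF clear and the null-pointer branch is skipped; the `lea` variant reports ZF set for the same operands, which is the false positive in miniature. A peephole that rewrites `add` to `lea` is only sound when nothing between the rewritten instruction and the next flag-writing instruction reads the flags, which is the check the linked LLVM review adds.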