From d8ed43c1f8e29cfe63ebd7c40a76715c9c644522 Mon Sep 17 00:00:00 2001
From: marxin <mliska@suse.cz>
Date: Tue, 25 Oct 2016 13:29:47 +0200
Subject: [PATCH] Fix not caught use-after-scope with -O1 (PR sanitize/78106)
gcc/ChangeLog:
2016-10-25 Martin Liska <mliska@suse.cz>
PR sanitizer/78106
* sanopt.c (imm_dom_path_with_freeing_call): Handle gasm
statements, as they may also contain a freeing call.
gcc/testsuite/ChangeLog:
2016-10-25 Martin Liska <mliska@suse.cz>
PR sanitizer/78106
* gcc.dg/asan/pr78106.c: New test.
---
gcc/sanopt.c | 6 +++++-
gcc/testsuite/gcc.dg/asan/pr78106.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 39 insertions(+), 1 deletion(-)
create mode 100644 gcc/testsuite/gcc.dg/asan/pr78106.c
@@ -211,8 +211,12 @@ imm_dom_path_with_freeing_call (basic_block bb, basic_block dom)
for (gsi = gsi_start_bb (e->src); !gsi_end_p (gsi); gsi_next (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
+ gasm *asm_stmt;
- if (is_gimple_call (stmt) && !nonfreeing_call_p (stmt))
+ if ((is_gimple_call (stmt) && !nonfreeing_call_p (stmt))
+ || ((asm_stmt = dyn_cast <gasm *> (stmt))
+ && (gimple_asm_clobbers_memory_p (asm_stmt)
+ || gimple_asm_volatile_p (asm_stmt))))
{
pred_info->has_freeing_call_p = true;
break;
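Review bot: The widened condition in the statement loop of imm_dom_path_with_freeing_call carries no comment saying why an asm statement now counts as a freeing call, while the flag it sets is still named `has_freeing_call_p`. Since a wrong answer here lets a later ASan check be dropped and a use-after-free go unreported, I would state the reasoning above the `if`: `/* An asm volatile or an asm with a "memory" clobber may release memory, so treat it like a freeing call.  */`. The assignment buried in the condition would also read more plainly as `gasm *asm_stmt = dyn_cast <gasm *> (stmt);` on the declaration line, with the second operand becoming `|| (asm_stmt && (...))`. The function body starts and ends outside this hunk.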
new file mode 100644
@@ -0,0 +1,34 @@
+/* PR sanitizer/78106 */
+/* { dg-do run } */
+/* { dg-options "-fsanitize=address" } */
+/* { dg-shouldfail "asan" } */
+
+int *variable;
+
+void __attribute__((used)) release()
+{
+ __builtin_free (variable);
+}
+
+int main2(int argc)
+{
+ *variable = 2;
+
+ if (argc <= 5)
+ asm volatile ("call release");
+
+ *variable = 2;
+ __builtin_abort ();
+
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ variable = __builtin_malloc (sizeof(int));
+ return main2(argc);
+}
+
+/* { dg-output "ERROR: AddressSanitizer:? heap-use-after-free on address.*(\n|\r\n|\r)" } */
+/* { dg-output "WRITE of size 4 at.*" } */
+/* { dg-output " #0 0x\[0-9a-f\]+ +in _*main2 .*" } */
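Review bot: The `asm volatile ("call release");` in main2 is x86 assembly, but `/* { dg-do run } */` has no target selector, so the test will presumably fail to assemble on other targets instead of being reported as unsupported. I would restrict it with `/* { dg-do run { target { i?86-*-* x86_64-*-* } } } */`. The asm also declares no clobbers although the called function is free to overwrite call-clobbered registers. If the compiler keeps `variable` in such a register across the asm, the second store may fault on an unrelated address rather than produce the expected heap-use-after-free report, so a short comment noting that the missing "memory" clobber is deliberate would help a later reader.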
--
2.10.1