Combination of O3 and UBSan makes seadsa crash on input analysis #128
Comments
It seems that the check in DsaLocal at line 667 is specifically made for this (sea-dsa/lib/seadsa/DsaLocal.cc, line 667 in 9d8d71a).
Here the crash is actually a load of a pointer, which is obtained from a load on a GEP null, so two levels of indirection:
It is undefined behavior, but it is present due to UBSan (sea-dsa/lib/seadsa/DsaLocal.cc, line 699 in 9d8d71a).
Probably the fix should avoid creating the null cell in the first place.
Ok, if I enable assertions with PR #131, it actually crashes on sea-dsa/lib/seadsa/DsaLocal.cc, line 623 in 9d8d71a
after printing as a warning:
It seems a bitcode file compiled with the Undefined Behavior Sanitizer and the highest optimization level (-O3) makes the seadsa analysis crash.
Environment
To Reproduce
main.cc:
And then to compile and analyze with:
seadsa crashes with the following stack trace:
This is a release version, but the tool would have crashed on:
sea-dsa/lib/seadsa/DsaLocal.cc, line 699 in 9d8d71a
Analysis
It seems that the crash is caused by the tool analysing a load instruction that accesses a
`%23 = getelementptr inbounds i8*, i8** null, i64 %22`
that has a null pointer as base. This instruction is caused by a combination of the NULL checker in UBSan (that checks the "Use of a null pointer or creation of a null reference") and the [LoopUnswitch](https://llvm.org/docs/Passes.html#loop-unswitch-unswitch-loops) pass executed by -O3 that creates the alternative slow path in the loop with the GEP using null. Notice that the program has no path in which pData may be null, but the check is still present due to UBSan.
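One way to locate this instruction pattern in a bitcode file before handing it to the analysis is to scan the textual IR for loads whose address operand leads back to a GEP with a null base, the load-on-load-on-GEP-null chain the comments above describe. The scanner below is an added example written for this page, not sea-dsa's own code; the IR fragment is constructed around the `%23` instruction quoted in the report (the surrounding instructions are assumed), and it assumes one instruction per line, SSA names of the form `%name`, and scalar element types with no commas inside the type.

```python
"""Flag loads whose address derives from a GEP with a null base in textual LLVM IR.

Added example for this issue, not sea-dsa code. It walks the textual IR and
reports the load -> load -> GEP-null chain so the offending instruction can be
found before running the analysis. Assumptions: one instruction per line, SSA
names of the form %name, and scalar element types (no commas inside the type).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed IR fragment built around the instruction quoted in the issue
# (%23). The surrounding instructions are assumed for illustration.
SAMPLE_IR = """
  %22 = zext i32 %idx to i64
  %23 = getelementptr inbounds i8*, i8** null, i64 %22
  %24 = load i8*, i8** %23, align 8
  %25 = load i8, i8* %24, align 1
  %30 = getelementptr inbounds i8*, i8** %pData, i64 %22
  %31 = load i8*, i8** %30, align 8
"""

# <dst> = getelementptr [inbounds] <elem-ty>, <ptr-ty> <base>, <indices...>
GEP_RE = re.compile(
    r'^\s*(?P<dst>%[\w.]+)\s*=\s*getelementptr\b(?:\s+inbounds)?\s+'
    r'[^,]+,\s*\S+\s+(?P<base>%[\w.]+|null)\s*,')
# <dst> = load [volatile] <ty>, <ptr-ty> <ptr>[, align N]
LOAD_RE = re.compile(
    r'^\s*(?P<dst>%[\w.]+)\s*=\s*load\b(?:\s+volatile)?\s+'
    r'[^,]+,\s*\S+\s+(?P<ptr>%[\w.]+|null)')

Def = Tuple[str, str]  # (opcode, address operand)


def parse_defs(ir_text: str) -> Dict[str, Def]:
    """Map each GEP/load result name to its opcode and address operand."""
    defs: Dict[str, Def] = {}
    for line in ir_text.splitlines():
        m = GEP_RE.match(line)
        if m:
            defs[m.group('dst')] = ('gep', m.group('base'))
            continue
        m = LOAD_RE.match(line)
        if m:
            defs[m.group('dst')] = ('load', m.group('ptr'))
    return defs


def null_gep_chain(name: str, defs: Dict[str, Def],
                   limit: int = 16) -> Optional[List[str]]:
    """Follow address operands from `name` through loads and GEPs.

    Returns the chain of SSA names ending at a GEP whose base is null, or None
    if the chain reaches an operand we cannot resolve (argument, alloca, ...).
    """
    chain = [name]
    cur = name
    for _ in range(limit):  # bounded so malformed input cannot loop forever
        if cur not in defs:
            return None
        opcode, operand = defs[cur]
        if opcode == 'gep' and operand == 'null':
            return chain
        chain.append(operand)
        cur = operand
    return None


def find_loads_from_null_gep(ir_text: str) -> Dict[str, List[str]]:
    """Return {load result: def chain} for every load rooted at a null-based GEP."""
    defs = parse_defs(ir_text)
    hits: Dict[str, List[str]] = {}
    for name, (opcode, _) in defs.items():
        if opcode != 'load':
            continue
        chain = null_gep_chain(name, defs)
        if chain is not None:
            hits[name] = chain
    return hits


def indirection_levels(chain: List[str]) -> int:
    """Number of loads between the flagged load result and the null GEP."""
    return len(chain) - 1


if __name__ == '__main__':
    for load, chain in find_loads_from_null_gep(SAMPLE_IR).items():
        print(f'{load}: {indirection_levels(chain)} level(s) of indirection via '
              + ' <- '.join(chain))
```

On the constructed fragment the scanner flags `%24` (one level, loaded directly through the null GEP) and `%25` (two levels, the pointer loaded via `%24`), while `%31`, whose GEP is based on `%pData`, is not reported. The chain walk is bounded so a malformed or self-referential input cannot spin forever.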