Open takuro-sato opened 1 year ago
I believe this is actually a true positive: the code is buggy and ASAN correctly detects it as such. The asm has an implicit input operand (the address of `ok`), and the `rand` output operand is written before this input is consumed. Therefore, the `rand` operand needs an earlyclobber `&` modifier. Without this, it is legitimate for the compiler to use the same register for the address of `ok` as for `rand`.

The compiler can and will break such code even without ASAN. If we modify the example slightly, so that the address of operand 1 is already in `rax`, then the compiler again uses the same register for both:
```c
#include <stdint.h>

char *get_okptr();

uint64_t get_rand(void) {
    uint64_t rand;
    /* "=r" has no earlyclobber, so %0 may share a register with the address of %1 */
    asm("rdrand %0 ; setc %1" : "=r" (rand), "=m" (*get_okptr()));
    return rand;
}
```
will emit `rdrand %rax ; setb (%rax)` under both gcc and clang (using `-O3`). https://godbolt.org/z/TWdzY45Wr
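The buggy constraint beside the earlyclobber fix, as an added example that is not code from the thread or the project; `ok_flag`/`get_okptr_hyp` are hypothetical stand-ins for the thread's `ok` and `get_okptr()`, and the CPUID check and bounded retry loop are assumptions added here, not something the thread describes.

```c
#include <stdint.h>
/* Added example (not code from the issue thread): the thread's rdrand/setc
 * pattern in its buggy and fixed form. ok_flag/get_okptr_hyp are hypothetical
 * stand-ins for the thread's ok and get_okptr(). */
#if defined(__x86_64__)
#include <cpuid.h>
static char ok_flag;
static char *get_okptr_hyp(void) { return &ok_flag; }
/* Buggy: plain "=r" lets the compiler place the rdrand result in the same
 * register that holds the address of the "=m" operand, so setc may store
 * through the random value. Kept for comparison only; never called. */
uint64_t rdrand_buggy(void) {
    uint64_t r;
    __asm__ __volatile__("rdrand %0 ; setc %1" : "=r"(r), "=m"(*get_okptr_hyp()));
    return r;
}
/* Fixed: "=&r" (earlyclobber) says %0 is written before the address of %1
 * is consumed, so the compiler must give the two operands distinct registers. */
uint64_t rdrand_fixed(char *ok) {
    uint64_t r;
    __asm__ __volatile__("rdrand %0 ; setc %1" : "=&r"(r), "=m"(*ok));
    return r;
}
static int cpu_has_rdrand(void) {
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    return (ecx >> 30) & 1;  /* CPUID.01H:ECX bit 30 = RDRAND */
}
#else
/* Non-x86-64 fallback (assumption): report "unsupported" rather than fake entropy. */
static int cpu_has_rdrand(void) { return 0; }
uint64_t rdrand_fixed(char *ok) { *ok = 0; return 0; }
#endif

/* rdrand may report failure (CF=0) transiently, so retry a bounded number of
 * times. Returns 1 on success, 0 if every attempt failed, -1 if no rdrand. */
int rdrand_checked(uint64_t *out) {
    if (!cpu_has_rdrand()) return -1;
    for (int i = 0; i < 10; i++) {
        char ok = 0;
        *out = rdrand_fixed(&ok);
        if (ok) return 1;
    }
    return 0;
}
```

Compiling `rdrand_fixed` and disassembling it is the quickest check that the fix took: the `setc` store target and the `rdrand` destination should now be different registers.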
It happens on x64 machines and it looks like AddressSanitizer creates executables with invalid memory access.

Somehow the output assembly code uses the random number output of `rdrand` as a pointer, as you can see in the result of objdump. The executable without AddressSanitizer looks like this: for this case the output is used as a value, as expected.