steleman / address-sanitizer

Automatically exported from code.google.com/p/address-sanitizer

False negative related to atomic operations #352

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Not sure how important it is, but for what it's worth:

Racy use-after-free in the following code is never detected, as the second access to *p is not instrumented.

void foo(long *p, long *q)
{
    *p = 1;
    __atomic_store_n(q, 2, __ATOMIC_RELEASE);  // signals another thread to free(p)
    *p = *p + 1;
}

From the point of view of the analysis that we do in asan, an atomic store is equivalent to a function call.

Original issue reported on code.google.com by dvyu...@google.com on 9 Oct 2014 at 8:53
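To make the reasoning in the report concrete, here is a small model of the per-basic-block analysis it refers to (an added illustration written for this page, not LLVM's AddressSanitizer source): an access whose address was already checked earlier in the block gets no new shadow check, and a call empties that set because the callee may have freed the memory. The `atomic_is_barrier` flag (a name assumed here) makes an atomic store empty the set too, which is what "equivalent to a function call" asks for.

```c
/* Simplified model of ASan's per-basic-block "already checked" rule:
 * a repeated access to a checked address is not re-instrumented, and a
 * call clears the set.  Illustration for this page, not LLVM code. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum op { OP_LOAD, OP_STORE, OP_ATOMIC_STORE, OP_CALL };

struct inst {
    enum op kind;
    const char *addr;   /* symbolic address operand; NULL for OP_CALL */
};

/* Number of accesses in bb[0..n) that receive a shadow check.  With
 * atomic_is_barrier false (the reported behaviour) an atomic store is
 * just another access; with true it also empties the set, i.e. it is
 * treated like a call, as the report suggests. */
int count_checks(const struct inst *bb, size_t n, bool atomic_is_barrier)
{
    const char *checked[16];
    size_t nchecked = 0;
    int checks = 0;

    for (size_t i = 0; i < n; i++) {
        if (bb[i].kind == OP_CALL ||
            (bb[i].kind == OP_ATOMIC_STORE && atomic_is_barrier))
            nchecked = 0;   /* callee or another thread may free anything */
        if (bb[i].kind == OP_CALL)
            continue;       /* a call is not itself a memory access */
        bool seen = false;
        for (size_t j = 0; j < nchecked && !seen; j++)
            seen = strcmp(checked[j], bb[i].addr) == 0;
        if (seen)
            continue;       /* check elided: this is the false negative */
        checks++;
        if (nchecked < 16)
            checked[nchecked++] = bb[i].addr;
    }
    return checks;
}

/* foo() from the report as one basic block: *p = 1; atomic store to q;
 * then *p = *p + 1, i.e. a load of *p followed by a store to *p. */
const struct inst foo_bb[] = {
    { OP_STORE, "p" }, { OP_ATOMIC_STORE, "q" },
    { OP_LOAD, "p" },  { OP_STORE, "p" },
};
const size_t foo_len = sizeof foo_bb / sizeof foo_bb[0];
```

With the reported behaviour only the first store to *p and the atomic store to q are checked (2 checks); treating the atomic store as a barrier re-instruments the load of *p (3 checks).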

GoogleCodeExporter commented 9 years ago
You meant false negative?

Original comment by timurrrr@google.com on 10 Oct 2014 at 11:25

GoogleCodeExporter commented 9 years ago
Yes, fixed, thanks.
I've tried to come up with a scenario where atomic loads or stores lead to false positives, but failed.

Original comment by dvyu...@google.com on 10 Oct 2014 at 11:29