[TySan] False positive with struct containing two lists

[tavianator]

I am trying out #76261 (commit 733b3ed). The following file

struct node {
	struct node *prev, *next;
};

struct list {
	unsigned long n;
	struct node *head, *tail;
};

void list_init(struct list *list) {
	list->n = 0;
	list->head = list->tail = 0;
}

struct lists {
	struct list foo;
	struct list bar;
};

int main(void) {
	struct lists *lists = __builtin_malloc(sizeof(*lists));
	if (lists) {
		list_init(&lists->foo);
		list_init(&lists->bar);
		for (struct node *node = lists->foo.head; node; node = node->next);
	}
	return 0;
}

gives a false positive:

tavianator@tachyon $ ~/code/llvm/llvm-project/build/bin/clang -g -fsanitize=type foo.c -o foo
tavianator@tachyon $ ./foo
==478819==ERROR: TypeSanitizer: type-aliasing-violation on address 0x5590bcd3e2a8 (pc 0x559084519178 bp 0x7ffc5c0f0100 sp 0x7ffc5c0f00a8 tid 478819)
READ of size 8 at 0x5590bcd3e2a8 with type any pointer (in lists at offset 8) accesses an existing object of type any pointer (in list at offset 8)
    #0 0x559084519177 in main /home/tavianator/code/bfs/foo.c:25:39

[gbMattN]

This seems to be the same or a similar problem raised in the TySan discourse (https://discourse.llvm.org/t/reviving-typesanitizer-a-sanitizer-to-catch-type-based-aliasing-violations/66092/23?u=gbmattn), but the current WIP patch does not work for this case.

I'll look into this and see if I can improve the patch!

[tavianator]

I did see that patch, but I thought this issues was different since there are no global variables involved. I think I understand the cause of this issue actually: malloc() returns a block of memory that is initially untyped. The two list_init() calls write to different regions of that memory, setting the dynamic type of each to struct list in the shadow. Then the region is read expecting the dynamic type to be struct lists. This is not an exact match, so the runtime is called.

I'm not sure what the right fix is, because I don't know the precise effective type rules off the top of my head. But I think the runtime should probably say the read is okay if the access type is compatible with the current dynamic type, even if the struct path is different (read: lists::list::head, shadow: list::head).

[gbMattN]

Since the fix has been merged, someone with the correct permissions can close this issue out (@goussepi ?)

[goussepi]

Since the fix has been merged, someone with the correct permissions can close this issue out (@goussepi ?)

Yes I can close.