[TySan] False positive related to structs in structs? #122517

Closed
seanm opened this issue Jan 10, 2025 · 7 comments
Labels
compiler-rt:tysan Type sanitizer false-positive Warning fires when it should not


seanm commented Jan 10, 2025

Maybe I'm just not using it right, or not understanding something, but OTOH TySan is new, and thus probably a bit buggy... I used creduce to create a C test case showing, I think, a false positive.

```c
typedef struct {
	int len;
	char *list;
} str_list;

typedef struct {
	str_list infiles;
	char command;
} nt_opts;

int add_string(str_list *slist) {
	(void)(slist->list);
}

int process_opts(nt_opts *opts) {
	add_string(&opts->infiles);
}

void free_opts_mem(nt_opts *nopt) {
	(void)(nopt->infiles.list); // •••TySan warns here•••
}

void main(int argc, char *argv[]) {
	nt_opts opts;
	int rv = process_opts(&opts);
	free_opts_mem(&opts);
}
```

then I run:

```
(xcrun /Users/sean/llvm/llvm-install/bin/clang -w -g -fsanitize=type test.c && ./a.out)
```

and I get:

```
==4848==ERROR: TypeSanitizer: type-aliasing-violation on address 0x00016cfc71f0 (pc 0x000102e3b690 bp 0x00016cfc6ea0 sp 0x00016cfc6620 tid 24776816)
READ of size 8 at 0x00016cfc71f0 with type p1 omnipotent char (in <anonymous type> at offset 8) accesses an existing object of type p1 omnipotent char (in <anonymous type> at offset 8)
    #0 0x000102e3b68c in free_opts_mem test.c:20
```

Aside:

  • what is an "omnipotent char"?
  • what is "type p1" referring to?

seanm commented Jan 10, 2025

@fhahn @gbMattN this may interest you.

Perhaps it is related to #120412 after all?

@EugeneZelenko EugeneZelenko added compiler-rt:tysan Type sanitizer and removed new issue labels Jan 10, 2025

seanm commented Jan 10, 2025

I forgot to say that the clang I built is from the #120412 PR.


fhahn commented Jan 10, 2025

@seanm thanks for jumping in head first, the feedback is extremely valuable. TySan is experimental at this stage, and any issues reported help a lot getting it in good shape quickly.

> what is an "omnipotent char"?
> what is "type p1" referring to?

This is the terminology Clang uses to encode the type information for LLVM, which tysan uses verbatim. We could probably try better to translate the types to something closer related to the types in source.

@fhahn fhahn added the false-positive Warning fires when it should not label Jan 10, 2025

seanm commented Jan 10, 2025

> This is the terminology Clang uses to encode the type information for LLVM, which tysan uses verbatim. We could probably try better to translate the types to something closer related to the types in source

Thanks. I've created #122522 to suggest some documentation ideas.

I think I'll have to stop playing with it for now, as best as I can tell at least 3/4 of the reports I'm seeing from TySan are variants of this reduced case. It's just too much noise for now.

Excited to try more later!
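An added triage sketch, not part of the thread or of TySan itself: it groups reports by their access-type and object-type descriptions so that one underlying cause shows up as one bucket to reduce. It parses only the report shape quoted in this issue; the second and third sample reports are constructed, and singling out reports whose two descriptions are identical is an assumption drawn from the one report shown here.

```python
import re
from collections import Counter

# Matches only the report shape quoted in this issue.
ACCESS = re.compile(
    r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ with type (.+?) "
    r"accesses an existing object of type (.+)$")
FRAME0 = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+) (\S+)$")

# First report is the one from this issue; the other two are constructed.
SAMPLE_LOG = """\
==4848==ERROR: TypeSanitizer: type-aliasing-violation on address 0x00016cfc71f0 (pc 0x000102e3b690 bp 0x00016cfc6ea0 sp 0x00016cfc6620 tid 24776816)
READ of size 8 at 0x00016cfc71f0 with type p1 omnipotent char (in <anonymous type> at offset 8) accesses an existing object of type p1 omnipotent char (in <anonymous type> at offset 8)
    #0 0x000102e3b68c in free_opts_mem test.c:20
==4848==ERROR: TypeSanitizer: type-aliasing-violation (constructed)
READ of size 8 at 0x00016cfc7200 with type p1 omnipotent char (in <anonymous type> at offset 8) accesses an existing object of type p1 omnipotent char (in <anonymous type> at offset 8)
    #0 0x000102e3b6fc in dump_opts other.c:41
==4848==ERROR: TypeSanitizer: type-aliasing-violation (constructed)
WRITE of size 4 at 0x00016cfc7210 with type float accesses an existing object of type int
    #0 0x000102e3b77c in scale_buf other.c:77
"""

def parse_reports(log):
    """Return one dict per report: kind, size, both type descriptions, top frame."""
    reports, cur = [], None
    for line in log.splitlines():
        m = ACCESS.match(line)
        if m:
            cur = dict(kind=m[1], size=int(m[2]), access=m[3],
                       existing=m[4], where=None)
            reports.append(cur)
            continue
        f = FRAME0.match(line)
        if f and cur is not None and cur["where"] is None:
            cur["where"] = f"{f[1]} {f[2]}"  # innermost frame only
    return reports

def triage(log):
    """Count reports per (access, existing) pair; list those where both match."""
    reports = parse_reports(log)
    sigs = Counter((r["access"], r["existing"]) for r in reports)
    same = [r for r in reports if r["access"] == r["existing"]]
    return sigs, same

if __name__ == "__main__":
    sigs, same = triage(SAMPLE_LOG)
    for (access, existing), n in sigs.most_common():
        print(f"{n:4d}  {access}  ->  {existing}")
    print("identical descriptions at:", [r["where"] for r in same])
```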


gbMattN commented Jan 13, 2025

> Perhaps it is related to #120412 after all?

I can reproduce this on main, and it seems it's fixed in #120412 which will be merged in as soon as the build tests pass!


seanm commented Jan 13, 2025

Confirmed fixed. That got me down from 827 ERROR: TypeSanitizer to just 61 now.

The first of the 61 looks like a false positive to me too... I'll creduce it now...


seanm commented Jan 14, 2025

> The first of the 61 looks like a false positive to me too... I'll creduce it now...

#122934

@seanm seanm closed this as completed Jan 14, 2025