
Interpreter backend: Fix asan and tsan in interpreter_optimizer.hh #309

Closed
wants to merge 2 commits into from

Conversation

kmatheussen
Contributor

@kmatheussen kmatheussen commented Apr 9, 2019

Foremost a fix for asan, but even tsan complains (see below).

But maybe both NDEBUG and !NDEBUG should use "INST2 (*(cur+1))"? It's not so pretty reading past allocated memory, although a combination of the c compiler optimizing it out and the memory after allocation is readable anyway, probably makes it safe.

WARNING: ThreadSanitizer: heap-use-after-free (pid=22570)
  Read of size 8 at 0x7b04000a2b40 by thread T21 (mutexes: write M392):
    #0 FBCInstructionOptimizer<float>::optimize_aux(FBCBlockInstruction<float>*, FBCInstructionOptimizer<float>&) /home/kjetil/faust/compiler/generator/interpreter/interpreter_optimizer.hh:1164:45 (radium_linux.bin+0x17f811f)
    #1 FBCInstructionOptimizer<float>::optimize(FBCBlockInstruction<float>*, FBCInstructionOptimizer<float>&) /home/kjetil/faust/compiler/generator/interpreter/interpreter_optimizer.hh:1203:45 (radium_linux.bin+0x17f5928)
    #2 FBCInstructionOptimizer<float>::optimizeBlock(FBCBlockInstruction<float>*, int, int) /home/kjetil/faust/compiler/generator/interpreter/interpreter_optimizer.hh:1286:21 (radium_linux.bin+0x17f3d95)
    #3 interpreter_dsp_factory_aux<float, 0>::optimize() /home/kjetil/faust/compiler/generator/interpreter/interpreter_dsp_aux.hh:156:36 (radium_linux.bin+0x191f59d)
    #4 interpreter_dsp_aux<float, 0>::interpreter_dsp_aux(interpreter_dsp_factory_aux<float, 0>*) /home/kjetil/faust/compiler/generator/interpreter/interpreter_dsp_aux.hh:667:19 (radium_linux.bin+0x191f120)
    #5 interpreter_dsp_factory_aux<float, 0>::createDSPInstance(dsp_factory*) /home/kjetil/faust/compiler/generator/interpreter/interpreter_dsp_aux.hh:1286:38 (radium_linux.bin+0x191d379)
    #6 interpreter_dsp_factory::createDSPInstance() /home/kjetil/faust/compiler/generator/interpreter/interpreter_dsp_aux.cpp:88:26 (radium_linux.bin+0x1bbe061)
    #7 (anonymous namespace)::FFF_Thread::create_reply_data((anonymous namespace)::FFF_Reply&) /home/kjetil/radium/audio/Faust_factory_factory.cpp:312:34 (radium_linux.bin+0x12a3dc1)
    #8 (anonymous namespace)::FFF_Thread::create_reply(QString, QString, int, (anonymous namespace)::FFF_Reply&) /home/kjetil/radium/audio/Faust_factory_factory.cpp:417:23 (radium_linux.bin+0x12a17f5)
    #9 (anonymous namespace)::FFF_Thread::run() /home/kjetil/radium/audio/Faust_factory_factory.cpp:485:13 (radium_linux.bin+0x12a131c)
    #10 <null> <null> (libQt5Core.so.5+0xac60b)

@kmatheussen
Contributor Author

I get a lot of compilation errors like the one below now, but I don't think it's related to this commit.

/home/kjetil/faust_dev/compiler/generator/sharing.cpp
In file included from /home/kjetil/faust_dev/compiler/generator/interpreter/fbc_cpp_compiler.hh:31:0,
                 from /home/kjetil/faust_dev/compiler/generator/interpreter/interpreter_dsp_aux.hh:40,
                 from /home/kjetil/faust_dev/compiler/generator/interpreter/interpreter_dsp_aux.cpp:22:
/home/kjetil/faust_dev/compiler/generator/interpreter/fbc_interpreter.hh: In member function ‘virtual void FBCInterpreter<T, TRACE>::ExecuteBlock(FBCBlockInstruction<T>*, bool)’:
/home/kjetil/faust_dev/compiler/generator/interpreter/fbc_interpreter.hh:866:53: error: there are no arguments to ‘__builtin_sadd_overflow’ that depend on a template parameter, so a declaration of ‘__builtin_sadd_overflow’ must be available [-fpermissive]
             if (__builtin_sadd_overflow(v1, v2, &res)) {
                                                     ^
/home/kjetil/faust_dev/compiler/generator/interpreter/fbc_interpreter.hh:866:53: note: (if you use ‘-fpermissive’, G++ will accept your code, but allowing the use of an undeclared name is deprecated)
/home/kjetil/faust_dev/compiler/generator/interpreter/fbc_interpreter.hh:888:53: error: there are no arguments to ‘__builtin_ssub_overflow’ that depend on a template parameter, so a declaration

@kmatheussen
Contributor Author

No, it's not related. Get the same error messages in master-dev.

@kmatheussen
Contributor Author

Oh, it's that cmake thing again.
"-DCMAKE_C_COMPILER=`which gcc` -DCMAKE_CXX_COMPILER=`which gg++`"
fixes it.

@sletz
Member

sletz commented Apr 9, 2019

Sorry, but I don't get the point of this PR. Blocks have at least 2 instructions (see the line 1154 comment in interpreter_optimizer.hh). So cur, cur+1, cur+2 are always supposed to access something valid. Or am I missing something?

@kmatheussen
Contributor Author

Blocks have at least 2 instructions in line 1154, but inside the do/while loop below line 1154, you increase "cur", and then we will read past allocated memory when initializing "inst2".

I don't know if this commit is the best solution here though. Perhaps it would be better to test if there can only be 1 "inst" variable, and then have the "inst2" and "inst3" variables in the else-part of the if-test. But this commit keeps the original code structure.

It's easy to reproduce. Just compile faust with "-fsanitize=address" and run the interpreter backend. Asan should report memory error almost immediately. Valgrind should report it too.

@sletz
Member

sletz commented Apr 10, 2019

"Blocks have at least 2 instructions in line 1154, but inside the do/while loop below line 1154, you increase "cur", and then we will read past allocated memory when initializing "inst2"."

So it is a false positive, since the do/while loop always runs on blocks with at least 2 instructions, then inst1 and inst2 are correct. Or I am still missing something?

@kmatheussen
Contributor Author

> So it is a false positive, since the do/while loop always runs on blocks with at least 2 instructions, then inst1 and inst2 are correct. Or I am still missing something?

"cur" is increased inside the loop, causing inst1 to be created from memory outside the allocated memory. Asan should never report false positives.

@sletz
Member

sletz commented Apr 10, 2019

Still I don't get it:

cur = cur_block->fInstructions.begin();
correct right?
and 'cur' points to a valid instruction iterator

Then:
FBCBasicInstruction* inst1 = *cur;

so inst1 should be correct ?

FBCBasicInstruction* inst2 = *(cur + 1);

and 'cur + 1' is still correct (since blocks have at least 2 instructions)

So 'inst2' is correct?

@kmatheussen
Contributor Author

> Still I don't get it:
>
> cur = cur_block->fInstructions.begin();
> correct right?
> and 'cur' points to a valid instruction iterator
>
> Then:
> FBCBasicInstruction* inst1 = *cur;
>
> so inst1 should be correct ?

Yes, inst1 is always correct.

> FBCBasicInstruction* inst2 = *(cur + 1);
>
> and 'cur + 1' is still correct (since blocks have at least 2 instructions)
>
> So 'inst2' is correct?

Yes, in the first iteration of the loop, 'inst2' is always correct. But in the next iteration, 'cur' has increased its value by at least one, and then 'inst2' might not be correct.

@kmatheussen
Contributor Author

> and then 'inst2' might not be correct.

Well, it's correct if it's needed. But it's not always needed, and in that case we have read past the allocated memory.

@sletz
Member

sletz commented Apr 10, 2019

  1. cur is changed in each if (..) part of the do/while loop
  2. then the while part tests for (cur != cur_block->fInstructions.end());
  3. then either this code is buggy, and has to be fixed in the first place, but I still don't get where it is buggy...
  4. or Asan cannot grasp what this code is actually doing, and reports a false positive that can be ignored

@kmatheussen
Contributor Author

It's possible that the code is buggy, I don't know the details of what happens. But you can probably rule out #4 since asan doesn't report false positives.

@sletz
Member

sletz commented Apr 10, 2019

Trying to improve the code right now.

@kmatheussen
Contributor Author

Hmm, googling for "asan false positive" I got this hit: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow

So if one file is compiled with -fsanitize=address and another file is not, you can get false positives for vectors. To add asan, I added set(CMAKE_CXX_FLAGS_DEBUG "-fsanitize=address -g") to build/CMakeLists.txt, so if cmake didn't apply these options to all files, I guess that could have happened.

@sletz
Member

sletz commented Apr 10, 2019

Could not activate "asan" test here for now. Possible fix here: 3ac5872

@kmatheussen
Contributor Author

It's not a false positive due to mixing asan and not-asan. abort() is called below:

@@ -1160,15 +1177,19 @@ struct FBCInstructionOptimizer {
         InstructionIT           next, cur = cur_block->fInstructions.begin();
 
         do {
            FBCBasicInstruction<T>* inst1 = *cur;
            FBCBasicInstruction<T>* inst2 = *(cur + 1);
+            if ( (cur+1) >= cur_block->fInstructions.end())
+              abort();
+
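Review bot: the range check is placed after `FBCBasicInstruction<T>* inst2 = *(cur + 1);` has already been evaluated, so the out-of-bounds read happens before `abort()` is reached; as a diagnostic it confirms the report, but a shipped fix needs the comparison before inst2 is initialized, with inst2 only formed when `cur + 1` is inside the block. Comparing the remaining distance (`cur_block->fInstructions.end() - cur > 1`) is also preferable to `(cur+1) >= end`, since `cur + 1` is itself only well-defined when it does not go past `end()`.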

(since even tsan reported an error for this, this was not really a surprise)
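The following is an added illustration, not Faust code, of the lookahead pattern that the discussion above is about: a peephole pass that peeks at `cur + 1` (or `cur + n`, which also covers the optimizers that read `cur + 2`) only after checking how many instructions remain, so the last instruction of a block is visited without ever forming an iterator past `end()`. `Instruction`, `Opcode`, `peek`, `fuseLoadStore` and the sample block are all constructed names for this example; the real optimizer's types and rewrite rules are more involved.

```cpp
#include <cstddef>
#include <vector>

// Constructed stand-in for Faust's FBCBasicInstruction: only the opcode matters here.
enum Opcode { kLoadReal, kStoreReal, kMoveReal, kOther };
struct Instruction { Opcode op; };

using InstructionIT = std::vector<Instruction>::iterator;

// Lookahead that checks the distance to end *before* forming cur + n, so the
// iterator never goes past end() and no memory beyond the buffer is touched.
// Returns nullptr when fewer than n + 1 instructions remain.
Instruction* peek(InstructionIT cur, InstructionIT end, std::ptrdiff_t n)
{
    return (end - cur > n) ? &*(cur + n) : nullptr;
}

// One peephole pass in the style of the optimizer loop discussed above:
// LoadReal followed by StoreReal is rewritten as a single MoveReal.
// The pass must also handle the final instruction, where no inst2 exists.
// Returns the number of rewrites; the block is rewritten in place.
std::size_t fuseLoadStore(std::vector<Instruction>& block)
{
    std::vector<Instruction> out;
    std::size_t rewrites = 0;
    for (InstructionIT cur = block.begin(); cur != block.end();) {
        Instruction* inst1 = &*cur;
        Instruction* inst2 = peek(cur, block.end(), 1);  // nullptr on the last instruction
        if (inst2 != nullptr && inst1->op == kLoadReal && inst2->op == kStoreReal) {
            out.push_back(Instruction{kMoveReal});
            cur += 2;  // both inputs consumed; peek guaranteed cur + 2 <= end
            ++rewrites;
        } else {
            out.push_back(*inst1);
            ++cur;
        }
    }
    block.swap(out);
    return rewrites;
}

// Constructed sample block: the trailing LoadReal has no successor, which is
// exactly the position where an unconditional *(cur + 1) reads past the buffer.
std::vector<Instruction> sampleBlock()
{
    return {{kLoadReal}, {kStoreReal}, {kOther}, {kLoadReal}};
}

// Runs the pass on the sample; returns the optimized block and the rewrite count.
std::vector<Instruction> optimizeSample(std::size_t* rewrites)
{
    std::vector<Instruction> block = sampleBlock();
    *rewrites = fuseLoadStore(block);
    return block;
}
```

The design point is that availability of the lookahead is decided from `end - cur`, a value that is always defined for a valid iterator, rather than by comparing `cur + 1` against `end()` after the fact; the same `peek` serves optimizers that need `cur + 2` by passing `n = 2`. Compiling this with `-fsanitize=address` reports nothing, and unlike binding a reference to `*(cur + 1)`, that silence reflects an access that never happens rather than one that is merely deferred.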

@kmatheussen
Contributor Author

Maybe this type of fix might be better:

- FBCBasicInstruction<T>* inst2 = *(cur + 1);
+ FBCBasicInstruction<T>* &inst2 = *(cur + 1);
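Review bot: making `inst2` a reference does not remove the out-of-bounds access, it only postpones it: `*(cur + 1)` must still be evaluated to bind the reference, and when `cur + 1 == end()` that is a dereference of the end iterator, undefined behaviour even though no load is emitted until inst2 is read. ASan stops reporting with this variant because the load moves to the point of use (or is never executed), not because the access became valid; the fix is a range check before peeking at `cur + 1`.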

Wouldn't c++ magically do the right thing now?

@sletz
Member

sletz commented Apr 10, 2019

What does "asan" say with the latest code?

@kmatheussen
Contributor Author

It's getting further, but there are still hits in 'rewrite'.

=================================================================
==27618==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000567980 at pc 0x0000054f7558 bp 0x7fff5adf3890 sp 0x7fff5adf3888
READ of size 8 at 0x602000567980 thread T21 (FFF_Thread)
[New Thread 0x7fff583e3700 (LWP 27682)]
    #0 0x54f7557 in FBCInstructionLoadStoreOptimizer<float>::rewrite(__gnu_cxx::__normal_iterator<FBCBasicInstruction<float>**, std::vector<FBCBasicInstruction<float>*, std::allocator<FBCBasicInstruction<float>*> > >, __gnu_cxx::__normal_iterator<FBCBasicInstruction<float>**, std::vector<FBCBasicInstruction<float>*, std::allocator<FBCBasicInstruction<float>*> > >&) /home/kjetil/faust/compiler/generator/interpreter/interpreter_optimizer.hh:101:41
    #1 0x54e767b in FBCInstructionOptimizer<float>::optimize_aux(FBCBlockInstruction<float>*, FBCInstructionOptimizer<float>&) /home/kjetil/faust/compiler/generator/interpreter/interpreter_optimizer.hh:1195:43
    #2 0x54e191c in FBCInstructionOptimizer<float>::optimize(FBCBlockInstruction<float>*, FBCInstructionOptimizer<float>&) /home/kjetil/faust/compiler/generator/interpreter/interpreter_optimizer.hh:1207:45
    #3 0x54df1eb in FBCInstructionOptimizer<float>::optimizeBlock(FBCBlockInstruction<float>*, int, int) /home/kjetil/faust/compiler/generator/interpreter/interpreter_optimizer.hh:1278:21
    #4 0x57307fb in interpreter_dsp_factory_aux<float, 0>::optimize() /home/kjetil/faust/compiler/generator/interpreter/interpreter_dsp_aux.hh:156:36
    #5 0x573019a in interpreter_dsp_aux<float, 0>::interpreter_dsp_aux(interpreter_dsp_factory_aux<float, 0>*) /home/kjetil/faust/compiler/generator/interpreter/interpreter_dsp_aux.hh:667:19
    #6 0x572d99b in interpreter_dsp_factory_aux<float, 0>::createDSPInstance(dsp_factory*) /home/kjetil/faust/compiler/generator/interpreter/interpreter_dsp_aux.hh:1286:38
    #7 0x5beaf5d in interpreter_dsp_factory::createDSPInstance() /home/kjetil/faust/compiler/generator/interpreter/interpreter_dsp_aux.cpp:99:26
    #8 0x495677d in (anonymous namespace)::FFF_Thread::create_reply_data((anonymous namespace)::FFF_Reply&) /home/kjetil/radium/audio/Faust_factory_factory.cpp:315:34
    #9 0x4948e6b in (anonymous namespace)::FFF_Thread::create_reply(QString, QString, int, (anonymous namespace)::FFF_Reply&) /home/kjetil/radium/audio/Faust_factory_factory.cpp:420:23
    #10 0x494788b in (anonymous namespace)::FFF_Thread::run() /home/kjetil/radium/audio/Faust_factory_factory.cpp:491:13
    #11 0x7ffff3c1860b  (/home/kjetil/Qt/5.10.0/gcc_64/lib/libQt5Core.so.5+0xac60b)
    #12 0x7fffeea0dee4 in start_thread /usr/src/debug/glibc-2.18/nptl/pthread_create.c:309
    #13 0x7fffee73cd1c in __clone /usr/src/debug////////glibc-2.18/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

0x602000567980 is located 0 bytes to the right of 16-byte region [0x602000567970,0x602000567980)
allocated by thread T21 (FFF_Thread) here:
    #0 0xba57b0 in operator new(unsigned long) /home/kjetil/site/src/llvm-8-0/compiler-rt/lib/asan/asan_new_delete.cc:106:3
    #1 0x544e90b in __gnu_cxx::new_allocator<FBCBasicInstruction<float>*>::allocate(unsigned long, void const*) /home/kjetil/site_gcc810/lib/gcc/x86_64-pc-linux-gnu/8.1.0/../../../../include/c++/8.1.0/ext/new_allocator.h:111:27
    #2 0x544e8ab in std::allocator_traits<std::allocator<FBCBasicInstruction<float>*> >::allocate(std::allocator<FBCBasicInstruction<float>*>&, unsigned long) /home/kjetil/site_gcc810/lib/gcc/x86_64-pc-linux-gnu/8.1.0/../../../../include/c++/8.1.0/bits/alloc_traits.h:436:20
    #3 0x544e512 in std::_Vector_base<FBCBasicInstruction<float>*, std::allocator<FBCBasicInstruction<float>*> >::_M_allocate(unsigned long) /home/kjetil/site_gcc810/lib/gcc/x86_64-pc-linux-gnu/8.1.0/../../../../include/c++/8.1.0/bits/stl_vector.h:296:20
    #4 0x544db68 in void std::vector<FBCBasicInstruction<float>*, std::allocator<FBCBasicInstruction<float>*> >::_M_realloc_insert<FBCBasicInstruction<float>* const&>(__gnu_cxx::__normal_iterator<FBCBasicInstruction<float>**, std::vector<FBCBasicInstruction<float>*, std::allocator<FBCBasicInstruction<float>*> > >, FBCBasicInstruction<float>* const&) /home/kjetil/site_gcc810/lib/gcc/x86_64-pc-linux-gnu/8.1.0/../../../../include/c++/8.1.0/bits/vector.tcc:427:33
    #5 0x544d832 in std::vector<FBCBasicInstruction<float>*, std::allocator<FBCBasicInstruction<float>*> >::push_back(FBCBasicInstruction<float>* const&) /home/kjetil/site_gcc810/lib/gcc/x86_64-pc-linux-gnu/8.1.0/../../../../include/c++/8.1.0/bits/stl_vector.h:1085:4
    #6 0x544d57f in FBCBlockInstruction<float>::push(FBCBasicInstruction<float>*) /home/kjetil/faust/compiler/generator/interpreter/interpreter_bytecode.hh:516:33
    #7 0x5424a31 in FBCBlockInstruction<float>* getCurrentBlock<float>() /home/kjetil/faust/compiler/generator/interpreter/interpreter_code_container.cpp:60:12
    #8 0x542ec30 in InterpreterCodeContainer<float>::produceFactory() /home/kjetil/faust/compiler/generator/interpreter/interpreter_code_container.cpp:172:49
    #9 0x54209e6 in generateCode(CTree*, int, int, bool) /home/kjetil/faust/compiler/libcode.cpp:1574:47
    #10 0x540ebcc in compileFaustFactoryAux(int, char const**, char const*, char const*, bool) /home/kjetil/faust/compiler/libcode.cpp:1919:5
    #11 0x540cf16 in compileFaustFactory(int, char const**, char const*, char const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, bool) /home/kjetil/faust/compiler/libcode.cpp:1937:9
    #12 0x5c0cef2 in createInterpreterDSPFactoryFromString(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, char const**, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /home/kjetil/faust/compiler/generator/interpreter/interpreter_dynamic_dsp_aux.cpp:77:17
    #13 0x494872b in (anonymous namespace)::FFF_Thread::create_reply(QString, QString, int, (anonymous namespace)::FFF_Reply&) /home/kjetil/radium/audio/Faust_factory_factory.cpp:389:23
    #14 0x494788b in (anonymous namespace)::FFF_Thread::run() /home/kjetil/radium/audio/Faust_factory_factory.cpp:491:13
    #15 0x7ffff3c1860b  (/home/kjetil/Qt/5.10.0/gcc_64/lib/libQt5Core.so.5+0xac60b)
    #16 0x7fffeea0dee4 in start_thread /usr/src/debug/glibc-2.18/nptl/pthread_create.c:309

Thread T21 (FFF_Thread) created by T0 here:
    #0 0xabc5a0 in pthread_create /home/kjetil/site/src/llvm-8-0/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7ffff3c17b75 in QThread::start(QThread::Priority) (/home/kjetil/Qt/5.10.0/gcc_64/lib/libQt5Core.so.5+0xabb75)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kjetil/faust/compiler/generator/interpreter/interpreter_optimizer.hh:101:41 in FBCInstructionLoadStoreOptimizer<float>::rewrite(__gnu_cxx::__normal_iterator<FBCBasicInstruction<float>**, std::vector<FBCBasicInstruction<float>*, std::allocator<FBCBasicInstruction<float>*> > >, __gnu_cxx::__normal_iterator<FBCBasicInstruction<float>**, std::vector<FBCBasicInstruction<float>*, std::allocator<FBCBasicInstruction<float>*> > >&)
Shadow bytes around the buggy address:
  0x0c04800a4ee0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c04800a4ef0: fa fa fd fa fa fa fa fa fa fa fd fd fa fa fd fa
  0x0c04800a4f00: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c04800a4f10: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c04800a4f20: fa fa fd fa fa fa fd fd fa fa fd fa fa fa 00 00
=>0x0c04800a4f30:[fa]fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800a4f40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c04800a4f50: fa fa 00 fa fa fa fd fa fa fa fa fa fa fa fd fd
  0x0c04800a4f60: fa fa fd fd fa fa fd fd fa fa fa fa fa fa fd fa
  0x0c04800a4f70: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fd fd
  0x0c04800a4f80: fa fa fa fa fa fa fa fa fa fa fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27618==ABORTING
[New Thread 0x7fff571ff700 (LWP 27683)]

Thread 22 "FFF_Thread" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fff5adf6700 (LWP 27676)]
0x00007fffee67d877 in raise () from /lib64/libc.so.6

@kmatheussen
Contributor Author

But by changing the remaining 'inst2' and 'inst3' variables to references, I get no hits:

[kjetil@localhost faust]$ git diff compiler/generator/interpreter/interpreter_optimizer.hh   
diff --git a/compiler/generator/interpreter/interpreter_optimizer.hh b/compiler/generator/interpreter/interpreter_optimizer.hh
index c7fd4c2..6d46d3f 100644
--- a/compiler/generator/interpreter/interpreter_optimizer.hh
+++ b/compiler/generator/interpreter/interpreter_optimizer.hh
@@ -73,7 +73,7 @@ struct FBCInstructionCastOptimizer : public FBCInstructionOptimizer<T> {
     virtual FBCBasicInstruction<T>* rewrite(InstructionIT cur, InstructionIT& end)
     {
         FBCBasicInstruction<T>* inst1 = *cur;
-        FBCBasicInstruction<T>* inst2 = *(cur + 1);
+        FBCBasicInstruction<T>* &inst2 = *(cur + 1);
 
         if (inst1->fOpcode == FBCInstruction::kLoadInt && inst2->fOpcode == FBCInstruction::kCastReal) {
             end = cur + 2;
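Review bot: `rewrite(InstructionIT cur, InstructionIT& end)` receives no bound for the block, since `end` here is an output parameter (set on the matching branch, as in `end = cur + 2;`), so none of these optimizers can verify that `cur + 1` is inside the block before reading it; the reference form only defers the read. Consider passing the block's end iterator (or the number of remaining instructions) into `rewrite` so each optimizer can test before peeking, instead of relying on the caller to guarantee it.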
@@ -98,7 +98,7 @@ struct FBCInstructionLoadStoreOptimizer : public FBCInstructionOptimizer<T> {
     FBCBasicInstruction<T>* rewrite(InstructionIT cur, InstructionIT& end)
     {
         FBCBasicInstruction<T>* inst1 = *cur;
-        FBCBasicInstruction<T>* inst2 = *(cur + 1);
+        FBCBasicInstruction<T>* &inst2 = *(cur + 1);
 
         if (inst1->fOpcode == FBCInstruction::kInt32Value && inst2->fOpcode == FBCInstruction::kLoadIndexedReal) {
             end = cur + 2;
@@ -131,7 +131,7 @@ struct FBCInstructionMoveOptimizer : public FBCInstructionOptimizer<T> {
     FBCBasicInstruction<T>* rewrite(InstructionIT cur, InstructionIT& end)
     {
         FBCBasicInstruction<T>* inst1 = *cur;
-        FBCBasicInstruction<T>* inst2 = *(cur + 1);
+        FBCBasicInstruction<T>* &inst2 = *(cur + 1);
 
         // Optimize Heap Load/Store as Move
         if (inst1->fOpcode == FBCInstruction::kLoadReal && inst2->fOpcode == FBCInstruction::kStoreReal) {
@@ -228,7 +228,7 @@ struct FBCInstructionPairMoveOptimizer : public FBCInstructionOptimizer<T> {
     FBCBasicInstruction<T>* rewrite(InstructionIT cur, InstructionIT& end)
     {
         FBCBasicInstruction<T>* inst1 = *cur;
-        FBCBasicInstruction<T>* inst2 = *(cur + 1);
+        FBCBasicInstruction<T>* &inst2 = *(cur + 1);
 
         if (inst1->fOpcode == FBCInstruction::kMoveReal && inst2->fOpcode == FBCInstruction::kMoveReal &&
             (inst1->fOffset1 == (inst1->fOffset2 + 1)) && (inst2->fOffset1 == (inst2->fOffset2 + 1)) &&
@@ -361,8 +361,8 @@ struct FBCInstructionMathOptimizer : public FBCInstructionOptimizer<T> {
     FBCBasicInstruction<T>* rewrite(InstructionIT cur, InstructionIT& end)
     {
         FBCBasicInstruction<T>* inst1 = *cur;
-        FBCBasicInstruction<T>* inst2 = *(cur + 1);
-        FBCBasicInstruction<T>* inst3 = *(cur + 2);
+        FBCBasicInstruction<T>* &inst2 = *(cur + 1);
+        FBCBasicInstruction<T>* &inst3 = *(cur + 2);
 
         faustassert(gFIRMath2Heap.size() > 0);
         faustassert(gFIRMath2Stack.size() > 0);
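Review bot: this optimizer peeks two ahead (`inst3 = *(cur + 2)`), so a caller guaranteeing two remaining instructions is not sufficient here; binding `inst3` as a reference hides the violation rather than removing it. Either add a `faustassert` on the remaining distance being at least 3 before binding inst3, alongside the existing `faustassert(gFIRMath2Heap.size() > 0);`, or guard every use of inst3 on its availability.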
@@ -613,7 +613,7 @@ struct FBCInstructionConstantValueHeap2Map : public FBCInstructionOptimizer<T> {
     virtual FBCBasicInstruction<T>* rewrite(InstructionIT cur, InstructionIT& end)
     {
         FBCBasicInstruction<T>* inst1 = *cur;
-        FBCBasicInstruction<T>* inst2 = *(cur + 1);
+        FBCBasicInstruction<T>* &inst2 = *(cur + 1);
 
         if (inst1->fOpcode == FBCInstruction::kRealValue && inst2->fOpcode == FBCInstruction::kStoreReal) {
             end = cur + 2;
@@ -642,7 +642,7 @@ struct FBCInstructionCastSpecializer : public FBCInstructionOptimizer<T> {
     virtual FBCBasicInstruction<T>* rewrite(InstructionIT cur, InstructionIT& end)
     {
         FBCBasicInstruction<T>* inst1 = *cur;
-        FBCBasicInstruction<T>* inst2 = *(cur + 1);
+        FBCBasicInstruction<T>* &inst2 = *(cur + 1);
 
         if (inst1->fOpcode == FBCInstruction::kInt32Value && inst2->fOpcode == FBCInstruction::kCastReal) {
             end = cur + 2;
@@ -1032,8 +1032,8 @@ struct FBCInstructionMathSpecializer : public FBCInstructionOptimizer<T> {
     virtual FBCBasicInstruction<T>* rewrite(InstructionIT cur, InstructionIT& end)
     {
         FBCBasicInstruction<T>* inst1 = *cur;
-        FBCBasicInstruction<T>* inst2 = *(cur + 1);
-        FBCBasicInstruction<T>* inst3 = *(cur + 2);
+        FBCBasicInstruction<T>* &inst2 = *(cur + 1);
+        FBCBasicInstruction<T>* &inst3 = *(cur + 2);
 
         FBCBasicInstruction<T>* res;

By the way, I always use asan while developing. It only lowers performance by around 50%.

@kmatheussen
Contributor Author

fixed in master-dev
