Why does the option -fno-sanitize-address-use-after-scope not take effect?

[Zhenhang1213]

void foo(int *x) {
  *x = 0;
}

int main() {
  int x;
  foo(&x);
  return x;
}

https://godbolt.org/z/Yof6d6EYb

[llvmbot]

@llvm/issue-subscribers-clang-codegen

Author: None (Zhenhang1213)

`void foo(int *x) { *x = 0; }

int main() {
int x;
foo(&x);
return x;
}`
https://godbolt.org/z/9Mdexxd6x

[shafik]

Your question is not clear, can you explain in more detail what you are asking.

[Zhenhang1213]

Your question is not clear, can you explain in more detail what you are asking.

I found clang using this option, the assembly was still the call asan_report_load function，but gcc doesn‘t

[MaskRay]

Neither asan-use-after-scope nor asan-use-after-return controls whether accesses to a local variable x (AllocaInst) should be instrumented.
However, StackSafetyAnalysis can remove the unneeded instrumentation for return x. I have created #77210 to enable StackSafetyAnalysis by default.

godbolt.org/z/Yof6d6EYb

For future issues, consider adding the exact clang command line.

[Zhenhang1213]

Neither asan-use-after-scope nor asan-use-after-return controls whether accesses to a local variable x (AllocaInst) should be instrumented. However, StackSafetyAnalysis can remove the unneeded instrumentation for return x. I have created #77210 to enable StackSafetyAnalysis by default.

godbolt.org/z/Yof6d6EYb

For future issues, consider adding the exact clang command line.

Neither asan-use-after-scope nor asan-use-after-return controls whether accesses to a local variable x (AllocaInst) should be instrumented. However, StackSafetyAnalysis can remove the unneeded instrumentation for return x. I have created #77210 to enable StackSafetyAnalysis by default.

godbolt.org/z/Yof6d6EYb

For future issues, consider adding the exact clang command line.

ok，but I have another question, so what scenario is those options generally used for? Don't they detect the return value ？

[MaskRay]

Now StackSafetyAnalysis is the default, this variable in question is no longer instrumented.

---

I think neither -fsanitize-address-stack-use-after-scope nor -fsanitize-address-stack-use-after-return affects whether a stack variable should be instrumented,
but they are responsible for certain extra instructions for stack instrumentation.

---

If -fsanitize-address-stack-use-after-scope (default) is enabled, when a variable gets out of scope, its shadow memory is filled with 0xf8 (kAsanStackUseAfterScopeMagic).
Accessing the variable will lead to a stack-use-after-scope error.

-fsanitize-address-use-after-return= accepts one of the following values:

• runtime (default): instrumented code checks a global variable __asan_option_detect_stack_use_after_return to decide whether a fake stack frame is used.
• always: instrumented code unconditionally creates a fake stack frame. This saves code size.
• never: don't detect use-after-return

When the instrumentation decides to create a fake stack frame, it allocates one using __asan_stack_malloc_{0..10}(uptr ptr, uptr size).
The runtime function may return nullptr, in which case a fake stack frame is unavailable, and alloca will be used to allocate the local stack frame; otherwise, stack variables and associated redzones are allocated on the fake stack frame.
never removes the extra code.

---

I am curious why GCC -fsanitize-address-use-after-scope instruments the variable when optimizations are enabled.
It seems that this case can be optimized out as well.

[Zhenhang1213]

Now StackSafetyAnalysis is the default, this variable in question is no longer instrumented.

I think neither -fsanitize-address-stack-use-after-scope nor -fsanitize-address-stack-use-after-return affects whether a stack variable should be instrumented, but they are responsible for certain extra instructions for stack instrumentation.

If -fsanitize-address-stack-use-after-scope (default) is enabled, when a variable gets out of scope, its shadow memory is filled with 0xf8 (kAsanStackUseAfterScopeMagic). Accessing the variable will lead to a stack-use-after-scope error.

-fsanitize-address-use-after-return= accepts one of the following values:

• runtime (default): instrumented code checks a global variable __asan_option_detect_stack_use_after_return to decide whether a fake stack frame is used.
• always: instrumented code unconditionally creates a fake stack frame. This saves code size.
• never: don't detect use-after-return

When the instrumentation decides to create a fake stack frame, it allocates one using __asan_stack_malloc_{0..10}(uptr ptr, uptr size). The runtime function may return nullptr, in which case a fake stack frame is unavailable, and alloca will be used to allocate the local stack frame; otherwise, stack variables and associated redzones are allocated on the fake stack frame. never removes the extra code.

I am curious why GCC -fsanitize-address-use-after-scope instruments the variable when optimizations are enabled. It seems that this case can be optimized out as well.

I get it, but I find disable __asan_option_detect_stack_use_after_return doesnot work in gcc or clang。Asan still reports __asan_report_load4。
https://godbolt.org/z/Yzx9EM11e