Bug 106591 - ASan at -O1 fails to detect a global buffer overflow
Summary: ASan at -O1 fails to detect a global buffer overflow
Status: WAITING
Alias: None
Product: gcc
Classification: Unclassified
Component: sanitizer (show other bugs)
Version: 13.0
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-12 06:47 UTC by Shaohua Li
Modified: 2022-08-15 13:54 UTC (History)
6 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2022-08-15 00:00:00

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Shaohua Li 2022-08-12 06:47:06 UTC 
For the following code, `gcc-trunk -O1 -fsanitize=address` failed to detect the global-buffer-overflow, while other opt flags (-O0, -O2, and -O3) can.

$cat a.c
a;
*b = &a, *d = &a;
volatile static **c = &b;

int foo(int p1, int p2) {
    return p1 % p2;
}
static int* e() {
  **c;
  int *f = &a;
  return f + 1;
}
int main() {
  *c = e();
  *d = 1;
  foo(**c, *d);
}
$
$gcc-trunk -O1 -fsanitize=address -w -g && ./a.out
$
$gcc-trunk -O2 -fsanitize=address -w -g && ./a.out
=================================================================
==1==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000404224 at pc 0x00000040113b bp 0x7ffff3ecdca0 sp 0x7ffff3ecdc98
READ of size 4 at 0x000000404224 thread T0
    #0 0x40113a in main /app/a.c:16
    #1 0x7f68868750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2) (BuildId: 9fdb74e7b217d06c93172a8243f8547f947ee6d1)
    #2 0x4011ad in _start (/app/output.s+0x4011ad) (BuildId: db3aa359dc97f1881309f971535063412033e172)

0x000000404224 is located 0 bytes to the right of global variable 'a' defined in '/app/a.c:1:1' (0x404220) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow /app/a.c:16 in main
Shadow bytes around the buggy address:
  0x0000800787f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078810: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x000080078820: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080078830: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x000080078840: 00 00 00 00[04]f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080078850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1==ABORTING
Comment 1 Martin Liška 2022-08-15 13:53:47 UTC 
Is it the same problem as PR106558?