For the following code, `gcc-trunk -O1 -fsanitize=address` misses the global-buffer-overflow, while `gcc-trunk -Ox -fsanitize=address` (x=0,2,3, or s) can detect it. clang can detect it at all optimization levels. Compiler explorer: https://godbolt.org/z/5Tcjrc4zf % cat a.c int a=0, d=1; int *b = &a, *c = &a; int main() { *b = 0; b = b + 1; *c = 1; *b = d; } % % gcc-tk -O1 -fsanitize=address a.c && ./a.out % % gcc-tk -O3 -fsanitize=address a.c && ./a.out ================================================================= ==851733==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000404284 at pc 0x000000401130 bp 0x7ffd4cb2a6a0 sp 0x7ffd4cb2a698 WRITE of size 4 at 0x000000404284 thread T0 #0 0x40112f in main /zdata/shaoli/sanitizertesting/mutate/synthesizer/bugs/work119_1/a.c:7 #1 0x7fb79dc33082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #2 0x40119d in _start (/zdata/shaoli/sanitizertesting/mutate/synthesizer/bugs/work119_1/a.out+0x40119d) 0x000000404284 is located 0 bytes to the right of global variable 'a' defined in 'a.c:1:5' (0x404280) of size 4 SUMMARY: AddressSanitizer: global-buffer-overflow /zdata/shaoli/sanitizertesting/mutate/synthesizer/bugs/work119_1/a.c:7 in main Shadow bytes around the buggy address: 0x000080078800: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 0x000080078810: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 0x000080078820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9 0x000080078830: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x000080078840: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 =>0x000080078850:[04]f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x000080078860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000080078870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000080078880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000080078890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800788a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==851733==ABORTING %
I think it's a variation of https://github.com/google/sanitizers/issues/869, but I will take a look deeper.
I found a new test where gcc-O1 misses the global-buffer-overflow. Not sure if these two have the same root cause: % cat a.c int a, c; int *b = &a; int main() { int d = *b; for (; c < 3; c++) b = b + (d == *b); } % % gcc-tk -O1 -fsanitize=address a.c && ./a.out % % gcc-tk -O3 -fsanitize=address a.c && ./a.out ================================================================= ==3536571==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000404204 at pc 0x000000401130 bp 0x7ffe232ffd40 sp 0x7ffe232ffd38 ... %
Dup of PR106558, it's fixed now. *** This bug has been marked as a duplicate of bug 106558 ***