For the following code, ASAN at -O3 missed the stack-use-after-return, while other opt levels detected it. Clang at all opt levels can detect it. Compiler explorer: https://godbolt.org/z/q5ezG1MK3 % cat a.c int *a; int **b = &a; char c; int d, g; void h(int i) { long e[112]; e; int *f = &i; a = f; } void j() { char *k[12]; for (; d; d++) k[g] = &c; } int main() { j(); h(-1); __builtin_printf("**b=%d\n", **b); } % % gcc-tk -fsanitize=address -O3 a.c && ./a.out **b=-1 % % gcc-tk -fsanitize=address -O2 a.c && ./a.out ================================================================= ==1==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f0646b00020 at pc 0x000000401148 bp 0x7ffed3f9a190 sp 0x7ffed3f9a188 READ of size 4 at 0x7f0646b00020 thread T0 #0 0x401147 in main /a.c:19 #1 0x7f064954c082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #2 0x4011ad in _start (/output.s+0x4011ad) (BuildId: 7b9e8ee9f7af16e4a0a8a05fef54777844619617) Address 0x7f0646b00020 is located in stack of thread T0 at offset 32 in frame #0 0x40127f in h /a.c:5 This frame has 1 object(s): [32, 36) 'i' (line 5) <== Memory access at offset 32 is inside this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-use-after-return /a.c:19 in main Shadow bytes around the buggy address: 0x7f0646affd80: 00 00 00 00 00 00 ... %
For this case, we propagate &(-1) which is quite a weird test-case.