[Bug sanitizer/96775] New: UBSan: confusing error message load of address with insufficient space

diane2332 at gmail dot com gcc-bugzilla@gcc.gnu.org
Mon Aug 24 19:34:23 GMT 2020


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96775

            Bug ID: 96775
           Summary: UBSan: confusing error message load of address with
                    insufficient space
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: diane2332 at gmail dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

UBSan gives 2 very confusing error messages:

load of address with insufficient space for an object of type 'whatever'
store of address with insufficient space for an object of type 'whatever'

We ran UBSan on a very large application and filed many bugs detected.
Developers of this application were stumped as to what this message meant, and
I was also for a while. Eventually I realized that this message really
indicates either BUFFER OVERFLOW READ or BUFFER OVERFLOW WRITE. This is what's
happening and this is something that developers understand and can take action
on. Here is a simple example:

#include <stdlib.h>

int main()
{
const unsigned int size = 20;
unsigned int *array = (unsigned int *)malloc(sizeof(unsigned int) * size); /* 20 elements: valid indices are 0..19 */
array[size] = array[size+1]; /* deliberate overflow: reads element 21, writes element 20, both past the buffer */
return array[-1]; /* deliberate underflow: reads the element just before the buffer */
}

gcc test3.c -O -fsanitize=undefined
./a.out
test3.c:7:16: runtime error: load of address 0x000001bf8064 with insufficient space for an object of type 'unsigned int'
0x000001bf8064: note: pointer points here
00 00 00 00 00 00 00 00 a1 0f 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
test3.c:7:16: runtime error: store to address 0x000001bf8060 with insufficient space for an object of type 'unsigned int'
0x000001bf8060: note: pointer points here
00 00 00 00 00 00 00 00 00 00 00 00 a1 0f 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^

I'm using gcc 8.2.1.

It would be much clearer to say something like:

test3.c:7:16: runtime error: BUFFER OVERFLOW READ on address 0x000001bf8064 for an object of type 'unsigned int'

Please see the GitHub issue I filed for this:
   https://github.com/google/sanitizers/issues/1297
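As an added example (not code from the bug report, from GCC, or from UBSan), the following C program replays the three accesses in the report against a 20-element heap buffer and makes explicit what "insufficient space for an object of type" means: the sanitizer compares the bytes of the allocation that remain from the accessed address against the size of the accessed type, and reports when the remainder is smaller. The `uint_buf` type and its functions are hypothetical helpers written for this illustration; in the reporter's test3.c the accesses at indices 21, 20 and -1 are exactly the ones with zero bytes of remaining space, i.e. the buffer-overflow read and write the reporter describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical bounds-aware buffer (added example, not GCC or UBSan code):
 * it keeps the element count alongside the pointer so every access can be
 * checked the way the object-size sanitizer check reasons about it. */
struct uint_buf {
    unsigned int *data;
    size_t count;            /* number of unsigned int elements allocated */
};

/* Allocate count zeroed elements. Returns 0 on success, -1 on failure. */
int uint_buf_init(struct uint_buf *b, size_t count)
{
    b->data = calloc(count, sizeof(unsigned int));
    b->count = b->data ? count : 0;
    return b->data ? 0 : -1;
}

/* Bytes of the allocation that remain starting at element index idx, or 0
 * when idx lies outside [0, count). This is the "space" the UBSan message
 * refers to: an access is reported when it is smaller than sizeof the
 * accessed type. */
size_t uint_buf_space_at(const struct uint_buf *b, ptrdiff_t idx)
{
    if (idx < 0 || (size_t)idx >= b->count)
        return 0;
    return (b->count - (size_t)idx) * sizeof(unsigned int);
}

/* Checked read: 0 and *out set on success, -1 for a would-be overflow read. */
int uint_buf_load(const struct uint_buf *b, ptrdiff_t idx, unsigned int *out)
{
    if (uint_buf_space_at(b, idx) < sizeof(unsigned int))
        return -1;
    *out = b->data[idx];
    return 0;
}

/* Checked write: 0 on success, -1 for a would-be overflow write. */
int uint_buf_store(struct uint_buf *b, ptrdiff_t idx, unsigned int v)
{
    if (uint_buf_space_at(b, idx) < sizeof(unsigned int))
        return -1;
    b->data[idx] = v;
    return 0;
}

/* Replay the three accesses from the report against a 20-element buffer,
 * plus one in-bounds access for contrast. Returns the number of accesses
 * rejected (3), or -1 if the in-bounds access unexpectedly fails. */
int replay_report_accesses(void)
{
    struct uint_buf b;
    unsigned int tmp = 0;
    int rejected = 0;
    const ptrdiff_t size = 20;

    if (uint_buf_init(&b, (size_t)size) != 0)
        return -1;

    /* array[size] = array[size+1]; : a load at 21, then a store at 20 */
    if (uint_buf_load(&b, size + 1, &tmp) != 0)
        rejected++;                     /* overflow read */
    if (uint_buf_store(&b, size, tmp) != 0)
        rejected++;                     /* overflow write */

    /* return array[-1]; : a load one element before the allocation */
    if (uint_buf_load(&b, -1, &tmp) != 0)
        rejected++;                     /* underflow read */

    /* array[size-1] is the last valid element and must be accepted */
    if (uint_buf_store(&b, size - 1, 7u) != 0 ||
        uint_buf_load(&b, size - 1, &tmp) != 0 || tmp != 7u)
        rejected = -1;

    free(b.data);
    return rejected;
}

int main(void)
{
    struct uint_buf probe = { NULL, 20 };  /* count only; data is never touched */
    printf("space at index 19: %zu bytes\n", uint_buf_space_at(&probe, 19));
    printf("space at index 20: %zu bytes\n", uint_buf_space_at(&probe, 20));
    printf("rejected accesses: %d\n", replay_report_accesses());
    return 0;
}
```

Compiled plainly this program performs no out-of-bounds access, because each rejected access is refused before the pointer is dereferenced; the point is that the "insufficient space" arithmetic and an ordinary bounds check are the same question, which is why reading the message as an overflow read or write is the right mental model.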

