public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/103730] New: ubsan: store with insufficient space for an object of type
@ 2021-12-15  9:47 jan.smets at nokia dot com
From: jan.smets at nokia dot com @ 2021-12-15  9:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103730

            Bug ID: 103730
           Summary: ubsan: store with insufficient space for an object of
                    type
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: jan.smets at nokia dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

The following testcase produces an ubsan runtime error in GCC 10.2/11.3/trunk:

gcc test.c -o /tmp/test -O2 -Wall -Wextra -fsanitize=undefined && /tmp/test


typedef int (logger_args_to_string)(void *event, void *pEntry);
typedef struct logger_msginfo
{
    #if 1 // OK when excluded
    void *test;
    #endif
    logger_args_to_string *Fn;
} logger_msginfo;

logger_msginfo x;
logger_msginfo *logger = &x;

void call( void )
{
    logger->Fn = (logger_args_to_string*) 0x1234; // Happy
    ((logger_msginfo *) & logger[0])->Fn = (logger_args_to_string*) 0x1234; // Happy
    ((logger_msginfo *) & logger)->Fn = (logger_args_to_string*) 0x1234; // store with insufficient space... , trunk gives array-bounds warning here too - but not on the line above.
}

int main(void) {
    call();
    return 0;
}


* [Bug sanitizer/103730] ubsan: store with insufficient space for an object of type
From: jakub at gcc dot gnu.org @ 2021-12-15  9:56 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103730

--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
What do you find wrong about it?
((logger_msginfo *) & logger)->Fn
where logger is a pointer and logger_msginfo is a 2 * sizeof (void*) sized
struct does reference the pointer after the logger variable. It is clearly UB.
While ((logger_msginfo *) & logger[0])->Fn is dereferencing that pointer and
then taking the address, so effectively ((logger_msginfo *) logger)->Fn or
logger->Fn.

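The size mismatch described above, as an added example that is not part of the bug report or of GCC: it computes where a store to Fn ends relative to the object that the cast pointer actually points at, and shows that &logger[0] and &logger name different objects. The helpers fn_store_end, fn_store_overflows and the two address checks are names chosen here, not anything from the report.

```c
#include <stddef.h>
#include <stdio.h>

typedef int (logger_args_to_string)(void *event, void *pEntry);
typedef struct logger_msginfo {
    void *test;
    logger_args_to_string *Fn;
} logger_msginfo;

logger_msginfo x;
logger_msginfo *logger = &x;

/* Byte offset just past member Fn when a logger_msginfo is laid over some
   base address.  A store to Fn stays in bounds only if this does not exceed
   the size of the object that really lives at that address, which is what
   ubsan's object-size check compares at run time. */
static size_t fn_store_end(void)
{
    return offsetof(logger_msginfo, Fn) + sizeof(((logger_msginfo *)0)->Fn);
}

/* 1 if storing to Fn through a logger_msginfo* aimed at an object of
   obj_size bytes would write past the end of that object, else 0. */
int fn_store_overflows(size_t obj_size)
{
    return fn_store_end() > obj_size;
}

/* &logger[0] is just `logger` spelled differently: both point at x. */
int addr_of_elem0_is_logger(void) { return (void *)&logger[0] == (void *)logger; }

/* &logger is the address of the pointer variable itself, a separate object
   of only sizeof(void *) bytes; it is not the address of x. */
int addr_of_logger_is_not_x(void) { return (void *)&logger != (void *)&x; }

int main(void)
{
    printf("sizeof(logger_msginfo) = %zu, sizeof(logger) = %zu, Fn store ends at byte %zu\n",
           sizeof(logger_msginfo), sizeof logger, fn_store_end());
    /* Cast of &logger[0]: the object at that address is x, large enough for Fn. */
    printf("cast of &logger[0]: overflow = %d\n", fn_store_overflows(sizeof x));
    /* Cast of &logger: the object there is the pointer variable, too small for Fn. */
    printf("cast of &logger   : overflow = %d\n", fn_store_overflows(sizeof logger));
    return 0;
}
```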

* [Bug sanitizer/103730] ubsan: store with insufficient space for an object of type
From: jan.smets at nokia dot com @ 2021-12-15 10:06 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103730

--- Comment #2 from Jan Smets <jan.smets at nokia dot com> ---
PEBKAC. Thanks for clarifying.


* [Bug sanitizer/103730] ubsan: store with insufficient space for an object of type
From: jakub at gcc dot gnu.org @ 2021-12-15 10:07 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103730

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
.

