From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
	id D48293858C31; Fri, 17 Feb 2023 14:31:21 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org D48293858C31
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
	s=default; t=1676644281;
	bh=FrvrxTFIXs0eGIAH897OQElc06Hjsew1/3gKUpcnPvs=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=Jgv8FpKox/iIqLdLPsn3FKDbsen/mjNaRPlU6xZSDrt41hq7IBixHEn1f97LrnrMY
	 PyDdQhPXV7apjDKRiFtMKr033oPK8bkZ0BgowoLx/FSvvhBxKTmUTjJ+l9PDQCEBjN
	 oPUZkt8RbF2G8oNZzP8+t0scRvem+BJvB8JJ5kkM=
From: "marxin at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/108817] ASAN at -O3 failed to detect a
 global-buffer-overflow
Date: Fri, 17 Feb 2023 14:31:21 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: sanitizer
X-Bugzilla-Version: 13.0
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: marxin at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Resolution: INVALID
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: resolution bug_status
Message-ID: <bug-108817-4-tQVcVqHXJG@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-108817-4@http.gcc.gnu.org/bugzilla/>
References: <bug-108817-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <gcc-bugs.sourceware.org>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D108817

Martin Li=C5=A1ka <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #1 from Martin Li=C5=A1ka <marxin at gcc dot gnu.org> ---
Here we prove that 'return c' only depends on the last execution of 'c =3D
b[a+1];' which is going to happen with a =3D=3D 0 and thus we optimize out =
that.

$ gcc pr108817.C -fsanitize=3Daddress -O3 -fdump-tree-optimized=3D/dev/stdo=
ut

int main ()
{
  signed char _4;
  unsigned long _8;
  int _12;
  unsigned long _15;
  bool _16;
  unsigned long _18;
  int _19;
  char _20;
  bool _21;
  signed char _22;
  signed char _23;
  unsigned long _25;
  signed char * _27;
  bool _38;

  <bb 2> [local count: 26541933]:
  a =3D 2;
  _15 =3D (unsigned long) &MEM <int> [(void *)&b + 4B];
(checking if &b + 4 is valid in shadow memory)=20
  if (_16 !=3D 0)
    goto <bb 3>; [0.05%]
  else
    goto <bb 4>; [99.95%]

  <bb 3> [local count: 13271]:
  __builtin___asan_report_load4 (_15);

  <bb 4> [local count: 26541933]:
  _19 =3D b[1]; <- here we use it as the future value
  _20 =3D (char) _19;
  c =3D _20;
  a =3D -1;
  _12 =3D (int) _20;
  return _12;
}

Final note: note clang does not report the issue even with -O1.=