From: "marxin at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/108817] ASAN at -O3 failed to detect a global-buffer-overflow
Date: Fri, 17 Feb 2023 14:31:21 +0000
Product: gcc
Component: sanitizer
Version: 13.0
Status: RESOLVED
Resolution: INVALID
Bug URL: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108817

Martin Liška changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
         Resolution|---         |INVALID
             Status|UNCONFIRMED |RESOLVED

--- Comment #1 from Martin Liška ---
Here we prove that 'return c' only depends on the last execution of 'c = b[a+1];', which is going to happen with a == 0, and thus we optimize that out.
$ gcc pr108817.C -fsanitize=address -O3 -fdump-tree-optimized=/dev/stdout

int main ()
{
  signed char _4;
  unsigned long _8;
  int _12;
  unsigned long _15;
  bool _16;
  unsigned long _18;
  int _19;
  char _20;
  bool _21;
  signed char _22;
  signed char _23;
  unsigned long _25;
  signed char * _27;
  bool _38;

  [local count: 26541933]:
  a = 2;
  _15 = (unsigned long) &MEM [(void *)&b + 4B];
  (checking if &b + 4 is valid in shadow memory)
  if (_16 != 0)
    goto ; [0.05%]
  else
    goto ; [99.95%]

  [local count: 13271]:
  __builtin___asan_report_load4 (_15);

  [local count: 26541933]:
  _19 = b[1];    <- here we use it as the future value
  _20 = (char) _19;
  c = _20;
  a = -1;
  _12 = (int) _20;
  return _12;
}

Final note: clang does not report the issue even with -O1.
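The reporter's testcase pr108817.C is not in this message. The program below is an added illustration, not the reporter's file: it assumes a global `int b[2]`, a global `c` and a countdown loop reading `b[a+1]`, reconstructed from the variable names in the dump above. `dead_reads` has the shape the optimizer collapses to a single `b[1]` load, so any earlier out-of-bounds read is dead and never reaches ASAN at -O3; `observed_reads` pins each loaded value with an empty asm statement so every load, and its shadow-memory check, survives optimization.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed globals mirroring the names in the dump: b has two elements,
 * so b[a + 1] is out of bounds for any a >= 1. */
int b[2] = {10, 20};
int c;

/* Only the final assignment to c (a == 0, i.e. b[1]) reaches the return, so
 * at -O3 GCC proves the earlier loads dead and removes them together with
 * their ASAN checks. Calling this with start >= 1 is an undetected overflow. */
int dead_reads(int start)
{
    for (int a = start; a >= 0; a--)
        c = b[a + 1];
    return c;
}

/* Same loop, but each loaded value is fed to an empty asm statement, which
 * the optimizer must treat as a use. Every load stays, so ASAN instruments
 * each one and reports the out-of-bounds read at any optimization level. */
int observed_reads(int start)
{
    int last = 0;
    for (int a = start; a >= 0; a--) {
        int v = b[a + 1];
        __asm__ __volatile__("" : : "r"(v));
        last = v;
    }
    return last;
}

/* Default start of 0 keeps both loops in bounds; pass 2 on the command line
 * (compiled with -fsanitize=address) to compare -O3 against -O1 behaviour. */
int main(int argc, char **argv)
{
    int start = argc > 1 ? atoi(argv[1]) : 0;
    printf("dead_reads(%d) = %d\n", start, dead_reads(start));
    printf("observed_reads(%d) = %d\n", start, observed_reads(start));
    return 0;
}
```

The practical lesson for sanitizer-based testing is that a load the optimizer can prove dead is invisible to ASAN, so test builds should also run at -O0 or -O1, or keep the values that matter observable.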