[Bug sanitizer/108824] New: ASAN -O2/3 missed a stack-buffer-underflow since GCC-10

["shaohua.li at inf dot ethz.ch" <gcc-bugzilla@gcc.gnu.org>]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108824

            Bug ID: 108824
           Summary: ASAN -O2/3 missed a stack-buffer-underflow since
                    GCC-10
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: shaohua.li at inf dot ethz.ch
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

For the following code, ASAN at -O2 missed the stack-buffer-underflow since
GCC-10, while -O3 missed it since GCC-8.

Clang can detect it at all opt levels.

Compiler explorer: https://godbolt.org/z/vM7bPq7de

% cat a.c
struct a {};
struct b {
    unsigned c;
} g;
char d, f;;
int e=1, h;

void i();

void j() {
    int k=0;
    struct a l;

    for (; h < 4; h++) 
        i(g, 0, &e, &k, 0);
}

void i(struct b p1, long p2, int *m, int *n, struct b o) {
    *m = o.c > *(n - 1);
    for (; f;)
        for (; d;)
            ;
}
int main() { 
    j(); 
    return e;
}
%
% gcc-tk -O2 -fsanitize=address a.c &&./a.out
%
% gcc-9 -O2 -fsanitize=address a.c &&./a.out
=================================================================
==1==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffda463e79c
at pc 0x0000004009e2 bp 0x7ffda463e6f0 sp 0x7ffda463e6e8
READ of size 4 at 0x7ffda463e79c thread T0
    #0 0x4009e1 in i /a.c:19
    #1 0x400a99 in j /a.c:15
    #2 0x40074a in main /a.c:24
    #3 0x7fc175a80082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #4 0x4007bd in _start (/a.s+0x4007bd)

Address 0x7ffda463e79c is located in stack of thread T0 at offset 28 in frame
    #0 0x4009ff in j /a.c:10

  This frame has 1 object(s):
    [32, 36) 'k' (line 11) <== Memory access at offset 28 underflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /a.c:19 in i
Shadow bytes around the buggy address:
  0x1000348bfca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfce0: 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00
=>0x1000348bfcf0: f1 f1 f1[f1]04 f3 f3 f3 00 00 00 00 00 00 00 00
  0x1000348bfd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
...
%