From: "kees at outflux dot net"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/108894] New: -fsanitize=bounds missing bounds provided by __builtin_dynamic_object_size()
Date: Wed, 22 Feb 2023 20:57:05 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108894

            Bug ID: 108894
           Summary: -fsanitize=bounds missing bounds provided by
                    __builtin_dynamic_object_size()
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: kees at outflux dot net
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org,
                    marxin at gcc dot gnu.org
  Target Milestone: ---

Created attachment 54508
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54508&action=edit
PoC showing lack of __bdos support in -fsanitize=bounds

While -fsanitize=bounds is able to perform run-time bounds checking on
fixed-size arrays (i.e. when __builtin_object_size(x, 1) does not return
SIZE_MAX), it does not perform bounds checking when
__builtin_dynamic_object_size(x, 1) is available.

For example, the attached program produces _no_ bounds-checker warnings:

$ gcc -Wall -O2 -fstrict-flex-arrays=3 -fsanitize=bounds -fstrict-flex-arrays=3 -o bounds bounds.c
$ ./bounds
p->array has a fixed size: 64 (16 elements of size 4)
p->array[0] assignment: 255 (should be ok)
p->array[16] assignment: 255 (should be failure)
p->array has a dynamic size: 64 (16 elements of size 4)
p->array[0] assignment: 255 (should be ok)
p->array[16] assignment: 255 (should be failure)
p->array has unknowable size
p->array[0] assignment: 255 (should be ok)
p->array[16] assignment: 255 (should be failure)

Note that the first failure for a fixed size array implies that
-fsanitize=bounds has also not been wired up to -fstrict-flex-arrays=3, so
it is ignoring all trailing arrays.