public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/110527] New: [10/11/12/13/14 Regression] ASan is missing array out-of-bounds check
@ 2023-07-03  5:05 jwzeng at nuaa dot edu.cn
  2023-07-03  5:12 ` [Bug sanitizer/110527] " pinskia at gcc dot gnu.org
  2023-07-03  7:35 ` jakub at gcc dot gnu.org
  0 siblings, 2 replies; 3+ messages in thread
From: jwzeng at nuaa dot edu.cn @ 2023-07-03  5:05 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110527

            Bug ID: 110527
           Summary: [10/11/12/13/14 Regression] ASan is missing array
                    out-of-bounds check
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: jwzeng at nuaa dot edu.cn
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

Link to the Compiler Explorer: https://godbolt.org/z/YKaT3YdTx

The following snippet:

#include <stdio.h>
unsigned int aa = 204;
unsigned char bb = 126;
unsigned short cc[19][24][22][11][21];
unsigned int dd[19][24][22][11][21];
int main() {
    for (int i = 0; i < 19; ++i)
        cc[i][0][0][0][0] = 6294;
    unsigned char i = aa - 172;
    bb = cc[i][0][0][0][0];
    printf("%d\n", bb);
}

> $ gcc -O0 -fsanitize=address bug.c; ./a.out
> 0

Look at the statement `bb = cc[i][0][0][0][0];` in the above code snippet. The
array is out of bounds, but the program did not output any error after
compilation with "-O0 -fsanitize=address".

When I deleted the statement `unsigned int dd[19][24][22][11][21];` from the
above code snippet and compiled with "-O0 -fsanitize=address" again, it output
the following error this time:

> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000b75e40 (pc 0x000000401251 bp 0x7ffc6e878c80 sp 0x7ffc6e878c70 T0)
> ==1==The signal is caused by a READ memory access.
>     #0 0x401251 in main /app/example.cpp:10
>     #1 0x7fd690372082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
>     #2 0x4010cd in _start (/app/output.s+0x4010cd) (BuildId: 18aa19a5491b44e6b2908ed7ba8b0a483242b3a5)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /app/example.cpp:10 in main
> ==1==ABORTING

I found that the above bug appeared in gcc 10/11/12/13/14. Earlier GCCs do not
have this bug.


* [Bug sanitizer/110527] [10/11/12/13/14 Regression] ASan is missing array out-of-bounds check
  2023-07-03  5:05 [Bug sanitizer/110527] New: [10/11/12/13/14 Regression] ASan is missing array out-of-bounds check jwzeng at nuaa dot edu.cn
@ 2023-07-03  5:12 ` pinskia at gcc dot gnu.org
  2023-07-03  7:35 ` jakub at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: pinskia at gcc dot gnu.org @ 2023-07-03  5:12 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110527

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
There is a redzone for the variables but there is no way it is going to be this
large.

In this case, it just happens that cc[204-172][0][0][0][0] points into the
variable dd and therefore is a valid address.


* [Bug sanitizer/110527] [10/11/12/13/14 Regression] ASan is missing array out-of-bounds check
  2023-07-03  5:05 [Bug sanitizer/110527] New: [10/11/12/13/14 Regression] ASan is missing array out-of-bounds check jwzeng at nuaa dot edu.cn
  2023-07-03  5:12 ` [Bug sanitizer/110527] " pinskia at gcc dot gnu.org
@ 2023-07-03  7:35 ` jakub at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: jakub at gcc dot gnu.org @ 2023-07-03  7:35 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110527

--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
As mentioned, ASan can reliably detect out-of-bounds accesses into the fairly
small redzone around variables; for out-of-bounds accesses with a larger distance
it is a lottery whether one hits some other variable or whatever other valid
memory, or something marked as inaccessible (another redzone etc.).
-fsanitize=undefined detects this out-of-bounds access and you can use both at
the same time, -fsanitize=address,undefined or just -fsanitize=address,bounds.

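The two replies above describe why ASan stays silent: its shadow memory only marks the small redzone after `cc` as poisoned, and an index that overshoots by about 3 MiB lands inside `dd`, which is addressable. The following C program is an added example, not code from the bug report or from GCC, that models that shadow check for the report's two globals. It assumes a layout of `cc`, then a 4 KiB global redzone, then `dd` (the real redzone size is chosen by the compiler; the model only relies on it being far smaller than the overshoot), and treats anything past the last modelled object as unmapped, which is the model's stand-in for the DEADLYSIGNAL seen once `dd` was removed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Dimensions of cc and dd, taken from the bug report. */
enum { N0 = 19, N1 = 24, N2 = 22, N3 = 11, N4 = 21 };
#define CC_BYTES ((size_t)N0 * N1 * N2 * N3 * N4 * sizeof(unsigned short))
#define DD_BYTES ((size_t)N0 * N1 * N2 * N3 * N4 * sizeof(unsigned int))

/* ASSUMPTION: a 4 KiB global redzone directly after cc, and dd (when present)
 * directly after that redzone. All three sizes are multiples of 8, so every
 * object starts on a shadow granule boundary and no partial granules occur. */
#define REDZONE_BYTES ((size_t)4096)

/* ASan keeps one shadow byte per 8-byte granule of application memory:
 * 0 = all 8 bytes addressable, 1..7 = only the first k bytes addressable,
 * any negative value = poisoned (redzone or otherwise inaccessible). */
#define GRANULE 8
#define GLOBAL_REDZONE_MAGIC ((int8_t)0xf9) /* negative: every access faults */

struct model {
    size_t mapped_bytes; /* bytes of "address space" the model knows about */
    int8_t *shadow;      /* mapped_bytes / GRANULE entries */
};

/* Build the shadow for the layout [cc][redzone][dd?]; everything is
 * addressable except the redzone granules. */
static struct model build_model(int with_dd) {
    struct model m;
    size_t dd_off = CC_BYTES + REDZONE_BYTES;
    m.mapped_bytes = with_dd ? dd_off + DD_BYTES : dd_off;
    m.shadow = calloc(m.mapped_bytes / GRANULE, 1); /* 0 = addressable */
    if (!m.shadow) { perror("calloc"); exit(1); }
    for (size_t g = CC_BYTES / GRANULE; g < dd_off / GRANULE; g++)
        m.shadow[g] = GLOBAL_REDZONE_MAGIC;
    return m;
}

enum verdict { ACCESS_OK, ASAN_REPORT, SEGV };

/* Mimic the per-byte slow path of an ASan load check: a load of `size` bytes
 * at byte offset `off` is reported if any byte it touches is poisoned. Bytes
 * outside the modelled region stand in for an unmapped page (SEGV). */
static enum verdict check_load(const struct model *m, size_t off, size_t size) {
    for (size_t b = off; b < off + size; b++) {
        if (b >= m->mapped_bytes) return SEGV;
        int8_t sv = m->shadow[b / GRANULE];
        if (sv != 0 && (int8_t)(b % GRANULE) >= sv) return ASAN_REPORT;
    }
    return ACCESS_OK;
}

/* Byte offset of cc[i][j][k][l][n] from the start of cc (row-major). */
static size_t cc_offset(size_t i, size_t j, size_t k, size_t l, size_t n) {
    size_t idx = (((i * N1 + j) * N2 + k) * N3 + l) * N4 + n;
    return idx * sizeof(unsigned short);
}

/* What the model says ASan does for the report's load cc[i][0][0][0][0]. */
static enum verdict verdict_for_index(size_t i, int with_dd) {
    struct model m = build_model(with_dd);
    enum verdict v = check_load(&m, cc_offset(i, 0, 0, 0, 0), sizeof(unsigned short));
    free(m.shadow);
    return v;
}

int main(void) {
    static const char *names[] = {
        "silent (landed in addressable memory)",
        "ASan report (hit the redzone)",
        "SEGV (unmapped in this model)"
    };
    printf("sizeof cc = %zu bytes; cc[32] overshoots cc by %zu bytes\n",
           CC_BYTES, cc_offset(32, 0, 0, 0, 0) - CC_BYTES);
    printf("cc[18] with dd:    %s\n", names[verdict_for_index(18, 1)]);
    printf("cc[19] with dd:    %s\n", names[verdict_for_index(19, 1)]);
    printf("cc[32] with dd:    %s\n", names[verdict_for_index(32, 1)]);
    printf("cc[32] without dd: %s\n", names[verdict_for_index(32, 0)]);
    return 0;
}
```

The only index ASan catches in the model is 19, the first element past `cc`, because that is the only out-of-bounds offset that falls in the poisoned granules; index 32 is silent with `dd` present and faults without it, exactly the two behaviours in the report. The shadow check knows nothing about which object a pointer was derived from, so a bounds check on the declared array size is the right tool here: as the second reply says, `-fsanitize=address,bounds` (or `-fsanitize=address,undefined`) instruments `cc[i]` against the declared bound of 19 at the point of indexing, independent of what happens to sit after the array.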
