public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/110676] New: builtin optimization prevents ASan from detecting OOB reads
@ 2023-07-15 18:28 nrk at disroot dot org
  2023-07-15 18:32 ` [Bug sanitizer/110676] strlen of array[1] should not be optimized to 1 if using ASAN pinskia at gcc dot gnu.org
                   ` (7 more replies)
  0 siblings, 8 replies; 9+ messages in thread
From: nrk at disroot dot org @ 2023-07-15 18:28 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110676

            Bug ID: 110676
           Summary: builtin optimization prevents ASan from detecting OOB
                    reads
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: nrk at disroot dot org
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

Minimal reproducible code-snippet:

#include <string.h>

int main(void)
{
        char s[1] = "A";
        return strlen(s);
}

Compile command: gcc -O0 -g3 -fsanitize=address,undefined
Expected behavior: ASan should catch the OOB access.
Reality: It gets optimized out and returns 0 always.
Note: adding `-fno-builtin` allows ASan to be effective.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [Bug sanitizer/110676] strlen of array[1] should not be optimized to 1 if using ASAN
  2023-07-15 18:28 [Bug sanitizer/110676] New: builtin optimization prevents ASan from detecting OOB reads nrk at disroot dot org
@ 2023-07-15 18:32 ` pinskia at gcc dot gnu.org
  2023-07-15 18:35 ` [Bug sanitizer/110676] [11/12/13/14 Regression] " pinskia at gcc dot gnu.org
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: pinskia at gcc dot gnu.org @ 2023-07-15 18:32 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110676

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|builtin optimization        |strlen of array[1] should
                   |prevents ASan from          |not be optimized to 1 if
                   |detecting OOB reads         |using ASAN
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2023-07-15

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Confirmed.  It is only an array of size 1 which is going to cause this issue.

An array of size 2 is always fine, e.g.:
```
#include <string.h>

int main(void)
{
        char s[2] = "AA";
        return strlen(s);
}
```

gives the expected error message.


* [Bug sanitizer/110676] [11/12/13/14 Regression] strlen of array[1] should not be optimized to 1 if using ASAN
  2023-07-15 18:28 [Bug sanitizer/110676] New: builtin optimization prevents ASan from detecting OOB reads nrk at disroot dot org
  2023-07-15 18:32 ` [Bug sanitizer/110676] strlen of array[1] should not be optimized to 1 if using ASAN pinskia at gcc dot gnu.org
@ 2023-07-15 18:35 ` pinskia at gcc dot gnu.org
  2023-07-15 18:35 ` nrk at disroot dot org
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: pinskia at gcc dot gnu.org @ 2023-07-15 18:35 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110676

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |11.5
      Known to fail|                            |10.1.0, 8.1.0, 8.5.0
      Known to work|                            |7.5.0
            Summary|strlen of array[1] should   |[11/12/13/14 Regression]
                   |not be optimized to 1 if    |strlen of array[1] should
                   |using ASAN                  |not be optimized to 1 if
                   |                            |using ASAN

--- Comment #2 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
This is actually a regression ...


* [Bug sanitizer/110676] [11/12/13/14 Regression] strlen of array[1] should not be optimized to 1 if using ASAN
  2023-07-15 18:28 [Bug sanitizer/110676] New: builtin optimization prevents ASan from detecting OOB reads nrk at disroot dot org
  2023-07-15 18:32 ` [Bug sanitizer/110676] strlen of array[1] should not be optimized to 1 if using ASAN pinskia at gcc dot gnu.org
  2023-07-15 18:35 ` [Bug sanitizer/110676] [11/12/13/14 Regression] " pinskia at gcc dot gnu.org
@ 2023-07-15 18:35 ` nrk at disroot dot org
  2024-02-05 20:23 ` [Bug sanitizer/110676] [11/12/13/14 Regression] strlen of array[1] should not be optimized to 0 " jakub at gcc dot gnu.org
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: nrk at disroot dot org @ 2023-07-15 18:35 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110676

--- Comment #3 from nrk at disroot dot org ---
Oops, forgot about https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107395.

But that bug was for missed warning opportunity, while this one is about ASan.
So I suppose both the bugs can coexist.


* [Bug sanitizer/110676] [11/12/13/14 Regression] strlen of array[1] should not be optimized to 0 if using ASAN
  2023-07-15 18:28 [Bug sanitizer/110676] New: builtin optimization prevents ASan from detecting OOB reads nrk at disroot dot org
                   ` (2 preceding siblings ...)
  2023-07-15 18:35 ` nrk at disroot dot org
@ 2024-02-05 20:23 ` jakub at gcc dot gnu.org
  2024-02-05 20:47 ` jakub at gcc dot gnu.org
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: jakub at gcc dot gnu.org @ 2024-02-05 20:23 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110676

--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Started with r8-5902-gc42d0aa0893cab444366c80fdd5b23bb45de6276


* [Bug sanitizer/110676] [11/12/13/14 Regression] strlen of array[1] should not be optimized to 0 if using ASAN
  2023-07-15 18:28 [Bug sanitizer/110676] New: builtin optimization prevents ASan from detecting OOB reads nrk at disroot dot org
                   ` (3 preceding siblings ...)
  2024-02-05 20:23 ` [Bug sanitizer/110676] [11/12/13/14 Regression] strlen of array[1] should not be optimized to 0 " jakub at gcc dot gnu.org
@ 2024-02-05 20:47 ` jakub at gcc dot gnu.org
  2024-02-06 12:00 ` cvs-commit at gcc dot gnu.org
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: jakub at gcc dot gnu.org @ 2024-02-05 20:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110676

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |jakub at gcc dot gnu.org

--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Created attachment 57331
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57331&action=edit
gcc14-pr110676.patch

Untested fix.


* [Bug sanitizer/110676] [11/12/13/14 Regression] strlen of array[1] should not be optimized to 0 if using ASAN
  2023-07-15 18:28 [Bug sanitizer/110676] New: builtin optimization prevents ASan from detecting OOB reads nrk at disroot dot org
                   ` (4 preceding siblings ...)
  2024-02-05 20:47 ` jakub at gcc dot gnu.org
@ 2024-02-06 12:00 ` cvs-commit at gcc dot gnu.org
  2024-02-06 12:01 ` [Bug sanitizer/110676] [11/12/13 " jakub at gcc dot gnu.org
  2024-05-13 11:33 ` rguenth at gcc dot gnu.org
  7 siblings, 0 replies; 9+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2024-02-06 12:00 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110676

--- Comment #6 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>:

https://gcc.gnu.org/g:d3eac7d96de790df51859f63c13838f153b416de

commit r14-8825-gd3eac7d96de790df51859f63c13838f153b416de
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Tue Feb 6 13:00:04 2024 +0100

    asan: Don't fold some strlens with -fsanitize=address [PR110676]

    The UB on the following testcase isn't diagnosed by -fsanitize=address,
    because we see that the array has a single element and optimize the
    strlen to 0.  I think it is fine to assume e.g. for range purposes the
    lower bound for the strlen as long as we don't try to optimize
    strlen (str)
    where we know that it returns [26, 42] to
    26 + strlen (str + 26), but for the upper bound we really want to punt
    on optimizing that for -fsanitize=address to read all the bytes of the
    string and diagnose if we run to object end etc.

    2024-02-06  Jakub Jelinek  <jakub@redhat.com>

            PR sanitizer/110676
            * gimple-fold.cc (gimple_fold_builtin_strlen): For -fsanitize=address
            reset maxlen to sizetype maximum.

            * gcc.dg/asan/pr110676.c: New test.

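Added example, not code from this thread or from the GCC project: a small POSIX shell probe that compiles the reporter's testcase with the installed gcc and classifies what happens, so a toolchain can be checked for this regression (the commit above fixes it on trunk). It assumes gcc with the libasan runtime is installed, uses -fsanitize=address only (the report also passed undefined), and the name pr110676_probe is made up here.

```shell
#!/bin/sh
# Added example, not code from the bug thread: probe whether the installed gcc
# still folds strlen() of a one-byte array to a constant under ASan (PR110676).
# Assumes gcc with libasan is installed; override the compiler with CC=...
CC="${CC:-gcc}"

# Prints exactly one word: fixed, regressed or unavailable.
pr110676_probe() {
    tmp=$(mktemp -d) || return 1
    # The reporter's testcase: "A" leaves no room for the terminating NUL,
    # so strlen() must read past s[] and ASan should report the overread.
    cat >"$tmp/t.c" <<'EOF'
#include <string.h>
int main(void)
{
        char s[1] = "A";
        return strlen(s);
}
EOF
    if ! "$CC" -O0 -g3 -fsanitize=address -o "$tmp/t" "$tmp/t.c" 2>/dev/null; then
        rm -rf "$tmp"
        echo unavailable          # no gcc, or no ASan runtime to link against
        return 0
    fi
    rc=0
    ASAN_OPTIONS=detect_leaks=0 "$tmp/t" >/dev/null 2>"$tmp/err" || rc=$?
    if grep -q 'stack-buffer-overflow' "$tmp/err"; then
        echo fixed                # the read was not folded away; ASan trapped it
    elif [ "$rc" -eq 0 ]; then
        echo regressed            # the report's symptom: exit status 0 and no ASan report
    else
        echo unavailable          # ASan runtime could not start (sandbox, ptrace, ...)
    fi
    rm -rf "$tmp"
}

# Stand-alone use: print the verdict for the compiler in $CC.
pr110676_probe
```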

* [Bug sanitizer/110676] [11/12/13 Regression] strlen of array[1] should not be optimized to 0 if using ASAN
  2023-07-15 18:28 [Bug sanitizer/110676] New: builtin optimization prevents ASan from detecting OOB reads nrk at disroot dot org
                   ` (5 preceding siblings ...)
  2024-02-06 12:00 ` cvs-commit at gcc dot gnu.org
@ 2024-02-06 12:01 ` jakub at gcc dot gnu.org
  2024-05-13 11:33 ` rguenth at gcc dot gnu.org
  7 siblings, 0 replies; 9+ messages in thread
From: jakub at gcc dot gnu.org @ 2024-02-06 12:01 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110676

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[11/12/13/14 Regression]    |[11/12/13 Regression]
                   |strlen of array[1] should   |strlen of array[1] should
                   |not be optimized to 0 if    |not be optimized to 0 if
                   |using ASAN                  |using ASAN

--- Comment #7 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Fixed on the trunk.  Not sure whether we want to backport this or not.


* [Bug sanitizer/110676] [11/12/13 Regression] strlen of array[1] should not be optimized to 0 if using ASAN
  2023-07-15 18:28 [Bug sanitizer/110676] New: builtin optimization prevents ASan from detecting OOB reads nrk at disroot dot org
                   ` (6 preceding siblings ...)
  2024-02-06 12:01 ` [Bug sanitizer/110676] [11/12/13 " jakub at gcc dot gnu.org
@ 2024-05-13 11:33 ` rguenth at gcc dot gnu.org
  7 siblings, 0 replies; 9+ messages in thread
From: rguenth at gcc dot gnu.org @ 2024-05-13 11:33 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110676

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P2

