[Bug sanitizer/99418] sanitizer checks for accessing multidimentional VLA-array

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

From: "marxin at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/99418] sanitizer checks for accessing multidimentional VLA-array
Date: Mon, 08 Mar 2021 09:15:25 +0000	[thread overview]
Message-ID: <bug-99418-4-3LZRJQ33dY@http.gcc.gnu.org/bugzilla/> (raw)
In-Reply-To: <bug-99418-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99418

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2021-03-08
             Status|UNCONFIRMED                 |WAITING
     Ever confirmed|0                           |1

--- Comment #3 from Martin Liška <marxin at gcc dot gnu.org> ---
> Surprisingly if I replace taking a reference with writing to the array it
> will show an error.

Yes, ASAN instruments memory reads and writes, so your test-case reports ASAN
errors with:

void escape(int &a)
{
  a = 123;
}

$ g++ pr99418.C -fsanitize=address && ./a.out 
=================================================================
==7912==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address
0x7fffffffde90 at pc 0x000000400869 bp 0x7fffffffde10 sp 0x7fffffffde08
WRITE of size 4 at 0x7fffffffde90 thread T0
    #0 0x400868 in escape(int&)
(/home/marxin/Programming/testcases/a.out+0x400868)
    #1 0x4009c0 in test(unsigned long, unsigned long)
(/home/marxin/Programming/testcases/a.out+0x4009c0)
    #2 0x400a06 in main (/home/marxin/Programming/testcases/a.out+0x400a06)
    #3 0x7ffff708db24 in __libc_start_main (/lib64/libc.so.6+0x27b24)
    #4 0x40077d in _start (/home/marxin/Programming/testcases/a.out+0x40077d)

Address 0x7fffffffde90 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow
(/home/marxin/Programming/testcases/a.out+0x400868) in escape(int&)
Shadow bytes around the buggy address:
  0x10007fff7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bc0: 00 00 00 00 00 00 00 00 ca ca ca ca 00 00 00 00
=>0x10007fff7bd0: 00 00[cb]cb cb cb cb cb 00 00 00 00 00 00 00 00
  0x10007fff7be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7912==ABORTING

That said, can we close it as resolved?

next prev parent reply	other threads:[~2021-03-08  9:15 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-05 19:11 [Bug sanitizer/99418] New: " vanyacpp at gmail dot com
2021-03-06 22:53 ` [Bug sanitizer/99418] " vanyacpp at gmail dot com
2021-03-07  7:44 ` vanyacpp at gmail dot com
2021-03-08  9:15 ` marxin at gcc dot gnu.org [this message]
2021-03-08 10:14 ` jakub at gcc dot gnu.org
2021-03-08 18:23 ` msebor at gcc dot gnu.org
2021-03-09  8:39 ` vanyacpp at gmail dot com
2021-03-09  8:47 ` vanyacpp at gmail dot com
2021-03-09  8:54 ` vanyacpp at gmail dot com
2021-03-09 15:48 ` [Bug sanitizer/99418] more cases where -fsanitize=bounds can check one-past-the-end accesses msebor at gcc dot gnu.org

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-99418-4-3LZRJQ33dY@http.gcc.gnu.org/bugzilla/ \
    --to=gcc-bugzilla@gcc.gnu.org \
    --cc=gcc-bugs@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).