public inbox for gcc-bugs@sourceware.org
From: "vanyacpp at gmail dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/99418] sanitizer checks for accessing multidimentional VLA-array
Date: Tue, 09 Mar 2021 08:39:28 +0000
Message-ID: <bug-99418-4-ZmfPBrMRFh@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-99418-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99418

--- Comment #6 from Ivan Sorokin <vanyacpp at gmail dot com> ---
(In reply to Jakub Jelinek from comment #4)
> Asan can't by design detect neither #c0 nor #c1, only ubsan can.
> The reason why ubsan has that off by one stuff is that in C/C++,
> &mas[n - 1][m] is not undefined behavior, only mas[n - 1][m] is.

That is very unfortunate. For standard containers, subscripting with a wrong index is undefined behavior whether or not it is followed by taking the address. I assumed the same rules applied to built-in arrays. If one needs just a pointer, one can easily write a + n instead of &a[n]. Now I see that this is not the case and built-in arrays behave differently.

> For #c1, the big question is what exactly is UB in C++, whether already
> binding a reference to the object after the end of the array or only
> actually accessing that reference. If the former, ubsan could treat
> REFERENCE_TYPE differently, if the latter, then I'm afraid it can't do that,
> and ubsan by design has to be done early before all the optimizations change
> the IL so much that it is completely lost what were the user errors in it.
> For the method calls, there really isn't a reference in the IL either, this
> argument is a pointer, but .UBSAN_BOUNDS calls are added in the FE and so
> perhaps it could know it is a method call and treat it as a reference.
> So, something can be done but we need answers on where the UB in C++ exactly
> happens.

For -fsanitize=null the rules are quite subtle: dereferencing by itself (*p) doesn't check for nullptr, but binding a reference (int& q = *p;) does.

Perhaps similar rules can be employed for the past-the-end element: taking a pointer to it is fine, but passing the pointer as the this parameter to a function is UB? At least this would be consistent with null pointers.
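The address-versus-access distinction discussed above, as an added C example (not code from the bug report or from GCC): for an n-by-m VLA, the one-past-the-end pointer of a row is spelled mas[i] + m as the comment suggests rather than &mas[i][m], and a checked accessor refuses to read the element at index m, the case the sanitizer must allow as an address but that must never be accessed. All function names and the sample data are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* C lets &mas[i][m] be formed (one past the end of row i), which is the
   off-by-one that -fsanitize=bounds deliberately permits; the element
   mas[i][m] itself must never be read or written. */
static bool can_form_address(size_t n, size_t m, size_t i, size_t j) {
    return i < n && j <= m;
}
static bool can_access(size_t n, size_t m, size_t i, size_t j) {
    return i < n && j < m;
}

/* Constructed sample data: mas[i][j] = 100*i + j. */
static void fill(size_t n, size_t m, int mas[n][m]) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < m; j++)
            mas[i][j] = (int)(100 * i + j);
}

/* Sum row i with the end pointer spelled mas[i] + m (pointer arithmetic,
   as the comment suggests) rather than &mas[i][m]; the end pointer is
   compared, never dereferenced.  Returns -1 for a row that does not exist. */
static long row_sum(size_t n, size_t m, int mas[n][m], size_t i) {
    if (i >= n) return -1;
    long sum = 0;
    for (const int *p = mas[i], *end = mas[i] + m; p != end; p++)
        sum += *p;
    return sum;
}

/* Checked read: refuses j == m, the index whose address the sanitizer must
   allow but whose element must not be read, and any row index >= n. */
static bool checked_get(size_t n, size_t m, int mas[n][m],
                        size_t i, size_t j, int *out) {
    if (!can_access(n, m, i, j)) return false;
    *out = mas[i][j];
    return true;
}
/* Drivers that build an n-by-m VLA on the stack and exercise the checks. */
static long demo_row_sum(size_t n, size_t m, size_t i) {
    int mas[n][m];
    fill(n, m, mas);
    return row_sum(n, m, mas, i);
}
static int demo_get(size_t n, size_t m, size_t i, size_t j) {
    int mas[n][m], v;
    fill(n, m, mas);
    return checked_get(n, m, mas, i, j, &v) ? v : -1;
}
```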