From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 9165838708E8; Tue, 9 Mar 2021 08:39:28 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 9165838708E8 From: "vanyacpp at gmail dot com" To: gcc-bugs@gcc.gnu.org Subject: [Bug sanitizer/99418] sanitizer checks for accessing multidimentional VLA-array Date: Tue, 09 Mar 2021 08:39:28 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: sanitizer X-Bugzilla-Version: 10.2.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: vanyacpp at gmail dot com X-Bugzilla-Status: WAITING X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: gcc-bugs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-bugs mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Mar 2021 08:39:28 -0000 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D99418 --- Comment #6 from Ivan Sorokin --- (In reply to Jakub Jelinek from comment #4) > Asan can't by design detect neither #c0 nor #c1, only ubsan can. > The reason why ubsan has that off by one stuff is that in C/C++, > &mas[n - 1][m] is not undefined behavior, only mas[n - 1][m] is. That is very unfortunate. For standard containers subscripting with wrond index is undefined behavior no matter if it is followed by taking of addres= s. I assumed the same rules apply for builtin arrays. If one need just a point one can easily write a + n instead of &a[n]. Now I see that this is not the case and built-in arrays behave differently. > For #c1, the big question is what exactly is UB in C++, whether already > binding a reference to the object after the end of the array or only > actually accessing that reference. If the former, ubsan could treat > REFERENCE_TYPE differently, if the latter, then I'm afraid it can't do th= at, > and ubsan by design has to be done early before all the optimizations cha= nge > the IL so much that it is completely lost what were the user errors in it. > For the method calls, there really isn't a reference in the IL either, th= is > argument is a pointer, but .UBSAN_BOUNDS calls are added in the FE and so > perhaps it could know it is a method call and treat it as a reference. > So, something can be done but we need answers on where the UB in C++ exac= tly > happens. For -fsanitize=3Dnull the rules are quite subtle: dereferencing by itself (= *p) doesn't check for nullptr, but binding a reference (int& q =3D *p;) does. Perhaps similar rules can be employed for past-the-end element: taking poin= ter to it is fine, but passing the pointer as this parameter to function is UB?= At least this would be consistent with null pointers.=