Dmitry, thank you response. I'd like to use a example to invite you help me clarify this magic more clearly. Thank your patience.
Below simple code has a global variable buffer overflow in line 6, and the Asan can correctly detect and report it. In this case, Asan use __asan_report_store4 instrumentation to check the &global_array[12], so and I think the"size"= 4, and the SHADOW_GRANULARITY=8. Also, "addr"=0x0000013a2ab0, "sp" = MEM_TO_SHADOW(addr) = 0x00008026c556, "s" = 0xf9. Then, ((s8)((addr & (SHADOW_GRANULARITY - 1)) + size - 1)) >= (s8)s) become ((0x0000013a2ab0 & (8-1)) + 4 -1) >= 0xf9, which is 3 >= 0xf9, and it is false. So, the total s != 0 && ((s8)((addr & (SHADOW_GRANULARITY - 1)) + size - 1)) >= (s8)s) is false, and Asan should not go into the ReportGenericError branch with this logic. How could Asan check this shadow memory correctly? #include <stdio.h> #include <stdlib.h> int global_array[11] = {0}; int main(int argc, char **argv) { int Index = 12; global_array[Index] = 0x12345678; // line 6, global buffer overflow, Index should <= 10 return 1; } ================================================================= ==3622==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013a2ab0 at pc 0x00000050a1e1 bp 0x7ffd39460b60 sp 0x7ffd39460b58 WRITE of size 4 at 0x0000013a2ab0 thread T0 #0 0x50a1e0 in main /home/jshi19/sanitizer/global_ASAN_MEMORY_ACCESS_CALLBACK_BODY.c:6:23 #1 0x7f68fbd8082f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291 #2 0x419368 in _start (/home/jshi19/sanitizer/a.out+0x419368) 0x0000013a2ab0 is located 4 bytes to the right of global variable 'global_array' defined in 'global_ASAN_MEMORY_ACCESS_CALLBACK_BODY.c:3:5' (0x13a2a80) of size 44 SUMMARY: AddressSanitizer: global-buffer-overflow /home/jshi19/sanitizer/global_ASAN_MEMORY_ACCESS_CALLBACK_BODY.c:6:23 in main Shadow bytes around the buggy address: 0x00008026c500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026c510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026c520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026c530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026c540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x00008026c550: 00 00 00 00 00 04[f9]f9 f9 f9 f9 f9 00 00 00 00 0x00008026c560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026c570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026c580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026c590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026c5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3622==ABORTING -- You received this message because you are subscribed to the Google Groups "address-sanitizer" group. To unsubscribe from this group and stop receiving emails from it, send an email to address-sanitizer+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.