https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888

--- Comment #19 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
(In reply to Kostya Serebryany from comment #18)
> I am disoriented.
> Can you please give a full repro (with command lines, etc) where
> we'll now produce a false positive (in clang or in gcc)?

$ cat libfoo.c
long f = 4;
long g = 5;
long foo (long *p) { return *p; }
$ cat main.c
extern void abort (void);
char a[32] __attribute__((aligned (32))) = { 1 };
long f = 4;
long b1 = 2, b2 = 3, b3 = 4, b4 = 5, b5 = 6, b6 = 7, b7 = 8;
long g = 5;
long c1 = 2, c2 = 3, c3 = 4, c4 = 5, c5 = 6, c6 = 7, c7 = 8;
long foo (long *);

int main ()
{
  if (foo (&f) != 4 || foo (&b1) != 2 || foo (&b2) != 3 || foo (&b3) != 4
      || foo (&b4) != 5 || foo (&b5) != 6 || foo (&b6) != 7 || foo (&b7) != 8
      || foo (&g) != 5 || foo (&c1) != 2 || foo (&c2) != 3 || foo (&c3) != 4
      || foo (&c4) != 5 || foo (&c5) != 6 || foo (&c6) != 7 || foo (&c7) != 8)
    abort ();
  return 0;
}
$ gcc -fsanitize=address -g -shared -fpic -o libfoo.{so,c}
$ gcc -c -g -o main.{o,c}
$ gcc -fsanitize=address -o main{,.o} ./libfoo.so
$ ./main; echo $?
0
$ clang -fsanitize=address -g -shared -fpic -o libfoo.{so,c}
$ clang -c -g -o main.{o,c}
$ clang -fsanitize=address -o main{,.o} ./libfoo.so
$ ./main; echo $?
=================================================================
==5535==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000006dca28 at pc 0x7f691dc51b94 bp 0x7fffd23e0930 sp 0x7fffd23e0928
READ of size 8 at 0x0000006dca28 thread T0
    #0 0x7f691dc51b93 in foo /tmp/libfoo.c:3:22
    #1 0x4ba3c8 in main /tmp/main.c:11:24
    #2 0x327981ffdf in __libc_start_main (/lib64/libc.so.6+0x327981ffdf)
    #3 0x434366 in _start (/tmp/main+0x434366)

0x0000006dca28 is located 56 bytes to the left of global variable 'g' defined
in 'libfoo.c:2:6' (0x6dca60) of size 8
0x0000006dca28 is located 0 bytes to the right of global variable 'f' defined
in 'libfoo.c:1:6' (0x6dca20) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/libfoo.c:3 foo
Shadow bytes around the buggy address:
  0x0000800d38f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800d3940: 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800d3950: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==5535==ABORTING
1

Is this clear?  This is on an access to the b1 variable defined in main.c,
certainly not anything around the f variable defined in libfoo.c.

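A small model of why the report above points at b1, added here as an illustration and not code from the bug report, GCC or LLVM: it reproduces ASan's x86-64 Linux shadow mapping ((addr >> 3) + 0x7fff8000) and a simplified version of global registration, then shows that registering libfoo.so's `f` through the interposed (executable) address poisons the executable's neighbouring b1..b7, while registering the library's own copy does not. The addresses of f and b1 come from the report; the library-copy address and the shadow window are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SHADOW_OFFSET  0x7fff8000ULL  /* ASan shadow base on x86-64 Linux */
#define GLOBAL_REDZONE 0xf9           /* "Global redzone" in the legend above */

/* ASan's shadow address formula on x86-64: one shadow byte per 8 app bytes. */
static uint64_t shadow_addr(uint64_t addr) { return (addr >> 3) + SHADOW_OFFSET; }

/* Constructed: a tiny shadow map covering the executable's .data around f. */
#define WINDOW_BASE 0x6dca00ULL
#define WINDOW_SIZE 0x100ULL
static uint8_t shadow[WINDOW_SIZE / 8];

static uint8_t *shadow_for(uint64_t addr) {
    if (addr < WINDOW_BASE || addr >= WINDOW_BASE + WINDOW_SIZE) return NULL;
    return &shadow[(addr - WINDOW_BASE) >> 3];
}

/* Simplified model of global registration: the global's own bytes stay
   addressable, the right redzone after it is poisoned with f9.  The address
   used is whatever the instrumented module resolves the symbol to. */
static void register_global(uint64_t addr, uint64_t size, uint64_t redzone) {
    for (uint64_t a = addr + size; a < addr + size + redzone; a += 8) {
        uint8_t *s = shadow_for(a);
        if (s) *s = GLOBAL_REDZONE;
    }
}

/* Model of an instrumented 8-byte load: reported if its shadow byte is poisoned. */
static int access_is_reported(uint64_t addr) {
    uint8_t *s = shadow_for(addr);
    return s != NULL && *s != 0;
}

/* Layout from the report: the executable's uninstrumented f at 0x6dca20,
   b1 immediately after it.  LIB_F is a constructed address for libfoo.so's
   own copy of f, which lies outside the executable's data. */
#define EXE_F  0x6dca20ULL
#define EXE_B1 (EXE_F + 8)
#define LIB_F  0x7f691de00020ULL

/* interposed=1: libfoo.so registers f at the address the executable's f
   interposed it to.  The report shows a 56-byte gap between f and g, so
   that is the redzone size used here. */
static int b1_false_positive(int interposed) {
    memset(shadow, 0, sizeof shadow);
    register_global(interposed ? EXE_F : LIB_F, 8, 56);
    return access_is_reported(EXE_B1);
}
```

The shadow address computed for 0x6dca28 lands at 0x800d3945, the `[f9]` byte in the `=>` row of the report.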