https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888
--- Comment #19 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
(In reply to Kostya Serebryany from comment #18)
> I am disoriented.
> Can you please give a full repro (with command lines, etc) where
> we'll now produce a false positive (in clang or in gcc)?

$ cat libfoo.c
long f = 4;
long g = 5;
long foo (long *p) { return *p; }
$ cat main.c
extern void abort (void);
char a[32] __attribute__((aligned (32))) = { 1 };
long f = 4;
long b1 = 2, b2 = 3, b3 = 4, b4 = 5, b5 = 6, b6 = 7, b7 = 8;
long g = 5;
long c1 = 2, c2 = 3, c3 = 4, c4 = 5, c5 = 6, c6 = 7, c7 = 8;
long foo (long *);
int
main ()
{
  if (foo (&f) != 4 || foo (&b1) != 2 || foo (&b2) != 3 || foo (&b3) != 4
      || foo (&b4) != 5 || foo (&b5) != 6 || foo (&b6) != 7 || foo (&b7) != 8
      || foo (&g) != 5 || foo (&c1) != 2 || foo (&c2) != 3 || foo (&c3) != 4
      || foo (&c4) != 5 || foo (&c5) != 6 || foo (&c6) != 7 || foo (&c7) != 8)
    abort ();
  return 0;
}
$ gcc -fsanitize=address -g -shared -fpic -o libfoo.{so,c}
$ gcc -c -g -o main.{o,c}
$ gcc -fsanitize=address -o main{,.o} ./libfoo.so
$ ./main; echo $?
0
$ clang -fsanitize=address -g -shared -fpic -o libfoo.{so,c}
$ clang -c -g -o main.{o,c}
$ clang -fsanitize=address -o main{,.o} ./libfoo.so
$ ./main; echo $?
=================================================================
==5535==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006dca28 at pc 0x7f691dc51b94 bp 0x7fffd23e0930 sp 0x7fffd23e0928
READ of size 8 at 0x0000006dca28 thread T0
    #0 0x7f691dc51b93 in foo /tmp/libfoo.c:3:22
    #1 0x4ba3c8 in main /tmp/main.c:11:24
    #2 0x327981ffdf in __libc_start_main (/lib64/libc.so.6+0x327981ffdf)
    #3 0x434366 in _start (/tmp/main+0x434366)

0x0000006dca28 is located 56 bytes to the left of global variable 'g' defined in 'libfoo.c:2:6' (0x6dca60) of size 8
0x0000006dca28 is located 0 bytes to the right of global variable 'f' defined in 'libfoo.c:1:6' (0x6dca20) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/libfoo.c:3 foo
Shadow bytes around the buggy address:
  0x0000800d38f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800d3940: 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800d3950: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d3990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
==5535==ABORTING
1

Is this clear? This is on access of the b1 variable defined in main.c, certainly not anything around the f variable defined in libfoo.c.
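As an added illustration (not part of the bug report or of either compiler), this C program walks through the arithmetic behind the report above: it maps the faulting address to its shadow byte with the x86_64 Linux ASan mapping (Shadow = (Mem >> 3) + 0x7fff8000) and resolves the address against the uninstrumented executable's own globals. The addresses of f (0x6dca20) and g (0x6dca60) are the ones ASan printed; the b1..b7 addresses are constructed by laying the seven longs between them, which the "56 bytes to the left of 'g'" line fixes, and the table and helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout of main's uninstrumented .data, from the report: f and g
 * are the addresses ASan printed; b1..b7 are the seven 8-byte longs between
 * them (0x6dca28..0x6dca58), matching "56 bytes to the left of 'g'". */
typedef struct { const char *name; uint64_t addr; uint64_t size; } sym_t;
static const sym_t main_syms[] = {
  { "f", 0x6dca20, 8 }, { "b1", 0x6dca28, 8 }, { "b2", 0x6dca30, 8 },
  { "b3", 0x6dca38, 8 }, { "b4", 0x6dca40, 8 }, { "b5", 0x6dca48, 8 },
  { "b6", 0x6dca50, 8 }, { "b7", 0x6dca58, 8 }, { "g", 0x6dca60, 8 },
};

/* x86_64 Linux ASan mapping: Shadow = (Mem >> 3) + 0x7fff8000. */
uint64_t asan_shadow_addr (uint64_t mem)
{
  return (mem >> 3) + 0x7fff8000ULL;
}

/* Which of the executable's own globals actually contains addr? */
const sym_t *sym_containing (uint64_t addr)
{
  for (size_t i = 0; i < sizeof main_syms / sizeof main_syms[0]; i++)
    if (addr >= main_syms[i].addr && addr - main_syms[i].addr < main_syms[i].size)
      return &main_syms[i];
  return NULL;
}

/* Decode a shadow byte the way the report's legend does. */
const char *shadow_meaning (uint8_t sb)
{
  if (sb == 0x00) return "addressable";
  if (sb < 0x08) return "partially addressable";
  if (sb == 0xf9) return "global redzone";
  return "other poison";
}

int main (void)
{
  uint64_t bad = 0x6dca28;              /* faulting address in the report */
  uint64_t sh = asan_shadow_addr (bad); /* 0x800d3945, the [f9] slot       */
  const sym_t *s = sym_containing (bad);
  printf ("0x%llx -> shadow 0x%llx (%s), but it is really '%s' in main.c\n",
          (unsigned long long) bad, (unsigned long long) sh,
          shadow_meaning (0xf9), s ? s->name : "?");
  return 0;
}
```

The shadow address lands five bytes into the report's "=>0x0000800d3940" line, exactly where the [f9] marker sits, while the symbol lookup shows the access is inside b1.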