https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92589

            Bug ID: 92589
           Summary: heuristic to avoid flexible array members too liberal
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: kees at outflux dot net
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org,
                    marxin at gcc dot gnu.org
  Target Milestone: ---

Created attachment 47305
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=47305&action=edit
PoC for -fsanitize=bounds

When choosing which arrays to instrument, -fsanitize=bounds tries to avoid
flexible array members. Traditionally, this has been either [], [0], or
[1]-sized arrays (though the latter two are realistically considered deprecated
in C).

However, the sanitizer appears to be ignoring _all_ trailing arrays in a
structure, no matter what their size. Comparing the behavior between GCC and
Clang, this is more visible:

$ gcc -Wall -g3 -fsanitize=bounds -fsanitize-undefined-trap-on-error -o bounds-gcc bounds.c
$ ./bounds-gcc abc
flex
non_flex
non_trailing
Illegal instruction (core dumped)

$ clang -Wall -g3 -fsanitize=bounds -fsanitize-undefined-trap-on-error -o bounds-clang bounds.c
$ ./bounds-clang abc
flex
non_flex
Illegal instruction (core dumped)

I would expect the trap during the non_flex structure over-index, as seen in
the Clang-built binary.
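The three layouts the report names, with explicit bounds checks and a model of the two skip heuristics it contrasts, as an added example (not the attached PoC; the field order, the size 3 and the helper names are assumptions):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed layouts for the three cases the report names (the attached
 * PoC is not on the page, so field order and the size 3 are assumptions). */
struct flex         { int count; char data[]; };    /* true flexible array member  */
struct non_flex     { int count; char data[3]; };   /* fixed-size *trailing* array */
struct non_trailing { char data[3]; int count; };   /* fixed-size, not trailing    */

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Static bounds a bounds sanitizer can see; sizeof is not evaluated, so the
 * null-pointer member access is only a type expression. */
size_t non_flex_bound(void)     { return ARRAY_LEN(((struct non_flex *)0)->data); }
size_t non_trailing_bound(void) { return ARRAY_LEN(((struct non_trailing *)0)->data); }

/* Model of the two heuristics the report contrasts: which trailing arrays does
 * -fsanitize=bounds leave uninstrumented?  declared_len < 0 stands for "[]". */
bool skipped_traditional(bool trailing, long declared_len) {
    return trailing && declared_len <= 1;          /* only [], [0] and [1] */
}
bool skipped_gcc_observed(bool trailing, long declared_len) {
    (void)declared_len;
    return trailing;                               /* every trailing array */
}

/* Explicit checks that do by hand what the instrumentation would do. */
bool non_flex_get(const struct non_flex *s, size_t idx, char *out) {
    if (idx >= non_flex_bound()) return false;     /* refuse the over-index */
    *out = s->data[idx];
    return true;
}
/* A flexible member has no static bound; the allocation's count is the bound. */
bool flex_get(const struct flex *f, size_t idx, char *out) {
    if (f->count < 0 || idx >= (size_t)f->count) return false;
    *out = f->data[idx];
    return true;
}

int main(void) {
    struct non_flex s = { 3, { 'a', 'b', 'c' } };
    char c;
    printf("non_flex[3] in bounds: %s\n", non_flex_get(&s, 3, &c) ? "yes" : "no");
    printf("[3] trailing skipped: traditional=%d gcc_observed=%d\n",
           skipped_traditional(true, 3), skipped_gcc_observed(true, 3));
    return 0;
}
```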
