https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108824
Bug ID: 108824
Summary: ASAN -O2/3 missed a stack-buffer-underflow since GCC-10
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: shaohua.li at inf dot ethz.ch
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---

For the following code, ASAN at -O2 has missed the stack-buffer-underflow since GCC-10, while -O3 has missed it since GCC-8. Clang can detect it at all opt levels.

Compiler explorer: https://godbolt.org/z/vM7bPq7de

% cat a.c
struct a {};
struct b {
  unsigned c;
} g;
char d, f;;
int e=1, h;
void i();
void j() {
  int k=0;
  struct a l;
  for (; h < 4; h++)
    i(g, 0, &e, &k, 0);   /* n points at k; i() reads the int just below it */
}
void i(struct b p1, long p2, int *m, int *n, struct b o) {
  *m = o.c > *(n - 1);    /* 4-byte read at k - 4: the stack-buffer-underflow */
  for (; f;)
    for (; d;)
      ;
}
int main() {
  j();
  return e;
}
%
% gcc-tk -O2 -fsanitize=address a.c && ./a.out
%
% gcc-9 -O2 -fsanitize=address a.c && ./a.out
=================================================================
==1==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffda463e79c at pc 0x0000004009e2 bp 0x7ffda463e6f0 sp 0x7ffda463e6e8
READ of size 4 at 0x7ffda463e79c thread T0
    #0 0x4009e1 in i /a.c:19
    #1 0x400a99 in j /a.c:15
    #2 0x40074a in main /a.c:24
    #3 0x7fc175a80082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #4 0x4007bd in _start (/a.s+0x4007bd)

Address 0x7ffda463e79c is located in stack of thread T0 at offset 28 in frame
    #0 0x4009ff in j /a.c:10

  This frame has 1 object(s):
    [32, 36) 'k' (line 11) <== Memory access at offset 28 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /a.c:19 in i
Shadow bytes around the buggy address:
  0x1000348bfca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfce0: 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00
=>0x1000348bfcf0: f1 f1 f1[f1]04 f3 f3 f3 00 00 00 00 00 00 00 00
  0x1000348bfd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000348bfd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  ...
%
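Added example, not part of the bug report and not GCC's or LLVM's own sanitizer code: a small C program that replays ASan's shadow-byte check over the "=>" row printed in the gcc-9 report above. It assumes the default x86_64 Linux shadow mapping, shadow = (addr >> 3) + 0x7fff8000, and the 8-byte granule stated in the report's legend; the row contents, the row's shadow address and the address of 'k' (offset 32 in j's frame, so 0x7ffda463e7a0) are transcribed from the report, and the bug-class names are the ones ASan prints for those shadow values. The point for a practitioner: in the gcc-9 run the shadow memory is poisoned exactly as it should be, and the 4-byte read at offset 28 lands in the f1 (stack left redzone) granule, so the only thing that can make the newer -O2/-O3 builds silent is that the instrumented load is no longer checked; ASan only checks loads the optimizer leaves behind, so a clean -O2 run is not evidence that the access is in bounds. Compare -O0 against -O2 before trusting a negative result.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed: the default x86_64 Linux shadow mapping, shadow = (addr >> 3) + 0x7fff8000.
 * One shadow byte describes an 8-byte application granule (report legend). */
#define ASAN_SHADOW_SCALE  3
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL

uint64_t asan_shadow_addr(uint64_t app_addr) {
    return (app_addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* Bug class ASan prints for a poisoned shadow value (subset of its legend;
 * 0..7 describe addressable granules and are not errors). */
const char *asan_bug_kind(int shadow) {
    if (shadow >= 0 && shadow < 8) return "addressable";
    switch (shadow) {
    case 0xf1: return "stack-buffer-underflow";   /* stack left redzone  */
    case 0xf2:                                    /* stack mid redzone   */
    case 0xf3: return "stack-buffer-overflow";    /* stack right redzone */
    case 0xf5: return "stack-use-after-return";
    case 0xf7: return "use-after-poison";
    case 0xf8: return "stack-use-after-scope";
    case 0xf9: return "global-buffer-overflow";
    case 0xfa: return "heap-buffer-overflow";     /* heap left redzone   */
    case 0xfd: return "heap-use-after-free";
    default:   return "unknown-crash";
    }
}

/* Replay ASan's check of a `size`-byte access at `addr` against one 16-byte
 * shadow row; row[0] is the shadow byte at shadow address `row_base`, i.e.
 * one "0x...:" line of the dump. Returns 0 if every byte is addressable, -1
 * if the access leaves the row, otherwise the shadow value that names the
 * bug. *bad_addr receives the first offending application byte. When a
 * partially addressable granule (value 1..7) is exceeded, the following
 * shadow byte decides the class, which is how ASan reports it. */
int asan_check_row(const uint8_t row[16], uint64_t row_base,
                   uint64_t addr, size_t size, uint64_t *bad_addr) {
    for (size_t i = 0; i < size; i++) {
        uint64_t a = addr + i;
        uint64_t s = asan_shadow_addr(a);
        if (s < row_base || s - row_base >= 16) return -1;
        size_t idx = (size_t)(s - row_base);
        uint8_t sb = row[idx];
        unsigned off = (unsigned)(a & 7);          /* position inside the granule */
        if (sb == 0 || (sb < 8 && off < sb)) continue;  /* this byte is fine */
        if (bad_addr) *bad_addr = a;
        if (sb < 8) return idx + 1 < 16 ? (int)row[idx + 1] : -1;
        return (int)sb;
    }
    return 0;
}

/* Transcribed from the report: the "=>" row at shadow 0x1000348bfcf0.
 * f1 x4 = 32-byte left redzone, 04 = the 4-byte 'k', f3 = right redzone. */
const uint8_t  REPORT_ROW[16]  = { 0xf1, 0xf1, 0xf1, 0xf1, 0x04, 0xf3, 0xf3, 0xf3,
                                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
const uint64_t REPORT_ROW_BASE = 0x1000348bfcf0ULL;
const uint64_t REPORT_K_ADDR   = 0x7ffda463e7a0ULL;  /* 'k' at frame offset 32; bad access at 28 */

static void show(const char *what, uint64_t addr, size_t size) {
    uint64_t bad = 0;
    int r = asan_check_row(REPORT_ROW, REPORT_ROW_BASE, addr, size, &bad);
    if (r == 0)
        printf("%-20s %zu @ 0x%" PRIx64 ": ok\n", what, size, addr);
    else if (r == -1)
        printf("%-20s %zu @ 0x%" PRIx64 ": outside this row\n", what, size, addr);
    else
        printf("%-20s %zu @ 0x%" PRIx64 ": %s (first bad byte 0x%" PRIx64 ", shadow value %02x)\n",
               what, size, addr, asan_bug_kind(r), bad, r);
}

int main(void) {
    show("*(n - 1), the report", REPORT_K_ADDR - 4, 4);  /* stack-buffer-underflow */
    show("k itself",             REPORT_K_ADDR,     4);  /* ok */
    show("k, one byte too far",  REPORT_K_ADDR,     5);  /* stack-buffer-overflow */
    return 0;
}
```

The byte-by-byte loop is deliberately the slow, obvious form of the check rather than ASan's fast path, so the redzone arithmetic can be read off directly: the report's address 0x7ffda463e79c maps to shadow 0x1000348bfcf3, the bracketed [f1] in the dump.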