https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108894
Bug ID: 108894
Summary: -fsanitize=bounds missing bounds provided by __builtin_dynamic_object_size()
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: kees at outflux dot net
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---

Created attachment 54508
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54508&action=edit
PoC showing lack of __bdos support in -fsanitize=bounds

While -fsanitize=bounds is able to perform run-time bounds checking on fixed-size arrays (i.e. when __builtin_object_size(x, 1) does not return SIZE_MAX), it does not perform bounds checking when __builtin_dynamic_object_size(x, 1) is available. For example, the attached program produces _no_ bounds-checker warnings:

$ gcc -Wall -O2 -fstrict-flex-arrays=3 -fsanitize=bounds -fstrict-flex-arrays=3 -o bounds bounds.c
$ ./bounds
p->array has a fixed size: 64 (16 elements of size 4)
p->array[0] assignment: 255 (should be ok)
p->array[16] assignment: 255 (should be failure)
p->array has a dynamic size: 64 (16 elements of size 4)
p->array[0] assignment: 255 (should be ok)
p->array[16] assignment: 255 (should be failure)
p->array has unknowable size
p->array[0] assignment: 255 (should be ok)
p->array[16] assignment: 255 (should be failure)

Note that the first failure for a fixed size array implies that -fsanitize=bounds has also not been wired up to -fstrict-flex-arrays=3, so it is ignoring all trailing arrays.
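The attachment itself is not reproduced on this page. As an added example (not the reporter's PoC and not GCC code), the program below reconstructs the three situations the output above distinguishes: a fixed-size trailing array whose size __builtin_object_size(..., 1) knows from the type, a flexible array member whose size __builtin_dynamic_object_size(..., 1) can see only in the function that allocates it, and the same flexible array reached through a pointer of unknown provenance. Each case is paired with an explicit count-based check, which is what a code base has to carry while the sanitizer does not consume the dynamic size. The struct and function names, the 16-element size and the count field are constructed for this example; __builtin_dynamic_object_size is a GCC 12 (and Clang) builtin, so older compilers fall back to the static query.

```c
/* Added example reconstructing the report's three cases; not the attachment.
 * Build e.g.: gcc -Wall -O2 -fstrict-flex-arrays=3 -fsanitize=bounds bounds_manual.c
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NELEMS 16   /* constructed: 16 elements of 4 bytes, as in the report's output */

/* __builtin_dynamic_object_size exists in GCC 12+ and Clang; fall back to
 * the static query elsewhere so the example still compiles. */
#ifdef __has_builtin
# if __has_builtin(__builtin_dynamic_object_size)
#  define BDOS(p) __builtin_dynamic_object_size((p), 1)
# endif
#endif
#ifndef BDOS
# define BDOS(p) __builtin_object_size((p), 1)
#endif

/* Case 1: fixed-size trailing array. With -fstrict-flex-arrays=3 it is
 * never treated as a flexible array, so its size is known from the type. */
struct fixed {
    size_t count;
    uint32_t array[NELEMS];
};

/* Cases 2 and 3: a real flexible array member. Its size lives only in the
 * allocation, so only __builtin_dynamic_object_size can report it, and
 * only where that allocation is visible. */
struct flex {
    size_t count;
    uint32_t array[];
};

/* Byte size the compiler attributes to p->array (mode 1: closest enclosing
 * subobject). SIZE_MAX means "unknown". */
static size_t fixed_array_size(struct fixed *p)
{
    return __builtin_object_size(p->array, 1);
}

/* Case 2: allocate and query in the same function, so the dynamic size
 * (n * 4 bytes) is visible to the compiler when optimizing. */
static struct flex *flex_alloc(size_t n, size_t *seen_size)
{
    struct flex *p = malloc(sizeof *p + n * sizeof p->array[0]);
    if (!p)
        return NULL;
    p->count = n;
    *seen_size = BDOS(p->array);
    return p;
}

/* Case 3: the same query through a pointer whose allocation is out of view. */
__attribute__((noinline))
static size_t flex_array_size_opaque(struct flex *p)
{
    return BDOS(p->array);
}

/* Explicit checks: the stores the report expects the sanitizer to reject are
 * rejected here regardless of what the compiler knows about the object.
 * Return 1 when the store happened, 0 when the index was out of bounds. */
static int fixed_store(struct fixed *p, size_t idx, uint32_t val)
{
    if (idx >= NELEMS)
        return 0;
    p->array[idx] = val;
    return 1;
}

static int flex_store(struct flex *p, size_t idx, uint32_t val)
{
    if (idx >= p->count)
        return 0;
    p->array[idx] = val;
    return 1;
}

/* Runs all three cases; returns 0 on success, else a bit per failed check. */
static int selfcheck(void)
{
    struct fixed f = { .count = NELEMS };
    size_t dyn = 0, elem = sizeof(uint32_t);
    struct flex *p = flex_alloc(NELEMS, &dyn);
    int bad = 0;

    if (!p)
        return 1 << 0;
    if (fixed_array_size(&f) != NELEMS * elem && fixed_array_size(&f) != SIZE_MAX)
        bad |= 1 << 1;
    if (dyn != NELEMS * elem && dyn != SIZE_MAX)
        bad |= 1 << 2;
    if (!fixed_store(&f, 0, 255) || fixed_store(&f, NELEMS, 255))
        bad |= 1 << 3;   /* index 16 must be rejected */
    if (!flex_store(p, 0, 255) || flex_store(p, NELEMS, 255))
        bad |= 1 << 4;
    free(p);
    return bad;
}

static void report(const char *kind, size_t size)
{
    if (size == SIZE_MAX)
        printf("p->array has unknowable size (%s query)\n", kind);
    else
        printf("p->array has a %s size: %zu (%zu elements of size %zu)\n",
               kind, size, size / sizeof(uint32_t), sizeof(uint32_t));
}

int main(void)
{
    struct fixed f = { .count = NELEMS };
    size_t dyn = SIZE_MAX;
    struct flex *p = flex_alloc(NELEMS, &dyn);
    if (!p)
        return 1;
    report("fixed", fixed_array_size(&f));
    report("dynamic", dyn);
    report("opaque", flex_array_size_opaque(p));
    printf("p->array[16] store on fixed: %s\n", fixed_store(&f, 16, 255) ? "accepted" : "rejected");
    printf("p->array[16] store on flex:  %s\n", flex_store(p, 16, 255) ? "accepted" : "rejected");
    free(p);
    return selfcheck();
}
```

At -O2 with GCC 12 or later the "dynamic" query inside flex_alloc reports 64 bytes while the "opaque" query reports SIZE_MAX, which is exactly the information the report says -fsanitize=bounds does not yet use: the count-based accessors reject index 16 in both cases, whereas the sanitizer only has the static type to go on.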