https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68016
Bug ID: 68016
Summary: ASan doesn't catch overflow in globals when COPY relocation is involved.
Product: gcc
Version: 6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: chefmax at gcc dot gnu.org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, y.gribov at samsung dot com
Target Milestone: ---
Host: x86_64-pc-linux-gnu
Target: x86_64-pc-linux-gnu
Build: x86_64-pc-linux-gnu

Consider:

max@max:~/workspace/downloads/gcc$ cat libfoo.c
int f[5] = {1};
max@max:~/workspace/downloads/gcc$ cat main.c
extern int f[5];
int main () {
  return f[5];
}
max@max:~/workspace/downloads/gcc$ ~/install/master-ref/bin/gcc -fsanitize=address libfoo.c -shared -fpic -fsanitize=address -o libfoo.so
max@max:~/workspace/downloads/gcc$ ~/install/master-ref/bin/gcc -fsanitize=address main.c -c -o main.o
max@max:~/workspace/downloads/gcc$ ~/install/master-ref/bin/gcc -fsanitize=address main.o ./libfoo.so -o main
max@max:~/workspace/downloads/gcc$ LD_LIBRARY_PATH=~/install/master-ref/lib64 ASAN_OPTIONS=report_globals=3 ./main
    #0 0x7f73cc9bfdde in __asan_register_globals /home/max/workspace/downloads/gcc/libsanitizer/asan/asan_globals.cc:228
    #1 0x7f73cc796800 in _GLOBAL__sub_I_00099_1_libfoo.c (libfoo.so+0x800)
    #2 0x7f73cd910139 (/lib64/ld-linux-x86-64.so.2+0x10139)
    #3 0x7f73cd910222 (/lib64/ld-linux-x86-64.so.2+0x10222)
    #4 0x7f73cd901309 (/lib64/ld-linux-x86-64.so.2+0x1309)
=== ID 738197505; 0x7f73cc996bc0 0x7f73cc996bc0
==16063==Added Global[0x7f73cc996bc0]: beg=0x7f73cc996b60 size=20/64 name=f module=libfoo.c dyn_init=0
==16063==  location (0x7f73cc996ba0): name=libfoo.c[0x7f73cc79680d], 1 5
max@max:~/workspace/downloads/gcc$ readelf -r main | grep COPY
00000070eac0  025400000005 R_X86_64_COPY     000000000070eac0 f + 0

This happens due to private aliases, used by GCC to register globals.
LLVM catches this overflow, but it has another drawback - mixing sanitized and non-sanitized code may lead to an application crash. I don't know if there is a good fix for both issues. Any thoughts? IMHO, false negatives are preferable to an application crash.
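As an added example (not code from the bug report or from GCC), the script below automates the reporter's `readelf -r main | grep COPY` check on a copy of the two-file reproducer built without -fsanitize=address, and contrasts the report's non-PIC consumer with one compiled -fPIC, which references f through the GOT instead of taking a copy relocation. It assumes gcc and readelf are on PATH and that gcc accepts -fno-pie/-no-pie; the file names mirror the report.

```sh
#!/bin/sh
# Added example, not part of the bug report: rebuild the reporter's two-file
# reproducer (without -fsanitize=address, so it builds without libasan) and
# count the copy relocations in the resulting executable.  A *_COPY entry
# means the executable gets its own 20-byte copy of f in .bss, so main()'s
# access never touches the instance in libfoo.so that ASan registered.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same sources as the report; the index is kept in bounds because the
# relocation, not the overflow, is what this script inspects.
printf 'int f[5] = {1};\n' > "$WORK/libfoo.c"
printf 'extern int f[5];\nint main(void) { return f[4]; }\n' > "$WORK/main.c"

have_tools() {
    command -v gcc >/dev/null 2>&1 && command -v readelf >/dev/null 2>&1
}

# count_copy_relocs FILE: print the number of copy relocations in FILE
# (R_X86_64_COPY on the reporter's target; the pattern also matches the
# *_COPY relocation type of other ELF targets).
count_copy_relocs() {
    readelf -r "$1" | grep -c 'R_[A-Z0-9_]*_COPY' || true
}

# build_consumer COMPILE_FLAG LINK_FLAG: build libfoo.so and main the way the
# report does, with the given extra flags for the consumer (main.c), and
# print the executable's copy-relocation count.  The flags are intentionally
# unquoted so that an empty argument expands to nothing.
build_consumer() {
    gcc -shared -fPIC "$WORK/libfoo.c" -o "$WORK/libfoo.so"
    gcc $1 -c "$WORK/main.c" -o "$WORK/main.o"
    gcc $2 "$WORK/main.o" "$WORK/libfoo.so" -o "$WORK/main"
    count_copy_relocs "$WORK/main"
}

if have_tools; then
    # Non-PIC consumer, as in the report: the linker resolves the direct
    # reference to f with a copy relocation, so the count is non-zero.
    echo "copy relocs, consumer built -fno-pie/-no-pie: $(build_consumer -fno-pie -no-pie)"
    # -fPIC consumer: the reference goes through the GOT to the instance of f
    # inside libfoo.so, the one ASan registered, so no copy is made.
    echo "copy relocs, consumer built -fPIC:            $(build_consumer -fPIC '')"
fi
```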