https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70514

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |msebor at gcc dot gnu.org
         Resolution|---                         |INVALID

--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---
There are known problems with VLAs in G++ (see bug 16994) but I don't think
this is one of them.  I suspect the problem you are seeing is due to the
sort_of_sieve() function writing past the end of the variable length array
allocated in factorize() as underlined below.  With that fixed, the output is
as expected.  I'm going to close this report as invalid but feel free to reopen
it if you think I missed something.

As an aside, even though I would expect Address Sanitizer to find the bug in
the program, it doesn't (or at least not reliably, and when it does catch it,
it fails to indicate what caused it).  I would view that as a bug in the
sanitizer and suggest opening one for it.

void sort_of_sieve(bool primes[], int n) {
    for (int i = 2; i <= n; i++) {
                    ^^^^^^
        primes[i] = true;
    }
}

void factorize(int n, int OUT[]) {
    bool primes[n];
                ^
    int factors = 0;
    sort_of_sieve(primes, n);
                          ^

With -fsanitize=address, when the program does crash (it doesn't always), I get
one of the following two reports:

ASAN:DEADLYSIGNAL
=================================================================
==20465==ERROR: AddressSanitizer: stack-overflow on address 0x7fffdeac0000 (pc
0x000000400be7 bp 0x7fffdeabd330 sp 0x7fffdeabd2e0 T0)
    #0 0x400be6 in factorize(int, int*) (/home/msebor/build/tmp/a.out+0x400be6)
    #1 0x400d19 in main (/home/msebor/build/tmp/a.out+0x400d19)
    #2 0x7fbd9661157f in __libc_start_main (/lib64/libc.so.6+0x2057f)
    #3 0x4009a8 in _start (/home/msebor/build/tmp/a.out+0x4009a8)

SUMMARY: AddressSanitizer: stack-overflow
(/home/msebor/build/tmp/a.out+0x400be6) in factorize(int, int*)
==20465==ABORTING

or this one:

=================================================================
==20463==ERROR: AddressSanitizer: stack-buffer-underflow on address
0x7fff54492d01 at pc 0x000000400be4 bp 0x7fff54492c80 sp 0x7fff54492c78
WRITE of size 4 at 0x7fff54492d01 thread T0
    #0 0x400be3 in factorize(int, int*) (/home/msebor/build/tmp/a.out+0x400be3)
    #1 0x400d19 in main (/home/msebor/build/tmp/a.out+0x400d19)
    #2 0x7faa9866c57f in __libc_start_main (/lib64/libc.so.6+0x2057f)
    #3 0x4009a8 in _start (/home/msebor/build/tmp/a.out+0x4009a8)

Address 0x7fff54492d01 is located in stack of thread T0 at offset 1 in frame
    #0 0x400c8c in main (/home/msebor/build/tmp/a.out+0x400c8c)

  This frame has 1 object(s):
    [32, 232) 'fact'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow
(/home/msebor/build/tmp/a.out+0x400be3) in factorize(int, int*)
Shadow bytes around the buggy address:
  0x10006a88a550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a88a560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a88a570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a88a580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a88a590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006a88a5a0:[f1]f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a88a5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 f4 f4
  0x10006a88a5c0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a88a5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a88a5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a88a5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20463==ABORTING
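The off-by-one Martin points to above (a loop that runs to i == n over an array of n elements) is the whole bug. What follows is an added example, not code from the bug report or from GCC, showing the bounds-correct shape of the same code: the VLA is sized n + 1 so that index n is a real element, and the factor buffer's capacity is passed explicitly so the callee cannot run off the end of the caller's frame (the second ASan report above shows exactly that: the stray write landed in main's 'fact' object). It is written in C, where VLAs are standard C99 rather than a G++ extension; the function names sieve, count_primes_upto and factorize_checked and the sample inputs are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the bug report: an array of n elements has valid
 * indices 0..n-1, so a loop that touches primes[n] needs an array of n+1
 * elements (or must stop at n-1).  Every caller below allocates n+1. */

/* Sieve of Eratosthenes over primes[0..n].
 * Precondition: primes points to at least n+1 elements. */
void sieve(bool primes[], int n) {
    for (int i = 0; i <= n; i++)          /* i == n is in bounds: size is n+1 */
        primes[i] = (i >= 2);
    for (int p = 2; (long)p * p <= n; p++)
        if (primes[p])
            for (int m = p * p; m <= n; m += p)
                primes[m] = false;
}

/* Number of primes <= n, using a VLA of n+1 (not n) elements.
 * Note: a VLA sized by untrusted n is itself a stack-exhaustion risk
 * (the first ASan report above is a stack-overflow); cap n in real code. */
int count_primes_upto(int n) {
    if (n < 2)
        return 0;
    bool primes[n + 1];                   /* n+1 elements so primes[n] exists */
    sieve(primes, n);
    int count = 0;
    for (int i = 2; i <= n; i++)
        count += primes[i];
    return count;
}

/* Prime factorization of n into OUT (ascending, with repetition).
 * Unlike factorize(int, int OUT[]) in the report, the capacity of OUT is
 * passed in; returns the number of factors written, or -1 if OUT is too
 * small (nothing is written past OUT[out_cap-1]). */
int factorize_checked(int n, int OUT[], size_t out_cap) {
    if (n < 2)
        return 0;
    bool primes[n + 1];                   /* again n+1, matching sieve()'s contract */
    sieve(primes, n);
    size_t written = 0;
    int m = n;
    for (int p = 2; m > 1 && p <= n; p++) {
        if (!primes[p])
            continue;
        while (m % p == 0) {
            if (written == out_cap)
                return -1;                /* caller's buffer full: refuse to overrun */
            OUT[written++] = p;
            m /= p;
        }
    }
    return (int)written;
}

int main(void) {
    printf("primes <= 30: %d\n", count_primes_upto(30));
    int fact[16];
    int k = factorize_checked(360, fact, sizeof fact / sizeof fact[0]);
    printf("360 =");
    for (int i = 0; i < k; i++)
        printf(" %d", fact[i]);
    printf("\n");
    return 0;
}
```

Compiled with -fsanitize=address -g, this version runs clean; changing either `n + 1` back to `n` reproduces the out-of-bounds write the comment describes, which is a quick way to confirm that the sanitizer's report (when it appears) is about the sieve loop and not about VLA support in the compiler.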
