https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82501
--- Comment #14 from Andrey Drobyshev <a.drobyshev at samsung dot com> ---
(In reply to Martin Liška from comment #12)
> However:
> g++-8 -fsanitize=address global4.c -fno-common && ./a.out
> =================================================================
> ==12713==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004040e4 at pc 0x00000040118e bp 0x7fffffffdc00 sp 0x7fffffffdbf8
> READ of size 4 at 0x0000004040e4 thread T0
>     #0 0x40118d in main (/home/marxin/Programming/testcases/a.out+0x40118d)
>     #1 0x7ffff7076b7a in __libc_start_main ../csu/libc-start.c:308
>     #2 0x4010a9 in _start (/home/marxin/Programming/testcases/a.out+0x4010a9)
>
> 0x0000004040e4 is located 0 bytes to the right of global variable 'f' defined in 'global4.c:1:5' (0x4040e0) of size 4
> SUMMARY: AddressSanitizer: global-buffer-overflow (/home/marxin/Programming/testcases/a.out+0x40118d) in main
> Shadow bytes around the buggy address:
>   0x0000800787c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0000800787d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0000800787e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0000800787f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080078800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x000080078810: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00[04]f9 f9 f9
>   0x000080078820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080078830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080078840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080078850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080078860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
> There's a left 'f9', but the variable has 4 x '00' which is wrong. That's
> probably due to some alignment. But fixing that would fix the underlying
> problem of this PR.

As far as I can tell, this particular redzone has nothing to do with globals layout.
It is produced by the following calls:

#0  __asan::PoisonShadow (addr=6294944, size=64, value=249 '\371') at /home/src/gcc/libsanitizer/asan/asan_poisoning.cc:39
#1  0x00007ffff716ac31 in __asan_register_globals (globals=0x600da0, n=1) at /home/src/gcc/libsanitizer/asan/asan_globals.cc:371
#2  0x0000000000400815 in _GLOBAL__sub_I_00099_1_main () at global4.c:6
#3  0x000000000040086d in __libc_csu_init ()
#4  0x00007ffff6d847bf in __libc_start_main (main=0x40079f <main>, argc=1, argv=0x7fffffffe6b8, init=0x400820 <__libc_csu_init>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe6a8) at ../csu/libc-start.c:247
#5  0x00000000004006b9 in _start ()

Looking at asan_globals.cc:370:

  // Poison the metadata. It should not be accessible to user code.
  PoisonShadow(reinterpret_cast<uptr>(globals), n * sizeof(__asan_global),
               kAsanGlobalRedzoneMagic);

So this redzone is just a struct __asan_global, which is being poisoned. gcc-7 and gcc-8 just make this struct relocate at different addresses for some reason.