https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110527
Bug ID: 110527
Summary: [10/11/12/13/14 Regression] ASan is missing array out-of-bounds check
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: jwzeng at nuaa dot edu.cn
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---

Link to the Compiler Explorer: https://godbolt.org/z/YKaT3YdTx

The following snippet:

#include <stdio.h>

unsigned int aa = 204;
unsigned char bb = 126;
unsigned short cc[19][24][22][11][21];
unsigned int dd[19][24][22][11][21];

int main() {
  for (int i = 0; i < 19; ++i)
    cc[i][0][0][0][0] = 6294;
  unsigned char i = aa - 172;
  bb = cc[i][0][0][0][0];
  printf("%d\n", bb);
}

> $ gcc -O0 -fsanitize=address bug.c; ./a.out
> 0

Look at the statement `bb = cc[i][0][0][0][0];` in the above code snippet. The array access is out of bounds, but the program did not output any error after compilation with "-O0 -fsanitize=address".

When I deleted the statement `unsigned int dd[19][24][22][11][21];` from the above code snippet and compiled with "-O0 -fsanitize=address" again, it output the following error:

> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000b75e40 (pc 0x000000401251 bp 0x7ffc6e878c80 sp 0x7ffc6e878c70 T0)
> ==1==The signal is caused by a READ memory access.
>     #0 0x401251 in main /app/example.cpp:10
>     #1 0x7fd690372082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
>     #2 0x4010cd in _start (/app/output.s+0x4010cd) (BuildId: 18aa19a5491b44e6b2908ed7ba8b0a483242b3a5)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /app/example.cpp:10 in main
> ==1==ABORTING

I found that the above bug appeared in gcc 10/11/12/13/14.
Earlier GCCs do not have this bug.
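The report's two observations fit a simple layout model: ASan poisons only a redzone around each global, so a read that overshoots cc by more than the redzone lands either in the next object's addressable bytes (silent) or in unmapped memory (SEGV). The program below is an added example, not the reporter's code or GCC's: it models the arrays from the report, computes how far cc[32][0][0][0][0] lies past the end of cc without performing the access, and classifies where that byte falls. The redzone width and the assumption that dd directly follows cc are constructed inputs to the model, not values taken from GCC.

```c
#include <stdio.h>
#include <stddef.h>

/* Array shape from the report: cc is unsigned short, dd is unsigned int,
   both 19x24x22x11x21. This is a constructed model of the layout, not the
   reported program itself. */
#define D0 19u
#define D1 24u
#define D2 22u
#define D3 11u
#define D4 21u

enum where { IN_BOUNDS, IN_REDZONE, IN_NEIGHBOUR, BEYOND };

/* Byte size of one cc[i] slab: everything selected by the first index. */
size_t cc_slab_bytes(void) {
    return (size_t)D1 * D2 * D3 * D4 * sizeof(unsigned short);
}

size_t cc_total_bytes(void) { return (size_t)D0 * cc_slab_bytes(); }

size_t dd_total_bytes(void) {
    return (size_t)D0 * D1 * D2 * D3 * D4 * sizeof(unsigned int);
}

/* Byte offset of cc[i][0][0][0][0] from the start of cc, computed
   arithmetically so no out-of-bounds memory is ever touched. */
size_t cc_offset(unsigned char i) { return (size_t)i * cc_slab_bytes(); }

/* Classify the access under an assumed layout: cc, then `redzone` bytes of
   ASan poison, then a neighbouring object of `neighbour` bytes (dd in the
   report; 0 once dd is deleted). The redzone width is a model parameter,
   not the compiler's real global-redzone policy. */
enum where classify(unsigned char i, size_t redzone, size_t neighbour) {
    size_t off = cc_offset(i);
    size_t end = cc_total_bytes();
    if (off < end) return IN_BOUNDS;
    if (off < end + redzone) return IN_REDZONE;      /* shadow poison: ASan reports */
    if (off < end + redzone + neighbour) return IN_NEIGHBOUR; /* addressable: silent */
    return BEYOND;                                    /* unmapped here: SEGV */
}

int main(void) {
    unsigned int aa = 204;
    unsigned char i = aa - 172;   /* 32, exactly as in the report */
    size_t over = cc_offset(i) - cc_total_bytes();
    printf("cc is %zu bytes; cc[%u] starts %zu bytes past its end\n",
           cc_total_bytes(), i, over);
    printf("with dd present:  %s\n",
           classify(i, 4096, dd_total_bytes()) == IN_NEIGHBOUR
               ? "inside dd (addressable, no ASan report)" : "?");
    printf("with dd deleted:  %s\n",
           classify(i, 4096, 0) == BEYOND
               ? "past every object (matches the reported SEGV)" : "?");
    return 0;
}
```

Under this model the overshoot is about 3.1 MB, far more than any per-global redzone, which is why a shadow-memory check cannot distinguish the read from a legitimate access to dd; a bounds check derived from the declared array type (as opposed to shadow memory) is the kind of check that would still see index 32 against a dimension of 19.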