https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110527

            Bug ID: 110527
           Summary: [10/11/12/13/14 Regression] ASan is missing array
                    out-of-bounds check
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: jwzeng at nuaa dot edu.cn
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org,
                    marxin at gcc dot gnu.org
  Target Milestone: ---

Link to the Compiler Explorer: https://godbolt.org/z/YKaT3YdTx

The following snippet:

#include <stdio.h>
unsigned int aa = 204;
unsigned char bb = 126;
unsigned short cc[19][24][22][11][21];
unsigned int dd[19][24][22][11][21];
int main() {
    for (int i = 0; i < 19; ++i)
        cc[i][0][0][0][0] = 6294;
    unsigned char i = aa - 172;   /* i == 32, but cc's first dimension is 19 */
    bb = cc[i][0][0][0][0];       /* out-of-bounds read that ASan does not flag */
    printf("%d\n", bb);
}

> $ gcc -O0 -fsanitize=address bug.c; ./a.out
> $ 0

Look at the statement `bb = cc[i][0][0][0][0];` in the above code snippet. The
array is out of bounds, but the program did not output any error after
compilation with "-O0 -fsanitize=address".

When I deleted the statement `unsigned int dd[19][24][22][11][21];` from the
above code snippet and compiled with "-O0 -fsanitize=address" again, it
output the following error this time:

> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000b75e40 (pc 0x000000401251 bp 0x7ffc6e878c80 sp 0x7ffc6e878c70 T0)
> ==1==The signal is caused by a READ memory access.
>     #0 0x401251 in main /app/example.cpp:10
>     #1 0x7fd690372082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
>     #2 0x4010cd in _start (/app/output.s+0x4010cd) (BuildId: 18aa19a5491b44e6b2908ed7ba8b0a483242b3a5)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /app/example.cpp:10 in main
> ==1==ABORTING

I found that the above bug appeared in gcc 10/11/12/13/14. Earlier GCCs do not
have this bug.
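An added example (not part of the report) that computes, without dereferencing anything, where the read `cc[32][0][0][0][0]` lands relative to the end of `cc` and compares that overshoot with the size of `dd`. It assumes the linker places `dd` directly after `cc` and that ASan's global redzone between them is far smaller than the overshoot; both are labelled assumptions in the code.

```c
#include <stdio.h>
#include <stddef.h>

/* Same shapes as the report's globals (constructed copy for this example). */
static unsigned short cc[19][24][22][11][21];
static unsigned int dd[19][24][22][11][21];

/* Byte offset of cc[i][0][0][0][0] from the start of cc (pure arithmetic). */
static size_t cc_row_offset(unsigned i) {
    return (size_t)i * sizeof cc[0];
}

/* How many bytes past the end of cc the access lands; 0 when in bounds. */
static size_t bytes_past_end_of_cc(unsigned i) {
    size_t off = cc_row_offset(i);
    return off < sizeof cc ? 0 : off - sizeof cc;
}

/* 1 if the overshoot falls inside dd's own bytes. ASSUMPTION: dd is laid out
 * right after cc and the redzone between them is much smaller than the
 * overshoot, so the address is addressable from ASan's point of view. */
static int overshoot_inside_dd(unsigned i) {
    size_t past = bytes_past_end_of_cc(i);
    return past > 0 && past < sizeof dd;
}

int main(void) {
    unsigned char i = (unsigned char)(204u - 172u);  /* the report's index: 32 */
    printf("cc[%u] starts %zu bytes past the end of cc (sizeof cc = %zu)\n",
           i, bytes_past_end_of_cc(i), sizeof cc);
    printf("sizeof dd = %zu -> access %s\n", sizeof dd,
           overshoot_inside_dd(i) ? "lands inside dd, not in a redzone"
                                  : "lands outside dd");
    return 0;
}
```

Under those assumptions the read resolves to an addressable byte inside `dd`, so no shadow-memory check fires, whereas with `dd` removed the same address has nothing mapped behind it and the program faults, matching the two runs shown above.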
