https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116984
Bug ID: 116984
Summary: -fsanitize=bounds triggers within __builtin_dynamic_object_size()
Product: gcc
Version: 15.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: kees at outflux dot net
Target Milestone: ---

It should not be possible to trigger -fsanitize=bounds within __builtin_dynamic_object_size() (which should have no side-effects).

    // CFLAGS="-Wall -O2 -fsanitize=bounds"
    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <limits.h>
    #include <unistd.h>

    #define noinline __attribute__((noinline))
    #define __counted_by(member) __attribute__((counted_by(member)))

    struct counted {
        int length;
        int array[] __counted_by(length);
    };

    /* noinline so the allocation size is not visible at the call site and
       __builtin_dynamic_object_size() has to rely on counted_by. */
    static noinline void *alloc(size_t count)
    {
        struct counted *p = malloc(sizeof(*p) + sizeof(*p->array) * count);
        p->length = count;
        return p;
    }

    int main(void)
    {
        volatile int unconst = 0; // avoid optimizations
        int negative = -3 + unconst;
        int count = 1 + unconst;
        struct counted *p = alloc(count);

        /* The only use of the negative index is inside the size query. */
        printf("%zu\n", __builtin_dynamic_object_size(&p->array[negative], 1));
        return 0;
    }

This correctly reports "0", but also incorrectly trips the sanitizer:

    /app/example.c:30:60: runtime error: index -3 out of bounds for type 'int [*]'
    0