Two among the bugs uncovered by CHERI (the mcel bug [1] and the xgettext bug [2]) could be found
  - by CHERI, or
  - by "gcc -fsanitize=address", or
  - by "clang -fsanitize=address",
but not by valgrind.

This raises the question: Should we better use CHERI for general pre-release testing, or the address sanitizers?

The answer is in [3], page 4, table III: CHERI does not detect use-after-free and stack-use-after-return bugs ("temporal memory safety").

Because of this, I'll be using address sanitizers, not CHERI, for the next foreseeable time. Find a writeup at [4].

Although running a desktop where everything, from the kernel to the web browser, has CHERI-enabled pointer validation would be cool from the security point of view. But that's a different goal than searching for bugs in a particular package...

Bruno

[1] https://lists.gnu.org/archive/html/bug-gnulib/2023-11/msg00034.html
[2] https://lists.gnu.org/archive/html/bug-gnulib/2023-11/msg00109.html
[3] https://www.techrxiv.org/articles/preprint/Towards_a_Hybrid_Approach_to_Protect_Against_Memory_Safety_Vulnerabilities/14680185
[4] https://gitlab.com/ghwiki/gnow-how/-/wikis/Finding_memory_bugs
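As an added illustration that is not part of Bruno's mail: one small C file with an instance of each bug class the mail contrasts (a heap overflow, which both CHERI and ASan report, and the two temporal bugs from table III of [3], which ASan reports but CHERI does not), each next to a correct version. The function and variable names are made up for this example; build with `gcc -g -O0 -fsanitize=address` and pass `overflow`, `uaf` or `uar` as the argument to trigger one sanitizer report.

```c
#include <stdlib.h>
#include <string.h>
/* Spatial bug: heap-buffer-overflow. Both CHERI and ASan report this one. */
static int heap_overflow(void) {
    char *buf = malloc(8);
    strcpy(buf, "12345678");      /* 9 bytes with the NUL: one past the end */
    int n = (int)strlen(buf); free(buf);
    return n;
}

/* Temporal bug: heap-use-after-free. ASan reports it; CHERI does not. */
static int heap_use_after_free(void) {
    int *p = malloc(sizeof *p);
    *p = 42;
    free(p);
    return *p;                    /* read through a dangling heap pointer */
}

/* Temporal bug: stack-use-after-return. ASan reports it when run with
 * ASAN_OPTIONS=detect_stack_use_after_return=1; CHERI does not. */
static int *g_slot;
static void leak_local_address(void) { int local = 7; g_slot = &local; }
static int stack_use_after_return(void) {
    leak_local_address();
    return *g_slot;               /* the frame is gone: reads a dead stack slot */
}

/* Correct counterparts with the same intent and no undefined behaviour. */
static int heap_copy_ok(void) {
    char *buf = malloc(9);        /* 8 characters plus the NUL */
    strcpy(buf, "12345678");
    int n = (int)strlen(buf); free(buf);
    return n;
}
static int heap_read_before_free(void) {
    int *p = malloc(sizeof *p);
    *p = 42;
    int v = *p; free(p);          /* read, then release */
    return v;
}
static int stack_copy_out(void) { int local = 7; return local; }

int main(int argc, char **argv) {
    /* Select a bug class by name; under ASan each one aborts with a report. */
    const char *w = argc > 1 ? argv[1] : "";
    if (!strcmp(w, "overflow")) return heap_overflow();
    if (!strcmp(w, "uaf")) return heap_use_after_free();
    if (!strcmp(w, "uar")) return stack_use_after_return();
    return heap_copy_ok() + heap_read_before_free() + stack_copy_out() == 57 ? 0 : 1;
}
```

Run without an argument the program exits 0 because only the correct versions execute; valgrind, as the mail notes for the gnulib bugs, will not flag the `uar` case either, since the stack slot is still mapped memory.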