https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82079
Bug ID: 82079
Summary: missing pointer overflow detection with -fsanitize=pointer-overflow
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---

I've been experimenting with the new -fsanitize=pointer-overflow option to better understand what it detects. For example, I would expect both instances of overflow/wrapping in the following test case to trigger an error at runtime, but only the second one does. So either I don't understand what problems the option is supposed to detect or it doesn't quite work.

$ cat t.c && /opt/notnfs/msebor/build/gcc-git-ubsan/gcc/xgcc -B /opt/notnfs/msebor/build/gcc-git-ubsan/gcc -O2 -Wall -fsanitize=undefined -fsanitize=pointer-overflow -L /opt/notnfs/msebor/build/gcc-git-ubsan/x86_64-pc-linux-gnu/libsanitizer/ubsan/.libs t.c && LD_LIBRARY_PATH=/opt/notnfs/msebor/build/gcc-git-ubsan/x86_64-pc-linux-gnu/libsanitizer/ubsan/.libs ./a.out
void __attribute__ ((noclone, noinline))
f (const char *s)
{
  volatile __SIZE_TYPE__ n = __SIZE_MAX__ - (__SIZE_TYPE__)s + 2;
  const char *p = s + n;
  __builtin_printf ("%p + %zu = %p\n", s, n, p);
}

int main (void)
{
  const char a[] = "123";
  f (a);                         // overflow not detected
  f ((char*)__SIZE_MAX__ - 1);   // overflow detected
}
0x7fff4e8440dc + 18446603339198873381 = 0x1
t.c:6:15: runtime error: pointer index expression with base 0xfffffffffffffffe overflowed to 0x000000000001
0xfffffffffffffffe + 3 = 0x1
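The following is an added example, not code from the bug report or from GCC: it performs by hand the wrap-around check that -fsanitize=pointer-overflow is expected to insert for an expression of the form base + n, so that both calls in t.c can be compared against a known reference, and it separates that wrap check from the object-bounds check that the sanitizer option does not make. The helper names addr_add_wraps, checked_ptr_add and in_object_bounds are hypothetical, and uintptr_t is assumed to be at least as wide as size_t, as on the x86_64 target in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not part of the bug report.  addr_add_wraps,
   checked_ptr_add and in_object_bounds are hypothetical helper names.
   Assumes uintptr_t is at least as wide as size_t (true on x86_64). */

/* Return 1 if base + n does not fit in the address space, 0 otherwise.
   The comparison is done on integers so no wrapped pointer is ever formed. */
int addr_add_wraps(uintptr_t base, size_t n)
{
    return (uintptr_t)n > UINTPTR_MAX - base;
}

/* Checked pointer addition: return s + n, or NULL when the address
   arithmetic would wrap.  This mirrors the instrumentation-style check;
   it knows nothing about the object's size, so a non-wrapping result can
   still be out of bounds and needs in_object_bounds() as well. */
const char *checked_ptr_add(const char *s, size_t n)
{
    if (addr_add_wraps((uintptr_t)s, n))
        return NULL;
    return s + n;
}

/* Return 1 if offset n from the start of an object of objsize bytes stays
   within the object or exactly one past its end, the positions C permits. */
int in_object_bounds(size_t objsize, size_t n)
{
    return n <= objsize;
}

/* The report's first call: n = SIZE_MAX - (size_t)a + 2, which makes a + n
   wrap to address 1.  Returns 1 when the manual check flags the wrap. */
int first_case_wraps(void)
{
    const char a[] = "123";
    uintptr_t base = (uintptr_t)a;
    size_t n = (size_t)(UINTPTR_MAX - base + 2);   /* same formula as t.c */
    return addr_add_wraps(base, n);
}

/* The report's second call: base 0xff...fe plus 3, which also wraps to 1. */
int second_case_wraps(void)
{
    return addr_add_wraps(UINTPTR_MAX - 1, 3);
}

/* A legitimate in-object offset on the same array neither wraps nor leaves
   the object; returns 1 when both checks pass and the byte is the expected one. */
int valid_offset_ok(void)
{
    const char a[] = "123";
    const char *p = checked_ptr_add(a, 2);
    return p != NULL && in_object_bounds(sizeof a, 2) && *p == '3';
}

int main(void)
{
    printf("first call wraps:  %d\n", first_case_wraps());
    printf("second call wraps: %d\n", second_case_wraps());
    printf("offset 2 is fine:  %d\n", valid_offset_ok());
    return 0;
}
```

Both calls from t.c are flagged by the integer check, which is the behaviour the report expects from the sanitizer; the wrap check alone is not a bounds check, so production code that validates offsets should test against the object's size as in_object_bounds() does, not merely against address-space wrap-around.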