https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87191
Bug ID: 87191
Summary: UBSan doesn't catch invalid pointer arithmetic outside known object bounds
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: bugdal at aerifal dot cx
Target Milestone: ---
Test case:
void bar(void *);          /* opaque callee: keeps the pointer "used" */
int foo(void)
{
    char a[10];
    bar(&a+2);             /* &a has element size sizeof(a) == 10; +2 is past one-past-the-end */
    return 0;
}
The function bar is just there as a compiler barrier.
My expectation is that -fsanitize=undefined should produce an unconditional
trap, since the only constant values that may be added to &a are 0 or 1 (and only 0 if the
result is dereferenced). Instead, GCC versions prior to 8 generate no sanitizer
check at all, and GCC 8 and clang both generate what I would characterize as a
wrong check: they look to see if (uintptr_t)a+20 overflows past the end of the
address space, rather than past the end of the object size (which is clearly
available here via __builtin_object_size).
My understanding is that -fsanitize=object-size, included in
-fsanitize=undefined, is supposed to catch exactly this case.
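The following is an added illustration, not code from the bug report or from GCC/clang. It spells out in plain integer arithmetic the two checks the report contrasts: the object-size check the reporter expected (is the result inside the object or exactly one past its end?) versus the address-space wrap check the reporter observed the compilers emitting. `offset_in_bounds`, `wraps_address_space` and `check_test_case` are helper names chosen here; the sample sizes mirror the report's `char a[10]` and `&a+2`. The out-of-bounds pointer is never actually formed, since forming it is itself undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Object-size check (what -fsanitize=object-size would need to enforce):
   adding `count` elements of `elem_size` bytes to a pointer that sits
   `base_off` bytes into an object of `obj_size` bytes is valid only if the
   result lands inside the object or exactly one past its end.
   Pure unsigned arithmetic, so this helper performs no UB itself. */
int offset_in_bounds(size_t obj_size, size_t base_off,
                     size_t elem_size, size_t count)
{
    if (base_off > obj_size)
        return 0;
    size_t remaining = obj_size - base_off;
    if (elem_size != 0 && count > remaining / elem_size)
        return 0;
    return 1;
}

/* Address-space wrap check (what the report says GCC 8 and clang emit
   instead): fires only if base + bytes wraps around uintptr_t. For a
   stack object with a small offset this is never true, so the check
   never trips on &a+2. */
int wraps_address_space(uintptr_t base, size_t bytes)
{
    return (uintptr_t)(base + bytes) < base;
}

/* The report's test case, evaluated with the object-size rule instead of
   forming the pointer. `count` plays the role of the constant in &a+count.
   __builtin_object_size(&a, 0) gives 10 for a direct local array; the
   fallback to sizeof a is only an assumption for builds where it is not
   folded (it then returns (size_t)-1). */
int check_test_case(size_t count)
{
    char a[10];
    size_t obj = __builtin_object_size(&a, 0);
    if (obj == (size_t)-1)
        obj = sizeof a;
    a[0] = 0; /* keep the array live */
    /* &a has element size sizeof(a): one "element" step is 10 bytes. */
    return offset_in_bounds(obj, 0, sizeof a, count);
}

int main(void)
{
    for (size_t k = 0; k <= 2; k++) {
        printf("&a+%zu: object-size check %s, address-wrap check %s\n", k,
               check_test_case(k) ? "passes" : "FAILS",
               wraps_address_space(0x7ffd0000, k * 10) ? "FAILS" : "passes");
    }
    return 0;
}
```

Run with `gcc -O2 -fsanitize=undefined` on the original test case to see which of the two checks the compiler actually instruments; the helper above shows that only the object-size rule rejects `&a+2`, while the wrap check accepts it for any realistic stack address.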