https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95279
--- Comment #9 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
(In reply to Frantisek Sumsal from comment #7)
> Maybe I'm missing something here, but isn't detecting pointer overflows
> (even in cases where it's apparently not an undefined behavior) the sole
> purpose of -fsanitize=pointer-overflow (which, to my knowledge, is enabled
> by default when using -fsanitize=undefined)?
>
> As described in [0]:
> -fsanitize=pointer-overflow
>
> This option enables instrumentation of pointer arithmetics. If the
> pointer arithmetics overflows, a run-time error is issued.
>
>
> [0] https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html

pointer-overflow is a cheap check without any context, for ptr + off it will do
  uintptr_t res = (uintptr_t) ptr + off;
  if (((intptr_t) res) < 0 ? res > (uintptr_t) ptr : res < (uintptr_t) ptr)
    runtime_diagnostics ();
and nothing else.
clang is wrong to assume that ptr + (size_t) -1 is standard-wise or
behavior-wise any different from ptr + (-1).

Oh, in #c4 I've made a mistake, obviously it should be buf + 1 rather than p + 1.
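The following is an added, stand-alone model of the cheap context-free check described in comment #9; it is not GCC's instrumentation code and not part of the bug report. Pointer and offset are handled as raw integers so the arithmetic stays well defined, and the sign test is applied to the offset (my reading of the intended condition: a negative offset may only move the result downwards, a non-negative one only upwards, anything else is a wrap around the address space). The function names are my own. The second function shows the point of the comment: once the offset is just bits, (size_t) -1 and (ptrdiff_t) -1 are the same operand and get the same verdict.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the pointer-overflow check (added example, not GCC's code).
   ptr is the pointer's integer value, off the offset's bit pattern.
   The conversion (intptr_t) off is implementation-defined for values
   above INTPTR_MAX; GCC defines it as modular, which is assumed here. */
static bool ubsan_ptr_check_fires(uintptr_t ptr, uintptr_t off)
{
    uintptr_t res = ptr + off;          /* wraps modulo 2^N, like the CPU */
    if ((intptr_t) off < 0)             /* backward step: must not go up */
        return res > ptr;
    return res < ptr;                   /* forward step: must not go down */
}

/* Demonstrates that ptr + (size_t) -1 and ptr + (ptrdiff_t) -1 reach the
   check as identical operands and therefore get an identical verdict. */
static bool same_verdict_for_minus_one(uintptr_t ptr)
{
    uintptr_t off_unsigned = (uintptr_t) (size_t) -1;     /* SIZE_MAX bits */
    uintptr_t off_signed   = (uintptr_t) (ptrdiff_t) -1;  /* -1 sign-extended */
    return off_unsigned == off_signed
        && ubsan_ptr_check_fires(ptr, off_unsigned)
           == ubsan_ptr_check_fires(ptr, off_signed);
}

int main(void)
{
    /* Constructed addresses: a plausible stack buffer and the two ends
       of the address space where an addition really does wrap. */
    uintptr_t buf = 0x1000;

    printf("buf + 16            fires: %d\n", ubsan_ptr_check_fires(buf, 16));
    printf("buf - 16            fires: %d\n", ubsan_ptr_check_fires(buf, (uintptr_t) -16));
    printf("buf + (size_t)-1    fires: %d\n", ubsan_ptr_check_fires(buf, (size_t) -1));
    printf("buf + (ptrdiff_t)-1 fires: %d\n", ubsan_ptr_check_fires(buf, (uintptr_t) (ptrdiff_t) -1));
    printf("0 - 1               fires: %d\n", ubsan_ptr_check_fires(0, (uintptr_t) -1));
    printf("MAX-3 + 8           fires: %d\n", ubsan_ptr_check_fires(UINTPTR_MAX - 3, 8));
    printf("same verdict for -1 forms: %d\n", same_verdict_for_minus_one(buf));
    return 0;
}
```

The two (size_t) -1 and (ptrdiff_t) -1 lines print the same result for any base address, which is what the comment argues: the check has no type information to tell them apart, and neither has the hardware.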