[Bug sanitizer/108094] New: gcc trunk's ASAN at -O2 and above did not report a stack-use-after-return

Wed, 14 Dec 2022 00:54:37 -0800 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108094

            Bug ID: 108094
           Summary: gcc trunk's ASAN at -O2 and above did not report a
                    stack-use-after-return
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: shaohua.li at inf dot ethz.ch
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at 
gcc dot gnu.org
  Target Milestone: ---

ASAN at -O0/1 reported the stack-use-after-return bug, however -O2 and above
only reported SEGV. I checked the pointer addresses and noted this may due to
over-optimization of UB behavior, i.e., variable a is optimized to NULL. Not
sure if this is an issue or not.

Clang can detect it at all optimization levels.

Compiler explorer: https://godbolt.org/z/bYPxe31Mx

% cat a.c
int *a;
int d;
int *e() {
  int b[1]={0};
  __builtin_printf("&b[0]=%p\n", &b[0]);
  int *c = &b[0];
  __builtin_printf("c=%p\n", c);
  return c;
}
int main() {
  a = e();
  __builtin_printf("a=%p\n", a);
  d = *a;
  return d;
}
% gcc-tk -O0 -fsanitize=address a.c -g
% AN_OPTIONS=detect_stack_use_after_return=1 ./a.out 
&b[0]=0x7fe7cc000020
c=0x7fe7cc000020
a=0x7fe7cc000020
=================================================================
==1645405==ERROR: AddressSanitizer: stack-use-after-return on address
0x7fe7cc000020 at pc 0x000000401325 bp 0x7ffe8e2fe990 sp 0x7ffe8e2fe988
READ of size 4 at 0x7fe7cc000020 thread T0
    #0 0x401324 in main /a.c:13
    #1 0x7fe7cea78082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId:
1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #2 0x4010dd in _start (/a.out+0x4010dd)

Address 0x7fe7cc000020 is located in stack of thread T0 at offset 32 in frame
    #0 0x4011a5 in e /a.c:3

  This frame has 1 object(s):
    [32, 36) 'b' (line 4) <== Memory access at offset 32 is inside this
variable
...
%
% gcc-tk -O2 -fsanitize=address a.c -g
% AN_OPTIONS=detect_stack_use_after_return=1 ./a.out 
&b[0]=0x7f3f2a100020
c=0x7f3f2a100020
a=(nil)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1885716==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x000000401107 bp 0x000000000000 sp 0x7fff49942b00 T0)
==1885716==The signal is caused by a READ memory access.
==1885716==Hint: address points to the zero page.
    #0 0x401107 in main /a.c:13
    #1 0x7f3f2cb26082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId:
1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #2 0x40117d in _start (/a.out+0x40117d)
...
%

Reply via email to