https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113482
Xi Ruoyao <xry111 at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |INVALID
CC| |xry111 at gcc dot gnu.org
--- Comment #1 from Xi Ruoyao <xry111 at gcc dot gnu.org> ---
GCC 13.2 gives a better diagnostic, with -fsanitize=address -g:
==728119==ERROR: AddressSanitizer: stack-use-after-return on address
0x7f98b1709030 at pc 0x0000004013bd bp 0x7ffd9b8fcef0 sp 0x7ffd9b8fcee0
READ of size 4 at 0x7f98b1709030 thread T0
#0 0x4013bc in func_2 /home/xry111/t.c:31
#1 0x401227 in func_1 /home/xry111/t.c:19
#2 0x40186b in main /home/xry111/t.c:60
#3 0x7f98b4827f59 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#4 0x7f98b4828024 in __libc_start_main_impl ../csu/libc-start.c:360
#5 0x401100 in _start ../sysdeps/x86_64/start.S:115
Address 0x7f98b1709030 is located in stack of thread T0 at offset 48 in frame
#0 0x401660 in func_11 /home/xry111/t.c:48
This frame has 2 object(s):
[48, 52) 'l_92' (line 50) <== Memory access at offset 48 is inside this
variable
[64, 72) 'l_57' (line 49)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /home/xry111/t.c:31 in func_2
Shadow bytes around the buggy address:
0x7f98b1708d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f98b1708e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f98b1708e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f98b1708f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f98b1708f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7f98b1709000: f5 f5 f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 00 00 00 00
0x7f98b1709080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f98b1709100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f98b1709180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f98b1709200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f98b1709280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==728119==ABORTING
Now it should be obvious that the code is buggy. So with GCC 12
-fsanitize=undefined,address is at -O0 is correct, while the other combinations
produce a false negative.
You may argue the false negatives are also a bug but we don't backport the
fixes for sanitizer false negatives to old releases because doing so is
completely impractical (unless the fix is obvious and very simple).
