[Bug sanitizer/89298] New: Address-Sanitizer false positive for global-buffer-overflow?

2019-02-12 Thread lee_shao at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89298

Bug ID: 89298
   Summary: Address-Sanitizer false positive for global-buffer-overflow?
   Product: gcc
   Version: 8.1.0
Status: UNCONFIRMED
  Severity: normal
  Priority: P3
 Component: sanitizer
  Assignee: unassigned at gcc dot gnu.org
  Reporter: lee_shao at 126 dot com
        CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

Hi,
In my program, ASAN reports ERROR: global-buffer-overflow on several global
variables.

However, I'm sure that I use the global variables in the right way, like this:

  In AAA.c:
  // define a global var
  int g_var_a;

  g_var_a = 1; // ASAN reports global-buffer-overflow right here!

According to the formula Shadow = (Mem >> 3) + 0x2000, the value of the
shadow memory of the global var **g_var_a** is F9 (Global Redzone), which
confuses me very much!

I use GCC 8.1.0 to compile my project on SUSE Linux Enterprise Server 12.

The application is compiled like this:
1. A.c + B.c -> GCC 8.1 ASan -> libproblem.so
2. C.c + libproblem.so -> GCC 8.1 ASan -> App
3. In A.c:
   ... globals ...
   unsigned int g_var = 0;
   ... globals ...
   In B.c:
   extern unsigned int g_var = 0;
   ...
   void fun(){
   ...
   g_var = 0;   // ASan reports global-buffer-overflow right here!
   ...
   }

I found that:
1. The global g_var is located 0 bytes to the right of another global
   variable, that is, no redzone is inserted between them.
2. Under normal circumstances, running "$ nm App > nm.log" gives us the addresses
   of the globals g_var and __odr_asan.g_var;
   however, when it goes wrong, there is no symbol __odr_asan.g_var.

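As an added illustration (not part of the bug report) of the shadow formula and the F9 byte the reporter quotes: the mapping Shadow = (Mem >> 3) + Offset and ASan's per-access poisoning check, in C. It assumes the i386 default shadow offset 0x20000000 (the report abbreviates the constant), takes the 32-bit addresses from the reporter's gdb session as sample inputs, and uses the shadow-byte values from the legend ASan prints with each report.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Default ASan shadow offset for 32-bit x86 Linux; the report's addresses are
   32-bit and it abbreviates this constant as 0x2000. Assumed, not from the report. */
#define ASAN_SHADOW_OFFSET_I386 0x20000000u

/* Shadow = (Mem >> 3) + Offset: one shadow byte per 8-byte granule. */
uint32_t shadow_addr(uint32_t mem, uint32_t shadow_offset) {
    return (mem >> 3) + shadow_offset;
}

/* Meaning of a shadow byte value, as in the legend ASan prints with each report. */
const char *describe_shadow(uint8_t k) {
    if (k == 0) return "addressable";
    if (k < 8)  return "partially addressable (first k bytes only)";
    switch (k) {
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone";
    case 0xf3: return "stack right redzone";
    case 0xf9: return "global redzone";
    case 0xfa: return "heap left redzone";
    case 0xfd: return "freed heap region";
    default:   return "other poisoned marker";
    }
}

/* ASan's inline check for a 1/2/4-byte access at addr whose granule carries
   shadow byte k: the access is poisoned if k != 0 and the last byte touched
   lies at or beyond the k addressable bytes. Redzone markers (k >= 0x80,
   negative as int8_t in the instrumented code) fail for any access. */
int access_is_poisoned(uint32_t addr, unsigned size, uint8_t k) {
    if (k == 0) return 0;
    if (k >= 0x80 || size >= 8) return 1;
    return (addr & 7u) + size - 1 >= k;
}

int main(void) {
    /* Sample inputs taken from the reporter's gdb session: &g_var and the flagged address. */
    uint32_t g_var_addr = 0xe04e4620u, bad_addr = 0x08d09bc0u;
    printf("&g_var  %08" PRIx32 " -> shadow byte at %08" PRIx32 "\n", g_var_addr,
           shadow_addr(g_var_addr, ASAN_SHADOW_OFFSET_I386));
    printf("flagged %08" PRIx32 " -> shadow byte at %08" PRIx32 "\n", bad_addr,
           shadow_addr(bad_addr, ASAN_SHADOW_OFFSET_I386));
    /* A 4-byte store into a granule whose shadow byte is F9 is always reported. */
    printf("4-byte store, shadow F9 (%s): %s\n", describe_shadow(0xf9),
           access_is_poisoned(g_var_addr, 4, 0xf9) ? "reported" : "ok");
    return 0;
}
```

A global that ASan instruments gets a redzone after it; a second global placed 0 bytes to its right, as the report describes, means that global was not instrumented by the same TU's instrumentation and its storage overlaps what the first global's shadow marks as redzone.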
[Bug sanitizer/89298] Address-Sanitizer false positive for global-buffer-overflow?

2019-02-12 Thread lee_shao at 126 dot com
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89298

--- Comment #3 from Keerecles ---
(In reply to Jakub Jelinek from comment #2)
> It is not clear how that can compile, because both
> unsigned int g_var =0;
> and
> extern unsigned int g_var =0;
> are g_var definitions, so if that is in multiple TUs, linker should fail to
> link that.
There are no multiple definitions, and the program is successfully compiled and linked.

> In the other snippet you mention
> int g_var_a;
> which is something very different (unless -fno-common), that is a common var
> and ASAN doesn't instrument those.

Sorry, I made a mistake. In my application, ASAN reports global-buffer-overflow
just on the global g_var.
"int g_var_a;" should be "int g_var;"

Here is the ASAN log:
 $ LD_PRELOAD=/usr/local/gcc-8.1/lib/libasan.so gdb ./App
 $ b ***/***/AAA.c:288
 $ run
 Breakpoint 1  288 g_var=1;
 $ p &g_var
 $1 = (int) 0xe04e4620
 $ n
 ==106196==ERROR: AddressSanitizer: global-buffer-overflow on address 0x08d09bc0 at pc 0xde57b983 bp 0xcfe8 sp 0xcfdc
 [Here the address (0x08d09bc0) is not 0xe04e4620]
 #0 0xde57b982 in  ***/***/AAA.c:288
 0x08d09bc0 is located 0 bytes to the right of global variable 'g_var_others' defined in ***
 0x08d09bc0 is located 0 bytes inside of global variable 'g_var' defined in ***