https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81040
Bug ID: 81040
Summary: asan false negative if parameter of a global function passed by reference
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: ryabinin.a.a at gmail dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---

The following test case doesn't produce an asan warning while it should.
For some reason gcc doesn't surround 'a' with redzones.

$ cat asan_test.c
static __attribute__((noinline)) void goo(int *a)
{
        *(volatile int*)a;
}

__attribute__((noinline)) void foo(char a)
{
        goo((int*)&a);
}

int main()
{
        foo(1);
        return 0;
}

$ gcc -fsanitize=address -O2 asan_test.c
$ ./a.out
$

Now, if we make foo() static, asan suddenly works:

$ cat asan_static_test.c
static __attribute__((noinline)) void goo(int *a)
{
        *(volatile int*)a;
}

static __attribute__((noinline)) void foo(char a)
{
        goo((int*)&a);
}

int main()
{
        foo(1);
        return 0;
}

$ gcc -fsanitize=address -O2 asan_static_test.c
$ ./a.out
=================================================================
==3278==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc2e298480 at pc 0x00000040083b bp 0x7ffc2e298440 sp 0x7ffc2e298438
READ of size 4 at 0x7ffc2e298480 thread T0
    #0 0x40083a in goo (/home/andrew/linux/a.out+0x40083a)
    #1 0x4008a0 in foo.constprop.0 (/home/andrew/linux/a.out+0x4008a0)
    #2 0x4006e8 in main (/home/andrew/linux/a.out+0x4006e8)
    #3 0x7ff179db971f in __libc_start_main (/lib64/libc.so.6+0x2071f)
    #4 0x400738 in _start (/home/andrew/linux/a.out+0x400738)

Address 0x7ffc2e298480 is located in stack of thread T0 at offset 32 in frame
    #0 0x40084f in foo.constprop.0 (/home/andrew/linux/a.out+0x40084f)

  This frame has 1 object(s):
    [32, 33) 'a' <== Memory access at offset 32 partially overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/andrew/linux/a.out+0x40083a) in goo
Shadow bytes around the buggy address:
  0x100005c4b040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005c4b050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005c4b060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005c4b070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005c4b080: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100005c4b090:[01]f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100005c4b0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005c4b0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005c4b0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005c4b0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005c4b0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3278==ABORTING