https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105396
--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> --- So, the bug is clearly in asan_redzone_buffer::emit_redzone_byte. The off == offset case is handled correctly, but the other case is valid only if the gap is bigger such that we need to flush in between. --- gcc/asan.cc.jj 2022-02-19 09:03:50.000000000 +0100 +++ gcc/asan.cc 2022-04-26 16:36:55.717551793 +0200 @@ -1502,6 +1502,15 @@ asan_redzone_buffer::emit_redzone_byte ( m_shadow_bytes.safe_push (value); flush_if_full (); } + else if (offset < m_prev_offset + ASAN_SHADOW_GRANULARITY * RZ_BUFFER_SIZE + && !m_shadow_bytes.is_empty ()) + { + /* Shadow memory byte with a small gap. */ + for (; off < offset; off += ASAN_SHADOW_GRANULARITY) + m_shadow_bytes.safe_push (0); + m_shadow_bytes.safe_push (value); + flush_if_full (); + } else { if (!m_shadow_bytes.is_empty ()) fixes this.
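Review bot: the new `else if` branch bounds the gap against `m_prev_offset` (`offset < m_prev_offset + ASAN_SHADOW_GRANULARITY * RZ_BUFFER_SIZE`) while the padding loop starts from `off`, and `flush_if_full ()` only runs after the final `safe_push (value)`, so the branch stays within `RZ_BUFFER_SIZE` only if `m_prev_offset` denotes the start of the run currently held in `m_shadow_bytes` and `off` is the next granule after it. That invariant is not visible in the hunk; a short comment stating it next to the condition, or a `gcc_checking_assert (m_shadow_bytes.length () <= RZ_BUFFER_SIZE);` after the loop, would make the no-overrun argument explicit. The comment `/* Shadow memory byte with a small gap. */` could also say that the gap is padded with zero (addressable) shadow bytes, which is the behaviour the loop implements.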