https://bugs.llvm.org/show_bug.cgi?id=43633
Bug ID: 43633
Summary: AddressSanitizer doesn't catch stack-use-after-return of variable-length arrays
Product: compiler-rt
Version: 8.0
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: asan
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
ASAN correctly warns when dereferencing a returned reference to a local
fixed-length array. See this example:
```c
#include <stdio.h>

int *returns_dangling_pointer() {
    int a[5];
    for (size_t i = 0; i < 5; i++) a[i] = i;
    return &a[3];   /* pointer into this frame's stack, invalid after return */
}

int main() {
    printf("%d\n", *returns_dangling_pointer());
}
```
Compiling with clang -fsanitize=address and running the program with
ASAN_OPTIONS=detect_stack_use_after_return=1 reports a stack use after return,
as expected:
[32, 52) 'a' <== Memory access at offset 44 is inside this variable
But if the array is replaced by a VLA, ASAN does not catch the undefined
behavior. Example:
```c
#include <stdio.h>

int *returns_dangling_pointer(size_t len) {
    int a[len];     /* variable-length array instead of a fixed-size one */
    for (size_t i = 0; i < 5; i++) a[i] = i;
    return &a[3];   /* same dangling pointer, not caught by ASan */
}

int main() {
    printf("%d\n", *returns_dangling_pointer(5));
}
```
Compiling and running as before, the program prints 3 and exits normally. I
would have expected ASAN to identify that the returned pointer refers to
stack-allocated memory that is no longer valid once returns_dangling_pointer()
returns.
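Since ASan does not flag the VLA case, the defect has to be designed out rather than detected at runtime. The following is an added example (not from the bug report) showing two ways to restructure `returns_dangling_pointer()` so that no pointer outlives the VLA's frame: caller-owned storage, and a heap copy whose lifetime is explicit; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Caller-owned storage: the array lives in the caller's frame, so the
 * returned pointer is valid for as long as the caller keeps 'out' alive. */
static int *fill_sequence(int *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = (int)i;
    return len > 3 ? &out[3] : NULL;
}

/* Heap copy: the VLA is only scratch space; what is returned is a malloc'd
 * copy that the caller frees. ASan's heap instrumentation does track a
 * use-after-free on this buffer, unlike the VLA case in the report. */
static int *sequence_copy(size_t len) {
    if (len == 0) return NULL;            /* zero-length VLA is undefined */
    int scratch[len];
    for (size_t i = 0; i < len; i++) scratch[i] = (int)i;
    int *copy = malloc(len * sizeof *copy);
    if (copy) memcpy(copy, scratch, len * sizeof *copy);
    return copy;
}

/* Returns element 3 of the sequence using the caller-buffer pattern,
 * or -1 when the requested length is too short to contain it. */
int third_via_caller_buffer(size_t len) {
    if (len < 4) return -1;
    int buf[len];                         /* VLA owned by this frame */
    int *p = fill_sequence(buf, len);
    return p ? *p : -1;                   /* buf is still alive here */
}

/* Same value via the heap-copy pattern; ownership is explicit and freed. */
int third_via_heap_copy(size_t len) {
    if (len < 4) return -1;
    int *copy = sequence_copy(len);
    if (!copy) return -1;
    int v = copy[3];
    free(copy);
    return v;
}
```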