https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108894

            Bug ID: 108894
           Summary: -fsanitize=bounds missing bounds provided by
                    __builtin_dynamic_object_size()
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: kees at outflux dot net
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org,
                    marxin at gcc dot gnu.org
  Target Milestone: ---

Created attachment 54508
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54508&action=edit
PoC showing lack of __bdos support in -fsanitize=bounds

While -fsanitize=bounds is able to perform run-time bounds checking on
fixed-size arrays (i.e. when __builtin_object_size(x, 1) does not return
SIZE_MAX), it does not perform bounds checking when
__builtin_dynamic_object_size(x, 1) is available.

For example, the attached program produces _no_ bounds-checker warnings:

$ gcc -Wall -O2 -fstrict-flex-arrays=3 -fsanitize=bounds -fstrict-flex-arrays=3
-o bounds bounds.c
$ ./bounds

p->array has a fixed size: 64 (16 elements of size 4)
p->array[0] assignment: 255 (should be ok)
p->array[16] assignment: 255 (should be failure)

p->array has a dynamic size: 64 (16 elements of size 4)
p->array[0] assignment: 255 (should be ok)
p->array[16] assignment: 255 (should be failure)

p->array has unknowable size
p->array[0] assignment: 255 (should be ok)
p->array[16] assignment: 255 (should be failure)


Note that the first failure for a fixed size array implies that
-fsanitize=bounds has also not been wired up to -fstrict-flex-arrays=3, so it
is ignoring all trailing arrays.
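The attachment itself is not reproduced on this page, so the following is a constructed C example (not the reporter's PoC) that rebuilds the three cases from the output above: a fixed-size trailing array, a flexible array member sized at run time by malloc, and the same allocation seen through a pointer the compiler cannot trace. The struct names, `flex_alloc`, `store_checked` and `flex_store` are assumptions. `store_checked` takes the bound the compiler can prove (via `__builtin_dynamic_object_size`, falling back to `__builtin_object_size` on older compilers) and reports when no bound is known, which is the gap the report describes; `flex_store` shows the count-field check that is always available at run time.

```c
/* Constructed example: three object-size cases and a manual bounds check. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prefer the dynamic builtin (GCC 12+, clang 9+); otherwise the static one.
 * This must stay a macro: once the pointer crosses a non-inlined call the
 * compiler no longer knows which allocation it came from. */
#if defined(__has_builtin)
#  if __has_builtin(__builtin_dynamic_object_size)
#    define OBJ_SIZE(p) __builtin_dynamic_object_size((p), 1)
#  endif
#endif
#ifndef OBJ_SIZE
#  define OBJ_SIZE(p) __builtin_object_size((p), 1)
#endif

struct fixed { int count; int array[16]; };  /* case 1: fixed-size trailing array */
struct flex  { int count; int array[]; };    /* case 2/3: flexible array member */

/* Allocate a struct flex with 'count' elements and record the count (assumed helper). */
struct flex *flex_alloc(int count)
{
    size_t bytes = (size_t)count * sizeof(int);
    struct flex *p = malloc(sizeof(*p) + bytes);
    if (p == NULL)
        return NULL;
    p->count = count;
    memset(p->array, 0, bytes);
    return p;
}

/* Store using the bound the compiler proved for 'array'.
 * Returns -1 if no bound was known (SIZE_MAX), 0 if refused, 1 if stored. */
int store_checked(int *array, size_t array_bytes, int idx, int value)
{
    if (array_bytes == SIZE_MAX)
        return -1;
    if (idx < 0 || (size_t)idx >= array_bytes / sizeof(int))
        return 0;
    array[idx] = value;
    return 1;
}
/* Evaluate the object size at the call site, where the allocation is visible. */
#define STORE_CHECKED(arr, idx, v) store_checked((arr), OBJ_SIZE(arr), (idx), (v))

/* Store using the structure's own element count; works regardless of what
 * the compiler can prove. Returns 0 if refused, 1 if stored. */
int flex_store(struct flex *p, int idx, int value)
{
    if (idx < 0 || idx >= p->count)
        return 0;
    p->array[idx] = value;
    return 1;
}

static const char *describe(int r)
{
    return r < 0 ? "no bound known" : (r ? "stored" : "refused");
}

/* Case 3: behind a call the compiler cannot see through, the size is unknowable. */
__attribute__((noinline)) static void opaque(struct flex *p)
{
    printf("opaque  p->array: size %zu, [0] %s, [16] %s\n",
           (size_t)OBJ_SIZE(p->array),
           describe(STORE_CHECKED(p->array, 0, 255)),
           describe(STORE_CHECKED(p->array, 16, 255)));
}

int main(void)
{
    struct fixed f = { .count = 16 };
    printf("fixed   p->array: size %zu, [0] %s, [16] %s\n",
           (size_t)OBJ_SIZE(f.array),
           describe(STORE_CHECKED(f.array, 0, 255)),
           describe(STORE_CHECKED(f.array, 16, 255)));

    struct flex *d = flex_alloc(16);
    if (d == NULL)
        return 1;
    printf("dynamic p->array: size %zu, [0] %s, [16] %s\n",
           (size_t)OBJ_SIZE(d->array),
           describe(STORE_CHECKED(d->array, 0, 255)),
           describe(STORE_CHECKED(d->array, 16, 255)));
    printf("count   p->array: [0] %s, [16] %s\n",
           describe(flex_store(d, 0, 255)),
           describe(flex_store(d, 16, 255)));
    opaque(d);
    free(d);
    return 0;
}
```

Build it the way the report does (`gcc -Wall -O2 -fstrict-flex-arrays=3 -fsanitize=bounds`) and compare the printed sizes with the sanitizer's behaviour: whatever bound `OBJ_SIZE` reports at each call site is the bound the report argues `-fsanitize=bounds` should also be using, and the reported size depends on the compiler version and optimization level, so only the count-field path has the same result everywhere.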
