llvm dev - Nov 2017 - [Sanitizer] Sanitizer does not identify violation

Hello fellas,
  Recently i was working on bug, which is simplified as follow.


==================================================================================================================Code:
#include<iostream>

int thisShallError(int b[10]){
int gaurdTop = 0xF0F0;
int c[16] = {0};
int gaurdDown[16];
gaurdDown[0] = 0x0F0F;
return c[16] | b[11];
}

int main(){
int mb[32]={0};
mb[11] = 0xF0F0;
std::cout<<std::hex << thisShallError(mb);
return 0;
}


Warning:

4 : <source>:4:9: warning: unused variable 'gaurdTop'
[-Wunused-variable] <https://godbolt.org/#>
    int gaurdTop = 0xF0F0;
        ^
8 : <source>:8:12: warning: array index 16 is past the end of the
array (which contains 16 elements) [-Warray-bounds]
<https://godbolt.org/#>
    return c[16] | b[11];
           ^ ~~
5 : <source>:5:5: note: array 'c' declared here
<https://godbolt.org/#>
    int c[16] = {0};
    ^
2 warnings generated.
Compiler exited with result code 0

==============================================================================

Things to note here.
1. variable b's size is know at compile time and i was expecting error just
like c [third warning]
2. thisShallError accepts size of array as 10 but it is clearly declared
with 32. Should we do something. [Given fact that Array will decay to
pointer but sanitizer may warn, if possible]

I want to confirm if this is bug or not,sanitizer has no false positive
rule scenario??, will happy to patch it myself :)

Thanks
Mahesh
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20171105/3c6c34de/attachment.html>

Mahesh,

First, to clarify: the term "sanitizer" refers to a set of dynamic
techniques for finding bugs and it does not intersect at all with these
statically-detected compiler warnings.  The AddressSanitizer would detect
out-of-bounds issues like these at runtime and in my experience false
negatives and false positives are very rare.  Though since the access of
b[11] is actually in-bounds, it would not trigger.  This behavior is likely
by design and not considered a bug.

So, regarding the warnings:

If you had declared the parameter with "static" qualifying the size,
*and*
you had passed an array smaller than the size indicated, that would result
in another warning from the caller.  Note that this is a C99 feature that
is not present in C++.

Here's a demo showing the resulting warnings from clang when using that
feature: https://godbolt.org/g/48NnME

Absent the "static" qualifier for the size, there's no real
restriction
from the language regarding the access of b[11] in the thisShallError()
func beyond it failing to meet an implicit API.


On Sat, Nov 4, 2017 at 2:01 PM, Mahesh Attarde via llvm-dev <
llvm-dev at lists.llvm.org> wrote:
> Hello fellas,
>   Recently i was working on bug, which is simplified as follow.
>
>
> ===========================================================>
======================================================> Code:
> #include<iostream>
>
> int thisShallError(int b[10]){
> int gaurdTop = 0xF0F0;
> int c[16] = {0};
> int gaurdDown[16];
> gaurdDown[0] = 0x0F0F;
> return c[16] | b[11];
> }
>
> int main(){
> int mb[32]={0};
> mb[11] = 0xF0F0;
> std::cout<<std::hex << thisShallError(mb);
> return 0;
> }
>
>
> Warning:
>
> 4 : <source>:4:9: warning: unused variable 'gaurdTop'
[-Wunused-variable] <https://godbolt.org/#>
>     int gaurdTop = 0xF0F0;
>         ^
> 8 : <source>:8:12: warning: array index 16 is past the end of the
array (which contains 16 elements) [-Warray-bounds]
<https://godbolt.org/#>
>     return c[16] | b[11];
>            ^ ~~
> 5 : <source>:5:5: note: array 'c' declared here
<https://godbolt.org/#>
>     int c[16] = {0};
>     ^
> 2 warnings generated.
> Compiler exited with result code 0
>
> ===========================================================>
==================>
>
> Things to note here.
> 1. variable b's size is know at compile time and i was expecting error
> just like c [third warning]
> 2. thisShallError accepts size of array as 10 but it is clearly declared
> with 32. Should we do something. [Given fact that Array will decay to
> pointer but sanitizer may warn, if possible]
>
> I want to confirm if this is bug or not,sanitizer has no false positive
> rule scenario??, will happy to patch it myself :)
>
> Thanks
> Mahesh
>
>
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
>
>

-- 
-Brian
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20171104/4dbae874/attachment.html>