<html>
    <head>
      <base href="https://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - -fsanitize=object-size checks sizes too eagerly"
   href="https://llvm.org/bugs/show_bug.cgi?id=26095">26095</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>-fsanitize=object-size checks sizes too eagerly
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>C++
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedclangbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>george.burgess.iv@gmail.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>dgregor@apple.com, llvm-bugs@lists.llvm.org
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Compiling the following program with `-fsanitize=object-size` gives an
executable that traps:

struct Foo { };
struct Bar : public Foo { int i; };

Bar *volatile B;

int main() {
  Foo F;
  B = static_cast<Bar*>(&F);
  return 0;
}

(Full set of flags used: ./bin/clang++ foo.cpp -fsanitize=object-size
-fsanitize-trap=all -O1 )

AFAIK, it's perfectly okay to cast a pointer to `T` to a
(non-member/non-function) pointer to any other type, so long as you don't
dereference the casted pointer as a non-{T, superclass-of-T, char}. So, this
code is sketchy, but valid.

This is mildly problematic, because libc++ takes advantage of the above trick
in its `__tree` implementation[1], which causes trapping when constructing
`std::map`s.

[1] - Specifically in `__tree::__end_node()`; it casts an `__end_node_t*` to a
`__node*`, when the `__end_node_t*` may point to something smaller than
`sizeof(__node)`</pre>
        </div>
      </p>
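<p>The following C++ program is an added example and is not code from the bug report or from libc++. It reduces the <code>__tree</code> end-node trick the reporter describes to a tiny sentinel-terminated chain: <code>EndNode</code>, <code>Node</code> and <code>Tree</code> are hypothetical stand-ins for <code>__end_node_t</code>, <code>__node</code> and <code>__tree</code>, and <code>object_size_check_would_trap</code> models the size comparison that <code>-fsanitize=object-size</code> makes at the cast site (a model, not the sanitizer's own code). It shows both the cast the sanitizer trips over and an alternative accessor that keeps the sentinel typed as what it actually is, so the sanitizer has nothing to flag.</p>

```cpp
// Added example, not code from the bug report or from libc++: a reduced
// model of the libc++ __tree end-node trick described above. EndNode, Node
// and Tree are hypothetical stand-ins for __end_node_t, __node and __tree.
#include <cstddef>
#include <cstdio>

// Sentinel part of a node: only the link, no payload.
struct EndNode {
    EndNode *left = nullptr;
};

// A real node adds the payload, so sizeof(Node) > sizeof(EndNode).
struct Node : EndNode {
    int value = 0;
};

// Models the comparison -fsanitize=object-size effectively makes at the
// cast: the pointee is known to be `actual_object_size` bytes, but the cast
// yields a pointer to a `target_type_size`-byte type. When the object is
// smaller, the check fires even though nothing has been dereferenced yet.
constexpr bool object_size_check_would_trap(std::size_t actual_object_size,
                                            std::size_t target_type_size) {
    return actual_object_size < target_type_size;
}

class Tree {
public:
    // libc++-style accessor: the sentinel is a complete EndNode, but it is
    // handed out as Node*. Valid as long as only EndNode members are touched
    // through it; this is the cast the sanitizer trips over.
    Node *end_as_derived() { return static_cast<Node *>(&end_node_); }

    // Alternative that gives the sanitizer nothing to flag: keep the sentinel
    // typed as what it is, and downcast only objects that really are Nodes.
    EndNode *end_as_base() { return &end_node_; }

    void push_front(Node *n) {
        n->left = end_node_.left;
        end_node_.left = n;
    }

    int sum_via_derived_sentinel() {
        int total = 0;
        // end_as_derived()->left reads a base-class member of the sentinel.
        for (EndNode *p = end_as_derived()->left; p != nullptr; p = p->left)
            total += static_cast<Node *>(p)->value;  // p really is a Node here
        return total;
    }

    int sum_via_base_sentinel() {
        int total = 0;
        for (EndNode *p = end_as_base()->left; p != nullptr; p = p->left)
            total += static_cast<Node *>(p)->value;  // downcast only real Nodes
        return total;
    }

private:
    EndNode end_node_;  // sentinel: sizeof(EndNode) bytes, not sizeof(Node)
};

// Constructed data: a two-element chain (values 3 and 4), summed each way.
int demo_sum_derived() {
    Tree t;
    Node a, b;
    a.value = 3;
    b.value = 4;
    t.push_front(&a);
    t.push_front(&b);
    return t.sum_via_derived_sentinel();
}

int demo_sum_base() {
    Tree t;
    Node a, b;
    a.value = 3;
    b.value = 4;
    t.push_front(&a);
    t.push_front(&b);
    return t.sum_via_base_sentinel();
}

int main() {
    std::printf("sizeof(EndNode)=%zu sizeof(Node)=%zu would_trap=%d\n",
                sizeof(EndNode), sizeof(Node),
                static_cast<int>(object_size_check_would_trap(sizeof(EndNode), sizeof(Node))));
    std::printf("sum via derived-typed sentinel = %d\n", demo_sum_derived());
    std::printf("sum via base-typed sentinel    = %d\n", demo_sum_base());
    return 0;
}
```

<p>Both traversals compute the same sum, which is the reporter's point: the program is valid because the sentinel is only ever read through its <code>EndNode</code> members. The difference is that <code>end_as_derived()</code> produces a <code>Node*</code> to an object of <code>sizeof(EndNode)</code> bytes, so an object-size check applied at the cast (rather than at a dereference) reports it, while <code>end_as_base()</code> never forms such a pointer.</p>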
    </body>
</html>