<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - AddressSanitizer doesn't catch stack-use-after-return of variable-length arrays"
href="https://bugs.llvm.org/show_bug.cgi?id=43633">43633</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>AddressSanitizer doesn't catch stack-use-after-return of variable-length arrays
</td>
</tr>
<tr>
<th>Product</th>
<td>compiler-rt
</td>
</tr>
<tr>
<th>Version</th>
<td>8.0
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>asan
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>csander@caltech.edu
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>ASAN correctly warns when dereferencing a returned reference to a local
fixed-length array. See this example:
```
#include <stdio.h>
#include <stddef.h>

/* Deliberately broken: returns a pointer into automatic storage that
 * ceases to exist when the function returns. */
int *returns_dangling_pointer(void) {
    int a[5];
    for (size_t i = 0; i < 5; i++) a[i] = (int)i;
    return &a[3];
}

int main(void) {
    /* Dereferencing the dangling pointer is undefined behaviour. */
    printf("%d\n", *returns_dangling_pointer());
}
```
Compiling with clang -fsanitize=address and running the program with
ASAN_OPTIONS=detect_stack_use_after_return=1 reports a stack use after return,
as expected:
[32, 52) 'a' <== Memory access at offset 44 is inside this variable
But if the array is replaced by a VLA, ASAN does not catch the undefined
behavior. Example:
```
#include <stdio.h>
#include <stddef.h>

/* Same defect, but the local is a variable-length array. */
int *returns_dangling_pointer(size_t len) {
    int a[len];
    for (size_t i = 0; i < len; i++) a[i] = (int)i;
    return &a[3];
}

int main(void) {
    /* Dereferencing the dangling pointer is undefined behaviour. */
    printf("%d\n", *returns_dangling_pointer(5));
}
```
Compiling and running as before, the program prints 3 and exits normally. I
would have expected ASAN to identify that the returned pointer refers to
stack-allocated memory that is no longer valid once returns_dangling_pointer()
returns.</pre>
</div>
</p>
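<p>Because the sanitizer gives no signal for the VLA case, the dangling return has to be prevented at the source rather than detected at run time. The following added example (not code from the bug report or from compiler-rt) shows the two conventional hardened forms of the reporter's function: storage owned by the caller, and storage allocated on the heap with ownership handed to the caller. The function names <code>fill_into_caller_buffer</code>, <code>allocate_and_fill</code>, <code>demo_caller_buffer</code> and <code>demo_heap</code> are assumptions of this example. Both variants also bounds-check the requested index, which the original loop did not.</p>
<pre>
```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hardened variant 1 (example name): the caller supplies the array, so the
 * returned pointer lives exactly as long as the caller's buffer does.
 * Returns NULL on a NULL buffer or an out-of-range index. */
int *fill_into_caller_buffer(int *buf, size_t len, size_t idx) {
    if (buf == NULL || idx >= len) return NULL;
    for (size_t i = 0; i < len; i++) buf[i] = (int)i;
    return &buf[idx];
}

/* Hardened variant 2 (example name): heap storage whose ownership passes to
 * the caller, who must free() it. Returns NULL on zero length, overflow of
 * the size computation, or allocation failure. */
int *allocate_and_fill(size_t len) {
    if (len == 0 || len > SIZE_MAX / sizeof(int)) return NULL;
    int *a = malloc(len * sizeof *a);
    if (a == NULL) return NULL;
    for (size_t i = 0; i < len; i++) a[i] = (int)i;
    return a;
}

/* Exercises variant 1 with a fixed 8-element buffer; -1 means "rejected". */
int demo_caller_buffer(size_t idx) {
    int buf[8];
    int *p = fill_into_caller_buffer(buf, sizeof buf / sizeof buf[0], idx);
    return p ? *p : -1;
}

/* Exercises variant 2; -1 means "rejected" (bad length or index). */
int demo_heap(size_t len, size_t idx) {
    int *a = allocate_and_fill(len);
    if (a == NULL || idx >= len) {
        free(a);
        return -1;
    }
    int v = a[idx];
    free(a);
    return v;
}

int main(void) {
    /* Mirrors the report's &a[3] case: both variants yield 3 safely. */
    printf("caller buffer: %d\n", demo_caller_buffer(3));
    printf("heap: %d\n", demo_heap(5, 3));
    /* Out-of-range requests are rejected instead of read past the array. */
    printf("rejected: %d %d\n", demo_caller_buffer(8), demo_heap(5, 9));
    return 0;
}
```
</pre>
<p>Neither variant hands out a pointer into a frame that is about to be torn down, so the code is correct with or without instrumentation; the sanitizer is then a second line of defence rather than the only one.</p>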
</body>
</html>