<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/61133>61133</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Clang Stack Protector Falsely Claims Stack Smashing When Assigning to Variable in Another Stack Frame
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          gavinhoward
      </td>
    </tr>
</table>

<pre>
```
clang version 15.0.7
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm/15/bin
Configuration file: /etc/clang/clang.cfg
```

To reproduce, use the following file:

```
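#include <stdlib.h> /* exit() */

#include <bcl.h>

/* Converts a BclNumber to a BclBigDig; bcl writes the result through &b_int. */
static BclBigDig
x(BclNumber b)
{
        BclError e;
        BclBigDig b_int;

        e = bcl_bigdig_keep(b, &b_int);
        if (e != BCL_ERROR_NONE) exit(1);

        return b_int;
}

int
main(int argc, char* argv[])
{
        BclError bclerr;
        BclContext ctxt;
        BclNumber t;  /* unused; kept as in the original reproducer */
        char* ts;     /* unused; kept as in the original reproducer */
        BclBigDig r;
        BclNumber b;

        /* Library and context setup. */
        bclerr = bcl_start();
        if (bclerr != BCL_ERROR_NONE) return 1;

        bclerr = bcl_init();
        if (bclerr != BCL_ERROR_NONE) return 1;

        ctxt = bcl_ctxt_create();
        if (ctxt == NULL) return 1;

        bclerr = bcl_pushContext(ctxt);
        if (bclerr != BCL_ERROR_NONE) return 1;

        /* Check the number that was just parsed, not the uninitialized `t`. */
        b = bcl_parse("3");
        if (bcl_err(b)) return 1;

        r = x(b);

        return (r != 3);
}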
```

I named it `bug.c`.

Steps to reproduce:

```
$ ls
bug.c
$ git clone https://git.gavinhoward.com/gavin/bc.git
$ cd bc
$ CC=clang CFLAGS="-fstack-protector-strong" ./configure -gO0 -a
$ make
$ cd ..
$ clang -fstack-protector-strong -Ibc/include -o bug bug.c -Lbc/bin -lbcl
$ ./bug
*** stack smashing detected ***: terminated
Aborted
```

This reproducer uses my `bc` library (`bcl`) available at <https://git.gavinhoward.com/gavin/bc> and <https://github.com/gavinhoward/bc>. This library makes the `bc` math available to C code.

The code calls [`bcl_bigdig_keep()`][1], which just calls [`bcl_bigdig_helper()`][2].

After experimentation, I found that commenting out [this line][3] removes the problem. I also found that replacing that line with `*result = 3;` does *not* remove the problem.

`result` is a variable in another stack frame whose address is passed to `bcl`, which should mean it's okay to store a value there. Yet I get the stack smashing warning.

**Expected behavior**: `./bug` runs to completion and returns a 0 exit status. Compiling exactly the same, but with GCC, does do that.

[1]: https://git.gavinhoward.com/gavin/bc/src/branch/master/src/library.c#L843-L847
[2]: https://git.gavinhoward.com/gavin/bc/src/branch/master/src/library.c#L802-L835
[3]: https://git.gavinhoward.com/gavin/bc/src/branch/master/src/library.c#L823
</pre>