<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/62078>62078</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
global-buffer-overflow on empty strings on windows
</td>
</tr>
<tr>
<th>Labels</th>
<td>
compiler-rt:asan
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
amykhuang
</td>
</tr>
</table>
<pre>
I'm seeing ASan crashes on Windows that look like
```
$ ASAN_OPTIONS=detect_odr_violation=0 ./hello.exe
=================================================================
==16200==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ff7f15f04e0 at pc 0x7ff7f15a7e68 bp 0x004ff18ff3c0 sp 0x004ff18ff408
READ of size 1 at 0x7ff7f15f04e0 thread T0
#0 0x7ff7f15a7e67 in __asan_wrap_strlen (C:\src\testing\asan\build\hello.exe+0x140027e67)
#1 0x7ffde5941699 (C:\Windows\SYSTEM32\ntdll.dll+0x180051699)
#2 0x7ff7f15ccfbe in __asan_update_allocation_context (C:\src\testing\asan\build\hello.exe+0x14004cfbe)
0x7ff7f15f04e0 is located 15 bytes after global variable '"FLAGS_hello_worl"' defined in 'hello.cc' (0x7ff7f15f04c0) of size 17
'"FLAGS_hello_worl"' is ascii string 'FLAGS_hello_worl'
0x7ff7f15f04e0 is located 0 bytes inside of global variable '""' defined in 'flag.cc' (0x7ff7f15f04e0) of size 1
'""' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow (C:\src\testing\asan\build\hello.exe+0x140027e67) in __asan_wrap_strlen
Shadow bytes around the buggy address:
0x7ff7f15f0200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7f15f0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7f15f0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7f15f0380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7f15f0400: 00 00 00 00 00 00 f9 f9 00 00 05 f9 f9 f9 f9 f9
=>0x7ff7f15f0480: 00 00 02 f9 f9 f9 f9 f9 00 00 01 f9[f9]f9 f9 f9
0x7ff7f15f0500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7f15f0580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7f15f0600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7f15f0680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7f15f0700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16200==ABORTING
```
I managed to reduce the code to this:
```
$ clang -cc1 -triple x86_64-pc-windows-msvc -emit-obj -O0 -fsanitize=address -fno-sanitize-address-use-odr-indicator -o flag.obj -x c++ flag.cc
$ clang -cc1 -triple x86_64-pc-windows-msvc -emit-obj -O0 -fms-extensions -fsanitize=address -fsanitize-address-globals-dead-stripping -fno-sanitize-address-use-odr-indicator -o hello.obj -x c++ hello.cc -isystem "C:/Program Files/Microsoft Visual Studio/2022/Professional/VC/Tools/MSVC/14.33.31629/include" -isystem "C:/Program Files (x86)/Windows Kits/10/Include/10.0.22621.0/ucrt" -D_DISABLE_STRING_ANNOTATION
$ llvm-lib hello.obj -OUT:libhello.lib
$ llvm-lib flag.obj -OUT:libflag.lib
$ lld-link -subsystem:console -OUT:hello.exe libhello.lib -wholearchive:libflag.lib -wholearchive:C:/src/llvm-project/build/lib/clang/17/lib/windows/clang_rt.asan-x86_64.lib
$ ASAN_OPTIONS=detect_odr_violation=0 ./hello.exe
```
where flag.cc is
```
const char* emptyflag = "";
```
and hello.cc is
```
#include <string>
static const char* StringFromEnv(const char* flag) {
  return "";
}
std::string FLAGS_hello = StringFromEnv("FLAGS_hello_worl");
int main() {
  return 0;
}
```
I also found https://github.com/google/sanitizers/issues/1102 which looks similar.
</pre>
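<pre>
A way to cross-check the report above, added here as an example and not part of the original issue: it decodes the shadow rows around the fault and tests whether the two globals named in the report are addressable. Function names are hypothetical; the row labels are assumed to be application addresses, as the 0x80 row stride in this dump implies.

```python
import re

# Constructed input: the two shadow rows nearest the fault, copied from the report.
REPORT = """\
  0x7ff7f15f0400: 00 00 00 00 00 00 f9 f9 00 00 05 f9 f9 f9 f9 f9
=>0x7ff7f15f0480: 00 00 02 f9 f9 f9 f9 f9 00 00 01 f9[f9]f9 f9 f9
"""
GRANULE = 8            # one shadow byte represents 8 application bytes (legend)
GLOBAL_REDZONE = 0xF9  # "Global redzone: f9" (legend)


def parse_shadow(report):
    """Map the start address of each 8-byte granule to its shadow byte.

    Assumption: each row label is the application address of the first
    granule in that row (16 shadow bytes per row, so rows step by 0x80).
    """
    shadow = {}
    for line in report.splitlines():
        m = re.match(r"\s*(?:=>)?\s*(0x[0-9a-f]+):(.*)", line)
        if not m:
            continue
        base = int(m.group(1), 16)
        # The [..] marker around the faulting byte is ignored by the pattern.
        for i, byte in enumerate(re.findall(r"[0-9a-f]{2}", m.group(2))):
            shadow[base + i * GRANULE] = int(byte, 16)
    return shadow


def addressable_bytes(shadow, addr):
    """Number of valid leading bytes (0..8) in the granule containing addr."""
    s = shadow[addr - addr % GRANULE]
    if s == 0:
        return GRANULE                 # 00: whole granule addressable
    return s if s < GRANULE else 0     # 01..07: partial; anything else: poisoned


def poisoned_offsets(shadow, start, size):
    """Offsets inside [start, start + size) that the shadow marks unaddressable."""
    return [off for off in range(size)
            if (start + off) % GRANULE >= addressable_bytes(shadow, start + off)]


SHADOW = parse_shadow(REPORT)
HELLO_GLOBAL = poisoned_offsets(SHADOW, 0x7FF7F15F04C0, 17)  # '"FLAGS_hello_worl"'
EMPTY_GLOBAL = poisoned_offsets(SHADOW, 0x7FF7F15F04E0, 1)   # '""' from flag.cc
```

For this dump the 17-byte global from hello.cc decodes as fully addressable (`00 00 01`), while the 1-byte `""` that the report places at 0x7ff7f15f04e0 sits on an `f9` granule, so the report describes the same address both as the start of a registered global and as global redzone.
</pre>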