<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/62656>62656</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[ASAN] invalid-pointer-pair with flexible array member
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
alejandro-colomar
</td>
</tr>
</table>
<pre>
I'm getting an AddressSanitizer report that I believe is invalid.
Here's the source code of the program:
```c
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

struct s {
	int        x;
	ptrdiff_t  off[];	/* byte offsets of the strings packed after off[] */
};

int
main(void)
{
	char      *p;
	struct s  *s;

	s = malloc(offsetof(struct s, off) +
		   sizeof(ptrdiff_t) * 2 +
		   sizeof("foo") + sizeof("bar"));

	p = (char *) s + offsetof(struct s, off) + sizeof(ptrdiff_t) * 2;	/* first byte after off[] */
	s->off[0] = p - (char *) s;
	p = stpcpy(p, "foo") + 1;
	s->off[1] = p - (char *) s;
	p = stpcpy(p, "bar") + 1;

	puts((char *) s + s->off[0]);
	puts((char *) s + s->off[1]);

	free(s);
}
```
Here's the compilation and run:
```sh
$ export ASAN_OPTIONS='detect_invalid_pointer_pairs=2'
$ clang-16 --version
Debian clang version 16.0.0 (++20221111053703+a77a02aa5794-1~exp1)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
$ clang-16 -Weverything -Wno-padded -D_FORTIFY_SOURCE=3 -fstrict-flex-arrays=3 -O3 flexi2.c
$ ./a.out
foo
bar
```
And here's the same with sanitizers:
```sh
$ export ASAN_OPTIONS='detect_invalid_pointer_pairs=2'
$ clang-16 -Weverything -Wno-padded -D_FORTIFY_SOURCE=3 -fstrict-flex-arrays=3 -O3 -g -fsanitize=address -fsanitize=pointer-compare -fsanitize=pointer-subtract -fsanitize=undefined flexi2.c
$ ./a.out
=================================================================
==7569==ERROR: AddressSanitizer: invalid-pointer-pair: 0x603000000048 0xffffffffffffffef
#0 0x561cc3867b2b in main /home/alx/tmp/flexi2.c:21:43
#1 0x7f05260cf189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#2 0x7f05260cf244 in __libc_start_main csu/../csu/libc-start.c:381:3
#3 0x561cc37932e0 in _start (/home/alx/tmp/a.out+0x1e2e0) (BuildId: 832643d32c15646f636155b4b23a053d68ec17c7)
0x603000000048 is located 8 bytes inside of 32-byte region [0x603000000040,0x603000000060)
allocated by thread T0 here:
#0 0x561cc382d36e in __interceptor_malloc (/home/alx/tmp/a.out+0xb836e) (BuildId: 832643d32c15646f636155b4b23a053d68ec17c7)
#1 0x561cc3867af4 in main /home/alx/tmp/flexi2.c:17:6
Address 0xffffffffffffffef is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: invalid-pointer-pair /home/alx/tmp/flexi2.c:21:43 in main
==7569==ABORTING
```
The report refers to the following code:
```c
p = (char *) s + offsetof(struct s, off) + sizeof(ptrdiff_t) * 2;
                                         ^~~ this operation is the trigger
```
</pre>
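<p>The layout the reproducer uses (header, flexible array of offsets, strings packed behind the array, one allocation) generalized to n strings with overflow checks and a bounds-checked accessor. This is an added example, not code from the issue or from LLVM; <code>strtab</code>, <code>strtab_pack</code> and <code>strtab_get</code> are names chosen here.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as struct s in the report: header, flexible array of offsets,
 * then the packed strings, all in one allocation.  Names are this example's own. */
struct strtab {
	size_t    n;      /* number of strings stored */
	ptrdiff_t off[];  /* off[i]: byte offset of string i from the block start */
};

/* Pack n NUL-terminated strings into one block; NULL on size overflow or OOM. */
struct strtab *
strtab_pack(const char *const *strs, size_t n)
{
	struct strtab *t;
	char          *p;
	size_t         size, i;
	if (n > (SIZE_MAX - offsetof(struct strtab, off)) / sizeof(ptrdiff_t))
		return NULL;
	size = offsetof(struct strtab, off) + n * sizeof(ptrdiff_t);
	for (i = 0; i < n; i++) {
		size_t len = strlen(strs[i]) + 1;  /* include the terminator */
		if (len > SIZE_MAX - size)
			return NULL;
		size += len;
	}
	t = malloc(size);
	if (t == NULL)
		return NULL;
	t->n = n;
	p = (char *) t + offsetof(struct strtab, off) + n * sizeof(ptrdiff_t);  /* strings follow off[] */
	for (i = 0; i < n; i++) {
		size_t len = strlen(strs[i]) + 1;
		t->off[i] = p - (char *) t;  /* the same pointer subtraction the report shows */
		memcpy(p, strs[i], len);
		p += len;
	}
	return t;
}

/* Bounds-checked lookup: NULL for a NULL table or an out-of-range index. */
const char *
strtab_get(const struct strtab *t, size_t i)
{
	if (t == NULL || i >= t->n)
		return NULL;
	return (const char *) t + t->off[i];
}
```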