[llvm-bugs] [Bug 26095] New: -fsanitize=object-size checks sizes too eagerly

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Jan 8 19:52:05 PST 2016


https://llvm.org/bugs/show_bug.cgi?id=26095

            Bug ID: 26095
           Summary: -fsanitize=object-size checks sizes too eagerly
           Product: clang
           Version: trunk
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: C++
          Assignee: unassignedclangbugs at nondot.org
          Reporter: george.burgess.iv at gmail.com
                CC: dgregor at apple.com, llvm-bugs at lists.llvm.org
    Classification: Unclassified

Compiling the following program with `-fsanitize=object-size` gives an
executable that traps:

struct Foo { };                       // empty base: sizeof(Foo) == 1
struct Bar : public Foo { int i; };   // derived class, larger than Foo

Bar *volatile B;                      // volatile so the cast is not optimised away

int main() {
  Foo F;
  B = static_cast<Bar*>(&F);          // downcast only; B is never dereferenced
  return 0;
}

(Full set of flags used: ./bin/clang++ foo.cpp -fsanitize=object-size
-fsanitize-trap=all -O1 )

AFAIK, it's perfectly okay to cast a pointer to `T` to a
(non-member/non-function) pointer to any other type, so long as you don't
dereference the cast pointer as a non-{T, superclass-of-T, char}. So, this
code is sketchy, but valid.

This is mildly problematic, because libc++ takes advantage of the above trick
in its `__tree` implementation[1], which causes trapping when constructing
`std::map`s.

[1] - Specifically in `__tree::__end_node()`; it casts an `__end_node_t*` to a
`__node*`, when the `__end_node_t*` may point to something smaller than
`sizeof(__node)`
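As an added illustration of the sentinel-node pattern the footnote describes (this is example code written for this page, not the reporter's program and not libc++'s `__tree`; the names `EndNode`, `Node`, `sum_chain` and `reads_beyond_sentinel` are hypothetical), the sentinel carries only the link member, the full node adds a payload, and the sentinel is viewed through a `Node*` while only the shared member is read through it. The size comparison and the `reads_beyond_sentinel` predicate make explicit what `-fsanitize=object-size` compares (pointee size against `sizeof` of the cast-to type) and what an actual out-of-bounds access would look like:

```cpp
#include <cstddef>

// Hypothetical layout modelled on the report's description of libc++ __tree:
// the end/sentinel node holds only the link, the real node adds data.
struct EndNode {
  struct Node *left = nullptr;   // the only member the sentinel shares with Node
};

struct Node : EndNode {
  int value = 0;                 // payload the sentinel does not have
};

// Sizes that -fsanitize=object-size compares: an EndNode object is viewed
// through a Node* although it is smaller than sizeof(Node).
constexpr std::size_t sentinel_size() { return sizeof(EndNode); }
constexpr std::size_t node_size() { return sizeof(Node); }

// Walks a chain headed by a sentinel EndNode. The sentinel is cast to Node*
// (the same downcast as in the report), but only the EndNode member `left`
// is read through that pointer, so no byte past sizeof(EndNode) is touched.
int sum_chain(EndNode *end) {
  int total = 0;
  // This cast alone is what the sanitizer flags, before any dereference.
  Node *cursor = static_cast<Node *>(end)->left;
  while (cursor != nullptr) {
    total += cursor->value;      // cursor addresses a real Node here
    cursor = cursor->left;
  }
  return total;
}

// Constructed input: three real nodes hung off a sentinel, values 1, 2, 3.
int demo_chain() {
  Node a, b, c;
  a.value = 1; b.value = 2; c.value = 3;
  EndNode end;
  end.left = &a; a.left = &b; b.left = &c; c.left = nullptr;
  return sum_chain(&end);        // returns 6
}

// The genuinely unsafe case: an access whose byte range extends past the
// pointee. Reading Node::value through a pointer that really addresses an
// EndNode would satisfy this predicate; reading EndNode::left would not.
bool reads_beyond_sentinel(std::size_t object_size, std::size_t member_offset,
                           std::size_t member_size) {
  return member_offset + member_size > object_size;
}
```

The check in `sum_chain` is exactly the situation the report calls "sketchy, but valid": the pointer type promises `sizeof(Node)` bytes, the object provides `sizeof(EndNode)`, and correctness rests on the code never touching the difference.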
