
So I'm playing around in VS2022 with /fsanitize=address, but I fail to understand how this is useful if it only catches a small number of out-of-bounds accesses.

For instance, this simple program works fine:

int main()
{
  unsigned char arr[2] = { 0xAA, 0xAB };
  arr[255] = 4;   // deliberately out of bounds: arr has only 2 elements
}

Is there something I'm missing? I see that small indexes like arr[2] do trigger address sanitizer errors. Is there a way to configure the limits of the address sanitizer?

Context: I discovered a bug in my C program where I would index an array using a variable which is wrongly reset to 0xFF under certain circumstances but none of my ~300 tests detect this. I thought the address sanitizer would detect it but it seems I'm wrong.

  • Are you sure this code is not optimized out? It does not do anything, so the offending stack writes could be not happening at all. Commented Feb 6 at 17:20
  • Do you want a possibility to configure the range of the sanitizer? Or would you also like a (speculated) explanation of how your observation might have been caused? I ask because I could provide some hopefully insightful (though not guaranteed) speculation, while how to configure is a question that can probably only be answered by studying the manual of your sanitizer. Consider asking so that an answer you would find helpful would actually match your question. Commented Feb 6 at 17:22
  • @gregspears I think we are in the same boat, feeling that technical discussion, even speculation, would be more helpful than how to configure. Commented Feb 6 at 17:27
  • Aside, it is virtually impossible to detect these things reliably. In this case, the sanitizer is likely implemented via stack canaries, but if the write happens far beyond the canary, it goes undetected. On the other hand, the memory which does not belong to the process is not supposed to be writable. But again, there is certain granularity to the allocated memory, so the specific write might still hit a page which is accessible and technically belongs to the process. Commented Feb 6 at 17:38
  • @Yunnosch I figured that you need more paddlers :D Commented Feb 6 at 17:45

2 Answers

how is this useful if it only catches only a small number of out of bounds accesses

First of all, catching even a small number of errors is useful.

Secondly, it catches far more than a small number of errors. It's common to accidentally dereference one beyond what's valid. NULL dereferences are another huge source of invalid dereferences, and those are also caught (by gcc's address sanitizer if not VS's).

This is why an address sanitizer provides a lot of value as a debugging tool.


9 Comments

"It's common to accidentally dereference one beyond what's valid." - however, it is also common to dereference one less than 0.. :) Well, but in that case I guess there will be some page access fault.
I think you answered a rhetorical question (well, though). The question actually asked in the question post seems to be "Is there a way to configure the limits of the address sanitizer?". I tried to convince OP to ask a better answerable question... So I think you are in the boat too. Welcome.
@Yunnosch, They asked two questions. I answered the one asked in the title, asked rhetorically, and asked non-rhetorically ("Is there something I'm missing?"). In passing, they also asked a second question to which I don't know the answer. (I didn't even know VS's compiler had an address sanitizer.) I wasn't about to let that prevent the main question from being answered. If you know the answer to the secondary question, let me know and I'll add it to my answer.
So, a question in the title (which I do not see), a question without a "?" which seems rhetorical, a question about missed details. An explicit on-topic question with a "?", which however nobody can answer. Time to close for lack of focus.
@Yunnosch, No, I'm not saying four different questions were asked. I'm saying one question was asked in three different ways, plus a short related second question. I answered the former.

ASan uses a so-called "redzone" between stack and heap objects to detect OOB accesses. The size of this zone is typically between 8 and 32 bytes. An OOB access beyond the redzone can't be detected reliably.
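The redzone explanation above, and the OP's observation that arr[2] is caught while arr[255] is not, can be illustrated with a toy shadow-memory model. The block below is an added example, not code from the question or the answer and not the real ASan implementation: it constructs a hypothetical stack frame (a 2-byte array, a 32-byte redzone after it, then an unrelated fully addressable 256-byte neighbour), marks the redzone as poisoned in a shadow byte array, and reports whether an access to arr[index] would land on poisoned shadow. The sizes, the frame layout and the assumption that anything past the frame faults are all constructed for the illustration. It also shows the complementary defence the question is really after: an explicit bounds-checked store rejects index 255 regardless of how far it lies from the redzone.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout (hypothetical, not ASan's actual layout):
 *   [0, 2)    the 2-byte array from the question, addressable
 *   [2, 34)   32-byte redzone, poisoned (page says redzones are 8..32 bytes)
 *   [34, 290) some unrelated neighbouring object, addressable
 * Shadow byte: 1 = poisoned, 0 = addressable. */
#define ARR_SIZE      2u
#define REDZONE_SIZE  32u
#define NEIGHBOR_SIZE 256u
#define FRAME_SIZE    (ARR_SIZE + REDZONE_SIZE + NEIGHBOR_SIZE)

static uint8_t shadow[FRAME_SIZE];

static void build_frame(void)
{
    memset(shadow, 0, sizeof shadow);            /* everything addressable ...          */
    memset(shadow + ARR_SIZE, 1, REDZONE_SIZE);  /* ... except the redzone after arr    */
}

/* Would the modelled instrumentation flag a write to arr[index]?
 * Model assumption: anything past the end of the frame is unmapped and faults. */
bool asan_model_detects(size_t index)
{
    build_frame();
    if (index >= FRAME_SIZE)
        return true;
    return shadow[index] != 0;
}

/* Explicit bounds-checked store: rejects every out-of-range index,
 * near or far, instead of relying on what happens to be poisoned. */
bool checked_store(uint8_t *arr, size_t len, size_t index, uint8_t value)
{
    if (index >= len) {
        fprintf(stderr, "bounds violation: index %zu >= length %zu\n", index, len);
        return false;
    }
    arr[index] = value;
    return true;
}

/* Same store against the question's 2-byte array; returns whether it was accepted. */
bool checked_store_demo(size_t index)
{
    uint8_t arr[ARR_SIZE] = { 0xAA, 0xAB };
    return checked_store(arr, ARR_SIZE, index, 4);
}

int main(void)
{
    size_t probes[] = { 1, 2, 33, 34, 255 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("arr[%3zu]: redzone model flags it: %-3s  checked_store accepts it: %s\n",
               probes[i],
               asan_model_detects(probes[i]) ? "yes" : "no",
               checked_store_demo(probes[i]) ? "yes" : "no");
    }
    return 0;
}
```

In this model arr[2] through arr[33] hit poisoned shadow and are reported, while arr[255] lands inside the addressable neighbour and passes silently, which is the effect the answer describes. The checked store rejects arr[2] and arr[255] alike, so for a bug like the OP's 0xFF index an explicit range check in the indexing code (or a test that asserts on the index variable) is the reliable detection, with ASan catching the off-by-small-amount cases as a bonus.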
