I'm puzzled by an address sanitizer error in some code I'm compiling. It's a legacy C program (Spice3f5) that defines a few global variables:
bool ft_servermode = false; /* Are we a server? */
bool ft_nutmeg = false; /* Are we nutmeg? */
bool ft_batchmode = false; /* Are we running in batch mode? */
In some other function where these are defined as extern bool, we have:
if (ft_nutmeg == true)
return (US_OK);
Address sanitizer complains about this:
=================================================================
==14345==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000100b807c0 at pc 0x0001003fcefc bp 0x00016fdd7ff0 sp 0x00016fdd7fe8
READ of size 4 at 0x000100b807c0 thread T0
#0 0x0001003fcef8 in cp_usrset options.c:333
#1 0x00010019c4e4 in cp_vset variable.c:168
#2 0x000100189830 in cp_init modify.c:27
#3 0x000100301b64 in ft_cpinit cpitf.c:55
#4 0x000100008224 in main main.cpp:413
#5 0x00018bf82b94 in start+0x17b8 (dyld:arm64e+0xfffffffffff3ab94)
0x000100b807c0 is located 32 bytes before global variable 'ft_batchmode' defined in '../../src/bin/main.cpp' (0x000100b807e0) of size 1
'ft_batchmode' is ascii string ''
0x000100b807c1 is located 0 bytes after global variable 'ft_nutmeg' defined in '../../src/bin/main.cpp' (0x000100b807c0) of size 1
'ft_nutmeg' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow options.c:333 in cp_usrset
Shadow bytes around the buggy address:
0x000100b80500: 00 00 00 00 00 00 00 00 00 f9 f9 f9 00 f9 f9 f9
0x000100b80580: 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9
0x000100b80600: 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9 01 f9 f9 f9
0x000100b80680: 01 f9 f9 f9 00 f9 f9 f9 00 00 00 00 00 00 00 00
0x000100b80700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000100b80780: f9 f9 f9 f9 01 f9 f9 f9[01]f9 f9 f9 01 f9 f9 f9
0x000100b80800: 00 f9 f9 f9 00 f9 f9 f9 00 00 00 00 00 00 00 00
0x000100b80880: 00 f9 f9 f9 04 f9 f9 f9 04 f9 f9 f9 00 f9 f9 f9
0x000100b80900: 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9
0x000100b80980: 00 f9 f9 f9 04 f9 f9 f9 04 f9 f9 f9 00 f9 f9 f9
0x000100b80a00: 04 f9 f9 f9 00 f9 f9 f9 04 f9 f9 f9 00 f9 f9 f9
Now the bool var seems to be set as a single byte with value 01 (true). So why is it complaining about a global buffer overflow? It would appear it thinks ft_nutmeg is being assigned an int rather than a bool? Or is this just a false positive?
READ of size 4 at 0x000100b807c0 thread T0
at
if (ft_nutmeg == false)
The non-standard sizeof(bool) in the legacy C is 4 bytes. Look for the bool definition in the legacy sources. It may be typedef int bool or #define bool int.
C++ bool is a keyword and sizeof(bool) is 1.
C99 bool is defined in stdbool.h, is an alias of _Bool and likely has size 1 also.
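As an added example (not code from Spice3f5 or from either poster): a compile-time guard for the header the C and C++ units share, plus a constructed 4-byte image of the data segment showing what the legacy 4-byte load sees next to the 1-byte C++ global. The byte values, the offset and the function names are constructed for the demo.

```c
#include <stdbool.h>   /* C99 bool: alias of _Bool, sizeof == 1, same as C++ bool */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Guard for the header the C and C++ translation units share: the build
 * fails if the C side still sees a 4-byte bool (typedef int bool / #define
 * bool int) instead of the 1-byte type the C++ side defines the globals with. */
_Static_assert(sizeof(bool) == 1, "bool must be 1 byte to match the C++ globals");

/* Constructed image of the data segment as the C++ side lays it out: ft_nutmeg
 * is one byte holding 1 (true); the three bytes after it belong to whatever the
 * linker placed next and are deliberately non-zero here. */
static const uint8_t data_segment[] = { 0x01, 0x00, 0x01, 0x01 };
enum { FT_NUTMEG_OFFSET = 0 };

/* The load a TU compiled with "typedef int bool" performs: 4 bytes from a
 * 1-byte object. memcpy stands in for the direct load so the demo stays
 * defined behaviour; in the real code this is the 4-byte READ ASan reports. */
int legacy_read_ft_nutmeg(const uint8_t *seg) {
    int v;
    memcpy(&v, seg + FT_NUTMEG_OFFSET, sizeof v);
    return v;
}

/* The same load once bool is the 1-byte C99/C++ type. */
bool c99_read_ft_nutmeg(const uint8_t *seg) {
    bool v;
    memcpy(&v, seg + FT_NUTMEG_OFFSET, sizeof v);
    return v;
}

/* "if (ft_nutmeg == true)" as each side evaluates it: 1 means branch taken. */
int legacy_is_true(const uint8_t *seg) { return legacy_read_ft_nutmeg(seg) == 1; }
int c99_is_true(const uint8_t *seg)    { return c99_read_ft_nutmeg(seg) == true; }

int main(void) {
    /* The 4-byte view picks up the neighbouring bytes, so a flag that is
     * genuinely true compares unequal to 1 and the branch is silently skipped. */
    printf("legacy int view : 0x%08x -> == true? %d\n",
           (unsigned)legacy_read_ft_nutmeg(data_segment), legacy_is_true(data_segment));
    printf("C99 bool view   : %d -> == true? %d\n",
           (int)c99_read_ft_nutmeg(data_segment), c99_is_true(data_segment));
    return 0;
}
```

Without ASan the overrun read is silent, which is why the mismatched width shows up as flags that mysteriously test false rather than as a crash.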