exp-sgcheck is not detecting stack overruns either for me

Reproducible: Always

Steps to Reproduce:

-bash-4.1$ cat t.c
int stat[5];
int main(void)
{
    int stack[5];
    stat[12] = 0;
    stack [12] = 0;
    return 0;
}
-bash-4.1$ gcc -g -o t t.c
-bash-4.1$ /sw/valgrind/valgrind-3.11.0/bin/valgrind --tool=exp-sgcheck ./t

Actual Results:

==3004== exp-sgcheck, a stack and global array overrun detector
==3004== NOTE: This is an Experimental-Class Valgrind Tool
==3004== Copyright (C) 2003-2015, and GNU GPL'd, by OpenWorks Ltd et al.
==3004== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==3004== Command: ./t
==3004==
==3004==
==3004== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
-bash-4.1$

Expected Results:

Any error message with details.
Most likely the compiler optimized out the "stack" array accesses. Please double check.
-bash-4.1$ cat t.c
int stat[5];
int main(void)
{
    int stack[5];
    stat[48] = 111;
    stack [48] = 1;
    return stat[48];
}
-bash-4.1$ gcc -O0 -g -o t t.c
-bash-4.1$ /sw/valgrind/valgrind-3.11.0/bin/valgrind --tool=exp-sgcheck ./t
==49197== exp-sgcheck, a stack and global array overrun detector
==49197== NOTE: This is an Experimental-Class Valgrind Tool
==49197== Copyright (C) 2003-2015, and GNU GPL'd, by OpenWorks Ltd et al.
==49197== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==49197== Command: ./t
==49197==
==49197==
==49197== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
-bash-4.1$ echo $?
111
-bash-4.1$
Also:

-bash-4.1$ gdb ./t
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-83.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/e154466/valgrind/t...done.
(gdb) break t.c:1
Breakpoint 1 at 0x400478: file t.c, line 1.
(gdb) run
Starting program: /home/e154466/valgrind/t

Breakpoint 1, main () at t.c:7
7           stat[48] = 111;
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.166.el6_7.3.x86_64
(gdb) s
8           stack [48] = 1;
(gdb) p stat[48]
$1 = 111
(gdb)
Please (re-)read the user manual about sgcheck, in particular the sections "11.3. How SGCheck Works" and "11.5. Limitations". That should (clearly?) explain why nothing is reported for your example (false negative). If the manual is not clear, please re-open a bug, e.g. suggesting what to add to make it more clear.
Sorry. I indeed missed that. But why does the next one also not trigger any error message?

-bash-4.1$ cat t.c
int main(int c, char **o)
{
    int stack[2];
    stack[0] = c;
    stack[1] = c++;
    stack[2] = c++;
    return stack[2];
}
-bash-4.1$ gcc -O0 -ggdb -o t t.c
-bash-4.1$ /sw/valgrind/valgrind-3.11.0/bin/valgrind --tool=exp-sgcheck ./t s f a aa
==36489== exp-sgcheck, a stack and global array overrun detector
==36489== NOTE: This is an Experimental-Class Valgrind Tool
==36489== Copyright (C) 2003-2015, and GNU GPL'd, by OpenWorks Ltd et al.
==36489== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==36489== Command: ./t s f a aa
==36489==
==36489==
==36489== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
-bash-4.1$ echo $?
6
-bash-4.1$

Am I still missing something?
(In reply to Sergey Meirovich from comment #5)
> Sorry. I indeed missed that. But why next also doesn't trigger any error
> message?
>
> -bash-4.1$ cat t.c
> int main(int c, char **o)
> {
>     int stack[2];
>     stack[0] = c;
>     stack[1] = c++;
>     stack[2] = c++;
>     return stack[2];
> }

exp-sgcheck associates (for each function call) each instruction with the first array accessed by this instruction. It then checks that (during the same function call) this instruction continues to access the same array (and within the array bounds).

So, basically, this means that exp-sgcheck will only detect array over- or under-runs in loops. It will never detect an over/under-run on instructions executed only once (either because they are not in a loop, or because the loop is executed once).

All these limitations derive from the fact that exp-sgcheck works at the binary level. It has to discover which array is accessed by an instruction 'at run time'.
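The explanation above says exp-sgcheck binds a store instruction to the first array it touches and then watches whether later executions of that same instruction leave it. As an added example (my code, not from the bug report or from Valgrind), here are the reporter's two overruns rewritten so that the store sits in a loop and therefore executes more than once; the size N, the function names and the global_array name are my choices.

```c
#include <stdio.h>
#include <stdlib.h>

/* Array size chosen for this example (assumption, not from the report). */
#define N 5

/* Hypothetical global mirroring the reporter's `stat` array. */
int global_array[N];

/* Stores i into global_array[i] for i in 0..count-1 from inside a loop,
   so the single store instruction runs `count` times.  Returns the sum of
   the in-bounds slots so the result can be checked without reading past
   the end.  count > N is the overrun case discussed in the thread. */
int fill_global_array(int count)
{
    for (int i = 0; i < count; i++)
        global_array[i] = i;   /* one instruction, a different offset each time */

    int sum = 0;
    for (int i = 0; i < N && i < count; i++)
        sum += global_array[i];
    return sum;
}

/* Same shape for a local array, mirroring the reporter's `stack`. */
int fill_stack_array(int count)
{
    int stack[N];
    for (int i = 0; i < count; i++)
        stack[i] = i;          /* loop body: the store repeats, unlike stack[48] = 1 */

    int sum = 0;
    for (int i = 0; i < N && i < count; i++)
        sum += stack[i];
    return sum;
}

int main(int argc, char **argv)
{
    /* The default stays in bounds; pass a number larger than N (e.g. 8)
       to make both loops overrun, then run the binary under exp-sgcheck. */
    int count = argc > 1 ? atoi(argv[1]) : N;
    printf("global sum = %d\n", fill_global_array(count));
    printf("stack  sum = %d\n", fill_stack_array(count));
    return 0;
}
```

Build it the way the reporter did (gcc -O0 -g) so the loops and arrays survive, and run it with an argument above N under valgrind --tool=exp-sgcheck. With no argument every store stays inside the array, which is the in-bounds baseline the checks below exercise; the looped form is the one comment #6 describes as detectable, whereas the single-shot stores in the original t.c never execute a second time for the tool to compare against.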
Thanks for the explanation. Could that be concluded by implication from the manual?
(In reply to Sergey Meirovich from comment #7)
> Thanks for the explanation. Is that could be concluded by implication from
> the manual?

IMO, effectively, reading the manual leads to this. But I have in any case added a few sentences to make this even more clear.

Committed revision 15897.