[AddressSanitizer] Missed the out-of-bounds access to tentative array

[XChy]

Testcase:

int a[];
int b[7][10][3];
int main() {
  int *d = &a[8];
  *d = 0;
}

I met this case when I reduced the miscompilation cases with creduce and sanitizers. Both GCC and Clang treat a as a single-element array.
However, GCC sanitizer reports such a kind of out-of-bounds access, while Clang doesn't.

Godbolt link: https://godbolt.org/z/rhdnaaTf9

[AdvenamTacet]

Hi, thanks for the report! I believe it works as expected. ASan only checks the address you access (there is no bound check; bound check is part of libc++ hardening), and a[8] in that case is after the red zone (poisoned area between buffers). Different compilers may have different red zone sizes.

If you change a[8] to a[2], incorrect access is detected: https://godbolt.org/z/MP819bcdG (notice that I had to change the flag for clang, as in your link memory sanitizer is used and not ASan).

[firewave]

UBSAN detects it with both compilers if you enable optimizations

/app/example.c:5:3: runtime error: store to address 0x5621f1610e50 with insufficient space for an object of type 'int'
0x5621f1610e50: note: pointer points here
 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
              ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /app/example.c:5:3 

https://godbolt.org/z/6dKPdz5K4