
[BOUNDS]: invalid container_of/offsetof not detected (heap + stack), even with --ct-shadow-aggressive #13

@SizzleUnrlsd


Context

Accesses through a base reconstructed with offsetof can yield an incorrect base.
The bounds pass forwards this base to the runtime, which fails to find the allocation and emits no error.

Repro (heap)

ct_bounds_offsefof_stack.c
ct_bounds_offsefof_heap.c

Build:

./cc --instrument --ct-bounds --ct-alloc --ct-shadow-aggressive -o bad_base test/ct_bounds_offsefof_stack.c

Current behavior

No error, even with --ct-shadow-aggressive.
Typical trace: illegal accesses but no report (see provided log).

Root cause

•	resolveBasePointer() does not reconstruct provenance when the pointer is derived via arithmetic (ptrtoint/inttoptr).
•	__ct_check_bounds performs a lookup using an incorrect base → lookup failure.
•	In aggressive mode, ct_table_lookup_containing(ptr) fails if ptr is outside any allocation.

Expected behavior

•	Heap: report the OOB even if the base passed in is incorrect.
•	Stack: report the OOB (no stack tracking today).

Implementation ideas

•	Bounds pass: preserve heap provenance across ptrtoint/inttoptr.
•	Detect the pattern inttoptr(ptrtoint(P) +/- C) and use P (or its base).
•	Runtime: optionally add an “unknown provenance” mode to report an access outside shadow when the base is invalid (watch out for stack/globals false positives).
•	Stack: instrument alloca (stack region table or local shadow).
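The following is an added illustration of the failure mode and of the "use P (or its base)" idea described above; it is not the project's runtime or pass. The names `alloc_rec`, `reg_alloc`, `lookup_containing`, `check_naive` and `check_prov` are hypothetical stand-ins for an instrumented allocator and its bounds check. A standalone `struct inner` is treated as if it were embedded in a `struct outer`; the reconstructed base lies before the allocation, so a lookup on that base finds nothing and reports nothing, while a lookup on the original pointer `in` finds the allocation and flags the read of `outer->a`. Only addresses are computed, nothing out of bounds is dereferenced.

```c
/* Toy model of provenance-aware bounds checking for container_of-style
 * pointer reconstruction. Added illustration; all names below are
 * hypothetical and not the project's runtime API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum verdict { V_OK = 0, V_OOB = 1, V_UNKNOWN = 2 };

typedef struct { uintptr_t base; size_t size; } alloc_rec;
static alloc_rec g_table[16];
static int g_count;

/* Record a heap allocation (what an instrumented malloc would do). */
static void reg_alloc(const void *p, size_t size) {
    if (g_count < 16) {
        g_table[g_count].base = (uintptr_t)p;
        g_table[g_count].size = size;
        g_count++;
    }
}

/* Find the allocation whose [base, base+size) contains addr, or NULL. */
static const alloc_rec *lookup_containing(uintptr_t addr) {
    for (int i = 0; i < g_count; i++)
        if (addr >= g_table[i].base && addr < g_table[i].base + g_table[i].size)
            return &g_table[i];
    return NULL;
}

/* Is [addr, addr+len) inside rec? No record means no verdict at all. */
static enum verdict in_range(const alloc_rec *rec, uintptr_t addr, size_t len) {
    if (!rec) return V_UNKNOWN;
    return (addr >= rec->base && addr + len <= rec->base + rec->size) ? V_OK : V_OOB;
}

/* Naive check: the base handed over by the pass is looked up directly.
 * If that base itself lies outside every allocation, nothing is reported. */
static enum verdict check_naive(uintptr_t base, uintptr_t addr, size_t len) {
    return in_range(lookup_containing(base), addr, len);
}

/* Provenance-aware check: the pass recognised inttoptr(ptrtoint(P) - C)
 * and hands over P; the allocation is found via P and the derived
 * address is checked against it. */
static enum verdict check_prov(uintptr_t prov, uintptr_t addr, size_t len) {
    return in_range(lookup_containing(prov), addr, len);
}

struct inner { int x; };
struct outer { int a; struct inner in; char tail[8]; };

/* container_of on integers, so no out-of-bounds pointer is ever formed. */
#define CONTAINER_OF_ADDR(ptr, type, member) ((uintptr_t)(ptr) - offsetof(type, member))

/* Heap: a standalone struct inner is wrongly treated as embedded in an outer.
 * The reconstructed base lies before the allocation. Returns the verdicts
 * of both checks for a 4-byte read of outer->a. */
static void heap_bad_base_scenario(enum verdict *naive, enum verdict *prov) {
    struct inner *in = malloc(sizeof *in);
    reg_alloc(in, sizeof *in);
    uintptr_t o = CONTAINER_OF_ADDR(in, struct outer, in);   /* bad base */
    uintptr_t a = o + offsetof(struct outer, a);
    *naive = check_naive(o, a, sizeof(int));            /* base not found: silent */
    *prov  = check_prov((uintptr_t)in, a, sizeof(int)); /* found via P: OOB */
    free(in);
}

/* Control: inner really is embedded in a heap outer; both checks pass. */
static void heap_embedded_scenario(enum verdict *naive, enum verdict *prov) {
    struct outer *out = malloc(sizeof *out);
    reg_alloc(out, sizeof *out);
    struct inner *in = &out->in;
    uintptr_t o = CONTAINER_OF_ADDR(in, struct outer, in);
    uintptr_t a = o + offsetof(struct outer, a);
    *naive = check_naive(o, a, sizeof(int));
    *prov  = check_prov((uintptr_t)in, a, sizeof(int));
    free(out);
}

/* Stack: nothing registers locals, so even the provenance-aware check has
 * no verdict. This is the "no stack tracking today" case. */
static enum verdict stack_scenario(void) {
    struct inner local;
    uintptr_t o = CONTAINER_OF_ADDR(&local, struct outer, in);
    uintptr_t a = o + offsetof(struct outer, a);
    return check_prov((uintptr_t)&local, a, sizeof(int));
}

int main(void) {
    enum verdict n, p;
    heap_bad_base_scenario(&n, &p);
    printf("heap bad base: naive=%d prov=%d\n", n, p);
    heap_embedded_scenario(&n, &p);
    printf("heap embedded: naive=%d prov=%d\n", n, p);
    printf("stack: prov=%d\n", stack_scenario());
    return 0;
}
```

The `V_UNKNOWN` verdicts are where an optional "unknown provenance" reporting mode would fire; as the last implementation idea notes, doing so blindly would also fire for unregistered stack and global objects, which is exactly what `stack_scenario` shows.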

Labels

enhancement: New feature or request