public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug sanitizer/109050] New: UBsan failed to detect out-of-bound at -O0/1/2/s
@ 2023-03-07 8:51 shaohua.li at inf dot ethz.ch
2023-03-07 14:30 ` [Bug sanitizer/109050] " marxin at gcc dot gnu.org
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: shaohua.li at inf dot ethz.ch @ 2023-03-07 8:51 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109050
Bug ID: 109050
Summary: UBsan failed to detect out-of-bound at -O0/1/2/s
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: shaohua.li at inf dot ethz.ch
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
For the following code, UBsan failed to detect the out-of-bound access at all
opt levels. Clang can detect it at all opt levels.
Compiler explorer: https://godbolt.org/z/TK35hvPrK
% cat a.c
long a;
int b;
int main() {
int c[4]={0, 1, 2, 3};
a = 0;
for (; a <= 2; a++)
c[a - 9806816] |= b;
}
%
% gcc-tk -O0 -fsanitize=undefined a.c && ./a.out
%
% gcc-tk -O1 -fsanitize=undefined a.c && ./a.out
%
% clang -O1 -fsanitize=undefined a.c && ./a.out
/a.c:7:5: runtime error: index -9806816 out of bounds for type 'int[4]'
...
% gcc-tk -v
Using built-in specs.
COLLECT_GCC=gcc-tk
COLLECT_LTO_WRAPPER=/zdata/shaoli/compilers/ccbuilder-compilers/gcc-7e9dd9de169034810b92d47bf78284db731fa5da/libexec/gcc/x86_64-pc-linux-gnu/13.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ../configure --disable-multilib --disable-bootstrap
--enable-languages=c,c++
--prefix=/zdata/shaoli/compilers/ccbuilder-compilers/gcc-7e9dd9de169034810b92d47bf78284db731fa5da
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 13.0.1 20230221 (experimental) (GCC)
%
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug sanitizer/109050] UBsan failed to detect out-of-bound at -O0/1/2/s
2023-03-07 8:51 [Bug sanitizer/109050] New: UBsan failed to detect out-of-bound at -O0/1/2/s shaohua.li at inf dot ethz.ch
@ 2023-03-07 14:30 ` marxin at gcc dot gnu.org
2023-03-10 18:25 ` cvs-commit at gcc dot gnu.org
2023-03-15 18:35 ` cvs-commit at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: marxin at gcc dot gnu.org @ 2023-03-07 14:30 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109050
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |DUPLICATE
--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
I'm pretty sure it's a dup of PR108060.
*** This bug has been marked as a duplicate of bug 108060 ***
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug sanitizer/109050] UBsan failed to detect out-of-bound at -O0/1/2/s
2023-03-07 8:51 [Bug sanitizer/109050] New: UBsan failed to detect out-of-bound at -O0/1/2/s shaohua.li at inf dot ethz.ch
2023-03-07 14:30 ` [Bug sanitizer/109050] " marxin at gcc dot gnu.org
@ 2023-03-10 18:25 ` cvs-commit at gcc dot gnu.org
2023-03-15 18:35 ` cvs-commit at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-03-10 18:25 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109050
--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The trunk branch has been updated by Marek Polacek <mpolacek@gcc.gnu.org>:
https://gcc.gnu.org/g:4d0baeae315ebe7d0ec7682ea3e7c0516027c2b8
commit r13-6593-g4d0baeae315ebe7d0ec7682ea3e7c0516027c2b8
Author: Marek Polacek <polacek@redhat.com>
Date: Wed Mar 8 09:15:07 2023 -0500
ubsan: missed -fsanitize=bounds for compound ops [PR108060]
In this PR we are dealing with a missing .UBSAN_BOUNDS, so the
out-of-bounds access in the test makes the program crash before
a UBSan diagnostic was emitted. In C and C++, c_genericize gets
a[b] = a[b] | c;
but in C, both a[b] are one identical shared tree (not in C++ because
cp_fold/ARRAY_REF created two same but not identical trees). Since
ubsan_walk_array_refs_r keeps a pset, in C we produce
a[.UBSAN_BOUNDS (0B, SAVE_EXPR <b>, 8);, SAVE_EXPR <b>;] = a[b] | c;
because the LHS is walked before the RHS.
Since r7-1900, we gimplify the RHS before the LHS. So the statement above
gets gimplified into
_1 = a[b];
c.0_2 = c;
b.1 = b;
.UBSAN_BOUNDS (0B, b.1, 8);
With this patch we produce:
a[b] = a[.UBSAN_BOUNDS (0B, SAVE_EXPR <b>, 8);, SAVE_EXPR <b>;] | c;
which gets gimplified into:
b.0 = b;
.UBSAN_BOUNDS (0B, b.0, 8);
_1 = a[b.0];
therefore we emit a runtime error before making the bad array access.
I think it's OK that only the RHS gets a .UBSAN_BOUNDS, as in few lines
above: the instrumented array access dominates the array access on the
LHS, and I've verified that
b = 0;
a[b] = (a[b], b = -32768, a[0] | c);
works as expected: the inner a[b] is OK but we do emit an error for the
a[b] on the LHS.
For GCC 14, we could apply
<https://gcc.gnu.org/pipermail/gcc-patches/2023-March/613687.html>
since the copy_node doesn't seem to be needed.
PR sanitizer/108060
PR sanitizer/109050
gcc/c-family/ChangeLog:
* c-gimplify.cc (ubsan_walk_array_refs_r): For a MODIFY_EXPR,
instrument
the RHS before the LHS.
gcc/testsuite/ChangeLog:
* c-c++-common/ubsan/bounds-17.c: New test.
* c-c++-common/ubsan/bounds-18.c: New test.
* c-c++-common/ubsan/bounds-19.c: New test.
* c-c++-common/ubsan/bounds-20.c: New test.
* c-c++-common/ubsan/bounds-21.c: New test.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug sanitizer/109050] UBsan failed to detect out-of-bound at -O0/1/2/s
2023-03-07 8:51 [Bug sanitizer/109050] New: UBsan failed to detect out-of-bound at -O0/1/2/s shaohua.li at inf dot ethz.ch
2023-03-07 14:30 ` [Bug sanitizer/109050] " marxin at gcc dot gnu.org
2023-03-10 18:25 ` cvs-commit at gcc dot gnu.org
@ 2023-03-15 18:35 ` cvs-commit at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-03-15 18:35 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109050
--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-12 branch has been updated by Marek Polacek
<mpolacek@gcc.gnu.org>:
https://gcc.gnu.org/g:94af33aa4da07269cb4a6645da9f7ddf8d1bad69
commit r12-9264-g94af33aa4da07269cb4a6645da9f7ddf8d1bad69
Author: Marek Polacek <polacek@redhat.com>
Date: Wed Mar 8 09:15:07 2023 -0500
ubsan: missed -fsanitize=bounds for compound ops [PR108060]
In this PR we are dealing with a missing .UBSAN_BOUNDS, so the
out-of-bounds access in the test makes the program crash before
a UBSan diagnostic was emitted. In C and C++, c_genericize gets
a[b] = a[b] | c;
but in C, both a[b] are one identical shared tree (not in C++ because
cp_fold/ARRAY_REF created two same but not identical trees). Since
ubsan_walk_array_refs_r keeps a pset, in C we produce
a[.UBSAN_BOUNDS (0B, SAVE_EXPR <b>, 8);, SAVE_EXPR <b>;] = a[b] | c;
because the LHS is walked before the RHS.
Since r7-1900, we gimplify the RHS before the LHS. So the statement above
gets gimplified into
_1 = a[b];
c.0_2 = c;
b.1 = b;
.UBSAN_BOUNDS (0B, b.1, 8);
With this patch we produce:
a[b] = a[.UBSAN_BOUNDS (0B, SAVE_EXPR <b>, 8);, SAVE_EXPR <b>;] | c;
which gets gimplified into:
b.0 = b;
.UBSAN_BOUNDS (0B, b.0, 8);
_1 = a[b.0];
therefore we emit a runtime error before making the bad array access.
I think it's OK that only the RHS gets a .UBSAN_BOUNDS, as in few lines
above: the instrumented array access dominates the array access on the
LHS, and I've verified that
b = 0;
a[b] = (a[b], b = -32768, a[0] | c);
works as expected: the inner a[b] is OK but we do emit an error for the
a[b] on the LHS.
For GCC 14, we could apply
<https://gcc.gnu.org/pipermail/gcc-patches/2023-March/613687.html>
since the copy_node doesn't seem to be needed.
PR sanitizer/108060
PR sanitizer/109050
gcc/c-family/ChangeLog:
* c-gimplify.cc (ubsan_walk_array_refs_r): For a MODIFY_EXPR,
instrument
the RHS before the LHS.
gcc/testsuite/ChangeLog:
* c-c++-common/ubsan/bounds-17.c: New test.
* c-c++-common/ubsan/bounds-18.c: New test.
* c-c++-common/ubsan/bounds-19.c: New test.
* c-c++-common/ubsan/bounds-20.c: New test.
* c-c++-common/ubsan/bounds-21.c: New test.
(cherry picked from commit 4d0baeae315ebe7d0ec7682ea3e7c0516027c2b8)
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-03-15 18:35 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-07 8:51 [Bug sanitizer/109050] New: UBsan failed to detect out-of-bound at -O0/1/2/s shaohua.li at inf dot ethz.ch
2023-03-07 14:30 ` [Bug sanitizer/109050] " marxin at gcc dot gnu.org
2023-03-10 18:25 ` cvs-commit at gcc dot gnu.org
2023-03-15 18:35 ` cvs-commit at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).