[Bug sanitizer/109050] New: UBsan failed to detect out-of-bound at -O0/1/2/s

[Bug sanitizer/109050] New: UBsan failed to detect out-of-bound at -O0/1/2/s

[shaohua.li at inf dot ethz.ch]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109050

            Bug ID: 109050
           Summary: UBsan failed to detect out-of-bound at -O0/1/2/s
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: shaohua.li at inf dot ethz.ch
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

For the following code, UBsan failed to detect the out-of-bound access at all
opt levels. Clang can detect it at all opt levels.

Compiler explorer: https://godbolt.org/z/TK35hvPrK

% cat a.c
long a;
int b;
int main() {
  int c[4]={0, 1, 2, 3};
  a = 0;
  for (; a <= 2; a++)
    c[a - 9806816] |= b;
}
%
% gcc-tk -O0 -fsanitize=undefined a.c && ./a.out
%
% gcc-tk -O1 -fsanitize=undefined a.c && ./a.out
%
% clang -O1 -fsanitize=undefined a.c && ./a.out
/a.c:7:5: runtime error: index -9806816 out of bounds for type 'int[4]'
...
% gcc-tk -v
Using built-in specs.
COLLECT_GCC=gcc-tk
COLLECT_LTO_WRAPPER=/zdata/shaoli/compilers/ccbuilder-compilers/gcc-7e9dd9de169034810b92d47bf78284db731fa5da/libexec/gcc/x86_64-pc-linux-gnu/13.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ../configure --disable-multilib --disable-bootstrap
--enable-languages=c,c++
--prefix=/zdata/shaoli/compilers/ccbuilder-compilers/gcc-7e9dd9de169034810b92d47bf78284db731fa5da
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 13.0.1 20230221 (experimental) (GCC)
%

[Bug sanitizer/109050] UBsan failed to detect out-of-bound at -O0/1/2/s

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109050

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
I'm pretty sure it's a dup of PR108060.

*** This bug has been marked as a duplicate of bug 108060 ***

[Bug sanitizer/109050] UBsan failed to detect out-of-bound at -O0/1/2/s

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109050

--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The trunk branch has been updated by Marek Polacek <mpolacek@gcc.gnu.org>:

https://gcc.gnu.org/g:4d0baeae315ebe7d0ec7682ea3e7c0516027c2b8

commit r13-6593-g4d0baeae315ebe7d0ec7682ea3e7c0516027c2b8
Author: Marek Polacek <polacek@redhat.com>
Date:   Wed Mar 8 09:15:07 2023 -0500

    ubsan: missed -fsanitize=bounds for compound ops [PR108060]

    In this PR we are dealing with a missing .UBSAN_BOUNDS, so the
    out-of-bounds access in the test makes the program crash before
    a UBSan diagnostic was emitted.  In C and C++, c_genericize gets

      a[b] = a[b] | c;

    but in C, both a[b] are one identical shared tree (not in C++ because
    cp_fold/ARRAY_REF created two same but not identical trees).  Since
    ubsan_walk_array_refs_r keeps a pset, in C we produce

      a[.UBSAN_BOUNDS (0B, SAVE_EXPR <b>, 8);, SAVE_EXPR <b>;] = a[b] | c;

    because the LHS is walked before the RHS.

    Since r7-1900, we gimplify the RHS before the LHS.  So the statement above
    gets gimplified into

        _1 = a[b];
        c.0_2 = c;
        b.1 = b;
        .UBSAN_BOUNDS (0B, b.1, 8);

    With this patch we produce:

      a[b] = a[.UBSAN_BOUNDS (0B, SAVE_EXPR <b>, 8);, SAVE_EXPR <b>;] | c;

    which gets gimplified into:

        b.0 = b;
        .UBSAN_BOUNDS (0B, b.0, 8);
        _1 = a[b.0];

    therefore we emit a runtime error before making the bad array access.

    I think it's OK that only the RHS gets a .UBSAN_BOUNDS, as in few lines
    above: the instrumented array access dominates the array access on the
    LHS, and I've verified that

      b = 0;
      a[b] = (a[b], b = -32768, a[0] | c);

    works as expected: the inner a[b] is OK but we do emit an error for the
    a[b] on the LHS.

    For GCC 14, we could apply
    <https://gcc.gnu.org/pipermail/gcc-patches/2023-March/613687.html>
    since the copy_node doesn't seem to be needed.

            PR sanitizer/108060
            PR sanitizer/109050

    gcc/c-family/ChangeLog:

            * c-gimplify.cc (ubsan_walk_array_refs_r): For a MODIFY_EXPR,
instrument
            the RHS before the LHS.

    gcc/testsuite/ChangeLog:

            * c-c++-common/ubsan/bounds-17.c: New test.
            * c-c++-common/ubsan/bounds-18.c: New test.
            * c-c++-common/ubsan/bounds-19.c: New test.
            * c-c++-common/ubsan/bounds-20.c: New test.
            * c-c++-common/ubsan/bounds-21.c: New test.

[Bug sanitizer/109050] UBsan failed to detect out-of-bound at -O0/1/2/s

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109050

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-12 branch has been updated by Marek Polacek
<mpolacek@gcc.gnu.org>:

https://gcc.gnu.org/g:94af33aa4da07269cb4a6645da9f7ddf8d1bad69

commit r12-9264-g94af33aa4da07269cb4a6645da9f7ddf8d1bad69
Author: Marek Polacek <polacek@redhat.com>
Date:   Wed Mar 8 09:15:07 2023 -0500

    ubsan: missed -fsanitize=bounds for compound ops [PR108060]

    In this PR we are dealing with a missing .UBSAN_BOUNDS, so the
    out-of-bounds access in the test makes the program crash before
    a UBSan diagnostic was emitted.  In C and C++, c_genericize gets

      a[b] = a[b] | c;

    but in C, both a[b] are one identical shared tree (not in C++ because
    cp_fold/ARRAY_REF created two same but not identical trees).  Since
    ubsan_walk_array_refs_r keeps a pset, in C we produce

      a[.UBSAN_BOUNDS (0B, SAVE_EXPR <b>, 8);, SAVE_EXPR <b>;] = a[b] | c;

    because the LHS is walked before the RHS.

    Since r7-1900, we gimplify the RHS before the LHS.  So the statement above
    gets gimplified into

        _1 = a[b];
        c.0_2 = c;
        b.1 = b;
        .UBSAN_BOUNDS (0B, b.1, 8);

    With this patch we produce:

      a[b] = a[.UBSAN_BOUNDS (0B, SAVE_EXPR <b>, 8);, SAVE_EXPR <b>;] | c;

    which gets gimplified into:

        b.0 = b;
        .UBSAN_BOUNDS (0B, b.0, 8);
        _1 = a[b.0];

    therefore we emit a runtime error before making the bad array access.

    I think it's OK that only the RHS gets a .UBSAN_BOUNDS, as in few lines
    above: the instrumented array access dominates the array access on the
    LHS, and I've verified that

      b = 0;
      a[b] = (a[b], b = -32768, a[0] | c);

    works as expected: the inner a[b] is OK but we do emit an error for the
    a[b] on the LHS.

    For GCC 14, we could apply
    <https://gcc.gnu.org/pipermail/gcc-patches/2023-March/613687.html>
    since the copy_node doesn't seem to be needed.

            PR sanitizer/108060
            PR sanitizer/109050

    gcc/c-family/ChangeLog:

            * c-gimplify.cc (ubsan_walk_array_refs_r): For a MODIFY_EXPR,
instrument
            the RHS before the LHS.

    gcc/testsuite/ChangeLog:

            * c-c++-common/ubsan/bounds-17.c: New test.
            * c-c++-common/ubsan/bounds-18.c: New test.
            * c-c++-common/ubsan/bounds-19.c: New test.
            * c-c++-common/ubsan/bounds-20.c: New test.
            * c-c++-common/ubsan/bounds-21.c: New test.

    (cherry picked from commit 4d0baeae315ebe7d0ec7682ea3e7c0516027c2b8)