From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 734843858C56; Sun, 21 Apr 2024 04:09:17 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 734843858C56 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1713672557; bh=6aYIR/KQ3D0pwOh3JTyFcUsPR0QCQqsWgDx7cm+ap2I=; h=From:To:Subject:Date:In-Reply-To:References:From; b=OXUUAQt2WSclIzRKR2A/mVvn10xvLmwOWyMzHRWkMkGpZSPQ62wyNn7mOoHh8EYiD yH4r+UJf4bG+lIBXr2h2Gf5Bd3cbUBepWMDr/p0xR7aE35Djb1Ry5DeJptC8FILUYQ eZWEFSKUZozXowQE7lDFF+GbUUFTZESxROTk77Vg= From: "cvs-commit at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug middle-end/110027] [11/12/13 regression] Stack objects with extended alignments (vectors etc) misaligned on detect_stack_use_after_return Date: Sun, 21 Apr 2024 04:09:10 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: middle-end X-Bugzilla-Version: 13.1.1 X-Bugzilla-Keywords: wrong-code X-Bugzilla-Severity: normal X-Bugzilla-Who: cvs-commit at gcc dot gnu.org X-Bugzilla-Status: ASSIGNED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: jakub at gcc dot gnu.org X-Bugzilla-Target-Milestone: 11.5 X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D110027 --- Comment #24 from GCC Commits --- The releases/gcc-13 branch has been updated by Jakub Jelinek : https://gcc.gnu.org/g:a16d90ec302e588dab5d7d31ccdd7b3fd5c6214e commit r13-8630-ga16d90ec302e588dab5d7d31ccdd7b3fd5c6214e Author: Jakub Jelinek Date: Thu Apr 11 11:12:11 2024 +0200 asan, v3: Fix up handling of > 32 byte aligned variables with -fsanitize=3Daddress -fstack-protector* [PR110027] On Tue, Mar 26, 2024 at 02:08:02PM +0800, liuhongt wrote: > > > So, try to add some other variable with larger size and smaller alignment > > > to the frame (and make sure it isn't optimized away). > > > > > > alignb above is the alignment of the first partition's var, if > > > align_frame_offset really needs to depend on the var alignment, it probably > > > should be the maximum alignment of all the vars with alignment > > > alignb * BITS_PER_UNIT <=3D3D MAX_SUPPORTED_STACK_ALIGNMENT > > > > > In asan_emit_stack_protection, when it allocated fake stack, it assume > bottom of stack is also aligned to alignb. And the place violated this > is the first var partition. which is 32 bytes offsets, it should be > BIGGEST_ALIGNMENT / BITS_PER_UNIT. > So I think we need to use MAX (BIGGEST_ALIGNMENT / > BITS_PER_UNIT, ASAN_RED_ZONE_SIZE) for the first var partition. Your first patch aligned offsets[0] to maximum of alignb and ASAN_RED_ZONE_SIZE. But as I wrote in the reply to that mail, alignb t= here is the alignment of just a single variable which is the first one to ap= pear in the sorted list and is placed in the highest spot in the stack frame. That is not necessarily the largest alignment, the sorting ensures that= it is a variable with the largest size in the frame (and only if several of them have equal size, largest alignment from the same sized ones). Your second patch used maximum of BIGGEST_ALIGNMENT / BITS_PER_UNIT and ASAN_RED_ZONE_SIZE. That doesn't change anything at all when using -mno-avx512f - offsets[0] is still just 32-byte aligned in that case relative to top of frame, just changes the -mavx512f case to be 64-byte aligned offsets[0] (aka offsets[0] is then either 0 or -64 instead of either 0 or -32). That will not help if any variable in the frame needs 128-b= yte, 256-byte, 512-byte ... 4096-byte alignment. If you want to fix the bu= g in the spot you've touched, you'd need to walk all the stack_vars[stack_vars_sorted[si2]] for si2 [si + 1, n - 1] and for those where the loop would do anything (i.e. stack_vars[i2].representative =3D=3D i2 && TREE_CODE (decl2) =3D=3D SSA_NAME ? SA.partition_to_pseudo[var_to_partition (SA.map, decl2)] =3D=3D NU= LL_RTX : DECL_RTL (decl2) =3D=3D pc_rtx and the pred applies (but that means also walking the earlier ones! because with -fstack-protector* the vars can be processed in several ca= lls) and alignb2 * BITS_PER_UNIT <=3D MAX_SUPPORTED_STACK_ALIGNMENT and compute maximum of those alignments. That maximum is already computed, data->asan_alignb =3D MAX (data->asan_alignb, alignb); computes that, but you get the final result only after you do all the expand_stack_vars calls. You'd need to compute it before. Though, that change would be still in the wrong place. The thing is, it would be a waste of the precious stack space when it i= sn't needed at all (e.g. when asan will not at compile time do the use after return checking, or if it won't do it at runtime, or even if it will do= at runtime it will waste the space on the stack). The following patch fixes it solely for the __asan_stack_malloc_N allocations, doesn't enlarge unnecessarily further the actual stack fra= me. Because asan is only supported on FRAME_GROWS_DOWNWARD architectures (mips, rs6000 and xtensa are conditional FRAME_GROWS_DOWNWARD arches, w= hich for -fsanitize=3Daddress or -fstack-protector* use FRAME_GROWS_DOWNWARD= 1, otherwise 0, others supporting asan always just use 1), the assumption = for the dynamic stack realignment is that the top of the stack frame (aka offset 0) is aligned to alignb passed to the function (which is the maximum of alignb of all the vars in the frame). As checked by the assertion in the patc= h, offsets[0] is 0 most of the time and so that assumption is correct, the only case when it is not 0 is if -fstack-protector* is on together with -fsanitize=3Daddress and cfgexpand.cc (create_stack_guard) created a st= ack guard. That is the only variable which is allocated in the stack frame right away, for all others with -fsanitize=3Daddress defer_stack_alloca= tion (or -fstack-protector*) returns true and so they aren't allocated immediately but handled during the frame layout phases. So, the origin= al frame_offset of 0 is changed because of the stack guard to -pointer_size_in_bytes and later at the if (data->asan_vec.is_empty ()) { align_frame_offset (ASAN_RED_ZONE_SIZE); prev_offset =3D frame_offset.to_constant (); } to -ASAN_RED_ZONE_SIZE. The asan_emit_stack_protection code wasn't taking this into account though, so essentially assumed in the __asan_stack_malloc_N allocated memory it needs to align it such that pointer corresponding to offsets[0] is alignb aligned. But that isn't correct if alignb > ASAN_RED_ZONE_SIZE, in that case it needs to ensure that pointer corresponding to frame offset 0 is alignb aligned. The following patch fixes that. Unlike the previous case where we knew that asan_frame_size + base_align_bias falls into the same buck= et as asan_frame_size, this isn't in some cases true anymore, so the patch recomputes which bucket to use and if going to bucket 11 (because there= is no __asan_stack_malloc_11 function in the library) disables the after return sanitization. 2024-04-11 Jakub Jelinek PR middle-end/110027 * asan.cc (asan_emit_stack_protection): Assert offsets[0] is zero if there is no stack protect guard, otherwise -ASAN_RED_ZONE_SIZE. If alignb > ASAN_RED_ZONE_SIZE and there = is stack pointer guard, take the ASAN_RED_ZONE_SIZE bytes allocate= d at the top of the stack into account when computing base_align_bia= s. Recompute use_after_return_class from asan_frame_size + base_align_bias and set to -1 if that would overflow to 11. * gcc.dg/asan/pr110027.c: New test. (cherry picked from commit 467898d513e602f5b5fc4183052217d7e6d6e8ab)=