From: Jakub Jelinek
To: gcc-cvs@gcc.gnu.org
Subject: [gcc r12-7917] ubsan: Fix ICE due to -fsanitize=object-size [PR105093]
X-Act-Checkin: gcc
X-Git-Author: Jakub Jelinek
X-Git-Refname: refs/heads/master
X-Git-Oldrev: 387e818cda0ffde86f624228c3da1ab28f453685
X-Git-Newrev: e3e68fa59ead502c24950298b53c637bbe535a74
Message-Id: <20220330085027.8C99A3858403@sourceware.org>
Date: Wed, 30 Mar 2022 08:50:27 +0000 (GMT)
X-BeenThere: gcc-cvs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-cvs mailing list
X-List-Received-Date: Wed, 30 Mar 2022 08:50:27 -0000

https://gcc.gnu.org/g:e3e68fa59ead502c24950298b53c637bbe535a74

commit r12-7917-ge3e68fa59ead502c24950298b53c637bbe535a74
Author: Jakub Jelinek
Date:   Wed Mar 30 10:49:47 2022 +0200

    ubsan: Fix ICE due to -fsanitize=object-size [PR105093]

    The following testcase ICEs, because for a volatile X & RESULT_DECL
    ubsan wants to take address of that reference.
    instrument_object_size is called with x, so the base is equal to
    the access and the var is automatic, so there is no risk of an out
    of bounds access for it.  Normally we wouldn't instrument those
    because we fold address of the t - address of inner to 0, add
    constant size of the decl and it is equal to what
    __builtin_object_size computes.  But the volatile results in the
    subtraction not being folded.

    The first hunk fixes it by punting if we access the whole automatic
    decl, so that even volatile won't cause a problem.

    The second hunk (not strictly needed for this testcase) is similar
    to what has been added to asan.cc recently, if we actually take
    address of a decl and keep it in the IL, we better mark it
    addressable.

    2022-03-30  Jakub Jelinek

            PR sanitizer/105093
            * ubsan.cc (instrument_object_size): If t is equal to inner and
            is a decl other than global var, punt.  When emitting call to
            UBSAN_OBJECT_SIZE ifn, make sure base is addressable.

            * g++.dg/ubsan/pr105093.C: New test.
Diff: --- gcc/testsuite/g++.dg/ubsan/pr105093.C | 12 ++++++++++++ gcc/ubsan.cc | 7 +++++++ 2 files changed, 19 insertions(+) diff --git a/gcc/testsuite/g++.dg/ubsan/pr105093.C b/gcc/testsuite/g++.dg/ubsan/pr105093.C new file mode 100644 index 00000000000..49f75ed69cf --- /dev/null +++ b/gcc/testsuite/g++.dg/ubsan/pr105093.C @@ -0,0 +1,12 @@ +// PR sanitizer/105093 +// { dg-do compile } +// { dg-options "-O2 -fsanitize=undefined -Wno-volatile" } + +struct X { X (); ~X (); }; + +volatile X +foo () +{ + X x; + return x; +} diff --git a/gcc/ubsan.cc b/gcc/ubsan.cc index a858994c841..0f5b372b195 100644 --- a/gcc/ubsan.cc +++ b/gcc/ubsan.cc @@ -2123,6 +2123,8 @@ instrument_object_size (gimple_stmt_iterator *gsi, tree t, bool is_lhs) || TREE_CODE (inner) == RESULT_DECL) && DECL_REGISTER (inner)) return; + if (t == inner && !is_global_var (t)) + return; base = inner; } else if (TREE_CODE (inner) == MEM_REF) @@ -2219,6 +2221,11 @@ instrument_object_size (gimple_stmt_iterator *gsi, tree t, bool is_lhs) } } + if (DECL_P (base) + && decl_function_context (base) == current_function_decl + && !TREE_ADDRESSABLE (base)) + mark_addressable (base); + if (bos_stmt && gimple_call_builtin_p (bos_stmt, BUILT_IN_OBJECT_SIZE)) ubsan_create_edge (bos_stmt);
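Review bot: the new test (gcc/testsuite/g++.dg/ubsan/pr105093.C) passes -Wno-volatile in its dg-options without saying why; a one-line comment noting that the volatile-qualified return type of foo is deprecated in C++20 and would otherwise emit a warning that the compile-only run would count as excess errors would help whoever touches this test next. { dg-do compile } is the right directive since the bug is an ICE; the header comment could also mention that the path being exercised is -fsanitize=object-size, so the intent stays clear if the set of checks implied by -fsanitize=undefined ever changes.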
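Review bot: the early return added in the first ubsan.cc hunk, `if (t == inner && !is_global_var (t)) return;`, has no comment, and the reason it is safe (the access covers the whole automatic decl, so the offset is 0 and the size is exactly what __builtin_object_size would compute, whether or not the volatile-laden subtraction folds) currently lives only in the commit message; a short comment above the check would keep that rationale with the code. Its placement after the `DECL_REGISTER (inner)` punt is fine, since `inner` has already been narrowed to a declaration in that branch, which is what makes `is_global_var (t)` applicable. One question worth a word in the comment: function-local static variables count as global for this test and therefore stay instrumented; if that is intended, say so.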
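Review bot: the `mark_addressable (base)` block in the second ubsan.cc hunk carries no comment tying it to the UBSAN_OBJECT_SIZE call whose ADDR_EXPR of `base` is kept in the IL, so a reader has to guess why a decl is being forced addressable at this point; suggest something like `/* The UBSAN_OBJECT_SIZE call takes the address of BASE, so make sure it is addressable.  */` above the `if (DECL_P (base)` line. The `decl_function_context (base) == current_function_decl` guard also deserves a sentence on why decls belonging to other functions are skipped, since the commit message only says the hunk mirrors a recent asan.cc change rather than explaining the condition itself.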