From: Jason Merrill <jason@redhat.com>
To: Jakub Jelinek <jakub@redhat.com>
Cc: gcc-patches@gcc.gnu.org
Subject: Re: [PATCH RFA] ubsan: do return check with -fsanitize=unreachable
Date: Wed, 29 Jun 2022 12:42:04 -0400 [thread overview]
Message-ID: <162bc331-56a6-ed11-872a-658235611ce2@redhat.com> (raw)
In-Reply-To: <YrnQXQny8UAKkPrZ@tucnak>
On 6/27/22 11:44, Jakub Jelinek wrote:
> On Wed, Jun 22, 2022 at 12:04:59AM -0400, Jason Merrill wrote:
>> On 6/20/22 16:16, Jason Merrill wrote:
>>> On 6/20/22 07:05, Jakub Jelinek wrote:
>>>> On Fri, Jun 17, 2022 at 05:20:02PM -0400, Jason Merrill wrote:
>>>>> Related to PR104642, the current situation where we get less
>>>>> return checking
>>>>> with just -fsanitize=unreachable than no sanitize flags seems
>>>>> undesirable; I
>>>>> propose that we do return checking when -fsanitize=unreachable.
>>>>
>>>> __builtin_unreachable itself (unless turned into trap or
>>>> __ubsan_handle_builtin_unreachable) is not any kind of return
>>>> checking, it
>>>> is just an optimization.
>>>
>>> Yes, but I'm talking about "when -fsanitize=unreachable".
>
> The usual case is that people just use -fsanitize=undefined
> and get both return and unreachable sanitization, for fall through
> into end of functions returning non-void done through return sanitization.
>
> In the rare case people use something different like
> -fsanitize=undefined -fno-sanitize=return
> or
> -fsanitize=unreachable
> etc., they presumably don't want the fall through from end of function
> diagnosed at runtime.
I disagree with this assumption for the second case; it seems much more
likely to me that the user just wasn't thinking about needing to also
mention return. Missing return is a logical subset of unreachable; if
we sanitize all the other __builtin_unreachable introduced by the
compiler, why in the world would we want to leave out this one that is
such a frequent error?
Full -fsanitize=undefined is much higher overhead than just
-fsanitize=unreachable, which introduces no extra checks. And adding
return checking to unreachable is essentially zero overhead. I can't
imagine any reason to want to check unreachable points EXCEPT for
missing return.
> I think the behavior we want is:
> 1) -fsanitize=return is on -> use ubsan_instrument_return
> (__ubsan_missing_return_data or __builtin_trap depending on
> -fsanitize-trap=return); otherwise
> 2) -funreachable-traps is on (from -O0/-Og by default or explicit),
> emit __builtin_trap; otherwise
> 3) -fsanitize=unreachable is on, not emit anything (__builtin_unreachable
> would be just an optimization, but user asked not to instrument returns,
> only unreachable, so honor user's decision and avoid confusion); otherwise > 4) -O0 is on, not emit anything (__builtin_unreachable wouldn't be much
> of an optimization, just surprising and hard to debug effect); otherwise
> 5) emit __builtin_unreachable
>
> Current trunk with your PR104642 fix in implements 1), will do 2)
> only if -fsanitize=unreachable is not on, will do 3), will do 4) and 5).
>
> So, I'd change cp-gimplify.cc (cp_maybe_instrument_return), change:
> if (!sanitize_flags_p (SANITIZE_RETURN, fndecl)
> && ((!optimize && !flag_unreachable_traps)
> || sanitize_flags_p (SANITIZE_UNREACHABLE, fndecl)))
> return;
> to
> if (!sanitize_flags_p (SANITIZE_RETURN, fndecl)
> && !flag_unreachable_traps
> && (!optimize || sanitize_flags_p (SANITIZE_UNREACHABLE, fndecl)))
> return;
> and
> if (sanitize_flags_p (SANITIZE_RETURN, fndecl))
> t = ubsan_instrument_return (loc);
> else
> t = build_builtin_unreachable (BUILTINS_LOCATION);
> to
> if (sanitize_flags_p (SANITIZE_RETURN, fndecl))
> t = ubsan_instrument_return (loc);
> else if (flag_unreachable_traps)
> t = build_call_expr_loc (BUILTINS_LOCATION,
> builtin_decl_explicit (BUILT_IN_TRAP), 0);
> else
> t = build_builtin_unreachable (BUILTINS_LOCATION);
>
> Jakub
>
next prev parent reply other threads:[~2022-06-29 16:42 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-17 21:20 Jason Merrill
2022-06-20 11:05 ` Jakub Jelinek
2022-06-20 20:16 ` Jason Merrill
2022-06-22 4:04 ` Jason Merrill
2022-06-24 14:26 ` Jason Merrill
2022-06-27 15:44 ` Jakub Jelinek
2022-06-29 16:42 ` Jason Merrill [this message]
2022-06-29 17:26 ` Jakub Jelinek
2022-07-05 20:54 ` Jason Merrill
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=162bc331-56a6-ed11-872a-658235611ce2@redhat.com \
--to=jason@redhat.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=jakub@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).