From: Jason Merrill
To: Marek Polacek , GCC Patches
Subject: Re: [PATCH] c++: ICE with -fsanitize=vptr and constexpr dynamic_cast [PR98103]
Date: Wed, 2 Dec 2020 21:01:48 -0500
Message-ID: <1a4d9b45-e23e-b05a-bfee-7c9bc33776a8@redhat.com>
In-Reply-To: <20201202231857.2416552-1-polacek@redhat.com>
References: <20201202231857.2416552-1-polacek@redhat.com>
List-Id: Gcc-patches mailing list
X-BeenThere: gcc-patches@gcc.gnu.org

On 12/2/20 6:18 PM, Marek Polacek wrote:
> -fsanitize=vptr initializes all vtable pointers to null so that it can
> catch invalid calls; see cp_ubsan_maybe_initialize_vtbl_ptrs.  That
> means that evaluating a vtable reference can produce a null pointer
> in this mode, so cxx_eval_dynamic_cast_fn should check that.

Yes, but we shouldn't accept it silently; sanitize is supposed to flag
undefined behavior, not allow it.  If we see a null vptr, we should
complain and set *non_constant_p.

> Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
>
> gcc/cp/ChangeLog:
>
> 	PR c++/98103
> 	* constexpr.c (cxx_eval_dynamic_cast_fn): If evaluating the vtable
> 	yields a null pointer, return.
>
> gcc/testsuite/ChangeLog:
>
> 	PR c++/98103
> 	* g++.dg/ubsan/vptr-18.C: New test.
> --- > gcc/cp/constexpr.c | 4 +++- > gcc/testsuite/g++.dg/ubsan/vptr-18.C | 27 +++++++++++++++++++++++++++ > 2 files changed, 30 insertions(+), 1 deletion(-) > create mode 100644 gcc/testsuite/g++.dg/ubsan/vptr-18.C > > diff --git a/gcc/cp/constexpr.c b/gcc/cp/constexpr.c > index 9a1a1db1267..8c6a9cf2b40 100644 > --- a/gcc/cp/constexpr.c > +++ b/gcc/cp/constexpr.c > @@ -1996,7 +1996,9 @@ cxx_eval_dynamic_cast_fn (const constexpr_ctx *ctx, tree call, > tree vtable = build_vfield_ref (obj, TREE_TYPE (obj)); > vtable = cxx_eval_constant_expression (ctx, vtable, /*lval*/false, > non_constant_p, overflow_p); > - if (*non_constant_p) > + /* With -fsanitize=vptr, we initialize all vtable pointers to null, > + so it's possible that we got a null pointer now. */ > + if (*non_constant_p || integer_zerop (vtable)) > return call; > /* VTABLE will be &_ZTV1A + 16 or similar, get _ZTV1A. */ > vtable = extract_obj_from_addr_offset (vtable); > diff --git a/gcc/testsuite/g++.dg/ubsan/vptr-18.C b/gcc/testsuite/g++.dg/ubsan/vptr-18.C > new file mode 100644 > index 00000000000..9f421c269bc > --- /dev/null > +++ b/gcc/testsuite/g++.dg/ubsan/vptr-18.C > @@ -0,0 +1,27 @@ > +// PR c++/98103 > +// { dg-do compile { target c++20 } } > +// { dg-additional-options "-fsanitize=vptr" } > +// Modified constexpr-dynamic17.C. -fsanitize=vptr initializes all vtable > +// pointers to null, so we don't get the "accessing uninitialized member" > +// error. > + > +struct V { > + virtual void f(); > +}; > + > +struct A : V { }; > + > +struct B : V { > + constexpr B(V*, A*); > +}; > + > +struct D : B, A { > + constexpr D() : B((A*)this, this) { } > +}; > + > +constexpr B::B(V* v, A* a) > +{ > + dynamic_cast(a); > +} > + > +constexpr D d; > > base-commit: dc2b372ed1b1e9af6db45051cff95478c7616807 >
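Review bot: in the constexpr.c hunk, the new `integer_zerop (vtable)` test returns `call` without diagnosing anything and without setting `*non_constant_p`, so under -fsanitize=vptr a dynamic_cast on an object whose vptr is still null (a base subobject whose construction has not started, as in the testcase) is silently treated as not evaluable instead of being rejected as a constant expression. Emit a diagnostic when `!ctx->quiet` and set `*non_constant_p = true;` before the `return call;` on that path, and reword the comment so it says a null vptr here means the object is not yet constructed, not merely that "it's possible that we got a null pointer now".

Review bot: the new vptr-18.C has no dg-error directive, so it only checks that the ICE is gone; once the null vptr is diagnosed rather than ignored, `constexpr D d;` needs a dg-error matching the new diagnostic, and the header comment saying we "don't get the 'accessing uninitialized member' error" should state which error is expected instead. Also, the visible `dynamic_cast(a);` in `B::B` carries no target type; if that is not just the mail archive dropping the angle brackets, the testcase will not compile.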
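The V/A/B/D hierarchy from the vptr-18.C testcase, exercised on fully constructed objects, as an added example that is not part of the patch, the testcase or GCC itself. It shows the well-defined cases that both the constexpr evaluator and the -fsanitize=vptr runtime check must keep accepting (a cross-cast from either of D's two V subobjects to its A base, and a failed cast on a plain B returning null), for contrast with the testcase, which performs the cast inside B's constructor before D's A base subobject exists. The virtual destructor, the `tag()` member and the helper function names are this example's own additions, not anything from the patch.

```cpp
// Added example, not from the PR98103 patch or GCC.  Same shape as the
// vptr-18.C hierarchy, but every cast below runs on a complete object,
// so it is well defined with or without -fsanitize=vptr.
#include <cstdio>

struct V {
    virtual ~V() {}
    virtual int tag() const { return 0; }
};
struct A : V { int tag() const override { return 1; } };
struct B : V { int tag() const override { return 2; } };
// D has two distinct V subobjects: one through B, one through A.
struct D : B, A { };

// Cross-cast from whichever V subobject we were handed to the A base of the
// most derived object.  dynamic_cast consults the vptr of *v, finds the
// complete object, and returns nullptr if it has no unambiguous public A.
const A* cross_cast_to_a(const V* v) { return dynamic_cast<const A*>(v); }

// The unchecked variant -fsanitize=vptr exists to catch: a downcast that
// assumes v really is an A.  Undefined behaviour if it is not, so it is
// deliberately never called in this example.
int unchecked_tag_as_a(const V* v) {
    return static_cast<const A*>(v)->tag();
}

// Both V subobjects of a complete D resolve to the same A subobject.
bool both_v_subobjects_reach_a() {
    D d;
    const V* via_b = static_cast<const B*>(&d);   // B's V subobject
    const V* via_a = static_cast<const A*>(&d);   // A's V subobject
    const A* from_b = cross_cast_to_a(via_b);
    const A* from_a = cross_cast_to_a(via_a);
    return from_b != nullptr
        && from_b == from_a
        && from_b == static_cast<const A*>(&d)
        && from_b->tag() == 1;
}

// A complete B has no A base anywhere, so the checked cast yields nullptr
// instead of a type-confused pointer.
bool plain_b_has_no_a() {
    B b;
    return cross_cast_to_a(&b) == nullptr;
}

int main() {
    std::printf("D cross-cast ok: %d\n", both_v_subobjects_reach_a());
    std::printf("B has no A:      %d\n", plain_b_has_no_a());
    return 0;
}
```

Compile with `-fsanitize=vptr` and the checked path stays silent; the unchecked function is the kind of downcast the sanitizer would report if it were ever reached with a B. What the testcase does differently is run the cast while B's constructor is still executing on a D, at which point the A subobject's vptr has not been set (and under -fsanitize=vptr is explicitly null), which is exactly the situation the constexpr evaluator has to reject rather than fold.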