From: Marek Polacek <polacek@redhat.com>
To: Jason Merrill <jason@redhat.com>
Cc: GCC Patches <gcc-patches@gcc.gnu.org>,
Jakub Jelinek <jakub@redhat.com>,
"Joseph S. Myers" <joseph@codesourcery.com>
Subject: Re: [PATCH][ubsan] Add VLA bound instrumentation
Date: Fri, 01 Nov 2013 19:10:00 -0000 [thread overview]
Message-ID: <20131101191037.GK31396@redhat.com> (raw)
In-Reply-To: <5273E64B.8060703@redhat.com>
On Fri, Nov 01, 2013 at 01:35:07PM -0400, Jason Merrill wrote:
> On 10/31/2013 02:28 PM, Marek Polacek wrote:
> > /* A variable sized array. */
> > itype = variable_size (itype);
> >+
> >+ /* We need to stabilize side-effects in VLA sizes for regular array
> >+ declarations too, not just pointers to arrays. */
> >+ stabilize_vla_size (itype);
>
> Let's put this after the later call to variable_size, too.
>
> > if (TREE_CODE (itype) != SAVE_EXPR)
> > {
> > /* Look for SIZEOF_EXPRs in itype and fold them, otherwise
> >@@ -8390,6 +8385,31 @@ compute_array_index_type (tree name, tre
> > if (found)
> > itype = variable_size (fold (newitype));
> > }
>
> i.e. here.
Done.
> >+
> >+ if (cxx_dialect >= cxx1y)
> >+ {
> >+ /* If the VLA bound is larger than half the address space,
> >+ or less than zero, throw std::bad_array_length. */
> >+ tree comp = build2 (LT_EXPR, boolean_type_node, itype,
> >+ ssize_int (-1));
> >+ comp = build3 (COND_EXPR, void_type_node, comp,
> >+ throw_bad_array_length (), void_zero_node);
> >+ finish_expr_stmt (comp);
> >+ }
> >+
> >+ if ((flag_sanitize & SANITIZE_VLA)
> >+ /* From C++1y onwards, we throw an exception on a negative
> >+ length size of an array; see above */
> >+ && cxx_dialect < cxx1y)
>
> This could be
>
> else if (flag_sanitize & SANITIZE_VLA)
Done (with some formatting nits fixed).
> There's another use of stabilize_vla_size in grokdeclarator, that
> should be able to go as well.
Yep, seems so.
Regtest/bootstrap on x86_64-linux running (so far lookin' good), ok if passes?
2013-11-01 Marek Polacek <polacek@redhat.com>
Implement -fsanitize=vla-bound.
* opts.c (common_handle_option): Handle vla-bound.
* sanitizer.def (BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE):
Define.
* flag-types.h (enum sanitize_code): Add SANITIZE_VLA.
* asan.c (initialize_sanitizer_builtins): Build BT_FN_VOID_PTR_PTR.
c-family/
* c-ubsan.c: Don't include hash-table.h.
(ubsan_instrument_vla): New function.
* c-ubsan.h: Declare it.
cp/
* decl.c (cp_finish_decl): Move C++1y bounds checking...
(compute_array_index_type): ...here. Add VLA instrumentation.
Call stabilize_vla_size.
(grokdeclarator): Don't call stabilize_vla_size here.
c/
* c-decl.c (grokdeclarator): Add VLA instrumentation.
testsuite/
* g++.dg/ubsan/cxx1y-vla.C: New test.
* c-c++-common/ubsan/vla-3.c: New test.
* c-c++-common/ubsan/vla-2.c: New test.
* c-c++-common/ubsan/vla-4.c: New test.
* c-c++-common/ubsan/vla-1.c: New test.
--- gcc/opts.c.mp 2013-11-01 18:53:17.372014692 +0100
+++ gcc/opts.c 2013-11-01 18:53:48.857130430 +0100
@@ -1444,6 +1444,7 @@ common_handle_option (struct gcc_options
{ "undefined", SANITIZE_UNDEFINED, sizeof "undefined" - 1 },
{ "unreachable", SANITIZE_UNREACHABLE,
sizeof "unreachable" - 1 },
+ { "vla-bound", SANITIZE_VLA, sizeof "vla-bound" - 1 },
{ NULL, 0, 0 }
};
const char *comma;
--- gcc/c-family/c-ubsan.c.mp 2013-11-01 18:53:17.389014762 +0100
+++ gcc/c-family/c-ubsan.c 2013-11-01 18:53:48.858130434 +0100
@@ -25,7 +25,6 @@ along with GCC; see the file COPYING3.
#include "alloc-pool.h"
#include "cgraph.h"
#include "gimple.h"
-#include "hash-table.h"
#include "output.h"
#include "toplev.h"
#include "ubsan.h"
@@ -86,8 +85,7 @@ ubsan_instrument_division (location_t lo
return t;
}
-/* Instrument left and right shifts. If not instrumenting, return
- NULL_TREE. */
+/* Instrument left and right shifts. */
tree
ubsan_instrument_shift (location_t loc, enum tree_code code,
@@ -157,4 +155,23 @@ ubsan_instrument_shift (location_t loc,
t = fold_build3 (COND_EXPR, void_type_node, t, tt, void_zero_node);
return t;
+}
+
+/* Instrument variable length array bound. */
+
+tree
+ubsan_instrument_vla (location_t loc, tree size)
+{
+ tree type = TREE_TYPE (size);
+ tree t, tt;
+
+ t = fold_build2 (LE_EXPR, boolean_type_node, size, build_int_cst (type, 0));
+ tree data = ubsan_create_data ("__ubsan_vla_data",
+ loc, ubsan_type_descriptor (type), NULL_TREE);
+ data = build_fold_addr_expr_loc (loc, data);
+ tt = builtin_decl_explicit (BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE);
+ tt = build_call_expr_loc (loc, tt, 2, data, ubsan_encode_value (size));
+ t = fold_build3 (COND_EXPR, void_type_node, t, tt, void_zero_node);
+
+ return t;
}
--- gcc/c-family/c-ubsan.h.mp 2013-11-01 18:53:17.395014787 +0100
+++ gcc/c-family/c-ubsan.h 2013-11-01 18:53:48.864130461 +0100
@@ -23,5 +23,6 @@ along with GCC; see the file COPYING3.
extern tree ubsan_instrument_division (location_t, tree, tree);
extern tree ubsan_instrument_shift (location_t, enum tree_code, tree, tree);
+extern tree ubsan_instrument_vla (location_t, tree);
#endif /* GCC_C_UBSAN_H */
--- gcc/sanitizer.def.mp 2013-11-01 18:53:17.403014823 +0100
+++ gcc/sanitizer.def 2013-11-01 18:53:48.865130465 +0100
@@ -297,3 +297,7 @@ DEF_SANITIZER_BUILTIN(BUILT_IN_UBSAN_HAN
"__ubsan_handle_builtin_unreachable",
BT_FN_VOID_PTR,
ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST)
+DEF_SANITIZER_BUILTIN(BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE,
+ "__ubsan_handle_vla_bound_not_positive",
+ BT_FN_VOID_PTR_PTR,
+ ATTR_COLD_NOTHROW_LEAF_LIST)
--- gcc/flag-types.h.mp 2013-11-01 18:53:17.405014831 +0100
+++ gcc/flag-types.h 2013-11-01 18:53:48.866130469 +0100
@@ -210,7 +210,9 @@ enum sanitize_code {
SANITIZE_SHIFT = 1 << 2,
SANITIZE_DIVIDE = 1 << 3,
SANITIZE_UNREACHABLE = 1 << 4,
+ SANITIZE_VLA = 1 << 5,
SANITIZE_UNDEFINED = SANITIZE_SHIFT | SANITIZE_DIVIDE | SANITIZE_UNREACHABLE
+ | SANITIZE_VLA
};
/* flag_vtable_verify initialization levels. */
--- gcc/cp/decl.c.mp 2013-11-01 18:53:17.425014915 +0100
+++ gcc/cp/decl.c 2013-11-01 19:44:46.897799049 +0100
@@ -45,6 +45,7 @@ along with GCC; see the file COPYING3.
#include "c-family/c-objc.h"
#include "c-family/c-pragma.h"
#include "c-family/c-target.h"
+#include "c-family/c-ubsan.h"
#include "diagnostic.h"
#include "intl.h"
#include "debug.h"
@@ -6399,17 +6400,6 @@ cp_finish_decl (tree decl, tree init, bo
&& TYPE_FOR_JAVA (type) && MAYBE_CLASS_TYPE_P (type))
error ("non-static data member %qD has Java class type", decl);
- if (cxx_dialect >= cxx1y && array_of_runtime_bound_p (type))
- {
- /* If the VLA bound is larger than half the address space, or less
- than zero, throw std::bad_array_length. */
- tree max = convert (ssizetype, TYPE_MAX_VALUE (TYPE_DOMAIN (type)));
- tree comp = build2 (LT_EXPR, boolean_type_node, max, ssize_int (-1));
- comp = build3 (COND_EXPR, void_type_node, comp,
- throw_bad_array_length (), void_zero_node);
- finish_expr_stmt (comp);
- }
-
/* Add this declaration to the statement-tree. This needs to happen
after the call to check_initializer so that the DECL_EXPR for a
reference temp is added before the DECL_EXPR for the reference itself. */
@@ -8379,6 +8369,7 @@ compute_array_index_type (tree name, tre
{
/* A variable sized array. */
itype = variable_size (itype);
+
if (TREE_CODE (itype) != SAVE_EXPR)
{
/* Look for SIZEOF_EXPRs in itype and fold them, otherwise
@@ -8390,6 +8381,34 @@ compute_array_index_type (tree name, tre
if (found)
itype = variable_size (fold (newitype));
}
+
+ /* We need to stabilize side-effects in VLA sizes for regular array
+ declarations too, not just pointers to arrays. */
+ stabilize_vla_size (itype);
+
+ if (cxx_dialect >= cxx1y)
+ {
+ /* If the VLA bound is larger than half the address space,
+ or less than zero, throw std::bad_array_length. */
+ tree comp = build2 (LT_EXPR, boolean_type_node, itype,
+ ssize_int (-1));
+ comp = build3 (COND_EXPR, void_type_node, comp,
+ throw_bad_array_length (), void_zero_node);
+ finish_expr_stmt (comp);
+ }
+ else if (flag_sanitize & SANITIZE_VLA)
+ {
+ /* From C++1y onwards, we throw an exception on a negative
+ length size of an array; see above. */
+
+ /* We have to add 1 -- in the ubsan routine we generate
+ LE_EXPR rather than LT_EXPR. */
+ tree t = fold_build2 (PLUS_EXPR, TREE_TYPE (itype), itype,
+ build_one_cst (TREE_TYPE (itype)));
+ t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t),
+ ubsan_instrument_vla (input_location, t), t);
+ finish_expr_stmt (t);
+ }
}
/* Make sure that there was no overflow when creating to a signed
index type. (For example, on a 32-bit machine, an array with
@@ -9790,12 +9809,8 @@ grokdeclarator (const cp_declarator *dec
&& (decl_context == NORMAL || decl_context == FIELD)
&& at_function_scope_p ()
&& variably_modified_type_p (type, NULL_TREE))
- {
- /* First break out any side-effects. */
- stabilize_vla_size (TYPE_SIZE (type));
- /* And then force evaluation of the SAVE_EXPR. */
- finish_expr_stmt (TYPE_SIZE (type));
- }
+ /* Force evaluation of the SAVE_EXPR. */
+ finish_expr_stmt (TYPE_SIZE (type));
if (declarator->kind == cdk_reference)
{
@@ -9886,14 +9901,6 @@ grokdeclarator (const cp_declarator *dec
}
}
- /* We need to stabilize side-effects in VLA sizes for regular array
- declarations too, not just pointers to arrays. */
- if (type != error_mark_node && !TYPE_NAME (type)
- && (decl_context == NORMAL || decl_context == FIELD)
- && at_function_scope_p ()
- && variably_modified_type_p (type, NULL_TREE))
- stabilize_vla_size (TYPE_SIZE (type));
-
/* A `constexpr' specifier used in an object declaration declares
the object as `const'. */
if (constexpr_p && innermost_code != cdk_function)
--- gcc/c/c-decl.c.mp 2013-11-01 18:53:17.443014991 +0100
+++ gcc/c/c-decl.c 2013-11-01 18:53:48.946130794 +0100
@@ -45,6 +45,7 @@ along with GCC; see the file COPYING3.
#include "c-family/c-common.h"
#include "c-family/c-objc.h"
#include "c-family/c-pragma.h"
+#include "c-family/c-ubsan.h"
#include "c-lang.h"
#include "langhooks.h"
#include "tree-iterator.h"
@@ -5411,6 +5412,16 @@ grokdeclarator (const struct c_declarato
with known value. */
this_size_varies = size_varies = true;
warn_variable_length_array (name, size);
+ if (flag_sanitize & SANITIZE_VLA
+ && decl_context == NORMAL)
+ {
+ /* Evaluate the array size only once. */
+ size = c_save_expr (size);
+ size = c_fully_fold (size, false, NULL);
+ size = fold_build2 (COMPOUND_EXPR, TREE_TYPE (size),
+ ubsan_instrument_vla (loc, size),
+ size);
+ }
}
if (integer_zerop (size) && !this_size_varies)
--- gcc/testsuite/g++.dg/ubsan/cxx1y-vla.C.mp 2013-11-01 18:53:55.957155884 +0100
+++ gcc/testsuite/g++.dg/ubsan/cxx1y-vla.C 2013-11-01 18:53:48.956130834 +0100
@@ -0,0 +1,13 @@
+/* { dg-do run } */
+/* { dg-options "-fsanitize=vla-bound -w -std=c++1y" } */
+/* { dg-shouldfail "ubsan" } */
+
+int
+main (void)
+{
+ int y = -18;
+ int a[y];
+ return 0;
+}
+
+/* { dg-output "terminate called after throwing an instance" } */
--- gcc/testsuite/c-c++-common/ubsan/vla-3.c.mp 2013-11-01 18:54:05.024188578 +0100
+++ gcc/testsuite/c-c++-common/ubsan/vla-3.c 2013-11-01 18:53:48.957130838 +0100
@@ -0,0 +1,16 @@
+/* { dg-do run } */
+/* { dg-options "-fsanitize=vla-bound -w" } */
+
+/* Don't instrument the arrays here. */
+int
+foo (int n, int a[])
+{
+ return a[n - 1];
+}
+
+int
+main (void)
+{
+ int a[6] = { };
+ return foo (3, a);
+}
--- gcc/testsuite/c-c++-common/ubsan/vla-2.c.mp 2013-11-01 18:54:08.840202633 +0100
+++ gcc/testsuite/c-c++-common/ubsan/vla-2.c 2013-11-01 18:53:48.957130838 +0100
@@ -0,0 +1,15 @@
+/* { dg-do run } */
+/* { dg-options "-fsanitize=vla-bound -w" } */
+
+int
+main (void)
+{
+ const int t = 0;
+ struct s {
+ int x;
+ /* Don't instrument this one. */
+ int g[t];
+ };
+
+ return 0;
+}
--- gcc/testsuite/c-c++-common/ubsan/vla-4.c.mp 2013-11-01 18:54:10.576209008 +0100
+++ gcc/testsuite/c-c++-common/ubsan/vla-4.c 2013-11-01 18:53:48.957130838 +0100
@@ -0,0 +1,13 @@
+/* { dg-do run } */
+/* { dg-options "-fsanitize=vla-bound" } */
+
+int
+main (void)
+{
+ int x = 1;
+ /* Check that the size of an array is evaluated only once. */
+ int a[++x];
+ if (x != 2)
+ __builtin_abort ();
+ return 0;
+}
--- gcc/testsuite/c-c++-common/ubsan/vla-1.c.mp 2013-11-01 18:54:07.233196627 +0100
+++ gcc/testsuite/c-c++-common/ubsan/vla-1.c 2013-11-01 18:53:48.958130842 +0100
@@ -0,0 +1,48 @@
+/* { dg-do run } */
+/* { dg-options "-fsanitize=vla-bound -w" } */
+
+static int
+bar (void)
+{
+ return -42;
+}
+
+typedef long int V;
+int
+main (void)
+{
+ int x = -1;
+ double di = -3.2;
+ V v = -666;
+
+ int a[x];
+ int aa[x][x];
+ int aaa[x][x][x];
+ int b[x - 4];
+ int c[(int) di];
+ int d[1 + x];
+ int e[1 ? x : -1];
+ int f[++x];
+ int g[(signed char) --x];
+ int h[(++x, --x, x)];
+ int i[v];
+ int j[bar ()];
+
+ return 0;
+}
+
+/* { dg-output "variable length array bound evaluates to non-positive value -1(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -1(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -1(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -1(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -1(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -1(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -5(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -3(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value 0(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -1(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value 0(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -1(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -1(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -666(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*variable length array bound evaluates to non-positive value -42(\n|\r\n|\r)" } */
--- gcc/asan.c.mp 2013-11-01 18:53:17.445015000 +0100
+++ gcc/asan.c 2013-11-01 18:53:48.959130846 +0100
@@ -2021,6 +2021,9 @@ initialize_sanitizer_builtins (void)
tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
tree BT_FN_VOID_PTR
= build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
+ tree BT_FN_VOID_PTR_PTR
+ = build_function_type_list (void_type_node, ptr_type_node,
+ ptr_type_node, NULL_TREE);
tree BT_FN_VOID_PTR_PTR_PTR
= build_function_type_list (void_type_node, ptr_type_node,
ptr_type_node, ptr_type_node, NULL_TREE);
Marek
next prev parent reply other threads:[~2013-11-01 19:10 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-12 12:38 Marek Polacek
2013-09-12 12:48 ` Marek Polacek
2013-09-12 16:12 ` Joseph S. Myers
2013-09-12 16:20 ` Joseph S. Myers
2013-09-12 17:15 ` Marek Polacek
2013-09-13 10:29 ` Marek Polacek
2013-09-13 11:23 ` Eric Botcazou
2013-09-13 18:01 ` Joseph S. Myers
2013-09-16 11:13 ` Marek Polacek
2013-09-16 13:39 ` Florian Weimer
2013-09-12 16:29 ` Marek Polacek
2013-09-25 13:23 ` Marek Polacek
2013-10-07 20:17 ` Marek Polacek
2013-10-15 13:25 ` Marek Polacek
2013-10-15 15:01 ` Joseph S. Myers
2013-10-24 20:35 ` Jason Merrill
2013-10-25 17:38 ` Marek Polacek
2013-10-25 19:04 ` Jason Merrill
2013-10-25 19:15 ` Marek Polacek
2013-10-25 19:30 ` Jason Merrill
2013-10-30 15:16 ` Marek Polacek
2013-10-30 16:08 ` Jason Merrill
2013-10-30 16:20 ` Marek Polacek
2013-10-30 20:55 ` Mike Stump
2013-10-30 22:46 ` Marek Polacek
2013-10-30 22:50 ` Mike Stump
2013-10-31 11:12 ` Marek Polacek
2013-10-31 3:18 ` Jason Merrill
2013-10-31 19:07 ` Marek Polacek
2013-11-01 17:35 ` Jason Merrill
2013-11-01 19:10 ` Marek Polacek [this message]
2013-11-01 20:39 ` Jason Merrill
2013-11-02 13:06 ` Marek Polacek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131101191037.GK31396@redhat.com \
--to=polacek@redhat.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=jakub@redhat.com \
--cc=jason@redhat.com \
--cc=joseph@codesourcery.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).