From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 1687 invoked by alias); 21 Jun 2017 07:58:12 -0000 Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: Sender: gcc-patches-owner@gcc.gnu.org Received: (qmail 1201 invoked by uid 89); 21 Jun 2017 07:58:11 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-10.9 required=5.0 tests=BAYES_00,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY,SPF_HELO_PASS,T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 spammy= X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 21 Jun 2017 07:58:10 +0000 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id AFE7BB814D; Wed, 21 Jun 2017 07:58:08 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com AFE7BB814D Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=jakub@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com AFE7BB814D Received: from tucnak.zalov.cz (ovpn-116-143.ams2.redhat.com [10.36.116.143]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4D38318C71; Wed, 21 Jun 2017 07:58:08 +0000 (UTC) Received: from tucnak.zalov.cz (localhost [127.0.0.1]) by tucnak.zalov.cz (8.15.2/8.15.2) with ESMTP id v5L7w0cE014597; Wed, 21 Jun 2017 09:58:00 +0200 Received: (from jakub@localhost) by tucnak.zalov.cz (8.15.2/8.15.2/Submit) id v5L7vqnA014596; Wed, 21 Jun 2017 09:57:52 +0200 Date: Wed, 21 Jun 2017 07:58:00 -0000 From: Jakub Jelinek To: Richard Biener Cc: Martin =?utf-8?B?TGnFoWth?= , gcc-patches@gcc.gnu.org Subject: Re: [RFC PATCH] -fsanitize=pointer-overflow support (PR sanitizer/80998) Message-ID: <20170621075752.GM2123@tucnak> Reply-To: Jakub Jelinek References: <20170619182515.GA2123@tucnak> <20170620081348.GE2123@tucnak> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="7iMSBzlTiPOCCT2k" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.7.1 (2016-10-04) X-IsSubscribed: yes X-SW-Source: 2017-06/txt/msg01541.txt.bz2 --7iMSBzlTiPOCCT2k Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-length: 2971 On Tue, Jun 20, 2017 at 10:18:20AM +0200, Richard Biener wrote: > > It would be an attempt to avoid sanitizing int foo (int *p) { return p[10] + p[-5]; } > > (when the offset is constant and small and we dereference it). > > If there is no page mapped at NULL or at the highest page in the virtual > > address space, then the above will crash in case p + 10 or p - 5 wraps > > around. > > Ah, so merely an optimization to avoid excessive instrumentation then, > yes, this might work (maybe make 4096 a --param configurable to be able > to disable it). Yes. And I think it can be implemented incrementally. > > > > I've bootstrapped/regtested the patch on x86_64-linux and i686-linux > > > > and additionally bootstrapped/regtested with bootstrap-ubsan on both too. > > > > The latter revealed a couple of issues I'd like to discuss: > > > > > > > > 1) libcpp/symtab.c contains a couple of spots reduced into: > > > > #define DELETED ((char *) -1) > > > > void bar (char *); > > > > void > > > > foo (char *p) > > > > { > > > > if (p && p != DELETED) > > > > bar (p); > > > > } > > > > where we fold it early into if ((p p+ -1) <= (char *) -3) > > > > and as the instrumentation is done during ubsan pass, if p is NULL, > > > > we diagnose this as invalid pointer overflow from NULL to 0xffff*f. > > > > Shall we change the folder so that during GENERIC folding it > > > > actually does the addition and comparison in pointer_sized_int > > > > instead (my preference), or shall I move the UBSAN_PTR instrumentation > > > > earlier into the FEs (but then I still risk stuff is folded earlier)? > > > > > > Aww, so we turn the pointer test into a range test ;) That it uses > > > a pointer type rather than an unsigned integer type is a bug, probably > > > caused by pointers being TYPE_UNSIGNED. > > > > > > Not sure if the folding itself is worthwhile to keep though, thus an > > > option would be to not generate range tests from pointers? > > > > I'll have a look. Maybe only do it during reassoc and not earlier. > > It certainly looks somewhat premature in fold-const.c. So for this, I have right now 2 variant patches: The first one keeps doing what we were except for the -fsanitize=pointer-overflow case and has been bootstrap-ubsan bootstrapped/regtested on x86_64-linux and i686-linux. The second one performs the addition and comparison in pointer sized unsigned type instead (not bootstrapped yet). I think the second one would be my preference. Note build_range_check is used not just during early folding, but e.g. during ifcombine, reassoc etc. Martin is contemplating instrumentation of pointer <=/=/> comparisons and in that case we'd need some further build_range_check changes, because while ptr == (void *) 0 || ptr == (void *) 1 || ptr == (void *) 2 would be without UB, ptr <= (void *) 2 would be UB, so we'd need to perform all pointer range checks in integral type except the ones where we just do EQ_EXPR/NE_EXPR. Jakub --7iMSBzlTiPOCCT2k Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=U606j_ Content-length: 1128 2017-06-21 Jakub Jelinek PR sanitizer/80998 * fold-const.c: Include asan.h. (build_range_check): For -fsanitize=pointer-overflow don't add pointer arithmetics for range test. --- gcc/fold-const.c.jj 2017-06-14 18:07:47.000000000 +0200 +++ gcc/fold-const.c 2017-06-20 17:05:44.351608513 +0200 @@ -79,6 +79,7 @@ along with GCC; see the file COPYING3. #include "tree-vrp.h" #include "tree-ssanames.h" #include "selftest.h" +#include "asan.h" /* Nonzero if we are folding constants inside an initializer; zero otherwise. */ @@ -4906,6 +4907,14 @@ build_range_check (location_t loc, tree { if (value != 0 && !TREE_OVERFLOW (value)) { + /* Avoid creating pointer arithmetics that is not present + in the source when sanitizing. */ + if (!integer_zerop (low) + && current_function_decl + && sanitize_flags_p (SANITIZE_POINTER_OVERFLOW, + current_function_decl)) + return 0; + low = fold_build1_loc (loc, NEGATE_EXPR, TREE_TYPE (low), low); return build_range_check (loc, type, fold_build_pointer_plus_loc (loc, exp, low), --7iMSBzlTiPOCCT2k Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=U625 Content-length: 2274 2017-06-21 Jakub Jelinek * fold-const.c (build_range_check): Compute pointer range check in integral type if pointer arithmetics would be needed. Formatting fixes. --- gcc/fold-const.c.jj 2017-06-20 21:38:04.000000000 +0200 +++ gcc/fold-const.c 2017-06-21 09:23:00.572404964 +0200 @@ -4818,21 +4818,21 @@ build_range_check (location_t loc, tree if (low == 0) return fold_build2_loc (loc, LE_EXPR, type, exp, - fold_convert_loc (loc, etype, high)); + fold_convert_loc (loc, etype, high)); if (high == 0) return fold_build2_loc (loc, GE_EXPR, type, exp, - fold_convert_loc (loc, etype, low)); + fold_convert_loc (loc, etype, low)); if (operand_equal_p (low, high, 0)) return fold_build2_loc (loc, EQ_EXPR, type, exp, - fold_convert_loc (loc, etype, low)); + fold_convert_loc (loc, etype, low)); if (TREE_CODE (exp) == BIT_AND_EXPR && maskable_range_p (low, high, etype, &mask, &value)) return fold_build2_loc (loc, EQ_EXPR, type, fold_build2_loc (loc, BIT_AND_EXPR, etype, - exp, mask), + exp, mask), value); if (integer_zerop (low)) @@ -4864,7 +4864,7 @@ build_range_check (location_t loc, tree exp = fold_convert_loc (loc, etype, exp); } return fold_build2_loc (loc, GT_EXPR, type, exp, - build_int_cst (etype, 0)); + build_int_cst (etype, 0)); } } @@ -4895,25 +4895,15 @@ build_range_check (location_t loc, tree return 0; } + if (POINTER_TYPE_P (etype)) + etype = unsigned_type_for (etype); + high = fold_convert_loc (loc, etype, high); low = fold_convert_loc (loc, etype, low); exp = fold_convert_loc (loc, etype, exp); value = const_binop (MINUS_EXPR, high, low); - - if (POINTER_TYPE_P (etype)) - { - if (value != 0 && !TREE_OVERFLOW (value)) - { - low = fold_build1_loc (loc, NEGATE_EXPR, TREE_TYPE (low), low); - return build_range_check (loc, type, - fold_build_pointer_plus_loc (loc, exp, low), - 1, build_int_cst (etype, 0), value); - } - return 0; - } - if (value != 0 && !TREE_OVERFLOW (value)) return build_range_check (loc, type, fold_build2_loc (loc, MINUS_EXPR, etype, exp, low), --7iMSBzlTiPOCCT2k--