* [Ada] Type invariant or postcondition may cause uninitialized memory reads
@ 2022-05-16  8:43 Pierre-Marie de Rodat
  0 siblings, 0 replies; only message in thread
From: Pierre-Marie de Rodat @ 2022-05-16  8:43 UTC (permalink / raw)
  To: gcc-patches; +Cc: Justin Squirek

[-- Attachment #1: Type: text/plain, Size: 1130 bytes --]

This patch corrects an error in the compiler whereby a function
requiring the generation of a postconditions procedure may cause an
uninitialized memory read when the return type
Has_Unconstrained_Elements or is an unconstrained array.

The error occurs because evaluation of postconditions happens within the
"at end" handler when the temporary result object may go out of scope.
The patch modifies expansion in the above cases to evaluate
postconditions at the point of return instead - in order to guarantee
the result object is valid.

Note that these changes have the side effect of introducing a semantic
bug such that functions returning types with unconstrained elements will
have their postconditions/return type invariants evaluated before
finalization. Work is currently being done to introduce wrappers which
will solve this problem and remove technical debt in this area.

Tested on x86_64-pc-linux-gnu, committed on trunk

gcc/ada/

	* exp_ch7.adb (Build_Finalizer): Disable late evaluation of
	postconditions for functions returning types where
	Has_Unconstrained_Elements is true or which are unconstrained arrays.

[-- Attachment #2: patch.diff --]
[-- Type: text/x-diff, Size: 1997 bytes --]

diff --git a/gcc/ada/exp_ch7.adb b/gcc/ada/exp_ch7.adb
--- a/gcc/ada/exp_ch7.adb
+++ b/gcc/ada/exp_ch7.adb
@@ -4247,14 +4247,33 @@ package body Exp_Ch7 is
          --
          --    Postcond_Enable := False;
 
-         Append_To (Top_Decls,
-           Make_Assignment_Statement (Loc,
-             Name       =>
-               New_Occurrence_Of
-                 (Get_Postcond_Enabled (Def_Ent), Loc),
-             Expression =>
-               New_Occurrence_Of
-                 (Standard_False, Loc)));
+         --  Note that we do not disable early evaluation of postconditions
+         --  for return types that are unconstrained or have unconstrained
+         --  elements since the temporary result object could get allocated on
+         --  the stack and be out of scope at the point where we perform late
+         --  evaluation of postconditions - leading to uninitialized memory
+         --  reads.
+
+         --  This disabling of early evaluation can lead to incorrect run-time
+         --  semantics where functions with unconstrained elements will
+         --  have their corresponding postconditions evaluated before
+         --  finalization. The proper solution here is to generate a wrapper
+         --  to capture the result instead of using multiple flags and playing
+         --  with flags which does not even work in all cases ???
+
+         if not Has_Unconstrained_Elements (Etype (Def_Ent))
+           or else (Is_Array_Type (Etype (Def_Ent))
+                     and then not Is_Constrained (Etype (Def_Ent)))
+         then
+            Append_To (Top_Decls,
+              Make_Assignment_Statement (Loc,
+                Name       =>
+                  New_Occurrence_Of
+                    (Get_Postcond_Enabled (Def_Ent), Loc),
+                Expression =>
+                  New_Occurrence_Of
+                    (Standard_False, Loc)));
+         end if;
 
          --  Add the subprogram to the list of declarations an analyze it
 
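Review bot: the guard added at `if not Has_Unconstrained_Elements (Etype (Def_Ent)) or else (Is_Array_Type (Etype (Def_Ent)) and then not Is_Constrained (Etype (Def_Ent)))` does not match the comment above it or the ChangeLog entry. The comment says early evaluation must not be disabled for return types that are unconstrained arrays or have unconstrained elements, which means the `Postcond_Enable := False` assignment should be skipped in both cases; with `or else`, an unconstrained array type makes the second disjunct true, so the assignment is still appended and the unconstrained-array case keeps the late evaluation this patch is meant to avoid. The condition that matches the stated intent is the negation of the combined unsafe cases, i.e. `if not Has_Unconstrained_Elements (Etype (Def_Ent)) and then not (Is_Array_Type (Etype (Def_Ent)) and then not Is_Constrained (Etype (Def_Ent))) then`. Since the cover letter says the change trades an uninitialized memory read for evaluation before finalization, it would also help to test both a constrained and an unconstrained array return type so the guard is exercised in each branch, and to reference the planned wrapper work next to the `???` marker rather than leaving the open question unanchored.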


