From: Qing Zhao <qing.zhao@oracle.com>
To: Jeff Law <jeffreyalaw@gmail.com>, Kees Cook <keescook@chromium.org>
Cc: Andrew Pinski <pinskia@gmail.com>,
GCC Patches <gcc-patches@gcc.gnu.org>,
Richard Guenther <rguenther@suse.de>
Subject: Re: [RFC][PATCH] PR tree-optimization/109071 - -Warray-bounds false positive warnings due to code duplication from jump threading
Date: Tue, 14 May 2024 16:03:50 +0000 [thread overview]
Message-ID: <31C9CC21-2304-42C8-AB7F-41F98E679143@oracle.com> (raw)
In-Reply-To: <3af3bb5b-0e31-42d2-b034-86f4ae5a39b4@gmail.com>
> On May 14, 2024, at 11:08, Jeff Law <jeffreyalaw@gmail.com> wrote:
>
>
>
> On 5/14/24 8:57 AM, Qing Zhao wrote:
>>> On May 13, 2024, at 20:14, Kees Cook <keescook@chromium.org> wrote:
>>>
>>> On Tue, May 14, 2024 at 01:38:49AM +0200, Andrew Pinski wrote:
>>>> On Mon, May 13, 2024, 11:41 PM Kees Cook <keescook@chromium.org> wrote:
>>>>> But it makes no sense to warn about:
>>>>>
>>>>> void sparx5_set (int * ptr, struct nums * sg, int index)
>>>>> {
>>>>> if (index >= 4)
>>>>> warn ();
>>>>> *ptr = 0;
>>>>> *val = sg->vals[index];
>>>>> if (index >= 4)
>>>>> warn ();
>>>>> *ptr = *val;
>>>>> }
>>>>>
>>>>> Because at "*val = sg->vals[index];" the actual value range tracking for
>>>>> index is _still_ [INT_MIN,INT_MAX]. (Only within the "then" side of the
>>>>> "if" statements is the range tracking [4,INT_MAX].)
>>>>>
>>>>> However, in the case where jump threading has split the execution flow
>>>>> and produced a copy of "*val = sg->vals[index];" where the value range
>>>>> tracking for "index" is now [4,INT_MAX], is the warning valid. But it
>>>>> is only for that instance. Reporting it for effectively both (there is
>>>>> only 1 source line for the array indexing) is misleading because there
>>>>> is nothing the user can do about it -- the compiler created the copy and
>>>>> then noticed it had a range it could apply to that array index.
>>>>>
>>>>
>>>> "there is nothing the user can do about it" is very much false. They could
>>>> change warn call into a noreturn function call instead. (In the case of
>>>> the Linux kernel panic). There are things the user can do to fix the
>>>> warning and even get better code generation out of the compilers.
>>>
>>> This isn't about warn() not being noreturn. The warn() could be any
>>> function call; the jump threading still happens.
>> When the program is executed on the “if (index > = 4)” path, the value of “index” is definitely
>>> = 4, when sg->vals[index] is referenced on this path (the case when the routine “warn” is NOT noreturn), it’s
>> definitely an out-of-bounds array access. So, the compiler’s warning is correct. And this warning does catch
>> a potential issue in the source code that need to be fixed by either of the following two solutions:
>> 1. Make the routine “warn” as noreturn and mark it noreturn;
> This would be my recommendation. We're about to execute undefined behavior. I don't see a way to necessarily recover safely here, so I'd suggest having warn() not return and mark it appropriately.
>
> That'll have numerous secondary benefits as well.
Yes, agreed. Such source code change should be a nice security improvement to the linux kernel source code.
Qing
>
> jeff
next prev parent reply other threads:[~2024-05-14 16:03 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-13 19:48 Qing Zhao
2024-05-13 20:46 ` Jeff Law
2024-05-13 21:41 ` Kees Cook
2024-05-13 23:38 ` Andrew Pinski
2024-05-14 0:14 ` Kees Cook
2024-05-14 14:57 ` Qing Zhao
2024-05-14 15:08 ` Jeff Law
2024-05-14 16:03 ` Qing Zhao [this message]
2024-05-14 13:08 ` Richard Biener
2024-05-14 14:17 ` Qing Zhao
2024-05-14 14:29 ` Richard Biener
2024-05-14 15:19 ` Qing Zhao
2024-05-14 17:14 ` Richard Biener
2024-05-14 17:21 ` Qing Zhao
2024-05-15 6:09 ` Richard Biener
2024-05-15 13:37 ` Qing Zhao
2024-05-14 19:50 ` Kees Cook
2024-05-15 5:50 ` Richard Biener
2024-05-15 14:00 ` David Malcolm
2024-05-21 15:13 ` Qing Zhao
2024-05-21 21:36 ` David Malcolm
2024-05-22 7:38 ` Richard Biener
2024-05-22 18:53 ` Qing Zhao
2024-05-23 11:46 ` Richard Biener
2024-05-23 14:03 ` Qing Zhao
2024-05-23 14:13 ` David Malcolm
2024-05-23 14:23 ` Qing Zhao
2024-05-31 21:22 ` Qing Zhao
2024-06-03 6:29 ` Richard Biener
2024-06-03 14:33 ` Qing Zhao
2024-06-03 14:48 ` David Malcolm
2024-06-04 7:43 ` Richard Biener
2024-06-04 20:30 ` Qing Zhao
2024-06-05 7:26 ` Richard Biener
2024-06-05 16:38 ` Qing Zhao
2024-06-05 17:07 ` Richard Biener
2024-06-05 17:58 ` Qing Zhao
2024-06-07 19:13 ` Qing Zhao
2024-06-12 18:15 ` Qing Zhao
2024-05-14 16:43 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=31C9CC21-2304-42C8-AB7F-41F98E679143@oracle.com \
--to=qing.zhao@oracle.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=jeffreyalaw@gmail.com \
--cc=keescook@chromium.org \
--cc=pinskia@gmail.com \
--cc=rguenther@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).