From: Jeff Law <law@redhat.com>
To: Martin Sebor <msebor@gmail.com>,
Gcc Patch List <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH] avoid calling memset et al. with excessively large sizes (PR 79095)
Date: Tue, 17 Jan 2017 18:00:00 -0000 [thread overview]
Message-ID: <661df20e-3446-e303-a125-80adf3a74359@redhat.com> (raw)
In-Reply-To: <e79b9029-8914-5a3f-3423-04ba5fd2900c@gmail.com>
On 01/17/2017 09:12 AM, Martin Sebor wrote:
> On 01/17/2017 08:26 AM, Jeff Law wrote:
>> On 01/16/2017 05:06 PM, Martin Sebor wrote:
>>> The test case submitted in bug 79095 - [7 regression] spurious
>>> stringop-overflow warning shows that GCC optimizes some loops
>>> into calls to memset with size arguments in excess of the object
>>> size limit. Since such calls will unavoidably lead to a buffer
>>> overflow and memory corruption the attached patch detects them
>>> and replaces them with a trap. That both prevents the buffer
>>> overflow and eliminates the warning.
>> But doesn't the creation of the bogus memset signal an invalid
>> transformation in the loop optimizer? ie, if we're going to convert a
>> loop into a memset, then we'd damn well better be sure the loop bounds
>> are reasonable.
>
> I'm not sure that emitting the memset call is necessarily a bug in
> the loop optimizer (which in all likelihood wasn't written with
> the goal of preventing or detecting possible buffer overflows).
> The loop with the excessive bound is in the source code and can
> be reached given the right inputs (calling v.resize(v.size() - 1)
> on an empty vector. It's a lurking bug in the program that, if
> triggered, will overflow the vector and crash the program (or worse)
> with or without the optimization.
Right, but that doesn't mean that the loop optimizer can turn it into a
memset. If the bounds are such that we're going to invoke undefined
behaviour from memset, then the loop optimizer must leave the loop alone.
>
> What else could the loop optimizer could do in this instance?
> I suppose it could just leave the loop alone and avoid emitting
> the memset call. That would avoid the warning but mask the
> problem with the overflow. In my mind, preventing the overflow
> given that we have the opportunity is the right thing to do.
> That is, after all, the goal of the warning.
The right warning in this case is WRT the loop iteration space
independent of mem*.
>
> As I mentioned privately yesterday, I'm actually pleasantly
> surprised that it's helped identify this opportunity in GCC itself.
> My hope was to eventually go and find the places where GCC emits
> potentially out of bounds calls (based on user inputs) and fix them
> to emit better code on the assumption that they can't be valid or
> replace them with traps if they could happen in a running program.
> It didn't occur to me that the warning itself would help find them.
>
> Martin
>
next prev parent reply other threads:[~2017-01-17 17:57 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-17 0:06 Martin Sebor
2017-01-17 7:38 ` Jakub Jelinek
2017-01-18 3:38 ` Martin Sebor
2017-01-18 7:54 ` Jeff Law
2017-01-18 8:55 ` Jakub Jelinek
2017-01-18 18:08 ` Martin Sebor
2017-01-20 23:32 ` Jeff Law
2017-01-21 6:42 ` A + B CMP A -> A CMP' CST' match.pd patterns [was [PATCH] avoid calling memset et al. with excessively large sizes (PR 79095)] Jeff Law
2017-01-21 8:18 ` Marc Glisse
2017-01-24 0:21 ` Jeff Law
2017-01-24 10:49 ` Richard Biener
2017-01-24 14:46 ` Marc Glisse
2017-01-24 15:21 ` Jeff Law
2017-01-24 16:02 ` Marc Glisse
2017-01-24 16:28 ` Richard Biener
2017-01-25 10:36 ` Richard Biener
2017-01-25 17:45 ` Jeff Law
2017-01-23 9:14 ` Richard Biener
2017-01-23 21:13 ` Jeff Law
2017-01-20 23:32 ` [PATCH] avoid calling memset et al. with excessively large sizes (PR 79095) Jeff Law
2017-01-20 23:39 ` Jakub Jelinek
2017-01-21 0:19 ` Jeff Law
2017-01-17 15:26 ` Jeff Law
2017-01-17 16:14 ` Martin Sebor
2017-01-17 18:00 ` Jeff Law [this message]
2017-01-18 3:19 ` Martin Sebor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=661df20e-3446-e303-a125-80adf3a74359@redhat.com \
--to=law@redhat.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=msebor@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).