* [PATCH] c++: Further fix for -fsanitize=vptr [PR94325]
@ 2020-04-06 22:43 Jakub Jelinek
2020-04-08 12:57 ` Jason Merrill
0 siblings, 1 reply; 2+ messages in thread
From: Jakub Jelinek @ 2020-04-06 22:43 UTC (permalink / raw)
To: Jason Merrill; +Cc: gcc-patches
Hi!
For -fsanitize=vptr, we insert a NULL store into the vptr instead of just
adding a CLOBBER of this. build_clobber_this makes the CLOBBER conditional
on in_charge (implicit) parameter whenever CLASSTYPE_VBASECLASSES, but when
adding this conditionalization to the -fsanitize=vptr code in PR87095,
I wanted it to catch some more cases when the class has CLASSTYPE_VBASECLASSES,
but the vptr is still not shared with something else, otherwise the
sanitization would be less effective.
The following testcase shows that the chosen test that CLASSTYPE_PRIMARY_BINFO
is non-NULL and has BINFO_VIRTUAL_P set wasn't sufficient,
the D class has still sizeof(D) == sizeof(void*) and thus contains just
a single vptr, but while in B::~B() this results in the vptr not being
cleared, in C::~C() this condition isn't true, as CLASSTYPE_PRIMARY_BINFO
in that case is B and is not BINFO_VIRTUAL_P, so it clears the vptr, but the
D::~D() dtor after invoking C::~C() invokes A::~A() with an already cleared
vptr, which is then reported.
The following patch is just a shot in the dark, keep looking through
CLASSTYPE_PRIMARY_BINFO until we find BINFO_VIRTUAL_P, but it works on the
existing testcase as well as this new one.
Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?
Or do we want some other test?
2020-04-06 Jakub Jelinek <jakub@redhat.com>
PR c++/94325
* decl.c (begin_destructor_body): For CLASSTYPE_VBASECLASSES class
dtors, if CLASSTYPE_PRIMARY_BINFO is non-NULL, but not BINFO_VIRTUAL_P,
look at CLASSTYPE_PRIMARY_BINFO of its BINFO_TYPE if it is not
BINFO_VIRTUAL_P, and so on.
* g++.dg/ubsan/vptr-15.C: New test.
--- gcc/cp/decl.c.jj 2020-03-27 09:59:26.407083563 +0100
+++ gcc/cp/decl.c 2020-04-06 13:25:03.321511554 +0200
@@ -16662,14 +16662,20 @@ begin_destructor_body (void)
/* If the vptr is shared with some virtual nearly empty base,
don't clear it if not in charge, the dtor of the virtual
nearly empty base will do that later. */
- if (CLASSTYPE_VBASECLASSES (current_class_type)
- && CLASSTYPE_PRIMARY_BINFO (current_class_type)
- && BINFO_VIRTUAL_P
- (CLASSTYPE_PRIMARY_BINFO (current_class_type)))
+ if (CLASSTYPE_VBASECLASSES (current_class_type))
{
- stmt = convert_to_void (stmt, ICV_STATEMENT,
- tf_warning_or_error);
- stmt = build_if_in_charge (stmt);
+ tree c = current_class_type;
+ while (CLASSTYPE_PRIMARY_BINFO (c))
+ {
+ if (BINFO_VIRTUAL_P (CLASSTYPE_PRIMARY_BINFO (c)))
+ {
+ stmt = convert_to_void (stmt, ICV_STATEMENT,
+ tf_warning_or_error);
+ stmt = build_if_in_charge (stmt);
+ break;
+ }
+ c = BINFO_TYPE (CLASSTYPE_PRIMARY_BINFO (c));
+ }
}
finish_decl_cleanup (NULL_TREE, stmt);
}
--- gcc/testsuite/g++.dg/ubsan/vptr-15.C.jj 2020-04-06 13:32:43.501627756 +0200
+++ gcc/testsuite/g++.dg/ubsan/vptr-15.C 2020-04-06 13:37:52.642001353 +0200
@@ -0,0 +1,14 @@
+// PR c++/94325
+// { dg-do run { target c++11 } }
+// { dg-options "-fsanitize=vptr -fno-sanitize-recover=vptr" }
+
+struct A { virtual ~A () = default; };
+struct B : public virtual A {};
+struct C : public B {};
+struct D : public C {};
+
+int
+main ()
+{
+ D a;
+}
Jakub
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] c++: Further fix for -fsanitize=vptr [PR94325]
2020-04-06 22:43 [PATCH] c++: Further fix for -fsanitize=vptr [PR94325] Jakub Jelinek
@ 2020-04-08 12:57 ` Jason Merrill
0 siblings, 0 replies; 2+ messages in thread
From: Jason Merrill @ 2020-04-08 12:57 UTC (permalink / raw)
To: Jakub Jelinek; +Cc: gcc-patches
On 4/6/20 6:43 PM, Jakub Jelinek wrote:
> Hi!
>
> For -fsanitize=vptr, we insert a NULL store into the vptr instead of just
> adding a CLOBBER of this. build_clobber_this makes the CLOBBER conditional
> on in_charge (implicit) parameter whenever CLASSTYPE_VBASECLASSES, but when
> adding this conditionalization to the -fsanitize=vptr code in PR87095,
> I wanted it to catch some more cases when the class has CLASSTYPE_VBASECLASSES,
> but the vptr is still not shared with something else, otherwise the
> sanitization would be less effective.
> The following testcase shows that the chosen test that CLASSTYPE_PRIMARY_BINFO
> is non-NULL and has BINFO_VIRTUAL_P set wasn't sufficient,
> the D class has still sizeof(D) == sizeof(void*) and thus contains just
> a single vptr, but while in B::~B() this results in the vptr not being
> cleared, in C::~C() this condition isn't true, as CLASSTYPE_PRIMARY_BINFO
> in that case is B and is not BINFO_VIRTUAL_P, so it clears the vptr, but the
> D::~D() dtor after invoking C::~C() invokes A::~A() with an already cleared
> vptr, which is then reported.
> The following patch is just a shot in the dark, keep looking through
> CLASSTYPE_PRIMARY_BINFO until we find BINFO_VIRTUAL_P, but it works on the
> existing testcase as well as this new one.
>
> Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?
> Or do we want some other test?
OK.
> 2020-04-06 Jakub Jelinek <jakub@redhat.com>
>
> PR c++/94325
> * decl.c (begin_destructor_body): For CLASSTYPE_VBASECLASSES class
> dtors, if CLASSTYPE_PRIMARY_BINFO is non-NULL, but not BINFO_VIRTUAL_P,
> look at CLASSTYPE_PRIMARY_BINFO of its BINFO_TYPE if it is not
> BINFO_VIRTUAL_P, and so on.
>
> * g++.dg/ubsan/vptr-15.C: New test.
>
> --- gcc/cp/decl.c.jj 2020-03-27 09:59:26.407083563 +0100
> +++ gcc/cp/decl.c 2020-04-06 13:25:03.321511554 +0200
> @@ -16662,14 +16662,20 @@ begin_destructor_body (void)
> /* If the vptr is shared with some virtual nearly empty base,
> don't clear it if not in charge, the dtor of the virtual
> nearly empty base will do that later. */
> - if (CLASSTYPE_VBASECLASSES (current_class_type)
> - && CLASSTYPE_PRIMARY_BINFO (current_class_type)
> - && BINFO_VIRTUAL_P
> - (CLASSTYPE_PRIMARY_BINFO (current_class_type)))
> + if (CLASSTYPE_VBASECLASSES (current_class_type))
> {
> - stmt = convert_to_void (stmt, ICV_STATEMENT,
> - tf_warning_or_error);
> - stmt = build_if_in_charge (stmt);
> + tree c = current_class_type;
> + while (CLASSTYPE_PRIMARY_BINFO (c))
> + {
> + if (BINFO_VIRTUAL_P (CLASSTYPE_PRIMARY_BINFO (c)))
> + {
> + stmt = convert_to_void (stmt, ICV_STATEMENT,
> + tf_warning_or_error);
> + stmt = build_if_in_charge (stmt);
> + break;
> + }
> + c = BINFO_TYPE (CLASSTYPE_PRIMARY_BINFO (c));
> + }
> }
> finish_decl_cleanup (NULL_TREE, stmt);
> }
> --- gcc/testsuite/g++.dg/ubsan/vptr-15.C.jj 2020-04-06 13:32:43.501627756 +0200
> +++ gcc/testsuite/g++.dg/ubsan/vptr-15.C 2020-04-06 13:37:52.642001353 +0200
> @@ -0,0 +1,14 @@
> +// PR c++/94325
> +// { dg-do run { target c++11 } }
> +// { dg-options "-fsanitize=vptr -fno-sanitize-recover=vptr" }
> +
> +struct A { virtual ~A () = default; };
> +struct B : public virtual A {};
> +struct C : public B {};
> +struct D : public C {};
> +
> +int
> +main ()
> +{
> + D a;
> +}
>
> Jakub
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-04-08 12:57 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-06 22:43 [PATCH] c++: Further fix for -fsanitize=vptr [PR94325] Jakub Jelinek
2020-04-08 12:57 ` Jason Merrill
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).