Re: [PATCH] avoid calling memset et al. with excessively large sizes (PR 79095)

public inbox for gcc-patches@gcc.gnu.org
 help / color / mirror / Atom feed

From: Martin Sebor <msebor@gmail.com>
To: Jeff Law <law@redhat.com>, Gcc Patch List <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH] avoid calling memset et al. with excessively large sizes (PR 79095)
Date: Tue, 17 Jan 2017 16:14:00 -0000	[thread overview]
Message-ID: <e79b9029-8914-5a3f-3423-04ba5fd2900c@gmail.com> (raw)
In-Reply-To: <d886be73-3b9e-011f-156b-b461f1ea994b@redhat.com>

On 01/17/2017 08:26 AM, Jeff Law wrote:
> On 01/16/2017 05:06 PM, Martin Sebor wrote:
>> The test case submitted in bug 79095 - [7 regression] spurious
>> stringop-overflow warning shows that GCC optimizes some loops
>> into calls to memset with size arguments in excess of the object
>> size limit.  Since such calls will unavoidably lead to a buffer
>> overflow and memory corruption the attached patch detects them
>> and replaces them with a trap.  That both prevents the buffer
>> overflow and eliminates the warning.
> But doesn't the creation of the bogus memset signal an invalid
> transformation in the loop optimizer?  ie, if we're going to convert a
> loop into a memset, then we'd damn well better be sure the loop bounds
> are reasonable.

I'm not sure that emitting the memset call is necessarily a bug in
the loop optimizer (which in all likelihood wasn't written with
the goal of preventing or detecting possible buffer overflows).
The loop with the excessive bound is in the source code and can
be reached given the right inputs (calling v.resize(v.size() - 1)
on an empty vector.  It's a lurking bug in the program that, if
triggered, will overflow the vector and crash the program (or worse)
with or without the optimization.

What else could the loop optimizer could do in this instance?
I suppose it could just leave the loop alone and avoid emitting
the memset call.  That would avoid the warning but mask the
problem with the overflow.  In my mind, preventing the overflow
given that we have the opportunity is the right thing to do.
That is, after all, the goal of the warning.

As I mentioned privately yesterday, I'm actually pleasantly
surprised that it's helped identify this opportunity in GCC itself.
My hope was to eventually go and find the places where GCC emits
potentially out of bounds calls (based on user inputs) and fix them
to emit better code on the assumption that they can't be valid or
replace them with traps if they could happen in a running program.
It didn't occur to me that the warning itself would help find them.

Martin

next prev parent reply	other threads:[~2017-01-17 16:12 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-17  0:06 Martin Sebor
2017-01-17  7:38 ` Jakub Jelinek
2017-01-18  3:38   ` Martin Sebor
2017-01-18  7:54     ` Jeff Law
2017-01-18  8:55       ` Jakub Jelinek
2017-01-18 18:08         ` Martin Sebor
2017-01-20 23:32           ` Jeff Law
2017-01-21  6:42             ` A + B CMP A -> A CMP' CST' match.pd patterns [was [PATCH] avoid calling memset et al. with excessively large sizes (PR 79095)] Jeff Law
2017-01-21  8:18               ` Marc Glisse
2017-01-24  0:21                 ` Jeff Law
2017-01-24 10:49                   ` Richard Biener
2017-01-24 14:46                     ` Marc Glisse
2017-01-24 15:21                       ` Jeff Law
2017-01-24 16:02                         ` Marc Glisse
2017-01-24 16:28                           ` Richard Biener
2017-01-25 10:36                         ` Richard Biener
2017-01-25 17:45                           ` Jeff Law
2017-01-23  9:14               ` Richard Biener
2017-01-23 21:13                 ` Jeff Law
2017-01-20 23:32         ` [PATCH] avoid calling memset et al. with excessively large sizes (PR 79095) Jeff Law
2017-01-20 23:39           ` Jakub Jelinek
2017-01-21  0:19             ` Jeff Law
2017-01-17 15:26 ` Jeff Law
2017-01-17 16:14   ` Martin Sebor [this message]
2017-01-17 18:00     ` Jeff Law
2017-01-18  3:19       ` Martin Sebor

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e79b9029-8914-5a3f-3423-04ba5fd2900c@gmail.com \
    --to=msebor@gmail.com \
    --cc=gcc-patches@gcc.gnu.org \
    --cc=law@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).