| Message ID | 20200406224316.GW2212@tucnak |
|---|---|
| State | New |
| Headers | show |
| Series | c++: Further fix for -fsanitize=vptr [PR94325] | expand |
On 4/6/20 6:43 PM, Jakub Jelinek wrote: > Hi! > > For -fsanitize=vptr, we insert a NULL store into the vptr instead of just > adding a CLOBBER of this. build_clobber_this makes the CLOBBER conditional > on in_charge (implicit) parameter whenever CLASSTYPE_VBASECLASSES, but when > adding this conditionalization to the -fsanitize=vptr code in PR87095, > I wanted it to catch some more cases when the class has CLASSTYPE_VBASECLASSES, > but the vptr is still not shared with something else, otherwise the > sanitization would be less effective. > The following testcase shows that the chosen test that CLASSTYPE_PRIMARY_BINFO > is non-NULL and has BINFO_VIRTUAL_P set wasn't sufficient, > the D class has still sizeof(D) == sizeof(void*) and thus contains just > a single vptr, but while in B::~B() this results in the vptr not being > cleared, in C::~C() this condition isn't true, as CLASSTYPE_PRIMARY_BINFO > in that case is B and is not BINFO_VIRTUAL_P, so it clears the vptr, but the > D::~D() dtor after invoking C::~C() invokes A::~A() with an already cleared > vptr, which is then reported. > The following patch is just a shot in the dark, keep looking through > CLASSTYPE_PRIMARY_BINFO until we find BINFO_VIRTUAL_P, but it works on the > existing testcase as well as this new one. > > Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk? > Or do we want some other test? OK. > 2020-04-06 Jakub Jelinek <jakub@redhat.com> > > PR c++/94325 > * decl.c (begin_destructor_body): For CLASSTYPE_VBASECLASSES class > dtors, if CLASSTYPE_PRIMARY_BINFO is non-NULL, but not BINFO_VIRTUAL_P, > look at CLASSTYPE_PRIMARY_BINFO of its BINFO_TYPE if it is not > BINFO_VIRTUAL_P, and so on. > > * g++.dg/ubsan/vptr-15.C: New test. > > --- gcc/cp/decl.c.jj 2020-03-27 09:59:26.407083563 +0100 > +++ gcc/cp/decl.c 2020-04-06 13:25:03.321511554 +0200 > @@ -16662,14 +16662,20 @@ begin_destructor_body (void) > /* If the vptr is shared with some virtual nearly empty base, > don't clear it if not in charge, the dtor of the virtual > nearly empty base will do that later. */ > - if (CLASSTYPE_VBASECLASSES (current_class_type) > - && CLASSTYPE_PRIMARY_BINFO (current_class_type) > - && BINFO_VIRTUAL_P > - (CLASSTYPE_PRIMARY_BINFO (current_class_type))) > + if (CLASSTYPE_VBASECLASSES (current_class_type)) > { > - stmt = convert_to_void (stmt, ICV_STATEMENT, > - tf_warning_or_error); > - stmt = build_if_in_charge (stmt); > + tree c = current_class_type; > + while (CLASSTYPE_PRIMARY_BINFO (c)) > + { > + if (BINFO_VIRTUAL_P (CLASSTYPE_PRIMARY_BINFO (c))) > + { > + stmt = convert_to_void (stmt, ICV_STATEMENT, > + tf_warning_or_error); > + stmt = build_if_in_charge (stmt); > + break; > + } > + c = BINFO_TYPE (CLASSTYPE_PRIMARY_BINFO (c)); > + } > } > finish_decl_cleanup (NULL_TREE, stmt); > } > --- gcc/testsuite/g++.dg/ubsan/vptr-15.C.jj 2020-04-06 13:32:43.501627756 +0200 > +++ gcc/testsuite/g++.dg/ubsan/vptr-15.C 2020-04-06 13:37:52.642001353 +0200 > @@ -0,0 +1,14 @@ > +// PR c++/94325 > +// { dg-do run { target c++11 } } > +// { dg-options "-fsanitize=vptr -fno-sanitize-recover=vptr" } > + > +struct A { virtual ~A () = default; }; > +struct B : public virtual A {}; > +struct C : public B {}; > +struct D : public C {}; > + > +int > +main () > +{ > + D a; > +} > > Jakub >
--- gcc/cp/decl.c.jj 2020-03-27 09:59:26.407083563 +0100 +++ gcc/cp/decl.c 2020-04-06 13:25:03.321511554 +0200 @@ -16662,14 +16662,20 @@ begin_destructor_body (void) /* If the vptr is shared with some virtual nearly empty base, don't clear it if not in charge, the dtor of the virtual nearly empty base will do that later. */ - if (CLASSTYPE_VBASECLASSES (current_class_type) - && CLASSTYPE_PRIMARY_BINFO (current_class_type) - && BINFO_VIRTUAL_P - (CLASSTYPE_PRIMARY_BINFO (current_class_type))) + if (CLASSTYPE_VBASECLASSES (current_class_type)) { - stmt = convert_to_void (stmt, ICV_STATEMENT, - tf_warning_or_error); - stmt = build_if_in_charge (stmt); + tree c = current_class_type; + while (CLASSTYPE_PRIMARY_BINFO (c)) + { + if (BINFO_VIRTUAL_P (CLASSTYPE_PRIMARY_BINFO (c))) + { + stmt = convert_to_void (stmt, ICV_STATEMENT, + tf_warning_or_error); + stmt = build_if_in_charge (stmt); + break; + } + c = BINFO_TYPE (CLASSTYPE_PRIMARY_BINFO (c)); + } } finish_decl_cleanup (NULL_TREE, stmt); } --- gcc/testsuite/g++.dg/ubsan/vptr-15.C.jj 2020-04-06 13:32:43.501627756 +0200 +++ gcc/testsuite/g++.dg/ubsan/vptr-15.C 2020-04-06 13:37:52.642001353 +0200 @@ -0,0 +1,14 @@ +// PR c++/94325 +// { dg-do run { target c++11 } } +// { dg-options "-fsanitize=vptr -fno-sanitize-recover=vptr" } + +struct A { virtual ~A () = default; }; +struct B : public virtual A {}; +struct C : public B {}; +struct D : public C {}; + +int +main () +{ + D a; +}