From patchwork Wed Mar 30 08:41:09 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jakub Jelinek <jakub@redhat.com>
X-Patchwork-Id: 1610989
Return-Path: <gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=pass (1024-bit key;
 unprotected) header.d=gcc.gnu.org header.i=@gcc.gnu.org header.a=rsa-sha256
 header.s=default header.b=EJACB1k0;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=gcc.gnu.org
 (client-ip=8.43.85.97; helo=sourceware.org;
 envelope-from=gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org;
 receiver=<UNKNOWN>)
Received: from sourceware.org (server2.sourceware.org [8.43.85.97])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by bilbo.ozlabs.org (Postfix) with ESMTPS id 4KT0Ky6BFnz9sDX
	for <incoming@patchwork.ozlabs.org>; Wed, 30 Mar 2022 19:42:13 +1100 (AEDT)
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id 271DD385840F
	for <incoming@patchwork.ozlabs.org>; Wed, 30 Mar 2022 08:42:10 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 271DD385840F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
	s=default; t=1648629730;
	bh=tAz5lniPuYj1pExq3+SpGl5tMRgRHJUyrqg1COY93PU=;
	h=Date:To:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:
	 List-Help:List-Subscribe:From:Reply-To:Cc:From;
	b=EJACB1k0sUdSTft142xuCBHhIiu03Ve27D1NRHZKtud6qPb6yLSIZi1/E1s568Jdp
	 W373k98963UVQzHvVz1F1Yixt4A1e+AgBRH/eMKSZX8+U88aUp9qIT1PM8g0l38/Rc
	 ODg40Pve64qTnT5uAgv+KH7GyfsZ7v6+WDtZR/Wg=
X-Original-To: gcc-patches@gcc.gnu.org
Delivered-To: gcc-patches@gcc.gnu.org
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
 by sourceware.org (Postfix) with ESMTPS id B46543858403
 for <gcc-patches@gcc.gnu.org>; Wed, 30 Mar 2022 08:41:26 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org B46543858403
Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com
 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-519-6tJPegSKOBGV8gXMzLaeRg-1; Wed, 30 Mar 2022 04:41:18 -0400
X-MC-Unique: 6tJPegSKOBGV8gXMzLaeRg-1
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com
 [10.11.54.2])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mimecast-mx02.redhat.com (Postfix) with ESMTPS id BE9D1382220E;
 Wed, 30 Mar 2022 08:41:17 +0000 (UTC)
Received: from tucnak.zalov.cz (unknown [10.39.192.15])
 by smtp.corp.redhat.com (Postfix) with ESMTPS id 7D8B040D2822;
 Wed, 30 Mar 2022 08:41:17 +0000 (UTC)
Received: from tucnak.zalov.cz (localhost [127.0.0.1])
 by tucnak.zalov.cz (8.16.1/8.16.1) with ESMTPS id 22U8fF6p156802
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT);
 Wed, 30 Mar 2022 10:41:15 +0200
Received: (from jakub@localhost)
 by tucnak.zalov.cz (8.16.1/8.16.1/Submit) id 22U8f9Qp156799;
 Wed, 30 Mar 2022 10:41:09 +0200
Date: Wed, 30 Mar 2022 10:41:09 +0200
To: Richard Biener <rguenther@suse.de>
Subject: [PATCH] ubsan: Fix ICE due to -fsanitize=object-size [PR105093]
Message-ID: <YkQXpVNfEAwu/ylc@tucnak>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.84 on 10.11.54.2
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Disposition: inline
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_LOW,
 RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE, TXREP,
 T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: gcc-patches@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-patches mailing list <gcc-patches.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-patches>,
 <mailto:gcc-patches-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-patches/>
List-Post: <mailto:gcc-patches@gcc.gnu.org>
List-Help: <mailto:gcc-patches-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-patches>,
 <mailto:gcc-patches-request@gcc.gnu.org?subject=subscribe>
X-Patchwork-Original-From: Jakub Jelinek via Gcc-patches
 <gcc-patches@gcc.gnu.org>
From: Jakub Jelinek <jakub@redhat.com>
Reply-To: Jakub Jelinek <jakub@redhat.com>
Cc: gcc-patches@gcc.gnu.org
Errors-To: gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org
Sender: "Gcc-patches"
 <gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org>

Hi!

The following testcase ICEs, because for a volatile X & RESULT_DECL
ubsan wants to take address of that reference.  instrument_object_size
is called with x, so the base is equal to the access and the var
is automatic, so there is no risk of an out of bounds access for it.
Normally we wouldn't instrument those because we fold address of the
t - address of inner to 0, add constant size of the decl and it is
equal to what __builtin_object_size computes.  But the volatile
results in the subtraction not being folded.

The first hunk fixes it by punting if we access the whole automatic
decl, so that even volatile won't cause a problem.
The second hunk (not strictly needed for this testcase) is similar
to what has been added to asan.cc recently, if we actually take
address of a decl and keep it in the IL, we better mark it addressable.

Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?

2022-03-30  Jakub Jelinek  <jakub@redhat.com>

	PR sanitizer/105093
	* ubsan.cc (instrument_object_size): If t is equal to inner and
	is a decl other than global var, punt.  When emitting call to
	UBSAN_OBJECT_SIZE ifn, make sure base is addressable.

	* g++.dg/ubsan/pr105093.C: New test.


	Jakub

--- gcc/ubsan.cc.jj	2022-02-22 10:38:02.000000000 +0100
+++ gcc/ubsan.cc	2022-03-29 14:02:42.877916597 +0200
@@ -2123,6 +2123,8 @@ instrument_object_size (gimple_stmt_iter
 	   || TREE_CODE (inner) == RESULT_DECL)
 	  && DECL_REGISTER (inner))
 	return;
+      if (t == inner && !is_global_var (t))
+	return;
       base = inner;
     }
   else if (TREE_CODE (inner) == MEM_REF)
@@ -2219,6 +2221,11 @@ instrument_object_size (gimple_stmt_iter
 	}
     }
 
+  if (DECL_P (base)
+      && decl_function_context (base) == current_function_decl
+      && !TREE_ADDRESSABLE (base))
+    mark_addressable (base);
+
   if (bos_stmt && gimple_call_builtin_p (bos_stmt, BUILT_IN_OBJECT_SIZE))
     ubsan_create_edge (bos_stmt);
 
--- gcc/testsuite/g++.dg/ubsan/pr105093.C.jj	2022-03-29 13:34:42.462885890 +0200
+++ gcc/testsuite/g++.dg/ubsan/pr105093.C	2022-03-29 14:22:22.385209238 +0200
@@ -0,0 +1,12 @@
+// PR sanitizer/105093
+// { dg-do compile }
+// { dg-options "-O2 -fsanitize=undefined -Wno-volatile" }
+
+struct X { X (); ~X (); };
+
+volatile X
+foo ()
+{
+  X x;
+  return x;
+}