| Message ID | 20201202231857.2416552-1-polacek@redhat.com |
|---|---|
| State | New |
| Series | c++: ICE with -fsanitize=vptr and constexpr dynamic_cast [PR98103] |
On 12/2/20 6:18 PM, Marek Polacek wrote: > -fsanitize=vptr initializes all vtable pointers to null so that it can > catch invalid calls; see cp_ubsan_maybe_initialize_vtbl_ptrs. That > means that evaluating a vtable reference can produce a null pointer > in this mode, so cxx_eval_dynamic_cast_fn should check that. Yes, but we shouldn't accept it silently; sanitize is supposed to flag undefined behavior, not allow it. If we see a null vptr, we should complain and set *non_constant_p. > Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk? > > gcc/cp/ChangeLog: > > PR c++/98103 > * constexpr.c (cxx_eval_dynamic_cast_fn): If the evaluating of vtable > yields a null pointer, return. > > gcc/testsuite/ChangeLog: > > PR c++/98103 > * g++.dg/ubsan/vptr-18.C: New test. > --- > gcc/cp/constexpr.c | 4 +++- > gcc/testsuite/g++.dg/ubsan/vptr-18.C | 27 +++++++++++++++++++++++++++ > 2 files changed, 30 insertions(+), 1 deletion(-) > create mode 100644 gcc/testsuite/g++.dg/ubsan/vptr-18.C > > diff --git a/gcc/cp/constexpr.c b/gcc/cp/constexpr.c > index 9a1a1db1267..8c6a9cf2b40 100644 > --- a/gcc/cp/constexpr.c > +++ b/gcc/cp/constexpr.c > @@ -1996,7 +1996,9 @@ cxx_eval_dynamic_cast_fn (const constexpr_ctx *ctx, tree call, > tree vtable = build_vfield_ref (obj, TREE_TYPE (obj)); > vtable = cxx_eval_constant_expression (ctx, vtable, /*lval*/false, > non_constant_p, overflow_p); > - if (*non_constant_p) > + /* With -fsanitize=vptr, we initialize all vtable pointers to null, > + so it's possible that we got a null pointer now. */ > + if (*non_constant_p || integer_zerop (vtable)) > return call; > /* VTABLE will be &_ZTV1A + 16 or similar, get _ZTV1A. */ > vtable = extract_obj_from_addr_offset (vtable); > diff --git a/gcc/testsuite/g++.dg/ubsan/vptr-18.C b/gcc/testsuite/g++.dg/ubsan/vptr-18.C > new file mode 100644 > index 00000000000..9f421c269bc > --- /dev/null > +++ b/gcc/testsuite/g++.dg/ubsan/vptr-18.C 
> @@ -0,0 +1,27 @@ > +// PR c++/98103 > +// { dg-do compile { target c++20 } } > +// { dg-additional-options "-fsanitize=vptr" } > +// Modified constexpr-dynamic17.C. -fsanitize=vptr initializes all vtable > +// pointers to null, so we don't get the "accessing uninitialized member" > +// error. > + > +struct V { > + virtual void f(); > +}; > + > +struct A : V { }; > + > +struct B : V { > + constexpr B(V*, A*); > +}; > + > +struct D : B, A { > + constexpr D() : B((A*)this, this) { } > +}; > + > +constexpr B::B(V* v, A* a) > +{ > + dynamic_cast<B*>(a); > +} > + > +constexpr D d; > > base-commit: dc2b372ed1b1e9af6db45051cff95478c7616807 >
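Review bot: `if (*non_constant_p || integer_zerop (vtable)) return call;` in the constexpr.c hunk handles a null vtable pointer exactly like a non-constant one, but without setting *non_constant_p and without any diagnostic, so the use of an uninitialized vptr (the undefined behaviour that -fsanitize=vptr exists to flag) is neither rejected nor reported during constant evaluation; the null case should set *non_constant_p = true and call error_at when !ctx->quiet, and the new comment above the check should say that this is invalid, not merely "possible".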
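Review bot: the new vptr-18.C carries no dg-error or dg-bogus directive, so it only verifies that the ICE is gone and would pass equally if the dynamic_cast in B::B were silently accepted as a constant expression; the header comment's note that the "accessing uninitialized member" error disappears under -fsanitize=vptr is the right observation, but that is the behaviour the test should assert on (a dg-error on the dynamic_cast line once the null vptr is diagnosed) rather than only document.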
On Wed, Dec 02, 2020 at 09:01:48PM -0500, Jason Merrill wrote:
> On 12/2/20 6:18 PM, Marek Polacek wrote:
> > -fsanitize=vptr initializes all vtable pointers to null so that it can
> > catch invalid calls; see cp_ubsan_maybe_initialize_vtbl_ptrs. That
> > means that evaluating a vtable reference can produce a null pointer
> > in this mode, so cxx_eval_dynamic_cast_fn should check that.
>
> Yes, but we shouldn't accept it silently; sanitize is supposed to flag
> undefined behavior, not allow it. If we see a null vptr, we should complain
> and set *non_constant_p.

True, I shouldn't have left it for the run-time diagnostic. How's this, then?

Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?

-- >8 --
-fsanitize=vptr initializes all vtable pointers to null so that it can
catch invalid calls; see cp_ubsan_maybe_initialize_vtbl_ptrs. That
means that evaluating a vtable reference can produce a null pointer
in this mode, so cxx_eval_dynamic_cast_fn should check that and give
an error.

gcc/cp/ChangeLog:

	PR c++/98103
	* constexpr.c (cxx_eval_dynamic_cast_fn): If evaluating the vtable
	yields a null pointer, give an error and return. Use objtype.

gcc/testsuite/ChangeLog:

	PR c++/98103
	* g++.dg/ubsan/vptr-18.C: New test.
---
 gcc/cp/constexpr.c | 11 ++++++++++-
 gcc/testsuite/g++.dg/ubsan/vptr-18.C | 25 +++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/g++.dg/ubsan/vptr-18.C

diff --git a/gcc/cp/constexpr.c b/gcc/cp/constexpr.c
index e0d358027c9..c413313fbe1 100644
--- a/gcc/cp/constexpr.c
+++ b/gcc/cp/constexpr.c
@@ -1998,11 +1998,20 @@ cxx_eval_dynamic_cast_fn (const constexpr_ctx *ctx, tree call, to the object under construction or destruction, this object is considered to be a most derived object that has the type of the constructor or destructor's class. */ - tree vtable = build_vfield_ref (obj, TREE_TYPE (obj)); + tree vtable = build_vfield_ref (obj, objtype); vtable = cxx_eval_constant_expression (ctx, vtable, /*lval*/false, non_constant_p, overflow_p); if (*non_constant_p) return call; + /* With -fsanitize=vptr, we initialize all vtable pointers to null, + so it's possible that we got a null pointer now. */ + if (integer_zerop (vtable)) + { + if (!ctx->quiet) + error_at (loc, "virtual table pointer is used uninitialized"); + *non_constant_p = true; + return integer_zero_node; + } /* VTABLE will be &_ZTV1A + 16 or similar, get _ZTV1A. */ vtable = extract_obj_from_addr_offset (vtable); const tree mdtype = DECL_CONTEXT (vtable); diff --git a/gcc/testsuite/g++.dg/ubsan/vptr-18.C b/gcc/testsuite/g++.dg/ubsan/vptr-18.C new file mode 100644 index 00000000000..cd2ca0a9fb6 --- /dev/null +++ b/gcc/testsuite/g++.dg/ubsan/vptr-18.C @@ -0,0 +1,25 @@ +// PR c++/98103 +// { dg-do compile { target c++20 } } +// { dg-additional-options "-fsanitize=vptr -fno-sanitize-recover=vptr" } +// Modified constexpr-dynamic17.C. + +struct V { + virtual void f(); +}; + +struct A : V { }; + +struct B : V { + constexpr B(V*, A*); +}; + +struct D : B, A { + constexpr D() : B((A*)this, this) { } +}; + +constexpr B::B(V* v, A* a) +{ + dynamic_cast<B*>(a); // { dg-error "uninitialized" } +} + +constexpr D d; base-commit: df933e307b1950ce12472660dcac1765b8eb431d
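Review bot: the `build_vfield_ref (obj, TREE_TYPE (obj))` to `build_vfield_ref (obj, objtype)` change in the constexpr.c hunk is a separate fix that only the ChangeLog ("Use objtype") mentions; the commit message should say why the vfield must be taken from objtype here (the comment directly above talks about the object under construction being treated as the most derived object), or that change should go in its own commit. The null-vptr block itself reads correctly: it diagnoses only when !ctx->quiet, sets *non_constant_p, and returns integer_zero_node rather than the unevaluated call, so a speculative evaluation stays silent while a required constant evaluation is rejected.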
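Review bot: the test's dg-additional-options line adds -fno-sanitize-recover=vptr next to -fsanitize=vptr, but the header comment only says "Modified constexpr-dynamic17.C"; a line explaining why recovery has to be disabled for this case (or dropping the option if it is not needed to reach the constexpr path) would save the next person who touches the test from guessing. The `{ dg-error "uninitialized" }` on the dynamic_cast line matches the new error_at text, which is the check the first version of the test was missing.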
On 12/4/20 10:40 PM, Marek Polacek wrote: > On Wed, Dec 02, 2020 at 09:01:48PM -0500, Jason Merrill wrote: >> On 12/2/20 6:18 PM, Marek Polacek wrote: >>> -fsanitize=vptr initializes all vtable pointers to null so that it can >>> catch invalid calls; see cp_ubsan_maybe_initialize_vtbl_ptrs. That >>> means that evaluating a vtable reference can produce a null pointer >>> in this mode, so cxx_eval_dynamic_cast_fn should check that. >> >> Yes, but we shouldn't accept it silently; sanitize is supposed to flag >> undefined behavior, not allow it. If we see a null vptr, we should complain >> and set *non_constant_p. > > True, I shouldn't have left it for the run-time diagnostic. How's this, then? > > Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk? OK. > -- >8 -- > -fsanitize=vptr initializes all vtable pointers to null so that it can > catch invalid calls; see cp_ubsan_maybe_initialize_vtbl_ptrs. That > means that evaluating a vtable reference can produce a null pointer > in this mode, so cxx_eval_dynamic_cast_fn should check that and give > and error. > > gcc/cp/ChangeLog: > > PR c++/98103 > * constexpr.c (cxx_eval_dynamic_cast_fn): If the evaluating of vtable > yields a null pointer, give an error and return. Use objtype. > > gcc/testsuite/ChangeLog: > > PR c++/98103 > * g++.dg/ubsan/vptr-18.C: New test. > --- > gcc/cp/constexpr.c | 11 ++++++++++- > gcc/testsuite/g++.dg/ubsan/vptr-18.C | 25 +++++++++++++++++++++++++ > 2 files changed, 35 insertions(+), 1 deletion(-) > create mode 100644 gcc/testsuite/g++.dg/ubsan/vptr-18.C > > diff --git a/gcc/cp/constexpr.c b/gcc/cp/constexpr.c > index e0d358027c9..c413313fbe1 100644 > --- a/gcc/cp/constexpr.c > +++ b/gcc/cp/constexpr.c 
> @@ -1998,11 +1998,20 @@ cxx_eval_dynamic_cast_fn (const constexpr_ctx *ctx, tree call, > to the object under construction or destruction, this object is > considered to be a most derived object that has the type of the > constructor or destructor's class. */ > - tree vtable = build_vfield_ref (obj, TREE_TYPE (obj)); > + tree vtable = build_vfield_ref (obj, objtype); > vtable = cxx_eval_constant_expression (ctx, vtable, /*lval*/false, > non_constant_p, overflow_p); > if (*non_constant_p) > return call; > + /* With -fsanitize=vptr, we initialize all vtable pointers to null, > + so it's possible that we got a null pointer now. */ > + if (integer_zerop (vtable)) > + { > + if (!ctx->quiet) > + error_at (loc, "virtual table pointer is used uninitialized"); > + *non_constant_p = true; > + return integer_zero_node; > + } > /* VTABLE will be &_ZTV1A + 16 or similar, get _ZTV1A. */ > vtable = extract_obj_from_addr_offset (vtable); > const tree mdtype = DECL_CONTEXT (vtable); > diff --git a/gcc/testsuite/g++.dg/ubsan/vptr-18.C b/gcc/testsuite/g++.dg/ubsan/vptr-18.C > new file mode 100644 > index 00000000000..cd2ca0a9fb6 > --- /dev/null > +++ b/gcc/testsuite/g++.dg/ubsan/vptr-18.C > @@ -0,0 +1,25 @@ > +// PR c++/98103 > +// { dg-do compile { target c++20 } } > +// { dg-additional-options "-fsanitize=vptr -fno-sanitize-recover=vptr" } > +// Modified constexpr-dynamic17.C. > + > +struct V { > + virtual void f(); > +}; > + > +struct A : V { }; > + > +struct B : V { > + constexpr B(V*, A*); > +}; > + > +struct D : B, A { > + constexpr D() : B((A*)this, this) { } > +}; > + > +constexpr B::B(V* v, A* a) > +{ > + dynamic_cast<B*>(a); // { dg-error "uninitialized" } > +} > + > +constexpr D d; > > base-commit: df933e307b1950ce12472660dcac1765b8eb431d >
diff --git a/gcc/cp/constexpr.c b/gcc/cp/constexpr.c index 9a1a1db1267..8c6a9cf2b40 100644 --- a/gcc/cp/constexpr.c +++ b/gcc/cp/constexpr.c @@ -1996,7 +1996,9 @@ cxx_eval_dynamic_cast_fn (const constexpr_ctx *ctx, tree call, tree vtable = build_vfield_ref (obj, TREE_TYPE (obj)); vtable = cxx_eval_constant_expression (ctx, vtable, /*lval*/false, non_constant_p, overflow_p); - if (*non_constant_p) + /* With -fsanitize=vptr, we initialize all vtable pointers to null, + so it's possible that we got a null pointer now. */ + if (*non_constant_p || integer_zerop (vtable)) return call; /* VTABLE will be &_ZTV1A + 16 or similar, get _ZTV1A. */ vtable = extract_obj_from_addr_offset (vtable); diff --git a/gcc/testsuite/g++.dg/ubsan/vptr-18.C b/gcc/testsuite/g++.dg/ubsan/vptr-18.C new file mode 100644 index 00000000000..9f421c269bc --- /dev/null +++ b/gcc/testsuite/g++.dg/ubsan/vptr-18.C @@ -0,0 +1,27 @@ +// PR c++/98103 +// { dg-do compile { target c++20 } } +// { dg-additional-options "-fsanitize=vptr" } +// Modified constexpr-dynamic17.C. -fsanitize=vptr initializes all vtable +// pointers to null, so we don't get the "accessing uninitialized member" +// error. + +struct V { + virtual void f(); +}; + +struct A : V { }; + +struct B : V { + constexpr B(V*, A*); +}; + +struct D : B, A { + constexpr D() : B((A*)this, this) { } +}; + +constexpr B::B(V* v, A* a) +{ + dynamic_cast<B*>(a); +} + +constexpr D d;