From patchwork Wed Mar 20 13:15:17 2024
X-Patchwork-Submitter: Qing Zhao
X-Patchwork-Id: 1914109
From: Qing Zhao
To: josmyers@redhat.com, richard.guenther@gmail.com, siddhesh@gotplt.org, uecker@tugraz.at
Cc: keescook@chromium.org, isanbard@gmail.com, gcc-patches@gcc.gnu.org, Qing Zhao
Subject: [PATCH v7 4/5] Use the .ACCESS_WITH_SIZE in bound sanitizer.
Date: Wed, 20 Mar 2024 13:15:17 +0000
Message-Id: <20240320131518.2292317-5-qing.zhao@oracle.com>
In-Reply-To: <20240320131518.2292317-1-qing.zhao@oracle.com>
References: <20240320131518.2292317-1-qing.zhao@oracle.com>

gcc/c-family/ChangeLog:

	* c-ubsan.cc (get_bound_from_access_with_size): New function.
	(ubsan_instrument_bounds): Handle call to .ACCESS_WITH_SIZE.

gcc/testsuite/ChangeLog:

	* gcc.dg/ubsan/flex-array-counted-by-bounds-2.c: New test.
	* gcc.dg/ubsan/flex-array-counted-by-bounds-3.c: New test.
	* gcc.dg/ubsan/flex-array-counted-by-bounds-4.c: New test.
	* gcc.dg/ubsan/flex-array-counted-by-bounds.c: New test.
--- gcc/c-family/c-ubsan.cc | 42 +++++++++++++++++ .../ubsan/flex-array-counted-by-bounds-2.c | 45 ++++++++++++++++++ .../ubsan/flex-array-counted-by-bounds-3.c | 34 ++++++++++++++ .../ubsan/flex-array-counted-by-bounds-4.c | 34 ++++++++++++++ .../ubsan/flex-array-counted-by-bounds.c | 46 +++++++++++++++++++ 5 files changed, 201 insertions(+) create mode 100644 gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-2.c create mode 100644 gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-3.c create mode 100644 gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-4.c create mode 100644 gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds.c diff --git a/gcc/c-family/c-ubsan.cc b/gcc/c-family/c-ubsan.cc index 940982819ddf..7cd3c6aa5b88 100644 --- a/gcc/c-family/c-ubsan.cc +++ b/gcc/c-family/c-ubsan.cc 
@@ -376,6 +376,40 @@ ubsan_instrument_return (location_t loc) return build_call_expr_loc (loc, t, 1, build_fold_addr_expr_loc (loc, data)); } +/* Get the tree that represented the number of counted_by, i.e, the maximum + number of the elements of the object that the call to .ACCESS_WITH_SIZE + points to, this number will be the bound of the corresponding array. */ +static tree +get_bound_from_access_with_size (tree call) +{ + if (!is_access_with_size_p (call)) + return NULL_TREE; + + tree ref_to_size = CALL_EXPR_ARG (call, 1); + unsigned int class_of_size = TREE_INT_CST_LOW (CALL_EXPR_ARG (call, 2)); + tree type = TREE_TYPE (CALL_EXPR_ARG (call, 3)); + tree size = fold_build2 (MEM_REF, type, unshare_expr (ref_to_size), + build_int_cst (ptr_type_node, 0)); + /* If size is negative value, treat it as zero. */ + if (!TYPE_UNSIGNED (type)) + { + tree cond = fold_build2 (LT_EXPR, boolean_type_node, + unshare_expr (size), build_zero_cst (type)); + size = fold_build3 (COND_EXPR, type, cond, + build_zero_cst (type), size); + } + + /* Only when class_of_size is 1, i.e, the number of the elements of + the object type, return the size. */ + if (class_of_size != 1) + return NULL_TREE; + else + size = fold_convert (sizetype, size); + + return size; +} + + /* Instrument array bounds for ARRAY_REFs. We create special builtin, that gets expanded in the sanopt pass, and make an array dimension of it. ARRAY is the array, *INDEX is an index to the array. @@ -401,6 +435,14 @@ ubsan_instrument_bounds (location_t loc, tree array, tree *index, && COMPLETE_TYPE_P (type) && integer_zerop (TYPE_SIZE (type))) bound = build_int_cst (TREE_TYPE (TYPE_MIN_VALUE (domain)), -1); + else if (INDIRECT_REF_P (array) + && is_access_with_size_p ((TREE_OPERAND (array, 0)))) + { + bound = get_bound_from_access_with_size ((TREE_OPERAND (array, 0))); + bound = fold_build2 (MINUS_EXPR, TREE_TYPE (bound), + bound, + build_int_cst (TREE_TYPE (bound), 1)); + } else return NULL_TREE; } 
diff --git a/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-2.c b/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-2.c new file mode 100644 index 000000000000..148934975ee5 --- /dev/null +++ b/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-2.c @@ -0,0 +1,45 @@ +/* test the attribute counted_by and its usage in + bounds sanitizer combined with VLA. */ +/* { dg-do run } */ +/* { dg-options "-fsanitize=bounds" } */ +/* { dg-output "index 11 out of bounds for type 'int \\\[\\\*\\\]\\\[\\\*\\\]'\[^\n\r]*(\n|\r\n|\r)" } */ +/* { dg-output "\[^\n\r]*index 20 out of bounds for type 'int \\\[\\\*\\\]\\\[\\\*\\\]\\\[\\\*\\\]'\[^\n\r]*(\n|\r\n|\r)" } */ +/* { dg-output "\[^\n\r]*index 11 out of bounds for type 'int \\\[\\\*\\\]\\\[\\\*\\\]'\[^\n\r]*(\n|\r\n|\r)" } */ +/* { dg-output "\[^\n\r]*index 10 out of bounds for type 'int \\\[\\\*\\\]'\[^\n\r]*(\n|\r\n|\r)" } */ + + +#include + +void __attribute__((__noinline__)) setup_and_test_vla (int n, int m) +{ + struct foo { + int n; + int p[][n] __attribute__((counted_by(n))); + } *f; + + f = (struct foo *) malloc (sizeof(struct foo) + m*sizeof(int[n])); + f->n = m; + f->p[m][n-1]=1; + return; +} + +void __attribute__((__noinline__)) setup_and_test_vla_1 (int n1, int n2, int m) +{ + struct foo { + int n; + int p[][n2][n1] __attribute__((counted_by(n))); + } *f; + + f = (struct foo *) malloc (sizeof(struct foo) + m*sizeof(int[n2][n1])); + f->n = m; + f->p[m][n2][n1]=1; + return; +} + +int main(int argc, char *argv[]) +{ + setup_and_test_vla (10, 11); + setup_and_test_vla_1 (10, 11, 20); + return 0; +} + diff --git a/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-3.c b/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-3.c new file mode 100644 index 000000000000..33bdea1c430b --- /dev/null +++ b/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-3.c 
@@ -0,0 +1,34 @@ +/* test the attribute counted_by and its usage in bounds + sanitizer. when counted_by field is negative value. */ +/* { dg-do run } */ +/* { dg-options "-fsanitize=bounds" } */ + +#include + +struct annotated { + int b; + int c[] __attribute__ ((counted_by (b))); +} *array_annotated; + +void __attribute__((__noinline__)) setup (int annotated_count) +{ + array_annotated + = (struct annotated *)malloc (sizeof (struct annotated)); + array_annotated->b = annotated_count; + + return; +} + +void __attribute__((__noinline__)) test (int annotated_index) +{ + array_annotated->c[annotated_index] = 2; +} + +int main(int argc, char *argv[]) +{ + setup (-3); + test (2); + return 0; +} + +/* { dg-output "24:21: runtime error: index 2 out of bounds for type" } */ diff --git a/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-4.c b/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-4.c new file mode 100644 index 000000000000..c6b55defeae4 --- /dev/null +++ b/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds-4.c @@ -0,0 +1,34 @@ +/* test the attribute counted_by and its usage in bounds + sanitizer. when counted_by field is zero value. */ +/* { dg-do run } */ +/* { dg-options "-fsanitize=bounds" } */ + +#include + +struct annotated { + int b; + int c[] __attribute__ ((counted_by (b))); +} *array_annotated; + +void __attribute__((__noinline__)) setup (int annotated_count) +{ + array_annotated + = (struct annotated *)malloc (sizeof (struct annotated)); + array_annotated->b = annotated_count; + + return; +} + +void __attribute__((__noinline__)) test (int annotated_index) +{ + array_annotated->c[annotated_index] = 2; +} + +int main(int argc, char *argv[]) +{ + setup (0); + test (1); + return 0; +} + +/* { dg-output "24:21: runtime error: index 1 out of bounds for type" } */ 
diff --git a/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds.c b/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds.c new file mode 100644 index 000000000000..81eaeb3f2681 --- /dev/null +++ b/gcc/testsuite/gcc.dg/ubsan/flex-array-counted-by-bounds.c @@ -0,0 +1,46 @@ +/* test the attribute counted_by and its usage in + bounds sanitizer. */ +/* { dg-do run } */ +/* { dg-options "-fsanitize=bounds" } */ + +#include + +struct flex { + int b; + int c[]; +} *array_flex; + +struct annotated { + int b; + int c[] __attribute__ ((counted_by (b))); +} *array_annotated; + +void __attribute__((__noinline__)) setup (int normal_count, int annotated_count) +{ + array_flex + = (struct flex *)malloc (sizeof (struct flex) + + normal_count * sizeof (int)); + array_flex->b = normal_count; + + array_annotated + = (struct annotated *)malloc (sizeof (struct annotated) + + annotated_count * sizeof (int)); + array_annotated->b = annotated_count; + + return; +} + +void __attribute__((__noinline__)) test (int normal_index, int annotated_index) +{ + array_flex->c[normal_index] = 1; + array_annotated->c[annotated_index] = 2; +} + +int main(int argc, char *argv[]) +{ + setup (10, 10); + test (10, 10); + return 0; +} + +/* { dg-output "36:21: runtime error: index 10 out of bounds for type" } */
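
Review bot: in the first c-ubsan.cc hunk (get_bound_from_access_with_size), the class_of_size != 1 test comes after the MEM_REF and COND_EXPR trees have already been built, so that work is thrown away whenever the function returns NULL_TREE. Move the check up to just after class_of_size is read, which also removes the need for the "else" following "return NULL_TREE;". The leading comment ("the tree that represented the number of counted_by") would read better as a plain statement of the return value, including the NULL_TREE case and the clamping of a negative count to zero, and the hunk leaves two blank lines after the function where one is used elsewhere.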
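
Review bot: in the second c-ubsan.cc hunk (ubsan_instrument_bounds), the result of get_bound_from_access_with_size is used in "TREE_TYPE (bound)" without a NULL_TREE check, yet the helper returns NULL_TREE when class_of_size is not 1. The is_access_with_size_p test in the condition only rules out the helper's first early return, not the second. Check the result and fall through to "return NULL_TREE;" when it is null before building the MINUS_EXPR. A short comment on why 1 is subtracted, and on what happens to a zero count in sizetype, would help the next reader. The doubled parentheses in "((TREE_OPERAND (array, 0)))" can be dropped.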
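
Review bot: in flex-array-counted-by-bounds-2.c, both stores ("f->p[m][n-1]=1" and "f->p[m][n2][n1]=1") land outside the malloc'd block, and since the test expects four reports in sequence the program clearly keeps running after each one, so the writes really happen. Allocating more rows than the value stored in f->n would keep the stores inside the allocation while still exceeding the counted_by bound, so the test exercises the sanitizer without depending on heap layout. A comment naming which index trips which of the four dg-output lines would also make the expectations easier to check.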
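
Review bot: in flex-array-counted-by-bounds-3.c, "setup (-3); test (2);" does not probe the boundary of the negative-count clamp. If a negative count is treated as zero, index 0 is the first out-of-bounds index and is the case that would catch an off-by-one in the clamp. Consider testing index 0 here, or in addition. The dg-output pattern also hard-codes "24:21", which will break on any edit above that line, so matching only the message text would be more robust.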
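
Review bot: flex-array-counted-by-bounds-4.c is the same file as -3.c apart from the header comment, the arguments in main ("setup (0); test (1);") and the expected index. The two could be one test that calls setup/test twice with different counts, which keeps the negative and zero cases side by side. As in -3.c, index 0 is the tighter check for a zero count.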
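
Review bot: flex-array-counted-by-bounds.c only checks the failing side of the bound: "test (10, 10)" with a count of 10 shows that index 10 is reported, but no call shows that index 9 is accepted. Since the bound is computed as the count minus 1 in c-ubsan.cc, an in-bounds call such as test (9, 9) with a check that no extra diagnostic appears would guard against an off-by-one in either direction. The test also relies on the unannotated array_flex->c[10] store at the line before producing no report, and nothing in the dg-output directives asserts that.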