This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
Re: [PATCH][ubsan] Add VLA bound instrumentation
- From: "Joseph S. Myers" <joseph at codesourcery dot com>
- To: Marek Polacek <polacek at redhat dot com>
- Cc: GCC Patches <gcc-patches at gcc dot gnu dot org>, Jakub Jelinek <jakub at redhat dot com>, Jason Merrill <jason at redhat dot com>
- Date: Fri, 13 Sep 2013 16:52:27 +0000
- Subject: Re: [PATCH][ubsan] Add VLA bound instrumentation
- References: <20130912122655 dot GN23899 at redhat dot com> <Pine dot LNX dot 4 dot 64 dot 1309121546080 dot 5614 at digraph dot polyomino dot org dot uk> <Pine dot LNX dot 4 dot 64 dot 1309121555130 dot 5614 at digraph dot polyomino dot org dot uk> <20130913095030 dot GS23899 at redhat dot com>
On Fri, 13 Sep 2013, Marek Polacek wrote:
> On Thu, Sep 12, 2013 at 04:05:48PM +0000, Joseph S. Myers wrote:
> > cause stack overflow that doesn't get detected by the kernel. So maybe
> > ubsan should imply -fstack-check or similar.
>
> Well, I have a patch for that, but I no longer think that ubsan should
> imply -fstack-check, since e.g.
>
> int
> main (void)
> {
>   int x = -1;
>   int b[x - 4];
>   /* ... */
>   return 0;
> }
>
> segfaults at runtime on the int b[x - 4]; line when -fstack-check is used
> (even without sanitizing), so we wouldn't give proper diagnostics
> for stmts following that line...
A guaranteed segfault is better than doing something undefined. But I'd
expect sanitizing to make the initial check that the array size in bytes
is in the range [1, PTRDIFF_MAX] and -fstack-check only to come into play
if that passes (for sizes that are too large for the stack limit in effect
at runtime although within the range that is in principle valid). You
probably don't want to enable -fstack-check from ubsan until the checks
for the range [1, PTRDIFF_MAX] are in place.
(Those checks, incidentally, would need to apply not just to arrays whose
specified size is variable, but also to constant-size arrays of
variable-size arrays - if you have a VLA type, then define an array
VLA array[10]; then you need to check that the result of the
multiplication of sizes in bytes doesn't exceed PTRDIFF_MAX. So the more
general checks can't all go in the place where you're inserting the checks
for a single variable size in isolation.)
--
Joseph S. Myers
joseph@codesourcery.com
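The range check Joseph describes, written out as a stand-alone illustration (this is added example code, not part of the thread, of GCC, or of the ubsan patch under discussion; the function names are hypothetical and the overflow check relies on the GCC/clang `__builtin_mul_overflow` builtin). It takes the signed value of a size expression such as `x - 4`, rejects anything outside [1, PTRDIFF_MAX] in bytes, and handles the nested case `VLA array[10]` by checking the product of all dimensions rather than the single variable dimension in isolation:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical check for a single VLA dimension: `count` is the signed value
   of the size expression (e.g. x - 4 in the quoted program), `elem_size` the
   size of one element in bytes.  Returns true and stores the total byte size
   in *out_bytes only when that size lies in [1, PTRDIFF_MAX]. */
static bool vla_size_ok(ptrdiff_t count, size_t elem_size, size_t *out_bytes)
{
    /* Negative or zero element counts are rejected before multiplying, so a
       count like -5 never wraps into a huge unsigned value. */
    if (count < 1 || elem_size == 0)
        return false;

    size_t bytes;
    /* Multiplication itself may overflow size_t; GCC/clang builtin. */
    if (__builtin_mul_overflow((size_t)count, elem_size, &bytes))
        return false;

    if (bytes > (size_t)PTRDIFF_MAX)
        return false;

    *out_bytes = bytes;
    return true;
}

/* The nested case from the reply: a constant-size array of `outer` VLAs, each
   of `count` elements.  The inner VLA may pass its own check while the product
   with the outer dimension still exceeds PTRDIFF_MAX, so the outer product is
   checked too. */
static bool nested_vla_size_ok(size_t outer, ptrdiff_t count, size_t elem_size,
                               size_t *out_bytes)
{
    size_t inner;
    if (!vla_size_ok(count, elem_size, &inner))
        return false;

    size_t total;
    if (outer == 0 || __builtin_mul_overflow(outer, inner, &total))
        return false;
    if (total > (size_t)PTRDIFF_MAX)
        return false;

    *out_bytes = total;
    return true;
}

int main(void)
{
    size_t bytes;
    int x = -1;                      /* constructed, mirrors the quoted program */

    /* int b[x - 4] : count is -5, rejected before any allocation happens. */
    printf("int b[x - 4]        -> %s\n",
           vla_size_ok(x - 4, sizeof(int), &bytes) ? "ok" : "rejected");

    /* int b[10] : 40 bytes, accepted. */
    printf("int b[10]           -> %s (%zu bytes)\n",
           vla_size_ok(10, sizeof(int), &bytes) ? "ok" : "rejected", bytes);

    /* Each inner VLA alone is just under PTRDIFF_MAX; ten of them are not. */
    printf("int vla[10][big]    -> %s\n",
           nested_vla_size_ok(10, PTRDIFF_MAX / 4, sizeof(int), &bytes)
               ? "ok" : "rejected");
    return 0;
}
```

Only the single-dimension check can be placed where a variable size expression is evaluated; the nested product has to be computed where the enclosing constant-size array's type is laid out, which is the point of Joseph's parenthetical remark.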