Re: [PATCH][ubsan] Add VLA bound instrumentation

["Joseph S. Myers" <joseph at codesourcery dot com>]

On Fri, 13 Sep 2013, Marek Polacek wrote:

> On Thu, Sep 12, 2013 at 04:05:48PM +0000, Joseph S. Myers wrote:
> > cause stack overflow that doesn't get detected by the kernel.  So maybe 
> > ubsan should imply -fstack-check or similar.
> 
> Well, I have a patch for that, but I no longer think that ubsan should
> imply -fstack-check, since e.g. 
> 
> int
> main (void)
> {
>   int x = -1;
>   int b[x - 4];
>   /* ... */
>   return 0;
> }
> 
> segfaults at runtime on int b[x - 4]; line when -fstack-check is used
> (even without sanitizing), so we wouldn't give proper diagnostics
> for stmts following that line...

A guaranteed segfault is better than doing something undefined.  But I'd 
expect sanitizing to make the initial check that the array size in bytes 
is in the range [1, PTRDIFF_MAX] and -fstack-check only to come into play 
if that passes (for sizes that are too large for the stack limit in effect 
at runtime although within the range that is in principle valid).  You 
probably don't want to enable -fstack-check from ubsan until the checks 
for the range [1, PTRDIFF_MAX] are in place.

(Those checks, incidentally, would need to apply not just to arrays whose 
specified size is variable, but also to constant-size arrays of 
variable-size arrays - if you have a VLA type, then define an array 
VLA array[10]; then you need to check that the result of the 
multiplication of sizes in bytes doesn't exceed PTRDIFF_MAX.  So the more 
general checks can't all go in the place where you're inserting the checks 
for a single variable size in isolation.)

-- 
Joseph S. Myers
joseph@codesourcery.com