This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

RE: [PATCH, PR 57748] Check for out of bounds access, Part 2

From: Bernd Edlinger <bernd dot edlinger at hotmail dot de>
To: Richard Biener <richard dot guenther at gmail dot com>
Cc: Eric Botcazou <ebotcazou at adacore dot com>, GCC Patches <gcc-patches at gcc dot gnu dot org>, Martin Jambor <mjambor at suse dot cz>, Jakub Jelinek <jakub at redhat dot com>
Date: Thu, 7 Nov 2013 13:58:55 +0100
Subject: RE: [PATCH, PR 57748] Check for out of bounds access, Part 2
Authentication-results: sourceware.org; auth=none
References: <20130910193228 dot GE6732 at virgil dot suse>,<20131023171106 dot GC22314 at virgil dot suse>,<DUB122-W18EE8845FD49B5DF19B227E40C0 at phx dot gbl>,<3910341 dot 1yrhooXIjO at polaris>,<CAFiYyc0+6E5jQijgb+xVitqJZoDTy5EHNtHS2fPdVQx_BD1jUA at mail dot gmail dot com>,<DUB122-W3250D65A780768771CDEB5E40C0 at phx dot gbl>,<CAFiYyc10-KqBBJCzPqs9DJ8x0BLDyak4n5MGkKiWDyvvtQwf0g at mail dot gmail dot com>,<DUB122-W2465C900CBE219827F300CE40D0 at phx dot gbl>,<CAFiYyc0iUz1BJknJ4-kQYzB=b+ujJaUVqP=mF237brP4OJzvqw at mail dot gmail dot com>,<DUB122-W45EB12583A2B768CE9631AE40D0 at phx dot gbl>,<CAFiYyc1KcuO+HkqmDCNqehDjzj3hQBHCxKfBzqvRd7vbmyTUCg at mail dot gmail dot com>,<DUB122-W188369190C05F1E42EF3F0E4F30 at phx dot gbl>

oops - this time with attachments...


> Hi,
>
> On Fri, 25 Oct 2013 12:51:13, Richard Biener wrote:
>>
>> On Fri, Oct 25, 2013 at 12:02 PM, Bernd Edlinger
>> <bernd.edlinger@hotmail.de> wrote:
>>> Hi,
>>>
>>>> Eh ... even
>>>>
>>>> register struct { int i; int a[0]; } asm ("ebx");
>>>>
>>>> works. Also with int a[1] but not with a[2]. So just handling trailing
>>>> arrays makes this case regress as well.
>>>>
>>>> Now I'd call this use questionable ... but we've likely supported that
>>>> for decades and cannot change that now.
>>>>
>>>> Back to fixing everything in expand.
>>>>
>>>> Richard.
>>>>
>>>
>>> Ok, finally you asked for it.
>>>
>>> Here is my previous version of that patch again.
>>>
>>> I have now added a new value "EXPAND_REFERENCE" to the expand_modifier
>>> enumeration. It is almost like EXPAND_MEMORY but it does not interfere with
>>> constant values.
>>>
>>> I have done the same modification to VIEW_CONVERT_EXPR too, because
>>> this is a possible inner reference, itself. It is however inherently hard to
>>> test around this code.
>>>
>>> To understand this patch it is good to know what type of object the
>>> return value "tem" of get_inner_reference can be.
>>>
>>> From the program logic at get_inner_reference it is clear that the
>>> return value may *not* be BIT_FIELD_REF, COMPONENT_REF, ARRAY_REF,
>>> ARRAY_RANGE_REF, REALPART_EXPR, IMAGPART_EXPR. The result may
>>> be VIEW_CONVERT_EXPR only on a STRICT_ALIGNMENT target. This is probably
>>> further restricted because exp is gimplified.
>>>
>>> Usually the result will be a MEM_REF or a SSA_NAME of the memory where
>>> the structure is to be found.
>>>
>>> When you look at where EXPAND_MEMORY is handled you see it is special-cased
>>> in TARGET_MEM_REF, MEM_REF, ARRAY_REF, COMPONENT_REF, BIT_FIELD_REF,
>>> ARRAY_RANGE_REF.
>>>
>>> At TARGET_MEM_REF, MEM_REF, VIEW_CONVERT_EXPR, it should be the
>>> same if EXPAND_MEMORY, EXPAND_WRITE or EXPAND_REFERENCE is given:
>>> If it is an unaligned memory, we just return the unaligned reference.
>>>
>>> This was missing for VIEW_CONVERT_EXPR, and unfortunately I have no test case,
>>> because it is only a problem for STRICT_ALIGNMENT targets, and even there it will
>>> certainly be really hard to find test cases that exercise this code.
>>>
>>> In ARRAY_REF, COMPONENT_REF, BIT_FIELD_REF, ARRAY_RANGE_REF
>>> we do not have to touch the handling of the outer modifier. However we pass
>>> EXPAND_REFERENCE to the inner object, which should not be a recursive
>>> use of any ARRAY_REF, COMPONENT_REF, BIT_FIELD_REF, ARRAY_RANGE_REF.
>>>
>>> TARGET_MEM_REF, MEM_REF and VIEW_CONVERT_EXPR know how to handle
>>> EXPAND_REFERENCE, anything else handles it like EXPAND_NORMAL.
>>>
>>>
>>> Boot-strapped and regression-tested on x86_64-linux-gnu
>>> OK for trunk?
>>
>> You point to a weak spot in expansion - that it handles creating
>> the base MEM to offset with handled components by recursing
>> into the case that handles bare MEM_REFs. This makes the
>> bare MEM_REF handling code somewhat awkward (it's the
>> one to assign mem-attrs which are later adjusted for example).
>>
>> Maybe a better appropach than adding yet another expand
>> modifier would be to split out the "base MEM" expansion part
>> out of the bare MEM_REF handling code so we can call that
>> instead of recursing.
>>
>> In this light - instead of a new expand modifier don't you want
>> an actual flag that specifies we are coming from a call that
>> wants to expand a base? That is, allow EXPAND_SUM
>> but with the recursion flag set?
>>
>
> I think you are right. After some thought, I start to like that idea.
>
> This way we have at least much more flexibility, how to handle the inner
> references correctly, and if I change only the interfaces of expand_expr_real/real_1
> that will not be used at too many places, either.
>
>> Finally I think the recursion into the VIEW_CONVERT_EXPR case
>> is only there because of the keep_aligning flag of get_inner_reference
>> which should be obsolete now that we properly handle its effects
>> in get_object_alignment. So you wouldn't need to adjust this path
>> if we finally can get rid of that.
>>
>
> I proposed a patch for that, but did not hear from you:
> http://gcc.gnu.org/ml/gcc-patches/2013-10/msg02267.html
>
> nevertheless, even if the VIEW_CONVERT_EXPR may or may not be an inner
> reference, the code there should be kept in sync with the normal_inner_ref,
> and MEM_REF, IMHO.
>
> Attached, my updated patch for PR57748, Part 2.
>
> Boot-strapped and regression-tested on X86_64-pc-linux-gnu.
>
> Ok for trunk?
>
>
> Thanks
> Bernd.
>
>> What do others think?
>>
>> Thanks,
>> Richard.
>>
>>> Thanks
>>> Bernd.

Attachment: changelog-pr57748-2.txt
Description: Text document

Attachment: patch-pr57748-2.diff
Description: Binary data

Follow-Ups:
- [PATCH, PR 57748] Check for out of bounds access, Part 2
  - From: Bernd Edlinger

References:
- RE: [PATCH, PR 57748] Check for out of bounds access, Part 2
  - From: Bernd Edlinger

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]