[ubsan PATCH] Fix ICE with bounds checking on VLA-in-a-struct (PR sanitizer/70875)
Marek Polacek
polacek@redhat.com
Fri May 6 09:22:00 GMT 2016
A program containing an array of structs containing a VLA caused ICE with UBSAN
bounds checking, because in get_ubsan_type_info_for_type we asserted that the
size of a type fits uhwi, which implies it is an INTEGER_CST. But that's not
the case for a struct with VLA. However, the assert here is bogus, for
!REAL_TYPE and !INTEGRAL_TYPE_P get_ubsan_type_info_for_type just returns 0.
And since tree_to_uhwi has
gcc_assert (tree_fits_uhwi_p (t));
there's no need to duplicate that for the REAL_TYPE / INTEGRAL_TYPE_P cases.
Bootstrapped/regtested on x86_64-linux, ok for trunk?
2016-05-06 Marek Polacek <polacek@redhat.com>
PR sanitizer/70875
* ubsan.c (get_ubsan_type_info_for_type): Remove assert.
* gcc.dg/ubsan/bounds-3.c: New test.
diff --git gcc/testsuite/gcc.dg/ubsan/bounds-3.c gcc/testsuite/gcc.dg/ubsan/bounds-3.c
index e69de29..50ad673 100644
--- gcc/testsuite/gcc.dg/ubsan/bounds-3.c
+++ gcc/testsuite/gcc.dg/ubsan/bounds-3.c
@@ -0,0 +1,22 @@
+/* PR sanitizer/70875 */
+/* { dg-do run } */
+/* { dg-options "-fsanitize=bounds" } */
+
+int
+foo (int n, int k)
+{
+ struct S
+ {
+ int i[n];
+ int value;
+ } s[2];
+ return s[k].value = 0;
+}
+
+int
+main ()
+{
+ return foo (2, 2);
+}
+
+/* { dg-output "index 2 out of bounds for type 'S \\\[2\\\]'" } */
diff --git gcc/ubsan.c gcc/ubsan.c
index 802341e..c5543f8 100644
--- gcc/ubsan.c
+++ gcc/ubsan.c
@@ -302,7 +302,6 @@ ubsan_source_location (location_t loc)
static unsigned short
get_ubsan_type_info_for_type (tree type)
{
- gcc_assert (TYPE_SIZE (type) && tree_fits_uhwi_p (TYPE_SIZE (type)));
if (TREE_CODE (type) == REAL_TYPE)
return tree_to_uhwi (TYPE_SIZE (type));
else if (INTEGRAL_TYPE_P (type))
Marek
More information about the Gcc-patches
mailing list