[PATCH, RFC] Introduce -fsanitize=use-after-scope (v2)

Jakub Jelinek jakub@redhat.com
Thu Oct 27 17:24:00 GMT 2016

On Thu, Oct 27, 2016 at 04:40:30PM +0200, Martin Liška wrote:
> On 10/21/2016 04:26 PM, Jakub Jelinek wrote:
> > On Wed, Oct 12, 2016 at 04:07:53PM +0200, Martin Liška wrote:
> >>> Ok, first let me list some needed follow-ups that don't need to be handled
> >>> right away:
> >>> - r237814-like changes for ASAN_MARK
> I've spent quite some on that and that's what I begin (use-after-scope-addressable.patch).
> Problem is that as I ignore all ASAN_MARK internal fns, the code does not detect having address
> taken in:
> _2 = MEM[(char *)&my_char + 8B];
>   char *ptr;
>   {
>     char my_char[9];
>     ptr = &my_char[0];
>   }
>   return *(ptr+8);
> and thus the code in tree-ssa.c (maybe_optimize_var) sets TREE_ADDRESSABLE (var) = 0.

Perhaps we should do that only if the var's type is_gimple_reg_type,
then we'd rewrite that into SSA at that time, right?  So, in theory if we
turned the ASAN_MARK poisoning call into another internal function
(var_5 = ASAN_POISON ()) and then after converting it into SSA looked at
all the uses of such an lhs and perhaps at sanopt part or when marked all
the use places with a library call that would complain at runtime?
Or turn those back at sanopt time into addressable memory loads which would
be poisoned or similar?  Or alternatively, immediately before turning
variables addressable just because of ASAN_MARK into non-addressable use
the same framework into-ssa uses to find out if there are any poisoned
accesses, and just not optimize it in that case.
Anyway, this can be done incrementally.

> Second question I have is whether we want to handle just TREE_ADDRESSABLE stuff during gimplification?
> Basically in a way that the current patch is doing?

How could variables that aren't TREE_ADDRESSABLE during gimplification be
accessed out of scope?

> +/* Return true if DECL should be guarded on the stack.  */
> +
> +static inline bool
> +asan_protect_stack_decl (tree decl)
> +{
> +  return DECL_P (decl)
> +    && (!DECL_ARTIFICIAL (decl)
> +	|| (asan_sanitize_use_after_scope () && TREE_ADDRESSABLE (decl)));

Bad formatting.  Should be:

  return (DECL_P (decl)
	  && (!DECL_ARTIFICIAL (decl)
	      || (asan_sanitize_use_after_scope ()
		  && TREE_ADDRESSABLE (decl))));

Ok for trunk with that change.


More information about the Gcc-patches mailing list