From patchwork Mon Nov 21 09:57:15 2022
X-Patchwork-Submitter: Yuri Gribov
X-Patchwork-Id: 23630
Date: Mon, 21 Nov 2022 12:57:15 +0300
Subject: [PATCH][PING][sanitizer/106558] asan: fix unsafe optimization of Asan checks.
To: GCC Patches
Cc: Martin Liška, Jakub Jelinek
List-Id: Gcc-patches mailing list
From: Yuri Gribov

Hi,

This patch fixes incorrect Asan optimization in https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106558 . It successfully passes bootstrap-asan, regular bootstrap and regression testing (on x86/amd64).

With this patch, the number of optimizations has been reduced only slightly (146062 -> 145824 on bootstrap-asan), so I decided to skip the more complicated alias oracle-based approach that was suggested by Jakub in the PR.

Best regards,
Yuri

From 4729f2db3f1b6b40ef0124e4a645788d7f66f426 Mon Sep 17 00:00:00 2001
From: Yuri Gribov
Date: Sun, 14 Aug 2022 08:42:44 +0300
Subject: [PATCH] asan: fix unsafe optimization of Asan checks.

gcc/
	PR sanitizer/106558
	* sanopt.c: Do not optimize out checks for non-SSA addresses.

gcc/testsuite/
	PR sanitizer/106558
	* c-c++-common/asan/pr106558.c: New test.

--- gcc/sanopt.cc | 40 +++++++++++++++++----- gcc/testsuite/c-c++-common/asan/pr106558.c | 23 +++++++++++++ 2 files changed, 54 insertions(+), 9 deletions(-) create mode 100644 gcc/testsuite/c-c++-common/asan/pr106558.c diff --git a/gcc/sanopt.cc b/gcc/sanopt.cc index e9d188d7889..13942a0b1da 100644 --- a/gcc/sanopt.cc +++ b/gcc/sanopt.cc @@ -80,16 +80,16 @@ struct sanopt_info /* If T has a single definition of form T = T2, return T2. */ -static tree +static gimple * maybe_get_single_definition (tree t) { if (TREE_CODE (t) == SSA_NAME) { gimple *g = SSA_NAME_DEF_STMT (t); if (gimple_assign_single_p (g)) - return gimple_assign_rhs1 (g); + return g; } - return NULL_TREE; + return NULL; } /* Tree triplet for vptr_check_map. */ 
@@ -618,11 +618,30 @@ maybe_optimize_ubsan_vptr_ifn (class sanopt_ctx *ctx, gimple *stmt) return true; } +/* Checks whether value of T in CHECK and USE is the same. */ + +static bool same_value_p (gimple *check, gimple *use, tree t) +{ + tree check_vuse = gimple_vuse (check); + tree use_vuse = gimple_vuse (use); + + if (TREE_CODE (t) == SSA_NAME + || is_gimple_min_invariant (t) + || ! use_vuse) + return true; + + if (check_vuse == use_vuse) + return true; + + return false; +} + /* Returns TRUE if ASan check of length LEN in block BB can be removed if preceded by checks in V. */ static bool -can_remove_asan_check (auto_vec &v, tree len, basic_block bb) +can_remove_asan_check (auto_vec &v, tree len, basic_block bb, + gimple *base_stmt, tree base_addr) { unsigned int i; gimple *g; @@ -674,8 +693,10 @@ can_remove_asan_check (auto_vec &v, tree len, basic_block bb) last_bb = imm; } - if (last_bb == gbb) - remove = true; + if (last_bb != gbb) + break; + // In case of base_addr residing in memory we also need to check aliasing + remove = ! base_addr || same_value_p (g, base_stmt, base_addr); break; } @@ -718,7 +739,8 @@ maybe_optimize_asan_check_ifn (class sanopt_ctx *ctx, gimple *stmt) auto_vec *ptr_checks = &ctx->asan_check_map.get_or_insert (ptr); - tree base_addr = maybe_get_single_definition (ptr); + gimple *base_stmt = maybe_get_single_definition (ptr); + tree base_addr = base_stmt ? gimple_assign_rhs1 (base_stmt) : NULL_TREE; auto_vec *base_checks = NULL; if (base_addr) { @@ -747,11 +769,11 @@ maybe_optimize_asan_check_ifn (class sanopt_ctx *ctx, gimple *stmt) bool remove = false; if (ptr_checks) - remove = can_remove_asan_check (*ptr_checks, len, bb); + remove = can_remove_asan_check (*ptr_checks, len, bb, NULL, NULL); if (!remove && base_checks) /* Try with base address as well. */ - remove = can_remove_asan_check (*base_checks, len, bb); + remove = can_remove_asan_check (*base_checks, len, bb, base_stmt, base_addr); if (!remove) { 
diff --git a/gcc/testsuite/c-c++-common/asan/pr106558.c b/gcc/testsuite/c-c++-common/asan/pr106558.c new file mode 100644 index 00000000000..d82b2dc7a83 --- /dev/null +++ b/gcc/testsuite/c-c++-common/asan/pr106558.c @@ -0,0 +1,23 @@ +/* { dg-do run } */ +/* { dg-options "-w -fpermissive" } */ +/* { dg-shouldfail "asan" } */ + +int a; +int *b = &a; +int **c = &b; +int d[1]; +int *e = &d[1]; + +static int f(int *g) { + *b = e; + *c = e; + *b = 2; + *g = 2; +} + +int main() { + f(b); + return *b; +} + +/* { dg-output "AddressSanitizer: global-buffer-overflow on address" } */ -- 2.17.1
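Review bot: In the @@ -80,16 hunk of gcc/sanopt.cc, the comment above maybe_get_single_definition still reads "If T has a single definition of form T = T2, return T2." although the function now returns the defining statement (`return g;`) or NULL. Update the comment to say that the defining gimple statement is returned and that the caller extracts T2 with gimple_assign_rhs1. The ChangeLog line in the commit message also names sanopt.c while the diff modifies gcc/sanopt.cc, and it does not list the functions changed.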
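Review bot: In the @@ -618,11 hunk, same_value_p returns true whenever `! use_vuse` holds, with no comment saying why a USE without a virtual use operand makes the value of T safe to rely on, and the one-line comment "Checks whether value of T in CHECK and USE is the same." does not say that the test is equality of the two statements' virtual use operands. Spell out that criterion in the comment, including that any difference in the virtual operand makes the function return false. Style: the definition puts `static bool same_value_p (...)` on one line while can_remove_asan_check in the same hunk keeps the return type on its own line, and the comment above can_remove_asan_check was not extended to describe the new BASE_STMT and BASE_ADDR parameters.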
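Review bot: In the @@ -674,8 hunk, the added comment uses `//` and has no final period, while the other comments visible in this diff are `/* ... */` block comments; convert it and make it specific, since "also need to check aliasing" does not say that the code compares the virtual operands of G and BASE_STMT through same_value_p. The line `remove = ! base_addr || same_value_p (g, base_stmt, base_addr);` also depends on callers passing a null BASE_ADDR to mean that the check list is keyed on the pointer itself, which is worth stating in the same comment.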
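Review bot: In the @@ -747,11 hunk, the call `can_remove_asan_check (*ptr_checks, len, bb, NULL, NULL)` passes NULL for the tree parameter base_addr, while the previous hunk uses NULL_TREE for the same kind of value (`: NULL_TREE`); use NULL_TREE for that argument. The second call, `remove = can_remove_asan_check (*base_checks, len, bb, base_stmt, base_addr);`, is 77 characters before indentation, so it runs past 80 columns once indented and should be wrapped.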
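Review bot: In the new gcc/testsuite/c-c++-common/asan/pr106558.c, nothing says which store is expected to produce the report, and the dg-output pattern "AddressSanitizer: global-buffer-overflow on address" matches a global-buffer-overflow report from any access. After `*c = e;` b holds e, that is &d[1], so a short comment naming the store whose check must survive would make the test self-explanatory. The test also only compiles because of "-w -fpermissive": `*b = e;` stores an int * into an int and f is declared int without a return statement; an explicit cast and a void return type would narrow what those options have to suppress.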