From patchwork Tue Oct 25 12:16:33 2016
X-Patchwork-Submitter: Martin Liška
X-Patchwork-Id: 79164
Subject: Re: [PATCH] Fix not caught use-after-scope with -O1 (PR sanitize/78106)
To: Jakub Jelinek
References: <8fb63eca-0d92-efc1-8497-d3e2c8e14e07@suse.cz> <20161025115219.GY7282@tucnak.redhat.com>
Cc: GCC Patches
From: Martin Liška
Date: Tue, 25 Oct 2016 14:16:33 +0200
In-Reply-To: <20161025115219.GY7282@tucnak.redhat.com>

On 10/25/2016 01:52 PM, Jakub Jelinek wrote:
> On Tue, Oct 25, 2016 at 01:40:03PM +0200, Martin Liška wrote:
>> While reading and trying to understand sanopt code, I've noticed that we can possibly
>> optimize out an ASAN_CHECK when there's a BB in between DOM(BB) and BB which can
>> call a freeing function.
>>
>> Ready to be installed after it survives regression tests?
>> Martin
>
>> >From d8ed43c1f8e29cfe63ebd7c40a76715c9c644522 Mon Sep 17 00:00:00 2001
>> From: marxin
>> Date: Tue, 25 Oct 2016 13:29:47 +0200
>> Subject: [PATCH] Fix not caught use-after-scope with -O1 (PR sanitize/78106)
>>
>> gcc/ChangeLog:
>>
>> 2016-10-25  Martin Liska
>>
>>         PR sanitizer/78106
>>         * sanopt.c (imm_dom_path_with_freeing_call): Handle gasm
>>         statements as they can also contain possibly a freeing call.
>
> Other places use something like
>   if ((gimple_code (stmt) == GIMPLE_ASM && gimple_vdef (stmt))
>       || (is_gimple_call (stmt)
>           && (!nonfreeing_call_p (stmt) || !nonbarrier_call_p (stmt))))
> though what you added matches more what ipa-pure-const.c does, ok.

Yes, I basically took the same code as we already have on a different place in the file:

sanopt.c:531

      if (!is_gimple_call (stmt))
        {
          /* Handle asm volatile or asm with "memory" clobber
             the same as potentially freeing call.  */
          gasm *asm_stmt = dyn_cast <gasm *> (stmt);
          if (asm_stmt
              && asan_check_optimize
              && (gimple_asm_clobbers_memory_p (asm_stmt)
                  || gimple_asm_volatile_p (asm_stmt)))
            info->freeing_call_events++;
          gsi_next (&gsi);
          continue;
        }

      if (asan_check_optimize && !nonfreeing_call_p (stmt))
        info->freeing_call_events++;

>
>> gcc/testsuite/ChangeLog:
>>
>> 2016-10-25  Martin Liska
>>
>>         PR sanitizer/78106
>>         * gcc.dg/asan/pr78106.c: New test.
>
> The test is bad.  1) asan is supported on various architectures, call release
> is x86 specific, and even there on some OSes the syntax might be different
> (_release, etc.?) 2) you aren't trying to maintain required stack alignment
>
> So, I think it would be better to just use dg-do compile and just scan some
> dump.

I see! I changed the code to scan the sanopt-details dump file.

Ready to install with the change?
Thanks,
Martin

>
>       Jakub
>

>From aed3af4fb992a58c77d9f5b2ef9a70de5dff8aa8 Mon Sep 17 00:00:00 2001
From: marxin Date: Tue, 25 Oct 2016 13:29:47 +0200 Subject: [PATCH] Fix not caught use-after-scope with -O1 (PR sanitize/78106) gcc/ChangeLog: 2016-10-25 Martin Liska PR sanitizer/78106 * sanopt.c (imm_dom_path_with_freeing_call): Handle gasm statements as they can also contain possibly a freeing call. gcc/testsuite/ChangeLog: 2016-10-25 Martin Liska PR sanitizer/78106 * gcc.dg/asan/pr78106.c: New test. --- gcc/sanopt.c | 6 +++++- gcc/testsuite/gcc.dg/asan/pr78106.c | 31 +++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 gcc/testsuite/gcc.dg/asan/pr78106.c diff --git a/gcc/sanopt.c b/gcc/sanopt.c index 27c43da..8a6fbe9 100644 --- a/gcc/sanopt.c +++ b/gcc/sanopt.c @@ -211,8 +211,12 @@ imm_dom_path_with_freeing_call (basic_block bb, basic_block dom) for (gsi = gsi_start_bb (e->src); !gsi_end_p (gsi); gsi_next (&gsi)) { gimple *stmt = gsi_stmt (gsi); + gasm *asm_stmt; - if (is_gimple_call (stmt) && !nonfreeing_call_p (stmt)) + if ((is_gimple_call (stmt) && !nonfreeing_call_p (stmt)) + || ((asm_stmt = dyn_cast (stmt)) + && (gimple_asm_clobbers_memory_p (asm_stmt) + || gimple_asm_volatile_p (asm_stmt)))) { pred_info->has_freeing_call_p = true; break; diff --git a/gcc/testsuite/gcc.dg/asan/pr78106.c b/gcc/testsuite/gcc.dg/asan/pr78106.c new file mode 100644 index 0000000..d333f9b --- /dev/null +++ b/gcc/testsuite/gcc.dg/asan/pr78106.c 
@@ -0,0 +1,31 @@ +/* PR sanitizer/78106 */ +/* { dg-do compile } */ +/* { dg-options "-fsanitize=address -fdump-tree-sanopt-details" } */ + +int *variable; + +void __attribute__((used)) release() +{ + __builtin_free (variable); +} + +int main2(int argc) +{ + *variable = 2; + + if (argc <= 5) + asm volatile ("call release"); + + *variable = 2; + __builtin_abort (); + + return 0; +} + +int main(int argc, char **argv) +{ + variable = __builtin_malloc (sizeof(int)); + return main2(argc); +} + +/* { dg-final { scan-tree-dump-not "Optimizing out(\n|\r\n|\r) ASAN_CHECK \\(7, variable.*" "sanopt" } } */ -- 2.10.1
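Review bot: in the sanopt.c hunk, the new condition in imm_dom_path_with_freeing_call reads `(asm_stmt = dyn_cast (stmt))` with no template argument, which cannot initialise the `gasm *asm_stmt` declared just above it; it should be `dyn_cast <gasm *> (stmt)`, as in the existing asm handling quoted from sanopt.c:531 in the reply. The asm test itself (volatile, or a "memory" clobber, counts as a possibly freeing statement) is now spelled out in two places in the same file; a small shared predicate would keep the two sites from drifting apart, since a miss in either one is exactly what let this ASAN_CHECK be optimised away.

Review bot: in the pr78106.c hunk, the only final directive is a `scan-tree-dump-not`, which passes vacuously if the sanopt dump is never written or the "Optimizing out ... ASAN_CHECK" line is formatted differently (the pattern also hardcodes the `7` flags value); pairing it with a positive `scan-tree-dump` for the `ASAN_CHECK` on the second `*variable = 2` would make a silent pass impossible. The asm has no "memory" clobber, so only the `gimple_asm_volatile_p` half of the new condition is exercised; a second function using a non-volatile `asm ("" : : : "memory")` would cover `gimple_asm_clobbers_memory_p` as well. With `dg-do compile` the x86-only `call release` string is never assembled, which resolves the earlier portability objection.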
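As an added illustration (not code from this thread or from GCC), the following Python model shows the question the patch is about: whether a block lying between DOM(BB) and BB may free memory, which decides whether sanopt is allowed to drop a second ASAN_CHECK of the same address. The names `Stmt`, `BB`, `may_free`, `build_pr78106_cfg` and the `NONFREEING_CALLS` set are constructed stand-ins for GCC's gimple types and `nonfreeing_call_p`; GCC's real `imm_dom_path_with_freeing_call` walks the dominator tree with per-block memoisation, while this model does a plain backward search over predecessors, which gives the same answer on a CFG this small. `handle_asm=False` reproduces the pre-patch behaviour in which an `asm volatile` was not counted.

```python
# Added illustration, not GCC code: a small model of the sanopt question
# "can a freeing call sit on a path between DOM(BB) and BB?"
from dataclasses import dataclass, field


@dataclass
class Stmt:
    kind: str                      # "call", "asm" or "other"
    callee: str = ""               # callee name when kind == "call"
    volatile: bool = False         # asm volatile (gimple_asm_volatile_p)
    clobbers_memory: bool = False  # asm with "memory" clobber (gimple_asm_clobbers_memory_p)


@dataclass
class BB:
    name: str
    stmts: list
    preds: list = field(default_factory=list)


# Constructed stand-in for GCC's nonfreeing_call_p: calls known not to free.
NONFREEING_CALLS = {"__builtin_abort", "puts"}


def may_free(stmt, handle_asm):
    """Mirror the patched condition: a call not known to be non-freeing, or
    (with the fix) an asm that is volatile or clobbers memory.  Either may
    hide a call to free(), so an ASAN_CHECK after it must not be dropped."""
    if stmt.kind == "call":
        return stmt.callee not in NONFREEING_CALLS
    if stmt.kind == "asm" and handle_asm:
        return stmt.volatile or stmt.clobbers_memory
    return False


def imm_dom_path_with_freeing_call(bb, dom, handle_asm=True):
    """True if some block strictly between DOM and BB may free memory.
    Backward search over predecessors, stopping at DOM (the dominator itself
    is not inspected, matching the 'e->src == dom' skip in GCC)."""
    seen = set()
    stack = [p for p in bb.preds if p is not dom]
    while stack:
        blk = stack.pop()
        if blk.name in seen:
            continue
        seen.add(blk.name)
        if any(may_free(s, handle_asm) for s in blk.stmts):
            return True
        stack.extend(p for p in blk.preds if p is not dom)
    return False


def redundant_check_can_be_removed(bb, dom, handle_asm=True):
    """sanopt drops a repeated ASAN_CHECK of the same address in BB when the
    earlier one in DOM covers it, but only if nothing in between may free."""
    return not imm_dom_path_with_freeing_call(bb, dom, handle_asm)


def build_pr78106_cfg(asm_volatile=True, asm_clobbers_memory=False):
    """Constructed CFG shaped like the pr78106 test: 'entry' checks *variable,
    a conditional block runs an asm that calls release(), and 'join' checks
    *variable again.  Returns (join, entry); entry immediately dominates join."""
    entry = BB("entry", [Stmt("other"), Stmt("other")])   # *variable = 2; if (argc <= 5)
    asm_bb = BB("asm", [Stmt("asm", volatile=asm_volatile,
                             clobbers_memory=asm_clobbers_memory)])
    join = BB("join", [Stmt("other"), Stmt("call", callee="__builtin_abort")])
    asm_bb.preds = [entry]
    join.preds = [entry, asm_bb]
    return join, entry


if __name__ == "__main__":
    join, entry = build_pr78106_cfg()
    print("pre-patch: second check removed =",
          redundant_check_can_be_removed(join, entry, handle_asm=False))
    print("patched:   second check removed =",
          redundant_check_can_be_removed(join, entry, handle_asm=True))
```

Run as a script it reports that the pre-patch rule removes the second check (the asm block is treated as harmless) while the patched rule keeps it; flipping `asm_volatile` and `asm_clobbers_memory` in `build_pr78106_cfg` shows that either property alone is enough to keep the check, and a plain non-volatile asm with no clobber still lets it go.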