On 10/25/2016 01:52 PM, Jakub Jelinek wrote:
> On Tue, Oct 25, 2016 at 01:40:03PM +0200, Martin Liška wrote:
>> While reading and trying to understand sanopt code, I've noticed that we can
>> possibly optimize out an ASAN_CHECK when there's a BB in between DOM(BB) and
>> BB which can call a freeing function.
>>
>> Ready to be installed after it survives regression tests?
>> Martin
>
>> From d8ed43c1f8e29cfe63ebd7c40a76715c9c644522 Mon Sep 17 00:00:00 2001
>> From: marxin <[email protected]>
>> Date: Tue, 25 Oct 2016 13:29:47 +0200
>> Subject: [PATCH] Fix not caught use-after-scope with -O1 (PR sanitize/78106)
>>
>> gcc/ChangeLog:
>>
>> 2016-10-25 Martin Liska <[email protected]>
>>
>> PR sanitizer/78106
>> * sanopt.c (imm_dom_path_with_freeing_call): Handle gasm
>> statements as they can also contain possibly a freeing call.
>
> Other places use something like
>   if ((gimple_code (stmt) == GIMPLE_ASM && gimple_vdef (stmt))
>       || (is_gimple_call (stmt)
>           && (!nonfreeing_call_p (stmt) || !nonbarrier_call_p (stmt))))
> though what you added matches more what ipa-pure-const.c does, ok.
Yes, I basically took the same code as we already have in a different place in
the file:

sanopt.c:531
      if (!is_gimple_call (stmt))
        {
          /* Handle asm volatile or asm with "memory" clobber
             the same as potentially freeing call.  */
          gasm *asm_stmt = dyn_cast <gasm *> (stmt);
          if (asm_stmt
              && asan_check_optimize
              && (gimple_asm_clobbers_memory_p (asm_stmt)
                  || gimple_asm_volatile_p (asm_stmt)))
            info->freeing_call_events++;
          gsi_next (&gsi);
          continue;
        }
      if (asan_check_optimize && !nonfreeing_call_p (stmt))
        info->freeing_call_events++;
>
>> gcc/testsuite/ChangeLog:
>>
>> 2016-10-25 Martin Liska <[email protected]>
>>
>> PR sanitizer/78106
>> * gcc.dg/asan/pr78106.c: New test.
>
> The test is bad. 1) asan is supported on various architectures, call release
> is x86 specific, and even there on some OSes the syntax might be different
> (_release, etc.?) 2) you aren't trying to maintain required stack alignment
>
> So, I think it would be better to just use dg-do compile and just scan some
> dump.
I see! I changed the code to scan the sanopt-details dump file.
Ready to install with the change?
Thanks,
Martin
>
> Jakub
>
From aed3af4fb992a58c77d9f5b2ef9a70de5dff8aa8 Mon Sep 17 00:00:00 2001
From: marxin <[email protected]>
Date: Tue, 25 Oct 2016 13:29:47 +0200
Subject: [PATCH] Fix not caught use-after-scope with -O1 (PR sanitize/78106)

gcc/ChangeLog:

2016-10-25  Martin Liska  <[email protected]>

	PR sanitizer/78106
	* sanopt.c (imm_dom_path_with_freeing_call): Handle gasm
	statements as they can also contain possibly a freeing call.

gcc/testsuite/ChangeLog:

2016-10-25  Martin Liska  <[email protected]>

	PR sanitizer/78106
	* gcc.dg/asan/pr78106.c: New test.

---
gcc/sanopt.c | 6 +++++-
gcc/testsuite/gcc.dg/asan/pr78106.c | 31 +++++++++++++++++++++++++++++++
2 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 gcc/testsuite/gcc.dg/asan/pr78106.c
diff --git a/gcc/sanopt.c b/gcc/sanopt.c
index 27c43da..8a6fbe9 100644
--- a/gcc/sanopt.c
+++ b/gcc/sanopt.c
@@ -211,8 +211,12 @@ imm_dom_path_with_freeing_call (basic_block bb, basic_block dom)
for (gsi = gsi_start_bb (e->src); !gsi_end_p (gsi); gsi_next (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
+ gasm *asm_stmt;
- if (is_gimple_call (stmt) && !nonfreeing_call_p (stmt))
+ if ((is_gimple_call (stmt) && !nonfreeing_call_p (stmt))
+ || ((asm_stmt = dyn_cast <gasm *> (stmt))
+ && (gimple_asm_clobbers_memory_p (asm_stmt)
+ || gimple_asm_volatile_p (asm_stmt))))
{
pred_info->has_freeing_call_p = true;
break;
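Review bot: the asm test added to this condition duplicates the one already in the file that Martin quotes above from sanopt.c:531 (dyn_cast <gasm *> followed by the gimple_asm_clobbers_memory_p / gimple_asm_volatile_p check); a small shared predicate used at both sites would keep them from drifting apart and would be the natural place to document why a volatile or memory-clobbering asm is treated as a potentially freeing call. Minor style point: assigning asm_stmt inside the || chain only works because the first operand is evaluated first; declaring `gasm *asm_stmt = dyn_cast <gasm *> (stmt);` next to `gimple *stmt = gsi_stmt (gsi);` and then testing `asm_stmt && (...)` reads more plainly and matches the style of the existing site.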
diff --git a/gcc/testsuite/gcc.dg/asan/pr78106.c b/gcc/testsuite/gcc.dg/asan/pr78106.c
new file mode 100644
index 0000000..d333f9b
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/asan/pr78106.c
@@ -0,0 +1,31 @@
+/* PR sanitizer/78106 */
+/* { dg-do compile } */
+/* { dg-options "-fsanitize=address -fdump-tree-sanopt-details" } */
+
+int *variable;
+
+void __attribute__((used)) release()
+{
+ __builtin_free (variable);
+}
+
+int main2(int argc)
+{
+ *variable = 2;
+
+ if (argc <= 5)
+ asm volatile ("call release");
+
+ *variable = 2;
+ __builtin_abort ();
+
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ variable = __builtin_malloc (sizeof(int));
+ return main2(argc);
+}
+
+/* { dg-final { scan-tree-dump-not "Optimizing out(\n|\r\n|\r) ASAN_CHECK \\(7, variable.*" "sanopt" } } */
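Review bot: scan-tree-dump-not on its own passes vacuously if the "Optimizing out" wording of the sanopt dump ever changes or the dump is empty, so this test cannot tell "the check was kept" apart from "the dump format moved"; pairing it with a positive scan-tree-dump for the ASAN_CHECK that must survive the asm would make a future regression visible. Two smaller points: release() is defined with an empty parameter list, and release(void) avoids an old-style declaration; and since the test is now dg-do compile, the "call release" asm body is never assembled, so the x86-specific mnemonic Jakub raised no longer affects portability, but a short comment saying the asm is there only to be a volatile asm that sanopt must treat as a potential free would help the next reader.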
--
2.10.1