Re: [PATCH, RFC] Introduce -fsanitize=use-after-scope (v2)

Wed, 02 Nov 2016 07:38:46 -0700 

On 11/02/2016 02:16 PM, Richard Biener wrote:
> On Wed, Nov 2, 2016 at 2:06 PM, Jakub Jelinek <ja...@redhat.com> wrote:
>> On Wed, Nov 02, 2016 at 01:59:00PM +0100, Richard Biener wrote:
>>>> Yeah, that is what I meant.  The issue is how to report uses of such
>>>> SSA_NAME when there is no memory.  So, either we'd need a special runtime
>>>> library entrypoint that would report uses after scope even when there is no
>>>> underlying memory, or we'd need to force it at asan pass time into memory 
>>>> again.
>>>
>>> Well, there can't be any uses outside the scope -- there are no (memory) 
>>> uses
>>> left if we rewrite the thing into SSA.  That is, the address can no
>>> longer "escape".
>>>
>>> Of course there could have been invalid uses before the rewrite into SSA.  
>>> But
>>> those can be diagnosed either immediately before or after re-writing into 
>>> SSA
>>> at compile-time (may be in dead code regions of course).
>>
>> Sure, we can warn on those at compile time, but we really should arrange to
>> error on those at runtime if they are ever executed, the UB happens only at
>> runtime, so in dead code isn't fatal.
> 
> Then we can replace those uses with a call into the asan runtime diagnosing 
> the
> issue instead?
> 
> Richard.
> 
>>         Jakub

OK, thanks for the clarification, it's more clear to me. So we want to consider 
for
SSA transformation of ASAN_MARK only is_gimple_reg_types. I'm having a 
test-case where
it converts:
foo ()
{
  char a;
  char * p;
  char _1;
  int _2;
  int _8;
  int _9;

  <bb 2>:
  ASAN_MARK (2, &a, 1);
  a = 0;
  p_6 = &a;
  ASAN_MARK (1, &a, 1);
  _1 = *p_6;
  if (_1 != 0)
    goto <bb 3>;
  else
    goto <bb 4>;

  <bb 3>:
  _9 = 1;
  goto <bb 5>;

  <bb 4>:
  _8 = 0;

  <bb 5>:
  # _2 = PHI <_9(3), _8(4)>
  return _2;

}

to:

foo ()
{
  char a;
  char * p;
  char _1;
  int _2;

  <bb 2>:
  a_10 = 0;
  a_12 = ASAN_POISON ();
  _1 = a_12;
  if (_1 != 0)
    goto <bb 4>;
  else
    goto <bb 3>;

  <bb 3>:

  <bb 4>:
  # _2 = PHI <1(2), 0(3)>
  return _2;

}

and probably the last goal is to convert the newly added internal fn to a 
runtime call.
Hope sanopt pass is the right place where to it?

Thanks,
Martin

Reply via email to