| Message ID | 20220617212002.3747825-1-jason@redhat.com |
|---|---|
| State | New |
| Headers |
Return-Path: <gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id CBDA6385734C for <patchwork@sourceware.org>; Fri, 17 Jun 2022 21:20:37 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org CBDA6385734C DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1655500837; bh=cuQ7ZcA1fYSJdWvVO95uyliFTUxQj76ceH2Fow8zJAo=; h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=ai8IfNuVMIHvCd+ngWMlw9CvShe9gCKOJG7DYpLkPXsgNx1o4vXJyMAXDp7oy35Lh 3jQ+1QXbFVii4IURevFoguEAQk6U2du1lnx6nalH4V4O9+E5U2Jjzq+pabO6xhhOWi 1fTb5AqY1IFJzYPAZOTF+0ODKvLOoRFmiLYoxYa8= X-Original-To: gcc-patches@gcc.gnu.org Delivered-To: gcc-patches@gcc.gnu.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 0D1763858434 for <gcc-patches@gcc.gnu.org>; Fri, 17 Jun 2022 21:20:07 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 0D1763858434 Received: from mail-qv1-f71.google.com (mail-qv1-f71.google.com [209.85.219.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-142-1jQZ-3AJNFC_PFNZ0_Si_A-1; Fri, 17 Jun 2022 17:20:05 -0400 X-MC-Unique: 1jQZ-3AJNFC_PFNZ0_Si_A-1 Received: by mail-qv1-f71.google.com with SMTP id s11-20020a0562140cab00b0046e7d2b24b3so5385246qvs.16 for <gcc-patches@gcc.gnu.org>; Fri, 17 Jun 2022 14:20:05 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=cuQ7ZcA1fYSJdWvVO95uyliFTUxQj76ceH2Fow8zJAo=; b=WtFmERjX57b01OiVR5Umso3owlHz2YCbg5oDm4ohPgxp4uJCTdUm921Mlans+CpIO+ keWKxQ0PET8V6JkSCoea6HBB5zkrIiu9NET6mdbquxYRG0CnpG06kYPy+nmWoYjxWqvW ceYffq8VHOARc3end2NiWS1bhdII+J+OOKCPTOedzowyZtP0yMJZ1v7Ev07LfiHq8fhz BJvgO2qPeQltJGIYrfTtdQ0cpNeGuiNgggvc+IpPtXRvS9mUAHO55/OWTUzo+2rb7aFQ 6ILGD/X80/dHG/iVHTlZz72ql1JNrdZE9xmuhskSyJBUDK1tn4kSLmEbYaT0Cw4MMDam BNgw== X-Gm-Message-State: AJIora9fWh5IbUYX/XSClT6degVF6HdGeWqtdWmWQ+4ShhJvC8g0HQMS 5TpMV5MX4FnBMQZCn3ChxZdFN3UlPGgim8S9pBi/0oFnoRpJudbim+g5opYxkvTq1kA552HejP/ tmQO980Hmbx4qqnOiraTvJ5f62d8o9prSvQQzHQp9u/21PotN8HF+7HeooNL6kwXEkw== X-Received: by 2002:a05:6214:20c8:b0:470:2b1e:99b with SMTP id 8-20020a05621420c800b004702b1e099bmr3109705qve.111.1655500804859; Fri, 17 Jun 2022 14:20:04 -0700 (PDT) X-Google-Smtp-Source: AGRyM1sOtsJWqG1b+kfBagK8+YQWQkfyr5EsiH/OnmtvsdUCungNtb9DvYU9LEA73xnHUaeBi/Q/8w== X-Received: by 2002:a05:6214:20c8:b0:470:2b1e:99b with SMTP id 8-20020a05621420c800b004702b1e099bmr3109684qve.111.1655500804456; Fri, 17 Jun 2022 14:20:04 -0700 (PDT) Received: from barrymore.redhat.com (130-44-159-43.s15913.c3-0.arl-cbr1.sbo-arl.ma.cable.rcncustomer.com. [130.44.159.43]) by smtp.gmail.com with ESMTPSA id u7-20020a05622a198700b002f90a33c78csm5291820qtc.67.2022.06.17.14.20.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 Jun 2022 14:20:04 -0700 (PDT) To: gcc-patches@gcc.gnu.org, jakub@redhat.com Subject: [PATCH RFA] ubsan: do return check with -fsanitize=unreachable Date: Fri, 17 Jun 2022 17:20:02 -0400 Message-Id: <20220617212002.3747825-1-jason@redhat.com> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true X-Spam-Status: No, score=-13.5 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_LOW, SPF_HELO_NONE, SPF_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: gcc-patches@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-patches mailing list <gcc-patches.gcc.gnu.org> List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-patches>, <mailto:gcc-patches-request@gcc.gnu.org?subject=unsubscribe> List-Archive: <https://gcc.gnu.org/pipermail/gcc-patches/> List-Post: <mailto:gcc-patches@gcc.gnu.org> List-Help: <mailto:gcc-patches-request@gcc.gnu.org?subject=help> List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-patches>, <mailto:gcc-patches-request@gcc.gnu.org?subject=subscribe> From: Jason Merrill via Gcc-patches <gcc-patches@gcc.gnu.org> Reply-To: Jason Merrill <jason@redhat.com> Errors-To: gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org Sender: "Gcc-patches" <gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org> |
| Series |
[RFA] ubsan: do return check with -fsanitize=unreachable
|
|
Commit Message
Jason Merrill
June 17, 2022, 9:20 p.m. UTC
Related to PR104642, the current situation where we get less return checking with just -fsanitize=unreachable than no sanitize flags seems undesirable; I propose that we do return checking when -fsanitize=unreachable. Looks like clang just traps on missing return if not -fsanitize=return, but the approach in this patch seems more helpful to me if we're already sanitizing other should-be-unreachable code. I'm assuming that the difference in treatment of SANITIZE_UNREACHABLE and SANITIZE_RETURN with regard to loop optimization is deliberate. This assumes Jakub's -fsanitize-trap patch. gcc/ChangeLog: * doc/invoke.texi: Note that -fsanitize=unreachable implies -fsanitize=return. * opts.cc (finish_options): Make that so. gcc/cp/ChangeLog: * cp-gimplify.cc (cp_maybe_instrument_return): Remove return vs. unreachable handling. gcc/testsuite/ChangeLog: * g++.dg/ubsan/return-8c.C: New test. --- gcc/doc/invoke.texi | 2 ++ gcc/cp/cp-gimplify.cc | 12 ------------ gcc/opts.cc | 10 ++++++++++ gcc/testsuite/g++.dg/ubsan/return-8c.C | 15 +++++++++++++++ 4 files changed, 27 insertions(+), 12 deletions(-) create mode 100644 gcc/testsuite/g++.dg/ubsan/return-8c.C base-commit: 0f96ac43fa0a5fdbfce317b274233852d5b46d23 prerequisite-patch-id: fa35013a253eae78fe744794172aeed26fe6f166
Comments
On Fri, Jun 17, 2022 at 05:20:02PM -0400, Jason Merrill wrote: > Related to PR104642, the current situation where we get less return checking > with just -fsanitize=unreachable than no sanitize flags seems undesirable; I > propose that we do return checking when -fsanitize=unreachable. __builtin_unreachable itself (unless turned into trap or __ubsan_handle_builtin_unreachable) is not any kind of return checking, it is just an optimization. > Looks like clang just traps on missing return if not -fsanitize=return, but > the approach in this patch seems more helpful to me if we're already > sanitizing other should-be-unreachable code. > > I'm assuming that the difference in treatment of SANITIZE_UNREACHABLE and > SANITIZE_RETURN with regard to loop optimization is deliberate. return and unreachable are separate sanitizers and such silent one way implication can have quite unexpected consequences, especially with -fsanitize-trap=. Say with -fsanitize=unreachable -fsanitize-trap=unreachable, both current trunk and clang will link without -lubsan, because the only enabled UBSan sanitizers use __builtin_trap () which doesn't need library. With -fsanitize=unreachable silently meaning -fsanitize=unreachable,return the above would link in -lubsan, because while SANITIZE_UNREACHABLE uses __builtin_trap, SANITIZE_RETURN doesn't. Similarly, one has no_sanitize attribute, one could in certain function __attribute__((no_sanitize ("unreachable"))) and because on the command line using -fsanitize=unreachable assume other sanitizers aren't enabled, but the silent addition of return sanitizer would break that. > --- a/gcc/cp/cp-gimplify.cc > +++ b/gcc/cp/cp-gimplify.cc > @@ -1806,18 +1806,6 @@ cp_maybe_instrument_return (tree fndecl) > || !targetm.warn_func_return (fndecl)) > return; > > - if (!sanitize_flags_p (SANITIZE_RETURN, fndecl) > - /* Don't add __builtin_unreachable () if not optimizing, it will not > - improve any optimizations in that case, just break UB code. > - Don't add it if -fsanitize=unreachable -fno-sanitize=return either, > - UBSan covers this with ubsan_instrument_return above where sufficient > - information is provided, while the __builtin_unreachable () below > - if return sanitization is disabled will just result in hard to > - understand runtime error without location. */ > - && (!optimize > - || sanitize_flags_p (SANITIZE_UNREACHABLE, fndecl))) > - return; > - > tree t = DECL_SAVED_TREE (fndecl); > while (t) > { I think the above is correct, if -fsanitize=return, we want to fall through and use __ubsan_handle_missing_return (or __builtin_trap if -fsanitize-trap=return). Otherwise, for -O0, __builtin_unreachable most likely doesn't offer any important optimization benefits and just makes debugging bad code harder. Similarly for -fsanitize=unreachable, the __builtin_unreachable there would be an optimization which we shouldn't turn into __ubsan_handle_builtin_unreachable / __builtin_trap. Now, -funreachable-traps can of course change the condition a little bit, and so can implementation of builtin_decl_unreachable and stopping of folding of __builtin_unreachable to __builtin_trap if -fsanitize=unreachable -fsanitize-trap=unreachable. The -fsanitize=return case remains the same no matter what. Otherwise, if -funreachable-traps, we are emitting __builtin_trap rather than __builtin_unreachable, so it is perfectly fine to fall through regardless of !optimize or SANITIZE_UNREACHABLE being on, it isn't an optimization in that case, but checking. Otherwise, if !optimize, we should return, __builtin_unreachable in there wouldn't bring many advantages and just punish users of bad code. Otherwise, if builtin_decl_unreachable is implemented and we never fold __builtin_unreachable to __builtin_trap, for SANITIZE_UNREACHABLE enabled and (flag_sanitize_trap & SANITIZE_UNREACHABLE) != 0 we could emit __builtin_unreachable (but in that case directly, not through builtin_decl_unreachable). Otherwise, if SANITIZE_UNREACHABLE is on and (flag_sanitize_trap & SANITIZE_UNREACHABLE) == 0, I assume we'll still want to fold __builtin_unreachable to __ubsan_handle_builtin_unreachable during sanopt etc., we can live without the optimization and not instrument. Otherwise emit __builtin_unreachable (directly). Jakub
On 6/20/22 07:05, Jakub Jelinek wrote: > On Fri, Jun 17, 2022 at 05:20:02PM -0400, Jason Merrill wrote: >> Related to PR104642, the current situation where we get less return checking >> with just -fsanitize=unreachable than no sanitize flags seems undesirable; I >> propose that we do return checking when -fsanitize=unreachable. > > __builtin_unreachable itself (unless turned into trap or > __ubsan_handle_builtin_unreachable) is not any kind of return checking, it > is just an optimization. Yes, but I'm talking about "when -fsanitize=unreachable". >> Looks like clang just traps on missing return if not -fsanitize=return, but >> the approach in this patch seems more helpful to me if we're already >> sanitizing other should-be-unreachable code. >> >> I'm assuming that the difference in treatment of SANITIZE_UNREACHABLE and >> SANITIZE_RETURN with regard to loop optimization is deliberate. > > return and unreachable are separate sanitizers and such silent one way > implication can have quite unexpected consequences, especially with > -fsanitize-trap=. > Say with -fsanitize=unreachable -fsanitize-trap=unreachable, both current > trunk and clang will link without -lubsan, because the only enabled UBSan > sanitizers use __builtin_trap () which doesn't need library. > With -fsanitize=unreachable silently meaning -fsanitize=unreachable,return > the above would link in -lubsan, because while SANITIZE_UNREACHABLE uses > __builtin_trap, SANITIZE_RETURN doesn't. > Similarly, one has no_sanitize attribute, one could in certain function > __attribute__((no_sanitize ("unreachable"))) and because on the command > line using -fsanitize=unreachable assume other sanitizers aren't enabled, > but the silent addition of return sanitizer would break that. Ah, true. How about this approach instead?
On 6/20/22 16:16, Jason Merrill wrote: > On 6/20/22 07:05, Jakub Jelinek wrote: >> On Fri, Jun 17, 2022 at 05:20:02PM -0400, Jason Merrill wrote: >>> Related to PR104642, the current situation where we get less return >>> checking >>> with just -fsanitize=unreachable than no sanitize flags seems >>> undesirable; I >>> propose that we do return checking when -fsanitize=unreachable. >> >> __builtin_unreachable itself (unless turned into trap or >> __ubsan_handle_builtin_unreachable) is not any kind of return >> checking, it >> is just an optimization. > > Yes, but I'm talking about "when -fsanitize=unreachable". > >>> Looks like clang just traps on missing return if not >>> -fsanitize=return, but >>> the approach in this patch seems more helpful to me if we're already >>> sanitizing other should-be-unreachable code. >>> >>> I'm assuming that the difference in treatment of SANITIZE_UNREACHABLE >>> and >>> SANITIZE_RETURN with regard to loop optimization is deliberate. >> >> return and unreachable are separate sanitizers and such silent one way >> implication can have quite unexpected consequences, especially with >> -fsanitize-trap=. >> Say with -fsanitize=unreachable -fsanitize-trap=unreachable, both current >> trunk and clang will link without -lubsan, because the only enabled UBSan >> sanitizers use __builtin_trap () which doesn't need library. >> With -fsanitize=unreachable silently meaning >> -fsanitize=unreachable,return >> the above would link in -lubsan, because while SANITIZE_UNREACHABLE uses >> __builtin_trap, SANITIZE_RETURN doesn't. >> Similarly, one has no_sanitize attribute, one could in certain function >> __attribute__((no_sanitize ("unreachable"))) and because on the command >> line using -fsanitize=unreachable assume other sanitizers aren't enabled, >> but the silent addition of return sanitizer would break that. > > Ah, true. How about this approach instead? Or, this approach relies on the PR104642 patch, and just fixes the line number issue. This is less clear about the problem than using the return ubsan library function, but avoids using one entry point to implement the other sanitizer, if that's important.
On 6/22/22 00:04, Jason Merrill wrote: > On 6/20/22 16:16, Jason Merrill wrote: >> On 6/20/22 07:05, Jakub Jelinek wrote: >>> On Fri, Jun 17, 2022 at 05:20:02PM -0400, Jason Merrill wrote: >>>> Related to PR104642, the current situation where we get less return >>>> checking >>>> with just -fsanitize=unreachable than no sanitize flags seems >>>> undesirable; I >>>> propose that we do return checking when -fsanitize=unreachable. >>> >>> __builtin_unreachable itself (unless turned into trap or >>> __ubsan_handle_builtin_unreachable) is not any kind of return >>> checking, it >>> is just an optimization. >> >> Yes, but I'm talking about "when -fsanitize=unreachable". >> >>>> Looks like clang just traps on missing return if not >>>> -fsanitize=return, but >>>> the approach in this patch seems more helpful to me if we're already >>>> sanitizing other should-be-unreachable code. >>>> >>>> I'm assuming that the difference in treatment of >>>> SANITIZE_UNREACHABLE and >>>> SANITIZE_RETURN with regard to loop optimization is deliberate. >>> >>> return and unreachable are separate sanitizers and such silent one way >>> implication can have quite unexpected consequences, especially with >>> -fsanitize-trap=. >>> Say with -fsanitize=unreachable -fsanitize-trap=unreachable, both >>> current >>> trunk and clang will link without -lubsan, because the only enabled >>> UBSan >>> sanitizers use __builtin_trap () which doesn't need library. >>> With -fsanitize=unreachable silently meaning >>> -fsanitize=unreachable,return >>> the above would link in -lubsan, because while SANITIZE_UNREACHABLE uses >>> __builtin_trap, SANITIZE_RETURN doesn't. >>> Similarly, one has no_sanitize attribute, one could in certain function >>> __attribute__((no_sanitize ("unreachable"))) and because on the command >>> line using -fsanitize=unreachable assume other sanitizers aren't >>> enabled, >>> but the silent addition of return sanitizer would break that. >> >> Ah, true. How about this approach instead? > > Or, this approach relies on the PR104642 patch, and just fixes the line > number issue. This is less clear about the problem than using the > return ubsan library function, but avoids using one entry point to > implement the other sanitizer, if that's important. Ping?
On Wed, Jun 22, 2022 at 12:04:59AM -0400, Jason Merrill wrote: > On 6/20/22 16:16, Jason Merrill wrote: > > On 6/20/22 07:05, Jakub Jelinek wrote: > > > On Fri, Jun 17, 2022 at 05:20:02PM -0400, Jason Merrill wrote: > > > > Related to PR104642, the current situation where we get less > > > > return checking > > > > with just -fsanitize=unreachable than no sanitize flags seems > > > > undesirable; I > > > > propose that we do return checking when -fsanitize=unreachable. > > > > > > __builtin_unreachable itself (unless turned into trap or > > > __ubsan_handle_builtin_unreachable) is not any kind of return > > > checking, it > > > is just an optimization. > > > > Yes, but I'm talking about "when -fsanitize=unreachable". The usual case is that people just use -fsanitize=undefined and get both return and unreachable sanitization, for fall through into end of functions returning non-void done through return sanitization. In the rare case people use something different like -fsanitize=undefined -fno-sanitize=return or -fsanitize=unreachable etc., they presumably don't want the fall through from end of function diagnosed at runtime. I think the behavior we want is: 1) -fsanitize=return is on -> use ubsan_instrument_return (__ubsan_missing_return_data or __builtin_trap depending on -fsanitize-trap=return); otherwise 2) -funreachable-traps is on (from -O0/-Og by default or explicit), emit __builtin_trap; otherwise 3) -fsanitize=unreachable is on, not emit anything (__builtin_unreachable would be just an optimization, but user asked not to instrument returns, only unreachable, so honor user's decision and avoid confusion); otherwise 4) -O0 is on, not emit anything (__builtin_unreachable wouldn't be much of an optimization, just surprising and hard to debug effect); otherwise 5) emit __builtin_unreachable Current trunk with your PR104642 fix in implements 1), will do 2) only if -fsanitize=unreachable is not on, will do 3), will do 4) and 5). So, I'd change cp-gimplify.cc (cp_maybe_instrument_return), change: if (!sanitize_flags_p (SANITIZE_RETURN, fndecl) && ((!optimize && !flag_unreachable_traps) || sanitize_flags_p (SANITIZE_UNREACHABLE, fndecl))) return; to if (!sanitize_flags_p (SANITIZE_RETURN, fndecl) && !flag_unreachable_traps && (!optimize || sanitize_flags_p (SANITIZE_UNREACHABLE, fndecl))) return; and if (sanitize_flags_p (SANITIZE_RETURN, fndecl)) t = ubsan_instrument_return (loc); else t = build_builtin_unreachable (BUILTINS_LOCATION); to if (sanitize_flags_p (SANITIZE_RETURN, fndecl)) t = ubsan_instrument_return (loc); else if (flag_unreachable_traps) t = build_call_expr_loc (BUILTINS_LOCATION, builtin_decl_explicit (BUILT_IN_TRAP), 0); else t = build_builtin_unreachable (BUILTINS_LOCATION); Jakub
On 6/27/22 11:44, Jakub Jelinek wrote: > On Wed, Jun 22, 2022 at 12:04:59AM -0400, Jason Merrill wrote: >> On 6/20/22 16:16, Jason Merrill wrote: >>> On 6/20/22 07:05, Jakub Jelinek wrote: >>>> On Fri, Jun 17, 2022 at 05:20:02PM -0400, Jason Merrill wrote: >>>>> Related to PR104642, the current situation where we get less >>>>> return checking >>>>> with just -fsanitize=unreachable than no sanitize flags seems >>>>> undesirable; I >>>>> propose that we do return checking when -fsanitize=unreachable. >>>> >>>> __builtin_unreachable itself (unless turned into trap or >>>> __ubsan_handle_builtin_unreachable) is not any kind of return >>>> checking, it >>>> is just an optimization. >>> >>> Yes, but I'm talking about "when -fsanitize=unreachable". > > The usual case is that people just use -fsanitize=undefined > and get both return and unreachable sanitization, for fall through > into end of functions returning non-void done through return sanitization. > > In the rare case people use something different like > -fsanitize=undefined -fno-sanitize=return > or > -fsanitize=unreachable > etc., they presumably don't want the fall through from end of function > diagnosed at runtime. I disagree with this assumption for the second case; it seems much more likely to me that the user just wasn't thinking about needing to also mention return. Missing return is a logical subset of unreachable; if we sanitize all the other __builtin_unreachable introduced by the compiler, why in the world would we want to leave out this one that is such a frequent error? Full -fsanitize=undefined is much higher overhead than just -fsanitize=unreachable, which introduces no extra checks. And adding return checking to unreachable is essentially zero overhead. I can't imagine any reason to want to check unreachable points EXCEPT for missing return. > I think the behavior we want is: > 1) -fsanitize=return is on -> use ubsan_instrument_return > (__ubsan_missing_return_data or __builtin_trap depending on > -fsanitize-trap=return); otherwise > 2) -funreachable-traps is on (from -O0/-Og by default or explicit), > emit __builtin_trap; otherwise > 3) -fsanitize=unreachable is on, not emit anything (__builtin_unreachable > would be just an optimization, but user asked not to instrument returns, > only unreachable, so honor user's decision and avoid confusion); otherwise > 4) -O0 is on, not emit anything (__builtin_unreachable wouldn't be much > of an optimization, just surprising and hard to debug effect); otherwise > 5) emit __builtin_unreachable > > Current trunk with your PR104642 fix in implements 1), will do 2) > only if -fsanitize=unreachable is not on, will do 3), will do 4) and 5). > > So, I'd change cp-gimplify.cc (cp_maybe_instrument_return), change: > if (!sanitize_flags_p (SANITIZE_RETURN, fndecl) > && ((!optimize && !flag_unreachable_traps) > || sanitize_flags_p (SANITIZE_UNREACHABLE, fndecl))) > return; > to > if (!sanitize_flags_p (SANITIZE_RETURN, fndecl) > && !flag_unreachable_traps > && (!optimize || sanitize_flags_p (SANITIZE_UNREACHABLE, fndecl))) > return; > and > if (sanitize_flags_p (SANITIZE_RETURN, fndecl)) > t = ubsan_instrument_return (loc); > else > t = build_builtin_unreachable (BUILTINS_LOCATION); > to > if (sanitize_flags_p (SANITIZE_RETURN, fndecl)) > t = ubsan_instrument_return (loc); > else if (flag_unreachable_traps) > t = build_call_expr_loc (BUILTINS_LOCATION, > builtin_decl_explicit (BUILT_IN_TRAP), 0); > else > t = build_builtin_unreachable (BUILTINS_LOCATION); > > Jakub >
On Wed, Jun 29, 2022 at 12:42:04PM -0400, Jason Merrill wrote: > > The usual case is that people just use -fsanitize=undefined > > and get both return and unreachable sanitization, for fall through > > into end of functions returning non-void done through return sanitization. > > > > In the rare case people use something different like > > -fsanitize=undefined -fno-sanitize=return > > or > > -fsanitize=unreachable > > etc., they presumably don't want the fall through from end of function > > diagnosed at runtime. > > I disagree with this assumption for the second case; it seems much more > likely to me that the user just wasn't thinking about needing to also > mention return. Missing return is a logical subset of unreachable; if we > sanitize all the other __builtin_unreachable introduced by the compiler, why > in the world would we want to leave out this one that is such a frequent > error? UBSan was initially implemented in LLVM and our -fsanitize= options try to match where possible what they do. And their behavior is too that return and unreachable are separate sanitizers, fallthrough from function return is sanitized only for the former, they apparently at -O0 implement something like -funreachable-traps (but not at -Og) and emit a trap there (regardless of -fsanitize=unreachable), for -O1 and higher they act as if non-sanitized __builtin_unreachable () is in there regardless of -fsanitize=unreachable. It would be strange to diverge from this without a strong reason. The fact that we use __builtin_unreachable for the function ends is just our implementation detail and when we'd report that to users, they'd just be confused on what's going on. With -fsanitize=return they are told what happens. > Full -fsanitize=undefined is much higher overhead than just > -fsanitize=unreachable, which introduces no extra checks. And adding return > checking to unreachable is essentially zero overhead. I can't imagine any > reason to want to check unreachable points EXCEPT for missing return. -fsanitize=unreachable isn't zero overhead, it will force evaluation of all the conditionals guarding it and preparation of arguments for it etc. Jakub
On 6/29/22 13:26, Jakub Jelinek wrote: > On Wed, Jun 29, 2022 at 12:42:04PM -0400, Jason Merrill wrote: >>> The usual case is that people just use -fsanitize=undefined >>> and get both return and unreachable sanitization, for fall through >>> into end of functions returning non-void done through return sanitization. >>> >>> In the rare case people use something different like >>> -fsanitize=undefined -fno-sanitize=return >>> or >>> -fsanitize=unreachable >>> etc., they presumably don't want the fall through from end of function >>> diagnosed at runtime. >> >> I disagree with this assumption for the second case; it seems much more >> likely to me that the user just wasn't thinking about needing to also >> mention return. Missing return is a logical subset of unreachable; if we >> sanitize all the other __builtin_unreachable introduced by the compiler, why >> in the world would we want to leave out this one that is such a frequent >> error? > > UBSan was initially implemented in LLVM and our -fsanitize= options try to > match where possible what they do. > And their behavior is too that return and unreachable are separate > sanitizers, fallthrough from function return is sanitized only for the > former, they apparently at -O0 implement something like -funreachable-traps > (but not at -Og) and emit a trap there (regardless of > -fsanitize=unreachable), for -O1 and higher they act as if non-sanitized > __builtin_unreachable () is in there regardless of -fsanitize=unreachable. Hmm, does clang only sanitize explicit calls to __builtin_unreachable? > It would be strange to diverge from this without a strong reason. > The fact that we use __builtin_unreachable for the function ends is just our > implementation detail and when we'd report that to users, they'd just be > confused on what's going on. With -fsanitize=return they are told what > happens. > >> Full -fsanitize=undefined is much higher overhead than just >> -fsanitize=unreachable, which introduces no extra checks. And adding return >> checking to unreachable is essentially zero overhead. I can't imagine any >> reason to want to check unreachable points EXCEPT for missing return. > > -fsanitize=unreachable isn't zero overhead, it will force evaluation of all > the conditionals guarding it and preparation of arguments for it etc.
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index 50f57877477..e572158a1ba 100644 --- a/gcc/doc/invoke.texi +++ b/gcc/doc/invoke.texi @@ -15946,6 +15946,8 @@ built with this option turned on will issue an error message when the end of a non-void function is reached without actually returning a value. This option works in C++ only. +This check is also enabled by -fsanitize=unreachable. + @item -fsanitize=signed-integer-overflow @opindex fsanitize=signed-integer-overflow This option enables signed integer overflow checking. We check that diff --git a/gcc/cp/cp-gimplify.cc b/gcc/cp/cp-gimplify.cc index 6f84d157c98..5c2eb61842c 100644 --- a/gcc/cp/cp-gimplify.cc +++ b/gcc/cp/cp-gimplify.cc @@ -1806,18 +1806,6 @@ cp_maybe_instrument_return (tree fndecl) || !targetm.warn_func_return (fndecl)) return; - if (!sanitize_flags_p (SANITIZE_RETURN, fndecl) - /* Don't add __builtin_unreachable () if not optimizing, it will not - improve any optimizations in that case, just break UB code. - Don't add it if -fsanitize=unreachable -fno-sanitize=return either, - UBSan covers this with ubsan_instrument_return above where sufficient - information is provided, while the __builtin_unreachable () below - if return sanitization is disabled will just result in hard to - understand runtime error without location. */ - && (!optimize - || sanitize_flags_p (SANITIZE_UNREACHABLE, fndecl))) - return; - tree t = DECL_SAVED_TREE (fndecl); while (t) { diff --git a/gcc/opts.cc b/gcc/opts.cc index 062782ac700..a7b02b0f693 100644 --- a/gcc/opts.cc +++ b/gcc/opts.cc @@ -1254,6 +1254,16 @@ finish_options (struct gcc_options *opts, struct gcc_options *opts_set, if (opts->x_flag_sanitize & ~(SANITIZE_LEAK | SANITIZE_UNREACHABLE)) opts->x_flag_aggressive_loop_optimizations = 0; + /* -fsanitize=unreachable implies -fsanitize=return, but without affecting + aggressive loop optimizations. */ + if ((opts->x_flag_sanitize & (SANITIZE_UNREACHABLE | SANITIZE_RETURN)) + == SANITIZE_UNREACHABLE) + { + opts->x_flag_sanitize |= SANITIZE_RETURN; + if (opts->x_flag_sanitize_trap & SANITIZE_UNREACHABLE) + opts->x_flag_sanitize_trap |= SANITIZE_RETURN; + } + /* Enable -fsanitize-address-use-after-scope if either address sanitizer is enabled. */ if (opts->x_flag_sanitize diff --git a/gcc/testsuite/g++.dg/ubsan/return-8c.C b/gcc/testsuite/g++.dg/ubsan/return-8c.C new file mode 100644 index 00000000000..a67f086d452 --- /dev/null +++ b/gcc/testsuite/g++.dg/ubsan/return-8c.C @@ -0,0 +1,15 @@ +// PR c++/104642 + +// -fsanitize=unreachable should imply -fsanitize=return. + +// { dg-do run } +// { dg-shouldfail { *-*-* } } +// { dg-additional-options "-O -fsanitize=unreachable" } + +bool b; + +int f() { + if (b) return 42; +} // { dg-warning "-Wreturn-type" } + +int main() { f(); }