re PR sanitizer/79572 (reference binding to null pointer not reported with -fsanitize=undefined)

PR c++/79572 * c-ubsan.h (ubsan_maybe_instrument_reference): Change argument to tree *. * c-ubsan.c (ubsan_maybe_instrument_reference): Likewise. Handle not just NOP_EXPR to REFERENCE_TYPE, but also INTEGER_CST with REFERENCE_TYPE. * cp-gimplify.c (cp_genericize_r): Sanitize INTEGER_CSTs with REFERENCE_TYPE. Adjust ubsan_maybe_instrument_reference caller for NOP_EXPR to REFERENCE_TYPE. * g++.dg/ubsan/null-8.C: New test. From-SVN: r246621
2017-03-31 20:39:25 +02:00 · 2017-03-31 20:39:25 +02:00 · 6f3af35628
commit 6f3af35628
parent 77734296b4
7 changed files with 66 additions and 6 deletions
--- a/gcc/c-family/ChangeLog
+++ b/gcc/c-family/ChangeLog
@ -1,3 +1,12 @@
+2017-03-31  Jakub Jelinek  <jakub@redhat.com>
+
+	PR c++/79572
+	* c-ubsan.h (ubsan_maybe_instrument_reference): Change argument to
+	tree *.
+	* c-ubsan.c (ubsan_maybe_instrument_reference): Likewise.  Handle
+	not just NOP_EXPR to REFERENCE_TYPE, but also INTEGER_CST with
+	REFERENCE_TYPE.
+
 2017-03-31  David Malcolm  <dmalcolm@redhat.com>

 	PR documentation/78732
--- a/gcc/c-family/c-ubsan.c
+++ b/gcc/c-family/c-ubsan.c
@ -458,17 +458,26 @@ ubsan_maybe_instrument_reference_or_call (location_t loc, tree op, tree ptype,
  return fold_build2 (COMPOUND_EXPR, TREE_TYPE (op), call, op);
 }

-/* Instrument a NOP_EXPR to REFERENCE_TYPE if needed.  */
+/* Instrument a NOP_EXPR to REFERENCE_TYPE or INTEGER_CST with REFERENCE_TYPE
+   type if needed.  */

 void
-ubsan_maybe_instrument_reference (tree stmt)
+ubsan_maybe_instrument_reference (tree *stmt_p)
 {
-  tree op = TREE_OPERAND (stmt, 0);
+  tree stmt = *stmt_p;
+  tree op = stmt;
+  if (TREE_CODE (stmt) == NOP_EXPR)
+    op = TREE_OPERAND (stmt, 0);
  op = ubsan_maybe_instrument_reference_or_call (EXPR_LOCATION (stmt), op,
 						 TREE_TYPE (stmt),
 						 UBSAN_REF_BINDING);
  if (op)
-    TREE_OPERAND (stmt, 0) = op;
+    {
+      if (TREE_CODE (stmt) == NOP_EXPR) 
+	TREE_OPERAND (stmt, 0) = op;
+      else
+	*stmt_p = op;
+    }
 }

 /* Instrument a CALL_EXPR to a method if needed.  */
--- a/gcc/c-family/c-ubsan.h
+++ b/gcc/c-family/c-ubsan.h
@ -28,7 +28,7 @@ extern tree ubsan_instrument_return (location_t);
 extern tree ubsan_instrument_bounds (location_t, tree, tree *, bool);
 extern bool ubsan_array_ref_instrumented_p (const_tree);
 extern void ubsan_maybe_instrument_array_ref (tree *, bool);
-extern void ubsan_maybe_instrument_reference (tree);
+extern void ubsan_maybe_instrument_reference (tree *);
 extern void ubsan_maybe_instrument_member_call (tree, bool);

 /* Declare this here as well as in ubsan.h. */
--- a/gcc/cp/ChangeLog
+++ b/gcc/cp/ChangeLog
@ -1,5 +1,10 @@
 2017-03-31  Jakub Jelinek  <jakub@redhat.com>

+	PR c++/79572
+	* cp-gimplify.c (cp_genericize_r): Sanitize INTEGER_CSTs with
+	REFERENCE_TYPE.  Adjust ubsan_maybe_instrument_reference caller
+	for NOP_EXPR to REFERENCE_TYPE.
+
 	PR libstdc++/80251
 	* cp-tree.h (enum cp_trait_kind): Add CPTK_IS_AGGREGATE.
 	* cxx-pretty-print.c (pp_cxx_trait_expression): Handle
--- a/gcc/cp/cp-gimplify.c
+++ b/gcc/cp/cp-gimplify.c
@ -1130,6 +1130,19 @@ cp_genericize_r (tree *stmt_p, int *walk_subtrees, void *data)
 	}
    }

+  if (TREE_CODE (stmt) == INTEGER_CST
+      && TREE_CODE (TREE_TYPE (stmt)) == REFERENCE_TYPE
+      && (flag_sanitize & (SANITIZE_NULL | SANITIZE_ALIGNMENT))
+      && !wtd->no_sanitize_p)
+    {
+      ubsan_maybe_instrument_reference (stmt_p);
+      if (*stmt_p != stmt)
+	{
+	  *walk_subtrees = 0;
+	  return NULL_TREE;
+	}
+    }
+
  /* Other than invisiref parms, don't walk the same tree twice.  */
  if (p_set->contains (stmt))
    {
@ -1477,7 +1490,7 @@ cp_genericize_r (tree *stmt_p, int *walk_subtrees, void *data)
      if ((flag_sanitize & (SANITIZE_NULL | SANITIZE_ALIGNMENT))
 	  && TREE_CODE (stmt) == NOP_EXPR
 	  && TREE_CODE (TREE_TYPE (stmt)) == REFERENCE_TYPE)
-	ubsan_maybe_instrument_reference (stmt);
+	ubsan_maybe_instrument_reference (stmt_p);
      else if (TREE_CODE (stmt) == CALL_EXPR)
 	{
 	  tree fn = CALL_EXPR_FN (stmt);
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@ -1,3 +1,8 @@
+2017-03-31  Jakub Jelinek  <jakub@redhat.com>
+
+	PR c++/79572
+	* g++.dg/ubsan/null-8.C: New test.
+
 2017-03-31  Pat Haugen  <pthaugen@us.ibm.com>

 	PR target/80107
--- a/gcc/testsuite/g++.dg/ubsan/null-8.C
+++ b/gcc/testsuite/g++.dg/ubsan/null-8.C
@ -0,0 +1,19 @@
+// PR c++/79572
+// { dg-do run }
+// { dg-options "-fsanitize=null -std=c++14" }
+// { dg-output "reference binding to null pointer of type 'const int'" }
+
+void
+foo (const int &iref)
+{
+  if (&iref)
+    __builtin_printf ("iref %d\n", iref);
+  else
+    __builtin_printf ("iref is NULL\n");
+}
+
+int
+main ()
+{
+  foo (*((int*) __null));
+}