Line data Source code
1 : /* UndefinedBehaviorSanitizer, undefined behavior detector.
2 : Copyright (C) 2013-2026 Free Software Foundation, Inc.
3 : Contributed by Marek Polacek <polacek@redhat.com>
4 :
5 : This file is part of GCC.
6 :
7 : GCC is free software; you can redistribute it and/or modify it under
8 : the terms of the GNU General Public License as published by the Free
9 : Software Foundation; either version 3, or (at your option) any later
10 : version.
11 :
12 : GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 : WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 : FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 : for more details.
16 :
17 : You should have received a copy of the GNU General Public License
18 : along with GCC; see the file COPYING3. If not see
19 : <http://www.gnu.org/licenses/>. */
20 :
21 : #include "config.h"
22 : #include "system.h"
23 : #include "coretypes.h"
24 : #include "tm.h"
25 : #include "c-family/c-common.h"
26 : #include "ubsan.h"
27 : #include "c-family/c-ubsan.h"
28 : #include "stor-layout.h"
29 : #include "builtins.h"
30 : #include "gimplify.h"
31 : #include "stringpool.h"
32 : #include "attribs.h"
33 : #include "asan.h"
34 : #include "langhooks.h"
35 :
36 : /* Instrument division by zero and INT_MIN / -1. If not instrumenting,
37 : return NULL_TREE. */
38 :
39 : tree
40 1377 : ubsan_instrument_division (location_t loc, tree op0, tree op1)
41 : {
42 1377 : tree t, tt, x = NULL_TREE;
43 1377 : tree type = TREE_TYPE (op0);
44 1377 : enum sanitize_code flag = SANITIZE_DIVIDE;
45 :
46 : /* At this point both operands should have the same type,
47 : because they are already converted to RESULT_TYPE.
48 : Use TYPE_MAIN_VARIANT since typedefs can confuse us. */
49 1377 : tree top0 = TYPE_MAIN_VARIANT (type);
50 1377 : tree top1 = TYPE_MAIN_VARIANT (TREE_TYPE (op1));
51 1377 : gcc_checking_assert (lang_hooks.types_compatible_p (top0, top1));
52 :
53 1377 : op0 = unshare_expr (op0);
54 1377 : op1 = unshare_expr (op1);
55 :
56 1377 : if (INTEGRAL_TYPE_P (type)
57 1377 : && sanitize_flags_p (SANITIZE_DIVIDE))
58 901 : t = fold_build2 (EQ_EXPR, boolean_type_node,
59 : op1, build_int_cst (type, 0));
60 476 : else if (SCALAR_FLOAT_TYPE_P (type)
61 476 : && sanitize_flags_p (SANITIZE_FLOAT_DIVIDE))
62 : {
63 96 : t = fold_build2 (EQ_EXPR, boolean_type_node,
64 : op1, build_real (type, dconst0));
65 96 : flag = SANITIZE_FLOAT_DIVIDE;
66 : }
67 : else
68 : t = NULL_TREE;
69 :
70 : /* We check INT_MIN / -1 only for signed types. */
71 1377 : if (INTEGRAL_TYPE_P (type)
72 1166 : && sanitize_flags_p (SANITIZE_SI_OVERFLOW)
73 2268 : && !TYPE_UNSIGNED (type))
74 : {
75 759 : tt = fold_build2 (EQ_EXPR, boolean_type_node, unshare_expr (op1),
76 : build_int_cst (type, -1));
77 759 : x = fold_build2 (EQ_EXPR, boolean_type_node, op0,
78 : TYPE_MIN_VALUE (type));
79 759 : x = fold_build2 (TRUTH_AND_EXPR, boolean_type_node, x, tt);
80 759 : if (t == NULL_TREE || integer_zerop (t))
81 : {
82 : t = x;
83 : x = NULL_TREE;
84 : flag = SANITIZE_SI_OVERFLOW;
85 : }
86 301 : else if ((((flag_sanitize_trap & SANITIZE_DIVIDE) == 0)
87 301 : == ((flag_sanitize_trap & SANITIZE_SI_OVERFLOW) == 0))
88 301 : && (((flag_sanitize_recover & SANITIZE_DIVIDE) == 0)
89 301 : == ((flag_sanitize_recover & SANITIZE_SI_OVERFLOW) == 0)))
90 : {
91 260 : t = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, t, x);
92 260 : x = NULL_TREE;
93 : }
94 41 : else if (integer_zerop (x))
95 482 : x = NULL_TREE;
96 : }
97 618 : else if (t == NULL_TREE)
98 : return NULL_TREE;
99 :
100 : /* If the condition was folded to 0, no need to instrument
101 : this expression. */
102 1241 : if (integer_zerop (t))
103 : return NULL_TREE;
104 :
105 : /* In case we have a SAVE_EXPR in a conditional context, we need to
106 : make sure it gets evaluated before the condition. */
107 786 : t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), unshare_expr (op0), t);
108 786 : t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), unshare_expr (op1), t);
109 786 : if ((flag_sanitize_trap & flag) && x == NULL_TREE)
110 10 : tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
111 : else
112 : {
113 776 : tree data = ubsan_create_data ("__ubsan_overflow_data", 1, &loc,
114 : ubsan_type_descriptor (type), NULL_TREE,
115 : NULL_TREE);
116 776 : data = build_fold_addr_expr_loc (loc, data);
117 776 : if (flag_sanitize_trap & flag)
118 0 : tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP),
119 : 0);
120 : else
121 : {
122 115 : enum built_in_function bcode
123 776 : = (flag_sanitize_recover & flag)
124 776 : ? BUILT_IN_UBSAN_HANDLE_DIVREM_OVERFLOW
125 : : BUILT_IN_UBSAN_HANDLE_DIVREM_OVERFLOW_ABORT;
126 776 : tt = builtin_decl_explicit (bcode);
127 776 : op0 = unshare_expr (op0);
128 776 : op1 = unshare_expr (op1);
129 776 : tt = build_call_expr_loc (loc, tt, 3, data, ubsan_encode_value (op0),
130 : ubsan_encode_value (op1));
131 : }
132 776 : if (x)
133 : {
134 41 : tree xt;
135 41 : if (flag_sanitize_trap & SANITIZE_SI_OVERFLOW)
136 0 : xt = build_call_expr_loc (loc,
137 : builtin_decl_explicit (BUILT_IN_TRAP),
138 : 0);
139 : else
140 : {
141 16 : enum built_in_function bcode
142 41 : = (flag_sanitize_recover & SANITIZE_SI_OVERFLOW)
143 41 : ? BUILT_IN_UBSAN_HANDLE_DIVREM_OVERFLOW
144 : : BUILT_IN_UBSAN_HANDLE_DIVREM_OVERFLOW_ABORT;
145 41 : xt = builtin_decl_explicit (bcode);
146 41 : op0 = unshare_expr (op0);
147 41 : op1 = unshare_expr (op1);
148 41 : xt = build_call_expr_loc (loc, xt, 3, data,
149 : ubsan_encode_value (op0),
150 : ubsan_encode_value (op1));
151 : }
152 41 : x = fold_build3 (COND_EXPR, void_type_node, x, xt, void_node);
153 : }
154 : }
155 786 : t = fold_build3 (COND_EXPR, void_type_node, t, tt, x ? x : void_node);
156 :
157 786 : return t;
158 : }
159 :
160 : /* Instrument left and right shifts. */
161 :
162 : tree
163 2183 : ubsan_instrument_shift (location_t loc, enum tree_code code,
164 : tree op0, tree op1)
165 : {
166 2183 : tree t, tt = NULL_TREE;
167 2183 : tree type0 = TREE_TYPE (op0);
168 2183 : tree type1 = TREE_TYPE (op1);
169 2183 : if (!INTEGRAL_TYPE_P (type0))
170 : return NULL_TREE;
171 :
172 2169 : tree op1_utype = unsigned_type_for (type1);
173 2169 : HOST_WIDE_INT op0_prec = TYPE_PRECISION (type0);
174 2169 : tree uprecm1 = build_int_cst (op1_utype, op0_prec - 1);
175 :
176 2169 : op0 = unshare_expr (op0);
177 2169 : op1 = unshare_expr (op1);
178 :
179 2169 : if (code == LROTATE_EXPR || code == RROTATE_EXPR)
180 : {
181 : /* For rotates just check for negative op1. */
182 28 : if (TYPE_UNSIGNED (type1))
183 : return NULL_TREE;
184 28 : t = fold_build2 (LT_EXPR, boolean_type_node, op1,
185 : build_int_cst (type1, 0));
186 : }
187 : else
188 : {
189 2141 : t = fold_convert_loc (loc, op1_utype, op1);
190 2141 : t = fold_build2 (GT_EXPR, boolean_type_node, t, uprecm1);
191 : }
192 :
193 : /* If this is not a signed operation, don't perform overflow checks.
194 : Also punt on bit-fields. */
195 2169 : if (TYPE_OVERFLOW_WRAPS (type0)
196 2804 : || maybe_ne (GET_MODE_BITSIZE (TYPE_MODE (type0)),
197 1402 : TYPE_PRECISION (type0))
198 1322 : || !sanitize_flags_p (SANITIZE_SHIFT_BASE)
199 : /* In C++20 and later, shifts are well defined except when
200 : the second operand is not within bounds. */
201 1271 : || cxx_dialect >= cxx20)
202 : ;
203 :
204 : /* For signed x << y, in C99 and later, the following:
205 : (unsigned) x >> (uprecm1 - y)
206 : if non-zero, is undefined. */
207 1082 : else if (code == LSHIFT_EXPR && flag_isoc99 && cxx_dialect < cxx11)
208 : {
209 766 : tree x = fold_build2 (MINUS_EXPR, op1_utype, uprecm1,
210 : fold_convert (op1_utype, unshare_expr (op1)));
211 766 : tt = fold_convert_loc (loc, unsigned_type_for (type0), op0);
212 766 : tt = fold_build2 (RSHIFT_EXPR, TREE_TYPE (tt), tt, x);
213 766 : tt = fold_build2 (NE_EXPR, boolean_type_node, tt,
214 : build_int_cst (TREE_TYPE (tt), 0));
215 766 : }
216 :
217 : /* For signed x << y, in C++11 to C++17, the following:
218 : x < 0 || ((unsigned) x >> (uprecm1 - y))
219 : if > 1, is undefined. */
220 82 : else if (code == LSHIFT_EXPR && cxx_dialect >= cxx11)
221 : {
222 22 : tree x = fold_build2 (MINUS_EXPR, op1_utype, uprecm1,
223 : fold_convert (op1_utype, unshare_expr (op1)));
224 22 : tt = fold_convert_loc (loc, unsigned_type_for (type0),
225 : unshare_expr (op0));
226 22 : tt = fold_build2 (RSHIFT_EXPR, TREE_TYPE (tt), tt, x);
227 22 : tt = fold_build2 (GT_EXPR, boolean_type_node, tt,
228 : build_int_cst (TREE_TYPE (tt), 1));
229 22 : x = fold_build2 (LT_EXPR, boolean_type_node, unshare_expr (op0),
230 : build_int_cst (type0, 0));
231 22 : tt = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, x, tt);
232 : }
233 :
234 : /* If the condition was folded to 0, no need to instrument
235 : this expression. */
236 2169 : if (integer_zerop (t) && (tt == NULL_TREE || integer_zerop (tt)))
237 1145 : return NULL_TREE;
238 :
239 : /* In case we have a SAVE_EXPR in a conditional context, we need to
240 : make sure it gets evaluated before the condition. */
241 1024 : t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), unshare_expr (op0), t);
242 1024 : t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), unshare_expr (op1), t);
243 :
244 1024 : enum sanitize_code recover_kind = SANITIZE_SHIFT_EXPONENT;
245 1024 : tree else_t = void_node;
246 1024 : if (tt)
247 : {
248 487 : if (!sanitize_flags_p (SANITIZE_SHIFT_EXPONENT))
249 : {
250 28 : t = fold_build1 (TRUTH_NOT_EXPR, boolean_type_node, t);
251 28 : t = fold_build2 (TRUTH_AND_EXPR, boolean_type_node, t, tt);
252 28 : recover_kind = SANITIZE_SHIFT_BASE;
253 : }
254 : else
255 : {
256 459 : if (((!(flag_sanitize_trap & SANITIZE_SHIFT_EXPONENT))
257 459 : == (!(flag_sanitize_trap & SANITIZE_SHIFT_BASE)))
258 459 : && ((!(flag_sanitize_recover & SANITIZE_SHIFT_EXPONENT))
259 459 : == (!(flag_sanitize_recover & SANITIZE_SHIFT_BASE))))
260 392 : t = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, t, tt);
261 : else
262 : else_t = tt;
263 : }
264 : }
265 :
266 1024 : if ((flag_sanitize_trap & recover_kind) && else_t == void_node)
267 0 : tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
268 : else
269 : {
270 1024 : if (TREE_CODE (type1) == BITINT_TYPE
271 1056 : && TYPE_PRECISION (type1) > MAX_FIXED_MODE_SIZE)
272 : {
273 : /* Workaround for missing _BitInt support in libsanitizer.
274 : Instead of crashing in the library, pretend values above
275 : maximum value of normal integral type or below minimum value
276 : of that type are those extremes. */
277 32 : tree type2 = build_nonstandard_integer_type (MAX_FIXED_MODE_SIZE,
278 32 : TYPE_UNSIGNED (type1));
279 32 : tree op2 = op1;
280 32 : if (!TYPE_UNSIGNED (type1))
281 : {
282 32 : op2 = fold_build2 (LT_EXPR, boolean_type_node, unshare_expr (op1),
283 : fold_convert (type1, TYPE_MIN_VALUE (type2)));
284 32 : op2 = fold_build3 (COND_EXPR, type2, op2, TYPE_MIN_VALUE (type2),
285 : fold_convert (type2, unshare_expr (op1)));
286 : }
287 : else
288 0 : op2 = fold_convert (type2, op1);
289 32 : tree op3
290 32 : = fold_build2 (GT_EXPR, boolean_type_node, unshare_expr (op1),
291 : fold_convert (type1, TYPE_MAX_VALUE (type2)));
292 32 : op1 = fold_build3 (COND_EXPR, type2, op3, TYPE_MAX_VALUE (type2),
293 : op2);
294 32 : type1 = type2;
295 : }
296 1024 : tree utd0 = ubsan_type_descriptor (type0, UBSAN_PRINT_FORCE_INT);
297 1024 : tree data = ubsan_create_data ("__ubsan_shift_data", 1, &loc, utd0,
298 : ubsan_type_descriptor (type1), NULL_TREE,
299 : NULL_TREE);
300 1024 : data = build_fold_addr_expr_loc (loc, data);
301 :
302 1024 : if (flag_sanitize_trap & recover_kind)
303 0 : tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
304 : else
305 : {
306 152 : enum built_in_function bcode
307 1024 : = (flag_sanitize_recover & recover_kind)
308 1024 : ? BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS
309 : : BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS_ABORT;
310 1024 : tt = builtin_decl_explicit (bcode);
311 1024 : op0 = unshare_expr (op0);
312 1024 : op1 = unshare_expr (op1);
313 1024 : tt = build_call_expr_loc (loc, tt, 3, data, ubsan_encode_value (op0),
314 : ubsan_encode_value (op1));
315 : }
316 1024 : if (else_t != void_node)
317 : {
318 67 : tree else_tt;
319 67 : if (flag_sanitize_trap & SANITIZE_SHIFT_BASE)
320 0 : else_tt
321 0 : = build_call_expr_loc (loc,
322 : builtin_decl_explicit (BUILT_IN_TRAP), 0);
323 : else
324 : {
325 32 : enum built_in_function bcode
326 67 : = (flag_sanitize_recover & SANITIZE_SHIFT_BASE)
327 67 : ? BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS
328 : : BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS_ABORT;
329 67 : else_tt = builtin_decl_explicit (bcode);
330 67 : op0 = unshare_expr (op0);
331 67 : op1 = unshare_expr (op1);
332 67 : else_tt = build_call_expr_loc (loc, else_tt, 3, data,
333 : ubsan_encode_value (op0),
334 : ubsan_encode_value (op1));
335 : }
336 67 : else_t = fold_build3 (COND_EXPR, void_type_node, else_t,
337 : else_tt, void_node);
338 : }
339 : }
340 1024 : t = fold_build3 (COND_EXPR, void_type_node, t, tt, else_t);
341 :
342 1024 : return t;
343 : }
344 :
345 : /* Instrument variable length array bound. */
346 :
347 : tree
348 233 : ubsan_instrument_vla (location_t loc, tree size)
349 : {
350 233 : tree type = TREE_TYPE (size);
351 233 : tree t, tt;
352 :
353 233 : t = fold_build2 (LE_EXPR, boolean_type_node, size, build_int_cst (type, 0));
354 233 : if (flag_sanitize_trap & SANITIZE_VLA)
355 0 : tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
356 : else
357 : {
358 233 : tree data = ubsan_create_data ("__ubsan_vla_data", 1, &loc,
359 : ubsan_type_descriptor (type), NULL_TREE,
360 : NULL_TREE);
361 233 : data = build_fold_addr_expr_loc (loc, data);
362 12 : enum built_in_function bcode
363 233 : = (flag_sanitize_recover & SANITIZE_VLA)
364 233 : ? BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE
365 : : BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE_ABORT;
366 233 : tt = builtin_decl_explicit (bcode);
367 233 : tt = build_call_expr_loc (loc, tt, 2, data, ubsan_encode_value (size));
368 : }
369 233 : t = fold_build3 (COND_EXPR, void_type_node, t, tt, void_node);
370 :
371 233 : return t;
372 : }
373 :
374 : /* Instrument missing return in C++ functions returning non-void. */
375 :
376 : tree
377 1792 : ubsan_instrument_return (location_t loc)
378 : {
379 1792 : if (flag_sanitize_trap & SANITIZE_RETURN)
380 : /* pass_warn_function_return checks for BUILTINS_LOCATION. */
381 3 : return build_call_expr_loc (BUILTINS_LOCATION,
382 3 : builtin_decl_explicit (BUILT_IN_TRAP), 0);
383 :
384 1789 : tree data = ubsan_create_data ("__ubsan_missing_return_data", 1, &loc,
385 : NULL_TREE, NULL_TREE);
386 1789 : tree t = builtin_decl_explicit (BUILT_IN_UBSAN_HANDLE_MISSING_RETURN);
387 1789 : return build_call_expr_loc (loc, t, 1, build_fold_addr_expr_loc (loc, data));
388 : }
389 :
390 : /* Get the tree that represented the number of counted_by, i.e, the maximum
391 : number of the elements of the object that the call to .ACCESS_WITH_SIZE
392 : points to, this number will be the bound of the corresponding array. */
393 : static tree
394 146 : get_bound_from_access_with_size (tree call)
395 : {
396 146 : if (!is_access_with_size_p (call))
397 : return NULL_TREE;
398 :
399 146 : tree ref_to_size = CALL_EXPR_ARG (call, 1);
400 146 : tree type = TREE_TYPE (TREE_TYPE (CALL_EXPR_ARG (call, 2)));
401 146 : tree size = fold_build2 (MEM_REF, type, unshare_expr (ref_to_size),
402 : build_int_cst (ptr_type_node, 0));
403 : /* If size is negative value, treat it as zero. */
404 146 : if (!TYPE_UNSIGNED (type))
405 : {
406 146 : tree cond = fold_build2 (LT_EXPR, boolean_type_node,
407 : unshare_expr (size), build_zero_cst (type));
408 146 : size = fold_build3 (COND_EXPR, type, cond,
409 : build_zero_cst (type), size);
410 : }
411 :
412 146 : size = fold_convert (sizetype, size);
413 :
414 146 : return size;
415 : }
416 :
417 :
418 : /* Instrument array bounds for ARRAY_REFs. We create special builtin,
419 : that gets expanded in the sanopt pass, and make an array dimension
420 : of it. ARRAY is the array, *INDEX is an index to the array.
421 : Return NULL_TREE if no instrumentation is emitted.
422 : IGNORE_OFF_BY_ONE is true if the ARRAY_REF is inside an ADDR_EXPR. */
423 :
424 : tree
425 4320 : ubsan_instrument_bounds (location_t loc, tree array, tree *index,
426 : bool ignore_off_by_one)
427 : {
428 4320 : tree type = TREE_TYPE (array);
429 4320 : tree domain = TYPE_DOMAIN (type);
430 :
431 4320 : if (domain == NULL_TREE)
432 : return NULL_TREE;
433 :
434 4308 : tree bound = TYPE_MAX_VALUE (domain);
435 4308 : if (!bound)
436 : {
437 : /* Handle C [0] arrays, which have TYPE_MAX_VALUE NULL, like
438 : C++ [0] arrays which have TYPE_MIN_VALUE 0 TYPE_MAX_VALUE -1. */
439 260 : if (!c_dialect_cxx ()
440 260 : && COMPLETE_TYPE_P (type)
441 379 : && integer_zerop (TYPE_SIZE (type)))
442 119 : bound = build_int_cst (TREE_TYPE (TYPE_MIN_VALUE (domain)), -1);
443 141 : else if (INDIRECT_REF_P (array)
444 141 : && is_access_with_size_p ((TREE_OPERAND (array, 0))))
445 : {
446 69 : bound = get_bound_from_access_with_size ((TREE_OPERAND (array, 0)));
447 69 : bound = fold_build2 (MINUS_EXPR, TREE_TYPE (bound),
448 : bound,
449 : build_int_cst (TREE_TYPE (bound), 1));
450 : }
451 : else
452 72 : return NULL_TREE;
453 : }
454 :
455 4236 : bound = fold_build2 (PLUS_EXPR, TREE_TYPE (bound), bound,
456 : build_int_cst (TREE_TYPE (bound),
457 : 1 + ignore_off_by_one));
458 :
459 : /* Detect flexible array members and suchlike, unless
460 : -fsanitize=bounds-strict. */
461 4236 : tree base = get_base_address (array);
462 4236 : if (!sanitize_flags_p (SANITIZE_BOUNDS_STRICT)
463 4204 : && TREE_CODE (array) == COMPONENT_REF
464 5159 : && base && (INDIRECT_REF_P (base) || TREE_CODE (base) == MEM_REF))
465 : {
466 : tree next = NULL_TREE;
467 : tree cref = array;
468 :
469 : /* Walk all structs/unions. */
470 845 : while (TREE_CODE (cref) == COMPONENT_REF)
471 : {
472 618 : if (TREE_CODE (TREE_TYPE (TREE_OPERAND (cref, 0))) == RECORD_TYPE)
473 606 : for (next = DECL_CHAIN (TREE_OPERAND (cref, 1));
474 4193 : next && TREE_CODE (next) != FIELD_DECL;
475 3587 : next = DECL_CHAIN (next))
476 : ;
477 618 : if (next)
478 : /* Not a last element. Instrument it. */
479 : break;
480 377 : if (TREE_CODE (TREE_TYPE (TREE_OPERAND (cref, 1))) == ARRAY_TYPE
481 377 : && !c_dialect_cxx ())
482 : {
483 268 : unsigned l
484 268 : = c_strict_flex_array_level_of (TREE_OPERAND (cref, 1));
485 268 : tree type2 = TREE_TYPE (TREE_OPERAND (cref, 1));
486 268 : if (TYPE_DOMAIN (type2) != NULL_TREE)
487 : {
488 268 : tree max = TYPE_MAX_VALUE (TYPE_DOMAIN (type2));
489 268 : if (max == NULL_TREE)
490 : {
491 : /* C [0] */
492 47 : if (COMPLETE_TYPE_P (type2)
493 47 : && integer_zerop (TYPE_SIZE (type2))
494 94 : && l == 3)
495 8 : next = TREE_OPERAND (cref, 1);
496 : }
497 221 : else if (TREE_CODE (max) == INTEGER_CST)
498 : {
499 221 : if (c_dialect_cxx ()
500 221 : && integer_all_onesp (max))
501 : {
502 : /* C++ [0] */
503 0 : if (l == 3)
504 0 : next = TREE_OPERAND (cref, 1);
505 : }
506 221 : else if (integer_zerop (max))
507 : {
508 : /* C/C++ [1] */
509 95 : if (l >= 2)
510 16 : next = TREE_OPERAND (cref, 1);
511 : }
512 126 : else if (l >= 1)
513 48 : next = TREE_OPERAND (cref, 1);
514 : }
515 : }
516 268 : if (next)
517 : break;
518 : }
519 : /* Ok, this is the last field of the structure/union. But the
520 : aggregate containing the field must be the last field too,
521 : recursively. */
522 305 : cref = TREE_OPERAND (cref, 0);
523 : }
524 540 : if (!next)
525 : /* Don't instrument this flexible array member-like array in non-strict
526 : -fsanitize=bounds mode. */
527 : return NULL_TREE;
528 : }
529 :
530 : /* Don't emit instrumentation in the most common cases. */
531 4009 : tree idx = NULL_TREE;
532 4009 : if (TREE_CODE (*index) == INTEGER_CST)
533 : idx = *index;
534 759 : else if (TREE_CODE (*index) == BIT_AND_EXPR
535 759 : && TREE_CODE (TREE_OPERAND (*index, 1)) == INTEGER_CST)
536 26 : idx = TREE_OPERAND (*index, 1);
537 3276 : if (idx
538 3276 : && TREE_CODE (bound) == INTEGER_CST
539 2957 : && tree_int_cst_sgn (idx) >= 0
540 6211 : && tree_int_cst_lt (idx, bound))
541 : return NULL_TREE;
542 :
543 1567 : *index = save_expr (*index);
544 : /* If TYPE is a VLA, use 1 instead of 0 as the first argument and
545 : use just the addend to TYPE_MAX_VALUE (domain) as the third argument
546 : temporarily, so that gimplification can use TYPE_MAX_VALUE (domain)
547 : after gimplify_type_sizes. See PR120052. */
548 1567 : bool is_vla = (TYPE_MAX_VALUE (domain)
549 1567 : && TREE_CODE (TYPE_MAX_VALUE (domain)) != INTEGER_CST);
550 406 : if (is_vla)
551 406 : bound = build_int_cst (TREE_TYPE (bound), 1 + ignore_off_by_one);
552 : /* Create a "(T *) 0" (or 1) tree node to describe the array type. */
553 1567 : tree zero_with_type = build_int_cst (build_pointer_type (type), is_vla);
554 1567 : return build_call_expr_internal_loc (loc, IFN_UBSAN_BOUNDS,
555 : void_type_node, 3, zero_with_type,
556 1567 : *index, bound);
557 : }
558 :
559 :
560 : /* Instrument array bounds for the pointer array address which is
561 : a call to .ACCESS_WITH_SIZE. We create special
562 : builtin, that gets expanded in the sanopt pass, and make an array
563 : dimention of it. POINTER_ADDR is the pointer array's base address.
564 : *INDEX is an index to the array.
565 : IGNORE_OFF_BY_ONE is true if the POINTER_ADDR is not inside an
566 : INDIRECT_REF.
567 : Return NULL_TREE if no instrumentation is emitted. */
568 :
569 : tree
570 77 : ubsan_instrument_bounds_pointer_address (location_t loc, tree pointer_addr,
571 : tree *index,
572 : bool ignore_off_by_one)
573 : {
574 77 : tree call = pointer_addr;
575 77 : if (!is_access_with_size_p (call))
576 : return NULL_TREE;
577 77 : tree bound = get_bound_from_access_with_size (call);
578 :
579 77 : if (ignore_off_by_one)
580 0 : bound = fold_build2 (PLUS_EXPR, TREE_TYPE (bound), bound,
581 : build_int_cst (TREE_TYPE (bound),
582 : 1));
583 :
584 : /* Don't emit instrumentation in the most common cases. */
585 77 : tree idx = NULL_TREE;
586 77 : if (TREE_CODE (*index) == INTEGER_CST)
587 : idx = *index;
588 45 : else if (TREE_CODE (*index) == BIT_AND_EXPR
589 45 : && TREE_CODE (TREE_OPERAND (*index, 1)) == INTEGER_CST)
590 0 : idx = TREE_OPERAND (*index, 1);
591 32 : if (idx
592 32 : && TREE_CODE (bound) == INTEGER_CST
593 0 : && tree_int_cst_sgn (idx) >= 0
594 32 : && tree_int_cst_lt (idx, bound))
595 : return NULL_TREE;
596 :
597 77 : *index = save_expr (*index);
598 :
599 : /* Create an array_type for the corresponding pointer array. */
600 77 : tree itype = build_range_type (sizetype, size_zero_node, NULL_TREE);
601 : /* The array's element type can be get from the return type of the call to
602 : .ACCESS_WITH_SIZE. */
603 77 : tree element_type = TREE_TYPE (TREE_TYPE (call));
604 77 : tree array_type = build_array_type (element_type, itype);
605 : /* Create a "(T *) 0" tree node to describe the array type. */
606 77 : tree zero_with_type = build_int_cst (build_pointer_type (array_type), 0);
607 77 : return build_call_expr_internal_loc (loc, IFN_UBSAN_BOUNDS,
608 : void_type_node, 3, zero_with_type,
609 77 : *index, bound);
610 : }
611 :
612 : /* This structure is to combine a factor with its parent and its position
613 : * in its parent tree. */
614 : struct factor_t
615 : {
616 : tree factor;
617 : tree parent; /* the parent tree of this factor. */
618 : int pos; /* the position of this factor in its parent tree. */
619 : };
620 :
621 : /* for a multiply expression like:
622 : ((long unsigned int) m * (long unsigned int) SAVE_EXPR <n>) * 4
623 :
624 : locate all the factors, the parents of the factor and the position of
625 : the factor in its parent, and put them to VEC_FACTORS. */
626 :
627 : static void
628 183 : get_factors_from_mul_expr (tree mult_expr, tree parent,
629 : int pos, auto_vec<factor_t> *vec_factors)
630 : {
631 276 : struct factor_t mult_factor = {0, 0, -1};
632 276 : mult_factor.factor = mult_expr;
633 276 : mult_factor.parent = parent;
634 276 : mult_factor.pos = pos;
635 :
636 377 : while (CONVERT_EXPR_CODE_P (TREE_CODE (mult_expr)))
637 : {
638 101 : mult_factor.parent = mult_expr;
639 101 : mult_factor.pos = 0;
640 101 : mult_expr = TREE_OPERAND (mult_expr, 0);
641 101 : mult_factor.factor = mult_expr;
642 : }
643 276 : if (TREE_CODE (mult_expr) != MULT_EXPR)
644 183 : vec_factors->safe_push (mult_factor);
645 : else
646 : {
647 93 : get_factors_from_mul_expr (TREE_OPERAND (mult_expr, 0), mult_expr,
648 : 0, vec_factors);
649 93 : get_factors_from_mul_expr (TREE_OPERAND (mult_expr, 1), mult_expr,
650 : 1, vec_factors);
651 : }
652 183 : }
653 :
654 : /* Given an OFFSET expression, and the ELEMENT_SIZE,
655 : get the index expression from OFFSET and return it.
656 : For example:
657 : OFFSET:
658 : ((long unsigned int) m * (long unsigned int) SAVE_EXPR <n>) * 4
659 : ELEMENT_SIZE:
660 : (sizetype) SAVE_EXPR <n> * 4
661 : get the index as (long unsigned int) m, and return it.
662 : The INDEX_P holds the pointer to the parent tree of the index,
663 : INDEX_N holds the position of the index in its parent. */
664 :
665 : static tree
666 45 : get_index_from_offset (tree offset, tree *index_p,
667 : int *index_n, tree element_size)
668 : {
669 45 : if (TREE_CODE (offset) != MULT_EXPR)
670 : return NULL_TREE;
671 :
672 45 : auto_vec<factor_t> e_factors, o_factors;
673 45 : get_factors_from_mul_expr (element_size, NULL, -1, &e_factors);
674 45 : get_factors_from_mul_expr (offset, *index_p, *index_n, &o_factors);
675 :
676 90 : if (e_factors.is_empty () || o_factors.is_empty ())
677 : return NULL_TREE;
678 :
679 : bool all_found = true;
680 114 : for (unsigned i = 0; i < e_factors.length (); i++)
681 : {
682 69 : factor_t e_size_factor = e_factors[i];
683 69 : bool found = false;
684 215 : for (unsigned j = 0; j < o_factors.length ();)
685 : {
686 146 : factor_t o_exp_factor = o_factors[j];
687 146 : if (operand_equal_p (e_size_factor.factor, o_exp_factor.factor))
688 : {
689 69 : o_factors.unordered_remove (j);
690 69 : found = true;
691 69 : break;
692 : }
693 : else
694 77 : j++;
695 : }
696 69 : if (!found)
697 : all_found = false;
698 : }
699 :
700 45 : if (!all_found)
701 : return NULL_TREE;
702 :
703 45 : if (o_factors.length () != 1)
704 : return NULL_TREE;
705 :
706 45 : *index_p = o_factors[0].parent;
707 45 : *index_n = o_factors[0].pos;
708 45 : return o_factors[0].factor;
709 45 : }
710 :
711 : /* For an pointer + offset computation expression, such as,
712 : .ACCESS_WITH_SIZE (p->c, &p->b, 1, 0, -1, 0B)
713 : + (sizetype) ((long unsigned int) index * 4
714 : Return the index of this pointer array reference,
715 : set the parent tree of INDEX to *INDEX_P.
716 : set the operand position of the INDEX in the parent tree to *INDEX_N.
717 : If failed, return NULL_TREE. */
718 :
719 : static tree
720 77 : get_index_from_pointer_addr_expr (tree pointer, tree *index_p, int *index_n)
721 : {
722 77 : *index_p = NULL_TREE;
723 77 : *index_n = -1;
724 77 : tree call = TREE_OPERAND (pointer, 0);
725 77 : if (!is_access_with_size_p (call))
726 : return NULL_TREE;
727 :
728 : /* Get the pointee type of the call to .ACCESS_WITH_SIZE.
729 : This should be the element type of the pointer array. */
730 77 : tree pointee_type = TREE_TYPE (TREE_TYPE (call));
731 77 : tree pointee_size = TYPE_SIZE_UNIT (pointee_type);
732 :
733 77 : tree index_exp = TREE_OPERAND (pointer, 1);
734 77 : *index_p = pointer;
735 77 : *index_n = 1;
736 :
737 154 : if (!(TREE_CODE (index_exp) != MULT_EXPR
738 77 : && tree_int_cst_equal (pointee_size, integer_one_node)))
739 : {
740 90 : while (CONVERT_EXPR_CODE_P (TREE_CODE (index_exp)))
741 : {
742 45 : *index_p = index_exp;
743 45 : *index_n = 0;
744 45 : index_exp = TREE_OPERAND (index_exp, 0);
745 : }
746 45 : index_exp = get_index_from_offset (index_exp, index_p,
747 : index_n, pointee_size);
748 :
749 45 : if (!index_exp)
750 : return NULL_TREE;
751 : }
752 :
753 77 : while (CONVERT_EXPR_CODE_P (TREE_CODE (index_exp)))
754 : {
755 0 : *index_p = index_exp;
756 0 : *index_n = 0;
757 0 : index_exp = TREE_OPERAND (index_exp, 0);
758 : }
759 :
760 : return index_exp;
761 : }
762 :
763 : /* Return TRUE when the EXPR is a pointer array address that could be
764 : instrumented.
765 : We only instrument an address computation similar as the following:
766 : .ACCESS_WITH_SIZE (p->c, &p->b, 1, 0, -1, 0B)
767 : + (sizetype) ((long unsigned int) index * 4)
768 : if the EXPR is instrumentable, return TRUE and
769 : set the index to *INDEX.
770 : set the .ACCESS_WITH_SIZE to *BASE.
771 : set the parent tree of INDEX to *INDEX_P.
772 : set the operand position of the INDEX in the parent tree to INDEX_N. */
773 :
774 : static bool
775 77 : is_instrumentable_pointer_array_address (tree expr, tree *base,
776 : tree *index, tree *index_p,
777 : int *index_n)
778 : {
779 : /* For a pointer array address as:
780 : .ACCESS_WITH_SIZE (p->c, &p->b, 1, 0, -1, 0B)
781 : + (sizetype) ((long unsigned int) index * 4)
782 : op0 is the call to .ACCESS_WITH_SIZE;
783 : op1 is the index. */
784 77 : if (TREE_CODE (expr) != POINTER_PLUS_EXPR)
785 : return false;
786 :
787 77 : tree op0 = TREE_OPERAND (expr, 0);
788 77 : if (!is_access_with_size_p (op0))
789 : return false;
790 77 : tree op1 = get_index_from_pointer_addr_expr (expr, index_p, index_n);
791 77 : if (op1 != NULL_TREE)
792 : {
793 77 : *base = op0;
794 77 : *index = op1;
795 77 : return true;
796 : }
797 : return false;
798 : }
799 :
800 : /* Return true iff T is an array or an indirect reference that was
801 : instrumented by SANITIZE_BOUNDS. */
802 :
803 : bool
804 4404 : ubsan_array_ref_instrumented_p (tree t)
805 : {
806 4404 : if (TREE_CODE (t) != ARRAY_REF
807 77 : && TREE_CODE (t) != MEM_REF)
808 : return false;
809 :
810 4327 : bool is_array = (TREE_CODE (t) == ARRAY_REF);
811 4327 : tree op0 = NULL_TREE;
812 4327 : tree op1 = NULL_TREE;
813 4327 : tree index_p = NULL_TREE;
814 4327 : int index_n = 0;
815 4327 : if (is_array)
816 : {
817 4327 : op1 = TREE_OPERAND (t, 1);
818 4327 : return TREE_CODE (op1) == COMPOUND_EXPR
819 0 : && TREE_CODE (TREE_OPERAND (op1, 0)) == CALL_EXPR
820 0 : && CALL_EXPR_FN (TREE_OPERAND (op1, 0)) == NULL_TREE
821 4327 : && CALL_EXPR_IFN (TREE_OPERAND (op1, 0)) == IFN_UBSAN_BOUNDS;
822 : }
823 0 : else if (is_instrumentable_pointer_array_address (t, &op0, &op1,
824 : &index_p, &index_n))
825 0 : return TREE_CODE (op1) == COMPOUND_EXPR
826 0 : && TREE_CODE (TREE_OPERAND (op1, 0)) == CALL_EXPR
827 0 : && CALL_EXPR_FN (TREE_OPERAND (op1, 0)) == NULL_TREE
828 0 : && CALL_EXPR_IFN (TREE_OPERAND (op1, 0)) == IFN_UBSAN_BOUNDS;
829 :
830 : return false;
831 : }
832 :
833 : /* Instrument an ARRAY_REF or an address computation whose base address is
834 : a call to .ACCESS_WITH_SIZE, if it hasn't already been instrumented.
835 : IGNORE_OFF_BY_ONE is true if the ARRAY_REF is inside a ADDR_EXPR, or the
836 : address computation is not inside a INDIRECT_REF. */
837 :
838 : void
839 4404 : ubsan_maybe_instrument_array_ref (tree *expr_p, bool ignore_off_by_one)
840 : {
841 4404 : tree e = NULL_TREE;
842 4404 : tree op0 = NULL_TREE;
843 4404 : tree op1 = NULL_TREE;
844 4404 : tree index_p = NULL_TREE; /* the parent tree of INDEX. */
845 4404 : int index_n = 0; /* the operand position of INDEX in the parent tree. */
846 :
847 4404 : if (!ubsan_array_ref_instrumented_p (*expr_p)
848 4404 : && sanitize_flags_p (SANITIZE_BOUNDS | SANITIZE_BOUNDS_STRICT)
849 8798 : && current_function_decl != NULL_TREE)
850 : {
851 4394 : if (TREE_CODE (*expr_p) == ARRAY_REF)
852 : {
853 4317 : op0 = TREE_OPERAND (*expr_p, 0);
854 4317 : op1 = TREE_OPERAND (*expr_p, 1);
855 4317 : index_p = *expr_p;
856 4317 : index_n = 1;
857 4317 : e = ubsan_instrument_bounds (EXPR_LOCATION (*expr_p), op0,
858 : &op1, ignore_off_by_one);
859 : }
860 77 : else if (is_instrumentable_pointer_array_address (*expr_p, &op0, &op1,
861 : &index_p, &index_n))
862 77 : e = ubsan_instrument_bounds_pointer_address (EXPR_LOCATION (*expr_p),
863 : op0, &op1,
864 : ignore_off_by_one);
865 :
866 : /* Replace the original INDEX with the instrumented INDEX. */
867 4394 : if (e != NULL_TREE)
868 1641 : TREE_OPERAND (index_p, index_n)
869 3282 : = build2 (COMPOUND_EXPR, TREE_TYPE (op1), e, op1);
870 : }
871 4404 : }
872 :
873 : static tree
874 7247 : ubsan_maybe_instrument_reference_or_call (location_t loc, tree op, tree ptype,
875 : enum ubsan_null_ckind ckind)
876 : {
877 7247 : if (!sanitize_flags_p (SANITIZE_ALIGNMENT | SANITIZE_NULL)
878 7247 : || current_function_decl == NULL_TREE)
879 : return NULL_TREE;
880 :
881 7247 : tree type = TREE_TYPE (ptype);
882 7247 : tree orig_op = op;
883 7247 : bool instrument = false;
884 7247 : unsigned int mina = 0;
885 :
886 7247 : if (sanitize_flags_p (SANITIZE_ALIGNMENT))
887 : {
888 7016 : mina = min_align_of_type (type);
889 7016 : if (mina <= 1)
890 1135 : mina = 0;
891 : }
892 9691 : while ((TREE_CODE (op) == NOP_EXPR
893 9691 : || TREE_CODE (op) == NON_LVALUE_EXPR)
894 9691 : && TREE_CODE (TREE_TYPE (op)) == POINTER_TYPE)
895 2444 : op = TREE_OPERAND (op, 0);
896 7247 : if (TREE_CODE (op) == NOP_EXPR
897 7247 : && TREE_CODE (TREE_TYPE (op)) == REFERENCE_TYPE)
898 : {
899 0 : if (mina && mina > min_align_of_type (TREE_TYPE (TREE_TYPE (op))))
900 : instrument = true;
901 : }
902 : else
903 : {
904 7247 : if (sanitize_flags_p (SANITIZE_NULL) && TREE_CODE (op) == ADDR_EXPR)
905 : {
906 3997 : bool strict_overflow_p = false;
907 : /* tree_single_nonzero_warnv_p will not return true for non-weak
908 : non-automatic decls with -fno-delete-null-pointer-checks,
909 : which is disabled during -fsanitize=null. We don't want to
910 : instrument those, just weak vars though. */
911 3997 : int save_flag_delete_null_pointer_checks
912 : = flag_delete_null_pointer_checks;
913 3997 : flag_delete_null_pointer_checks = 1;
914 3997 : if (!tree_single_nonzero_warnv_p (op, &strict_overflow_p)
915 3997 : || strict_overflow_p)
916 : instrument = true;
917 3997 : flag_delete_null_pointer_checks
918 3997 : = save_flag_delete_null_pointer_checks;
919 : }
920 3250 : else if (sanitize_flags_p (SANITIZE_NULL))
921 : instrument = true;
922 7247 : if (mina && mina > 1)
923 : {
924 7186 : if (!POINTER_TYPE_P (TREE_TYPE (op))
925 7186 : || mina > get_pointer_alignment (op) / BITS_PER_UNIT)
926 : instrument = true;
927 : }
928 : }
929 3053 : if (!instrument)
930 2325 : return NULL_TREE;
931 4922 : op = save_expr (orig_op);
932 4922 : gcc_assert (POINTER_TYPE_P (ptype));
933 4922 : if (TREE_CODE (ptype) == REFERENCE_TYPE)
934 1789 : ptype = build_pointer_type (TREE_TYPE (ptype));
935 4922 : tree kind = build_int_cst (ptype, ckind);
936 4922 : tree align = build_int_cst (pointer_sized_int_node, mina);
937 4922 : tree call
938 4922 : = build_call_expr_internal_loc (loc, IFN_UBSAN_NULL, void_type_node,
939 : 3, op, kind, align);
940 4922 : TREE_SIDE_EFFECTS (call) = 1;
941 4922 : return fold_build2 (COMPOUND_EXPR, TREE_TYPE (op), call, op);
942 : }
943 :
944 : /* Instrument a NOP_EXPR to REFERENCE_TYPE or INTEGER_CST with REFERENCE_TYPE
945 : type if needed. */
946 :
947 : void
948 2417 : ubsan_maybe_instrument_reference (tree *stmt_p)
949 : {
950 2417 : tree stmt = *stmt_p;
951 2417 : tree op = stmt;
952 2417 : if (TREE_CODE (stmt) == NOP_EXPR)
953 2407 : op = TREE_OPERAND (stmt, 0);
954 2417 : op = ubsan_maybe_instrument_reference_or_call (EXPR_LOCATION (stmt), op,
955 2417 : TREE_TYPE (stmt),
956 : UBSAN_REF_BINDING);
957 2417 : if (op)
958 : {
959 1789 : if (TREE_CODE (stmt) == NOP_EXPR)
960 1779 : TREE_OPERAND (stmt, 0) = op;
961 : else
962 10 : *stmt_p = op;
963 : }
964 2417 : }
965 :
966 : /* Instrument a CALL_EXPR to a method if needed. */
967 :
968 : void
969 4830 : ubsan_maybe_instrument_member_call (tree stmt, bool is_ctor)
970 : {
971 4830 : if (call_expr_nargs (stmt) == 0)
972 : return;
973 4830 : tree op = CALL_EXPR_ARG (stmt, 0);
974 4830 : if (op == error_mark_node
975 4830 : || !POINTER_TYPE_P (TREE_TYPE (op)))
976 : return;
977 9660 : op = ubsan_maybe_instrument_reference_or_call (EXPR_LOCATION (stmt), op,
978 4830 : TREE_TYPE (op),
979 : is_ctor ? UBSAN_CTOR_CALL
980 : : UBSAN_MEMBER_CALL);
981 4830 : if (op)
982 3133 : CALL_EXPR_ARG (stmt, 0) = op;
983 : }
|
