Hi! This patch improves the code generated for: struct A { int a; }; struct B { int b; }; struct C : A, B { int c; }; C *bar (B *b) { return &static_cast<C &>(*b); } Unlike return static_cast<C *>(b);, where b may validly be NULL, the reference must not bind to NULL, yet we still emit b ? b - 4 : 0. The following patch omits the non-NULL check, except when -fsanitize=null (or -fsanitize=undefined) is in effect, in which case sanitizing makes sure such bugs are diagnosed.
Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?

2018-01-02 Jakub Jelinek <ja...@redhat.com>

	PR c++/83555
	* typeck.c (build_static_cast_1): For static casts to reference types, call build_base_path with true as nonnull unless -fsanitize=null, instead of always false. When -fsanitize=null, call ubsan_maybe_instrument_reference on the NULL reference INTEGER_CST.
	* cp-gimplify.c (cp_genericize_r): Don't walk subtrees of UBSAN_NULL call if the first argument is INTEGER_CST with REFERENCE_TYPE.

	* g++.dg/ubsan/pr83555.C: New test.

--- gcc/cp/typeck.c.jj	2017-12-19 18:09:05.000000000 +0100
+++ gcc/cp/typeck.c	2018-01-02 18:26:46.782251809 +0100
@@ -6942,10 +6942,13 @@ build_static_cast_1 (tree type, tree exp
           expr = ubsan_check;
         }
 
+      bool sanitize_null_p = sanitize_flags_p (SANITIZE_NULL);
       /* Convert from "B*" to "D*".  This function will check that "B"
-         is not a virtual base of "D".  */
-      expr = build_base_path (MINUS_EXPR, expr, base, /*nonnull=*/false,
-                              complain);
+         is not a virtual base of "D".  Even if we don't have a guarantee
+         that expr is NULL, if the static_cast is to a reference type,
+         it is UB if it would be NULL, so omit the non-NULL check.  */
+      expr = build_base_path (MINUS_EXPR, expr, base,
+                              /*nonnull=*/!sanitize_null_p, complain);
 
       /* Convert the pointer to a reference -- but then remember that
          there are no expressions with reference type in C++.
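Review bot: The new comment above the build_base_path call says `Even if we don't have a guarantee that expr is NULL`, which inverts the intended meaning; the guarantee that is missing is that expr is non-NULL. I would write `Even if we don't have a guarantee that expr is not NULL, if the static_cast is to a reference type, it is UB if it would be NULL, so omit the non-NULL check unless -fsanitize=null asked us to diagnose it.` It is also worth recording in the same comment that passing nonnull=true changes what a NULL B* becomes: the old conditional yielded a NULL C*, whereas now the base offset is presumably subtracted unconditionally, so code that relied on the old accidental behaviour will see a different, non-null pointer. build_static_cast_1 starts and ends outside this hunk.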
@@ -6955,7 +6958,18 @@ build_static_cast_1 (tree type, tree exp
          is a variable with the same type, the conversion would get folded
          away, leaving just the variable and causing lvalue_kind to give
          the wrong answer.  */
-      return convert_from_reference (rvalue (cp_fold_convert (type, expr)));
+      expr = cp_fold_convert (type, expr);
+
+      /* When -fsanitize=null, make sure to diagnose reference binding to
+         NULL even when the reference is converted to pointer later on.  */
+      if (sanitize_null_p
+          && TREE_CODE (expr) == COND_EXPR
+          && TREE_OPERAND (expr, 2)
+          && TREE_CODE (TREE_OPERAND (expr, 2)) == INTEGER_CST
+          && TREE_TYPE (TREE_OPERAND (expr, 2)) == type)
+        ubsan_maybe_instrument_reference (&TREE_OPERAND (expr, 2));
+
+      return convert_from_reference (rvalue (expr));
     }
 
   /* "A glvalue of type cv1 T1 can be cast to type rvalue reference to
--- gcc/cp/cp-gimplify.c.jj	2018-01-02 13:23:51.946128057 +0100
+++ gcc/cp/cp-gimplify.c	2018-01-02 18:36:59.145469721 +0100
@@ -1506,6 +1506,12 @@ cp_genericize_r (tree *stmt_p, int *walk
             if (sanitize_flags_p (SANITIZE_VPTR) && !is_ctor)
               cp_ubsan_maybe_instrument_member_call (stmt);
           }
+        else if (fn == NULL_TREE
+                 && CALL_EXPR_IFN (stmt) == IFN_UBSAN_NULL
+                 && TREE_CODE (CALL_EXPR_ARG (stmt, 0)) == INTEGER_CST
+                 && (TREE_CODE (TREE_TYPE (CALL_EXPR_ARG (stmt, 0)))
+                     == REFERENCE_TYPE))
+          *walk_subtrees = 0;
       }
       break;
 
--- gcc/testsuite/g++.dg/ubsan/pr83555.C.jj	2018-01-02 18:52:19.600792132 +0100
+++ gcc/testsuite/g++.dg/ubsan/pr83555.C	2018-01-02 18:53:49.839823167 +0100
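Review bot: The added `if` instruments exactly one tree shape — a COND_EXPR whose third operand is an INTEGER_CST of `type` — which I take to be the NULL arm of the `b ? b - N : 0` form build_base_path emits when nonnull is false; if cp_fold_convert or a later change to build_base_path produces any other shape, the NULL reference binding is silently left undiagnosed and nothing flags the mismatch. A comment recording that dependency would help, e.g. `/* build_base_path emitted a NULL check whose else arm is a reference-typed INTEGER_CST; instrument that arm so ubsan reports the reference binding to NULL.  */`. Since under -fsanitize=null this diagnostic is the point of the change, a gcc_checking_assert that the shape matches whenever the check was requested would turn a future silent loss into a testsuite failure, provided build_base_path cannot legitimately omit the COND_EXPR here, which I cannot tell from the hunk. The enclosing function continues outside the hunk.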
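Review bot: The new `else if` branch has no comment saying why subtrees of an IFN_UBSAN_NULL call whose first argument is a reference-typed INTEGER_CST are skipped; the only hint is the ChangeLog, and a reader of cp_genericize_r will not know that constant was planted by build_static_cast_1. Suggest `/* A reference-typed INTEGER_CST as the UBSAN_NULL pointer argument was put there by build_static_cast_1 to diagnose a reference bound to NULL; don't walk into it, or the reference-typed operand would be processed again.  */`, adjusting the second clause to the actual reason, which I can only infer here. `fn` and the enclosing CALL_EXPR case begin before the hunk.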
@@ -0,0 +1,40 @@
+// PR c++/83555
+// { dg-do run }
+// { dg-options "-fsanitize=null" }
+// { dg-output ":25:\[^\n\r]*reference binding to null pointer of type 'struct C'" }
+
+struct A { int a; };
+struct B { int b; };
+struct C : A, B { int c; };
+
+__attribute__((noipa)) C *
+foo (B *b)
+{
+  return static_cast<C *>(b);
+}
+
+__attribute__((noipa)) C *
+bar (B *b)
+{
+  return &static_cast<C &>(*b);
+}
+
+__attribute__((noipa)) C *
+baz (B *b)
+{
+  return &static_cast<C &>(*b);
+}
+
+int
+main ()
+{
+  C c;
+  if (foo (static_cast<B *> (&c)) != &c)
+    __builtin_abort ();
+  if (foo (0))
+    __builtin_abort ();
+  if (bar (static_cast<B *> (&c)) != &c)
+    __builtin_abort ();
+  baz (0);
+  return 0;
+}

Jakub
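Review bot: `bar` and `baz` are byte-identical and nothing in the file says why two copies exist, so the `:25:` in dg-output looks arbitrary; a one-line comment above `baz` such as `// Same as bar, but only ever called with a null pointer, so the diagnostic is reported at this line.` would explain the duplication and make the line number easier to fix up when lines shift. The test exercises only the sanitized build; the codegen improvement the patch is about — no `b ? b - 4 : 0` conditional when -fsanitize=null is off — is not pinned by any test, so a companion `dg-do compile` test with a scan-tree-dump-not on the conditional would guard against that part regressing. dg-output also does not establish that the message appears exactly once, since the regexp matches one or more occurrences.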