[llvm-bugs] [Bug 50127] New: Checks not generated for vla-bound when the size is unsigned

via llvm-bugs llvm-bugs at lists.llvm.org
Mon Apr 26 07:56:29 PDT 2021


https://bugs.llvm.org/show_bug.cgi?id=50127

            Bug ID: 50127
           Summary: Checks not generated for vla-bound when the size is
                    unsigned
           Product: compiler-rt
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: ubsan
          Assignee: unassignedbugs at nondot.org
          Reporter: adammagier.llvm at gmail.com
                CC: llvm-bugs at lists.llvm.org

Created attachment 24803
  --> https://bugs.llvm.org/attachment.cgi?id=24803&action=edit
Source file with VLAs being instantiated via signed and unsigned types

The vla-bound checker for UBSan does not generate the necessary checks when the
size of the VLA is an unsigned type. Given the following code (vla-bound.c,
also attached):

  #include <stdlib.h>

  long int s = 0;
  int main(void) {
    int w[(size_t)s];
    int x[(ssize_t)s];
    int y[(unsigned)s];
    int z[(int)s];
    return 0;
  }

Inspecting the IR generated from compiling with `clang -S -emit-llvm -O0
-fsanitize=vla-bound vla-bound.c` we see that there are only two checks generated
for the VLA bounds checking:

  $ clang -S -emit-llvm -O0 -fsanitize=vla-bound vla-bound.c
  $ grep -P "^handler.vla_bound_not_positive" vla-bound.ll
  handler.vla_bound_not_positive:                   ; preds = %entry
  handler.vla_bound_not_positive4:                  ; preds = %cont

Further comparing this behaviour between clang and gcc, we see that gcc
performs the checking on the VLA size for both signed and unsigned variable
types:

clang:

  $ clang -O0 -fsanitize=vla-bound vla-bound.c
  $ ./a.out
  vla-bound.c:6:9: runtime error: variable length array bound evaluates to non-positive value 0
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior vla-bound.c:6:9 in
  vla-bound.c:8:9: runtime error: variable length array bound evaluates to non-positive value 0
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior vla-bound.c:8:9 in


gcc:

  $ gcc -O0 -fsanitize=vla-bound vla-bound.c
  $ ./a.out
  vla-bound.c:5:7: runtime error: variable length array bound evaluates to non-positive value 0
  vla-bound.c:6:7: runtime error: variable length array bound evaluates to non-positive value 0
  vla-bound.c:7:7: runtime error: variable length array bound evaluates to non-positive value 0
  vla-bound.c:8:7: runtime error: variable length array bound evaluates to non-positive value 0

We would expect that the behaviour of both clang and gcc would agree when it
comes to checking the VLA bounds. Reading through the C specification does not
indicate any limitation on whether or not a VLA's size needs to be in the form
of a signed or unsigned type so there seems no reason why this check shouldn't
be performed.
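With the behaviour described above, a VLA whose size expression is unsigned gets no vla-bound instrumentation at all, so a zero bound, or a negative value that has already wrapped through the conversion to size_t, reaches the allocation unchecked. The following is an added example (not part of the bug report or of compiler-rt) of validating the bound on the signed source value before it is converted; VLA_MAX_ELEMS and sample_data are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stack budget for a VLA, in elements (constructed policy value for this example). */
#define VLA_MAX_ELEMS 4096

/* Constructed sample input. */
static const int sample_data[] = { 1, 2, 3, 4 };

/* What an unchecked conversion would hand to the VLA as its bound:
 * a negative long becomes a huge size_t, which no "> 0" test on the
 * converted value would ever reject. */
static size_t converted_bound(long n) {
    return (size_t)n;
}

/* Validate the bound on the signed value, before any conversion.
 * Returns 1 when it is positive and within the stack budget, 0 otherwise. */
static int vla_bound_ok(long n) {
    return n > 0 && n <= VLA_MAX_ELEMS;
}

/* Copy the first n ints of src into a VLA-backed scratch buffer and sum them.
 * Returns -1 when the bound is rejected, otherwise the sum. */
static long sum_via_vla(const int *src, long n) {
    if (!vla_bound_ok(n))
        return -1;
    int tmp[(size_t)n];  /* bound validated above, so the conversion is safe here */
    memcpy(tmp, src, (size_t)n * sizeof tmp[0]);
    long total = 0;
    for (size_t i = 0; i < (size_t)n; i++)
        total += tmp[i];
    return total;
}
```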
