<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Checks not generated for vla-bound when the size is unsigned"
href="https://bugs.llvm.org/show_bug.cgi?id=50127">50127</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Checks not generated for vla-bound when the size is unsigned
</td>
</tr>
<tr>
<th>Product</th>
<td>compiler-rt
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>ubsan
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>adammagier.llvm@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=24803" name="attach_24803" title="Source file with VLAs being instantiated via signed and unsigned types">attachment 24803</a> <a href="attachment.cgi?id=24803&action=edit" title="Source file with VLAs being instantiated via signed and unsigned types">[details]</a></span>
Source file with VLAs being instantiated via signed and unsigned types
The vla-bound checker for UBSan does not generate the necessary checks when the
size of the VLA is an unsigned type. Given the following code (vla-bound.c,
also attached):
#include &lt;stdlib.h&gt;
long int s = 0;
int main(void) {
    int w[(size_t)s];   /* unsigned bound: no check emitted by clang */
    int x[(ssize_t)s];  /* signed bound: check emitted */
    int y[(unsigned)s]; /* unsigned bound: no check emitted by clang */
    int z[(int)s];      /* signed bound: check emitted */
    return 0;
}
Inspecting the IR generated from compiling with `clang -S -emit-llvm -O0
-fsanitize=vla-bound vla-bound.c` we see that there are only two checks generated
for the VLA bounds checking:
$ clang -S -emit-llvm -O0 -fsanitize=vla-bound vla-bound.c
$ grep -P "^handler.vla_bound_not_positive" vla-bound.ll
handler.vla_bound_not_positive: ; preds = %entry
handler.vla_bound_not_positive4: ; preds = %cont
Further comparing this behaviour between clang and gcc, we see that gcc
performs the checking on the VLA size for both signed and unsigned variable
types:
clang:
$ clang -O0 -fsanitize=vla-bound vla-bound.c
$ ./a.out
vla-bound.c:6:9: runtime error: variable length array bound evaluates to
non-positive value 0
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior vla-bound.c:6:9 in
vla-bound.c:8:9: runtime error: variable length array bound evaluates to
non-positive value 0
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior vla-bound.c:8:9 in
gcc:
$ gcc -O0 -fsanitize=vla-bound vla-bound.c
$ ./a.out
vla-bound.c:5:7: runtime error: variable length array bound evaluates to
non-positive value 0
vla-bound.c:6:7: runtime error: variable length array bound evaluates to
non-positive value 0
vla-bound.c:7:7: runtime error: variable length array bound evaluates to
non-positive value 0
vla-bound.c:8:7: runtime error: variable length array bound evaluates to
non-positive value 0
We would expect that the behaviour of both clang and gcc would agree when it
comes to checking the VLA bounds. Reading through the C specification does not
indicate any limitation on whether or not a VLA's size needs to be in the form
of a signed or unsigned type, so there seems to be no reason why this check shouldn't
be performed.</pre>
</div>
</p>
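<p>As an added illustration (not part of the bug report, of the attachment, or of compiler-rt's own code), the C program below spells out the condition that <code>-fsanitize=vla-bound</code> is meant to enforce (C11 6.7.6.2p5: the bound must evaluate to a value greater than zero) for both signed and unsigned bound types, and models the <code>(unsigned)s</code> conversion from the report. The function names <code>check_signed_bound</code>, <code>check_unsigned_bound</code>, <code>check_bound_cast_to_unsigned</code> and <code>sum_first_n</code> are assumptions made for this example, not anything from UBSan or clang. It shows the practitioner's caveat behind the report: for an unsigned bound the only non-positive value is zero, so that is the only case a check can flag, while a negative signed value that has already been converted to unsigned wraps to a huge positive bound that no non-positive check will catch.</p>

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Verdicts for the condition UBSan's vla-bound check reports on: the
 * bound expression must evaluate to a value greater than zero. */
enum vla_verdict { VLA_OK = 0, VLA_ZERO = 1, VLA_NEGATIVE = 2 };

/* Bound of signed type: zero and negative values are both undefined. */
static enum vla_verdict check_signed_bound(long long n)
{
    if (n < 0)
        return VLA_NEGATIVE;
    if (n == 0)
        return VLA_ZERO;
    return VLA_OK;
}

/* Bound of unsigned type: zero is the only non-positive value, so this
 * is the (cheap) check the report says clang does not emit. */
static enum vla_verdict check_unsigned_bound(unsigned long long n)
{
    return n == 0 ? VLA_ZERO : VLA_OK;
}

/* Model of `int y[(unsigned)s]` from the report: the signed value is
 * converted to unsigned before it becomes the bound. A negative s wraps
 * to a large positive bound, which an unsigned check cannot flag; only
 * s == 0 remains detectable. The wrapped bound is written to *wrapped
 * (if non-NULL) so the caller can see its magnitude. */
static enum vla_verdict check_bound_cast_to_unsigned(long s, unsigned *wrapped)
{
    unsigned n = (unsigned)s; /* same conversion as (unsigned)s in the report */
    if (wrapped)
        *wrapped = n;
    return check_unsigned_bound(n);
}

/* Manual guard a program can carry regardless of sanitizer coverage:
 * declare the VLA only after the bound passed the check, then use it.
 * Returns the sum 0 + 1 + ... + (s - 1), or -1 if the bound is rejected. */
static long sum_first_n(long s)
{
    if (check_signed_bound(s) != VLA_OK)
        return -1;
    int buf[s]; /* safe: s > 0 here */
    long total = 0;
    for (long i = 0; i < s; i++) {
        buf[i] = (int)i;
        total += buf[i];
    }
    return total;
}

int main(void)
{
    unsigned w = 0;
    printf("signed 0      -> verdict %d\n", check_signed_bound(0));
    printf("signed -1     -> verdict %d\n", check_signed_bound(-1));
    printf("unsigned 0    -> verdict %d\n", check_unsigned_bound(0));
    printf("(unsigned)-1  -> verdict %d, bound %u\n",
           check_bound_cast_to_unsigned(-1, &w), w);
    printf("sum_first_n(4) = %ld\n", sum_first_n(4));
    printf("sum_first_n(0) = %ld\n", sum_first_n(0));
    return 0;
}
```

<p>Build it with <code>clang -std=c99 -fsanitize=vla-bound</code> (or gcc) to compare against the report: the guarded <code>sum_first_n</code> never reaches the VLA declaration with a non-positive bound, so the sanitizer stays silent on it, whereas the unguarded declarations in the attached <code>vla-bound.c</code> are what the missing unsigned check would have to cover.</p>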
</body>
</html>