On Tue, 28 Mar 2023, Jakub Jelinek wrote:
> Hi!
>
> The following testcase ICEs, because without optimization eh lowering
> decides not to duplicate finally block of try/finally and so we end up
> with variable guarded cleanup. The sanopt pass creates a cfg that ought
> to be cleaned up (some IFN_UBSAN_* functions are lowered in this case with
> constant conditions in gcond and when not allowing recovery some bbs which
> end with noreturn calls actually have successor edges), but the cfg cleanup
> is actually (it is -O0) done only during the optimized pass. We notice
> there that the d[1][a] = 0; statement which has an EH edge is unreachable
> (because ubsan would always abort on the out of bounds d[1] access), remove
> the EH landing pad and block, but because that block just sets a variable
> and jumps to another one which tests that variable and that one is reachable
> from normal control flow, the __builtin_eh_pointer (1) later in there is
> kept in the IL and we ICE during expansion of that statement because the
> EH region has been removed.
>
> The following patch fixes it by doing the cfg cleanup already during
> sanopt pass if we create something that might need it, while the EH
> landing pad is then removed already during sanopt pass, there is ehcleanup
> later and we don't ICE anymore.
>
> Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?
OK.
Richard.
> 2023-03-28 Jakub Jelinek <ja...@redhat.com>
>
> PR middle-end/106190
> * sanopt.cc (pass_sanopt::execute): Return TODO_cleanup_cfg if any
> of the IFN_{UB,HWA,A}SAN_* internal fns are lowered.
>
> * gcc.dg/asan/pr106190.c: New test.
>
> --- gcc/sanopt.cc.jj 2023-02-15 09:23:27.832389821 +0100
> +++ gcc/sanopt.cc 2023-03-27 16:00:23.758621014 +0200
> @@ -1300,6 +1300,7 @@ pass_sanopt::execute (function *fun)
> basic_block bb;
> int asan_num_accesses = 0;
> bool contains_asan_mark = false;
> + int ret = 0;
>
> /* Try to remove redundant checks. */
> if (optimize
> @@ -1352,6 +1353,7 @@ pass_sanopt::execute (function *fun)
> if (gimple_call_internal_p (stmt))
> {
> enum internal_fn ifn = gimple_call_internal_fn (stmt);
> + int this_ret = TODO_cleanup_cfg;
> switch (ifn)
> {
> case IFN_UBSAN_NULL:
> @@ -1387,8 +1389,10 @@ pass_sanopt::execute (function *fun)
> no_next = hwasan_expand_mark_ifn (&gsi);
> break;
> default:
> + this_ret = 0;
> break;
> }
> + ret |= this_ret;
> }
> else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
> {
> @@ -1418,7 +1422,7 @@ pass_sanopt::execute (function *fun)
> if (need_commit_edge_insert)
> gsi_commit_edge_inserts ();
>
> - return 0;
> + return ret;
> }
>
> } // anon namespace
> --- gcc/testsuite/gcc.dg/asan/pr106190.c.jj 2023-03-27 16:50:15.685501029
> +0200
> +++ gcc/testsuite/gcc.dg/asan/pr106190.c 2023-03-27 16:51:25.187499082
> +0200
> @@ -0,0 +1,15 @@
> +/* PR middle-end/106190 */
> +/* { dg-do compile } */
> +/* { dg-options "-fnon-call-exceptions -fsanitize=address,undefined
> -fno-sanitize-recover=all" } */
> +
> +int
> +main ()
> +{
> + int a;
> + int *b[1];
> + int c[10];
> + int d[1][1];
> + for (a = 0; a < 1; a++)
> + d[1][a] = 0;
> + return 0;
> +}
>
> Jakub
>
>
--
Richard Biener <rguent...@suse.de>
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg,
Germany; GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman;
HRB 36809 (AG Nuernberg)
