On Fri, 13 Sep 2013, Marek Polacek wrote:
> On Thu, Sep 12, 2013 at 04:05:48PM +0000, Joseph S. Myers wrote:
> > cause stack overflow that doesn't get detected by the kernel. So maybe
> > ubsan should imply -fstack-check or similar.
>
> Well, I have a patch for that, but I no longer think that ubsan should
> imply -fstack-check, since e.g.
>
> int
> main (void)
> {
> int x = -1;
> int b[x - 4];
> /* ... */
> return 0;
> }
>
> segfaults at runtime on int b[x - 4]; line when -fstack-check is used
> (even without sanitizing), so we wouldn't give proper diagnostics
> for stmts following that line...
A guaranteed segfault is better than doing something undefined. But I'd
expect sanitizing to make the initial check that the array size in bytes
is in the range [1, PTRDIFF_MAX] and -fstack-check only to come into play
if that passes (for sizes that are too large for the stack limit in effect
at runtime although within the range that is in principle valid). You
probably don't want to enable -fstack-check from ubsan until the checks
for the range [1, PTRDIFF_MAX] are in place.
(Those checks, incidentally, would need to apply not just to arrays whose
specified size is variable, but also to constant-size arrays of
variable-size arrays - if you have a VLA type, then define an array
VLA array[10]; then you need to check that the result of the
multiplication of sizes in bytes doesn't exceed PTRDIFF_MAX. So the more
general checks can't all go in the place where you're inserting the checks
for a single variable size in isolation.)
--
Joseph S. Myers
[email protected]
