LCOV - code coverage report
Current view: top level - gcc/c-family - c-ubsan.c (source / functions) Hit Total Coverage
Test: gcc.info Lines: 235 241 97.5 %
Date: 2020-03-28 11:57:23 Functions: 10 10 100.0 %
Legend: Lines: hit not hit | Branches: + taken - not taken # not executed Branches: 0 0 -

           Branch data     Line data    Source code
       1                 :            : /* UndefinedBehaviorSanitizer, undefined behavior detector.
       2                 :            :    Copyright (C) 2013-2020 Free Software Foundation, Inc.
       3                 :            :    Contributed by Marek Polacek <polacek@redhat.com>
       4                 :            : 
       5                 :            : This file is part of GCC.
       6                 :            : 
       7                 :            : GCC is free software; you can redistribute it and/or modify it under
       8                 :            : the terms of the GNU General Public License as published by the Free
       9                 :            : Software Foundation; either version 3, or (at your option) any later
      10                 :            : version.
      11                 :            : 
      12                 :            : GCC is distributed in the hope that it will be useful, but WITHOUT ANY
      13                 :            : WARRANTY; without even the implied warranty of MERCHANTABILITY or
      14                 :            : FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
      15                 :            : for more details.
      16                 :            : 
      17                 :            : You should have received a copy of the GNU General Public License
      18                 :            : along with GCC; see the file COPYING3.  If not see
      19                 :            : <http://www.gnu.org/licenses/>.  */
      20                 :            : 
      21                 :            : #include "config.h"
      22                 :            : #include "system.h"
      23                 :            : #include "coretypes.h"
      24                 :            : #include "tm.h"
      25                 :            : #include "c-family/c-common.h"
      26                 :            : #include "ubsan.h"
      27                 :            : #include "c-family/c-ubsan.h"
      28                 :            : #include "stor-layout.h"
      29                 :            : #include "builtins.h"
      30                 :            : #include "gimplify.h"
      31                 :            : #include "stringpool.h"
      32                 :            : #include "attribs.h"
      33                 :            : #include "asan.h"
      34                 :            : #include "langhooks.h"
      35                 :            : 
      36                 :            : /* Instrument division by zero and INT_MIN / -1.  If not instrumenting,
      37                 :            :    return NULL_TREE.  */
      38                 :            : 
      39                 :            : tree
      40                 :       1285 : ubsan_instrument_division (location_t loc, tree op0, tree op1)
      41                 :            : {
      42                 :       1285 :   tree t, tt;
      43                 :       1285 :   tree type = TREE_TYPE (op0);
      44                 :            : 
      45                 :            :   /* At this point both operands should have the same type,
      46                 :            :      because they are already converted to RESULT_TYPE.
      47                 :            :      Use TYPE_MAIN_VARIANT since typedefs can confuse us.  */
      48                 :       1285 :   tree top0 = TYPE_MAIN_VARIANT (type);
      49                 :       1285 :   tree top1 = TYPE_MAIN_VARIANT (TREE_TYPE (op1));
      50                 :       1285 :   gcc_checking_assert (lang_hooks.types_compatible_p (top0, top1));
      51                 :            : 
      52                 :       1285 :   op0 = unshare_expr (op0);
      53                 :       1285 :   op1 = unshare_expr (op1);
      54                 :            : 
      55                 :       1285 :   if (TREE_CODE (type) == INTEGER_TYPE
      56                 :       1285 :       && sanitize_flags_p (SANITIZE_DIVIDE))
      57                 :       1096 :     t = fold_build2 (EQ_EXPR, boolean_type_node,
      58                 :            :                      op1, build_int_cst (type, 0));
      59                 :        189 :   else if (TREE_CODE (type) == REAL_TYPE
      60                 :        189 :            && sanitize_flags_p (SANITIZE_FLOAT_DIVIDE))
      61                 :        122 :     t = fold_build2 (EQ_EXPR, boolean_type_node,
      62                 :            :                      op1, build_real (type, dconst0));
      63                 :            :   else
      64                 :         67 :     return NULL_TREE;
      65                 :            : 
      66                 :            :   /* We check INT_MIN / -1 only for signed types.  */
      67                 :       1218 :   if (TREE_CODE (type) == INTEGER_TYPE
      68                 :       1096 :       && sanitize_flags_p (SANITIZE_DIVIDE)
      69                 :       2314 :       && !TYPE_UNSIGNED (type))
      70                 :            :     {
      71                 :        835 :       tree x;
      72                 :        835 :       tt = fold_build2 (EQ_EXPR, boolean_type_node, unshare_expr (op1),
      73                 :            :                         build_int_cst (type, -1));
      74                 :        835 :       x = fold_build2 (EQ_EXPR, boolean_type_node, op0,
      75                 :            :                        TYPE_MIN_VALUE (type));
      76                 :        835 :       x = fold_build2 (TRUTH_AND_EXPR, boolean_type_node, x, tt);
      77                 :        835 :       t = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, t, x);
      78                 :            :     }
      79                 :            : 
      80                 :            :   /* If the condition was folded to 0, no need to instrument
      81                 :            :      this expression.  */
      82                 :       1218 :   if (integer_zerop (t))
      83                 :            :     return NULL_TREE;
      84                 :            : 
      85                 :            :   /* In case we have a SAVE_EXPR in a conditional context, we need to
      86                 :            :      make sure it gets evaluated before the condition.  */
      87                 :        911 :   t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), unshare_expr (op0), t);
      88                 :        911 :   t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), unshare_expr (op1), t);
      89                 :        911 :   if (flag_sanitize_undefined_trap_on_error)
      90                 :         14 :     tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
      91                 :            :   else
      92                 :            :     {
      93                 :        897 :       tree data = ubsan_create_data ("__ubsan_overflow_data", 1, &loc,
      94                 :            :                                      ubsan_type_descriptor (type), NULL_TREE,
      95                 :            :                                      NULL_TREE);
      96                 :        897 :       data = build_fold_addr_expr_loc (loc, data);
      97                 :       1794 :       enum built_in_function bcode
      98                 :        897 :         = (flag_sanitize_recover & SANITIZE_DIVIDE)
      99                 :        897 :           ? BUILT_IN_UBSAN_HANDLE_DIVREM_OVERFLOW
     100                 :            :           : BUILT_IN_UBSAN_HANDLE_DIVREM_OVERFLOW_ABORT;
     101                 :        897 :       tt = builtin_decl_explicit (bcode);
     102                 :        897 :       op0 = unshare_expr (op0);
     103                 :        897 :       op1 = unshare_expr (op1);
     104                 :        897 :       tt = build_call_expr_loc (loc, tt, 3, data, ubsan_encode_value (op0),
     105                 :            :                                 ubsan_encode_value (op1));
     106                 :            :     }
     107                 :        911 :   t = fold_build3 (COND_EXPR, void_type_node, t, tt, void_node);
     108                 :            : 
     109                 :        911 :   return t;
     110                 :            : }
     111                 :            : 
     112                 :            : /* Instrument left and right shifts.  */
     113                 :            : 
     114                 :            : tree
     115                 :       1940 : ubsan_instrument_shift (location_t loc, enum tree_code code,
     116                 :            :                         tree op0, tree op1)
     117                 :            : {
     118                 :       1940 :   tree t, tt = NULL_TREE;
     119                 :       1940 :   tree type0 = TREE_TYPE (op0);
     120                 :       1940 :   tree type1 = TREE_TYPE (op1);
     121                 :       1940 :   if (!INTEGRAL_TYPE_P (type0))
     122                 :            :     return NULL_TREE;
     123                 :            : 
     124                 :       1926 :   tree op1_utype = unsigned_type_for (type1);
     125                 :       1926 :   HOST_WIDE_INT op0_prec = TYPE_PRECISION (type0);
     126                 :       1926 :   tree uprecm1 = build_int_cst (op1_utype, op0_prec - 1);
     127                 :            : 
     128                 :       1926 :   op0 = unshare_expr (op0);
     129                 :       1926 :   op1 = unshare_expr (op1);
     130                 :            : 
     131                 :       1926 :   t = fold_convert_loc (loc, op1_utype, op1);
     132                 :       1926 :   t = fold_build2 (GT_EXPR, boolean_type_node, t, uprecm1);
     133                 :            : 
     134                 :            :   /* If this is not a signed operation, don't perform overflow checks.
     135                 :            :      Also punt on bit-fields.  */
     136                 :       3385 :   if (TYPE_OVERFLOW_WRAPS (type0)
     137                 :       2918 :       || maybe_ne (GET_MODE_BITSIZE (TYPE_MODE (type0)),
     138                 :       1459 :                    TYPE_PRECISION (type0))
     139                 :       1459 :       || !sanitize_flags_p (SANITIZE_SHIFT_BASE)
     140                 :            :       /* In C++2a and later, shifts are well defined except when
     141                 :            :          the second operand is not within bounds.  */
     142                 :       3345 :       || cxx_dialect >= cxx2a)
     143                 :            :     ;
     144                 :            : 
     145                 :            :   /* For signed x << y, in C99/C11, the following:
     146                 :            :      (unsigned) x >> (uprecm1 - y)
     147                 :            :      if non-zero, is undefined.  */
     148                 :       1360 :   else if (code == LSHIFT_EXPR && flag_isoc99 && cxx_dialect < cxx11)
     149                 :            :     {
     150                 :        570 :       tree x = fold_build2 (MINUS_EXPR, op1_utype, uprecm1,
     151                 :            :                             fold_convert (op1_utype, unshare_expr (op1)));
     152                 :        570 :       tt = fold_convert_loc (loc, unsigned_type_for (type0), op0);
     153                 :        570 :       tt = fold_build2 (RSHIFT_EXPR, TREE_TYPE (tt), tt, x);
     154                 :        570 :       tt = fold_build2 (NE_EXPR, boolean_type_node, tt,
     155                 :        570 :                         build_int_cst (TREE_TYPE (tt), 0));
     156                 :            :     }
     157                 :            : 
     158                 :            :   /* For signed x << y, in C++11 and later, the following:
     159                 :            :      x < 0 || ((unsigned) x >> (uprecm1 - y))
     160                 :            :      if > 1, is undefined.  */
     161                 :        790 :   else if (code == LSHIFT_EXPR && cxx_dialect >= cxx11)
     162                 :            :     {
     163                 :        499 :       tree x = fold_build2 (MINUS_EXPR, op1_utype, uprecm1,
     164                 :            :                             fold_convert (op1_utype, unshare_expr (op1)));
     165                 :        499 :       tt = fold_convert_loc (loc, unsigned_type_for (type0),
     166                 :            :                              unshare_expr (op0));
     167                 :        499 :       tt = fold_build2 (RSHIFT_EXPR, TREE_TYPE (tt), tt, x);
     168                 :        499 :       tt = fold_build2 (GT_EXPR, boolean_type_node, tt,
     169                 :            :                         build_int_cst (TREE_TYPE (tt), 1));
     170                 :        499 :       x = fold_build2 (LT_EXPR, boolean_type_node, unshare_expr (op0),
     171                 :            :                        build_int_cst (type0, 0));
     172                 :        499 :       tt = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, x, tt);
     173                 :            :     }
     174                 :            : 
     175                 :            :   /* If the condition was folded to 0, no need to instrument
     176                 :            :      this expression.  */
     177                 :       1926 :   if (integer_zerop (t) && (tt == NULL_TREE || integer_zerop (tt)))
     178                 :        720 :     return NULL_TREE;
     179                 :            : 
     180                 :            :   /* In case we have a SAVE_EXPR in a conditional context, we need to
     181                 :            :      make sure it gets evaluated before the condition.  */
     182                 :       1206 :   t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), unshare_expr (op0), t);
     183                 :       1206 :   t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), unshare_expr (op1), t);
     184                 :            : 
     185                 :       1206 :   enum sanitize_code recover_kind = SANITIZE_SHIFT_EXPONENT;
     186                 :       1206 :   tree else_t = void_node;
     187                 :       1206 :   if (tt)
     188                 :            :     {
     189                 :        873 :       if (!sanitize_flags_p (SANITIZE_SHIFT_EXPONENT))
     190                 :            :         {
     191                 :         28 :           t = fold_build1 (TRUTH_NOT_EXPR, boolean_type_node, t);
     192                 :         28 :           t = fold_build2 (TRUTH_AND_EXPR, boolean_type_node, t, tt);
     193                 :         28 :           recover_kind = SANITIZE_SHIFT_BASE;
     194                 :            :         }
     195                 :            :       else
     196                 :            :         {
     197                 :        845 :           if (flag_sanitize_undefined_trap_on_error
     198                 :        845 :               || ((!(flag_sanitize_recover & SANITIZE_SHIFT_EXPONENT))
     199                 :        845 :                   == (!(flag_sanitize_recover & SANITIZE_SHIFT_BASE))))
     200                 :        778 :             t = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, t, tt);
     201                 :            :           else
     202                 :            :             else_t = tt;
     203                 :            :         }
     204                 :            :     }
     205                 :            : 
     206                 :       1206 :   if (flag_sanitize_undefined_trap_on_error)
     207                 :          0 :     tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
     208                 :            :   else
     209                 :            :     {
     210                 :       1206 :       tree data = ubsan_create_data ("__ubsan_shift_data", 1, &loc,
     211                 :            :                                      ubsan_type_descriptor (type0),
     212                 :            :                                      ubsan_type_descriptor (type1), NULL_TREE,
     213                 :            :                                      NULL_TREE);
     214                 :       1206 :       data = build_fold_addr_expr_loc (loc, data);
     215                 :            : 
     216                 :       2412 :       enum built_in_function bcode
     217                 :       1206 :         = (flag_sanitize_recover & recover_kind)
     218                 :       1206 :           ? BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS
     219                 :            :           : BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS_ABORT;
     220                 :       1206 :       tt = builtin_decl_explicit (bcode);
     221                 :       1206 :       op0 = unshare_expr (op0);
     222                 :       1206 :       op1 = unshare_expr (op1);
     223                 :       1206 :       tt = build_call_expr_loc (loc, tt, 3, data, ubsan_encode_value (op0),
     224                 :            :                                 ubsan_encode_value (op1));
     225                 :       1206 :       if (else_t != void_node)
     226                 :            :         {
     227                 :        134 :           bcode = (flag_sanitize_recover & SANITIZE_SHIFT_BASE)
     228                 :         67 :                   ? BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS
     229                 :            :                   : BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS_ABORT;
     230                 :         67 :           tree else_tt = builtin_decl_explicit (bcode);
     231                 :         67 :           op0 = unshare_expr (op0);
     232                 :         67 :           op1 = unshare_expr (op1);
     233                 :         67 :           else_tt = build_call_expr_loc (loc, else_tt, 3, data,
     234                 :            :                                          ubsan_encode_value (op0),
     235                 :            :                                          ubsan_encode_value (op1));
     236                 :         67 :           else_t = fold_build3 (COND_EXPR, void_type_node, else_t,
     237                 :            :                                 else_tt, void_node);
     238                 :            :         }
     239                 :            :     }
     240                 :       1206 :   t = fold_build3 (COND_EXPR, void_type_node, t, tt, else_t);
     241                 :            : 
     242                 :       1206 :   return t;
     243                 :            : }
     244                 :            : 
     245                 :            : /* Instrument variable length array bound.  */
     246                 :            : 
     247                 :            : tree
     248                 :        288 : ubsan_instrument_vla (location_t loc, tree size)
     249                 :            : {
     250                 :        288 :   tree type = TREE_TYPE (size);
     251                 :        288 :   tree t, tt;
     252                 :            : 
     253                 :        288 :   t = fold_build2 (LE_EXPR, boolean_type_node, size, build_int_cst (type, 0));
     254                 :        288 :   if (flag_sanitize_undefined_trap_on_error)
     255                 :          0 :     tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
     256                 :            :   else
     257                 :            :     {
     258                 :        288 :       tree data = ubsan_create_data ("__ubsan_vla_data", 1, &loc,
     259                 :            :                                      ubsan_type_descriptor (type), NULL_TREE,
     260                 :            :                                      NULL_TREE);
     261                 :        288 :       data = build_fold_addr_expr_loc (loc, data);
     262                 :        576 :       enum built_in_function bcode
     263                 :        288 :         = (flag_sanitize_recover & SANITIZE_VLA)
     264                 :        288 :           ? BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE
     265                 :            :           : BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE_ABORT;
     266                 :        288 :       tt = builtin_decl_explicit (bcode);
     267                 :        288 :       tt = build_call_expr_loc (loc, tt, 2, data, ubsan_encode_value (size));
     268                 :            :     }
     269                 :        288 :   t = fold_build3 (COND_EXPR, void_type_node, t, tt, void_node);
     270                 :            : 
     271                 :        288 :   return t;
     272                 :            : }
     273                 :            : 
     274                 :            : /* Instrument missing return in C++ functions returning non-void.  */
     275                 :            : 
     276                 :            : tree
     277                 :        867 : ubsan_instrument_return (location_t loc)
     278                 :            : {
     279                 :        867 :   if (flag_sanitize_undefined_trap_on_error)
     280                 :          0 :     return build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
     281                 :            : 
     282                 :        867 :   tree data = ubsan_create_data ("__ubsan_missing_return_data", 1, &loc,
     283                 :            :                                  NULL_TREE, NULL_TREE);
     284                 :        867 :   tree t = builtin_decl_explicit (BUILT_IN_UBSAN_HANDLE_MISSING_RETURN);
     285                 :        867 :   return build_call_expr_loc (loc, t, 1, build_fold_addr_expr_loc (loc, data));
     286                 :            : }
     287                 :            : 
     288                 :            : /* Instrument array bounds for ARRAY_REFs.  We create special builtin,
     289                 :            :    that gets expanded in the sanopt pass, and make an array dimension
     290                 :            :    of it.  ARRAY is the array, *INDEX is an index to the array.
     291                 :            :    Return NULL_TREE if no instrumentation is emitted.
     292                 :            :    IGNORE_OFF_BY_ONE is true if the ARRAY_REF is inside a ADDR_EXPR.  */
     293                 :            : 
     294                 :            : tree
     295                 :       3121 : ubsan_instrument_bounds (location_t loc, tree array, tree *index,
     296                 :            :                          bool ignore_off_by_one)
     297                 :            : {
     298                 :       3121 :   tree type = TREE_TYPE (array);
     299                 :       3121 :   tree domain = TYPE_DOMAIN (type);
     300                 :            : 
     301                 :       3121 :   if (domain == NULL_TREE || TYPE_MAX_VALUE (domain) == NULL_TREE)
     302                 :            :     return NULL_TREE;
     303                 :            : 
     304                 :       3059 :   tree bound = TYPE_MAX_VALUE (domain);
     305                 :       3059 :   if (ignore_off_by_one)
     306                 :        318 :     bound = fold_build2 (PLUS_EXPR, TREE_TYPE (bound), bound,
     307                 :            :                          build_int_cst (TREE_TYPE (bound), 1));
     308                 :            : 
     309                 :            :   /* Detect flexible array members and suchlike, unless
     310                 :            :      -fsanitize=bounds-strict.  */
     311                 :       3059 :   tree base = get_base_address (array);
     312                 :       3059 :   if (!sanitize_flags_p (SANITIZE_BOUNDS_STRICT)
     313                 :       3045 :       && TREE_CODE (array) == COMPONENT_REF
     314                 :       3780 :       && base && (INDIRECT_REF_P (base) || TREE_CODE (base) == MEM_REF))
     315                 :            :     {
     316                 :            :       tree next = NULL_TREE;
     317                 :            :       tree cref = array;
     318                 :            : 
     319                 :            :       /* Walk all structs/unions.  */
     320                 :        561 :       while (TREE_CODE (cref) == COMPONENT_REF)
     321                 :            :         {
     322                 :        400 :           if (TREE_CODE (TREE_TYPE (TREE_OPERAND (cref, 0))) == RECORD_TYPE)
     323                 :        540 :             for (next = DECL_CHAIN (TREE_OPERAND (cref, 1));
     324                 :        540 :                  next && TREE_CODE (next) != FIELD_DECL;
     325                 :        140 :                  next = DECL_CHAIN (next))
     326                 :            :               ;
     327                 :        400 :           if (next)
     328                 :            :             /* Not a last element.  Instrument it.  */
     329                 :            :             break;
     330                 :            :           /* Ok, this is the last field of the structure/union.  But the
     331                 :            :              aggregate containing the field must be the last field too,
     332                 :            :              recursively.  */
     333                 :        257 :           cref = TREE_OPERAND (cref, 0);
     334                 :            :         }
     335                 :        304 :       if (!next)
     336                 :            :         /* Don't instrument this flexible array member-like array in non-strict
     337                 :            :            -fsanitize=bounds mode.  */
     338                 :            :         return NULL_TREE;
     339                 :            :     }
     340                 :            : 
     341                 :            :   /* Don't emit instrumentation in the most common cases.  */
     342                 :       2898 :   tree idx = NULL_TREE;
     343                 :       2898 :   if (TREE_CODE (*index) == INTEGER_CST)
     344                 :            :     idx = *index;
     345                 :        685 :   else if (TREE_CODE (*index) == BIT_AND_EXPR
     346                 :        685 :            && TREE_CODE (TREE_OPERAND (*index, 1)) == INTEGER_CST)
     347                 :         24 :     idx = TREE_OPERAND (*index, 1);
     348                 :       2237 :   if (idx
     349                 :       2237 :       && TREE_CODE (bound) == INTEGER_CST
     350                 :       1900 :       && tree_int_cst_sgn (idx) >= 0
     351                 :       4105 :       && tree_int_cst_le (idx, bound))
     352                 :            :     return NULL_TREE;
     353                 :            : 
     354                 :       1427 :   *index = save_expr (*index);
     355                 :            :   /* Create a "(T *) 0" tree node to describe the array type.  */
     356                 :       1427 :   tree zero_with_type = build_int_cst (build_pointer_type (type), 0);
     357                 :       1427 :   return build_call_expr_internal_loc (loc, IFN_UBSAN_BOUNDS,
     358                 :            :                                        void_type_node, 3, zero_with_type,
     359                 :       1427 :                                        *index, bound);
     360                 :            : }
     361                 :            : 
     362                 :            : /* Return true iff T is an array that was instrumented by SANITIZE_BOUNDS.  */
     363                 :            : 
     364                 :            : bool
     365                 :       3128 : ubsan_array_ref_instrumented_p (const_tree t)
     366                 :            : {
     367                 :       3128 :   if (TREE_CODE (t) != ARRAY_REF)
     368                 :            :     return false;
     369                 :            : 
     370                 :       3128 :   tree op1 = TREE_OPERAND (t, 1);
     371                 :       3128 :   return TREE_CODE (op1) == COMPOUND_EXPR
     372                 :          0 :          && TREE_CODE (TREE_OPERAND (op1, 0)) == CALL_EXPR
     373                 :          0 :          && CALL_EXPR_FN (TREE_OPERAND (op1, 0)) == NULL_TREE
     374                 :       3128 :          && CALL_EXPR_IFN (TREE_OPERAND (op1, 0)) == IFN_UBSAN_BOUNDS;
     375                 :            : }
     376                 :            : 
     377                 :            : /* Instrument an ARRAY_REF, if it hasn't already been instrumented.
     378                 :            :    IGNORE_OFF_BY_ONE is true if the ARRAY_REF is inside a ADDR_EXPR.  */
     379                 :            : 
     380                 :            : void
     381                 :       3128 : ubsan_maybe_instrument_array_ref (tree *expr_p, bool ignore_off_by_one)
     382                 :            : {
     383                 :       3128 :   if (!ubsan_array_ref_instrumented_p (*expr_p)
     384                 :       3128 :       && sanitize_flags_p (SANITIZE_BOUNDS | SANITIZE_BOUNDS_STRICT)
     385                 :       6242 :       && current_function_decl != NULL_TREE)
     386                 :            :     {
     387                 :       3114 :       tree op0 = TREE_OPERAND (*expr_p, 0);
     388                 :       3114 :       tree op1 = TREE_OPERAND (*expr_p, 1);
     389                 :       3114 :       tree e = ubsan_instrument_bounds (EXPR_LOCATION (*expr_p), op0, &op1,
     390                 :            :                                         ignore_off_by_one);
     391                 :       3114 :       if (e != NULL_TREE)
     392                 :            :         {
     393                 :       1420 :           tree t = copy_node (*expr_p);
     394                 :       1420 :           TREE_OPERAND (t, 1) = build2 (COMPOUND_EXPR, TREE_TYPE (op1),
     395                 :            :                                         e, op1);
     396                 :       1420 :           *expr_p = t;
     397                 :            :         }
     398                 :            :     }
     399                 :       3128 : }
     400                 :            : 
     401                 :            : static tree
     402                 :       4663 : ubsan_maybe_instrument_reference_or_call (location_t loc, tree op, tree ptype,
     403                 :            :                                           enum ubsan_null_ckind ckind)
     404                 :            : {
     405                 :       4663 :   if (!sanitize_flags_p (SANITIZE_ALIGNMENT | SANITIZE_NULL)
     406                 :       4663 :       || current_function_decl == NULL_TREE)
     407                 :            :     return NULL_TREE;
     408                 :            : 
     409                 :       4663 :   tree type = TREE_TYPE (ptype);
     410                 :       4663 :   tree orig_op = op;
     411                 :       4663 :   bool instrument = false;
     412                 :       4663 :   unsigned int mina = 0;
     413                 :            : 
     414                 :       4663 :   if (sanitize_flags_p (SANITIZE_ALIGNMENT))
     415                 :            :     {
     416                 :       3902 :       mina = min_align_of_type (type);
     417                 :       3902 :       if (mina <= 1)
     418                 :       1202 :         mina = 0;
     419                 :            :     }
     420                 :       7066 :   while ((TREE_CODE (op) == NOP_EXPR
     421                 :       7066 :           || TREE_CODE (op) == NON_LVALUE_EXPR)
     422                 :       9469 :          && TREE_CODE (TREE_TYPE (op)) == POINTER_TYPE)
     423                 :       2403 :     op = TREE_OPERAND (op, 0);
     424                 :       4663 :   if (TREE_CODE (op) == NOP_EXPR
     425                 :       4663 :       && TREE_CODE (TREE_TYPE (op)) == REFERENCE_TYPE)
     426                 :            :     {
     427                 :          0 :       if (mina && mina > min_align_of_type (TREE_TYPE (TREE_TYPE (op))))
     428                 :            :         instrument = true;
     429                 :            :     }
     430                 :            :   else
     431                 :            :     {
     432                 :       4663 :       if (sanitize_flags_p (SANITIZE_NULL) && TREE_CODE (op) == ADDR_EXPR)
     433                 :            :         {
     434                 :       1769 :           bool strict_overflow_p = false;
     435                 :            :           /* tree_single_nonzero_warnv_p will not return true for non-weak
     436                 :            :              non-automatic decls with -fno-delete-null-pointer-checks,
     437                 :            :              which is disabled during -fsanitize=null.  We don't want to
     438                 :            :              instrument those, just weak vars though.  */
     439                 :       1769 :           int save_flag_delete_null_pointer_checks
     440                 :            :             = flag_delete_null_pointer_checks;
     441                 :       1769 :           flag_delete_null_pointer_checks = 1;
     442                 :       1769 :           if (!tree_single_nonzero_warnv_p (op, &strict_overflow_p)
     443                 :       1769 :               || strict_overflow_p)
     444                 :            :             instrument = true;
     445                 :       1769 :           flag_delete_null_pointer_checks
     446                 :       1769 :             = save_flag_delete_null_pointer_checks;
     447                 :            :         }
     448                 :       2894 :       else if (sanitize_flags_p (SANITIZE_NULL))
     449                 :       2551 :         instrument = true;
     450                 :       4663 :       if (mina && mina > 1)
     451                 :            :         {
     452                 :       3218 :           if (!POINTER_TYPE_P (TREE_TYPE (op))
     453                 :       3218 :               || mina > get_pointer_alignment (op) / BITS_PER_UNIT)
     454                 :            :             instrument = true;
     455                 :            :         }
     456                 :            :     }
     457                 :       2444 :   if (!instrument)
     458                 :       1101 :     return NULL_TREE;
     459                 :       3562 :   op = save_expr (orig_op);
     460                 :       3562 :   gcc_assert (POINTER_TYPE_P (ptype));
     461                 :       3562 :   if (TREE_CODE (ptype) == REFERENCE_TYPE)
     462                 :        987 :     ptype = build_pointer_type (TREE_TYPE (ptype));
     463                 :       3562 :   tree kind = build_int_cst (ptype, ckind);
     464                 :       3562 :   tree align = build_int_cst (pointer_sized_int_node, mina);
     465                 :       3562 :   tree call
     466                 :       3562 :     = build_call_expr_internal_loc (loc, IFN_UBSAN_NULL, void_type_node,
     467                 :            :                                     3, op, kind, align);
     468                 :       3562 :   TREE_SIDE_EFFECTS (call) = 1;
     469                 :       3562 :   return fold_build2 (COMPOUND_EXPR, TREE_TYPE (op), call, op);
     470                 :            : }
     471                 :            : 
     472                 :            : /* Instrument a NOP_EXPR to REFERENCE_TYPE or INTEGER_CST with REFERENCE_TYPE
     473                 :            :    type if needed.  */
     474                 :            : 
     475                 :            : void
     476                 :       1225 : ubsan_maybe_instrument_reference (tree *stmt_p)
     477                 :            : {
     478                 :       1225 :   tree stmt = *stmt_p;
     479                 :       1225 :   tree op = stmt;
     480                 :       1225 :   if (TREE_CODE (stmt) == NOP_EXPR)
     481                 :       1204 :     op = TREE_OPERAND (stmt, 0);
     482                 :       2450 :   op = ubsan_maybe_instrument_reference_or_call (EXPR_LOCATION (stmt), op,
     483                 :       1225 :                                                  TREE_TYPE (stmt),
     484                 :            :                                                  UBSAN_REF_BINDING);
     485                 :       1225 :   if (op)
     486                 :            :     {
     487                 :        987 :       if (TREE_CODE (stmt) == NOP_EXPR) 
     488                 :        966 :         TREE_OPERAND (stmt, 0) = op;
     489                 :            :       else
     490                 :         21 :         *stmt_p = op;
     491                 :            :     }
     492                 :       1225 : }
     493                 :            : 
     494                 :            : /* Instrument a CALL_EXPR to a method if needed.  */
     495                 :            : 
     496                 :            : void
     497                 :       3438 : ubsan_maybe_instrument_member_call (tree stmt, bool is_ctor)
     498                 :            : {
     499                 :       3438 :   if (call_expr_nargs (stmt) == 0)
     500                 :            :     return;
     501                 :       3438 :   tree op = CALL_EXPR_ARG (stmt, 0);
     502                 :       3438 :   if (op == error_mark_node
     503                 :       6876 :       || !POINTER_TYPE_P (TREE_TYPE (op)))
     504                 :            :     return;
     505                 :       3438 :   op = ubsan_maybe_instrument_reference_or_call (EXPR_LOCATION (stmt), op,
     506                 :       3438 :                                                  TREE_TYPE (op),
     507                 :            :                                                  is_ctor ? UBSAN_CTOR_CALL
     508                 :            :                                                  : UBSAN_MEMBER_CALL);
     509                 :       3438 :   if (op)
     510                 :       2575 :     CALL_EXPR_ARG (stmt, 0) = op;
     511                 :            : }

Generated by: LCOV version 1.0

LCOV profile is generated on x86_64 machine using following configure options: configure --disable-bootstrap --enable-coverage=opt --enable-languages=c,c++,fortran,go,jit,lto --enable-host-shared. GCC test suite is run with the built compiler.