[thirdparty/gcc.git] / gcc / c-family / c-ubsan.c

/* UndefinedBehaviorSanitizer, undefined behavior detector.
   Copyright (C) 2013-2014 Free Software Foundation, Inc.
   Contributed by Marek Polacek <polacek@redhat.com>

This file is part of GCC.

GCC is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation; either version 3, or (at your option) any later
version.

GCC is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
for more details.

You should have received a copy of the GNU General Public License
along with GCC; see the file COPYING3.  If not see
<http://www.gnu.org/licenses/>.  */

#include "config.h"
#include "system.h"
#include "coretypes.h"
#include "tree.h"
#include "alloc-pool.h"
#include "cgraph.h"
#include "output.h"
#include "toplev.h"
#include "ubsan.h"
#include "c-family/c-common.h"
#include "c-family/c-ubsan.h"
#include "asan.h"

/* Instrument division by zero and INT_MIN / -1.  If not instrumenting,
   return NULL_TREE.  */

tree
ubsan_instrument_division (location_t loc, tree op0, tree op1)
{
  tree t, tt;
  tree type = TREE_TYPE (op0);

  /* At this point both operands should have the same type,
     because they are already converted to RESULT_TYPE.
     Use TYPE_MAIN_VARIANT since typedefs can confuse us.  */
  gcc_assert (TYPE_MAIN_VARIANT (TREE_TYPE (op0))
	      == TYPE_MAIN_VARIANT (TREE_TYPE (op1)));

  if (TREE_CODE (type) == INTEGER_TYPE
      && (flag_sanitize & SANITIZE_DIVIDE))
    t = fold_build2 (EQ_EXPR, boolean_type_node,
		     op1, build_int_cst (type, 0));
  else if (TREE_CODE (type) == REAL_TYPE
	   && (flag_sanitize & SANITIZE_FLOAT_DIVIDE))
    t = fold_build2 (EQ_EXPR, boolean_type_node,
		     op1, build_real (type, dconst0));
  else
    return NULL_TREE;

  /* We check INT_MIN / -1 only for signed types.  */
  if (TREE_CODE (type) == INTEGER_TYPE
      && (flag_sanitize & SANITIZE_DIVIDE)
      && !TYPE_UNSIGNED (type))
    {
      tree x;
      tt = fold_build2 (EQ_EXPR, boolean_type_node, op1,
			build_int_cst (type, -1));
      x = fold_build2 (EQ_EXPR, boolean_type_node, op0,
		       TYPE_MIN_VALUE (type));
      x = fold_build2 (TRUTH_AND_EXPR, boolean_type_node, x, tt);
      t = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, t, x);
    }

  /* If the condition was folded to 0, no need to instrument
     this expression.  */
  if (integer_zerop (t))
    return NULL_TREE;

  /* In case we have a SAVE_EXPR in a conditional context, we need to
     make sure it gets evaluated before the condition.  */
  t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), op0, t);
  if (flag_sanitize_undefined_trap_on_error)
    tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
  else
    {
      tree data = ubsan_create_data ("__ubsan_overflow_data", &loc, NULL,
				     ubsan_type_descriptor (type, false),
				     NULL_TREE);
      data = build_fold_addr_expr_loc (loc, data);
      enum built_in_function bcode
	= flag_sanitize_recover
	  ? BUILT_IN_UBSAN_HANDLE_DIVREM_OVERFLOW
	  : BUILT_IN_UBSAN_HANDLE_DIVREM_OVERFLOW_ABORT;
      tt = builtin_decl_explicit (bcode);
      tt = build_call_expr_loc (loc, tt, 3, data, ubsan_encode_value (op0),
				ubsan_encode_value (op1));
    }
  t = fold_build3 (COND_EXPR, void_type_node, t, tt, void_zero_node);

  return t;
}

/* Instrument left and right shifts.  */

tree
ubsan_instrument_shift (location_t loc, enum tree_code code,
			tree op0, tree op1)
{
  tree t, tt = NULL_TREE;
  tree type0 = TREE_TYPE (op0);
  tree type1 = TREE_TYPE (op1);
  tree op1_utype = unsigned_type_for (type1);
  HOST_WIDE_INT op0_prec = TYPE_PRECISION (type0);
  tree uprecm1 = build_int_cst (op1_utype, op0_prec - 1);
  tree precm1 = build_int_cst (type1, op0_prec - 1);

  t = fold_convert_loc (loc, op1_utype, op1);
  t = fold_build2 (GT_EXPR, boolean_type_node, t, uprecm1);

  /* For signed x << y, in C99/C11, the following:
     (unsigned) x >> (precm1 - y)
     if non-zero, is undefined.  */
  if (code == LSHIFT_EXPR
      && !TYPE_UNSIGNED (type0)
      && flag_isoc99)
    {
      tree x = fold_build2 (MINUS_EXPR, integer_type_node, precm1, op1);
      tt = fold_convert_loc (loc, unsigned_type_for (type0), op0);
      tt = fold_build2 (RSHIFT_EXPR, TREE_TYPE (tt), tt, x);
      tt = fold_build2 (NE_EXPR, boolean_type_node, tt,
			build_int_cst (TREE_TYPE (tt), 0));
    }

  /* For signed x << y, in C++11/C++14, the following:
     x < 0 || ((unsigned) x >> (precm1 - y))
     if > 1, is undefined.  */
  if (code == LSHIFT_EXPR
      && !TYPE_UNSIGNED (TREE_TYPE (op0))
      && (cxx_dialect == cxx11 || cxx_dialect == cxx1y))
    {
      tree x = fold_build2 (MINUS_EXPR, integer_type_node, precm1, op1);
      tt = fold_convert_loc (loc, unsigned_type_for (type0), op0);
      tt = fold_build2 (RSHIFT_EXPR, TREE_TYPE (tt), tt, x);
      tt = fold_build2 (GT_EXPR, boolean_type_node, tt,
			build_int_cst (TREE_TYPE (tt), 1));
      x = fold_build2 (LT_EXPR, boolean_type_node, op0,
		       build_int_cst (type0, 0));
      tt = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, x, tt);
    }

  /* If the condition was folded to 0, no need to instrument
     this expression.  */
  if (integer_zerop (t) && (tt == NULL_TREE || integer_zerop (tt)))
    return NULL_TREE;

  /* In case we have a SAVE_EXPR in a conditional context, we need to
     make sure it gets evaluated before the condition.  */
  t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), op0, t);
  t = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, t,
		   tt ? tt : integer_zero_node);

  if (flag_sanitize_undefined_trap_on_error)
    tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
  else
    {
      tree data = ubsan_create_data ("__ubsan_shift_data", &loc, NULL,
				     ubsan_type_descriptor (type0, false),
				     ubsan_type_descriptor (type1, false),
				     NULL_TREE);

      data = build_fold_addr_expr_loc (loc, data);

      enum built_in_function bcode
	= flag_sanitize_recover
	  ? BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS
	  : BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS_ABORT;
      tt = builtin_decl_explicit (bcode);
      tt = build_call_expr_loc (loc, tt, 3, data, ubsan_encode_value (op0),
				ubsan_encode_value (op1));
    }
  t = fold_build3 (COND_EXPR, void_type_node, t, tt, void_zero_node);

  return t;
}

/* Instrument variable length array bound.  */

tree
ubsan_instrument_vla (location_t loc, tree size)
{
  tree type = TREE_TYPE (size);
  tree t, tt;

  t = fold_build2 (LE_EXPR, boolean_type_node, size, build_int_cst (type, 0));
  if (flag_sanitize_undefined_trap_on_error)
    tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
  else
    {
      tree data = ubsan_create_data ("__ubsan_vla_data", &loc, NULL,
				     ubsan_type_descriptor (type, false),
				     NULL_TREE);
      data = build_fold_addr_expr_loc (loc, data);
      enum built_in_function bcode
	= flag_sanitize_recover
	  ? BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE
	  : BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE_ABORT;
      tt = builtin_decl_explicit (bcode);
      tt = build_call_expr_loc (loc, tt, 2, data, ubsan_encode_value (size));
    }
  t = fold_build3 (COND_EXPR, void_type_node, t, tt, void_zero_node);

  return t;
}

/* Instrument missing return in C++ functions returning non-void.  */

tree
ubsan_instrument_return (location_t loc)
{
  if (flag_sanitize_undefined_trap_on_error)
    return build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
  /* It is possible that PCH zapped table with definitions of sanitizer
     builtins.  Reinitialize them if needed.  */
  initialize_sanitizer_builtins ();

  tree data = ubsan_create_data ("__ubsan_missing_return_data", &loc,
				 NULL, NULL_TREE);
  tree t = builtin_decl_explicit (BUILT_IN_UBSAN_HANDLE_MISSING_RETURN);
  return build_call_expr_loc (loc, t, 1, build_fold_addr_expr_loc (loc, data));
}
Commit	Line	Data
9e46467d	1	/* UndefinedBehaviorSanitizer, undefined behavior detector.
3aea1f79	2	Copyright (C) 2013-2014 Free Software Foundation, Inc.
9e46467d	3	Contributed by Marek Polacek <polacek@redhat.com>
	4
	5	This file is part of GCC.
	6
	7	GCC is free software; you can redistribute it and/or modify it under
	8	the terms of the GNU General Public License as published by the Free
	9	Software Foundation; either version 3, or (at your option) any later
	10	version.
	11
	12	GCC is distributed in the hope that it will be useful, but WITHOUT ANY
	13	WARRANTY; without even the implied warranty of MERCHANTABILITY or
	14	FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	15	for more details.
	16
	17	You should have received a copy of the GNU General Public License
	18	along with GCC; see the file COPYING3. If not see
	19	<http://www.gnu.org/licenses/>. */
	20
	21	#include "config.h"
	22	#include "system.h"
	23	#include "coretypes.h"
	24	#include "tree.h"
	25	#include "alloc-pool.h"
	26	#include "cgraph.h"
9e46467d	27	#include "output.h"
	28	#include "toplev.h"
	29	#include "ubsan.h"
	30	#include "c-family/c-common.h"
	31	#include "c-family/c-ubsan.h"
a34c1231	32	#include "asan.h"
9e46467d	33
	34	/* Instrument division by zero and INT_MIN / -1. If not instrumenting,
	35	return NULL_TREE. */
	36
	37	tree
	38	ubsan_instrument_division (location_t loc, tree op0, tree op1)
	39	{
	40	tree t, tt;
	41	tree type = TREE_TYPE (op0);
	42
	43	/* At this point both operands should have the same type,
	44	because they are already converted to RESULT_TYPE.
	45	Use TYPE_MAIN_VARIANT since typedefs can confuse us. */
	46	gcc_assert (TYPE_MAIN_VARIANT (TREE_TYPE (op0))
	47	== TYPE_MAIN_VARIANT (TREE_TYPE (op1)));
	48
52cc0072	49	if (TREE_CODE (type) == INTEGER_TYPE
	50	&& (flag_sanitize & SANITIZE_DIVIDE))
	51	t = fold_build2 (EQ_EXPR, boolean_type_node,
	52	op1, build_int_cst (type, 0));
	53	else if (TREE_CODE (type) == REAL_TYPE
	54	&& (flag_sanitize & SANITIZE_FLOAT_DIVIDE))
	55	t = fold_build2 (EQ_EXPR, boolean_type_node,
	56	op1, build_real (type, dconst0));
	57	else
9e46467d	58	return NULL_TREE;
9e46467d	59
9e46467d	60	/* We check INT_MIN / -1 only for signed types. */
52cc0072	61	if (TREE_CODE (type) == INTEGER_TYPE
	62	&& (flag_sanitize & SANITIZE_DIVIDE)
	63	&& !TYPE_UNSIGNED (type))
9e46467d	64	{
	65	tree x;
	66	tt = fold_build2 (EQ_EXPR, boolean_type_node, op1,
	67	build_int_cst (type, -1));
	68	x = fold_build2 (EQ_EXPR, boolean_type_node, op0,
	69	TYPE_MIN_VALUE (type));
	70	x = fold_build2 (TRUTH_AND_EXPR, boolean_type_node, x, tt);
	71	t = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, t, x);
	72	}
	73
51f553af	74	/* If the condition was folded to 0, no need to instrument
	75	this expression. */
	76	if (integer_zerop (t))
	77	return NULL_TREE;
	78
9e46467d	79	/* In case we have a SAVE_EXPR in a conditional context, we need to
	80	make sure it gets evaluated before the condition. */
	81	t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), op0, t);
7311d7c1	82	if (flag_sanitize_undefined_trap_on_error)
	83	tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
	84	else
	85	{
	86	tree data = ubsan_create_data ("__ubsan_overflow_data", &loc, NULL,
	87	ubsan_type_descriptor (type, false),
	88	NULL_TREE);
	89	data = build_fold_addr_expr_loc (loc, data);
	90	enum built_in_function bcode
	91	= flag_sanitize_recover
	92	? BUILT_IN_UBSAN_HANDLE_DIVREM_OVERFLOW
	93	: BUILT_IN_UBSAN_HANDLE_DIVREM_OVERFLOW_ABORT;
	94	tt = builtin_decl_explicit (bcode);
	95	tt = build_call_expr_loc (loc, tt, 3, data, ubsan_encode_value (op0),
	96	ubsan_encode_value (op1));
	97	}
9e46467d	98	t = fold_build3 (COND_EXPR, void_type_node, t, tt, void_zero_node);
	99
	100	return t;
	101	}
	102
2c4c3477	103	/* Instrument left and right shifts. */
9e46467d	104
	105	tree
	106	ubsan_instrument_shift (location_t loc, enum tree_code code,
	107	tree op0, tree op1)
	108	{
	109	tree t, tt = NULL_TREE;
	110	tree type0 = TREE_TYPE (op0);
	111	tree type1 = TREE_TYPE (op1);
	112	tree op1_utype = unsigned_type_for (type1);
	113	HOST_WIDE_INT op0_prec = TYPE_PRECISION (type0);
	114	tree uprecm1 = build_int_cst (op1_utype, op0_prec - 1);
	115	tree precm1 = build_int_cst (type1, op0_prec - 1);
	116
	117	t = fold_convert_loc (loc, op1_utype, op1);
	118	t = fold_build2 (GT_EXPR, boolean_type_node, t, uprecm1);
	119
	120	/* For signed x << y, in C99/C11, the following:
	121	(unsigned) x >> (precm1 - y)
	122	if non-zero, is undefined. */
	123	if (code == LSHIFT_EXPR
	124	&& !TYPE_UNSIGNED (type0)
	125	&& flag_isoc99)
	126	{
	127	tree x = fold_build2 (MINUS_EXPR, integer_type_node, precm1, op1);
	128	tt = fold_convert_loc (loc, unsigned_type_for (type0), op0);
	129	tt = fold_build2 (RSHIFT_EXPR, TREE_TYPE (tt), tt, x);
	130	tt = fold_build2 (NE_EXPR, boolean_type_node, tt,
	131	build_int_cst (TREE_TYPE (tt), 0));
	132	}
	133
	134	/* For signed x << y, in C++11/C++14, the following:
	135	x < 0 \|\| ((unsigned) x >> (precm1 - y))
	136	if > 1, is undefined. */
	137	if (code == LSHIFT_EXPR
	138	&& !TYPE_UNSIGNED (TREE_TYPE (op0))
	139	&& (cxx_dialect == cxx11 \|\| cxx_dialect == cxx1y))
	140	{
	141	tree x = fold_build2 (MINUS_EXPR, integer_type_node, precm1, op1);
	142	tt = fold_convert_loc (loc, unsigned_type_for (type0), op0);
	143	tt = fold_build2 (RSHIFT_EXPR, TREE_TYPE (tt), tt, x);
	144	tt = fold_build2 (GT_EXPR, boolean_type_node, tt,
	145	build_int_cst (TREE_TYPE (tt), 1));
	146	x = fold_build2 (LT_EXPR, boolean_type_node, op0,
	147	build_int_cst (type0, 0));
	148	tt = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, x, tt);
	149	}
	150
51f553af	151	/* If the condition was folded to 0, no need to instrument
	152	this expression. */
	153	if (integer_zerop (t) && (tt == NULL_TREE \|\| integer_zerop (tt)))
	154	return NULL_TREE;
	155
9e46467d	156	/* In case we have a SAVE_EXPR in a conditional context, we need to
	157	make sure it gets evaluated before the condition. */
	158	t = fold_build2 (COMPOUND_EXPR, TREE_TYPE (t), op0, t);
9e46467d	159	t = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, t,
9e46467d	160	tt ? tt : integer_zero_node);
7311d7c1	161
	162	if (flag_sanitize_undefined_trap_on_error)
	163	tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
	164	else
	165	{
	166	tree data = ubsan_create_data ("__ubsan_shift_data", &loc, NULL,
	167	ubsan_type_descriptor (type0, false),
	168	ubsan_type_descriptor (type1, false),
	169	NULL_TREE);
	170
	171	data = build_fold_addr_expr_loc (loc, data);
	172
	173	enum built_in_function bcode
	174	= flag_sanitize_recover
	175	? BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS
	176	: BUILT_IN_UBSAN_HANDLE_SHIFT_OUT_OF_BOUNDS_ABORT;
	177	tt = builtin_decl_explicit (bcode);
	178	tt = build_call_expr_loc (loc, tt, 3, data, ubsan_encode_value (op0),
	179	ubsan_encode_value (op1));
	180	}
9e46467d	181	t = fold_build3 (COND_EXPR, void_type_node, t, tt, void_zero_node);
	182
	183	return t;
	184	}
2c4c3477	185
	186	/* Instrument variable length array bound. */
	187
	188	tree
	189	ubsan_instrument_vla (location_t loc, tree size)
	190	{
	191	tree type = TREE_TYPE (size);
	192	tree t, tt;
	193
	194	t = fold_build2 (LE_EXPR, boolean_type_node, size, build_int_cst (type, 0));
7311d7c1	195	if (flag_sanitize_undefined_trap_on_error)
	196	tt = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
	197	else
	198	{
	199	tree data = ubsan_create_data ("__ubsan_vla_data", &loc, NULL,
	200	ubsan_type_descriptor (type, false),
	201	NULL_TREE);
	202	data = build_fold_addr_expr_loc (loc, data);
	203	enum built_in_function bcode
	204	= flag_sanitize_recover
	205	? BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE
	206	: BUILT_IN_UBSAN_HANDLE_VLA_BOUND_NOT_POSITIVE_ABORT;
	207	tt = builtin_decl_explicit (bcode);
	208	tt = build_call_expr_loc (loc, tt, 2, data, ubsan_encode_value (size));
	209	}
2c4c3477	210	t = fold_build3 (COND_EXPR, void_type_node, t, tt, void_zero_node);
	211
	212	return t;
	213	}
020bc656	214
	215	/* Instrument missing return in C++ functions returning non-void. */
	216
	217	tree
	218	ubsan_instrument_return (location_t loc)
	219	{
7311d7c1	220	if (flag_sanitize_undefined_trap_on_error)
7311d7c1	221	return build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
a34c1231	222	/* It is possible that PCH zapped table with definitions of sanitizer
	223	builtins. Reinitialize them if needed. */
	224	initialize_sanitizer_builtins ();
	225
d4d068c0	226	tree data = ubsan_create_data ("__ubsan_missing_return_data", &loc,
020bc656	227	NULL, NULL_TREE);
	228	tree t = builtin_decl_explicit (BUILT_IN_UBSAN_HANDLE_MISSING_RETURN);
	229	return build_call_expr_loc (loc, t, 1, build_fold_addr_expr_loc (loc, data));
	230	}