Re: Clang UndefinedBehaviorSanitize (Postgres14) Detected undefined-behavior

From: Noah Misch <noah(at)leadboat(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Peter Geoghegan <pg(at)bowt(dot)ie>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Ranier Vilela <ranier(dot)vf(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Clang UndefinedBehaviorSanitize (Postgres14) Detected undefined-behavior
Date: 2020-09-04 03:10:49
Message-ID: 20200904031049.GC3426768@rfd.leadboat.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Thu, Sep 03, 2020 at 10:53:37PM -0400, Tom Lane wrote:
> Noah Misch <noah(at)leadboat(dot)com> writes:
> > We do assume dereferencing NULL would crash, but we also assume this
> > optimization doesn't happen:
>
> > #ifndef REMOVE_MEMCPY
> > memcpy(dest, src, n);
> > #endif
> > if (src)
> > pause();
>
> > [ gcc believes the if-test is unnecessary ]
>
> > So yes, it would be reasonable to adopt -fno-delete-null-pointer-checks and/or
> > remove -fno-sanitize=nonnull-attribute from buildfarm member thorntail.

> If there actually are places where this is a problem, I think we
> need to fix it by doing
>
> if (n > 0)
> memcpy(dest, src, n);
>
> so that the compiler can no longer assume that src!=NULL even
> when n is zero. I'd still leave -fdelete-null-pointer-checks
> enabled, because it can make valid and useful optimizations in
> other cases. (Besides that, it's far from clear that disabling
> that flag would suppress all bad consequences of the assumption
> that memcpy's arguments aren't null.)

Your proposal is what I had in mind when I wrote "remove
-fno-sanitize=nonnull-attribute from buildfarm member thorntail", and I agree
it's attractive. In particular, gcc is not likely to be the last compiler to
attempt such an optimization, and other compilers may not offer
-fno-delete-null-pointer-checks or equivalent.

One might argue for -fno-delete-null-pointer-checks in addition, because it
would defend against cases that sanitizers miss. I tend to think that's
overkill, but maybe not. I suppose one could do an audit, diffing the
generated code with and without the option.

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Pavel Stehule 2020-09-04 03:21:37 Re: proposal: possibility to read dumped table's name from file
Previous Message Tom Lane 2020-09-04 03:06:26 Re: Clang UndefinedBehaviorSanitize (Postgres14) Detected undefined-behavior