Hello,
I use icc (ICC) version 16.0.2 (20160204). I found a bug in the way its MPX transformation pass passes bounds via an indirect call.
Here is the test case that reproduces the problem:
char x = 42;
int (*f) (int, char * ); // IF REMOVE INT ARGUMENT: WORKS
char* p;
int bar(int i, char *q) {
return q[0];
}
int __attribute__ ((noinline)) foo() {
return f(0, p);
// return bar(0, p); // WORKS
}
int main() {
f = bar;
p = &x;
return foo();
}This code raises the false-positive #BR exception when compiled & run:
>>> icc -O3 -ggdb -check-pointers-mpx=rw -lmpx -lmpxwrappers test.c>>> ./a.out Saw a #BR! status 1 at 0x400b75
Note that the function pointer `f` is used to call `bar` in `foo` (indirect call). When using a direct call `bar(0, p)`, everything compiles and runs correctly. Also note that by removing the first argument for `bar` (integer `i`), the bounds are again correct and no exception is triggered.
Here is the corresponding assembly:
<foo>: mov $0x1,%eax mov 0x203144(%rip),%rsi # 603c90 <p> xor %edi,%edi mov 0x203143(%rip),%rdx # 603c98 <f> bndldx 0x603c90(,%rsi,1),%bnd1 bndmk -0x1(%rax),%bnd0 # NULL bounds are created?! bnd jmpq *%rdx<bar>: rex.W bndcl %rsi,%bnd0 # BR EXCEPTION HERE rex.W bndcu %rsi,%bnd0 movsbl (%rsi),%eax bnd retq
So, `foo` calls `bar` with two bounds passed in BND0 (with NULL bounds) and BND1 (with correct bounds for p), but `bar` assumes that the bounds for its pointer argument are passed in BND0. AFAIK, the way `foo` is compiled is a violation of the X64 calling convention for MPX. Also, this exception does not happen under GCC 6.1. Thus, I believe it's a bug in the ICC MPX pass implementation.