This is an archive of the discontinued LLVM Phabricator instance.

[UBSan] Fix isDerivedFromAtOffset on iOS ARM64
ClosedPublic

Authored by filcab on Jul 24 2015, 11:57 PM.

Download Raw Diff

Details

Reviewers

samsonov
kubamracek
eugenis
rsmith
filcab

Commits

rGb7692bc3e9ad: [UBSan] Fix isDerivedFromAtOffset on iOS ARM64
rCRT262147: [UBSan] Fix isDerivedFromAtOffset on iOS ARM64
rL262147: [UBSan] Fix isDerivedFromAtOffset on iOS ARM64

Summary

iOS on ARM64 doesn't unique RTTI.
Ref: clang's iOS64CXXABI::shouldRTTIBeUnique()

Due to this, pointer-equality will not necessarily work in this
architecture, across dylib boundaries.

dynamic_cast<>() will still work, since Apple ships with one prepared
for this, but we can't rely on it by simply comparing the type names for
pointer-equality.

I've limited the expensive strcmp check to the specific architecture
which needs it.

Example which triggers this bug:

lib.h:

struct X {
  virtual ~X() {}
};
X *libCall();

lib.mm:

X *libCall() {
  return new X;
}

prog.mm:

int main() {
  X *px = libCall();
  delete px;
}

Expected output: Nothing
Actual output:

<unknown>: runtime error: member call on address 0x00017001ef50 which does not point to an object of type 'X'
0x00017001ef50: note: object is of type 'X'
 00 00 00 00  60 00 0f 00 01 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for ‘X’

Compilation is fairly straightforward (be sure to pass -isysroot,
-mios-min-version, etc). I ended up looking at what Xcode did to compile
and built a script.

No test since it doesn't seem we support anything related to running on
iOS devices. I couldn't even figure out a nice way to do it from the
command line.

Diff Detail

Repository: rL LLVM

Event Timeline

filcab updated this revision to Diff 30632.Jul 24 2015, 11:57 PM

filcab retitled this revision from to [UBSan] Fix isDerivedFromAtOffset on iOS ARM64.

filcab updated this object.

filcab added reviewers: kubamracek, samsonov, eugenis, rsmith.

filcab added a subscriber: llvm-commits.

Herald added subscribers: rengolin, aemerson. · View Herald TranscriptJul 24 2015, 11:57 PM

I erred on the side of caution by being verbose in the commit message.
The problem is non-obvious and I want anyone who might think about removing that line to have no excuse (assuming they blame that line and see the commit ;-) ).

This might happen in other platforms too… :-)

Reword the dynamic_cast paragraph (wasn't making sense).

Ping.

Ping! (Adding Anna Zaks)

LGTM. Sorry, for some reason I've lost track of this :-/

This revision is now accepted and ready to land.Sep 1 2015, 10:55 AM

No test since it doesn't seem we support anything related to running on
iOS devices. I couldn't even figure out a nice way to do it from the
command line.

The test case you provided should be passing on all architectures, correct? If so, why not just add it?
(We do have a way to run tests on iOS devices internally.)

I can try to add a generic "darwin" test (maybe even darwin+linux, but
adding Windows might be harder, since the platform is so different). This
test would pass both before and after my change, though (in every platform
I can test).
Do your internal test harnesses account for tests which need
executable+dylib (two files) to run?

Filipe

I can try to add a generic "darwin" test (maybe even darwin+linux, ...

I think this would be overall goodness.

Do your internal test harnesses account for tests which need
executable+dylib (two files) to run?

Yes. (Though, we are only testing ASan at the moment.)

I can try to add a generic "darwin" test (maybe even darwin+linux, ...

I think this would be overall goodness.

Do your internal test harnesses account for tests which need
executable+dylib (two files) to run?

Yes. (Though, we are only testing ASan at the moment.)

zaks.anna resigned from this revision.Nov 30 2015, 5:37 PM

zaks.anna removed a reviewer: zaks.anna.

Sorry, I totally forgot about this revision. Refreshing it, with a test.

I'm not sure how well the test will run on all platforms (no idea about Windows), especially on the ones that really need it (iOS ARM64 is impossible to test outside of Apple, AFAICT).

Closed by commit rL262147: [UBSan] Fix isDerivedFromAtOffset on iOS ARM64 (authored by filcab). · Explain WhyFeb 27 2016, 12:02 PM

This revision was automatically updated to reflect the committed changes.

marxin added a reviewer: filcab.Jan 16 2019, 11:50 PM

Herald added subscribers: delcypher, kristof.beyls, javed.absar. · View Herald TranscriptJan 16 2019, 11:50 PM

Revision Contents

Path

Size

compiler-rt/

trunk/

lib/

sanitizer_common/

sanitizer_platform.h

6 lines

ubsan/

ubsan_type_hash_itanium.cc

4 lines

test/

ubsan/

TestCases/

TypeCheck/

Helpers/

lit.local.cfg

3 lines

vptr-non-unique-typeinfo-lib.h

4 lines

vptr-non-unique-typeinfo-lib.cpp

5 lines

vptr-non-unique-typeinfo.cpp

10 lines

Diff 49297

compiler-rt/trunk/lib/sanitizer_common/sanitizer_platform.h

	Show First 20 Lines • Show All 156 Lines • ▼ Show 20 Lines
	/// * 1800: Microsoft Visual Studio 2013 / 12.0			/// * 1800: Microsoft Visual Studio 2013 / 12.0
	/// * 1900: Microsoft Visual Studio 2015 / 14.0			/// * 1900: Microsoft Visual Studio 2015 / 14.0
	#ifdef _MSC_VER			#ifdef _MSC_VER
	# define MSC_PREREQ(version) (_MSC_VER >= (version))			# define MSC_PREREQ(version) (_MSC_VER >= (version))
	#else			#else
	# define MSC_PREREQ(version) 0			# define MSC_PREREQ(version) 0
	#endif			#endif

				#if defined(__arm64__) && SANITIZER_IOS
				# define SANITIZER_NON_UNIQUE_TYPEINFO 1
				#else
				# define SANITIZER_NON_UNIQUE_TYPEINFO 0
				#endif

	#endif // SANITIZER_PLATFORM_H			#endif // SANITIZER_PLATFORM_H

compiler-rt/trunk/lib/ubsan/ubsan_type_hash_itanium.cc

Show First 20 Lines • Show All 109 Lines • ▼ Show 20 Lines	static __ubsan::HashValue *getTypeCacheHashTableBucket(__ubsan::HashValue V) {
return &__ubsan_vptr_hash_set[First];		return &__ubsan_vptr_hash_set[First];
}		}

/// \brief Determine whether \p Derived has a \p Base base class subobject at		/// \brief Determine whether \p Derived has a \p Base base class subobject at
/// offset \p Offset.		/// offset \p Offset.
static bool isDerivedFromAtOffset(const abi::__class_type_info *Derived,		static bool isDerivedFromAtOffset(const abi::__class_type_info *Derived,
const abi::__class_type_info *Base,		const abi::__class_type_info *Base,
sptr Offset) {		sptr Offset) {
if (Derived->__type_name == Base->__type_name)		if (Derived->__type_name == Base->__type_name \|\|
		(SANITIZER_NON_UNIQUE_TYPEINFO &&
		!internal_strcmp(Derived->__type_name, Base->__type_name)))
return Offset == 0;		return Offset == 0;

if (const abi::__si_class_type_info *SI =		if (const abi::__si_class_type_info *SI =
dynamic_cast<const abi::__si_class_type_info*>(Derived))		dynamic_cast<const abi::__si_class_type_info*>(Derived))
return isDerivedFromAtOffset(SI->__base_type, Base, Offset);		return isDerivedFromAtOffset(SI->__base_type, Base, Offset);

const abi::__vmi_class_type_info *VTI =		const abi::__vmi_class_type_info *VTI =
dynamic_cast<const abi::__vmi_class_type_info*>(Derived);		dynamic_cast<const abi::__vmi_class_type_info*>(Derived);
▲ Show 20 Lines • Show All 125 Lines • Show Last 20 Lines

compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Helpers/lit.local.cfg

				# Sources in this directory are helper files for tests which test functionality
				# involving multiple translation units.
				config.suffixes = []

compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Helpers/vptr-non-unique-typeinfo-lib.h

				struct X {
				virtual ~X() {}
				};
				X *libCall();

compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Helpers/vptr-non-unique-typeinfo-lib.cpp

				#include "vptr-non-unique-typeinfo-lib.h"

				X *libCall() {
				return new X;
				}

compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/vptr-non-unique-typeinfo.cpp

				// RUN: %clangxx -frtti -fsanitize=vptr -fno-sanitize-recover=vptr -I%p/Helpers %p/Helpers/vptr-non-unique-typeinfo-lib.cpp -fPIC -shared -o %t-lib.so
				// RUN: %clangxx -frtti -fsanitize=vptr -fno-sanitize-recover=vptr -I%p/Helpers -g %s -O3 -o %t %t-lib.so
				// RUN: %run %t

				#include "vptr-non-unique-typeinfo-lib.h"

				int main() {
				X *px = libCall();
				delete px;
				}