This is an archive of the discontinued LLVM Phabricator instance.

Differential D12712

Implementation and testing for poisoning vtable ptr in dtor.
ClosedPublic

Authored by nmusgrave on Sep 8 2015, 4:23 PM.

Details

Reviewers
kcc
eugenis
rsmith
Commits
rG703835c7f33a: Implementation and testing for poisoning vtable ptr in dtor.
rC247762: Implementation and testing for poisoning vtable
Summary

After destruction, invocation of virtual functions prevented
by poisoning vtable pointer.

Diff Detail

Event Timeline

nmusgrave updated this revision to Diff 34277.Sep 8 2015, 4:23 PM
nmusgrave retitled this revision from to Implementation and testing for poisoning vtable ptr in dtor..
nmusgrave updated this object.
nmusgrave added reviewers: eugenis, kcc.
nmusgrave added a subscriber: cfe-commits.
eugenis added inline comments.Sep 8 2015, 5:00 PM
lib/CodeGen/CGClass.cpp
1687

You are poisoning the vtable pointer in the base destructor.
Isn't that too early?
For example, in the following case the vptr would be poisoned before ~A, right?
https://github.com/google/sanitizers/wiki/ThreadSanitizerPopularDataRaces#data-race-on-vptr

nmusgrave updated this revision to Diff 34357.Sep 9 2015, 12:09 PM
nmusgrave marked an inline comment as done.Sep 9 2015, 12:11 PM
eugenis added inline comments.Sep 9 2015, 12:42 PM
lib/CodeGen/CGClass.cpp
1697

Did you mean to move this chunk to the other cleanup class?
Is there a test that would fail if vptr is prematurely poisoned? There should be one (it's ok if it is only in compiler-rt, this could be hard to test with lit over IR).

nmusgrave updated this revision to Diff 34373.Sep 9 2015, 3:28 PM
  • Cleaned up impl.
nmusgrave marked an inline comment as done.Sep 9 2015, 4:09 PM
nmusgrave added inline comments.
lib/CodeGen/CGClass.cpp
1697

compiler-rt/test/msan/dtor-multiple-inheritance.cc checks that vtable is still accessible within dtors.

eugenis added a reviewer: rsmith.Sep 10 2015, 4:22 PM
eugenis edited edge metadata.

So, this can not be moved to the complete destructor because that would fail to poisons vptrs of the base classes. On the other hand, the current implementation is a bit wasteful, as it can poison the same pointer multiple times when it is shared by the derived class and the first base.

Maybe skip poisoning if the first base (or whatever is at offset 0 in the record layout) is a dynamic class with non-trivial destructor?

lib/CodeGen/CGClass.cpp
1652

If it's a global function, it should have a more descriptive name, like EmitSanitizerDtorCallback.
OffsetPtr => just Ptr
And move the body of the function to this line to avoid unnecessary redeclaration.

test/CodeGenCXX/sanitize-dtor-derived-class.cpp
70

Check that this poisons exactly 8 bytes.

nmusgrave marked 2 inline comments as done.Sep 10 2015, 4:37 PM
nmusgrave added inline comments.
lib/CodeGen/CGClass.cpp
1652

It's inside of a namespace- is it still global?

eugenis added inline comments.Sep 10 2015, 4:39 PM
lib/CodeGen/CGClass.cpp
1652

In a sense. This namespace is not only about sanitizers, so Poison is ambiguous.

nmusgrave updated this revision to Diff 34614.Sep 11 2015, 6:27 PM
nmusgrave marked 2 inline comments as done.
nmusgrave edited edge metadata.
  • Fixed testing callback emission order to account for vptr.
nmusgrave updated this revision to Diff 34617.Sep 11 2015, 7:41 PM
  • Poison vtable in either complete or base dtor.
nmusgrave updated this revision to Diff 34822.Sep 15 2015, 11:53 AM
  • Re-checking testing for poisoning vtable.
nmusgrave updated this revision to Diff 34851.Sep 15 2015, 4:47 PM
  • Remove commented-out block.
eugenis accepted this revision.Sep 15 2015, 4:56 PM
eugenis edited edge metadata.

LGTM

This revision is now accepted and ready to land.Sep 15 2015, 4:56 PM
nmusgrave closed this revision.Sep 15 2015, 5:43 PM
chapuni added a subscriber: chapuni.Sep 15 2015, 7:44 PM
chapuni added inline comments.
lib/CodeGen/CGClass.cpp
1756

It causes a warning in -Asserts. [-Wunused-private-field]

Revision Contents

PathSize
lib/
CodeGen/
72 lines
test/
CodeGenCXX/
12 lines
47 lines

Diff 34851

lib/CodeGen/CGClass.cpp

Show First 20 LinesShow All 1,642 Lines▼ Show 20 Lines void Emit(CodeGenFunction &CGF, Flags flags) override {
LValue LV = CGF.EmitLValueForField(ThisLV, field); LValue LV = CGF.EmitLValueForField(ThisLV, field);
assert(LV.isSimple()); assert(LV.isSimple());
CGF.emitDestroy(LV.getAddress(), field->getType(), destroyer, CGF.emitDestroy(LV.getAddress(), field->getType(), destroyer,
flags.isForNormalCleanup() && useEHCleanupForArray); flags.isForNormalCleanup() && useEHCleanupForArray);
} }
}; };
class SanitizeDtor final : public EHScopeStack::Cleanup { static void EmitSanitizerDtorCallback(CodeGenFunction &CGF, llvm::Value *Ptr,
CharUnits::QuantityType PoisonSize) {
eugenisUnsubmitted
Done
ReplyInline Actions

If it's a global function, it should have a more descriptive name, like EmitSanitizerDtorCallback.
OffsetPtr => just Ptr
And move the body of the function to this line to avoid unnecessary redeclaration.

eugenis: If it's a global function, it should have a more descriptive name, like…
nmusgraveAuthorUnsubmitted
Not Done
ReplyInline Actions

It's inside of a namespace- is it still global?

nmusgrave: It's inside of a namespace- is it still global?
eugenisUnsubmitted
Done
ReplyInline Actions

In a sense. This namespace is not only about sanitizers, so Poison is ambiguous.

eugenis: In a sense. This namespace is not only about sanitizers, so Poison is ambiguous.
// Pass in void pointer and size of region as arguments to runtime
// function
llvm::Value *Args[] = {CGF.Builder.CreateBitCast(Ptr, CGF.VoidPtrTy),
llvm::ConstantInt::get(CGF.SizeTy, PoisonSize)};
llvm::Type *ArgTypes[] = {CGF.VoidPtrTy, CGF.SizeTy};
llvm::FunctionType *FnType =
llvm::FunctionType::get(CGF.VoidTy, ArgTypes, false);
llvm::Value *Fn =
CGF.CGM.CreateRuntimeFunction(FnType, "__sanitizer_dtor_callback");
CGF.EmitNounwindRuntimeCall(Fn, Args);
}
class SanitizeDtorMembers final : public EHScopeStack::Cleanup {
const CXXDestructorDecl *Dtor; const CXXDestructorDecl *Dtor;
public: public:
SanitizeDtor(const CXXDestructorDecl *Dtor) : Dtor(Dtor) {} SanitizeDtorMembers(const CXXDestructorDecl *Dtor) : Dtor(Dtor) {}
// Generate function call for handling object poisoning. // Generate function call for handling object poisoning.
// Disables tail call elimination, to prevent the current stack frame // Disables tail call elimination, to prevent the current stack frame
// from disappearing from the stack trace. // from disappearing from the stack trace.
void Emit(CodeGenFunction &CGF, Flags flags) override { void Emit(CodeGenFunction &CGF, Flags flags) override {
const ASTRecordLayout &Layout = const ASTRecordLayout &Layout =
CGF.getContext().getASTRecordLayout(Dtor->getParent()); CGF.getContext().getASTRecordLayout(Dtor->getParent());
// Nothing to poison. // Nothing to poison.
if (Layout.getFieldCount() == 0) if (Layout.getFieldCount() == 0)
return; return;
// Prevent the current stack frame from disappearing from the stack trace. // Prevent the current stack frame from disappearing from the stack trace.
CGF.CurFn->addFnAttr("disable-tail-calls", "true"); CGF.CurFn->addFnAttr("disable-tail-calls", "true");
// Construct pointer to region to begin poisoning, and calculate poison // Construct pointer to region to begin poisoning, and calculate poison
eugenisUnsubmitted
Done
ReplyInline Actions

You are poisoning the vtable pointer in the base destructor.
Isn't that too early?
For example, in the following case the vptr would be poisoned before ~A, right?
https://github.com/google/sanitizers/wiki/ThreadSanitizerPopularDataRaces#data-race-on-vptr

eugenis: You are poisoning the vtable pointer in the base destructor. Isn't that too early? For example…
// size, so that only members declared in this class are poisoned. // size, so that only members declared in this class are poisoned.
ASTContext &Context = CGF.getContext(); ASTContext &Context = CGF.getContext();
unsigned fieldIndex = 0; unsigned fieldIndex = 0;
int startIndex = -1; int startIndex = -1;
// RecordDecl::field_iterator Field; // RecordDecl::field_iterator Field;
for (const FieldDecl *Field : Dtor->getParent()->fields()) { for (const FieldDecl *Field : Dtor->getParent()->fields()) {
// Poison field if it is trivial // Poison field if it is trivial
if (FieldHasTrivialDestructorBody(Context, Field)) { if (FieldHasTrivialDestructorBody(Context, Field)) {
// Start sanitizing at this field // Start sanitizing at this field
if (startIndex < 0) if (startIndex < 0)
eugenisUnsubmitted
Done
ReplyInline Actions

Did you mean to move this chunk to the other cleanup class?
Is there a test that would fail if vptr is prematurely poisoned? There should be one (it's ok if it is only in compiler-rt, this could be hard to test with lit over IR).

eugenis: Did you mean to move this chunk to the other cleanup class? Is there a test that would fail if…
nmusgraveAuthorUnsubmitted
Not Done
ReplyInline Actions

compiler-rt/test/msan/dtor-multiple-inheritance.cc checks that vtable is still accessible within dtors.

nmusgrave: compiler-rt/test/msan/dtor-multiple-inheritance.cc checks that vtable is still accessible…
startIndex = fieldIndex; startIndex = fieldIndex;
// Currently on the last field, and it must be poisoned with the // Currently on the last field, and it must be poisoned with the
// current block. // current block.
if (fieldIndex == Layout.getFieldCount() - 1) { if (fieldIndex == Layout.getFieldCount() - 1) {
PoisonBlock(CGF, startIndex, Layout.getFieldCount()); PoisonMembers(CGF, startIndex, Layout.getFieldCount());
} }
} else if (startIndex >= 0) { } else if (startIndex >= 0) {
// No longer within a block of memory to poison, so poison the block // No longer within a block of memory to poison, so poison the block
PoisonBlock(CGF, startIndex, fieldIndex); PoisonMembers(CGF, startIndex, fieldIndex);
// Re-set the start index // Re-set the start index
startIndex = -1; startIndex = -1;
} }
fieldIndex += 1; fieldIndex += 1;
} }
} }
private: private:
/// \param layoutStartOffset index of the ASTRecordLayout field to /// \param layoutStartOffset index of the ASTRecordLayout field to
/// start poisoning (inclusive) /// start poisoning (inclusive)
/// \param layoutEndOffset index of the ASTRecordLayout field to /// \param layoutEndOffset index of the ASTRecordLayout field to
/// end poisoning (exclusive) /// end poisoning (exclusive)
void PoisonBlock(CodeGenFunction &CGF, unsigned layoutStartOffset, void PoisonMembers(CodeGenFunction &CGF, unsigned layoutStartOffset,
unsigned layoutEndOffset) { unsigned layoutEndOffset) {
ASTContext &Context = CGF.getContext(); ASTContext &Context = CGF.getContext();
const ASTRecordLayout &Layout = const ASTRecordLayout &Layout =
Context.getASTRecordLayout(Dtor->getParent()); Context.getASTRecordLayout(Dtor->getParent());
llvm::ConstantInt *OffsetSizePtr = llvm::ConstantInt::get( llvm::ConstantInt *OffsetSizePtr = llvm::ConstantInt::get(
CGF.SizeTy, CGF.SizeTy,
Context.toCharUnitsFromBits(Layout.getFieldOffset(layoutStartOffset)) Context.toCharUnitsFromBits(Layout.getFieldOffset(layoutStartOffset))
Show All 14 Lines void PoisonMembers(CodeGenFunction &CGF, unsigned layoutStartOffset,
Layout.getFieldOffset(layoutEndOffset) - Layout.getFieldOffset(layoutEndOffset) -
Layout.getFieldOffset(layoutStartOffset)) Layout.getFieldOffset(layoutStartOffset))
.getQuantity(); .getQuantity();
} }
if (PoisonSize == 0) if (PoisonSize == 0)
return; return;
// Pass in void pointer and size of region as arguments to runtime EmitSanitizerDtorCallback(CGF, OffsetPtr, PoisonSize);
// function }
llvm::Value *Args[] = {CGF.Builder.CreateBitCast(OffsetPtr, CGF.VoidPtrTy), };
llvm::ConstantInt::get(CGF.SizeTy, PoisonSize)};
llvm::Type *ArgTypes[] = {CGF.VoidPtrTy, CGF.SizeTy}; class SanitizeDtorVTable final : public EHScopeStack::Cleanup {
const CXXDestructorDecl *Dtor;
chapuniUnsubmitted
Not Done
ReplyInline Actions

It causes a warning in -Asserts. [-Wunused-private-field]

chapuni: It causes a warning in -Asserts. [-Wunused-private-field]
llvm::FunctionType *FnType = public:
llvm::FunctionType::get(CGF.VoidTy, ArgTypes, false); SanitizeDtorVTable(const CXXDestructorDecl *Dtor) : Dtor(Dtor) {}
llvm::Value *Fn =
CGF.CGM.CreateRuntimeFunction(FnType, "__sanitizer_dtor_callback"); // Generate function call for handling vtable pointer poisoning.
CGF.EmitNounwindRuntimeCall(Fn, Args); void Emit(CodeGenFunction &CGF, Flags flags) override {
assert(Dtor->getParent()->isDynamicClass());
ASTContext &Context = CGF.getContext();
// Poison vtable and vtable ptr if they exist for this class.
llvm::Value *VTablePtr = CGF.LoadCXXThis();
CharUnits::QuantityType PoisonSize =
Context.toCharUnitsFromBits(CGF.PointerWidthInBits).getQuantity();
// Pass in void pointer and size of region as arguments to runtime
// function
EmitSanitizerDtorCallback(CGF, VTablePtr, PoisonSize);
} }
}; };
} }
/// \brief Emit all code that comes at the end of class's /// \brief Emit all code that comes at the end of class's
/// destructor. This is to call destructors on members and base classes /// destructor. This is to call destructors on members and base classes
/// in reverse order of their construction. /// in reverse order of their construction.
void CodeGenFunction::EnterDtorCleanups(const CXXDestructorDecl *DD, void CodeGenFunction::EnterDtorCleanups(const CXXDestructorDecl *DD,
CXXDtorType DtorType) { CXXDtorType DtorType) {
assert((!DD->isTrivial() || DD->hasAttr<DLLExportAttr>()) && assert((!DD->isTrivial() || DD->hasAttr<DLLExportAttr>()) &&
Show All 18 Linesvoid CodeGenFunction::EnterDtorCleanups(const CXXDestructorDecl *DD,
const CXXRecordDecl *ClassDecl = DD->getParent(); const CXXRecordDecl *ClassDecl = DD->getParent();
// Unions have no bases and do not call field destructors. // Unions have no bases and do not call field destructors.
if (ClassDecl->isUnion()) if (ClassDecl->isUnion())
return; return;
// The complete-destructor phase just destructs all the virtual bases. // The complete-destructor phase just destructs all the virtual bases.
if (DtorType == Dtor_Complete) { if (DtorType == Dtor_Complete) {
// Poison the vtable pointer such that access after the base
// and member destructors are invoked is invalid.
if (CGM.getCodeGenOpts().SanitizeMemoryUseAfterDtor &&
SanOpts.has(SanitizerKind::Memory) && ClassDecl->getNumVBases() &&
ClassDecl->isPolymorphic())
EHStack.pushCleanup<SanitizeDtorVTable>(NormalAndEHCleanup, DD);
// We push them in the forward order so that they'll be popped in // We push them in the forward order so that they'll be popped in
// the reverse order. // the reverse order.
for (const auto &Base : ClassDecl->vbases()) { for (const auto &Base : ClassDecl->vbases()) {
CXXRecordDecl *BaseClassDecl CXXRecordDecl *BaseClassDecl
= cast<CXXRecordDecl>(Base.getType()->getAs<RecordType>()->getDecl()); = cast<CXXRecordDecl>(Base.getType()->getAs<RecordType>()->getDecl());
// Ignore trivial destructors. // Ignore trivial destructors.
if (BaseClassDecl->hasTrivialDestructor()) if (BaseClassDecl->hasTrivialDestructor())
continue; continue;
EHStack.pushCleanup<CallBaseDtor>(NormalAndEHCleanup, EHStack.pushCleanup<CallBaseDtor>(NormalAndEHCleanup,
BaseClassDecl, BaseClassDecl,
/*BaseIsVirtual*/ true); /*BaseIsVirtual*/ true);
} }
return; return;
} }
assert(DtorType == Dtor_Base); assert(DtorType == Dtor_Base);
// Poison the vtable pointer if it has no virtual bases, but inherits
// virtual functions.
if (CGM.getCodeGenOpts().SanitizeMemoryUseAfterDtor &&
SanOpts.has(SanitizerKind::Memory) && !ClassDecl->getNumVBases() &&
ClassDecl->isPolymorphic())
EHStack.pushCleanup<SanitizeDtorVTable>(NormalAndEHCleanup, DD);
// Destroy non-virtual bases. // Destroy non-virtual bases.
for (const auto &Base : ClassDecl->bases()) { for (const auto &Base : ClassDecl->bases()) {
// Ignore virtual bases. // Ignore virtual bases.
if (Base.isVirtual()) if (Base.isVirtual())
continue; continue;
CXXRecordDecl *BaseClassDecl = Base.getType()->getAsCXXRecordDecl(); CXXRecordDecl *BaseClassDecl = Base.getType()->getAsCXXRecordDecl();
// Ignore trivial destructors. // Ignore trivial destructors.
if (BaseClassDecl->hasTrivialDestructor()) if (BaseClassDecl->hasTrivialDestructor())
continue; continue;
EHStack.pushCleanup<CallBaseDtor>(NormalAndEHCleanup, EHStack.pushCleanup<CallBaseDtor>(NormalAndEHCleanup,
BaseClassDecl, BaseClassDecl,
/*BaseIsVirtual*/ false); /*BaseIsVirtual*/ false);
} }
// Poison fields such that access after their destructors are // Poison fields such that access after their destructors are
// invoked, and before the base class destructor runs, is invalid. // invoked, and before the base class destructor runs, is invalid.
if (CGM.getCodeGenOpts().SanitizeMemoryUseAfterDtor && if (CGM.getCodeGenOpts().SanitizeMemoryUseAfterDtor &&
SanOpts.has(SanitizerKind::Memory)) SanOpts.has(SanitizerKind::Memory))
EHStack.pushCleanup<SanitizeDtor>(NormalAndEHCleanup, DD); EHStack.pushCleanup<SanitizeDtorMembers>(NormalAndEHCleanup, DD);
// Destroy direct fields. // Destroy direct fields.
for (const auto *Field : ClassDecl->fields()) { for (const auto *Field : ClassDecl->fields()) {
QualType type = Field->getType(); QualType type = Field->getType();
QualType::DestructionKind dtorKind = type.isDestructedType(); QualType::DestructionKind dtorKind = type.isDestructedType();
if (!dtorKind) continue; if (!dtorKind) continue;
// Anonymous union members do not have their destructors called. // Anonymous union members do not have their destructors called.
▲ Show 20 LinesShow All 872 LinesShow Last 20 Lines

test/CodeGenCXX/sanitize-dtor-derived-class.cpp

// RUN: %clang_cc1 -fsanitize=memory -fsanitize-memory-use-after-dtor -disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | FileCheck %s // RUN: %clang_cc1 -fsanitize=memory -fsanitize-memory-use-after-dtor -disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | FileCheck %s
// RUN: %clang_cc1 -O1 -fsanitize=memory -fsanitize-memory-use-after-dtor -disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | FileCheck %s // RUN: %clang_cc1 -O1 -fsanitize=memory -fsanitize-memory-use-after-dtor -disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | FileCheck %s
// Only the last dtor of a class invokes the sanitizing callback // Base dtor poisons members
// Sanitizing callback emited prior to base class dtor invocations // Complete dtor poisons vtable ptr after destroying members and
// virtual bases
class Base { class Base {
public: public:
int x; int x;
Base() { Base() {
x = 5; x = 5;
} }
virtual ~Base() { virtual ~Base() {
Show All 9 Lines public:
} }
~Derived() { ~Derived() {
y += 1; y += 1;
} }
}; };
Derived d; Derived d;
// Invoke base destructor. No vtable pointer to poison.
// CHECK-LABEL: define {{.*}}DerivedD1Ev // CHECK-LABEL: define {{.*}}DerivedD1Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback // CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}DerivedD2Ev // CHECK: call void {{.*}}DerivedD2Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback // CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void // CHECK: ret void
// CHECK-LABEL: define {{.*}}DerivedD0Ev // CHECK-LABEL: define {{.*}}DerivedD0Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback // CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}DerivedD1Ev // CHECK: call void {{.*}}DerivedD1Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback // CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void // CHECK: ret void
// Invokes base destructor, and poison vtable pointer.
// CHECK-LABEL: define {{.*}}BaseD1Ev // CHECK-LABEL: define {{.*}}BaseD1Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback // CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}BaseD2Ev // CHECK: call void {{.*}}BaseD2Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback // CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void // CHECK: ret void
// CHECK-LABEL: define {{.*}}BaseD0Ev // CHECK-LABEL: define {{.*}}BaseD0Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback // CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}BaseD1Ev // CHECK: call void {{.*}}BaseD1Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback // CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void // CHECK: ret void
// Poison members and vtable ptr.
// CHECK-LABEL: define {{.*}}BaseD2Ev // CHECK-LABEL: define {{.*}}BaseD2Ev
// CHECK: call void @__sanitizer_dtor_callback // CHECK: call void @__sanitizer_dtor_callback
// CHECK: call void @__sanitizer_dtor_callback{{.*}}i64 8
// CHECK-NOT: call void @__sanitizer_dtor_callback // CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void // CHECK: ret void
// Poison members and destroy non-virtual base.
// CHECK-LABEL: define {{.*}}DerivedD2Ev // CHECK-LABEL: define {{.*}}DerivedD2Ev
// CHECK: call void @__sanitizer_dtor_callback // CHECK: call void @__sanitizer_dtor_callback
// CHECK-NOT: call void @__sanitizer_dtor_callback // CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}BaseD2Ev // CHECK: call void {{.*}}BaseD2Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback // CHECK: call void @__sanitizer_dtor_callback{{.*}}i64 8
eugenisUnsubmitted
Done
ReplyInline Actions

Check that this poisons exactly 8 bytes.

eugenis: Check that this poisons exactly 8 bytes.
// CHECK: ret void // CHECK: ret void

test/CodeGenCXX/sanitize-dtor-vtable.cpp

  • This file was added.
// RUN: %clang_cc1 -O0 -fsanitize=memory -fsanitize-memory-use-after-dtor -disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | FileCheck %s
// RUN: %clang_cc1 -O1 -fsanitize=memory -fsanitize-memory-use-after-dtor -disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | FileCheck %s
class A {
public:
int x;
A() {}
virtual ~A() {}
};
A a;
class B : virtual public A {
public:
int y;
B() {}
~B() {}
};
B b;
// CHECK-LABEL: define {{.*}}AD1Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}AD2Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void
// After invoking base dtor and dtor for virtual base, poison vtable ptr.
// CHECK-LABEL: define {{.*}}BD1Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}BD2Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}AD2Ev
// CHECK: call void @__sanitizer_dtor_callback{{.*}}i64 8
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void
// Since no virtual bases, poison vtable ptr here.
// CHECK-LABEL: define {{.*}}AD2Ev
// CHECK: call void @__sanitizer_dtor_callback
// CHECK: call void @__sanitizer_dtor_callback{{.*}}i64 8
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void
// Poison members
// CHECK-LABEL: define {{.*}}BD2Ev
// CHECK: call void @__sanitizer_dtor_callback
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void