This is an archive of the discontinued LLVM Phabricator instance.

Differential D12793

Three new overflow builtins with generic argument types
ClosedPublic

Authored by DavidEGrayson on Sep 10 2015, 9:52 PM.

Details

Reviewers
rjmccall
DavidEGrayson
Summary

This patch adds __builtin_add_overflow, __builtin_sub_overflow, and __builtin_mul_overflow to clang. These are useful functions and are easier to use than the existing overflow builtins because they can accept any type of integer for the inputs and output. GCC 5 already has these functions in it, and I think they should be added to clang.

The need for these built-ins is discussed here:

https://llvm.org/bugs/show_bug.cgi?id=21716

The repository I used to help develop this patch is here:

https://github.com/DavidEGrayson/builtin_overflow

The patch should apply cleanly to revision 248284 of clang. I added these new builtins to the documentation and added tests for them.

I went through some extra effort to support boolean arguments, even though GCC does not support boolean arguments for these functions.

I am new to clang/LLVM development and I am not really sure if I have submitted this patch in the right way. For example, I never found a way to select "clang" as the project that I am submitting this patch to. Please let me know if I there is a better way I can submit patches. I hope someone can review this and commit it to clang. Please let me know if there are any problems with it. Thanks!

Diff Detail

Event Timeline

DavidEGrayson updated this revision to Diff 34530.Sep 10 2015, 9:52 PM
DavidEGrayson retitled this revision from to Three new security overflow builtins with generic argument types.
DavidEGrayson updated this object.
DavidEGrayson added a reviewer: Restricted Project.
DavidEGrayson set the repository for this revision to rL LLVM.
DavidEGrayson updated this object.
DavidEGrayson updated this object.
DavidEGrayson updated this object.Sep 10 2015, 9:58 PM
DavidEGrayson removed a reviewer: Restricted Project.Sep 10 2015, 10:32 PM
DavidEGrayson added a reviewer: rjmccall.Sep 10 2015, 10:53 PM
DavidEGrayson added subscribers: cfe-commits, DavidEGrayson.
jevinskie added a subscriber: jevinskie.Sep 14 2015, 10:46 AM
rjmccall edited edge metadata.Sep 21 2015, 8:09 PM

Thanks for doing this; this is a great start.

docs/LanguageExtensions.rst
1720

Hmm. It's not necessarily truncation; you could meaningfully use these intrinsics to add two small signed numbers and store the result in an unsigned number. It's the unique representative value modulo 2^n, where n is the bit-width of the result.

lib/CodeGen/CGBuiltin.cpp
289

This should just take an ArrayRef. Also, please at least introduce a typedef for your pair type, and consider just making a little struct for it.

314

getIntegerWidthAndSignedness, please.

1601

These are not the most evocative names you could have chosen. :)

Also, this strategy is correct, but it produces horrible code when the operands have the same signedness and the result is different, where the result would otherwise be an ordinary operation and a compare. You really want to just merge the two operands and then max with the width of the result type.

1610

These aren't really security-specific; they're just arbitrary-precision.

1630

This is Builder.CreateIntegerCast(X, ELTy, XITy.second).

1667

EmitToMemory.

DavidEGrayson added a comment.Sep 22 2015, 9:29 AM

Thanks for looking at this patch, John! I disagreed with your comment about calculating the encompassing type, but I will incorporate everything else and make a new patch tonight or within a few days.

docs/LanguageExtensions.rst
1720

OK, I'll change the documentation because I like your way of phrasing it, but I think truncation always gives you the unique representative value modulo 2^n. If I'm adding ((int8_t)-1) to ((int8_t)-1), the infinite-width result would be -2, which in infinite-width binary is 11...1111111111110. Then we truncate it to 8 bits to get 11111110, which is 254. And 254 is also the unique representative value of -2 modulo 256.

lib/CodeGen/CGBuiltin.cpp
289

A struct called IntegerWidthAndSignedness sounds good to me, thanks. And I will learn how to use ArrayRef and use it here.

314

Sounds good. That frees up the name IntegerWidthAndSignedness to be used for my new struct.

1601

I don't think that would work. It sounds like you want me to remove RITy from the call to EncompassingIntegerType. That means the ecompassing type could be smaller than the result type, and the arithmetic intrinsic would report an overflow even though the mathematical result is representable in the result type.

For example, if I am multiplying ((uint8_t)100) by ((uint8_t)100) and storing the result in a (uint16_t), the result needs to be 10000 and there is no overflow. To arrive at that result, we need to convert the operands to 16-bit unsigned integers before multiplying them. If we multiply them as 8-bit unsigned integers, the multiplication intrinsic will report an overflow and give a result of 16. That seems like a messy situation and I don't see how a max operation would fix it.

1610

I agree that these functions are not security-specific. I just copied that message from a place a little bit lower in CGBuiltin.cpp where it was used to describe some other overflow builtins. I am happy to remove the word "security" from both places.

1630

Thanks, I thought there had to be a function for that already but just could not find it.

1667

Thanks again, will do.

rjmccall added inline comments.Sep 22 2015, 11:48 AM
docs/LanguageExtensions.rst
1720

When talking about mathematical abstractions, I think it's better to stick with mathematical presentations all the way through instead of mixing in the idea that the universe is 2's-complement. :)

lib/CodeGen/CGBuiltin.cpp
1601

I think I was unclear. I'm not saying that you should do a max as part of computing the dynamic result. I'm saying that, when deciding the encompassing type, it should still be at least as wide as the result, but you should ignore the result type's signedness and then patch it up with a comparison at the end if necessary. (I believe that in both cases, it's a signed comparison against zero.)

That is, when multiplying two uint8_t's and storing the result in an int16_t, we should just do an unsigned 16-bit multiply-with-overflow. The computation overflows if the multiply overflows (which it provably doesn't, but we can let LLVM figure that out for now) or the result is signed-< 0.

DavidEGrayson added a comment.EditedSep 23 2015, 9:34 AM

Hi John. I thought about your comment on line 1601 somewhat carefully and tried to imagine what it would look like. See my inline comment.

Also, by the way, do you know if the results of the LLVM intrinsics like llvm.smul.with.overflow.* are guaranteed to be well-defined when there is an overflow? This whole patch hinges on that, because the results of the builtins are supposed to be well-defined. The documentation _here_ is not so great.

lib/CodeGen/CGBuiltin.cpp
1601

OK, I understand now. As an optimization, you would to like the operation type (the width/signedness that we use to perform the main math operation) to sometimes be the same width as the result type (the type that the third argument points to) but have a different sign.

I'm thinking about how that would work in all the different cases. I have concluded that it would work in 5 out of 6 cases, but we would have to think carefully about each case and it is possible I have made some mistakes. But here are the 6 cases:

  1. __builtin_add_overflow, operation type signed, result type unsigned: It would work but it would be complicated. If the signed addition intrinsic reports an overflow, we need to know whether the result was too big (which is OK) or too small (which is bad). The most extreme underflow would be (-2^(N-1)) + (-2^(N-1)) = 0, so every underflow should give a non-negative result. Similarly, every overflow-proper (case where the result was too big) would result in a negative number. So the overflow bit returned from __builtin_add_overflow should be the overflow bit from the intrinsic XORed with a "less than zero" comparison.
  1. __builtin_add_overflow, operation type unsigned, result type signed: This is easier, because the only possible overflow reported by the unsigned addition intrinsic happens when the result is too big, which means it's definitely too big for the signed type. The overflow bit returned from __builtin_add_overflow in this case would be the overflow bit from the intrinsic ORed with a "less than zero" comparison.
  1. __builtin_sub_overflow, operation type signed, result type unsigned: If the signed subtraction intrinsic reports an overflow, we need to know whether the result was too big (which is OK) or too small (which is bad). The most extreme underflow would be (-2^(N-1)) - (2^(N-1)-1) = 1, so every underflow gives a positive value. The most extreme overflow-proper would be (2^(N-1)-1) - (-2^(N-1)) = -1, so every overflow-proper gives a negative number. Just like case #1, the overflow bit we return shoud be the overflow bit from the intrinsic XORed with a "less than zero" comparison.
  1. __builtin_sub_overflow, operation type unsigned, result type signed: If the unsigned subtraction intrinsic reports an overflow, it simply means Y > X. That is OK as long as Y isn't too much greater than X. The most extreme case is 0 - (2^N-1) = 1. So if the result from the intrinsic is less than zero, then we are OK. So the overflow bit returned from __builtin_sub_overflow should be the overflow bit from the intrinsic XORed with a "less than zero" comparison.
  1. __builtin_mul_overflow, operation type signed, result type unsigned: I don't think this case would work, so we would have to fall back to using an operation type that actually encompasses the result type. For example, if we are multiplying two int16_t and the result is uint16_t, and the intrinsic gives us an overflow, it's really hard to know whether that overflow was OK (200 * 200) or not OK (200 * 527).
  1. __builtin_mul_overflow, operation type unsigned, result type signed: The logic from case 2 applies here.

Do you want the patch to go in this direction? Since we have to consider these 6 cases, I think it would be more complicated than what you were describing.

rjmccall added a comment.Sep 23 2015, 12:22 PM

Yes, the main result is defined to be the true value mod 2^k even when overflow occurs. We do use the intrinsics to implement the existing fixed-width GCC builtins, which are meant to be useful not just for security checking, but for implementing arbitrary-precision arithmetic libraries. (LLVM doesn't seem to reliably do the add/adc peepholes that make that performant, though.)

lib/CodeGen/CGBuiltin.cpp
1601

Oh, I see your point; I wasn't thinking about the fact that some of the overflows aren't necessarily overflows in the result type. Going ahead with your original approach seems reasonable.

scanon added a subscriber: scanon.Sep 23 2015, 1:06 PM
DavidEGrayson updated this revision to Diff 35592.Sep 24 2015, 12:42 AM
DavidEGrayson edited edge metadata.
DavidEGrayson removed rL LLVM as the repository for this revision.

I have changed the patch to incorporate most of John McCall's feedback. The only thing I didn't act on was the suggestion to change the names of the variables XITy, YITy, RITy, and EITy, because I could not think of anything better.

DavidEGrayson marked 18 inline comments as done.Sep 24 2015, 12:44 AM
rjmccall added a comment.Sep 25 2015, 2:28 PM

X and Y aren't unreasonable for the operands, although you could also use "left" and "right" (or LHS/RHS), especially since it's significant for subtraction. R is short for "result" and should be spelled out. E is presumably short for "encompassing", but that is not immediately obvious even to someone reading your patch; spelling it out wouldn't hurt, or you could at least use a longer abbreviation.

You should also spell out the different *Ty suffixes in some way that differentiates them. I don't think you actually need the *QTy variables. The *ITy variables aren't really types and should not be named that way. *LLVMTy is not unreasonable for the IR types.

DavidEGrayson updated this revision to Diff 35825.Sep 27 2015, 2:32 PM

I have incorporated John McCall's feedback about variable naming. I was able to remove most of the *QTy variables, but ResultQTy is used in several places and the expression to compute it is pretty long, so I kept it.

I would argue that a struct with a width and signedness does in fact define an integer type. It's not a clang type or an LLVM type though. But that's fine, I renamed those variables to be called *Info.

Is there a better place to stick getIntegerWidthAndSignedness? It seems like a basic feature like this should be part of clang::Type or something.

DavidEGrayson retitled this revision from Three new security overflow builtins with generic argument types to Three new overflow builtins with generic argument types.Sep 28 2015, 8:45 AM
DavidEGrayson updated this object.
rjmccall added a comment.Sep 28 2015, 10:44 AM

LGTM, thanks.

DavidEGrayson added inline comments.Sep 29 2015, 1:38 PM
lib/CodeGen/CGBuiltin.cpp
303

Sorry, I need to fix this incorrect comment. I would probably just remove the second paragraph. After that, the patch is probably good to be committed.

DavidEGrayson updated this revision to Diff 36117.Sep 30 2015, 9:11 AM

I changed the patch in two ways: it now returns ExprError() is the third argument is wrong (for consistency with the other argument checking code). I removed an outdated comment for EncompassingIntegerType.

Thanks for reviewing this, John! I think it is finally ready to be committed. Please let me know if I have to do anything else to get it committed.

This patch is still based on 248284, which is from 8 days ago. Hopefully it can still be committed cleanly.

DavidEGrayson marked an inline comment as done.Oct 7 2015, 10:37 AM

Well, it has been another week. John, I don't have commit access, so can you commit this? Thanks! Let me know if the patch doesn't apply cleanly or any tests fail.

DavidEGrayson added a comment.Oct 27 2015, 8:56 PM

Ping.

rjmccall added a comment.Oct 29 2015, 1:50 PM

Sorry for the delay. Committed with a few minor tweaks in r251650.

DavidEGrayson added a comment.Oct 30 2015, 8:59 AM

Thanks, John! Looks like it's actually committed in rL251651. Thanks for handling the volatile pointers correctly (I didn't know I had to do something special for them) and giving me credit in the commit message!

DavidEGrayson accepted this revision.Oct 30 2015, 9:02 AM
DavidEGrayson added a reviewer: DavidEGrayson.
This revision is now accepted and ready to land.Oct 30 2015, 9:02 AM
Eugene.Zelenko closed this revision.Sep 27 2016, 1:47 PM

Revision Contents

PathSize
docs/
17 lines
include/
clang/
Basic/
3 lines
6 lines
lib/
CodeGen/
126 lines
Sema/
37 lines
test/
CodeGen/
17 lines
152 lines

Diff 36117

docs/LanguageExtensions.rst

Context not available.
errorcode_t security_critical_application(...) { errorcode_t security_critical_application(...) {
unsigned x, y, result; unsigned x, y, result;
... ...
if (__builtin_umul_overflow(x, y, &result)) if (__builtin_mul_overflow(x, y, &result))
return kErrorCodeHackers; return kErrorCodeHackers;
... ...
use_multiply(result); use_multiply(result);
Context not available.
... ...
} }
A complete enumeration of the builtins are: Clang provides the following checked arithmetic builtins:
.. code-block:: c .. code-block:: c
bool __builtin_add_overflow (type1 x, type2 y, type3 *sum);
bool __builtin_sub_overflow (type1 x, type2 y, type3 *diff);
bool __builtin_mul_overflow (type1 x, type2 y, type3 *prod);
bool __builtin_uadd_overflow (unsigned x, unsigned y, unsigned *sum); bool __builtin_uadd_overflow (unsigned x, unsigned y, unsigned *sum);
bool __builtin_uaddl_overflow (unsigned long x, unsigned long y, unsigned long *sum); bool __builtin_uaddl_overflow (unsigned long x, unsigned long y, unsigned long *sum);
bool __builtin_uaddll_overflow(unsigned long long x, unsigned long long y, unsigned long long *sum); bool __builtin_uaddll_overflow(unsigned long long x, unsigned long long y, unsigned long long *sum);
Context not available.
bool __builtin_smull_overflow (long x, long y, long *prod); bool __builtin_smull_overflow (long x, long y, long *prod);
bool __builtin_smulll_overflow(long long x, long long y, long long *prod); bool __builtin_smulll_overflow(long long x, long long y, long long *prod);
Each builtin performs the specified mathematical operation on the
first two arguments and stores the result in the third argument. If
possible, the result will be equal to mathematically-correct result
and the builtin will return 0. Otherwise, the builtin will return
1 and the result will be equal to the unique value that is equivalent
to the mathematically-correct result modulo two raised to the *k*
rjmccallUnsubmitted
Done
ReplyInline Actions

Hmm. It's not necessarily truncation; you could meaningfully use these intrinsics to add two small signed numbers and store the result in an unsigned number. It's the unique representative value modulo 2^n, where n is the bit-width of the result.

rjmccall: Hmm. It's not necessarily truncation; you could meaningfully use these intrinsics to add two…
DavidEGraysonAuthorUnsubmitted
Done
ReplyInline Actions

OK, I'll change the documentation because I like your way of phrasing it, but I think truncation always gives you the unique representative value modulo 2^n. If I'm adding ((int8_t)-1) to ((int8_t)-1), the infinite-width result would be -2, which in infinite-width binary is 11...1111111111110. Then we truncate it to 8 bits to get 11111110, which is 254. And 254 is also the unique representative value of -2 modulo 256.

DavidEGrayson: OK, I'll change the documentation because I like your way of phrasing it, but I think…
rjmccallUnsubmitted
Done
ReplyInline Actions

When talking about mathematical abstractions, I think it's better to stick with mathematical presentations all the way through instead of mixing in the idea that the universe is 2's-complement. :)

rjmccall: When talking about mathematical abstractions, I think it's better to stick with mathematical…
power, where *k* is the number of bits in the result type. The
behavior of these builtins is well-defined for all argument values.
The first three builtins can operate on any integer types (including booleans).
.. _langext-__c11_atomic: .. _langext-__c11_atomic:
__c11_atomic builtins __c11_atomic builtins
Context not available.

include/clang/Basic/Builtins.def

Context not available.
BUILTIN(__builtin_subcll, "ULLiULLiCULLiCULLiCULLi*", "n") BUILTIN(__builtin_subcll, "ULLiULLiCULLiCULLiCULLi*", "n")
// Checked Arithmetic Builtins for Security. // Checked Arithmetic Builtins for Security.
BUILTIN(__builtin_add_overflow, "v.", "nt")
BUILTIN(__builtin_sub_overflow, "v.", "nt")
BUILTIN(__builtin_mul_overflow, "v.", "nt")
BUILTIN(__builtin_uadd_overflow, "bUiCUiCUi*", "n") BUILTIN(__builtin_uadd_overflow, "bUiCUiCUi*", "n")
BUILTIN(__builtin_uaddl_overflow, "bULiCULiCULi*", "n") BUILTIN(__builtin_uaddl_overflow, "bULiCULiCULi*", "n")
BUILTIN(__builtin_uaddll_overflow, "bULLiCULLiCULLi*", "n") BUILTIN(__builtin_uaddll_overflow, "bULLiCULLiCULLi*", "n")
Context not available.

include/clang/Basic/DiagnosticSemaKinds.td

Context not available.
"memory order argument to atomic operation is invalid">, "memory order argument to atomic operation is invalid">,
InGroup<DiagGroup<"atomic-memory-ordering">>; InGroup<DiagGroup<"atomic-memory-ordering">>;
def err_overflow_builtin_must_be_int : Error<
"operand argument to overflow builtin must be an integer (%0 invalid)">;
def err_overflow_builtin_must_be_ptr_int : Error<
"result argument to overflow builtin must be a pointer "
"to a non-const integer (%0 invalid)">;
def err_atomic_load_store_uses_lib : Error< def err_atomic_load_store_uses_lib : Error<
"atomic %select{load|store}0 requires runtime support that is not " "atomic %select{load|store}0 requires runtime support that is not "
"available for this target">; "available for this target">;
Context not available.

lib/CodeGen/CGBuiltin.cpp

Context not available.
return CGF.Builder.CreateExtractValue(Tmp, 0); return CGF.Builder.CreateExtractValue(Tmp, 0);
} }
namespace {
struct WidthAndSignedness {
unsigned Width;
bool Signed;
};
}
static WidthAndSignedness
getIntegerWidthAndSignedness(const clang::ASTContext &context,
rjmccallUnsubmitted
Done
ReplyInline Actions

This should just take an ArrayRef. Also, please at least introduce a typedef for your pair type, and consider just making a little struct for it.

rjmccall: This should just take an ArrayRef. Also, please at least introduce a typedef for your pair…
DavidEGraysonAuthorUnsubmitted
Done
ReplyInline Actions

A struct called IntegerWidthAndSignedness sounds good to me, thanks. And I will learn how to use ArrayRef and use it here.

DavidEGrayson: A struct called IntegerWidthAndSignedness sounds good to me, thanks. And I will learn how to…
const clang::QualType Type) {
assert(Type->isIntegerType() && "Given type is not an integer.");
unsigned Width = Type->isBooleanType() ? 1 : context.getTypeInfo(Type).Width;
bool Signed = Type->isSignedIntegerType();
return {Width, Signed};
}
// Given one or more integer types, this function produces an integer type that
// encompasses them: any value in one of the given types could be expressed in
// the encompassing type.
static struct WidthAndSignedness
EncompassingIntegerType(ArrayRef<struct WidthAndSignedness> Types) {
assert(Types.size() > 0 && "Empty list of types.");
DavidEGraysonAuthorUnsubmitted
Done
ReplyInline Actions

Sorry, I need to fix this incorrect comment. I would probably just remove the second paragraph. After that, the patch is probably good to be committed.

DavidEGrayson: Sorry, I need to fix this incorrect comment. I would probably just remove the second paragraph.
// If any of the given types is signed, we must return a signed type.
bool Signed = false;
for (const auto &Type : Types) {
Signed |= Type.Signed;
}
// The encompassing type must have a width greater than or equal to the width
// of the specified types. Aditionally, if the encompassing type is signed,
// its width must be strictly greater than the width of any unsigned types
// given.
unsigned Width = 0;
rjmccallUnsubmitted
Done
ReplyInline Actions

getIntegerWidthAndSignedness, please.

rjmccall: getIntegerWidthAndSignedness, please.
DavidEGraysonAuthorUnsubmitted
Done
ReplyInline Actions

Sounds good. That frees up the name IntegerWidthAndSignedness to be used for my new struct.

DavidEGrayson: Sounds good. That frees up the name IntegerWidthAndSignedness to be used for my new struct.
for (const auto &Type : Types) {
unsigned MinWidth = Type.Width + (Signed && !Type.Signed);
if (Width < MinWidth) {
Width = MinWidth;
}
}
return {Width, Signed};
}
Value *CodeGenFunction::EmitVAStartEnd(Value *ArgValue, bool IsStart) { Value *CodeGenFunction::EmitVAStartEnd(Value *ArgValue, bool IsStart) {
llvm::Type *DestType = Int8PtrTy; llvm::Type *DestType = Int8PtrTy;
if (ArgValue->getType() != DestType) if (ArgValue->getType() != DestType)
Context not available.
Builder.CreateStore(CarryOut, CarryOutPtr); Builder.CreateStore(CarryOut, CarryOutPtr);
return RValue::get(Sum2); return RValue::get(Sum2);
} }
case Builtin::BI__builtin_add_overflow:
case Builtin::BI__builtin_sub_overflow:
case Builtin::BI__builtin_mul_overflow: {
const clang::Expr *LeftArg = E->getArg(0);
const clang::Expr *RightArg = E->getArg(1);
const clang::Expr *ResultArg = E->getArg(2);
clang::QualType ResultQTy =
ResultArg->getType()->castAs<PointerType>()->getPointeeType();
rjmccallUnsubmitted
Done
ReplyInline Actions

These are not the most evocative names you could have chosen. :)

Also, this strategy is correct, but it produces horrible code when the operands have the same signedness and the result is different, where the result would otherwise be an ordinary operation and a compare. You really want to just merge the two operands and then max with the width of the result type.

rjmccall: These are not the most evocative names you could have chosen. :) Also, this strategy is…
DavidEGraysonAuthorUnsubmitted
Done
ReplyInline Actions

I don't think that would work. It sounds like you want me to remove RITy from the call to EncompassingIntegerType. That means the ecompassing type could be smaller than the result type, and the arithmetic intrinsic would report an overflow even though the mathematical result is representable in the result type.

For example, if I am multiplying ((uint8_t)100) by ((uint8_t)100) and storing the result in a (uint16_t), the result needs to be 10000 and there is no overflow. To arrive at that result, we need to convert the operands to 16-bit unsigned integers before multiplying them. If we multiply them as 8-bit unsigned integers, the multiplication intrinsic will report an overflow and give a result of 16. That seems like a messy situation and I don't see how a max operation would fix it.

DavidEGrayson: I don't think that would work. It sounds like you want me to remove RITy from the call to…
rjmccallUnsubmitted
Done
ReplyInline Actions

I think I was unclear. I'm not saying that you should do a max as part of computing the dynamic result. I'm saying that, when deciding the encompassing type, it should still be at least as wide as the result, but you should ignore the result type's signedness and then patch it up with a comparison at the end if necessary. (I believe that in both cases, it's a signed comparison against zero.)

That is, when multiplying two uint8_t's and storing the result in an int16_t, we should just do an unsigned 16-bit multiply-with-overflow. The computation overflows if the multiply overflows (which it provably doesn't, but we can let LLVM figure that out for now) or the result is signed-< 0.

rjmccall: I think I was unclear. I'm not saying that you should do a max as part of computing the…
DavidEGraysonAuthorUnsubmitted
Done
ReplyInline Actions

OK, I understand now. As an optimization, you would to like the operation type (the width/signedness that we use to perform the main math operation) to sometimes be the same width as the result type (the type that the third argument points to) but have a different sign.

I'm thinking about how that would work in all the different cases. I have concluded that it would work in 5 out of 6 cases, but we would have to think carefully about each case and it is possible I have made some mistakes. But here are the 6 cases:

  1. __builtin_add_overflow, operation type signed, result type unsigned: It would work but it would be complicated. If the signed addition intrinsic reports an overflow, we need to know whether the result was too big (which is OK) or too small (which is bad). The most extreme underflow would be (-2^(N-1)) + (-2^(N-1)) = 0, so every underflow should give a non-negative result. Similarly, every overflow-proper (case where the result was too big) would result in a negative number. So the overflow bit returned from __builtin_add_overflow should be the overflow bit from the intrinsic XORed with a "less than zero" comparison.
  1. __builtin_add_overflow, operation type unsigned, result type signed: This is easier, because the only possible overflow reported by the unsigned addition intrinsic happens when the result is too big, which means it's definitely too big for the signed type. The overflow bit returned from __builtin_add_overflow in this case would be the overflow bit from the intrinsic ORed with a "less than zero" comparison.
  1. __builtin_sub_overflow, operation type signed, result type unsigned: If the signed subtraction intrinsic reports an overflow, we need to know whether the result was too big (which is OK) or too small (which is bad). The most extreme underflow would be (-2^(N-1)) - (2^(N-1)-1) = 1, so every underflow gives a positive value. The most extreme overflow-proper would be (2^(N-1)-1) - (-2^(N-1)) = -1, so every overflow-proper gives a negative number. Just like case #1, the overflow bit we return shoud be the overflow bit from the intrinsic XORed with a "less than zero" comparison.
  1. __builtin_sub_overflow, operation type unsigned, result type signed: If the unsigned subtraction intrinsic reports an overflow, it simply means Y > X. That is OK as long as Y isn't too much greater than X. The most extreme case is 0 - (2^N-1) = 1. So if the result from the intrinsic is less than zero, then we are OK. So the overflow bit returned from __builtin_sub_overflow should be the overflow bit from the intrinsic XORed with a "less than zero" comparison.
  1. __builtin_mul_overflow, operation type signed, result type unsigned: I don't think this case would work, so we would have to fall back to using an operation type that actually encompasses the result type. For example, if we are multiplying two int16_t and the result is uint16_t, and the intrinsic gives us an overflow, it's really hard to know whether that overflow was OK (200 * 200) or not OK (200 * 527).
  1. __builtin_mul_overflow, operation type unsigned, result type signed: The logic from case 2 applies here.

Do you want the patch to go in this direction? Since we have to consider these 6 cases, I think it would be more complicated than what you were describing.

DavidEGrayson: OK, I understand now. As an optimization, you would to like the operation type (the…
rjmccallUnsubmitted
Done
ReplyInline Actions

Oh, I see your point; I wasn't thinking about the fact that some of the overflows aren't necessarily overflows in the result type. Going ahead with your original approach seems reasonable.

rjmccall: Oh, I see your point; I wasn't thinking about the fact that some of the overflows aren't…
WidthAndSignedness LeftInfo =
getIntegerWidthAndSignedness(CGM.getContext(), LeftArg->getType());
WidthAndSignedness RightInfo =
getIntegerWidthAndSignedness(CGM.getContext(), RightArg->getType());
WidthAndSignedness ResultInfo =
getIntegerWidthAndSignedness(CGM.getContext(), ResultQTy);
WidthAndSignedness EncompassingInfo =
EncompassingIntegerType({LeftInfo, RightInfo, ResultInfo});
rjmccallUnsubmitted
Done
ReplyInline Actions

These aren't really security-specific; they're just arbitrary-precision.

rjmccall: These aren't really security-specific; they're just arbitrary-precision.
DavidEGraysonAuthorUnsubmitted
Done
ReplyInline Actions

I agree that these functions are not security-specific. I just copied that message from a place a little bit lower in CGBuiltin.cpp where it was used to describe some other overflow builtins. I am happy to remove the word "security" from both places.

DavidEGrayson: I agree that these functions are not security-specific. I just copied that message from a…
llvm::Type *EncompassingLLVMTy =
llvm::IntegerType::get(CGM.getLLVMContext(), EncompassingInfo.Width);
llvm::Type *ResultLLVMTy = CGM.getTypes().ConvertType(ResultQTy);
llvm::Intrinsic::ID IntrinsicId;
switch (BuiltinID) {
default:
llvm_unreachable("Unknown overflow builtin id.");
case Builtin::BI__builtin_add_overflow:
IntrinsicId = EncompassingInfo.Signed
? llvm::Intrinsic::sadd_with_overflow
: llvm::Intrinsic::uadd_with_overflow;
break;
case Builtin::BI__builtin_sub_overflow:
IntrinsicId = EncompassingInfo.Signed
? llvm::Intrinsic::ssub_with_overflow
: llvm::Intrinsic::usub_with_overflow;
break;
case Builtin::BI__builtin_mul_overflow:
rjmccallUnsubmitted
Done
ReplyInline Actions

This is Builder.CreateIntegerCast(X, ELTy, XITy.second).

rjmccall: This is Builder.CreateIntegerCast(X, ELTy, XITy.second).
DavidEGraysonAuthorUnsubmitted
Done
ReplyInline Actions

Thanks, I thought there had to be a function for that already but just could not find it.

DavidEGrayson: Thanks, I thought there had to be a function for that already but just could not find it.
IntrinsicId = EncompassingInfo.Signed
? llvm::Intrinsic::smul_with_overflow
: llvm::Intrinsic::umul_with_overflow;
break;
}
llvm::Value *Left = EmitScalarExpr(LeftArg);
llvm::Value *Right = EmitScalarExpr(RightArg);
Address ResultPtr = EmitPointerWithAlignment(ResultArg);
// Extend each operand to the encompassing type.
Left = Builder.CreateIntCast(Left, EncompassingLLVMTy, LeftInfo.Signed);
Right = Builder.CreateIntCast(Right, EncompassingLLVMTy, RightInfo.Signed);
// Perform the operation on the extended values.
llvm::Value *Overflow, *Result;
Result = EmitOverflowIntrinsic(*this, IntrinsicId, Left, Right, Overflow);
if (EncompassingInfo.Width > ResultInfo.Width) {
// The encompassing type is wider than the result type, so we need to
// truncate it.
llvm::Value *ResultTrunc = Builder.CreateTrunc(Result, ResultLLVMTy);
// To see if the truncation caused an overflow, we will extend
// the result and then compare it to the original result.
llvm::Value *ResultTruncExt = Builder.CreateIntCast(
ResultTrunc, EncompassingLLVMTy, ResultInfo.Signed);
llvm::Value *TruncationOverflow =
Builder.CreateICmpNE(Result, ResultTruncExt);
Overflow = Builder.CreateOr(Overflow, TruncationOverflow);
Result = ResultTrunc;
}
// Finally, store the result using the pointer.
Builder.CreateStore(EmitToMemory(Result, ResultQTy), ResultPtr);
rjmccallUnsubmitted
Done
ReplyInline Actions

EmitToMemory.

rjmccall: EmitToMemory.
DavidEGraysonAuthorUnsubmitted
Done
ReplyInline Actions

Thanks again, will do.

DavidEGrayson: Thanks again, will do.
return RValue::get(Overflow);
}
case Builtin::BI__builtin_uadd_overflow: case Builtin::BI__builtin_uadd_overflow:
case Builtin::BI__builtin_uaddl_overflow: case Builtin::BI__builtin_uaddl_overflow:
case Builtin::BI__builtin_uaddll_overflow: case Builtin::BI__builtin_uaddll_overflow:
Context not available.
// Decide which of the overflow intrinsics we are lowering to: // Decide which of the overflow intrinsics we are lowering to:
llvm::Intrinsic::ID IntrinsicId; llvm::Intrinsic::ID IntrinsicId;
switch (BuiltinID) { switch (BuiltinID) {
default: llvm_unreachable("Unknown security overflow builtin id."); default: llvm_unreachable("Unknown overflow builtin id.");
case Builtin::BI__builtin_uadd_overflow: case Builtin::BI__builtin_uadd_overflow:
case Builtin::BI__builtin_uaddl_overflow: case Builtin::BI__builtin_uaddl_overflow:
case Builtin::BI__builtin_uaddll_overflow: case Builtin::BI__builtin_uaddll_overflow:
Context not available.

lib/Sema/SemaChecking.cpp

Context not available.
return false; return false;
} }
static bool SemaBuiltinOverflow(Sema &S, CallExpr *TheCall) {
if (checkArgCount(S, TheCall, 3))
return true;
// First two arguments should be integers.
for (unsigned I = 0; I < 2; ++I) {
Expr *Arg = TheCall->getArg(I);
QualType Ty = Arg->getType();
if (!Ty->isIntegerType()) {
S.Diag(Arg->getLocStart(), diag::err_overflow_builtin_must_be_int)
<< Ty << Arg->getSourceRange();
return true;
}
}
// Third argument should be a pointer to a non-const integer.
{
Expr *Arg = TheCall->getArg(2);
QualType Ty = Arg->getType();
const auto *PtrTy = Ty->getAs<PointerType>();
if (!(PtrTy && PtrTy->getPointeeType()->isIntegerType() &&
!PtrTy->getPointeeType().isConstQualified())) {
S.Diag(Arg->getLocStart(), diag::err_overflow_builtin_must_be_ptr_int)
<< Ty << Arg->getSourceRange();
return true;
}
}
return false;
}
static void SemaBuiltinMemChkCall(Sema &S, FunctionDecl *FDecl, static void SemaBuiltinMemChkCall(Sema &S, FunctionDecl *FDecl,
CallExpr *TheCall, unsigned SizeIdx, CallExpr *TheCall, unsigned SizeIdx,
unsigned DstSizeIdx) { unsigned DstSizeIdx) {
Context not available.
if (SemaBuiltinAddressof(*this, TheCall)) if (SemaBuiltinAddressof(*this, TheCall))
return ExprError(); return ExprError();
break; break;
case Builtin::BI__builtin_add_overflow:
case Builtin::BI__builtin_sub_overflow:
case Builtin::BI__builtin_mul_overflow:
if (SemaBuiltinOverflow(*this, TheCall))
return ExprError();
break;
case Builtin::BI__builtin_operator_new: case Builtin::BI__builtin_operator_new:
case Builtin::BI__builtin_operator_delete: case Builtin::BI__builtin_operator_delete:
if (!getLangOpts().CPlusPlus) { if (!getLangOpts().CPlusPlus) {
Context not available.

test/CodeGen/builtins-overflow-error.c

// RUN: %clang_cc1 -Wall -Werror -fsyntax-only -verify %s
void test(void) {
unsigned r;
const char * c;
float f;
const unsigned q;
__builtin_add_overflow(); // expected-error {{too few arguments to function call, expected 3, have 0}}
__builtin_add_overflow(1, 1, 1, 1); // expected-error {{too many arguments to function call, expected 3, have 4}}
__builtin_add_overflow(c, 1, &r); // expected-error {{operand argument to overflow builtin must be an integer ('const char *' invalid)}}
__builtin_add_overflow(1, c, &r); // expected-error {{operand argument to overflow builtin must be an integer ('const char *' invalid)}}
__builtin_add_overflow(1, 1, 3); // expected-error {{result argument to overflow builtin must be a pointer to a non-const integer ('int' invalid)}}
__builtin_add_overflow(1, 1, &f); // expected-error {{result argument to overflow builtin must be a pointer to a non-const integer ('float *' invalid)}}
__builtin_add_overflow(1, 1, &q); // expected-error {{result argument to overflow builtin must be a pointer to a non-const integer ('const unsigned int *' invalid)}}
}

test/CodeGen/builtins-overflow.c

Context not available.
extern int IntErrorCode; extern int IntErrorCode;
extern long LongErrorCode; extern long LongErrorCode;
extern long long LongLongErrorCode; extern long long LongLongErrorCode;
void overflowed(void);
unsigned test_add_overflow_uint_uint_uint(unsigned x, unsigned y) {
// CHECK: @test_add_overflow_uint_uint_uint
// CHECK-NOT: ext
// CHECK: [[S:%.+]] = call { i32, i1 } @llvm.uadd.with.overflow.i32(i32 %{{.+}}, i32 %{{.+}})
// CHECK-DAG: [[Q:%.+]] = extractvalue { i32, i1 } [[S]], 0
// CHECK-DAG: [[C:%.+]] = extractvalue { i32, i1 } [[S]], 1
// CHECK: store i32 [[Q]], i32* %r
// CHECK: br i1 [[C]]
unsigned r;
if (__builtin_add_overflow(x, y, &r))
overflowed();
return r;
}
int test_add_overflow_int_int_int(int x, int y) {
// CHECK: @test_add_overflow_int_int_int
// CHECK-NOT: ext
// CHECK: [[S:%.+]] = call { i32, i1 } @llvm.sadd.with.overflow.i32(i32 %{{.+}}, i32 %{{.+}})
// CHECK-DAG: [[C:%.+]] = extractvalue { i32, i1 } [[S]], 1
// CHECK-DAG: [[Q:%.+]] = extractvalue { i32, i1 } [[S]], 0
// CHECK: store i32 [[Q]], i32* %r
// CHECK: br i1 [[C]]
int r;
if (__builtin_add_overflow(x, y, &r))
overflowed();
return r;
}
unsigned test_sub_overflow_uint_uint_uint(unsigned x, unsigned y) {
// CHECK: @test_sub_overflow_uint_uint_uint
// CHECK-NOT: ext
// CHECK: [[S:%.+]] = call { i32, i1 } @llvm.usub.with.overflow.i32(i32 %{{.+}}, i32 %{{.+}})
// CHECK-DAG: [[Q:%.+]] = extractvalue { i32, i1 } [[S]], 0
// CHECK-DAG: [[C:%.+]] = extractvalue { i32, i1 } [[S]], 1
// CHECK: store i32 [[Q]], i32* %r
// CHECK: br i1 [[C]]
unsigned r;
if (__builtin_sub_overflow(x, y, &r))
overflowed();
return r;
}
int test_sub_overflow_int_int_int(int x, int y) {
// CHECK: @test_sub_overflow_int_int_int
// CHECK-NOT: ext
// CHECK: [[S:%.+]] = call { i32, i1 } @llvm.ssub.with.overflow.i32(i32 %{{.+}}, i32 %{{.+}})
// CHECK-DAG: [[C:%.+]] = extractvalue { i32, i1 } [[S]], 1
// CHECK-DAG: [[Q:%.+]] = extractvalue { i32, i1 } [[S]], 0
// CHECK: store i32 [[Q]], i32* %r
// CHECK: br i1 [[C]]
int r;
if (__builtin_sub_overflow(x, y, &r))
overflowed();
return r;
}
unsigned test_mul_overflow_uint_uint_uint(unsigned x, unsigned y) {
// CHECK: @test_mul_overflow_uint_uint_uint
// CHECK-NOT: ext
// CHECK: [[S:%.+]] = call { i32, i1 } @llvm.umul.with.overflow.i32(i32 %{{.+}}, i32 %{{.+}})
// CHECK-DAG: [[Q:%.+]] = extractvalue { i32, i1 } [[S]], 0
// CHECK-DAG: [[C:%.+]] = extractvalue { i32, i1 } [[S]], 1
// CHECK: store i32 [[Q]], i32* %r
// CHECK: br i1 [[C]]
unsigned r;
if (__builtin_mul_overflow(x, y, &r))
overflowed();
return r;
}
int test_mul_overflow_int_int_int(int x, int y) {
// CHECK: @test_mul_overflow_int_int_int
// CHECK-NOT: ext
// CHECK: [[S:%.+]] = call { i32, i1 } @llvm.smul.with.overflow.i32(i32 %{{.+}}, i32 %{{.+}})
// CHECK-DAG: [[C:%.+]] = extractvalue { i32, i1 } [[S]], 1
// CHECK-DAG: [[Q:%.+]] = extractvalue { i32, i1 } [[S]], 0
// CHECK: store i32 [[Q]], i32* %r
// CHECK: br i1 [[C]]
int r;
if (__builtin_mul_overflow(x, y, &r))
overflowed();
return r;
}
int test_add_overflow_uint_int_int(unsigned x, int y) {
// CHECK: @test_add_overflow_uint_int_int
// CHECK: [[XE:%.+]] = zext i32 %{{.+}} to i33
// CHECK: [[YE:%.+]] = sext i32 %{{.+}} to i33
// CHECK: [[S:%.+]] = call { i33, i1 } @llvm.sadd.with.overflow.i33(i33 [[XE]], i33 [[YE]])
// CHECK-DAG: [[Q:%.+]] = extractvalue { i33, i1 } [[S]], 0
// CHECK-DAG: [[C1:%.+]] = extractvalue { i33, i1 } [[S]], 1
// CHECK: [[QT:%.+]] = trunc i33 [[Q]] to i32
// CHECK: [[QTE:%.+]] = sext i32 [[QT]] to i33
// CHECK: [[C2:%.+]] = icmp ne i33 [[Q]], [[QTE]]
// CHECK: [[C3:%.+]] = or i1 [[C1]], [[C2]]
// CHECK: store i32 [[QT]], i32* %r
// CHECK: br i1 [[C3]]
int r;
if (__builtin_add_overflow(x, y, &r))
overflowed();
return r;
}
_Bool test_add_overflow_uint_uint_bool(unsigned x, unsigned y) {
// CHECK: @test_add_overflow_uint_uint_bool
// CHECK-NOT: ext
// CHECK: [[S:%.+]] = call { i32, i1 } @llvm.uadd.with.overflow.i32(i32 %{{.+}}, i32 %{{.+}})
// CHECK-DAG: [[Q:%.+]] = extractvalue { i32, i1 } [[S]], 0
// CHECK-DAG: [[C1:%.+]] = extractvalue { i32, i1 } [[S]], 1
// CHECK: [[QT:%.+]] = trunc i32 [[Q]] to i1
// CHECK: [[QTE:%.+]] = zext i1 [[QT]] to i32
// CHECK: [[C2:%.+]] = icmp ne i32 [[Q]], [[QTE]]
// CHECK: [[C3:%.+]] = or i1 [[C1]], [[C2]]
// CHECK: [[QT2:%.+]] = zext i1 [[QT]] to i8
// CHECK: store i8 [[QT2]], i8* %r
// CHECK: br i1 [[C3]]
_Bool r;
if (__builtin_add_overflow(x, y, &r))
overflowed();
return r;
}
unsigned test_add_overflow_bool_bool_uint(_Bool x, _Bool y) {
// CHECK: @test_add_overflow_bool_bool_uint
// CHECK: [[XE:%.+]] = zext i1 %{{.+}} to i32
// CHECK: [[YE:%.+]] = zext i1 %{{.+}} to i32
// CHECK: [[S:%.+]] = call { i32, i1 } @llvm.uadd.with.overflow.i32(i32 [[XE]], i32 [[YE]])
// CHECK-DAG: [[Q:%.+]] = extractvalue { i32, i1 } [[S]], 0
// CHECK-DAG: [[C:%.+]] = extractvalue { i32, i1 } [[S]], 1
// CHECK: store i32 [[Q]], i32* %r
// CHECK: br i1 [[C]]
unsigned r;
if (__builtin_add_overflow(x, y, &r))
overflowed();
return r;
}
_Bool test_add_overflow_bool_bool_bool(_Bool x, _Bool y) {
// CHECK: @test_add_overflow_bool_bool_bool
// CHECK: [[S:%.+]] = call { i1, i1 } @llvm.uadd.with.overflow.i1(i1 %{{.+}}, i1 %{{.+}})
// CHECK-DAG: [[Q:%.+]] = extractvalue { i1, i1 } [[S]], 0
// CHECK-DAG: [[C:%.+]] = extractvalue { i1, i1 } [[S]], 1
// CHECK: [[QT2:%.+]] = zext i1 [[Q]] to i8
// CHECK: store i8 [[QT2]], i8* %r
// CHECK: br i1 [[C]]
_Bool r;
if (__builtin_add_overflow(x, y, &r))
overflowed();
return r;
}
unsigned test_uadd_overflow(unsigned x, unsigned y) { unsigned test_uadd_overflow(unsigned x, unsigned y) {
// CHECK: @test_uadd_overflow // CHECK: @test_uadd_overflow
// CHECK: %{{.+}} = call { i32, i1 } @llvm.uadd.with.overflow.i32(i32 %{{.+}}, i32 %{{.+}}) // CHECK: %{{.+}} = call { i32, i1 } @llvm.uadd.with.overflow.i32(i32 %{{.+}}, i32 %{{.+}})
Context not available.