This is an archive of the discontinued LLVM Phabricator instance.

Differential D5629

ubsan: add 'UndefinedBehaviorSanitizer' to messages
Needs ReviewPublic

Authored by ben.boeckel on Oct 6 2014, 11:57 AM.

Details

Reviewers
samsonov
rsmith
Summary

This allows detection of them to be much more accurate since 'runtime error:' and 'note:' are fairly generic.

Diff Detail

Event Timeline

ben.boeckel updated this revision to Diff 14468.Oct 6 2014, 11:57 AM
ben.boeckel retitled this revision from to ubsan: add 'UndefinedBehaviorSanitizer' to messages.
ben.boeckel updated this object.
ben.boeckel edited the test plan for this revision. (Show Details)
ben.boeckel added reviewers: rsmith, samsonov.
ben.boeckel added a subscriber: Unknown Object (MLST).
samsonov edited edge metadata.Oct 6 2014, 12:06 PM

Hi Ben!

I think we should improve it in a different way. I think we should either replace "runtime-error" with "undefined-behavior", or be even more specific and print the exact UB kind in bold red letters here ("integer overflow", "misaligned address" etc). Richard, WDYT?

rsmith edited edge metadata.Oct 6 2014, 1:06 PM

I'm fine changing "runtime error" to "undefined behavior". As to listing the kind of undefined behavior, how about following Clang's diagnostic format and adding a [-fsanitize=<kind of UB>] suffix?

ben.boeckel updated this revision to Diff 15956.Nov 8 2014, 9:32 PM
ben.boeckel edited edge metadata.

Updates messages to contain the sanitizer which triggered the message. There's a part which is a little nasty (strcmp() to see if 'bool' or 'enum' is the trigger sanitizer), but can be addressed by patching TypeDescriptor to have a flag for 'bool' (not done here).

ben.boeckel added a comment.Nov 8 2014, 9:43 PM

I've submitted a parallel patch to GCC here: https://codereview.appspot.com/168380043/.

samsonov added a comment.Nov 10 2014, 3:08 PM

I'm opposed to this change. The error messages you suggest are occasionaly confusing

UndefinedBehaviorSanitizer function error

or way too redundant

UndefinedBehaviorSanitizer unsigned-integer-overflow error: unsigned integer overflow:

Also, if UBSan is combined with another sanitizer (most notably, ASan), we treat the latter as the "main" tool, and don't mention UBSan in error reports. For instance,
look at the SUMMARY: line that would be emiited in this case:

SUMMARY: AddressSanitizer: undefined-behavior: file.cc:10

I'd prefer to replace generic "runtime error" with generic "undefined-behavior" (or at least make it a common prefix). I also like the idea of specifying the exact -fsanitize= flag that caused the error (what Richard suggests), if that's easily doable.

lib/ubsan/ubsan_handlers.cc
19

It's not allowed to #include system headers into generic sanitizer runtimes.

348

This is wrong, this type of check is also emitted for bool-like types.

ben.boeckel added a comment.Nov 10 2014, 4:59 PM
In D5629#9, @samsonov wrote:

I'm opposed to this change. The error messages you suggest are occasionaly confusing

UndefinedBehaviorSanitizer function error

or way too redundant

UndefinedBehaviorSanitizer unsigned-integer-overflow error: unsigned integer overflow:

Also, if UBSan is combined with another sanitizer (most notably, ASan), we treat the latter as the "main" tool, and don't mention UBSan in error reports. For instance,
look at the SUMMARY: line that would be emiited in this case:

SUMMARY: AddressSanitizer: undefined-behavior: file.cc:10

The test cases don't specialize for UBSan and UBSan+ASan together and pass, so I don't know that this is accurate (or you're referring to something else).

I'd prefer to replace generic "runtime error" with generic "undefined-behavior" (or at least make it a common prefix). I also like the idea of specifying the exact -fsanitize= flag that caused the error (what Richard suggests), if that's easily doable.

The string is the sanitize flag which caused the error, just placed next to "UndefinedBehaviorSanitizer" like it is with AddressSanitizer. I'm not opposed to putting it in parentheses or brackets to distinguish it, but ASan doesn't do this (though ASan is also just ASan and not a group of other sanitizers):

ERROR: AddressSanitizer heap-use-after-free on address

Error messages could certainly be cleaned up to be have less duplication as well.

lib/ubsan/ubsan_handlers.cc
19

OK. I'll make the TypeDescriptor aware of bool then which would make this unnecessary.

348

Such as? Would 'enum' not be accurate for that? In any case, rsmith did mention (at the WG21 meeting) that TypeDescriptor should probably grow support for 'bool' since its sizeof() is likely 8 and therefore indistinguishable that way.

Revision Contents

PathSize
lib/
ubsan/
7 lines
6 lines
110 lines
9 lines
test/
ubsan/
TestCases/
Float/
20 lines
Integer/
2 lines
2 lines
11 lines
2 lines
2 lines
8 lines
10 lines
6 lines
2 lines
2 lines
4 lines
2 lines
2 lines
Misc/
2 lines
6 lines
6 lines
4 lines
2 lines
16 lines
4 lines
2 lines
4 lines
TypeCheck/
Function/
10 lines
32 lines
10 lines
4 lines
24 lines

Diff 15956

lib/ubsan/ubsan_diag.h

Context not available.
/// The diagnostic level. /// The diagnostic level.
DiagLevel Level; DiagLevel Level;
/// The name of the sanitizer which triggered the message.
const char *SanitizerName;
/// The message which will be emitted, with %0, %1, ... placeholders for /// The message which will be emitted, with %0, %1, ... placeholders for
/// arguments. /// arguments.
const char *Message; const char *Message;
Context not available.
Diag &operator=(const Diag &); Diag &operator=(const Diag &);
public: public:
Diag(Location Loc, DiagLevel Level, const char *Message) Diag(Location Loc, DiagLevel Level, const char *SanitizerName, const char *Message)
: Loc(Loc), Level(Level), Message(Message), NumArgs(0), NumRanges(0) {} : Loc(Loc), Level(Level), SanitizerName(SanitizerName), Message(Message), NumArgs(0), NumRanges(0) {}
~Diag(); ~Diag();
Diag &operator<<(const char *Str) { return AddArg(Str); } Diag &operator<<(const char *Str) { return AddArg(Str); }
Context not available.

lib/ubsan/ubsan_diag.cc

Context not available.
switch (Level) { switch (Level) {
case DL_Error: case DL_Error:
Printf("%s runtime error: %s%s", Printf("%s UndefinedBehaviorSanitizer %s error: %s%s",
Decor.Warning(), Decor.EndWarning(), Decor.Bold()); Decor.Warning(), SanitizerName, Decor.EndWarning(), Decor.Bold());
break; break;
case DL_Note: case DL_Note:
Printf("%s note: %s", Decor.Note(), Decor.EndNote()); Printf("%s UndefinedBehaviorSanitizer %s note: %s", Decor.Note(), SanitizerName, Decor.EndNote());
break; break;
} }
Context not available.

lib/ubsan/ubsan_handlers.cc

Context not available.
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
#include <string.h>
samsonovUnsubmitted
Not Done
ReplyInline Actions

It's not allowed to #include system headers into generic sanitizer runtimes.

samsonov: It's not allowed to #include system headers into generic sanitizer runtimes.
ben.boeckelAuthorUnsubmitted
Not Done
ReplyInline Actions

OK. I'll make the TypeDescriptor aware of bool then which would make this unnecessary.

ben.boeckel: OK. I'll make the TypeDescriptor aware of bool then which would make this unnecessary.
using namespace __sanitizer; using namespace __sanitizer;
using namespace __ubsan; using namespace __ubsan;
Context not available.
Loc = FallbackLoc; Loc = FallbackLoc;
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *Name;
if (!Pointer) const char *NullName = "null";
Diag(Loc, DL_Error, "%0 null pointer of type %1") const char *AlignmentName = "alignment";
const char *ObjectSizeName = "object-size";
if (!Pointer) {
Name = NullName;
Diag(Loc, DL_Error, Name, "%0 null pointer of type %1")
<< TypeCheckKinds[Data->TypeCheckKind] << Data->Type; << TypeCheckKinds[Data->TypeCheckKind] << Data->Type;
else if (Data->Alignment && (Pointer & (Data->Alignment - 1))) } else if (Data->Alignment && (Pointer & (Data->Alignment - 1))) {
Diag(Loc, DL_Error, "%0 misaligned address %1 for type %3, " Name = AlignmentName;
"which requires %2 byte alignment") Diag(Loc, DL_Error, Name, "%0 misaligned address %1 for type %3, "
"which requires %2 byte alignment")
<< TypeCheckKinds[Data->TypeCheckKind] << (void*)Pointer << TypeCheckKinds[Data->TypeCheckKind] << (void*)Pointer
<< Data->Alignment << Data->Type; << Data->Alignment << Data->Type;
else } else {
Diag(Loc, DL_Error, "%0 address %1 with insufficient space " Name = ObjectSizeName;
"for an object of type %2") Diag(Loc, DL_Error, Name, "%0 address %1 with insufficient space "
"for an object of type %2")
<< TypeCheckKinds[Data->TypeCheckKind] << (void*)Pointer << Data->Type; << TypeCheckKinds[Data->TypeCheckKind] << (void*)Pointer << Data->Type;
}
if (Pointer) if (Pointer)
Diag(Pointer, DL_Note, "pointer points here"); Diag(Pointer, DL_Note, Name, "pointer points here");
} }
void __ubsan::__ubsan_handle_type_mismatch(TypeMismatchData *Data, void __ubsan::__ubsan_handle_type_mismatch(TypeMismatchData *Data,
Context not available.
return; return;
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *SignedName = "signed-integer-overflow";
Diag(Loc, DL_Error, "%0 integer overflow: " const char *UnsignedName = "unsigned-integer-overflow";
"%1 %2 %3 cannot be represented in type %4") bool IsSigned = Data->Type.isSignedIntegerTy();
<< (Data->Type.isSignedIntegerTy() ? "signed" : "unsigned") const char *Name = IsSigned ? SignedName : UnsignedName;
Diag(Loc, DL_Error, Name, "%0 integer overflow: "
"%1 %2 %3 cannot be represented in type %4")
<< (IsSigned ? "signed" : "unsigned")
<< Value(Data->Type, LHS) << Operator << RHS << Data->Type; << Value(Data->Type, LHS) << Operator << RHS << Data->Type;
} }
Context not available.
return; return;
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *SignedName = "signed-integer-overflow";
const char *UnsignedName = "unsigned-integer-overflow";
bool IsSigned = Data->Type.isSignedIntegerTy();
const char *Name = IsSigned ? SignedName : UnsignedName;
if (Data->Type.isSignedIntegerTy()) if (IsSigned)
Diag(Loc, DL_Error, Diag(Loc, DL_Error, Name,
"negation of %0 cannot be represented in type %1; " "negation of %0 cannot be represented in type %1; "
"cast to an unsigned type to negate this value to itself") "cast to an unsigned type to negate this value to itself")
<< Value(Data->Type, OldVal) << Data->Type; << Value(Data->Type, OldVal) << Data->Type;
else else
Diag(Loc, DL_Error, Diag(Loc, DL_Error, Name,
"negation of %0 cannot be represented in type %1") "negation of %0 cannot be represented in type %1")
<< Value(Data->Type, OldVal) << Data->Type; << Value(Data->Type, OldVal) << Data->Type;
} }
Context not available.
return; return;
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *IntegerName = "integer-divide-by-zero";
const char *FloatName = "float-divide-by-zero";
const char *MinusOneName = "signed-integer-overflow";
const char *Name = Data->Type.isIntegerTy() ? IntegerName : FloatName;
Value LHSVal(Data->Type, LHS); Value LHSVal(Data->Type, LHS);
Value RHSVal(Data->Type, RHS); Value RHSVal(Data->Type, RHS);
if (RHSVal.isMinusOne()) if (RHSVal.isMinusOne())
Diag(Loc, DL_Error, Diag(Loc, DL_Error, MinusOneName,
"division of %0 by -1 cannot be represented in type %1") "division of %0 by -1 cannot be represented in type %1")
<< LHSVal << Data->Type; << LHSVal << Data->Type;
else else
Diag(Loc, DL_Error, "division by zero"); Diag(Loc, DL_Error, Name, "division by zero");
} }
void __ubsan::__ubsan_handle_divrem_overflow(OverflowData *Data, void __ubsan::__ubsan_handle_divrem_overflow(OverflowData *Data,
Context not available.
return; return;
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *Name = "shift";
Value LHSVal(Data->LHSType, LHS); Value LHSVal(Data->LHSType, LHS);
Value RHSVal(Data->RHSType, RHS); Value RHSVal(Data->RHSType, RHS);
if (RHSVal.isNegative()) if (RHSVal.isNegative())
Diag(Loc, DL_Error, "shift exponent %0 is negative") << RHSVal; Diag(Loc, DL_Error, Name, "shift exponent %0 is negative") << RHSVal;
else if (RHSVal.getPositiveIntValue() >= Data->LHSType.getIntegerBitWidth()) else if (RHSVal.getPositiveIntValue() >= Data->LHSType.getIntegerBitWidth())
Diag(Loc, DL_Error, Diag(Loc, DL_Error, Name,
"shift exponent %0 is too large for %1-bit type %2") "shift exponent %0 is too large for %1-bit type %2")
<< RHSVal << Data->LHSType.getIntegerBitWidth() << Data->LHSType; << RHSVal << Data->LHSType.getIntegerBitWidth() << Data->LHSType;
else if (LHSVal.isNegative()) else if (LHSVal.isNegative())
Diag(Loc, DL_Error, "left shift of negative value %0") << LHSVal; Diag(Loc, DL_Error, Name, "left shift of negative value %0") << LHSVal;
else else
Diag(Loc, DL_Error, Diag(Loc, DL_Error, Name,
"left shift of %0 by %1 places cannot be represented in type %2") "left shift of %0 by %1 places cannot be represented in type %2")
<< LHSVal << RHSVal << Data->LHSType; << LHSVal << RHSVal << Data->LHSType;
} }
Context not available.
return; return;
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *Name = "bounds";
Value IndexVal(Data->IndexType, Index); Value IndexVal(Data->IndexType, Index);
Diag(Loc, DL_Error, "index %0 out of bounds for type %1") Diag(Loc, DL_Error, Name, "index %0 out of bounds for type %1")
<< IndexVal << Data->ArrayType; << IndexVal << Data->ArrayType;
} }
Context not available.
static void handleBuiltinUnreachableImpl(UnreachableData *Data, static void handleBuiltinUnreachableImpl(UnreachableData *Data,
ReportOptions Opts) { ReportOptions Opts) {
ScopedReport R(Opts, Data->Loc); ScopedReport R(Opts, Data->Loc);
Diag(Data->Loc, DL_Error, "execution reached a __builtin_unreachable() call"); const char *Name = "unreachable";
Diag(Data->Loc, DL_Error, Name, "execution reached a __builtin_unreachable() call");
} }
void __ubsan::__ubsan_handle_builtin_unreachable(UnreachableData *Data) { void __ubsan::__ubsan_handle_builtin_unreachable(UnreachableData *Data) {
Context not available.
static void handleMissingReturnImpl(UnreachableData *Data, ReportOptions Opts) { static void handleMissingReturnImpl(UnreachableData *Data, ReportOptions Opts) {
ScopedReport R(Opts, Data->Loc); ScopedReport R(Opts, Data->Loc);
Diag(Data->Loc, DL_Error, const char *Name = "return";
Diag(Data->Loc, DL_Error, Name,
"execution reached the end of a value-returning function " "execution reached the end of a value-returning function "
"without returning a value"); "without returning a value");
} }
Context not available.
return; return;
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *Name = "vla-bound";
Diag(Loc, DL_Error, "variable length array bound evaluates to " Diag(Loc, DL_Error, Name, "variable length array bound evaluates to "
"non-positive value %0") "non-positive value %0")
<< Value(Data->Type, Bound); << Value(Data->Type, Bound);
} }
Context not available.
// TODO: Add deduplication once a SourceLocation is generated for this check. // TODO: Add deduplication once a SourceLocation is generated for this check.
Location Loc = getCallerLocation(); Location Loc = getCallerLocation();
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *Name = "float-cast-overflow";
Diag(Loc, DL_Error, Diag(Loc, DL_Error, Name,
"value %0 is outside the range of representable values of type %2") "value %0 is outside the range of representable values of type %2")
<< Value(Data->FromType, From) << Data->FromType << Data->ToType; << Value(Data->FromType, From) << Data->FromType << Data->ToType;
} }
Context not available.
return; return;
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *Name;
if (!strcmp(Data->Type.getTypeName(), "'bool'")) // XXX(mathstuf): Is there a better way to do this?
samsonovUnsubmitted
Not Done
ReplyInline Actions

This is wrong, this type of check is also emitted for bool-like types.

samsonov: This is wrong, this type of check is also emitted for bool-like types.
ben.boeckelAuthorUnsubmitted
Not Done
ReplyInline Actions

Such as? Would 'enum' not be accurate for that? In any case, rsmith did mention (at the WG21 meeting) that TypeDescriptor should probably grow support for 'bool' since its sizeof() is likely 8 and therefore indistinguishable that way.

ben.boeckel: Such as? Would 'enum' not be accurate for that? In any case, rsmith did mention (at the WG21…
Name = "bool";
else
Name = "enum";
Diag(Loc, DL_Error, Diag(Loc, DL_Error, Name,
"load of value %0, which is not a valid value for type %1") "load of value %0, which is not a valid value for type %1")
<< Value(Data->Type, Val) << Data->Type; << Value(Data->Type, Val) << Data->Type;
} }
Context not available.
Location Loc = getFunctionLocation(Function, &FName); Location Loc = getFunctionLocation(Function, &FName);
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *Name = "function";
Diag(Data->Loc, DL_Error, Diag(Data->Loc, DL_Error, Name,
"call to function %0 through pointer to incorrect function type %1") "call to function %0 through pointer to incorrect function type %1")
<< FName << Data->Type; << FName << Data->Type;
Diag(Loc, DL_Note, "%0 defined here") << FName; Diag(Loc, DL_Note, Name, "%0 defined here") << FName;
} }
void void
Context not available.
return; return;
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *Name = "returns-nonnull-attribute";
Diag(Loc, DL_Error, "null pointer returned from function declared to never " Diag(Loc, DL_Error, Name, "null pointer returned from function declared to never "
"return null"); "return null");
if (!Data->AttrLoc.isInvalid()) if (!Data->AttrLoc.isInvalid())
Diag(Data->AttrLoc, DL_Note, "returns_nonnull attribute specified here"); Diag(Data->AttrLoc, DL_Note, Name, "returns_nonnull attribute specified here");
} }
void __ubsan::__ubsan_handle_nonnull_return(NonNullReturnData *Data) { void __ubsan::__ubsan_handle_nonnull_return(NonNullReturnData *Data) {
Context not available.
return; return;
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *Name = "nonnull-attribute";
Diag(Loc, DL_Error, "null pointer passed as argument %0, which is declared to " Diag(Loc, DL_Error, Name, "null pointer passed as argument %0, which is declared to "
"never be null") << Data->ArgIndex; "never be null") << Data->ArgIndex;
if (!Data->AttrLoc.isInvalid()) if (!Data->AttrLoc.isInvalid())
Diag(Data->AttrLoc, DL_Note, "nonnull attribute specified here"); Diag(Data->AttrLoc, DL_Note, Name, "nonnull attribute specified here");
} }
void __ubsan::__ubsan_handle_nonnull_arg(NonNullArgData *Data) { void __ubsan::__ubsan_handle_nonnull_arg(NonNullArgData *Data) {
Context not available.

lib/ubsan/ubsan_handlers_cxx.cc

Context not available.
return; return;
ScopedReport R(Opts, Loc); ScopedReport R(Opts, Loc);
const char *Name = "vptr";
Diag(Loc, DL_Error, Diag(Loc, DL_Error, Name,
"%0 address %1 which does not point to an object of type %2") "%0 address %1 which does not point to an object of type %2")
<< TypeCheckKinds[Data->TypeCheckKind] << (void*)Pointer << Data->Type; << TypeCheckKinds[Data->TypeCheckKind] << (void*)Pointer << Data->Type;
// If possible, say what type it actually points to. // If possible, say what type it actually points to.
if (!DTI.isValid()) if (!DTI.isValid())
Diag(Pointer, DL_Note, "object has invalid vptr") Diag(Pointer, DL_Note, Name, "object has invalid vptr")
<< MangledName(DTI.getMostDerivedTypeName()) << MangledName(DTI.getMostDerivedTypeName())
<< Range(Pointer, Pointer + sizeof(uptr), "invalid vptr"); << Range(Pointer, Pointer + sizeof(uptr), "invalid vptr");
else if (!DTI.getOffset()) else if (!DTI.getOffset())
Diag(Pointer, DL_Note, "object is of type %0") Diag(Pointer, DL_Note, Name, "object is of type %0")
<< MangledName(DTI.getMostDerivedTypeName()) << MangledName(DTI.getMostDerivedTypeName())
<< Range(Pointer, Pointer + sizeof(uptr), "vptr for %0"); << Range(Pointer, Pointer + sizeof(uptr), "vptr for %0");
else else
// FIXME: Find the type at the specified offset, and include that // FIXME: Find the type at the specified offset, and include that
// in the note. // in the note.
Diag(Pointer - DTI.getOffset(), DL_Note, Diag(Pointer - DTI.getOffset(), DL_Note, Name,
"object is base class subobject at offset %0 within object of type %1") "object is base class subobject at offset %0 within object of type %1")
<< DTI.getOffset() << MangledName(DTI.getMostDerivedTypeName()) << DTI.getOffset() << MangledName(DTI.getMostDerivedTypeName())
<< MangledName(DTI.getSubobjectTypeName()) << MangledName(DTI.getSubobjectTypeName())
Context not available.

test/ubsan/TestCases/Float/cast-overflow.cpp

Context not available.
case '0': case '0':
// Note that values between 0x7ffffe00 and 0x80000000 may or may not // Note that values between 0x7ffffe00 and 0x80000000 may or may not
// successfully round-trip, depending on the rounding mode. // successfully round-trip, depending on the rounding mode.
// CHECK-0: runtime error: value 2.14748{{.*}} is outside the range of representable values of type 'int' // CHECK-0: UndefinedBehaviorSanitizer float-cast-overflow error: value 2.14748{{.*}} is outside the range of representable values of type 'int'
return MaxFloatRepresentableAsInt + 0x80; return MaxFloatRepresentableAsInt + 0x80;
case '1': case '1':
// CHECK-1: runtime error: value -2.14748{{.*}} is outside the range of representable values of type 'int' // CHECK-1: UndefinedBehaviorSanitizer float-cast-overflow error: value -2.14748{{.*}} is outside the range of representable values of type 'int'
return MinFloatRepresentableAsInt - 0x100; return MinFloatRepresentableAsInt - 0x100;
case '2': { case '2': {
// CHECK-2: runtime error: value -1 is outside the range of representable values of type 'unsigned int' // CHECK-2: UndefinedBehaviorSanitizer float-cast-overflow error: value -1 is outside the range of representable values of type 'unsigned int'
volatile float f = -1.0; volatile float f = -1.0;
volatile unsigned u = (unsigned)f; volatile unsigned u = (unsigned)f;
return 0; return 0;
} }
case '3': case '3':
// CHECK-3: runtime error: value 4.2949{{.*}} is outside the range of representable values of type 'unsigned int' // CHECK-3: UndefinedBehaviorSanitizer float-cast-overflow error: value 4.2949{{.*}} is outside the range of representable values of type 'unsigned int'
return (unsigned)(MaxFloatRepresentableAsUInt + 0x100); return (unsigned)(MaxFloatRepresentableAsUInt + 0x100);
case '4': case '4':
// CHECK-4: runtime error: value {{.*}} is outside the range of representable values of type 'int' // CHECK-4: UndefinedBehaviorSanitizer float-cast-overflow error: value {{.*}} is outside the range of representable values of type 'int'
return Inf; return Inf;
case '5': case '5':
// CHECK-5: runtime error: value {{.*}} is outside the range of representable values of type 'int' // CHECK-5: UndefinedBehaviorSanitizer float-cast-overflow error: value {{.*}} is outside the range of representable values of type 'int'
return NaN; return NaN;
// Integer -> floating point overflow. // Integer -> floating point overflow.
case '6': case '6':
// CHECK-6: {{runtime error: value 0xffffff00000000000000000000000001 is outside the range of representable values of type 'float'|__int128 not supported}} // CHECK-6: {{UndefinedBehaviorSanitizer float-cast-overflow error: value 0xffffff00000000000000000000000001 is outside the range of representable values of type 'float'|__int128 not supported}}
#ifdef __SIZEOF_INT128__ #ifdef __SIZEOF_INT128__
return (float)(FloatMaxAsUInt128 + 1); return (float)(FloatMaxAsUInt128 + 1);
#else #else
Context not available.
// FIXME: The backend cannot lower __fp16 operations on x86 yet. // FIXME: The backend cannot lower __fp16 operations on x86 yet.
//case '7': //case '7':
// (__fp16)65504; // ok // (__fp16)65504; // ok
// // CHECK-7: runtime error: value 65505 is outside the range of representable values of type '__fp16' // // CHECK-7: UndefinedBehaviorSanitizer float-cast-overflow error: value 65505 is outside the range of representable values of type '__fp16'
// return (__fp16)65505; // return (__fp16)65505;
// Floating point -> floating point overflow. // Floating point -> floating point overflow.
case '8': case '8':
// CHECK-8: runtime error: value 1e+39 is outside the range of representable values of type 'float' // CHECK-8: UndefinedBehaviorSanitizer float-cast-overflow error: value 1e+39 is outside the range of representable values of type 'float'
return (float)1e39; return (float)1e39;
case '9': case '9':
volatile long double ld = 300.0; volatile long double ld = 300.0;
// CHECK-9: runtime error: value 300 is outside the range of representable values of type 'char' // CHECK-9: UndefinedBehaviorSanitizer float-cast-overflow error: value 300 is outside the range of representable values of type 'char'
char c = ld; char c = ld;
return c; return c;
} }
Context not available.

test/ubsan/TestCases/Integer/add-overflow.cpp

Context not available.
#ifdef ADD_I32 #ifdef ADD_I32
int32_t k = 0x12345678; int32_t k = 0x12345678;
k += 0x789abcde; k += 0x789abcde;
// CHECK-ADD_I32: add-overflow.cpp:[[@LINE-1]]:5: runtime error: signed integer overflow: 305419896 + 2023406814 cannot be represented in type 'int' // CHECK-ADD_I32: add-overflow.cpp:[[@LINE-1]]:5: UndefinedBehaviorSanitizer signed-integer-overflow error: signed integer overflow: 305419896 + 2023406814 cannot be represented in type 'int'
#endif #endif
#ifdef ADD_I64 #ifdef ADD_I64
Context not available.

test/ubsan/TestCases/Integer/div-overflow.cpp

Context not available.
int main() { int main() {
unsigned(0x80000000) / -1; unsigned(0x80000000) / -1;
// CHECK: div-overflow.cpp:9:23: runtime error: division of -2147483648 by -1 cannot be represented in type 'int' // CHECK: div-overflow.cpp:9:23: UndefinedBehaviorSanitizer signed-integer-overflow error: division of -2147483648 by -1 cannot be represented in type 'int'
int32_t(0x80000000) / -1; int32_t(0x80000000) / -1;
} }
Context not available.

test/ubsan/TestCases/Integer/div-zero.cpp

// RUN: %clangxx -fsanitize=integer-divide-by-zero -DDIVIDEND=0 %s -o %t && %run %t 2>&1 | FileCheck %s // RUN: %clangxx -fsanitize=integer-divide-by-zero -DDIVIDEND=0 %s -o %t && %run %t 2>&1 | FileCheck %s --check-prefix=CHECKI
// RUN: %clangxx -fsanitize=integer-divide-by-zero -DDIVIDEND=1U %s -o %t && %run %t 2>&1 | FileCheck %s // RUN: %clangxx -fsanitize=integer-divide-by-zero -DDIVIDEND=1U %s -o %t && %run %t 2>&1 | FileCheck %s --check-prefix=CHECKI
// RUN: %clangxx -fsanitize=float-divide-by-zero -DDIVIDEND=1.5 %s -o %t && %run %t 2>&1 | FileCheck %s // RUN: %clangxx -fsanitize=float-divide-by-zero -DDIVIDEND=1.5 %s -o %t && %run %t 2>&1 | FileCheck %s --check-prefix=CHECKF
// RUN: %clangxx -fsanitize=integer-divide-by-zero -DDIVIDEND='intmax(123)' %s -o %t && %run %t 2>&1 | FileCheck %s // RUN: %clangxx -fsanitize=integer-divide-by-zero -DDIVIDEND='intmax(123)' %s -o %t && %run %t 2>&1 | FileCheck %s --check-prefix=CHECKI
#ifdef __SIZEOF_INT128__ #ifdef __SIZEOF_INT128__
typedef __int128 intmax; typedef __int128 intmax;
Context not available.
#endif #endif
int main() { int main() {
// CHECK: div-zero.cpp:[[@LINE+1]]:12: runtime error: division by zero // CHECKI: div-zero.cpp:[[@LINE+2]]:12: UndefinedBehaviorSanitizer integer-divide-by-zero error: division by zero
// CHECKF: div-zero.cpp:[[@LINE+1]]:12: UndefinedBehaviorSanitizer float-divide-by-zero error: division by zero
DIVIDEND / 0; DIVIDEND / 0;
} }
Context not available.

test/ubsan/TestCases/Integer/incdec-overflow.cpp

Context not available.
n++; n++;
n++; n++;
int m = -n - 1; int m = -n - 1;
// CHECK: incdec-overflow.cpp:15:3: runtime error: signed integer overflow: [[MINUS:-?]]214748364 // CHECK: incdec-overflow.cpp:15:3: UndefinedBehaviorSanitizer signed-integer-overflow error: signed integer overflow: [[MINUS:-?]]214748364
// CHECK: + [[MINUS]]1 cannot be represented in type 'int' // CHECK: + [[MINUS]]1 cannot be represented in type 'int'
OP; OP;
} }
Context not available.

test/ubsan/TestCases/Integer/mul-overflow.cpp

Context not available.
(void)(uint16_t(0xffff) * int16_t(0x7fff)); (void)(uint16_t(0xffff) * int16_t(0x7fff));
(void)(uint16_t(0xffff) * uint16_t(0x8000)); (void)(uint16_t(0xffff) * uint16_t(0x8000));
// CHECK: mul-overflow.cpp:13:27: runtime error: signed integer overflow: 65535 * 32769 cannot be represented in type 'int' // CHECK: mul-overflow.cpp:13:27: UndefinedBehaviorSanitizer signed-integer-overflow error: signed integer overflow: 65535 * 32769 cannot be represented in type 'int'
(void)(uint16_t(0xffff) * uint16_t(0x8001)); (void)(uint16_t(0xffff) * uint16_t(0x8001));
} }
Context not available.

test/ubsan/TestCases/Integer/negate-overflow.cpp

Context not available.
// RUN: %clangxx -fsanitize=unsigned-integer-overflow %s -o %t && %run %t 2>&1 | FileCheck %s --check-prefix=CHECKU // RUN: %clangxx -fsanitize=unsigned-integer-overflow %s -o %t && %run %t 2>&1 | FileCheck %s --check-prefix=CHECKU
int main() { int main() {
// CHECKS-NOT: runtime error // CHECKS-NOT: UndefinedBehaviorSanitizer signed-integer-overflow
// CHECKU: negate-overflow.cpp:[[@LINE+2]]:3: runtime error: negation of 2147483648 cannot be represented in type 'unsigned int' // CHECKU: negate-overflow.cpp:[[@LINE+2]]:3: UndefinedBehaviorSanitizer unsigned-integer-overflow error: negation of 2147483648 cannot be represented in type 'unsigned int'
// CHECKU-NOT: cast to an unsigned // CHECKU-NOT: cast to an unsigned
-unsigned(-0x7fffffff - 1); // ok -unsigned(-0x7fffffff - 1); // ok
// CHECKS: negate-overflow.cpp:[[@LINE+2]]:10: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself // CHECKS: negate-overflow.cpp:[[@LINE+2]]:10: UndefinedBehaviorSanitizer signed-integer-overflow error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
// CHECKU-NOT: runtime error // CHECKU-NOT: UndefinedBehaviorSanitizer unsigned-integer-overflow
return -(-0x7fffffff - 1); return -(-0x7fffffff - 1);
} }
Context not available.

test/ubsan/TestCases/Integer/no-recover.cpp

Context not available.
// These promote to 'int'. // These promote to 'int'.
(void)(uint8_t(0xff) + uint8_t(0xff)); (void)(uint8_t(0xff) + uint8_t(0xff));
(void)(uint16_t(0xf0fff) + uint16_t(0x0fff)); (void)(uint16_t(0xf0fff) + uint16_t(0x0fff));
// RECOVER-NOT: runtime error // RECOVER-NOT: UndefinedBehaviorSanitizer unsigned-integer-overflow
// ABORT-NOT: runtime error // ABORT-NOT: UndefinedBehaviorSanitizer unsigned-integer-overflow
uint32_t k = 0x87654321; uint32_t k = 0x87654321;
k += 0xedcba987; k += 0xedcba987;
// RECOVER: no-recover.cpp:[[@LINE-1]]:5: runtime error: unsigned integer overflow: 2271560481 + 3989547399 cannot be represented in type 'unsigned int' // RECOVER: no-recover.cpp:[[@LINE-1]]:5: UndefinedBehaviorSanitizer unsigned-integer-overflow error: unsigned integer overflow: 2271560481 + 3989547399 cannot be represented in type 'unsigned int'
// ABORT: no-recover.cpp:[[@LINE-2]]:5: runtime error: unsigned integer overflow: 2271560481 + 3989547399 cannot be represented in type 'unsigned int' // ABORT: no-recover.cpp:[[@LINE-2]]:5: UndefinedBehaviorSanitizer unsigned-integer-overflow error: unsigned integer overflow: 2271560481 + 3989547399 cannot be represented in type 'unsigned int'
(void)(uint64_t(10000000000000000000ull) + uint64_t(9000000000000000000ull)); (void)(uint64_t(10000000000000000000ull) + uint64_t(9000000000000000000ull));
// RECOVER: 10000000000000000000 + 9000000000000000000 cannot be represented in type 'unsigned {{long( long)?}}' // RECOVER: 10000000000000000000 + 9000000000000000000 cannot be represented in type 'unsigned {{long( long)?}}'
// ABORT-NOT: runtime error // ABORT-NOT: UndefinedBehaviorSanitizer unsigned-integer-overflow
} }
Context not available.

test/ubsan/TestCases/Integer/shift.cpp

Context not available.
b <<= 1; // still ok, unsigned b <<= 1; // still ok, unsigned
#ifdef LSH_OVERFLOW #ifdef LSH_OVERFLOW
// CHECK-LSH_OVERFLOW: shift.cpp:24:5: runtime error: left shift of negative value -2147483648 // CHECK-LSH_OVERFLOW: shift.cpp:24:5: UndefinedBehaviorSanitizer shift error: left shift of negative value -2147483648
a OP 1; a OP 1;
#endif #endif
#ifdef TOO_LOW #ifdef TOO_LOW
// CHECK-TOO_LOW: shift.cpp:29:5: runtime error: shift exponent -3 is negative // CHECK-TOO_LOW: shift.cpp:29:5: UndefinedBehaviorSanitizer shift error: shift exponent -3 is negative
a OP (-3); a OP (-3);
#endif #endif
#ifdef TOO_HIGH #ifdef TOO_HIGH
a = 0; a = 0;
// CHECK-TOO_HIGH: shift.cpp:35:5: runtime error: shift exponent 32 is too large for 32-bit type 'int' // CHECK-TOO_HIGH: shift.cpp:35:5: UndefinedBehaviorSanitizer shift error: shift exponent 32 is too large for 32-bit type 'int'
a OP 32; a OP 32;
#endif #endif
} }
Context not available.

test/ubsan/TestCases/Integer/sub-overflow.cpp

Context not available.
#ifdef SUB_I32 #ifdef SUB_I32
(void)(int32_t(-2) - int32_t(0x7fffffff)); (void)(int32_t(-2) - int32_t(0x7fffffff));
// CHECK-SUB_I32: sub-overflow.cpp:[[@LINE-1]]:22: runtime error: signed integer overflow: -2 - 2147483647 cannot be represented in type 'int' // CHECK-SUB_I32: sub-overflow.cpp:[[@LINE-1]]:22: UndefinedBehaviorSanitizer signed-integer-overflow error: signed integer overflow: -2 - 2147483647 cannot be represented in type 'int'
#endif #endif
#ifdef SUB_I64 #ifdef SUB_I64
Context not available.

test/ubsan/TestCases/Integer/uadd-overflow.cpp

Context not available.
#ifdef ADD_I32 #ifdef ADD_I32
uint32_t k = 0x87654321; uint32_t k = 0x87654321;
k += 0xedcba987; k += 0xedcba987;
// CHECK-ADD_I32: uadd-overflow.cpp:[[@LINE-1]]:5: runtime error: unsigned integer overflow: 2271560481 + 3989547399 cannot be represented in type 'unsigned int' // CHECK-ADD_I32: uadd-overflow.cpp:[[@LINE-1]]:5: UndefinedBehaviorSanitizer unsigned-integer-overflow error: unsigned integer overflow: 2271560481 + 3989547399 cannot be represented in type 'unsigned int'
#endif #endif
#ifdef ADD_I64 #ifdef ADD_I64
Context not available.

test/ubsan/TestCases/Integer/uincdec-overflow.cpp

Context not available.
n++; n++;
n++; n++;
unsigned m = 0; unsigned m = 0;
// CHECK-INC: uincdec-overflow.cpp:15:3: runtime error: unsigned integer overflow: 4294967295 + 1 cannot be represented in type 'unsigned int' // CHECK-INC: uincdec-overflow.cpp:15:3: UndefinedBehaviorSanitizer unsigned-integer-overflow error: unsigned integer overflow: 4294967295 + 1 cannot be represented in type 'unsigned int'
// CHECK-DEC: uincdec-overflow.cpp:15:3: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned int' // CHECK-DEC: uincdec-overflow.cpp:15:3: UndefinedBehaviorSanitizer unsigned-integer-overflow error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned int'
OP; OP;
} }
Context not available.

test/ubsan/TestCases/Integer/umul-overflow.cpp

Context not available.
(void)(uint16_t(0xffff) * uint16_t(0x8001)); (void)(uint16_t(0xffff) * uint16_t(0x8001));
(void)(uint32_t(0xffffffff) * uint32_t(0x2)); (void)(uint32_t(0xffffffff) * uint32_t(0x2));
// CHECK: umul-overflow.cpp:15:31: runtime error: unsigned integer overflow: 4294967295 * 2 cannot be represented in type 'unsigned int' // CHECK: umul-overflow.cpp:15:31: UndefinedBehaviorSanitizer unsigned-integer-overflow error: unsigned integer overflow: 4294967295 * 2 cannot be represented in type 'unsigned int'
return 0; return 0;
} }
Context not available.

test/ubsan/TestCases/Integer/usub-overflow.cpp

Context not available.
#ifdef SUB_I32 #ifdef SUB_I32
(void)(uint32_t(1) - uint32_t(2)); (void)(uint32_t(1) - uint32_t(2));
// CHECK-SUB_I32: usub-overflow.cpp:[[@LINE-1]]:22: runtime error: unsigned integer overflow: 1 - 2 cannot be represented in type 'unsigned int' // CHECK-SUB_I32: usub-overflow.cpp:[[@LINE-1]]:22: UndefinedBehaviorSanitizer unsigned-integer-overflow error: unsigned integer overflow: 1 - 2 cannot be represented in type 'unsigned int'
#endif #endif
#ifdef SUB_I64 #ifdef SUB_I64
Context not available.

test/ubsan/TestCases/Misc/bool.cpp

Context not available.
int main(int argc, char **argv) { int main(int argc, char **argv) {
bool *p = (bool*)&NotABool; bool *p = (bool*)&NotABool;
// CHECK: bool.cpp:9:10: runtime error: load of value 123, which is not a valid value for type 'bool' // CHECK: bool.cpp:9:10: UndefinedBehaviorSanitizer bool error: load of value 123, which is not a valid value for type 'bool'
return *p; return *p;
} }
Context not available.

test/ubsan/TestCases/Misc/bounds.cpp

Context not available.
int arr[2][3][4] = {}; int arr[2][3][4] = {};
return arr[argv[1][0] - '0'][argv[2][0] - '0'][argv[3][0] - '0']; return arr[argv[1][0] - '0'][argv[2][0] - '0'][argv[3][0] - '0'];
// CHECK-A-2: bounds.cpp:[[@LINE-1]]:10: runtime error: index 2 out of bounds for type 'int [2][3][4]' // CHECK-A-2: bounds.cpp:[[@LINE-1]]:10: UndefinedBehaviorSanitizer bounds error: index 2 out of bounds for type 'int [2][3][4]'
// CHECK-B-3: bounds.cpp:[[@LINE-2]]:10: runtime error: index 3 out of bounds for type 'int [3][4]' // CHECK-B-3: bounds.cpp:[[@LINE-2]]:10: UndefinedBehaviorSanitizer bounds error: index 3 out of bounds for type 'int [3][4]'
// CHECK-C-4: bounds.cpp:[[@LINE-3]]:10: runtime error: index 4 out of bounds for type 'int [4]' // CHECK-C-4: bounds.cpp:[[@LINE-3]]:10: UndefinedBehaviorSanitizer bounds error: index 4 out of bounds for type 'int [4]'
} }
Context not available.

test/ubsan/TestCases/Misc/deduplication.cpp

Context not available.
// CHECK: Start // CHECK: Start
fprintf(stderr, "Start\n"); fprintf(stderr, "Start\n");
// CHECK: runtime error // CHECK: UndefinedBehaviorSanitizer
// CHECK-NOT: runtime error // CHECK-NOT: UndefinedBehaviorSanitizer
// CHECK-NOT: runtime error // CHECK-NOT: UndefinedBehaviorSanitizer
overflow(); overflow();
overflow(); overflow();
overflow(); overflow();
Context not available.

test/ubsan/TestCases/Misc/enum.cpp

Context not available.
for (unsigned char *p = (unsigned char*)&e; p != (unsigned char*)(&e + 1); ++p) for (unsigned char *p = (unsigned char*)&e; p != (unsigned char*)(&e + 1); ++p)
*p = 0xff; *p = 0xff;
// CHECK-PLAIN: error: load of value 4294967295, which is not a valid value for type 'enum E' // CHECK-PLAIN: UndefinedBehaviorSanitizer enum error: load of value 4294967295, which is not a valid value for type 'enum E'
// FIXME: Support marshalling and display of enum class values. // FIXME: Support marshalling and display of enum class values.
// CHECK-BOOL: error: load of value <unknown>, which is not a valid value for type 'enum E' // CHECK-BOOL: UndefinedBehaviorSanitizer enum error: load of value <unknown>, which is not a valid value for type 'enum E'
return (int)e != -1; return (int)e != -1;
} }
Context not available.

test/ubsan/TestCases/Misc/missing_return.cpp

Context not available.
// RUN: not %run %t 2>&1 | FileCheck %s // RUN: not %run %t 2>&1 | FileCheck %s
// RUN: UBSAN_OPTIONS=print_stacktrace=1 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os-STACKTRACE // RUN: UBSAN_OPTIONS=print_stacktrace=1 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os-STACKTRACE
// CHECK: missing_return.cpp:[[@LINE+1]]:5: runtime error: execution reached the end of a value-returning function without returning a value // CHECK: missing_return.cpp:[[@LINE+1]]:5: UndefinedBehaviorSanitizer return error: execution reached the end of a value-returning function without returning a value
int f() { int f() {
// Slow stack unwinding is disabled on Darwin for now, see // Slow stack unwinding is disabled on Darwin for now, see
// https://code.google.com/p/address-sanitizer/issues/detail?id=137 // https://code.google.com/p/address-sanitizer/issues/detail?id=137
Context not available.

test/ubsan/TestCases/Misc/nonnull-arg.cpp

Context not available.
switch (argv[1][1]) { switch (argv[1][1]) {
case 'c': case 'c':
return C(0x0, arg).value(); return C(0x0, arg).value();
// CTOR: {{.*}}nonnull-arg.cpp:[[@LINE-1]]:21: runtime error: null pointer passed as argument 2, which is declared to never be null // CTOR: {{.*}}nonnull-arg.cpp:[[@LINE-1]]:21: UndefinedBehaviorSanitizer nonnull-attribute error: null pointer passed as argument 2, which is declared to never be null
// CTOR-NEXT: {{.*}}nonnull-arg.cpp:16:31: note: nonnull attribute specified here // CTOR-NEXT: {{.*}}nonnull-arg.cpp:16:31: UndefinedBehaviorSanitizer nonnull-attribute note: nonnull attribute specified here
case 'm': case 'm':
return C(0x0, &local).method(arg, 0x0); return C(0x0, &local).method(arg, 0x0);
// METHOD: {{.*}}nonnull-arg.cpp:[[@LINE-1]]:36: runtime error: null pointer passed as argument 1, which is declared to never be null // METHOD: {{.*}}nonnull-arg.cpp:[[@LINE-1]]:36: UndefinedBehaviorSanitizer nonnull-attribute error: null pointer passed as argument 1, which is declared to never be null
// METHOD-NEXT: {{.*}}nonnull-arg.cpp:19:54: note: nonnull attribute specified here // METHOD-NEXT: {{.*}}nonnull-arg.cpp:19:54: UndefinedBehaviorSanitizer nonnull-attribute note: nonnull attribute specified here
case 'f': case 'f':
return func(arg); return func(arg);
// FUNC: {{.*}}nonnull-arg.cpp:[[@LINE-1]]:19: runtime error: null pointer passed as argument 1, which is declared to never be null // FUNC: {{.*}}nonnull-arg.cpp:[[@LINE-1]]:19: UndefinedBehaviorSanitizer nonnull-attribute error: null pointer passed as argument 1, which is declared to never be null
// FUNC-NEXT: {{.*}}nonnull-arg.cpp:24:16: note: nonnull attribute specified here // FUNC-NEXT: {{.*}}nonnull-arg.cpp:24:16: UndefinedBehaviorSanitizer nonnull-attribute note: nonnull attribute specified here
case 'v': case 'v':
return variadic(42, arg); return variadic(42, arg);
// VARIADIC: {{.*}}nonnull-arg.cpp:[[@LINE-1]]:27: runtime error: null pointer passed as argument 2, which is declared to never be null // VARIADIC: {{.*}}nonnull-arg.cpp:[[@LINE-1]]:27: UndefinedBehaviorSanitizer nonnull-attribute error: null pointer passed as argument 2, which is declared to never be null
// VARIADIC-NEXT: {{.*}}nonnull-arg.cpp:27:16: note: nonnull attribute specified here // VARIADIC-NEXT: {{.*}}nonnull-arg.cpp:27:16: UndefinedBehaviorSanitizer nonnull-attribute note: nonnull attribute specified here
} }
return 0; return 0;
} }
Context not available.

test/ubsan/TestCases/Misc/nonnull.cpp

Context not available.
char *foo(char *a) { char *foo(char *a) {
return a; return a;
// CHECK: nonnull.cpp:[[@LINE+2]]:1: runtime error: null pointer returned from function declared to never return null // CHECK: nonnull.cpp:[[@LINE+2]]:1: UndefinedBehaviorSanitizer returns-nonnull-attribute error: null pointer returned from function declared to never return null
// CHECK-NEXT: nonnull.cpp:[[@LINE-5]]:16: note: returns_nonnull attribute specified here // CHECK-NEXT: nonnull.cpp:[[@LINE-5]]:16: UndefinedBehaviorSanitizer returns-nonnull-attribute note: returns_nonnull attribute specified here
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {
Context not available.

test/ubsan/TestCases/Misc/unreachable.cpp

// RUN: %clangxx -fsanitize=unreachable %s -O3 -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clangxx -fsanitize=unreachable %s -O3 -o %t && not %run %t 2>&1 | FileCheck %s
int main(int, char **argv) { int main(int, char **argv) {
// CHECK: unreachable.cpp:5:3: runtime error: execution reached a __builtin_unreachable() call // CHECK: unreachable.cpp:5:3: UndefinedBehaviorSanitizer unreachable error: execution reached a __builtin_unreachable() call
__builtin_unreachable(); __builtin_unreachable();
} }

test/ubsan/TestCases/Misc/vla.c

Context not available.
// RUN: %run %t a b // RUN: %run %t a b
int main(int argc, char **argv) { int main(int argc, char **argv) {
// CHECK-MINUS-ONE: vla.c:9:11: runtime error: variable length array bound evaluates to non-positive value -1 // CHECK-MINUS-ONE: vla.c:9:11: UndefinedBehaviorSanitizer vla-bound error: variable length array bound evaluates to non-positive value -1
// CHECK-ZERO: vla.c:9:11: runtime error: variable length array bound evaluates to non-positive value 0 // CHECK-ZERO: vla.c:9:11: UndefinedBehaviorSanitizer vla-bound error: variable length array bound evaluates to non-positive value 0
int arr[argc - 2]; int arr[argc - 2];
return 0; return 0;
} }
Context not available.

test/ubsan/TestCases/TypeCheck/Function/function.cpp

Context not available.
void g(int x) {} void g(int x) {}
int main(void) { int main(void) {
// CHECK: runtime error: call to function f() through pointer to incorrect function type 'void (*)(int)' // CHECK: UndefinedBehaviorSanitizer function error: call to function f() through pointer to incorrect function type 'void (*)(int)'
// CHECK-NEXT: function.cpp:11: note: f() defined here // CHECK-NEXT: function.cpp:11: UndefinedBehaviorSanitizer function note: f() defined here
// NOSYM: runtime error: call to function (unknown) through pointer to incorrect function type 'void (*)(int)' // NOSYM: UndefinedBehaviorSanitizer function error: call to function (unknown) through pointer to incorrect function type 'void (*)(int)'
// NOSYM-NEXT: ({{.*}}+0x{{.*}}): note: (unknown) defined here // NOSYM-NEXT: ({{.*}}+0x{{.*}}): UndefinedBehaviorSanitizer function note: (unknown) defined here
reinterpret_cast<void (*)(int)>(reinterpret_cast<uintptr_t>(f))(42); reinterpret_cast<void (*)(int)>(reinterpret_cast<uintptr_t>(f))(42);
// CHECK-NOT: runtime error: call to function g // CHECK-NOT: UndefinedBehaviorSanitizer function error: call to function g
reinterpret_cast<void (*)(int)>(reinterpret_cast<uintptr_t>(g))(42); reinterpret_cast<void (*)(int)>(reinterpret_cast<uintptr_t>(g))(42);
} }
Context not available.

test/ubsan/TestCases/TypeCheck/misaligned.cpp

Context not available.
switch (argv[1][0]) { switch (argv[1][0]) {
case 'l': case 'l':
// CHECK-LOAD: misaligned.cpp:[[@LINE+4]]:12: runtime error: load of misaligned address [[PTR:0x[0-9a-f]*]] for type 'int', which requires 4 byte alignment // CHECK-LOAD: misaligned.cpp:[[@LINE+4]]:12: UndefinedBehaviorSanitizer alignment error: load of misaligned address [[PTR:0x[0-9a-f]*]] for type 'int', which requires 4 byte alignment
// CHECK-LOAD-NEXT: [[PTR]]: note: pointer points here // CHECK-LOAD-NEXT: [[PTR]]: UndefinedBehaviorSanitizer alignment note: pointer points here
// CHECK-LOAD-NEXT: {{^ 00 00 00 01 02 03 04 05}} // CHECK-LOAD-NEXT: {{^ 00 00 00 01 02 03 04 05}}
// CHECK-LOAD-NEXT: {{^ \^}} // CHECK-LOAD-NEXT: {{^ \^}}
return *p && 0; return *p && 0;
Context not available.
// CHECK-Darwin-STACK-LOAD: {{ }} // CHECK-Darwin-STACK-LOAD: {{ }}
case 's': case 's':
// CHECK-STORE: misaligned.cpp:[[@LINE+4]]:5: runtime error: store to misaligned address [[PTR:0x[0-9a-f]*]] for type 'int', which requires 4 byte alignment // CHECK-STORE: misaligned.cpp:[[@LINE+4]]:5: UndefinedBehaviorSanitizer alignment error: store to misaligned address [[PTR:0x[0-9a-f]*]] for type 'int', which requires 4 byte alignment
// CHECK-STORE-NEXT: [[PTR]]: note: pointer points here // CHECK-STORE-NEXT: [[PTR]]: UndefinedBehaviorSanitizer alignment note: pointer points here
// CHECK-STORE-NEXT: {{^ 00 00 00 01 02 03 04 05}} // CHECK-STORE-NEXT: {{^ 00 00 00 01 02 03 04 05}}
// CHECK-STORE-NEXT: {{^ \^}} // CHECK-STORE-NEXT: {{^ \^}}
*p = 1; *p = 1;
break; break;
case 'r': case 'r':
// CHECK-REFERENCE: misaligned.cpp:[[@LINE+4]]:15: runtime error: reference binding to misaligned address [[PTR:0x[0-9a-f]*]] for type 'int', which requires 4 byte alignment // CHECK-REFERENCE: misaligned.cpp:[[@LINE+4]]:15: UndefinedBehaviorSanitizer alignment error: reference binding to misaligned address [[PTR:0x[0-9a-f]*]] for type 'int', which requires 4 byte alignment
// CHECK-REFERENCE-NEXT: [[PTR]]: note: pointer points here // CHECK-REFERENCE-NEXT: [[PTR]]: UndefinedBehaviorSanitizer alignment note: pointer points here
// CHECK-REFERENCE-NEXT: {{^ 00 00 00 01 02 03 04 05}} // CHECK-REFERENCE-NEXT: {{^ 00 00 00 01 02 03 04 05}}
// CHECK-REFERENCE-NEXT: {{^ \^}} // CHECK-REFERENCE-NEXT: {{^ \^}}
{int &r = *p;} {int &r = *p;}
break; break;
case 'm': case 'm':
// CHECK-MEMBER: misaligned.cpp:[[@LINE+4]]:15: runtime error: member access within misaligned address [[PTR:0x[0-9a-f]*]] for type 'S', which requires 4 byte alignment // CHECK-MEMBER: misaligned.cpp:[[@LINE+4]]:15: UndefinedBehaviorSanitizer alignment error: member access within misaligned address [[PTR:0x[0-9a-f]*]] for type 'S', which requires 4 byte alignment
// CHECK-MEMBER-NEXT: [[PTR]]: note: pointer points here // CHECK-MEMBER-NEXT: [[PTR]]: UndefinedBehaviorSanitizer alignment note: pointer points here
// CHECK-MEMBER-NEXT: {{^ 00 00 00 01 02 03 04 05}} // CHECK-MEMBER-NEXT: {{^ 00 00 00 01 02 03 04 05}}
// CHECK-MEMBER-NEXT: {{^ \^}} // CHECK-MEMBER-NEXT: {{^ \^}}
return s->k && 0; return s->k && 0;
case 'f': case 'f':
// CHECK-MEMFUN: misaligned.cpp:[[@LINE+4]]:12: runtime error: member call on misaligned address [[PTR:0x[0-9a-f]*]] for type 'S', which requires 4 byte alignment // CHECK-MEMFUN: misaligned.cpp:[[@LINE+4]]:12: UndefinedBehaviorSanitizer alignment error: member call on misaligned address [[PTR:0x[0-9a-f]*]] for type 'S', which requires 4 byte alignment
// CHECK-MEMFUN-NEXT: [[PTR]]: note: pointer points here // CHECK-MEMFUN-NEXT: [[PTR]]: UndefinedBehaviorSanitizer alignment note: pointer points here
// CHECK-MEMFUN-NEXT: {{^ 00 00 00 01 02 03 04 05}} // CHECK-MEMFUN-NEXT: {{^ 00 00 00 01 02 03 04 05}}
// CHECK-MEMFUN-NEXT: {{^ \^}} // CHECK-MEMFUN-NEXT: {{^ \^}}
return s->f() && 0; return s->f() && 0;
case 'n': case 'n':
// CHECK-NEW: misaligned.cpp:[[@LINE+4]]:5: runtime error: constructor call on misaligned address [[PTR:0x[0-9a-f]*]] for type 'S', which requires 4 byte alignment // CHECK-NEW: misaligned.cpp:[[@LINE+4]]:5: UndefinedBehaviorSanitizer alignment error: constructor call on misaligned address [[PTR:0x[0-9a-f]*]] for type 'S', which requires 4 byte alignment
// CHECK-NEW-NEXT: [[PTR]]: note: pointer points here // CHECK-NEW-NEXT: [[PTR]]: UndefinedBehaviorSanitizer alignment note: pointer points here
// CHECK-NEW-NEXT: {{^ 00 00 00 01 02 03 04 05}} // CHECK-NEW-NEXT: {{^ 00 00 00 01 02 03 04 05}}
// CHECK-NEW-NEXT: {{^ \^}} // CHECK-NEW-NEXT: {{^ \^}}
return (new (s) S)->k && 0; return (new (s) S)->k && 0;
case 'u': { case 'u': {
// CHECK-UPCAST: misaligned.cpp:[[@LINE+4]]:17: runtime error: upcast of misaligned address [[PTR:0x[0-9a-f]*]] for type 'T', which requires 4 byte alignment // CHECK-UPCAST: misaligned.cpp:[[@LINE+4]]:17: UndefinedBehaviorSanitizer alignment error: upcast of misaligned address [[PTR:0x[0-9a-f]*]] for type 'T', which requires 4 byte alignment
// CHECK-UPCAST-NEXT: [[PTR]]: note: pointer points here // CHECK-UPCAST-NEXT: [[PTR]]: UndefinedBehaviorSanitizer alignment note: pointer points here
// CHECK-UPCAST-NEXT: {{^ 00 00 00 01 02 03 04 05}} // CHECK-UPCAST-NEXT: {{^ 00 00 00 01 02 03 04 05}}
// CHECK-UPCAST-NEXT: {{^ \^}} // CHECK-UPCAST-NEXT: {{^ \^}}
S *s2 = (S*)t; S *s2 = (S*)t;
Context not available.
} }
case 'w': case 'w':
// CHECK-WILD: misaligned.cpp:[[@LINE+3]]:35: runtime error: member access within misaligned address 0x000000000123 for type 'S', which requires 4 byte alignment // CHECK-WILD: misaligned.cpp:[[@LINE+3]]:35: UndefinedBehaviorSanitizer alignment error: member access within misaligned address 0x000000000123 for type 'S', which requires 4 byte alignment
// CHECK-WILD-NEXT: 0x000000000123: note: pointer points here // CHECK-WILD-NEXT: 0x000000000123: UndefinedBehaviorSanitizer alignment note: pointer points here
// CHECK-WILD-NEXT: <memory cannot be printed> // CHECK-WILD-NEXT: <memory cannot be printed>
return static_cast<S*>(wild)->k; return static_cast<S*>(wild)->k;
} }
Context not available.

test/ubsan/TestCases/TypeCheck/null.cpp

Context not available.
switch (argv[1][0]) { switch (argv[1][0]) {
case 'l': case 'l':
// CHECK-LOAD: null.cpp:22:12: runtime error: load of null pointer of type 'int' // CHECK-LOAD: null.cpp:22:12: UndefinedBehaviorSanitizer null error: load of null pointer of type 'int'
return *p; return *p;
case 's': case 's':
// CHECK-STORE: null.cpp:25:5: runtime error: store to null pointer of type 'int' // CHECK-STORE: null.cpp:25:5: UndefinedBehaviorSanitizer null error: store to null pointer of type 'int'
*p = 1; *p = 1;
break; break;
case 'r': case 'r':
// CHECK-REFERENCE: null.cpp:29:15: runtime error: reference binding to null pointer of type 'int' // CHECK-REFERENCE: null.cpp:29:15: UndefinedBehaviorSanitizer null error: reference binding to null pointer of type 'int'
{int &r = *p;} {int &r = *p;}
break; break;
case 'm': case 'm':
// CHECK-MEMBER: null.cpp:33:15: runtime error: member access within null pointer of type 'S' // CHECK-MEMBER: null.cpp:33:15: UndefinedBehaviorSanitizer null error: member access within null pointer of type 'S'
return s->k; return s->k;
case 'f': case 'f':
// CHECK-MEMFUN: null.cpp:36:12: runtime error: member call on null pointer of type 'S' // CHECK-MEMFUN: null.cpp:36:12: UndefinedBehaviorSanitizer null error: member call on null pointer of type 'S'
return s->f(); return s->f();
} }
} }
Context not available.

test/ubsan/TestCases/TypeCheck/vptr-virtual-base.cpp

Context not available.
Foo foo; Foo foo;
T *t = (T*)&foo; T *t = (T*)&foo;
S *s = t; S *s = t;
// CHECK: vptr-virtual-base.cpp:[[@LINE-1]]:10: runtime error: cast to virtual base of address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T' // CHECK: vptr-virtual-base.cpp:[[@LINE-1]]:10: UndefinedBehaviorSanitizer vptr error: cast to virtual base of address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T'
// CHECK-NEXT: [[PTR]]: note: object is of type 'Foo' // CHECK-NEXT: [[PTR]]: UndefinedBehaviorSanitizer vptr note: object is of type 'Foo'
return s->f(); return s->f();
} }
Context not available.

test/ubsan/TestCases/TypeCheck/vptr.cpp

Context not available.
for (int i = 0; i < 2; i++) { for (int i = 0; i < 2; i++) {
// Check that the first iteration ("S") succeeds, while the second ("V") fails. // Check that the first iteration ("S") succeeds, while the second ("V") fails.
p = reinterpret_cast<T*>((i == 0) ? new S : new V); p = reinterpret_cast<T*>((i == 0) ? new S : new V);
// CHECK-LOC-SUPPRESS: vptr.cpp:[[@LINE+5]]:7: runtime error: member call on address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T' // CHECK-LOC-SUPPRESS: vptr.cpp:[[@LINE+5]]:7: UndefinedBehaviorSanitizer vptr error: member call on address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T'
// CHECK-LOC-SUPPRESS-NEXT: [[PTR]]: note: object is of type 'V' // CHECK-LOC-SUPPRESS-NEXT: [[PTR]]: UndefinedBehaviorSanitizer vptr note: object is of type 'V'
// CHECK-LOC-SUPPRESS-NEXT: {{^ .. .. .. .. .. .. .. .. .. .. .. .. }} // CHECK-LOC-SUPPRESS-NEXT: {{^ .. .. .. .. .. .. .. .. .. .. .. .. }}
// CHECK-LOC-SUPPRESS-NEXT: {{^ \^~~~~~~~~~~(~~~~~~~~~~~~)? *$}} // CHECK-LOC-SUPPRESS-NEXT: {{^ \^~~~~~~~~~~(~~~~~~~~~~~~)? *$}}
// CHECK-LOC-SUPPRESS-NEXT: {{^ vptr for 'V'}} // CHECK-LOC-SUPPRESS-NEXT: {{^ vptr for 'V'}}
Context not available.
return 0; return 0;
case 'm': case 'm':
// CHECK-MEMBER: vptr.cpp:[[@LINE+6]]:15: runtime error: member access within address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T' // CHECK-MEMBER: vptr.cpp:[[@LINE+6]]:15: UndefinedBehaviorSanitizer vptr error: member access within address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T'
// CHECK-MEMBER-NEXT: [[PTR]]: note: object is of type [[DYN_TYPE:'S'|'U']] // CHECK-MEMBER-NEXT: [[PTR]]: UndefinedBehaviorSanitizer vptr note: object is of type [[DYN_TYPE:'S'|'U']]
// CHECK-MEMBER-NEXT: {{^ .. .. .. .. .. .. .. .. .. .. .. .. }} // CHECK-MEMBER-NEXT: {{^ .. .. .. .. .. .. .. .. .. .. .. .. }}
// CHECK-MEMBER-NEXT: {{^ \^~~~~~~~~~~(~~~~~~~~~~~~)? *$}} // CHECK-MEMBER-NEXT: {{^ \^~~~~~~~~~~(~~~~~~~~~~~~)? *$}}
// CHECK-MEMBER-NEXT: {{^ vptr for}} [[DYN_TYPE]] // CHECK-MEMBER-NEXT: {{^ vptr for}} [[DYN_TYPE]]
// CHECK-MEMBER-NEXT: #0 {{.*}} in access_p{{.*}}vptr.cpp:[[@LINE+1]] // CHECK-MEMBER-NEXT: #0 {{.*}} in access_p{{.*}}vptr.cpp:[[@LINE+1]]
return p->b; return p->b;
// CHECK-NULL-MEMBER: vptr.cpp:[[@LINE-2]]:15: runtime error: member access within address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T' // CHECK-NULL-MEMBER: vptr.cpp:[[@LINE-2]]:15: UndefinedBehaviorSanitizer vptr error: member access within address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T'
// CHECK-NULL-MEMBER-NEXT: [[PTR]]: note: object has invalid vptr // CHECK-NULL-MEMBER-NEXT: [[PTR]]: UndefinedBehaviorSanitizer vptr note: object has invalid vptr
// CHECK-NULL-MEMBER-NEXT: {{^ ?.. .. .. .. ?00 00 00 00 ?00 00 00 00 ?}} // CHECK-NULL-MEMBER-NEXT: {{^ ?.. .. .. .. ?00 00 00 00 ?00 00 00 00 ?}}
// CHECK-NULL-MEMBER-NEXT: {{^ \^~~~~~~~~~~(~~~~~~~~~~~~)? *$}} // CHECK-NULL-MEMBER-NEXT: {{^ \^~~~~~~~~~~(~~~~~~~~~~~~)? *$}}
// CHECK-NULL-MEMBER-NEXT: {{^ invalid vptr}} // CHECK-NULL-MEMBER-NEXT: {{^ invalid vptr}}
// CHECK-NULL-MEMBER-NEXT: #0 {{.*}} in access_p{{.*}}vptr.cpp:[[@LINE-7]] // CHECK-NULL-MEMBER-NEXT: #0 {{.*}} in access_p{{.*}}vptr.cpp:[[@LINE-7]]
case 'f': case 'f':
// CHECK-MEMFUN: vptr.cpp:[[@LINE+6]]:12: runtime error: member call on address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T' // CHECK-MEMFUN: vptr.cpp:[[@LINE+6]]:12: UndefinedBehaviorSanitizer vptr error: member call on address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T'
// CHECK-MEMFUN-NEXT: [[PTR]]: note: object is of type [[DYN_TYPE:'S'|'U']] // CHECK-MEMFUN-NEXT: [[PTR]]: UndefinedBehaviorSanitizer vptr note: object is of type [[DYN_TYPE:'S'|'U']]
// CHECK-MEMFUN-NEXT: {{^ .. .. .. .. .. .. .. .. .. .. .. .. }} // CHECK-MEMFUN-NEXT: {{^ .. .. .. .. .. .. .. .. .. .. .. .. }}
// CHECK-MEMFUN-NEXT: {{^ \^~~~~~~~~~~(~~~~~~~~~~~~)? *$}} // CHECK-MEMFUN-NEXT: {{^ \^~~~~~~~~~~(~~~~~~~~~~~~)? *$}}
// CHECK-MEMFUN-NEXT: {{^ vptr for}} [[DYN_TYPE]] // CHECK-MEMFUN-NEXT: {{^ vptr for}} [[DYN_TYPE]]
Context not available.
return p->g(); return p->g();
case 'o': case 'o':
// CHECK-OFFSET: vptr.cpp:[[@LINE+6]]:12: runtime error: member call on address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'U' // CHECK-OFFSET: vptr.cpp:[[@LINE+6]]:12: UndefinedBehaviorSanitizer vptr error: member call on address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'U'
// CHECK-OFFSET-NEXT: 0x{{[0-9a-f]*}}: note: object is base class subobject at offset {{8|16}} within object of type [[DYN_TYPE:'U']] // CHECK-OFFSET-NEXT: 0x{{[0-9a-f]*}}: UndefinedBehaviorSanitizer vptr note: object is base class subobject at offset {{8|16}} within object of type [[DYN_TYPE:'U']]
// CHECK-OFFSET-NEXT: {{^ .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. }} // CHECK-OFFSET-NEXT: {{^ .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. }}
// CHECK-OFFSET-NEXT: {{^ \^ ( ~~~~~~~~~~~~)?~~~~~~~~~~~ *$}} // CHECK-OFFSET-NEXT: {{^ \^ ( ~~~~~~~~~~~~)?~~~~~~~~~~~ *$}}
// CHECK-OFFSET-NEXT: {{^ ( )?vptr for}} 'T' base class of [[DYN_TYPE]] // CHECK-OFFSET-NEXT: {{^ ( )?vptr for}} 'T' base class of [[DYN_TYPE]]
Context not available.
return reinterpret_cast<U*>(p)->v() - 2; return reinterpret_cast<U*>(p)->v() - 2;
case 'c': case 'c':
// CHECK-DOWNCAST: vptr.cpp:[[@LINE+6]]:5: runtime error: downcast of address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T' // CHECK-DOWNCAST: vptr.cpp:[[@LINE+6]]:5: UndefinedBehaviorSanitizer vptr error: downcast of address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'T'
// CHECK-DOWNCAST-NEXT: [[PTR]]: note: object is of type [[DYN_TYPE:'S'|'U']] // CHECK-DOWNCAST-NEXT: [[PTR]]: UndefinedBehaviorSanitizer vptr note: object is of type [[DYN_TYPE:'S'|'U']]
// CHECK-DOWNCAST-NEXT: {{^ .. .. .. .. .. .. .. .. .. .. .. .. }} // CHECK-DOWNCAST-NEXT: {{^ .. .. .. .. .. .. .. .. .. .. .. .. }}
// CHECK-DOWNCAST-NEXT: {{^ \^~~~~~~~~~~(~~~~~~~~~~~~)? *$}} // CHECK-DOWNCAST-NEXT: {{^ \^~~~~~~~~~~(~~~~~~~~~~~~)? *$}}
// CHECK-DOWNCAST-NEXT: {{^ vptr for}} [[DYN_TYPE]] // CHECK-DOWNCAST-NEXT: {{^ vptr for}} [[DYN_TYPE]]
Context not available.