This is an archive of the discontinued LLVM Phabricator instance.

Differential D6074

UBSan: Teach isDerivedFromAtOffset and findBaseAtOffset about vbases
ClosedPublic

Authored by majnemer on Nov 1 2014, 6:46 PM.

Details

Reviewers
samsonov
rsmith
Commits
rG3400563ea616: UBSan: Teach isDerivedFromAtOffset and findBaseAtOffset about vbases
rCRT221445: UBSan: Teach isDerivedFromAtOffset and findBaseAtOffset about vbases
rL221445: UBSan: Teach isDerivedFromAtOffset and findBaseAtOffset about vbases
Summary

When the virtual_mask is set, offset_flags >> __offset_shift yields
an offset into the vtable. Dereferencing this vtable slot gets us the
vbase offset.

Adjust a test case to verify that this, in fact, works.

Diff Detail

Repository
rL LLVM

Event Timeline

majnemer updated this revision to Diff 15673.Nov 1 2014, 6:46 PM
majnemer retitled this revision from to UBSan: Teach isDerivedFromAtOffset and findBaseAtOffset about vbases.
majnemer updated this object.
majnemer added reviewers: rsmith, samsonov.
majnemer added a subscriber: Unknown Object (MLST).
samsonov accepted this revision.Nov 5 2014, 7:24 PM
samsonov edited edge metadata.

LGTM. Thanks for doing this!

lib/ubsan/ubsan_type_hash.cc
143 ↗(On Diff #15673)

Can this be

sptr VTable = *reinterpret_cast<sptr *>(Object);
OffsetHere = *reinterpret_cast<sptr *>(VTable + OffsetHere);

?

This revision is now accepted and ready to land.Nov 5 2014, 7:24 PM
majnemer closed this revision.Nov 6 2014, 1:06 AM
majnemer updated this revision to Diff 15843.

Closed by commit rL221445 (authored by @majnemer).

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
ubsan/
47 lines
test/
ubsan/
TestCases/
TypeCheck/
3 lines

Diff 15843

compiler-rt/trunk/lib/ubsan/ubsan_type_hash.cc

Show First 20 LinesShow All 109 Lines▼ Show 20 Lines
} }
/// A cache of recently-checked hashes. Mini hash table with "random" evictions. /// A cache of recently-checked hashes. Mini hash table with "random" evictions.
__ubsan::HashValue __ubsan::HashValue
__ubsan::__ubsan_vptr_type_cache[__ubsan::VptrTypeCacheSize]; __ubsan::__ubsan_vptr_type_cache[__ubsan::VptrTypeCacheSize];
/// \brief Determine whether \p Derived has a \p Base base class subobject at /// \brief Determine whether \p Derived has a \p Base base class subobject at
/// offset \p Offset. /// offset \p Offset.
static bool isDerivedFromAtOffset(const abi::__class_type_info *Derived, static bool isDerivedFromAtOffset(sptr Object,
const abi::__class_type_info *Derived,
const abi::__class_type_info *Base, const abi::__class_type_info *Base,
sptr Offset) { sptr Offset) {
if (Derived->__type_name == Base->__type_name) if (Derived->__type_name == Base->__type_name)
return Offset == 0; return Offset == 0;
if (const abi::__si_class_type_info *SI = if (const abi::__si_class_type_info *SI =
dynamic_cast<const abi::__si_class_type_info*>(Derived)) dynamic_cast<const abi::__si_class_type_info*>(Derived))
return isDerivedFromAtOffset(SI->__base_type, Base, Offset); return isDerivedFromAtOffset(Object, SI->__base_type, Base, Offset);
const abi::__vmi_class_type_info *VTI = const abi::__vmi_class_type_info *VTI =
dynamic_cast<const abi::__vmi_class_type_info*>(Derived); dynamic_cast<const abi::__vmi_class_type_info*>(Derived);
if (!VTI) if (!VTI)
// No base class subobjects. // No base class subobjects.
return false; return false;
// Look for a base class which is derived from \p Base at the right offset. // Look for a base class which is derived from \p Base at the right offset.
for (unsigned int base = 0; base != VTI->base_count; ++base) { for (unsigned int base = 0; base != VTI->base_count; ++base) {
// FIXME: Curtail the recursion if this base can't possibly contain the // FIXME: Curtail the recursion if this base can't possibly contain the
// given offset. // given offset.
sptr OffsetHere = VTI->base_info[base].__offset_flags >> sptr OffsetHere = VTI->base_info[base].__offset_flags >>
abi::__base_class_type_info::__offset_shift; abi::__base_class_type_info::__offset_shift;
if (VTI->base_info[base].__offset_flags & if (VTI->base_info[base].__offset_flags &
abi::__base_class_type_info::__virtual_mask) abi::__base_class_type_info::__virtual_mask) {
// For now, just punt on virtual bases and say 'yes'. sptr VTable = *reinterpret_cast<const sptr *>(Object);
// FIXME: OffsetHere is the offset in the vtable of the virtual base OffsetHere = *reinterpret_cast<const sptr *>(VTable + OffsetHere);
// offset. Read the vbase offset out of the vtable and use it. }
return true; if (isDerivedFromAtOffset(Object + OffsetHere,
if (isDerivedFromAtOffset(VTI->base_info[base].__base_type, VTI->base_info[base].__base_type, Base,
Base, Offset - OffsetHere)) Offset - OffsetHere))
return true; return true;
} }
return false; return false;
} }
/// \brief Find the derived-most dynamic base class of \p Derived at offset /// \brief Find the derived-most dynamic base class of \p Derived at offset
/// \p Offset. /// \p Offset.
static const abi::__class_type_info *findBaseAtOffset( static const abi::__class_type_info *
const abi::__class_type_info *Derived, sptr Offset) { findBaseAtOffset(sptr Object, const abi::__class_type_info *Derived,
sptr Offset) {
if (!Offset) if (!Offset)
return Derived; return Derived;
if (const abi::__si_class_type_info *SI = if (const abi::__si_class_type_info *SI =
dynamic_cast<const abi::__si_class_type_info*>(Derived)) dynamic_cast<const abi::__si_class_type_info*>(Derived))
return findBaseAtOffset(SI->__base_type, Offset); return findBaseAtOffset(Object, SI->__base_type, Offset);
const abi::__vmi_class_type_info *VTI = const abi::__vmi_class_type_info *VTI =
dynamic_cast<const abi::__vmi_class_type_info*>(Derived); dynamic_cast<const abi::__vmi_class_type_info*>(Derived);
if (!VTI) if (!VTI)
// No base class subobjects. // No base class subobjects.
return 0; return 0;
for (unsigned int base = 0; base != VTI->base_count; ++base) { for (unsigned int base = 0; base != VTI->base_count; ++base) {
sptr OffsetHere = VTI->base_info[base].__offset_flags >> sptr OffsetHere = VTI->base_info[base].__offset_flags >>
abi::__base_class_type_info::__offset_shift; abi::__base_class_type_info::__offset_shift;
if (VTI->base_info[base].__offset_flags & if (VTI->base_info[base].__offset_flags &
abi::__base_class_type_info::__virtual_mask) abi::__base_class_type_info::__virtual_mask) {
// FIXME: Can't handle virtual bases yet. sptr VTable = *reinterpret_cast<const sptr *>(Object);
continue; OffsetHere = *reinterpret_cast<const sptr *>(VTable + OffsetHere);
if (const abi::__class_type_info *Base = }
findBaseAtOffset(VTI->base_info[base].__base_type, if (const abi::__class_type_info *Base = findBaseAtOffset(
Object + OffsetHere, VTI->base_info[base].__base_type,
Offset - OffsetHere)) Offset - OffsetHere))
return Base; return Base;
} }
return 0; return 0;
} }
namespace { namespace {
Show All 35 Linesbool __ubsan::checkDynamicType(void *Object, void *Type, HashValue Hash) {
// Check that this is actually a type_info object for a class type. // Check that this is actually a type_info object for a class type.
abi::__class_type_info *Derived = abi::__class_type_info *Derived =
dynamic_cast<abi::__class_type_info*>(Vtable->TypeInfo); dynamic_cast<abi::__class_type_info*>(Vtable->TypeInfo);
if (!Derived) if (!Derived)
return false; return false;
abi::__class_type_info *Base = (abi::__class_type_info*)Type; abi::__class_type_info *Base = (abi::__class_type_info*)Type;
if (!isDerivedFromAtOffset(Derived, Base, -Vtable->Offset)) if (!isDerivedFromAtOffset(reinterpret_cast<sptr>(Object), Derived, Base,
-Vtable->Offset))
return false; return false;
// Success. Cache this result. // Success. Cache this result.
__ubsan_vptr_type_cache[Hash % VptrTypeCacheSize] = Hash; __ubsan_vptr_type_cache[Hash % VptrTypeCacheSize] = Hash;
*Bucket = Hash; *Bucket = Hash;
return true; return true;
} }
__ubsan::DynamicTypeInfo __ubsan::getDynamicTypeInfo(void *Object) { __ubsan::DynamicTypeInfo __ubsan::getDynamicTypeInfo(void *Object) {
VtablePrefix *Vtable = getVtablePrefix(Object); VtablePrefix *Vtable = getVtablePrefix(Object);
if (!Vtable) if (!Vtable)
return DynamicTypeInfo(0, 0, 0); return DynamicTypeInfo(0, 0, 0);
const abi::__class_type_info *ObjectType = findBaseAtOffset( const abi::__class_type_info *ObjectType = findBaseAtOffset(
reinterpret_cast<sptr>(Object),
static_cast<const abi::__class_type_info*>(Vtable->TypeInfo), static_cast<const abi::__class_type_info *>(Vtable->TypeInfo),
-Vtable->Offset); -Vtable->Offset);
return DynamicTypeInfo(Vtable->TypeInfo->__type_name, -Vtable->Offset, return DynamicTypeInfo(Vtable->TypeInfo->__type_name, -Vtable->Offset,
ObjectType ? ObjectType->__type_name : "<unknown>"); ObjectType ? ObjectType->__type_name : "<unknown>");
} }

compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/vptr.cpp

Show First 20 LinesShow All 42 Lines▼ Show 20 Lines
struct T : S { struct T : S {
T() : b(0) {} T() : b(0) {}
int b; int b;
int g() { return 0; } int g() { return 0; }
virtual int v() { return 1; } virtual int v() { return 1; }
}; };
struct U : S, T { virtual int v() { return 2; } }; struct X {};
struct U : S, T, virtual X { virtual int v() { return 2; } };
struct V : S {}; struct V : S {};
// Make p global so that lsan does not complain. // Make p global so that lsan does not complain.
T *p = 0; T *p = 0;
int access_p(T *p, char type); int access_p(T *p, char type);
▲ Show 20 LinesShow All 106 LinesShow Last 20 Lines