This is an archive of the discontinued LLVM Phabricator instance.

Differential D8312

Implement bad cast checks using control flow integrity information.
ClosedPublic

Authored by pcc on Mar 12 2015, 11:31 PM.

Details

Reviewers
kcc
jfb
Commits
rGd2926c91d513: Implement bad cast checks using control flow integrity information.
rC232241: Implement bad cast checks using control flow integrity information.
rL232241: Implement bad cast checks using control flow integrity information.
Summary

This scheme checks that pointer and lvalue casts are made to an object of
the correct dynamic type; that is, the dynamic type of the object must be
a derived class of the pointee type of the cast. The checks are currently
only introduced where the class being casted to is a polymorphic class.

Diff Detail

Event Timeline

pcc updated this revision to Diff 21898.Mar 12 2015, 11:31 PM
pcc retitled this revision from to Implement bad cast checks using control flow integrity information..
pcc updated this object.
pcc edited the test plan for this revision. (Show Details)
pcc added reviewers: kcc, jfb.
pcc added a subscriber: Unknown Object (MLST).
jfb added inline comments.Mar 13 2015, 10:04 AM
docs/UsersManual.rst
974

Add -fsanitize=cfi-cast-strict?

lib/CodeGen/CGClass.cpp
2121

Why?

test/CodeGenCXX/cfi-cast.cpp
5

Could you have a quick blurb that helps decipher the metadata !"1B' part, explaining that it's the important bit in the checks.

16

CHECK-LABEL-DCAST (same below).

78

Add rvalue ref test?

A a();

B rvalue() {
  return static_cast<B&&>(a());
}
kcc edited edge metadata.Mar 13 2015, 12:47 PM

Please also add compiler-rt test(s)

docs/UsersManual.rst
971

Don't we want more verbose names?
cfi-polymorphic-base-downcast
cfi-void-to-polymorphic-cast
or something.

pcc updated this revision to Diff 21967.Mar 13 2015, 3:45 PM
pcc edited edge metadata.
  • Address reviewer comments
pcc added a comment.Mar 13 2015, 3:46 PM

Please also add compiler-rt test(s)

Will do

docs/UsersManual.rst
971

Okay, I've given these better names.

974

Done.

lib/CodeGen/CGClass.cpp
2121

Explained in comment.

test/CodeGenCXX/cfi-cast.cpp
5

Done

16

Done

78

Done.

jfb edited edge metadata.Mar 13 2015, 7:24 PM

lgtm after what seems like a typo.

test/CodeGenCXX/cfi-cast.cpp
58

B&&

Closed by commit rL232241: Implement bad cast checks using control flow integrity information. (authored by pcc). · Explain WhyMar 13 2015, 7:44 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
docs/
54 lines
6 lines
include/
clang/
Basic/
5 lines
lib/
CodeGen/
91 lines
7 lines
11 lines
10 lines
Driver/
4 lines
test/
CodeGenCXX/
109 lines
Driver/
9 lines

Diff 21967

docs/ControlFlowIntegrity.rst

Show First 20 LinesShow All 52 Lines▼ Show 20 Lines
A performance overhead of less than 1% has been measured by running the A performance overhead of less than 1% has been measured by running the
Dromaeo benchmark suite against an instrumented version of the Chromium Dromaeo benchmark suite against an instrumented version of the Chromium
web browser. Another good performance benchmark for this mechanism is the web browser. Another good performance benchmark for this mechanism is the
virtual-call-heavy SPEC 2006 xalancbmk. virtual-call-heavy SPEC 2006 xalancbmk.
Note that this scheme has not yet been optimized for binary size; an increase Note that this scheme has not yet been optimized for binary size; an increase
of up to 15% has been observed for Chromium. of up to 15% has been observed for Chromium.
Bad Cast Checking
-----------------
This scheme checks that pointer casts are made to an object of the correct
dynamic type; that is, the dynamic type of the object must be a derived class
of the pointee type of the cast. The checks are currently only introduced
where the class being casted to is a polymorphic class.
Bad casts are not in themselves control flow integrity violations, but they
can also create security vulnerabilities, and the implementation uses many
of the same mechanisms.
There are two types of bad cast that may be forbidden: bad casts
from a base class to a derived class (which can be checked with
``-fsanitize=cfi-derived-cast``), and bad casts from a pointer of
type ``void*`` or another unrelated type (which can be checked with
``-fsanitize=cfi-unrelated-cast``).
The difference between these two types of casts is that the first is defined
by the C++ standard to produce an undefined value, while the second is not
in itself undefined behavior (it is well defined to cast the pointer back
to its original type).
If a program as a matter of policy forbids the second type of cast, that
restriction can normally be enforced. However it may in some cases be necessary
for a function to perform a forbidden cast to conform with an external API
(e.g. the ``allocate`` member function of a standard library allocator). Such
functions may be blacklisted using a :doc:`SanitizerSpecialCaseList`.
For this scheme to work, all translation units containing the definition
of a virtual member function (whether inline or not) must be compiled with
``-fsanitize=cfi-derived-cast`` or ``-fsanitize=cfi-unrelated-cast`` enabled
and be statically linked into the program. Classes in the C++ standard library
(under namespace ``std``) are exempted from checking, and therefore programs
may be linked against a pre-built standard library, but this may change in
the future.
.. _cfi-strictness:
Strictness
~~~~~~~~~~
If a class has a single non-virtual base and does not introduce or override
virtual member functions or fields other than an implicitly defined virtual
destructor, it will have the same layout and virtual function semantics as
its base. By default, casts to such classes are checked as if they were made
to the least derived such class.
Casting an instance of a base class to such a derived class is technically
undefined behavior, but it is a relatively common hack for introducing
member functions on class instances with specific properties that works under
most compilers and should not have security implications, so we allow it by
default. It can be disabled with ``-fsanitize=cfi-cast-strict``.
Design Design
------ ------
Please refer to the :doc:`design document<ControlFlowIntegrityDesign>`. Please refer to the :doc:`design document<ControlFlowIntegrityDesign>`.
Publications Publications
------------ ------------
`Control-Flow Integrity: Principles, Implementations, and Applications <http://research.microsoft.com/pubs/64250/ccs05.pdf>`_. `Control-Flow Integrity: Principles, Implementations, and Applications <http://research.microsoft.com/pubs/64250/ccs05.pdf>`_.
Martin Abadi, Mihai Budiu, Úlfar Erlingsson, Jay Ligatti. Martin Abadi, Mihai Budiu, Úlfar Erlingsson, Jay Ligatti.
`Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM <http://www.pcc.me.uk/~peter/acad/usenix14.pdf>`_. `Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM <http://www.pcc.me.uk/~peter/acad/usenix14.pdf>`_.
Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway,
Úlfar Erlingsson, Luis Lozano, Geoff Pike. Úlfar Erlingsson, Luis Lozano, Geoff Pike.

docs/UsersManual.rst

Show First 20 LinesShow All 962 Lines▼ Show 20 Lines**-f[no-]sanitize=check1,check2,...**
The following more fine-grained checks are also available: The following more fine-grained checks are also available:
- ``-fsanitize=alignment``: Use of a misaligned pointer or creation - ``-fsanitize=alignment``: Use of a misaligned pointer or creation
of a misaligned reference. of a misaligned reference.
- ``-fsanitize=bool``: Load of a ``bool`` value which is neither - ``-fsanitize=bool``: Load of a ``bool`` value which is neither
``true`` nor ``false``. ``true`` nor ``false``.
- ``-fsanitize=bounds``: Out of bounds array indexing, in cases - ``-fsanitize=bounds``: Out of bounds array indexing, in cases
where the array bound can be statically determined. where the array bound can be statically determined.
- ``-fsanitize=cfi-cast-strict``: Enables :ref:`strict cast checks
kccUnsubmitted
Not Done
ReplyInline Actions

Don't we want more verbose names?
cfi-polymorphic-base-downcast
cfi-void-to-polymorphic-cast
or something.

kcc: Don't we want more verbose names? cfi-polymorphic-base-downcast cfi-void-to-polymorphic-cast…
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Okay, I've given these better names.

pcc: Okay, I've given these better names.
<cfi-strictness>`.
- ``-fsanitize=cfi-derived-cast``: Base-to-derived cast to the wrong
dynamic type. Implies ``-flto``.
jfbUnsubmitted
Not Done
ReplyInline Actions

Add -fsanitize=cfi-cast-strict?

jfb: Add `-fsanitize=cfi-cast-strict`?
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

pcc: Done.
- ``-fsanitize=cfi-unrelated-cast``: Cast from ``void*`` or another
unrelated type to the wrong dynamic type. Implies ``-flto``.
- ``-fsanitize=cfi-vptr``: Use of an object whose vptr is of the - ``-fsanitize=cfi-vptr``: Use of an object whose vptr is of the
wrong dynamic type. Implies ``-flto``. wrong dynamic type. Implies ``-flto``.
- ``-fsanitize=enum``: Load of a value of an enumerated type which - ``-fsanitize=enum``: Load of a value of an enumerated type which
is not in the range of representable values for that enumerated is not in the range of representable values for that enumerated
type. type.
- ``-fsanitize=float-cast-overflow``: Conversion to, from, or - ``-fsanitize=float-cast-overflow``: Conversion to, from, or
between floating-point types which would overflow the between floating-point types which would overflow the
destination. destination.
▲ Show 20 LinesShow All 987 LinesShow Last 20 Lines

include/clang/Basic/Sanitizers.def

Show First 20 LinesShow All 73 Lines▼ Show 20 Lines
// IntegerSanitizer // IntegerSanitizer
SANITIZER("unsigned-integer-overflow", UnsignedIntegerOverflow) SANITIZER("unsigned-integer-overflow", UnsignedIntegerOverflow)
// DataFlowSanitizer // DataFlowSanitizer
SANITIZER("dataflow", DataFlow) SANITIZER("dataflow", DataFlow)
// Control Flow Integrity // Control Flow Integrity
SANITIZER("cfi-cast-strict", CFICastStrict)
SANITIZER("cfi-derived-cast", CFIDerivedCast)
SANITIZER("cfi-unrelated-cast", CFIUnrelatedCast)
SANITIZER("cfi-vptr", CFIVptr) SANITIZER("cfi-vptr", CFIVptr)
SANITIZER_GROUP("cfi", CFI, CFIVptr) SANITIZER_GROUP("cfi", CFI, CFIDerivedCast | CFIUnrelatedCast | CFIVptr)
// -fsanitize=undefined-trap includes sanitizers from -fsanitize=undefined // -fsanitize=undefined-trap includes sanitizers from -fsanitize=undefined
// that can be used without runtime support, generally by providing extra // that can be used without runtime support, generally by providing extra
// -fsanitize-undefined-trap-on-error flag. // -fsanitize-undefined-trap-on-error flag.
SANITIZER_GROUP("undefined-trap", UndefinedTrap, SANITIZER_GROUP("undefined-trap", UndefinedTrap,
Alignment | Bool | ArrayBounds | Enum | FloatCastOverflow | Alignment | Bool | ArrayBounds | Enum | FloatCastOverflow |
FloatDivideByZero | IntegerDivideByZero | NonnullAttribute | FloatDivideByZero | IntegerDivideByZero | NonnullAttribute |
Null | ObjectSize | Return | ReturnsNonnullAttribute | Null | ObjectSize | Return | ReturnsNonnullAttribute |
Show All 19 Lines

lib/CodeGen/CGClass.cpp

Show First 20 LinesShow All 2,087 Lines▼ Show 20 Linesllvm::Value *CodeGenFunction::GetVTablePtr(llvm::Value *This,
return VTable; return VTable;
} }
void CodeGenFunction::EmitVTablePtrCheckForCall(const CXXMethodDecl *MD, void CodeGenFunction::EmitVTablePtrCheckForCall(const CXXMethodDecl *MD,
llvm::Value *VTable) { llvm::Value *VTable) {
if (!SanOpts.has(SanitizerKind::CFIVptr)) if (!SanOpts.has(SanitizerKind::CFIVptr))
return; return;
const CXXRecordDecl *RD = MD->getParent(); EmitVTablePtrCheck(MD->getParent(), VTable);
}
// If a class has a single non-virtual base and does not introduce or override
// virtual member functions or fields, it will have the same layout as its base.
// This function returns the least derived such class.
//
// Casting an instance of a base class to such a derived class is technically
// undefined behavior, but it is a relatively common hack for introducing member
// functions on class instances with specific properties (e.g. llvm::Operator)
// that works under most compilers and should not have security implications, so
// we allow it by default. It can be disabled with -fsanitize=cfi-cast-strict.
static const CXXRecordDecl *
LeastDerivedClassWithSameLayout(const CXXRecordDecl *RD) {
if (!RD->field_empty())
return RD;
if (RD->getNumVBases() != 0)
return RD;
if (RD->getNumBases() != 1)
return RD;
for (const CXXMethodDecl *MD : RD->methods()) {
if (MD->isVirtual()) {
// Virtual member functions are only ok if they are implicit destructors
jfbUnsubmitted
Not Done
ReplyInline Actions

Why?

jfb: Why?
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Explained in comment.

pcc: Explained in comment.
// because the implicit destructor will have the same semantics as the
// base class's destructor if no fields are added.
if (isa<CXXDestructorDecl>(MD) && MD->isImplicit())
continue;
return RD;
}
}
return LeastDerivedClassWithSameLayout(
RD->bases_begin()->getType()->getAsCXXRecordDecl());
}
void CodeGenFunction::EmitVTablePtrCheckForCast(QualType T,
llvm::Value *Derived,
bool MayBeNull) {
if (!getLangOpts().CPlusPlus)
return;
auto *ClassTy = T->getAs<RecordType>();
if (!ClassTy)
return;
const CXXRecordDecl *ClassDecl = cast<CXXRecordDecl>(ClassTy->getDecl());
if (!ClassDecl->isCompleteDefinition() || !ClassDecl->isDynamicClass())
return;
SmallString<64> MangledName;
llvm::raw_svector_ostream Out(MangledName);
CGM.getCXXABI().getMangleContext().mangleCXXRTTI(T.getUnqualifiedType(),
Out);
// Blacklist based on the mangled type.
if (CGM.getContext().getSanitizerBlacklist().isBlacklistedType(Out.str()))
return;
if (!SanOpts.has(SanitizerKind::CFICastStrict))
ClassDecl = LeastDerivedClassWithSameLayout(ClassDecl);
llvm::BasicBlock *ContBlock = 0;
if (MayBeNull) {
llvm::Value *DerivedNotNull =
Builder.CreateIsNotNull(Derived, "cast.nonnull");
llvm::BasicBlock *CheckBlock = createBasicBlock("cast.check");
ContBlock = createBasicBlock("cast.cont");
Builder.CreateCondBr(DerivedNotNull, CheckBlock, ContBlock);
EmitBlock(CheckBlock);
}
llvm::Value *VTable = GetVTablePtr(Derived, Int8PtrTy);
EmitVTablePtrCheck(ClassDecl, VTable);
if (MayBeNull) {
Builder.CreateBr(ContBlock);
EmitBlock(ContBlock);
}
}
void CodeGenFunction::EmitVTablePtrCheck(const CXXRecordDecl *RD,
llvm::Value *VTable) {
// FIXME: Add blacklisting scheme. // FIXME: Add blacklisting scheme.
if (RD->isInStdNamespace()) if (RD->isInStdNamespace())
return; return;
std::string OutName; std::string OutName;
llvm::raw_string_ostream Out(OutName); llvm::raw_string_ostream Out(OutName);
CGM.getCXXABI().getMangleContext().mangleCXXVTableBitSet(RD, Out); CGM.getCXXABI().getMangleContext().mangleCXXVTableBitSet(RD, Out);
▲ Show 20 LinesShow All 216 LinesShow Last 20 Lines

lib/CodeGen/CGExpr.cpp

Show First 20 LinesShow All 3,025 Lines▼ Show 20 Lines llvm::Value *Derived =
/*NullCheckValue=*/false); /*NullCheckValue=*/false);
// C++11 [expr.static.cast]p2: Behavior is undefined if a downcast is // C++11 [expr.static.cast]p2: Behavior is undefined if a downcast is
// performed and the object is not of the derived type. // performed and the object is not of the derived type.
if (sanitizePerformTypeCheck()) if (sanitizePerformTypeCheck())
EmitTypeCheck(TCK_DowncastReference, E->getExprLoc(), EmitTypeCheck(TCK_DowncastReference, E->getExprLoc(),
Derived, E->getType()); Derived, E->getType());
if (SanOpts.has(SanitizerKind::CFIDerivedCast))
EmitVTablePtrCheckForCast(E->getType(), Derived, /*MayBeNull=*/false);
return MakeAddrLValue(Derived, E->getType()); return MakeAddrLValue(Derived, E->getType());
} }
case CK_LValueBitCast: { case CK_LValueBitCast: {
// This must be a reinterpret_cast (or c-style equivalent). // This must be a reinterpret_cast (or c-style equivalent).
const auto *CE = cast<ExplicitCastExpr>(E); const auto *CE = cast<ExplicitCastExpr>(E);
LValue LV = EmitLValue(E->getSubExpr()); LValue LV = EmitLValue(E->getSubExpr());
llvm::Value *V = Builder.CreateBitCast(LV.getAddress(), llvm::Value *V = Builder.CreateBitCast(LV.getAddress(),
ConvertType(CE->getTypeAsWritten())); ConvertType(CE->getTypeAsWritten()));
if (SanOpts.has(SanitizerKind::CFIUnrelatedCast))
EmitVTablePtrCheckForCast(E->getType(), V, /*MayBeNull=*/false);
return MakeAddrLValue(V, E->getType()); return MakeAddrLValue(V, E->getType());
} }
case CK_ObjCObjectLValueCast: { case CK_ObjCObjectLValueCast: {
LValue LV = EmitLValue(E->getSubExpr()); LValue LV = EmitLValue(E->getSubExpr());
QualType ToType = getContext().getLValueReferenceType(E->getType()); QualType ToType = getContext().getLValueReferenceType(E->getType());
llvm::Value *V = Builder.CreateBitCast(LV.getAddress(), llvm::Value *V = Builder.CreateBitCast(LV.getAddress(),
ConvertType(ToType)); ConvertType(ToType));
return MakeAddrLValue(V, E->getType()); return MakeAddrLValue(V, E->getType());
▲ Show 20 LinesShow All 504 LinesShow Last 20 Lines

lib/CodeGen/CGExprScalar.cpp

Show First 20 LinesShow All 1,349 Lines▼ Show 20 Lines case CK_BitCast: {
Value *Src = Visit(const_cast<Expr*>(E)); Value *Src = Visit(const_cast<Expr*>(E));
llvm::Type *SrcTy = Src->getType(); llvm::Type *SrcTy = Src->getType();
llvm::Type *DstTy = ConvertType(DestTy); llvm::Type *DstTy = ConvertType(DestTy);
if (SrcTy->isPtrOrPtrVectorTy() && DstTy->isPtrOrPtrVectorTy() && if (SrcTy->isPtrOrPtrVectorTy() && DstTy->isPtrOrPtrVectorTy() &&
SrcTy->getPointerAddressSpace() != DstTy->getPointerAddressSpace()) { SrcTy->getPointerAddressSpace() != DstTy->getPointerAddressSpace()) {
llvm_unreachable("wrong cast for pointers in different address spaces" llvm_unreachable("wrong cast for pointers in different address spaces"
"(must be an address space cast)!"); "(must be an address space cast)!");
} }
if (CGF.SanOpts.has(SanitizerKind::CFIUnrelatedCast)) {
if (auto PT = DestTy->getAs<PointerType>())
CGF.EmitVTablePtrCheckForCast(PT->getPointeeType(), Src,
/*MayBeNull=*/true);
}
return Builder.CreateBitCast(Src, DstTy); return Builder.CreateBitCast(Src, DstTy);
} }
case CK_AddressSpaceConversion: { case CK_AddressSpaceConversion: {
Value *Src = Visit(const_cast<Expr*>(E)); Value *Src = Visit(const_cast<Expr*>(E));
return Builder.CreateAddrSpaceCast(Src, ConvertType(DestTy)); return Builder.CreateAddrSpaceCast(Src, ConvertType(DestTy));
} }
case CK_AtomicToNonAtomic: case CK_AtomicToNonAtomic:
case CK_NonAtomicToAtomic: case CK_NonAtomicToAtomic:
Show All 13 Lines llvm::Value *Derived =
ShouldNullCheckClassCastValue(CE)); ShouldNullCheckClassCastValue(CE));
// C++11 [expr.static.cast]p11: Behavior is undefined if a downcast is // C++11 [expr.static.cast]p11: Behavior is undefined if a downcast is
// performed and the object is not of the derived type. // performed and the object is not of the derived type.
if (CGF.sanitizePerformTypeCheck()) if (CGF.sanitizePerformTypeCheck())
CGF.EmitTypeCheck(CodeGenFunction::TCK_DowncastPointer, CE->getExprLoc(), CGF.EmitTypeCheck(CodeGenFunction::TCK_DowncastPointer, CE->getExprLoc(),
Derived, DestTy->getPointeeType()); Derived, DestTy->getPointeeType());
if (CGF.SanOpts.has(SanitizerKind::CFIDerivedCast))
CGF.EmitVTablePtrCheckForCast(DestTy->getPointeeType(), Derived,
/*MayBeNull=*/true);
return Derived; return Derived;
} }
case CK_UncheckedDerivedToBase: case CK_UncheckedDerivedToBase:
case CK_DerivedToBase: { case CK_DerivedToBase: {
const CXXRecordDecl *DerivedClassDecl = const CXXRecordDecl *DerivedClassDecl =
E->getType()->getPointeeCXXRecordDecl(); E->getType()->getPointeeCXXRecordDecl();
assert(DerivedClassDecl && "DerivedToBase arg isn't a C++ object pointer!"); assert(DerivedClassDecl && "DerivedToBase arg isn't a C++ object pointer!");
▲ Show 20 LinesShow All 2,120 LinesShow Last 20 Lines

lib/CodeGen/CodeGenFunction.h

Show First 20 LinesShow All 1,282 Lines▼ Show 20 Lines void InitializeVTablePointers(BaseSubobject Base,
VisitedVirtualBasesSetTy& VBases); VisitedVirtualBasesSetTy& VBases);
void InitializeVTablePointers(const CXXRecordDecl *ClassDecl); void InitializeVTablePointers(const CXXRecordDecl *ClassDecl);
/// GetVTablePtr - Return the Value of the vtable pointer member pointed /// GetVTablePtr - Return the Value of the vtable pointer member pointed
/// to by This. /// to by This.
llvm::Value *GetVTablePtr(llvm::Value *This, llvm::Type *Ty); llvm::Value *GetVTablePtr(llvm::Value *This, llvm::Type *Ty);
/// \brief Derived is the presumed address of an object of type T after a
/// cast. If T is a polymorphic class type, emit a check that the virtual
/// table for Derived belongs to a class derived from T.
void EmitVTablePtrCheckForCast(QualType T, llvm::Value *Derived,
bool MayBeNull);
/// EmitVTablePtrCheckForCall - Virtual method MD is being called via VTable. /// EmitVTablePtrCheckForCall - Virtual method MD is being called via VTable.
/// If vptr CFI is enabled, emit a check that VTable is valid. /// If vptr CFI is enabled, emit a check that VTable is valid.
void EmitVTablePtrCheckForCall(const CXXMethodDecl *MD, llvm::Value *VTable); void EmitVTablePtrCheckForCall(const CXXMethodDecl *MD, llvm::Value *VTable);
/// EmitVTablePtrCheck - Emit a check that VTable is a valid virtual table for
/// RD using llvm.bitset.test.
void EmitVTablePtrCheck(const CXXRecordDecl *RD, llvm::Value *VTable);
/// CanDevirtualizeMemberFunctionCalls - Checks whether virtual calls on given /// CanDevirtualizeMemberFunctionCalls - Checks whether virtual calls on given
/// expr can be devirtualized. /// expr can be devirtualized.
bool CanDevirtualizeMemberFunctionCall(const Expr *Base, bool CanDevirtualizeMemberFunctionCall(const Expr *Base,
const CXXMethodDecl *MD); const CXXMethodDecl *MD);
/// EnterDtorCleanups - Enter the cleanups necessary to complete the /// EnterDtorCleanups - Enter the cleanups necessary to complete the
/// given phase of destruction for a destructor. The end result /// given phase of destruction for a destructor. The end result
/// should call destructors on members and base classes in reverse /// should call destructors on members and base classes in reverse
▲ Show 20 LinesShow All 1,574 LinesShow Last 20 Lines

lib/Driver/SanitizerArgs.cpp

Show First 20 LinesShow All 42 Lines▼ Show 20 Lines#include "clang/Basic/Sanitizers.def"
NeedsUbsanRt = Undefined | Integer, NeedsUbsanRt = Undefined | Integer,
NotAllowedWithTrap = Vptr, NotAllowedWithTrap = Vptr,
RequiresPIE = Memory | DataFlow, RequiresPIE = Memory | DataFlow,
NeedsUnwindTables = Address | Thread | Memory | DataFlow, NeedsUnwindTables = Address | Thread | Memory | DataFlow,
SupportsCoverage = Address | Memory | Leak | Undefined | Integer, SupportsCoverage = Address | Memory | Leak | Undefined | Integer,
RecoverableByDefault = Undefined | Integer, RecoverableByDefault = Undefined | Integer,
Unrecoverable = Address | Unreachable | Return, Unrecoverable = Address | Unreachable | Return,
LegacyFsanitizeRecoverMask = Undefined | Integer, LegacyFsanitizeRecoverMask = Undefined | Integer,
NeedsLTO = CFIVptr, NeedsLTO = CFIDerivedCast | CFIUnrelatedCast | CFIVptr,
}; };
} }
/// Returns true if set of \p Sanitizers contain at least one sanitizer from /// Returns true if set of \p Sanitizers contain at least one sanitizer from
/// \p Kinds. /// \p Kinds.
static bool hasOneOf(const clang::SanitizerSet &Sanitizers, uint64_t Kinds) { static bool hasOneOf(const clang::SanitizerSet &Sanitizers, uint64_t Kinds) {
#define SANITIZER(NAME, ID) \ #define SANITIZER(NAME, ID) \
if (Sanitizers.has(clang::SanitizerKind::ID) && (Kinds & ID)) \ if (Sanitizers.has(clang::SanitizerKind::ID) && (Kinds & ID)) \
▲ Show 20 LinesShow All 85 Lines▼ Show 20 Linesbool SanitizerArgs::requiresPIE() const {
return AsanZeroBaseShadow || hasOneOf(Sanitizers, RequiresPIE); return AsanZeroBaseShadow || hasOneOf(Sanitizers, RequiresPIE);
} }
bool SanitizerArgs::needsUnwindTables() const { bool SanitizerArgs::needsUnwindTables() const {
return hasOneOf(Sanitizers, NeedsUnwindTables); return hasOneOf(Sanitizers, NeedsUnwindTables);
} }
bool SanitizerArgs::needsLTO() const { bool SanitizerArgs::needsLTO() const {
return hasOneOf(Sanitizers, CFIVptr); return hasOneOf(Sanitizers, NeedsLTO);
} }
void SanitizerArgs::clear() { void SanitizerArgs::clear() {
Sanitizers.clear(); Sanitizers.clear();
RecoverableSanitizers.clear(); RecoverableSanitizers.clear();
BlacklistFiles.clear(); BlacklistFiles.clear();
SanitizeCoverage = 0; SanitizeCoverage = 0;
MsanTrackOrigins = 0; MsanTrackOrigins = 0;
▲ Show 20 LinesShow All 415 LinesShow Last 20 Lines

test/CodeGenCXX/cfi-cast.cpp

  • This file was added.
// RUN: %clang_cc1 -triple x86_64-unknown-linux -fsanitize=cfi-derived-cast -emit-llvm -o - %s | FileCheck -check-prefix=CHECK-DCAST %s
// RUN: %clang_cc1 -triple x86_64-unknown-linux -fsanitize=cfi-unrelated-cast -emit-llvm -o - %s | FileCheck -check-prefix=CHECK-UCAST %s
// RUN: %clang_cc1 -triple x86_64-unknown-linux -fsanitize=cfi-unrelated-cast,cfi-cast-strict -emit-llvm -o - %s | FileCheck -check-prefix=CHECK-UCAST-STRICT %s
// In this test the main thing we are searching for is something like
jfbUnsubmitted
Not Done
ReplyInline Actions

Could you have a quick blurb that helps decipher the metadata !"1B' part, explaining that it's the important bit in the checks.

jfb: Could you have a quick blurb that helps decipher the `metadata !"1B'` part, explaining that…
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Done

pcc: Done
// 'metadata !"1B"' where "1B" is the mangled name of the class we are
// casting to (or maybe its base class in non-strict mode).
struct A {
virtual void f();
};
struct B : A {
virtual void f();
};
jfbUnsubmitted
Not Done
ReplyInline Actions

CHECK-LABEL-DCAST (same below).

jfb: `CHECK-LABEL-DCAST` (same below).
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Done

pcc: Done
struct C : A {};
// CHECK-DCAST-LABEL: define void @_Z3abpP1A
void abp(A *a) {
// CHECK-DCAST: [[P:%[^ ]*]] = call i1 @llvm.bitset.test(i8* {{%[^ ]*}}, metadata !"1B")
// CHECK-DCAST-NEXT: br i1 [[P]], label %[[CONTBB:[^ ]*]], label %[[TRAPBB:[^ ]*]]
// CHECK-DCAST: [[TRAPBB]]
// CHECK-DCAST-NEXT: call void @llvm.trap()
// CHECK-DCAST-NEXT: unreachable
// CHECK-DCAST: [[CONTBB]]
// CHECK-DCAST: ret
static_cast<B*>(a);
}
// CHECK-DCAST-LABEL: define void @_Z3abrR1A
void abr(A &a) {
// CHECK-DCAST: [[P:%[^ ]*]] = call i1 @llvm.bitset.test(i8* {{%[^ ]*}}, metadata !"1B")
// CHECK-DCAST-NEXT: br i1 [[P]], label %[[CONTBB:[^ ]*]], label %[[TRAPBB:[^ ]*]]
// CHECK-DCAST: [[TRAPBB]]
// CHECK-DCAST-NEXT: call void @llvm.trap()
// CHECK-DCAST-NEXT: unreachable
// CHECK-DCAST: [[CONTBB]]
// CHECK-DCAST: ret
static_cast<B&>(a);
}
// CHECK-DCAST-LABEL: define void @_Z4abrrO1A
void abrr(A &&a) {
// CHECK-DCAST: [[P:%[^ ]*]] = call i1 @llvm.bitset.test(i8* {{%[^ ]*}}, metadata !"1B")
// CHECK-DCAST-NEXT: br i1 [[P]], label %[[CONTBB:[^ ]*]], label %[[TRAPBB:[^ ]*]]
// CHECK-DCAST: [[TRAPBB]]
// CHECK-DCAST-NEXT: call void @llvm.trap()
// CHECK-DCAST-NEXT: unreachable
// CHECK-DCAST: [[CONTBB]]
// CHECK-DCAST: ret
static_cast<B&>(a);
jfbUnsubmitted
Not Done
ReplyInline Actions

B&&

jfb: `B&&`
}
// CHECK-UCAST-LABEL: define void @_Z3vbpPv
void vbp(void *p) {
// CHECK-UCAST: [[P:%[^ ]*]] = call i1 @llvm.bitset.test(i8* {{%[^ ]*}}, metadata !"1B")
// CHECK-UCAST-NEXT: br i1 [[P]], label %[[CONTBB:[^ ]*]], label %[[TRAPBB:[^ ]*]]
// CHECK-UCAST: [[TRAPBB]]
// CHECK-UCAST-NEXT: call void @llvm.trap()
// CHECK-UCAST-NEXT: unreachable
// CHECK-UCAST: [[CONTBB]]
// CHECK-UCAST: ret
static_cast<B*>(p);
}
// CHECK-UCAST-LABEL: define void @_Z3vbrRc
void vbr(char &r) {
// CHECK-UCAST: [[P:%[^ ]*]] = call i1 @llvm.bitset.test(i8* {{%[^ ]*}}, metadata !"1B")
// CHECK-UCAST-NEXT: br i1 [[P]], label %[[CONTBB:[^ ]*]], label %[[TRAPBB:[^ ]*]]
jfbUnsubmitted
Not Done
ReplyInline Actions

Add rvalue ref test?

A a();

B rvalue() {
  return static_cast<B&&>(a());
}
jfb: Add rvalue ref test? ``` A a(); B rvalue() { return static_cast<B&&>(a()); } ```
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

pcc: Done.
// CHECK-UCAST: [[TRAPBB]]
// CHECK-UCAST-NEXT: call void @llvm.trap()
// CHECK-UCAST-NEXT: unreachable
// CHECK-UCAST: [[CONTBB]]
// CHECK-UCAST: ret
reinterpret_cast<B&>(r);
}
// CHECK-UCAST-LABEL: define void @_Z4vbrrOc
void vbrr(char &&r) {
// CHECK-UCAST: [[P:%[^ ]*]] = call i1 @llvm.bitset.test(i8* {{%[^ ]*}}, metadata !"1B")
// CHECK-UCAST-NEXT: br i1 [[P]], label %[[CONTBB:[^ ]*]], label %[[TRAPBB:[^ ]*]]
// CHECK-UCAST: [[TRAPBB]]
// CHECK-UCAST-NEXT: call void @llvm.trap()
// CHECK-UCAST-NEXT: unreachable
// CHECK-UCAST: [[CONTBB]]
// CHECK-UCAST: ret
reinterpret_cast<B&&>(r);
}
// CHECK-UCAST-LABEL: define void @_Z3vcpPv
// CHECK-UCAST-STRICT-LABEL: define void @_Z3vcpPv
void vcp(void *p) {
// CHECK-UCAST: [[P:%[^ ]*]] = call i1 @llvm.bitset.test(i8* {{%[^ ]*}}, metadata !"1A")
// CHECK-UCAST-STRICT: [[P:%[^ ]*]] = call i1 @llvm.bitset.test(i8* {{%[^ ]*}}, metadata !"1C")
static_cast<C*>(p);
}

test/Driver/fsanitize.c

Show First 20 LinesShow All 195 Lines▼ Show 20 Lines
// RUN: %clang -target x86_64-apple-darwin10 -fsanitize=function %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSAN-DARWIN // RUN: %clang -target x86_64-apple-darwin10 -fsanitize=function %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSAN-DARWIN
// CHECK-FSAN-DARWIN: unsupported option '-fsanitize=function' for target 'x86_64-apple-darwin10' // CHECK-FSAN-DARWIN: unsupported option '-fsanitize=function' for target 'x86_64-apple-darwin10'
// RUN: %clang -target x86_64-apple-darwin10 -fsanitize=function -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSAN-UBSAN-DARWIN // RUN: %clang -target x86_64-apple-darwin10 -fsanitize=function -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSAN-UBSAN-DARWIN
// CHECK-FSAN-UBSAN-DARWIN: unsupported option '-fsanitize=function' for target 'x86_64-apple-darwin10' // CHECK-FSAN-UBSAN-DARWIN: unsupported option '-fsanitize=function' for target 'x86_64-apple-darwin10'
// RUN: %clang -target x86_64-linux-gnu -fsanitize=cfi -c %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-CFI // RUN: %clang -target x86_64-linux-gnu -fsanitize=cfi -c %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-CFI
// RUN: %clang -target x86_64-linux-gnu -fsanitize=cfi-vptr -c %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-CFI // RUN: %clang -target x86_64-linux-gnu -fsanitize=cfi-derived-cast -c %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-CFI-DCAST
// CHECK-CFI: -emit-llvm-bc{{.*}}-fsanitize=cfi-vptr // RUN: %clang -target x86_64-linux-gnu -fsanitize=cfi-unrelated-cast -c %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-CFI-UCAST
// RUN: %clang -target x86_64-linux-gnu -fsanitize=cfi-vptr -c %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-CFI-VPTR
// CHECK-CFI: -emit-llvm-bc{{.*}}-fsanitize=cfi-derived-cast,cfi-unrelated-cast,cfi-vptr
// CHECK-CFI-DCAST: -emit-llvm-bc{{.*}}-fsanitize=cfi-derived-cast
// CHECK-CFI-UCAST: -emit-llvm-bc{{.*}}-fsanitize=cfi-unrelated-cast
// CHECK-CFI-VPTR: -emit-llvm-bc{{.*}}-fsanitize=cfi-vptr
// RUN: %clang_cl -fsanitize=address -c -MDd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL // RUN: %clang_cl -fsanitize=address -c -MDd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL
// RUN: %clang_cl -fsanitize=address -c -MTd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL // RUN: %clang_cl -fsanitize=address -c -MTd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL
// RUN: %clang_cl -fsanitize=address -c -LDd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL // RUN: %clang_cl -fsanitize=address -c -LDd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL
// RUN: %clang_cl -fsanitize=address -c -MD -MDd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL // RUN: %clang_cl -fsanitize=address -c -MD -MDd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL
// RUN: %clang_cl -fsanitize=address -c -MT -MTd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL // RUN: %clang_cl -fsanitize=address -c -MT -MTd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL
// RUN: %clang_cl -fsanitize=address -c -LD -LDd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL // RUN: %clang_cl -fsanitize=address -c -LD -LDd -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-DEBUGRTL
// CHECK-ASAN-DEBUGRTL: error: invalid argument // CHECK-ASAN-DEBUGRTL: error: invalid argument
Show All 10 Lines