This is an archive of the discontinued LLVM Phabricator instance.

Differential D11951

Implement poisoning of only class members in dtor, and verify emitted code for dtors of classes with virtual base dtors.
ClosedPublic

Authored by nmusgrave on Aug 11 2015, 11:12 AM.

Details

Reviewers
kcc
eugenis
Commits
rGe50cb9b9c8b3: Fix previous commit: poison only class members, simpler tests
rG9bd83fd465b7: Implement poisoning of only class members in dtor, as opposed to also poisoning…
rC244933: Fix previous commit: poison only class members, simpler tests
rC244819: Implement poisoning of only class members in dtor, as opposed to also poisoning…
rL244819: Implement poisoning of only class members in dtor, as opposed to also…
Summary

Poisoning applied to only class members, and before dtors for base class invoked

Diff Detail

Event Timeline

nmusgrave updated this revision to Diff 31834.Aug 11 2015, 11:12 AM
nmusgrave updated this revision to Diff 31836.
nmusgrave retitled this revision from to Implement poisoning of only class members in dtor, and verify emitted code for dtors of classes with virtual base dtors..
nmusgrave updated this object.
nmusgrave added reviewers: eugenis, kcc.
  • Removed patch file containing extraneous changes
eugenis edited edge metadata.Aug 11 2015, 11:33 AM

I assume this makes the XFAIL-ed test in compiler-rt pass? Then you need to remove the XFAIL either in this change, or in another, simultaneously committed change.

Please check that this does the right thing for non-trivial class members. This should be tested in compiler-rt. In any case, this seems to be a change in the right direction.

lib/CodeGen/CGClass.cpp
1383

So if there are 0 fields, you poison the entire object? This does not sound right.

1389

There must be a way to do this with a single GEP, without bitcasting to int8ptrty. See how clang emits member address expression, like &(a->b).

test/CodeGenCXX/sanitize-dtor-derived-class.cpp
28

Don't need {{.*}} at the end of the line.

nmusgrave updated this revision to Diff 31978.Aug 12 2015, 1:55 PM
nmusgrave marked an inline comment as done.
nmusgrave edited edge metadata.
  • clang tests to verify dtor sanitizing function emitted only in the last dtor of this class, and before base dtors are invoked
eugenis accepted this revision.Aug 12 2015, 2:21 PM
eugenis edited edge metadata.

LGTM with a nit

lib/CodeGen/CGClass.cpp
1396

No need to emit the call is PoisonSize is 0.

This revision is now accepted and ready to land.Aug 12 2015, 2:21 PM
nmusgrave updated this revision to Diff 31984.Aug 12 2015, 2:29 PM
nmusgrave edited edge metadata.
  • Removed patch file containing extraneous changes
  • clang tests to verify dtor sanitizing function emitted only in the last dtor of this class, and before base dtors are invoked
  • skip poisoning if class has no fields
Closed by commit rL244819: Implement poisoning of only class members in dtor, as opposed to also… (authored by nmusgrave). · Explain WhyAug 12 2015, 2:38 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
CodeGen/
37 lines
test/
CodeGenCXX/
62 lines
10 lines

Diff 31836

lib/CodeGen/CGClass.cpp

Show First 20 LinesShow All 1,370 Lines▼ Show 20 Lines
// references to 'this' and its size as arguments. // references to 'this' and its size as arguments.
// Disables tail call elimination, to prevent the current stack frame from // Disables tail call elimination, to prevent the current stack frame from
// disappearing from the stack trace. // disappearing from the stack trace.
static void EmitDtorSanitizerCallback(CodeGenFunction &CGF, static void EmitDtorSanitizerCallback(CodeGenFunction &CGF,
const CXXDestructorDecl *Dtor) { const CXXDestructorDecl *Dtor) {
const ASTRecordLayout &Layout = const ASTRecordLayout &Layout =
CGF.getContext().getASTRecordLayout(Dtor->getParent()); CGF.getContext().getASTRecordLayout(Dtor->getParent());
// Construct pointer to region to begin poisoning, and calculate poison
// size, so that only members declared in this class are poisoned.
llvm::Value *OffsetPtr;
CharUnits::QuantityType PoisonSize;
if(Layout.getFieldCount() > 0) {
eugenisUnsubmitted
Not Done
ReplyInline Actions

So if there are 0 fields, you poison the entire object? This does not sound right.

eugenis: So if there are 0 fields, you poison the entire object? This does not sound right.
ASTContext &Context = CGF.getContext();
llvm::ConstantInt *OffsetSizePtr = llvm::ConstantInt::get(CGF.SizeTy,
Context.toCharUnitsFromBits(Layout.getFieldOffset(0)).getQuantity());
OffsetPtr = CGF.Builder.CreateGEP(CGF.Builder.
CreateBitCast(CGF.LoadCXXThis(), CGF.Int8PtrTy), OffsetSizePtr);
eugenisUnsubmitted
Not Done
ReplyInline Actions

There must be a way to do this with a single GEP, without bitcasting to int8ptrty. See how clang emits member address expression, like &(a->b).

eugenis: There must be a way to do this with a single GEP, without bitcasting to int8ptrty. See how…
PoisonSize = Layout.getSize().getQuantity() -
Context.toCharUnitsFromBits(Layout.getFieldOffset(0)).getQuantity();
} else {
OffsetPtr = CGF.LoadCXXThis();
PoisonSize = Layout.getSize().getQuantity();
}
eugenisUnsubmitted
Not Done
ReplyInline Actions

No need to emit the call is PoisonSize is 0.

eugenis: No need to emit the call is PoisonSize is 0.
llvm::Value *Args[] = { llvm::Value *Args[] = {
CGF.Builder.CreateBitCast(CGF.LoadCXXThis(), CGF.VoidPtrTy), CGF.Builder.CreateBitCast(OffsetPtr, CGF.VoidPtrTy),
llvm::ConstantInt::get(CGF.SizeTy, Layout.getSize().getQuantity())}; llvm::ConstantInt::get(CGF.SizeTy, PoisonSize)};
llvm::Type *ArgTypes[] = {CGF.VoidPtrTy, CGF.SizeTy}; llvm::Type *ArgTypes[] = {CGF.VoidPtrTy, CGF.SizeTy};
llvm::FunctionType *FnType = llvm::FunctionType *FnType =
llvm::FunctionType::get(CGF.VoidTy, ArgTypes, false); llvm::FunctionType::get(CGF.VoidTy, ArgTypes, false);
llvm::Value *Fn = llvm::Value *Fn =
CGF.CGM.CreateRuntimeFunction(FnType, "__sanitizer_dtor_callback"); CGF.CGM.CreateRuntimeFunction(FnType, "__sanitizer_dtor_callback");
// Disables tail call elimination, to prevent the current stack frame from
// disappearing from the stack trace.
CGF.CurFn->addFnAttr("disable-tail-calls", "true"); CGF.CurFn->addFnAttr("disable-tail-calls", "true");
CGF.EmitNounwindRuntimeCall(Fn, Args); CGF.EmitNounwindRuntimeCall(Fn, Args);
} }
/// EmitDestructorBody - Emits the body of the current destructor. /// EmitDestructorBody - Emits the body of the current destructor.
void CodeGenFunction::EmitDestructorBody(FunctionArgList &Args) { void CodeGenFunction::EmitDestructorBody(FunctionArgList &Args) {
const CXXDestructorDecl *Dtor = cast<CXXDestructorDecl>(CurGD.getDecl()); const CXXDestructorDecl *Dtor = cast<CXXDestructorDecl>(CurGD.getDecl());
CXXDtorType DtorType = CurGD.getDtorType(); CXXDtorType DtorType = CurGD.getDtorType();
Show All 16 Linesvoid CodeGenFunction::EmitDestructorBody(FunctionArgList &Args) {
// If the body is a function-try-block, enter the try before // If the body is a function-try-block, enter the try before
// anything else. // anything else.
bool isTryBody = (Body && isa<CXXTryStmt>(Body)); bool isTryBody = (Body && isa<CXXTryStmt>(Body));
if (isTryBody) if (isTryBody)
EnterCXXTryStmt(*cast<CXXTryStmt>(Body), true); EnterCXXTryStmt(*cast<CXXTryStmt>(Body), true);
EmitAsanPrologueOrEpilogue(false); EmitAsanPrologueOrEpilogue(false);
// Insert memory-poisoning instrumentation, before final clean ups,
// to ensure this class's members are protected from invalid access.
if (CGM.getCodeGenOpts().SanitizeMemoryUseAfterDtor
&& SanOpts.has(SanitizerKind::Memory))
EmitDtorSanitizerCallback(*this, Dtor);
// Enter the epilogue cleanups. // Enter the epilogue cleanups.
RunCleanupsScope DtorEpilogue(*this); RunCleanupsScope DtorEpilogue(*this);
// If this is the complete variant, just invoke the base variant; // If this is the complete variant, just invoke the base variant;
// the epilogue will destruct the virtual bases. But we can't do // the epilogue will destruct the virtual bases. But we can't do
// this optimization if the body is a function-try-block, because // this optimization if the body is a function-try-block, because
// we'd introduce *two* handler blocks. In the Microsoft ABI, we // we'd introduce *two* handler blocks. In the Microsoft ABI, we
// always delegate because we might not have a definition in this TU. // always delegate because we might not have a definition in this TU.
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Linesvoid CodeGenFunction::EmitDestructorBody(FunctionArgList &Args) {
} }
// Jump out through the epilogue cleanups. // Jump out through the epilogue cleanups.
DtorEpilogue.ForceCleanup(); DtorEpilogue.ForceCleanup();
// Exit the try if applicable. // Exit the try if applicable.
if (isTryBody) if (isTryBody)
ExitCXXTryStmt(*cast<CXXTryStmt>(Body), true); ExitCXXTryStmt(*cast<CXXTryStmt>(Body), true);
// Insert memory-poisoning instrumentation.
if (CGM.getCodeGenOpts().SanitizeMemoryUseAfterDtor
&& SanOpts.has(SanitizerKind::Memory))
EmitDtorSanitizerCallback(*this, Dtor);
} }
void CodeGenFunction::emitImplicitAssignmentOperatorBody(FunctionArgList &Args) { void CodeGenFunction::emitImplicitAssignmentOperatorBody(FunctionArgList &Args) {
const CXXMethodDecl *AssignOp = cast<CXXMethodDecl>(CurGD.getDecl()); const CXXMethodDecl *AssignOp = cast<CXXMethodDecl>(CurGD.getDecl());
const Stmt *RootS = AssignOp->getBody(); const Stmt *RootS = AssignOp->getBody();
assert(isa<CompoundStmt>(RootS) && assert(isa<CompoundStmt>(RootS) &&
"Body of an implicit assignment operator should be compound stmt."); "Body of an implicit assignment operator should be compound stmt.");
const CompoundStmt *RootCS = cast<CompoundStmt>(RootS); const CompoundStmt *RootCS = cast<CompoundStmt>(RootS);
▲ Show 20 LinesShow All 974 LinesShow Last 20 Lines

test/CodeGenCXX/sanitize-dtor-derived-class.cpp

  • This file was added.
// RUN: %clang_cc1 -fsanitize=memory -fsanitize-memory-use-after-dtor -disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | FileCheck %s
// RUN: %clang_cc1 -O1 -fsanitize=memory -fsanitize-memory-use-after-dtor -disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | FileCheck %s
class Base {
public:
int x;
Base() {
x = 5;
}
virtual ~Base() {
x += 1;
}
};
class Derived : public Base {
public:
int y;
Derived() {
y = 10;
}
~Derived() {
y += 1;
}
};
Derived d;
// CHECK-LABEL: define {{.*}}DerivedD1Ev{{.*}}
eugenisUnsubmitted
Done
ReplyInline Actions

Don't need {{.*}} at the end of the line.

eugenis: Don't need {{.*}} at the end of the line.
// CHECK: call void @__sanitizer_dtor_callback
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}DerivedD2Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void
// CHECK-LABEL: define {{.*}}DerivedD0Ev{{.*}}
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}DerivedD1Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void
// CHECK-LABEL: define {{.*}}BaseD1Ev{{.*}}
// CHECK: call void @__sanitizer_dtor_callback
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}BaseD2Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void
// CHECK-LABEL: define {{.*}}BaseD0Ev{{.*}}
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}BaseD1Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void
// CHECK-LABEL: define {{.*}}BaseD2Ev{{.*}}
// CHECK: call void @__sanitizer_dtor_callback
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void
// CHECK-LABEL: define {{.*}}DerivedD2Ev{{.*}}
// CHECK: call void @__sanitizer_dtor_callback
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void

test/CodeGenCXX/sanitize-dtor-fn-attribute.cpp

Show All 20 Linesint main() {
No_San *ns = new No_San(); No_San *ns = new No_San();
ns->~No_San(); ns->~No_San();
return 0; return 0;
} }
// Repressing the sanitization attribute results in no msan // Repressing the sanitization attribute results in no msan
// instrumentation of the destructor // instrumentation of the destructor
// CHECK: define {{.*}}No_SanD1Ev{{.*}} [[ATTRIBUTE:#[0-9]+]] // CHECK: define {{.*}}No_SanD1Ev{{.*}} [[ATTRIBUTE:#[0-9]+]]
// CHECK: call void {{.*}}No_SanD2Ev
// CHECK: call void @__sanitizer_dtor_callback // CHECK: call void @__sanitizer_dtor_callback
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}No_SanD2Ev
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void // CHECK: ret void
// CHECK-ATTR: define {{.*}}No_SanD1Ev{{.*}} [[ATTRIBUTE:#[0-9]+]] // CHECK-ATTR: define {{.*}}No_SanD1Ev{{.*}} [[ATTRIBUTE:#[0-9]+]]
// CHECK-ATTR-NOT: call void @__sanitizer_dtor_callback
// CHECK-ATTR: call void {{.*}}No_SanD2Ev // CHECK-ATTR: call void {{.*}}No_SanD2Ev
// CHECK-ATTR-NOT: call void @__sanitizer_dtor_callback // CHECK-ATTR-NOT: call void @__sanitizer_dtor_callback
// CHECK-ATTR: ret void // CHECK-ATTR: ret void
// CHECK: define {{.*}}No_SanD2Ev{{.*}} [[ATTRIBUTE:#[0-9]+]] // CHECK: define {{.*}}No_SanD2Ev{{.*}} [[ATTRIBUTE:#[0-9]+]]
// CHECK: call void {{.*}}Vector
// CHECK: call void @__sanitizer_dtor_callback // CHECK: call void @__sanitizer_dtor_callback
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: call void {{.*}}Vector
// CHECK-NOT: call void @__sanitizer_dtor_callback
// CHECK: ret void // CHECK: ret void
// CHECK-ATTR: define {{.*}}No_SanD2Ev{{.*}} [[ATTRIBUTE:#[0-9]+]] // CHECK-ATTR: define {{.*}}No_SanD2Ev{{.*}} [[ATTRIBUTE:#[0-9]+]]
// CHECK-ATTR-NOT: call void @__sanitizer_dtor_callback
// CHECK-ATTR: call void {{.*}}Vector // CHECK-ATTR: call void {{.*}}Vector
// CHECK-ATTR-NOT: call void @__sanitizer_dtor_callback // CHECK-ATTR-NOT: call void @__sanitizer_dtor_callback
// CHECK-ATTR: ret void // CHECK-ATTR: ret void
// When attribute is repressed, the destructor does not emit any tail calls // When attribute is repressed, the destructor does not emit any tail calls
// CHECK: attributes [[ATTRIBUTE]] = {{.*}} sanitize_memory // CHECK: attributes [[ATTRIBUTE]] = {{.*}} sanitize_memory
// CHECK-ATTR-NOT: attributes [[ATTRIBUTE]] = {{.*}} sanitize_memory // CHECK-ATTR-NOT: attributes [[ATTRIBUTE]] = {{.*}} sanitize_memory