This is an archive of the discontinued LLVM Phabricator instance.

Differential D122748

[Sema] Don't check bounds for function pointer
ClosedPublic

Authored by ArcsinX on Mar 30 2022, 10:21 AM.

Details

Reviewers
aaron.ballman
erichkeane
abhinavgaba
chrish_ericsson_atx
Commits
rGb2c3ae0b6f05: [Sema] Don't check bounds for function pointer
Summary

Currently, clang crashes with i386 target on the following code:

void f() {
  f + 0xdead000000000000UL;
}

This problem is similar to the problem fixed in D104424, but that fix can't handle function pointer case, because getTypeSizeInCharsIfKnown() says that size is known and equal to 0 for function type.

This patch prevents bounds checking for function pointer, thus fixes the crash.

Fixes https://github.com/llvm/llvm-project/issues/50463

Diff Detail

Event Timeline

ArcsinX created this revision.Mar 30 2022, 10:21 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 30 2022, 10:21 AM
ArcsinX requested review of this revision.Mar 30 2022, 10:21 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 30 2022, 10:21 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
erichkeane added a comment.Mar 30 2022, 10:36 AM

It seems like this entire section of code was added here: https://github.com/llvm/llvm-project/commit/ce44fe199bbfd4b5a44764b678c431fdc117116a

@chrish_ericsson_atx should probably take a look at this. That said, we might not want to early-exist here, I think we can just skip the IsUnboundedArray branch? This example worked correctly in the 12.0 branch, so I think it was fine before then.

ArcsinX updated this revision to Diff 419242.Mar 30 2022, 12:17 PM

Check for function type only if IsUnboundedArray is true

ArcsinX added a comment.Mar 30 2022, 12:20 PM
In D122748#3417240, @erichkeane wrote:

That said, we might not want to early-exist here, I think we can just skip the IsUnboundedArray branch?

It seems you are right, thanks, fixed.

erichkeane added a comment.Mar 30 2022, 12:20 PM

I think I'm generally in favor, would still like to see the feedback from the original submitter here to see if there is more work to do in here that would be valuable.

clang/lib/Sema/SemaChecking.cpp
15498

Ah, I see... I originally made the comment thinking that we wanted to be able to get to ~15540 (which this 'return' would seem to undo), but I see this block ends in 'return' anyway. I'm happy with this change the way it is.

Harbormaster completed remote builds in B157034: Diff 419242.Mar 31 2022, 1:17 AM
ArcsinX added a comment.Apr 6 2022, 4:49 AM

Friendly ping.

In D122748#3417500, @erichkeane wrote:

would still like to see the feedback from the original submitter here to see if there is more work to do in here that would be valuable.

Unsure, maybe we can process without him? It seems his last activity here was more than six months ago.

ArcsinX added a comment.Apr 13 2022, 6:34 AM

Friendly ping

erichkeane accepted this revision.Apr 13 2022, 6:37 AM

Friendly ping

Unfriendly LGTM.

This revision is now accepted and ready to land.Apr 13 2022, 6:37 AM
Closed by commit rGb2c3ae0b6f05: [Sema] Don't check bounds for function pointer (authored by ArcsinX). · Explain WhyApr 13 2022, 10:43 AM
This revision was automatically updated to reflect the committed changes.
ArcsinX added a commit: rGb2c3ae0b6f05: [Sema] Don't check bounds for function pointer.

Revision Contents

PathSize
clang/
lib/
Sema/
2 lines
test/
Sema/
4 lines

Diff 422563

clang/lib/Sema/SemaChecking.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 15,489 Lines▼ Show 20 Linesvoid Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr,
const NamedDecl *ND = nullptr; const NamedDecl *ND = nullptr;
if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr)) if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
ND = DRE->getDecl(); ND = DRE->getDecl();
if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr))
ND = ME->getMemberDecl(); ND = ME->getMemberDecl();
if (IsUnboundedArray) { if (IsUnboundedArray) {
if (EffectiveType->isFunctionType())
erichkeaneUnsubmitted
Not Done
ReplyInline Actions

Ah, I see... I originally made the comment thinking that we wanted to be able to get to ~15540 (which this 'return' would seem to undo), but I see this block ends in 'return' anyway. I'm happy with this change the way it is.

erichkeane: Ah, I see... I originally made the comment thinking that we wanted to be able to get to ~15540…
return;
if (index.isUnsigned() || !index.isNegative()) { if (index.isUnsigned() || !index.isNegative()) {
const auto &ASTC = getASTContext(); const auto &ASTC = getASTContext();
unsigned AddrBits = unsigned AddrBits =
ASTC.getTargetInfo().getPointerWidth(ASTC.getTargetAddressSpace( ASTC.getTargetInfo().getPointerWidth(ASTC.getTargetAddressSpace(
EffectiveType->getCanonicalTypeInternal())); EffectiveType->getCanonicalTypeInternal()));
if (index.getBitWidth() < AddrBits) if (index.getBitWidth() < AddrBits)
index = index.zext(AddrBits); index = index.zext(AddrBits);
Optional<CharUnits> ElemCharUnits = Optional<CharUnits> ElemCharUnits =
▲ Show 20 LinesShow All 1,938 LinesShow Last 20 Lines

clang/test/Sema/unbounded-array-bounds.c

Show First 20 LinesShow All 74 Lines▼ Show 20 Linesvoid f6(void) {
// Should NOT produce a warning. // Should NOT produce a warning.
*(middle + 5 - N) = 22; *(middle + 5 - N) = 22;
} }
void pr50741(void) { void pr50741(void) {
(void *)0 + 0xdead000000000000UL; (void *)0 + 0xdead000000000000UL;
// no array-bounds warning, and no crash // no array-bounds warning, and no crash
} }
void func() {
func + 0xdead000000000000UL; // no crash
}