This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/test/CodeGen/
-
test/
-
CodeGen/
2/2
bounds-checking-fam.c

Differential D128783

[test] Check for more -fsanitize=array-bounds regressions
ClosedPublic

Authored by sberg on Jun 28 2022, 11:33 PM.

Download Raw Diff

Details

Reviewers

MaskRay
serge-sans-paille

Commits

rG4996e3f68315: [test] Check for more -fsanitize=array-bounds behavior

Summary

...that had been introduced with (since reverted) https://github.com/llvm/llvm-project/commit/886715af962de2c92fac4bd37104450345711e4a "[clang] Introduce -fstrict-flex-arrays=<n> for stricter handling of flexible arrays", and caused issues in the wild:

For one, the HarfBuzz project has various "fake" flexible array members of the form

Type                arrayZ[HB_VAR_ARRAY];

in https://github.com/harfbuzz/harfbuzz/blob/main/src/hb-open-type.hh, where HB_VAR_ARRAY is a macro defined as

#ifndef HB_VAR_ARRAY
#define HB_VAR_ARRAY 1
#endif

in https://github.com/harfbuzz/harfbuzz/blob/main/src/hb-machinery.hh.

For another, the Firebird project in https://github.com/FirebirdSQL/firebird/blob/master/src/lock/lock_proto.h uses a trailing member

srq lhb_hash[1];                        // Hash table

as a "fake" flexible array, but declared in a

struct lhb : public Firebird::MemoryHeader

that is not a standard-layout class (because the Firebird::MemoryHeader base class also declares non-static data members).

(Checking for the second case required changing the test file from C to C++.)

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

sberg created this revision.Jun 28 2022, 11:33 PM

Herald added a project: Restricted Project. · View Herald TranscriptJun 28 2022, 11:33 PM

Herald added a subscriber: StephenFan. · View Herald Transcript

sberg requested review of this revision.Jun 28 2022, 11:33 PM

Harbormaster completed remote builds in B172653: Diff 440863.Jun 29 2022, 12:33 AM

Do we need a C test (just add a -x c RUN line)? @serge-sans-paille Do you think we may likely make C++ stricter than C?

MaskRay retitled this revision from Check for more -fsanitize=array-bounds regressions to [test] Check for more -fsanitize=array-bounds regressions.Jun 29 2022, 1:15 AM

In D128783#3617924, @MaskRay wrote:

Do we need a C test (just add a -x c RUN line)? @serge-sans-paille Do you think we may likely make C++ stricter than C?

I've started a similar discussion on https://reviews.llvm.org/D126864, but I'm fine to discuss that here :-)

Some extra data points:

GCC doesn't special case macro expansion, nor non-standard layout, not even size that result from the expansion of a template parameter.

I *guess* bounds resulting from macro expansion could result from preprocessor parameters and then are somehow variable.

I *guess* bounds resulting from template parameter expansion could result from various template instantiation and then are somehow variable.

I don't have a clue about non-standard layout interaction with FAM.

Following Chesterton's fence we should understand why this was introduced in Clang, because it turns out this actually causes issues to (some) users, and without that knowledge I'd be in favor of adopting GCC behavior and not making C++ stricter than C here.

And note that with current clang, the behavior I describe here is not uniform across clang code base :-/

Updated the prospective git commit message as follow:

[test] Check for more -fsanitize=array-bounds behavior

...that had temporarily regressed with (since reverted)
<https://github.com/llvm/llvm-project/commit/886715af962de2c92fac4bd37104450345711e4a>
"[clang] Introduce -fstrict-flex-arrays=<n> for stricter handling of flexible
arrays", and had then been seen to cause issues in the wild:

For one, the HarfBuzz project has various "fake" flexible array members of the
form

> Type                arrayZ[HB_VAR_ARRAY];

in <https://github.com/harfbuzz/harfbuzz/blob/main/src/hb-open-type.hh>, where
HB_VAR_ARRAY is a macro defined as

> #ifndef HB_VAR_ARRAY
> #define HB_VAR_ARRAY 1
> #endif

in <https://github.com/harfbuzz/harfbuzz/blob/main/src/hb-machinery.hh>.

For another, the Firebird project in
<https://github.com/FirebirdSQL/firebird/blob/master/src/lock/lock_proto.h> uses
a trailing member

>         srq lhb_hash[1];                        // Hash table

as a "fake" flexible array, but declared in a

> struct lhb : public Firebird::MemoryHeader

that is not a standard-layout class (because the Firebird::MemoryHeader base
class also declares non-static data members).

(The second case is specific to C++.  Extend the test setup so that all the
other tests are now run for both C and C++, just in case the behavior could ever
start to diverge for those two languages.)

Differential Revision: https://reviews.llvm.org/D128783

Harbormaster completed remote builds in B172976: Diff 441313.Jun 30 2022, 2:30 AM

serge-sans-paille added inline comments.Jul 1 2022, 12:27 AM

clang/test/CodeGen/bounds-checking-fam.c
55	Another C++-specific behavior: if the bound results from the substitution of a template parameter, event if its value is 1 it's currently not considered a FAM

added test involving template argument substitution

sberg marked an inline comment as done.Jul 1 2022, 2:06 AM

sberg added inline comments.

clang/test/CodeGen/bounds-checking-fam.c
55	I hadn't encountered that in the wild, so didn't bother to create a test for it; but yes, makes sense to add it too

Harbormaster completed remote builds in B173199: Diff 441640.Jul 1 2022, 2:37 AM

clang/test/SemaCXX/array-bounds.cpp has tailpad and metaprogramming tests which may be added here.

Happy when @serge-sans-paille is happy.

This revision is now accepted and ready to land.Jul 1 2022, 10:15 AM

I'm fine with these tests has they reflect current implementation. But beware that ubsan and -Warray-bounds don't behave the same wrt. FAM, which I find disturbing. I'll discuss that in another review.

This revision was landed with ongoing or failed builds.Jul 4 2022, 11:14 PM

Closed by commit rG4996e3f68315: [test] Check for more -fsanitize=array-bounds behavior (authored by sberg). · Explain Why

This revision was automatically updated to reflect the committed changes.

sberg marked an inline comment as done.

sberg added a commit: rG4996e3f68315: [test] Check for more -fsanitize=array-bounds behavior.

Revision Contents

Path

Size

clang/

test/

CodeGen/

bounds-checking-fam.c

45 lines

Diff 442180

clang/test/CodeGen/bounds-checking-fam.c

	// REQUIRES: x86-registered-target			// REQUIRES: x86-registered-target
	// RUN: %clang_cc1 -emit-llvm -triple x86_64 -fsanitize=array-bounds %s -o - \| FileCheck %s --check-prefixes=CHECK,CHECK-STRICT-0			// RUN: %clang_cc1 -emit-llvm -triple x86_64 -fsanitize=array-bounds %s -o - \| FileCheck %s --check-prefixes=CHECK,CHECK-STRICT-0
				// RUN: %clang_cc1 -emit-llvm -triple x86_64 -fsanitize=array-bounds -x c++ %s -o - \| FileCheck %s --check-prefixes=CHECK,CHECK-STRICT-0,CXX,CXX-STRICT-0

	/// Before flexible array member was added to C99, many projects use a			/// Before flexible array member was added to C99, many projects use a
	/// one-element array as the last emember of a structure as an alternative.			/// one-element array as the last emember of a structure as an alternative.
	/// E.g. https://github.com/python/cpython/issues/84301			/// E.g. https://github.com/python/cpython/issues/84301
	/// Suppress such errors by default.			/// Suppress such errors by default.
	struct One {			struct One {
	int a[1];			int a[1];
	};			};
	struct Two {			struct Two {
	int a[2];			int a[2];
	};			};
	struct Three {			struct Three {
	int a[3];			int a[3];
	};			};

	// CHECK-LABEL: define {{.*}} @test_one(			// CHECK-LABEL: define {{.}} @{{.}}test_one{{.*}}(
	int test_one(struct One *p, int i) {			int test_one(struct One *p, int i) {
	// CHECK-STRICT-0-NOT: @__ubsan			// CHECK-STRICT-0-NOT: @__ubsan
	return p->a[i] + (p->a)[i];			return p->a[i] + (p->a)[i];
	}			}

	// CHECK-LABEL: define {{.*}} @test_two(			// CHECK-LABEL: define {{.}} @{{.}}test_two{{.*}}(
	int test_two(struct Two *p, int i) {			int test_two(struct Two *p, int i) {
	// CHECK-STRICT-0: call void @__ubsan_handle_out_of_bounds_abort(			// CHECK-STRICT-0: call void @__ubsan_handle_out_of_bounds_abort(
	return p->a[i] + (p->a)[i];			return p->a[i] + (p->a)[i];
	}			}

	// CHECK-LABEL: define {{.*}} @test_three(			// CHECK-LABEL: define {{.}} @{{.}}test_three{{.*}}(
	int test_three(struct Three *p, int i) {			int test_three(struct Three *p, int i) {
	// CHECK-STRICT-0: call void @__ubsan_handle_out_of_bounds_abort(			// CHECK-STRICT-0: call void @__ubsan_handle_out_of_bounds_abort(
	return p->a[i] + (p->a)[i];			return p->a[i] + (p->a)[i];
	}			}

				#define FLEXIBLE 1
				struct Macro {
				int a[FLEXIBLE];
				};

				// CHECK-LABEL: define {{.}} @{{.}}test_macro{{.*}}(
				int test_macro(struct Macro *p, int i) {
				// CHECK-STRICT-0-NOT: @__ubsan
				return p->a[i] + (p->a)[i];
				}

				#if defined __cplusplus

				struct Base {
				int b;
				};
				struct NoStandardLayout : Base {
				int a[1];
				};
				serge-sans-pailleUnsubmitted Done Reply Inline Actions Another C++-specific behavior: if the bound results from the substitution of a template parameter, event if its value is 1 it's currently not considered a FAM serge-sans-paille: Another C++-specific behavior: if the bound results from the substitution of a template…
				sbergAuthorUnsubmitted Done Reply Inline Actions I hadn't encountered that in the wild, so didn't bother to create a test for it; but yes, makes sense to add it too sberg: I hadn't encountered that in the wild, so didn't bother to create a test for it; but yes, makes…

				// CXX-LABEL: define {{.}} @{{.}}test_nostandardlayout{{.*}}(
				int test_nostandardlayout(NoStandardLayout *p, int i) {
				// CXX-STRICT-0-NOT: @__ubsan
				return p->a[i] + (p->a)[i];
				}

				template<int N> struct Template {
				int a[N];
				};

				// CXX-LABEL: define {{.}} @{{.}}test_template{{.*}}(
				int test_template(Template<1> *p, int i) {
				// CXX-STRICT-0-NOT: @__ubsan
				return p->a[i] + (p->a)[i];
				}

				#endif