This is an archive of the discontinued LLVM Phabricator instance.

Differential D1338

Implement function type checker for the undefined behavior sanitizer.
ClosedPublic

Authored by pcc on Aug 9 2013, 1:30 AM.

Details

Reviewers
rsmith
Commits
rL193058: Implement function type checker for the undefined behavior sanitizer.
Summary

This uses function prefix data to store
function type information at the function pointer.

Diff Detail

Event Timeline

pcc updated this revision to Unknown Object (????).Aug 9 2013, 1:31 PM
  • Also test for the RTTI pointer check code
pcc updated this revision to Unknown Object (????).Sep 15 2013, 6:32 PM

Rebase.

pcc added a comment.Sep 15 2013, 6:35 PM

The LLVM-side dependency for this has landed now.

pcc updated this revision to Unknown Object (????).Oct 10 2013, 7:08 PM
Rebase.
rsmith added a comment.Oct 14 2013, 9:12 PM

Clever! The approach only makes me feel a little uneasy =)

It would be polite to issue a diagnostic if someone explicitly asks for this (not via -fsanitize=undefined) and we don't support it for their target.

lib/CodeGen/CGExpr.cpp
3107

This is a bit hard to parse. (!TargetDecl || !isa<FunctionDecl>(TargetDecl)) maybe?

3108

* on the right.

3112

Some indication of what "PD" stands for here would be useful.

3112–3113

We usually format this as

llvm::Type *PDStructTyElems[] = {
  PDSig->getType(),
  FTRTTIConst->getType()
};

or similar.

3117–3121

What happens if the callee address is at the end of a page and doesn't have the extra data? Could this load trigger a segfault?

3134–3135

Likewise.

lib/CodeGen/CodeGenFunction.cpp
525–526

It'd be nice if we could only do this for address-taken functions. When we take the address of a function, we could emit linkonce_odr thunk with the extra data, and use that instead of the original address... except that would break address-of-function comparisons between instrumented and uninstrumented code. Can we provide an option to enable that behavior for the case where we're OK with an ABI change?

531–532

Does this include the calling convention attributes?

533

Spaces around braces.

lib/CodeGen/TargetInfo.cpp
602–603

What do 'F' and 'T' demangle as? An invalid instruction encoding would give me more confidence here.

pcc updated this revision to Unknown Object (????).Oct 18 2013, 4:06 PM
  • Address code review comments
pcc added a comment.Oct 18 2013, 4:09 PM

It would be polite to issue a diagnostic if someone explicitly asks for this (not via -fsanitize=undefined) and we don't support it for their target.

Hmm, we should probably be doing this for other sanitizers too (e.g. MSan and DFSan are only supported on 64-bit Linux).

lib/CodeGen/CGExpr.cpp
3107

Done.

3108

Done.

3112

Globally replaced 'PD' with 'Prefix'.

3112–3113

Done. clang-format prefers something closer to the formatting I originally used; I'll raise this with the clang-format folks.

3117–3121

It could in principle. In practice, Clang always aligns function bodies to 16 bytes, GCC does it at -O>=2 and GCC (4.4 and 4.6) codegens an empty function body at -O0 with >4 bytes. A quick survey of a number of system libraries (libc, libm, libstdc++) on an Ubuntu machine reveals that the functions are suitably aligned. I think the circumstances in which a segfault might occur are sufficiently rare as to justify doing a single load. If it does turn out to be a problem in practice we could consider splitting the load (perhaps conditional on a command line flag).

3134–3135

Done.

lib/CodeGen/CodeGenFunction.cpp
525–526

I like the idea of doing this as an option, but I would prefer to land this version first.

531–532

Not with the Itanium ABI, which does not have a representation for calling conventions, but the Microsoft ABI (for which calling conventions matter more) does, so once RTTI has been implemented for that ABI, this should respect calling conventions there.

533

Done.

lib/CodeGen/TargetInfo.cpp
602–603

"rex.RX push %rsp", according to objdump. But I don't think it really matters what this decodes to. If the instruction pointer finds itself here the situation isn't dissimilar to jumping into the middle of a multibyte instruction. (Besides, the RTTI pointer could decode to anything.)

rsmith accepted this revision.Oct 18 2013, 4:34 PM

LGTM

lib/CodeGen/CGExpr.cpp
3107

It'd be nice if we could erase these checks if the optimizer resolves the call.

lib/CodeGen/TargetInfo.cpp
602–603

I think it matters: it's not unreasonable for a function to start as:

jmp +8
6 byte loop body
check loop condition
conditional jmp back to loop body

IIUC, your check would flag a false positive on indirect calls to such a function.

However, since the 'F' is an instruction prefix that is redundant on a 'T' (pushq %rsp) instruction, I think it's reasonable to assume that the FT signature will not occur in uninstrumented code.

pcc added a comment.Oct 18 2013, 5:59 PM

What about the compiler-rt changes?

lib/CodeGen/CGExpr.cpp
3107

Sure. A design point of function prefix data is that it permits this sort of optimization. Maybe if I get a chance I'll see if I can teach the optimizer to do this.

lib/CodeGen/TargetInfo.cpp
602–603

I see. I think I agree with your reasoning.

pcc closed this revision.Oct 20 2013, 2:33 PM

Closed by commit rL193058 (authored by @pcc).

MaskRay mentioned this in D119296: KCFI sanitizer.Jun 6 2022, 10:33 PM

Revision Contents

PathSize
docs/
2 lines
include/
clang/
Basic/
7 lines
lib/
CodeGen/
2 lines
4 lines
46 lines
3 lines
1 line
17 lines
8 lines
16 lines
test/
CodeGenCXX/
12 lines
Driver/
4 lines

Diff 3313

docs/UsersManual.rst

Show First 20 LinesShow All 908 Lines▼ Show 20 Lines**-f[no-]sanitize=check1,check2,...**
- ``-fsanitize=enum``: Load of a value of an enumerated type which - ``-fsanitize=enum``: Load of a value of an enumerated type which
is not in the range of representable values for that enumerated is not in the range of representable values for that enumerated
type. type.
- ``-fsanitize=float-cast-overflow``: Conversion to, from, or - ``-fsanitize=float-cast-overflow``: Conversion to, from, or
between floating-point types which would overflow the between floating-point types which would overflow the
destination. destination.
- ``-fsanitize=float-divide-by-zero``: Floating point division by - ``-fsanitize=float-divide-by-zero``: Floating point division by
zero. zero.
- ``-fsanitize=function``: Indirect call of a function through a
function pointer of the wrong type (C++ and x86/x86_64 only).
- ``-fsanitize=integer-divide-by-zero``: Integer division by zero. - ``-fsanitize=integer-divide-by-zero``: Integer division by zero.
- ``-fsanitize=null``: Use of a null pointer or creation of a null - ``-fsanitize=null``: Use of a null pointer or creation of a null
reference. reference.
- ``-fsanitize=object-size``: An attempt to use bytes which the - ``-fsanitize=object-size``: An attempt to use bytes which the
optimizer can determine are not part of the object being optimizer can determine are not part of the object being
accessed. The sizes of objects are determined using accessed. The sizes of objects are determined using
``__builtin_object_size``, and consequently may be able to detect ``__builtin_object_size``, and consequently may be able to detect
more problems at higher optimization levels. more problems at higher optimization levels.
▲ Show 20 LinesShow All 464 LinesShow Last 20 Lines

include/clang/Basic/Sanitizers.def

Show First 20 LinesShow All 58 Lines▼ Show 20 Lines
// UndefinedBehaviorSanitizer // UndefinedBehaviorSanitizer
SANITIZER("alignment", Alignment) SANITIZER("alignment", Alignment)
SANITIZER("bool", Bool) SANITIZER("bool", Bool)
SANITIZER("bounds", Bounds) SANITIZER("bounds", Bounds)
SANITIZER("enum", Enum) SANITIZER("enum", Enum)
SANITIZER("float-cast-overflow", FloatCastOverflow) SANITIZER("float-cast-overflow", FloatCastOverflow)
SANITIZER("float-divide-by-zero", FloatDivideByZero) SANITIZER("float-divide-by-zero", FloatDivideByZero)
SANITIZER("function", Function)
SANITIZER("integer-divide-by-zero", IntegerDivideByZero) SANITIZER("integer-divide-by-zero", IntegerDivideByZero)
SANITIZER("null", Null) SANITIZER("null", Null)
SANITIZER("object-size", ObjectSize) SANITIZER("object-size", ObjectSize)
SANITIZER("return", Return) SANITIZER("return", Return)
SANITIZER("shift", Shift) SANITIZER("shift", Shift)
SANITIZER("signed-integer-overflow", SignedIntegerOverflow) SANITIZER("signed-integer-overflow", SignedIntegerOverflow)
SANITIZER("unreachable", Unreachable) SANITIZER("unreachable", Unreachable)
SANITIZER("vla-bound", VLABound) SANITIZER("vla-bound", VLABound)
SANITIZER("vptr", Vptr) SANITIZER("vptr", Vptr)
// IntegerSanitizer // IntegerSanitizer
SANITIZER("unsigned-integer-overflow", UnsignedIntegerOverflow) SANITIZER("unsigned-integer-overflow", UnsignedIntegerOverflow)
// DataFlowSanitizer // DataFlowSanitizer
SANITIZER("dataflow", DataFlow) SANITIZER("dataflow", DataFlow)
// -fsanitize=undefined includes all the sanitizers which have low overhead, no // -fsanitize=undefined includes all the sanitizers which have low overhead, no
// ABI or address space layout implications, and only catch undefined behavior. // ABI or address space layout implications, and only catch undefined behavior.
SANITIZER_GROUP("undefined", Undefined, SANITIZER_GROUP("undefined", Undefined,
Alignment | Bool | Bounds | Enum | FloatCastOverflow | Alignment | Bool | Bounds | Enum | FloatCastOverflow |
FloatDivideByZero | IntegerDivideByZero | Null | ObjectSize | FloatDivideByZero | Function | IntegerDivideByZero | Null |
Return | Shift | SignedIntegerOverflow | Unreachable | ObjectSize | Return | Shift | SignedIntegerOverflow |
VLABound | Vptr) Unreachable | VLABound | Vptr)
// -fsanitize=undefined-trap (and its alias -fcatch-undefined-behavior) includes // -fsanitize=undefined-trap (and its alias -fcatch-undefined-behavior) includes
// all sanitizers included by -fsanitize=undefined, except those that require // all sanitizers included by -fsanitize=undefined, except those that require
// runtime support. This group is generally used in conjunction with the // runtime support. This group is generally used in conjunction with the
// -fsanitize-undefined-trap-on-error flag. // -fsanitize-undefined-trap-on-error flag.
SANITIZER_GROUP("undefined-trap", UndefinedTrap, SANITIZER_GROUP("undefined-trap", UndefinedTrap,
Alignment | Bool | Bounds | Enum | FloatCastOverflow | Alignment | Bool | Bounds | Enum | FloatCastOverflow |
FloatDivideByZero | IntegerDivideByZero | Null | ObjectSize | FloatDivideByZero | IntegerDivideByZero | Null | ObjectSize |
Show All 9 Lines

lib/CodeGen/CGBuiltin.cpp

Show First 20 LinesShow All 159 Lines▼ Show 20 Lines llvm::FunctionType *FT = llvm::FunctionType::get(V->getType(), V->getType(),
false); false);
llvm::Value *Fn = CGF.CGM.CreateRuntimeFunction(FT, FnName); llvm::Value *Fn = CGF.CGM.CreateRuntimeFunction(FT, FnName);
return CGF.EmitNounwindRuntimeCall(Fn, V, "abs"); return CGF.EmitNounwindRuntimeCall(Fn, V, "abs");
} }
static RValue emitLibraryCall(CodeGenFunction &CGF, const FunctionDecl *Fn, static RValue emitLibraryCall(CodeGenFunction &CGF, const FunctionDecl *Fn,
const CallExpr *E, llvm::Value *calleeValue) { const CallExpr *E, llvm::Value *calleeValue) {
return CGF.EmitCall(E->getCallee()->getType(), calleeValue, return CGF.EmitCall(E->getCallee()->getType(), calleeValue, E->getLocStart(),
ReturnValueSlot(), E->arg_begin(), E->arg_end(), Fn); ReturnValueSlot(), E->arg_begin(), E->arg_end(), Fn);
} }
/// \brief Emit a call to llvm.{sadd,uadd,ssub,usub,smul,umul}.with.overflow.* /// \brief Emit a call to llvm.{sadd,uadd,ssub,usub,smul,umul}.with.overflow.*
/// depending on IntrinsicID. /// depending on IntrinsicID.
/// ///
/// \arg CGF The current codegen function. /// \arg CGF The current codegen function.
/// \arg IntrinsicID The ID for the Intrinsic we wish to generate. /// \arg IntrinsicID The ID for the Intrinsic we wish to generate.
▲ Show 20 LinesShow All 3,004 LinesShow Last 20 Lines

lib/CodeGen/CGCUDARuntime.cpp

Show All 38 LinesRValue CGCUDARuntime::EmitCUDAKernelCallExpr(CodeGenFunction &CGF,
const Decl *TargetDecl = 0; const Decl *TargetDecl = 0;
if (const ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E->getCallee())) { if (const ImplicitCastExpr *CE = dyn_cast<ImplicitCastExpr>(E->getCallee())) {
if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(CE->getSubExpr())) { if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(CE->getSubExpr())) {
TargetDecl = DRE->getDecl(); TargetDecl = DRE->getDecl();
} }
} }
llvm::Value *Callee = CGF.EmitScalarExpr(E->getCallee()); llvm::Value *Callee = CGF.EmitScalarExpr(E->getCallee());
CGF.EmitCall(E->getCallee()->getType(), Callee, ReturnValue, CGF.EmitCall(E->getCallee()->getType(), Callee, E->getLocStart(),
E->arg_begin(), E->arg_end(), TargetDecl); ReturnValue, E->arg_begin(), E->arg_end(), TargetDecl);
CGF.EmitBranch(ContBlock); CGF.EmitBranch(ContBlock);
CGF.EmitBlock(ContBlock); CGF.EmitBlock(ContBlock);
eval.end(CGF); eval.end(CGF);
return RValue::get(0); return RValue::get(0);
} }

lib/CodeGen/CGExpr.cpp

Show First 20 LinesShow All 2,905 Lines▼ Show 20 Lines if (getLangOpts().ObjCAutoRefCount &&
// arrow. // arrow.
EmitScalarExpr(E->getCallee()); EmitScalarExpr(E->getCallee());
} }
return RValue::get(0); return RValue::get(0);
} }
llvm::Value *Callee = EmitScalarExpr(E->getCallee()); llvm::Value *Callee = EmitScalarExpr(E->getCallee());
return EmitCall(E->getCallee()->getType(), Callee, ReturnValue, return EmitCall(E->getCallee()->getType(), Callee, E->getLocStart(),
E->arg_begin(), E->arg_end(), TargetDecl); ReturnValue, E->arg_begin(), E->arg_end(), TargetDecl);
} }
LValue CodeGenFunction::EmitBinaryOperatorLValue(const BinaryOperator *E) { LValue CodeGenFunction::EmitBinaryOperatorLValue(const BinaryOperator *E) {
// Comma expressions just emit their LHS then their RHS as an l-value. // Comma expressions just emit their LHS then their RHS as an l-value.
if (E->getOpcode() == BO_Comma) { if (E->getOpcode() == BO_Comma) {
EmitIgnoredExpr(E->getLHS()); EmitIgnoredExpr(E->getLHS());
EnsureInsertPoint(); EnsureInsertPoint();
return EmitLValue(E->getRHS()); return EmitLValue(E->getRHS());
▲ Show 20 LinesShow All 153 Lines▼ Show 20 Lines
LValue CodeGenFunction::EmitStmtExprLValue(const StmtExpr *E) { LValue CodeGenFunction::EmitStmtExprLValue(const StmtExpr *E) {
// Can only get l-value for message expression returning aggregate type // Can only get l-value for message expression returning aggregate type
RValue RV = EmitAnyExprToTemp(E); RValue RV = EmitAnyExprToTemp(E);
return MakeAddrLValue(RV.getAggregateAddr(), E->getType()); return MakeAddrLValue(RV.getAggregateAddr(), E->getType());
} }
RValue CodeGenFunction::EmitCall(QualType CalleeType, llvm::Value *Callee, RValue CodeGenFunction::EmitCall(QualType CalleeType, llvm::Value *Callee,
SourceLocation CallLoc,
ReturnValueSlot ReturnValue, ReturnValueSlot ReturnValue,
CallExpr::const_arg_iterator ArgBeg, CallExpr::const_arg_iterator ArgBeg,
CallExpr::const_arg_iterator ArgEnd, CallExpr::const_arg_iterator ArgEnd,
const Decl *TargetDecl) { const Decl *TargetDecl) {
// Get the actual function type. The callee type will always be a pointer to // Get the actual function type. The callee type will always be a pointer to
// function type or a block pointer type. // function type or a block pointer type.
assert(CalleeType->isFunctionPointerType() && assert(CalleeType->isFunctionPointerType() &&
"Call must have function pointer type!"); "Call must have function pointer type!");
CalleeType = getContext().getCanonicalType(CalleeType); CalleeType = getContext().getCanonicalType(CalleeType);
const FunctionType *FnType const FunctionType *FnType
= cast<FunctionType>(cast<PointerType>(CalleeType)->getPointeeType()); = cast<FunctionType>(cast<PointerType>(CalleeType)->getPointeeType());
// Force column info to differentiate multiple inlined call sites on // Force column info to differentiate multiple inlined call sites on
// the same line, analoguous to EmitCallExpr. // the same line, analoguous to EmitCallExpr.
bool ForceColumnInfo = false; bool ForceColumnInfo = false;
if (const FunctionDecl* FD = dyn_cast_or_null<const FunctionDecl>(TargetDecl)) if (const FunctionDecl* FD = dyn_cast_or_null<const FunctionDecl>(TargetDecl))
ForceColumnInfo = FD->isInlineSpecified(); ForceColumnInfo = FD->isInlineSpecified();
if (getLangOpts().CPlusPlus && SanOpts->Function &&
!dyn_cast_or_null<FunctionDecl>(TargetDecl)) {
rsmithUnsubmitted
Not Done
ReplyInline Actions

This is a bit hard to parse. (!TargetDecl || !isa<FunctionDecl>(TargetDecl)) maybe?

rsmith: This is a bit hard to parse. `(!TargetDecl || !isa<FunctionDecl>(TargetDecl))` maybe?
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

pcc: Done.
rsmithUnsubmitted
Not Done
ReplyInline Actions

It'd be nice if we could erase these checks if the optimizer resolves the call.

rsmith: It'd be nice if we could erase these checks if the optimizer resolves the call.
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Sure. A design point of function prefix data is that it permits this sort of optimization. Maybe if I get a chance I'll see if I can teach the optimizer to do this.

pcc: Sure. A design point of function prefix data is that it permits this sort of optimization.
if (llvm::Constant* PDSig =
rsmithUnsubmitted
Not Done
ReplyInline Actions

* on the right.

rsmith: `*` on the right.
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

pcc: Done.
CGM.getTargetCodeGenInfo().getUBSanFunctionSignature(CGM)) {
llvm::Constant *FTRTTIConst =
CGM.GetAddrOfRTTIDescriptor(QualType(FnType, 0), /*ForEH=*/true);
llvm::Type *PDStructTyElems[] = {PDSig->getType(),
rsmithUnsubmitted
Not Done
ReplyInline Actions

Some indication of what "PD" stands for here would be useful.

rsmith: Some indication of what "PD" stands for here would be useful.
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Globally replaced 'PD' with 'Prefix'.

pcc: Globally replaced 'PD' with 'Prefix'.
FTRTTIConst->getType()};
rsmithUnsubmitted
Not Done
ReplyInline Actions

We usually format this as

llvm::Type *PDStructTyElems[] = {
  PDSig->getType(),
  FTRTTIConst->getType()
};

or similar.

rsmith: We usually format this as llvm::Type *PDStructTyElems[] = { PDSig->getType()…
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Done. clang-format prefers something closer to the formatting I originally used; I'll raise this with the clang-format folks.

pcc: Done. clang-format prefers something closer to the formatting I originally used; I'll raise…
llvm::StructType *PDStructTy = llvm::StructType::get(
CGM.getLLVMContext(), PDStructTyElems, /*isPacked=*/true);
llvm::Value *CalleePDStruct = Builder.CreateBitCast(
Callee, llvm::PointerType::getUnqual(PDStructTy));
llvm::Value *CalleeSigPtr =
Builder.CreateConstGEP2_32(CalleePDStruct, 0, 0);
llvm::Value *CalleeSig = Builder.CreateLoad(CalleeSigPtr);
rsmithUnsubmitted
Not Done
ReplyInline Actions

What happens if the callee address is at the end of a page and doesn't have the extra data? Could this load trigger a segfault?

rsmith: What happens if the callee address is at the end of a page and doesn't have the extra data?
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

It could in principle. In practice, Clang always aligns function bodies to 16 bytes, GCC does it at -O>=2 and GCC (4.4 and 4.6) codegens an empty function body at -O0 with >4 bytes. A quick survey of a number of system libraries (libc, libm, libstdc++) on an Ubuntu machine reveals that the functions are suitably aligned. I think the circumstances in which a segfault might occur are sufficiently rare as to justify doing a single load. If it does turn out to be a problem in practice we could consider splitting the load (perhaps conditional on a command line flag).

pcc: It could in principle. In practice, Clang always aligns function bodies to 16 bytes, GCC does…
llvm::Value *CalleeSigMatch = Builder.CreateICmpEQ(CalleeSig, PDSig);
llvm::BasicBlock *Cont = createBasicBlock("cont");
llvm::BasicBlock *TypeCheck = createBasicBlock("typecheck");
Builder.CreateCondBr(CalleeSigMatch, TypeCheck, Cont);
EmitBlock(TypeCheck);
llvm::Value *CalleeRTTIPtr =
Builder.CreateConstGEP2_32(CalleePDStruct, 0, 1);
llvm::Value *CalleeRTTI = Builder.CreateLoad(CalleeRTTIPtr);
llvm::Value *CalleeRTTIMatch =
Builder.CreateICmpEQ(CalleeRTTI, FTRTTIConst);
llvm::Constant *StaticData[] = {EmitCheckSourceLocation(CallLoc),
EmitCheckTypeDescriptor(CalleeType)};
rsmithUnsubmitted
Not Done
ReplyInline Actions

Likewise.

rsmith: Likewise.
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

pcc: Done.
EmitCheck(CalleeRTTIMatch,
"function_type_mismatch",
StaticData,
Callee,
CRK_Recoverable);
Builder.CreateBr(Cont);
EmitBlock(Cont);
}
}
CallArgList Args; CallArgList Args;
EmitCallArgs(Args, dyn_cast<FunctionProtoType>(FnType), ArgBeg, ArgEnd, EmitCallArgs(Args, dyn_cast<FunctionProtoType>(FnType), ArgBeg, ArgEnd,
ForceColumnInfo); ForceColumnInfo);
const CGFunctionInfo &FnInfo = const CGFunctionInfo &FnInfo =
CGM.getTypes().arrangeFreeFunctionCall(Args, FnType); CGM.getTypes().arrangeFreeFunctionCall(Args, FnType);
// C99 6.5.2.2p6: // C99 6.5.2.2p6:
▲ Show 20 LinesShow All 152 LinesShow Last 20 Lines

lib/CodeGen/CGExprCXX.cpp

Show First 20 LinesShow All 173 Lines▼ Show 20 LinesRValue CodeGenFunction::EmitCXXMemberCallExpr(const CXXMemberCallExpr *CE,
const MemberExpr *ME = cast<MemberExpr>(callee); const MemberExpr *ME = cast<MemberExpr>(callee);
const CXXMethodDecl *MD = cast<CXXMethodDecl>(ME->getMemberDecl()); const CXXMethodDecl *MD = cast<CXXMethodDecl>(ME->getMemberDecl());
if (MD->isStatic()) { if (MD->isStatic()) {
// The method is static, emit it as we would a regular call. // The method is static, emit it as we would a regular call.
llvm::Value *Callee = CGM.GetAddrOfFunction(MD); llvm::Value *Callee = CGM.GetAddrOfFunction(MD);
return EmitCall(getContext().getPointerType(MD->getType()), Callee, return EmitCall(getContext().getPointerType(MD->getType()), Callee,
ReturnValue, CE->arg_begin(), CE->arg_end()); CE->getLocStart(), ReturnValue, CE->arg_begin(),
CE->arg_end());
} }
// Compute the object pointer. // Compute the object pointer.
const Expr *Base = ME->getBase(); const Expr *Base = ME->getBase();
bool CanUseVirtualCall = MD->isVirtual() && !ME->hasQualifier(); bool CanUseVirtualCall = MD->isVirtual() && !ME->hasQualifier();
const CXXMethodDecl *DevirtualizedMethod = NULL; const CXXMethodDecl *DevirtualizedMethod = NULL;
if (CanUseVirtualCall && if (CanUseVirtualCall &&
▲ Show 20 LinesShow All 1,759 LinesShow Last 20 Lines

lib/CodeGen/CodeGenFunction.h

Show First 20 LinesShow All 2,066 Lines▼ Show 20 Lines#endif
RValue EmitCall(const CGFunctionInfo &FnInfo, RValue EmitCall(const CGFunctionInfo &FnInfo,
llvm::Value *Callee, llvm::Value *Callee,
ReturnValueSlot ReturnValue, ReturnValueSlot ReturnValue,
const CallArgList &Args, const CallArgList &Args,
const Decl *TargetDecl = 0, const Decl *TargetDecl = 0,
llvm::Instruction **callOrInvoke = 0); llvm::Instruction **callOrInvoke = 0);
RValue EmitCall(QualType FnType, llvm::Value *Callee, RValue EmitCall(QualType FnType, llvm::Value *Callee,
SourceLocation CallLoc,
ReturnValueSlot ReturnValue, ReturnValueSlot ReturnValue,
CallExpr::const_arg_iterator ArgBeg, CallExpr::const_arg_iterator ArgBeg,
CallExpr::const_arg_iterator ArgEnd, CallExpr::const_arg_iterator ArgEnd,
const Decl *TargetDecl = 0); const Decl *TargetDecl = 0);
RValue EmitCallExpr(const CallExpr *E, RValue EmitCallExpr(const CallExpr *E,
ReturnValueSlot ReturnValue = ReturnValueSlot()); ReturnValueSlot ReturnValue = ReturnValueSlot());
llvm::CallInst *EmitRuntimeCall(llvm::Value *callee, llvm::CallInst *EmitRuntimeCall(llvm::Value *callee,
▲ Show 20 LinesShow All 553 LinesShow Last 20 Lines

lib/CodeGen/CodeGenFunction.cpp

Show All 10 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "CodeGenFunction.h" #include "CodeGenFunction.h"
#include "CGCUDARuntime.h" #include "CGCUDARuntime.h"
#include "CGCXXABI.h" #include "CGCXXABI.h"
#include "CGDebugInfo.h" #include "CGDebugInfo.h"
#include "CodeGenModule.h" #include "CodeGenModule.h"
#include "TargetInfo.h"
#include "clang/AST/ASTContext.h" #include "clang/AST/ASTContext.h"
#include "clang/AST/Decl.h" #include "clang/AST/Decl.h"
#include "clang/AST/DeclCXX.h" #include "clang/AST/DeclCXX.h"
#include "clang/AST/StmtCXX.h" #include "clang/AST/StmtCXX.h"
#include "clang/Basic/OpenCL.h" #include "clang/Basic/OpenCL.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "clang/Frontend/CodeGenOptions.h" #include "clang/Frontend/CodeGenOptions.h"
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
▲ Show 20 LinesShow All 489 Lines▼ Show 20 Lines if (const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D))
} }
if (getLangOpts().OpenCL) { if (getLangOpts().OpenCL) {
// Add metadata for a kernel function. // Add metadata for a kernel function.
if (const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D)) if (const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D))
EmitOpenCLKernelMetadata(FD, Fn); EmitOpenCLKernelMetadata(FD, Fn);
} }
// If we are checking function types, emit a function type signature as
// prefix data.
rsmithUnsubmitted
Not Done
ReplyInline Actions

It'd be nice if we could only do this for address-taken functions. When we take the address of a function, we could emit linkonce_odr thunk with the extra data, and use that instead of the original address... except that would break address-of-function comparisons between instrumented and uninstrumented code. Can we provide an option to enable that behavior for the case where we're OK with an ABI change?

rsmith: It'd be nice if we could only do this for address-taken functions. When we take the address of…
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

I like the idea of doing this as an option, but I would prefer to land this version first.

pcc: I like the idea of doing this as an option, but I would prefer to land this version first.
if (getLangOpts().CPlusPlus && SanOpts->Function) {
if (const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D)) {
if (llvm::Constant *PDSig =
CGM.getTargetCodeGenInfo().getUBSanFunctionSignature(CGM)) {
llvm::Constant *FTRTTIConst =
CGM.GetAddrOfRTTIDescriptor(FD->getType(), /*ForEH=*/true);
rsmithUnsubmitted
Not Done
ReplyInline Actions

Does this include the calling convention attributes?

rsmith: Does this include the calling convention attributes?
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Not with the Itanium ABI, which does not have a representation for calling conventions, but the Microsoft ABI (for which calling conventions matter more) does, so once RTTI has been implemented for that ABI, this should respect calling conventions there.

pcc: Not with the Itanium ABI, which does not have a representation for calling conventions, but the…
llvm::Constant *PDStructElems[] = {PDSig, FTRTTIConst};
rsmithUnsubmitted
Not Done
ReplyInline Actions

Spaces around braces.

rsmith: Spaces around braces.
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

pcc: Done.
llvm::Constant *PDStructConst =
llvm::ConstantStruct::getAnon(PDStructElems, /*Packed=*/true);
Fn->setPrefixData(PDStructConst);
}
}
}
llvm::BasicBlock *EntryBB = createBasicBlock("entry", CurFn); llvm::BasicBlock *EntryBB = createBasicBlock("entry", CurFn);
// Create a marker to make it easy to insert allocas into the entryblock // Create a marker to make it easy to insert allocas into the entryblock
// later. Don't create this with the builder, because we don't want it // later. Don't create this with the builder, because we don't want it
// folded. // folded.
llvm::Value *Undef = llvm::UndefValue::get(Int32Ty); llvm::Value *Undef = llvm::UndefValue::get(Int32Ty);
AllocaInsertPt = new llvm::BitCastInst(Undef, Int32Ty, "", EntryBB); AllocaInsertPt = new llvm::BitCastInst(Undef, Int32Ty, "", EntryBB);
if (Builder.isNamePreserving()) if (Builder.isNamePreserving())
▲ Show 20 LinesShow All 933 LinesShow Last 20 Lines

lib/CodeGen/TargetInfo.h

Show All 15 Lines
#define CLANG_CODEGEN_TARGETINFO_H #define CLANG_CODEGEN_TARGETINFO_H
#include "clang/AST/Type.h" #include "clang/AST/Type.h"
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "llvm/ADT/StringRef.h" #include "llvm/ADT/StringRef.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
namespace llvm { namespace llvm {
class Constant;
class GlobalValue; class GlobalValue;
class Type; class Type;
class Value; class Value;
} }
namespace clang { namespace clang {
class ABIInfo; class ABIInfo;
class Decl; class Decl;
▲ Show 20 LinesShow All 99 Lines▼ Show 20 Lines public:
/// relocation model, and so on some targets it instead sniffs for /// relocation model, and so on some targets it instead sniffs for
/// a particular instruction sequence. This functions returns /// a particular instruction sequence. This functions returns
/// that instruction sequence in inline assembly, which will be /// that instruction sequence in inline assembly, which will be
/// empty if none is required. /// empty if none is required.
virtual StringRef getARCRetainAutoreleasedReturnValueMarker() const { virtual StringRef getARCRetainAutoreleasedReturnValueMarker() const {
return ""; return "";
} }
/// Return a constant used by UBSan as a signature to identify functions
/// possessing type information, or 0 if the platform is unsupported.
virtual llvm::Constant *getUBSanFunctionSignature(
CodeGen::CodeGenModule &CGM) const {
return 0;
}
/// Determine whether a call to an unprototyped functions under /// Determine whether a call to an unprototyped functions under
/// the given calling convention should use the variadic /// the given calling convention should use the variadic
/// convention or the non-variadic convention. /// convention or the non-variadic convention.
/// ///
/// There's a good reason to make a platform's variadic calling /// There's a good reason to make a platform's variadic calling
/// convention be different from its non-variadic calling /// convention be different from its non-variadic calling
/// convention: the non-variadic arguments can be passed in /// convention: the non-variadic arguments can be passed in
/// registers (better for performance), and the variadic arguments /// registers (better for performance), and the variadic arguments
▲ Show 20 LinesShow All 51 LinesShow Last 20 Lines

lib/CodeGen/TargetInfo.cpp

Show First 20 LinesShow All 590 Lines▼ Show 20 Lines bool initDwarfEHRegSizeTable(CodeGen::CodeGenFunction &CGF,
llvm::Value *Address) const; llvm::Value *Address) const;
llvm::Type* adjustInlineAsmType(CodeGen::CodeGenFunction &CGF, llvm::Type* adjustInlineAsmType(CodeGen::CodeGenFunction &CGF,
StringRef Constraint, StringRef Constraint,
llvm::Type* Ty) const { llvm::Type* Ty) const {
return X86AdjustInlineAsmType(CGF, Constraint, Ty); return X86AdjustInlineAsmType(CGF, Constraint, Ty);
} }
llvm::Constant *getUBSanFunctionSignature(CodeGen::CodeGenModule &CGM) const {
unsigned Sig = (0xeb << 0) | // jmp rel8
(0x06 << 8) | // .+0x08
('F' << 16) |
('T' << 24);
rsmithUnsubmitted
Not Done
ReplyInline Actions

What do 'F' and 'T' demangle as? An invalid instruction encoding would give me more confidence here.

rsmith: What do 'F' and 'T' demangle as? An invalid instruction encoding would give me more confidence…
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

"rex.RX push %rsp", according to objdump. But I don't think it really matters what this decodes to. If the instruction pointer finds itself here the situation isn't dissimilar to jumping into the middle of a multibyte instruction. (Besides, the RTTI pointer could decode to anything.)

pcc: "rex.RX push %rsp", according to objdump. But I don't think it really matters what this…
rsmithUnsubmitted
Not Done
ReplyInline Actions

I think it matters: it's not unreasonable for a function to start as:

jmp +8
6 byte loop body
check loop condition
conditional jmp back to loop body

IIUC, your check would flag a false positive on indirect calls to such a function.

However, since the 'F' is an instruction prefix that is redundant on a 'T' (pushq %rsp) instruction, I think it's reasonable to assume that the FT signature will not occur in uninstrumented code.

rsmith: I think it matters: it's not unreasonable for a function to start as: jmp +8 6 byte…
pccAuthorUnsubmitted
Not Done
ReplyInline Actions

I see. I think I agree with your reasoning.

pcc: I see. I think I agree with your reasoning.
return llvm::ConstantInt::get(CGM.Int32Ty, Sig);
}
}; };
} }
/// shouldReturnTypeInRegister - Determine if the given type should be /// shouldReturnTypeInRegister - Determine if the given type should be
/// passed in a register (for the Darwin ABI). /// passed in a register (for the Darwin ABI).
bool X86_32ABIInfo::shouldReturnTypeInRegister(QualType Ty, bool X86_32ABIInfo::shouldReturnTypeInRegister(QualType Ty,
ASTContext &Context, ASTContext &Context,
▲ Show 20 LinesShow All 667 Lines▼ Show 20 Lines if (fnType->getCallConv() == CC_Default || fnType->getCallConv() == CC_C) {
if (!HasAVXType) if (!HasAVXType)
return true; return true;
} }
return TargetCodeGenInfo::isNoProtoCallVariadic(args, fnType); return TargetCodeGenInfo::isNoProtoCallVariadic(args, fnType);
} }
llvm::Constant *getUBSanFunctionSignature(CodeGen::CodeGenModule &CGM) const {
unsigned Sig = (0xeb << 0) | // jmp rel8
(0x0a << 8) | // .+0x0c
('F' << 16) |
('T' << 24);
return llvm::ConstantInt::get(CGM.Int32Ty, Sig);
}
}; };
static std::string qualifyWindowsLibrary(llvm::StringRef Lib) { static std::string qualifyWindowsLibrary(llvm::StringRef Lib) {
// If the argument does not end in .lib, automatically add the suffix. This // If the argument does not end in .lib, automatically add the suffix. This
// matches the behavior of MSVC. // matches the behavior of MSVC.
std::string ArgStr = Lib; std::string ArgStr = Lib;
if (Lib.size() <= 4 || if (Lib.size() <= 4 ||
Lib.substr(Lib.size() - 4).compare_lower(".lib") != 0) { Lib.substr(Lib.size() - 4).compare_lower(".lib") != 0) {
▲ Show 20 LinesShow All 4,189 LinesShow Last 20 Lines

test/CodeGenCXX/catch-undef-behavior.cpp

// RUN: %clang_cc1 -std=c++11 -fsanitize=signed-integer-overflow,integer-divide-by-zero,float-divide-by-zero,shift,unreachable,return,vla-bound,alignment,null,vptr,object-size,float-cast-overflow,bool,enum,bounds -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s // RUN: %clang_cc1 -std=c++11 -fsanitize=signed-integer-overflow,integer-divide-by-zero,float-divide-by-zero,shift,unreachable,return,vla-bound,alignment,null,vptr,object-size,float-cast-overflow,bool,enum,bounds,function -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s
struct S { struct S {
double d; double d;
int a, b; int a, b;
virtual int f(); virtual int f();
}; };
struct T : S {}; struct T : S {};
▲ Show 20 LinesShow All 357 Lines▼ Show 20 Linesvoid downcast_reference(B &b) {
// CHECK: [[C_INT:%[0-9]*]] = ptrtoint %class.C* [[C]] to i64 // CHECK: [[C_INT:%[0-9]*]] = ptrtoint %class.C* [[C]] to i64
// CHECK-NEXT: [[MASKED:%[0-9]*]] = and i64 [[C_INT]], 15 // CHECK-NEXT: [[MASKED:%[0-9]*]] = and i64 [[C_INT]], 15
// CHECK-NEXT: [[TEST:%[0-9]*]] = icmp eq i64 [[MASKED]], 0 // CHECK-NEXT: [[TEST:%[0-9]*]] = icmp eq i64 [[MASKED]], 0
// AND the alignment test with the objectsize test. // AND the alignment test with the objectsize test.
// CHECK-NEXT: [[AND:%[0-9]*]] = and i1 {{.*}}, [[TEST]] // CHECK-NEXT: [[AND:%[0-9]*]] = and i1 {{.*}}, [[TEST]]
// CHECK-NEXT: br i1 [[AND]] // CHECK-NEXT: br i1 [[AND]]
} }
// CHECK-LABEL: @_Z22indirect_function_callPFviE({{.*}} prefix <{ i32, i8* }> <{ i32 1413876459, i8* bitcast ({ i8*, i8* }* @_ZTIFvPFviEE to i8*) }>
void indirect_function_call(void (*p)(int)) {
// CHECK: [[PTR:%[0-9]*]] = bitcast void (i32)* {{.*}} to <{ i32, i8* }>*
// CHECK-NEXT: [[ELEM:%[0-9]*]] = getelementptr <{ i32, i8* }>* [[PTR]], i32 0, i32 0
// CHECK-NEXT: [[LOAD:%[0-9]*]] = load i32* [[ELEM]]
// CHECK-NEXT: [[ICMP:%[0-9]*]] = icmp eq i32 [[LOAD]], 1413876459
// CHECK-NEXT: br i1 [[ICMP]]
p(42);
}
// CHECK: attributes [[NR_NUW]] = { noreturn nounwind } // CHECK: attributes [[NR_NUW]] = { noreturn nounwind }

test/Driver/fsanitize.c

// RUN: %clang -target x86_64-linux-gnu -fcatch-undefined-behavior %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP // RUN: %clang -target x86_64-linux-gnu -fcatch-undefined-behavior %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined-trap -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined-trap -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP
// RUN: %clang -target x86_64-linux-gnu -fsanitize-undefined-trap-on-error -fsanitize=undefined-trap %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize-undefined-trap-on-error -fsanitize=undefined-trap %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP
// CHECK-UNDEFINED-TRAP: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift|unreachable|return|vla-bound|alignment|null|object-size|float-cast-overflow|bounds|enum|bool),?){14}"}} // CHECK-UNDEFINED-TRAP: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift|unreachable|return|vla-bound|alignment|null|object-size|float-cast-overflow|bounds|enum|bool),?){14}"}}
// CHECK-UNDEFINED-TRAP: "-fsanitize-undefined-trap-on-error" // CHECK-UNDEFINED-TRAP: "-fsanitize-undefined-trap-on-error"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED
// CHECK-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift|unreachable|return|vla-bound|alignment|null|vptr|object-size|float-cast-overflow|bounds|enum|bool),?){15}"}} // CHECK-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift|unreachable|return|vla-bound|alignment|null|vptr|object-size|float-cast-overflow|bounds|enum|bool),?){16}"}}
// RUN: %clang -target x86_64-linux-gnu -fsanitize=integer %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTEGER // RUN: %clang -target x86_64-linux-gnu -fsanitize=integer %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTEGER
// CHECK-INTEGER: "-fsanitize={{((signed-integer-overflow|unsigned-integer-overflow|integer-divide-by-zero|shift),?){4}"}} // CHECK-INTEGER: "-fsanitize={{((signed-integer-overflow|unsigned-integer-overflow|integer-divide-by-zero|shift),?){4}"}}
// RUN: %clang -target x86_64-linux-gnu -fsanitize=thread,undefined -fno-thread-sanitizer -fno-sanitize=float-cast-overflow,vptr,bool,enum %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PARTIAL-UNDEFINED // RUN: %clang -target x86_64-linux-gnu -fsanitize=thread,undefined -fno-thread-sanitizer -fno-sanitize=float-cast-overflow,vptr,bool,enum %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PARTIAL-UNDEFINED
// CHECK-PARTIAL-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift|unreachable|return|vla-bound|alignment|null|object-size|bounds),?){11}"}} // CHECK-PARTIAL-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift|unreachable|return|vla-bound|alignment|null|object-size|bounds),?){12}"}}
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address-full %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-FULL // RUN: %clang -target x86_64-linux-gnu -fsanitize=address-full %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-FULL
// CHECK-ASAN-FULL: "-fsanitize={{((address|init-order|use-after-return|use-after-scope),?){4}"}} // CHECK-ASAN-FULL: "-fsanitize={{((address|init-order|use-after-return|use-after-scope),?){4}"}}
// RUN: %clang -target x86_64-linux-gnu -fno-sanitize=init-order -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-IMPLIED-INIT-ORDER // RUN: %clang -target x86_64-linux-gnu -fno-sanitize=init-order -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-IMPLIED-INIT-ORDER
// CHECK-ASAN-IMPLIED-INIT-ORDER: "-fsanitize={{((address|init-order),?){2}"}} // CHECK-ASAN-IMPLIED-INIT-ORDER: "-fsanitize={{((address|init-order),?){2}"}}
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fno-sanitize=init-order %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-NO-IMPLIED-INIT-ORDER // RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fno-sanitize=init-order %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-NO-IMPLIED-INIT-ORDER
▲ Show 20 LinesShow All 122 LinesShow Last 20 Lines