(also, this needs a bit more work around irgen, will look in a bit.)

In your example, clang++ a.cc; ./a.out gives a libstdc++ error:

terminate called after throwing an instance of 'int'

libc++'s is similar.

footgun is nounwind (due to the GNU pure attribute), so Clang uses call instead of invoke and the function call is described by a call site entry with a zero action_record_offset (i.e. not a handler) in .gcc_except_table.
In _Unwind_RaiseException called by __cxa_throw, the missing exception handler causes __terminate.

g++ a.cc; ./a.out succeeds, because its footgun call is caught by catch (...). (Perhaps GCC doesn't have Clang's nounwind optimization.)

The patch doesn't implement the runtime correctly (I get a linker error) so I cannot try it out. How expensive is your instrumentation?
Does it work with -fno-exceptions intermediate functions? (Unwinding through such functions should fail as well). Note that this check can be done today,without any instrumentation: just use -fno-asynchronous-unwind-tables (for some targets which default to async unwind tables (aarch64,x86,etc)).
If the process installs a SIGABRT signal handler, the stack trace can be printed when __terminate calls abort.

In D137381#3907104, @MaskRay wrote:

In your example, clang++ a.cc; ./a.out gives a libstdc++ error:

terminate called after throwing an instance of 'int'

libc++'s is similar.

That's great, but just a symptom of misreduced testcase.
The whole problem is that in the original bug *no* abort happened at runtime,
the program terminated successfully, with a mysterious leak.

footgun is nounwind (due to the GNU pure attribute), so Clang uses call instead of invoke and the function call is described by a call site entry with a zero action_record_offset (i.e. not a handler) in .gcc_except_table.
In _Unwind_RaiseException called by __cxa_throw, the missing exception handler causes __terminate.

g++ a.cc; ./a.out succeeds, because its footgun call is caught by catch (...). (Perhaps GCC doesn't have Clang's nounwind optimization.)

The patch doesn't implement the runtime correctly (I get a linker error) so I cannot try it out. How expensive is your instrumentation?
Does it work with -fno-exceptions intermediate functions? (Unwinding through such functions should fail as well). Note that this check can be done today,without any instrumentation: just use -fno-asynchronous-unwind-tables (for some targets which default to async unwind tables (aarch64,x86,etc)).
If the process installs a SIGABRT signal handler, the stack trace can be printed when __terminate calls abort.

I find this comment non-welcoming and discouraging.
I just wanted to get something posted when i had something to post already. All of this needs a bit more time.

I think improving diagnostic is useful but -fsanitize= is probably not a good place. Instrumenting call sites with callq __ubsan_handle_exception_escape@PLT wastes code size. The functionality is better handled somewhere in libc++abi personality related code with possible improvement to exception handling related LLVM IR.

void bar(); void foo() { bar(); }

clang++ -fno-exceptions -fsanitize=exception-escape -c b.cc does not instrument the potentially-throwing-and-propagating bar() so an error cannot be caught.
However, for -fno-exceptions code, instrumenting every call site is going to greatly increase code size and suppress optimizations.

I wish that I capture the compiler and runtime behavior well in https://maskray.me/blog/2020-12-12-c++-exception-handling-abi#compiler-behavior. https://discourse.llvm.org/t/catching-exceptions-while-unwinding-through-fno-exceptions-code/57151 is a proposal to improve the diagnostics.

Can someone from @Sanitizers please comment? :) @vitalybuka ? @glider ? @rsmith ?

In D137381#3923911, @MaskRay wrote:

I think improving diagnostic is useful but -fsanitize= is probably not a good place.

Instrumenting call sites with callq __ubsan_handle_exception_escape@PLT wastes code size.

Can you please explain why replacing one call with another somehow makes things worse?

The functionality is better handled somewhere in libc++abi personality related code

That would not be helpful, i'm not using libc++.
It seems obviously wrong to me to require every used C++ ABI library
to implement "some improvements", instead, you know,
the clang irgen + clang ubsan lib.

If we do this, we have native source location info for the location of the call site
out of which the exception has escaped, that causes the "abort".
I do not know if that will be possible with less native approach.

The reason i'm doing this, is because recently i had to deal with a few of these bugs,
and i never got any kind of backtrace, so the situation can't not be made better.

with possible improvement to exception handling related LLVM IR.

void bar(); void foo() { bar(); }

clang++ -fno-exceptions -fsanitize=exception-escape -c b.cc does not instrument the potentially-throwing-and-propagating bar() so an error cannot be caught.

i'm only looking at -fexceptions side of things, i'm not sure how
mixing -fno-exceptions and -fexceptions code is supposed to work.
It is not oblivious to me why not dealing with some other situation
means we can't deal with the situation we can deal with.

However, for -fno-exceptions code, instrumenting every call site is going to greatly increase code size and suppress optimizations.

Citation needed/define "greatly"?
We have a single "termination" landing pad per function,
and we seem to end up with just a single extra jmp per call.
https://godbolt.org/z/Td3jWM1oh

But yes, that's the known and expected nature of sanitization.

I wish that I capture the compiler and runtime behavior well in https://maskray.me/blog/2020-12-12-c++-exception-handling-abi#compiler-behavior. https://discourse.llvm.org/t/catching-exceptions-while-unwinding-through-fno-exceptions-code/57151 is a proposal to improve the diagnostics.

Thanks. That explains current behavior, but does not tell why it must be enshrined and never changed.

In D137381#3924698, @lebedev.ri wrote:

Can someone from @Sanitizers please comment? :) @vitalybuka ? @glider ? @rsmith ?

In D137381#3923911, @MaskRay wrote:

I think improving diagnostic is useful but -fsanitize= is probably not a good place.

@MaskRay Seems find to me. Why do you think so?

Instrumenting call sites with callq __ubsan_handle_exception_escape@PLT wastes code size.

Can you please explain why replacing one call with another somehow makes things worse?

Would be nice to see some measuraments? E.g. CTMark.

The functionality is better handled somewhere in libc++abi personality related code

That would not be helpful, i'm not using libc++.
It seems obviously wrong to me to require every used C++ ABI library
to implement "some improvements", instead, you know,
the clang irgen + clang ubsan lib.

If we do this, we have native source location info for the location of the call site
out of which the exception has escaped, that causes the "abort".
I do not know if that will be possible with less native approach.

The reason i'm doing this, is because recently i had to deal with a few of these bugs,
and i never got any kind of backtrace, so the situation can't not be made better.

with possible improvement to exception handling related LLVM IR.

void bar(); void foo() { bar(); }

clang++ -fno-exceptions -fsanitize=exception-escape -c b.cc does not instrument the potentially-throwing-and-propagating bar() so an error cannot be caught.

i'm only looking at -fexceptions side of things, i'm not sure how
mixing -fno-exceptions and -fexceptions code is supposed to work.

Handling this case would be usefull.

It is not oblivious to me why not dealing with some other situation
means we can't deal with the situation we can deal with.

However, for -fno-exceptions code, instrumenting every call site is going to greatly increase code size and suppress optimizations.

Citation needed/define "greatly"?
We have a single "termination" landing pad per function,
and we seem to end up with just a single extra jmp per call.
https://godbolt.org/z/Td3jWM1oh

But yes, that's the known and expected nature of sanitization.

I wish that I capture the compiler and runtime behavior well in https://maskray.me/blog/2020-12-12-c++-exception-handling-abi#compiler-behavior. https://discourse.llvm.org/t/catching-exceptions-while-unwinding-through-fno-exceptions-code/57151 is a proposal to improve the diagnostics.

Thanks. That explains current behavior, but does not tell why it must be enshrined and never changed.

I don't have a problem with adding a sanitizer like this. IIRC, though, there's a review process for adding new sanitizers; I don't remember if this is the normal RFC process or something more streamlined. Also, I know @jyknight is interested in a mode that checks -fno-exceptions more efficiently, which is of direct relevance to what you're trying here; that was discussed in a forums thread (https://discourse.llvm.org/t/rfc-add-call-unwindabort-to-llvm-ir/62543).

The implementation and tests here don't seem to match the stated problem, though. Trying to throw out of a noexcept function is actually well-defined — the function has to catch the exception and call std::terminate, and we do actually generate code that way. Your patch is just adding a check at the start of the handler we emit, which means it's not catching anything we're not already catching; also, again, this is a well-defined execution path, so it doesn't seem appropriate to trigger UBSan on it.

IIRC, there are really only two potential sources of UB with noexcept. The first is that you can declare a function noexcept(true) but implement it as noexcept(false), which is in a class of problems (ODR violations) that I think UBSan doesn't normally try to diagnose. The second is that I think it's possible to get a noexcept(true) function pointer for a noexcept(false) function, maybe via some chain of casts; that would be a little closer to what UBSan normally diagnoses.

Meanwhile, your original test case has nothing to do with noexcept. __attribute__((pure)) (like nothrow and -fno-exceptions) really does introduce a novel UB rule which it would be reasonable to ask the compiler to check under UBSan.

I think the right way to handle what you're trying to handle would be to introduce some different kind of scope, a "it's UB to unwind out of this" scope, and then push that scope around calls and implementations of functions that use one of the UB-to-throw attributes. You could also potentially push that scope around calls to nounwind functions if you want to catch those ODR / function-pointer cases.

@vitalybuka @rjmccall thank you for taking a look!
Since posting this, there has been a conversation in #llvm with @jyknight,
where it was established that the situation is even worse than i though.
Essentially, there are two situations:

1. exception escape out of non-unwinding function is guaranteed to cause program termination. That happens for:
   • the C++ noexcept
   • __attribute__((nothrow)) (for some non-obvious reason)
   • OpenMP region lowering (even though it's not mandated by the standard)
2. exception escape out of non-unwinding function is wild UB, this is the semantics of
   • __attribute__((pure))/__attribute__((const)).

It is possible that __attribute__((nothrow)) should also be in UB category,
otherwise what benefit does it bring over C++'s noexcept?

So, i have correctly felt that there is a problem, but the fix is going in the wrong way.
While i still think that we should handle case 1. in UBSan, let's first deal with 2.

In D137381#3926121, @rjmccall wrote:

I don't have a problem with adding a sanitizer like this. IIRC, though, there's a review process for adding new sanitizers; I don't remember if this is the normal RFC process or something more streamlined.

For the record, i have added the entirety of -fsanitize=implicit-conversion (part of -fsanitize=integer)
and -fsanitize=alignment, and this is the first time i'm hearing of an RFC process.

Also, I know @jyknight is interested in a mode that checks -fno-exceptions more efficiently, which is of direct relevance to what you're trying here; that was discussed in a forums thread (https://discourse.llvm.org/t/rfc-add-call-unwindabort-to-llvm-ir/62543).

Yes, we've talked in #llvm about that a bit.

The implementation and tests here don't seem to match the stated problem, though. Trying to throw out of a noexcept function is actually well-defined — the function has to catch the exception and call std::terminate, and we do actually generate code that way. Your patch is just adding a check at the start of the handler we emit, which means it's not catching anything we're not already catching; also, again, this is a well-defined execution path, so it doesn't seem appropriate to trigger UBSan on it.

IIRC, there are really only two potential sources of UB with noexcept. The first is that you can declare a function noexcept(true) but implement it as noexcept(false), which is in a class of problems (ODR violations) that I think UBSan doesn't normally try to diagnose. The second is that I think it's possible to get a noexcept(true) function pointer for a noexcept(false) function, maybe via some chain of casts; that would be a little closer to what UBSan normally diagnoses.

Meanwhile, your original test case has nothing to do with noexcept. __attribute__((pure)) (like nothrow and -fno-exceptions) really does introduce a novel UB rule which it would be reasonable to ask the compiler to check under UBSan.

I think the right way to handle what you're trying to handle would be to introduce some different kind of scope, a "it's UB to unwind out of this" scope, and then push that scope around calls and implementations of functions that use one of the UB-to-throw attributes. You could also potentially push that scope around calls to nounwind functions if you want to catch those ODR / function-pointer cases.

Yes. Somehow i did not think that those attributes introduce UB, and not are just handled incorrectly,
and tried to solve this the wrong way around. That being said, this diff is not incorrect.
I would like to have a sanitizer for the "exception escape is guaranteed to cause program termination" mode,
because all of the bugs with that mode i had to deal with had rather bad diagnostic,
but that can be done afterwards.

Thanks!

ping

ping. We need to get this going, reminder, this was caught because it caused a visible miscompilation.
@rjmccall are you satisfied with the way we emit srcloc info?
@aaron.ballman thoughts on the docs changes?

One unanswered question i have, is if we can get the exception's underlying C++ type as a string,
and print it. Also, is it useful to pass Exn into the handler? Can we do anything useful with it?

In D137381#3953178, @lebedev.ri wrote:

ping. We need to get this going, reminder, this was caught because it caused a visible miscompilation.

I'm sorry, I caught COVID-19 during the LLVM conference and have not had a lot of energy recently, plus last week was the Thanksgiving holiday in the US.

Please don't describe this as a miscompilation. It may not match what you want as a user, but what the the compiler is doing is not incorrect. What you're doing is adding a mitigation to try to protect against a source of UB that recently affected you, which is commendable but doesn't have the same level of urgency.

@rjmccall thank you for taking a look!

In D137381#3955100, @rjmccall wrote:

In D137381#3953178, @lebedev.ri wrote:

ping. We need to get this going, reminder, this was caught because it caused a visible miscompilation.

I'm sorry, I caught COVID-19 during the LLVM conference and have not had a lot of energy recently,

I'm sorry.

plus last week was the Thanksgiving holiday in the US.

Please don't describe this as a miscompilation. It may not match what you want as a user, but what the the compiler is doing is not incorrect.

Right.

What you're doing is adding a mitigation to try to protect against a source of UB that recently affected you, which is commendable but doesn't have the same level of urgency.

I'm mainly worried that there are likely other "miscompilations" in the wild.
Also, after this, we might want to reevaluate which clang attribute does what,

The more i stare at this. The more worried i am. Is the idea that, when we are in termination/UB EH scope, we no longer have to play by the RAII rules, and destructors, for the moment, are no-ops and are side-effect free?

Termination is allowed to happen as soon as the implementation detects that unwinding will only avoid termination if a cleanup does something non-terminating, like infinite loop or abort. This does enable some amount of code-size optimization, but the main purpose (as I understand it) is to improve debugging of what's presumed to be a programmer error by allowing the runtime to trigger termination with the faulting context still intact instead of requiring the stack to be unwound just to, like, deallocate a temporary std::string ten frames up.

The important thing for us is that the standard explicitly blesses this presumption: it has been decided that C++ programmers should not be relying on destructors being called when their programs throw in a context where the implementation has no choice but to terminate, and if they really need unwinding to happen, they should be handling exceptions properly. I don't think that's an unreasonable rule. (Note that it is limited to failures to formally handle exceptions, not some sort of post-domination by std::terminate. If you catch an exception and then call std::terminate yourself, the rule does not apply, and the stack is required to be unwound to the catch.) Also, it's a rule that Clang already takes advantage of within terminate scopes, which are otherwise well-defined, so I do think it would be fairly absurd to act like these UB scopes need stricter rules about running cleanups.

Last(?) ping of the year?

ping

I am unfamiliar with Clang codegen so I am just commenting about what a user may feel about this feature.

compiler-rt/test/ubsan/TestCases/Misc/exception-escape.cpp cannot demonstrate the value of the new UBSan check -fsanitize=exception-escape, as the executable will fail without the option (Clang emits call instead of invoke for a nounwind function call, and there is no LSDA information, libgcc/libunwind will call terminate; it's trivial to get more diagnostic with a SIBABRT signal handler).
To demonstrate the value, footgun and its caller need to be in different TUs and the caller does not know footgun is nounwind.
In such a setup, I think people likely care more about -fno-exceptions/-fexceptions exception propagation instead of __attribute__((pure)) and find -fsanitize=exception-escape not do what it may advertise.

The more common -fno-exceptions/-fexceptions exception propagation dilemma can be detected today with -fno-asynchronous-unwind-tables.

In D137381#4038716, @MaskRay wrote:

I am unfamiliar with Clang codegen so I am just commenting about what a user may feel about this feature.

compiler-rt/test/ubsan/TestCases/Misc/exception-escape.cpp cannot demonstrate the value of the new UBSan check -fsanitize=exception-escape, as the executable will fail without the option (Clang emits call instead of invoke for a nounwind function call, and there is no LSDA information, libgcc/libunwind will call terminate; it's trivial to get more diagnostic with a SIBABRT signal handler).
To demonstrate the value, footgun and its caller need to be in different TUs and the caller does not know footgun is nounwind.
In such a setup, I think people likely care more about -fno-exceptions/-fexceptions exception propagation instead of __attribute__((pure)) and find -fsanitize=exception-escape not do what it may advertise.

The more common -fno-exceptions/-fexceptions exception propagation dilemma can be detected today with -fno-asynchronous-unwind-tables.

Thank you for taking a look. I'm afraid this review comment is not based on reality, so i'm forced to ignore it.
The whole point of the clang change is to *NOT* lower such calls that we "know" will not unwind to a call, but into an invoke, with sanitization in the landingpad.