This is an archive of the discontinued LLVM Phabricator instance.

Differential D148785

-fsanitize=function: use type hashes instead of RTTI objects
ClosedPublic

Authored by MaskRay on Apr 20 2023, 12:54 AM.

Details

Reviewers
pcc
peter.smith
sberg
samitolvanen
vitalybuka
Group Reviewers
Restricted Project
Commits
rG46f366494f3c: -fsanitize=function: use type hashes instead of RTTI objects
Summary

Currently we use RTTI objects to check type compatibility. To support non-unique
RTTI objects, commit 5745eccef54ddd3caca278d1d292a88b2281528b added a
checkTypeInfoEquality string matching to the runtime.
The scheme is inefficient.

_Z1fv:
  .long   846595819                    # jmp
  .long   .L__llvm_rtti_proxy-_Z3funv
  ...

main:
  ...
  # Load the second word (pointer to the RTTI object) and dereference it.
  movslq  4(%rsi), %rax
  movq    (%rax,%rsi), %rdx
  # Is it the desired typeinfo object?
  leaq    _ZTIFvvE(%rip), %rax
  # If not, call __ubsan_handle_function_type_mismatch_v1, which may recover if checkTypeInfoEquality allows
  cmpq    %rax, %rdx
  jne     .LBB1_2
  ...

.section        .data.rel.ro,"aw",@progbits
  .p2align        3, 0x0
.L__llvm_rtti_proxy:
  .quad   _ZTIFvvE

Let's replace the indirect _ZTI pointer with a type hash similar to
-fsanitize=kcfi.

_Z1fv:
  .long   3238382334
  .long   2772461324  # type hash

main:
  ...
  # Load the second word (callee type hash) and check whether it is expected
  cmpl    $-1522505972, -4(%rax)
  # If not, fail: call __ubsan_handle_function_type_mismatch
  jne     .LBB2_2

The RTTI object derives its name from clang::MangleContext::mangleCXXRTTI,
which uses mangleType. mangleTypeName uses mangleType as well. So the
type compatibility change is high-fidelity.

Since we no longer need RTTI pointers in
__ubsan::__ubsan_handle_function_type_mismatch_v1, let's switch it back to
version 0, the original signature before
e215996a2932ed7c472f4e94dc4345b30fd0c373 (2019).
__ubsan::__ubsan_handle_function_type_mismatch_abort is not
recoverable, so we can revert some changes from
e215996a2932ed7c472f4e94dc4345b30fd0c373.

Diff Detail

Event Timeline

MaskRay created this revision.Apr 20 2023, 12:54 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 20 2023, 12:54 AM
Herald added subscribers: Enna1, hiraditya. · View Herald Transcript
MaskRay requested review of this revision.Apr 20 2023, 12:54 AM
Herald added projects: Restricted Project, Restricted Project, Restricted Project. · View Herald TranscriptApr 20 2023, 12:54 AM
Herald added subscribers: llvm-commits, cfe-commits. · View Herald Transcript
MaskRay updated this revision to Diff 515243.Apr 20 2023, 12:57 AM

update llvm/test/CodeGen

Herald added a subscriber: pengfei. · View Herald TranscriptApr 20 2023, 12:57 AM
Harbormaster completed remote builds in B226813: Diff 515243.Apr 20 2023, 12:58 AM
MaskRay mentioned this in D148827: -fsanitize=function: support C.Apr 20 2023, 11:55 AM
MaskRay added a child revision: D148827: -fsanitize=function: support C.Apr 20 2023, 11:57 AM
peter.smith mentioned this in D148665: Change -fsanitize=function to place two words before the function entry.May 3 2023, 11:11 AM
peter.smith added a comment.May 15 2023, 10:51 AM

Should HANDLER(__ubsan_handle_function_type_mismatch,"function") be added to ubsan_minimal_runtime if this is supported in the minimal runtime?

clang/lib/CodeGen/CGExpr.cpp
5377–5378

Would CalleeTypeHashMatch be a better name?

clang/lib/CodeGen/CodeGenFunction.h
120

Presumably the signature is different to the original v0 shouldn't it be 2; or is it effectively so long since the last one that we can reuse the original without fear?

clang/test/CodeGenCXX/catch-undef-behavior.cpp
404–405

CalleeTypeHash check?

llvm/test/CodeGen/AArch64/patchable-function-entry-bti.ll
92

Assuming the test is the equivalent of -fpatchable-function-entry=1,1 I think this is the wrong place for the nop, I think it needs to be after the signature and the loads adjusted. For example with -fsanitize=kcfi -fpatchable-function-entries=1,1

typedef int Fptr(void);

int function(void) {
  return 0;
}

int call(Fptr* fp) {
  return fp();
}

Results in code like:

        .word   1670944012                      // @call
                                        // 0x6398950c
.Ltmp1:
        nop
call:
.Lfunc_begin1:
        .cfi_startproc
// %bb.0:                               // %entry
        ldur    w16, [x0, #-8]
        movk    w17, #50598
        movk    w17, #14001, lsl #16
        cmp     w16, w17
        b.eq    .Ltmp2
        brk     #0x8220
.Ltmp2:
        br      x0
.Lfunc_end1:

Note the NOP is after the signature, with the ldur having an offset of -8 and not the usual -4. I think you would need to make sure the signature is a branch instruction for each target for this scheme to work.

MaskRay marked 2 inline comments as done.May 15 2023, 11:56 AM
In D148785#4343112, @peter.smith wrote:

Should HANDLER(__ubsan_handle_function_type_mismatch,"function") be added to ubsan_minimal_runtime if this is supported in the minimal runtime?

Thanks for the comments.

compiler-rt/lib/ubsan_minimal/ubsan_minimal_handlers.cpp has HANDLER(function_type_mismatch, "function-type-mismatch") and with this patch clang++ -fsanitize=function -fsanitize-minimal-runtime works.

clang/lib/CodeGen/CGExpr.cpp
5377–5378

Thanks for the suggestion. Adopted.

clang/lib/CodeGen/CodeGenFunction.h
120

The signature is identical to the original v0, so we just "downgrade" the version.

MaskRay updated this revision to Diff 522286.May 15 2023, 11:57 AM
MaskRay marked 2 inline comments as done.

rename a variable

Harbormaster completed remote builds in B232075: Diff 522286.May 15 2023, 11:57 AM
thesamesam added a subscriber: thesamesam.May 15 2023, 11:57 PM
MaskRay added a reviewer: vitalybuka.May 16 2023, 2:17 PM
vitalybuka added a comment.May 16 2023, 3:39 PM

Is possible to split the patch into smaller ones?

MaskRay added a comment.May 16 2023, 4:01 PM
In D148785#4348053, @vitalybuka wrote:

Is possible to split the patch into smaller ones?

The Clang CodeGen side needs to match llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp and compiler-rt/lib/ubsan, so no, I think this is the smallest unit...

I have placed logically independent parts in other patches: D148665, D148573.

MaskRay added a parent revision: D148573: Allow -fsanitize=function on all targets.May 16 2023, 4:01 PM
samitolvanen accepted this revision.May 16 2023, 4:10 PM

Looks good to me, but maybe worth waiting for someone more familiar with compiler-rt to take a look as well.

llvm/test/CodeGen/AArch64/patchable-function-entry-bti.ll
92

No, this looks correct to me. Note that in AsmPrinter the type hash is emitted after the patchable-function-prefix nops, while the KCFI type hash is emitted before them.

This revision is now accepted and ready to land.May 16 2023, 4:10 PM
peter.smith added inline comments.May 17 2023, 2:35 AM
llvm/test/CodeGen/AArch64/patchable-function-entry-bti.ll
92

My concern is more along the lines of how would this function be patched if the code doing the patching were unaware of the signature. I'm not familiar with how the kernel uses the nops so it could be that this is won't be a problem in practice.

With -fsanitize=kcfi it looks like there is no difference to the code doing the patching as the nops are in the same place with respect to the function entry point and there is no fall through into the signature.

With -fsanitize=function anything patching the first nop as an instruction would need to branch over the signature (unless the first entry of the signature was a branch instruction, but that would mean a target specific signature), obviously if the nop is patched with data and isn't the entry point then this doesn't matter. The code doing the patching would also need to know how to locate the nop ahead of the signature.

MaskRay added inline comments.May 17 2023, 6:27 PM
llvm/test/CodeGen/AArch64/patchable-function-entry-bti.ll
92

The responsibility is on the user side to ensure that when M>0, they code patches one of the M NOPs to a branch over the signature (0xc105cafe).

// -fsanitize=function -fpatchable-function-entry=3,3
.Ltmp0:
        nop
        nop
        nop    # ensure there is a branch over the signature
        .long   3238382334                      # 0xc105cafe
        .long   2772461324                      # 0xa540670c
foo:

In addition, -fpatchable-function-entry=N,M where M>0 is uncommon. -fpatchable-function-entry= didn't work with -fsanitize=function before my changes.

MaskRay marked 2 inline comments as done.May 17 2023, 6:32 PM
MaskRay added inline comments.
clang/test/CodeGenCXX/catch-undef-behavior.cpp
404–405

CalleeTypeHashPtr seems clear. Do you mean to change HashCmp below to CalleeTypeHashMatch?

MaskRay added inline comments.May 17 2023, 6:36 PM
llvm/test/CodeGen/AArch64/patchable-function-entry-bti.ll
92

My concern is more along the lines of how would this function be patched if the code doing the patching were unaware of the signature. I'm not familiar with how the kernel uses the nops so it could be that this is won't be a problem in practice.

I think the patching code must be aware if the user decides to use -fpatchable-function-entry=N,M where M>0, otherwise it's the pilot error to use the option with -fsanitize=function.

-fsanitize=function is designed to be compatible with uninstrumented functions (used as indirect call callees) and compatible with object files, -fpatchable-function-entry=N,M functions, and regular functions. The call site must use the fixed offset unaffected by -fpatchable-function-entry=N,M.

peter.smith added inline comments.May 18 2023, 2:25 AM
clang/test/CodeGenCXX/catch-undef-behavior.cpp
404–405

Apologies; I meant the comment is stale, it still says RTTI pointer check

llvm/test/CodeGen/AArch64/patchable-function-entry-bti.ll
92

I don't have any objections here. Just wanted to make sure that we weren't breaking any expectations.

I found one use in the kernel that uses -fpatchable-function-entry=4,2 (https://lore.kernel.org/all/20230123134603.1064407-9-mark.rutland@arm.com/)

Quoting from that:

Currently, this approach is not compatible with CLANG_CFI, as the
presence/absence of pre-function NOPs changes the offset of the
pre-function type hash, and there's no existing mechanism to ensure a
consistent offset for instrumented and uninstrumented functions. When
CLANG_CFI is enabled, the existing scheme with a global ops->func
pointer is used, and there should be no functional change. I am
currently working with others to allow the two to work together in
future (though this will liekly require updated compiler support).

I expect -fsanitize=kcfi to be used in this case over -fsanitize=functions so I don't think this will cause a problem in practice.

MaskRay updated this revision to Diff 523984.May 19 2023, 8:21 PM
MaskRay marked 2 inline comments as done.

fix a comment

MaskRay added inline comments.May 19 2023, 8:34 PM
clang/test/CodeGenCXX/catch-undef-behavior.cpp
404–405

Sorry for missing the stale comment. Fixed!

llvm/test/CodeGen/AArch64/patchable-function-entry-bti.ll
92

I expect -fsanitize=kcfi to be used in this case over -fsanitize=functions so I don't think this will cause a problem in practice.

Yes, the kernel requires the addresses of the instrumented call sites which can only be provided by -fsanitize=kcfi. -fsanitize=function instrumented call sites are not recorded in a metadata section.
The kernel doesn't have a -fsanitize=function configuration.

For userspace programs that want to attempt both -fpatchable-function-entry=N,M where M>0 and -fsanitize=function, I expect that they need to check the -fsanitize=function signature...

Harbormaster completed remote builds in B233333: Diff 523984.May 19 2023, 9:12 PM
This revision was landed with ongoing or failed builds.May 20 2023, 8:24 AM
Closed by commit rG46f366494f3c: -fsanitize=function: use type hashes instead of RTTI objects (authored by MaskRay). · Explain Why
This revision was automatically updated to reflect the committed changes.
MaskRay added a commit: rG46f366494f3c: -fsanitize=function: use type hashes instead of RTTI objects.
MaskRay mentioned this in rG279a4d0d67c8: -fsanitize=function: support C.May 22 2023, 10:11 AM
hans added a subscriber: hans.May 23 2023, 6:57 AM

This broke the tests on Mac, see e.g. https://green.lab.llvm.org/green/job/clang-stage1-RA/34396/consoleFull (or http://crbug.com/1447928)

MaskRay mentioned this in rGaa972f607c55: -fsanitize=function,MicrosoftMangle: Switch to xxh3_64bits.Jul 19 2023, 3:21 PM

Revision Contents

PathSize
clang/
docs/
4 lines
lib/
CodeGen/
29 lines
9 lines
38 lines
Driver/
3 lines
test/
CodeGen/
17 lines
CodeGenCXX/
19 lines
19 lines
Driver/
5 lines
compiler-rt/
lib/
ubsan/
11 lines
35 lines
16 lines
44 lines
4 lines
llvm/
lib/
CodeGen/
AsmPrinter/
9 lines
test/
CodeGen/
AArch64/
12 lines
7 lines
X86/
7 lines
7 lines

Diff 524038

clang/docs/UndefinedBehaviorSanitizer.rst

Show First 20 LinesShow All 216 Lines▼ Show 20 Lines
The ``null``, ``alignment``, ``object-size``, ``local-bounds``, and ``vptr`` checks do not apply The ``null``, ``alignment``, ``object-size``, ``local-bounds``, and ``vptr`` checks do not apply
to pointers to types with the ``volatile`` qualifier. to pointers to types with the ``volatile`` qualifier.
Minimal Runtime Minimal Runtime
=============== ===============
There is a minimal UBSan runtime available suitable for use in production There is a minimal UBSan runtime available suitable for use in production
environments. This runtime has a small attack surface. It only provides very environments. This runtime has a small attack surface. It only provides very
basic issue logging and deduplication, and does not support basic issue logging and deduplication, and does not support ``-fsanitize=vptr``
``-fsanitize=function`` and ``-fsanitize=vptr`` checking. checking.
To use the minimal runtime, add ``-fsanitize-minimal-runtime`` to the clang To use the minimal runtime, add ``-fsanitize-minimal-runtime`` to the clang
command line options. For example, if you're used to compiling with command line options. For example, if you're used to compiling with
``-fsanitize=undefined``, you could enable the minimal runtime with ``-fsanitize=undefined``, you could enable the minimal runtime with
``-fsanitize=undefined -fsanitize-minimal-runtime``. ``-fsanitize=undefined -fsanitize-minimal-runtime``.
Stack traces and report symbolization Stack traces and report symbolization
===================================== =====================================
▲ Show 20 LinesShow All 137 LinesShow Last 20 Lines

clang/lib/CodeGen/CGExpr.cpp

Show All 34 Lines
#include "llvm/IR/Intrinsics.h" #include "llvm/IR/Intrinsics.h"
#include "llvm/IR/LLVMContext.h" #include "llvm/IR/LLVMContext.h"
#include "llvm/IR/MDBuilder.h" #include "llvm/IR/MDBuilder.h"
#include "llvm/IR/MatrixBuilder.h" #include "llvm/IR/MatrixBuilder.h"
#include "llvm/Support/ConvertUTF.h" #include "llvm/Support/ConvertUTF.h"
#include "llvm/Support/MathExtras.h" #include "llvm/Support/MathExtras.h"
#include "llvm/Support/Path.h" #include "llvm/Support/Path.h"
#include "llvm/Support/SaveAndRestore.h" #include "llvm/Support/SaveAndRestore.h"
#include "llvm/Support/xxhash.h"
#include "llvm/Transforms/Utils/SanitizerStats.h" #include "llvm/Transforms/Utils/SanitizerStats.h"
#include <optional> #include <optional>
#include <string> #include <string>
using namespace clang; using namespace clang;
using namespace CodeGen; using namespace CodeGen;
▲ Show 20 LinesShow All 3,166 Lines▼ Show 20 Linesenum class CheckRecoverableKind {
Recoverable, Recoverable,
/// Runtime conditionally aborts, always need to support recovery. /// Runtime conditionally aborts, always need to support recovery.
AlwaysRecoverable AlwaysRecoverable
}; };
} }
static CheckRecoverableKind getRecoverableKind(SanitizerMask Kind) { static CheckRecoverableKind getRecoverableKind(SanitizerMask Kind) {
assert(Kind.countPopulation() == 1); assert(Kind.countPopulation() == 1);
if (Kind == SanitizerKind::Function || Kind == SanitizerKind::Vptr) if (Kind == SanitizerKind::Vptr)
return CheckRecoverableKind::AlwaysRecoverable; return CheckRecoverableKind::AlwaysRecoverable;
else if (Kind == SanitizerKind::Return || Kind == SanitizerKind::Unreachable) else if (Kind == SanitizerKind::Return || Kind == SanitizerKind::Unreachable)
return CheckRecoverableKind::Unrecoverable; return CheckRecoverableKind::Unrecoverable;
else else
return CheckRecoverableKind::Recoverable; return CheckRecoverableKind::Recoverable;
} }
namespace { namespace {
▲ Show 20 LinesShow All 2,114 Lines▼ Show 20 LinesRValue CodeGenFunction::EmitCall(QualType CalleeType, const CGCallee &OrigCallee,
CGCallee Callee = OrigCallee; CGCallee Callee = OrigCallee;
if (getLangOpts().CPlusPlus && SanOpts.has(SanitizerKind::Function) && if (getLangOpts().CPlusPlus && SanOpts.has(SanitizerKind::Function) &&
(!TargetDecl || !isa<FunctionDecl>(TargetDecl))) { (!TargetDecl || !isa<FunctionDecl>(TargetDecl))) {
if (llvm::Constant *PrefixSig = if (llvm::Constant *PrefixSig =
CGM.getTargetCodeGenInfo().getUBSanFunctionSignature(CGM)) { CGM.getTargetCodeGenInfo().getUBSanFunctionSignature(CGM)) {
SanitizerScope SanScope(this); SanitizerScope SanScope(this);
// Remove any (C++17) exception specifications, to allow calling e.g. a auto *TypeHash = getUBSanFunctionTypeHash(PointeeType);
// noexcept function through a non-noexcept pointer.
auto ProtoTy =
getContext().getFunctionTypeWithExceptionSpec(PointeeType, EST_None);
llvm::Constant *FTRTTIConst =
CGM.GetAddrOfRTTIDescriptor(ProtoTy, /*ForEH=*/true);
llvm::Type *PrefixSigType = PrefixSig->getType(); llvm::Type *PrefixSigType = PrefixSig->getType();
llvm::StructType *PrefixStructTy = llvm::StructType::get( llvm::StructType *PrefixStructTy = llvm::StructType::get(
CGM.getLLVMContext(), {PrefixSigType, Int32Ty}, /*isPacked=*/true); CGM.getLLVMContext(), {PrefixSigType, Int32Ty}, /*isPacked=*/true);
llvm::Value *CalleePtr = Callee.getFunctionPointer(); llvm::Value *CalleePtr = Callee.getFunctionPointer();
llvm::Value *CalleePrefixStruct = Builder.CreateBitCast( llvm::Value *CalleePrefixStruct = Builder.CreateBitCast(
CalleePtr, llvm::PointerType::getUnqual(PrefixStructTy)); CalleePtr, llvm::PointerType::getUnqual(PrefixStructTy));
llvm::Value *CalleeSigPtr = llvm::Value *CalleeSigPtr =
Builder.CreateConstGEP2_32(PrefixStructTy, CalleePrefixStruct, -1, 0); Builder.CreateConstGEP2_32(PrefixStructTy, CalleePrefixStruct, -1, 0);
llvm::Value *CalleeSig = llvm::Value *CalleeSig =
Builder.CreateAlignedLoad(PrefixSigType, CalleeSigPtr, getIntAlign()); Builder.CreateAlignedLoad(PrefixSigType, CalleeSigPtr, getIntAlign());
llvm::Value *CalleeSigMatch = Builder.CreateICmpEQ(CalleeSig, PrefixSig); llvm::Value *CalleeSigMatch = Builder.CreateICmpEQ(CalleeSig, PrefixSig);
llvm::BasicBlock *Cont = createBasicBlock("cont"); llvm::BasicBlock *Cont = createBasicBlock("cont");
llvm::BasicBlock *TypeCheck = createBasicBlock("typecheck"); llvm::BasicBlock *TypeCheck = createBasicBlock("typecheck");
Builder.CreateCondBr(CalleeSigMatch, TypeCheck, Cont); Builder.CreateCondBr(CalleeSigMatch, TypeCheck, Cont);
EmitBlock(TypeCheck); EmitBlock(TypeCheck);
llvm::Value *CalleeRTTIPtr = llvm::Value *CalleeTypeHash = Builder.CreateAlignedLoad(
peter.smithUnsubmitted
Done
ReplyInline Actions

Would CalleeTypeHashMatch be a better name?

peter.smith: Would CalleeTypeHashMatch be a better name?
MaskRayAuthorUnsubmitted
Done
ReplyInline Actions

Thanks for the suggestion. Adopted.

MaskRay: Thanks for the suggestion. Adopted.
Builder.CreateConstGEP2_32(PrefixStructTy, CalleePrefixStruct, -1, 1); Int32Ty,
llvm::Value *CalleeRTTIEncoded = Builder.CreateConstGEP2_32(PrefixStructTy, CalleePrefixStruct, -1, 1),
Builder.CreateAlignedLoad(Int32Ty, CalleeRTTIPtr, getPointerAlign()); getPointerAlign());
llvm::Value *CalleeRTTI = llvm::Value *CalleeTypeHashMatch =
DecodeAddrUsedInPrologue(CalleePtr, CalleeRTTIEncoded); Builder.CreateICmpEQ(CalleeTypeHash, TypeHash);
llvm::Value *CalleeRTTIMatch =
Builder.CreateICmpEQ(CalleeRTTI, FTRTTIConst);
llvm::Constant *StaticData[] = {EmitCheckSourceLocation(E->getBeginLoc()), llvm::Constant *StaticData[] = {EmitCheckSourceLocation(E->getBeginLoc()),
EmitCheckTypeDescriptor(CalleeType)}; EmitCheckTypeDescriptor(CalleeType)};
EmitCheck(std::make_pair(CalleeRTTIMatch, SanitizerKind::Function), EmitCheck(std::make_pair(CalleeTypeHashMatch, SanitizerKind::Function),
SanitizerHandler::FunctionTypeMismatch, StaticData, SanitizerHandler::FunctionTypeMismatch, StaticData,
{CalleePtr, CalleeRTTI, FTRTTIConst}); {CalleePtr});
Builder.CreateBr(Cont); Builder.CreateBr(Cont);
EmitBlock(Cont); EmitBlock(Cont);
} }
} }
const auto *FnType = cast<FunctionType>(PointeeType); const auto *FnType = cast<FunctionType>(PointeeType);
▲ Show 20 LinesShow All 271 LinesShow Last 20 Lines

clang/lib/CodeGen/CodeGenFunction.h

Show First 20 LinesShow All 111 Lines▼ Show 20 Lines
#define LIST_SANITIZER_CHECKS \ #define LIST_SANITIZER_CHECKS \
SANITIZER_CHECK(AddOverflow, add_overflow, 0) \ SANITIZER_CHECK(AddOverflow, add_overflow, 0) \
SANITIZER_CHECK(BuiltinUnreachable, builtin_unreachable, 0) \ SANITIZER_CHECK(BuiltinUnreachable, builtin_unreachable, 0) \
SANITIZER_CHECK(CFICheckFail, cfi_check_fail, 0) \ SANITIZER_CHECK(CFICheckFail, cfi_check_fail, 0) \
SANITIZER_CHECK(DivremOverflow, divrem_overflow, 0) \ SANITIZER_CHECK(DivremOverflow, divrem_overflow, 0) \
SANITIZER_CHECK(DynamicTypeCacheMiss, dynamic_type_cache_miss, 0) \ SANITIZER_CHECK(DynamicTypeCacheMiss, dynamic_type_cache_miss, 0) \
SANITIZER_CHECK(FloatCastOverflow, float_cast_overflow, 0) \ SANITIZER_CHECK(FloatCastOverflow, float_cast_overflow, 0) \
SANITIZER_CHECK(FunctionTypeMismatch, function_type_mismatch, 1) \ SANITIZER_CHECK(FunctionTypeMismatch, function_type_mismatch, 0) \
peter.smithUnsubmitted
Done
ReplyInline Actions

Presumably the signature is different to the original v0 shouldn't it be 2; or is it effectively so long since the last one that we can reuse the original without fear?

peter.smith: Presumably the signature is different to the original v0 shouldn't it be 2; or is it…
MaskRayAuthorUnsubmitted
Done
ReplyInline Actions

The signature is identical to the original v0, so we just "downgrade" the version.

MaskRay: The signature is identical to the original v0, so we just "downgrade" the version.
SANITIZER_CHECK(ImplicitConversion, implicit_conversion, 0) \ SANITIZER_CHECK(ImplicitConversion, implicit_conversion, 0) \
SANITIZER_CHECK(InvalidBuiltin, invalid_builtin, 0) \ SANITIZER_CHECK(InvalidBuiltin, invalid_builtin, 0) \
SANITIZER_CHECK(InvalidObjCCast, invalid_objc_cast, 0) \ SANITIZER_CHECK(InvalidObjCCast, invalid_objc_cast, 0) \
SANITIZER_CHECK(LoadInvalidValue, load_invalid_value, 0) \ SANITIZER_CHECK(LoadInvalidValue, load_invalid_value, 0) \
SANITIZER_CHECK(MissingReturn, missing_return, 0) \ SANITIZER_CHECK(MissingReturn, missing_return, 0) \
SANITIZER_CHECK(MulOverflow, mul_overflow, 0) \ SANITIZER_CHECK(MulOverflow, mul_overflow, 0) \
SANITIZER_CHECK(NegateOverflow, negate_overflow, 0) \ SANITIZER_CHECK(NegateOverflow, negate_overflow, 0) \
SANITIZER_CHECK(NullabilityArg, nullability_arg, 0) \ SANITIZER_CHECK(NullabilityArg, nullability_arg, 0) \
▲ Show 20 LinesShow All 2,234 Lines▼ Show 20 Linespublic:
/// AlwaysEmitXRayCustomEvents - Return true if we must unconditionally emit /// AlwaysEmitXRayCustomEvents - Return true if we must unconditionally emit
/// XRay custom event handling calls. /// XRay custom event handling calls.
bool AlwaysEmitXRayCustomEvents() const; bool AlwaysEmitXRayCustomEvents() const;
/// AlwaysEmitXRayTypedEvents - Return true if clang must unconditionally emit /// AlwaysEmitXRayTypedEvents - Return true if clang must unconditionally emit
/// XRay typed event handling calls. /// XRay typed event handling calls.
bool AlwaysEmitXRayTypedEvents() const; bool AlwaysEmitXRayTypedEvents() const;
/// Decode an address used in a function prologue, encoded by \c /// Return a type hash constant for a function instrumented by
/// EncodeAddrForUseInPrologue. /// -fsanitize=function.
llvm::Value *DecodeAddrUsedInPrologue(llvm::Value *F, llvm::ConstantInt *getUBSanFunctionTypeHash(QualType T) const;
llvm::Value *EncodedAddr);
/// EmitFunctionProlog - Emit the target specific LLVM code to load the /// EmitFunctionProlog - Emit the target specific LLVM code to load the
/// arguments for the given function. This is also responsible for naming the /// arguments for the given function. This is also responsible for naming the
/// LLVM function arguments. /// LLVM function arguments.
void EmitFunctionProlog(const CGFunctionInfo &FI, void EmitFunctionProlog(const CGFunctionInfo &FI,
llvm::Function *Fn, llvm::Function *Fn,
const FunctionArgList &Args); const FunctionArgList &Args);
▲ Show 20 LinesShow All 2,513 LinesShow Last 20 Lines

clang/lib/CodeGen/CodeGenFunction.cpp

Show All 38 Lines
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
#include "llvm/IR/Dominators.h" #include "llvm/IR/Dominators.h"
#include "llvm/IR/FPEnv.h" #include "llvm/IR/FPEnv.h"
#include "llvm/IR/IntrinsicInst.h" #include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/Intrinsics.h" #include "llvm/IR/Intrinsics.h"
#include "llvm/IR/MDBuilder.h" #include "llvm/IR/MDBuilder.h"
#include "llvm/IR/Operator.h" #include "llvm/IR/Operator.h"
#include "llvm/Support/CRC.h" #include "llvm/Support/CRC.h"
#include "llvm/Support/xxhash.h"
#include "llvm/Transforms/Scalar/LowerExpectIntrinsic.h" #include "llvm/Transforms/Scalar/LowerExpectIntrinsic.h"
#include "llvm/Transforms/Utils/PromoteMemToReg.h" #include "llvm/Transforms/Utils/PromoteMemToReg.h"
#include <optional> #include <optional>
using namespace clang; using namespace clang;
using namespace CodeGen; using namespace CodeGen;
/// shouldEmitLifetimeMarkers - Decide whether we need emit the life-time /// shouldEmitLifetimeMarkers - Decide whether we need emit the life-time
▲ Show 20 LinesShow All 507 Lines▼ Show 20 Lines
bool CodeGenFunction::AlwaysEmitXRayTypedEvents() const { bool CodeGenFunction::AlwaysEmitXRayTypedEvents() const {
return CGM.getCodeGenOpts().XRayInstrumentFunctions && return CGM.getCodeGenOpts().XRayInstrumentFunctions &&
(CGM.getCodeGenOpts().XRayAlwaysEmitTypedEvents || (CGM.getCodeGenOpts().XRayAlwaysEmitTypedEvents ||
CGM.getCodeGenOpts().XRayInstrumentationBundle.Mask == CGM.getCodeGenOpts().XRayInstrumentationBundle.Mask ==
XRayInstrKind::Typed); XRayInstrKind::Typed);
} }
llvm::Value * llvm::ConstantInt *
CodeGenFunction::DecodeAddrUsedInPrologue(llvm::Value *F, CodeGenFunction::getUBSanFunctionTypeHash(QualType Ty) const {
llvm::Value *EncodedAddr) { // Remove any (C++17) exception specifications, to allow calling e.g. a
// Reconstruct the address of the global. // noexcept function through a non-noexcept pointer.
auto *PCRelAsInt = Builder.CreateSExt(EncodedAddr, IntPtrTy); auto ProtoTy = getContext().getFunctionTypeWithExceptionSpec(Ty, EST_None);
auto *FuncAsInt = Builder.CreatePtrToInt(F, IntPtrTy, "func_addr.int"); std::string Mangled;
auto *GOTAsInt = Builder.CreateAdd(PCRelAsInt, FuncAsInt, "global_addr.int"); llvm::raw_string_ostream Out(Mangled);
auto *GOTAddr = Builder.CreateIntToPtr(GOTAsInt, Int8PtrPtrTy, "global_addr"); CGM.getCXXABI().getMangleContext().mangleTypeName(ProtoTy, Out, false);
return llvm::ConstantInt::get(CGM.Int32Ty,
// Load the original pointer through the global. static_cast<uint32_t>(llvm::xxHash64(Mangled)));
return Builder.CreateLoad(Address(GOTAddr, Int8PtrTy, getPointerAlign()),
"decoded_addr");
} }
void CodeGenFunction::EmitKernelMetadata(const FunctionDecl *FD, void CodeGenFunction::EmitKernelMetadata(const FunctionDecl *FD,
llvm::Function *Fn) { llvm::Function *Fn) {
if (!FD->hasAttr<OpenCLKernelAttr>() && !FD->hasAttr<CUDAGlobalAttr>()) if (!FD->hasAttr<OpenCLKernelAttr>() && !FD->hasAttr<CUDAGlobalAttr>())
return; return;
llvm::LLVMContext &Context = getLLVMContext(); llvm::LLVMContext &Context = getLLVMContext();
▲ Show 20 LinesShow All 353 Lines▼ Show 20 Lines if (FD && (getLangOpts().OpenCL ||
// Add metadata for a kernel function. // Add metadata for a kernel function.
EmitKernelMetadata(FD, Fn); EmitKernelMetadata(FD, Fn);
} }
// If we are checking function types, emit a function type signature as // If we are checking function types, emit a function type signature as
// prologue data. // prologue data.
if (FD && getLangOpts().CPlusPlus && SanOpts.has(SanitizerKind::Function)) { if (FD && getLangOpts().CPlusPlus && SanOpts.has(SanitizerKind::Function)) {
if (llvm::Constant *PrologueSig = getPrologueSignature(CGM, FD)) { if (llvm::Constant *PrologueSig = getPrologueSignature(CGM, FD)) {
// Remove any (C++17) exception specifications, to allow calling e.g. a
// noexcept function through a non-noexcept pointer.
auto ProtoTy = getContext().getFunctionTypeWithExceptionSpec(
FD->getType(), EST_None);
llvm::Constant *FTRTTIConst =
CGM.GetAddrOfRTTIDescriptor(ProtoTy, /*ForEH=*/true);
llvm::GlobalVariable *FTRTTIProxy =
CGM.GetOrCreateRTTIProxyGlobalVariable(FTRTTIConst);
llvm::LLVMContext &Ctx = Fn->getContext(); llvm::LLVMContext &Ctx = Fn->getContext();
llvm::MDBuilder MDB(Ctx); llvm::MDBuilder MDB(Ctx);
Fn->setMetadata(llvm::LLVMContext::MD_func_sanitize, Fn->setMetadata(
MDB.createRTTIPointerPrologue(PrologueSig, FTRTTIProxy)); llvm::LLVMContext::MD_func_sanitize,
CGM.addCompilerUsedGlobal(FTRTTIProxy); MDB.createRTTIPointerPrologue(
PrologueSig, getUBSanFunctionTypeHash(FD->getType())));
} }
} }
// If we're checking nullability, we need to know whether we can check the // If we're checking nullability, we need to know whether we can check the
// return value. Initialize the flag to 'true' and refine it in EmitParmDecl. // return value. Initialize the flag to 'true' and refine it in EmitParmDecl.
if (SanOpts.has(SanitizerKind::NullabilityReturn)) { if (SanOpts.has(SanitizerKind::NullabilityReturn)) {
auto Nullability = FnRetTy->getNullability(); auto Nullability = FnRetTy->getNullability();
if (Nullability && *Nullability == NullabilityKind::NonNull) { if (Nullability && *Nullability == NullabilityKind::NonNull) {
▲ Show 20 LinesShow All 1,938 LinesShow Last 20 Lines

clang/lib/Driver/SanitizerArgs.cpp

Show All 30 Lines
static const SanitizerMask NeedsUbsanRt = static const SanitizerMask NeedsUbsanRt =
SanitizerKind::Undefined | SanitizerKind::Integer | SanitizerKind::Undefined | SanitizerKind::Integer |
SanitizerKind::ImplicitConversion | SanitizerKind::Nullability | SanitizerKind::ImplicitConversion | SanitizerKind::Nullability |
SanitizerKind::CFI | SanitizerKind::FloatDivideByZero | SanitizerKind::CFI | SanitizerKind::FloatDivideByZero |
SanitizerKind::ObjCCast; SanitizerKind::ObjCCast;
static const SanitizerMask NeedsUbsanCxxRt = static const SanitizerMask NeedsUbsanCxxRt =
SanitizerKind::Vptr | SanitizerKind::CFI; SanitizerKind::Vptr | SanitizerKind::CFI;
static const SanitizerMask NotAllowedWithTrap = SanitizerKind::Vptr; static const SanitizerMask NotAllowedWithTrap = SanitizerKind::Vptr;
static const SanitizerMask NotAllowedWithMinimalRuntime = static const SanitizerMask NotAllowedWithMinimalRuntime = SanitizerKind::Vptr;
SanitizerKind::Function | SanitizerKind::Vptr;
static const SanitizerMask RequiresPIE = static const SanitizerMask RequiresPIE =
SanitizerKind::DataFlow | SanitizerKind::Scudo; SanitizerKind::DataFlow | SanitizerKind::Scudo;
static const SanitizerMask NeedsUnwindTables = static const SanitizerMask NeedsUnwindTables =
SanitizerKind::Address | SanitizerKind::HWAddress | SanitizerKind::Thread | SanitizerKind::Address | SanitizerKind::HWAddress | SanitizerKind::Thread |
SanitizerKind::Memory | SanitizerKind::DataFlow; SanitizerKind::Memory | SanitizerKind::DataFlow;
static const SanitizerMask SupportsCoverage = static const SanitizerMask SupportsCoverage =
SanitizerKind::Address | SanitizerKind::HWAddress | SanitizerKind::Address | SanitizerKind::HWAddress |
SanitizerKind::KernelAddress | SanitizerKind::KernelHWAddress | SanitizerKind::KernelAddress | SanitizerKind::KernelHWAddress |
▲ Show 20 LinesShow All 1,426 LinesShow Last 20 Lines

clang/test/CodeGen/ubsan-function.cpp

// RUN: %clang_cc1 -triple x86_64-linux-gnu -emit-llvm -o - %s -fsanitize=function -fno-sanitize-recover=all | FileCheck %s // RUN: %clang_cc1 -triple x86_64-linux-gnu -emit-llvm -o - %s -fsanitize=function -fno-sanitize-recover=all | FileCheck %s
// RUN: %clang_cc1 -triple aarch64-linux-gnu -emit-llvm -o - %s -fsanitize=function -fno-sanitize-recover=all | FileCheck %s // RUN: %clang_cc1 -triple aarch64-linux-gnu -emit-llvm -o - %s -fsanitize=function -fno-sanitize-recover=all | FileCheck %s
// RUN: %clang_cc1 -triple aarch64_be-linux-gnu -emit-llvm -o - %s -fsanitize=function -fno-sanitize-recover=all | FileCheck %s // RUN: %clang_cc1 -triple aarch64_be-linux-gnu -emit-llvm -o - %s -fsanitize=function -fno-sanitize-recover=all | FileCheck %s
// CHECK: @[[PROXY:.*]] = private unnamed_addr constant ptr @_ZTIFvvE
// CHECK: define{{.*}} void @_Z3funv() #0 !func_sanitize ![[FUNCSAN:.*]] { // CHECK: define{{.*}} void @_Z3funv() #0 !func_sanitize ![[FUNCSAN:.*]] {
void fun() {} void fun() {}
// CHECK-LABEL: define{{.*}} void @_Z6callerPFvvE(ptr noundef %f) // CHECK-LABEL: define{{.*}} void @_Z6callerPFvvE(ptr noundef %f)
// CHECK: getelementptr <{ i32, i32 }>, ptr {{.*}}, i32 -1, i32 0, !nosanitize // CHECK: getelementptr <{ i32, i32 }>, ptr {{.*}}, i32 -1, i32 0, !nosanitize
// CHECK: load i32, ptr {{.*}}, align {{.*}}, !nosanitize // CHECK: load i32, ptr {{.*}}, align {{.*}}, !nosanitize
// CHECK: icmp eq i32 {{.*}}, -1056584962, !nosanitize // CHECK: icmp eq i32 {{.*}}, -1056584962, !nosanitize
// CHECK: br i1 {{.*}}, label %[[LABEL1:.*]], label %[[LABEL4:.*]], !nosanitize // CHECK: br i1 {{.*}}, label %[[LABEL1:.*]], label %[[LABEL4:.*]], !nosanitize
// CHECK: [[LABEL1]]: // CHECK: [[LABEL1]]:
// CHECK: getelementptr <{ i32, i32 }>, ptr {{.*}}, i32 -1, i32 1, !nosanitize // CHECK: getelementptr <{ i32, i32 }>, ptr {{.*}}, i32 -1, i32 1, !nosanitize
// CHECK: load i32, ptr {{.*}}, align {{.*}}, !nosanitize // CHECK: load i32, ptr {{.*}}, align {{.*}}, !nosanitize
// CHECK: icmp eq ptr {{.*}}, @_ZTIFvvE, !nosanitize // CHECK: icmp eq i32 {{.*}}, -1522505972, !nosanitize
// CHECK: br i1 {{.*}}, label %[[LABEL3:.*]], label %[[LABEL2:[^,]*]], {{.*}}!nosanitize // CHECK: br i1 {{.*}}, label %[[LABEL3:.*]], label %[[LABEL2:[^,]*]], {{.*}}!nosanitize
// CHECK: [[LABEL2]]: // CHECK: [[LABEL2]]:
// CHECK: call void @__ubsan_handle_function_type_mismatch_v1_abort(ptr {{.*}}, i64 {{.*}}, i64 {{.*}}, i64 {{.*}}) #{{.*}}, !nosanitize // CHECK: call void @__ubsan_handle_function_type_mismatch_abort(ptr @[[#]], i64 %[[#]]) #[[#]], !nosanitize
// CHECK-NOT: unreachable // CHECK-NEXT: unreachable, !nosanitize
// CHECK: br label %[[LABEL3]], !nosanitize // CHECK-EMPTY:
// CHECK: [[LABEL3]]: // CHECK-NEXT: [[LABEL3]]:
// CHECK: br label %[[LABEL4]], !nosanitize // CHECK: br label %[[LABEL4]], !nosanitize
// CHECK-EMPTY:
// CHECK-NEXT: [[LABEL4]]:
// CHECK-NEXT: call void
// CHECK-NEXT: ret void
void caller(void (*f)()) { f(); } void caller(void (*f)()) { f(); }
// CHECK: ![[FUNCSAN]] = !{i32 -1056584962, ptr @[[PROXY]]} // CHECK: ![[FUNCSAN]] = !{i32 -1056584962, i32 -1522505972}

clang/test/CodeGenCXX/catch-undef-behavior.cpp

Show All 10 Lines
}; };
// Check that type descriptor global is not modified by ASan. // Check that type descriptor global is not modified by ASan.
// CHECK-ASAN: [[TYPE_DESCR:@[0-9]+]] = private unnamed_addr constant { i16, i16, [4 x i8] } { i16 -1, i16 0, [4 x i8] c"'S'\00" } // CHECK-ASAN: [[TYPE_DESCR:@[0-9]+]] = private unnamed_addr constant { i16, i16, [4 x i8] } { i16 -1, i16 0, [4 x i8] c"'S'\00" }
// Check that type mismatch handler is not modified by ASan. // Check that type mismatch handler is not modified by ASan.
// CHECK-ASAN: private unnamed_addr global { { ptr, i32, i32 }, ptr, ptr, i8 } { {{.*}}, ptr [[TYPE_DESCR]], {{.*}} } // CHECK-ASAN: private unnamed_addr global { { ptr, i32, i32 }, ptr, ptr, i8 } { {{.*}}, ptr [[TYPE_DESCR]], {{.*}} }
// CHECK-FUNCSAN: [[PROXY:@.+]] = private unnamed_addr constant ptr @_ZTIFvPFviEE
struct T : S {}; struct T : S {};
// CHECK-LABEL: @_Z17reference_binding // CHECK-LABEL: @_Z17reference_binding
void reference_binding(int *p, S *q) { void reference_binding(int *p, S *q) {
// C++ core issue 453: If an lvalue to which a reference is directly bound // C++ core issue 453: If an lvalue to which a reference is directly bound
// designates neither an existing object or function of an appropriate type, // designates neither an existing object or function of an appropriate type,
// nor a region of storage of suitable size and alignment to contain an object // nor a region of storage of suitable size and alignment to contain an object
// of the reference's type, the behavior is undefined. // of the reference's type, the behavior is undefined.
▲ Show 20 LinesShow All 369 Lines▼ Show 20 Lines
void indirect_function_call(void (*p)(int)) { void indirect_function_call(void (*p)(int)) {
// CHECK: [[PTR:%.+]] = load ptr, ptr // CHECK: [[PTR:%.+]] = load ptr, ptr
// Signature check // Signature check
// CHECK-NEXT: [[SIGPTR:%.+]] = getelementptr <{ i32, i32 }>, ptr [[PTR]], i32 -1, i32 0 // CHECK-NEXT: [[SIGPTR:%.+]] = getelementptr <{ i32, i32 }>, ptr [[PTR]], i32 -1, i32 0
// CHECK-NEXT: [[SIG:%.+]] = load i32, ptr [[SIGPTR]] // CHECK-NEXT: [[SIG:%.+]] = load i32, ptr [[SIGPTR]]
// CHECK-NEXT: [[SIGCMP:%.+]] = icmp eq i32 [[SIG]], -1056584962 // CHECK-NEXT: [[SIGCMP:%.+]] = icmp eq i32 [[SIG]], -1056584962
// CHECK-NEXT: br i1 [[SIGCMP]] // CHECK-NEXT: br i1 [[SIGCMP]]
// RTTI pointer check // CalleeTypeHash check
peter.smithUnsubmitted
Done
ReplyInline Actions

CalleeTypeHash check?

peter.smith: CalleeTypeHash check?
MaskRayAuthorUnsubmitted
Done
ReplyInline Actions

CalleeTypeHashPtr seems clear. Do you mean to change HashCmp below to CalleeTypeHashMatch?

MaskRay: `CalleeTypeHashPtr` seems clear. Do you mean to change `HashCmp` below to `CalleeTypeHashMatch`?
peter.smithUnsubmitted
Done
ReplyInline Actions

Apologies; I meant the comment is stale, it still says RTTI pointer check

peter.smith: Apologies; I meant the comment is stale, it still says RTTI pointer check
MaskRayAuthorUnsubmitted
Done
ReplyInline Actions

Sorry for missing the stale comment. Fixed!

MaskRay: Sorry for missing the stale comment. Fixed!
// CHECK: [[RTTIPTR:%.+]] = getelementptr <{ i32, i32 }>, ptr [[PTR]], i32 -1, i32 1 // CHECK: [[CalleeTypeHashPtr:%.+]] = getelementptr <{ i32, i32 }>, ptr [[PTR]], i32 -1, i32 1
// CHECK-NEXT: [[RTTIEncIntTrunc:%.+]] = load i32, ptr [[RTTIPTR]] // CHECK-NEXT: [[CalleeTypeHash:%.+]] = load i32, ptr [[CalleeTypeHashPtr]]
// CHECK-NEXT: [[RTTIEncInt:%.+]] = sext i32 [[RTTIEncIntTrunc]] to i64 // CHECK-NEXT: [[CalleeTypeHashMatch:%.+]] = icmp eq i32 [[CalleeTypeHash]], 27004076
// CHECK-NEXT: [[FuncAddrInt:%.+]] = ptrtoint ptr {{.*}} to i64 // CHECK-NEXT: br i1 [[CalleeTypeHashMatch]]
// CHECK-NEXT: [[IndirectGVInt:%.+]] = add i64 [[RTTIEncInt]], [[FuncAddrInt]]
// CHECK-NEXT: [[IndirectGV:%.+]] = inttoptr i64 [[IndirectGVInt]] to ptr
// CHECK-NEXT: [[RTTI:%.+]] = load ptr, ptr [[IndirectGV]], align 8
// CHECK-NEXT: [[RTTICMP:%.+]] = icmp eq ptr [[RTTI]], @_ZTIFviE
// CHECK-NEXT: br i1 [[RTTICMP]]
p(42); p(42);
} }
namespace VBaseObjectSize { namespace VBaseObjectSize {
// Note: C is laid out such that offsetof(C, B) + sizeof(B) extends outside // Note: C is laid out such that offsetof(C, B) + sizeof(B) extends outside
// the C object. // the C object.
struct alignas(16) A { void *a1, *a2; }; struct alignas(16) A { void *a1, *a2; };
▲ Show 20 LinesShow All 317 Lines▼ Show 20 Linesvoid ThisAlign::this_align_lambda_2() {
// called from a static invoker. // called from a static invoker.
// CHECK-NOT: icmp ne ptr %[[this_inner]], null // CHECK-NOT: icmp ne ptr %[[this_inner]], null
auto *p = +[] {}; auto *p = +[] {};
p(); p();
} }
// CHECK: attributes [[NR_NUW]] = { noreturn nounwind } // CHECK: attributes [[NR_NUW]] = { noreturn nounwind }
// CHECK-FUNCSAN: ![[FUNCSAN]] = !{i32 -1056584962, ptr [[PROXY]]} // CHECK-FUNCSAN: ![[FUNCSAN]] = !{i32 -1056584962, i32 -1302768377}

clang/test/CodeGenCXX/ubsan-function-noexcept.cpp

// RUN: %clang_cc1 -std=c++17 -fsanitize=function -emit-llvm -triple x86_64-linux-gnu %s -o - | FileCheck %s // RUN: %clang_cc1 -std=c++17 -fsanitize=function -emit-llvm -triple x86_64-linux-gnu %s -o - | FileCheck %s
// Check that typeinfo recorded in function prolog doesn't have "Do" noexcept /// Check the following two functions have the same func_sanitize metadata, i.e.
// qualifier in its mangled name. /// they have the same type hash despite the exception specifier.
// CHECK: [[PROXY:@.*]] = private unnamed_addr constant ptr @_ZTIFvvE // CHECK: define{{.*}} void @_Z1fv() #[[#]] !func_sanitize ![[FUNCSAN:.*]] {
// CHECK: define{{.*}} void @_Z1fv() #{{.*}} !func_sanitize ![[FUNCSAN:.*]] { // CHECK: define{{.*}} void @_Z10f_noexceptv() #[[#]] !func_sanitize
void f() noexcept {} // CHECK-SAME: ![[FUNCSAN]] {
void f() {}
void f_noexcept() noexcept {}
// CHECK: define{{.*}} void @_Z1gPDoFvvE // CHECK: define{{.*}} void @_Z1gPDoFvvE
void g(void (*p)() noexcept) { void g(void (*p)() noexcept) {
// Check that reference typeinfo at call site doesn't have "Do" noexcept // CHECK: icmp eq i32 %{{.*}}, -1056584962, !nosanitize
// qualifier in its mangled name, either. // CHECK: icmp eq i32 %{{.*}}, [[Hash:[-0-9]+]], !nosanitize
// CHECK: icmp eq ptr %{{.*}}, @_ZTIFvvE, !nosanitize
p(); p();
} }
// CHECK: ![[FUNCSAN]] = !{i32 -1056584962, ptr [[PROXY]]} // CHECK: ![[FUNCSAN]] = !{i32 -1056584962, i32 [[Hash]]}

clang/test/Driver/fsanitize.c

Show First 20 LinesShow All 835 Lines▼ Show 20 Lines
// RUN: %clang --target=x86_64-linux-gnu -fsanitize=address -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-MINIMAL // RUN: %clang --target=x86_64-linux-gnu -fsanitize=address -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-MINIMAL
// CHECK-ASAN-MINIMAL: error: invalid argument '-fsanitize-minimal-runtime' not allowed with '-fsanitize=address' // CHECK-ASAN-MINIMAL: error: invalid argument '-fsanitize-minimal-runtime' not allowed with '-fsanitize=address'
// RUN: %clang --target=x86_64-linux-gnu -fsanitize=thread -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-TSAN-MINIMAL // RUN: %clang --target=x86_64-linux-gnu -fsanitize=thread -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-TSAN-MINIMAL
// CHECK-TSAN-MINIMAL: error: invalid argument '-fsanitize-minimal-runtime' not allowed with '-fsanitize=thread' // CHECK-TSAN-MINIMAL: error: invalid argument '-fsanitize-minimal-runtime' not allowed with '-fsanitize=thread'
// RUN: %clang --target=x86_64-linux-gnu -fsanitize=undefined -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UBSAN-MINIMAL // RUN: %clang --target=x86_64-linux-gnu -fsanitize=undefined -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UBSAN-MINIMAL
// CHECK-UBSAN-MINIMAL: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|pointer-overflow|float-cast-overflow|array-bounds|enum|bool|builtin|returns-nonnull-attribute|nonnull-attribute),?){17}"}} // CHECK-UBSAN-MINIMAL: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|pointer-overflow|float-cast-overflow|array-bounds|enum|bool|builtin|returns-nonnull-attribute|nonnull-attribute|function),?){18}"}}
// CHECK-UBSAN-MINIMAL: "-fsanitize-minimal-runtime" // CHECK-UBSAN-MINIMAL: "-fsanitize-minimal-runtime"
// RUN: %clang --target=x86_64-linux-gnu -fsanitize=integer -fsanitize-trap=integer %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTSAN-TRAP // RUN: %clang --target=x86_64-linux-gnu -fsanitize=integer -fsanitize-trap=integer %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTSAN-TRAP
// CHECK-INTSAN-TRAP: "-fsanitize-trap=integer-divide-by-zero,shift-base,shift-exponent,signed-integer-overflow,unsigned-integer-overflow,unsigned-shift-base,implicit-unsigned-integer-truncation,implicit-signed-integer-truncation,implicit-integer-sign-change" // CHECK-INTSAN-TRAP: "-fsanitize-trap=integer-divide-by-zero,shift-base,shift-exponent,signed-integer-overflow,unsigned-integer-overflow,unsigned-shift-base,implicit-unsigned-integer-truncation,implicit-signed-integer-truncation,implicit-integer-sign-change"
// RUN: %clang --target=x86_64-linux-gnu -fsanitize=integer -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTSAN-MINIMAL // RUN: %clang --target=x86_64-linux-gnu -fsanitize=integer -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTSAN-MINIMAL
// CHECK-INTSAN-MINIMAL: "-fsanitize=integer-divide-by-zero,shift-base,shift-exponent,signed-integer-overflow,unsigned-integer-overflow,unsigned-shift-base,implicit-unsigned-integer-truncation,implicit-signed-integer-truncation,implicit-integer-sign-change" // CHECK-INTSAN-MINIMAL: "-fsanitize=integer-divide-by-zero,shift-base,shift-exponent,signed-integer-overflow,unsigned-integer-overflow,unsigned-shift-base,implicit-unsigned-integer-truncation,implicit-signed-integer-truncation,implicit-integer-sign-change"
// CHECK-INTSAN-MINIMAL: "-fsanitize-minimal-runtime" // CHECK-INTSAN-MINIMAL: "-fsanitize-minimal-runtime"
// RUN: %clang --target=aarch64-linux-android -march=armv8-a+memtag -fsanitize=memtag -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-MEMTAG-MINIMAL // RUN: %clang --target=aarch64-linux-android -march=armv8-a+memtag -fsanitize=memtag -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-MEMTAG-MINIMAL
// CHECK-MEMTAG-MINIMAL: "-fsanitize=memtag-stack,memtag-heap,memtag-globals" // CHECK-MEMTAG-MINIMAL: "-fsanitize=memtag-stack,memtag-heap,memtag-globals"
// CHECK-MEMTAG-MINIMAL: "-fsanitize-minimal-runtime" // CHECK-MEMTAG-MINIMAL: "-fsanitize-minimal-runtime"
// RUN: %clang --target=x86_64-linux-gnu -fsanitize=undefined -fsanitize=function -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UBSAN-FUNCTION-MINIMAL // RUN: %clang --target=x86_64-linux-gnu -fsanitize=undefined -fsanitize=function -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck /dev/null --implicit-check-not=error:
// CHECK-UBSAN-FUNCTION-MINIMAL: error: invalid argument '-fsanitize=function' not allowed with '-fsanitize-minimal-runtime'
// RUN: %clang --target=x86_64-linux-gnu -fsanitize=undefined -fsanitize=vptr -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UBSAN-VPTR-MINIMAL // RUN: %clang --target=x86_64-linux-gnu -fsanitize=undefined -fsanitize=vptr -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UBSAN-VPTR-MINIMAL
// CHECK-UBSAN-VPTR-MINIMAL: error: invalid argument '-fsanitize=vptr' not allowed with '-fsanitize-minimal-runtime' // CHECK-UBSAN-VPTR-MINIMAL: error: invalid argument '-fsanitize=vptr' not allowed with '-fsanitize-minimal-runtime'
// RUN: %clang --target=x86_64-linux-gnu -fsanitize=address -fsanitize-minimal-runtime -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-UBSAN-MINIMAL // RUN: %clang --target=x86_64-linux-gnu -fsanitize=address -fsanitize-minimal-runtime -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-UBSAN-MINIMAL
// CHECK-ASAN-UBSAN-MINIMAL: error: invalid argument '-fsanitize-minimal-runtime' not allowed with '-fsanitize=address' // CHECK-ASAN-UBSAN-MINIMAL: error: invalid argument '-fsanitize-minimal-runtime' not allowed with '-fsanitize=address'
// RUN: %clang --target=x86_64-linux-gnu -fsanitize=hwaddress -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-HWASAN-MINIMAL // RUN: %clang --target=x86_64-linux-gnu -fsanitize=hwaddress -fsanitize-minimal-runtime %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-HWASAN-MINIMAL
// CHECK-HWASAN-MINIMAL: error: invalid argument '-fsanitize-minimal-runtime' not allowed with '-fsanitize=hwaddress' // CHECK-HWASAN-MINIMAL: error: invalid argument '-fsanitize-minimal-runtime' not allowed with '-fsanitize=hwaddress'
▲ Show 20 LinesShow All 107 LinesShow Last 20 Lines

compiler-rt/lib/ubsan/ubsan_handlers.h

Show First 20 LinesShow All 225 Lines▼ Show 20 LinesRECOVERABLE(cfi_check_fail, CFICheckFailData *Data, ValueHandle Function,
uptr VtableIsValid) uptr VtableIsValid)
struct ReportOptions; struct ReportOptions;
extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __ubsan_handle_cfi_bad_type( extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __ubsan_handle_cfi_bad_type(
CFICheckFailData *Data, ValueHandle Vtable, bool ValidVtable, CFICheckFailData *Data, ValueHandle Vtable, bool ValidVtable,
ReportOptions Opts); ReportOptions Opts);
struct FunctionTypeMismatchData {
SourceLocation Loc;
const TypeDescriptor &Type;
};
extern "C" SANITIZER_INTERFACE_ATTRIBUTE void
__ubsan_handle_function_type_mismatch(FunctionTypeMismatchData *Data,
ValueHandle Val);
extern "C" SANITIZER_INTERFACE_ATTRIBUTE void
__ubsan_handle_function_type_mismatch_abort(FunctionTypeMismatchData *Data,
ValueHandle Val);
} }
#endif // UBSAN_HANDLERS_H #endif // UBSAN_HANDLERS_H

compiler-rt/lib/ubsan/ubsan_handlers.cpp

Show First 20 LinesShow All 909 Lines▼ Show 20 Linesvoid __ubsan::__ubsan_handle_cfi_check_fail_abort(CFICheckFailData *Data,
GET_REPORT_OPTIONS(true); GET_REPORT_OPTIONS(true);
if (Data->CheckKind == CFITCK_ICall || Data->CheckKind == CFITCK_NVMFCall) if (Data->CheckKind == CFITCK_ICall || Data->CheckKind == CFITCK_NVMFCall)
handleCFIBadIcall(Data, Value, Opts); handleCFIBadIcall(Data, Value, Opts);
else else
__ubsan_handle_cfi_bad_type(Data, Value, ValidVtable, Opts); __ubsan_handle_cfi_bad_type(Data, Value, ValidVtable, Opts);
Die(); Die();
} }
static bool handleFunctionTypeMismatch(FunctionTypeMismatchData *Data,
ValueHandle Function,
ReportOptions Opts) {
SourceLocation CallLoc = Data->Loc.acquire();
ErrorType ET = ErrorType::FunctionTypeMismatch;
if (ignoreReport(CallLoc, Opts, ET))
return true;
ScopedReport R(Opts, CallLoc, ET);
SymbolizedStackHolder FLoc(getSymbolizedLocation(Function));
const char *FName = FLoc.get()->info.function;
if (!FName)
FName = "(unknown)";
Diag(CallLoc, DL_Error, ET,
"call to function %0 through pointer to incorrect function type %1")
<< FName << Data->Type;
Diag(FLoc, DL_Note, ET, "%0 defined here") << FName;
return true;
}
void __ubsan::__ubsan_handle_function_type_mismatch(
FunctionTypeMismatchData *Data, ValueHandle Function) {
GET_REPORT_OPTIONS(false);
handleFunctionTypeMismatch(Data, Function, Opts);
}
void __ubsan::__ubsan_handle_function_type_mismatch_abort(
FunctionTypeMismatchData *Data, ValueHandle Function) {
GET_REPORT_OPTIONS(true);
if (handleFunctionTypeMismatch(Data, Function, Opts))
Die();
}
#endif // CAN_SANITIZE_UB #endif // CAN_SANITIZE_UB

compiler-rt/lib/ubsan/ubsan_handlers_cxx.h

Show All 27 Lines
/// When this handler is called, all we know is that the type was not in the /// When this handler is called, all we know is that the type was not in the
/// cache; this does not necessarily imply the existence of a bug. /// cache; this does not necessarily imply the existence of a bug.
extern "C" SANITIZER_INTERFACE_ATTRIBUTE extern "C" SANITIZER_INTERFACE_ATTRIBUTE
void __ubsan_handle_dynamic_type_cache_miss( void __ubsan_handle_dynamic_type_cache_miss(
DynamicTypeCacheMissData *Data, ValueHandle Pointer, ValueHandle Hash); DynamicTypeCacheMissData *Data, ValueHandle Pointer, ValueHandle Hash);
extern "C" SANITIZER_INTERFACE_ATTRIBUTE extern "C" SANITIZER_INTERFACE_ATTRIBUTE
void __ubsan_handle_dynamic_type_cache_miss_abort( void __ubsan_handle_dynamic_type_cache_miss_abort(
DynamicTypeCacheMissData *Data, ValueHandle Pointer, ValueHandle Hash); DynamicTypeCacheMissData *Data, ValueHandle Pointer, ValueHandle Hash);
struct FunctionTypeMismatchData {
SourceLocation Loc;
const TypeDescriptor &Type;
};
extern "C" SANITIZER_INTERFACE_ATTRIBUTE void
__ubsan_handle_function_type_mismatch_v1(FunctionTypeMismatchData *Data,
ValueHandle Val,
ValueHandle calleeRTTI,
ValueHandle fnRTTI);
extern "C" SANITIZER_INTERFACE_ATTRIBUTE void
__ubsan_handle_function_type_mismatch_v1_abort(FunctionTypeMismatchData *Data,
ValueHandle Val,
ValueHandle calleeRTTI,
ValueHandle fnRTTI);
} }
#endif // UBSAN_HANDLERS_CXX_H #endif // UBSAN_HANDLERS_CXX_H

compiler-rt/lib/ubsan/ubsan_handlers_cxx.cpp

Show First 20 LinesShow All 150 Lines▼ Show 20 Linesvoid __ubsan_handle_cfi_bad_type(CFICheckFailData *Data, ValueHandle Vtable,
const char *SrcModule = Symbolizer::GetOrInit()->GetModuleNameForPc(Opts.pc); const char *SrcModule = Symbolizer::GetOrInit()->GetModuleNameForPc(Opts.pc);
if (!SrcModule) if (!SrcModule)
SrcModule = "(unknown)"; SrcModule = "(unknown)";
if (internal_strcmp(SrcModule, DstModule)) if (internal_strcmp(SrcModule, DstModule))
Diag(Loc, DL_Note, ET, "check failed in %0, vtable located in %1") Diag(Loc, DL_Note, ET, "check failed in %0, vtable located in %1")
<< SrcModule << DstModule; << SrcModule << DstModule;
} }
static bool handleFunctionTypeMismatch(FunctionTypeMismatchData *Data,
ValueHandle Function,
ValueHandle calleeRTTI,
ValueHandle fnRTTI, ReportOptions Opts) {
if (checkTypeInfoEquality(reinterpret_cast<void *>(calleeRTTI),
reinterpret_cast<void *>(fnRTTI)))
return false;
SourceLocation CallLoc = Data->Loc.acquire();
ErrorType ET = ErrorType::FunctionTypeMismatch;
if (ignoreReport(CallLoc, Opts, ET))
return true;
ScopedReport R(Opts, CallLoc, ET);
SymbolizedStackHolder FLoc(getSymbolizedLocation(Function));
const char *FName = FLoc.get()->info.function;
if (!FName)
FName = "(unknown)";
Diag(CallLoc, DL_Error, ET,
"call to function %0 through pointer to incorrect function type %1")
<< FName << Data->Type;
Diag(FLoc, DL_Note, ET, "%0 defined here") << FName;
return true;
}
void __ubsan_handle_function_type_mismatch_v1(FunctionTypeMismatchData *Data,
ValueHandle Function,
ValueHandle calleeRTTI,
ValueHandle fnRTTI) {
GET_REPORT_OPTIONS(false);
handleFunctionTypeMismatch(Data, Function, calleeRTTI, fnRTTI, Opts);
}
void __ubsan_handle_function_type_mismatch_v1_abort(
FunctionTypeMismatchData *Data, ValueHandle Function,
ValueHandle calleeRTTI, ValueHandle fnRTTI) {
GET_REPORT_OPTIONS(true);
if (handleFunctionTypeMismatch(Data, Function, calleeRTTI, fnRTTI, Opts))
Die();
}
} // namespace __ubsan } // namespace __ubsan
#endif // CAN_SANITIZE_UB #endif // CAN_SANITIZE_UB

compiler-rt/lib/ubsan/ubsan_interface.inc

Show All 15 Lines
INTERFACE_FUNCTION(__ubsan_handle_cfi_check_fail) INTERFACE_FUNCTION(__ubsan_handle_cfi_check_fail)
INTERFACE_FUNCTION(__ubsan_handle_cfi_check_fail_abort) INTERFACE_FUNCTION(__ubsan_handle_cfi_check_fail_abort)
INTERFACE_FUNCTION(__ubsan_handle_divrem_overflow) INTERFACE_FUNCTION(__ubsan_handle_divrem_overflow)
INTERFACE_FUNCTION(__ubsan_handle_divrem_overflow_abort) INTERFACE_FUNCTION(__ubsan_handle_divrem_overflow_abort)
INTERFACE_FUNCTION(__ubsan_handle_dynamic_type_cache_miss) INTERFACE_FUNCTION(__ubsan_handle_dynamic_type_cache_miss)
INTERFACE_FUNCTION(__ubsan_handle_dynamic_type_cache_miss_abort) INTERFACE_FUNCTION(__ubsan_handle_dynamic_type_cache_miss_abort)
INTERFACE_FUNCTION(__ubsan_handle_float_cast_overflow) INTERFACE_FUNCTION(__ubsan_handle_float_cast_overflow)
INTERFACE_FUNCTION(__ubsan_handle_float_cast_overflow_abort) INTERFACE_FUNCTION(__ubsan_handle_float_cast_overflow_abort)
INTERFACE_FUNCTION(__ubsan_handle_function_type_mismatch_v1) INTERFACE_FUNCTION(__ubsan_handle_function_type_mismatch)
INTERFACE_FUNCTION(__ubsan_handle_function_type_mismatch_v1_abort) INTERFACE_FUNCTION(__ubsan_handle_function_type_mismatch_abort)
INTERFACE_FUNCTION(__ubsan_handle_implicit_conversion) INTERFACE_FUNCTION(__ubsan_handle_implicit_conversion)
INTERFACE_FUNCTION(__ubsan_handle_implicit_conversion_abort) INTERFACE_FUNCTION(__ubsan_handle_implicit_conversion_abort)
INTERFACE_FUNCTION(__ubsan_handle_invalid_builtin) INTERFACE_FUNCTION(__ubsan_handle_invalid_builtin)
INTERFACE_FUNCTION(__ubsan_handle_invalid_builtin_abort) INTERFACE_FUNCTION(__ubsan_handle_invalid_builtin_abort)
INTERFACE_FUNCTION(__ubsan_handle_invalid_objc_cast) INTERFACE_FUNCTION(__ubsan_handle_invalid_objc_cast)
INTERFACE_FUNCTION(__ubsan_handle_invalid_objc_cast_abort) INTERFACE_FUNCTION(__ubsan_handle_invalid_objc_cast_abort)
INTERFACE_FUNCTION(__ubsan_handle_load_invalid_value) INTERFACE_FUNCTION(__ubsan_handle_load_invalid_value)
INTERFACE_FUNCTION(__ubsan_handle_load_invalid_value_abort) INTERFACE_FUNCTION(__ubsan_handle_load_invalid_value_abort)
Show All 28 Lines

llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp

Show First 20 LinesShow All 970 Lines▼ Show 20 Lines if (PatchableFunctionPrefix) {
CurrentPatchableFunctionEntrySym = CurrentFnBegin; CurrentPatchableFunctionEntrySym = CurrentFnBegin;
} }
// Emit the function prologue data for the indirect call sanitizer. // Emit the function prologue data for the indirect call sanitizer.
if (const MDNode *MD = F.getMetadata(LLVMContext::MD_func_sanitize)) { if (const MDNode *MD = F.getMetadata(LLVMContext::MD_func_sanitize)) {
assert(MD->getNumOperands() == 2); assert(MD->getNumOperands() == 2);
auto *PrologueSig = mdconst::extract<Constant>(MD->getOperand(0)); auto *PrologueSig = mdconst::extract<Constant>(MD->getOperand(0));
auto *FTRTTIProxy = mdconst::extract<Constant>(MD->getOperand(1)); auto *TypeHash = mdconst::extract<Constant>(MD->getOperand(1));
emitGlobalConstant(F.getParent()->getDataLayout(), PrologueSig); emitGlobalConstant(F.getParent()->getDataLayout(), PrologueSig);
emitGlobalConstant(F.getParent()->getDataLayout(), TypeHash);
const MCExpr *Proxy = lowerConstant(FTRTTIProxy);
const MCExpr *FnExp = MCSymbolRefExpr::create(CurrentFnSym, OutContext);
const MCExpr *PCRel = MCBinaryExpr::createSub(Proxy, FnExp, OutContext);
// Use 32 bit since only small code model is supported.
OutStreamer->emitValue(PCRel, 4u);
} }
if (isVerbose()) { if (isVerbose()) {
F.printAsOperand(OutStreamer->getCommentOS(), F.printAsOperand(OutStreamer->getCommentOS(),
/*PrintType=*/false, F.getParent()); /*PrintType=*/false, F.getParent());
emitFunctionHeaderComment(); emitFunctionHeaderComment();
OutStreamer->getCommentOS() << '\n'; OutStreamer->getCommentOS() << '\n';
} }
▲ Show 20 LinesShow All 3,154 LinesShow Last 20 Lines

llvm/test/CodeGen/AArch64/func-sanitizer.ll

; RUN: llc -mtriple=aarch64-unknown-linux-gnu < %s | FileCheck %s ; RUN: llc -mtriple=aarch64-unknown-linux-gnu < %s | FileCheck %s
; CHECK-LABEL: .type _Z3funv,@function ; CHECK-LABEL: .type _Z3funv,@function
; CHECK-NEXT: .word 3238382334 // 0xc105cafe ; CHECK-NEXT: .word 3238382334 // 0xc105cafe
; CHECK-NEXT: .word .L__llvm_rtti_proxy-_Z3funv ; CHECK-NEXT: .word 42
; CHECK-NEXT: _Z3funv: ; CHECK-NEXT: _Z3funv:
; CHECK-NEXT: // %bb.0: ; CHECK-NEXT: // %bb.0:
; CHECK-NEXT: ret ; CHECK-NEXT: ret
; CHECK: .section .rodata,"a",@progbits
; CHECK-LABEL: .L__llvm_rtti_proxy:
; CHECK-NEXT: .xword _ZTIFvvE
; CHECK-NEXT: .size .L__llvm_rtti_proxy, 8
@_ZTIFvvE = linkonce_odr constant i32 1
@__llvm_rtti_proxy = private unnamed_addr constant ptr @_ZTIFvvE
define dso_local void @_Z3funv() nounwind !func_sanitize !0 { define dso_local void @_Z3funv() nounwind !func_sanitize !0 {
ret void ret void
} }
!0 = !{i32 3238382334, ptr @__llvm_rtti_proxy} !0 = !{i32 3238382334, i32 42}

llvm/test/CodeGen/AArch64/patchable-function-entry-bti.ll

; RUN: llc -mtriple=aarch64 %s -o - | FileCheck %s ; RUN: llc -mtriple=aarch64 %s -o - | FileCheck %s
@_ZTIFvvE = linkonce_odr constant i32 2
@__llvm_rtti_proxy = private unnamed_addr constant ptr @_ZTIFvvE
define void @f0() "patchable-function-entry"="0" "branch-target-enforcement"="true" { define void @f0() "patchable-function-entry"="0" "branch-target-enforcement"="true" {
; CHECK-LABEL: f0: ; CHECK-LABEL: f0:
; CHECK-NEXT: .Lfunc_begin0: ; CHECK-NEXT: .Lfunc_begin0:
; CHECK: // %bb.0: ; CHECK: // %bb.0:
; CHECK-NEXT: hint #34 ; CHECK-NEXT: hint #34
; CHECK-NEXT: ret ; CHECK-NEXT: ret
; CHECK-NOT: .section __patchable_function_entries ; CHECK-NOT: .section __patchable_function_entries
ret void ret void
▲ Show 20 LinesShow All 73 Lines▼ Show 20 Lines
sw.bb4: sw.bb4:
call void asm sideeffect "", ""() call void asm sideeffect "", ""()
ret void ret void
} }
;; Test the interaction with -fsanitize=function. ;; Test the interaction with -fsanitize=function.
; CHECK: .type sanitize_function,@function ; CHECK: .type sanitize_function,@function
; CHECK-NEXT: .Ltmp{{.*}}: ; CHECK-NEXT: .Ltmp{{.*}}:
; CHECK-NEXT: nop ; CHECK-NEXT: nop
peter.smithUnsubmitted
Done
ReplyInline Actions

Assuming the test is the equivalent of -fpatchable-function-entry=1,1 I think this is the wrong place for the nop, I think it needs to be after the signature and the loads adjusted. For example with -fsanitize=kcfi -fpatchable-function-entries=1,1

typedef int Fptr(void);

int function(void) {
  return 0;
}

int call(Fptr* fp) {
  return fp();
}

Results in code like:

        .word   1670944012                      // @call
                                        // 0x6398950c
.Ltmp1:
        nop
call:
.Lfunc_begin1:
        .cfi_startproc
// %bb.0:                               // %entry
        ldur    w16, [x0, #-8]
        movk    w17, #50598
        movk    w17, #14001, lsl #16
        cmp     w16, w17
        b.eq    .Ltmp2
        brk     #0x8220
.Ltmp2:
        br      x0
.Lfunc_end1:

Note the NOP is after the signature, with the ldur having an offset of -8 and not the usual -4. I think you would need to make sure the signature is a branch instruction for each target for this scheme to work.

peter.smith: Assuming the test is the equivalent of `-fpatchable-function-entry=1,1` I think this is the…
samitolvanenUnsubmitted
Done
ReplyInline Actions

No, this looks correct to me. Note that in AsmPrinter the type hash is emitted after the patchable-function-prefix nops, while the KCFI type hash is emitted before them.

samitolvanen: No, this looks correct to me. Note that in AsmPrinter the type hash is emitted after the…
peter.smithUnsubmitted
Done
ReplyInline Actions

My concern is more along the lines of how would this function be patched if the code doing the patching were unaware of the signature. I'm not familiar with how the kernel uses the nops so it could be that this is won't be a problem in practice.

With -fsanitize=kcfi it looks like there is no difference to the code doing the patching as the nops are in the same place with respect to the function entry point and there is no fall through into the signature.

With -fsanitize=function anything patching the first nop as an instruction would need to branch over the signature (unless the first entry of the signature was a branch instruction, but that would mean a target specific signature), obviously if the nop is patched with data and isn't the entry point then this doesn't matter. The code doing the patching would also need to know how to locate the nop ahead of the signature.

peter.smith: My concern is more along the lines of how would this function be patched if the code doing the…
MaskRayAuthorUnsubmitted
Done
ReplyInline Actions

The responsibility is on the user side to ensure that when M>0, they code patches one of the M NOPs to a branch over the signature (0xc105cafe).

// -fsanitize=function -fpatchable-function-entry=3,3
.Ltmp0:
        nop
        nop
        nop    # ensure there is a branch over the signature
        .long   3238382334                      # 0xc105cafe
        .long   2772461324                      # 0xa540670c
foo:

In addition, -fpatchable-function-entry=N,M where M>0 is uncommon. -fpatchable-function-entry= didn't work with -fsanitize=function before my changes.

MaskRay: The responsibility is on the user side to ensure that when M>0, they code patches one of the M…
MaskRayAuthorUnsubmitted
Done
ReplyInline Actions

My concern is more along the lines of how would this function be patched if the code doing the patching were unaware of the signature. I'm not familiar with how the kernel uses the nops so it could be that this is won't be a problem in practice.

I think the patching code must be aware if the user decides to use -fpatchable-function-entry=N,M where M>0, otherwise it's the pilot error to use the option with -fsanitize=function.

-fsanitize=function is designed to be compatible with uninstrumented functions (used as indirect call callees) and compatible with object files, -fpatchable-function-entry=N,M functions, and regular functions. The call site must use the fixed offset unaffected by -fpatchable-function-entry=N,M.

MaskRay: > My concern is more along the lines of how would this function be patched if the code doing…
peter.smithUnsubmitted
Not Done
ReplyInline Actions

I don't have any objections here. Just wanted to make sure that we weren't breaking any expectations.

I found one use in the kernel that uses -fpatchable-function-entry=4,2 (https://lore.kernel.org/all/20230123134603.1064407-9-mark.rutland@arm.com/)

Quoting from that:

Currently, this approach is not compatible with CLANG_CFI, as the
presence/absence of pre-function NOPs changes the offset of the
pre-function type hash, and there's no existing mechanism to ensure a
consistent offset for instrumented and uninstrumented functions. When
CLANG_CFI is enabled, the existing scheme with a global ops->func
pointer is used, and there should be no functional change. I am
currently working with others to allow the two to work together in
future (though this will liekly require updated compiler support).

I expect -fsanitize=kcfi to be used in this case over -fsanitize=functions so I don't think this will cause a problem in practice.

peter.smith: I don't have any objections here. Just wanted to make sure that we weren't breaking any…
MaskRayAuthorUnsubmitted
Done
ReplyInline Actions

I expect -fsanitize=kcfi to be used in this case over -fsanitize=functions so I don't think this will cause a problem in practice.

Yes, the kernel requires the addresses of the instrumented call sites which can only be provided by -fsanitize=kcfi. -fsanitize=function instrumented call sites are not recorded in a metadata section.
The kernel doesn't have a -fsanitize=function configuration.

For userspace programs that want to attempt both -fpatchable-function-entry=N,M where M>0 and -fsanitize=function, I expect that they need to check the -fsanitize=function signature...

MaskRay: > I expect -fsanitize=kcfi to be used in this case over -fsanitize=functions so I don't think…
; CHECK-NEXT: .word 3238382334 // 0xc105cafe ; CHECK-NEXT: .word 3238382334 // 0xc105cafe
; CHECK-NEXT: .word .L__llvm_rtti_proxy-sanitize_function ; CHECK-NEXT: .word 42
; CHECK-NEXT: sanitize_function: ; CHECK-NEXT: sanitize_function:
; CHECK-NEXT: .Lfunc_begin{{.*}}: ; CHECK-NEXT: .Lfunc_begin{{.*}}:
; CHECK-NEXT: .cfi_startproc ; CHECK-NEXT: .cfi_startproc
; CHECK-NEXT: // %bb.0: ; CHECK-NEXT: // %bb.0:
; CHECK-NEXT: hint #34 ; CHECK-NEXT: hint #34
; CHECK-NEXT: nop ; CHECK-NEXT: nop
; CHECK-NEXT: ret ; CHECK-NEXT: ret
define void @sanitize_function(ptr noundef %x) "patchable-function-prefix"="1" "patchable-function-entry"="1" "branch-target-enforcement"="true" !func_sanitize !0 { define void @sanitize_function(ptr noundef %x) "patchable-function-prefix"="1" "patchable-function-entry"="1" "branch-target-enforcement"="true" !func_sanitize !0 {
ret void ret void
} }
!0 = !{i32 3238382334, ptr @__llvm_rtti_proxy} !0 = !{i32 3238382334, i32 42}

llvm/test/CodeGen/X86/func-sanitizer.ll

; RUN: llc -mtriple=x86_64-unknown-linux-gnu < %s | FileCheck %s ; RUN: llc -mtriple=x86_64-unknown-linux-gnu < %s | FileCheck %s
; CHECK: .type _Z3funv,@function ; CHECK: .type _Z3funv,@function
; CHECK-NEXT: .long 3238382334 # 0xc105cafe ; CHECK-NEXT: .long 3238382334 # 0xc105cafe
; CHECK-NEXT: .long .L__llvm_rtti_proxy-_Z3funv ; CHECK-NEXT: .long 42
; CHECK-NEXT: _Z3funv: ; CHECK-NEXT: _Z3funv:
; CHECK-NEXT: .cfi_startproc ; CHECK-NEXT: .cfi_startproc
; CHECK-NEXT: # %bb.0: ; CHECK-NEXT: # %bb.0:
; CHECK-NEXT: retq ; CHECK-NEXT: retq
@i = linkonce_odr constant i32 1
@__llvm_rtti_proxy = private unnamed_addr constant ptr @i
define dso_local void @_Z3funv() !func_sanitize !0 { define dso_local void @_Z3funv() !func_sanitize !0 {
ret void ret void
} }
!0 = !{i32 3238382334, ptr @__llvm_rtti_proxy} !0 = !{i32 3238382334, i32 42}

llvm/test/CodeGen/X86/patchable-function-entry-ibt.ll

; RUN: llc -mtriple=i686 %s -o - | FileCheck --check-prefixes=CHECK,32 %s ; RUN: llc -mtriple=i686 %s -o - | FileCheck --check-prefixes=CHECK,32 %s
; RUN: llc -mtriple=x86_64 %s -o - | FileCheck --check-prefixes=CHECK,64 %s ; RUN: llc -mtriple=x86_64 %s -o - | FileCheck --check-prefixes=CHECK,64 %s
@_ZTIFvvE = linkonce_odr constant i32 1
@__llvm_rtti_proxy = private unnamed_addr constant ptr @_ZTIFvvE
;; -fpatchable-function-entry=0 -fcf-protection=branch ;; -fpatchable-function-entry=0 -fcf-protection=branch
define void @f0() "patchable-function-entry"="0" { define void @f0() "patchable-function-entry"="0" {
; CHECK-LABEL: f0: ; CHECK-LABEL: f0:
; CHECK-NEXT: .Lfunc_begin0: ; CHECK-NEXT: .Lfunc_begin0:
; CHECK-NEXT: .cfi_startproc ; CHECK-NEXT: .cfi_startproc
; CHECK-NEXT: # %bb.0: ; CHECK-NEXT: # %bb.0:
; 32-NEXT: endbr32 ; 32-NEXT: endbr32
; 64-NEXT: endbr64 ; 64-NEXT: endbr64
▲ Show 20 LinesShow All 71 Lines▼ Show 20 Linesentry:
ret void ret void
} }
;; Test the interaction with -fsanitize=function. ;; Test the interaction with -fsanitize=function.
; CHECK: .type sanitize_function,@function ; CHECK: .type sanitize_function,@function
; CHECK-NEXT: .Ltmp{{.*}}: ; CHECK-NEXT: .Ltmp{{.*}}:
; CHECK-NEXT: nop ; CHECK-NEXT: nop
; CHECK-NEXT: .long 3238382334 ; CHECK-NEXT: .long 3238382334
; CHECK-NEXT: .long .L__llvm_rtti_proxy-sanitize_function ; CHECK-NEXT: .long 42
; CHECK-NEXT: sanitize_function: ; CHECK-NEXT: sanitize_function:
; CHECK-NEXT: .Lfunc_begin{{.*}}: ; CHECK-NEXT: .Lfunc_begin{{.*}}:
; CHECK-NEXT: .cfi_startproc ; CHECK-NEXT: .cfi_startproc
; CHECK-NEXT: # %bb.0: ; CHECK-NEXT: # %bb.0:
; 32-NEXT: endbr32 ; 32-NEXT: endbr32
; 64-NEXT: endbr64 ; 64-NEXT: endbr64
; CHECK-NEXT: nop ; CHECK-NEXT: nop
; CHECK-NEXT: ret ; CHECK-NEXT: ret
define void @sanitize_function(ptr noundef %x) "patchable-function-prefix"="1" "patchable-function-entry"="1" !func_sanitize !1 { define void @sanitize_function(ptr noundef %x) "patchable-function-prefix"="1" "patchable-function-entry"="1" !func_sanitize !1 {
ret void ret void
} }
!llvm.module.flags = !{!0} !llvm.module.flags = !{!0}
!0 = !{i32 8, !"cf-protection-branch", i32 1} !0 = !{i32 8, !"cf-protection-branch", i32 1}
!1 = !{i32 3238382334, ptr @__llvm_rtti_proxy} !1 = !{i32 3238382334, i32 42}