This is an archive of the discontinued LLVM Phabricator instance.

libcxx/include/__config
281	It would be great to rebase this on top of D155866.
287	Here we could add a short comment rationalizing the choice: `Nullptr conditions are generally meant to protect against dereferencing a null pointer, which generally results in a crash`.
libcxx/include/__hash_table
1112	It would be nice to make sure that all the non-internal assertions we add are tested. In some cases this will mean removing `XFAIL` on an existing test, in other cases we'll need to add some tests but it should be easy.
libcxx/include/__string/char_traits.h
145–146	Maybe `_LIBCPP_ASSERT_NON_OVERLAPPING_RANGES`? Both ranges can technically be valid ranges yet still be overlapping. Also, the result of the algo will be incorrect if the ranges overlap but I don't think this can directly cause bad stuff to happen, so I don't think we want this in the hardened mode. Using another category would allow excluding it.
libcxx/include/string
956 ↗	(On Diff #542605)	I think a lot of these `NON_NULL` checks are actually `VALID_RANGE` checks. http://eel.is/c++draft/iterators#iterator.requirements.general-11 Here we seem to be using `__s != nullptr` as a way to say `__s` is dereferenceable. Do we want to move these checks to `ASSERT_VALID_RANGE`? Do we want these checks in hardened mode? I'm not sure, I think we should probably review this with a security specialist.
963 ↗	(On Diff #542605)	Separate from the `ASSERT_VALID_RANGE` question, do we want to introduce helper functions to help checking whether a range is valid?

Harbormaster completed remote builds in B246978: Diff 542605.Jul 20 2023, 3:02 PM

Partially address feedback;
remove the non-null assertions from the patch;
rebase.

libcxx/include/string
956 ↗	(On Diff #542605)	It's a great question and a topic for discussion, IMO. I think reviewing this with a security expert would be great. I'd prefer to avoid blocking the patch on this, though, given that the branch cutoff date is coming up, and a large part of the patch seems to be more straightforward than the questions related to non-null checks. I'd remove the `NON_NULL` part from this patch and do it in a follow-up instead, does that sound reasonable to you?
963 ↗	(On Diff #542605)	Yes, this is something I'd really love to do. I'd do this in a separate patch, though, if that's okay.

LGTM with tests!

libcxx/include/__string/char_traits.h
241	Do we want to change the message to `overlapping ranges`? To consider as we add tests.

This revision is now accepted and ready to land.Jul 21 2023, 10:44 AM

I really like this hardening work. I think it would be good to have bit more discussion and tweaking after LLVM 17 has branched. I would love it when a security expert can have a look at it. I expect they have a better view on what root causes for security issues are.

libcxx/include/__hash_table
1112	+1
libcxx/include/__tree
171	As mentioned in D155906 I really would like to have these kind of cheap internal sanity checks enabled in `_LIBCPP_ENABLE_HARDENED_MODE`. They are not user errors, but they still cause potential issues for users, including users in safety-critial places. When there's not enough time to get that done before LLVM 17, I'm happy to defer that to LLVM 18.
libcxx/include/string
956 ↗	(On Diff #542605)	+1 for having security expert having a look on this. I would like to have this check in hardened mode. This is check to check and users of libc++ may do the "wrong thing". But not a blocker for me.

In D155873#4523344, @Mordante wrote:

I really like this hardening work. I think it would be good to have bit more discussion and tweaking after LLVM 17 has branched. I would love it when a security expert can have a look at it. I expect they have a better view on what root causes for security issues are.

FWIW, we're planning to review everything with security experts in the coming weeks. The idea for now is to be conservative and only enable the checks that we are certain need to be added in the hardened mode.

var-const added inline comments.Jul 21 2023, 3:27 PM

libcxx/include/__tree
171	Thanks for starting this discussion! My current thinking has been to keep the hardened mode as lightweight as possible. I have a big concern about performance penalty blocking adoption; also, while I'm not 100% sure this can happen, my ideal would be if we could make the hardened mode the default at some point (of course, users would still be able to opt out and use the unchecked mode). Because of that, so far I have been generally erring on the side of performance and using the following criteria for enabling an assertion: Is the failure directly triggered by user input? Is the failure directly exploitable? Is the failure condition relatively cheap to check? Personally, I feel #2 is the most important distinction. Almost any error, including logic errors that don't trigger UB, can lead to very incorrect results and also contribute to a security vulnerability. I envision the hardened mode as only preventing errors that create a security vulnerability directly (e.g. an out-of-bounds read) -- the kind of errors where we can confidently say "if your program has one of those, it is vulnerable, regardless of any other context" (and thus we can justify the extra penalty for checking those). From that perspective, it follows that checks for null pointers should not be a part of the hardened mode (FWIW, it was somewhat surprising to me, or at least I found it counterintuitive). From what I know (and I'd be happy to be corrected on this if I'm missing something), dereferencing a null pointer on any relatively modern OS leads to a crash and is not directly exploitable (it might contribute to a more complicated exploit arising from context, but so can many other types of failures). The upside I'm hoping we get from limiting the number of checks we perform is wider adoption. The intention behind hardened mode is not that it provides complete safety or entirely eliminates UB -- rather, it makes your program measurably safer at a "negligible" cost; it relatively cheaply protects against the most catastrophic stuff. I'm hoping something like the 80/20 principle applies here (meaning that just a fraction of the cost that would be necessary to protect against all UB is enough to prevent 80% of exploitable vulnerabilities). The "perfect" hardened mode (aspirational, not realistic) is the mode where if you were to enable it, you would be guaranteed that an attacker could not use your program to achieve arbitrary code execution, and it's cheap enough to use in production. We currently have the hardened mode and the debug mode. While I'd prefer to keep this as simple as possible and stick with the 2 modes, I'd be open to exploring adding a 3rd mode in-between those two that would contain more checks that the hardened mode while still aiming at some reasonable level of performance (which for the debug mode is almost a non-goal). Tagging @ldionne as well in case he has a different perspective.

Harbormaster completed remote builds in B247270: Diff 542983.Jul 21 2023, 3:31 PM

In D155873#4523756, @ldionne wrote:

In D155873#4523344, @Mordante wrote:

I really like this hardening work. I think it would be good to have bit more discussion and tweaking after LLVM 17 has branched. I would love it when a security expert can have a look at it. I expect they have a better view on what root causes for security issues are.

FWIW, we're planning to review everything with security experts in the coming weeks.

Great to hear, thanks.

libcxx/include/__tree
171	I'm not sure whether deferring a null pointer will always leads to a crash on a modern OS. I can imagine some cases where that might be an issue. Embedded systems may use less well know OSes. Are kernel drivers allowed to modify address 0 or with low values? (This assumes a nullptr is mapped to address 0, which is not required by the Standard.) Maybe we should ask this to security experts. They probably can tell us how often deferring a nullptr may lead to real-world issues. Even when it's not a security-issue I think it would be good to test a nullptr when not allowed. Deferring nullptr is known to be quite a large issue in both C and C++. I'm also open to a third mode. Maybe we should measure what the overhead for adding null checks is. When we annotate it with likelihood attribute telling the compiler to expect a valid pointer the branch predictor will always guess correctly. In that case the overhead should be low. The nullptr case will be more expense, but I in that case the performance is no longer relevant. I think we can move forward this way. When we put everything in the right category we can measure the overhead of every category. That way we can have number of the performance overhead and can make an informed decision in this regard. I think it would be good to discuss this on Discord/Discourse to get input of more people in the LLVM communicate. Again I'm fine to do that for LLVM 18 and keep the current way in LLVM 17.

var-const added inline comments.Jul 24 2023, 2:55 PM

libcxx/include/__hash_table
1112	As discussed offline -- I will do this in a follow-up, simply due to the release timing. I did a quick survey and counted 83 untested assertions (among the ones currently categorized), so unfortunately it will take a while.
libcxx/include/__tree
171	Maybe we should ask this to security experts. They probably can tell us how often deferring a nullptr may lead to real-world issues. Absolutely. I think these are all great questions to discuss. I'm not sure whether deferring a null pointer will always leads to a crash on a modern OS. That's my understanding but I would absolutely love a domain expert to confirm. Embedded systems may use less well know OSes. Are kernel drivers allowed to modify address 0 or with low values? (This assumes a nullptr is mapped to address 0, which is not required by the Standard.) IMO, the hardened mode should only contain checks that apply to almost every user; it shouldn't make users of widely-used systems to pay a performance penalty for the sake of more niche OSs. I'd much rather think of a way to let vendors of these kind of systems to enable additional null pointer checks on top of the hardened mode, whether via a third mode or some finer-grained approach. My overarching concern is users avoiding the hardened mode due to performance concerns, whether real or perceived; I'm afraid that enabling too many checks might backfire and result in less security due to a lack of use. Maybe we should measure what the overhead for adding null checks is. +1. When we annotate it with likelihood attribute telling the compiler to expect a valid pointer the branch predictor will always guess correctly. In that case the overhead should be low. There was recently a Discourse thread about how the assume attribute can prevent certain optimizations, so I'm not sure we can always rely on that. I think we can move forward this way. When we put everything in the right category we can measure the overhead of every category. That way we can have number of the performance overhead and can make an informed decision in this regard. I think it would be good to discuss this on Discord/Discourse to get input of more people in the LLVM communicate. Again I'm fine to do that for LLVM 18 and keep the current way in LLVM 17. Agreed -- once the release is done, I'd like to get some performance data and start a wider discussion.

Closed by commit rG4a652e4a996f: [libc++][hardening] Categorize more assertions. (authored by varconst <varconsteq@gmail.com>, committed by var-const). · Explain WhyJul 24 2023, 2:57 PM

This revision was automatically updated to reflect the committed changes.

var-const added a commit: rG4a652e4a996f: [libc++][hardening] Categorize more assertions..

AdvenamTacet added a subscriber: AdvenamTacet.Jul 24 2023, 4:11 PM

AdvenamTacet added inline comments.Aug 1 2023, 12:57 PM

libcxx/include/__tree
171	In Linux userspace programs, a null pointer dereference will result in a SIGSEGV signal sent to the process if the program didn't allocate memory at address zero. Nowadays, this is not possible due to the `vm.mmap_min_addr` runtime kernel parameter which is usually set to 65536 (although there are probably systems that set it to 4096 [0]) though a root user can change it with `sysctl -w vm.mmap_min_addr=0` and then programs can allocate memory at zero address using the mmap syscall as: cpp #include <sys/mman.h> mmap(0, sysconf(_SC_PAGE_SIZE), PROT_READ \| PROT_WRITE, MAP_PRIVATE \| MAP_FIXED \| MAP_ANONYMOUS, -1, 0); A program can also register a SIGSEGV handler which could maybe be a vector of attack in case of null pointer dereferences, although this is rather unlikely as the program would have to be very specific. However, a null pointer dereference can be used to launch a denial-of-service (DoS) attack. On the Linux kernel side, null pointer dereferences were exploitable in the past when both the vm.mmap_min_addr and SMEP/SMAP [1] mitigations (or equivalents on e.g. ARM) were not there. In such a case, a null pointer dereference in the kernel could actually fetch the data from a userspace program that invoked a syscall. Null pointer dereferences in the kernel may also end up as "kernel oops" and it turned out that this behavior was exploitable recently as shown by the Google Project Zero team [2]. However, this bug is already fixed in the upstream kernel repository. It is also worth mentioning that libc++ is not used in the kernel code. Given all of the above, I believe that the overhead of checking for null pointer dereferences in the hardened mode is not necessary, at least not on Linux. [0] https://grep.app/search?q=mmap_min_addr%3D [1] https://wiki.osdev.org/Supervisor_Memory_Protection [2] https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html PS Is there a discussion on discourse to post it for long term visibility and discussion?

Revision Contents

Path

Size

libcxx/

include/

__config

39 lines

__hash_table

22 lines

__node_handle

2 lines

__stop_token/

intrusive_list_view.h

2 lines

__string/

char_traits.h

15 lines

__tree

28 lines

src/

string.cpp

2 lines

Diff 543704

libcxx/include/__config

	Show First 20 Lines • Show All 233 Lines • ▼ Show 20 Lines
	// #define _LIBCPP_ENABLE_DEBUG_MODE 1			// #define _LIBCPP_ENABLE_DEBUG_MODE 1

	// Inside the library, assertions are categorized so they can be cherry-picked based on the chosen hardening mode. These			// Inside the library, assertions are categorized so they can be cherry-picked based on the chosen hardening mode. These
	// macros are only for internal use -- users should only pick one of the high-level hardening modes described above.			// macros are only for internal use -- users should only pick one of the high-level hardening modes described above.
	//			//
	// - `_LIBCPP_ASSERT_VALID_INPUT_RANGE` -- checks that ranges (whether expressed as an iterator pair, an iterator and			// - `_LIBCPP_ASSERT_VALID_INPUT_RANGE` -- checks that ranges (whether expressed as an iterator pair, an iterator and
	// a sentinel, an iterator and a count, or a `std::range`) given as input to library functions are valid:			// a sentinel, an iterator and a count, or a `std::range`) given as input to library functions are valid:
	// - the sentinel is reachable from the begin iterator;			// - the sentinel is reachable from the begin iterator;
	// - TODO(hardening): where applicable, the input range and the output range do not overlap;
	// - TODO(hardening): both iterators refer to the same container.			// - TODO(hardening): both iterators refer to the same container.
	//			//
	// - `_LIBCPP_ASSERT_VALID_ELEMENT_ACCESS` -- checks that any attempts to access a container element, whether through			// - `_LIBCPP_ASSERT_VALID_ELEMENT_ACCESS` -- checks that any attempts to access a container element, whether through
	// the container object or through an iterator, are valid and do not attempt to go out of bounds or otherwise access			// the container object or through an iterator, are valid and do not attempt to go out of bounds or otherwise access
	// a non-existent element. For iterator checks to work, bounded iterators must be enabled in the ABI. Types like			// a non-existent element. For iterator checks to work, bounded iterators must be enabled in the ABI. Types like
	// `optional` and `function` are considered one-element containers for the purposes of this check.			// `optional` and `function` are considered one-element containers for the purposes of this check.
	//			//
				// - `_LIBCPP_ASSERT_NON_OVERLAPPING_RANGES` -- for functions that take several ranges as arguments, checks that the
				// given ranges do not overlap.
				//
	// - `_LIBCPP_ASSERT_COMPATIBLE_ALLOCATOR` -- checks any operations that exchange nodes between containers to make sure			// - `_LIBCPP_ASSERT_COMPATIBLE_ALLOCATOR` -- checks any operations that exchange nodes between containers to make sure
	// the containers have compatible allocators.			// the containers have compatible allocators.
	//			//
	// - `_LIBCPP_ASSERT_INTERNAL` -- checks that internal invariants of the library hold. These assertions don't depend on			// - `_LIBCPP_ASSERT_INTERNAL` -- checks that internal invariants of the library hold. These assertions don't depend on
	// user input.			// user input.
	//			//
	// - `_LIBCPP_ASSERT_UNCATEGORIZED` -- for assertions that haven't been properly classified yet.			// - `_LIBCPP_ASSERT_UNCATEGORIZED` -- for assertions that haven't been properly classified yet.

	Show All 13 Lines

	# if _LIBCPP_ENABLE_HARDENED_MODE && _LIBCPP_ENABLE_DEBUG_MODE			# if _LIBCPP_ENABLE_HARDENED_MODE && _LIBCPP_ENABLE_DEBUG_MODE
	# error "Only one of _LIBCPP_ENABLE_HARDENED_MODE and _LIBCPP_ENABLE_DEBUG_MODE can be enabled."			# error "Only one of _LIBCPP_ENABLE_HARDENED_MODE and _LIBCPP_ENABLE_DEBUG_MODE can be enabled."
	# endif			# endif

	// Hardened mode checks.			// Hardened mode checks.

	// clang-format off			// clang-format off
	# if _LIBCPP_ENABLE_HARDENED_MODE			# if _LIBCPP_ENABLE_HARDENED_MODE
				ldionneUnsubmitted Done Reply Inline Actions It would be great to rebase this on top of D155866. ldionne: It would be great to rebase this on top of D155866.

	// Enabled checks.			// Enabled checks.
	# define _LIBCPP_ASSERT_VALID_INPUT_RANGE(expression, message) _LIBCPP_ASSERT(expression, message)			# define _LIBCPP_ASSERT_VALID_INPUT_RANGE(expression, message) _LIBCPP_ASSERT(expression, message)
	# define _LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(expression, message) _LIBCPP_ASSERT(expression, message)			# define _LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(expression, message) _LIBCPP_ASSERT(expression, message)
	// Disabled checks.			// Disabled checks.
				// Overlapping ranges will make algorithms produce incorrect results but don't directly lead to a security
				ldionneUnsubmitted Not Done Reply Inline Actions Here we could add a short comment rationalizing the choice: `Nullptr conditions are generally meant to protect against dereferencing a null pointer, which generally results in a crash`. ldionne: Here we could add a short comment rationalizing the choice: `Nullptr conditions are generally…
				// vulnerability.
				# define _LIBCPP_ASSERT_NON_OVERLAPPING_RANGES(expression, message) _LIBCPP_ASSUME(expression)
	# define _LIBCPP_ASSERT_COMPATIBLE_ALLOCATOR(expression, message) _LIBCPP_ASSUME(expression)			# define _LIBCPP_ASSERT_COMPATIBLE_ALLOCATOR(expression, message) _LIBCPP_ASSUME(expression)
	# define _LIBCPP_ASSERT_INTERNAL(expression, message) _LIBCPP_ASSUME(expression)			# define _LIBCPP_ASSERT_INTERNAL(expression, message) _LIBCPP_ASSUME(expression)
	# define _LIBCPP_ASSERT_UNCATEGORIZED(expression, message) _LIBCPP_ASSUME(expression)			# define _LIBCPP_ASSERT_UNCATEGORIZED(expression, message) _LIBCPP_ASSUME(expression)

	// Debug mode checks.			// Debug mode checks.

	# elif _LIBCPP_ENABLE_DEBUG_MODE			# elif _LIBCPP_ENABLE_DEBUG_MODE

	// All checks enabled.			// All checks enabled.
	# define _LIBCPP_ASSERT_VALID_INPUT_RANGE(expression, message) _LIBCPP_ASSERT(expression, message)			# define _LIBCPP_ASSERT_VALID_INPUT_RANGE(expression, message) _LIBCPP_ASSERT(expression, message)
	# define _LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(expression, message) _LIBCPP_ASSERT(expression, message)			# define _LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(expression, message) _LIBCPP_ASSERT(expression, message)
				# define _LIBCPP_ASSERT_NON_OVERLAPPING_RANGES(expression, message) _LIBCPP_ASSERT(expression, message)
	# define _LIBCPP_ASSERT_COMPATIBLE_ALLOCATOR(expression, message) _LIBCPP_ASSERT(expression, message)			# define _LIBCPP_ASSERT_COMPATIBLE_ALLOCATOR(expression, message) _LIBCPP_ASSERT(expression, message)
	# define _LIBCPP_ASSERT_INTERNAL(expression, message) _LIBCPP_ASSERT(expression, message)			# define _LIBCPP_ASSERT_INTERNAL(expression, message) _LIBCPP_ASSERT(expression, message)
	# define _LIBCPP_ASSERT_UNCATEGORIZED(expression, message) _LIBCPP_ASSERT(expression, message)			# define _LIBCPP_ASSERT_UNCATEGORIZED(expression, message) _LIBCPP_ASSERT(expression, message)

	// Disable all checks if hardening is not enabled.			// Disable all checks if hardening is not enabled.

	# else			# else

	// All checks disabled.			// All checks disabled.
	# define _LIBCPP_ASSERT_VALID_INPUT_RANGE(expression, message) _LIBCPP_ASSUME(expression)			# define _LIBCPP_ASSERT_VALID_INPUT_RANGE(expression, message) _LIBCPP_ASSUME(expression)
	# define _LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(expression, message) _LIBCPP_ASSUME(expression)			# define _LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(expression, message) _LIBCPP_ASSUME(expression)
				# define _LIBCPP_ASSERT_NON_OVERLAPPING_RANGES(expression, message) _LIBCPP_ASSUME(expression)
	# define _LIBCPP_ASSERT_COMPATIBLE_ALLOCATOR(expression, message) _LIBCPP_ASSUME(expression)			# define _LIBCPP_ASSERT_COMPATIBLE_ALLOCATOR(expression, message) _LIBCPP_ASSUME(expression)
	# define _LIBCPP_ASSERT_INTERNAL(expression, message) _LIBCPP_ASSUME(expression)			# define _LIBCPP_ASSERT_INTERNAL(expression, message) _LIBCPP_ASSUME(expression)
	# define _LIBCPP_ASSERT_UNCATEGORIZED(expression, message) _LIBCPP_ASSUME(expression)			# define _LIBCPP_ASSERT_UNCATEGORIZED(expression, message) _LIBCPP_ASSUME(expression)

	# endif // _LIBCPP_ENABLE_HARDENED_MODE			# endif // _LIBCPP_ENABLE_HARDENED_MODE
	// clang-format on			// clang-format on

	// } HARDENING			// } HARDENING

	# define _LIBCPP_TOSTRING2(x) #x			# define _LIBCPP_TOSTRING2(x) #x
	# define _LIBCPP_TOSTRING(x) _LIBCPP_TOSTRING2(x)			# define _LIBCPP_TOSTRING(x) _LIBCPP_TOSTRING2(x)
	▲ Show 20 Lines • Show All 1,148 Lines • Show Last 20 Lines

libcxx/include/__hash_table

Show First 20 Lines • Show All 1,103 Lines • ▼ Show 20 Lines	_LIBCPP_INLINE_VISIBILITY void max_load_factor(float __mlf) _NOEXCEPT
"unordered container::max_load_factor(lf) called with lf <= 0");		"unordered container::max_load_factor(lf) called with lf <= 0");
max_load_factor() = _VSTD::max(__mlf, load_factor());		max_load_factor() = _VSTD::max(__mlf, load_factor());
}		}

_LIBCPP_INLINE_VISIBILITY		_LIBCPP_INLINE_VISIBILITY
local_iterator		local_iterator
begin(size_type __n)		begin(size_type __n)
{		{
_LIBCPP_ASSERT_UNCATEGORIZED(__n < bucket_count(),		_LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(__n < bucket_count(),
		ldionneUnsubmitted Not Done Reply Inline Actions It would be nice to make sure that all the non-internal assertions we add are tested. In some cases this will mean removing `XFAIL` on an existing test, in other cases we'll need to add some tests but it should be easy. ldionne: It would be nice to make sure that all the non-internal assertions we add are tested. In some…
		MordanteUnsubmitted Not Done Reply Inline Actions +1 Mordante: +1
		var-constAuthorUnsubmitted Done Reply Inline Actions As discussed offline -- I will do this in a follow-up, simply due to the release timing. I did a quick survey and counted 83 untested assertions (among the ones currently categorized), so unfortunately it will take a while. var-const: As discussed offline -- I will do this in a follow-up, simply due to the release timing. I did…
"unordered container::begin(n) called with n >= bucket_count()");		"unordered container::begin(n) called with n >= bucket_count()");
return local_iterator(__bucket_list_[__n], __n, bucket_count());		return local_iterator(__bucket_list_[__n], __n, bucket_count());
}		}

_LIBCPP_INLINE_VISIBILITY		_LIBCPP_INLINE_VISIBILITY
local_iterator		local_iterator
end(size_type __n)		end(size_type __n)
{		{
_LIBCPP_ASSERT_UNCATEGORIZED(__n < bucket_count(),		_LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(__n < bucket_count(),
"unordered container::end(n) called with n >= bucket_count()");		"unordered container::end(n) called with n >= bucket_count()");
return local_iterator(nullptr, __n, bucket_count());		return local_iterator(nullptr, __n, bucket_count());
}		}

_LIBCPP_INLINE_VISIBILITY		_LIBCPP_INLINE_VISIBILITY
const_local_iterator		const_local_iterator
cbegin(size_type __n) const		cbegin(size_type __n) const
{		{
_LIBCPP_ASSERT_UNCATEGORIZED(__n < bucket_count(),		_LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(__n < bucket_count(),
"unordered container::cbegin(n) called with n >= bucket_count()");		"unordered container::cbegin(n) called with n >= bucket_count()");
return const_local_iterator(__bucket_list_[__n], __n, bucket_count());		return const_local_iterator(__bucket_list_[__n], __n, bucket_count());
}		}

_LIBCPP_INLINE_VISIBILITY		_LIBCPP_INLINE_VISIBILITY
const_local_iterator		const_local_iterator
cend(size_type __n) const		cend(size_type __n) const
{		{
_LIBCPP_ASSERT_UNCATEGORIZED(__n < bucket_count(),		_LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(__n < bucket_count(),
"unordered container::cend(n) called with n >= bucket_count()");		"unordered container::cend(n) called with n >= bucket_count()");
return const_local_iterator(nullptr, __n, bucket_count());		return const_local_iterator(nullptr, __n, bucket_count());
}		}

private:		private:
template <bool _UniqueKeys>		template <bool _UniqueKeys>
_LIBCPP_HIDE_FROM_ABI void __rehash(size_type __n);		_LIBCPP_HIDE_FROM_ABI void __rehash(size_type __n);
template <bool _UniqueKeys>		template <bool _UniqueKeys>
▲ Show 20 Lines • Show All 1,070 Lines • ▼ Show 20 Lines	__hash_table<_Tp, _Hash, _Equal, _Alloc>::__construct_node_hash(
return __h;		return __h;
}		}

template <class _Tp, class _Hash, class _Equal, class _Alloc>		template <class _Tp, class _Hash, class _Equal, class _Alloc>
typename __hash_table<_Tp, _Hash, _Equal, _Alloc>::iterator		typename __hash_table<_Tp, _Hash, _Equal, _Alloc>::iterator
__hash_table<_Tp, _Hash, _Equal, _Alloc>::erase(const_iterator __p)		__hash_table<_Tp, _Hash, _Equal, _Alloc>::erase(const_iterator __p)
{		{
__next_pointer __np = __p.__node_;		__next_pointer __np = __p.__node_;
_LIBCPP_ASSERT_UNCATEGORIZED(__p != end(),		_LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(__p != end(),
"unordered container erase(iterator) called with a non-dereferenceable iterator");		"unordered container::erase(iterator) called with a non-dereferenceable iterator");
iterator __r(__np);		iterator __r(__np);
++__r;		++__r;
remove(__p);		remove(__p);
return __r;		return __r;
}		}

template <class _Tp, class _Hash, class _Equal, class _Alloc>		template <class _Tp, class _Hash, class _Equal, class _Alloc>
typename __hash_table<_Tp, _Hash, _Equal, _Alloc>::iterator		typename __hash_table<_Tp, _Hash, _Equal, _Alloc>::iterator
▲ Show 20 Lines • Show All 182 Lines • ▼ Show 20 Lines	_NOEXCEPT_(
\|\| __is_nothrow_swappable<__pointer_allocator>::value)		\|\| __is_nothrow_swappable<__pointer_allocator>::value)
&& (!__node_traits::propagate_on_container_swap::value		&& (!__node_traits::propagate_on_container_swap::value
\|\| __is_nothrow_swappable<__node_allocator>::value)		\|\| __is_nothrow_swappable<__node_allocator>::value)
)		)
#else		#else
_NOEXCEPT_(__is_nothrow_swappable<hasher>::value && __is_nothrow_swappable<key_equal>::value)		_NOEXCEPT_(__is_nothrow_swappable<hasher>::value && __is_nothrow_swappable<key_equal>::value)
#endif		#endif
{		{
_LIBCPP_ASSERT_UNCATEGORIZED(__node_traits::propagate_on_container_swap::value \|\|		_LIBCPP_ASSERT_COMPATIBLE_ALLOCATOR(__node_traits::propagate_on_container_swap::value \|\|
this->__node_alloc() == __u.__node_alloc(),		this->__node_alloc() == __u.__node_alloc(),
"list::swap: Either propagate_on_container_swap must be true"		"unordered container::swap: Either propagate_on_container_swap "
" or the allocators must compare equal");		"must be true or the allocators must compare equal");
{		{
__node_pointer_pointer __npp = __bucket_list_.release();		__node_pointer_pointer __npp = __bucket_list_.release();
__bucket_list_.reset(__u.__bucket_list_.release());		__bucket_list_.reset(__u.__bucket_list_.release());
__u.__bucket_list_.reset(__npp);		__u.__bucket_list_.reset(__npp);
}		}
_VSTD::swap(__bucket_list_.get_deleter().size(), __u.__bucket_list_.get_deleter().size());		_VSTD::swap(__bucket_list_.get_deleter().size(), __u.__bucket_list_.get_deleter().size());
_VSTD::__swap_allocator(__bucket_list_.get_deleter().__alloc(),		_VSTD::__swap_allocator(__bucket_list_.get_deleter().__alloc(),
__u.__bucket_list_.get_deleter().__alloc());		__u.__bucket_list_.get_deleter().__alloc());
_VSTD::__swap_allocator(__node_alloc(), __u.__node_alloc());		_VSTD::__swap_allocator(__node_alloc(), __u.__node_alloc());
_VSTD::swap(__p1_.first().__next_, __u.__p1_.first().__next_);		_VSTD::swap(__p1_.first().__next_, __u.__p1_.first().__next_);
__p2_.swap(__u.__p2_);		__p2_.swap(__u.__p2_);
__p3_.swap(__u.__p3_);		__p3_.swap(__u.__p3_);
if (size() > 0)		if (size() > 0)
__bucket_list_[std::__constrain_hash(__p1_.first().__next_->__hash(), bucket_count())] =		__bucket_list_[std::__constrain_hash(__p1_.first().__next_->__hash(), bucket_count())] =
__p1_.first().__ptr();		__p1_.first().__ptr();
if (__u.size() > 0)		if (__u.size() > 0)
__u.__bucket_list_[std::__constrain_hash(__u.__p1_.first().__next_->__hash(), __u.bucket_count())] =		__u.__bucket_list_[std::__constrain_hash(__u.__p1_.first().__next_->__hash(), __u.bucket_count())] =
__u.__p1_.first().__ptr();		__u.__p1_.first().__ptr();
}		}

template <class _Tp, class _Hash, class _Equal, class _Alloc>		template <class _Tp, class _Hash, class _Equal, class _Alloc>
typename __hash_table<_Tp, _Hash, _Equal, _Alloc>::size_type		typename __hash_table<_Tp, _Hash, _Equal, _Alloc>::size_type
__hash_table<_Tp, _Hash, _Equal, _Alloc>::bucket_size(size_type __n) const		__hash_table<_Tp, _Hash, _Equal, _Alloc>::bucket_size(size_type __n) const
{		{
_LIBCPP_ASSERT_UNCATEGORIZED(__n < bucket_count(),		_LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(__n < bucket_count(),
"unordered container::bucket_size(n) called with n >= bucket_count()");		"unordered container::bucket_size(n) called with n >= bucket_count()");
__next_pointer __np = __bucket_list_[__n];		__next_pointer __np = __bucket_list_[__n];
size_type __bc = bucket_count();		size_type __bc = bucket_count();
size_type __r = 0;		size_type __r = 0;
if (__np != nullptr)		if (__np != nullptr)
{		{
for (__np = __np->__next_; __np != nullptr &&		for (__np = __np->__next_; __np != nullptr &&
std::__constrain_hash(__np->__hash(), __bc) == __n;		std::__constrain_hash(__np->__hash(), __bc) == __n;
Show All 21 Lines

libcxx/include/__node_handle

Show First 20 Lines • Show All 143 Lines • ▼ Show 20 Lines	public:
{		{
__other.__ptr_ = nullptr;		__other.__ptr_ = nullptr;
__other.__alloc_ = _VSTD::nullopt;		__other.__alloc_ = _VSTD::nullopt;
}		}

_LIBCPP_INLINE_VISIBILITY		_LIBCPP_INLINE_VISIBILITY
__basic_node_handle& operator=(__basic_node_handle&& __other)		__basic_node_handle& operator=(__basic_node_handle&& __other)
{		{
_LIBCPP_ASSERT_UNCATEGORIZED(		_LIBCPP_ASSERT_COMPATIBLE_ALLOCATOR(
__alloc_ == _VSTD::nullopt \|\|		__alloc_ == _VSTD::nullopt \|\|
__alloc_traits::propagate_on_container_move_assignment::value \|\|		__alloc_traits::propagate_on_container_move_assignment::value \|\|
__alloc_ == __other.__alloc_,		__alloc_ == __other.__alloc_,
"node_type with incompatible allocator passed to "		"node_type with incompatible allocator passed to "
"node_type::operator=(node_type&&)");		"node_type::operator=(node_type&&)");

__destroy_node_pointer();		__destroy_node_pointer();
__ptr_ = __other.__ptr_;		__ptr_ = __other.__ptr_;
▲ Show 20 Lines • Show All 99 Lines • Show Last 20 Lines

libcxx/include/__stop_token/intrusive_list_view.h

Show First 20 Lines • Show All 61 Lines • ▼ Show 20 Lines	struct __intrusive_list_view {
_LIBCPP_HIDE_FROM_ABI void __remove(_Node* __node) noexcept {		_LIBCPP_HIDE_FROM_ABI void __remove(_Node* __node) noexcept {
if (__node->__prev_) {		if (__node->__prev_) {
// prev exists, set its next to our next to skip __node		// prev exists, set its next to our next to skip __node
__node->__prev_->__next_ = __node->__next_;		__node->__prev_->__next_ = __node->__next_;
if (__node->__next_) {		if (__node->__next_) {
__node->__next_->__prev_ = __node->__prev_;		__node->__next_->__prev_ = __node->__prev_;
}		}
} else {		} else {
_LIBCPP_ASSERT_UNCATEGORIZED(__node == __head_, "Node to be removed has no prev node, so it has to be the head");		_LIBCPP_ASSERT_INTERNAL(__node == __head_, "Node to be removed has no prev node, so it has to be the head");
__pop_front();		__pop_front();
}		}
}		}

_LIBCPP_HIDE_FROM_ABI bool __is_head(_Node* __node) noexcept { return __node == __head_; }		_LIBCPP_HIDE_FROM_ABI bool __is_head(_Node* __node) noexcept { return __node == __head_; }

private:		private:
_Node* __head_ = nullptr;		_Node* __head_ = nullptr;
};		};

#endif // _LIBCPP_STD_VER >= 20		#endif // _LIBCPP_STD_VER >= 20

_LIBCPP_END_NAMESPACE_STD		_LIBCPP_END_NAMESPACE_STD

#endif // _LIBCPP___STOP_TOKEN_INTRUSIVE_LIST_VIEW_H		#endif // _LIBCPP___STOP_TOKEN_INTRUSIVE_LIST_VIEW_H

libcxx/include/__string/char_traits.h

Show First 20 Lines • Show All 136 Lines • ▼ Show 20 Lines	char_type* move(char_type* __s1, const char_type* __s2, size_t __n) {
assign(--__s1, --__s2);		assign(--__s1, --__s2);
}		}
return __r;		return __r;
}		}
_LIBCPP_INLINE_VISIBILITY		_LIBCPP_INLINE_VISIBILITY
static _LIBCPP_CONSTEXPR_SINCE_CXX20		static _LIBCPP_CONSTEXPR_SINCE_CXX20
char_type* copy(char_type* __s1, const char_type* __s2, size_t __n) {		char_type* copy(char_type* __s1, const char_type* __s2, size_t __n) {
if (!__libcpp_is_constant_evaluated()) {		if (!__libcpp_is_constant_evaluated()) {
_LIBCPP_ASSERT_UNCATEGORIZED(__s2 < __s1 \|\| __s2 >= __s1+__n, "char_traits::copy overlapped range");		_LIBCPP_ASSERT_NON_OVERLAPPING_RANGES(
		__s2 < __s1 \|\| __s2 >= __s1 + __n, "char_traits::copy overlapped range");
		ldionneUnsubmitted Done Reply Inline Actions Maybe `_LIBCPP_ASSERT_NON_OVERLAPPING_RANGES`? Both ranges can technically be valid ranges yet still be overlapping. Also, the result of the algo will be incorrect if the ranges overlap but I don't think this can directly cause bad stuff to happen, so I don't think we want this in the hardened mode. Using another category would allow excluding it. ldionne: Maybe `_LIBCPP_ASSERT_NON_OVERLAPPING_RANGES`? Both ranges can technically be valid ranges yet…
}		}
char_type* __r = __s1;		char_type* __r = __s1;
for (; __n; --__n, ++__s1, ++__s2)		for (; __n; --__n, ++__s1, ++__s2)
assign(__s1, __s2);		assign(__s1, __s2);
return __r;		return __r;
}		}
_LIBCPP_INLINE_VISIBILITY		_LIBCPP_INLINE_VISIBILITY
static _LIBCPP_CONSTEXPR_SINCE_CXX20		static _LIBCPP_CONSTEXPR_SINCE_CXX20
▲ Show 20 Lines • Show All 77 Lines • ▼ Show 20 Lines	#endif // _LIBCPP_COMPILER_CLANG_BASED
static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20		static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20
char_type* move(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {		char_type* move(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {
return std::__constexpr_memmove(__s1, __s2, __element_count(__n));		return std::__constexpr_memmove(__s1, __s2, __element_count(__n));
}		}

static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20		static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20
char_type* copy(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {		char_type* copy(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {
if (!__libcpp_is_constant_evaluated())		if (!__libcpp_is_constant_evaluated())
_LIBCPP_ASSERT_UNCATEGORIZED(__s2 < __s1 \|\| __s2 >= __s1+__n, "char_traits::copy overlapped range");		_LIBCPP_ASSERT_NON_OVERLAPPING_RANGES(
		__s2 < __s1 \|\| __s2 >= __s1 + __n, "char_traits::copy overlapped range");
		ldionneUnsubmitted Not Done Reply Inline Actions Do we want to change the message to `overlapping ranges`? To consider as we add tests. ldionne: Do we want to change the message to `overlapping ranges`? To consider as we add tests.
std::copy_n(__s2, __n, __s1);		std::copy_n(__s2, __n, __s1);
return __s1;		return __s1;
}		}

static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20		static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20
char_type* assign(char_type* __s, size_t __n, char_type __a) _NOEXCEPT {		char_type* assign(char_type* __s, size_t __n, char_type __a) _NOEXCEPT {
std::fill_n(__s, __n, __a);		std::fill_n(__s, __n, __a);
return __s;		return __s;
▲ Show 20 Lines • Show All 54 Lines • ▼ Show 20 Lines	const char_type* find(const char_type* __s, size_t __n, const char_type& __a) _NOEXCEPT {
static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20		static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20
char_type* move(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {		char_type* move(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {
return std::__constexpr_memmove(__s1, __s2, __element_count(__n));		return std::__constexpr_memmove(__s1, __s2, __element_count(__n));
}		}

static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20		static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20
char_type* copy(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {		char_type* copy(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {
if (!__libcpp_is_constant_evaluated())		if (!__libcpp_is_constant_evaluated())
_LIBCPP_ASSERT_UNCATEGORIZED(__s2 < __s1 \|\| __s2 >= __s1+__n, "char_traits::copy overlapped range");		_LIBCPP_ASSERT_NON_OVERLAPPING_RANGES(
		__s2 < __s1 \|\| __s2 >= __s1 + __n, "char_traits::copy overlapped range");
std::copy_n(__s2, __n, __s1);		std::copy_n(__s2, __n, __s1);
return __s1;		return __s1;
}		}

static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20		static inline _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20
char_type* assign(char_type* __s, size_t __n, char_type __a) _NOEXCEPT {		char_type* assign(char_type* __s, size_t __n, char_type __a) _NOEXCEPT {
std::fill_n(__s, __n, __a);		std::fill_n(__s, __n, __a);
return __s;		return __s;
▲ Show 20 Lines • Show All 47 Lines • ▼ Show 20 Lines	compare(const char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {
static _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20		static _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20
char_type* move(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {		char_type* move(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {
return std::__constexpr_memmove(__s1, __s2, __element_count(__n));		return std::__constexpr_memmove(__s1, __s2, __element_count(__n));
}		}

static _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20		static _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20
char_type* copy(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {		char_type* copy(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {
if (!__libcpp_is_constant_evaluated())		if (!__libcpp_is_constant_evaluated())
_LIBCPP_ASSERT_UNCATEGORIZED(__s2 < __s1 \|\| __s2 >= __s1+__n, "char_traits::copy overlapped range");		_LIBCPP_ASSERT_NON_OVERLAPPING_RANGES(
		__s2 < __s1 \|\| __s2 >= __s1+__n, "char_traits::copy overlapped range");
std::copy_n(__s2, __n, __s1);		std::copy_n(__s2, __n, __s1);
return __s1;		return __s1;
}		}

static _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20		static _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20
char_type* assign(char_type* __s, size_t __n, char_type __a) _NOEXCEPT {		char_type* assign(char_type* __s, size_t __n, char_type __a) _NOEXCEPT {
std::fill_n(__s, __n, __a);		std::fill_n(__s, __n, __a);
return __s;		return __s;
▲ Show 20 Lines • Show All 67 Lines • ▼ Show 20 Lines	#endif
_LIBCPP_INLINE_VISIBILITY _LIBCPP_CONSTEXPR_SINCE_CXX20		_LIBCPP_INLINE_VISIBILITY _LIBCPP_CONSTEXPR_SINCE_CXX20
static char_type* move(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {		static char_type* move(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {
return std::__constexpr_memmove(__s1, __s2, __element_count(__n));		return std::__constexpr_memmove(__s1, __s2, __element_count(__n));
}		}

_LIBCPP_INLINE_VISIBILITY _LIBCPP_CONSTEXPR_SINCE_CXX20		_LIBCPP_INLINE_VISIBILITY _LIBCPP_CONSTEXPR_SINCE_CXX20
static char_type* copy(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {		static char_type* copy(char_type* __s1, const char_type* __s2, size_t __n) _NOEXCEPT {
if (!__libcpp_is_constant_evaluated())		if (!__libcpp_is_constant_evaluated())
_LIBCPP_ASSERT_UNCATEGORIZED(__s2 < __s1 \|\| __s2 >= __s1+__n, "char_traits::copy overlapped range");		_LIBCPP_ASSERT_NON_OVERLAPPING_RANGES(
		__s2 < __s1 \|\| __s2 >= __s1+__n, "char_traits::copy overlapped range");
std::copy_n(__s2, __n, __s1);		std::copy_n(__s2, __n, __s1);
return __s1;		return __s1;
}		}

_LIBCPP_INLINE_VISIBILITY _LIBCPP_CONSTEXPR_SINCE_CXX20		_LIBCPP_INLINE_VISIBILITY _LIBCPP_CONSTEXPR_SINCE_CXX20
static char_type* assign(char_type* __s, size_t __n, char_type __a) _NOEXCEPT {		static char_type* assign(char_type* __s, size_t __n, char_type __a) _NOEXCEPT {
std::fill_n(__s, __n, __a);		std::fill_n(__s, __n, __a);
return __s;		return __s;
▲ Show 20 Lines • Show All 372 Lines • Show Last 20 Lines

libcxx/include/__tree

	Show First 20 Lines • Show All 162 Lines • ▼ Show 20 Lines
	}			}

	// Returns: pointer to the left-most node under __x.			// Returns: pointer to the left-most node under __x.
	template <class _NodePtr>			template <class _NodePtr>
	inline _LIBCPP_INLINE_VISIBILITY			inline _LIBCPP_INLINE_VISIBILITY
	_NodePtr			_NodePtr
	__tree_min(_NodePtr __x) _NOEXCEPT			__tree_min(_NodePtr __x) _NOEXCEPT
	{			{
	_LIBCPP_ASSERT_UNCATEGORIZED(__x != nullptr, "Root node shouldn't be null");			_LIBCPP_ASSERT_INTERNAL(__x != nullptr, "Root node shouldn't be null");
				MordanteUnsubmitted Not Done Reply Inline Actions As mentioned in D155906 I really would like to have these kind of cheap internal sanity checks enabled in `_LIBCPP_ENABLE_HARDENED_MODE`. They are not user errors, but they still cause potential issues for users, including users in safety-critial places. When there's not enough time to get that done before LLVM 17, I'm happy to defer that to LLVM 18. Mordante: As mentioned in D155906 I really would like to have these kind of cheap internal sanity checks…
				var-constAuthorUnsubmitted Done Reply Inline Actions Thanks for starting this discussion! My current thinking has been to keep the hardened mode as lightweight as possible. I have a big concern about performance penalty blocking adoption; also, while I'm not 100% sure this can happen, my ideal would be if we could make the hardened mode the default at some point (of course, users would still be able to opt out and use the unchecked mode). Because of that, so far I have been generally erring on the side of performance and using the following criteria for enabling an assertion: Is the failure directly triggered by user input? Is the failure directly exploitable? Is the failure condition relatively cheap to check? Personally, I feel #2 is the most important distinction. Almost any error, including logic errors that don't trigger UB, can lead to very incorrect results and also contribute to a security vulnerability. I envision the hardened mode as only preventing errors that create a security vulnerability directly (e.g. an out-of-bounds read) -- the kind of errors where we can confidently say "if your program has one of those, it is vulnerable, regardless of any other context" (and thus we can justify the extra penalty for checking those). From that perspective, it follows that checks for null pointers should not be a part of the hardened mode (FWIW, it was somewhat surprising to me, or at least I found it counterintuitive). From what I know (and I'd be happy to be corrected on this if I'm missing something), dereferencing a null pointer on any relatively modern OS leads to a crash and is not directly exploitable (it might contribute to a more complicated exploit arising from context, but so can many other types of failures). The upside I'm hoping we get from limiting the number of checks we perform is wider adoption. The intention behind hardened mode is not that it provides complete safety or entirely eliminates UB -- rather, it makes your program measurably safer at a "negligible" cost; it relatively cheaply protects against the most catastrophic stuff. I'm hoping something like the 80/20 principle applies here (meaning that just a fraction of the cost that would be necessary to protect against all UB is enough to prevent 80% of exploitable vulnerabilities). The "perfect" hardened mode (aspirational, not realistic) is the mode where if you were to enable it, you would be guaranteed that an attacker could not use your program to achieve arbitrary code execution, and it's cheap enough to use in production. We currently have the hardened mode and the debug mode. While I'd prefer to keep this as simple as possible and stick with the 2 modes, I'd be open to exploring adding a 3rd mode in-between those two that would contain more checks that the hardened mode while still aiming at some reasonable level of performance (which for the debug mode is almost a non-goal). Tagging @ldionne as well in case he has a different perspective. var-const: Thanks for starting this discussion! My current thinking has been to keep the hardened mode as…
				MordanteUnsubmitted Not Done Reply Inline Actions I'm not sure whether deferring a null pointer will always leads to a crash on a modern OS. I can imagine some cases where that might be an issue. Embedded systems may use less well know OSes. Are kernel drivers allowed to modify address 0 or with low values? (This assumes a nullptr is mapped to address 0, which is not required by the Standard.) Maybe we should ask this to security experts. They probably can tell us how often deferring a nullptr may lead to real-world issues. Even when it's not a security-issue I think it would be good to test a nullptr when not allowed. Deferring nullptr is known to be quite a large issue in both C and C++. I'm also open to a third mode. Maybe we should measure what the overhead for adding null checks is. When we annotate it with likelihood attribute telling the compiler to expect a valid pointer the branch predictor will always guess correctly. In that case the overhead should be low. The nullptr case will be more expense, but I in that case the performance is no longer relevant. I think we can move forward this way. When we put everything in the right category we can measure the overhead of every category. That way we can have number of the performance overhead and can make an informed decision in this regard. I think it would be good to discuss this on Discord/Discourse to get input of more people in the LLVM communicate. Again I'm fine to do that for LLVM 18 and keep the current way in LLVM 17. Mordante: I'm not sure whether deferring a null pointer will always leads to a crash on a modern OS. I…
				var-constAuthorUnsubmitted Done Reply Inline Actions Maybe we should ask this to security experts. They probably can tell us how often deferring a nullptr may lead to real-world issues. Absolutely. I think these are all great questions to discuss. I'm not sure whether deferring a null pointer will always leads to a crash on a modern OS. That's my understanding but I would absolutely love a domain expert to confirm. Embedded systems may use less well know OSes. Are kernel drivers allowed to modify address 0 or with low values? (This assumes a nullptr is mapped to address 0, which is not required by the Standard.) IMO, the hardened mode should only contain checks that apply to almost every user; it shouldn't make users of widely-used systems to pay a performance penalty for the sake of more niche OSs. I'd much rather think of a way to let vendors of these kind of systems to enable additional null pointer checks on top of the hardened mode, whether via a third mode or some finer-grained approach. My overarching concern is users avoiding the hardened mode due to performance concerns, whether real or perceived; I'm afraid that enabling too many checks might backfire and result in less security due to a lack of use. Maybe we should measure what the overhead for adding null checks is. +1. When we annotate it with likelihood attribute telling the compiler to expect a valid pointer the branch predictor will always guess correctly. In that case the overhead should be low. There was recently a Discourse thread about how the assume attribute can prevent certain optimizations, so I'm not sure we can always rely on that. I think we can move forward this way. When we put everything in the right category we can measure the overhead of every category. That way we can have number of the performance overhead and can make an informed decision in this regard. I think it would be good to discuss this on Discord/Discourse to get input of more people in the LLVM communicate. Again I'm fine to do that for LLVM 18 and keep the current way in LLVM 17. Agreed -- once the release is done, I'd like to get some performance data and start a wider discussion. var-const: > Maybe we should ask this to security experts. They probably can tell us how often deferring a…
				AdvenamTacetUnsubmitted Done Reply Inline Actions In Linux userspace programs, a null pointer dereference will result in a SIGSEGV signal sent to the process if the program didn't allocate memory at address zero. Nowadays, this is not possible due to the `vm.mmap_min_addr` runtime kernel parameter which is usually set to 65536 (although there are probably systems that set it to 4096 [0]) though a root user can change it with `sysctl -w vm.mmap_min_addr=0` and then programs can allocate memory at zero address using the mmap syscall as: cpp #include <sys/mman.h> mmap(0, sysconf(_SC_PAGE_SIZE), PROT_READ \| PROT_WRITE, MAP_PRIVATE \| MAP_FIXED \| MAP_ANONYMOUS, -1, 0); A program can also register a SIGSEGV handler which could maybe be a vector of attack in case of null pointer dereferences, although this is rather unlikely as the program would have to be very specific. However, a null pointer dereference can be used to launch a denial-of-service (DoS) attack. On the Linux kernel side, null pointer dereferences were exploitable in the past when both the vm.mmap_min_addr and SMEP/SMAP [1] mitigations (or equivalents on e.g. ARM) were not there. In such a case, a null pointer dereference in the kernel could actually fetch the data from a userspace program that invoked a syscall. Null pointer dereferences in the kernel may also end up as "kernel oops" and it turned out that this behavior was exploitable recently as shown by the Google Project Zero team [2]. However, this bug is already fixed in the upstream kernel repository. It is also worth mentioning that libc++ is not used in the kernel code. Given all of the above, I believe that the overhead of checking for null pointer dereferences in the hardened mode is not necessary, at least not on Linux. [0] https://grep.app/search?q=mmap_min_addr%3D [1] https://wiki.osdev.org/Supervisor_Memory_Protection [2] https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html PS Is there a discussion on discourse to post it for long term visibility and discussion? AdvenamTacet: In Linux userspace programs, a null pointer dereference will result in a SIGSEGV signal sent to…
	while (__x->__left_ != nullptr)			while (__x->__left_ != nullptr)
	__x = __x->__left_;			__x = __x->__left_;
	return __x;			return __x;
	}			}

	// Returns: pointer to the right-most node under __x.			// Returns: pointer to the right-most node under __x.
	template <class _NodePtr>			template <class _NodePtr>
	inline _LIBCPP_INLINE_VISIBILITY			inline _LIBCPP_INLINE_VISIBILITY
	_NodePtr			_NodePtr
	__tree_max(_NodePtr __x) _NOEXCEPT			__tree_max(_NodePtr __x) _NOEXCEPT
	{			{
	_LIBCPP_ASSERT_UNCATEGORIZED(__x != nullptr, "Root node shouldn't be null");			_LIBCPP_ASSERT_INTERNAL(__x != nullptr, "Root node shouldn't be null");
	while (__x->__right_ != nullptr)			while (__x->__right_ != nullptr)
	__x = __x->__right_;			__x = __x->__right_;
	return __x;			return __x;
	}			}

	// Returns: pointer to the next in-order node after __x.			// Returns: pointer to the next in-order node after __x.
	template <class _NodePtr>			template <class _NodePtr>
	_LIBCPP_HIDE_FROM_ABI _NodePtr			_LIBCPP_HIDE_FROM_ABI _NodePtr
	__tree_next(_NodePtr __x) _NOEXCEPT			__tree_next(_NodePtr __x) _NOEXCEPT
	{			{
	_LIBCPP_ASSERT_UNCATEGORIZED(__x != nullptr, "node shouldn't be null");			_LIBCPP_ASSERT_INTERNAL(__x != nullptr, "node shouldn't be null");
	if (__x->__right_ != nullptr)			if (__x->__right_ != nullptr)
	return _VSTD::__tree_min(__x->__right_);			return _VSTD::__tree_min(__x->__right_);
	while (!_VSTD::__tree_is_left_child(__x))			while (!_VSTD::__tree_is_left_child(__x))
	__x = __x->__parent_unsafe();			__x = __x->__parent_unsafe();
	return __x->__parent_unsafe();			return __x->__parent_unsafe();
	}			}

	template <class _EndNodePtr, class _NodePtr>			template <class _EndNodePtr, class _NodePtr>
	inline _LIBCPP_INLINE_VISIBILITY			inline _LIBCPP_INLINE_VISIBILITY
	_EndNodePtr			_EndNodePtr
	__tree_next_iter(_NodePtr __x) _NOEXCEPT			__tree_next_iter(_NodePtr __x) _NOEXCEPT
	{			{
	_LIBCPP_ASSERT_UNCATEGORIZED(__x != nullptr, "node shouldn't be null");			_LIBCPP_ASSERT_INTERNAL(__x != nullptr, "node shouldn't be null");
	if (__x->__right_ != nullptr)			if (__x->__right_ != nullptr)
	return static_cast<_EndNodePtr>(_VSTD::__tree_min(__x->__right_));			return static_cast<_EndNodePtr>(_VSTD::__tree_min(__x->__right_));
	while (!_VSTD::__tree_is_left_child(__x))			while (!_VSTD::__tree_is_left_child(__x))
	__x = __x->__parent_unsafe();			__x = __x->__parent_unsafe();
	return static_cast<_EndNodePtr>(__x->__parent_);			return static_cast<_EndNodePtr>(__x->__parent_);
	}			}

	// Returns: pointer to the previous in-order node before __x.			// Returns: pointer to the previous in-order node before __x.
	// Note: __x may be the end node.			// Note: __x may be the end node.
	template <class _NodePtr, class _EndNodePtr>			template <class _NodePtr, class _EndNodePtr>
	inline _LIBCPP_INLINE_VISIBILITY			inline _LIBCPP_INLINE_VISIBILITY
	_NodePtr			_NodePtr
	__tree_prev_iter(_EndNodePtr __x) _NOEXCEPT			__tree_prev_iter(_EndNodePtr __x) _NOEXCEPT
	{			{
	_LIBCPP_ASSERT_UNCATEGORIZED(__x != nullptr, "node shouldn't be null");			_LIBCPP_ASSERT_INTERNAL(__x != nullptr, "node shouldn't be null");
	if (__x->__left_ != nullptr)			if (__x->__left_ != nullptr)
	return _VSTD::__tree_max(__x->__left_);			return _VSTD::__tree_max(__x->__left_);
	_NodePtr __xx = static_cast<_NodePtr>(__x);			_NodePtr __xx = static_cast<_NodePtr>(__x);
	while (_VSTD::__tree_is_left_child(__xx))			while (_VSTD::__tree_is_left_child(__xx))
	__xx = __xx->__parent_unsafe();			__xx = __xx->__parent_unsafe();
	return __xx->__parent_unsafe();			return __xx->__parent_unsafe();
	}			}

	// Returns: pointer to a node which has no children			// Returns: pointer to a node which has no children
	template <class _NodePtr>			template <class _NodePtr>
	_LIBCPP_HIDE_FROM_ABI _NodePtr			_LIBCPP_HIDE_FROM_ABI _NodePtr
	__tree_leaf(_NodePtr __x) _NOEXCEPT			__tree_leaf(_NodePtr __x) _NOEXCEPT
	{			{
	_LIBCPP_ASSERT_UNCATEGORIZED(__x != nullptr, "node shouldn't be null");			_LIBCPP_ASSERT_INTERNAL(__x != nullptr, "node shouldn't be null");
	while (true)			while (true)
	{			{
	if (__x->__left_ != nullptr)			if (__x->__left_ != nullptr)
	{			{
	__x = __x->__left_;			__x = __x->__left_;
	continue;			continue;
	}			}
	if (__x->__right_ != nullptr)			if (__x->__right_ != nullptr)
	{			{
	__x = __x->__right_;			__x = __x->__right_;
	continue;			continue;
	}			}
	break;			break;
	}			}
	return __x;			return __x;
	}			}

	// Effects: Makes __x->__right_ the subtree root with __x as its left child			// Effects: Makes __x->__right_ the subtree root with __x as its left child
	// while preserving in-order order.			// while preserving in-order order.
	template <class _NodePtr>			template <class _NodePtr>
	_LIBCPP_HIDE_FROM_ABI void			_LIBCPP_HIDE_FROM_ABI void
	__tree_left_rotate(_NodePtr __x) _NOEXCEPT			__tree_left_rotate(_NodePtr __x) _NOEXCEPT
	{			{
	_LIBCPP_ASSERT_UNCATEGORIZED(__x != nullptr, "node shouldn't be null");			_LIBCPP_ASSERT_INTERNAL(__x != nullptr, "node shouldn't be null");
	_LIBCPP_ASSERT_UNCATEGORIZED(__x->__right_ != nullptr, "node should have a right child");			_LIBCPP_ASSERT_INTERNAL(__x->__right_ != nullptr, "node should have a right child");
	_NodePtr __y = __x->__right_;			_NodePtr __y = __x->__right_;
	__x->__right_ = __y->__left_;			__x->__right_ = __y->__left_;
	if (__x->__right_ != nullptr)			if (__x->__right_ != nullptr)
	__x->__right_->__set_parent(__x);			__x->__right_->__set_parent(__x);
	__y->__parent_ = __x->__parent_;			__y->__parent_ = __x->__parent_;
	if (_VSTD::__tree_is_left_child(__x))			if (_VSTD::__tree_is_left_child(__x))
	__x->__parent_->__left_ = __y;			__x->__parent_->__left_ = __y;
	else			else
	__x->__parent_unsafe()->__right_ = __y;			__x->__parent_unsafe()->__right_ = __y;
	__y->__left_ = __x;			__y->__left_ = __x;
	__x->__set_parent(__y);			__x->__set_parent(__y);
	}			}

	// Effects: Makes __x->__left_ the subtree root with __x as its right child			// Effects: Makes __x->__left_ the subtree root with __x as its right child
	// while preserving in-order order.			// while preserving in-order order.
	template <class _NodePtr>			template <class _NodePtr>
	_LIBCPP_HIDE_FROM_ABI void			_LIBCPP_HIDE_FROM_ABI void
	__tree_right_rotate(_NodePtr __x) _NOEXCEPT			__tree_right_rotate(_NodePtr __x) _NOEXCEPT
	{			{
	_LIBCPP_ASSERT_UNCATEGORIZED(__x != nullptr, "node shouldn't be null");			_LIBCPP_ASSERT_INTERNAL(__x != nullptr, "node shouldn't be null");
	_LIBCPP_ASSERT_UNCATEGORIZED(__x->__left_ != nullptr, "node should have a left child");			_LIBCPP_ASSERT_INTERNAL(__x->__left_ != nullptr, "node should have a left child");
	_NodePtr __y = __x->__left_;			_NodePtr __y = __x->__left_;
	__x->__left_ = __y->__right_;			__x->__left_ = __y->__right_;
	if (__x->__left_ != nullptr)			if (__x->__left_ != nullptr)
	__x->__left_->__set_parent(__x);			__x->__left_->__set_parent(__x);
	__y->__parent_ = __x->__parent_;			__y->__parent_ = __x->__parent_;
	if (_VSTD::__tree_is_left_child(__x))			if (_VSTD::__tree_is_left_child(__x))
	__x->__parent_->__left_ = __y;			__x->__parent_->__left_ = __y;
	else			else
	__x->__parent_unsafe()->__right_ = __y;			__x->__parent_unsafe()->__right_ = __y;
	__y->__right_ = __x;			__y->__right_ = __x;
	__x->__set_parent(__y);			__x->__set_parent(__y);
	}			}

	// Effects: Rebalances __root after attaching __x to a leaf.			// Effects: Rebalances __root after attaching __x to a leaf.
	// Precondition: __x has no children.			// Precondition: __x has no children.
	// __x == __root or == a direct or indirect child of __root.			// __x == __root or == a direct or indirect child of __root.
	// If __x were to be unlinked from __root (setting __root to			// If __x were to be unlinked from __root (setting __root to
	// nullptr if __root == __x), __tree_invariant(__root) == true.			// nullptr if __root == __x), __tree_invariant(__root) == true.
	// Postcondition: __tree_invariant(end_node->__left_) == true. end_node->__left_			// Postcondition: __tree_invariant(end_node->__left_) == true. end_node->__left_
	// may be different than the value passed in as __root.			// may be different than the value passed in as __root.
	template <class _NodePtr>			template <class _NodePtr>
	_LIBCPP_HIDE_FROM_ABI void			_LIBCPP_HIDE_FROM_ABI void
	__tree_balance_after_insert(_NodePtr __root, _NodePtr __x) _NOEXCEPT			__tree_balance_after_insert(_NodePtr __root, _NodePtr __x) _NOEXCEPT
	{			{
	_LIBCPP_ASSERT_UNCATEGORIZED(__root != nullptr, "Root of the tree shouldn't be null");			_LIBCPP_ASSERT_INTERNAL(__root != nullptr, "Root of the tree shouldn't be null");
	_LIBCPP_ASSERT_UNCATEGORIZED(__x != nullptr, "Can't attach null node to a leaf");			_LIBCPP_ASSERT_INTERNAL(__x != nullptr, "Can't attach null node to a leaf");
	__x->__is_black_ = __x == __root;			__x->__is_black_ = __x == __root;
	while (__x != __root && !__x->__parent_unsafe()->__is_black_)			while (__x != __root && !__x->__parent_unsafe()->__is_black_)
	{			{
	// __x->__parent_ != __root because __x->__parent_->__is_black == false			// __x->__parent_ != __root because __x->__parent_->__is_black == false
	if (_VSTD::__tree_is_left_child(__x->__parent_unsafe()))			if (_VSTD::__tree_is_left_child(__x->__parent_unsafe()))
	{			{
	_NodePtr __y = __x->__parent_unsafe()->__parent_unsafe()->__right_;			_NodePtr __y = __x->__parent_unsafe()->__parent_unsafe()->__right_;
	if (__y != nullptr && !__y->__is_black_)			if (__y != nullptr && !__y->__is_black_)
	▲ Show 20 Lines • Show All 52 Lines • ▼ Show 20 Lines
	// Effects: unlinks __z from the tree rooted at __root, rebalancing as needed.			// Effects: unlinks __z from the tree rooted at __root, rebalancing as needed.
	// Postcondition: __tree_invariant(end_node->__left_) == true && end_node->__left_			// Postcondition: __tree_invariant(end_node->__left_) == true && end_node->__left_
	// nor any of its children refer to __z. end_node->__left_			// nor any of its children refer to __z. end_node->__left_
	// may be different than the value passed in as __root.			// may be different than the value passed in as __root.
	template <class _NodePtr>			template <class _NodePtr>
	_LIBCPP_HIDE_FROM_ABI void			_LIBCPP_HIDE_FROM_ABI void
	__tree_remove(_NodePtr __root, _NodePtr __z) _NOEXCEPT			__tree_remove(_NodePtr __root, _NodePtr __z) _NOEXCEPT
	{			{
	_LIBCPP_ASSERT_UNCATEGORIZED(__root != nullptr, "Root node should not be null");			_LIBCPP_ASSERT_INTERNAL(__root != nullptr, "Root node should not be null");
	_LIBCPP_ASSERT_UNCATEGORIZED(__z != nullptr, "The node to remove should not be null");			_LIBCPP_ASSERT_INTERNAL(__z != nullptr, "The node to remove should not be null");
	_LIBCPP_ASSERT_INTERNAL(std::__tree_invariant(__root), "The tree invariants should hold");			_LIBCPP_ASSERT_INTERNAL(std::__tree_invariant(__root), "The tree invariants should hold");
	// __z will be removed from the tree. Client still needs to destruct/deallocate it			// __z will be removed from the tree. Client still needs to destruct/deallocate it
	// __y is either __z, or if __z has two children, __tree_next(__z).			// __y is either __z, or if __z has two children, __tree_next(__z).
	// __y will have at most one child.			// __y will have at most one child.
	// __y will be the initial hole in the tree (make the hole at a leaf)			// __y will be the initial hole in the tree (make the hole at a leaf)
	_NodePtr __y = (__z->__left_ == nullptr \|\| __z->__right_ == nullptr) ?			_NodePtr __y = (__z->__left_ == nullptr \|\| __z->__right_ == nullptr) ?
	__z : _VSTD::__tree_next(__z);			__z : _VSTD::__tree_next(__z);
	// __x is __y's possibly null single child			// __x is __y's possibly null single child
	▲ Show 20 Lines • Show All 2,370 Lines • Show Last 20 Lines

libcxx/src/string.cpp

	Show First 20 Lines • Show All 340 Lines • ▼ Show 20 Lines
	template <typename S, typename V>			template <typename S, typename V>
	S i_to_string(V v) {			S i_to_string(V v) {
	// numeric_limits::digits10 returns value less on 1 than desired for unsigned numbers.			// numeric_limits::digits10 returns value less on 1 than desired for unsigned numbers.
	// For example, for 1-byte unsigned value digits10 is 2 (999 can not be represented),			// For example, for 1-byte unsigned value digits10 is 2 (999 can not be represented),
	// so we need +1 here.			// so we need +1 here.
	constexpr size_t bufsize = numeric_limits<V>::digits10 + 2; // +1 for minus, +1 for digits10			constexpr size_t bufsize = numeric_limits<V>::digits10 + 2; // +1 for minus, +1 for digits10
	char buf[bufsize];			char buf[bufsize];
	const auto res = to_chars(buf, buf + bufsize, v);			const auto res = to_chars(buf, buf + bufsize, v);
	_LIBCPP_ASSERT_UNCATEGORIZED(res.ec == errc(), "bufsize must be large enough to accomodate the value");			_LIBCPP_ASSERT_INTERNAL(res.ec == errc(), "bufsize must be large enough to accomodate the value");
	return S(buf, res.ptr);			return S(buf, res.ptr);
	}			}

	} // unnamed namespace			} // unnamed namespace

	string to_string (int val) { return i_to_string< string>(val); }			string to_string (int val) { return i_to_string< string>(val); }
	string to_string (long val) { return i_to_string< string>(val); }			string to_string (long val) { return i_to_string< string>(val); }
	string to_string (long long val) { return i_to_string< string>(val); }			string to_string (long long val) { return i_to_string< string>(val); }
	Show All 24 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[libc++][hardening] Categorize more assertions.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 543704

libcxx/include/__config

libcxx/include/__hash_table

libcxx/include/__node_handle

libcxx/include/__stop_token/intrusive_list_view.h

libcxx/include/__string/char_traits.h

libcxx/include/__tree

libcxx/src/string.cpp

[libc++][hardening] Categorize more assertions.
ClosedPublic