This is an archive of the discontinued LLVM Phabricator instance.

Differential D25199

[ubsan] Sanitize deleted pointers
Needs ReviewPublic

Authored by gingell on Oct 3 2016, 10:58 AM.

Details

Reviewers
kcc
pcc
cfe-commits
rsmith
Summary

This patch adds a "value-after-delete" sanitizer, which will
invalidate the value of a pointer passed in a delete expression.

For instance, when -fsanitize=value-after-delete is passed:

int *foo = new int;
delete foo;
// foo == 0xDEADBEEFDEADBEEF

This is intended to help catch some use-after-free problems by
ensuring access through a deleted pointer fails immediately on
an address should be obviously suspicious when inspected in the
debugger. The expectation is immediately invalidating dangling
pointers can help uncover latent bugs that might otherwise cause
more subtle problems further down the line.

Diff Detail

Event Timeline

gingell updated this revision to Diff 73302.Oct 3 2016, 10:58 AM
gingell retitled this revision from to [ubsan] Sanitize deleted pointers .
gingell updated this object.
gingell added reviewers: cfe-commits, kcc.
vsk added a subscriber: vsk.Oct 3 2016, 11:24 AM

It looks like programs which trip -fsanitize-value-after-delete will just crash without further reporting, which isn't in keeping with the way other ubsan checks are implemented.

IMO, address sanitizer is better-equipped to diagnose this issue.

kcc added a reviewer: pcc.Oct 3 2016, 2:37 PM
In D25199#559407, @vsk wrote:

It looks like programs which trip -fsanitize-value-after-delete will just crash without further reporting, which isn't in keeping with the way other ubsan checks are implemented.

IMO, address sanitizer is better-equipped to diagnose this issue.

of course, but asan's overhead is much greater.
This tool might be fast enough to be always on in production.

The code looks reasonable to me, but as I am not too familiar with clang code, so asking pcc@ to have a look.

Also, please

  • update the ubsan documentation
  • add a runnable test to compiler-rt/test/ubsan
kcc added a comment.Oct 3 2016, 2:40 PM

will just crash without further reporting

I agree, and we can address that by having special logic in ubsan's segv handler.
This does not have to be in this patch.

Also, I am not sure about the actual constant.
DEADBEEF is commonly recognized poison valued, but on a 32-bit system it may actually be a valid pointer.

vsk added a comment.Oct 3 2016, 2:52 PM
In D25199#559797, @kcc wrote:

will just crash without further reporting

I agree, and we can address that by having special logic in ubsan's segv handler.
This does not have to be in this patch.

@kcc Is it safe to add a handler for segv and continue program execution as normal? I'm asking because I haven't tried that before, and am guessing you have experience with this from working on asan.

If there is a safe and portable way to call a ubsan diagnostic handler after hitting this error, then I agree that it would be very valuable.

One more thing to consider: how will we support -fsanitize-trap=value-after-delete?

lib/CodeGen/CGExprScalar.cpp
413

This is typically done by placing a call to e.g CGF.EmitValueAfterDeleteCheck, and then having an early return in EmitValueAfterDeleteCheck if the sanitizer isn't enabled.

414

Variables are usually capitalized.

418

This is missing a negative test.

test/CodeGenCXX/sanitize-value-after-delete.cpp
2

Why are the '-O3' and '-disable-llvm-optzns' flags needed here?

pcc added a reviewer: rsmith.Oct 3 2016, 2:59 PM

It seems to me that this sanitizer would break the semantics of otherwise well-defined programs. For example:

int *x = nullptr;
delete x;
if (x != nullptr) {
  // normally unreachable
}

It may be that a null comparison would be enough to avoid the semantics break, but I am not certain of this. Richard, what do you think?

vsk added a comment.Oct 3 2016, 3:06 PM
In D25199#559849, @pcc wrote:

It seems to me that this sanitizer would break the semantics of otherwise well-defined programs. For example:

int *x = nullptr;
delete x;
if (x != nullptr) {
  // normally unreachable
}

It may be that a null comparison would be enough to avoid the semantics break, but I am not certain of this.

Maybe we could call this -fpoison-dangling-ptrs and force users to be more explicit about opting into this behavior change. That would remove some of the constraints usually placed on new sanitizer checks (e.g support for executing after the error triggers, support for custom trap functions).

kcc added a comment.Oct 3 2016, 4:52 PM

Maybe we could call this -fpoison-dangling-ptrs and force users to be more explicit about opting into this behavior change. That would remove some of the constraints usually placed on new sanitizer checks (e.g support for executing after the error triggers, support for custom trap functions).

What's wrong with -fsanitize=SOMETHING? (the exact value of SOMETHING is debatable)

@kcc Is it safe to add a handler for segv and continue program execution as normal? I'm asking because I haven't tried that before, and am guessing you have experience with this from working on asan.

Not sure I understand your question.
We can add an optional SEGV handler to ubsan that will see the address on which we failed, and say something like "faulty address is close to 0xDEADBEEF, use of dangling pointer suspected. <STACK_TRACE>"
Then exit.

One more thing to consider: how will we support -fsanitize-trap=value-after-delete?

This will essentially only have the trap mode, it will not support -fsanitize-recover

include/clang/Basic/Sanitizers.def
105

Agree with Peter's concern -- it may break rare valid cases, so it should not be in this group.
We already have unsigned-integer-overflow that will also break valid code, so it's fine to have a second case like that.

vsk added a comment.Oct 3 2016, 5:14 PM
In D25199#560023, @kcc wrote:

Maybe we could call this -fpoison-dangling-ptrs and force users to be more explicit about opting into this behavior change. That would remove some of the constraints usually placed on new sanitizer checks (e.g support for executing after the error triggers, support for custom trap functions).

What's wrong with -fsanitize=SOMETHING? (the exact value of SOMETHING is debatable)

My concern is that using -fsanitize=something could confuse users who expect support for -fsanitize-trap-function=custom_func or -fsanitize-recover=something. But it's a minor concern. I am fine with -fsanitize=something if we leave it out of the default -fsanitize=undefined checks.

@kcc Is it safe to add a handler for segv and continue program execution as normal? I'm asking because I haven't tried that before, and am guessing you have experience with this from working on asan.

Not sure I understand your question.
We can add an optional SEGV handler to ubsan that will see the address on which we failed, and say something like "faulty address is close to 0xDEADBEEF, use of dangling pointer suspected. <STACK_TRACE>"
Then exit.

My question was about whether it's possible to resume normal program execution after printing the stack trace from the segv handler. I had assumed this is not possible, and (mistakenly) thought that you were suggesting this approach.

One more thing to consider: how will we support -fsanitize-trap=value-after-delete?

This will essentially only have the trap mode, it will not support -fsanitize-recover

OK.

filcab added a subscriber: filcab.Oct 4 2016, 8:25 AM
In D25199#560061, @vsk wrote:

My question was about whether it's possible to resume normal program execution after printing the stack trace from the segv handler. I had assumed this is not possible, and (mistakenly) thought that you were suggesting this approach.

I guess we can eventually add a warning if you have this check + trap-function. If there's really a need for it.

docs/UndefinedBehaviorSanitizer.rst
122

Why just delete and not free()?

lib/CodeGen/CGExprScalar.cpp
416

Missing a test for this condition.

test/CodeGenCXX/sanitize-value-after-delete.cpp
2

Please keep the test simple. You don't even need C++11 (in addition to the flags vsk mentioned).

22

Why?

Revision Contents

PathSize
docs/
2 lines
include/
clang/
Basic/
7 lines
Driver/
3 lines
lib/
CodeGen/
17 lines
test/
CodeGenCXX/
24 lines
Driver/
18 lines

Diff 73302

docs/UndefinedBehaviorSanitizer.rst

Show First 20 LinesShow All 112 Lines▼ Show 20 Lines - ``-fsanitize=shift``: Shift operators where the amount shifted is
right-hand side of shift operation, respectively. right-hand side of shift operation, respectively.
- ``-fsanitize=signed-integer-overflow``: Signed integer overflow, - ``-fsanitize=signed-integer-overflow``: Signed integer overflow,
including all the checks added by ``-ftrapv``, and checking for including all the checks added by ``-ftrapv``, and checking for
overflow in signed division (``INT_MIN / -1``). overflow in signed division (``INT_MIN / -1``).
- ``-fsanitize=unreachable``: If control flow reaches - ``-fsanitize=unreachable``: If control flow reaches
``__builtin_unreachable``. ``__builtin_unreachable``.
- ``-fsanitize=unsigned-integer-overflow``: Unsigned integer - ``-fsanitize=unsigned-integer-overflow``: Unsigned integer
overflows. overflows.
- ``-fsanitize=value-after-delete``: Set the value of the pointer
passed in a delete expression to 0xDEADBEEF.
filcabUnsubmitted
Not Done
ReplyInline Actions

Why just delete and not free()?

filcab: Why just `delete` and not `free()`?
- ``-fsanitize=vla-bound``: A variable-length array whose bound - ``-fsanitize=vla-bound``: A variable-length array whose bound
does not evaluate to a positive value. does not evaluate to a positive value.
- ``-fsanitize=vptr``: Use of an object whose vptr indicates that - ``-fsanitize=vptr``: Use of an object whose vptr indicates that
it is of the wrong dynamic type, or that its lifetime has not it is of the wrong dynamic type, or that its lifetime has not
begun or has ended. Incompatible with ``-fno-rtti``. Link must begun or has ended. Incompatible with ``-fno-rtti``. Link must
be performed by ``clang++``, not ``clang``, to make sure C++-specific be performed by ``clang++``, not ``clang``, to make sure C++-specific
parts of the runtime library and C++ standard libraries are present. parts of the runtime library and C++ standard libraries are present.
▲ Show 20 LinesShow All 131 LinesShow Last 20 Lines

include/clang/Basic/Sanitizers.def

Show First 20 LinesShow All 66 Lines▼ Show 20 Lines
SANITIZER("object-size", ObjectSize) SANITIZER("object-size", ObjectSize)
SANITIZER("return", Return) SANITIZER("return", Return)
SANITIZER("returns-nonnull-attribute", ReturnsNonnullAttribute) SANITIZER("returns-nonnull-attribute", ReturnsNonnullAttribute)
SANITIZER("shift-base", ShiftBase) SANITIZER("shift-base", ShiftBase)
SANITIZER("shift-exponent", ShiftExponent) SANITIZER("shift-exponent", ShiftExponent)
SANITIZER_GROUP("shift", Shift, ShiftBase | ShiftExponent) SANITIZER_GROUP("shift", Shift, ShiftBase | ShiftExponent)
SANITIZER("signed-integer-overflow", SignedIntegerOverflow) SANITIZER("signed-integer-overflow", SignedIntegerOverflow)
SANITIZER("unreachable", Unreachable) SANITIZER("unreachable", Unreachable)
SANITIZER("value-after-delete", ValueAfterDelete)
SANITIZER("vla-bound", VLABound) SANITIZER("vla-bound", VLABound)
SANITIZER("vptr", Vptr) SANITIZER("vptr", Vptr)
// IntegerSanitizer // IntegerSanitizer
SANITIZER("unsigned-integer-overflow", UnsignedIntegerOverflow) SANITIZER("unsigned-integer-overflow", UnsignedIntegerOverflow)
// DataFlowSanitizer // DataFlowSanitizer
SANITIZER("dataflow", DataFlow) SANITIZER("dataflow", DataFlow)
Show All 12 Lines
// Safe Stack // Safe Stack
SANITIZER("safe-stack", SafeStack) SANITIZER("safe-stack", SafeStack)
// -fsanitize=undefined includes all the sanitizers which have low overhead, no // -fsanitize=undefined includes all the sanitizers which have low overhead, no
// ABI or address space layout implications, and only catch undefined behavior. // ABI or address space layout implications, and only catch undefined behavior.
SANITIZER_GROUP("undefined", Undefined, SANITIZER_GROUP("undefined", Undefined,
Alignment | Bool | ArrayBounds | Enum | FloatCastOverflow | Alignment | Bool | ArrayBounds | Enum | FloatCastOverflow |
FloatDivideByZero | IntegerDivideByZero | NonnullAttribute | FloatDivideByZero | IntegerDivideByZero | NonnullAttribute |
Null | ObjectSize | Return | ReturnsNonnullAttribute | Null | ObjectSize | Return | ReturnsNonnullAttribute | Shift |
Shift | SignedIntegerOverflow | Unreachable | VLABound | SignedIntegerOverflow | ValueAfterDelete | VLABound |
kccUnsubmitted
Not Done
ReplyInline Actions

Agree with Peter's concern -- it may break rare valid cases, so it should not be in this group.
We already have unsigned-integer-overflow that will also break valid code, so it's fine to have a second case like that.

kcc: Agree with Peter's concern -- it may break rare valid cases, so it should not be in this group.
Function | Vptr) Unreachable | Function | Vptr)
// -fsanitize=undefined-trap is an alias for -fsanitize=undefined. // -fsanitize=undefined-trap is an alias for -fsanitize=undefined.
SANITIZER_GROUP("undefined-trap", UndefinedTrap, Undefined) SANITIZER_GROUP("undefined-trap", UndefinedTrap, Undefined)
SANITIZER_GROUP("integer", Integer, SANITIZER_GROUP("integer", Integer,
SignedIntegerOverflow | UnsignedIntegerOverflow | Shift | SignedIntegerOverflow | UnsignedIntegerOverflow | Shift |
IntegerDivideByZero) IntegerDivideByZero)
Show All 16 Lines

include/clang/Driver/Options.td

Show First 20 LinesShow All 681 Lines▼ Show 20 Linesdef fsanitize_memory_use_after_dtor : Flag<["-"], "fsanitize-memory-use-after-dtor">,
Group<f_clang_Group>, Flags<[CC1Option]>, Group<f_clang_Group>, Flags<[CC1Option]>,
HelpText<"Enable use-after-destroy detection in MemorySanitizer">; HelpText<"Enable use-after-destroy detection in MemorySanitizer">;
def fsanitize_address_field_padding : Joined<["-"], "fsanitize-address-field-padding=">, def fsanitize_address_field_padding : Joined<["-"], "fsanitize-address-field-padding=">,
Group<f_clang_Group>, Flags<[CC1Option]>, Group<f_clang_Group>, Flags<[CC1Option]>,
HelpText<"Level of field padding for AddressSanitizer">; HelpText<"Level of field padding for AddressSanitizer">;
def fsanitize_address_use_after_scope : Flag<["-"], "fsanitize-address-use-after-scope">, def fsanitize_address_use_after_scope : Flag<["-"], "fsanitize-address-use-after-scope">,
Group<f_clang_Group>, Flags<[CC1Option]>, Group<f_clang_Group>, Flags<[CC1Option]>,
HelpText<"Enable use-after-scope detection in AddressSanitizer">; HelpText<"Enable use-after-scope detection in AddressSanitizer">;
def fsanitize_value_after_delete : Flag<["-"], "fsanitize-value-after-delete">,
Group<f_clang_Group>, Flags<[CC1Option]>,
HelpText<"Set the value of a deleted pointer to 0xDEADBEEF">;
def fsanitize_recover : Flag<["-"], "fsanitize-recover">, Group<f_clang_Group>, def fsanitize_recover : Flag<["-"], "fsanitize-recover">, Group<f_clang_Group>,
Flags<[CoreOption]>; Flags<[CoreOption]>;
def fno_sanitize_recover : Flag<["-"], "fno-sanitize-recover">, def fno_sanitize_recover : Flag<["-"], "fno-sanitize-recover">,
Group<f_clang_Group>, Flags<[CoreOption]>; Group<f_clang_Group>, Flags<[CoreOption]>;
def fsanitize_recover_EQ : CommaJoined<["-"], "fsanitize-recover=">, def fsanitize_recover_EQ : CommaJoined<["-"], "fsanitize-recover=">,
Group<f_clang_Group>, Group<f_clang_Group>,
Flags<[CC1Option, CoreOption]>, Flags<[CC1Option, CoreOption]>,
HelpText<"Enable recovery for specified sanitizers">; HelpText<"Enable recovery for specified sanitizers">;
▲ Show 20 LinesShow All 1,637 LinesShow Last 20 Lines

lib/CodeGen/CGExprScalar.cpp

Show First 20 LinesShow All 402 Lines▼ Show 20 Lines Value *VisitExprWithCleanups(ExprWithCleanups *E) {
CodeGenFunction::RunCleanupsScope Scope(CGF); CodeGenFunction::RunCleanupsScope Scope(CGF);
return Visit(E->getSubExpr()); return Visit(E->getSubExpr());
} }
Value *VisitCXXNewExpr(const CXXNewExpr *E) { Value *VisitCXXNewExpr(const CXXNewExpr *E) {
return CGF.EmitCXXNewExpr(E); return CGF.EmitCXXNewExpr(E);
} }
Value *VisitCXXDeleteExpr(const CXXDeleteExpr *E) { Value *VisitCXXDeleteExpr(const CXXDeleteExpr *E) {
CGF.EmitCXXDeleteExpr(E); CGF.EmitCXXDeleteExpr(E);
// If the value after delete sanitize is enabled then set the
// value of the deleted pointer to an invalid debug constant.
if (CGF.SanOpts.has(SanitizerKind::ValueAfterDelete)) {
vskUnsubmitted
Not Done
ReplyInline Actions

This is typically done by placing a call to e.g CGF.EmitValueAfterDeleteCheck, and then having an early return in EmitValueAfterDeleteCheck if the sanitizer isn't enabled.

vsk: This is typically done by placing a call to e.g `CGF.EmitValueAfterDeleteCheck`, and then…
const Expr *arg = E->getArgument();
vskUnsubmitted
Not Done
ReplyInline Actions

Variables are usually capitalized.

vsk: Variables are usually capitalized.
if (arg->IgnoreImplicit()->isLValue() &&
!arg->HasSideEffects(CGF.getContext())) {
filcabUnsubmitted
Not Done
ReplyInline Actions

Missing a test for this condition.

filcab: Missing a test for this condition.
LValue LHS = EmitLValue(arg);
if (!LHS.isVolatile()) {
vskUnsubmitted
Not Done
ReplyInline Actions

This is missing a negative test.

vsk: This is missing a negative test.
const unsigned width = CGF.getTarget().getMaxPointerWidth();
Value *valueAfterDelete = Builder.getInt(
llvm::APInt(width, 0xDEADBEEFDEADBEEF));
llvm::Value *RHS = Builder.CreateIntToPtr(
valueAfterDelete, ConvertType(LHS.getType()), "conv");
CGF.EmitStoreThroughLValue(RValue::get(RHS), LHS);
}
}
}
return nullptr; return nullptr;
} }
Value *VisitTypeTraitExpr(const TypeTraitExpr *E) { Value *VisitTypeTraitExpr(const TypeTraitExpr *E) {
return llvm::ConstantInt::get(ConvertType(E->getType()), E->getValue()); return llvm::ConstantInt::get(ConvertType(E->getType()), E->getValue());
} }
Value *VisitArrayTypeTraitExpr(const ArrayTypeTraitExpr *E) { Value *VisitArrayTypeTraitExpr(const ArrayTypeTraitExpr *E) {
▲ Show 20 LinesShow All 3,186 LinesShow Last 20 Lines

test/CodeGenCXX/sanitize-value-after-delete.cpp

// Test -fsanitize-value-after-delete
// RUN: %clang_cc1 -O3 -fsanitize=value-after-delete -disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | FileCheck %s
vskUnsubmitted
Not Done
ReplyInline Actions

Why are the '-O3' and '-disable-llvm-optzns' flags needed here?

vsk: Why are the '-O3' and '-disable-llvm-optzns' flags needed here?
filcabUnsubmitted
Not Done
ReplyInline Actions

Please keep the test simple. You don't even need C++11 (in addition to the flags vsk mentioned).

filcab: Please keep the test simple. You don't even need C++11 (in addition to the flags vsk mentioned).
int *f1() {
return new int;
}
void test() {
int *p1 = new int;
char *p2 = new char[1024];
delete p1;
delete[] p2;
DO_NOT_MODIFY:
delete f1();
}
// CHECK-LABEL: define void @_Z4testv()
// CHECK: store {{.*}} inttoptr (i64 -2401053088876216593 {{.*}} %p1
// CHECK: store {{.*}} inttoptr (i64 -2401053088876216593 {{.*}} %p2
// CHECK-NOT: store {{.*}} inttoptr (i64 -2401053088876216593 {{.*}} %p2
filcabUnsubmitted
Not Done
ReplyInline Actions

Why?

filcab: Why?
// CHECK-LABEL: DO_NOT_MODIFY
// CHECK-NOT: {{.*}} inttoptr (i64 -2401053088876216593 {{.*}}

test/Driver/fsanitize.c

// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-trap=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-trap=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-trap=undefined -fno-sanitize-trap=signed-integer-overflow %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP2 // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-trap=undefined -fno-sanitize-trap=signed-integer-overflow %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP2
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined-trap -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined-trap -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP
// RUN: %clang -target x86_64-linux-gnu -fsanitize-undefined-trap-on-error -fsanitize=undefined-trap %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize-undefined-trap-on-error -fsanitize=undefined-trap %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP
// CHECK-UNDEFINED-TRAP: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute|function),?){18}"}} // CHECK-UNDEFINED-TRAP: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|value-after-delete|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute|function),?){19}"}}
// CHECK-UNDEFINED-TRAP: "-fsanitize-trap=alignment,array-bounds,bool,enum,float-cast-overflow,float-divide-by-zero,function,integer-divide-by-zero,nonnull-attribute,null,object-size,return,returns-nonnull-attribute,shift-base,shift-exponent,signed-integer-overflow,unreachable,vla-bound" // CHECK-UNDEFINED-TRAP: "-fsanitize-trap=alignment,array-bounds,bool,enum,float-cast-overflow,float-divide-by-zero,function,integer-divide-by-zero,nonnull-attribute,null,object-size,return,returns-nonnull-attribute,shift-base,shift-exponent,signed-integer-overflow,unreachable,value-after-delete,vla-bound"
// CHECK-UNDEFINED-TRAP2: "-fsanitize-trap=alignment,array-bounds,bool,enum,float-cast-overflow,float-divide-by-zero,function,integer-divide-by-zero,nonnull-attribute,null,object-size,return,returns-nonnull-attribute,shift-base,shift-exponent,unreachable,vla-bound" // CHECK-UNDEFINED-TRAP2: "-fsanitize-trap=alignment,array-bounds,bool,enum,float-cast-overflow,float-divide-by-zero,function,integer-divide-by-zero,nonnull-attribute,null,object-size,return,returns-nonnull-attribute,shift-base,shift-exponent,unreachable,value-after-delete,vla-bound"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED
// CHECK-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|vptr|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){19}"}} // CHECK-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|unreachable|return|value-after-delete|vla-bound|alignment|null|vptr|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){20}"}}
// RUN: %clang -target x86_64-apple-darwin10 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-DARWIN // RUN: %clang -target x86_64-apple-darwin10 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-DARWIN
// CHECK-UNDEFINED-DARWIN: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){17}"}} // CHECK-UNDEFINED-DARWIN: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|value-after-delete|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){18}"}}
// RUN: %clang -target i386-unknown-openbsd -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-OPENBSD // RUN: %clang -target i386-unknown-openbsd -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-OPENBSD
// CHECK-UNDEFINED-OPENBSD: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){17}"}} // CHECK-UNDEFINED-OPENBSD: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|value-after-delete|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){18}"}}
// RUN: %clang -target i386-pc-win32 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN32 // RUN: %clang -target i386-pc-win32 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN32
// RUN: %clang -target i386-pc-win32 -fsanitize=undefined -x c++ %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN32 --check-prefix=CHECK-UNDEFINED-WIN-CXX // RUN: %clang -target i386-pc-win32 -fsanitize=undefined -x c++ %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN32 --check-prefix=CHECK-UNDEFINED-WIN-CXX
// RUN: %clang -target x86_64-pc-win32 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN64 // RUN: %clang -target x86_64-pc-win32 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN64
// RUN: %clang -target x86_64-pc-win32 -fsanitize=undefined -x c++ %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN64 --check-prefix=CHECK-UNDEFINED-WIN-CXX // RUN: %clang -target x86_64-pc-win32 -fsanitize=undefined -x c++ %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN64 --check-prefix=CHECK-UNDEFINED-WIN-CXX
// CHECK-UNDEFINED-WIN32: "--dependent-lib={{[^"]*}}ubsan_standalone-i386.lib" // CHECK-UNDEFINED-WIN32: "--dependent-lib={{[^"]*}}ubsan_standalone-i386.lib"
// CHECK-UNDEFINED-WIN64: "--dependent-lib={{[^"]*}}ubsan_standalone-x86_64.lib" // CHECK-UNDEFINED-WIN64: "--dependent-lib={{[^"]*}}ubsan_standalone-x86_64.lib"
// CHECK-UNDEFINED-WIN-CXX: "--dependent-lib={{[^"]*}}ubsan_standalone_cxx{{[^"]*}}.lib" // CHECK-UNDEFINED-WIN-CXX: "--dependent-lib={{[^"]*}}ubsan_standalone_cxx{{[^"]*}}.lib"
// CHECK-UNDEFINED-WIN-SAME: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){17}"}} // CHECK-UNDEFINED-WIN-SAME: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|value-after-delete|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){18}"}}
// RUN: %clang -target i386-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN32 // RUN: %clang -target i386-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN32
// CHECK-COVERAGE-WIN32: "--dependent-lib={{[^"]*}}ubsan_standalone-i386.lib" // CHECK-COVERAGE-WIN32: "--dependent-lib={{[^"]*}}ubsan_standalone-i386.lib"
// RUN: %clang -target x86_64-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN64 // RUN: %clang -target x86_64-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN64
// CHECK-COVERAGE-WIN64: "--dependent-lib={{[^"]*}}ubsan_standalone-x86_64.lib" // CHECK-COVERAGE-WIN64: "--dependent-lib={{[^"]*}}ubsan_standalone-x86_64.lib"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=integer %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTEGER // RUN: %clang -target x86_64-linux-gnu -fsanitize=integer %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTEGER
// CHECK-INTEGER: "-fsanitize={{((signed-integer-overflow|unsigned-integer-overflow|integer-divide-by-zero|shift-base|shift-exponent),?){5}"}} // CHECK-INTEGER: "-fsanitize={{((signed-integer-overflow|unsigned-integer-overflow|integer-divide-by-zero|shift-base|shift-exponent),?){5}"}}
// RUN: %clang -fsanitize=bounds -### -fsyntax-only %s 2>&1 | FileCheck %s --check-prefix=CHECK-BOUNDS // RUN: %clang -fsanitize=bounds -### -fsyntax-only %s 2>&1 | FileCheck %s --check-prefix=CHECK-BOUNDS
// CHECK-BOUNDS: "-fsanitize={{((array-bounds|local-bounds),?){2}"}} // CHECK-BOUNDS: "-fsanitize={{((array-bounds|local-bounds),?){2}"}}
// RUN: %clang -target x86_64-linux-gnu -fsanitize=all %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSANITIZE-ALL // RUN: %clang -target x86_64-linux-gnu -fsanitize=all %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSANITIZE-ALL
// CHECK-FSANITIZE-ALL: error: unsupported argument 'all' to option 'fsanitize=' // CHECK-FSANITIZE-ALL: error: unsupported argument 'all' to option 'fsanitize='
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address,undefined -fno-sanitize=all -fsanitize=thread %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FNO-SANITIZE-ALL // RUN: %clang -target x86_64-linux-gnu -fsanitize=address,undefined -fno-sanitize=all -fsanitize=thread %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FNO-SANITIZE-ALL
// CHECK-FNO-SANITIZE-ALL: "-fsanitize=thread" // CHECK-FNO-SANITIZE-ALL: "-fsanitize=thread"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=thread,undefined -fno-sanitize=thread -fno-sanitize=float-cast-overflow,vptr,bool,enum %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PARTIAL-UNDEFINED // RUN: %clang -target x86_64-linux-gnu -fsanitize=thread,undefined -fno-sanitize=thread -fno-sanitize=float-cast-overflow,vptr,bool,enum %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PARTIAL-UNDEFINED
// CHECK-PARTIAL-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|array-bounds|returns-nonnull-attribute|nonnull-attribute),?){15}"}} // CHECK-PARTIAL-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|unreachable|return|value-after-delete|vla-bound|alignment|null|object-size|array-bounds|returns-nonnull-attribute|nonnull-attribute),?){16}"}}
// RUN: %clang -target x86_64-linux-gnu -fsanitize=shift -fno-sanitize=shift-base %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSANITIZE-SHIFT-PARTIAL // RUN: %clang -target x86_64-linux-gnu -fsanitize=shift -fno-sanitize=shift-base %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSANITIZE-SHIFT-PARTIAL
// CHECK-FSANITIZE-SHIFT-PARTIAL: "-fsanitize=shift-exponent" // CHECK-FSANITIZE-SHIFT-PARTIAL: "-fsanitize=shift-exponent"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr -fsanitize-trap=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-TRAP-UNDEF // RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr -fsanitize-trap=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-TRAP-UNDEF
// RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-TRAP-UNDEF // RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-TRAP-UNDEF
// CHECK-VPTR-TRAP-UNDEF: error: invalid argument '-fsanitize=vptr' not allowed with '-fsanitize-trap=undefined' // CHECK-VPTR-TRAP-UNDEF: error: invalid argument '-fsanitize=vptr' not allowed with '-fsanitize-trap=undefined'
▲ Show 20 LinesShow All 141 Lines▼ Show 20 Lines
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover=all -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover=all -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover -fsanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover -fsanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=all -fsanitize-recover=thread -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=all -fsanitize-recover=thread -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover=all -fno-sanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover=all -fno-sanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN
// CHECK-RECOVER-UBSAN: "-fsanitize-recover={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|vla-bound|alignment|null|vptr|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){17}"}} // CHECK-RECOVER-UBSAN: "-fsanitize-recover={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|vla-bound|alignment|null|value-after-delete|vptr|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){18}"}}
// CHECK-NO-RECOVER-UBSAN-NOT: sanitize-recover // CHECK-NO-RECOVER-UBSAN-NOT: sanitize-recover
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=all -fsanitize-recover=object-size,shift-base -### 2>&1 | FileCheck %s --check-prefix=CHECK-PARTIAL-RECOVER // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=all -fsanitize-recover=object-size,shift-base -### 2>&1 | FileCheck %s --check-prefix=CHECK-PARTIAL-RECOVER
// CHECK-PARTIAL-RECOVER: "-fsanitize-recover={{((object-size|shift-base),?){2}"}} // CHECK-PARTIAL-RECOVER: "-fsanitize-recover={{((object-size|shift-base),?){2}"}}
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=address -fsanitize-recover=all -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-ASAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=address -fsanitize-recover=all -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-ASAN
// CHECK-RECOVER-ASAN: "-fsanitize-recover=address" // CHECK-RECOVER-ASAN: "-fsanitize-recover=address"
▲ Show 20 LinesShow All 218 LinesShow Last 20 Lines