This is an archive of the discontinued LLVM Phabricator instance.

Add a test for vcall on a null ptr.
ClosedPublic

Authored by krasin on Nov 11 2016, 1:03 PM.

Download Raw Diff

Details

Reviewers

Commits

rG694c28495abb: Add a test for vcall on a null ptr.
rCRT287578: Add a test for vcall on a null ptr.
rL287578: Add a test for vcall on a null ptr.

Summary

Turns out that in the case of -fsanitize=null and a virtual call,
the type check was generated *after* reading from vtable, which
causes a non-interpretable segfault. The check has been moved up
in https://reviews.llvm.org/D26559 and this CL adds a test for this case.

Diff Detail

Build Status

Buildable 1419
Build 1419: arc lint + arc unit

Event Timeline

krasin updated this revision to Diff 77661.Nov 11 2016, 1:03 PM

krasin retitled this revision from to Add a test for vcall on a null ptr..

krasin updated this object.

Herald added a subscriber: kubamracek. · View Herald TranscriptNov 11 2016, 1:03 PM

krasin updated this object.Nov 11 2016, 1:04 PM

krasin added a reviewer: pcc.

pcc added a subscriber: cfe-commits.Nov 11 2016, 1:19 PM

sync

pcc added inline comments.Nov 17 2016, 5:43 PM

test/ubsan/TestCases/TypeCheck/null.cpp
1–8	Why add the -g?
10	Is this #include needed?
29	Did you intend to add tests for these cases?

sync & address the comments.

test/ubsan/TestCases/TypeCheck/null.cpp
1–8	It's a debug left over. Thank you for the catch.
10	Debug leftover. Removed. Thank you for spotting this.
29	Actually, the real reason for adding these is that break_optimization didn't really fool the compiler, and I had to add some more logic to avoid letting it know that the pointer is always null => it's undefined behavior. In my case, I saw my return being ignored and two switch statements executed together. I can't currently reproduce it now, most likely, because the fix has eliminated the virtual call on a pointer that is guaranteed to be null. So, I have removed these as well as break_optimization calls.

Ping.

LGTM

This revision is now accepted and ready to land.Nov 21 2016, 12:53 PM

krasin closed this revision.Nov 21 2016, 1:33 PM

Revision Contents

Path

Size

test/

ubsan/

TestCases/

TypeCheck/

null.cpp

32 lines

Diff 78557

test/ubsan/TestCases/TypeCheck/null.cpp

	// RUN: %clangxx -fsanitize=null %s -O3 -o %t			// RUN: %clangxx -fsanitize=null -fno-sanitize-recover=null %s -O3 -o %t
	// RUN: %run %t l 2>&1 \| FileCheck %s --check-prefix=CHECK-LOAD			// RUN: not %run %t l 2>&1 \| FileCheck %s --check-prefix=CHECK-LOAD
	// RUN: %expect_crash %run %t s 2>&1 \| FileCheck %s --check-prefix=CHECK-STORE			// RUN: not %run %t s 2>&1 \| FileCheck %s --check-prefix=CHECK-STORE
	// RUN: %run %t r 2>&1 \| FileCheck %s --check-prefix=CHECK-REFERENCE			// RUN: not %run %t r 2>&1 \| FileCheck %s --check-prefix=CHECK-REFERENCE
	// RUN: %run %t m 2>&1 \| FileCheck %s --check-prefix=CHECK-MEMBER			// RUN: not %run %t m 2>&1 \| FileCheck %s --check-prefix=CHECK-MEMBER
	// RUN: %run %t f 2>&1 \| FileCheck %s --check-prefix=CHECK-MEMFUN			// RUN: not %run %t f 2>&1 \| FileCheck %s --check-prefix=CHECK-MEMFUN
				// RUN: not %run %t t 2>&1 \| FileCheck %s --check-prefix=CHECK-VCALL
				// RUN: not %run %t u 2>&1 \| FileCheck %s --check-prefix=CHECK-VCALL2
				pccUnsubmitted Not Done Reply Inline Actions Why add the -g? pcc: Why add the -g?
				krasinAuthorUnsubmitted Not Done Reply Inline Actions It's a debug left over. Thank you for the catch. krasin: It's a debug left over. Thank you for the catch.

	struct S {			struct S {
				pccUnsubmitted Not Done Reply Inline Actions Is this #include needed? pcc: Is this #include needed?
				krasinAuthorUnsubmitted Not Done Reply Inline Actions Debug leftover. Removed. Thank you for spotting this. krasin: Debug leftover. Removed. Thank you for spotting this.
	int f() { return 0; }			int f() { return 0; }
	int k;			int k;
	};			};

				struct T {
				virtual int v() { return 1; }
				};

				struct U : T {
				virtual int v() { return 2; }
				};

	int main(int, char **argv) {			int main(int, char **argv) {
	int *p = 0;			int *p = 0;
	S *s = 0;			S *s = 0;
				T *t = 0;
				U *u = 0;

	(void)*p; // ok!			(void)*p; // ok!
				pccUnsubmitted Not Done Reply Inline Actions Did you intend to add tests for these cases? pcc: Did you intend to add tests for these cases?
				krasinAuthorUnsubmitted Not Done Reply Inline Actions Actually, the real reason for adding these is that break_optimization didn't really fool the compiler, and I had to add some more logic to avoid letting it know that the pointer is always null => it's undefined behavior. In my case, I saw my return being ignored and two switch statements executed together. I can't currently reproduce it now, most likely, because the fix has eliminated the virtual call on a pointer that is guaranteed to be null. So, I have removed these as well as break_optimization calls. krasin: Actually, the real reason for adding these is that break_optimization didn't really fool the…
				(void)*t; // ok!
				(void)*u; // ok!

	switch (argv[1][0]) {			switch (argv[1][0]) {
	case 'l':			case 'l':
	// CHECK-LOAD: null.cpp:[[@LINE+1]]:12: runtime error: load of null pointer of type 'int'			// CHECK-LOAD: null.cpp:[[@LINE+1]]:12: runtime error: load of null pointer of type 'int'
	return *p;			return *p;
	case 's':			case 's':
	// CHECK-STORE: null.cpp:[[@LINE+1]]:5: runtime error: store to null pointer of type 'int'			// CHECK-STORE: null.cpp:[[@LINE+1]]:5: runtime error: store to null pointer of type 'int'
	*p = 1;			*p = 1;
	break;			break;
	case 'r':			case 'r':
	// CHECK-REFERENCE: null.cpp:[[@LINE+1]]:15: runtime error: reference binding to null pointer of type 'int'			// CHECK-REFERENCE: null.cpp:[[@LINE+1]]:15: runtime error: reference binding to null pointer of type 'int'
	{int &r = *p;}			{int &r = *p;}
	break;			break;
	case 'm':			case 'm':
	// CHECK-MEMBER: null.cpp:[[@LINE+1]]:15: runtime error: member access within null pointer of type 'S'			// CHECK-MEMBER: null.cpp:[[@LINE+1]]:15: runtime error: member access within null pointer of type 'S'
	return s->k;			return s->k;
	case 'f':			case 'f':
	// CHECK-MEMFUN: null.cpp:[[@LINE+1]]:15: runtime error: member call on null pointer of type 'S'			// CHECK-MEMFUN: null.cpp:[[@LINE+1]]:15: runtime error: member call on null pointer of type 'S'
	return s->f();			return s->f();
				case 't':
				// CHECK-VCALL: null.cpp:[[@LINE+1]]:15: runtime error: member call on null pointer of type 'T'
				return t->v();
				case 'u':
				// CHECK-VCALL2: null.cpp:[[@LINE+1]]:15: runtime error: member call on null pointer of type 'U'
				return u->v();
	}			}
	}			}