This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/CodeGen/
-
CodeGen/
3/6
CGExpr.cpp
-
test/CodeGenObjC/
-
CodeGenObjC/
-
ubsan-bool.m

Differential D27607

[ubsan] Treat ObjC's BOOL as if its range is always {0, 1}
ClosedPublic

Authored by vsk on Dec 8 2016, 7:42 PM.

Download Raw Diff

Details

Reviewers

ahatanak
zaks.anna

Commits

rG4593a46cd92a: [ubsan] Treat ObjC's BOOL as if its range is always {0, 1}
rC289290: [ubsan] Treat ObjC's BOOL as if its range is always {0, 1}
rL289290: [ubsan] Treat ObjC's BOOL as if its range is always {0, 1}

Summary

On some Apple platforms, the ObjC BOOL type is defined as a signed char.
When performing instrumentation for -fsanitize=bool, we'd like to treat
the range of BOOL like it's always {0, 1}. While we can't change clang's
IRGen for char-backed BOOL's due to ABI compatibility concerns, we can
teach ubsan to catch potential abuses of this type.

rdar://problem/29502773

Diff Detail

Event Timeline

vsk updated this revision to Diff 80856.Dec 8 2016, 7:42 PM

vsk retitled this revision from to [ubsan] Treat ObjC's BOOL as if its range is always {0, 1}.

vsk updated this object.

vsk added a reviewer: ahatanak.

vsk added subscribers: kubamracek, cfe-commits.

arphaman added a subscriber: arphaman.Dec 9 2016, 4:19 AM

arphaman added inline comments.

lib/CodeGen/CGExpr.cpp
1224	LangOptions.ObjC1 should be always set if LangOptions.ObjC2 is set, so the second check is redundant I think.

zaks.anna added a subscriber: zaks.anna.Dec 9 2016, 11:26 AM

zaks.anna added inline comments.

lib/CodeGen/CGExpr.cpp
1222	Could you use the existing method for this? From NSAPI.h: // \brief Returns true if \param T is a typedef of "BOOL" in objective-c. bool isObjCBOOLType(QualType T) const;

ahatanak added inline comments.Dec 9 2016, 12:32 PM

lib/CodeGen/CGExpr.cpp
1221	If your intention is to exclude BOOLs defined in files that aren't system headers, is it possible to add a test for that? void foo() { typedef long long BOOL; ... }

Thanks for your feedback. I will updated the patch shortly.

lib/CodeGen/CGExpr.cpp
1221	Thinking about this some more, I think it's enough to check for an ObjC language mode, and that the system header check is unnecessary.
1222	Thanks, this is a lot better than rolling my own.
1224	Using NSAPI takes care of this.

Use NSAPI's 'is-BOOL' predicate.
Simplify test.

LGTM!

This revision is now accepted and ready to land.Dec 9 2016, 3:42 PM

Closed by commit rL289290: [ubsan] Treat ObjC's BOOL as if its range is always {0, 1} (authored by vedantk). · Explain WhyDec 9 2016, 3:58 PM

This revision was automatically updated to reflect the committed changes.

On platforms where BOOL == signed char, is it actually undefined behavior (or is it just bad programming practice) to store a value other than 0 or 1 in your BOOL? I can't find any language specs suggesting that it is, and given that it's just a typedef for a signed char, I don't see why it would be.

If it's not actually undefined behavior, could we make it controllable via a separate fsanitize switch (like we have for unsigned integer overflow, which is also potentially bad practice but not actually undefined behavior).

In D27607#901882, @fjricci wrote:

On platforms where BOOL == signed char, is it actually undefined behavior (or is it just bad programming practice) to store a value other than 0 or 1 in your BOOL? I can't find any language specs suggesting that it is, and given that it's just a typedef for a signed char, I don't see why it would be.

Treating BOOL as a regular 'signed char' creates bad interactions with bitfields. For example, this code calls panic:

struct S {
  BOOL b1 : 1;
};

S s;
s.b1 = YES;
if (s.b1 != YES)
  panic();

If it's not actually undefined behavior, could we make it controllable via a separate fsanitize switch (like we have for unsigned integer overflow, which is also potentially bad practice but not actually undefined behavior).

The only defined values for BOOL are 'YES' and 'NO' {1, 0}. We've documented that it's UB to load values outside of this range from a BOOL here:
https://developer.apple.com/documentation/code_diagnostics/undefined_behavior_sanitizer/invalid_boolean

Awesome, good to know. Thanks!

Revision Contents

Path

Size

lib/

CodeGen/

CGExpr.cpp

15 lines

test/

CodeGenObjC/

ubsan-bool.m

13 lines

Diff 80960

lib/CodeGen/CGExpr.cpp

Show All 18 Lines
#include "CGOpenMPRuntime.h"		#include "CGOpenMPRuntime.h"
#include "CGRecordLayout.h"		#include "CGRecordLayout.h"
#include "CodeGenFunction.h"		#include "CodeGenFunction.h"
#include "CodeGenModule.h"		#include "CodeGenModule.h"
#include "TargetInfo.h"		#include "TargetInfo.h"
#include "clang/AST/ASTContext.h"		#include "clang/AST/ASTContext.h"
#include "clang/AST/Attr.h"		#include "clang/AST/Attr.h"
#include "clang/AST/DeclObjC.h"		#include "clang/AST/DeclObjC.h"
		#include "clang/AST/NSAPI.h"
#include "clang/Frontend/CodeGenOptions.h"		#include "clang/Frontend/CodeGenOptions.h"
#include "llvm/ADT/Hashing.h"		#include "llvm/ADT/Hashing.h"
#include "llvm/ADT/StringExtras.h"		#include "llvm/ADT/StringExtras.h"
#include "llvm/IR/DataLayout.h"		#include "llvm/IR/DataLayout.h"
#include "llvm/IR/Intrinsics.h"		#include "llvm/IR/Intrinsics.h"
#include "llvm/IR/LLVMContext.h"		#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/MDBuilder.h"		#include "llvm/IR/MDBuilder.h"
#include "llvm/Support/ConvertUTF.h"		#include "llvm/Support/ConvertUTF.h"
▲ Show 20 Lines • Show All 1,177 Lines • ▼ Show 20 Lines	if (const EnumType *ET = Ty->getAs<EnumType>())
return ET->getDecl()->getIntegerType()->isBooleanType();		return ET->getDecl()->getIntegerType()->isBooleanType();

if (const AtomicType *AT = Ty->getAs<AtomicType>())		if (const AtomicType *AT = Ty->getAs<AtomicType>())
return hasBooleanRepresentation(AT->getValueType());		return hasBooleanRepresentation(AT->getValueType());

return false;		return false;
}		}

static bool getRangeForType(CodeGenFunction &CGF, QualType Ty,		static bool getRangeForType(CodeGenFunction &CGF, QualType Ty,
		ahatanakUnsubmitted Done Reply Inline Actions If your intention is to exclude BOOLs defined in files that aren't system headers, is it possible to add a test for that? void foo() { typedef long long BOOL; ... } ahatanak: If your intention is to exclude BOOLs defined in files that aren't system headers, is it…
		vskAuthorUnsubmitted Not Done Reply Inline Actions Thinking about this some more, I think it's enough to check for an ObjC language mode, and that the system header check is unnecessary. vsk: Thinking about this some more, I think it's enough to check for an ObjC language mode, and that…
llvm::APInt &Min, llvm::APInt &End,		llvm::APInt &Min, llvm::APInt &End,
		zaks.annaUnsubmitted Done Reply Inline Actions Could you use the existing method for this? From NSAPI.h: // \brief Returns true if \param T is a typedef of "BOOL" in objective-c. bool isObjCBOOLType(QualType T) const; zaks.anna: Could you use the existing method for this? From NSAPI.h: ``` // \brief Returns true if…
		vskAuthorUnsubmitted Not Done Reply Inline Actions Thanks, this is a lot better than rolling my own. vsk: Thanks, this is a lot better than rolling my own.
bool StrictEnums) {		bool StrictEnums, bool IsBool) {
const EnumType *ET = Ty->getAs<EnumType>();		const EnumType *ET = Ty->getAs<EnumType>();
		arphamanUnsubmitted Done Reply Inline Actions LangOptions.ObjC1 should be always set if LangOptions.ObjC2 is set, so the second check is redundant I think. arphaman: LangOptions.ObjC1 should be always set if LangOptions.ObjC2 is set, so the second check is…
		vskAuthorUnsubmitted Not Done Reply Inline Actions Using NSAPI takes care of this. vsk: Using NSAPI takes care of this.
bool IsRegularCPlusPlusEnum = CGF.getLangOpts().CPlusPlus && StrictEnums &&		bool IsRegularCPlusPlusEnum = CGF.getLangOpts().CPlusPlus && StrictEnums &&
ET && !ET->getDecl()->isFixed();		ET && !ET->getDecl()->isFixed();
bool IsBool = hasBooleanRepresentation(Ty);
if (!IsBool && !IsRegularCPlusPlusEnum)		if (!IsBool && !IsRegularCPlusPlusEnum)
return false;		return false;

if (IsBool) {		if (IsBool) {
Min = llvm::APInt(CGF.getContext().getTypeSize(Ty), 0);		Min = llvm::APInt(CGF.getContext().getTypeSize(Ty), 0);
End = llvm::APInt(CGF.getContext().getTypeSize(Ty), 2);		End = llvm::APInt(CGF.getContext().getTypeSize(Ty), 2);
} else {		} else {
const EnumDecl *ED = ET->getDecl();		const EnumDecl *ED = ET->getDecl();
Show All 13 Lines	if (NumNegativeBits) {
Min = llvm::APInt(Bitwidth, 0);		Min = llvm::APInt(Bitwidth, 0);
}		}
}		}
return true;		return true;
}		}

llvm::MDNode *CodeGenFunction::getRangeForLoadFromType(QualType Ty) {		llvm::MDNode *CodeGenFunction::getRangeForLoadFromType(QualType Ty) {
llvm::APInt Min, End;		llvm::APInt Min, End;
if (!getRangeForType(*this, Ty, Min, End,		if (!getRangeForType(*this, Ty, Min, End, CGM.getCodeGenOpts().StrictEnums,
CGM.getCodeGenOpts().StrictEnums))		hasBooleanRepresentation(Ty)))
return nullptr;		return nullptr;

llvm::MDBuilder MDHelper(getLLVMContext());		llvm::MDBuilder MDHelper(getLLVMContext());
return MDHelper.createRange(Min, End);		return MDHelper.createRange(Min, End);
}		}

llvm::Value *CodeGenFunction::EmitLoadOfScalar(Address Addr, bool Volatile,		llvm::Value *CodeGenFunction::EmitLoadOfScalar(Address Addr, bool Volatile,
QualType Ty,		QualType Ty,
▲ Show 20 Lines • Show All 42 Lines • ▼ Show 20 Lines	llvm::Value *CodeGenFunction::EmitLoadOfScalar(Address Addr, bool Volatile,
if (TBAAInfo) {		if (TBAAInfo) {
llvm::MDNode *TBAAPath = CGM.getTBAAStructTagInfo(TBAABaseType, TBAAInfo,		llvm::MDNode *TBAAPath = CGM.getTBAAStructTagInfo(TBAABaseType, TBAAInfo,
TBAAOffset);		TBAAOffset);
if (TBAAPath)		if (TBAAPath)
CGM.DecorateInstructionWithTBAA(Load, TBAAPath,		CGM.DecorateInstructionWithTBAA(Load, TBAAPath,
false /ConvertTypeToTag/);		false /ConvertTypeToTag/);
}		}

bool NeedsBoolCheck =		bool IsBool = hasBooleanRepresentation(Ty) \|\|
SanOpts.has(SanitizerKind::Bool) && hasBooleanRepresentation(Ty);		NSAPI(CGM.getContext()).isObjCBOOLType(Ty);
		bool NeedsBoolCheck = SanOpts.has(SanitizerKind::Bool) && IsBool;
bool NeedsEnumCheck =		bool NeedsEnumCheck =
SanOpts.has(SanitizerKind::Enum) && Ty->getAs<EnumType>();		SanOpts.has(SanitizerKind::Enum) && Ty->getAs<EnumType>();
if (NeedsBoolCheck \|\| NeedsEnumCheck) {		if (NeedsBoolCheck \|\| NeedsEnumCheck) {
SanitizerScope SanScope(this);		SanitizerScope SanScope(this);
llvm::APInt Min, End;		llvm::APInt Min, End;
if (getRangeForType(*this, Ty, Min, End, true)) {		if (getRangeForType(this, Ty, Min, End, /StrictEnums=*/true, IsBool)) {
--End;		--End;
llvm::Value *Check;		llvm::Value *Check;
if (!Min)		if (!Min)
Check = Builder.CreateICmpULE(		Check = Builder.CreateICmpULE(
Load, llvm::ConstantInt::get(getLLVMContext(), End));		Load, llvm::ConstantInt::get(getLLVMContext(), End));
else {		else {
llvm::Value *Upper = Builder.CreateICmpSLE(		llvm::Value *Upper = Builder.CreateICmpSLE(
Load, llvm::ConstantInt::get(getLLVMContext(), End));		Load, llvm::ConstantInt::get(getLLVMContext(), End));
▲ Show 20 Lines • Show All 992 Lines • Show Last 20 Lines

test/CodeGenObjC/ubsan-bool.m

This file was added.

				// RUN: %clang_cc1 -x objective-c -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - \| FileCheck %s -check-prefixes=SHARED,OBJC
				// RUN: %clang_cc1 -x objective-c++ -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - \| FileCheck %s -check-prefixes=SHARED,OBJC
				// RUN: %clang_cc1 -x c -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - \| FileCheck %s -check-prefixes=SHARED,C

				typedef signed char BOOL;

				// SHARED-LABEL: f1
				BOOL f1() {
				// OBJC: call void @__ubsan_handle_load_invalid_value
				// C-NOT: call void @__ubsan_handle_load_invalid_value
				BOOL a = 2;
				return a + 1;
				}