This is an archive of the discontinued LLVM Phabricator instance.

Differential D29437

[ubsan] Detect signed overflow UB in remainder operations
ClosedPublic

Authored by vsk on Feb 1 2017, 6:54 PM.

Details

Reviewers
regehr
efriedma
Commits
rG42de38076517: [ubsan] Detect signed overflow UB in remainder operations
rC296214: [ubsan] Detect signed overflow UB in remainder operations
rL296214: [ubsan] Detect signed overflow UB in remainder operations
Summary

Teach ubsan to diagnose remainder operations which have undefined behavior due to signed overflow.

My copy of the C11 spec draft (6.5.5.6) says that: if the quotient a/b is representable, (a/b)*b + a%b shall equal a; otherwise, the behavior of both a/b and a%b is undefined. I take this to mean INT_MIN % -1 has signed overflow UB, so we should check for that.

Loosely depends on: https://reviews.llvm.org/D29369

Diff Detail

Repository
rL LLVM

Event Timeline

vsk created this revision.Feb 1 2017, 6:54 PM
regehr edited edge metadata.Feb 1 2017, 9:10 PM

Does this check need to be sensitive to the dialect of C/C++ that the user asked for? I know that it used to be the case that the standard could be read either way for this case, but as you observe it is now unambiguously UB.

vsk added a comment.Feb 2 2017, 12:25 AM
In D29437#664379, @regehr wrote:

Does this check need to be sensitive to the dialect of C/C++ that the user asked for? I know that it used to be the case that the standard could be read either way for this case, but as you observe it is now unambiguously UB.

No, I don't think the check should be sensitive to language dialect.

You're right about the C99 spec not being very explicit about what 'a % b' means if 'a / b' is not representable. It's simply the "remainder" of 'a / b'. However, clang treats 'INT_MIN % -1' as having UB in C99 mode (rightly, imho), so it'd be nice to have a diagnostic for it.

vsk mentioned this in D29369: [ubsan] Omit superflous overflow checks for promoted arithmetic (PR20193).Feb 3 2017, 1:57 PM
efriedma added inline comments.Feb 24 2017, 11:51 AM
lib/CodeGen/CGExprScalar.cpp
2380 ↗(On Diff #86759)

I don't think you need the isIntegerType check here?

vsk updated this revision to Diff 89734.Feb 24 2017, 3:20 PM
  • Add a small test that shows why the 'isIntegerType' check is required (we'd crash otherwise).
efriedma accepted this revision.Feb 24 2017, 3:44 PM

LGTM.

This revision is now accepted and ready to land.Feb 24 2017, 3:44 PM
Closed by commit rL296214: [ubsan] Detect signed overflow UB in remainder operations (authored by vedantk). · Explain WhyFeb 24 2017, 4:55 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
lib/
CodeGen/
8 lines
test/
CodeGen/
13 lines

Diff 89753

cfe/trunk/lib/CodeGen/CGExprScalar.cpp

Show First 20 LinesShow All 2,397 Lines▼ Show 20 LinesValue *ScalarExprEmitter::EmitDiv(const BinOpInfo &Ops) {
else if (Ops.Ty->hasUnsignedIntegerRepresentation()) else if (Ops.Ty->hasUnsignedIntegerRepresentation())
return Builder.CreateUDiv(Ops.LHS, Ops.RHS, "div"); return Builder.CreateUDiv(Ops.LHS, Ops.RHS, "div");
else else
return Builder.CreateSDiv(Ops.LHS, Ops.RHS, "div"); return Builder.CreateSDiv(Ops.LHS, Ops.RHS, "div");
} }
Value *ScalarExprEmitter::EmitRem(const BinOpInfo &Ops) { Value *ScalarExprEmitter::EmitRem(const BinOpInfo &Ops) {
// Rem in C can't be a floating point type: C99 6.5.5p2. // Rem in C can't be a floating point type: C99 6.5.5p2.
if (CGF.SanOpts.has(SanitizerKind::IntegerDivideByZero)) { if ((CGF.SanOpts.has(SanitizerKind::IntegerDivideByZero) ||
CGF.SanOpts.has(SanitizerKind::SignedIntegerOverflow)) &&
Ops.Ty->isIntegerType()) {
CodeGenFunction::SanitizerScope SanScope(&CGF); CodeGenFunction::SanitizerScope SanScope(&CGF);
llvm::Value *Zero = llvm::Constant::getNullValue(ConvertType(Ops.Ty)); llvm::Value *Zero = llvm::Constant::getNullValue(ConvertType(Ops.Ty));
if (Ops.Ty->isIntegerType())
EmitUndefinedBehaviorIntegerDivAndRemCheck(Ops, Zero, false); EmitUndefinedBehaviorIntegerDivAndRemCheck(Ops, Zero, false);
} }
if (Ops.Ty->hasUnsignedIntegerRepresentation()) if (Ops.Ty->hasUnsignedIntegerRepresentation())
return Builder.CreateURem(Ops.LHS, Ops.RHS, "rem"); return Builder.CreateURem(Ops.LHS, Ops.RHS, "rem");
else else
return Builder.CreateSRem(Ops.LHS, Ops.RHS, "rem"); return Builder.CreateSRem(Ops.LHS, Ops.RHS, "rem");
} }
▲ Show 20 LinesShow All 1,296 LinesShow Last 20 Lines

cfe/trunk/test/CodeGen/ubsan-promoted-arith.cpp

// RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=signed-integer-overflow,unsigned-integer-overflow | FileCheck %s // RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=signed-integer-overflow,unsigned-integer-overflow | FileCheck %s
typedef unsigned char uchar; typedef unsigned char uchar;
typedef unsigned short ushort; typedef unsigned short ushort;
typedef int int4 __attribute__((ext_vector_type(4)));
enum E1 : int { enum E1 : int {
a a
}; };
enum E2 : char { enum E2 : char {
b b
}; };
▲ Show 20 LinesShow All 83 Lines▼ Show 20 Lines
// CHECK-LABEL: define signext i8 @_Z4rem1 // CHECK-LABEL: define signext i8 @_Z4rem1
// CHECK-NOT: ubsan_handle_divrem_overflow // CHECK-NOT: ubsan_handle_divrem_overflow
char rem1(char c) { return c % c; } char rem1(char c) { return c % c; }
// CHECK-LABEL: define zeroext i8 @_Z4rem2 // CHECK-LABEL: define zeroext i8 @_Z4rem2
// CHECK-NOT: ubsan_handle_divrem_overflow // CHECK-NOT: ubsan_handle_divrem_overflow
uchar rem2(uchar uc) { return uc % uc; } uchar rem2(uchar uc) { return uc % uc; }
// FIXME: This is a long-standing false negative.
//
// CHECK-LABEL: define signext i8 @_Z4rem3 // CHECK-LABEL: define signext i8 @_Z4rem3
// rdar30301609: ubsan_handle_divrem_overflow // CHECK: ubsan_handle_divrem_overflow
char rem3(int i, char c) { return i % c; } char rem3(int i, char c) { return i % c; }
// CHECK-LABEL: define signext i8 @_Z4rem4
// CHECK-NOT: ubsan_handle_divrem_overflow
char rem4(char c, int i) { return c % i; }
// CHECK-LABEL: define signext i8 @_Z4inc1 // CHECK-LABEL: define signext i8 @_Z4inc1
// CHECK-NOT: sadd.with.overflow // CHECK-NOT: sadd.with.overflow
char inc1(char c) { return c++ + (char)0; } char inc1(char c) { return c++ + (char)0; }
// CHECK-LABEL: define zeroext i8 @_Z4inc2 // CHECK-LABEL: define zeroext i8 @_Z4inc2
// CHECK-NOT: uadd.with.overflow // CHECK-NOT: uadd.with.overflow
uchar inc2(uchar uc) { return uc++ + (uchar)0; } uchar inc2(uchar uc) { return uc++ + (uchar)0; }
// CHECK-LABEL: define void @_Z4inc3 // CHECK-LABEL: define void @_Z4inc3
// CHECK-NOT: sadd.with.overflow // CHECK-NOT: sadd.with.overflow
void inc3(char c) { c++; } void inc3(char c) { c++; }
// CHECK-LABEL: define void @_Z4inc4 // CHECK-LABEL: define void @_Z4inc4
// CHECK-NOT: uadd.with.overflow // CHECK-NOT: uadd.with.overflow
void inc4(uchar uc) { uc++; } void inc4(uchar uc) { uc++; }
// CHECK-LABEL: define <4 x i32> @_Z4vremDv4_iS_
// CHECK-NOT: ubsan_handle_divrem_overflow
int4 vrem(int4 a, int4 b) { return a % b; }