This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/CodeGen/
-
CodeGen/
-
CGAtomic.cpp
-
CGExpr.cpp
-
CodeGenFunction.h
-
test/
-
CodeGenCXX/
3
ubsan-bitfields.cpp
-
CodeGenObjC/
14
ubsan-bool.m

Differential D30423

[ubsan] Detect UB loads from bitfields
ClosedPublic

Authored by vsk on Feb 27 2017, 12:00 PM.

Download Raw Diff

Details

Reviewers

filcab
jroelofs
arphaman
rsmith

Commits

rG129edab12593: Retry: [ubsan] Detect UB loads from bitfields
rG5c13623a69ba: [ubsan] Detect UB loads from bitfields
rC297389: Retry: [ubsan] Detect UB loads from bitfields
rC297298: [ubsan] Detect UB loads from bitfields
rL297389: Retry: [ubsan] Detect UB loads from bitfields
rL297298: [ubsan] Detect UB loads from bitfields

Summary

We frequently run into user bugs caused by UB loads of out-of-range values from enum / BOOL bitfields. Teach UBSan to diagnose the issue.

Diff Detail

Event Timeline

vsk created this revision.Feb 27 2017, 12:00 PM

arphaman added inline comments.Mar 6 2017, 9:29 AM

test/CodeGenCXX/ubsan-bitfields.cpp
21	Can we avoid the check if the bitfield is 2 bits wide?
test/CodeGenObjC/ubsan-bool.m
25	One unrelated thing that I noticed in the IR, the `zext`s to `i64` are emitted before the branch, even though they are used only in the `invalid_value` blocks. I know that the optimizer can move those anyway, but would there any be any benefit in moving them into the blocks at the frontend IRGen level?
26	Is it possible to avoid the check here since the bitfield is just one bit wide?

Thanks for the feedback!

test/CodeGenCXX/ubsan-bitfields.cpp
21	I don't think so, because if the user memset()'s the memory backing the struct, we could still load a value outside of {1, 2, 3} from the bitfield.
test/CodeGenObjC/ubsan-bool.m
25	I'm not sure. Maybe it would make the live range of the zext smaller at -O0? I'll look into this and see if there's a real perf impact.
26	No, a user could do: struct S1 s; s.b1 = 1; if (s.b1 == 1) // evaluates to false, s.b1 is negative With this patch we get: runtime error: load of value -1, which is not a valid value for type 'BOOL' (aka 'signed char')

I think this might miss loads from bitfield ivars. Also, what about the conversion that happens for properties whose backing ivar is a bitfield? (or does that happen in the runtime? can't remember)

test/CodeGenObjC/ubsan-bool.m
25	@arphaman if it can be done easily/eleganly during IRGen, then this is a compile-duration win.
26	What if BOOL is an `unsigned char`, or a `char` that's not signed?

In D30423#694003, @jroelofs wrote:

I think this might miss loads from bitfield ivars.

I'll add a test that shows that this case is covered.

Also, what about the conversion that happens for properties whose backing ivar is a bitfield? (or does that happen in the runtime? can't remember)

I'll also check that synthesized getters have the range check.

test/CodeGenObjC/ubsan-bool.m
26	Good point, we don't need to emit the range check if the bitfield is an unsigned, 1-bit wide BOOL. Would you be OK with me tackling that in a follow-up patch?

Improve objc test coverage per Jon's suggestions.

vsk added inline comments.Mar 7 2017, 9:45 AM

test/CodeGenCXX/ubsan-bitfields.cpp
21	Sorry, I misread your question as 'if the enum can be represented in 2 bits'. You're right, the check can be skipped if the _bitfield_ is 2 bits wide. I think this can be handled along with the 1-bit unsigned BOOL case in a follow up.

LGTM

test/CodeGenObjC/ubsan-bool.m
26	No problem, sounds good to me.
67	hmmm. just occurred to me that this value is always going to be 0xff or 0x0, so it might be useful if there were also a frontend warning that complains about signed bitfield bools (maybe something useful for another patch).

This revision is now accepted and ready to land.Mar 7 2017, 10:01 PM

filcab added inline comments.Mar 8 2017, 7:47 AM

test/CodeGenObjC/ubsan-bool.m
26	I don't like generating an error here. -1 is a perfectly valid BOOL (signed char) value and it's a perfectly valid value to have in a (signed) 1-wide bitfield.
67	I'm more ok with this, assuming it makes sense in ObjC.

vsk added inline comments.Mar 8 2017, 8:56 AM

test/CodeGenObjC/ubsan-bool.m
26	True/false should be the only values loaded from a boolean. Since we made ubsan stricter about the range of BOOL (r289290), the check has caught a lot of bugs in our software. Specifically, it's helped root out buggy BOOL initialization and portability problems (the signedness of BOOL is not consistent on Apple platforms). There have been no false positives so far. Is this an issue you think needs to be addressed in this patch?
67	Yes, we have an internal feature request for such a warning.

LGTM since my issue is only an issue on ObjC platforms and it seems those are the semantics it should have there.

test/CodeGenObjC/ubsan-bool.m
26	It looks weird that we would disallow using a 1-bit (signed) bitfield for storing `BOOL`. But since this will only be a problem on obj-c, I don't think it will be a problem in general. If you're saying those are the semantics, then I'm ok with it. P.S: If it documented that the only possible values for `BOOL` are `YES` and `NO` (assuming they are `1` and `0`)? If so, I wonder if it's planned to document that you can't store a `YES` on a `BOOL` bitfield with a width of 1, since it looks like a weird case.

In D30423#695608, @filcab wrote:

LGTM since my issue is only an issue on ObjC platforms and it seems those are the semantics it should have there.

Thanks for the review.

P.S: If it documented that the only possible values for BOOL are YES and NO (assuming they are 1 and 0)?

I think this more or less counts: https://developer.apple.com/reference/objectivec/objective_c_runtime/boolean_values

If so, I wonder if it's planned to document that you can't store a YES on a BOOL bitfield with a width of 1, since it looks like a weird case.

I will ask around. There is a warning about signedness issues here: https://developer.apple.com/reference/objectivec/bool?language=objc

Closed by commit rL297298: [ubsan] Detect UB loads from bitfields (authored by vedantk). · Explain WhyMar 8 2017, 9:50 AM

This revision was automatically updated to reflect the committed changes.

teemperor mentioned this in D93533: [clang][objc] Add a warning when declaring BOOL bitfields with width 1.Dec 18 2020, 4:34 AM

Revision Contents

Path

Size

lib/

CodeGen/

CGAtomic.cpp

2 lines

CGExpr.cpp

7 lines

CodeGenFunction.h

2 lines

test/

CodeGenCXX/

ubsan-bitfields.cpp

22 lines

CodeGenObjC/

ubsan-bool.m

18 lines

Diff 89914

lib/CodeGen/CGAtomic.cpp

	Show First 20 Lines • Show All 992 Lines • ▼ Show 20 Lines
	return CGF.convertTempToRValue(addr, getValueType(), loc);			return CGF.convertTempToRValue(addr, getValueType(), loc);
	}			}
	if (!asValue)			if (!asValue)
	// Get RValue from temp memory as atomic for non-simple lvalues			// Get RValue from temp memory as atomic for non-simple lvalues
	return RValue::get(CGF.Builder.CreateLoad(addr));			return RValue::get(CGF.Builder.CreateLoad(addr));
	if (LVal.isBitField())			if (LVal.isBitField())
	return CGF.EmitLoadOfBitfieldLValue(			return CGF.EmitLoadOfBitfieldLValue(
	LValue::MakeBitfield(addr, LVal.getBitFieldInfo(), LVal.getType(),			LValue::MakeBitfield(addr, LVal.getBitFieldInfo(), LVal.getType(),
	LVal.getAlignmentSource()));			LVal.getAlignmentSource()), loc);
	if (LVal.isVectorElt())			if (LVal.isVectorElt())
	return CGF.EmitLoadOfLValue(			return CGF.EmitLoadOfLValue(
	LValue::MakeVectorElt(addr, LVal.getVectorIdx(), LVal.getType(),			LValue::MakeVectorElt(addr, LVal.getVectorIdx(), LVal.getType(),
	LVal.getAlignmentSource()), loc);			LVal.getAlignmentSource()), loc);
	assert(LVal.isExtVectorElt());			assert(LVal.isExtVectorElt());
	return CGF.EmitLoadOfExtVectorElementLValue(LValue::MakeExtVectorElt(			return CGF.EmitLoadOfExtVectorElementLValue(LValue::MakeExtVectorElt(
	addr, LVal.getExtVectorElts(), LVal.getType(),			addr, LVal.getExtVectorElts(), LVal.getType(),
	LVal.getAlignmentSource()));			LVal.getAlignmentSource()));
	▲ Show 20 Lines • Show All 662 Lines • Show Last 20 Lines

lib/CodeGen/CGExpr.cpp

	Show First 20 Lines • Show All 992 Lines • ▼ Show 20 Lines
	if (LV.isExtVectorElt())			if (LV.isExtVectorElt())
	return EmitLoadOfExtVectorElementLValue(LV);			return EmitLoadOfExtVectorElementLValue(LV);

	// Global Register variables always invoke intrinsics			// Global Register variables always invoke intrinsics
	if (LV.isGlobalReg())			if (LV.isGlobalReg())
	return EmitLoadOfGlobalRegLValue(LV);			return EmitLoadOfGlobalRegLValue(LV);

	assert(LV.isBitField() && "Unknown LValue type!");			assert(LV.isBitField() && "Unknown LValue type!");
	return EmitLoadOfBitfieldLValue(LV);			return EmitLoadOfBitfieldLValue(LV, Loc);
	}			}

	RValue CodeGenFunction::EmitLoadOfBitfieldLValue(LValue LV) {			RValue CodeGenFunction::EmitLoadOfBitfieldLValue(LValue LV,
				SourceLocation Loc) {
	const CGBitFieldInfo &Info = LV.getBitFieldInfo();			const CGBitFieldInfo &Info = LV.getBitFieldInfo();

	// Get the output type.			// Get the output type.
	llvm::Type *ResLTy = ConvertType(LV.getType());			llvm::Type *ResLTy = ConvertType(LV.getType());

	Address Ptr = LV.getBitFieldAddress();			Address Ptr = LV.getBitFieldAddress();
	llvm::Value *Val = Builder.CreateLoad(Ptr, LV.isVolatileQualified(), "bf.load");			llvm::Value *Val = Builder.CreateLoad(Ptr, LV.isVolatileQualified(), "bf.load");

	if (Info.IsSigned) {			if (Info.IsSigned) {
	assert(static_cast<unsigned>(Info.Offset + Info.Size) <= Info.StorageSize);			assert(static_cast<unsigned>(Info.Offset + Info.Size) <= Info.StorageSize);
	unsigned HighBits = Info.StorageSize - Info.Offset - Info.Size;			unsigned HighBits = Info.StorageSize - Info.Offset - Info.Size;
	if (HighBits)			if (HighBits)
	Val = Builder.CreateShl(Val, HighBits, "bf.shl");			Val = Builder.CreateShl(Val, HighBits, "bf.shl");
	if (Info.Offset + HighBits)			if (Info.Offset + HighBits)
	Val = Builder.CreateAShr(Val, Info.Offset + HighBits, "bf.ashr");			Val = Builder.CreateAShr(Val, Info.Offset + HighBits, "bf.ashr");
	} else {			} else {
	if (Info.Offset)			if (Info.Offset)
	Val = Builder.CreateLShr(Val, Info.Offset, "bf.lshr");			Val = Builder.CreateLShr(Val, Info.Offset, "bf.lshr");
	if (static_cast<unsigned>(Info.Offset) + Info.Size < Info.StorageSize)			if (static_cast<unsigned>(Info.Offset) + Info.Size < Info.StorageSize)
	Val = Builder.CreateAnd(Val, llvm::APInt::getLowBitsSet(Info.StorageSize,			Val = Builder.CreateAnd(Val, llvm::APInt::getLowBitsSet(Info.StorageSize,
	Info.Size),			Info.Size),
	"bf.clear");			"bf.clear");
	}			}
	Val = Builder.CreateIntCast(Val, ResLTy, Info.IsSigned, "bf.cast");			Val = Builder.CreateIntCast(Val, ResLTy, Info.IsSigned, "bf.cast");
				EmitScalarRangeCheck(Val, LV.getType(), Loc);
	return RValue::get(Val);			return RValue::get(Val);
	}			}

	// If this is a reference to a subset of the elements of a vector, create an			// If this is a reference to a subset of the elements of a vector, create an
	// appropriate shufflevector.			// appropriate shufflevector.
	RValue CodeGenFunction::EmitLoadOfExtVectorElementLValue(LValue LV) {			RValue CodeGenFunction::EmitLoadOfExtVectorElementLValue(LValue LV) {
	llvm::Value *Vec = Builder.CreateLoad(LV.getExtVectorAddress(),			llvm::Value *Vec = Builder.CreateLoad(LV.getExtVectorAddress(),
	LV.isVolatileQualified());			LV.isVolatileQualified());
	▲ Show 20 Lines • Show All 992 Lines • Show Last 20 Lines

lib/CodeGen/CodeGenFunction.h

	Show First 20 Lines • Show All 992 Lines • ▼ Show 20 Lines
	/// If so, atomic qualifiers are ignored and the store is always non-atomic.			/// If so, atomic qualifiers are ignored and the store is always non-atomic.
	void EmitStoreOfScalar(llvm::Value *value, LValue lvalue, bool isInit=false);			void EmitStoreOfScalar(llvm::Value *value, LValue lvalue, bool isInit=false);

	/// EmitLoadOfLValue - Given an expression that represents a value lvalue,			/// EmitLoadOfLValue - Given an expression that represents a value lvalue,
	/// this method emits the address of the lvalue, then loads the result as an			/// this method emits the address of the lvalue, then loads the result as an
	/// rvalue, returning the rvalue.			/// rvalue, returning the rvalue.
	RValue EmitLoadOfLValue(LValue V, SourceLocation Loc);			RValue EmitLoadOfLValue(LValue V, SourceLocation Loc);
	RValue EmitLoadOfExtVectorElementLValue(LValue V);			RValue EmitLoadOfExtVectorElementLValue(LValue V);
	RValue EmitLoadOfBitfieldLValue(LValue LV);			RValue EmitLoadOfBitfieldLValue(LValue LV, SourceLocation Loc);
	RValue EmitLoadOfGlobalRegLValue(LValue LV);			RValue EmitLoadOfGlobalRegLValue(LValue LV);

	/// EmitStoreThroughLValue - Store the specified rvalue into the specified			/// EmitStoreThroughLValue - Store the specified rvalue into the specified
	/// lvalue, where both are guaranteed to the have the same type, and that type			/// lvalue, where both are guaranteed to the have the same type, and that type
	/// is 'Ty'.			/// is 'Ty'.
	void EmitStoreThroughLValue(RValue Src, LValue Dst, bool isInit = false);			void EmitStoreThroughLValue(RValue Src, LValue Dst, bool isInit = false);
	void EmitStoreThroughExtVectorComponentLValue(RValue Src, LValue Dst);			void EmitStoreThroughExtVectorComponentLValue(RValue Src, LValue Dst);
	void EmitStoreThroughGlobalRegLValue(RValue Src, LValue Dst);			void EmitStoreThroughGlobalRegLValue(RValue Src, LValue Dst);
	▲ Show 20 Lines • Show All 847 Lines • Show Last 20 Lines

test/CodeGenCXX/ubsan-bitfields.cpp

This file was added.

				// RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=enum \| FileCheck %s

				enum E {
				a = 1,
				b = 2,
				c = 3
				};

				struct S {
				E e1 : 10;
				};

				// CHECK-LABEL: define i32 @_Z4loadP1S
				E load(S *s) {
				// CHECK: [[LOAD:%.]] = load i16, i16 {{.*}}
				// CHECK: [[CLEAR:%.*]] = and i16 [[LOAD]], 1023
				// CHECK: [[CAST:%.*]] = zext i16 [[CLEAR]] to i32
				// CHECK: [[ICMP:%.*]] = icmp ule i32 [[CAST]], 3, !nosanitize
				// CHECK: br i1 [[ICMP]], {{.*}}, !nosanitize
				// CHECK: call void @__ubsan_handle_load_invalid_value
				return s->e1;
				arphamanUnsubmitted Not Done Reply Inline Actions Can we avoid the check if the bitfield is 2 bits wide? arphaman: Can we avoid the check if the bitfield is 2 bits wide?
				vskAuthorUnsubmitted Not Done Reply Inline Actions I don't think so, because if the user memset()'s the memory backing the struct, we could still load a value outside of {1, 2, 3} from the bitfield. vsk: I don't think so, because if the user memset()'s the memory backing the struct, we could still…
				vskAuthorUnsubmitted Not Done Reply Inline Actions Sorry, I misread your question as 'if the enum can be represented in 2 bits'. You're right, the check can be skipped if the _bitfield_ is 2 bits wide. I think this can be handled along with the 1-bit unsigned BOOL case in a follow up. vsk: Sorry, I misread your question as 'if the enum can be represented in 2 bits'. You're right, the…
				}

test/CodeGenObjC/ubsan-bool.m

	// RUN: %clang_cc1 -x objective-c -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - \| FileCheck %s -check-prefixes=SHARED,OBJC			// RUN: %clang_cc1 -x objective-c -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - \| FileCheck %s -check-prefixes=SHARED,OBJC
	// RUN: %clang_cc1 -x objective-c++ -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - \| FileCheck %s -check-prefixes=SHARED,OBJC			// RUN: %clang_cc1 -x objective-c++ -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - \| FileCheck %s -check-prefixes=SHARED,OBJC
	// RUN: %clang_cc1 -x c -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - \| FileCheck %s -check-prefixes=SHARED,C			// RUN: %clang_cc1 -x c -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - \| FileCheck %s -check-prefixes=SHARED,C

	typedef signed char BOOL;			typedef signed char BOOL;

	// SHARED-LABEL: f1			// SHARED-LABEL: f1
	BOOL f1() {			BOOL f1() {
	// OBJC: call void @__ubsan_handle_load_invalid_value			// OBJC: call void @__ubsan_handle_load_invalid_value
	// C-NOT: call void @__ubsan_handle_load_invalid_value			// C-NOT: call void @__ubsan_handle_load_invalid_value
	BOOL a = 2;			BOOL a = 2;
	return a + 1;			return a + 1;
				// SHARED: ret i8
				}

				struct S1 {
				BOOL b1 : 1;
				};

				// SHARED-LABEL: f2
				BOOL f2(struct S1 *s) {
				// OBJC: [[LOAD:%.]] = load i8, i8 {{.*}}
				// OBJC: [[SHL:%.*]] = shl i8 [[LOAD]], 7
				// OBJC: [[ASHR:%.*]] = ashr i8 [[SHL]], 7
				// OBJC: [[ICMP:%.*]] = icmp ule i8 [[ASHR]], 1, !nosanitize
				arphamanUnsubmitted Not Done Reply Inline Actions One unrelated thing that I noticed in the IR, the `zext`s to `i64` are emitted before the branch, even though they are used only in the `invalid_value` blocks. I know that the optimizer can move those anyway, but would there any be any benefit in moving them into the blocks at the frontend IRGen level? arphaman: One unrelated thing that I noticed in the IR, the `zext`s to `i64` are emitted before the…
				vskAuthorUnsubmitted Not Done Reply Inline Actions I'm not sure. Maybe it would make the live range of the zext smaller at -O0? I'll look into this and see if there's a real perf impact. vsk: I'm not sure. Maybe it would make the live range of the zext smaller at -O0? I'll look into…
				jroelofsUnsubmitted Not Done Reply Inline Actions @arphaman if it can be done easily/eleganly during IRGen, then this is a compile-duration win. jroelofs: @arphaman if it can be done easily/eleganly during IRGen, then this is a compile-duration win.
				// OBJC: call void @__ubsan_handle_load_invalid_value
				arphamanUnsubmitted Not Done Reply Inline Actions Is it possible to avoid the check here since the bitfield is just one bit wide? arphaman: Is it possible to avoid the check here since the bitfield is just one bit wide?
				vskAuthorUnsubmitted Not Done Reply Inline Actions No, a user could do: struct S1 s; s.b1 = 1; if (s.b1 == 1) // evaluates to false, s.b1 is negative With this patch we get: runtime error: load of value -1, which is not a valid value for type 'BOOL' (aka 'signed char') vsk: No, a user could do: ``` struct S1 s; s.b1 = 1; if (s.b1 == 1) // evaluates to false, s.b1 is…
				jroelofsUnsubmitted Not Done Reply Inline Actions What if BOOL is an `unsigned char`, or a `char` that's not signed? jroelofs: What if BOOL is an `unsigned char`, or a `char` that's not signed?
				vskAuthorUnsubmitted Not Done Reply Inline Actions Good point, we don't need to emit the range check if the bitfield is an unsigned, 1-bit wide BOOL. Would you be OK with me tackling that in a follow-up patch? vsk: Good point, we don't need to emit the range check if the bitfield is an unsigned, 1-bit wide…
				jroelofsUnsubmitted Not Done Reply Inline Actions No problem, sounds good to me. jroelofs: No problem, sounds good to me.
				filcabUnsubmitted Not Done Reply Inline Actions I don't like generating an error here. -1 is a perfectly valid BOOL (signed char) value and it's a perfectly valid value to have in a (signed) 1-wide bitfield. filcab: I don't like generating an error here. -1 is a perfectly valid BOOL (signed char) value and…
				vskAuthorUnsubmitted Not Done Reply Inline Actions True/false should be the only values loaded from a boolean. Since we made ubsan stricter about the range of BOOL (r289290), the check has caught a lot of bugs in our software. Specifically, it's helped root out buggy BOOL initialization and portability problems (the signedness of BOOL is not consistent on Apple platforms). There have been no false positives so far. Is this an issue you think needs to be addressed in this patch? vsk: True/false should be the only values loaded from a boolean. Since we made ubsan stricter about…
				filcabUnsubmitted Not Done Reply Inline Actions It looks weird that we would disallow using a 1-bit (signed) bitfield for storing `BOOL`. But since this will only be a problem on obj-c, I don't think it will be a problem in general. If you're saying those are the semantics, then I'm ok with it. P.S: If it documented that the only possible values for `BOOL` are `YES` and `NO` (assuming they are `1` and `0`)? If so, I wonder if it's planned to document that you can't store a `YES` on a `BOOL` bitfield with a width of 1, since it looks like a weird case. filcab: It looks weird that we would disallow using a 1-bit (signed) bitfield for storing `BOOL`. But…

				// C-NOT: call void @__ubsan_handle_load_invalid_value
				return s->b1;
				// SHARED: ret i8
	}			}
				jroelofsUnsubmitted Not Done Reply Inline Actions hmmm. just occurred to me that this value is always going to be 0xff or 0x0, so it might be useful if there were also a frontend warning that complains about signed bitfield bools (maybe something useful for another patch). jroelofs: hmmm. just occurred to me that this value is always going to be 0xff or 0x0, so it might be…
				filcabUnsubmitted Not Done Reply Inline Actions I'm more ok with this, assuming it makes sense in ObjC. filcab: I'm more ok with this, assuming it makes sense in ObjC.
				vskAuthorUnsubmitted Not Done Reply Inline Actions Yes, we have an internal feature request for such a warning. vsk: Yes, we have an internal feature request for such a warning.