This is an archive of the discontinued LLVM Phabricator instance.

Differential D30599

[ubsan] Extend the nonnull argument check to ObjC
ClosedPublic

Authored by vsk on Mar 3 2017, 7:59 PM.

Details

Reviewers
jroelofs
ahatanak
aprantl
Commits
rGed00ea084e40: [ubsan] Extend the nonnull arg check to ObjC
rC296996: [ubsan] Extend the nonnull arg check to ObjC
rL296996: [ubsan] Extend the nonnull arg check to ObjC
Summary

UBSan's nonnull argument check applies when a parameter has the
"nonnull" attribute. The check currently works for FunctionDecls, but
not for ObjCMethodDecls. This patch extends the check to work for ObjC.

To do this, I introduced a new AbstractCallee class to represent the
logical callee in a generic "call", and added a use of AbstractCallee to
CGObjC.cpp. This does not affect IRGen except to fix the UBSan check.

I opted not to reuse CGCalleeInfo for this because: 1) it isn't meant to
represent the callee itself, 2) it carries around an extra pointer for
the callee prototype, and 3) it's a bit tricky to repurpose (i.e it
really "wants" to live in CGCall.h).

Testing: check-clang, check-ubsan

Diff Detail

Event Timeline

vsk created this revision.Mar 3 2017, 7:59 PM
jroelofs added a subscriber: jroelofs.Mar 3 2017, 8:38 PM

Can the null check be performed in the callee?

That'd make this check work for a few more cases that this patch doesn't cover:

  • performSelector: messages
  • messages to id.
vsk added a comment.Mar 3 2017, 8:54 PM
In D30599#692210, @jroelofs wrote:

Can the null check be performed in the callee?

Yes, but I think that would result in perplexing diagnostics, because we wouldn't be able to report the source location of the buggy calls.

That'd make this check work for a few more cases that this patch doesn't cover:

  • performSelector: messages
  • messages to id.

That's a good point, but sadly I don't see a way to diagnose these situations well with the current check. I think the best we can do is to check for nullability violations on assignment/return. I will upload a nullability "sanitizer" for review soon that does this.

jroelofs accepted this revision.Mar 3 2017, 9:12 PM

LGTM, by the way.

This revision is now accepted and ready to land.Mar 3 2017, 9:12 PM
aprantl added inline comments.Mar 4 2017, 11:02 AM
lib/CodeGen/CodeGenFunction.h
308

The \brief is redundant (we use autobrief) and shouldn't be used any more.

Closed by commit rL296996: [ubsan] Extend the nonnull arg check to ObjC (authored by vedantk). · Explain WhyMar 5 2017, 9:40 PM
This revision was automatically updated to reflect the committed changes.
vsk marked an inline comment as done.Mar 5 2017, 9:40 PM

Thanks for the reviews!

lib/CodeGen/CodeGenFunction.h
308

I will fix this before committing.

Revision Contents

PathSize
lib/
CodeGen/
17 lines
2 lines
2 lines
33 lines
test/
CodeGenObjC/
48 lines

Diff 90564

lib/CodeGen/CGCall.cpp

Show First 20 LinesShow All 3,236 Lines▼ Show 20 Lines if (StackBase) {
// Restore the stack after the call. // Restore the stack after the call.
llvm::Value *F = CGF.CGM.getIntrinsic(llvm::Intrinsic::stackrestore); llvm::Value *F = CGF.CGM.getIntrinsic(llvm::Intrinsic::stackrestore);
CGF.Builder.CreateCall(F, StackBase); CGF.Builder.CreateCall(F, StackBase);
} }
} }
void CodeGenFunction::EmitNonNullArgCheck(RValue RV, QualType ArgType, void CodeGenFunction::EmitNonNullArgCheck(RValue RV, QualType ArgType,
SourceLocation ArgLoc, SourceLocation ArgLoc,
const FunctionDecl *FD, AbstractCallee AC,
unsigned ParmNum) { unsigned ParmNum) {
if (!SanOpts.has(SanitizerKind::NonnullAttribute) || !FD) if (!SanOpts.has(SanitizerKind::NonnullAttribute) || !AC.getDecl())
return; return;
auto PVD = ParmNum < FD->getNumParams() ? FD->getParamDecl(ParmNum) : nullptr; auto PVD = ParmNum < AC.getNumParams() ? AC.getParamDecl(ParmNum) : nullptr;
unsigned ArgNo = PVD ? PVD->getFunctionScopeIndex() : ParmNum; unsigned ArgNo = PVD ? PVD->getFunctionScopeIndex() : ParmNum;
auto NNAttr = getNonNullAttr(FD, PVD, ArgType, ArgNo); auto NNAttr = getNonNullAttr(AC.getDecl(), PVD, ArgType, ArgNo);
if (!NNAttr) if (!NNAttr)
return; return;
SanitizerScope SanScope(this); SanitizerScope SanScope(this);
assert(RV.isScalar()); assert(RV.isScalar());
llvm::Value *V = RV.getScalarVal(); llvm::Value *V = RV.getScalarVal();
llvm::Value *Cond = llvm::Value *Cond =
Builder.CreateICmpNE(V, llvm::Constant::getNullValue(V->getType())); Builder.CreateICmpNE(V, llvm::Constant::getNullValue(V->getType()));
llvm::Constant *StaticData[] = { llvm::Constant *StaticData[] = {
EmitCheckSourceLocation(ArgLoc), EmitCheckSourceLocation(ArgLoc),
EmitCheckSourceLocation(NNAttr->getLocation()), EmitCheckSourceLocation(NNAttr->getLocation()),
llvm::ConstantInt::get(Int32Ty, ArgNo + 1), llvm::ConstantInt::get(Int32Ty, ArgNo + 1),
}; };
EmitCheck(std::make_pair(Cond, SanitizerKind::NonnullAttribute), EmitCheck(std::make_pair(Cond, SanitizerKind::NonnullAttribute),
SanitizerHandler::NonnullArg, StaticData, None); SanitizerHandler::NonnullArg, StaticData, None);
} }
void CodeGenFunction::EmitCallArgs( void CodeGenFunction::EmitCallArgs(
CallArgList &Args, ArrayRef<QualType> ArgTypes, CallArgList &Args, ArrayRef<QualType> ArgTypes,
llvm::iterator_range<CallExpr::const_arg_iterator> ArgRange, llvm::iterator_range<CallExpr::const_arg_iterator> ArgRange,
const FunctionDecl *CalleeDecl, unsigned ParamsToSkip, AbstractCallee AC, unsigned ParamsToSkip, EvaluationOrder Order) {
EvaluationOrder Order) {
assert((int)ArgTypes.size() == (ArgRange.end() - ArgRange.begin())); assert((int)ArgTypes.size() == (ArgRange.end() - ArgRange.begin()));
// We *have* to evaluate arguments from right to left in the MS C++ ABI, // We *have* to evaluate arguments from right to left in the MS C++ ABI,
// because arguments are destroyed left to right in the callee. As a special // because arguments are destroyed left to right in the callee. As a special
// case, there are certain language constructs that require left-to-right // case, there are certain language constructs that require left-to-right
// evaluation, and in those cases we consider the evaluation order requirement // evaluation, and in those cases we consider the evaluation order requirement
// to trump the "destruction order is reverse construction order" guarantee. // to trump the "destruction order is reverse construction order" guarantee.
bool LeftToRight = bool LeftToRight =
CGM.getTarget().getCXXABI().areArgsDestroyedLeftToRightInCallee() CGM.getTarget().getCXXABI().areArgsDestroyedLeftToRightInCallee()
? Order == EvaluationOrder::ForceLeftToRight ? Order == EvaluationOrder::ForceLeftToRight
: Order != EvaluationOrder::ForceRightToLeft; : Order != EvaluationOrder::ForceRightToLeft;
auto MaybeEmitImplicitObjectSize = [&](unsigned I, const Expr *Arg, auto MaybeEmitImplicitObjectSize = [&](unsigned I, const Expr *Arg,
RValue EmittedArg) { RValue EmittedArg) {
if (CalleeDecl == nullptr || I >= CalleeDecl->getNumParams()) if (!AC.hasFunctionDecl() || I >= AC.getNumParams())
return; return;
auto *PS = CalleeDecl->getParamDecl(I)->getAttr<PassObjectSizeAttr>(); auto *PS = AC.getParamDecl(I)->getAttr<PassObjectSizeAttr>();
if (PS == nullptr) if (PS == nullptr)
return; return;
const auto &Context = getContext(); const auto &Context = getContext();
auto SizeTy = Context.getSizeType(); auto SizeTy = Context.getSizeType();
auto T = Builder.getIntNTy(Context.getTypeSize(SizeTy)); auto T = Builder.getIntNTy(Context.getTypeSize(SizeTy));
assert(EmittedArg.getScalarVal() && "We emitted nothing for the arg?"); assert(EmittedArg.getScalarVal() && "We emitted nothing for the arg?");
llvm::Value *V = evaluateOrEmitBuiltinObjectSize(Arg, PS->getType(), T, llvm::Value *V = evaluateOrEmitBuiltinObjectSize(Arg, PS->getType(), T,
Show All 25 Lines for (unsigned I = 0, E = ArgTypes.size(); I != E; ++I) {
unsigned InitialArgSize = Args.size(); unsigned InitialArgSize = Args.size();
EmitCallArg(Args, *Arg, ArgTypes[Idx]); EmitCallArg(Args, *Arg, ArgTypes[Idx]);
// In particular, we depend on it being the last arg in Args, and the // In particular, we depend on it being the last arg in Args, and the
// objectsize bits depend on there only being one arg if !LeftToRight. // objectsize bits depend on there only being one arg if !LeftToRight.
assert(InitialArgSize + 1 == Args.size() && assert(InitialArgSize + 1 == Args.size() &&
"The code below depends on only adding one arg per EmitCallArg"); "The code below depends on only adding one arg per EmitCallArg");
(void)InitialArgSize; (void)InitialArgSize;
RValue RVArg = Args.back().RV; RValue RVArg = Args.back().RV;
EmitNonNullArgCheck(RVArg, ArgTypes[Idx], (*Arg)->getExprLoc(), CalleeDecl, EmitNonNullArgCheck(RVArg, ArgTypes[Idx], (*Arg)->getExprLoc(), AC,
ParamsToSkip + Idx); ParamsToSkip + Idx);
// @llvm.objectsize should never have side-effects and shouldn't need // @llvm.objectsize should never have side-effects and shouldn't need
// destruction/cleanups, so we can safely "emit" it after its arg, // destruction/cleanups, so we can safely "emit" it after its arg,
// regardless of right-to-leftness // regardless of right-to-leftness
MaybeEmitImplicitObjectSize(Idx, *Arg, RVArg); MaybeEmitImplicitObjectSize(Idx, *Arg, RVArg);
} }
if (!LeftToRight) { if (!LeftToRight) {
▲ Show 20 LinesShow All 960 LinesShow Last 20 Lines

lib/CodeGen/CGExprCXX.cpp

Show First 20 LinesShow All 1,573 Lines▼ Show 20 Lines if (E->passAlignment()) {
} }
allocatorArgs.add( allocatorArgs.add(
RValue::get(llvm::ConstantInt::get(SizeTy, allocAlign.getQuantity())), RValue::get(llvm::ConstantInt::get(SizeTy, allocAlign.getQuantity())),
AlignValT); AlignValT);
} }
// FIXME: Why do we not pass a CalleeDecl here? // FIXME: Why do we not pass a CalleeDecl here?
EmitCallArgs(allocatorArgs, allocatorType, E->placement_arguments(), EmitCallArgs(allocatorArgs, allocatorType, E->placement_arguments(),
/*CalleeDecl*/nullptr, /*ParamsToSkip*/ParamsToSkip); /*AC*/AbstractCallee(), /*ParamsToSkip*/ParamsToSkip);
RValue RV = RValue RV =
EmitNewDeleteCall(*this, allocator, allocatorType, allocatorArgs); EmitNewDeleteCall(*this, allocator, allocatorType, allocatorArgs);
// If this was a call to a global replaceable allocation function that does // If this was a call to a global replaceable allocation function that does
// not take an alignment argument, the allocator is known to produce // not take an alignment argument, the allocator is known to produce
// storage that's suitably aligned for any object that fits, up to a known // storage that's suitably aligned for any object that fits, up to a known
// threshold. Otherwise assume it's suitably aligned for the allocated type. // threshold. Otherwise assume it's suitably aligned for the allocated type.
▲ Show 20 LinesShow All 575 LinesShow Last 20 Lines

lib/CodeGen/CGObjC.cpp

Show First 20 LinesShow All 421 Lines▼ Show 20 LinesRValue CodeGenFunction::EmitObjCMessageExpr(const ObjCMessageExpr *E,
if (getLangOpts().ObjCAutoRefCount && method && if (getLangOpts().ObjCAutoRefCount && method &&
method->hasAttr<ObjCReturnsInnerPointerAttr>() && method->hasAttr<ObjCReturnsInnerPointerAttr>() &&
shouldExtendReceiverForInnerPointerMessage(E)) shouldExtendReceiverForInnerPointerMessage(E))
Receiver = EmitARCRetainAutorelease(ReceiverType, Receiver); Receiver = EmitARCRetainAutorelease(ReceiverType, Receiver);
QualType ResultType = method ? method->getReturnType() : E->getType(); QualType ResultType = method ? method->getReturnType() : E->getType();
CallArgList Args; CallArgList Args;
EmitCallArgs(Args, method, E->arguments()); EmitCallArgs(Args, method, E->arguments(), /*AC*/AbstractCallee(method));
// For delegate init calls in ARC, do an unsafe store of null into // For delegate init calls in ARC, do an unsafe store of null into
// self. This represents the call taking direct ownership of that // self. This represents the call taking direct ownership of that
// value. We have to do this after emitting the other call // value. We have to do this after emitting the other call
// arguments because they might also reference self, but we don't // arguments because they might also reference self, but we don't
// have to worry about any of them modifying self because that would // have to worry about any of them modifying self because that would
// be an undefined read and write of an object in unordered // be an undefined read and write of an object in unordered
// expressions. // expressions.
▲ Show 20 LinesShow All 2,981 LinesShow Last 20 Lines

lib/CodeGen/CodeGenFunction.h

Show First 20 LinesShow All 299 Lines▼ Show 20 Lines public:
CGCapturedStmtRAII(CodeGenFunction &CGF, CGCapturedStmtRAII(CodeGenFunction &CGF,
CGCapturedStmtInfo *NewCapturedStmtInfo) CGCapturedStmtInfo *NewCapturedStmtInfo)
: CGF(CGF), PrevCapturedStmtInfo(CGF.CapturedStmtInfo) { : CGF(CGF), PrevCapturedStmtInfo(CGF.CapturedStmtInfo) {
CGF.CapturedStmtInfo = NewCapturedStmtInfo; CGF.CapturedStmtInfo = NewCapturedStmtInfo;
} }
~CGCapturedStmtRAII() { CGF.CapturedStmtInfo = PrevCapturedStmtInfo; } ~CGCapturedStmtRAII() { CGF.CapturedStmtInfo = PrevCapturedStmtInfo; }
}; };
/// \brief An abstract representation of regular/ObjC call/message targets.
aprantlUnsubmitted
Not Done
ReplyInline Actions

The \brief is redundant (we use autobrief) and shouldn't be used any more.

aprantl: The \brief is redundant (we use autobrief) and shouldn't be used any more.
vskAuthorUnsubmitted
Not Done
ReplyInline Actions

I will fix this before committing.

vsk: I will fix this before committing.
class AbstractCallee {
/// \brief The function declaration of the callee.
const Decl *CalleeDecl;
public:
AbstractCallee() : CalleeDecl(nullptr) {}
AbstractCallee(const FunctionDecl *FD) : CalleeDecl(FD) {}
AbstractCallee(const ObjCMethodDecl *OMD) : CalleeDecl(OMD) {}
bool hasFunctionDecl() const {
return dyn_cast_or_null<FunctionDecl>(CalleeDecl);
}
const Decl *getDecl() const { return CalleeDecl; }
unsigned getNumParams() const {
if (const auto *FD = dyn_cast<FunctionDecl>(CalleeDecl))
return FD->getNumParams();
return cast<ObjCMethodDecl>(CalleeDecl)->param_size();
}
const ParmVarDecl *getParamDecl(unsigned I) const {
if (const auto *FD = dyn_cast<FunctionDecl>(CalleeDecl))
return FD->getParamDecl(I);
return *(cast<ObjCMethodDecl>(CalleeDecl)->param_begin() + I);
}
};
/// \brief Sanitizers enabled for this function. /// \brief Sanitizers enabled for this function.
SanitizerSet SanOpts; SanitizerSet SanOpts;
/// \brief True if CodeGen currently emits code implementing sanitizer checks. /// \brief True if CodeGen currently emits code implementing sanitizer checks.
bool IsSanitizerScope; bool IsSanitizerScope;
/// \brief RAII object to set/unset CodeGenFunction::IsSanitizerScope. /// \brief RAII object to set/unset CodeGenFunction::IsSanitizerScope.
class SanitizerScope { class SanitizerScope {
▲ Show 20 LinesShow All 3,146 Lines▼ Show 20 Linespublic:
llvm::CallInst *EmitTrapCall(llvm::Intrinsic::ID IntrID); llvm::CallInst *EmitTrapCall(llvm::Intrinsic::ID IntrID);
/// \brief Emit a cross-DSO CFI failure handling function. /// \brief Emit a cross-DSO CFI failure handling function.
void EmitCfiCheckFail(); void EmitCfiCheckFail();
/// \brief Create a check for a function parameter that may potentially be /// \brief Create a check for a function parameter that may potentially be
/// declared as non-null. /// declared as non-null.
void EmitNonNullArgCheck(RValue RV, QualType ArgType, SourceLocation ArgLoc, void EmitNonNullArgCheck(RValue RV, QualType ArgType, SourceLocation ArgLoc,
const FunctionDecl *FD, unsigned ParmNum); AbstractCallee AC, unsigned ParmNum);
/// EmitCallArg - Emit a single call argument. /// EmitCallArg - Emit a single call argument.
void EmitCallArg(CallArgList &args, const Expr *E, QualType ArgType); void EmitCallArg(CallArgList &args, const Expr *E, QualType ArgType);
/// EmitDelegateCallArg - We are performing a delegate call; that /// EmitDelegateCallArg - We are performing a delegate call; that
/// is, the current function is delegating to another one. Produce /// is, the current function is delegating to another one. Produce
/// a r-value suitable for passing the given parameter. /// a r-value suitable for passing the given parameter.
void EmitDelegateCallArg(CallArgList &args, const VarDecl *param, void EmitDelegateCallArg(CallArgList &args, const VarDecl *param,
▲ Show 20 LinesShow All 85 Lines▼ Show 20 Lines enum class EvaluationOrder {
///! Language semantics require right-to-left evaluation. ///! Language semantics require right-to-left evaluation.
ForceRightToLeft ForceRightToLeft
}; };
/// EmitCallArgs - Emit call arguments for a function. /// EmitCallArgs - Emit call arguments for a function.
template <typename T> template <typename T>
void EmitCallArgs(CallArgList &Args, const T *CallArgTypeInfo, void EmitCallArgs(CallArgList &Args, const T *CallArgTypeInfo,
llvm::iterator_range<CallExpr::const_arg_iterator> ArgRange, llvm::iterator_range<CallExpr::const_arg_iterator> ArgRange,
const FunctionDecl *CalleeDecl = nullptr, AbstractCallee AC = AbstractCallee(),
unsigned ParamsToSkip = 0, unsigned ParamsToSkip = 0,
EvaluationOrder Order = EvaluationOrder::Default) { EvaluationOrder Order = EvaluationOrder::Default) {
SmallVector<QualType, 16> ArgTypes; SmallVector<QualType, 16> ArgTypes;
CallExpr::const_arg_iterator Arg = ArgRange.begin(); CallExpr::const_arg_iterator Arg = ArgRange.begin();
assert((ParamsToSkip == 0 || CallArgTypeInfo) && assert((ParamsToSkip == 0 || CallArgTypeInfo) &&
"Can't skip parameters if type info is not provided"); "Can't skip parameters if type info is not provided");
if (CallArgTypeInfo) { if (CallArgTypeInfo) {
Show All 25 Lines#endif
assert((Arg == ArgRange.end() || !CallArgTypeInfo || assert((Arg == ArgRange.end() || !CallArgTypeInfo ||
CallArgTypeInfo->isVariadic()) && CallArgTypeInfo->isVariadic()) &&
"Extra arguments in non-variadic function!"); "Extra arguments in non-variadic function!");
// If we still have any arguments, emit them using the type of the argument. // If we still have any arguments, emit them using the type of the argument.
for (auto *A : llvm::make_range(Arg, ArgRange.end())) for (auto *A : llvm::make_range(Arg, ArgRange.end()))
ArgTypes.push_back(CallArgTypeInfo ? getVarArgType(A) : A->getType()); ArgTypes.push_back(CallArgTypeInfo ? getVarArgType(A) : A->getType());
EmitCallArgs(Args, ArgTypes, ArgRange, CalleeDecl, ParamsToSkip, Order); EmitCallArgs(Args, ArgTypes, ArgRange, AC, ParamsToSkip, Order);
} }
void EmitCallArgs(CallArgList &Args, ArrayRef<QualType> ArgTypes, void EmitCallArgs(CallArgList &Args, ArrayRef<QualType> ArgTypes,
llvm::iterator_range<CallExpr::const_arg_iterator> ArgRange, llvm::iterator_range<CallExpr::const_arg_iterator> ArgRange,
const FunctionDecl *CalleeDecl = nullptr, AbstractCallee AC = AbstractCallee(),
unsigned ParamsToSkip = 0, unsigned ParamsToSkip = 0,
EvaluationOrder Order = EvaluationOrder::Default); EvaluationOrder Order = EvaluationOrder::Default);
/// EmitPointerWithAlignment - Given an expression with a pointer /// EmitPointerWithAlignment - Given an expression with a pointer
/// type, emit the value and compute our best estimate of the /// type, emit the value and compute our best estimate of the
/// alignment of the pointee. /// alignment of the pointee.
/// ///
/// Note that this function will conservatively fall back on the type /// Note that this function will conservatively fall back on the type
▲ Show 20 LinesShow All 144 LinesShow Last 20 Lines

test/CodeGenObjC/ubsan-nonnull.m

  • This file was added.
// RUN: %clang_cc1 -x objective-c -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=nonnull-attribute %s -o - -w | FileCheck %s
@interface A
-(void) one_arg: (__attribute__((nonnull)) int *) arg1;
-(void) varargs: (__attribute__((nonnull)) int *) arg1, ...;
+(void) clsmethod: (__attribute__((nonnull)) int *) arg1;
@end
@implementation A
// CHECK-LABEL: define internal void @"\01-[A one_arg:]"
// CHECK-SAME: i32* nonnull
-(void) one_arg: (__attribute__((nonnull)) int *) arg1 {}
// CHECK-LABEL: define internal void @"\01-[A varargs:]"
// CHECK-SAME: i32* nonnull
-(void) varargs: (__attribute__((nonnull)) int *) arg1, ... {}
// CHECK-LABEL: define internal void @"\01+[A clsmethod:]"
// CHECK-SAME: i32* nonnull
+(void) clsmethod: (__attribute__((nonnull)) int *) arg1 {}
@end
// CHECK-LABEL: define void @call_A
void call_A(A *a, int *p) {
// CHECK: [[ICMP:%.*]] = icmp ne i32* [[P1:%.*]], null, !nosanitize
// CHECK: br i1 [[ICMP]], {{.*}}, !nosanitize
// CHECK: call void @__ubsan_handle_nonnull_arg{{.*}} !nosanitize
// CHECK: call void {{.*}} @objc_msgSend {{.*}} ({{.*}}, i32* [[P1]])
[a one_arg: p];
// CHECK: [[ICMP:%.*]] = icmp ne i32* [[P2:%.*]], null, !nosanitize
// CHECK: br i1 [[ICMP]], {{.*}}, !nosanitize
// CHECK: call void @__ubsan_handle_nonnull_arg{{.*}} !nosanitize
// CHECK: call void {{.*}} @objc_msgSend {{.*}} ({{.*}}, i32* [[P2]], {{.*}})
[a varargs: p, p];
// CHECK: [[ICMP:%.*]] = icmp ne i32* [[P3:%.*]], null, !nosanitize
// CHECK: br i1 [[ICMP]], {{.*}}, !nosanitize
// CHECK: call void @__ubsan_handle_nonnull_arg{{.*}} !nosanitize
// CHECK: call void {{.*}} @objc_msgSend {{.*}} ({{.*}}, i32* [[P3]])
[A clsmethod: p];
}