This is an archive of the discontinued LLVM Phabricator instance.

Differential D30764

Disable unsigned integer sanitizer for basic_string::replace()
ClosedPublic

Authored by tomcherry on Mar 8 2017, 3:37 PM.

Details

Reviewers
mclow.lists
EricWF
Summary

basic_string::replace() has the below line

sz += n2 - __n1;

which fails overflow checks if n1 > n2, as the negative result
from the subtraction then overflows the original __sz when added to
it.

This behavior is valid as unsigned integer overflow is defined to wrap
around the maximum value and that produces the correct final value for
__sz. Therefore, we disable this check on this function.

Diff Detail

Event Timeline

tomcherry created this revision.Mar 8 2017, 3:37 PM
tomcherry added reviewers: mclow.lists, EricWF.Mar 8 2017, 3:38 PM
tomcherry added a subscriber: cfe-commits.
srhines added a subscriber: srhines.Mar 8 2017, 4:01 PM

You probably want to remove the Change-Id section above in your description (or at least drop that when you finally submit this to libc++).

tomcherry edited the summary of this revision. (Show Details)Mar 8 2017, 4:03 PM
EricWF added inline comments.Mar 8 2017, 4:35 PM
include/string
2559

Please put this comment inside one of the function bodies, right above the offending line.

I think putting it here will result in it maybe becoming unmaintained.

EricWF edited edge metadata.Mar 8 2017, 4:41 PM

Side note: There are plenty of tests in the test-suite that trigger this overflow, so no new tests are needed.

When I have time I'm going to enable -fsanitize=unsigned-integer-overflow once I have time to clean up any existing failures.

tomcherry updated this revision to Diff 91111.Mar 8 2017, 4:49 PM

Moved comments to an appropriate line

Harbormaster completed remote builds in B4644: Diff 91111.Mar 8 2017, 4:49 PM
tomcherry marked an inline comment as done.Mar 8 2017, 4:50 PM
EricWF accepted this revision.Mar 8 2017, 4:53 PM

@Tom Do you have commit acces or would you like me to commit this for you?

This revision is now accepted and ready to land.Mar 8 2017, 4:53 PM
tomcherry added a comment.Mar 8 2017, 5:02 PM

I don't have commit access, so please commit for me.

Thank you

EricWF closed this revision.Mar 8 2017, 6:06 PM

Committed in r297355.

Revision Contents

PathSize
include/
4 lines

Diff 91111

include/string

Show First 20 LinesShow All 2,550 Lines▼ Show 20 Lines _LIBCPP_ASSERT(__get_const_db()->__find_c_from_i(&__pos) == this,
" referring to this string"); " referring to this string");
#endif #endif
difference_type __p = __pos - begin(); difference_type __p = __pos - begin();
insert(static_cast<size_type>(__p), __n, __c); insert(static_cast<size_type>(__p), __n, __c);
return begin() + __p; return begin() + __p;
} }
// replace // replace
EricWFUnsubmitted
Done
ReplyInline Actions

Please put this comment inside one of the function bodies, right above the offending line.

I think putting it here will result in it maybe becoming unmaintained.

EricWF: Please put this comment inside one of the function bodies, right above the offending line. I…
template <class _CharT, class _Traits, class _Allocator> template <class _CharT, class _Traits, class _Allocator>
basic_string<_CharT, _Traits, _Allocator>& basic_string<_CharT, _Traits, _Allocator>&
basic_string<_CharT, _Traits, _Allocator>::replace(size_type __pos, size_type __n1, const value_type* __s, size_type __n2) basic_string<_CharT, _Traits, _Allocator>::replace(size_type __pos, size_type __n1, const value_type* __s, size_type __n2)
_LIBCPP_DISABLE_UBSAN_UNSIGNED_INTEGER_CHECK
{ {
_LIBCPP_ASSERT(__n2 == 0 || __s != nullptr, "string::replace received nullptr"); _LIBCPP_ASSERT(__n2 == 0 || __s != nullptr, "string::replace received nullptr");
size_type __sz = size(); size_type __sz = size();
if (__pos > __sz) if (__pos > __sz)
this->__throw_out_of_range(); this->__throw_out_of_range();
__n1 = _VSTD::min(__n1, __sz - __pos); __n1 = _VSTD::min(__n1, __sz - __pos);
size_type __cap = capacity(); size_type __cap = capacity();
if (__cap - __sz + __n1 >= __n2) if (__cap - __sz + __n1 >= __n2)
Show All 23 Lines if (__cap - __sz + __n1 >= __n2)
__n1 = 0; __n1 = 0;
} }
} }
traits_type::move(__p + __pos + __n2, __p + __pos + __n1, __n_move); traits_type::move(__p + __pos + __n2, __p + __pos + __n1, __n_move);
} }
} }
traits_type::move(__p + __pos, __s, __n2); traits_type::move(__p + __pos, __s, __n2);
__finish: __finish:
// __sz += __n2 - __n1; in this and the below function below can cause unsigned integer overflow,
// but this is a safe operation, so we disable the check.
__sz += __n2 - __n1; __sz += __n2 - __n1;
__set_size(__sz); __set_size(__sz);
__invalidate_iterators_past(__sz); __invalidate_iterators_past(__sz);
traits_type::assign(__p[__sz], value_type()); traits_type::assign(__p[__sz], value_type());
} }
else else
__grow_by_and_replace(__cap, __sz - __n1 + __n2 - __cap, __sz, __pos, __n1, __n2, __s); __grow_by_and_replace(__cap, __sz - __n1 + __n2 - __cap, __sz, __pos, __n1, __n2, __s);
return *this; return *this;
} }
template <class _CharT, class _Traits, class _Allocator> template <class _CharT, class _Traits, class _Allocator>
basic_string<_CharT, _Traits, _Allocator>& basic_string<_CharT, _Traits, _Allocator>&
basic_string<_CharT, _Traits, _Allocator>::replace(size_type __pos, size_type __n1, size_type __n2, value_type __c) basic_string<_CharT, _Traits, _Allocator>::replace(size_type __pos, size_type __n1, size_type __n2, value_type __c)
_LIBCPP_DISABLE_UBSAN_UNSIGNED_INTEGER_CHECK
{ {
size_type __sz = size(); size_type __sz = size();
if (__pos > __sz) if (__pos > __sz)
this->__throw_out_of_range(); this->__throw_out_of_range();
__n1 = _VSTD::min(__n1, __sz - __pos); __n1 = _VSTD::min(__n1, __sz - __pos);
size_type __cap = capacity(); size_type __cap = capacity();
value_type* __p; value_type* __p;
if (__cap - __sz + __n1 >= __n2) if (__cap - __sz + __n1 >= __n2)
▲ Show 20 LinesShow All 1,416 LinesShow Last 20 Lines