This is an archive of the discontinued LLVM Phabricator instance.

Differential D33305

[ubsan] Add a check for pointer overflow UB
ClosedPublic

Authored by vsk on May 17 2017, 5:39 PM.
Tokens
"Party Time" token, awarded by dtzWill.

Details

Reviewers
regehr
dtzWill
rsmith
filcab
Commits
rGa125eb55cb60: [ubsan] Add a check for pointer overflow UB
rC304459: [ubsan] Add a check for pointer overflow UB
rL304459: [ubsan] Add a check for pointer overflow UB
Summary

Check pointer arithmetic for overflow.

For some more background on this check, see:

https://wdtz.org/catching-pointer-overflow-bugs.html
https://reviews.llvm.org/D20322

Patch by Will Dietz and John Regehr!

This version of the patch is different from the original in a few ways:

  • It introduces the EmitCheckedInBoundsGEP utility which inserts checks when the pointer overflow check is enabled.
  • It does some constant-folding to reduce instrumentation overhead.
  • It does not check some GEPs in CGExprCXX. I'm not sure that inserting checks here, or in CGClass, would catch many bugs.

Possible future directions for this check:

  • Introduce CGF.EmitCheckedStructGEP, to detect overflows when accessing structures.

Testing: Apart from the added lit test, I ran check-llvm and check-clang
with a stage2, ubsan-instrumented clang. I found one overflow (see:
https://reviews.llvm.org/D33149).

Diff Detail

Event Timeline

vsk created this revision.May 17 2017, 5:39 PM
Herald added a subscriber: krytarowski. · View Herald TranscriptMay 17 2017, 5:39 PM
dtzWill awarded a token.May 17 2017, 7:19 PM
filcab added inline comments.May 18 2017, 8:34 AM
lib/CodeGen/CGExprScalar.cpp
3854

You're creating the GEP first (possibly triggering UB), and then checking ("after" UB). Shouldn't you put the checking instructions before the GEP?

3948

Do we want an extra test for TotalOffset being a constant + not overflowing? (Not strictly need, but you've been working on avoiding __ubsan() calls :-) )

vsk added a comment.May 18 2017, 9:38 AM

Thanks for the comments, responses inline --

lib/CodeGen/CGExprScalar.cpp
3854

The checking instructions are not users of the (possibly poisoned) GEP value so inserting the checks after the GEP should be OK. FWIW ubsan's scalar range checks do the same thing and I haven't seen an issue there.

I do have a concern about the IR constant folder reducing GEPs to Undef, but I don't think this affects any interesting cases, and we handle that below by bailing out if the GEP is a Constant.

Does that clear up your concerns?

3948

If the total offset is a constant and doesn't overflow, there's no need for the select instruction below, but we'd still need to emit a pointer overflow check. Teaching clang to omit the select is a little messy, and I don't think we'd save very much, so I'm leaning against doing it.

vsk updated this revision to Diff 100475.May 26 2017, 2:34 PM
vsk edited the summary of this revision. (Show Details)

Ping.

dtzWill edited edge metadata.May 29 2017, 10:43 AM

LGTM!

I've built quite a bit with this (ground-up Linux distribution) which attests to it being fairly robust (no crashing or new errors not experienced with unpatched clang) and the bugs found so far are all true positives (few of which were caught and reported last time around).

For what it's worth, this needs to be adjusted slightly to work with latest Clang. Changes were straightforward as I recall, updated patch attached.

D33305.diff39 KBDownload

dtzWill accepted this revision.May 29 2017, 10:44 AM
This revision is now accepted and ready to land.May 29 2017, 10:44 AM
vsk added a comment.May 31 2017, 2:52 PM

Thanks for the review! I've rebased the patch and plan on checking it in tomorrow. At the moment I'm getting some additional test coverage (running check-libcxx and testing more backends).

Closed by commit rL304459: [ubsan] Add a check for pointer overflow UB (authored by vedantk). · Explain WhyJun 1 2017, 12:22 PM
This revision was automatically updated to reflect the committed changes.
sberg added a subscriber: sberg.Jun 7 2017, 6:50 AM

Just a heads up that I ran into an arguably somewhat unexpected instance of this with (a copy of the Graphite project included in) LibreOffice, see the commit message of https://cgit.freedesktop.org/libreoffice/core/commit/?id=681b4a49d797996229513d3e842d2a431030730a "external/graphite: Avoid -fsanitize=pointer-overflow" for details. (In short, "ptrdiff_t d = ...; T * p += d / sizeof(T);" can trigger an overflow warning when d is negative.)

regehr edited edge metadata.Jun 7 2017, 8:27 AM

I'm taking a look. For reference here's the test program I'm using.

#include <stddef.h>

typedef struct {
  int x[2];
} T;

int main(void) {
  T f;
  T *p = &f;
  ptrdiff_t d = -3293184;
  p += d / sizeof(T);
  return 0;
}
regehr added a comment.Jun 7 2017, 8:51 AM

Sorry, let's go with this example instead, which makes it clear that the program is attempting to do something completely sensible:

#include <stddef.h>

typedef struct {
  int x[2];
} T;

int main(void) {
  T f[1000];
  T *p = &f[500];
  ptrdiff_t d = -10;
  p += d / sizeof(T);
  return 0;
}
regehr added a comment.Jun 7 2017, 9:29 AM

Well, my second program should subtract a multiple of sizeof(T). But anyway, my view is that this is a real overflow and a nasty consequence of the unsigned size_t and the usual arithmetic conversions and I don't think we want to try to poke a hole in UBSan to allow this idiom unless it turns out to be extremely common.

I think it would be better style to cast the sizeof() to a ptrdiff_t rather than to an int, but as long as d is a ptrdiff_t this won't matter.

vsk added a comment.Jun 12 2017, 5:02 PM

@sberg I agree with @regehr's analysis, and do think that this is a real overflow. Once D34121 lands, we will report this issue in a better way:

runtime error: addition of unsigned offset to 0x7fff59dfe990 overflowed to 0x7fff59dfe980

Revision Contents

PathSize
docs/
2 lines
include/
clang/
Basic/
7 lines
lib/
CodeGen/
38 lines
213 lines
8 lines
test/
CodeGen/
171 lines
Driver/
18 lines

Diff 99378

docs/UndefinedBehaviorSanitizer.rst

Show First 20 LinesShow All 100 Lines▼ Show 20 LinesAvailable checks are:
- ``-fsanitize=object-size``: An attempt to potentially use bytes which - ``-fsanitize=object-size``: An attempt to potentially use bytes which
the optimizer can determine are not part of the object being accessed. the optimizer can determine are not part of the object being accessed.
This will also detect some types of undefined behavior that may not This will also detect some types of undefined behavior that may not
directly access memory, but are provably incorrect given the size of directly access memory, but are provably incorrect given the size of
the objects involved, such as invalid downcasts and calling methods on the objects involved, such as invalid downcasts and calling methods on
invalid pointers. These checks are made in terms of invalid pointers. These checks are made in terms of
``__builtin_object_size``, and consequently may be able to detect more ``__builtin_object_size``, and consequently may be able to detect more
problems at higher optimization levels. problems at higher optimization levels.
- ``-fsanitize=pointer-overflow``: Performing pointer arithmetic which
overflows.
- ``-fsanitize=return``: In C++, reaching the end of a - ``-fsanitize=return``: In C++, reaching the end of a
value-returning function without returning a value. value-returning function without returning a value.
- ``-fsanitize=returns-nonnull-attribute``: Returning null pointer - ``-fsanitize=returns-nonnull-attribute``: Returning null pointer
from a function which is declared to never return null. from a function which is declared to never return null.
- ``-fsanitize=shift``: Shift operators where the amount shifted is - ``-fsanitize=shift``: Shift operators where the amount shifted is
greater or equal to the promoted bit-width of the left hand side greater or equal to the promoted bit-width of the left hand side
or less than zero, or where the left hand side is negative. For a or less than zero, or where the left hand side is negative. For a
signed left shift, also checks for signed overflow in C, and for signed left shift, also checks for signed overflow in C, and for
▲ Show 20 LinesShow All 155 LinesShow Last 20 Lines

include/clang/Basic/Sanitizers.def

Show First 20 LinesShow All 67 Lines▼ Show 20 Lines
SANITIZER("nonnull-attribute", NonnullAttribute) SANITIZER("nonnull-attribute", NonnullAttribute)
SANITIZER("null", Null) SANITIZER("null", Null)
SANITIZER("nullability-arg", NullabilityArg) SANITIZER("nullability-arg", NullabilityArg)
SANITIZER("nullability-assign", NullabilityAssign) SANITIZER("nullability-assign", NullabilityAssign)
SANITIZER("nullability-return", NullabilityReturn) SANITIZER("nullability-return", NullabilityReturn)
SANITIZER_GROUP("nullability", Nullability, SANITIZER_GROUP("nullability", Nullability,
NullabilityArg | NullabilityAssign | NullabilityReturn) NullabilityArg | NullabilityAssign | NullabilityReturn)
SANITIZER("object-size", ObjectSize) SANITIZER("object-size", ObjectSize)
SANITIZER("pointer-overflow", PointerOverflow)
SANITIZER("return", Return) SANITIZER("return", Return)
SANITIZER("returns-nonnull-attribute", ReturnsNonnullAttribute) SANITIZER("returns-nonnull-attribute", ReturnsNonnullAttribute)
SANITIZER("shift-base", ShiftBase) SANITIZER("shift-base", ShiftBase)
SANITIZER("shift-exponent", ShiftExponent) SANITIZER("shift-exponent", ShiftExponent)
SANITIZER_GROUP("shift", Shift, ShiftBase | ShiftExponent) SANITIZER_GROUP("shift", Shift, ShiftBase | ShiftExponent)
SANITIZER("signed-integer-overflow", SignedIntegerOverflow) SANITIZER("signed-integer-overflow", SignedIntegerOverflow)
SANITIZER("unreachable", Unreachable) SANITIZER("unreachable", Unreachable)
SANITIZER("vla-bound", VLABound) SANITIZER("vla-bound", VLABound)
Show All 19 Lines
// Safe Stack // Safe Stack
SANITIZER("safe-stack", SafeStack) SANITIZER("safe-stack", SafeStack)
// -fsanitize=undefined includes all the sanitizers which have low overhead, no // -fsanitize=undefined includes all the sanitizers which have low overhead, no
// ABI or address space layout implications, and only catch undefined behavior. // ABI or address space layout implications, and only catch undefined behavior.
SANITIZER_GROUP("undefined", Undefined, SANITIZER_GROUP("undefined", Undefined,
Alignment | Bool | ArrayBounds | Enum | FloatCastOverflow | Alignment | Bool | ArrayBounds | Enum | FloatCastOverflow |
FloatDivideByZero | IntegerDivideByZero | NonnullAttribute | FloatDivideByZero | IntegerDivideByZero | NonnullAttribute |
Null | ObjectSize | Return | ReturnsNonnullAttribute | Null | ObjectSize | PointerOverflow | Return |
Shift | SignedIntegerOverflow | Unreachable | VLABound | ReturnsNonnullAttribute | Shift | SignedIntegerOverflow |
Function | Vptr) Unreachable | VLABound | Function | Vptr)
// -fsanitize=undefined-trap is an alias for -fsanitize=undefined. // -fsanitize=undefined-trap is an alias for -fsanitize=undefined.
SANITIZER_GROUP("undefined-trap", UndefinedTrap, Undefined) SANITIZER_GROUP("undefined-trap", UndefinedTrap, Undefined)
SANITIZER_GROUP("integer", Integer, SANITIZER_GROUP("integer", Integer,
SignedIntegerOverflow | UnsignedIntegerOverflow | Shift | SignedIntegerOverflow | UnsignedIntegerOverflow | Shift |
IntegerDivideByZero) IntegerDivideByZero)
Show All 16 Lines

lib/CodeGen/CGExpr.cpp

Show First 20 LinesShow All 2,977 Lines▼ Show 20 Linesstatic const Expr *isSimpleArrayDecayOperand(const Expr *E) {
return SubExpr; return SubExpr;
} }
static llvm::Value *emitArraySubscriptGEP(CodeGenFunction &CGF, static llvm::Value *emitArraySubscriptGEP(CodeGenFunction &CGF,
llvm::Value *ptr, llvm::Value *ptr,
ArrayRef<llvm::Value*> indices, ArrayRef<llvm::Value*> indices,
bool inbounds, bool inbounds,
SourceLocation loc,
const llvm::Twine &name = "arrayidx") { const llvm::Twine &name = "arrayidx") {
if (inbounds) { if (inbounds) {
return CGF.Builder.CreateInBoundsGEP(ptr, indices, name); return CGF.EmitCheckedInBoundsGEP(ptr, indices, loc, name);
} else { } else {
return CGF.Builder.CreateGEP(ptr, indices, name); return CGF.Builder.CreateGEP(ptr, indices, name);
} }
} }
static CharUnits getArrayElementAlign(CharUnits arrayAlign, static CharUnits getArrayElementAlign(CharUnits arrayAlign,
llvm::Value *idx, llvm::Value *idx,
CharUnits eltSize) { CharUnits eltSize) {
Show All 14 Linesstatic QualType getFixedSizeElementType(const ASTContext &ctx,
QualType eltType; QualType eltType;
do { do {
eltType = vla->getElementType(); eltType = vla->getElementType();
} while ((vla = ctx.getAsVariableArrayType(eltType))); } while ((vla = ctx.getAsVariableArrayType(eltType)));
return eltType; return eltType;
} }
static Address emitArraySubscriptGEP(CodeGenFunction &CGF, Address addr, static Address emitArraySubscriptGEP(CodeGenFunction &CGF, Address addr,
ArrayRef<llvm::Value*> indices, ArrayRef<llvm::Value *> indices,
QualType eltType, bool inbounds, QualType eltType, bool inbounds,
SourceLocation loc,
const llvm::Twine &name = "arrayidx") { const llvm::Twine &name = "arrayidx") {
// All the indices except that last must be zero. // All the indices except that last must be zero.
#ifndef NDEBUG #ifndef NDEBUG
for (auto idx : indices.drop_back()) for (auto idx : indices.drop_back())
assert(isa<llvm::ConstantInt>(idx) && assert(isa<llvm::ConstantInt>(idx) &&
cast<llvm::ConstantInt>(idx)->isZero()); cast<llvm::ConstantInt>(idx)->isZero());
#endif #endif
// Determine the element size of the statically-sized base. This is // Determine the element size of the statically-sized base. This is
// the thing that the indices are expressed in terms of. // the thing that the indices are expressed in terms of.
if (auto vla = CGF.getContext().getAsVariableArrayType(eltType)) { if (auto vla = CGF.getContext().getAsVariableArrayType(eltType)) {
eltType = getFixedSizeElementType(CGF.getContext(), vla); eltType = getFixedSizeElementType(CGF.getContext(), vla);
} }
// We can use that to compute the best alignment of the element. // We can use that to compute the best alignment of the element.
CharUnits eltSize = CGF.getContext().getTypeSizeInChars(eltType); CharUnits eltSize = CGF.getContext().getTypeSizeInChars(eltType);
CharUnits eltAlign = CharUnits eltAlign =
getArrayElementAlign(addr.getAlignment(), indices.back(), eltSize); getArrayElementAlign(addr.getAlignment(), indices.back(), eltSize);
llvm::Value *eltPtr = llvm::Value *eltPtr =
emitArraySubscriptGEP(CGF, addr.getPointer(), indices, inbounds, name); emitArraySubscriptGEP(CGF, addr.getPointer(), indices, inbounds, loc, name);
return Address(eltPtr, eltAlign); return Address(eltPtr, eltAlign);
} }
LValue CodeGenFunction::EmitArraySubscriptExpr(const ArraySubscriptExpr *E, LValue CodeGenFunction::EmitArraySubscriptExpr(const ArraySubscriptExpr *E,
bool Accessed) { bool Accessed) {
// The index must always be an integer, which is not an aggregate. Emit it // The index must always be an integer, which is not an aggregate. Emit it
// in lexical order (this complexity is, sadly, required by C++17). // in lexical order (this complexity is, sadly, required by C++17).
llvm::Value *IdxPre = llvm::Value *IdxPre =
Show All 36 LinesLValue CodeGenFunction::EmitArraySubscriptExpr(const ArraySubscriptExpr *E,
// Handle the extvector case we ignored above. // Handle the extvector case we ignored above.
if (isa<ExtVectorElementExpr>(E->getBase())) { if (isa<ExtVectorElementExpr>(E->getBase())) {
LValue LV = EmitLValue(E->getBase()); LValue LV = EmitLValue(E->getBase());
auto *Idx = EmitIdxAfterBase(/*Promote*/true); auto *Idx = EmitIdxAfterBase(/*Promote*/true);
Address Addr = EmitExtVectorElementLValue(LV); Address Addr = EmitExtVectorElementLValue(LV);
QualType EltType = LV.getType()->castAs<VectorType>()->getElementType(); QualType EltType = LV.getType()->castAs<VectorType>()->getElementType();
Addr = emitArraySubscriptGEP(*this, Addr, Idx, EltType, /*inbounds*/ true); Addr = emitArraySubscriptGEP(*this, Addr, Idx, EltType, /*inbounds*/ true,
E->getExprLoc());
return MakeAddrLValue(Addr, EltType, LV.getAlignmentSource()); return MakeAddrLValue(Addr, EltType, LV.getAlignmentSource());
} }
AlignmentSource AlignSource; AlignmentSource AlignSource;
Address Addr = Address::invalid(); Address Addr = Address::invalid();
if (const VariableArrayType *vla = if (const VariableArrayType *vla =
getContext().getAsVariableArrayType(E->getType())) { getContext().getAsVariableArrayType(E->getType())) {
// The base must be a pointer, which is not an aggregate. Emit // The base must be a pointer, which is not an aggregate. Emit
Show All 11 Lines if (const VariableArrayType *vla =
// multiply. We suppress this if overflow is not undefined behavior. // multiply. We suppress this if overflow is not undefined behavior.
if (getLangOpts().isSignedOverflowDefined()) { if (getLangOpts().isSignedOverflowDefined()) {
Idx = Builder.CreateMul(Idx, numElements); Idx = Builder.CreateMul(Idx, numElements);
} else { } else {
Idx = Builder.CreateNSWMul(Idx, numElements); Idx = Builder.CreateNSWMul(Idx, numElements);
} }
Addr = emitArraySubscriptGEP(*this, Addr, Idx, vla->getElementType(), Addr = emitArraySubscriptGEP(*this, Addr, Idx, vla->getElementType(),
!getLangOpts().isSignedOverflowDefined()); !getLangOpts().isSignedOverflowDefined(),
E->getExprLoc());
} else if (const ObjCObjectType *OIT = E->getType()->getAs<ObjCObjectType>()){ } else if (const ObjCObjectType *OIT = E->getType()->getAs<ObjCObjectType>()){
// Indexing over an interface, as in "NSString *P; P[4];" // Indexing over an interface, as in "NSString *P; P[4];"
// Emit the base pointer. // Emit the base pointer.
Addr = EmitPointerWithAlignment(E->getBase(), &AlignSource); Addr = EmitPointerWithAlignment(E->getBase(), &AlignSource);
auto *Idx = EmitIdxAfterBase(/*Promote*/true); auto *Idx = EmitIdxAfterBase(/*Promote*/true);
CharUnits InterfaceSize = getContext().getTypeSizeInChars(OIT); CharUnits InterfaceSize = getContext().getTypeSizeInChars(OIT);
llvm::Value *InterfaceSizeVal = llvm::Value *InterfaceSizeVal =
llvm::ConstantInt::get(Idx->getType(), InterfaceSize.getQuantity()); llvm::ConstantInt::get(Idx->getType(), InterfaceSize.getQuantity());
llvm::Value *ScaledIdx = Builder.CreateMul(Idx, InterfaceSizeVal); llvm::Value *ScaledIdx = Builder.CreateMul(Idx, InterfaceSizeVal);
// We don't necessarily build correct LLVM struct types for ObjC // We don't necessarily build correct LLVM struct types for ObjC
// interfaces, so we can't rely on GEP to do this scaling // interfaces, so we can't rely on GEP to do this scaling
// correctly, so we need to cast to i8*. FIXME: is this actually // correctly, so we need to cast to i8*. FIXME: is this actually
// true? A lot of other things in the fragile ABI would break... // true? A lot of other things in the fragile ABI would break...
llvm::Type *OrigBaseTy = Addr.getType(); llvm::Type *OrigBaseTy = Addr.getType();
Addr = Builder.CreateElementBitCast(Addr, Int8Ty); Addr = Builder.CreateElementBitCast(Addr, Int8Ty);
// Do the GEP. // Do the GEP.
CharUnits EltAlign = CharUnits EltAlign =
getArrayElementAlign(Addr.getAlignment(), Idx, InterfaceSize); getArrayElementAlign(Addr.getAlignment(), Idx, InterfaceSize);
llvm::Value *EltPtr = llvm::Value *EltPtr = emitArraySubscriptGEP(
emitArraySubscriptGEP(*this, Addr.getPointer(), ScaledIdx, false); *this, Addr.getPointer(), ScaledIdx, false, E->getExprLoc());
Addr = Address(EltPtr, EltAlign); Addr = Address(EltPtr, EltAlign);
// Cast back. // Cast back.
Addr = Builder.CreateBitCast(Addr, OrigBaseTy); Addr = Builder.CreateBitCast(Addr, OrigBaseTy);
} else if (const Expr *Array = isSimpleArrayDecayOperand(E->getBase())) { } else if (const Expr *Array = isSimpleArrayDecayOperand(E->getBase())) {
// If this is A[i] where A is an array, the frontend will have decayed the // If this is A[i] where A is an array, the frontend will have decayed the
// base to be a ArrayToPointerDecay implicit cast. While correct, it is // base to be a ArrayToPointerDecay implicit cast. While correct, it is
// inefficient at -O0 to emit a "gep A, 0, 0" when codegen'ing it, then a // inefficient at -O0 to emit a "gep A, 0, 0" when codegen'ing it, then a
// "gep x, i" here. Emit one "gep A, 0, i". // "gep x, i" here. Emit one "gep A, 0, i".
assert(Array->getType()->isArrayType() && assert(Array->getType()->isArrayType() &&
"Array to pointer decay must have array source type!"); "Array to pointer decay must have array source type!");
LValue ArrayLV; LValue ArrayLV;
// For simple multidimensional array indexing, set the 'accessed' flag for // For simple multidimensional array indexing, set the 'accessed' flag for
// better bounds-checking of the base expression. // better bounds-checking of the base expression.
if (const auto *ASE = dyn_cast<ArraySubscriptExpr>(Array)) if (const auto *ASE = dyn_cast<ArraySubscriptExpr>(Array))
ArrayLV = EmitArraySubscriptExpr(ASE, /*Accessed*/ true); ArrayLV = EmitArraySubscriptExpr(ASE, /*Accessed*/ true);
else else
ArrayLV = EmitLValue(Array); ArrayLV = EmitLValue(Array);
auto *Idx = EmitIdxAfterBase(/*Promote*/true); auto *Idx = EmitIdxAfterBase(/*Promote*/true);
// Propagate the alignment from the array itself to the result. // Propagate the alignment from the array itself to the result.
Addr = emitArraySubscriptGEP(*this, ArrayLV.getAddress(), Addr = emitArraySubscriptGEP(
{CGM.getSize(CharUnits::Zero()), Idx}, *this, ArrayLV.getAddress(), {CGM.getSize(CharUnits::Zero()), Idx},
E->getType(), E->getType(), !getLangOpts().isSignedOverflowDefined(),
!getLangOpts().isSignedOverflowDefined()); E->getExprLoc());
AlignSource = ArrayLV.getAlignmentSource(); AlignSource = ArrayLV.getAlignmentSource();
} else { } else {
// The base must be a pointer; emit it with an estimate of its alignment. // The base must be a pointer; emit it with an estimate of its alignment.
Addr = EmitPointerWithAlignment(E->getBase(), &AlignSource); Addr = EmitPointerWithAlignment(E->getBase(), &AlignSource);
auto *Idx = EmitIdxAfterBase(/*Promote*/true); auto *Idx = EmitIdxAfterBase(/*Promote*/true);
Addr = emitArraySubscriptGEP(*this, Addr, Idx, E->getType(), Addr = emitArraySubscriptGEP(*this, Addr, Idx, E->getType(),
!getLangOpts().isSignedOverflowDefined()); !getLangOpts().isSignedOverflowDefined(),
E->getExprLoc());
} }
LValue LV = MakeAddrLValue(Addr, E->getType(), AlignSource); LValue LV = MakeAddrLValue(Addr, E->getType(), AlignSource);
// TODO: Preserve/extend path TBAA metadata? // TODO: Preserve/extend path TBAA metadata?
if (getLangOpts().ObjC1 && if (getLangOpts().ObjC1 &&
getLangOpts().getGC() != LangOptions::NonGC) { getLangOpts().getGC() != LangOptions::NonGC) {
▲ Show 20 LinesShow All 153 Lines▼ Show 20 Lines if (auto *VLA = getContext().getAsVariableArrayType(ResultExprTy)) {
// GEP indexes are signed, and scaling an index isn't permitted to // GEP indexes are signed, and scaling an index isn't permitted to
// signed-overflow, so we use the same semantics for our explicit // signed-overflow, so we use the same semantics for our explicit
// multiply. We suppress this if overflow is not undefined behavior. // multiply. We suppress this if overflow is not undefined behavior.
if (getLangOpts().isSignedOverflowDefined()) if (getLangOpts().isSignedOverflowDefined())
Idx = Builder.CreateMul(Idx, NumElements); Idx = Builder.CreateMul(Idx, NumElements);
else else
Idx = Builder.CreateNSWMul(Idx, NumElements); Idx = Builder.CreateNSWMul(Idx, NumElements);
EltPtr = emitArraySubscriptGEP(*this, Base, Idx, VLA->getElementType(), EltPtr = emitArraySubscriptGEP(*this, Base, Idx, VLA->getElementType(),
!getLangOpts().isSignedOverflowDefined()); !getLangOpts().isSignedOverflowDefined(),
E->getExprLoc());
} else if (const Expr *Array = isSimpleArrayDecayOperand(E->getBase())) { } else if (const Expr *Array = isSimpleArrayDecayOperand(E->getBase())) {
// If this is A[i] where A is an array, the frontend will have decayed the // If this is A[i] where A is an array, the frontend will have decayed the
// base to be a ArrayToPointerDecay implicit cast. While correct, it is // base to be a ArrayToPointerDecay implicit cast. While correct, it is
// inefficient at -O0 to emit a "gep A, 0, 0" when codegen'ing it, then a // inefficient at -O0 to emit a "gep A, 0, 0" when codegen'ing it, then a
// "gep x, i" here. Emit one "gep A, 0, i". // "gep x, i" here. Emit one "gep A, 0, i".
assert(Array->getType()->isArrayType() && assert(Array->getType()->isArrayType() &&
"Array to pointer decay must have array source type!"); "Array to pointer decay must have array source type!");
LValue ArrayLV; LValue ArrayLV;
// For simple multidimensional array indexing, set the 'accessed' flag for // For simple multidimensional array indexing, set the 'accessed' flag for
// better bounds-checking of the base expression. // better bounds-checking of the base expression.
if (const auto *ASE = dyn_cast<ArraySubscriptExpr>(Array)) if (const auto *ASE = dyn_cast<ArraySubscriptExpr>(Array))
ArrayLV = EmitArraySubscriptExpr(ASE, /*Accessed*/ true); ArrayLV = EmitArraySubscriptExpr(ASE, /*Accessed*/ true);
else else
ArrayLV = EmitLValue(Array); ArrayLV = EmitLValue(Array);
// Propagate the alignment from the array itself to the result. // Propagate the alignment from the array itself to the result.
EltPtr = emitArraySubscriptGEP( EltPtr = emitArraySubscriptGEP(
*this, ArrayLV.getAddress(), {CGM.getSize(CharUnits::Zero()), Idx}, *this, ArrayLV.getAddress(), {CGM.getSize(CharUnits::Zero()), Idx},
ResultExprTy, !getLangOpts().isSignedOverflowDefined()); ResultExprTy, !getLangOpts().isSignedOverflowDefined(),
E->getExprLoc());
AlignSource = ArrayLV.getAlignmentSource(); AlignSource = ArrayLV.getAlignmentSource();
} else { } else {
Address Base = emitOMPArraySectionBase(*this, E->getBase(), AlignSource, Address Base = emitOMPArraySectionBase(*this, E->getBase(), AlignSource,
BaseTy, ResultExprTy, IsLowerBound); BaseTy, ResultExprTy, IsLowerBound);
EltPtr = emitArraySubscriptGEP(*this, Base, Idx, ResultExprTy, EltPtr = emitArraySubscriptGEP(*this, Base, Idx, ResultExprTy,
!getLangOpts().isSignedOverflowDefined()); !getLangOpts().isSignedOverflowDefined(),
E->getExprLoc());
} }
return MakeAddrLValue(EltPtr, ResultExprTy, AlignSource); return MakeAddrLValue(EltPtr, ResultExprTy, AlignSource);
} }
LValue CodeGenFunction:: LValue CodeGenFunction::
EmitExtVectorElementExpr(const ExtVectorElementExpr *E) { EmitExtVectorElementExpr(const ExtVectorElementExpr *E) {
// Emit the base vector as an l-value. // Emit the base vector as an l-value.
▲ Show 20 LinesShow All 1,131 LinesShow Last 20 Lines

lib/CodeGen/CGExprScalar.cpp

Show All 24 Lines
#include "clang/AST/StmtVisitor.h" #include "clang/AST/StmtVisitor.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "clang/Frontend/CodeGenOptions.h" #include "clang/Frontend/CodeGenOptions.h"
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include "llvm/IR/CFG.h" #include "llvm/IR/CFG.h"
#include "llvm/IR/Constants.h" #include "llvm/IR/Constants.h"
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/GetElementPtrTypeIterator.h"
#include "llvm/IR/GlobalVariable.h" #include "llvm/IR/GlobalVariable.h"
#include "llvm/IR/Intrinsics.h" #include "llvm/IR/Intrinsics.h"
#include "llvm/IR/Module.h" #include "llvm/IR/Module.h"
#include <cstdarg> #include <cstdarg>
using namespace clang; using namespace clang;
using namespace CodeGen; using namespace CodeGen;
using llvm::Value; using llvm::Value;
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Scalar Expression Emitter // Scalar Expression Emitter
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
struct BinOpInfo {
Value *LHS;
Value *RHS;
QualType Ty; // Computation Type.
BinaryOperator::Opcode Opcode; // Opcode of BinOp to perform
FPOptions FPFeatures;
const Expr *E; // Entire expr, for error unsupported. May not be binop.
/// Check if the binop can result in integer overflow.
bool mayHaveIntegerOverflow() const {
// Without constant input, we can't rule out overflow.
const auto *LHSCI = dyn_cast<llvm::ConstantInt>(LHS);
const auto *RHSCI = dyn_cast<llvm::ConstantInt>(RHS);
if (!LHSCI || !RHSCI)
return true;
/// Determine whether the given binary operation may overflow.
/// Sets \p Result to the value of the operation for BO_Add, BO_Sub, BO_Mul,
/// and signed BO_{Div,Rem}. For these opcodes, and for unsigned BO_{Div,Rem},
/// the returned overflow check is precise. The returned value is 'true' for
/// all other opcodes, to be conservative.
bool mayHaveIntegerOverflow(llvm::ConstantInt *LHS, llvm::ConstantInt *RHS,
BinaryOperator::Opcode Opcode, bool Signed,
llvm::APInt &Result) {
// Assume overflow is possible, unless we can prove otherwise. // Assume overflow is possible, unless we can prove otherwise.
bool Overflow = true; bool Overflow = true;
const auto &LHSAP = LHSCI->getValue(); const auto &LHSAP = LHS->getValue();
const auto &RHSAP = RHSCI->getValue(); const auto &RHSAP = RHS->getValue();
if (Opcode == BO_Add) { if (Opcode == BO_Add) {
if (Ty->hasSignedIntegerRepresentation()) if (Signed)
(void)LHSAP.sadd_ov(RHSAP, Overflow); Result = LHSAP.sadd_ov(RHSAP, Overflow);
else else
(void)LHSAP.uadd_ov(RHSAP, Overflow); Result = LHSAP.uadd_ov(RHSAP, Overflow);
} else if (Opcode == BO_Sub) { } else if (Opcode == BO_Sub) {
if (Ty->hasSignedIntegerRepresentation()) if (Signed)
(void)LHSAP.ssub_ov(RHSAP, Overflow); Result = LHSAP.ssub_ov(RHSAP, Overflow);
else else
(void)LHSAP.usub_ov(RHSAP, Overflow); Result = LHSAP.usub_ov(RHSAP, Overflow);
} else if (Opcode == BO_Mul) { } else if (Opcode == BO_Mul) {
if (Ty->hasSignedIntegerRepresentation()) if (Signed)
(void)LHSAP.smul_ov(RHSAP, Overflow); Result = LHSAP.smul_ov(RHSAP, Overflow);
else else
(void)LHSAP.umul_ov(RHSAP, Overflow); Result = LHSAP.umul_ov(RHSAP, Overflow);
} else if (Opcode == BO_Div || Opcode == BO_Rem) { } else if (Opcode == BO_Div || Opcode == BO_Rem) {
if (Ty->hasSignedIntegerRepresentation() && !RHSCI->isZero()) if (Signed && !RHS->isZero())
(void)LHSAP.sdiv_ov(RHSAP, Overflow); Result = LHSAP.sdiv_ov(RHSAP, Overflow);
else else
return false; return false;
} }
return Overflow; return Overflow;
} }
struct BinOpInfo {
Value *LHS;
Value *RHS;
QualType Ty; // Computation Type.
BinaryOperator::Opcode Opcode; // Opcode of BinOp to perform
FPOptions FPFeatures;
const Expr *E; // Entire expr, for error unsupported. May not be binop.
/// Check if the binop can result in integer overflow.
bool mayHaveIntegerOverflow() const {
// Without constant input, we can't rule out overflow.
auto *LHSCI = dyn_cast<llvm::ConstantInt>(LHS);
auto *RHSCI = dyn_cast<llvm::ConstantInt>(RHS);
if (!LHSCI || !RHSCI)
return true;
llvm::APInt Result;
return ::mayHaveIntegerOverflow(
LHSCI, RHSCI, Opcode, Ty->hasSignedIntegerRepresentation(), Result);
}
/// Check if the binop computes a division or a remainder. /// Check if the binop computes a division or a remainder.
bool isDivremOp() const { bool isDivremOp() const {
return Opcode == BO_Div || Opcode == BO_Rem || Opcode == BO_DivAssign || return Opcode == BO_Div || Opcode == BO_Rem || Opcode == BO_DivAssign ||
Opcode == BO_RemAssign; Opcode == BO_RemAssign;
} }
/// Check if the binop can result in an integer division by zero. /// Check if the binop can result in an integer division by zero.
bool mayHaveIntegerDivisionByZero() const { bool mayHaveIntegerDivisionByZero() const {
▲ Show 20 LinesShow All 1,822 Lines▼ Show 20 Lines // Next most common: pointer increment.
// VLA types don't have constant size. // VLA types don't have constant size.
if (const VariableArrayType *vla if (const VariableArrayType *vla
= CGF.getContext().getAsVariableArrayType(type)) { = CGF.getContext().getAsVariableArrayType(type)) {
llvm::Value *numElts = CGF.getVLASize(vla).first; llvm::Value *numElts = CGF.getVLASize(vla).first;
if (!isInc) numElts = Builder.CreateNSWNeg(numElts, "vla.negsize"); if (!isInc) numElts = Builder.CreateNSWNeg(numElts, "vla.negsize");
if (CGF.getLangOpts().isSignedOverflowDefined()) if (CGF.getLangOpts().isSignedOverflowDefined())
value = Builder.CreateGEP(value, numElts, "vla.inc"); value = Builder.CreateGEP(value, numElts, "vla.inc");
else else
value = Builder.CreateInBoundsGEP(value, numElts, "vla.inc"); value = CGF.EmitCheckedInBoundsGEP(value, numElts, E->getExprLoc(),
"vla.inc");
// Arithmetic on function pointers (!) is just +-1. // Arithmetic on function pointers (!) is just +-1.
} else if (type->isFunctionType()) { } else if (type->isFunctionType()) {
llvm::Value *amt = Builder.getInt32(amount); llvm::Value *amt = Builder.getInt32(amount);
value = CGF.EmitCastToVoidPtr(value); value = CGF.EmitCastToVoidPtr(value);
if (CGF.getLangOpts().isSignedOverflowDefined()) if (CGF.getLangOpts().isSignedOverflowDefined())
value = Builder.CreateGEP(value, amt, "incdec.funcptr"); value = Builder.CreateGEP(value, amt, "incdec.funcptr");
else else
value = Builder.CreateInBoundsGEP(value, amt, "incdec.funcptr"); value = CGF.EmitCheckedInBoundsGEP(value, amt, E->getExprLoc(),
"incdec.funcptr");
value = Builder.CreateBitCast(value, input->getType()); value = Builder.CreateBitCast(value, input->getType());
// For everything else, we can just do a simple increment. // For everything else, we can just do a simple increment.
} else { } else {
llvm::Value *amt = Builder.getInt32(amount); llvm::Value *amt = Builder.getInt32(amount);
if (CGF.getLangOpts().isSignedOverflowDefined()) if (CGF.getLangOpts().isSignedOverflowDefined())
value = Builder.CreateGEP(value, amt, "incdec.ptr"); value = Builder.CreateGEP(value, amt, "incdec.ptr");
else else
value = Builder.CreateInBoundsGEP(value, amt, "incdec.ptr"); value = CGF.EmitCheckedInBoundsGEP(value, amt, E->getExprLoc(),
"incdec.ptr");
} }
// Vector increment/decrement. // Vector increment/decrement.
} else if (type->isVectorType()) { } else if (type->isVectorType()) {
if (type->hasIntegerRepresentation()) { if (type->hasIntegerRepresentation()) {
llvm::Value *amt = llvm::ConstantInt::get(value->getType(), amount); llvm::Value *amt = llvm::ConstantInt::get(value->getType(), amount);
value = Builder.CreateAdd(value, amt, isInc ? "inc" : "dec"); value = Builder.CreateAdd(value, amt, isInc ? "inc" : "dec");
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Lines // Objective-C pointer types.
CharUnits size = CGF.getContext().getTypeSizeInChars(OPT->getObjectType()); CharUnits size = CGF.getContext().getTypeSizeInChars(OPT->getObjectType());
if (!isInc) size = -size; if (!isInc) size = -size;
llvm::Value *sizeValue = llvm::Value *sizeValue =
llvm::ConstantInt::get(CGF.SizeTy, size.getQuantity()); llvm::ConstantInt::get(CGF.SizeTy, size.getQuantity());
if (CGF.getLangOpts().isSignedOverflowDefined()) if (CGF.getLangOpts().isSignedOverflowDefined())
value = Builder.CreateGEP(value, sizeValue, "incdec.objptr"); value = Builder.CreateGEP(value, sizeValue, "incdec.objptr");
else else
value = Builder.CreateInBoundsGEP(value, sizeValue, "incdec.objptr"); value = CGF.EmitCheckedInBoundsGEP(value, sizeValue, E->getExprLoc(),
"incdec.objptr");
value = Builder.CreateBitCast(value, input->getType()); value = Builder.CreateBitCast(value, input->getType());
} }
if (atomicPHI) { if (atomicPHI) {
llvm::BasicBlock *opBB = Builder.GetInsertBlock(); llvm::BasicBlock *opBB = Builder.GetInsertBlock();
llvm::BasicBlock *contBB = CGF.createBasicBlock("atomic_cont", CGF.CurFn); llvm::BasicBlock *contBB = CGF.createBasicBlock("atomic_cont", CGF.CurFn);
auto Pair = CGF.EmitAtomicCompareExchange( auto Pair = CGF.EmitAtomicCompareExchange(
LV, RValue::get(atomicPHI), RValue::get(value), E->getExprLoc()); LV, RValue::get(atomicPHI), RValue::get(value), E->getExprLoc());
▲ Show 20 LinesShow All 650 Lines▼ Show 20 Lines if (const VariableArrayType *vla
// GEP indexes are signed, and scaling an index isn't permitted to // GEP indexes are signed, and scaling an index isn't permitted to
// signed-overflow, so we use the same semantics for our explicit // signed-overflow, so we use the same semantics for our explicit
// multiply. We suppress this if overflow is not undefined behavior. // multiply. We suppress this if overflow is not undefined behavior.
if (CGF.getLangOpts().isSignedOverflowDefined()) { if (CGF.getLangOpts().isSignedOverflowDefined()) {
index = CGF.Builder.CreateMul(index, numElements, "vla.index"); index = CGF.Builder.CreateMul(index, numElements, "vla.index");
pointer = CGF.Builder.CreateGEP(pointer, index, "add.ptr"); pointer = CGF.Builder.CreateGEP(pointer, index, "add.ptr");
} else { } else {
index = CGF.Builder.CreateNSWMul(index, numElements, "vla.index"); index = CGF.Builder.CreateNSWMul(index, numElements, "vla.index");
pointer = CGF.Builder.CreateInBoundsGEP(pointer, index, "add.ptr"); pointer = CGF.EmitCheckedInBoundsGEP(pointer, index, op.E->getExprLoc(),
"add.ptr");
} }
return pointer; return pointer;
} }
// Explicitly handle GNU void* and function pointer arithmetic extensions. The // Explicitly handle GNU void* and function pointer arithmetic extensions. The
// GNU void* casts amount to no-ops since our void* type is i8*, but this is // GNU void* casts amount to no-ops since our void* type is i8*, but this is
// future proof. // future proof.
if (elementType->isVoidType() || elementType->isFunctionType()) { if (elementType->isVoidType() || elementType->isFunctionType()) {
Value *result = CGF.Builder.CreateBitCast(pointer, CGF.VoidPtrTy); Value *result = CGF.Builder.CreateBitCast(pointer, CGF.VoidPtrTy);
result = CGF.Builder.CreateGEP(result, index, "add.ptr"); result = CGF.Builder.CreateGEP(result, index, "add.ptr");
return CGF.Builder.CreateBitCast(result, pointer->getType()); return CGF.Builder.CreateBitCast(result, pointer->getType());
} }
if (CGF.getLangOpts().isSignedOverflowDefined()) if (CGF.getLangOpts().isSignedOverflowDefined())
return CGF.Builder.CreateGEP(pointer, index, "add.ptr"); return CGF.Builder.CreateGEP(pointer, index, "add.ptr");
return CGF.Builder.CreateInBoundsGEP(pointer, index, "add.ptr"); return CGF.EmitCheckedInBoundsGEP(pointer, index, op.E->getExprLoc(),
"add.ptr");
} }
// Construct an fmuladd intrinsic to represent a fused mul-add of MulOp and // Construct an fmuladd intrinsic to represent a fused mul-add of MulOp and
// Addend. Use negMul and negAdd to negate the first operand of the Mul or // Addend. Use negMul and negAdd to negate the first operand of the Mul or
// the add operand respectively. This allows fmuladd to represent a*b-c, or // the add operand respectively. This allows fmuladd to represent a*b-c, or
// c-a*b. Patterns in LLVM should catch the negated forms and translate them to // c-a*b. Patterns in LLVM should catch the negated forms and translate them to
// efficient operations. // efficient operations.
static Value* buildFMulAdd(llvm::BinaryOperator *MulOp, Value *Addend, static Value* buildFMulAdd(llvm::BinaryOperator *MulOp, Value *Addend,
▲ Show 20 LinesShow All 1,098 Lines▼ Show 20 Lines#undef COMPOUND_OP
case BO_LOr: case BO_LOr:
case BO_Assign: case BO_Assign:
case BO_Comma: case BO_Comma:
llvm_unreachable("Not valid compound assignment operators"); llvm_unreachable("Not valid compound assignment operators");
} }
llvm_unreachable("Unhandled compound assignment operator"); llvm_unreachable("Unhandled compound assignment operator");
} }
Value *CodeGenFunction::EmitCheckedInBoundsGEP(Value *Ptr,
ArrayRef<Value *> IdxList,
SourceLocation Loc,
const Twine &Name) {
Value *GEPVal = Builder.CreateInBoundsGEP(Ptr, IdxList, Name);
filcabUnsubmitted
Not Done
ReplyInline Actions

You're creating the GEP first (possibly triggering UB), and then checking ("after" UB). Shouldn't you put the checking instructions before the GEP?

filcab: You're creating the GEP first (possibly triggering UB), and then checking ("after" UB).
vskAuthorUnsubmitted
Not Done
ReplyInline Actions

The checking instructions are not users of the (possibly poisoned) GEP value so inserting the checks after the GEP should be OK. FWIW ubsan's scalar range checks do the same thing and I haven't seen an issue there.

I do have a concern about the IR constant folder reducing GEPs to Undef, but I don't think this affects any interesting cases, and we handle that below by bailing out if the GEP is a Constant.

Does that clear up your concerns?

vsk: The checking instructions are not users of the (possibly poisoned) GEP value so inserting the…
// If the pointer overflow sanitizer isn't enabled, do nothing.
if (!SanOpts.has(SanitizerKind::PointerOverflow))
return GEPVal;
// If the GEP has already been reduced to a constant, leave it be.
if (isa<llvm::Constant>(GEPVal))
return GEPVal;
// Only check for overflows in the default address space.
if (GEPVal->getType()->getPointerAddressSpace())
return GEPVal;
auto *GEP = cast<llvm::GEPOperator>(GEPVal);
assert(GEP->isInBounds() && "Expected inbounds GEP");
SanitizerScope SanScope(this);
auto &VMContext = getLLVMContext();
const auto &DL = CGM.getDataLayout();
auto *IntPtrTy = DL.getIntPtrType(GEP->getPointerOperandType());
// Grab references to the signed add/mul overflow intrinsics for intptr_t.
auto *Zero = llvm::ConstantInt::getNullValue(IntPtrTy);
auto *SAddIntrinsic =
CGM.getIntrinsic(llvm::Intrinsic::sadd_with_overflow, IntPtrTy);
auto *SMulIntrinsic =
CGM.getIntrinsic(llvm::Intrinsic::smul_with_overflow, IntPtrTy);
// The total (signed) byte offset for the GEP.
llvm::Value *TotalOffset = nullptr;
// The offset overflow flag - true if the total offset overflows.
llvm::Value *OffsetOverflows = Builder.getFalse();
/// Return the result of the given binary operation. \p Overflows is set to
/// the logical OR of itself and whether the operation overflows.
auto evalBinop = [&](llvm::Value *LHS, llvm::Value *RHS,
BinaryOperator::Opcode Opcode,
llvm::Value *&Overflows) -> llvm::Value * {
assert(Opcode == BO_Add || Opcode == BO_Mul && "Can't eval binop");
// If the operands are constants, return a constant result.
if (auto *LHSCI = dyn_cast<llvm::ConstantInt>(LHS)) {
if (auto *RHSCI = dyn_cast<llvm::ConstantInt>(RHS)) {
llvm::APInt N;
bool HasOverflow = mayHaveIntegerOverflow(LHSCI, RHSCI, Opcode,
/*Signed=*/true, N);
if (HasOverflow)
Overflows = Builder.getTrue();
return llvm::ConstantInt::get(VMContext, N);
}
}
// Otherwise, compute the result with checked arithmetic.
auto *ResultAndOverflow = Builder.CreateCall(
(Opcode == BO_Add) ? SAddIntrinsic : SMulIntrinsic, {LHS, RHS});
Overflows = Builder.CreateOr(
Overflows, Builder.CreateExtractValue(ResultAndOverflow, 1));
return Builder.CreateExtractValue(ResultAndOverflow, 0);
};
// Determine the total byte offset by looking at each GEP operand.
for (auto GTI = llvm::gep_type_begin(GEP), GTE = llvm::gep_type_end(GEP);
GTI != GTE; ++GTI) {
llvm::Value *LocalOffset;
auto *Index = GTI.getOperand();
// Compute the local offset contributed by this indexing step:
if (auto *STy = GTI.getStructTypeOrNull()) {
// For struct indexing, the local offset is the byte position of the
// specified field.
unsigned FieldNo = cast<llvm::ConstantInt>(Index)->getZExtValue();
LocalOffset = llvm::ConstantInt::get(
IntPtrTy, DL.getStructLayout(STy)->getElementOffset(FieldNo));
} else {
// Otherwise this is array-like indexing. The local offset is the index
// multiplied by the element size.
auto *ElementSize = llvm::ConstantInt::get(
IntPtrTy, DL.getTypeAllocSize(GTI.getIndexedType()));
auto *IndexS = Builder.CreateIntCast(Index, IntPtrTy, /*isSigned=*/true);
LocalOffset = evalBinop(ElementSize, IndexS, BO_Mul, OffsetOverflows);
}
// If this is the first offset, set it as the total offset. Otherwise, add
// the local offset into the running total.
if (!TotalOffset || TotalOffset == Zero)
TotalOffset = LocalOffset;
else
TotalOffset =
evalBinop(TotalOffset, LocalOffset, BO_Add, OffsetOverflows);
}
// Common case: if the total offset is zero, don't emit a check.
if (TotalOffset == Zero)
return GEPVal;
filcabUnsubmitted
Not Done
ReplyInline Actions

Do we want an extra test for TotalOffset being a constant + not overflowing? (Not strictly need, but you've been working on avoiding __ubsan() calls :-) )

filcab: Do we want an extra test for `TotalOffset` being a constant + not overflowing? (Not strictly…
vskAuthorUnsubmitted
Not Done
ReplyInline Actions

If the total offset is a constant and doesn't overflow, there's no need for the select instruction below, but we'd still need to emit a pointer overflow check. Teaching clang to omit the select is a little messy, and I don't think we'd save very much, so I'm leaning against doing it.

vsk: If the total offset is a constant and doesn't overflow, there's no need for the select…
// Now that we've computed the total offset, add it to the base pointer (with
// wrapping semantics).
auto *IntPtr = Builder.CreatePtrToInt(GEP->getPointerOperand(), IntPtrTy);
auto *ComputedGEP = Builder.CreateAdd(IntPtr, TotalOffset);
// The GEP is valid if:
// 1) The total offset doesn't overflow, and
// 2) The sign of the difference between the computed address and the base
// pointer matches the sign of the total offset.
llvm::Value *PosOrZeroValid = Builder.CreateICmpUGE(ComputedGEP, IntPtr);
llvm::Value *NegValid = Builder.CreateICmpULT(ComputedGEP, IntPtr);
auto *PosOrZeroOffset = Builder.CreateICmpSGE(TotalOffset, Zero);
llvm::Value *ValidGEP = Builder.CreateAnd(
Builder.CreateNot(OffsetOverflows),
Builder.CreateSelect(PosOrZeroOffset, PosOrZeroValid, NegValid));
llvm::Constant *StaticArgs[] = {EmitCheckSourceLocation(Loc)};
// Pass the computed GEP to the runtime to avoid emitting poisoned arguments.
llvm::Value *DynamicArgs[] = {IntPtr, ComputedGEP};
EmitCheck(std::make_pair(ValidGEP, SanitizerKind::PointerOverflow),
SanitizerHandler::PointerOverflow, StaticArgs, DynamicArgs);
return GEPVal;
}

lib/CodeGen/CodeGenFunction.h

Show First 20 LinesShow All 114 Lines▼ Show 20 Lines#define LIST_SANITIZER_CHECKS \
SANITIZER_CHECK(MissingReturn, missing_return, 0) \ SANITIZER_CHECK(MissingReturn, missing_return, 0) \
SANITIZER_CHECK(MulOverflow, mul_overflow, 0) \ SANITIZER_CHECK(MulOverflow, mul_overflow, 0) \
SANITIZER_CHECK(NegateOverflow, negate_overflow, 0) \ SANITIZER_CHECK(NegateOverflow, negate_overflow, 0) \
SANITIZER_CHECK(NullabilityArg, nullability_arg, 0) \ SANITIZER_CHECK(NullabilityArg, nullability_arg, 0) \
SANITIZER_CHECK(NullabilityReturn, nullability_return, 0) \ SANITIZER_CHECK(NullabilityReturn, nullability_return, 0) \
SANITIZER_CHECK(NonnullArg, nonnull_arg, 0) \ SANITIZER_CHECK(NonnullArg, nonnull_arg, 0) \
SANITIZER_CHECK(NonnullReturn, nonnull_return, 0) \ SANITIZER_CHECK(NonnullReturn, nonnull_return, 0) \
SANITIZER_CHECK(OutOfBounds, out_of_bounds, 0) \ SANITIZER_CHECK(OutOfBounds, out_of_bounds, 0) \
SANITIZER_CHECK(PointerOverflow, pointer_overflow, 0) \
SANITIZER_CHECK(ShiftOutOfBounds, shift_out_of_bounds, 0) \ SANITIZER_CHECK(ShiftOutOfBounds, shift_out_of_bounds, 0) \
SANITIZER_CHECK(SubOverflow, sub_overflow, 0) \ SANITIZER_CHECK(SubOverflow, sub_overflow, 0) \
SANITIZER_CHECK(TypeMismatch, type_mismatch, 1) \ SANITIZER_CHECK(TypeMismatch, type_mismatch, 1) \
SANITIZER_CHECK(VLABoundNotPositive, vla_bound_not_positive, 0) SANITIZER_CHECK(VLABoundNotPositive, vla_bound_not_positive, 0)
enum SanitizerHandler { enum SanitizerHandler {
#define SANITIZER_CHECK(Enum, Name, Version) Enum, #define SANITIZER_CHECK(Enum, Name, Version) Enum,
LIST_SANITIZER_CHECKS LIST_SANITIZER_CHECKS
▲ Show 20 LinesShow All 3,412 Lines▼ Show 20 Linespublic:
/// evaluate to true based on PGO data. /// evaluate to true based on PGO data.
void EmitBranchOnBoolExpr(const Expr *Cond, llvm::BasicBlock *TrueBlock, void EmitBranchOnBoolExpr(const Expr *Cond, llvm::BasicBlock *TrueBlock,
llvm::BasicBlock *FalseBlock, uint64_t TrueCount); llvm::BasicBlock *FalseBlock, uint64_t TrueCount);
/// Given an assignment `*LHS = RHS`, emit a test that checks if \p RHS is /// Given an assignment `*LHS = RHS`, emit a test that checks if \p RHS is
/// nonnull, if \p LHS is marked _Nonnull. /// nonnull, if \p LHS is marked _Nonnull.
void EmitNullabilityCheck(LValue LHS, llvm::Value *RHS, SourceLocation Loc); void EmitNullabilityCheck(LValue LHS, llvm::Value *RHS, SourceLocation Loc);
/// Same as IRBuilder::CreateInBoundsGEP, but additionally emits a check to
/// detect undefined behavior when the pointer overflow sanitizer is enabled.
llvm::Value *EmitCheckedInBoundsGEP(llvm::Value *Ptr,
ArrayRef<llvm::Value *> IdxList,
SourceLocation Loc,
const Twine &Name = "");
/// \brief Emit a description of a type in a format suitable for passing to /// \brief Emit a description of a type in a format suitable for passing to
/// a runtime sanitizer handler. /// a runtime sanitizer handler.
llvm::Constant *EmitCheckTypeDescriptor(QualType T); llvm::Constant *EmitCheckTypeDescriptor(QualType T);
/// \brief Convert a value into a format suitable for passing to a runtime /// \brief Convert a value into a format suitable for passing to a runtime
/// sanitizer handler. /// sanitizer handler.
llvm::Value *EmitCheckValue(llvm::Value *V); llvm::Value *EmitCheckValue(llvm::Value *V);
▲ Show 20 LinesShow All 336 LinesShow Last 20 Lines

test/CodeGen/ubsan-pointer-overflow.m

  • This file was added.
// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -w -emit-llvm -o - %s -fsanitize=pointer-overflow | FileCheck %s
// CHECK-LABEL: define void @unary_arith
void unary_arith(char *p) {
// CHECK: [[BASE:%.*]] = ptrtoint i8* {{.*}} to i64, !nosanitize
// CHECK-NEXT: [[COMPGEP:%.*]] = add i64 [[BASE]], 1, !nosanitize
// CHECK-NEXT: [[POSVALID:%.*]] = icmp uge i64 [[COMPGEP]], [[BASE]], !nosanitize
// CHECK-NEXT: [[NEGVALID:%.*]] = icmp ult i64 [[COMPGEP]], [[BASE]], !nosanitize
// CHECK-NEXT: [[DIFFVALID:%.*]] = select i1 true, i1 [[POSVALID]], i1 [[NEGVALID]], !nosanitize
// CHECK-NEXT: [[VALID:%.*]] = and i1 true, [[DIFFVALID]], !nosanitize
// CHECK-NEXT: br i1 [[VALID]]{{.*}}, !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}, i64 [[BASE]], i64 [[COMPGEP]]){{.*}}, !nosanitize
++p;
// CHECK: ptrtoint i8* {{.*}} to i64, !nosanitize
// CHECK-NEXT: add i64 {{.*}}, -1, !nosanitize
// CHECK: select i1 false{{.*}}, !nosanitize
// CHECK-NEXT: and i1 true{{.*}}, !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
--p;
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
p++;
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
p--;
}
// CHECK-LABEL: define void @binary_arith
void binary_arith(char *p, int i) {
// CHECK: [[SMUL:%.*]] = call { i64, i1 } @llvm.smul.with.overflow.i64(i64 1, i64 %{{.*}}), !nosanitize
// CHECK-NEXT: [[SMULOFLOW:%.*]] = extractvalue { i64, i1 } [[SMUL]], 1, !nosanitize
// CHECK-NEXT: [[OFFSETOFLOW:%.*]] = or i1 false, [[SMULOFLOW]], !nosanitize
// CHECK-NEXT: [[SMULVAL:%.*]] = extractvalue { i64, i1 } [[SMUL]], 0, !nosanitize
// CHECK-NEXT: [[BASE:%.*]] = ptrtoint i8* {{.*}} to i64, !nosanitize
// CHECK-NEXT: [[COMPGEP:%.*]] = add i64 [[BASE]], [[SMULVAL]], !nosanitize
// CHECK-NEXT: [[POSVALID:%.*]] = icmp uge i64 [[COMPGEP]], [[BASE]], !nosanitize
// CHECK-NEXT: [[NEGVALID:%.*]] = icmp ult i64 [[COMPGEP]], [[BASE]], !nosanitize
// CHECK-NEXT: [[POSOFFSET:%.*]] = icmp sge i64 [[SMULVAL]], 0, !nosanitize
// CHECK-NEXT: [[OFFSETVALID:%.*]] = xor i1 [[OFFSETOFLOW]], true, !nosanitize
// CHECK-NEXT: [[DIFFVALID:%.*]] = select i1 [[POSOFFSET]], i1 [[POSVALID]], i1 [[NEGVALID]], !nosanitize
// CHECK-NEXT: [[VALID:%.*]] = and i1 [[OFFSETVALID]], [[DIFFVALID]], !nosanitize
// CHECK-NEXT: br i1 [[VALID]]{{.*}}, !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}, i64 [[BASE]], i64 [[COMPGEP]]){{.*}}, !nosanitize
p + i;
// CHECK: [[OFFSET:%.*]] = sub i64 0, {{.*}}
// CHECK-NEXT: getelementptr inbounds {{.*}} [[OFFSET]]
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
p - i;
}
// CHECK-LABEL: define void @fixed_len_array
void fixed_len_array(int k) {
// CHECK: getelementptr inbounds [10 x [10 x i32]], [10 x [10 x i32]]* [[ARR:%.*]], i64 0, i64 [[IDXPROM:%.*]]
// CHECK-NEXT: [[SMUL:%.*]] = call { i64, i1 } @llvm.smul.with.overflow.i64(i64 40, i64 [[IDXPROM]]), !nosanitize
// CHECK-NEXT: [[SMULOFLOW:%.*]] = extractvalue { i64, i1 } [[SMUL]], 1, !nosanitize
// CHECK-NEXT: [[OFFSETOFLOW:%.*]] = or i1 false, [[SMULOFLOW]], !nosanitize
// CHECK-NEXT: [[SMULVAL:%.*]] = extractvalue { i64, i1 } [[SMUL]], 0, !nosanitize
// CHECK-NEXT: [[BASE:%.*]] = ptrtoint [10 x [10 x i32]]* [[ARR]] to i64, !nosanitize
// CHECK-NEXT: [[COMPGEP:%.*]] = add i64 [[BASE]], [[SMULVAL]], !nosanitize
// CHECK-NEXT: [[POSVALID:%.*]] = icmp uge i64 [[COMPGEP]], [[BASE]], !nosanitize
// CHECK-NEXT: [[NEGVALID:%.*]] = icmp ult i64 [[COMPGEP]], [[BASE]], !nosanitize
// CHECK-NEXT: [[POSOFFSET:%.*]] = icmp sge i64 [[SMULVAL]], 0, !nosanitize
// CHECK-NEXT: [[OFFSETVALID:%.*]] = xor i1 [[OFFSETOFLOW]], true, !nosanitize
// CHECK-NEXT: [[DIFFVALID:%.*]] = select i1 [[POSOFFSET]], i1 [[POSVALID]], i1 [[NEGVALID]], !nosanitize
// CHECK-NEXT: [[VALID:%.*]] = and i1 [[OFFSETVALID]], [[DIFFVALID]], !nosanitize
// CHECK-NEXT: br i1 [[VALID]]{{.*}}, !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}, i64 [[BASE]], i64 [[COMPGEP]]){{.*}}, !nosanitize
// CHECK: getelementptr inbounds [10 x i32], [10 x i32]* {{.*}}, i64 0, i64 [[IDXPROM1:%.*]]
// CHECK-NEXT: @llvm.smul.with.overflow.i64(i64 4, i64 [[IDXPROM1]]), !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
int arr[10][10];
arr[k][k];
}
// CHECK-LABEL: define void @variable_len_array
void variable_len_array(int n, int k) {
// CHECK: getelementptr inbounds i32, i32* {{.*}}, i64 [[IDXPROM:%.*]]
// CHECK-NEXT: @llvm.smul.with.overflow.i64(i64 4, i64 [[IDXPROM]]), !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
// CHECK: getelementptr inbounds i32, i32* {{.*}}, i64 [[IDXPROM1:%.*]]
// CHECK-NEXT: @llvm.smul.with.overflow.i64(i64 4, i64 [[IDXPROM1]]), !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
int arr[n][n];
arr[k][k];
}
// CHECK-LABEL: define void @pointer_array
void pointer_array(int **arr, int k) {
// CHECK: @llvm.smul.with.overflow.i64(i64 8, i64 {{.*}}), !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
// CHECK: @llvm.smul.with.overflow.i64(i64 4, i64 {{.*}}), !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
arr[k][k];
}
struct S1 {
int pad1;
union {
char leaf;
struct S1 *link;
} u;
struct S1 *arr;
};
// TODO: Currently, structure GEPs are not checked, so there are several
// potentially unsafe GEPs here which we don't instrument.
//
// CHECK-LABEL: define void @struct_index
void struct_index(struct S1 *p) {
// CHECK: getelementptr inbounds %struct.S1, %struct.S1* [[P:%.*]], i64 10
// CHECK-NEXT: [[BASE:%.*]] = ptrtoint %struct.S1* [[P]] to i64, !nosanitize
// CHECK-NEXT: [[COMPGEP:%.*]] = add i64 [[BASE]], 240, !nosanitize
// CHECK: @__ubsan_handle_pointer_overflow{{.*}} i64 [[BASE]], i64 [[COMPGEP]]) {{.*}}, !nosanitize
// CHECK-NOT: @__ubsan_handle_pointer_overflow_abort
p->arr[10].u.link->u.leaf;
}
typedef void (*funcptr_t)(void);
// CHECK-LABEL: define void @function_pointer_arith
void function_pointer_arith(funcptr_t *p, int k) {
// CHECK: add i64 {{.*}}, 8, !nosanitize
// CHECK: @__ubsan_handle_pointer_overflow{{.*}}
++p;
// CHECK: @llvm.smul.with.overflow.i64(i64 8, i64 {{.*}}), !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
p + k;
}
// CHECK-LABEL: define void @variable_len_array_arith
void variable_len_array_arith(int n, int k) {
int vla[n];
int (*p)[n] = &vla;
// CHECK: getelementptr inbounds i32, i32* {{.*}}, i64 [[INC:%.*]]
// CHECK: @llvm.smul.with.overflow.i64(i64 4, i64 [[INC]]), !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
++p;
// CHECK: getelementptr inbounds i32, i32* {{.*}}, i64 [[IDXPROM:%.*]]
// CHECK: @llvm.smul.with.overflow.i64(i64 4, i64 [[IDXPROM]]), !nosanitize
// CHECK: call void @__ubsan_handle_pointer_overflow{{.*}}
p + k;
}
// CHECK-LABEL: define void @objc_id
void objc_id(id *p) {
// CHECK: add i64 {{.*}}, 8, !nosanitize
// CHECK: @__ubsan_handle_pointer_overflow{{.*}}
p++;
}
// CHECK-LABEL: define void @dont_emit_checks_for_no_op_GEPs
// CHECK-NOT: __ubsan_handle_pointer_overflow
void dont_emit_checks_for_no_op_GEPs(char *p) {
&p[0];
int arr[10][10];
&arr[0][0];
}

test/Driver/fsanitize.c

// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-trap=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-trap=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-trap=undefined -fno-sanitize-trap=signed-integer-overflow %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP2 // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-trap=undefined -fno-sanitize-trap=signed-integer-overflow %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP2
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined-trap -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined-trap -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP
// RUN: %clang -target x86_64-linux-gnu -fsanitize-undefined-trap-on-error -fsanitize=undefined-trap %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize-undefined-trap-on-error -fsanitize=undefined-trap %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-TRAP
// CHECK-UNDEFINED-TRAP: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute|function),?){18}"}} // CHECK-UNDEFINED-TRAP: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|pointer-overflow|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute|function),?){19}"}}
// CHECK-UNDEFINED-TRAP: "-fsanitize-trap=alignment,array-bounds,bool,enum,float-cast-overflow,float-divide-by-zero,function,integer-divide-by-zero,nonnull-attribute,null,object-size,return,returns-nonnull-attribute,shift-base,shift-exponent,signed-integer-overflow,unreachable,vla-bound" // CHECK-UNDEFINED-TRAP: "-fsanitize-trap=alignment,array-bounds,bool,enum,float-cast-overflow,float-divide-by-zero,function,integer-divide-by-zero,nonnull-attribute,null,object-size,pointer-overflow,return,returns-nonnull-attribute,shift-base,shift-exponent,signed-integer-overflow,unreachable,vla-bound"
// CHECK-UNDEFINED-TRAP2: "-fsanitize-trap=alignment,array-bounds,bool,enum,float-cast-overflow,float-divide-by-zero,function,integer-divide-by-zero,nonnull-attribute,null,object-size,return,returns-nonnull-attribute,shift-base,shift-exponent,unreachable,vla-bound" // CHECK-UNDEFINED-TRAP2: "-fsanitize-trap=alignment,array-bounds,bool,enum,float-cast-overflow,float-divide-by-zero,function,integer-divide-by-zero,nonnull-attribute,null,object-size,pointer-overflow,return,returns-nonnull-attribute,shift-base,shift-exponent,unreachable,vla-bound"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED
// CHECK-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|vptr|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){19}"}} // CHECK-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|vptr|object-size|pointer-overflow|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){20}"}}
// RUN: %clang -target x86_64-apple-darwin10 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-DARWIN // RUN: %clang -target x86_64-apple-darwin10 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-DARWIN
// CHECK-UNDEFINED-DARWIN: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){17}"}} // CHECK-UNDEFINED-DARWIN: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|pointer-overflow|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){18}"}}
// RUN: %clang -target i386-unknown-openbsd -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-OPENBSD // RUN: %clang -target i386-unknown-openbsd -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-OPENBSD
// CHECK-UNDEFINED-OPENBSD: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){17}"}} // CHECK-UNDEFINED-OPENBSD: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|pointer-overflow|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){18}"}}
// RUN: %clang -target i386-pc-win32 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN32 // RUN: %clang -target i386-pc-win32 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN32
// RUN: %clang -target i386-pc-win32 -fsanitize=undefined -x c++ %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN32 --check-prefix=CHECK-UNDEFINED-WIN-CXX // RUN: %clang -target i386-pc-win32 -fsanitize=undefined -x c++ %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN32 --check-prefix=CHECK-UNDEFINED-WIN-CXX
// RUN: %clang -target x86_64-pc-win32 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN64 // RUN: %clang -target x86_64-pc-win32 -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN64
// RUN: %clang -target x86_64-pc-win32 -fsanitize=undefined -x c++ %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN64 --check-prefix=CHECK-UNDEFINED-WIN-CXX // RUN: %clang -target x86_64-pc-win32 -fsanitize=undefined -x c++ %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-WIN --check-prefix=CHECK-UNDEFINED-WIN64 --check-prefix=CHECK-UNDEFINED-WIN-CXX
// CHECK-UNDEFINED-WIN32: "--dependent-lib={{[^"]*}}ubsan_standalone-i386.lib" // CHECK-UNDEFINED-WIN32: "--dependent-lib={{[^"]*}}ubsan_standalone-i386.lib"
// CHECK-UNDEFINED-WIN64: "--dependent-lib={{[^"]*}}ubsan_standalone-x86_64.lib" // CHECK-UNDEFINED-WIN64: "--dependent-lib={{[^"]*}}ubsan_standalone-x86_64.lib"
// CHECK-UNDEFINED-WIN-CXX: "--dependent-lib={{[^"]*}}ubsan_standalone_cxx{{[^"]*}}.lib" // CHECK-UNDEFINED-WIN-CXX: "--dependent-lib={{[^"]*}}ubsan_standalone_cxx{{[^"]*}}.lib"
// CHECK-UNDEFINED-WIN-SAME: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){17}"}} // CHECK-UNDEFINED-WIN-SAME: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|pointer-overflow|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){18}"}}
// RUN: %clang -target i386-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN32 // RUN: %clang -target i386-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN32
// CHECK-COVERAGE-WIN32: "--dependent-lib={{[^"]*}}ubsan_standalone-i386.lib" // CHECK-COVERAGE-WIN32: "--dependent-lib={{[^"]*}}ubsan_standalone-i386.lib"
// RUN: %clang -target x86_64-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN64 // RUN: %clang -target x86_64-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN64
// CHECK-COVERAGE-WIN64: "--dependent-lib={{[^"]*}}ubsan_standalone-x86_64.lib" // CHECK-COVERAGE-WIN64: "--dependent-lib={{[^"]*}}ubsan_standalone-x86_64.lib"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=integer %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTEGER -implicit-check-not="-fsanitize-address-use-after-scope" // RUN: %clang -target x86_64-linux-gnu -fsanitize=integer %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTEGER -implicit-check-not="-fsanitize-address-use-after-scope"
// CHECK-INTEGER: "-fsanitize={{((signed-integer-overflow|unsigned-integer-overflow|integer-divide-by-zero|shift-base|shift-exponent),?){5}"}} // CHECK-INTEGER: "-fsanitize={{((signed-integer-overflow|unsigned-integer-overflow|integer-divide-by-zero|shift-base|shift-exponent),?){5}"}}
// RUN: %clang -fsanitize=bounds -### -fsyntax-only %s 2>&1 | FileCheck %s --check-prefix=CHECK-BOUNDS // RUN: %clang -fsanitize=bounds -### -fsyntax-only %s 2>&1 | FileCheck %s --check-prefix=CHECK-BOUNDS
// CHECK-BOUNDS: "-fsanitize={{((array-bounds|local-bounds),?){2}"}} // CHECK-BOUNDS: "-fsanitize={{((array-bounds|local-bounds),?){2}"}}
// RUN: %clang -target x86_64-linux-gnu -fsanitize=all %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSANITIZE-ALL // RUN: %clang -target x86_64-linux-gnu -fsanitize=all %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSANITIZE-ALL
// CHECK-FSANITIZE-ALL: error: unsupported argument 'all' to option 'fsanitize=' // CHECK-FSANITIZE-ALL: error: unsupported argument 'all' to option 'fsanitize='
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address,undefined -fno-sanitize=all -fsanitize=thread %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FNO-SANITIZE-ALL // RUN: %clang -target x86_64-linux-gnu -fsanitize=address,undefined -fno-sanitize=all -fsanitize=thread %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FNO-SANITIZE-ALL
// CHECK-FNO-SANITIZE-ALL: "-fsanitize=thread" // CHECK-FNO-SANITIZE-ALL: "-fsanitize=thread"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=thread,undefined -fno-sanitize=thread -fno-sanitize=float-cast-overflow,vptr,bool,enum %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PARTIAL-UNDEFINED // RUN: %clang -target x86_64-linux-gnu -fsanitize=thread,undefined -fno-sanitize=thread -fno-sanitize=float-cast-overflow,vptr,bool,enum %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PARTIAL-UNDEFINED
// CHECK-PARTIAL-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|array-bounds|returns-nonnull-attribute|nonnull-attribute),?){15}"}} // CHECK-PARTIAL-UNDEFINED: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|object-size|pointer-overflow|array-bounds|returns-nonnull-attribute|nonnull-attribute),?){16}"}}
// RUN: %clang -target x86_64-linux-gnu -fsanitize=shift -fno-sanitize=shift-base %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSANITIZE-SHIFT-PARTIAL // RUN: %clang -target x86_64-linux-gnu -fsanitize=shift -fno-sanitize=shift-base %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSANITIZE-SHIFT-PARTIAL
// CHECK-FSANITIZE-SHIFT-PARTIAL: "-fsanitize=shift-exponent" // CHECK-FSANITIZE-SHIFT-PARTIAL: "-fsanitize=shift-exponent"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr -fsanitize-trap=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-TRAP-UNDEF // RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr -fsanitize-trap=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-TRAP-UNDEF
// RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-TRAP-UNDEF // RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr -fsanitize-undefined-trap-on-error %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-TRAP-UNDEF
// CHECK-VPTR-TRAP-UNDEF: error: invalid argument '-fsanitize=vptr' not allowed with '-fsanitize-trap=undefined' // CHECK-VPTR-TRAP-UNDEF: error: invalid argument '-fsanitize=vptr' not allowed with '-fsanitize-trap=undefined'
▲ Show 20 LinesShow All 157 Lines▼ Show 20 Lines
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover=all -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover=all -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover -fsanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover -fsanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=all -fsanitize-recover=thread -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=all -fsanitize-recover=thread -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover=all -fno-sanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fsanitize-recover=all -fno-sanitize-recover=undefined -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-RECOVER-UBSAN
// CHECK-RECOVER-UBSAN: "-fsanitize-recover={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|vla-bound|alignment|null|vptr|object-size|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){17}"}} // CHECK-RECOVER-UBSAN: "-fsanitize-recover={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|function|shift-base|shift-exponent|vla-bound|alignment|null|vptr|object-size|pointer-overflow|float-cast-overflow|array-bounds|enum|bool|returns-nonnull-attribute|nonnull-attribute),?){18}"}}
// CHECK-NO-RECOVER-UBSAN-NOT: sanitize-recover // CHECK-NO-RECOVER-UBSAN-NOT: sanitize-recover
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=all -fsanitize-recover=object-size,shift-base -### 2>&1 | FileCheck %s --check-prefix=CHECK-PARTIAL-RECOVER // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=undefined -fno-sanitize-recover=all -fsanitize-recover=object-size,shift-base -### 2>&1 | FileCheck %s --check-prefix=CHECK-PARTIAL-RECOVER
// CHECK-PARTIAL-RECOVER: "-fsanitize-recover={{((object-size|shift-base),?){2}"}} // CHECK-PARTIAL-RECOVER: "-fsanitize-recover={{((object-size|shift-base),?){2}"}}
// RUN: %clang -target x86_64-linux-gnu %s -fsanitize=address -fsanitize-recover=all -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-ASAN // RUN: %clang -target x86_64-linux-gnu %s -fsanitize=address -fsanitize-recover=all -### 2>&1 | FileCheck %s --check-prefix=CHECK-RECOVER-ASAN
// CHECK-RECOVER-ASAN: "-fsanitize-recover=address" // CHECK-RECOVER-ASAN: "-fsanitize-recover=address"
▲ Show 20 LinesShow All 303 LinesShow Last 20 Lines