This is an archive of the discontinued LLVM Phabricator instance.

[ubsan] Null-check pointers in -fsanitize=vptr (PR33881)
ClosedPublic

Authored by vsk on Jul 21 2017, 1:33 PM.

Details

Summary

The instrumentation generated by -fsanitize=vptr does not null check a
user pointer before loading from it. This causes crashes in the face of
UB member calls (this=nullptr), i.e it causes user programs to crash only
after UBSan is turned on.

The fix is to make run-time null checking a prerequisite for enabling
-fsanitize=vptr, and to then teach UBSan to reuse these run-time null
checks to make -fsanitize=vptr safe.

Testing: check-clang, check-ubsan, a stage2 ubsan-enabled build
(Test updates in compiler-rt to follow in a separate patch)

https://bugs.llvm.org/show_bug.cgi?id=33881
rdar://problem/32659008

Diff Detail

Repository
rL LLVM

Event Timeline

aprantl added inline comments.Jul 21 2017, 3:26 PM
test/CodeGenCXX/ubsan-devirtualized-calls.cpp
1 ↗(On Diff #107711)

Perhaps match for the labels instead of restricting to assert only?

vsk updated this revision to Diff 107741.Jul 21 2017, 3:48 PM
vsk marked an inline comment as done.
  • Drop 'REQUIRES: asserts'.
arphaman accepted this revision.Jul 24 2017, 6:14 AM

LGTM!

test/CodeGenCXX/ubsan-devirtualized-calls.cpp
67 ↗(On Diff #107741)

NIT: because

test/CodeGenCXX/ubsan-type-checks.cpp
5 ↗(On Diff #107741)

You might want to check that the vptr type check is still emitted without -fsanitize=null when PtrToAlloca is true, because it doesn't look that scenario is tested.

This revision is now accepted and ready to land.Jul 24 2017, 6:14 AM

You might also want to mention the fact that -fsanitizer=vptr requires null in the release notes.

This revision was automatically updated to reflect the committed changes.
vsk marked an inline comment as done.Jul 25 2017, 12:35 PM

I made the suggested test changes and updated the release notes: r309007