This is an archive of the discontinued LLVM Phabricator instance.

Differential D35735

[ubsan] Null-check pointers in -fsanitize=vptr (PR33881)
ClosedPublic

Authored by vsk on Jul 21 2017, 1:33 PM.

Details

Reviewers
rsmith
arphaman
aprantl
Commits
rGbbc953fed443: [ubsan] Null-check pointers in -fsanitize=vptr (PR33881)
rC309007: [ubsan] Null-check pointers in -fsanitize=vptr (PR33881)
rL309007: [ubsan] Null-check pointers in -fsanitize=vptr (PR33881)
Summary

The instrumentation generated by -fsanitize=vptr does not null check a
user pointer before loading from it. This causes crashes in the face of
UB member calls (this=nullptr), i.e it causes user programs to crash only
after UBSan is turned on.

The fix is to make run-time null checking a prerequisite for enabling
-fsanitize=vptr, and to then teach UBSan to reuse these run-time null
checks to make -fsanitize=vptr safe.

Testing: check-clang, check-ubsan, a stage2 ubsan-enabled build
(Test updates in compiler-rt to follow in a separate patch)

https://bugs.llvm.org/show_bug.cgi?id=33881
rdar://problem/32659008

Diff Detail

Repository
rL LLVM

Event Timeline

vsk created this revision.Jul 21 2017, 1:33 PM
vsk added a child revision: D35736: [ubsan] -fsanitize=vptr now requires -fsanitize=null, update tests.
aprantl added inline comments.Jul 21 2017, 3:26 PM
test/CodeGenCXX/ubsan-devirtualized-calls.cpp
1 ↗(On Diff #107711)

Perhaps match for the labels instead of restricting to assert only?

vsk updated this revision to Diff 107741.Jul 21 2017, 3:48 PM
vsk marked an inline comment as done.
  • Drop 'REQUIRES: asserts'.
arphaman accepted this revision.Jul 24 2017, 6:14 AM

LGTM!

test/CodeGenCXX/ubsan-devirtualized-calls.cpp
67 ↗(On Diff #107741)

NIT: because

test/CodeGenCXX/ubsan-type-checks.cpp
5 ↗(On Diff #107741)

You might want to check that the vptr type check is still emitted without -fsanitize=null when PtrToAlloca is true, because it doesn't look that scenario is tested.

This revision is now accepted and ready to land.Jul 24 2017, 6:14 AM
arphaman added a comment.Jul 24 2017, 6:17 AM

You might also want to mention the fact that -fsanitizer=vptr requires null in the release notes.

Closed by commit rL309007: [ubsan] Null-check pointers in -fsanitize=vptr (PR33881) (authored by vedantk). · Explain WhyJul 25 2017, 12:35 PM
This revision was automatically updated to reflect the committed changes.
vsk marked an inline comment as done.Jul 25 2017, 12:35 PM

I made the suggested test changes and updated the release notes: r309007

Revision Contents

PathSize
cfe/
trunk/
docs/
4 lines
10 lines
include/
clang/
Basic/
5 lines
1 line
lib/
CodeGen/
25 lines
Driver/
7 lines
test/
CodeGenCXX/
4 lines
9 lines
46 lines
4 lines
Driver/
8 lines
12 lines

Diff 108133

cfe/trunk/docs/ReleaseNotes.rst

Show First 20 LinesShow All 149 Lines▼ Show 20 Lines
Static Analyzer Static Analyzer
--------------- ---------------
... ...
Undefined Behavior Sanitizer (UBSan) Undefined Behavior Sanitizer (UBSan)
------------------------------------ ------------------------------------
... The C++ dynamic type check now requires run-time null checking (i.e,
`-fsanitize=vptr` cannot be used without `-fsanitize=null`). This change does
not impact users who rely on UBSan check groups (e.g `-fsanitize=undefined`).
Core Analysis Improvements Core Analysis Improvements
========================== ==========================
- ... - ...
New Issues Found New Issues Found
================ ================
Show All 26 Lines

cfe/trunk/docs/UndefinedBehaviorSanitizer.rst

Show First 20 LinesShow All 124 Lines▼ Show 20 LinesAvailable checks are:
- ``-fsanitize=unreachable``: If control flow reaches - ``-fsanitize=unreachable``: If control flow reaches
``__builtin_unreachable``. ``__builtin_unreachable``.
- ``-fsanitize=unsigned-integer-overflow``: Unsigned integer - ``-fsanitize=unsigned-integer-overflow``: Unsigned integer
overflows. Note that unlike signed integer overflow, unsigned integer overflows. Note that unlike signed integer overflow, unsigned integer
is not undefined behavior. However, while it has well-defined semantics, is not undefined behavior. However, while it has well-defined semantics,
it is often unintentional, so UBSan offers to catch it. it is often unintentional, so UBSan offers to catch it.
- ``-fsanitize=vla-bound``: A variable-length array whose bound - ``-fsanitize=vla-bound``: A variable-length array whose bound
does not evaluate to a positive value. does not evaluate to a positive value.
- ``-fsanitize=vptr``: Use of an object whose vptr indicates that - ``-fsanitize=vptr``: Use of an object whose vptr indicates that it is of
it is of the wrong dynamic type, or that its lifetime has not the wrong dynamic type, or that its lifetime has not begun or has ended.
begun or has ended. Incompatible with ``-fno-rtti``. Link must Incompatible with ``-fno-rtti`` and ``-fno-sanitize=null``. Link must be
be performed by ``clang++``, not ``clang``, to make sure C++-specific performed by ``clang++``, not ``clang``, to make sure C++-specific parts of
parts of the runtime library and C++ standard libraries are present. the runtime library and C++ standard libraries are present.
You can also use the following check groups: You can also use the following check groups:
- ``-fsanitize=undefined``: All of the checks listed above other than - ``-fsanitize=undefined``: All of the checks listed above other than
``unsigned-integer-overflow`` and the ``nullability-*`` checks. ``unsigned-integer-overflow`` and the ``nullability-*`` checks.
- ``-fsanitize=undefined-trap``: Deprecated alias of - ``-fsanitize=undefined-trap``: Deprecated alias of
``-fsanitize=undefined``. ``-fsanitize=undefined``.
- ``-fsanitize=integer``: Checks for undefined or suspicious integer - ``-fsanitize=integer``: Checks for undefined or suspicious integer
behavior (e.g. unsigned integer overflow). behavior (e.g. unsigned integer overflow).
▲ Show 20 LinesShow All 134 LinesShow Last 20 Lines

cfe/trunk/include/clang/Basic/DiagnosticDriverKinds.td

Show First 20 LinesShow All 224 Lines▼ Show 20 Linesdef warn_incompatible_sysroot : Warning<"using sysroot for '%0' but targeting '%1'">,
InGroup<DiagGroup<"incompatible-sysroot">>; InGroup<DiagGroup<"incompatible-sysroot">>;
def warn_debug_compression_unavailable : Warning<"cannot compress debug sections (zlib not installed)">, def warn_debug_compression_unavailable : Warning<"cannot compress debug sections (zlib not installed)">,
InGroup<DiagGroup<"debug-compression-unavailable">>; InGroup<DiagGroup<"debug-compression-unavailable">>;
def warn_drv_enabling_rtti_with_exceptions : Warning< def warn_drv_enabling_rtti_with_exceptions : Warning<
"implicitly enabling rtti for exception handling">, "implicitly enabling rtti for exception handling">,
InGroup<DiagGroup<"rtti-for-exceptions">>; InGroup<DiagGroup<"rtti-for-exceptions">>;
def warn_drv_disabling_vptr_no_rtti_default : Warning< def warn_drv_disabling_vptr_no_rtti_default : Warning<
"implicitly disabling vptr sanitizer because rtti wasn't enabled">, "implicitly disabling vptr sanitizer because rtti wasn't enabled">,
InGroup<DiagGroup<"auto-disable-vptr-sanitizer">>; InGroup<AutoDisableVptrSanitizer>;
def warn_drv_disabling_vptr_no_null_check : Warning<
"implicitly disabling vptr sanitizer because null checking wasn't enabled">,
InGroup<AutoDisableVptrSanitizer>;
def warn_drv_object_size_disabled_O0 : Warning< def warn_drv_object_size_disabled_O0 : Warning<
"the object size sanitizer has no effect at -O0, but is explicitly enabled: %0">, "the object size sanitizer has no effect at -O0, but is explicitly enabled: %0">,
InGroup<InvalidCommandLineArgument>; InGroup<InvalidCommandLineArgument>;
def note_drv_command_failed_diag_msg : Note< def note_drv_command_failed_diag_msg : Note<
"diagnostic msg: %0">; "diagnostic msg: %0">;
def note_drv_t_option_is_global : Note< def note_drv_t_option_is_global : Note<
"The last /TC or /TP option takes precedence over earlier instances">; "The last /TC or /TP option takes precedence over earlier instances">;
▲ Show 20 LinesShow All 65 LinesShow Last 20 Lines

cfe/trunk/include/clang/Basic/DiagnosticGroups.td

Show All 21 Lines
def AddressOfTemporary : DiagGroup<"address-of-temporary">; def AddressOfTemporary : DiagGroup<"address-of-temporary">;
def : DiagGroup<"aggregate-return">; def : DiagGroup<"aggregate-return">;
def GNUAlignofExpression : DiagGroup<"gnu-alignof-expression">; def GNUAlignofExpression : DiagGroup<"gnu-alignof-expression">;
def AmbigMemberTemplate : DiagGroup<"ambiguous-member-template">; def AmbigMemberTemplate : DiagGroup<"ambiguous-member-template">;
def GNUAnonymousStruct : DiagGroup<"gnu-anonymous-struct">; def GNUAnonymousStruct : DiagGroup<"gnu-anonymous-struct">;
def GNUAutoType : DiagGroup<"gnu-auto-type">; def GNUAutoType : DiagGroup<"gnu-auto-type">;
def ArrayBounds : DiagGroup<"array-bounds">; def ArrayBounds : DiagGroup<"array-bounds">;
def ArrayBoundsPointerArithmetic : DiagGroup<"array-bounds-pointer-arithmetic">; def ArrayBoundsPointerArithmetic : DiagGroup<"array-bounds-pointer-arithmetic">;
def AutoDisableVptrSanitizer : DiagGroup<"auto-disable-vptr-sanitizer">;
def Availability : DiagGroup<"availability">; def Availability : DiagGroup<"availability">;
def Section : DiagGroup<"section">; def Section : DiagGroup<"section">;
def AutoImport : DiagGroup<"auto-import">; def AutoImport : DiagGroup<"auto-import">;
def CXX14BinaryLiteral : DiagGroup<"c++14-binary-literal">; def CXX14BinaryLiteral : DiagGroup<"c++14-binary-literal">;
def GNUBinaryLiteral : DiagGroup<"gnu-binary-literal">; def GNUBinaryLiteral : DiagGroup<"gnu-binary-literal">;
def GNUCompoundLiteralInitializer : DiagGroup<"gnu-compound-literal-initializer">; def GNUCompoundLiteralInitializer : DiagGroup<"gnu-compound-literal-initializer">;
def BitFieldConstantConversion : DiagGroup<"bitfield-constant-conversion">; def BitFieldConstantConversion : DiagGroup<"bitfield-constant-conversion">;
def BitFieldEnumConversion : DiagGroup<"bitfield-enum-conversion">; def BitFieldEnumConversion : DiagGroup<"bitfield-enum-conversion">;
▲ Show 20 LinesShow All 892 LinesShow Last 20 Lines

cfe/trunk/lib/CodeGen/CGExpr.cpp

Show First 20 LinesShow All 598 Lines▼ Show 20 Linesvoid CodeGenFunction::EmitTypeCheck(TypeCheckKind TCK, SourceLocation Loc,
llvm::BasicBlock *Done = nullptr; llvm::BasicBlock *Done = nullptr;
// Quickly determine whether we have a pointer to an alloca. It's possible // Quickly determine whether we have a pointer to an alloca. It's possible
// to skip null checks, and some alignment checks, for these pointers. This // to skip null checks, and some alignment checks, for these pointers. This
// can reduce compile-time significantly. // can reduce compile-time significantly.
auto PtrToAlloca = auto PtrToAlloca =
dyn_cast<llvm::AllocaInst>(Ptr->stripPointerCastsNoFollowAliases()); dyn_cast<llvm::AllocaInst>(Ptr->stripPointerCastsNoFollowAliases());
llvm::Value *IsNonNull = nullptr;
bool IsGuaranteedNonNull =
SkippedChecks.has(SanitizerKind::Null) || PtrToAlloca;
bool AllowNullPointers = TCK == TCK_DowncastPointer || TCK == TCK_Upcast || bool AllowNullPointers = TCK == TCK_DowncastPointer || TCK == TCK_Upcast ||
TCK == TCK_UpcastToVirtualBase; TCK == TCK_UpcastToVirtualBase;
if ((SanOpts.has(SanitizerKind::Null) || AllowNullPointers) && if ((SanOpts.has(SanitizerKind::Null) || AllowNullPointers) &&
!SkippedChecks.has(SanitizerKind::Null) && !PtrToAlloca) { !IsGuaranteedNonNull) {
// The glvalue must not be an empty glvalue. // The glvalue must not be an empty glvalue.
llvm::Value *IsNonNull = Builder.CreateIsNotNull(Ptr); IsNonNull = Builder.CreateIsNotNull(Ptr);
// The IR builder can constant-fold the null check if the pointer points to // The IR builder can constant-fold the null check if the pointer points to
// a constant. // a constant.
bool PtrIsNonNull = IsGuaranteedNonNull =
IsNonNull == llvm::ConstantInt::getTrue(getLLVMContext()); IsNonNull == llvm::ConstantInt::getTrue(getLLVMContext());
// Skip the null check if the pointer is known to be non-null. // Skip the null check if the pointer is known to be non-null.
if (!PtrIsNonNull) { if (!IsGuaranteedNonNull) {
if (AllowNullPointers) { if (AllowNullPointers) {
// When performing pointer casts, it's OK if the value is null. // When performing pointer casts, it's OK if the value is null.
// Skip the remaining checks in that case. // Skip the remaining checks in that case.
Done = createBasicBlock("null"); Done = createBasicBlock("null");
llvm::BasicBlock *Rest = createBasicBlock("not.null"); llvm::BasicBlock *Rest = createBasicBlock("not.null");
Builder.CreateCondBr(IsNonNull, Rest, Done); Builder.CreateCondBr(IsNonNull, Rest, Done);
EmitBlock(Rest); EmitBlock(Rest);
} else { } else {
▲ Show 20 LinesShow All 57 Lines▼ Show 20 Linesvoid CodeGenFunction::EmitTypeCheck(TypeCheckKind TCK, SourceLocation Loc,
// type Ty at offset zero within this object. // type Ty at offset zero within this object.
// //
// C++11 [basic.life]p5,6: // C++11 [basic.life]p5,6:
// [For storage which does not refer to an object within its lifetime] // [For storage which does not refer to an object within its lifetime]
// The program has undefined behavior if: // The program has undefined behavior if:
// -- the [pointer or glvalue] is used to access a non-static data member // -- the [pointer or glvalue] is used to access a non-static data member
// or call a non-static member function // or call a non-static member function
CXXRecordDecl *RD = Ty->getAsCXXRecordDecl(); CXXRecordDecl *RD = Ty->getAsCXXRecordDecl();
bool HasNullCheck = IsGuaranteedNonNull || IsNonNull;
if (SanOpts.has(SanitizerKind::Vptr) && if (SanOpts.has(SanitizerKind::Vptr) &&
!SkippedChecks.has(SanitizerKind::Vptr) && !SkippedChecks.has(SanitizerKind::Vptr) && HasNullCheck &&
(TCK == TCK_MemberAccess || TCK == TCK_MemberCall || (TCK == TCK_MemberAccess || TCK == TCK_MemberCall ||
TCK == TCK_DowncastPointer || TCK == TCK_DowncastReference || TCK == TCK_DowncastPointer || TCK == TCK_DowncastReference ||
TCK == TCK_UpcastToVirtualBase) && TCK == TCK_UpcastToVirtualBase) &&
RD && RD->hasDefinition() && RD->isDynamicClass()) { RD && RD->hasDefinition() && RD->isDynamicClass()) {
// Ensure that the pointer is non-null before loading it. If there is no
// compile-time guarantee, reuse the run-time null check.
if (!IsGuaranteedNonNull) {
assert(IsNonNull && "Missing run-time null check");
if (!Done)
Done = createBasicBlock("vptr.null");
llvm::BasicBlock *VptrNotNull = createBasicBlock("vptr.not.null");
Builder.CreateCondBr(IsNonNull, VptrNotNull, Done);
EmitBlock(VptrNotNull);
}
// Compute a hash of the mangled name of the type. // Compute a hash of the mangled name of the type.
// //
// FIXME: This is not guaranteed to be deterministic! Move to a // FIXME: This is not guaranteed to be deterministic! Move to a
// fingerprinting mechanism once LLVM provides one. For the time // fingerprinting mechanism once LLVM provides one. For the time
// being the implementation happens to be deterministic. // being the implementation happens to be deterministic.
SmallString<64> MangledName; SmallString<64> MangledName;
llvm::raw_svector_ostream Out(MangledName); llvm::raw_svector_ostream Out(MangledName);
CGM.getCXXABI().getMangleContext().mangleCXXRTTI(Ty.getUnqualifiedType(), CGM.getCXXABI().getMangleContext().mangleCXXRTTI(Ty.getUnqualifiedType(),
▲ Show 20 LinesShow All 3,930 LinesShow Last 20 Lines

cfe/trunk/lib/Driver/SanitizerArgs.cpp

Show First 20 LinesShow All 300 Lines▼ Show 20 LinesSanitizerArgs::SanitizerArgs(const ToolChain &TC,
// We disable the vptr sanitizer if it was enabled by group expansion but RTTI // We disable the vptr sanitizer if it was enabled by group expansion but RTTI
// is disabled. // is disabled.
if ((Kinds & Vptr) && if ((Kinds & Vptr) &&
(RTTIMode == ToolChain::RM_DisabledImplicitly || (RTTIMode == ToolChain::RM_DisabledImplicitly ||
RTTIMode == ToolChain::RM_DisabledExplicitly)) { RTTIMode == ToolChain::RM_DisabledExplicitly)) {
Kinds &= ~Vptr; Kinds &= ~Vptr;
} }
// Disable -fsanitize=vptr if -fsanitize=null is not enabled (the vptr
// instrumentation is broken without run-time null checks).
if ((Kinds & Vptr) && !(Kinds & Null)) {
Kinds &= ~Vptr;
D.Diag(diag::warn_drv_disabling_vptr_no_null_check);
}
// Check that LTO is enabled if we need it. // Check that LTO is enabled if we need it.
if ((Kinds & NeedsLTO) && !D.isUsingLTO()) { if ((Kinds & NeedsLTO) && !D.isUsingLTO()) {
D.Diag(diag::err_drv_argument_only_allowed_with) D.Diag(diag::err_drv_argument_only_allowed_with)
<< lastArgumentForMask(D, Args, Kinds & NeedsLTO) << "-flto"; << lastArgumentForMask(D, Args, Kinds & NeedsLTO) << "-flto";
} }
// Report error if there are non-trapping sanitizers that require // Report error if there are non-trapping sanitizers that require
// c++abi-specific parts of UBSan runtime, and they are not provided by the // c++abi-specific parts of UBSan runtime, and they are not provided by the
▲ Show 20 LinesShow All 551 LinesShow Last 20 Lines

cfe/trunk/test/CodeGenCXX/catch-undef-behavior.cpp

// RUN: %clang_cc1 -std=c++11 -fsanitize=signed-integer-overflow,integer-divide-by-zero,float-divide-by-zero,shift-base,shift-exponent,unreachable,return,vla-bound,alignment,null,vptr,object-size,float-cast-overflow,bool,enum,array-bounds,function -fsanitize-recover=signed-integer-overflow,integer-divide-by-zero,float-divide-by-zero,shift-base,shift-exponent,vla-bound,alignment,null,vptr,object-size,float-cast-overflow,bool,enum,array-bounds,function -emit-llvm %s -o - -triple x86_64-linux-gnu | opt -instnamer -S | FileCheck %s // RUN: %clang_cc1 -std=c++11 -fsanitize=signed-integer-overflow,integer-divide-by-zero,float-divide-by-zero,shift-base,shift-exponent,unreachable,return,vla-bound,alignment,null,vptr,object-size,float-cast-overflow,bool,enum,array-bounds,function -fsanitize-recover=signed-integer-overflow,integer-divide-by-zero,float-divide-by-zero,shift-base,shift-exponent,vla-bound,alignment,null,vptr,object-size,float-cast-overflow,bool,enum,array-bounds,function -emit-llvm %s -o - -triple x86_64-linux-gnu | opt -instnamer -S | FileCheck %s
// RUN: %clang_cc1 -std=c++11 -fsanitize=vptr,address -fsanitize-recover=vptr,address -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefix=CHECK-ASAN // RUN: %clang_cc1 -std=c++11 -fsanitize=null,vptr,address -fsanitize-recover=null,vptr,address -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefix=CHECK-ASAN
// RUN: %clang_cc1 -std=c++11 -fsanitize=vptr -fsanitize-recover=vptr -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefix=DOWNCAST-NULL // RUN: %clang_cc1 -std=c++11 -fsanitize=null,vptr -fsanitize-recover=null,vptr -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefix=DOWNCAST-NULL
// RUN: %clang_cc1 -std=c++11 -fsanitize=function -emit-llvm %s -o - -triple x86_64-linux-gnux32 | FileCheck %s --check-prefix=CHECK-X32 // RUN: %clang_cc1 -std=c++11 -fsanitize=function -emit-llvm %s -o - -triple x86_64-linux-gnux32 | FileCheck %s --check-prefix=CHECK-X32
// RUN: %clang_cc1 -std=c++11 -fsanitize=function -emit-llvm %s -o - -triple i386-linux-gnu | FileCheck %s --check-prefix=CHECK-X86 // RUN: %clang_cc1 -std=c++11 -fsanitize=function -emit-llvm %s -o - -triple i386-linux-gnu | FileCheck %s --check-prefix=CHECK-X86
struct S { struct S {
double d; double d;
int a, b; int a, b;
virtual int f(); virtual int f();
}; };
▲ Show 20 LinesShow All 524 LinesShow Last 20 Lines

cfe/trunk/test/CodeGenCXX/ubsan-devirtualized-calls.cpp

// RUN: %clang_cc1 -std=c++11 -triple %itanium_abi_triple -emit-llvm -fsanitize=vptr %s -o - | FileCheck %s // RUN: %clang_cc1 -std=c++11 -triple %itanium_abi_triple -emit-llvm -fsanitize=null,vptr %s -o - | FileCheck %s
struct Base1 { struct Base1 {
virtual void f1() {} virtual void f1() {}
}; };
struct Base2 { struct Base2 {
virtual void f1() {} virtual void f1() {}
}; };
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Lines
// CHECK-LABEL: define void @_Z2t4v // CHECK-LABEL: define void @_Z2t4v
void t4() { void t4() {
Base1 p; Base1 p;
Derived3 *badp = static_cast<Derived3 *>(&p); //< Check that &p isa Derived3. Derived3 *badp = static_cast<Derived3 *>(&p); //< Check that &p isa Derived3.
// CHECK: %[[P1:[0-9]+]] = ptrtoint %struct.Derived3* {{%[0-9]+}} to i{{[0-9]+}}, !nosanitize // CHECK: %[[P1:[0-9]+]] = ptrtoint %struct.Derived3* {{%[0-9]+}} to i{{[0-9]+}}, !nosanitize
// CHECK-NEXT: call void @__ubsan_handle_dynamic_type_cache{{[_a-z]*}}({{.*}} [[UBSAN_TI_DERIVED3]] {{.*}}, i{{[0-9]+}} %[[P1]] // CHECK-NEXT: call void @__ubsan_handle_dynamic_type_cache{{[_a-z]*}}({{.*}} [[UBSAN_TI_DERIVED3]] {{.*}}, i{{[0-9]+}} %[[P1]]
static_cast<Base1 *>(badp)->f1(); //< No devirt, test 'badp isa Base1'. static_cast<Base1 *>(badp)->f1(); //< No devirt, test 'badp isa Base1'.
// We were able to skip the null check on the first type check because 'p'
// is backed by an alloca. We can't skip the second null check because 'badp'
// is a (bitcast (load ...)).
// CHECK: call void @__ubsan_handle_type_mismatch
//
// CHECK: %[[BADP1:[0-9]+]] = ptrtoint %struct.Base1* {{%[0-9]+}} to i{{[0-9]+}}, !nosanitize // CHECK: %[[BADP1:[0-9]+]] = ptrtoint %struct.Base1* {{%[0-9]+}} to i{{[0-9]+}}, !nosanitize
// CHECK-NEXT: call void @__ubsan_handle_dynamic_type_cache{{[_a-z]*}}({{.*}} [[UBSAN_TI_BASE1]] {{.*}}, i{{[0-9]+}} %[[BADP1]] // CHECK-NEXT: call void @__ubsan_handle_dynamic_type_cache{{[_a-z]*}}({{.*}} [[UBSAN_TI_BASE1]] {{.*}}, i{{[0-9]+}} %[[BADP1]]
} }
// CHECK-LABEL: define void @_Z2t5v // CHECK-LABEL: define void @_Z2t5v
void t5() { void t5() {
Base1 p; Base1 p;
Derived4 *badp = static_cast<Derived4 *>(&p); //< Check that &p isa Derived4. Derived4 *badp = static_cast<Derived4 *>(&p); //< Check that &p isa Derived4.
// CHECK: %[[P1:[0-9]+]] = ptrtoint %struct.Derived4* {{%[0-9]+}} to i{{[0-9]+}}, !nosanitize // CHECK: %[[P1:[0-9]+]] = ptrtoint %struct.Derived4* {{%[0-9]+}} to i{{[0-9]+}}, !nosanitize
// CHECK-NEXT: call void @__ubsan_handle_dynamic_type_cache{{[_a-z]*}}({{.*}} [[UBSAN_TI_DERIVED4_1]] {{.*}}, i{{[0-9]+}} %[[P1]] // CHECK-NEXT: call void @__ubsan_handle_dynamic_type_cache{{[_a-z]*}}({{.*}} [[UBSAN_TI_DERIVED4_1]] {{.*}}, i{{[0-9]+}} %[[P1]]
static_cast<Base1 *>(badp)->f1(); //< Devirt Base1::f1 to Derived4::f1. static_cast<Base1 *>(badp)->f1(); //< Devirt Base1::f1 to Derived4::f1.
// CHECK: call void @__ubsan_handle_type_mismatch
//
// CHECK: %[[BADP1:[0-9]+]] = ptrtoint %struct.Derived4* {{%[0-9]+}} to i{{[0-9]+}}, !nosanitize // CHECK: %[[BADP1:[0-9]+]] = ptrtoint %struct.Derived4* {{%[0-9]+}} to i{{[0-9]+}}, !nosanitize
// CHECK-NEXT: call void @__ubsan_handle_dynamic_type_cache{{[_a-z]*}}({{.*}} [[UBSAN_TI_DERIVED4_2]] {{.*}}, i{{[0-9]+}} %[[BADP1]] // CHECK-NEXT: call void @__ubsan_handle_dynamic_type_cache{{[_a-z]*}}({{.*}} [[UBSAN_TI_DERIVED4_2]] {{.*}}, i{{[0-9]+}} %[[BADP1]]
} }

cfe/trunk/test/CodeGenCXX/ubsan-type-checks.cpp

// RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=alignment | FileCheck %s -check-prefixes=ALIGN,COMMON // RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=alignment | FileCheck %s -check-prefixes=ALIGN,COMMON
// RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=null | FileCheck %s -check-prefixes=NULL,COMMON // RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=null | FileCheck %s -check-prefixes=NULL,COMMON
// RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=object-size | FileCheck %s -check-prefixes=OBJSIZE,COMMON // RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=object-size | FileCheck %s -check-prefixes=OBJSIZE,COMMON
// RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=null,vptr | FileCheck %s -check-prefixes=VPTR
// RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=vptr | FileCheck %s -check-prefixes=VPTR_NO_NULL
struct A { struct A {
// COMMON-LABEL: define linkonce_odr void @_ZN1A10do_nothingEv // COMMON-LABEL: define linkonce_odr void @_ZN1A10do_nothingEv
void do_nothing() { void do_nothing() {
// ALIGN-NOT: ptrtoint %struct.A* %{{.*}} to i64, !nosanitize // ALIGN-NOT: ptrtoint %struct.A* %{{.*}} to i64, !nosanitize
// NULL: icmp ne %struct.A* %{{.*}}, null, !nosanitize // NULL: icmp ne %struct.A* %{{.*}}, null, !nosanitize
// OBJSIZE-NOT: call i64 @llvm.objectsize // OBJSIZE-NOT: call i64 @llvm.objectsize
} }
}; };
struct B { struct B {
int x; int x;
// COMMON-LABEL: define linkonce_odr void @_ZN1B10do_nothingEv // COMMON-LABEL: define linkonce_odr void @_ZN1B10do_nothingEv
void do_nothing() { void do_nothing() {
// ALIGN: ptrtoint %struct.B* %{{.*}} to i64, !nosanitize // ALIGN: ptrtoint %struct.B* %{{.*}} to i64, !nosanitize
// ALIGN: and i64 %{{.*}}, 3, !nosanitize // ALIGN: and i64 %{{.*}}, 3, !nosanitize
// NULL: icmp ne %struct.B* %{{.*}}, null, !nosanitize // NULL: icmp ne %struct.B* %{{.*}}, null, !nosanitize
// OBJSIZE-NOT: call i64 @llvm.objectsize // OBJSIZE-NOT: call i64 @llvm.objectsize
// OBJSIZE: ret void
} }
}; };
void force_irgen() { struct Animal {
virtual const char *speak() = 0;
};
struct Cat : Animal {
const char *speak() override { return "meow"; }
};
struct Dog : Animal {
const char *speak() override { return "woof"; }
};
// VPTR-LABEL: define void @_Z12invalid_castP3Cat
void invalid_cast(Cat *cat = nullptr) {
// First, null check the pointer:
//
// VPTR: [[ICMP:%.*]] = icmp ne %struct.Dog* {{.*}}, null
// VPTR-NEXT: br i1 [[ICMP]]
// VPTR: call void @__ubsan_handle_type_mismatch
//
// Once we're done emitting the null check, reuse the check to see if we can
// proceed to the vptr check:
//
// VPTR: br i1 [[ICMP]]
// VPTR: call void @__ubsan_handle_dynamic_type_cache_miss
auto *badDog = reinterpret_cast<Dog *>(cat);
badDog->speak();
}
// VPTR_NO_NULL-LABEL: define void @_Z13invalid_cast2v
void invalid_cast2() {
// We've got a pointer to an alloca, so there's no run-time null check needed.
// VPTR_NO_NULL-NOT: call void @__ubsan_handle_type_mismatch
// VPTR_NO_NULL: call void @__ubsan_handle_dynamic_type_cache_miss
Cat cat;
cat.speak();
}
int main() {
A a; A a;
a.do_nothing(); a.do_nothing();
B b; B b;
b.do_nothing(); b.do_nothing();
invalid_cast();
return 0;
} }

cfe/trunk/test/CodeGenCXX/ubsan-vtable-checks.cpp

// RUN: %clang_cc1 -std=c++11 -triple x86_64-unknown-linux -emit-llvm -fsanitize=null %s -o - | FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-NULL --check-prefix=ITANIUM // RUN: %clang_cc1 -std=c++11 -triple x86_64-unknown-linux -emit-llvm -fsanitize=null %s -o - | FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-NULL --check-prefix=ITANIUM
// RUN: %clang_cc1 -std=c++11 -triple x86_64-windows -emit-llvm -fsanitize=null %s -o - | FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-NULL --check-prefix=MSABI // RUN: %clang_cc1 -std=c++11 -triple x86_64-windows -emit-llvm -fsanitize=null %s -o - | FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-NULL --check-prefix=MSABI
// RUN: %clang_cc1 -std=c++11 -triple x86_64-unknown-linux -emit-llvm -fsanitize=vptr %s -o - | FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-VPTR --check-prefix=ITANIUM // RUN: %clang_cc1 -std=c++11 -triple x86_64-unknown-linux -emit-llvm -fsanitize=null,vptr %s -o - | FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-VPTR --check-prefix=ITANIUM
// RUN: %clang_cc1 -std=c++11 -triple x86_64-windows -emit-llvm -fsanitize=vptr %s -o - | FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-VPTR --check-prefix=MSABI // RUN: %clang_cc1 -std=c++11 -triple x86_64-windows -emit-llvm -fsanitize=null,vptr %s -o - | FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-VPTR --check-prefix=MSABI
struct T { struct T {
virtual ~T() {} virtual ~T() {}
virtual int v() { return 1; } virtual int v() { return 1; }
}; };
struct U : T { struct U : T {
~U(); ~U();
virtual int v() { return 2; } virtual int v() { return 2; }
Show All 28 Lines

cfe/trunk/test/Driver/fsanitize.c

Show First 20 LinesShow All 52 Lines▼ Show 20 Lines
// CHECK-VPTR-TRAP-UNDEF: error: invalid argument '-fsanitize=vptr' not allowed with '-fsanitize-trap=undefined' // CHECK-VPTR-TRAP-UNDEF: error: invalid argument '-fsanitize=vptr' not allowed with '-fsanitize-trap=undefined'
// RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-NO-RTTI // RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-NO-RTTI
// CHECK-VPTR-NO-RTTI: '-fsanitize=vptr' not allowed with '-fno-rtti' // CHECK-VPTR-NO-RTTI: '-fsanitize=vptr' not allowed with '-fno-rtti'
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-NO-RTTI // RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-UNDEFINED-NO-RTTI
// CHECK-UNDEFINED-NO-RTTI-NOT: vptr // CHECK-UNDEFINED-NO-RTTI-NOT: vptr
// RUN: %clang -target x86_64-linux-gnu -fsanitize=undefined -fno-sanitize=null %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-NO-NULL
// RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-NO-NULL
// CHECK-VPTR-NO-NULL: warning: implicitly disabling vptr sanitizer because null checking wasn't enabled
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address,thread -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANA-SANT // RUN: %clang -target x86_64-linux-gnu -fsanitize=address,thread -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANA-SANT
// CHECK-SANA-SANT: '-fsanitize=address' not allowed with '-fsanitize=thread' // CHECK-SANA-SANT: '-fsanitize=address' not allowed with '-fsanitize=thread'
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address,memory -pie -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANA-SANM // RUN: %clang -target x86_64-linux-gnu -fsanitize=address,memory -pie -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANA-SANM
// CHECK-SANA-SANM: '-fsanitize=address' not allowed with '-fsanitize=memory' // CHECK-SANA-SANM: '-fsanitize=address' not allowed with '-fsanitize=memory'
// RUN: %clang -target x86_64-linux-gnu -fsanitize=thread,memory -pie -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANT-SANM // RUN: %clang -target x86_64-linux-gnu -fsanitize=thread,memory -pie -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANT-SANM
// CHECK-SANT-SANM: '-fsanitize=thread' not allowed with '-fsanitize=memory' // CHECK-SANT-SANM: '-fsanitize=thread' not allowed with '-fsanitize=memory'
▲ Show 20 LinesShow All 288 Lines▼ Show 20 Lines
// CHECK-FSAN-DARWIN: unsupported option '-fsanitize=function' for target 'x86_64-apple-darwin10' // CHECK-FSAN-DARWIN: unsupported option '-fsanitize=function' for target 'x86_64-apple-darwin10'
// RUN: %clang -target x86_64-apple-darwin10 -fsanitize=function -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSAN-UBSAN-DARWIN // RUN: %clang -target x86_64-apple-darwin10 -fsanitize=function -fsanitize=undefined %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-FSAN-UBSAN-DARWIN
// CHECK-FSAN-UBSAN-DARWIN: unsupported option '-fsanitize=function' for target 'x86_64-apple-darwin10' // CHECK-FSAN-UBSAN-DARWIN: unsupported option '-fsanitize=function' for target 'x86_64-apple-darwin10'
// RUN: %clang -target x86_64-apple-darwin10 -mmacosx-version-min=10.8 -fsanitize=vptr %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-DARWIN-OLD // RUN: %clang -target x86_64-apple-darwin10 -mmacosx-version-min=10.8 -fsanitize=vptr %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-DARWIN-OLD
// CHECK-VPTR-DARWIN-OLD: unsupported option '-fsanitize=vptr' for target 'x86_64-apple-darwin10' // CHECK-VPTR-DARWIN-OLD: unsupported option '-fsanitize=vptr' for target 'x86_64-apple-darwin10'
// RUN: %clang -target x86_64-apple-darwin10 -mmacosx-version-min=10.9 -fsanitize=alignment,vptr %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-DARWIN-NEW // RUN: %clang -target x86_64-apple-darwin10 -mmacosx-version-min=10.9 -fsanitize=alignment,null,vptr %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-VPTR-DARWIN-NEW
// CHECK-VPTR-DARWIN-NEW: -fsanitize=alignment,vptr // CHECK-VPTR-DARWIN-NEW: -fsanitize=alignment,null,vptr
// RUN: %clang -target armv7-apple-ios7 -miphoneos-version-min=7.0 -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-IOS // RUN: %clang -target armv7-apple-ios7 -miphoneos-version-min=7.0 -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-IOS
// CHECK-ASAN-IOS: -fsanitize=address // CHECK-ASAN-IOS: -fsanitize=address
// RUN: %clang -target i386-pc-openbsd -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-OPENBSD // RUN: %clang -target i386-pc-openbsd -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-OPENBSD
// CHECK-ASAN-OPENBSD: unsupported option '-fsanitize=address' for target 'i386-pc-openbsd' // CHECK-ASAN-OPENBSD: unsupported option '-fsanitize=address' for target 'i386-pc-openbsd'
// RUN: %clang -target x86_64-apple-darwin -fsanitize=leak %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-LSAN-X86-64-DARWIN // RUN: %clang -target x86_64-apple-darwin -fsanitize=leak %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-LSAN-X86-64-DARWIN
▲ Show 20 LinesShow All 163 LinesShow Last 20 Lines

cfe/trunk/test/Driver/rtti-options.cpp

Show All 10 Lines
// Make sure we keep the last -frtti/-fno-rtti argument // Make sure we keep the last -frtti/-fno-rtti argument
// RUN: %clang -### -c -fno-rtti -frtti %s 2>&1 | FileCheck -check-prefix=CHECK-RTTI %s // RUN: %clang -### -c -fno-rtti -frtti %s 2>&1 | FileCheck -check-prefix=CHECK-RTTI %s
// RUN: %clang -### -c -frtti -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-NO-RTTI %s // RUN: %clang -### -c -frtti -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-NO-RTTI %s
// -fsanitize=vptr // -fsanitize=vptr
// Make sure we only error/warn once, when trying to enable vptr and // Make sure we only error/warn once, when trying to enable vptr and
// undefined and have -fno-rtti // undefined and have -fno-rtti
// RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=undefined -fsanitize=vptr -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-SAN-ERROR -check-prefix=CHECK-OK %s // RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=undefined -fsanitize=vptr -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-SAN-ERROR -check-prefix=CHECK-OK %s
// RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=vptr %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s // RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=null,vptr %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s
// RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=vptr -frtti %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s // RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=null,vptr -frtti %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s
// RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=vptr -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-SAN-ERROR %s // RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=null,vptr -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-SAN-ERROR %s
// RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=undefined %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s // RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=undefined %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s
// RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=undefined -frtti %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s // RUN: %clang -### -c -target x86_64-unknown-linux -fsanitize=undefined -frtti %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s
// RUN: %clang -### -c -target x86_64-scei-ps4 -fsanitize=vptr %s 2>&1 | FileCheck -check-prefix=CHECK-SAN-WARN %s // RUN: %clang -### -c -target x86_64-scei-ps4 -fsanitize=null,vptr %s 2>&1 | FileCheck -check-prefix=CHECK-SAN-WARN %s
// RUN: %clang -### -c -target x86_64-scei-ps4 -fsanitize=vptr -frtti %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s // RUN: %clang -### -c -target x86_64-scei-ps4 -fsanitize=null,vptr -frtti %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s
// RUN: %clang -### -c -target x86_64-scei-ps4 -fsanitize=vptr -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-SAN-ERROR %s // RUN: %clang -### -c -target x86_64-scei-ps4 -fsanitize=null,vptr -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-SAN-ERROR %s
// RUN: %clang -### -c -target x86_64-scei-ps4 -fsanitize=undefined -frtti %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s // RUN: %clang -### -c -target x86_64-scei-ps4 -fsanitize=undefined -frtti %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s
// Exceptions + no/default rtti // Exceptions + no/default rtti
// RUN: %clang -### -c -target x86_64-scei-ps4 -fcxx-exceptions -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-EXC-ERROR-CXX %s // RUN: %clang -### -c -target x86_64-scei-ps4 -fcxx-exceptions -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-EXC-ERROR-CXX %s
// RUN: %clang -### -c -target x86_64-scei-ps4 -fcxx-exceptions %s 2>&1 | FileCheck -check-prefix=CHECK-EXC-WARN %s // RUN: %clang -### -c -target x86_64-scei-ps4 -fcxx-exceptions %s 2>&1 | FileCheck -check-prefix=CHECK-EXC-WARN %s
// RUN: %clang -### -c -target x86_64-unknown-unknown -fcxx-exceptions -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s // RUN: %clang -### -c -target x86_64-unknown-unknown -fcxx-exceptions -fno-rtti %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s
// RUN: %clang -### -c -target x86_64-unknown-unknown -fcxx-exceptions %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s // RUN: %clang -### -c -target x86_64-unknown-unknown -fcxx-exceptions %s 2>&1 | FileCheck -check-prefix=CHECK-OK %s
// In C++, -fexceptions implies -fcxx-exceptions // In C++, -fexceptions implies -fcxx-exceptions
Show All 27 Lines