This is an archive of the discontinued LLVM Phabricator instance.

Differential D49589

[UBSan] Strengthen pointer checks in 'new' expressions
ClosedPublic

Authored by sepavloff on Jul 19 2018, 10:24 PM.

Details

Reviewers
rsmith
rjmccall
ikudrin
Commits
rG376051820d17: [UBSan] Strengthen pointer checks in 'new' expressions
rC338199: [UBSan] Strengthen pointer checks in 'new' expressions
rL338199: [UBSan] Strengthen pointer checks in 'new' expressions
Summary

With this change compiler generates alignment checks for wider range
of types. Previously such checks were generated only for the record types
with non-trivial default constructor. So the types like:

struct alignas(32) S2 { int x; };
typedef __attribute__((ext_vector_type(2), aligned(32))) float float32x2_t;

did not get checks when allocated by 'new' expression.

This change also optimizes the checks generated for the arrays created
in 'new' expressions. Previously the check was generated for each
invocation of type constructor. Now the check is generated only once
for entire array.

Diff Detail

Repository
rL LLVM

Event Timeline

sepavloff created this revision.Jul 19 2018, 10:24 PM
Harbormaster completed remote builds in B20543: Diff 156428.Jul 19 2018, 10:24 PM
ikudrin added a comment.Jul 20 2018, 3:42 AM

You may want to add a test for placement new, no?

rjmccall added inline comments.Jul 21 2018, 12:33 PM
lib/CodeGen/CodeGenFunction.h
380 ↗(On Diff #156428)

I don't think this is a good way of doing this. Using global state makes this unnecessarily difficult to reason about and can have unintended effects. For example, you are unintentionally suppressing any checks that would be done as part of e.g. evaluating default arguments to the default constructor.

You should pass a parameter down that says whether checks are necessary. You can also use that parameter to e.g. suppress checks when constructing local variables and temporaries, although you may already have an alternative mechanism for doing that.

ikudrin added a comment.Jul 23 2018, 12:30 AM

Did you consider dividing the patch into two separate changes to solve the two described issues independently?

sepavloff added a comment.Jul 23 2018, 1:48 AM
In D49589#1171279, @ikudrin wrote:

Did you consider dividing the patch into two separate changes to solve the two described issues independently?

The both tow issues have the same cause: the check is genereated too late. Now it is generated during contructor generation. For arrays it means that every array element gets its own check. For types like vectors with required alignment it means no check at all, because technically such type do not have a constructor. If the check is generated earlier, while processing 'new' expression, both the problems are solved. But in this case we need to inform EmitCXXConstructorCall that the checks are already generated, because this function may be called in cases other than 'new' expression.

sepavloff updated this revision to Diff 157102.Jul 24 2018, 12:09 PM

Updated patch

  • Modified check generation. Now for each 'new' expression compiler tries to

generate the checks. It solves problem of 'nested' new expressions, which
appear when 'new' is used in default arguments.

  • Field and RAII class names are made more specific.
  • Added new tests including that with inplace new operator.
sepavloff added inline comments.Jul 24 2018, 12:25 PM
lib/CodeGen/CodeGenFunction.h
380 ↗(On Diff #156428)

Passing parameter that inctructs whether to generate checks or not hardly can be directly implemented. This information is used in EmitCXXConstructorCall and it is formed during processing of new expression. The distance between these points can be 10 call frames, in some of them (StmtVisitor interface of AggExprEmitter) we cannot change function parameters.
The case of new expression in default arguments indeed handled incorrectly, thank you for the catch. The updated version must process this case correctly.

rjmccall added inline comments.Jul 24 2018, 2:06 PM
lib/CodeGen/CodeGenFunction.h
380 ↗(On Diff #156428)

I'm not going to accept a patch based on global state here. AggValueSlot already propagates a bunch of flags about the slot into which we're emitting an expression; I don't think it would be difficult to propagate some sort of "alignment is statically known or already checked" flag along with that.

vsk added a subscriber: vsk.Jul 24 2018, 3:10 PM
vsk added inline comments.
lib/CodeGen/CodeGenFunction.h
380 ↗(On Diff #156428)

+ 1. @rjmccall offered similar advice in D25448, which led us to find a few more bugs / missed opportunities we otherwise wouldn't have.

sepavloff updated this revision to Diff 157305.Jul 25 2018, 10:29 AM

Updated patch

Now the information, if the pointer produced by 'new' operator is checked,
is stored in objects used for pointer representation (Address and
AggValueSlot) rather than globally.

Also the tests were cleaned up a bit.

Harbormaster completed remote builds in B20701: Diff 157305.Jul 25 2018, 10:29 AM
rjmccall added inline comments.Jul 25 2018, 10:40 AM
lib/CodeGen/Address.h
46 ↗(On Diff #157305)

Address is a pretty low-level type to be changing here. Is this necessary? Can you find a way to propagate this just in higher-level types like AggValueSlot, RValue, and LValue?

Also, please remember that your analysis is not the only thing happening in the compiler. isChecked is not a meaningful name taken out of context.

sepavloff updated this revision to Diff 157519.Jul 26 2018, 10:04 AM

Updated patch

Now information, if sanitizer checks are generated while processing 'new'
expression, is passed through function call arguments.

Harbormaster completed remote builds in B20739: Diff 157519.Jul 26 2018, 10:04 AM
sepavloff added a comment.Jul 26 2018, 10:13 AM

Also, please remember that your analysis is not the only thing happening in the compiler. isChecked is not a meaningful name taken out of context.

Address is not modified in the current patch version. As for AggValueSlot, this method name is leaved, as there is no other meaning for this class. Please let me know if it is inappropriate.

rjmccall added inline comments.Jul 26 2018, 12:38 PM
lib/CodeGen/CGClass.cpp
2190 ↗(On Diff #157519)

Please include /* */ comments to describe what true and false mean as arguments throughout this patch, just like the /*Delegating*/ comment here.

lib/CodeGen/CGValue.h
487 ↗(On Diff #157519)

Are those checks anything more than pointer alignment? If so, please call this
(and all the methods for it) SanitizerCheckedFlag; otherwise, please just call it
AlignmentCheckedFlag.

sepavloff updated this revision to Diff 157643.Jul 26 2018, 9:50 PM

Updated patch

Added names for boolean arguments, renamed a field in AggValueSlot.
No functional changes.

rjmccall added a comment.Jul 27 2018, 12:53 AM

Okay, thank you, that's better, but I should've been clearer. What I was really asking for was this: in *all* the code you're adding in this patch, where you've currently written IsChecked or isChecked or NewPointerIsChecked, please instead write IsSanitizerChecked or isSanitizerChecked or NewPointerIsSanitizerChecked unless it is literally something like a local variable in a function about performing sanitizer checks.

sepavloff updated this revision to Diff 157677.Jul 27 2018, 6:05 AM

Updated patch

Use SanitizerCheck instead of Check in method and enum names.
No functional changes.

Harbormaster completed remote builds in B20778: Diff 157677.Jul 27 2018, 6:05 AM
rjmccall accepted this revision.Jul 27 2018, 10:13 AM

Thanks, that'll do.

This revision is now accepted and ready to land.Jul 27 2018, 10:13 AM
sepavloff added a comment.Jul 27 2018, 10:36 AM

@rjmccall Thank you!

Closed by commit rL338199: [UBSan] Strengthen pointer checks in 'new' expressions (authored by sepavloff). · Explain WhyJul 28 2018, 8:33 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptJul 28 2018, 8:33 AM

Revision Contents

PathSize
cfe/
trunk/
lib/
CodeGen/
46 lines
20 lines
21 lines
8 lines
test/
CodeGenCXX/
146 lines

Diff 157861

cfe/trunk/lib/CodeGen/CGClass.cpp

Show First 20 LinesShow All 679 Lines▼ Show 20 Lines case TEK_Complex:
break; break;
case TEK_Aggregate: { case TEK_Aggregate: {
AggValueSlot Slot = AggValueSlot Slot =
AggValueSlot::forLValue( AggValueSlot::forLValue(
LHS, LHS,
AggValueSlot::IsDestructed, AggValueSlot::IsDestructed,
AggValueSlot::DoesNotNeedGCBarriers, AggValueSlot::DoesNotNeedGCBarriers,
AggValueSlot::IsNotAliased, AggValueSlot::IsNotAliased,
overlapForFieldInit(Field)); overlapForFieldInit(Field),
AggValueSlot::IsNotZeroed,
// Checks are made by the code that calls constructor.
AggValueSlot::IsSanitizerChecked);
EmitAggExpr(Init, Slot); EmitAggExpr(Init, Slot);
break; break;
} }
} }
// Ensure that we destroy this object if an exception is thrown // Ensure that we destroy this object if an exception is thrown
// later in the constructor. // later in the constructor.
QualType::DestructionKind dtorKind = FieldType.isDestructedType(); QualType::DestructionKind dtorKind = FieldType.isDestructedType();
▲ Show 20 LinesShow All 1,167 Lines▼ Show 20 Lines
/// ///
/// \param ctor the constructor to call for each element /// \param ctor the constructor to call for each element
/// \param arrayType the type of the array to initialize /// \param arrayType the type of the array to initialize
/// \param arrayBegin an arrayType* /// \param arrayBegin an arrayType*
/// \param zeroInitialize true if each element should be /// \param zeroInitialize true if each element should be
/// zero-initialized before it is constructed /// zero-initialized before it is constructed
void CodeGenFunction::EmitCXXAggrConstructorCall( void CodeGenFunction::EmitCXXAggrConstructorCall(
const CXXConstructorDecl *ctor, const ArrayType *arrayType, const CXXConstructorDecl *ctor, const ArrayType *arrayType,
Address arrayBegin, const CXXConstructExpr *E, bool zeroInitialize) { Address arrayBegin, const CXXConstructExpr *E, bool NewPointerIsChecked,
bool zeroInitialize) {
QualType elementType; QualType elementType;
llvm::Value *numElements = llvm::Value *numElements =
emitArrayLength(arrayType, elementType, arrayBegin); emitArrayLength(arrayType, elementType, arrayBegin);
EmitCXXAggrConstructorCall(ctor, numElements, arrayBegin, E, zeroInitialize); EmitCXXAggrConstructorCall(ctor, numElements, arrayBegin, E,
NewPointerIsChecked, zeroInitialize);
} }
/// EmitCXXAggrConstructorCall - Emit a loop to call a particular /// EmitCXXAggrConstructorCall - Emit a loop to call a particular
/// constructor for each of several members of an array. /// constructor for each of several members of an array.
/// ///
/// \param ctor the constructor to call for each element /// \param ctor the constructor to call for each element
/// \param numElements the number of elements in the array; /// \param numElements the number of elements in the array;
/// may be zero /// may be zero
/// \param arrayBase a T*, where T is the type constructed by ctor /// \param arrayBase a T*, where T is the type constructed by ctor
/// \param zeroInitialize true if each element should be /// \param zeroInitialize true if each element should be
/// zero-initialized before it is constructed /// zero-initialized before it is constructed
void CodeGenFunction::EmitCXXAggrConstructorCall(const CXXConstructorDecl *ctor, void CodeGenFunction::EmitCXXAggrConstructorCall(const CXXConstructorDecl *ctor,
llvm::Value *numElements, llvm::Value *numElements,
Address arrayBase, Address arrayBase,
const CXXConstructExpr *E, const CXXConstructExpr *E,
bool NewPointerIsChecked,
bool zeroInitialize) { bool zeroInitialize) {
// It's legal for numElements to be zero. This can happen both // It's legal for numElements to be zero. This can happen both
// dynamically, because x can be zero in 'new A[x]', and statically, // dynamically, because x can be zero in 'new A[x]', and statically,
// because of GCC extensions that permit zero-length arrays. There // because of GCC extensions that permit zero-length arrays. There
// are probably legitimate places where we could assume that this // are probably legitimate places where we could assume that this
// doesn't happen, but it's not clear that it's worth it. // doesn't happen, but it's not clear that it's worth it.
llvm::BranchInst *zeroCheckBranch = nullptr; llvm::BranchInst *zeroCheckBranch = nullptr;
▲ Show 20 LinesShow All 60 Lines▼ Show 20 Lines if (getLangOpts().Exceptions &&
!ctor->getParent()->hasTrivialDestructor()) { !ctor->getParent()->hasTrivialDestructor()) {
Destroyer *destroyer = destroyCXXObject; Destroyer *destroyer = destroyCXXObject;
pushRegularPartialArrayCleanup(arrayBegin, cur, type, eltAlignment, pushRegularPartialArrayCleanup(arrayBegin, cur, type, eltAlignment,
*destroyer); *destroyer);
} }
EmitCXXConstructorCall(ctor, Ctor_Complete, /*ForVirtualBase=*/false, EmitCXXConstructorCall(ctor, Ctor_Complete, /*ForVirtualBase=*/false,
/*Delegating=*/false, curAddr, E, /*Delegating=*/false, curAddr, E,
AggValueSlot::DoesNotOverlap); AggValueSlot::DoesNotOverlap, NewPointerIsChecked);
} }
// Go to the next element. // Go to the next element.
llvm::Value *next = llvm::Value *next =
Builder.CreateInBoundsGEP(cur, llvm::ConstantInt::get(SizeTy, 1), Builder.CreateInBoundsGEP(cur, llvm::ConstantInt::get(SizeTy, 1),
"arrayctor.next"); "arrayctor.next");
cur->addIncoming(next, Builder.GetInsertBlock()); cur->addIncoming(next, Builder.GetInsertBlock());
Show All 19 Lines CGF.EmitCXXDestructorCall(dtor, Dtor_Complete, /*for vbase*/ false,
/*Delegating=*/false, addr); /*Delegating=*/false, addr);
} }
void CodeGenFunction::EmitCXXConstructorCall(const CXXConstructorDecl *D, void CodeGenFunction::EmitCXXConstructorCall(const CXXConstructorDecl *D,
CXXCtorType Type, CXXCtorType Type,
bool ForVirtualBase, bool ForVirtualBase,
bool Delegating, Address This, bool Delegating, Address This,
const CXXConstructExpr *E, const CXXConstructExpr *E,
AggValueSlot::Overlap_t Overlap) { AggValueSlot::Overlap_t Overlap,
bool NewPointerIsChecked) {
CallArgList Args; CallArgList Args;
// Push the this ptr. // Push the this ptr.
Args.add(RValue::get(This.getPointer()), D->getThisType(getContext())); Args.add(RValue::get(This.getPointer()), D->getThisType(getContext()));
// If this is a trivial constructor, emit a memcpy now before we lose // If this is a trivial constructor, emit a memcpy now before we lose
// the alignment information on the argument. // the alignment information on the argument.
// FIXME: It would be better to preserve alignment information into CallArg. // FIXME: It would be better to preserve alignment information into CallArg.
Show All 12 Linesvoid CodeGenFunction::EmitCXXConstructorCall(const CXXConstructorDecl *D,
const FunctionProtoType *FPT = D->getType()->castAs<FunctionProtoType>(); const FunctionProtoType *FPT = D->getType()->castAs<FunctionProtoType>();
EvaluationOrder Order = E->isListInitialization() EvaluationOrder Order = E->isListInitialization()
? EvaluationOrder::ForceLeftToRight ? EvaluationOrder::ForceLeftToRight
: EvaluationOrder::Default; : EvaluationOrder::Default;
EmitCallArgs(Args, FPT, E->arguments(), E->getConstructor(), EmitCallArgs(Args, FPT, E->arguments(), E->getConstructor(),
/*ParamsToSkip*/ 0, Order); /*ParamsToSkip*/ 0, Order);
EmitCXXConstructorCall(D, Type, ForVirtualBase, Delegating, This, Args, EmitCXXConstructorCall(D, Type, ForVirtualBase, Delegating, This, Args,
Overlap, E->getExprLoc()); Overlap, E->getExprLoc(), NewPointerIsChecked);
} }
static bool canEmitDelegateCallArgs(CodeGenFunction &CGF, static bool canEmitDelegateCallArgs(CodeGenFunction &CGF,
const CXXConstructorDecl *Ctor, const CXXConstructorDecl *Ctor,
CXXCtorType Type, CallArgList &Args) { CXXCtorType Type, CallArgList &Args) {
// We can't forward a variadic call. // We can't forward a variadic call.
if (Ctor->isVariadic()) if (Ctor->isVariadic())
return false; return false;
Show All 17 Lines
void CodeGenFunction::EmitCXXConstructorCall(const CXXConstructorDecl *D, void CodeGenFunction::EmitCXXConstructorCall(const CXXConstructorDecl *D,
CXXCtorType Type, CXXCtorType Type,
bool ForVirtualBase, bool ForVirtualBase,
bool Delegating, bool Delegating,
Address This, Address This,
CallArgList &Args, CallArgList &Args,
AggValueSlot::Overlap_t Overlap, AggValueSlot::Overlap_t Overlap,
SourceLocation Loc) { SourceLocation Loc,
bool NewPointerIsChecked) {
const CXXRecordDecl *ClassDecl = D->getParent(); const CXXRecordDecl *ClassDecl = D->getParent();
// C++11 [class.mfct.non-static]p2: if (!NewPointerIsChecked)
// If a non-static member function of a class X is called for an object that EmitTypeCheck(CodeGenFunction::TCK_ConstructorCall, Loc, This.getPointer(),
// is not of type X, or of a type derived from X, the behavior is undefined. getContext().getRecordType(ClassDecl), CharUnits::Zero());
EmitTypeCheck(CodeGenFunction::TCK_ConstructorCall, Loc,
This.getPointer(), getContext().getRecordType(ClassDecl));
if (D->isTrivial() && D->isDefaultConstructor()) { if (D->isTrivial() && D->isDefaultConstructor()) {
assert(Args.size() == 1 && "trivial default ctor with args"); assert(Args.size() == 1 && "trivial default ctor with args");
return; return;
} }
// If this is a trivial constructor, just emit what's needed. If this is a // If this is a trivial constructor, just emit what's needed. If this is a
// union copy constructor, we must emit a memcpy, because the AST does not // union copy constructor, we must emit a memcpy, because the AST does not
▲ Show 20 LinesShow All 92 Lines▼ Show 20 Lines for (const auto *Param : OuterCtor->parameters()) {
assert(POSParam && "missing pass_object_size value for forwarding"); assert(POSParam && "missing pass_object_size value for forwarding");
EmitDelegateCallArg(Args, POSParam, E->getLocation()); EmitDelegateCallArg(Args, POSParam, E->getLocation());
} }
} }
} }
EmitCXXConstructorCall(D, Ctor_Base, ForVirtualBase, /*Delegating*/false, EmitCXXConstructorCall(D, Ctor_Base, ForVirtualBase, /*Delegating*/false,
This, Args, AggValueSlot::MayOverlap, This, Args, AggValueSlot::MayOverlap,
E->getLocation()); E->getLocation(), /*NewPointerIsChecked*/true);
} }
void CodeGenFunction::EmitInlinedInheritingCXXConstructorCall( void CodeGenFunction::EmitInlinedInheritingCXXConstructorCall(
const CXXConstructorDecl *Ctor, CXXCtorType CtorType, bool ForVirtualBase, const CXXConstructorDecl *Ctor, CXXCtorType CtorType, bool ForVirtualBase,
bool Delegating, CallArgList &Args) { bool Delegating, CallArgList &Args) {
GlobalDecl GD(Ctor, CtorType); GlobalDecl GD(Ctor, CtorType);
InlinedInheritingConstructorScope Scope(*this, GD); InlinedInheritingConstructorScope Scope(*this, GD);
ApplyInlineDebugLocation DebugScope(*this, GD); ApplyInlineDebugLocation DebugScope(*this, GD);
▲ Show 20 LinesShow All 79 Lines▼ Show 20 LinesCodeGenFunction::EmitSynthesizedCXXCopyCtorCall(const CXXConstructorDecl *D,
llvm::Type *t = CGM.getTypes().ConvertType(QT); llvm::Type *t = CGM.getTypes().ConvertType(QT);
Src = Builder.CreateBitCast(Src, t); Src = Builder.CreateBitCast(Src, t);
Args.add(RValue::get(Src.getPointer()), QT); Args.add(RValue::get(Src.getPointer()), QT);
// Skip over first argument (Src). // Skip over first argument (Src).
EmitCallArgs(Args, FPT, drop_begin(E->arguments(), 1), E->getConstructor(), EmitCallArgs(Args, FPT, drop_begin(E->arguments(), 1), E->getConstructor(),
/*ParamsToSkip*/ 1); /*ParamsToSkip*/ 1);
EmitCXXConstructorCall(D, Ctor_Complete, false, false, This, Args, EmitCXXConstructorCall(D, Ctor_Complete, /*ForVirtualBase*/false,
AggValueSlot::MayOverlap, E->getExprLoc()); /*Delegating*/false, This, Args,
AggValueSlot::MayOverlap, E->getExprLoc(),
/*NewPointerIsChecked*/false);
} }
void void
CodeGenFunction::EmitDelegateCXXConstructorCall(const CXXConstructorDecl *Ctor, CodeGenFunction::EmitDelegateCXXConstructorCall(const CXXConstructorDecl *Ctor,
CXXCtorType CtorType, CXXCtorType CtorType,
const FunctionArgList &Args, const FunctionArgList &Args,
SourceLocation Loc) { SourceLocation Loc) {
CallArgList DelegateArgs; CallArgList DelegateArgs;
Show All 19 LinesCodeGenFunction::EmitDelegateCXXConstructorCall(const CXXConstructorDecl *Ctor,
for (; I != E; ++I) { for (; I != E; ++I) {
const VarDecl *param = *I; const VarDecl *param = *I;
// FIXME: per-argument source location // FIXME: per-argument source location
EmitDelegateCallArg(DelegateArgs, param, Loc); EmitDelegateCallArg(DelegateArgs, param, Loc);
} }
EmitCXXConstructorCall(Ctor, CtorType, /*ForVirtualBase=*/false, EmitCXXConstructorCall(Ctor, CtorType, /*ForVirtualBase=*/false,
/*Delegating=*/true, This, DelegateArgs, /*Delegating=*/true, This, DelegateArgs,
AggValueSlot::MayOverlap, Loc); AggValueSlot::MayOverlap, Loc,
/*NewPointerIsChecked=*/true);
} }
namespace { namespace {
struct CallDelegatingCtorDtor final : EHScopeStack::Cleanup { struct CallDelegatingCtorDtor final : EHScopeStack::Cleanup {
const CXXDestructorDecl *Dtor; const CXXDestructorDecl *Dtor;
Address Addr; Address Addr;
CXXDtorType Type; CXXDtorType Type;
Show All 15 LinesCodeGenFunction::EmitDelegatingCXXConstructorCall(const CXXConstructorDecl *Ctor,
Address ThisPtr = LoadCXXThisAddress(); Address ThisPtr = LoadCXXThisAddress();
AggValueSlot AggSlot = AggValueSlot AggSlot =
AggValueSlot::forAddr(ThisPtr, Qualifiers(), AggValueSlot::forAddr(ThisPtr, Qualifiers(),
AggValueSlot::IsDestructed, AggValueSlot::IsDestructed,
AggValueSlot::DoesNotNeedGCBarriers, AggValueSlot::DoesNotNeedGCBarriers,
AggValueSlot::IsNotAliased, AggValueSlot::IsNotAliased,
AggValueSlot::MayOverlap); AggValueSlot::MayOverlap,
AggValueSlot::IsNotZeroed,
// Checks are made by the code that calls constructor.
AggValueSlot::IsSanitizerChecked);
EmitAggExpr(Ctor->init_begin()[0]->getInit(), AggSlot); EmitAggExpr(Ctor->init_begin()[0]->getInit(), AggSlot);
const CXXRecordDecl *ClassDecl = Ctor->getParent(); const CXXRecordDecl *ClassDecl = Ctor->getParent();
if (CGM.getLangOpts().Exceptions && !ClassDecl->hasTrivialDestructor()) { if (CGM.getLangOpts().Exceptions && !ClassDecl->hasTrivialDestructor()) {
CXXDtorType Type = CXXDtorType Type =
CurGD.getCtorType() == Ctor_Complete ? Dtor_Complete : Dtor_Base; CurGD.getCtorType() == Ctor_Complete ? Dtor_Complete : Dtor_Base;
▲ Show 20 LinesShow All 524 LinesShow Last 20 Lines

cfe/trunk/lib/CodeGen/CGExprCXX.cpp

Show First 20 LinesShow All 601 Lines▼ Show 20 Lines if (getLangOpts().ElideConstructors && E->isElidable()) {
if (E->getArg(0)->isTemporaryObject(getContext(), CD->getParent())) { if (E->getArg(0)->isTemporaryObject(getContext(), CD->getParent())) {
EmitAggExpr(E->getArg(0), Dest); EmitAggExpr(E->getArg(0), Dest);
return; return;
} }
} }
if (const ArrayType *arrayType if (const ArrayType *arrayType
= getContext().getAsArrayType(E->getType())) { = getContext().getAsArrayType(E->getType())) {
EmitCXXAggrConstructorCall(CD, arrayType, Dest.getAddress(), E); EmitCXXAggrConstructorCall(CD, arrayType, Dest.getAddress(), E,
Dest.isSanitizerChecked());
} else { } else {
CXXCtorType Type = Ctor_Complete; CXXCtorType Type = Ctor_Complete;
bool ForVirtualBase = false; bool ForVirtualBase = false;
bool Delegating = false; bool Delegating = false;
switch (E->getConstructionKind()) { switch (E->getConstructionKind()) {
case CXXConstructExpr::CK_Delegating: case CXXConstructExpr::CK_Delegating:
// We should be emitting a constructor; GlobalDecl will assert this // We should be emitting a constructor; GlobalDecl will assert this
Show All 10 Lines case CXXConstructExpr::CK_VirtualBase:
LLVM_FALLTHROUGH; LLVM_FALLTHROUGH;
case CXXConstructExpr::CK_NonVirtualBase: case CXXConstructExpr::CK_NonVirtualBase:
Type = Ctor_Base; Type = Ctor_Base;
} }
// Call the constructor. // Call the constructor.
EmitCXXConstructorCall(CD, Type, ForVirtualBase, Delegating, EmitCXXConstructorCall(CD, Type, ForVirtualBase, Delegating,
Dest.getAddress(), E, Dest.mayOverlap()); Dest.getAddress(), E, Dest.mayOverlap(),
Dest.isSanitizerChecked());
} }
} }
void CodeGenFunction::EmitSynthesizedCXXCopyCtor(Address Dest, Address Src, void CodeGenFunction::EmitSynthesizedCXXCopyCtor(Address Dest, Address Src,
const Expr *Exp) { const Expr *Exp) {
if (const ExprWithCleanups *E = dyn_cast<ExprWithCleanups>(Exp)) if (const ExprWithCleanups *E = dyn_cast<ExprWithCleanups>(Exp))
Exp = E->getSubExpr(); Exp = E->getSubExpr();
assert(isa<CXXConstructExpr>(Exp) && assert(isa<CXXConstructExpr>(Exp) &&
▲ Show 20 LinesShow All 303 Lines▼ Show 20 Lines CGF.EmitComplexExprIntoLValue(Init, CGF.MakeAddrLValue(NewPtr, AllocType),
/*isInit*/ true); /*isInit*/ true);
return; return;
case TEK_Aggregate: { case TEK_Aggregate: {
AggValueSlot Slot AggValueSlot Slot
= AggValueSlot::forAddr(NewPtr, AllocType.getQualifiers(), = AggValueSlot::forAddr(NewPtr, AllocType.getQualifiers(),
AggValueSlot::IsDestructed, AggValueSlot::IsDestructed,
AggValueSlot::DoesNotNeedGCBarriers, AggValueSlot::DoesNotNeedGCBarriers,
AggValueSlot::IsNotAliased, AggValueSlot::IsNotAliased,
MayOverlap); MayOverlap, AggValueSlot::IsNotZeroed,
AggValueSlot::IsSanitizerChecked);
CGF.EmitAggExpr(Init, Slot); CGF.EmitAggExpr(Init, Slot);
return; return;
} }
} }
llvm_unreachable("bad evaluation kind"); llvm_unreachable("bad evaluation kind");
} }
void CodeGenFunction::EmitNewArrayInitializer( void CodeGenFunction::EmitNewArrayInitializer(
▲ Show 20 LinesShow All 53 Lines▼ Show 20 Lines if (ILE->isStringLiteralInit()) {
// Initialize the initial portion of length equal to that of the string // Initialize the initial portion of length equal to that of the string
// literal. The allocation must be for at least this much; we emitted a // literal. The allocation must be for at least this much; we emitted a
// check for that earlier. // check for that earlier.
AggValueSlot Slot = AggValueSlot Slot =
AggValueSlot::forAddr(CurPtr, ElementType.getQualifiers(), AggValueSlot::forAddr(CurPtr, ElementType.getQualifiers(),
AggValueSlot::IsDestructed, AggValueSlot::IsDestructed,
AggValueSlot::DoesNotNeedGCBarriers, AggValueSlot::DoesNotNeedGCBarriers,
AggValueSlot::IsNotAliased, AggValueSlot::IsNotAliased,
AggValueSlot::DoesNotOverlap); AggValueSlot::DoesNotOverlap,
AggValueSlot::IsNotZeroed,
AggValueSlot::IsSanitizerChecked);
EmitAggExpr(ILE->getInit(0), Slot); EmitAggExpr(ILE->getInit(0), Slot);
// Move past these elements. // Move past these elements.
InitListElements = InitListElements =
cast<ConstantArrayType>(ILE->getType()->getAsArrayTypeUnsafe()) cast<ConstantArrayType>(ILE->getType()->getAsArrayTypeUnsafe())
->getSize().getZExtValue(); ->getSize().getZExtValue();
CurPtr = CurPtr =
Address(Builder.CreateInBoundsGEP(CurPtr.getPointer(), Address(Builder.CreateInBoundsGEP(CurPtr.getPointer(),
▲ Show 20 LinesShow All 113 Lines▼ Show 20 Lines if (EndOfInit.isValid())
Builder.CreateStore(CurPtr.getPointer(), EndOfInit); Builder.CreateStore(CurPtr.getPointer(), EndOfInit);
// Emit a constructor call loop to initialize the remaining elements. // Emit a constructor call loop to initialize the remaining elements.
if (InitListElements) if (InitListElements)
NumElements = Builder.CreateSub( NumElements = Builder.CreateSub(
NumElements, NumElements,
llvm::ConstantInt::get(NumElements->getType(), InitListElements)); llvm::ConstantInt::get(NumElements->getType(), InitListElements));
EmitCXXAggrConstructorCall(Ctor, NumElements, CurPtr, CCE, EmitCXXAggrConstructorCall(Ctor, NumElements, CurPtr, CCE,
/*NewPointerIsChecked*/true,
CCE->requiresZeroInitialization()); CCE->requiresZeroInitialization());
return; return;
} }
// If this is value-initialization, we can usually use memset. // If this is value-initialization, we can usually use memset.
ImplicitValueInitExpr IVIE(ElementType); ImplicitValueInitExpr IVIE(ElementType);
if (isa<ImplicitValueInitExpr>(Init)) { if (isa<ImplicitValueInitExpr>(Init)) {
if (TryMemsetInitialization()) if (TryMemsetInitialization())
▲ Show 20 LinesShow All 535 Lines▼ Show 20 Linesllvm::Value *CodeGenFunction::EmitCXXNewExpr(const CXXNewExpr *E) {
// vptrs information which may be included in previous type. // vptrs information which may be included in previous type.
// To not break LTO with different optimizations levels, we do it regardless // To not break LTO with different optimizations levels, we do it regardless
// of optimization level. // of optimization level.
if (CGM.getCodeGenOpts().StrictVTablePointers && if (CGM.getCodeGenOpts().StrictVTablePointers &&
allocator->isReservedGlobalPlacementOperator()) allocator->isReservedGlobalPlacementOperator())
result = Address(Builder.CreateLaunderInvariantGroup(result.getPointer()), result = Address(Builder.CreateLaunderInvariantGroup(result.getPointer()),
result.getAlignment()); result.getAlignment());
// Emit sanitizer checks for pointer value now, so that in the case of an
// array it was checked only once and not at each constructor call.
EmitTypeCheck(CodeGenFunction::TCK_ConstructorCall,
E->getAllocatedTypeSourceInfo()->getTypeLoc().getBeginLoc(),
result.getPointer(), allocType);
EmitNewInitializer(*this, E, allocType, elementTy, result, numElements, EmitNewInitializer(*this, E, allocType, elementTy, result, numElements,
allocSizeWithoutCookie); allocSizeWithoutCookie);
if (E->isArray()) { if (E->isArray()) {
// NewPtr is a pointer to the base element type. If we're // NewPtr is a pointer to the base element type. If we're
// allocating an array of arrays, we'll need to cast back to the // allocating an array of arrays, we'll need to cast back to the
// array pointer type. // array pointer type.
llvm::Type *resultType = ConvertTypeForMem(E->getType()); llvm::Type *resultType = ConvertTypeForMem(E->getType());
if (result.getType() != resultType) if (result.getType() != resultType)
▲ Show 20 LinesShow All 544 LinesShow Last 20 Lines

cfe/trunk/lib/CodeGen/CGValue.h

Show First 20 LinesShow All 473 Lines▼ Show 20 Linesclass AggValueSlot {
/// This is set to true if the tail padding of this slot might overlap /// This is set to true if the tail padding of this slot might overlap
/// another object that may have already been initialized (and whose /// another object that may have already been initialized (and whose
/// value must be preserved by this initialization). If so, we may only /// value must be preserved by this initialization). If so, we may only
/// store up to the dsize of the type. Otherwise we can widen stores to /// store up to the dsize of the type. Otherwise we can widen stores to
/// the size of the type. /// the size of the type.
bool OverlapFlag : 1; bool OverlapFlag : 1;
/// If is set to true, sanitizer checks are already generated for this address
/// or not required. For instance, if this address represents an object
/// created in 'new' expression, sanitizer checks for memory is made as a part
/// of 'operator new' emission and object constructor should not generate
/// them.
bool SanitizerCheckedFlag : 1;
public: public:
enum IsAliased_t { IsNotAliased, IsAliased }; enum IsAliased_t { IsNotAliased, IsAliased };
enum IsDestructed_t { IsNotDestructed, IsDestructed }; enum IsDestructed_t { IsNotDestructed, IsDestructed };
enum IsZeroed_t { IsNotZeroed, IsZeroed }; enum IsZeroed_t { IsNotZeroed, IsZeroed };
enum Overlap_t { DoesNotOverlap, MayOverlap }; enum Overlap_t { DoesNotOverlap, MayOverlap };
enum NeedsGCBarriers_t { DoesNotNeedGCBarriers, NeedsGCBarriers }; enum NeedsGCBarriers_t { DoesNotNeedGCBarriers, NeedsGCBarriers };
enum IsSanitizerChecked_t { IsNotSanitizerChecked, IsSanitizerChecked };
/// ignored - Returns an aggregate value slot indicating that the /// ignored - Returns an aggregate value slot indicating that the
/// aggregate value is being ignored. /// aggregate value is being ignored.
static AggValueSlot ignored() { static AggValueSlot ignored() {
return forAddr(Address::invalid(), Qualifiers(), IsNotDestructed, return forAddr(Address::invalid(), Qualifiers(), IsNotDestructed,
DoesNotNeedGCBarriers, IsNotAliased, DoesNotOverlap); DoesNotNeedGCBarriers, IsNotAliased, DoesNotOverlap);
} }
/// forAddr - Make a slot for an aggregate value. /// forAddr - Make a slot for an aggregate value.
/// ///
/// \param quals - The qualifiers that dictate how the slot should /// \param quals - The qualifiers that dictate how the slot should
/// be initialied. Only 'volatile' and the Objective-C lifetime /// be initialied. Only 'volatile' and the Objective-C lifetime
/// qualifiers matter. /// qualifiers matter.
/// ///
/// \param isDestructed - true if something else is responsible /// \param isDestructed - true if something else is responsible
/// for calling destructors on this object /// for calling destructors on this object
/// \param needsGC - true if the slot is potentially located /// \param needsGC - true if the slot is potentially located
/// somewhere that ObjC GC calls should be emitted for /// somewhere that ObjC GC calls should be emitted for
static AggValueSlot forAddr(Address addr, static AggValueSlot forAddr(Address addr,
Qualifiers quals, Qualifiers quals,
IsDestructed_t isDestructed, IsDestructed_t isDestructed,
NeedsGCBarriers_t needsGC, NeedsGCBarriers_t needsGC,
IsAliased_t isAliased, IsAliased_t isAliased,
Overlap_t mayOverlap, Overlap_t mayOverlap,
IsZeroed_t isZeroed = IsNotZeroed) { IsZeroed_t isZeroed = IsNotZeroed,
IsSanitizerChecked_t isChecked = IsNotSanitizerChecked) {
AggValueSlot AV; AggValueSlot AV;
if (addr.isValid()) { if (addr.isValid()) {
AV.Addr = addr.getPointer(); AV.Addr = addr.getPointer();
AV.Alignment = addr.getAlignment().getQuantity(); AV.Alignment = addr.getAlignment().getQuantity();
} else { } else {
AV.Addr = nullptr; AV.Addr = nullptr;
AV.Alignment = 0; AV.Alignment = 0;
} }
AV.Quals = quals; AV.Quals = quals;
AV.DestructedFlag = isDestructed; AV.DestructedFlag = isDestructed;
AV.ObjCGCFlag = needsGC; AV.ObjCGCFlag = needsGC;
AV.ZeroedFlag = isZeroed; AV.ZeroedFlag = isZeroed;
AV.AliasedFlag = isAliased; AV.AliasedFlag = isAliased;
AV.OverlapFlag = mayOverlap; AV.OverlapFlag = mayOverlap;
AV.SanitizerCheckedFlag = isChecked;
return AV; return AV;
} }
static AggValueSlot forLValue(const LValue &LV, static AggValueSlot forLValue(const LValue &LV,
IsDestructed_t isDestructed, IsDestructed_t isDestructed,
NeedsGCBarriers_t needsGC, NeedsGCBarriers_t needsGC,
IsAliased_t isAliased, IsAliased_t isAliased,
Overlap_t mayOverlap, Overlap_t mayOverlap,
IsZeroed_t isZeroed = IsNotZeroed) { IsZeroed_t isZeroed = IsNotZeroed,
IsSanitizerChecked_t isChecked = IsNotSanitizerChecked) {
return forAddr(LV.getAddress(), LV.getQuals(), isDestructed, needsGC, return forAddr(LV.getAddress(), LV.getQuals(), isDestructed, needsGC,
isAliased, mayOverlap, isZeroed); isAliased, mayOverlap, isZeroed, isChecked);
} }
IsDestructed_t isExternallyDestructed() const { IsDestructed_t isExternallyDestructed() const {
return IsDestructed_t(DestructedFlag); return IsDestructed_t(DestructedFlag);
} }
void setExternallyDestructed(bool destructed = true) { void setExternallyDestructed(bool destructed = true) {
DestructedFlag = destructed; DestructedFlag = destructed;
} }
Show All 35 Linespublic:
IsAliased_t isPotentiallyAliased() const { IsAliased_t isPotentiallyAliased() const {
return IsAliased_t(AliasedFlag); return IsAliased_t(AliasedFlag);
} }
Overlap_t mayOverlap() const { Overlap_t mayOverlap() const {
return Overlap_t(OverlapFlag); return Overlap_t(OverlapFlag);
} }
bool isSanitizerChecked() const {
return SanitizerCheckedFlag;
}
RValue asRValue() const { RValue asRValue() const {
if (isIgnored()) { if (isIgnored()) {
return RValue::getIgnored(); return RValue::getIgnored();
} else { } else {
return RValue::getAggregate(getAddress(), isVolatile()); return RValue::getAggregate(getAddress(), isVolatile());
} }
} }
Show All 18 Lines

cfe/trunk/lib/CodeGen/CodeGenFunction.h

Show First 20 LinesShow All 2,484 Lines▼ Show 20 Linespublic:
void EmitInheritedCXXConstructorCall(const CXXConstructorDecl *D, void EmitInheritedCXXConstructorCall(const CXXConstructorDecl *D,
bool ForVirtualBase, Address This, bool ForVirtualBase, Address This,
bool InheritedFromVBase, bool InheritedFromVBase,
const CXXInheritedCtorInitExpr *E); const CXXInheritedCtorInitExpr *E);
void EmitCXXConstructorCall(const CXXConstructorDecl *D, CXXCtorType Type, void EmitCXXConstructorCall(const CXXConstructorDecl *D, CXXCtorType Type,
bool ForVirtualBase, bool Delegating, bool ForVirtualBase, bool Delegating,
Address This, const CXXConstructExpr *E, Address This, const CXXConstructExpr *E,
AggValueSlot::Overlap_t Overlap); AggValueSlot::Overlap_t Overlap,
bool NewPointerIsChecked);
void EmitCXXConstructorCall(const CXXConstructorDecl *D, CXXCtorType Type, void EmitCXXConstructorCall(const CXXConstructorDecl *D, CXXCtorType Type,
bool ForVirtualBase, bool Delegating, bool ForVirtualBase, bool Delegating,
Address This, CallArgList &Args, Address This, CallArgList &Args,
AggValueSlot::Overlap_t Overlap, AggValueSlot::Overlap_t Overlap,
SourceLocation Loc); SourceLocation Loc,
bool NewPointerIsChecked);
/// Emit assumption load for all bases. Requires to be be called only on /// Emit assumption load for all bases. Requires to be be called only on
/// most-derived class and not under construction of the object. /// most-derived class and not under construction of the object.
void EmitVTableAssumptionLoads(const CXXRecordDecl *ClassDecl, Address This); void EmitVTableAssumptionLoads(const CXXRecordDecl *ClassDecl, Address This);
/// Emit assumption that vptr load == global vtable. /// Emit assumption that vptr load == global vtable.
void EmitVTableAssumptionLoad(const VPtr &vptr, Address This); void EmitVTableAssumptionLoad(const VPtr &vptr, Address This);
void EmitSynthesizedCXXCopyCtorCall(const CXXConstructorDecl *D, void EmitSynthesizedCXXCopyCtorCall(const CXXConstructorDecl *D,
Address This, Address Src, Address This, Address Src,
const CXXConstructExpr *E); const CXXConstructExpr *E);
void EmitCXXAggrConstructorCall(const CXXConstructorDecl *D, void EmitCXXAggrConstructorCall(const CXXConstructorDecl *D,
const ArrayType *ArrayTy, const ArrayType *ArrayTy,
Address ArrayPtr, Address ArrayPtr,
const CXXConstructExpr *E, const CXXConstructExpr *E,
bool NewPointerIsChecked,
bool ZeroInitialization = false); bool ZeroInitialization = false);
void EmitCXXAggrConstructorCall(const CXXConstructorDecl *D, void EmitCXXAggrConstructorCall(const CXXConstructorDecl *D,
llvm::Value *NumElements, llvm::Value *NumElements,
Address ArrayPtr, Address ArrayPtr,
const CXXConstructExpr *E, const CXXConstructExpr *E,
bool NewPointerIsChecked,
bool ZeroInitialization = false); bool ZeroInitialization = false);
static Destroyer destroyCXXObject; static Destroyer destroyCXXObject;
void EmitCXXDestructorCall(const CXXDestructorDecl *D, CXXDtorType Type, void EmitCXXDestructorCall(const CXXDestructorDecl *D, CXXDtorType Type,
bool ForVirtualBase, bool Delegating, bool ForVirtualBase, bool Delegating,
Address This); Address This);
▲ Show 20 LinesShow All 1,804 LinesShow Last 20 Lines

cfe/trunk/test/CodeGenCXX/ubsan-new-checks.cpp

// RUN: %clang_cc1 -triple x86_64-linux-gnu -std=c++11 -S -emit-llvm -fsanitize=alignment %s -o - | FileCheck %s
struct alignas(32) S1 {
int x;
S1();
};
struct alignas(32) S2 {
int x;
};
struct alignas(32) S3 {
int x;
S3(int *p = new int[4]);
};
struct S4 : public S3 {
S4() : S3() {}
};
typedef __attribute__((ext_vector_type(2), aligned(32))) float float32x2_t;
struct S5 {
float32x2_t x;
};
void *operator new (unsigned long, void *p) { return p; }
void *operator new[] (unsigned long, void *p) { return p; }
S1 *func_01() {
// CHECK-LABEL: define {{.*}} @_Z7func_01v
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK: call void @_ZN2S1C1Ev(
// CHECK-NOT: and i64 %{{.*}}, 31
// CHECK: ret %struct.S1*
return new S1[20];
}
S2 *func_02() {
// CHECK-LABEL: define {{.*}} @_Z7func_02v
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK: ret %struct.S2*
return new S2;
}
S2 *func_03() {
// CHECK-LABEL: define {{.*}} @_Z7func_03v
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK-NOT: and i64 %{{.*}}, 31
// CHECK: ret %struct.S2*
return new S2[20];
}
float32x2_t *func_04() {
// CHECK-LABEL: define {{.*}} @_Z7func_04v
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK: ret <2 x float>*
return new float32x2_t;
}
float32x2_t *func_05() {
// CHECK-LABEL: define {{.*}} @_Z7func_05v
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK-NOT: and i64 %{{.*}}, 31
// CHECK: ret <2 x float>*
return new float32x2_t[20];
}
S3 *func_07() {
// CHECK-LABEL: define {{.*}} @_Z7func_07v
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK: and i64 %{{.*}}, 3, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK: ret %struct.S3*
return new S3;
}
S3 *func_08() {
// CHECK-LABEL: define {{.*}} @_Z7func_08v
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK: and i64 %{{.*}}, 3, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK: ret %struct.S3*
return new S3[10];
}
S2 *func_10(void *p) {
// CHECK-LABEL: define {{.*}} @_Z7func_10Pv
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK: ret %struct.S2*
return new(p) S2;
}
S2 *func_11(void *p) {
// CHECK-LABEL: define {{.*}} @_Z7func_11Pv
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK-NOT: and i64 %{{.*}}, 31, !nosanitize
// CHECK-NOT: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK: ret %struct.S2*
return new(p) S2[10];
}
float32x2_t *func_12() {
// CHECK-LABEL: define {{.*}} @_Z7func_12v
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK: ret <2 x float>*
return new float32x2_t;
}
float32x2_t *func_13() {
// CHECK-LABEL: define {{.*}} @_Z7func_13v
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK-NOT: and i64 %{{.*}}, 31
// CHECK: ret <2 x float>*
return new float32x2_t[20];
}
S4 *func_14() {
// CHECK-LABEL: define {{.*}} @_Z7func_14v
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK-NOT: and i64 %{{.*}}, 31
// CHECK: ret %struct.S4*
return new S4;
}
S5 *func_15(const S5 *ptr) {
// CHECK-LABEL: define {{.*}} @_Z7func_15PK2S5
// CHECK: and i64 %{{.*}}, 31, !nosanitize
// CHECK: icmp eq i64 %{{.*}}, 0, !nosanitize
// CHECK-NOT: and i64
// CHECK: ret %struct.S5*
return new S5(*ptr);
}