This is an archive of the discontinued LLVM Phabricator instance.

Differential D50250

[clang][ubsan] Implicit Conversion Sanitizer - integer sign change - clang part
ClosedPublic

Authored by lebedev.ri on Aug 3 2018, 6:22 AM.

Details

Reviewers
vsk
rsmith
rjmccall
erichkeane
Group Reviewers
Restricted Project
Commits
rG62debd805515: [clang][ubsan] Implicit Conversion Sanitizer - integer sign change - clang part
rC345660: [clang][ubsan] Implicit Conversion Sanitizer - integer sign change - clang part
rL345660: [clang][ubsan] Implicit Conversion Sanitizer - integer sign change - clang part
Summary

C and C++ are interesting languages. They are statically typed, but weakly.
The implicit conversions are allowed. This is nice, allows to write code
while balancing between getting drowned in everything being convertible,
and nothing being convertible. As usual, this comes with a price:

void consume(unsigned int val);

void test(int val) {
  consume(val);
  // The 'val' is `signed int`, but `consume()` takes `unsigned int`.
  // If val is negative, then consume() will be operating on a large
  // unsigned value, and you may or may not have a bug.

  // But yes, sometimes this is intentional.
  // Making the conversion explicit silences the sanitizer.
  consume((unsigned int)val);
}

Yes, there is a -Wsign-conversion` diagnostic group, but first, it is kinda
noisy, since it warns on everything (unlike sanitizers, warning on an
actual issues), and second, likely there are cases where it does not warn.

The actual detection is pretty easy. We just need to check each of the values
whether it is negative, and equality-compare the results of those comparisons.
The unsigned value is obviously non-negative. Zero is non-negative too.
https://godbolt.org/g/w93oj2

We do not have to emit the check *always*, there are obvious situations
where we can avoid emitting it, since it would always get optimized-out.
But i do think the tautological IR (icmp ult %x, 0, which is always false)
should be emitted, and the middle-end should cleanup it.

This sanitizer is in the -fsanitize=implicit-conversion group,
and is a logical continuation of D48958 -fsanitize=implicit-integer-truncation.
As for the ordering, i'we opted to emit the check after
-fsanitize=implicit-integer-truncation. At least on these simple 16 test cases,
this results in 1 of the 12 emitted checks being optimized away,
as compared to 0 checks being optimized away if the order is reversed.

This is a clang part.
The compiler-rt part is D50251.

Finishes fixing PR21530, PR37552, PR35409.
Finishes partially fixing PR9821.
Finishes fixing https://github.com/google/sanitizers/issues/940.

Only the bitfield handling is missing.

Diff Detail

Repository
rC Clang

Event Timeline

lebedev.ri created this revision.Aug 3 2018, 6:22 AM
lebedev.ri added a parent revision: D48958: [clang][ubsan] Implicit Cast Sanitizer - integer truncation - clang part.Aug 3 2018, 6:22 AM
lebedev.ri mentioned this in D50251: [compiler-rt][ubsan] Implicit Conversion Sanitizer - integer sign change - compiler-rt part.
lebedev.ri edited the summary of this revision. (Show Details)
lebedev.ri added a reviewer: erichkeane.Aug 3 2018, 6:28 AM
erichkeane added inline comments.Aug 3 2018, 6:42 AM
lib/CodeGen/CGExprScalar.cpp
1198

I'd rather !SrcType->isInt || !DestType->isInt

1201

This seems like a silly assert, since you did the check above.

1220

Does this really need its own scope?

1222

Again, I'd rather we distribute the '!'.

1225

These scopes are getting out of hand... just kill them all. Introducing CanonSrcType/CanonDstType into the larger scope isn't that big of a deal.

1234

Curious what prevents this?

1244

// Is this value a signed type?

2215

Is this an error? You swapped a 'has' with a 'hasOneOf' but only listed a single thing.

lebedev.ri added inline comments.Aug 3 2018, 6:48 AM
lib/CodeGen/CGExprScalar.cpp
2215

ImplicitConversion is a *group*, which includes ImplicitIntegerTruncation and ImplicitIntegerSignChange.
So hasOneOf(group) checks that at least one check of the group is enabled.
No, this is correct, else the tests would break.

erichkeane added inline comments.Aug 3 2018, 6:50 AM
lib/CodeGen/CGExprScalar.cpp
2215

Ah! I missed that subtly, just LOOKed odd.

lebedev.ri updated this revision to Diff 159004.Aug 3 2018, 7:13 AM
lebedev.ri marked 5 inline comments as done.

Address most of @erichkeane review notes.

lib/CodeGen/CGExprScalar.cpp
1198

This i'd prefer to keep this as-is, since this is copied verbatim from ScalarExprEmitter::EmitIntegerTruncationCheck().

1201

If this assertion doesn't hold, we'll (hopefully!) hit an assertion somewhere down in the [IR] Builder.
I think it would be best to be proactive here.
(Similarly, this is copied verbatim from ScalarExprEmitter::EmitIntegerTruncationCheck().)

1220

Yeah, they got out of hand here..

1222

Here - ok.

1234

Right now this was simply copied from ScalarExprEmitter::EmitIntegerTruncationCheck(),
where it made sense (since conversion to bool should be comparison with 0, not truncation).
I'm not quite sure about booleans here. I think i should just drop it, at least for now.

1244

That reads strange, but i don't have a better idea.

erichkeane added inline comments.Aug 3 2018, 7:17 AM
lib/CodeGen/CGExprScalar.cpp
1198

If so much is being copied from EmitIntegerTruncationCheck, perhaps the two of these need to be the same function with an option/check on the sanitizer option on which it should do?

lebedev.ri added a project: Restricted Project.Aug 3 2018, 9:40 AM
lebedev.ri added inline comments.
lib/CodeGen/CGExprScalar.cpp
1198

I agree that code duplication is bad, but i'm not sure that inlining
both of these functions into an one huge one is the right solution.
The amount of actually duplicated code is somewhat small - one early-return
for non-integer types, and an assert that the llvm type is integer..

rsmith added inline comments.Aug 3 2018, 1:21 PM
lib/CodeGen/CGExprScalar.cpp
1226

I don't like the overlap between the implicit truncation check and this check. I think you should aim for exactly one of those checks to fire for any given integer conversion. There are the following cases:

  • Dst is smaller than Src: if the value changes at all (with sign change or without), then the truncation check already catches it, and catching it here does not seem useful
  • Dst is the same size as Src or larger: sign change is the only problem, and is only possible if exactly one of Src and Dst is signed

So I think you should bail out of this function if either Src and Dst are both unsigned or both are signed, and also if Src is larger than Dst (because we treat that case as a lossy truncation rather than as a sign change).

And when you do emit a check here, the only thing you need to check is if the signed value is negative (if so, you definitely changed the sign, and if not, you definitely didn't -- except in the truncation cases that the truncation sanitizer catches).

1240–1241

If !VSigned, the result is a constant false; you don't need to emit an icmp to work that out.

lebedev.ri added a comment.Aug 3 2018, 1:29 PM

@erichkeane, @rsmith thanks for taking a look!

lib/CodeGen/CGExprScalar.cpp
1226

To be clear: we want to skip emitting in those cases if the other check (truncation) is enabled, right?
It does seem to make sense, (and i did thought about that a bit), but i need to think about it more..

1240–1241

Ok, if you insist.
I didn't do that in the first place because we will now have an icmp
where one operand being a constant, so we can simplify it further.
And i don't want to complicate this logic if middle-end already handles it :)

rsmith added inline comments.Aug 3 2018, 2:26 PM
lib/CodeGen/CGExprScalar.cpp
1226

I think we want to skip emitting those checks always (regardless of whether the other sanitizer is enabled). One way to think of it: this sanitizer checks for non-truncating implicit integer conversions that change the value of the result. The other sanitizer checks for truncating implicit integer conversions that change the value of the result.

I don't see any point in allowing the user to ask to sanitize sign-changing truncation but not other value-changing truncations. That would lead to this:

int a = 0x17fffffff; // no sanitizer warning
int b = 0x180000000; // sanitizer warning
int c = 0x1ffffffff; // sanitizer warning
int d = 0x200000000; // no sanitizer warning

... which I think makes no sense.

1240–1241

This becomes a lot simpler with the approach I described in the other comment thread, because you don't need a second icmp eq at all.

rsmith added inline comments.Aug 3 2018, 2:46 PM
lib/CodeGen/CGExprScalar.cpp
1226

Hmm, wait, the "truncation" sanitizer doesn't catch this:

int a = 0x80000000u;

... does it? (Because it looks for cases where the value doesn't round-trip, not for cases where the value was changed by the truncation.)

I've thought a bit more about the user model and use cases for these sanitizers, and I think what we want is:

  • a sanitizer that checks for implicit conversions with data loss (the existing truncation sanitizer)
  • a sanitizer that checks for implicit conversions that change the value, where either the source or destination was signed (approximately what this sanitizer is doing)

The difference between that and what you have here is that I think the new sanitizer should catch all of these cases:

int a = 0x17fffffff;
int b = 0x180000000;
int c = 0x1ffffffff;
int d = 0x200000000;

... because while the initializations of a and d don't change the sign of the result, that's only because they wrap around *past* a sign change.

So, I think what you have here is fine for the SrcBits <= DstBits case, but for the SrcBits > DstBits case, you should also check whether the value is the same as the original (that is, perform the truncation check).

In order to avoid duplicating work when both sanitizers are enabled, it'd make sense to combine the two sanitizer functions into a single function and reuse the checks.

lebedev.ri updated this revision to Diff 159187.Aug 4 2018, 11:27 AM
lebedev.ri marked 11 inline comments as done.

Address most of @rsmith review notes.

lib/CodeGen/CGExprScalar.cpp
1226

Yep, makes sense. I don't think i have followed the recommendations to the letter,
but i think the end result is not worse than suggested. Added tests shows how it works now.

1240–1241

Humm. So i have initially did this. It is probably broken for non-scalars, but we don't care probably.

But then i thought more.

If we do not emit truncation check, we get icmp eq (icmp ...), false, which is tautological.
We can't just drop the outer icmp eq since we'd get the opposite value.
We could emit xor %icmp, -1 to invert it. Or simply invert the predicate, and avoid the second icmp.
By itself, either of these options doesn't sound that bad.

But if both are signed, we can't do that. So we have to have two different code paths...

If we do emit the icmp ult %x, 0, [it naturally works with vectors], we avoid complicating the front-end,
and the middle-end playfully simplifies this IR with no sweat.

So why do we want to complicate the front-end in this case, and not let the middle-end do it's job?
I'm unconvinced, and i have kept this as is. :/

lebedev.ri added inline comments.Aug 5 2018, 7:51 AM
lib/CodeGen/CGExprScalar.cpp
1144–1145

Actually, after messing with souper a little, if we are converting from *larger* *signed* type,
then the truncation check is sufficient already.
https://godbolt.org/g/DLVCy8
https://rise4fun.com/Alive/u2h

So it *seems* only the unsigned int -> signed char case is problematic.

lebedev.ri updated this revision to Diff 159230.Aug 5 2018, 11:56 AM

Do not emit sign-change check in signed int -> signed char case.
The truncation check is sufficient:
https://godbolt.org/g/r1wgQG
https://rise4fun.com/Alive/ifj

The middle-end [clearly] does not understand that,
but since the sign-change is completely unneeded here, it's not a blocker.

The unsigned int -> signed char case is the only oh-so-special one,
that needs both the truncation and sign change checks,
but the IR can be significantly improved, will handle that:
https://godbolt.org/g/q7e76x
https://rise4fun.com/Alive/2W8

lebedev.ri marked an inline comment as done.Aug 5 2018, 11:58 AM
lebedev.ri mentioned this in D50465: [InstCombine] Optimize redundant 'signed truncation check pattern'..Aug 8 2018, 10:46 AM
lebedev.ri added a parent revision: D50465: [InstCombine] Optimize redundant 'signed truncation check pattern'..
Diffusion mentioned this in rL339610: [InstCombine] Optimize redundant 'signed truncation check pattern'..Aug 13 2018, 1:33 PM
Diffusion mentioned this in rL339621: [InstCombine] Re-land: Optimize redundant 'signed truncation check pattern'..Aug 13 2018, 2:55 PM
lebedev.ri updated this revision to Diff 160458.Aug 13 2018, 3:09 PM

Ping.

Rebased, now that the D50465 has landed, and we are now able to properly optimize the ugliest case:

This comes with Implicit Conversion Sanitizer - integer sign change (D50250):

signed char test(unsigned int x) { return x; }

clang++ -fsanitize=implicit-conversion -S -emit-llvm -o - /tmp/test.cpp -O3

lebedev.ri added a parent revision: D50301: [InstCombine] De Morgan: sink 'not' into 'xor' (PR38446).Aug 14 2018, 9:39 AM
Diffusion mentioned this in rL339995: [NFC] Some small test updates for Implicit Conversion sanitizer..Aug 17 2018, 12:34 AM
Diffusion mentioned this in rC339995: [NFC] Some small test updates for Implicit Conversion sanitizer..
lebedev.ri planned changes to this revision.Aug 17 2018, 9:37 AM

Depends on D50901.
(which should land first, ideally.)

lebedev.ri added a parent revision: D50901: [clang][ubsan] Split Implicit Integer Truncation Sanitizer into unsigned and signed checks.Aug 17 2018, 9:38 AM
lebedev.ri updated this revision to Diff 162050.Aug 22 2018, 2:10 PM
lebedev.ri added a subscriber: chandlerc.

Rebased ontop of D50901, added

-  ``-fsanitize=implicit-integer-arithmetic-value-change``: Catches implicit
   conversions that change the arithmetic value of the integer. Enables
   ``implicit-signed-integer-truncation`` and ``implicit-integer-sign-change``.

as requested by @rsmith and @chandlerc.

lebedev.ri added inline comments.Aug 23 2018, 4:27 AM
lib/CodeGen/CGExprScalar.cpp
1240–1241

If !VSigned, the result is a constant false; you don't need to emit an icmp to work that out.

Even at -O0, dagcombine constant-folds (unsurprizingly) this case, https://godbolt.org/z/D5ueOq

lebedev.ri added a comment.Aug 28 2018, 11:55 AM

ping.

lebedev.ri added a comment.Sep 5 2018, 8:55 AM

Ping.

lebedev.ri added a comment.Sep 12 2018, 9:19 AM

Ping once again :)

rjmccall added a comment.Sep 16 2018, 11:52 PM

It might help if you're more specific about whose review you're asking for.

lebedev.ri added a comment.Sep 17 2018, 12:11 AM
In D50250#1236478, @rjmccall wrote:

It might help if you're more specific about whose review you're asking for.

I suppose the main suspect is still the @rsmith.
Though, D50901 is less controversial, so maybe best to start there..

lebedev.ri added a comment.Oct 2 2018, 12:25 PM

@rsmith Ping.
Though, D50901 is less controversial, so maybe best to start there..

lebedev.ri added a comment.Oct 7 2018, 11:48 PM

Ping.

lebedev.ri added a comment.Oct 15 2018, 3:38 AM

Ping.
The prerequisite "split truncation sanitizer into unsigned and signed cases" has landed.
I believe i have replied/addressed all the points previously raised here.
Would be awesome to get this going at long last :)

lebedev.ri added a comment.Oct 21 2018, 11:12 PM

@rsmith ping.

rsmith accepted this revision.Oct 23 2018, 3:14 PM

Just some minor nits.

docs/ReleaseNotes.rst
196

This seems inaccurate: -fsanitize=signed-integer-overflow is part of -fsanitize=integer and catches UB. Maybe "Like some other [...]"

200–201

This is a bit hard to read. Maybe reverse the order of these two lines.

lib/CodeGen/CGExprScalar.cpp
1075

Just emit i1 false directly in this case. IRBuilder generally only constant-folds values for you if all the operands are constant, and sanitizers are often used at -O0, so there's no guarantee that anyone else will clean this up.

1095–1107

Do we really need this comment? This seems kinda obvious.

1226

OK, so to be clear I'm following:

  • Any implicit conversion that truncates and changes the value triggers the truncation sanitizer (unsigned if both source and destination are unsigned, signed otherwise)
  • Any implicit conversion that results in a sign change triggers the sign change sanitizer
  • Any implicit conversion that triggers both sanitizers produces a single warning classified as ICCK_SignedIntegerTruncationOrSignChange (eg, the truncation changed the value, and the sign changed -- possibly multiple times -- when dropping bits)

That seems fine to me.

This revision is now accepted and ready to land.Oct 23 2018, 3:14 PM
lebedev.ri updated this revision to Diff 170952.Oct 24 2018, 12:30 PM
lebedev.ri marked 4 inline comments as done.
In D50250#1273415, @rsmith wrote:

Just some minor nits.

YES! Thank you for the [long-awaited] review!

Addressed review notes.
The compiler-rt part D50251 still needs a review before this can finally go in.

There is now a problem with SanitizerOrdinal - it's out of bits :)
After this, there isn't a single bit available.
I even had to drop one new sanitizer group that wasn't *strictly* needed just yet.
I should probably file a bug so this knowledge will not be lost.

lib/CodeGen/CGExprScalar.cpp
1075

Ok, fair enough.

1226

OK, so to be clear I'm following:

I do think that is what is going on.
It does warn on all of the cases you highlighted:

int a = 0x80000000u;

int a = 0x17fffffff;
int b = 0x180000000;
int c = 0x1ffffffff;
int d = 0x200000000;
lebedev.ri updated this revision to Diff 171688.Oct 30 2018, 6:59 AM

Rebased, NFC.

Closed by commit rL345660: [clang][ubsan] Implicit Conversion Sanitizer - integer sign change - clang part (authored by lebedevri). · Explain WhyOct 30 2018, 3:02 PM
This revision was automatically updated to reflect the committed changes.
Diffusion mentioned this in rCRT345659: [compiler-rt][ubsan] Implicit Conversion Sanitizer - integer sign change….
Diffusion mentioned this in rL345659: [compiler-rt][ubsan] Implicit Conversion Sanitizer - integer sign change….
Herald added a subscriber: llvm-commits. · View Herald TranscriptOct 30 2018, 3:03 PM
lebedev.ri added a child revision: D53949: [clang][CodeGen] Implicit Conversion Sanitizer: discover the world of CompoundAssign operators.Nov 3 2018, 12:55 AM

Revision Contents

Diff 170952

docs/ReleaseNotes.rst

Show First 20 LinesShow All 172 Lines▼ Show 20 Lines
... ...
.. _release-notes-ubsan: .. _release-notes-ubsan:
Undefined Behavior Sanitizer (UBSan) Undefined Behavior Sanitizer (UBSan)
------------------------------------ ------------------------------------
* The Implicit Conversion Sanitizer (``-fsanitize=implicit-conversion``) group
was extended. One more type of issues is caught - implicit integer sign change.
(``-fsanitize=implicit-integer-sign-change``).
While there is a ``-Wsign-conversion`` diagnostic group that catches this kind
of issues, it is both noisy, and does not catch **all** the cases.
.. code-block:: c++
bool consume(unsigned int val);
void test(int val) {
(void)consume(val); // If the value was negative, it is now large positive.
(void)consume((unsigned int)val); // OK, the conversion is explicit.
}
Like some other ``-fsanitize=integer`` checks, these issues are **not**
rsmithUnsubmitted
Done
ReplyInline Actions

This seems inaccurate: -fsanitize=signed-integer-overflow is part of -fsanitize=integer and catches UB. Maybe "Like some other [...]"

rsmith: This seems inaccurate: `-fsanitize=signed-integer-overflow` is part of `-fsanitize=integer` and…
undefined behaviour. But they are not *always* intentional, and are somewhat
hard to track down. This group is **not** enabled by ``-fsanitize=undefined``,
but the ``-fsanitize=implicit-integer-sign-change`` check
is enabled by ``-fsanitize=integer``.
(as is ``-fsanitize=implicit-integer-truncation`` check)
rsmithUnsubmitted
Done
ReplyInline Actions

This is a bit hard to read. Maybe reverse the order of these two lines.

rsmith: This is a bit hard to read. Maybe reverse the order of these two lines.
Core Analysis Improvements Core Analysis Improvements
========================== ==========================
- ... - ...
New Issues Found New Issues Found
================ ================
Show All 26 Lines

docs/UndefinedBehaviorSanitizer.rst

Show First 20 LinesShow All 94 Lines▼ Show 20 Lines - ``-fsanitize=implicit-unsigned-integer-truncation``,
loss. That is, if the demoted value, after casting back to the original loss. That is, if the demoted value, after casting back to the original
width, is not equal to the original value before the downcast. width, is not equal to the original value before the downcast.
The ``-fsanitize=implicit-unsigned-integer-truncation`` handles conversions The ``-fsanitize=implicit-unsigned-integer-truncation`` handles conversions
between two ``unsigned`` types, while between two ``unsigned`` types, while
``-fsanitize=implicit-signed-integer-truncation`` handles the rest of the ``-fsanitize=implicit-signed-integer-truncation`` handles the rest of the
conversions - when either one, or both of the types are signed. conversions - when either one, or both of the types are signed.
Issues caught by these sanitizers are not undefined behavior, Issues caught by these sanitizers are not undefined behavior,
but are often unintentional. but are often unintentional.
- ``-fsanitize=implicit-integer-sign-change``: Implicit conversion between
integer types, if that changes the sign of the value. That is, if the the
original value was negative and the new value is positive (or zero),
or the original value was positive, and the new value is negative.
Issues caught by this sanitizer are not undefined behavior,
but are often unintentional.
- ``-fsanitize=integer-divide-by-zero``: Integer division by zero. - ``-fsanitize=integer-divide-by-zero``: Integer division by zero.
- ``-fsanitize=nonnull-attribute``: Passing null pointer as a function - ``-fsanitize=nonnull-attribute``: Passing null pointer as a function
parameter which is declared to never be null. parameter which is declared to never be null.
- ``-fsanitize=null``: Use of a null pointer or creation of a null - ``-fsanitize=null``: Use of a null pointer or creation of a null
reference. reference.
- ``-fsanitize=nullability-arg``: Passing null as a function parameter - ``-fsanitize=nullability-arg``: Passing null as a function parameter
which is annotated with ``_Nonnull``. which is annotated with ``_Nonnull``.
- ``-fsanitize=nullability-assign``: Assigning null to an lvalue which - ``-fsanitize=nullability-assign``: Assigning null to an lvalue which
▲ Show 20 LinesShow All 45 Lines▼ Show 20 Lines - ``-fsanitize=vptr``: Use of an object whose vptr indicates that it is of
standard libraries are present. standard libraries are present.
You can also use the following check groups: You can also use the following check groups:
- ``-fsanitize=undefined``: All of the checks listed above other than - ``-fsanitize=undefined``: All of the checks listed above other than
``unsigned-integer-overflow``, ``implicit-conversion`` and the ``unsigned-integer-overflow``, ``implicit-conversion`` and the
``nullability-*`` group of checks. ``nullability-*`` group of checks.
- ``-fsanitize=undefined-trap``: Deprecated alias of - ``-fsanitize=undefined-trap``: Deprecated alias of
``-fsanitize=undefined``. ``-fsanitize=undefined``.
- ``-fsanitize=implicit-integer-truncation``: Catches lossy integral
conversions. Enables ``implicit-signed-integer-truncation`` and
``implicit-unsigned-integer-truncation``.
- ``-fsanitize=implicit-integer-arithmetic-value-change``: Catches implicit
conversions that change the arithmetic value of the integer. Enables
``implicit-signed-integer-truncation`` and ``implicit-integer-sign-change``.
- ``-fsanitize=implicit-conversion``: Checks for suspicious
behaviour of implicit conversions. Enables
``implicit-unsigned-integer-truncation``,
``implicit-signed-integer-truncation`` and
``implicit-integer-sign-change``.
- ``-fsanitize=integer``: Checks for undefined or suspicious integer - ``-fsanitize=integer``: Checks for undefined or suspicious integer
behavior (e.g. unsigned integer overflow). behavior (e.g. unsigned integer overflow).
Enables ``signed-integer-overflow``, ``unsigned-integer-overflow``, Enables ``signed-integer-overflow``, ``unsigned-integer-overflow``,
``shift``, ``integer-divide-by-zero``, and ``implicit-integer-truncation``. ``shift``, ``integer-divide-by-zero``,
- ``fsanitize=implicit-integer-truncation``: Checks for implicit integral ``implicit-unsigned-integer-truncation``,
conversions that result in data loss. ``implicit-signed-integer-truncation`` and
Enables ``implicit-unsigned-integer-truncation`` and ``implicit-integer-sign-change``.
``implicit-signed-integer-truncation``.
- ``-fsanitize=implicit-conversion``: Checks for suspicious behaviours of
implicit conversions.
Currently, only ``-fsanitize=implicit-integer-truncation`` is implemented.
- ``-fsanitize=nullability``: Enables ``nullability-arg``, - ``-fsanitize=nullability``: Enables ``nullability-arg``,
``nullability-assign``, and ``nullability-return``. While violating ``nullability-assign``, and ``nullability-return``. While violating
nullability does not have undefined behavior, it is often unintentional, nullability does not have undefined behavior, it is often unintentional,
so UBSan offers to catch it. so UBSan offers to catch it.
Volatile Volatile
-------- --------
▲ Show 20 LinesShow All 140 LinesShow Last 20 Lines

include/clang/Basic/Sanitizers.def

Show First 20 LinesShow All 136 Lines▼ Show 20 Lines
// ImplicitConversionSanitizer // ImplicitConversionSanitizer
SANITIZER("implicit-unsigned-integer-truncation", SANITIZER("implicit-unsigned-integer-truncation",
ImplicitUnsignedIntegerTruncation) ImplicitUnsignedIntegerTruncation)
SANITIZER("implicit-signed-integer-truncation", ImplicitSignedIntegerTruncation) SANITIZER("implicit-signed-integer-truncation", ImplicitSignedIntegerTruncation)
SANITIZER_GROUP("implicit-integer-truncation", ImplicitIntegerTruncation, SANITIZER_GROUP("implicit-integer-truncation", ImplicitIntegerTruncation,
ImplicitUnsignedIntegerTruncation | ImplicitUnsignedIntegerTruncation |
ImplicitSignedIntegerTruncation) ImplicitSignedIntegerTruncation)
SANITIZER("implicit-integer-sign-change", ImplicitIntegerSignChange)
SANITIZER_GROUP("implicit-integer-arithmetic-value-change",
ImplicitIntegerArithmeticValueChange,
ImplicitIntegerSignChange | ImplicitSignedIntegerTruncation)
// FIXME:
//SANITIZER_GROUP("implicit-integer-conversion", ImplicitIntegerConversion,
// ImplicitIntegerArithmeticValueChange |
// ImplicitUnsignedIntegerTruncation)
//SANITIZER_GROUP("implicit-conversion", ImplicitConversion,
// ImplicitIntegerConversion)
SANITIZER_GROUP("implicit-conversion", ImplicitConversion, SANITIZER_GROUP("implicit-conversion", ImplicitConversion,
ImplicitIntegerTruncation) ImplicitIntegerArithmeticValueChange |
ImplicitUnsignedIntegerTruncation)
SANITIZER_GROUP("integer", Integer, SANITIZER_GROUP("integer", Integer,
ImplicitIntegerTruncation | IntegerDivideByZero | Shift | ImplicitConversion | IntegerDivideByZero | Shift |
SignedIntegerOverflow | UnsignedIntegerOverflow) SignedIntegerOverflow | UnsignedIntegerOverflow)
SANITIZER("local-bounds", LocalBounds) SANITIZER("local-bounds", LocalBounds)
SANITIZER_GROUP("bounds", Bounds, ArrayBounds | LocalBounds) SANITIZER_GROUP("bounds", Bounds, ArrayBounds | LocalBounds)
// EfficiencySanitizer // EfficiencySanitizer
SANITIZER("efficiency-cache-frag", EfficiencyCacheFrag) SANITIZER("efficiency-cache-frag", EfficiencyCacheFrag)
SANITIZER("efficiency-working-set", EfficiencyWorkingSet) SANITIZER("efficiency-working-set", EfficiencyWorkingSet)
Show All 13 Lines

lib/CodeGen/CGExprScalar.cpp

Show First 20 LinesShow All 300 Lines▼ Show 20 Lines void EmitFloatConversionCheck(Value *OrigSrc, QualType OrigSrcType,
llvm::Type *DstTy, SourceLocation Loc); llvm::Type *DstTy, SourceLocation Loc);
/// Known implicit conversion check kinds. /// Known implicit conversion check kinds.
/// Keep in sync with the enum of the same name in ubsan_handlers.h /// Keep in sync with the enum of the same name in ubsan_handlers.h
enum ImplicitConversionCheckKind : unsigned char { enum ImplicitConversionCheckKind : unsigned char {
ICCK_IntegerTruncation = 0, // Legacy, was only used by clang 7. ICCK_IntegerTruncation = 0, // Legacy, was only used by clang 7.
ICCK_UnsignedIntegerTruncation = 1, ICCK_UnsignedIntegerTruncation = 1,
ICCK_SignedIntegerTruncation = 2, ICCK_SignedIntegerTruncation = 2,
ICCK_IntegerSignChange = 3,
ICCK_SignedIntegerTruncationOrSignChange = 4,
}; };
/// Emit a check that an [implicit] truncation of an integer does not /// Emit a check that an [implicit] truncation of an integer does not
/// discard any bits. It is not UB, so we use the value after truncation. /// discard any bits. It is not UB, so we use the value after truncation.
void EmitIntegerTruncationCheck(Value *Src, QualType SrcType, Value *Dst, void EmitIntegerTruncationCheck(Value *Src, QualType SrcType, Value *Dst,
QualType DstType, SourceLocation Loc); QualType DstType, SourceLocation Loc);
/// Emit a check that an [implicit] conversion of an integer does not change
/// the sign of the value. It is not UB, so we use the value after conversion.
/// NOTE: Src and Dst may be the exact same value! (point to the same thing)
void EmitIntegerSignChangeCheck(Value *Src, QualType SrcType, Value *Dst,
QualType DstType, SourceLocation Loc);
/// Emit a conversion from the specified type to the specified destination /// Emit a conversion from the specified type to the specified destination
/// type, both of which are LLVM scalar types. /// type, both of which are LLVM scalar types.
struct ScalarConversionOpts { struct ScalarConversionOpts {
bool TreatBooleanAsSigned; bool TreatBooleanAsSigned;
bool EmitImplicitIntegerTruncationChecks; bool EmitImplicitIntegerTruncationChecks;
bool EmitImplicitIntegerSignChangeChecks;
ScalarConversionOpts() ScalarConversionOpts()
: TreatBooleanAsSigned(false), : TreatBooleanAsSigned(false),
EmitImplicitIntegerTruncationChecks(false) {} EmitImplicitIntegerTruncationChecks(false),
EmitImplicitIntegerSignChangeChecks(false) {}
}; };
Value * Value *
EmitScalarConversion(Value *Src, QualType SrcTy, QualType DstTy, EmitScalarConversion(Value *Src, QualType SrcTy, QualType DstTy,
SourceLocation Loc, SourceLocation Loc,
ScalarConversionOpts Opts = ScalarConversionOpts()); ScalarConversionOpts Opts = ScalarConversionOpts());
Value *EmitFixedPointConversion(Value *Src, QualType SrcTy, QualType DstTy, Value *EmitFixedPointConversion(Value *Src, QualType SrcTy, QualType DstTy,
SourceLocation Loc); SourceLocation Loc);
▲ Show 20 LinesShow All 609 Lines▼ Show 20 Linesvoid ScalarExprEmitter::EmitFloatConversionCheck(
llvm::Constant *StaticArgs[] = {CGF.EmitCheckSourceLocation(Loc), llvm::Constant *StaticArgs[] = {CGF.EmitCheckSourceLocation(Loc),
CGF.EmitCheckTypeDescriptor(OrigSrcType), CGF.EmitCheckTypeDescriptor(OrigSrcType),
CGF.EmitCheckTypeDescriptor(DstType)}; CGF.EmitCheckTypeDescriptor(DstType)};
CGF.EmitCheck(std::make_pair(Check, SanitizerKind::FloatCastOverflow), CGF.EmitCheck(std::make_pair(Check, SanitizerKind::FloatCastOverflow),
SanitizerHandler::FloatCastOverflow, StaticArgs, OrigSrc); SanitizerHandler::FloatCastOverflow, StaticArgs, OrigSrc);
} }
// Should be called within CodeGenFunction::SanitizerScope RAII scope.
// Returns 'i1 false' when the truncation Src -> Dst was lossy.
static std::pair<ScalarExprEmitter::ImplicitConversionCheckKind,
std::pair<llvm::Value *, SanitizerMask>>
EmitIntegerTruncationCheckHelper(Value *Src, QualType SrcType, Value *Dst,
QualType DstType, CGBuilderTy &Builder) {
llvm::Type *SrcTy = Src->getType();
llvm::Type *DstTy = Dst->getType();
// This should be truncation of integral types.
assert(Src != Dst);
assert(SrcTy->getScalarSizeInBits() > Dst->getType()->getScalarSizeInBits());
assert(isa<llvm::IntegerType>(SrcTy) && isa<llvm::IntegerType>(DstTy) &&
"non-integer llvm type");
bool SrcSigned = SrcType->isSignedIntegerOrEnumerationType();
bool DstSigned = DstType->isSignedIntegerOrEnumerationType();
// If both (src and dst) types are unsigned, then it's an unsigned truncation.
// Else, it is a signed truncation.
ScalarExprEmitter::ImplicitConversionCheckKind Kind;
SanitizerMask Mask;
if (!SrcSigned && !DstSigned) {
Kind = ScalarExprEmitter::ICCK_UnsignedIntegerTruncation;
Mask = SanitizerKind::ImplicitUnsignedIntegerTruncation;
} else {
Kind = ScalarExprEmitter::ICCK_SignedIntegerTruncation;
Mask = SanitizerKind::ImplicitSignedIntegerTruncation;
}
llvm::Value *Check = nullptr;
// 1. Extend the truncated value back to the same width as the Src.
Check = Builder.CreateIntCast(Dst, SrcTy, DstSigned, "anyext");
// 2. Equality-compare with the original source value
Check = Builder.CreateICmpEQ(Check, Src, "truncheck");
// If the comparison result is 'i1 false', then the truncation was lossy.
return std::make_pair(Kind, std::make_pair(Check, Mask));
}
void ScalarExprEmitter::EmitIntegerTruncationCheck(Value *Src, QualType SrcType, void ScalarExprEmitter::EmitIntegerTruncationCheck(Value *Src, QualType SrcType,
Value *Dst, QualType DstType, Value *Dst, QualType DstType,
SourceLocation Loc) { SourceLocation Loc) {
if (!CGF.SanOpts.hasOneOf(SanitizerKind::ImplicitIntegerTruncation)) if (!CGF.SanOpts.hasOneOf(SanitizerKind::ImplicitIntegerTruncation))
return; return;
llvm::Type *SrcTy = Src->getType();
llvm::Type *DstTy = Dst->getType();
// We only care about int->int conversions here. // We only care about int->int conversions here.
// We ignore conversions to/from pointer and/or bool. // We ignore conversions to/from pointer and/or bool.
if (!(SrcType->isIntegerType() && DstType->isIntegerType())) if (!(SrcType->isIntegerType() && DstType->isIntegerType()))
return; return;
assert(isa<llvm::IntegerType>(SrcTy) && isa<llvm::IntegerType>(DstTy) && unsigned SrcBits = Src->getType()->getScalarSizeInBits();
"clang integer type lowered to non-integer llvm type"); unsigned DstBits = Dst->getType()->getScalarSizeInBits();
unsigned SrcBits = SrcTy->getScalarSizeInBits();
unsigned DstBits = DstTy->getScalarSizeInBits();
// This must be truncation. Else we do not care. // This must be truncation. Else we do not care.
if (SrcBits <= DstBits) if (SrcBits <= DstBits)
return; return;
assert(!DstType->isBooleanType() && "we should not get here with booleans."); assert(!DstType->isBooleanType() && "we should not get here with booleans.");
// If the integer sign change sanitizer is enabled,
// and we are truncating from larger unsigned type to smaller signed type,
// let that next sanitizer deal with it.
bool SrcSigned = SrcType->isSignedIntegerOrEnumerationType(); bool SrcSigned = SrcType->isSignedIntegerOrEnumerationType();
bool DstSigned = DstType->isSignedIntegerOrEnumerationType(); bool DstSigned = DstType->isSignedIntegerOrEnumerationType();
if (CGF.SanOpts.has(SanitizerKind::ImplicitIntegerSignChange) &&
(!SrcSigned && DstSigned))
return;
// If both (src and dst) types are unsigned, then it's an unsigned truncation. CodeGenFunction::SanitizerScope SanScope(&CGF);
// Else, it is a signed truncation.
ImplicitConversionCheckKind Kind; std::pair<ScalarExprEmitter::ImplicitConversionCheckKind,
SanitizerMask Mask; std::pair<llvm::Value *, SanitizerMask>>
if (!SrcSigned && !DstSigned) { Check =
Kind = ICCK_UnsignedIntegerTruncation; EmitIntegerTruncationCheckHelper(Src, SrcType, Dst, DstType, Builder);
Mask = SanitizerKind::ImplicitUnsignedIntegerTruncation; // If the comparison result is 'i1 false', then the truncation was lossy.
} else {
Kind = ICCK_SignedIntegerTruncation;
Mask = SanitizerKind::ImplicitSignedIntegerTruncation;
}
// Do we care about this type of truncation? // Do we care about this type of truncation?
if (!CGF.SanOpts.has(Mask)) if (!CGF.SanOpts.has(Check.second.second))
return; return;
CodeGenFunction::SanitizerScope SanScope(&CGF); llvm::Constant *StaticArgs[] = {
CGF.EmitCheckSourceLocation(Loc), CGF.EmitCheckTypeDescriptor(SrcType),
CGF.EmitCheckTypeDescriptor(DstType),
llvm::ConstantInt::get(Builder.getInt8Ty(), Check.first)};
CGF.EmitCheck(Check.second, SanitizerHandler::ImplicitConversion, StaticArgs,
{Src, Dst});
}
// Should be called within CodeGenFunction::SanitizerScope RAII scope.
// Returns 'i1 false' when the conversion Src -> Dst changed the sign.
static std::pair<ScalarExprEmitter::ImplicitConversionCheckKind,
std::pair<llvm::Value *, SanitizerMask>>
EmitIntegerSignChangeCheckHelper(Value *Src, QualType SrcType, Value *Dst,
QualType DstType, CGBuilderTy &Builder) {
llvm::Type *SrcTy = Src->getType();
llvm::Type *DstTy = Dst->getType();
assert(isa<llvm::IntegerType>(SrcTy) && isa<llvm::IntegerType>(DstTy) &&
"non-integer llvm type");
bool SrcSigned = SrcType->isSignedIntegerOrEnumerationType();
bool DstSigned = DstType->isSignedIntegerOrEnumerationType();
unsigned SrcBits = SrcTy->getScalarSizeInBits();
unsigned DstBits = DstTy->getScalarSizeInBits();
(void)SrcBits; // Only used in assert()
(void)DstBits; // Only used in assert()
assert(((SrcBits != DstBits) || (SrcSigned != DstSigned)) &&
"either the widths should be different, or the signednesses.");
// NOTE: zero value is considered to be non-negative.
auto EmitIsNegativeTest = [&Builder](Value *V, QualType VType,
const char *Name) -> Value * {
// Is this value a signed type?
bool VSigned = VType->isSignedIntegerOrEnumerationType();
llvm::Type *VTy = V->getType();
if (!VSigned) {
rsmithUnsubmitted
Done
ReplyInline Actions

Just emit i1 false directly in this case. IRBuilder generally only constant-folds values for you if all the operands are constant, and sanitizers are often used at -O0, so there's no guarantee that anyone else will clean this up.

rsmith: Just emit `i1 false` directly in this case. `IRBuilder` generally only constant-folds values…
lebedev.riAuthorUnsubmitted
Not Done
ReplyInline Actions

Ok, fair enough.

lebedev.ri: Ok, fair enough.
// If the value is unsigned, then it is never negative.
// FIXME: can we encounter non-scalar VTy here?
return llvm::ConstantInt::getFalse(VTy->getContext());
}
// Get the zero of the same type with which we will be comparing.
llvm::Constant *Zero = llvm::ConstantInt::get(VTy, 0);
// %V.isnegative = icmp slt %V, 0
// I.e is %V *strictly* less than zero, does it have negative value?
return Builder.CreateICmp(llvm::ICmpInst::ICMP_SLT, V, Zero,
llvm::Twine(Name) + "." + V->getName() +
".negativitycheck");
};
// 1. Was the old Value negative?
llvm::Value *SrcIsNegative = EmitIsNegativeTest(Src, SrcType, "src");
// 2. Is the new Value negative?
llvm::Value *DstIsNegative = EmitIsNegativeTest(Dst, DstType, "dst");
// 3. Now, was the 'negativity status' preserved during the conversion?
// NOTE: conversion from negative to zero is considered to change the sign.
// (We want to get 'false' when the conversion changed the sign)
// So we should just equality-compare the negativity statuses.
llvm::Value *Check = nullptr; llvm::Value *Check = nullptr;
Check = Builder.CreateICmpEQ(SrcIsNegative, DstIsNegative, "signchangecheck");
// If the comparison result is 'false', then the conversion changed the sign.
return std::make_pair(
ScalarExprEmitter::ICCK_IntegerSignChange,
std::make_pair(Check, SanitizerKind::ImplicitIntegerSignChange));
}
// 1. Extend the truncated value back to the same width as the Src. void ScalarExprEmitter::EmitIntegerSignChangeCheck(Value *Src, QualType SrcType,
Check = Builder.CreateIntCast(Dst, SrcTy, DstSigned, "anyext"); Value *Dst, QualType DstType,
// 2. Equality-compare with the original source value SourceLocation Loc) {
rsmithUnsubmitted
Done
ReplyInline Actions

Do we really need this comment? This seems kinda obvious.

rsmith: Do we really need this comment? This seems kinda obvious.
Check = Builder.CreateICmpEQ(Check, Src, "truncheck"); if (!CGF.SanOpts.has(SanitizerKind::ImplicitIntegerSignChange))
return;
llvm::Type *SrcTy = Src->getType();
llvm::Type *DstTy = Dst->getType();
// We only care about int->int conversions here.
// We ignore conversions to/from pointer and/or bool.
if (!(SrcType->isIntegerType() && DstType->isIntegerType()))
return;
bool SrcSigned = SrcType->isSignedIntegerOrEnumerationType();
bool DstSigned = DstType->isSignedIntegerOrEnumerationType();
unsigned SrcBits = SrcTy->getScalarSizeInBits();
unsigned DstBits = DstTy->getScalarSizeInBits();
// Now, we do not need to emit the check in *all* of the cases.
// We can avoid emitting it in some obvious cases where it would have been
// dropped by the opt passes (instcombine) always anyways.
// If it's a cast between the same type, just differently-sugared. no check.
QualType CanonSrcType = CGF.getContext().getCanonicalType(SrcType);
QualType CanonDstType = CGF.getContext().getCanonicalType(DstType);
if (CanonSrcType == CanonDstType)
return;
// At least one of the values needs to have signed type.
// If both are unsigned, then obviously, neither of them can be negative.
if (!SrcSigned && !DstSigned)
return;
// If the conversion is to *larger* *signed* type, then no check is needed.
// Because either sign-extension happens (so the sign will remain),
// or zero-extension will happen (the sign bit will be zero.)
if ((DstBits > SrcBits) && DstSigned)
return;
if (CGF.SanOpts.has(SanitizerKind::ImplicitSignedIntegerTruncation) &&
(SrcBits > DstBits) && SrcSigned) {
// If the signed integer truncation sanitizer is enabled,
// and this is a truncation from signed type, then no check is needed.
// Because here sign change check is interchangeable with truncation check.
lebedev.riAuthorUnsubmitted
Done
ReplyInline Actions

Actually, after messing with souper a little, if we are converting from *larger* *signed* type,
then the truncation check is sufficient already.
https://godbolt.org/g/DLVCy8
https://rise4fun.com/Alive/u2h

So it *seems* only the unsigned int -> signed char case is problematic.

lebedev.ri: Actually, after messing with souper a little, if we are converting from *larger* *signed* type…
return;
}
// That's it. We can't rule out any more cases with the data we have.
CodeGenFunction::SanitizerScope SanScope(&CGF);
std::pair<ScalarExprEmitter::ImplicitConversionCheckKind,
std::pair<llvm::Value *, SanitizerMask>>
Check;
// Each of these checks needs to return 'false' when an issue was detected.
ImplicitConversionCheckKind CheckKind;
llvm::SmallVector<std::pair<llvm::Value *, SanitizerMask>, 2> Checks;
// So we can 'and' all the checks together, and still get 'false',
// if at least one of the checks detected an issue.
Check = EmitIntegerSignChangeCheckHelper(Src, SrcType, Dst, DstType, Builder);
CheckKind = Check.first;
Checks.emplace_back(Check.second);
if (CGF.SanOpts.has(SanitizerKind::ImplicitSignedIntegerTruncation) &&
(SrcBits > DstBits) && !SrcSigned && DstSigned) {
// If the signed integer truncation sanitizer was enabled,
// and we are truncating from larger unsigned type to smaller signed type,
// let's handle the case we skipped in that check.
Check =
EmitIntegerTruncationCheckHelper(Src, SrcType, Dst, DstType, Builder);
CheckKind = ICCK_SignedIntegerTruncationOrSignChange;
Checks.emplace_back(Check.second);
// If the comparison result is 'i1 false', then the truncation was lossy. // If the comparison result is 'i1 false', then the truncation was lossy.
}
llvm::Constant *StaticArgs[] = { llvm::Constant *StaticArgs[] = {
CGF.EmitCheckSourceLocation(Loc), CGF.EmitCheckTypeDescriptor(SrcType), CGF.EmitCheckSourceLocation(Loc), CGF.EmitCheckTypeDescriptor(SrcType),
CGF.EmitCheckTypeDescriptor(DstType), CGF.EmitCheckTypeDescriptor(DstType),
llvm::ConstantInt::get(Builder.getInt8Ty(), Kind)}; llvm::ConstantInt::get(Builder.getInt8Ty(), CheckKind)};
CGF.EmitCheck(std::make_pair(Check, Mask), // EmitCheck() will 'and' all the checks together.
SanitizerHandler::ImplicitConversion, StaticArgs, {Src, Dst}); CGF.EmitCheck(Checks, SanitizerHandler::ImplicitConversion, StaticArgs,
{Src, Dst});
} }
/// Emit a conversion from the specified type to the specified destination type, /// Emit a conversion from the specified type to the specified destination type,
/// both of which are LLVM scalar types. /// both of which are LLVM scalar types.
Value *ScalarExprEmitter::EmitScalarConversion(Value *Src, QualType SrcType, Value *ScalarExprEmitter::EmitScalarConversion(Value *Src, QualType SrcType,
QualType DstType, QualType DstType,
SourceLocation Loc, SourceLocation Loc,
ScalarConversionOpts Opts) { ScalarConversionOpts Opts) {
// All conversions involving fixed point types should be handled by the // All conversions involving fixed point types should be handled by the
// EmitFixedPoint family functions. This is done to prevent bloating up this // EmitFixedPoint family functions. This is done to prevent bloating up this
// function more, and although fixed point numbers are represented by // function more, and although fixed point numbers are represented by
// integers, we do not want to follow any logic that assumes they should be // integers, we do not want to follow any logic that assumes they should be
// treated as integers. // treated as integers.
// TODO(leonardchan): When necessary, add another if statement checking for // TODO(leonardchan): When necessary, add another if statement checking for
erichkeaneUnsubmitted
Not Done
ReplyInline Actions

I'd rather !SrcType->isInt || !DestType->isInt

erichkeane: I'd rather !SrcType->isInt || !DestType->isInt
lebedev.riAuthorUnsubmitted
Not Done
ReplyInline Actions

This i'd prefer to keep this as-is, since this is copied verbatim from ScalarExprEmitter::EmitIntegerTruncationCheck().

lebedev.ri: This i'd prefer to keep this as-is, since this is copied verbatim from `ScalarExprEmitter…
erichkeaneUnsubmitted
Not Done
ReplyInline Actions

If so much is being copied from EmitIntegerTruncationCheck, perhaps the two of these need to be the same function with an option/check on the sanitizer option on which it should do?

erichkeane: If so much is being copied from EmitIntegerTruncationCheck, perhaps the two of these need to be…
lebedev.riAuthorUnsubmitted
Not Done
ReplyInline Actions

I agree that code duplication is bad, but i'm not sure that inlining
both of these functions into an one huge one is the right solution.
The amount of actually duplicated code is somewhat small - one early-return
for non-integer types, and an assert that the llvm type is integer..

lebedev.ri: I agree that code duplication is bad, but i'm not sure that inlining both of these functions…
// conversions to fixed point types from other types. // conversions to fixed point types from other types.
if (SrcType->isFixedPointType()) { if (SrcType->isFixedPointType()) {
if (DstType->isFixedPointType()) { if (DstType->isFixedPointType()) {
erichkeaneUnsubmitted
Not Done
ReplyInline Actions

This seems like a silly assert, since you did the check above.

erichkeane: This seems like a silly assert, since you did the check above.
lebedev.riAuthorUnsubmitted
Not Done
ReplyInline Actions

If this assertion doesn't hold, we'll (hopefully!) hit an assertion somewhere down in the [IR] Builder.
I think it would be best to be proactive here.
(Similarly, this is copied verbatim from ScalarExprEmitter::EmitIntegerTruncationCheck().)

lebedev.ri: If this assertion doesn't hold, we'll (hopefully!) hit an assertion somewhere down in the [IR]…
return EmitFixedPointConversion(Src, SrcType, DstType, Loc); return EmitFixedPointConversion(Src, SrcType, DstType, Loc);
} else if (DstType->isBooleanType()) { } else if (DstType->isBooleanType()) {
// We do not need to check the padding bit on unsigned types if unsigned // We do not need to check the padding bit on unsigned types if unsigned
// padding is enabled because overflow into this bit is undefined // padding is enabled because overflow into this bit is undefined
// behavior. // behavior.
return Builder.CreateIsNotNull(Src); return Builder.CreateIsNotNull(Src);
} }
llvm_unreachable( llvm_unreachable(
"Unhandled scalar conversion involving a fixed point type."); "Unhandled scalar conversion involving a fixed point type.");
} }
QualType NoncanonicalSrcType = SrcType; QualType NoncanonicalSrcType = SrcType;
QualType NoncanonicalDstType = DstType; QualType NoncanonicalDstType = DstType;
SrcType = CGF.getContext().getCanonicalType(SrcType); SrcType = CGF.getContext().getCanonicalType(SrcType);
DstType = CGF.getContext().getCanonicalType(DstType); DstType = CGF.getContext().getCanonicalType(DstType);
if (SrcType == DstType) return Src; if (SrcType == DstType) return Src;
erichkeaneUnsubmitted
Done
ReplyInline Actions

Does this really need its own scope?

erichkeane: Does this really need its own scope?
lebedev.riAuthorUnsubmitted
Done
ReplyInline Actions

Yeah, they got out of hand here..

lebedev.ri: Yeah, they got out of hand here..
if (DstType->isVoidType()) return nullptr; if (DstType->isVoidType()) return nullptr;
erichkeaneUnsubmitted
Done
ReplyInline Actions

Again, I'd rather we distribute the '!'.

erichkeane: Again, I'd rather we distribute the '!'.
lebedev.riAuthorUnsubmitted
Done
ReplyInline Actions

Here - ok.

lebedev.ri: Here - ok.
llvm::Value *OrigSrc = Src; llvm::Value *OrigSrc = Src;
QualType OrigSrcType = SrcType; QualType OrigSrcType = SrcType;
llvm::Type *SrcTy = Src->getType(); llvm::Type *SrcTy = Src->getType();
erichkeaneUnsubmitted
Done
ReplyInline Actions

These scopes are getting out of hand... just kill them all. Introducing CanonSrcType/CanonDstType into the larger scope isn't that big of a deal.

erichkeane: These scopes are getting out of hand... just kill them all. Introducing…
rsmithUnsubmitted
Done
ReplyInline Actions

I don't like the overlap between the implicit truncation check and this check. I think you should aim for exactly one of those checks to fire for any given integer conversion. There are the following cases:

  • Dst is smaller than Src: if the value changes at all (with sign change or without), then the truncation check already catches it, and catching it here does not seem useful
  • Dst is the same size as Src or larger: sign change is the only problem, and is only possible if exactly one of Src and Dst is signed

So I think you should bail out of this function if either Src and Dst are both unsigned or both are signed, and also if Src is larger than Dst (because we treat that case as a lossy truncation rather than as a sign change).

And when you do emit a check here, the only thing you need to check is if the signed value is negative (if so, you definitely changed the sign, and if not, you definitely didn't -- except in the truncation cases that the truncation sanitizer catches).

rsmith: I don't like the overlap between the implicit truncation check and this check. I think you…
lebedev.riAuthorUnsubmitted
Done
ReplyInline Actions

To be clear: we want to skip emitting in those cases if the other check (truncation) is enabled, right?
It does seem to make sense, (and i did thought about that a bit), but i need to think about it more..

lebedev.ri: To be clear: we want to skip emitting in those cases if the other check (truncation) is enabled…
rsmithUnsubmitted
Done
ReplyInline Actions

I think we want to skip emitting those checks always (regardless of whether the other sanitizer is enabled). One way to think of it: this sanitizer checks for non-truncating implicit integer conversions that change the value of the result. The other sanitizer checks for truncating implicit integer conversions that change the value of the result.

I don't see any point in allowing the user to ask to sanitize sign-changing truncation but not other value-changing truncations. That would lead to this:

int a = 0x17fffffff; // no sanitizer warning
int b = 0x180000000; // sanitizer warning
int c = 0x1ffffffff; // sanitizer warning
int d = 0x200000000; // no sanitizer warning

... which I think makes no sense.

rsmith: I think we want to skip emitting those checks always (regardless of whether the other sanitizer…
rsmithUnsubmitted
Done
ReplyInline Actions

Hmm, wait, the "truncation" sanitizer doesn't catch this:

int a = 0x80000000u;

... does it? (Because it looks for cases where the value doesn't round-trip, not for cases where the value was changed by the truncation.)

I've thought a bit more about the user model and use cases for these sanitizers, and I think what we want is:

  • a sanitizer that checks for implicit conversions with data loss (the existing truncation sanitizer)
  • a sanitizer that checks for implicit conversions that change the value, where either the source or destination was signed (approximately what this sanitizer is doing)

The difference between that and what you have here is that I think the new sanitizer should catch all of these cases:

int a = 0x17fffffff;
int b = 0x180000000;
int c = 0x1ffffffff;
int d = 0x200000000;

... because while the initializations of a and d don't change the sign of the result, that's only because they wrap around *past* a sign change.

So, I think what you have here is fine for the SrcBits <= DstBits case, but for the SrcBits > DstBits case, you should also check whether the value is the same as the original (that is, perform the truncation check).

In order to avoid duplicating work when both sanitizers are enabled, it'd make sense to combine the two sanitizer functions into a single function and reuse the checks.

rsmith: Hmm, wait, the "truncation" sanitizer doesn't catch this: `int a = 0x80000000u;` ... does it?
lebedev.riAuthorUnsubmitted
Not Done
ReplyInline Actions

Yep, makes sense. I don't think i have followed the recommendations to the letter,
but i think the end result is not worse than suggested. Added tests shows how it works now.

lebedev.ri: Yep, makes sense. I don't think i have followed the recommendations to the letter, but i think…
rsmithUnsubmitted
Not Done
ReplyInline Actions

OK, so to be clear I'm following:

  • Any implicit conversion that truncates and changes the value triggers the truncation sanitizer (unsigned if both source and destination are unsigned, signed otherwise)
  • Any implicit conversion that results in a sign change triggers the sign change sanitizer
  • Any implicit conversion that triggers both sanitizers produces a single warning classified as ICCK_SignedIntegerTruncationOrSignChange (eg, the truncation changed the value, and the sign changed -- possibly multiple times -- when dropping bits)

That seems fine to me.

rsmith: OK, so to be clear I'm following: * Any implicit conversion that truncates and changes the…
lebedev.riAuthorUnsubmitted
Not Done
ReplyInline Actions

OK, so to be clear I'm following:

I do think that is what is going on.
It does warn on all of the cases you highlighted:

int a = 0x80000000u;

int a = 0x17fffffff;
int b = 0x180000000;
int c = 0x1ffffffff;
int d = 0x200000000;
lebedev.ri: > OK, so to be clear I'm following: I do think that is what is going on. It does warn on all…
// Handle conversions to bool first, they are special: comparisons against 0. // Handle conversions to bool first, they are special: comparisons against 0.
if (DstType->isBooleanType()) if (DstType->isBooleanType())
return EmitConversionToBool(Src, SrcType); return EmitConversionToBool(Src, SrcType);
llvm::Type *DstTy = ConvertType(DstType); llvm::Type *DstTy = ConvertType(DstType);
// Cast from half through float if half isn't a native type. // Cast from half through float if half isn't a native type.
if (SrcType->isHalfType() && !CGF.getContext().getLangOpts().NativeHalfType) { if (SrcType->isHalfType() && !CGF.getContext().getLangOpts().NativeHalfType) {
erichkeaneUnsubmitted
Done
ReplyInline Actions

Curious what prevents this?

erichkeane: Curious what prevents this?
lebedev.riAuthorUnsubmitted
Done
ReplyInline Actions

Right now this was simply copied from ScalarExprEmitter::EmitIntegerTruncationCheck(),
where it made sense (since conversion to bool should be comparison with 0, not truncation).
I'm not quite sure about booleans here. I think i should just drop it, at least for now.

lebedev.ri: Right now this was simply copied from `ScalarExprEmitter::EmitIntegerTruncationCheck()`, where…
// Cast to FP using the intrinsic if the half type itself isn't supported. // Cast to FP using the intrinsic if the half type itself isn't supported.
if (DstTy->isFloatingPointTy()) { if (DstTy->isFloatingPointTy()) {
if (CGF.getContext().getTargetInfo().useFP16ConversionIntrinsics()) if (CGF.getContext().getTargetInfo().useFP16ConversionIntrinsics())
return Builder.CreateCall( return Builder.CreateCall(
CGF.CGM.getIntrinsic(llvm::Intrinsic::convert_from_fp16, DstTy), CGF.CGM.getIntrinsic(llvm::Intrinsic::convert_from_fp16, DstTy),
Src); Src);
} else { } else {
rsmithUnsubmitted
Not Done
ReplyInline Actions

If !VSigned, the result is a constant false; you don't need to emit an icmp to work that out.

rsmith: If `!VSigned`, the result is a constant `false`; you don't need to emit an `icmp` to work that…
lebedev.riAuthorUnsubmitted
Not Done
ReplyInline Actions

Ok, if you insist.
I didn't do that in the first place because we will now have an icmp
where one operand being a constant, so we can simplify it further.
And i don't want to complicate this logic if middle-end already handles it :)

lebedev.ri: Ok, if you insist. I didn't do that in the first place because we will now have an `icmp` where…
rsmithUnsubmitted
Not Done
ReplyInline Actions

This becomes a lot simpler with the approach I described in the other comment thread, because you don't need a second icmp eq at all.

rsmith: This becomes a lot simpler with the approach I described in the other comment thread, because…
lebedev.riAuthorUnsubmitted
Not Done
ReplyInline Actions

Humm. So i have initially did this. It is probably broken for non-scalars, but we don't care probably.

But then i thought more.

If we do not emit truncation check, we get icmp eq (icmp ...), false, which is tautological.
We can't just drop the outer icmp eq since we'd get the opposite value.
We could emit xor %icmp, -1 to invert it. Or simply invert the predicate, and avoid the second icmp.
By itself, either of these options doesn't sound that bad.

But if both are signed, we can't do that. So we have to have two different code paths...

If we do emit the icmp ult %x, 0, [it naturally works with vectors], we avoid complicating the front-end,
and the middle-end playfully simplifies this IR with no sweat.

So why do we want to complicate the front-end in this case, and not let the middle-end do it's job?
I'm unconvinced, and i have kept this as is. :/

lebedev.ri: Humm. So i have initially did this. It is probably broken for non-scalars, but we don't care…
lebedev.riAuthorUnsubmitted
Not Done
ReplyInline Actions

If !VSigned, the result is a constant false; you don't need to emit an icmp to work that out.

Even at -O0, dagcombine constant-folds (unsurprizingly) this case, https://godbolt.org/z/D5ueOq

lebedev.ri: > If !VSigned, the result is a constant false; you don't need to emit an icmp to work that out.
// Cast to other types through float, using either the intrinsic or FPExt, // Cast to other types through float, using either the intrinsic or FPExt,
// depending on whether the half type itself is supported // depending on whether the half type itself is supported
// (as opposed to operations on half, available with NativeHalfType). // (as opposed to operations on half, available with NativeHalfType).
erichkeaneUnsubmitted
Done
ReplyInline Actions

// Is this value a signed type?

erichkeane: // Is this value a signed type?
lebedev.riAuthorUnsubmitted
Done
ReplyInline Actions

That reads strange, but i don't have a better idea.

lebedev.ri: That reads strange, but i don't have a better idea.
if (CGF.getContext().getTargetInfo().useFP16ConversionIntrinsics()) { if (CGF.getContext().getTargetInfo().useFP16ConversionIntrinsics()) {
Src = Builder.CreateCall( Src = Builder.CreateCall(
CGF.CGM.getIntrinsic(llvm::Intrinsic::convert_from_fp16, CGF.CGM.getIntrinsic(llvm::Intrinsic::convert_from_fp16,
CGF.CGM.FloatTy), CGF.CGM.FloatTy),
Src); Src);
} else { } else {
Src = Builder.CreateFPExt(Src, CGF.CGM.FloatTy, "conv"); Src = Builder.CreateFPExt(Src, CGF.CGM.FloatTy, "conv");
} }
SrcType = CGF.getContext().FloatTy; SrcType = CGF.getContext().FloatTy;
SrcTy = CGF.FloatTy; SrcTy = CGF.FloatTy;
} }
} }
// Ignore conversions like int -> uint. // Ignore conversions like int -> uint.
if (SrcTy == DstTy) if (SrcTy == DstTy) {
if (Opts.EmitImplicitIntegerSignChangeChecks)
EmitIntegerSignChangeCheck(Src, NoncanonicalSrcType, Src,
NoncanonicalDstType, Loc);
return Src; return Src;
}
// Handle pointer conversions next: pointers can only be converted to/from // Handle pointer conversions next: pointers can only be converted to/from
// other pointers and integers. Check for pointer types in terms of LLVM, as // other pointers and integers. Check for pointer types in terms of LLVM, as
// some native types (like Obj-C id) may map to a pointer type. // some native types (like Obj-C id) may map to a pointer type.
if (auto DstPT = dyn_cast<llvm::PointerType>(DstTy)) { if (auto DstPT = dyn_cast<llvm::PointerType>(DstTy)) {
// The source value may be an integer, or a pointer. // The source value may be an integer, or a pointer.
if (isa<llvm::PointerType>(SrcTy)) if (isa<llvm::PointerType>(SrcTy))
return Builder.CreateBitCast(Src, DstTy, "conv"); return Builder.CreateBitCast(Src, DstTy, "conv");
▲ Show 20 LinesShow All 127 Lines▼ Show 20 Lines if (CGF.getContext().getTargetInfo().useFP16ConversionIntrinsics()) {
Res = Builder.CreateFPTrunc(Res, ResTy, "conv"); Res = Builder.CreateFPTrunc(Res, ResTy, "conv");
} }
} }
if (Opts.EmitImplicitIntegerTruncationChecks) if (Opts.EmitImplicitIntegerTruncationChecks)
EmitIntegerTruncationCheck(Src, NoncanonicalSrcType, Res, EmitIntegerTruncationCheck(Src, NoncanonicalSrcType, Res,
NoncanonicalDstType, Loc); NoncanonicalDstType, Loc);
if (Opts.EmitImplicitIntegerSignChangeChecks)
EmitIntegerSignChangeCheck(Src, NoncanonicalSrcType, Res,
NoncanonicalDstType, Loc);
return Res; return Res;
} }
Value *ScalarExprEmitter::EmitFixedPointConversion(Value *Src, QualType SrcTy, Value *ScalarExprEmitter::EmitFixedPointConversion(Value *Src, QualType SrcTy,
QualType DstTy, QualType DstTy,
SourceLocation Loc) { SourceLocation Loc) {
using llvm::APInt; using llvm::APInt;
using llvm::ConstantInt; using llvm::ConstantInt;
▲ Show 20 LinesShow All 785 Lines▼ Show 20 Lines case CK_FixedPointToBoolean:
assert(E->getType()->isFixedPointType() && assert(E->getType()->isFixedPointType() &&
"Expected src type to be fixed point type"); "Expected src type to be fixed point type");
assert(DestTy->isBooleanType() && "Expected dest type to be boolean type"); assert(DestTy->isBooleanType() && "Expected dest type to be boolean type");
return EmitScalarConversion(Visit(E), E->getType(), DestTy, return EmitScalarConversion(Visit(E), E->getType(), DestTy,
CE->getExprLoc()); CE->getExprLoc());
case CK_IntegralCast: { case CK_IntegralCast: {
ScalarConversionOpts Opts; ScalarConversionOpts Opts;
if (CGF.SanOpts.hasOneOf(SanitizerKind::ImplicitIntegerTruncation)) { if (auto *ICE = dyn_cast<ImplicitCastExpr>(CE)) {
if (auto *ICE = dyn_cast<ImplicitCastExpr>(CE)) if (CGF.SanOpts.hasOneOf(SanitizerKind::ImplicitConversion) &&
erichkeaneUnsubmitted
Done
ReplyInline Actions

Is this an error? You swapped a 'has' with a 'hasOneOf' but only listed a single thing.

erichkeane: Is this an error? You swapped a 'has' with a 'hasOneOf' but only listed a single thing.
lebedev.riAuthorUnsubmitted
Done
ReplyInline Actions

ImplicitConversion is a *group*, which includes ImplicitIntegerTruncation and ImplicitIntegerSignChange.
So hasOneOf(group) checks that at least one check of the group is enabled.
No, this is correct, else the tests would break.

lebedev.ri: `ImplicitConversion` is a *group*, which includes `ImplicitIntegerTruncation` and…
erichkeaneUnsubmitted
Done
ReplyInline Actions

Ah! I missed that subtly, just LOOKed odd.

erichkeane: Ah! I missed that subtly, just LOOKed odd.
Opts.EmitImplicitIntegerTruncationChecks = !ICE->isPartOfExplicitCast(); !ICE->isPartOfExplicitCast()) {
Opts.EmitImplicitIntegerTruncationChecks =
CGF.SanOpts.hasOneOf(SanitizerKind::ImplicitIntegerTruncation);
Opts.EmitImplicitIntegerSignChangeChecks =
CGF.SanOpts.has(SanitizerKind::ImplicitIntegerSignChange);
}
} }
return EmitScalarConversion(Visit(E), E->getType(), DestTy, return EmitScalarConversion(Visit(E), E->getType(), DestTy,
CE->getExprLoc(), Opts); CE->getExprLoc(), Opts);
} }
case CK_IntegralToFloating: case CK_IntegralToFloating:
case CK_FloatingToIntegral: case CK_FloatingToIntegral:
case CK_FloatingCast: case CK_FloatingCast:
return EmitScalarConversion(Visit(E), E->getType(), DestTy, return EmitScalarConversion(Visit(E), E->getType(), DestTy,
▲ Show 20 LinesShow All 2,307 LinesShow Last 20 Lines

test/CodeGen/catch-implicit-conversions-basics.c

  • This file was added.
// RUN: %clang_cc1 -fsanitize=implicit-unsigned-integer-truncation,implicit-signed-integer-truncation,implicit-integer-sign-change -fsanitize-recover=implicit-unsigned-integer-truncation,implicit-signed-integer-truncation,implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK
// Test plan:
// * Two types - int and char
// * Two signs - signed and unsigned
// * Square that - we have input and output types.
// Thus, there are total of (2*2)^2 == 16 tests.
// These are all the possible variations/combinations of casts.
// However, not all of them should result in the check.
// So here, we *only* check which should and which should not result in checks.
// CHECK-DAG: @[[LINE_500_UNSIGNED_TRUNCATION:.*]] = {{.*}}, i32 500, i32 10 }, {{.*}}, {{.*}}, i8 1 }
// CHECK-DAG: @[[LINE_900_SIGN_CHANGE:.*]] = {{.*}}, i32 900, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1000_SIGN_CHANGE:.*]] = {{.*}}, i32 1000, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1100_SIGNED_TRUNCATION:.*]] = {{.*}}, i32 1100, i32 10 }, {{.*}}, {{.*}}, i8 2 }
// CHECK-DAG: @[[LINE_1200_SIGN_CHANGE:.*]] = {{.*}}, i32 1200, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1300_SIGN_CHANGE:.*]] = {{.*}}, i32 1300, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1400_SIGN_CHANGE:.*]] = {{.*}}, i32 1400, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1500_SIGNED_TRUNCATION_OR_SIGN_CHANGE:.*]] = {{.*}}, i32 1500, i32 10 }, {{.*}}, {{.*}}, i8 4 }
// CHECK-DAG: @[[LINE_1600_SIGNED_TRUNCATION:.*]] = {{.*}}, i32 1600, i32 10 }, {{.*}}, {{.*}}, i8 2 }
// CHECK-LABEL: @convert_unsigned_int_to_unsigned_int
unsigned int convert_unsigned_int_to_unsigned_int(unsigned int x) {
#line 100
return x;
}
// CHECK-LABEL: @convert_unsigned_char_to_unsigned_char
unsigned char convert_unsigned_char_to_unsigned_char(unsigned char x) {
#line 200
return x;
}
// CHECK-LABEL: @convert_signed_int_to_signed_int
signed int convert_signed_int_to_signed_int(signed int x) {
#line 300
return x;
}
// CHECK-LABEL: @convert_signed_char_to_signed_char
signed char convert_signed_char_to_signed_char(signed char x) {
#line 400
return x;
}
// CHECK-LABEL: @convert_unsigned_int_to_unsigned_char
unsigned char convert_unsigned_int_to_unsigned_char(unsigned int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_500_UNSIGNED_TRUNCATION]] to i8*)
#line 500
return x;
}
// CHECK-LABEL: @convert_unsigned_char_to_unsigned_int
unsigned int convert_unsigned_char_to_unsigned_int(unsigned char x) {
#line 600
return x;
}
// CHECK-LABEL: @convert_unsigned_char_to_signed_int
signed int convert_unsigned_char_to_signed_int(unsigned char x) {
#line 700
return x;
}
// CHECK-LABEL: @convert_signed_char_to_signed_int
signed int convert_signed_char_to_signed_int(signed char x) {
#line 800
return x;
}
// CHECK-LABEL: @convert_unsigned_int_to_signed_int
signed int convert_unsigned_int_to_signed_int(unsigned int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_900_SIGN_CHANGE]] to i8*)
#line 900
return x;
}
// CHECK-LABEL: @convert_signed_int_to_unsigned_int
unsigned int convert_signed_int_to_unsigned_int(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1000_SIGN_CHANGE]] to i8*)
#line 1000
return x;
}
// CHECK-LABEL: @convert_signed_int_to_unsigned_char
unsigned char convert_signed_int_to_unsigned_char(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1100_SIGNED_TRUNCATION]] to i8*)
#line 1100
return x;
}
// CHECK-LABEL: @convert_signed_char_to_unsigned_char
unsigned char convert_signed_char_to_unsigned_char(signed char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1200_SIGN_CHANGE]] to i8*)
#line 1200
return x;
}
// CHECK-LABEL: @convert_unsigned_char_to_signed_char
signed char convert_unsigned_char_to_signed_char(unsigned char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1300_SIGN_CHANGE]] to i8*)
#line 1300
return x;
}
// CHECK-LABEL: @convert_signed_char_to_unsigned_int
unsigned int convert_signed_char_to_unsigned_int(signed char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1400_SIGN_CHANGE]] to i8*)
#line 1400
return x;
}
// CHECK-LABEL: @convert_unsigned_int_to_signed_char
signed char convert_unsigned_int_to_signed_char(unsigned int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1500_SIGNED_TRUNCATION_OR_SIGN_CHANGE]] to i8*)
#line 1500
return x;
}
// CHECK-LABEL: @convert_signed_int_to_signed_char
signed char convert_signed_int_to_signed_char(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1600_SIGNED_TRUNCATION]] to i8*)
#line 1600
return x;
}

test/CodeGen/catch-implicit-integer-arithmetic-value-change-basics.c

  • This file was added.
// RUN: %clang_cc1 -fsanitize=implicit-signed-integer-truncation,implicit-integer-sign-change -fsanitize-recover=implicit-signed-integer-truncation,implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK
// Test plan:
// * Two types - int and char
// * Two signs - signed and unsigned
// * Square that - we have input and output types.
// Thus, there are total of (2*2)^2 == 16 tests.
// These are all the possible variations/combinations of casts.
// However, not all of them should result in the check.
// So here, we *only* check which should and which should not result in checks.
// CHECK-DAG: @[[LINE_900_SIGN_CHANGE:.*]] = {{.*}}, i32 900, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1000_SIGN_CHANGE:.*]] = {{.*}}, i32 1000, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1100_SIGNED_TRUNCATION:.*]] = {{.*}}, i32 1100, i32 10 }, {{.*}}, {{.*}}, i8 2 }
// CHECK-DAG: @[[LINE_1200_SIGN_CHANGE:.*]] = {{.*}}, i32 1200, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1300_SIGN_CHANGE:.*]] = {{.*}}, i32 1300, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1400_SIGN_CHANGE:.*]] = {{.*}}, i32 1400, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1500_SIGNED_TRUNCATION_OR_SIGN_CHANGE:.*]] = {{.*}}, i32 1500, i32 10 }, {{.*}}, {{.*}}, i8 4 }
// CHECK-DAG: @[[LINE_1600_SIGNED_TRUNCATION:.*]] = {{.*}}, i32 1600, i32 10 }, {{.*}}, {{.*}}, i8 2 }
// CHECK-LABEL: @convert_unsigned_int_to_unsigned_int
unsigned int convert_unsigned_int_to_unsigned_int(unsigned int x) {
#line 100
return x;
}
// CHECK-LABEL: @convert_unsigned_char_to_unsigned_char
unsigned char convert_unsigned_char_to_unsigned_char(unsigned char x) {
#line 200
return x;
}
// CHECK-LABEL: @convert_signed_int_to_signed_int
signed int convert_signed_int_to_signed_int(signed int x) {
#line 300
return x;
}
// CHECK-LABEL: @convert_signed_char_to_signed_char
signed char convert_signed_char_to_signed_char(signed char x) {
#line 400
return x;
}
// CHECK-LABEL: @convert_unsigned_int_to_unsigned_char
unsigned char convert_unsigned_int_to_unsigned_char(unsigned int x) {
#line 500
return x;
}
// CHECK-LABEL: @convert_unsigned_char_to_unsigned_int
unsigned int convert_unsigned_char_to_unsigned_int(unsigned char x) {
#line 600
return x;
}
// CHECK-LABEL: @convert_unsigned_char_to_signed_int
signed int convert_unsigned_char_to_signed_int(unsigned char x) {
#line 700
return x;
}
// CHECK-LABEL: @convert_signed_char_to_signed_int
signed int convert_signed_char_to_signed_int(signed char x) {
#line 800
return x;
}
// CHECK-LABEL: @convert_unsigned_int_to_signed_int
signed int convert_unsigned_int_to_signed_int(unsigned int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_900_SIGN_CHANGE]] to i8*)
#line 900
return x;
}
// CHECK-LABEL: @convert_signed_int_to_unsigned_int
unsigned int convert_signed_int_to_unsigned_int(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1000_SIGN_CHANGE]] to i8*)
#line 1000
return x;
}
// CHECK-LABEL: @convert_signed_int_to_unsigned_char
unsigned char convert_signed_int_to_unsigned_char(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1100_SIGNED_TRUNCATION]] to i8*)
#line 1100
return x;
}
// CHECK-LABEL: @convert_signed_char_to_unsigned_char
unsigned char convert_signed_char_to_unsigned_char(signed char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1200_SIGN_CHANGE]] to i8*)
#line 1200
return x;
}
// CHECK-LABEL: @convert_unsigned_char_to_signed_char
signed char convert_unsigned_char_to_signed_char(unsigned char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1300_SIGN_CHANGE]] to i8*)
#line 1300
return x;
}
// CHECK-LABEL: @convert_signed_char_to_unsigned_int
unsigned int convert_signed_char_to_unsigned_int(signed char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1400_SIGN_CHANGE]] to i8*)
#line 1400
return x;
}
// CHECK-LABEL: @convert_unsigned_int_to_signed_char
signed char convert_unsigned_int_to_signed_char(unsigned int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1500_SIGNED_TRUNCATION_OR_SIGN_CHANGE]] to i8*)
#line 1500
return x;
}
// CHECK-LABEL: @convert_signed_int_to_signed_char
signed char convert_signed_int_to_signed_char(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1600_SIGNED_TRUNCATION]] to i8*)
#line 1600
return x;
}

test/CodeGen/catch-implicit-integer-conversions-basics.c

// RUN: %clang_cc1 -fsanitize=implicit-unsigned-integer-truncation,implicit-signed-integer-truncation -fsanitize-recover=implicit-unsigned-integer-truncation,implicit-signed-integer-truncation -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK // RUN: %clang_cc1 -fsanitize=implicit-unsigned-integer-truncation,implicit-signed-integer-truncation,implicit-integer-sign-change -fsanitize-recover=implicit-unsigned-integer-truncation,implicit-signed-integer-truncation,implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK
// Test plan: // Test plan:
// * Two types - int and char // * Two types - int and char
// * Two signs - signed and unsigned // * Two signs - signed and unsigned
// * Square that - we have input and output types. // * Square that - we have input and output types.
// Thus, there are total of (2*2)^2 == 16 tests. // Thus, there are total of (2*2)^2 == 16 tests.
// These are all the possible variations/combinations of casts. // These are all the possible variations/combinations of casts.
// However, not all of them should result in the check. // However, not all of them should result in the check.
// So here, we *only* check which should and which should not result in checks. // So here, we *only* check which should and which should not result in checks.
// CHECK-DAG: @[[LINE_500_UNSIGNED_TRUNCATION:.*]] = {{.*}}, i32 500, i32 10 }, {{.*}}, {{.*}}, i8 1 } // CHECK-DAG: @[[LINE_500_UNSIGNED_TRUNCATION:.*]] = {{.*}}, i32 500, i32 10 }, {{.*}}, {{.*}}, i8 1 }
// CHECK-DAG: @[[LINE_900_SIGN_CHANGE:.*]] = {{.*}}, i32 900, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1000_SIGN_CHANGE:.*]] = {{.*}}, i32 1000, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1100_SIGNED_TRUNCATION:.*]] = {{.*}}, i32 1100, i32 10 }, {{.*}}, {{.*}}, i8 2 } // CHECK-DAG: @[[LINE_1100_SIGNED_TRUNCATION:.*]] = {{.*}}, i32 1100, i32 10 }, {{.*}}, {{.*}}, i8 2 }
// CHECK-DAG: @[[LINE_1500_SIGNED_TRUNCATION:.*]] = {{.*}}, i32 1500, i32 10 }, {{.*}}, {{.*}}, i8 2 } // CHECK-DAG: @[[LINE_1200_SIGN_CHANGE:.*]] = {{.*}}, i32 1200, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1300_SIGN_CHANGE:.*]] = {{.*}}, i32 1300, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1400_SIGN_CHANGE:.*]] = {{.*}}, i32 1400, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1500_SIGNED_TRUNCATION_OR_SIGN_CHANGE:.*]] = {{.*}}, i32 1500, i32 10 }, {{.*}}, {{.*}}, i8 4 }
// CHECK-DAG: @[[LINE_1600_SIGNED_TRUNCATION:.*]] = {{.*}}, i32 1600, i32 10 }, {{.*}}, {{.*}}, i8 2 } // CHECK-DAG: @[[LINE_1600_SIGNED_TRUNCATION:.*]] = {{.*}}, i32 1600, i32 10 }, {{.*}}, {{.*}}, i8 2 }
// CHECK-LABEL: @convert_unsigned_int_to_unsigned_int // CHECK-LABEL: @convert_unsigned_int_to_unsigned_int
unsigned int convert_unsigned_int_to_unsigned_int(unsigned int x) { unsigned int convert_unsigned_int_to_unsigned_int(unsigned int x) {
#line 100 #line 100
return x; return x;
} }
Show All 37 Lines
// CHECK-LABEL: @convert_signed_char_to_signed_int // CHECK-LABEL: @convert_signed_char_to_signed_int
signed int convert_signed_char_to_signed_int(signed char x) { signed int convert_signed_char_to_signed_int(signed char x) {
#line 800 #line 800
return x; return x;
} }
// CHECK-LABEL: @convert_unsigned_int_to_signed_int // CHECK-LABEL: @convert_unsigned_int_to_signed_int
signed int convert_unsigned_int_to_signed_int(unsigned int x) { signed int convert_unsigned_int_to_signed_int(unsigned int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_900_SIGN_CHANGE]] to i8*)
#line 900 #line 900
return x; return x;
} }
// CHECK-LABEL: @convert_signed_int_to_unsigned_int // CHECK-LABEL: @convert_signed_int_to_unsigned_int
unsigned int convert_signed_int_to_unsigned_int(signed int x) { unsigned int convert_signed_int_to_unsigned_int(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1000_SIGN_CHANGE]] to i8*)
#line 1000 #line 1000
return x; return x;
} }
// CHECK-LABEL: @convert_signed_int_to_unsigned_char // CHECK-LABEL: @convert_signed_int_to_unsigned_char
unsigned char convert_signed_int_to_unsigned_char(signed int x) { unsigned char convert_signed_int_to_unsigned_char(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1100_SIGNED_TRUNCATION]] to i8*) // CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1100_SIGNED_TRUNCATION]] to i8*)
#line 1100 #line 1100
return x; return x;
} }
// CHECK-LABEL: @convert_signed_char_to_unsigned_char // CHECK-LABEL: @convert_signed_char_to_unsigned_char
unsigned char convert_signed_char_to_unsigned_char(signed char x) { unsigned char convert_signed_char_to_unsigned_char(signed char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1200_SIGN_CHANGE]] to i8*)
#line 1200 #line 1200
return x; return x;
} }
// CHECK-LABEL: @convert_unsigned_char_to_signed_char // CHECK-LABEL: @convert_unsigned_char_to_signed_char
signed char convert_unsigned_char_to_signed_char(unsigned char x) { signed char convert_unsigned_char_to_signed_char(unsigned char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1300_SIGN_CHANGE]] to i8*)
#line 1300 #line 1300
return x; return x;
} }
// CHECK-LABEL: @convert_signed_char_to_unsigned_int // CHECK-LABEL: @convert_signed_char_to_unsigned_int
unsigned int convert_signed_char_to_unsigned_int(signed char x) { unsigned int convert_signed_char_to_unsigned_int(signed char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1400_SIGN_CHANGE]] to i8*)
#line 1400 #line 1400
return x; return x;
} }
// CHECK-LABEL: @convert_unsigned_int_to_signed_char // CHECK-LABEL: @convert_unsigned_int_to_signed_char
signed char convert_unsigned_int_to_signed_char(unsigned int x) { signed char convert_unsigned_int_to_signed_char(unsigned int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1500_SIGNED_TRUNCATION]] to i8*) // CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1500_SIGNED_TRUNCATION_OR_SIGN_CHANGE]] to i8*)
#line 1500 #line 1500
return x; return x;
} }
// CHECK-LABEL: @convert_signed_int_to_signed_char // CHECK-LABEL: @convert_signed_int_to_signed_char
signed char convert_signed_int_to_signed_char(signed int x) { signed char convert_signed_int_to_signed_char(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1600_SIGNED_TRUNCATION]] to i8*) // CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1600_SIGNED_TRUNCATION]] to i8*)
#line 1600 #line 1600
return x; return x;
} }

test/CodeGen/catch-implicit-integer-sign-changes-basics.c

  • This file was added.
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fsanitize-recover=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK
// Test plan:
// * Two types - int and char
// * Two signs - signed and unsigned
// * Square that - we have input and output types.
// Thus, there are total of (2*2)^2 == 16 tests.
// These are all the possible variations/combinations of casts.
// However, not all of them should result in the check.
// So here, we *only* check which should and which should not result in checks.
// CHECK-DAG: @[[LINE_900_SIGN_CHANGE:.*]] = {{.*}}, i32 900, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1000_SIGN_CHANGE:.*]] = {{.*}}, i32 1000, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1100_SIGN_CHANGE:.*]] = {{.*}}, i32 1100, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1200_SIGN_CHANGE:.*]] = {{.*}}, i32 1200, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1300_SIGN_CHANGE:.*]] = {{.*}}, i32 1300, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1400_SIGN_CHANGE:.*]] = {{.*}}, i32 1400, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1500_SIGN_CHANGE:.*]] = {{.*}}, i32 1500, i32 10 }, {{.*}}, {{.*}}, i8 3 }
// CHECK-DAG: @[[LINE_1600_SIGN_CHANGE:.*]] = {{.*}}, i32 1600, i32 10 }, {{.*}}, {{.*}}, i8 3 }
//============================================================================//
// Half of the cases do not need the check. //
//============================================================================//
//----------------------------------------------------------------------------//
// No cast happens at all. No check needed.
//----------------------------------------------------------------------------//
// CHECK-LABEL: @convert_unsigned_int_to_unsigned_int
unsigned int convert_unsigned_int_to_unsigned_int(unsigned int x) {
#line 100
return x;
}
// CHECK-LABEL: @convert_unsigned_char_to_unsigned_char
unsigned char convert_unsigned_char_to_unsigned_char(unsigned char x) {
#line 200
return x;
}
// CHECK-LABEL: @convert_signed_int_to_signed_int
signed int convert_signed_int_to_signed_int(signed int x) {
#line 300
return x;
}
// CHECK-LABEL: @convert_signed_char_to_signed_char
signed char convert_signed_char_to_signed_char(signed char x) {
#line 400
return x;
}
//----------------------------------------------------------------------------//
// Both types are unsigned. No check needed.
//----------------------------------------------------------------------------//
// CHECK-LABEL: @convert_unsigned_int_to_unsigned_char
unsigned char convert_unsigned_int_to_unsigned_char(unsigned int x) {
#line 500
return x;
}
// CHECK-LABEL: @convert_unsigned_char_to_unsigned_int
unsigned int convert_unsigned_char_to_unsigned_int(unsigned char x) {
#line 600
return x;
}
//----------------------------------------------------------------------------//
// Source type was unsigned, destination type is signed, but non-negative.
// Because zero-extension happens - the sign bit will be 0. No check needed.
//----------------------------------------------------------------------------//
// CHECK-LABEL: @convert_unsigned_char_to_signed_int
signed int convert_unsigned_char_to_signed_int(unsigned char x) {
#line 700
return x;
}
//----------------------------------------------------------------------------//
// Both types are signed, and have the same sign, since sign-extension happens,
// i.e. the sign bit will be propagated. No check needed.
//----------------------------------------------------------------------------//
// CHECK-LABEL: @convert_signed_char_to_signed_int
signed int convert_signed_char_to_signed_int(signed char x) {
#line 800
return x;
}
//============================================================================//
// The remaining 8 cases *do* need the check. //
//============================================================================//
// These 3 result in simple 'icmp sge i32 %x, 0'
// CHECK-LABEL: @convert_unsigned_int_to_signed_int
signed int convert_unsigned_int_to_signed_int(unsigned int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_900_SIGN_CHANGE]] to i8*)
#line 900
return x;
}
// CHECK-LABEL: @convert_signed_int_to_unsigned_int
unsigned int convert_signed_int_to_unsigned_int(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1000_SIGN_CHANGE]] to i8*)
#line 1000
return x;
}
// CHECK-LABEL: @convert_signed_int_to_unsigned_char
unsigned char convert_signed_int_to_unsigned_char(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1100_SIGN_CHANGE]] to i8*)
#line 1100
return x;
}
// These 3 result in simple 'icmp sge i8 %x, 0'
// CHECK-LABEL: @convert_signed_char_to_unsigned_char
unsigned char convert_signed_char_to_unsigned_char(signed char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1200_SIGN_CHANGE]] to i8*)
#line 1200
return x;
}
// CHECK-LABEL: @convert_unsigned_char_to_signed_char
signed char convert_unsigned_char_to_signed_char(unsigned char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1300_SIGN_CHANGE]] to i8*)
#line 1300
return x;
}
// CHECK-LABEL: @convert_signed_char_to_unsigned_int
unsigned int convert_signed_char_to_unsigned_int(signed char x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1400_SIGN_CHANGE]] to i8*)
#line 1400
return x;
}
// 'icmp sge i8 (trunc i32 %x), 0'
// CHECK-LABEL: @convert_unsigned_int_to_signed_char
signed char convert_unsigned_int_to_signed_char(unsigned int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1500_SIGN_CHANGE]] to i8*)
#line 1500
return x;
}
// 'xor i1 (icmp sge i8 (trunc i32 %x), 0), (icmp sge i32 %x, 0)'
// CHECK-LABEL: @convert_signed_int_to_signed_char
signed char convert_signed_int_to_signed_char(signed int x) {
// CHECK: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_1600_SIGN_CHANGE]] to i8*)
#line 1600
return x;
}

test/CodeGen/catch-implicit-integer-sign-changes-true-negatives.c

  • This file was added.
// RUN: %clang_cc1 -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefix=CHECK
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fno-sanitize-recover=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-NORECOVER
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fsanitize-recover=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-RECOVER
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fsanitize-trap=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-TRAP
// ========================================================================== //
// The expected true-negatives.
// ========================================================================== //
// Sanitization is explicitly disabled.
// ========================================================================== //
// CHECK-LABEL: @blacklist_0
__attribute__((no_sanitize("undefined"))) unsigned int blacklist_0(signed int src) {
// We are not in "undefined" group, so that doesn't work.
// CHECK-SANITIZE: call
return src;
}
// CHECK-LABEL: @blacklist_1
__attribute__((no_sanitize("integer"))) unsigned int blacklist_1(signed int src) {
return src;
}
// CHECK-LABEL: @blacklist_2
__attribute__((no_sanitize("implicit-conversion"))) unsigned int blacklist_2(signed int src) {
return src;
}
// CHECK-LABEL: @blacklist_3
__attribute__((no_sanitize("implicit-integer-sign-change"))) unsigned int blacklist_3(signed int src) {
return src;
}
// Explicit sign-changing conversions.
// ========================================================================== //
// CHECK-LABEL: explicit_signed_int_to_unsigned_int
unsigned int explicit_signed_int_to_unsigned_int(signed int src) {
return (unsigned int)src;
}
// CHECK-LABEL: explicit_unsigned_int_to_signed_int
signed int explicit_unsigned_int_to_signed_int(unsigned int src) {
return (signed int)src;
}
// Explicit NOP conversions.
// ========================================================================== //
// CHECK-LABEL: @explicit_ununsigned_int_to_ununsigned_int
unsigned int explicit_ununsigned_int_to_ununsigned_int(unsigned int src) {
return (unsigned int)src;
}
// CHECK-LABEL: @explicit_unsigned_int_to_unsigned_int
signed int explicit_unsigned_int_to_unsigned_int(signed int src) {
return (signed int)src;
}
// conversions to to boolean type are not counted as sign-change.
// ========================================================================== //
// CHECK-LABEL: @unsigned_int_to_bool
_Bool unsigned_int_to_bool(unsigned int src) {
return src;
}
// CHECK-LABEL: @signed_int_to_bool
_Bool signed_int_to_bool(signed int src) {
return src;
}
// CHECK-LABEL: @explicit_unsigned_int_to_bool
_Bool explicit_unsigned_int_to_bool(unsigned int src) {
return (_Bool)src;
}
// CHECK-LABEL: @explicit_signed_int_to_bool
_Bool explicit_signed_int_to_bool(signed int src) {
return (_Bool)src;
}
// Explicit conversions from pointer to an integer.
// Can not have an implicit conversion from pointer to an integer.
// Can not have an implicit conversion between two enums.
// ========================================================================== //
// CHECK-LABEL: @explicit_voidptr_to_unsigned_int
unsigned int explicit_voidptr_to_unsigned_int(void *src) {
return (unsigned int)src;
}
// CHECK-LABEL: @explicit_voidptr_to_signed_int
signed int explicit_voidptr_to_signed_int(void *src) {
return (signed int)src;
}
// Implicit conversions from floating-point.
// ========================================================================== //
// CHECK-LABEL: @float_to_unsigned_int
unsigned int float_to_unsigned_int(float src) {
return src;
}
// CHECK-LABEL: @float_to_signed_int
signed int float_to_signed_int(float src) {
return src;
}
// CHECK-LABEL: @double_to_unsigned_int
unsigned int double_to_unsigned_int(double src) {
return src;
}
// CHECK-LABEL: @double_to_signed_int
signed int double_to_signed_int(double src) {
return src;
}
// Sugar.
// ========================================================================== //
typedef unsigned int uint32_t;
// CHECK-LABEL: @uint32_to_unsigned_int
unsigned int uint32_to_unsigned_int(uint32_t src) {
return src;
}
// CHECK-LABEL: @unsigned_int_to_uint32
uint32_t unsigned_int_to_uint32(unsigned int src) {
return src;
}
// CHECK-LABEL: @uint32_to_uint32
uint32_t uint32_to_uint32(uint32_t src) {
return src;
}

test/CodeGen/catch-implicit-integer-sign-changes.c

  • This file was added.
// RUN: %clang_cc1 -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefix=CHECK
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fno-sanitize-recover=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-NORECOVER,CHECK-SANITIZE-UNREACHABLE
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fsanitize-recover=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-RECOVER
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fsanitize-trap=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-TRAP,CHECK-SANITIZE-UNREACHABLE
// CHECK-SANITIZE-ANYRECOVER: @[[UNSIGNED_INT:.*]] = {{.*}} c"'unsigned int'\00" }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[SIGNED_INT:.*]] = {{.*}} c"'int'\00" }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_100:.*]] = {{.*}}, i32 100, i32 10 }, {{.*}}* @[[UNSIGNED_INT]], {{.*}}* @[[SIGNED_INT]], i8 3 }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_200:.*]] = {{.*}}, i32 200, i32 10 }, {{.*}}* @[[SIGNED_INT]], {{.*}}* @[[UNSIGNED_INT]], i8 3 }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[UNSIGNED_CHAR:.*]] = {{.*}} c"'unsigned char'\00" }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_300:.*]] = {{.*}}, i32 300, i32 10 }, {{.*}}* @[[SIGNED_INT]], {{.*}}* @[[UNSIGNED_CHAR]], i8 3 }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[SIGNED_CHAR:.*]] = {{.*}} c"'signed char'\00" }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_400:.*]] = {{.*}}, i32 400, i32 10 }, {{.*}}* @[[SIGNED_CHAR]], {{.*}}* @[[UNSIGNED_CHAR]], i8 3 }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_500:.*]] = {{.*}}, i32 500, i32 10 }, {{.*}}* @[[UNSIGNED_CHAR]], {{.*}}* @[[SIGNED_CHAR]], i8 3 }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_600:.*]] = {{.*}}, i32 600, i32 10 }, {{.*}}* @[[SIGNED_CHAR]], {{.*}}* @[[UNSIGNED_INT]], i8 3 }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_700:.*]] = {{.*}}, i32 700, i32 10 }, {{.*}}* @[[UNSIGNED_INT]], {{.*}}* @[[SIGNED_CHAR]], i8 3 }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_800:.*]] = {{.*}}, i32 800, i32 10 }, {{.*}}* @[[SIGNED_INT]], {{.*}}* @[[SIGNED_CHAR]], i8 3 }
// CHECK-SANITIZE-ANYRECOVER: @[[UINT32:.*]] = {{.*}} c"'uint32_t' (aka 'unsigned int')\00" }
// CHECK-SANITIZE-ANYRECOVER: @[[INT32:.*]] = {{.*}} c"'int32_t' (aka 'int')\00" }
// CHECK-SANITIZE-ANYRECOVER: @[[LINE_900:.*]] = {{.*}}, i32 900, i32 10 }, {{.*}}* @[[UINT32]], {{.*}}* @[[INT32]], i8 3 }
// ========================================================================== //
// The expected true-positives.
// These are implicit, potentially sign-altering, conversions.
// ========================================================================== //
// These 3 result (after optimizations) in simple 'icmp sge i32 %src, 0'.
// CHECK-LABEL: @unsigned_int_to_signed_int
// CHECK-SAME: (i32 %[[SRC:.*]])
signed int unsigned_int_to_signed_int(unsigned int src) {
// CHECK: %[[SRC_ADDR:.*]] = alloca i32
// CHECK-NEXT: store i32 %[[SRC]], i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i32, i32* %[[SRC_ADDR]]
// CHECK-SANITIZE-NEXT: %[[DST_NEGATIVITYCHECK:.*]] = icmp slt i32 %[[DST]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 false, %[[DST_NEGATIVITYCHECK]], !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[SIGNCHANGECHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTDST:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_100]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTDST]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_100]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTDST]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i32 %[[DST]]
// CHECK-NEXT: }
#line 100
return src;
}
// CHECK-LABEL: @signed_int_to_unsigned_int
// CHECK-SAME: (i32 %[[SRC:.*]])
unsigned int signed_int_to_unsigned_int(signed int src) {
// CHECK: %[[SRC_ADDR:.*]] = alloca i32
// CHECK-NEXT: store i32 %[[SRC]], i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i32, i32* %[[SRC_ADDR]]
// CHECK-SANITIZE-NEXT: %[[SRC_NEGATIVITYCHECK:.*]] = icmp slt i32 %[[DST]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 %[[SRC_NEGATIVITYCHECK]], false, !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[SIGNCHANGECHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTDST:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_200]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTDST]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_200]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTDST]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i32 %[[DST]]
// CHECK-NEXT: }
#line 200
return src;
}
// CHECK-LABEL: @signed_int_to_unsigned_char
// CHECK-SAME: (i32 %[[SRC:.*]])
unsigned char signed_int_to_unsigned_char(signed int src) {
// CHECK: %[[SRC_ADDR:.*]] = alloca i32
// CHECK-NEXT: store i32 %[[SRC]], i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i32, i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[CONV:.*]] = trunc i32 %[[DST]] to i8
// CHECK-SANITIZE-NEXT: %[[SRC_NEGATIVITYCHECK:.*]] = icmp slt i32 %[[DST]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 %[[SRC_NEGATIVITYCHECK]], false, !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[SIGNCHANGECHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTCONV:.*]] = zext i8 %[[CONV]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_300]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_300]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i8 %[[CONV]]
// CHECK-NEXT: }
#line 300
return src;
}
// These 3 result (after optimizations) in simple 'icmp sge i8 %src, 0'
// CHECK-LABEL: @signed_char_to_unsigned_char
// CHECK-SAME: (i8 signext %[[SRC:.*]])
unsigned char signed_char_to_unsigned_char(signed char src) {
// CHECK: %[[SRC_ADDR:.*]] = alloca i8
// CHECK-NEXT: store i8 %[[SRC]], i8* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i8, i8* %[[SRC_ADDR]]
// CHECK-SANITIZE-NEXT: %[[SRC_NEGATIVITYCHECK:.*]] = icmp slt i8 %[[DST]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 %[[SRC_NEGATIVITYCHECK]], false, !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[SIGNCHANGECHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i8 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTDST:.*]] = zext i8 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_400]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTDST]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_400]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTDST]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i8 %[[DST]]
// CHECK-NEXT: }
#line 400
return src;
}
// CHECK-LABEL: @unsigned_char_to_signed_char
// CHECK-SAME: (i8 zeroext %[[SRC:.*]])
signed char unsigned_char_to_signed_char(unsigned char src) {
// CHECK: %[[SRC_ADDR:.*]] = alloca i8
// CHECK-NEXT: store i8 %[[SRC]], i8* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i8, i8* %[[SRC_ADDR]]
// CHECK-SANITIZE-NEXT: %[[DST_NEGATIVITYCHECK:.*]] = icmp slt i8 %[[DST]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 false, %[[DST_NEGATIVITYCHECK]], !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[SIGNCHANGECHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i8 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTDST:.*]] = zext i8 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_500]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTDST]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_500]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTDST]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i8 %[[DST]]
// CHECK-NEXT: }
#line 500
return src;
}
// CHECK-LABEL: @signed_char_to_unsigned_int
// CHECK-SAME: (i8 signext %[[SRC:.*]])
unsigned int signed_char_to_unsigned_int(signed char src) {
// CHECK: %[[SRC_ADDR:.*]] = alloca i8
// CHECK-NEXT: store i8 %[[SRC]], i8* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i8, i8* %[[SRC_ADDR]]
// CHECK-NEXT: %[[CONV:.*]] = sext i8 %[[DST]] to i32
// CHECK-SANITIZE-NEXT: %[[SRC_NEGATIVITYCHECK:.*]] = icmp slt i8 %[[DST]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 %[[SRC_NEGATIVITYCHECK]], false, !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[SIGNCHANGECHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i8 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTCONV:.*]] = zext i32 %[[CONV]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_600]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_600]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i32 %[[CONV]]
// CHECK-NEXT: }
#line 600
return src;
}
// This one result (after optimizations) in 'icmp sge i8 (trunc i32 %src), 0'
// CHECK-LABEL: @unsigned_int_to_signed_char
// CHECK-SAME: (i32 %[[SRC:.*]])
signed char unsigned_int_to_signed_char(unsigned int src) {
// CHECK: %[[SRC_ADDR:.*]] = alloca i32
// CHECK-NEXT: store i32 %[[SRC]], i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i32, i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[CONV:.*]] = trunc i32 %[[DST]] to i8
// CHECK-SANITIZE-NEXT: %[[DST_NEGATIVITYCHECK:.*]] = icmp slt i8 %[[CONV]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 false, %[[DST_NEGATIVITYCHECK]], !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[SIGNCHANGECHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTCONV:.*]] = zext i8 %[[CONV]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_700]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_700]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i8 %[[CONV]]
// CHECK-NEXT: }
#line 700
return src;
}
// The worst one: 'xor i1 (icmp sge i8 (trunc i32 %x), 0), (icmp sge i32 %x, 0)'
// CHECK-LABEL: @signed_int_to_signed_char
// CHECK-SAME: (i32 %[[SRC:.*]])
signed char signed_int_to_signed_char(signed int x) {
// CHECK: %[[SRC_ADDR:.*]] = alloca i32
// CHECK-NEXT: store i32 %[[SRC]], i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i32, i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[CONV:.*]] = trunc i32 %[[DST]] to i8
// CHECK-SANITIZE-NEXT: %[[SRC_NEGATIVITYCHECK:.*]] = icmp slt i32 %[[DST]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[DST_NEGATIVITYCHECK:.*]] = icmp slt i8 %[[CONV]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 %[[SRC_NEGATIVITYCHECK]], %[[DST_NEGATIVITYCHECK]], !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[SIGNCHANGECHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTCONV:.*]] = zext i8 %[[CONV]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_800]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_800]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i8 %[[CONV]]
// CHECK-NEXT: }
#line 800
return x;
}
// ========================================================================== //
// Check canonical type stuff
// ========================================================================== //
typedef unsigned int uint32_t;
typedef signed int int32_t;
// CHECK-LABEL: @uint32_t_to_int32_t
// CHECK-SAME: (i32 %[[SRC:.*]])
int32_t uint32_t_to_int32_t(uint32_t src) {
// CHECK: %[[SRC_ADDR:.*]] = alloca i32
// CHECK-NEXT: store i32 %[[SRC]], i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i32, i32* %[[SRC_ADDR]]
// CHECK-SANITIZE-NEXT: %[[DST_NEGATIVITYCHECK:.*]] = icmp slt i32 %[[DST]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 false, %[[DST_NEGATIVITYCHECK]], !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[SIGNCHANGECHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTDST:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_900]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTDST]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_900]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTDST]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i32 %[[DST]]
// CHECK-NEXT: }
#line 900
return src;
}
// ========================================================================== //
// Check that explicit conversion does not interfere with implicit conversion
// ========================================================================== //
// These contain one implicit and one explicit sign-changing conversion.
// We want to make sure that we still diagnose the implicit conversion.
// Implicit sign-change after explicit sign-change.
// CHECK-LABEL: @explicit_conversion_interference0
unsigned int explicit_conversion_interference0(unsigned int c) {
// CHECK-SANITIZE: call
return (signed int)c;
}
// Implicit sign-change before explicit sign-change.
// CHECK-LABEL: @explicit_conversion_interference1
unsigned int explicit_conversion_interference1(unsigned int c) {
// CHECK-SANITIZE: call
signed int b;
return (unsigned int)(b = c);
}

test/CodeGen/catch-implicit-signed-integer-truncation-or-sign-change.c

  • This file was added.
// RUN: %clang_cc1 -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefix=CHECK
// RUN: %clang_cc1 -fsanitize=implicit-signed-integer-truncation,implicit-integer-sign-change -fno-sanitize-recover=implicit-signed-integer-truncation,implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-NORECOVER,CHECK-SANITIZE-UNREACHABLE
// RUN: %clang_cc1 -fsanitize=implicit-signed-integer-truncation,implicit-integer-sign-change -fsanitize-recover=implicit-signed-integer-truncation,implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-RECOVER
// RUN: %clang_cc1 -fsanitize=implicit-signed-integer-truncation,implicit-integer-sign-change -fsanitize-trap=implicit-signed-integer-truncation,implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void @__ubsan_handle_implicit_conversion" --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-TRAP,CHECK-SANITIZE-UNREACHABLE
// CHECK-SANITIZE-ANYRECOVER: @[[UNSIGNED_INT:.*]] = {{.*}} c"'unsigned int'\00" }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[SIGNED_CHAR:.*]] = {{.*}} c"'signed char'\00" }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_100_SIGNED_TRUNCATION_OR_SIGN_CHANGE:.*]] = {{.*}}, i32 100, i32 10 }, {{.*}}* @[[UNSIGNED_INT]], {{.*}}* @[[SIGNED_CHAR]], i8 4 }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_200_SIGN_CHANGE:.*]] = {{.*}}, i32 200, i32 10 }, {{.*}}* @[[UNSIGNED_INT]], {{.*}}* @[[SIGNED_CHAR]], i8 3 }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_300_SIGN_CHANGE:.*]] = {{.*}}, i32 300, i32 10 }, {{.*}}* @[[UNSIGNED_INT]], {{.*}}* @[[SIGNED_CHAR]], i8 3 }
// CHECK-SANITIZE-ANYRECOVER-NEXT: @[[LINE_400_SIGNED_TRUNCATION:.*]] = {{.*}}, i32 400, i32 10 }, {{.*}}* @[[UNSIGNED_INT]], {{.*}}* @[[SIGNED_CHAR]], i8 2 }
//============================================================================//
// Both sanitizers are enabled, and not disabled per-function.
//============================================================================//
// CHECK-LABEL: @unsigned_int_to_signed_char
// CHECK-SAME: (i32 %[[SRC:.*]])
signed char unsigned_int_to_signed_char(unsigned int src) {
// CHECK-NEXT: [[ENTRY:.*]]:
// CHECK-NEXT: %[[SRC_ADDR:.*]] = alloca i32
// CHECK-NEXT: store i32 %[[SRC]], i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i32, i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[CONV:.*]] = trunc i32 %[[DST]] to i8
// CHECK-SANITIZE-NEXT: %[[DST_NEGATIVITYCHECK:.*]] = icmp slt i8 %[[CONV]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 false, %[[DST_NEGATIVITYCHECK]], !nosanitize
// CHECK-SANITIZE-NEXT: %[[ANYEXT:.*]] = sext i8 %[[CONV]] to i32, !nosanitize
// CHECK-SANITIZE-NEXT: %[[TRUNCHECK:.*]] = icmp eq i32 %[[ANYEXT]], %[[DST]], !nosanitize
// CHECK-SANITIZE-NEXT: %[[BOTHCHECKS:.*]] = and i1 %[[SIGNCHANGECHECK]], %[[TRUNCHECK]], !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[BOTHCHECKS]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTCONV:.*]] = zext i8 %[[CONV]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_100_SIGNED_TRUNCATION_OR_SIGN_CHANGE]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_100_SIGNED_TRUNCATION_OR_SIGN_CHANGE]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i8 %[[CONV]]
// CHECK-NEXT: }
#line 100
return src;
}
//============================================================================//
// Truncation sanitizer is disabled per-function.
//============================================================================//
// CHECK-LABEL: @unsigned_int_to_signed_char__no_truncation_sanitizer
// CHECK-SAME: (i32 %[[SRC:.*]])
__attribute__((no_sanitize("implicit-integer-truncation"))) signed char
unsigned_int_to_signed_char__no_truncation_sanitizer(unsigned int src) {
// CHECK-NEXT: [[ENTRY:.*]]:
// CHECK-NEXT: %[[SRC_ADDR:.*]] = alloca i32
// CHECK-NEXT: store i32 %[[SRC]], i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i32, i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[CONV:.*]] = trunc i32 %[[DST]] to i8
// CHECK-SANITIZE-NEXT: %[[DST_NEGATIVITYCHECK:.*]] = icmp slt i8 %[[CONV]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 false, %[[DST_NEGATIVITYCHECK]], !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[SIGNCHANGECHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTCONV:.*]] = zext i8 %[[CONV]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_200_SIGN_CHANGE]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_200_SIGN_CHANGE]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i8 %[[CONV]]
// CHECK-NEXT: }
#line 200
return src;
}
//============================================================================//
// Signed truncation sanitizer is disabled per-function.
//============================================================================//
// CHECK-LABEL: @unsigned_int_to_signed_char__no_signed_truncation_sanitizer
// CHECK-SAME: (i32 %[[SRC:.*]])
__attribute__((no_sanitize("implicit-signed-integer-truncation"))) signed char
unsigned_int_to_signed_char__no_signed_truncation_sanitizer(unsigned int src) {
// CHECK-NEXT: [[ENTRY:.*]]:
// CHECK-NEXT: %[[SRC_ADDR:.*]] = alloca i32
// CHECK-NEXT: store i32 %[[SRC]], i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i32, i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[CONV:.*]] = trunc i32 %[[DST]] to i8
// CHECK-SANITIZE-NEXT: %[[DST_NEGATIVITYCHECK:.*]] = icmp slt i8 %[[CONV]], 0, !nosanitize
// CHECK-SANITIZE-NEXT: %[[SIGNCHANGECHECK:.*]] = icmp eq i1 false, %[[DST_NEGATIVITYCHECK]], !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[SIGNCHANGECHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTCONV:.*]] = zext i8 %[[CONV]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_300_SIGN_CHANGE]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_300_SIGN_CHANGE]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i8 %[[CONV]]
// CHECK-NEXT: }
#line 300
return src;
}
//============================================================================//
// Sign change sanitizer is disabled per-function
//============================================================================//
// CHECK-LABEL: @unsigned_int_to_signed_char__no_sign_change_sanitizer
// CHECK-SAME: (i32 %[[SRC:.*]])
__attribute__((no_sanitize("implicit-integer-sign-change"))) signed char
unsigned_int_to_signed_char__no_sign_change_sanitizer(unsigned int src) {
// CHECK-NEXT: [[ENTRY:.*]]:
// CHECK-NEXT: %[[SRC_ADDR:.*]] = alloca i32
// CHECK-NEXT: store i32 %[[SRC]], i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i32, i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[CONV:.*]] = trunc i32 %[[DST]] to i8
// CHECK-SANITIZE-NEXT: %[[ANYEXT:.*]] = sext i8 %[[CONV]] to i32, !nosanitize
// CHECK-SANITIZE-NEXT: %[[TRUNCHECK:.*]] = icmp eq i32 %[[ANYEXT]], %[[DST]], !nosanitize
// CHECK-SANITIZE-NEXT: br i1 %[[TRUNCHECK]], label %[[CONT:.*]], label %[[HANDLER_IMPLICIT_CONVERSION:[^,]+]],{{.*}} !nosanitize
// CHECK-SANITIZE: [[HANDLER_IMPLICIT_CONVERSION]]:
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTSRC:.*]] = zext i32 %[[DST]] to i64, !nosanitize
// CHECK-SANITIZE-ANYRECOVER-NEXT: %[[EXTCONV:.*]] = zext i8 %[[CONV]] to i64, !nosanitize
// CHECK-SANITIZE-NORECOVER-NEXT: call void @__ubsan_handle_implicit_conversion_abort(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_400_SIGNED_TRUNCATION]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-RECOVER-NEXT: call void @__ubsan_handle_implicit_conversion(i8* bitcast ({ {{{.*}}}, {{{.*}}}*, {{{.*}}}*, i8 }* @[[LINE_400_SIGNED_TRUNCATION]] to i8*), i64 %[[EXTSRC]], i64 %[[EXTCONV]]){{.*}}, !nosanitize
// CHECK-SANITIZE-TRAP-NEXT: call void @llvm.trap(){{.*}}, !nosanitize
// CHECK-SANITIZE-UNREACHABLE-NEXT: unreachable, !nosanitize
// CHECK-SANITIZE: [[CONT]]:
// CHECK-NEXT: ret i8 %[[CONV]]
// CHECK-NEXT: }
#line 400
return src;
}
//============================================================================//
// Both sanitizers are disabled per-function.
//============================================================================//
// CHECK-LABEL: @unsigned_int_to_signed_char__no_sanitizers
// CHECK-SAME: (i32 %[[SRC:.*]])
__attribute__((no_sanitize("implicit-integer-truncation"),
no_sanitize("implicit-integer-sign-change"))) signed char
unsigned_int_to_signed_char__no_sanitizers(unsigned int src) {
// CHECK-NEXT: [[ENTRY:.*]]:
// CHECK-NEXT: %[[SRC_ADDR:.*]] = alloca i32
// CHECK-NEXT: store i32 %[[SRC]], i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[DST:.*]] = load i32, i32* %[[SRC_ADDR]]
// CHECK-NEXT: %[[CONV:.*]] = trunc i32 %[[DST]] to i8
// CHECK-NEXT: ret i8 %[[CONV]]
// CHECK-NEXT: }
return src;
}

test/CodeGenCXX/catch-implicit-integer-sign-changes-true-negatives.cpp

  • This file was added.
// RUN: %clang_cc1 -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefix=CHECK
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fno-sanitize-recover=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-NORECOVER
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fsanitize-recover=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-RECOVER
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fsanitize-trap=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-TRAP
extern "C" { // Disable name mangling.
// ========================================================================== //
// The expected true-negatives.
// ========================================================================== //
// Sanitization is explicitly disabled.
// ========================================================================== //
// CHECK-LABEL: @blacklist_0
__attribute__((no_sanitize("undefined"))) unsigned int blacklist_0(signed int src) {
// We are not in "undefined" group, so that doesn't work.
// CHECK-SANITIZE: call
// CHECK: }
return src;
}
// CHECK-LABEL: @blacklist_1
__attribute__((no_sanitize("integer"))) unsigned int blacklist_1(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return src;
}
// CHECK-LABEL: @blacklist_2
__attribute__((no_sanitize("implicit-conversion"))) unsigned int blacklist_2(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return src;
}
// CHECK-LABEL: @blacklist_3
__attribute__((no_sanitize("implicit-integer-sign-change"))) unsigned int blacklist_3(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return src;
}
// Explicit sign-changing conversions.
// ========================================================================== //
// CHECK-LABEL: @explicit_signed_int_to_unsigned_int
unsigned int explicit_signed_int_to_unsigned_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return (unsigned int)src;
}
// CHECK-LABEL: @explicit_unsigned_int_to_signed_int
signed int explicit_unsigned_int_to_signed_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return (signed int)src;
}
// Explicit NOP conversions.
// ========================================================================== //
// CHECK-LABEL: @explicit_unsigned_int_to_unsigned_int
unsigned int explicit_unsigned_int_to_unsigned_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return (unsigned int)src;
}
// CHECK-LABEL: @explicit_signed_int_to_signed_int
signed int explicit_signed_int_to_signed_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return (signed int)src;
}
// Explicit functional sign-changing casts.
// ========================================================================== //
using UnsignedInt = unsigned int;
using SignedInt = signed int;
// CHECK-LABEL: explicit_functional_unsigned_int_to_signed_int
signed int explicit_functional_unsigned_int_to_signed_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return SignedInt(src);
}
// CHECK-LABEL: @explicit_functional_signed_int_to_unsigned_int
unsigned int explicit_functional_signed_int_to_unsigned_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return UnsignedInt(src);
}
// Explicit functional NOP casts.
// ========================================================================== //
// CHECK-LABEL: @explicit_functional_unsigned_int_to_unsigned_int
unsigned int explicit_functional_unsigned_int_to_unsigned_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return UnsignedInt(src);
}
// CHECK-LABEL: @explicit_functional_signed_int_to_signed_int
signed int explicit_functional_signed_int_to_signed_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return SignedInt(src);
}
// Explicit C++-style sign-changing casts.
// ========================================================================== //
// CHECK-LABEL: @explicit_cppstyle_unsigned_int_to_signed_int
signed int explicit_cppstyle_unsigned_int_to_signed_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return static_cast<signed int>(src);
}
// CHECK-LABEL: @explicit_cppstyle_signed_int_to_unsigned_int
unsigned int explicit_cppstyle_signed_int_to_unsigned_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return static_cast<unsigned int>(src);
}
// Explicit C++-style casts NOP casts.
// ========================================================================== //
// CHECK-LABEL: @explicit_cppstyle_unsigned_int_to_unsigned_int
unsigned int explicit_cppstyle_unsigned_int_to_unsigned_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return static_cast<unsigned int>(src);
}
// CHECK-LABEL: @explicit_cppstyle_signed_int_to_signed_int
signed int explicit_cppstyle_signed_int_to_signed_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return static_cast<signed int>(src);
}
} // extern "C"

test/Driver/fsanitize.c

Show All 25 Lines
// CHECK-UNDEFINED-WIN-SAME: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|pointer-overflow|float-cast-overflow|array-bounds|enum|bool|builtin|returns-nonnull-attribute|nonnull-attribute),?){18}"}} // CHECK-UNDEFINED-WIN-SAME: "-fsanitize={{((signed-integer-overflow|integer-divide-by-zero|float-divide-by-zero|shift-base|shift-exponent|unreachable|return|vla-bound|alignment|null|pointer-overflow|float-cast-overflow|array-bounds|enum|bool|builtin|returns-nonnull-attribute|nonnull-attribute),?){18}"}}
// RUN: %clang -target i386-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN32 // RUN: %clang -target i386-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN32
// CHECK-COVERAGE-WIN32: "--dependent-lib={{[^"]*}}ubsan_standalone-i386.lib" // CHECK-COVERAGE-WIN32: "--dependent-lib={{[^"]*}}ubsan_standalone-i386.lib"
// RUN: %clang -target x86_64-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN64 // RUN: %clang -target x86_64-pc-win32 -fsanitize-coverage=bb %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-COVERAGE-WIN64
// CHECK-COVERAGE-WIN64: "--dependent-lib={{[^"]*}}ubsan_standalone-x86_64.lib" // CHECK-COVERAGE-WIN64: "--dependent-lib={{[^"]*}}ubsan_standalone-x86_64.lib"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=integer %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTEGER -implicit-check-not="-fsanitize-address-use-after-scope" // RUN: %clang -target x86_64-linux-gnu -fsanitize=integer %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-INTEGER -implicit-check-not="-fsanitize-address-use-after-scope"
// CHECK-INTEGER: "-fsanitize={{((signed-integer-overflow|unsigned-integer-overflow|integer-divide-by-zero|shift-base|shift-exponent|implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){7}"}} // CHECK-INTEGER: "-fsanitize={{((signed-integer-overflow|unsigned-integer-overflow|integer-divide-by-zero|shift-base|shift-exponent|implicit-unsigned-integer-truncation|implicit-signed-integer-truncation|implicit-integer-sign-change),?){8}"}}
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-conversion %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-conversion,CHECK-implicit-conversion-RECOVER // RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-conversion %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-conversion,CHECK-implicit-conversion-RECOVER
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-conversion -fsanitize-recover=implicit-conversion %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-conversion,CHECK-implicit-conversion-RECOVER // RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-conversion -fsanitize-recover=implicit-conversion %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-conversion,CHECK-implicit-conversion-RECOVER
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-conversion -fno-sanitize-recover=implicit-conversion %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-conversion,CHECK-implicit-conversion-NORECOVER // RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-conversion -fno-sanitize-recover=implicit-conversion %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-conversion,CHECK-implicit-conversion-NORECOVER
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-conversion -fsanitize-trap=implicit-conversion %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-conversion,CHECK-implicit-conversion-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-conversion -fsanitize-trap=implicit-conversion %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-conversion,CHECK-implicit-conversion-TRAP
// CHECK-implicit-conversion: "-fsanitize={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-conversion: "-fsanitize={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation|implicit-integer-sign-change),?){3}"}}
// CHECK-implicit-conversion-RECOVER: "-fsanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-conversion-RECOVER: "-fsanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation|implicit-integer-sign-change),?){3}"}}
// CHECK-implicit-conversion-RECOVER-NOT: "-fno-sanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-conversion-RECOVER-NOT: "-fno-sanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation|implicit-integer-sign-change),?){3}"}}
// CHECK-implicit-conversion-RECOVER-NOT: "-fsanitize-trap={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-conversion-RECOVER-NOT: "-fsanitize-trap={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation|implicit-integer-sign-change),?){3}"}}
// CHECK-implicit-conversion-NORECOVER-NOT: "-fno-sanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // ??? // CHECK-implicit-conversion-NORECOVER-NOT: "-fno-sanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation|implicit-integer-sign-change),?){3}"}} // ???
// CHECK-implicit-conversion-NORECOVER-NOT: "-fsanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-conversion-NORECOVER-NOT: "-fsanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation|implicit-integer-sign-change),?){3}"}}
// CHECK-implicit-conversion-NORECOVER-NOT: "-fsanitize-trap={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-conversion-NORECOVER-NOT: "-fsanitize-trap={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation|implicit-integer-sign-change),?){3}"}}
// CHECK-implicit-conversion-TRAP: "-fsanitize-trap={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-conversion-TRAP: "-fsanitize-trap={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation|implicit-integer-sign-change),?){3}"}}
// CHECK-implicit-conversion-TRAP-NOT: "-fsanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-conversion-TRAP-NOT: "-fsanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation|implicit-integer-sign-change),?){3}"}}
// CHECK-implicit-conversion-TRAP-NOT: "-fno-sanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-conversion-TRAP-NOT: "-fno-sanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation|implicit-integer-sign-change),?){3}"}}
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-arithmetic-value-change %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-arithmetic-value-change,CHECK-implicit-integer-arithmetic-value-change-RECOVER
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-arithmetic-value-change -fsanitize-recover=implicit-integer-arithmetic-value-change %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-arithmetic-value-change,CHECK-implicit-integer-arithmetic-value-change-RECOVER
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-arithmetic-value-change -fno-sanitize-recover=implicit-integer-arithmetic-value-change %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-arithmetic-value-change,CHECK-implicit-integer-arithmetic-value-change-NORECOVER
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-arithmetic-value-change -fsanitize-trap=implicit-integer-arithmetic-value-change %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-arithmetic-value-change,CHECK-implicit-integer-arithmetic-value-change-TRAP
// CHECK-implicit-integer-arithmetic-value-change: "-fsanitize={{((implicit-signed-integer-truncation|implicit-integer-sign-change),?){2}"}}
// CHECK-implicit-integer-arithmetic-value-change-RECOVER: "-fsanitize-recover={{((implicit-signed-integer-truncation|implicit-integer-sign-change),?){2}"}}
// CHECK-implicit-integer-arithmetic-value-change-RECOVER-NOT: "-fno-sanitize-recover={{((implicit-signed-integer-truncation|implicit-integer-sign-change),?){2}"}}
// CHECK-implicit-integer-arithmetic-value-change-RECOVER-NOT: "-fsanitize-trap={{((implicit-signed-integer-truncation|implicit-integer-sign-change),?){2}"}}
// CHECK-implicit-integer-arithmetic-value-change-NORECOVER-NOT: "-fno-sanitize-recover={{((implicit-signed-integer-truncation|implicit-integer-sign-change),?){2}"}} // ???
// CHECK-implicit-integer-arithmetic-value-change-NORECOVER-NOT: "-fsanitize-recover={{((implicit-signed-integer-truncation|implicit-integer-sign-change),?){2}"}}
// CHECK-implicit-integer-arithmetic-value-change-NORECOVER-NOT: "-fsanitize-trap={{((implicit-signed-integer-truncation|implicit-integer-sign-change),?){2}"}}
// CHECK-implicit-integer-arithmetic-value-change-TRAP: "-fsanitize-trap={{((implicit-signed-integer-truncation|implicit-integer-sign-change),?){2}"}}
// CHECK-implicit-integer-arithmetic-value-change-TRAP-NOT: "-fsanitize-recover={{((implicit-signed-integer-truncation|implicit-integer-sign-change),?){2}"}}
// CHECK-implicit-integer-arithmetic-value-change-TRAP-NOT: "-fno-sanitize-recover={{((implicit-signed-integer-truncation|implicit-integer-sign-change),?){2}"}}
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-truncation %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-truncation,CHECK-implicit-integer-truncation-RECOVER // RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-truncation %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-truncation,CHECK-implicit-integer-truncation-RECOVER
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-truncation -fsanitize-recover=implicit-integer-truncation %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-truncation,CHECK-implicit-integer-truncation-RECOVER // RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-truncation -fsanitize-recover=implicit-integer-truncation %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-truncation,CHECK-implicit-integer-truncation-RECOVER
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-truncation -fno-sanitize-recover=implicit-integer-truncation %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-truncation,CHECK-implicit-integer-truncation-NORECOVER // RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-truncation -fno-sanitize-recover=implicit-integer-truncation %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-truncation,CHECK-implicit-integer-truncation-NORECOVER
// RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-truncation -fsanitize-trap=implicit-integer-truncation %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-truncation,CHECK-implicit-integer-truncation-TRAP // RUN: %clang -target x86_64-linux-gnu -fsanitize=implicit-integer-truncation -fsanitize-trap=implicit-integer-truncation %s -### 2>&1 | FileCheck %s --check-prefixes=CHECK-implicit-integer-truncation,CHECK-implicit-integer-truncation-TRAP
// CHECK-implicit-integer-truncation: "-fsanitize={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-integer-truncation: "-fsanitize={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}}
// CHECK-implicit-integer-truncation-RECOVER: "-fsanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-integer-truncation-RECOVER: "-fsanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}}
// CHECK-implicit-integer-truncation-RECOVER-NOT: "-fno-sanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}} // CHECK-implicit-integer-truncation-RECOVER-NOT: "-fno-sanitize-recover={{((implicit-unsigned-integer-truncation|implicit-signed-integer-truncation),?){2}"}}
▲ Show 20 LinesShow All 723 LinesShow Last 20 Lines