This is an archive of the discontinued LLVM Phabricator instance.

Differential D52615

Handle -fsanitize-address-poison-class-member-array-new-cookie in the driver and propagate it to cc1
ClosedPublic

Authored by filcab on Sep 27 2018, 8:13 AM.

Details

Reviewers
rjmccall
kcc
rsmith
Commits
rG0eb5008352d8: Change -fsanitize-address-poison-class-member-array-new-cookie to -fsanitize…
rL346001: Change -fsanitize-address-poison-class-member-array-new-cookie to -fsanitize…
rC346001: Change -fsanitize-address-poison-class-member-array-new-cookie to -fsanitize…

Diff Detail

Repository
rL LLVM

Event Timeline

filcab created this revision.Sep 27 2018, 8:13 AM
Harbormaster completed remote builds in B23188: Diff 167330.Sep 27 2018, 8:13 AM
rsmith added a comment.Oct 3 2018, 5:40 PM

This seems like an unreasonably long flag name. Can you try to find a shorter name for it?

filcab added a comment.Oct 16 2018, 3:59 AM
In D52615#1254567, @rsmith wrote:

This seems like an unreasonably long flag name. Can you try to find a shorter name for it?

-fsanitize-poison-extra-operator-new?
Not as explicit, but maybe ok if documented?

Thank you,
Filipe

filcab added a comment.Oct 23 2018, 3:34 AM

Ping!

Thank you,
Filipe

rjmccall added a comment.Oct 23 2018, 9:55 AM
In D52615#1266320, @filcab wrote:
In D52615#1254567, @rsmith wrote:

This seems like an unreasonably long flag name. Can you try to find a shorter name for it?

-fsanitize-poison-extra-operator-new?
Not as explicit, but maybe ok if documented?

-fsanitize-address-poison-array-cookie?

filcab added a comment.Oct 25 2018, 9:43 AM
In D52615#1272725, @rjmccall wrote:
In D52615#1266320, @filcab wrote:
In D52615#1254567, @rsmith wrote:

This seems like an unreasonably long flag name. Can you try to find a shorter name for it?

-fsanitize-poison-extra-operator-new?
Not as explicit, but maybe ok if documented?

-fsanitize-address-poison-array-cookie?

I strongly dislike this one because "poison array cookie", in general, is always enabled (it's actually triggered by a runtime flag). This flag is about poisoning it in more cases (cases where the standard doesn't completely disallow accesses to the cookie, so we have to have a flag and can't enable it all the time).

Thank you,
Filipe

P.S: Some additional discussion is at D41664, from when this flag was first implemented.

rjmccall added a comment.EditedOct 25 2018, 10:24 PM
In D52615#1275946, @filcab wrote:
In D52615#1272725, @rjmccall wrote:
In D52615#1266320, @filcab wrote:
In D52615#1254567, @rsmith wrote:

This seems like an unreasonably long flag name. Can you try to find a shorter name for it?

-fsanitize-poison-extra-operator-new?
Not as explicit, but maybe ok if documented?

-fsanitize-address-poison-array-cookie?

I strongly dislike this one because "poison array cookie", in general, is always enabled (it's actually triggered by a runtime flag). This flag is about poisoning it in more cases (cases where the standard doesn't completely disallow accesses to the cookie, so we have to have a flag and can't enable it all the time).

Hmm. This naming discussion might be a proxy for another debate. I understand the argument that programs are allowed to assume a particular C++ ABI and therefore access the array cookie. And I can understand having an option that makes ASan stricter and disallow accessing the array cookie anyway. But I don't understand why this analysis is in any way case-specific, and the discussion you've linked doesn't seem particularly clarifying about that point. Can you explain this a little?

rjmccall added a comment.Oct 25 2018, 10:29 PM

Oops, sorry for the unedited comment; it's fixed on Phab.

filcab added a comment.Oct 26 2018, 5:55 AM
In D52615#1276938, @rjmccall wrote:
In D52615#1275946, @filcab wrote:
In D52615#1272725, @rjmccall wrote:
In D52615#1266320, @filcab wrote:
In D52615#1254567, @rsmith wrote:

This seems like an unreasonably long flag name. Can you try to find a shorter name for it?

-fsanitize-poison-extra-operator-new?
Not as explicit, but maybe ok if documented?

-fsanitize-address-poison-array-cookie?

I strongly dislike this one because "poison array cookie", in general, is always enabled (it's actually triggered by a runtime flag). This flag is about poisoning it in more cases (cases where the standard doesn't completely disallow accesses to the cookie, so we have to have a flag and can't enable it all the time).

Hmm. This naming discussion might be a proxy for another debate. I understand the argument that programs are allowed to assume a particular C++ ABI and therefore access the array cookie. And I can understand having an option that makes ASan stricter and disallow accessing the array cookie anyway. But I don't understand why this analysis is in any way case-specific, and the discussion you've linked doesn't seem particularly clarifying about that point. Can you explain this a little?

If you don't have a class-member operator new[], then you don't expect to be able to have access to the memory occupied by the array cookie, since you never "see" a pointer that points to it.
But if you have a class-member operator new[], then you can keep a copy of all the pointers you've returned, and you're allowed to read from them, even if they contain an array cookie (you're just reading from memory you've returned to users).
With this flag, we disallow this second case, at the expense of having ASan trigger an error on code that is standards compliant. We're making it more strict, therefore we start emitting ASan errors on the test I was removing in D41664. Kostya's comment on me removing that test was that the code is valid, so ASan shouldn't reject it by default (but ok to have flags that make it more strict).

Thank you,
Filipe

P.S: We still have "placement new" (::operator new[](size_t, void*)as a special case, which will not have an array cookie, so we don't poison it. This flag only applies to user-defined, class-specific allocation functions.

P.P.S: Sorry if I misunderstood your question. Please let me know.

rjmccall added a comment.Oct 26 2018, 5:41 PM

So, three points:

  • That's not class-member-specific; you can have a placement operator new[] at global scope that isn't the special void* placement operator and therefore still has a cookie, and it would have just as much flexibility as a class-member override would. So the split you're trying to describe is the standard operators vs. custom ones.
  • Anyone can provide their own definition of the standard operators; there are some semantic restrictions on those definitions, but I'm not sure what about those restrictions would forbid this kind of capture.
  • Even with the standard implementations of the standard replaceable operators, I'm not sure what rule would actually outlaw the client from going from the result of new[] back to the cookie.

At any rate, taking the feature as a given, the first point suggests -fsanitize-address-poison-custom-array-cookie or something along those lines. If we want a more standard-ese term than "custom", the standard refers to its operators collectively as "library allocation functions", so maybe "non-library".

filcab updated this revision to Diff 171660.Oct 30 2018, 3:45 AM

Update with name change, using rjmccall's suggestion

Harbormaster completed remote builds in B24318: Diff 171660.Oct 30 2018, 3:45 AM
filcab updated this revision to Diff 171661.Oct 30 2018, 3:47 AM

Missed the change in some places

filcab added a comment.Oct 30 2018, 4:17 AM
In D52615#1278000, @rjmccall wrote:

So, three points:

  • That's not class-member-specific; you can have a placement operator new[] at global scope that isn't the special void* placement operator and therefore still has a cookie, and it would have just as much flexibility as a class-member override would. So the split you're trying to describe is the standard operators vs. custom ones.
  • Anyone can provide their own definition of the standard operators; there are some semantic restrictions on those definitions, but I'm not sure what about those restrictions would forbid this kind of capture.
  • Even with the standard implementations of the standard replaceable operators, I'm not sure what rule would actually outlaw the client from going from the result of new[] back to the cookie.

At any rate, taking the feature as a given, the first point suggests -fsanitize-address-poison-custom-array-cookie or something along those lines. If we want a more standard-ese term than "custom", the standard refers to its operators collectively as "library allocation functions", so maybe "non-library".

Thank you. I went with your suggestion, as I think it's close enough to be understandable. I've also changed the -cc1 argument in this patch, as it looks weird to have two different arguments (unless needed). Let me know if you'd like to keep the different names.

Thank you,
Filipe

rjmccall added a comment.Oct 30 2018, 2:48 PM

Thanks, and I agree with renaming the existing option.

docs/ClangCommandLineReference.rst
805 ↗(On Diff #171661)

This is user documentation, so it would be good to explain here what exactly this does and why you might enable or disable it. I know the surrounding documentation is even more barebones, but that's a problem, and it's a problem we won't fix by making it worse.

filcab updated this revision to Diff 172149.Nov 1 2018, 9:36 AM

Expanded a bit more on the documentation, mentioning that user code might be technically allowed to access those array cookies, but that users might not want to allow it.

Harbormaster completed remote builds in B24458: Diff 172149.Nov 1 2018, 9:37 AM
filcab updated this revision to Diff 172179.Nov 1 2018, 10:58 AM

Expand yet a bit more.

Harbormaster completed remote builds in B24466: Diff 172179.Nov 1 2018, 10:58 AM
rjmccall added inline comments.Nov 1 2018, 11:18 AM
docs/ClangCommandLineReference.rst
805 ↗(On Diff #171661)

Thanks. Grammar/style clean-up:

Enable "poisoning" array cookies when allocating arrays with a custom operator new[] in Address Sanitizer, preventing accesses to the cookies from user code. An array cookie is a small implementation-defined header added to certain array allocations to record metadata such as the length of the array. Accesses to array cookies from user code are technically allowed by the standard but are more likely to be the result of an out-of-bounds array access.

An operator new[] is "custom" if it is not one of the allocation functions provided by the C++ standard library. Array cookies from non-custom allocation functions are always poisoned.

filcab updated this revision to Diff 172376.Nov 2 2018, 8:59 AM

Reworded with feedback from the review.

Harbormaster completed remote builds in B24504: Diff 172376.Nov 2 2018, 9:00 AM
rjmccall accepted this revision.Nov 2 2018, 10:16 AM

Thanks, LGTM.

This revision is now accepted and ready to land.Nov 2 2018, 10:16 AM
Closed by commit rC346001: Change -fsanitize-address-poison-class-member-array-new-cookie to -fsanitize… (authored by filcab). · Explain WhyNov 2 2018, 10:31 AM
Closed by commit rL346001: Change -fsanitize-address-poison-class-member-array-new-cookie to -fsanitize… (authored by filcab). · Explain Why
This revision was automatically updated to reflect the committed changes.
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptNov 2 2018, 10:31 AM
filcab added a comment.Nov 2 2018, 10:34 AM

Thanks for the review.
Unfortunately, I forgot to edit the commit message. Let's hope no one gets too confused (phab reviews will be up anyway, so should be easy to figure out).
Filipe

Revision Contents

PathSize
cfe/
trunk/
docs/
6 lines
8 lines
include/
clang/
Driver/
12 lines
1 line
Frontend/
2 lines
lib/
CodeGen/
2 lines
Driver/
8 lines
Frontend/
8 lines
test/
CodeGen/
2 lines
Driver/
18 lines

Diff 172393

cfe/trunk/docs/ClangCommandLineReference.rst

Show First 20 LinesShow All 794 Lines▼ Show 20 Lines
.. option:: -fsanitize-address-field-padding=<arg> .. option:: -fsanitize-address-field-padding=<arg>
Level of field padding for AddressSanitizer Level of field padding for AddressSanitizer
.. option:: -fsanitize-address-globals-dead-stripping .. option:: -fsanitize-address-globals-dead-stripping
Enable linker dead stripping of globals in AddressSanitizer Enable linker dead stripping of globals in AddressSanitizer
.. option:: -fsanitize-address-poison-class-member-array-new-cookie, -fno-sanitize-address-poison-class-member-array-new-cookie .. option:: -fsanitize-address-poison-custom-array-cookie, -fno-sanitize-address-poison-custom-array-cookie
Enable poisoning array cookies when using class member operator new\[\] in AddressSanitizer Enable "poisoning" array cookies when allocating arrays with a custom operator new\[\] in Address Sanitizer, preventing accesses to the cookies from user code. An array cookie is a small implementation-defined header added to certain array allocations to record metadata such as the length of the array. Accesses to array cookies from user code are technically allowed by the standard but are more likely to be the result of an out-of-bounds array access.
An operator new\[\] is "custom" if it is not one of the allocation functions provided by the C++ standard library. Array cookies from non-custom allocation functions are always poisoned.
.. option:: -fsanitize-address-use-after-scope, -fno-sanitize-address-use-after-scope .. option:: -fsanitize-address-use-after-scope, -fno-sanitize-address-use-after-scope
Enable use-after-scope detection in AddressSanitizer Enable use-after-scope detection in AddressSanitizer
.. option:: -fsanitize-blacklist=<arg> .. option:: -fsanitize-blacklist=<arg>
Path to blacklist file for sanitizers Path to blacklist file for sanitizers
▲ Show 20 LinesShow All 2,257 LinesShow Last 20 Lines

cfe/trunk/docs/UsersManual.rst

Show First 20 LinesShow All 2,994 Lines▼ Show 20 Lines OPTIONS:
-fno-builtin-<value> Disable implicit builtin knowledge of a specific function -fno-builtin-<value> Disable implicit builtin knowledge of a specific function
-fno-builtin Disable implicit builtin knowledge of functions -fno-builtin Disable implicit builtin knowledge of functions
-fno-complete-member-pointers -fno-complete-member-pointers
Do not require member pointer base types to be complete if they would be significant under the Microsoft ABI Do not require member pointer base types to be complete if they would be significant under the Microsoft ABI
-fno-coverage-mapping Disable code coverage analysis -fno-coverage-mapping Disable code coverage analysis
-fno-debug-macro Do not emit macro debug information -fno-debug-macro Do not emit macro debug information
-fno-delayed-template-parsing -fno-delayed-template-parsing
Disable delayed template parsing Disable delayed template parsing
-fno-sanitize-address-poison-class-member-array-new-cookie -fno-sanitize-address-poison-custom-array-cookie
Disable poisoning array cookies when using class member operator new[] in AddressSanitizer Disable poisoning array cookies when using custom operator new[] in AddressSanitizer
-fno-sanitize-address-use-after-scope -fno-sanitize-address-use-after-scope
Disable use-after-scope detection in AddressSanitizer Disable use-after-scope detection in AddressSanitizer
-fno-sanitize-blacklist Don't use blacklist file for sanitizers -fno-sanitize-blacklist Don't use blacklist file for sanitizers
-fno-sanitize-cfi-cross-dso -fno-sanitize-cfi-cross-dso
Disable control flow integrity (CFI) checks for cross-DSO calls. Disable control flow integrity (CFI) checks for cross-DSO calls.
-fno-sanitize-coverage=<value> -fno-sanitize-coverage=<value>
Disable specified features of coverage instrumentation for Sanitizers Disable specified features of coverage instrumentation for Sanitizers
-fno-sanitize-memory-track-origins -fno-sanitize-memory-track-origins
Show All 19 Lines OPTIONS:
Generate instrumented code to collect execution counts into default.profraw file Generate instrumented code to collect execution counts into default.profraw file
(overridden by '=' form of option or LLVM_PROFILE_FILE env var) (overridden by '=' form of option or LLVM_PROFILE_FILE env var)
-fprofile-instr-use=<value> -fprofile-instr-use=<value>
Use instrumentation data for profile-guided optimization Use instrumentation data for profile-guided optimization
-fsanitize-address-field-padding=<value> -fsanitize-address-field-padding=<value>
Level of field padding for AddressSanitizer Level of field padding for AddressSanitizer
-fsanitize-address-globals-dead-stripping -fsanitize-address-globals-dead-stripping
Enable linker dead stripping of globals in AddressSanitizer Enable linker dead stripping of globals in AddressSanitizer
-fsanitize-address-poison-class-member-array-new-cookie -fsanitize-address-poison-custom-array-cookie
Enable poisoning array cookies when using class member operator new[] in AddressSanitizer Enable poisoning array cookies when using custom operator new[] in AddressSanitizer
-fsanitize-address-use-after-scope -fsanitize-address-use-after-scope
Enable use-after-scope detection in AddressSanitizer Enable use-after-scope detection in AddressSanitizer
-fsanitize-blacklist=<value> -fsanitize-blacklist=<value>
Path to blacklist file for sanitizers Path to blacklist file for sanitizers
-fsanitize-cfi-cross-dso -fsanitize-cfi-cross-dso
Enable control flow integrity (CFI) checks for cross-DSO calls. Enable control flow integrity (CFI) checks for cross-DSO calls.
-fsanitize-cfi-icall-generalize-pointers -fsanitize-cfi-icall-generalize-pointers
Generalize pointers in CFI indirect call type signature checks Generalize pointers in CFI indirect call type signature checks
▲ Show 20 LinesShow All 48 LinesShow Last 20 Lines

cfe/trunk/include/clang/Driver/Options.td

Show First 20 LinesShow All 965 Lines▼ Show 20 Linesdef fsanitize_address_field_padding : Joined<["-"], "fsanitize-address-field-padding=">,
HelpText<"Level of field padding for AddressSanitizer">; HelpText<"Level of field padding for AddressSanitizer">;
def fsanitize_address_use_after_scope : Flag<["-"], "fsanitize-address-use-after-scope">, def fsanitize_address_use_after_scope : Flag<["-"], "fsanitize-address-use-after-scope">,
Group<f_clang_Group>, Group<f_clang_Group>,
HelpText<"Enable use-after-scope detection in AddressSanitizer">; HelpText<"Enable use-after-scope detection in AddressSanitizer">;
def fno_sanitize_address_use_after_scope : Flag<["-"], "fno-sanitize-address-use-after-scope">, def fno_sanitize_address_use_after_scope : Flag<["-"], "fno-sanitize-address-use-after-scope">,
Group<f_clang_Group>, Group<f_clang_Group>,
Flags<[CoreOption, DriverOption]>, Flags<[CoreOption, DriverOption]>,
HelpText<"Disable use-after-scope detection in AddressSanitizer">; HelpText<"Disable use-after-scope detection in AddressSanitizer">;
def fsanitize_address_poison_class_member_array_new_cookie def fsanitize_address_poison_custom_array_cookie
: Flag<[ "-" ], "fsanitize-address-poison-class-member-array-new-cookie">, : Flag<[ "-" ], "fsanitize-address-poison-custom-array-cookie">,
Group<f_clang_Group>, Group<f_clang_Group>,
HelpText<"Enable poisoning array cookies when using class member operator new[] in AddressSanitizer">; HelpText<"Enable poisoning array cookies when using custom operator new[] in AddressSanitizer">;
def fno_sanitize_address_poison_class_member_array_new_cookie def fno_sanitize_address_poison_custom_array_cookie
: Flag<[ "-" ], "fno-sanitize-address-poison-class-member-array-new-cookie">, : Flag<[ "-" ], "fno-sanitize-address-poison-custom-array-cookie">,
Group<f_clang_Group>, Group<f_clang_Group>,
HelpText<"Disable poisoning array cookies when using class member operator new[] in AddressSanitizer">; HelpText<"Disable poisoning array cookies when using custom operator new[] in AddressSanitizer">;
def fsanitize_address_globals_dead_stripping : Flag<["-"], "fsanitize-address-globals-dead-stripping">, def fsanitize_address_globals_dead_stripping : Flag<["-"], "fsanitize-address-globals-dead-stripping">,
Group<f_clang_Group>, Group<f_clang_Group>,
HelpText<"Enable linker dead stripping of globals in AddressSanitizer">; HelpText<"Enable linker dead stripping of globals in AddressSanitizer">;
def fsanitize_recover : Flag<["-"], "fsanitize-recover">, Group<f_clang_Group>; def fsanitize_recover : Flag<["-"], "fsanitize-recover">, Group<f_clang_Group>;
def fno_sanitize_recover : Flag<["-"], "fno-sanitize-recover">, def fno_sanitize_recover : Flag<["-"], "fno-sanitize-recover">,
Flags<[CoreOption, DriverOption]>, Flags<[CoreOption, DriverOption]>,
Group<f_clang_Group>; Group<f_clang_Group>;
def fsanitize_recover_EQ : CommaJoined<["-"], "fsanitize-recover=">, def fsanitize_recover_EQ : CommaJoined<["-"], "fsanitize-recover=">,
▲ Show 20 LinesShow All 2,082 LinesShow Last 20 Lines

cfe/trunk/include/clang/Driver/SanitizerArgs.h

Show All 30 Linesclass SanitizerArgs {
int CoverageFeatures = 0; int CoverageFeatures = 0;
int MsanTrackOrigins = 0; int MsanTrackOrigins = 0;
bool MsanUseAfterDtor = true; bool MsanUseAfterDtor = true;
bool CfiCrossDso = false; bool CfiCrossDso = false;
bool CfiICallGeneralizePointers = false; bool CfiICallGeneralizePointers = false;
int AsanFieldPadding = 0; int AsanFieldPadding = 0;
bool SharedRuntime = false; bool SharedRuntime = false;
bool AsanUseAfterScope = true; bool AsanUseAfterScope = true;
bool AsanPoisonCustomArrayCookie = false;
bool AsanGlobalsDeadStripping = false; bool AsanGlobalsDeadStripping = false;
bool LinkCXXRuntimes = false; bool LinkCXXRuntimes = false;
bool NeedPIE = false; bool NeedPIE = false;
bool SafeStackRuntime = false; bool SafeStackRuntime = false;
bool Stats = false; bool Stats = false;
bool TsanMemoryAccess = true; bool TsanMemoryAccess = true;
bool TsanFuncEntryExit = true; bool TsanFuncEntryExit = true;
bool TsanAtomics = true; bool TsanAtomics = true;
▲ Show 20 LinesShow All 44 LinesShow Last 20 Lines

cfe/trunk/include/clang/Frontend/CodeGenOptions.def

Show First 20 LinesShow All 168 Lines▼ Show 20 Lines
CODEGENOPT(RelaxAll , 1, 0) ///< Relax all machine code instructions. CODEGENOPT(RelaxAll , 1, 0) ///< Relax all machine code instructions.
CODEGENOPT(RelaxedAliasing , 1, 0) ///< Set when -fno-strict-aliasing is enabled. CODEGENOPT(RelaxedAliasing , 1, 0) ///< Set when -fno-strict-aliasing is enabled.
CODEGENOPT(StructPathTBAA , 1, 0) ///< Whether or not to use struct-path TBAA. CODEGENOPT(StructPathTBAA , 1, 0) ///< Whether or not to use struct-path TBAA.
CODEGENOPT(NewStructPathTBAA , 1, 0) ///< Whether or not to use enhanced struct-path TBAA. CODEGENOPT(NewStructPathTBAA , 1, 0) ///< Whether or not to use enhanced struct-path TBAA.
CODEGENOPT(SaveTempLabels , 1, 0) ///< Save temporary labels. CODEGENOPT(SaveTempLabels , 1, 0) ///< Save temporary labels.
CODEGENOPT(SanitizeAddressUseAfterScope , 1, 0) ///< Enable use-after-scope detection CODEGENOPT(SanitizeAddressUseAfterScope , 1, 0) ///< Enable use-after-scope detection
///< in AddressSanitizer ///< in AddressSanitizer
CODEGENOPT(SanitizeAddressPoisonClassMemberArrayNewCookie, 1, CODEGENOPT(SanitizeAddressPoisonCustomArrayCookie, 1,
0) ///< Enable poisoning operator new[] which is not a replaceable 0) ///< Enable poisoning operator new[] which is not a replaceable
///< global allocation function in AddressSanitizer ///< global allocation function in AddressSanitizer
CODEGENOPT(SanitizeAddressGlobalsDeadStripping, 1, 0) ///< Enable linker dead stripping CODEGENOPT(SanitizeAddressGlobalsDeadStripping, 1, 0) ///< Enable linker dead stripping
///< of globals in AddressSanitizer ///< of globals in AddressSanitizer
CODEGENOPT(SanitizeMemoryTrackOrigins, 2, 0) ///< Enable tracking origins in CODEGENOPT(SanitizeMemoryTrackOrigins, 2, 0) ///< Enable tracking origins in
///< MemorySanitizer ///< MemorySanitizer
CODEGENOPT(SanitizeMemoryUseAfterDtor, 1, 0) ///< Enable use-after-delete detection CODEGENOPT(SanitizeMemoryUseAfterDtor, 1, 0) ///< Enable use-after-delete detection
///< in MemorySanitizer ///< in MemorySanitizer
▲ Show 20 LinesShow All 170 LinesShow Last 20 Lines

cfe/trunk/lib/CodeGen/ItaniumCXXABI.cpp

Show First 20 LinesShow All 1,910 Lines▼ Show 20 LinesAddress ItaniumCXXABI::InitializeArrayCookie(CodeGenFunction &CGF,
// Write the number of elements into the appropriate slot. // Write the number of elements into the appropriate slot.
Address NumElementsPtr = Address NumElementsPtr =
CGF.Builder.CreateElementBitCast(CookiePtr, CGF.SizeTy); CGF.Builder.CreateElementBitCast(CookiePtr, CGF.SizeTy);
llvm::Instruction *SI = CGF.Builder.CreateStore(NumElements, NumElementsPtr); llvm::Instruction *SI = CGF.Builder.CreateStore(NumElements, NumElementsPtr);
// Handle the array cookie specially in ASan. // Handle the array cookie specially in ASan.
if (CGM.getLangOpts().Sanitize.has(SanitizerKind::Address) && AS == 0 && if (CGM.getLangOpts().Sanitize.has(SanitizerKind::Address) && AS == 0 &&
(expr->getOperatorNew()->isReplaceableGlobalAllocationFunction() || (expr->getOperatorNew()->isReplaceableGlobalAllocationFunction() ||
CGM.getCodeGenOpts().SanitizeAddressPoisonClassMemberArrayNewCookie)) { CGM.getCodeGenOpts().SanitizeAddressPoisonCustomArrayCookie)) {
// The store to the CookiePtr does not need to be instrumented. // The store to the CookiePtr does not need to be instrumented.
CGM.getSanitizerMetadata()->disableSanitizerForInstruction(SI); CGM.getSanitizerMetadata()->disableSanitizerForInstruction(SI);
llvm::FunctionType *FTy = llvm::FunctionType *FTy =
llvm::FunctionType::get(CGM.VoidTy, NumElementsPtr.getType(), false); llvm::FunctionType::get(CGM.VoidTy, NumElementsPtr.getType(), false);
llvm::Constant *F = llvm::Constant *F =
CGM.CreateRuntimeFunction(FTy, "__asan_poison_cxx_array_cookie"); CGM.CreateRuntimeFunction(FTy, "__asan_poison_cxx_array_cookie");
CGF.Builder.CreateCall(F, NumElementsPtr.getPointer()); CGF.Builder.CreateCall(F, NumElementsPtr.getPointer());
} }
▲ Show 20 LinesShow All 2,309 LinesShow Last 20 Lines

cfe/trunk/lib/Driver/SanitizerArgs.cpp

Show First 20 LinesShow All 718 Lines▼ Show 20 Lines if (Arg *WindowsDebugRTArg =
D.Diag(clang::diag::note_drv_address_sanitizer_debug_runtime); D.Diag(clang::diag::note_drv_address_sanitizer_debug_runtime);
} }
} }
AsanUseAfterScope = Args.hasFlag( AsanUseAfterScope = Args.hasFlag(
options::OPT_fsanitize_address_use_after_scope, options::OPT_fsanitize_address_use_after_scope,
options::OPT_fno_sanitize_address_use_after_scope, AsanUseAfterScope); options::OPT_fno_sanitize_address_use_after_scope, AsanUseAfterScope);
AsanPoisonCustomArrayCookie = Args.hasFlag(
options::OPT_fsanitize_address_poison_custom_array_cookie,
options::OPT_fno_sanitize_address_poison_custom_array_cookie,
AsanPoisonCustomArrayCookie);
// As a workaround for a bug in gold 2.26 and earlier, dead stripping of // As a workaround for a bug in gold 2.26 and earlier, dead stripping of
// globals in ASan is disabled by default on ELF targets. // globals in ASan is disabled by default on ELF targets.
// See https://sourceware.org/bugzilla/show_bug.cgi?id=19002 // See https://sourceware.org/bugzilla/show_bug.cgi?id=19002
AsanGlobalsDeadStripping = AsanGlobalsDeadStripping =
!TC.getTriple().isOSBinFormatELF() || TC.getTriple().isOSFuchsia() || !TC.getTriple().isOSBinFormatELF() || TC.getTriple().isOSFuchsia() ||
Args.hasArg(options::OPT_fsanitize_address_globals_dead_stripping); Args.hasArg(options::OPT_fsanitize_address_globals_dead_stripping);
} else { } else {
AsanUseAfterScope = false; AsanUseAfterScope = false;
▲ Show 20 LinesShow All 157 Lines▼ Show 20 Linesvoid SanitizerArgs::addArgs(const ToolChain &TC, const llvm::opt::ArgList &Args,
if (AsanFieldPadding) if (AsanFieldPadding)
CmdArgs.push_back(Args.MakeArgString("-fsanitize-address-field-padding=" + CmdArgs.push_back(Args.MakeArgString("-fsanitize-address-field-padding=" +
Twine(AsanFieldPadding))); Twine(AsanFieldPadding)));
if (AsanUseAfterScope) if (AsanUseAfterScope)
CmdArgs.push_back("-fsanitize-address-use-after-scope"); CmdArgs.push_back("-fsanitize-address-use-after-scope");
if (AsanPoisonCustomArrayCookie)
CmdArgs.push_back("-fsanitize-address-poison-custom-array-cookie");
if (AsanGlobalsDeadStripping) if (AsanGlobalsDeadStripping)
CmdArgs.push_back("-fsanitize-address-globals-dead-stripping"); CmdArgs.push_back("-fsanitize-address-globals-dead-stripping");
// MSan: Workaround for PR16386. // MSan: Workaround for PR16386.
// ASan: This is mainly to help LSan with cases such as // ASan: This is mainly to help LSan with cases such as
// https://github.com/google/sanitizers/issues/373 // https://github.com/google/sanitizers/issues/373
// We can't make this conditional on -fsanitize=leak, as that flag shouldn't // We can't make this conditional on -fsanitize=leak, as that flag shouldn't
// affect compilation. // affect compilation.
▲ Show 20 LinesShow All 116 LinesShow Last 20 Lines

cfe/trunk/lib/Frontend/CompilerInvocation.cpp

Show First 20 LinesShow All 963 Lines▼ Show 20 Lines Opts.SanitizeMemoryUseAfterDtor =
OPT_fno_sanitize_memory_use_after_dtor, OPT_fno_sanitize_memory_use_after_dtor,
false); false);
Opts.SanitizeMinimalRuntime = Args.hasArg(OPT_fsanitize_minimal_runtime); Opts.SanitizeMinimalRuntime = Args.hasArg(OPT_fsanitize_minimal_runtime);
Opts.SanitizeCfiCrossDso = Args.hasArg(OPT_fsanitize_cfi_cross_dso); Opts.SanitizeCfiCrossDso = Args.hasArg(OPT_fsanitize_cfi_cross_dso);
Opts.SanitizeCfiICallGeneralizePointers = Opts.SanitizeCfiICallGeneralizePointers =
Args.hasArg(OPT_fsanitize_cfi_icall_generalize_pointers); Args.hasArg(OPT_fsanitize_cfi_icall_generalize_pointers);
Opts.SanitizeStats = Args.hasArg(OPT_fsanitize_stats); Opts.SanitizeStats = Args.hasArg(OPT_fsanitize_stats);
if (Arg *A = Args.getLastArg( if (Arg *A = Args.getLastArg(
OPT_fsanitize_address_poison_class_member_array_new_cookie, OPT_fsanitize_address_poison_custom_array_cookie,
OPT_fno_sanitize_address_poison_class_member_array_new_cookie)) { OPT_fno_sanitize_address_poison_custom_array_cookie)) {
Opts.SanitizeAddressPoisonClassMemberArrayNewCookie = Opts.SanitizeAddressPoisonCustomArrayCookie =
A->getOption().getID() == A->getOption().getID() ==
OPT_fsanitize_address_poison_class_member_array_new_cookie; OPT_fsanitize_address_poison_custom_array_cookie;
} }
if (Arg *A = Args.getLastArg(OPT_fsanitize_address_use_after_scope, if (Arg *A = Args.getLastArg(OPT_fsanitize_address_use_after_scope,
OPT_fno_sanitize_address_use_after_scope)) { OPT_fno_sanitize_address_use_after_scope)) {
Opts.SanitizeAddressUseAfterScope = Opts.SanitizeAddressUseAfterScope =
A->getOption().getID() == OPT_fsanitize_address_use_after_scope; A->getOption().getID() == OPT_fsanitize_address_use_after_scope;
} }
Opts.SanitizeAddressGlobalsDeadStripping = Opts.SanitizeAddressGlobalsDeadStripping =
Args.hasArg(OPT_fsanitize_address_globals_dead_stripping); Args.hasArg(OPT_fsanitize_address_globals_dead_stripping);
▲ Show 20 LinesShow All 2,348 LinesShow Last 20 Lines

cfe/trunk/test/CodeGen/address-sanitizer-and-array-cookie.cpp

// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - %s | FileCheck %s -check-prefix=PLAIN // RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - %s | FileCheck %s -check-prefix=PLAIN
// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - -fsanitize=address %s | FileCheck %s -check-prefix=ASAN // RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - -fsanitize=address %s | FileCheck %s -check-prefix=ASAN
// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - -fsanitize=address -fsanitize-address-poison-class-member-array-new-cookie %s | FileCheck %s -check-prefix=ASAN-POISON-ALL-NEW-ARRAY // RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - -fsanitize=address -fsanitize-address-poison-custom-array-cookie %s | FileCheck %s -check-prefix=ASAN-POISON-ALL-NEW-ARRAY
typedef __typeof__(sizeof(0)) size_t; typedef __typeof__(sizeof(0)) size_t;
namespace std { namespace std {
struct nothrow_t {}; struct nothrow_t {};
std::nothrow_t nothrow; std::nothrow_t nothrow;
} }
void *operator new[](size_t, const std::nothrow_t &) throw(); void *operator new[](size_t, const std::nothrow_t &) throw();
void *operator new[](size_t, char *); void *operator new[](size_t, char *);
▲ Show 20 LinesShow All 53 LinesShow Last 20 Lines

cfe/trunk/test/Driver/fsanitize.c

Show First 20 LinesShow All 217 Lines▼ Show 20 Lines
// CHECK-USE-AFTER-SCOPE-BOTH: -cc1{{.*}}-fsanitize-address-use-after-scope // CHECK-USE-AFTER-SCOPE-BOTH: -cc1{{.*}}-fsanitize-address-use-after-scope
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fsanitize-address-use-after-scope -fno-sanitize-address-use-after-scope %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-USE-AFTER-SCOPE-BOTH-OFF // RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fsanitize-address-use-after-scope -fno-sanitize-address-use-after-scope %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-USE-AFTER-SCOPE-BOTH-OFF
// CHECK-USE-AFTER-SCOPE-BOTH-OFF-NOT: -cc1{{.*}}address-use-after-scope // CHECK-USE-AFTER-SCOPE-BOTH-OFF-NOT: -cc1{{.*}}address-use-after-scope
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-WITHOUT-USE-AFTER-SCOPE // RUN: %clang -target x86_64-linux-gnu -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-WITHOUT-USE-AFTER-SCOPE
// CHECK-ASAN-WITHOUT-USE-AFTER-SCOPE: -cc1{{.*}}address-use-after-scope // CHECK-ASAN-WITHOUT-USE-AFTER-SCOPE: -cc1{{.*}}address-use-after-scope
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fsanitize-address-poison-custom-array-cookie %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-POISON-CUSTOM-ARRAY-NEW-COOKIE
// RUN: %clang_cl --target=x86_64-windows -fsanitize=address -fsanitize-address-poison-custom-array-cookie -### -- %s 2>&1 | FileCheck %s --check-prefix=CHECK-POISON-CUSTOM-ARRAY-NEW-COOKIE
// CHECK-POISON-CUSTOM-ARRAY-NEW-COOKIE: -cc1{{.*}}-fsanitize-address-poison-custom-array-cookie
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fno-sanitize-address-poison-custom-array-cookie %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-POISON-CUSTOM-ARRAY-NEW-COOKIE-OFF
// RUN: %clang_cl --target=x86_64-windows -fsanitize=address -fno-sanitize-address-poison-custom-array-cookie -### -- %s 2>&1 | FileCheck %s --check-prefix=CHECK-POISON-CUSTOM-ARRAY-NEW-COOKIE-OFF
// CHECK-POISON-CUSTOM-ARRAY-NEW-COOKIE-OFF-NOT: -cc1{{.*}}address-poison-custom-array-cookie
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fno-sanitize-address-poison-custom-array-cookie -fsanitize-address-poison-custom-array-cookie %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-POISON-CUSTOM-ARRAY-NEW-COOKIE-BOTH
// RUN: %clang_cl --target=x86_64-windows -fsanitize=address -fno-sanitize-address-poison-custom-array-cookie -fsanitize-address-poison-custom-array-cookie -### -- %s 2>&1 | FileCheck %s --check-prefix=CHECK-POISON-CUSTOM-ARRAY-NEW-COOKIE-BOTH
// CHECK-POISON-CUSTOM-ARRAY-NEW-COOKIE-BOTH: -cc1{{.*}}-fsanitize-address-poison-custom-array-cookie
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fsanitize-address-poison-custom-array-cookie -fno-sanitize-address-poison-custom-array-cookie %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-POISON-CUSTOM-ARRAY-NEW-COOKIE-BOTH-OFF
// CHECK-POISON-CUSTOM-ARRAY-NEW-COOKIE-BOTH-OFF-NOT: -cc1{{.*}}address-poison-custom-array-cookie
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-WITHOUT-POISON-CUSTOM-ARRAY-NEW-COOKIE
// CHECK-ASAN-WITHOUT-POISON-CUSTOM-ARRAY-NEW-COOKIE-NOT: -cc1{{.*}}address-poison-custom-array-cookie
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fsanitize-address-globals-dead-stripping %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-GLOBALS // RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fsanitize-address-globals-dead-stripping %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-GLOBALS
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-ASAN-GLOBALS // RUN: %clang -target x86_64-linux-gnu -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-ASAN-GLOBALS
// RUN: %clang_cl --target=x86_64-windows-msvc -fsanitize=address -fsanitize-address-globals-dead-stripping -### -- %s 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-GLOBALS // RUN: %clang_cl --target=x86_64-windows-msvc -fsanitize=address -fsanitize-address-globals-dead-stripping -### -- %s 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-GLOBALS
// RUN: %clang_cl --target=x86_64-windows-msvc -fsanitize=address -### -- %s 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-GLOBALS // RUN: %clang_cl --target=x86_64-windows-msvc -fsanitize=address -### -- %s 2>&1 | FileCheck %s --check-prefix=CHECK-ASAN-GLOBALS
// CHECK-ASAN-GLOBALS: -cc1{{.*}}-fsanitize-address-globals-dead-stripping // CHECK-ASAN-GLOBALS: -cc1{{.*}}-fsanitize-address-globals-dead-stripping
// CHECK-NO-ASAN-GLOBALS-NOT: -cc1{{.*}}-fsanitize-address-globals-dead-stripping // CHECK-NO-ASAN-GLOBALS-NOT: -cc1{{.*}}-fsanitize-address-globals-dead-stripping
// RUN: %clang -target x86_64-linux-gnu -fsanitize-memory-track-origins -pie %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ONLY-TRACK-ORIGINS // RUN: %clang -target x86_64-linux-gnu -fsanitize-memory-track-origins -pie %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-ONLY-TRACK-ORIGINS
▲ Show 20 LinesShow All 562 LinesShow Last 20 Lines