This is an archive of the discontinued LLVM Phabricator instance.

Differential D6095

Protection against stack-based memory corruption errors using SafeStack: Clang command line option and function attribute
ClosedPublic

Authored by pcc on Nov 3 2014, 9:41 AM.

Details

Reviewers
theraven
samsonov
ksvladimir
jfb
Commits
rGc4122c17b473: Protection against stack-based memory corruption errors using SafeStack: Clang…
rC239762: Protection against stack-based memory corruption errors using SafeStack: Clang…
rL239762: Protection against stack-based memory corruption errors using SafeStack: Clang…
Summary

This patch adds the -fsafe-stack command line argument for clang, which enables the Safe Stack protection (see http://reviews.llvm.org/D6094 for the detailed description of the Safe Stack).

This patch is our implementation of the safe stack on top of the current SVN HEAD of Clang (r221154). The patches make the following changes:

  • Add -fsafe-stack and -fno-safe-stack options to clang to control safe stack usage (the safe stack is disabled by default).
  • Add attribute((no_safe_stack)) attribute to clang that can be used to disable the safe stack for individual functions even when enabled globally.

Diff Detail

Repository
rL LLVM

Event Timeline

ksvladimir updated this revision to Diff 15718.Nov 3 2014, 9:41 AM
ksvladimir retitled this revision from to Protection against stack-based memory corruption errors using SafeStack: Clang command line option and function attribute.
ksvladimir updated this object.
ksvladimir edited the test plan for this revision. (Show Details)
ksvladimir added a reviewer: theraven.
ksvladimir added a subscriber: Unknown Object (MLST).
colinl added a subscriber: colinl.Nov 3 2014, 10:25 AM
theraven added inline comments.Nov 3 2014, 10:44 AM
include/clang/Basic/AttrDocs.td
868 ↗(On Diff #15718)

It would be nice if this documentation didn't assume that everyone reading it knew what the safe stack instrumentation was. In particular, it should say what kind of functions might need to use this attribute (ones that do stack introspection?).

lib/Driver/Tools.cpp
2189 ↗(On Diff #15718)

This is Linux specific. Most other platforms don't need anything explicitly linked to support dl*()

lib/Frontend/InitPreprocessor.cpp
830 ↗(On Diff #15718)

It would be worth surveying a corpus of code and seeing what uses the __SSP defines. We may find that it's worth defining some of them in SafeStack mode, as it may cause the same kind of breakage.

kcc added a subscriber: kcc.Nov 3 2014, 3:18 PM
kcc added inline comments.Nov 3 2014, 3:18 PM
lib/Frontend/InitPreprocessor.cpp
830 ↗(On Diff #15718)

Note that AddressSanitizer does not define any preprocessor symbol.
I tried to introduce ADDRESS_SANITIZER but failed to convince the clang folks.
Instead, we use hasfeature(address_sanitizer), which is sadly incompatible with GCC's asan implementation, but works fine.

emaste added a subscriber: emaste.Nov 3 2014, 8:43 PM
ksvladimir updated this revision to Diff 15776.Nov 4 2014, 11:20 AM

Addresses comments on the previous submission.

lszekeres added a subscriber: lszekeres.Nov 4 2014, 11:35 AM
ksvladimir added a comment.Nov 4 2014, 1:43 PM

You can find the detailed changelog since the previous submission in our repo: https://github.com/cpi-llvm/clang/commits/safestack-r221153

amanone added a subscriber: amanone.Nov 6 2014, 2:26 AM
ksvladimir updated this revision to Diff 15992.Nov 10 2014, 9:45 AM

Added unittests for the -fsafe-stack and -fno-safe-stack options in clang and -fstack-protector 4 option in clang-cc1.

ksvladimir updated this revision to Diff 16078.Nov 12 2014, 2:34 AM

Added tests for attribute((no_safe_stack)).

abique added a subscriber: abique.Nov 14 2014, 12:16 AM
ksvladimir updated this revision to Diff 16226.Nov 14 2014, 10:16 AM
ksvladimir edited the test plan for this revision. (Show Details)

Added documentation for the no_safe_stack attribute. Simplified safestack public symbol names.

ksvladimir updated this revision to Diff 16262.Nov 14 2014, 9:54 PM

Fixed symbol naming on Mac.

pcc commandeered this revision.Apr 23 2015, 3:42 PM
pcc added a reviewer: ksvladimir.
pcc updated this revision to Diff 24338.Apr 23 2015, 3:45 PM

Refresh

kcc added a reviewer: samsonov.May 5 2015, 4:21 PM

I'd like Alexey to co-review the clang part.

A top-level comment so far: don't we want to have the flag as -f[no-]sanitize=safe_stack?
This will make it consistent with the rest of sanitizers, including cfi

kcc added a comment.May 5 2015, 4:39 PM

more comments

docs/SafeStack.rst
12 ↗(On Diff #24338)

.. based on stack-based...

I'd remove the second "based"

44 ↗(On Diff #24338)

is this true about libc?

83 ↗(On Diff #24338)

See my previous comment about macros and ADDRESS_SANITIZER.
You may have to change this to __has_feature(safe_stack)

gribozavr added a subscriber: gribozavr.May 6 2015, 9:54 AM
gribozavr added inline comments.
test/SemaCXX/attr-no-safestack.cpp
12 ↗(On Diff #24338)

Rather than relying on line continuations, you could use expected-error@-1.

pcc updated this revision to Diff 25097.May 6 2015, 3:43 PM
  • Rename flag to -fsanitize=safe-stack
  • SAFESTACK -> __has_feature(safe_stack), doc updates
pcc added inline comments.May 6 2015, 3:45 PM
docs/SafeStack.rst
12 ↗(On Diff #24338)

Done

44 ↗(On Diff #24338)

Not currently. Removed.

83 ↗(On Diff #24338)

Done

test/SemaCXX/attr-no-safestack.cpp
12 ↗(On Diff #24338)

Done

samsonov added inline comments.May 6 2015, 4:15 PM
docs/AttributeReference.rst
486 ↗(On Diff #25097)

Do you need this attribute right now? If we decide to finally implement universal no_sanitize attribute, this attribute will become deprecated in favor of __attribute__((no_sanitize("safe-stack"))).

lib/CodeGen/CodeGenModule.cpp
747 ↗(On Diff #25097)

Do you need to respect -fsanitize-blacklist for this?

lib/Driver/ToolChains.cpp
13 ↗(On Diff #25097)

Accidental change?

lib/Driver/Tools.cpp
2296 ↗(On Diff #25097)

Note that you're adding -ldl here, but we tend to add dependencies of compiler-rt runtimes later in the linker invocation (see NeedsSanitizerDeps vars) - so that they are added after AddLinkerInputs is called.

8392 ↗(On Diff #25097)

Do we really want to support OS we don't build safestack runtime for? I'd just use Linux/MacOS for a start.

pcc updated this revision to Diff 25220.May 7 2015, 1:11 PM
  • Move safestack driver code to collectSanitizerRuntimes; eliminate SSPSafeStack
  • Revert unnecessary change
  • Update tests for new flags
  • Revert changes to AttributeReference.rst (updated automatically)
docs/AttributeReference.rst
486 ↗(On Diff #25097)

It's needed for Chromium and FreeBSD so far as I understand it.

lib/CodeGen/CodeGenModule.cpp
747 ↗(On Diff #25097)

Done

lib/Driver/ToolChains.cpp
13 ↗(On Diff #25097)

Reverted

lib/Driver/Tools.cpp
2296 ↗(On Diff #25097)

This now works like the other sanitizers.

8392 ↗(On Diff #25097)

addSafeStackRT is now gone, as well as these call sites.

samsonov edited edge metadata.May 7 2015, 5:12 PM

I understand that you probably need no_safe_stack attribute for Chromium/FreeBSD integration *right now*, and rather proceed with this and not wait until someone implements generic no_sanitize attribute, but... maybe we should at least not document it?

lib/CodeGen/CodeGenModule.cpp
765 ↗(On Diff #25220)

Do you also need to add it to CodeGenModule::CreateGlobalInitOrDestructFunction?

lib/Driver/Tools.cpp
2354 ↗(On Diff #25220)

This code is now dead - presence of -shared is checked at the top of this function. Can we silently discard -fsanitize=safe-stack while linking DSO?

6251 ↗(On Diff #25220)

Looks like you should set AlwaysLink argument of AddLinkRuntimeLib to true.

pcc updated this revision to Diff 25273.May 7 2015, 6:30 PM
pcc edited edge metadata.
  • Address review comments
pcc added a comment.May 7 2015, 6:30 PM

maybe we should at least not document it?

I'd rather document it than have some undocumented attribute in use somewhere.

I'll take a shot at implementing no_sanitize tomorrow and hopefully make this a moot point.

lib/CodeGen/CodeGenModule.cpp
765 ↗(On Diff #25220)

Yes, done.

lib/Driver/Tools.cpp
2354 ↗(On Diff #25220)

We can, but only if the DSO is linked against a main executable that is linked against the safe stack runtime. (Generally for the other sanitizers we can make this true, but in deployment scenarios you might not be able to control the main executable.)

There are a number of possible solutions to this problem, which we plan to deal with in a future change, but at least removing the check makes things work in that specific scenario. So I've removed it.

6251 ↗(On Diff #25220)

Done

samsonov added a comment.May 7 2015, 9:36 PM

I'm fine with this patch, modulo the attribute issue.

pcc updated this revision to Diff 25533.May 11 2015, 5:19 PM
  • Remove no_safe_stack attribute
samsonov accepted this revision.May 12 2015, 10:14 AM
samsonov edited edge metadata.

LGTM

This revision is now accepted and ready to land.May 12 2015, 10:14 AM
pcc updated this revision to Diff 25887.May 15 2015, 11:59 AM
pcc edited edge metadata.
  • Implement attribute((no_sanitize("safe-stack")))
pcc updated this revision to Diff 25889.May 15 2015, 12:18 PM
  • Fix documentation typo
ksvladimir added inline comments.May 19 2015, 3:51 PM
include/clang/Basic/LangOptions.def
202 ↗(On Diff #25889)

Since SSPSafeStack no longer exists, this should be reverted as well.

lib/Driver/Tools.cpp
6283 ↗(On Diff #25889)

Is this still required, even though we have AlwaysLink=true above?

pcc updated this revision to Diff 26105.May 19 2015, 4:42 PM
  • Remove unnecessary linker flag
  • Revert langopts change
  • Improve precision of safestack-attr.cpp test
include/clang/Basic/LangOptions.def
202 ↗(On Diff #25889)

Done

lib/Driver/Tools.cpp
6283 ↗(On Diff #25889)

No, removed.

jfb added a subscriber: jfb.May 21 2015, 9:04 AM

The patch description mentions `__attribute__((no_safe_stack))` which isn't the name used anymore.

docs/SafeStack.rst
18 ↗(On Diff #26105)

It would be good to document the limitations that this approach has.

Off the top of my head:

  • The safe stack is merely hidden from attackers by being somewhere in the address space. That's nice, but can be predictable even on 64-bit address spaces because not all the bits are addressable, multiple threads each have their stack, ...
  • This approach doesn't prevent an attacker from "imbalancing" the safe stack by say having just one call, and doing two rets (thereby returning to an address that wasn't meant as a return address).
51 ↗(On Diff #26105)

Does this have any security implications by making Oilpan spill the SafeStack address? I'm assuming that care must be taken not to do so!

55 ↗(On Diff #26105)

Format `dlopen()`

97 ↗(On Diff #26105)

What implications does this attribute have on the overall system's security?

109 ↗(On Diff #26105)

What happens when calling `__builtin_frame_address` with SafeStack?

pcc updated this revision to Diff 26542.May 26 2015, 3:02 PM
  • Implement attribute((no_sanitize("safe-stack")))
  • Fix documentation typo
  • Remove unnecessary linker flag
  • Revert langopts change
  • Improve precision of safestack-attr.cpp test
  • Document limitations
  • More documentation updates
  • More updates
pcc added inline comments.May 26 2015, 3:07 PM
docs/SafeStack.rst
18 ↗(On Diff #26105)

Done

51 ↗(On Diff #26105)

Yes. I now mention this in the limitations section.

55 ↗(On Diff #26105)

Done

97 ↗(On Diff #26105)

Added a relevant paragraph.

109 ↗(On Diff #26105)

I believe it will return a pointer to the safe stack. I've added some stuff to the Limitations section about this.

jfb added a comment.May 27 2015, 6:00 PM

You should also update the patch description.

Besides my new comment on warnings (which could be added separately), this patch LGTM.

docs/SafeStack.rst
109 ↗(On Diff #26105)

Would it be possible to have clang warn when doing safe-stack and __builtin_frame_address is used, or the stack leaks in other inadvertent ways? We want to avoid noisy warnings, but converting an existing codebase should probably require explicitly adding no-safe-stack attributes where required.

jfb added inline comments.May 28 2015, 2:10 PM
docs/SafeStack.rst
72 ↗(On Diff #26542)

Could you document the current limitations on DSO?

pcc updated this revision to Diff 26833.May 29 2015, 4:07 PM
  • Add a note regarding leak detection
  • Document DSO limitation
docs/SafeStack.rst
72 ↗(On Diff #26542)

Done

Closed by commit rL239762: Protection against stack-based memory corruption errors using SafeStack: Clang… (authored by pcc). · Explain WhyJun 15 2015, 2:12 PM
This revision was automatically updated to reflect the committed changes.
jfb added a reviewer: jfb.Sep 13 2015, 6:21 PM

Revision Contents

PathSize
cfe/
trunk/
docs/
3 lines
163 lines
2 lines
1 line
include/
clang/
Basic/
4 lines
3 lines
Driver/
3 lines
lib/
CodeGen/
2 lines
2 lines
Driver/
18 lines
Lex/
1 line
test/
CodeGen/
6 lines
4 lines
Driver/
12 lines

Diff 27719

cfe/trunk/docs/LanguageExtensions.rst

Show First 20 LinesShow All 1,839 Lines▼ Show 20 Lines
with :doc:`AddressSanitizer`. with :doc:`AddressSanitizer`.
Use ``__has_feature(thread_sanitizer)`` to check if the code is being built Use ``__has_feature(thread_sanitizer)`` to check if the code is being built
with :doc:`ThreadSanitizer`. with :doc:`ThreadSanitizer`.
Use ``__has_feature(memory_sanitizer)`` to check if the code is being built Use ``__has_feature(memory_sanitizer)`` to check if the code is being built
with :doc:`MemorySanitizer`. with :doc:`MemorySanitizer`.
Use ``__has_feature(safe_stack)`` to check if the code is being built
with :doc:`SafeStack`.
Extensions for selectively disabling optimization Extensions for selectively disabling optimization
================================================= =================================================
Clang provides a mechanism for selectively disabling optimizations in functions Clang provides a mechanism for selectively disabling optimizations in functions
and methods. and methods.
To disable optimizations in a single function definition, the GNU-style or C++11 To disable optimizations in a single function definition, the GNU-style or C++11
▲ Show 20 LinesShow All 178 LinesShow Last 20 Lines

cfe/trunk/docs/SafeStack.rst

=========
SafeStack
=========
.. contents::
:local:
Introduction
============
SafeStack is an instrumentation pass that protects programs against attacks
based on stack buffer overflows, without introducing any measurable performance
overhead. It works by separating the program stack into two distinct regions:
the safe stack and the unsafe stack. The safe stack stores return addresses,
register spills, and local variables that are always accessed in a safe way,
while the unsafe stack stores everything else. This separation ensures that
buffer overflows on the unsafe stack cannot be used to overwrite anything
on the safe stack, which includes return addresses.
Performance
-----------
The performance overhead of the SafeStack instrumentation is less than 0.1% on
average across a variety of benchmarks (see the `Code-Pointer Integrity
<http://dslab.epfl.ch/pubs/cpi.pdf>`_ paper for details). This is mainly
because most small functions do not have any variables that require the unsafe
stack and, hence, do not need unsafe stack frames to be created. The cost of
creating unsafe stack frames for large functions is amortized by the cost of
executing the function.
In some cases, SafeStack actually improves the performance. Objects that end up
being moved to the unsafe stack are usually large arrays or variables that are
used through multiple stack frames. Moving such objects away from the safe
stack increases the locality of frequently accessed values on the stack, such
as register spills, return addresses, and small local variables.
Limitations
-----------
SafeStack has not been subjected to a comprehensive security review, and there
exist known weaknesses, including but not limited to the following.
In its current state, the separation of local variables provides protection
against stack buffer overflows, but the safe stack itself is not protected
from being corrupted through a pointer dereference. The Code-Pointer
Integrity paper describes two ways in which we may protect the safe stack:
hardware segmentation on the 32-bit x86 architecture or information hiding
on other architectures.
Even with information hiding, the safe stack would merely be hidden
from attackers by being somewhere in the address space. Depending on the
application, the address could be predictable even on 64-bit address spaces
because not all the bits are addressable, multiple threads each have their
stack, the application could leak the safe stack address to memory via
``__builtin_frame_address``, bugs in the low-level runtime support etc.
Safe stack leaks could be mitigated by writing and deploying a static binary
analysis or a dynamic binary instrumentation based tool to find leaks.
This approach doesn't prevent an attacker from "imbalancing" the safe
stack by say having just one call, and doing two rets (thereby returning
to an address that wasn't meant as a return address). This can be at least
partially mitigated by deploying SafeStack alongside a forward control-flow
integrity mechanism to ensure that calls are made using the correct calling
convention. Clang does not currently implement a comprehensive forward
control-flow integrity protection scheme; there exists one that protects
:doc:`virtual calls <ControlFlowIntegrity>` but not non-virtual indirect calls.
Compatibility
-------------
Most programs, static libraries, or individual files can be compiled
with SafeStack as is. SafeStack requires basic runtime support, which, on most
platforms, is implemented as a compiler-rt library that is automatically linked
in when the program is compiled with SafeStack.
Linking a DSO with SafeStack is not currently supported.
Known compatibility limitations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Certain code that relies on low-level stack manipulations requires adaption to
work with SafeStack. One example is mark-and-sweep garbage collection
implementations for C/C++ (e.g., Oilpan in chromium/blink), which must be
changed to look for the live pointers on both safe and unsafe stacks.
SafeStack supports linking together modules that are compiled with and without
SafeStack, both statically and dynamically. One corner case that is not
supported is using ``dlopen()`` to load a dynamic library that uses SafeStack into
a program that is not compiled with SafeStack but uses threads.
Signal handlers that use ``sigaltstack()`` must not use the unsafe stack (see
``__attribute__((no_sanitize("safe-stack")))`` below).
Programs that use APIs from ``ucontext.h`` are not supported yet.
Usage
=====
To enable SafeStack, just pass ``-fsanitize=safe-stack`` flag to both compile and link
command lines.
Supported Platforms
-------------------
SafeStack was tested on Linux, FreeBSD and MacOSX.
Low-level API
-------------
``__has_feature(safe_stack)``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In some rare cases one may need to execute different code depending on
whether SafeStack is enabled. The macro ``__has_feature(safe_stack)`` can
be used for this purpose.
.. code-block:: c
#if __has_feature(safe_stack)
// code that builds only under SafeStack
#endif
``__attribute__((no_sanitize("safe-stack")))``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use ``__attribute__((no_sanitize("safe-stack")))`` on a function declaration
to specify that the safe stack instrumentation should not be applied to that
function, even if enabled globally (see ``-fsanitize=safe-stack`` flag). This
attribute may be required for functions that make assumptions about the
exact layout of their stack frames.
Care should be taken when using this attribute. The return address is not
protected against stack buffer overflows, and it is easier to leak the
address of the safe stack to memory by taking the address of a local variable.
``__builtin___get_unsafe_stack_ptr()``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This builtin function returns current unsafe stack pointer of the current
thread.
``__builtin___get_unsafe_stack_start()``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This builtin function returns a pointer to the start of the unsafe stack of the
current thread.
Design
======
Please refer to
`http://dslab.epfl.ch/proj/cpi/ <http://dslab.epfl.ch/proj/cpi/>`_ for more
information about the design of the SafeStack and its related technologies.
Publications
------------
`Code-Pointer Integrity <http://dslab.epfl.ch/pubs/cpi.pdf>`_.
Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, R. Sekar, Dawn Song.
USENIX Symposium on Operating Systems Design and Implementation
(`OSDI <https://www.usenix.org/conference/osdi14>`_), Broomfield, CO, October 2014

cfe/trunk/docs/UsersManual.rst

Show First 20 LinesShow All 974 Lines▼ Show 20 Lines - ``-fsanitize=undefined-trap``: This includes all sanitizers
runtime support. This group of sanitizers is intended to be runtime support. This group of sanitizers is intended to be
used in conjunction with the ``-fsanitize-undefined-trap-on-error`` used in conjunction with the ``-fsanitize-undefined-trap-on-error``
flag. This includes all of the checks listed below other than flag. This includes all of the checks listed below other than
``unsigned-integer-overflow`` and ``vptr``. ``unsigned-integer-overflow`` and ``vptr``.
- ``-fsanitize=dataflow``: :doc:`DataFlowSanitizer`, a general data - ``-fsanitize=dataflow``: :doc:`DataFlowSanitizer`, a general data
flow analysis. flow analysis.
- ``-fsanitize=cfi``: :doc:`control flow integrity <ControlFlowIntegrity>` - ``-fsanitize=cfi``: :doc:`control flow integrity <ControlFlowIntegrity>`
checks. Implies ``-flto``. checks. Implies ``-flto``.
- ``-fsanitize=safe-stack``: :doc:`safe stack <SafeStack>`
protection against stack-based memory corruption errors.
The following more fine-grained checks are also available: The following more fine-grained checks are also available:
- ``-fsanitize=alignment``: Use of a misaligned pointer or creation - ``-fsanitize=alignment``: Use of a misaligned pointer or creation
of a misaligned reference. of a misaligned reference.
- ``-fsanitize=bool``: Load of a ``bool`` value which is neither - ``-fsanitize=bool``: Load of a ``bool`` value which is neither
``true`` nor ``false``. ``true`` nor ``false``.
- ``-fsanitize=bounds``: Out of bounds array indexing, in cases - ``-fsanitize=bounds``: Out of bounds array indexing, in cases
▲ Show 20 LinesShow All 1,056 LinesShow Last 20 Lines

cfe/trunk/docs/index.rst

Show All 23 Lines.. toctree::
AddressSanitizer AddressSanitizer
ThreadSanitizer ThreadSanitizer
MemorySanitizer MemorySanitizer
DataFlowSanitizer DataFlowSanitizer
LeakSanitizer LeakSanitizer
SanitizerCoverage SanitizerCoverage
SanitizerSpecialCaseList SanitizerSpecialCaseList
ControlFlowIntegrity ControlFlowIntegrity
SafeStack
Modules Modules
MSVCCompatibility MSVCCompatibility
FAQ FAQ
Using Clang as a Library Using Clang as a Library
======================== ========================
.. toctree:: .. toctree::
▲ Show 20 LinesShow All 44 LinesShow Last 20 Lines

cfe/trunk/include/clang/Basic/Builtins.def

Show First 20 LinesShow All 1,234 Lines▼ Show 20 Lines
BUILTIN(__builtin_smull_overflow, "bSLiCSLiCSLi*", "n") BUILTIN(__builtin_smull_overflow, "bSLiCSLiCSLi*", "n")
BUILTIN(__builtin_smulll_overflow, "bSLLiCSLLiCSLLi*", "n") BUILTIN(__builtin_smulll_overflow, "bSLLiCSLLiCSLLi*", "n")
// Clang builtins (not available in GCC). // Clang builtins (not available in GCC).
BUILTIN(__builtin_addressof, "v*v&", "nct") BUILTIN(__builtin_addressof, "v*v&", "nct")
BUILTIN(__builtin_operator_new, "v*z", "c") BUILTIN(__builtin_operator_new, "v*z", "c")
BUILTIN(__builtin_operator_delete, "vv*", "n") BUILTIN(__builtin_operator_delete, "vv*", "n")
// Safestack builtins
BUILTIN(__builtin___get_unsafe_stack_start, "v*", "Fn")
BUILTIN(__builtin___get_unsafe_stack_ptr, "v*", "Fn")
#undef BUILTIN #undef BUILTIN
#undef LIBBUILTIN #undef LIBBUILTIN
#undef LANGBUILTIN #undef LANGBUILTIN

cfe/trunk/include/clang/Basic/Sanitizers.def

Show First 20 LinesShow All 81 Lines▼ Show 20 Lines
SANITIZER("cfi-cast-strict", CFICastStrict) SANITIZER("cfi-cast-strict", CFICastStrict)
SANITIZER("cfi-derived-cast", CFIDerivedCast) SANITIZER("cfi-derived-cast", CFIDerivedCast)
SANITIZER("cfi-unrelated-cast", CFIUnrelatedCast) SANITIZER("cfi-unrelated-cast", CFIUnrelatedCast)
SANITIZER("cfi-nvcall", CFINVCall) SANITIZER("cfi-nvcall", CFINVCall)
SANITIZER("cfi-vcall", CFIVCall) SANITIZER("cfi-vcall", CFIVCall)
SANITIZER_GROUP("cfi", CFI, SANITIZER_GROUP("cfi", CFI,
CFIDerivedCast | CFIUnrelatedCast | CFINVCall | CFIVCall) CFIDerivedCast | CFIUnrelatedCast | CFINVCall | CFIVCall)
// Safe Stack
SANITIZER("safe-stack", SafeStack)
// -fsanitize=undefined-trap includes sanitizers from -fsanitize=undefined // -fsanitize=undefined-trap includes sanitizers from -fsanitize=undefined
// that can be used without runtime support, generally by providing extra // that can be used without runtime support, generally by providing extra
// -fsanitize-undefined-trap-on-error flag. // -fsanitize-undefined-trap-on-error flag.
SANITIZER_GROUP("undefined-trap", UndefinedTrap, SANITIZER_GROUP("undefined-trap", UndefinedTrap,
Alignment | Bool | ArrayBounds | Enum | FloatCastOverflow | Alignment | Bool | ArrayBounds | Enum | FloatCastOverflow |
FloatDivideByZero | IntegerDivideByZero | NonnullAttribute | FloatDivideByZero | IntegerDivideByZero | NonnullAttribute |
Null | ObjectSize | Return | ReturnsNonnullAttribute | Null | ObjectSize | Return | ReturnsNonnullAttribute |
Shift | SignedIntegerOverflow | Unreachable | VLABound) Shift | SignedIntegerOverflow | Unreachable | VLABound)
Show All 18 Lines

cfe/trunk/include/clang/Driver/SanitizerArgs.h

Show First 20 LinesShow All 41 Lines▼ Show 20 Lines public:
bool needsTsanRt() const { return Sanitizers.has(SanitizerKind::Thread); } bool needsTsanRt() const { return Sanitizers.has(SanitizerKind::Thread); }
bool needsMsanRt() const { return Sanitizers.has(SanitizerKind::Memory); } bool needsMsanRt() const { return Sanitizers.has(SanitizerKind::Memory); }
bool needsLsanRt() const { bool needsLsanRt() const {
return Sanitizers.has(SanitizerKind::Leak) && return Sanitizers.has(SanitizerKind::Leak) &&
!Sanitizers.has(SanitizerKind::Address); !Sanitizers.has(SanitizerKind::Address);
} }
bool needsUbsanRt() const; bool needsUbsanRt() const;
bool needsDfsanRt() const { return Sanitizers.has(SanitizerKind::DataFlow); } bool needsDfsanRt() const { return Sanitizers.has(SanitizerKind::DataFlow); }
bool needsSafeStackRt() const {
return Sanitizers.has(SanitizerKind::SafeStack);
}
bool requiresPIE() const; bool requiresPIE() const;
bool needsUnwindTables() const; bool needsUnwindTables() const;
bool needsLTO() const; bool needsLTO() const;
bool linkCXXRuntimes() const { return LinkCXXRuntimes; } bool linkCXXRuntimes() const { return LinkCXXRuntimes; }
void addArgs(const llvm::opt::ArgList &Args, void addArgs(const llvm::opt::ArgList &Args,
llvm::opt::ArgStringList &CmdArgs) const; llvm::opt::ArgStringList &CmdArgs) const;
private: private:
void clear(); void clear();
}; };
} // namespace driver } // namespace driver
} // namespace clang } // namespace clang
#endif #endif

cfe/trunk/lib/CodeGen/CGDeclCXX.cpp

Show First 20 LinesShow All 267 Lines▼ Show 20 Linesllvm::Function *CodeGenModule::CreateGlobalInitOrDestructFunction(
if (!isInSanitizerBlacklist(Fn, Loc)) { if (!isInSanitizerBlacklist(Fn, Loc)) {
if (getLangOpts().Sanitize.has(SanitizerKind::Address)) if (getLangOpts().Sanitize.has(SanitizerKind::Address))
Fn->addFnAttr(llvm::Attribute::SanitizeAddress); Fn->addFnAttr(llvm::Attribute::SanitizeAddress);
if (getLangOpts().Sanitize.has(SanitizerKind::Thread)) if (getLangOpts().Sanitize.has(SanitizerKind::Thread))
Fn->addFnAttr(llvm::Attribute::SanitizeThread); Fn->addFnAttr(llvm::Attribute::SanitizeThread);
if (getLangOpts().Sanitize.has(SanitizerKind::Memory)) if (getLangOpts().Sanitize.has(SanitizerKind::Memory))
Fn->addFnAttr(llvm::Attribute::SanitizeMemory); Fn->addFnAttr(llvm::Attribute::SanitizeMemory);
if (getLangOpts().Sanitize.has(SanitizerKind::SafeStack))
Fn->addFnAttr(llvm::Attribute::SafeStack);
} }
return Fn; return Fn;
} }
/// Create a global pointer to a function that will initialize a global /// Create a global pointer to a function that will initialize a global
/// variable. The user has requested that this pointer be emitted in a specific /// variable. The user has requested that this pointer be emitted in a specific
/// section. /// section.
▲ Show 20 LinesShow All 313 LinesShow Last 20 Lines

cfe/trunk/lib/CodeGen/CodeGenFunction.cpp

Show First 20 LinesShow All 615 Lines▼ Show 20 Linesvoid CodeGenFunction::StartFunction(GlobalDecl GD,
// Apply sanitizer attributes to the function. // Apply sanitizer attributes to the function.
if (SanOpts.has(SanitizerKind::Address)) if (SanOpts.has(SanitizerKind::Address))
Fn->addFnAttr(llvm::Attribute::SanitizeAddress); Fn->addFnAttr(llvm::Attribute::SanitizeAddress);
if (SanOpts.has(SanitizerKind::Thread)) if (SanOpts.has(SanitizerKind::Thread))
Fn->addFnAttr(llvm::Attribute::SanitizeThread); Fn->addFnAttr(llvm::Attribute::SanitizeThread);
if (SanOpts.has(SanitizerKind::Memory)) if (SanOpts.has(SanitizerKind::Memory))
Fn->addFnAttr(llvm::Attribute::SanitizeMemory); Fn->addFnAttr(llvm::Attribute::SanitizeMemory);
if (SanOpts.has(SanitizerKind::SafeStack))
Fn->addFnAttr(llvm::Attribute::SafeStack);
// Pass inline keyword to optimizer if it appears explicitly on any // Pass inline keyword to optimizer if it appears explicitly on any
// declaration. Also, in the case of -fno-inline attach NoInline // declaration. Also, in the case of -fno-inline attach NoInline
// attribute to all function that are not marked AlwaysInline. // attribute to all function that are not marked AlwaysInline.
if (const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D)) { if (const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D)) {
if (!CGM.getCodeGenOpts().NoInline) { if (!CGM.getCodeGenOpts().NoInline) {
for (auto RI : FD->redecls()) for (auto RI : FD->redecls())
if (RI->isInlineSpecified()) { if (RI->isInlineSpecified()) {
▲ Show 20 LinesShow All 1,141 LinesShow Last 20 Lines

cfe/trunk/lib/Driver/Tools.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 2,427 Lines▼ Show 20 Lines if (SanArgs.needsTsanRt()) {
if (SanArgs.linkCXXRuntimes()) if (SanArgs.linkCXXRuntimes())
StaticRuntimes.push_back("tsan_cxx"); StaticRuntimes.push_back("tsan_cxx");
} }
if (SanArgs.needsUbsanRt()) { if (SanArgs.needsUbsanRt()) {
StaticRuntimes.push_back("ubsan_standalone"); StaticRuntimes.push_back("ubsan_standalone");
if (SanArgs.linkCXXRuntimes()) if (SanArgs.linkCXXRuntimes())
StaticRuntimes.push_back("ubsan_standalone_cxx"); StaticRuntimes.push_back("ubsan_standalone_cxx");
} }
if (SanArgs.needsSafeStackRt())
StaticRuntimes.push_back("safestack");
} }
// Should be called before we add system libraries (C++ ABI, libstdc++/libc++, // Should be called before we add system libraries (C++ ABI, libstdc++/libc++,
// C runtime, etc). Returns true if sanitizer system deps need to be linked in. // C runtime, etc). Returns true if sanitizer system deps need to be linked in.
static bool addSanitizerRuntimes(const ToolChain &TC, const ArgList &Args, static bool addSanitizerRuntimes(const ToolChain &TC, const ArgList &Args,
ArgStringList &CmdArgs) { ArgStringList &CmdArgs) {
SmallVector<StringRef, 4> SharedRuntimes, StaticRuntimes, SmallVector<StringRef, 4> SharedRuntimes, StaticRuntimes,
HelperStaticRuntimes; HelperStaticRuntimes;
▲ Show 20 LinesShow All 1,552 Lines▼ Show 20 Lines
Args.AddLastArg(CmdArgs, options::OPT_funroll_loops, Args.AddLastArg(CmdArgs, options::OPT_funroll_loops,
options::OPT_fno_unroll_loops); options::OPT_fno_unroll_loops);
Args.AddLastArg(CmdArgs, options::OPT_pthread); Args.AddLastArg(CmdArgs, options::OPT_pthread);
// -stack-protector=0 is default. // -stack-protector=0 is default.
unsigned StackProtectorLevel = 0; unsigned StackProtectorLevel = 0;
if (Arg *A = Args.getLastArg(options::OPT_fno_stack_protector, if (getToolChain().getSanitizerArgs().needsSafeStackRt()) {
Args.ClaimAllArgs(options::OPT_fno_stack_protector);
Args.ClaimAllArgs(options::OPT_fstack_protector_all);
Args.ClaimAllArgs(options::OPT_fstack_protector_strong);
Args.ClaimAllArgs(options::OPT_fstack_protector);
} else if (Arg *A = Args.getLastArg(options::OPT_fno_stack_protector,
options::OPT_fstack_protector_all, options::OPT_fstack_protector_all,
options::OPT_fstack_protector_strong, options::OPT_fstack_protector_strong,
options::OPT_fstack_protector)) { options::OPT_fstack_protector)) {
if (A->getOption().matches(options::OPT_fstack_protector)) { if (A->getOption().matches(options::OPT_fstack_protector)) {
StackProtectorLevel = std::max<unsigned>(LangOptions::SSPOn, StackProtectorLevel = std::max<unsigned>(LangOptions::SSPOn,
getToolChain().GetDefaultStackProtectorLevel(KernelOrKext)); getToolChain().GetDefaultStackProtectorLevel(KernelOrKext));
} else if (A->getOption().matches(options::OPT_fstack_protector_strong)) } else if (A->getOption().matches(options::OPT_fstack_protector_strong))
StackProtectorLevel = LangOptions::SSPStrong; StackProtectorLevel = LangOptions::SSPStrong;
▲ Show 20 LinesShow All 2,346 Lines▼ Show 20 Linesvoid darwin::Link::ConstructJob(Compilation &C, const JobAction &JA,
CmdArgs.push_back("-o"); CmdArgs.push_back("-o");
CmdArgs.push_back(Output.getFilename()); CmdArgs.push_back(Output.getFilename());
if (!Args.hasArg(options::OPT_nostdlib) && if (!Args.hasArg(options::OPT_nostdlib) &&
!Args.hasArg(options::OPT_nostartfiles)) !Args.hasArg(options::OPT_nostartfiles))
getMachOToolChain().addStartObjectFileArgs(Args, CmdArgs); getMachOToolChain().addStartObjectFileArgs(Args, CmdArgs);
// SafeStack requires its own runtime libraries
// These libraries should be linked first, to make sure the
// __safestack_init constructor executes before everything else
if (getToolChain().getSanitizerArgs().needsSafeStackRt()) {
getMachOToolChain().AddLinkRuntimeLib(Args, CmdArgs,
"libclang_rt.safestack_osx.a",
/*AlwaysLink=*/true);
}
Args.AddAllArgs(CmdArgs, options::OPT_L); Args.AddAllArgs(CmdArgs, options::OPT_L);
if (Args.hasFlag(options::OPT_fopenmp, options::OPT_fopenmp_EQ, if (Args.hasFlag(options::OPT_fopenmp, options::OPT_fopenmp_EQ,
options::OPT_fno_openmp, false)) { options::OPT_fno_openmp, false)) {
switch (getOpenMPRuntime(getToolChain(), Args)) { switch (getOpenMPRuntime(getToolChain(), Args)) {
case OMPRT_OMP: case OMPRT_OMP:
CmdArgs.push_back("-lomp"); CmdArgs.push_back("-lomp");
break; break;
▲ Show 20 LinesShow All 2,689 LinesShow Last 20 Lines

cfe/trunk/lib/Lex/PPMacroExpansion.cpp

Show First 20 LinesShow All 1,184 Lines▼ Show 20 Lines return llvm::StringSwitch<bool>(Feature)
.Case("is_polymorphic", LangOpts.CPlusPlus) .Case("is_polymorphic", LangOpts.CPlusPlus)
.Case("is_sealed", LangOpts.MicrosoftExt) .Case("is_sealed", LangOpts.MicrosoftExt)
.Case("is_trivial", LangOpts.CPlusPlus) .Case("is_trivial", LangOpts.CPlusPlus)
.Case("is_trivially_assignable", LangOpts.CPlusPlus) .Case("is_trivially_assignable", LangOpts.CPlusPlus)
.Case("is_trivially_constructible", LangOpts.CPlusPlus) .Case("is_trivially_constructible", LangOpts.CPlusPlus)
.Case("is_trivially_copyable", LangOpts.CPlusPlus) .Case("is_trivially_copyable", LangOpts.CPlusPlus)
.Case("is_union", LangOpts.CPlusPlus) .Case("is_union", LangOpts.CPlusPlus)
.Case("modules", LangOpts.Modules) .Case("modules", LangOpts.Modules)
.Case("safe_stack", LangOpts.Sanitize.has(SanitizerKind::SafeStack))
.Case("tls", PP.getTargetInfo().isTLSSupported()) .Case("tls", PP.getTargetInfo().isTLSSupported())
.Case("underlying_type", LangOpts.CPlusPlus) .Case("underlying_type", LangOpts.CPlusPlus)
.Default(false); .Default(false);
} }
/// HasExtension - Return true if we recognize and implement the feature /// HasExtension - Return true if we recognize and implement the feature
/// specified by the identifier, either as an extension or a standard language /// specified by the identifier, either as an extension or a standard language
/// feature. /// feature.
▲ Show 20 LinesShow All 574 LinesShow Last 20 Lines

cfe/trunk/test/CodeGen/safestack-attr.cpp

// RUN: %clang_cc1 -triple x86_64-linux-unknown -emit-llvm -o - %s -fsanitize=safe-stack | FileCheck -check-prefix=SP %s
__attribute__((no_sanitize("safe-stack")))
int foo(int *a) { return *a; }
// SP-NOT: attributes #{{.*}} = { {{.*}}safestack{{.*}} }

cfe/trunk/test/CodeGen/stack-protector.c

// RUN: %clang_cc1 -emit-llvm -o - %s -stack-protector 0 | FileCheck -check-prefix=NOSSP %s // RUN: %clang_cc1 -emit-llvm -o - %s -stack-protector 0 | FileCheck -check-prefix=NOSSP %s
// NOSSP: define void @test1(i8* %msg) #0 { // NOSSP: define void @test1(i8* %msg) #0 {
// RUN: %clang_cc1 -emit-llvm -o - %s -stack-protector 1 | FileCheck -check-prefix=WITHSSP %s // RUN: %clang_cc1 -emit-llvm -o - %s -stack-protector 1 | FileCheck -check-prefix=WITHSSP %s
// WITHSSP: define void @test1(i8* %msg) #0 { // WITHSSP: define void @test1(i8* %msg) #0 {
// RUN: %clang_cc1 -emit-llvm -o - %s -stack-protector 2 | FileCheck -check-prefix=SSPSTRONG %s // RUN: %clang_cc1 -emit-llvm -o - %s -stack-protector 2 | FileCheck -check-prefix=SSPSTRONG %s
// SSPSTRONG: define void @test1(i8* %msg) #0 { // SSPSTRONG: define void @test1(i8* %msg) #0 {
// RUN: %clang_cc1 -emit-llvm -o - %s -stack-protector 3 | FileCheck -check-prefix=SSPREQ %s // RUN: %clang_cc1 -emit-llvm -o - %s -stack-protector 3 | FileCheck -check-prefix=SSPREQ %s
// SSPREQ: define void @test1(i8* %msg) #0 { // SSPREQ: define void @test1(i8* %msg) #0 {
// RUN: %clang_cc1 -emit-llvm -o - %s -fsanitize=safe-stack | FileCheck -check-prefix=SAFESTACK %s
// SAFESTACK: define void @test1(i8* %msg) #0 {
typedef __SIZE_TYPE__ size_t; typedef __SIZE_TYPE__ size_t;
int printf(const char * _Format, ...); int printf(const char * _Format, ...);
size_t strlen(const char *s); size_t strlen(const char *s);
char *strcpy(char *s1, const char *s2); char *strcpy(char *s1, const char *s2);
void test1(const char *msg) { void test1(const char *msg) {
char a[strlen(msg) + 1]; char a[strlen(msg) + 1];
strcpy(a, msg); strcpy(a, msg);
printf("%s\n", a); printf("%s\n", a);
} }
// NOSSP: attributes #{{.*}} = { nounwind{{.*}} } // NOSSP: attributes #{{.*}} = { nounwind{{.*}} }
// WITHSSP: attributes #{{.*}} = { nounwind ssp{{.*}} } // WITHSSP: attributes #{{.*}} = { nounwind ssp{{.*}} }
// SSPSTRONG: attributes #{{.*}} = { nounwind sspstrong{{.*}} } // SSPSTRONG: attributes #{{.*}} = { nounwind sspstrong{{.*}} }
// SSPREQ: attributes #{{.*}} = { nounwind sspreq{{.*}} } // SSPREQ: attributes #{{.*}} = { nounwind sspreq{{.*}} }
// SAFESTACK: attributes #{{.*}} = { nounwind safestack{{.*}} }

cfe/trunk/test/Driver/fsanitize.c

Show First 20 LinesShow All 210 Lines▼ Show 20 Lines
// RUN: %clang_cl -fsanitize=address -c -MT -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL // RUN: %clang_cl -fsanitize=address -c -MT -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL
// RUN: %clang_cl -fsanitize=address -c -MD -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL // RUN: %clang_cl -fsanitize=address -c -MD -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL
// RUN: %clang_cl -fsanitize=address -c -LD -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL // RUN: %clang_cl -fsanitize=address -c -LD -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL
// RUN: %clang_cl -fsanitize=address -c -MTd -MT -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL // RUN: %clang_cl -fsanitize=address -c -MTd -MT -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL
// RUN: %clang_cl -fsanitize=address -c -MDd -MD -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL // RUN: %clang_cl -fsanitize=address -c -MDd -MD -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL
// RUN: %clang_cl -fsanitize=address -c -LDd -LD -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL // RUN: %clang_cl -fsanitize=address -c -LDd -LD -### -- %s 2>&1 | FileCheck %s -check-prefix=CHECK-ASAN-RELEASERTL
// CHECK-ASAN-RELEASERTL-NOT: error: invalid argument // CHECK-ASAN-RELEASERTL-NOT: error: invalid argument
// RUN: %clang -fno-sanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=NOSP
// NOSP-NOT: "-fsanitize=safe-stack"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=SP
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address,safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=SP-ASAN
// RUN: %clang -target x86_64-linux-gnu -fstack-protector -fsanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=SP
// RUN: %clang -target x86_64-linux-gnu -fsanitize=safe-stack -fstack-protector-all -### %s 2>&1 | FileCheck %s -check-prefix=SP
// SP-NOT: stack-protector
// SP: "-fsanitize=safe-stack"
// SP-ASAN-NOT: stack-protector
// SP-ASAN: "-fsanitize=address,safe-stack"