This is an archive of the discontinued LLVM Phabricator instance.

Differential D71491

[ubsan] Check implicit casts in ObjC for-in statements
ClosedPublic

Authored by vsk on Dec 13 2019, 2:14 PM.

Details

Reviewers
rjmccall
jfb
arphaman
delcypher
Commits
rG8c4a65b9b2ca: [ubsan] Check implicit casts in ObjC for-in statements
Summary

Check that the implicit cast from id used to construct the element
variable in an ObjC for-in statement is valid.

This check is included as part of a new objc-cast sanitizer, outside
of the main 'undefined' group, as (IIUC) the behavior it's checking for
is not technically UB.

The check can be extended to cover other kinds of invalid casts in ObjC.

Partially addresses: rdar://12903059, rdar://9542496

Diff Detail

Event Timeline

vsk created this revision.Dec 13 2019, 2:14 PM
Herald added a project: Restricted Project. · View Herald TranscriptDec 13 2019, 2:14 PM
Herald added subscribers: llvm-commits, dexonsmith. · View Herald Transcript
delcypher added inline comments.Dec 13 2019, 9:22 PM
compiler-rt/lib/ubsan/ubsan_value.cpp
32

The compiler-rt codebase tends to use SANITIZER_MAC macro (defined to be 1 if Apple otherwise it's 0) rather than __APPLE__.

40

You might want some sort of lock here (or atomic variable) to ensure we don't race and try to dlopen() multiple times.

delcypher added inline comments.Dec 13 2019, 10:01 PM
clang/lib/Driver/ToolChain.cpp
953 ↗(On Diff #233881)

SanitizerKind::ObjCCast doesn't seem to fit the comment above. It is platform dependent (only really works for Apple platforms) and it does require runtime support (i.e. the Objective-C runtime).

vsk updated this revision to Diff 234136.Dec 16 2019, 1:35 PM
vsk marked 3 inline comments as done.

Address review feedback.

clang/lib/Driver/ToolChain.cpp
953 ↗(On Diff #233881)

The runtime dependency is optional, and there's nothing inherently Apple-specific about this check. However, perhaps it's best not to inadvertently advertise support for the GNU objc runtime before it's in tree.

compiler-rt/lib/ubsan/ubsan_value.cpp
32

I see. That seems problematic, as it makes it tricky to add macOS-specific (or iOS-specific) functionality down the road. I don't think SANITIZER_MAC should be defined unless TARGET_OS_MACOS is true.

40

Yes, thanks.

vsk updated this revision to Diff 234139.Dec 16 2019, 1:40 PM

Avoid a static initializer.

vsk updated this revision to Diff 234142.Dec 16 2019, 1:51 PM

Ignore an objc-cast report at a given SourceLocation after it's been reported once.

delcypher added inline comments.Dec 16 2019, 5:17 PM
compiler-rt/lib/ubsan/ubsan_value.cpp
32

Sorry I should clarify. SANITIZER_MAC is poorly named but it is defined to be 1 for Apple platforms and 0. I'm just pointing out the convention that exists today. You're absolutely right that we might want to do different things for different Apple platforms but I don't think we want to start doing a mass re-name until arm64e and arm64_32 support are completed landed in llvm's master.

vsk added inline comments.Dec 17 2019, 11:24 AM
compiler-rt/lib/ubsan/ubsan_value.cpp
32

I think 'SANITIZER_MAC' is confusing, and my preference would be to not use it. __APPLE__ seems clearer to me, and (IIUC) the plan is to replace usage of 'SANITIZER_MAC' with it down the line anyway?

delcypher added inline comments.Dec 20 2019, 2:12 PM
compiler-rt/lib/ubsan/ubsan_value.cpp
32

There aren't any plans to do it right now but cleaning this up seems like a reasonable thing to do. If you take a look at compiler-rt/lib/sanitizer_common/sanitizer_platform.h you'll see that we actually have SANITIZER_<platform> for the other platforms that seems to be set as you'd expect. It's just SANITIZER_MAC that's badly named.

I've filed a radar for this issue (rdar://problem/58124919). So if you prefer to use __APPLE__ could you leave a comment with something like

// TODO(dliew): Don't use unclear `SANITIZER_MAC` here. Instead wait for its replacement rdar://problem/58124919.

Note the TODO(<name>): style is enforced by the sanitizer specific linter so you have to put a name there.

vsk updated this revision to Diff 238393.Jan 15 2020, 4:39 PM
vsk marked an inline comment as done.
vsk added inline comments.
compiler-rt/lib/ubsan/ubsan_value.cpp
32

Thanks, done!

vsk added a comment.Feb 4 2020, 11:11 AM

Friendly ping.

delcypher added a comment.Feb 4 2020, 12:26 PM

@vsk The compiler-rt side seems fine to me but I'm not very familiar with the Clang side of things. @arphaman @jfb @rjmccall any thoughts?

vsk added subscribers: erik.pilkington, ahatanak.Feb 12 2020, 11:59 AM

+ Erik and Akira for IRgen expertise.

vsk updated this revision to Diff 271508.Jun 17 2020, 3:44 PM

Rebase.

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptJun 17 2020, 3:44 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster failed remote builds in B60725: Diff 271508!Jun 17 2020, 5:49 PM
ahatanak added inline comments.Jun 26 2020, 1:15 AM
clang/lib/CodeGen/CGObjC.cpp
1855

Can you use GetUnarySelector here?

1859

It looks like Args should be cleared before adding the argument. Or should the argument be added to IsKindOfClassArg?

vsk marked 2 inline comments as done.Jun 26 2020, 12:25 PM
vsk added inline comments.
clang/lib/CodeGen/CGObjC.cpp
1859

Thanks for catching this. The argument should be added to IsKindOfClassArg. This wasn't working correctly before: a leftover %struct.__objcFastEnumerationState* was included in the message-send. I've added a runtime test to ensure that the diagnostic does not fire when the implicit cast is correct.

vsk updated this revision to Diff 273815.Jun 26 2020, 12:29 PM

Use the IsKindOfClass CallArgList when emitting the check, and add a runtime test to ensure that an objc-cast diagnostic is not emitted on correct code.

Harbormaster failed remote builds in B61979: Diff 273815!Jun 26 2020, 1:41 PM
ahatanak added a comment.Jun 30 2020, 7:54 PM

Thank you, LGTM.

This revision was not accepted when it landed; it landed in state Needs Review.Jul 13 2020, 3:11 PM
Closed by commit rG8c4a65b9b2ca: [ubsan] Check implicit casts in ObjC for-in statements (authored by vsk). · Explain Why
This revision was automatically updated to reflect the committed changes.
vsk mentioned this in rG004bf35ba048: Update ubsan_interface.inc for D71491.Jul 13 2020, 3:40 PM
vsk mentioned this in rGa8694eb56258: Update ubsan_interface.inc for D71491 (second try).Jul 14 2020, 11:16 AM
JohnTitor mentioned this in D127407: [ubsan][docs] Clarify `objc-cast` is not part of `-fsanitize=undefined`.Jun 9 2022, 8:32 AM

Revision Contents

PathSize
clang/
docs/
4 lines
include/
clang/
Basic/
2 lines
lib/
CodeGen/
34 lines
1 line
Driver/
10 lines
ToolChains/
1 line
test/
CodeGenObjC/
17 lines
compiler-rt/
lib/
ubsan/
1 line
8 lines
31 lines
3 lines
48 lines
ubsan_minimal/
1 line
test/
ubsan/
TestCases/
Misc/
27 lines

Diff 277584

clang/docs/UndefinedBehaviorSanitizer.rst

Show First 20 LinesShow All 121 Lines▼ Show 20 LinesAvailable checks are:
- ``-fsanitize=null``: Use of a null pointer or creation of a null - ``-fsanitize=null``: Use of a null pointer or creation of a null
reference. reference.
- ``-fsanitize=nullability-arg``: Passing null as a function parameter - ``-fsanitize=nullability-arg``: Passing null as a function parameter
which is annotated with ``_Nonnull``. which is annotated with ``_Nonnull``.
- ``-fsanitize=nullability-assign``: Assigning null to an lvalue which - ``-fsanitize=nullability-assign``: Assigning null to an lvalue which
is annotated with ``_Nonnull``. is annotated with ``_Nonnull``.
- ``-fsanitize=nullability-return``: Returning null from a function with - ``-fsanitize=nullability-return``: Returning null from a function with
a return type annotated with ``_Nonnull``. a return type annotated with ``_Nonnull``.
- ``-fsanitize=objc-cast``: Invalid implicit cast of an ObjC object pointer
to an incompatible type. This is often unintentional, but is not undefined
behavior, therefore the check is not a part of the ``undefined`` group.
Currently only supported on Darwin.
- ``-fsanitize=object-size``: An attempt to potentially use bytes which - ``-fsanitize=object-size``: An attempt to potentially use bytes which
the optimizer can determine are not part of the object being accessed. the optimizer can determine are not part of the object being accessed.
This will also detect some types of undefined behavior that may not This will also detect some types of undefined behavior that may not
directly access memory, but are provably incorrect given the size of directly access memory, but are provably incorrect given the size of
the objects involved, such as invalid downcasts and calling methods on the objects involved, such as invalid downcasts and calling methods on
invalid pointers. These checks are made in terms of invalid pointers. These checks are made in terms of
``__builtin_object_size``, and consequently may be able to detect more ``__builtin_object_size``, and consequently may be able to detect more
problems at higher optimization levels. problems at higher optimization levels.
▲ Show 20 LinesShow All 222 LinesShow Last 20 Lines

clang/include/clang/Basic/Sanitizers.def

Show First 20 LinesShow All 150 Lines▼ Show 20 LinesSANITIZER_GROUP("implicit-integer-truncation", ImplicitIntegerTruncation,
ImplicitSignedIntegerTruncation) ImplicitSignedIntegerTruncation)
SANITIZER("implicit-integer-sign-change", ImplicitIntegerSignChange) SANITIZER("implicit-integer-sign-change", ImplicitIntegerSignChange)
SANITIZER_GROUP("implicit-integer-arithmetic-value-change", SANITIZER_GROUP("implicit-integer-arithmetic-value-change",
ImplicitIntegerArithmeticValueChange, ImplicitIntegerArithmeticValueChange,
ImplicitIntegerSignChange | ImplicitSignedIntegerTruncation) ImplicitIntegerSignChange | ImplicitSignedIntegerTruncation)
SANITIZER("objc-cast", ObjCCast)
// FIXME: // FIXME:
//SANITIZER_GROUP("implicit-integer-conversion", ImplicitIntegerConversion, //SANITIZER_GROUP("implicit-integer-conversion", ImplicitIntegerConversion,
// ImplicitIntegerArithmeticValueChange | // ImplicitIntegerArithmeticValueChange |
// ImplicitUnsignedIntegerTruncation) // ImplicitUnsignedIntegerTruncation)
//SANITIZER_GROUP("implicit-conversion", ImplicitConversion, //SANITIZER_GROUP("implicit-conversion", ImplicitConversion,
// ImplicitIntegerConversion) // ImplicitIntegerConversion)
SANITIZER_GROUP("implicit-conversion", ImplicitConversion, SANITIZER_GROUP("implicit-conversion", ImplicitConversion,
Show All 19 Lines

clang/lib/CodeGen/CGObjC.cpp

Show First 20 LinesShow All 1,830 Lines▼ Show 20 Lines llvm::Value *EnumStateItems =
Builder.CreateLoad(StateItemsPtr, "stateitems"); Builder.CreateLoad(StateItemsPtr, "stateitems");
// Fetch the value at the current index from the buffer. // Fetch the value at the current index from the buffer.
llvm::Value *CurrentItemPtr = llvm::Value *CurrentItemPtr =
Builder.CreateGEP(EnumStateItems, index, "currentitem.ptr"); Builder.CreateGEP(EnumStateItems, index, "currentitem.ptr");
llvm::Value *CurrentItem = llvm::Value *CurrentItem =
Builder.CreateAlignedLoad(CurrentItemPtr, getPointerAlign()); Builder.CreateAlignedLoad(CurrentItemPtr, getPointerAlign());
if (SanOpts.has(SanitizerKind::ObjCCast)) {
// Before using an item from the collection, check that the implicit cast
// from id to the element type is valid. This is done with instrumentation
// roughly corresponding to:
//
// if (![item isKindOfClass:expectedCls]) { /* emit diagnostic */ }
const ObjCObjectPointerType *ObjPtrTy =
elementType->getAsObjCInterfacePointerType();
const ObjCInterfaceType *InterfaceTy =
ObjPtrTy ? ObjPtrTy->getInterfaceType() : nullptr;
if (InterfaceTy) {
SanitizerScope SanScope(this);
auto &C = CGM.getContext();
assert(InterfaceTy->getDecl() && "No decl for ObjC interface type");
Selector IsKindOfClassSel = GetUnarySelector("isKindOfClass", C);
CallArgList IsKindOfClassArgs;
llvm::Value *Cls =
ahatanakUnsubmitted
Done
ReplyInline Actions

Can you use GetUnarySelector here?

ahatanak: Can you use `GetUnarySelector` here?
CGM.getObjCRuntime().GetClass(*this, InterfaceTy->getDecl());
IsKindOfClassArgs.add(RValue::get(Cls), C.getObjCClassType());
llvm::Value *IsClass =
CGM.getObjCRuntime()
ahatanakUnsubmitted
Not Done
ReplyInline Actions

It looks like Args should be cleared before adding the argument. Or should the argument be added to IsKindOfClassArg?

ahatanak: It looks like `Args` should be cleared before adding the argument. Or should the argument be…
vskAuthorUnsubmitted
Done
ReplyInline Actions

Thanks for catching this. The argument should be added to IsKindOfClassArg. This wasn't working correctly before: a leftover %struct.__objcFastEnumerationState* was included in the message-send. I've added a runtime test to ensure that the diagnostic does not fire when the implicit cast is correct.

vsk: Thanks for catching this. The argument should be added to `IsKindOfClassArg`. This wasn't…
.GenerateMessageSend(*this, ReturnValueSlot(), C.BoolTy,
IsKindOfClassSel, CurrentItem,
IsKindOfClassArgs)
.getScalarVal();
llvm::Constant *StaticData[] = {
EmitCheckSourceLocation(S.getBeginLoc()),
EmitCheckTypeDescriptor(QualType(InterfaceTy, 0))};
EmitCheck({{IsClass, SanitizerKind::ObjCCast}},
SanitizerHandler::InvalidObjCCast,
ArrayRef<llvm::Constant *>(StaticData), CurrentItem);
}
}
// Cast that value to the right type. // Cast that value to the right type.
CurrentItem = Builder.CreateBitCast(CurrentItem, convertedElementType, CurrentItem = Builder.CreateBitCast(CurrentItem, convertedElementType,
"currentitem"); "currentitem");
// Make sure we have an l-value. Yes, this gets evaluated every // Make sure we have an l-value. Yes, this gets evaluated every
// time through the loop. // time through the loop.
if (!elementIsVariable) { if (!elementIsVariable) {
elementLValue = EmitLValue(cast<Expr>(S.getElement())); elementLValue = EmitLValue(cast<Expr>(S.getElement()));
▲ Show 20 LinesShow All 1,920 LinesShow Last 20 Lines

clang/lib/CodeGen/CodeGenFunction.h

Show First 20 LinesShow All 118 Lines▼ Show 20 Lines#define LIST_SANITIZER_CHECKS \
SANITIZER_CHECK(BuiltinUnreachable, builtin_unreachable, 0) \ SANITIZER_CHECK(BuiltinUnreachable, builtin_unreachable, 0) \
SANITIZER_CHECK(CFICheckFail, cfi_check_fail, 0) \ SANITIZER_CHECK(CFICheckFail, cfi_check_fail, 0) \
SANITIZER_CHECK(DivremOverflow, divrem_overflow, 0) \ SANITIZER_CHECK(DivremOverflow, divrem_overflow, 0) \
SANITIZER_CHECK(DynamicTypeCacheMiss, dynamic_type_cache_miss, 0) \ SANITIZER_CHECK(DynamicTypeCacheMiss, dynamic_type_cache_miss, 0) \
SANITIZER_CHECK(FloatCastOverflow, float_cast_overflow, 0) \ SANITIZER_CHECK(FloatCastOverflow, float_cast_overflow, 0) \
SANITIZER_CHECK(FunctionTypeMismatch, function_type_mismatch, 1) \ SANITIZER_CHECK(FunctionTypeMismatch, function_type_mismatch, 1) \
SANITIZER_CHECK(ImplicitConversion, implicit_conversion, 0) \ SANITIZER_CHECK(ImplicitConversion, implicit_conversion, 0) \
SANITIZER_CHECK(InvalidBuiltin, invalid_builtin, 0) \ SANITIZER_CHECK(InvalidBuiltin, invalid_builtin, 0) \
SANITIZER_CHECK(InvalidObjCCast, invalid_objc_cast, 0) \
SANITIZER_CHECK(LoadInvalidValue, load_invalid_value, 0) \ SANITIZER_CHECK(LoadInvalidValue, load_invalid_value, 0) \
SANITIZER_CHECK(MissingReturn, missing_return, 0) \ SANITIZER_CHECK(MissingReturn, missing_return, 0) \
SANITIZER_CHECK(MulOverflow, mul_overflow, 0) \ SANITIZER_CHECK(MulOverflow, mul_overflow, 0) \
SANITIZER_CHECK(NegateOverflow, negate_overflow, 0) \ SANITIZER_CHECK(NegateOverflow, negate_overflow, 0) \
SANITIZER_CHECK(NullabilityArg, nullability_arg, 0) \ SANITIZER_CHECK(NullabilityArg, nullability_arg, 0) \
SANITIZER_CHECK(NullabilityReturn, nullability_return, 1) \ SANITIZER_CHECK(NullabilityReturn, nullability_return, 1) \
SANITIZER_CHECK(NonnullArg, nonnull_arg, 0) \ SANITIZER_CHECK(NonnullArg, nonnull_arg, 0) \
SANITIZER_CHECK(NonnullReturn, nonnull_return, 1) \ SANITIZER_CHECK(NonnullReturn, nonnull_return, 1) \
▲ Show 20 LinesShow All 4,572 LinesShow Last 20 Lines

clang/lib/Driver/SanitizerArgs.cpp

Show All 21 Lines
using namespace clang; using namespace clang;
using namespace clang::driver; using namespace clang::driver;
using namespace llvm::opt; using namespace llvm::opt;
static const SanitizerMask NeedsUbsanRt = static const SanitizerMask NeedsUbsanRt =
SanitizerKind::Undefined | SanitizerKind::Integer | SanitizerKind::Undefined | SanitizerKind::Integer |
SanitizerKind::ImplicitConversion | SanitizerKind::Nullability | SanitizerKind::ImplicitConversion | SanitizerKind::Nullability |
SanitizerKind::CFI | SanitizerKind::FloatDivideByZero; SanitizerKind::CFI | SanitizerKind::FloatDivideByZero |
SanitizerKind::ObjCCast;
static const SanitizerMask NeedsUbsanCxxRt = static const SanitizerMask NeedsUbsanCxxRt =
SanitizerKind::Vptr | SanitizerKind::CFI; SanitizerKind::Vptr | SanitizerKind::CFI;
static const SanitizerMask NotAllowedWithTrap = SanitizerKind::Vptr; static const SanitizerMask NotAllowedWithTrap = SanitizerKind::Vptr;
static const SanitizerMask NotAllowedWithMinimalRuntime = static const SanitizerMask NotAllowedWithMinimalRuntime =
SanitizerKind::Function | SanitizerKind::Vptr; SanitizerKind::Function | SanitizerKind::Vptr;
static const SanitizerMask RequiresPIE = static const SanitizerMask RequiresPIE =
SanitizerKind::DataFlow | SanitizerKind::HWAddress | SanitizerKind::Scudo; SanitizerKind::DataFlow | SanitizerKind::HWAddress | SanitizerKind::Scudo;
static const SanitizerMask NeedsUnwindTables = static const SanitizerMask NeedsUnwindTables =
SanitizerKind::Address | SanitizerKind::HWAddress | SanitizerKind::Thread | SanitizerKind::Address | SanitizerKind::HWAddress | SanitizerKind::Thread |
SanitizerKind::Memory | SanitizerKind::DataFlow; SanitizerKind::Memory | SanitizerKind::DataFlow;
static const SanitizerMask SupportsCoverage = static const SanitizerMask SupportsCoverage =
SanitizerKind::Address | SanitizerKind::HWAddress | SanitizerKind::Address | SanitizerKind::HWAddress |
SanitizerKind::KernelAddress | SanitizerKind::KernelHWAddress | SanitizerKind::KernelAddress | SanitizerKind::KernelHWAddress |
SanitizerKind::MemTag | SanitizerKind::Memory | SanitizerKind::MemTag | SanitizerKind::Memory |
SanitizerKind::KernelMemory | SanitizerKind::Leak | SanitizerKind::KernelMemory | SanitizerKind::Leak |
SanitizerKind::Undefined | SanitizerKind::Integer | SanitizerKind::Bounds | SanitizerKind::Undefined | SanitizerKind::Integer | SanitizerKind::Bounds |
SanitizerKind::ImplicitConversion | SanitizerKind::Nullability | SanitizerKind::ImplicitConversion | SanitizerKind::Nullability |
SanitizerKind::DataFlow | SanitizerKind::Fuzzer | SanitizerKind::DataFlow | SanitizerKind::Fuzzer |
SanitizerKind::FuzzerNoLink | SanitizerKind::FloatDivideByZero | SanitizerKind::FuzzerNoLink | SanitizerKind::FloatDivideByZero |
SanitizerKind::SafeStack | SanitizerKind::ShadowCallStack | SanitizerKind::SafeStack | SanitizerKind::ShadowCallStack |
SanitizerKind::Thread; SanitizerKind::Thread | SanitizerKind::ObjCCast;
static const SanitizerMask RecoverableByDefault = static const SanitizerMask RecoverableByDefault =
SanitizerKind::Undefined | SanitizerKind::Integer | SanitizerKind::Undefined | SanitizerKind::Integer |
SanitizerKind::ImplicitConversion | SanitizerKind::Nullability | SanitizerKind::ImplicitConversion | SanitizerKind::Nullability |
SanitizerKind::FloatDivideByZero; SanitizerKind::FloatDivideByZero | SanitizerKind::ObjCCast;
static const SanitizerMask Unrecoverable = static const SanitizerMask Unrecoverable =
SanitizerKind::Unreachable | SanitizerKind::Return; SanitizerKind::Unreachable | SanitizerKind::Return;
static const SanitizerMask AlwaysRecoverable = static const SanitizerMask AlwaysRecoverable =
SanitizerKind::KernelAddress | SanitizerKind::KernelHWAddress; SanitizerKind::KernelAddress | SanitizerKind::KernelHWAddress;
static const SanitizerMask NeedsLTO = SanitizerKind::CFI; static const SanitizerMask NeedsLTO = SanitizerKind::CFI;
static const SanitizerMask TrappingSupported = static const SanitizerMask TrappingSupported =
(SanitizerKind::Undefined & ~SanitizerKind::Vptr) | (SanitizerKind::Undefined & ~SanitizerKind::Vptr) |
SanitizerKind::UnsignedIntegerOverflow | SanitizerKind::ImplicitConversion | SanitizerKind::UnsignedIntegerOverflow | SanitizerKind::ImplicitConversion |
SanitizerKind::Nullability | SanitizerKind::LocalBounds | SanitizerKind::Nullability | SanitizerKind::LocalBounds |
SanitizerKind::CFI | SanitizerKind::FloatDivideByZero; SanitizerKind::CFI | SanitizerKind::FloatDivideByZero |
SanitizerKind::ObjCCast;
static const SanitizerMask TrappingDefault = SanitizerKind::CFI; static const SanitizerMask TrappingDefault = SanitizerKind::CFI;
static const SanitizerMask CFIClasses = static const SanitizerMask CFIClasses =
SanitizerKind::CFIVCall | SanitizerKind::CFINVCall | SanitizerKind::CFIVCall | SanitizerKind::CFINVCall |
SanitizerKind::CFIMFCall | SanitizerKind::CFIDerivedCast | SanitizerKind::CFIMFCall | SanitizerKind::CFIDerivedCast |
SanitizerKind::CFIUnrelatedCast; SanitizerKind::CFIUnrelatedCast;
static const SanitizerMask CompatibleWithMinimalRuntime = static const SanitizerMask CompatibleWithMinimalRuntime =
TrappingSupported | SanitizerKind::Scudo | SanitizerKind::ShadowCallStack | TrappingSupported | SanitizerKind::Scudo | SanitizerKind::ShadowCallStack |
SanitizerKind::MemTag; SanitizerKind::MemTag;
▲ Show 20 LinesShow All 1,124 LinesShow Last 20 Lines

clang/lib/Driver/ToolChains/Darwin.cpp

Show First 20 LinesShow All 2,715 Lines▼ Show 20 LinesSanitizerMask Darwin::getSupportedSanitizers() const {
SanitizerMask Res = ToolChain::getSupportedSanitizers(); SanitizerMask Res = ToolChain::getSupportedSanitizers();
Res |= SanitizerKind::Address; Res |= SanitizerKind::Address;
Res |= SanitizerKind::PointerCompare; Res |= SanitizerKind::PointerCompare;
Res |= SanitizerKind::PointerSubtract; Res |= SanitizerKind::PointerSubtract;
Res |= SanitizerKind::Leak; Res |= SanitizerKind::Leak;
Res |= SanitizerKind::Fuzzer; Res |= SanitizerKind::Fuzzer;
Res |= SanitizerKind::FuzzerNoLink; Res |= SanitizerKind::FuzzerNoLink;
Res |= SanitizerKind::Function; Res |= SanitizerKind::Function;
Res |= SanitizerKind::ObjCCast;
// Prior to 10.9, macOS shipped a version of the C++ standard library without // Prior to 10.9, macOS shipped a version of the C++ standard library without
// C++11 support. The same is true of iOS prior to version 5. These OS'es are // C++11 support. The same is true of iOS prior to version 5. These OS'es are
// incompatible with -fsanitize=vptr. // incompatible with -fsanitize=vptr.
if (!(isTargetMacOS() && isMacosxVersionLT(10, 9)) if (!(isTargetMacOS() && isMacosxVersionLT(10, 9))
&& !(isTargetIPhoneOS() && isIPhoneOSVersionLT(5, 0))) && !(isTargetIPhoneOS() && isIPhoneOSVersionLT(5, 0)))
Res |= SanitizerKind::Vptr; Res |= SanitizerKind::Vptr;
Show All 14 Lines

clang/test/CodeGenObjC/for-in.m

// RUN: %clang_cc1 -emit-llvm %s -o %t // RUN: %clang_cc1 %s -verify -o /dev/null
// RUN: %clang_cc1 %s -triple x86_64-apple-darwin -emit-llvm -fsanitize=objc-cast -o - | FileCheck %s
void p(const char*, ...); void p(const char*, ...);
@interface NSArray @interface NSArray
+(NSArray*) arrayWithObjects: (id) first, ...; +(NSArray*) arrayWithObjects: (id) first, ...;
-(unsigned) count; -(unsigned) count;
@end @end
@interface NSString @interface NSString
-(const char*) cString; -(const char*) cString;
@end @end
#define S(n) @#n #define S(n) @#n
#define L1(n) S(n+0),S(n+1) #define L1(n) S(n+0),S(n+1)
#define L2(n) L1(n+0),L1(n+2) #define L2(n) L1(n+0),L1(n+2)
#define L3(n) L2(n+0),L2(n+4) #define L3(n) L2(n+0),L2(n+4)
#define L4(n) L3(n+0),L3(n+8) #define L4(n) L3(n+0),L3(n+8)
#define L5(n) L4(n+0),L4(n+16) #define L5(n) L4(n+0),L4(n+16)
#define L6(n) L5(n+0),L5(n+32) #define L6(n) L5(n+0),L5(n+32)
// CHECK-LABEL: define void @t0
void t0() { void t0() {
NSArray *array = [NSArray arrayWithObjects: L1(0), (void*)0]; NSArray *array = [NSArray arrayWithObjects: L1(0), (void*)0];
p("array.length: %d\n", [array count]); p("array.length: %d\n", [array count]);
unsigned index = 0; unsigned index = 0;
for (NSString *i in array) { // expected-warning {{collection expression type 'NSArray *' may not respond}} for (NSString *i in array) { // expected-warning {{collection expression type 'NSArray *' may not respond}}
// CHECK: [[expectedCls:%.*]] = load %struct._class_t*, {{.*}}, !nosanitize
// CHECK-NEXT: [[kindOfClassSel:%.*]] = load i8*, i8** @OBJC_SELECTOR_REFERENCES{{.*}}, !nosanitize
// CHECK-NEXT: [[expectedClsI8:%.*]] = bitcast %struct._class_t* [[expectedCls]] to i8*, !nosanitize
// CHECK-NEXT: [[isCls:%.*]] = call zeroext i1 bitcast {{.*}}@objc_msgSend to i1 (i8*, i8*, {{.*}})(i8* [[theItem:%.*]], i8* [[kindOfClassSel]], i8* [[expectedClsI8]]), !nosanitize
// CHECK: br i1 [[isCls]]
// CHECK: ptrtoint i8* [[theItem]] to i64, !nosanitize
// CHECK-NEXT: call void @__ubsan_handle_invalid_objc_cast
// CHECK-NEXT: unreachable, !nosanitize
// CHECK: bitcast i8* [[theItem]]
p("element %d: %s\n", index++, [i cString]); p("element %d: %s\n", index++, [i cString]);
} }
} }
void t1() { void t1() {
NSArray *array = [NSArray arrayWithObjects: L6(0), (void*)0]; NSArray *array = [NSArray arrayWithObjects: L6(0), (void*)0];
p("array.length: %d\n", [array count]); p("array.length: %d\n", [array count]);
Show All 16 Lines

compiler-rt/lib/ubsan/ubsan_checks.inc

Show All 31 Lines
UBSAN_CHECK(SignedIntegerOverflow, "signed-integer-overflow", UBSAN_CHECK(SignedIntegerOverflow, "signed-integer-overflow",
"signed-integer-overflow") "signed-integer-overflow")
UBSAN_CHECK(UnsignedIntegerOverflow, "unsigned-integer-overflow", UBSAN_CHECK(UnsignedIntegerOverflow, "unsigned-integer-overflow",
"unsigned-integer-overflow") "unsigned-integer-overflow")
UBSAN_CHECK(IntegerDivideByZero, "integer-divide-by-zero", UBSAN_CHECK(IntegerDivideByZero, "integer-divide-by-zero",
"integer-divide-by-zero") "integer-divide-by-zero")
UBSAN_CHECK(FloatDivideByZero, "float-divide-by-zero", "float-divide-by-zero") UBSAN_CHECK(FloatDivideByZero, "float-divide-by-zero", "float-divide-by-zero")
UBSAN_CHECK(InvalidBuiltin, "invalid-builtin-use", "invalid-builtin-use") UBSAN_CHECK(InvalidBuiltin, "invalid-builtin-use", "invalid-builtin-use")
UBSAN_CHECK(InvalidObjCCast, "invalid-objc-cast", "invalid-objc-cast")
UBSAN_CHECK(ImplicitUnsignedIntegerTruncation, UBSAN_CHECK(ImplicitUnsignedIntegerTruncation,
"implicit-unsigned-integer-truncation", "implicit-unsigned-integer-truncation",
"implicit-unsigned-integer-truncation") "implicit-unsigned-integer-truncation")
UBSAN_CHECK(ImplicitSignedIntegerTruncation, UBSAN_CHECK(ImplicitSignedIntegerTruncation,
"implicit-signed-integer-truncation", "implicit-signed-integer-truncation",
"implicit-signed-integer-truncation") "implicit-signed-integer-truncation")
UBSAN_CHECK(ImplicitIntegerSignChange, UBSAN_CHECK(ImplicitIntegerSignChange,
"implicit-integer-sign-change", "implicit-integer-sign-change",
Show All 23 Lines

compiler-rt/lib/ubsan/ubsan_handlers.h

Show First 20 LinesShow All 162 Lines▼ Show 20 Lines
struct InvalidBuiltinData { struct InvalidBuiltinData {
SourceLocation Loc; SourceLocation Loc;
unsigned char Kind; unsigned char Kind;
}; };
/// Handle a builtin called in an invalid way. /// Handle a builtin called in an invalid way.
RECOVERABLE(invalid_builtin, InvalidBuiltinData *Data) RECOVERABLE(invalid_builtin, InvalidBuiltinData *Data)
struct InvalidObjCCast {
SourceLocation Loc;
const TypeDescriptor &ExpectedType;
};
/// Handle an invalid ObjC cast.
RECOVERABLE(invalid_objc_cast, InvalidObjCCast *Data, ValueHandle Pointer)
struct NonNullReturnData { struct NonNullReturnData {
SourceLocation AttrLoc; SourceLocation AttrLoc;
}; };
/// \brief Handle returning null from function with the returns_nonnull /// \brief Handle returning null from function with the returns_nonnull
/// attribute, or a return type annotated with _Nonnull. /// attribute, or a return type annotated with _Nonnull.
RECOVERABLE(nonnull_return_v1, NonNullReturnData *Data, SourceLocation *Loc) RECOVERABLE(nonnull_return_v1, NonNullReturnData *Data, SourceLocation *Loc)
RECOVERABLE(nullability_return_v1, NonNullReturnData *Data, SourceLocation *Loc) RECOVERABLE(nullability_return_v1, NonNullReturnData *Data, SourceLocation *Loc)
▲ Show 20 LinesShow All 50 LinesShow Last 20 Lines

compiler-rt/lib/ubsan/ubsan_handlers.cpp

Show All 10 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ubsan_platform.h" #include "ubsan_platform.h"
#if CAN_SANITIZE_UB #if CAN_SANITIZE_UB
#include "ubsan_handlers.h" #include "ubsan_handlers.h"
#include "ubsan_diag.h" #include "ubsan_diag.h"
#include "ubsan_flags.h" #include "ubsan_flags.h"
#include "ubsan_monitor.h" #include "ubsan_monitor.h"
#include "ubsan_value.h"
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
using namespace __sanitizer; using namespace __sanitizer;
using namespace __ubsan; using namespace __ubsan;
namespace __ubsan { namespace __ubsan {
bool ignoreReport(SourceLocation SLoc, ReportOptions Opts, ErrorType ET) { bool ignoreReport(SourceLocation SLoc, ReportOptions Opts, ErrorType ET) {
▲ Show 20 LinesShow All 608 Lines▼ Show 20 Linesvoid __ubsan::__ubsan_handle_invalid_builtin(InvalidBuiltinData *Data) {
handleInvalidBuiltin(Data, Opts); handleInvalidBuiltin(Data, Opts);
} }
void __ubsan::__ubsan_handle_invalid_builtin_abort(InvalidBuiltinData *Data) { void __ubsan::__ubsan_handle_invalid_builtin_abort(InvalidBuiltinData *Data) {
GET_REPORT_OPTIONS(true); GET_REPORT_OPTIONS(true);
handleInvalidBuiltin(Data, Opts); handleInvalidBuiltin(Data, Opts);
Die(); Die();
} }
static void handleInvalidObjCCast(InvalidObjCCast *Data, ValueHandle Pointer,
ReportOptions Opts) {
SourceLocation Loc = Data->Loc.acquire();
ErrorType ET = ErrorType::InvalidObjCCast;
if (ignoreReport(Loc, Opts, ET))
return;
ScopedReport R(Opts, Loc, ET);
const char *GivenClass = getObjCClassName(Pointer);
const char *GivenClassStr = GivenClass ? GivenClass : "<unknown type>";
Diag(Loc, DL_Error, ET,
"invalid ObjC cast, object is a '%0', but expected a %1")
<< GivenClassStr << Data->ExpectedType;
}
void __ubsan::__ubsan_handle_invalid_objc_cast(InvalidObjCCast *Data,
ValueHandle Pointer) {
GET_REPORT_OPTIONS(false);
handleInvalidObjCCast(Data, Pointer, Opts);
}
void __ubsan::__ubsan_handle_invalid_objc_cast_abort(InvalidObjCCast *Data,
ValueHandle Pointer) {
GET_REPORT_OPTIONS(true);
handleInvalidObjCCast(Data, Pointer, Opts);
Die();
}
static void handleNonNullReturn(NonNullReturnData *Data, SourceLocation *LocPtr, static void handleNonNullReturn(NonNullReturnData *Data, SourceLocation *LocPtr,
ReportOptions Opts, bool IsAttr) { ReportOptions Opts, bool IsAttr) {
if (!LocPtr) if (!LocPtr)
UNREACHABLE("source location pointer is null!"); UNREACHABLE("source location pointer is null!");
SourceLocation Loc = LocPtr->acquire(); SourceLocation Loc = LocPtr->acquire();
ErrorType ET = IsAttr ? ErrorType::InvalidNullReturn ErrorType ET = IsAttr ? ErrorType::InvalidNullReturn
: ErrorType::InvalidNullReturnWithNullability; : ErrorType::InvalidNullReturnWithNullability;
▲ Show 20 LinesShow All 237 LinesShow Last 20 Lines

compiler-rt/lib/ubsan/ubsan_value.h

Show First 20 LinesShow All 129 Lines▼ Show 20 Lines unsigned getFloatBitWidth() const {
CHECK(isFloatTy()); CHECK(isFloatTy());
return TypeInfo; return TypeInfo;
} }
}; };
/// \brief An opaque handle to a value. /// \brief An opaque handle to a value.
typedef uptr ValueHandle; typedef uptr ValueHandle;
/// Returns the class name of the given ObjC object, or null if the name
/// cannot be found.
const char *getObjCClassName(ValueHandle Pointer);
/// \brief Representation of an operand value provided by the instrumented code. /// \brief Representation of an operand value provided by the instrumented code.
/// ///
/// This is a combination of a TypeDescriptor (which is emitted as constant data /// This is a combination of a TypeDescriptor (which is emitted as constant data
/// as an operand to a handler function) and a ValueHandle (which is passed at /// as an operand to a handler function) and a ValueHandle (which is passed at
/// runtime when a check failure occurs). /// runtime when a check failure occurs).
class Value { class Value {
/// The type of the value. /// The type of the value.
▲ Show 20 LinesShow All 51 LinesShow Last 20 Lines

compiler-rt/lib/ubsan/ubsan_value.cpp

Show All 10 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ubsan_platform.h" #include "ubsan_platform.h"
#if CAN_SANITIZE_UB #if CAN_SANITIZE_UB
#include "ubsan_value.h" #include "ubsan_value.h"
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_libc.h" #include "sanitizer_common/sanitizer_libc.h"
#include "sanitizer_common/sanitizer_mutex.h"
// TODO(dliew): Prefer '__APPLE__' here over 'SANITIZER_MAC', as the latter is
// unclear. rdar://58124919 tracks using a more obviously portable guard.
#if defined(__APPLE__)
#include <dlfcn.h>
#endif
using namespace __ubsan; using namespace __ubsan;
typedef const char *(*ObjCGetClassNameTy)(void *);
const char *__ubsan::getObjCClassName(ValueHandle Pointer) {
#if defined(__APPLE__)
delcypherUnsubmitted
Not Done
ReplyInline Actions

The compiler-rt codebase tends to use SANITIZER_MAC macro (defined to be 1 if Apple otherwise it's 0) rather than __APPLE__.

delcypher: The compiler-rt codebase tends to use `SANITIZER_MAC` macro (defined to be 1 if Apple otherwise…
vskAuthorUnsubmitted
Done
ReplyInline Actions

I see. That seems problematic, as it makes it tricky to add macOS-specific (or iOS-specific) functionality down the road. I don't think SANITIZER_MAC should be defined unless TARGET_OS_MACOS is true.

vsk: I see. That seems problematic, as it makes it tricky to add macOS-specific (or iOS-specific)…
delcypherUnsubmitted
Not Done
ReplyInline Actions

Sorry I should clarify. SANITIZER_MAC is poorly named but it is defined to be 1 for Apple platforms and 0. I'm just pointing out the convention that exists today. You're absolutely right that we might want to do different things for different Apple platforms but I don't think we want to start doing a mass re-name until arm64e and arm64_32 support are completed landed in llvm's master.

delcypher: Sorry I should clarify. `SANITIZER_MAC` is poorly named but it is defined to be `1` for Apple…
vskAuthorUnsubmitted
Not Done
ReplyInline Actions

I think 'SANITIZER_MAC' is confusing, and my preference would be to not use it. __APPLE__ seems clearer to me, and (IIUC) the plan is to replace usage of 'SANITIZER_MAC' with it down the line anyway?

vsk: I think 'SANITIZER_MAC' is confusing, and my preference would be to not use it. `__APPLE__`…
delcypherUnsubmitted
Not Done
ReplyInline Actions

There aren't any plans to do it right now but cleaning this up seems like a reasonable thing to do. If you take a look at compiler-rt/lib/sanitizer_common/sanitizer_platform.h you'll see that we actually have SANITIZER_<platform> for the other platforms that seems to be set as you'd expect. It's just SANITIZER_MAC that's badly named.

I've filed a radar for this issue (rdar://problem/58124919). So if you prefer to use __APPLE__ could you leave a comment with something like

// TODO(dliew): Don't use unclear `SANITIZER_MAC` here. Instead wait for its replacement rdar://problem/58124919.

Note the TODO(<name>): style is enforced by the sanitizer specific linter so you have to put a name there.

delcypher: There aren't any plans to do it right now but cleaning this up seems like a reasonable thing to…
vskAuthorUnsubmitted
Done
ReplyInline Actions

Thanks, done!

vsk: Thanks, done!
// We need to query the ObjC runtime for some information, but do not want
// to introduce a static dependency from the ubsan runtime onto ObjC. Try to
// grab a handle to the ObjC runtime used by the process.
static bool AttemptedDlopen = false;
static void *ObjCHandle = nullptr;
static void *ObjCObjectGetClassName = nullptr;
// Prevent threads from racing to dlopen().
delcypherUnsubmitted
Not Done
ReplyInline Actions

You might want some sort of lock here (or atomic variable) to ensure we don't race and try to dlopen() multiple times.

delcypher: You might want some sort of lock here (or atomic variable) to ensure we don't race and try to…
vskAuthorUnsubmitted
Done
ReplyInline Actions

Yes, thanks.

vsk: Yes, thanks.
static __sanitizer::StaticSpinMutex Lock;
{
__sanitizer::SpinMutexLock Guard(&Lock);
if (!AttemptedDlopen) {
ObjCHandle = dlopen(
"/usr/lib/libobjc.A.dylib",
RTLD_LAZY // Only bind symbols when used.
| RTLD_LOCAL // Only make symbols available via the handle.
| RTLD_NOLOAD // Do not load the dylib, just grab a handle if the
// image is already loaded.
| RTLD_FIRST // Only search the image pointed-to by the handle.
);
AttemptedDlopen = true;
if (!ObjCHandle)
return nullptr;
ObjCObjectGetClassName = dlsym(ObjCHandle, "object_getClassName");
}
}
if (!ObjCObjectGetClassName)
return nullptr;
return ObjCGetClassNameTy(ObjCObjectGetClassName)((void *)Pointer);
#else
return nullptr;
#endif
}
SIntMax Value::getSIntValue() const { SIntMax Value::getSIntValue() const {
CHECK(getType().isSignedIntegerTy()); CHECK(getType().isSignedIntegerTy());
if (isInlineInt()) { if (isInlineInt()) {
// Val was zero-extended to ValueHandle. Sign-extend from original width // Val was zero-extended to ValueHandle. Sign-extend from original width
// to SIntMax. // to SIntMax.
const unsigned ExtraBits = const unsigned ExtraBits =
sizeof(SIntMax) * 8 - getType().getIntegerBitWidth(); sizeof(SIntMax) * 8 - getType().getIntegerBitWidth();
return SIntMax(Val) << ExtraBits >> ExtraBits; return SIntMax(Val) << ExtraBits >> ExtraBits;
▲ Show 20 LinesShow All 83 LinesShow Last 20 Lines

compiler-rt/lib/ubsan_minimal/ubsan_minimal_handlers.cpp

Show First 20 LinesShow All 103 Lines▼ Show 20 Lines
HANDLER(shift_out_of_bounds, "shift-out-of-bounds") HANDLER(shift_out_of_bounds, "shift-out-of-bounds")
HANDLER(out_of_bounds, "out-of-bounds") HANDLER(out_of_bounds, "out-of-bounds")
HANDLER_RECOVER(builtin_unreachable, "builtin-unreachable") HANDLER_RECOVER(builtin_unreachable, "builtin-unreachable")
HANDLER_RECOVER(missing_return, "missing-return") HANDLER_RECOVER(missing_return, "missing-return")
HANDLER(vla_bound_not_positive, "vla-bound-not-positive") HANDLER(vla_bound_not_positive, "vla-bound-not-positive")
HANDLER(float_cast_overflow, "float-cast-overflow") HANDLER(float_cast_overflow, "float-cast-overflow")
HANDLER(load_invalid_value, "load-invalid-value") HANDLER(load_invalid_value, "load-invalid-value")
HANDLER(invalid_builtin, "invalid-builtin") HANDLER(invalid_builtin, "invalid-builtin")
HANDLER(invalid_objc_cast, "invalid-objc-cast")
HANDLER(function_type_mismatch, "function-type-mismatch") HANDLER(function_type_mismatch, "function-type-mismatch")
HANDLER(implicit_conversion, "implicit-conversion") HANDLER(implicit_conversion, "implicit-conversion")
HANDLER(nonnull_arg, "nonnull-arg") HANDLER(nonnull_arg, "nonnull-arg")
HANDLER(nonnull_return, "nonnull-return") HANDLER(nonnull_return, "nonnull-return")
HANDLER(nullability_arg, "nullability-arg") HANDLER(nullability_arg, "nullability-arg")
HANDLER(nullability_return, "nullability-return") HANDLER(nullability_return, "nullability-return")
HANDLER(pointer_overflow, "pointer-overflow") HANDLER(pointer_overflow, "pointer-overflow")
HANDLER(cfi_check_fail, "cfi-check-fail") HANDLER(cfi_check_fail, "cfi-check-fail")

compiler-rt/test/ubsan/TestCases/Misc/objc-cast.m

  • This file was added.
// REQUIRES: darwin
//
// RUN: %clang -framework Foundation -fsanitize=objc-cast %s -O1 -o %t
// RUN: %run %t 2>&1 | FileCheck %s
//
// RUN: %clang -framework Foundation -fsanitize=objc-cast -fno-sanitize-recover=objc-cast %s -O1 -o %t.trap
// RUN: not %run %t.trap 2>&1 | FileCheck %s
#include <Foundation/Foundation.h>
int main() {
NSArray *arrayOfInt = [NSArray arrayWithObjects:@1, @2, @3, (void *)0];
// CHECK: objc-cast.m:[[@LINE+1]]:{{.*}}: runtime error: invalid ObjC cast, object is a '__NSCFNumber', but expected a 'NSString'
for (NSString *str in arrayOfInt) {
NSLog(@"%@", str);
}
NSArray *arrayOfStr = [NSArray arrayWithObjects:@"a", @"b", @"c", (void *)0];
for (NSString *str in arrayOfStr) {
NSLog(@"%@", str);
}
// The diagnostic should only be printed once.
// CHECK-NOT: runtime error
return 0;
}