This is an archive of the discontinued LLVM Phabricator instance.

Differential D77374

Fix -fsanitize=array-bounds with comma operator
Changes PlannedPublic

Authored by vitalybuka on Apr 3 2020, 1:37 AM.

Details

Reviewers
rsmith
Summary

Depends on D77373.

Diff Detail

Event Timeline

vitalybuka created this revision.Apr 3 2020, 1:37 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 3 2020, 1:37 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
vitalybuka added a reviewer: rsmith.Apr 3 2020, 1:42 AM
vitalybuka updated this revision to Diff 254728.Apr 3 2020, 1:48 AM

remove debug dump

vitalybuka marked 2 inline comments as done.Apr 3 2020, 1:50 AM
vitalybuka added inline comments.
clang/test/CodeGen/bounds-checking.c
116

C version works even without patch

vitalybuka mentioned this in D77363: Use git-clang-format as Arcanist linter.Apr 3 2020, 1:54 AM
Harbormaster completed remote builds in B51596: Diff 254726.Apr 3 2020, 2:39 AM
Harbormaster completed remote builds in B51598: Diff 254728.
vitalybuka updated this revision to Diff 255016.Apr 4 2020, 2:11 AM

try arc diff

vitalybuka added a comment.Apr 8 2020, 5:06 PM

ping

rsmith added inline comments.Apr 8 2020, 6:49 PM
clang/lib/CodeGen/CGExpr.cpp
882–887

If we're going to further extend what Clang considers to be a flexible array access, we should do so consistently across our warning machinery and our sanitizers. Perhaps we could start by unifying this function with IsTailPaddedMemberArray in SemaChecking?

vitalybuka marked an inline comment as done.Apr 9 2020, 2:16 PM
vitalybuka added inline comments.
clang/lib/CodeGen/CGExpr.cpp
882–887

There is one place in external code which is blocking me from enabling this at Google.

How much work it's going to be? To me these functions looks very different.

rsmith added inline comments.Apr 22 2020, 12:57 PM
clang/lib/CodeGen/CGExpr.cpp
882–887

If you don't want to do the refactoring, please at least update Sema::CheckArrayAccess to skip over commas when looking for a member access in BaseExpr. Testcase:

struct X { int a; int b[1]; } *p;
int n = (0, p->b)[3];

... currently warns and trips the array-bounds sanitizer; with this change it would still warn but not trip the sanitizer, which seems bad. (Though I suppose the opposite case is worse.)

vitalybuka planned changes to this revision.May 24 2023, 5:37 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 24 2023, 5:37 PM

Revision Contents

PathSize
clang/
lib/
CodeGen/
7 lines
test/
CodeGen/
16 lines
16 lines

Diff 254728

clang/lib/CodeGen/CGExpr.cpp

Show First 20 LinesShow All 873 Lines▼ Show 20 Lines if (const auto *CAT = dyn_cast<ConstantArrayType>(AT)) {
// was produced by macro expansion. // was produced by macro expansion.
if (CAT->getSize().ugt(1)) if (CAT->getSize().ugt(1))
return false; return false;
} else if (!isa<IncompleteArrayType>(AT)) } else if (!isa<IncompleteArrayType>(AT))
return false; return false;
E = E->IgnoreParens(); E = E->IgnoreParens();
while (const BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
if (!BO->isCommaOp())
break;
E = BO->getRHS();
E = E->IgnoreParens();
}
rsmithUnsubmitted
Not Done
ReplyInline Actions

If we're going to further extend what Clang considers to be a flexible array access, we should do so consistently across our warning machinery and our sanitizers. Perhaps we could start by unifying this function with IsTailPaddedMemberArray in SemaChecking?

rsmith: If we're going to further extend what Clang considers to be a flexible array access, we should…
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

There is one place in external code which is blocking me from enabling this at Google.

How much work it's going to be? To me these functions looks very different.

vitalybuka: There is one place in external code which is blocking me from enabling this at Google. How…
rsmithUnsubmitted
Not Done
ReplyInline Actions

If you don't want to do the refactoring, please at least update Sema::CheckArrayAccess to skip over commas when looking for a member access in BaseExpr. Testcase:

struct X { int a; int b[1]; } *p;
int n = (0, p->b)[3];

... currently warns and trips the array-bounds sanitizer; with this change it would still warn but not trip the sanitizer, which seems bad. (Though I suppose the opposite case is worse.)

rsmith: If you don't want to do the refactoring, please at least update `Sema::CheckArrayAccess` to…
// A flexible array member must be the last member in the class. // A flexible array member must be the last member in the class.
if (const auto *ME = dyn_cast<MemberExpr>(E)) { if (const auto *ME = dyn_cast<MemberExpr>(E)) {
// FIXME: If the base type of the member expr is not FD->getParent(), // FIXME: If the base type of the member expr is not FD->getParent(),
// this should not be treated as a flexible array member access. // this should not be treated as a flexible array member access.
if (const auto *FD = dyn_cast<FieldDecl>(ME->getMemberDecl())) { if (const auto *FD = dyn_cast<FieldDecl>(ME->getMemberDecl())) {
// FIXME: Sema doesn't treat a T[1] union member as a flexible array // FIXME: Sema doesn't treat a T[1] union member as a flexible array
// member, only a T[0] or T[] member gets that treatment. // member, only a T[0] or T[] member gets that treatment.
if (FD->getParent()->isUnion()) if (FD->getParent()->isUnion())
▲ Show 20 LinesShow All 4,327 LinesShow Last 20 Lines

clang/test/CodeGen/bounds-checking.c

Show First 20 LinesShow All 94 Lines▼ Show 20 Lines
// CHECK-LABEL: define {{.*}} @SFlex // CHECK-LABEL: define {{.*}} @SFlex
int SFlex(struct SFlex *s, int i) { int SFlex(struct SFlex *s, int i) {
// a and b are treated as flexible array members. // a and b are treated as flexible array members.
// CHECK-NOT: @llvm.trap // CHECK-NOT: @llvm.trap
return s->a[i]; return s->a[i];
// CHECK: } // CHECK: }
} }
// CHECK-LABEL: define {{.*}} @SFlexComma
int SFlexComma(struct SFlex *s, int i) {
// a and b are treated as flexible array members.
// CHECK-NOT: @llvm.trap
return (s->t, s->a)[i];
// CHECK: }
}
// CHECK-LABEL: define {{.*}} @S1Comma
int S1Comma(struct S1 *s, int i) {
// a and b are treated as flexible array members.
// CHECK-NOT: @llvm.trap
return (s->t, s->a)[i];
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

C version works even without patch

vitalybuka: C version works even without patch
// CHECK: }
}

clang/test/CodeGen/bounds-checking.cpp

Show First 20 LinesShow All 92 Lines▼ Show 20 Lines
// CHECK-LABEL: define {{.*}} @_Z5SFlex // CHECK-LABEL: define {{.*}} @_Z5SFlex
int SFlex(struct SFlex *s, int i) { int SFlex(struct SFlex *s, int i) {
// a and b are treated as flexible array members. // a and b are treated as flexible array members.
// CHECK-NOT: @llvm.trap // CHECK-NOT: @llvm.trap
return s->a[i]; return s->a[i];
// CHECK: } // CHECK: }
} }
// CHECK-LABEL: define {{.*}} @_Z10SFlexComma
int SFlexComma(struct SFlex *s, int i) {
// a and b are treated as flexible array members.
// CHECK-NOT: @llvm.trap
return (s->t, s->a)[i];
// CHECK: }
}
// CHECK-LABEL: define {{.*}} @_Z7S1Comma
int S1Comma(struct S1 *s, int i) {
// a and b are treated as flexible array members.
// CHECK-NOT: @llvm.trap
return ((s->t, (1, s->a)))[i];
// CHECK: }
}