This is an archive of the discontinued LLVM Phabricator instance.

Differential D80955

Fix UB in EmulateInstructionARM64.cpp
ClosedPublic

Authored by aprantl on Jun 1 2020, 2:22 PM.

Details

Reviewers
jasonmolenda
vsk
Commits
rGdba03f914a5d: Fix UB in EmulateInstructionARM64.cpp
rGa0b674fd7f06: Fix UB in EmulateInstructionARM64.cpp
Summary

This fixes an unhandled signed integer overflow in AddWithCarry() by using the llvm::checkedAdd() function. Thats to @vsk for the suggestion!

Diff Detail

Event Timeline

aprantl created this revision.Jun 1 2020, 2:22 PM
Herald added subscribers: danielkiss, kristof.beyls. · View Herald TranscriptJun 1 2020, 2:22 PM
vsk added a comment.Jun 1 2020, 2:48 PM

Any chance we can export AddWithCarry via EmulateInstructionARM64.h, then add a unit test in TestArm64InstEmulation.cpp?

vsk added a comment.Jun 1 2020, 2:53 PM

I should add: otherwise, this looks good!

lldb/source/Plugins/Instruction/ARM64/EmulateInstructionARM64.cpp
92

The docs [1] say 'integer signed_sum = SInt(x) + SInt(y) + UInt(carry_in)', but I bet checkedAdd doesn't support that, and anyway carry_in is 1-bit so it doesn't matter.

[1] https://developer.arm.com/docs/ddi0596/e/shared-pseudocode-functions/shared-functionsinteger-pseudocode#impl-shared.AddWithCarry.3

jasonmolenda added a comment.Jun 1 2020, 2:55 PM

Nice cleanup of a long standing undefined behavior warning.

shafik added a subscriber: shafik.Jun 1 2020, 3:21 PM
shafik added inline comments.
lldb/source/Plugins/Instruction/ARM64/EmulateInstructionARM64.cpp
25

Why? also should be cstdlib in C++.

davide added a subscriber: davide.Jun 1 2020, 3:53 PM
davide added inline comments.
lldb/source/Plugins/Instruction/ARM64/EmulateInstructionARM64.cpp
25

It's just something shuffled around, probably a side effect of clang-format.

davide added a comment.Jun 1 2020, 3:55 PM

This is great Adrian. I feel like there are several other instances of additions that should use llvm::checkAdd here instead of +. Is this the only UB triggered in the testsuite?

aprantl marked an inline comment as done.Jun 1 2020, 5:00 PM
aprantl added inline comments.
lldb/source/Plugins/Instruction/ARM64/EmulateInstructionARM64.cpp
92

Am I misreading this or are we also setting the C(arry) flag inverted according to the documentation?

aprantl added a comment.Jun 1 2020, 6:15 PM

This is great Adrian. I feel like there are several other instances of additions that should use llvm::checkAdd here instead of +. Is this the only UB triggered in the testsuite?

It's the only UB caught by the green dragon / ci.swift.org bots.

This revision was not accepted when it landed; it landed in state Needs Review.Jun 1 2020, 6:26 PM
Closed by commit rGa0b674fd7f06: Fix UB in EmulateInstructionARM64.cpp (authored by aprantl). · Explain Why
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptJun 1 2020, 6:26 PM
Herald added a subscriber: mgorny. · View Herald Transcript
vsk added inline comments.Jun 2 2020, 5:57 PM
lldb/source/Plugins/Instruction/ARM64/EmulateInstructionARM64.cpp
92

Oh wow.. nice catch.

Revision Contents

PathSize
lldb/
source/
Plugins/
Instruction/
ARM64/
3 lines
41 lines
unittests/
1 line
Instruction/
12 lines
62 lines

Diff 267776

lldb/source/Plugins/Instruction/ARM64/EmulateInstructionARM64.h

Show First 20 LinesShow All 146 Lines▼ Show 20 Lines uint32_t N : 1, V : 1, C : 1,
M : 5, // AArch32 only – mode encodings M : 5, // AArch32 only – mode encodings
RW : 1, // Current register width – 0 is AArch64, 1 is AArch32 RW : 1, // Current register width – 0 is AArch64, 1 is AArch32
EL : 2, // Current exception level (see ExceptionLevel enum) EL : 2, // Current exception level (see ExceptionLevel enum)
SP : 1; // AArch64 only - Stack Pointer selection (see SP : 1; // AArch64 only - Stack Pointer selection (see
// StackPointerSelection enum) // StackPointerSelection enum)
} ProcState; } ProcState;
protected: protected:
static uint64_t AddWithCarry(uint32_t N, uint64_t x, uint64_t y, bool carry_in,
EmulateInstructionARM64::ProcState &proc_state);
typedef struct { typedef struct {
uint32_t mask; uint32_t mask;
uint32_t value; uint32_t value;
uint32_t vfp_variants; uint32_t vfp_variants;
bool (EmulateInstructionARM64::*callback)(const uint32_t opcode); bool (EmulateInstructionARM64::*callback)(const uint32_t opcode);
const char *name; const char *name;
} Opcode; } Opcode;
Show All 30 Lines

lldb/source/Plugins/Instruction/ARM64/EmulateInstructionARM64.cpp

//===-- EmulateInstructionARM64.cpp ---------------------------------------===// //===-- EmulateInstructionARM64.cpp ---------------------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "EmulateInstructionARM64.h" #include "EmulateInstructionARM64.h"
#include <stdlib.h>
#include "lldb/Core/Address.h" #include "lldb/Core/Address.h"
#include "lldb/Core/PluginManager.h" #include "lldb/Core/PluginManager.h"
#include "lldb/Symbol/UnwindPlan.h" #include "lldb/Symbol/UnwindPlan.h"
#include "lldb/Utility/ArchSpec.h" #include "lldb/Utility/ArchSpec.h"
#include "lldb/Utility/ConstString.h" #include "lldb/Utility/ConstString.h"
#include "lldb/Utility/RegisterValue.h" #include "lldb/Utility/RegisterValue.h"
#include "lldb/Utility/Stream.h" #include "lldb/Utility/Stream.h"
#include "llvm/Support/CheckedArithmetic.h"
#include "Plugins/Process/Utility/ARMDefines.h" #include "Plugins/Process/Utility/ARMDefines.h"
#include "Plugins/Process/Utility/ARMUtils.h" #include "Plugins/Process/Utility/ARMUtils.h"
#include "Plugins/Process/Utility/lldb-arm64-register-enums.h" #include "Plugins/Process/Utility/lldb-arm64-register-enums.h"
#include <cstdlib>
shafikUnsubmitted
Not Done
ReplyInline Actions

Why? also should be cstdlib in C++.

shafik: Why? also should be `cstdlib` in C++.
davideUnsubmitted
Not Done
ReplyInline Actions

It's just something shuffled around, probably a side effect of clang-format.

davide: It's just something shuffled around, probably a side effect of clang-format.
#define GPR_OFFSET(idx) ((idx)*8) #define GPR_OFFSET(idx) ((idx)*8)
#define GPR_OFFSET_NAME(reg) 0 #define GPR_OFFSET_NAME(reg) 0
#define FPU_OFFSET(idx) ((idx)*16) #define FPU_OFFSET(idx) ((idx)*16)
#define FPU_OFFSET_NAME(reg) 0 #define FPU_OFFSET_NAME(reg) 0
#define EXC_OFFSET_NAME(reg) 0 #define EXC_OFFSET_NAME(reg) 0
#define DBG_OFFSET_NAME(reg) 0 #define DBG_OFFSET_NAME(reg) 0
#define DBG_OFFSET_NAME(reg) 0 #define DBG_OFFSET_NAME(reg) 0
#define DEFINE_DBG(re, y) \ #define DEFINE_DBG(re, y) \
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Lines
// ===== // =====
static inline uint64_t LSL(uint64_t x, integer shift) { static inline uint64_t LSL(uint64_t x, integer shift) {
if (shift == 0) if (shift == 0)
return x; return x;
return x << shift; return x << shift;
} }
// AddWithCarry()
// ===============
static inline uint64_t
AddWithCarry(uint32_t N, uint64_t x, uint64_t y, bit carry_in,
EmulateInstructionARM64::ProcState &proc_state) {
uint64_t unsigned_sum = UInt(x) + UInt(y) + UInt(carry_in);
int64_t signed_sum = SInt(x) + SInt(y) + UInt(carry_in);
uint64_t result = unsigned_sum;
if (N < 64)
result = Bits64(result, N - 1, 0);
proc_state.N = Bit64(result, N - 1);
proc_state.Z = IsZero(result);
proc_state.C = UInt(result) == unsigned_sum;
proc_state.V = SInt(result) == signed_sum;
return result;
}
// ConstrainUnpredictable() // ConstrainUnpredictable()
// ======================== // ========================
vskUnsubmitted
Not Done
ReplyInline Actions

The docs [1] say 'integer signed_sum = SInt(x) + SInt(y) + UInt(carry_in)', but I bet checkedAdd doesn't support that, and anyway carry_in is 1-bit so it doesn't matter.

[1] https://developer.arm.com/docs/ddi0596/e/shared-pseudocode-functions/shared-functionsinteger-pseudocode#impl-shared.AddWithCarry.3

vsk: The docs [1] say 'integer signed_sum = SInt(x) + SInt(y) + UInt(carry_in)', but I bet…
aprantlAuthorUnsubmitted
Done
ReplyInline Actions

Am I misreading this or are we also setting the C(arry) flag inverted according to the documentation?

aprantl: Am I misreading this or are we also setting the C(arry) flag inverted according to the…
vskUnsubmitted
Not Done
ReplyInline Actions

Oh wow.. nice catch.

vsk: Oh wow.. nice catch.
EmulateInstructionARM64::ConstraintType EmulateInstructionARM64::ConstraintType
ConstrainUnpredictable(EmulateInstructionARM64::Unpredictable which) { ConstrainUnpredictable(EmulateInstructionARM64::Unpredictable which) {
EmulateInstructionARM64::ConstraintType result = EmulateInstructionARM64::ConstraintType result =
EmulateInstructionARM64::Constraint_UNKNOWN; EmulateInstructionARM64::Constraint_UNKNOWN;
switch (which) { switch (which) {
case EmulateInstructionARM64::Unpredictable_WBOVERLAP: case EmulateInstructionARM64::Unpredictable_WBOVERLAP:
case EmulateInstructionARM64::Unpredictable_LDPOVERLAP: case EmulateInstructionARM64::Unpredictable_LDPOVERLAP:
// TODO: don't know what to really do here? Pseudo code says: // TODO: don't know what to really do here? Pseudo code says:
▲ Show 20 LinesShow All 461 Lines▼ Show 20 Lines case 7:
return true; return true;
} }
if (cond & 1) if (cond & 1)
result = !result; result = !result;
return result; return result;
} }
uint64_t EmulateInstructionARM64::
AddWithCarry(uint32_t N, uint64_t x, uint64_t y, bit carry_in,
EmulateInstructionARM64::ProcState &proc_state) {
uint64_t unsigned_sum = UInt(x) + UInt(y) + UInt(carry_in);
llvm::Optional<int64_t> signed_sum = llvm::checkedAdd(SInt(x), SInt(y));
bool overflow = !signed_sum;
if (!overflow)
overflow |= !llvm::checkedAdd(*signed_sum, SInt(carry_in));
uint64_t result = unsigned_sum;
if (N < 64)
result = Bits64(result, N - 1, 0);
proc_state.N = Bit64(result, N - 1);
proc_state.Z = IsZero(result);
proc_state.C = UInt(result) != unsigned_sum;
proc_state.V = overflow;
return result;
}
bool EmulateInstructionARM64::EmulateADDSUBImm(const uint32_t opcode) { bool EmulateInstructionARM64::EmulateADDSUBImm(const uint32_t opcode) {
// integer d = UInt(Rd); // integer d = UInt(Rd);
// integer n = UInt(Rn); // integer n = UInt(Rn);
// integer datasize = if sf == 1 then 64 else 32; // integer datasize = if sf == 1 then 64 else 32;
// boolean sub_op = (op == 1); // boolean sub_op = (op == 1);
// boolean setflags = (S == 1); // boolean setflags = (S == 1);
// bits(datasize) imm; // bits(datasize) imm;
// //
▲ Show 20 LinesShow All 595 LinesShow Last 20 Lines

lldb/unittests/CMakeLists.txt

Show First 20 LinesShow All 65 Lines▼ Show 20 Lines
add_subdirectory(Breakpoint) add_subdirectory(Breakpoint)
add_subdirectory(Core) add_subdirectory(Core)
add_subdirectory(DataFormatter) add_subdirectory(DataFormatter)
add_subdirectory(Disassembler) add_subdirectory(Disassembler)
add_subdirectory(Editline) add_subdirectory(Editline)
add_subdirectory(Expression) add_subdirectory(Expression)
add_subdirectory(Host) add_subdirectory(Host)
add_subdirectory(Interpreter) add_subdirectory(Interpreter)
add_subdirectory(Instruction)
add_subdirectory(Language) add_subdirectory(Language)
add_subdirectory(ObjectFile) add_subdirectory(ObjectFile)
add_subdirectory(Platform) add_subdirectory(Platform)
add_subdirectory(Process) add_subdirectory(Process)
add_subdirectory(ScriptInterpreter) add_subdirectory(ScriptInterpreter)
add_subdirectory(Signals) add_subdirectory(Signals)
add_subdirectory(Symbol) add_subdirectory(Symbol)
add_subdirectory(SymbolFile) add_subdirectory(SymbolFile)
add_subdirectory(Target) add_subdirectory(Target)
add_subdirectory(tools) add_subdirectory(tools)
add_subdirectory(UnwindAssembly) add_subdirectory(UnwindAssembly)
add_subdirectory(Utility) add_subdirectory(Utility)
if(LLDB_CAN_USE_DEBUGSERVER AND LLDB_TOOL_DEBUGSERVER_BUILD AND NOT LLDB_USE_SYSTEM_DEBUGSERVER) if(LLDB_CAN_USE_DEBUGSERVER AND LLDB_TOOL_DEBUGSERVER_BUILD AND NOT LLDB_USE_SYSTEM_DEBUGSERVER)
add_subdirectory(debugserver) add_subdirectory(debugserver)
endif() endif()

lldb/unittests/Instruction/CMakeLists.txt

  • This file was added.
if("ARM" IN_LIST LLVM_TARGETS_TO_BUILD)
add_lldb_unittest(EmulatorTests
TestAArch64Emulator.cpp
LINK_LIBS
lldbCore
lldbSymbol
lldbTarget
lldbPluginInstructionARM64
LINK_COMPONENTS
Support
${LLVM_TARGETS_TO_BUILD})
endif()

lldb/unittests/Instruction/TestAArch64Emulator.cpp

  • This file was added.
//===-- TestAArch64Emulator.cpp ------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "gtest/gtest.h"
#include "lldb/Core/Address.h"
#include "lldb/Core/Disassembler.h"
#include "lldb/Target/ExecutionContext.h"
#include "lldb/Utility/ArchSpec.h"
#include "Plugins/Instruction/ARM64/EmulateInstructionARM64.h"
using namespace lldb;
using namespace lldb_private;
struct Arch64EmulatorTester : public EmulateInstructionARM64 {
Arch64EmulatorTester()
: EmulateInstructionARM64(ArchSpec("arm64-apple-ios")) {}
static uint64_t AddWithCarry(uint32_t N, uint64_t x, uint64_t y, bool carry_in,
EmulateInstructionARM64::ProcState &proc_state) {
return EmulateInstructionARM64::AddWithCarry(N, x, y, carry_in, proc_state);
}
};
class TestAArch64Emulator : public testing::Test {
public:
static void SetUpTestCase();
static void TearDownTestCase();
protected:
};
void TestAArch64Emulator::SetUpTestCase() {
EmulateInstructionARM64::Initialize();
}
void TestAArch64Emulator::TearDownTestCase() {
EmulateInstructionARM64::Terminate();
}
TEST_F(TestAArch64Emulator, TestOverflow) {
EmulateInstructionARM64::ProcState pstate;
memset(&pstate, 0, sizeof(pstate));
uint64_t ll_max = std::numeric_limits<int64_t>::max();
Arch64EmulatorTester emu;
ASSERT_EQ(emu.AddWithCarry(64, ll_max, 0, 0, pstate), ll_max);
ASSERT_EQ(pstate.V, 0ULL);
ASSERT_EQ(pstate.C, 0ULL);
ASSERT_EQ(emu.AddWithCarry(64, ll_max, 1, 0, pstate), (uint64_t)(ll_max + 1));
ASSERT_EQ(pstate.V, 1ULL);
ASSERT_EQ(pstate.C, 0ULL);
ASSERT_EQ(emu.AddWithCarry(64, ll_max, 0, 1, pstate), (uint64_t)(ll_max + 1));
ASSERT_EQ(pstate.V, 1ULL);
ASSERT_EQ(pstate.C, 0ULL);
}