This is an archive of the discontinued LLVM Phabricator instance.

Differential D9059

Add a no_sanitize_vptr function attribute.
Needs ReviewPublic

Authored by ochang on Apr 16 2015, 1:52 PM.

Details

Reviewers
samsonov
rsmith

Diff Detail

Event Timeline

ochang updated this revision to Diff 23879.Apr 16 2015, 1:52 PM
ochang retitled this revision from to Add a no_sanitize_vptr function attribute..
ochang updated this object.
ochang edited the test plan for this revision. (Show Details)
ochang added a reviewer: samsonov.Apr 16 2015, 1:53 PM
ochang added a subscriber: inferno.
ochang added a subscriber: Unknown Object (MLST).Apr 16 2015, 1:56 PM
ochang updated this revision to Diff 23880.Apr 16 2015, 1:57 PM

fix comment

ochang added a reviewer: rsmith.Apr 16 2015, 3:36 PM
ochang updated this revision to Diff 23885.Apr 16 2015, 3:48 PM

Move check

ochang updated this revision to Diff 23886.Apr 16 2015, 3:49 PM

Fix comment

rsmith edited edge metadata.Apr 16 2015, 4:26 PM

I'm not convinced that adding one attribute per sanitizer is the right design here -- it doesn't seem to scale very well. Have you considered an attribute like

__attribute__((no_sanitize("list,of,sanitizers"))) void fn() { ... }

where the list is parsed as if it were specified as -fno-sanitize=list,of,sanitizers on the command line?

include/clang/Basic/Attr.td
1406

UBSan is not usually capitalized this way.

include/clang/Basic/AttrDocs.td
965

Grammar error around "for should".

Quuxplusone added a subscriber: Quuxplusone.Apr 16 2015, 5:28 PM
Quuxplusone added inline comments.
test/CodeGen/no-sanitize-vtpr.cpp
1

Typo in the name of this test: vtpr should be vptr.

17

If I understand the feature correctly, the idea is that UBSan inserts runtime checks for various undefined behaviors, including the undefined behavior of down-casting Bar* to Foo* in the case that the original Bar* doesn't actually point to an instance of Foo.

However, this particular test case is statically detectable as undefined behavior, isn't it? and then on top of that, the assignment is dead and shouldn't really be generating any code at all. I don't think a proper implementation of UBSan would insert any runtime check here (and if the current implementation *does* insert a check here, it's not a proper implementation yet).

A real test case would be something like

Foo *testfunc1(Bar *bar) {
  // CHECK: testfunc1
  // CHECK: call void @__ubsan_handle_dynamic_type_cache_miss
  return static_cast<Foo*>(bar); // down-casting
}
__attribute__((no_sanitize_vptr)) Foo *testfunc2(Bar *bar) {
  // CHECK: testfunc2
  // CHECK-NOT: call void @__ubsan_handle_dynamic_type_cache_miss
  return static_cast<Foo*>(bar); // down-casting
}
ochang updated this revision to Diff 23942.Apr 17 2015, 10:00 AM
ochang edited edge metadata.

address some comments

ochang added a comment.Apr 17 2015, 10:03 AM
In D9059#157331, @rsmith wrote:

I'm not convinced that adding one attribute per sanitizer is the right design here -- it doesn't seem to scale very well. Have you considered an attribute like

__attribute__((no_sanitize("list,of,sanitizers"))) void fn() { ... }

where the list is parsed as if it were specified as -fno-sanitize=list,of,sanitizers on the command line?

This does seem like a much better way of doing this. Should I change this in this patch?

What does everyone else think?

include/clang/Basic/Attr.td
1406

Fixed

include/clang/Basic/AttrDocs.td
965

Fixed.

test/CodeGen/no-sanitize-vtpr.cpp
1

Good catch, fixed.

17

I based these tests off an existing test - ubsan-type-blacklist.cpp, which led me to assumed it was OK to assume that these checks will be inserted for those cases. Should I change that too?

I've replaced this with something similar to yours (with added CHECK: ret) since call void @__ubsan_handle_dynamic_type_cache_miss gets inserted somewhere after testfunc2 too.

samsonov edited edge metadata.Apr 20 2015, 4:38 PM
In D9059#157697, @ochang wrote:
In D9059#157331, @rsmith wrote:

I'm not convinced that adding one attribute per sanitizer is the right design here -- it doesn't seem to scale very well. Have you considered an attribute like

__attribute__((no_sanitize("list,of,sanitizers"))) void fn() { ... }

where the list is parsed as if it were specified as -fno-sanitize=list,of,sanitizers on the command line?

This does seem like a much better way of doing this. Should I change this in this patch?

What does everyone else think?

I agree with this suggestion. It would be cool to have a single attribute like this, and later deprecate no_sanitize_address, no_sanitize_thread and no_sanitize_memory.

ochang added a comment.Apr 20 2015, 6:06 PM
In D9059#158733, @samsonov wrote:
In D9059#157697, @ochang wrote:
In D9059#157331, @rsmith wrote:

I'm not convinced that adding one attribute per sanitizer is the right design here -- it doesn't seem to scale very well. Have you considered an attribute like

__attribute__((no_sanitize("list,of,sanitizers"))) void fn() { ... }

where the list is parsed as if it were specified as -fno-sanitize=list,of,sanitizers on the command line?

This does seem like a much better way of doing this. Should I change this in this patch?

What does everyone else think?

I agree with this suggestion. It would be cool to have a single attribute like this, and later deprecate no_sanitize_address, no_sanitize_thread and no_sanitize_memory.

I can put together another patch in the next few days, unless someone else (more experienced) wants to take this?

samsonov added a subscriber: pcc.May 7 2015, 9:33 PM

+pcc who also encountered the requirement for this attribute in http://reviews.llvm.org/D6095

Revision Contents

PathSize
include/
clang/
Basic/
7 lines
8 lines
lib/
CodeGen/
3 lines
Sema/
3 lines
test/
CodeGen/
26 lines
SemaCXX/
37 lines

Diff 23886

include/clang/Basic/Attr.td

Show First 20 LinesShow All 1,397 Lines▼ Show 20 Lines
// Attribute to disable MemorySanitizer checks. // Attribute to disable MemorySanitizer checks.
def NoSanitizeMemory : InheritableAttr { def NoSanitizeMemory : InheritableAttr {
let Spellings = [GNU<"no_sanitize_memory">]; let Spellings = [GNU<"no_sanitize_memory">];
let Subjects = SubjectList<[Function], ErrorDiag>; let Subjects = SubjectList<[Function], ErrorDiag>;
let Documentation = [NoSanitizeMemoryDocs]; let Documentation = [NoSanitizeMemoryDocs];
} }
// Attribute to disable UBSAN vptr checks.
rsmithUnsubmitted
Not Done
ReplyInline Actions

UBSan is not usually capitalized this way.

rsmith: UBSan is not usually capitalized this way.
ochangAuthorUnsubmitted
Not Done
ReplyInline Actions

Fixed

ochang: Fixed
def NoSanitizeVptr : InheritableAttr {
let Spellings = [GNU<"no_sanitize_vptr">];
let Subjects = SubjectList<[Function], ErrorDiag>;
let Documentation = [NoSanitizeVptrDocs];
}
// C/C++ Thread safety attributes (e.g. for deadlock, data race checking) // C/C++ Thread safety attributes (e.g. for deadlock, data race checking)
def GuardedVar : InheritableAttr { def GuardedVar : InheritableAttr {
let Spellings = [GNU<"guarded_var">]; let Spellings = [GNU<"guarded_var">];
let Subjects = SubjectList<[Field, SharedVar], WarnDiag, let Subjects = SubjectList<[Field, SharedVar], WarnDiag,
"ExpectedFieldOrGlobalVar">; "ExpectedFieldOrGlobalVar">;
let Documentation = [Undocumented]; let Documentation = [Undocumented];
} }
▲ Show 20 LinesShow All 591 LinesShow Last 20 Lines

include/clang/Basic/AttrDocs.td

Show First 20 LinesShow All 952 Lines▼ Show 20 Lines
Use ``__attribute__((no_sanitize_memory))`` on a function declaration to Use ``__attribute__((no_sanitize_memory))`` on a function declaration to
specify that checks for uninitialized memory should not be inserted specify that checks for uninitialized memory should not be inserted
(e.g. by MemorySanitizer). The function may still be instrumented by the tool (e.g. by MemorySanitizer). The function may still be instrumented by the tool
to avoid false positives in other places. to avoid false positives in other places.
}]; }];
} }
def NoSanitizeVptrDocs : Documentation {
let Category = DocCatFunction;
let Content = [{
Use ``__attribute__((no_sanitize_vptr))`` on a function declaration to
specify that dynamic vptr checks for should not be inserted.
rsmithUnsubmitted
Not Done
ReplyInline Actions

Grammar error around "for should".

rsmith: Grammar error around "for should".
ochangAuthorUnsubmitted
Not Done
ReplyInline Actions

Fixed.

ochang: Fixed.
}];
}
def DocCatTypeSafety : DocumentationCategory<"Type Safety Checking"> { def DocCatTypeSafety : DocumentationCategory<"Type Safety Checking"> {
let Content = [{ let Content = [{
Clang supports additional attributes to enable checking type safety properties Clang supports additional attributes to enable checking type safety properties
that can't be enforced by the C type system. Use cases include: that can't be enforced by the C type system. Use cases include:
* MPI library implementations, where these attributes enable checking that * MPI library implementations, where these attributes enable checking that
the buffer type matches the passed ``MPI_Datatype``; the buffer type matches the passed ``MPI_Datatype``;
* for HDF5 library there is a similar use case to MPI; * for HDF5 library there is a similar use case to MPI;
▲ Show 20 LinesShow All 464 LinesShow Last 20 Lines

lib/CodeGen/CGExpr.cpp

Show First 20 LinesShow All 574 Lines▼ Show 20 Linesvoid CodeGenFunction::EmitTypeCheck(TypeCheckKind TCK, SourceLocation Loc,
// The program has undefined behavior if: // The program has undefined behavior if:
// -- the [pointer or glvalue] is used to access a non-static data member // -- the [pointer or glvalue] is used to access a non-static data member
// or call a non-static member function // or call a non-static member function
CXXRecordDecl *RD = Ty->getAsCXXRecordDecl(); CXXRecordDecl *RD = Ty->getAsCXXRecordDecl();
if (SanOpts.has(SanitizerKind::Vptr) && if (SanOpts.has(SanitizerKind::Vptr) &&
(TCK == TCK_MemberAccess || TCK == TCK_MemberCall || (TCK == TCK_MemberAccess || TCK == TCK_MemberCall ||
TCK == TCK_DowncastPointer || TCK == TCK_DowncastReference || TCK == TCK_DowncastPointer || TCK == TCK_DowncastReference ||
TCK == TCK_UpcastToVirtualBase) && TCK == TCK_UpcastToVirtualBase) &&
RD && RD->hasDefinition() && RD->isDynamicClass()) { RD && RD->hasDefinition() && RD->isDynamicClass() &&
!CurFuncDecl->hasAttr<NoSanitizeVptrAttr>()) {
// Compute a hash of the mangled name of the type. // Compute a hash of the mangled name of the type.
// //
// FIXME: This is not guaranteed to be deterministic! Move to a // FIXME: This is not guaranteed to be deterministic! Move to a
// fingerprinting mechanism once LLVM provides one. For the time // fingerprinting mechanism once LLVM provides one. For the time
// being the implementation happens to be deterministic. // being the implementation happens to be deterministic.
SmallString<64> MangledName; SmallString<64> MangledName;
llvm::raw_svector_ostream Out(MangledName); llvm::raw_svector_ostream Out(MangledName);
CGM.getCXXABI().getMangleContext().mangleCXXRTTI(Ty.getUnqualifiedType(), CGM.getCXXABI().getMangleContext().mangleCXXRTTI(Ty.getUnqualifiedType(),
▲ Show 20 LinesShow All 2,972 LinesShow Last 20 Lines

lib/Sema/SemaDeclAttr.cpp

Show First 20 LinesShow All 4,766 Lines▼ Show 20 Lines case AttributeList::AT_NoThreadSafetyAnalysis:
handleSimpleAttribute<NoThreadSafetyAnalysisAttr>(S, D, Attr); handleSimpleAttribute<NoThreadSafetyAnalysisAttr>(S, D, Attr);
break; break;
case AttributeList::AT_NoSanitizeThread: case AttributeList::AT_NoSanitizeThread:
handleSimpleAttribute<NoSanitizeThreadAttr>(S, D, Attr); handleSimpleAttribute<NoSanitizeThreadAttr>(S, D, Attr);
break; break;
case AttributeList::AT_NoSanitizeMemory: case AttributeList::AT_NoSanitizeMemory:
handleSimpleAttribute<NoSanitizeMemoryAttr>(S, D, Attr); handleSimpleAttribute<NoSanitizeMemoryAttr>(S, D, Attr);
break; break;
case AttributeList::AT_NoSanitizeVptr:
handleSimpleAttribute<NoSanitizeVptrAttr>(S, D, Attr);
break;
case AttributeList::AT_GuardedBy: case AttributeList::AT_GuardedBy:
handleGuardedByAttr(S, D, Attr); handleGuardedByAttr(S, D, Attr);
break; break;
case AttributeList::AT_PtGuardedBy: case AttributeList::AT_PtGuardedBy:
handlePtGuardedByAttr(S, D, Attr); handlePtGuardedByAttr(S, D, Attr);
break; break;
case AttributeList::AT_ExclusiveTrylockFunction: case AttributeList::AT_ExclusiveTrylockFunction:
handleExclusiveTrylockFunctionAttr(S, D, Attr); handleExclusiveTrylockFunctionAttr(S, D, Attr);
▲ Show 20 LinesShow All 507 LinesShow Last 20 Lines

test/CodeGen/no-sanitize-vtpr.cpp

  • This file was added.
// Verify ubsan doesn't emit checks for functions with the no_sanitize_vptr attribute.
QuuxplusoneUnsubmitted
Not Done
ReplyInline Actions

Typo in the name of this test: vtpr should be vptr.

Quuxplusone: Typo in the name of this test: `vtpr` should be `vptr`.
ochangAuthorUnsubmitted
Not Done
ReplyInline Actions

Good catch, fixed.

ochang: Good catch, fixed.
// RUN: %clang_cc1 -fsanitize=vptr -emit-llvm %s -o - | FileCheck %s
// REQUIRES: shell
class Bar {
public:
virtual ~Bar() {}
};
class Foo : public Bar {};
Bar bar;
__attribute__((no_sanitize_vptr)) void testfunc() {
// CHECK: testfunc
// CHECK-NOT: call void @__ubsan_handle_dynamic_type_cache_miss
Foo* foo = static_cast<Foo*>(&bar); // down-casting
QuuxplusoneUnsubmitted
Not Done
ReplyInline Actions

If I understand the feature correctly, the idea is that UBSan inserts runtime checks for various undefined behaviors, including the undefined behavior of down-casting Bar* to Foo* in the case that the original Bar* doesn't actually point to an instance of Foo.

However, this particular test case is statically detectable as undefined behavior, isn't it? and then on top of that, the assignment is dead and shouldn't really be generating any code at all. I don't think a proper implementation of UBSan would insert any runtime check here (and if the current implementation *does* insert a check here, it's not a proper implementation yet).

A real test case would be something like

Foo *testfunc1(Bar *bar) {
  // CHECK: testfunc1
  // CHECK: call void @__ubsan_handle_dynamic_type_cache_miss
  return static_cast<Foo*>(bar); // down-casting
}
__attribute__((no_sanitize_vptr)) Foo *testfunc2(Bar *bar) {
  // CHECK: testfunc2
  // CHECK-NOT: call void @__ubsan_handle_dynamic_type_cache_miss
  return static_cast<Foo*>(bar); // down-casting
}
Quuxplusone: If I understand the feature correctly, the idea is that UBSan inserts runtime checks for…
ochangAuthorUnsubmitted
Not Done
ReplyInline Actions

I based these tests off an existing test - ubsan-type-blacklist.cpp, which led me to assumed it was OK to assume that these checks will be inserted for those cases. Should I change that too?

I've replaced this with something similar to yours (with added CHECK: ret) since call void @__ubsan_handle_dynamic_type_cache_miss gets inserted somewhere after testfunc2 too.

ochang: I based these tests off an existing test - ubsan-type-blacklist.cpp, which led me to assumed it…
// CHECK: ret void
}
void testfunc2() {
// CHECK: testfunc2
// CHECK: call void @__ubsan_handle_dynamic_type_cache_miss
Foo* foo = static_cast<Foo*>(&bar); // down-casting
// CHECK: ret void
}

test/SemaCXX/attr-no-sanitize-vptr.cpp

  • This file was added.
// RUN: %clang_cc1 -fsyntax-only -verify %s
#define NO_SANITIZE_VPTR __attribute__((no_sanitize_vptr))
#if !__has_attribute(no_sanitize_vptr)
#error "Should support no_sanitize_vptr"
#endif
void noanal_fun() NO_SANITIZE_VPTR;
void noanal_fun_args() __attribute__((no_sanitize_vptr(1))); // \
// expected-error {{'no_sanitize_vptr' attribute takes no arguments}}
int noanal_testfn(int y) NO_SANITIZE_VPTR;
int noanal_testfn(int y) {
int x NO_SANITIZE_VPTR = y; // \
// expected-error {{'no_sanitize_vptr' attribute only applies to functions}}
return x;
}
int noanal_test_var NO_SANITIZE_VPTR; // \
// expected-error {{'no_sanitize_vptr' attribute only applies to functions}}
class NoanalFoo {
private:
int test_field NO_SANITIZE_VPTR; // \
// expected-error {{'no_sanitize_vptr' attribute only applies to functions}}
void test_method() NO_SANITIZE_VPTR;
};
class NO_SANITIZE_VPTR NoanalTestClass { // \
// expected-error {{'no_sanitize_vptr' attribute only applies to functions}}
};
void noanal_fun_params(int lvar NO_SANITIZE_VPTR); // \
// expected-error {{'no_sanitize_vptr' attribute only applies to functions}}