This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/CodeGen/
-
CodeGen/
4
CodeGenFunction.cpp
-
test/CodeGen/
-
CodeGen/
-
ubsan-assume-aligned-crash.c

Differential D92001

[ubsan] Fix crash on __builtin_assume_aligned
AbandonedPublic

Authored by MaskRay on Nov 23 2020, 9:27 PM.

Download Raw Diff

Details

Reviewers

Tyker
rsmith
aaron.ballman
orivej
lebedev.ri

Summary

Fixes PR45813

Diff Detail

Event Timeline

orivej created this revision.Nov 23 2020, 9:27 PM

Herald added a subscriber: cfe-commits. · View Herald TranscriptNov 23 2020, 9:27 PM

orivej requested review of this revision.Nov 23 2020, 9:27 PM

orivej updated this revision to Diff 307239.

Sorry, I don't understand the issue and can't write a better description.
Since this test triggers an assert in getCommonPtr that it "Cannot retrieve a NULL type pointer" of Ty->getPointeeType(), the fix just checks that the pointee is not null before using isVolatileQualified.

Harbormaster completed remote builds in B79889: Diff 307238.Nov 23 2020, 10:00 PM

Could somebody review this?

vsk added a subscriber: vsk.Dec 2 2020, 9:49 AM

vsk added inline comments.

clang/lib/CodeGen/CodeGenFunction.cpp
2524	Is the pointee type associated with a PointerType QualType ever supposed to be null? I wonder why this happens, and whether it can cause problems in other places.

lebedev.ri added inline comments.Dec 2 2020, 9:51 AM

clang/lib/CodeGen/CodeGenFunction.cpp
2524	Basically, we can't just use `getPointeeType()` here, but i'm not sure what should be used instead.

lebedev.ri added a reviewer: aaron.ballman.Dec 2 2020, 9:52 AM

aaron.ballman added inline comments.Dec 2 2020, 1:13 PM

clang/lib/CodeGen/CodeGenFunction.cpp
2524	I'm not super familiar with `__builtin_assume_aligned` but from the GCC docs, it looks like the code from the test case is valid code (so we don't need to add semantic checking that would ensure we don't reach this code path). However, it seems a bit odd to me that we'd get an array type here as opposed to a decayed type which would actually be a pointer. I think the issue is further up the call chain, perhaps. `EmitBuiltinExpr()` gets the argument expression and passes it to `emitAlignmentAssumption()` which pulls the type directly out of the expression. It seems like there's an lvalue to rvalue conversion step missing to adjust the type.

@orivej please can you look where we create AST nodes for these builtins and ensure that the "pointer" argument is actually converted into a pointer beforehand?
I'm afraid i can't readily point at the examples, but it should be easy-ish..

clang/lib/CodeGen/CodeGenFunction.cpp
2524	Aha, yes, that does sound like the underying problem. I was thinking about that beforehand, but wasn't sure.

This revision now requires changes to proceed.Dec 3 2020, 1:56 PM

This review seems to be stuck/dead, consider abandoning if no longer relevant.

This revision now requires review to proceed.Jan 12 2023, 4:46 PM

Herald added a project: Restricted Project. · View Herald TranscriptJan 12 2023, 4:46 PM

Herald added a subscriber: StephenFan. · View Herald Transcript

-fsanitize=alignment -c a.c -O[012] no longer crashes for the test. From the comment that the problem was up the call chain, I think we can close this revision now.

MaskRay commandeered this revision.Jan 12 2023, 6:01 PM

MaskRay abandoned this revision.

MaskRay added a reviewer: orivej.

Revision Contents

Path

Size

clang/

lib/

CodeGen/

CodeGenFunction.cpp

2 lines

test/

CodeGen/

ubsan-assume-aligned-crash.c

9 lines

Diff 307239

clang/lib/CodeGen/CodeGenFunction.cpp

Show First 20 Lines • Show All 2,515 Lines • ▼ Show 20 Lines	assert(&(Builder.GetInsertBlock()->back()) == Assumption &&
"Assumption should be the last instruction of the basic block, "		"Assumption should be the last instruction of the basic block, "
"since the basic block is still being generated.");		"since the basic block is still being generated.");

if (!SanOpts.has(SanitizerKind::Alignment))		if (!SanOpts.has(SanitizerKind::Alignment))
return;		return;

// Don't check pointers to volatile data. The behavior here is implementation-		// Don't check pointers to volatile data. The behavior here is implementation-
// defined.		// defined.
if (Ty->getPointeeType().isVolatileQualified())		if (!Ty->getPointeeType().isNull() && Ty->getPointeeType().isVolatileQualified())
		vskUnsubmitted Not Done Reply Inline Actions Is the pointee type associated with a PointerType QualType ever supposed to be null? I wonder why this happens, and whether it can cause problems in other places. vsk: Is the pointee type associated with a PointerType QualType ever supposed to be null? I wonder…
		lebedev.riUnsubmitted Not Done Reply Inline Actions Basically, we can't just use `getPointeeType()` here, but i'm not sure what should be used instead. lebedev.ri: Basically, we can't just use `getPointeeType()` here, but i'm not sure what should be used…
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions I'm not super familiar with `__builtin_assume_aligned` but from the GCC docs, it looks like the code from the test case is valid code (so we don't need to add semantic checking that would ensure we don't reach this code path). However, it seems a bit odd to me that we'd get an array type here as opposed to a decayed type which would actually be a pointer. I think the issue is further up the call chain, perhaps. `EmitBuiltinExpr()` gets the argument expression and passes it to `emitAlignmentAssumption()` which pulls the type directly out of the expression. It seems like there's an lvalue to rvalue conversion step missing to adjust the type. aaron.ballman: I'm not super familiar with `__builtin_assume_aligned` but from the GCC docs, it looks like the…
		lebedev.riUnsubmitted Not Done Reply Inline Actions Aha, yes, that does sound like the underying problem. I was thinking about that beforehand, but wasn't sure. lebedev.ri: Aha, yes, that does sound like the underying problem. I was thinking about that beforehand, but…
return;		return;

// We need to temorairly remove the assumption so we can insert the		// We need to temorairly remove the assumption so we can insert the
// sanitizer check before it, else the check will be dropped by optimizations.		// sanitizer check before it, else the check will be dropped by optimizations.
Assumption->removeFromParent();		Assumption->removeFromParent();

{		{
SanitizerScope SanScope(this);		SanitizerScope SanScope(this);
▲ Show 20 Lines • Show All 59 Lines • Show Last 20 Lines

clang/test/CodeGen/ubsan-assume-aligned-crash.c

This file was added.

				// RUN: %clang_cc1 -fsanitize=alignment -emit-llvm %s -o /dev/null

				/* Testcase for PR45813 - clang crashes checking isVolatileQualified of isNull pointee. */

				__attribute__((aligned(8))) int data[2];

				int* test() {
				return __builtin_assume_aligned(data, 8);
				}