This is an archive of the discontinued LLVM Phabricator instance.

Ah, I just commented on the bug report, but your patch confirms what I thought. Thanks for the patch. So this is basically a CFI false positive, do we agree?

Another approach would be:

template <class _Pointer = _Tp*>
_Pointer __get_elem() _NOEXCEPT {
    _CompressedPair *__as_pair = reinterpret_cast<_CompressedPair*>(__blob_);
    typename _CompressedPair::_Base2* __second = _CompressedPair::__get_second_base(__as_pair);
    _Pointer __elem = reinterpret_cast<_Pointer>(__second);
    return __elem;
}

Then, we can use it as __get_elem<void*>() for the placement-new use case, and just __get_elem() for the normal case. What do you think?

libcxx/include/memory
2656	Indentation looks off.

In D95827#2535177, @ldionne wrote:

Ah, I just commented on the bug report, but your patch confirms what I thought. Thanks for the patch. So this is basically a CFI false positive, do we agree?

I think the code is fine, but I'm not 100% sure it isn't technically UB. I mean, I'd write it.

Then, we can use it as __get_elem<void*>() for the placement-new use case, and just __get_elem() for the normal case. What do you think?

That works, I tried it, but I realized the C++17+ cases are still broken.

libcxx/include/memory
2594	I realize that the same issue exists here. However, the prorotype of C++17 `std::construct_at` expects a `_Tp` argument, not `void`, so this change is really fighting uphill against future standards versions, and that makes me reconsider the whole effort. I guess I'll hold off on this change for now and go forward with the exclusion.

Harbormaster completed remote builds in B87435: Diff 320619.Feb 1 2021, 4:08 PM

We could add _LIBCPP_NO_CFI on the problematic method, like we do for std::addressof. Can you try that out?

use attribute to disable CFI

In D95827#2536611, @ldionne wrote:

We could add _LIBCPP_NO_CFI on the problematic method, like we do for std::addressof. Can you try that out?

Yep, it works.

I haven't put together a test for this. Are there existing tests for CFI or sanitizers that I could use to build a test for this?

In D95827#2537371, @rnk wrote:

In D95827#2536611, @ldionne wrote:

We could add _LIBCPP_NO_CFI on the problematic method, like we do for std::addressof. Can you try that out?

Yep, it works.

I haven't put together a test for this. Are there existing tests for CFI or sanitizers that I could use to build a test for this?

No, I don't think we have any. I see two options:

Add a buildbot that runs with CFI enabled.
Add a single .sh.cpp test that runs this specifically.

I think option (1) would be the best. Is it sufficient to add -fsanitize=cfi -flto when compiling a test file to reproduce the issue? If so, I think we could simply add a new CFI sanitizer configuration to Lit that does that, and add a corresponding job to run the whole test suite with CFI enabled. We can tackle that as a separate effort.

This revision is now accepted and ready to land.Feb 2 2021, 12:05 PM

This revision was landed with ongoing or failed builds.Feb 2 2021, 12:39 PM

Closed by commit rGbab74864168b: Disable CFI in __get_elem to allow casting a pointer to uninitialized memory (authored by rnk). · Explain Why

This revision was automatically updated to reflect the committed changes.

rnk added a commit: rGbab74864168b: Disable CFI in __get_elem to allow casting a pointer to uninitialized memory.

In D95827#2537382, @ldionne wrote:

I think option (1) would be the best. Is it sufficient to add -fsanitize=cfi -flto when compiling a test file to reproduce the issue? If so, I think we could simply add a new CFI sanitizer configuration to Lit that does that, and add a corresponding job to run the whole test suite with CFI enabled. We can tackle that as a separate effort.

Makes sense to me. I think CFI also requires -fvisibility=hidden to make its vtable checks work. -fno-sanitize-trap makes CFI violations produce diagnostics instead of simply trapping, so you would want to include it in a test config.

Harbormaster completed remote builds in B87564: Diff 320871.Feb 2 2021, 5:11 PM

Revision Contents

Path

Size

libcxx/

include/

memory

2 lines

Diff 320885

libcxx/include/memory

Show First 20 Lines • Show All 2,585 Lines • ▼ Show 20 Lines	struct __shared_ptr_emplace
template<class ..._Args>		template<class ..._Args>
_LIBCPP_HIDE_FROM_ABI		_LIBCPP_HIDE_FROM_ABI
explicit __shared_ptr_emplace(_Alloc __a, _Args&& ...__args)		explicit __shared_ptr_emplace(_Alloc __a, _Args&& ...__args)
: __storage_(_VSTD::move(__a))		: __storage_(_VSTD::move(__a))
{		{
#if _LIBCPP_STD_VER > 17		#if _LIBCPP_STD_VER > 17
using _TpAlloc = typename __allocator_traits_rebind<_Alloc, _Tp>::type;		using _TpAlloc = typename __allocator_traits_rebind<_Alloc, _Tp>::type;
_TpAlloc __tmp(*__get_alloc());		_TpAlloc __tmp(*__get_alloc());
allocator_traits<_TpAlloc>::construct(__tmp, __get_elem(), _VSTD::forward<_Args>(__args)...);		allocator_traits<_TpAlloc>::construct(__tmp, __get_elem(), _VSTD::forward<_Args>(__args)...);
		rnkAuthorUnsubmitted Done Reply Inline Actions I realize that the same issue exists here. However, the prorotype of C++17 `std::construct_at` expects a `_Tp` argument, not `void`, so this change is really fighting uphill against future standards versions, and that makes me reconsider the whole effort. I guess I'll hold off on this change for now and go forward with the exclusion. rnk: I realize that the same issue exists here. However, the prorotype of C++17 `std::construct_at`…
#else		#else
::new ((void*)__get_elem()) _Tp(_VSTD::forward<_Args>(__args)...);		::new ((void*)__get_elem()) _Tp(_VSTD::forward<_Args>(__args)...);
#endif		#endif
}		}

_LIBCPP_HIDE_FROM_ABI		_LIBCPP_HIDE_FROM_ABI
_Alloc* __get_alloc() _NOEXCEPT { return __storage_.__get_alloc(); }		_Alloc* __get_alloc() _NOEXCEPT { return __storage_.__get_alloc(); }

Show All 39 Lines	struct _ALIGNAS_TYPE(_CompressedPair) _Storage {
__get_alloc()->~_Alloc();		__get_alloc()->~_Alloc();
}		}
_Alloc* __get_alloc() _NOEXCEPT {		_Alloc* __get_alloc() _NOEXCEPT {
_CompressedPair __as_pair = reinterpret_cast<_CompressedPair>(__blob_);		_CompressedPair __as_pair = reinterpret_cast<_CompressedPair>(__blob_);
typename _CompressedPair::_Base1* __first = _CompressedPair::__get_first_base(__as_pair);		typename _CompressedPair::_Base1* __first = _CompressedPair::__get_first_base(__as_pair);
_Alloc __alloc = reinterpret_cast<_Alloc>(__first);		_Alloc __alloc = reinterpret_cast<_Alloc>(__first);
return __alloc;		return __alloc;
}		}
_Tp* __get_elem() _NOEXCEPT {		_LIBCPP_NO_CFI _Tp* __get_elem() _NOEXCEPT {
_CompressedPair __as_pair = reinterpret_cast<_CompressedPair>(__blob_);		_CompressedPair __as_pair = reinterpret_cast<_CompressedPair>(__blob_);
typename _CompressedPair::_Base2* __second = _CompressedPair::__get_second_base(__as_pair);		typename _CompressedPair::_Base2* __second = _CompressedPair::__get_second_base(__as_pair);
_Tp __elem = reinterpret_cast<_Tp>(__second);		_Tp __elem = reinterpret_cast<_Tp>(__second);
return __elem;		return __elem;
}		}
};		};
		ldionneUnsubmitted Not Done Reply Inline Actions Indentation looks off. ldionne: Indentation looks off.

static_assert(_LIBCPP_ALIGNOF(_Storage) == _LIBCPP_ALIGNOF(_CompressedPair), "");		static_assert(_LIBCPP_ALIGNOF(_Storage) == _LIBCPP_ALIGNOF(_CompressedPair), "");
static_assert(sizeof(_Storage) == sizeof(_CompressedPair), "");		static_assert(sizeof(_Storage) == sizeof(_CompressedPair), "");
_Storage __storage_;		_Storage __storage_;
};		};

struct __shared_ptr_dummy_rebind_allocator_type;		struct __shared_ptr_dummy_rebind_allocator_type;
template <>		template <>
▲ Show 20 Lines • Show All 1,630 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

Avoid cast<T*> before T is constructed to pacify CFI checksClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 320885

libcxx/include/memory

Avoid cast<T*> before T is constructed to pacify CFI checks
ClosedPublic