llvm-project/clang/test/CodeGenCXX/catch-implicit-integer-sign...

150 lines
5.2 KiB
C++
Raw Normal View History

[clang][ubsan] Implicit Conversion Sanitizer - integer sign change - clang part This is the second half of Implicit Integer Conversion Sanitizer. It completes the first half, and finally makes the sanitizer fully functional! Only the bitfield handling is missing. Summary: C and C++ are interesting languages. They are statically typed, but weakly. The implicit conversions are allowed. This is nice, allows to write code while balancing between getting drowned in everything being convertible, and nothing being convertible. As usual, this comes with a price: ``` void consume(unsigned int val); void test(int val) { consume(val); // The 'val' is `signed int`, but `consume()` takes `unsigned int`. // If val is negative, then consume() will be operating on a large // unsigned value, and you may or may not have a bug. // But yes, sometimes this is intentional. // Making the conversion explicit silences the sanitizer. consume((unsigned int)val); } ``` Yes, there is a `-Wsign-conversion`` diagnostic group, but first, it is kinda noisy, since it warns on everything (unlike sanitizers, warning on an actual issues), and second, likely there are cases where it does **not** warn. The actual detection is pretty easy. We just need to check each of the values whether it is negative, and equality-compare the results of those comparisons. The unsigned value is obviously non-negative. Zero is non-negative too. https://godbolt.org/g/w93oj2 We do not have to emit the check *always*, there are obvious situations where we can avoid emitting it, since it would **always** get optimized-out. But i do think the tautological IR (`icmp ult %x, 0`, which is always false) should be emitted, and the middle-end should cleanup it. This sanitizer is in the `-fsanitize=implicit-conversion` group, and is a logical continuation of D48958 `-fsanitize=implicit-integer-truncation`. As for the ordering, i'we opted to emit the check **after** `-fsanitize=implicit-integer-truncation`. At least on these simple 16 test cases, this results in 1 of the 12 emitted checks being optimized away, as compared to 0 checks being optimized away if the order is reversed. This is a clang part. The compiler-rt part is D50251. Finishes fixing [[ https://bugs.llvm.org/show_bug.cgi?id=21530 | PR21530 ]], [[ https://bugs.llvm.org/show_bug.cgi?id=37552 | PR37552 ]], [[ https://bugs.llvm.org/show_bug.cgi?id=35409 | PR35409 ]]. Finishes partially fixing [[ https://bugs.llvm.org/show_bug.cgi?id=9821 | PR9821 ]]. Finishes fixing https://github.com/google/sanitizers/issues/940. Only the bitfield handling is missing. Reviewers: vsk, rsmith, rjmccall, #sanitizers, erichkeane Reviewed By: rsmith Subscribers: chandlerc, filcab, cfe-commits, regehr Tags: #sanitizers, #clang Differential Revision: https://reviews.llvm.org/D50250 llvm-svn: 345660
2018-10-31 05:58:56 +08:00
// RUN: %clang_cc1 -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefix=CHECK
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fno-sanitize-recover=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-NORECOVER
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fsanitize-recover=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-RECOVER
// RUN: %clang_cc1 -fsanitize=implicit-integer-sign-change -fsanitize-trap=implicit-integer-sign-change -emit-llvm %s -o - -triple x86_64-linux-gnu | FileCheck %s --check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-TRAP
extern "C" { // Disable name mangling.
// ========================================================================== //
// The expected true-negatives.
// ========================================================================== //
// Sanitization is explicitly disabled.
// ========================================================================== //
// CHECK-LABEL: @blacklist_0
__attribute__((no_sanitize("undefined"))) unsigned int blacklist_0(signed int src) {
// We are not in "undefined" group, so that doesn't work.
// CHECK-SANITIZE: call
// CHECK: }
return src;
}
// CHECK-LABEL: @blacklist_1
__attribute__((no_sanitize("integer"))) unsigned int blacklist_1(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return src;
}
// CHECK-LABEL: @blacklist_2
__attribute__((no_sanitize("implicit-conversion"))) unsigned int blacklist_2(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return src;
}
// CHECK-LABEL: @blacklist_3
__attribute__((no_sanitize("implicit-integer-sign-change"))) unsigned int blacklist_3(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return src;
}
// Explicit sign-changing conversions.
// ========================================================================== //
// CHECK-LABEL: @explicit_signed_int_to_unsigned_int
unsigned int explicit_signed_int_to_unsigned_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return (unsigned int)src;
}
// CHECK-LABEL: @explicit_unsigned_int_to_signed_int
signed int explicit_unsigned_int_to_signed_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return (signed int)src;
}
// Explicit NOP conversions.
// ========================================================================== //
// CHECK-LABEL: @explicit_unsigned_int_to_unsigned_int
unsigned int explicit_unsigned_int_to_unsigned_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return (unsigned int)src;
}
// CHECK-LABEL: @explicit_signed_int_to_signed_int
signed int explicit_signed_int_to_signed_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return (signed int)src;
}
// Explicit functional sign-changing casts.
// ========================================================================== //
using UnsignedInt = unsigned int;
using SignedInt = signed int;
// CHECK-LABEL: explicit_functional_unsigned_int_to_signed_int
signed int explicit_functional_unsigned_int_to_signed_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return SignedInt(src);
}
// CHECK-LABEL: @explicit_functional_signed_int_to_unsigned_int
unsigned int explicit_functional_signed_int_to_unsigned_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return UnsignedInt(src);
}
// Explicit functional NOP casts.
// ========================================================================== //
// CHECK-LABEL: @explicit_functional_unsigned_int_to_unsigned_int
unsigned int explicit_functional_unsigned_int_to_unsigned_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return UnsignedInt(src);
}
// CHECK-LABEL: @explicit_functional_signed_int_to_signed_int
signed int explicit_functional_signed_int_to_signed_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return SignedInt(src);
}
// Explicit C++-style sign-changing casts.
// ========================================================================== //
// CHECK-LABEL: @explicit_cppstyle_unsigned_int_to_signed_int
signed int explicit_cppstyle_unsigned_int_to_signed_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return static_cast<signed int>(src);
}
// CHECK-LABEL: @explicit_cppstyle_signed_int_to_unsigned_int
unsigned int explicit_cppstyle_signed_int_to_unsigned_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return static_cast<unsigned int>(src);
}
// Explicit C++-style casts NOP casts.
// ========================================================================== //
// CHECK-LABEL: @explicit_cppstyle_unsigned_int_to_unsigned_int
unsigned int explicit_cppstyle_unsigned_int_to_unsigned_int(unsigned int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return static_cast<unsigned int>(src);
}
// CHECK-LABEL: @explicit_cppstyle_signed_int_to_signed_int
signed int explicit_cppstyle_signed_int_to_signed_int(signed int src) {
// CHECK-SANITIZE-NOT: call
// CHECK: }
return static_cast<signed int>(src);
}
} // extern "C"