Commit Graph

53 Commits

Author SHA1 Message Date
Vedant Kumar aa4ea5fb45 [ubsan] Don't emit function signatures for non-static member functions
The function sanitizer only checks indirect calls through function
pointers. This excludes all non-static member functions (constructor
calls, calls through thunks, etc. all use a separate code path). Don't
emit function signatures for functions that won't be checked.

Apart from cutting down on code size, this should fix a regression on
Linux caused by r313096. For context, see the mailing list discussion:

r313096 - [ubsan] Function Sanitizer: Don't require writable text segments

Testing: check-clang, check-ubsan

Differential Revision: https://reviews.llvm.org/D38913

llvm-svn: 315786
2017-10-14 01:23:30 +00:00
Vedant Kumar 8e2baf96f0 Tighten up a test case. NFC.
llvm-svn: 313098
2017-09-13 00:04:36 +00:00
Vedant Kumar bb5d485cd3 [ubsan] Function Sanitizer: Don't require writable text segments
This change will make it possible to use -fsanitize=function on Darwin and
possibly on other platforms. It fixes an issue with the way RTTI is stored into
function prologue data.

On Darwin, addresses stored in prologue data can't require run-time fixups and
must be PC-relative. Run-time fixups are undesirable because they necessitate
writable text segments, which can lead to security issues. And absolute
addresses are undesirable because they break PIE mode.

The fix is to create a private global which points to the RTTI, and then to
encode a PC-relative reference to the global into prologue data.

Differential Revision: https://reviews.llvm.org/D37597

llvm-svn: 313096
2017-09-13 00:04:35 +00:00
Richard Smith 376c28e296 [ubsan] PR34266: When sanitizing the 'this' value for a member function that happens to be a lambda call operator, use the lambda's 'this' pointer, not the captured enclosing 'this' pointer (if any).
Do not sanitize the 'this' pointer of a member call operator for a lambda with
no capture-default, since that call operator can legitimately be called with a
null this pointer from the static invoker function. Any actual call with a null
this pointer should still be caught in the caller (if it is being sanitized).

This reinstates r311589 (reverted in r311680) with the above fix.

llvm-svn: 311695
2017-08-24 20:10:33 +00:00
Adrian Prantl 1b6d8713e4 Revert "[ubsan] PR34266: When sanitizing the 'this' value for a member function that happens to be a lambda call operator, use the lambda's 'this' pointer, not the captured enclosing 'this' pointer (if any)."
This reverts commit r311589 because of bot breakage.
http://green.lab.llvm.org/green/job/clang-stage2-cmake-RgSan_check/4115/consoleFull#15752874848254eaf0-7326-4999-85b0-388101f2d404.

llvm-svn: 311680
2017-08-24 18:18:24 +00:00
Richard Smith e3a5e8f03d [ubsan] PR34266: When sanitizing the 'this' value for a member function that happens to be a lambda call operator, use the lambda's 'this' pointer, not the captured enclosing 'this' pointer (if any).
llvm-svn: 311589
2017-08-23 19:39:04 +00:00
Vedant Kumar a0c3671b20 [ubsan] Have -fsanitize=vptr emit a null check if -fsanitize=null isn't available
In r309007, I made -fsanitize=null a hard prerequisite for -fsanitize=vptr. I
did not see the need for the two checks to have separate null checking logic
for the same pointer. I expected the two checks to either always be enabled
together, or to be mutually compatible.

In the mailing list discussion re: r309007 it became clear that that isn't the
case. If a codebase is -fsanitize=vptr clean but not -fsanitize=null clean,
it's useful to have -fsanitize=vptr emit its own null check. That's what this
patch does: with it, -fsanitize=vptr can be used without -fsanitize=null.

Differential Revision: https://reviews.llvm.org/D36112

llvm-svn: 309846
2017-08-02 18:10:31 +00:00
Vedant Kumar bbc953fed4 [ubsan] Null-check pointers in -fsanitize=vptr (PR33881)
The instrumentation generated by -fsanitize=vptr does not null check a
user pointer before loading from it. This causes crashes in the face of
UB member calls (this=nullptr), i.e it's causing user programs to crash
only after UBSan is turned on.

The fix is to make run-time null checking a prerequisite for enabling
-fsanitize=vptr, and to then teach UBSan to reuse these run-time null
checks to make -fsanitize=vptr safe.

Testing: check-clang, check-ubsan, a stage2 ubsan-enabled build

Differential Revision: https://reviews.llvm.org/D35735

https://bugs.llvm.org/show_bug.cgi?id=33881

llvm-svn: 309007
2017-07-25 19:34:23 +00:00
Richard Smith 9e67b9922b P0145R3 (C++17 evaluation order tweaks): consistently emit the LHS of array
subscripting before the RHS, regardless of which is the base and which is the
index.

llvm-svn: 282453
2016-09-26 23:49:47 +00:00
NAKAMURA Takumi f9c52dc3e7 Make clang/test/CodeGen/catch-undef-behavior.c* capable of -Asserts with "opt -instnamer".
It reverts r231717.

llvm-svn: 247667
2015-09-15 09:50:24 +00:00
NAKAMURA Takumi f65421ad9f Suppress a couple of tests, clang/test/CodeGen/catch-undef-behavior.c and one, for -Asserts for now. They were introduced in r231711.
llvm-svn: 231717
2015-03-09 22:32:03 +00:00
Alexey Samsonov 21d2dda3d2 [UBSan] Split -fsanitize=shift into -fsanitize=shift-base and -fsanitize=shift-exponent.
This is a recommit of r231150, reverted in r231409. Turns out
that -fsanitize=shift-base check implementation only works if the
shift exponent is valid, otherwise it contains undefined behavior
itself.

Make sure we check that exponent is valid before we proceed to
check the base. Make sure that we actually report invalid values
of base or exponent if -fsanitize=shift-base or
-fsanitize=shift-exponent is specified, respectively.

llvm-svn: 231711
2015-03-09 21:50:19 +00:00
Alexey Samsonov 48a9db034a Revert "[UBSan] Split -fsanitize=shift into -fsanitize=shift-base and -fsanitize=shift-exponent."
It's not that easy. If we're only checking -fsanitize=shift-base we
still need to verify that exponent has sane value, otherwise
UBSan-inserted checks for base will contain undefined behavior
themselves.

llvm-svn: 231409
2015-03-05 21:57:35 +00:00
Alexey Samsonov 783b8174ad [UBSan] Split -fsanitize=shift into -fsanitize=shift-base and -fsanitize=shift-exponent.
-fsanitize=shift is now a group that includes both these checks, so
exisiting users should not be affected.

This change introduces two new UBSan kinds that sanitize only left-hand
side and right-hand side of shift operation. In practice, invalid
exponent value (negative or too large) tends to cause more portability
problems, including inconsistencies between different compilers, crashes
and inadequeate results on non-x86 architectures etc. That is,
-fsanitize=shift-exponent failures should generally be addressed first.

As a bonus, this change simplifies CodeGen implementation for emitting left
shift (separate checks for base and exponent are now merged by the
existing generic logic in EmitCheck()), and LLVM IR for these checks
(the number of basic blocks is reduced).

llvm-svn: 231150
2015-03-03 22:15:35 +00:00
David Blaikie a953f2825b Update Clang tests to handle explicitly typed load changes in LLVM.
llvm-svn: 230795
2015-02-27 21:19:58 +00:00
David Blaikie 218b783192 Update Clang tests to handle explicitly typed gep changes in LLVM.
llvm-svn: 230783
2015-02-27 19:18:17 +00:00
Peter Collingbourne 69b004d987 UBSan: Use the correct function prologue for x32.
llvm-svn: 230571
2015-02-25 23:18:42 +00:00
Rafael Espindola e5df59ff78 Emit DeferredDeclsToEmit in a DFS order.
Currently we emit DeferredDeclsToEmit in reverse order. This patch changes that.

The advantages of the change are that

* The output order is a bit closer to the source order. The change to
test/CodeGenCXX/pod-member-memcpys.cpp is a good example.

* If we decide to deffer more, it will not cause as large changes in the
estcases as it would without this patch.

llvm-svn: 226751
2015-01-22 00:24:57 +00:00
Alexey Samsonov 8845952b54 Reimplement -fsanitize-recover family of flags.
Introduce the following -fsanitize-recover flags:
  - -fsanitize-recover=<list>: Enable recovery for selected checks or
      group of checks. It is forbidden to explicitly list unrecoverable
      sanitizers here (that is, "address", "unreachable", "return").
  - -fno-sanitize-recover=<list>: Disable recovery for selected checks or
     group of checks.
  - -f(no-)?sanitize-recover is now a synonym for
    -f(no-)?sanitize-recover=undefined,integer and will soon be deprecated.

These flags are parsed left to right, and mask of "recoverable"
sanitizer is updated accordingly, much like what we do for -fsanitize= flags.
-fsanitize= and -fsanitize-recover= flag families are independent.

CodeGen change: If there is a single UBSan handler function, responsible
for implementing multiple checks, which have different recoverable setting,
then we emit two handler calls instead of one:
the first one for the set of "unrecoverable" checks, another one - for
set of "recoverable" checks. If all checks implemented by a handler have the
same recoverability setting, then the generated code will be the same.

llvm-svn: 225719
2015-01-12 22:39:12 +00:00
Peter Collingbourne 6b46e381e6 Update test to check for prologue instead of prefix
llvm-svn: 223191
2014-12-03 02:37:10 +00:00
Alexey Samsonov e396bfc064 Bundle conditions checked by UBSan with sanitizer kinds they implement.
Summary:
This change makes CodeGenFunction::EmitCheck() take several
conditions that needs to be checked (all of them need to be true),
together with sanitizer kinds these checks are for. This would allow
to split one call into UBSan runtime into several calls in case
different sanitizer kinds would have different recoverability
settings.

Tests should be fixed accordingly, I'm working on it.

Test Plan: regression test suite.

Reviewers: rsmith

Reviewed By: rsmith

Subscribers: cfe-commits

Differential Revision: http://reviews.llvm.org/D6219

llvm-svn: 221716
2014-11-11 22:03:54 +00:00
Alexey Samsonov eb47d8a2c8 Sanitize upcasts and conversion to virtual base.
This change adds UBSan check to upcasts. Namely, when we
perform derived-to-base conversion, we:
1) check that the pointer-to-derived has suitable alignment
   and underlying storage, if this pointer is non-null.
2) if vptr-sanitizer is enabled, and we perform conversion to
   virtual base, we check that pointer-to-derived has a matching vptr.

llvm-svn: 219642
2014-10-13 23:59:00 +00:00
Alexey Samsonov 32f59d8e1e [UBsan] Skip -fsanitize=vptr instrumentations when the pointer value is null.
Otherwise -fsanitize=vptr causes the program to crash when it downcasts
a null pointer.

Reviewed in http://reviews.llvm.org/D4412.
Patch by Byoungyoung Lee!

llvm-svn: 213393
2014-07-18 18:15:39 +00:00
Alexey Samsonov 6c12414358 Make sure globals created by UBSan are not instrumented by ASan.
Summary:
This change adds description of globals created by UBSan
instrumentation (UBSan handlers, type descriptors, filenames) to
llvm.asan.globals metadata, effectively "blacklisting" them. This can
dramatically decrease the data section in binaries built with UBSan+ASan,
as UBSan tends to create a lot of handlers, and ASan instrumentation
increases the global size to at least 64 bytes.

Test Plan: clang regression test suite

Reviewers: rsmith

Reviewed By: rsmith

Subscribers: cfe-commits, byoungyoung, kcc

Differential Revision: http://reviews.llvm.org/D4575

llvm-svn: 213392
2014-07-18 17:50:06 +00:00
Hal Finkel a2347baaec Mark C++ reference parameters as dereferenceable
Because references must be initialized using some evaluated expression, they
must point to something, and a callee can assume the reference parameter is
dereferenceable. Taking advantage of a new attribute just added to LLVM, mark
them as such.

Because dereferenceability in addrspace(0) implies nonnull in the backend, we
don't need both attributes. However, we need to know the size of the object to
use the dereferenceable attribute, so for incomplete types we still emit only
nonnull.

llvm-svn: 213386
2014-07-18 15:52:10 +00:00
Alexey Samsonov c993933e78 Check-labelize ubsan tests
llvm-svn: 213334
2014-07-17 23:53:44 +00:00
Nick Lewycky 9b46eb8112 Add 'nonnull' parameter or return attribute when producing an llvm pointer type in a function type where the C++ type is a reference. Update the tests.
llvm-svn: 209723
2014-05-28 09:56:42 +00:00
Richard Smith 6b53e224eb Split -fsanitize=bounds to -fsanitize=array-bounds (for the frontend-inserted
check using the ubsan runtime) and -fsanitize=local-bounds (for the middle-end
check which inserts traps).

Remove -fsanitize=local-bounds from -fsanitize=undefined. It does not produce
useful diagnostics and has false positives (PR17635), and is not a good
compromise position between UBSan's checks and ASan's checks.

Map -fbounds-checking to -fsanitize=local-bounds to restore Clang's historical
behavior for that flag.

llvm-svn: 193205
2013-10-22 22:51:04 +00:00
Peter Collingbourne b453cd64a7 Implement function type checker for the undefined behavior sanitizer.
This uses function prefix data to store function type information at the
function pointer.

Differential Revision: http://llvm-reviews.chandlerc.com/D1338

llvm-svn: 193058
2013-10-20 21:29:19 +00:00
Matt Arsenault 2f15263807 Fix objectsize tests after r192117
llvm-svn: 192120
2013-10-07 19:00:18 +00:00
Nick Lewycky 8b4e379de3 Disable the bool and enum sanitizers when emitting the implicitly-defined copy
constructor, copy assignment operator and move assignment operator.

llvm-svn: 190481
2013-09-11 02:03:20 +00:00
Stephen Lin 4362261b00 CHECK-LABEL-ify some code gen tests to improve diagnostic experience when tests fail.
llvm-svn: 188447
2013-08-15 06:47:53 +00:00
Filipe Cabecinhas b2eb1d9129 catch-undefined-behavior.cpp: Remove names that don't appear in every build.
llvm-svn: 187952
2013-08-08 01:24:29 +00:00
Filipe Cabecinhas 496fec4991 UBSan: Fix naming for IR variables in catch-undef-behavior.cpp
llvm-svn: 187951
2013-08-08 01:18:31 +00:00
Filipe Cabecinhas 178a8df660 UBSan: Fix alignment checks emitted in downcasts.
Summary:
UBSan was checking for alignment of the derived class on the pointer to
the base class, before converting. With some class hierarchies, this could
generate false positives.

Added test-case.

llvm-svn: 187948
2013-08-08 01:08:17 +00:00
Will Dietz 11d0a9f278 [ubsan] Emit single check for left shift.
Avoids warning twice on same shift.

llvm-svn: 176056
2013-02-25 22:37:49 +00:00
Richard Smith 2847b22029 PR15338: Don't assert if -fsanitize=bounds sees array indexing on an incomplete
array type.

llvm-svn: 175982
2013-02-24 01:56:24 +00:00
Richard Smith 539e4a77bb ubsan: Emit bounds checks for array indexing, vector indexing, and (in really simple cases) pointer arithmetic. This augments the existing bounds checking with language-level array bounds information.
llvm-svn: 175949
2013-02-23 02:53:19 +00:00
Bill Wendling e1c4a1babd Update to use references to attribute groups instead of listing the attributes on the call/invoke instructions.
llvm-svn: 175878
2013-02-22 09:10:20 +00:00
Richard Smith 2c5868c334 ubsan: Add checking for invalid downcasts. Per [expr.static.cast]p2 and p11,
base-to-derived casts have undefined behavior if the object is not actually an
instance of the derived type.

llvm-svn: 175078
2013-02-13 21:18:23 +00:00
Will Dietz 3676d56b71 [ubsan] Recover by default, use -fno-sanitize-recover to disable.
llvm-svn: 171264
2012-12-30 20:53:28 +00:00
Richard Smith be024a8150 Rein ubsan's vptr sanitizer back a bit. Per core issue 453, binding a reference
to an object outside its lifetime does not have undefined behavior.

llvm-svn: 170387
2012-12-18 00:22:45 +00:00
Richard Smith 1629da95fe ubsan: Add -fsanitize=bool and -fsanitize=enum, which check for loads of
bit-patterns which are not valid values for enumerated or boolean types.
These checks are the ubsan analogue of !range metadata.

llvm-svn: 170108
2012-12-13 07:11:50 +00:00
Will Dietz 88e0233ff4 [ubsan] Add flag to enable recovery from checks when possible.
llvm-svn: 169114
2012-12-02 19:50:33 +00:00
Will Dietz 1897cb3b9c Add -fsanitize=integer for reporting suspicious integer behaviors.
Introduces new sanitizer "unsigned-integer-overflow".

llvm-svn: 168701
2012-11-27 15:01:55 +00:00
Richard Smith b1b0ab41e7 Use the individual -fsanitize=<...> arguments to control which of the UBSan
checks to enable. Remove frontend support for -fcatch-undefined-behavior,
-faddress-sanitizer and -fthread-sanitizer now that they don't do anything.

llvm-svn: 167413
2012-11-05 22:21:05 +00:00
Richard Smith 3750e7776b Fix the other occurrence of the problem fixed by r166731.
llvm-svn: 166735
2012-10-25 23:05:00 +00:00
Richard Smith 9421156acc LLVM's hashing routines produce a size_t, and thus generate different values for 32- and 64-bit host compilers. This really needs to be fixed -- the IR generated should not depend on the host -- but this change will get the bots green again. Proper fix to follow.
llvm-svn: 166731
2012-10-25 22:27:30 +00:00
Richard Smith 1048356524 Add a more direct test for r166661.
llvm-svn: 166727
2012-10-25 21:59:45 +00:00
Richard Smith e30752c93b -fcatch-undefined-behavior: emit calls to the runtime library whenever one of the checks fails.
llvm-svn: 165536
2012-10-09 19:52:38 +00:00