Commit Graph

32 Commits

Author SHA1 Message Date
Alexey Samsonov 8e1162c71d Implement nonnull-attribute sanitizer
Summary:
This patch implements a new UBSan check, which verifies
that function arguments declared to be nonnull with __attribute__((nonnull))
are actually nonnull in runtime.

To implement this check, we pass FunctionDecl to CodeGenFunction::EmitCallArgs
(where applicable) and if function declaration has nonnull attribute specified
for a certain formal parameter, we compare the corresponding RValue to null as
soon as it's calculated.

Test Plan: regression test suite

Reviewers: rsmith

Reviewed By: rsmith

Subscribers: cfe-commits, rnk

Differential Revision: http://reviews.llvm.org/D5082

llvm-svn: 217389
2014-09-08 17:22:45 +00:00
Alexey Samsonov de443c5002 [UBSan] Add returns-nonnull sanitizer.
Summary:
This patch adds a runtime check verifying that functions
annotated with "returns_nonnull" attribute do in fact return nonnull pointers.
It is based on suggestion by Jakub Jelinek:
http://lists.cs.uiuc.edu/pipermail/llvm-commits/Week-of-Mon-20140623/223693.html.

Test Plan: regression test suite

Reviewers: rsmith

Reviewed By: rsmith

Subscribers: cfe-commits

Differential Revision: http://reviews.llvm.org/D4849

llvm-svn: 215485
2014-08-13 00:26:40 +00:00
Alexey Samsonov c993933e78 Check-labelize ubsan tests
llvm-svn: 213334
2014-07-17 23:53:44 +00:00
Alexey Samsonov 24cad99307 [UBSan] Add !nosanitize metadata to the code generated by UBSan.
This is used to mark the instructions emitted by Clang to implement
variety of UBSan checks. Generally, we don't want to instrument these
instructions with another sanitizers (like ASan).

Reviewed in http://reviews.llvm.org/D4544

llvm-svn: 213291
2014-07-17 18:46:27 +00:00
Matt Arsenault 2f15263807 Fix objectsize tests after r192117
llvm-svn: 192120
2013-10-07 19:00:18 +00:00
Richard Smith 2b01d5089b UBSan: Don't diagnose inf/nan conversions between floating-point types. It's far from clear whether these have undefined behavior, and these checks are helping no-one. Keep the double->float overflow warnings, though, since those are useful in practice, even though it's unclear whether such operations have defined behavior.
llvm-svn: 178194
2013-03-27 23:20:25 +00:00
Richard Smith 48366f7af9 ubsan: Pass floating-point arguments to the runtime by value if they fit the
value argument. If not, be sure we don't accidentally use a dynamic alloca.

llvm-svn: 177690
2013-03-22 00:47:07 +00:00
Richard Smith 4af40c4083 PR15383: When -fsanitize=float-cast-overflow checks a float-to-int conversion,
it wasn't taking into account that the float should be truncated *before* the
range check happens. Thus (unsigned)-0.99 and (unsigned char)255.9 have defined
behavior and should not be trapped.

llvm-svn: 177362
2013-03-19 00:01:12 +00:00
Will Dietz 11d0a9f278 [ubsan] Emit single check for left shift.
Avoids warning twice on same shift.

llvm-svn: 176056
2013-02-25 22:37:49 +00:00
Bill Wendling e1c4a1babd Update to use references to attribute groups instead of listing the attributes on the call/invoke instructions.
llvm-svn: 175878
2013-02-22 09:10:20 +00:00
Chad Rosier ae229d599b [ubsan] Implement the -fcatch-undefined-behavior flag using a trapping
implementation; this is much more inline with the original implementation
(i.e., pre-ubsan) and does not require run-time library support.

The trapping implementation can be invoked using either '-fcatch-undefined-behavior'
or '-fsanitize=undefined-trap -fsanitize-undefined-trap-on-error', with the latter
being preferred.  Eventually, the -fcatch-undefined-behavior' flag will be removed.

llvm-svn: 173848
2013-01-29 23:31:22 +00:00
Will Dietz 450f1a1f45 [ubsan] Make static check data non-const so it can be used for deduplication.
llvm-svn: 171947
2013-01-09 03:39:41 +00:00
David Tweed 042e0883cb Scalar shifts in the OpenCL specification (as of v. 1.2) are defined to be
with respect to the lower "left-hand-side bitwidth" bits, even when negative);
see OpenCL spec 6.3j. This patch both implements this behaviour in the code
generator and "constant folding" bits of Sema, and also prevents tests
to detect undefinedness in terms of the weaker C99 or C++ specifications
from being applied. 

llvm-svn: 171755
2013-01-07 16:43:27 +00:00
Will Dietz 3676d56b71 [ubsan] Recover by default, use -fno-sanitize-recover to disable.
llvm-svn: 171264
2012-12-30 20:53:28 +00:00
Will Dietz ddd282addb [ubsan] Emit branch weight metadata to hint towards common case.
Results in better block placement that helps close the
performance gap when making ubsan checks recoverable.

llvm-svn: 170263
2012-12-15 01:39:14 +00:00
Richard Smith 1629da95fe ubsan: Add -fsanitize=bool and -fsanitize=enum, which check for loads of
bit-patterns which are not valid values for enumerated or boolean types.
These checks are the ubsan analogue of !range metadata.

llvm-svn: 170108
2012-12-13 07:11:50 +00:00
Will Dietz 88e0233ff4 [ubsan] Add flag to enable recovery from checks when possible.
llvm-svn: 169114
2012-12-02 19:50:33 +00:00
Will Dietz 1897cb3b9c Add -fsanitize=integer for reporting suspicious integer behaviors.
Introduces new sanitizer "unsigned-integer-overflow".

llvm-svn: 168701
2012-11-27 15:01:55 +00:00
Richard Smith c86a114409 Classify the INT_MIN/-1 check as -fsanitize=signed-integer-overflow, not as -fsanitize=divide-by-zero.
llvm-svn: 167433
2012-11-06 02:30:30 +00:00
Richard Smith b1b0ab41e7 Use the individual -fsanitize=<...> arguments to control which of the UBSan
checks to enable. Remove frontend support for -fcatch-undefined-behavior,
-faddress-sanitizer and -fthread-sanitizer now that they don't do anything.

llvm-svn: 167413
2012-11-05 22:21:05 +00:00
Richard Smith 2d8b294b3c -fcatch-undefined-behavior: Start checking loads and stores for null pointers.
We want the diagnostic, and if the load is optimized away, we still want to
trap it. Stop checking non-default address spaces; that doesn't work in
general.

llvm-svn: 167219
2012-11-01 07:22:08 +00:00
Richard Smith f9a1e4ab7d -fcatch-undefined-behavior: Trap undefined behavior due to conversions to or
from a floating-point type where the source value is not in the range of
representable values of the destination type.

llvm-svn: 165843
2012-10-12 22:57:06 +00:00
Richard Smith 481652b3e3 -fcatch-undefined-behavior: catch a VLA bound which evalutes to a non-positive value.
llvm-svn: 165583
2012-10-10 01:11:12 +00:00
Richard Smith fe782158b2 Fix test broken by r165572.
llvm-svn: 165581
2012-10-10 01:02:07 +00:00
Richard Smith e30752c93b -fcatch-undefined-behavior: emit calls to the runtime library whenever one of the checks fails.
llvm-svn: 165536
2012-10-09 19:52:38 +00:00
Richard Smith 9f9e5826f2 If we flow off the end of a value-returning function:
- outside C++, return undef (behavior is not undefined unless the value is used)
 - in C++, with -fcatch-undefined-behavior, perform an appropriate trap
 - in C++, produce an 'unreachable' (behavior is undefined immediately)

llvm-svn: 165273
2012-10-04 23:52:29 +00:00
Richard Smith 3e056dea1b -fcatch-undefined-behavior: add the -ftrapv checks to the set of things caught
by this mode, and also check for signed left shift overflow. The rules for the
latter are a little subtle:

 * neither C89 nor C++98 specify the behavior of a signed left shift at all
 * in C99 and C11, shifting a 1 bit into the sign bit has undefined behavior
 * in C++11, with core issue 1457, shifting a 1 bit *out* of the sign bit has
   undefined behavior

As of this change, we use the C99 rules for all C language variants, and the
C++11 rules for all C++ language variants. Once we have individual
-fcatch-undefined-behavior= flags, this should be revisited.

llvm-svn: 162634
2012-08-25 00:32:28 +00:00
Richard Smith 69d0d2626a New -fcatch-undefined-behavior features:
* when checking that a pointer or reference refers to appropriate storage for a type, also check the alignment and perform a null check
 * check that references are bound to appropriate storage
 * check that 'this' has appropriate storage in member accesses and member function calls

llvm-svn: 162523
2012-08-24 00:54:33 +00:00
Nuno Lopes 9f5616a005 hopefully unbreak some buildbots
llvm-svn: 156357
2012-05-08 01:54:53 +00:00
Nuno Lopes f4c7679f35 make this test a little more useful. I'll add more tests for bound checking once -fbounds-checking patch gets in
llvm-svn: 156321
2012-05-07 20:23:03 +00:00
Benjamin Kramer 249f50ca04 Fix run line so this test actually tests something.
llvm-svn: 100962
2010-04-11 09:39:39 +00:00
Chris Lattner bc3be65d2e fix PR6805: llvm.objectsize changed to take an i1 instead of an i32.
llvm-svn: 100938
2010-04-10 18:34:14 +00:00