r297298 - [ubsan] Detect UB loads from bitfields

Evgenii Stepanov via cfe-commits cfe-commits at lists.llvm.org
Wed Mar 8 16:25:21 PST 2017


This is crashing ubsan bootstrap:

http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-bootstrap/builds/962/steps/build%20clang%2Fubsan/logs/stdio

clang-5.0: /mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm/include/llvm/IR/Instructions.h:1110:
void llvm::ICmpInst::AssertOK(): Assertion `getOperand(0)->getType()
== getOperand(1)->getType() && "Both operands to ICmp instruction are
not of the same type!"' failed.
#0 0x0000000001f571ba llvm::sys::PrintStackTrace(llvm::raw_ostream&)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x1f571ba)
#1 0x0000000001f54e5e llvm::sys::RunSignalHandlers()
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x1f54e5e)
#2 0x0000000001f54fd2 SignalHandler(int)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x1f54fd2)
#3 0x00007f7decc81390 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
#4 0x00007f7debc0e428 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x35428)
#5 0x00007f7debc1002a abort (/lib/x86_64-linux-gnu/libc.so.6+0x3702a)
#6 0x00007f7debc06bd7 (/lib/x86_64-linux-gnu/libc.so.6+0x2dbd7)
#7 0x00007f7debc06c82 (/lib/x86_64-linux-gnu/libc.so.6+0x2dc82)
#8 0x0000000002155ded llvm::IRBuilder<llvm::ConstantFolder,
clang::CodeGen::CGBuilderInserter>::CreateICmp(llvm::CmpInst::Predicate,
llvm::Value*, llvm::Value*, llvm::Twine const&)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x2155ded)
#9 0x00000000022ade21
clang::CodeGen::CodeGenFunction::EmitScalarRangeCheck(llvm::Value*,
clang::QualType, clang::SourceLocation)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x22ade21)
#10 0x00000000022af0ce
clang::CodeGen::CodeGenFunction::EmitLoadOfBitfieldLValue(clang::CodeGen::LValue,
clang::SourceLocation)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x22af0ce)
#11 0x00000000022af48f
clang::CodeGen::CodeGenFunction::EmitLoadOfLValue(clang::CodeGen::LValue,
clang::SourceLocation)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x22af48f)
#12 0x00000000022df2ab (anonymous
namespace)::ScalarExprEmitter::EmitLoadOfLValue(clang::Expr const*)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x22df2ab)
#13 0x0000000000870194 (anonymous
namespace)::ScalarExprEmitter::VisitMemberExpr(clang::MemberExpr*)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x870194)
#14 0x00000000022dd7a4 (anonymous
namespace)::ScalarExprEmitter::Visit(clang::Expr*)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x22dd7a4)
#15 0x0000000000870973 (anonymous
namespace)::ScalarExprEmitter::VisitCastExpr(clang::CastExpr*)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x870973)
#16 0x00000000022ddad0 (anonymous
namespace)::ScalarExprEmitter::Visit(clang::Expr*)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x22ddad0)
#17 0x00000000022de763
clang::CodeGen::CodeGenFunction::EmitScalarExpr(clang::Expr const*,
bool) (/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x22de763)
#18 0x00000000022a023d
clang::CodeGen::CodeGenFunction::EvaluateExprAsBool(clang::Expr
const*) (/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x22a023d)
#19 0x000000000217f789
clang::CodeGen::CodeGenFunction::EmitBranchOnBoolExpr(clang::Expr
const*, llvm::BasicBlock*, llvm::BasicBlock*, unsigned long)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x217f789)
#20 0x000000000217fdaf
clang::CodeGen::CodeGenFunction::EmitBranchOnBoolExpr(clang::Expr
const*, llvm::BasicBlock*, llvm::BasicBlock*, unsigned long)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x217fdaf)
#21 0x0000000002148c63
clang::CodeGen::CodeGenFunction::EmitIfStmt(clang::IfStmt const&)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x2148c63)
#22 0x0000000002147b57
clang::CodeGen::CodeGenFunction::EmitStmt(clang::Stmt const*)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x2147b57)
#23 0x00000000021485ef
clang::CodeGen::CodeGenFunction::EmitCompoundStmtWithoutScope(clang::CompoundStmt
const&, bool, clang::CodeGen::AggValueSlot)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x21485ef)
#24 0x00000000021488f7
clang::CodeGen::CodeGenFunction::EmitCompoundStmt(clang::CompoundStmt
const&, bool, clang::CodeGen::AggValueSlot)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x21488f7)
#25 0x000000000214b7b3
clang::CodeGen::CodeGenFunction::EmitSimpleStmt(clang::Stmt const*)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x214b7b3)
#26 0x0000000002147435
clang::CodeGen::CodeGenFunction::EmitStmt(clang::Stmt const*)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x2147435)
#27 0x000000000227d4cc
clang::CodeGen::CodeGenFunction::EmitDestructorBody(clang::CodeGen::FunctionArgList&)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x227d4cc)
#28 0x0000000002185ceb
clang::CodeGen::CodeGenFunction::GenerateCode(clang::GlobalDecl,
llvm::Function*, clang::CodeGen::CGFunctionInfo const&)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x2185ceb)
#29 0x000000000224e2f8
clang::CodeGen::CodeGenModule::codegenCXXStructor(clang::CXXMethodDecl
const*, clang::CodeGen::StructorType)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x224e2f8)
#30 0x00000000021e8eb2 (anonymous
namespace)::ItaniumCXXABI::emitCXXStructor(clang::CXXMethodDecl
const*, clang::CodeGen::StructorType)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x21e8eb2)
#31 0x00000000021b626d
clang::CodeGen::CodeGenModule::EmitGlobalDefinition(clang::GlobalDecl,
llvm::GlobalValue*)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x21b626d)
#32 0x00000000021b64cc clang::CodeGen::CodeGenModule::EmitDeferred()
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x21b64cc)
#33 0x00000000021b64e6 clang::CodeGen::CodeGenModule::EmitDeferred()
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x21b64e6)
#34 0x00000000021b6684 clang::CodeGen::CodeGenModule::Release()
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x21b6684)
#35 0x00000000027bfd37 (anonymous
namespace)::CodeGeneratorImpl::HandleTranslationUnit(clang::ASTContext&)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x27bfd37)
#36 0x00000000027be875
clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x27be875)
#37 0x0000000002b5c578 clang::ParseAST(clang::Sema&, bool, bool)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x2b5c578)
#38 0x00000000027bdb5a clang::CodeGenAction::ExecuteAction()
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x27bdb5a)
#39 0x000000000248e3f6 clang::FrontendAction::Execute()
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x248e3f6)
#40 0x0000000002460d46
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x2460d46)
#41 0x000000000251658a
clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0x251658a)
#42 0x0000000000a6e328 cc1_main(llvm::ArrayRef<char const*>, char
const*, void*) (/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0xa6e328)
#43 0x0000000000a028cc main
(/mnt/b/sanitizer-buildbot2/sanitizer-x86_64-linux-bootstrap/build/llvm_build0/bin/clang-5.0+0xa028cc)

On Wed, Mar 8, 2017 at 9:38 AM, Vedant Kumar via cfe-commits
<cfe-commits at lists.llvm.org> wrote:
> Author: vedantk
> Date: Wed Mar  8 11:38:57 2017
> New Revision: 297298
>
> URL: http://llvm.org/viewvc/llvm-project?rev=297298&view=rev
> Log:
> [ubsan] Detect UB loads from bitfields
>
> It's possible to load out-of-range values from bitfields backed by a
> boolean or an enum. Check for UB loads from bitfields.
>
> This is the motivating example:
>
>   struct S {
>     BOOL b : 1; // Signed ObjC BOOL.
>   };
>
>   S s;
>   s.b = 1; // This is actually stored as -1.
>   if (s.b == 1) // Evaluates to false, -1 != 1.
>     ...
>
> Differential Revision: https://reviews.llvm.org/D30423
>
> Added:
>     cfe/trunk/test/CodeGenCXX/ubsan-bitfields.cpp
> Modified:
>     cfe/trunk/lib/CodeGen/CGAtomic.cpp
>     cfe/trunk/lib/CodeGen/CGExpr.cpp
>     cfe/trunk/lib/CodeGen/CodeGenFunction.h
>     cfe/trunk/test/CodeGenObjC/ubsan-bool.m
>
> Modified: cfe/trunk/lib/CodeGen/CGAtomic.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/CodeGen/CGAtomic.cpp?rev=297298&r1=297297&r2=297298&view=diff
> ==============================================================================
> --- cfe/trunk/lib/CodeGen/CGAtomic.cpp (original)
> +++ cfe/trunk/lib/CodeGen/CGAtomic.cpp Wed Mar  8 11:38:57 2017
> @@ -1181,7 +1181,7 @@ RValue AtomicInfo::convertAtomicTempToRV
>    if (LVal.isBitField())
>      return CGF.EmitLoadOfBitfieldLValue(
>          LValue::MakeBitfield(addr, LVal.getBitFieldInfo(), LVal.getType(),
> -                             LVal.getAlignmentSource()));
> +                             LVal.getAlignmentSource()), loc);
>    if (LVal.isVectorElt())
>      return CGF.EmitLoadOfLValue(
>          LValue::MakeVectorElt(addr, LVal.getVectorIdx(), LVal.getType(),
>
> Modified: cfe/trunk/lib/CodeGen/CGExpr.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/CodeGen/CGExpr.cpp?rev=297298&r1=297297&r2=297298&view=diff
> ==============================================================================
> --- cfe/trunk/lib/CodeGen/CGExpr.cpp (original)
> +++ cfe/trunk/lib/CodeGen/CGExpr.cpp Wed Mar  8 11:38:57 2017
> @@ -1549,10 +1549,11 @@ RValue CodeGenFunction::EmitLoadOfLValue
>      return EmitLoadOfGlobalRegLValue(LV);
>
>    assert(LV.isBitField() && "Unknown LValue type!");
> -  return EmitLoadOfBitfieldLValue(LV);
> +  return EmitLoadOfBitfieldLValue(LV, Loc);
>  }
>
> -RValue CodeGenFunction::EmitLoadOfBitfieldLValue(LValue LV) {
> +RValue CodeGenFunction::EmitLoadOfBitfieldLValue(LValue LV,
> +                                                 SourceLocation Loc) {
>    const CGBitFieldInfo &Info = LV.getBitFieldInfo();
>
>    // Get the output type.
> @@ -1577,7 +1578,7 @@ RValue CodeGenFunction::EmitLoadOfBitfie
>                                "bf.clear");
>    }
>    Val = Builder.CreateIntCast(Val, ResLTy, Info.IsSigned, "bf.cast");
> -
> +  EmitScalarRangeCheck(Val, LV.getType(), Loc);
>    return RValue::get(Val);
>  }
>
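Review bot: The `EmitScalarRangeCheck(Val, LV.getType(), Loc)` line added here is where the bootstrap crash reported in this thread originates: frames #8–#10 of the trace go CreateICmp ← EmitScalarRangeCheck ← EmitLoadOfBitfieldLValue and fail the "both operands to ICmp are of the same type" assertion. `Val` has just been cast to `ResLTy` by the `bf.cast` line above, while the check's bound constants are built from `LV.getType()`; presumably for some field type (the trace is inside a destructor body, so a `bool` bitfield in a C++ class is a plausible candidate) the scalar type and the width the range check derives from the QualType differ, leaving an i1 compared against a wider constant. Before calling the check, reconcile the two — e.g. skip it or cast when `Val->getType() != ConvertTypeForMem(LV.getType())` — and add a regression test reduced from the crashing input. The body of EmitLoadOfBitfieldLValue begins in the previous hunk and its middle lies outside the shown hunks, so the value of `ResLTy` cannot be confirmed from here.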
>
> Modified: cfe/trunk/lib/CodeGen/CodeGenFunction.h
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/CodeGen/CodeGenFunction.h?rev=297298&r1=297297&r2=297298&view=diff
> ==============================================================================
> --- cfe/trunk/lib/CodeGen/CodeGenFunction.h (original)
> +++ cfe/trunk/lib/CodeGen/CodeGenFunction.h Wed Mar  8 11:38:57 2017
> @@ -2943,7 +2943,7 @@ public:
>    /// rvalue, returning the rvalue.
>    RValue EmitLoadOfLValue(LValue V, SourceLocation Loc);
>    RValue EmitLoadOfExtVectorElementLValue(LValue V);
> -  RValue EmitLoadOfBitfieldLValue(LValue LV);
> +  RValue EmitLoadOfBitfieldLValue(LValue LV, SourceLocation Loc);
>    RValue EmitLoadOfGlobalRegLValue(LValue LV);
>
>    /// EmitStoreThroughLValue - Store the specified rvalue into the specified
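Review bot: The new `SourceLocation Loc` parameter on `EmitLoadOfBitfieldLValue` is undocumented, and its meaning (the location reported by the sanitizer check, not the location of the lvalue expression) is not obvious from the signature; the neighbouring `EmitLoadOfLValue` declaration at least inherits the comment above it. Suggest a one-line Doxygen comment on the declaration: `/// Load the value of a bitfield lvalue. Loc is reported by the UBSan range check emitted on the loaded value (bool- and enum-typed fields).` The "bool and enum" scope is taken from the commit message rather than from code visible in this hunk, so confirm it against EmitScalarRangeCheck before wording it that way.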
>
> Added: cfe/trunk/test/CodeGenCXX/ubsan-bitfields.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/CodeGenCXX/ubsan-bitfields.cpp?rev=297298&view=auto
> ==============================================================================
> --- cfe/trunk/test/CodeGenCXX/ubsan-bitfields.cpp (added)
> +++ cfe/trunk/test/CodeGenCXX/ubsan-bitfields.cpp Wed Mar  8 11:38:57 2017
> @@ -0,0 +1,21 @@
> +// RUN: %clang_cc1 -std=c++11 -triple x86_64-apple-darwin10 -emit-llvm -o - %s -fsanitize=enum | FileCheck %s
> +
> +enum E {
> +  a = 1,
> +  b = 2,
> +  c = 3
> +};
> +
> +struct S {
> +  E e1 : 10;
> +};
> +
> +// CHECK-LABEL: define i32 @_Z4loadP1S
> +E load(S *s) {
> +  // CHECK: [[LOAD:%.*]] = load i16, i16* {{.*}}
> +  // CHECK: [[CLEAR:%.*]] = and i16 [[LOAD]], 1023
> +  // CHECK: [[CAST:%.*]] = zext i16 [[CLEAR]] to i32
> +  // CHECK: icmp ule i32 [[CAST]], 3, !nosanitize
> +  // CHECK: call void @__ubsan_handle_load_invalid_value
> +  return s->e1;
> +}
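Review bot: The new test covers only the zero-extended path (`zext i16 ... to i32`) of an unsigned enum bitfield under `-fsanitize=enum`; there is no C++ case for a `bool` bitfield under `-fsanitize=bool`, which the bootstrap trace elsewhere in this thread (EmitLoadOfBitfieldLValue → EmitScalarRangeCheck asserting in CreateICmp from a destructor) suggests is the path that breaks. Consider adding a second RUN line with `-fsanitize=bool` and a case such as `struct T { bool b : 1; }; bool loadb(T *t) { return t->b; }`, with CHECK lines pinning that the `icmp` operands share a type. A signed-enum field (fixed signed underlying type) would also exercise the `ashr`/`Info.IsSigned` path that the ObjC test only reaches through `BOOL`.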
>
> Modified: cfe/trunk/test/CodeGenObjC/ubsan-bool.m
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/CodeGenObjC/ubsan-bool.m?rev=297298&r1=297297&r2=297298&view=diff
> ==============================================================================
> --- cfe/trunk/test/CodeGenObjC/ubsan-bool.m (original)
> +++ cfe/trunk/test/CodeGenObjC/ubsan-bool.m Wed Mar  8 11:38:57 2017
> @@ -1,5 +1,5 @@
> -// RUN: %clang_cc1 -x objective-c -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - | FileCheck %s -check-prefixes=SHARED,OBJC
> -// RUN: %clang_cc1 -x objective-c++ -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - | FileCheck %s -check-prefixes=SHARED,OBJC
> +// RUN: %clang_cc1 -x objective-c -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - -w | FileCheck %s -check-prefixes=SHARED,OBJC
> +// RUN: %clang_cc1 -x objective-c++ -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - -w | FileCheck %s -check-prefixes=SHARED,OBJC
>  // RUN: %clang_cc1 -x c -emit-llvm -triple x86_64-apple-macosx10.10.0 -fsanitize=bool %s -o - | FileCheck %s -check-prefixes=SHARED,C
>
>  typedef signed char BOOL;
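Review bot: Adding `-w` to the two Objective-C RUN lines silences every diagnostic for those runs, so a future unrelated warning (or error-promoted warning) in this file would go unnoticed; the C RUN line is left without it. If a single warning from the new bitfield/ivar declarations is the reason, a targeted `-Wno-<that-warning>` on those two lines keeps the test sensitive to everything else, and a short comment above the RUN lines saying which diagnostic is being suppressed would make the intent clear.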
> @@ -10,4 +10,57 @@ BOOL f1() {
>    // C-NOT: call void @__ubsan_handle_load_invalid_value
>    BOOL a = 2;
>    return a + 1;
> +  // SHARED: ret i8
>  }
> +
> +struct S1 {
> +  BOOL b1 : 1;
> +};
> +
> +// SHARED-LABEL: f2
> +BOOL f2(struct S1 *s) {
> +  // OBJC: [[LOAD:%.*]] = load i8, i8* {{.*}}
> +  // OBJC: [[SHL:%.*]] = shl i8 [[LOAD]], 7
> +  // OBJC: [[ASHR:%.*]] = ashr i8 [[SHL]], 7
> +  // OBJC: icmp ule i8 [[ASHR]], 1, !nosanitize
> +  // OBJC: call void @__ubsan_handle_load_invalid_value
> +
> +  // C-NOT: call void @__ubsan_handle_load_invalid_value
> +  return s->b1;
> +  // SHARED: ret i8
> +}
> +
> +#ifdef __OBJC__
> + at interface I1 {
> + at public
> +  BOOL b1 : 1;
> +}
> + at property (nonatomic) BOOL b1;
> + at end
> + at implementation I1
> + at synthesize b1;
> + at end
> +
> +// Check the synthesized getter.
> +// OBJC-LABEL: define internal signext i8 @"\01-[I1 b1]"
> +// OBJC: [[IVAR:%.*]] = load i64, i64* @"OBJC_IVAR_$_I1.b1"
> +// OBJC: [[ADDR:%.*]] = getelementptr inbounds i8, i8* {{.*}}, i64 [[IVAR]]
> +// OBJC: [[LOAD:%.*]] = load i8, i8* {{.*}}
> +// OBJC: [[SHL:%.*]] = shl i8 [[LOAD]], 7
> +// OBJC: [[ASHR:%.*]] = ashr i8 [[SHL]], 7
> +// OBJC: icmp ule i8 [[ASHR]], 1, !nosanitize
> +// OBJC: call void @__ubsan_handle_load_invalid_value
> +
> +// Also check direct accesses to the ivar.
> +// OBJC-LABEL: f3
> +BOOL f3(I1 *i) {
> +  // OBJC: [[LOAD:%.*]] = load i8, i8* {{.*}}
> +  // OBJC: [[SHL:%.*]] = shl i8 [[LOAD]], 7
> +  // OBJC: [[ASHR:%.*]] = ashr i8 [[SHL]], 7
> +  // OBJC: icmp ule i8 [[ASHR]], 1, !nosanitize
> +  // OBJC: call void @__ubsan_handle_load_invalid_value
> +
> +  return i->b1;
> +  // OBJC: ret i8
> +}
> +#endif /* __OBJC__ */
>
>

