[all-commits] [llvm/llvm-project] 88cbb2: [clang] Fix crash in dynamic_cast final class opti...

Oliver Hunt via All-commits all-commits at lists.llvm.org
Mon Aug 4 21:36:51 PDT 2025


  Branch: refs/heads/users/ojhunt/PR-148088
  Home:   https://github.com/llvm/llvm-project
  Commit: 88cbb27092d25b1bcf774737c69c9be15ae9b85c
      https://github.com/llvm/llvm-project/commit/88cbb27092d25b1bcf774737c69c9be15ae9b85c
  Author: Oliver Hunt <oliver at apple.com>
  Date:   2025-08-04 (Mon, 04 Aug 2025)

  Changed paths:
    M clang/lib/CodeGen/CGExprCXX.cpp
    M clang/lib/CodeGen/ItaniumCXXABI.cpp
    M clang/test/CodeGenCXX/dynamic-cast-exact-disabled.cpp
    M clang/test/CodeGenCXX/dynamic-cast-exact.cpp
    A clang/test/CodeGenCXX/ptrauth-dynamic-cast-exact.cpp

  Log Message:
  -----------
  [clang] Fix crash in dynamic_cast final class optimization

This corrects the codegen for the final class optimization to
correctly handle the case where there is no path to perform the
cast, and also corrects the codegen to handle ptrauth protected
vtable pointers.

As part of this fix we separate out the path computation as
that makes it easier to reason about the failure code paths
and more importantly means we can know what the type of the
this object is during the cast.

This allows us to use the GetVTablePointer interface which
correctly performs the authentication operations required
when pointer authentication is enabled.

There is one place where we still lose a fully authenticated
path, and that is if there are multiple paths from the source
type to the destination type. In that case we're forced to
perform a dynamic_cast to void* to find the primary base. As
we do not know the primary base at this point we do not yet
know the dynamic type of the adjusted this object and so cannot
authenticate the vtable load. The approach this PR takes to
mitigate this gap is to authenticate the vtable of the original
object, and then if the stripped vtable pointer matches the
expected type we then know the type of the object and so
perform a fully authenticated load of the vtable from the
resulting object.

Fixes #148088
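
The three path cases the log message distinguishes (one path, no path, multiple paths), as an added example that is not part of the commit or of clang's code. `exact_cast_model` and the class names are hypothetical; the model stands in a `typeid` comparison for the vtable pointer comparison, assumes public inheritance, and does not model pointer authentication.

```cpp
#include <typeinfo>

struct A { virtual ~A() = default; int a = 0; };
struct B1 : A { int b1 = 0; };
struct B2 : A { int b2 = 0; };
struct Single final : A { int s = 0; };      // exactly one path A -> Single
struct Multi final : B1, B2 { int m = 0; };  // two A subobjects: two paths A -> Multi
struct Unrelated final { virtual ~Unrelated() = default; };  // no path from A

// Portable model of an exact-type cast to a final class (hypothetical helper).
// A final class has no derived classes, so the cast can only succeed when the
// dynamic type is exactly Final. dynamic_cast<void*> then yields the most
// derived object, which is how the result is located when the offset from the
// source subobject is not unique.
template <class Final, class Src>
Final* exact_cast_model(Src* p) {
  if (!p || typeid(*p) != typeid(Final)) return nullptr;
  return static_cast<Final*>(dynamic_cast<void*>(p));
}

// The model must agree with the language's own dynamic_cast.
template <class Final, class Src>
bool agrees(Src* p) { return exact_cast_model<Final>(p) == dynamic_cast<Final*>(p); }

bool single_path_ok() {
  Single s; A* p = &s;
  return agrees<Single>(p) && exact_cast_model<Single>(p) == &s;
}
bool no_path_is_null() {  // destination unrelated to the source: always null
  Single s; A* p = &s;
  return agrees<Unrelated>(p) && exact_cast_model<Unrelated>(p) == nullptr;
}
bool multi_path_ok() {    // both A subobjects must resolve to the same Multi
  Multi m;
  A* via_b1 = static_cast<B1*>(&m);
  A* via_b2 = static_cast<B2*>(&m);
  return via_b1 != via_b2 && agrees<Multi>(via_b1) && agrees<Multi>(via_b2) &&
         exact_cast_model<Multi>(via_b2) == &m;
}
bool wrong_dynamic_type_is_null() {
  B1 b; A* p = &b;
  return agrees<Single>(p) && exact_cast_model<Single>(p) == nullptr;
}

int main() {
  return (single_path_ok() && no_path_is_null() && multi_path_ok() &&
          wrong_dynamic_type_is_null()) ? 0 : 1;
}
```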


