[PATCH] D25448: [ubsan] Use the object pointer's type info for devirtualized calls

Vedant Kumar via cfe-commits cfe-commits at lists.llvm.org
Mon Oct 17 15:28:53 PDT 2016


vsk retitled this revision from "[ubsan] Disable -fsanitize=vptr checks for devirtualized calls" to "[ubsan] Use the object pointer's type info for devirtualized calls".
vsk updated the summary for this revision.
vsk added a subscriber: rsmith.
vsk updated this revision to Diff 74916.
vsk added a comment.

Patch update: Pass along the type info of the derived class to the ubsan runtime when we devirtualize a method call. This squashes the FP. I tested this with 'check-ubsan' in addition to adding a lit test.

> A pointer to the vtable pointer for Base1 is a pointer to a Derived.  You have a multiple inheritance bug, or really a general inheritance bug.  It's being covered up in the case of single, non-virtual inheritance because that's the case in which a pointer to a base-class object is the same as a pointer to the derived class object.

I imagine that it would be difficult to extend the runtime to handle this case. I.e., given a pointer to vtable pointer for Base1 and the type info for Base2, recognize that we may _actually_ be looking at an instance of Derived, and therefore claim that the types match. I wonder if that would result in a false negative in this case:

  Base1 b1;
  reinterpret_cast<Base2 *>(&b1)->method_from_base2_only();

We are currently able to diagnose this.

> ... it should also be changing its notion of what class the pointer points to.

I'm taking this to mean that we should pass along the type information for 'Derived'. This is also what @rsmith suggests.


https://reviews.llvm.org/D25448

Files:
  lib/CodeGen/CGExprCXX.cpp
  lib/CodeGen/CodeGenFunction.h
  test/CodeGenCXX/ubsan-devirtualized-calls.cpp
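The layout fact behind the false positive, as an added example that is not part of the patch or the thread: with two non-virtual polymorphic bases, a Derived* and a Base1* to the same object coincide, but a Base2* does not, so checking the vptr found at the Derived* against Base2's type info cannot match. Class and method names are assumed for illustration; -fsanitize=vptr is needed to see the runtime check itself.

```cpp
#include <cstddef>

// Hierarchy from the thread: a class with two non-virtual, polymorphic bases.
struct Base1 {
  virtual ~Base1() = default;
  virtual int from_base1() { return 1; }
};
struct Base2 {
  virtual ~Base2() = default;
  virtual int from_base2() { return 2; }
};
// 'final' lets clang prove the dynamic type at a call site through Base2*
// and devirtualize the call to Derived::from_base2.
struct Derived final : Base1, Base2 {
  int from_base1() override { return 10; }
  int from_base2() override { return 20; }
};

// Byte offset of each base subobject inside a Derived.
// Base1 sits at offset 0 (its vptr is the first word of the object), so a
// Derived* and a Base1* to the same object are the same address.
std::ptrdiff_t base1_offset() {
  Derived d;
  return reinterpret_cast<char *>(static_cast<Base1 *>(&d)) -
         reinterpret_cast<char *>(&d);
}
// Base2 sits after Base1's vptr, so a Base2* is NOT the same address as the
// Derived*. This is the case the quoted reviewer comment is about: the word at
// the Derived* is Base1's vptr, and checking it against Base2's type info
// (instead of Derived's) produces the false positive the patch fixes.
std::ptrdiff_t base2_offset() {
  Derived d;
  return reinterpret_cast<char *>(static_cast<Base2 *>(&d)) -
         reinterpret_cast<char *>(&d);
}

// The call shape that exercises the fix: a virtual call through Base2* whose
// dynamic type is provably Derived. Built with -fsanitize=vptr, the devirtualized
// call is now checked with Derived's type info rather than Base2's.
int call_through_base2() {
  Derived d;
  Base2 *b2 = &d;  // implicit upcast adjusts the pointer by base2_offset()
  return b2->from_base2();
}

int main() {
  return (base1_offset() == 0 && base2_offset() > 0 &&
          call_through_base2() == 20) ? 0 : 1;
}
```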

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D25448.74916.patch
Type: text/x-patch
Size: 8815 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20161017/2b96ae8d/attachment.bin>

