[PATCH] D47567: [wip] Implement CFI for indirect calls via a member function pointer.

Peter Collingbourne via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Wed May 30 19:44:03 PDT 2018


pcc created this revision.
pcc added a reviewer: vlad.tsyrklevich.
Herald added a subscriber: mgrang.

Similarly to CFI on virtual and indirect calls, this implementation
tries to use program type information to make the checks as precise
as possible.  The basic way that it works is as follows, where `C`
is the name of the class being defined or the target of a call and
the function type is assumed to be `void()`.

For virtual calls:

- Attach type metadata to the addresses of function pointers in vtables (not the functions themselves) of type `void (B::*)()` for each `B` that is a recursive dynamic base class of `C`, including `C` itself. This type metadata has an annotation that the type is for virtual calls (to distinguish it from the non-virtual case).
- At the call site, check that the computed address of the function pointer in the vtable has type `void (C::*)()`.

For non-virtual calls:

- Attach type metadata to each non-virtual member function whose address can be taken with a member function pointer. The type of a function in class `C` of type `void()` is each of the types `void (B::*)()` where `B` is a most-base class of `C`. A most-base class of `C` is defined as a recursive base class of `C`, including `C` itself, that does not have any bases.
- At the call site, check that the function pointer has one of the types `void (B::*)()` where `B` is a most-base class of `C`.

TODO:

- Implement a fallback for the case where the class type is incomplete at the call site.
- Implement non-trapping and cross-DSO support.
- Mark this as unsupported with the Microsoft ABI for now.
- Write tests.


https://reviews.llvm.org/D47567

Files:
  clang/include/clang/Basic/Sanitizers.def
  clang/lib/CodeGen/CGVTables.cpp
  clang/lib/CodeGen/CodeGenModule.cpp
  clang/lib/CodeGen/CodeGenModule.h
  clang/lib/CodeGen/ItaniumCXXABI.cpp
  clang/lib/Driver/SanitizerArgs.cpp
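To make the two rules in the summary concrete, the following is a small C++ model of the type-metadata scheme. It is an added illustration, not code from D47567 or from clang's CodeGen: the class names (`A`, `Mixin`, `B`, `D`, `Unrelated`), the `Hierarchy` table and the two `*CallAllowed` helpers are all hypothetical. It reduces each check to a set computation over the hierarchy, which shows why most-base classes are the right tag for the non-virtual case (a `void (D::*)()` may legally hold `&A::f` for any base `A` of `D`, so the tag on `A::f` must be something `D`'s call site also computes) and why the virtual case can instead tag vtable slots with every dynamic base. Like the patch at this stage, the model assumes the class type is complete at the call site; the incomplete-type fallback in the TODO list is not modelled.

```cpp
#include <cassert>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical model of a C++ class hierarchy used to reason about the
// type-metadata scheme described in the summary. Illustration only, not clang code.
struct ClassInfo {
    std::vector<std::string> bases;  // direct base classes
    bool dynamic;                    // true if the class has a vtable
};
using Hierarchy = std::map<std::string, ClassInfo>;

// Collect all recursive base classes of `c`, including `c` itself.
static void collectBases(const Hierarchy &h, const std::string &c,
                         std::set<std::string> &out) {
    if (!out.insert(c).second)
        return;  // already visited (diamond hierarchies terminate)
    for (const auto &b : h.at(c).bases)
        collectBases(h, b, out);
}

// Most-base classes of `c`: recursive bases, including `c`, that have no bases.
std::set<std::string> mostBaseClasses(const Hierarchy &h, const std::string &c) {
    std::set<std::string> all, result;
    collectBases(h, c, all);
    for (const auto &b : all)
        if (h.at(b).bases.empty())
            result.insert(b);
    return result;
}

// Recursive dynamic base classes of `c`, including `c` itself.
std::set<std::string> dynamicBases(const Hierarchy &h, const std::string &c) {
    std::set<std::string> all, result;
    collectBases(h, c, all);
    for (const auto &b : all)
        if (h.at(b).dynamic)
            result.insert(b);
    return result;
}

// Non-virtual case. A function `void D::f()` is tagged with `void (B::*)()`
// for every most-base class B of D. A call through a pointer of static type
// `void (C::*)()` passes if the callee carries any `void (B::*)()` with B a
// most-base class of C, i.e. if the two most-base sets intersect.
bool nonVirtualCallAllowed(const Hierarchy &h, const std::string &calleeClass,
                           const std::string &callSiteClass) {
    std::set<std::string> tagged = mostBaseClasses(h, calleeClass);
    for (const auto &b : mostBaseClasses(h, callSiteClass))
        if (tagged.count(b))
            return true;
    return false;
}

// Virtual case. The vtable of dynamic type D carries `void (B::*)()` for every
// recursive dynamic base B of D (including D itself). The call site checks the
// loaded slot address for `void (C::*)()`, C being the pointer's static class.
bool virtualCallAllowed(const Hierarchy &h, const std::string &vtableClass,
                        const std::string &callSiteClass) {
    return dynamicBases(h, vtableClass).count(callSiteClass) > 0;
}

// Constructed sample hierarchy (hypothetical classes):
//   struct A { virtual void f(); };      // dynamic, no bases
//   struct Mixin { void g(); };          // non-dynamic, no bases
//   struct B : A { void f() override; }; // dynamic
//   struct D : B, Mixin { };             // dynamic, two most-base classes
//   struct Unrelated { void h(); };      // not part of the hierarchy
Hierarchy sampleHierarchy() {
    return {
        {"A", {{}, true}},
        {"Mixin", {{}, false}},
        {"B", {{"A"}, true}},
        {"D", {{"B", "Mixin"}, true}},
        {"Unrelated", {{}, false}},
    };
}

int main() {
    Hierarchy h = sampleHierarchy();
    // `void (D::*)() p = &A::f;` is legal C++, so the check must accept it.
    assert(nonVirtualCallAllowed(h, "A", "D"));
    // A function of an unrelated class reached through `void (D::*)()` is rejected.
    assert(!nonVirtualCallAllowed(h, "Unrelated", "D"));
    // A virtual call through `void (A::*)()` on an object whose dynamic type is D.
    assert(virtualCallAllowed(h, "D", "A"));
    // A `void (B::*)()` call landing on A's vtable is rejected.
    assert(!virtualCallAllowed(h, "A", "B"));
    return 0;
}
```

The imprecision the model makes visible: for the non-virtual case, `D::f` and `A::f` both carry the tag `void (A::*)()` (both have `A` as a most-base class), so a `void (A::*)()` call site accepts either. That is the cost of supporting the legal `D::* <- A::*` conversion with a single intersection test; the virtual case is tighter because the tag is attached to the vtable slot rather than the function.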

A non-text attachment was scrubbed...
Name: D47567.149229.patch
Type: text/x-patch
Size: 13802 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20180531/4edd7052/attachment-0001.bin>