[PATCH] D148785: -fsanitize=function: use type hashes instead of RTTI objects

Fangrui Song via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Thu Apr 20 00:54:18 PDT 2023


MaskRay created this revision.
MaskRay added reviewers: Sanitizers, pcc, peter.smith, sberg, samitolvanen.
Herald added subscribers: Enna1, hiraditya.
Herald added a project: All.
MaskRay requested review of this revision.
Herald added projects: clang, Sanitizers, LLVM.
Herald added subscribers: llvm-commits, cfe-commits.

Currently we use RTTI objects to check type compatibility. To support non-unique
RTTI objects, commit 5745eccef54ddd3caca278d1d292a88b2281528b added a
`checkTypeInfoEquality` string matching to the runtime.
The scheme is inefficient.

  _Z1fv:
    .long   846595819                    # jmp
    .long   .L__llvm_rtti_proxy-_Z3funv
    ...
  
  main:
    ...
    # Load the second word (pointer to the RTTI object) and dereference it.
    movslq  4(%rsi), %rax
    movq    (%rax,%rsi), %rdx
    # Is it the desired typeinfo object?
    leaq    _ZTIFvvE(%rip), %rax
    # If not, call __ubsan_handle_function_type_mismatch_v1, which may recover if checkTypeInfoEquality allows
    cmpq    %rax, %rdx
    jne     .LBB1_2
    ...
  
  .section        .data.rel.ro,"aw",@progbits
    .p2align        3, 0x0
  .L__llvm_rtti_proxy:
    .quad   _ZTIFvvE

Let's replace the indirect `_ZTI` pointer with a type hash similar to
`-fsanitize=kcfi`.

  _Z1fv:
    .long   3238382334
    .long   2772461324  # type hash
  
  main:
    ...
    # Load the second word (callee type hash) and check whether it is expected
    cmpl    $-1522505972, -4(%rax)
    # If not, fail: call __ubsan_handle_function_type_mismatch
    jne     .LBB2_2

The RTTI object derives its name from `clang::MangleContext::mangleCXXRTTI`,
which uses `mangleType`. `mangleTypeName` uses `mangleType` as well. So the
type compatibility change is high-fidelity.

Since we no longer need RTTI pointers in
`__ubsan::__ubsan_handle_function_type_mismatch_v1`, let's switch it back to
version 0, the original signature before
e215996a2932ed7c472f4e94dc4345b30fd0c373 (2019).
`__ubsan::__ubsan_handle_function_type_mismatch_abort` is not
recoverable, so we can revert some changes from
e215996a2932ed7c472f4e94dc4345b30fd0c373.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D148785

Files:
  clang/docs/UndefinedBehaviorSanitizer.rst
  clang/lib/CodeGen/CGExpr.cpp
  clang/lib/CodeGen/CodeGenFunction.cpp
  clang/lib/CodeGen/CodeGenFunction.h
  clang/lib/Driver/SanitizerArgs.cpp
  clang/test/CodeGen/ubsan-function.cpp
  clang/test/CodeGenCXX/catch-undef-behavior.cpp
  clang/test/CodeGenCXX/ubsan-function-noexcept.cpp
  clang/test/Driver/fsanitize.c
  compiler-rt/lib/ubsan/ubsan_handlers_cxx.cpp
  compiler-rt/lib/ubsan/ubsan_handlers_cxx.h
  compiler-rt/lib/ubsan/ubsan_interface.inc
  llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp

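A small model of the prefix layout and call-site check described above, added here as an example rather than code from the revision: the hash function is an assumption (LLVM's actual type hash is not reproduced), and the mangled type names and function bodies are constructed sample input.

```python
"""Model of the callee prefix emitted by -fsanitize=function after D148785.
Added example, not the revision's code. The hash function is an assumption
(LLVM's real type hash differs); mangled names are constructed samples."""
import hashlib
import struct

# First prefix word shown in the revision's listing (.long 3238382334).
SIGNATURE = 3238382334
# The symbol points at the body; the two prefix words sit at entry-8..entry-1.
ENTRY_OFFSET = 8


def type_hash(mangled_type: str) -> int:
    """32-bit hash of a mangled function type name. Assumed here to be the low
    32 bits of SHA-256; the only property used is equal types -> equal values."""
    return int.from_bytes(hashlib.sha256(mangled_type.encode()).digest()[:4], "little")


def emit_function(mangled_type: str, body: bytes) -> bytes:
    """Lay out a function as the new scheme does: two little-endian 32-bit words
    (signature, type hash) immediately before the entry point, then the code."""
    return struct.pack("<II", SIGNATURE, type_hash(mangled_type)) + body


def check_call(image: bytes, expected_type: str) -> bool:
    """Caller-side check: load the word at -4(callee) and compare it with the hash
    of the type the caller expects, i.e. `cmpl $hash, -4(%rax)`. A value, not an
    address, is compared, so it does not matter which DSO emitted the callee."""
    (callee_hash,) = struct.unpack_from("<I", image, ENTRY_OFFSET - 4)
    return callee_hash == type_hash(expected_type)


# Constructed samples: "_ZTSFvvE" is the Itanium typeinfo-name for void(),
# "_ZTSFviE" for void(int). Two copies of the void() function stand in for the
# non-unique-RTTI case where each DSO carries its own typeinfo object.
DSO_A_F = emit_function("_ZTSFvvE", b"\xc3")  # body: ret
DSO_B_F = emit_function("_ZTSFvvE", b"\xc3")
G_INT = emit_function("_ZTSFviE", b"\xc3")


def demo() -> dict:
    """Outcome of each modelled call-site check."""
    return {
        "same_dso": check_call(DSO_A_F, "_ZTSFvvE"),
        "cross_dso": check_call(DSO_B_F, "_ZTSFvvE"),  # no string fallback needed
        "mismatch": check_call(G_INT, "_ZTSFvvE"),      # would call the handler
    }


if __name__ == "__main__":
    print(demo())
```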