[llvm-bugs] [Bug 43390] New: CFI: wrong type passed to llvm.type.test with multiple inheritance devirtualization

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Sep 20 14:43:32 PDT 2019


https://bugs.llvm.org/show_bug.cgi?id=43390

            Bug ID: 43390
           Summary: CFI: wrong type passed to llvm.type.test with multiple
                    inheritance devirtualization
           Product: clang
           Version: trunk
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: C++
          Assignee: unassignedclangbugs at nondot.org
          Reporter: dmitry.mikulin at sony.com
                CC: blitzrakete at gmail.com, dgregor at apple.com,
                    erik.pilkington at gmail.com, llvm-bugs at lists.llvm.org,
                    richard-llvm at metafoo.co.uk

In the following example, a call to a virtual function through the second base
class pointer fails the nvcall CFI check at run time. Similar call through the
first base class pointer works as expected.

========== x.cpp ==============
#include <cstdio>   // fprintf
class A1 {
public:
    virtual void f1() = 0;
};

class A2 {
public:
    virtual void f2() = 0;
};

class B : public A1, public A2 {
public:
    void f2() final { fprintf(stderr, "f2\n"); }
    void f1() final { fprintf(stderr, "f1\n"); }
};

int main() {
    B b;
    // Doesn't raise a CFI error
    static_cast<A1*>(&b)->f1();
    // Raises a CFI error
    static_cast<A2*>(&b)->f2();
}
=============================

# clang++ -flto -fvisibility=hidden -fsanitize=cfi -fno-sanitize-trap=cfi -fsanitize-recover=cfi -fuse-ld=lld x.cpp
# ./a.out
f1
x.cpp:26:5: runtime error: control flow integrity check for type 'A2' failed
during non-virtual call (vtable address 0x00000020b780)
0x00000020b780: note: vtable is of type 'B'
 00 00 00 00  40 34 24 00 00 00 00 00  70 34 24 00 00 00 00 00  00 00 00 00 00
00 00 00  48 b7 20 00
              ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior x.cpp:26:5 in 
f2
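Added example (not part of the bug report above, and not Clang or LLVM code): a sanitizer-free program that makes the object layout behind the report visible. Under the Itanium C++ ABI, which the example assumes, the A2 subobject of a B sits at a non-zero offset, so `static_cast<A2*>(&b)` adjusts the this pointer, and the A2 view carries its own vptr pointing into the secondary vtable of B's vtable group (whose offset-to-top slot records the adjustment back to the complete object). A CFI non-virtual-call check on a devirtualized `A2::f2` call therefore has to be applied to the adjusted A2 pointer and its vtable, not to the primary vptr of the B object; this is the layout the check above is being run against. The class names and the helper functions are the example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Same shape as the reproducer: two polymorphic bases, B overrides both.
class A1 {
public:
    virtual int f1() = 0;
};

class A2 {
public:
    virtual int f2() = 0;
};

class B : public A1, public A2 {
public:
    int f2() final { return 2; }
    int f1() final { return 1; }
};

// First word of a polymorphic object is its vptr (Itanium ABI assumption).
static std::uintptr_t read_vptr(const void* obj) {
    std::uintptr_t v;
    std::memcpy(&v, obj, sizeof v);
    return v;
}

// Byte distance between the complete B and its A2 subobject, i.e. the
// this-pointer adjustment that static_cast<A2*> performs.
std::ptrdiff_t a2_subobject_offset() {
    B b;
    const char* whole = reinterpret_cast<const char*>(&b);
    const char* a2 = reinterpret_cast<const char*>(static_cast<A2*>(&b));
    return a2 - whole;
}

// Distance between the vptr seen through A1* (primary vtable, shared with B)
// and the vptr seen through A2* (secondary vtable inside B's vtable group).
std::ptrdiff_t vptr_distance() {
    B b;
    std::uintptr_t v1 = read_vptr(static_cast<A1*>(&b));
    std::uintptr_t v2 = read_vptr(static_cast<A2*>(&b));
    return static_cast<std::ptrdiff_t>(v2) - static_cast<std::ptrdiff_t>(v1);
}

// The offset-to-top slot lives two pointer slots before the address the vptr
// points at; for the A2-in-B secondary vtable it is the negated subobject offset.
std::ptrdiff_t offset_to_top_via_a2() {
    B b;
    std::uintptr_t v2 = read_vptr(static_cast<A2*>(&b));
    std::ptrdiff_t off;
    std::memcpy(&off, reinterpret_cast<const void*>(v2 - 2 * sizeof(void*)), sizeof off);
    return off;
}

// The calls from the reproducer, returning a tag so dispatch can be checked.
int call_f1_via_a1() { B b; return static_cast<A1*>(&b)->f1(); }
int call_f2_via_a2() { B b; return static_cast<A2*>(&b)->f2(); }

int main() {
    std::printf("A2 subobject offset      : %td bytes\n", a2_subobject_offset());
    std::printf("vptr(A2) - vptr(A1)      : %td bytes\n", vptr_distance());
    std::printf("offset-to-top via A2 vptr: %td\n", offset_to_top_via_a2());
    std::printf("f1 via A1* -> %d, f2 via A2* -> %d\n", call_f1_via_a1(), call_f2_via_a2());
    return 0;
}
```

The program reads vtable memory directly, so it is only meaningful on an Itanium-ABI target (Linux/macOS with GCC or Clang); on a typical LP64 build the A2 subobject offset is 8, the offset-to-top slot reads -8, and the two vptrs differ by a few pointer slots, which is exactly why a type test run against the unadjusted vptr sees "vtable is of type 'B'" rather than the A2-in-B vtable.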
