gcc 4.9 just got more aggressive and is now exploiting the fact that input
pointers to memcpy/memmove cannot be null (even if the size is 0).
This patch adds support to ubsan to check for this UB. Very important since
it's already being exploited by gcc.
REPOSITORY
rL LLVM
http://reviews.llvm.org/D9673
Files:
lib/CodeGen/CGBuiltin.cpp
lib/CodeGen/CGCall.cpp
lib/CodeGen/CodeGenFunction.h
test/CodeGen/catch-undef-behavior.c
EMAIL PREFERENCES
http://reviews.llvm.org/settings/panel/emailpreferences/
Index: lib/CodeGen/CGBuiltin.cpp
===================================================================
--- lib/CodeGen/CGBuiltin.cpp
+++ lib/CodeGen/CGBuiltin.cpp
@@ -709,6 +709,10 @@
EmitPointerWithAlignment(E->getArg(1));
Value *SizeVal = EmitScalarExpr(E->getArg(2));
unsigned Align = std::min(Dest.second, Src.second);
+ EmitNonNullArgCheck(RValue::get(Dest.first), E->getArg(0)->getType(),
+ E->getArg(0)->getExprLoc(), FD, 0);
+ EmitNonNullArgCheck(RValue::get(Src.first), E->getArg(1)->getType(),
+ E->getArg(1)->getExprLoc(), FD, 0);
Builder.CreateMemCpy(Dest.first, Src.first, SizeVal, Align, false);
return RValue::get(Dest.first);
}
@@ -766,6 +770,10 @@
EmitPointerWithAlignment(E->getArg(1));
Value *SizeVal = EmitScalarExpr(E->getArg(2));
unsigned Align = std::min(Dest.second, Src.second);
+ EmitNonNullArgCheck(RValue::get(Dest.first), E->getArg(0)->getType(),
+ E->getArg(0)->getExprLoc(), FD, 0);
+ EmitNonNullArgCheck(RValue::get(Src.first), E->getArg(1)->getType(),
+ E->getArg(1)->getExprLoc(), FD, 0);
Builder.CreateMemMove(Dest.first, Src.first, SizeVal, Align, false);
return RValue::get(Dest.first);
}
Index: lib/CodeGen/CGCall.cpp
===================================================================
--- lib/CodeGen/CGCall.cpp
+++ lib/CodeGen/CGCall.cpp
@@ -2715,27 +2715,28 @@
}
}
-static void emitNonNullArgCheck(CodeGenFunction &CGF, RValue RV,
- QualType ArgType, SourceLocation ArgLoc,
- const FunctionDecl *FD, unsigned ParmNum) {
- if (!CGF.SanOpts.has(SanitizerKind::NonnullAttribute) || !FD)
+void CodeGenFunction::EmitNonNullArgCheck(RValue RV, QualType ArgType,
+ SourceLocation ArgLoc,
+ const FunctionDecl *FD,
+ unsigned ParmNum) {
+ if (!SanOpts.has(SanitizerKind::NonnullAttribute) || !FD)
return;
auto PVD = ParmNum < FD->getNumParams() ? FD->getParamDecl(ParmNum) : nullptr;
unsigned ArgNo = PVD ? PVD->getFunctionScopeIndex() : ParmNum;
auto NNAttr = getNonNullAttr(FD, PVD, ArgType, ArgNo);
if (!NNAttr)
return;
- CodeGenFunction::SanitizerScope SanScope(&CGF);
+ SanitizerScope SanScope(this);
assert(RV.isScalar());
llvm::Value *V = RV.getScalarVal();
llvm::Value *Cond =
- CGF.Builder.CreateICmpNE(V, llvm::Constant::getNullValue(V->getType()));
+ Builder.CreateICmpNE(V, llvm::Constant::getNullValue(V->getType()));
llvm::Constant *StaticData[] = {
- CGF.EmitCheckSourceLocation(ArgLoc),
- CGF.EmitCheckSourceLocation(NNAttr->getLocation()),
- llvm::ConstantInt::get(CGF.Int32Ty, ArgNo + 1),
+ EmitCheckSourceLocation(ArgLoc),
+ EmitCheckSourceLocation(NNAttr->getLocation()),
+ llvm::ConstantInt::get(Int32Ty, ArgNo + 1),
};
- CGF.EmitCheck(std::make_pair(Cond, SanitizerKind::NonnullAttribute),
+ EmitCheck(std::make_pair(Cond, SanitizerKind::NonnullAttribute),
"nonnull_arg", StaticData, None);
}
@@ -2763,7 +2764,7 @@
for (int I = ArgTypes.size() - 1; I >= 0; --I) {
CallExpr::const_arg_iterator Arg = ArgBeg + I;
EmitCallArg(Args, *Arg, ArgTypes[I]);
- emitNonNullArgCheck(*this, Args.back().RV, ArgTypes[I], Arg->getExprLoc(),
+ EmitNonNullArgCheck(Args.back().RV, ArgTypes[I], Arg->getExprLoc(),
CalleeDecl, ParamsToSkip + I);
}
@@ -2777,7 +2778,7 @@
CallExpr::const_arg_iterator Arg = ArgBeg + I;
assert(Arg != ArgEnd);
EmitCallArg(Args, *Arg, ArgTypes[I]);
- emitNonNullArgCheck(*this, Args.back().RV, ArgTypes[I], Arg->getExprLoc(),
+ EmitNonNullArgCheck(Args.back().RV, ArgTypes[I], Arg->getExprLoc(),
CalleeDecl, ParamsToSkip + I);
}
}
Index: lib/CodeGen/CodeGenFunction.h
===================================================================
--- lib/CodeGen/CodeGenFunction.h
+++ lib/CodeGen/CodeGenFunction.h
@@ -2843,6 +2843,11 @@
/// conditional branch to it, for the -ftrapv checks.
void EmitTrapCheck(llvm::Value *Checked);
+ /// \brief Create a check for a function parameter that may potentially be
+ /// declared as non-null.
+ void EmitNonNullArgCheck(RValue RV, QualType ArgType, SourceLocation ArgLoc,
+ const FunctionDecl *FD, unsigned ParmNum);
+
/// EmitCallArg - Emit a single call argument.
void EmitCallArg(CallArgList &args, const Expr *E, QualType ArgType);
Index: test/CodeGen/catch-undef-behavior.c
===================================================================
--- test/CodeGen/catch-undef-behavior.c
+++ test/CodeGen/catch-undef-behavior.c
@@ -371,6 +371,34 @@
decl_nonnull(a);
}
+extern void *memcpy (void *, const void *, unsigned) __attribute__((nonnull(1, 2)));
+
+// CHECK-COMMON-LABEL: @call_memcpy_nonnull
+void call_memcpy_nonnull(void *p, void *q, int sz) {
+ // CHECK-COMMON: icmp ne i8* {{.*}}, null
+ // CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg
+ // CHECK-TRAP: call void @llvm.trap()
+
+ // CHECK-COMMON: icmp ne i8* {{.*}}, null
+ // CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg
+ // CHECK-TRAP: call void @llvm.trap()
+ memcpy(p, q, sz);
+}
+
+extern void *memmove (void *, const void *, unsigned) __attribute__((nonnull(1, 2)));
+
+// CHECK-COMMON-LABEL: @call_memmove_nonnull
+void call_memmove_nonnull(void *p, void *q, int sz) {
+ // CHECK-COMMON: icmp ne i8* {{.*}}, null
+ // CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg
+ // CHECK-TRAP: call void @llvm.trap()
+
+ // CHECK-COMMON: icmp ne i8* {{.*}}, null
+ // CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg
+ // CHECK-TRAP: call void @llvm.trap()
+ memmove(p, q, sz);
+}
+
// CHECK-COMMON-LABEL: @call_nonnull_variadic
__attribute__((nonnull)) void nonnull_variadic(int a, ...);
void call_nonnull_variadic(int a, int *b) {
_______________________________________________
cfe-commits mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
