[PATCH] D12712: Implementation and testing for poisoning vtable ptr in dtor.

Naomi Musgrave via cfe-commits Tue, 08 Sep 2015 16:24:07 -0700

nmusgrave created this revision.
nmusgrave added reviewers: eugenis, kcc.
nmusgrave added a subscriber: cfe-commits.


After destruction, invocation of virtual functions prevented
by poisoning vtable pointer.

http://reviews.llvm.org/D12712

Files:
  lib/CodeGen/CGClass.cpp
  test/CodeGenCXX/sanitize-dtor-derived-class.cpp
  test/CodeGenCXX/sanitize-dtor-vtable.cpp

Index: test/CodeGenCXX/sanitize-dtor-vtable.cpp
===================================================================
--- /dev/null
+++ test/CodeGenCXX/sanitize-dtor-vtable.cpp
@@ -0,0 +1,16 @@
+// RUN: %clang_cc1 -O0 -fsanitize=memory -fsanitize-memory-use-after-dtor 
-disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | 
FileCheck %s
+// RUN: %clang_cc1 -O1 -fsanitize=memory -fsanitize-memory-use-after-dtor 
-disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | 
FileCheck %s
+
+class A {
+ public:
+  int x;
+  A() {}
+  virtual ~A() {}
+};
+A a;
+
+// CHECK-LABEL: define {{.*}}AD2Ev
+// CHECK: call void @__sanitizer_dtor_callback{{.*}}i64 8
+// CHECK: call void @__sanitizer_dtor_callback
+// CHECK-NOT: call void @__sanitizer_dtor_callback
+// CHECK: ret void
Index: test/CodeGenCXX/sanitize-dtor-derived-class.cpp
===================================================================
--- test/CodeGenCXX/sanitize-dtor-derived-class.cpp
+++ test/CodeGenCXX/sanitize-dtor-derived-class.cpp
@@ -52,13 +52,17 @@
 // CHECK-NOT: call void @__sanitizer_dtor_callback
 // CHECK: ret void
 
+// Poison member and vtable pointer.
 // CHECK-LABEL: define {{.*}}BaseD2Ev
 // CHECK: call void @__sanitizer_dtor_callback
+// CHECK: call void @__sanitizer_dtor_callback
 // CHECK-NOT: call void @__sanitizer_dtor_callback
 // CHECK: ret void
 
+// Poison member and vtable pointer.
 // CHECK-LABEL: define {{.*}}DerivedD2Ev
 // CHECK: call void @__sanitizer_dtor_callback
+// CHECK: call void @__sanitizer_dtor_callback
 // CHECK-NOT: call void @__sanitizer_dtor_callback
 // CHECK: call void {{.*}}BaseD2Ev
 // CHECK-NOT: call void @__sanitizer_dtor_callback
Index: lib/CodeGen/CGClass.cpp
===================================================================
--- lib/CodeGen/CGClass.cpp
+++ lib/CodeGen/CGClass.cpp
@@ -1668,9 +1668,20 @@
       // Prevent the current stack frame from disappearing from the stack 
trace.
       CGF.CurFn->addFnAttr("disable-tail-calls", "true");
 
+      ASTContext &Context = CGF.getContext();
+      // Poison vtable and vtable ptr if they exist for this class.
+      if (Dtor->getParent()->isDynamicClass()) {
+        llvm::Value *VTablePtr = CGF.LoadCXXThis();
+
+        CharUnits::QuantityType PoisonSize =
+            Context.toCharUnitsFromBits(CGF.PointerWidthInBits).getQuantity();
+        // Pass in void pointer and size of region as arguments to runtime
+        // function
+        Poison(CGF, VTablePtr, PoisonSize);
+      }
+
       // Construct pointer to region to begin poisoning, and calculate poison
       // size, so that only members declared in this class are poisoned.
-      ASTContext &Context = CGF.getContext();
       unsigned fieldIndex = 0;
       int startIndex = -1;
       // RecordDecl::field_iterator Field;
@@ -1732,10 +1743,16 @@
       if (PoisonSize == 0)
         return;
 
+      Poison(CGF, OffsetPtr, PoisonSize);
+    }
+
+    void Poison(CodeGenFunction &CGF, llvm::Value *OffsetPtr,
+                CharUnits::QuantityType PoisonSize) {
       // Pass in void pointer and size of region as arguments to runtime
       // function
-      llvm::Value *Args[] = {CGF.Builder.CreateBitCast(OffsetPtr, 
CGF.VoidPtrTy),
-                             llvm::ConstantInt::get(CGF.SizeTy, PoisonSize)};
+      llvm::Value *Args[] = {
+          CGF.Builder.CreateBitCast(OffsetPtr, CGF.VoidPtrTy),
+          llvm::ConstantInt::get(CGF.SizeTy, PoisonSize)};
 
       llvm::Type *ArgTypes[] = {CGF.VoidPtrTy, CGF.SizeTy};

Index: test/CodeGenCXX/sanitize-dtor-vtable.cpp
===================================================================
--- /dev/null
+++ test/CodeGenCXX/sanitize-dtor-vtable.cpp
@@ -0,0 +1,16 @@
+// RUN: %clang_cc1 -O0 -fsanitize=memory -fsanitize-memory-use-after-dtor -disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | FileCheck %s
+// RUN: %clang_cc1 -O1 -fsanitize=memory -fsanitize-memory-use-after-dtor -disable-llvm-optzns -std=c++11 -triple=x86_64-pc-linux -emit-llvm -o - %s | FileCheck %s
+
+class A {
+ public:
+  int x;
+  A() {}
+  virtual ~A() {}
+};
+A a;
+
+// CHECK-LABEL: define {{.*}}AD2Ev
+// CHECK: call void @__sanitizer_dtor_callback{{.*}}i64 8
+// CHECK: call void @__sanitizer_dtor_callback
+// CHECK-NOT: call void @__sanitizer_dtor_callback
+// CHECK: ret void
Index: test/CodeGenCXX/sanitize-dtor-derived-class.cpp
===================================================================
--- test/CodeGenCXX/sanitize-dtor-derived-class.cpp
+++ test/CodeGenCXX/sanitize-dtor-derived-class.cpp
@@ -52,13 +52,17 @@
 // CHECK-NOT: call void @__sanitizer_dtor_callback
 // CHECK: ret void
 
+// Poison member and vtable pointer.
 // CHECK-LABEL: define {{.*}}BaseD2Ev
 // CHECK: call void @__sanitizer_dtor_callback
+// CHECK: call void @__sanitizer_dtor_callback
 // CHECK-NOT: call void @__sanitizer_dtor_callback
 // CHECK: ret void
 
+// Poison member and vtable pointer.
 // CHECK-LABEL: define {{.*}}DerivedD2Ev
 // CHECK: call void @__sanitizer_dtor_callback
+// CHECK: call void @__sanitizer_dtor_callback
 // CHECK-NOT: call void @__sanitizer_dtor_callback
 // CHECK: call void {{.*}}BaseD2Ev
 // CHECK-NOT: call void @__sanitizer_dtor_callback
Index: lib/CodeGen/CGClass.cpp
===================================================================
--- lib/CodeGen/CGClass.cpp
+++ lib/CodeGen/CGClass.cpp
@@ -1668,9 +1668,20 @@
       // Prevent the current stack frame from disappearing from the stack trace.
       CGF.CurFn->addFnAttr("disable-tail-calls", "true");
 
+      ASTContext &Context = CGF.getContext();
+      // Poison vtable and vtable ptr if they exist for this class.
+      if (Dtor->getParent()->isDynamicClass()) {
+        llvm::Value *VTablePtr = CGF.LoadCXXThis();
+
+        CharUnits::QuantityType PoisonSize =
+            Context.toCharUnitsFromBits(CGF.PointerWidthInBits).getQuantity();
+        // Pass in void pointer and size of region as arguments to runtime
+        // function
+        Poison(CGF, VTablePtr, PoisonSize);
+      }
+
       // Construct pointer to region to begin poisoning, and calculate poison
       // size, so that only members declared in this class are poisoned.
-      ASTContext &Context = CGF.getContext();
       unsigned fieldIndex = 0;
       int startIndex = -1;
       // RecordDecl::field_iterator Field;
@@ -1732,10 +1743,16 @@
       if (PoisonSize == 0)
         return;
 
+      Poison(CGF, OffsetPtr, PoisonSize);
+    }
+
+    void Poison(CodeGenFunction &CGF, llvm::Value *OffsetPtr,
+                CharUnits::QuantityType PoisonSize) {
       // Pass in void pointer and size of region as arguments to runtime
       // function
-      llvm::Value *Args[] = {CGF.Builder.CreateBitCast(OffsetPtr, CGF.VoidPtrTy),
-                             llvm::ConstantInt::get(CGF.SizeTy, PoisonSize)};
+      llvm::Value *Args[] = {
+          CGF.Builder.CreateBitCast(OffsetPtr, CGF.VoidPtrTy),
+          llvm::ConstantInt::get(CGF.SizeTy, PoisonSize)};
 
       llvm::Type *ArgTypes[] = {CGF.VoidPtrTy, CGF.SizeTy};

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D12712: Implementation and testing for poisoning vtable ptr in dtor.

Reply via email to