[UBSan][clang][compiler-rt] Applying non-zero offset to nullptr is undefined behaviour

Summary: Quote from http://eel.is/c++draft/expr.add#4: ``` 4 When an expression J that has integral type is added to or subtracted from an expression P of pointer type, the result has the type of P. (4.1) If P evaluates to a null pointer value and J evaluates to 0, the result is a null pointer value. (4.2) Otherwise, if P points to an array element i of an array object x with n elements ([dcl.array]), the expressions P + J and J + P (where J has the value j) point to the (possibly-hypothetical) array element i+j of x if 0≤i+j≤n and the expression P - J points to the (possibly-hypothetical) array element i−j of x if 0≤i−j≤n. (4.3) Otherwise, the behavior is undefined. ``` Therefore, as per the standard, applying non-zero offset to `nullptr` (or making non-`nullptr` a `nullptr`, by subtracting pointer's integral value from the pointer itself) is undefined behavior. (*if* `nullptr` is not defined, i.e. e.g. `-fno-delete-null-pointer-checks` was *not* specified.) To make things more fun, in C (6.5.6p8), applying *any* offset to null pointer is undefined, although Clang front-end pessimizes the code by not lowering that info, so this UB is "harmless". Since rL369789 (D66608 `[InstCombine] icmp eq/ne (gep inbounds P, Idx..), null -> icmp eq/ne P, null`) LLVM middle-end uses those guarantees for transformations. If the source contains such UB's, said code may now be miscompiled. Such miscompilations were already observed: * https://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20190826/687838.html * https://github.com/google/filament/pull/1566 Surprisingly, UBSan does not catch those issues ... until now. This diff teaches UBSan about these UB's. `getelementpointer inbounds` is a pretty frequent instruction, so this does have a measurable impact on performance; I've addressed most of the obvious missing folds (and thus decreased the performance impact by ~5%), and then re-performed some performance measurements using my [[ https://github.com/darktable-org/rawspeed | RawSpeed ]] benchmark: (all measurements done with LLVM ToT, the sanitizer never fired.) * no sanitization vs. existing check: average `+21.62%` slowdown * existing check vs. check after this patch: average `22.04%` slowdown * no sanitization vs. this patch: average `48.42%` slowdown Reviewers: vsk, filcab, rsmith, aaron.ballman, vitalybuka, rjmccall, #sanitizers Reviewed By: rsmith Subscribers: kristof.beyls, nickdesaulniers, nikic, ychen, dtzWill, xbolva00, dberris, arphaman, rupprecht, reames, regehr, llvm-commits, cfe-commits Tags: #clang, #sanitizers, #llvm Differential Revision: https://reviews.llvm.org/D67122 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@374293 91177308-0d34-0410-b5e6-96231b3b80d8
author: Roman Lebedev <lebedev.ri@gmail.com> 2019-10-10 09:25:02 +0000
committer: Roman Lebedev <lebedev.ri@gmail.com> 2019-10-10 09:25:02 +0000
commit: a8681c5ca1c1304e4b61c8cede444abc103b05bf (patch)
tree: 42a2119d5ff3d3a5475e2998a7f01003bf0ed134 /test/ubsan/TestCases/Pointer/nullptr-and-nonzero-offset-variable.cpp
parent: 51a6e79ff7df8a7a1ca79fdda4fe0aec571da26c (diff)
download: compiler-rt-a8681c5ca1c1304e4b61c8cede444abc103b05bf.tar.gz
1 files changed, 54 insertions, 0 deletions
diff --git a/test/ubsan/TestCases/Pointer/nullptr-and-nonzero-offset-variable.cpp b/test/ubsan/TestCases/Pointer/nullptr-and-nonzero-offset-variable.cpp
new file mode 100644
index 000000000..33fe836c5
--- /dev/null
+++ b/test/ubsan/TestCases/Pointer/nullptr-and-nonzero-offset-variable.cpp
@@ -0,0 +1,54 @@
+// R1UN: %clang -x c   -fsanitize=pointer-overflow -O0 %s -o %t && %run %t 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB-C
+// R1UN: %clang -x c   -fsanitize=pointer-overflow -O1 %s -o %t && %run %t 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB-C
+// R1UN: %clang -x c   -fsanitize=pointer-overflow -O2 %s -o %t && %run %t 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB-C
+// R1UN: %clang -x c   -fsanitize=pointer-overflow -O3 %s -o %t && %run %t 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB-C
+
+// RUN: %clang -x c++ -fsanitize=pointer-overflow -O0 %s -o %t && %run %t 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK
+// RUN: %clang -x c++ -fsanitize=pointer-overflow -O1 %s -o %t && %run %t 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK
+// RUN: %clang -x c++ -fsanitize=pointer-overflow -O2 %s -o %t && %run %t 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK
+// RUN: %clang -x c++ -fsanitize=pointer-overflow -O3 %s -o %t && %run %t 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK
+
+// RUN: %clang -x c   -fsanitize=pointer-overflow -O0 %s -o %t && %run %t I_AM_UB 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB
+// RUN: %clang -x c   -fsanitize=pointer-overflow -O1 %s -o %t && %run %t I_AM_UB 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB
+// RUN: %clang -x c   -fsanitize=pointer-overflow -O2 %s -o %t && %run %t I_AM_UB 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB
+// RUN: %clang -x c   -fsanitize=pointer-overflow -O3 %s -o %t && %run %t I_AM_UB 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB
+
+// RUN: %clang -x c++ -fsanitize=pointer-overflow -O0 %s -o %t && %run %t I_AM_UB 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB
+// RUN: %clang -x c++ -fsanitize=pointer-overflow -O1 %s -o %t && %run %t I_AM_UB 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB
+// RUN: %clang -x c++ -fsanitize=pointer-overflow -O2 %s -o %t && %run %t I_AM_UB 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB
+// RUN: %clang -x c++ -fsanitize=pointer-overflow -O3 %s -o %t && %run %t I_AM_UB 2>&1 | FileCheck %s --implicit-check-not="error:" --check-prefix=CHECK-UB
+
+#include <stdint.h>
+#include <stdio.h>
+
+// Just so deduplication doesn't do anything.
+static char *getelementpointer_inbounds_v0(char *base, unsigned long offset) {
+  // Potentially UB.
+  return base + offset;
+}
+static char *getelementpointer_inbounds_v1(char *base, unsigned long offset) {
+  // Potentially UB.
+  return base + offset;
+}
+
+int main(int argc, char *argv[]) {
+  char *base;
+  unsigned long offset;
+
+  printf("Dummy\n");
+  // CHECK: Dummy
+
+  base = (char *)0;
+  offset = argc - 1;
+  (void)getelementpointer_inbounds_v0(base, offset);
+  // CHECK-UB: {{.*}}.cpp:[[@LINE-17]]:15: runtime error: applying non-zero offset 1 to null pointer
+  // CHECK-UB-C: {{.*}}.cpp:[[@LINE-17]]:15: runtime error: applying offset to null pointer
+
+  base = (char *)(intptr_t)(argc - 1);
+  offset = argc == 1 ? 0 : -(argc - 1);
+  (void)getelementpointer_inbounds_v1(base, offset);
+  // CHECK-UB: {{.*}}.cpp:[[@LINE-19]]:15: runtime error: applying non-zero offset to non-null pointer 0x{{.*}} produced null pointer
+  // CHECK-UB-C: {{.*}}.cpp:[[@LINE-20]]:15: runtime error: applying offset to null pointer
+
+  return 0;
+}
author	Roman Lebedev <lebedev.ri@gmail.com>	2019-10-10 09:25:02 +0000
committer	Roman Lebedev <lebedev.ri@gmail.com>	2019-10-10 09:25:02 +0000
commit	a8681c5ca1c1304e4b61c8cede444abc103b05bf (patch)
tree	42a2119d5ff3d3a5475e2998a7f01003bf0ed134 /test/ubsan/TestCases/Pointer/nullptr-and-nonzero-offset-variable.cpp
parent	51a6e79ff7df8a7a1ca79fdda4fe0aec571da26c (diff)
download	compiler-rt-a8681c5ca1c1304e4b61c8cede444abc103b05bf.tar.gz