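//===-- ubsan_handlers.cpp ------------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Error logging entry points for the UBSan runtime.
//
//===----------------------------------------------------------------------===//

#include "ubsan_platform.h"
#if CAN_SANITIZE_UB
#include "ubsan_handlers.h"
#include "ubsan_diag.h"
#include "ubsan_flags.h"
#include "ubsan_monitor.h"
#include "ubsan_value.h"

#include "sanitizer_common/sanitizer_common.h"

using namespace __sanitizer;
using namespace __ubsan;

namespace __ubsan {
/// Decides whether a report for \p SLoc with error type \p ET may be dropped.
///
/// \returns false whenever \p Opts.FromUnrecoverableHandler is set; otherwise
/// true if \p SLoc is disabled or IsPCSuppressed() matches \p ET, the
/// reporting pc and the file name of \p SLoc.
bool ignoreReport(SourceLocation SLoc, ReportOptions Opts, ErrorType ET) {
  // We are not allowed to skip error report: if we are in unrecoverable
  // handler, we have to terminate the program right now, and therefore
  // have to print some diagnostic.
  //
  // Even if source location is disabled, it doesn't mean that we have
  // already reported an error to the user: some concurrently running
  // thread could have acquired it, but not yet printed the report.
  if (Opts.FromUnrecoverableHandler)
    return false;
  return SLoc.isDisabled() || IsPCSuppressed(ET, Opts.pc, SLoc.getFilename());
}

/// Situations in which we might emit a check for the suitability of a
/// pointer or glvalue. Needs to be kept in sync with CodeGenFunction.h in
/// clang.
enum TypeCheckKind {
  /// Checking the operand of a load. Must be suitably sized and aligned.
  TCK_Load,
  /// Checking the destination of a store. Must be suitably sized and aligned.
  TCK_Store,
  /// Checking the bound value in a reference binding. Must be suitably sized
  /// and aligned, but is not required to refer to an object (until the
  /// reference is used), per core issue 453.
  TCK_ReferenceBinding,
  /// Checking the object expression in a non-static data member access. Must
  /// be an object within its lifetime.
  TCK_MemberAccess,
  /// Checking the 'this' pointer for a call to a non-static member function.
  /// Must be an object within its lifetime.
  TCK_MemberCall,
  /// Checking the 'this' pointer for a constructor call.
  TCK_ConstructorCall,
  /// Checking the operand of a static_cast to a derived pointer type. Must be
  /// null or an object within its lifetime.
  TCK_DowncastPointer,
  /// Checking the operand of a static_cast to a derived reference type. Must
  /// be an object within its lifetime.
  TCK_DowncastReference,
  /// Checking the operand of a cast to a base object. Must be suitably sized
  /// and aligned.
  TCK_Upcast,
  /// Checking the operand of a cast to a virtual base object. Must be an
  /// object within its lifetime.
  TCK_UpcastToVirtualBase,
  /// Checking the value assigned to a _Nonnull pointer. Must not be null.
  TCK_NonnullAssign,
  /// Checking the operand of a dynamic_cast or a typeid expression. Must be
  /// null or an object within its lifetime.
  TCK_DynamicOperation
};

/// Diagnostic prefixes indexed by TypeCheckKind, one entry per enumerator in
/// declaration order. Both downcast kinds share the same text.
extern const char *const TypeCheckKinds[] = {
    "load of", "store to", "reference binding to", "member access within",
    "member call on", "constructor call on", "downcast of", "downcast of",
    "upcast of", "cast to virtual base of", "_Nonnull binding to",
    "dynamic operation on"};
}

/// Maps a type-check kind value to its diagnostic prefix.
///
/// The value is read from the check data handed to the handler, and the table
/// has to be kept in sync with clang by hand. A value past the end of
/// TypeCheckKinds would be read out of bounds and the result printed as a C
/// string, so such values get a generic prefix instead.
static const char *getTypeCheckKindName(unsigned Kind) {
  const unsigned NumKinds = sizeof(TypeCheckKinds) / sizeof(TypeCheckKinds[0]);
  return Kind < NumKinds ? TypeCheckKinds[Kind] : "access to";
}

/// Reports a failed pointer/glvalue suitability check.
///
/// The error type is derived from \p Pointer: null, misaligned with respect
/// to 2^LogAlignment, or otherwise treated as too small for the type.
///
/// \param Data    check description (location, type, alignment, check kind).
/// \param Pointer the checked address.
/// \param Opts    report options supplied by the entry point.
static void handleTypeMismatchImpl(TypeMismatchData *Data, ValueHandle Pointer,
                                   ReportOptions Opts) {
  Location Loc = Data->Loc.acquire();

  // NOTE(review): LogAlignment is used as a shift count without a range
  // check; presumably the compiler only emits values below the width of
  // uptr -- confirm.
  uptr Alignment = (uptr)1 << Data->LogAlignment;
  ErrorType ET;
  if (!Pointer)
    ET = (Data->TypeCheckKind == TCK_NonnullAssign)
             ? ErrorType::NullPointerUseWithNullability
             : ErrorType::NullPointerUse;
  else if (Pointer & (Alignment - 1))
    ET = ErrorType::MisalignedPointerUse;
  else
    ET = ErrorType::InsufficientObjectSize;

  // Use the SourceLocation from Data to track deduplication, even if it's
  // invalid.
  if (ignoreReport(Loc.getSourceLocation(), Opts, ET))
    return;

  // Without a usable source location, report against the caller's pc.
  SymbolizedStackHolder FallbackLoc;
  if (Data->Loc.isInvalid()) {
    FallbackLoc.reset(getCallerLocation(Opts.pc));
    Loc = FallbackLoc;
  }

  ScopedReport R(Opts, Loc, ET);

  // Bounded lookup: never index TypeCheckKinds with an unchecked value.
  const char *KindName = getTypeCheckKindName(Data->TypeCheckKind);

  switch (ET) {
  case ErrorType::NullPointerUse:
  case ErrorType::NullPointerUseWithNullability:
    Diag(Loc, DL_Error, ET, "%0 null pointer of type %1")
        << KindName << Data->Type;
    break;
  case ErrorType::MisalignedPointerUse:
    Diag(Loc, DL_Error, ET, "%0 misaligned address %1 for type %3, "
                            "which requires %2 byte alignment")
        << KindName << (void *)Pointer << Alignment << Data->Type;
    break;
  case ErrorType::InsufficientObjectSize:
    Diag(Loc, DL_Error, ET, "%0 address %1 with insufficient space "
                            "for an object of type %2")
        << KindName << (void *)Pointer << Data->Type;
    break;
  default:
    UNREACHABLE("unexpected error type!");
  }

  // For non-null pointers, add a note located at the address itself.
  if (Pointer)
    Diag(Pointer, DL_Note, ET, "pointer points here");
}

/// Entry point that reports a type mismatch and returns to the caller.
void __ubsan::__ubsan_handle_type_mismatch_v1(TypeMismatchData *Data,
                                              ValueHandle Pointer) {
  GET_REPORT_OPTIONS(false);
  handleTypeMismatchImpl(Data, Pointer, Opts);
}
/// Entry point that reports a type mismatch and then calls Die().
void __ubsan::__ubsan_handle_type_mismatch_v1_abort(TypeMismatchData *Data,
                                                    ValueHandle Pointer) {
  GET_REPORT_OPTIONS(true);
  handleTypeMismatchImpl(Data, Pointer, Opts);
  Die();
}

/// Reports a failed alignment assumption.
///
/// \param Data      check description (location, assumption location, type).
/// \param Pointer   the pointer value the assumption was made about.
/// \param Alignment the assumed alignment in bytes.
/// \param Offset    the offset given with the assumption, or 0.
/// \param Opts      report options supplied by the entry point.
static void handleAlignmentAssumptionImpl(AlignmentAssumptionData *Data,
                                          ValueHandle Pointer,
                                          ValueHandle Alignment,
                                          ValueHandle Offset,
                                          ReportOptions Opts) {
  Location Loc = Data->Loc.acquire();
  SourceLocation AssumptionLoc = Data->AssumptionLoc.acquire();

  ErrorType ET = ErrorType::AlignmentAssumption;

  if (ignoreReport(Loc.getSourceLocation(), Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  // The address that was expected to be aligned, with the offset removed.
  uptr RealPointer = Pointer - Offset;
  // The alignment the address actually has, reported as a power of two.
  uptr LSB = LeastSignificantSetBitIndex(RealPointer);
  uptr ActualAlignment = uptr(1) << LSB;

  // assumes Alignment is a power of two, so Alignment - 1 masks the low bits
  // -- TODO confirm against the code that emits the check.
  uptr Mask = Alignment - 1;
  uptr MisAlignmentOffset = RealPointer & Mask;

  if (!Offset) {
    Diag(Loc, DL_Error, ET,
         "assumption of %0 byte alignment for pointer of type %1 failed")
        << Alignment << Data->Type;
  } else {
    Diag(Loc, DL_Error, ET,
         "assumption of %0 byte alignment (with offset of %1 byte) for pointer "
         "of type %2 failed")
        << Alignment << Offset << Data->Type;
  }

  if (!AssumptionLoc.isInvalid())
    Diag(AssumptionLoc, DL_Note, ET, "alignment assumption was specified here");

  Diag(RealPointer, DL_Note, ET,
       "%0address is %1 aligned, misalignment offset is %2 bytes")
      << (Offset ? "offset " : "") << ActualAlignment << MisAlignmentOffset;
}

/// Entry point that reports a failed alignment assumption and returns.
void __ubsan::__ubsan_handle_alignment_assumption(AlignmentAssumptionData *Data,
                                                  ValueHandle Pointer,
                                                  ValueHandle Alignment,
                                                  ValueHandle Offset) {
  GET_REPORT_OPTIONS(false);
  handleAlignmentAssumptionImpl(Data, Pointer, Alignment, Offset, Opts);
}
/// Entry point that reports a failed alignment assumption and calls Die().
void __ubsan::__ubsan_handle_alignment_assumption_abort(
    AlignmentAssumptionData *Data, ValueHandle Pointer, ValueHandle Alignment,
    ValueHandle Offset) {
  GET_REPORT_OPTIONS(true);
  handleAlignmentAssumptionImpl(Data, Pointer, Alignment, Offset, Opts);
  Die();
}

/// \brief Common diagnostic emission for various forms of integer overflow.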
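template <typename T>
static void handleIntegerOverflowImpl(OverflowData *Data, ValueHandle LHS,
                                      const char *Operator, T RHS,
                                      ReportOptions Opts) {
  SourceLocation Loc = Data->Loc.acquire();
  bool IsSigned = Data->Type.isSignedIntegerTy();
  ErrorType ET = IsSigned ? ErrorType::SignedIntegerOverflow
                          : ErrorType::UnsignedIntegerOverflow;

  if (ignoreReport(Loc, Opts, ET))
    return;

  // If this is an unsigned overflow in non-fatal mode, potentially ignore it.
  if (!IsSigned && !Opts.FromUnrecoverableHandler &&
      flags()->silence_unsigned_overflow)
    return;

  ScopedReport R(Opts, Loc, ET);

  Diag(Loc, DL_Error, ET, "%0 integer overflow: "
                          "%1 %2 %3 cannot be represented in type %4")
      << (IsSigned ? "signed" : "unsigned") << Value(Data->Type, LHS)
      << Operator << RHS << Data->Type;
}

// Defines one overflow entry point named handler_name that reports the
// operation `LHS op RHS` and, when `unrecoverable` is true, calls Die() after
// reporting. `unrecoverable` is also what GET_REPORT_OPTIONS receives.
#define UBSAN_OVERFLOW_HANDLER(handler_name, op, unrecoverable)                \
  void __ubsan::handler_name(OverflowData *Data, ValueHandle LHS,              \
                             ValueHandle RHS) {                                \
    GET_REPORT_OPTIONS(unrecoverable);                                         \
    handleIntegerOverflowImpl(Data, LHS, op, Value(Data->Type, RHS), Opts);    \
    if (unrecoverable)                                                         \
      Die();                                                                   \
  }

UBSAN_OVERFLOW_HANDLER(__ubsan_handle_add_overflow, "+", false)
UBSAN_OVERFLOW_HANDLER(__ubsan_handle_add_overflow_abort, "+", true)
UBSAN_OVERFLOW_HANDLER(__ubsan_handle_sub_overflow, "-", false)
UBSAN_OVERFLOW_HANDLER(__ubsan_handle_sub_overflow_abort, "-", true)
UBSAN_OVERFLOW_HANDLER(__ubsan_handle_mul_overflow, "*", false)
UBSAN_OVERFLOW_HANDLER(__ubsan_handle_mul_overflow_abort, "*", true)

/// Reports a negation whose result cannot be represented in the operand type.
///
/// \param Data   check description (location and operand type).
/// \param OldVal the value that was negated.
/// \param Opts   report options supplied by the entry point.
static void handleNegateOverflowImpl(OverflowData *Data, ValueHandle OldVal,
                                     ReportOptions Opts) {
  SourceLocation Loc = Data->Loc.acquire();
  bool IsSigned = Data->Type.isSignedIntegerTy();
  ErrorType ET = IsSigned ? ErrorType::SignedIntegerOverflow
                          : ErrorType::UnsignedIntegerOverflow;

  if (ignoreReport(Loc, Opts, ET))
    return;

  // Only silence unsigned negation in recoverable mode. The _abort entry
  // point calls Die() right after this function returns, so returning early
  // there would end the program without any diagnostic. This is the same
  // guard handleIntegerOverflowImpl uses.
  if (!IsSigned && !Opts.FromUnrecoverableHandler &&
      flags()->silence_unsigned_overflow)
    return;

  ScopedReport R(Opts, Loc, ET);

  if (IsSigned)
    Diag(Loc, DL_Error, ET,
         "negation of %0 cannot be represented in type %1; "
         "cast to an unsigned type to negate this value to itself")
        << Value(Data->Type, OldVal) << Data->Type;
  else
    Diag(Loc, DL_Error, ET, "negation of %0 cannot be represented in type %1")
        << Value(Data->Type, OldVal) << Data->Type;
}

/// Entry point that reports a negation overflow and returns.
void __ubsan::__ubsan_handle_negate_overflow(OverflowData *Data,
                                             ValueHandle OldVal) {
  GET_REPORT_OPTIONS(false);
  handleNegateOverflowImpl(Data, OldVal, Opts);
}
/// Entry point that reports a negation overflow and then calls Die().
void __ubsan::__ubsan_handle_negate_overflow_abort(OverflowData *Data,
                                                    ValueHandle OldVal) {
  GET_REPORT_OPTIONS(true);
  handleNegateOverflowImpl(Data, OldVal, Opts);
  Die();
}

/// Reports an invalid division or remainder.
///
/// A divisor of -1 is reported as signed integer overflow; any other divisor
/// is reported as division by zero, integer or floating point depending on
/// the operand type.
static void handleDivremOverflowImpl(OverflowData *Data, ValueHandle LHS,
                                     ValueHandle RHS, ReportOptions Opts) {
  SourceLocation Loc = Data->Loc.acquire();
  Value LHSVal(Data->Type, LHS);
  Value RHSVal(Data->Type, RHS);

  ErrorType ET;
  if (RHSVal.isMinusOne())
    ET = ErrorType::SignedIntegerOverflow;
  else if (Data->Type.isIntegerTy())
    ET = ErrorType::IntegerDivideByZero;
  else
    ET = ErrorType::FloatDivideByZero;

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  switch (ET) {
  case ErrorType::SignedIntegerOverflow:
    Diag(Loc, DL_Error, ET,
         "division of %0 by -1 cannot be represented in type %1")
        << LHSVal << Data->Type;
    break;
  default:
    // Both divide-by-zero error types share one message.
    Diag(Loc, DL_Error, ET, "division by zero");
    break;
  }
}

/// Entry point that reports an invalid division/remainder and returns.
void __ubsan::__ubsan_handle_divrem_overflow(OverflowData *Data,
                                             ValueHandle LHS, ValueHandle RHS) {
  GET_REPORT_OPTIONS(false);
  handleDivremOverflowImpl(Data, LHS, RHS, Opts);
}
/// Entry point that reports an invalid division/remainder and calls Die().
void __ubsan::__ubsan_handle_divrem_overflow_abort(OverflowData *Data,
                                                    ValueHandle LHS,
                                                    ValueHandle RHS) {
  GET_REPORT_OPTIONS(true);
  handleDivremOverflowImpl(Data, LHS, RHS, Opts);
  Die();
}

/// Reports an invalid shift.
///
/// A negative exponent, or one that is at least the bit width of the left
/// operand's type, is an invalid exponent; every other call is reported as an
/// invalid shift base.
static void handleShiftOutOfBoundsImpl(ShiftOutOfBoundsData *Data,
                                       ValueHandle LHS, ValueHandle RHS,
                                       ReportOptions Opts) {
  SourceLocation Loc = Data->Loc.acquire();
  Value LHSVal(Data->LHSType, LHS);
  Value RHSVal(Data->RHSType, RHS);

  ErrorType ET;
  if (RHSVal.isNegative() ||
      RHSVal.getPositiveIntValue() >= Data->LHSType.getIntegerBitWidth())
    ET = ErrorType::InvalidShiftExponent;
  else
    ET = ErrorType::InvalidShiftBase;

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  if (ET == ErrorType::InvalidShiftExponent) {
    if (RHSVal.isNegative())
      Diag(Loc, DL_Error, ET, "shift exponent %0 is negative") << RHSVal;
    else
      Diag(Loc, DL_Error, ET,
           "shift exponent %0 is too large for %1-bit type %2")
          << RHSVal << Data->LHSType.getIntegerBitWidth() << Data->LHSType;
  } else {
    if (LHSVal.isNegative())
      Diag(Loc, DL_Error, ET, "left shift of negative value %0") << LHSVal;
    else
      Diag(Loc, DL_Error, ET,
           "left shift of %0 by %1 places cannot be represented in type %2")
          << LHSVal << RHSVal << Data->LHSType;
  }
}

/// Entry point that reports an invalid shift and returns.
void __ubsan::__ubsan_handle_shift_out_of_bounds(ShiftOutOfBoundsData *Data,
                                                 ValueHandle LHS,
                                                 ValueHandle RHS) {
  GET_REPORT_OPTIONS(false);
  handleShiftOutOfBoundsImpl(Data, LHS, RHS, Opts);
}
/// Entry point that reports an invalid shift and then calls Die().
void __ubsan::__ubsan_handle_shift_out_of_bounds_abort(
                                                     ShiftOutOfBoundsData *Data,
                                                     ValueHandle LHS,
                                                     ValueHandle RHS) {
  GET_REPORT_OPTIONS(true);
  handleShiftOutOfBoundsImpl(Data, LHS, RHS, Opts);
  Die();
}

/// Reports an array index that is out of bounds for the array type.
///
/// Only the index value and the array type are printed; the array bound
/// itself is not part of the message.
static void handleOutOfBoundsImpl(OutOfBoundsData *Data, ValueHandle Index,
                                  ReportOptions Opts) {
  SourceLocation Loc = Data->Loc.acquire();
  ErrorType ET = ErrorType::OutOfBoundsIndex;

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  Value IndexVal(Data->IndexType, Index);
  Diag(Loc, DL_Error, ET, "index %0 out of bounds for type %1")
    << IndexVal << Data->ArrayType;
}

/// Entry point that reports an out-of-bounds index and returns.
void __ubsan::__ubsan_handle_out_of_bounds(OutOfBoundsData *Data,
                                           ValueHandle Index) {
  GET_REPORT_OPTIONS(false);
  handleOutOfBoundsImpl(Data, Index, Opts);
}
/// Entry point that reports an out-of-bounds index and then calls Die().
void __ubsan::__ubsan_handle_out_of_bounds_abort(OutOfBoundsData *Data,
                                                 ValueHandle Index) {
  GET_REPORT_OPTIONS(true);
  handleOutOfBoundsImpl(Data, Index, Opts);
  Die();
}

/// Reports that an unreachable program point was executed.
///
/// Unlike most handlers here this does not call acquire() or ignoreReport();
/// its only caller in this file always calls Die() afterwards.
static void handleBuiltinUnreachableImpl(UnreachableData *Data,
                                         ReportOptions Opts) {
  ErrorType ET = ErrorType::UnreachableCall;
  ScopedReport R(Opts, Data->Loc, ET);
  Diag(Data->Loc, DL_Error, ET,
       "execution reached an unreachable program point");
}

/// Entry point for an executed unreachable point; always calls Die().
void __ubsan::__ubsan_handle_builtin_unreachable(UnreachableData *Data) {
  GET_REPORT_OPTIONS(true);
  handleBuiltinUnreachableImpl(Data, Opts);
  Die();
}

/// Reports that a value-returning function ended without returning a value.
///
/// Like handleBuiltinUnreachableImpl, this reports unconditionally.
static void handleMissingReturnImpl(UnreachableData *Data, ReportOptions Opts) {
  ErrorType ET = ErrorType::MissingReturn;
  ScopedReport R(Opts, Data->Loc, ET);
  Diag(Data->Loc, DL_Error, ET,
       "execution reached the end of a value-returning function "
       "without returning a value");
}

/// Entry point for a missing return; always calls Die().
void __ubsan::__ubsan_handle_missing_return(UnreachableData *Data) {
  GET_REPORT_OPTIONS(true);
  handleMissingReturnImpl(Data, Opts);
  Die();
}

/// Reports a variable length array bound that is not positive.
static void handleVLABoundNotPositive(VLABoundData *Data, ValueHandle Bound,
                                      ReportOptions Opts) {
  SourceLocation Loc = Data->Loc.acquire();
  ErrorType ET = ErrorType::NonPositiveVLAIndex;

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  Diag(Loc, DL_Error, ET, "variable length array bound evaluates to "
                          "non-positive value %0")
      << Value(Data->Type, Bound);
}

/// Entry point that reports a non-positive VLA bound and returns.
void __ubsan::__ubsan_handle_vla_bound_not_positive(VLABoundData *Data,
                                                    ValueHandle Bound) {
  GET_REPORT_OPTIONS(false);
  handleVLABoundNotPositive(Data, Bound, Opts);
}
/// Entry point that reports a non-positive VLA bound and then calls Die().
void __ubsan::__ubsan_handle_vla_bound_not_positive_abort(VLABoundData *Data,
                                                          ValueHandle Bound) {
  GET_REPORT_OPTIONS(true);
  handleVLABoundNotPositive(Data, Bound, Opts);
  Die();
}

/// Guesses whether \p Data uses the older float-cast-overflow layout.
///
/// The first pointer-sized field of \p Data is copied out and the first two
/// bytes it points to are inspected, so the result is a heuristic about the
/// pointee rather than a check of a version tag.
///
/// \returns true if the pointee looks like a TypeDescriptor rather than a
/// file name.
static bool looksLikeFloatCastOverflowDataV1(void *Data) {
  // First field is either a pointer to filename or a pointer to a
  // TypeDescriptor.
  u8 *FilenameOrTypeDescriptor;
  internal_memcpy(&FilenameOrTypeDescriptor, Data,
                  sizeof(FilenameOrTypeDescriptor));

  // Heuristic: For float_cast_overflow, the TypeKind will be either TK_Integer
  // (0x0), TK_Float (0x1) or TK_Unknown (0xff). If both types are known,
  // adding both bytes will be 0 or 1 (for BE or LE). If it were a filename,
  // adding two printable characters will not yield such a value. Otherwise,
  // if one of them is 0xff, this is most likely TK_Unknown type descriptor.
  u16 MaybeFromTypeKind =
      FilenameOrTypeDescriptor[0] + FilenameOrTypeDescriptor[1];
  return MaybeFromTypeKind < 2 || FilenameOrTypeDescriptor[0] == 0xff ||
         FilenameOrTypeDescriptor[1] == 0xff;
}

/// Reports a floating-point conversion whose value is out of range for the
/// destination type.
///
/// \p DataPtr is interpreted as FloatCastOverflowData when the heuristic above
/// matches and as FloatCastOverflowDataV2 otherwise.
static void handleFloatCastOverflow(void *DataPtr, ValueHandle From,
                                    ReportOptions Opts) {
  SymbolizedStackHolder CallerLoc;
  Location Loc;
  const TypeDescriptor *FromType, *ToType;
  ErrorType ET = ErrorType::FloatCastOverflow;

  if (looksLikeFloatCastOverflowDataV1(DataPtr)) {
    // The V1 layout is read without a source location, so the report is
    // located at the caller's pc and ignoreReport() is not consulted on this
    // path.
    auto Data = reinterpret_cast<FloatCastOverflowData *>(DataPtr);
    CallerLoc.reset(getCallerLocation(Opts.pc));
    Loc = CallerLoc;
    FromType = &Data->FromType;
    ToType = &Data->ToType;
  } else {
    auto Data = reinterpret_cast<FloatCastOverflowDataV2 *>(DataPtr);
    SourceLocation SLoc = Data->Loc.acquire();
    if (ignoreReport(SLoc, Opts, ET))
      return;
    Loc = SLoc;
    FromType = &Data->FromType;
    ToType = &Data->ToType;
  }

  ScopedReport R(Opts, Loc, ET);

  // The source type is streamed as %1 but the format string only uses %0 and
  // %2.
  Diag(Loc, DL_Error, ET,
       "%0 is outside the range of representable values of type %2")
      << Value(*FromType, From) << *FromType << *ToType;
}

/// Entry point that reports a float cast overflow and returns.
void __ubsan::__ubsan_handle_float_cast_overflow(void *Data, ValueHandle From) {
  GET_REPORT_OPTIONS(false);
  handleFloatCastOverflow(Data, From, Opts);
}
/// Entry point that reports a float cast overflow and then calls Die().
void __ubsan::__ubsan_handle_float_cast_overflow_abort(void *Data,
                                                       ValueHandle From) {
  GET_REPORT_OPTIONS(true);
  handleFloatCastOverflow(Data, From, Opts);
  Die();
}

/// Reports a load of a value that is not valid for its bool or enum type.
///
/// The bool/enum distinction is made from the type name: exactly "'bool'", or
/// a name whose first six characters are "'BOOL'".
static void handleLoadInvalidValue(InvalidValueData *Data, ValueHandle Val,
                                   ReportOptions Opts) {
  SourceLocation Loc = Data->Loc.acquire();
  // This check could be more precise if we used different handlers for
  // -fsanitize=bool and -fsanitize=enum.
  bool IsBool = (0 == internal_strcmp(Data->Type.getTypeName(), "'bool'")) ||
                (0 == internal_strncmp(Data->Type.getTypeName(), "'BOOL'", 6));
  ErrorType ET =
      IsBool ? ErrorType::InvalidBoolLoad : ErrorType::InvalidEnumLoad;

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  Diag(Loc, DL_Error, ET,
       "load of value %0, which is not a valid value for type %1")
      << Value(Data->Type, Val) << Data->Type;
}

/// Entry point that reports an invalid bool/enum load and returns.
void __ubsan::__ubsan_handle_load_invalid_value(InvalidValueData *Data,
                                                ValueHandle Val) {
  GET_REPORT_OPTIONS(false);
  handleLoadInvalidValue(Data, Val, Opts);
}
/// Entry point that reports an invalid bool/enum load and then calls Die().
void __ubsan::__ubsan_handle_load_invalid_value_abort(InvalidValueData *Data,
                                                      ValueHandle Val) {
  GET_REPORT_OPTIONS(true);
  handleLoadInvalidValue(Data, Val, Opts);
  Die();
}

/// Reports an implicit integer conversion that changed the value.
///
/// \param Data check description (location, source and destination types,
///             conversion kind, bitfield width).
/// \param Opts report options supplied by the entry point.
/// \param Src  the value before the conversion.
/// \param Dst  the value after the conversion.
static void handleImplicitConversion(ImplicitConversionData *Data,
                                     ReportOptions Opts, ValueHandle Src,
                                     ValueHandle Dst) {
  SourceLocation Loc = Data->Loc.acquire();
  const TypeDescriptor &SrcTy = Data->FromType;
  const TypeDescriptor &DstTy = Data->ToType;
  bool SrcSigned = SrcTy.isSignedIntegerTy();
  bool DstSigned = DstTy.isSignedIntegerTy();
  // Stays GenericUB when Data->Kind matches none of the cases below; the
  // switch has no default.
  ErrorType ET = ErrorType::GenericUB;

  switch (Data->Kind) {
  case ICCK_IntegerTruncation: { // Legacy, no longer used.
    // Let's figure out what it should be as per the new types, and upgrade.
    // If both types are unsigned, then it's an unsigned truncation.
    // Else, it is a signed truncation.
    if (!SrcSigned && !DstSigned) {
      ET = ErrorType::ImplicitUnsignedIntegerTruncation;
    } else {
      ET = ErrorType::ImplicitSignedIntegerTruncation;
    }
    break;
  }
  case ICCK_UnsignedIntegerTruncation:
    ET = ErrorType::ImplicitUnsignedIntegerTruncation;
    break;
  case ICCK_SignedIntegerTruncation:
    ET = ErrorType::ImplicitSignedIntegerTruncation;
    break;
  case ICCK_IntegerSignChange:
    ET = ErrorType::ImplicitIntegerSignChange;
    break;
  case ICCK_SignedIntegerTruncationOrSignChange:
    ET = ErrorType::ImplicitSignedIntegerTruncationOrSignChange;
    break;
  }

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  // In the case we have a bitfield, we want to explicitly say so in the
  // error message.
  // FIXME: is it possible to dump the values as hex with fixed width?
  if (Data->BitfieldBits)
    Diag(Loc, DL_Error, ET,
         "implicit conversion from type %0 of value %1 (%2-bit, %3signed) to "
         "type %4 changed the value to %5 (%6-bit bitfield, %7signed)")
        << SrcTy << Value(SrcTy, Src) << SrcTy.getIntegerBitWidth()
        << (SrcSigned ? "" : "un") << DstTy << Value(DstTy, Dst)
        << Data->BitfieldBits << (DstSigned ? "" : "un");
  else
    Diag(Loc, DL_Error, ET,
         "implicit conversion from type %0 of value %1 (%2-bit, %3signed) to "
         "type %4 changed the value to %5 (%6-bit, %7signed)")
        << SrcTy << Value(SrcTy, Src) << SrcTy.getIntegerBitWidth()
        << (SrcSigned ? "" : "un") << DstTy << Value(DstTy, Dst)
        << DstTy.getIntegerBitWidth() << (DstSigned ? "" : "un");
}

/// Entry point that reports a value-changing implicit conversion and returns.
void __ubsan::__ubsan_handle_implicit_conversion(ImplicitConversionData *Data,
                                                 ValueHandle Src,
                                                 ValueHandle Dst) {
  GET_REPORT_OPTIONS(false);
  handleImplicitConversion(Data, Opts, Src, Dst);
}
/// Entry point that reports a value-changing implicit conversion and then
/// calls Die().
void __ubsan::__ubsan_handle_implicit_conversion_abort(
    ImplicitConversionData *Data, ValueHandle Src, ValueHandle Dst) {
  GET_REPORT_OPTIONS(true);
  handleImplicitConversion(Data, Opts, Src, Dst);
  Die();
}

/// Reports a zero argument passed to a count-zeros builtin.
///
/// Any kind other than BCK_CTZPassedZero is reported as "clz()".
static void handleInvalidBuiltin(InvalidBuiltinData *Data, ReportOptions Opts) {
  SourceLocation Loc = Data->Loc.acquire();
  ErrorType ET = ErrorType::InvalidBuiltin;

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  Diag(Loc, DL_Error, ET,
       "passing zero to %0, which is not a valid argument")
    << ((Data->Kind == BCK_CTZPassedZero) ? "ctz()" : "clz()");
}

/// Entry point that reports an invalid builtin argument and returns.
void __ubsan::__ubsan_handle_invalid_builtin(InvalidBuiltinData *Data) {
  // NOTE(review): this entry point returns to the caller, yet it requests
  // unrecoverable report options, unlike the other handlers in this file that
  // return without calling Die(). With that flag set ignoreReport() always
  // returns false, so the disabled-location and IsPCSuppressed() checks never
  // apply here. Confirm whether GET_REPORT_OPTIONS(false) was intended.
  GET_REPORT_OPTIONS(true);
  handleInvalidBuiltin(Data, Opts);
}
/// Entry point that reports an invalid builtin argument and then calls Die().
void __ubsan::__ubsan_handle_invalid_builtin_abort(InvalidBuiltinData *Data) {
  GET_REPORT_OPTIONS(true);
  handleInvalidBuiltin(Data, Opts);
  Die();
}

/// Reports an Objective-C cast to a type the object does not have.
///
/// The object's class name is looked up with getObjCClassName(); when that
/// returns null the message uses "<unknown type>".
static void handleInvalidObjCCast(InvalidObjCCast *Data, ValueHandle Pointer,
                                  ReportOptions Opts) {
  SourceLocation Loc = Data->Loc.acquire();
  ErrorType ET = ErrorType::InvalidObjCCast;

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  const char *GivenClass = getObjCClassName(Pointer);
  const char *GivenClassStr = GivenClass ? GivenClass : "<unknown type>";

  Diag(Loc, DL_Error, ET,
       "invalid ObjC cast, object is a '%0', but expected a %1")
      << GivenClassStr << Data->ExpectedType;
}

/// Entry point that reports an invalid ObjC cast and returns.
void __ubsan::__ubsan_handle_invalid_objc_cast(InvalidObjCCast *Data,
                                               ValueHandle Pointer) {
  GET_REPORT_OPTIONS(false);
  handleInvalidObjCCast(Data, Pointer, Opts);
}
/// Entry point that reports an invalid ObjC cast and then calls Die().
void __ubsan::__ubsan_handle_invalid_objc_cast_abort(InvalidObjCCast *Data,
                                                     ValueHandle Pointer) {
  GET_REPORT_OPTIONS(true);
  handleInvalidObjCCast(Data, Pointer, Opts);
  Die();
}

/// Reports a null pointer returned from a function declared never to do so.
///
/// \param Data   check description; only the attribute location is read.
/// \param LocPtr location of the return; must not be null.
/// \param Opts   report options supplied by the entry point.
/// \param IsAttr true for the returns_nonnull attribute, false for a _Nonnull
///               return type annotation.
static void handleNonNullReturn(NonNullReturnData *Data, SourceLocation *LocPtr,
                                ReportOptions Opts, bool IsAttr) {
  // A null location pointer is treated as a fatal internal error before
  // anything is dereferenced.
  if (!LocPtr)
    UNREACHABLE("source location pointer is null!");

  SourceLocation Loc = LocPtr->acquire();
  ErrorType ET = IsAttr ? ErrorType::InvalidNullReturn
                        : ErrorType::InvalidNullReturnWithNullability;

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  Diag(Loc, DL_Error, ET,
       "null pointer returned from function declared to never return null");
  if (!Data->AttrLoc.isInvalid())
    Diag(Data->AttrLoc, DL_Note, ET, "%0 specified here")
        << (IsAttr ? "returns_nonnull attribute"
                   : "_Nonnull return type annotation");
}

/// returns_nonnull entry point that reports and returns.
void __ubsan::__ubsan_handle_nonnull_return_v1(NonNullReturnData *Data,
                                               SourceLocation *LocPtr) {
  GET_REPORT_OPTIONS(false);
  handleNonNullReturn(Data, LocPtr, Opts, true);
}

/// returns_nonnull entry point that reports and then calls Die().
void __ubsan::__ubsan_handle_nonnull_return_v1_abort(NonNullReturnData *Data,
                                                     SourceLocation *LocPtr) {
  GET_REPORT_OPTIONS(true);
  handleNonNullReturn(Data, LocPtr, Opts, true);
  Die();
}

/// _Nonnull return annotation entry point that reports and returns.
void __ubsan::__ubsan_handle_nullability_return_v1(NonNullReturnData *Data,
                                                   SourceLocation *LocPtr) {
  GET_REPORT_OPTIONS(false);
  handleNonNullReturn(Data, LocPtr, Opts, false);
}

/// _Nonnull return annotation entry point that reports and then calls Die().
void __ubsan::__ubsan_handle_nullability_return_v1_abort(
    NonNullReturnData *Data, SourceLocation *LocPtr) {
  GET_REPORT_OPTIONS(true);
  handleNonNullReturn(Data, LocPtr, Opts, false);
  Die();
}

/// Reports a null pointer passed for an argument declared never to be null.
///
/// \param Data   check description (location, attribute location, argument
///               index).
/// \param Opts   report options supplied by the entry point.
/// \param IsAttr true for the nonnull attribute, false for a _Nonnull type
///               annotation.
static void handleNonNullArg(NonNullArgData *Data, ReportOptions Opts,
                             bool IsAttr) {
  SourceLocation Loc = Data->Loc.acquire();
  ErrorType ET = IsAttr ? ErrorType::InvalidNullArgument
                        : ErrorType::InvalidNullArgumentWithNullability;

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  Diag(Loc, DL_Error, ET,
       "null pointer passed as argument %0, which is declared to "
       "never be null")
      << Data->ArgIndex;
  if (!Data->AttrLoc.isInvalid())
    Diag(Data->AttrLoc, DL_Note, ET, "%0 specified here")
        << (IsAttr ? "nonnull attribute" : "_Nonnull type annotation");
}

/// nonnull attribute entry point that reports and returns.
void __ubsan::__ubsan_handle_nonnull_arg(NonNullArgData *Data) {
  GET_REPORT_OPTIONS(false);
  handleNonNullArg(Data, Opts, true);
}

/// nonnull attribute entry point that reports and then calls Die().
void __ubsan::__ubsan_handle_nonnull_arg_abort(NonNullArgData *Data) {
  GET_REPORT_OPTIONS(true);
  handleNonNullArg(Data, Opts, true);
  Die();
}

/// _Nonnull argument annotation entry point that reports and returns.
void __ubsan::__ubsan_handle_nullability_arg(NonNullArgData *Data) {
  GET_REPORT_OPTIONS(false);
  handleNonNullArg(Data, Opts, false);
}

/// _Nonnull argument annotation entry point that reports and calls Die().
void __ubsan::__ubsan_handle_nullability_arg_abort(NonNullArgData *Data) {
  GET_REPORT_OPTIONS(true);
  handleNonNullArg(Data, Opts, false);
  Die();
}

/// Reports invalid pointer arithmetic.
///
/// The error type is chosen from which of \p Base and \p Result are null;
/// when neither is, the report is a pointer overflow.
///
/// \param Data   check description (location).
/// \param Base   the pointer before the offset was applied.
/// \param Result the pointer after the offset was applied.
/// \param Opts   report options supplied by the entry point.
static void handlePointerOverflowImpl(PointerOverflowData *Data,
                                      ValueHandle Base,
                                      ValueHandle Result,
                                      ReportOptions Opts) {
  SourceLocation Loc = Data->Loc.acquire();
  ErrorType ET;

  if (Base == 0 && Result == 0)
    ET = ErrorType::NullptrWithOffset;
  else if (Base == 0 && Result != 0)
    ET = ErrorType::NullptrWithNonZeroOffset;
  else if (Base != 0 && Result == 0)
    ET = ErrorType::NullptrAfterNonZeroOffset;
  else
    ET = ErrorType::PointerOverflow;

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  if (ET == ErrorType::NullptrWithOffset) {
    Diag(Loc, DL_Error, ET, "applying zero offset to null pointer");
  } else if (ET == ErrorType::NullptrWithNonZeroOffset) {
    // Base is null here, so Result is printed as the offset.
    Diag(Loc, DL_Error, ET, "applying non-zero offset %0 to null pointer")
        << Result;
  } else if (ET == ErrorType::NullptrAfterNonZeroOffset) {
    Diag(
        Loc, DL_Error, ET,
        "applying non-zero offset to non-null pointer %0 produced null pointer")
        << (void *)Base;
  } else if ((sptr(Base) >= 0) == (sptr(Result) >= 0)) {
    // Same sign when viewed as signed values: describe the operation as an
    // unsigned offset that wrapped, in the direction Base and Result imply.
    if (Base > Result)
      Diag(Loc, DL_Error, ET,
           "addition of unsigned offset to %0 overflowed to %1")
          << (void *)Base << (void *)Result;
    else
      Diag(Loc, DL_Error, ET,
           "subtraction of unsigned offset from %0 overflowed to %1")
          << (void *)Base << (void *)Result;
  } else {
    Diag(Loc, DL_Error, ET,
         "pointer index expression with base %0 overflowed to %1")
        << (void *)Base << (void *)Result;
  }
}

/// Entry point that reports invalid pointer arithmetic and returns.
void __ubsan::__ubsan_handle_pointer_overflow(PointerOverflowData *Data,
                                              ValueHandle Base,
                                              ValueHandle Result) {
  GET_REPORT_OPTIONS(false);
  handlePointerOverflowImpl(Data, Base, Result, Opts);
}

/// Entry point that reports invalid pointer arithmetic and then calls Die().
void __ubsan::__ubsan_handle_pointer_overflow_abort(PointerOverflowData *Data,
                                                    ValueHandle Base,
                                                    ValueHandle Result) {
  GET_REPORT_OPTIONS(true);
  handlePointerOverflowImpl(Data, Base, Result, Opts);
  Die();
}

/// Reports a control flow integrity failure for an indirect call or a
/// non-virtual pointer-to-member-function call.
///
/// \param Data     check description (location, type, check kind).
/// \param Function the address that was about to be called.
/// \param Opts     report options supplied by the entry point.
static void handleCFIBadIcall(CFICheckFailData *Data, ValueHandle Function,
                              ReportOptions Opts) {
  // Any other check kind is not handled here; stop instead of reporting it
  // with the wrong description.
  if (Data->CheckKind != CFITCK_ICall && Data->CheckKind != CFITCK_NVMFCall)
    Die();

  SourceLocation Loc = Data->Loc.acquire();
  ErrorType ET = ErrorType::CFIBadType;

  if (ignoreReport(Loc, Opts, ET))
    return;

  ScopedReport R(Opts, Loc, ET);

  const char *CheckKindStr = Data->CheckKind == CFITCK_NVMFCall
                                 ? "non-virtual pointer to member function call"
                                 : "indirect function call";
  Diag(Loc, DL_Error, ET,
       "control flow integrity check for type %0 failed during %1")
      << Data->Type << CheckKindStr;

  // Symbolize the call target so the report can name it.
  SymbolizedStackHolder FLoc(getSymbolizedLocation(Function));
  const char *FName = FLoc.get()->info.function;
  if (!FName)
    FName = "(unknown)";
  Diag(FLoc, DL_Note, ET, "%0 defined here") << FName;

  // If the failure involved different DSOs for the check location and icall
  // target, report the DSO names.
  const char *DstModule = FLoc.get()->info.module;
  if (!DstModule)
    DstModule = "(unknown)";

  const char *SrcModule = Symbolizer::GetOrInit()->GetModuleNameForPc(Opts.pc);
  if (!SrcModule)
    SrcModule = "(unknown)";

  if (internal_strcmp(SrcModule, DstModule))
    Diag(Loc, DL_Note, ET,
         "check failed in %0, destination function located in %1")
        << SrcModule << DstModule;
}

namespace __ubsan {

// __ubsan_handle_cfi_bad_type handles the CFI check kinds that
// handleCFIBadIcall does not. With UBSAN_CAN_USE_CXXABI it is only declared
// here: as a weak symbol, or on Windows as an alias whose default calls
// Die(). Without UBSAN_CAN_USE_CXXABI it is defined here and calls Die().
#ifdef UBSAN_CAN_USE_CXXABI

#ifdef _WIN32

extern "C" void __ubsan_handle_cfi_bad_type_default(CFICheckFailData *Data,
                                                    ValueHandle Vtable,
                                                    bool ValidVtable,
                                                    ReportOptions Opts) {
  Die();
}

WIN_WEAK_ALIAS(__ubsan_handle_cfi_bad_type, __ubsan_handle_cfi_bad_type_default)
#else
SANITIZER_WEAK_ATTRIBUTE
#endif
void __ubsan_handle_cfi_bad_type(CFICheckFailData *Data, ValueHandle Vtable,
                                 bool ValidVtable, ReportOptions Opts);

#else
void __ubsan_handle_cfi_bad_type(CFICheckFailData *Data, ValueHandle Vtable,
                                 bool ValidVtable, ReportOptions Opts) {
  Die();
}
#endif

}  // namespace __ubsan

/// Entry point for a failed CFI check; reports and returns.
///
/// Indirect-call and non-virtual member-function-call kinds are reported by
/// handleCFIBadIcall; every other kind is forwarded to
/// __ubsan_handle_cfi_bad_type, where \p ValidVtable is converted to bool.
void __ubsan::__ubsan_handle_cfi_check_fail(CFICheckFailData *Data,
                                            ValueHandle Value,
                                            uptr ValidVtable) {
  GET_REPORT_OPTIONS(false);
  if (Data->CheckKind == CFITCK_ICall || Data->CheckKind == CFITCK_NVMFCall)
    handleCFIBadIcall(Data, Value, Opts);
  else
    __ubsan_handle_cfi_bad_type(Data, Value, ValidVtable, Opts);
}

/// Entry point for a failed CFI check; dispatches like the recoverable
/// variant and then calls Die().
void __ubsan::__ubsan_handle_cfi_check_fail_abort(CFICheckFailData *Data,
                                                  ValueHandle Value,
                                                  uptr ValidVtable) {
  GET_REPORT_OPTIONS(true);
  if (Data->CheckKind == CFITCK_ICall || Data->CheckKind == CFITCK_NVMFCall)
    handleCFIBadIcall(Data, Value, Opts);
  else
    __ubsan_handle_cfi_bad_type(Data, Value, ValidVtable, Opts);
  Die();
}

/// Reports a call through a pointer to an incorrect function type.
///
/// \returns true on every path, including when the report is ignored, so the
/// _abort entry point below always goes on to call Die().
static bool handleFunctionTypeMismatch(FunctionTypeMismatchData *Data,
                                       ValueHandle Function,
                                       ReportOptions Opts) {
  SourceLocation CallLoc = Data->Loc.acquire();
  ErrorType ET = ErrorType::FunctionTypeMismatch;
  if (ignoreReport(CallLoc, Opts, ET))
    return true;

  ScopedReport R(Opts, CallLoc, ET);

  // Symbolize the callee so the report can name it and point at it.
  SymbolizedStackHolder FLoc(getSymbolizedLocation(Function));
  const char *FName = FLoc.get()->info.function;
  if (!FName)
    FName = "(unknown)";

  Diag(CallLoc, DL_Error, ET,
       "call to function %0 through pointer to incorrect function type %1")
      << FName << Data->Type;
  Diag(FLoc, DL_Note, ET, "%0 defined here") << FName;
  return true;
}

/// Entry point that reports a function type mismatch and returns.
void __ubsan::__ubsan_handle_function_type_mismatch(
    FunctionTypeMismatchData *Data, ValueHandle Function) {
  GET_REPORT_OPTIONS(false);
  handleFunctionTypeMismatch(Data, Function, Opts);
}

/// Entry point that reports a function type mismatch and then calls Die().
void __ubsan::__ubsan_handle_function_type_mismatch_abort(
    FunctionTypeMismatchData *Data, ValueHandle Function) {
  GET_REPORT_OPTIONS(true);
  if (handleFunctionTypeMismatch(Data, Function, Opts))
    Die();
}

#endif  // CAN_SANITIZE_UB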