summaryrefslogtreecommitdiffstats
path: root/docs/UndefinedBehaviorSanitizer.rst
Commit message (Collapse)AuthorAgeFilesLines
* [ubsan] Diagnose noreturn functions which returnVedant Kumar2017-12-211-2/+2
| | | | | | | | | | | | | | | | | | Diagnose 'unreachable' UB when a noreturn function returns. 1. Insert a check at the end of functions marked noreturn. 2. A decl may be marked noreturn in the caller TU, but not marked in the TU where it's defined. To diagnose this scenario, strip away the noreturn attribute on the callee and insert check after calls to it. Testing: check-clang, check-ubsan, check-ubsan-minimal, D40700 rdar://33660464 Differential Revision: https://reviews.llvm.org/D40698 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@321231 91177308-0d34-0410-b5e6-96231b3b80d8
* [ubsan] Enable -fsanitize=function on DarwinVedant Kumar2017-09-131-1/+2
| | | | | | https://reviews.llvm.org/D37598 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@313099 91177308-0d34-0410-b5e6-96231b3b80d8
* [ubsan-minimal] Document the new runtimeVedant Kumar2017-09-111-0/+13
| | | | | | Differential Revision: https://reviews.llvm.org/D37647 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@312957 91177308-0d34-0410-b5e6-96231b3b80d8
* [docs] Remove accidental unindent to appease the sphinx botVedant Kumar2017-08-021-4/+4
| | | | | | | Bot failure: http://lab.llvm.org:8011/builders/clang-sphinx-docs/builds/12043/steps/docs-clang-html/logs/stdio git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@309852 91177308-0d34-0410-b5e6-96231b3b80d8
* [ubsan] Have -fsanitize=vptr emit a null check if -fsanitize=null isn't ↵Vedant Kumar2017-08-021-4/+4
| | | | | | | | | | | | | | | | | | available In r309007, I made -fsanitize=null a hard prerequisite for -fsanitize=vptr. I did not see the need for the two checks to have separate null checking logic for the same pointer. I expected the two checks to either always be enabled together, or to be mutually compatible. In the mailing list discussion re: r309007 it became clear that that isn't the case. If a codebase is -fsanitize=vptr clean but not -fsanitize=null clean, it's useful to have -fsanitize=vptr emit its own null check. That's what this patch does: with it, -fsanitize=vptr can be used without -fsanitize=null. Differential Revision: https://reviews.llvm.org/D36112 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@309846 91177308-0d34-0410-b5e6-96231b3b80d8
* [ubsan] Diagnose invalid uses of builtins (clang)Vedant Kumar2017-07-291-0/+1
| | | | | | | | | | | | | | | On some targets, passing zero to the clz() or ctz() builtins has undefined behavior. I ran into this issue while debugging UB in __hash_table from libcxx: the bug I was seeing manifested itself differently under -O0 vs -Os, due to a UB call to clz() (see: libcxx/r304617). This patch introduces a check which can detect UB calls to builtins. llvm.org/PR26979 Differential Revision: https://reviews.llvm.org/D34590 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@309459 91177308-0d34-0410-b5e6-96231b3b80d8
* [ubsan] Null-check pointers in -fsanitize=vptr (PR33881)Vedant Kumar2017-07-251-5/+5
| | | | | | | | | | | | | | | | | | | The instrumentation generated by -fsanitize=vptr does not null check a user pointer before loading from it. This causes crashes in the face of UB member calls (this=nullptr), i.e it's causing user programs to crash only after UBSan is turned on. The fix is to make run-time null checking a prerequisite for enabling -fsanitize=vptr, and to then teach UBSan to reuse these run-time null checks to make -fsanitize=vptr safe. Testing: check-clang, check-ubsan, a stage2 ubsan-enabled build Differential Revision: https://reviews.llvm.org/D35735 https://bugs.llvm.org/show_bug.cgi?id=33881 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@309007 91177308-0d34-0410-b5e6-96231b3b80d8
* [ubsan] docs: Add a note about pointers to volatileVedant Kumar2017-06-161-0/+6
| | | | git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@305568 91177308-0d34-0410-b5e6-96231b3b80d8
* [ubsan] Add a check for pointer overflow UBVedant Kumar2017-06-011-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Check pointer arithmetic for overflow. For some more background on this check, see: https://wdtz.org/catching-pointer-overflow-bugs.html https://reviews.llvm.org/D20322 Patch by Will Dietz and John Regehr! This version of the patch is different from the original in a few ways: - It introduces the EmitCheckedInBoundsGEP utility which inserts checks when the pointer overflow check is enabled. - It does some constant-folding to reduce instrumentation overhead. - It does not check some GEPs in CGExprCXX. I'm not sure that inserting checks here, or in CGClass, would catch many bugs. Possible future directions for this check: - Introduce CGF.EmitCheckedStructGEP, to detect overflows when accessing structures. Testing: Apart from the added lit test, I ran check-llvm and check-clang with a stage2, ubsan-instrumented clang. Will and John have also done extensive testing on numerous open source projects. Differential Revision: https://reviews.llvm.org/D33305 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@304459 91177308-0d34-0410-b5e6-96231b3b80d8
* Revert "[docs] UBSan: Mention that print_stacktrace=1 is unsupported on Darwin"Vedant Kumar2017-05-021-2/+0
| | | | | | | | | This reverts commit r300295. It's no longer true, print_stacktrace=1 is supported on Darwin/Windows as of r301839. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@301960 91177308-0d34-0410-b5e6-96231b3b80d8
* [docs] UBSan: Mention that print_stacktrace=1 is unsupported on DarwinVedant Kumar2017-04-141-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Printing out stack traces along with UBSan diagnostics is unsupported on Darwin. That's because it isn't possible to use the fast unwinder or the slow unwinder. Apparently, it's inappropriate to use the fast unwinder for UBSan issues. I'm not exactly sure why (see the comment in ubsan_diag.cc). Forcing use of the fast unwinder produces decent results, AFAICT. Darwin also does not appear to have a slow unwinder suitable for use with the sanitizers. Apparently that's because of PR20800 [1][2]. But that bug has been fixed. I'm not sure if there is anything preventing use of the slow unwinder now. Currently, passing UBSAN_OPTIONS=print_stacktrace=1 does nothing on Darwin. This isn't good, but it might be a while before we can fix the situation, so we should at least document it. [1] https://github.com/google/sanitizers/issues/137 "We can't use the slow unwinder on OSX now, because Clang produces incorrect unwind info for the ASan runtime functions on OSX (http://llvm.org/PR20800)." [2] https://bugs.llvm.org/show_bug.cgi?id=20800 Bug 20800 - Invalid compact unwind info generated for a function without frame pointers on OSX git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@300295 91177308-0d34-0410-b5e6-96231b3b80d8
* [docs] Clarify sanitizer flag behaviorVedant Kumar2017-03-201-3/+3
| | | | | | | | PR32346 suggests that UBSan's docs about the -fsanitize, -fno-sanitize-recover, and -fsanitize-trap options are not explicit enough. Try to improve the wording. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@298310 91177308-0d34-0410-b5e6-96231b3b80d8
* [ubsan] Add a nullability sanitizerVedant Kumar2017-03-141-1/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Teach UBSan to detect when a value with the _Nonnull type annotation assumes a null value. Call expressions, initializers, assignments, and return statements are all checked. Because _Nonnull does not affect IRGen, the new checks are disabled by default. The new driver flags are: -fsanitize=nullability-arg (_Nonnull violation in call) -fsanitize=nullability-assign (_Nonnull violation in assignment) -fsanitize=nullability-return (_Nonnull violation in return stmt) -fsanitize=nullability (all of the above) This patch builds on top of UBSan's existing support for detecting violations of the nonnull attributes ('nonnull' and 'returns_nonnull'), and relies on the compiler-rt support for those checks. Eventually we will need to update the diagnostic messages in compiler-rt (there are FIXME's for this, which will be addressed in a follow-up). One point of note is that the nullability-return check is only allowed to kick in if all arguments to the function satisfy their nullability preconditions. This makes it necessary to emit some null checks in the function body itself. Testing: check-clang and check-ubsan. I also built some Apple ObjC frameworks with an asserts-enabled compiler, and verified that we get valid reports. Differential Revision: https://reviews.llvm.org/D30762 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@297700 91177308-0d34-0410-b5e6-96231b3b80d8
* UBSan docs: Explicitly mention that `-fsanitize=unsigned-integer-overflow` ↵Nico Weber2017-02-271-1/+3
| | | | | | | | | does not catch UB. https://reviews.llvm.org/D27455 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@296387 91177308-0d34-0410-b5e6-96231b3b80d8
* Fix typo in documentation.Nick Lewycky2016-09-201-2/+2
| | | | | | | Since this is a header it will break links to this section. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@281996 91177308-0d34-0410-b5e6-96231b3b80d8
* [ubsan] Add -fsanitize-undefined-strip-path-components=NFilipe Cabecinhas2016-05-121-0/+20
| | | | | | | | | | | | | | | | | | | Summary: This option allows the user to control how much of the file name is emitted by UBSan. Tuning this option allows one to save space in the resulting binary, which is helpful for restricted execution environments. With a positive N, UBSan skips the first N path components. With a negative N, UBSan only keeps the last N path components. Reviewers: rsmith Subscribers: cfe-commits Differential Revision: http://reviews.llvm.org/D19666 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@269309 91177308-0d34-0410-b5e6-96231b3b80d8
* [Docs] Fix indentation error introduced by r267447.George Burgess IV2016-04-261-7/+7
| | | | git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@267501 91177308-0d34-0410-b5e6-96231b3b80d8
* [Docs] Clarify what the object-size sanitizer does.George Burgess IV2016-04-251-5/+8
| | | | | | | | | | | | Currently, the UBSan docs make it sound like the object-size sanitizer will only detect out-of-bounds reads/writes. It also catches some operations that don't necessarily access memory (invalid downcasts, calls of methods on invalid pointers, ...). This patch adds a note about this behavior in the docs. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@267447 91177308-0d34-0410-b5e6-96231b3b80d8
* [UBSan] Add documentation for runtime issue suppression.Alexey Samsonov2016-01-291-0/+32
| | | | git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@259260 91177308-0d34-0410-b5e6-96231b3b80d8
* [Docs] One more cleanup of -fsanitize= section.Alexey Samsonov2015-12-041-1/+3
| | | | | | | Describe -fsanitize-blacklist flags in separate paragraphs, move notes about importance of clang++ for vptr down to UBSan docs. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@254798 91177308-0d34-0410-b5e6-96231b3b80d8
* Clang documentation for UBSan.Alexey Samsonov2015-12-041-0/+202
Summary: Create a separate page describing UBSan tool, move the description of fine-grained checks there, provide extra information about supported platforms, symbolization etc. This text is compiled from four parts: * Existing documentation copied from User's Manual * Layout used in documentation for another sanitizers (ASan, MSan etc.) * Text written from scratch * Small parts taken from Michael Morrison's attempt at creating UBSan page: http://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20141215/249503.html Reviewers: kcc, rsmith, silvas Subscribers: tberghammer, danalbert, srhines, kcc Differential Revision: http://reviews.llvm.org/D15217 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@254733 91177308-0d34-0410-b5e6-96231b3b80d8
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-28 07:24:29 +0000