[UBSan] Fix isDerivedFromAtOffset on iOS ARM64

filcab · filcab · commit b7692bc3e9ad · 2016-02-27T19:57:44.000Z
Summary: iOS on ARM64 doesn't unique RTTI. Ref: clang's iOS64CXXABI::shouldRTTIBeUnique() Due to this, pointer-equality will not necessarily work in this architecture, across dylib boundaries. dynamic_cast<>() will (as expected) still work, since Apple ships with one prepared for this, but we can't rely on the type names being pointer-equal. I've limited the expensive strcmp check to the specific architecture which needs it. Example which triggers this bug: lib.h: struct X { virtual ~X() {} }; X *libCall(); lib.mm: X *libCall() { return new X; } prog.mm: int main() { X *px = libCall(); delete px; } Expected output: Nothing Actual output: <unknown>: runtime error: member call on address 0x00017001ef50 which does not point to an object of type 'X' 0x00017001ef50: note: object is of type 'X' 00 00 00 00 60 00 0f 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for ‘X’ Reviewers: kubabrecka, samsonov, eugenis, rsmith Subscribers: aemerson, llvm-commits, rengolin Differential Revision: http://reviews.llvm.org/D11502 llvm-svn: 262147
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_platform.h b/compiler-rt/lib/sanitizer_common/sanitizer_platform.h
@@ -162,4 +162,10 @@
 # define MSC_PREREQ(version) 0
 #endif
 
+#if defined(__arm64__) && SANITIZER_IOS
+# define SANITIZER_NON_UNIQUE_TYPEINFO 1
+#else
+# define SANITIZER_NON_UNIQUE_TYPEINFO 0
+#endif
+
 #endif // SANITIZER_PLATFORM_H
diff --git a/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc b/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc
@@ -115,7 +115,9 @@ static __ubsan::HashValue *getTypeCacheHashTableBucket(__ubsan::HashValue V) {
 static bool isDerivedFromAtOffset(const abi::__class_type_info *Derived,
                                   const abi::__class_type_info *Base,
                                   sptr Offset) {
-  if (Derived->__type_name == Base->__type_name)
+  if (Derived->__type_name == Base->__type_name ||
+      (SANITIZER_NON_UNIQUE_TYPEINFO &&
+       !internal_strcmp(Derived->__type_name, Base->__type_name)))
     return Offset == 0;
 
   if (const abi::__si_class_type_info *SI =
diff --git a/compiler-rt/test/ubsan/TestCases/TypeCheck/Helpers/lit.local.cfg b/compiler-rt/test/ubsan/TestCases/TypeCheck/Helpers/lit.local.cfg
@@ -0,0 +1,3 @@
+# Sources in this directory are helper files for tests which test functionality
+# involving multiple translation units.
+config.suffixes = []
diff --git a/compiler-rt/test/ubsan/TestCases/TypeCheck/Helpers/vptr-non-unique-typeinfo-lib.cpp b/compiler-rt/test/ubsan/TestCases/TypeCheck/Helpers/vptr-non-unique-typeinfo-lib.cpp
@@ -0,0 +1,5 @@
+#include "vptr-non-unique-typeinfo-lib.h"
+
+X *libCall() {
+  return new X;
+}
diff --git a/compiler-rt/test/ubsan/TestCases/TypeCheck/Helpers/vptr-non-unique-typeinfo-lib.h b/compiler-rt/test/ubsan/TestCases/TypeCheck/Helpers/vptr-non-unique-typeinfo-lib.h
@@ -0,0 +1,4 @@
+struct X {
+  virtual ~X() {}
+};
+X *libCall();
diff --git a/compiler-rt/test/ubsan/TestCases/TypeCheck/vptr-non-unique-typeinfo.cpp b/compiler-rt/test/ubsan/TestCases/TypeCheck/vptr-non-unique-typeinfo.cpp
@@ -0,0 +1,10 @@
+// RUN: %clangxx -frtti -fsanitize=vptr -fno-sanitize-recover=vptr -I%p/Helpers %p/Helpers/vptr-non-unique-typeinfo-lib.cpp -fPIC -shared -o %t-lib.so
+// RUN: %clangxx -frtti -fsanitize=vptr -fno-sanitize-recover=vptr -I%p/Helpers -g %s -O3 -o %t %t-lib.so
+// RUN: %run %t
+
+#include "vptr-non-unique-typeinfo-lib.h"
+
+int main() {
+  X *px = libCall();
+  delete px;
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Sources in this directory are helper files for tests which test functionality`
	`2`	`+# involving multiple translation units.`
	`3`	`+config.suffixes = []`