From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 123448 invoked by alias); 9 Sep 2015 13:53:11 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id:
List-Archive:
List-Post:
List-Help:
Sender: gcc-bugs-owner@gcc.gnu.org
Received: (qmail 123365 invoked by uid 48); 9 Sep 2015 13:53:07 -0000
From: "trippels at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/67258] "invalid vptr" false positive from ubsan for virtual inheritance
Date: Wed, 09 Sep 2015 13:53:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: sanitizer
X-Bugzilla-Version: 5.1.1
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: trippels at gcc dot gnu.org
X-Bugzilla-Status: NEW
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_status cf_reconfirmed_on cc everconfirmed
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2015-09/txt/msg00731.txt.bz2

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67258

Markus Trippelsdorf changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2015-09-09
                 CC|                            |trippels at gcc dot gnu.org
     Ever confirmed|0                           |1

--- Comment #2 from Markus Trippelsdorf ---
This was fixed upstream by:

commit 1d2477faafda9ad2cc19927b3c31efd22747f013
Author: Alexey Samsonov
Date:   Wed Aug 5 19:35:46 2015 +0000

    [UBSan] Fix UBSan-vptr false positive.

    Offset from vptr to the start of most-derived object can actually be
    positive in some virtual base class vtables.

    Patch by Stephan Bergmann!

    git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@244101 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/ubsan/ubsan_type_hash_itanium.cc b/lib/ubsan/ubsan_type_hash_itanium.cc index 5cd46df16a33..b84e88d4c71d 100644 --- a/lib/ubsan/ubsan_type_hash_itanium.cc +++ b/lib/ubsan/ubsan_type_hash_itanium.cc
@@ -185,8 +185,8 @@ namespace { struct VtablePrefix { /// The offset from the vptr to the start of the most-derived object. - /// This should never be greater than zero, and will usually be exactly - /// zero. + /// This will only be greater than zero in some virtual base class vtables + /// used during object con-/destruction, and will usually be exactly zero. sptr Offset; /// The type_info object describing the most-derived class type. std::type_info *TypeInfo; @@ -196,7 +196,7 @@ VtablePrefix *getVtablePrefix(void *Vtable) { if (!Vptr) return 0; VtablePrefix *Prefix = Vptr - 1; - if (Prefix->Offset > 0 || !Prefix->TypeInfo) + if (!Prefix->TypeInfo) // This can't possibly be a valid vtable. return 0; return Prefix; diff --git a/test/ubsan/TestCases/TypeCheck/vptr-virtual-base-construction.cpp b/test/ubsan/TestCases/TypeCheck/vptr-virtual-base-construction.cpp new file mode 100644 index 000000000000..dc27d9f39ce3 --- /dev/null +++ b/test/ubsan/TestCases/TypeCheck/vptr-virtual-base-construction.cpp @@ -0,0 +1,13 @@ +// RUN: %clangxx -frtti -fsanitize=vptr -fno-sanitize-recover=vptr %s -o %t +// RUN: %run %t + +// REQUIRES: cxxabi + +int volatile n; + +struct A { virtual ~A() {} }; +struct B: virtual A {}; +struct C: virtual A { ~C() { n = 0; } }; +struct D: virtual B, virtual C {}; + +int main() { delete new D; } Analogous gcc patch would be: diff --git a/libsanitizer/ubsan/ubsan_type_hash.cc b/libsanitizer/ubsan/ubsan_type_hash.cc index d01009426db0..495ec5386cf3 100644 --- a/libsanitizer/ubsan/ubsan_type_hash.cc +++ b/libsanitizer/ubsan/ubsan_type_hash.cc @@ -197,7 +197,7 @@ VtablePrefix *getVtablePrefix(void *Object) { if (!*VptrPtr) return 0; VtablePrefix *Prefix = *VptrPtr - 1; - if (Prefix->Offset > 0 || !Prefix->TypeInfo) + if (!Prefix->TypeInfo) // This can't possibly be a valid vtable. return 0; return Prefix;
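Review bot: in the VtablePrefix comment hunk (@@ -185,8 +185,8 @@ of ubsan_type_hash_itanium.cc), "con-/destruction" is an awkward contraction in a doc comment that the next hunk's logic now depends on; spell it out as "construction and destruction" and say explicitly that Offset is otherwise expected to be zero or negative, since that is the only documentation left of the field's valid range once the `Offset > 0` check below is removed.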
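Review bot: in the getVtablePrefix hunk of ubsan_type_hash_itanium.cc (@@ -196,7 +196,7 @@), dropping `Prefix->Offset > 0` leaves `!Prefix->TypeInfo` as the sole sanity check, so any pointer whose word before the candidate vtable happens to be non-null is now accepted as a vtable and the "This can't possibly be a valid vtable" comment overstates what is still being rejected. The commit message only says the offset "can actually be positive in some virtual base class vtables", not that it is unbounded; if a bound is known for those construction vtables, a loosened range check on Offset would keep part of the lost garbage-vptr filtering instead of removing it entirely.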
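Review bot: the new test vptr-virtual-base-construction.cpp checks only that `delete new D;` runs silently with `-fno-sanitize-recover=vptr`, and the only user code executed in that path is the body of `~C()`, so despite its name it exercises the destruction side of the virtual-base layout and not a virtual call or member access made from a constructor of B or C. Consider adding a constructor that performs a virtual call on `this` so the construction-time case the updated comment promises is covered as well, and a comment in the test stating which sanitizer report this used to produce, so a future regression is recognisable.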
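Review bot: the proposed libsanitizer/ubsan/ubsan_type_hash.cc hunk (@@ -197,7 +197,7 @@) ports only the getVtablePrefix change; the upstream commit also rewrites the VtablePrefix::Offset doc comment and adds test/ubsan/TestCases/TypeCheck/vptr-virtual-base-construction.cpp, neither of which appears here. Without the comment update the field's documentation in the GCC copy would contradict the code that now accepts positive offsets, and without an equivalent testcase in the gcc testsuite nothing guards against the false positive returning on a later libsanitizer merge.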