[clang] [Clang][CodeGen] Check `isUnderlyingBasePointerConstantNull` in `emitPointerArithmetic` (PR #137849)

Yingwei Zheng via cfe-commits Tue, 29 Apr 2025 23:49:42 -0700

https://github.com/dtcxzyw updated 
https://github.com/llvm/llvm-project/pull/137849


>From f1db3a540ec1383451955efab62b64ed8d180349 Mon Sep 17 00:00:00 2001
From: Yingwei Zheng <dtcxzyw2...@gmail.com>
Date: Wed, 30 Apr 2025 01:26:41 +0800
Subject: [PATCH 1/2] [Clang][CodeGen] Check
 `isUnderlyingBasePointerConstantNull` in `emitPointerArithmetic`

---
 clang/lib/CodeGen/CGExprScalar.cpp                   |  3 ++-
 .../test/CodeGen/catch-nullptr-and-nonzero-offset.c  | 12 ++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/clang/lib/CodeGen/CGExprScalar.cpp 
b/clang/lib/CodeGen/CGExprScalar.cpp
index 8dbbcdaef25d8..d214d2af52563 100644
--- a/clang/lib/CodeGen/CGExprScalar.cpp
+++ b/clang/lib/CodeGen/CGExprScalar.cpp
@@ -4238,7 +4238,8 @@ static Value *emitPointerArithmetic(CodeGenFunction &CGF,
   else
     elemTy = CGF.ConvertTypeForMem(elementType);
 
-  if (CGF.getLangOpts().PointerOverflowDefined)
+  if (CGF.getLangOpts().PointerOverflowDefined ||
+      CGF.isUnderlyingBasePointerConstantNull(pointerOperand))
     return CGF.Builder.CreateGEP(elemTy, pointer, index, "add.ptr");
 
   return CGF.EmitCheckedInBoundsGEP(
diff --git a/clang/test/CodeGen/catch-nullptr-and-nonzero-offset.c 
b/clang/test/CodeGen/catch-nullptr-and-nonzero-offset.c
index 63b6db2c2adeb..c5ae3f8bcc368 100644
--- a/clang/test/CodeGen/catch-nullptr-and-nonzero-offset.c
+++ b/clang/test/CodeGen/catch-nullptr-and-nonzero-offset.c
@@ -431,6 +431,18 @@ char *void_ptr(void *base, unsigned long offset) {
   return base + offset;
 }
 
+int *constant_null_add(long offset) {
+  // CHECK: define{{.*}} ptr @constant_null_add(i64 noundef %[[OFFSET:.*]])
+  // CHECK-NEXT: [[ENTRY:.*]]:
+  // CHECK-NEXT:   %[[OFFSET_ADDR:.*]] = alloca i64, align 8
+  // CHECK-NEXT:   store i64 %[[OFFSET]], ptr %[[OFFSET_ADDR]], align 8
+  // CHECK-NEXT:   %[[OFFSET_RELOADED:.*]] = load i64, ptr %[[OFFSET_ADDR]], 
align 8
+  // CHECK-NEXT:   %[[ADD_PTR:.*]] = getelementptr i32, ptr null, i64 
%[[OFFSET_RELOADED]]
+  // CHECK-NEXT:   ret ptr %[[ADD_PTR]]
+#line 1800
+  return (int *)0 + offset;
+}
+
 #ifdef __cplusplus
 }
 #endif

>From 2796472ca05332419cade01afbea08d8f9446d76 Mon Sep 17 00:00:00 2001
From: Yingwei Zheng <dtcxzyw2...@gmail.com>
Date: Wed, 30 Apr 2025 14:48:54 +0800
Subject: [PATCH 2/2] [Clang][CodeGen] Re-enable ubsan check

---
 clang/lib/CodeGen/CGExprScalar.cpp            |  3 +-
 .../catch-nullptr-and-nonzero-offset.c        | 38 ++++++++++++++-----
 2 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/clang/lib/CodeGen/CGExprScalar.cpp 
b/clang/lib/CodeGen/CGExprScalar.cpp
index d214d2af52563..96e48d65e8ace 100644
--- a/clang/lib/CodeGen/CGExprScalar.cpp
+++ b/clang/lib/CodeGen/CGExprScalar.cpp
@@ -4239,7 +4239,8 @@ static Value *emitPointerArithmetic(CodeGenFunction &CGF,
     elemTy = CGF.ConvertTypeForMem(elementType);
 
   if (CGF.getLangOpts().PointerOverflowDefined ||
-      CGF.isUnderlyingBasePointerConstantNull(pointerOperand))
+      (!CGF.SanOpts.has(SanitizerKind::PointerOverflow) &&
+       CGF.isUnderlyingBasePointerConstantNull(pointerOperand)))
     return CGF.Builder.CreateGEP(elemTy, pointer, index, "add.ptr");
 
   return CGF.EmitCheckedInBoundsGEP(
diff --git a/clang/test/CodeGen/catch-nullptr-and-nonzero-offset.c 
b/clang/test/CodeGen/catch-nullptr-and-nonzero-offset.c
index c5ae3f8bcc368..338f85f2d2fbd 100644
--- a/clang/test/CodeGen/catch-nullptr-and-nonzero-offset.c
+++ b/clang/test/CodeGen/catch-nullptr-and-nonzero-offset.c
@@ -1,9 +1,9 @@
-// RUN: %clang_cc1 -x c -emit-llvm %s -o - -triple x86_64-linux-gnu | 
FileCheck %s
+// RUN: %clang_cc1 -x c -emit-llvm %s -o - -triple x86_64-linux-gnu | 
FileCheck %s --check-prefixes=CHECK,CHECK-NOSANITIZE
 // RUN: %clang_cc1 -x c -fsanitize=pointer-overflow 
-fno-sanitize-recover=pointer-overflow -emit-llvm %s -o - -triple 
x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void 
@__ubsan_handle_pointer_overflow" 
--check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-NORECOVER,CHECK-SANITIZE-UNREACHABLE
 // RUN: %clang_cc1 -x c -fsanitize=pointer-overflow 
-fsanitize-recover=pointer-overflow -emit-llvm %s -o - -triple x86_64-linux-gnu 
| FileCheck %s -implicit-check-not="call void @__ubsan_handle_pointer_overflow" 
--check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-RECOVER
 // RUN: %clang_cc1 -x c -fsanitize=pointer-overflow 
-fsanitize-trap=pointer-overflow -emit-llvm %s -o - -triple x86_64-linux-gnu | 
FileCheck %s -implicit-check-not="call void @__ubsan_handle_pointer_overflow" 
--check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-TRAP,CHECK-SANITIZE-UNREACHABLE
 
-// RUN: %clang_cc1 -x c++ -emit-llvm %s -o - -triple x86_64-linux-gnu | 
FileCheck %s
+// RUN: %clang_cc1 -x c++ -emit-llvm %s -o - -triple x86_64-linux-gnu | 
FileCheck %s --check-prefixes=CHECK,CHECK-NOSANITIZE
 // RUN: %clang_cc1 -x c++ -fsanitize=pointer-overflow 
-fno-sanitize-recover=pointer-overflow -emit-llvm %s -o - -triple 
x86_64-linux-gnu | FileCheck %s -implicit-check-not="call void 
@__ubsan_handle_pointer_overflow" 
--check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-NORECOVER,CHECK-SANITIZE-UNREACHABLE
 // RUN: %clang_cc1 -x c++ -fsanitize=pointer-overflow 
-fsanitize-recover=pointer-overflow -emit-llvm %s -o - -triple x86_64-linux-gnu 
| FileCheck %s -implicit-check-not="call void @__ubsan_handle_pointer_overflow" 
--check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-ANYRECOVER,CHECK-SANITIZE-RECOVER
 // RUN: %clang_cc1 -x c++ -fsanitize=pointer-overflow 
-fsanitize-trap=pointer-overflow -emit-llvm %s -o - -triple x86_64-linux-gnu | 
FileCheck %s -implicit-check-not="call void @__ubsan_handle_pointer_overflow" 
--check-prefixes=CHECK,CHECK-SANITIZE,CHECK-SANITIZE-TRAP,CHECK-SANITIZE-UNREACHABLE
@@ -32,6 +32,7 @@
 // CHECK-SANITIZE-ANYRECOVER-DAG: @[[LINE_1500:.*]] = {{.*}}, i32 1500, i32 15 
} }
 // CHECK-SANITIZE-ANYRECOVER-DAG: @[[LINE_1600:.*]] = {{.*}}, i32 1600, i32 15 
} }
 // CHECK-SANITIZE-ANYRECOVER-DAG: @[[LINE_1700:.*]] = {{.*}}, i32 1700, i32 15 
} }
+// CHECK-SANITIZE-ANYRECOVER-DAG: @[[LINE_1800:.*]] = {{.*}}, i32 1800, i32 19 
} }
 
 #ifdef __cplusplus
 extern "C" {
@@ -431,14 +432,33 @@ char *void_ptr(void *base, unsigned long offset) {
   return base + offset;
 }
 
-int *constant_null_add(long offset) {
+int *constant_null_add(unsigned long offset) {
   // CHECK: define{{.*}} ptr @constant_null_add(i64 noundef %[[OFFSET:.*]])
-  // CHECK-NEXT: [[ENTRY:.*]]:
-  // CHECK-NEXT:   %[[OFFSET_ADDR:.*]] = alloca i64, align 8
-  // CHECK-NEXT:   store i64 %[[OFFSET]], ptr %[[OFFSET_ADDR]], align 8
-  // CHECK-NEXT:   %[[OFFSET_RELOADED:.*]] = load i64, ptr %[[OFFSET_ADDR]], 
align 8
-  // CHECK-NEXT:   %[[ADD_PTR:.*]] = getelementptr i32, ptr null, i64 
%[[OFFSET_RELOADED]]
-  // CHECK-NEXT:   ret ptr %[[ADD_PTR]]
+  // CHECK-NEXT:                      [[ENTRY:.*]]:
+  // CHECK-NEXT:                        %[[OFFSET_ADDR:.*]] = alloca i64, 
align 8
+  // CHECK-NEXT:                        store i64 %[[OFFSET]], ptr 
%[[OFFSET_ADDR]], align 8
+  // CHECK-NEXT:                        %[[OFFSET_RELOADED:.*]] = load i64, 
ptr %[[OFFSET_ADDR]], align 8
+  // CHECK-NOSANITIZE-NEXT:             %[[ADD_PTR:.*]] = getelementptr i32, 
ptr null, i64 %[[OFFSET_RELOADED]]
+  // CHECK-SANITIZE-NEXT:               %[[ADD_PTR:.*]] = getelementptr 
inbounds nuw i32, ptr null, i64 %[[OFFSET_RELOADED]]
+  // CHECK-SANITIZE-NEXT:               %[[COMPUTED_OFFSET_AGGREGATE:.*]] = 
call { i64, i1 } @llvm.smul.with.overflow.i64(i64 4, i64 %[[OFFSET_RELOADED]]), 
!nosanitize
+  // CHECK-SANITIZE-NEXT:               %[[COMPUTED_OFFSET_OVERFLOWED:.*]] = 
extractvalue { i64, i1 } %[[COMPUTED_OFFSET_AGGREGATE]], 1, !nosanitize
+  // CHECK-SANITIZE-NEXT:               %[[OR_OV:.+]] = or i1 
%[[COMPUTED_OFFSET_OVERFLOWED]], false, !nosanitize
+  // CHECK-SANITIZE-NEXT:               %[[COMPUTED_OFFSET:.*]] = extractvalue 
{ i64, i1 } %[[COMPUTED_OFFSET_AGGREGATE]], 0, !nosanitize
+  // CHECK-SANITIZE-NEXT:               %[[COMPUTED_GEP:.*]] = add i64 0, 
%[[COMPUTED_OFFSET]], !nosanitize
+  // CHECK-SANITIZE-NEXT:               %[[COMPUTED_GEP_IS_NOT_NULL:.*]] = 
icmp ne i64 %[[COMPUTED_GEP]], 0, !nosanitize
+  // CHECK-SANITIZE-NEXT:               
%[[BOTH_POINTERS_ARE_NULL_OR_BOTH_ARE_NONNULL:.*]] = icmp eq i1 false, 
%[[COMPUTED_GEP_IS_NOT_NULL]], !nosanitize
+  // CHECK-SANITIZE-NEXT:               
%[[COMPUTED_OFFSET_DID_NOT_OVERFLOW:.*]] = xor i1 %[[OR_OV]], true, !nosanitize
+  // CHECK-SANITIZE-NEXT:               %[[COMPUTED_GEP_IS_UGE_BASE:.*]] = 
icmp uge i64 %[[COMPUTED_GEP]], 0, !nosanitize
+  // CHECK-SANITIZE-NEXT:               %[[GEP_DID_NOT_OVERFLOW:.*]] = and i1 
%[[COMPUTED_GEP_IS_UGE_BASE]], %[[COMPUTED_OFFSET_DID_NOT_OVERFLOW]], 
!nosanitize
+  // CHECK-SANITIZE-NEXT:               %[[GEP_IS_OKAY:.*]] = and i1 
%[[BOTH_POINTERS_ARE_NULL_OR_BOTH_ARE_NONNULL]], %[[GEP_DID_NOT_OVERFLOW]], 
!nosanitize
+  // CHECK-SANITIZE-NEXT:               br i1 %[[GEP_IS_OKAY]], label 
%[[CONT:.*]], label %[[HANDLER_POINTER_OVERFLOW:[^,]+]],{{.*}} !nosanitize
+  // CHECK-SANITIZE:                  [[HANDLER_POINTER_OVERFLOW]]:
+  // CHECK-SANITIZE-NORECOVER-NEXT:     call void 
@__ubsan_handle_pointer_overflow_abort(ptr @[[LINE_1800]], i64 0, i64 
%[[COMPUTED_GEP]])
+  // CHECK-SANITIZE-RECOVER-NEXT:       call void 
@__ubsan_handle_pointer_overflow(ptr @[[LINE_1800]], i64 0, i64 
%[[COMPUTED_GEP]])
+  // CHECK-SANITIZE-TRAP-NEXT:          call void @llvm.ubsantrap(i8 
19){{.*}}, !nosanitize
+  // CHECK-SANITIZE-UNREACHABLE-NEXT:   unreachable, !nosanitize
+  // CHECK-SANITIZE:                  [[CONT]]:
+  // CHECK-NEXT:                        ret ptr %[[ADD_PTR]]
 #line 1800
   return (int *)0 + offset;
 }

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[clang] [Clang][CodeGen] Check `isUnderlyingBasePointerConstantNull` in `emitPointerArithmetic` (PR #137849)

Reply via email to