[llvm-branch-commits] [clang] [compiler-rt] [TySan] A Type Sanitizer (Runtime Library) (PR #76261)
tavianator wrote:
I also needed
```diff
diff --git a/compiler-rt/cmake/config-ix.cmake
b/compiler-rt/cmake/config-ix.cmake
index ab13d8c03683..f480083231a1 100644
--- a/compiler-rt/cmake/config-ix.cmake
+++ b/compiler-rt/cmake/config-ix.cmake
@@ -677,6 +677,7 @@ else()
filter_available_targets(PROFILE_SUPPORTED_ARCH
${ALL_PROFILE_SUPPORTED_ARCH})
filter_available_targets(CTX_PROFILE_SUPPORTED_ARCH
${ALL_CTX_PROFILE_SUPPORTED_ARCH})
filter_available_targets(TSAN_SUPPORTED_ARCH ${ALL_TSAN_SUPPORTED_ARCH})
+ filter_available_targets(TYSAN_SUPPORTED_ARCH ${ALL_TYSAN_SUPPORTED_ARCH})
filter_available_targets(UBSAN_SUPPORTED_ARCH ${ALL_UBSAN_SUPPORTED_ARCH})
filter_available_targets(SAFESTACK_SUPPORTED_ARCH
${ALL_SAFESTACK_SUPPORTED_ARCH})
```
to build the runtime on LInux.
https://github.com/llvm/llvm-project/pull/76261
___
llvm-branch-commits mailing list
llvm-branch-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
[llvm-branch-commits] [compiler-rt] [TySan] Fix struct access with different bases (PR #108385)
@@ -128,6 +128,10 @@ static bool isAliasingLegalUp(tysan_type_descriptor *TDA, break; } + //You can't have negative offset, you must be partially inside the last type + if (TDA->Struct.Members[Idx].Offset > OffsetA) +Idx -=1; + tavianator wrote: ```suggestion Idx -= 1; ``` https://github.com/llvm/llvm-project/pull/108385 ___ llvm-branch-commits mailing list llvm-branch-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
[llvm-branch-commits] [compiler-rt] [TySan] Fix struct access with different bases (PR #108385)
https://github.com/tavianator commented: This fixes my reduced testcase but not the unreduced one. I'll try to make a new reduction. https://github.com/llvm/llvm-project/pull/108385 ___ llvm-branch-commits mailing list llvm-branch-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
[llvm-branch-commits] [compiler-rt] [TySan] Fix struct access with different bases (PR #108385)
https://github.com/tavianator edited https://github.com/llvm/llvm-project/pull/108385 ___ llvm-branch-commits mailing list llvm-branch-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
[llvm-branch-commits] [compiler-rt] [TySan] Fix struct access with different bases (PR #108385)
tavianator wrote:
Here's the new testcase. Not sure if this bug is related or not. It has to do
with `memcpy()`; if you replace the call with the commented-out line above it,
it works.
```c
struct node {
struct node *next;
};
struct list {
struct node *head, **tail;
};
int main(void) {
struct list *list = __builtin_malloc(sizeof(*list));
list->head = 0;
list->tail = &list->head;
struct node *node = __builtin_malloc(sizeof(*node));
node->next = 0;
*list->tail = node;
list->tail = &node->next;
while (list->head) {
struct node *node = list->head;
// list->head = node->next;
__builtin_memcpy(&list->head, &node->next, sizeof(list->head));
node->next = 0;
}
return 0;
}
```
```console
tavianator@tachyon $ ~/code/llvm/llvm-project/build/bin/clang -Wall -g
-fsanitize=type foo.c -o foo
tavianator@tachyon $ ./foo
==5885==ERROR: TypeSanitizer: type-aliasing-violation on address 0x55af02a8c2a0
(pc 0x55aef600fb36 bp 0x7ffcbf810cf0 sp 0x7ffcbf810c90 tid 5885)
READ of size 8 at 0x55af02a8c2a0 with type any pointer (in list at offset 0)
accesses an existing object of type any pointer (in node at offset 0)
#0 0x55aef600fb35 in main /home/tavianator/code/bfs/foo.c:20:15
```
https://github.com/llvm/llvm-project/pull/108385
___
llvm-branch-commits mailing list
llvm-branch-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
[llvm-branch-commits] [compiler-rt] [TySan] Fix struct access with different bases (PR #108385)
tavianator wrote: I guess the bug there is that the memcpy() interceptor literally copies the dynamic type from `node->next` to `list->head`. Then `list->head` is accessed but tysan thinks the memory has type `struct node::next` which doesn't match. https://github.com/llvm/llvm-project/pull/108385 ___ llvm-branch-commits mailing list llvm-branch-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
[llvm-branch-commits] [compiler-rt] [TySan] Fix struct access with different bases (PR #108385)
tavianator wrote: I have consulted with an expert in the strict aliasing rules and we came to the horrifying (to me) conclusion that TySan is actually **correct** in this case, at least according to the C standard. https://github.com/llvm/llvm-project/pull/108385 ___ llvm-branch-commits mailing list llvm-branch-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
[llvm-branch-commits] [compiler-rt] [TySan] Fix struct access with different bases (PR #108385)
tavianator wrote: > ! Oh wow! ... Should the commented out line cause a type violation too? No, `out->i = out->i->n;` is fine because the type of the expression `out->i->n` is just `struct inner *`, so that's the type that will be given to the storage for `out->i`. (Because `out` is dynamically allocated, it has no declared type and writes will set the effective type.) But `memcpy(&out->i, &out->i->n, sizeof(out->i))` is specified to exactly copy the effective type from the source to the destination (again because `out` is dynamically allocated). The type that gets copied includes knowledge of exactly which struct field it is (`struct inner::n`), and TySan is faithfully copying that over. The later access with type `struct outer::i` doesn't match. There are more details in this paper, for example: https://web.archive.org/web/20190219170809/https://trust-in-soft.com/wp-content/uploads/2017/01/vmcai.pdf https://github.com/llvm/llvm-project/pull/108385 ___ llvm-branch-commits mailing list llvm-branch-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
[llvm-branch-commits] [compiler-rt] [TySan] Fix struct access with different bases (PR #108385)
https://github.com/tavianator approved this pull request. https://github.com/llvm/llvm-project/pull/108385 ___ llvm-branch-commits mailing list llvm-branch-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
