1//===-- ubsan_handlers_cxx.cpp --------------------------------------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// Error logging entry points for the UBSan runtime, which are only used for C++
10// compilations. This file is permitted to use language features which require
11// linking against a C++ ABI library.
12//
13//===----------------------------------------------------------------------===//
14
15#include "ubsan_platform.h"
16#if CAN_SANITIZE_UB
17#include "ubsan_handlers.h"
18#include "ubsan_handlers_cxx.h"
19#include "ubsan_diag.h"
20#include "ubsan_type_hash.h"
21
22#include "sanitizer_common/sanitizer_common.h"
23#include "sanitizer_common/sanitizer_suppressions.h"
24
25using namespace __sanitizer;
26using namespace __ubsan;
27
28namespace __ubsan {
29 extern const char *const TypeCheckKinds[];
30}
31
32// Returns true if UBSan has printed an error report.
33static bool HandleDynamicTypeCacheMiss(
34 DynamicTypeCacheMissData *Data, ValueHandle Pointer, ValueHandle Hash,
35 ReportOptions Opts) {
36 if (checkDynamicType(Object: (void*)Pointer, Type: Data->TypeInfo, Hash))
37 // Just a cache miss. The type matches after all.
38 return false;
39
40 // Check if error report should be suppressed.
41 DynamicTypeInfo DTI = getDynamicTypeInfoFromObject(Object: (void*)Pointer);
42 if (DTI.isValid() && IsVptrCheckSuppressed(TypeName: DTI.getMostDerivedTypeName()))
43 return false;
44
45 SourceLocation Loc = Data->Loc.acquire();
46 ErrorType ET = ErrorType::DynamicTypeMismatch;
47 if (ignoreReport(SLoc: Loc, Opts, ET))
48 return false;
49
50 ScopedReport R(Opts, Loc, ET);
51
52 Diag(Loc, DL_Error, ET,
53 "%0 address %1 which does not point to an object of type %2")
54 << TypeCheckKinds[Data->TypeCheckKind] << (void*)Pointer << Data->Type;
55
56 // If possible, say what type it actually points to.
57 if (!DTI.isValid()) {
58 if (DTI.getOffset() < -VptrMaxOffsetToTop || DTI.getOffset() > VptrMaxOffsetToTop) {
59 Diag(Pointer, DL_Note, ET,
60 "object has a possibly invalid vptr: abs(offset to top) too big")
61 << TypeName(DTI.getMostDerivedTypeName())
62 << Range(Pointer, Pointer + sizeof(uptr), "possibly invalid vptr");
63 } else {
64 Diag(Pointer, DL_Note, ET, "object has invalid vptr")
65 << TypeName(DTI.getMostDerivedTypeName())
66 << Range(Pointer, Pointer + sizeof(uptr), "invalid vptr");
67 }
68 } else if (!DTI.getOffset())
69 Diag(Pointer, DL_Note, ET, "object is of type %0")
70 << TypeName(DTI.getMostDerivedTypeName())
71 << Range(Pointer, Pointer + sizeof(uptr), "vptr for %0");
72 else
73 // FIXME: Find the type at the specified offset, and include that
74 // in the note.
75 Diag(Pointer - DTI.getOffset(), DL_Note, ET,
76 "object is base class subobject at offset %0 within object of type %1")
77 << DTI.getOffset() << TypeName(DTI.getMostDerivedTypeName())
78 << TypeName(DTI.getSubobjectTypeName())
79 << Range(Pointer, Pointer + sizeof(uptr),
80 "vptr for %2 base class of %1");
81 return true;
82}
83
84void __ubsan::__ubsan_handle_dynamic_type_cache_miss(
85 DynamicTypeCacheMissData *Data, ValueHandle Pointer, ValueHandle Hash) {
86 GET_REPORT_OPTIONS(false);
87 HandleDynamicTypeCacheMiss(Data, Pointer, Hash, Opts);
88}
89void __ubsan::__ubsan_handle_dynamic_type_cache_miss_abort(
90 DynamicTypeCacheMissData *Data, ValueHandle Pointer, ValueHandle Hash) {
91 // Note: -fsanitize=vptr is always recoverable.
92 GET_REPORT_OPTIONS(false);
93 if (HandleDynamicTypeCacheMiss(Data, Pointer, Hash, Opts))
94 Die();
95}
96
97namespace __ubsan {
98void __ubsan_handle_cfi_bad_type(CFICheckFailData *Data, ValueHandle Vtable,
99 bool ValidVtable, ReportOptions Opts) {
100 SourceLocation Loc = Data->Loc.acquire();
101 ErrorType ET = ErrorType::CFIBadType;
102
103 if (ignoreReport(SLoc: Loc, Opts, ET))
104 return;
105
106 ScopedReport R(Opts, Loc, ET);
107 DynamicTypeInfo DTI = ValidVtable
108 ? getDynamicTypeInfoFromVtable(Vtable: (void *)Vtable)
109 : DynamicTypeInfo(0, 0, 0);
110
111 const char *CheckKindStr;
112 switch (Data->CheckKind) {
113 case CFITCK_VCall:
114 CheckKindStr = "virtual call";
115 break;
116 case CFITCK_NVCall:
117 CheckKindStr = "non-virtual call";
118 break;
119 case CFITCK_DerivedCast:
120 CheckKindStr = "base-to-derived cast";
121 break;
122 case CFITCK_UnrelatedCast:
123 CheckKindStr = "cast to unrelated type";
124 break;
125 case CFITCK_VMFCall:
126 CheckKindStr = "virtual pointer to member function call";
127 break;
128 case CFITCK_ICall:
129 case CFITCK_NVMFCall:
130 Die();
131 }
132
133 Diag(Loc, DL_Error, ET,
134 "control flow integrity check for type %0 failed during "
135 "%1 (vtable address %2)")
136 << Data->Type << CheckKindStr << (void *)Vtable;
137
138 // If possible, say what type it actually points to.
139 if (!DTI.isValid())
140 Diag(Vtable, DL_Note, ET, "invalid vtable");
141 else
142 Diag(Vtable, DL_Note, ET, "vtable is of type %0")
143 << TypeName(DTI.getMostDerivedTypeName());
144
145 // If the failure involved different DSOs for the check location and vtable,
146 // report the DSO names.
147 const char *DstModule = Symbolizer::GetOrInit()->GetModuleNameForPc(pc: Vtable);
148 if (!DstModule)
149 DstModule = "(unknown)";
150
151 const char *SrcModule = Symbolizer::GetOrInit()->GetModuleNameForPc(pc: Opts.pc);
152 if (!SrcModule)
153 SrcModule = "(unknown)";
154
155 if (internal_strcmp(s1: SrcModule, s2: DstModule))
156 Diag(Loc, DL_Note, ET, "check failed in %0, vtable located in %1")
157 << SrcModule << DstModule;
158}
159} // namespace __ubsan
160
161#endif // CAN_SANITIZE_UB
162