[clang] Implement src:*=sanitize for UBSan (PR #139772)
https://github.com/vitalybuka closed https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
https://github.com/vitalybuka reopened https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
https://github.com/qinkunbao edited https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
https://github.com/qinkunbao edited https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
https://github.com/qinkunbao edited https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
@@ -0,0 +1,23 @@ +// RUN: rm -rf %t +// RUN: split-file %s %t +// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow -fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test1.c -o - | FileCheck %s -check-prefix=CHECK-ALLOWLIST +// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow -fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test2.c -o - | FileCheck %s -check-prefix=CHECK-IGNORELIST + + +// Verify ubsan only emits checks for files in the allowlist + +//--- src.ignorelist +src:* qinkunbao wrote: > But, SpecialCaseList::Sections for whatever reasons is StringMap, > so it's ordered by name, and it's not used anyway. Oh, I find the `key` of the StringMap `Sections` is actually used. Here is the [Link](https://github.com/llvm/llvm-project/blob/main/clang/lib/Basic/Diagnostic.cpp#L542). How about creating a vector to track the order? https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
https://github.com/qinkunbao updated
https://github.com/llvm/llvm-project/pull/139772
Rate limit ยท GitHub
body {
background-color: #f6f8fa;
color: #24292e;
font-family: -apple-system,BlinkMacSystemFont,Segoe
UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;
font-size: 14px;
line-height: 1.5;
margin: 0;
}
.container { margin: 50px auto; max-width: 600px; text-align: center;
padding: 0 24px; }
a { color: #0366d6; text-decoration: none; }
a:hover { text-decoration: underline; }
h1 { line-height: 60px; font-size: 48px; font-weight: 300; margin: 0px;
text-shadow: 0 1px 0 #fff; }
p { color: rgba(0, 0, 0, 0.5); margin: 20px 0 40px; }
ul { list-style: none; margin: 25px 0; padding: 0; }
li { display: table-cell; font-weight: bold; width: 1%; }
.logo { display: inline-block; margin-top: 35px; }
.logo-img-2x { display: none; }
@media
only screen and (-webkit-min-device-pixel-ratio: 2),
only screen and ( min--moz-device-pixel-ratio: 2),
only screen and ( -o-min-device-pixel-ratio: 2/1),
only screen and (min-device-pixel-ratio: 2),
only screen and (min-resolution: 192dpi),
only screen and (min-resolution: 2dppx) {
.logo-img-1x { display: none; }
.logo-img-2x { display: inline-block; }
}
#suggestions {
margin-top: 35px;
color: #ccc;
}
#suggestions a {
color: #66;
font-weight: 200;
font-size: 14px;
margin: 0 10px;
}
Whoa there!
You have exceeded a secondary rate limit.
Please wait a few minutes before you try again;
in some cases this may take up to an hour.
https://support.github.com/contact";>Contact Support โ
https://githubstatus.com";>GitHub Status โ
https://twitter.com/githubstatus";>@githubstatus
___
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
https://github.com/qinkunbao edited https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
https://github.com/qinkunbao updated
https://github.com/llvm/llvm-project/pull/139772
>From 99dfb74ada8922218afcca173c1fc3b69315fc4f Mon Sep 17 00:00:00 2001
From: Qinkun Bao
Date: Tue, 13 May 2025 17:16:53 +
Subject: [PATCH] Implement src:*=sanitize for UBSan
---
clang/lib/Basic/NoSanitizeList.cpp| 3 +-
.../ubsan-src-ignorelist-category.test| 33 +++
2 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 clang/test/CodeGen/ubsan-src-ignorelist-category.test
diff --git a/clang/lib/Basic/NoSanitizeList.cpp
b/clang/lib/Basic/NoSanitizeList.cpp
index e7e63c1f419e6..c4db5a5a211d2 100644
--- a/clang/lib/Basic/NoSanitizeList.cpp
+++ b/clang/lib/Basic/NoSanitizeList.cpp
@@ -44,7 +44,8 @@ bool NoSanitizeList::containsFunction(SanitizerMask Mask,
bool NoSanitizeList::containsFile(SanitizerMask Mask, StringRef FileName,
StringRef Category) const {
- return SSCL->inSection(Mask, "src", FileName, Category);
+ bool allowList = SSCL->inSection(Mask, "src", FileName, "sanitize");
+ return SSCL->inSection(Mask, "src", FileName, Category) && !allowList;
}
bool NoSanitizeList::containsMainFile(SanitizerMask Mask, StringRef FileName,
diff --git a/clang/test/CodeGen/ubsan-src-ignorelist-category.test
b/clang/test/CodeGen/ubsan-src-ignorelist-category.test
new file mode 100644
index 0..30a7cae00cd75
--- /dev/null
+++ b/clang/test/CodeGen/ubsan-src-ignorelist-category.test
@@ -0,0 +1,33 @@
+// RUN: rm -rf %t
+// RUN: split-file %s %t
+// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow
-fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test1.c -o - | FileCheck
%s -check-prefix=CHECK-ALLOWLIST
+// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow
-fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test2.c -o - | FileCheck
%s -check-prefix=CHECK-IGNORELIST
+// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow
-fsanitize-ignorelist=%t/src.ignorelist.contradict -emit-llvm %t/test1.c -o - |
FileCheck %s -check-prefix=CHECK-ALLOWLIST
+// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow
-fsanitize-ignorelist=%t/src.ignorelist.contradict -emit-llvm %t/test2.c -o - |
FileCheck %s -check-prefix=CHECK-IGNORELIST
+
+
+// Verify ubsan only emits checks for files in the allowlist
+
+//--- src.ignorelist
+src:*
+src:*/test1.c=sanitize
+
+// If the same src appears within or across ignorelists with different
categories the sanitize category takes precedence โ regardless of order.
+//--- src.ignorelist.contradict
+src:*
+src:*/test1.c=sanitize
+src:*/test1.c
+
+//--- test1.c
+int add1(int a, int b) {
+// CHECK-ALLOWLIST: llvm.sadd.with.overflow.i32
+return a+b;
+}
+
+//--- test2.c
+int add2(int a, int b) {
+// CHECK-IGNORELIST-NOT: llvm.sadd.with.overflow.i32
+return a+b;
+}
+
+
___
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
https://github.com/qinkunbao edited https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
@@ -0,0 +1,23 @@ +// RUN: rm -rf %t +// RUN: split-file %s %t +// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow -fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test1.c -o - | FileCheck %s -check-prefix=CHECK-ALLOWLIST +// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow -fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test2.c -o - | FileCheck %s -check-prefix=CHECK-IGNORELIST + + +// Verify ubsan only emits checks for files in the allowlist + +//--- src.ignorelist +src:* qinkunbao wrote: > Looks like we have a problem with: >``` >src:* >src:*/mylib/*=sanitize >src:*/mylib/test.cc > ``` Yeah, I was a little hesitated about the change during implementing the feature. For example, if we have a ignore list file ``` type:int src:test.cc=sanitize ``` If a file `test.cc` has the type `int`, shall we still instrument the type `int` variable in the file `test.cc`? On the other hand, ``` src:test.cc type:int=sanitize ``` Shall we still instrument the type `int` variable in the file `test.cc`? I think the both answers are yes. Looks like if we have two lines that contradict each other, we should always stick to the `=sanitize` entry. It makes sense to me. I will create a new PR with using user branches in llvm/llvm-project to update `SpecialCaseList::Sections`. Thank you for the feedback. https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
@@ -0,0 +1,23 @@ +// RUN: rm -rf %t +// RUN: split-file %s %t +// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow -fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test1.c -o - | FileCheck %s -check-prefix=CHECK-ALLOWLIST +// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow -fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test2.c -o - | FileCheck %s -check-prefix=CHECK-IGNORELIST + + +// Verify ubsan only emits checks for files in the allowlist + +//--- src.ignorelist +src:* vitalybuka wrote: So I have some ideas how to fix this: 1. Right now order does not matter, if we say that it's matter now, we don't break existing stuff 2. Let's make =sanitize reset all above and = 3. So inSection need to return linenum in file which will compare with linenum of =sanitize. There is a version of function for that Problem: SanitizerSpecialCaseList tracks linenum, but if you check parsing code, it can represent multiple files! I suggest to start with updating SpecialCaseList to track (fileindex, linenum). But, SpecialCaseList::Sections for whatever reasons is StringMap, so it's ordered by name, and it's not used anyway. Let's first PR to make SpecialCaseList::Sections -> vector similar SanitizerSpecialCaseList? https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
@@ -44,7 +44,8 @@ bool NoSanitizeList::containsFunction(SanitizerMask Mask,
bool NoSanitizeList::containsFile(SanitizerMask Mask, StringRef FileName,
StringRef Category) const {
- return SSCL->inSection(Mask, "src", FileName, Category);
+ bool allowList = SSCL->inSection(Mask, "src", FileName, "sanitize");
vitalybuka wrote:
Probably don't do this yet.
Let's resolve for file, and then expand to the rest.
https://github.com/llvm/llvm-project/pull/139772
___
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
@@ -0,0 +1,23 @@ +// RUN: rm -rf %t +// RUN: split-file %s %t +// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow -fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test1.c -o - | FileCheck %s -check-prefix=CHECK-ALLOWLIST +// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow -fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test2.c -o - | FileCheck %s -check-prefix=CHECK-IGNORELIST + + +// Verify ubsan only emits checks for files in the allowlist + +//--- src.ignorelist +src:* vitalybuka wrote: Looks like we have a problem with: ``` src:* src:*/mylib/*=sanitize src:*/mylib/test.cc ``` https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
vitalybuka wrote: Reminder to @thurstond as well :) Please figure out https://llvm.org/docs/GitHub.html#stacked-pull-requests https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
@@ -44,7 +44,8 @@ bool NoSanitizeList::containsFunction(SanitizerMask Mask,
bool NoSanitizeList::containsFile(SanitizerMask Mask, StringRef FileName,
StringRef Category) const {
- return SSCL->inSection(Mask, "src", FileName, Category);
+ bool allowList = SSCL->inSection(Mask, "src", FileName, "sanitize");
vitalybuka wrote:
I guess we need to move "sanitize" handling from
ASTContext::isTypeIgnoredBySanitizer in here.
https://github.com/llvm/llvm-project/pull/139772
___
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
https://github.com/qinkunbao edited https://github.com/llvm/llvm-project/pull/139772 ___ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
llvmbot wrote:
@llvm/pr-subscribers-clang
Author: Qinkun Bao (qinkunbao)
Changes
It is a draft implementation for "src:*=sanitize". It should be applied to all
sanitizers.
Any srcs assigned to the sanitize category will have their sanitizer
instrumentation remained ignored by "src:". For example,
```
src:*
src:*/test1.c=sanitize
```
`test1.c` will still have the UBSan instrumented.
However
```
type:int
src:*/test1.c=sanitize
```
`test1.c` does not have the int type check.
---
Full diff: https://github.com/llvm/llvm-project/pull/139772.diff
2 Files Affected:
- (modified) clang/lib/Basic/NoSanitizeList.cpp (+2-1)
- (added) clang/test/CodeGen/ubsan-src-ignorelist-category.test (+23)
``diff
diff --git a/clang/lib/Basic/NoSanitizeList.cpp
b/clang/lib/Basic/NoSanitizeList.cpp
index e7e63c1f419e6..c4db5a5a211d2 100644
--- a/clang/lib/Basic/NoSanitizeList.cpp
+++ b/clang/lib/Basic/NoSanitizeList.cpp
@@ -44,7 +44,8 @@ bool NoSanitizeList::containsFunction(SanitizerMask Mask,
bool NoSanitizeList::containsFile(SanitizerMask Mask, StringRef FileName,
StringRef Category) const {
- return SSCL->inSection(Mask, "src", FileName, Category);
+ bool allowList = SSCL->inSection(Mask, "src", FileName, "sanitize");
+ return SSCL->inSection(Mask, "src", FileName, Category) && !allowList;
}
bool NoSanitizeList::containsMainFile(SanitizerMask Mask, StringRef FileName,
diff --git a/clang/test/CodeGen/ubsan-src-ignorelist-category.test
b/clang/test/CodeGen/ubsan-src-ignorelist-category.test
new file mode 100644
index 0..5242c10bdeec7
--- /dev/null
+++ b/clang/test/CodeGen/ubsan-src-ignorelist-category.test
@@ -0,0 +1,23 @@
+// RUN: rm -rf %t
+// RUN: split-file %s %t
+// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow
-fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test1.c -o - | FileCheck
%s -check-prefix=CHECK-ALLOWLIST
+// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow
-fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test2.c -o - | FileCheck
%s -check-prefix=CHECK-IGNORELIST
+
+
+// Verify ubsan only emits checks for files in the allowlist
+
+//--- src.ignorelist
+src:*
+src:*/test1.c=sanitize
+
+//--- test1.c
+int add1(int a, int b) {
+// CHECK-ALLOWLIST: llvm.sadd.with.overflow.i32
+return a+b;
+}
+
+//--- test2.c
+int add2(int a, int b) {
+// CHECK-IGNORELIST-NOT: llvm.sadd.with.overflow.i32
+return a+b;
+}
``
https://github.com/llvm/llvm-project/pull/139772
___
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[clang] Implement src:*=sanitize for UBSan (PR #139772)
https://github.com/qinkunbao created
https://github.com/llvm/llvm-project/pull/139772
It is a draft implementation for "src:*=sanitize". It should be applied to all
sanitizers.
Any srcs assigned to the sanitize category will have their sanitizer
instrumentation remained ignored by "src:". For example,
```
src:*
src:*/test1.c=sanitize
```
`test1.c` will still have the UBSan instrumented.
However
```
type:int
src:*/test1.c=sanitize
```
`test1.c` does not have the int type check.
>From 508f81a2bc09017a70897d1d29ed65627e6fe77d Mon Sep 17 00:00:00 2001
From: Qinkun Bao
Date: Tue, 13 May 2025 17:16:53 +
Subject: [PATCH] Implement src:*=sanitize for UBSan
---
clang/lib/Basic/NoSanitizeList.cpp| 3 ++-
.../ubsan-src-ignorelist-category.test| 23 +++
2 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 clang/test/CodeGen/ubsan-src-ignorelist-category.test
diff --git a/clang/lib/Basic/NoSanitizeList.cpp
b/clang/lib/Basic/NoSanitizeList.cpp
index e7e63c1f419e6..c4db5a5a211d2 100644
--- a/clang/lib/Basic/NoSanitizeList.cpp
+++ b/clang/lib/Basic/NoSanitizeList.cpp
@@ -44,7 +44,8 @@ bool NoSanitizeList::containsFunction(SanitizerMask Mask,
bool NoSanitizeList::containsFile(SanitizerMask Mask, StringRef FileName,
StringRef Category) const {
- return SSCL->inSection(Mask, "src", FileName, Category);
+ bool allowList = SSCL->inSection(Mask, "src", FileName, "sanitize");
+ return SSCL->inSection(Mask, "src", FileName, Category) && !allowList;
}
bool NoSanitizeList::containsMainFile(SanitizerMask Mask, StringRef FileName,
diff --git a/clang/test/CodeGen/ubsan-src-ignorelist-category.test
b/clang/test/CodeGen/ubsan-src-ignorelist-category.test
new file mode 100644
index 0..5242c10bdeec7
--- /dev/null
+++ b/clang/test/CodeGen/ubsan-src-ignorelist-category.test
@@ -0,0 +1,23 @@
+// RUN: rm -rf %t
+// RUN: split-file %s %t
+// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow
-fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test1.c -o - | FileCheck
%s -check-prefix=CHECK-ALLOWLIST
+// RUN: %clang_cc1 -triple x86_64-linux-gnu -fsanitize=signed-integer-overflow
-fsanitize-ignorelist=%t/src.ignorelist -emit-llvm %t/test2.c -o - | FileCheck
%s -check-prefix=CHECK-IGNORELIST
+
+
+// Verify ubsan only emits checks for files in the allowlist
+
+//--- src.ignorelist
+src:*
+src:*/test1.c=sanitize
+
+//--- test1.c
+int add1(int a, int b) {
+// CHECK-ALLOWLIST: llvm.sadd.with.overflow.i32
+return a+b;
+}
+
+//--- test2.c
+int add2(int a, int b) {
+// CHECK-IGNORELIST-NOT: llvm.sadd.with.overflow.i32
+return a+b;
+}
___
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
