[llvm-dev] clang and -D_FORTIFY_SOURCE=1
Serge Guelton via llvm-dev
As a follow-up to that old thread about -D_FORTIFY_SOURCE=n
http://lists.llvm.org/pipermail/cfe-dev/2015-November/045845.html
And, more recently, to this fedora thread where clang/llvm -D_FORTIFY_SOURCE
support is claimed to be only partial:
https://pagure.io/fesco/issue/2020
I dig into the glibc headers in order to have a better understanding of what's
going on, and wrote my notes here:
https://sergesanspaille.fedorapeople.org/fortify_source_requirements.rst
TL;DR: clang does provide a similar compile-time checking as gcc, but no runtime
checking. To assert that I wrote a small test suite:
https://github.com/serge-sans-paille/fortify-test-suite
And indeed, clang doesn't pass it, mostly because it turns call to
__builtin__(.*)_chk into calls to __builtin__\1.
We need to support the runtime behavior of the following builtins:
- __builtin___memcpy_chk
- __builtin___memmove_chk
- __builtin___mempcpy_chk
- __builtin___memset_chk
- __builtin___snprintf_chk
- __builtin___sprintf_chk
- __builtin___stpcpy_chk
- __builtin___strcat_chk
- __builtin___strcpy_chk
- __builtin___strncat_chk
- __builtin___strncpy_chk
- __builtin___vsnprintf_chk
- __builtin___vsprintf_chk
And I'd like to implement them at clang level, leveraging their existing
implementation. Is that the right way to go / any comments / issue with that
approach ?
_______________________________________________
LLVM Developers mailing list
llvm...@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
Eli Friedman via llvm-dev
-Eli
> cfe...@lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Martin Storsjö via llvm-dev
> Hi folks (CCing llvm-dev, but that's probably more of a cfe-dev topic),
>
> As a follow-up to that old thread about -D_FORTIFY_SOURCE=n
>
> http://lists.llvm.org/pipermail/cfe-dev/2015-November/045845.html
>
> And, more recently, to this fedora thread where clang/llvm -D_FORTIFY_SOURCE
> support is claimed to be only partial:
>
> https://pagure.io/fesco/issue/2020
>
> I dig into the glibc headers in order to have a better understanding of what's
> going on, and wrote my notes here:
>
> https://sergesanspaille.fedorapeople.org/fortify_source_requirements.rst
>
> TL;DR: clang does provide a similar compile-time checking as gcc, but no runtime
> checking. To assert that I wrote a small test suite:
>
> https://github.com/serge-sans-paille/fortify-test-suite
>
> And indeed, clang doesn't pass it, mostly because it turns call to
> __builtin__(.*)_chk into calls to __builtin__\1.
I remember looking at the fortify macros recently, and iirc the issue was
that the __builtin_object_size builtin, when used in an inline function,
can't evaluate the size of the object in the context where it is inlined,
which the glibc fortify macros/inline functions depend on.
This has been discussed before, e.g. here:
http://lists.llvm.org/pipermail/cfe-dev/2015-November/045846.html
// Martin
James Y Knight via llvm-dev
If anyone is interested in glibc fully supporting fortify mode with clang, way to achieve this would be to look at the implementation in the bionic libc's headers, and then implement the same technique in glibc.
Joerg Sonnenberger via llvm-dev
> On Tue, 3 Dec 2019, Serge Guelton via cfe-dev wrote:
>
> > Hi folks (CCing llvm-dev, but that's probably more of a cfe-dev topic),
> >
> > As a follow-up to that old thread about -D_FORTIFY_SOURCE=n
> >
> > http://lists.llvm.org/pipermail/cfe-dev/2015-November/045845.html
> >
> > And, more recently, to this fedora thread where clang/llvm -D_FORTIFY_SOURCE
> > support is claimed to be only partial:
> >
> > https://pagure.io/fesco/issue/2020
> >
> > I dig into the glibc headers in order to have a better understanding of what's
> > going on, and wrote my notes here:
> >
> > https://sergesanspaille.fedorapeople.org/fortify_source_requirements.rst
> >
> > TL;DR: clang does provide a similar compile-time checking as gcc, but no runtime
> > checking. To assert that I wrote a small test suite:
> >
> > https://github.com/serge-sans-paille/fortify-test-suite
> >
> > And indeed, clang doesn't pass it, mostly because it turns call to
> > __builtin__(.*)_chk into calls to __builtin__\1.
>
> I remember looking at the fortify macros recently, and iirc the issue was
> that the __builtin_object_size builtin, when used in an inline function,
> can't evaluate the size of the object in the context where it is inlined,
> which the glibc fortify macros/inline functions depend on.
>
> This has been discussed before, e.g. here:
> http://lists.llvm.org/pipermail/cfe-dev/2015-November/045846.html
That discussion is no longer relevant. __bos is only lowered to a
result, if the answer is definitely known and otherwise kept through a
good chunk of the pass pipeline, most importantly until after inlining
is done.
Joerg
Martin Storsjö via llvm-dev
Hmm, when I looked at some cases of it (_FORTIFY_SOURCE macros in
mingw-w64, modelled after the ones in glibc), __bos didn't seem to be able
to figure out the size as long when the use of it was in an inlined
function (built with optimization) while the buffer to measure was in the
caller's scope. As I found that ML post I didn't dig into the matter
further. Maybe I should look at it again why it didn't work, if it is
supposed to work these days...
// Martin
George Burgess IV via llvm-dev
Serge Guelton via llvm-dev
static char dest[10];
char* square(int n) {
memcpy(dest, "hello", n);
return dest;
}
Martin Storsjö via llvm-dev
> > Are you sure you've diagnosed the issue correctly? __builtin___memcpy_chk
> works correctly, as far as I know.
>
> #include <string.h>
> static char dest[10];
> char* square(int n) {
> memcpy(dest, "hello", n);
> return dest;
> }
>
> compiled with -D_FORTIFY_SOURCE=1 -O1 : https://godbolt.org/z/UvABWp
>
> Clang issues a call to memcpy, while gcc issues a call to __memcpy_chk.
> The call to __memcpy_chk performs extra runtime checks memcpy doesn't,
> and clang doesn't generate the extra checks inline either. This is a
> separate
> concern from the accuracy of __builtin_object_size, just a different runtime
> behavior.
>
> Clang could generate the call to __memcpy_chk if its declaration is
> available, which is the case for the glibc.
I expanded your testcase by removing the string.h include and replacing it
with the relevant bits of it:
https://godbolt.org/z/NKUQbW
The regular call to memcpy ends up without the extra safety checks and
just generates a call to memcpy. But if I call __builtin___memcpy_chk
directly, it does generate a call to __memcpy_chk.
So I would conclude that the builtin works just fine, but the issue is
with the exact rules for when and how the inline function is preferred
over the externally available version.
I added a "#define VISIBIILTY extern" to ease testing and changing it. If
you change that into static, you'll see that the inline version of the
function actually ends up used, and it does generate a call to
__memcpy_chk even there.
And this does seem to show that __builtin_object_size does work fine from
within an inlined function now, contrary to my earlier comments.
// Martin
Serge Guelton via llvm-dev
> over the externally available version.