9ed20568e7
This commit introduces basic annotations for `std::basic_string`,
mirroring the approach used in `std::vector` and `std::deque`.
Initially, only long strings with the default allocator will be
annotated. Short strings (_SSO - short string optimization_) and strings
with non-default allocators will be annotated in the near future, with
separate commits dedicated to enabling them. The process will be similar
to the workflow employed for enabling annotations in `std::deque`.
**Please note**: these annotations function effectively only when libc++
and libc++abi dylibs are instrumented (with ASan). This aligns with the
prevailing behavior of Memory Sanitizer.
To avoid breaking everything, this commit also appends
`_LIBCPP_INSTRUMENTED_WITH_ASAN` to `__config_site` whenever libc++ is
compiled with ASan. If this macro is not defined, string annotations are
not enabled. However, linking a binary that does **not** annotate
strings with a dynamic library that annotates strings, is not permitted.
Originally proposed here: https://reviews.llvm.org/D132769
Related patches on Phabricator:
- Turning on annotations for short strings:
https://reviews.llvm.org/D147680
- Turning on annotations for all allocators:
https://reviews.llvm.org/D146214
This PR is a part of a series of patches extending AddressSanitizer C++
container overflow detection capabilities by adding annotations, similar
to those existing in `std::vector` and `std::deque` collections. These
enhancements empower ASan to effectively detect instances where the
instrumented program attempts to access memory within a collection's
internal allocation that remains unused. This includes cases where
access occurs before or after the stored elements in `std::deque`, or
between the `std::basic_string`'s size (including the null terminator)
and capacity bounds.
The introduction of these annotations was spurred by a real-world
software bug discovered by Trail of Bits, involving an out-of-bounds
memory access during the comparison of two strings using the
`std::equals` function. This function was taking iterators
(`iter1_begin`, `iter1_end`, `iter2_begin`) to perform the comparison,
using a custom comparison function. When the `iter1` object exceeded the
length of `iter2`, an out-of-bounds read could occur on the `iter2`
object. Container sanitization, upon enabling these annotations, would
effectively identify and flag this potential vulnerability.
This Pull Request introduces basic annotations for `std::basic_string`.
Long strings exhibit structural similarities to `std::vector` and will
be annotated accordingly. Short strings are already implemented, but
will be turned on separately in a forthcoming commit. Look at [a
comment](https://github.com/llvm/llvm-project/pull/72677#issuecomment-1850554465)
below to read about SSO issues at current moment.
Due to the functionality introduced in
[D132522](dd1b7b797a),
the `__sanitizer_annotate_contiguous_container` function now offers
compatibility with all allocators. However, enabling this support will
be done in a subsequent commit. For the time being, only strings with
the default allocator will be annotated.
If you have any questions, please email:
- advenam.tacet@trailofbits.com
- disconnect3d@trailofbits.com
132 lines
4.9 KiB
C++
132 lines
4.9 KiB
C++
//===----------------------------------------------------------------------===//
|
|
//
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
// UNSUPPORTED: c++03, c++11, c++14, c++17, c++20
|
|
|
|
// template<container-compatible-range<charT> R>
|
|
// constexpr basic_string(from_range_t, R&& rg, const Allocator& a = Allocator()); // since C++23
|
|
|
|
#include <algorithm>
|
|
#include <string>
|
|
#include <utility>
|
|
#include <vector>
|
|
|
|
#include "../../../containers/from_range_helpers.h"
|
|
#include "../../../containers/sequences/from_range_sequence_containers.h"
|
|
#include "test_macros.h"
|
|
#include "asan_testing.h"
|
|
|
|
template <class Container, class Range, class Alloc>
|
|
concept StringHasFromRangeAllocCtr =
|
|
requires(Range&& range, const Alloc& alloc) { Container(std::from_range, std::forward<Range>(range), alloc); };
|
|
|
|
constexpr bool test_constraints() {
|
|
// (from_range, range)
|
|
//
|
|
// Input range with the same value type.
|
|
static_assert(HasFromRangeCtr<std::string, InputRange<char>>);
|
|
// Input range with a convertible value type.
|
|
static_assert(HasFromRangeCtr<std::string, InputRange<int>>);
|
|
// Input range with a non-convertible value type.
|
|
static_assert(!HasFromRangeCtr<std::string, InputRange<Empty>>);
|
|
// Not an input range.
|
|
static_assert(!HasFromRangeCtr<std::string, InputRangeNotDerivedFrom>);
|
|
static_assert(!HasFromRangeCtr<std::string, InputRangeNotIndirectlyReadable>);
|
|
static_assert(!HasFromRangeCtr<std::string, InputRangeNotInputOrOutputIterator>);
|
|
|
|
// (from_range, range, alloc)
|
|
//
|
|
// Input range with the same value type.
|
|
using Alloc = test_allocator<char>;
|
|
using StringWithAlloc = std::basic_string<char, std::char_traits<char>, Alloc>;
|
|
static_assert(StringHasFromRangeAllocCtr<StringWithAlloc, InputRange<char>, Alloc>);
|
|
// Input range with a convertible value type.
|
|
static_assert(StringHasFromRangeAllocCtr<StringWithAlloc, InputRange<int>, Alloc>);
|
|
// Input range with a non-convertible value type.
|
|
static_assert(!StringHasFromRangeAllocCtr<StringWithAlloc, InputRange<Empty>, Alloc>);
|
|
// Not an input range.
|
|
static_assert(!StringHasFromRangeAllocCtr<StringWithAlloc, InputRangeNotDerivedFrom, Alloc>);
|
|
static_assert(!StringHasFromRangeAllocCtr<StringWithAlloc, InputRangeNotIndirectlyReadable, Alloc>);
|
|
static_assert(!StringHasFromRangeAllocCtr<StringWithAlloc, InputRangeNotInputOrOutputIterator, Alloc>);
|
|
// Not an allocator.
|
|
static_assert(!StringHasFromRangeAllocCtr<StringWithAlloc, InputRange<char>, Empty>);
|
|
|
|
return true;
|
|
}
|
|
|
|
template <class Iter, class Sent, class Alloc>
|
|
constexpr void test_with_input(std::vector<char> input) {
|
|
auto b = Iter(input.data());
|
|
auto e = Iter(input.data() + input.size());
|
|
std::ranges::subrange in(std::move(b), Sent(std::move(e)));
|
|
|
|
{ // (range)
|
|
std::string c(std::from_range, in);
|
|
|
|
LIBCPP_ASSERT(c.__invariants());
|
|
assert(c.size() == static_cast<std::size_t>(std::distance(c.begin(), c.end())));
|
|
assert(std::ranges::equal(in, c));
|
|
LIBCPP_ASSERT(is_string_asan_correct(c));
|
|
}
|
|
|
|
{ // (range, allocator)
|
|
Alloc alloc;
|
|
std::basic_string<char, std::char_traits<char>, Alloc> c(std::from_range, in, alloc);
|
|
|
|
LIBCPP_ASSERT(c.__invariants());
|
|
assert(c.get_allocator() == alloc);
|
|
assert(c.size() == static_cast<std::size_t>(std::distance(c.begin(), c.end())));
|
|
assert(std::ranges::equal(in, c));
|
|
LIBCPP_ASSERT(is_string_asan_correct(c));
|
|
}
|
|
}
|
|
|
|
void test_string_exception_safety_throwing_allocator() {
|
|
#if !defined(TEST_HAS_NO_EXCEPTIONS)
|
|
try {
|
|
ThrowingAllocator<char> alloc;
|
|
|
|
globalMemCounter.reset();
|
|
// Note: the input string must be long enough to prevent SSO, otherwise the allocator won't be used.
|
|
std::basic_string<char, std::char_traits<char>, ThrowingAllocator<char>> c(
|
|
std::from_range, std::vector<char>(64, 'A'), alloc);
|
|
assert(false); // The constructor call should throw.
|
|
|
|
} catch (int) {
|
|
assert(globalMemCounter.new_called == globalMemCounter.delete_called);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
constexpr bool test_inputs() {
|
|
for_all_iterators_and_allocators<char>([]<class Iter, class Sent, class Alloc>() {
|
|
// Shorter input -- SSO.
|
|
test_with_input<Iter, Sent, Alloc>({'a', 'b', 'c', 'd', 'e'});
|
|
// Longer input -- no SSO.
|
|
test_with_input<Iter, Sent, Alloc>(std::vector<char>(64, 'A'));
|
|
// Empty input.
|
|
test_with_input<Iter, Sent, Alloc>({});
|
|
// Single-element input.
|
|
test_with_input<Iter, Sent, Alloc>({'a'});
|
|
});
|
|
|
|
return true;
|
|
}
|
|
|
|
int main(int, char**) {
|
|
test_inputs();
|
|
static_assert(test_inputs());
|
|
|
|
static_assert(test_constraints());
|
|
|
|
// Note: `test_exception_safety_throwing_copy` doesn't apply because copying a `char` cannot throw.
|
|
test_string_exception_safety_throwing_allocator();
|
|
|
|
return 0;
|
|
}
|