-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[libc++] Fix the behavior of throwing operator new under -fno-exceptions
#69498
Merged
Merged
Changes from all commits
Commits
Show all changes
15 commits
Select commit
Hold shift + click to select a range
6f89b11
[libc++] Fix the behavior of throwing `operator new` under -fno-excep…
ldionne 1b5144f
Improve diagnostic
ldionne 0f2b77f
Make sure to override operator new(nothrow) count_new tests
ldionne 82d3e73
Add __overridable_function to modulemap
ldionne 3980914
Fix implementation of count_new.h operators
ldionne e9863c3
Fix formatting
ldionne f05c8a3
Merge branch 'main' into review/fix-operator-new-nothrow
ldionne 12e3239
Add XFAILs for a few tests that can't work anymore
ldionne 170c592
Merge branch 'main' into review/fix-operator-new-nothrow
ldionne 14fe81e
Merge branch 'main' into review/fix-operator-new-nothrow
ldionne cf6209a
Move to src/
ldionne 64b2e5c
Merge branch 'main' into review/fix-operator-new-nothrow
ldionne f416bf0
Add the ability to match multiple death causes
ldionne d1a0648
Refactor
ldionne 609ba8d
Fix test
ldionne File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,119 @@ | ||
| // -*- C++ -*- | ||
| //===----------------------------------------------------------------------===// | ||
| // | ||
| // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. | ||
| // See https://llvm.org/LICENSE.txt for license information. | ||
| // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception | ||
| // | ||
| //===----------------------------------------------------------------------===// | ||
|
|
||
| #ifndef _LIBCPP_SRC_INCLUDE_OVERRIDABLE_FUNCTION_H | ||
| #define _LIBCPP_SRC_INCLUDE_OVERRIDABLE_FUNCTION_H | ||
|
|
||
| #include <__config> | ||
| #include <cstdint> | ||
|
|
||
| #if !defined(_LIBCPP_HAS_NO_PRAGMA_SYSTEM_HEADER) | ||
| # pragma GCC system_header | ||
| #endif | ||
|
|
||
| // | ||
| // This file provides the std::__is_function_overridden utility, which allows checking | ||
| // whether an overridable function (typically a weak symbol) like `operator new` | ||
| // has been overridden by a user or not. | ||
| // | ||
| // This is a low-level utility which does not work on all platforms, since it needs | ||
| // to make assumptions about the object file format in use. Furthermore, it requires | ||
| // the "base definition" of the function (the one we want to check whether it has been | ||
| // overridden) to be annotated with the _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE macro. | ||
| // | ||
| // This currently works with Mach-O files (used on Darwin) and with ELF files (used on Linux | ||
| // and others). On platforms where we know how to implement this detection, the macro | ||
| // _LIBCPP_CAN_DETECT_OVERRIDDEN_FUNCTION is defined to 1, and it is defined to 0 on | ||
| // other platforms. The _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE macro is defined to | ||
| // nothing on unsupported platforms so that it can be used to decorate functions regardless | ||
| // of whether detection is actually supported. | ||
| // | ||
| // How does this work? | ||
| // ------------------- | ||
| // | ||
| // Let's say we want to check whether a weak function `f` has been overridden by the user. | ||
| // The general mechanism works by placing `f`'s definition (in the libc++ built library) | ||
| // inside a special section, which we do using the `__section__` attribute via the | ||
| // _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE macro. | ||
| // | ||
| // Then, when comes the time to check whether the function has been overridden, we take | ||
| // the address of the function and we check whether it falls inside the special function | ||
| // we created. This can be done by finding pointers to the start and the end of the section | ||
| // (which is done differently for ELF and Mach-O), and then checking whether `f` falls | ||
| // within those bounds. If it falls within those bounds, then `f` is still inside the | ||
| // special section and so it is the version we defined in the libc++ built library, i.e. | ||
| // it was not overridden. Otherwise, it was overridden by the user because it falls | ||
| // outside of the section. | ||
| // | ||
| // Important note | ||
| // -------------- | ||
| // | ||
| // This mechanism should never be used outside of the libc++ built library. In particular, | ||
| // attempting to use this within the libc++ headers will not work at all because we don't | ||
| // want to be defining special sections inside user's executables which use our headers. | ||
| // This is provided inside libc++'s include tree solely to make it easier to share with | ||
| // libc++abi, which needs the same mechanism. | ||
| // | ||
|
|
||
| #if defined(_LIBCPP_OBJECT_FORMAT_MACHO) | ||
|
|
||
| # define _LIBCPP_CAN_DETECT_OVERRIDDEN_FUNCTION 1 | ||
| # define _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE \ | ||
| __attribute__((__section__("__TEXT,__lcxx_override,regular,pure_instructions"))) | ||
|
|
||
| _LIBCPP_BEGIN_NAMESPACE_STD | ||
| template <class _Ret, class... _Args> | ||
| _LIBCPP_HIDE_FROM_ABI bool __is_function_overridden(_Ret (*__fptr)(_Args...)) noexcept { | ||
| // Declare two dummy bytes and give them these special `__asm` values. These values are | ||
| // defined by the linker, which means that referring to `&__lcxx_override_start` will | ||
| // effectively refer to the address where the section starts (and same for the end). | ||
| extern char __lcxx_override_start __asm("section$start$__TEXT$__lcxx_override"); | ||
| extern char __lcxx_override_end __asm("section$end$__TEXT$__lcxx_override"); | ||
|
|
||
| // Now get a uintptr_t out of these locations, and out of the function pointer. | ||
| uintptr_t __start = reinterpret_cast<uintptr_t>(&__lcxx_override_start); | ||
| uintptr_t __end = reinterpret_cast<uintptr_t>(&__lcxx_override_end); | ||
| uintptr_t __ptr = reinterpret_cast<uintptr_t>(__fptr); | ||
|
|
||
| // Finally, the function was overridden if it falls outside of the section's bounds. | ||
| return __ptr < __start || __ptr > __end; | ||
| } | ||
| _LIBCPP_END_NAMESPACE_STD | ||
|
|
||
| #elif defined(_LIBCPP_OBJECT_FORMAT_ELF) | ||
|
|
||
| # define _LIBCPP_CAN_DETECT_OVERRIDDEN_FUNCTION 1 | ||
| # define _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE __attribute__((__section__("__lcxx_override"))) | ||
|
|
||
| // This is very similar to what we do for Mach-O above. The ELF linker will implicitly define | ||
| // variables with those names corresponding to the start and the end of the section. | ||
| // | ||
| // See https://stackoverflow.com/questions/16552710/how-do-you-get-the-start-and-end-addresses-of-a-custom-elf-section | ||
| extern char __start___lcxx_override; | ||
| extern char __stop___lcxx_override; | ||
|
|
||
| _LIBCPP_BEGIN_NAMESPACE_STD | ||
| template <class _Ret, class... _Args> | ||
| _LIBCPP_HIDE_FROM_ABI bool __is_function_overridden(_Ret (*__fptr)(_Args...)) noexcept { | ||
| uintptr_t __start = reinterpret_cast<uintptr_t>(&__start___lcxx_override); | ||
| uintptr_t __end = reinterpret_cast<uintptr_t>(&__stop___lcxx_override); | ||
| uintptr_t __ptr = reinterpret_cast<uintptr_t>(__fptr); | ||
|
|
||
| return __ptr < __start || __ptr > __end; | ||
| } | ||
| _LIBCPP_END_NAMESPACE_STD | ||
|
|
||
| #else | ||
|
|
||
| # define _LIBCPP_CAN_DETECT_OVERRIDDEN_FUNCTION 0 | ||
| # define _LIBCPP_MAKE_OVERRIDABLE_FUNCTION_DETECTABLE /* nothing */ | ||
|
|
||
| #endif | ||
|
|
||
| #endif // _LIBCPP_SRC_INCLUDE_OVERRIDABLE_FUNCTION_H |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
58 changes: 58 additions & 0 deletions
58
...anguage.support/support.dynamic/assert.nothrow_new_not_overridden_fno_exceptions.pass.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| //===----------------------------------------------------------------------===// | ||
| // | ||
| // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. | ||
| // See https://llvm.org/LICENSE.txt for license information. | ||
| // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception | ||
| // | ||
| //===----------------------------------------------------------------------===// | ||
|
|
||
| // void* operator new(std::size_t, const std::nothrow_t&); | ||
| // void* operator new(std::size_t, std::align_val_t, const std::nothrow_t&); | ||
| // void* operator new[](std::size_t, const std::nothrow_t&); | ||
| // void* operator new[](std::size_t, std::align_val_t, const std::nothrow_t&); | ||
|
|
||
| // This test ensures that we catch the case where `new` has been overridden but `new(nothrow)` | ||
| // has not been overridden, and the library is compiled with -fno-exceptions. | ||
| // | ||
| // In that case, it is impossible for libc++ to provide a Standards conforming implementation | ||
| // of `new(nothrow)`, so the only viable option is to terminate the program. | ||
|
|
||
| // REQUIRES: has-unix-headers | ||
| // UNSUPPORTED: c++03 | ||
|
|
||
| // We only know how to diagnose this on platforms that use the ELF or Mach-O object file formats. | ||
| // XFAIL: target={{.+}}-windows-{{.+}} | ||
|
|
||
| // TODO: We currently don't have a way to express that the built library was | ||
| // compiled with -fno-exceptions, so if the library was built with support | ||
| // for exceptions but we run the test suite without exceptions, this will | ||
| // spuriously fail. | ||
| // REQUIRES: no-exceptions | ||
|
|
||
| #include <cstddef> | ||
| #include <new> | ||
|
|
||
| #include "check_assertion.h" | ||
|
|
||
| // Override the throwing versions of operator new, but not the nothrow versions. | ||
| alignas(32) char DummyData[32 * 3]; | ||
| void* operator new(std::size_t) { return DummyData; } | ||
| void* operator new(std::size_t, std::align_val_t) { return DummyData; } | ||
| void* operator new[](std::size_t) { return DummyData; } | ||
| void* operator new[](std::size_t, std::align_val_t) { return DummyData; } | ||
|
|
||
| void operator delete(void*) noexcept {} | ||
| void operator delete(void*, std::align_val_t) noexcept {} | ||
| void operator delete[](void*) noexcept {} | ||
| void operator delete[](void*, std::align_val_t) noexcept {} | ||
|
|
||
| int main(int, char**) { | ||
| std::size_t size = 3; | ||
| std::align_val_t align = static_cast<std::align_val_t>(32); | ||
| EXPECT_ANY_DEATH((void)operator new(size, std::nothrow)); | ||
| EXPECT_ANY_DEATH((void)operator new(size, align, std::nothrow)); | ||
| EXPECT_ANY_DEATH((void)operator new[](size, std::nothrow)); | ||
| EXPECT_ANY_DEATH((void)operator new[](size, align, std::nothrow)); | ||
|
|
||
| return 0; | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@var-const This is a rare example of a case where I think it makes sense to unconditionally have a
_LIBCPP_ASSERT-- this should be enabled regardless of the hardening mode IMO. It is similar to when we callstd::__throw_logic_error()and friends with-fno-exceptions-- that aborts the program regardless of the hardening mode.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you're forgetting how hot of a path this is. I don't think we want to be doing anything more than we need in the majority of cases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could make this part of the
DEBUG_LITEmode then, I guess. Would that address your concerns?