1 | // RUN: %clangxx -frtti -fsanitize=vptr -fno-sanitize-recover=vptr -g %s -O3 -o %t |
2 | // RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-CORRUPTED-VTABLE --strict-whitespace |
3 | |
4 | // UNSUPPORTED: target={{.*windows-msvc.*}} |
5 | // REQUIRES: stable-runtime, cxxabi |
6 | |
7 | #include <typeinfo> |
8 | |
9 | #if __has_feature(ptrauth_calls) |
10 | #include <ptrauth.h> |
11 | #endif |
12 | |
13 | struct S { |
14 | S() {} |
15 | ~S() {} |
16 | virtual int v() { return 0; } |
17 | }; |
18 | |
19 | // See the proper definition in ubsan_type_hash_itanium.cpp |
20 | struct VtablePrefix { |
21 | signed long Offset; |
22 | std::type_info *TypeInfo; |
23 | }; |
24 | |
25 | int main(int argc, char **argv) { |
26 | // Test that we don't crash on corrupted vtable when |
27 | // offset is too large or too small. |
28 | S Obj; |
29 | void *Ptr = &Obj; |
30 | void *VtablePtr = *reinterpret_cast<void**>(Ptr); |
31 | #if __has_feature(ptrauth_calls) |
32 | VtablePtr = ptrauth_strip(VtablePtr, 0); |
33 | #endif |
34 | VtablePrefix* Prefix = reinterpret_cast<VtablePrefix*>(VtablePtr) - 1; |
35 | |
36 | VtablePrefix FakePrefix[2]; |
37 | FakePrefix[0].Offset = 1<<21; // Greater than VptrMaxOffset |
38 | FakePrefix[0].TypeInfo = Prefix->TypeInfo; |
39 | |
40 | // Hack Vtable ptr for Obj. |
41 | void *FakeVtablePtr = static_cast<void*>(&FakePrefix[1]); |
42 | #if __has_feature(ptrauth_calls) |
43 | FakeVtablePtr = ptrauth_sign_unauthenticated( |
44 | FakeVtablePtr, ptrauth_key_cxx_vtable_pointer, 0); |
45 | #endif |
46 | *reinterpret_cast<void**>(Ptr) = FakeVtablePtr; |
47 | |
48 | // CHECK-CORRUPTED-VTABLE: vptr-corrupted-vtable-itanium.cpp:[[@LINE+3]]:16: runtime error: member call on address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'S' |
49 | // CHECK-CORRUPTED-VTABLE-NEXT: [[PTR]]: note: object has a possibly invalid vptr: abs(offset to top) too big |
50 | S* Ptr2 = reinterpret_cast<S*>(Ptr); |
51 | return Ptr2->v(); |
52 | } |
53 | |