1// RUN: %clangxx -frtti -fsanitize=vptr -fno-sanitize-recover=vptr -g %s -O3 -o %t
2// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-CORRUPTED-VTABLE --strict-whitespace
3
4// UNSUPPORTED: target={{.*windows-msvc.*}}
5// REQUIRES: stable-runtime, cxxabi
6
7#include <typeinfo>
8
9#if __has_feature(ptrauth_calls)
10#include <ptrauth.h>
11#endif
12
13struct S {
14 S() {}
15 ~S() {}
16 virtual int v() { return 0; }
17};
18
19// See the proper definition in ubsan_type_hash_itanium.cpp
20struct VtablePrefix {
21 signed long Offset;
22 std::type_info *TypeInfo;
23};
24
25int main(int argc, char **argv) {
26 // Test that we don't crash on corrupted vtable when
27 // offset is too large or too small.
28 S Obj;
29 void *Ptr = &Obj;
30 void *VtablePtr = *reinterpret_cast<void**>(Ptr);
31#if __has_feature(ptrauth_calls)
32 VtablePtr = ptrauth_strip(VtablePtr, 0);
33#endif
34 VtablePrefix* Prefix = reinterpret_cast<VtablePrefix*>(VtablePtr) - 1;
35
36 VtablePrefix FakePrefix[2];
37 FakePrefix[0].Offset = 1<<21; // Greater than VptrMaxOffset
38 FakePrefix[0].TypeInfo = Prefix->TypeInfo;
39
40 // Hack Vtable ptr for Obj.
41 void *FakeVtablePtr = static_cast<void*>(&FakePrefix[1]);
42#if __has_feature(ptrauth_calls)
43 FakeVtablePtr = ptrauth_sign_unauthenticated(
44 FakeVtablePtr, ptrauth_key_cxx_vtable_pointer, 0);
45#endif
46 *reinterpret_cast<void**>(Ptr) = FakeVtablePtr;
47
48 // CHECK-CORRUPTED-VTABLE: vptr-corrupted-vtable-itanium.cpp:[[@LINE+3]]:16: runtime error: member call on address [[PTR:0x[0-9a-f]*]] which does not point to an object of type 'S'
49 // CHECK-CORRUPTED-VTABLE-NEXT: [[PTR]]: note: object has a possibly invalid vptr: abs(offset to top) too big
50 S* Ptr2 = reinterpret_cast<S*>(Ptr);
51 return Ptr2->v();
52}
53

source code of compiler-rt/test/ubsan/TestCases/TypeCheck/vptr-corrupted-vtable-itanium.cpp