2010-05-11 19:42:16 +00:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
//
|
2019-01-19 10:56:40 +00:00
|
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
|
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
|
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
2010-05-11 19:42:16 +00:00
|
|
|
//
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
// <string>
|
|
|
|
|
|
[libc++] Implement P0980R1 (constexpr std::string)
Reviewed By: #libc, ldionne
Spies: daltenty, sdasgup3, ldionne, arichardson, MTC, ChuanqiXu, mehdi_amini, shauheen, antiagainst, nicolasvasilache, arpith-jacob, mgester, lucyrfox, aartbik, liufengdb, stephenneuendorffer, Joonsoo, grosul1, Kayjukh, jurahul, msifontes, tatianashp, rdzhabarov, teijeong, cota, dcaballe, Chia-hungDuan, wrengr, wenzhicui, arphaman, Mordante, miscco, Quuxplusone, smeenai, libcxx-commits
Differential Revision: https://reviews.llvm.org/D110598
2022-04-27 10:11:44 +02:00
|
|
|
// basic_string(const basic_string& str, const Allocator& alloc); // constexpr since C++20
|
2010-05-11 19:42:16 +00:00
|
|
|
|
|
|
|
|
#include <string>
|
|
|
|
|
#include <cassert>
|
|
|
|
|
|
2016-04-28 22:28:23 +00:00
|
|
|
#include "test_macros.h"
|
2013-12-03 00:18:10 +00:00
|
|
|
#include "test_allocator.h"
|
2013-11-26 20:58:02 +00:00
|
|
|
#include "min_allocator.h"
|
[ASan][libc++] std::basic_string annotations (#72677)
This commit introduces basic annotations for `std::basic_string`,
mirroring the approach used in `std::vector` and `std::deque`.
Initially, only long strings with the default allocator will be
annotated. Short strings (_SSO - short string optimization_) and strings
with non-default allocators will be annotated in the near future, with
separate commits dedicated to enabling them. The process will be similar
to the workflow employed for enabling annotations in `std::deque`.
**Please note**: these annotations function effectively only when libc++
and libc++abi dylibs are instrumented (with ASan). This aligns with the
prevailing behavior of Memory Sanitizer.
To avoid breaking everything, this commit also appends
`_LIBCPP_INSTRUMENTED_WITH_ASAN` to `__config_site` whenever libc++ is
compiled with ASan. If this macro is not defined, string annotations are
not enabled. However, linking a binary that does **not** annotate
strings with a dynamic library that annotates strings, is not permitted.
Originally proposed here: https://reviews.llvm.org/D132769
Related patches on Phabricator:
- Turning on annotations for short strings:
https://reviews.llvm.org/D147680
- Turning on annotations for all allocators:
https://reviews.llvm.org/D146214
This PR is a part of a series of patches extending AddressSanitizer C++
container overflow detection capabilities by adding annotations, similar
to those existing in `std::vector` and `std::deque` collections. These
enhancements empower ASan to effectively detect instances where the
instrumented program attempts to access memory within a collection's
internal allocation that remains unused. This includes cases where
access occurs before or after the stored elements in `std::deque`, or
between the `std::basic_string`'s size (including the null terminator)
and capacity bounds.
The introduction of these annotations was spurred by a real-world
software bug discovered by Trail of Bits, involving an out-of-bounds
memory access during the comparison of two strings using the
`std::equals` function. This function was taking iterators
(`iter1_begin`, `iter1_end`, `iter2_begin`) to perform the comparison,
using a custom comparison function. When the `iter1` object exceeded the
length of `iter2`, an out-of-bounds read could occur on the `iter2`
object. Container sanitization, upon enabling these annotations, would
effectively identify and flag this potential vulnerability.
This Pull Request introduces basic annotations for `std::basic_string`.
Long strings exhibit structural similarities to `std::vector` and will
be annotated accordingly. Short strings are already implemented, but
will be turned on separately in a forthcoming commit. Look at [a
comment](https://github.com/llvm/llvm-project/pull/72677#issuecomment-1850554465)
below to read about SSO issues at current moment.
Due to the functionality introduced in
[D132522](https://github.com/llvm/llvm-project/commit/dd1b7b797a116eed588fd752fbe61d34deeb24e4),
the `__sanitizer_annotate_contiguous_container` function now offers
compatibility with all allocators. However, enabling this support will
be done in a subsequent commit. For the time being, only strings with
the default allocator will be annotated.
If you have any questions, please email:
- advenam.tacet@trailofbits.com
- disconnect3d@trailofbits.com
2023-12-13 06:05:34 +01:00
|
|
|
#include "asan_testing.h"
|
2010-05-11 19:42:16 +00:00
|
|
|
|
2017-01-31 13:12:32 +00:00
|
|
|
#ifndef TEST_HAS_NO_EXCEPTIONS
|
2017-01-31 03:40:52 +00:00
|
|
|
struct alloc_imp {
|
2023-09-01 13:27:26 -04:00
|
|
|
bool active;
|
2017-01-31 03:40:52 +00:00
|
|
|
|
2023-09-01 13:27:26 -04:00
|
|
|
TEST_CONSTEXPR alloc_imp() : active(true) {}
|
2017-01-31 03:40:52 +00:00
|
|
|
|
2023-09-01 13:27:26 -04:00
|
|
|
template <class T>
|
|
|
|
|
T* allocate(std::size_t n) {
|
|
|
|
|
if (active)
|
|
|
|
|
return static_cast<T*>(std::malloc(n * sizeof(T)));
|
|
|
|
|
else
|
|
|
|
|
throw std::bad_alloc();
|
|
|
|
|
}
|
2017-01-31 03:40:52 +00:00
|
|
|
|
2023-09-01 13:27:26 -04:00
|
|
|
template <class T>
|
|
|
|
|
void deallocate(T* p, std::size_t) {
|
|
|
|
|
std::free(p);
|
|
|
|
|
}
|
|
|
|
|
void activate() { active = true; }
|
|
|
|
|
void deactivate() { active = false; }
|
2017-01-31 03:40:52 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
template <class T>
|
|
|
|
|
struct poca_alloc {
|
2023-09-01 13:27:26 -04:00
|
|
|
typedef T value_type;
|
|
|
|
|
typedef std::true_type propagate_on_container_copy_assignment;
|
2017-01-31 03:40:52 +00:00
|
|
|
|
2023-09-01 13:27:26 -04:00
|
|
|
alloc_imp* imp;
|
2017-01-31 03:40:52 +00:00
|
|
|
|
2023-09-01 13:27:26 -04:00
|
|
|
TEST_CONSTEXPR poca_alloc(alloc_imp* imp_) : imp(imp_) {}
|
2017-01-31 03:40:52 +00:00
|
|
|
|
2023-09-01 13:27:26 -04:00
|
|
|
template <class U>
|
|
|
|
|
TEST_CONSTEXPR poca_alloc(const poca_alloc<U>& other) : imp(other.imp) {}
|
2017-01-31 03:40:52 +00:00
|
|
|
|
2023-09-01 13:27:26 -04:00
|
|
|
T* allocate(std::size_t n) { return imp->allocate<T>(n); }
|
|
|
|
|
void deallocate(T* p, std::size_t n) { imp->deallocate(p, n); }
|
2017-01-31 03:40:52 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
template <typename T, typename U>
|
2023-09-01 13:27:26 -04:00
|
|
|
bool operator==(const poca_alloc<T>& lhs, const poca_alloc<U>& rhs) {
|
|
|
|
|
return lhs.imp == rhs.imp;
|
2017-01-31 03:40:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
template <typename T, typename U>
|
2023-09-01 13:27:26 -04:00
|
|
|
bool operator!=(const poca_alloc<T>& lhs, const poca_alloc<U>& rhs) {
|
|
|
|
|
return lhs.imp != rhs.imp;
|
2017-01-31 03:40:52 +00:00
|
|
|
}
|
|
|
|
|
|
2017-01-31 13:12:32 +00:00
|
|
|
template <class S>
|
2023-09-01 13:27:26 -04:00
|
|
|
TEST_CONSTEXPR_CXX20 void test_assign(S& s1, const S& s2) {
|
|
|
|
|
try {
|
|
|
|
|
s1 = s2;
|
|
|
|
|
} catch (std::bad_alloc&) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
assert(false);
|
2017-01-31 13:12:32 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2010-05-11 19:42:16 +00:00
|
|
|
template <class S>
|
2023-09-01 13:27:26 -04:00
|
|
|
TEST_CONSTEXPR_CXX20 void test(S s1, const typename S::allocator_type& a) {
|
|
|
|
|
S s2(s1, a);
|
|
|
|
|
LIBCPP_ASSERT(s2.__invariants());
|
|
|
|
|
assert(s2 == s1);
|
|
|
|
|
assert(s2.capacity() >= s2.size());
|
|
|
|
|
assert(s2.get_allocator() == a);
|
[ASan][libc++] std::basic_string annotations (#72677)
This commit introduces basic annotations for `std::basic_string`,
mirroring the approach used in `std::vector` and `std::deque`.
Initially, only long strings with the default allocator will be
annotated. Short strings (_SSO - short string optimization_) and strings
with non-default allocators will be annotated in the near future, with
separate commits dedicated to enabling them. The process will be similar
to the workflow employed for enabling annotations in `std::deque`.
**Please note**: these annotations function effectively only when libc++
and libc++abi dylibs are instrumented (with ASan). This aligns with the
prevailing behavior of Memory Sanitizer.
To avoid breaking everything, this commit also appends
`_LIBCPP_INSTRUMENTED_WITH_ASAN` to `__config_site` whenever libc++ is
compiled with ASan. If this macro is not defined, string annotations are
not enabled. However, linking a binary that does **not** annotate
strings with a dynamic library that annotates strings, is not permitted.
Originally proposed here: https://reviews.llvm.org/D132769
Related patches on Phabricator:
- Turning on annotations for short strings:
https://reviews.llvm.org/D147680
- Turning on annotations for all allocators:
https://reviews.llvm.org/D146214
This PR is a part of a series of patches extending AddressSanitizer C++
container overflow detection capabilities by adding annotations, similar
to those existing in `std::vector` and `std::deque` collections. These
enhancements empower ASan to effectively detect instances where the
instrumented program attempts to access memory within a collection's
internal allocation that remains unused. This includes cases where
access occurs before or after the stored elements in `std::deque`, or
between the `std::basic_string`'s size (including the null terminator)
and capacity bounds.
The introduction of these annotations was spurred by a real-world
software bug discovered by Trail of Bits, involving an out-of-bounds
memory access during the comparison of two strings using the
`std::equals` function. This function was taking iterators
(`iter1_begin`, `iter1_end`, `iter2_begin`) to perform the comparison,
using a custom comparison function. When the `iter1` object exceeded the
length of `iter2`, an out-of-bounds read could occur on the `iter2`
object. Container sanitization, upon enabling these annotations, would
effectively identify and flag this potential vulnerability.
This Pull Request introduces basic annotations for `std::basic_string`.
Long strings exhibit structural similarities to `std::vector` and will
be annotated accordingly. Short strings are already implemented, but
will be turned on separately in a forthcoming commit. Look at [a
comment](https://github.com/llvm/llvm-project/pull/72677#issuecomment-1850554465)
below to read about SSO issues at current moment.
Due to the functionality introduced in
[D132522](https://github.com/llvm/llvm-project/commit/dd1b7b797a116eed588fd752fbe61d34deeb24e4),
the `__sanitizer_annotate_contiguous_container` function now offers
compatibility with all allocators. However, enabling this support will
be done in a subsequent commit. For the time being, only strings with
the default allocator will be annotated.
If you have any questions, please email:
- advenam.tacet@trailofbits.com
- disconnect3d@trailofbits.com
2023-12-13 06:05:34 +01:00
|
|
|
LIBCPP_ASSERT(is_string_asan_correct(s1));
|
|
|
|
|
LIBCPP_ASSERT(is_string_asan_correct(s2));
|
2010-05-11 19:42:16 +00:00
|
|
|
}
|
|
|
|
|
|
2023-09-01 13:45:43 -04:00
|
|
|
template <class Alloc>
|
|
|
|
|
TEST_CONSTEXPR_CXX20 void test_string(const Alloc& a) {
|
|
|
|
|
typedef std::basic_string<char, std::char_traits<char>, Alloc> S;
|
|
|
|
|
test(S(), Alloc(a));
|
|
|
|
|
test(S("1"), Alloc(a));
|
|
|
|
|
test(S("1234567890123456789012345678901234567890123456789012345678901234567890"), Alloc(a));
|
|
|
|
|
}
|
2017-01-31 03:40:52 +00:00
|
|
|
|
2023-09-01 13:45:43 -04:00
|
|
|
TEST_CONSTEXPR_CXX20 bool test() {
|
|
|
|
|
test_string(std::allocator<char>());
|
|
|
|
|
test_string(test_allocator<char>());
|
|
|
|
|
test_string(test_allocator<char>(3));
|
|
|
|
|
#if TEST_STD_VER >= 11
|
|
|
|
|
test_string(min_allocator<char>());
|
[ASan][libc++] std::basic_string annotations (#72677)
This commit introduces basic annotations for `std::basic_string`,
mirroring the approach used in `std::vector` and `std::deque`.
Initially, only long strings with the default allocator will be
annotated. Short strings (_SSO - short string optimization_) and strings
with non-default allocators will be annotated in the near future, with
separate commits dedicated to enabling them. The process will be similar
to the workflow employed for enabling annotations in `std::deque`.
**Please note**: these annotations function effectively only when libc++
and libc++abi dylibs are instrumented (with ASan). This aligns with the
prevailing behavior of Memory Sanitizer.
To avoid breaking everything, this commit also appends
`_LIBCPP_INSTRUMENTED_WITH_ASAN` to `__config_site` whenever libc++ is
compiled with ASan. If this macro is not defined, string annotations are
not enabled. However, linking a binary that does **not** annotate
strings with a dynamic library that annotates strings, is not permitted.
Originally proposed here: https://reviews.llvm.org/D132769
Related patches on Phabricator:
- Turning on annotations for short strings:
https://reviews.llvm.org/D147680
- Turning on annotations for all allocators:
https://reviews.llvm.org/D146214
This PR is a part of a series of patches extending AddressSanitizer C++
container overflow detection capabilities by adding annotations, similar
to those existing in `std::vector` and `std::deque` collections. These
enhancements empower ASan to effectively detect instances where the
instrumented program attempts to access memory within a collection's
internal allocation that remains unused. This includes cases where
access occurs before or after the stored elements in `std::deque`, or
between the `std::basic_string`'s size (including the null terminator)
and capacity bounds.
The introduction of these annotations was spurred by a real-world
software bug discovered by Trail of Bits, involving an out-of-bounds
memory access during the comparison of two strings using the
`std::equals` function. This function was taking iterators
(`iter1_begin`, `iter1_end`, `iter2_begin`) to perform the comparison,
using a custom comparison function. When the `iter1` object exceeded the
length of `iter2`, an out-of-bounds read could occur on the `iter2`
object. Container sanitization, upon enabling these annotations, would
effectively identify and flag this potential vulnerability.
This Pull Request introduces basic annotations for `std::basic_string`.
Long strings exhibit structural similarities to `std::vector` and will
be annotated accordingly. Short strings are already implemented, but
will be turned on separately in a forthcoming commit. Look at [a
comment](https://github.com/llvm/llvm-project/pull/72677#issuecomment-1850554465)
below to read about SSO issues at current moment.
Due to the functionality introduced in
[D132522](https://github.com/llvm/llvm-project/commit/dd1b7b797a116eed588fd752fbe61d34deeb24e4),
the `__sanitizer_annotate_contiguous_container` function now offers
compatibility with all allocators. However, enabling this support will
be done in a subsequent commit. For the time being, only strings with
the default allocator will be annotated.
If you have any questions, please email:
- advenam.tacet@trailofbits.com
- disconnect3d@trailofbits.com
2023-12-13 06:05:34 +01:00
|
|
|
test_string(safe_allocator<char>());
|
2023-09-01 13:45:43 -04:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#if TEST_STD_VER >= 11
|
2023-09-01 13:27:26 -04:00
|
|
|
# ifndef TEST_HAS_NO_EXCEPTIONS
|
2022-03-10 20:15:23 +01:00
|
|
|
if (!TEST_IS_CONSTANT_EVALUATED) {
|
2017-01-31 03:40:52 +00:00
|
|
|
typedef poca_alloc<char> A;
|
|
|
|
|
typedef std::basic_string<char, std::char_traits<char>, A> S;
|
2023-09-01 13:27:26 -04:00
|
|
|
const char* p1 = "This is my first string";
|
|
|
|
|
const char* p2 = "This is my second string";
|
2017-02-05 22:48:27 +00:00
|
|
|
|
2019-04-03 00:05:49 +00:00
|
|
|
alloc_imp imp1;
|
|
|
|
|
alloc_imp imp2;
|
2017-07-29 00:55:10 +00:00
|
|
|
S s1(p1, A(&imp1));
|
|
|
|
|
S s2(p2, A(&imp2));
|
2017-02-05 22:48:27 +00:00
|
|
|
|
2017-07-29 00:55:10 +00:00
|
|
|
assert(s1 == p1);
|
|
|
|
|
assert(s2 == p2);
|
2017-02-05 22:48:27 +00:00
|
|
|
|
2017-07-29 00:55:10 +00:00
|
|
|
imp2.deactivate();
|
|
|
|
|
test_assign(s1, s2);
|
|
|
|
|
assert(s1 == p1);
|
|
|
|
|
assert(s2 == p2);
|
2022-02-07 21:54:49 +01:00
|
|
|
}
|
2023-09-01 13:27:26 -04:00
|
|
|
# endif
|
2013-06-28 16:59:19 +00:00
|
|
|
#endif
|
Support tests in freestanding
Summary:
Freestanding is *weird*. The standard allows it to differ in a bunch of odd
manners from regular C++, and the committee would like to improve that
situation. I'd like to make libc++ behave better with what freestanding should
be, so that it can be a tool we use in improving the standard. To do that we
need to try stuff out, both with "freestanding the language mode" and
"freestanding the library subset".
Let's start with the super basic: run the libc++ tests in freestanding, using
clang as the compiler, and see what works. The easiest hack to do this:
In utils/libcxx/test/config.py add:
self.cxx.compile_flags += ['-ffreestanding']
Run the tests and they all fail.
Why? Because in freestanding `main` isn't special. This "not special" property
has two effects: main doesn't get mangled, and main isn't allowed to omit its
`return` statement. The first means main gets mangled and the linker can't
create a valid executable for us to test. The second means we spew out warnings
(ew) and the compiler doesn't insert the `return` we omitted, and main just
falls of the end and does whatever undefined behavior (if you're luck, ud2
leading to non-zero return code).
Let's start my work with the basics. This patch changes all libc++ tests to
declare `main` as `int main(int, char**` so it mangles consistently (enabling us
to declare another `extern "C"` main for freestanding which calls the mangled
one), and adds `return 0;` to all places where it was missing. This touches 6124
files, and I apologize.
The former was done with The Magic Of Sed.
The later was done with a (not quite correct but decent) clang tool:
https://gist.github.com/jfbastien/793819ff360baa845483dde81170feed
This works for most tests, though I did have to adjust a few places when e.g.
the test runs with `-x c`, macros are used for main (such as for the filesystem
tests), etc.
Once this is in we can create a freestanding bot which will prevent further
regressions. After that, we can start the real work of supporting C++
freestanding fairly well in libc++.
<rdar://problem/47754795>
Reviewers: ldionne, mclow.lists, EricWF
Subscribers: christof, jkorous, dexonsmith, arphaman, miyuki, libcxx-commits
Differential Revision: https://reviews.llvm.org/D57624
llvm-svn: 353086
2019-02-04 20:31:13 +00:00
|
|
|
|
2022-02-07 21:54:49 +01:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-01 13:27:26 -04:00
|
|
|
int main(int, char**) {
|
2022-02-07 21:54:49 +01:00
|
|
|
test();
|
|
|
|
|
#if TEST_STD_VER > 17
|
[libc++] Implement P0980R1 (constexpr std::string)
Reviewed By: #libc, ldionne
Spies: daltenty, sdasgup3, ldionne, arichardson, MTC, ChuanqiXu, mehdi_amini, shauheen, antiagainst, nicolasvasilache, arpith-jacob, mgester, lucyrfox, aartbik, liufengdb, stephenneuendorffer, Joonsoo, grosul1, Kayjukh, jurahul, msifontes, tatianashp, rdzhabarov, teijeong, cota, dcaballe, Chia-hungDuan, wrengr, wenzhicui, arphaman, Mordante, miscco, Quuxplusone, smeenai, libcxx-commits
Differential Revision: https://reviews.llvm.org/D110598
2022-04-27 10:11:44 +02:00
|
|
|
static_assert(test());
|
2022-02-07 21:54:49 +01:00
|
|
|
#endif
|
|
|
|
|
|
Support tests in freestanding
Summary:
Freestanding is *weird*. The standard allows it to differ in a bunch of odd
manners from regular C++, and the committee would like to improve that
situation. I'd like to make libc++ behave better with what freestanding should
be, so that it can be a tool we use in improving the standard. To do that we
need to try stuff out, both with "freestanding the language mode" and
"freestanding the library subset".
Let's start with the super basic: run the libc++ tests in freestanding, using
clang as the compiler, and see what works. The easiest hack to do this:
In utils/libcxx/test/config.py add:
self.cxx.compile_flags += ['-ffreestanding']
Run the tests and they all fail.
Why? Because in freestanding `main` isn't special. This "not special" property
has two effects: main doesn't get mangled, and main isn't allowed to omit its
`return` statement. The first means main gets mangled and the linker can't
create a valid executable for us to test. The second means we spew out warnings
(ew) and the compiler doesn't insert the `return` we omitted, and main just
falls of the end and does whatever undefined behavior (if you're luck, ud2
leading to non-zero return code).
Let's start my work with the basics. This patch changes all libc++ tests to
declare `main` as `int main(int, char**` so it mangles consistently (enabling us
to declare another `extern "C"` main for freestanding which calls the mangled
one), and adds `return 0;` to all places where it was missing. This touches 6124
files, and I apologize.
The former was done with The Magic Of Sed.
The later was done with a (not quite correct but decent) clang tool:
https://gist.github.com/jfbastien/793819ff360baa845483dde81170feed
This works for most tests, though I did have to adjust a few places when e.g.
the test runs with `-x c`, macros are used for main (such as for the filesystem
tests), etc.
Once this is in we can create a freestanding bot which will prevent further
regressions. After that, we can start the real work of supporting C++
freestanding fairly well in libc++.
<rdar://problem/47754795>
Reviewers: ldionne, mclow.lists, EricWF
Subscribers: christof, jkorous, dexonsmith, arphaman, miyuki, libcxx-commits
Differential Revision: https://reviews.llvm.org/D57624
llvm-svn: 353086
2019-02-04 20:31:13 +00:00
|
|
|
return 0;
|
2010-05-11 19:42:16 +00:00
|
|
|
}
|
