search for: _ztv1a

...ould perform a range check followed by a load of the appropriate bit from the bit set. To give a concrete example, suppose we have the following classes: struct A { virtual void f(); }; struct B : A { virtual void f(), g(); }; struct C : A { virtual void f(), h(); }; with the following vtables: _ZTV1A = { &A::rtti, &A::f }; _ZTV1B = { &B::rtti, &B::f, &B::g }; _ZTV1C = { &C::rtti, &C::f, &C::h }; The set of valid vtables for static class A is {&_ZTV1A[1], &_ZTV1B[1], &_ZTV1C[1]}, for B is {&_ZTV1B[1]} and for C is {&_ZTV1C[1]}. The toolchain w...

...>> >> To give a concrete example, suppose we have the following classes: >> >> struct A { virtual void f(); }; >> struct B : A { virtual void f(), g(); }; >> struct C : A { virtual void f(), h(); }; >> >> with the following vtables: >> >> _ZTV1A = { &A::rtti, &A::f }; >> _ZTV1B = { &B::rtti, &B::f, &B::g }; >> _ZTV1C = { &C::rtti, &C::f, &C::h }; >> >> The set of valid vtables for static class A is {&_ZTV1A[1], &_ZTV1B[1], >> &_ZTV1C[1]}, for B is {&_ZTV1B[1]} an...

...sses: > > >> > > >> struct A { virtual void f(); }; > > >> struct B : A { virtual void f(), g(); }; > > >> struct C : A { virtual void f(), h(); }; > > >> > > >> with the following vtables: > > >> > > >> _ZTV1A = { &A::rtti, &A::f }; > > >> _ZTV1B = { &B::rtti, &B::f, &B::g }; > > >> _ZTV1C = { &C::rtti, &C::f, &C::h }; > > >> > > >> The set of valid vtables for static class A is {&_ZTV1A[1], > &_ZTV1B[1], > >...

...taught to understand type metadata. To give an example of how this would look, suppose that we have the following declarations: class A { virtual void f() {} }; class B : public A { virtual void f() {} virtual void g() {} }; The vtables for A and B would be represented in IR like this: @_ZTV1A = constant [3 x i8*] [i8* ..., i8* ..., i8* @A::f], !type !0 @_ZTV1B = constant [4 x i8*] [i8* ..., i8* ..., i8* @B::f, i8* @B::g], type !0, !type !1 !0 = {i64 16, !"A"} !1 = {i64 16, !"B"} The metadata !0 indicates that the attached global has an address point for the type A...

...he appropriate bit from the bit set. > > To give a concrete example, suppose we have the following classes: > > struct A { virtual void f(); }; > struct B : A { virtual void f(), g(); }; > struct C : A { virtual void f(), h(); }; > > with the following vtables: > > _ZTV1A = { &A::rtti, &A::f }; > _ZTV1B = { &B::rtti, &B::f, &B::g }; > _ZTV1C = { &C::rtti, &C::f, &C::h }; > > The set of valid vtables for static class A is {&_ZTV1A[1], &_ZTV1B[1], > &_ZTV1C[1]}, for B is {&_ZTV1B[1]} and for C is {&_Z...

...Which implementation is called ( it can be manually figured out that _ZN1A5helloEv (A::hello() is called,how to figure it out in a pass ?) My initial thinking is trace back from "call void %3(%class.Base* %1)” until find %obj1 = alloca %class.A, align 8, but how can I associate %class.A with @_ZTV1A, so I can get the function from @_ZTV1A ? Thanks! ;virtual tables @_ZTV1A = linkonce_odr unnamed_addr constant { [3 x i8*] } { [3 x i8*] [i8* null, i8* bitcast ({ i8*, i8*, i8* }* @_ZTI1A to i8*), i8* bitcast (void (%class.A*)* @_ZN1A5helloEv to i8*)] }, align 8 @_ZTV1B = linkonce_odr unnamed_add...

...metadata !69) >   tail call void @llvm.dbg.value(metadata !{%class.A* %2}, i64 0, metadata > !66) >   tail call void @llvm.dbg.value(metadata !71, i64 0, metadata !67) >   %3 = bitcast i8* %1 to i32 (...)*** >   store i32 (...)** bitcast (i8** getelementptr inbounds ([5 x i8*]* > @_ZTV1A, i64 0, i64 2) to i32 (...)**), i32 (...)*** %3, align 8 >   %4 = getelementptr inbounds i8* %1, i64 8 >   %5 = bitcast i8* %4 to i32* >   store i32 1, i32* %5, align 4, !tbaa !72 >   tail call void @llvm.dbg.value(metadata !{%class.A* %2}, i64 0, metadata > !49), !dbg !70 >   %6...

...case, a valid vtable pointer). For example, this class hierarchy: class A { virtual void f(); }; class B : A { virtual void f(); }; class C : A { virtual void f(); }; would have these bitsets: !llvm.bitsets = !{!0, !1, !2, !3, !4} !0 = !{!"1A", i8* getelementptr inbounds ([3 x i8*]* @_ZTV1A, i32 0, i32 2)} !1 = !{!"1A", i8* getelementptr inbounds ([3 x i8*]* @_ZTV1B, i32 0, i32 2)} !2 = !{!"1A", i8* getelementptr inbounds ([3 x i8*]* @_ZTV1C, i32 0, i32 2)} !3 = !{!"1B", i8* getelementptr inbounds ([3 x i8*]* @_ZTV1B, i32 0, i32 2)} !4 = !{!"1C"...

...tail call void @llvm.dbg.value(metadata !{%class.A* %2}, i64 0, metadata >> !66) >>   tail call void @llvm.dbg.value(metadata !71, i64 0, metadata !67) >>   %3 = bitcast i8* %1 to i32 (...)*** >>   store i32 (...)** bitcast (i8** getelementptr inbounds ([5 x i8*]* >> @_ZTV1A, i64 0, i64 2) to i32 (...)**), i32 (...)*** %3, align 8 >>   %4 = getelementptr inbounds i8* %1, i64 8 >>   %5 = bitcast i8* %4 to i32* >>   store i32 1, i32* %5, align 4, !tbaa !72 >>   tail call void @llvm.dbg.value(metadata !{%class.A* %2}, i64 0, metadata >> !49),...

...bg.value(metadata !71, i64 0, metadata !69) tail call void @llvm.dbg.value(metadata !{%class.A* %2}, i64 0, metadata !66) tail call void @llvm.dbg.value(metadata !71, i64 0, metadata !67) %3 = bitcast i8* %1 to i32 (...)*** store i32 (...)** bitcast (i8** getelementptr inbounds ([5 x i8*]* @_ZTV1A, i64 0, i64 2) to i32 (...)**), i32 (...)*** %3, align 8 %4 = getelementptr inbounds i8* %1, i64 8 %5 = bitcast i8* %4 to i32* store i32 1, i32* %5, align 4, !tbaa !72 tail call void @llvm.dbg.value(metadata !{%class.A* %2}, i64 0, metadata !49), !dbg !70 %6 = tail call noalias i8* @_Znwm...

...his class hierarchy: > > class A { virtual void f(); }; > class B : A { virtual void f(); }; > class C : A { virtual void f(); }; > > would have these bitsets: > > !llvm.bitsets = !{!0, !1, !2, !3, !4} > > !0 = !{!"1A", i8* getelementptr inbounds ([3 x i8*]* @_ZTV1A, i32 0, i32 > 2)} > !1 = !{!"1A", i8* getelementptr inbounds ([3 x i8*]* @_ZTV1B, i32 0, i32 > 2)} > !2 = !{!"1A", i8* getelementptr inbounds ([3 x i8*]* @_ZTV1C, i32 0, i32 > 2)} > !3 = !{!"1B", i8* getelementptr inbounds ([3 x i8*]* @_ZTV1B, i32 0,...

...{ entry: * %a* = alloca %struct.A, align 8 %0 = bitcast %struct.A* %a to i8* call void @llvm.lifetime.start(i64 8, i8* nonnull %0) #3 * %1* = getelementptr inbounds %struct.A, %struct.A* %a, i64 0, i32 0 store i32 (...)** bitcast (i8** getelementptr inbounds ({ [3 x i8*] }, { [3 x i8*] }* @_ZTV1A, i64 0, inrange i32 0, i64 2) to i32 (...)**), i32 (...)*** *%1*, align 8, !tbaa !8, !invariant.group !10 call void @_Z1zR1A(%struct.A* nonnull dereferenceable(8) %a) #3 %2 = load i32, i32* @glob, align 4, !tbaa !4 %tobool.i = icmp eq i32 %2, 0 br i1 %tobool.i, label %_Z1gR1A.exit, label %i...

...ll void %6(%class.X* %2) ret i32 0 } ; Function Attrs: inlinehint nounwind uwtable define linkonce_odr void @_ZN1AC2Ev(%class.X* %this) unnamed_addr #5 comdat align 2 { %1 = bitcast %class.X* %this to i32 (...)*** store i32 (...)** bitcast (i8** getelementptr inbounds ([3 x i8*], [3 x i8*]* @_ZTV1A, i64 0, i64 2) to i32 (...)**), i32 (...)*** %1, align 8 ret void } ; Function Attrs: uwtable define linkonce_odr void @_ZN1A1fEv(%class.X* %this) unnamed_addr #0 comdat align 2 { %1 = call dereferenceable(272) %"class.std::basic_ostream"* @_ZStlsISt11char_traitsIcEERSt13basic_ostrea...

Trying to summarize all opinions expressed here: Peter is proposing an initial implementation that would only work with LTO. Folks seem put off by this implementation affecting IR without having proven itself, and having shortcomings (as Jim pointed out). Kostya proposed going through metadata (and Chris kind of did too by mentioning tbaa), but Peter points out that this will make the

...fter calling the constructor, we load virtual pointer (with invariant group) and compare it with the vtable it should point to and then pass it to the assume. > > call void @_ZN1AC1Ev(%struct.A* %a) ; call ctor > %3 = load {...} %a ; Load vptr > %4 = icmp eq %3, @_ZTV1A ; compare vptr with vtable > call void @llvm.assume(i1 %4) > > (from http://blog.llvm.org/2017/03/devirtualization-in-llvm-and-clang.html <http://blog.llvm.org/2017/03/devirtualization-in-llvm-and-clang.html> ) > > If I understand it correctly, you should be able to u...

...ing the constructor, we load virtual pointer (with > invariant group) and compare it with the vtable it should point to and then > pass it to the assume. > > call void @_ZN1AC1Ev(%struct.A* %a) ; call ctor > %3 = load {...} %a ; Load vptr > %4 = icmp eq %3, @_ZTV1A ; compare vptr with vtable > call void @llvm.assume(i1 %4) > > (from http://blog.llvm.org/2017/03/devirtualization-in-llvm-and-clang.html > ) > > If I understand it correctly, you should be able to use the same technique > for the constructor-like functions in Swift :) &...

...virtual void f(); }; > > class B : A { virtual void f(); }; > > class C : A { virtual void f(); }; > > > > would have these bitsets: > > > > !llvm.bitsets = !{!0, !1, !2, !3, !4} > > > > !0 = !{!"1A", i8* getelementptr inbounds ([3 x i8*]* @_ZTV1A, i32 0, i32 > > 2)} > > !1 = !{!"1A", i8* getelementptr inbounds ([3 x i8*]* @_ZTV1B, i32 0, i32 > > 2)} > > !2 = !{!"1A", i8* getelementptr inbounds ([3 x i8*]* @_ZTV1C, i32 0, i32 > > 2)} > > !3 = !{!"1B", i8* getelementptr inbound...

....assume intrinsic. After calling the constructor, we load virtual pointer (with invariant group) and compare it with the vtable it should point to and then pass it to the assume. call void @_ZN1AC1Ev(%struct.A* %a) ; call ctor %3 = load {...} %a ; Load vptr %4 = icmp eq %3, @_ZTV1A ; compare vptr with vtable call void @llvm.assume(i1 %4) (from http://blog.llvm.org/2017/03/devirtualization-in-llvm-and-clang.html ) If I understand it correctly, you should be able to use the same technique for the constructor-like functions in Swift :) > > > *LLVMBecause LTO b...

Hi Chris, I wanted to start by giving an explanation of what I am trying to achieve and how I am trying to achieve it. I am working towards introducing into LLVM a security mechanism, Forward Control Flow Integrity (CFI), that is designed to mitigate against vulnerabilities that allow attacks based on corrupting vtable or function pointers in memory in order to subvert a program's control

On Thu, Dec 8, 2011 at 9:56 AM, Vitor Luis Menezes <vitor at utexas.edu> wrote: > Hello all, > > Our compilers class has been using LLVM, and a partner and I decided to > implement devirtualization of virtual C++ calls in LLVM as a class project. > We quickly realized that existing debug metadata generated by Clang didn't > give us enough info to (precisely) implement