[UBSan] Fix UBSan-vptr false positive.

Offset from vptr to the start of most-derived object can actually
be positive in some virtual base class vtables.

Patch by Stephan Bergmann!

llvm-svn: 244101

diff --git a/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc b/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc
index 5cd46df..b84e88d 100644 (file)
--- a/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc
+++ b/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc
@@ -185,8 +185,8 @@ namespace {
 
 struct VtablePrefix {
   /// The offset from the vptr to the start of the most-derived object.
-  /// This should never be greater than zero, and will usually be exactly
-  /// zero.
+  /// This will only be greater than zero in some virtual base class vtables
+  /// used during object con-/destruction, and will usually be exactly zero.
   sptr Offset;
   /// The type_info object describing the most-derived class type.
   std::type_info *TypeInfo;
@@ -196,7 +196,7 @@ VtablePrefix *getVtablePrefix(void *Vtable) {
   if (!Vptr)
     return 0;
   VtablePrefix *Prefix = Vptr - 1;
-  if (Prefix->Offset > 0 || !Prefix->TypeInfo)
+  if (!Prefix->TypeInfo)
     // This can't possibly be a valid vtable.
     return 0;
   return Prefix;

diff --git a/compiler-rt/test/ubsan/TestCases/TypeCheck/vptr-virtual-base-construction.cpp b/compiler-rt/test/ubsan/TestCases/TypeCheck/vptr-virtual-base-construction.cpp
new file mode 100644 (file)
index 0000000..dc27d9f
--- /dev/null
+++ b/compiler-rt/test/ubsan/TestCases/TypeCheck/vptr-virtual-base-construction.cpp
@@ -0,0 +1,13 @@
+// RUN: %clangxx -frtti -fsanitize=vptr -fno-sanitize-recover=vptr %s -o %t
+// RUN: %run %t
+
+// REQUIRES: cxxabi
+
+int volatile n;
+
+struct A { virtual ~A() {} };
+struct B: virtual A {};
+struct C: virtual A { ~C() { n = 0; } };
+struct D: virtual B, virtual C {};
+
+int main() { delete new D; }