This is an archive of the discontinued LLVM Phabricator instance.

Differential D11307

Don't try to instrument allocas used by outlined SEH funclets
ClosedPublic

Authored by rnk on Jul 17 2015, 1:02 PM.

Details

Reviewers
kcc
samsonov
eugenis
Commits
rG87d03450a5a2: Don't try to instrument allocas used by outlined SEH funclets
rL242726: Don't try to instrument allocas used by outlined SEH funclets
Summary

Arguments to llvm.localescape must be static allocas. They must be at
some statically known offset from the frame or stack pointer so that
other functions can access them with localrecover.

If we ever want to instrument these, we can use more indirection to
recover the addresses of these local variables. We can do it during
clang irgen or with the asan module pass.

Diff Detail

Repository
rL LLVM

Event Timeline

rnk updated this revision to Diff 30023.Jul 17 2015, 1:02 PM
rnk retitled this revision from to Don't try to instrument allocas used by outlined SEH funclets.
rnk updated this object.
rnk added a reviewer: eugenis.
rnk added a subscriber: llvm-commits.
eugenis added reviewers: kcc, samsonov.Jul 17 2015, 1:12 PM
eugenis edited edge metadata.Jul 17 2015, 1:20 PM

LGTM, but please wait for kcc or samsonov review.
This code changed quite a bit since I last looked at it.

test/Instrumentation/AddressSanitizer/localescape.ll
1 ↗(On Diff #30023)

Add a test without -asan-use-after-return?
It should not be any different, but who knows.

samsonov accepted this revision.Jul 17 2015, 5:12 PM
samsonov edited edge metadata.

LGTM

lib/Transforms/Instrumentation/AddressSanitizer.cpp
560 ↗(On Diff #30023)

You can find llvm.localescape in FunctionStackPoisoner::visitIntrinsicInst rather than pass it around.

This revision is now accepted and ready to land.Jul 17 2015, 5:12 PM
rnk marked an inline comment as done.Jul 20 2015, 3:42 PM

thanks!

lib/Transforms/Instrumentation/AddressSanitizer.cpp
560 ↗(On Diff #30023)

Sure.

test/Instrumentation/AddressSanitizer/localescape.ll
1 ↗(On Diff #30023)

OK.

Closed by commit rL242726: Don't try to instrument allocas used by outlined SEH funclets (authored by rnk). · Explain WhyJul 20 2015, 3:50 PM
This revision was automatically updated to reflect the committed changes.
rnk marked an inline comment as done.

Revision Contents

PathSize
llvm/
trunk/
lib/
Transforms/
Instrumentation/
40 lines
test/
Instrumentation/
AddressSanitizer/
73 lines

Diff 30204

llvm/trunk/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 433 Lines▼ Show 20 Lines Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong,
Value *ShadowValue, uint32_t TypeSize); Value *ShadowValue, uint32_t TypeSize);
Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr,
bool IsWrite, size_t AccessSizeIndex, bool IsWrite, size_t AccessSizeIndex,
Value *SizeArgument, uint32_t Exp); Value *SizeArgument, uint32_t Exp);
void instrumentMemIntrinsic(MemIntrinsic *MI); void instrumentMemIntrinsic(MemIntrinsic *MI);
Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); Value *memToShadow(Value *Shadow, IRBuilder<> &IRB);
bool runOnFunction(Function &F) override; bool runOnFunction(Function &F) override;
bool maybeInsertAsanInitAtFunctionEntry(Function &F); bool maybeInsertAsanInitAtFunctionEntry(Function &F);
void markEscapedLocalAllocas(Function &F);
bool doInitialization(Module &M) override; bool doInitialization(Module &M) override;
static char ID; // Pass identification, replacement for typeid static char ID; // Pass identification, replacement for typeid
DominatorTree &getDominatorTree() const { return *DT; } DominatorTree &getDominatorTree() const { return *DT; }
private: private:
void initializeCallbacks(Module &M); void initializeCallbacks(Module &M);
▲ Show 20 LinesShow All 93 Lines▼ Show 20 Lines struct AllocaPoisonCall {
uint64_t Size; uint64_t Size;
bool DoPoison; bool DoPoison;
}; };
SmallVector<AllocaPoisonCall, 8> AllocaPoisonCallVec; SmallVector<AllocaPoisonCall, 8> AllocaPoisonCallVec;
SmallVector<AllocaInst *, 1> DynamicAllocaVec; SmallVector<AllocaInst *, 1> DynamicAllocaVec;
SmallVector<IntrinsicInst *, 1> StackRestoreVec; SmallVector<IntrinsicInst *, 1> StackRestoreVec;
AllocaInst *DynamicAllocaLayout = nullptr; AllocaInst *DynamicAllocaLayout = nullptr;
IntrinsicInst *LocalEscapeCall = nullptr;
// Maps Value to an AllocaInst from which the Value is originated. // Maps Value to an AllocaInst from which the Value is originated.
typedef DenseMap<Value *, AllocaInst *> AllocaForValueMapTy; typedef DenseMap<Value *, AllocaInst *> AllocaForValueMapTy;
AllocaForValueMapTy AllocaForValue; AllocaForValueMapTy AllocaForValue;
bool HasNonEmptyInlineAsm; bool HasNonEmptyInlineAsm;
std::unique_ptr<CallInst> EmptyInlineAsm; std::unique_ptr<CallInst> EmptyInlineAsm;
▲ Show 20 LinesShow All 81 Lines▼ Show 20 Lines else
AllocaVec.push_back(&AI); AllocaVec.push_back(&AI);
} }
/// \brief Collect lifetime intrinsic calls to check for use-after-scope /// \brief Collect lifetime intrinsic calls to check for use-after-scope
/// errors. /// errors.
void visitIntrinsicInst(IntrinsicInst &II) { void visitIntrinsicInst(IntrinsicInst &II) {
Intrinsic::ID ID = II.getIntrinsicID(); Intrinsic::ID ID = II.getIntrinsicID();
if (ID == Intrinsic::stackrestore) StackRestoreVec.push_back(&II); if (ID == Intrinsic::stackrestore) StackRestoreVec.push_back(&II);
if (ID == Intrinsic::localescape) LocalEscapeCall = &II;
if (!ClCheckLifetime) return; if (!ClCheckLifetime) return;
if (ID != Intrinsic::lifetime_start && ID != Intrinsic::lifetime_end) if (ID != Intrinsic::lifetime_start && ID != Intrinsic::lifetime_end)
return; return;
// Found lifetime intrinsic, add ASan instrumentation if necessary. // Found lifetime intrinsic, add ASan instrumentation if necessary.
ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0)); ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0));
// If size argument is undefined, don't do anything. // If size argument is undefined, don't do anything.
if (Size->isMinusOne()) return; if (Size->isMinusOne()) return;
// Check that size doesn't saturate uint64_t and can // Check that size doesn't saturate uint64_t and can
▲ Show 20 LinesShow All 818 Lines▼ Show 20 Linesbool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) {
if (F.getName().find(" load]") != std::string::npos) { if (F.getName().find(" load]") != std::string::npos) {
IRBuilder<> IRB(F.begin()->begin()); IRBuilder<> IRB(F.begin()->begin());
IRB.CreateCall(AsanInitFunction, {}); IRB.CreateCall(AsanInitFunction, {});
return true; return true;
} }
return false; return false;
} }
void AddressSanitizer::markEscapedLocalAllocas(Function &F) {
// Find the one possible call to llvm.localescape and pre-mark allocas passed
// to it as uninteresting. This assumes we haven't started processing allocas
// yet. This check is done up front because iterating the use list in
// isInterestingAlloca would be algorithmically slower.
assert(ProcessedAllocas.empty() && "must process localescape before allocas");
// Try to get the declaration of llvm.localescape. If it's not in the module,
// we can exit early.
if (!F.getParent()->getFunction("llvm.localescape")) return;
// Look for a call to llvm.localescape call in the entry block. It can't be in
// any other block.
for (Instruction &I : F.getEntryBlock()) {
IntrinsicInst *II = dyn_cast<IntrinsicInst>(&I);
if (II && II->getIntrinsicID() == Intrinsic::localescape) {
// We found a call. Mark all the allocas passed in as uninteresting.
for (Value *Arg : II->arg_operands()) {
AllocaInst *AI = dyn_cast<AllocaInst>(Arg->stripPointerCasts());
assert(AI && AI->isStaticAlloca() &&
"non-static alloca arg to localescape");
ProcessedAllocas[AI] = false;
}
break;
}
}
}
bool AddressSanitizer::runOnFunction(Function &F) { bool AddressSanitizer::runOnFunction(Function &F) {
if (&F == AsanCtorFunction) return false; if (&F == AsanCtorFunction) return false;
if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false; if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false;
DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n");
initializeCallbacks(*F.getParent()); initializeCallbacks(*F.getParent());
DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree(); DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree();
// If needed, insert __asan_init before checking for SanitizeAddress attr. // If needed, insert __asan_init before checking for SanitizeAddress attr.
maybeInsertAsanInitAtFunctionEntry(F); maybeInsertAsanInitAtFunctionEntry(F);
if (!F.hasFnAttribute(Attribute::SanitizeAddress)) return false; if (!F.hasFnAttribute(Attribute::SanitizeAddress)) return false;
if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) return false; if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) return false;
// We can't instrument allocas used with llvm.localescape. Only static allocas
// can be passed to that intrinsic.
markEscapedLocalAllocas(F);
// We want to instrument every address only once per basic block (unless there // We want to instrument every address only once per basic block (unless there
// are calls between uses). // are calls between uses).
SmallSet<Value *, 16> TempsToInstrument; SmallSet<Value *, 16> TempsToInstrument;
SmallVector<Instruction *, 16> ToInstrument; SmallVector<Instruction *, 16> ToInstrument;
SmallVector<Instruction *, 8> NoReturnCalls; SmallVector<Instruction *, 8> NoReturnCalls;
SmallVector<BasicBlock *, 16> AllBlocks; SmallVector<BasicBlock *, 16> AllBlocks;
SmallVector<Instruction *, 16> PointerComparisonsOrSubtracts; SmallVector<Instruction *, 16> PointerComparisonsOrSubtracts;
int NumAllocas = 0; int NumAllocas = 0;
▲ Show 20 LinesShow All 74 Lines▼ Show 20 Lines for (auto Inst : PointerComparisonsOrSubtracts) {
instrumentPointerComparisonOrSubtraction(Inst); instrumentPointerComparisonOrSubtraction(Inst);
NumInstrumented++; NumInstrumented++;
} }
bool res = NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); bool res = NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty();
DEBUG(dbgs() << "ASAN done instrumenting: " << res << " " << F << "\n"); DEBUG(dbgs() << "ASAN done instrumenting: " << res << " " << F << "\n");
ProcessedAllocas.clear();
return res; return res;
} }
// Workaround for bug 11395: we don't want to instrument stack in functions // Workaround for bug 11395: we don't want to instrument stack in functions
// with large assembly blobs (32-bit only), otherwise reg alloc may crash. // with large assembly blobs (32-bit only), otherwise reg alloc may crash.
// FIXME: remove once the bug 11395 is fixed. // FIXME: remove once the bug 11395 is fixed.
bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) {
if (LongSize != 32) return false; if (LongSize != 32) return false;
▲ Show 20 LinesShow All 145 Lines▼ Show 20 Linesvoid FunctionStackPoisoner::poisonStack() {
IRBuilder<> IRB(InsBefore); IRBuilder<> IRB(InsBefore);
IRB.SetCurrentDebugLocation(EntryDebugLocation); IRB.SetCurrentDebugLocation(EntryDebugLocation);
// Make sure non-instrumented allocas stay in the first basic block. // Make sure non-instrumented allocas stay in the first basic block.
// Otherwise, debug info is broken, because only first-basic-block allocas are // Otherwise, debug info is broken, because only first-basic-block allocas are
// treated as regular stack slots. // treated as regular stack slots.
for (auto *AI : NonInstrumentedStaticAllocaVec) AI->moveBefore(InsBefore); for (auto *AI : NonInstrumentedStaticAllocaVec) AI->moveBefore(InsBefore);
// If we have a call to llvm.localescape, keep it in the entry block.
if (LocalEscapeCall) LocalEscapeCall->moveBefore(InsBefore);
SmallVector<ASanStackVariableDescription, 16> SVD; SmallVector<ASanStackVariableDescription, 16> SVD;
SVD.reserve(AllocaVec.size()); SVD.reserve(AllocaVec.size());
for (AllocaInst *AI : AllocaVec) { for (AllocaInst *AI : AllocaVec) {
ASanStackVariableDescription D = {AI->getName().data(), ASanStackVariableDescription D = {AI->getName().data(),
ASan.getAllocaSizeInBytes(AI), ASan.getAllocaSizeInBytes(AI),
AI->getAlignment(), AI, 0}; AI->getAlignment(), AI, 0};
SVD.push_back(D); SVD.push_back(D);
} }
▲ Show 20 LinesShow All 292 LinesShow Last 20 Lines

llvm/trunk/test/Instrumentation/AddressSanitizer/localescape.ll

; RUN: opt < %s -asan -asan-module -asan-use-after-return -asan-stack-dynamic-alloca -S | FileCheck %s
; RUN: opt < %s -asan -asan-module -asan-use-after-return=0 -asan-stack-dynamic-alloca=0 -S | FileCheck %s
target datalayout = "e-m:o-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-apple-macosx10.10.0"
declare i32 @llvm.eh.typeid.for(i8*) #2
declare i8* @llvm.frameaddress(i32)
declare i8* @llvm.x86.seh.recoverfp(i8*, i8*)
declare i8* @llvm.localrecover(i8*, i8*, i32)
declare void @llvm.localescape(...) #1
declare i32 @_except_handler3(...)
declare void @may_throw(i32* %r)
define i32 @main() sanitize_address personality i8* bitcast (i32 (...)* @_except_handler3 to i8*) {
entry:
%r = alloca i32, align 4
%__exception_code = alloca i32, align 4
call void (...) @llvm.localescape(i32* nonnull %__exception_code)
%0 = bitcast i32* %r to i8*
store i32 0, i32* %r, align 4
invoke void @may_throw(i32* nonnull %r) #4
to label %__try.cont unwind label %lpad
lpad: ; preds = %entry
%1 = landingpad { i8*, i32 }
catch i8* bitcast (i32 ()* @"\01?filt$0@0@main@@" to i8*)
%2 = extractvalue { i8*, i32 } %1, 1
%3 = call i32 @llvm.eh.typeid.for(i8* bitcast (i32 ()* @"\01?filt$0@0@main@@" to i8*)) #1
%matches = icmp eq i32 %2, %3
br i1 %matches, label %__except, label %eh.resume
__except: ; preds = %lpad
store i32 1, i32* %r, align 4
br label %__try.cont
__try.cont: ; preds = %entry, %__except
%4 = load i32, i32* %r, align 4
ret i32 %4
eh.resume: ; preds = %lpad
resume { i8*, i32 } %1
}
; Check that the alloca remains static and the localescape call remains in the
; entry block.
; CHECK-LABEL: define i32 @main()
; CHECK-NOT: br {{.*}}label
; CHECK: %__exception_code = alloca i32, align 4
; CHECK-NOT: br {{.*}}label
; CHECK: call void (...) @llvm.localescape(i32* nonnull %__exception_code)
; Function Attrs: nounwind
define internal i32 @"\01?filt$0@0@main@@"() #1 {
entry:
%0 = tail call i8* @llvm.frameaddress(i32 1)
%1 = tail call i8* @llvm.x86.seh.recoverfp(i8* bitcast (i32 ()* @main to i8*), i8* %0)
%2 = tail call i8* @llvm.localrecover(i8* bitcast (i32 ()* @main to i8*), i8* %1, i32 0)
%__exception_code = bitcast i8* %2 to i32*
%3 = getelementptr inbounds i8, i8* %0, i32 -20
%4 = bitcast i8* %3 to { i32*, i8* }**
%5 = load { i32*, i8* }*, { i32*, i8* }** %4, align 4
%6 = getelementptr inbounds { i32*, i8* }, { i32*, i8* }* %5, i32 0, i32 0
%7 = load i32*, i32** %6, align 4
%8 = load i32, i32* %7, align 4
store i32 %8, i32* %__exception_code, align 4
ret i32 1
}
; CHECK-LABEL: define internal i32 @"\01?filt$0@0@main@@"()
; CHECK: tail call i8* @llvm.localrecover(i8* bitcast (i32 ()* @main to i8*), i8* {{.*}}, i32 0)