This is an archive of the discontinued LLVM Phabricator instance.

Differential D11495

[ASan] Disable dynamic alloca and UAR detection in presence of returns_twice calls.
ClosedPublic

Authored by samsonov on Jul 24 2015, 2:09 PM.

Details

Reviewers
kcc
rnk
Commits
rG869a5ff37fe7: [ASan] Disable dynamic alloca and UAR detection in presence of returns_twice…
rL243561: [ASan] Disable dynamic alloca and UAR detection in presence of returns_twice…
Summary

returns_twice (most importantly, setjmp) functions are
optimization-hostile: if local variable is promoted to register, and is
changed between setjmp() and longjmp() calls, this update will be
undone. This is the reason why "man setjmp" advises to mark all these
locals as "volatile".

This can not be enough for ASan, though: when it replaces static alloca
with dynamic one, optionally called if UAR mode is enabled, it adds a
whole lot of SSA values, and computations of local variable addresses,
that can involve virtual registers, and cause unexpected behavior, when
these registers are restored from buffer saved in setjmp.

To fix this, just disable dynamic alloca and UAR tricks whenever we see
a returns_twice call in the function.

Diff Detail

Repository
rL LLVM

Event Timeline

samsonov updated this revision to Diff 30605.Jul 24 2015, 2:09 PM
samsonov retitled this revision from to [ASan] Disable dynamic alloca and UAR detection in presence of returns_twice calls..
samsonov updated this object.
samsonov added a reviewer: rnk.
samsonov added subscribers: kcc, llvm-commits.
kubamracek added a subscriber: kubamracek.Jul 25 2015, 6:26 AM
rnk added inline comments.Jul 27 2015, 11:42 AM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
685 ↗(On Diff #30605)

It is possible to invoke setjmp, so you should change this to visitCallSite(CallSite CS) to handle both.

samsonov updated this revision to Diff 30854.Jul 28 2015, 1:59 PM
  • Use "visitCallSite" to handle both call and invoke.
samsonov marked an inline comment as done.Jul 28 2015, 1:59 PM
samsonov added inline comments.
lib/Transforms/Instrumentation/AddressSanitizer.cpp
685 ↗(On Diff #30605)

Done

kcc accepted this revision.Jul 29 2015, 11:21 AM
kcc added a reviewer: kcc.

LGTM

This revision is now accepted and ready to land.Jul 29 2015, 11:21 AM
Closed by commit rL243561: [ASan] Disable dynamic alloca and UAR detection in presence of returns_twice… (authored by samsonov). · Explain WhyJul 29 2015, 12:36 PM
This revision was automatically updated to reflect the committed changes.
samsonov marked an inline comment as done.

Revision Contents

PathSize
llvm/
trunk/
lib/
Transforms/
Instrumentation/
27 lines
test/
Instrumentation/
AddressSanitizer/
31 lines

Diff 30939

llvm/trunk/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 562 Lines▼ Show 20 Linesstruct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
SmallVector<IntrinsicInst *, 1> StackRestoreVec; SmallVector<IntrinsicInst *, 1> StackRestoreVec;
AllocaInst *DynamicAllocaLayout = nullptr; AllocaInst *DynamicAllocaLayout = nullptr;
IntrinsicInst *LocalEscapeCall = nullptr; IntrinsicInst *LocalEscapeCall = nullptr;
// Maps Value to an AllocaInst from which the Value is originated. // Maps Value to an AllocaInst from which the Value is originated.
typedef DenseMap<Value *, AllocaInst *> AllocaForValueMapTy; typedef DenseMap<Value *, AllocaInst *> AllocaForValueMapTy;
AllocaForValueMapTy AllocaForValue; AllocaForValueMapTy AllocaForValue;
bool HasNonEmptyInlineAsm; bool HasNonEmptyInlineAsm = false;
bool HasReturnsTwiceCall = false;
std::unique_ptr<CallInst> EmptyInlineAsm; std::unique_ptr<CallInst> EmptyInlineAsm;
FunctionStackPoisoner(Function &F, AddressSanitizer &ASan) FunctionStackPoisoner(Function &F, AddressSanitizer &ASan)
: F(F), : F(F),
ASan(ASan), ASan(ASan),
DIB(*F.getParent(), /*AllowUnresolved*/ false), DIB(*F.getParent(), /*AllowUnresolved*/ false),
C(ASan.C), C(ASan.C),
IntptrTy(ASan.IntptrTy), IntptrTy(ASan.IntptrTy),
IntptrPtrTy(PointerType::get(IntptrTy, 0)), IntptrPtrTy(PointerType::get(IntptrTy, 0)),
Mapping(ASan.Mapping), Mapping(ASan.Mapping),
StackAlignment(1 << Mapping.Scale), StackAlignment(1 << Mapping.Scale),
HasNonEmptyInlineAsm(false),
EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {} EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {}
bool runOnFunction() { bool runOnFunction() {
if (!ClStack) return false; if (!ClStack) return false;
// Collect alloca, ret, lifetime instructions etc. // Collect alloca, ret, lifetime instructions etc.
for (BasicBlock *BB : depth_first(&F.getEntryBlock())) visit(*BB); for (BasicBlock *BB : depth_first(&F.getEntryBlock())) visit(*BB);
if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false; if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;
▲ Show 20 LinesShow All 85 Lines▼ Show 20 Lines void visitIntrinsicInst(IntrinsicInst &II) {
// Find alloca instruction that corresponds to llvm.lifetime argument. // Find alloca instruction that corresponds to llvm.lifetime argument.
AllocaInst *AI = findAllocaForValue(II.getArgOperand(1)); AllocaInst *AI = findAllocaForValue(II.getArgOperand(1));
if (!AI) return; if (!AI) return;
bool DoPoison = (ID == Intrinsic::lifetime_end); bool DoPoison = (ID == Intrinsic::lifetime_end);
AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison}; AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison};
AllocaPoisonCallVec.push_back(APC); AllocaPoisonCallVec.push_back(APC);
} }
void visitCallInst(CallInst &CI) { void visitCallSite(CallSite CS) {
Instruction *I = CS.getInstruction();
if (CallInst *CI = dyn_cast<CallInst>(I)) {
HasNonEmptyInlineAsm |= HasNonEmptyInlineAsm |=
CI.isInlineAsm() && !CI.isIdenticalTo(EmptyInlineAsm.get()); CI->isInlineAsm() && !CI->isIdenticalTo(EmptyInlineAsm.get());
HasReturnsTwiceCall |= CI->canReturnTwice();
}
} }
// ---------------------- Helpers. // ---------------------- Helpers.
void initializeCallbacks(Module &M); void initializeCallbacks(Module &M);
bool doesDominateAllExits(const Instruction *I) const { bool doesDominateAllExits(const Instruction *I) const {
for (auto Ret : RetVec) { for (auto Ret : RetVec) {
if (!ASan.getDominatorTree().dominates(I, Ret)) return false; if (!ASan.getDominatorTree().dominates(I, Ret)) return false;
▲ Show 20 LinesShow All 1,119 Lines▼ Show 20 Linesvoid FunctionStackPoisoner::poisonStack() {
// i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms. // i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms.
size_t MinHeaderSize = ASan.LongSize / 2; size_t MinHeaderSize = ASan.LongSize / 2;
ASanStackFrameLayout L; ASanStackFrameLayout L;
ComputeASanStackFrameLayout(SVD, 1UL << Mapping.Scale, MinHeaderSize, &L); ComputeASanStackFrameLayout(SVD, 1UL << Mapping.Scale, MinHeaderSize, &L);
DEBUG(dbgs() << L.DescriptionString << " --- " << L.FrameSize << "\n"); DEBUG(dbgs() << L.DescriptionString << " --- " << L.FrameSize << "\n");
uint64_t LocalStackSize = L.FrameSize; uint64_t LocalStackSize = L.FrameSize;
bool DoStackMalloc = ClUseAfterReturn && !ASan.CompileKernel && bool DoStackMalloc = ClUseAfterReturn && !ASan.CompileKernel &&
LocalStackSize <= kMaxStackMallocSize; LocalStackSize <= kMaxStackMallocSize;
// Don't do dynamic alloca or stack malloc in presence of inline asm: bool DoDynamicAlloca = ClDynamicAllocaStack;
// too often it makes assumptions on which registers are available. // Don't do dynamic alloca or stack malloc if:
bool DoDynamicAlloca = ClDynamicAllocaStack && !HasNonEmptyInlineAsm; // 1) There is inline asm: too often it makes assumptions on which registers
DoStackMalloc &= !HasNonEmptyInlineAsm; // are available.
// 2) There is a returns_twice call (typically setjmp), which is
// optimization-hostile, and doesn't play well with introduced indirect
// register-relative calculation of local variable addresses.
DoDynamicAlloca &= !HasNonEmptyInlineAsm && !HasReturnsTwiceCall;
DoStackMalloc &= !HasNonEmptyInlineAsm && !HasReturnsTwiceCall;
Value *StaticAlloca = Value *StaticAlloca =
DoDynamicAlloca ? nullptr : createAllocaForLayout(IRB, L, false); DoDynamicAlloca ? nullptr : createAllocaForLayout(IRB, L, false);
Value *FakeStack; Value *FakeStack;
Value *LocalStackBase; Value *LocalStackBase;
if (DoStackMalloc) { if (DoStackMalloc) {
▲ Show 20 LinesShow All 271 LinesShow Last 20 Lines

llvm/trunk/test/Instrumentation/AddressSanitizer/stack_dynamic_alloca.ll

Show All 38 Lines
; CHECK: ret void ; CHECK: ret void
%XXX = alloca [20 x i8], align 1 %XXX = alloca [20 x i8], align 1
%arr.ptr = bitcast [20 x i8]* %XXX to i8* %arr.ptr = bitcast [20 x i8]* %XXX to i8*
store volatile i8 0, i8* %arr.ptr store volatile i8 0, i8* %arr.ptr
call void asm sideeffect "mov %%rbx, %%rcx", "~{dirflag},~{fpsr},~{flags}"() nounwind call void asm sideeffect "mov %%rbx, %%rcx", "~{dirflag},~{fpsr},~{flags}"() nounwind
ret void ret void
} }
; Test that dynamic alloca is not used when setjmp is present.
%struct.__jmp_buf_tag = type { [8 x i64], i32, %struct.__sigset_t }
%struct.__sigset_t = type { [16 x i64] }
@_ZL3buf = internal global [1 x %struct.__jmp_buf_tag] zeroinitializer, align 16
define void @Func3() uwtable sanitize_address {
; CHECK-LABEL: define void @Func3
; CHECK-NOT: __asan_option_detect_stack_use_after_return
; CHECK-NOT: __asan_stack_malloc
; CHECK: call void @__asan_handle_no_return
; CHECK: call void @longjmp
; CHECK: ret void
entry:
%a = alloca i32, align 4
%call = call i32 @_setjmp(%struct.__jmp_buf_tag* getelementptr inbounds ([1 x %struct.__jmp_buf_tag], [1 x %struct.__jmp_buf_tag]* @_ZL3buf, i32 0, i32 0)) nounwind returns_twice
%cmp = icmp eq i32 0, %call
br i1 %cmp, label %if.then, label %if.end
if.then: ; preds = %entry
call void @longjmp(%struct.__jmp_buf_tag* getelementptr inbounds ([1 x %struct.__jmp_buf_tag], [1 x %struct.__jmp_buf_tag]* @_ZL3buf, i32 0, i32 0), i32 1) noreturn nounwind
unreachable
if.end: ; preds = %entry
call void @_Z10escape_ptrPi(i32* %a)
ret void
}
declare i32 @_setjmp(%struct.__jmp_buf_tag*) nounwind returns_twice
declare void @longjmp(%struct.__jmp_buf_tag*, i32) noreturn nounwind
declare void @_Z10escape_ptrPi(i32*)