This is an archive of the discontinued LLVM Phabricator instance.

Differential D13403

Better handling of function calls in SafeStack
AbandonedPublic

Authored by eugenis on Oct 2 2015, 5:25 PM.

Details

Reviewers
dvyukov
majnemer
pcc
Summary

For a call to be safe, require that it does not capture the alloca pointer and also does not write to it.
Special case for memory intrinsics when they are known to be inbounds.

Diff Detail

Repository
rL LLVM

Event Timeline

eugenis updated this revision to Diff 36419.Oct 2 2015, 5:25 PM
eugenis retitled this revision from to Better handling of function calls in SafeStack.
eugenis updated this object.
eugenis added reviewers: majnemer, pcc, dvyukov.
eugenis set the repository for this revision to rL LLVM.
eugenis added a subscriber: llvm-commits.
eugenis updated this revision to Diff 36421.Oct 2 2015, 5:37 PM
dvyukov added inline comments.Oct 4 2015, 5:18 AM
lib/Transforms/Instrumentation/SafeStack.cpp
73

I guess a more correct description is "that are accessed in ways that we can't prove to be safe".

eugenis updated this revision to Diff 36558.Oct 5 2015, 2:37 PM

Added the same logic for plain stores.

eugenis updated this revision to Diff 36559.Oct 5 2015, 2:38 PM
eugenis marked an inline comment as done.
eugenis updated this revision to Diff 36560.Oct 5 2015, 2:39 PM

+ missing test file (store.ll)

jevinskie added a subscriber: jevinskie.Oct 12 2015, 12:37 PM
eugenis added a comment.Oct 14 2015, 11:29 AM

ping

dvyukov edited edge metadata.Oct 14 2015, 11:33 AM

I am not qualified to review the gist of this patch.

pcc edited edge metadata.Oct 26 2015, 7:05 PM

I suppose a higher level point is whether it is sufficient to rely only on the readonly attribute. Consider this function:

void *f(void **a, int x) {
  return a[x];
}

The a argument would be readonly and nocapture, but it could leak the address of the safe stack given an appropriate x. We already protect against this kind of thing within a function (via the gep case in SafeStack::IsSafeStackAlloca), but not across function call boundaries.

Maybe we do in fact need something like a global analysis like FunctionAttrs that attaches safestack attributes to parameters.

lib/Transforms/Instrumentation/SafeStack.cpp
238

It occurs to me that this isn't necessarily a valid assumption (consider for example an access with out-of-bounds indices that were constant folded by the optimizer from something that the frontend wasn't smart enough to warn about).

272

This comment should be updated.

281

I would just check for the attribute here. The FunctionAttrs pass should have already set attributes according to AA results.

eugenis added a comment.Oct 28 2015, 3:51 PM
In D13403#275791, @pcc wrote:

I suppose a higher level point is whether it is sufficient to rely only on the readonly attribute. Consider this function:

It would not protect us from information leaks, but it makes write-overflow impossible at least.

void *f(void **a, int x) {
  return a[x];
}

The a argument would be readonly and nocapture, but it could leak the address of the safe stack given an appropriate x. We already protect against this kind of thing within a function (via the gep case in SafeStack::IsSafeStackAlloca), but not across function call boundaries.

In fact, this is not handled correctly within a function. For example, bitcast to larger type + load are not checked at all.

Maybe we do in fact need something like a global analysis like FunctionAttrs that attaches safestack attributes to parameters.

I think we will need to do something like this in the end, but let's start with something simple. I'll stop relying on "readonly" attribute, keeping just a special case for memory intrinsics.

Would be great if this "safestack" attribute specified the range of memory accesses based on the parameter, so that it could describe memset(), for example.

eugenis abandoned this revision.Nov 11 2015, 5:00 PM

I've rewritten the whole thing using ScalarEvolution. The result looks simpler and is more powerful.
The code is significantly different, so I've uploaded it as a new revision. See D14599.
Closing this one.

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
249 lines
test/
Transforms/
SafeStack/
105 lines
63 lines

Diff 36560

lib/Transforms/Instrumentation/SafeStack.cpp

Show All 13 Lines
// http://clang.llvm.org/docs/SafeStack.html // http://clang.llvm.org/docs/SafeStack.html
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/Transforms/Instrumentation.h" #include "llvm/Transforms/Instrumentation.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/ADT/Triple.h" #include "llvm/ADT/Triple.h"
#include "llvm/Analysis/AliasAnalysis.h" #include "llvm/Analysis/AliasAnalysis.h"
#include "llvm/Analysis/MemoryBuiltins.h"
#include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/CodeGen/Passes.h" #include "llvm/CodeGen/Passes.h"
#include "llvm/IR/Constants.h" #include "llvm/IR/Constants.h"
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
#include "llvm/IR/DerivedTypes.h" #include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/DIBuilder.h" #include "llvm/IR/DIBuilder.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/InstIterator.h" #include "llvm/IR/InstIterator.h"
#include "llvm/IR/Instructions.h" #include "llvm/IR/Instructions.h"
Show All 30 Lines
STATISTIC(NumUnsafeStaticAllocas, "Number of unsafe static allocas"); STATISTIC(NumUnsafeStaticAllocas, "Number of unsafe static allocas");
STATISTIC(NumUnsafeDynamicAllocas, "Number of unsafe dynamic allocas"); STATISTIC(NumUnsafeDynamicAllocas, "Number of unsafe dynamic allocas");
STATISTIC(NumUnsafeStackRestorePoints, "Number of setjmps and landingpads"); STATISTIC(NumUnsafeStackRestorePoints, "Number of setjmps and landingpads");
} // namespace llvm } // namespace llvm
namespace { namespace {
/// The SafeStack pass splits the stack of each function into the safe
/// stack, which is only accessed through memory safe dereferences (as
/// determined statically), and the unsafe stack, which contains all
/// local variables that are accessed in ways that we can't prove to
dvyukovUnsubmitted
Done
ReplyInline Actions

I guess a more correct description is "that are accessed in ways that we can't prove to be safe".

dvyukov: I guess a more correct description is "that are accessed in ways that we can't prove to be…
/// be safe.
class SafeStack : public FunctionPass {
const TargetMachine *TM;
const TargetLoweringBase *TL;
const TargetLibraryInfo *TLI;
const DataLayout *DL;
Type *StackPtrTy;
Type *IntPtrTy;
Type *Int32Ty;
Type *Int8Ty;
Value *UnsafeStackPtr = nullptr;
/// Unsafe stack alignment. Each stack frame must ensure that the stack is
/// aligned to this value. We need to re-align the unsafe stack if the
/// alignment of any object on the stack exceeds this value.
///
/// 16 seems like a reasonable upper bound on the alignment of objects that we
/// might expect to appear on the stack on most common targets.
enum { StackAlignment = 16 };
/// \brief Build a constant representing a pointer to the unsafe stack
/// pointer.
Value *getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F);
/// \brief Find all static allocas, dynamic allocas, return instructions and
/// stack restore points (exception unwind blocks and setjmp calls) in the
/// given function and append them to the respective vectors.
void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas,
SmallVectorImpl<AllocaInst *> &DynamicAllocas,
SmallVectorImpl<ReturnInst *> &Returns,
SmallVectorImpl<Instruction *> &StackRestorePoints);
/// \brief Allocate space for all static allocas in \p StaticAllocas,
/// replace allocas with pointers into the unsafe stack and generate code to
/// restore the stack pointer before all return instructions in \p Returns.
///
/// \returns A pointer to the top of the unsafe stack after all unsafe static
/// allocas are allocated.
Value *moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F,
ArrayRef<AllocaInst *> StaticAllocas,
ArrayRef<ReturnInst *> Returns);
/// \brief Generate code to restore the stack after all stack restore points
/// in \p StackRestorePoints.
///
/// \returns A local variable in which to maintain the dynamic top of the
/// unsafe stack if needed.
AllocaInst *
createStackRestorePoints(IRBuilder<> &IRB, Function &F,
ArrayRef<Instruction *> StackRestorePoints,
Value *StaticTop, bool NeedDynamicTop);
/// \brief Replace all allocas in \p DynamicAllocas with code to allocate
/// space dynamically on the unsafe stack and store the dynamic unsafe stack
/// top to \p DynamicTop if non-null.
void moveDynamicAllocasToUnsafeStack(Function &F, Value *UnsafeStackPtr,
AllocaInst *DynamicTop,
ArrayRef<AllocaInst *> DynamicAllocas);
bool IsSafeStackAlloca(const AllocaInst *AI,
ObjectSizeOffsetVisitor &Visitor);
bool IsMemIntrinsicSafe(const MemIntrinsic *MI, const Use &U,
ObjectSizeOffsetVisitor &Visitor);
bool IsAccessSafe(Value *Addr, uint64_t Size,
ObjectSizeOffsetVisitor &Visitor);
public:
static char ID; // Pass identification, replacement for typeid.
SafeStack(const TargetMachine *TM)
: FunctionPass(ID), TM(TM), TL(nullptr), TLI(nullptr), DL(nullptr) {
initializeSafeStackPass(*PassRegistry::getPassRegistry());
}
SafeStack() : SafeStack(nullptr) {}
void getAnalysisUsage(AnalysisUsage &AU) const override {
AU.addRequired<AAResultsWrapperPass>();
AU.addRequired<TargetLibraryInfoWrapperPass>();
}
bool doInitialization(Module &M) override {
DL = &M.getDataLayout();
StackPtrTy = Type::getInt8PtrTy(M.getContext());
IntPtrTy = DL->getIntPtrType(M.getContext());
Int32Ty = Type::getInt32Ty(M.getContext());
Int8Ty = Type::getInt8Ty(M.getContext());
return false;
}
bool runOnFunction(Function &F) override;
}; // class SafeStack
bool SafeStack::IsAccessSafe(Value *Addr, uint64_t Size,
ObjectSizeOffsetVisitor &Visitor) {
SizeOffsetType SizeOffset = Visitor.compute(Addr);
if (!Visitor.bothKnown(SizeOffset))
return false;
uint64_t ObjectSize = SizeOffset.first.getZExtValue();
int64_t Offset = SizeOffset.second.getSExtValue();
return Offset >= 0 && ObjectSize >= uint64_t(Offset) &&
ObjectSize - uint64_t(Offset) >= Size;
}
bool SafeStack::IsMemIntrinsicSafe(const MemIntrinsic *MI, const Use &U,
ObjectSizeOffsetVisitor &Visitor) {
// All MemIntrincis have destination address in Arg0 and size in Arg2.
if (MI->getRawDest() != U) return true;
const auto *Len = dyn_cast<ConstantInt>(MI->getLength());
// Non-constant size => unsafe.
if (!Len) return false;
return IsAccessSafe(U, Len->getZExtValue(), Visitor);
}
/// Check whether a given alloca instruction (AI) should be put on the safe /// Check whether a given alloca instruction (AI) should be put on the safe
/// stack or not. The function analyzes all uses of AI and checks whether it is /// stack or not. The function analyzes all uses of AI and checks whether it is
/// only accessed in a memory safe way (as decided statically). /// only accessed in a memory safe way (as decided statically).
bool IsSafeStackAlloca(const AllocaInst *AI) { bool SafeStack::IsSafeStackAlloca(const AllocaInst *AI,
ObjectSizeOffsetVisitor &Visitor) {
// Go through all uses of this alloca and check whether all accesses to the // Go through all uses of this alloca and check whether all accesses to the
// allocated object are statically known to be memory safe and, hence, the // allocated object are statically known to be memory safe and, hence, the
// object can be placed on the safe stack. // object can be placed on the safe stack.
auto AA = &getAnalysis<AAResultsWrapperPass>().getAAResults();
SmallPtrSet<const Value *, 16> Visited; SmallPtrSet<const Value *, 16> Visited;
SmallVector<const Instruction *, 8> WorkList; SmallVector<const Instruction *, 8> WorkList;
WorkList.push_back(AI); WorkList.push_back(AI);
// A DFS search through all uses of the alloca in bitcasts/PHI/GEPs/etc. // A DFS search through all uses of the alloca in bitcasts/PHI/GEPs/etc.
while (!WorkList.empty()) { while (!WorkList.empty()) {
const Instruction *V = WorkList.pop_back_val(); const Instruction *V = WorkList.pop_back_val();
for (const Use &UI : V->uses()) { for (const Use &UI : V->uses()) {
auto I = cast<const Instruction>(UI.getUser()); auto I = cast<const Instruction>(UI.getUser());
assert(V == UI.get()); assert(V == UI.get());
switch (I->getOpcode()) { switch (I->getOpcode()) {
case Instruction::Load: case Instruction::Load:
// Loading from a pointer is safe. // Loading from a pointer is safe.
break; break;
case Instruction::VAArg: case Instruction::VAArg:
// "va-arg" from a pointer is safe. // "va-arg" from a pointer is safe.
break; break;
case Instruction::Store: case Instruction::Store:
if (V == I->getOperand(0)) if (V == I->getOperand(0))
// Stored the pointer - conservatively assume it may be unsafe. // Stored the pointer - conservatively assume it may be unsafe.
return false; return false;
// Storing to the pointee is safe. if (!IsAccessSafe(UI, DL->getTypeStoreSize(I->getOperand(0)->getType()),
Visitor))
return false;
break; break;
case Instruction::GetElementPtr: case Instruction::GetElementPtr:
if (!cast<const GetElementPtrInst>(I)->hasAllConstantIndices()) if (!cast<const GetElementPtrInst>(I)->hasAllConstantIndices())
// GEP with non-constant indices can lead to memory errors. // GEP with non-constant indices can lead to memory errors.
// This also applies to inbounds GEPs, as the inbounds attribute // This also applies to inbounds GEPs, as the inbounds attribute
// represents an assumption that the address is in bounds, rather than // represents an assumption that the address is in bounds, rather than
// an assertion that it is. // an assertion that it is.
return false; return false;
// We assume that GEP on static alloca with constant indices is safe, // We assume that GEP on static alloca with constant indices is safe,
// otherwise a compiler would detect it and warn during compilation. // otherwise a compiler would detect it and warn during compilation.
pccUnsubmitted
Not Done
ReplyInline Actions

It occurs to me that this isn't necessarily a valid assumption (consider for example an access with out-of-bounds indices that were constant folded by the optimizer from something that the frontend wasn't smart enough to warn about).

pcc: It occurs to me that this isn't necessarily a valid assumption (consider for example an access…
if (!isa<const ConstantInt>(AI->getArraySize())) if (!isa<const ConstantInt>(AI->getArraySize()))
// However, if the array size itself is not constant, the access // However, if the array size itself is not constant, the access
// might still be unsafe at runtime. // might still be unsafe at runtime.
return false; return false;
/* fallthrough */ /* fallthrough */
case Instruction::BitCast: case Instruction::BitCast:
case Instruction::IntToPtr: case Instruction::IntToPtr:
case Instruction::PHI: case Instruction::PHI:
case Instruction::PtrToInt: case Instruction::PtrToInt:
case Instruction::Select: case Instruction::Select:
// The object can be safe or not, depending on how the result of the // The object can be safe or not, depending on how the result of the
// instruction is used. // instruction is used.
if (Visited.insert(I).second) if (Visited.insert(I).second)
WorkList.push_back(cast<const Instruction>(I)); WorkList.push_back(cast<const Instruction>(I));
break; break;
case Instruction::Call: case Instruction::Call:
case Instruction::Invoke: { case Instruction::Invoke: {
// FIXME: add support for memset and memcpy intrinsics. // FIXME: add support for memset and memcpy intrinsics.
ImmutableCallSite CS(I); ImmutableCallSite CS(I);
if (const MemIntrinsic *MI = dyn_cast<MemIntrinsic>(I)) {
if (!IsMemIntrinsicSafe(MI, UI, Visitor))
return false;
continue;
}
// LLVM 'nocapture' attribute is only set for arguments whose address // LLVM 'nocapture' attribute is only set for arguments whose address
// is not stored, passed around, or used in any other non-trivial way. // is not stored, passed around, or used in any other non-trivial way.
// We assume that passing a pointer to an object as a 'nocapture' // We assume that passing a pointer to an object as a 'nocapture'
// argument is safe. // argument is safe.
pccUnsubmitted
Not Done
ReplyInline Actions

This comment should be updated.

pcc: This comment should be updated.
// FIXME: a more precise solution would require an interprocedural // FIXME: a more precise solution would require an interprocedural
// analysis here, which would look at all uses of an argument inside // analysis here, which would look at all uses of an argument inside
// the function being called. // the function being called.
ImmutableCallSite::arg_iterator B = CS.arg_begin(), E = CS.arg_end(); ImmutableCallSite::arg_iterator B = CS.arg_begin(), E = CS.arg_end();
for (ImmutableCallSite::arg_iterator A = B; A != E; ++A) for (ImmutableCallSite::arg_iterator A = B; A != E; ++A) {
if (A->get() == V && !CS.doesNotCapture(A - B)) if (A->get() == V) {
// The parameter is not marked 'nocapture' - unsafe. if (!CS.doesNotCapture(A - B))
return false;
if (!AA->onlyReadsMemory(CS) && !CS.onlyReadsMemory(A - B))
pccUnsubmitted
Not Done
ReplyInline Actions

I would just check for the attribute here. The FunctionAttrs pass should have already set attributes according to AA results.

pcc: I would just check for the attribute here. The `FunctionAttrs` pass should have already set…
return false; return false;
}
}
continue; continue;
} }
default: default:
// The object is unsafe if it is used in any other way. // The object is unsafe if it is used in any other way.
return false; return false;
} }
} }
} }
// All uses of the alloca are safe, we can place it on the safe stack. // All uses of the alloca are safe, we can place it on the safe stack.
return true; return true;
} }
/// The SafeStack pass splits the stack of each function into the
/// safe stack, which is only accessed through memory safe dereferences
/// (as determined statically), and the unsafe stack, which contains all
/// local variables that are accessed in unsafe ways.
class SafeStack : public FunctionPass {
const TargetMachine *TM;
const TargetLoweringBase *TLI;
const DataLayout *DL;
Type *StackPtrTy;
Type *IntPtrTy;
Type *Int32Ty;
Type *Int8Ty;
Value *UnsafeStackPtr = nullptr;
/// Unsafe stack alignment. Each stack frame must ensure that the stack is
/// aligned to this value. We need to re-align the unsafe stack if the
/// alignment of any object on the stack exceeds this value.
///
/// 16 seems like a reasonable upper bound on the alignment of objects that we
/// might expect to appear on the stack on most common targets.
enum { StackAlignment = 16 };
/// \brief Build a constant representing a pointer to the unsafe stack
/// pointer.
Value *getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F);
/// \brief Find all static allocas, dynamic allocas, return instructions and
/// stack restore points (exception unwind blocks and setjmp calls) in the
/// given function and append them to the respective vectors.
void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas,
SmallVectorImpl<AllocaInst *> &DynamicAllocas,
SmallVectorImpl<ReturnInst *> &Returns,
SmallVectorImpl<Instruction *> &StackRestorePoints);
/// \brief Allocate space for all static allocas in \p StaticAllocas,
/// replace allocas with pointers into the unsafe stack and generate code to
/// restore the stack pointer before all return instructions in \p Returns.
///
/// \returns A pointer to the top of the unsafe stack after all unsafe static
/// allocas are allocated.
Value *moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F,
ArrayRef<AllocaInst *> StaticAllocas,
ArrayRef<ReturnInst *> Returns);
/// \brief Generate code to restore the stack after all stack restore points
/// in \p StackRestorePoints.
///
/// \returns A local variable in which to maintain the dynamic top of the
/// unsafe stack if needed.
AllocaInst *
createStackRestorePoints(IRBuilder<> &IRB, Function &F,
ArrayRef<Instruction *> StackRestorePoints,
Value *StaticTop, bool NeedDynamicTop);
/// \brief Replace all allocas in \p DynamicAllocas with code to allocate
/// space dynamically on the unsafe stack and store the dynamic unsafe stack
/// top to \p DynamicTop if non-null.
void moveDynamicAllocasToUnsafeStack(Function &F, Value *UnsafeStackPtr,
AllocaInst *DynamicTop,
ArrayRef<AllocaInst *> DynamicAllocas);
public:
static char ID; // Pass identification, replacement for typeid.
SafeStack(const TargetMachine *TM)
: FunctionPass(ID), TM(TM), TLI(nullptr), DL(nullptr) {
initializeSafeStackPass(*PassRegistry::getPassRegistry());
}
SafeStack() : SafeStack(nullptr) {}
void getAnalysisUsage(AnalysisUsage &AU) const override {
AU.addRequired<AAResultsWrapperPass>();
}
bool doInitialization(Module &M) override {
DL = &M.getDataLayout();
StackPtrTy = Type::getInt8PtrTy(M.getContext());
IntPtrTy = DL->getIntPtrType(M.getContext());
Int32Ty = Type::getInt32Ty(M.getContext());
Int8Ty = Type::getInt8Ty(M.getContext());
return false;
}
bool runOnFunction(Function &F) override;
}; // class SafeStack
Value *SafeStack::getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F) { Value *SafeStack::getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F) {
Module &M = *F.getParent(); Module &M = *F.getParent();
Triple TargetTriple(M.getTargetTriple()); Triple TargetTriple(M.getTargetTriple());
unsigned Offset; unsigned Offset;
unsigned AddressSpace; unsigned AddressSpace;
// Check if the target keeps the unsafe stack pointer at a fixed offset. // Check if the target keeps the unsafe stack pointer at a fixed offset.
if (TLI && TLI->getSafeStackPointerLocation(AddressSpace, Offset)) { if (TL && TL->getSafeStackPointerLocation(AddressSpace, Offset)) {
Constant *OffsetVal = Constant *OffsetVal =
ConstantInt::get(Type::getInt32Ty(F.getContext()), Offset); ConstantInt::get(Type::getInt32Ty(F.getContext()), Offset);
return ConstantExpr::getIntToPtr(OffsetVal, return ConstantExpr::getIntToPtr(OffsetVal,
StackPtrTy->getPointerTo(AddressSpace)); StackPtrTy->getPointerTo(AddressSpace));
} }
// Android provides a libc function that returns the stack pointer address. // Android provides a libc function that returns the stack pointer address.
if (TargetTriple.getEnvironment() == llvm::Triple::Android) { if (TargetTriple.getEnvironment() == llvm::Triple::Android) {
Show All 29 LinesValue *SafeStack::getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F) {
} }
} }
void SafeStack::findInsts(Function &F, void SafeStack::findInsts(Function &F,
SmallVectorImpl<AllocaInst *> &StaticAllocas, SmallVectorImpl<AllocaInst *> &StaticAllocas,
SmallVectorImpl<AllocaInst *> &DynamicAllocas, SmallVectorImpl<AllocaInst *> &DynamicAllocas,
SmallVectorImpl<ReturnInst *> &Returns, SmallVectorImpl<ReturnInst *> &Returns,
SmallVectorImpl<Instruction *> &StackRestorePoints) { SmallVectorImpl<Instruction *> &StackRestorePoints) {
ObjectSizeOffsetVisitor Visitor(*DL, TLI, F.getContext(),
/*RoundToAlign=*/true);
for (Instruction &I : instructions(&F)) { for (Instruction &I : instructions(&F)) {
if (auto AI = dyn_cast<AllocaInst>(&I)) { if (auto AI = dyn_cast<AllocaInst>(&I)) {
++NumAllocas; ++NumAllocas;
if (IsSafeStackAlloca(AI)) if (IsSafeStackAlloca(AI, Visitor))
continue; continue;
if (AI->isStaticAlloca()) { if (AI->isStaticAlloca()) {
++NumUnsafeStaticAllocas; ++NumUnsafeStaticAllocas;
StaticAllocas.push_back(AI); StaticAllocas.push_back(AI);
} else { } else {
++NumUnsafeDynamicAllocas; ++NumUnsafeDynamicAllocas;
DynamicAllocas.push_back(AI); DynamicAllocas.push_back(AI);
▲ Show 20 LinesShow All 227 Lines▼ Show 20 Linesbool SafeStack::runOnFunction(Function &F) {
if (F.isDeclaration()) { if (F.isDeclaration()) {
DEBUG(dbgs() << "[SafeStack] function definition" DEBUG(dbgs() << "[SafeStack] function definition"
" is not available\n"); " is not available\n");
return false; return false;
} }
auto AA = &getAnalysis<AAResultsWrapperPass>().getAAResults(); auto AA = &getAnalysis<AAResultsWrapperPass>().getAAResults();
TL = TM ? TM->getSubtargetImpl(F)->getTargetLowering() : nullptr;
TLI = TM ? TM->getSubtargetImpl(F)->getTargetLowering() : nullptr; TLI = &getAnalysis<TargetLibraryInfoWrapperPass>().getTLI();
{ {
// Make sure the regular stack protector won't run on this function // Make sure the regular stack protector won't run on this function
// (safestack attribute takes precedence). // (safestack attribute takes precedence).
AttrBuilder B; AttrBuilder B;
B.addAttribute(Attribute::StackProtect) B.addAttribute(Attribute::StackProtect)
.addAttribute(Attribute::StackProtectReq) .addAttribute(Attribute::StackProtectReq)
.addAttribute(Attribute::StackProtectStrong); .addAttribute(Attribute::StackProtectStrong);
▲ Show 20 LinesShow All 72 LinesShow Last 20 Lines

test/Transforms/SafeStack/call.ll

; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - | FileCheck %s ; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - | FileCheck %s
; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - | FileCheck %s ; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - | FileCheck %s
@.str = private unnamed_addr constant [4 x i8] c"%s\0A\00", align 1 @.str = private unnamed_addr constant [4 x i8] c"%s\0A\00", align 1
; no arrays / no nested arrays ; no arrays / no nested arrays
; Requires no protector. ; Requires no protector.
; CHECK-LABEL: @foo(
define void @foo(i8* %a) nounwind uwtable safestack { define void @foo(i8* %a) nounwind uwtable safestack {
entry: entry:
; CHECK-LABEL: define void @foo(
; CHECK-NOT: __safestack_unsafe_stack_ptr ; CHECK-NOT: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a.addr = alloca i8*, align 8 %a.addr = alloca i8*, align 8
store i8* %a, i8** %a.addr, align 8 store i8* %a, i8** %a.addr, align 8
%0 = load i8*, i8** %a.addr, align 8 %0 = load i8*, i8** %a.addr, align 8
%call = call i32 (i8*, ...) @printf(i8* getelementptr inbounds ([4 x i8], [4 x i8]* @.str, i32 0, i32 0), i8* %0) %call = call i32 (i8*, ...) @printf(i8* getelementptr inbounds ([4 x i8], [4 x i8]* @.str, i32 0, i32 0), i8* %0)
ret void ret void
} }
declare i32 @printf(i8*, ...) declare i32 @printf(i8*, ...)
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
define void @call_memset(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_memset
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @llvm.memset.p0i8.i64(i8* %arraydecay, i8 1, i64 %len, i32 1, i1 false)
ret void
}
define void @call_constant_memset() safestack {
entry:
; CHECK-LABEL: define void @call_constant_memset
; CHECK-NOT: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 2
call void @llvm.memset.p0i8.i64(i8* %arraydecay, i8 1, i64 7, i32 1, i1 false)
ret void
}
define void @call_constant_overflow_memset() safestack {
entry:
; CHECK-LABEL: define void @call_constant_overflow_memset
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 7
call void @llvm.memset.p0i8.i64(i8* %arraydecay, i8 1, i64 5, i32 1, i1 false)
ret void
}
define void @call_constant_underflow_memset() safestack {
entry:
; CHECK-LABEL: define void @call_constant_underflow_memset
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr [10 x i8], [10 x i8]* %q, i32 0, i32 -1
call void @llvm.memset.p0i8.i64(i8* %arraydecay, i8 1, i64 3, i32 1, i1 false)
ret void
}
; Readonly nocapture -> safe
define void @call_readonly(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_readonly
; CHECK-NOT: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @readonly(i8* %arraydecay)
ret void
}
; Readonly nocapture -> safe
define void @call_arg_readonly(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_arg_readonly
; CHECK-NOT: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @arg_readonly(i8* %arraydecay)
ret void
}
; Readwrite nocapture -> unsafe
define void @call_readwrite(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_readwrite
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @readwrite(i8* %arraydecay)
ret void
}
; Captures the argument -> unsafe
define void @call_capture(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_capture
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @capture(i8* %arraydecay)
ret void
}
declare void @readonly(i8* nocapture) readonly
declare void @arg_readonly(i8* readonly nocapture)
declare void @readwrite(i8* nocapture)
declare void @capture(i8* readonly) readonly
declare void @llvm.memset.p0i8.i64(i8* nocapture, i8, i64, i32, i1) nounwind argmemonly

test/Transforms/SafeStack/store.ll

  • This file was added.
; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - | FileCheck %s
; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - | FileCheck %s
@.str = private unnamed_addr constant [4 x i8] c"%s\0A\00", align 1
define void @bad_store() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @bad_store(
; CHECK: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a = alloca i32, align 4
%0 = ptrtoint i32* %a to i64
%1 = inttoptr i64 %0 to i64*
store i64 zeroinitializer, i64* %1
ret void
}
define void @good_store() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @good_store(
; CHECK-NOT: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a = alloca i32, align 4
%0 = bitcast i32* %a to i8*
store i8 zeroinitializer, i8* %0
ret void
}
define void @overflow_gep_store() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @overflow_gep_store(
; CHECK: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a = alloca i32, align 4
%0 = bitcast i32* %a to i8*
%1 = getelementptr i8, i8* %0, i32 4
store i8 zeroinitializer, i8* %1
ret void
}
define void @underflow_gep_store() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @underflow_gep_store(
; CHECK: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a = alloca i32, align 4
%0 = bitcast i32* %a to i8*
%1 = getelementptr i8, i8* %0, i32 -1
store i8 zeroinitializer, i8* %1
ret void
}
define void @good_gep_store() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @good_gep_store(
; CHECK-NOT: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a = alloca i32, align 4
%0 = bitcast i32* %a to i8*
%1 = getelementptr i8, i8* %0, i32 3
store i8 zeroinitializer, i8* %1
ret void
}