This is an archive of the discontinued LLVM Phabricator instance.

Differential D14599

[safestack] Rewrite isAllocaSafe using SCEV.
ClosedPublic

Authored by eugenis on Nov 11 2015, 4:59 PM.

Details

Reviewers
pcc
Summary

Use ScalarEvolution to calculate memory access bounds.
Handle function calls based on readnone/nocapture attributes.
Handle memory intrinsics with constant size.
Handle lifetime intrinsics.

This change improves both recall and precision of IsAllocaSafe.
See the new tests (ex. BitCastWide) for the kind of code that was wrongly
classified as safe.

SCEV efficiency seems to be limited by the fact the SafeStack runs late
(in CodeGenPrepare), and many loops are unrolled or otherwise not in LCSSA.

Diff Detail

Repository
rL LLVM

Event Timeline

eugenis updated this revision to Diff 39993.Nov 11 2015, 4:59 PM
eugenis retitled this revision from to [safestack] Rewrite isAllocaSafe using SCEV..
eugenis updated this object.
eugenis added a reviewer: pcc.
eugenis set the repository for this revision to rL LLVM.
eugenis added a subscriber: llvm-commits.
Herald added a subscriber: sanjoy. · View Herald TranscriptNov 11 2015, 4:59 PM
eugenis mentioned this in D13403: Better handling of function calls in SafeStack.Nov 11 2015, 5:00 PM
eugenis added a comment.Nov 11 2015, 5:02 PM

This version also attempts to protect against information leaks.
A function that returns an address of a stack variable (or some value computed based on that) would get a readnone attribute, which means we can not rely on that. This was the last use of AliasAnalysis in SafeStack, so it is now gone.

pcc edited edge metadata.Nov 11 2015, 5:53 PM

This is great, thanks for working on this. A few mostly minor comments.

lib/Transforms/Instrumentation/SafeStack.cpp
111

Why did you change this? The comment was correct before, I believe?

186

Isn't this equivalent to just SE->getUnsignedRange(Expr)?

188

Nit: you don't need to supply a third argument here (and below); false is the default.

301

Should this be the default behaviour? It seems like it would be safer to use explicit whitelisting of instructions as the old code does.

595–596

Did you leave this in intentionally?

eugenis updated this revision to Diff 39999.Nov 11 2015, 6:15 PM
eugenis updated this object.
eugenis edited edge metadata.
eugenis marked an inline comment as done.
eugenis added inline comments.
lib/Transforms/Instrumentation/SafeStack.cpp
111

I don't recall changing this. Weird.
Reverted.

186

The second one is supposed to be getSignedRange. This is actually quite inefficient as these calls do a lot of duplicate work.

301

This sounds like a awful lot of whitelisting. Unlike the previous algorithm where we explicitly supported a few instructions, ScalarEvolution can handle almost anything, and if not it would just say that the access range is full-set.

I think blacklisting would be a better approach.

595–596

Removed.

sanjoy added inline comments.Nov 11 2015, 6:24 PM
lib/Transforms/Instrumentation/SafeStack.cpp
186

I don't think you need to intersect here -- if the intersection returns a "better" (i.e. strictly smaller) range than either getUnsignedRange or getSignedRange, then it is a bug in ScalarEvolution. :)

Reading the surrounding code, I think you really only need getUnsignedRange.

eugenis updated this revision to Diff 40094.Nov 12 2015, 4:06 PM
eugenis added inline comments.Nov 12 2015, 4:09 PM
lib/Transforms/Instrumentation/SafeStack.cpp
186

Is it because we are comparing it with a non-negative alloca range, and even if the signed range is "smaller", it would still overflow in the negative direction?

Switched to getUnsignedRange.

pcc accepted this revision.Nov 12 2015, 4:54 PM
pcc edited edge metadata.

LGTM

lib/Transforms/Instrumentation/SafeStack.cpp
186

I agree that you just need getUnsignedRange. My understanding is that the two functions are supposed to return essentially the same thing but return slightly different results in the negative range for unknowns (e.g. for unknowns with m trailing zeros [0,2^n-2^m) vs [-2^(n-1)..2^(n-1)-2^m) ) which we don't care about here.

301

After sleeping on it I agree that your approach is correct.

This revision is now accepted and ready to land.Nov 12 2015, 4:54 PM
eugenis closed this revision.Nov 13 2015, 1:24 PM

Submitted as r253083, thanks!

hiraditya mentioned this in D134129: [PATCH] [RISCV] Enable -msave-restore by default when optimizing for size.Mar 17 2023, 12:42 PM

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
274 lines
test/
Transforms/
SafeStack/
160 lines
28 lines
17 lines
63 lines

Diff 40094

lib/Transforms/Instrumentation/SafeStack.cpp

Show All 12 Lines
// //
// http://clang.llvm.org/docs/SafeStack.html // http://clang.llvm.org/docs/SafeStack.html
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/Transforms/Instrumentation.h" #include "llvm/Transforms/Instrumentation.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/ADT/Triple.h" #include "llvm/ADT/Triple.h"
#include "llvm/Analysis/AliasAnalysis.h" #include "llvm/Analysis/ScalarEvolution.h"
#include "llvm/Analysis/ScalarEvolutionExpressions.h"
#include "llvm/CodeGen/Passes.h" #include "llvm/CodeGen/Passes.h"
#include "llvm/IR/Constants.h" #include "llvm/IR/Constants.h"
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
#include "llvm/IR/DerivedTypes.h" #include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/DIBuilder.h" #include "llvm/IR/DIBuilder.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/InstIterator.h" #include "llvm/IR/InstIterator.h"
#include "llvm/IR/Instructions.h" #include "llvm/IR/Instructions.h"
Show All 27 Lines
STATISTIC(NumUnsafeStaticAllocas, "Number of unsafe static allocas"); STATISTIC(NumUnsafeStaticAllocas, "Number of unsafe static allocas");
STATISTIC(NumUnsafeDynamicAllocas, "Number of unsafe dynamic allocas"); STATISTIC(NumUnsafeDynamicAllocas, "Number of unsafe dynamic allocas");
STATISTIC(NumUnsafeStackRestorePoints, "Number of setjmps and landingpads"); STATISTIC(NumUnsafeStackRestorePoints, "Number of setjmps and landingpads");
} // namespace llvm } // namespace llvm
namespace { namespace {
/// Check whether a given alloca instruction (AI) should be put on the safe /// Rewrite an SCEV expression for a memory access address to an expression that
/// stack or not. The function analyzes all uses of AI and checks whether it is /// represents offset from the given alloca.
/// only accessed in a memory safe way (as decided statically). ///
bool IsSafeStackAlloca(const AllocaInst *AI) { /// The implementation simply replaces all mentions of the alloca with zero.
// Go through all uses of this alloca and check whether all accesses to the class AllocaOffsetRewriter : public SCEVRewriteVisitor<AllocaOffsetRewriter> {
// allocated object are statically known to be memory safe and, hence, the const AllocaInst *AI;
// object can be placed on the safe stack.
SmallPtrSet<const Value *, 16> Visited;
SmallVector<const Instruction *, 8> WorkList;
WorkList.push_back(AI);
// A DFS search through all uses of the alloca in bitcasts/PHI/GEPs/etc.
while (!WorkList.empty()) {
const Instruction *V = WorkList.pop_back_val();
for (const Use &UI : V->uses()) {
auto I = cast<const Instruction>(UI.getUser());
assert(V == UI.get());
switch (I->getOpcode()) {
case Instruction::Load:
// Loading from a pointer is safe.
break;
case Instruction::VAArg:
// "va-arg" from a pointer is safe.
break;
case Instruction::Store:
if (V == I->getOperand(0))
// Stored the pointer - conservatively assume it may be unsafe.
return false;
// Storing to the pointee is safe.
break;
case Instruction::GetElementPtr:
if (!cast<const GetElementPtrInst>(I)->hasAllConstantIndices())
// GEP with non-constant indices can lead to memory errors.
// This also applies to inbounds GEPs, as the inbounds attribute
// represents an assumption that the address is in bounds, rather than
// an assertion that it is.
return false;
// We assume that GEP on static alloca with constant indices is safe,
// otherwise a compiler would detect it and warn during compilation.
if (!isa<const ConstantInt>(AI->getArraySize()))
// However, if the array size itself is not constant, the access
// might still be unsafe at runtime.
return false;
/* fallthrough */
case Instruction::BitCast:
case Instruction::IntToPtr:
case Instruction::PHI:
case Instruction::PtrToInt:
case Instruction::Select:
// The object can be safe or not, depending on how the result of the
// instruction is used.
if (Visited.insert(I).second)
WorkList.push_back(cast<const Instruction>(I));
break;
case Instruction::Call:
case Instruction::Invoke: {
// FIXME: add support for memset and memcpy intrinsics.
ImmutableCallSite CS(I);
// LLVM 'nocapture' attribute is only set for arguments whose address
// is not stored, passed around, or used in any other non-trivial way.
// We assume that passing a pointer to an object as a 'nocapture'
// argument is safe.
// FIXME: a more precise solution would require an interprocedural
// analysis here, which would look at all uses of an argument inside
// the function being called.
ImmutableCallSite::arg_iterator B = CS.arg_begin(), E = CS.arg_end();
for (ImmutableCallSite::arg_iterator A = B; A != E; ++A)
if (A->get() == V && !CS.doesNotCapture(A - B))
// The parameter is not marked 'nocapture' - unsafe.
return false;
continue;
}
default:
// The object is unsafe if it is used in any other way.
return false;
}
}
}
// All uses of the alloca are safe, we can place it on the safe stack. public:
return true; AllocaOffsetRewriter(ScalarEvolution &SE, const AllocaInst *AI)
} : SCEVRewriteVisitor(SE), AI(AI) {}
/// The SafeStack pass splits the stack of each function into the const SCEV *visitUnknown(const SCEVUnknown *Expr) {
/// safe stack, which is only accessed through memory safe dereferences if (Expr->getValue() == AI)
/// (as determined statically), and the unsafe stack, which contains all return SE.getZero(Expr->getType());
/// local variables that are accessed in unsafe ways. return Expr;
}
};
/// The SafeStack pass splits the stack of each function into the safe
/// stack, which is only accessed through memory safe dereferences (as
/// determined statically), and the unsafe stack, which contains all
/// local variables that are accessed in ways that we can't prove to
/// be safe.
class SafeStack : public FunctionPass { class SafeStack : public FunctionPass {
const TargetMachine *TM; const TargetMachine *TM;
const TargetLoweringBase *TLI; const TargetLoweringBase *TL;
const DataLayout *DL; const DataLayout *DL;
ScalarEvolution *SE;
Type *StackPtrTy; Type *StackPtrTy;
Type *IntPtrTy; Type *IntPtrTy;
Type *Int32Ty; Type *Int32Ty;
Type *Int8Ty; Type *Int8Ty;
Value *UnsafeStackPtr = nullptr; Value *UnsafeStackPtr = nullptr;
/// Unsafe stack alignment. Each stack frame must ensure that the stack is /// Unsafe stack alignment. Each stack frame must ensure that the stack is
/// aligned to this value. We need to re-align the unsafe stack if the /// aligned to this value. We need to re-align the unsafe stack if the
/// alignment of any object on the stack exceeds this value. /// alignment of any object on the stack exceeds this value.
/// ///
/// 16 seems like a reasonable upper bound on the alignment of objects that we /// 16 seems like a reasonable upper bound on the alignment of objects that we
/// might expect to appear on the stack on most common targets. /// might expect to appear on the stack on most common targets.
enum { StackAlignment = 16 }; enum { StackAlignment = 16 };
/// \brief Build a value representing a pointer to the unsafe stack pointer. /// \brief Build a value representing a pointer to the unsafe stack pointer.
Value *getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F); Value *getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F);
pccUnsubmitted
Not Done
ReplyInline Actions

Why did you change this? The comment was correct before, I believe?

pcc: Why did you change this? The comment was correct before, I believe?
eugenisAuthorUnsubmitted
Not Done
ReplyInline Actions

I don't recall changing this. Weird.
Reverted.

eugenis: I don't recall changing this. Weird. Reverted.
/// \brief Find all static allocas, dynamic allocas, return instructions and /// \brief Find all static allocas, dynamic allocas, return instructions and
/// stack restore points (exception unwind blocks and setjmp calls) in the /// stack restore points (exception unwind blocks and setjmp calls) in the
/// given function and append them to the respective vectors. /// given function and append them to the respective vectors.
void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas, void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas,
SmallVectorImpl<AllocaInst *> &DynamicAllocas, SmallVectorImpl<AllocaInst *> &DynamicAllocas,
SmallVectorImpl<ReturnInst *> &Returns, SmallVectorImpl<ReturnInst *> &Returns,
SmallVectorImpl<Instruction *> &StackRestorePoints); SmallVectorImpl<Instruction *> &StackRestorePoints);
Show All 20 Linesclass SafeStack : public FunctionPass {
/// \brief Replace all allocas in \p DynamicAllocas with code to allocate /// \brief Replace all allocas in \p DynamicAllocas with code to allocate
/// space dynamically on the unsafe stack and store the dynamic unsafe stack /// space dynamically on the unsafe stack and store the dynamic unsafe stack
/// top to \p DynamicTop if non-null. /// top to \p DynamicTop if non-null.
void moveDynamicAllocasToUnsafeStack(Function &F, Value *UnsafeStackPtr, void moveDynamicAllocasToUnsafeStack(Function &F, Value *UnsafeStackPtr,
AllocaInst *DynamicTop, AllocaInst *DynamicTop,
ArrayRef<AllocaInst *> DynamicAllocas); ArrayRef<AllocaInst *> DynamicAllocas);
bool IsSafeStackAlloca(const AllocaInst *AI);
bool IsMemIntrinsicSafe(const MemIntrinsic *MI, const Use &U,
const AllocaInst *AI);
bool IsAccessSafe(Value *Addr, uint64_t Size, const AllocaInst *AI);
public: public:
static char ID; // Pass identification, replacement for typeid. static char ID; // Pass identification, replacement for typeid.
SafeStack(const TargetMachine *TM) SafeStack(const TargetMachine *TM)
: FunctionPass(ID), TM(TM), TLI(nullptr), DL(nullptr) { : FunctionPass(ID), TM(TM), TL(nullptr), DL(nullptr) {
initializeSafeStackPass(*PassRegistry::getPassRegistry()); initializeSafeStackPass(*PassRegistry::getPassRegistry());
} }
SafeStack() : SafeStack(nullptr) {} SafeStack() : SafeStack(nullptr) {}
void getAnalysisUsage(AnalysisUsage &AU) const override { void getAnalysisUsage(AnalysisUsage &AU) const override {
AU.addRequired<AAResultsWrapperPass>(); AU.addRequired<ScalarEvolutionWrapperPass>();
} }
bool doInitialization(Module &M) override { bool doInitialization(Module &M) override {
DL = &M.getDataLayout(); DL = &M.getDataLayout();
StackPtrTy = Type::getInt8PtrTy(M.getContext()); StackPtrTy = Type::getInt8PtrTy(M.getContext());
IntPtrTy = DL->getIntPtrType(M.getContext()); IntPtrTy = DL->getIntPtrType(M.getContext());
Int32Ty = Type::getInt32Ty(M.getContext()); Int32Ty = Type::getInt32Ty(M.getContext());
Int8Ty = Type::getInt8Ty(M.getContext()); Int8Ty = Type::getInt8Ty(M.getContext());
return false; return false;
} }
bool runOnFunction(Function &F) override; bool runOnFunction(Function &F) override;
}; // class SafeStack }; // class SafeStack
bool SafeStack::IsAccessSafe(Value *Addr, uint64_t Size, const AllocaInst *AI) {
AllocaOffsetRewriter Rewriter(*SE, AI);
const SCEV *Expr = Rewriter.visit(SE->getSCEV(Addr));
uint64_t BitWidth = SE->getTypeSizeInBits(Expr->getType());
ConstantRange AccessStartRange = SE->getUnsignedRange(Expr);
ConstantRange SizeRange =
pccUnsubmitted
Not Done
ReplyInline Actions

Isn't this equivalent to just SE->getUnsignedRange(Expr)?

pcc: Isn't this equivalent to just `SE->getUnsignedRange(Expr)`?
eugenisAuthorUnsubmitted
Not Done
ReplyInline Actions

The second one is supposed to be getSignedRange. This is actually quite inefficient as these calls do a lot of duplicate work.

eugenis: The second one is supposed to be getSignedRange. This is actually quite inefficient as these…
sanjoyUnsubmitted
Not Done
ReplyInline Actions

I don't think you need to intersect here -- if the intersection returns a "better" (i.e. strictly smaller) range than either getUnsignedRange or getSignedRange, then it is a bug in ScalarEvolution. :)

Reading the surrounding code, I think you really only need getUnsignedRange.

sanjoy: I don't think you need to intersect here -- if the intersection returns a "better" (i.e.
eugenisAuthorUnsubmitted
Not Done
ReplyInline Actions

Is it because we are comparing it with a non-negative alloca range, and even if the signed range is "smaller", it would still overflow in the negative direction?

Switched to getUnsignedRange.

eugenis: Is it because we are comparing it with a non-negative alloca range, and even if the signed…
pccUnsubmitted
Not Done
ReplyInline Actions

I agree that you just need getUnsignedRange. My understanding is that the two functions are supposed to return essentially the same thing but return slightly different results in the negative range for unknowns (e.g. for unknowns with m trailing zeros [0,2^n-2^m) vs [-2^(n-1)..2^(n-1)-2^m) ) which we don't care about here.

pcc: I agree that you just need `getUnsignedRange`. My understanding is that the two functions are…
ConstantRange(APInt(BitWidth, 0), APInt(BitWidth, Size));
ConstantRange AccessRange = AccessStartRange.add(SizeRange);
pccUnsubmitted
Done
ReplyInline Actions

Nit: you don't need to supply a third argument here (and below); false is the default.

pcc: Nit: you don't need to supply a third argument here (and below); `false` is the default.
ConstantRange AllocaRange = ConstantRange(
APInt(BitWidth, 0),
APInt(BitWidth, DL->getTypeStoreSize(AI->getAllocatedType())));
bool Safe = AllocaRange.contains(AccessRange);
DEBUG(dbgs() << "[SafeStack] Alloca " << *AI << "\n"
<< " Access " << *Addr << "\n"
<< " SCEV " << *Expr
<< " U: " << SE->getUnsignedRange(Expr)
<< ", S: " << SE->getSignedRange(Expr) << "\n"
<< " Range " << AccessRange << "\n"
<< " AllocaRange " << AllocaRange << "\n"
<< " " << (Safe ? "safe" : "unsafe") << "\n");
return Safe;
}
bool SafeStack::IsMemIntrinsicSafe(const MemIntrinsic *MI, const Use &U,
const AllocaInst *AI) {
// All MemIntrinsics have destination address in Arg0 and size in Arg2.
if (MI->getRawDest() != U) return true;
const auto *Len = dyn_cast<ConstantInt>(MI->getLength());
// Non-constant size => unsafe. FIXME: try SCEV getRange.
if (!Len) return false;
return IsAccessSafe(U, Len->getZExtValue(), AI);
}
/// Check whether a given alloca instruction (AI) should be put on the safe
/// stack or not. The function analyzes all uses of AI and checks whether it is
/// only accessed in a memory safe way (as decided statically).
bool SafeStack::IsSafeStackAlloca(const AllocaInst *AI) {
// Go through all uses of this alloca and check whether all accesses to the
// allocated object are statically known to be memory safe and, hence, the
// object can be placed on the safe stack.
SmallPtrSet<const Value *, 16> Visited;
SmallVector<const Instruction *, 8> WorkList;
WorkList.push_back(AI);
// A DFS search through all uses of the alloca in bitcasts/PHI/GEPs/etc.
while (!WorkList.empty()) {
const Instruction *V = WorkList.pop_back_val();
for (const Use &UI : V->uses()) {
auto I = cast<const Instruction>(UI.getUser());
assert(V == UI.get());
switch (I->getOpcode()) {
case Instruction::Load: {
if (!IsAccessSafe(UI, DL->getTypeStoreSize(I->getType()), AI))
return false;
break;
}
case Instruction::VAArg:
// "va-arg" from a pointer is safe.
break;
case Instruction::Store: {
if (V == I->getOperand(0)) {
// Stored the pointer - conservatively assume it may be unsafe.
DEBUG(dbgs() << "[SafeStack] Unsafe alloca: " << *AI
<< "\n store of address: " << *I << "\n");
return false;
}
if (!IsAccessSafe(
UI, DL->getTypeStoreSize(I->getOperand(0)->getType()), AI))
return false;
break;
}
case Instruction::Ret: {
// Information leak.
return false;
}
case Instruction::Call:
case Instruction::Invoke: {
ImmutableCallSite CS(I);
if (const IntrinsicInst *II = dyn_cast<IntrinsicInst>(I)) {
if (II->getIntrinsicID() == Intrinsic::lifetime_start ||
II->getIntrinsicID() == Intrinsic::lifetime_end)
continue;
}
if (const MemIntrinsic *MI = dyn_cast<MemIntrinsic>(I)) {
if (!IsMemIntrinsicSafe(MI, UI, AI)) {
DEBUG(dbgs() << "[SafeStack] Unsafe alloca: " << *AI
<< "\n unsafe memintrinsic: " << *I
<< "\n");
return false;
}
continue;
}
// LLVM 'nocapture' attribute is only set for arguments whose address
// is not stored, passed around, or used in any other non-trivial way.
// We assume that passing a pointer to an object as a 'nocapture
// readnone' argument is safe.
// FIXME: a more precise solution would require an interprocedural
// analysis here, which would look at all uses of an argument inside
// the function being called.
ImmutableCallSite::arg_iterator B = CS.arg_begin(), E = CS.arg_end();
for (ImmutableCallSite::arg_iterator A = B; A != E; ++A)
if (A->get() == V)
if (!(CS.doesNotCapture(A - B) &&
(CS.doesNotAccessMemory(A - B) || CS.doesNotAccessMemory()))) {
DEBUG(dbgs() << "[SafeStack] Unsafe alloca: " << *AI
<< "\n unsafe call: " << *I << "\n");
return false;
}
continue;
}
default:
if (Visited.insert(I).second)
pccUnsubmitted
Not Done
ReplyInline Actions

Should this be the default behaviour? It seems like it would be safer to use explicit whitelisting of instructions as the old code does.

pcc: Should this be the default behaviour? It seems like it would be safer to use explicit…
eugenisAuthorUnsubmitted
Not Done
ReplyInline Actions

This sounds like a awful lot of whitelisting. Unlike the previous algorithm where we explicitly supported a few instructions, ScalarEvolution can handle almost anything, and if not it would just say that the access range is full-set.

I think blacklisting would be a better approach.

eugenis: This sounds like a awful lot of whitelisting. Unlike the previous algorithm where we explicitly…
pccUnsubmitted
Not Done
ReplyInline Actions

After sleeping on it I agree that your approach is correct.

pcc: After sleeping on it I agree that your approach is correct.
WorkList.push_back(cast<const Instruction>(I));
}
}
}
// All uses of the alloca are safe, we can place it on the safe stack.
return true;
}
Value *SafeStack::getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F) { Value *SafeStack::getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F) {
// Check if there is a target-specific location for the unsafe stack pointer. // Check if there is a target-specific location for the unsafe stack pointer.
if (TLI) if (TL)
if (Value *V = TLI->getSafeStackPointerLocation(IRB)) if (Value *V = TL->getSafeStackPointerLocation(IRB))
return V; return V;
// Otherwise, assume the target links with compiler-rt, which provides a // Otherwise, assume the target links with compiler-rt, which provides a
// thread-local variable with a magic name. // thread-local variable with a magic name.
Module &M = *F.getParent(); Module &M = *F.getParent();
const char *UnsafeStackPtrVar = "__safestack_unsafe_stack_ptr"; const char *UnsafeStackPtrVar = "__safestack_unsafe_stack_ptr";
auto UnsafeStackPtr = auto UnsafeStackPtr =
dyn_cast_or_null<GlobalVariable>(M.getNamedValue(UnsafeStackPtrVar)); dyn_cast_or_null<GlobalVariable>(M.getNamedValue(UnsafeStackPtrVar));
▲ Show 20 LinesShow All 262 Lines▼ Show 20 Linesbool SafeStack::runOnFunction(Function &F) {
} }
if (F.isDeclaration()) { if (F.isDeclaration()) {
DEBUG(dbgs() << "[SafeStack] function definition" DEBUG(dbgs() << "[SafeStack] function definition"
" is not available\n"); " is not available\n");
return false; return false;
} }
auto AA = &getAnalysis<AAResultsWrapperPass>().getAAResults(); TL = TM ? TM->getSubtargetImpl(F)->getTargetLowering() : nullptr;
SE = &getAnalysis<ScalarEvolutionWrapperPass>().getSE();
TLI = TM ? TM->getSubtargetImpl(F)->getTargetLowering() : nullptr;
{ {
pccUnsubmitted
Not Done
ReplyInline Actions

Did you leave this in intentionally?

pcc: Did you leave this in intentionally?
eugenisAuthorUnsubmitted
Not Done
ReplyInline Actions

Removed.

eugenis: Removed.
// Make sure the regular stack protector won't run on this function // Make sure the regular stack protector won't run on this function
// (safestack attribute takes precedence). // (safestack attribute takes precedence).
AttrBuilder B; AttrBuilder B;
B.addAttribute(Attribute::StackProtect) B.addAttribute(Attribute::StackProtect)
.addAttribute(Attribute::StackProtectReq) .addAttribute(Attribute::StackProtectReq)
.addAttribute(Attribute::StackProtectStrong); .addAttribute(Attribute::StackProtectStrong);
F.removeAttributes( F.removeAttributes(
AttributeSet::FunctionIndex, AttributeSet::FunctionIndex,
AttributeSet::get(F.getContext(), AttributeSet::FunctionIndex, B)); AttributeSet::get(F.getContext(), AttributeSet::FunctionIndex, B));
} }
if (AA->onlyReadsMemory(&F)) {
// XXX: we don't protect against information leak attacks for now.
DEBUG(dbgs() << "[SafeStack] function only reads memory\n");
return false;
}
++NumFunctions; ++NumFunctions;
SmallVector<AllocaInst *, 16> StaticAllocas; SmallVector<AllocaInst *, 16> StaticAllocas;
SmallVector<AllocaInst *, 4> DynamicAllocas; SmallVector<AllocaInst *, 4> DynamicAllocas;
SmallVector<ReturnInst *, 4> Returns; SmallVector<ReturnInst *, 4> Returns;
// Collect all points where stack gets unwound and needs to be restored // Collect all points where stack gets unwound and needs to be restored
// This is only necessary because the runtime (setjmp and unwind code) is // This is only necessary because the runtime (setjmp and unwind code) is
▲ Show 20 LinesShow All 53 LinesShow Last 20 Lines

test/Transforms/SafeStack/call.ll

; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - | FileCheck %s ; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - | FileCheck %s
; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - | FileCheck %s ; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - | FileCheck %s
@.str = private unnamed_addr constant [4 x i8] c"%s\0A\00", align 1 @.str = private unnamed_addr constant [4 x i8] c"%s\0A\00", align 1
; no arrays / no nested arrays ; no arrays / no nested arrays
; Requires no protector. ; Requires no protector.
; CHECK-LABEL: @foo(
define void @foo(i8* %a) nounwind uwtable safestack { define void @foo(i8* %a) nounwind uwtable safestack {
entry: entry:
; CHECK-LABEL: define void @foo(
; CHECK-NOT: __safestack_unsafe_stack_ptr ; CHECK-NOT: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a.addr = alloca i8*, align 8 %a.addr = alloca i8*, align 8
store i8* %a, i8** %a.addr, align 8 store i8* %a, i8** %a.addr, align 8
%0 = load i8*, i8** %a.addr, align 8 %0 = load i8*, i8** %a.addr, align 8
%call = call i32 (i8*, ...) @printf(i8* getelementptr inbounds ([4 x i8], [4 x i8]* @.str, i32 0, i32 0), i8* %0) %call = call i32 (i8*, ...) @printf(i8* getelementptr inbounds ([4 x i8], [4 x i8]* @.str, i32 0, i32 0), i8* %0)
ret void ret void
} }
declare i32 @printf(i8*, ...) declare i32 @printf(i8*, ...)
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
define void @call_memset(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_memset
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @llvm.memset.p0i8.i64(i8* %arraydecay, i8 1, i64 %len, i32 1, i1 false)
ret void
}
define void @call_constant_memset() safestack {
entry:
; CHECK-LABEL: define void @call_constant_memset
; CHECK-NOT: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 2
call void @llvm.memset.p0i8.i64(i8* %arraydecay, i8 1, i64 7, i32 1, i1 false)
ret void
}
define void @call_constant_overflow_memset() safestack {
entry:
; CHECK-LABEL: define void @call_constant_overflow_memset
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 7
call void @llvm.memset.p0i8.i64(i8* %arraydecay, i8 1, i64 5, i32 1, i1 false)
ret void
}
define void @call_constant_underflow_memset() safestack {
entry:
; CHECK-LABEL: define void @call_constant_underflow_memset
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr [10 x i8], [10 x i8]* %q, i32 0, i32 -1
call void @llvm.memset.p0i8.i64(i8* %arraydecay, i8 1, i64 3, i32 1, i1 false)
ret void
}
; Readnone nocapture -> safe
define void @call_readnone(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_readnone
; CHECK-NOT: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @readnone(i8* %arraydecay)
ret void
}
; Arg0 is readnone, arg1 is not. Pass alloca ptr as arg0 -> safe
define void @call_readnone0_0(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_readnone0_0
; CHECK-NOT: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @readnone0(i8* %arraydecay, i8* zeroinitializer)
ret void
}
; Arg0 is readnone, arg1 is not. Pass alloca ptr as arg1 -> unsafe
define void @call_readnone0_1(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_readnone0_1
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @readnone0(i8 *zeroinitializer, i8* %arraydecay)
ret void
}
; Readonly nocapture -> unsafe
define void @call_readonly(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_readonly
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @readonly(i8* %arraydecay)
ret void
}
; Readonly nocapture -> unsafe
define void @call_arg_readonly(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_arg_readonly
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @arg_readonly(i8* %arraydecay)
ret void
}
; Readwrite nocapture -> unsafe
define void @call_readwrite(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_readwrite
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @readwrite(i8* %arraydecay)
ret void
}
; Captures the argument -> unsafe
define void @call_capture(i64 %len) safestack {
entry:
; CHECK-LABEL: define void @call_capture
; CHECK: @__safestack_unsafe_stack_ptr
; CHECK: ret void
%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @capture(i8* %arraydecay)
ret void
}
; Lifetime intrinsics are always safe.
define void @call_lifetime(i32* %p) {
; CHECK-LABEL: define void @call_lifetime
; CHECK-NOT: @__safestack_unsafe_stack_ptr
; CHECK: ret void
entry:
%q = alloca [100 x i8], align 16
%0 = bitcast [100 x i8]* %q to i8*
call void @llvm.lifetime.start(i64 100, i8* %0)
call void @llvm.lifetime.end(i64 100, i8* %0)
ret void
}
declare void @readonly(i8* nocapture) readonly
declare void @arg_readonly(i8* readonly nocapture)
declare void @readwrite(i8* nocapture)
declare void @capture(i8* readnone) readnone
declare void @readnone(i8* nocapture) readnone
declare void @readnone0(i8* nocapture readnone, i8* nocapture)
declare void @llvm.memset.p0i8.i64(i8* nocapture, i8, i64, i32, i1) nounwind argmemonly
declare void @llvm.lifetime.start(i64, i8* nocapture) nounwind argmemonly
declare void @llvm.lifetime.end(i64, i8* nocapture) nounwind argmemonly

test/Transforms/SafeStack/cast.ll

; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - | FileCheck %s ; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - | FileCheck %s
; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - | FileCheck %s ; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - | FileCheck %s
@.str = private unnamed_addr constant [4 x i8] c"%s\0A\00", align 1 @.str = private unnamed_addr constant [4 x i8] c"%s\0A\00", align 1
; PtrToInt/IntToPtr Cast ; PtrToInt/IntToPtr Cast
; Requires no protector.
; CHECK-LABEL: @foo( define void @IntToPtr() nounwind uwtable safestack {
define void @foo() nounwind uwtable safestack {
entry: entry:
; CHECK-LABEL: @IntToPtr(
; CHECK-NOT: __safestack_unsafe_stack_ptr ; CHECK-NOT: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a = alloca i32, align 4 %a = alloca i32, align 4
%0 = ptrtoint i32* %a to i64 %0 = ptrtoint i32* %a to i64
%1 = inttoptr i64 %0 to i32* %1 = inttoptr i64 %0 to i32*
ret void ret void
} }
define i8 @BitCastNarrow() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @BitCastNarrow(
; CHECK-NOT: __safestack_unsafe_stack_ptr
; CHECK: ret i8
%a = alloca i32, align 4
%0 = bitcast i32* %a to i8*
%1 = load i8, i8* %0, align 1
ret i8 %1
}
define i64 @BitCastWide() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @BitCastWide(
; CHECK: __safestack_unsafe_stack_ptr
; CHECK: ret i64
%a = alloca i32, align 4
%0 = bitcast i32* %a to i64*
%1 = load i64, i64* %0, align 1
ret i64 %1
}

test/Transforms/SafeStack/ret.ll

  • This file was added.
; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - | FileCheck %s
; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - | FileCheck %s
@.str = private unnamed_addr constant [4 x i8] c"%s\0A\00", align 1
; Returns an alloca address.
; Requires protector.
define i64 @foo() nounwind readnone safestack {
entry:
; CHECK-LABEL: define i64 @foo(
; CHECK: __safestack_unsafe_stack_ptr
; CHECK: ret i64
%x = alloca [100 x i32], align 16
%0 = ptrtoint [100 x i32]* %x to i64
ret i64 %0
}

test/Transforms/SafeStack/store.ll

  • This file was added.
; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - | FileCheck %s
; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - | FileCheck %s
@.str = private unnamed_addr constant [4 x i8] c"%s\0A\00", align 1
define void @bad_store() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @bad_store(
; CHECK: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a = alloca i32, align 4
%0 = ptrtoint i32* %a to i64
%1 = inttoptr i64 %0 to i64*
store i64 zeroinitializer, i64* %1
ret void
}
define void @good_store() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @good_store(
; CHECK-NOT: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a = alloca i32, align 4
%0 = bitcast i32* %a to i8*
store i8 zeroinitializer, i8* %0
ret void
}
define void @overflow_gep_store() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @overflow_gep_store(
; CHECK: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a = alloca i32, align 4
%0 = bitcast i32* %a to i8*
%1 = getelementptr i8, i8* %0, i32 4
store i8 zeroinitializer, i8* %1
ret void
}
define void @underflow_gep_store() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @underflow_gep_store(
; CHECK: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a = alloca i32, align 4
%0 = bitcast i32* %a to i8*
%1 = getelementptr i8, i8* %0, i32 -1
store i8 zeroinitializer, i8* %1
ret void
}
define void @good_gep_store() nounwind uwtable safestack {
entry:
; CHECK-LABEL: @good_gep_store(
; CHECK-NOT: __safestack_unsafe_stack_ptr
; CHECK: ret void
%a = alloca i32, align 4
%0 = bitcast i32* %a to i8*
%1 = getelementptr i8, i8* %0, i32 3
store i8 zeroinitializer, i8* %1
ret void
}