This is an archive of the discontinued LLVM Phabricator instance.

Differential D6465

[WIP] Use dynamic alloca for stack variables in ASan.
ClosedPublic

Authored by samsonov on Dec 1 2014, 11:56 AM.

Details

Reviewers
kcc
Summary

This is an experimental patch that changes the way we
instrument stack variables: instead of merging all static alloca
instructions into one large static alloca, we merge them into
one *dynamic* alloca. There are two main reasons for that:

  1. We significantly reduce the stack usage in "use-after-return"

mode. Currently, large static alloca is just unused in use-after-return
mode, as we actually use "fake stack" allocated by the ASan runtime.

  1. It can improve debug info for local variables, as their location

will now be calculated via %rbx register, not %rsp, that is assumed
to be clobbered by function calls.

I'm still running a SPEC for this patch to see if it slows down ASan
on benchmarks. I've also ran it on a large internal codebase, and it
unveiled numerous problems. I see problems with inline assembly
(e.g. inline assembly code for fetching cpuid doesn't properly
save/restore %rbx, or compile errors of the form "inline assembly requires
more registers than available"). I also see several runtime errors
on -O2 level, which I haven't debugged yet.

Sadly, deployment of this change will be hard (if possible). Still,
you're welcome to experiment with this patch and see if it solves
some problems you observe (esp. debug info issues).

Diff Detail

Event Timeline

samsonov updated this revision to Diff 16778.Dec 1 2014, 11:56 AM
samsonov retitled this revision from to [WIP] Use dynamic alloca for stack variables in ASan..
samsonov updated this object.
samsonov edited the test plan for this revision. (Show Details)
samsonov added subscribers: kcc, kubamracek, friss, Unknown Object (MLST).
kubamracek added a comment.Dec 2 2014, 4:38 PM

Hi,
I've tried this patch to see if it solves the missing debugging information issues that we're struggling with. I can confirm that most of the "regular" cases (regular local variables) are solved by this patch. However, there's still a few cases that don't work, for example __block variables:

#import <Foundation/Foundation.h>
int main(int argc, const char * argv[]) {
    __block int x = 7;
    printf("%d\n", x); // break here, cannot read value of 'x'
    return 0;
}

... or accessing variables from within a block:

#import <Foundation/Foundation.h>
int main(int argc, const char * argv[]) {
    int x = 7;
    ^{
        printf("%d\n", x); // break here, 'x' shows value of 0 instead of 7
    }();
    return 0;
}

Note that these two are broken in all other proposed solutions as well.

Anyway, I'm glad to see the progress, and we can surely focus on the regular (not blocks related) cases first.

samsonov updated this revision to Diff 16895.Dec 3 2014, 4:05 PM
  • Add a commandline flag to switch between new and old behavior
  • Don't use dynamic alloca if a function has inline assembly
  • Remove unnecessary argument in __asan_stack_free() function.

This is stil pretty much a WIP, I need to update the tests and check
performance. However, in this form the change seems to be pretty
stable on the codebases I've tested.

samsonov updated this revision to Diff 16896.Dec 3 2014, 4:06 PM

Try to upload the correct diff.

samsonov updated this revision to Diff 16974.Dec 4 2014, 6:10 PM

More changes.

  • Disable dynamic-alloca by default for now.
  • Slightly refactor the code and update the tests.
  • Bump __asan_init version.

I've tested this change (with and without enabling dynamic alloca) on a
lot of code for now, and it seems to be pretty stable (workaround to
disable dynamic alloca if there is inline assembly helps a lot). I've verified
that it helps with debug info in simple cases (reported here:
https://code.google.com/p/address-sanitizer/issues/detail?id=235), and I believe
Kuba that it helps his non-ObjC-blocks cases as well.

I've also ran a SPEC benchmarks, and observed no regression (although I'm not
sure that the results are robust/stable enough on my machine). Just this change,
which keeps static alloca, but changes the way we handle fake stack, shows
2.3% speedup on average, and if we enable dynamic alloca average speedup
goes up to 6.8% (for -O2/ASan).

Compiler-rt changes are trivial, I will send them for review in a sepate revision.

Please take a look.

samsonov added a reviewer: kcc.Dec 4 2014, 6:13 PM
kcc edited edge metadata.Dec 5 2014, 4:52 PM

Please update the commit message.

lib/Transforms/Instrumentation/AddressSanitizer.cpp
501

HasNonEmptyInlineAsm?

samsonov updated this revision to Diff 17014.Dec 5 2014, 6:00 PM
samsonov edited edge metadata.
  • Remove the extra argument of __asan_stack_malloc function: instead, calculate SP inside ASan runtime.
  • Compare FakeStack to null to check if we need to call __asan_stack_free.
  • Update the test cases accordingly.
  • Address review comment.
lib/Transforms/Instrumentation/AddressSanitizer.cpp
501

Done

samsonov updated this revision to Diff 17016.Dec 5 2014, 6:04 PM

Fixup the typo.

samsonov added a comment.Dec 8 2014, 11:25 AM

I've re-run the SPEC after the most recent changes, and still see a minor improvement in average results: this change as-is gives 4.5% improvement against the current code, and if/when we enable asan-stack-dynamic-alloca by default, the improvement against the current code is 3.5%.

kubamracek added a comment.Dec 8 2014, 3:47 PM
In D6465#16, @samsonov wrote:

I've re-run the SPEC after the most recent changes, and still see a minor improvement in average results: this change as-is gives 4.5% improvement against the current code, and if/when we enable asan-stack-dynamic-alloca by default, the improvement against the current code is 3.5%.

Awesome!

kubamracek added a comment.Dec 9 2014, 11:53 AM

Note that r223799 (Correctly handle complex locations expressions in replaceDbgDeclareForAlloca) by Frederic (@friss) fixes the Obj-C cases. Together with this patch and with -mllvm -asan-stack-dynamic-alloca, I don't see any more missing or invalid debug info.

kubamracek added a comment.Dec 9 2014, 5:33 PM

Disable dynamic-alloca by default for now.

Alexey, what is your plan about having this on/off by default? Is it off by default just for now?

Thanks,
Kuba

samsonov added a comment.Dec 9 2014, 6:29 PM
In D6465#19, @kubabrecka wrote:

Disable dynamic-alloca by default for now.

Alexey, what is your plan about having this on/off by default? Is it off by default just for now?

I plan to make this on by default, after more testing.

Kostya, do you have more comments about the current version of the patch?

Thanks,
Kuba

kcc added a comment.Dec 10 2014, 2:12 PM

First comment: please update the commit message

kcc accepted this revision.Dec 10 2014, 2:14 PM
kcc edited edge metadata.

LGTM otherwise

This revision is now accepted and ready to land.Dec 10 2014, 2:14 PM
samsonov closed this revision.Dec 11 2014, 1:59 PM

r224062

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
150 lines
test/
Instrumentation/
AddressSanitizer/
31 lines
20 lines

Diff 17016

lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 77 Lines▼ Show 20 Lines
static const char *const kAsanReportErrorTemplate = "__asan_report_"; static const char *const kAsanReportErrorTemplate = "__asan_report_";
static const char *const kAsanReportLoadN = "__asan_report_load_n"; static const char *const kAsanReportLoadN = "__asan_report_load_n";
static const char *const kAsanReportStoreN = "__asan_report_store_n"; static const char *const kAsanReportStoreN = "__asan_report_store_n";
static const char *const kAsanRegisterGlobalsName = "__asan_register_globals"; static const char *const kAsanRegisterGlobalsName = "__asan_register_globals";
static const char *const kAsanUnregisterGlobalsName = static const char *const kAsanUnregisterGlobalsName =
"__asan_unregister_globals"; "__asan_unregister_globals";
static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init"; static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init";
static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init"; static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init";
static const char *const kAsanInitName = "__asan_init_v4"; static const char *const kAsanInitName = "__asan_init_v5";
static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp"; static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp";
static const char *const kAsanPtrSub = "__sanitizer_ptr_sub"; static const char *const kAsanPtrSub = "__sanitizer_ptr_sub";
static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return"; static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return";
static const int kMaxAsanStackMallocSizeClass = 10; static const int kMaxAsanStackMallocSizeClass = 10;
static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_"; static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_";
static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_"; static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_";
static const char *const kAsanGenPrefix = "__asan_gen_"; static const char *const kAsanGenPrefix = "__asan_gen_";
static const char *const kSanCovGenPrefix = "__sancov_gen_"; static const char *const kSanCovGenPrefix = "__sancov_gen_";
▲ Show 20 LinesShow All 83 Lines▼ Show 20 Linesstatic cl::opt<bool> ClOptSameTemp("asan-opt-same-temp",
cl::init(true)); cl::init(true));
static cl::opt<bool> ClOptGlobals("asan-opt-globals", static cl::opt<bool> ClOptGlobals("asan-opt-globals",
cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true));
static cl::opt<bool> ClCheckLifetime("asan-check-lifetime", static cl::opt<bool> ClCheckLifetime("asan-check-lifetime",
cl::desc("Use llvm.lifetime intrinsics to insert extra checks"), cl::desc("Use llvm.lifetime intrinsics to insert extra checks"),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
static cl::opt<bool> ClDynamicAllocaStack(
"asan-stack-dynamic-alloca",
cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden,
cl::init(false));
// Debug flags. // Debug flags.
static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden,
cl::init(0)); cl::init(0));
static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"),
cl::Hidden, cl::init(0)); cl::Hidden, cl::init(0));
static cl::opt<std::string> ClDebugFunc("asan-debug-func", static cl::opt<std::string> ClDebugFunc("asan-debug-func",
cl::Hidden, cl::desc("Debug func")); cl::Hidden, cl::desc("Debug func"));
static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"),
▲ Show 20 LinesShow All 294 Lines▼ Show 20 Lines struct DynamicAllocaCall {
{} {}
}; };
SmallVector<DynamicAllocaCall, 1> DynamicAllocaVec; SmallVector<DynamicAllocaCall, 1> DynamicAllocaVec;
// Maps Value to an AllocaInst from which the Value is originated. // Maps Value to an AllocaInst from which the Value is originated.
typedef DenseMap<Value*, AllocaInst*> AllocaForValueMapTy; typedef DenseMap<Value*, AllocaInst*> AllocaForValueMapTy;
AllocaForValueMapTy AllocaForValue; AllocaForValueMapTy AllocaForValue;
bool HasNonEmptyInlineAsm;
kccUnsubmitted
Not Done
ReplyInline Actions

HasNonEmptyInlineAsm?

kcc: HasNonEmptyInlineAsm?
samsonovAuthorUnsubmitted
Not Done
ReplyInline Actions

Done

samsonov: Done
std::unique_ptr<CallInst> EmptyInlineAsm;
FunctionStackPoisoner(Function &F, AddressSanitizer &ASan) FunctionStackPoisoner(Function &F, AddressSanitizer &ASan)
: F(F), ASan(ASan), DIB(*F.getParent()), C(ASan.C), : F(F), ASan(ASan), DIB(*F.getParent()), C(ASan.C),
IntptrTy(ASan.IntptrTy), IntptrPtrTy(PointerType::get(IntptrTy, 0)), IntptrTy(ASan.IntptrTy), IntptrPtrTy(PointerType::get(IntptrTy, 0)),
Mapping(ASan.Mapping), Mapping(ASan.Mapping), StackAlignment(1 << Mapping.Scale),
StackAlignment(1 << Mapping.Scale) {} HasNonEmptyInlineAsm(false),
EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {}
bool runOnFunction() { bool runOnFunction() {
if (!ClStack) return false; if (!ClStack) return false;
// Collect alloca, ret, lifetime instructions etc. // Collect alloca, ret, lifetime instructions etc.
for (BasicBlock *BB : depth_first(&F.getEntryBlock())) for (BasicBlock *BB : depth_first(&F.getEntryBlock()))
visit(*BB); visit(*BB);
if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false; if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;
▲ Show 20 LinesShow All 100 Lines▼ Show 20 Lines void visitIntrinsicInst(IntrinsicInst &II) {
// Find alloca instruction that corresponds to llvm.lifetime argument. // Find alloca instruction that corresponds to llvm.lifetime argument.
AllocaInst *AI = findAllocaForValue(II.getArgOperand(1)); AllocaInst *AI = findAllocaForValue(II.getArgOperand(1));
if (!AI) return; if (!AI) return;
bool DoPoison = (ID == Intrinsic::lifetime_end); bool DoPoison = (ID == Intrinsic::lifetime_end);
AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison}; AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison};
AllocaPoisonCallVec.push_back(APC); AllocaPoisonCallVec.push_back(APC);
} }
void visitCallInst(CallInst &CI) {
HasNonEmptyInlineAsm |=
CI.isInlineAsm() && !CI.isIdenticalTo(EmptyInlineAsm.get());
}
// ---------------------- Helpers. // ---------------------- Helpers.
void initializeCallbacks(Module &M); void initializeCallbacks(Module &M);
bool doesDominateAllExits(const Instruction *I) const { bool doesDominateAllExits(const Instruction *I) const {
for (auto Ret : RetVec) { for (auto Ret : RetVec) {
if (!ASan.getDominatorTree().dominates(I, Ret)) if (!ASan.getDominatorTree().dominates(I, Ret))
return false; return false;
} }
Show All 19 Linesstruct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
/// Finds alloca where the value comes from. /// Finds alloca where the value comes from.
AllocaInst *findAllocaForValue(Value *V); AllocaInst *findAllocaForValue(Value *V);
void poisonRedZones(ArrayRef<uint8_t> ShadowBytes, IRBuilder<> &IRB, void poisonRedZones(ArrayRef<uint8_t> ShadowBytes, IRBuilder<> &IRB,
Value *ShadowBase, bool DoPoison); Value *ShadowBase, bool DoPoison);
void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> &IRB, bool DoPoison); void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> &IRB, bool DoPoison);
void SetShadowToStackAfterReturnInlined(IRBuilder<> &IRB, Value *ShadowBase, void SetShadowToStackAfterReturnInlined(IRBuilder<> &IRB, Value *ShadowBase,
int Size); int Size);
Value *createAllocaForLayout(IRBuilder<> &IRB, const ASanStackFrameLayout &L,
bool Dynamic);
PHINode *createPHI(IRBuilder<> &IRB, Value *Cond, Value *ValueIfTrue,
Instruction *ThenTerm, Value *ValueIfFalse);
}; };
} // namespace } // namespace
char AddressSanitizer::ID = 0; char AddressSanitizer::ID = 0;
INITIALIZE_PASS_BEGIN(AddressSanitizer, "asan", INITIALIZE_PASS_BEGIN(AddressSanitizer, "asan",
"AddressSanitizer: detects use-after-free and out-of-bounds bugs.", "AddressSanitizer: detects use-after-free and out-of-bounds bugs.",
false, false) false, false)
▲ Show 20 LinesShow All 829 Lines▼ Show 20 Linesbool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) {
// We have inline assembly with quite a few arguments. // We have inline assembly with quite a few arguments.
return true; return true;
} }
void FunctionStackPoisoner::initializeCallbacks(Module &M) { void FunctionStackPoisoner::initializeCallbacks(Module &M) {
IRBuilder<> IRB(*C); IRBuilder<> IRB(*C);
for (int i = 0; i <= kMaxAsanStackMallocSizeClass; i++) { for (int i = 0; i <= kMaxAsanStackMallocSizeClass; i++) {
std::string Suffix = itostr(i); std::string Suffix = itostr(i);
AsanStackMallocFunc[i] = checkInterfaceFunction( AsanStackMallocFunc[i] = checkInterfaceFunction(M.getOrInsertFunction(
M.getOrInsertFunction(kAsanStackMallocNameTemplate + Suffix, IntptrTy, kAsanStackMallocNameTemplate + Suffix, IntptrTy, IntptrTy, nullptr));
IntptrTy, IntptrTy, nullptr)); AsanStackFreeFunc[i] = checkInterfaceFunction(
AsanStackFreeFunc[i] = checkInterfaceFunction(M.getOrInsertFunction( M.getOrInsertFunction(kAsanStackFreeNameTemplate + Suffix,
kAsanStackFreeNameTemplate + Suffix, IRB.getVoidTy(), IntptrTy, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
IntptrTy, IntptrTy, nullptr));
} }
AsanPoisonStackMemoryFunc = checkInterfaceFunction( AsanPoisonStackMemoryFunc = checkInterfaceFunction(
M.getOrInsertFunction(kAsanPoisonStackMemoryName, IRB.getVoidTy(), M.getOrInsertFunction(kAsanPoisonStackMemoryName, IRB.getVoidTy(),
IntptrTy, IntptrTy, nullptr)); IntptrTy, IntptrTy, nullptr));
AsanUnpoisonStackMemoryFunc = checkInterfaceFunction( AsanUnpoisonStackMemoryFunc = checkInterfaceFunction(
M.getOrInsertFunction(kAsanUnpoisonStackMemoryName, IRB.getVoidTy(), M.getOrInsertFunction(kAsanUnpoisonStackMemoryName, IRB.getVoidTy(),
IntptrTy, IntptrTy, nullptr)); IntptrTy, IntptrTy, nullptr));
} }
▲ Show 20 LinesShow All 55 Lines▼ Show 20 Lines
static DebugLoc getFunctionEntryDebugLocation(Function &F) { static DebugLoc getFunctionEntryDebugLocation(Function &F) {
for (const auto &Inst : F.getEntryBlock()) for (const auto &Inst : F.getEntryBlock())
if (!isa<AllocaInst>(Inst)) if (!isa<AllocaInst>(Inst))
return Inst.getDebugLoc(); return Inst.getDebugLoc();
return DebugLoc(); return DebugLoc();
} }
PHINode *FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value *Cond,
Value *ValueIfTrue,
Instruction *ThenTerm,
Value *ValueIfFalse) {
PHINode *PHI = IRB.CreatePHI(IntptrTy, 2);
BasicBlock *CondBlock = cast<Instruction>(Cond)->getParent();
PHI->addIncoming(ValueIfFalse, CondBlock);
BasicBlock *ThenBlock = ThenTerm->getParent();
PHI->addIncoming(ValueIfTrue, ThenBlock);
return PHI;
}
Value *FunctionStackPoisoner::createAllocaForLayout(
IRBuilder<> &IRB, const ASanStackFrameLayout &L, bool Dynamic) {
AllocaInst *Alloca;
if (Dynamic) {
Alloca = IRB.CreateAlloca(IRB.getInt8Ty(),
ConstantInt::get(IRB.getInt64Ty(), L.FrameSize),
"MyAlloca");
} else {
Alloca = IRB.CreateAlloca(ArrayType::get(IRB.getInt8Ty(), L.FrameSize),
nullptr, "MyAlloca");
assert(Alloca->isStaticAlloca());
}
assert((ClRealignStack & (ClRealignStack - 1)) == 0);
size_t FrameAlignment = std::max(L.FrameAlignment, (size_t)ClRealignStack);
Alloca->setAlignment(FrameAlignment);
return IRB.CreatePointerCast(Alloca, IntptrTy);
}
void FunctionStackPoisoner::poisonStack() { void FunctionStackPoisoner::poisonStack() {
assert(AllocaVec.size() > 0 || DynamicAllocaVec.size() > 0); assert(AllocaVec.size() > 0 || DynamicAllocaVec.size() > 0);
if (ClInstrumentAllocas) if (ClInstrumentAllocas)
// Handle dynamic allocas. // Handle dynamic allocas.
for (auto &AllocaCall : DynamicAllocaVec) for (auto &AllocaCall : DynamicAllocaVec)
handleDynamicAllocaCall(AllocaCall); handleDynamicAllocaCall(AllocaCall);
Show All 18 Linesvoid FunctionStackPoisoner::poisonStack() {
// i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms. // i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms.
size_t MinHeaderSize = ASan.LongSize / 2; size_t MinHeaderSize = ASan.LongSize / 2;
ASanStackFrameLayout L; ASanStackFrameLayout L;
ComputeASanStackFrameLayout(SVD, 1UL << Mapping.Scale, MinHeaderSize, &L); ComputeASanStackFrameLayout(SVD, 1UL << Mapping.Scale, MinHeaderSize, &L);
DEBUG(dbgs() << L.DescriptionString << " --- " << L.FrameSize << "\n"); DEBUG(dbgs() << L.DescriptionString << " --- " << L.FrameSize << "\n");
uint64_t LocalStackSize = L.FrameSize; uint64_t LocalStackSize = L.FrameSize;
bool DoStackMalloc = bool DoStackMalloc =
ClUseAfterReturn && LocalStackSize <= kMaxStackMallocSize; ClUseAfterReturn && LocalStackSize <= kMaxStackMallocSize;
// Don't do dynamic alloca in presence of inline asm: too often it
// makes assumptions on which registers are available.
bool DoDynamicAlloca = ClDynamicAllocaStack && !HasNonEmptyInlineAsm;
Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); Value *StaticAlloca =
AllocaInst *MyAlloca = DoDynamicAlloca ? nullptr : createAllocaForLayout(IRB, L, false);
new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore);
MyAlloca->setDebugLoc(EntryDebugLocation); Value *FakeStack;
assert((ClRealignStack & (ClRealignStack - 1)) == 0); Value *LocalStackBase;
size_t FrameAlignment = std::max(L.FrameAlignment, (size_t)ClRealignStack);
MyAlloca->setAlignment(FrameAlignment);
assert(MyAlloca->isStaticAlloca());
Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy);
Value *LocalStackBase = OrigStackBase;
if (DoStackMalloc) { if (DoStackMalloc) {
// LocalStackBase = OrigStackBase // void *FakeStack = __asan_option_detect_stack_use_after_return
// if (__asan_option_detect_stack_use_after_return) // ? __asan_stack_malloc_N(LocalStackSize)
// LocalStackBase = __asan_stack_malloc_N(LocalStackBase, OrigStackBase); // : nullptr;
StackMallocIdx = StackMallocSizeClass(LocalStackSize); // void *LocalStackBase = (FakeStack) ? FakeStack : alloca(LocalStackSize);
assert(StackMallocIdx <= kMaxAsanStackMallocSizeClass);
Constant *OptionDetectUAR = F.getParent()->getOrInsertGlobal( Constant *OptionDetectUAR = F.getParent()->getOrInsertGlobal(
kAsanOptionDetectUAR, IRB.getInt32Ty()); kAsanOptionDetectUAR, IRB.getInt32Ty());
Value *Cmp = IRB.CreateICmpNE(IRB.CreateLoad(OptionDetectUAR), Value *UARIsEnabled =
IRB.CreateICmpNE(IRB.CreateLoad(OptionDetectUAR),
Constant::getNullValue(IRB.getInt32Ty())); Constant::getNullValue(IRB.getInt32Ty()));
Instruction *Term = SplitBlockAndInsertIfThen(Cmp, InsBefore, false); Instruction *Term =
BasicBlock *CmpBlock = cast<Instruction>(Cmp)->getParent(); SplitBlockAndInsertIfThen(UARIsEnabled, InsBefore, false);
IRBuilder<> IRBIf(Term); IRBuilder<> IRBIf(Term);
IRBIf.SetCurrentDebugLocation(EntryDebugLocation); IRBIf.SetCurrentDebugLocation(EntryDebugLocation);
LocalStackBase = IRBIf.CreateCall2( StackMallocIdx = StackMallocSizeClass(LocalStackSize);
AsanStackMallocFunc[StackMallocIdx], assert(StackMallocIdx <= kMaxAsanStackMallocSizeClass);
ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); Value *FakeStackValue =
BasicBlock *SetBlock = cast<Instruction>(LocalStackBase)->getParent(); IRBIf.CreateCall(AsanStackMallocFunc[StackMallocIdx],
ConstantInt::get(IntptrTy, LocalStackSize));
IRB.SetInsertPoint(InsBefore);
IRB.SetCurrentDebugLocation(EntryDebugLocation);
FakeStack = createPHI(IRB, UARIsEnabled, FakeStackValue, Term,
ConstantInt::get(IntptrTy, 0));
Value *NoFakeStack =
IRB.CreateICmpEQ(FakeStack, Constant::getNullValue(IntptrTy));
Term = SplitBlockAndInsertIfThen(NoFakeStack, InsBefore, false);
IRBIf.SetInsertPoint(Term);
IRBIf.SetCurrentDebugLocation(EntryDebugLocation);
Value *AllocaValue =
DoDynamicAlloca ? createAllocaForLayout(IRBIf, L, true) : StaticAlloca;
IRB.SetInsertPoint(InsBefore); IRB.SetInsertPoint(InsBefore);
IRB.SetCurrentDebugLocation(EntryDebugLocation); IRB.SetCurrentDebugLocation(EntryDebugLocation);
PHINode *Phi = IRB.CreatePHI(IntptrTy, 2); LocalStackBase = createPHI(IRB, NoFakeStack, AllocaValue, Term, FakeStack);
Phi->addIncoming(OrigStackBase, CmpBlock); } else {
Phi->addIncoming(LocalStackBase, SetBlock); // void *FakeStack = nullptr;
LocalStackBase = Phi; // void *LocalStackBase = alloca(LocalStackSize);
FakeStack = ConstantInt::get(IntptrTy, 0);
LocalStackBase =
DoDynamicAlloca ? createAllocaForLayout(IRB, L, true) : StaticAlloca;
} }
// Insert poison calls for lifetime intrinsics for alloca. // Insert poison calls for lifetime intrinsics for alloca.
bool HavePoisonedAllocas = false; bool HavePoisonedAllocas = false;
for (const auto &APC : AllocaPoisonCallVec) { for (const auto &APC : AllocaPoisonCallVec) {
assert(APC.InsBefore); assert(APC.InsBefore);
assert(APC.AI); assert(APC.AI);
IRBuilder<> IRB(APC.InsBefore); IRBuilder<> IRB(APC.InsBefore);
Show All 40 Linesvoid FunctionStackPoisoner::poisonStack() {
// (Un)poison the stack before all ret instructions. // (Un)poison the stack before all ret instructions.
for (auto Ret : RetVec) { for (auto Ret : RetVec) {
IRBuilder<> IRBRet(Ret); IRBuilder<> IRBRet(Ret);
// Mark the current frame as retired. // Mark the current frame as retired.
IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic),
BasePlus0); BasePlus0);
if (DoStackMalloc) { if (DoStackMalloc) {
assert(StackMallocIdx >= 0); assert(StackMallocIdx >= 0);
// if LocalStackBase != OrigStackBase: // if FakeStack != 0 // LocalStackBase == FakeStack
// // In use-after-return mode, poison the whole stack frame. // // In use-after-return mode, poison the whole stack frame.
// if StackMallocIdx <= 4 // if StackMallocIdx <= 4
// // For small sizes inline the whole thing: // // For small sizes inline the whole thing:
// memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize); // memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
// **SavedFlagPtr(LocalStackBase) = 0 // **SavedFlagPtr(FakeStack) = 0
// else // else
// __asan_stack_free_N(LocalStackBase, OrigStackBase) // __asan_stack_free_N(FakeStack, LocalStackSize)
// else // else
// <This is not a fake stack; unpoison the redzones> // <This is not a fake stack; unpoison the redzones>
Value *Cmp = IRBRet.CreateICmpNE(LocalStackBase, OrigStackBase); Value *Cmp =
IRBRet.CreateICmpNE(FakeStack, Constant::getNullValue(IntptrTy));
TerminatorInst *ThenTerm, *ElseTerm; TerminatorInst *ThenTerm, *ElseTerm;
SplitBlockAndInsertIfThenElse(Cmp, Ret, &ThenTerm, &ElseTerm); SplitBlockAndInsertIfThenElse(Cmp, Ret, &ThenTerm, &ElseTerm);
IRBuilder<> IRBPoison(ThenTerm); IRBuilder<> IRBPoison(ThenTerm);
if (StackMallocIdx <= 4) { if (StackMallocIdx <= 4) {
int ClassSize = kMinStackMallocSize << StackMallocIdx; int ClassSize = kMinStackMallocSize << StackMallocIdx;
SetShadowToStackAfterReturnInlined(IRBPoison, ShadowBase, SetShadowToStackAfterReturnInlined(IRBPoison, ShadowBase,
ClassSize >> Mapping.Scale); ClassSize >> Mapping.Scale);
Value *SavedFlagPtrPtr = IRBPoison.CreateAdd( Value *SavedFlagPtrPtr = IRBPoison.CreateAdd(
LocalStackBase, FakeStack,
ConstantInt::get(IntptrTy, ClassSize - ASan.LongSize / 8)); ConstantInt::get(IntptrTy, ClassSize - ASan.LongSize / 8));
Value *SavedFlagPtr = IRBPoison.CreateLoad( Value *SavedFlagPtr = IRBPoison.CreateLoad(
IRBPoison.CreateIntToPtr(SavedFlagPtrPtr, IntptrPtrTy)); IRBPoison.CreateIntToPtr(SavedFlagPtrPtr, IntptrPtrTy));
IRBPoison.CreateStore( IRBPoison.CreateStore(
Constant::getNullValue(IRBPoison.getInt8Ty()), Constant::getNullValue(IRBPoison.getInt8Ty()),
IRBPoison.CreateIntToPtr(SavedFlagPtr, IRBPoison.getInt8PtrTy())); IRBPoison.CreateIntToPtr(SavedFlagPtr, IRBPoison.getInt8PtrTy()));
} else { } else {
// For larger frames call __asan_stack_free_*. // For larger frames call __asan_stack_free_*.
IRBPoison.CreateCall3(AsanStackFreeFunc[StackMallocIdx], LocalStackBase, IRBPoison.CreateCall2(AsanStackFreeFunc[StackMallocIdx], FakeStack,
ConstantInt::get(IntptrTy, LocalStackSize), ConstantInt::get(IntptrTy, LocalStackSize));
OrigStackBase);
} }
IRBuilder<> IRBElse(ElseTerm); IRBuilder<> IRBElse(ElseTerm);
poisonRedZones(L.ShadowBytes, IRBElse, ShadowBase, false); poisonRedZones(L.ShadowBytes, IRBElse, ShadowBase, false);
} else if (HavePoisonedAllocas) { } else if (HavePoisonedAllocas) {
// If we poisoned some allocas in llvm.lifetime analysis, // If we poisoned some allocas in llvm.lifetime analysis,
// unpoison whole stack frame now. // unpoison whole stack frame now.
assert(LocalStackBase == OrigStackBase);
poisonAlloca(LocalStackBase, LocalStackSize, IRBRet, false); poisonAlloca(LocalStackBase, LocalStackSize, IRBRet, false);
} else { } else {
poisonRedZones(L.ShadowBytes, IRBRet, ShadowBase, false); poisonRedZones(L.ShadowBytes, IRBRet, ShadowBase, false);
} }
} }
if (ClInstrumentAllocas) if (ClInstrumentAllocas)
// Unpoison dynamic allocas. // Unpoison dynamic allocas.
▲ Show 20 LinesShow All 195 LinesShow Last 20 Lines

test/Instrumentation/AddressSanitizer/stack_dynamic_alloca.ll

  • This file was added.
; RUN: opt < %s -asan -asan-module -asan-stack-dynamic-alloca \
; RUN: -asan-use-after-return -S | FileCheck %s
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
define void @Func1() sanitize_address {
entry:
; CHECK-LABEL: Func1
; CHECK: entry:
; CHECK: load i32* @__asan_option_detect_stack_use_after_return
; CHECK: <label>:[[UAR_ENABLED_BB:[0-9]+]]
; CHECK: [[FAKE_STACK_RT:%[0-9]+]] = call i64 @__asan_stack_malloc_
; CHECK: <label>:[[FAKE_STACK_BB:[0-9]+]]
; CHECK: [[FAKE_STACK:%[0-9]+]] = phi i64 [ 0, %entry ], [ [[FAKE_STACK_RT]], %[[UAR_ENABLED_BB]] ]
; CHECK: icmp eq i64 [[FAKE_STACK]], 0
; CHECK: <label>:[[NO_FAKE_STACK_BB:[0-9]+]]
; CHECK: %MyAlloca = alloca i8, i64
; CHECK: [[ALLOCA:%[0-9]+]] = ptrtoint i8* %MyAlloca
; CHECK: phi i64 [ [[FAKE_STACK]], %[[FAKE_STACK_BB]] ], [ [[ALLOCA]], %[[NO_FAKE_STACK_BB]] ]
; CHECK: ret void
%XXX = alloca [20 x i8], align 1
ret void
}

test/Instrumentation/AddressSanitizer/stack_layout.ll

; Test the ASan's stack layout. ; Test the ASan's stack layout.
; More tests in tests/Transforms/Utils/ASanStackFrameLayoutTest.cpp ; More tests in tests/Transforms/Utils/ASanStackFrameLayoutTest.cpp
; RUN: opt < %s -asan -asan-module -S | FileCheck %s ; RUN: opt < %s -asan -asan-module -asan-stack-dynamic-alloca=0 -S \
; RUN: | FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-STATIC
; RUN: opt < %s -asan -asan-module -asan-stack-dynamic-alloca=1 -S \
; RUN: | FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-DYNAMIC
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu" target triple = "x86_64-unknown-linux-gnu"
declare void @Use(i8*) declare void @Use(i8*)
; CHECK: private unnamed_addr constant{{.*}}3 32 10 3 XXX 64 20 3 YYY 128 30 3 ZZZ ; CHECK: private unnamed_addr constant{{.*}}3 32 10 3 XXX 64 20 3 YYY 128 30 3 ZZZ
; CHECK: private unnamed_addr constant{{.*}}3 32 5 3 AAA 64 55 3 BBB 160 555 3 CCC ; CHECK: private unnamed_addr constant{{.*}}3 32 5 3 AAA 64 55 3 BBB 160 555 3 CCC
; CHECK: private unnamed_addr constant{{.*}}3 256 128 3 CCC 448 128 3 BBB 608 128 3 AAA ; CHECK: private unnamed_addr constant{{.*}}3 256 128 3 CCC 448 128 3 BBB 608 128 3 AAA
define void @Func1() sanitize_address { define void @Func1() sanitize_address {
entry: entry:
; CHECK-LABEL: Func1 ; CHECK-LABEL: Func1
; CHECK: alloca [192 x i8]
; CHECK-STATIC: alloca [192 x i8]
; CHECK-DYNAMIC: alloca i8, i64 192
; CHECK-NOT: alloca ; CHECK-NOT: alloca
; CHECK: ret void ; CHECK: ret void
%XXX = alloca [10 x i8], align 1 %XXX = alloca [10 x i8], align 1
%YYY = alloca [20 x i8], align 1 %YYY = alloca [20 x i8], align 1
%ZZZ = alloca [30 x i8], align 1 %ZZZ = alloca [30 x i8], align 1
ret void ret void
} }
define void @Func2() sanitize_address { define void @Func2() sanitize_address {
entry: entry:
; CHECK-LABEL: Func2 ; CHECK-LABEL: Func2
; CHECK: alloca [864 x i8]
; CHECK-STATIC: alloca [864 x i8]
; CHECK-DYNAMIC: alloca i8, i64 864
; CHECK-NOT: alloca ; CHECK-NOT: alloca
; CHECK: ret void ; CHECK: ret void
%AAA = alloca [5 x i8], align 1 %AAA = alloca [5 x i8], align 1
%BBB = alloca [55 x i8], align 1 %BBB = alloca [55 x i8], align 1
%CCC = alloca [555 x i8], align 1 %CCC = alloca [555 x i8], align 1
ret void ret void
} }
; Check that we reorder vars according to alignment and handle large alignments. ; Check that we reorder vars according to alignment and handle large alignments.
define void @Func3() sanitize_address { define void @Func3() sanitize_address {
entry: entry:
; CHECK-LABEL: Func3 ; CHECK-LABEL: Func3
; CHECK: alloca [768 x i8]
; CHECK-STATIC: alloca [768 x i8]
; CHECK-DYNAMIC: alloca i8, i64 768
; CHECK-NOT: alloca ; CHECK-NOT: alloca
; CHECK: ret void ; CHECK: ret void
%AAA = alloca [128 x i8], align 16 %AAA = alloca [128 x i8], align 16
%BBB = alloca [128 x i8], align 64 %BBB = alloca [128 x i8], align 64
%CCC = alloca [128 x i8], align 256 %CCC = alloca [128 x i8], align 256
ret void ret void
} }