This is an archive of the discontinued LLVM Phabricator instance.

Differential D7670

[msan] Poison the entire stack frame with one memset
Needs ReviewPublic

Authored by eugenis on Feb 16 2015, 7:17 AM.

Details

Reviewers
kcc
samsonov
Summary

Fix current ineffective MSan function prologue by lumping all locals into a single alloca (a-la ASan, but without redzones) and poisoning it with a single memset call.

This sounds like it could share some code with ASan, but there are way too many little differencies between two tools, so I copied ASan implementation into MSan and greatly simplified it.

Diff Detail

Repository
rL LLVM

Event Timeline

eugenis updated this revision to Diff 20032.Feb 16 2015, 7:17 AM
eugenis retitled this revision from to [msan] Poison the entire stack frame with one memset.
eugenis updated this object.
eugenis edited the test plan for this revision. (Show Details)
eugenis added reviewers: samsonov, kcc.
eugenis set the repository for this revision to rL LLVM.
eugenis added a subscriber: Unknown Object (MLST).

This is a partial fix for
https://code.google.com/p/memory-sanitizer/issues/detail?id=74

Origin-related issues in function prologue will be fixed in a follow-up change.

eugenis added a comment.Feb 17 2015, 2:41 AM

Benchmarks show marginal perf and code size improvement (~2% on a few benchmarks, nothing on most).
And a significant increase in stack frame size. Must have something to do with stack reuse (did not know llvm does that).

Ex., current instrumentation poisons the same stack location several times in a row. I guess it is being reused for multiple local variable.

28e3f8:       49 bd f8 ff ff ff ff    movabs $0xffffbffffffffff8,%r13
28e445:       4c 21 eb                and    %r13,%rbx
28e490:       48 c7 43 18 ff ff ff    movq   $0xffffffffffffffff,0x18(%rbx)
28e497:       ff
28e498:       48 c7 43 10 ff ff ff    movq   $0xffffffffffffffff,0x10(%rbx)
28e49f:       ff
28e4a0:       48 c7 43 08 ff ff ff    movq   $0xffffffffffffffff,0x8(%rbx)
28e4a7:       ff
28e4a8:       48 c7 03 ff ff ff ff    movq   $0xffffffffffffffff,(%rbx)
28e4af:       48 c7 43 18 ff ff ff    movq   $0xffffffffffffffff,0x18(%rbx)
28e4b6:       ff
28e4b7:       48 c7 43 10 ff ff ff    movq   $0xffffffffffffffff,0x10(%rbx)
28e4be:       ff
28e4bf:       48 c7 43 08 ff ff ff    movq   $0xffffffffffffffff,0x8(%rbx)
28e4c6:       ff
28e4c7:       48 c7 03 ff ff ff ff    movq   $0xffffffffffffffff,(%rbx)
28e4ce:       48 c7 43 18 ff ff ff    movq   $0xffffffffffffffff,0x18(%rbx)
28e4d5:       ff
28e4d6:       48 c7 43 10 ff ff ff    movq   $0xffffffffffffffff,0x10(%rbx)
28e4dd:       ff
28e4de:       48 c7 43 08 ff ff ff    movq   $0xffffffffffffffff,0x8(%rbx)
28e4e5:       ff
28e4e6:       48 c7 03 ff ff ff ff    movq   $0xffffffffffffffff,(%rbx)

This function has stack frame of 0x198 with the current instrumentation and 0x388 with new one, which suppresses stack reuse (0x300 out of 0x388 is poisoned, the rest must be spill slots).

samsonov edited edge metadata.Feb 17 2015, 4:46 PM

You probably know better after examining the code, but it would still be very sad if we had to copy the logic. I will be able to review it later this week.

eugenis added a comment.Feb 17 2015, 11:33 PM

Please hold off the review. I don't really like the stack growth (note that this is an issue for ASan, as well!), I'm going to try a different approach.

kcc edited edge metadata.Feb 18 2015, 10:22 AM

I don't think this is an issue with asan as it deliberately disables stack reuse to find stack-use-after-{return,scope}

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
324 lines
test/
Instrumentation/
MemorySanitizer/
23 lines

Diff 20032

lib/Transforms/Instrumentation/MemorySanitizer.cpp

Show First 20 LinesShow All 86 Lines▼ Show 20 Lines
/// after the app operation. Computers don't work this way. Current /// after the app operation. Computers don't work this way. Current
/// implementation ignores the load aspect of CAS/RMW, always returning a clean /// implementation ignores the load aspect of CAS/RMW, always returning a clean
/// value. It implements the store part as a simple atomic store by storing a /// value. It implements the store part as a simple atomic store by storing a
/// clean shadow. /// clean shadow.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/Transforms/Instrumentation.h" #include "llvm/Transforms/Instrumentation.h"
#include "llvm/IR/DIBuilder.h"
#include "llvm/ADT/DepthFirstIterator.h" #include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/Triple.h" #include "llvm/ADT/Triple.h"
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h" #include "llvm/IR/IRBuilder.h"
▲ Show 20 LinesShow All 83 Lines▼ Show 20 Lines
// This is an experiment to enable handling of cases where shadow is a non-zero // This is an experiment to enable handling of cases where shadow is a non-zero
// compile-time constant. For some unexplainable reason they were silently // compile-time constant. For some unexplainable reason they were silently
// ignored in the instrumentation. // ignored in the instrumentation.
static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow", static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow",
cl::desc("Insert checks for constant shadow values"), cl::desc("Insert checks for constant shadow values"),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
static cl::opt<bool> ClOneBigAlloca("msan-one-big-alloca",
cl::desc("Lump all local variables into one alloca"),
cl::Hidden, cl::init(false));
namespace { namespace {
// Memory map parameters used in application-to-shadow address calculation. // Memory map parameters used in application-to-shadow address calculation.
// Offset = (Addr & ~AndMask) ^ XorMask // Offset = (Addr & ~AndMask) ^ XorMask
// Shadow = ShadowBase + Offset // Shadow = ShadowBase + Offset
// Origin = OriginBase + Offset // Origin = OriginBase + Offset
struct MemoryMapParams { struct MemoryMapParams {
uint64_t AndMask; uint64_t AndMask;
▲ Show 20 LinesShow All 129 Lines▼ Show 20 Lines private:
MDNode *ColdCallWeights; MDNode *ColdCallWeights;
/// \brief Branch weights for origin store. /// \brief Branch weights for origin store.
MDNode *OriginStoreWeights; MDNode *OriginStoreWeights;
/// \brief An empty volatile inline asm that prevents callback merge. /// \brief An empty volatile inline asm that prevents callback merge.
InlineAsm *EmptyAsm; InlineAsm *EmptyAsm;
friend struct MemorySanitizerVisitor; friend struct MemorySanitizerVisitor;
friend struct FunctionStackPoisoner;
friend struct VarArgAMD64Helper; friend struct VarArgAMD64Helper;
}; };
} // namespace } // namespace
char MemorySanitizer::ID = 0; char MemorySanitizer::ID = 0;
INITIALIZE_PASS(MemorySanitizer, "msan", INITIALIZE_PASS(MemorySanitizer, "msan",
"MemorySanitizer: detects uninitialized reads.", "MemorySanitizer: detects uninitialized reads.",
false, false) false, false)
▲ Show 20 LinesShow All 160 Lines▼ Show 20 Lines if (ClKeepGoing)
new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage, new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage,
IRB.getInt32(ClKeepGoing), "__msan_keep_going"); IRB.getInt32(ClKeepGoing), "__msan_keep_going");
return true; return true;
} }
namespace { namespace {
struct MemorySanitizerVisitor;
struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
Function &F;
MemorySanitizer &MS;
MemorySanitizerVisitor &MSV;
bool PoisonStack;
DIBuilder DIB;
LLVMContext *C;
Type *IntptrTy;
Type *IntptrPtrTy;
SmallVector<AllocaInst *, 16> AllocaVec;
SmallVector<AllocaInst *, 16> DynamicAllocaVec;
bool HasNonEmptyInlineAsm;
std::unique_ptr<CallInst> EmptyInlineAsm;
FunctionStackPoisoner(Function &F, MemorySanitizer &MS,
MemorySanitizerVisitor &MSV, bool PoisonStack)
: F(F),
MS(MS),
MSV(MSV),
PoisonStack(PoisonStack),
DIB(*F.getParent(), /*AllowUnresolved*/ false),
C(MS.C),
IntptrTy(MS.IntptrTy),
IntptrPtrTy(PointerType::get(IntptrTy, 0)),
HasNonEmptyInlineAsm(false),
EmptyInlineAsm(CallInst::Create(MS.EmptyAsm)) {}
bool runOnFunction() {
// Collect alloca instructions.
for (BasicBlock *BB : depth_first(&F.getEntryBlock())) visit(*BB);
if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;
poisonStack();
return true;
}
// Poison all found Alloca instructions.
void poisonStack();
// ----------------------- Visitors.
// Poison dynamic alloca.
void handleDynamicAllocaCall(AllocaInst &I);
struct MSanStackVariableDescription {
StringRef Name; // Name of the variable that will be displayed by MSan
// if a stack-related bug is reported.
uint64_t Size; // Size of the variable in bytes.
size_t Alignment; // Alignment of the variable (power of 2).
AllocaInst *AI; // The actual AllocaInst.
size_t Offset; // Offset from the beginning of the frame;
// set by ComputeMSanStackFrameLayout.
Value *NewAllocaPtr; // New address of the variable (points inside the big
// alloca).
};
struct MSanStackFrameLayout {
size_t FrameAlignment; // Alignment for the entire frame.
size_t FrameSize; // Size of the frame in bytes.
};
void ComputeStackFrameLayout(
SmallVectorImpl<MSanStackVariableDescription> &Vars,
MSanStackFrameLayout *Layout);
/// \brief Collect Alloca instructions we want (and can) handle.
void visitAllocaInst(AllocaInst &AI) {
if (!isInterestingAlloca(AI)) return;
if (isDynamicAlloca(AI))
DynamicAllocaVec.push_back(&AI);
else
AllocaVec.push_back(&AI);
}
void visitCallInst(CallInst &CI) {
HasNonEmptyInlineAsm |=
CI.isInlineAsm() && !CI.isIdenticalTo(EmptyInlineAsm.get());
}
// ---------------------- Helpers.
void initializeCallbacks(Module &M);
bool isDynamicAlloca(AllocaInst &AI) const {
return AI.isArrayAllocation() || !AI.isStaticAlloca();
}
// Check if we want (and can) handle this alloca.
bool isInterestingAlloca(AllocaInst &AI) const {
return (AI.getAllocatedType()->isSized() &&
// alloca() may be called with 0 size, ignore it.
getAllocaSizeInBytes(&AI) > 0);
}
uint64_t getAllocaSizeInBytes(AllocaInst *AI) const {
Type *Ty = AI->getAllocatedType();
uint64_t SizeInBytes = MS.DL->getTypeAllocSize(Ty);
return SizeInBytes;
}
Value *createAllocaForLayout(IRBuilder<> &IRB, const MSanStackFrameLayout &L,
bool Dynamic);
};
/// \brief A helper class that handles instrumentation of VarArg /// \brief A helper class that handles instrumentation of VarArg
/// functions on a particular platform. /// functions on a particular platform.
/// ///
/// Implementations are expected to insert the instrumentation /// Implementations are expected to insert the instrumentation
/// necessary to propagate argument shadow through VarArg function /// necessary to propagate argument shadow through VarArg function
/// calls. Visit* methods are called during an InstVisitor pass over /// calls. Visit* methods are called during an InstVisitor pass over
/// the function, and should avoid creating new basic blocks. A new /// the function, and should avoid creating new basic blocks. A new
/// instance of this class is created for each instrumented function. /// instance of this class is created for each instrumented function.
▲ Show 20 LinesShow All 257 Lines▼ Show 20 Lines bool runOnFunction() {
removeUnreachableBlocks(F); removeUnreachableBlocks(F);
// Iterate all BBs in depth-first order and create shadow instructions // Iterate all BBs in depth-first order and create shadow instructions
// for all instructions (where applicable). // for all instructions (where applicable).
// For PHI nodes we create dummy shadow PHIs which will be finalized later. // For PHI nodes we create dummy shadow PHIs which will be finalized later.
for (BasicBlock *BB : depth_first(&F.getEntryBlock())) for (BasicBlock *BB : depth_first(&F.getEntryBlock()))
visit(*BB); visit(*BB);
// Finalize PHI nodes. // Finalize PHI nodes.
for (PHINode *PN : ShadowPHINodes) { for (PHINode *PN : ShadowPHINodes) {
PHINode *PNS = cast<PHINode>(getShadow(PN)); PHINode *PNS = cast<PHINode>(getShadow(PN));
PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : nullptr; PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : nullptr;
size_t NumValues = PN->getNumIncomingValues(); size_t NumValues = PN->getNumIncomingValues();
for (size_t v = 0; v < NumValues; v++) { for (size_t v = 0; v < NumValues; v++) {
PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v)); PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v));
if (PNO) PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v)); if (PNO) PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v));
} }
} }
VAHelper->finalizeInstrumentation(); VAHelper->finalizeInstrumentation();
bool InstrumentWithCalls = ClInstrumentationWithCallThreshold >= 0 && bool InstrumentWithCalls = ClInstrumentationWithCallThreshold >= 0 &&
InstrumentationList.size() + StoreList.size() > InstrumentationList.size() + StoreList.size() >
(unsigned)ClInstrumentationWithCallThreshold; (unsigned)ClInstrumentationWithCallThreshold;
// Delayed instrumentation of StoreInst. // Delayed instrumentation of StoreInst.
// This may add new checks to be inserted later. // This may add new checks to be inserted later.
materializeStores(InstrumentWithCalls); materializeStores(InstrumentWithCalls);
// Insert shadow value checks. // Insert shadow value checks.
materializeChecks(InstrumentWithCalls); materializeChecks(InstrumentWithCalls);
if (ClOneBigAlloca) {
FunctionStackPoisoner FSP(F, MS, *this, PoisonStack);
FSP.runOnFunction();
}
return true; return true;
} }
/// \brief Compute the shadow type that corresponds to a given Value. /// \brief Compute the shadow type that corresponds to a given Value.
Type *getShadowTy(Value *V) { Type *getShadowTy(Value *V) {
return getShadowTy(V->getType()); return getShadowTy(V->getType());
} }
▲ Show 20 LinesShow All 1,714 Lines▼ Show 20 Lines void visitPHINode(PHINode &I) {
ShadowPHINodes.push_back(&I); ShadowPHINodes.push_back(&I);
setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(), setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(),
"_msphi_s")); "_msphi_s"));
if (MS.TrackOrigins) if (MS.TrackOrigins)
setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(), setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(),
"_msphi_o")); "_msphi_o"));
} }
void SetAllocaOrigin(IRBuilder<> &IRB, StringRef Name, Value *Ptr,
Value *Size) {
SmallString<2048> StackDescriptionStorage;
raw_svector_ostream StackDescription(StackDescriptionStorage);
// We create a string with a description of the stack allocation and
// pass it into __msan_set_alloca_origin.
// It will be printed by the run-time if stack-originated UMR is found.
// The first 4 bytes of the string are set to '----' and will be replaced
// by __msan_va_arg_overflow_size_tls at the first call.
StackDescription << "----" << Name << "@" << F.getName();
Value *Descr = createPrivateNonConstGlobalForString(*F.getParent(),
StackDescription.str());
IRB.CreateCall4(MS.MsanSetAllocaOrigin4Fn,
IRB.CreatePointerCast(Ptr, IRB.getInt8PtrTy()), Size,
IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy()),
IRB.CreatePointerCast(&F, MS.IntptrTy));
}
void visitAllocaInst(AllocaInst &I) { void visitAllocaInst(AllocaInst &I) {
setShadow(&I, getCleanShadow(&I)); setShadow(&I, getCleanShadow(&I));
setOrigin(&I, getCleanOrigin()); setOrigin(&I, getCleanOrigin());
if (!ClOneBigAlloca) {
IRBuilder<> IRB(I.getNextNode()); IRBuilder<> IRB(I.getNextNode());
uint64_t Size = MS.DL->getTypeAllocSize(I.getAllocatedType()); uint64_t Size = MS.DL->getTypeAllocSize(I.getAllocatedType());
if (PoisonStack && ClPoisonStackWithCall) { if (PoisonStack && ClPoisonStackWithCall) {
IRB.CreateCall2(MS.MsanPoisonStackFn, IRB.CreateCall2(MS.MsanPoisonStackFn,
IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()),
ConstantInt::get(MS.IntptrTy, Size)); ConstantInt::get(MS.IntptrTy, Size));
} else { } else {
Value *ShadowBase = getShadowPtr(&I, Type::getInt8PtrTy(*MS.C), IRB); Value *ShadowBase = getShadowPtr(&I, Type::getInt8PtrTy(*MS.C), IRB);
Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0); Value *PoisonValue =
IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0);
IRB.CreateMemSet(ShadowBase, PoisonValue, Size, I.getAlignment()); IRB.CreateMemSet(ShadowBase, PoisonValue, Size, I.getAlignment());
} }
if (PoisonStack && MS.TrackOrigins) { if (PoisonStack && MS.TrackOrigins)
SmallString<2048> StackDescriptionStorage; SetAllocaOrigin(IRB, I.getName(), &I,
raw_svector_ostream StackDescription(StackDescriptionStorage); ConstantInt::get(MS.IntptrTy, Size));
// We create a string with a description of the stack allocation and
// pass it into __msan_set_alloca_origin.
// It will be printed by the run-time if stack-originated UMR is found.
// The first 4 bytes of the string are set to '----' and will be replaced
// by __msan_va_arg_overflow_size_tls at the first call.
StackDescription << "----" << I.getName() << "@" << F.getName();
Value *Descr =
createPrivateNonConstGlobalForString(*F.getParent(),
StackDescription.str());
IRB.CreateCall4(MS.MsanSetAllocaOrigin4Fn,
IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()),
ConstantInt::get(MS.IntptrTy, Size),
IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy()),
IRB.CreatePointerCast(&F, MS.IntptrTy));
} }
} }
void visitSelectInst(SelectInst& I) { void visitSelectInst(SelectInst& I) {
IRBuilder<> IRB(&I); IRBuilder<> IRB(&I);
// a = select b, c, d // a = select b, c, d
Value *B = I.getCondition(); Value *B = I.getCondition();
Value *C = I.getTrueValue(); Value *C = I.getTrueValue();
▲ Show 20 LinesShow All 294 Lines▼ Show 20 LinesVarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
// on other platforms. // on other platforms.
llvm::Triple TargetTriple(Func.getParent()->getTargetTriple()); llvm::Triple TargetTriple(Func.getParent()->getTargetTriple());
if (TargetTriple.getArch() == llvm::Triple::x86_64) if (TargetTriple.getArch() == llvm::Triple::x86_64)
return new VarArgAMD64Helper(Func, Msan, Visitor); return new VarArgAMD64Helper(Func, Msan, Visitor);
else else
return new VarArgNoOpHelper(Func, Msan, Visitor); return new VarArgNoOpHelper(Func, Msan, Visitor);
} }
static DebugLoc getFunctionEntryDebugLocation(Function &F) {
for (const auto &Inst : F.getEntryBlock())
if (!isa<AllocaInst>(Inst)) return Inst.getDebugLoc();
return DebugLoc();
}
Value *FunctionStackPoisoner::createAllocaForLayout(
IRBuilder<> &IRB, const MSanStackFrameLayout &L, bool Dynamic) {
AllocaInst *Alloca;
if (Dynamic) {
Alloca = IRB.CreateAlloca(IRB.getInt8Ty(),
ConstantInt::get(IRB.getInt64Ty(), L.FrameSize),
"MSanAlloca");
} else {
Alloca = IRB.CreateAlloca(ArrayType::get(IRB.getInt8Ty(), L.FrameSize),
nullptr, "MSanAlloca");
assert(Alloca->isStaticAlloca());
}
Alloca->setAlignment(L.FrameAlignment);
return IRB.CreatePointerCast(Alloca, IntptrTy);
}
void FunctionStackPoisoner::handleDynamicAllocaCall(AllocaInst &I) {
IRBuilder<> IRB(I.getNextNode());
uint64_t Size = MS.DL->getTypeAllocSize(I.getAllocatedType());
if (PoisonStack && ClPoisonStackWithCall) {
IRB.CreateCall2(MS.MsanPoisonStackFn,
IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()),
ConstantInt::get(MS.IntptrTy, Size));
} else {
Value *ShadowBase = MSV.getShadowPtr(&I, Type::getInt8PtrTy(*MS.C), IRB);
Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0);
IRB.CreateMemSet(ShadowBase, PoisonValue, Size, I.getAlignment());
}
if (PoisonStack && MS.TrackOrigins)
MSV.SetAllocaOrigin(IRB, I.getName(), &I,
ConstantInt::get(MS.IntptrTy, Size));
}
void FunctionStackPoisoner::ComputeStackFrameLayout(
SmallVectorImpl<MSanStackVariableDescription> &Vars,
MSanStackFrameLayout *Layout) {
size_t NumVars = Vars.size();
assert(NumVars > 0);
std::stable_sort(Vars.begin(), Vars.end(),
[](const MSanStackVariableDescription &a,
const MSanStackVariableDescription &b) {
return a.Alignment > b.Alignment;
});
Layout->FrameAlignment = Vars[0].Alignment;
size_t Offset = 0;
for (size_t i = 0; i < NumVars; i++) {
size_t Alignment = Vars[i].Alignment;
size_t Size = Vars[i].Size;
assert((Alignment & (Alignment - 1)) == 0);
assert(Layout->FrameAlignment >= Alignment);
assert(Size > 0);
Offset = RoundUpToAlignment(Offset, Alignment);
Vars[i].Offset = Offset;
Offset += Size;
}
Layout->FrameSize = Offset;
}
void FunctionStackPoisoner::poisonStack() {
assert(AllocaVec.size() > 0 || DynamicAllocaVec.size() > 0);
// Handle dynamic allocas.
for (auto &AllocaCall : DynamicAllocaVec)
handleDynamicAllocaCall(*AllocaCall);
if (AllocaVec.size() == 0) return;
DebugLoc EntryDebugLocation = getFunctionEntryDebugLocation(F);
Instruction *InsBefore = AllocaVec[0];
IRBuilder<> IRB(InsBefore);
IRB.SetCurrentDebugLocation(EntryDebugLocation);
SmallVector<MSanStackVariableDescription, 16> SVD;
SVD.reserve(AllocaVec.size());
for (AllocaInst *AI : AllocaVec) {
unsigned Alignment = AI->getAlignment();
if (Alignment == 0) {
Type *Ty = AI->getType(); // FIXME???
Alignment = std::max(Alignment, MS.DL->getABITypeAlignment(Ty));
}
// We want each local to get its own origin id.
// Pad everything to 4 bytes.
Alignment = std::max(Alignment, kMinOriginAlignment);
MSanStackVariableDescription D = {AI->getName(), getAllocaSizeInBytes(AI),
Alignment, AI, 0, 0};
SVD.push_back(D);
}
MSanStackFrameLayout L;
ComputeStackFrameLayout(SVD, &L);
// Don't do dynamic alloca in presence of inline asm: too often it
// makes assumptions on which registers are available.
bool DoDynamicAlloca = !HasNonEmptyInlineAsm;
Value *LocalStackBase = createAllocaForLayout(IRB, L, DoDynamicAlloca);
// Replace Alloca instructions with base+offset.
for (auto &Desc : SVD) {
AllocaInst *AI = Desc.AI;
Desc.NewAllocaPtr = IRB.CreateIntToPtr(
IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Desc.Offset)),
AI->getType());
replaceDbgDeclareForAlloca(AI, Desc.NewAllocaPtr, DIB, /*Deref=*/true);
AI->replaceAllUsesWith(Desc.NewAllocaPtr);
}
// Poison the stack frame at the entry.
if (ClPoisonStackWithCall) {
IRB.CreateCall2(MS.MsanPoisonStackFn, LocalStackBase,
ConstantInt::get(MS.IntptrTy, L.FrameSize));
} else {
Value *ShadowBase =
MSV.getShadowPtr(LocalStackBase, Type::getInt8PtrTy(*MS.C), IRB);
Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0);
IRB.CreateMemSet(ShadowBase, PoisonValue, L.FrameSize, L.FrameAlignment);
}
if (PoisonStack && MS.TrackOrigins)
for (const auto &Desc : SVD)
MSV.SetAllocaOrigin(IRB, Desc.Name, Desc.NewAllocaPtr,
ConstantInt::get(MS.IntptrTy, Desc.Size));
// We are done. Remove the old unused alloca instructions.
for (auto AI : AllocaVec) AI->eraseFromParent();
}
} // namespace } // namespace
bool MemorySanitizer::runOnFunction(Function &F) { bool MemorySanitizer::runOnFunction(Function &F) {
MemorySanitizerVisitor Visitor(F, *this); MemorySanitizerVisitor Visitor(F, *this);
// Clear out readonly/readnone attributes. // Clear out readonly/readnone attributes.
AttrBuilder B; AttrBuilder B;
B.addAttribute(Attribute::ReadOnly) B.addAttribute(Attribute::ReadOnly)
.addAttribute(Attribute::ReadNone); .addAttribute(Attribute::ReadNone);
F.removeAttributes(AttributeSet::FunctionIndex, F.removeAttributes(AttributeSet::FunctionIndex,
AttributeSet::get(F.getContext(), AttributeSet::get(F.getContext(),
AttributeSet::FunctionIndex, B)); AttributeSet::FunctionIndex, B));
return Visitor.runOnFunction(); return Visitor.runOnFunction();
} }

test/Instrumentation/MemorySanitizer/alloca.ll

; RUN: opt < %s -msan -msan-check-access-address=0 -msan-one-big-alloca=1 -S | FileCheck %s
; RUN: opt < %s -msan -msan-check-access-address=0 -msan-one-big-alloca=1 -msan-track-origins=1 -S | FileCheck -check-prefix=CHECK -check-prefix=CHECK-ORIGINS %s
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
; Test that stack allocations are unpoisoned in one memset call
define i32 @ManyAlloca() sanitize_memory {
entry:
%p = alloca i8, align 1
%q = alloca i32, align 8
%r = alloca i64, align 8
%x = call i32 @ManyAllocaHelper(i8* %p, i32* %q, i64* %r)
ret i32 %x
}
declare i32 @ManyAllocaHelper(i8* %p, i32* %q, i64* %r)
; CHECK: @ManyAlloca
; CHECK: call void @llvm.memset.p0i8.i64(i8* {{.*}}, i8 -1, i64 17, i32 8, i1 false)
; CHECK: call i32 @ManyAllocaHelper(
; CHECK: ret i32