This is an archive of the discontinued LLVM Phabricator instance.

Differential D77619

[AddressSanitizer] Instrument byval call arguments
ClosedPublic

Authored by thejh on Apr 6 2020, 6:08 PM.

Details

Reviewers
kcc
glider
Commits
rGa22685885d19: [AddressSanitizer] Instrument byval call arguments
Summary

In the LLVM IR, "call" instructions read memory for each byval operand.
For example:

$ cat blah.c
struct foo { void *a, *b, *c; };
struct bar { struct foo foo; };
void func1(const struct foo);
void func2(struct bar *bar) { func1(bar->foo); }
$ [...]/bin/clang -S -flto -c blah.c -O2 ; cat blah.s
[...]
define dso_local void @func2(%struct.bar* %bar) local_unnamed_addr #0 {
entry:
  %foo = getelementptr inbounds %struct.bar, %struct.bar* %bar, i64 0, i32 0
  tail call void @func1(%struct.foo* byval(%struct.foo) align 8 %foo) #2
  ret void
}
[...]
$ [...]/bin/clang -S -c blah.c -O2 ; cat blah.s
[...]
func2:                                  # @func2
[...]
        subq    $24, %rsp
[...]
        movq    16(%rdi), %rax
        movq    %rax, 16(%rsp)
        movups  (%rdi), %xmm0
        movups  %xmm0, (%rsp)
        callq   func1
        addq    $24, %rsp
[...]
        retq

Let ASAN instrument these hidden memory accesses.

This is patch 4/4 of a patch series:
https://reviews.llvm.org/D77616 [PATCH 1/4] [AddressSanitizer] Refactor ClDebug{Min,Max} handling
https://reviews.llvm.org/D77617 [PATCH 2/4] [AddressSanitizer] Split out memory intrinsic handling
https://reviews.llvm.org/D77618 [PATCH 3/4] [AddressSanitizer] Refactor: Permit >1 interesting operands per instruction
https://reviews.llvm.org/D77619 [PATCH 4/4] [AddressSanitizer] Instrument byval call arguments

Diff Detail

Event Timeline

thejh created this revision.Apr 6 2020, 6:08 PM
Herald added subscribers: llvm-commits, dexonsmith, hiraditya. · View Herald TranscriptApr 6 2020, 6:08 PM
thejh added a parent revision: D77618: [AddressSanitizer] Refactor: Permit >1 interesting operands per instruction.Apr 6 2020, 6:09 PM
thejh edited the summary of this revision. (Show Details)Apr 6 2020, 6:13 PM
thejh added reviewers: kcc, glider.
Harbormaster completed remote builds in B52089: Diff 255559.Apr 6 2020, 7:06 PM
thejh updated this revision to Diff 257388.Apr 14 2020, 9:50 AM

fix clang-format warnings

Harbormaster completed remote builds in B53174: Diff 257388.Apr 14 2020, 10:44 AM
thejh updated this revision to Diff 257439.Apr 14 2020, 12:04 PM

rebase onto changed preceding patches

Harbormaster completed remote builds in B53207: Diff 257439.Apr 14 2020, 1:31 PM
thejh updated this revision to Diff 259918.Apr 24 2020, 10:14 AM

I missed that Kostya commented a while back that it'd be better to have a flag to gate the new functionality... adding that now.

@glider I noticed that you marked the three preceding patches as Accepted, but not this one - with this change, is this series ready to land?

Harbormaster failed remote builds in B54587: Diff 259918!Apr 24 2020, 10:17 AM
thejh added a comment.Apr 24 2020, 10:25 AM

Ugh... so the build failed on this patch because actually a preceding patch no longer applies cleanly and LLVM's build infrastructure doesn't have base-commit support and therefore can't do an automatic 3-way merge?

Sigh, I'll rebase and re-send the whole thing...

thejh updated this revision to Diff 259928.Apr 24 2020, 10:36 AM

rebase to make harbormaster happy

Harbormaster failed remote builds in B54594: Diff 259928!Apr 24 2020, 11:21 AM
thejh updated this revision to Diff 260224.Apr 27 2020, 12:00 AM

resend patch to trigger new build

Harbormaster completed remote builds in B54747: Diff 260224.Apr 27 2020, 1:01 AM
glider accepted this revision.Apr 28 2020, 2:26 AM
This revision is now accepted and ready to land.Apr 28 2020, 2:26 AM
thejh updated this revision to Diff 261152.Apr 30 2020, 2:02 AM
Harbormaster completed remote builds in B55264: Diff 261152.Apr 30 2020, 2:25 AM
glider updated this revision to Diff 261205.Apr 30 2020, 6:10 AM

Rebase

Harbormaster failed remote builds in B55289: Diff 261205!Apr 30 2020, 6:14 AM
glider updated this revision to Diff 261221.Apr 30 2020, 7:27 AM

rebase

glider updated this revision to Diff 261230.Apr 30 2020, 7:45 AM

fix what I broke

Harbormaster failed remote builds in B55298: Diff 261221!Apr 30 2020, 8:29 AM
Harbormaster failed remote builds in B55307: Diff 261230!
Closed by commit rGa22685885d19: [AddressSanitizer] Instrument byval call arguments (authored by thejh, committed by glider). · Explain WhyApr 30 2020, 8:30 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
13 lines
12 lines
test/
Instrumentation/
AddressSanitizer/
18 lines

Diff 261243

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 207 Lines▼ Show 20 Linesstatic cl::opt<bool> ClInstrumentWrites(
"asan-instrument-writes", cl::desc("instrument write instructions"), "asan-instrument-writes", cl::desc("instrument write instructions"),
cl::Hidden, cl::init(true)); cl::Hidden, cl::init(true));
static cl::opt<bool> ClInstrumentAtomics( static cl::opt<bool> ClInstrumentAtomics(
"asan-instrument-atomics", "asan-instrument-atomics",
cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden, cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden,
cl::init(true)); cl::init(true));
static cl::opt<bool>
ClInstrumentByval("asan-instrument-byval",
cl::desc("instrument byval call arguments"), cl::Hidden,
cl::init(true));
static cl::opt<bool> ClAlwaysSlowPath( static cl::opt<bool> ClAlwaysSlowPath(
"asan-always-slow-path", "asan-always-slow-path",
cl::desc("use instrumentation with slow path for all accesses"), cl::Hidden, cl::desc("use instrumentation with slow path for all accesses"), cl::Hidden,
cl::init(false)); cl::init(false));
static cl::opt<bool> ClForceDynamicShadow( static cl::opt<bool> ClForceDynamicShadow(
"asan-force-dynamic-shadow", "asan-force-dynamic-shadow",
cl::desc("Load shadow address into a local variable for each function"), cl::desc("Load shadow address into a local variable for each function"),
▲ Show 20 LinesShow All 1,185 Lines▼ Show 20 Lines if (F && (F->getName().startswith("llvm.masked.load.") ||
auto Ty = cast<PointerType>(BasePtr->getType())->getElementType(); auto Ty = cast<PointerType>(BasePtr->getType())->getElementType();
unsigned Alignment = 1; unsigned Alignment = 1;
// Otherwise no alignment guarantees. We probably got Undef. // Otherwise no alignment guarantees. We probably got Undef.
if (auto AlignmentConstant = if (auto AlignmentConstant =
dyn_cast<ConstantInt>(CI->getOperand(1 + OpOffset))) dyn_cast<ConstantInt>(CI->getOperand(1 + OpOffset)))
Alignment = (unsigned)AlignmentConstant->getZExtValue(); Alignment = (unsigned)AlignmentConstant->getZExtValue();
Value *Mask = CI->getOperand(2 + OpOffset); Value *Mask = CI->getOperand(2 + OpOffset);
Interesting.emplace_back(I, OpOffset, IsWrite, Ty, Alignment, Mask); Interesting.emplace_back(I, OpOffset, IsWrite, Ty, Alignment, Mask);
} else {
for (unsigned ArgNo = 0; ArgNo < CI->getNumArgOperands(); ArgNo++) {
if (!ClInstrumentByval || !CI->isByValArgument(ArgNo) ||
ignoreAccess(CI->getArgOperand(ArgNo)))
continue;
Type *Ty = CI->getParamByValType(ArgNo);
Interesting.emplace_back(I, ArgNo, false, Ty, 1);
}
} }
} }
} }
static bool isPointerOperand(Value *V) { static bool isPointerOperand(Value *V) {
return V->getType()->isPointerTy() || isa<PtrToIntInst>(V); return V->getType()->isPointerTy() || isa<PtrToIntInst>(V);
} }
▲ Show 20 LinesShow All 1,970 LinesShow Last 20 Lines

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp

Show First 20 LinesShow All 91 Lines▼ Show 20 Linesstatic cl::opt<bool> ClInstrumentWrites(
"hwasan-instrument-writes", cl::desc("instrument write instructions"), "hwasan-instrument-writes", cl::desc("instrument write instructions"),
cl::Hidden, cl::init(true)); cl::Hidden, cl::init(true));
static cl::opt<bool> ClInstrumentAtomics( static cl::opt<bool> ClInstrumentAtomics(
"hwasan-instrument-atomics", "hwasan-instrument-atomics",
cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden, cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden,
cl::init(true)); cl::init(true));
static cl::opt<bool> ClInstrumentByval("hwasan-instrument-byval",
cl::desc("instrument byval arguments"),
cl::Hidden, cl::init(true));
static cl::opt<bool> ClRecover( static cl::opt<bool> ClRecover(
"hwasan-recover", "hwasan-recover",
cl::desc("Enable recovery mode (continue-after-error)."), cl::desc("Enable recovery mode (continue-after-error)."),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
static cl::opt<bool> ClInstrumentStack("hwasan-instrument-stack", static cl::opt<bool> ClInstrumentStack("hwasan-instrument-stack",
cl::desc("instrument stack (allocas)"), cl::desc("instrument stack (allocas)"),
cl::Hidden, cl::init(true)); cl::Hidden, cl::init(true));
▲ Show 20 LinesShow All 436 Lines▼ Show 20 Lines if (!ClInstrumentAtomics || ignoreAccess(RMW->getPointerOperand()))
return; return;
Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true, Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true,
RMW->getValOperand()->getType(), 0); RMW->getValOperand()->getType(), 0);
} else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {
if (!ClInstrumentAtomics || ignoreAccess(XCHG->getPointerOperand())) if (!ClInstrumentAtomics || ignoreAccess(XCHG->getPointerOperand()))
return; return;
Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true, Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true,
XCHG->getCompareOperand()->getType(), 0); XCHG->getCompareOperand()->getType(), 0);
} else if (auto CI = dyn_cast<CallInst>(I)) {
for (unsigned ArgNo = 0; ArgNo < CI->getNumArgOperands(); ArgNo++) {
if (!ClInstrumentByval || !CI->isByValArgument(ArgNo) ||
ignoreAccess(CI->getArgOperand(ArgNo)))
continue;
Type *Ty = CI->getParamByValType(ArgNo);
Interesting.emplace_back(I, ArgNo, false, Ty, 1);
}
} }
} }
static unsigned getPointerOperandIndex(Instruction *I) { static unsigned getPointerOperandIndex(Instruction *I) {
if (LoadInst *LI = dyn_cast<LoadInst>(I)) if (LoadInst *LI = dyn_cast<LoadInst>(I))
return LI->getPointerOperandIndex(); return LI->getPointerOperandIndex();
if (StoreInst *SI = dyn_cast<StoreInst>(I)) if (StoreInst *SI = dyn_cast<StoreInst>(I))
return SI->getPointerOperandIndex(); return SI->getPointerOperandIndex();
▲ Show 20 LinesShow All 929 LinesShow Last 20 Lines

llvm/test/Instrumentation/AddressSanitizer/byval-args.ll

  • This file was added.
; RUN: opt < %s -asan -S | FileCheck %s
; Test that for call instructions, the by-value arguments are instrumented.
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
%struct.bar = type { %struct.foo }
%struct.foo = type { i8*, i8*, i8* }
define dso_local void @func2(%struct.foo* %foo) sanitize_address {
; CHECK-LABEL: @func2
tail call void @func1(%struct.foo* byval(%struct.foo) align 8 %foo) #2
; CHECK: call void @__asan_report_load
ret void
; CHECK: ret void
}
declare dso_local void @func1(%struct.foo* byval(%struct.foo) align 8)
!0 = !{i32 1, !"wchar_size", i32 4}