Skip to content

Commit

Permalink
[HWASan] Port HWASan to Linux x86-64 (LLVM)
Browse files Browse the repository at this point in the history
Summary:
Porting HWASan to Linux x86-64, first of the three patches, LLVM part.

The approach is similar to ARM case, trap signal is used to communicate
memory tag check failure. int3 instruction is used to generate a signal,
access parameters are stored in nop [eax + offset] instruction immediately
following the int3 one.

One notable difference is that x86-64 has to untag the pointer before use
due to the lack of feature comparable to ARM's TBI (Top Byte Ignore).

Reviewers: eugenis

Subscribers: kristof.beyls, llvm-commits

Differential Revision: https://reviews.llvm.org/D44699

llvm-svn: 328342
alekseyshl committed Mar 23, 2018
1 parent 4157380 commit 83e7841
Showing 5 changed files with 314 additions and 13 deletions.
71 changes: 58 additions & 13 deletions llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
Original file line number Diff line number Diff line change
@@ -123,6 +123,7 @@ class HWAddressSanitizer : public FunctionPass {
bool doInitialization(Module &M) override;

void initializeCallbacks(Module &M);
void untagPointerOperand(Instruction *I, Value *Addr);
void instrumentMemAccessInline(Value *PtrLong, bool IsWrite,
unsigned AccessSizeIndex,
Instruction *InsertBefore);
@@ -145,6 +146,8 @@ class HWAddressSanitizer : public FunctionPass {

private:
LLVMContext *C;
Triple TargetTriple;

Type *IntptrTy;
Type *Int8Ty;

@@ -181,7 +184,7 @@ bool HWAddressSanitizer::doInitialization(Module &M) {
DEBUG(dbgs() << "Init " << M.getName() << "\n");
auto &DL = M.getDataLayout();

Triple TargetTriple(M.getTargetTriple());
TargetTriple = Triple(M.getTargetTriple());

C = &(M.getContext());
IRBuilder<> IRB(*C);
@@ -228,10 +231,10 @@ void HWAddressSanitizer::initializeCallbacks(Module &M) {
}

Value *HWAddressSanitizer::isInterestingMemoryAccess(Instruction *I,
bool *IsWrite,
uint64_t *TypeSize,
unsigned *Alignment,
Value **MaybeMask) {
bool *IsWrite,
uint64_t *TypeSize,
unsigned *Alignment,
Value **MaybeMask) {
// Skip memory accesses inserted by another instrumentation.
if (I->getMetadata("nosanitize")) return nullptr;

@@ -281,17 +284,42 @@ Value *HWAddressSanitizer::isInterestingMemoryAccess(Instruction *I,
return PtrOperand;
}

static unsigned getPointerOperandIndex(Instruction *I) {
if (LoadInst *LI = dyn_cast<LoadInst>(I))
return LI->getPointerOperandIndex();
if (StoreInst *SI = dyn_cast<StoreInst>(I))
return SI->getPointerOperandIndex();
if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I))
return RMW->getPointerOperandIndex();
if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I))
return XCHG->getPointerOperandIndex();
report_fatal_error("Unexpected instruction");
return -1;
}

static size_t TypeSizeToSizeIndex(uint32_t TypeSize) {
size_t Res = countTrailingZeros(TypeSize / 8);
assert(Res < kNumberOfAccessSizes);
return Res;
}

void HWAddressSanitizer::untagPointerOperand(Instruction *I, Value *Addr) {
if (TargetTriple.isAArch64())
return;

IRBuilder<> IRB(I);
Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);
Value *UntaggedPtr =
IRB.CreateIntToPtr(untagPointer(IRB, AddrLong), Addr->getType());
I->setOperand(getPointerOperandIndex(I), UntaggedPtr);
}

void HWAddressSanitizer::instrumentMemAccessInline(Value *PtrLong, bool IsWrite,
unsigned AccessSizeIndex,
Instruction *InsertBefore) {
IRBuilder<> IRB(InsertBefore);
Value *PtrTag = IRB.CreateTrunc(IRB.CreateLShr(PtrLong, kPointerTagShift), IRB.getInt8Ty());
Value *PtrTag = IRB.CreateTrunc(IRB.CreateLShr(PtrLong, kPointerTagShift),
IRB.getInt8Ty());
Value *AddrLong = untagPointer(IRB, PtrLong);
Value *ShadowLong = IRB.CreateLShr(AddrLong, kShadowScale);
if (ClMappingOffset)
@@ -307,13 +335,29 @@ void HWAddressSanitizer::instrumentMemAccessInline(Value *PtrLong, bool IsWrite,
MDBuilder(*C).createBranchWeights(1, 100000));

IRB.SetInsertPoint(CheckTerm);
// The signal handler will find the data address in x0.
InlineAsm *Asm = InlineAsm::get(
FunctionType::get(IRB.getVoidTy(), {PtrLong->getType()}, false),
"brk #" +
itostr(0x900 + Recover * 0x20 + IsWrite * 0x10 + AccessSizeIndex),
"{x0}",
/*hasSideEffects=*/true);
const int64_t AccessInfo = Recover * 0x20 + IsWrite * 0x10 + AccessSizeIndex;
InlineAsm *Asm;
switch (TargetTriple.getArch()) {
case Triple::x86_64:
// The signal handler will find the data address in rdi.
Asm = InlineAsm::get(
FunctionType::get(IRB.getVoidTy(), {PtrLong->getType()}, false),
"int3\nnopl " + itostr(0x40 + AccessInfo) + "(%rax)",
"{rdi}",
/*hasSideEffects=*/true);
break;
case Triple::aarch64:
case Triple::aarch64_be:
// The signal handler will find the data address in x0.
Asm = InlineAsm::get(
FunctionType::get(IRB.getVoidTy(), {PtrLong->getType()}, false),
"brk #" + itostr(0x900 + AccessInfo),
"{x0}",
/*hasSideEffects=*/true);
break;
default:
report_fatal_error("unsupported architecture");
}
IRB.CreateCall(Asm, PtrLong);
}

@@ -349,6 +393,7 @@ bool HWAddressSanitizer::instrumentMemAccess(Instruction *I) {
IRB.CreateCall(HwasanMemoryAccessCallbackSized[IsWrite],
{AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8)});
}
untagPointerOperand(I, Addr);

return true;
}
40 changes: 40 additions & 0 deletions llvm/test/Instrumentation/HWAddressSanitizer/X86/atomic.ll
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
; Test basic address sanitizer instrumentation.
;
; RUN: opt < %s -hwasan -S | FileCheck %s

target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "x86_64-unknown-linux-gnu"

define void @atomicrmw(i64* %ptr) sanitize_hwaddress {
; CHECK-LABEL: @atomicrmw(
; CHECK: %[[A:[^ ]*]] = ptrtoint i64* %ptr to i64

; CHECK: call void asm sideeffect "int3\0Anopl 83(%rax)", "{rdi}"(i64 %[[A]])

; CHECK: %[[A:[^ ]*]] = ptrtoint i64* %ptr to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = and i64 %[[A]], 72057594037927935
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i64*
; CHECK: atomicrmw add i64* %[[UNTAGGED_PTR]], i64 1 seq_cst
; CHECK: ret void

entry:
%0 = atomicrmw add i64* %ptr, i64 1 seq_cst
ret void
}

define void @cmpxchg(i64* %ptr, i64 %compare_to, i64 %new_value) sanitize_hwaddress {
; CHECK-LABEL: @cmpxchg(
; CHECK: %[[A:[^ ]*]] = ptrtoint i64* %ptr to i64

; CHECK: call void asm sideeffect "int3\0Anopl 83(%rax)", "{rdi}"(i64 %[[A]])

; CHECK: %[[A:[^ ]*]] = ptrtoint i64* %ptr to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = and i64 %[[A]], 72057594037927935
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i64*
; CHECK: cmpxchg i64* %[[UNTAGGED_PTR]], i64 %compare_to, i64 %new_value seq_cst seq_cst
; CHECK: ret void

entry:
%0 = cmpxchg i64* %ptr, i64 %compare_to, i64 %new_value seq_cst seq_cst
ret void
}
103 changes: 103 additions & 0 deletions llvm/test/Instrumentation/HWAddressSanitizer/X86/basic.ll
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
; Test basic address sanitizer instrumentation.
; Generic code is covered by ../basic.ll, only the x86_64 specific code is
; tested here.
;
; RUN: opt < %s -hwasan -hwasan-recover=0 -S | FileCheck %s --check-prefixes=CHECK,ABORT
; RUN: opt < %s -hwasan -hwasan-recover=1 -S | FileCheck %s --check-prefixes=CHECK,RECOVER

target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "x86_64-unknown-linux-gnu"

define i8 @test_load8(i8* %a) sanitize_hwaddress {
; CHECK-LABEL: @test_load8(
; CHECK: %[[A:[^ ]*]] = ptrtoint i8* %a to i64

; ABORT: call void asm sideeffect "int3\0Anopl 64(%rax)", "{rdi}"(i64 %[[A]])
; ABORT: unreachable
; RECOVER: call void asm sideeffect "int3\0Anopl 96(%rax)", "{rdi}"(i64 %[[A]])
; RECOVER: br label

; CHECK: %[[A:[^ ]*]] = ptrtoint i8* %a to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = and i64 %[[A]], 72057594037927935
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i8*
; CHECK: %[[G:[^ ]*]] = load i8, i8* %[[UNTAGGED_PTR]], align 4
; CHECK: ret i8 %[[G]]

entry:
%b = load i8, i8* %a, align 4
ret i8 %b
}

define i40 @test_load40(i40* %a) sanitize_hwaddress {
; CHECK-LABEL: @test_load40(
; CHECK: %[[A:[^ ]*]] = ptrtoint i40* %a to i64

; ABORT: call void @__hwasan_loadN(i64 %[[A]], i64 5)
; RECOVER: call void @__hwasan_loadN_noabort(i64 %[[A]], i64 5)

; CHECK: %[[A:[^ ]*]] = ptrtoint i40* %a to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = and i64 %[[A]], 72057594037927935
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i40*
; CHECK: %[[B:[^ ]*]] = load i40, i40* %[[UNTAGGED_PTR]]
; CHECK: ret i40 %[[B]]

entry:
%b = load i40, i40* %a, align 4
ret i40 %b
}

define void @test_store8(i8* %a, i8 %b) sanitize_hwaddress {
; CHECK-LABEL: @test_store8(
; CHECK: %[[A:[^ ]*]] = ptrtoint i8* %a to i64

; ABORT: call void asm sideeffect "int3\0Anopl 80(%rax)", "{rdi}"(i64 %[[A]])
; ABORT: unreachable
; RECOVER: call void asm sideeffect "int3\0Anopl 112(%rax)", "{rdi}"(i64 %[[A]])
; RECOVER: br label

; CHECK: %[[A:[^ ]*]] = ptrtoint i8* %a to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = and i64 %[[A]], 72057594037927935
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i8*
; CHECK: store i8 %b, i8* %[[UNTAGGED_PTR]], align 4
; CHECK: ret void

entry:
store i8 %b, i8* %a, align 4
ret void
}

define void @test_store40(i40* %a, i40 %b) sanitize_hwaddress {
; CHECK-LABEL: @test_store40(
; CHECK: %[[A:[^ ]*]] = ptrtoint i40* %a to i64

; ABORT: call void @__hwasan_storeN(i64 %[[A]], i64 5)
; RECOVER: call void @__hwasan_storeN_noabort(i64 %[[A]], i64 5)

; CHECK: %[[A:[^ ]*]] = ptrtoint i40* %a to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = and i64 %[[A]], 72057594037927935
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i40*
; CHECK: store i40 %b, i40* %[[UNTAGGED_PTR]]
; CHECK: ret void

entry:
store i40 %b, i40* %a, align 4
ret void
}

define void @test_store_unaligned(i64* %a, i64 %b) sanitize_hwaddress {
; CHECK-LABEL: @test_store_unaligned(
; CHECK: %[[A:[^ ]*]] = ptrtoint i64* %a to i64

; ABORT: call void @__hwasan_storeN(i64 %[[A]], i64 8)
; RECOVER: call void @__hwasan_storeN_noabort(i64 %[[A]], i64 8)

; CHECK: %[[A:[^ ]*]] = ptrtoint i64* %a to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = and i64 %[[A]], 72057594037927935
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i64*
; CHECK: store i64 %b, i64* %[[UNTAGGED_PTR]], align 4
; CHECK: ret void

entry:
store i64 %b, i64* %a, align 4
ret void
}
34 changes: 34 additions & 0 deletions llvm/test/Instrumentation/HWAddressSanitizer/X86/kernel.ll
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
; Test kernel hwasan instrumentation.
; Generic code is covered by ../kernel.ll, only the x86_64 specific code is
; tested here.
;
; RUN: opt < %s -hwasan -hwasan-kernel=1 -S | FileCheck %s --allow-empty --check-prefixes=INIT
; RUN: opt < %s -hwasan -hwasan-kernel=1 -S | FileCheck %s
; RUN: opt < %s -hwasan -hwasan-kernel=1 -hwasan-mapping-offset=12345678 -S | FileCheck %s
; RUN: opt < %s -hwasan -hwasan-kernel=1 -hwasan-recover=0 -S | FileCheck %s --check-prefixes=CHECK,ABORT
; RUN: opt < %s -hwasan -hwasan-kernel=1 -hwasan-recover=1 -S | FileCheck %s --check-prefixes=CHECK,RECOVER

target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "x86_64-unknown-linux-gnu"

define i8 @test_load(i8* %a) sanitize_hwaddress {
; CHECK-LABEL: @test_load(
; CHECK: %[[A:[^ ]*]] = ptrtoint i8* %a to i64

; ABORT: call void asm sideeffect "int3\0Anopl 64(%rax)", "{rdi}"(i64 %[[A]])
; ABORT: unreachable
; RECOVER: call void asm sideeffect "int3\0Anopl 96(%rax)", "{rdi}"(i64 %[[A]])
; RECOVER: br label

; CHECK: %[[A:[^ ]*]] = ptrtoint i8* %a to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = or i64 %[[A]], -72057594037927936
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i8*
; CHECK: %[[G:[^ ]*]] = load i8, i8* %[[UNTAGGED_PTR]], align 4
; CHECK: ret i8 %[[G]]

entry:
%b = load i8, i8* %a, align 4
ret i8 %b
}

; INIT-NOT: call void @__hwasan_init
79 changes: 79 additions & 0 deletions llvm/test/Instrumentation/HWAddressSanitizer/X86/with-calls.ll
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
; Test basic address sanitizer instrumentation.
;
; RUN: opt < %s -hwasan -hwasan-instrument-with-calls -S | FileCheck %s --check-prefixes=CHECK,ABORT
; RUN: opt < %s -hwasan -hwasan-instrument-with-calls -hwasan-recover=1 -S | FileCheck %s --check-prefixes=CHECK,RECOVER

target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "x86_64-unknown-linux-gnu"

define i8 @test_load8(i8* %a) sanitize_hwaddress {
; CHECK-LABEL: @test_load8(
; CHECK: %[[A:[^ ]*]] = ptrtoint i8* %a to i64

; ABORT: call void @__hwasan_load1(i64 %[[A]])
; RECOVER: call void @__hwasan_load1_noabort(i64 %[[A]])

; CHECK: %[[A:[^ ]*]] = ptrtoint i8* %a to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = and i64 %[[A]], 72057594037927935
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i8*
; CHECK: %[[B:[^ ]*]] = load i8, i8* %[[UNTAGGED_PTR]]
; CHECK: ret i8 %[[B]]

entry:
%b = load i8, i8* %a, align 4
ret i8 %b
}

define i40 @test_load40(i40* %a) sanitize_hwaddress {
; CHECK-LABEL: @test_load40(
; CHECK: %[[A:[^ ]*]] = ptrtoint i40* %a to i64

; ABORT: call void @__hwasan_loadN(i64 %[[A]], i64 5)
; RECOVER: call void @__hwasan_loadN_noabort(i64 %[[A]], i64 5)

; CHECK: %[[A:[^ ]*]] = ptrtoint i40* %a to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = and i64 %[[A]], 72057594037927935
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i40*
; CHECK: %[[B:[^ ]*]] = load i40, i40* %[[UNTAGGED_PTR]]
; CHECK: ret i40 %[[B]]

entry:
%b = load i40, i40* %a, align 4
ret i40 %b
}

define void @test_store8(i8* %a, i8 %b) sanitize_hwaddress {
; CHECK-LABEL: @test_store8(
; CHECK: %[[A:[^ ]*]] = ptrtoint i8* %a to i64

; ABORT: call void @__hwasan_store1(i64 %[[A]])
; RECOVER: call void @__hwasan_store1_noabort(i64 %[[A]])

; CHECK: %[[A:[^ ]*]] = ptrtoint i8* %a to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = and i64 %[[A]], 72057594037927935
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i8*
; CHECK: store i8 %b, i8* %[[UNTAGGED_PTR]]
; CHECK: ret void

entry:
store i8 %b, i8* %a, align 4
ret void
}

define void @test_store40(i40* %a, i40 %b) sanitize_hwaddress {
; CHECK-LABEL: @test_store40(
; CHECK: %[[A:[^ ]*]] = ptrtoint i40* %a to i64

; ABORT: call void @__hwasan_storeN(i64 %[[A]], i64 5)
; RECOVER: call void @__hwasan_storeN_noabort(i64 %[[A]], i64 5)

; CHECK: %[[A:[^ ]*]] = ptrtoint i40* %a to i64
; CHECK: %[[UNTAGGED:[^ ]*]] = and i64 %[[A]], 72057594037927935
; CHECK: %[[UNTAGGED_PTR:[^ ]*]] = inttoptr i64 %[[UNTAGGED]] to i40*
; CHECK: store i40 %b, i40* %[[UNTAGGED_PTR]]
; CHECK: ret void

entry:
store i40 %b, i40* %a, align 4
ret void
}

0 comments on commit 83e7841

Please sign in to comment.