This is an archive of the discontinued LLVM Phabricator instance.

Differential D102901

[HWASan] Add basic stack tagging support for LAM.
ClosedPublic

Authored by morehouse on May 20 2021, 11:43 PM.

Details

Reviewers
vitalybuka
eugenis
xiangzhangllvm
Commits
rG0867edfc6438: [HWASan] Add basic stack tagging support for LAM.
Summary

Adds the basic instrumentation needed for stack tagging.

Currently does not support stack short granules or TLS stack histories,
since a different code path is followed for the callback instrumentation
we use.

We may simply wait to support these two features until we switch to
a custom calling convention.

Diff Detail

Event Timeline

xiangzhangllvm created this revision.May 20 2021, 11:43 PM
Herald added subscribers: pengfei, hiraditya. · View Herald TranscriptMay 20 2021, 11:43 PM
xiangzhangllvm requested review of this revision.May 20 2021, 11:43 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 20 2021, 11:43 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
xiangzhangllvm mentioned this in D102472: [HWASAN] Update the tag info for X86_64.May 20 2021, 11:45 PM
Harbormaster completed remote builds in B105567: Diff 346931.May 21 2021, 12:58 AM
morehouse added inline comments.May 24 2021, 1:03 PM
llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
190

Can we avoid creating ClUntagPointer for now? I am able to test locally with QEMU, and I'm also setting up a buildbot to ensure new patches don't break the LAM functionality.

192

Can we wire ClUsePageAlias up to fsanitize-hwaddress-experimental-aliasing in this patch? Then we can make ClUsePageAlias default to false and can remove this TODO.

193–194
269

Since getTargetTagShift and getTargetTagMask are used only during initializeModule, and since they are both tiny functions, let's remove them and inline the logic in initializeModule.

271

Since this is no longer constexpr, let's remove the k prefix.

502–509

For now we want to keep InstrumentWithCalls == true for x86 in general, even in LAM mode (no aliases). Please update this line.

556–558

We also want to avoid instrumenting globals for now, so please update this line to apply to x86 in general.

719

Please keep this check here for now. I want to avoid reintroducing untagging to x86.

983

The function name is confusing. Can we name it something like applyTagMask?

1004

This mask of the base tag seems unnecessary since we also mask the final tag.

1027

It seems like overkill to move the logic into this function. Let's leave it as part of tagPointer.

1034

Let's avoid implementing the kernel case for LAM, since we don't have a good way to test yet.

1501

Let's avoid doing this for now. I'd like to focus just on stack support in this patch. Future patches can address global support.

llvm/test/Instrumentation/HWAddressSanitizer/X86/stack.ll
5 ↗(On Diff #346931)

Instead of making a new test, can we reuse the alloca tests for aarch64 and update the expected instrumentation?

xiangzhangllvm added a comment.May 25 2021, 12:26 AM

Hello @morehouse, thanks very much for your careful review, I'll fix all your comments, just for "ClUntagPointer", I feel it very useful in my develop.

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
190

Yes, of course, we can. But here ClUntagPointer is disabled in default (false), no affect our current tests.
I and back this option, because I find It is very helpful for me in developing HWASAN without hardware or simulator supported. I can run most simple test on my local machine.

1004

make sense, it seem will handle at retagTargetTag fucntion.

morehouse added inline comments.May 25 2021, 8:31 AM
llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
190

It may be inconvenient for now, but as part of setting up a buildbot I'm also automating the process of setting up the custom QEMU and kernel required to test LAM. If all goes well, it should land later this week or next week. Then you can use that instead of the ClUntagPointer option.

For now, could you keep the ClUntagPointer patch locally for your testing purposes, and remove it from the patch we actually submit?

xiangzhangllvm added a comment.May 26 2021, 12:15 AM

NO problem, Thanks!

xiangzhangllvm updated this revision to Diff 349158.Jun 1 2021, 6:46 PM
xiangzhangllvm updated this revision to Diff 349160.Jun 1 2021, 6:54 PM
xiangzhangllvm marked 11 inline comments as done.
xiangzhangllvm marked 3 inline comments as done.Jun 1 2021, 6:57 PM

Sorry for late update, a little busy in these 2 month : )

Harbormaster completed remote builds in B107169: Diff 349160.Jun 1 2021, 7:55 PM
morehouse added a comment.Jun 2 2021, 4:45 PM

Thanks for the update. I'll take a closer look tomorrow and try testing locally. You can also use the new buildbot script to test in QEMU (see inline comment below).

@eugenis @vitalybuka If you could take a look as well that would be helpful. I'm not too familiar with the stack retagging instrumentation.

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
190

Thanks. FYI, the buildbot is now live: https://lab.llvm.org/buildbot/#/builders/169

You can test locally using the buildbot script here. You can comment out the Scudo stuff to avoid testing that.

You'll need a QEMU image located at /b/qemu_image. You can build one using this script.

193–194

This comment wasn't addressed.

llvm/test/Instrumentation/HWAddressSanitizer/X86/stack.ll
5 ↗(On Diff #346931)

I see this test is gone now, but I don't see any alloca tests copied into the X86 directory. Maybe you forgot to add them in the patch?

xiangzhangllvm added inline comments.Jun 2 2021, 5:45 PM
llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
190

Thanks for your work! let me do a try.

193–194

Oh, yes, I should use "hwasan-experimental-use-page-aliases", thank you very much!

llvm/test/Instrumentation/HWAddressSanitizer/X86/stack.ll
5 ↗(On Diff #346931)

Did you mean the llvm/test/Instrumentation/HWAddressSanitizer/alloca.ll ?
It already at the parent directory of this test (llvm/test/Instrumentation/HWAddressSanitizer/X86)
So, the check-all can test it.

morehouse added inline comments.Jun 2 2021, 5:49 PM
llvm/test/Instrumentation/HWAddressSanitizer/X86/stack.ll
5 ↗(On Diff #346931)

I meant that one and the other tests with alloca in the name. Those are testing instrumentation for aarch64. I want to also check the instrumentation for them on x86, since we have differences between the architectures.

xiangzhangllvm added inline comments.Jun 3 2021, 12:44 AM
llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
190

How can I run it online for this patch ? (it seems jobs in https://lab.llvm.org/buildbot/#/builders/169 are on line )

(For locally test, I can't download the QEMU in my company's server, for network permission and without root authority)

morehouse added inline comments.Jun 3 2021, 12:32 PM
llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
190

Can't run it online unless its been submitted.

Sounds like your setup isn't well suited for working on LAM support. I was planning to work on stack and globals support anyway, so perhaps I will commandeer these patches and work on them myself.

eugenis added inline comments.Jun 3 2021, 2:15 PM
llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
969

retagMaskX86

You could also make this non-static and get rid of the second argument. Or apply the mask in retagMask.

1004

It seems more efficient to mask StackTag, and then make sure that all retag constants are within the mask bits. This way you'll only need to apply the mask once per function.

1022

Why not simply replace 0xFF here with TagMaskByte?

xiangzhangllvm added inline comments.Jun 3 2021, 8:42 PM
llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
190

OK, no problem, feel free to use this patch, Let co-push the HWASAN work.
I'll continue to refine it (finish you and eugenis's comments).

1022

Because "xor" will let Tag > TagMask again : )

morehouse commandeered this revision.Jun 7 2021, 3:58 PM
morehouse edited reviewers, added: xiangzhangllvm; removed: morehouse.

I've addressed most comments locally; commandeering to prevent wasting Xiang's time addressing the feedback.

Will upload with tests tomorrow.

morehouse retitled this revision from [HWASAN] Update pointer tag for X86_64 to [HWASan] Add basic stack tagging support for LAM..Jun 9 2021, 12:29 PM
morehouse edited the summary of this revision. (Show Details)
morehouse updated this revision to Diff 350975.Jun 9 2021, 12:30 PM
morehouse marked 3 inline comments as done.
  • Rename flag as experimental.
  • Refactor and simplify code.
  • Apply mask to base tag only.
  • Enable some compiler-rt stack tests on x86.
  • Add IR tests.
Herald added a project: Restricted Project. · View Herald TranscriptJun 9 2021, 12:30 PM
Herald added subscribers: Restricted Project, cfe-commits. · View Herald Transcript
morehouse updated this revision to Diff 350976.Jun 9 2021, 12:38 PM
  • Privatize new member variables.
vitalybuka accepted this revision.Jun 9 2021, 1:17 PM
vitalybuka added inline comments.
llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
507

As is it's not technically correct

525

maybe move up and combine with other IsX86 checks about

962

const

This revision is now accepted and ready to land.Jun 9 2021, 1:17 PM
morehouse updated this revision to Diff 350989.Jun 9 2021, 1:26 PM
morehouse marked 2 inline comments as done.
  • - Address nits.
Harbormaster completed remote builds in B108484: Diff 350989.Jun 9 2021, 2:17 PM
morehouse updated this revision to Diff 351459.Jun 11 2021, 8:18 AM
  • Fix clang test failure on Windows.
This revision was landed with ongoing or failed builds.Jun 11 2021, 8:22 AM
Closed by commit rG0867edfc6438: [HWASan] Add basic stack tagging support for LAM. (authored by morehouse). · Explain Why
This revision was automatically updated to reflect the committed changes.
morehouse added a commit: rG0867edfc6438: [HWASan] Add basic stack tagging support for LAM..
Harbormaster completed remote builds in B108823: Diff 351459.Jun 11 2021, 9:28 AM

Revision Contents

PathSize
clang/
lib/
Driver/
5 lines
test/
Driver/
3 lines
compiler-rt/
test/
hwasan/
TestCases/
2 lines
5 lines
5 lines
7 lines
2 lines
2 lines
2 lines
3 lines
2 lines
llvm/
lib/
Transforms/
Instrumentation/
78 lines
test/
Instrumentation/
HWAddressSanitizer/
X86/
15 lines
23 lines
45 lines

Diff 351460

clang/lib/Driver/SanitizerArgs.cpp

Show First 20 LinesShow All 1,053 Lines▼ Show 20 Lines if (!TsanFuncEntryExit) {
CmdArgs.push_back("-mllvm"); CmdArgs.push_back("-mllvm");
CmdArgs.push_back("-tsan-instrument-func-entry-exit=0"); CmdArgs.push_back("-tsan-instrument-func-entry-exit=0");
} }
if (!TsanAtomics) { if (!TsanAtomics) {
CmdArgs.push_back("-mllvm"); CmdArgs.push_back("-mllvm");
CmdArgs.push_back("-tsan-instrument-atomics=0"); CmdArgs.push_back("-tsan-instrument-atomics=0");
} }
if (HwasanUseAliases) {
CmdArgs.push_back("-mllvm");
CmdArgs.push_back("-hwasan-experimental-use-page-aliases=1");
}
if (CfiCrossDso) if (CfiCrossDso)
CmdArgs.push_back("-fsanitize-cfi-cross-dso"); CmdArgs.push_back("-fsanitize-cfi-cross-dso");
if (CfiICallGeneralizePointers) if (CfiICallGeneralizePointers)
CmdArgs.push_back("-fsanitize-cfi-icall-generalize-pointers"); CmdArgs.push_back("-fsanitize-cfi-icall-generalize-pointers");
if (CfiCanonicalJumpTables) if (CfiCanonicalJumpTables)
CmdArgs.push_back("-fsanitize-cfi-canonical-jump-tables"); CmdArgs.push_back("-fsanitize-cfi-canonical-jump-tables");
▲ Show 20 LinesShow All 189 LinesShow Last 20 Lines

clang/test/Driver/fsanitize.c

Show First 20 LinesShow All 889 Lines▼ Show 20 Lines
// RUN: %clang -target x86_64-linux-gnu -fsanitize=hwaddress %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-HWASAN-INTERCEPTOR-ABI // RUN: %clang -target x86_64-linux-gnu -fsanitize=hwaddress %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-HWASAN-INTERCEPTOR-ABI
// RUN: %clang -target x86_64-linux-gnu -fsanitize=hwaddress -fsanitize-hwaddress-abi=interceptor %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-HWASAN-INTERCEPTOR-ABI // RUN: %clang -target x86_64-linux-gnu -fsanitize=hwaddress -fsanitize-hwaddress-abi=interceptor %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-HWASAN-INTERCEPTOR-ABI
// RUN: %clang -target x86_64-linux-gnu -fsanitize=hwaddress -fsanitize-hwaddress-abi=platform %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-HWASAN-PLATFORM-ABI // RUN: %clang -target x86_64-linux-gnu -fsanitize=hwaddress -fsanitize-hwaddress-abi=platform %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-HWASAN-PLATFORM-ABI
// RUN: %clang -target x86_64-linux-gnu -fsanitize=hwaddress -fsanitize-hwaddress-abi=foo %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-HWASAN-FOO-ABI // RUN: %clang -target x86_64-linux-gnu -fsanitize=hwaddress -fsanitize-hwaddress-abi=foo %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-HWASAN-FOO-ABI
// CHECK-HWASAN-INTERCEPTOR-ABI: "-default-function-attr" "hwasan-abi=interceptor" // CHECK-HWASAN-INTERCEPTOR-ABI: "-default-function-attr" "hwasan-abi=interceptor"
// CHECK-HWASAN-PLATFORM-ABI: "-default-function-attr" "hwasan-abi=platform" // CHECK-HWASAN-PLATFORM-ABI: "-default-function-attr" "hwasan-abi=platform"
// CHECK-HWASAN-FOO-ABI: error: invalid value 'foo' in '-fsanitize-hwaddress-abi=foo' // CHECK-HWASAN-FOO-ABI: error: invalid value 'foo' in '-fsanitize-hwaddress-abi=foo'
// RUN: %clang -target x86_64-linux-gnu -fsanitize=hwaddress -fsanitize-hwaddress-experimental-aliasing %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-HWASAN-ALIAS
// CHECK-HWASAN-ALIAS: "-mllvm" "-hwasan-experimental-use-page-aliases=1"
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address,pointer-compare,pointer-subtract %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-POINTER-ALL // RUN: %clang -target x86_64-linux-gnu -fsanitize=address,pointer-compare,pointer-subtract %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-POINTER-ALL
// RUN: %clang -target x86_64-linux-gnu -fsanitize=pointer-compare %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-POINTER-CMP-NEEDS-ADDRESS // RUN: %clang -target x86_64-linux-gnu -fsanitize=pointer-compare %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-POINTER-CMP-NEEDS-ADDRESS
// RUN: %clang -target x86_64-linux-gnu -fsanitize=pointer-subtract %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-POINTER-SUB-NEEDS-ADDRESS // RUN: %clang -target x86_64-linux-gnu -fsanitize=pointer-subtract %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-POINTER-SUB-NEEDS-ADDRESS
// RUN: %clang -target x86_64-linux-gnu -fsanitize=pointer-subtract -fno-sanitize=pointer-subtract %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-POINTER-SUB // RUN: %clang -target x86_64-linux-gnu -fsanitize=pointer-subtract -fno-sanitize=pointer-subtract %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-POINTER-SUB
// RUN: %clang -target x86_64-linux-gnu -fsanitize=pointer-compare -fno-sanitize=pointer-compare %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-POINTER-CMP // RUN: %clang -target x86_64-linux-gnu -fsanitize=pointer-compare -fno-sanitize=pointer-compare %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-POINTER-CMP
// CHECK-POINTER-ALL: -cc1{{.*}}-fsanitize={{[^"]*}}pointer-compare,pointer-subtract{{.*}}" {{.*}} "-mllvm" "-asan-detect-invalid-pointer-cmp" {{.*}}"-mllvm" "-asan-detect-invalid-pointer-sub" // CHECK-POINTER-ALL: -cc1{{.*}}-fsanitize={{[^"]*}}pointer-compare,pointer-subtract{{.*}}" {{.*}} "-mllvm" "-asan-detect-invalid-pointer-cmp" {{.*}}"-mllvm" "-asan-detect-invalid-pointer-sub"
// CHECK-POINTER-CMP-NEEDS-ADDRESS: error: invalid argument '-fsanitize=pointer-compare' only allowed with '-fsanitize=address' // CHECK-POINTER-CMP-NEEDS-ADDRESS: error: invalid argument '-fsanitize=pointer-compare' only allowed with '-fsanitize=address'
// CHECK-POINTER-SUB-NEEDS-ADDRESS: error: invalid argument '-fsanitize=pointer-subtract' only allowed with '-fsanitize=address' // CHECK-POINTER-SUB-NEEDS-ADDRESS: error: invalid argument '-fsanitize=pointer-subtract' only allowed with '-fsanitize=address'
Show All 16 Lines

compiler-rt/test/hwasan/TestCases/deep-recursion.c

// RUN: %clang_hwasan -O1 %s -o %t // RUN: %clang_hwasan -O1 %s -o %t
// RUN: %env_hwasan_opts=stack_history_size=1 not %run %t 2>&1 | FileCheck %s --check-prefix=D1 // RUN: %env_hwasan_opts=stack_history_size=1 not %run %t 2>&1 | FileCheck %s --check-prefix=D1
// RUN: %env_hwasan_opts=stack_history_size=2 not %run %t 2>&1 | FileCheck %s --check-prefix=D2 // RUN: %env_hwasan_opts=stack_history_size=2 not %run %t 2>&1 | FileCheck %s --check-prefix=D2
// RUN: %env_hwasan_opts=stack_history_size=3 not %run %t 2>&1 | FileCheck %s --check-prefix=D3 // RUN: %env_hwasan_opts=stack_history_size=3 not %run %t 2>&1 | FileCheck %s --check-prefix=D3
// RUN: %env_hwasan_opts=stack_history_size=5 not %run %t 2>&1 | FileCheck %s --check-prefix=D5 // RUN: %env_hwasan_opts=stack_history_size=5 not %run %t 2>&1 | FileCheck %s --check-prefix=D5
// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=DEFAULT // RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=DEFAULT
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
// Stack aliasing is not implemented on x86. // Stack histories are currently not recorded on x86.
// XFAIL: x86_64 // XFAIL: x86_64
#include <stdlib.h> #include <stdlib.h>
// At least -O1 is needed for this function to not have a stack frame on // At least -O1 is needed for this function to not have a stack frame on
// AArch64. // AArch64.
void USE(void *x) { // pretend_to_do_something(void *x) void USE(void *x) { // pretend_to_do_something(void *x)
__asm__ __volatile__("" : : "r" (x) : "memory"); __asm__ __volatile__("" : : "r" (x) : "memory");
} }
▲ Show 20 LinesShow All 58 LinesShow Last 20 Lines

compiler-rt/test/hwasan/TestCases/longjmp.c

// RUN: %clang_hwasan -O0 -DNEGATIVE %s -o %t && %run %t 2>&1 // RUN: %clang_hwasan -O0 -DNEGATIVE %s -o %t && %run %t 2>&1
// RUN: %clang_hwasan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clang_hwasan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// REQUIRES: stable-runtime // REQUIRES: stable-runtime, pointer-tagging
// Stack aliasing is not implemented on x86.
// XFAIL: x86_64
#include <stdlib.h> #include <stdlib.h>
#include <assert.h> #include <assert.h>
#include <sanitizer/hwasan_interface.h> #include <sanitizer/hwasan_interface.h>
__attribute__((noinline)) __attribute__((noinline))
int f(void *caller_frame) { int f(void *caller_frame) {
int z = 0; int z = 0;
Show All 14 Lines

compiler-rt/test/hwasan/TestCases/mem-intrinsics.c

// RUN: %clang_hwasan %s -DTEST_NO=1 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE // RUN: %clang_hwasan %s -DTEST_NO=1 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE
// RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=READ // RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=READ
// RUN: %clang_hwasan %s -DTEST_NO=3 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE // RUN: %clang_hwasan %s -DTEST_NO=3 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE
// RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %env_hwasan_opts=halt_on_error=0 %run %t 2>&1 | FileCheck %s --check-prefix=RECOVER // RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %env_hwasan_opts=halt_on_error=0 %run %t 2>&1 | FileCheck %s --check-prefix=RECOVER
// REQUIRES: stable-runtime // REQUIRES: stable-runtime, pointer-tagging
// Stack aliasing is not implemented on x86.
// XFAIL: x86_64
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
int main() { int main() {
char Q[16] __attribute__((aligned(256))); char Q[16] __attribute__((aligned(256)));
char P[16] __attribute__((aligned(256))); char P[16] __attribute__((aligned(256)));
Show All 25 Lines

compiler-rt/test/hwasan/TestCases/rich-stack.c

// Test how stack frames are reported (not fully implemented yet). // Test how stack frames are reported (not fully implemented yet).
// RUN: %clang_hwasan %s -o %t // RUN: %clang_hwasan %s -o %t
// RUN: not %run %t 3 2 -1 2>&1 | FileCheck %s --check-prefix=R321 // RUN: not %run %t 3 2 -1 2>&1 | FileCheck %s --check-prefix=R321
// REQUIRES: stable-runtime // REQUIRES: stable-runtime, pointer-tagging
// Stack aliasing is not implemented on x86.
// XFAIL: x86_64
#include <stdint.h> #include <stdint.h>
#include <stdlib.h> #include <stdlib.h>
void USE(void *x) { // pretend_to_do_something(void *x) void USE(void *x) { // pretend_to_do_something(void *x)
__asm__ __volatile__("" : : "r" (x) : "memory"); __asm__ __volatile__("" : : "r" (x) : "memory");
} }
void USE2(void *a, void *b) { USE(a); USE(b); } void USE2(void *a, void *b) { USE(a); USE(b); }
void USE4(void *a, void *b, void *c, void *d) { USE2(a, b); USE2(c, d); } void USE4(void *a, void *b, void *c, void *d) { USE2(a, b); USE2(c, d); }
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Linesint main(int argc, char **argv) {
int err_depth = atoi(argv[2]); int err_depth = atoi(argv[2]);
int offset = atoi(argv[3]); int offset = atoi(argv[3]);
FOO(depth, err_depth, offset); FOO(depth, err_depth, offset);
return 0; return 0;
} }
// R321: HWAddressSanitizer: tag-mismatch // R321: HWAddressSanitizer: tag-mismatch
// R321-NEXT: WRITE of size 8 // R321-NEXT: WRITE of size 8
// R321-NEXT: in BAR // R321: in BAR
// R321-NEXT: in FOO // R321-NEXT: in FOO
// R321-NEXT: in main // R321-NEXT: in main
// R321: is located in stack of thread T0 // R321: is located in stack of thread T0

compiler-rt/test/hwasan/TestCases/stack-history-length.c

// RUN: %clang_hwasan -O1 %s -o %t // RUN: %clang_hwasan -O1 %s -o %t
// RUN: %env_hwasan_opts=stack_history_size=2048 not %run %t 2045 2>&1 | FileCheck %s --check-prefix=YES // RUN: %env_hwasan_opts=stack_history_size=2048 not %run %t 2045 2>&1 | FileCheck %s --check-prefix=YES
// RUN: %env_hwasan_opts=stack_history_size=2048 not %run %t 2047 2>&1 | FileCheck %s --check-prefix=NO // RUN: %env_hwasan_opts=stack_history_size=2048 not %run %t 2047 2>&1 | FileCheck %s --check-prefix=NO
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
// Stack aliasing is not implemented on x86. // Stack histories are currently not recorded on x86.
// XFAIL: x86_64 // XFAIL: x86_64
#include <stdlib.h> #include <stdlib.h>
void USE(void *x) { // pretend_to_do_something(void *x) void USE(void *x) { // pretend_to_do_something(void *x)
__asm__ __volatile__("" : : "r" (x) : "memory"); __asm__ __volatile__("" : : "r" (x) : "memory");
} }
Show All 27 Lines

compiler-rt/test/hwasan/TestCases/stack-oob.c

// RUN: %clang_hwasan_oldrt -DSIZE=2 -O0 %s -o %t && %run %t // RUN: %clang_hwasan_oldrt -DSIZE=2 -O0 %s -o %t && %run %t
// RUN: %clang_hwasan -DSIZE=2 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clang_hwasan -DSIZE=2 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_hwasan_oldrt -DSIZE=15 -O0 %s -o %t && %run %t // RUN: %clang_hwasan_oldrt -DSIZE=15 -O0 %s -o %t && %run %t
// RUN: %clang_hwasan -DSIZE=15 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clang_hwasan -DSIZE=15 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_hwasan_oldrt -DSIZE=16 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clang_hwasan_oldrt -DSIZE=16 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_hwasan -DSIZE=16 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clang_hwasan -DSIZE=16 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_hwasan -DSIZE=64 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clang_hwasan -DSIZE=64 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_hwasan -DSIZE=0x1000 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clang_hwasan -DSIZE=0x1000 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
// Stack aliasing is not implemented on x86. // Stack short granules are currently not implemented on x86.
// XFAIL: x86_64 // XFAIL: x86_64
#include <stdlib.h> #include <stdlib.h>
#include <sanitizer/hwasan_interface.h> #include <sanitizer/hwasan_interface.h>
__attribute__((noinline)) __attribute__((noinline))
int f() { int f() {
char z[SIZE]; char z[SIZE];
Show All 13 Lines

compiler-rt/test/hwasan/TestCases/stack-uar-dynamic.c

// RUN: %clang_hwasan -g %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clang_hwasan -g %s -o %t && not %run %t 2>&1 | FileCheck %s
// Dynamic allocation of stack objects does not affect FP, so the backend should // Dynamic allocation of stack objects does not affect FP, so the backend should
// still be using FP-relative debug info locations that we can use to find stack // still be using FP-relative debug info locations that we can use to find stack
// objects. // objects.
// Stack aliasing is not implemented on x86. // Stack histories are currently not recorded on x86.
// XFAIL: x86_64 // XFAIL: x86_64
__attribute((noinline)) __attribute((noinline))
char *buggy(int b) { char *buggy(int b) {
char c[64]; char c[64];
char *volatile p = c; char *volatile p = c;
if (b) { if (b) {
p = __builtin_alloca(64); p = __builtin_alloca(64);
Show All 11 Lines

compiler-rt/test/hwasan/TestCases/stack-uar-realign.c

// RUN: %clang_hwasan -g %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clang_hwasan -g %s -o %t && not %run %t 2>&1 | FileCheck %s
// Dynamic stack realignment causes debug info locations to use non-FP-relative // Dynamic stack realignment causes debug info locations to use non-FP-relative
// offsets because stack frames are realigned below FP, which means that we // offsets because stack frames are realigned below FP, which means that we
// can't associate addresses with stack objects in this case. Ideally we should // can't associate addresses with stack objects in this case. Ideally we should
// be able to handle this case somehow (e.g. by using a different register for // be able to handle this case somehow (e.g. by using a different register for
// DW_AT_frame_base) but at least we shouldn't get confused by it. // DW_AT_frame_base) but at least we shouldn't get confused by it.
// Stack aliasing is not implemented on x86. // REQUIRES: pointer-tagging
// XFAIL: x86_64
__attribute((noinline)) __attribute((noinline))
char *buggy() { char *buggy() {
_Alignas(64) char c[64]; _Alignas(64) char c[64];
char *volatile p = c; char *volatile p = c;
return p; return p;
} }
int main() { int main() {
char *p = buggy(); char *p = buggy();
// CHECK-NOT: Potentially referenced stack objects: // CHECK-NOT: Potentially referenced stack objects:
p[0] = 0; p[0] = 0;
} }

compiler-rt/test/hwasan/TestCases/stack-uar.c

// Tests use-after-return detection and reporting. // Tests use-after-return detection and reporting.
// RUN: %clang_hwasan -g %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clang_hwasan -g %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_hwasan -g %s -o %t && not %env_hwasan_opts=symbolize=0 %run %t 2>&1 | FileCheck %s --check-prefix=NOSYM // RUN: %clang_hwasan -g %s -o %t && not %env_hwasan_opts=symbolize=0 %run %t 2>&1 | FileCheck %s --check-prefix=NOSYM
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
// Stack aliasing is not implemented on x86. // Stack histories currently are not recorded on x86.
// XFAIL: x86_64 // XFAIL: x86_64
void USE(void *x) { // pretend_to_do_something(void *x) void USE(void *x) { // pretend_to_do_something(void *x)
__asm__ __volatile__("" : : "r" (x) : "memory"); __asm__ __volatile__("" : : "r" (x) : "memory");
} }
__attribute__((noinline)) __attribute__((noinline))
char *buggy() { char *buggy() {
Show All 31 Lines

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp

Show First 20 LinesShow All 63 Lines▼ Show 20 Linesconst char kHwasanShadowMemoryDynamicAddress[] =
"__hwasan_shadow_memory_dynamic_address"; "__hwasan_shadow_memory_dynamic_address";
// Accesses sizes are powers of two: 1, 2, 4, 8, 16. // Accesses sizes are powers of two: 1, 2, 4, 8, 16.
static const size_t kNumberOfAccessSizes = 5; static const size_t kNumberOfAccessSizes = 5;
static const size_t kDefaultShadowScale = 4; static const size_t kDefaultShadowScale = 4;
static const uint64_t kDynamicShadowSentinel = static const uint64_t kDynamicShadowSentinel =
std::numeric_limits<uint64_t>::max(); std::numeric_limits<uint64_t>::max();
static const unsigned kPointerTagShift = 56;
static const unsigned kShadowBaseAlignment = 32; static const unsigned kShadowBaseAlignment = 32;
static cl::opt<std::string> static cl::opt<std::string>
ClMemoryAccessCallbackPrefix("hwasan-memory-access-callback-prefix", ClMemoryAccessCallbackPrefix("hwasan-memory-access-callback-prefix",
cl::desc("Prefix for memory access callbacks"), cl::desc("Prefix for memory access callbacks"),
cl::Hidden, cl::init("__hwasan_")); cl::Hidden, cl::init("__hwasan_"));
▲ Show 20 LinesShow All 100 Lines▼ Show 20 Linesstatic cl::opt<bool> ClInstrumentPersonalityFunctions(
"hwasan-instrument-personality-functions", "hwasan-instrument-personality-functions",
cl::desc("instrument personality functions"), cl::Hidden, cl::init(false), cl::desc("instrument personality functions"), cl::Hidden, cl::init(false),
cl::ZeroOrMore); cl::ZeroOrMore);
static cl::opt<bool> ClInlineAllChecks("hwasan-inline-all-checks", static cl::opt<bool> ClInlineAllChecks("hwasan-inline-all-checks",
cl::desc("inline all checks"), cl::desc("inline all checks"),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
// Enabled from clang by "-fsanitize-hwaddress-experimental-aliasing".
static cl::opt<bool> ClUsePageAliases("hwasan-experimental-use-page-aliases",
cl::desc("Use page aliasing in HWASan"),
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

Can we avoid creating ClUntagPointer for now? I am able to test locally with QEMU, and I'm also setting up a buildbot to ensure new patches don't break the LAM functionality.

morehouse: Can we avoid creating `ClUntagPointer` for now? I am able to test locally with QEMU, and I'm…
xiangzhangllvmUnsubmitted
Done
ReplyInline Actions

Yes, of course, we can. But here ClUntagPointer is disabled in default (false), no affect our current tests.
I and back this option, because I find It is very helpful for me in developing HWASAN without hardware or simulator supported. I can run most simple test on my local machine.

xiangzhangllvm: Yes, of course, we can. But here ClUntagPointer is disabled in default (false), no affect our…
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

It may be inconvenient for now, but as part of setting up a buildbot I'm also automating the process of setting up the custom QEMU and kernel required to test LAM. If all goes well, it should land later this week or next week. Then you can use that instead of the ClUntagPointer option.

For now, could you keep the ClUntagPointer patch locally for your testing purposes, and remove it from the patch we actually submit?

morehouse: It may be inconvenient for now, but as part of setting up a buildbot I'm also automating the…
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

Thanks. FYI, the buildbot is now live: https://lab.llvm.org/buildbot/#/builders/169

You can test locally using the buildbot script here. You can comment out the Scudo stuff to avoid testing that.

You'll need a QEMU image located at /b/qemu_image. You can build one using this script.

morehouse: Thanks. FYI, the buildbot is now live: https://lab.llvm.org/buildbot/#/builders/169 You can…
xiangzhangllvmUnsubmitted
Done
ReplyInline Actions

Thanks for your work! let me do a try.

xiangzhangllvm: Thanks for your work! let me do a try.
xiangzhangllvmUnsubmitted
Done
ReplyInline Actions

How can I run it online for this patch ? (it seems jobs in https://lab.llvm.org/buildbot/#/builders/169 are on line )

(For locally test, I can't download the QEMU in my company's server, for network permission and without root authority)

xiangzhangllvm: How can I run it online for this patch ? (it seems jobs in https://lab.llvm.
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

Can't run it online unless its been submitted.

Sounds like your setup isn't well suited for working on LAM support. I was planning to work on stack and globals support anyway, so perhaps I will commandeer these patches and work on them myself.

morehouse: Can't run it online unless its been submitted. Sounds like your setup isn't well suited for…
xiangzhangllvmUnsubmitted
Done
ReplyInline Actions

OK, no problem, feel free to use this patch, Let co-push the HWASAN work.
I'll continue to refine it (finish you and eugenis's comments).

xiangzhangllvm: OK, no problem, feel free to use this patch, Let co-push the HWASAN work. I'll continue to…
cl::Hidden, cl::init(false));
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

Can we wire ClUsePageAlias up to fsanitize-hwaddress-experimental-aliasing in this patch? Then we can make ClUsePageAlias default to false and can remove this TODO.

morehouse: Can we wire `ClUsePageAlias` up to `fsanitize-hwaddress-experimental-aliasing` in this patch?
namespace { namespace {
morehouseAuthorUnsubmitted
Done
ReplyInline Actions
// TODO: Need to co-related with clang option.
- static cl::opt<bool> ClUsePageAlias("hwasan-use-page-alias",
- cl::desc("hwasan use page alias"),
+ static cl::opt<bool> ClUsePageAliases("hwasan-experimental-use-page-aliases",
+ cl::desc("Use page aliasing in HWASan"),
cl::Hidden, cl::init(true));
morehouse:
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

This comment wasn't addressed.

morehouse: This comment wasn't addressed.
xiangzhangllvmUnsubmitted
Done
ReplyInline Actions

Oh, yes, I should use "hwasan-experimental-use-page-aliases", thank you very much!

xiangzhangllvm: Oh, yes, I should use "hwasan-experimental-use-page-aliases", thank you very much!
/// An instrumentation pass implementing detection of addressability bugs /// An instrumentation pass implementing detection of addressability bugs
/// using tagged pointers. /// using tagged pointers.
class HWAddressSanitizer { class HWAddressSanitizer {
public: public:
explicit HWAddressSanitizer(Module &M, bool CompileKernel = false, explicit HWAddressSanitizer(Module &M, bool CompileKernel = false,
bool Recover = false) bool Recover = false)
: M(M) { : M(M) {
this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover; this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover;
Show All 38 Linespublic:
bool instrumentLandingPads(SmallVectorImpl<Instruction *> &RetVec); bool instrumentLandingPads(SmallVectorImpl<Instruction *> &RetVec);
Value *getNextTagWithCall(IRBuilder<> &IRB); Value *getNextTagWithCall(IRBuilder<> &IRB);
Value *getStackBaseTag(IRBuilder<> &IRB); Value *getStackBaseTag(IRBuilder<> &IRB);
Value *getAllocaTag(IRBuilder<> &IRB, Value *StackTag, AllocaInst *AI, Value *getAllocaTag(IRBuilder<> &IRB, Value *StackTag, AllocaInst *AI,
unsigned AllocaNo); unsigned AllocaNo);
Value *getUARTag(IRBuilder<> &IRB, Value *StackTag); Value *getUARTag(IRBuilder<> &IRB, Value *StackTag);
Value *getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty); Value *getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty);
Value *applyTagMask(IRBuilder<> &IRB, Value *OldTag);
unsigned retagMask(unsigned AllocaNo);
void emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord); void emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord);
void instrumentGlobal(GlobalVariable *GV, uint8_t Tag); void instrumentGlobal(GlobalVariable *GV, uint8_t Tag);
void instrumentGlobals(); void instrumentGlobals();
void instrumentPersonalityFunctions(); void instrumentPersonalityFunctions();
private: private:
LLVMContext *C; LLVMContext *C;
Module &M; Module &M;
Triple TargetTriple; Triple TargetTriple;
FunctionCallee HWAsanMemmove, HWAsanMemcpy, HWAsanMemset; FunctionCallee HWAsanMemmove, HWAsanMemcpy, HWAsanMemset;
FunctionCallee HWAsanHandleVfork; FunctionCallee HWAsanHandleVfork;
/// This struct defines the shadow mapping using the rule: /// This struct defines the shadow mapping using the rule:
/// shadow = (mem >> Scale) + Offset. /// shadow = (mem >> Scale) + Offset.
/// If InGlobal is true, then /// If InGlobal is true, then
/// extern char __hwasan_shadow[]; /// extern char __hwasan_shadow[];
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

Since getTargetTagShift and getTargetTagMask are used only during initializeModule, and since they are both tiny functions, let's remove them and inline the logic in initializeModule.

morehouse: Since `getTargetTagShift` and `getTargetTagMask` are used only during `initializeModule`, and…
/// shadow = (mem >> Scale) + &__hwasan_shadow /// shadow = (mem >> Scale) + &__hwasan_shadow
/// If InTls is true, then /// If InTls is true, then
morehouseAuthorUnsubmitted
Done
ReplyInline Actions
return 0xFFLL;
}
- unsigned kPointerTagShift;
+ unsigned PointerTagShift;
uint64_t TagMaskByte;

Since this is no longer constexpr, let's remove the k prefix.

morehouse: Since this is no longer constexpr, let's remove the `k` prefix.
/// extern char *__hwasan_tls; /// extern char *__hwasan_tls;
/// shadow = (mem>>Scale) + align_up(__hwasan_shadow, kShadowBaseAlignment) /// shadow = (mem>>Scale) + align_up(__hwasan_shadow, kShadowBaseAlignment)
/// ///
/// If WithFrameRecord is true, then __hwasan_tls will be used to access the /// If WithFrameRecord is true, then __hwasan_tls will be used to access the
/// ring buffer for storing stack allocations on targets that support it. /// ring buffer for storing stack allocations on targets that support it.
struct ShadowMapping { struct ShadowMapping {
int Scale; int Scale;
uint64_t Offset; uint64_t Offset;
Show All 20 Linesprivate:
bool InstrumentLandingPads; bool InstrumentLandingPads;
bool InstrumentWithCalls; bool InstrumentWithCalls;
bool InstrumentStack; bool InstrumentStack;
bool UsePageAliases; bool UsePageAliases;
bool HasMatchAllTag = false; bool HasMatchAllTag = false;
uint8_t MatchAllTag = 0; uint8_t MatchAllTag = 0;
unsigned PointerTagShift;
uint64_t TagMaskByte;
Function *HwasanCtorFunction; Function *HwasanCtorFunction;
FunctionCallee HwasanMemoryAccessCallback[2][kNumberOfAccessSizes]; FunctionCallee HwasanMemoryAccessCallback[2][kNumberOfAccessSizes];
FunctionCallee HwasanMemoryAccessCallbackSized[2]; FunctionCallee HwasanMemoryAccessCallbackSized[2];
FunctionCallee HwasanTagMemoryFunc; FunctionCallee HwasanTagMemoryFunc;
FunctionCallee HwasanGenerateTagFunc; FunctionCallee HwasanGenerateTagFunc;
▲ Show 20 LinesShow All 175 Lines▼ Show 20 Lines
/// ///
/// inserts a call to __hwasan_init to the module's constructor list. /// inserts a call to __hwasan_init to the module's constructor list.
void HWAddressSanitizer::initializeModule() { void HWAddressSanitizer::initializeModule() {
LLVM_DEBUG(dbgs() << "Init " << M.getName() << "\n"); LLVM_DEBUG(dbgs() << "Init " << M.getName() << "\n");
auto &DL = M.getDataLayout(); auto &DL = M.getDataLayout();
TargetTriple = Triple(M.getTargetTriple()); TargetTriple = Triple(M.getTargetTriple());
// x86_64 uses userspace pointer aliases, currently heap-only with callback // x86_64 currently has two modes:
// instrumentation only. // - Intel LAM (default)
UsePageAliases = TargetTriple.getArch() == Triple::x86_64; // - pointer aliasing
InstrumentWithCalls = UsePageAliases ? true : ClInstrumentWithCalls; // Pointer aliasing mode is heap only. LAM mode is heap+stack, with support
// planned for globals as well.
bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64;
vitalybukaUnsubmitted
Done
ReplyInline Actions
// planned for globals as well.
- bool IsX86 = TargetTriple.getArch() == Triple::x86_64;
+ bool Isx86_64 = TargetTriple.getArch() == Triple::x86_64;
UsePageAliases = ClUsePageAliases && IsX86;

As is it's not technically correct

vitalybuka: As is it's not technically correct
UsePageAliases = ClUsePageAliases && IsX86_64;
InstrumentWithCalls = IsX86_64 ? true : ClInstrumentWithCalls;
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

For now we want to keep InstrumentWithCalls == true for x86 in general, even in LAM mode (no aliases). Please update this line.

morehouse: For now we want to keep `InstrumentWithCalls == true` for x86 in general, even in LAM mode (no…
InstrumentStack = UsePageAliases ? false : ClInstrumentStack; InstrumentStack = UsePageAliases ? false : ClInstrumentStack;
PointerTagShift = IsX86_64 ? 57 : 56;
TagMaskByte = IsX86_64 ? 0x3F : 0xFF;
Mapping.init(TargetTriple, InstrumentWithCalls); Mapping.init(TargetTriple, InstrumentWithCalls);
C = &(M.getContext()); C = &(M.getContext());
IRBuilder<> IRB(*C); IRBuilder<> IRB(*C);
IntptrTy = IRB.getIntPtrTy(DL); IntptrTy = IRB.getIntPtrTy(DL);
Int8PtrTy = IRB.getInt8PtrTy(); Int8PtrTy = IRB.getInt8PtrTy();
Int8Ty = IRB.getInt8Ty(); Int8Ty = IRB.getInt8Ty();
Int32Ty = IRB.getInt32Ty(); Int32Ty = IRB.getInt32Ty();
HwasanCtorFunction = nullptr; HwasanCtorFunction = nullptr;
// Older versions of Android do not have the required runtime support for // Older versions of Android do not have the required runtime support for
vitalybukaUnsubmitted
Done
ReplyInline Actions

maybe move up and combine with other IsX86 checks about

vitalybuka: maybe move up and combine with other IsX86 checks about
// short granules, global or personality function instrumentation. On other // short granules, global or personality function instrumentation. On other
// platforms we currently require using the latest version of the runtime. // platforms we currently require using the latest version of the runtime.
bool NewRuntime = bool NewRuntime =
!TargetTriple.isAndroid() || !TargetTriple.isAndroidVersionLT(30); !TargetTriple.isAndroid() || !TargetTriple.isAndroidVersionLT(30);
UseShortGranules = UseShortGranules =
ClUseShortGranules.getNumOccurrences() ? ClUseShortGranules : NewRuntime; ClUseShortGranules.getNumOccurrences() ? ClUseShortGranules : NewRuntime;
OutlinedChecks = OutlinedChecks =
Show All 14 Linesvoid HWAddressSanitizer::initializeModule() {
InstrumentLandingPads = ClInstrumentLandingPads.getNumOccurrences() InstrumentLandingPads = ClInstrumentLandingPads.getNumOccurrences()
? ClInstrumentLandingPads ? ClInstrumentLandingPads
: !NewRuntime; : !NewRuntime;
if (!CompileKernel) { if (!CompileKernel) {
createHwasanCtorComdat(); createHwasanCtorComdat();
bool InstrumentGlobals = bool InstrumentGlobals =
ClGlobals.getNumOccurrences() ? ClGlobals : NewRuntime; ClGlobals.getNumOccurrences() ? ClGlobals : NewRuntime;
if (InstrumentGlobals && !UsePageAliases)
// TODO: Support globals for x86_64 in non-aliasing mode.
if (InstrumentGlobals && !IsX86_64)
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

We also want to avoid instrumenting globals for now, so please update this line to apply to x86 in general.

morehouse: We also want to avoid instrumenting globals for now, so please update this line to apply to x86…
instrumentGlobals(); instrumentGlobals();
bool InstrumentPersonalityFunctions = bool InstrumentPersonalityFunctions =
ClInstrumentPersonalityFunctions.getNumOccurrences() ClInstrumentPersonalityFunctions.getNumOccurrences()
? ClInstrumentPersonalityFunctions ? ClInstrumentPersonalityFunctions
: NewRuntime; : NewRuntime;
if (InstrumentPersonalityFunctions) if (InstrumentPersonalityFunctions)
instrumentPersonalityFunctions(); instrumentPersonalityFunctions();
▲ Show 20 LinesShow All 162 Lines▼ Show 20 Lines
static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { static size_t TypeSizeToSizeIndex(uint32_t TypeSize) {
size_t Res = countTrailingZeros(TypeSize / 8); size_t Res = countTrailingZeros(TypeSize / 8);
assert(Res < kNumberOfAccessSizes); assert(Res < kNumberOfAccessSizes);
return Res; return Res;
} }
void HWAddressSanitizer::untagPointerOperand(Instruction *I, Value *Addr) { void HWAddressSanitizer::untagPointerOperand(Instruction *I, Value *Addr) {
if (TargetTriple.isAArch64() || TargetTriple.getArch() == Triple::x86_64) if (TargetTriple.isAArch64() || TargetTriple.getArch() == Triple::x86_64)
return; return;
morehouseAuthorUnsubmitted
Not Done
ReplyInline Actions

Please keep this check here for now. I want to avoid reintroducing untagging to x86.

morehouse: Please keep this check here for now. I want to avoid reintroducing untagging to x86.
IRBuilder<> IRB(I); IRBuilder<> IRB(I);
Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);
Value *UntaggedPtr = Value *UntaggedPtr =
IRB.CreateIntToPtr(untagPointer(IRB, AddrLong), Addr->getType()); IRB.CreateIntToPtr(untagPointer(IRB, AddrLong), Addr->getType());
I->setOperand(getPointerOperandIndex(I), UntaggedPtr); I->setOperand(getPointerOperandIndex(I), UntaggedPtr);
} }
Show All 26 Lines IRB.CreateCall(Intrinsic::getDeclaration(
M, UseShortGranules M, UseShortGranules
? Intrinsic::hwasan_check_memaccess_shortgranules ? Intrinsic::hwasan_check_memaccess_shortgranules
: Intrinsic::hwasan_check_memaccess), : Intrinsic::hwasan_check_memaccess),
{ShadowBase, Ptr, ConstantInt::get(Int32Ty, AccessInfo)}); {ShadowBase, Ptr, ConstantInt::get(Int32Ty, AccessInfo)});
return; return;
} }
Value *PtrLong = IRB.CreatePointerCast(Ptr, IntptrTy); Value *PtrLong = IRB.CreatePointerCast(Ptr, IntptrTy);
Value *PtrTag = IRB.CreateTrunc(IRB.CreateLShr(PtrLong, kPointerTagShift), Value *PtrTag = IRB.CreateTrunc(IRB.CreateLShr(PtrLong, PointerTagShift),
IRB.getInt8Ty()); IRB.getInt8Ty());
Value *AddrLong = untagPointer(IRB, PtrLong); Value *AddrLong = untagPointer(IRB, PtrLong);
Value *Shadow = memToShadow(AddrLong, IRB); Value *Shadow = memToShadow(AddrLong, IRB);
Value *MemTag = IRB.CreateLoad(Int8Ty, Shadow); Value *MemTag = IRB.CreateLoad(Int8Ty, Shadow);
Value *TagMismatch = IRB.CreateICmpNE(PtrTag, MemTag); Value *TagMismatch = IRB.CreateICmpNE(PtrTag, MemTag);
if (HasMatchAllTag) { if (HasMatchAllTag) {
Value *TagNotIgnored = IRB.CreateICmpNE( Value *TagNotIgnored = IRB.CreateICmpNE(
▲ Show 20 LinesShow All 151 Lines▼ Show 20 Lines if (Size != AlignedSize) {
IRB.CreateStore(JustTag, IRB.CreateConstGEP1_32( IRB.CreateStore(JustTag, IRB.CreateConstGEP1_32(
Int8Ty, IRB.CreateBitCast(AI, Int8PtrTy), Int8Ty, IRB.CreateBitCast(AI, Int8PtrTy),
AlignedSize - 1)); AlignedSize - 1));
} }
} }
return true; return true;
} }
static unsigned RetagMask(unsigned AllocaNo) { unsigned HWAddressSanitizer::retagMask(unsigned AllocaNo) {
if (TargetTriple.getArch() == Triple::x86_64)
return AllocaNo & TagMaskByte;
// A list of 8-bit numbers that have at most one run of non-zero bits. // A list of 8-bit numbers that have at most one run of non-zero bits.
// x = x ^ (mask << 56) can be encoded as a single armv8 instruction for these // x = x ^ (mask << 56) can be encoded as a single armv8 instruction for these
// masks. // masks.
// The list does not include the value 255, which is used for UAR. // The list does not include the value 255, which is used for UAR.
// //
// Because we are more likely to use earlier elements of this list than later // Because we are more likely to use earlier elements of this list than later
// ones, it is sorted in increasing order of probability of collision with a // ones, it is sorted in increasing order of probability of collision with a
// mask allocated (temporally) nearby. The program that generated this list // mask allocated (temporally) nearby. The program that generated this list
// can be found at: // can be found at:
// https://github.com/google/sanitizers/blob/master/hwaddress-sanitizer/sort_masks.py // https://github.com/google/sanitizers/blob/master/hwaddress-sanitizer/sort_masks.py
static unsigned FastMasks[] = {0, 128, 64, 192, 32, 96, 224, 112, 240, static unsigned FastMasks[] = {0, 128, 64, 192, 32, 96, 224, 112, 240,
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

const

vitalybuka: const
48, 16, 120, 248, 56, 24, 8, 124, 252, 48, 16, 120, 248, 56, 24, 8, 124, 252,
60, 28, 12, 4, 126, 254, 62, 30, 14, 60, 28, 12, 4, 126, 254, 62, 30, 14,
6, 2, 127, 63, 31, 15, 7, 3, 1}; 6, 2, 127, 63, 31, 15, 7, 3, 1};
return FastMasks[AllocaNo % (sizeof(FastMasks) / sizeof(FastMasks[0]))]; return FastMasks[AllocaNo % (sizeof(FastMasks) / sizeof(FastMasks[0]))];
} }
Value *HWAddressSanitizer::applyTagMask(IRBuilder<> &IRB, Value *OldTag) {
eugenisUnsubmitted
Done
ReplyInline Actions

retagMaskX86

You could also make this non-static and get rid of the second argument. Or apply the mask in retagMask.

eugenis: retagMaskX86 You could also make this non-static and get rid of the second argument. Or apply…
if (TargetTriple.getArch() == Triple::x86_64) {
Constant *TagMask = ConstantInt::get(IntptrTy, TagMaskByte);
Value *NewTag = IRB.CreateAnd(OldTag, TagMask);
return NewTag;
}
// aarch64 uses 8-bit tags, so no mask is needed.
return OldTag;
}
Value *HWAddressSanitizer::getNextTagWithCall(IRBuilder<> &IRB) { Value *HWAddressSanitizer::getNextTagWithCall(IRBuilder<> &IRB) {
return IRB.CreateZExt(IRB.CreateCall(HwasanGenerateTagFunc), IntptrTy); return IRB.CreateZExt(IRB.CreateCall(HwasanGenerateTagFunc), IntptrTy);
} }
Value *HWAddressSanitizer::getStackBaseTag(IRBuilder<> &IRB) { Value *HWAddressSanitizer::getStackBaseTag(IRBuilder<> &IRB) {
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

The function name is confusing. Can we name it something like applyTagMask?

morehouse: The function name is confusing. Can we name it something like `applyTagMask`?
if (ClGenerateTagsWithCalls) if (ClGenerateTagsWithCalls)
return getNextTagWithCall(IRB); return getNextTagWithCall(IRB);
if (StackBaseTag) if (StackBaseTag)
return StackBaseTag; return StackBaseTag;
// FIXME: use addressofreturnaddress (but implement it in aarch64 backend // FIXME: use addressofreturnaddress (but implement it in aarch64 backend
// first). // first).
Module *M = IRB.GetInsertBlock()->getParent()->getParent(); Module *M = IRB.GetInsertBlock()->getParent()->getParent();
auto GetStackPointerFn = Intrinsic::getDeclaration( auto GetStackPointerFn = Intrinsic::getDeclaration(
M, Intrinsic::frameaddress, M, Intrinsic::frameaddress,
IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace())); IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace()));
Value *StackPointer = IRB.CreateCall( Value *StackPointer = IRB.CreateCall(
GetStackPointerFn, {Constant::getNullValue(IRB.getInt32Ty())}); GetStackPointerFn, {Constant::getNullValue(IRB.getInt32Ty())});
// Extract some entropy from the stack pointer for the tags. // Extract some entropy from the stack pointer for the tags.
// Take bits 20..28 (ASLR entropy) and xor with bits 0..8 (these differ // Take bits 20..28 (ASLR entropy) and xor with bits 0..8 (these differ
// between functions). // between functions).
Value *StackPointerLong = IRB.CreatePointerCast(StackPointer, IntptrTy); Value *StackPointerLong = IRB.CreatePointerCast(StackPointer, IntptrTy);
Value *StackTag = Value *StackTag =
IRB.CreateXor(StackPointerLong, IRB.CreateLShr(StackPointerLong, 20), applyTagMask(IRB, IRB.CreateXor(StackPointerLong,
"hwasan.stack.base.tag"); IRB.CreateLShr(StackPointerLong, 20)));
StackTag->setName("hwasan.stack.base.tag");
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

This mask of the base tag seems unnecessary since we also mask the final tag.

morehouse: This mask of the base tag seems unnecessary since we also mask the final tag.
xiangzhangllvmUnsubmitted
Done
ReplyInline Actions

make sense, it seem will handle at retagTargetTag fucntion.

xiangzhangllvm: make sense, it seem will handle at retagTargetTag fucntion.
eugenisUnsubmitted
Done
ReplyInline Actions

It seems more efficient to mask StackTag, and then make sure that all retag constants are within the mask bits. This way you'll only need to apply the mask once per function.

eugenis: It seems more efficient to mask StackTag, and then make sure that all retag constants are…
return StackTag; return StackTag;
} }
Value *HWAddressSanitizer::getAllocaTag(IRBuilder<> &IRB, Value *StackTag, Value *HWAddressSanitizer::getAllocaTag(IRBuilder<> &IRB, Value *StackTag,
AllocaInst *AI, unsigned AllocaNo) { AllocaInst *AI, unsigned AllocaNo) {
if (ClGenerateTagsWithCalls) if (ClGenerateTagsWithCalls)
return getNextTagWithCall(IRB); return getNextTagWithCall(IRB);
return IRB.CreateXor(StackTag, return IRB.CreateXor(StackTag,
ConstantInt::get(IntptrTy, RetagMask(AllocaNo))); ConstantInt::get(IntptrTy, retagMask(AllocaNo)));
} }
Value *HWAddressSanitizer::getUARTag(IRBuilder<> &IRB, Value *StackTag) { Value *HWAddressSanitizer::getUARTag(IRBuilder<> &IRB, Value *StackTag) {
if (ClUARRetagToZero) if (ClUARRetagToZero)
return ConstantInt::get(IntptrTy, 0); return ConstantInt::get(IntptrTy, 0);
if (ClGenerateTagsWithCalls) if (ClGenerateTagsWithCalls)
return getNextTagWithCall(IRB); return getNextTagWithCall(IRB);
return IRB.CreateXor(StackTag, ConstantInt::get(IntptrTy, 0xFFU)); return IRB.CreateXor(StackTag, ConstantInt::get(IntptrTy, TagMaskByte));
} }
eugenisUnsubmitted
Done
ReplyInline Actions

Why not simply replace 0xFF here with TagMaskByte?

eugenis: Why not simply replace 0xFF here with TagMaskByte?
xiangzhangllvmUnsubmitted
Done
ReplyInline Actions

Because "xor" will let Tag > TagMask again : )

xiangzhangllvm: Because "xor" will let Tag > TagMask again : )
// Add a tag to an address. // Add a tag to an address.
Value *HWAddressSanitizer::tagPointer(IRBuilder<> &IRB, Type *Ty, Value *HWAddressSanitizer::tagPointer(IRBuilder<> &IRB, Type *Ty,
Value *PtrLong, Value *Tag) { Value *PtrLong, Value *Tag) {
assert(!UsePageAliases); assert(!UsePageAliases);
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

It seems like overkill to move the logic into this function. Let's leave it as part of tagPointer.

morehouse: It seems like overkill to move the logic into this function. Let's leave it as part of…
Value *TaggedPtrLong; Value *TaggedPtrLong;
if (CompileKernel) { if (CompileKernel) {
// Kernel addresses have 0xFF in the most significant byte. // Kernel addresses have 0xFF in the most significant byte.
Value *ShiftedTag = IRB.CreateOr( Value *ShiftedTag =
IRB.CreateShl(Tag, kPointerTagShift), IRB.CreateOr(IRB.CreateShl(Tag, PointerTagShift),
ConstantInt::get(IntptrTy, (1ULL << kPointerTagShift) - 1)); ConstantInt::get(IntptrTy, (1ULL << PointerTagShift) - 1));
TaggedPtrLong = IRB.CreateAnd(PtrLong, ShiftedTag); TaggedPtrLong = IRB.CreateAnd(PtrLong, ShiftedTag);
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

Let's avoid implementing the kernel case for LAM, since we don't have a good way to test yet.

morehouse: Let's avoid implementing the kernel case for LAM, since we don't have a good way to test yet.
} else { } else {
// Userspace can simply do OR (tag << 56); // Userspace can simply do OR (tag << PointerTagShift);
Value *ShiftedTag = IRB.CreateShl(Tag, kPointerTagShift); Value *ShiftedTag = IRB.CreateShl(Tag, PointerTagShift);
TaggedPtrLong = IRB.CreateOr(PtrLong, ShiftedTag); TaggedPtrLong = IRB.CreateOr(PtrLong, ShiftedTag);
} }
return IRB.CreateIntToPtr(TaggedPtrLong, Ty); return IRB.CreateIntToPtr(TaggedPtrLong, Ty);
} }
// Remove tag from an address. // Remove tag from an address.
Value *HWAddressSanitizer::untagPointer(IRBuilder<> &IRB, Value *PtrLong) { Value *HWAddressSanitizer::untagPointer(IRBuilder<> &IRB, Value *PtrLong) {
assert(!UsePageAliases); assert(!UsePageAliases);
Value *UntaggedPtrLong; Value *UntaggedPtrLong;
if (CompileKernel) { if (CompileKernel) {
// Kernel addresses have 0xFF in the most significant byte. // Kernel addresses have 0xFF in the most significant byte.
UntaggedPtrLong = UntaggedPtrLong =
IRB.CreateOr(PtrLong, ConstantInt::get(PtrLong->getType(), IRB.CreateOr(PtrLong, ConstantInt::get(PtrLong->getType(),
0xFFULL << kPointerTagShift)); 0xFFULL << PointerTagShift));
} else { } else {
// Userspace addresses have 0x00. // Userspace addresses have 0x00.
UntaggedPtrLong = IRB.CreateAnd( UntaggedPtrLong =
PtrLong, IRB.CreateAnd(PtrLong, ConstantInt::get(PtrLong->getType(),
ConstantInt::get(PtrLong->getType(), ~(0xFFULL << kPointerTagShift))); ~(0xFFULL << PointerTagShift)));
} }
return UntaggedPtrLong; return UntaggedPtrLong;
} }
Value *HWAddressSanitizer::getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty) { Value *HWAddressSanitizer::getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty) {
Module *M = IRB.GetInsertBlock()->getParent()->getParent(); Module *M = IRB.GetInsertBlock()->getParent()->getParent();
if (TargetTriple.isAArch64() && TargetTriple.isAndroid()) { if (TargetTriple.isAArch64() && TargetTriple.isAndroid()) {
// Android provides a fixed TLS slot for sanitizers. See TLS_SLOT_SANITIZER // Android provides a fixed TLS slot for sanitizers. See TLS_SLOT_SANITIZER
▲ Show 20 LinesShow All 133 Lines▼ Show 20 Lines for (unsigned N = 0; N < Allocas.size(); ++N) {
AI->replaceUsesWithIf(Replacement, AI->replaceUsesWithIf(Replacement,
[AILong](Use &U) { return U.getUser() != AILong; }); [AILong](Use &U) { return U.getUser() != AILong; });
for (auto *DDI : AllocaDbgMap.lookup(AI)) { for (auto *DDI : AllocaDbgMap.lookup(AI)) {
// Prepend "tag_offset, N" to the dwarf expression. // Prepend "tag_offset, N" to the dwarf expression.
// Tag offset logically applies to the alloca pointer, and it makes sense // Tag offset logically applies to the alloca pointer, and it makes sense
// to put it at the beginning of the expression. // to put it at the beginning of the expression.
SmallVector<uint64_t, 8> NewOps = {dwarf::DW_OP_LLVM_tag_offset, SmallVector<uint64_t, 8> NewOps = {dwarf::DW_OP_LLVM_tag_offset,
RetagMask(N)}; retagMask(N)};
auto Locations = DDI->location_ops(); auto Locations = DDI->location_ops();
unsigned LocNo = std::distance(Locations.begin(), find(Locations, AI)); unsigned LocNo = std::distance(Locations.begin(), find(Locations, AI));
DDI->setExpression( DDI->setExpression(
DIExpression::appendOpsToArg(DDI->getExpression(), NewOps, LocNo)); DIExpression::appendOpsToArg(DDI->getExpression(), NewOps, LocNo));
} }
size_t Size = getAllocaSizeInBytes(*AI); size_t Size = getAllocaSizeInBytes(*AI);
tagAlloca(IRB, AI, Tag, Size); tagAlloca(IRB, AI, Tag, Size);
▲ Show 20 LinesShow All 240 Lines▼ Show 20 Lines for (uint64_t DescriptorPos = 0; DescriptorPos < SizeInBytes;
Descriptor->setMetadata(LLVMContext::MD_associated, Descriptor->setMetadata(LLVMContext::MD_associated,
MDNode::get(*C, ValueAsMetadata::get(NewGV))); MDNode::get(*C, ValueAsMetadata::get(NewGV)));
appendToCompilerUsed(M, Descriptor); appendToCompilerUsed(M, Descriptor);
} }
Constant *Aliasee = ConstantExpr::getIntToPtr( Constant *Aliasee = ConstantExpr::getIntToPtr(
ConstantExpr::getAdd( ConstantExpr::getAdd(
ConstantExpr::getPtrToInt(NewGV, Int64Ty), ConstantExpr::getPtrToInt(NewGV, Int64Ty),
ConstantInt::get(Int64Ty, uint64_t(Tag) << kPointerTagShift)), ConstantInt::get(Int64Ty, uint64_t(Tag) << PointerTagShift)),
GV->getType()); GV->getType());
auto *Alias = GlobalAlias::create(GV->getValueType(), GV->getAddressSpace(), auto *Alias = GlobalAlias::create(GV->getValueType(), GV->getAddressSpace(),
GV->getLinkage(), "", Aliasee, &M); GV->getLinkage(), "", Aliasee, &M);
Alias->setVisibility(GV->getVisibility()); Alias->setVisibility(GV->getVisibility());
Alias->takeName(GV); Alias->takeName(GV);
GV->replaceAllUsesWith(Alias); GV->replaceAllUsesWith(Alias);
GV->eraseFromParent(); GV->eraseFromParent();
} }
Show All 21 Linesvoid HWAddressSanitizer::instrumentGlobals() {
MD5 Hasher; MD5 Hasher;
Hasher.update(M.getSourceFileName()); Hasher.update(M.getSourceFileName());
MD5::MD5Result Hash; MD5::MD5Result Hash;
Hasher.final(Hash); Hasher.final(Hash);
uint8_t Tag = Hash[0]; uint8_t Tag = Hash[0];
for (GlobalVariable *GV : Globals) { for (GlobalVariable *GV : Globals) {
// Skip tag 0 in order to avoid collisions with untagged memory. // Skip tag 0 in order to avoid collisions with untagged memory.
if (Tag == 0) if (Tag == 0)
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

Let's avoid doing this for now. I'd like to focus just on stack support in this patch. Future patches can address global support.

morehouse: Let's avoid doing this for now. I'd like to focus just on stack support in this patch. Future…
Tag = 1; Tag = 1;
instrumentGlobal(GV, Tag++); instrumentGlobal(GV, Tag++);
} }
} }
void HWAddressSanitizer::instrumentPersonalityFunctions() { void HWAddressSanitizer::instrumentPersonalityFunctions() {
// We need to untag stack frames as we unwind past them. That is the job of // We need to untag stack frames as we unwind past them. That is the job of
// the personality function wrapper, which either wraps an existing // the personality function wrapper, which either wraps an existing
▲ Show 20 LinesShow All 97 LinesShow Last 20 Lines

llvm/test/Instrumentation/HWAddressSanitizer/X86/alloca-array.ll

  • This file was added.
; RUN: opt < %s -hwasan -S | FileCheck %s
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
declare void @use(i8*, i8*)
define void @test_alloca() sanitize_hwaddress {
; CHECK: alloca { [4 x i8], [12 x i8] }, align 16
%x = alloca i8, i64 4
; CHECK: alloca i8, i64 16, align 16
%y = alloca i8, i64 16
call void @use(i8* %x, i8* %y)
ret void
}

llvm/test/Instrumentation/HWAddressSanitizer/X86/alloca-with-calls.ll

  • This file was added.
; Test alloca instrumentation when tags are generated by HWASan function.
;
; RUN: opt < %s -hwasan -hwasan-generate-tags-with-calls -S | FileCheck %s
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
declare void @use32(i32*)
define void @test_alloca() sanitize_hwaddress {
; CHECK-LABEL: @test_alloca(
; CHECK: %[[BC:[^ ]*]] = bitcast { i32, [12 x i8] }* %x to i32*
; CHECK: %[[T1:[^ ]*]] = call i8 @__hwasan_generate_tag()
; CHECK: %[[A:[^ ]*]] = zext i8 %[[T1]] to i64
; CHECK: %[[B:[^ ]*]] = ptrtoint i32* %[[BC]] to i64
; CHECK: %[[C:[^ ]*]] = shl i64 %[[A]], 57
; CHECK: or i64 %[[B]], %[[C]]
entry:
%x = alloca i32, align 4
call void @use32(i32* nonnull %x)
ret void
}

llvm/test/Instrumentation/HWAddressSanitizer/X86/alloca.ll

  • This file was added.
; Test alloca instrumentation.
;
; RUN: opt < %s -hwasan -S | FileCheck %s --check-prefixes=CHECK,NO-UAR-TAGS
; RUN: opt < %s -hwasan -hwasan-uar-retag-to-zero=0 -S | FileCheck %s --check-prefixes=CHECK,UAR-TAGS
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
declare void @use32(i32*)
define void @test_alloca() sanitize_hwaddress {
; CHECK-LABEL: @test_alloca(
; CHECK: %[[FP:[^ ]*]] = call i8* @llvm.frameaddress.p0i8(i32 0)
; CHECK: %[[A:[^ ]*]] = ptrtoint i8* %[[FP]] to i64
; CHECK: %[[B:[^ ]*]] = lshr i64 %[[A]], 20
; CHECK: %[[A_XOR_B:[^ ]*]] = xor i64 %[[A]], %[[B]]
; CHECK: %[[BASE_TAG:[^ ]*]] = and i64 %[[A_XOR_B]], 63
; CHECK: %[[X:[^ ]*]] = alloca { i32, [12 x i8] }, align 16
; CHECK: %[[X_BC:[^ ]*]] = bitcast { i32, [12 x i8] }* %[[X]] to i32*
; CHECK: %[[X_TAG:[^ ]*]] = xor i64 %[[BASE_TAG]], 0
; CHECK: %[[X1:[^ ]*]] = ptrtoint i32* %[[X_BC]] to i64
; CHECK: %[[C:[^ ]*]] = shl i64 %[[X_TAG]], 57
; CHECK: %[[D:[^ ]*]] = or i64 %[[X1]], %[[C]]
; CHECK: %[[X_HWASAN:[^ ]*]] = inttoptr i64 %[[D]] to i32*
; CHECK: %[[X_TAG2:[^ ]*]] = trunc i64 %[[X_TAG]] to i8
; CHECK: %[[X_I8:[^ ]*]] = bitcast i32* %[[X_BC]] to i8*
; CHECK: call void @__hwasan_tag_memory(i8* %[[X_I8]], i8 %[[X_TAG2]], i64 16)
; CHECK: call void @use32(i32* nonnull %[[X_HWASAN]])
; UAR-TAGS: %[[BASE_TAG_COMPL:[^ ]*]] = xor i64 %[[BASE_TAG]], 63
; UAR-TAGS: %[[X_TAG_UAR:[^ ]*]] = trunc i64 %[[BASE_TAG_COMPL]] to i8
; CHECK: %[[X_I8_2:[^ ]*]] = bitcast i32* %[[X_BC]] to i8*
; NO-UAR-TAGS: call void @__hwasan_tag_memory(i8* %[[X_I8_2]], i8 0, i64 16)
; UAR-TAGS: call void @__hwasan_tag_memory(i8* %[[X_I8_2]], i8 %[[X_TAG_UAR]], i64 16)
; CHECK: ret void
entry:
%x = alloca i32, align 4
call void @use32(i32* nonnull %x)
ret void
}