This is an archive of the discontinued LLVM Phabricator instance.

Differential D107901

[hwasan] Prevent reordering of tag checks.
ClosedPublic

Authored by fmayer on Aug 11 2021, 6:27 AM.

Details

Reviewers
eugenis
pcc
Commits
rG0deedaa23f71: [hwasan] Prevent reordering of tag checks.
Summary

They were previously unconstrained, which allowed them to be reordered
before the shadow memory write.

Diff Detail

Event Timeline

fmayer created this revision.Aug 11 2021, 6:27 AM
Herald added a subscriber: hiraditya. · View Herald TranscriptAug 11 2021, 6:27 AM
Harbormaster completed remote builds in B119062: Diff 365734.Aug 11 2021, 7:13 AM
fmayer updated this revision to Diff 365786.Aug 11 2021, 10:06 AM

commit message change

fmayer published this revision for review.Aug 11 2021, 10:08 AM
fmayer added reviewers: eugenis, pcc.

I ran 50 iterations of pdfium_test with baseline vs. this change and could see no statistically significant change (p-value is 88%): https://colab.research.google.com/drive/1BBOT0BYGnvS9bvbryMNyAsVBbVM30gx5#scrollTo=cfis4f2vI305

Herald added a project: Restricted Project. · View Herald TranscriptAug 11 2021, 10:08 AM
Herald added subscribers: llvm-commits, jdoerfert. · View Herald Transcript
Harbormaster completed remote builds in B119098: Diff 365786.Aug 11 2021, 10:48 AM
eugenis added a comment.Aug 11 2021, 2:21 PM

Is mayStore=1 necessary? It does not make any sense, these instruction do not write to memory.

fmayer updated this revision to Diff 366030.Aug 12 2021, 10:35 AM

only mayload

fmayer added a comment.Aug 12 2021, 10:35 AM
In D107901#2940403, @eugenis wrote:

Is mayStore=1 necessary? It does not make any sense, these instruction do not write to memory.

That also works. I don't think it's necessary to re-run the benchmarks as it's not expected that things are worse like this.

Harbormaster completed remote builds in B119280: Diff 366030.Aug 12 2021, 11:10 AM
eugenis added a comment.Aug 12 2021, 11:59 AM

It would be nice to have a test for this, maybe something like test/CodeGen/AArch64/irg-nomem.mir (but the opposite - you'd want store merging to not happen).

Another weird thing: even without this patch I see

{ 561,        2,      0,      0,      0,      0|(1ULL<<MCID::Pseudo)|(1ULL<<MCID::MayLoad)|(1ULL<<MCID::MayStore), 0x0ULL, ImplicitList4, ImplicitList5, OperandInfo65 },  // Inst #561 = HWASAN_CHECK_MEMACCESS
{ 562,        2,      0,      0,      0,      0|(1ULL<<MCID::Pseudo)|(1ULL<<MCID::MayLoad)|(1ULL<<MCID::MayStore), 0x0ULL, ImplicitList6, ImplicitList5, OperandInfo65 },  // Inst #562 = HWASAN_CHECK_MEMACCESS_SHORTGRANULES

in lib/Target/AArch64/AArch64GenInstrInfo.inc, i.e. these instructions are already mayLoad | mayStore.

eugenis added a comment.Aug 12 2021, 12:01 PM

I find this program useful to test aliasing behavior:

void zzz(long *x) {
  x[0] = 42;
  x[1] = 42;
}

With -fno-slp-vectorize it generates store - check - store sequence where two stores can be merged into store-pair (see AArch64LoadStoreOptimizer) if hwasan check is not mayLoadOrStore.

fmayer added a comment.Aug 13 2021, 7:16 AM
In D107901#2942065, @eugenis wrote:

Another weird thing: even without this patch I see

{ 561,        2,      0,      0,      0,      0|(1ULL<<MCID::Pseudo)|(1ULL<<MCID::MayLoad)|(1ULL<<MCID::MayStore), 0x0ULL, ImplicitList4, ImplicitList5, OperandInfo65 },  // Inst #561 = HWASAN_CHECK_MEMACCESS
{ 562,        2,      0,      0,      0,      0|(1ULL<<MCID::Pseudo)|(1ULL<<MCID::MayLoad)|(1ULL<<MCID::MayStore), 0x0ULL, ImplicitList6, ImplicitList5, OperandInfo65 },  // Inst #562 = HWASAN_CHECK_MEMACCESS_SHORTGRANULES

in lib/Target/AArch64/AArch64GenInstrInfo.inc, i.e. these instructions are already mayLoad | mayStore.

I tried to revert this part and it still solves the issues. I would still prefer to leave it as is to have it more explicit.

fmayer updated this revision to Diff 366335.Aug 13 2021, 12:34 PM

revert unnecessary change

Harbormaster completed remote builds in B119488: Diff 366335.Aug 13 2021, 1:02 PM
fmayer updated this revision to Diff 366639.Aug 16 2021, 8:22 AM

add test

fmayer updated this revision to Diff 366640.Aug 16 2021, 8:22 AM

add missing newline

fmayer added a comment.Aug 16 2021, 8:23 AM

I verified this test fails at baseline and passes with this change.

Harbormaster completed remote builds in B119720: Diff 366640.Aug 16 2021, 8:50 AM
eugenis accepted this revision.Aug 16 2021, 1:02 PM

LGTM

Please check that the test works in release-without-assertions build. It tends to loose names of temporaries like "%x.hwasan".

This revision is now accepted and ready to land.Aug 16 2021, 1:02 PM
fmayer added a comment.Aug 17 2021, 2:17 AM
In D107901#2947723, @eugenis wrote:

LGTM

Please check that the test works in release-without-assertions build. It tends to loose names of temporaries like "%x.hwasan".

passes with -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_ASSERTIONS=0

Closed by commit rG0deedaa23f71: [hwasan] Prevent reordering of tag checks. (authored by fmayer). · Explain WhyAug 17 2021, 2:21 AM
This revision was automatically updated to reflect the committed changes.
fmayer added a commit: rG0deedaa23f71: [hwasan] Prevent reordering of tag checks..
fmayer mentioned this in D107495: [hwasan] barrier after tagging and before tag check..Aug 17 2021, 2:38 AM
aeubanks added a subscriber: aeubanks.Feb 9 2022, 4:05 PM
aeubanks added inline comments.
llvm/test/Instrumentation/HWAddressSanitizer/memaccess-clobber.ll
3

this is the only user of print-memdeps which is a legacy PM-specific pass. -analyze is also a legacy PM-specific feature.
is there a better way of testing this? memdep is deprecated anyway

fmayer added inline comments.Feb 9 2022, 4:15 PM
llvm/test/Instrumentation/HWAddressSanitizer/memaccess-clobber.ll
3

I don't know of any more direct way to test this. Is there in the new PM that you know about that can give information about memory dependencies / what can't be reordered?

aeubanks added inline comments.Feb 9 2022, 5:07 PM
llvm/test/Instrumentation/HWAddressSanitizer/memaccess-clobber.ll
3

D119393

Revision Contents

PathSize
llvm/
include/
llvm/
IR/
4 lines
test/
Instrumentation/
HWAddressSanitizer/
20 lines

Diff 366843

llvm/include/llvm/IR/Intrinsics.td

Show First 20 LinesShow All 1,564 Lines▼ Show 20 Lines
// callees. This needs to be a musttail call. // callees. This needs to be a musttail call.
def int_icall_branch_funnel : DefaultAttrsIntrinsic<[], [llvm_vararg_ty], []>; def int_icall_branch_funnel : DefaultAttrsIntrinsic<[], [llvm_vararg_ty], []>;
def int_load_relative: DefaultAttrsIntrinsic<[llvm_ptr_ty], [llvm_ptr_ty, llvm_anyint_ty], def int_load_relative: DefaultAttrsIntrinsic<[llvm_ptr_ty], [llvm_ptr_ty, llvm_anyint_ty],
[IntrReadMem, IntrArgMemOnly]>; [IntrReadMem, IntrArgMemOnly]>;
def int_hwasan_check_memaccess : def int_hwasan_check_memaccess :
Intrinsic<[], [llvm_ptr_ty, llvm_ptr_ty, llvm_i32_ty], Intrinsic<[], [llvm_ptr_ty, llvm_ptr_ty, llvm_i32_ty],
[IntrInaccessibleMemOnly, ImmArg<ArgIndex<2>>]>; [ImmArg<ArgIndex<2>>]>;
def int_hwasan_check_memaccess_shortgranules : def int_hwasan_check_memaccess_shortgranules :
Intrinsic<[], [llvm_ptr_ty, llvm_ptr_ty, llvm_i32_ty], Intrinsic<[], [llvm_ptr_ty, llvm_ptr_ty, llvm_i32_ty],
[IntrInaccessibleMemOnly, ImmArg<ArgIndex<2>>]>; [ImmArg<ArgIndex<2>>]>;
// Xray intrinsics // Xray intrinsics
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Custom event logging for x-ray. // Custom event logging for x-ray.
// Takes a pointer to a string and the length of the string. // Takes a pointer to a string and the length of the string.
def int_xray_customevent : Intrinsic<[], [llvm_ptr_ty, llvm_i32_ty], def int_xray_customevent : Intrinsic<[], [llvm_ptr_ty, llvm_i32_ty],
[IntrWriteMem, NoCapture<ArgIndex<0>>, [IntrWriteMem, NoCapture<ArgIndex<0>>,
ReadOnly<ArgIndex<0>>]>; ReadOnly<ArgIndex<0>>]>;
▲ Show 20 LinesShow All 209 LinesShow Last 20 Lines

llvm/test/Instrumentation/HWAddressSanitizer/memaccess-clobber.ll

  • This file was added.
; Make sure memaccess checks preceed the following reads.
;
; RUN: opt < %s -S -enable-new-pm=0 -hwasan -basic-aa -memdep -print-memdeps -analyze -mtriple aarch64-linux-android30 | FileCheck %s
aeubanksUnsubmitted
Not Done
ReplyInline Actions

this is the only user of print-memdeps which is a legacy PM-specific pass. -analyze is also a legacy PM-specific feature.
is there a better way of testing this? memdep is deprecated anyway

aeubanks: this is the only user of `print-memdeps` which is a legacy PM-specific pass. `-analyze` is also…
fmayerAuthorUnsubmitted
Done
ReplyInline Actions

I don't know of any more direct way to test this. Is there in the new PM that you know about that can give information about memory dependencies / what can't be reordered?

fmayer: I don't know of any more direct way to test this. Is there in the new PM that you know about…
aeubanksUnsubmitted
Not Done
ReplyInline Actions

D119393

aeubanks: D119393
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64--linux-android10000"
declare void @use32(i32*)
define i32 @test_alloca() sanitize_hwaddress {
entry:
%x = alloca i32, align 4
call void @use32(i32* nonnull %x)
; CHECK: Clobber from: call void @llvm.hwasan.check.memaccess.shortgranule
; CHECK-NEXT: load i32, i32* %x.hwasan, align 4
%y = load i32, i32* %x
; CHECK: Clobber from: %y = load i32, i32* %x.hwasan, align 4
; CHECK-NEXT: call void @llvm.memset.p0i8.i64(i8* align 1 {{.*}}, i8 0, i64 1, i1 false)
ret i32 %y
}