This is an archive of the discontinued LLVM Phabricator instance.

Differential D108457

[hwasan] Do not instrument accesses to uninteresting allocas.
ClosedPublic

Authored by fmayer on Aug 20 2021, 5:03 AM.

Details

Reviewers
eugenis
Commits
rG09391e7e507f: [hwasan] Do not instrument accesses to uninteresting allocas.
Summary

This leads to a statistically significant improvement when using -hwasan-instrument-stack=0: https://bit.ly/3AZUIKI.
When enabling stack instrumentation, the data appears gets better but not statistically significantly so. This is consistent
with the very moderate improvements I have seen for stack safety otherwise, so I expect it to improve when the underlying
issue of that is resolved.

Diff Detail

Unit TestsFailed

TimeTest
0 msx64 windows > Clang.CodeGen/aarch64-sve-intrinsics::acle_sve_st1b.c
0 msx64 windows > Clang.CodeGen/aarch64-sve-intrinsics::acle_sve_st1h.c
10 msx64 windows > Clang.CodeGen/aarch64-sve-intrinsics::acle_sve_st1w.c

Event Timeline

fmayer created this revision.Aug 20 2021, 5:03 AM
Herald added a subscriber: hiraditya. · View Herald TranscriptAug 20 2021, 5:03 AM
fmayer retitled this revision from [hwasan] Do not instrument accesses to safe allocas. to [hwasan] Do not instrument accesses to uninteresting allocas..Aug 20 2021, 5:04 AM
Harbormaster completed remote builds in B120533: Diff 367761.Aug 20 2021, 5:42 AM
fmayer updated this revision to Diff 367778.Aug 20 2021, 6:31 AM

better test.

Harbormaster completed remote builds in B120545: Diff 367778.Aug 20 2021, 7:11 AM
fmayer updated this revision to Diff 367790.Aug 20 2021, 7:28 AM

ignore all alloca access if stack not instrumented

Harbormaster completed remote builds in B120554: Diff 367790.Aug 20 2021, 8:03 AM
fmayer edited the summary of this revision. (Show Details)Aug 20 2021, 9:25 AM
fmayer edited the summary of this revision. (Show Details)Aug 20 2021, 11:26 AM
fmayer updated this revision to Diff 367842.Aug 20 2021, 11:29 AM

better variable naming.

Harbormaster completed remote builds in B120587: Diff 367842.Aug 20 2021, 12:10 PM
fmayer updated this revision to Diff 368055.Aug 23 2021, 3:22 AM

add test

Harbormaster completed remote builds in B120751: Diff 368055.Aug 23 2021, 3:56 AM
fmayer updated this revision to Diff 368113.Aug 23 2021, 8:10 AM

allow to control strictness of alloc matching

fmayer updated this revision to Diff 368116.Aug 23 2021, 8:20 AM

format

fmayer updated this revision to Diff 368118.Aug 23 2021, 8:21 AM

remove comment

fmayer published this revision for review.Aug 23 2021, 8:23 AM
fmayer added a reviewer: eugenis.
Herald added a project: Restricted Project. · View Herald TranscriptAug 23 2021, 8:23 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
fmayer updated this revision to Diff 368120.Aug 23 2021, 8:40 AM

simplify code

Harbormaster completed remote builds in B120800: Diff 368120.Aug 23 2021, 9:21 AM
eugenis added a comment.Aug 24 2021, 3:01 PM

I don't like the new flag. If we want this as a mitigation, IMHO it's a bad idea to allow overflows from stack. Even constant sized ones. Well, maybe reasonably small constant overflows are ok.

Consider adopting AddressSanitizer::isSafeAccess instead.

eugenis added a comment.Aug 24 2021, 3:03 PM

In face, isSafeAccess seems pretty limited. Surely ScalarEvolution (similar to how it is used in StackSafetyAnalysis) can capture more cases, including a non-constant offset that can be proven to be within range?

fmayer updated this revision to Diff 370554.Sep 3 2021, 5:23 AM

rework to address comment

fmayer added a comment.Sep 3 2021, 5:24 AM
In D108457#2963679, @eugenis wrote:

In face, isSafeAccess seems pretty limited. Surely ScalarEvolution (similar to how it is used in StackSafetyAnalysis) can capture more cases, including a non-constant offset that can be proven to be within range?

Done. PTAL.

What I do right now is not emit any checks when we can we disable stack instrumentation and we can trace back an operation to an alloca. While we could potentially overflow towards other regions, I think it is not unexpected that we do not catch this if stack instrumentation is disabled. What do you think?

Harbormaster completed remote builds in B122497: Diff 370554.Sep 3 2021, 6:00 AM
fmayer added a child revision: D109233: [hwasan] Respect returns attribute when tracking values..Sep 3 2021, 6:28 AM
eugenis added a comment.Sep 3 2021, 2:41 PM

This is pretty cool, I thought it would be more complicated.

This change needs comprehensive tests in llvm/test/Analysis/StackSafetyAnalysis. Update the print() method to show safe/unsafe instructions (or maybe only list known safe instruction).

What if an instruction may access either stack or heap?

i32 *p = flag ? p_heap_i16 : &stack_i32;
*p = 42;

The analysis will say "safe" because it is only scanning from the stack roots.
This should probably be fixed in hwasan by tracking the underlying alloca.

fmayer updated this revision to Diff 370869.Sep 6 2021, 2:38 AM

handle stores that might or might not use an alloca

fmayer added a comment.Sep 6 2021, 2:38 AM
In D108457#2983236, @eugenis wrote:

What if an instruction may access either stack or heap?

i32 *p = flag ? p_heap_i16 : &stack_i32;
*p = 42;

The analysis will say "safe" because it is only scanning from the stack roots.
This should probably be fixed in hwasan by tracking the underlying alloca.

Ah yes, I did handle this but then accidentally lost that when I refactored around some stuff. Put that back and added an IR test.

fmayer updated this revision to Diff 370870.Sep 6 2021, 2:43 AM

don't use argument in select test

Harbormaster completed remote builds in B122731: Diff 370870.Sep 6 2021, 3:21 AM
fmayer added a comment.EditedSep 6 2021, 5:56 AM
In D108457#2984855, @fmayer wrote:
In D108457#2983236, @eugenis wrote:

What if an instruction may access either stack or heap?

i32 *p = flag ? p_heap_i16 : &stack_i32;
*p = 42;

The analysis will say "safe" because it is only scanning from the stack roots.
This should probably be fixed in hwasan by tracking the underlying alloca.

Ah yes, I did handle this but then accidentally lost that when I refactored around some stuff. Put that back and added an IR test.

Thinking again I remembered why I removed the explicit case for this during the refactoring: in this case, SCEV will not be able to calculate an in-range offset between the operant of the store and the alloca, so it will not be judged a safe access

fmayer updated this revision to Diff 370948.Sep 6 2021, 11:51 AM

add tests for stack safety analysis

Harbormaster completed remote builds in B122788: Diff 370948.Sep 6 2021, 12:22 PM
fmayer updated this revision to Diff 370961.Sep 6 2021, 12:39 PM

format

Harbormaster completed remote builds in B122799: Diff 370961.Sep 6 2021, 1:18 PM
fmayer added a comment.EditedSep 7 2021, 7:25 AM

EDIT: I ran pdfium benchmarks and had some results here, but I spoke too early and need to run some more.

eugenis added a subscriber: vitalybuka.Sep 7 2021, 3:41 PM

@vitalybuka

Ideas for more analysis tests:

  • unsafe alloca with a mix of safe and unsafe accesses
  • memcpy that is safe on one side and unsafe on the other. Either between two allocas, or within the same (memmove?). Or between alloca and non-stack memory.
In D108457#2985198, @fmayer wrote:
In D108457#2984855, @fmayer wrote:
In D108457#2983236, @eugenis wrote:

What if an instruction may access either stack or heap?

i32 *p = flag ? p_heap_i16 : &stack_i32;
*p = 42;

The analysis will say "safe" because it is only scanning from the stack roots.
This should probably be fixed in hwasan by tracking the underlying alloca.

Ah yes, I did handle this but then accidentally lost that when I refactored around some stuff. Put that back and added an IR test.

Thinking again I remembered why I removed the explicit case for this during the refactoring: in this case, SCEV will not be able to calculate an in-range offset between the operant of the store and the alloca, so it will not be judged a safe access

Right, of course. Any reachable instruction we would require to be *always* within the alloca range.

llvm/lib/Analysis/StackSafetyAnalysis.cpp
836

This affect compilation time and memory. Ideally we would not do it if the client can not use this info (ex. MTE).

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
787

if (findAllocaForValue(Ptr)) return true;

fmayer updated this revision to Diff 371276.Sep 8 2021, 1:45 AM

address comment

fmayer updated this revision to Diff 371279.Sep 8 2021, 1:55 AM
fmayer marked an inline comment as done.

remove unnecessary check

Harbormaster completed remote builds in B123012: Diff 371279.Sep 8 2021, 2:35 AM
fmayer updated this revision to Diff 371342.Sep 8 2021, 8:17 AM

only calculate address information when needed.

fmayer marked an inline comment as done.Sep 8 2021, 8:17 AM
fmayer updated this revision to Diff 371347.Sep 8 2021, 8:31 AM

revert unneeded change

Harbormaster completed remote builds in B123057: Diff 371347.Sep 8 2021, 9:24 AM
fmayer updated this revision to Diff 371382.Sep 8 2021, 10:03 AM

clang format

Harbormaster completed remote builds in B123079: Diff 371382.Sep 8 2021, 10:47 AM
eugenis added a comment.Sep 8 2021, 1:05 PM

still missing test cases for combinations of mixed safe/unsafe accesses

llvm/include/llvm/Analysis/StackSafetyAnalysis.h
68

you want either DenseMap or SmallPtrSet here. std::map is unnecessarily ordered, logarithmic, and wastes memory

vitalybuka added inline comments.Sep 8 2021, 1:59 PM
llvm/include/llvm/Analysis/StackSafetyAnalysis.h
67

why do we need bool if missing instruction is equivalent to false?
std::set?

67

just std::map<const Instruction *, bool>Accesses;

InfoTy in unique_ptr to avoid exposing it into the header.

68

std set/map seems fine
class is movable, DenseMap or SmallPtrSet don't support efficient move.

68

I don't see value in ::getAccesses when accessIsSafe can access the field.

llvm/lib/Analysis/StackSafetyAnalysis.cpp
135–138

Less boilerplate this way:
auto Ins = Accesses.emplace(I, R);
Then use Ins.first and Ins.second where needed.

140–142

the point of <it, bool> result that you can update if insert failed and avoid the second lookup

456

may I ask you to extract two NFC patches which you can land without review:

  1. break -> return !US.Range.isFullSet(); I assume no tests need updates.
  2. Wrap updateRange into trivial:
void addRange(I, R) {
   // the rest you will add in D108457
   updateRange(R);
 }

I assume also not tests should be affected.

814

this is a separate NFC patch

827

so we lazily construct this on the request
if so I am pretty sure we can have sorted std::vector<Instruction*> Accesses for free;
and accessIsSafe can use std::binary_search and it will be faster then map/set lookups.

836

I am a little bit skeptical that we can measure a difference. I'd rather keep it simple.

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
290

HWAsan and related tests should be in a separate patch

fmayer mentioned this in rG6e12c73316b7: [NFC] [stack-safety] add placeholder addRange..Sep 9 2021, 5:13 AM
fmayer updated this revision to Diff 371581.Sep 9 2021, 6:48 AM
fmayer marked 9 inline comments as done.

split change

fmayer added a comment.Sep 9 2021, 6:49 AM

I split the stack safety change to D109503 and added more tests to that.

llvm/include/llvm/Analysis/StackSafetyAnalysis.h
67

While I build this up, there are two cases:

the instruction hadn't been considered yet
the instruction was considered but wasn't safe.
This allows to conveniently keep them apart.

67

I reverted to calculating this in getInfo and putting it into the InfoTy.

@eugenis is that okay?

llvm/lib/Analysis/StackSafetyAnalysis.cpp
140–142

That doesn't work, because it's not move constructible (I think, I don't fully remember what exactly it complained about when I did that).

456

Actually no one looks at the return value, so I just made it void.

836

I reverted it to what it was before for simplicity. We can change it again later if it becomes a problem.

fmayer added a parent revision: D109503: [stack-safety] Allow to determine safe accesses..Sep 9 2021, 6:51 AM
Harbormaster completed remote builds in B123211: Diff 371581.Sep 9 2021, 7:01 AM
fmayer updated this revision to Diff 371583.Sep 9 2021, 7:06 AM

remove unnecessary check (again)

fmayer updated this revision to Diff 371585.Sep 9 2021, 7:09 AM

style

Harbormaster completed remote builds in B123215: Diff 371585.Sep 9 2021, 7:49 AM
eugenis accepted this revision.Sep 9 2021, 1:27 PM

LGTM

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
786

I'm still on the fence about this. A stack pointer can be used to access heap if the offset is attacker controlled, but that sounds a bit exotic.

But let's land it like this for now.

One thing I'd like to explore is applying the same SCEV computation as in StackSafetyAnalysis and excluding instrumentation for anything with offset provably within 32 bits or less - that should be reasonably common (indices are often int, not long) and safe (heap is unlikely to be within 4Gb from stack on 64-bit).

This revision is now accepted and ready to land.Sep 9 2021, 1:27 PM
fmayer updated this revision to Diff 371924.Sep 10 2021, 8:00 AM

rebase

fmayer marked an inline comment as done.Sep 10 2021, 8:12 AM
Harbormaster completed remote builds in B123448: Diff 371924.Sep 10 2021, 8:39 AM
Closed by commit rG09391e7e507f: [hwasan] Do not instrument accesses to uninteresting allocas. (authored by fmayer). · Explain WhySep 10 2021, 11:29 AM
This revision was automatically updated to reflect the committed changes.
fmayer added a commit: rG09391e7e507f: [hwasan] Do not instrument accesses to uninteresting allocas..
fmayer removed a child revision: D109233: [hwasan] Respect returns attribute when tracking values..Sep 13 2021, 2:04 AM

Revision Contents

PathSize
llvm/
include/
llvm/
Analysis/
1 line
lib/
Analysis/
83 lines
Transforms/
Instrumentation/
21 lines
test/
Instrumentation/
HWAddressSanitizer/
2 lines
116 lines

Diff 370554

llvm/include/llvm/Analysis/StackSafetyAnalysis.h

Show First 20 LinesShow All 58 Lines▼ Show 20 Lines
public: public:
struct InfoTy; struct InfoTy;
private: private:
Module *M = nullptr; Module *M = nullptr;
std::function<const StackSafetyInfo &(Function &F)> GetSSI; std::function<const StackSafetyInfo &(Function &F)> GetSSI;
const ModuleSummaryIndex *Index = nullptr; const ModuleSummaryIndex *Index = nullptr;
mutable std::unique_ptr<InfoTy> Info; mutable std::unique_ptr<InfoTy> Info;
const InfoTy &getInfo() const; const InfoTy &getInfo() const;
vitalybukaUnsubmitted
Done
ReplyInline Actions

why do we need bool if missing instruction is equivalent to false?
std::set?

vitalybuka: why do we need bool if missing instruction is equivalent to false? std::set?
fmayerAuthorUnsubmitted
Done
ReplyInline Actions

While I build this up, there are two cases:

the instruction hadn't been considered yet
the instruction was considered but wasn't safe.
This allows to conveniently keep them apart.

fmayer: While I build this up, there are two cases: the instruction hadn't been considered yet the…
vitalybukaUnsubmitted
Done
ReplyInline Actions

just std::map<const Instruction *, bool>Accesses;

InfoTy in unique_ptr to avoid exposing it into the header.

vitalybuka: just std::map<const Instruction *, bool>Accesses; InfoTy in unique_ptr to avoid exposing it…
fmayerAuthorUnsubmitted
Done
ReplyInline Actions

I reverted to calculating this in getInfo and putting it into the InfoTy.

@eugenis is that okay?

fmayer: I reverted to calculating this in getInfo and putting it into the InfoTy. @eugenis is that…
eugenisUnsubmitted
Not Done
ReplyInline Actions

you want either DenseMap or SmallPtrSet here. std::map is unnecessarily ordered, logarithmic, and wastes memory

eugenis: you want either DenseMap or SmallPtrSet here. std::map is unnecessarily ordered, logarithmic…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

std set/map seems fine
class is movable, DenseMap or SmallPtrSet don't support efficient move.

vitalybuka: std set/map seems fine class is movable, DenseMap or SmallPtrSet don't support efficient move.
vitalybukaUnsubmitted
Done
ReplyInline Actions

I don't see value in ::getAccesses when accessIsSafe can access the field.

vitalybuka: I don't see value in ::getAccesses when accessIsSafe can access the field.
public: public:
StackSafetyGlobalInfo(); StackSafetyGlobalInfo();
StackSafetyGlobalInfo( StackSafetyGlobalInfo(
Module *M, std::function<const StackSafetyInfo &(Function &F)> GetSSI, Module *M, std::function<const StackSafetyInfo &(Function &F)> GetSSI,
const ModuleSummaryIndex *Index); const ModuleSummaryIndex *Index);
StackSafetyGlobalInfo(StackSafetyGlobalInfo &&); StackSafetyGlobalInfo(StackSafetyGlobalInfo &&);
StackSafetyGlobalInfo &operator=(StackSafetyGlobalInfo &&); StackSafetyGlobalInfo &operator=(StackSafetyGlobalInfo &&);
~StackSafetyGlobalInfo(); ~StackSafetyGlobalInfo();
bool isSafe(const AllocaInst &AI) const; bool isSafe(const AllocaInst &AI) const;
bool accessIsSafe(const Instruction *I) const;
void print(raw_ostream &O) const; void print(raw_ostream &O) const;
void dump() const; void dump() const;
}; };
/// StackSafetyInfo wrapper for the new pass manager. /// StackSafetyInfo wrapper for the new pass manager.
class StackSafetyAnalysis : public AnalysisInfoMixin<StackSafetyAnalysis> { class StackSafetyAnalysis : public AnalysisInfoMixin<StackSafetyAnalysis> {
friend AnalysisInfoMixin<StackSafetyAnalysis>; friend AnalysisInfoMixin<StackSafetyAnalysis>;
static AnalysisKey Key; static AnalysisKey Key;
▲ Show 20 LinesShow All 79 LinesShow Last 20 Lines

llvm/lib/Analysis/StackSafetyAnalysis.cpp

Show All 24 Lines
#include "llvm/IR/ModuleSummaryIndex.h" #include "llvm/IR/ModuleSummaryIndex.h"
#include "llvm/InitializePasses.h" #include "llvm/InitializePasses.h"
#include "llvm/Support/Casting.h" #include "llvm/Support/Casting.h"
#include "llvm/Support/CommandLine.h" #include "llvm/Support/CommandLine.h"
#include "llvm/Support/FormatVariadic.h" #include "llvm/Support/FormatVariadic.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
#include <algorithm> #include <algorithm>
#include <memory> #include <memory>
#include <tuple>
using namespace llvm; using namespace llvm;
#define DEBUG_TYPE "stack-safety" #define DEBUG_TYPE "stack-safety"
STATISTIC(NumAllocaStackSafe, "Number of safe allocas"); STATISTIC(NumAllocaStackSafe, "Number of safe allocas");
STATISTIC(NumAllocaTotal, "Number of total allocas"); STATISTIC(NumAllocaTotal, "Number of total allocas");
▲ Show 20 LinesShow All 70 Lines▼ Show 20 Linestemplate <typename CalleeTy> struct CallInfo {
}; };
}; };
/// Describe uses of address (alloca or parameter) inside of the function. /// Describe uses of address (alloca or parameter) inside of the function.
template <typename CalleeTy> struct UseInfo { template <typename CalleeTy> struct UseInfo {
// Access range if the address (alloca or parameters). // Access range if the address (alloca or parameters).
// It is allowed to be empty-set when there are no known accesses. // It is allowed to be empty-set when there are no known accesses.
ConstantRange Range; ConstantRange Range;
std::map<const Instruction *, const ConstantRange> Accesses;
// List of calls which pass address as an argument. // List of calls which pass address as an argument.
// Value is offset range of address from base address (alloca or calling // Value is offset range of address from base address (alloca or calling
// function argument). Range should never set to empty-set, that is an invalid // function argument). Range should never set to empty-set, that is an invalid
// access range that can cause empty-set to be propagated with // access range that can cause empty-set to be propagated with
// ConstantRange::add // ConstantRange::add
using CallsTy = std::map<CallInfo<CalleeTy>, ConstantRange, using CallsTy = std::map<CallInfo<CalleeTy>, ConstantRange,
typename CallInfo<CalleeTy>::Less>; typename CallInfo<CalleeTy>::Less>;
CallsTy Calls; CallsTy Calls;
UseInfo(unsigned PointerSize) : Range{PointerSize, false} {} UseInfo(unsigned PointerSize) : Range{PointerSize, false} {}
void updateRange(const ConstantRange &R) { Range = unionNoWrap(Range, R); } void updateRange(const ConstantRange &R) { Range = unionNoWrap(Range, R); }
void addRange(const Instruction *I, const ConstantRange &R) {
bool Inserted;
std::map<const Instruction *, const ConstantRange>::iterator It;
std::tie(It, Inserted) = Accesses.emplace(I, R);
if (!Inserted) {
vitalybukaUnsubmitted
Done
ReplyInline Actions

Less boilerplate this way:
auto Ins = Accesses.emplace(I, R);
Then use Ins.first and Ins.second where needed.

vitalybuka: Less boilerplate this way: auto Ins = Accesses.emplace(I, R); Then use Ins.first and Ins.second…
auto Union = unionNoWrap(It->second, R);
Accesses.erase(It);
std::tie(It, Inserted) = Accesses.emplace(I, Union);
assert(Inserted);
vitalybukaUnsubmitted
Done
ReplyInline Actions
auto Union = unionNoWrap(It->second, R);
- Accesses.erase(It);
- std::tie(It, Inserted) = Accesses.emplace(I, Union);
- assert(Inserted);
+ it->second = R;
+
}
updateRange(R);

the point of <it, bool> result that you can update if insert failed and avoid the second lookup

vitalybuka: the point of <it, bool> result that you can update if insert failed and avoid the second lookup
fmayerAuthorUnsubmitted
Done
ReplyInline Actions

That doesn't work, because it's not move constructible (I think, I don't fully remember what exactly it complained about when I did that).

fmayer: That doesn't work, because it's not move constructible (I think, I don't fully remember what…
}
updateRange(R);
}
}; };
template <typename CalleeTy> template <typename CalleeTy>
raw_ostream &operator<<(raw_ostream &OS, const UseInfo<CalleeTy> &U) { raw_ostream &operator<<(raw_ostream &OS, const UseInfo<CalleeTy> &U) {
OS << U.Range; OS << U.Range;
for (auto &Call : U.Calls) for (auto &Call : U.Calls)
OS << ", " OS << ", "
<< "@" << Call.first.Callee->getName() << "(arg" << Call.first.ParamNo << "@" << Call.first.Callee->getName() << "(arg" << Call.first.ParamNo
▲ Show 20 LinesShow All 78 Lines▼ Show 20 Lines
struct StackSafetyInfo::InfoTy { struct StackSafetyInfo::InfoTy {
FunctionInfo<GlobalValue> Info; FunctionInfo<GlobalValue> Info;
}; };
struct StackSafetyGlobalInfo::InfoTy { struct StackSafetyGlobalInfo::InfoTy {
GVToSSI Info; GVToSSI Info;
SmallPtrSet<const AllocaInst *, 8> SafeAllocas; SmallPtrSet<const AllocaInst *, 8> SafeAllocas;
std::map<const Instruction *, bool> Accesses;
}; };
namespace { namespace {
class StackSafetyLocalAnalysis { class StackSafetyLocalAnalysis {
Function &F; Function &F;
const DataLayout &DL; const DataLayout &DL;
ScalarEvolution &SE; ScalarEvolution &SE;
▲ Show 20 LinesShow All 110 Lines▼ Show 20 Lines for (const Use &UI : V->uses()) {
if (!SL.isReachable(I)) if (!SL.isReachable(I))
continue; continue;
assert(V == UI.get()); assert(V == UI.get());
switch (I->getOpcode()) { switch (I->getOpcode()) {
case Instruction::Load: { case Instruction::Load: {
if (AI && !SL.isAliveAfter(AI, I)) { if (AI && !SL.isAliveAfter(AI, I)) {
US.updateRange(UnknownRange); US.addRange(I, UnknownRange);
return false; break;
} }
US.updateRange( US.addRange(I,
getAccessRange(UI, Ptr, DL.getTypeStoreSize(I->getType()))); getAccessRange(UI, Ptr, DL.getTypeStoreSize(I->getType())));
break; break;
} }
case Instruction::VAArg: case Instruction::VAArg:
// "va-arg" from a pointer is safe. // "va-arg" from a pointer is safe.
break; break;
case Instruction::Store: { case Instruction::Store: {
if (V == I->getOperand(0)) { if (V == I->getOperand(0)) {
// Stored the pointer - conservatively assume it may be unsafe. // Stored the pointer - conservatively assume it may be unsafe.
US.updateRange(UnknownRange); US.addRange(I, UnknownRange);
return false; break;
} }
if (AI && !SL.isAliveAfter(AI, I)) { if (AI && !SL.isAliveAfter(AI, I)) {
US.updateRange(UnknownRange); US.addRange(I, UnknownRange);
return false; break;
} }
US.updateRange(getAccessRange( US.addRange(
I, getAccessRange(
UI, Ptr, DL.getTypeStoreSize(I->getOperand(0)->getType()))); UI, Ptr, DL.getTypeStoreSize(I->getOperand(0)->getType())));
break; break;
} }
case Instruction::Ret: case Instruction::Ret:
// Information leak. // Information leak.
// FIXME: Process parameters correctly. This is a leak only if we return // FIXME: Process parameters correctly. This is a leak only if we return
// alloca. // alloca.
US.updateRange(UnknownRange); US.addRange(I, UnknownRange);
return false; break;
case Instruction::Call: case Instruction::Call:
case Instruction::Invoke: { case Instruction::Invoke: {
if (I->isLifetimeStartOrEnd()) if (I->isLifetimeStartOrEnd())
break; break;
if (AI && !SL.isAliveAfter(AI, I)) { if (AI && !SL.isAliveAfter(AI, I)) {
US.updateRange(UnknownRange); US.addRange(I, UnknownRange);
return false; break;
} }
if (const MemIntrinsic *MI = dyn_cast<MemIntrinsic>(I)) { if (const MemIntrinsic *MI = dyn_cast<MemIntrinsic>(I)) {
US.updateRange(getMemIntrinsicAccessRange(MI, UI, Ptr)); US.addRange(I, getMemIntrinsicAccessRange(MI, UI, Ptr));
break; break;
} }
const auto &CB = cast<CallBase>(*I); const auto &CB = cast<CallBase>(*I);
if (!CB.isArgOperand(&UI)) { if (!CB.isArgOperand(&UI)) {
US.updateRange(UnknownRange); US.addRange(I, UnknownRange);
return false; break;
} }
unsigned ArgNo = CB.getArgOperandNo(&UI); unsigned ArgNo = CB.getArgOperandNo(&UI);
if (CB.isByValArgument(ArgNo)) { if (CB.isByValArgument(ArgNo)) {
US.updateRange(getAccessRange( US.addRange(I, getAccessRange(
UI, Ptr, DL.getTypeStoreSize(CB.getParamByValType(ArgNo)))); UI, Ptr,
DL.getTypeStoreSize(CB.getParamByValType(ArgNo))));
break; break;
} }
// FIXME: consult devirt? // FIXME: consult devirt?
// Do not follow aliases, otherwise we could inadvertently follow // Do not follow aliases, otherwise we could inadvertently follow
// dso_preemptable aliases or aliases with interposable linkage. // dso_preemptable aliases or aliases with interposable linkage.
const GlobalValue *Callee = const GlobalValue *Callee =
dyn_cast<GlobalValue>(CB.getCalledOperand()->stripPointerCasts()); dyn_cast<GlobalValue>(CB.getCalledOperand()->stripPointerCasts());
if (!Callee) { if (!Callee) {
US.updateRange(UnknownRange); US.addRange(I, UnknownRange);
return false; break;
} }
assert(isa<Function>(Callee) || isa<GlobalAlias>(Callee)); assert(isa<Function>(Callee) || isa<GlobalAlias>(Callee));
ConstantRange Offsets = offsetFrom(UI, Ptr); ConstantRange Offsets = offsetFrom(UI, Ptr);
auto Insert = auto Insert =
US.Calls.emplace(CallInfo<GlobalValue>(Callee, ArgNo), Offsets); US.Calls.emplace(CallInfo<GlobalValue>(Callee, ArgNo), Offsets);
if (!Insert.second) if (!Insert.second)
Insert.first->second = Insert.first->second.unionWith(Offsets); Insert.first->second = Insert.first->second.unionWith(Offsets);
break; break;
} }
default: default:
if (Visited.insert(I).second) if (Visited.insert(I).second)
WorkList.push_back(cast<const Instruction>(I)); WorkList.push_back(cast<const Instruction>(I));
} }
} }
} }
return true; return !US.Range.isFullSet();
vitalybukaUnsubmitted
Done
ReplyInline Actions

may I ask you to extract two NFC patches which you can land without review:

  1. break -> return !US.Range.isFullSet(); I assume no tests need updates.
  2. Wrap updateRange into trivial:
void addRange(I, R) {
   // the rest you will add in D108457
   updateRange(R);
 }

I assume also not tests should be affected.

vitalybuka: may I ask you to extract two NFC patches which you can land without review: 1. break -> return !
fmayerAuthorUnsubmitted
Done
ReplyInline Actions

Actually no one looks at the return value, so I just made it void.

fmayer: Actually no one looks at the return value, so I just made it `void`.
} }
FunctionInfo<GlobalValue> StackSafetyLocalAnalysis::run() { FunctionInfo<GlobalValue> StackSafetyLocalAnalysis::run() {
FunctionInfo<GlobalValue> Info; FunctionInfo<GlobalValue> Info;
assert(!F.isDeclaration() && assert(!F.isDeclaration() &&
"Can't run StackSafety on a function declaration"); "Can't run StackSafety on a function declaration");
LLVM_DEBUG(dbgs() << "[StackSafety] " << F.getName() << "\n"); LLVM_DEBUG(dbgs() << "[StackSafety] " << F.getName() << "\n");
▲ Show 20 LinesShow All 341 Lines▼ Show 20 Lines if (!Info) {
StackSafetyLocalAnalysis SSLA(*F, GetSE()); StackSafetyLocalAnalysis SSLA(*F, GetSE());
Info.reset(new InfoTy{SSLA.run()}); Info.reset(new InfoTy{SSLA.run()});
} }
return *Info; return *Info;
} }
void StackSafetyInfo::print(raw_ostream &O) const { void StackSafetyInfo::print(raw_ostream &O) const {
getInfo().Info.print(O, F->getName(), dyn_cast<Function>(F)); getInfo().Info.print(O, F->getName(), dyn_cast<Function>(F));
} }
vitalybukaUnsubmitted
Done
ReplyInline Actions

this is a separate NFC patch

vitalybuka: this is a separate NFC patch
const StackSafetyGlobalInfo::InfoTy &StackSafetyGlobalInfo::getInfo() const { const StackSafetyGlobalInfo::InfoTy &StackSafetyGlobalInfo::getInfo() const {
if (!Info) { if (!Info) {
std::map<const GlobalValue *, FunctionInfo<GlobalValue>> Functions; std::map<const GlobalValue *, FunctionInfo<GlobalValue>> Functions;
for (auto &F : M->functions()) { for (auto &F : M->functions()) {
if (!F.isDeclaration()) { if (!F.isDeclaration()) {
auto FI = GetSSI(F).getInfo().Info; auto FI = GetSSI(F).getInfo().Info;
Functions.emplace(&F, std::move(FI)); Functions.emplace(&F, std::move(FI));
} }
} }
Info.reset(new InfoTy{ Info.reset(new InfoTy{
createGlobalStackSafetyInfo(std::move(Functions), Index), {}}); createGlobalStackSafetyInfo(std::move(Functions), Index), {}, {}});
for (auto &FnKV : Info->Info) { for (auto &FnKV : Info->Info) {
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

so we lazily construct this on the request
if so I am pretty sure we can have sorted std::vector<Instruction*> Accesses for free;
and accessIsSafe can use std::binary_search and it will be faster then map/set lookups.

vitalybuka: so we lazily construct this on the request if so I am pretty sure we can have sorted std…
for (auto &KV : FnKV.second.Allocas) { for (auto &KV : FnKV.second.Allocas) {
++NumAllocaTotal; ++NumAllocaTotal;
const AllocaInst *AI = KV.first; const AllocaInst *AI = KV.first;
if (getStaticAllocaSizeRange(*AI).contains(KV.second.Range)) { auto AIRange = getStaticAllocaSizeRange(*AI);
if (AIRange.contains(KV.second.Range)) {
Info->SafeAllocas.insert(AI); Info->SafeAllocas.insert(AI);
++NumAllocaStackSafe; ++NumAllocaStackSafe;
} }
for (const auto &A : KV.second.Accesses) {
eugenisUnsubmitted
Done
ReplyInline Actions

This affect compilation time and memory. Ideally we would not do it if the client can not use this info (ex. MTE).

eugenis: This affect compilation time and memory. Ideally we would not do it if the client can not use…
vitalybukaUnsubmitted
Done
ReplyInline Actions

I am a little bit skeptical that we can measure a difference. I'd rather keep it simple.

vitalybuka: I am a little bit skeptical that we can measure a difference. I'd rather keep it simple.
fmayerAuthorUnsubmitted
Done
ReplyInline Actions

I reverted it to what it was before for simplicity. We can change it again later if it becomes a problem.

fmayer: I reverted it to what it was before for simplicity. We can change it again later if it becomes…
bool IsSafe = AIRange.contains(A.second);
bool Inserted;
std::map<const Instruction *, bool>::iterator It;
std::tie(It, Inserted) = Info->Accesses.emplace(A.first, IsSafe);
if (!Inserted)
It->second = It->second && IsSafe;
}
} }
} }
if (StackSafetyPrint) if (StackSafetyPrint)
print(errs()); print(errs());
} }
return *Info; return *Info;
} }
▲ Show 20 LinesShow All 55 Lines▼ Show 20 Lines
StackSafetyGlobalInfo::~StackSafetyGlobalInfo() = default; StackSafetyGlobalInfo::~StackSafetyGlobalInfo() = default;
bool StackSafetyGlobalInfo::isSafe(const AllocaInst &AI) const { bool StackSafetyGlobalInfo::isSafe(const AllocaInst &AI) const {
const auto &Info = getInfo(); const auto &Info = getInfo();
return Info.SafeAllocas.count(&AI); return Info.SafeAllocas.count(&AI);
} }
bool StackSafetyGlobalInfo::accessIsSafe(const Instruction *I) const {
const auto &Info = getInfo();
auto It = Info.Accesses.find(I);
if (It != Info.Accesses.end()) {
return It->second;
}
return false;
}
void StackSafetyGlobalInfo::print(raw_ostream &O) const { void StackSafetyGlobalInfo::print(raw_ostream &O) const {
auto &SSI = getInfo().Info; auto &SSI = getInfo().Info;
if (SSI.empty()) if (SSI.empty())
return; return;
const Module &M = *SSI.begin()->first->getParent(); const Module &M = *SSI.begin()->first->getParent();
for (auto &F : M.functions()) { for (auto &F : M.functions()) {
if (!F.isDeclaration()) { if (!F.isDeclaration()) {
SSI.find(&F)->second.print(O, F.getName(), &F); SSI.find(&F)->second.print(O, F.getName(), &F);
▲ Show 20 LinesShow All 201 LinesShow Last 20 Lines

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp

Show First 20 LinesShow All 281 Lines▼ Show 20 Linespublic:
void untagPointerOperand(Instruction *I, Value *Addr); void untagPointerOperand(Instruction *I, Value *Addr);
Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); Value *memToShadow(Value *Shadow, IRBuilder<> &IRB);
void instrumentMemAccessInline(Value *Ptr, bool IsWrite, void instrumentMemAccessInline(Value *Ptr, bool IsWrite,
unsigned AccessSizeIndex, unsigned AccessSizeIndex,
Instruction *InsertBefore); Instruction *InsertBefore);
void instrumentMemIntrinsic(MemIntrinsic *MI); void instrumentMemIntrinsic(MemIntrinsic *MI);
bool instrumentMemAccess(InterestingMemoryOperand &O); bool instrumentMemAccess(InterestingMemoryOperand &O);
bool ignoreAccess(Value *Ptr); bool ignoreAccess(Instruction *Inst, Value *Ptr);
vitalybukaUnsubmitted
Done
ReplyInline Actions

HWAsan and related tests should be in a separate patch

vitalybuka: HWAsan and related tests should be in a separate patch
void getInterestingMemoryOperands( void getInterestingMemoryOperands(
Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting); Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting);
bool isInterestingAlloca(const AllocaInst &AI); bool isInterestingAlloca(const AllocaInst &AI);
void tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, size_t Size); void tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, size_t Size);
Value *tagPointer(IRBuilder<> &IRB, Type *Ty, Value *PtrLong, Value *Tag); Value *tagPointer(IRBuilder<> &IRB, Type *Ty, Value *PtrLong, Value *Tag);
Value *untagPointer(IRBuilder<> &IRB, Value *PtrLong); Value *untagPointer(IRBuilder<> &IRB, Value *PtrLong);
static bool isStandardLifetime(const AllocaInfo &AllocaInfo, static bool isStandardLifetime(const AllocaInfo &AllocaInfo,
▲ Show 20 LinesShow All 464 Lines▼ Show 20 LinesValue *HWAddressSanitizer::getShadowNonTls(IRBuilder<> &IRB) {
} else { } else {
Value *GlobalDynamicAddress = Value *GlobalDynamicAddress =
IRB.GetInsertBlock()->getParent()->getParent()->getOrInsertGlobal( IRB.GetInsertBlock()->getParent()->getParent()->getOrInsertGlobal(
kHwasanShadowMemoryDynamicAddress, Int8PtrTy); kHwasanShadowMemoryDynamicAddress, Int8PtrTy);
return IRB.CreateLoad(Int8PtrTy, GlobalDynamicAddress); return IRB.CreateLoad(Int8PtrTy, GlobalDynamicAddress);
} }
} }
bool HWAddressSanitizer::ignoreAccess(Value *Ptr) { bool HWAddressSanitizer::ignoreAccess(Instruction *Inst, Value *Ptr) {
// Do not instrument acesses from different address spaces; we cannot deal // Do not instrument acesses from different address spaces; we cannot deal
// with them. // with them.
Type *PtrTy = cast<PointerType>(Ptr->getType()->getScalarType()); Type *PtrTy = cast<PointerType>(Ptr->getType()->getScalarType());
if (PtrTy->getPointerAddressSpace() != 0) if (PtrTy->getPointerAddressSpace() != 0)
return true; return true;
// Ignore swifterror addresses. // Ignore swifterror addresses.
// swifterror memory addresses are mem2reg promoted by instruction // swifterror memory addresses are mem2reg promoted by instruction
// selection. As such they cannot have regular uses like an instrumentation // selection. As such they cannot have regular uses like an instrumentation
// function and it makes no sense to track them as memory. // function and it makes no sense to track them as memory.
if (Ptr->isSwiftError()) if (Ptr->isSwiftError())
return true; return true;
if (!InstrumentStack) {
const AllocaInst *AI = findAllocaForValue(Ptr);
eugenisUnsubmitted
Done
ReplyInline Actions

I'm still on the fence about this. A stack pointer can be used to access heap if the offset is attacker controlled, but that sounds a bit exotic.

But let's land it like this for now.

One thing I'd like to explore is applying the same SCEV computation as in StackSafetyAnalysis and excluding instrumentation for anything with offset provably within 32 bits or less - that should be reasonably common (indices are often int, not long) and safe (heap is unlikely to be within 4Gb from stack on 64-bit).

eugenis: I'm still on the fence about this. A stack pointer can be used to access heap if the offset is…
if (AI)
eugenisUnsubmitted
Done
ReplyInline Actions

if (findAllocaForValue(Ptr)) return true;

eugenis: `if (findAllocaForValue(Ptr)) return true;`
return true;
} else if (SSI && SSI->accessIsSafe(Inst)) {
return true;
}
return false; return false;
} }
void HWAddressSanitizer::getInterestingMemoryOperands( void HWAddressSanitizer::getInterestingMemoryOperands(
Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting) { Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting) {
// Skip memory accesses inserted by another instrumentation. // Skip memory accesses inserted by another instrumentation.
if (I->hasMetadata("nosanitize")) if (I->hasMetadata("nosanitize"))
return; return;
// Do not instrument the load fetching the dynamic shadow address. // Do not instrument the load fetching the dynamic shadow address.
if (ShadowBase == I) if (ShadowBase == I)
return; return;
if (LoadInst *LI = dyn_cast<LoadInst>(I)) { if (LoadInst *LI = dyn_cast<LoadInst>(I)) {
if (!ClInstrumentReads || ignoreAccess(LI->getPointerOperand())) if (!ClInstrumentReads || ignoreAccess(I, LI->getPointerOperand()))
return; return;
Interesting.emplace_back(I, LI->getPointerOperandIndex(), false, Interesting.emplace_back(I, LI->getPointerOperandIndex(), false,
LI->getType(), LI->getAlign()); LI->getType(), LI->getAlign());
} else if (StoreInst *SI = dyn_cast<StoreInst>(I)) { } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {
if (!ClInstrumentWrites || ignoreAccess(SI->getPointerOperand())) if (!ClInstrumentWrites || ignoreAccess(I, SI->getPointerOperand()))
return; return;
Interesting.emplace_back(I, SI->getPointerOperandIndex(), true, Interesting.emplace_back(I, SI->getPointerOperandIndex(), true,
SI->getValueOperand()->getType(), SI->getAlign()); SI->getValueOperand()->getType(), SI->getAlign());
} else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { } else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) {
if (!ClInstrumentAtomics || ignoreAccess(RMW->getPointerOperand())) if (!ClInstrumentAtomics || ignoreAccess(I, RMW->getPointerOperand()))
return; return;
Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true, Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true,
RMW->getValOperand()->getType(), None); RMW->getValOperand()->getType(), None);
} else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {
if (!ClInstrumentAtomics || ignoreAccess(XCHG->getPointerOperand())) if (!ClInstrumentAtomics || ignoreAccess(I, XCHG->getPointerOperand()))
return; return;
Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true, Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true,
XCHG->getCompareOperand()->getType(), None); XCHG->getCompareOperand()->getType(), None);
} else if (auto CI = dyn_cast<CallInst>(I)) { } else if (auto CI = dyn_cast<CallInst>(I)) {
for (unsigned ArgNo = 0; ArgNo < CI->getNumArgOperands(); ArgNo++) { for (unsigned ArgNo = 0; ArgNo < CI->getNumArgOperands(); ArgNo++) {
if (!ClInstrumentByval || !CI->isByValArgument(ArgNo) || if (!ClInstrumentByval || !CI->isByValArgument(ArgNo) ||
ignoreAccess(CI->getArgOperand(ArgNo))) ignoreAccess(I, CI->getArgOperand(ArgNo)))
continue; continue;
Type *Ty = CI->getParamByValType(ArgNo); Type *Ty = CI->getParamByValType(ArgNo);
Interesting.emplace_back(I, ArgNo, false, Ty, Align(1)); Interesting.emplace_back(I, ArgNo, false, Ty, Align(1));
} }
} }
} }
static unsigned getPointerOperandIndex(Instruction *I) { static unsigned getPointerOperandIndex(Instruction *I) {
▲ Show 20 LinesShow All 1,012 LinesShow Last 20 Lines

llvm/test/Instrumentation/HWAddressSanitizer/memaccess-clobber.ll

; Make sure memaccess checks preceed the following reads. ; Make sure memaccess checks preceed the following reads.
; ;
; RUN: opt < %s -S -enable-new-pm=0 -hwasan -basic-aa -memdep -print-memdeps -analyze -mtriple aarch64-linux-android30 | FileCheck %s ; RUN: opt < %s -S -enable-new-pm=0 -hwasan -hwasan-use-stack-safety=0 -basic-aa -memdep -print-memdeps -analyze -mtriple aarch64-linux-android30 | FileCheck %s
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128" target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64--linux-android10000" target triple = "aarch64--linux-android10000"
declare void @use32(i32*) declare void @use32(i32*)
define i32 @test_alloca() sanitize_hwaddress { define i32 @test_alloca() sanitize_hwaddress {
entry: entry:
Show All 9 Lines

llvm/test/Instrumentation/HWAddressSanitizer/stack-safety-analysis.ll

; RUN: opt -hwasan -hwasan-use-stack-safety=1 -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=SAFETY ; RUN: opt -hwasan -hwasan-instrument-with-calls -hwasan-use-stack-safety=1 -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=SAFETY,CHECK
; RUN: opt -hwasan -hwasan-use-stack-safety=0 -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=NOSAFETY ; RUN: opt -hwasan -hwasan-instrument-with-calls -hwasan-use-stack-safety=0 -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=NOSAFETY,CHECK
; RUN: opt -hwasan -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=SAFETY ; RUN: opt -hwasan -hwasan-instrument-with-calls -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=SAFETY,CHECK
; RUN: opt -hwasan -hwasan-instrument-stack=0 -hwasan-instrument-with-calls -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=NOSTACK,CHECK
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128" target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64-unknown-linux-gnu" target triple = "aarch64-unknown-linux-gnu"
; Check a safe alloca to ensure it does not get a tag. ; Check a safe alloca to ensure it does not get a tag.
define i32 @test_load(i32* %a) sanitize_hwaddress { define i32 @test_simple(i32* %a) sanitize_hwaddress {
entry: entry:
; CHECK-LABEL: @test_simple
; NOSAFETY: call {{.*}}__hwasan_generate_tag ; NOSAFETY: call {{.*}}__hwasan_generate_tag
; NOSAFETY: call {{.*}}__hwasan_store
; SAFETY-NOT: call {{.*}}__hwasan_generate_tag ; SAFETY-NOT: call {{.*}}__hwasan_generate_tag
; SAFETY-NOT: call {{.*}}__hwasan_store
; NOSTACK-NOT: call {{.*}}__hwasan_generate_tag
; NOSTACK-NOT: call {{.*}}__hwasan_store
%buf.sroa.0 = alloca i8, align 4 %buf.sroa.0 = alloca i8, align 4
call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull %buf.sroa.0) call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull %buf.sroa.0)
store volatile i8 0, i8* %buf.sroa.0, align 4, !tbaa !8 store volatile i8 0, i8* %buf.sroa.0, align 4, !tbaa !8
call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull %buf.sroa.0) call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull %buf.sroa.0)
ret i32 0 ret i32 0
} }
; Check a non-safe alloca to ensure it gets a tag. ; Check a non-safe alloca to ensure it gets a tag.
define i32 @test_use(i32* %a) sanitize_hwaddress { define i32 @test_use(i32* %a) sanitize_hwaddress {
entry: entry:
; CHECK-LABEL: @test_use
; NOSAFETY: call {{.*}}__hwasan_generate_tag ; NOSAFETY: call {{.*}}__hwasan_generate_tag
; NOSAFETY: call {{.*}}__hwasan_store
; SAFETY: call {{.*}}__hwasan_generate_tag ; SAFETY: call {{.*}}__hwasan_generate_tag
; SAFETY-NOT: call {{.*}}__hwasan_store
; NOSTACK-NOT: call {{.*}}__hwasan_generate_tag
; NOSTACK-NOT: call {{.*}}__hwasan_store
%buf.sroa.0 = alloca i8, align 4 %buf.sroa.0 = alloca i8, align 4
call void @use(i8* nonnull %buf.sroa.0) call void @use(i8* nonnull %buf.sroa.0)
call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull %buf.sroa.0) call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull %buf.sroa.0)
store volatile i8 0, i8* %buf.sroa.0, align 4, !tbaa !8 store volatile i8 0, i8* %buf.sroa.0, align 4, !tbaa !8
call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull %buf.sroa.0) call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull %buf.sroa.0)
ret i32 0 ret i32 0
} }
; Check an alloca with in range GEP to ensure it does not get a tag or check.
define i32 @test_in_range(i32* %a) sanitize_hwaddress {
entry:
; CHECK-LABEL: @test_in_range
; NOSAFETY: call {{.*}}__hwasan_generate_tag
; NOSAFETY: call {{.*}}__hwasan_store
; SAFETY-NOT: call {{.*}}__hwasan_generate_tag
; SAFETY-NOT: call {{.*}}__hwasan_store
; NOSTACK-NOT: call {{.*}}__hwasan_generate_tag
; NOSTACK-NOT: call {{.*}}__hwasan_store
%buf.sroa.0 = alloca [10 x i8], align 4
%ptr = getelementptr [10 x i8], [10 x i8]* %buf.sroa.0, i32 0, i32 0
call void @llvm.lifetime.start.p0i8(i64 10, i8* nonnull %ptr)
store volatile i8 0, i8* %ptr, align 4, !tbaa !8
call void @llvm.lifetime.end.p0i8(i64 10, i8* nonnull %ptr)
ret i32 0
}
; Check an alloca with in range GEP to ensure it does not get a tag or check.
define i32 @test_in_range2(i32* %a) sanitize_hwaddress {
entry:
; CHECK-LABEL: @test_in_range2
; NOSAFETY: call {{.*}}__hwasan_generate_tag
; NOSAFETY: call {{.*}}__hwasan_store
; SAFETY-NOT: call {{.*}}__hwasan_generate_tag
; SAFETY-NOT: call {{.*}}__hwasan_store
; NOSTACK-NOT: call {{.*}}__hwasan_generate_tag
; NOSTACK-NOT: call {{.*}}__hwasan_store
%buf.sroa.0 = alloca [10 x i8], align 4
%ptr = getelementptr [10 x i8], [10 x i8]* %buf.sroa.0, i32 0, i32 9
%x = bitcast [10 x i8]* %buf.sroa.0 to i8*
call void @llvm.lifetime.start.p0i8(i64 10, i8* nonnull %x)
store volatile i8 0, i8* %ptr, align 4, !tbaa !8
call void @llvm.lifetime.end.p0i8(i64 10, i8* nonnull %x)
ret i32 0
}
; Check an alloca with out of range GEP to ensure it gets a tag and check.
define i32 @test_out_of_range(i32* %a) sanitize_hwaddress {
entry:
; CHECK-LABEL: @test_out_of_range
; NOSAFETY: call {{.*}}__hwasan_generate_tag
; NOSAFETY: call {{.*}}__hwasan_store
; SAFETY: call {{.*}}__hwasan_generate_tag
; SAFETY: call {{.*}}__hwasan_store
; NOSTACK-NOT: call {{.*}}__hwasan_generate_tag
; NOSTACK-NOT: call {{.*}}__hwasan_store
%buf.sroa.0 = alloca [10 x i8], align 4
%ptr = getelementptr [10 x i8], [10 x i8]* %buf.sroa.0, i32 0, i32 10
%x = bitcast [10 x i8]* %buf.sroa.0 to i8*
call void @llvm.lifetime.start.p0i8(i64 10, i8* nonnull %x)
store volatile i8 0, i8* %ptr, align 4, !tbaa !8
call void @llvm.lifetime.end.p0i8(i64 10, i8* nonnull %x)
ret i32 0
}
; Check an alloca with potentially out of range GEP to ensure it gets a tag and
; check.
define i32 @test_potentially_out_of_range(i32* %a) sanitize_hwaddress {
entry:
; CHECK-LABEL: @test_potentially_out_of_range
; NOSAFETY: call {{.*}}__hwasan_generate_tag
; NOSAFETY: call {{.*}}__hwasan_store
; SAFETY: call {{.*}}__hwasan_generate_tag
; SAFETY: call {{.*}}__hwasan_store
; NOSTACK-NOT: call {{.*}}__hwasan_generate_tag
; NOSTACK-NOT: call {{.*}}__hwasan_store
%buf.sroa.0 = alloca [10 x i8], align 4
%off = call i32 @getoffset()
%ptr = getelementptr [10 x i8], [10 x i8]* %buf.sroa.0, i32 0, i32 %off
call void @llvm.lifetime.start.p0i8(i64 10, i8* nonnull %ptr)
store volatile i8 0, i8* %ptr, align 4, !tbaa !8
call void @llvm.lifetime.end.p0i8(i64 10, i8* nonnull %ptr)
ret i32 0
}
; Check an alloca with potentially out of range GEP to ensure it gets a tag and
; check.
define i32 @test_unclear(i32* %a) sanitize_hwaddress {
entry:
; CHECK-LABEL: @test_unclear
; NOSAFETY: call {{.*}}__hwasan_generate_tag
; NOSAFETY: call {{.*}}__hwasan_store
; SAFETY: call {{.*}}__hwasan_generate_tag
; SAFETY: call {{.*}}__hwasan_store
; NOSTACK-NOT: call {{.*}}__hwasan_generate_tag
; NOSTACK: call {{.*}}__hwasan_store
%buf.sroa.0 = alloca i8, align 4
%ptr = call i8* @getptr(i8* %buf.sroa.0)
call void @llvm.lifetime.start.p0i8(i64 10, i8* nonnull %ptr)
store volatile i8 0, i8* %ptr, align 4, !tbaa !8
call void @llvm.lifetime.end.p0i8(i64 10, i8* nonnull %ptr)
ret i32 0
}
; Function Attrs: argmemonly mustprogress nofree nosync nounwind willreturn ; Function Attrs: argmemonly mustprogress nofree nosync nounwind willreturn
declare void @llvm.lifetime.start.p0i8(i64 immarg, i8* nocapture) declare void @llvm.lifetime.start.p0i8(i64 immarg, i8* nocapture)
; Function Attrs: argmemonly mustprogress nofree nosync nounwind willreturn ; Function Attrs: argmemonly mustprogress nofree nosync nounwind willreturn
declare void @llvm.lifetime.end.p0i8(i64 immarg, i8* nocapture) declare void @llvm.lifetime.end.p0i8(i64 immarg, i8* nocapture)
declare void @use(i8* nocapture) declare void @use(i8* nocapture)
declare i32 @getoffset()
declare i8* @getptr(i8* nocapture)
!8 = !{!9, !9, i64 0} !8 = !{!9, !9, i64 0}
!9 = !{!"omnipotent char", !10, i64 0} !9 = !{!"omnipotent char", !10, i64 0}
!10 = !{!"Simple C/C++ TBAA"} !10 = !{!"Simple C/C++ TBAA"}