This is an archive of the discontinued LLVM Phabricator instance.

Differential D109847

[DFSan] Add force_zero_label abilist option to DFSan. This can be used as a work-around for overtainting.
ClosedPublic

Authored by browneee on Sep 15 2021, 1:02 PM.

Details

Reviewers
morehouse
Commits
rGc533b88a6dc9: [DFSan] Add force_zero_label abilist option to DFSan. This can be used as a…

Diff Detail

Event Timeline

browneee created this revision.Sep 15 2021, 1:02 PM
Herald added a subscriber: hiraditya. · View Herald TranscriptSep 15 2021, 1:02 PM
browneee requested review of this revision.Sep 15 2021, 1:02 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptSep 15 2021, 1:02 PM
Herald added subscribers: llvm-commits, Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B124070: Diff 372780.Sep 15 2021, 1:40 PM
morehouse added a comment.Sep 16 2021, 9:40 AM

What's the motivation for this feature?

I think discard already returns 0 labels. When do we also need to store 0 labels?

compiler-rt/test/dfsan/Inputs/force_zero_abilist.txt
1 ↗(On Diff #372780)

Why a separate abilist.txt?

compiler-rt/test/dfsan/force_zero.c
26

Wouldn't this also pass if we used uninstrumented or discard in the ABI list?

browneee added a comment.Sep 16 2021, 10:23 AM

The motivation for this change is to remove taint in functions which write out their return data...

e.g.

void GenerateData(char* out_buf, int out_buf_len) { ... }

This feature allows us to untaint the data produced by this function.

compiler-rt/test/dfsan/Inputs/force_zero_abilist.txt
1 ↗(On Diff #372780)

For separate test. Happy to combine them if you prefer.

compiler-rt/test/dfsan/force_zero.c
26

For the return value yes, but not for the shadow of the contents of the the out pointer.

morehouse added a comment.Sep 16 2021, 10:46 AM

Please also update the documentation: https://clang.llvm.org/docs/DataFlowSanitizer.html#abi-list

compiler-rt/test/dfsan/Inputs/force_zero_abilist.txt
1 ↗(On Diff #372780)

Yes, let's combine them for simplicity.

llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp
149

Nit: Could we make the distinction between uninstrumented and instrumented functions a little clearer?

I think we only use functional and discard with uninstrumented, while we only use force_zero_labels with instrumented.

1218

For consistency.

llvm/test/Instrumentation/DataFlowSanitizer/Inputs/force_zero_abilist.txt
1 ↗(On Diff #372780)

Let's also reuse the existing ABI list for llvm tests.

llvm/test/Instrumentation/DataFlowSanitizer/force_zero.ll
10

Let's check that 0 is being stored specifically to SHADOW_PTR.

browneee updated this revision to Diff 373041.Sep 16 2021, 1:00 PM
browneee marked 7 inline comments as done.

Address review comments.

morehouse added a comment.Sep 16 2021, 1:06 PM

Please also update the documentation: https://clang.llvm.org/docs/DataFlowSanitizer.html#abi-list

llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp
152
155
Harbormaster completed remote builds in B124262: Diff 373041.Sep 16 2021, 1:22 PM
browneee updated this revision to Diff 373065.Sep 16 2021, 2:12 PM

Docs

Herald added a project: Restricted Project. · View Herald TranscriptSep 16 2021, 2:12 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B124281: Diff 373065.Sep 16 2021, 2:32 PM
morehouse accepted this revision.Sep 17 2021, 8:42 AM
morehouse added inline comments.
clang/docs/DataFlowSanitizer.rst
141 ↗(On Diff #373065)
This revision is now accepted and ready to land.Sep 17 2021, 8:42 AM
browneee updated this revision to Diff 373271.Sep 17 2021, 10:15 AM

Rebase

browneee updated this revision to Diff 373274.Sep 17 2021, 10:21 AM
browneee marked 3 inline comments as done.

Update comments.

Harbormaster completed remote builds in B124435: Diff 373274.Sep 17 2021, 11:04 AM
This revision was landed with ongoing or failed builds.Sep 17 2021, 12:58 PM
Closed by commit rGc533b88a6dc9: [DFSan] Add force_zero_label abilist option to DFSan. This can be used as a… (authored by browneee). · Explain Why
This revision was automatically updated to reflect the committed changes.
browneee added a commit: rGc533b88a6dc9: [DFSan] Add force_zero_label abilist option to DFSan. This can be used as a….

Revision Contents

PathSize
compiler-rt/
test/
dfsan/
Inputs/
5 lines
32 lines
llvm/
lib/
Transforms/
Instrumentation/
37 lines
test/
Instrumentation/
DataFlowSanitizer/
Inputs/
2 lines
16 lines

Diff 373041

compiler-rt/test/dfsan/Inputs/flags_abilist.txt

fun:f=uninstrumented fun:f=uninstrumented
fun:function_to_force_zero=force_zero_labels
fun:main=uninstrumented fun:main=uninstrumented
fun:main=discard fun:main=discard
fun:dfsan_create_label=uninstrumented
fun:dfsan_create_label=discard
fun:dfsan_set_label=uninstrumented fun:dfsan_set_label=uninstrumented
fun:dfsan_set_label=discard fun:dfsan_set_label=discard

compiler-rt/test/dfsan/force_zero.c

  • This file was added.
// RUN: %clang_dfsan %s -fsanitize-ignorelist=%S/Inputs/flags_abilist.txt -DFORCE_ZERO_LABELS -o %t && %run %t
// RUN: %clang_dfsan %s -o %t && %run %t
//
// REQUIRES: x86_64-target-arch
#include <sanitizer/dfsan_interface.h>
#include <assert.h>
int function_to_force_zero(int i, int* out) {
*out = i;
return i;
}
int main(void) {
int i = 1;
dfsan_label i_label = 2;
dfsan_set_label(i_label, &i, sizeof(i));
int out = 0;
int ret = function_to_force_zero(i, &out);
#ifdef FORCE_ZERO_LABELS
assert(dfsan_get_label(out) == 0);
assert(dfsan_get_label(ret) == 0);
#else
morehouseUnsubmitted
Done
ReplyInline Actions

Wouldn't this also pass if we used uninstrumented or discard in the ABI list?

morehouse: Wouldn't this also pass if we used `uninstrumented` or `discard` in the ABI list?
browneeeAuthorUnsubmitted
Done
ReplyInline Actions

For the return value yes, but not for the shadow of the contents of the the out pointer.

browneee: For the return value yes, but not for the shadow of the contents of the the out pointer.
assert(dfsan_get_label(out) == i_label);
assert(dfsan_get_label(ret) == i_label);
#endif
return 0;
}

llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp

Show First 20 LinesShow All 138 Lines▼ Show 20 Linesstatic cl::opt<bool> ClPreserveAlignment(
cl::desc("respect alignment requirements provided by input IR"), cl::Hidden, cl::desc("respect alignment requirements provided by input IR"), cl::Hidden,
cl::init(false)); cl::init(false));
// The ABI list files control how shadow parameters are passed. The pass treats // The ABI list files control how shadow parameters are passed. The pass treats
// every function labelled "uninstrumented" in the ABI list file as conforming // every function labelled "uninstrumented" in the ABI list file as conforming
// to the "native" (i.e. unsanitized) ABI. Unless the ABI list contains // to the "native" (i.e. unsanitized) ABI. Unless the ABI list contains
// additional annotations for those functions, a call to one of those functions // additional annotations for those functions, a call to one of those functions
// will produce a warning message, as the labelling behaviour of the function is // will produce a warning message, as the labelling behaviour of the function is
// unknown. The other supported annotations are "functional" and "discard", // unknown. The other supported annotations for uninstrumented functions are
// which are described below under DataFlowSanitizer::WrapperKind. // "functional" and "discard", which are described below under
// DataFlowSanitizer::WrapperKind.
morehouseUnsubmitted
Done
ReplyInline Actions

Nit: Could we make the distinction between uninstrumented and instrumented functions a little clearer?

I think we only use functional and discard with uninstrumented, while we only use force_zero_labels with instrumented.

morehouse: Nit: Could we make the distinction between uninstrumented and instrumented functions a little…
// Functions will often be labelled with both "uninstrumented" and one of
// "functional" or "discard". This will leave the function unchanged by this
// pass, and create a wrapper function with that will call the original.
morehouseUnsubmitted
Done
ReplyInline Actions
// "functional" or "discard". This will leave the function unchanged by this
- // pass, and create a wrapper function with that will call the original.
+ // pass, and create a wrapper function that will call the original.
//
// Instrumented functions can also be annotated as "force_zero_labels", which
morehouse:
//
// Instrumented functions can also be annotated as "force_zero_labels", which
// will make all shadow stores and label for return values set zero labels.
morehouseUnsubmitted
Done
ReplyInline Actions
// Instrumented functions can also be annotated as "force_zero_labels", which
- // will make all shadow stores and label for return values set zero labels.
+ // will make all stores and return values set zero labels.
// Functions should never be labelled with both "force_zero_labels" and
morehouse:
// Functions should never be labelled with both "force_zero_labels" and
// "uninstrumented" or any of the unistrumented wrapper kinds.
static cl::list<std::string> ClABIListFiles( static cl::list<std::string> ClABIListFiles(
"dfsan-abilist", "dfsan-abilist",
cl::desc("File listing native ABI functions and how the pass treats them"), cl::desc("File listing native ABI functions and how the pass treats them"),
cl::Hidden); cl::Hidden);
// Controls whether the pass uses IA_Args or IA_TLS as the ABI for instrumented // Controls whether the pass uses IA_Args or IA_TLS as the ABI for instrumented
// functions (see DataFlowSanitizer::InstrumentedABI below). // functions (see DataFlowSanitizer::InstrumentedABI below).
static cl::opt<bool> static cl::opt<bool>
▲ Show 20 LinesShow All 307 Lines▼ Show 20 Linesclass DataFlowSanitizer {
Value *getShadowOffset(Value *Addr, IRBuilder<> &IRB); Value *getShadowOffset(Value *Addr, IRBuilder<> &IRB);
Value *getShadowAddress(Value *Addr, Instruction *Pos); Value *getShadowAddress(Value *Addr, Instruction *Pos);
Value *getShadowAddress(Value *Addr, Instruction *Pos, Value *ShadowOffset); Value *getShadowAddress(Value *Addr, Instruction *Pos, Value *ShadowOffset);
std::pair<Value *, Value *> std::pair<Value *, Value *>
getShadowOriginAddress(Value *Addr, Align InstAlignment, Instruction *Pos); getShadowOriginAddress(Value *Addr, Align InstAlignment, Instruction *Pos);
bool isInstrumented(const Function *F); bool isInstrumented(const Function *F);
bool isInstrumented(const GlobalAlias *GA); bool isInstrumented(const GlobalAlias *GA);
bool isForceZeroLabels(const Function *F);
FunctionType *getArgsFunctionType(FunctionType *T); FunctionType *getArgsFunctionType(FunctionType *T);
FunctionType *getTrampolineFunctionType(FunctionType *T); FunctionType *getTrampolineFunctionType(FunctionType *T);
TransformedFunction getCustomFunctionType(FunctionType *T); TransformedFunction getCustomFunctionType(FunctionType *T);
InstrumentedABI getInstrumentedABI(); InstrumentedABI getInstrumentedABI();
WrapperKind getWrapperKind(Function *F); WrapperKind getWrapperKind(Function *F);
void addGlobalNameSuffix(GlobalValue *GV); void addGlobalNameSuffix(GlobalValue *GV);
Function *buildWrapperFunction(Function *F, StringRef NewFName, Function *buildWrapperFunction(Function *F, StringRef NewFName,
GlobalValue::LinkageTypes NewFLink, GlobalValue::LinkageTypes NewFLink,
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines
}; };
struct DFSanFunction { struct DFSanFunction {
DataFlowSanitizer &DFS; DataFlowSanitizer &DFS;
Function *F; Function *F;
DominatorTree DT; DominatorTree DT;
DataFlowSanitizer::InstrumentedABI IA; DataFlowSanitizer::InstrumentedABI IA;
bool IsNativeABI; bool IsNativeABI;
bool IsForceZeroLabels;
AllocaInst *LabelReturnAlloca = nullptr; AllocaInst *LabelReturnAlloca = nullptr;
AllocaInst *OriginReturnAlloca = nullptr; AllocaInst *OriginReturnAlloca = nullptr;
DenseMap<Value *, Value *> ValShadowMap; DenseMap<Value *, Value *> ValShadowMap;
DenseMap<Value *, Value *> ValOriginMap; DenseMap<Value *, Value *> ValOriginMap;
DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap; DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap;
DenseMap<AllocaInst *, AllocaInst *> AllocaOriginMap; DenseMap<AllocaInst *, AllocaInst *> AllocaOriginMap;
struct PHIFixupElement { struct PHIFixupElement {
Show All 14 Linesstruct DFSanFunction {
DenseMap<std::pair<Value *, Value *>, CachedShadow> CachedShadows; DenseMap<std::pair<Value *, Value *>, CachedShadow> CachedShadows;
/// Maps a value to its latest collapsed shadow value it was converted to in /// Maps a value to its latest collapsed shadow value it was converted to in
/// terms of domination tree. When ClDebugNonzeroLabels is on, this cache is /// terms of domination tree. When ClDebugNonzeroLabels is on, this cache is
/// used at a post process where CFG blocks are split. So it does not cache /// used at a post process where CFG blocks are split. So it does not cache
/// BasicBlock like CachedShadows, but uses domination between values. /// BasicBlock like CachedShadows, but uses domination between values.
DenseMap<Value *, Value *> CachedCollapsedShadows; DenseMap<Value *, Value *> CachedCollapsedShadows;
DenseMap<Value *, std::set<Value *>> ShadowElements; DenseMap<Value *, std::set<Value *>> ShadowElements;
DFSanFunction(DataFlowSanitizer &DFS, Function *F, bool IsNativeABI) DFSanFunction(DataFlowSanitizer &DFS, Function *F, bool IsNativeABI,
: DFS(DFS), F(F), IA(DFS.getInstrumentedABI()), IsNativeABI(IsNativeABI) { bool IsForceZeroLabels)
: DFS(DFS), F(F), IA(DFS.getInstrumentedABI()), IsNativeABI(IsNativeABI),
IsForceZeroLabels(IsForceZeroLabels) {
DT.recalculate(*F); DT.recalculate(*F);
} }
/// Computes the shadow address for a given function argument. /// Computes the shadow address for a given function argument.
/// ///
/// Shadow = ArgTLS+ArgOffset. /// Shadow = ArgTLS+ArgOffset.
Value *getArgTLS(Type *T, unsigned ArgOffset, IRBuilder<> &IRB); Value *getArgTLS(Type *T, unsigned ArgOffset, IRBuilder<> &IRB);
▲ Show 20 LinesShow All 518 Lines▼ Show 20 Lines
bool DataFlowSanitizer::isInstrumented(const Function *F) { bool DataFlowSanitizer::isInstrumented(const Function *F) {
return !ABIList.isIn(*F, "uninstrumented"); return !ABIList.isIn(*F, "uninstrumented");
} }
bool DataFlowSanitizer::isInstrumented(const GlobalAlias *GA) { bool DataFlowSanitizer::isInstrumented(const GlobalAlias *GA) {
return !ABIList.isIn(*GA, "uninstrumented"); return !ABIList.isIn(*GA, "uninstrumented");
} }
bool DataFlowSanitizer::isForceZeroLabels(const Function *F) {
return ABIList.isIn(*F, "force_zero_labels");
}
DataFlowSanitizer::InstrumentedABI DataFlowSanitizer::getInstrumentedABI() { DataFlowSanitizer::InstrumentedABI DataFlowSanitizer::getInstrumentedABI() {
return ClArgsABI ? IA_Args : IA_TLS; return ClArgsABI ? IA_Args : IA_TLS;
} }
DataFlowSanitizer::WrapperKind DataFlowSanitizer::getWrapperKind(Function *F) { DataFlowSanitizer::WrapperKind DataFlowSanitizer::getWrapperKind(Function *F) {
if (ABIList.isIn(*F, "functional")) if (ABIList.isIn(*F, "functional"))
return WK_Functional; return WK_Functional;
if (ABIList.isIn(*F, "discard")) if (ABIList.isIn(*F, "discard"))
▲ Show 20 LinesShow All 74 Lines▼ Show 20 Lines for (unsigned N = FT->getNumParams(); N != 0; ++AI, --N)
Args.push_back(&*AI); Args.push_back(&*AI);
CallInst *CI = CallInst::Create(FT, &*F->arg_begin(), Args, "", BB); CallInst *CI = CallInst::Create(FT, &*F->arg_begin(), Args, "", BB);
Type *RetType = FT->getReturnType(); Type *RetType = FT->getReturnType();
ReturnInst *RI = RetType->isVoidTy() ? ReturnInst::Create(*Ctx, BB) ReturnInst *RI = RetType->isVoidTy() ? ReturnInst::Create(*Ctx, BB)
: ReturnInst::Create(*Ctx, CI, BB); : ReturnInst::Create(*Ctx, CI, BB);
// F is called by a wrapped custom function with primitive shadows. So // F is called by a wrapped custom function with primitive shadows. So
// its arguments and return value need conversion. // its arguments and return value need conversion.
DFSanFunction DFSF(*this, F, /*IsNativeABI=*/true); DFSanFunction DFSF(*this, F, /*IsNativeABI=*/true,
/*ForceZeroLabels=*/false);
morehouseUnsubmitted
Done
ReplyInline Actions
DFSanFunction DFSF(*this, F, /*IsNativeABI=*/true,
- /*ForceZeroLabels*/ false);
+ /*ForceZeroLabels=*/false);
Function::arg_iterator ValAI = F->arg_begin(), ShadowAI = AI;

For consistency.

morehouse: For consistency.
Function::arg_iterator ValAI = F->arg_begin(), ShadowAI = AI; Function::arg_iterator ValAI = F->arg_begin(), ShadowAI = AI;
++ValAI; ++ValAI;
for (unsigned N = FT->getNumParams(); N != 0; ++ValAI, ++ShadowAI, --N) { for (unsigned N = FT->getNumParams(); N != 0; ++ValAI, ++ShadowAI, --N) {
Value *Shadow = Value *Shadow =
DFSF.expandFromPrimitiveShadow(ValAI->getType(), &*ShadowAI, CI); DFSF.expandFromPrimitiveShadow(ValAI->getType(), &*ShadowAI, CI);
DFSF.ValShadowMap[&*ValAI] = Shadow; DFSF.ValShadowMap[&*ValAI] = Shadow;
} }
Function::arg_iterator RetShadowAI = ShadowAI; Function::arg_iterator RetShadowAI = ShadowAI;
▲ Show 20 LinesShow All 185 Lines▼ Show 20 Linesbool DataFlowSanitizer::runImpl(Module &M) {
injectMetadataGlobals(M); injectMetadataGlobals(M);
initializeCallbackFunctions(M); initializeCallbackFunctions(M);
initializeRuntimeFunctions(M); initializeRuntimeFunctions(M);
std::vector<Function *> FnsToInstrument; std::vector<Function *> FnsToInstrument;
SmallPtrSet<Function *, 2> FnsWithNativeABI; SmallPtrSet<Function *, 2> FnsWithNativeABI;
SmallPtrSet<Function *, 2> FnsWithForceZeroLabel;
for (Function &F : M) for (Function &F : M)
if (!F.isIntrinsic() && !DFSanRuntimeFunctions.contains(&F)) if (!F.isIntrinsic() && !DFSanRuntimeFunctions.contains(&F))
FnsToInstrument.push_back(&F); FnsToInstrument.push_back(&F);
// Give function aliases prefixes when necessary, and build wrappers where the // Give function aliases prefixes when necessary, and build wrappers where the
// instrumentedness is inconsistent. // instrumentedness is inconsistent.
for (Module::alias_iterator AI = M.alias_begin(), AE = M.alias_end(); for (Module::alias_iterator AI = M.alias_begin(), AE = M.alias_end();
AI != AE;) { AI != AE;) {
Show All 31 Lines for (std::vector<Function *>::iterator FI = FnsToInstrument.begin(),
FI != FE; ++FI) { FI != FE; ++FI) {
Function &F = **FI; Function &F = **FI;
FunctionType *FT = F.getFunctionType(); FunctionType *FT = F.getFunctionType();
bool IsZeroArgsVoidRet = (FT->getNumParams() == 0 && !FT->isVarArg() && bool IsZeroArgsVoidRet = (FT->getNumParams() == 0 && !FT->isVarArg() &&
FT->getReturnType()->isVoidTy()); FT->getReturnType()->isVoidTy());
if (isInstrumented(&F)) { if (isInstrumented(&F)) {
if (isForceZeroLabels(&F))
FnsWithForceZeroLabel.insert(&F);
// Instrumented functions get a '.dfsan' suffix. This allows us to more // Instrumented functions get a '.dfsan' suffix. This allows us to more
// easily identify cases of mismatching ABIs. This naming scheme is // easily identify cases of mismatching ABIs. This naming scheme is
// mangling-compatible (see Itanium ABI), using a vendor-specific suffix. // mangling-compatible (see Itanium ABI), using a vendor-specific suffix.
if (getInstrumentedABI() == IA_Args && !IsZeroArgsVoidRet) { if (getInstrumentedABI() == IA_Args && !IsZeroArgsVoidRet) {
FunctionType *NewFT = getArgsFunctionType(FT); FunctionType *NewFT = getArgsFunctionType(FT);
Function *NewF = Function::Create(NewFT, F.getLinkage(), Function *NewF = Function::Create(NewFT, F.getLinkage(),
F.getAddressSpace(), "", &M); F.getAddressSpace(), "", &M);
NewF->copyAttributesFrom(&F); NewF->copyAttributesFrom(&F);
▲ Show 20 LinesShow All 79 Lines▼ Show 20 Linesbool DataFlowSanitizer::runImpl(Module &M) {
} }
for (Function *F : FnsToInstrument) { for (Function *F : FnsToInstrument) {
if (!F || F->isDeclaration()) if (!F || F->isDeclaration())
continue; continue;
removeUnreachableBlocks(*F); removeUnreachableBlocks(*F);
DFSanFunction DFSF(*this, F, FnsWithNativeABI.count(F)); DFSanFunction DFSF(*this, F, FnsWithNativeABI.count(F),
FnsWithForceZeroLabel.count(F));
// DFSanVisitor may create new basic blocks, which confuses df_iterator. // DFSanVisitor may create new basic blocks, which confuses df_iterator.
// Build a copy of the list before iterating over it. // Build a copy of the list before iterating over it.
SmallVector<BasicBlock *, 4> BBList(depth_first(&F->getEntryBlock())); SmallVector<BasicBlock *, 4> BBList(depth_first(&F->getEntryBlock()));
for (BasicBlock *BB : BBList) { for (BasicBlock *BB : BBList) {
Instruction *Inst = &BB->front(); Instruction *Inst = &BB->front();
while (true) { while (true) {
▲ Show 20 LinesShow All 147 Lines▼ Show 20 LinesValue *DFSanFunction::getShadowForTLSArgument(Argument *A) {
} }
return DFS.getZeroShadow(A); return DFS.getZeroShadow(A);
} }
Value *DFSanFunction::getShadow(Value *V) { Value *DFSanFunction::getShadow(Value *V) {
if (!isa<Argument>(V) && !isa<Instruction>(V)) if (!isa<Argument>(V) && !isa<Instruction>(V))
return DFS.getZeroShadow(V); return DFS.getZeroShadow(V);
if (IsForceZeroLabels)
return DFS.getZeroShadow(V);
Value *&Shadow = ValShadowMap[V]; Value *&Shadow = ValShadowMap[V];
if (!Shadow) { if (!Shadow) {
if (Argument *A = dyn_cast<Argument>(V)) { if (Argument *A = dyn_cast<Argument>(V)) {
if (IsNativeABI) if (IsNativeABI)
return DFS.getZeroShadow(V); return DFS.getZeroShadow(V);
switch (IA) { switch (IA) {
case DataFlowSanitizer::IA_TLS: { case DataFlowSanitizer::IA_TLS: {
Shadow = getShadowForTLSArgument(A); Shadow = getShadowForTLSArgument(A);
▲ Show 20 LinesShow All 1,529 LinesShow Last 20 Lines

llvm/test/Instrumentation/DataFlowSanitizer/Inputs/abilist.txt

fun:discard*=uninstrumented fun:discard*=uninstrumented
fun:discard*=discard fun:discard*=discard
fun:functional=uninstrumented fun:functional=uninstrumented
fun:functional=functional fun:functional=functional
fun:custom*=uninstrumented fun:custom*=uninstrumented
fun:custom*=custom fun:custom*=custom
fun:uninstrumented*=uninstrumented fun:uninstrumented*=uninstrumented
fun:function_to_force_zero=force_zero_labels

llvm/test/Instrumentation/DataFlowSanitizer/force_zero.ll

  • This file was added.
; RUN: opt < %s -dfsan -dfsan-abilist=%S/Inputs/abilist.txt -S | FileCheck %s -DSHADOW_XOR_MASK=87960930222080
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-pc-linux-gnu"
define i32 @function_to_force_zero(i32 %0, i32* %1) {
; CHECK-LABEL: define i32 @function_to_force_zero.dfsan
; CHECK: %[[#SHADOW_XOR:]] = xor i64 {{.*}}, [[SHADOW_XOR_MASK]]
; CHECK: %[[#SHADOW_PTR:]] = inttoptr i64 %[[#SHADOW_XOR]] to i8*
; CHECK: %[[#SHADOW_BITCAST:]] = bitcast i8* %[[#SHADOW_PTR]] to i32*
; CHECK: store i32 0, i32* %[[#SHADOW_BITCAST]]
morehouseUnsubmitted
Done
ReplyInline Actions

Let's check that 0 is being stored specifically to SHADOW_PTR.

morehouse: Let's check that 0 is being stored specifically to `SHADOW_PTR`.
; CHECK: store i32 %{{.*}}
store i32 %0, i32* %1, align 4
; CHECK: store i8 0, {{.*}}@__dfsan_retval_tls
; CHECK: ret i32
ret i32 %0
}