This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/
-
include/llvm/Analysis/
-
llvm/
-
Analysis/
1/4
StackSafetyAnalysis.h
-
lib/Transforms/Instrumentation/
-
Transforms/
-
Instrumentation/
13/17
AddressSanitizer.cpp
-
test/Instrumentation/AddressSanitizer/
-
Instrumentation/
-
AddressSanitizer/
-
asan-stack-safety.ll

Differential D112098

[ASan] Added stack safety support in address sanitizer.
ClosedPublic

Authored by kstoimenov on Oct 19 2021, 3:12 PM.

Download Raw Diff

Details

Reviewers

jdoerfert
vitalybuka
fmayer

Commits

rG3f1aca58df8f: [ASan] Added stack safety support in address sanitizer.

Summary

Added and implemented -asan-use-stack-safety flag, which control if ASan would use the Stack Safety results to emit less code for operations which are marked as 'safe' by the static analysis.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

kstoimenov created this revision.Oct 19 2021, 3:12 PM

Herald added subscribers: ormris, dexonsmith, dang, hiraditya. · View Herald TranscriptOct 19 2021, 3:12 PM

kstoimenov requested review of this revision.Oct 19 2021, 3:12 PM

Herald added a reviewer: jdoerfert. · View Herald TranscriptOct 19 2021, 3:12 PM

Herald added projects: Restricted Project, Restricted Project. · View Herald Transcript

Herald added subscribers: llvm-commits, cfe-commits, sstefan1. · View Herald Transcript

Harbormaster completed remote builds in B129613: Diff 380787.Oct 19 2021, 4:10 PM

Fixed the test to pass.

kstoimenov added reviewers: vitalybuka, fmayer.Oct 19 2021, 5:14 PM

kstoimenov added a subscriber: kda.

fmayer added inline comments.Oct 19 2021, 5:17 PM

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1509–1512	Doesn't need nested if. I would order this as ClUseStackSafety && SSI && findAllocaForValue(Ptr) && ... (cheapest first).

Harbormaster completed remote builds in B129644: Diff 380829.Oct 19 2021, 5:53 PM

vitalybuka added inline comments.Oct 19 2021, 6:13 PM

clang/include/clang/Basic/CodeGenOptions.def
227 ↗	(On Diff #380829)	We should avoid this flag. this is internal optimization. if it works we need to make it on for experiments -mllvm is enough. Also clang stuff better to extract to a separate patch.
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
815	functionality of the pass should be the same, so I don't see why this is the fatal error. so just ignore it? btw, why don't you want to support it?
1268	You can make this module pass to calculate StackSafetyGlobalAnalysis and use cached one below. This way we will avoid exposure of this logic to PM

fmayer added inline comments.Oct 20 2021, 1:52 PM

clang/test/CodeGen/asan-stack-safety-analysis.c
1 ↗	(On Diff #380829)	Should this file be in llvm/test/Instrumentation/ instead? Also consider porting some of the tests from HWASan (https://github.com/llvm/llvm-project/blob/main/llvm/test/Instrumentation/HWAddressSanitizer/stack-safety-analysis.ll).

fmayer added inline comments.Oct 20 2021, 1:55 PM

clang/test/CodeGen/asan-stack-safety-analysis.c
1 ↗	(On Diff #380829)	Uhm nevermind my first sentence, sorry about that. This is of course the right location.

Removed the top level flag and addressed comments.

kstoimenov edited the summary of this revision. (Show Details)Oct 21 2021, 12:46 PM

I think you also want to use SSI->isSafe(AllocaInst*) in isInterestingAlloca to prevent use-after-scope instrumentation if all accesses are safe.

kstoimenov marked 4 inline comments as done.Oct 21 2021, 12:53 PM

kstoimenov added inline comments.

clang/test/CodeGen/asan-stack-safety-analysis.c
1 ↗	(On Diff #380829)	I've removed this file. Also added a .ll test for the internal flag.
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
815	I would like to support it, but I am not sure how to get an instance of StackSafetyGlobalAnalysis, because in the legacy pass manger I don't have access to AnalysisManager<Function> &AM. If you know how to make this work, please let me know. As far as the report_fatal_error my logic is that if someone sets ClUseStackSafety flag they expect it to work and if it silently doesn't it is a bad user experience.

fmayer added inline comments.Oct 21 2021, 12:55 PM

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
815	Maybe it would help to look at the HWASan instrumentation pass, which uses the stack safety analysis for both old and new pass managers.

Harbormaster completed remote builds in B130018: Diff 381365.Oct 21 2021, 1:49 PM

Added support for legacy pass manager and a test for it.

kstoimenov added inline comments.Oct 21 2021, 2:27 PM

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
815	Thanks for the hint. I've used the HWAsan approach.

Harbormaster completed remote builds in B130041: Diff 381391.Oct 21 2021, 3:13 PM

This should be good for re-review now. PTAL.

vitalybuka added inline comments.Oct 21 2021, 11:17 PM

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
816	usually we don't use {} for one liners. But I'd prefer here: const StackSafetyGlobalInfo *SSI = ClUseStackSafety ? get...: nullptr
1268	It should probably be in ModuleAddressSanitizerPass, so it wll return ::all() and we don't care about invalidation.
1350	INITIALIZE_PASS_DEPENDENCY(StackSafetyGlobalInfoWrapperPass)

Fixed test.

Added a comment.

Removed {} after if.

Can you please fix in a separate patch llvm::runPassPipeline: it runs ModulePass after the function pass for -passes=asan-pipeline

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1509
1528	using poiter after the cast looks cleaner to me "ignoreAccess(LI, LI->"

This revision is now accepted and ready to land.Oct 26 2021, 4:46 PM

PTAL.

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1268	getCachedResult uses the invalidation so I couldn't get rid of it.

vitalybuka requested changes to this revision.Oct 26 2021, 4:50 PM

vitalybuka added inline comments.

llvm/include/llvm/Analysis/StackSafetyAnalysis.h
93	we still can't do that, some passes can make results irrelevant

This revision now requires changes to proceed.Oct 26 2021, 4:50 PM

s/I/LI/.

kstoimenov marked an inline comment as done.Oct 26 2021, 4:52 PM

Harbormaster completed remote builds in B130829: Diff 382486.Oct 26 2021, 7:24 PM

vitalybuka added subscribers: morehouse, pcc, eugenis.Oct 26 2021, 10:38 PM

vitalybuka added inline comments.

llvm/include/llvm/Analysis/StackSafetyAnalysis.h
93	Looks like only immutable analysis can be used through proxy, and this analysis cannot be immutable. Maybe we have to convert Asan into ModulePass, like HWAsan. Any other ideas? @eugenis @pcc @morehouse

eugenis added inline comments.Oct 27 2021, 5:34 PM

llvm/include/llvm/Analysis/StackSafetyAnalysis.h
93	Is the problem here that an invalidated analysis needs to be rerun, and the module-to-function proxy does not know how to do that? TBH, I'm not sure how big the performance benefits of a function pass are. With the amount of time we've sunk in working around function pass requirements and I'd say just go for it.

kstoimenov mentioned this in D112732: [ASan] Process functions in Asan module pass.Oct 28 2021, 9:52 AM

kstoimenov added inline comments.

llvm/include/llvm/Analysis/StackSafetyAnalysis.h
93	See https://reviews.llvm.org/D112732. I changed it for the new pass manager only.

vitalybuka added a parent revision: D112732: [ASan] Process functions in Asan module pass.Nov 2 2021, 7:18 PM

kstoimenov mentioned this in rG76ea87b94e5c: [ASan] Process functions in Asan module pass.Nov 3 2021, 10:51 AM

kstoimenov mentioned this in rGa55c4ec1cee7: [ASan] Process functions in Asan module pass.Nov 3 2021, 1:28 PM

After removing function pass.

Restored StackSafetyAnalysis.h.

Harbormaster completed remote builds in B132333: Diff 384587.Nov 3 2021, 3:04 PM

vitalybuka accepted this revision.Nov 3 2021, 5:39 PM

vitalybuka added inline comments.

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1509	check is not needed, we SSGI should be already null in this case
1509–1512	findAllocaForValue is DFS (expensive), stackAccessIsSafe is hash table lookup (cheep) so I would recommend to switch them

This revision is now accepted and ready to land.Nov 3 2021, 5:39 PM

Fixed tests.

kstoimenov requested review of this revision.Nov 4 2021, 3:02 PM

Harbormaster completed remote builds in B132548: Diff 384877.Nov 4 2021, 3:45 PM

vitalybuka accepted this revision.Nov 4 2021, 4:14 PM

vitalybuka added inline comments.

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1325	There is ::ProcessedAllocas which will be unnececary overpopulated with irrelevand allocas Maybe add FunctionSanitizer.Reset() But please do that in a separate patch, this optimization is unrelated to SSGI

This revision is now accepted and ready to land.Nov 4 2021, 4:14 PM

Moved AddressSanitizer back to the loop.

This revision was landed with ongoing or failed builds.Nov 4 2021, 5:23 PM

Closed by commit rG3f1aca58df8f: [ASan] Added stack safety support in address sanitizer. (authored by kstoimenov). · Explain Why

This revision was automatically updated to reflect the committed changes.

kstoimenov marked an inline comment as done.

kstoimenov added a commit: rG3f1aca58df8f: [ASan] Added stack safety support in address sanitizer..

Harbormaster completed remote builds in B132567: Diff 384902.Nov 4 2021, 5:30 PM

RKSimon added a subscriber: RKSimon.Jan 11 2022, 4:11 AM

RKSimon added inline comments.

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1533	@kstoimenov You're using the LI pointer for all IgnoreAccess calls which is causing nullptr dereference warnings in static analyzer. Should we just be using I or the dyn_cast<> pointers in each case? https://llvm.org/reports/scan-build/report-AddressSanitizer.cpp-ignoreAccess-21-f37ec0.html#EndPath

RKSimon added inline comments.Jan 30 2022, 2:50 AM

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1533	@kstoimenov Have you been able to check this at all please?

Sorry i just noticed this email. I will take a look next week.

dexonsmith removed a subscriber: dexonsmith.Jan 31 2022, 12:46 PM

dexonsmith added a subscriber: dexonsmith.

dexonsmith removed a subscriber: dexonsmith.

kstoimenov mentioned this in rGa5dd6c741955: [ASan] Fixed null pointer bug introduced in D112098..Jan 31 2022, 1:50 PM

kstoimenov mentioned this in D130503: [ASan] Use stack safety analysis to optimize allocas instrumentation..Jul 25 2022, 10:49 AM

vitalybuka mentioned this in rGd6e1e0a0190d: [ASan] Use stack safety analysis to optimize allocas instrumentation..Jul 26 2022, 6:48 PM

Revision Contents

Path

Size

llvm/

include/

llvm/

Analysis/

StackSafetyAnalysis.h

11 lines

lib/

Transforms/

Instrumentation/

AddressSanitizer.cpp

56 lines

test/

Instrumentation/

AddressSanitizer/

asan-stack-safety.ll

19 lines

Diff 382481

llvm/include/llvm/Analysis/StackSafetyAnalysis.h

Show First 20 Lines • Show All 80 Lines • ▼ Show 20 Lines	public:

// Returns true if the instruction can be proven to do only two types of		// Returns true if the instruction can be proven to do only two types of
// memory accesses:		// memory accesses:
// (1) live stack locations in-bounds or		// (1) live stack locations in-bounds or
// (2) non-stack locations.		// (2) non-stack locations.
bool stackAccessIsSafe(const Instruction &I) const;		bool stackAccessIsSafe(const Instruction &I) const;
void print(raw_ostream &O) const;		void print(raw_ostream &O) const;
void dump() const;		void dump() const;

		/// Handle invalidation from the pass manager.
		/// These results are never invalidated.
		bool invalidate(Module &, const PreservedAnalyses &,
		ModuleAnalysisManager::Invalidator &) {
		vitalybukaUnsubmitted Not Done Reply Inline Actions we still can't do that, some passes can make results irrelevant vitalybuka: we still can't do that, some passes can make results irrelevant
		vitalybukaUnsubmitted Not Done Reply Inline Actions Looks like only immutable analysis can be used through proxy, and this analysis cannot be immutable. Maybe we have to convert Asan into ModulePass, like HWAsan. Any other ideas? @eugenis @pcc @morehouse vitalybuka: Looks like only immutable analysis can be used through proxy, and this analysis cannot be…
		eugenisUnsubmitted Not Done Reply Inline Actions Is the problem here that an invalidated analysis needs to be rerun, and the module-to-function proxy does not know how to do that? TBH, I'm not sure how big the performance benefits of a function pass are. With the amount of time we've sunk in working around function pass requirements and I'd say just go for it. eugenis: Is the problem here that an invalidated analysis needs to be rerun, and the module-to-function…
		kstoimenovAuthorUnsubmitted Done Reply Inline Actions See https://reviews.llvm.org/D112732. I changed it for the new pass manager only. kstoimenov: See https://reviews.llvm.org/D112732. I changed it for the new pass manager only.
		return false;
		}
		bool invalidate(Function &, const PreservedAnalyses &,
		FunctionAnalysisManager::Invalidator &) {
		return false;
		}
};		};

/// StackSafetyInfo wrapper for the new pass manager.		/// StackSafetyInfo wrapper for the new pass manager.
class StackSafetyAnalysis : public AnalysisInfoMixin<StackSafetyAnalysis> {		class StackSafetyAnalysis : public AnalysisInfoMixin<StackSafetyAnalysis> {
friend AnalysisInfoMixin<StackSafetyAnalysis>;		friend AnalysisInfoMixin<StackSafetyAnalysis>;
static AnalysisKey Key;		static AnalysisKey Key;

public:		public:
▲ Show 20 Lines • Show All 77 Lines • Show Last 20 Lines

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show All 20 Lines

#include "llvm/ADT/SmallPtrSet.h"

#include "llvm/ADT/SmallVector.h"

#include "llvm/ADT/Statistic.h"

#include "llvm/ADT/StringExtras.h"

#include "llvm/ADT/StringRef.h"

#include "llvm/ADT/Triple.h"

#include "llvm/ADT/Twine.h"

#include "llvm/Analysis/MemoryBuiltins.h"

#include "llvm/Analysis/StackSafetyAnalysis.h"

#include "llvm/Analysis/TargetLibraryInfo.h"

#include "llvm/Analysis/ValueTracking.h"

#include "llvm/BinaryFormat/MachO.h"

#include "llvm/IR/Argument.h"

#include "llvm/IR/Attributes.h"

#include "llvm/IR/BasicBlock.h"

#include "llvm/IR/Comdat.h"

#include "llvm/IR/Constant.h"

#include "llvm/IR/Constants.h"

#include "llvm/IR/DIBuilder.h"

#include "llvm/IR/DataLayout.h"

#include "llvm/IR/DebugInfoMetadata.h"

#include "llvm/IR/DebugLoc.h"

#include "llvm/IR/DerivedTypes.h"

#include "llvm/IR/Dominators.h"

#include "llvm/IR/Function.h"

#include "llvm/IR/GlobalAlias.h"

#include "llvm/IR/GlobalValue.h"

#include "llvm/IR/GlobalVariable.h"

#include "llvm/IR/IRBuilder.h"

#include "llvm/IR/InlineAsm.h"

#include "llvm/IR/InstIterator.h"

#include "llvm/IR/InstVisitor.h"

#include "llvm/IR/InstrTypes.h"

#include "llvm/IR/Instruction.h"

#include "llvm/IR/Instructions.h"

#include "llvm/IR/IntrinsicInst.h"

#include "llvm/IR/Intrinsics.h"

#include "llvm/IR/LLVMContext.h"

#include "llvm/IR/MDBuilder.h"

▲ Show 20 Lines • Show All 148 Lines • ▼ Show 20 Lines

static cl::opt<bool> ClInstrumentReads("asan-instrument-reads",

cl::desc("instrument read instructions"),

cl::Hidden, cl::init(true));

static cl::opt<bool> ClInstrumentWrites(

"asan-instrument-writes", cl::desc("instrument write instructions"),

cl::Hidden, cl::init(true));

static cl::opt<bool>

ClUseStackSafety("asan-use-stack-safety", cl::Hidden, cl::init(false),

cl::Hidden, cl::desc("Use Stack Safety analysis results"),

cl::Optional);

static cl::opt<bool> ClInstrumentAtomics(

"asan-instrument-atomics",

cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden,

cl::init(true));

static cl::opt<bool>

ClInstrumentByval("asan-instrument-byval",

cl::desc("instrument byval call arguments"), cl::Hidden,

▲ Show 20 Lines • Show All 420 Lines • ▼ Show 20 Lines

private:

GlobalsMetadata GlobalsMD;

};

char ASanGlobalsMetadataWrapperPass::ID = 0;

/// AddressSanitizer: instrument the code in module to find memory bugs.

struct AddressSanitizer {

AddressSanitizer(Module &M, const GlobalsMetadata *GlobalsMD,

const StackSafetyGlobalInfo *SSGI,

bool CompileKernel = false, bool Recover = false,

bool UseAfterScope = false,

AsanDetectStackUseAfterReturnMode UseAfterReturn =

AsanDetectStackUseAfterReturnMode::Runtime)

: CompileKernel(ClEnableKasan.getNumOccurrences() > 0 ? ClEnableKasan

: CompileKernel),

Recover(ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover),

UseAfterScope(UseAfterScope || ClUseAfterScope),

UseAfterReturn(ClUseAfterReturn.getNumOccurrences() ? ClUseAfterReturn

: UseAfterReturn),

GlobalsMD(*GlobalsMD) {

GlobalsMD(*GlobalsMD), SSGI(SSGI) {

C = &(M.getContext());

LongSize = M.getDataLayout().getPointerSizeInBits();

IntptrTy = Type::getIntNTy(*C, LongSize);

Int8PtrTy = Type::getInt8PtrTy(*C);

Int32Ty = Type::getInt32Ty(*C);

TargetTriple = Triple(M.getTargetTriple());

Mapping = getShadowMapping(TargetTriple, LongSize, this->CompileKernel);

Show All 12 Lines

uint64_t getAllocaSizeInBytes(const AllocaInst &AI) const {

uint64_t SizeInBytes =

AI.getModule()->getDataLayout().getTypeAllocSize(Ty);

return SizeInBytes * ArraySize;

}

/// Check if we want (and can) handle this alloca.

bool isInterestingAlloca(const AllocaInst &AI);

bool ignoreAccess(Value *Ptr);

bool ignoreAccess(Instruction *Inst, Value *Ptr);

void getInterestingMemoryOperands(

Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting);

void instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis,

InterestingMemoryOperand &O, bool UseCalls,

const DataLayout &DL);

void instrumentPointerComparisonOrSubtraction(Instruction *I);

void instrumentAddress(Instruction *OrigIns, Instruction *InsertBefore,

▲ Show 20 Lines • Show All 68 Lines • ▼ Show 20 Lines

private:

// These arrays is indexed by AccessIsWrite and Experiment.

FunctionCallee AsanErrorCallbackSized[2][2];

FunctionCallee AsanMemoryAccessCallbackSized[2][2];

FunctionCallee AsanMemmove, AsanMemcpy, AsanMemset;

Value *LocalDynamicShadow = nullptr;

const GlobalsMetadata &GlobalsMD;

const StackSafetyGlobalInfo *SSGI;

DenseMap<const AllocaInst *, bool> ProcessedAllocas;

FunctionCallee AMDGPUAddressShared;

FunctionCallee AMDGPUAddressPrivate;

};

class AddressSanitizerLegacyPass : public FunctionPass {

public:

Show All 10 Lines

public:

}

StringRef getPassName() const override {

return "AddressSanitizerFunctionPass";

}

void getAnalysisUsage(AnalysisUsage &AU) const override {

AU.addRequired<ASanGlobalsMetadataWrapperPass>();

if (ClUseStackSafety)

AU.addRequired<StackSafetyGlobalInfoWrapperPass>();

AU.addRequired<TargetLibraryInfoWrapperPass>();

}

bool runOnFunction(Function &F) override {

GlobalsMetadata &GlobalsMD =

vitalybukaUnsubmitted

Done

functionality of the pass should be the same, so I don't see why this is the fatal error. so just ignore it?

btw, why don't you want to support it?

vitalybuka: functionality of the pass should be the same, so I don't see why this is the fatal error. so…

kstoimenovAuthorUnsubmitted

Done

I would like to support it, but I am not sure how to get an instance of StackSafetyGlobalAnalysis, because in the legacy pass manger I don't have access to AnalysisManager<Function> &AM. If you know how to make this work, please let me know.

As far as the report_fatal_error my logic is that if someone sets ClUseStackSafety flag they expect it to work and if it silently doesn't it is a bad user experience.

kstoimenov: I would like to support it, but I am not sure how to get an instance of…

fmayerUnsubmitted

Done

Maybe it would help to look at the HWASan instrumentation pass, which uses the stack safety analysis for both old and new pass managers.

fmayer: Maybe it would help to look at the HWASan instrumentation pass, which uses the stack safety…

kstoimenovAuthorUnsubmitted

Done

Thanks for the hint. I've used the HWAsan approach.

kstoimenov: Thanks for the hint. I've used the HWAsan approach.

getAnalysis<ASanGlobalsMetadataWrapperPass>().getGlobalsMD();

vitalybukaUnsubmitted

Done

usually we don't use {} for one liners.
But I'd prefer here:
const StackSafetyGlobalInfo *SSI = ClUseStackSafety ? get...: nullptr

vitalybuka: usually we don't use {} for one liners. But I'd prefer here: const StackSafetyGlobalInfo *SSI =…

const StackSafetyGlobalInfo *const SSGI =

ClUseStackSafety

? &getAnalysis<StackSafetyGlobalInfoWrapperPass>().getResult()

: nullptr;

const TargetLibraryInfo *TLI =

&getAnalysis<TargetLibraryInfoWrapperPass>().getTLI(F);

AddressSanitizer ASan(*F.getParent(), &GlobalsMD, CompileKernel, Recover,

AddressSanitizer ASan(*F.getParent(), &GlobalsMD, SSGI, CompileKernel,

UseAfterScope, UseAfterReturn);

Recover, UseAfterScope, UseAfterReturn);

return ASan.instrumentFunction(F, TLI);

}

private:

bool CompileKernel;

bool Recover;

bool UseAfterScope;

AsanDetectStackUseAfterReturnMode UseAfterReturn;

▲ Show 20 Lines • Show All 427 Lines • ▼ Show 20 Lines

ConstantInt *IsExcluded =

mdconst::extract<ConstantInt>(MDN->getOperand(4));

E.IsExcluded |= IsExcluded->isOne();

}

AnalysisKey ASanGlobalsMetadataAnalysis::Key;

GlobalsMetadata ASanGlobalsMetadataAnalysis::run(Module &M,

ModuleAnalysisManager &AM) {

vitalybukaUnsubmitted

Done

You can make this module pass to calculate StackSafetyGlobalAnalysis and use cached one below.
This way we will avoid exposure of this logic to PM

vitalybuka: You can make this module pass to calculate StackSafetyGlobalAnalysis and use cached one below.

vitalybukaUnsubmitted

Not Done

It should probably be in ModuleAddressSanitizerPass, so it wll return ::all() and we don't care about invalidation.

vitalybuka: It should probably be in ModuleAddressSanitizerPass, so it wll return ::all() and we don't care…

kstoimenovAuthorUnsubmitted

Done

getCachedResult uses the invalidation so I couldn't get rid of it.

kstoimenov: getCachedResult uses the invalidation so I couldn't get rid of it.

return GlobalsMetadata(M);

}

PreservedAnalyses AddressSanitizerPass::run(Function &F,

AnalysisManager<Function> &AM) {

auto &MAMProxy = AM.getResult<ModuleAnalysisManagerFunctionProxy>(F);

Module &M = *F.getParent();

if (auto *R = MAMProxy.getCachedResult<ASanGlobalsMetadataAnalysis>(M)) {

const TargetLibraryInfo *TLI = &AM.getResult<TargetLibraryAnalysis>(F);

AddressSanitizer Sanitizer(M, R, Options.CompileKernel, Options.Recover,

const StackSafetyGlobalInfo *const SSGI =

Options.UseAfterScope, Options.UseAfterReturn);

ClUseStackSafety

? MAMProxy.getCachedResult<StackSafetyGlobalAnalysis>(M)

: nullptr;

AddressSanitizer Sanitizer(M, R, SSGI, Options.CompileKernel,

Options.Recover, Options.UseAfterScope,

Options.UseAfterReturn);

if (Sanitizer.instrumentFunction(F, TLI))

return PreservedAnalyses::none();

return PreservedAnalyses::all();

}

report_fatal_error(

"The ASanGlobalsMetadataAnalysis is required to run before "

"AddressSanitizer can run");

Show All 24 Lines

ModuleAddressSanitizerPass::ModuleAddressSanitizerPass(

bool CompileKernel, bool Recover, bool UseGlobalGC, bool UseOdrIndicator,

AsanDtorKind DestructorKind)

: CompileKernel(CompileKernel), Recover(Recover), UseGlobalGC(UseGlobalGC),

UseOdrIndicator(UseOdrIndicator), DestructorKind(DestructorKind) {}

PreservedAnalyses ModuleAddressSanitizerPass::run(Module &M,

AnalysisManager<Module> &AM) {

GlobalsMetadata &GlobalsMD = AM.getResult<ASanGlobalsMetadataAnalysis>(M);

const StackSafetyGlobalInfo *SSGI = nullptr;

vitalybukaUnsubmitted

Done

There is ::ProcessedAllocas which will be unnececary overpopulated with irrelevand allocas
Maybe add FunctionSanitizer.Reset()

But please do that in a separate patch, this optimization is unrelated to SSGI

vitalybuka: There is ::ProcessedAllocas which will be unnececary overpopulated with irrelevand allocas…

if (ClUseStackSafety && !AM.getCachedResult<StackSafetyGlobalAnalysis>(M)) {

SSGI = &AM.getResult<StackSafetyGlobalAnalysis>(M);

}

ModuleAddressSanitizer Sanitizer(M, &GlobalsMD, CompileKernel, Recover,

UseGlobalGC, UseOdrIndicator,

DestructorKind);

if (Sanitizer.instrumentModule(M))

return PreservedAnalyses::none();

return PreservedAnalyses::all();

}

INITIALIZE_PASS(ASanGlobalsMetadataWrapperPass, "asan-globals-md",

"Read metadata to mark which globals should be instrumented "

"when running ASan.",

false, true)

char AddressSanitizerLegacyPass::ID = 0;

INITIALIZE_PASS_BEGIN(

AddressSanitizerLegacyPass, "asan",

"AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,

false)

INITIALIZE_PASS_DEPENDENCY(ASanGlobalsMetadataWrapperPass)

INITIALIZE_PASS_DEPENDENCY(StackSafetyGlobalInfoWrapperPass)

INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)

vitalybukaUnsubmitted

Done

INITIALIZE_PASS_DEPENDENCY(StackSafetyGlobalInfoWrapperPass)

vitalybuka: INITIALIZE_PASS_DEPENDENCY(StackSafetyGlobalInfoWrapperPass)

INITIALIZE_PASS_END(

AddressSanitizerLegacyPass, "asan",

"AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,

false)

FunctionPass *llvm::createAddressSanitizerFunctionPass(

bool CompileKernel, bool Recover, bool UseAfterScope,

AsanDetectStackUseAfterReturnMode UseAfterReturn) {

▲ Show 20 Lines • Show All 121 Lines • ▼ Show 20 Lines

bool IsInteresting =

!AI.isUsedWithInAlloca() &&

// swifterror allocas are register promoted by ISel

!AI.isSwiftError());

ProcessedAllocas[&AI] = IsInteresting;

return IsInteresting;

}

bool AddressSanitizer::ignoreAccess(Value *Ptr) {

bool AddressSanitizer::ignoreAccess(Instruction *Inst, Value *Ptr) {

// Instrument acesses from different address spaces only for AMDGPU.

Type *PtrTy = cast<PointerType>(Ptr->getType()->getScalarType());

if (PtrTy->getPointerAddressSpace() != 0 &&

!(TargetTriple.isAMDGPU() && !isUnsupportedAMDGPUAddrspace(Ptr)))

return true;

// Ignore swifterror addresses.

// swifterror memory addresses are mem2reg promoted by instruction

// selection. As such they cannot have regular uses like an instrumentation

// function and it makes no sense to track them as memory.

if (Ptr->isSwiftError())

return true;

// Treat memory accesses to promotable allocas as non-interesting since they

// will not cause memory violations. This greatly speeds up the instrumented

// executable at -O0.

if (auto AI = dyn_cast_or_null<AllocaInst>(Ptr))

if (ClSkipPromotableAllocas && !isInterestingAlloca(*AI))

return true;

if (ClUseStackSafety && SSGI != nullptr && findAllocaForValue(Ptr) &&

vitalybukaUnsubmitted

Not Done

return true;

- if (ClUseStackSafety && SSGI != nullptr && findAllocaForValue(Ptr) &&

+ if (SSGI && ClUseStackSafety && findAllocaForValue(Ptr) &&

SSGI->stackAccessIsSafe(*Inst)) {

vitalybuka:

vitalybukaUnsubmitted

Done

check is not needed, we SSGI should be already null in this case

vitalybuka: check is not needed, we SSGI should be already null in this case

SSGI->stackAccessIsSafe(*Inst)) {

return true;

}

fmayerUnsubmitted

Done

Doesn't need nested if.

I would order this as ClUseStackSafety && SSI && findAllocaForValue(Ptr) && ... (cheapest first).

fmayer: Doesn't need nested if. I would order this as ClUseStackSafety && SSI && findAllocaForValue…

vitalybukaUnsubmitted

Done

findAllocaForValue is DFS (expensive), stackAccessIsSafe is hash table lookup (cheep)
so I would recommend to switch them

vitalybuka: findAllocaForValue is DFS (expensive), stackAccessIsSafe is hash table lookup (cheep) so I…

return false;

}

void AddressSanitizer::getInterestingMemoryOperands(

Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting) {

// Skip memory accesses inserted by another instrumentation.

if (I->hasMetadata("nosanitize"))

return;

// Do not instrument the load fetching the dynamic shadow address.

if (LocalDynamicShadow == I)

return;

if (LoadInst *LI = dyn_cast<LoadInst>(I)) {

if (!ClInstrumentReads || ignoreAccess(LI->getPointerOperand()))

if (!ClInstrumentReads || ignoreAccess(I, LI->getPointerOperand()))

vitalybukaUnsubmitted

Done

using poiter after the cast looks cleaner to me
"ignoreAccess(LI, LI->"

vitalybuka: using poiter after the cast looks cleaner to me "ignoreAccess(LI, LI->"

return;

Interesting.emplace_back(I, LI->getPointerOperandIndex(), false,

LI->getType(), LI->getAlign());

} else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {

if (!ClInstrumentWrites || ignoreAccess(SI->getPointerOperand()))

if (!ClInstrumentWrites || ignoreAccess(I, SI->getPointerOperand()))

RKSimonUnsubmitted

Not Done

@kstoimenov You're using the LI pointer for all IgnoreAccess calls which is causing nullptr dereference warnings in static analyzer.

Should we just be using I or the dyn_cast<> pointers in each case?

https://llvm.org/reports/scan-build/report-AddressSanitizer.cpp-ignoreAccess-21-f37ec0.html#EndPath

RKSimon: @kstoimenov You're using the LI pointer for all IgnoreAccess calls which is causing nullptr…

RKSimonUnsubmitted

Not Done

@kstoimenov Have you been able to check this at all please?

RKSimon: @kstoimenov Have you been able to check this at all please?

return;

Interesting.emplace_back(I, SI->getPointerOperandIndex(), true,

SI->getValueOperand()->getType(), SI->getAlign());

} else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) {

if (!ClInstrumentAtomics || ignoreAccess(RMW->getPointerOperand()))

if (!ClInstrumentAtomics || ignoreAccess(I, RMW->getPointerOperand()))

return;

Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true,

RMW->getValOperand()->getType(), None);

} else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {

if (!ClInstrumentAtomics || ignoreAccess(XCHG->getPointerOperand()))

if (!ClInstrumentAtomics || ignoreAccess(I, XCHG->getPointerOperand()))

return;

Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true,

XCHG->getCompareOperand()->getType(), None);

} else if (auto CI = dyn_cast<CallInst>(I)) {

auto *F = CI->getCalledFunction();

if (F && (F->getName().startswith("llvm.masked.load.") ||

F->getName().startswith("llvm.masked.store."))) {

bool IsWrite = F->getName().startswith("llvm.masked.store.");

// Masked store has an initial operand for the value.

unsigned OpOffset = IsWrite ? 1 : 0;

if (IsWrite ? !ClInstrumentWrites : !ClInstrumentReads)

return;

auto BasePtr = CI->getOperand(OpOffset);

if (ignoreAccess(BasePtr))

if (ignoreAccess(I, BasePtr))

return;

auto Ty = cast<PointerType>(BasePtr->getType())->getElementType();

MaybeAlign Alignment = Align(1);

// Otherwise no alignment guarantees. We probably got Undef.

if (auto *Op = dyn_cast<ConstantInt>(CI->getOperand(1 + OpOffset)))

Alignment = Op->getMaybeAlignValue();

Value *Mask = CI->getOperand(2 + OpOffset);

Interesting.emplace_back(I, OpOffset, IsWrite, Ty, Alignment, Mask);

} else {

for (unsigned ArgNo = 0; ArgNo < CI->arg_size(); ArgNo++) {

if (!ClInstrumentByval || !CI->isByValArgument(ArgNo) ||

ignoreAccess(CI->getArgOperand(ArgNo)))

ignoreAccess(I, CI->getArgOperand(ArgNo)))

continue;

Type *Ty = CI->getParamByValType(ArgNo);

Interesting.emplace_back(I, ArgNo, false, Ty, Align(1));

}

▲ Show 20 Lines • Show All 2,107 Lines • Show Last 20 Lines

llvm/test/Instrumentation/AddressSanitizer/asan-stack-safety.ll

This file was added.

				; REQUIRES: x86-registered-target

				; RUN: opt < %s -S -enable-new-pm=0 -asan-instrumentation-with-call-threshold=0 -asan \
				; RUN: -asan-use-stack-safety=0 -o - \| FileCheck %s --check-prefixes=NOSAFETY
				; RUN: opt < %s -S -enable-new-pm=0 -asan-instrumentation-with-call-threshold=0 -asan \
				; RUN: -asan-use-stack-safety=1 -o - \| FileCheck %s --check-prefixes=SAFETY
				; RUN: opt < %s -S -enable-new-pm=1 -asan-instrumentation-with-call-threshold=0 \
				; RUN: -passes='asan-module,asan' -asan-use-stack-safety=0 -o - \| FileCheck %s --check-prefixes=NOSAFETY
				; RUN: opt < %s -S -enable-new-pm=1 -asan-instrumentation-with-call-threshold=0 \
				; RUN: -passes='asan-module,asan' -asan-use-stack-safety=1 -o - \| FileCheck %s --check-prefixes=SAFETY
				; NOSAFETY: call void @__asan_load1
				; SAFETY-NOT: call void @__asan_load1

				define i32 @stack-safety() sanitize_address {
				%buf = alloca [10 x i8], align 1
				%arrayidx = getelementptr inbounds [10 x i8], [10 x i8]* %buf, i64 0, i64 0
				%1 = load i8, i8* %arrayidx, align 1
				ret i32 0
				}

This is an archive of the discontinued LLVM Phabricator instance.

[ASan] Added stack safety support in address sanitizer.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 382481

llvm/include/llvm/Analysis/StackSafetyAnalysis.h

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

llvm/test/Instrumentation/AddressSanitizer/asan-stack-safety.ll

[ASan] Added stack safety support in address sanitizer.
ClosedPublic