This is an archive of the discontinued LLVM Phabricator instance.

Differential D115236

[msan] Implement -msan-disable-checks.
ClosedPublic

Authored by glider on Dec 7 2021, 4:32 AM.

Details

Reviewers
eugenis
vitalybuka
melver
Commits
rG1aa59ff2f789: [msan] Implement -msan-disable-checks.
Summary

[msan] Implement -msan-disable-checks.

To ease the deployment of KMSAN, we need a way to apply
attribute((no_sanitize("kernel-memory"))) to the whole source file.

Passing -msan-disable-checks=1 to the compiler will make it
treat every function in the file as if it was lacking the
sanitize_memory attribute.

Diff Detail

Event Timeline

glider created this revision.Dec 7 2021, 4:32 AM
Herald added a subscriber: hiraditya. · View Herald TranscriptDec 7 2021, 4:32 AM
glider requested review of this revision.Dec 7 2021, 4:32 AM
Herald added a project: Restricted Project. · View Herald TranscriptDec 7 2021, 4:32 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
glider added inline comments.Dec 7 2021, 4:34 AM
llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
312

This edit was suggested by clang-format, I am not particularly fond of it.

Harbormaster completed remote builds in B137873: Diff 392351.Dec 7 2021, 5:15 AM
vitalybuka added inline comments.Dec 7 2021, 10:24 AM
llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
312

I guess we need this because simple -fno-sanitize=memory will also remove shadow propagation?
What about SanitizerSpecialCaseList?

melver added inline comments.Dec 8 2021, 1:13 AM
llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
310

When does something compiled with LTO apply sanitizer passes?

Perhaps, to make it more general, I'd call it "msan-no-sanitize-all" or "msan-no-sanitize-all-functions", whichever you think is clearer.

311

__no_sanitize is the kernel spelling, should this be just no_sanitize?

Also, regarding formatting, I think I'd solve it by rewording the description slightly.

I think in this case, since this is about MSan, simply saying "Apply no_sanitize to the whole file" is probably unambiguous enough, and will make for nicer formatting.

llvm/test/Instrumentation/MemorySanitizer/msan_no_sanitize_whole_file.ll
4

This is not fully "noinstr", right? I.e. "noinstr" is slightly misleading since we still want instrumentation, just no checks.

27

This can be a "CHECK" because both are supposed to have this, right?

48

Aren't INSTR and NOINSTR supposed to be identical in the NoSanitizeFn case? I.e. you could just use CHECK throughout?

glider updated this revision to Diff 392714.Dec 8 2021, 4:46 AM

Addressed review comments

llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
310

IIUC, currently LTO works as follows:

  • kernel is built as usual, but with bitcode files instead of .o files;
  • these bitcode files are merged together, and additional optimization passes are ran on the resulting file.

Nobody ever tried this with KMSAN, but I would still expect it to work on a per-file basis.

But I agree not mentioning "file" is better. I'd go for "msan-no-sanitize-all" (we don't sanitize anything except functions anyway).

311

I actually failed to write "attribute((no_sanitize("memory")))" :)

But that's too verbose and might raise questions about the compatibility between "memory" and "kernel-memory", so perhaps just "no_sanitize" should be fine.

312

Yes, that's right, -fno-sanitize=memory doesn't work.

-fsanitize-ignorelist could be an option, but we want Makefiles to be the source of truth for the ignore lists.
Currently we disable KMSAN completely using the following syntax:

# One file in this dir: vclock_gettime.c
KMSAN_SANITIZE_vclock_gettime.o := n
# Either head32.c or head64.c, depending on $(BITS) exported from the parent Makefile
KMSAN_SANITIZE_head$(BITS).o := n
# All files in this directory and subdirectories
KMSAN_SANITIZE := n

The proposed flag will enable us to have the same syntax to disable shadow checking, but with -fsanitize-ignorelist we would need to generate the list on the fly, which might be tricky.

llvm/test/Instrumentation/MemorySanitizer/msan_no_sanitize_whole_file.ll
4

Changed to NOSANITIZE.

27

No. This instruction unpoisons the return value, which only happens in the "non-instrumented" case.

48

Right, thank you!

glider retitled this revision from [msan] Implement -msan-no-sanitize-whole-file. to [msan] Implement -msan-no-sanitize-all..Dec 8 2021, 5:16 AM
glider edited the summary of this revision. (Show Details)
melver accepted this revision.Dec 8 2021, 5:18 AM
melver added inline comments.
llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
311

s/ClNoSanitizeWholeFile/ClNoSanitizeAll/ ?

This revision is now accepted and ready to land.Dec 8 2021, 5:18 AM
Harbormaster completed remote builds in B138123: Diff 392714.Dec 8 2021, 5:30 AM
glider updated this revision to Diff 392740.Dec 8 2021, 6:21 AM

Fixed flag name

Harbormaster completed remote builds in B138143: Diff 392740.Dec 8 2021, 7:31 AM
glider updated this revision to Diff 392816.Dec 8 2021, 9:40 AM

Rebase

glider marked an inline comment as done.Dec 8 2021, 9:50 AM
Harbormaster completed remote builds in B138196: Diff 392816.Dec 8 2021, 10:15 AM
vitalybuka accepted this revision.Dec 8 2021, 11:04 AM
vitalybuka added inline comments.
llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
311

I don't see value in -all suffix on the flag applied to compilation unit. It's obvious that it's apply to "all"
"msan-no-sanitize-all" -> "msan-no-sanitize"

Maybe, but I am not sure: it's also a boolean flag why not just

static cl::opt<bool>
ClSanitize("msan-sanitize",
...
cl::init(true));

Are you going to add fronted flag? Usually they have -fsanitize-memory- prefix:
-fsanitize-memory-???? Also not sure what this could be.

-fsanitize-memory-ignore?

glider added inline comments.Dec 8 2021, 2:11 PM
llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
311

I don't see value in -all suffix on the flag applied to compilation unit. It's obvious that it's apply to "all"
"msan-no-sanitize-all" -> "msan-no-sanitize"

I imagine this being read as "apply no_sanitize to all functions", and "msan-no-sanitize" actually sounds very much like -fnosanitize=memory. Perhaps we need a better name...

Maybe, but I am not sure: it's also a boolean flag why not just

static cl::opt<bool>
ClSanitize("msan-sanitize",
...
cl::init(true));

Are you going to add fronted flag? Usually they have -fsanitize-memory- prefix:
-fsanitize-memory-???? Also not sure what this could be.

Good question, it didn't come to my mind. Not necessarily needed for KMSAN, but as long as we have the backend flag, might be a good idea.

-fsanitize-memory-ignore?

-fsanitize-memory-ignore-all-checks, maybe?

(and -mllvm -msan-ignore-all-checks ?)

melver added inline comments.Dec 9 2021, 3:31 AM
llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
311

Probably, like Vitaly pointed out, the "all" might be redundant.

The other question is, are checks "ignored", or "disabled".

Perhaps one of the following:

-fsanitize-memory-ignore-checks / -mllvm -msan-ignore-checks
-fsanitize-memory-disable-checks / -mllvm -msan-disable-checks

whichever you find to be clearest.

glider added inline comments.Dec 9 2021, 3:48 AM
llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
311

Probably, like Vitaly pointed out, the "all" might be redundant.

The other question is, are checks "ignored", or "disabled".

Perhaps one of the following:

-fsanitize-memory-ignore-checks / -mllvm -msan-ignore-checks
-fsanitize-memory-disable-checks / -mllvm -msan-disable-checks

whichever you find to be clearest.

I think "disable" should be better.
I'll go ahead and rename the -mllvm flag then.

glider updated this revision to Diff 393140.Dec 9 2021, 6:39 AM

Rename the flag

glider retitled this revision from [msan] Implement -msan-no-sanitize-all. to [msan] Implement -msan-disable-checks..Dec 9 2021, 6:41 AM
glider edited the summary of this revision. (Show Details)
Harbormaster completed remote builds in B138430: Diff 393140.Dec 9 2021, 7:26 AM
Closed by commit rG1aa59ff2f789: [msan] Implement -msan-disable-checks. (authored by glider). · Explain WhyDec 10 2021, 1:38 AM
This revision was automatically updated to reflect the committed changes.
glider added a commit: rG1aa59ff2f789: [msan] Implement -msan-disable-checks..

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
9 lines
test/
Instrumentation/
MemorySanitizer/
50 lines

Diff 392351

llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp

Show First 20 LinesShow All 301 Lines▼ Show 20 Lines cl::desc(
"inline checks (-1 means never use callbacks)."), "inline checks (-1 means never use callbacks)."),
cl::Hidden, cl::init(3500)); cl::Hidden, cl::init(3500));
static cl::opt<bool> static cl::opt<bool>
ClEnableKmsan("msan-kernel", ClEnableKmsan("msan-kernel",
cl::desc("Enable KernelMemorySanitizer instrumentation"), cl::desc("Enable KernelMemorySanitizer instrumentation"),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
static cl::opt<bool> ClNoSanitizeWholeFile("msan-no-sanitize-whole-file",
melverUnsubmitted
Not Done
ReplyInline Actions

When does something compiled with LTO apply sanitizer passes?

Perhaps, to make it more general, I'd call it "msan-no-sanitize-all" or "msan-no-sanitize-all-functions", whichever you think is clearer.

melver: When does something compiled with LTO apply sanitizer passes? Perhaps, to make it more general…
gliderAuthorUnsubmitted
Done
ReplyInline Actions

IIUC, currently LTO works as follows:

  • kernel is built as usual, but with bitcode files instead of .o files;
  • these bitcode files are merged together, and additional optimization passes are ran on the resulting file.

Nobody ever tried this with KMSAN, but I would still expect it to work on a per-file basis.

But I agree not mentioning "file" is better. I'd go for "msan-no-sanitize-all" (we don't sanitize anything except functions anyway).

glider: IIUC, currently LTO works as follows: - kernel is built as usual, but with bitcode files…
cl::desc("Apply __no_sanitize(("
melverUnsubmitted
Not Done
ReplyInline Actions

__no_sanitize is the kernel spelling, should this be just no_sanitize?

Also, regarding formatting, I think I'd solve it by rewording the description slightly.

I think in this case, since this is about MSan, simply saying "Apply no_sanitize to the whole file" is probably unambiguous enough, and will make for nicer formatting.

melver: `__no_sanitize` is the kernel spelling, should this be just `no_sanitize`? Also, regarding…
gliderAuthorUnsubmitted
Done
ReplyInline Actions

I actually failed to write "attribute((no_sanitize("memory")))" :)

But that's too verbose and might raise questions about the compatibility between "memory" and "kernel-memory", so perhaps just "no_sanitize" should be fine.

glider: I actually failed to write "__attribute__((no_sanitize("memory")))" :) But that's too verbose…
melverUnsubmitted
Done
ReplyInline Actions

s/ClNoSanitizeWholeFile/ClNoSanitizeAll/ ?

melver: s/ClNoSanitizeWholeFile/ClNoSanitizeAll/ ?
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

I don't see value in -all suffix on the flag applied to compilation unit. It's obvious that it's apply to "all"
"msan-no-sanitize-all" -> "msan-no-sanitize"

Maybe, but I am not sure: it's also a boolean flag why not just

static cl::opt<bool>
ClSanitize("msan-sanitize",
...
cl::init(true));

Are you going to add fronted flag? Usually they have -fsanitize-memory- prefix:
-fsanitize-memory-???? Also not sure what this could be.

-fsanitize-memory-ignore?

vitalybuka: I don't see value in -all suffix on the flag applied to compilation unit. It's obvious that…
gliderAuthorUnsubmitted
Done
ReplyInline Actions

I don't see value in -all suffix on the flag applied to compilation unit. It's obvious that it's apply to "all"
"msan-no-sanitize-all" -> "msan-no-sanitize"

I imagine this being read as "apply no_sanitize to all functions", and "msan-no-sanitize" actually sounds very much like -fnosanitize=memory. Perhaps we need a better name...

Maybe, but I am not sure: it's also a boolean flag why not just

static cl::opt<bool>
ClSanitize("msan-sanitize",
...
cl::init(true));

Are you going to add fronted flag? Usually they have -fsanitize-memory- prefix:
-fsanitize-memory-???? Also not sure what this could be.

Good question, it didn't come to my mind. Not necessarily needed for KMSAN, but as long as we have the backend flag, might be a good idea.

-fsanitize-memory-ignore?

-fsanitize-memory-ignore-all-checks, maybe?

(and -mllvm -msan-ignore-all-checks ?)

glider: > I don't see value in -all suffix on the flag applied to compilation unit. It's obvious that…
melverUnsubmitted
Not Done
ReplyInline Actions

Probably, like Vitaly pointed out, the "all" might be redundant.

The other question is, are checks "ignored", or "disabled".

Perhaps one of the following:

-fsanitize-memory-ignore-checks / -mllvm -msan-ignore-checks
-fsanitize-memory-disable-checks / -mllvm -msan-disable-checks

whichever you find to be clearest.

melver: Probably, like Vitaly pointed out, the "all" might be redundant. The other question is, are…
gliderAuthorUnsubmitted
Done
ReplyInline Actions

Probably, like Vitaly pointed out, the "all" might be redundant.

The other question is, are checks "ignored", or "disabled".

Perhaps one of the following:

-fsanitize-memory-ignore-checks / -mllvm -msan-ignore-checks
-fsanitize-memory-disable-checks / -mllvm -msan-disable-checks

whichever you find to be clearest.

I think "disable" should be better.
I'll go ahead and rename the -mllvm flag then.

glider: > Probably, like Vitaly pointed out, the "all" might be redundant. > > The other question is…
"memory"
gliderAuthorUnsubmitted
Done
ReplyInline Actions

This edit was suggested by clang-format, I am not particularly fond of it.

glider: This edit was suggested by clang-format, I am not particularly fond of it.
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

I guess we need this because simple -fno-sanitize=memory will also remove shadow propagation?
What about SanitizerSpecialCaseList?

vitalybuka: I guess we need this because simple -fno-sanitize=memory will also remove shadow propagation?
gliderAuthorUnsubmitted
Done
ReplyInline Actions

Yes, that's right, -fno-sanitize=memory doesn't work.

-fsanitize-ignorelist could be an option, but we want Makefiles to be the source of truth for the ignore lists.
Currently we disable KMSAN completely using the following syntax:

# One file in this dir: vclock_gettime.c
KMSAN_SANITIZE_vclock_gettime.o := n
# Either head32.c or head64.c, depending on $(BITS) exported from the parent Makefile
KMSAN_SANITIZE_head$(BITS).o := n
# All files in this directory and subdirectories
KMSAN_SANITIZE := n

The proposed flag will enable us to have the same syntax to disable shadow checking, but with -fsanitize-ignorelist we would need to generate the list on the fly, which might be tricky.

glider: Yes, that's right, -fno-sanitize=memory doesn't work. -fsanitize-ignorelist could be an option…
")) to the whole file"),
cl::Hidden, cl::init(false));
// This is an experiment to enable handling of cases where shadow is a non-zero // This is an experiment to enable handling of cases where shadow is a non-zero
// compile-time constant. For some unexplainable reason they were silently // compile-time constant. For some unexplainable reason they were silently
// ignored in the instrumentation. // ignored in the instrumentation.
static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow", static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow",
cl::desc("Insert checks for constant shadow values"), cl::desc("Insert checks for constant shadow values"),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
// This is off by default because of a bug in gold: // This is off by default because of a bug in gold:
▲ Show 20 LinesShow All 772 Lines▼ Show 20 Linesstruct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
bool InstrumentLifetimeStart = ClHandleLifetimeIntrinsics; bool InstrumentLifetimeStart = ClHandleLifetimeIntrinsics;
SmallSet<AllocaInst *, 16> AllocaSet; SmallSet<AllocaInst *, 16> AllocaSet;
SmallVector<std::pair<IntrinsicInst *, AllocaInst *>, 16> LifetimeStartList; SmallVector<std::pair<IntrinsicInst *, AllocaInst *>, 16> LifetimeStartList;
SmallVector<StoreInst *, 16> StoreList; SmallVector<StoreInst *, 16> StoreList;
MemorySanitizerVisitor(Function &F, MemorySanitizer &MS, MemorySanitizerVisitor(Function &F, MemorySanitizer &MS,
const TargetLibraryInfo &TLI) const TargetLibraryInfo &TLI)
: F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)), TLI(&TLI) { : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)), TLI(&TLI) {
bool SanitizeFunction = F.hasFnAttribute(Attribute::SanitizeMemory); bool SanitizeFunction =
F.hasFnAttribute(Attribute::SanitizeMemory) && !ClNoSanitizeWholeFile;
InsertChecks = SanitizeFunction; InsertChecks = SanitizeFunction;
PropagateShadow = SanitizeFunction; PropagateShadow = SanitizeFunction;
PoisonStack = SanitizeFunction && ClPoisonStack; PoisonStack = SanitizeFunction && ClPoisonStack;
PoisonUndef = SanitizeFunction && ClPoisonUndef; PoisonUndef = SanitizeFunction && ClPoisonUndef;
// In the presence of unreachable blocks, we may see Phi nodes with // In the presence of unreachable blocks, we may see Phi nodes with
// incoming nodes from such blocks. Since InstVisitor skips unreachable // incoming nodes from such blocks. Since InstVisitor skips unreachable
// blocks, such nodes will not have any shadow value associated with them. // blocks, such nodes will not have any shadow value associated with them.
▲ Show 20 LinesShow All 4,260 LinesShow Last 20 Lines

llvm/test/Instrumentation/MemorySanitizer/msan_no_sanitize_whole_file.ll

  • This file was added.
; Test for -msan-no-sanitize-whole-file, which should treat every function in the file
; as if it didn't have the sanitize_memory attribute.
; RUN: opt < %s -msan-check-access-address=0 -S -passes='module(msan-module),function(msan)' 2>&1 | FileCheck -allow-deprecated-dag-overlap -check-prefixes=CHECK,INSTR %s
; RUN: opt < %s -msan-check-access-address=0 -S -passes='module(msan-module),function(msan)' -msan-no-sanitize-whole-file=1 2>&1 | FileCheck -allow-deprecated-dag-overlap -check-prefixes=CHECK,NOINSTR %s
melverUnsubmitted
Not Done
ReplyInline Actions

This is not fully "noinstr", right? I.e. "noinstr" is slightly misleading since we still want instrumentation, just no checks.

melver: This is not fully "noinstr", right? I.e. "noinstr" is slightly misleading since we still want…
gliderAuthorUnsubmitted
Done
ReplyInline Actions

Changed to NOSANITIZE.

glider: Changed to NOSANITIZE.
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
declare void @bar()
define i32 @SanitizeFn(i32 %x) uwtable sanitize_memory {
entry:
%tobool = icmp eq i32 %x, 0
br i1 %tobool, label %if.end, label %if.then
if.then: ; preds = %entry
tail call void @bar()
br label %if.end
if.end: ; preds = %entry, %if.then
ret i32 %x
}
; CHECK-LABEL: @SanitizeFn
; INSTR: @__msan_warning
; NOINSTR-NOT: @__msan_warning
; NOINSTR: store i32 0, {{.*}} @__msan_retval_tls
melverUnsubmitted
Not Done
ReplyInline Actions

This can be a "CHECK" because both are supposed to have this, right?

melver: This can be a "CHECK" because both are supposed to have this, right?
gliderAuthorUnsubmitted
Done
ReplyInline Actions

No. This instruction unpoisons the return value, which only happens in the "non-instrumented" case.

glider: No. This instruction unpoisons the return value, which only happens in the "non-instrumented"…
; CHECK: ret i32
define i32 @NoSanitizeFn(i32 %x) uwtable {
entry:
%tobool = icmp eq i32 %x, 0
br i1 %tobool, label %if.end, label %if.then
if.then: ; preds = %entry
tail call void @bar()
br label %if.end
if.end: ; preds = %entry, %if.then
ret i32 %x
}
; CHECK-LABEL: @NoSanitizeFn
; INSTR-NOT: @__msan_warning
; NOINSTR-NOT: @__msan_warning
; NOINSTR: store i32 0, {{.*}} @__msan_retval_tls
melverUnsubmitted
Not Done
ReplyInline Actions

Aren't INSTR and NOINSTR supposed to be identical in the NoSanitizeFn case? I.e. you could just use CHECK throughout?

melver: Aren't INSTR and NOINSTR supposed to be identical in the NoSanitizeFn case? I.e. you could just…
gliderAuthorUnsubmitted
Done
ReplyInline Actions

Right, thank you!

glider: Right, thank you!
; CHECK: ret i32