This is an archive of the discontinued LLVM Phabricator instance.

Differential D119594

[sancov] Don't instrument calls to bitcast funcs: they're not indirect.
ClosedPublic

Authored by ab on Feb 11 2022, 2:06 PM.

Details

Reviewers
kcc
MaskRay
apazos
Commits
rG1067f2177aa6: [sancov] Don't instrument calls to bitcast funcs: they're not indirect.
Summary

Currently, when instrumenting indirect calls, this uses
CallBase::getCalledFunction to determine whether a given callsite is
eligible.

However, that returns null if:

this is an indirect function invocation or the function signature
does not match the call signature.

So, we end up instrumenting direct calls where the callee is a bitcast
ConstantExpr, even though we presumably don't need to.

Use isIndirectCall to ignore those funky direct calls.

Diff Detail

Event Timeline

ab created this revision.Feb 11 2022, 2:06 PM
Herald added a reviewer: apazos. · View Herald TranscriptFeb 11 2022, 2:06 PM
Herald added a subscriber: hiraditya. · View Herald Transcript
ab requested review of this revision.Feb 11 2022, 2:06 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 11 2022, 2:06 PM
Harbormaster completed remote builds in B149105: Diff 408046.Feb 11 2022, 3:18 PM
MaskRay accepted this revision.Feb 24 2022, 4:44 PM

Sorry for the belated response. LGTM.

llvm/test/Instrumentation/SanitizerCoverage/trace-pc-guard.ll
66
67

Delete -NOT. Consecutive -NEXT patterns can ensure there is only one __sanitizer_cov_trace_* call.

This revision is now accepted and ready to land.Feb 24 2022, 4:44 PM
This revision was landed with ongoing or failed builds.Mar 7 2022, 12:44 PM
Closed by commit rG1067f2177aa6: [sancov] Don't instrument calls to bitcast funcs: they're not indirect. (authored by ab). · Explain Why
This revision was automatically updated to reflect the committed changes.
ab marked 2 inline comments as done.
ab added a commit: rG1067f2177aa6: [sancov] Don't instrument calls to bitcast funcs: they're not indirect..
Herald added a project: Restricted Project. · View Herald TranscriptMar 7 2022, 12:44 PM
ab added a comment.Mar 7 2022, 12:44 PM

Thanks!

llvm/test/Instrumentation/SanitizerCoverage/trace-pc-guard.ll
67

Sure; replaced with -NEXT of trace_pc_guard call

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
2 lines
test/
Instrumentation/
SanitizerCoverage/
22 lines

Diff 413595

llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp

Show First 20 LinesShow All 689 Lines▼ Show 20 Linesvoid ModuleSanitizerCoverage::instrumentFunction(
bool IsLeafFunc = true; bool IsLeafFunc = true;
for (auto &BB : F) { for (auto &BB : F) {
if (shouldInstrumentBlock(F, &BB, DT, PDT, Options)) if (shouldInstrumentBlock(F, &BB, DT, PDT, Options))
BlocksToInstrument.push_back(&BB); BlocksToInstrument.push_back(&BB);
for (auto &Inst : BB) { for (auto &Inst : BB) {
if (Options.IndirectCalls) { if (Options.IndirectCalls) {
CallBase *CB = dyn_cast<CallBase>(&Inst); CallBase *CB = dyn_cast<CallBase>(&Inst);
if (CB && !CB->getCalledFunction()) if (CB && CB->isIndirectCall())
IndirCalls.push_back(&Inst); IndirCalls.push_back(&Inst);
} }
if (Options.TraceCmp) { if (Options.TraceCmp) {
if (ICmpInst *CMP = dyn_cast<ICmpInst>(&Inst)) if (ICmpInst *CMP = dyn_cast<ICmpInst>(&Inst))
if (IsInterestingCmp(CMP, DT, Options)) if (IsInterestingCmp(CMP, DT, Options))
CmpTraceTargets.push_back(&Inst); CmpTraceTargets.push_back(&Inst);
if (isa<SwitchInst>(&Inst)) if (isa<SwitchInst>(&Inst))
SwitchTraceTargets.push_back(&Inst); SwitchTraceTargets.push_back(&Inst);
▲ Show 20 LinesShow All 400 LinesShow Last 20 Lines

llvm/test/Instrumentation/SanitizerCoverage/trace-pc-guard.ll

; RUN: opt < %s -passes='module(sancov-module)' -sanitizer-coverage-level=4 -sanitizer-coverage-trace-pc-guard -mtriple=x86_64 -S | FileCheck %s --check-prefixes=CHECK,COMDAT,ELF ; RUN: opt < %s -passes='module(sancov-module)' -sanitizer-coverage-level=4 -sanitizer-coverage-trace-pc-guard -mtriple=x86_64 -S | FileCheck %s --check-prefixes=CHECK,COMDAT,ELF
; RUN: opt < %s -passes='module(sancov-module)' -sanitizer-coverage-level=4 -sanitizer-coverage-trace-pc-guard -mtriple=aarch64-apple-darwin -S | FileCheck %s --check-prefixes=CHECK,MACHO ; RUN: opt < %s -passes='module(sancov-module)' -sanitizer-coverage-level=4 -sanitizer-coverage-trace-pc-guard -mtriple=aarch64-apple-darwin -S | FileCheck %s --check-prefixes=CHECK,MACHO
; RUN: opt < %s -passes='module(sancov-module)' -sanitizer-coverage-level=4 -sanitizer-coverage-trace-pc-guard -mtriple=x86_64-windows -S | FileCheck %s --check-prefixes=CHECK,COMDAT,WIN ; RUN: opt < %s -passes='module(sancov-module)' -sanitizer-coverage-level=4 -sanitizer-coverage-trace-pc-guard -mtriple=x86_64-windows -S | FileCheck %s --check-prefixes=CHECK,COMDAT,WIN
; COMDAT: $foo = comdat nodeduplicate ; COMDAT: $foo = comdat nodeduplicate
; COMDAT: $CallViaVptr = comdat nodeduplicate ; COMDAT: $CallViaVptr = comdat nodeduplicate
; COMDAT: $DirectBitcastCall = comdat nodeduplicate
; ELF: @__sancov_gen_ = private global [3 x i32] zeroinitializer, section "__sancov_guards", comdat($foo), align 4{{$}} ; ELF: @__sancov_gen_ = private global [3 x i32] zeroinitializer, section "__sancov_guards", comdat($foo), align 4{{$}}
; ELF-NEXT: @__sancov_gen_.1 = private global [1 x i32] zeroinitializer, section "__sancov_guards", comdat($CallViaVptr), align 4{{$}} ; ELF-NEXT: @__sancov_gen_.1 = private global [1 x i32] zeroinitializer, section "__sancov_guards", comdat($CallViaVptr), align 4{{$}}
; ELF-NEXT: @__sancov_gen_.2 = private global [1 x i32] zeroinitializer, section "__sancov_guards", comdat($DirectBitcastCall), align 4{{$}}
; MACHO: @__sancov_gen_ = private global [3 x i32] zeroinitializer, section "__DATA,__sancov_guards", align 4{{$}} ; MACHO: @__sancov_gen_ = private global [3 x i32] zeroinitializer, section "__DATA,__sancov_guards", align 4{{$}}
; MACHO-NEXT: @__sancov_gen_.1 = private global [1 x i32] zeroinitializer, section "__DATA,__sancov_guards", align 4{{$}} ; MACHO-NEXT: @__sancov_gen_.1 = private global [1 x i32] zeroinitializer, section "__DATA,__sancov_guards", align 4{{$}}
; MACHO-NEXT: @__sancov_gen_.2 = private global [1 x i32] zeroinitializer, section "__DATA,__sancov_guards", align 4{{$}}
; WIN: @__sancov_gen_ = private global [3 x i32] zeroinitializer, section ".SCOV$GM", comdat($foo), align 4{{$}} ; WIN: @__sancov_gen_ = private global [3 x i32] zeroinitializer, section ".SCOV$GM", comdat($foo), align 4{{$}}
; WIN-NEXT: @__sancov_gen_.1 = private global [1 x i32] zeroinitializer, section ".SCOV$GM", comdat($CallViaVptr), align 4{{$}} ; WIN-NEXT: @__sancov_gen_.1 = private global [1 x i32] zeroinitializer, section ".SCOV$GM", comdat($CallViaVptr), align 4{{$}}
; WIN-NEXT: @__sancov_gen_.2 = private global [1 x i32] zeroinitializer, section ".SCOV$GM", comdat($DirectBitcastCall), align 4{{$}}
; ELF: @llvm.used = appending global [1 x i8*] [i8* bitcast (void ()* @sancov.module_ctor_trace_pc_guard to i8*)] ; ELF: @llvm.used = appending global [1 x i8*] [i8* bitcast (void ()* @sancov.module_ctor_trace_pc_guard to i8*)]
; ELF: @llvm.compiler.used = appending global [2 x i8*] [i8* bitcast ([3 x i32]* @__sancov_gen_ to i8*), i8* bitcast ([1 x i32]* @__sancov_gen_.1 to i8*)], section "llvm.metadata" ; ELF: @llvm.compiler.used = appending global [3 x i8*] [i8* bitcast ([3 x i32]* @__sancov_gen_ to i8*), i8* bitcast ([1 x i32]* @__sancov_gen_.1 to i8*), i8* bitcast ([1 x i32]* @__sancov_gen_.2 to i8*)], section "llvm.metadata"
; MACHO: @llvm.used = appending global [3 x i8*] [i8* bitcast (void ()* @sancov.module_ctor_trace_pc_guard to i8*), i8* bitcast ([3 x i32]* @__sancov_gen_ to i8*), i8* bitcast ([1 x i32]* @__sancov_gen_.1 to i8*)] ; MACHO: @llvm.used = appending global [4 x i8*] [i8* bitcast (void ()* @sancov.module_ctor_trace_pc_guard to i8*), i8* bitcast ([3 x i32]* @__sancov_gen_ to i8*), i8* bitcast ([1 x i32]* @__sancov_gen_.1 to i8*), i8* bitcast ([1 x i32]* @__sancov_gen_.2 to i8*)]
; MACHO-NOT: @llvm.compiler.used = ; MACHO-NOT: @llvm.compiler.used =
; WIN: @llvm.used = appending global [1 x i8*] [i8* bitcast (void ()* @sancov.module_ctor_trace_pc_guard to i8*)], section "llvm.metadata" ; WIN: @llvm.used = appending global [1 x i8*] [i8* bitcast (void ()* @sancov.module_ctor_trace_pc_guard to i8*)], section "llvm.metadata"
; WIN-NEXT: @llvm.compiler.used = appending global [2 x i8*] [i8* bitcast ([3 x i32]* @__sancov_gen_ to i8*), i8* bitcast ([1 x i32]* @__sancov_gen_.1 to i8*)], section "llvm.metadata" ; WIN-NEXT: @llvm.compiler.used = appending global [3 x i8*] [i8* bitcast ([3 x i32]* @__sancov_gen_ to i8*), i8* bitcast ([1 x i32]* @__sancov_gen_.1 to i8*), i8* bitcast ([1 x i32]* @__sancov_gen_.2 to i8*)], section "llvm.metadata"
; CHECK-LABEL: define void @foo ; CHECK-LABEL: define void @foo
; CHECK: call void @__sanitizer_cov_trace_pc ; CHECK: call void @__sanitizer_cov_trace_pc
; CHECK: ret void ; CHECK: ret void
define void @foo(i32* %a) sanitize_address { define void @foo(i32* %a) sanitize_address {
entry: entry:
%tobool = icmp eq i32* %a, null %tobool = icmp eq i32* %a, null
Show All 20 Linesentry:
%vtable = load void (%struct.StructWithVptr*)**, void (%struct.StructWithVptr*)*** %0, align 8 %vtable = load void (%struct.StructWithVptr*)**, void (%struct.StructWithVptr*)*** %0, align 8
%1 = load void (%struct.StructWithVptr*)*, void (%struct.StructWithVptr*)** %vtable, align 8 %1 = load void (%struct.StructWithVptr*)*, void (%struct.StructWithVptr*)** %vtable, align 8
tail call void %1(%struct.StructWithVptr* %foo) tail call void %1(%struct.StructWithVptr* %foo)
tail call void %1(%struct.StructWithVptr* %foo) tail call void %1(%struct.StructWithVptr* %foo)
tail call void asm sideeffect "", ""() tail call void asm sideeffect "", ""()
ret void ret void
} }
; CHECK-LABEL: define void @DirectBitcastCall
; CHECK-NEXT: call void @__sanitizer_cov_trace_pc_guard
MaskRayUnsubmitted
Done
ReplyInline Actions
; CHECK-LABEL: define void @DirectBitcastCall
- ; CHECK-NOT: call void @__sanitizer_cov_trace_pc_indir
+
; CHECK: call void bitcast (i32 ()* @direct_callee to void ()*)()
MaskRay:
; CHECK-NEXT: call void bitcast (i32 ()* @direct_callee to void ()*)()
MaskRayUnsubmitted
Done
ReplyInline Actions
; CHECK-NOT: call void @__sanitizer_cov_trace_pc_indir
- ; CHECK: call void bitcast (i32 ()* @direct_callee to void ()*)()
+ ; CHECK-NEXT: call void bitcast (i32 ()* @direct_callee to void ()*)()
; CHECK: ret void

Delete -NOT. Consecutive -NEXT patterns can ensure there is only one __sanitizer_cov_trace_* call.

MaskRay: Delete `-NOT`. Consecutive `-NEXT` patterns can ensure there is only one…
abAuthorUnsubmitted
Done
ReplyInline Actions

Sure; replaced with -NEXT of trace_pc_guard call

ab: Sure; replaced with `-NEXT` of `trace_pc_guard` call
; CHECK-NEXT: ret void
declare i32 @direct_callee()
define void @DirectBitcastCall() sanitize_address {
call void bitcast (i32 ()* @direct_callee to void ()*)()
ret void
}
; ELF-LABEL: define internal void @sancov.module_ctor_trace_pc_guard() #2 comdat { ; ELF-LABEL: define internal void @sancov.module_ctor_trace_pc_guard() #2 comdat {
; MACHO-LABEL: define internal void @sancov.module_ctor_trace_pc_guard() #2 { ; MACHO-LABEL: define internal void @sancov.module_ctor_trace_pc_guard() #2 {
; CHECK: attributes #2 = { nounwind } ; CHECK: attributes #2 = { nounwind }