This is an archive of the discontinued LLVM Phabricator instance.

Differential D119816

[SanitizerBounds] Add support for NoSanitizeBounds function
ClosedPublic

Authored by ztong0001 on Feb 15 2022, 1:14 AM.

Details

Reviewers
hiraditya
steven_wu
jdoerfert
dexonsmith
ormris
melver
nlopes
Commits
rG17ce89fa8016: [SanitizerBounds] Add support for NoSanitizeBounds function
Summary

This fix is very similar to D102772 that adds the ability to selectively
disable sanitizer pass on certain functions.
Currently adding attribute no_sanitize(bounds) isn't really disabling
-fsanitize=local-bounds (also enabled in -fsanitize=bounds).
Clang handles fsanitize=array-bounds which is already working.
LLVM(BoundsChecking pass in middle-end) handles fsanitize=local-bounds.
In this patch, if we detect no_sanitize(bounds) provided an additional
function attribute (NoSanitizeBounds) is attached to IR to let LLVM know
we want to disable local_bounds checking for this function as well.
In order to support this feature, IR is modified (similar to D102772) to make
clang able to preserve the information and let BoundsChecking pass know bounds
checking is disabled for certain function.

Diff Detail

Event Timeline

ztong0001 created this revision.Feb 15 2022, 1:14 AM
Herald added subscribers: ormris, dexonsmith, jdoerfert and 2 others. · View Herald TranscriptFeb 15 2022, 1:14 AM
ztong0001 requested review of this revision.Feb 15 2022, 1:14 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptFeb 15 2022, 1:14 AM
Herald added subscribers: llvm-commits, cfe-commits. · View Herald Transcript
ztong0001 edited the summary of this revision. (Show Details)Feb 15 2022, 1:16 AM
ztong0001 added reviewers: hiraditya, steven_wu, jdoerfert, dexonsmith, ormris.
ztong0001 edited the summary of this revision. (Show Details)
ztong0001 edited the summary of this revision. (Show Details)Feb 15 2022, 1:19 AM
Harbormaster completed remote builds in B149616: Diff 408742.Feb 15 2022, 2:28 AM
ztong0001 added reviewers: melver, nlopes.Feb 18 2022, 2:24 AM
nlopes added a comment.EditedFeb 18 2022, 2:47 AM

Well, this patch is just a band-aid and a disaster waiting to happen.
If kmalloc is tagged with an __attribute__ stating the allocation size, then you can't dereference beyond that limit or risk the alias analysis do something you don't want. You are triggering UB like that.
Can't you just remove the __attribute__ from kmalloc instead to avoid triggering UB?

melver added a comment.Feb 18 2022, 4:40 AM

What about this test then: https://github.com/llvm/llvm-project/blob/b0a0df980927ca54a7840a1b0c9766e98c05039b/clang/test/CodeGen/sanitize-coverage.c#L74

Can you show an independent C reproducer where no_sanitize does not work for you?

Is there an LKML discussion?

I also think sprinkling no_sanitize for UBSAN is again the wrong solution, as it was also for [1]. UBSAN has a tendency to generate too many false positives in the kernel, and we just have to work on finding solutions that tackle the problem wholesale rather than adding more band-aids.

In this case, I think the right solution is to simply make ksize() kill the optimizer's ability to know the object size. By definition ksize() will return the "true" allocation size, and it is fair to assume once that's called, the caller wants to use the full object size for its size-class.

[1] https://lore.kernel.org/all/20211111003519.1050494-1-tadeusz.struk@linaro.org/T/#u

melver added a comment.Feb 18 2022, 5:13 AM

Right, I was able to repro this. The problem is the trap, which generally sucks that no_sanitize still leaves in the trap.

We also have -fno-sanitize-undefined-trap-on-error, which seems to have no effect either (should it?).

So I think there are 2 problems:

  1. Clang still emitting traps even though it shouldn't.
  1. The Linux kernel problem.

I think it's fine if you address problem 1 with this, as it's an oversight. But I think problem 2 wants to be solved differently as I suggested.

ztong0001 added a comment.Feb 18 2022, 10:02 AM
In D119816#3331658, @nlopes wrote:

Well, this patch is just a band-aid and a disaster waiting to happen.
If kmalloc is tagged with an __attribute__ stating the allocation size, then you can't dereference beyond that limit or risk the alias analysis do something you don't want. You are triggering UB like that.
Can't you just remove the __attribute__ from kmalloc instead to avoid triggering UB?

I am not sure I fully get what you are saying.
What I am suggesting is something like below to avoid bounds check pass from running on this function.

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 9d0388bed0c1..186fca35266d 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1679,7 +1679,7 @@ EXPORT_SYMBOL(__pskb_copy_fclone);
  *     All the pointers pointing into skb header may change and must be
  *     reloaded after call to this function.
  */
-
+__attribute__((no_sanitize("bounds")))
 int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
                     gfp_t gfp_mask)
 {
nlopes added a comment.Feb 18 2022, 10:13 AM
In D119816#3332414, @ztong0001 wrote:
In D119816#3331658, @nlopes wrote:

Well, this patch is just a band-aid and a disaster waiting to happen.
If kmalloc is tagged with an __attribute__ stating the allocation size, then you can't dereference beyond that limit or risk the alias analysis do something you don't want. You are triggering UB like that.
Can't you just remove the __attribute__ from kmalloc instead to avoid triggering UB?

I am not sure I fully get what you are saying.
What I am suggesting is something like below to avoid bounds check pass from running on this function.

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 9d0388bed0c1..186fca35266d 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1679,7 +1679,7 @@ EXPORT_SYMBOL(__pskb_copy_fclone);
  *     All the pointers pointing into skb header may change and must be
  *     reloaded after call to this function.
  */
-
+__attribute__((no_sanitize("bounds")))
 int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
                     gfp_t gfp_mask)
 {

The main issue is that the kernel is wrong. It has a bug. The sanitizer's error is not a false-positive!
So what you are proposing is a band-aid. It's not a real solution and it's just masking a wider problem. LLVM knows that kmalloc(x) allocates x bytes because someone placed an __attribute__ ((alloc_size (1))) on kmalloc. That attribute is just wrong and should be removed. It allows LLVM to mark all accesses beyond kmalloc(x) + x - 1 as undefined behavior.

TL;DR: this patch is not the solution for your problems.

melver added a subscriber: kees.Feb 18 2022, 10:14 AM
ztong0001 added a comment.Feb 18 2022, 10:18 AM
In D119816#3331797, @melver wrote:

Right, I was able to repro this. The problem is the trap, which generally sucks that no_sanitize still leaves in the trap.

We also have -fno-sanitize-undefined-trap-on-error, which seems to have no effect either (should it?).

So I think there are 2 problems:

  1. Clang still emitting traps even though it shouldn't.
  1. The Linux kernel problem.

I think it's fine if you address problem 1 with this, as it's an oversight. But I think problem 2 wants to be solved differently as I suggested.

I haven't tried -fno-sanitize-undefined-trap-on-error yet.

IMO trap in kernel gives a generic crash message which is... hard to tell from other cases without further investigating. If I enable KASAN kernel will print out something like

`
[ 1.197953] BUG: KASAN: use-after-free in __pci_enable_msi_range+0x234/0x320
[ 1.198327] Freed by task 1:
[ 1.198327] kfree+0x8f/0x2b0
[ 1.198327] msi_free_msi_descs_range+0xf5/0x130
`

I agree with you that there are two problems.
I think it makes sense to let optimizer aware of ksize() if the kernel API won't change dramatically in the future.

ztong0001 added a comment.Feb 18 2022, 10:24 AM
In D119816#3332441, @nlopes wrote:

The main issue is that the kernel is wrong. It has a bug. The sanitizer's error is not a false-positive!
So what you are proposing is a band-aid. It's not a real solution and it's just masking a wider problem. LLVM knows that kmalloc(x) allocates x bytes because someone placed an __attribute__ ((alloc_size (1))) on kmalloc. That attribute is just wrong and should be removed. It allows LLVM to mark all accesses beyond kmalloc(x) + x - 1 as undefined behavior.

But isn't this something the author intended to do in order to catch an error?
ksize() case makes some exceptions out of this.

TL;DR: this patch is not the solution for your problems.

ztong0001 edited the summary of this revision. (Show Details)Feb 18 2022, 12:47 PM
ztong0001 added a comment.Feb 18 2022, 12:51 PM

Thank you all!
I have modified the summary, this patch focus on fixing non-working __attribute__((no_sanitize("bounds"))) attribute.
I will try to fix kernel ksize() related issue and -fno-sanitize-undefined-trap-on-error on separate patches.

melver added a comment.Feb 22 2022, 4:20 AM

Adding a new IR attribute comes with a whole slew of other required changes. Please see https://reviews.llvm.org/D102772 for an example.

In addition, please update the patch description to explain what the problem is exactly (remove the old kernel-specific problem, because it's only a distraction). In particular, what current no_sanitize does (because it does something for "bounds checking), and what is missing. Introducing a new IR attribute needs to be properly justified, so if you can explain why this can't be solved another way would also be useful (something like .. the local-bounds code generation happens in the middleend and not frontend unlike some other UBSAN checks).

Also, you need to add some IR tests.

ztong0001 added a comment.Feb 22 2022, 9:08 AM

Thank you @melver. I will revise patch as suggested.

ztong0001 updated this revision to Diff 411040.Feb 24 2022, 1:27 AM
ztong0001 edited the summary of this revision. (Show Details)

update patch and description as suggested by Marco

ztong0001 retitled this revision from Fix not working attribute no_sanitize bounds that affects linux kernel to [SanitizerBounds] Add support for NoSanitizeBounds function.Feb 24 2022, 1:28 AM
Harbormaster completed remote builds in B151206: Diff 411040.Feb 24 2022, 2:46 AM
melver requested changes to this revision.Feb 24 2022, 9:01 AM

Thanks - this looks good so far.

clang/test/CodeGen/sanitize-coverage.c
56

This test by itself is not sufficient, it's technically only for fsanitize-coverage.

2 places with more tests would be good:

  1. extend clang/test/CodeGen/bounds-checking.c
  2. add a pure IR test in llvm/test/Instrumentation/BoundsChecking

With that, it'll also be very clear what was broken before, and what is being fixed now.

This revision now requires changes to proceed.Feb 24 2022, 9:01 AM
ztong0001 updated this revision to Diff 411191.Feb 24 2022, 11:09 AM

Thank you, Marco! I have made the following changes:

  • extend clang/test/CodeGen/bounds-checking.c to include additional test for newly added nosanitize_bounds attribute
  • added a new pure IR test in llvm/test/Instrumentation/BoundsChecking/nosanitize-bounds.ll to test if the new attribute will prevent BoundsChecking pass running on the function
Harbormaster completed remote builds in B151326: Diff 411191.Feb 24 2022, 11:56 AM
melver requested changes to this revision.Feb 25 2022, 4:39 AM

Looks good. Few minor changes.

I did some more digging, and it's only fsanitize=local-bounds, so please verify this and also update the commit description. In fact, the Linux kernel already has a comment about Clang's weirdness of local-bounds vs. array-bounds here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/lib/Kconfig.ubsan#n62

This revision now requires changes to proceed.Feb 25 2022, 4:39 AM
melver added inline comments.Feb 25 2022, 4:42 AM
clang/lib/CodeGen/CodeGenFunction.cpp
757

These 2 checks can be reduced to 1 due to SanitizerKind::Bounds including both. However, as noted, this only affects local-bounds, so I'm not sure if we want to include both -- perhaps for completeness it makes sense, but in the array-bounds only case this attribute will be a nop (AFAIK).

Also, I think we don't want to attach the attribute if bounds checking isn't enabled -- at least it seems unnecessary to do so.

See the following suggested change:

diff --git a/clang/lib/CodeGen/CodeGenFunction.cpp b/clang/lib/CodeGen/CodeGenFunction.cpp
index 842ce0245d45..c1f3a3014a19 100644
--- a/clang/lib/CodeGen/CodeGenFunction.cpp
+++ b/clang/lib/CodeGen/CodeGenFunction.cpp
@@ -740,6 +740,7 @@ void CodeGenFunction::StartFunction(GlobalDecl GD, QualType RetTy,
   } while (false);
 
   if (D) {
+    const bool SanitizeBounds = SanOpts.hasOneOf(SanitizerKind::Bounds);
     bool NoSanitizeCoverage = false;
 
     for (auto Attr : D->specific_attrs<NoSanitizeAttr>()) {
@@ -754,16 +755,15 @@ void CodeGenFunction::StartFunction(GlobalDecl GD, QualType RetTy,
         SanOpts.set(SanitizerKind::KernelHWAddress, false);
       if (mask & SanitizerKind::KernelHWAddress)
         SanOpts.set(SanitizerKind::HWAddress, false);
-      if (mask & SanitizerKind::LocalBounds)
-        Fn->addFnAttr(llvm::Attribute::NoSanitizeBounds);
-      if (mask & SanitizerKind::ArrayBounds)
-        Fn->addFnAttr(llvm::Attribute::NoSanitizeBounds);
 
       // SanitizeCoverage is not handled by SanOpts.
       if (Attr->hasCoverage())
         NoSanitizeCoverage = true;
     }
 
+    if (SanitizeBounds && !SanOpts.hasOneOf(SanitizerKind::Bounds))
+      Fn->addFnAttr(llvm::Attribute::NoSanitizeBounds);
+
     if (NoSanitizeCoverage && CGM.getCodeGenOpts().hasSanitizeCoverage())
       Fn->addFnAttr(llvm::Attribute::NoSanitizeCoverage);
   }
ztong0001 added a comment.Feb 25 2022, 10:08 AM
In D119816#3345302, @melver wrote:

Looks good. Few minor changes.

I did some more digging, and it's only fsanitize=local-bounds, so please verify this and also update the commit description. In fact, the Linux kernel already has a comment about Clang's weirdness of local-bounds vs. array-bounds here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/lib/Kconfig.ubsan#n62

Yes I can confirm this. It is indeed fsanitize=local-bounds causing the kernel crash we discussed earlier. (UBSAN_LOCAL_BOUNDS=y)

ztong0001 added inline comments.Feb 25 2022, 10:11 AM
clang/lib/CodeGen/CodeGenFunction.cpp
757

Agreed. I will revise patch and commit description.

ztong0001 added inline comments.Feb 25 2022, 10:30 AM
clang/lib/CodeGen/CodeGenFunction.cpp
757

BTW: Just to double check we are on the same page

when no_sanitize(bounds) is provided, fsanitize=array-bounds is also disabled -- right ? I can confirm this attribute is also affecting array-bounds as this is handled in clang side and we are setting llvm::Attribute::NoSanitizeBounds so that clang's array-bounds can also see this.

I will also add another test for -fsanitize=array-bounds

ztong0001 updated this revision to Diff 411457.Feb 25 2022, 10:51 AM
  • update commit description
  • In: CodeGenFunction::StartFunction(), merge two checks(SanitizerKind::LocalBounds, SanitizerKind::ArrayBounds) into one(SanitizerKind::Bounds)
  • update test: clang/test/CodeGen/bounds-checking.c to show no_sanitize("bounds") can also affect fsanitize=array-bounds (clang)
ztong0001 edited the summary of this revision. (Show Details)Feb 25 2022, 10:51 AM
Harbormaster completed remote builds in B151508: Diff 411457.Feb 25 2022, 11:35 AM
melver added inline comments.Feb 25 2022, 12:15 PM
clang/lib/CodeGen/CodeGenFunction.cpp
757

Well, no_sanitize("bounds") already worked for array-bounds before this patch. But adding more tests never hurt.

ztong0001 edited the summary of this revision. (Show Details)Feb 25 2022, 12:25 PM
ztong0001 added inline comments.
clang/lib/CodeGen/CodeGenFunction.cpp
757

Got it. Thanks!

kees added a comment.Feb 25 2022, 2:11 PM

FWIW, related problems with pskb_expand_head were seen again here:
https://github.com/ClangBuiltLinux/linux/issues/1599

I have trouble reproducing it, but I think the kernel patch there solves the problem created by __alloc_size vs ksize().

ztong0001 added a comment.Feb 25 2022, 2:36 PM
In D119816#3346575, @kees wrote:

FWIW, related problems with pskb_expand_head were seen again here:
https://github.com/ClangBuiltLinux/linux/issues/1599

I have trouble reproducing it, but I think the kernel patch there solves the problem created by __alloc_size vs ksize().

yes, the asm ("" : "=r" (p) : "0" (p)); really did the trick

ztong0001 marked 2 inline comments as done.Feb 25 2022, 3:58 PM
melver accepted this revision.Feb 28 2022, 8:54 AM

LGTM

Let me know if you need help landing this.

This revision is now accepted and ready to land.Feb 28 2022, 8:54 AM
ztong0001 added a comment.EditedFeb 28 2022, 9:23 AM

Hi Marco,
@melver, Could you please help me landing it? I don't have write permission to the repo.
Please use Tong Zhang<ztong0001@gmail.com>
Thanks,

  • Tong
ztong0001 added a comment.Mar 1 2022, 9:25 AM

Hi Marco,
@melver, Could you please help me landing it? I don't have write permission to the repo.
Please use Tong Zhang<ztong0001@gmail.com>
Thanks,

Tong

melver added a comment.Mar 1 2022, 9:39 AM
In D119816#3349076, @ztong0001 wrote:

Hi Marco,
@melver, Could you please help me landing it? I don't have write permission to the repo.
Please use Tong Zhang<ztong0001@gmail.com>

Sure. I had already applied the patch locally to test, but then got distracted. Doing it now.

Thanks for your work.

This revision was landed with ongoing or failed builds.Mar 1 2022, 9:48 AM
Closed by commit rG17ce89fa8016: [SanitizerBounds] Add support for NoSanitizeBounds function (authored by ztong0001, committed by melver). · Explain Why
This revision was automatically updated to reflect the committed changes.
melver added a commit: rG17ce89fa8016: [SanitizerBounds] Add support for NoSanitizeBounds function.

Revision Contents

PathSize
clang/
lib/
CodeGen/
4 lines
test/
CodeGen/
9 lines
2 lines
llvm/
bindings/
go/
llvm/
1 line
docs/
1 line
3 lines
include/
llvm/
AsmParser/
1 line
Bitcode/
1 line
IR/
3 lines
lib/
AsmParser/
1 line
Bitcode/
Reader/
2 lines
Writer/
2 lines
Transforms/
Instrumentation/
3 lines
Utils/
1 line
test/
Bitcode/
7 lines
8 lines
Instrumentation/
BoundsChecking/
17 lines
utils/
emacs/
2 lines
1 line
vim/
syntax/
1 line
vscode/
llvm/
syntaxes/
1 line

Diff 412141

clang/lib/CodeGen/CodeGenFunction.cpp

Show First 20 LinesShow All 734 Lines▼ Show 20 Lines if (SanOpts.has(SanitizerKind::ID)) \
if (CGM.isInNoSanitizeList(SanitizerKind::ID, Fn, Loc)) \ if (CGM.isInNoSanitizeList(SanitizerKind::ID, Fn, Loc)) \
SanOpts.set(SanitizerKind::ID, false); SanOpts.set(SanitizerKind::ID, false);
#include "clang/Basic/Sanitizers.def" #include "clang/Basic/Sanitizers.def"
#undef SANITIZER #undef SANITIZER
} while (false); } while (false);
if (D) { if (D) {
const bool SanitizeBounds = SanOpts.hasOneOf(SanitizerKind::Bounds);
bool NoSanitizeCoverage = false; bool NoSanitizeCoverage = false;
for (auto Attr : D->specific_attrs<NoSanitizeAttr>()) { for (auto Attr : D->specific_attrs<NoSanitizeAttr>()) {
// Apply the no_sanitize* attributes to SanOpts. // Apply the no_sanitize* attributes to SanOpts.
SanitizerMask mask = Attr->getMask(); SanitizerMask mask = Attr->getMask();
SanOpts.Mask &= ~mask; SanOpts.Mask &= ~mask;
if (mask & SanitizerKind::Address) if (mask & SanitizerKind::Address)
SanOpts.set(SanitizerKind::KernelAddress, false); SanOpts.set(SanitizerKind::KernelAddress, false);
if (mask & SanitizerKind::KernelAddress) if (mask & SanitizerKind::KernelAddress)
SanOpts.set(SanitizerKind::Address, false); SanOpts.set(SanitizerKind::Address, false);
if (mask & SanitizerKind::HWAddress) if (mask & SanitizerKind::HWAddress)
SanOpts.set(SanitizerKind::KernelHWAddress, false); SanOpts.set(SanitizerKind::KernelHWAddress, false);
if (mask & SanitizerKind::KernelHWAddress) if (mask & SanitizerKind::KernelHWAddress)
SanOpts.set(SanitizerKind::HWAddress, false); SanOpts.set(SanitizerKind::HWAddress, false);
melverUnsubmitted
Done
ReplyInline Actions

These 2 checks can be reduced to 1 due to SanitizerKind::Bounds including both. However, as noted, this only affects local-bounds, so I'm not sure if we want to include both -- perhaps for completeness it makes sense, but in the array-bounds only case this attribute will be a nop (AFAIK).

Also, I think we don't want to attach the attribute if bounds checking isn't enabled -- at least it seems unnecessary to do so.

See the following suggested change:

diff --git a/clang/lib/CodeGen/CodeGenFunction.cpp b/clang/lib/CodeGen/CodeGenFunction.cpp
index 842ce0245d45..c1f3a3014a19 100644
--- a/clang/lib/CodeGen/CodeGenFunction.cpp
+++ b/clang/lib/CodeGen/CodeGenFunction.cpp
@@ -740,6 +740,7 @@ void CodeGenFunction::StartFunction(GlobalDecl GD, QualType RetTy,
   } while (false);
 
   if (D) {
+    const bool SanitizeBounds = SanOpts.hasOneOf(SanitizerKind::Bounds);
     bool NoSanitizeCoverage = false;
 
     for (auto Attr : D->specific_attrs<NoSanitizeAttr>()) {
@@ -754,16 +755,15 @@ void CodeGenFunction::StartFunction(GlobalDecl GD, QualType RetTy,
         SanOpts.set(SanitizerKind::KernelHWAddress, false);
       if (mask & SanitizerKind::KernelHWAddress)
         SanOpts.set(SanitizerKind::HWAddress, false);
-      if (mask & SanitizerKind::LocalBounds)
-        Fn->addFnAttr(llvm::Attribute::NoSanitizeBounds);
-      if (mask & SanitizerKind::ArrayBounds)
-        Fn->addFnAttr(llvm::Attribute::NoSanitizeBounds);
 
       // SanitizeCoverage is not handled by SanOpts.
       if (Attr->hasCoverage())
         NoSanitizeCoverage = true;
     }
 
+    if (SanitizeBounds && !SanOpts.hasOneOf(SanitizerKind::Bounds))
+      Fn->addFnAttr(llvm::Attribute::NoSanitizeBounds);
+
     if (NoSanitizeCoverage && CGM.getCodeGenOpts().hasSanitizeCoverage())
       Fn->addFnAttr(llvm::Attribute::NoSanitizeCoverage);
   }
melver: These 2 checks can be reduced to 1 due to SanitizerKind::Bounds including both. However, as…
ztong0001AuthorUnsubmitted
Done
ReplyInline Actions

Agreed. I will revise patch and commit description.

ztong0001: Agreed. I will revise patch and commit description.
ztong0001AuthorUnsubmitted
Done
ReplyInline Actions

BTW: Just to double check we are on the same page

when no_sanitize(bounds) is provided, fsanitize=array-bounds is also disabled -- right ? I can confirm this attribute is also affecting array-bounds as this is handled in clang side and we are setting llvm::Attribute::NoSanitizeBounds so that clang's array-bounds can also see this.

I will also add another test for -fsanitize=array-bounds

ztong0001: BTW: Just to double check we are on the same page when no_sanitize(bounds) is provided…
melverUnsubmitted
Done
ReplyInline Actions

Well, no_sanitize("bounds") already worked for array-bounds before this patch. But adding more tests never hurt.

melver: Well, no_sanitize("bounds") already worked for array-bounds before this patch. But adding more…
ztong0001AuthorUnsubmitted
Done
ReplyInline Actions

Got it. Thanks!

ztong0001: Got it. Thanks!
// SanitizeCoverage is not handled by SanOpts. // SanitizeCoverage is not handled by SanOpts.
if (Attr->hasCoverage()) if (Attr->hasCoverage())
NoSanitizeCoverage = true; NoSanitizeCoverage = true;
} }
if (SanitizeBounds && !SanOpts.hasOneOf(SanitizerKind::Bounds))
Fn->addFnAttr(llvm::Attribute::NoSanitizeBounds);
if (NoSanitizeCoverage && CGM.getCodeGenOpts().hasSanitizeCoverage()) if (NoSanitizeCoverage && CGM.getCodeGenOpts().hasSanitizeCoverage())
Fn->addFnAttr(llvm::Attribute::NoSanitizeCoverage); Fn->addFnAttr(llvm::Attribute::NoSanitizeCoverage);
} }
if (ShouldSkipSanitizerInstrumentation()) { if (ShouldSkipSanitizerInstrumentation()) {
CurFn->addFnAttr(llvm::Attribute::DisableSanitizerInstrumentation); CurFn->addFnAttr(llvm::Attribute::DisableSanitizerInstrumentation);
} else { } else {
// Apply sanitizer attributes to the function. // Apply sanitizer attributes to the function.
▲ Show 20 LinesShow All 1,993 LinesShow Last 20 Lines

clang/test/CodeGen/bounds-checking.c

Show First 20 LinesShow All 43 Lines▼ Show 20 Lines
// CHECK-LABEL: define {{.*}} @f5 // CHECK-LABEL: define {{.*}} @f5
int f5(union U *u, int i) { int f5(union U *u, int i) {
// c is not a flexible array member. // c is not a flexible array member.
// NONLOCAL: call {{.*}} @llvm.ubsantrap // NONLOCAL: call {{.*}} @llvm.ubsantrap
return u->c[i]; return u->c[i];
// CHECK: } // CHECK: }
} }
__attribute__((no_sanitize("bounds")))
int f6(int i) {
int b[64];
// CHECK-NOT: call void @llvm.trap()
// CHECK-NOT: trap:
// CHECK-NOT: cont:
return b[i];
}

clang/test/CodeGen/sanitize-coverage.c

Show First 20 LinesShow All 47 Lines▼ Show 20 Lines
// CHECK-LABEL: define dso_local void @test_no_sanitize_combined( // CHECK-LABEL: define dso_local void @test_no_sanitize_combined(
__attribute__((no_sanitize("address", "memory", "thread", "bounds", "undefined", "coverage"))) __attribute__((no_sanitize("address", "memory", "thread", "bounds", "undefined", "coverage")))
void test_no_sanitize_combined(int n) { void test_no_sanitize_combined(int n) {
// CHECK-NOT: call void @__sanitizer_cov_trace_pc // CHECK-NOT: call void @__sanitizer_cov_trace_pc
// CHECK-NOT: call void @__sanitizer_cov_trace_const_cmp // CHECK-NOT: call void @__sanitizer_cov_trace_const_cmp
// ASAN-NOT: call void @__asan_report_store // ASAN-NOT: call void @__asan_report_store
// MSAN-NOT: call void @__msan_warning // MSAN-NOT: call void @__msan_warning
// BOUNDS-NOT: call void @__ubsan_handle_out_of_bounds // BOUNDS-NOT: call void @__ubsan_handle_out_of_bounds
// BOUNDS-NOT: call void @llvm.trap()
melverUnsubmitted
Not Done
ReplyInline Actions

This test by itself is not sufficient, it's technically only for fsanitize-coverage.

2 places with more tests would be good:

  1. extend clang/test/CodeGen/bounds-checking.c
  2. add a pure IR test in llvm/test/Instrumentation/BoundsChecking

With that, it'll also be very clear what was broken before, and what is being fixed now.

melver: This test by itself is not sufficient, it's technically only for fsanitize-coverage. 2 places…
// TSAN-NOT: call void @__tsan_func_entry // TSAN-NOT: call void @__tsan_func_entry
// UBSAN-NOT: call void @__ubsan_handle // UBSAN-NOT: call void @__ubsan_handle
if (n) if (n)
x[n] = 42; x[n] = 42;
} }
// CHECK-LABEL: define dso_local void @test_no_sanitize_separate( // CHECK-LABEL: define dso_local void @test_no_sanitize_separate(
__attribute__((no_sanitize("address"))) __attribute__((no_sanitize("address")))
__attribute__((no_sanitize("memory"))) __attribute__((no_sanitize("memory")))
__attribute__((no_sanitize("thread"))) __attribute__((no_sanitize("thread")))
__attribute__((no_sanitize("bounds"))) __attribute__((no_sanitize("bounds")))
__attribute__((no_sanitize("undefined"))) __attribute__((no_sanitize("undefined")))
__attribute__((no_sanitize("coverage"))) __attribute__((no_sanitize("coverage")))
void test_no_sanitize_separate(int n) { void test_no_sanitize_separate(int n) {
// CHECK-NOT: call void @__sanitizer_cov_trace_pc // CHECK-NOT: call void @__sanitizer_cov_trace_pc
// CHECK-NOT: call void @__sanitizer_cov_trace_const_cmp // CHECK-NOT: call void @__sanitizer_cov_trace_const_cmp
// ASAN-NOT: call void @__asan_report_store // ASAN-NOT: call void @__asan_report_store
// MSAN-NOT: call void @__msan_warning // MSAN-NOT: call void @__msan_warning
// BOUNDS-NOT: call void @__ubsan_handle_out_of_bounds // BOUNDS-NOT: call void @__ubsan_handle_out_of_bounds
// BOUNDS-NOT: call void @llvm.trap()
// TSAN-NOT: call void @__tsan_func_entry // TSAN-NOT: call void @__tsan_func_entry
// UBSAN-NOT: call void @__ubsan_handle // UBSAN-NOT: call void @__ubsan_handle
if (n) if (n)
x[n] = 42; x[n] = 42;
} }
// CHECK-LABEL: define dso_local void @test_no_sanitize_always_inline( // CHECK-LABEL: define dso_local void @test_no_sanitize_always_inline(
__attribute__((no_sanitize("coverage"))) __attribute__((no_sanitize("coverage")))
void test_no_sanitize_always_inline(int n) { void test_no_sanitize_always_inline(int n) {
// CHECK-NOT: call void @__sanitizer_cov_trace_pc // CHECK-NOT: call void @__sanitizer_cov_trace_pc
// CHECK-NOT: call void @__sanitizer_cov_trace_const_cmp // CHECK-NOT: call void @__sanitizer_cov_trace_const_cmp
always_inlined_fn(n); always_inlined_fn(n);
} }
// CHECK-LABEL: declare void // CHECK-LABEL: declare void

llvm/bindings/go/llvm/ir_test.go

Show First 20 LinesShow All 63 Lines▼ Show 20 Lines attrTests := []string{
"noduplicate", "noduplicate",
"noimplicitfloat", "noimplicitfloat",
"noinline", "noinline",
"nonlazybind", "nonlazybind",
"nonnull", "nonnull",
"noredzone", "noredzone",
"noreturn", "noreturn",
"nounwind", "nounwind",
"nosanitize_bounds",
"nosanitize_coverage", "nosanitize_coverage",
"optnone", "optnone",
"optsize", "optsize",
"readnone", "readnone",
"readonly", "readonly",
"returned", "returned",
"returns_twice", "returns_twice",
"signext", "signext",
▲ Show 20 LinesShow All 84 LinesShow Last 20 Lines

llvm/docs/BitCodeFormat.rst

Show First 20 LinesShow All 1,072 Lines▼ Show 20 Lines
* code 68: ``noundef`` * code 68: ``noundef``
* code 69: ``byref`` * code 69: ``byref``
* code 70: ``mustprogress`` * code 70: ``mustprogress``
* code 74: ``vscale_range(<Min>[, <Max>])`` * code 74: ``vscale_range(<Min>[, <Max>])``
* code 75: ``swiftasync`` * code 75: ``swiftasync``
* code 76: ``nosanitize_coverage`` * code 76: ``nosanitize_coverage``
* code 77: ``elementtype`` * code 77: ``elementtype``
* code 78: ``disable_sanitizer_instrumentation`` * code 78: ``disable_sanitizer_instrumentation``
* code 79: ``nosanitize_bounds``
.. note:: .. note::
The ``allocsize`` attribute has a special encoding for its arguments. Its two The ``allocsize`` attribute has a special encoding for its arguments. Its two
arguments, which are 32-bit integers, are packed into one 64-bit integer value arguments, which are 32-bit integers, are packed into one 64-bit integer value
(i.e. ``(EltSizeParam << 32) | NumEltsParam``), with ``NumEltsParam`` taking on (i.e. ``(EltSizeParam << 32) | NumEltsParam``), with ``NumEltsParam`` taking on
the sentinel value -1 if it is not specified. the sentinel value -1 if it is not specified.
.. note:: .. note::
▲ Show 20 LinesShow All 308 LinesShow Last 20 Lines

llvm/docs/LangRef.rst

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 1,777 Lines▼ Show 20 Lines``nosync``
the behavior is undefined. the behavior is undefined.
``nounwind`` ``nounwind``
This function attribute indicates that the function never raises an This function attribute indicates that the function never raises an
exception. If the function does raise an exception, its runtime exception. If the function does raise an exception, its runtime
behavior is undefined. However, functions marked nounwind may still behavior is undefined. However, functions marked nounwind may still
trap or generate asynchronous exceptions. Exception handling schemes trap or generate asynchronous exceptions. Exception handling schemes
that are recognized by LLVM to handle asynchronous exceptions, such that are recognized by LLVM to handle asynchronous exceptions, such
as SEH, will still provide their implementation defined semantics. as SEH, will still provide their implementation defined semantics.
``nosanitize_bounds``
This attribute indicates that bounds checking sanitizer instrumentation
is disabled for this function.
``nosanitize_coverage`` ``nosanitize_coverage``
This attribute indicates that SanitizerCoverage instrumentation is disabled This attribute indicates that SanitizerCoverage instrumentation is disabled
for this function. for this function.
``null_pointer_is_valid`` ``null_pointer_is_valid``
If ``null_pointer_is_valid`` is set, then the ``null`` address If ``null_pointer_is_valid`` is set, then the ``null`` address
in address-space 0 is considered to be a valid address for memory loads and in address-space 0 is considered to be a valid address for memory loads and
stores. Any analysis or optimization should not treat dereferencing a stores. Any analysis or optimization should not treat dereferencing a
pointer to ``null`` as undefined behavior in this function. pointer to ``null`` as undefined behavior in this function.
▲ Show 20 LinesShow All 22,329 LinesShow Last 20 Lines

llvm/include/llvm/AsmParser/LLToken.h

Show First 20 LinesShow All 213 Lines▼ Show 20 Linesenum Kind {
kw_nomerge, kw_nomerge,
kw_nonnull, kw_nonnull,
kw_noprofile, kw_noprofile,
kw_noredzone, kw_noredzone,
kw_noreturn, kw_noreturn,
kw_nosync, kw_nosync,
kw_nocf_check, kw_nocf_check,
kw_nounwind, kw_nounwind,
kw_nosanitize_bounds,
kw_nosanitize_coverage, kw_nosanitize_coverage,
kw_null_pointer_is_valid, kw_null_pointer_is_valid,
kw_optforfuzzing, kw_optforfuzzing,
kw_optnone, kw_optnone,
kw_optsize, kw_optsize,
kw_preallocated, kw_preallocated,
kw_readnone, kw_readnone,
kw_readonly, kw_readonly,
▲ Show 20 LinesShow All 276 LinesShow Last 20 Lines

llvm/include/llvm/Bitcode/LLVMBitCodes.h

Show First 20 LinesShow All 671 Lines▼ Show 20 Linesenum AttributeKindCodes {
ATTR_KIND_NO_CALLBACK = 71, ATTR_KIND_NO_CALLBACK = 71,
ATTR_KIND_HOT = 72, ATTR_KIND_HOT = 72,
ATTR_KIND_NO_PROFILE = 73, ATTR_KIND_NO_PROFILE = 73,
ATTR_KIND_VSCALE_RANGE = 74, ATTR_KIND_VSCALE_RANGE = 74,
ATTR_KIND_SWIFT_ASYNC = 75, ATTR_KIND_SWIFT_ASYNC = 75,
ATTR_KIND_NO_SANITIZE_COVERAGE = 76, ATTR_KIND_NO_SANITIZE_COVERAGE = 76,
ATTR_KIND_ELEMENTTYPE = 77, ATTR_KIND_ELEMENTTYPE = 77,
ATTR_KIND_DISABLE_SANITIZER_INSTRUMENTATION = 78, ATTR_KIND_DISABLE_SANITIZER_INSTRUMENTATION = 78,
ATTR_KIND_NO_SANITIZE_BOUNDS = 79,
}; };
enum ComdatSelectionKindCodes { enum ComdatSelectionKindCodes {
COMDAT_SELECTION_KIND_ANY = 1, COMDAT_SELECTION_KIND_ANY = 1,
COMDAT_SELECTION_KIND_EXACT_MATCH = 2, COMDAT_SELECTION_KIND_EXACT_MATCH = 2,
COMDAT_SELECTION_KIND_LARGEST = 3, COMDAT_SELECTION_KIND_LARGEST = 3,
COMDAT_SELECTION_KIND_NO_DUPLICATES = 4, COMDAT_SELECTION_KIND_NO_DUPLICATES = 4,
COMDAT_SELECTION_KIND_SAME_SIZE = 5, COMDAT_SELECTION_KIND_SAME_SIZE = 5,
Show All 14 Lines

llvm/include/llvm/IR/Attributes.td

Show First 20 LinesShow All 169 Lines▼ Show 20 Lines
def NoCfCheck : EnumAttr<"nocf_check", [FnAttr]>; def NoCfCheck : EnumAttr<"nocf_check", [FnAttr]>;
/// Function should not be instrumented. /// Function should not be instrumented.
def NoProfile : EnumAttr<"noprofile", [FnAttr]>; def NoProfile : EnumAttr<"noprofile", [FnAttr]>;
/// Function doesn't unwind stack. /// Function doesn't unwind stack.
def NoUnwind : EnumAttr<"nounwind", [FnAttr]>; def NoUnwind : EnumAttr<"nounwind", [FnAttr]>;
/// No SanitizeBounds instrumentation.
def NoSanitizeBounds : EnumAttr<"nosanitize_bounds", [FnAttr]>;
/// No SanitizeCoverage instrumentation. /// No SanitizeCoverage instrumentation.
def NoSanitizeCoverage : EnumAttr<"nosanitize_coverage", [FnAttr]>; def NoSanitizeCoverage : EnumAttr<"nosanitize_coverage", [FnAttr]>;
/// Null pointer in address space zero is valid. /// Null pointer in address space zero is valid.
def NullPointerIsValid : EnumAttr<"null_pointer_is_valid", [FnAttr]>; def NullPointerIsValid : EnumAttr<"null_pointer_is_valid", [FnAttr]>;
/// Select optimizations for best fuzzing signal. /// Select optimizations for best fuzzing signal.
def OptForFuzzing : EnumAttr<"optforfuzzing", [FnAttr]>; def OptForFuzzing : EnumAttr<"optforfuzzing", [FnAttr]>;
▲ Show 20 LinesShow All 167 LinesShow Last 20 Lines

llvm/lib/AsmParser/LLLexer.cpp

Show First 20 LinesShow All 666 Lines▼ Show 20 Lines#define KEYWORD(STR) \
KEYWORD(nonnull); KEYWORD(nonnull);
KEYWORD(noprofile); KEYWORD(noprofile);
KEYWORD(noredzone); KEYWORD(noredzone);
KEYWORD(noreturn); KEYWORD(noreturn);
KEYWORD(nosync); KEYWORD(nosync);
KEYWORD(nocf_check); KEYWORD(nocf_check);
KEYWORD(noundef); KEYWORD(noundef);
KEYWORD(nounwind); KEYWORD(nounwind);
KEYWORD(nosanitize_bounds);
KEYWORD(nosanitize_coverage); KEYWORD(nosanitize_coverage);
KEYWORD(null_pointer_is_valid); KEYWORD(null_pointer_is_valid);
KEYWORD(optforfuzzing); KEYWORD(optforfuzzing);
KEYWORD(optnone); KEYWORD(optnone);
KEYWORD(optsize); KEYWORD(optsize);
KEYWORD(preallocated); KEYWORD(preallocated);
KEYWORD(readnone); KEYWORD(readnone);
KEYWORD(readonly); KEYWORD(readonly);
▲ Show 20 LinesShow All 513 LinesShow Last 20 Lines

llvm/lib/Bitcode/Reader/BitcodeReader.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 1,487 Lines▼ Show 20 Linesstatic Attribute::AttrKind getAttrFromCode(uint64_t Code) {
case bitc::ATTR_KIND_NOSYNC: case bitc::ATTR_KIND_NOSYNC:
return Attribute::NoSync; return Attribute::NoSync;
case bitc::ATTR_KIND_NOCF_CHECK: case bitc::ATTR_KIND_NOCF_CHECK:
return Attribute::NoCfCheck; return Attribute::NoCfCheck;
case bitc::ATTR_KIND_NO_PROFILE: case bitc::ATTR_KIND_NO_PROFILE:
return Attribute::NoProfile; return Attribute::NoProfile;
case bitc::ATTR_KIND_NO_UNWIND: case bitc::ATTR_KIND_NO_UNWIND:
return Attribute::NoUnwind; return Attribute::NoUnwind;
case bitc::ATTR_KIND_NO_SANITIZE_BOUNDS:
return Attribute::NoSanitizeBounds;
case bitc::ATTR_KIND_NO_SANITIZE_COVERAGE: case bitc::ATTR_KIND_NO_SANITIZE_COVERAGE:
return Attribute::NoSanitizeCoverage; return Attribute::NoSanitizeCoverage;
case bitc::ATTR_KIND_NULL_POINTER_IS_VALID: case bitc::ATTR_KIND_NULL_POINTER_IS_VALID:
return Attribute::NullPointerIsValid; return Attribute::NullPointerIsValid;
case bitc::ATTR_KIND_OPT_FOR_FUZZING: case bitc::ATTR_KIND_OPT_FOR_FUZZING:
return Attribute::OptForFuzzing; return Attribute::OptForFuzzing;
case bitc::ATTR_KIND_OPTIMIZE_FOR_SIZE: case bitc::ATTR_KIND_OPTIMIZE_FOR_SIZE:
return Attribute::OptimizeForSize; return Attribute::OptimizeForSize;
▲ Show 20 LinesShow All 5,851 LinesShow Last 20 Lines

llvm/lib/Bitcode/Writer/BitcodeWriter.cpp

Show First 20 LinesShow All 682 Lines▼ Show 20 Linesstatic uint64_t getAttrKindEncoding(Attribute::AttrKind Kind) {
case Attribute::NoSync: case Attribute::NoSync:
return bitc::ATTR_KIND_NOSYNC; return bitc::ATTR_KIND_NOSYNC;
case Attribute::NoCfCheck: case Attribute::NoCfCheck:
return bitc::ATTR_KIND_NOCF_CHECK; return bitc::ATTR_KIND_NOCF_CHECK;
case Attribute::NoProfile: case Attribute::NoProfile:
return bitc::ATTR_KIND_NO_PROFILE; return bitc::ATTR_KIND_NO_PROFILE;
case Attribute::NoUnwind: case Attribute::NoUnwind:
return bitc::ATTR_KIND_NO_UNWIND; return bitc::ATTR_KIND_NO_UNWIND;
case Attribute::NoSanitizeBounds:
return bitc::ATTR_KIND_NO_SANITIZE_BOUNDS;
case Attribute::NoSanitizeCoverage: case Attribute::NoSanitizeCoverage:
return bitc::ATTR_KIND_NO_SANITIZE_COVERAGE; return bitc::ATTR_KIND_NO_SANITIZE_COVERAGE;
case Attribute::NullPointerIsValid: case Attribute::NullPointerIsValid:
return bitc::ATTR_KIND_NULL_POINTER_IS_VALID; return bitc::ATTR_KIND_NULL_POINTER_IS_VALID;
case Attribute::OptForFuzzing: case Attribute::OptForFuzzing:
return bitc::ATTR_KIND_OPT_FOR_FUZZING; return bitc::ATTR_KIND_OPT_FOR_FUZZING;
case Attribute::OptimizeForSize: case Attribute::OptimizeForSize:
return bitc::ATTR_KIND_OPTIMIZE_FOR_SIZE; return bitc::ATTR_KIND_OPTIMIZE_FOR_SIZE;
▲ Show 20 LinesShow All 4,277 LinesShow Last 20 Lines

llvm/lib/Transforms/Instrumentation/BoundsChecking.cpp

Show First 20 LinesShow All 136 Lines▼ Show 20 Linesstatic void insertBoundsCheck(Value *Or, BuilderTy &IRB, GetTrapBBT GetTrapBB) {
} }
// Create the conditional branch. // Create the conditional branch.
BranchInst::Create(GetTrapBB(IRB), Cont, Or, OldBB); BranchInst::Create(GetTrapBB(IRB), Cont, Or, OldBB);
} }
static bool addBoundsChecking(Function &F, TargetLibraryInfo &TLI, static bool addBoundsChecking(Function &F, TargetLibraryInfo &TLI,
ScalarEvolution &SE) { ScalarEvolution &SE) {
if (F.hasFnAttribute(Attribute::NoSanitizeBounds))
return false;
const DataLayout &DL = F.getParent()->getDataLayout(); const DataLayout &DL = F.getParent()->getDataLayout();
ObjectSizeOpts EvalOpts; ObjectSizeOpts EvalOpts;
EvalOpts.RoundToAlign = true; EvalOpts.RoundToAlign = true;
ObjectSizeOffsetEvaluator ObjSizeEval(DL, &TLI, F.getContext(), EvalOpts); ObjectSizeOffsetEvaluator ObjSizeEval(DL, &TLI, F.getContext(), EvalOpts);
// check HANDLE_MEMORY_INST in include/llvm/Instruction.def for memory // check HANDLE_MEMORY_INST in include/llvm/Instruction.def for memory
// touching instructions // touching instructions
SmallVector<std::pair<Instruction *, Value *>, 4> TrapInfo; SmallVector<std::pair<Instruction *, Value *>, 4> TrapInfo;
▲ Show 20 LinesShow All 102 LinesShow Last 20 Lines

llvm/lib/Transforms/Utils/CodeExtractor.cpp

Show First 20 LinesShow All 933 Lines▼ Show 20 Lines if (Attr.isStringAttribute()) {
case Attribute::NoCallback: case Attribute::NoCallback:
case Attribute::NoDuplicate: case Attribute::NoDuplicate:
case Attribute::NoFree: case Attribute::NoFree:
case Attribute::NoImplicitFloat: case Attribute::NoImplicitFloat:
case Attribute::NoInline: case Attribute::NoInline:
case Attribute::NonLazyBind: case Attribute::NonLazyBind:
case Attribute::NoRedZone: case Attribute::NoRedZone:
case Attribute::NoUnwind: case Attribute::NoUnwind:
case Attribute::NoSanitizeBounds:
case Attribute::NoSanitizeCoverage: case Attribute::NoSanitizeCoverage:
case Attribute::NullPointerIsValid: case Attribute::NullPointerIsValid:
case Attribute::OptForFuzzing: case Attribute::OptForFuzzing:
case Attribute::OptimizeNone: case Attribute::OptimizeNone:
case Attribute::OptimizeForSize: case Attribute::OptimizeForSize:
case Attribute::SafeStack: case Attribute::SafeStack:
case Attribute::ShadowCallStack: case Attribute::ShadowCallStack:
case Attribute::SanitizeAddress: case Attribute::SanitizeAddress:
▲ Show 20 LinesShow All 930 LinesShow Last 20 Lines

llvm/test/Bitcode/attributes.ll

Show First 20 LinesShow All 520 Lines▼ Show 20 Linesdefine void @f84() uwtable(sync) {
ret void; ret void;
} }
; CHECK: define void @f85() #15 ; CHECK: define void @f85() #15
define void @f85() uwtable(async) { define void @f85() uwtable(async) {
ret void; ret void;
} }
; CHECK: define void @f86() #52
define void @f86() nosanitize_bounds
{
ret void;
}
; CHECK: attributes #0 = { noreturn } ; CHECK: attributes #0 = { noreturn }
; CHECK: attributes #1 = { nounwind } ; CHECK: attributes #1 = { nounwind }
; CHECK: attributes #2 = { readnone } ; CHECK: attributes #2 = { readnone }
; CHECK: attributes #3 = { readonly } ; CHECK: attributes #3 = { readonly }
; CHECK: attributes #4 = { noinline } ; CHECK: attributes #4 = { noinline }
; CHECK: attributes #5 = { alwaysinline } ; CHECK: attributes #5 = { alwaysinline }
; CHECK: attributes #6 = { optsize } ; CHECK: attributes #6 = { optsize }
; CHECK: attributes #7 = { ssp } ; CHECK: attributes #7 = { ssp }
Show All 36 Lines
; CHECK: attributes #44 = { hot } ; CHECK: attributes #44 = { hot }
; CHECK: attributes #45 = { vscale_range(8,8) } ; CHECK: attributes #45 = { vscale_range(8,8) }
; CHECK: attributes #46 = { vscale_range(1,8) } ; CHECK: attributes #46 = { vscale_range(1,8) }
; CHECK: attributes #47 = { vscale_range(1,0) } ; CHECK: attributes #47 = { vscale_range(1,0) }
; CHECK: attributes #48 = { nosanitize_coverage } ; CHECK: attributes #48 = { nosanitize_coverage }
; CHECK: attributes #49 = { noprofile } ; CHECK: attributes #49 = { noprofile }
; CHECK: attributes #50 = { disable_sanitizer_instrumentation } ; CHECK: attributes #50 = { disable_sanitizer_instrumentation }
; CHECK: attributes #51 = { uwtable(sync) } ; CHECK: attributes #51 = { uwtable(sync) }
; CHECK: attributes #52 = { nosanitize_bounds }
; CHECK: attributes #[[NOBUILTIN]] = { nobuiltin } ; CHECK: attributes #[[NOBUILTIN]] = { nobuiltin }

llvm/test/Bitcode/compatibility.ll

Show First 20 LinesShow All 1,504 Lines▼ Show 20 Linesexit:
; CHECK: phi i32 [ %v1, %L1 ], [ %v2, %L2 ], [ %op1, %entry ] ; CHECK: phi i32 [ %v1, %L1 ], [ %v2, %L2 ], [ %op1, %entry ]
select i1 true, i32 0, i32 1 select i1 true, i32 0, i32 1
; CHECK: select i1 true, i32 0, i32 1 ; CHECK: select i1 true, i32 0, i32 1
select <2 x i1> <i1 true, i1 false>, <2 x i8> <i8 2, i8 3>, <2 x i8> <i8 3, i8 2> select <2 x i1> <i1 true, i1 false>, <2 x i8> <i8 2, i8 3>, <2 x i8> <i8 3, i8 2>
; CHECK: select <2 x i1> <i1 true, i1 false>, <2 x i8> <i8 2, i8 3>, <2 x i8> <i8 3, i8 2> ; CHECK: select <2 x i1> <i1 true, i1 false>, <2 x i8> <i8 2, i8 3>, <2 x i8> <i8 3, i8 2>
call void @f.nobuiltin() builtin call void @f.nobuiltin() builtin
; CHECK: call void @f.nobuiltin() #48 ; CHECK: call void @f.nobuiltin() #49
call fastcc noalias i32* @f.noalias() noinline call fastcc noalias i32* @f.noalias() noinline
; CHECK: call fastcc noalias i32* @f.noalias() #12 ; CHECK: call fastcc noalias i32* @f.noalias() #12
tail call ghccc nonnull i32* @f.nonnull() minsize tail call ghccc nonnull i32* @f.nonnull() minsize
; CHECK: tail call ghccc nonnull i32* @f.nonnull() #7 ; CHECK: tail call ghccc nonnull i32* @f.nonnull() #7
freeze i32 %op1 freeze i32 %op1
; CHECK: freeze i32 %op1 ; CHECK: freeze i32 %op1
▲ Show 20 LinesShow All 403 Lines▼ Show 20 Lines
declare void @f.allocsize_one(i32) allocsize(0) declare void @f.allocsize_one(i32) allocsize(0)
declare void @f.allocsize_two(i32, i32) allocsize(1, 0) declare void @f.allocsize_two(i32, i32) allocsize(1, 0)
; CHECK: Function Attrs: allocsize(0) ; CHECK: Function Attrs: allocsize(0)
; CHECK: declare void @f.allocsize_one(i32) ; CHECK: declare void @f.allocsize_one(i32)
; CHECK: Function Attrs: allocsize(1,0) ; CHECK: Function Attrs: allocsize(1,0)
; CHECK: declare void @f.allocsize_two(i32, i32) ; CHECK: declare void @f.allocsize_two(i32, i32)
declare void @f.nosanitize_bounds() nosanitize_bounds
; CHECK: declare void @f.nosanitize_bounds() #48
; CHECK: attributes #0 = { alignstack=4 } ; CHECK: attributes #0 = { alignstack=4 }
; CHECK: attributes #1 = { alignstack=8 } ; CHECK: attributes #1 = { alignstack=8 }
; CHECK: attributes #2 = { alwaysinline } ; CHECK: attributes #2 = { alwaysinline }
; CHECK: attributes #3 = { cold } ; CHECK: attributes #3 = { cold }
; CHECK: attributes #4 = { convergent } ; CHECK: attributes #4 = { convergent }
; CHECK: attributes #5 = { inlinehint } ; CHECK: attributes #5 = { inlinehint }
; CHECK: attributes #6 = { jumptable } ; CHECK: attributes #6 = { jumptable }
; CHECK: attributes #7 = { minsize } ; CHECK: attributes #7 = { minsize }
Show All 32 Lines
; CHECK: attributes #40 = { inaccessiblemem_or_argmemonly nofree nosync nounwind willreturn } ; CHECK: attributes #40 = { inaccessiblemem_or_argmemonly nofree nosync nounwind willreturn }
; CHECK: attributes #41 = { writeonly } ; CHECK: attributes #41 = { writeonly }
; CHECK: attributes #42 = { speculatable } ; CHECK: attributes #42 = { speculatable }
; CHECK: attributes #43 = { strictfp } ; CHECK: attributes #43 = { strictfp }
; CHECK: attributes #44 = { nosanitize_coverage } ; CHECK: attributes #44 = { nosanitize_coverage }
; CHECK: attributes #45 = { disable_sanitizer_instrumentation } ; CHECK: attributes #45 = { disable_sanitizer_instrumentation }
; CHECK: attributes #46 = { allocsize(0) } ; CHECK: attributes #46 = { allocsize(0) }
; CHECK: attributes #47 = { allocsize(1,0) } ; CHECK: attributes #47 = { allocsize(1,0) }
; CHECK: attributes #48 = { builtin } ; CHECK: attributes #48 = { nosanitize_bounds }
; CHECK: attributes #49 = { builtin }
;; Metadata ;; Metadata
; Metadata -- Module flags ; Metadata -- Module flags
!llvm.module.flags = !{!0, !1, !2, !4, !5, !6} !llvm.module.flags = !{!0, !1, !2, !4, !5, !6}
; CHECK: !llvm.module.flags = !{!0, !1, !2, !4, !5, !6} ; CHECK: !llvm.module.flags = !{!0, !1, !2, !4, !5, !6}
!0 = !{i32 1, !"mod1", i32 0} !0 = !{i32 1, !"mod1", i32 0}
Show All 23 Lines

llvm/test/Instrumentation/BoundsChecking/nosanitize-bounds.ll

  • This file was added.
; RUN: opt < %s -passes=bounds-checking -S | FileCheck %s
target datalayout = "e-p:64:64:64-p1:16:16:16-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
; CHECK: @foo
define i32 @foo(i32 %i) nosanitize_bounds {
entry:
%i.addr = alloca i32, align 4
%b = alloca [64 x i32], align 16
store i32 %i, i32* %i.addr, align 4
%0 = load i32, i32* %i.addr, align 4
%idxprom = sext i32 %0 to i64
%arrayidx = getelementptr inbounds [64 x i32], [64 x i32]* %b, i64 0, i64 %idxprom
%1 = load i32, i32* %arrayidx, align 4
ret i32 %1
; CHECK-NOT: call void @llvm.trap()
}

llvm/utils/emacs/llvm-mode.el

Show All 19 Lines
(defvar llvm-font-lock-keywords (defvar llvm-font-lock-keywords
(list (list
;; Attributes ;; Attributes
`(,(regexp-opt `(,(regexp-opt
'("alwaysinline" "argmemonly" "allocsize" "builtin" "cold" "convergent" "dereferenceable" "dereferenceable_or_null" "hot" "inaccessiblememonly" '("alwaysinline" "argmemonly" "allocsize" "builtin" "cold" "convergent" "dereferenceable" "dereferenceable_or_null" "hot" "inaccessiblememonly"
"inaccessiblemem_or_argmemonly" "inalloca" "inlinehint" "jumptable" "minsize" "mustprogress" "naked" "nobuiltin" "nonnull" "inaccessiblemem_or_argmemonly" "inalloca" "inlinehint" "jumptable" "minsize" "mustprogress" "naked" "nobuiltin" "nonnull"
"nocallback" "nocf_check" "noduplicate" "nofree" "noimplicitfloat" "noinline" "nomerge" "nonlazybind" "noprofile" "noredzone" "noreturn" "nocallback" "nocf_check" "noduplicate" "nofree" "noimplicitfloat" "noinline" "nomerge" "nonlazybind" "noprofile" "noredzone" "noreturn"
"norecurse" "nosync" "noundef" "nounwind" "nosanitize_coverage" "null_pointer_is_valid" "optforfuzzing" "optnone" "optsize" "preallocated" "readnone" "readonly" "returned" "returns_twice" "norecurse" "nosync" "noundef" "nounwind" "nosanitize_bounds" "nosanitize_coverage" "null_pointer_is_valid" "optforfuzzing" "optnone" "optsize" "preallocated" "readnone" "readonly" "returned" "returns_twice"
"shadowcallstack" "speculatable" "speculative_load_hardening" "ssp" "sspreq" "sspstrong" "safestack" "sanitize_address" "sanitize_hwaddress" "sanitize_memtag" "shadowcallstack" "speculatable" "speculative_load_hardening" "ssp" "sspreq" "sspstrong" "safestack" "sanitize_address" "sanitize_hwaddress" "sanitize_memtag"
"sanitize_thread" "sanitize_memory" "strictfp" "swifterror" "uwtable" "vscale_range" "willreturn" "writeonly" "immarg") 'symbols) . font-lock-constant-face) "sanitize_thread" "sanitize_memory" "strictfp" "swifterror" "uwtable" "vscale_range" "willreturn" "writeonly" "immarg") 'symbols) . font-lock-constant-face)
;; Variables ;; Variables
'("%[-a-zA-Z$._][-a-zA-Z$._0-9]*" . font-lock-variable-name-face) '("%[-a-zA-Z$._][-a-zA-Z$._0-9]*" . font-lock-variable-name-face)
;; Labels ;; Labels
'("[-a-zA-Z$._0-9]+:" . font-lock-variable-name-face) '("[-a-zA-Z$._0-9]+:" . font-lock-variable-name-face)
;; Unnamed variable slots ;; Unnamed variable slots
'("%[-]?[0-9]+" . font-lock-variable-name-face) '("%[-]?[0-9]+" . font-lock-variable-name-face)
▲ Show 20 LinesShow All 76 LinesShow Last 20 Lines

llvm/utils/llvm.grm

Show First 20 LinesShow All 170 Lines▼ Show 20 Lines
| ssp | ssp
| sspreq | sspreq
| returns_twice | returns_twice
| nonlazybind | nonlazybind
| sanitize_address | sanitize_address
| sanitize_thread | sanitize_thread
| sanitize_memory | sanitize_memory
| mustprogress | mustprogress
| nosanitize_bounds
| nosanitize_coverage | nosanitize_coverage
; ;
OptFuncAttrs ::= + _ | OptFuncAttrs FuncAttr ; OptFuncAttrs ::= + _ | OptFuncAttrs FuncAttr ;
OptGC ::= + _ | gc STRINGCONSTANT ; OptGC ::= + _ | gc STRINGCONSTANT ;
OptAlign ::= + _ | align EUINT64VAL ; OptAlign ::= + _ | align EUINT64VAL ;
▲ Show 20 LinesShow All 237 LinesShow Last 20 Lines

llvm/utils/vim/syntax/llvm.vim

Show First 20 LinesShow All 133 Lines▼ Show 20 Linessyn keyword llvmKeyword
\ nonnull \ nonnull
\ noprofile \ noprofile
\ norecurse \ norecurse
\ noredzone \ noredzone
\ noreturn \ noreturn
\ nosync \ nosync
\ noundef \ noundef
\ nounwind \ nounwind
\ nosanitize_bounds
\ nosanitize_coverage \ nosanitize_coverage
\ null_pointer_is_valid \ null_pointer_is_valid
\ optforfuzzing \ optforfuzzing
\ optnone \ optnone
\ optsize \ optsize
\ personality \ personality
\ preallocated \ preallocated
\ private \ private
▲ Show 20 LinesShow All 121 LinesShow Last 20 Lines

llvm/utils/vscode/llvm/syntaxes/ll.tmLanguage.yaml

Show First 20 LinesShow All 232 Lines▼ Show 20 Lines - match: "\\bacq_rel\\b|\
\\bnonnull\\b|\ \\bnonnull\\b|\
\\bnoprofile\\b|\ \\bnoprofile\\b|\
\\bnorecurse\\b|\ \\bnorecurse\\b|\
\\bnoredzone\\b|\ \\bnoredzone\\b|\
\\bnoreturn\\b|\ \\bnoreturn\\b|\
\\bnosync\\b|\ \\bnosync\\b|\
\\bnoundef\\b|\ \\bnoundef\\b|\
\\bnounwind\\b|\ \\bnounwind\\b|\
\\bnosanitize_bounds\\b|\
\\bnosanitize_coverage\\b|\ \\bnosanitize_coverage\\b|\
\\bnull_pointer_is_valid\\b|\ \\bnull_pointer_is_valid\\b|\
\\boptforfuzzing\\b|\ \\boptforfuzzing\\b|\
\\boptnone\\b|\ \\boptnone\\b|\
\\boptsize\\b|\ \\boptsize\\b|\
\\bpersonality\\b|\ \\bpersonality\\b|\
\\bpreallocated\\b|\ \\bpreallocated\\b|\
\\bprivate\\b|\ \\bprivate\\b|\
▲ Show 20 LinesShow All 117 LinesShow Last 20 Lines