This is an archive of the discontinued LLVM Phabricator instance.

Differential D129991

[sanitizer] Don't always instrument on every lifetime.start
AbandonedPublic

Authored by StephenFan on Jul 18 2022, 2:40 AM.

Details

Reviewers
vitalybuka
Summary

In D129448, the solution to deal with bypassed variables makes multiple
lifetime start intrinsics for the same alloca object appears in multiple
different basic block. But MemorySanitizer assumes that the variable is
always uninitialized at the place of lifetime.start intrinsic and
instruments poisoning code for it. After D129448, this assumption is broken.

This patch fix the broken assumption by analysis the dominance relation
of lifetime start/end intrinsics.

Diff Detail

Event Timeline

StephenFan created this revision.Jul 18 2022, 2:40 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 18 2022, 2:40 AM
Herald added subscribers: Enna1, hiraditya. · View Herald Transcript
StephenFan requested review of this revision.Jul 18 2022, 2:40 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 18 2022, 2:40 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B175985: Diff 445434.Jul 18 2022, 2:48 AM
StephenFan added a parent revision: D129448: [CodeGen][Asan] Emit lifetime intrinsic for bypassed label.Jul 18 2022, 7:24 AM
StephenFan mentioned this in D129448: [CodeGen][Asan] Emit lifetime intrinsic for bypassed label.Jul 20 2022, 10:35 PM
vitalybuka requested changes to this revision.Dec 7 2022, 1:50 PM

I assume we are going to abandon this?

This revision now requires changes to proceed.Dec 7 2022, 1:50 PM
StephenFan abandoned this revision.Dec 8 2022, 3:16 AM

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
54 lines
test/
Instrumentation/
MemorySanitizer/
8 lines

Diff 445434

llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp

Show First 20 LinesShow All 188 Lines▼ Show 20 Lines
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h" #include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/Local.h" #include "llvm/Transforms/Utils/Local.h"
#include "llvm/Transforms/Utils/ModuleUtils.h" #include "llvm/Transforms/Utils/ModuleUtils.h"
#include <algorithm> #include <algorithm>
#include <cassert> #include <cassert>
#include <cstddef> #include <cstddef>
#include <cstdint> #include <cstdint>
#include <map>
#include <memory> #include <memory>
#include <string> #include <string>
#include <tuple> #include <tuple>
using namespace llvm; using namespace llvm;
#define DEBUG_TYPE "msan" #define DEBUG_TYPE "msan"
▲ Show 20 LinesShow All 817 Lines▼ Show 20 Lines
struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> { struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
Function &F; Function &F;
MemorySanitizer &MS; MemorySanitizer &MS;
SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes; SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes;
ValueMap<Value*, Value*> ShadowMap, OriginMap; ValueMap<Value*, Value*> ShadowMap, OriginMap;
std::unique_ptr<VarArgHelper> VAHelper; std::unique_ptr<VarArgHelper> VAHelper;
const TargetLibraryInfo *TLI; const TargetLibraryInfo *TLI;
Instruction *FnPrologueEnd; Instruction *FnPrologueEnd;
std::unique_ptr<DominatorTree> DT;
// The following flags disable parts of MSan instrumentation based on // The following flags disable parts of MSan instrumentation based on
// exclusion list contents and command-line options. // exclusion list contents and command-line options.
bool InsertChecks; bool InsertChecks;
bool PropagateShadow; bool PropagateShadow;
bool PoisonStack; bool PoisonStack;
bool PoisonUndef; bool PoisonUndef;
struct ShadowOriginAndInsertPoint { struct ShadowOriginAndInsertPoint {
Value *Shadow; Value *Shadow;
Value *Origin; Value *Origin;
Instruction *OrigIns; Instruction *OrigIns;
ShadowOriginAndInsertPoint(Value *S, Value *O, Instruction *I) ShadowOriginAndInsertPoint(Value *S, Value *O, Instruction *I)
: Shadow(S), Origin(O), OrigIns(I) {} : Shadow(S), Origin(O), OrigIns(I) {}
}; };
SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList; SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList;
bool InstrumentLifetimeStart = ClHandleLifetimeIntrinsics; bool InstrumentLifetimeStart = ClHandleLifetimeIntrinsics;
SmallSet<AllocaInst *, 16> AllocaSet; SmallSet<AllocaInst *, 16> AllocaSet;
SmallVector<std::pair<IntrinsicInst *, AllocaInst *>, 16> LifetimeStartList; std::map<AllocaInst *, SmallVector<IntrinsicInst *, 1>> LifetimeStarts;
std::map<AllocaInst *, SmallVector<IntrinsicInst *, 1>> LifetimeEnds;
SmallVector<StoreInst *, 16> StoreList; SmallVector<StoreInst *, 16> StoreList;
MemorySanitizerVisitor(Function &F, MemorySanitizer &MS, MemorySanitizerVisitor(Function &F, MemorySanitizer &MS,
const TargetLibraryInfo &TLI) const TargetLibraryInfo &TLI)
: F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)), TLI(&TLI) { : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)), TLI(&TLI),
DT(std::make_unique<DominatorTree>(F)) {
bool SanitizeFunction = bool SanitizeFunction =
F.hasFnAttribute(Attribute::SanitizeMemory) && !ClDisableChecks; F.hasFnAttribute(Attribute::SanitizeMemory) && !ClDisableChecks;
InsertChecks = SanitizeFunction; InsertChecks = SanitizeFunction;
PropagateShadow = SanitizeFunction; PropagateShadow = SanitizeFunction;
PoisonStack = SanitizeFunction && ClPoisonStack; PoisonStack = SanitizeFunction && ClPoisonStack;
PoisonUndef = SanitizeFunction && ClPoisonUndef; PoisonUndef = SanitizeFunction && ClPoisonUndef;
// In the presence of unreachable blocks, we may see Phi nodes with // In the presence of unreachable blocks, we may see Phi nodes with
▲ Show 20 LinesShow All 228 Lines▼ Show 20 Lines for (PHINode *PN : ShadowPHINodes) {
} }
} }
VAHelper->finalizeInstrumentation(); VAHelper->finalizeInstrumentation();
// Poison llvm.lifetime.start intrinsics, if we haven't fallen back to // Poison llvm.lifetime.start intrinsics, if we haven't fallen back to
// instrumenting only allocas. // instrumenting only allocas.
if (InstrumentLifetimeStart) { if (InstrumentLifetimeStart) {
for (auto Item : LifetimeStartList) { for (auto Item : LifetimeStarts) {
instrumentAlloca(*Item.second, Item.first); for (auto LifetimeStart : Item.second) {
AllocaSet.erase(Item.second); instrumentAlloca(*Item.first, LifetimeStart);
AllocaSet.erase(Item.first);
}
} }
} }
// Poison the allocas for which we didn't instrument the corresponding // Poison the allocas for which we didn't instrument the corresponding
// lifetime intrinsics. // lifetime intrinsics.
for (AllocaInst *AI : AllocaSet) for (AllocaInst *AI : AllocaSet)
instrumentAlloca(*AI); instrumentAlloca(*AI);
bool InstrumentWithCalls = ClInstrumentationWithCallThreshold >= 0 && bool InstrumentWithCalls = ClInstrumentationWithCallThreshold >= 0 &&
▲ Show 20 LinesShow All 1,386 Lines▼ Show 20 Lines#endif
} }
void handleLifetimeStart(IntrinsicInst &I) { void handleLifetimeStart(IntrinsicInst &I) {
if (!PoisonStack) if (!PoisonStack)
return; return;
AllocaInst *AI = llvm::findAllocaForValue(I.getArgOperand(1)); AllocaInst *AI = llvm::findAllocaForValue(I.getArgOperand(1));
if (!AI) if (!AI)
InstrumentLifetimeStart = false; InstrumentLifetimeStart = false;
LifetimeStartList.push_back(std::make_pair(&I, AI));
auto hasLifetimeEndInBetween = [this, AI](const IntrinsicInst *Former,
const IntrinsicInst *Latter) {
assert(DT->dominates(Former, Latter) && "Former doesn't dominate Latter");
for (auto *LifetimeEnd : LifetimeEnds[AI]) {
if (DT->dominates(Former, LifetimeEnd) &&
DT->dominates(LifetimeEnd, Latter))
return true;
}
return false;
};
for (auto &LifetimeStart : LifetimeStarts[AI]) {
// If there is no lifetime.end intrinsic between two lifetime.start
// intrinsics, the lifetime.start intrinsic that dominated by the other
// does not need to do instrumentation.
if (DT->dominates(&I, LifetimeStart) &&
!hasLifetimeEndInBetween(&I, LifetimeStart))
LifetimeStart = &I;
else if (DT->dominates(LifetimeStart, &I) &&
!hasLifetimeEndInBetween(LifetimeStart, &I))
return;
}
LifetimeStarts[AI].push_back(&I);
}
void handleLifetimeEnd(IntrinsicInst &I) {
if (!PoisonStack)
return;
AllocaInst *AI = llvm::findAllocaForValue(I.getArgOperand(1));
if (!AI)
InstrumentLifetimeStart = false;
LifetimeEnds[AI].push_back(&I);
} }
void handleBswap(IntrinsicInst &I) { void handleBswap(IntrinsicInst &I) {
IRBuilder<> IRB(&I); IRBuilder<> IRB(&I);
Value *Op = I.getArgOperand(0); Value *Op = I.getArgOperand(0);
Type *OpType = Op->getType(); Type *OpType = Op->getType();
Function *BswapFunc = Intrinsic::getDeclaration( Function *BswapFunc = Intrinsic::getDeclaration(
F.getParent(), Intrinsic::bswap, makeArrayRef(&OpType, 1)); F.getParent(), Intrinsic::bswap, makeArrayRef(&OpType, 1));
▲ Show 20 LinesShow All 539 Lines▼ Show 20 Lines
void visitIntrinsicInst(IntrinsicInst &I) { void visitIntrinsicInst(IntrinsicInst &I) {
switch (I.getIntrinsicID()) { switch (I.getIntrinsicID()) {
case Intrinsic::abs: case Intrinsic::abs:
handleAbsIntrinsic(I); handleAbsIntrinsic(I);
break; break;
case Intrinsic::lifetime_start: case Intrinsic::lifetime_start:
handleLifetimeStart(I); handleLifetimeStart(I);
break; break;
case Intrinsic::lifetime_end:
handleLifetimeEnd(I);
break;
case Intrinsic::launder_invariant_group: case Intrinsic::launder_invariant_group:
case Intrinsic::strip_invariant_group: case Intrinsic::strip_invariant_group:
handleInvariantGroup(I); handleInvariantGroup(I);
break; break;
case Intrinsic::bswap: case Intrinsic::bswap:
handleBswap(I); handleBswap(I);
break; break;
case Intrinsic::masked_store: case Intrinsic::masked_store:
▲ Show 20 LinesShow All 2,087 LinesShow Last 20 Lines

llvm/test/Instrumentation/MemorySanitizer/alloca.ll

Show First 20 LinesShow All 234 Lines▼ Show 20 Lines
; CHECK: %x = alloca i8 ; CHECK: %x = alloca i8
; INLINE: call void @llvm.memset.p0i8.i64(i8* align 1 {{.*}}, i8 -1, i64 1, i1 false) ; INLINE: call void @llvm.memset.p0i8.i64(i8* align 1 {{.*}}, i8 -1, i64 1, i1 false)
; CALL: call void @__msan_poison_stack(i8* {{.*}}, i64 1) ; CALL: call void @__msan_poison_stack(i8* {{.*}}, i64 1)
; ORIGIN: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 1, ; ORIGIN: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 1,
; KMSAN: call void @__msan_poison_alloca(i8* {{.*}}, i64 1, ; KMSAN: call void @__msan_poison_alloca(i8* {{.*}}, i64 1,
; FIXME: It is invalid to instrument here Since variable x may be initialized by callee bar. ; FIXME: It is invalid to instrument here Since variable x may be initialized by callee bar.
; CHECK-LABEL: l1: ; CHECK-LABEL: l1:
; INLINE: call void @llvm.memset.p0i8.i64(i8* align 1 {{.*}}, i8 -1, i64 1, i1 false) ; INLINE-NOT: call void @llvm.memset.p0i8.i64(i8* align 1 {{.*}}, i8 -1, i64 1, i1 false)
; CALL: call void @__msan_poison_stack(i8* {{.*}}, i64 1) ; CALL-NOT: call void @__msan_poison_stack(i8* {{.*}}, i64 1)
; ORIGIN: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 1, ; ORIGIN-NOT: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 1,
; KMSAN: call void @__msan_poison_alloca(i8* {{.*}}, i64 1, ; KMSAN-NOT: call void @__msan_poison_alloca(i8* {{.*}}, i64 1,
declare void @bar(i8* noundef, i32 noundef) declare void @bar(i8* noundef, i32 noundef)
declare void @llvm.lifetime.start.p0i8(i64 immarg, i8* nocapture) declare void @llvm.lifetime.start.p0i8(i64 immarg, i8* nocapture)
declare void @llvm.lifetime.end.p0i8(i64 immarg, i8* nocapture) declare void @llvm.lifetime.end.p0i8(i64 immarg, i8* nocapture)