This is an archive of the discontinued LLVM Phabricator instance.

Differential D131001

[BoundsChecking] Fix merging of sizes
ClosedPublic

Authored by aeubanks on Aug 2 2022, 10:55 AM.

Details

Reviewers
vitalybuka
asbirlea
Commits
rG203296d642c3: [BoundsChecking] Fix merging of sizes
Summary

BoundsChecking uses ObjectSizeOffsetEvaluator to keep track of the
underlying size/offset of pointers in allocations. However,
ObjectSizeOffsetVisitor (something ObjectSizeOffsetEvaluator
uses to check for constant sizes/offsets)
doesn't quite treat sizes and offsets the same way as
BoundsChecking. BoundsChecking wants to know the size of the
underlying allocation and the current pointer's offset within
it, but ObjectSizeOffsetVisitor only cares about the size
from the pointer to the end of the underlying allocation.

This only comes up when merging two size/offset pairs. Add a new mode to
ObjectSizeOffsetVisitor which cares about the underlying size/offset
rather than the size from the current pointer to the end of the
allocation.

Fixes a false positive with -fsanitize=bounds.

Diff Detail

Event Timeline

aeubanks created this revision.Aug 2 2022, 10:55 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 2 2022, 10:55 AM
Herald added subscribers: Enna1, hiraditya. · View Herald Transcript
aeubanks requested review of this revision.Aug 2 2022, 10:55 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 2 2022, 10:55 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
aeubanks added reviewers: vitalybuka, asbirlea.Aug 2 2022, 10:57 AM
Harbormaster completed remote builds in B178798: Diff 449347.Aug 2 2022, 12:10 PM
asbirlea accepted this revision.Aug 3 2022, 3:54 PM
This revision is now accepted and ready to land.Aug 3 2022, 3:54 PM
vitalybuka accepted this revision.Aug 3 2022, 4:59 PM
vitalybuka added inline comments.
llvm/lib/Analysis/MemoryBuiltins.cpp
1006
1006

or even

aeubanks added inline comments.Aug 3 2022, 5:21 PM
llvm/lib/Analysis/MemoryBuiltins.cpp
1006

derp, I even had that at some point

This revision was landed with ongoing or failed builds.Aug 3 2022, 5:21 PM
Closed by commit rG203296d642c3: [BoundsChecking] Fix merging of sizes (authored by aeubanks). · Explain Why
This revision was automatically updated to reflect the committed changes.
aeubanks added a commit: rG203296d642c3: [BoundsChecking] Fix merging of sizes.
aeubanks mentioned this in rG0944eea8232c: [NFC][ObjectSizeOffsetVisitor] Remove redundant equality check.Sep 22 2023, 1:16 PM

Revision Contents

PathSize
llvm/
include/
llvm/
Analysis/
12 lines
lib/
Analysis/
6 lines
Transforms/
Instrumentation/
1 line
test/
Instrumentation/
BoundsChecking/
19 lines

Diff 449840

llvm/include/llvm/Analysis/MemoryBuiltins.h

Show First 20 LinesShow All 128 Lines▼ Show 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Utility functions to compute size of objects. // Utility functions to compute size of objects.
// //
/// Various options to control the behavior of getObjectSize. /// Various options to control the behavior of getObjectSize.
struct ObjectSizeOpts { struct ObjectSizeOpts {
/// Controls how we handle conditional statements with unknown conditions. /// Controls how we handle conditional statements with unknown conditions.
enum class Mode : uint8_t { enum class Mode : uint8_t {
/// Fail to evaluate an unknown condition. /// All branches must be known and have the same size, starting from the
Exact, /// offset, to be merged.
ExactSizeFromOffset,
/// All branches must be known and have the same underlying size and offset
/// to be merged.
ExactUnderlyingSizeAndOffset,
/// Evaluate all branches of an unknown condition. If all evaluations /// Evaluate all branches of an unknown condition. If all evaluations
/// succeed, pick the minimum size. /// succeed, pick the minimum size.
Min, Min,
/// Same as Min, except we pick the maximum size of all of the branches. /// Same as Min, except we pick the maximum size of all of the branches.
Max Max,
}; };
/// How we want to evaluate this object's size. /// How we want to evaluate this object's size.
Mode EvalMode = Mode::Exact; Mode EvalMode = Mode::ExactSizeFromOffset;
/// Whether to round the result up to the alignment of allocas, byval /// Whether to round the result up to the alignment of allocas, byval
/// arguments, and global variables. /// arguments, and global variables.
bool RoundToAlign = false; bool RoundToAlign = false;
/// If this is true, null pointers in address space 0 will be treated as /// If this is true, null pointers in address space 0 will be treated as
/// though they can't be evaluated. Otherwise, null is always considered to /// though they can't be evaluated. Otherwise, null is always considered to
/// point to a 0 byte region of memory. /// point to a 0 byte region of memory.
bool NullIsUnknownSize = false; bool NullIsUnknownSize = false;
/// If set, used for more accurate evaluation /// If set, used for more accurate evaluation
▲ Show 20 LinesShow All 154 LinesShow Last 20 Lines

llvm/lib/Analysis/MemoryBuiltins.cpp

Show First 20 LinesShow All 635 Lines▼ Show 20 LinesValue *llvm::lowerObjectSizeCall(IntrinsicInst *ObjectSize,
EvalOptions.AA = AA; EvalOptions.AA = AA;
// Unless we have to fold this to something, try to be as accurate as // Unless we have to fold this to something, try to be as accurate as
// possible. // possible.
if (MustSucceed) if (MustSucceed)
EvalOptions.EvalMode = EvalOptions.EvalMode =
MaxVal ? ObjectSizeOpts::Mode::Max : ObjectSizeOpts::Mode::Min; MaxVal ? ObjectSizeOpts::Mode::Max : ObjectSizeOpts::Mode::Min;
else else
EvalOptions.EvalMode = ObjectSizeOpts::Mode::Exact; EvalOptions.EvalMode = ObjectSizeOpts::Mode::ExactSizeFromOffset;
EvalOptions.NullIsUnknownSize = EvalOptions.NullIsUnknownSize =
cast<ConstantInt>(ObjectSize->getArgOperand(2))->isOne(); cast<ConstantInt>(ObjectSize->getArgOperand(2))->isOne();
auto *ResultType = cast<IntegerType>(ObjectSize->getType()); auto *ResultType = cast<IntegerType>(ObjectSize->getType());
bool StaticOnly = cast<ConstantInt>(ObjectSize->getArgOperand(3))->isZero(); bool StaticOnly = cast<ConstantInt>(ObjectSize->getArgOperand(3))->isZero();
if (StaticOnly) { if (StaticOnly) {
// FIXME: Does it make sense to just return a failure value if the size won't // FIXME: Does it make sense to just return a failure value if the size won't
▲ Show 20 LinesShow All 341 Lines▼ Show 20 LinesSizeOffsetType ObjectSizeOffsetVisitor::combineSizeOffset(SizeOffsetType LHS,
if (!bothKnown(LHS) || !bothKnown(RHS)) if (!bothKnown(LHS) || !bothKnown(RHS))
return unknown(); return unknown();
switch (Options.EvalMode) { switch (Options.EvalMode) {
case ObjectSizeOpts::Mode::Min: case ObjectSizeOpts::Mode::Min:
return (getSizeWithOverflow(LHS).slt(getSizeWithOverflow(RHS))) ? LHS : RHS; return (getSizeWithOverflow(LHS).slt(getSizeWithOverflow(RHS))) ? LHS : RHS;
case ObjectSizeOpts::Mode::Max: case ObjectSizeOpts::Mode::Max:
return (getSizeWithOverflow(LHS).sgt(getSizeWithOverflow(RHS))) ? LHS : RHS; return (getSizeWithOverflow(LHS).sgt(getSizeWithOverflow(RHS))) ? LHS : RHS;
case ObjectSizeOpts::Mode::Exact: case ObjectSizeOpts::Mode::ExactSizeFromOffset:
return (getSizeWithOverflow(LHS).eq(getSizeWithOverflow(RHS))) ? LHS return (getSizeWithOverflow(LHS).eq(getSizeWithOverflow(RHS))) ? LHS
: unknown(); : unknown();
case ObjectSizeOpts::Mode::ExactUnderlyingSizeAndOffset:
return LHS == RHS && LHS.second.eq(RHS.second) ? LHS : unknown();
vitalybukaUnsubmitted
Not Done
ReplyInline Actions
case ObjectSizeOpts::Mode::ExactUnderlyingSizeAndOffset:
- return LHS.first.eq(RHS.first) && LHS.second.eq(RHS.second) ? LHS : unknown();
+ return (LHS.first.eq(RHS.first) && LHS.second.eq(RHS.second)) ? LHS : unknown();
}
llvm_unreachable("missing an eval mode");
vitalybuka:
vitalybukaUnsubmitted
Not Done
ReplyInline Actions
case ObjectSizeOpts::Mode::ExactUnderlyingSizeAndOffset:
- return LHS.first.eq(RHS.first) && LHS.second.eq(RHS.second) ? LHS : unknown();
+ return LHS == RHS ? LHS : unknown();
}
llvm_unreachable("missing an eval mode");

or even

vitalybuka: or even
aeubanksAuthorUnsubmitted
Done
ReplyInline Actions

derp, I even had that at some point

aeubanks: derp, I even had that at some point
} }
llvm_unreachable("missing an eval mode"); llvm_unreachable("missing an eval mode");
} }
SizeOffsetType ObjectSizeOffsetVisitor::visitPHINode(PHINode &PN) { SizeOffsetType ObjectSizeOffsetVisitor::visitPHINode(PHINode &PN) {
auto IncomingValues = PN.incoming_values(); auto IncomingValues = PN.incoming_values();
return std::accumulate(IncomingValues.begin() + 1, IncomingValues.end(), return std::accumulate(IncomingValues.begin() + 1, IncomingValues.end(),
compute(*IncomingValues.begin()), compute(*IncomingValues.begin()),
▲ Show 20 LinesShow All 248 LinesShow Last 20 Lines

llvm/lib/Transforms/Instrumentation/BoundsChecking.cpp

Show First 20 LinesShow All 140 Lines▼ Show 20 Lines
static bool addBoundsChecking(Function &F, TargetLibraryInfo &TLI, static bool addBoundsChecking(Function &F, TargetLibraryInfo &TLI,
ScalarEvolution &SE) { ScalarEvolution &SE) {
if (F.hasFnAttribute(Attribute::NoSanitizeBounds)) if (F.hasFnAttribute(Attribute::NoSanitizeBounds))
return false; return false;
const DataLayout &DL = F.getParent()->getDataLayout(); const DataLayout &DL = F.getParent()->getDataLayout();
ObjectSizeOpts EvalOpts; ObjectSizeOpts EvalOpts;
EvalOpts.RoundToAlign = true; EvalOpts.RoundToAlign = true;
EvalOpts.EvalMode = ObjectSizeOpts::Mode::ExactUnderlyingSizeAndOffset;
ObjectSizeOffsetEvaluator ObjSizeEval(DL, &TLI, F.getContext(), EvalOpts); ObjectSizeOffsetEvaluator ObjSizeEval(DL, &TLI, F.getContext(), EvalOpts);
// check HANDLE_MEMORY_INST in include/llvm/Instruction.def for memory // check HANDLE_MEMORY_INST in include/llvm/Instruction.def for memory
// touching instructions // touching instructions
SmallVector<std::pair<Instruction *, Value *>, 4> TrapInfo; SmallVector<std::pair<Instruction *, Value *>, 4> TrapInfo;
for (Instruction &I : instructions(F)) { for (Instruction &I : instructions(F)) {
Value *Or = nullptr; Value *Or = nullptr;
BuilderTy IRB(I.getParent(), BasicBlock::iterator(&I), TargetFolder(DL)); BuilderTy IRB(I.getParent(), BasicBlock::iterator(&I), TargetFolder(DL));
▲ Show 20 LinesShow All 99 LinesShow Last 20 Lines

llvm/test/Instrumentation/BoundsChecking/simple.ll

Show First 20 LinesShow All 324 Lines▼ Show 20 Linesdead:
%l = load i32, ptr %incdec.ptr %l = load i32, ptr %incdec.ptr
br label %alive br label %alive
alive: alive:
ret void ret void
} }
; Check that merging sizes in a phi works. ; Check that merging sizes in a phi works.
; FIXME: bounds-checking thinks that %alloc has an underlying size of 0.
define i8 @f14(i1 %i) { define i8 @f14(i1 %i) {
; CHECK-LABEL: @f14( ; CHECK-LABEL: @f14(
; CHECK-NEXT: entry: ; CHECK-NEXT: entry:
; CHECK-NEXT: br i1 [[I:%.*]], label [[BB1:%.*]], label [[BB2:%.*]] ; CHECK-NEXT: br i1 [[I:%.*]], label [[BB1:%.*]], label [[BB2:%.*]]
; CHECK: bb1: ; CHECK: bb1:
; CHECK-NEXT: [[A:%.*]] = alloca [32 x i8], align 1 ; CHECK-NEXT: [[A:%.*]] = alloca [32 x i8], align 1
; CHECK-NEXT: [[G:%.*]] = getelementptr i8, ptr [[A]], i32 32 ; CHECK-NEXT: [[G:%.*]] = getelementptr i8, ptr [[A]], i32 32
; CHECK-NEXT: br label [[BB2]] ; CHECK-NEXT: br label [[BB2]]
; CHECK: bb2: ; CHECK: bb2:
; CHECK-NEXT: [[ALLOC:%.*]] = phi ptr [ null, [[ENTRY:%.*]] ], [ [[G]], [[BB1]] ] ; CHECK-NEXT: [[TMP0:%.*]] = phi i64 [ 0, [[ENTRY:%.*]] ], [ 32, [[BB1]] ]
; CHECK-NEXT: [[TMP1:%.*]] = phi i64 [ 0, [[ENTRY]] ], [ 32, [[BB1]] ]
; CHECK-NEXT: [[ALLOC:%.*]] = phi ptr [ null, [[ENTRY]] ], [ [[G]], [[BB1]] ]
; CHECK-NEXT: [[IND:%.*]] = phi i64 [ 0, [[ENTRY]] ], [ -4, [[BB1]] ] ; CHECK-NEXT: [[IND:%.*]] = phi i64 [ 0, [[ENTRY]] ], [ -4, [[BB1]] ]
; CHECK-NEXT: [[TMP0:%.*]] = add i64 0, [[IND]] ; CHECK-NEXT: [[TMP2:%.*]] = add i64 [[TMP1]], [[IND]]
; CHECK-NEXT: [[P:%.*]] = getelementptr i8, ptr [[ALLOC]], i64 [[IND]] ; CHECK-NEXT: [[P:%.*]] = getelementptr i8, ptr [[ALLOC]], i64 [[IND]]
; CHECK-NEXT: [[TMP1:%.*]] = sub i64 0, [[TMP0]] ; CHECK-NEXT: [[TMP3:%.*]] = sub i64 [[TMP0]], [[TMP2]]
; CHECK-NEXT: [[TMP2:%.*]] = icmp ult i64 0, [[TMP0]] ; CHECK-NEXT: [[TMP4:%.*]] = icmp ult i64 [[TMP0]], [[TMP2]]
; CHECK-NEXT: [[TMP3:%.*]] = icmp ult i64 [[TMP1]], 1 ; CHECK-NEXT: [[TMP5:%.*]] = icmp ult i64 [[TMP3]], 1
; CHECK-NEXT: [[TMP4:%.*]] = or i1 [[TMP2]], [[TMP3]] ; CHECK-NEXT: [[TMP6:%.*]] = or i1 [[TMP4]], [[TMP5]]
; CHECK-NEXT: br i1 [[TMP4]], label [[TRAP:%.*]], label [[TMP5:%.*]] ; CHECK-NEXT: br i1 [[TMP6]], label [[TRAP:%.*]], label [[TMP7:%.*]]
; CHECK: 5: ; CHECK: 7:
; CHECK-NEXT: [[RET:%.*]] = load i8, ptr [[P]], align 1 ; CHECK-NEXT: [[RET:%.*]] = load i8, ptr [[P]], align 1
; CHECK-NEXT: ret i8 [[RET]] ; CHECK-NEXT: ret i8 [[RET]]
; CHECK: trap: ; CHECK: trap:
; CHECK-NEXT: call void @llvm.trap() #[[ATTR5]] ; CHECK-NEXT: call void @llvm.trap() #[[ATTR5]]
; CHECK-NEXT: unreachable ; CHECK-NEXT: unreachable
; ;
entry: entry:
br i1 %i, label %bb1, label %bb2 br i1 %i, label %bb1, label %bb2
▲ Show 20 LinesShow All 55 LinesShow Last 20 Lines