diff --git a/clang/include/clang/Basic/CodeGenOptions.h b/clang/include/clang/Basic/CodeGenOptions.h --- a/clang/include/clang/Basic/CodeGenOptions.h +++ b/clang/include/clang/Basic/CodeGenOptions.h @@ -494,7 +494,8 @@ // Check if any one of SanitizeBinaryMetadata* is enabled. bool hasSanitizeBinaryMetadata() const { - return SanitizeBinaryMetadataCovered || SanitizeBinaryMetadataAtomics; + return SanitizeBinaryMetadataCovered || SanitizeBinaryMetadataAtomics || + SanitizeBinaryMetadataUAR; } }; diff --git a/clang/include/clang/Basic/CodeGenOptions.def b/clang/include/clang/Basic/CodeGenOptions.def --- a/clang/include/clang/Basic/CodeGenOptions.def +++ b/clang/include/clang/Basic/CodeGenOptions.def @@ -288,6 +288,8 @@ CODEGENOPT(SanitizeCoverageTraceStores, 1, 0) ///< Enable tracing of stores. CODEGENOPT(SanitizeBinaryMetadataCovered, 1, 0) ///< Emit PCs for covered functions. CODEGENOPT(SanitizeBinaryMetadataAtomics, 1, 0) ///< Emit PCs for atomic operations. +CODEGENOPT(SanitizeBinaryMetadataUAR, 1, 0) ///< Emit PCs for start of functions + ///< that are subject for use-after-return checking. CODEGENOPT(SanitizeStats , 1, 0) ///< Collect statistics for sanitizers. CODEGENOPT(SimplifyLibCalls , 1, 1) ///< Set when -fbuiltin is enabled. CODEGENOPT(SoftFloat , 1, 0) ///< -soft-float. diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td --- a/clang/include/clang/Driver/Options.td +++ b/clang/include/clang/Driver/Options.td @@ -5542,6 +5542,10 @@ : Flag<["-"], "fexperimental-sanitize-metadata=atomics">, HelpText<"Emit PCs for atomic operations used by binary analysis sanitizers">, MarshallingInfoFlag>; +def fexperimental_sanitize_metadata_EQ_uar + : Flag<["-"], "fexperimental-sanitize-metadata=uar">, + HelpText<"Emit PCs for start of functions that are subject for use-after-return checking.">, + MarshallingInfoFlag>; def fpatchable_function_entry_offset_EQ : Joined<["-"], "fpatchable-function-entry-offset=">, MetaVarName<"">, HelpText<"Generate M NOPs before function entry">, diff --git a/clang/lib/CodeGen/BackendUtil.cpp b/clang/lib/CodeGen/BackendUtil.cpp --- a/clang/lib/CodeGen/BackendUtil.cpp +++ b/clang/lib/CodeGen/BackendUtil.cpp @@ -234,6 +234,7 @@ SanitizerBinaryMetadataOptions Opts; Opts.Covered = CGOpts.SanitizeBinaryMetadataCovered; Opts.Atomics = CGOpts.SanitizeBinaryMetadataAtomics; + Opts.UAR = CGOpts.SanitizeBinaryMetadataUAR; return Opts; } diff --git a/clang/lib/Driver/SanitizerArgs.cpp b/clang/lib/Driver/SanitizerArgs.cpp --- a/clang/lib/Driver/SanitizerArgs.cpp +++ b/clang/lib/Driver/SanitizerArgs.cpp @@ -104,6 +104,7 @@ enum BinaryMetadataFeature { BinaryMetadataCovered = 1 << 0, BinaryMetadataAtomics = 1 << 1, + BinaryMetadataUAR = 1 << 2, }; /// Parse a -fsanitize= or -fno-sanitize= argument's values, diagnosing any @@ -1129,7 +1130,8 @@ // flags. Does not depend on any other sanitizers. const std::pair BinaryMetadataFlags[] = { std::make_pair(BinaryMetadataCovered, "covered"), - std::make_pair(BinaryMetadataAtomics, "atomics")}; + std::make_pair(BinaryMetadataAtomics, "atomics"), + std::make_pair(BinaryMetadataUAR, "uar")}; for (const auto &F : BinaryMetadataFlags) { if (BinaryMetadataFeatures & F.first) CmdArgs.push_back( @@ -1395,6 +1397,7 @@ int F = llvm::StringSwitch(Value) .Case("covered", BinaryMetadataCovered) .Case("atomics", BinaryMetadataAtomics) + .Case("uar", BinaryMetadataUAR) .Case("all", ~0) .Default(0); if (F == 0 && DiagnoseErrors) diff --git a/llvm/include/llvm/CodeGen/CodeGenPassBuilder.h b/llvm/include/llvm/CodeGen/CodeGenPassBuilder.h --- a/llvm/include/llvm/CodeGen/CodeGenPassBuilder.h +++ b/llvm/include/llvm/CodeGen/CodeGenPassBuilder.h @@ -926,6 +926,7 @@ addPass(StackMapLivenessPass()); addPass(LiveDebugValuesPass()); + addPass(MachineSanitizerMetadata()); if (TM.Options.EnableMachineOutliner && getOptLevel() != CodeGenOpt::None && Opt.EnableMachineOutliner != RunOutliner::NeverOutline) { diff --git a/llvm/include/llvm/CodeGen/MachinePassRegistry.def b/llvm/include/llvm/CodeGen/MachinePassRegistry.def --- a/llvm/include/llvm/CodeGen/MachinePassRegistry.def +++ b/llvm/include/llvm/CodeGen/MachinePassRegistry.def @@ -202,4 +202,5 @@ DUMMY_MACHINE_FUNCTION_PASS("reset-machine-function", ResetMachineFunctionPass, ()) DUMMY_MACHINE_FUNCTION_PASS("machineverifier", MachineVerifierPass, ()) DUMMY_MACHINE_FUNCTION_PASS("print-machine-cycles", MachineCycleInfoPrinterPass, ()) +DUMMY_MACHINE_FUNCTION_PASS("machine-sanmd", MachineSanitizerMetadata, ()) #undef DUMMY_MACHINE_FUNCTION_PASS diff --git a/llvm/include/llvm/CodeGen/Passes.h b/llvm/include/llvm/CodeGen/Passes.h --- a/llvm/include/llvm/CodeGen/Passes.h +++ b/llvm/include/llvm/CodeGen/Passes.h @@ -405,6 +405,8 @@ /// the intrinsic for later emission to the StackMap. extern char &StackMapLivenessID; + extern char &MachineSanitizerMetadataID; + /// RemoveRedundantDebugValues pass. extern char &RemoveRedundantDebugValuesID; diff --git a/llvm/include/llvm/InitializePasses.h b/llvm/include/llvm/InitializePasses.h --- a/llvm/include/llvm/InitializePasses.h +++ b/llvm/include/llvm/InitializePasses.h @@ -295,6 +295,7 @@ void initializeMachinePipelinerPass(PassRegistry&); void initializeMachinePostDominatorTreePass(PassRegistry&); void initializeMachineRegionInfoPassPass(PassRegistry&); +void initializeMachineSanitizerMetadataPass(PassRegistry &); void initializeMachineSchedulerPass(PassRegistry&); void initializeMachineSinkingPass(PassRegistry&); void initializeMachineTraceMetricsPass(PassRegistry&); diff --git a/llvm/include/llvm/Transforms/Instrumentation.h b/llvm/include/llvm/Transforms/Instrumentation.h --- a/llvm/include/llvm/Transforms/Instrumentation.h +++ b/llvm/include/llvm/Transforms/Instrumentation.h @@ -159,9 +159,18 @@ struct SanitizerBinaryMetadataOptions { bool Covered = false; bool Atomics = false; + bool UAR = false; SanitizerBinaryMetadataOptions() = default; }; +constexpr int kSanitizerMetadataAtomicsBit = 0; +constexpr int kSanitizerMetadataUARBit = 1; + +constexpr uint32_t kSanitizerMetadataNone = 0; +constexpr uint32_t kSanitizerMetadataAtomics = 1 + << kSanitizerMetadataAtomicsBit; +constexpr uint32_t kSanitizerMetadataUAR = 1 << kSanitizerMetadataUARBit; + /// Calculate what to divide by to scale counts. /// /// Given the maximum count, calculate a divisor that will scale all the diff --git a/llvm/lib/CodeGen/CMakeLists.txt b/llvm/lib/CodeGen/CMakeLists.txt --- a/llvm/lib/CodeGen/CMakeLists.txt +++ b/llvm/lib/CodeGen/CMakeLists.txt @@ -195,6 +195,7 @@ RegisterBankInfo.cpp SafeStack.cpp SafeStackLayout.cpp + SanitizerMetadata.cpp ScheduleDAG.cpp ScheduleDAGInstrs.cpp ScheduleDAGPrinter.cpp diff --git a/llvm/lib/CodeGen/CodeGen.cpp b/llvm/lib/CodeGen/CodeGen.cpp --- a/llvm/lib/CodeGen/CodeGen.cpp +++ b/llvm/lib/CodeGen/CodeGen.cpp @@ -83,6 +83,7 @@ initializeMachineOptimizationRemarkEmitterPassPass(Registry); initializeMachineOutlinerPass(Registry); initializeMachinePipelinerPass(Registry); + initializeMachineSanitizerMetadataPass(Registry); initializeModuloScheduleTestPass(Registry); initializeMachinePostDominatorTreePass(Registry); initializeMachineRegionInfoPassPass(Registry); diff --git a/llvm/lib/CodeGen/SanitizerMetadata.cpp b/llvm/lib/CodeGen/SanitizerMetadata.cpp new file mode 100644 --- /dev/null +++ b/llvm/lib/CodeGen/SanitizerMetadata.cpp @@ -0,0 +1,68 @@ +//===- SanitizerMetadata.cpp ----------------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// +// This file is a part of SanitizerBinaryMetadata. +// +//===----------------------------------------------------------------------===// + +#include "llvm/CodeGen/MachineFrameInfo.h" +#include "llvm/CodeGen/MachineFunction.h" +#include "llvm/CodeGen/MachineFunctionPass.h" +#include "llvm/CodeGen/Passes.h" +#include "llvm/IR/IRBuilder.h" +#include "llvm/IR/MDBuilder.h" +#include "llvm/InitializePasses.h" +#include "llvm/Pass.h" +#include "llvm/Transforms/Instrumentation.h" +#include + +using namespace llvm; + +class MachineSanitizerMetadata : public MachineFunctionPass { +public: + static char ID; + + MachineSanitizerMetadata(); + bool runOnMachineFunction(MachineFunction &F) override; +}; + +INITIALIZE_PASS(MachineSanitizerMetadata, "machine-sanmd", + "Machine Sanitizer Binary Metadata", false, false) + +char MachineSanitizerMetadata::ID = 0; +char &llvm::MachineSanitizerMetadataID = MachineSanitizerMetadata::ID; + +MachineSanitizerMetadata::MachineSanitizerMetadata() : MachineFunctionPass(ID) { + initializeMachineSanitizerMetadataPass(*PassRegistry::getPassRegistry()); +} + +bool MachineSanitizerMetadata::runOnMachineFunction(MachineFunction &MF) { + MDNode *MD = MF.getFunction().getMetadata(LLVMContext::MD_pcsections); + if (!MD) + return false; + auto &AuxMDs = *cast(MD->getOperand(1)); + const auto &Features = cast(AuxMDs.getOperand(0)) + ->getValue() + ->getUniqueInteger(); + if (!Features[kSanitizerMetadataUARBit]) + return false; + // Append stack args size to the function metadata. + int64_t Size = 0; + uint64_t Align = 0; + const MachineFrameInfo &MFI = MF.getFrameInfo(); + for (int i = -1; i >= (int)-MFI.getNumFixedObjects(); --i) { + Size = std::max(Size, MFI.getObjectOffset(i) + MFI.getObjectSize(i)); + Align = std::max(Align, MFI.getObjectAlign(i).value()); + } + Size = (Size + Align - 1) & ~(Align - 1); + auto &F = MF.getFunction(); + IRBuilder<> IRB(F.getContext()); + MDBuilder MDB(F.getContext()); + AuxMDs.push_back(MDB.createConstant(IRB.getInt32(Size))); + return false; +} diff --git a/llvm/lib/CodeGen/TargetPassConfig.cpp b/llvm/lib/CodeGen/TargetPassConfig.cpp --- a/llvm/lib/CodeGen/TargetPassConfig.cpp +++ b/llvm/lib/CodeGen/TargetPassConfig.cpp @@ -1268,6 +1268,7 @@ addPass(&StackMapLivenessID); addPass(&LiveDebugValuesID); + addPass(&MachineSanitizerMetadataID); if (TM->Options.EnableMachineOutliner && getOptLevel() != CodeGenOpt::None && EnableMachineOutliner != RunOutliner::NeverOutline) { diff --git a/llvm/lib/IR/MDBuilder.cpp b/llvm/lib/IR/MDBuilder.cpp --- a/llvm/lib/IR/MDBuilder.cpp +++ b/llvm/lib/IR/MDBuilder.cpp @@ -172,7 +172,8 @@ AuxMDs.reserve(AuxConsts.size()); for (Constant *C : AuxConsts) AuxMDs.push_back(createConstant(C)); - Ops.push_back(MDNode::get(Context, AuxMDs)); + // MachineSanitizerMetadata pass may modify it later. + Ops.push_back(MDNode::getDistinct(Context, AuxMDs)); } } diff --git a/llvm/lib/Transforms/Instrumentation/SanitizerBinaryMetadata.cpp b/llvm/lib/Transforms/Instrumentation/SanitizerBinaryMetadata.cpp --- a/llvm/lib/Transforms/Instrumentation/SanitizerBinaryMetadata.cpp +++ b/llvm/lib/Transforms/Instrumentation/SanitizerBinaryMetadata.cpp @@ -67,14 +67,14 @@ private: // Forbid construction elsewhere. explicit constexpr MetadataInfo(StringRef FunctionPrefix, - StringRef SectionSuffix, int Feature) + StringRef SectionSuffix, uint32_t Feature) : FunctionPrefix(FunctionPrefix), SectionSuffix(SectionSuffix), - FeatureMask(Feature != -1 ? (1u << Feature) : 0) {} + FeatureMask(Feature) {} }; -const MetadataInfo MetadataInfo::Covered{"__sanitizer_metadata_covered", - "sanmd_covered", -1}; -const MetadataInfo MetadataInfo::Atomics{"__sanitizer_metadata_atomics", - "sanmd_atomics", 0}; +const MetadataInfo MetadataInfo::Covered{ + "__sanitizer_metadata_covered", "sanmd_covered", kSanitizerMetadataNone}; +const MetadataInfo MetadataInfo::Atomics{ + "__sanitizer_metadata_atomics", "sanmd_atomics", kSanitizerMetadataAtomics}; // The only instances of MetadataInfo are the constants above, so a set of // them may simply store pointers to them. To deterministically generate code, @@ -89,11 +89,16 @@ cl::opt ClEmitAtomics("sanitizer-metadata-atomics", cl::desc("Emit PCs for atomic operations."), cl::Hidden, cl::init(false)); +cl::opt ClEmitUAR("sanitizer-metadata-uar", + cl::desc("Emit PCs for start of functions that are " + "subject for use-after-return checking"), + cl::Hidden, cl::init(false)); //===--- Statistics -------------------------------------------------------===// STATISTIC(NumMetadataCovered, "Metadata attached to covered functions"); STATISTIC(NumMetadataAtomics, "Metadata attached to atomics"); +STATISTIC(NumMetadataUAR, "Metadata attached to UAR functions"); //===----------------------------------------------------------------------===// @@ -102,6 +107,7 @@ transformOptionsFromCl(SanitizerBinaryMetadataOptions &&Opts) { Opts.Covered |= ClEmitCovered; Opts.Atomics |= ClEmitAtomics; + Opts.UAR |= ClEmitUAR; return std::move(Opts); } @@ -142,7 +148,8 @@ // function with memory operations (atomic or not) requires covered metadata // to determine if a memory operation is atomic or not in modules compiled // with SanitizerBinaryMetadata. - bool runOn(Instruction &I, MetadataInfoSet &MIS, MDBuilder &MDB); + bool runOn(Instruction &I, MetadataInfoSet &MIS, MDBuilder &MDB, + uint32_t &PerInstrFeatureMask); // Get start/end section marker pointer. GlobalVariable *getSectionMarker(const Twine &MarkerName, Type *Ty); @@ -235,16 +242,21 @@ uint32_t PerInstrFeatureMask = getEnabledPerInstructionFeature(); // Don't emit unnecessary covered metadata for all functions to save space. bool RequiresCovered = false; - if (PerInstrFeatureMask) { + if (PerInstrFeatureMask || Options.UAR) { for (BasicBlock &BB : F) for (Instruction &I : BB) - RequiresCovered |= runOn(I, MIS, MDB); + RequiresCovered |= runOn(I, MIS, MDB, PerInstrFeatureMask); } + if (F.isVarArg()) + PerInstrFeatureMask &= ~kSanitizerMetadataUAR; + if (PerInstrFeatureMask & kSanitizerMetadataUAR) + NumMetadataUAR++; + // Covered metadata is always emitted if explicitly requested, otherwise only // if some other metadata requires it to unambiguously interpret it for // modules compiled with SanitizerBinaryMetadata. - if (Options.Covered || RequiresCovered) { + if (Options.Covered || (PerInstrFeatureMask && RequiresCovered)) { NumMetadataCovered++; const auto *MI = &MetadataInfo::Covered; MIS.insert(MI); @@ -258,10 +270,25 @@ } bool SanitizerBinaryMetadata::runOn(Instruction &I, MetadataInfoSet &MIS, - MDBuilder &MDB) { + MDBuilder &MDB, + uint32_t &PerInstrFeatureMask) { SmallVector InstMetadata; bool RequiresCovered = false; + if (Options.UAR) { + for (unsigned i = 0; i < I.getNumOperands(); ++i) { + const Value *V = I.getOperand(i); + // TODO(dvyukov): check if V is an address of alloca/function arg. + // See isSafeAndProfitableToSinkLoad for addr-taken allocas + // and DeadArgumentEliminationPass::removeDeadStuffFromFunction + // for iteration over function args. + if (V) { + RequiresCovered = true; + PerInstrFeatureMask |= kSanitizerMetadataUAR; + } + } + } + if (Options.Atomics && I.mayReadOrWriteMemory()) { auto SSID = getAtomicSyncScopeID(&I); if (SSID.has_value() && SSID.value() != SyncScope::SingleThread) {