This is an archive of the discontinued LLVM Phabricator instance.

Differential D143296

[MSan] Fix calling pointers to varargs functions on SystemZ
ClosedPublic

Authored by iii on Feb 3 2023, 2:11 PM.

Details

Reviewers
uweigand
jonpa
eugenis
vitalybuka
Commits
rG322e150e3392: [MSan] Fix calling pointers to varargs functions on SystemZ
Summary

VarArgSystemZHelper.visitCallBase() checks whether the callee has the
"use-soft-float" attribute, but if the callee is a function pointer, a
null pointer dereference happens.

Fix by checking this attribute on the current function. Alternatively,
one could try the callee first, but this is pointless, since one should
not be mixing hardfloat and softfloat code anyway.

Diff Detail

Event Timeline

iii created this revision.Feb 3 2023, 2:11 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 3 2023, 2:11 PM
Herald added subscribers: Enna1, hiraditya. · View Herald Transcript
iii requested review of this revision.Feb 3 2023, 2:11 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 3 2023, 2:11 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B211800: Diff 494734.Feb 3 2023, 3:06 PM
uweigand accepted this revision.Feb 6 2023, 9:24 AM

Fix by checking this attribute on the current function. Alternatively, one could try the callee first, but this is pointless, since one should not be mixing hardfloat and softfloat code anyway.

Agreed. If the current function is compiled for soft-float, it cannot use any FP registers and therefore could not set up arguments for a hard-float routine.

The patch LGTM.

This revision is now accepted and ready to land.Feb 6 2023, 9:24 AM
Closed by commit rG322e150e3392: [MSan] Fix calling pointers to varargs functions on SystemZ (authored by iii). · Explain WhyFeb 6 2023, 2:35 PM
This revision was automatically updated to reflect the committed changes.
iii added a commit: rG322e150e3392: [MSan] Fix calling pointers to varargs functions on SystemZ.

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
11 lines
test/
Instrumentation/
MemorySanitizer/
SystemZ/
2 lines
13 lines

Diff 495278

llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp

Show First 20 LinesShow All 5,410 Lines▼ Show 20 Linesstruct VarArgSystemZHelper : public VarArgHelper {
static const unsigned SystemZOverflowOffset = 160; static const unsigned SystemZOverflowOffset = 160;
static const unsigned SystemZVAListTagSize = 32; static const unsigned SystemZVAListTagSize = 32;
static const unsigned SystemZOverflowArgAreaPtrOffset = 16; static const unsigned SystemZOverflowArgAreaPtrOffset = 16;
static const unsigned SystemZRegSaveAreaPtrOffset = 24; static const unsigned SystemZRegSaveAreaPtrOffset = 24;
Function &F; Function &F;
MemorySanitizer &MS; MemorySanitizer &MS;
MemorySanitizerVisitor &MSV; MemorySanitizerVisitor &MSV;
bool IsSoftFloatABI;
Value *VAArgTLSCopy = nullptr; Value *VAArgTLSCopy = nullptr;
Value *VAArgTLSOriginCopy = nullptr; Value *VAArgTLSOriginCopy = nullptr;
Value *VAArgOverflowSize = nullptr; Value *VAArgOverflowSize = nullptr;
SmallVector<CallInst *, 16> VAStartInstrumentationList; SmallVector<CallInst *, 16> VAStartInstrumentationList;
enum class ArgKind { enum class ArgKind {
GeneralPurpose, GeneralPurpose,
FloatingPoint, FloatingPoint,
Vector, Vector,
Memory, Memory,
Indirect, Indirect,
}; };
enum class ShadowExtension { None, Zero, Sign }; enum class ShadowExtension { None, Zero, Sign };
VarArgSystemZHelper(Function &F, MemorySanitizer &MS, VarArgSystemZHelper(Function &F, MemorySanitizer &MS,
MemorySanitizerVisitor &MSV) MemorySanitizerVisitor &MSV)
: F(F), MS(MS), MSV(MSV) {} : F(F), MS(MS), MSV(MSV),
IsSoftFloatABI(F.getFnAttribute("use-soft-float").getValueAsBool()) {}
ArgKind classifyArgument(Type *T, bool IsSoftFloatABI) { ArgKind classifyArgument(Type *T) {
// T is a SystemZABIInfo::classifyArgumentType() output, and there are // T is a SystemZABIInfo::classifyArgumentType() output, and there are
// only a few possibilities of what it can be. In particular, enums, single // only a few possibilities of what it can be. In particular, enums, single
// element structs and large types have already been taken care of. // element structs and large types have already been taken care of.
// Some i128 and fp128 arguments are converted to pointers only in the // Some i128 and fp128 arguments are converted to pointers only in the
// back end. // back end.
if (T->isIntegerTy(128) || T->isFP128Ty()) if (T->isIntegerTy(128) || T->isFP128Ty())
return ArgKind::Indirect; return ArgKind::Indirect;
Show All 21 Lines ShadowExtension getShadowExtension(const CallBase &CB, unsigned ArgNo) {
if (SExt) { if (SExt) {
assert(!ZExt); assert(!ZExt);
return ShadowExtension::Sign; return ShadowExtension::Sign;
} }
return ShadowExtension::None; return ShadowExtension::None;
} }
void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override { void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
bool IsSoftFloatABI = CB.getCalledFunction()
->getFnAttribute("use-soft-float")
.getValueAsBool();
unsigned GpOffset = SystemZGpOffset; unsigned GpOffset = SystemZGpOffset;
unsigned FpOffset = SystemZFpOffset; unsigned FpOffset = SystemZFpOffset;
unsigned VrIndex = 0; unsigned VrIndex = 0;
unsigned OverflowOffset = SystemZOverflowOffset; unsigned OverflowOffset = SystemZOverflowOffset;
const DataLayout &DL = F.getParent()->getDataLayout(); const DataLayout &DL = F.getParent()->getDataLayout();
for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) { for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) {
bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams(); bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
// SystemZABIInfo does not produce ByVal parameters. // SystemZABIInfo does not produce ByVal parameters.
assert(!CB.paramHasAttr(ArgNo, Attribute::ByVal)); assert(!CB.paramHasAttr(ArgNo, Attribute::ByVal));
Type *T = A->getType(); Type *T = A->getType();
ArgKind AK = classifyArgument(T, IsSoftFloatABI); ArgKind AK = classifyArgument(T);
if (AK == ArgKind::Indirect) { if (AK == ArgKind::Indirect) {
T = PointerType::get(T, 0); T = PointerType::get(T, 0);
AK = ArgKind::GeneralPurpose; AK = ArgKind::GeneralPurpose;
} }
if (AK == ArgKind::GeneralPurpose && GpOffset >= SystemZGpEndOffset) if (AK == ArgKind::GeneralPurpose && GpOffset >= SystemZGpEndOffset)
AK = ArgKind::Memory; AK = ArgKind::Memory;
if (AK == ArgKind::FloatingPoint && FpOffset >= SystemZFpEndOffset) if (AK == ArgKind::FloatingPoint && FpOffset >= SystemZFpEndOffset)
AK = ArgKind::Memory; AK = ArgKind::Memory;
▲ Show 20 LinesShow All 265 LinesShow Last 20 Lines

llvm/test/Instrumentation/MemorySanitizer/SystemZ/vararg-kernel.ll

Show All 25 Linesdefine i64 @bar() #1 {
%1 = call i64 (i64, ...) @foo(i64 1, i32 zeroext %arg2, float %arg3, %1 = call i64 (i64, ...) @foo(i64 1, i32 zeroext %arg2, float %arg3,
i32 signext %arg4, double %arg5, i64 %arg6, i32 signext %arg4, double %arg5, i64 %arg6,
i64 7, double 8.0, i32 zeroext %arg9, i64 7, double 8.0, i32 zeroext %arg9,
double 10.0, float %arg11, i32 signext %arg12, double 10.0, float %arg11, i32 signext %arg12,
double %arg13, i64 %arg14) double %arg13, i64 %arg14)
ret i64 %1 ret i64 %1
} }
attributes #1 = { sanitize_memory } attributes #1 = { sanitize_memory "target-features"="+soft-float" "use-soft-float"="true" }
; In kernel the floating point values are passed in GPRs: ; In kernel the floating point values are passed in GPRs:
; - r2@16 == i64 1 - skipped, because it's fixed ; - r2@16 == i64 1 - skipped, because it's fixed
; - r3@24 == i32 zext %arg2 - shadow is zero-extended ; - r3@24 == i32 zext %arg2 - shadow is zero-extended
; - r4@(32 + 4) == float %arg3 - right-justified, shadow is 32-bit ; - r4@(32 + 4) == float %arg3 - right-justified, shadow is 32-bit
; - r5@40 == i32 sext %arg4 - shadow is sign-extended ; - r5@40 == i32 sext %arg4 - shadow is sign-extended
; - r6@48 == double %arg5 - straightforward ; - r6@48 == double %arg5 - straightforward
; - overflow@160 == i64 %arg6 - straightforward ; - overflow@160 == i64 %arg6 - straightforward
▲ Show 20 LinesShow All 82 LinesShow Last 20 Lines

llvm/test/Instrumentation/MemorySanitizer/SystemZ/vararg.ll

Show First 20 LinesShow All 191 Lines▼ Show 20 Lines
; CHECK: declare void @__msan_maybe_warning_1(i8 zeroext, i32 zeroext) ; CHECK: declare void @__msan_maybe_warning_1(i8 zeroext, i32 zeroext)
; CHECK: declare void @__msan_maybe_store_origin_1(i8 zeroext, ptr, i32 zeroext) ; CHECK: declare void @__msan_maybe_store_origin_1(i8 zeroext, ptr, i32 zeroext)
; CHECK: declare void @__msan_maybe_warning_2(i16 zeroext, i32 zeroext) ; CHECK: declare void @__msan_maybe_warning_2(i16 zeroext, i32 zeroext)
; CHECK: declare void @__msan_maybe_store_origin_2(i16 zeroext, ptr, i32 zeroext) ; CHECK: declare void @__msan_maybe_store_origin_2(i16 zeroext, ptr, i32 zeroext)
; CHECK: declare void @__msan_maybe_warning_4(i32 zeroext, i32 zeroext) ; CHECK: declare void @__msan_maybe_warning_4(i32 zeroext, i32 zeroext)
; CHECK: declare void @__msan_maybe_store_origin_4(i32 zeroext, ptr, i32 zeroext) ; CHECK: declare void @__msan_maybe_store_origin_4(i32 zeroext, ptr, i32 zeroext)
; CHECK: declare void @__msan_maybe_warning_8(i64 zeroext, i32 zeroext) ; CHECK: declare void @__msan_maybe_warning_8(i64 zeroext, i32 zeroext)
; CHECK: declare void @__msan_maybe_store_origin_8(i64 zeroext, ptr, i32 zeroext) ; CHECK: declare void @__msan_maybe_store_origin_8(i64 zeroext, ptr, i32 zeroext)
; Test vararg function pointers.
;
; void (*ptr)(int, ...);
; void call_ptr(void) { ptr(0); }
@ptr = dso_local global ptr null, align 8
define dso_local void @call_ptr() {
%1 = load ptr, ptr @ptr, align 8
call void (i32, ...) %1(i32 noundef signext 0)
ret void
}