This is an archive of the discontinued LLVM Phabricator instance.

Differential D148654

Modify BoundsSan to improve debuggability
Needs ReviewPublic

Authored by oskarwirga on Apr 18 2023, 12:45 PM.

Details

Reviewers
nlopes
chandlerc
jgalenson
melver
aeubanks
asbirlea
vitalybuka
Summary

Context

BoundsSanitizer is a mitigation that is part of UBSAN. It can be enabled in "trap" mode to crash on OOB array accesses.

Problem

BoundsSan has zero false positives meaning every crash is a OOB array access, unfortunately optimizations cause these crashes in production builds to be a bit useless because we only know which function is crashing but not which line of code.

Godbolt example of the optimization: https://godbolt.org/z/6qjax9z1b

This Diff

I wanted to provide a way to know exactly which LOC is responsible for the crash. What we do here is use the size of the basic block as an iterator to an immediate value for the ubsan trap.

Diff Detail

Event Timeline

oskarwirga created this revision.Apr 18 2023, 12:45 PM
oskarwirga created this object with visibility "oskarwirga (Oskar Wirga)".
oskarwirga created this object with edit policy "Subscribers".
Herald added a project: Restricted Project. · View Herald TranscriptApr 18 2023, 12:45 PM
oskarwirga requested review of this revision.Apr 18 2023, 12:45 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptApr 18 2023, 12:45 PM
oskarwirga changed the visibility from "oskarwirga (Oskar Wirga)" to "All Users".Apr 18 2023, 12:46 PM
oskarwirga changed the edit policy from "Subscribers" to "All Users".
Herald added subscribers: llvm-commits, cfe-commits, Enna1, hiraditya. · View Herald TranscriptApr 18 2023, 12:46 PM
smeenai added a comment.May 1 2023, 1:49 PM

You should upload this with full context and add some test cases :)

smeenai added a comment.May 2 2023, 8:04 AM

Thinking about this a bit more, should the trap not have an associated stack trace that can be symbolicated to tell you which line of code was crashing? If the issue is that multiple traps can get folded together, the nomerge attribute (D78659) could be useful.

oskarwirga added a comment.EditedMay 2 2023, 6:10 PM
In D148654#4312478, @smeenai wrote:

Thinking about this a bit more, should the trap not have an associated stack trace that can be symbolicated to tell you which line of code was crashing? If the issue is that multiple traps can get folded together, the nomerge attribute (D78659) could be useful.

I tried adding the nomerge attribute to TrapCall but I still found the call being optimized to a single site :(

Edit: Added it incorrectly, seems to work fine!

oskarwirga edited the summary of this revision. (Show Details)May 2 2023, 6:11 PM
oskarwirga updated this revision to Diff 518933.May 2 2023, 7:00 PM
oskarwirga edited the summary of this revision. (Show Details)

Update the diff to use the nomerge attribute

Harbormaster completed remote builds in B229586: Diff 518933.May 2 2023, 7:01 PM
oskarwirga updated this revision to Diff 519190.May 3 2023, 11:49 AM
oskarwirga edited the summary of this revision. (Show Details)

Turns out the lowering of ubsantrap() to a single instruction resulted in binaries that did NOT have nonmerged traps, so this is going back to what we had before. I also added tests to show that the trap gets preserved.

Harbormaster completed remote builds in B229769: Diff 519190.May 3 2023, 11:49 AM
oskarwirga updated this revision to Diff 521180.May 10 2023, 5:37 PM

Rebase on trunk :)

kyulee added a subscriber: kyulee.May 10 2023, 6:36 PM
Harbormaster completed remote builds in B231236: Diff 521180.May 10 2023, 7:06 PM
oskarwirga updated this revision to Diff 521525.May 11 2023, 6:52 PM

clang-format 😺

Harbormaster completed remote builds in B231504: Diff 521525.May 11 2023, 7:47 PM
oskarwirga added a comment.May 12 2023, 11:34 AM

CC: @nlopes @chandlerc @jgalenson

I have y'all added here because of your past work on BoundsSan, if you know of anyone else who may be able to provide review please tag them!

smeenai added a reviewer: melver.May 12 2023, 12:48 PM

The patch should be uploaded with full context to make review easier.

Adding another potential reviewer.

oskarwirga updated this revision to Diff 521767.May 12 2023, 12:55 PM

Add full context

nlopes added inline comments.May 12 2023, 2:17 PM
llvm/lib/Transforms/Instrumentation/BoundsChecking.cpp
187–219

this seems like code duplication. This pass already has the single-trap flag to exactly control if you get a single trap BB or one per check for better debug info.

oskarwirga added inline comments.May 12 2023, 3:35 PM
llvm/lib/Transforms/Instrumentation/BoundsChecking.cpp
187–219

Unfortunately, even with the single trap flag it gets optimized out in later passes because the machine code emitted is the exact same

smeenai added inline comments.May 12 2023, 3:41 PM
llvm/lib/Transforms/Instrumentation/BoundsChecking.cpp
187–219

I believe we end up tail merging the trap instructions. A previous iteration of this patch attempted to use the nomerge attribute to directly avoid the tail merging, but that only works for function calls, not for the trap instruction ultimately emitted here.

Harbormaster completed remote builds in B231685: Diff 521767.May 12 2023, 3:49 PM
oskarwirga changed the visibility from "All Users" to "Public (No Login Required)".May 15 2023, 11:09 AM
oskarwirga added a comment.May 24 2023, 9:45 AM

Jobs are now passing, CC: @nlopes @chandlerc @jgalenson for review :)

oskarwirga added a comment.Jul 5 2023, 1:57 PM

ping :)

oskarwirga added reviewers: vitalybuka, aeubanks, asbirlea.Jul 13 2023, 11:16 AM
vitalybuka added inline comments.Jul 13 2023, 11:22 AM
clang/lib/CodeGen/CGExpr.cpp
3612–3633

looks like a lot of code duplication

3630

wouldn't be you issues solved with
TrapCall->setCannotMerge() here?

oskarwirga added inline comments.Jul 13 2023, 1:10 PM
clang/lib/CodeGen/CGExpr.cpp
3612–3633

Let me refactor this

3630

ubsantrap gets lowered to an instruction in MIR which then gets merged later. This was the only way I was able to create unique instruction per check.

oskarwirga updated this revision to Diff 540181.Jul 13 2023, 2:10 PM

Refactor CodeGen code

oskarwirga marked 2 inline comments as done.Jul 13 2023, 2:10 PM
aeubanks added inline comments.Jul 13 2023, 2:32 PM
clang/lib/CodeGen/CGExpr.cpp
3630

isn't that a nomerge bug that should get fixed instead?

oskarwirga added inline comments.Jul 13 2023, 2:44 PM
clang/lib/CodeGen/CGExpr.cpp
3630

I don't think so because nomerge is a function attribute and the ubsantrap intrinsic gets lowered as an instruction. Creating instruction attributes from lowered function attributes seems a bit involved to me.

Harbormaster completed remote builds in B245219: Diff 540181.Jul 13 2023, 7:28 PM
oskarwirga added a comment.Jul 21 2023, 9:59 AM

ping

oskarwirga updated this revision to Diff 543557.Jul 24 2023, 8:08 AM

Properly refactor the code bc my last attempt was flawed -_-

Harbormaster completed remote builds in B247684: Diff 543557.Jul 24 2023, 11:26 AM
oskarwirga planned changes to this revision.Aug 3 2023, 2:26 AM
oskarwirga updated this revision to Diff 550355.Aug 15 2023, 9:06 AM

Fix clang crash and retest

Harbormaster completed remote builds in B252659: Diff 550355.Aug 15 2023, 10:10 AM
oskarwirga added a comment.Sep 5 2023, 11:25 AM

ping

vitalybuka added inline comments.Sep 7 2023, 3:48 PM
clang/lib/CodeGen/CGExpr.cpp
47

this file and BoundsChecking.cpp belong to different patches

56

this applies only to fsanitize=undefined, and does not apply to llvm level sanitizers, like msan, asan
we need better name: maybe ubsan-unique-traps

BTW do we want this as frontend flag?

3581

so here we have two problems?

  1. OptimizationLevel > 0 clang creates only one TrapBB per check type
  2. even if we create multiple bb here, branch-folder will merge them later
3597–3599
(TrapBB->getParent()->size() * 0x10000 + CheckHandlerID)
llvm/lib/Transforms/Instrumentation/BoundsChecking.cpp
187–219

branches of if (DebugTrapBB) condition has a lot of code duplication, can you try to imrove?

196

why Fn->size(), to make a counter?

202

can you please create a test where bounds-checking-single-trap=0 and setCannotMerge produce invalid result.

oskarwirga added inline comments.Sep 11 2023, 2:59 AM
clang/lib/CodeGen/CGExpr.cpp
47

Just to be clear on terms here, these changes should be two different commits?

56

Good point, as for being a frontend flag I don't feel strongly one way or the other, not sure how useful this is outside of my use-case.

3581

Yeah exactly, despite my best efforts to come up with an existing way to fix this issue, because the ubsantrap intrinsic ends up being an instruction in MIR, it loses any function attributes we tack on now.

3597–3599

Why * 0x10000 ?

llvm/lib/Transforms/Instrumentation/BoundsChecking.cpp
187–219

Yes, I will address all your comments in a new patch on github, thank you for your feedback I appreciate it :)

196

I was looking for a way to create a more or less unique value without creating a global iterator. It doesn't have to be this, I just thought that the fn->size would be increasing as checks go in so it would give a unique value per check.

202

Can do!

oskarwirga marked 5 inline comments as done.Sep 11 2023, 9:04 AM
vitalybuka resigned from this revision.Sep 26 2023, 4:02 PM

I assume we moved to https://github.com/llvm/llvm-project/pull/65972

GitHub <noreply@github.com> mentioned this in rG832b3b2462c1: Modify BoundsSan to improve debuggability (#65972).Sep 29 2023, 3:34 PM

Revision Contents

PathSize
clang/
lib/
CodeGen/
33 lines
test/
CodeGen/
15 lines
llvm/
lib/
Transforms/
Instrumentation/
55 lines

Diff 550355

clang/lib/CodeGen/CGExpr.cpp

Show All 38 Lines
#include "llvm/IR/MatrixBuilder.h" #include "llvm/IR/MatrixBuilder.h"
#include "llvm/Passes/OptimizationLevel.h" #include "llvm/Passes/OptimizationLevel.h"
#include "llvm/Support/ConvertUTF.h" #include "llvm/Support/ConvertUTF.h"
#include "llvm/Support/MathExtras.h" #include "llvm/Support/MathExtras.h"
#include "llvm/Support/Path.h" #include "llvm/Support/Path.h"
#include "llvm/Support/SaveAndRestore.h" #include "llvm/Support/SaveAndRestore.h"
#include "llvm/Support/xxhash.h" #include "llvm/Support/xxhash.h"
#include "llvm/Transforms/Utils/SanitizerStats.h" #include "llvm/Transforms/Utils/SanitizerStats.h"
vitalybukaUnsubmitted
Done
ReplyInline Actions

this file and BoundsChecking.cpp belong to different patches

vitalybuka: this file and BoundsChecking.cpp belong to different patches
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

Just to be clear on terms here, these changes should be two different commits?

oskarwirga: Just to be clear on terms here, these changes should be two different commits?
#include <optional> #include <optional>
#include <string> #include <string>
using namespace clang; using namespace clang;
using namespace CodeGen; using namespace CodeGen;
// Experiment to make sanitizers easier to debug
static llvm::cl::opt<bool> ClSanitizeDebugDeoptimization(
"sanitizer-de-opt-traps", llvm::cl::Optional,
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

this applies only to fsanitize=undefined, and does not apply to llvm level sanitizers, like msan, asan
we need better name: maybe ubsan-unique-traps

BTW do we want this as frontend flag?

vitalybuka: this applies only to fsanitize=undefined, and does not apply to llvm level sanitizers, like…
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

Good point, as for being a frontend flag I don't feel strongly one way or the other, not sure how useful this is outside of my use-case.

oskarwirga: Good point, as for being a frontend flag I don't feel strongly one way or the other, not sure…
llvm::cl::desc("Deoptimize traps for sanitizers"), llvm::cl::init(false));
//===--------------------------------------------------------------------===// //===--------------------------------------------------------------------===//
// Miscellaneous Helper Methods // Miscellaneous Helper Methods
//===--------------------------------------------------------------------===// //===--------------------------------------------------------------------===//
/// CreateTempAlloca - This creates a alloca and inserts it into the entry /// CreateTempAlloca - This creates a alloca and inserts it into the entry
/// block. /// block.
Address CodeGenFunction::CreateTempAllocaWithoutCast(llvm::Type *Ty, Address CodeGenFunction::CreateTempAllocaWithoutCast(llvm::Type *Ty,
CharUnits Align, CharUnits Align,
▲ Show 20 LinesShow All 3,503 Lines▼ Show 20 Lines
void CodeGenFunction::EmitTrapCheck(llvm::Value *Checked, void CodeGenFunction::EmitTrapCheck(llvm::Value *Checked,
SanitizerHandler CheckHandlerID) { SanitizerHandler CheckHandlerID) {
llvm::BasicBlock *Cont = createBasicBlock("cont"); llvm::BasicBlock *Cont = createBasicBlock("cont");
// If we're optimizing, collapse all calls to trap down to just one per // If we're optimizing, collapse all calls to trap down to just one per
// check-type per function to save on code size. // check-type per function to save on code size.
if (TrapBBs.size() <= CheckHandlerID) if (TrapBBs.size() <= CheckHandlerID)
TrapBBs.resize(CheckHandlerID + 1); TrapBBs.resize(CheckHandlerID + 1);
llvm::BasicBlock *&TrapBB = TrapBBs[CheckHandlerID]; llvm::BasicBlock *&TrapBB = TrapBBs[CheckHandlerID];
if (!CGM.getCodeGenOpts().OptimizationLevel || !TrapBB || if (!ClSanitizeDebugDeoptimization &&
vitalybukaUnsubmitted
Done
ReplyInline Actions

so here we have two problems?

  1. OptimizationLevel > 0 clang creates only one TrapBB per check type
  2. even if we create multiple bb here, branch-folder will merge them later
vitalybuka: so here we have two problems? 1. OptimizationLevel > 0 clang creates only one TrapBB per check…
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

Yeah exactly, despite my best efforts to come up with an existing way to fix this issue, because the ubsantrap intrinsic ends up being an instruction in MIR, it loses any function attributes we tack on now.

oskarwirga: Yeah exactly, despite my best efforts to come up with an existing way to fix this issue…
(CurCodeDecl && CurCodeDecl->hasAttr<OptimizeNoneAttr>())) { CGM.getCodeGenOpts().OptimizationLevel && TrapBB &&
(!CurCodeDecl || !CurCodeDecl->hasAttr<OptimizeNoneAttr>())) {
auto Call = TrapBB->begin();
assert(isa<llvm::CallInst>(Call) && "Expected call in trap BB");
Call->applyMergedLocation(Call->getDebugLoc(),
Builder.getCurrentDebugLocation());
Builder.CreateCondBr(Checked, Cont, TrapBB);
} else {
TrapBB = createBasicBlock("trap"); TrapBB = createBasicBlock("trap");
Builder.CreateCondBr(Checked, Cont, TrapBB); Builder.CreateCondBr(Checked, Cont, TrapBB);
EmitBlock(TrapBB); EmitBlock(TrapBB);
llvm::CallInst *TrapCall = llvm::CallInst *TrapCall = Builder.CreateCall(
Builder.CreateCall(CGM.getIntrinsic(llvm::Intrinsic::ubsantrap), CGM.getIntrinsic(llvm::Intrinsic::ubsantrap),
llvm::ConstantInt::get(CGM.Int8Ty, CheckHandlerID)); llvm::ConstantInt::get(CGM.Int8Ty, ClSanitizeDebugDeoptimization
? TrapBB->getParent()->size()
: CheckHandlerID));
vitalybukaUnsubmitted
Not Done
ReplyInline Actions
(TrapBB->getParent()->size() * 0x10000 + CheckHandlerID)
vitalybuka: (TrapBB->getParent()->size() * 0x10000 +…
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

Why * 0x10000 ?

oskarwirga: Why `* 0x10000` ?
if (!CGM.getCodeGenOpts().TrapFuncName.empty()) { if (!CGM.getCodeGenOpts().TrapFuncName.empty()) {
auto A = llvm::Attribute::get(getLLVMContext(), "trap-func-name", auto A = llvm::Attribute::get(getLLVMContext(), "trap-func-name",
CGM.getCodeGenOpts().TrapFuncName); CGM.getCodeGenOpts().TrapFuncName);
TrapCall->addFnAttr(A); TrapCall->addFnAttr(A);
} }
TrapCall->setDoesNotReturn(); TrapCall->setDoesNotReturn();
TrapCall->setDoesNotThrow(); TrapCall->setDoesNotThrow();
Builder.CreateUnreachable(); Builder.CreateUnreachable();
} else {
auto Call = TrapBB->begin();
assert(isa<llvm::CallInst>(Call) && "Expected call in trap BB");
Call->applyMergedLocation(Call->getDebugLoc(),
Builder.getCurrentDebugLocation());
Builder.CreateCondBr(Checked, Cont, TrapBB);
} }
EmitBlock(Cont); EmitBlock(Cont);
} }
llvm::CallInst *CodeGenFunction::EmitTrapCall(llvm::Intrinsic::ID IntrID) { llvm::CallInst *CodeGenFunction::EmitTrapCall(llvm::Intrinsic::ID IntrID) {
llvm::CallInst *TrapCall = llvm::CallInst *TrapCall =
Builder.CreateCall(CGM.getIntrinsic(IntrID)); Builder.CreateCall(CGM.getIntrinsic(IntrID));
if (!CGM.getCodeGenOpts().TrapFuncName.empty()) { if (!CGM.getCodeGenOpts().TrapFuncName.empty()) {
auto A = llvm::Attribute::get(getLLVMContext(), "trap-func-name", auto A = llvm::Attribute::get(getLLVMContext(), "trap-func-name",
CGM.getCodeGenOpts().TrapFuncName); CGM.getCodeGenOpts().TrapFuncName);
TrapCall->addFnAttr(A); TrapCall->addFnAttr(A);
} }
return TrapCall; return TrapCall;
} }
Address CodeGenFunction::EmitArrayToPointerDecay(const Expr *E, Address CodeGenFunction::EmitArrayToPointerDecay(const Expr *E,
LValueBaseInfo *BaseInfo, LValueBaseInfo *BaseInfo,
TBAAAccessInfo *TBAAInfo) { TBAAAccessInfo *TBAAInfo) {
assert(E->getType()->isArrayType() && assert(E->getType()->isArrayType() &&
vitalybukaUnsubmitted
Done
ReplyInline Actions

wouldn't be you issues solved with
TrapCall->setCannotMerge() here?

vitalybuka: wouldn't be you issues solved with TrapCall->setCannotMerge() here?
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

ubsantrap gets lowered to an instruction in MIR which then gets merged later. This was the only way I was able to create unique instruction per check.

oskarwirga: ubsantrap gets lowered to an instruction in MIR which then gets merged later. This was the only…
aeubanksUnsubmitted
Not Done
ReplyInline Actions

isn't that a nomerge bug that should get fixed instead?

aeubanks: isn't that a `nomerge` bug that should get fixed instead?
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

I don't think so because nomerge is a function attribute and the ubsantrap intrinsic gets lowered as an instruction. Creating instruction attributes from lowered function attributes seems a bit involved to me.

oskarwirga: I don't think so because nomerge is a function attribute and the ubsantrap intrinsic gets…
"Array to pointer decay must have array source type!"); "Array to pointer decay must have array source type!");
// Expressions of array type can't be bitfields or vector elements. // Expressions of array type can't be bitfields or vector elements.
vitalybukaUnsubmitted
Done
ReplyInline Actions

looks like a lot of code duplication

vitalybuka: looks like a lot of code duplication
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

Let me refactor this

oskarwirga: Let me refactor this
LValue LV = EmitLValue(E); LValue LV = EmitLValue(E);
Address Addr = LV.getAddress(*this); Address Addr = LV.getAddress(*this);
// If the array type was an incomplete type, we need to make sure // If the array type was an incomplete type, we need to make sure
// the decay ends up being the right type. // the decay ends up being the right type.
llvm::Type *NewTy = ConvertType(E->getType()); llvm::Type *NewTy = ConvertType(E->getType());
Addr = Addr.withElementType(NewTy); Addr = Addr.withElementType(NewTy);
▲ Show 20 LinesShow All 2,034 LinesShow Last 20 Lines

clang/test/CodeGen/bounds-checking.c

// RUN: %clang_cc1 -fsanitize=local-bounds -emit-llvm -triple x86_64-apple-darwin10 %s -o - | FileCheck %s // RUN: %clang_cc1 -fsanitize=local-bounds -emit-llvm -triple x86_64-apple-darwin10 %s -o - | FileCheck %s
// RUN: %clang_cc1 -fsanitize=array-bounds -O -fsanitize-trap=array-bounds -emit-llvm -triple x86_64-apple-darwin10 -DNO_DYNAMIC %s -o - | FileCheck %s // RUN: %clang_cc1 -fsanitize=array-bounds -O -fsanitize-trap=array-bounds -emit-llvm -triple x86_64-apple-darwin10 -DNO_DYNAMIC %s -o - | FileCheck %s
// RUN: %clang_cc1 -fsanitize=local-bounds -fsanitize-trap=local-bounds -O3 -mllvm -bounds-checking-debug-trap -emit-llvm -triple x86_64-apple-darwin10 %s -o - | FileCheck %s --check-prefixes=NOOPTLOCAL
// RUN: %clang_cc1 -fsanitize=array-bounds -fsanitize-trap=array-bounds -O3 -mllvm -sanitizer-de-opt-traps -emit-llvm -triple x86_64-apple-darwin10 %s -o - | FileCheck %s --check-prefixes=NOOPTARRAY
// //
// REQUIRES: x86-registered-target // REQUIRES: x86-registered-target
// CHECK-LABEL: @f1 // CHECK-LABEL: @f1
double f1(int b, int i) { double f1(int b, int i) {
double a[b]; double a[b];
// CHECK: call {{.*}} @llvm.{{(ubsan)?trap}} // CHECK: call {{.*}} @llvm.{{(ubsan)?trap}}
return a[i]; return a[i];
▲ Show 20 LinesShow All 50 Lines▼ Show 20 Lines
} }
// CHECK-LABEL: @f7 // CHECK-LABEL: @f7
int f7(union U *u, int i) { int f7(union U *u, int i) {
// c is treated as a flexible array member. // c is treated as a flexible array member.
// CHECK-NOT: @llvm.ubsantrap // CHECK-NOT: @llvm.ubsantrap
return u->c[i]; return u->c[i];
} }
char B[10];
char B2[10];
// CHECK-LABEL: @f8
void f8(int i, int k) {
// NOOPTLOCAL: call void @llvm.ubsantrap(i8 3)
// NOOPTARRAY: call void @llvm.ubsantrap(i8 2)
B[i] = '\0';
// NOOPTLOCAL: call void @llvm.ubsantrap(i8 5)
// NOOPTARRAY: call void @llvm.ubsantrap(i8 4)
B2[k] = '\0';
}

llvm/lib/Transforms/Instrumentation/BoundsChecking.cpp

Show All 31 Lines
using namespace llvm; using namespace llvm;
#define DEBUG_TYPE "bounds-checking" #define DEBUG_TYPE "bounds-checking"
static cl::opt<bool> SingleTrapBB("bounds-checking-single-trap", static cl::opt<bool> SingleTrapBB("bounds-checking-single-trap",
cl::desc("Use one trap block per function")); cl::desc("Use one trap block per function"));
static cl::opt<bool>
DebugTrapBB("bounds-checking-debug-trap",
cl::desc("Use one trap block per check despite optimizations"));
STATISTIC(ChecksAdded, "Bounds checks added"); STATISTIC(ChecksAdded, "Bounds checks added");
STATISTIC(ChecksSkipped, "Bounds checks skipped"); STATISTIC(ChecksSkipped, "Bounds checks skipped");
STATISTIC(ChecksUnable, "Bounds checks unable to add"); STATISTIC(ChecksUnable, "Bounds checks unable to add");
using BuilderTy = IRBuilder<TargetFolder>; using BuilderTy = IRBuilder<TargetFolder>;
/// Gets the conditions under which memory accessing instructions will overflow. /// Gets the conditions under which memory accessing instructions will overflow.
/// ///
▲ Show 20 LinesShow All 127 Lines▼ Show 20 Lines if (Or)
TrapInfo.push_back(std::make_pair(&I, Or)); TrapInfo.push_back(std::make_pair(&I, Or));
} }
// Create a trapping basic block on demand using a callback. Depending on // Create a trapping basic block on demand using a callback. Depending on
// flags, this will either create a single block for the entire function or // flags, this will either create a single block for the entire function or
// will create a fresh block every time it is called. // will create a fresh block every time it is called.
BasicBlock *TrapBB = nullptr; BasicBlock *TrapBB = nullptr;
auto GetTrapBB = [&TrapBB](BuilderTy &IRB) { auto GetTrapBB = [&TrapBB](BuilderTy &IRB) {
if (DebugTrapBB) {
Function *Fn = IRB.GetInsertBlock()->getParent();
auto DebugLoc = IRB.getCurrentDebugLocation();
IRBuilder<>::InsertPointGuard Guard(IRB);
TrapBB = BasicBlock::Create(Fn->getContext(), "trap", Fn);
IRB.SetInsertPoint(TrapBB);
auto *F =
Intrinsic::getDeclaration(Fn->getParent(), Intrinsic::ubsantrap);
CallInst *TrapCall =
IRB.CreateCall(F, ConstantInt::get(IRB.getInt8Ty(), Fn->size()));
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

why Fn->size(), to make a counter?

vitalybuka: why Fn->size(), to make a counter?
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

I was looking for a way to create a more or less unique value without creating a global iterator. It doesn't have to be this, I just thought that the fn->size would be increasing as checks go in so it would give a unique value per check.

oskarwirga: I was looking for a way to create a more or less unique value without creating a global…
TrapCall->setDoesNotReturn();
TrapCall->setDoesNotThrow();
TrapCall->setDebugLoc(DebugLoc);
IRB.CreateUnreachable();
} else {
if (TrapBB && SingleTrapBB) if (TrapBB && SingleTrapBB)
vitalybukaUnsubmitted
Done
ReplyInline Actions

can you please create a test where bounds-checking-single-trap=0 and setCannotMerge produce invalid result.

vitalybuka: can you please create a test where bounds-checking-single-trap=0 and setCannotMerge produce…
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

Can do!

oskarwirga: Can do!
return TrapBB; return TrapBB;
Function *Fn = IRB.GetInsertBlock()->getParent(); Function *Fn = IRB.GetInsertBlock()->getParent();
// FIXME: This debug location doesn't make a lot of sense in the // FIXME: This debug location doesn't make a lot of sense in the
// `SingleTrapBB` case. // `SingleTrapBB` case.
auto DebugLoc = IRB.getCurrentDebugLocation(); auto DebugLoc = IRB.getCurrentDebugLocation();
IRBuilder<>::InsertPointGuard Guard(IRB); IRBuilder<>::InsertPointGuard Guard(IRB);
TrapBB = BasicBlock::Create(Fn->getContext(), "trap", Fn); TrapBB = BasicBlock::Create(Fn->getContext(), "trap", Fn);
IRB.SetInsertPoint(TrapBB); IRB.SetInsertPoint(TrapBB);
auto *F = Intrinsic::getDeclaration(Fn->getParent(), Intrinsic::trap); auto *F = Intrinsic::getDeclaration(Fn->getParent(), Intrinsic::trap);
CallInst *TrapCall = IRB.CreateCall(F, {}); CallInst *TrapCall = IRB.CreateCall(F, {});
TrapCall->setDoesNotReturn(); TrapCall->setDoesNotReturn();
TrapCall->setDoesNotThrow(); TrapCall->setDoesNotThrow();
TrapCall->setDebugLoc(DebugLoc); TrapCall->setDebugLoc(DebugLoc);
IRB.CreateUnreachable(); IRB.CreateUnreachable();
}
nlopesUnsubmitted
Done
ReplyInline Actions

this seems like code duplication. This pass already has the single-trap flag to exactly control if you get a single trap BB or one per check for better debug info.

nlopes: this seems like code duplication. This pass already has the single-trap flag to exactly control…
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

Unfortunately, even with the single trap flag it gets optimized out in later passes because the machine code emitted is the exact same

oskarwirga: Unfortunately, even with the single trap flag it gets optimized out in later passes because the…
smeenaiUnsubmitted
Not Done
ReplyInline Actions

I believe we end up tail merging the trap instructions. A previous iteration of this patch attempted to use the nomerge attribute to directly avoid the tail merging, but that only works for function calls, not for the trap instruction ultimately emitted here.

smeenai: I believe we end up tail merging the trap instructions. A previous iteration of this patch…
vitalybukaUnsubmitted
Done
ReplyInline Actions

branches of if (DebugTrapBB) condition has a lot of code duplication, can you try to imrove?

vitalybuka: branches of `if (DebugTrapBB) ` condition has a lot of code duplication, can you try to imrove?
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

Yes, I will address all your comments in a new patch on github, thank you for your feedback I appreciate it :)

oskarwirga: Yes, I will address all your comments in a new patch on github, thank you for your feedback I…
return TrapBB; return TrapBB;
}; };
// Add the checks. // Add the checks.
for (const auto &Entry : TrapInfo) { for (const auto &Entry : TrapInfo) {
Instruction *Inst = Entry.first; Instruction *Inst = Entry.first;
BuilderTy IRB(Inst->getParent(), BasicBlock::iterator(Inst), TargetFolder(DL)); BuilderTy IRB(Inst->getParent(), BasicBlock::iterator(Inst), TargetFolder(DL));
insertBoundsCheck(Entry.second, IRB, GetTrapBB); insertBoundsCheck(Entry.second, IRB, GetTrapBB);
Show All 14 Lines