This is an archive of the discontinued LLVM Phabricator instance.

Differential D15002

[safestack] Fix handling of array allocas.
ClosedPublic

Authored by eugenis on Nov 25 2015, 4:33 PM.

Details

Reviewers
eugenis
pcc
Summary

The current code does not take alloca array size into account and,
as a result, considers any access past the first array element to be
unsafe.

Diff Detail

Repository
rL LLVM

Event Timeline

eugenis updated this revision to Diff 41197.Nov 25 2015, 4:33 PM
eugenis retitled this revision from to [safestack] Fix handling of array allocas..
eugenis updated this object.
eugenis added a reviewer: pcc.
eugenis set the repository for this revision to rL LLVM.
eugenis added a subscriber: llvm-commits.
pcc added inline comments.Nov 25 2015, 5:00 PM
lib/Transforms/Instrumentation/SafeStack.cpp
185

AI can be a dynamic alloca at this point, I believe (see findInsts -> IsSafeStackAlloca -> IsAccessSafe -> getStaticAllocaAllocationSize), so this may not be a constant.

eugenis updated this revision to Diff 41203.Nov 25 2015, 5:07 PM
eugenis added inline comments.
lib/Transforms/Instrumentation/SafeStack.cpp
185

Right. Returning 0 for unknown size allocas.

eugenis added inline comments.Nov 25 2015, 5:12 PM
lib/Transforms/Instrumentation/SafeStack.cpp
185

This would check such allocas for safety as if they are size 0, i.e. some operations are still allowed, but not any loads or stores.
We could actually do better by passing down the size as a Value and applying the SCEV magic to it. But (a) one thing at a time and (b) I doubt it actually matters.

pcc edited edge metadata.Nov 25 2015, 6:13 PM
pcc added a subscriber: pcc.

Lgtm

eugenis accepted this revision.Nov 30 2015, 4:09 PM
eugenis added a reviewer: eugenis.
This revision is now accepted and ready to land.Nov 30 2015, 4:09 PM
eugenis closed this revision.Nov 30 2015, 4:09 PM

r254350

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
18 lines
test/
Transforms/
SafeStack/
36 lines

Diff 41197

lib/Transforms/Instrumentation/SafeStack.cpp

Show First 20 LinesShow All 112 Lines▼ Show 20 Linesclass SafeStack : public FunctionPass {
/// \brief Find all static allocas, dynamic allocas, return instructions and /// \brief Find all static allocas, dynamic allocas, return instructions and
/// stack restore points (exception unwind blocks and setjmp calls) in the /// stack restore points (exception unwind blocks and setjmp calls) in the
/// given function and append them to the respective vectors. /// given function and append them to the respective vectors.
void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas, void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas,
SmallVectorImpl<AllocaInst *> &DynamicAllocas, SmallVectorImpl<AllocaInst *> &DynamicAllocas,
SmallVectorImpl<ReturnInst *> &Returns, SmallVectorImpl<ReturnInst *> &Returns,
SmallVectorImpl<Instruction *> &StackRestorePoints); SmallVectorImpl<Instruction *> &StackRestorePoints);
uint64_t getStaticAllocaAllocationSize(const AllocaInst* AI);
/// \brief Allocate space for all static allocas in \p StaticAllocas, /// \brief Allocate space for all static allocas in \p StaticAllocas,
/// replace allocas with pointers into the unsafe stack and generate code to /// replace allocas with pointers into the unsafe stack and generate code to
/// restore the stack pointer before all return instructions in \p Returns. /// restore the stack pointer before all return instructions in \p Returns.
/// ///
/// \returns A pointer to the top of the unsafe stack after all unsafe static /// \returns A pointer to the top of the unsafe stack after all unsafe static
/// allocas are allocated. /// allocas are allocated.
Value *moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F, Value *moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F,
ArrayRef<AllocaInst *> StaticAllocas, ArrayRef<AllocaInst *> StaticAllocas,
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines bool doInitialization(Module &M) override {
Int8Ty = Type::getInt8Ty(M.getContext()); Int8Ty = Type::getInt8Ty(M.getContext());
return false; return false;
} }
bool runOnFunction(Function &F) override; bool runOnFunction(Function &F) override;
}; // class SafeStack }; // class SafeStack
uint64_t SafeStack::getStaticAllocaAllocationSize(const AllocaInst* AI) {
uint64_t Size = DL->getTypeAllocSize(AI->getAllocatedType());
if (AI->isArrayAllocation()) {
auto C = dyn_cast<ConstantInt>(AI->getArraySize());
pccUnsubmitted
Not Done
ReplyInline Actions

AI can be a dynamic alloca at this point, I believe (see findInsts -> IsSafeStackAlloca -> IsAccessSafe -> getStaticAllocaAllocationSize), so this may not be a constant.

pcc: `AI` can be a dynamic alloca at this point, I believe (see findInsts -> IsSafeStackAlloca ->…
eugenisAuthorUnsubmitted
Not Done
ReplyInline Actions

Right. Returning 0 for unknown size allocas.

eugenis: Right. Returning 0 for unknown size allocas.
eugenisAuthorUnsubmitted
Not Done
ReplyInline Actions

This would check such allocas for safety as if they are size 0, i.e. some operations are still allowed, but not any loads or stores.
We could actually do better by passing down the size as a Value and applying the SCEV magic to it. But (a) one thing at a time and (b) I doubt it actually matters.

eugenis: This would check such allocas for safety as if they are size 0, i.e. some operations are still…
Size *= C->getZExtValue();
}
return Size;
}
bool SafeStack::IsAccessSafe(Value *Addr, uint64_t Size, const AllocaInst *AI) { bool SafeStack::IsAccessSafe(Value *Addr, uint64_t Size, const AllocaInst *AI) {
AllocaOffsetRewriter Rewriter(*SE, AI); AllocaOffsetRewriter Rewriter(*SE, AI);
const SCEV *Expr = Rewriter.visit(SE->getSCEV(Addr)); const SCEV *Expr = Rewriter.visit(SE->getSCEV(Addr));
uint64_t BitWidth = SE->getTypeSizeInBits(Expr->getType()); uint64_t BitWidth = SE->getTypeSizeInBits(Expr->getType());
ConstantRange AccessStartRange = SE->getUnsignedRange(Expr); ConstantRange AccessStartRange = SE->getUnsignedRange(Expr);
ConstantRange SizeRange = ConstantRange SizeRange =
ConstantRange(APInt(BitWidth, 0), APInt(BitWidth, Size)); ConstantRange(APInt(BitWidth, 0), APInt(BitWidth, Size));
ConstantRange AccessRange = AccessStartRange.add(SizeRange); ConstantRange AccessRange = AccessStartRange.add(SizeRange);
ConstantRange AllocaRange = ConstantRange( ConstantRange AllocaRange = ConstantRange(
APInt(BitWidth, 0), APInt(BitWidth, 0), APInt(BitWidth, getStaticAllocaAllocationSize(AI)));
APInt(BitWidth, DL->getTypeStoreSize(AI->getAllocatedType())));
bool Safe = AllocaRange.contains(AccessRange); bool Safe = AllocaRange.contains(AccessRange);
DEBUG(dbgs() << "[SafeStack] Alloca " << *AI << "\n" DEBUG(dbgs() << "[SafeStack] Alloca " << *AI << "\n"
<< " Access " << *Addr << "\n" << " Access " << *Addr << "\n"
<< " SCEV " << *Expr << " SCEV " << *Expr
<< " U: " << SE->getUnsignedRange(Expr) << " U: " << SE->getUnsignedRange(Expr)
<< ", S: " << SE->getSignedRange(Expr) << "\n" << ", S: " << SE->getSignedRange(Expr) << "\n"
<< " Range " << AccessRange << "\n" << " Range " << AccessRange << "\n"
▲ Show 20 LinesShow All 258 Lines▼ Show 20 Lines BasePointer = cast<Instruction>(IRB.CreateIntToPtr(
StackPtrTy)); StackPtrTy));
} }
// Allocate space for every unsafe static AllocaInst on the unsafe stack. // Allocate space for every unsafe static AllocaInst on the unsafe stack.
int64_t StaticOffset = 0; // Current stack top. int64_t StaticOffset = 0; // Current stack top.
for (AllocaInst *AI : StaticAllocas) { for (AllocaInst *AI : StaticAllocas) {
IRB.SetInsertPoint(AI); IRB.SetInsertPoint(AI);
auto CArraySize = cast<ConstantInt>(AI->getArraySize());
Type *Ty = AI->getAllocatedType(); Type *Ty = AI->getAllocatedType();
uint64_t Size = getStaticAllocaAllocationSize(AI);
uint64_t Size = DL->getTypeAllocSize(Ty) * CArraySize->getZExtValue();
if (Size == 0) if (Size == 0)
Size = 1; // Don't create zero-sized stack objects. Size = 1; // Don't create zero-sized stack objects.
// Ensure the object is properly aligned. // Ensure the object is properly aligned.
unsigned Align = unsigned Align =
std::max((unsigned)DL->getPrefTypeAlignment(Ty), AI->getAlignment()); std::max((unsigned)DL->getPrefTypeAlignment(Ty), AI->getAlignment());
// Add alignment. // Add alignment.
▲ Show 20 LinesShow All 191 LinesShow Last 20 Lines

test/Transforms/SafeStack/array.ll

Show All 29 Linesentry:
; CHECK: call i8* @strcpy(i8* %[[GEP]], i8* %[[A2]]) ; CHECK: call i8* @strcpy(i8* %[[GEP]], i8* %[[A2]])
%call = call i8* @strcpy(i8* %gep, i8* %a2) %call = call i8* @strcpy(i8* %gep, i8* %a2)
; CHECK: store i8* %[[USP]], i8** @__safestack_unsafe_stack_ptr ; CHECK: store i8* %[[USP]], i8** @__safestack_unsafe_stack_ptr
ret void ret void
} }
; Load from the array at a fixed offset, no overflow.
define i8 @ArrayFixedSafe() nounwind uwtable safestack {
entry:
; CHECK-LABEL: define i8 @ArrayFixedSafe(
; CHECK-NOT: __safestack_unsafe_stack_ptr
; CHECK: ret i8
%buf = alloca i8, i32 4, align 1
%gep = getelementptr inbounds i8, i8* %buf, i32 2
%x = load i8, i8* %gep, align 1
ret i8 %x
}
; Load from the array at a fixed offset with overflow.
define i8 @ArrayFixedUnsafe() nounwind uwtable safestack {
entry:
; CHECK-LABEL: define i8 @ArrayFixedUnsafe(
; CHECK: __safestack_unsafe_stack_ptr
; CHECK: ret i8
%buf = alloca i8, i32 4, align 1
%gep = getelementptr inbounds i8, i8* %buf, i32 5
%x = load i8, i8* %gep, align 1
ret i8 %x
}
; Load from the array at an unknown offset.
define i8 @ArrayVariableUnsafe(i32 %ofs) nounwind uwtable safestack {
entry:
; CHECK-LABEL: define i8 @ArrayVariableUnsafe(
; CHECK: __safestack_unsafe_stack_ptr
; CHECK: ret i8
%buf = alloca i8, i32 4, align 1
%gep = getelementptr inbounds i8, i8* %buf, i32 %ofs
%x = load i8, i8* %gep, align 1
ret i8 %x
}
declare i8* @strcpy(i8*, i8*) declare i8* @strcpy(i8*, i8*)