This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/CodeGen/
-
CodeGen/
2
SafeStack.cpp
-
test/Transforms/SafeStack/
-
Transforms/
-
SafeStack/
-
call.ll

Differential D17094

[safestack] Move allocations to support separate stack segment
AcceptedPublic

Authored by mlemay-intel on Feb 10 2016, 1:25 PM.

Download Raw Diff

Details

Reviewers

qcolombet
eugenis
pcc
ksvladimir

Summary

When some option is enabled that necessitates using only local stack
pointers, move allocations to the unsafe stack to help satisfy that
requirement. The only option of this type that is currently supported
is the separate stack segment option for x86-32.

Diff Detail

Event Timeline

mlemay-intel updated this revision to Diff 47513.Feb 10 2016, 1:25 PM

mlemay-intel retitled this revision from to [safestack] Add -safe-stack-subr-acc-as-unsafe option.

mlemay-intel updated this object.

mlemay-intel added a reviewer: eugenis.Feb 10 2016, 1:27 PM

eugenis added inline comments.Feb 10 2016, 3:57 PM

lib/CodeGen/SafeStack.cpp
61	This is hard to read, please change to something like safe-stack-subroutine-access-unsafe.

mlemay-intel added inline comments.Feb 10 2016, 4:40 PM

lib/CodeGen/SafeStack.cpp
61	That sounds good. I'll wait for any additional comments you may have on the patches so I can batch this in with other revisions, if you don't mind.

mlemay-intel added a reviewer: qcolombet.Feb 11 2016, 12:59 PM

mlemay-intel added a reviewer: hjl.tools.Feb 18 2016, 7:00 AM

Please add ll-commit as a subscriber as well.

Thanks,
-Quentin

mlemay-intel edited edge metadata.Feb 18 2016, 9:29 AM

mlemay-intel added a subscriber: llvm-commits.

mlemay-intel removed a reviewer: hjl.tools.Feb 23 2016, 9:27 AM

FWIW, LGTM but please address Eugenis’ comment.

I believe Eugenis is better suited to give the final LGTM.

Cheers,
-Quentin

Regarding the first motivation, the code is already being conservative. As far as I know, the nocapture readnone attributes are stronger than what safestack requires of a pointer. For example, they forbid loading from a pointer at a constant offset (which safestack could conceivably allow). Rather than adding this flag, we should in the long term be adding an attribute that specifically means what safestack requires.

Regarding the second motivation, if we do intend to start using segment selectors on x86 in some cases, we should probably make this behavior gated on the target (e.g. the separate-stack-seg feature you appear to be adding) rather than on a flag.

mlemay-intel added a reviewer: ksvladimir.Apr 4 2016, 5:09 PM

In D17094#375794, @pcc wrote:

I apologize for not responding to this until now. Email notifications of new activity on my patches are apparently not making it to my inbox for some reason.

Regarding the first motivation, the code is already being conservative. As far as I know, the nocapture readnone attributes are stronger than what safestack requires of a pointer. For example, they forbid loading from a pointer at a constant offset (which safestack could conceivably allow). Rather than adding this flag, we should in the long term be adding an attribute that specifically means what safestack requires.

Thank you for pointing out my misinterpretation of the FIXME. I will update the commit message accordingly.

Regarding the second motivation, if we do intend to start using segment selectors on x86 in some cases, we should probably make this behavior gated on the target (e.g. the separate-stack-seg feature you appear to be adding) rather than on a flag.

This would result in simpler command line option sequences. I'll try to revise this patch to do what you suggested.

mlemay-intel added a subscriber: mlemay-intel.Apr 5 2016, 11:19 AM

Check for the separate-stack-seg feature instead of defining a new command line option.

Please update the commit message and add a test case.

mlemay-intel retitled this revision from [safestack] Add -safe-stack-subr-acc-as-unsafe option to [safestack] Move allocations to support separate stack segment.Apr 15 2016, 11:44 AM

mlemay-intel updated this object.

Add test. Do not move allocations to unsafe stack simply due to them being passed to lifetime intrinsics.

LGTM

This revision is now accepted and ready to land.Apr 15 2016, 1:09 PM

mlemay-intel mentioned this in D19170: [safestack] Do not link SafeStack runtime for musl environments.Sep 23 2016, 4:20 PM

mlemay-intel added a child revision: D19170: [safestack] Do not link SafeStack runtime for musl environments.Sep 23 2016, 4:25 PM

mlemay-intel added a parent revision: D17095: [X86] Add X86FixupSeparateStack pass.Oct 19 2016, 4:40 PM

Revision Contents

Path

Size

lib/

CodeGen/

SafeStack.cpp

8 lines

test/

Transforms/

SafeStack/

call.ll

5 lines

Diff 47513

lib/CodeGen/SafeStack.cpp

Show First 20 Lines • Show All 52 Lines • ▼ Show 20 Lines	static cl::opt<UnsafeStackPtrStorageVal> USPStorage("safe-stack-usp-storage",
cl::Hidden, cl::init(ThreadLocalUSP),		cl::Hidden, cl::init(ThreadLocalUSP),
cl::desc("Type of storage for the unsafe stack pointer"),		cl::desc("Type of storage for the unsafe stack pointer"),
cl::values(clEnumValN(ThreadLocalUSP, "thread-local",		cl::values(clEnumValN(ThreadLocalUSP, "thread-local",
"Thread-local storage"),		"Thread-local storage"),
clEnumValN(SingleThreadUSP, "single-thread",		clEnumValN(SingleThreadUSP, "single-thread",
"Non-thread-local storage"),		"Non-thread-local storage"),
clEnumValEnd));		clEnumValEnd));

		static cl::opt<bool> SubroutineAccessAsUnsafe("safe-stack-subr-acc-as-unsafe",
		eugenisUnsubmitted Not Done Reply Inline Actions This is hard to read, please change to something like safe-stack-subroutine-access-unsafe. eugenis: This is hard to read, please change to something like safe-stack-subroutine-access-unsafe.
		mlemay-intelAuthorUnsubmitted Not Done Reply Inline Actions That sounds good. I'll wait for any additional comments you may have on the patches so I can batch this in with other revisions, if you don't mind. mlemay-intel: That sounds good. I'll wait for any additional comments you may have on the patches so I can…
		cl::Hidden, cl::init(false),
		cl::desc("Allocate memory on the unsafe stack if a pointer to it is passed "
		"to a subroutine"));

namespace llvm {		namespace llvm {

STATISTIC(NumFunctions, "Total number of functions");		STATISTIC(NumFunctions, "Total number of functions");
STATISTIC(NumUnsafeStackFunctions, "Number of functions with unsafe stack");		STATISTIC(NumUnsafeStackFunctions, "Number of functions with unsafe stack");
STATISTIC(NumUnsafeStackRestorePointsFunctions,		STATISTIC(NumUnsafeStackRestorePointsFunctions,
"Number of functions that use setjmp or exceptions");		"Number of functions that use setjmp or exceptions");

STATISTIC(NumAllocas, "Total number of allocas");		STATISTIC(NumAllocas, "Total number of allocas");
▲ Show 20 Lines • Show All 239 Lines • ▼ Show 20 Lines	for (const Use &UI : V->uses()) {
DEBUG(dbgs() << "[SafeStack] Unsafe alloca: " << *AllocaPtr		DEBUG(dbgs() << "[SafeStack] Unsafe alloca: " << *AllocaPtr
<< "\n unsafe memintrinsic: " << *I		<< "\n unsafe memintrinsic: " << *I
<< "\n");		<< "\n");
return false;		return false;
}		}
continue;		continue;
}		}

		if (SubroutineAccessAsUnsafe)
		return false;

// LLVM 'nocapture' attribute is only set for arguments whose address		// LLVM 'nocapture' attribute is only set for arguments whose address
// is not stored, passed around, or used in any other non-trivial way.		// is not stored, passed around, or used in any other non-trivial way.
// We assume that passing a pointer to an object as a 'nocapture		// We assume that passing a pointer to an object as a 'nocapture
// readnone' argument is safe.		// readnone' argument is safe.
// FIXME: a more precise solution would require an interprocedural		// FIXME: a more precise solution would require an interprocedural
// analysis here, which would look at all uses of an argument inside		// analysis here, which would look at all uses of an argument inside
// the function being called.		// the function being called.
ImmutableCallSite::arg_iterator B = CS.arg_begin(), E = CS.arg_end();		ImmutableCallSite::arg_iterator B = CS.arg_begin(), E = CS.arg_end();
▲ Show 20 Lines • Show All 436 Lines • Show Last 20 Lines

test/Transforms/SafeStack/call.ll

; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - \| FileCheck %s		; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - \| FileCheck %s
; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - \| FileCheck %s		; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - \| FileCheck %s
		; RUN: opt -safe-stack -safe-stack-subr-acc-as-unsafe -S -mtriple=i386-pc-linux-gnu < %s -o - \| FileCheck -check-prefix=SUBR-ACC-AS-UNSAFE %s
		; RUN: opt -safe-stack -safe-stack-subr-acc-as-unsafe -S -mtriple=x86_64-pc-linux-gnu < %s -o - \| FileCheck -check-prefix=SUBR-ACC-AS-UNSAFE %s

@.str = private unnamed_addr constant [4 x i8] c"%s\0A\00", align 1		@.str = private unnamed_addr constant [4 x i8] c"%s\0A\00", align 1

; no arrays / no nested arrays		; no arrays / no nested arrays
; Requires no protector.		; Requires no protector.

define void @foo(i8* %a) nounwind uwtable safestack {		define void @foo(i8* %a) nounwind uwtable safestack {
entry:		entry:
▲ Show 20 Lines • Show All 63 Lines • ▼ Show 20 Lines	entry:
; CHECK-NOT: @__safestack_unsafe_stack_ptr		; CHECK-NOT: @__safestack_unsafe_stack_ptr
; CHECK: ret void		; CHECK: ret void
%q = alloca [10 x i8], align 1		%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0		%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @readnone(i8* %arraydecay)		call void @readnone(i8* %arraydecay)
ret void		ret void
}		}

; Arg0 is readnone, arg1 is not. Pass alloca ptr as arg0 -> safe		; Arg0 is readnone, arg1 is not. Pass alloca ptr as arg0 -> safe unless -safe-stack-subr-acc-as-unsafe is set.
define void @call_readnone0_0(i64 %len) safestack {		define void @call_readnone0_0(i64 %len) safestack {
entry:		entry:
; CHECK-LABEL: define void @call_readnone0_0		; CHECK-LABEL: define void @call_readnone0_0
; CHECK-NOT: @__safestack_unsafe_stack_ptr		; CHECK-NOT: @__safestack_unsafe_stack_ptr
		; SUBR-ACC-AS-UNSAFE: @__safestack_unsafe_stack_ptr
; CHECK: ret void		; CHECK: ret void
%q = alloca [10 x i8], align 1		%q = alloca [10 x i8], align 1
%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0		%arraydecay = getelementptr inbounds [10 x i8], [10 x i8]* %q, i32 0, i32 0
call void @readnone0(i8* %arraydecay, i8* zeroinitializer)		call void @readnone0(i8* %arraydecay, i8* zeroinitializer)
ret void		ret void
}		}

; Arg0 is readnone, arg1 is not. Pass alloca ptr as arg1 -> unsafe		; Arg0 is readnone, arg1 is not. Pass alloca ptr as arg1 -> unsafe
▲ Show 20 Lines • Show All 84 Lines • Show Last 20 Lines