This is an archive of the discontinued LLVM Phabricator instance.

Differential D22657

[ASAN] Fix detection of stack-use-after scope for char arrays.
ClosedPublic

Authored by vitalybuka on Jul 21 2016, 4:23 PM.

Details

Reviewers
kcc
eugenis
Commits
rG53054a7024f6: Fix detection of stack-use-after scope for char arrays.
rL276374: Fix detection of stack-use-after scope for char arrays.
Summary

Clang inserts GetElementPtrInst so findAllocaForValue was not
able to find allocas.

PR27453

Diff Detail

Repository
rL LLVM

Event Timeline

vitalybuka updated this revision to Diff 64989.Jul 21 2016, 4:23 PM
vitalybuka retitled this revision from to Fix detection of stack-use-after scope for char arrays..
vitalybuka updated this object.
vitalybuka added reviewers: kcc, eugenis.
vitalybuka mentioned this in D22658: [ASAN] Add test to check detection of stack-use-after-scope on various types.Jul 21 2016, 4:26 PM
vitalybuka retitled this revision from Fix detection of stack-use-after scope for char arrays. to [ASAN] Fix detection of stack-use-after scope for char arrays..Jul 21 2016, 4:27 PM
eugenis edited edge metadata.Jul 21 2016, 4:30 PM

This needs an IR-level test that shows that proper instrumentation appears on lifetime-after-gep allocas.

vitalybuka updated this revision to Diff 65001.Jul 21 2016, 5:21 PM
vitalybuka edited edge metadata.

ll test

vitalybuka added a comment.Jul 21 2016, 5:21 PM
In D22657#492216, @eugenis wrote:

This needs an IR-level test that shows that proper instrumentation appears on lifetime-after-gep allocas.

Done.

eugenis added inline comments.Jul 21 2016, 5:26 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
2294 ↗(On Diff #65001)

We definitely should not crash if we see something we don't understand.
A dbg() message at most.

vitalybuka updated this revision to Diff 65002.Jul 21 2016, 5:37 PM

removed assert

eugenis accepted this revision.Jul 21 2016, 5:43 PM
eugenis edited edge metadata.

LGTM

lib/Transforms/Instrumentation/AddressSanitizer.cpp
2292 ↗(On Diff #65002)

The message should probably say something about alloca or lifetime.

This revision is now accepted and ready to land.Jul 21 2016, 5:43 PM
vitalybuka updated this revision to Diff 65005.Jul 21 2016, 6:02 PM
vitalybuka marked an inline comment as done.
vitalybuka edited edge metadata.

updated message

Closed by commit rL276374: Fix detection of stack-use-after scope for char arrays. (authored by vitalybuka). · Explain WhyJul 21 2016, 6:03 PM
This revision was automatically updated to reflect the committed changes.
vitalybuka marked an inline comment as done.
vitalybuka mentioned this in rL276375: Add test to check detection of stack-use-after-scope on various types.

Revision Contents

PathSize
llvm/
trunk/
lib/
Transforms/
Instrumentation/
4 lines
test/
Instrumentation/
AddressSanitizer/
20 lines

Diff 65006

llvm/trunk/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 2,280 Lines▼ Show 20 Lines for (Value *IncValue : PN->incoming_values()) {
// Allow self-referencing phi-nodes. // Allow self-referencing phi-nodes.
if (IncValue == PN) continue; if (IncValue == PN) continue;
AllocaInst *IncValueAI = findAllocaForValue(IncValue); AllocaInst *IncValueAI = findAllocaForValue(IncValue);
// AI for incoming values should exist and should all be equal. // AI for incoming values should exist and should all be equal.
if (IncValueAI == nullptr || (Res != nullptr && IncValueAI != Res)) if (IncValueAI == nullptr || (Res != nullptr && IncValueAI != Res))
return nullptr; return nullptr;
Res = IncValueAI; Res = IncValueAI;
} }
} else if (GetElementPtrInst *EP = dyn_cast<GetElementPtrInst>(V)) {
Res = findAllocaForValue(EP->getPointerOperand());
} else {
DEBUG(dbgs() << "Alloca search canceled on unknown instruction: " << *V << "\n");
} }
if (Res) AllocaForValue[V] = Res; if (Res) AllocaForValue[V] = Res;
return Res; return Res;
} }
void FunctionStackPoisoner::handleDynamicAllocaCall(AllocaInst *AI) { void FunctionStackPoisoner::handleDynamicAllocaCall(AllocaInst *AI) {
IRBuilder<> IRB(AI); IRBuilder<> IRB(AI);
▲ Show 20 LinesShow All 75 LinesShow Last 20 Lines

llvm/trunk/test/Instrumentation/AddressSanitizer/lifetime.ll

Show First 20 LinesShow All 85 Lines▼ Show 20 Lines
bb1: bb1:
%i.phi = phi i8* [ %i.ptr, %entry ], [ %i.ptr2, %bb0 ] %i.phi = phi i8* [ %i.ptr, %entry ], [ %i.ptr2, %bb0 ]
call void @llvm.lifetime.end(i64 8, i8* %i.phi) call void @llvm.lifetime.end(i64 8, i8* %i.phi)
; CHECK: __asan_poison_stack_memory ; CHECK: __asan_poison_stack_memory
; CHECK: ret void ; CHECK: ret void
ret void ret void
} }
; Check that arguments of lifetime may come from getelementptr nodes.
define void @getelementptr_args() sanitize_address{
; CHECK-LABEL: define void @getelementptr_args
entry:
%x = alloca [1024 x i8], align 16
%d = alloca i8*, align 8
%0 = getelementptr inbounds [1024 x i8], [1024 x i8]* %x, i64 0, i64 0
call void @llvm.lifetime.start(i64 1024, i8* %0)
; CHECK: __asan_unpoison_stack_memory
store i8* %0, i8** %d, align 8
call void @llvm.lifetime.end(i64 1024, i8* %0)
; CHECK: __asan_poison_stack_memory
ret void
; CHECK: __asan_unpoison_stack_memory
}
define void @zero_sized(i64 %a) #0 { define void @zero_sized(i64 %a) #0 {
; CHECK-LABEL: define void @zero_sized(i64 %a) ; CHECK-LABEL: define void @zero_sized(i64 %a)
entry: entry:
%a.addr = alloca i64, align 8 %a.addr = alloca i64, align 8
%b = alloca [0 x i8], align 1 %b = alloca [0 x i8], align 1
store i64 %a, i64* %a.addr, align 8 store i64 %a, i64* %a.addr, align 8
%0 = bitcast [0 x i8]* %b to i8* %0 = bitcast [0 x i8]* %b to i8*
call void @llvm.lifetime.start(i64 0, i8* %0) #2 call void @llvm.lifetime.start(i64 0, i8* %0) #2
; CHECK-NOT: call void @__asan_unpoison_stack_memory ; CHECK-NOT: call void @__asan_unpoison_stack_memory
%1 = bitcast [0 x i8]* %b to i8* %1 = bitcast [0 x i8]* %b to i8*
call void @llvm.lifetime.end(i64 0, i8* %1) #2 call void @llvm.lifetime.end(i64 0, i8* %1) #2
; CHECK-NOT: call void @__asan_poison_stack_memory ; CHECK-NOT: call void @__asan_poison_stack_memory
ret void ret void
} }