Index: lib/Transforms/Instrumentation/AddressSanitizer.cpp =================================================================== --- lib/Transforms/Instrumentation/AddressSanitizer.cpp +++ lib/Transforms/Instrumentation/AddressSanitizer.cpp @@ -55,6 +55,7 @@ #include "llvm/Transforms/Utils/PromoteMemToReg.h" #include #include +#include #include #include #include @@ -812,9 +813,11 @@ /// Finds alloca where the value comes from. AllocaInst *findAllocaForValue(Value *V); void poisonStackFrameInline(ArrayRef ShadowBytes, size_t Begin, - size_t End, IRBuilder<> &IRB, Value *ShadowBase, + size_t End, uint8_t LastByteUnpoisoned, + IRBuilder<> &IRB, Value *ShadowBase, bool DoPoison); - void poisonStackFrame(ArrayRef ShadowBytes, IRBuilder<> &IRB, + void poisonStackFrame(ArrayRef ShadowBytes, size_t Begin, size_t End, + uint8_t LastByteUnpoisoned, IRBuilder<> &IRB, Value *ShadowBase, bool DoPoison); void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> &IRB, bool DoPoison); @@ -1965,8 +1968,10 @@ // will try to minimize writes into corresponding addresses of the real shadow // memory. void FunctionStackPoisoner::poisonStackFrameInline( - ArrayRef ShadowBytes, size_t Begin, size_t End, IRBuilder<> &IRB, - Value *ShadowBase, bool DoPoison) { + ArrayRef ShadowBytes, size_t Begin, size_t End, + uint8_t LastByteUnpoisoned, IRBuilder<> &IRB, Value *ShadowBase, + bool DoPoison) { + assert(LastByteUnpoisoned < 8); if (Begin >= End) return; @@ -2006,7 +2011,16 @@ } assert(Val); // Impossible because ShadowBytes[i] != 0 } else { - Val = 0; + if (i + StoreSizeInBytes == End) { + // Last byte can be partial. + if (IsLittleEndian) { + Val = (uint64_t)LastByteUnpoisoned << (8 * (StoreSizeInBytes - 1)); + } else { + Val = LastByteUnpoisoned; + } + } else { + Val = 0; + } } Value *Ptr = IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)); @@ -2019,17 +2033,20 @@ } void FunctionStackPoisoner::poisonStackFrame(ArrayRef ShadowBytes, + size_t Begin, size_t End, + uint8_t LastByteUnpoisoned, IRBuilder<> &IRB, Value *ShadowBase, bool DoPoison) { auto ValueToWrite = [&](size_t i) { if (DoPoison) return ShadowBytes[i]; + if (i + 1 == End) + return LastByteUnpoisoned; return static_cast(0); }; - const size_t End = ShadowBytes.size(); - size_t Done = 0; - for (size_t i = 0, j = 1; i < End; i = j++) { + size_t Done = Begin; + for (size_t i = Begin, j = Begin + 1; i < End; i = j++) { if (!ShadowBytes[i]) continue; uint8_t Val = ValueToWrite(i); @@ -2041,7 +2058,9 @@ } if (j - i >= ClMaxInlinePoisoningSize) { - poisonStackFrameInline(ShadowBytes, Done, i, IRB, ShadowBase, DoPoison); + poisonStackFrameInline(ShadowBytes, Done, i, + i == End ? LastByteUnpoisoned : 0, IRB, ShadowBase, + DoPoison); IRB.CreateCall(AsanSetShadowFunc[Val], {IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)), ConstantInt::get(IntptrTy, j - i)}); @@ -2049,7 +2068,8 @@ } } - poisonStackFrameInline(ShadowBytes, Done, End, IRB, ShadowBase, DoPoison); + poisonStackFrameInline(ShadowBytes, Done, End, LastByteUnpoisoned, IRB, + ShadowBase, DoPoison); } // Fake stack allocator (asan_fake_stack.h) has 11 size classes @@ -2155,33 +2175,46 @@ // If we have a call to llvm.localescape, keep it in the entry block. if (LocalEscapeCall) LocalEscapeCall->moveBefore(InsBefore); - // Insert poison calls for lifetime intrinsics for static allocas. + // Find static allocas with lifetime analysis. + DenseMap + AllocaToSVDMap; for (const auto &APC : StaticAllocaPoisonCallVec) { assert(APC.InsBefore); assert(APC.AI); assert(ASan.isInterestingAlloca(*APC.AI)); assert(APC.AI->isStaticAlloca()); - IRBuilder<> IRB(APC.InsBefore); - poisonAlloca(APC.AI, APC.Size, IRB, APC.DoPoison); + if (ClExperimentalPoisoning) { + AllocaToSVDMap[APC.AI] = nullptr; + } else { + IRBuilder<> IRB(APC.InsBefore); + poisonAlloca(APC.AI, APC.Size, IRB, APC.DoPoison); + } } SmallVector SVD; SVD.reserve(AllocaVec.size()); for (AllocaInst *AI : AllocaVec) { - ASanStackVariableDescription D = {AI->getName().data(), - ASan.getAllocaSizeInBytes(*AI), - 0, - AI->getAlignment(), - AI, - 0}; + size_t UseAfterScopePoisonSize = + AllocaToSVDMap.find(AI) != AllocaToSVDMap.end() + ? ASan.getAllocaSizeInBytes(*AI) + : 0; + ASanStackVariableDescription D = { + AI->getName().data(), + ASan.getAllocaSizeInBytes(*AI), + UseAfterScopePoisonSize, + AI->getAlignment(), + AI, + 0}; SVD.push_back(D); } // Minimal header size (left redzone) is 4 pointers, // i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms. size_t MinHeaderSize = ASan.LongSize / 2; ASanStackFrameLayout L; - ComputeASanStackFrameLayout(SVD, 1ULL << Mapping.Scale, MinHeaderSize, &L); + const size_t Granularity = 1ULL << Mapping.Scale; + ComputeASanStackFrameLayout(SVD, Granularity, MinHeaderSize, &L); + DEBUG(dbgs() << L.DescriptionString << " --- " << L.FrameSize << "\n"); uint64_t LocalStackSize = L.FrameSize; bool DoStackMalloc = ClUseAfterReturn && !ASan.CompileKernel && @@ -2278,13 +2311,40 @@ // Poison the stack redzones at the entry. Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB); - poisonStackFrame(L.ShadowBytes, IRB, ShadowBase, true); + poisonStackFrame(L.ShadowBytes, 0, L.ShadowBytes.size(), 0, IRB, ShadowBase, + true); + + if (ClExperimentalPoisoning) { + // Complete AllocaToSVDMap + for (const auto &Desc : SVD) { + auto It = AllocaToSVDMap.find(Desc.AI); + if (It != AllocaToSVDMap.end()) { + It->second = &Desc; + } + } + + // Poison static allocas near lifetime intrinsics. + for (const auto &APC : StaticAllocaPoisonCallVec) { + // Must be already set. + assert(AllocaToSVDMap[APC.AI]); + const auto &Desc = *AllocaToSVDMap[APC.AI]; + assert(Desc.Offset % Granularity == 0); + size_t Begin = Desc.Offset / Granularity; + size_t End = Begin + (Desc.Size + Granularity - 1) / Granularity; + uint8_t LastByteUnpoisoned = Desc.Size % Granularity; + + IRBuilder<> IRB(APC.InsBefore); + poisonStackFrame(L.ShadowBytes, Begin, End, LastByteUnpoisoned, IRB, + ShadowBase, APC.DoPoison); + } + } auto UnpoisonStack = [&](IRBuilder<> &IRB) { // Do this always as poisonAlloca can be disabled with // detect_stack_use_after_scope=0. - poisonStackFrame(L.ShadowBytes, IRB, ShadowBase, false); - if (!StaticAllocaPoisonCallVec.empty()) { + poisonStackFrame(L.ShadowBytes, 0, L.ShadowBytes.size(), 0, IRB, ShadowBase, + false); + if (!ClExperimentalPoisoning && !StaticAllocaPoisonCallVec.empty()) { // If we poisoned some allocas in llvm.lifetime analysis, // unpoison whole stack frame now. poisonAlloca(LocalStackBase, LocalStackSize, IRB, false); @@ -2319,9 +2379,11 @@ IRBuilder<> IRBPoison(ThenTerm); if (StackMallocIdx <= 4) { int ClassSize = kMinStackMallocSize << StackMallocIdx; - ShadowBytesAfterReturn.resize(ClassSize >> Mapping.Scale, + ShadowBytesAfterReturn.resize(ClassSize / Granularity, kAsanStackUseAfterReturnMagic); - poisonStackFrame(ShadowBytesAfterReturn, IRBPoison, ShadowBase, true); + poisonStackFrame(ShadowBytesAfterReturn, 0, + ShadowBytesAfterReturn.size(), 0, IRBPoison, + ShadowBase, true); Value *SavedFlagPtrPtr = IRBPoison.CreateAdd( FakeStack, ConstantInt::get(IntptrTy, ClassSize - ASan.LongSize / 8)); Index: test/Instrumentation/AddressSanitizer/stack-poisoning-experimental-be.ll =================================================================== --- /dev/null +++ test/Instrumentation/AddressSanitizer/stack-poisoning-experimental-be.ll @@ -0,0 +1,324 @@ +; Test check the following function parts: ENTRY, LIFE (lifetime), FAKE (fake stack) and EXIT. +; Test each part can have prefix: no prefix (regular), UAS (use-after-scope), EXP (new poisoning) and UAS-EXP (use-after-scope with new poisoning) + +; Regular stack poisoning. +; RUN: opt < %s -asan -asan-module -asan-experimental-poisoning=0 -asan-use-after-scope=0 -S | FileCheck --check-prefixes=CHECK,ENTRY,LIFE,FAKE,EXIT %s + +; Optimized poisoning. Only fake stack part is different from the first test. +; RUN: opt < %s -asan -asan-module -asan-experimental-poisoning=1 -asan-use-after-scope=0 -S | FileCheck --check-prefixes=CHECK,ENTRY,LIFE,FAKE-EXP,EXIT %s + +; Regular stack poisoning with stack-use-after-scope. Only lifetime checks are different from the first test. +; RUN: opt < %s -asan -asan-module -asan-experimental-poisoning=0 -asan-use-after-scope=1 -S | FileCheck --check-prefixes=CHECK,ENTRY,LIFE-UAS,FAKE,EXIT %s + +; Optimized poisoning with stack-use-after-scope. +; RUN: opt < %s -asan -asan-module -asan-experimental-poisoning=1 -asan-use-after-scope=1 -S | FileCheck --check-prefixes=CHECK,ENTRY-UAS-EXP,LIFE-UAS-EXP,FAKE-EXP,EXIT-EXP %s + +target datalayout = "E-m:e-i64:64-n32:64" +target triple = "powerpc64-unknown-linux-gnu" + +declare void @Foo(i8*) + +define void @Bar() uwtable sanitize_address { +entry: + %x = alloca [650 x i8], align 16 + %xx = getelementptr inbounds [650 x i8], [650 x i8]* %x, i64 0, i64 0 + + %y = alloca [13 x i8], align 1 + %yy = getelementptr inbounds [13 x i8], [13 x i8]* %y, i64 0, i64 0 + + %z = alloca [40 x i8], align 1 + %zz = getelementptr inbounds [40 x i8], [40 x i8]* %z, i64 0, i64 0 + + ; CHECK: [[SHADOW_BASE:%[0-9]+]] = add i64 %{{[0-9]+}}, 2199023255552 + + ; F1F1F1F1 + ; ENTRY-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 0 + ; ENTRY-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i32]]* + ; ENTRY-NEXT: store [[TYPE]] -235802127, [[TYPE]]* [[PTR]], align 1 + + ; 02F2F2F2F2F2F2F2 + ; ENTRY-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 85 + ; ENTRY-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i64]]* + ; ENTRY-NEXT: store [[TYPE]] 212499257711850226, [[TYPE]]* [[PTR]], align 1 + + ; F2F2F2F2F2F2F2F2 + ; ENTRY-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 93 + ; ENTRY-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i64]]* + ; ENTRY-NEXT: store [[TYPE]] -940422246894996750, [[TYPE]]* [[PTR]], align 1 + + ; F20005F2F2000000 + ; ENTRY-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 101 + ; ENTRY-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i64]]* + ; ENTRY-NEXT: store [[TYPE]] -1008799775530680320, [[TYPE]]* [[PTR]], align 1 + + ; F3F3F3F3 + ; ENTRY-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 111 + ; ENTRY-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i32]]* + ; ENTRY-NEXT: store [[TYPE]] -202116109, [[TYPE]]* [[PTR]], align 1 + + ; F3 + ; ENTRY-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 115 + ; ENTRY-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i8]]* + ; ENTRY-NEXT: store [[TYPE]] -13, [[TYPE]]* [[PTR]], align 1 + + ; F1F1F1F1 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 0 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i32]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] -235802127, [[TYPE]]* [[PTR]], align 1 + + ; F8F8F8... + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 4 + ; ENTRY-UAS-EXP-NEXT: call void @__asan_set_shadow_f8(i64 [[OFFSET]], i64 82) + + ; F2F2F2F2F2F2F2F2 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 86 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i64]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] -940422246894996750, [[TYPE]]* [[PTR]], align 1 + + ; F2F2F2F2F2F2F2F2 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 94 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i64]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] -940422246894996750, [[TYPE]]* [[PTR]], align 1 + + ; F8F8F2F2F8F8F8F8 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 102 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i64]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] -506387832706107144, [[TYPE]]* [[PTR]], align 1 + + ; F8F3F3F3 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 110 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i32]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] -118230029, [[TYPE]]* [[PTR]], align 1 + + ; F3F3 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 114 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i16]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] -3085, [[TYPE]]* [[PTR]], align 1 + + ; CHECK-LABEL: %xx = getelementptr inbounds + ; CHECK-NEXT: %yy = getelementptr inbounds + ; CHECK-NEXT: %zz = getelementptr inbounds + + + call void @llvm.lifetime.start(i64 650, i8* %xx) + ; LIFE-UAS: call void @__asan_unpoison_stack_memory(i64 %{{[0-9]+}}, i64 [[SIZE:650]]) + + ; 0000... + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 4 + ; ENTRY-UAS-EXP-NEXT: call void @__asan_set_shadow_00(i64 [[OFFSET]], i64 81) + ; 02 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 85 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i8]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] 2, [[TYPE]]* [[PTR]], align 1 + + ; CHECK-NEXT: call void @llvm.lifetime.start(i64 650, i8* %xx) + + call void @Foo(i8* %xx) + ; CHECK-NEXT: call void @Foo(i8* %xx) + + call void @llvm.lifetime.end(i64 650, i8* %xx) + ; LIFE-UAS: call void @__asan_poison_stack_memory(i64 %{{[0-9]+}}, i64 [[SIZE]]) + + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 4 + ; ENTRY-UAS-EXP-NEXT: call void @__asan_set_shadow_f8(i64 [[OFFSET]], i64 82) + + ; CHECK-NEXT: call void @llvm.lifetime.end(i64 650, i8* %xx) + + + call void @llvm.lifetime.start(i64 13, i8* %yy) + ; LIFE-UAS: call void @__asan_unpoison_stack_memory(i64 %{{[0-9]+}}, i64 [[SIZE:13]]) + + ; 0005 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 102 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i16]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] 5, [[TYPE]]* [[PTR]], align 1 + + ; CHECK-NEXT: call void @llvm.lifetime.start(i64 13, i8* %yy) + + call void @Foo(i8* %yy) + ; CHECK-NEXT: call void @Foo(i8* %yy) + + call void @llvm.lifetime.end(i64 13, i8* %yy) + ; LIFE-UAS: call void @__asan_poison_stack_memory(i64 %{{[0-9]+}}, i64 [[SIZE]]) + + ; F8F8 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 102 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i16]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] -1800, [[TYPE]]* [[PTR]], align 1 + + ; CHECK-NEXT: call void @llvm.lifetime.end(i64 13, i8* %yy) + + + call void @llvm.lifetime.start(i64 40, i8* %zz) + ; LIFE-UAS: call void @__asan_unpoison_stack_memory(i64 %{{[0-9]+}}, i64 [[SIZE:40]]) + + ; 00000000 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 106 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i32]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] 0, [[TYPE]]* [[PTR]], align 1 + ; 00 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 110 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i8]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] 0, [[TYPE]]* [[PTR]], align 1 + + ; CHECK-NEXT: call void @llvm.lifetime.start(i64 40, i8* %zz) + + call void @Foo(i8* %zz) + ; CHECK-NEXT: call void @Foo(i8* %zz) + + call void @llvm.lifetime.end(i64 40, i8* %zz) + ; LIFE-UAS: call void @__asan_poison_stack_memory(i64 %{{[0-9]+}}, i64 [[SIZE]]) + + ; F8F8F8F8 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 106 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i32]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] -117901064, [[TYPE]]* [[PTR]], align 1 + ; F8 + ; ENTRY-UAS-EXP-NEXT: [[OFFSET:%[0-9]+]] = add i64 [[SHADOW_BASE]], 110 + ; ENTRY-UAS-EXP-NEXT: [[PTR:%[0-9]+]] = inttoptr i64 [[OFFSET]] to [[TYPE:i8]]* + ; ENTRY-UAS-EXP-NEXT: store [[TYPE]] -8, [[TYPE]]* [[PTR]], align 1 + + ; CHECK-NEXT: call void @llvm.lifetime.end(i64 40, i8* %zz) + + + ; CHECK-LABEL: