This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
docs/
-
AddressSanitizer.rst
-
lib/
-
CodeGen/
1
SanitizerMetadata.cpp
-
Sema/
1/5
SemaDeclAttr.cpp
-
test/
-
CodeGen/
1/1
asan-globals.cpp
-
SemaCXX/
2
attr-no-sanitize-address.cpp

Differential D26454

Implement no_sanitize_address for global vars
Needs ReviewPublic

Authored by dougk on Nov 9 2016, 8:44 AM.

Download Raw Diff

Details

Reviewers

aaron.ballman
eugenis

Summary

This was already submitted as r284272.

Regarding the use of Attr as a local variable name, I would prefer to remain consistent with the existing code in CodeGenFunction.cpp which was not touched by this patch.

line 720: for (auto Attr : D->specific_attrs<NoSanitizeAttr>())

but I'm certainly not opposed to changing both places.

Diff Detail

Event Timeline

dougk updated this revision to Diff 77357.Nov 9 2016, 8:44 AM

dougk retitled this revision from to Implement no_sanitize_address for global vars.

dougk updated this object.

dougk added a reviewer: aaron.ballman.

dougk added a subscriber: cfe-commits.

kcc added a reviewer: eugenis.Nov 9 2016, 11:23 AM

Also note: In this change, the diagnostic messages are correct; it's the enum name that's bad. The diagnostic message is wrong for the 'section' attribute, which is fixed by https://reviews.llvm.org/D26459

aaron.ballman added inline comments.Nov 10 2016, 6:56 AM

lib/CodeGen/SanitizerMetadata.cpp
68	Should use `const auto *` (feel free to change the other use(s) in a separate commit, no review required).
lib/Sema/SemaDeclAttr.cpp
5316	This formatting change is unrelated.
5343	You diagnose this as an error, but don't early return if the attribute is invalid. Is that intentional?
5364	You diagnose it as an error, but then add the attribute anyway. Is that intentional?
test/CodeGen/asan-globals.cpp
10	You modified no_sanitize_address, but did not add any test cases for it.
test/SemaCXX/attr-no-sanitize-address.cpp
24	Please add a new test case to replace this one, showing that the attribute is properly diagnosed when applied to something the attribute cannot appertain to.
test/SemaCXX/attr-no-sanitize.cpp
5 ↗	(On Diff #77357)	Please add a new test case to replace this one, showing that the attribute is properly diagnosed when applied to something the attribute cannot appertain to.

changes per Aaron Ballman

Does this change deserve a documentation update?

add a sentence about the change in AddressSanitizer.rst

aaron.ballman added inline comments.Nov 15 2016, 10:36 AM

lib/Sema/SemaDeclAttr.cpp
5348	This is unfortunate because the declarative subject information from Attr.td does not match the semantics in SemaDeclAttr.cpp for many of the sanitizer names. For instance, this means that someone using `__attribute__((no_sanitize("thread"))`` on a static local variable will get a diagnostic telling them that it only applies to functions, methods, and global variables. If they make their static local variable into a global variable, they will then get a different diagnostic telling them, oops, just functions or methods. While I understand that this was already submitted in r284272, I don't see any rationale given in the commit log as to why this behavior is desirable in the first place. Can you give me some background information on why this is needed? Does it apply to other sanitizer names as well?

Suppression of sanitizing is necessary if the variable is magically a memory-mapped device I/O address.
The linker can arrange for this to be the case using fancy scripts, or even just as simple as a section attribute that requires that you take up exactly a certain number of bytes in the section.
There was some thought that any non-default section should preclude sanitization, but Kostya said that, no, it would make sense to require explicit no-sanitize. I (mistakenly) took that to mean "just do it", for which I apologize.

lib/Sema/SemaDeclAttr.cpp
5316	reverted. (clang-format-diff did that on account of proximity to the added lines)
5343	not intentional. fixed
5364	not intentional. fixed
test/SemaCXX/attr-no-sanitize-address.cpp
24	that's already tested by noanal_testfn which has no_sanitize_address on 'int x = y';

In D26454#609578, @dougk wrote:

Suppression of sanitizing is necessary if the variable is magically a memory-mapped device I/O address.
The linker can arrange for this to be the case using fancy scripts, or even just as simple as a section attribute that requires that you take up exactly a certain number of bytes in the section.
There was some thought that any non-default section should preclude sanitization, but Kostya said that, no, it would make sense to require explicit no-sanitize. I (mistakenly) took that to mean "just do it", for which I apologize.

Thank you for the explanation, but I'm still wondering if this applies to only address sanitization, or to others as well, such as memory or thread. The fact that the declarative information in Attr.td is incorrect now is a concern. We can either address that concern by making the conflict go away for all sanitizer strings (which may not be sensible), or by making some complex changes to the way subject lists work (which may be more work than it's worth). The point to having a single no_sanitize attribute was so that we didn't need to add a new attribute every time we came up with a new sanitizer, but it was understood that this works because all of the sanitizers apply to the same constructs. This change breaks that assumption so that now one of the sanitizer strings diverges from all the rest, and I would like to avoid that.

I think it probably works to have the attribute appertain to any sanitizer. I did not know that it did, so I conservatively assumed that it didn't. I'll go ahead and make things consistent, and confirm that it dtrt.

Revision Contents

Path

Size

docs/

AddressSanitizer.rst

4 lines

lib/

CodeGen/

SanitizerMetadata.cpp

2 lines

Sema/

SemaDeclAttr.cpp

14 lines

test/

CodeGen/

asan-globals.cpp

17 lines

SemaCXX/

attr-no-sanitize-address.cpp

5 lines

Diff 77815

docs/AddressSanitizer.rst

Context not available.
	Some code should not be instrumented by AddressSanitizer. One may use the	Some code should not be instrumented by AddressSanitizer. One may use the
	function attribute ``__attribute__((no_sanitize("address")))`` (which has	function attribute ``__attribute__((no_sanitize("address")))`` (which has
	deprecated synonyms `no_sanitize_address` and `no_address_safety_analysis`) to	deprecated synonyms `no_sanitize_address` and `no_address_safety_analysis`) to
	disable instrumentation of a particular function. This attribute may not be	disable instrumentation of a particular function. A global variable may
		be similarly marked, as is typically necessary if its address corresponds
		to a memory-mapped I/O range. This attribute may not be
	supported by other compilers, so we suggest to use it together with	supported by other compilers, so we suggest to use it together with
	``__has_feature(address_sanitizer)``.	``__has_feature(address_sanitizer)``.

Context not available.

lib/CodeGen/SanitizerMetadata.cpp

Context not available.
	D.printQualifiedName(OS);	D.printQualifiedName(OS);

	bool IsBlacklisted = false;	bool IsBlacklisted = false;
	for (auto Attr : D.specific_attrs<NoSanitizeAttr>())	for (const auto *Attr : D.specific_attrs<NoSanitizeAttr>())
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions Should use `const auto ` (feel free to change the other use(s) in a separate commit, no review required). aaron.ballman:* Should use `const auto *` (feel free to change the other use(s) in a separate commit, no review…
	if (Attr->getMask() & SanitizerKind::Address)	if (Attr->getMask() & SanitizerKind::Address)
	IsBlacklisted = true;	IsBlacklisted = true;
	reportGlobalToASan(GV, D.getLocation(), OS.str(), D.getType(), IsDynInit,	reportGlobalToASan(GV, D.getLocation(), OS.str(), D.getType(), IsDynInit,
Context not available.

lib/Sema/SemaDeclAttr.cpp

Context not available.
	!(Attr.hasScope() && Attr.getScopeName()->isStr("gnu")))	!(Attr.hasScope() && Attr.getScopeName()->isStr("gnu")))
	S.Diag(Attr.getLoc(), diag::ext_cxx14_attr) << Attr.getName();	S.Diag(Attr.getLoc(), diag::ext_cxx14_attr) << Attr.getName();

	D->addAttr(::new (S.Context)	D->addAttr(::new (S.Context) DeprecatedAttr(Attr.getRange(), S.Context,
	DeprecatedAttr(Attr.getRange(), S.Context, Str, Replacement,	Str, Replacement,
	Attr.getAttributeSpellingListIndex()));	Attr.getAttributeSpellingListIndex()));
	}	}

	static bool isGlobalVar(const Decl *D) {	static bool isGlobalVar(const Decl *D) {
		aaron.ballmanUnsubmitted Done Reply Inline Actions You diagnose this as an error, but don't early return if the attribute is invalid. Is that intentional? aaron.ballman: You diagnose this as an error, but don't early return if the attribute is invalid. Is that…
		dougkAuthorUnsubmitted Not Done Reply Inline Actions not intentional. fixed dougk: not intentional. fixed
Context not available.

	if (parseSanitizerValue(SanitizerName, /AllowGroups=/true) == 0)	if (parseSanitizerValue(SanitizerName, /AllowGroups=/true) == 0)
	S.Diag(LiteralLoc, diag::warn_unknown_sanitizer_ignored) << SanitizerName;	S.Diag(LiteralLoc, diag::warn_unknown_sanitizer_ignored) << SanitizerName;
	else if (isGlobalVar(D) && SanitizerName != "address")	else if (isGlobalVar(D) && SanitizerName != "address") {
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions This is unfortunate because the declarative subject information from Attr.td does not match the semantics in SemaDeclAttr.cpp for many of the sanitizer names. For instance, this means that someone using `__attribute__((no_sanitize("thread"))`` on a static local variable will get a diagnostic telling them that it only applies to functions, methods, and global variables. If they make their static local variable into a global variable, they will then get a different diagnostic telling them, oops, just functions or methods. While I understand that this was already submitted in r284272, I don't see any rationale given in the commit log as to why this behavior is desirable in the first place. Can you give me some background information on why this is needed? Does it apply to other sanitizer names as well? aaron.ballman: This is unfortunate because the declarative subject information from Attr.td does not match the…
	S.Diag(D->getLocation(), diag::err_attribute_wrong_decl_type)	S.Diag(D->getLocation(), diag::err_attribute_wrong_decl_type)
	<< Attr.getName() << ExpectedFunctionOrMethod;	<< Attr.getName() << ExpectedFunctionOrMethod;
		return;
		}
	Sanitizers.push_back(SanitizerName);	Sanitizers.push_back(SanitizerName);
	}	}

		aaron.ballmanUnsubmitted Not Done Reply Inline Actions You diagnose it as an error, but then add the attribute anyway. Is that intentional? aaron.ballman: You diagnose it as an error, but then add the attribute anyway. Is that intentional?
		dougkAuthorUnsubmitted Not Done Reply Inline Actions not intentional. fixed dougk: not intentional. fixed
Context not available.
	.Case("no_sanitize_address", "address")	.Case("no_sanitize_address", "address")
	.Case("no_sanitize_thread", "thread")	.Case("no_sanitize_thread", "thread")
	.Case("no_sanitize_memory", "memory");	.Case("no_sanitize_memory", "memory");
	if (isGlobalVar(D) && SanitizerName != "address")	if (isGlobalVar(D) && SanitizerName != "address") {
	S.Diag(D->getLocation(), diag::err_attribute_wrong_decl_type)	S.Diag(D->getLocation(), diag::err_attribute_wrong_decl_type)
	<< Attr.getName() << ExpectedFunction;	<< Attr.getName() << ExpectedFunction;
		return;
		}
	D->addAttr(::new (S.Context)	D->addAttr(::new (S.Context)
	NoSanitizeAttr(Attr.getRange(), S.Context, &SanitizerName, 1,	NoSanitizeAttr(Attr.getRange(), S.Context, &SanitizerName, 1,
	Attr.getAttributeSpellingListIndex()));	Attr.getAttributeSpellingListIndex()));
Context not available.

test/CodeGen/asan-globals.cpp

Context not available.

	int global;	int global;
	int dyn_init_global = global;	int dyn_init_global = global;
	int __attribute__((no_sanitize("address"))) attributed_global;	int __attribute__((no_sanitize("address"))) attributed_global1;
		aaron.ballmanUnsubmitted Done Reply Inline Actions You modified no_sanitize_address, but did not add any test cases for it. aaron.ballman: You modified no_sanitize_address, but did not add any test cases for it.
		int __attribute__((no_sanitize_address)) attributed_global2;
	int blacklisted_global;	int blacklisted_global;

	void func() {	void func() {
Context not available.
	const char *literal = "Hello, world!";	const char *literal = "Hello, world!";
	}	}

	// CHECK: !llvm.asan.globals = !{![[EXTRA_GLOBAL:[0-9]+]], ![[GLOBAL:[0-9]+]], ![[DYN_INIT_GLOBAL:[0-9]+]], ![[ATTR_GLOBAL:[0-9]+]], ![[BLACKLISTED_GLOBAL:[0-9]+]], ![[STATIC_VAR:[0-9]+]], ![[LITERAL:[0-9]+]]}	// CHECK: !llvm.asan.globals = !{![[EXTRA_GLOBAL:[0-9]+]], ![[GLOBAL:[0-9]+]], ![[DYN_INIT_GLOBAL:[0-9]+]], ![[ATTR_GLOBAL1:[0-9]+]], ![[ATTR_GLOBAL2:[0-9]+]], ![[BLACKLISTED_GLOBAL:[0-9]+]], ![[STATIC_VAR:[0-9]+]], ![[LITERAL:[0-9]+]]}
	// CHECK: ![[EXTRA_GLOBAL]] = !{{{.*}} ![[EXTRA_GLOBAL_LOC:[0-9]+]], !"extra_global", i1 false, i1 false}	// CHECK: ![[EXTRA_GLOBAL]] = !{{{.*}} ![[EXTRA_GLOBAL_LOC:[0-9]+]], !"extra_global", i1 false, i1 false}
	// CHECK: ![[EXTRA_GLOBAL_LOC]] = !{!"{{.*}}extra-source.cpp", i32 1, i32 5}	// CHECK: ![[EXTRA_GLOBAL_LOC]] = !{!"{{.*}}extra-source.cpp", i32 1, i32 5}
	// CHECK: ![[GLOBAL]] = !{{{.*}} ![[GLOBAL_LOC:[0-9]+]], !"global", i1 false, i1 false}	// CHECK: ![[GLOBAL]] = !{{{.*}} ![[GLOBAL_LOC:[0-9]+]], !"global", i1 false, i1 false}
	// CHECK: ![[GLOBAL_LOC]] = !{!"{{.*}}asan-globals.cpp", i32 8, i32 5}	// CHECK: ![[GLOBAL_LOC]] = !{!"{{.*}}asan-globals.cpp", i32 8, i32 5}
	// CHECK: ![[DYN_INIT_GLOBAL]] = !{{{.*}} ![[DYN_INIT_LOC:[0-9]+]], !"dyn_init_global", i1 true, i1 false}	// CHECK: ![[DYN_INIT_GLOBAL]] = !{{{.*}} ![[DYN_INIT_LOC:[0-9]+]], !"dyn_init_global", i1 true, i1 false}
	// CHECK: ![[DYN_INIT_LOC]] = !{!"{{.*}}asan-globals.cpp", i32 9, i32 5}	// CHECK: ![[DYN_INIT_LOC]] = !{!"{{.*}}asan-globals.cpp", i32 9, i32 5}
	// CHECK: ![[ATTR_GLOBAL]] = !{{{.*}}, null, null, i1 false, i1 true}	// CHECK: ![[ATTR_GLOBAL1]] = !{{{.*}}, null, null, i1 false, i1 true}
		// CHECK: ![[ATTR_GLOBAL2]] = !{{{.*}}, null, null, i1 false, i1 true}
	// CHECK: ![[BLACKLISTED_GLOBAL]] = !{{{.*}}, null, null, i1 false, i1 true}	// CHECK: ![[BLACKLISTED_GLOBAL]] = !{{{.*}}, null, null, i1 false, i1 true}
	// CHECK: ![[STATIC_VAR]] = !{{{.*}} ![[STATIC_LOC:[0-9]+]], !"static_var", i1 false, i1 false}	// CHECK: ![[STATIC_VAR]] = !{{{.*}} ![[STATIC_LOC:[0-9]+]], !"static_var", i1 false, i1 false}
	// CHECK: ![[STATIC_LOC]] = !{!"{{.*}}asan-globals.cpp", i32 14, i32 14}	// CHECK: ![[STATIC_LOC]] = !{!"{{.*}}asan-globals.cpp", i32 15, i32 14}
	// CHECK: ![[LITERAL]] = !{{{.*}} ![[LITERAL_LOC:[0-9]+]], !"<string literal>", i1 false, i1 false}	// CHECK: ![[LITERAL]] = !{{{.*}} ![[LITERAL_LOC:[0-9]+]], !"<string literal>", i1 false, i1 false}
	// CHECK: ![[LITERAL_LOC]] = !{!"{{.*}}asan-globals.cpp", i32 15, i32 25}	// CHECK: ![[LITERAL_LOC]] = !{!"{{.*}}asan-globals.cpp", i32 16, i32 25}

	// BLACKLIST-SRC: !llvm.asan.globals = !{![[EXTRA_GLOBAL:[0-9]+]], ![[GLOBAL:[0-9]+]], ![[DYN_INIT_GLOBAL:[0-9]+]], ![[ATTR_GLOBAL:[0-9]+]], ![[BLACKLISTED_GLOBAL:[0-9]+]], ![[STATIC_VAR:[0-9]+]], ![[LITERAL:[0-9]+]]}	// BLACKLIST-SRC: !llvm.asan.globals = !{![[EXTRA_GLOBAL:[0-9]+]], ![[GLOBAL:[0-9]+]], ![[DYN_INIT_GLOBAL:[0-9]+]], ![[ATTR_GLOBAL1:[0-9]+]], ![[ATTR_GLOBAL2:[0-9]+]], ![[BLACKLISTED_GLOBAL:[0-9]+]], ![[STATIC_VAR:[0-9]+]], ![[LITERAL:[0-9]+]]}
	// BLACKLIST-SRC: ![[EXTRA_GLOBAL]] = !{{{.*}} ![[EXTRA_GLOBAL_LOC:[0-9]+]], !"extra_global", i1 false, i1 false}	// BLACKLIST-SRC: ![[EXTRA_GLOBAL]] = !{{{.*}} ![[EXTRA_GLOBAL_LOC:[0-9]+]], !"extra_global", i1 false, i1 false}
	// BLACKLIST-SRC: ![[EXTRA_GLOBAL_LOC]] = !{!"{{.*}}extra-source.cpp", i32 1, i32 5}	// BLACKLIST-SRC: ![[EXTRA_GLOBAL_LOC]] = !{!"{{.*}}extra-source.cpp", i32 1, i32 5}
	// BLACKLIST-SRC: ![[GLOBAL]] = !{{{.*}} null, null, i1 false, i1 true}	// BLACKLIST-SRC: ![[GLOBAL]] = !{{{.*}} null, null, i1 false, i1 true}
	// BLACKLIST-SRC: ![[DYN_INIT_GLOBAL]] = !{{{.*}} null, null, i1 true, i1 true}	// BLACKLIST-SRC: ![[DYN_INIT_GLOBAL]] = !{{{.*}} null, null, i1 true, i1 true}
	// BLACKLIST-SRC: ![[ATTR_GLOBAL]] = !{{{.*}}, null, null, i1 false, i1 true}	// BLACKLIST-SRC: ![[ATTR_GLOBAL1]] = !{{{.*}}, null, null, i1 false, i1 true}
		// BLACKLIST-SRC: ![[ATTR_GLOBAL2]] = !{{{.*}}, null, null, i1 false, i1 true}
	// BLACKLIST-SRC: ![[BLACKLISTED_GLOBAL]] = !{{{.*}}, null, null, i1 false, i1 true}	// BLACKLIST-SRC: ![[BLACKLISTED_GLOBAL]] = !{{{.*}}, null, null, i1 false, i1 true}
	// BLACKLIST-SRC: ![[STATIC_VAR]] = !{{{.*}} null, null, i1 false, i1 true}	// BLACKLIST-SRC: ![[STATIC_VAR]] = !{{{.*}} null, null, i1 false, i1 true}
	// BLACKLIST-SRC: ![[LITERAL]] = !{{{.*}} null, null, i1 false, i1 true}	// BLACKLIST-SRC: ![[LITERAL]] = !{{{.*}} null, null, i1 false, i1 true}
Context not available.

test/SemaCXX/attr-no-sanitize-address.cpp

Context not available.
	int noanal_testfn(int y) NO_SANITIZE_ADDRESS;	int noanal_testfn(int y) NO_SANITIZE_ADDRESS;

	int noanal_testfn(int y) {	int noanal_testfn(int y) {
		// Test the deprecated spelling of no_sanitize("address")
	int x NO_SANITIZE_ADDRESS = y; // \	int x NO_SANITIZE_ADDRESS = y; // \
	// expected-error {{'no_sanitize_address' attribute only applies to functions}}	// expected-error {{'no_sanitize_address' attribute only applies to functions and global variables}}
		int x2 __attribute__((no_sanitize("address"))) = y; // \
		// expected-error {{'no_sanitize' attribute only applies to functions, methods, and global variables}}
	return x;	return x;
	}	}

Context not available.
	aaron.ballmanUnsubmitted Not Done Reply Inline Actions Please add a new test case to replace this one, showing that the attribute is properly diagnosed when applied to something the attribute cannot appertain to. aaron.ballman: Please add a new test case to replace this one, showing that the attribute is properly…
	dougkAuthorUnsubmitted Not Done Reply Inline Actions that's already tested by noanal_testfn which has no_sanitize_address on 'int x = y'; dougk: that's already tested by noanal_testfn which has no_sanitize_address on 'int x = y';