This is an archive of the discontinued LLVM Phabricator instance.

Differential D32895

[ASAN] Insert call to __asan_init and load of dynamic shadow address in correct order
AbandonedPublic

Authored by evgeny777 on May 5 2017, 3:08 AM.

Details

Reviewers
kcc
Summary

Good time of the day!

I've ported ASAN to proprietary system, where I (besides everything else) need to instrument application startup code. To accomplish this task I've added check for appropriate function name and triple in maybeInsertAsanInitAtFunctionEntry(). However I got following IR after that:

define void @_startup() #0 {
entry:
  %0 = load i64, i64* @__asan_shadow_memory_dynamic_address
  call void @__asan_init()
  .....

Needless to say that it doesn't work as expected, because asan_shadow_memory_dynamic_address is initialized in asan_init().
This patch fixes the problem for me, by enforcing correct order of operations.
I don't know how to write unit test for it, so any suggestions/comments are appreciated.

Thanks.

Diff Detail

Event Timeline

evgeny777 created this revision.May 5 2017, 3:08 AM
dvyukov edited reviewers, added: alekseyshl; removed: dvyukov.May 5 2017, 7:29 AM
kcc edited edge metadata.May 5 2017, 10:41 AM

I don't think this is the right fix.
Please explain more: why does this load from __asan_shadow_memory_dynamic_address happen in a function that does not have sanitize_address attribute?

I don't know how to write unit test for it, so any suggestions/comments are appreciated.

Check the test/Instrumentation/AddressSanitizer/ dir.
Maybe, a proper test will help explain the fix.

evgeny777 added a comment.May 5 2017, 11:10 AM

Thanks for looking at it.

Let's assume we have function which *does* have sanitize_address attribute. Now imagine we have function for which both maybeInsertAsanInitAtFunctionEntry and maybeInsertDynamicShadowAtFunctionEntry return true.
If so then:

  • Line 2250 (maybeInsertAsanInitAtFunctionEntry) will insert call to __asan_init at the top of our function
  • Then Line 2263 (maybeInsertDynamicShadowAtFunctionEntry) will insert load of dynamic shadow address at the top of our function (before __asan_init)

We'll get both things inserted in reverse order (and undefined behavior when running app).

kcc added a comment.May 5 2017, 11:23 AM

Ok.. makes sense. These did not collide before because maybeInsertDynamicShadowAtFunctionEntry is mostly used on WIndows and maybeInsertAsanInitAtFunctionEntry only on Mac. grrr.
Now it does make sense, but I would prefer if the code did not have a duplicated call to maybeInsertAsanInitAtFunctionEntry
(and, of course, a test)

alekseyshl removed a reviewer: alekseyshl.Jul 19 2018, 10:51 AM
evgeny777 abandoned this revision.Jan 15 2019, 7:35 AM

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
14 lines

Diff 97920

lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 2,236 Lines▼ Show 20 Linesvoid AddressSanitizer::markEscapedLocalAllocas(Function &F) {
} }
} }
bool AddressSanitizer::runOnFunction(Function &F) { bool AddressSanitizer::runOnFunction(Function &F) {
if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false; if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false;
if (!ClDebugFunc.empty() && ClDebugFunc == F.getName()) return false; if (!ClDebugFunc.empty() && ClDebugFunc == F.getName()) return false;
if (F.getName().startswith("__asan_")) return false; if (F.getName().startswith("__asan_")) return false;
bool FunctionModified = false;
// If needed, insert __asan_init before checking for SanitizeAddress attr.
// This function needs to be called even if the function body is not
// instrumented.
if (maybeInsertAsanInitAtFunctionEntry(F))
FunctionModified = true;
// Leave if the function doesn't need instrumentation. // Leave if the function doesn't need instrumentation.
if (!F.hasFnAttribute(Attribute::SanitizeAddress)) return FunctionModified; // The __asan_init function needs to be called even if the function body is
// not instrumented.
if (!F.hasFnAttribute(Attribute::SanitizeAddress))
return maybeInsertAsanInitAtFunctionEntry(F);
DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n");
initializeCallbacks(*F.getParent()); initializeCallbacks(*F.getParent());
DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree(); DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree();
FunctionStateRAII CleanupObj(this); FunctionStateRAII CleanupObj(this);
maybeInsertDynamicShadowAtFunctionEntry(F); maybeInsertDynamicShadowAtFunctionEntry(F);
bool FunctionModified = maybeInsertAsanInitAtFunctionEntry(F);
// We can't instrument allocas used with llvm.localescape. Only static allocas // We can't instrument allocas used with llvm.localescape. Only static allocas
// can be passed to that intrinsic. // can be passed to that intrinsic.
markEscapedLocalAllocas(F); markEscapedLocalAllocas(F);
// We want to instrument every address only once per basic block (unless there // We want to instrument every address only once per basic block (unless there
// are calls between uses). // are calls between uses).
SmallSet<Value *, 16> TempsToInstrument; SmallSet<Value *, 16> TempsToInstrument;
▲ Show 20 LinesShow All 694 LinesShow Last 20 Lines