This is an archive of the discontinued LLVM Phabricator instance.

Differential D34451

Add KMSAN instrumentation to MSan pass
ClosedPublic

Authored by glider on Jun 21 2017, 7:39 AM.

Details

Reviewers
eugenis
kcc
dvyukov
Summary

Introduce the -msan-kernel flag, which enables the kernel instrumentation.

The main differences between KMSAN and MSan instrumentations are:

  • KMSAN implies msan-track-origins=2, msan-keep-going=true;
  • there're no explicit accesses to shadow and origin memory. Shadow and origin values for a particular X-byte memory location are read and written via pointers returned by __msan_metadata_ptr_for_load_X(u8 *addr) and __msan_store_shadow_origin_X(u8 *addr, uptr shadow, uptr origin);
  • TLS variables are stored in a single struct in per-task storage. A call to a function returning that struct is inserted into every instrumented function before the entry block;
  • __msan_warning() takes a 32-bit origin parameter;
  • local variables are poisoned with __msan_poison_alloca() upon function entry and unpoisoned with __msan_unpoison_alloca() before leaving the function;
  • the pass doesn't declare any global variables or add global constructors to the translation unit.

Diff Detail

Event Timeline

glider created this revision.Jun 21 2017, 7:39 AM
glider added a reviewer: dvyukov.Jun 21 2017, 7:40 AM
dvyukov edited edge metadata.Jun 22 2017, 1:28 AM

I know, not the feedback you was looking for :)

lib/Transforms/Instrumentation/MemorySanitizer.cpp
455

Looks like a bug in clang-format. Why is it 3 spaces here? All other members start with 2 and 2 is the proper style.

dvyukov added inline comments.Jun 22 2017, 1:45 AM
lib/Transforms/Instrumentation/MemorySanitizer.cpp
234

I see that for interface part (flags, pass ctor) you copied KASAN approach, so this looks good to me.

638

ShadowOriginStruct seems to be used only in the loop below. So drop it and use the actual types in the loop.

679

The interface looks bulky because of distinction between arg/param/retval/va_arg. It feels that we put too much details into the interface, such interfaces are usually unstable. Is it possible to combine all that data into a single struct including shadow and origins (for user-space as well) and then have just single function that requests data at offsets of that struct? Or maybe just returns a pointer to the thread-local struct. I should also reduce amount of differences between kernel and userspace.

We could go further and reuse __kmsan_load/store_shadow_origin functions by giving then some magic address that mean TLS. Not sure if it will be good or not.

dvyukov added inline comments.Jun 22 2017, 1:56 AM
lib/Transforms/Instrumentation/MemorySanitizer.cpp
679

Note that we can't version compiler and kernel atomically. This interface will have to stay basically forever. If we will want to improve it later, we will only make situation worse because we will have to support 2 interfaces.

dvyukov added a comment.Jun 22 2017, 1:57 AM

Evgenii, please take a look at actual pass changes.

glider added inline comments.Jun 22 2017, 2:19 AM
lib/Transforms/Instrumentation/MemorySanitizer.cpp
689

@eugenis: Dima suggested we merge all msan_XXX_tls globals into a single struct, this way I can replace all the kmsan_get_XXX_tls() callbacks with a single one.
WDYT?

glider added inline comments.Jun 22 2017, 2:28 AM
lib/Transforms/Instrumentation/MemorySanitizer.cpp
455

I think this is being caused by me formatting the diff, not the whole file.
clang-format handles this case correctly in the wild.

638

This is a legacy, will remove.

eugenis added inline comments.Jun 23 2017, 5:00 PM
lib/Transforms/Instrumentation/MemorySanitizer.cpp
679

That would be an ABI break on Linux. And hiding the arg/param/retval/etc details in a struct does not make the interface any more stable.
On the other hand, it makes the interface simpler, so if you think you can do it just for the kernel w/o complicating the runtime library too much, then go for it.

679

Are you sure there is no way to version compiler and the runtime atomically? As I imagine, the part that must be in sync with the kernel is basically shadow mapping and the bool are_we_initialized_already() function. Is it possible to make that the forever-stable interface, and tie everything on top of it to the compiler?

glider added inline comments.Jun 26 2017, 5:15 AM
lib/Transforms/Instrumentation/MemorySanitizer.cpp
679

Are you sure there is no way to version compiler and the runtime atomically?

If we're talking about the runtime residing in the upstream kernel, then yes.
Clang versions live long, so if we ever introduce a new API version, then the kernel will have to support all the existing versions.

As I imagine, the part that must be in sync with the kernel is basically shadow mapping and the bool are_we_initialized_already() function.

Neither is currently part of the compiler API. The kernel allocates the shadow on per-page basis (i.e. shadow is non-contiguous), and these details better be abstracted from the instrumentation.

Is it possible to make that the forever-stable interface, and tie everything on top of it to the compiler?

If we treat the userspace shadow mapping as an example of such a stable interface, we see that it's not enough (e.g. handling va_args require additional globals or functions).
The question is basically whether right now MSan interface is stable enough, or will there be changes to it in the future.

679

On the other hand, it makes the interface simpler, so if you think you can do it just for the kernel w/o complicating the runtime library too much, then go for it.

Ok, I'll make this change just for the kernel.

glider updated this revision to Diff 104658.Jun 29 2017, 8:38 AM
glider edited the summary of this revision. (Show Details)
glider updated this revision to Diff 105098.Jul 3 2017, 9:14 AM
glider edited the summary of this revision. (Show Details)

Updated the patch.
Now all KMSAN-specific functions bear the "__msan_" prefix so that they can be used in other contexts (e.g. MSan instrumentation for Android).
I've also dropped aliasing functions that were working with argument shadow, except for __msan_load_arg_shadow() and __msan_store_arg_shadow().

Please take another look.

eugenis edited edge metadata.Jul 5 2017, 6:02 PM

In general, way too many small pieces of kernel-specific code. Please try to come up with a set of common utility functions that would capture the difference between kernel and userspace.

lib/Transforms/Instrumentation/MemorySanitizer.cpp
1139

There is some code duplication between this function and materializeStoresUserspace. It could be better to implement a kernel-specific storeOrigin() and keep this one common.

1154

When can origin be less than 32 bit?

1702

I think this is the wrong level of abstraction. You don't want kernel-specific handling of LoadInst, you want kernel-specific primitives for writing and reading shadow. You can use them in handleVectorLoadIntrinsic as well as other similar places. Ideally, there should be no checks for MS.CompileKernel outside of such common utility functgions.

3104

How can it be? The call to this function is inserted in the Kmsan prologue, and we specifically step over the prologue when running the visitor in runOnFunction.

glider updated this revision to Diff 124592.Nov 28 2017, 9:30 AM
glider marked 3 inline comments as done.
glider edited the summary of this revision. (Show Details)

Updated the diff.
This is still work in progress, and I'm not sure what's the best way to proceed with it.
The diff of the instrumentation pass patch itself is around 1000 LoC, plus I've moved around some IR tests.
(In particular the tests that behave differently with and without -msan-kernel=1 were put into separate files, while those agnostic to the memory layout remained in msan_common_basic.ll)

We can try moving forward with this patch as a whole, or I can start landing small chunks of it just for the userspace (e.g. replace F.getEntryBlock() with MSV.ActualFnStart everywhere, factor some code into helper functions) so that it'll be easier to add a kernel-specific implementation to them.

glider added a comment.Nov 28 2017, 9:36 AM

Please disregard. Looks like I've missed some opportunities to move the CompileKernel() checks to the lower level.

glider updated this revision to Diff 140971.Apr 4 2018, 9:00 AM
glider edited the summary of this revision. (Show Details)

Updated the diff.
This is more or less the final version of the KMSAN API. I'm still working on the tests and fixing minor nits.
I'll be OOO till the end of April, so take your time.

eugenis added inline comments.Apr 6 2018, 11:05 AM
lib/Transforms/Instrumentation/MemorySanitizer.cpp
444

Lets make -mllvm flags take precedence, as in KASan (see ClRecover.getNumOccurrences() > 0).

675

What are these, why do they have "_arg_" in the name but not in the description, and why are they not used?

glider marked an inline comment as done.Jul 20 2018, 9:07 AM
glider added inline comments.
lib/Transforms/Instrumentation/MemorySanitizer.cpp
675

Removed these.

glider updated this revision to Diff 156510.Jul 20 2018, 9:09 AM

Major update after landing the kernel-inspecific parts.

eugenis added inline comments.Jul 23 2018, 1:58 PM
lib/Transforms/Instrumentation/MemorySanitizer.cpp
754–758

Please invert this check.

919–920

Please rebase on ToT.

1096–1102

Invert this check, and a few others below.

1337

I think you want DL.getTypeStoreSize() here.

1520

std::ignore instead of CpOriginPtr to avoid unused variable warning? Or is the compiler not smart enough to see that it is unused?

3294

Could you explain why this function is passed return address (i.e. the caller pc)?

Why is this api so different from userspace?

3497

I think you can detect this by looking at function attributes.

3580

This is not about kernel at all, is it?
Could you fix it for userspace as well, as a separate change?

test/Instrumentation/MemorySanitizer/msan_kernel_basic.ll
17

AFAIK, in no-asserts build IR temporary names are lost, so this "%param_shadow" is not going to match.

45

Please add checks for actual arguments etc. For example, make sure that the right member of context_state is called for param_shadow. No need to repeat this in every test case, just once would be enough.

Herald added a subscriber: jfb. · View Herald TranscriptJul 23 2018, 1:58 PM
glider updated this revision to Diff 159504.Aug 7 2018, 7:25 AM

Rebased to r339138.

glider marked 6 inline comments as done.Aug 8 2018, 4:13 AM
glider added inline comments.
lib/Transforms/Instrumentation/MemorySanitizer.cpp
1520

Looks like it isn't.
But I've replaced the variable with std::ignore anyway.

3294

It's too expensive to unwind the stack for each alloca, and __builtin_return_address(1) is unreliable, therefore we take the caller's return address to get two stack frames instead of one.

3497

I've only found mentions of SSE in the "target-features" string, where they look like: "-sse,-sse2,-sse3,...", not sure it's easier to parse those.

3580

This is gonna change the userspace ABI, as we'll need to introduce the origin tls var.
I can sure fix it for the userspace, we'll just need to be accurate deploying the new version.

test/Instrumentation/MemorySanitizer/msan_kernel_basic.ll
17

Hm, I don't see any difference between files built with -f[no-]discard-value-names using Clang built with/without assertions.
I've replaced the value names with seven getelementptr instructions.

glider updated this revision to Diff 159682.Aug 8 2018, 4:15 AM
glider marked an inline comment as done.
glider retitled this revision from [RFC] Add KMSAN instrumentation to MSan pass to Add KMSAN instrumentation to MSan pass.
glider edited the summary of this revision. (Show Details)
glider added a comment.Aug 8 2018, 5:36 AM

Re: value names, there's code in Clang that explicitly overrides discarding them for ASan/MSan builds.

eugenis added inline comments.Aug 8 2018, 2:10 PM
lib/Transforms/Instrumentation/MemorySanitizer.cpp
1520

Hmm, now it is clear that this chunk does not do anything at all.
Revert it (but keep the TODO)?

3294

Is that because you can not use frame pointers in the kernel for some reason?

Looking at the code for __msan_poison_alloca in kmsan, with the loops and the hash tables and origin setting (with even more loops), I find it hard to believe that taking one or even several steps through FP chain would slow it down.

Note that when a function has more than one local variable, you are doing some redundant work.

Having said that, I don't really mind this change.

It would be nice to change the function name though, because it has very different semantics from the userspace function.

3445

Remove this.

3497

It's not easier, but it is correct.

3580

It won't break old instrumented code running with new runtime library, right?

AFAIK that's all that we care about.

test/Instrumentation/MemorySanitizer/msan_kernel_basic.ll
17

Right. As you mention in the other changelist, we preserve value names in asan/msan builds.

Anyway, I like this new test more.

glider updated this revision to Diff 159910.Aug 9 2018, 6:26 AM
glider marked 2 inline comments as done.
glider edited the summary of this revision. (Show Details)
glider added inline comments.
lib/Transforms/Instrumentation/MemorySanitizer.cpp
3294

Is that because you can not use frame pointers in the kernel for some reason?

There are configurations that disable frame pointers and use a different unwinding scheme.

Looking at the code for __msan_poison_alloca in kmsan, with the loops and the hash tables and origin setting (with even more loops), I find it hard to believe that taking one or even several steps through FP chain would slow it down.

Fair point.

Note that when a function has more than one local variable, you are doing some redundant work.

It might be a good idea to cache the unwound stack somehow, e.g. call the unwinder at the function prologue.

Having said that, I don't really mind this change.

Looks like it really doesn't make any difference whether we pass the pc or unwind it.
I'd better drop it then.

It would be nice to change the function name though, because it has very different semantics from the userspace function.

It's already different :)
There's no __msan_poison_alloca in the userspace, we're defining it in createKernelApi()

3497

Ok, I'll send a separate patch along the lines of:

AMD64FpEndOffset = AMD64FpEndOffsetSSE;
for (const auto &Attr : F.getAttributes().getFnAttributes()) {
  if (Attr.isStringAttribute() && (Attr.getKindAsString() == "target-features")) {
    if (Attr.getValueAsString().contains("-sse"))
      AMD64FpEndOffset = AMD64FpEndOffsetNoSSE;
    break;
  }
}

I'm not sure though that we're guaranteed to have those attributes (e.g. we currently don't have them in the tests, so we default to 176 bytes)

3580

Guess it shouldn't.
Ok, will do.

eugenis added inline comments.Aug 9 2018, 2:24 PM
lib/Transforms/Instrumentation/MemorySanitizer.cpp
3294

It's already different :)
There's no __msan_poison_alloca in the userspace, we're defining it in createKernelApi()

Indeed.

3497

Then we should do whatever the target does when it does not find the attribute.

glider updated this revision to Diff 160070.Aug 10 2018, 1:28 AM

Picked r339414, updated the test, PTAL

eugenis added a comment.Aug 10 2018, 9:15 AM

Looks like all that's left is to split va_arg origin copy into a separate change and enable it in userspace.

glider updated this revision to Diff 163046.Aug 29 2018, 4:18 AM

Incorporate https://reviews.llvm.org/D51412 (va_arg origin support in userspace)

glider updated this revision to Diff 163052.Aug 29 2018, 4:42 AM

Now for realz (pulled the missing bit of va_arg support patch)

eugenis added a comment.Aug 30 2018, 1:24 PM

LGTM, but you probably want to rebase it on top of D51412, instead of including that change in this one.

glider added subscribers: eugenis, kcc.Aug 30 2018, 11:16 PM

Sure, will do.

glider added inline comments.Aug 31 2018, 2:27 AM
test/Instrumentation/MemorySanitizer/store-origin.ll
64

TODO: replace "01-9a-z" with "_0-9a-z"

glider updated this revision to Diff 164171.Sep 6 2018, 2:12 AM

Rebased the CL on top of recent vararg changes

eugenis accepted this revision.Sep 6 2018, 2:56 PM

LGTM

This revision is now accepted and ready to land.Sep 6 2018, 2:56 PM
glider closed this revision.Sep 7 2018, 2:11 AM

Landed r341637, hope it sticks!

Revision Contents

PathSize
include/
llvm/
Transforms/
3 lines
lib/
Transforms/
Instrumentation/
435 lines
test/
Instrumentation/
MemorySanitizer/
20 lines
404 lines
17 lines

Diff 163046

include/llvm/Transforms/Instrumentation.h

Show First 20 LinesShow All 128 Lines▼ Show 20 LinesFunctionPass *createAddressSanitizerFunctionPass(bool CompileKernel = false,
bool Recover = false, bool Recover = false,
bool UseAfterScope = false); bool UseAfterScope = false);
ModulePass *createAddressSanitizerModulePass(bool CompileKernel = false, ModulePass *createAddressSanitizerModulePass(bool CompileKernel = false,
bool Recover = false, bool Recover = false,
bool UseGlobalsGC = true); bool UseGlobalsGC = true);
// Insert MemorySanitizer instrumentation (detection of uninitialized reads) // Insert MemorySanitizer instrumentation (detection of uninitialized reads)
FunctionPass *createMemorySanitizerPass(int TrackOrigins = 0, FunctionPass *createMemorySanitizerPass(int TrackOrigins = 0,
bool Recover = false); bool Recover = false,
bool EnableKmsan = false);
FunctionPass *createHWAddressSanitizerPass(bool CompileKernel = false, FunctionPass *createHWAddressSanitizerPass(bool CompileKernel = false,
bool Recover = false); bool Recover = false);
// Insert ThreadSanitizer (race detection) instrumentation // Insert ThreadSanitizer (race detection) instrumentation
FunctionPass *createThreadSanitizerPass(); FunctionPass *createThreadSanitizerPass();
// Insert DataFlowSanitizer (dynamic data flow analysis) instrumentation // Insert DataFlowSanitizer (dynamic data flow analysis) instrumentation
▲ Show 20 LinesShow All 70 LinesShow Last 20 Lines

lib/Transforms/Instrumentation/MemorySanitizer.cpp

Show First 20 LinesShow All 83 Lines▼ Show 20 Lines
/// ///
/// This does not work very well with Compare-And-Swap (CAS) and /// This does not work very well with Compare-And-Swap (CAS) and
/// Read-Modify-Write (RMW) operations. To follow the above logic, CAS and RMW /// Read-Modify-Write (RMW) operations. To follow the above logic, CAS and RMW
/// must store the new shadow before the app operation, and load the shadow /// must store the new shadow before the app operation, and load the shadow
/// after the app operation. Computers don't work this way. Current /// after the app operation. Computers don't work this way. Current
/// implementation ignores the load aspect of CAS/RMW, always returning a clean /// implementation ignores the load aspect of CAS/RMW, always returning a clean
/// value. It implements the store part as a simple atomic store by storing a /// value. It implements the store part as a simple atomic store by storing a
/// clean shadow. /// clean shadow.
// ///
/// KernelMemorySanitizer (KMSAN) implementation.
///
/// The major differences between KMSAN and MSan instrumentation are:
/// - KMSAN always tracks the origins and implies msan-keep-going=true;
/// - KMSAN allocates shadow and origin memory for each page separately, so
/// there are no explicit accesses to shadow and origin in the
/// instrumentation.
/// Shadow and origin values for a particular X-byte memory location
/// (X=1,2,4,8) are accessed through pointers obtained via the
/// __msan_metadata_ptr_for_load_X(ptr)
/// __msan_metadata_ptr_for_store_X(ptr)
/// functions. The corresponding functions check that the X-byte accesses
/// are possible and returns the pointers to shadow and origin memory.
/// Arbitrary sized accesses are handled with:
/// __msan_metadata_ptr_for_load_n(ptr, size)
/// __msan_metadata_ptr_for_store_n(ptr, size);
/// - TLS variables are stored in a single per-task struct. A call to a
/// function __msan_get_context_state() returning a pointer to that struct
/// is inserted into every instrumented function before the entry block;
/// - __msan_warning() takes a 32-bit origin parameter;
/// - local variables are poisoned with __msan_poison_alloca() upon function
/// entry and unpoisoned with __msan_unpoison_alloca() before leaving the
/// function;
/// - the pass doesn't declare any global variables or add global constructors
/// to the translation unit.
///
/// Also, KMSAN currently ignores uninitialized memory passed into inline asm
/// calls, making sure we're on the safe side wrt. possible false positives.
///
/// KernelMemorySanitizer only supports X86_64 at the moment.
///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/ADT/APInt.h" #include "llvm/ADT/APInt.h"
#include "llvm/ADT/ArrayRef.h" #include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/DepthFirstIterator.h" #include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
▲ Show 20 LinesShow All 94 Lines▼ Show 20 Linesstatic cl::opt<bool> ClHandleICmp("msan-handle-icmp",
cl::desc("propagate shadow through ICmpEQ and ICmpNE"), cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
cl::Hidden, cl::init(true)); cl::Hidden, cl::init(true));
static cl::opt<bool> ClHandleICmpExact("msan-handle-icmp-exact", static cl::opt<bool> ClHandleICmpExact("msan-handle-icmp-exact",
cl::desc("exact handling of relational integer ICmp"), cl::desc("exact handling of relational integer ICmp"),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
// When compiling the Linux kernel, we sometimes see false positives related to // When compiling the Linux kernel, we sometimes see false positives related to
// MSan being unable to understand that inline assembly calls may initialize // MSan being unable to understand that inline assembly calls may initialize
dvyukovUnsubmitted
Not Done
ReplyInline Actions

I see that for interface part (flags, pass ctor) you copied KASAN approach, so this looks good to me.

dvyukov: I see that for interface part (flags, pass ctor) you copied KASAN approach, so this looks good…
// local variables. // local variables.
// This flag makes the compiler conservatively unpoison every memory location // This flag makes the compiler conservatively unpoison every memory location
// passed into an assembly call. Note that this may cause false positives. // passed into an assembly call. Note that this may cause false positives.
// Because it's impossible to figure out the array sizes, we can only unpoison // Because it's impossible to figure out the array sizes, we can only unpoison
// the first sizeof(type) bytes for each type* pointer. // the first sizeof(type) bytes for each type* pointer.
static cl::opt<bool> ClHandleAsmConservative( static cl::opt<bool> ClHandleAsmConservative(
"msan-handle-asm-conservative", "msan-handle-asm-conservative",
cl::desc("conservative handling of inline assembly"), cl::Hidden, cl::desc("conservative handling of inline assembly"), cl::Hidden,
Show All 16 Lines
static cl::opt<int> ClInstrumentationWithCallThreshold( static cl::opt<int> ClInstrumentationWithCallThreshold(
"msan-instrumentation-with-call-threshold", "msan-instrumentation-with-call-threshold",
cl::desc( cl::desc(
"If the function being instrumented requires more than " "If the function being instrumented requires more than "
"this number of checks and origin stores, use callbacks instead of " "this number of checks and origin stores, use callbacks instead of "
"inline checks (-1 means never use callbacks)."), "inline checks (-1 means never use callbacks)."),
cl::Hidden, cl::init(3500)); cl::Hidden, cl::init(3500));
static cl::opt<bool>
ClEnableKmsan("msan-kernel",
cl::desc("Enable KernelMemorySanitizer instrumentation"),
cl::Hidden, cl::init(false));
// This is an experiment to enable handling of cases where shadow is a non-zero // This is an experiment to enable handling of cases where shadow is a non-zero
// compile-time constant. For some unexplainable reason they were silently // compile-time constant. For some unexplainable reason they were silently
// ignored in the instrumentation. // ignored in the instrumentation.
static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow", static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow",
cl::desc("Insert checks for constant shadow values"), cl::desc("Insert checks for constant shadow values"),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
// This is off by default because of a bug in gold: // This is off by default because of a bug in gold:
▲ Show 20 LinesShow All 151 Lines▼ Show 20 Lines
/// ///
/// MemorySanitizer: instrument the code in module to find /// MemorySanitizer: instrument the code in module to find
/// uninitialized reads. /// uninitialized reads.
class MemorySanitizer : public FunctionPass { class MemorySanitizer : public FunctionPass {
public: public:
// Pass identification, replacement for typeid. // Pass identification, replacement for typeid.
static char ID; static char ID;
MemorySanitizer(int TrackOrigins = 0, bool Recover = false) MemorySanitizer(int TrackOrigins = 0, bool Recover = false,
: FunctionPass(ID), bool EnableKmsan = false)
TrackOrigins(std::max(TrackOrigins, (int)ClTrackOrigins)), : FunctionPass(ID) {
Recover(Recover || ClKeepGoing) {} this->CompileKernel =
ClEnableKmsan.getNumOccurrences() > 0 ? ClEnableKmsan : EnableKmsan;
if (ClTrackOrigins.getNumOccurrences() > 0)
eugenisUnsubmitted
Done
ReplyInline Actions

Lets make -mllvm flags take precedence, as in KASan (see ClRecover.getNumOccurrences() > 0).

eugenis: Lets make -mllvm flags take precedence, as in KASan (see ClRecover.getNumOccurrences() > 0).
this->TrackOrigins = ClTrackOrigins;
else
this->TrackOrigins = this->CompileKernel ? 2 : TrackOrigins;
this->Recover = ClKeepGoing.getNumOccurrences() > 0
? ClKeepGoing
: (this->CompileKernel | Recover);
}
StringRef getPassName() const override { return "MemorySanitizer"; } StringRef getPassName() const override { return "MemorySanitizer"; }
void getAnalysisUsage(AnalysisUsage &AU) const override { void getAnalysisUsage(AnalysisUsage &AU) const override {
AU.addRequired<TargetLibraryInfoWrapperPass>(); AU.addRequired<TargetLibraryInfoWrapperPass>();
dvyukovUnsubmitted
Not Done
ReplyInline Actions

Looks like a bug in clang-format. Why is it 3 spaces here? All other members start with 2 and 2 is the proper style.

dvyukov: Looks like a bug in clang-format. Why is it 3 spaces here? All other members start with 2 and 2…
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

I think this is being caused by me formatting the diff, not the whole file.
clang-format handles this case correctly in the wild.

glider: I think this is being caused by me formatting the diff, not the whole file. clang-format…
} }
bool runOnFunction(Function &F) override; bool runOnFunction(Function &F) override;
bool doInitialization(Module &M) override; bool doInitialization(Module &M) override;
private: private:
friend struct MemorySanitizerVisitor; friend struct MemorySanitizerVisitor;
friend struct VarArgAMD64Helper; friend struct VarArgAMD64Helper;
friend struct VarArgMIPS64Helper; friend struct VarArgMIPS64Helper;
friend struct VarArgAArch64Helper; friend struct VarArgAArch64Helper;
friend struct VarArgPowerPC64Helper; friend struct VarArgPowerPC64Helper;
void initializeCallbacks(Module &M); void initializeCallbacks(Module &M);
void createKernelApi(Module &M);
void createUserspaceApi(Module &M); void createUserspaceApi(Module &M);
/// True if we're compiling the Linux kernel.
bool CompileKernel;
/// Track origins (allocation points) of uninitialized values. /// Track origins (allocation points) of uninitialized values.
int TrackOrigins; int TrackOrigins;
bool Recover; bool Recover;
LLVMContext *C; LLVMContext *C;
Type *IntptrTy; Type *IntptrTy;
Type *OriginTy; Type *OriginTy;
// XxxTLS variables represent the per-thread state in MSan and per-task state
// in KMSAN.
// For the userspace these point to thread-local globals. In the kernel land
// they point to the members of a per-task struct obtained via a call to
// __msan_get_context_state().
/// Thread-local shadow storage for function parameters. /// Thread-local shadow storage for function parameters.
GlobalVariable *ParamTLS; Value *ParamTLS;
/// Thread-local origin storage for function parameters. /// Thread-local origin storage for function parameters.
GlobalVariable *ParamOriginTLS; Value *ParamOriginTLS;
/// Thread-local shadow storage for function return value. /// Thread-local shadow storage for function return value.
GlobalVariable *RetvalTLS; Value *RetvalTLS;
/// Thread-local origin storage for function return value. /// Thread-local origin storage for function return value.
GlobalVariable *RetvalOriginTLS; Value *RetvalOriginTLS;
/// Thread-local shadow storage for in-register va_arg function /// Thread-local shadow storage for in-register va_arg function
/// parameters (x86_64-specific). /// parameters (x86_64-specific).
GlobalVariable *VAArgTLS; Value *VAArgTLS;
/// Thread-local shadow storage for in-register va_arg function
/// parameters (x86_64-specific, KMSAN only).
Value *VAArgOriginTLS;
/// Thread-local shadow storage for va_arg overflow area /// Thread-local shadow storage for va_arg overflow area
/// (x86_64-specific). /// (x86_64-specific).
GlobalVariable *VAArgOverflowSizeTLS; Value *VAArgOverflowSizeTLS;
/// Thread-local space used to pass origin value to the UMR reporting /// Thread-local space used to pass origin value to the UMR reporting
/// function. /// function.
GlobalVariable *OriginTLS; Value *OriginTLS;
/// Are the instrumentation callbacks set up? /// Are the instrumentation callbacks set up?
bool CallbacksInitialized = false; bool CallbacksInitialized = false;
/// The run-time callback to print a warning. /// The run-time callback to print a warning.
Value *WarningFn; Value *WarningFn;
// These arrays are indexed by log2(AccessSize). // These arrays are indexed by log2(AccessSize).
Show All 9 Linesprivate:
/// Run-time helper that records a store (or any event) of an /// Run-time helper that records a store (or any event) of an
/// uninitialized value and returns an updated origin id encoding this info. /// uninitialized value and returns an updated origin id encoding this info.
Value *MsanChainOriginFn; Value *MsanChainOriginFn;
/// MSan runtime replacements for memmove, memcpy and memset. /// MSan runtime replacements for memmove, memcpy and memset.
Value *MemmoveFn, *MemcpyFn, *MemsetFn; Value *MemmoveFn, *MemcpyFn, *MemsetFn;
/// KMSAN callback for task-local function argument shadow.
Value *MsanGetContextStateFn;
/// Functions for poisoning/unpoisoning local variables
Value *MsanPoisonAllocaFn, *MsanUnpoisonAllocaFn;
/// Each of the MsanMetadataPtrXxx functions returns a pair of shadow/origin
/// pointers.
Value *MsanMetadataPtrForLoadN, *MsanMetadataPtrForStoreN;
Value *MsanMetadataPtrForLoad_1_8[4];
Value *MsanMetadataPtrForStore_1_8[4];
/// Helper to choose between different MsanMetadataPtrXxx().
Value *getKmsanShadowOriginAccessFn(bool isStore, int size);
/// Memory map parameters used in application-to-shadow calculation. /// Memory map parameters used in application-to-shadow calculation.
const MemoryMapParams *MapParams; const MemoryMapParams *MapParams;
/// Custom memory map parameters used when -msan-shadow-base or /// Custom memory map parameters used when -msan-shadow-base or
// -msan-origin-base is provided. // -msan-origin-base is provided.
MemoryMapParams CustomMapParams; MemoryMapParams CustomMapParams;
MDNode *ColdCallWeights; MDNode *ColdCallWeights;
Show All 14 Lines
INITIALIZE_PASS_BEGIN( INITIALIZE_PASS_BEGIN(
MemorySanitizer, "msan", MemorySanitizer, "msan",
"MemorySanitizer: detects uninitialized reads.", false, false) "MemorySanitizer: detects uninitialized reads.", false, false)
INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass) INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)
INITIALIZE_PASS_END( INITIALIZE_PASS_END(
MemorySanitizer, "msan", MemorySanitizer, "msan",
"MemorySanitizer: detects uninitialized reads.", false, false) "MemorySanitizer: detects uninitialized reads.", false, false)
FunctionPass *llvm::createMemorySanitizerPass(int TrackOrigins, bool Recover) { FunctionPass *llvm::createMemorySanitizerPass(int TrackOrigins, bool Recover,
return new MemorySanitizer(TrackOrigins, Recover); bool CompileKernel) {
return new MemorySanitizer(TrackOrigins, Recover, CompileKernel);
} }
/// Create a non-const global initialized with the given string. /// Create a non-const global initialized with the given string.
/// ///
/// Creates a writable global for Str so that we can pass it to the /// Creates a writable global for Str so that we can pass it to the
/// run-time lib. Runtime uses first 4 bytes of the string to store the /// run-time lib. Runtime uses first 4 bytes of the string to store the
/// frame ID, so the string needs to be mutable. /// frame ID, so the string needs to be mutable.
static GlobalVariable *createPrivateNonConstGlobalForString(Module &M, static GlobalVariable *createPrivateNonConstGlobalForString(Module &M,
StringRef Str) { StringRef Str) {
Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);
return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/false, return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/false,
GlobalValue::PrivateLinkage, StrConst, ""); GlobalValue::PrivateLinkage, StrConst, "");
} }
/// Create KMSAN API callbacks.
void MemorySanitizer::createKernelApi(Module &M) {
IRBuilder<> IRB(*C);
// These will be initialized in insertKmsanPrologue().
RetvalTLS = nullptr;
RetvalOriginTLS = nullptr;
ParamTLS = nullptr;
ParamOriginTLS = nullptr;
VAArgTLS = nullptr;
VAArgOriginTLS = nullptr;
VAArgOverflowSizeTLS = nullptr;
// OriginTLS is unused in the kernel.
OriginTLS = nullptr;
// __msan_warning() in the kernel takes an origin.
WarningFn = M.getOrInsertFunction("__msan_warning", IRB.getVoidTy(),
IRB.getInt32Ty());
// Requests the per-task context state (kmsan_context_state*) from the
// runtime library.
MsanGetContextStateFn = M.getOrInsertFunction(
"__msan_get_context_state",
PointerType::get(
StructType::get(ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8),
ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
ArrayType::get(IRB.getInt64Ty(),
kParamTLSSize / 8), /* va_arg_origin */
IRB.getInt64Ty(),
ArrayType::get(OriginTy, kParamTLSSize / 4), OriginTy,
OriginTy),
0));
Type *RetTy = StructType::get(PointerType::get(IRB.getInt8Ty(), 0),
PointerType::get(IRB.getInt32Ty(), 0));
dvyukovUnsubmitted
Not Done
ReplyInline Actions

ShadowOriginStruct seems to be used only in the loop below. So drop it and use the actual types in the loop.

dvyukov: ShadowOriginStruct seems to be used only in the loop below. So drop it and use the actual types…
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

This is a legacy, will remove.

glider: This is a legacy, will remove.
for (int ind = 0, size = 1; ind < 4; ind++, size <<= 1) {
std::string name_load =
"__msan_metadata_ptr_for_load_" + std::to_string(size);
std::string name_store =
"__msan_metadata_ptr_for_store_" + std::to_string(size);
MsanMetadataPtrForLoad_1_8[ind] = M.getOrInsertFunction(
name_load, RetTy, PointerType::get(IRB.getInt8Ty(), 0));
MsanMetadataPtrForStore_1_8[ind] = M.getOrInsertFunction(
name_store, RetTy, PointerType::get(IRB.getInt8Ty(), 0));
}
MsanMetadataPtrForLoadN = M.getOrInsertFunction(
"__msan_metadata_ptr_for_load_n", RetTy,
PointerType::get(IRB.getInt8Ty(), 0), IRB.getInt64Ty());
MsanMetadataPtrForStoreN = M.getOrInsertFunction(
"__msan_metadata_ptr_for_store_n", RetTy,
PointerType::get(IRB.getInt8Ty(), 0), IRB.getInt64Ty());
// Functions for poisoning and unpoisoning memory.
MsanPoisonAllocaFn =
M.getOrInsertFunction("__msan_poison_alloca", IRB.getVoidTy(),
IRB.getInt8PtrTy(), IntptrTy, IRB.getInt8PtrTy());
MsanUnpoisonAllocaFn = M.getOrInsertFunction(
"__msan_unpoison_alloca", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy);
}
/// Insert declarations for userspace-specific functions and globals. /// Insert declarations for userspace-specific functions and globals.
void MemorySanitizer::createUserspaceApi(Module &M) { void MemorySanitizer::createUserspaceApi(Module &M) {
IRBuilder<> IRB(*C); IRBuilder<> IRB(*C);
// Create the callback. // Create the callback.
// FIXME: this function should have "Cold" calling conv, // FIXME: this function should have "Cold" calling conv,
// which is not yet implemented. // which is not yet implemented.
StringRef WarningFnName = Recover ? "__msan_warning" StringRef WarningFnName = Recover ? "__msan_warning"
: "__msan_warning_noreturn"; : "__msan_warning_noreturn";
WarningFn = M.getOrInsertFunction(WarningFnName, IRB.getVoidTy()); WarningFn = M.getOrInsertFunction(WarningFnName, IRB.getVoidTy());
// Create the global TLS variables. // Create the global TLS variables.
eugenisUnsubmitted
Not Done
ReplyInline Actions

What are these, why do they have "_arg_" in the name but not in the description, and why are they not used?

eugenis: What are these, why do they have "_arg_" in the name but not in the description, and why are…
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Removed these.

glider: Removed these.
RetvalTLS = new GlobalVariable( RetvalTLS = new GlobalVariable(
M, ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8), false, M, ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8), false,
GlobalVariable::ExternalLinkage, nullptr, "__msan_retval_tls", nullptr, GlobalVariable::ExternalLinkage, nullptr, "__msan_retval_tls", nullptr,
GlobalVariable::InitialExecTLSModel); GlobalVariable::InitialExecTLSModel);
dvyukovUnsubmitted
Not Done
ReplyInline Actions

The interface looks bulky because of distinction between arg/param/retval/va_arg. It feels that we put too much details into the interface, such interfaces are usually unstable. Is it possible to combine all that data into a single struct including shadow and origins (for user-space as well) and then have just single function that requests data at offsets of that struct? Or maybe just returns a pointer to the thread-local struct. I should also reduce amount of differences between kernel and userspace.

We could go further and reuse __kmsan_load/store_shadow_origin functions by giving then some magic address that mean TLS. Not sure if it will be good or not.

dvyukov: The interface looks bulky because of distinction between arg/param/retval/va_arg. It feels that…
dvyukovUnsubmitted
Not Done
ReplyInline Actions

Note that we can't version compiler and kernel atomically. This interface will have to stay basically forever. If we will want to improve it later, we will only make situation worse because we will have to support 2 interfaces.

dvyukov: Note that we can't version compiler and kernel atomically. This interface will have to stay…
eugenisUnsubmitted
Not Done
ReplyInline Actions

Are you sure there is no way to version compiler and the runtime atomically? As I imagine, the part that must be in sync with the kernel is basically shadow mapping and the bool are_we_initialized_already() function. Is it possible to make that the forever-stable interface, and tie everything on top of it to the compiler?

eugenis: Are you sure there is no way to version compiler and the runtime atomically? As I imagine, the…
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Are you sure there is no way to version compiler and the runtime atomically?

If we're talking about the runtime residing in the upstream kernel, then yes.
Clang versions live long, so if we ever introduce a new API version, then the kernel will have to support all the existing versions.

As I imagine, the part that must be in sync with the kernel is basically shadow mapping and the bool are_we_initialized_already() function.

Neither is currently part of the compiler API. The kernel allocates the shadow on per-page basis (i.e. shadow is non-contiguous), and these details better be abstracted from the instrumentation.

Is it possible to make that the forever-stable interface, and tie everything on top of it to the compiler?

If we treat the userspace shadow mapping as an example of such a stable interface, we see that it's not enough (e.g. handling va_args require additional globals or functions).
The question is basically whether right now MSan interface is stable enough, or will there be changes to it in the future.

glider: > Are you sure there is no way to version compiler and the runtime atomically? If we're talking…
eugenisUnsubmitted
Not Done
ReplyInline Actions

That would be an ABI break on Linux. And hiding the arg/param/retval/etc details in a struct does not make the interface any more stable.
On the other hand, it makes the interface simpler, so if you think you can do it just for the kernel w/o complicating the runtime library too much, then go for it.

eugenis: That would be an ABI break on Linux. And hiding the arg/param/retval/etc details in a struct…
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

On the other hand, it makes the interface simpler, so if you think you can do it just for the kernel w/o complicating the runtime library too much, then go for it.

Ok, I'll make this change just for the kernel.

glider: > On the other hand, it makes the interface simpler, so if you think you can do it just for the…
RetvalOriginTLS = new GlobalVariable( RetvalOriginTLS = new GlobalVariable(
M, OriginTy, false, GlobalVariable::ExternalLinkage, nullptr, M, OriginTy, false, GlobalVariable::ExternalLinkage, nullptr,
"__msan_retval_origin_tls", nullptr, GlobalVariable::InitialExecTLSModel); "__msan_retval_origin_tls", nullptr, GlobalVariable::InitialExecTLSModel);
ParamTLS = new GlobalVariable( ParamTLS = new GlobalVariable(
M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false, M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false,
GlobalVariable::ExternalLinkage, nullptr, "__msan_param_tls", nullptr, GlobalVariable::ExternalLinkage, nullptr, "__msan_param_tls", nullptr,
GlobalVariable::InitialExecTLSModel); GlobalVariable::InitialExecTLSModel);
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

@eugenis: Dima suggested we merge all msan_XXX_tls globals into a single struct, this way I can replace all the kmsan_get_XXX_tls() callbacks with a single one.
WDYT?

glider: @eugenis: Dima suggested we merge all __msan_XXX_tls globals into a single struct, this way I…
ParamOriginTLS = new GlobalVariable( ParamOriginTLS = new GlobalVariable(
M, ArrayType::get(OriginTy, kParamTLSSize / 4), false, M, ArrayType::get(OriginTy, kParamTLSSize / 4), false,
GlobalVariable::ExternalLinkage, nullptr, "__msan_param_origin_tls", GlobalVariable::ExternalLinkage, nullptr, "__msan_param_origin_tls",
nullptr, GlobalVariable::InitialExecTLSModel); nullptr, GlobalVariable::InitialExecTLSModel);
VAArgTLS = new GlobalVariable( VAArgTLS = new GlobalVariable(
M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false, M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false,
GlobalVariable::ExternalLinkage, nullptr, "__msan_va_arg_tls", nullptr, GlobalVariable::ExternalLinkage, nullptr, "__msan_va_arg_tls", nullptr,
▲ Show 20 LinesShow All 48 Lines▼ Show 20 Linesvoid MemorySanitizer::initializeCallbacks(Module &M) {
MemsetFn = M.getOrInsertFunction( MemsetFn = M.getOrInsertFunction(
"__msan_memset", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt32Ty(), "__msan_memset", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt32Ty(),
IntptrTy); IntptrTy);
// We insert an empty inline asm after __msan_report* to avoid callback merge. // We insert an empty inline asm after __msan_report* to avoid callback merge.
EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
StringRef(""), StringRef(""), StringRef(""), StringRef(""),
/*hasSideEffects=*/true); /*hasSideEffects=*/true);
if (CompileKernel) {
createKernelApi(M);
} else {
createUserspaceApi(M); createUserspaceApi(M);
}
eugenisUnsubmitted
Done
ReplyInline Actions

Please invert this check.

eugenis: Please invert this check.
CallbacksInitialized = true; CallbacksInitialized = true;
} }
Value *MemorySanitizer::getKmsanShadowOriginAccessFn(bool isStore, int size) {
Value **Fns =
isStore ? MsanMetadataPtrForStore_1_8 : MsanMetadataPtrForLoad_1_8;
switch (size) {
case 1:
return Fns[0];
case 2:
return Fns[1];
case 4:
return Fns[2];
case 8:
return Fns[3];
default:
return nullptr;
}
}
/// Module-level initialization. /// Module-level initialization.
/// ///
/// inserts a call to __msan_init to the module's constructor list. /// inserts a call to __msan_init to the module's constructor list.
bool MemorySanitizer::doInitialization(Module &M) { bool MemorySanitizer::doInitialization(Module &M) {
auto &DL = M.getDataLayout(); auto &DL = M.getDataLayout();
bool ShadowPassed = ClShadowBase.getNumOccurrences() > 0; bool ShadowPassed = ClShadowBase.getNumOccurrences() > 0;
bool OriginPassed = ClOriginBase.getNumOccurrences() > 0; bool OriginPassed = ClOriginBase.getNumOccurrences() > 0;
▲ Show 20 LinesShow All 60 Lines▼ Show 20 Linesbool MemorySanitizer::doInitialization(Module &M) {
C = &(M.getContext()); C = &(M.getContext());
IRBuilder<> IRB(*C); IRBuilder<> IRB(*C);
IntptrTy = IRB.getIntPtrTy(DL); IntptrTy = IRB.getIntPtrTy(DL);
OriginTy = IRB.getInt32Ty(); OriginTy = IRB.getInt32Ty();
ColdCallWeights = MDBuilder(*C).createBranchWeights(1, 1000); ColdCallWeights = MDBuilder(*C).createBranchWeights(1, 1000);
OriginStoreWeights = MDBuilder(*C).createBranchWeights(1, 1000); OriginStoreWeights = MDBuilder(*C).createBranchWeights(1, 1000);
if (!CompileKernel) {
std::tie(MsanCtorFunction, std::ignore) = std::tie(MsanCtorFunction, std::ignore) =
createSanitizerCtorAndInitFunctions(M, kMsanModuleCtorName, kMsanInitName, createSanitizerCtorAndInitFunctions(M, kMsanModuleCtorName,
kMsanInitName,
/*InitArgTypes=*/{}, /*InitArgTypes=*/{},
/*InitArgs=*/{}); /*InitArgs=*/{});
if (ClWithComdat) { if (ClWithComdat) {
Comdat *MsanCtorComdat = M.getOrInsertComdat(kMsanModuleCtorName); Comdat *MsanCtorComdat = M.getOrInsertComdat(kMsanModuleCtorName);
MsanCtorFunction->setComdat(MsanCtorComdat); MsanCtorFunction->setComdat(MsanCtorComdat);
appendToGlobalCtors(M, MsanCtorFunction, 0, MsanCtorFunction); appendToGlobalCtors(M, MsanCtorFunction, 0, MsanCtorFunction);
} else { } else {
appendToGlobalCtors(M, MsanCtorFunction, 0); appendToGlobalCtors(M, MsanCtorFunction, 0);
} }
if (TrackOrigins) if (TrackOrigins)
new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage, new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage,
IRB.getInt32(TrackOrigins), "__msan_track_origins"); IRB.getInt32(TrackOrigins), "__msan_track_origins");
if (Recover) if (Recover)
new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage, new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage,
IRB.getInt32(Recover), "__msan_keep_going"); IRB.getInt32(Recover), "__msan_keep_going");
}
return true; return true;
} }
namespace { namespace {
/// A helper class that handles instrumentation of VarArg /// A helper class that handles instrumentation of VarArg
/// functions on a particular platform. /// functions on a particular platform.
/// ///
▲ Show 20 LinesShow All 77 Lines▼ Show 20 Lines MemorySanitizerVisitor(Function &F, MemorySanitizer &MS)
PoisonStack = SanitizeFunction && ClPoisonStack; PoisonStack = SanitizeFunction && ClPoisonStack;
PoisonUndef = SanitizeFunction && ClPoisonUndef; PoisonUndef = SanitizeFunction && ClPoisonUndef;
// FIXME: Consider using SpecialCaseList to specify a list of functions that // FIXME: Consider using SpecialCaseList to specify a list of functions that
// must always return fully initialized values. For now, we hardcode "main". // must always return fully initialized values. For now, we hardcode "main".
CheckReturnValue = SanitizeFunction && (F.getName() == "main"); CheckReturnValue = SanitizeFunction && (F.getName() == "main");
TLI = &MS.getAnalysis<TargetLibraryInfoWrapperPass>().getTLI(); TLI = &MS.getAnalysis<TargetLibraryInfoWrapperPass>().getTLI();
MS.initializeCallbacks(*F.getParent()); MS.initializeCallbacks(*F.getParent());
if (MS.CompileKernel)
ActualFnStart = insertKmsanPrologue(F);
else
ActualFnStart = &F.getEntryBlock(); ActualFnStart = &F.getEntryBlock();
LLVM_DEBUG(if (!InsertChecks) dbgs() LLVM_DEBUG(if (!InsertChecks) dbgs()
<< "MemorySanitizer is not inserting checks into '" << "MemorySanitizer is not inserting checks into '"
<< F.getName() << "'\n"); << F.getName() << "'\n");
} }
Value *updateOrigin(Value *V, IRBuilder<> &IRB) { Value *updateOrigin(Value *V, IRBuilder<> &IRB) {
if (MS.TrackOrigins <= 1) return V; if (MS.TrackOrigins <= 1) return V;
▲ Show 20 LinesShow All 57 Lines▼ Show 20 Lines if (Shadow->getType()->isAggregateType()) {
paintOrigin(IRB, updateOrigin(Origin, IRB), OriginPtr, StoreSize, paintOrigin(IRB, updateOrigin(Origin, IRB), OriginPtr, StoreSize,
OriginAlignment); OriginAlignment);
return; return;
} }
unsigned TypeSizeInBits = unsigned TypeSizeInBits =
DL.getTypeSizeInBits(ConvertedShadow->getType()); DL.getTypeSizeInBits(ConvertedShadow->getType());
unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits); unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
if (AsCall && SizeIndex < kNumberOfAccessSizes) { if (AsCall && SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
Value *Fn = MS.MaybeStoreOriginFn[SizeIndex]; Value *Fn = MS.MaybeStoreOriginFn[SizeIndex];
Value *ConvertedShadow2 = IRB.CreateZExt( Value *ConvertedShadow2 = IRB.CreateZExt(
ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex))); ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
IRB.CreateCall(Fn, {ConvertedShadow2, IRB.CreateCall(Fn, {ConvertedShadow2,
IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()), IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()),
Origin}); Origin});
} else { } else {
Value *Cmp = IRB.CreateICmpNE( Value *Cmp = IRB.CreateICmpNE(
Show All 16 Lines for (StoreInst *SI : StoreList) {
Value *ShadowPtr, *OriginPtr; Value *ShadowPtr, *OriginPtr;
Type *ShadowTy = Shadow->getType(); Type *ShadowTy = Shadow->getType();
unsigned Alignment = SI->getAlignment(); unsigned Alignment = SI->getAlignment();
unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment); unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment);
std::tie(ShadowPtr, OriginPtr) = std::tie(ShadowPtr, OriginPtr) =
getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ true); getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ true);
StoreInst *NewSI = IRB.CreateAlignedStore(Shadow, ShadowPtr, Alignment); StoreInst *NewSI = IRB.CreateAlignedStore(Shadow, ShadowPtr, Alignment);
LLVM_DEBUG(dbgs() << " STORE: " << *NewSI << "\n"); LLVM_DEBUG(dbgs() << " STORE: " << *NewSI << "\n");
(void)NewSI; (void)NewSI;
eugenisUnsubmitted
Done
ReplyInline Actions

Please rebase on ToT.

eugenis: Please rebase on ToT.
if (SI->isAtomic()) if (SI->isAtomic())
SI->setOrdering(addReleaseOrdering(SI->getOrdering())); SI->setOrdering(addReleaseOrdering(SI->getOrdering()));
if (MS.TrackOrigins && !SI->isAtomic()) if (MS.TrackOrigins && !SI->isAtomic())
storeOrigin(IRB, Addr, Shadow, getOrigin(Val), OriginPtr, storeOrigin(IRB, Addr, Shadow, getOrigin(Val), OriginPtr,
OriginAlignment, InstrumentWithCalls); OriginAlignment, InstrumentWithCalls);
} }
} }
/// Helper function to insert a warning at IRB's current insert point. /// Helper function to insert a warning at IRB's current insert point.
void insertWarningFn(IRBuilder<> &IRB, Value *Origin) { void insertWarningFn(IRBuilder<> &IRB, Value *Origin) {
if (!Origin) if (!Origin)
Origin = (Value *)IRB.getInt32(0); Origin = (Value *)IRB.getInt32(0);
if (MS.CompileKernel) {
IRB.CreateCall(MS.WarningFn, Origin);
} else {
if (MS.TrackOrigins) { if (MS.TrackOrigins) {
IRB.CreateStore(Origin, MS.OriginTLS); IRB.CreateStore(Origin, MS.OriginTLS);
} }
IRB.CreateCall(MS.WarningFn, {}); IRB.CreateCall(MS.WarningFn, {});
eugenisUnsubmitted
Done
ReplyInline Actions

Invert this check, and a few others below.

eugenis: Invert this check, and a few others below.
}
IRB.CreateCall(MS.EmptyAsm, {}); IRB.CreateCall(MS.EmptyAsm, {});
// FIXME: Insert UnreachableInst if !MS.Recover? // FIXME: Insert UnreachableInst if !MS.Recover?
// This may invalidate some of the following checks and needs to be done // This may invalidate some of the following checks and needs to be done
// at the very end. // at the very end.
} }
void materializeOneCheck(Instruction *OrigIns, Value *Shadow, Value *Origin, void materializeOneCheck(Instruction *OrigIns, Value *Shadow, Value *Origin,
bool AsCall) { bool AsCall) {
Show All 9 Lines if (ConstantShadow) {
} }
return; return;
} }
const DataLayout &DL = OrigIns->getModule()->getDataLayout(); const DataLayout &DL = OrigIns->getModule()->getDataLayout();
unsigned TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType()); unsigned TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType());
unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits); unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
if (AsCall && SizeIndex < kNumberOfAccessSizes) { if (AsCall && SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
Value *Fn = MS.MaybeWarningFn[SizeIndex]; Value *Fn = MS.MaybeWarningFn[SizeIndex];
Value *ConvertedShadow2 = Value *ConvertedShadow2 =
IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex))); IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
IRB.CreateCall(Fn, {ConvertedShadow2, MS.TrackOrigins && Origin IRB.CreateCall(Fn, {ConvertedShadow2, MS.TrackOrigins && Origin
? Origin ? Origin
: (Value *)IRB.getInt32(0)}); : (Value *)IRB.getInt32(0)});
} else { } else {
Value *Cmp = IRB.CreateICmpNE(ConvertedShadow, Value *Cmp = IRB.CreateICmpNE(ConvertedShadow,
getCleanShadow(ConvertedShadow), "_mscmp"); getCleanShadow(ConvertedShadow), "_mscmp");
Instruction *CheckTerm = SplitBlockAndInsertIfThen( Instruction *CheckTerm = SplitBlockAndInsertIfThen(
eugenisUnsubmitted
Done
ReplyInline Actions

There is some code duplication between this function and materializeStoresUserspace. It could be better to implement a kernel-specific storeOrigin() and keep this one common.

eugenis: There is some code duplication between this function and materializeStoresUserspace. It could…
Cmp, OrigIns, Cmp, OrigIns,
/* Unreachable */ !MS.Recover, MS.ColdCallWeights); /* Unreachable */ !MS.Recover, MS.ColdCallWeights);
IRB.SetInsertPoint(CheckTerm); IRB.SetInsertPoint(CheckTerm);
insertWarningFn(IRB, Origin); insertWarningFn(IRB, Origin);
LLVM_DEBUG(dbgs() << " CHECK: " << *Cmp << "\n"); LLVM_DEBUG(dbgs() << " CHECK: " << *Cmp << "\n");
} }
} }
void materializeChecks(bool InstrumentWithCalls) { void materializeChecks(bool InstrumentWithCalls) {
for (const auto &ShadowData : InstrumentationList) { for (const auto &ShadowData : InstrumentationList) {
Instruction *OrigIns = ShadowData.OrigIns; Instruction *OrigIns = ShadowData.OrigIns;
Value *Shadow = ShadowData.Shadow; Value *Shadow = ShadowData.Shadow;
Value *Origin = ShadowData.Origin; Value *Origin = ShadowData.Origin;
materializeOneCheck(OrigIns, Shadow, Origin, InstrumentWithCalls); materializeOneCheck(OrigIns, Shadow, Origin, InstrumentWithCalls);
eugenisUnsubmitted
Done
ReplyInline Actions

When can origin be less than 32 bit?

eugenis: When can origin be less than 32 bit?
} }
LLVM_DEBUG(dbgs() << "DONE:\n" << F); LLVM_DEBUG(dbgs() << "DONE:\n" << F);
} }
BasicBlock *insertKmsanPrologue(Function &F) {
BasicBlock *ret =
SplitBlock(&F.getEntryBlock(), F.getEntryBlock().getFirstNonPHI());
IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI());
Value *ContextState = IRB.CreateCall(MS.MsanGetContextStateFn, {});
Constant *Zero = IRB.getInt32(0);
MS.ParamTLS =
IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(0)}, "param_shadow");
MS.RetvalTLS =
IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(1)}, "retval_shadow");
MS.VAArgTLS =
IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(2)}, "va_arg_shadow");
MS.VAArgOriginTLS =
IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(3)}, "va_arg_origin");
MS.VAArgOverflowSizeTLS = IRB.CreateGEP(
ContextState, {Zero, IRB.getInt32(4)}, "va_arg_overflow_size");
MS.ParamOriginTLS =
IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(5)}, "param_origin");
MS.RetvalOriginTLS =
IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(6)}, "retval_origin");
return ret;
}
/// Add MemorySanitizer instrumentation to a function. /// Add MemorySanitizer instrumentation to a function.
bool runOnFunction() { bool runOnFunction() {
// In the presence of unreachable blocks, we may see Phi nodes with // In the presence of unreachable blocks, we may see Phi nodes with
// incoming nodes from such blocks. Since InstVisitor skips unreachable // incoming nodes from such blocks. Since InstVisitor skips unreachable
// blocks, such nodes will not have any shadow value associated with them. // blocks, such nodes will not have any shadow value associated with them.
// It's easier to remove unreachable blocks than deal with missing shadow. // It's easier to remove unreachable blocks than deal with missing shadow.
removeUnreachableBlocks(F); removeUnreachableBlocks(F);
▲ Show 20 LinesShow All 132 Lines▼ Show 20 Lines if (MS.TrackOrigins) {
IRB.CreateAnd(OriginLong, ConstantInt::get(MS.IntptrTy, ~Mask)); IRB.CreateAnd(OriginLong, ConstantInt::get(MS.IntptrTy, ~Mask));
} }
OriginPtr = OriginPtr =
IRB.CreateIntToPtr(OriginLong, PointerType::get(IRB.getInt32Ty(), 0)); IRB.CreateIntToPtr(OriginLong, PointerType::get(IRB.getInt32Ty(), 0));
} }
return std::make_pair(ShadowPtr, OriginPtr); return std::make_pair(ShadowPtr, OriginPtr);
} }
std::pair<Value *, Value *>
getShadowOriginPtrKernel(Value *Addr, IRBuilder<> &IRB, Type *ShadowTy,
unsigned Alignment, bool isStore) {
Value *ShadowOriginPtrs;
const DataLayout &DL = F.getParent()->getDataLayout();
int Size = DL.getTypeStoreSize(ShadowTy);
Value *Getter = MS.getKmsanShadowOriginAccessFn(isStore, Size);
eugenisUnsubmitted
Done
ReplyInline Actions

I think you want DL.getTypeStoreSize() here.

eugenis: I think you want DL.getTypeStoreSize() here.
Value *AddrCast =
IRB.CreatePointerCast(Addr, PointerType::get(IRB.getInt8Ty(), 0));
if (Getter) {
ShadowOriginPtrs = IRB.CreateCall(Getter, AddrCast);
} else {
Value *SizeVal = ConstantInt::get(MS.IntptrTy, Size);
ShadowOriginPtrs = IRB.CreateCall(isStore ? MS.MsanMetadataPtrForStoreN
: MS.MsanMetadataPtrForLoadN,
{AddrCast, SizeVal});
}
Value *ShadowPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 0);
ShadowPtr = IRB.CreatePointerCast(ShadowPtr, PointerType::get(ShadowTy, 0));
Value *OriginPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 1);
return std::make_pair(ShadowPtr, OriginPtr);
}
std::pair<Value *, Value *> getShadowOriginPtr(Value *Addr, IRBuilder<> &IRB, std::pair<Value *, Value *> getShadowOriginPtr(Value *Addr, IRBuilder<> &IRB,
Type *ShadowTy, Type *ShadowTy,
unsigned Alignment, unsigned Alignment,
bool isStore) { bool isStore) {
std::pair<Value *, Value *> ret = std::pair<Value *, Value *> ret;
getShadowOriginPtrUserspace(Addr, IRB, ShadowTy, Alignment); if (MS.CompileKernel)
ret = getShadowOriginPtrKernel(Addr, IRB, ShadowTy, Alignment, isStore);
else
ret = getShadowOriginPtrUserspace(Addr, IRB, ShadowTy, Alignment);
return ret; return ret;
} }
/// Compute the shadow address for a given function argument. /// Compute the shadow address for a given function argument.
/// ///
/// Shadow = ParamTLS+ArgOffset. /// Shadow = ParamTLS+ArgOffset.
Value *getShadowPtrForArgument(Value *A, IRBuilder<> &IRB, Value *getShadowPtrForArgument(Value *A, IRBuilder<> &IRB,
int ArgOffset) { int ArgOffset) {
Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy); Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy);
if (ArgOffset) if (ArgOffset)
Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0), return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0),
"_msarg"); "_msarg");
} }
/// Compute the origin address for a given function argument. /// Compute the origin address for a given function argument.
Value *getOriginPtrForArgument(Value *A, IRBuilder<> &IRB, Value *getOriginPtrForArgument(Value *A, IRBuilder<> &IRB,
int ArgOffset) { int ArgOffset) {
if (!MS.TrackOrigins) return nullptr; if (!MS.TrackOrigins)
return nullptr;
Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy); Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy);
if (ArgOffset) if (ArgOffset)
Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0), return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
"_msarg_o"); "_msarg_o");
} }
/// Compute the shadow address for a retval. /// Compute the shadow address for a retval.
▲ Show 20 LinesShow All 120 Lines▼ Show 20 Lines if (Argument *A = dyn_cast<Argument>(V)) {
// argument shadow to the underlying memory. // argument shadow to the underlying memory.
// Figure out maximal valid memcpy alignment. // Figure out maximal valid memcpy alignment.
unsigned ArgAlign = FArg.getParamAlignment(); unsigned ArgAlign = FArg.getParamAlignment();
if (ArgAlign == 0) { if (ArgAlign == 0) {
Type *EltType = A->getType()->getPointerElementType(); Type *EltType = A->getType()->getPointerElementType();
ArgAlign = DL.getABITypeAlignment(EltType); ArgAlign = DL.getABITypeAlignment(EltType);
} }
Value *CpShadowPtr = Value *CpShadowPtr =
getShadowOriginPtr(V, EntryIRB, EntryIRB.getInt8Ty(), ArgAlign, getShadowOriginPtr(V, EntryIRB, EntryIRB.getInt8Ty(), ArgAlign,
eugenisUnsubmitted
Done
ReplyInline Actions

std::ignore instead of CpOriginPtr to avoid unused variable warning? Or is the compiler not smart enough to see that it is unused?

eugenis: std::ignore instead of CpOriginPtr to avoid unused variable warning? Or is the compiler not…
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Looks like it isn't.
But I've replaced the variable with std::ignore anyway.

glider: Looks like it isn't. But I've replaced the variable with std::ignore anyway.
eugenisUnsubmitted
Done
ReplyInline Actions

Hmm, now it is clear that this chunk does not do anything at all.
Revert it (but keep the TODO)?

eugenis: Hmm, now it is clear that this chunk does not do anything at all. Revert it (but keep the TODO)?
/*isStore*/ true) /*isStore*/ true)
.first; .first;
// TODO(glider): need to copy origins.
if (Overflow) { if (Overflow) {
// ParamTLS overflow. // ParamTLS overflow.
EntryIRB.CreateMemSet( EntryIRB.CreateMemSet(
CpShadowPtr, Constant::getNullValue(EntryIRB.getInt8Ty()), CpShadowPtr, Constant::getNullValue(EntryIRB.getInt8Ty()),
Size, ArgAlign); Size, ArgAlign);
} else { } else {
unsigned CopyAlign = std::min(ArgAlign, kShadowTLSAlignment); unsigned CopyAlign = std::min(ArgAlign, kShadowTLSAlignment);
Value *Cpy = EntryIRB.CreateMemCpy(CpShadowPtr, CopyAlign, Base, Value *Cpy = EntryIRB.CreateMemCpy(CpShadowPtr, CopyAlign, Base,
▲ Show 20 LinesShow All 162 Lines▼ Show 20 Lines if (MS.TrackOrigins) {
if (PropagateShadow) { if (PropagateShadow) {
unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment); unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment);
setOrigin(&I, IRB.CreateAlignedLoad(OriginPtr, OriginAlignment)); setOrigin(&I, IRB.CreateAlignedLoad(OriginPtr, OriginAlignment));
} else { } else {
setOrigin(&I, getCleanOrigin()); setOrigin(&I, getCleanOrigin());
} }
} }
} }
eugenisUnsubmitted
Not Done
ReplyInline Actions

I think this is the wrong level of abstraction. You don't want kernel-specific handling of LoadInst, you want kernel-specific primitives for writing and reading shadow. You can use them in handleVectorLoadIntrinsic as well as other similar places. Ideally, there should be no checks for MS.CompileKernel outside of such common utility functgions.

eugenis: I think this is the wrong level of abstraction. You don't want kernel-specific handling of…
/// Instrument StoreInst /// Instrument StoreInst
/// ///
/// Stores the corresponding shadow and (optionally) origin. /// Stores the corresponding shadow and (optionally) origin.
/// Optionally, checks that the store address is fully defined. /// Optionally, checks that the store address is fully defined.
void visitStoreInst(StoreInst &I) { void visitStoreInst(StoreInst &I) {
StoreList.push_back(&I); StoreList.push_back(&I);
if (ClCheckAccessAddress) if (ClCheckAccessAddress)
insertShadowCheck(I.getPointerOperand(), &I); insertShadowCheck(I.getPointerOperand(), &I);
▲ Show 20 LinesShow All 1,385 Lines▼ Show 20 Lines if (CS.isCall()) {
assert(!isa<IntrinsicInst>(&I) && "intrinsics are handled elsewhere"); assert(!isa<IntrinsicInst>(&I) && "intrinsics are handled elsewhere");
// We are going to insert code that relies on the fact that the callee // We are going to insert code that relies on the fact that the callee
// will become a non-readonly function after it is instrumented by us. To // will become a non-readonly function after it is instrumented by us. To
// prevent this code from being optimized out, mark that function // prevent this code from being optimized out, mark that function
// non-readonly in advance. // non-readonly in advance.
if (Function *Func = Call->getCalledFunction()) { if (Function *Func = Call->getCalledFunction()) {
// Clear out readonly/readnone attributes. // Clear out readonly/readnone attributes.
AttrBuilder B; AttrBuilder B;
eugenisUnsubmitted
Done
ReplyInline Actions

How can it be? The call to this function is inserted in the Kmsan prologue, and we specifically step over the prologue when running the visitor in runOnFunction.

eugenis: How can it be? The call to this function is inserted in the Kmsan prologue, and we specifically…
B.addAttribute(Attribute::ReadOnly) B.addAttribute(Attribute::ReadOnly)
.addAttribute(Attribute::ReadNone); .addAttribute(Attribute::ReadNone);
Func->removeAttributes(AttributeList::FunctionIndex, B); Func->removeAttributes(AttributeList::FunctionIndex, B);
} }
maybeMarkSanitizerLibraryCallNoBuiltin(Call, TLI); maybeMarkSanitizerLibraryCallNoBuiltin(Call, TLI);
} }
IRBuilder<> IRB(&I); IRBuilder<> IRB(&I);
Show All 21 Lines for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
const DataLayout &DL = F.getParent()->getDataLayout(); const DataLayout &DL = F.getParent()->getDataLayout();
if (CS.paramHasAttr(i, Attribute::ByVal)) { if (CS.paramHasAttr(i, Attribute::ByVal)) {
assert(A->getType()->isPointerTy() && assert(A->getType()->isPointerTy() &&
"ByVal argument is not a pointer!"); "ByVal argument is not a pointer!");
Size = DL.getTypeAllocSize(A->getType()->getPointerElementType()); Size = DL.getTypeAllocSize(A->getType()->getPointerElementType());
if (ArgOffset + Size > kParamTLSSize) break; if (ArgOffset + Size > kParamTLSSize) break;
unsigned ParamAlignment = CS.getParamAlignment(i); unsigned ParamAlignment = CS.getParamAlignment(i);
unsigned Alignment = std::min(ParamAlignment, kShadowTLSAlignment); unsigned Alignment = std::min(ParamAlignment, kShadowTLSAlignment);
Value *AShadowPtr = getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), Value *AShadowPtr =
Alignment, /*isStore*/ false) getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), Alignment,
/*isStore*/ false)
.first; .first;
Store = IRB.CreateMemCpy(ArgShadowBase, Alignment, AShadowPtr, Store = IRB.CreateMemCpy(ArgShadowBase, Alignment, AShadowPtr,
Alignment, Size); Alignment, Size);
// TODO(glider): need to copy origins.
} else { } else {
Size = DL.getTypeAllocSize(A->getType()); Size = DL.getTypeAllocSize(A->getType());
if (ArgOffset + Size > kParamTLSSize) break; if (ArgOffset + Size > kParamTLSSize) break;
Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase, Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase,
kShadowTLSAlignment); kShadowTLSAlignment);
Constant *Cst = dyn_cast<Constant>(ArgShadow); Constant *Cst = dyn_cast<Constant>(ArgShadow);
if (Cst && Cst->isNullValue()) ArgIsInitialized = true; if (Cst && Cst->isNullValue()) ArgIsInitialized = true;
} }
▲ Show 20 LinesShow All 90 Lines▼ Show 20 Lines void visitPHINode(PHINode &I) {
ShadowPHINodes.push_back(&I); ShadowPHINodes.push_back(&I);
setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(), setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(),
"_msphi_s")); "_msphi_s"));
if (MS.TrackOrigins) if (MS.TrackOrigins)
setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(), setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(),
"_msphi_o")); "_msphi_o"));
} }
void visitAllocaInst(AllocaInst &I) { Value *getLocalVarDescription(AllocaInst &I) {
setShadow(&I, getCleanShadow(&I));
setOrigin(&I, getCleanOrigin());
IRBuilder<> IRB(I.getNextNode());
const DataLayout &DL = F.getParent()->getDataLayout();
uint64_t TypeSize = DL.getTypeAllocSize(I.getAllocatedType());
Value *Len = ConstantInt::get(MS.IntptrTy, TypeSize);
if (I.isArrayAllocation())
Len = IRB.CreateMul(Len, I.getArraySize());
if (PoisonStack && ClPoisonStackWithCall) {
IRB.CreateCall(MS.MsanPoisonStackFn,
{IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len});
} else {
Value *ShadowBase = getShadowOriginPtr(&I, IRB, IRB.getInt8Ty(),
I.getAlignment(), /*isStore*/ true)
.first;
Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0);
IRB.CreateMemSet(ShadowBase, PoisonValue, Len, I.getAlignment());
}
if (PoisonStack && MS.TrackOrigins) {
SmallString<2048> StackDescriptionStorage; SmallString<2048> StackDescriptionStorage;
raw_svector_ostream StackDescription(StackDescriptionStorage); raw_svector_ostream StackDescription(StackDescriptionStorage);
// We create a string with a description of the stack allocation and // We create a string with a description of the stack allocation and
// pass it into __msan_set_alloca_origin. // pass it into __msan_set_alloca_origin.
// It will be printed by the run-time if stack-originated UMR is found. // It will be printed by the run-time if stack-originated UMR is found.
// The first 4 bytes of the string are set to '----' and will be replaced // The first 4 bytes of the string are set to '----' and will be replaced
// by __msan_va_arg_overflow_size_tls at the first call. // by __msan_va_arg_overflow_size_tls at the first call.
StackDescription << "----" << I.getName() << "@" << F.getName(); StackDescription << "----" << I.getName() << "@" << F.getName();
Value *Descr = return createPrivateNonConstGlobalForString(*F.getParent(),
createPrivateNonConstGlobalForString(*F.getParent(),
StackDescription.str()); StackDescription.str());
}
void instrumentAllocaUserspace(AllocaInst &I, IRBuilder<> &IRB, Value *Len) {
if (PoisonStack && ClPoisonStackWithCall) {
IRB.CreateCall(MS.MsanPoisonStackFn,
{IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len});
} else {
Value *ShadowBase, *OriginBase;
std::tie(ShadowBase, OriginBase) =
getShadowOriginPtr(&I, IRB, IRB.getInt8Ty(), 1, /*isStore*/ true);
Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0);
IRB.CreateMemSet(ShadowBase, PoisonValue, Len, I.getAlignment());
}
if (PoisonStack && MS.TrackOrigins) {
Value *Descr = getLocalVarDescription(I);
IRB.CreateCall(MS.MsanSetAllocaOrigin4Fn, IRB.CreateCall(MS.MsanSetAllocaOrigin4Fn,
{IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len, {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len,
IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy()), IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy()),
IRB.CreatePointerCast(&F, MS.IntptrTy)}); IRB.CreatePointerCast(&F, MS.IntptrTy)});
} }
} }
void instrumentAllocaKmsan(AllocaInst &I, IRBuilder<> &IRB, Value *Len) {
Value *Descr = getLocalVarDescription(I);
if (PoisonStack) {
IRB.CreateCall(MS.MsanPoisonAllocaFn,
eugenisUnsubmitted
Not Done
ReplyInline Actions

Could you explain why this function is passed return address (i.e. the caller pc)?

Why is this api so different from userspace?

eugenis: Could you explain why this function is passed return address (i.e. the caller pc)? Why is this…
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

It's too expensive to unwind the stack for each alloca, and __builtin_return_address(1) is unreliable, therefore we take the caller's return address to get two stack frames instead of one.

glider: It's too expensive to unwind the stack for each alloca, and __builtin_return_address(1) is…
eugenisUnsubmitted
Not Done
ReplyInline Actions

Is that because you can not use frame pointers in the kernel for some reason?

Looking at the code for __msan_poison_alloca in kmsan, with the loops and the hash tables and origin setting (with even more loops), I find it hard to believe that taking one or even several steps through FP chain would slow it down.

Note that when a function has more than one local variable, you are doing some redundant work.

Having said that, I don't really mind this change.

It would be nice to change the function name though, because it has very different semantics from the userspace function.

eugenis: Is that because you can not use frame pointers in the kernel for some reason? Looking at the…
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Is that because you can not use frame pointers in the kernel for some reason?

There are configurations that disable frame pointers and use a different unwinding scheme.

Looking at the code for __msan_poison_alloca in kmsan, with the loops and the hash tables and origin setting (with even more loops), I find it hard to believe that taking one or even several steps through FP chain would slow it down.

Fair point.

Note that when a function has more than one local variable, you are doing some redundant work.

It might be a good idea to cache the unwound stack somehow, e.g. call the unwinder at the function prologue.

Having said that, I don't really mind this change.

Looks like it really doesn't make any difference whether we pass the pc or unwind it.
I'd better drop it then.

It would be nice to change the function name though, because it has very different semantics from the userspace function.

It's already different :)
There's no __msan_poison_alloca in the userspace, we're defining it in createKernelApi()

glider: > Is that because you can not use frame pointers in the kernel for some reason? There are…
eugenisUnsubmitted
Not Done
ReplyInline Actions

It's already different :)
There's no __msan_poison_alloca in the userspace, we're defining it in createKernelApi()

Indeed.

eugenis: > It's already different :) > There's no __msan_poison_alloca in the userspace, we're defining…
{IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len,
IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy())});
} else {
IRB.CreateCall(MS.MsanUnpoisonAllocaFn,
{IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len});
}
}
void visitAllocaInst(AllocaInst &I) {
setShadow(&I, getCleanShadow(&I));
setOrigin(&I, getCleanOrigin());
IRBuilder<> IRB(I.getNextNode());
const DataLayout &DL = F.getParent()->getDataLayout();
uint64_t TypeSize = DL.getTypeAllocSize(I.getAllocatedType());
Value *Len = ConstantInt::get(MS.IntptrTy, TypeSize);
if (I.isArrayAllocation())
Len = IRB.CreateMul(Len, I.getArraySize());
if (MS.CompileKernel)
instrumentAllocaKmsan(I, IRB, Len);
else
instrumentAllocaUserspace(I, IRB, Len);
}
void visitSelectInst(SelectInst& I) { void visitSelectInst(SelectInst& I) {
IRBuilder<> IRB(&I); IRBuilder<> IRB(&I);
// a = select b, c, d // a = select b, c, d
Value *B = I.getCondition(); Value *B = I.getCondition();
Value *C = I.getTrueValue(); Value *C = I.getTrueValue();
Value *D = I.getFalseValue(); Value *D = I.getFalseValue();
Value *Sb = getShadow(B); Value *Sb = getShadow(B);
Value *Sc = getShadow(C); Value *Sc = getShadow(C);
▲ Show 20 LinesShow All 110 Lines▼ Show 20 Lines void visitCatchReturnInst(CatchReturnInst &CRI) {
LLVM_DEBUG(dbgs() << "CatchReturn: " << CRI << "\n"); LLVM_DEBUG(dbgs() << "CatchReturn: " << CRI << "\n");
// Nothing to do here. // Nothing to do here.
} }
void visitAsmInstruction(Instruction &I) { void visitAsmInstruction(Instruction &I) {
// Conservative inline assembly handling: check for poisoned shadow of // Conservative inline assembly handling: check for poisoned shadow of
// asm() arguments, then unpoison the result and all the memory locations // asm() arguments, then unpoison the result and all the memory locations
// pointed to by those arguments. // pointed to by those arguments.
CallInst *CI = dyn_cast<CallInst>(&I); CallInst *CI = dyn_cast<CallInst>(&I);
eugenisUnsubmitted
Done
ReplyInline Actions

Remove this.

eugenis: Remove this.
for (size_t i = 0, n = CI->getNumOperands(); i < n; i++) { for (size_t i = 0, n = CI->getNumOperands(); i < n; i++) {
Value *Operand = CI->getOperand(i); Value *Operand = CI->getOperand(i);
if (Operand->getType()->isSized()) if (Operand->getType()->isSized())
insertShadowCheck(Operand, &I); insertShadowCheck(Operand, &I);
} }
setShadow(&I, getCleanShadow(&I)); setShadow(&I, getCleanShadow(&I));
setOrigin(&I, getCleanOrigin()); setOrigin(&I, getCleanOrigin());
Show All 35 Lines
/// AMD64-specific implementation of VarArgHelper. /// AMD64-specific implementation of VarArgHelper.
struct VarArgAMD64Helper : public VarArgHelper { struct VarArgAMD64Helper : public VarArgHelper {
// An unfortunate workaround for asymmetric lowering of va_arg stuff. // An unfortunate workaround for asymmetric lowering of va_arg stuff.
// See a comment in visitCallSite for more details. // See a comment in visitCallSite for more details.
static const unsigned AMD64GpEndOffset = 48; // AMD64 ABI Draft 0.99.6 p3.5.7 static const unsigned AMD64GpEndOffset = 48; // AMD64 ABI Draft 0.99.6 p3.5.7
static const unsigned AMD64FpEndOffsetSSE = 176; static const unsigned AMD64FpEndOffsetSSE = 176;
// If SSE is disabled, fp_offset in va_list is zero. // If SSE is disabled, fp_offset in va_list is zero.
static const unsigned AMD64FpEndOffsetNoSSE = AMD64GpEndOffset; static const unsigned AMD64FpEndOffsetNoSSE = AMD64GpEndOffset;
eugenisUnsubmitted
Not Done
ReplyInline Actions

I think you can detect this by looking at function attributes.

eugenis: I think you can detect this by looking at function attributes.
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

I've only found mentions of SSE in the "target-features" string, where they look like: "-sse,-sse2,-sse3,...", not sure it's easier to parse those.

glider: I've only found mentions of SSE in the "target-features" string, where they look like: "-sse…
eugenisUnsubmitted
Not Done
ReplyInline Actions

It's not easier, but it is correct.

eugenis: It's not easier, but it is correct.
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Ok, I'll send a separate patch along the lines of:

AMD64FpEndOffset = AMD64FpEndOffsetSSE;
for (const auto &Attr : F.getAttributes().getFnAttributes()) {
  if (Attr.isStringAttribute() && (Attr.getKindAsString() == "target-features")) {
    if (Attr.getValueAsString().contains("-sse"))
      AMD64FpEndOffset = AMD64FpEndOffsetNoSSE;
    break;
  }
}

I'm not sure though that we're guaranteed to have those attributes (e.g. we currently don't have them in the tests, so we default to 176 bytes)

glider: Ok, I'll send a separate patch along the lines of: ``` AMD64FpEndOffset =…
eugenisUnsubmitted
Not Done
ReplyInline Actions

Then we should do whatever the target does when it does not find the attribute.

eugenis: Then we should do whatever the target does when it does not find the attribute.
unsigned AMD64FpEndOffset; unsigned AMD64FpEndOffset;
Function &F; Function &F;
MemorySanitizer &MS; MemorySanitizer &MS;
MemorySanitizerVisitor &MSV; MemorySanitizerVisitor &MSV;
Value *VAArgTLSCopy = nullptr; Value *VAArgTLSCopy = nullptr;
Value *VAArgTLSOriginCopy = nullptr;
Value *VAArgOverflowSize = nullptr; Value *VAArgOverflowSize = nullptr;
SmallVector<CallInst*, 16> VAStartInstrumentationList; SmallVector<CallInst*, 16> VAStartInstrumentationList;
enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory }; enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
VarArgAMD64Helper(Function &F, MemorySanitizer &MS, VarArgAMD64Helper(Function &F, MemorySanitizer &MS,
MemorySanitizerVisitor &MSV) MemorySanitizerVisitor &MSV)
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Lines for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
// over by va_start, so don't count them towards the offset. // over by va_start, so don't count them towards the offset.
if (IsFixed) if (IsFixed)
continue; continue;
assert(A->getType()->isPointerTy()); assert(A->getType()->isPointerTy());
Type *RealTy = A->getType()->getPointerElementType(); Type *RealTy = A->getType()->getPointerElementType();
uint64_t ArgSize = DL.getTypeAllocSize(RealTy); uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
Value *ShadowBase = Value *ShadowBase =
getShadowPtrForVAArgument(RealTy, IRB, OverflowOffset); getShadowPtrForVAArgument(RealTy, IRB, OverflowOffset);
Value *OriginBase = nullptr;
if (MS.TrackOrigins)
OriginBase = getOriginPtrForVAArgument(RealTy, IRB, OverflowOffset);
OverflowOffset += alignTo(ArgSize, 8); OverflowOffset += alignTo(ArgSize, 8);
Value *ShadowPtr, *OriginPtr; Value *ShadowPtr, *OriginPtr;
std::tie(ShadowPtr, OriginPtr) = std::tie(ShadowPtr, OriginPtr) =
MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment, MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment,
/*isStore*/ false); /*isStore*/ false);
IRB.CreateMemCpy(ShadowBase, kShadowTLSAlignment, ShadowPtr, IRB.CreateMemCpy(ShadowBase, kShadowTLSAlignment, ShadowPtr,
kShadowTLSAlignment, ArgSize); kShadowTLSAlignment, ArgSize);
if (MS.TrackOrigins)
IRB.CreateMemCpy(OriginBase, kShadowTLSAlignment, OriginPtr,
kShadowTLSAlignment, ArgSize);
} else { } else {
eugenisUnsubmitted
Not Done
ReplyInline Actions

This is not about kernel at all, is it?
Could you fix it for userspace as well, as a separate change?

eugenis: This is not about kernel at all, is it? Could you fix it for userspace as well, as a separate…
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

This is gonna change the userspace ABI, as we'll need to introduce the origin tls var.
I can sure fix it for the userspace, we'll just need to be accurate deploying the new version.

glider: This is gonna change the userspace ABI, as we'll need to introduce the origin tls var. I can…
eugenisUnsubmitted
Not Done
ReplyInline Actions

It won't break old instrumented code running with new runtime library, right?

AFAIK that's all that we care about.

eugenis: It won't break old instrumented code running with new runtime library, right? AFAIK that's all…
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Guess it shouldn't.
Ok, will do.

glider: Guess it shouldn't. Ok, will do.
ArgKind AK = classifyArgument(A); ArgKind AK = classifyArgument(A);
if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset) if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset)
AK = AK_Memory; AK = AK_Memory;
if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset) if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset)
AK = AK_Memory; AK = AK_Memory;
Value *ShadowBase; Value *ShadowBase, *OriginBase = nullptr;
switch (AK) { switch (AK) {
case AK_GeneralPurpose: case AK_GeneralPurpose:
ShadowBase = getShadowPtrForVAArgument(A->getType(), IRB, GpOffset); ShadowBase = getShadowPtrForVAArgument(A->getType(), IRB, GpOffset);
if (MS.TrackOrigins)
OriginBase =
getOriginPtrForVAArgument(A->getType(), IRB, GpOffset);
GpOffset += 8; GpOffset += 8;
break; break;
case AK_FloatingPoint: case AK_FloatingPoint:
ShadowBase = getShadowPtrForVAArgument(A->getType(), IRB, FpOffset); ShadowBase = getShadowPtrForVAArgument(A->getType(), IRB, FpOffset);
if (MS.TrackOrigins)
OriginBase =
getOriginPtrForVAArgument(A->getType(), IRB, FpOffset);
FpOffset += 16; FpOffset += 16;
break; break;
case AK_Memory: case AK_Memory:
if (IsFixed) if (IsFixed)
continue; continue;
uint64_t ArgSize = DL.getTypeAllocSize(A->getType()); uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
ShadowBase = ShadowBase =
getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset); getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset);
if (MS.TrackOrigins)
OriginBase =
getOriginPtrForVAArgument(A->getType(), IRB, OverflowOffset);
OverflowOffset += alignTo(ArgSize, 8); OverflowOffset += alignTo(ArgSize, 8);
} }
// Take fixed arguments into account for GpOffset and FpOffset, // Take fixed arguments into account for GpOffset and FpOffset,
// but don't actually store shadows for them. // but don't actually store shadows for them.
// TODO(glider): don't call get*PtrForVAArgument() for them.
if (IsFixed) if (IsFixed)
continue; continue;
IRB.CreateAlignedStore(MSV.getShadow(A), ShadowBase, Value *Shadow = MSV.getShadow(A);
kShadowTLSAlignment); IRB.CreateAlignedStore(Shadow, ShadowBase, kShadowTLSAlignment);
if (MS.TrackOrigins) {
unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType());
MSV.paintOrigin(IRB, MSV.getOrigin(A), OriginBase, StoreSize,
std::max(kShadowTLSAlignment, kMinOriginAlignment));
}
} }
} }
Constant *OverflowSize = Constant *OverflowSize =
ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset); ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset);
IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS); IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
} }
/// Compute the shadow address for a given va_arg. /// Compute the shadow address for a given va_arg.
Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
int ArgOffset) { int ArgOffset) {
Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
"_msarg"); "_msarg_va_s");
}
/// Compute the origin address for a given va_arg.
Value *getOriginPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, int ArgOffset) {
Value *Base = IRB.CreatePointerCast(MS.VAArgOriginTLS, MS.IntptrTy);
Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
"_msarg_va_o");
} }
void unpoisonVAListTagForInst(IntrinsicInst &I) { void unpoisonVAListTagForInst(IntrinsicInst &I) {
IRBuilder<> IRB(&I); IRBuilder<> IRB(&I);
Value *VAListTag = I.getArgOperand(0); Value *VAListTag = I.getArgOperand(0);
Value *ShadowPtr, *OriginPtr; Value *ShadowPtr, *OriginPtr;
unsigned Alignment = 8; unsigned Alignment = 8;
std::tie(ShadowPtr, OriginPtr) = std::tie(ShadowPtr, OriginPtr) =
Show All 28 Lines if (!VAStartInstrumentationList.empty()) {
// va_arg_tls somewhere in the function entry block. // va_arg_tls somewhere in the function entry block.
IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI()); IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI());
VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS); VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS);
Value *CopySize = Value *CopySize =
IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset), IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset),
VAArgOverflowSize); VAArgOverflowSize);
VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize); VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize); IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize);
if (MS.TrackOrigins) {
VAArgTLSOriginCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
IRB.CreateMemCpy(VAArgTLSOriginCopy, 8, MS.VAArgOriginTLS, 8, CopySize);
}
} }
// Instrument va_start. // Instrument va_start.
// Copy va_list shadow from the backup copy of the TLS contents. // Copy va_list shadow from the backup copy of the TLS contents.
for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) { for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
CallInst *OrigInst = VAStartInstrumentationList[i]; CallInst *OrigInst = VAStartInstrumentationList[i];
IRBuilder<> IRB(OrigInst->getNextNode()); IRBuilder<> IRB(OrigInst->getNextNode());
Value *VAListTag = OrigInst->getArgOperand(0); Value *VAListTag = OrigInst->getArgOperand(0);
Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr( Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr(
IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
ConstantInt::get(MS.IntptrTy, 16)), ConstantInt::get(MS.IntptrTy, 16)),
PointerType::get(Type::getInt64PtrTy(*MS.C), 0)); PointerType::get(Type::getInt64PtrTy(*MS.C), 0));
Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr); Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr);
Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr; Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
unsigned Alignment = 16; unsigned Alignment = 16;
std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) = std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(), MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
Alignment, /*isStore*/ true); Alignment, /*isStore*/ true);
IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment, IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
AMD64FpEndOffset); AMD64FpEndOffset);
if (MS.TrackOrigins)
IRB.CreateMemCpy(RegSaveAreaOriginPtr, Alignment, VAArgTLSOriginCopy,
Alignment, AMD64FpEndOffset);
Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr( Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr(
IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
ConstantInt::get(MS.IntptrTy, 8)), ConstantInt::get(MS.IntptrTy, 8)),
PointerType::get(Type::getInt64PtrTy(*MS.C), 0)); PointerType::get(Type::getInt64PtrTy(*MS.C), 0));
Value *OverflowArgAreaPtr = IRB.CreateLoad(OverflowArgAreaPtrPtr); Value *OverflowArgAreaPtr = IRB.CreateLoad(OverflowArgAreaPtrPtr);
Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr; Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr;
std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) = std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) =
MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(), MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(),
Alignment, /*isStore*/ true); Alignment, /*isStore*/ true);
Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy, Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy,
AMD64FpEndOffset); AMD64FpEndOffset);
IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment, IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment,
VAArgOverflowSize); VAArgOverflowSize);
if (MS.TrackOrigins) {
SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSOriginCopy,
AMD64FpEndOffset);
IRB.CreateMemCpy(OverflowArgAreaOriginPtr, Alignment, SrcPtr, Alignment,
VAArgOverflowSize);
}
} }
} }
}; };
/// MIPS64-specific implementation of VarArgHelper. /// MIPS64-specific implementation of VarArgHelper.
struct VarArgMIPS64Helper : public VarArgHelper { struct VarArgMIPS64Helper : public VarArgHelper {
Function &F; Function &F;
MemorySanitizer &MS; MemorySanitizer &MS;
▲ Show 20 LinesShow All 574 LinesShow Last 20 Lines

test/Instrumentation/MemorySanitizer/alloca.ll

; RUN: opt < %s -msan -msan-check-access-address=0 -S | FileCheck %s --check-prefixes=CHECK,INLINE ; RUN: opt < %s -msan -msan-check-access-address=0 -S | FileCheck %s --check-prefixes=CHECK,INLINE
; RUN: opt < %s -msan -msan-check-access-address=0 -msan-poison-stack-with-call=1 -S | FileCheck %s --check-prefixes=CHECK,CALL ; RUN: opt < %s -msan -msan-check-access-address=0 -msan-poison-stack-with-call=1 -S | FileCheck %s --check-prefixes=CHECK,CALL
; RUN: opt < %s -msan -msan-check-access-address=0 -msan-track-origins=1 -S | FileCheck %s --check-prefixes=CHECK,ORIGIN ; RUN: opt < %s -msan -msan-check-access-address=0 -msan-track-origins=1 -S | FileCheck %s --check-prefixes=CHECK,ORIGIN
; RUN: opt < %s -msan -msan-check-access-address=0 -msan-track-origins=2 -S | FileCheck %s --check-prefixes=CHECK,ORIGIN ; RUN: opt < %s -msan -msan-check-access-address=0 -msan-track-origins=2 -S | FileCheck %s --check-prefixes=CHECK,ORIGIN
; RUN: opt < %s -msan -msan-kernel=1 -S | FileCheck %s --check-prefixes=CHECK,KMSAN
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu" target triple = "x86_64-unknown-linux-gnu"
define void @static() sanitize_memory { define void @static() sanitize_memory {
entry: entry:
%x = alloca i32, align 4 %x = alloca i32, align 4
ret void ret void
} }
; CHECK-LABEL: define void @static( ; CHECK-LABEL: define void @static(
; INLINE: call void @llvm.memset.p0i8.i64(i8* align 4 {{.*}}, i8 -1, i64 4, i1 false) ; INLINE: call void @llvm.memset.p0i8.i64(i8* align 4 {{.*}}, i8 -1, i64 4, i1 false)
; CALL: call void @__msan_poison_stack(i8* {{.*}}, i64 4) ; CALL: call void @__msan_poison_stack(i8* {{.*}}, i64 4)
; ORIGIN: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 4, ; ORIGIN: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 4,
; KMSAN: call void @__msan_poison_alloca(i8* {{.*}}, i64 4,
; CHECK: ret void ; CHECK: ret void
define void @dynamic() sanitize_memory { define void @dynamic() sanitize_memory {
entry: entry:
br label %l br label %l
l: l:
%x = alloca i32, align 4 %x = alloca i32, align 4
ret void ret void
} }
; CHECK-LABEL: define void @dynamic( ; CHECK-LABEL: define void @dynamic(
; INLINE: call void @llvm.memset.p0i8.i64(i8* align 4 {{.*}}, i8 -1, i64 4, i1 false) ; INLINE: call void @llvm.memset.p0i8.i64(i8* align 4 {{.*}}, i8 -1, i64 4, i1 false)
; CALL: call void @__msan_poison_stack(i8* {{.*}}, i64 4) ; CALL: call void @__msan_poison_stack(i8* {{.*}}, i64 4)
; ORIGIN: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 4, ; ORIGIN: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 4,
; KMSAN: call void @__msan_poison_alloca(i8* {{.*}}, i64 4,
; CHECK: ret void ; CHECK: ret void
define void @array() sanitize_memory { define void @array() sanitize_memory {
entry: entry:
%x = alloca i32, i64 5, align 4 %x = alloca i32, i64 5, align 4
ret void ret void
} }
; CHECK-LABEL: define void @array( ; CHECK-LABEL: define void @array(
; INLINE: call void @llvm.memset.p0i8.i64(i8* align 4 {{.*}}, i8 -1, i64 20, i1 false) ; INLINE: call void @llvm.memset.p0i8.i64(i8* align 4 {{.*}}, i8 -1, i64 20, i1 false)
; CALL: call void @__msan_poison_stack(i8* {{.*}}, i64 20) ; CALL: call void @__msan_poison_stack(i8* {{.*}}, i64 20)
; ORIGIN: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 20, ; ORIGIN: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 20,
; KMSAN: call void @__msan_poison_alloca(i8* {{.*}}, i64 20,
; CHECK: ret void ; CHECK: ret void
define void @array_non_const(i64 %cnt) sanitize_memory { define void @array_non_const(i64 %cnt) sanitize_memory {
entry: entry:
%x = alloca i32, i64 %cnt, align 4 %x = alloca i32, i64 %cnt, align 4
ret void ret void
} }
; CHECK-LABEL: define void @array_non_const( ; CHECK-LABEL: define void @array_non_const(
; CHECK: %[[A:.*]] = mul i64 4, %cnt ; CHECK: %[[A:.*]] = mul i64 4, %cnt
; INLINE: call void @llvm.memset.p0i8.i64(i8* align 4 {{.*}}, i8 -1, i64 %[[A]], i1 false) ; INLINE: call void @llvm.memset.p0i8.i64(i8* align 4 {{.*}}, i8 -1, i64 %[[A]], i1 false)
; CALL: call void @__msan_poison_stack(i8* {{.*}}, i64 %[[A]]) ; CALL: call void @__msan_poison_stack(i8* {{.*}}, i64 %[[A]])
; ORIGIN: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 %[[A]], ; ORIGIN: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 %[[A]],
; KMSAN: call void @__msan_poison_alloca(i8* {{.*}}, i64 %[[A]],
; CHECK: ret void ; CHECK: ret void
; Check that the local is unpoisoned in the absence of sanitize_memory
define void @unpoison_local() {
entry:
%x = alloca i32, i64 5, align 4
ret void
}
; CHECK-LABEL: define void @unpoison_local(
; INLINE: call void @llvm.memset.p0i8.i64(i8* align 4 {{.*}}, i8 0, i64 20, i1 false)
; CALL: call void @llvm.memset.p0i8.i64(i8* align 4 {{.*}}, i8 0, i64 20, i1 false)
; ORIGIN-NOT: call void @__msan_set_alloca_origin4(i8* {{.*}}, i64 20,
; KMSAN: call void @__msan_unpoison_alloca(i8* {{.*}}, i64 20)
; CHECK: ret void

test/Instrumentation/MemorySanitizer/msan_kernel_basic.ll

; KMSAN instrumentation tests
; RUN: opt < %s -msan -msan-kernel=1 -S | FileCheck %s -check-prefixes=CHECK
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
; Check the instrumentation prologue.
define void @Empty() nounwind uwtable sanitize_memory {
entry:
ret void
}
; CHECK-LABEL: @Empty
; CHECK: entry:
; CHECK: @__msan_get_context_state()
; %param_shadow:
; CHECK: getelementptr {{.*}} i32 0, i32 0
eugenisUnsubmitted
Not Done
ReplyInline Actions

AFAIK, in no-asserts build IR temporary names are lost, so this "%param_shadow" is not going to match.

eugenis: AFAIK, in no-asserts build IR temporary names are lost, so this "%param_shadow" is not going to…
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Hm, I don't see any difference between files built with -f[no-]discard-value-names using Clang built with/without assertions.
I've replaced the value names with seven getelementptr instructions.

glider: Hm, I don't see any difference between files built with -f[no-]discard-value-names using Clang…
eugenisUnsubmitted
Not Done
ReplyInline Actions

Right. As you mention in the other changelist, we preserve value names in asan/msan builds.

Anyway, I like this new test more.

eugenis: Right. As you mention in the other changelist, we preserve value names in asan/msan builds.
; %retval_shadow:
; CHECK: getelementptr {{.*}} i32 0, i32 1
; %va_arg_shadow:
; CHECK: getelementptr {{.*}} i32 0, i32 2
; %va_arg_origin:
; CHECK: getelementptr {{.*}} i32 0, i32 3
; %va_arg_overflow_size:
; CHECK: getelementptr {{.*}} i32 0, i32 4
; %param_origin:
; CHECK: getelementptr {{.*}} i32 0, i32 5
; %retval_origin:
; CHECK: getelementptr {{.*}} i32 0, i32 6
; CHECK: entry.split:
; Check instrumentation of stores
define void @Store1(i8* nocapture %p, i8 %x) nounwind uwtable sanitize_memory {
entry:
store i8 %x, i8* %p
ret void
}
; CHECK-LABEL: @Store1
; CHECK-LABEL: entry:
; CHECK: @__msan_get_context_state()
; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
; CHECK-LABEL: entry.split:
; CHECK: [[BASE2:%[0-9]+]] = ptrtoint {{.*}} [[PARAM_SHADOW]]
eugenisUnsubmitted
Done
ReplyInline Actions

Please add checks for actual arguments etc. For example, make sure that the right member of context_state is called for param_shadow. No need to repeat this in every test case, just once would be enough.

eugenis: Please add checks for actual arguments etc. For example, make sure that the right member of…
; CHECK: [[BASE:%[0-9]+]] = ptrtoint {{.*}} [[PARAM_SHADOW]]
; CHECK: [[SHADOW:%[a-z0-9_]+]] = inttoptr {{.*}} [[BASE]]
; Load the shadow of %p and check it
; CHECK: load i64, i64* [[SHADOW]]
; CHECK: icmp
; CHECK: br i1
; CHECK-LABEL: <label>
; CHECK: @__msan_metadata_ptr_for_store_1(i8* %p)
; CHECK: store i8
; If the new shadow is non-zero, jump to __msan_chain_origin()
; CHECK: icmp
; CHECK: br i1
; CHECK: <label>
; CHECK: @__msan_chain_origin
; Storing origin here:
; CHECK: store i32
; CHECK: br label
; CHECK: <label>
; CHECK: store i8
; CHECK: ret void
define void @Store2(i16* nocapture %p, i16 %x) nounwind uwtable sanitize_memory {
entry:
store i16 %x, i16* %p
ret void
}
; CHECK-LABEL: @Store2
; CHECK-LABEL: entry:
; CHECK: @__msan_get_context_state()
; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
; CHECK-LABEL: entry.split:
; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
; Load the shadow of %p and check it
; CHECK: load i64
; CHECK: icmp
; CHECK: br i1
; CHECK-LABEL: <label>
; CHECK: [[REG:%[0-9]+]] = bitcast i16* %p to i8*
; CHECK: @__msan_metadata_ptr_for_store_2(i8* [[REG]])
; CHECK: store i16
; If the new shadow is non-zero, jump to __msan_chain_origin()
; CHECK: icmp
; CHECK: br i1
; CHECK: <label>
; CHECK: @__msan_chain_origin
; Storing origin here:
; CHECK: store i32
; CHECK: br label
; CHECK: <label>
; CHECK: store i16
; CHECK: ret void
define void @Store4(i32* nocapture %p, i32 %x) nounwind uwtable sanitize_memory {
entry:
store i32 %x, i32* %p
ret void
}
; CHECK-LABEL: @Store4
; CHECK-LABEL: entry:
; CHECK: @__msan_get_context_state()
; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
; CHECK-LABEL: entry.split:
; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
; Load the shadow of %p and check it
; CHECK: load i32
; CHECK: icmp
; CHECK: br i1
; CHECK-LABEL: <label>
; CHECK: [[REG:%[0-9]+]] = bitcast i32* %p to i8*
; CHECK: @__msan_metadata_ptr_for_store_4(i8* [[REG]])
; CHECK: store i32
; If the new shadow is non-zero, jump to __msan_chain_origin()
; CHECK: icmp
; CHECK: br i1
; CHECK: <label>
; CHECK: @__msan_chain_origin
; Storing origin here:
; CHECK: store i32
; CHECK: br label
; CHECK: <label>
; CHECK: store i32
; CHECK: ret void
define void @Store8(i64* nocapture %p, i64 %x) nounwind uwtable sanitize_memory {
entry:
store i64 %x, i64* %p
ret void
}
; CHECK-LABEL: @Store8
; CHECK-LABEL: entry:
; CHECK: @__msan_get_context_state()
; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
; CHECK-LABEL: entry.split:
; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
; Load the shadow of %p and check it
; CHECK: load i64
; CHECK: icmp
; CHECK: br i1
; CHECK-LABEL: <label>
; CHECK: [[REG:%[0-9]+]] = bitcast i64* %p to i8*
; CHECK: @__msan_metadata_ptr_for_store_8(i8* [[REG]])
; CHECK: store i64
; If the new shadow is non-zero, jump to __msan_chain_origin()
; CHECK: icmp
; CHECK: br i1
; CHECK: <label>
; CHECK: @__msan_chain_origin
; Storing origin here:
; CHECK: store i32
; CHECK: br label
; CHECK: <label>
; CHECK: store i64
; CHECK: ret void
define void @Store16(i128* nocapture %p, i128 %x) nounwind uwtable sanitize_memory {
entry:
store i128 %x, i128* %p
ret void
}
; CHECK-LABEL: @Store16
; CHECK-LABEL: entry:
; CHECK: @__msan_get_context_state()
; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
; CHECK-LABEL: entry.split:
; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
; Load the shadow of %p and check it
; CHECK: load i64
; CHECK: icmp
; CHECK: br i1
; CHECK-LABEL: <label>
; CHECK: [[REG:%[0-9]+]] = bitcast i128* %p to i8*
; CHECK: @__msan_metadata_ptr_for_store_n(i8* [[REG]], i64 16)
; CHECK: store i128
; If the new shadow is non-zero, jump to __msan_chain_origin()
; CHECK: icmp
; CHECK: br i1
; CHECK: <label>
; CHECK: @__msan_chain_origin
; Storing origin here:
; CHECK: store i32
; CHECK: br label
; CHECK: <label>
; CHECK: store i128
; CHECK: ret void
; Check instrumentation of loads
define i8 @Load1(i8* nocapture %p) nounwind uwtable sanitize_memory {
entry:
%0 = load i8, i8* %p
ret i8 %0
}
; CHECK-LABEL: @Load1
; CHECK-LABEL: entry:
; CHECK: @__msan_get_context_state()
; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
; CHECK-LABEL: entry.split:
; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
; Load the shadow of %p and check it
; CHECK: load i64
; CHECK: icmp
; CHECK: br i1
; CHECK-LABEL: <label>
; Load the value from %p. This is done before accessing the shadow
; to ease atomic handling.
; CHECK: load i8
; CHECK: @__msan_metadata_ptr_for_load_1(i8* %p)
; Load the shadow and origin.
; CHECK: load i8
; CHECK: load i32
define i16 @Load2(i16* nocapture %p) nounwind uwtable sanitize_memory {
entry:
%0 = load i16, i16* %p
ret i16 %0
}
; CHECK-LABEL: @Load2
; CHECK-LABEL: entry:
; CHECK: @__msan_get_context_state()
; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
; CHECK-LABEL: entry.split:
; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
; Load the shadow of %p and check it
; CHECK: load i64
; CHECK: icmp
; CHECK: br i1
; CHECK-LABEL: <label>
; Load the value from %p. This is done before accessing the shadow
; to ease atomic handling.
; CHECK: load i16
; CHECK: [[REG:%[0-9]+]] = bitcast i16* %p to i8*
; CHECK: @__msan_metadata_ptr_for_load_2(i8* [[REG]])
; Load the shadow and origin.
; CHECK: load i16
; CHECK: load i32
define i32 @Load4(i32* nocapture %p) nounwind uwtable sanitize_memory {
entry:
%0 = load i32, i32* %p
ret i32 %0
}
; CHECK-LABEL: @Load4
; CHECK-LABEL: entry:
; CHECK: @__msan_get_context_state()
; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
; CHECK-LABEL: entry.split:
; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
; Load the shadow of %p and check it
; CHECK: load i64
; CHECK: icmp
; CHECK: br i1
; CHECK-LABEL: <label>
; Load the value from %p. This is done before accessing the shadow
; to ease atomic handling.
; CHECK: load i32
; CHECK: [[REG:%[0-9]+]] = bitcast i32* %p to i8*
; CHECK: @__msan_metadata_ptr_for_load_4(i8* [[REG]])
; Load the shadow and origin.
; CHECK: load i32
; CHECK: load i32
define i64 @Load8(i64* nocapture %p) nounwind uwtable sanitize_memory {
entry:
%0 = load i64, i64* %p
ret i64 %0
}
; CHECK-LABEL: @Load8
; CHECK-LABEL: entry:
; CHECK: @__msan_get_context_state()
; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
; CHECK-LABEL: entry.split:
; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
; Load the shadow of %p and check it
; CHECK: load i64
; CHECK: icmp
; CHECK: br i1
; CHECK-LABEL: <label>
; Load the value from %p. This is done before accessing the shadow
; to ease atomic handling.
; CHECK: load i64
; CHECK: [[REG:%[0-9]+]] = bitcast i64* %p to i8*
; CHECK: @__msan_metadata_ptr_for_load_8(i8* [[REG]])
; Load the shadow and origin.
; CHECK: load i64
; CHECK: load i32
define i128 @Load16(i128* nocapture %p) nounwind uwtable sanitize_memory {
entry:
%0 = load i128, i128* %p
ret i128 %0
}
; CHECK-LABEL: @Load16
; CHECK-LABEL: entry:
; CHECK: @__msan_get_context_state()
; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
; CHECK-LABEL: entry.split:
; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
; Load the shadow of %p and check it
; CHECK: load i64
; CHECK: icmp
; CHECK: br i1
; CHECK-LABEL: <label>
; Load the value from %p. This is done before accessing the shadow
; to ease atomic handling.
; CHECK: load i128
; CHECK: [[REG:%[0-9]+]] = bitcast i128* %p to i8*
; CHECK: @__msan_metadata_ptr_for_load_n(i8* [[REG]], i64 16)
; Load the shadow and origin.
; CHECK: load i128
; CHECK: load i32
; Test kernel-specific va_list instrumentation
%struct.__va_list_tag = type { i32, i32, i8*, i8* }
declare void @llvm.va_start(i8*) nounwind
declare void @llvm.va_end(i8*)
@.str = private unnamed_addr constant [4 x i8] c"%d\0A\00", align 1
declare dso_local i32 @VAListFn(i8*, %struct.__va_list_tag*) local_unnamed_addr
; Function Attrs: nounwind uwtable
define dso_local i32 @VarArgFn(i8* %fmt, ...) local_unnamed_addr sanitize_memory #0 {
entry:
%args = alloca [1 x %struct.__va_list_tag], align 16
%0 = bitcast [1 x %struct.__va_list_tag]* %args to i8*
%arraydecay = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %args, i64 0, i64 0
call void @llvm.va_start(i8* nonnull %0)
%call = call i32 @VAListFn(i8* %fmt, %struct.__va_list_tag* nonnull %arraydecay)
call void @llvm.va_end(i8* nonnull %0)
ret i32 %call
}
; Kernel is built without SSE support.
attributes #0 = { "target-features"="+fxsr,+x87,-sse" }
; CHECK-LABEL: @VarArgFn
; CHECK: @__msan_get_context_state()
; CHECK: [[VA_ARG_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 2
; CHECK: [[VA_ARG_ORIGIN:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 3
; CHECK: [[VA_ARG_OVERFLOW_SIZE:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 4
; CHECK-LABEL: entry.split:
; CHECK: [[OSIZE:%[0-9]+]] = load i64, i64* [[VA_ARG_OVERFLOW_SIZE]]
; Register save area is 48 bytes for non-SSE builds.
; CHECK: [[SIZE:%[0-9]+]] = add i64 48, [[OSIZE]]
; CHECK: [[SHADOWS:%[0-9]+]] = alloca i8, i64 [[SIZE]]
; CHECK: [[VA_ARG_SHADOW]]
; CHECK: call void @llvm.memcpy{{.*}}(i8* align 8 [[SHADOWS]], {{.*}}, i64 [[SIZE]]
; CHECK: [[ORIGINS:%[0-9]+]] = alloca i8, i64 [[SIZE]]
; CHECK: [[VA_ARG_ORIGIN]]
; CHECK: call void @llvm.memcpy{{.*}}(i8* align 8 [[ORIGINS]], {{.*}}, i64 [[SIZE]]
; CHECK: call i32 @VAListFn
; Function Attrs: nounwind uwtable
define dso_local void @VarArgCaller() local_unnamed_addr sanitize_memory {
entry:
%call = tail call i32 (i8*, ...) @VarArgFn(i8* getelementptr inbounds ([4 x i8], [4 x i8]* @.str, i64 0, i64 0), i32 123)
ret void
}
; CHECK-LABEL: @VarArgCaller
; CHECK-LABEL: entry:
; CHECK: @__msan_get_context_state()
; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
; CHECK: [[VA_ARG_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 2
; CHECK: [[VA_ARG_OVERFLOW_SIZE:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 4
; CHECK-LABEL: entry.split:
; CHECK: [[PARAM_SI:%[_a-z0-9]+]] = ptrtoint {{.*}} [[PARAM_SHADOW]]
; CHECK: [[ARG1_S:%[_a-z0-9]+]] = inttoptr i64 [[PARAM_SI]] to i64*
; First argument is initialized
; CHECK: store i64 0, i64* [[ARG1_S]]
; Dangling cast of va_arg_shadow[0], unused because the first argument is fixed.
; CHECK: [[VA_CAST0:%[_a-z0-9]+]] = ptrtoint {{.*}} [[VA_ARG_SHADOW]] to i64
; CHECK: [[VA_CAST1:%[_a-z0-9]+]] = ptrtoint {{.*}} [[VA_ARG_SHADOW]] to i64
; CHECK: [[ARG1_SI:%[_a-z0-9]+]] = add i64 [[VA_CAST1]], 8
; CHECK: [[PARG1_S:%[_a-z0-9]+]] = inttoptr i64 [[ARG1_SI]] to i32*
; Shadow for 123 is 0.
; CHECK: store i32 0, i32* [[ARG1_S]]
; CHECK: store i64 0, i64* [[VA_ARG_OVERFLOW_SIZE]]
; CHECK: call i32 (i8*, ...) @VarArgFn({{.*}} @.str{{.*}} i32 123)

test/Instrumentation/MemorySanitizer/store-origin.ll

; RUN: opt < %s -msan -msan-check-access-address=0 -msan-track-origins=1 -S | FileCheck -check-prefix=CHECK -check-prefix=CHECK-ORIGINS1 %s ; RUN: opt < %s -msan -msan-check-access-address=0 -msan-track-origins=1 -S | FileCheck -check-prefixes=CHECK,CHECK-MSAN,CHECK-ORIGINS1 %s
; RUN: opt < %s -msan -msan-check-access-address=0 -msan-track-origins=2 -S | FileCheck -check-prefix=CHECK -check-prefix=CHECK-ORIGINS2 %s ; RUN: opt < %s -msan -msan-check-access-address=0 -msan-track-origins=2 -S | FileCheck -check-prefixes=CHECK,CHECK-MSAN,CHECK-ORIGINS2 %s
; RUN: opt < %s -msan -msan-kernel=1 -msan-check-access-address=0 -S | FileCheck -check-prefixes=CHECK,CHECK-KMSAN,CHECK-ORIGINS2 %s
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu" target triple = "x86_64-unknown-linux-gnu"
; Check origin instrumentation of stores. ; Check origin instrumentation of stores.
; Check that debug info for origin propagation code is set correctly. ; Check that debug info for origin propagation code is set correctly.
Show All 36 Lines
!18 = !{!19, !19, i64 0} !18 = !{!19, !19, i64 0}
!19 = !{!"int", !20, i64 0} !19 = !{!"int", !20, i64 0}
!20 = !{!"omnipotent char", !21, i64 0} !20 = !{!"omnipotent char", !21, i64 0}
!21 = !{!"Simple C/C++ TBAA"} !21 = !{!"Simple C/C++ TBAA"}
!22 = !DILocation(line: 3, scope: !4) !22 = !DILocation(line: 3, scope: !4)
; CHECK-LABEL: @Store ; CHECK-LABEL: @Store
; CHECK: load {{.*}} @__msan_param_tls
; CHECK: [[ORIGIN:%[01-9a-z]+]] = load {{.*}} @__msan_param_origin_tls ; CHECK-MSAN: load {{.*}} @__msan_param_tls
; CHECK-MSAN: [[ORIGIN:%[01-9a-z]+]] = load {{.*}} @__msan_param_origin_tls
; CHECK-KMSAN-LABEL: entry.split:
; CHECK-KMSAN: %param_shadow
; CHECK-KMSAN: load i32, i32*
; CHECK-KMSAN: %param_origin
; CHECK-KMSAN: [[ORIGIN:%[01-9a-z]+]] = load i32, i32*
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

TODO: replace "01-9a-z" with "_0-9a-z"

glider: TODO: replace "01-9a-z" with "_0-9a-z"
; CHECK: store {{.*}}!dbg ![[DBG:[01-9]+]] ; CHECK: store {{.*}}!dbg ![[DBG:[01-9]+]]
; CHECK: icmp ; CHECK: icmp
; CHECK: br i1 ; CHECK: br i1
; CHECK: <label> ; CHECK: <label>
; Origin tracking level 1: simply store the origin value ; Origin tracking level 1: simply store the origin value
; CHECK-ORIGINS1: store i32 {{.*}}[[ORIGIN]],{{.*}}!dbg !{{.*}}[[DBG]] ; CHECK-ORIGINS1: store i32 {{.*}}[[ORIGIN]],{{.*}}!dbg !{{.*}}[[DBG]]
; Origin tracking level 2: pass origin value through __msan_chain_origin and store the result. ; Origin tracking level 2: pass origin value through __msan_chain_origin and store the result.
; CHECK-ORIGINS2: [[ORIGIN2:%[01-9a-z]+]] = call i32 @__msan_chain_origin(i32 {{.*}}[[ORIGIN]]) ; CHECK-ORIGINS2: [[ORIGIN2:%[01-9a-z]+]] = call i32 @__msan_chain_origin(i32 {{.*}}[[ORIGIN]])
; CHECK-ORIGINS2: store i32 {{.*}}[[ORIGIN2]],{{.*}}!dbg !{{.*}}[[DBG]] ; CHECK-ORIGINS2: store i32 {{.*}}[[ORIGIN2]],{{.*}}!dbg !{{.*}}[[DBG]]
; CHECK: br label{{.*}}!dbg !{{.*}}[[DBG]] ; CHECK: br label{{.*}}!dbg !{{.*}}[[DBG]]
; CHECK: <label> ; CHECK: <label>
; CHECK: store{{.*}}!dbg !{{.*}}[[DBG]] ; CHECK: store{{.*}}!dbg !{{.*}}[[DBG]]
; CHECK: ret void ; CHECK: ret void