This is an archive of the discontinued LLVM Phabricator instance.

Differential D34789

Copy arguments passed by value into explicit allocas for ASan
ClosedPublic

Authored by morehouse on Jun 28 2017, 4:52 PM.

Details

Reviewers
eugenis
vitalybuka
Commits
rG2a7a4bc1c925: Copy arguments passed by value into explicit allocas for ASan.
rL307342: Copy arguments passed by value into explicit allocas for ASan.
Summary

ASan determines the stack layout from alloca instructions. Since
arguments marked as "byval" do not have an explicit alloca instruction, ASan
does not produce red zones for them. This commit produces an explicit alloca
instruction and copies the byval argument into the allocated memory so that red
zones are produced.

Diff Detail

Repository
rL LLVM

Event Timeline

morehouse created this revision.Jun 28 2017, 4:52 PM
morehouse added a subscriber: llvm-commits.Jun 28 2017, 5:08 PM
eugenis added inline comments.Jun 28 2017, 6:03 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
2543 ↗(On Diff #104548)

Not sure if it matters here, but this is usually done with BasicBlock::getFirstInsertionPt()

2545 ↗(On Diff #104548)

Local variables start with a capital letter.

2553 ↗(On Diff #104548)

Better call it something like arg.getName() + ".byval", or whatever looks good in ASan error report. Please also add compiler-rt test for ASan detecting overflow of a byval arg.

2557 ↗(On Diff #104548)

F.getParent()

test/Instrumentation/AddressSanitizer/stack-poisoning-byval-args.ll
16 ↗(On Diff #104548)

Please make this test a little stronger: check that bar() gets a pointer in the combined alloca, not the original %a. Check that memcpy is from %a. Also the size of alloca (96) is irrelevant and checking it can only make the test more brittle.

morehouse updated this revision to Diff 104663.Jun 29 2017, 9:23 AM

Integrate eugenis' feedback

morehouse added a comment.Jun 29 2017, 9:26 AM

Can I add compiler-rt tests to this revision or do I need to open a separate one for that?

morehouse updated this revision to Diff 104666.Jun 29 2017, 9:32 AM

Remove ArgNum variable.

eugenis edited edge metadata.Jun 29 2017, 11:45 AM
In D34789#795337, @morehouse wrote:

Can I add compiler-rt tests to this revision or do I need to open a separate one for that?

You can if you use git-monorepo or plain svn. AFAIK it can not be done with multirepo-git. Anyway, could be easier to start a separate revision.

eugenis added inline comments.Jun 29 2017, 11:58 AM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
2544 ↗(On Diff #104666)

You can avoid the cast by using this constructor: http://llvm-cs.pcc.me.uk/include/llvm/IR/IRBuilder.h#703

IRBuilder(BB, BB.getFirstInsertionPt());

2551 ↗(On Diff #104666)

Check what happens if the arg has no name. AFAIK it can be referenced as %0 (%1, etc) in the function body in that case, but getName() would return nullptr.

2557 ↗(On Diff #104666)

Check what happens when byval argument has not explicit align attribute.
AFAIK, it must be handled this way:

unsigned ArgAlign = FArg.getParamAlignment();
if (ArgAlign == 0) {
  Type *EltType = A->getType()->getPointerElementType();
  ArgAlign = DL.getABITypeAlignment(EltType);
}
vitalybuka added inline comments.Jun 29 2017, 12:18 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
2541 ↗(On Diff #104666)

Should we poison original location?

eugenis added inline comments.Jun 29 2017, 12:24 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
2541 ↗(On Diff #104666)

I'm thinking not, because it is not adjacent to any alloca - it's just a random location on the stack at this point.

vitalybuka added inline comments.Jun 29 2017, 12:26 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
2541 ↗(On Diff #104666)

But access to that location is a sign of a bug

eugenis added a comment.Jun 29 2017, 12:29 PM

Right, but then why don't we add 5 new allocas in each function, poison them and never use them. Access to those would also be a bug.

morehouse updated this revision to Diff 104732.Jun 29 2017, 1:48 PM

Addressed eugenis' new comments.

eugenis added inline comments.Jun 29 2017, 2:19 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
2550 ↗(On Diff #104732)

It looks like single-line if() usually do not use braces, at least in this source file.

2554 ↗(On Diff #104732)

Arg.hasName

2555 ↗(On Diff #104732)

Use Arg.getArgNo()

test/Instrumentation/AddressSanitizer/stack-poisoning-byval-args.ll
8 ↗(On Diff #104732)

Please add tests for unnamed arg and for arg w/o align attribute.

16 ↗(On Diff #104732)

Check alignment here and in the alloca instruction

vitalybuka edited edge metadata.Jun 29 2017, 2:40 PM
In D34789#795718, @eugenis wrote:

Right, but then why don't we add 5 new allocas in each function, poison them and never use them. Access to those would also be a bug.

This is not the same. We already have original space allocate on the stack, and we know that this should not be accessed.
We can investigate usefulness of this later.

eugenis added a comment.Jun 29 2017, 2:43 PM
In D34789#795883, @vitalybuka wrote:
In D34789#795718, @eugenis wrote:

Right, but then why don't we add 5 new allocas in each function, poison them and never use them. Access to those would also be a bug.

This is not the same. We already have original space allocate on the stack, and we know that this should not be accessed.
We can investigate usefulness of this later.

You are right. Still, this is unlikely to ever catch anything, and it increases code size and adds some complexity to the instrumentation pass. I don't mind either way.

vitalybuka added inline comments.Jun 29 2017, 8:58 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
194 ↗(On Diff #104732)

Probably we need compile time flag disabled by default

eugenis added inline comments.Jun 30 2017, 11:42 AM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
194 ↗(On Diff #104732)

A flag would not hurt, but I think it should be on by default.

morehouse updated this revision to Diff 105470.Jul 6 2017, 10:29 AM

Remove ArgNum counter. Add compile-time flag to disable redzones for byval arguments. Check memcpy alignment in test case. Add test case for unnamed argument with no explicit alignment.

Herald added a subscriber: hiraditya. · View Herald TranscriptJul 6 2017, 10:29 AM
morehouse added a comment.Jul 6 2017, 10:35 AM

@eugenis You mentioned the test case should also check alignment in the alloca, but it looks like the alignment there is specified by the default "-asan-realign-stack" option independent of the argument alignment.

eugenis added a comment.Jul 6 2017, 2:07 PM
In D34789#800988, @morehouse wrote:

@eugenis You mentioned the test case should also check alignment in the alloca, but it looks like the alignment there is specified by the default "-asan-realign-stack" option independent of the argument alignment.

Right, but what if the byval argument is aligned higher than ClRealignStack.

eugenis added inline comments.Jul 6 2017, 2:23 PM
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
2557 ↗(On Diff #105470)

This looks suspicious. You construct a temporary StringRef to a temporary std::string. The const reference extends the lifetime of StringRef, but I don't think it does anything to the std::string it points to, and StringRef does not own the buffer.

It's better to build the alloca name in a local std::string variable.

llvm/test/Instrumentation/AddressSanitizer/stack-poisoning-byval-args.ll
28 ↗(On Diff #105470)

I think you need "target datalayout" and "target triple" statements in the test, because type alignment is target-dependent.

morehouse updated this revision to Diff 105547.Jul 6 2017, 3:06 PM

Replace StringRef usage with std::string. Add target datalayout and target triple lines to test. Add alignment check in alloca.

eugenis accepted this revision.Jul 6 2017, 3:08 PM
This revision is now accepted and ready to land.Jul 6 2017, 3:08 PM
Closed by commit rL307342: Copy arguments passed by value into explicit allocas for ASan. (authored by eugenis). · Explain WhyJul 6 2017, 5:49 PM
This revision was automatically updated to reflect the committed changes.
eugenis added a comment.Jul 6 2017, 6:32 PM

I've reverted this and the other change in r307345, see the commit message for the (incomplete) list of failing bots.

morehouse added a comment.Jul 7 2017, 12:49 PM

How can I reproduce the failures?

morehouse updated this revision to Diff 106530.Jul 13 2017, 2:09 PM

Replace std::to_string with llvm::to_string for Android builds.

morehouse added a comment.Jul 18 2017, 9:18 AM

@vitalybuka If this looks good, could you land this today since I don't yet have commit access?

vitalybuka reopened this revision.Jul 18 2017, 2:57 PM

I usually reopen reviews for reverted patches.

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
14 ↗(On Diff #106530)

I suspect not all new headers are rely needed

This revision is now accepted and ready to land.Jul 18 2017, 2:57 PM
vitalybuka added a comment.Jul 18 2017, 2:58 PM

Please ignore comments about headers.

vitalybuka closed this revision.Jul 18 2017, 3:31 PM

https://reviews.llvm.org/rL308387

Revision Contents

PathSize
llvm/
trunk/
lib/
Transforms/
Instrumentation/
37 lines
test/
Instrumentation/
AddressSanitizer/
48 lines

Diff 105568

llvm/trunk/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show All 16 Lines
#include "llvm/ADT/DenseMap.h" #include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/DepthFirstIterator.h" #include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/ADT/SetVector.h" #include "llvm/ADT/SetVector.h"
#include "llvm/ADT/SmallSet.h" #include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/Triple.h" #include "llvm/ADT/Triple.h"
#include "llvm/ADT/Twine.h"
#include "llvm/Analysis/MemoryBuiltins.h" #include "llvm/Analysis/MemoryBuiltins.h"
#include "llvm/Analysis/TargetLibraryInfo.h" #include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/Analysis/ValueTracking.h" #include "llvm/Analysis/ValueTracking.h"
#include "llvm/IR/Argument.h"
#include "llvm/IR/CallSite.h" #include "llvm/IR/CallSite.h"
#include "llvm/IR/DIBuilder.h" #include "llvm/IR/DIBuilder.h"
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
#include "llvm/IR/Dominators.h" #include "llvm/IR/Dominators.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h" #include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h" #include "llvm/IR/InlineAsm.h"
#include "llvm/IR/InstVisitor.h" #include "llvm/IR/InstVisitor.h"
▲ Show 20 LinesShow All 151 Lines▼ Show 20 Lines
static cl::opt<uint32_t> ClMaxInlinePoisoningSize( static cl::opt<uint32_t> ClMaxInlinePoisoningSize(
"asan-max-inline-poisoning-size", "asan-max-inline-poisoning-size",
cl::desc( cl::desc(
"Inline shadow poisoning for blocks up to the given size in bytes."), "Inline shadow poisoning for blocks up to the given size in bytes."),
cl::Hidden, cl::init(64)); cl::Hidden, cl::init(64));
static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", static cl::opt<bool> ClUseAfterReturn("asan-use-after-return",
cl::desc("Check stack-use-after-return"), cl::desc("Check stack-use-after-return"),
cl::Hidden, cl::init(true)); cl::Hidden, cl::init(true));
static cl::opt<bool> ClRedzoneByvalArgs("asan-redzone-byval-args",
cl::desc("Create redzones for byval "
"arguments (extra copy "
"required)"), cl::Hidden,
cl::init(true));
static cl::opt<bool> ClUseAfterScope("asan-use-after-scope", static cl::opt<bool> ClUseAfterScope("asan-use-after-scope",
cl::desc("Check stack-use-after-scope"), cl::desc("Check stack-use-after-scope"),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
// This flag may need to be replaced with -f[no]asan-globals. // This flag may need to be replaced with -f[no]asan-globals.
static cl::opt<bool> ClGlobals("asan-globals", static cl::opt<bool> ClGlobals("asan-globals",
cl::desc("Handle global objects"), cl::Hidden, cl::desc("Handle global objects"), cl::Hidden,
cl::init(true)); cl::init(true));
static cl::opt<bool> ClInitializers("asan-initialization-order", static cl::opt<bool> ClInitializers("asan-initialization-order",
▲ Show 20 LinesShow All 539 Lines▼ Show 20 Lines FunctionStackPoisoner(Function &F, AddressSanitizer &ASan)
IntptrTy(ASan.IntptrTy), IntptrTy(ASan.IntptrTy),
IntptrPtrTy(PointerType::get(IntptrTy, 0)), IntptrPtrTy(PointerType::get(IntptrTy, 0)),
Mapping(ASan.Mapping), Mapping(ASan.Mapping),
StackAlignment(1 << Mapping.Scale), StackAlignment(1 << Mapping.Scale),
EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {} EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {}
bool runOnFunction() { bool runOnFunction() {
if (!ClStack) return false; if (!ClStack) return false;
if (ClRedzoneByvalArgs) copyArgsPassedByValToAllocas();
// Collect alloca, ret, lifetime instructions etc. // Collect alloca, ret, lifetime instructions etc.
for (BasicBlock *BB : depth_first(&F.getEntryBlock())) visit(*BB); for (BasicBlock *BB : depth_first(&F.getEntryBlock())) visit(*BB);
if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false; if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;
initializeCallbacks(*F.getParent()); initializeCallbacks(*F.getParent());
processDynamicAllocas(); processDynamicAllocas();
processStaticAllocas(); processStaticAllocas();
if (ClDebugStack) { if (ClDebugStack) {
DEBUG(dbgs() << F); DEBUG(dbgs() << F);
} }
return true; return true;
} }
// Arguments marked with the "byval" attribute are implicitly copied without
// using an alloca instruction. To produce redzones for those arguments, we
// copy them a second time into memory allocated with an alloca instruction.
void copyArgsPassedByValToAllocas();
// Finds all Alloca instructions and puts // Finds all Alloca instructions and puts
// poisoned red zones around all of them. // poisoned red zones around all of them.
// Then unpoison everything back before the function returns. // Then unpoison everything back before the function returns.
void processStaticAllocas(); void processStaticAllocas();
void processDynamicAllocas(); void processDynamicAllocas();
void createDynamicAllocasInitStorage(); void createDynamicAllocasInitStorage();
▲ Show 20 LinesShow All 1,749 Lines▼ Show 20 Lines
static int StackMallocSizeClass(uint64_t LocalStackSize) { static int StackMallocSizeClass(uint64_t LocalStackSize) {
assert(LocalStackSize <= kMaxStackMallocSize); assert(LocalStackSize <= kMaxStackMallocSize);
uint64_t MaxSize = kMinStackMallocSize; uint64_t MaxSize = kMinStackMallocSize;
for (int i = 0;; i++, MaxSize *= 2) for (int i = 0;; i++, MaxSize *= 2)
if (LocalStackSize <= MaxSize) return i; if (LocalStackSize <= MaxSize) return i;
llvm_unreachable("impossible LocalStackSize"); llvm_unreachable("impossible LocalStackSize");
} }
void FunctionStackPoisoner::copyArgsPassedByValToAllocas() {
BasicBlock &FirstBB = *F.begin();
IRBuilder<> IRB(&FirstBB, FirstBB.getFirstInsertionPt());
const DataLayout &DL = F.getParent()->getDataLayout();
for (Argument &Arg : F.args()) {
if (Arg.hasByValAttr()) {
Type *Ty = Arg.getType()->getPointerElementType();
unsigned Align = Arg.getParamAlignment();
if (Align == 0) Align = DL.getABITypeAlignment(Ty);
const std::string &Name = Arg.hasName() ? Arg.getName().str() :
"Arg" + std::to_string(Arg.getArgNo());
AllocaInst *AI = IRB.CreateAlloca(Ty, nullptr, Twine(Name) + ".byval");
AI->setAlignment(Align);
Arg.replaceAllUsesWith(AI);
uint64_t AllocSize = DL.getTypeAllocSize(Ty);
IRB.CreateMemCpy(AI, &Arg, AllocSize, Align);
}
}
}
PHINode *FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value *Cond, PHINode *FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value *Cond,
Value *ValueIfTrue, Value *ValueIfTrue,
Instruction *ThenTerm, Instruction *ThenTerm,
Value *ValueIfFalse) { Value *ValueIfFalse) {
PHINode *PHI = IRB.CreatePHI(IntptrTy, 2); PHINode *PHI = IRB.CreatePHI(IntptrTy, 2);
BasicBlock *CondBlock = cast<Instruction>(Cond)->getParent(); BasicBlock *CondBlock = cast<Instruction>(Cond)->getParent();
PHI->addIncoming(ValueIfFalse, CondBlock); PHI->addIncoming(ValueIfFalse, CondBlock);
BasicBlock *ThenBlock = ThenTerm->getParent(); BasicBlock *ThenBlock = ThenTerm->getParent();
▲ Show 20 LinesShow All 435 LinesShow Last 20 Lines

llvm/trunk/test/Instrumentation/AddressSanitizer/stack-poisoning-byval-args.ll

; This check verifies that arguments passed by value get redzones.
; RUN: opt < %s -asan -asan-realign-stack=32 -S | FileCheck %s
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64"
target triple = "x86_64-unknown-linux-gnu"
%struct.A = type { [8 x i32] }
declare i32 @bar(%struct.A*)
; Test behavior for named argument with explicit alignment. The memcpy and
; alloca alignments should match the explicit alignment of 64.
define void @foo(%struct.A* byval align 64 %a) sanitize_address {
entry:
; CHECK-LABEL: foo
; CHECK: call i64 @__asan_stack_malloc
; CHECK: alloca i8, i64 {{.*}} align 64
; CHECK: [[copyPtr:%[^ \t]+]] = inttoptr i64 %{{[^ \t]+}} to %struct.A*
; CHECK: [[copyBytePtr:%[^ \t]+]] = bitcast %struct.A* [[copyPtr]]
; CHECK: [[aBytePtr:%[^ \t]+]] = bitcast %struct.A* %a
; CHECK: call void @llvm.memcpy{{[^%]+}}[[copyBytePtr]]{{[^%]+}}[[aBytePtr]],{{[^,]+}}, i32 64
; CHECK: call i32 @bar(%struct.A* [[copyPtr]])
; CHECK: ret void
%call = call i32 @bar(%struct.A* %a)
ret void
}
; Test behavior for unnamed argument without explicit alignment. In this case,
; the first argument is referenced by the identifier %0 and the ABI requires a
; minimum alignment of 4 bytes since struct.A contains i32s which have 4-byte
; alignment. However, the alloca alignment will be 32 since that is the value
; passed via the -asan-realign-stack option, which is greater than 4.
define void @baz(%struct.A* byval) sanitize_address {
entry:
; CHECK-LABEL: baz
; CHECK: call i64 @__asan_stack_malloc
; CHECK: alloca i8, i64 {{.*}} align 32
; CHECK: [[copyPtr:%[^ \t]+]] = inttoptr i64 %{{[^ \t]+}} to %struct.A*
; CHECK: [[copyBytePtr:%[^ \t]+]] = bitcast %struct.A* [[copyPtr]]
; CHECK: [[aBytePtr:%[^ \t]+]] = bitcast %struct.A* %0
; CHECK: call void @llvm.memcpy{{[^%]+}}[[copyBytePtr]]{{[^%]+}}[[aBytePtr]],{{[^,]+}}, i32 4
; CHECK: call i32 @bar(%struct.A* [[copyPtr]])
; CHECK: ret void
%call = call i32 @bar(%struct.A* %0)
ret void
}