This is an archive of the discontinued LLVM Phabricator instance.

Differential D34827

Add end-to-end tests for overflows of byval arguments.
ClosedPublic

Authored by morehouse on Jun 29 2017, 11:50 AM.

Details

Reviewers
eugenis
vitalybuka
Commits
rG74ddba0c95bc: Add end-to-end tests for overflows of byval arguments.
rG6d8fb107b271: Add end-to-end tests for overflows of byval arguments.
rG03542db81c9a: [asan] Add end-to-end tests for overflows of byval arguments.
rCRT309424: Add end-to-end tests for overflows of byval arguments.
rCRT308677: Add end-to-end tests for overflows of byval arguments.
rCRT307343: [asan] Add end-to-end tests for overflows of byval arguments.
rL309424: Add end-to-end tests for overflows of byval arguments.
rL308677: Add end-to-end tests for overflows of byval arguments.
rL307343: [asan] Add end-to-end tests for overflows of byval arguments.
Summary

Included is one test for passing structs by value and one test for passing C++
objects by value.

Diff Detail

Repository
rL LLVM

Event Timeline

morehouse created this revision.Jun 29 2017, 11:50 AM
Herald added a subscriber: kubamracek. · View Herald TranscriptJun 29 2017, 11:50 AM
morehouse edited the summary of this revision. (Show Details)Jun 29 2017, 11:51 AM
eugenis added inline comments.Jun 29 2017, 12:06 PM
test/asan/TestCases/pass-object-byval.cc
7 ↗(On Diff #104714)

But the pointer seems unused in the test. Is it possible to replace the IR check with smth like assert(a->me == &a) ?

vitalybuka edited edge metadata.Jun 29 2017, 12:16 PM

Probably we need test for UAR as well

A* f(A a) {

return &a;

}

viod b() {

A* a = f(A());
a->  // should likely crash with UAR and pass without it

}

test/asan/TestCases/pass-struct-byval.cc
1 ↗(On Diff #104714)

what is going to happen with -O1?

eugenis added inline comments.Jun 29 2017, 12:26 PM
test/asan/TestCases/pass-struct-byval.cc
1 ↗(On Diff #104714)

The code in bar() will be optimized to undef, I think.
"int * volatile ptr" should protect against that.

10 ↗(On Diff #104714)

(int *) cast seems unnecessary. (ptr - 1) is already that.

morehouse updated this revision to Diff 105350.Jul 5 2017, 3:47 PM

Add test for UAR. Remove unnecessary casts and make some pointers volatile.

eugenis accepted this revision.Jul 5 2017, 3:57 PM
eugenis added inline comments.
compiler-rt/test/asan/TestCases/pass-object-byval.cc
4 ↗(On Diff #105350)

--implicit-check-not

Nice!

compiler-rt/test/asan/TestCases/pass-struct-byval-uar.cc
28 ↗(On Diff #105350)

Don't need that many -NOT checks. This would be enough:
// CHECK-NO-UAR-NOT: ERROR: AddressSanitizer

Also I'm not sure the NO-UAR case is necessary at all. You are effectively testing undefined behavior.

This revision is now accepted and ready to land.Jul 5 2017, 3:57 PM
Closed by commit rL307343: [asan] Add end-to-end tests for overflows of byval arguments. (authored by eugenis). · Explain WhyJul 6 2017, 5:49 PM
This revision was automatically updated to reflect the committed changes.
morehouse added a comment.EditedJul 12 2017, 12:28 PM

Interesting development. It looks like on Android the IR produced doesn't use byval arguments for the pass-struct-byval-uar.cc test. As a result, foo() has no allocas to poison on return.

morehouse added a comment.Jul 12 2017, 3:29 PM

The byval attribute is avoided and instead the caller produces a copy of the struct and passes a pointer to it. So foo() can't do any poisoning to its argument for UAR, and instead main() would have to do it. However, ASAN currently does not handle this case. I would suspect that most of the test failures on other architectures are being caused by this same issue.

vitalybuka added a comment.Jul 12 2017, 3:39 PM
In D34827#807318, @morehouse wrote:

The byval attribute is avoided and instead the caller produces a copy of the struct and passes a pointer to it. So foo() can't do any poisoning to its argument for UAR, and instead main() would have to do it. However, ASAN currently does not handle this case. I would suspect that most of the test failures on other architectures are being caused by this same issue.

In this case I'd expect compiler creates llvm.lifetime.start/end and this detected as UAS bug

morehouse added a comment.Jul 13 2017, 10:41 AM

In this case I'd expect compiler creates llvm.lifetime.start/end and this detected as UAS bug

It looks like llvm.lifetime.start/end are set, but they do not encompass the proper lifetime of the copy. Thus even when compiling with -fsanitize-use-after-scope, UAS is not detected.

morehouse updated this revision to Diff 106501.Jul 13 2017, 1:05 PM

Mark pass-struct-byval-uar.cc as unsupported.

morehouse updated this revision to Diff 106533.Jul 13 2017, 2:24 PM

Change UNSUPPORTED option to REQUIRES. Test now works on x86_64 Linux and shouldn't cause the Android/ARM/Windows buildbots to fail.

Herald added a subscriber: srhines. · View Herald TranscriptJul 13 2017, 2:24 PM
morehouse updated this revision to Diff 106536.Jul 13 2017, 2:27 PM

Fix bad diff update.

morehouse added a comment.Jul 18 2017, 9:19 AM

@vitalybuka If this looks good, could you land this today since I don't yet have commit access?

morehouse reopened this revision.Jul 20 2017, 2:00 PM

@vitalybuka Does the latest diff look good? Just got commit access so I can land this if you approve.

This revision is now accepted and ready to land.Jul 20 2017, 2:00 PM
Closed by commit rL308677: Add end-to-end tests for overflows of byval arguments. (authored by vitalybuka). · Explain WhyJul 20 2017, 2:41 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
compiler-rt/
trunk/
compiler-rt/
test/
asan/
TestCases/
36 lines
38 lines
23 lines

Diff 107587

compiler-rt/trunk/compiler-rt/test/asan/TestCases/pass-object-byval.cc

// Verify that objects passed by value get red zones and that the copy
// constructor is called.
// RUN: %clangxx_asan -O0 %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s --implicit-check-not \
// RUN: Assertion{{.*}}failed
#include <cassert>
class A {
public:
A() : me(this) {}
A(const A &other) : me(this) {
for (int i = 0; i < 8; ++i) a[i] = other.a[i];
}
int a[8];
A *me;
};
int bar(A *a) {
int *volatile ptr = &a->a[0];
return *(ptr - 1);
}
void foo(A a) {
assert(a.me == &a);
bar(&a);
}
int main() {
A a;
foo(a);
}
// CHECK: ERROR: AddressSanitizer: stack-buffer-overflow
// CHECK: READ of size 4 at
// CHECK: is located in stack of thread

compiler-rt/trunk/compiler-rt/test/asan/TestCases/pass-struct-byval-uar.cc

// Test that use-after-return works with arguments passed by value.
// RUN: %clangxx_asan -O0 %s -o %t
// RUN: %env_asan_opts=detect_stack_use_after_return=0 %run %t 2>&1 | \
// RUN: FileCheck --check-prefix=CHECK-NO-UAR %s
// RUN: not %env_asan_opts=detect_stack_use_after_return=1 %run %t 2>&1 | \
// RUN: FileCheck --check-prefix=CHECK-UAR %s
//
// On several architectures, the IR does not use byval arguments for foo() and
// instead creates a copy in main() and gives foo() a pointer to the copy. In
// that case, ASAN has nothing to poison on return from foo() and will not
// detect the UAR.
// REQUIRES: x86_64-target-arch, linux, not-android
#include <cstdio>
struct A {
int a[8];
};
A *foo(A a) {
return &a;
}
int main() {
A *a = foo(A());
a->a[0] = 7;
std::fprintf(stderr, "\n"); // Ensures some output is generated for FileCheck
// to verify in the case where UAR is not
// detected.
}
// CHECK-NO-UAR-NOT: ERROR: AddressSanitizer: stack-use-after-return
// CHECK-NO-UAR-NOT: WRITE of size 4 at
// CHECK-NO-UAR-NOT: Memory access at offset {{[0-9]+}} is inside this variable
//
// CHECK-UAR: ERROR: AddressSanitizer: stack-use-after-return
// CHECK-UAR: WRITE of size 4 at
// CHECK-UAR: Memory access at offset {{[0-9]+}} is inside this variable

compiler-rt/trunk/compiler-rt/test/asan/TestCases/pass-struct-byval.cc

// RUN: %clangxx_asan -O0 %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
struct A {
int a[8];
};
int bar(A *a) {
int *volatile ptr = &a->a[0];
return *(ptr - 1);
}
void foo(A a) {
bar(&a);
}
int main() {
foo(A());
}
// CHECK: ERROR: AddressSanitizer: stack-buffer-underflow
// CHECK: READ of size 4 at
// CHECK: is located in stack of thread