This is an archive of the discontinued LLVM Phabricator instance.

Differential D36465

[RFC] Change cmp instrumentation to distinguish comparisons with const operands
ClosedPublic

Authored by tch1bo on Aug 8 2017, 6:45 AM.

Details

Reviewers
glider
kcc
dvyukov
Summary

This implementation of SanitizerCoverage instrumentation inserts different callbacks depending on constantness of operands:

  1. If both operands are non-const, then a usual __sanitizer_cov_trace_cmp[1248] call is inserted.
  2. If exactly one operand is const, then a __sanitizer_cov_trace_const_cmp[1248] call is inserted. The first argument of the call is always the constant one.
  3. If both operands are const, then no callback is inserted.

This separation comes useful in fuzzing when tasks like "find one operand of the comparison in input arguments and replace it with the other one" have to be done. The new instrumentation allows us to not waste time on searching the constant operands in the input.

Diff Detail

Event Timeline

tch1bo created this revision.Aug 8 2017, 6:45 AM
glider added inline comments.Aug 8 2017, 7:31 AM
lib/Transforms/Instrumentation/SanitizerCoverage.cpp
675

Pay attention to the comment style: single-line comments start with a capital letter and end with a period.

677

Ditto.

679

Nested code should be indented with two spaces.

680

You don't need braces for one-line if body.

test/Instrumentation/SanitizerCoverage/const-cmp-tracing.ll
30

Please add tests for swapped arguments, e.g. "icmp slt 1, i8 %x"

glider added reviewers: kcc, dvyukov.Aug 8 2017, 7:31 AM
glider edited edge metadata.

Kostya, Dima,

Do we need to put this code behind a flag (probably yes, if we don't want to break the API for the existing users)?
Any other comments?

dvyukov edited edge metadata.Aug 8 2017, 7:51 AM
In D36465#835269, @glider wrote:

Kostya, Dima,

Do we need to put this code behind a flag (probably yes, if we don't want to break the API for the existing users)?
Any other comments?

We don't yet have support for this in kernel. When we add it, we add both const and non-const versions. So API issues only affect user-space. So the question goes to Kostya.

kcc edited edge metadata.Aug 8 2017, 11:11 AM

I am fine with breaking the API. Whoever uses this API will need to add a tiny bit of code to work with the new compiler (and that code will be compatible with the old version).
It's better to break the API this way than to introduce the flags or weak aliases, etc

Please update the documentation in this patch. (mention that these functions are emitted by clang >= 2017-08-XX)

Make sure to run 'ninja check-fuzzer'. Most likely it will break due to the API change, fix it in libFuzzer (in a simple way, by calling __sanitizer_cov_trace_cmpN)

Find all uses of __sanitizer_cov_trace_cmp1 in projects/compiler-rt/lib/sanitizer_common and update those files.

test/Instrumentation/SanitizerCoverage/const-cmp-tracing.ll
21

Adding CHECK-NEXT is a good idea, do it here and below

26

Add
CHECK: icmp slt i32 1, 0

dvyukov added a comment.Aug 8 2017, 11:13 AM
In D36465#835650, @kcc wrote:

I am fine with breaking the API. Whoever uses this API will need to add a tiny bit of code to work with the new compiler (and that code will be compatible with the old version).
It's better to break the API this way than to introduce the flags or weak aliases, etc

Please update the documentation in this patch. (mention that these functions are emitted by clang >= 2017-08-XX)

Make sure to run 'ninja check-fuzzer'. Most likely it will break due to the API change, fix it in libFuzzer (in a simple way, by calling __sanitizer_cov_trace_cmpN)

Find all uses of __sanitizer_cov_trace_cmp1 in projects/compiler-rt/lib/sanitizer_common and update those files.

To save one hop, who do you want this to be split in patches?

kcc added a comment.Aug 8 2017, 11:37 AM

To save one hop, who do you want this to be split in patches?

Up to you. But please make sure to not break the bots.

tch1bo updated this revision to Diff 110386.Aug 9 2017, 7:13 AM
glider added inline comments.Aug 9 2017, 7:49 AM
tools/clang/docs/SanitizerCoverage.rst
207 ↗(On Diff #110386)

Change to "Called before a comparison instruction with non-constant arguments."

231 ↗(On Diff #110386)

No need to write the dates here, this isn't a changelog.

243 ↗(On Diff #110386)

These are already listed at line 209. I suggest you move the above block there.

247 ↗(On Diff #110386)

Extra newline, please remove.

tch1bo updated this revision to Diff 110413.Aug 9 2017, 8:58 AM
tch1bo marked 11 inline comments as done.
kcc accepted this revision.Aug 9 2017, 1:04 PM

LGTM with nits, thanks!

tools/clang/docs/SanitizerCoverage.rst
235 ↗(On Diff #110413)

Move this inside the first block, just under __sanitizer_cov_trace_cmp8

Add a comment:
Arg1 and Arg2 are arguments of the comparison, Arg1 is a compile-time constant.
These callbacks are emitted by -fsanitize-coverage=trace-cmp since 2011-08-XX

242 ↗(On Diff #110413)

this comment is redundant.

This revision is now accepted and ready to land.Aug 9 2017, 1:04 PM
tch1bo updated this revision to Diff 110540.Aug 10 2017, 2:29 AM
glider closed this revision.Aug 10 2017, 8:01 AM

Landed r310600.
Good job!

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
45 lines
test/
Instrumentation/
SanitizerCoverage/
44 lines

Diff 110182

lib/Transforms/Instrumentation/SanitizerCoverage.cpp

Show All 40 Lines
static const char *const SanCovTracePCIndirName = static const char *const SanCovTracePCIndirName =
"__sanitizer_cov_trace_pc_indir"; "__sanitizer_cov_trace_pc_indir";
static const char *const SanCovTracePCName = "__sanitizer_cov_trace_pc"; static const char *const SanCovTracePCName = "__sanitizer_cov_trace_pc";
static const char *const SanCovTraceCmp1 = "__sanitizer_cov_trace_cmp1"; static const char *const SanCovTraceCmp1 = "__sanitizer_cov_trace_cmp1";
static const char *const SanCovTraceCmp2 = "__sanitizer_cov_trace_cmp2"; static const char *const SanCovTraceCmp2 = "__sanitizer_cov_trace_cmp2";
static const char *const SanCovTraceCmp4 = "__sanitizer_cov_trace_cmp4"; static const char *const SanCovTraceCmp4 = "__sanitizer_cov_trace_cmp4";
static const char *const SanCovTraceCmp8 = "__sanitizer_cov_trace_cmp8"; static const char *const SanCovTraceCmp8 = "__sanitizer_cov_trace_cmp8";
static const char *const SanCovTraceConstCmp1 =
"__sanitizer_cov_trace_const_cmp1";
static const char *const SanCovTraceConstCmp2 =
"__sanitizer_cov_trace_const_cmp2";
static const char *const SanCovTraceConstCmp4 =
"__sanitizer_cov_trace_const_cmp4";
static const char *const SanCovTraceConstCmp8 =
"__sanitizer_cov_trace_const_cmp8";
static const char *const SanCovTraceDiv4 = "__sanitizer_cov_trace_div4"; static const char *const SanCovTraceDiv4 = "__sanitizer_cov_trace_div4";
static const char *const SanCovTraceDiv8 = "__sanitizer_cov_trace_div8"; static const char *const SanCovTraceDiv8 = "__sanitizer_cov_trace_div8";
static const char *const SanCovTraceGep = "__sanitizer_cov_trace_gep"; static const char *const SanCovTraceGep = "__sanitizer_cov_trace_gep";
static const char *const SanCovTraceSwitchName = "__sanitizer_cov_trace_switch"; static const char *const SanCovTraceSwitchName = "__sanitizer_cov_trace_switch";
static const char *const SanCovModuleCtorName = "sancov.module_ctor"; static const char *const SanCovModuleCtorName = "sancov.module_ctor";
static const uint64_t SanCtorAndDtorPriority = 2; static const uint64_t SanCtorAndDtorPriority = 2;
static const char *const SanCovTracePCGuardName = static const char *const SanCovTracePCGuardName =
▲ Show 20 LinesShow All 142 Lines▼ Show 20 Linesprivate:
} }
std::string getSectionName(const std::string &Section) const; std::string getSectionName(const std::string &Section) const;
std::string getSectionStart(const std::string &Section) const; std::string getSectionStart(const std::string &Section) const;
std::string getSectionEnd(const std::string &Section) const; std::string getSectionEnd(const std::string &Section) const;
Function *SanCovTracePCIndir; Function *SanCovTracePCIndir;
Function *SanCovTracePC, *SanCovTracePCGuard; Function *SanCovTracePC, *SanCovTracePCGuard;
Function *SanCovTraceCmpFunction[4]; Function *SanCovTraceCmpFunction[4];
Function *SanCovTraceConstCmpFunction[4];
Function *SanCovTraceDivFunction[2]; Function *SanCovTraceDivFunction[2];
Function *SanCovTraceGepFunction; Function *SanCovTraceGepFunction;
Function *SanCovTraceSwitchFunction; Function *SanCovTraceSwitchFunction;
InlineAsm *EmptyAsm; InlineAsm *EmptyAsm;
Type *IntptrTy, *IntptrPtrTy, *Int64Ty, *Int64PtrTy, *Int32Ty, *Int32PtrTy, Type *IntptrTy, *IntptrPtrTy, *Int64Ty, *Int64PtrTy, *Int32Ty, *Int32PtrTy,
*Int8Ty, *Int8PtrTy; *Int16Ty, *Int8Ty, *Int8PtrTy;
Module *CurModule; Module *CurModule;
Triple TargetTriple; Triple TargetTriple;
LLVMContext *C; LLVMContext *C;
const DataLayout *DL; const DataLayout *DL;
GlobalVariable *FunctionGuardArray; // for trace-pc-guard. GlobalVariable *FunctionGuardArray; // for trace-pc-guard.
GlobalVariable *Function8bitCounterArray; // for inline-8bit-counters. GlobalVariable *Function8bitCounterArray; // for inline-8bit-counters.
GlobalVariable *FunctionPCsArray; // for pc-table. GlobalVariable *FunctionPCsArray; // for pc-table.
▲ Show 20 LinesShow All 55 Lines▼ Show 20 Linesbool SanitizerCoverageModule::runOnModule(Module &M) {
IntptrPtrTy = PointerType::getUnqual(IntptrTy); IntptrPtrTy = PointerType::getUnqual(IntptrTy);
Type *VoidTy = Type::getVoidTy(*C); Type *VoidTy = Type::getVoidTy(*C);
IRBuilder<> IRB(*C); IRBuilder<> IRB(*C);
Int64PtrTy = PointerType::getUnqual(IRB.getInt64Ty()); Int64PtrTy = PointerType::getUnqual(IRB.getInt64Ty());
Int32PtrTy = PointerType::getUnqual(IRB.getInt32Ty()); Int32PtrTy = PointerType::getUnqual(IRB.getInt32Ty());
Int8PtrTy = PointerType::getUnqual(IRB.getInt8Ty()); Int8PtrTy = PointerType::getUnqual(IRB.getInt8Ty());
Int64Ty = IRB.getInt64Ty(); Int64Ty = IRB.getInt64Ty();
Int32Ty = IRB.getInt32Ty(); Int32Ty = IRB.getInt32Ty();
Int16Ty = IRB.getInt16Ty();
Int8Ty = IRB.getInt8Ty(); Int8Ty = IRB.getInt8Ty();
SanCovTracePCIndir = checkSanitizerInterfaceFunction( SanCovTracePCIndir = checkSanitizerInterfaceFunction(
M.getOrInsertFunction(SanCovTracePCIndirName, VoidTy, IntptrTy)); M.getOrInsertFunction(SanCovTracePCIndirName, VoidTy, IntptrTy));
SanCovTraceCmpFunction[0] = SanCovTraceCmpFunction[0] =
checkSanitizerInterfaceFunction(M.getOrInsertFunction( checkSanitizerInterfaceFunction(M.getOrInsertFunction(
SanCovTraceCmp1, VoidTy, IRB.getInt8Ty(), IRB.getInt8Ty())); SanCovTraceCmp1, VoidTy, IRB.getInt8Ty(), IRB.getInt8Ty()));
SanCovTraceCmpFunction[1] = checkSanitizerInterfaceFunction( SanCovTraceCmpFunction[1] = checkSanitizerInterfaceFunction(
M.getOrInsertFunction(SanCovTraceCmp2, VoidTy, IRB.getInt16Ty(), M.getOrInsertFunction(SanCovTraceCmp2, VoidTy, IRB.getInt16Ty(),
IRB.getInt16Ty())); IRB.getInt16Ty()));
SanCovTraceCmpFunction[2] = checkSanitizerInterfaceFunction( SanCovTraceCmpFunction[2] = checkSanitizerInterfaceFunction(
M.getOrInsertFunction(SanCovTraceCmp4, VoidTy, IRB.getInt32Ty(), M.getOrInsertFunction(SanCovTraceCmp4, VoidTy, IRB.getInt32Ty(),
IRB.getInt32Ty())); IRB.getInt32Ty()));
SanCovTraceCmpFunction[3] = SanCovTraceCmpFunction[3] =
checkSanitizerInterfaceFunction(M.getOrInsertFunction( checkSanitizerInterfaceFunction(M.getOrInsertFunction(
SanCovTraceCmp8, VoidTy, Int64Ty, Int64Ty)); SanCovTraceCmp8, VoidTy, Int64Ty, Int64Ty));
SanCovTraceConstCmpFunction[0] =
checkSanitizerInterfaceFunction(M.getOrInsertFunction(
SanCovTraceConstCmp1, VoidTy, Int8Ty, Int8Ty));
SanCovTraceConstCmpFunction[1] =
checkSanitizerInterfaceFunction(M.getOrInsertFunction(
SanCovTraceConstCmp2, VoidTy, Int16Ty, Int16Ty));
SanCovTraceConstCmpFunction[2] =
checkSanitizerInterfaceFunction(M.getOrInsertFunction(
SanCovTraceConstCmp4, VoidTy, Int32Ty, Int32Ty));
SanCovTraceConstCmpFunction[3] =
checkSanitizerInterfaceFunction(M.getOrInsertFunction(
SanCovTraceConstCmp8, VoidTy, Int64Ty, Int64Ty));
SanCovTraceDivFunction[0] = SanCovTraceDivFunction[0] =
checkSanitizerInterfaceFunction(M.getOrInsertFunction( checkSanitizerInterfaceFunction(M.getOrInsertFunction(
SanCovTraceDiv4, VoidTy, IRB.getInt32Ty())); SanCovTraceDiv4, VoidTy, IRB.getInt32Ty()));
SanCovTraceDivFunction[1] = SanCovTraceDivFunction[1] =
checkSanitizerInterfaceFunction(M.getOrInsertFunction( checkSanitizerInterfaceFunction(M.getOrInsertFunction(
SanCovTraceDiv8, VoidTy, Int64Ty)); SanCovTraceDiv8, VoidTy, Int64Ty));
SanCovTraceGepFunction = SanCovTraceGepFunction =
checkSanitizerInterfaceFunction(M.getOrInsertFunction( checkSanitizerInterfaceFunction(M.getOrInsertFunction(
SanCovTraceGep, VoidTy, IntptrTy)); SanCovTraceGep, VoidTy, IntptrTy));
SanCovTraceSwitchFunction = SanCovTraceSwitchFunction =
checkSanitizerInterfaceFunction(M.getOrInsertFunction( checkSanitizerInterfaceFunction(M.getOrInsertFunction(
SanCovTraceSwitchName, VoidTy, Int64Ty, Int64PtrTy)); SanCovTraceSwitchName, VoidTy, Int64Ty, Int64PtrTy));
// Make sure smaller parameters are zero-extended to i64 as required by the // Make sure smaller parameters are zero-extended to i64 as required by the
// x86_64 ABI. // x86_64 ABI.
if (TargetTriple.getArch() == Triple::x86_64) { if (TargetTriple.getArch() == Triple::x86_64) {
for (int i = 0; i < 3; i++) { for (int i = 0; i < 3; i++) {
SanCovTraceCmpFunction[i]->addParamAttr(0, Attribute::ZExt); SanCovTraceCmpFunction[i]->addParamAttr(0, Attribute::ZExt);
SanCovTraceCmpFunction[i]->addParamAttr(1, Attribute::ZExt); SanCovTraceCmpFunction[i]->addParamAttr(1, Attribute::ZExt);
SanCovTraceConstCmpFunction[i]->addParamAttr(0, Attribute::ZExt);
SanCovTraceConstCmpFunction[i]->addParamAttr(1, Attribute::ZExt);
} }
SanCovTraceDivFunction[0]->addParamAttr(0, Attribute::ZExt); SanCovTraceDivFunction[0]->addParamAttr(0, Attribute::ZExt);
} }
// We insert an empty inline asm after cov callbacks to avoid callback merge. // We insert an empty inline asm after cov callbacks to avoid callback merge.
EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
StringRef(""), StringRef(""), StringRef(""), StringRef(""),
▲ Show 20 LinesShow All 312 Lines▼ Show 20 Lines if (ICmpInst *ICMP = dyn_cast<ICmpInst>(I)) {
continue; continue;
uint64_t TypeSize = DL->getTypeStoreSizeInBits(A0->getType()); uint64_t TypeSize = DL->getTypeStoreSizeInBits(A0->getType());
int CallbackIdx = TypeSize == 8 ? 0 : int CallbackIdx = TypeSize == 8 ? 0 :
TypeSize == 16 ? 1 : TypeSize == 16 ? 1 :
TypeSize == 32 ? 2 : TypeSize == 32 ? 2 :
TypeSize == 64 ? 3 : -1; TypeSize == 64 ? 3 : -1;
if (CallbackIdx < 0) continue; if (CallbackIdx < 0) continue;
// __sanitizer_cov_trace_cmp((type_size << 32) | predicate, A0, A1); // __sanitizer_cov_trace_cmp((type_size << 32) | predicate, A0, A1);
auto CallbackFunc = SanCovTraceCmpFunction[CallbackIdx];
bool FirstIsConst = isa<ConstantInt>(A0);
bool SecondIsConst = isa<ConstantInt>(A1);
// if both are const we don't need such a comparison
gliderUnsubmitted
Done
ReplyInline Actions

Pay attention to the comment style: single-line comments start with a capital letter and end with a period.

glider: Pay attention to the comment style: single-line comments start with a capital letter and end…
if (FirstIsConst && SecondIsConst) continue;
// if only one is const then make it the first callback argument
gliderUnsubmitted
Done
ReplyInline Actions

Ditto.

glider: Ditto.
if (FirstIsConst || SecondIsConst) {
CallbackFunc = SanCovTraceConstCmpFunction[CallbackIdx];
gliderUnsubmitted
Done
ReplyInline Actions

Nested code should be indented with two spaces.

glider: Nested code should be indented with two spaces.
if (SecondIsConst) {
gliderUnsubmitted
Done
ReplyInline Actions

You don't need braces for one-line if body.

glider: You don't need braces for one-line if body.
std::swap(A0, A1);
}
}
auto Ty = Type::getIntNTy(*C, TypeSize); auto Ty = Type::getIntNTy(*C, TypeSize);
IRB.CreateCall( IRB.CreateCall(CallbackFunc, {IRB.CreateIntCast(A0, Ty, true),
SanCovTraceCmpFunction[CallbackIdx], IRB.CreateIntCast(A1, Ty, true)});
{IRB.CreateIntCast(A0, Ty, true), IRB.CreateIntCast(A1, Ty, true)});
} }
} }
} }
void SanitizerCoverageModule::InjectCoverageAtBlock(Function &F, BasicBlock &BB, void SanitizerCoverageModule::InjectCoverageAtBlock(Function &F, BasicBlock &BB,
size_t Idx) { size_t Idx) {
BasicBlock::iterator IP = BB.getFirstInsertionPt(); BasicBlock::iterator IP = BB.getFirstInsertionPt();
bool IsEntryBB = &BB == &F.getEntryBlock(); bool IsEntryBB = &BB == &F.getEntryBlock();
▲ Show 20 LinesShow All 77 LinesShow Last 20 Lines

test/Instrumentation/SanitizerCoverage/const-cmp-tracing.ll

; Test -sanitizer-coverage-trace-compares=1
; RUN: opt < %s -sancov -sanitizer-coverage-level=1 -sanitizer-coverage-trace-compares=1 -S | FileCheck %s
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64"
target triple = "x86_64-unknown-linux-gnu"
define i32 @foo(i32 %a, i32 %b) #0 {
entry:
; compare (non-const, non-const)
%cmp = icmp slt i32 %a, %b
; CHECK: call void @__sanitizer_cov_trace_cmp4
; CHECK-NEXT: icmp slt i32 %a, %b
; compare (const, non-const)
icmp slt i32 %a, 1
; CHECK: call void @__sanitizer_cov_trace_const_cmp4(i32 1, i32 %a)
; CHECK-NEXT: icmp slt i32 %a, 1
; compare (non-const, const)
icmp slt i32 1, %a
; CHECK: call void @__sanitizer_cov_trace_const_cmp4(i32 1, i32 %a)
kccUnsubmitted
Done
ReplyInline Actions

Adding CHECK-NEXT is a good idea, do it here and below

kcc: Adding CHECK-NEXT is a good idea, do it here and below
; compare (const, const) - should not be instrumented
icmp slt i32 1, 0
; CHECK-NOT: call void @__sanitizer_cov_trace
kccUnsubmitted
Done
ReplyInline Actions

Add
CHECK: icmp slt i32 1, 0

kcc: Add CHECK: icmp slt i32 1, 0
; compare variables of byte size
%x = trunc i32 %a to i8
icmp slt i8 %x, 1
; CHECK: call void @__sanitizer_cov_trace_const_cmp1(i8 1, i8 %x)
gliderUnsubmitted
Done
ReplyInline Actions

Please add tests for swapped arguments, e.g. "icmp slt 1, i8 %x"

glider: Please add tests for swapped arguments, e.g. "icmp slt 1, i8 %x"
; compare variables of word size
%y = trunc i32 %a to i16
icmp slt i16 %y, 1
; CHECK: call void @__sanitizer_cov_trace_const_cmp2(i16 1, i16 %y)
; compare variables of qword size
%z = zext i32 %a to i64
icmp slt i64 %z, 1
; CHECK: call void @__sanitizer_cov_trace_const_cmp8(i64 1, i64 %z)
%conv = zext i1 %cmp to i32
ret i32 %conv
}