This is an archive of the discontinued LLVM Phabricator instance.

Differential D37156

[SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
ClosedPublic

Authored by morehouse on Aug 25 2017, 11:31 AM.

Details

Reviewers
vitalybuka
kcc
george.karpenkov
Commits
rG034126e5070a: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
rG2ad8d948b26a: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
rGf42bd3132325: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
rCRT312185: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
rCRT312026: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
rCRT311801: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
rC312185: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
rC312026: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
rC311801: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
rL312185: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
rL312026: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
rL311801: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
Summary
  • Don't sanitize __sancov_lowest_stack.
  • Don't instrument leaf functions.
  • Add CoverageStackDepth to Fuzzer and FuzzerNoLink.
  • Only enable on Linux.

Diff Detail

Event Timeline

morehouse created this revision.Aug 25 2017, 11:31 AM
Herald added a subscriber: hiraditya. · View Herald TranscriptAug 25 2017, 11:31 AM
Harbormaster completed remote builds in B9639: Diff 112720.Aug 25 2017, 11:31 AM
kcc edited edge metadata.Aug 25 2017, 11:49 AM

Did you check this on something other than the unit tests?
E.g. a couple of benchmarks from fuzzer-test-suite?

llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
177

we already have a linear scan in SanitizerCoverageModule::runOnFunction -- don't introduce a second one.
Also, there is InvokeInst in addition to CallInst, see the loop in runOnFunction.

You can simply extend the loop in runOnFunction to set a flag if the function has non-intrin calls/ invokes

morehouse added a comment.Aug 25 2017, 1:43 PM
In D37156#852780, @kcc wrote:

Did you check this on something other than the unit tests?
E.g. a couple of benchmarks from fuzzer-test-suite?

Just tested on the proj4 and lcms benchmarks and no issues came up.

morehouse updated this revision to Diff 112739.Aug 25 2017, 1:43 PM
  • Use existing linear scan, and check for InvokeInst.
morehouse marked an inline comment as done.Aug 25 2017, 1:44 PM
kcc accepted this revision.Aug 25 2017, 2:07 PM

LGTM

This revision is now accepted and ready to land.Aug 25 2017, 2:07 PM
Closed by commit rL311801: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer (authored by morehouse). · Explain WhyAug 25 2017, 2:19 PM
This revision was automatically updated to reflect the committed changes.
morehouse reopened this revision.Aug 25 2017, 3:47 PM

Turns out I should have been testing the benchmarks with FUZZING_ENGINE=fsanitize_fuzzer. My mistake.

After adding the weak reference to SanitizerCoverage.cpp, both lcms and proj4 build with fsanitize_fuzzer.

This revision is now accepted and ready to land.Aug 25 2017, 3:47 PM
morehouse updated this revision to Diff 112756.Aug 25 2017, 3:49 PM
  • Add weak reference in SanitizerCoverage.cpp
Harbormaster completed remote builds in B9652: Diff 112756.Aug 25 2017, 3:49 PM
morehouse updated this revision to Diff 112759.Aug 25 2017, 3:56 PM

Full diff.

morehouse updated this revision to Diff 112923.Aug 28 2017, 11:18 AM
  • Add weak definition of __sancov_lowest_stack to runtime.
Harbormaster completed remote builds in B9698: Diff 112923.Aug 28 2017, 11:18 AM
Herald added a subscriber: kubamracek. · View Herald TranscriptAug 28 2017, 11:18 AM
kcc added a reviewer: george.karpenkov.Aug 28 2017, 11:31 AM

+George, in case he knows about attribute((tls_model("initial-exec"))) on Mac

compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
219

I wonder if this going to work on Mac.

george.karpenkov edited edge metadata.Aug 28 2017, 11:33 AM

I don't, but I can check whether tests pass.

george.karpenkov added a comment.Aug 28 2017, 1:12 PM

@kcc I've disabled the relevant test on Mac in r311916, please revert my change once this CR goes through.

morehouse updated this revision to Diff 113129.Aug 29 2017, 11:36 AM
  • Disable stack depth tracking on Mac.
Harbormaster completed remote builds in B9744: Diff 113129.Aug 29 2017, 11:37 AM
morehouse edited the summary of this revision. (Show Details)Aug 29 2017, 11:39 AM
kcc added inline comments.Aug 29 2017, 11:41 AM
clang/lib/Driver/SanitizerArgs.cpp
297

please use if(SomeCondition) instead of #if

In general: 99% of cases where you may want to use #if -- you shouldn't

compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
20

no standard hearder in this files. Just use the 'uptr' type.

morehouse updated this revision to Diff 113133.Aug 29 2017, 12:17 PM
  • Eliminate "#if".
  • Replace uintptr_t with uptr.
Harbormaster completed remote builds in B9745: Diff 113133.Aug 29 2017, 12:17 PM
morehouse marked 2 inline comments as done.Aug 29 2017, 12:17 PM
kcc accepted this revision.Aug 29 2017, 12:47 PM

LGTM

Closed by commit rL312026: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer (authored by morehouse). · Explain WhyAug 29 2017, 12:49 PM
This revision was automatically updated to reflect the committed changes.
morehouse reopened this revision.Aug 29 2017, 5:26 PM
This revision is now accepted and ready to land.Aug 29 2017, 5:26 PM
morehouse updated this revision to Diff 113177.Aug 29 2017, 5:26 PM
  • Only enable stack depth tracking on Linux.
  • Ignore __sancov_lowest_stack in interface symbols tests.
Harbormaster completed remote builds in B9757: Diff 113177.Aug 29 2017, 5:27 PM
morehouse edited the summary of this revision. (Show Details)Aug 29 2017, 5:32 PM
Closed by commit rL312185: [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer (authored by morehouse). · Explain WhyAug 30 2017, 3:50 PM
This revision was automatically updated to reflect the committed changes.
hctim mentioned this in D146351: sanitizer_common: Use plain thread_local for __sancov_lowest_stack definition..Mar 20 2023, 10:28 AM

Revision Contents

PathSize
clang/
lib/
Driver/
7 lines
compiler-rt/
lib/
sanitizer_common/
6 lines
8 lines
test/
fuzzer/
2 lines
llvm/
lib/
Transforms/
Instrumentation/
30 lines
test/
Instrumentation/
SanitizerCoverage/
21 lines

Diff 113129

clang/lib/Driver/SanitizerArgs.cpp

Show First 20 LinesShow All 285 Lines▼ Show 20 Lines if (Arg->getOption().matches(options::OPT_fsanitize_EQ)) {
// group expansion. // group expansion.
Add &= ~InvalidTrappingKinds; Add &= ~InvalidTrappingKinds;
Add &= Supported; Add &= Supported;
if (Add & Fuzzer) if (Add & Fuzzer)
Add |= FuzzerNoLink; Add |= FuzzerNoLink;
// Enable coverage if the fuzzing flag is set. // Enable coverage if the fuzzing flag is set.
if (Add & FuzzerNoLink) if (Add & FuzzerNoLink) {
CoverageFeatures |= CoverageTracePCGuard | CoverageIndirCall | CoverageFeatures |= CoverageTracePCGuard | CoverageIndirCall |
CoverageTraceCmp | CoveragePCTable; CoverageTraceCmp | CoveragePCTable;
#if !defined(__APPLE__)
kccUnsubmitted
Done
ReplyInline Actions

please use if(SomeCondition) instead of #if

In general: 99% of cases where you may want to use #if -- you shouldn't

kcc: please use if(SomeCondition) instead of #if In general: 99% of cases where you may want to use…
// Due to TLS differences, stack depth tracking is disabled on Mac.
CoverageFeatures |= CoverageStackDepth;
#endif
}
Kinds |= Add; Kinds |= Add;
} else if (Arg->getOption().matches(options::OPT_fno_sanitize_EQ)) { } else if (Arg->getOption().matches(options::OPT_fno_sanitize_EQ)) {
Arg->claim(); Arg->claim();
SanitizerMask Remove = parseArgValues(D, Arg, true); SanitizerMask Remove = parseArgValues(D, Arg, true);
AllRemove |= expandSanitizerGroups(Remove); AllRemove |= expandSanitizerGroups(Remove);
} }
} }
▲ Show 20 LinesShow All 587 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc

Show All 11 Lines
#if !SANITIZER_FUCHSIA #if !SANITIZER_FUCHSIA
#include "sancov_flags.h" #include "sancov_flags.h"
#include "sanitizer_allocator_internal.h" #include "sanitizer_allocator_internal.h"
#include "sanitizer_atomic.h" #include "sanitizer_atomic.h"
#include "sanitizer_common.h" #include "sanitizer_common.h"
#include "sanitizer_file.h" #include "sanitizer_file.h"
#include "sanitizer_symbolizer.h" #include "sanitizer_symbolizer.h"
#include <cstdint>
kccUnsubmitted
Done
ReplyInline Actions

no standard hearder in this files. Just use the 'uptr' type.

kcc: no standard hearder in this files. Just use the 'uptr' type.
using namespace __sanitizer; using namespace __sanitizer;
using AddressRange = LoadedModule::AddressRange; using AddressRange = LoadedModule::AddressRange;
namespace __sancov { namespace __sancov {
namespace { namespace {
▲ Show 20 LinesShow All 178 Lines▼ Show 20 Lines
SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_switch, void) {} SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_switch, void) {}
SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_div4, void) {} SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_div4, void) {}
SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_div8, void) {} SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_div8, void) {}
SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_gep, void) {} SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_gep, void) {}
SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_pc_indir, void) {} SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_pc_indir, void) {}
SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_8bit_counters_init, void) {} SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_8bit_counters_init, void) {}
SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_pcs_init, void) {} SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_pcs_init, void) {}
} // extern "C" } // extern "C"
// Weak definition for code instrumented with -fsanitize-coverage=stack-depth
// and later linked with code containing a strong definition.
// E.g., -fsanitize=fuzzer-no-link
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE
SANITIZER_TLS_INITIAL_EXEC_ATTRIBUTE uintptr_t __sancov_lowest_stack;
kccUnsubmitted
Not Done
ReplyInline Actions

I wonder if this going to work on Mac.

kcc: I wonder if this going to work on Mac.
#endif // !SANITIZER_FUCHSIA #endif // !SANITIZER_FUCHSIA

compiler-rt/lib/sanitizer_common/sanitizer_internal_defs.h

Show All 29 Lines
#elif SANITIZER_GO #elif SANITIZER_GO
# define SANITIZER_INTERFACE_ATTRIBUTE # define SANITIZER_INTERFACE_ATTRIBUTE
# define SANITIZER_WEAK_ATTRIBUTE # define SANITIZER_WEAK_ATTRIBUTE
#else #else
# define SANITIZER_INTERFACE_ATTRIBUTE __attribute__((visibility("default"))) # define SANITIZER_INTERFACE_ATTRIBUTE __attribute__((visibility("default")))
# define SANITIZER_WEAK_ATTRIBUTE __attribute__((weak)) # define SANITIZER_WEAK_ATTRIBUTE __attribute__((weak))
#endif #endif
// Mac handles TLS differently
#if SANITIZER_MAC
# define SANITIZER_TLS_INITIAL_EXEC_ATTRIBUTE
#else
# define SANITIZER_TLS_INITIAL_EXEC_ATTRIBUTE \
__attribute((tls_model("initial-exec"))) thread_local
#endif
//--------------------------- WEAK FUNCTIONS ---------------------------------// //--------------------------- WEAK FUNCTIONS ---------------------------------//
// When working with weak functions, to simplify the code and make it more // When working with weak functions, to simplify the code and make it more
// portable, when possible define a default implementation using this macro: // portable, when possible define a default implementation using this macro:
// //
// SANITIZER_INTERFACE_WEAK_DEF(<return_type>, <name>, <parameter list>) // SANITIZER_INTERFACE_WEAK_DEF(<return_type>, <name>, <parameter list>)
// //
// For example: // For example:
// SANITIZER_INTERFACE_WEAK_DEF(bool, compare, int a, int b) { return a > b; } // SANITIZER_INTERFACE_WEAK_DEF(bool, compare, int a, int b) { return a > b; }
▲ Show 20 LinesShow All 349 LinesShow Last 20 Lines

compiler-rt/test/fuzzer/deep-recursion.test

# Test that we can find a stack overflow # Test that we can find a stack overflow
REQUIRES: linux REQUIRES: linux
RUN: %cpp_compiler -fsanitize-coverage=stack-depth %S/DeepRecursionTest.cpp -o %t RUN: %cpp_compiler %S/DeepRecursionTest.cpp -o %t
RUN: not %t -seed=1 -runs=100000000 2>&1 | FileCheck %s RUN: not %t -seed=1 -runs=100000000 2>&1 | FileCheck %s
CHECK: ERROR: libFuzzer: deadly signal CHECK: ERROR: libFuzzer: deadly signal

llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp

Show All 19 Lines
#include "llvm/IR/Constant.h" #include "llvm/IR/Constant.h"
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
#include "llvm/IR/DebugInfo.h" #include "llvm/IR/DebugInfo.h"
#include "llvm/IR/Dominators.h" #include "llvm/IR/Dominators.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/GlobalVariable.h" #include "llvm/IR/GlobalVariable.h"
#include "llvm/IR/IRBuilder.h" #include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h" #include "llvm/IR/InlineAsm.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/Intrinsics.h" #include "llvm/IR/Intrinsics.h"
#include "llvm/IR/LLVMContext.h" #include "llvm/IR/LLVMContext.h"
#include "llvm/IR/MDBuilder.h" #include "llvm/IR/MDBuilder.h"
#include "llvm/IR/Module.h" #include "llvm/IR/Module.h"
#include "llvm/IR/Type.h" #include "llvm/IR/Type.h"
#include "llvm/Support/CommandLine.h" #include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h" #include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
▲ Show 20 LinesShow All 132 Lines▼ Show 20 LinesSanitizerCoverageOptions OverrideFromCL(SanitizerCoverageOptions Options) {
Options.NoPrune |= !ClPruneBlocks; Options.NoPrune |= !ClPruneBlocks;
Options.StackDepth |= ClStackDepth; Options.StackDepth |= ClStackDepth;
if (!Options.TracePCGuard && !Options.TracePC && if (!Options.TracePCGuard && !Options.TracePC &&
!Options.Inline8bitCounters && !Options.StackDepth) !Options.Inline8bitCounters && !Options.StackDepth)
Options.TracePCGuard = true; // TracePCGuard is default. Options.TracePCGuard = true; // TracePCGuard is default.
return Options; return Options;
} }
class SanitizerCoverageModule : public ModulePass { class SanitizerCoverageModule : public ModulePass {
kccUnsubmitted
Done
ReplyInline Actions

we already have a linear scan in SanitizerCoverageModule::runOnFunction -- don't introduce a second one.
Also, there is InvokeInst in addition to CallInst, see the loop in runOnFunction.

You can simply extend the loop in runOnFunction to set a flag if the function has non-intrin calls/ invokes

kcc: we already have a linear scan in SanitizerCoverageModule::runOnFunction -- don't introduce a…
public: public:
SanitizerCoverageModule( SanitizerCoverageModule(
const SanitizerCoverageOptions &Options = SanitizerCoverageOptions()) const SanitizerCoverageOptions &Options = SanitizerCoverageOptions())
: ModulePass(ID), Options(OverrideFromCL(Options)) { : ModulePass(ID), Options(OverrideFromCL(Options)) {
initializeSanitizerCoverageModulePass(*PassRegistry::getPassRegistry()); initializeSanitizerCoverageModulePass(*PassRegistry::getPassRegistry());
} }
bool runOnModule(Module &M) override; bool runOnModule(Module &M) override;
bool runOnFunction(Function &F); bool runOnFunction(Function &F);
Show All 10 Lines void InjectCoverageForIndirectCalls(Function &F,
ArrayRef<Instruction *> IndirCalls); ArrayRef<Instruction *> IndirCalls);
void InjectTraceForCmp(Function &F, ArrayRef<Instruction *> CmpTraceTargets); void InjectTraceForCmp(Function &F, ArrayRef<Instruction *> CmpTraceTargets);
void InjectTraceForDiv(Function &F, void InjectTraceForDiv(Function &F,
ArrayRef<BinaryOperator *> DivTraceTargets); ArrayRef<BinaryOperator *> DivTraceTargets);
void InjectTraceForGep(Function &F, void InjectTraceForGep(Function &F,
ArrayRef<GetElementPtrInst *> GepTraceTargets); ArrayRef<GetElementPtrInst *> GepTraceTargets);
void InjectTraceForSwitch(Function &F, void InjectTraceForSwitch(Function &F,
ArrayRef<Instruction *> SwitchTraceTargets); ArrayRef<Instruction *> SwitchTraceTargets);
bool InjectCoverage(Function &F, ArrayRef<BasicBlock *> AllBlocks); bool InjectCoverage(Function &F, ArrayRef<BasicBlock *> AllBlocks,
bool IsLeafFunc = true);
GlobalVariable *CreateFunctionLocalArrayInSection(size_t NumElements, GlobalVariable *CreateFunctionLocalArrayInSection(size_t NumElements,
Function &F, Type *Ty, Function &F, Type *Ty,
const char *Section); const char *Section);
GlobalVariable *CreatePCArray(Function &F, ArrayRef<BasicBlock *> AllBlocks); GlobalVariable *CreatePCArray(Function &F, ArrayRef<BasicBlock *> AllBlocks);
void CreateFunctionLocalArrays(Function &F, ArrayRef<BasicBlock *> AllBlocks); void CreateFunctionLocalArrays(Function &F, ArrayRef<BasicBlock *> AllBlocks);
void InjectCoverageAtBlock(Function &F, BasicBlock &BB, size_t Idx); void InjectCoverageAtBlock(Function &F, BasicBlock &BB, size_t Idx,
bool IsLeafFunc = true);
Function *CreateInitCallsForSections(Module &M, const char *InitFunctionName, Function *CreateInitCallsForSections(Module &M, const char *InitFunctionName,
Type *Ty, const char *Section); Type *Ty, const char *Section);
std::pair<GlobalVariable *, GlobalVariable *> std::pair<GlobalVariable *, GlobalVariable *>
CreateSecStartEnd(Module &M, const char *Section, Type *Ty); CreateSecStartEnd(Module &M, const char *Section, Type *Ty);
void SetNoSanitizeMetadata(Instruction *I) { void SetNoSanitizeMetadata(Instruction *I) {
I->setMetadata(I->getModule()->getMDKindID("nosanitize"), I->setMetadata(I->getModule()->getMDKindID("nosanitize"),
MDNode::get(*C, None)); MDNode::get(*C, None));
▲ Show 20 LinesShow All 268 Lines▼ Show 20 Linesbool SanitizerCoverageModule::runOnFunction(Function &F) {
SmallVector<Instruction *, 8> SwitchTraceTargets; SmallVector<Instruction *, 8> SwitchTraceTargets;
SmallVector<BinaryOperator *, 8> DivTraceTargets; SmallVector<BinaryOperator *, 8> DivTraceTargets;
SmallVector<GetElementPtrInst *, 8> GepTraceTargets; SmallVector<GetElementPtrInst *, 8> GepTraceTargets;
const DominatorTree *DT = const DominatorTree *DT =
&getAnalysis<DominatorTreeWrapperPass>(F).getDomTree(); &getAnalysis<DominatorTreeWrapperPass>(F).getDomTree();
const PostDominatorTree *PDT = const PostDominatorTree *PDT =
&getAnalysis<PostDominatorTreeWrapperPass>(F).getPostDomTree(); &getAnalysis<PostDominatorTreeWrapperPass>(F).getPostDomTree();
bool IsLeafFunc = true;
for (auto &BB : F) { for (auto &BB : F) {
if (shouldInstrumentBlock(F, &BB, DT, PDT, Options)) if (shouldInstrumentBlock(F, &BB, DT, PDT, Options))
BlocksToInstrument.push_back(&BB); BlocksToInstrument.push_back(&BB);
for (auto &Inst : BB) { for (auto &Inst : BB) {
if (Options.IndirectCalls) { if (Options.IndirectCalls) {
CallSite CS(&Inst); CallSite CS(&Inst);
if (CS && !CS.getCalledFunction()) if (CS && !CS.getCalledFunction())
IndirCalls.push_back(&Inst); IndirCalls.push_back(&Inst);
} }
if (Options.TraceCmp) { if (Options.TraceCmp) {
if (isa<ICmpInst>(&Inst)) if (isa<ICmpInst>(&Inst))
CmpTraceTargets.push_back(&Inst); CmpTraceTargets.push_back(&Inst);
if (isa<SwitchInst>(&Inst)) if (isa<SwitchInst>(&Inst))
SwitchTraceTargets.push_back(&Inst); SwitchTraceTargets.push_back(&Inst);
} }
if (Options.TraceDiv) if (Options.TraceDiv)
if (BinaryOperator *BO = dyn_cast<BinaryOperator>(&Inst)) if (BinaryOperator *BO = dyn_cast<BinaryOperator>(&Inst))
if (BO->getOpcode() == Instruction::SDiv || if (BO->getOpcode() == Instruction::SDiv ||
BO->getOpcode() == Instruction::UDiv) BO->getOpcode() == Instruction::UDiv)
DivTraceTargets.push_back(BO); DivTraceTargets.push_back(BO);
if (Options.TraceGep) if (Options.TraceGep)
if (GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(&Inst)) if (GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(&Inst))
GepTraceTargets.push_back(GEP); GepTraceTargets.push_back(GEP);
if (Options.StackDepth)
if (isa<InvokeInst>(Inst) ||
(isa<CallInst>(Inst) && !isa<IntrinsicInst>(Inst)))
IsLeafFunc = false;
} }
} }
InjectCoverage(F, BlocksToInstrument); InjectCoverage(F, BlocksToInstrument, IsLeafFunc);
InjectCoverageForIndirectCalls(F, IndirCalls); InjectCoverageForIndirectCalls(F, IndirCalls);
InjectTraceForCmp(F, CmpTraceTargets); InjectTraceForCmp(F, CmpTraceTargets);
InjectTraceForSwitch(F, SwitchTraceTargets); InjectTraceForSwitch(F, SwitchTraceTargets);
InjectTraceForDiv(F, DivTraceTargets); InjectTraceForDiv(F, DivTraceTargets);
InjectTraceForGep(F, GepTraceTargets); InjectTraceForGep(F, GepTraceTargets);
return true; return true;
} }
▲ Show 20 LinesShow All 58 Lines▼ Show 20 Linesvoid SanitizerCoverageModule::CreateFunctionLocalArrays(
} }
// We don't reference these arrays directly in any of our runtime functions, // We don't reference these arrays directly in any of our runtime functions,
// so we need to prevent them from being dead stripped. // so we need to prevent them from being dead stripped.
appendToUsed(*F.getParent(), LocalArrays); appendToUsed(*F.getParent(), LocalArrays);
} }
bool SanitizerCoverageModule::InjectCoverage(Function &F, bool SanitizerCoverageModule::InjectCoverage(Function &F,
ArrayRef<BasicBlock *> AllBlocks) { ArrayRef<BasicBlock *> AllBlocks,
bool IsLeafFunc) {
if (AllBlocks.empty()) return false; if (AllBlocks.empty()) return false;
CreateFunctionLocalArrays(F, AllBlocks); CreateFunctionLocalArrays(F, AllBlocks);
for (size_t i = 0, N = AllBlocks.size(); i < N; i++) for (size_t i = 0, N = AllBlocks.size(); i < N; i++)
InjectCoverageAtBlock(F, *AllBlocks[i], i); InjectCoverageAtBlock(F, *AllBlocks[i], i, IsLeafFunc);
return true; return true;
} }
// On every indirect call we call a run-time function // On every indirect call we call a run-time function
// __sanitizer_cov_indir_call* with two parameters: // __sanitizer_cov_indir_call* with two parameters:
// - callee address, // - callee address,
// - global cache array that contains CacheSize pointers (zero-initialized). // - global cache array that contains CacheSize pointers (zero-initialized).
// The cache is used to speed up recording the caller-callee pairs. // The cache is used to speed up recording the caller-callee pairs.
▲ Show 20 LinesShow All 117 Lines▼ Show 20 Lines if (ICmpInst *ICMP = dyn_cast<ICmpInst>(I)) {
auto Ty = Type::getIntNTy(*C, TypeSize); auto Ty = Type::getIntNTy(*C, TypeSize);
IRB.CreateCall(CallbackFunc, {IRB.CreateIntCast(A0, Ty, true), IRB.CreateCall(CallbackFunc, {IRB.CreateIntCast(A0, Ty, true),
IRB.CreateIntCast(A1, Ty, true)}); IRB.CreateIntCast(A1, Ty, true)});
} }
} }
} }
void SanitizerCoverageModule::InjectCoverageAtBlock(Function &F, BasicBlock &BB, void SanitizerCoverageModule::InjectCoverageAtBlock(Function &F, BasicBlock &BB,
size_t Idx) { size_t Idx,
bool IsLeafFunc) {
BasicBlock::iterator IP = BB.getFirstInsertionPt(); BasicBlock::iterator IP = BB.getFirstInsertionPt();
bool IsEntryBB = &BB == &F.getEntryBlock(); bool IsEntryBB = &BB == &F.getEntryBlock();
DebugLoc EntryLoc; DebugLoc EntryLoc;
if (IsEntryBB) { if (IsEntryBB) {
if (auto SP = F.getSubprogram()) if (auto SP = F.getSubprogram())
EntryLoc = DebugLoc::get(SP->getScopeLine(), 0, SP); EntryLoc = DebugLoc::get(SP->getScopeLine(), 0, SP);
// Keep static allocas and llvm.localescape calls in the entry block. Even // Keep static allocas and llvm.localescape calls in the entry block. Even
// if we aren't splitting the block, it's nice for allocas to be before // if we aren't splitting the block, it's nice for allocas to be before
Show All 22 Lines auto CounterPtr = IRB.CreateGEP(
Function8bitCounterArray, Function8bitCounterArray,
{ConstantInt::get(IntptrTy, 0), ConstantInt::get(IntptrTy, Idx)}); {ConstantInt::get(IntptrTy, 0), ConstantInt::get(IntptrTy, Idx)});
auto Load = IRB.CreateLoad(CounterPtr); auto Load = IRB.CreateLoad(CounterPtr);
auto Inc = IRB.CreateAdd(Load, ConstantInt::get(Int8Ty, 1)); auto Inc = IRB.CreateAdd(Load, ConstantInt::get(Int8Ty, 1));
auto Store = IRB.CreateStore(Inc, CounterPtr); auto Store = IRB.CreateStore(Inc, CounterPtr);
SetNoSanitizeMetadata(Load); SetNoSanitizeMetadata(Load);
SetNoSanitizeMetadata(Store); SetNoSanitizeMetadata(Store);
} }
if (Options.StackDepth && IsEntryBB) { if (Options.StackDepth && IsEntryBB && !IsLeafFunc) {
// Check stack depth. If it's the deepest so far, record it. // Check stack depth. If it's the deepest so far, record it.
Function *GetFrameAddr = Function *GetFrameAddr =
Intrinsic::getDeclaration(F.getParent(), Intrinsic::frameaddress); Intrinsic::getDeclaration(F.getParent(), Intrinsic::frameaddress);
auto FrameAddrPtr = auto FrameAddrPtr =
IRB.CreateCall(GetFrameAddr, {Constant::getNullValue(Int32Ty)}); IRB.CreateCall(GetFrameAddr, {Constant::getNullValue(Int32Ty)});
auto FrameAddrInt = IRB.CreatePtrToInt(FrameAddrPtr, IntptrTy); auto FrameAddrInt = IRB.CreatePtrToInt(FrameAddrPtr, IntptrTy);
auto LowestStack = IRB.CreateLoad(SanCovLowestStack); auto LowestStack = IRB.CreateLoad(SanCovLowestStack);
auto IsStackLower = IRB.CreateICmpULT(FrameAddrInt, LowestStack); auto IsStackLower = IRB.CreateICmpULT(FrameAddrInt, LowestStack);
auto ThenTerm = SplitBlockAndInsertIfThen(IsStackLower, &*IP, false); auto ThenTerm = SplitBlockAndInsertIfThen(IsStackLower, &*IP, false);
IRBuilder<> ThenIRB(ThenTerm); IRBuilder<> ThenIRB(ThenTerm);
ThenIRB.CreateStore(FrameAddrInt, SanCovLowestStack); auto Store = ThenIRB.CreateStore(FrameAddrInt, SanCovLowestStack);
SetNoSanitizeMetadata(LowestStack);
SetNoSanitizeMetadata(Store);
} }
} }
std::string std::string
SanitizerCoverageModule::getSectionName(const std::string &Section) const { SanitizerCoverageModule::getSectionName(const std::string &Section) const {
if (TargetTriple.getObjectFormat() == Triple::COFF) if (TargetTriple.getObjectFormat() == Triple::COFF)
return ".SCOV$M"; return ".SCOV$M";
if (TargetTriple.isOSBinFormatMachO()) if (TargetTriple.isOSBinFormatMachO())
Show All 34 Lines

llvm/test/Instrumentation/SanitizerCoverage/stack-depth.ll

; This check verifies that stack depth instrumentation works correctly. ; This check verifies that stack depth instrumentation works correctly.
; RUN: opt < %s -sancov -sanitizer-coverage-level=1 \ ; RUN: opt < %s -sancov -sanitizer-coverage-level=1 \
; RUN: -sanitizer-coverage-stack-depth -S | FileCheck %s --enable-var-scope ; RUN: -sanitizer-coverage-stack-depth -S | FileCheck %s
; RUN: opt < %s -sancov -sanitizer-coverage-level=3 \ ; RUN: opt < %s -sancov -sanitizer-coverage-level=3 \
; RUN: -sanitizer-coverage-stack-depth -sanitizer-coverage-trace-pc-guard \ ; RUN: -sanitizer-coverage-stack-depth -sanitizer-coverage-trace-pc-guard \
; RUN: -S | FileCheck %s --enable-var-scope ; RUN: -S | FileCheck %s
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128" target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu" target triple = "x86_64-unknown-linux-gnu"
; CHECK: @__sancov_lowest_stack = thread_local(initialexec) global i64 -1 ; CHECK: @__sancov_lowest_stack = thread_local(initialexec) global i64 -1
@__sancov_lowest_stack = thread_local global i64 0, align 8 @__sancov_lowest_stack = thread_local global i64 0, align 8
define i32 @foo() { define i32 @foo() {
entry: entry:
; CHECK-LABEL: define i32 @foo ; CHECK-LABEL: define i32 @foo
; CHECK: [[framePtr:%[^ \t]+]] = call i8* @llvm.frameaddress(i32 0) ; CHECK-NOT: call i8* @llvm.frameaddress(i32 0)
; CHECK: [[frameInt:%[^ \t]+]] = ptrtoint i8* [[framePtr]] to [[$intType:i[0-9]+]] ; CHECK-NOT: @__sancov_lowest_stack
; CHECK: [[lowest:%[^ \t]+]] = load [[$intType]], [[$intType]]* @__sancov_lowest_stack
; CHECK: [[cmp:%[^ \t]+]] = icmp ult [[$intType]] [[frameInt]], [[lowest]]
; CHECK: br i1 [[cmp]], label %[[ifLabel:[^ \t]+]], label
; CHECK: <label>:[[ifLabel]]:
; CHECK: store [[$intType]] [[frameInt]], [[$intType]]* @__sancov_lowest_stack
; CHECK: ret i32 7 ; CHECK: ret i32 7
ret i32 7 ret i32 7
} }
define i32 @bar() { define i32 @bar() {
entry: entry:
; CHECK-LABEL: define i32 @bar ; CHECK-LABEL: define i32 @bar
; CHECK: [[framePtr:%[^ \t]+]] = call i8* @llvm.frameaddress(i32 0) ; CHECK: [[framePtr:%[^ \t]+]] = call i8* @llvm.frameaddress(i32 0)
; CHECK: [[frameInt:%[^ \t]+]] = ptrtoint i8* [[framePtr]] to [[$intType]] ; CHECK: [[frameInt:%[^ \t]+]] = ptrtoint i8* [[framePtr]] to [[intType:i[0-9]+]]
; CHECK: [[lowest:%[^ \t]+]] = load [[$intType]], [[$intType]]* @__sancov_lowest_stack ; CHECK: [[lowest:%[^ \t]+]] = load [[intType]], [[intType]]* @__sancov_lowest_stack
; CHECK: [[cmp:%[^ \t]+]] = icmp ult [[$intType]] [[frameInt]], [[lowest]] ; CHECK: [[cmp:%[^ \t]+]] = icmp ult [[intType]] [[frameInt]], [[lowest]]
; CHECK: br i1 [[cmp]], label %[[ifLabel:[^ \t]+]], label ; CHECK: br i1 [[cmp]], label %[[ifLabel:[^ \t]+]], label
; CHECK: <label>:[[ifLabel]]: ; CHECK: <label>:[[ifLabel]]:
; CHECK: store [[$intType]] [[frameInt]], [[$intType]]* @__sancov_lowest_stack ; CHECK: store [[intType]] [[frameInt]], [[intType]]* @__sancov_lowest_stack
; CHECK: %call = call i32 @foo() ; CHECK: %call = call i32 @foo()
; CHECK: ret i32 %call ; CHECK: ret i32 %call
%call = call i32 @foo() %call = call i32 @foo()
ret i32 %call ret i32 %call
} }
define weak_odr hidden i64* @_ZTW21__sancov_lowest_stack() { define weak_odr hidden i64* @_ZTW21__sancov_lowest_stack() {
ret i64* @__sancov_lowest_stack ret i64* @__sancov_lowest_stack
} }