This is an archive of the discontinued LLVM Phabricator instance.

Differential D47599

[UBSan] DO NOT COMMIT: precise UBSan checks experiment
AbandonedPublic

Authored by alekseyshl on May 31 2018, 11:50 AM.

Details

Reviewers
javed.absar
Summary

LLVM part of the two part patch (LLVM + clang)

clang part: https://reviews.llvm.org/D47600

An experiment: implement precise UBSan checks on 32-bit ARM.

The current UBSan's "one trap per function" approach has a few issues:

  • the report doesn't tell us the exact offending instruction since all conditional branches lead to the same trap instruction
  • trap instruction costs some code size, even though it's never executed
  • *MAYBE* the branch predictor is polluted by lots of un-taken branches

The idea is to inject a "conditional trap" instruction (does not exist
in the current instruction set) into each potential failure point to get
the precise reporting and avoid polluting the branch predictor.
To simulate it on the current instruction set, SVCxx 0xFFFFFF was chosen,
where "xx" is a predicate (overflow etc.), so the UBSan-instrumented code
changes from this:

adds    r0, r0, r1
bvc     L
udf     #65006

L: bx lr

to this:

adds    r0, r0, r1
svcvs   0x00ffffff
bx      lr

Two UBSan heavy projects were used for benchmarking, bzip2
(http://www.bzip.org/1.0.6/bzip2-1.0.6.tar.gz) and 464.h264ref from
SPEC_CPU2006v1.2 package, comparing two instrumented versions, one
with the current UBSan implementation and another with the simulated
conditional trap.

Measurements show that code size increased for both projects:

  • bzip2 - ~3%
  • h264ref - ~5%

The size increase might be attributed to more precise checks, for example,
a + b + c with overflow check:

adds    r0, r0, r1
addsvc  r0, r0, r2
bvc     trap

now looks like this:

adds    r0, r0, r1
svcvs   0x00ffffff
adds    r0, r0, r2
svcvs   0x00ffffff

Likely, other optimisations are inhibited by these new checks too.

The performance is also worse both on little and big cores:

  • bzip2 - ~108% (little core) and ~415% (big core) of base line
  • h264ref - ~117% (little core) and ~340% (big core) of base line

Using other instructions instead of SVCxx (NOPxx, for one example) shows
that there is still the performance hit, although not as dramatic difference
on big core as with SVCxx, but still in a range of 2% - 35% on various
tests and instructions.

The conclusion: using the existing ARM instructions to implement
precise UBSan checks achieves this exact goal, precise error reports,
but seem to be impractical in terms of the code size and performance.

Diff Detail

Event Timeline

alekseyshl created this revision.May 31 2018, 11:50 AM
Harbormaster completed remote builds in B18785: Diff 149333.May 31 2018, 11:50 AM
Herald added a reviewer: javed.absar. · View Herald TranscriptMay 31 2018, 11:50 AM
Herald added a reviewer: javed.absar. · View Herald Transcript
Herald added subscribers: kristof.beyls, mgorny. · View Herald Transcript
alekseyshl mentioned this in D47600: [UBSan] DO NOT COMMIT: precise UBSan checks experiment.May 31 2018, 11:55 AM
alekseyshl edited the summary of this revision. (Show Details)May 31 2018, 11:55 AM
alekseyshl removed a reviewer: javed.absar.
alekseyshl removed subscribers: mgorny, kristof.beyls.
Herald added a reviewer: javed.absar. · View Herald TranscriptMay 31 2018, 11:56 AM
alekseyshl removed a reviewer: javed.absar.May 31 2018, 11:56 AM
Herald added a reviewer: javed.absar. · View Herald TranscriptMay 31 2018, 11:56 AM
alekseyshl removed a reviewer: javed.absar.May 31 2018, 11:56 AM
Herald added a reviewer: javed.absar. · View Herald TranscriptMay 31 2018, 11:56 AM
alekseyshl added a comment.May 31 2018, 12:56 PM

No need to review it, Javed. I uploaded it for sharing and history.

javed.absar added a comment.May 31 2018, 1:32 PM
In D47599#1118079, @alekseyshl wrote:

No need to review it, Javed. I uploaded it for sharing and history.

I won't. Thanks for sharing though.

alekseyshl abandoned this revision.Jun 5 2018, 10:29 AM

Experimental.

Revision Contents

PathSize
include/
llvm/
IR/
2 lines
lib/
Target/
ARM/
1 line
102 lines
7 lines
5 lines
1 line

Diff 149333

include/llvm/IR/Intrinsics.td

Show First 20 LinesShow All 806 Lines▼ Show 20 Lines
///===-------------------------- Other Intrinsics --------------------------===// ///===-------------------------- Other Intrinsics --------------------------===//
// //
def int_flt_rounds : Intrinsic<[llvm_i32_ty]>, def int_flt_rounds : Intrinsic<[llvm_i32_ty]>,
GCCBuiltin<"__builtin_flt_rounds">; GCCBuiltin<"__builtin_flt_rounds">;
def int_trap : Intrinsic<[], [], [IntrNoReturn]>, def int_trap : Intrinsic<[], [], [IntrNoReturn]>,
GCCBuiltin<"__builtin_trap">; GCCBuiltin<"__builtin_trap">;
def int_debugtrap : Intrinsic<[]>, def int_debugtrap : Intrinsic<[]>,
GCCBuiltin<"__builtin_debugtrap">; GCCBuiltin<"__builtin_debugtrap">;
def int_condtrap : Intrinsic<[], [],
[IntrReadMem, IntrWriteMem, IntrHasSideEffects]>;
// Support for dynamic deoptimization (or de-specialization) // Support for dynamic deoptimization (or de-specialization)
def int_experimental_deoptimize : Intrinsic<[llvm_any_ty], [llvm_vararg_ty], def int_experimental_deoptimize : Intrinsic<[llvm_any_ty], [llvm_vararg_ty],
[Throws]>; [Throws]>;
// Support for speculative runtime guards // Support for speculative runtime guards
def int_experimental_guard : Intrinsic<[], [llvm_i1_ty, llvm_vararg_ty], def int_experimental_guard : Intrinsic<[], [llvm_i1_ty, llvm_vararg_ty],
[Throws]>; [Throws]>;
▲ Show 20 LinesShow All 179 LinesShow Last 20 Lines

lib/Target/ARM/ARM.h

Show All 31 Lines
class MachineBasicBlock; class MachineBasicBlock;
class MachineFunction; class MachineFunction;
class MachineInstr; class MachineInstr;
class MCInst; class MCInst;
class PassRegistry; class PassRegistry;
FunctionPass *createARMISelDag(ARMBaseTargetMachine &TM, FunctionPass *createARMISelDag(ARMBaseTargetMachine &TM,
CodeGenOpt::Level OptLevel); CodeGenOpt::Level OptLevel);
FunctionPass *createARMCondTrapPass();
FunctionPass *createA15SDOptimizerPass(); FunctionPass *createA15SDOptimizerPass();
FunctionPass *createARMLoadStoreOptimizationPass(bool PreAlloc = false); FunctionPass *createARMLoadStoreOptimizationPass(bool PreAlloc = false);
FunctionPass *createARMExpandPseudoPass(); FunctionPass *createARMExpandPseudoPass();
FunctionPass *createARMConstantIslandPass(); FunctionPass *createARMConstantIslandPass();
FunctionPass *createMLxExpansionPass(); FunctionPass *createMLxExpansionPass();
FunctionPass *createThumb2ITBlockPass(); FunctionPass *createThumb2ITBlockPass();
FunctionPass *createARMOptimizeBarriersPass(); FunctionPass *createARMOptimizeBarriersPass();
FunctionPass *createThumb2SizeReductionPass( FunctionPass *createThumb2SizeReductionPass(
Show All 21 Lines

lib/Target/ARM/ARMCondTrapPass.cpp

  • This file was added.
//===-- ARMCondTrapPass - replaces cond traps with NOPs -------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "ARM.h"
#include "ARMInstrInfo.h"
#include "ARMMachineFunctionInfo.h"
#include "ARMSubtarget.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/CodeGen/MachineFunctionPass.h"
#include "llvm/CodeGen/TargetInstrInfo.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
using namespace llvm;
#define DEBUG_TYPE "arm-cond-trap"
cl::opt<bool>
CondTrapToNop("arm-cond-trap-to-nop", cl::init(false), cl::Hidden);
cl::opt<bool>
CondTrapToMov("arm-cond-trap-to-mov", cl::init(false), cl::Hidden);
cl::opt<bool>
KeepCondTrapPred("arm-keep-cond-trap-pred", cl::init(false), cl::Hidden);
namespace {
class ARMCondTrapPass : public MachineFunctionPass {
public:
static char ID;
ARMCondTrapPass() : MachineFunctionPass(ID), TII(nullptr) {}
bool runOnMachineFunction(MachineFunction &Fn) override;
StringRef getPassName() const override { return "cond trap pass"; }
private:
bool updateCondTrapPredicates(MachineFunction &MF);
bool RunOnTrapBlock(MachineBasicBlock &TrapBB);
const ARMBaseInstrInfo *TII;
};
char ARMCondTrapPass::ID = 0;
}
bool ARMCondTrapPass::updateCondTrapPredicates(MachineFunction &MF) {
unsigned long Changed = 0;
for (auto &BB : MF) {
for (MachineBasicBlock::iterator I = BB.begin(); I != BB.end();) {
MachineInstr &MI = *I;
++I;
if (MI.getOpcode() == ARM::CONDTRAP) {
ARMCC::CondCodes pred =
KeepCondTrapPred ? TII->getPredicate(MI) : ARMCC::AL;
if (CondTrapToNop) {
BuildMI(*MI.getParent(), &MI, MI.getDebugLoc(), TII->get(ARM::HINT))
.addImm(0)
.add(predOps(pred));
} else {
BuildMI(*MI.getParent(), &MI, MI.getDebugLoc(), TII->get(ARM::MOVr),
ARM::R0)
.addReg(ARM::R0)
.add(predOps(pred))
.add(condCodeOp());
}
MI.eraseFromParent();
Changed++;
}
}
}
if (Changed)
DEBUG(dbgs() << "Updated " << Changed << " conditional traps\n");
return Changed > 0;
}
bool ARMCondTrapPass::runOnMachineFunction(MachineFunction &MF) {
if (!CondTrapToNop && !CondTrapToMov)
return false;
TII = static_cast<const ARMSubtarget &>(MF.getSubtarget()).getInstrInfo();
DEBUG(dbgs() << "********** ARM Cond Trap **********\n"
<< "********** Function: " << MF.getName() <<'\n';
MF.dump());
return updateCondTrapPredicates(MF);
}
FunctionPass *llvm::createARMCondTrapPass() {
return new ARMCondTrapPass();
}

lib/Target/ARM/ARMInstrInfo.td

Show First 20 LinesShow All 1,991 Lines▼ Show 20 Linesdef HINT : AI<(outs), (ins imm0_239:$imm), MiscFrm, NoItinerary,
"hint", "\t$imm", [(int_arm_hint imm0_239:$imm)]>, "hint", "\t$imm", [(int_arm_hint imm0_239:$imm)]>,
Requires<[IsARM, HasV6]> { Requires<[IsARM, HasV6]> {
bits<8> imm; bits<8> imm;
let Inst{27-8} = 0b00110010000011110000; let Inst{27-8} = 0b00110010000011110000;
let Inst{7-0} = imm; let Inst{7-0} = imm;
let DecoderMethod = "DecodeHINTInstruction"; let DecoderMethod = "DecodeHINTInstruction";
} }
def CONDTRAP : AI<(outs), (ins), MiscFrm, IIC_Br, "svc$p", "",
[(int_condtrap)]>, Requires<[IsARM]>, Sched<[WriteBr]> {
// SVCxx 0xFFFFFF
let Inst{27-24} = 0b1111;
let Inst{23-0} = 0b111111111111111111111111;
}
def : InstAlias<"nop$p", (HINT 0, pred:$p)>, Requires<[IsARM, HasV6K]>; def : InstAlias<"nop$p", (HINT 0, pred:$p)>, Requires<[IsARM, HasV6K]>;
def : InstAlias<"yield$p", (HINT 1, pred:$p)>, Requires<[IsARM, HasV6K]>; def : InstAlias<"yield$p", (HINT 1, pred:$p)>, Requires<[IsARM, HasV6K]>;
def : InstAlias<"wfe$p", (HINT 2, pred:$p)>, Requires<[IsARM, HasV6K]>; def : InstAlias<"wfe$p", (HINT 2, pred:$p)>, Requires<[IsARM, HasV6K]>;
def : InstAlias<"wfi$p", (HINT 3, pred:$p)>, Requires<[IsARM, HasV6K]>; def : InstAlias<"wfi$p", (HINT 3, pred:$p)>, Requires<[IsARM, HasV6K]>;
def : InstAlias<"sev$p", (HINT 4, pred:$p)>, Requires<[IsARM, HasV6K]>; def : InstAlias<"sev$p", (HINT 4, pred:$p)>, Requires<[IsARM, HasV6K]>;
def : InstAlias<"sevl$p", (HINT 5, pred:$p)>, Requires<[IsARM, HasV8]>; def : InstAlias<"sevl$p", (HINT 5, pred:$p)>, Requires<[IsARM, HasV8]>;
def : InstAlias<"esb$p", (HINT 16, pred:$p)>, Requires<[IsARM, HasRAS]>; def : InstAlias<"esb$p", (HINT 16, pred:$p)>, Requires<[IsARM, HasRAS]>;
def : InstAlias<"csdb$p", (HINT 20, pred:$p)>, Requires<[IsARM, HasV6K]>; def : InstAlias<"csdb$p", (HINT 20, pred:$p)>, Requires<[IsARM, HasV6K]>;
▲ Show 20 LinesShow All 4,128 LinesShow Last 20 Lines

lib/Target/ARM/ARMTargetMachine.cpp

Show First 20 LinesShow All 350 Lines▼ Show 20 Linespublic:
bool addInstSelector() override; bool addInstSelector() override;
bool addIRTranslator() override; bool addIRTranslator() override;
bool addLegalizeMachineIR() override; bool addLegalizeMachineIR() override;
bool addRegBankSelect() override; bool addRegBankSelect() override;
bool addGlobalInstructionSelect() override; bool addGlobalInstructionSelect() override;
void addPreRegAlloc() override; void addPreRegAlloc() override;
void addPreSched2() override; void addPreSched2() override;
void addPreEmitPass() override; void addPreEmitPass() override;
void addPreEmitPass2() override;
}; };
class ARMExecutionDomainFix : public ExecutionDomainFix { class ARMExecutionDomainFix : public ExecutionDomainFix {
public: public:
static char ID; static char ID;
ARMExecutionDomainFix() : ExecutionDomainFix(ID, ARM::DPRRegClass) {} ARMExecutionDomainFix() : ExecutionDomainFix(ID, ARM::DPRRegClass) {}
StringRef getPassName() const override { StringRef getPassName() const override {
return "ARM Execution Domain Fix"; return "ARM Execution Domain Fix";
▲ Show 20 LinesShow All 131 Lines▼ Show 20 Linesvoid ARMPassConfig::addPreEmitPass() {
})); }));
// Don't optimize barriers at -O0. // Don't optimize barriers at -O0.
if (getOptLevel() != CodeGenOpt::None) if (getOptLevel() != CodeGenOpt::None)
addPass(createARMOptimizeBarriersPass()); addPass(createARMOptimizeBarriersPass());
addPass(createARMConstantIslandPass()); addPass(createARMConstantIslandPass());
} }
void ARMPassConfig::addPreEmitPass2() {
addPass(createARMCondTrapPass());
}

lib/Target/ARM/CMakeLists.txt

Show First 20 LinesShow All 48 Lines▼ Show 20 Linesadd_llvm_target(ARMCodeGen
MLxExpansionPass.cpp MLxExpansionPass.cpp
Thumb1FrameLowering.cpp Thumb1FrameLowering.cpp
Thumb1InstrInfo.cpp Thumb1InstrInfo.cpp
ThumbRegisterInfo.cpp ThumbRegisterInfo.cpp
Thumb2ITBlockPass.cpp Thumb2ITBlockPass.cpp
Thumb2InstrInfo.cpp Thumb2InstrInfo.cpp
Thumb2SizeReduction.cpp Thumb2SizeReduction.cpp
ARMComputeBlockSize.cpp ARMComputeBlockSize.cpp
ARMCondTrapPass.cpp
) )
add_subdirectory(AsmParser) add_subdirectory(AsmParser)
add_subdirectory(Disassembler) add_subdirectory(Disassembler)
add_subdirectory(InstPrinter) add_subdirectory(InstPrinter)
add_subdirectory(MCTargetDesc) add_subdirectory(MCTargetDesc)
add_subdirectory(TargetInfo) add_subdirectory(TargetInfo)
add_subdirectory(Utils) add_subdirectory(Utils)