Index: lib/Transforms/Instrumentation/HWAddressSanitizer.cpp =================================================================== --- lib/Transforms/Instrumentation/HWAddressSanitizer.cpp +++ lib/Transforms/Instrumentation/HWAddressSanitizer.cpp @@ -95,6 +95,14 @@ cl::desc("instrument stack (allocas)"), cl::Hidden, cl::init(true)); +static cl::opt ClUARRetagToZero( + "hwasan-uar-retag-to-zero", + cl::desc("Clear alloca tags before returning from the function to allow " + "non-instrumented and instrumented function calls mix. When set " + "to false, allocas are retagged before returning from the " + "function to detect use after return."), + cl::Hidden, cl::init(true)); + static cl::opt ClGenerateTagsWithCalls( "hwasan-generate-tags-with-calls", cl::desc("generate new tags with runtime library calls"), cl::Hidden, @@ -577,6 +585,8 @@ } Value *HWAddressSanitizer::getUARTag(IRBuilder<> &IRB, Value *StackTag) { + if (ClUARRetagToZero) + return ConstantInt::get(IntptrTy, 0); if (ClGenerateTagsWithCalls) return getNextTagWithCall(IRB); return IRB.CreateXor(StackTag, ConstantInt::get(IntptrTy, 0xFFU)); Index: test/Instrumentation/HWAddressSanitizer/alloca-with-calls.ll =================================================================== --- /dev/null +++ test/Instrumentation/HWAddressSanitizer/alloca-with-calls.ll @@ -0,0 +1,22 @@ +; Test alloca instrumentation when tags are generated by HWASan function. +; +; RUN: opt < %s -hwasan -hwasan-generate-tags-with-calls -S | FileCheck %s + +target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128" +target triple = "aarch64--linux-android" + +declare void @use32(i32*) + +define void @test_alloca() sanitize_hwaddress { +; CHECK-LABEL: @test_alloca( +; CHECK: %[[T1:[^ ]*]] = call i8 @__hwasan_generate_tag() +; CHECK: %[[A:[^ ]*]] = zext i8 %[[T1]] to i64 +; CHECK: %[[B:[^ ]*]] = ptrtoint i32* %x to i64 +; CHECK: %[[C:[^ ]*]] = shl i64 %[[A]], 56 +; CHECK: or i64 %[[B]], %[[C]] + +entry: + %x = alloca i32, align 4 + call void @use32(i32* nonnull %x) + ret void +} Index: test/Instrumentation/HWAddressSanitizer/alloca.ll =================================================================== --- test/Instrumentation/HWAddressSanitizer/alloca.ll +++ test/Instrumentation/HWAddressSanitizer/alloca.ll @@ -1,8 +1,8 @@ -; Test basic address sanitizer instrumentation. +; Test alloca instrumentation. ; -; RUN: opt < %s -hwasan -S | FileCheck %s --check-prefixes=CHECK,DYNAMIC-SHADOW -; RUN: opt < %s -hwasan -hwasan-mapping-offset=0 -S | FileCheck %s --check-prefixes=CHECK,ZERO-BASED-SHADOW -; RUN: opt < %s -hwasan -hwasan-generate-tags-with-calls -S | FileCheck %s --check-prefix=WITH-CALLS +; RUN: opt < %s -hwasan -S | FileCheck %s --check-prefixes=CHECK,DYNAMIC-SHADOW,NO-UAR-TAGS +; RUN: opt < %s -hwasan -hwasan-mapping-offset=0 -S | FileCheck %s --check-prefixes=CHECK,ZERO-BASED-SHADOW,NO-UAR-TAGS +; RUN: opt < %s -hwasan -hwasan-uar-retag-to-zero=0 -S | FileCheck %s --check-prefixes=CHECK,DYNAMIC-SHADOW,UAR-TAGS target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128" target triple = "aarch64--linux-android" @@ -32,14 +32,15 @@ ; CHECK: call void @llvm.memset.p0i8.i64(i8* align 1 %[[X_SHADOW]], i8 %[[X_TAG2]], i64 1, i1 false) ; CHECK: call void @use32(i32* nonnull %[[X_HWASAN]]) -; CHECK: %[[X_TAG_UAR:[^ ]*]] = xor i64 %[[BASE_TAG]], 255 -; CHECK: %[[X_TAG_UAR2:[^ ]*]] = trunc i64 %[[X_TAG_UAR]] to i8 +; UAR-TAGS: %[[BASE_TAG_COMPL:[^ ]*]] = xor i64 %[[BASE_TAG]], 255 +; UAR-TAGS: %[[X_TAG_UAR:[^ ]*]] = trunc i64 %[[BASE_TAG_COMPL]] to i8 ; CHECK: %[[E2:[^ ]*]] = ptrtoint i32* %[[X]] to i64 ; CHECK: %[[F2:[^ ]*]] = lshr i64 %[[E2]], 4 ; DYNAMIC-SHADOW: %[[F2_DYN:[^ ]*]] = add i64 %[[F2]], %.hwasan.shadow ; DYNAMIC-SHADOW: %[[X_SHADOW2:[^ ]*]] = inttoptr i64 %[[F2_DYN]] to i8* ; ZERO-BASED-SHADOW: %[[X_SHADOW2:[^ ]*]] = inttoptr i64 %[[F2]] to i8* -; CHECK: call void @llvm.memset.p0i8.i64(i8* align 1 %[[X_SHADOW2]], i8 %[[X_TAG_UAR2]], i64 1, i1 false) +; NO-UAR-TAGS: call void @llvm.memset.p0i8.i64(i8* align 1 %[[X_SHADOW2]], i8 0, i64 1, i1 false) +; UAR-TAGS: call void @llvm.memset.p0i8.i64(i8* align 1 %[[X_SHADOW2]], i8 %[[X_TAG_UAR]], i64 1, i1 false) ; CHECK: ret void @@ -48,10 +49,3 @@ call void @use32(i32* nonnull %x) ret void } - -; WITH-CALLS-LABEL: @test_alloca( -; WITH-CALLS: %[[T1:[^ ]*]] = call i8 @__hwasan_generate_tag() -; WITH-CALLS: %[[A:[^ ]*]] = zext i8 %[[T1]] to i64 -; WITH-CALLS: %[[B:[^ ]*]] = ptrtoint i32* %x to i64 -; WITH-CALLS: %[[C:[^ ]*]] = shl i64 %[[A]], 56 -; WITH-CALLS: or i64 %[[B]], %[[C]]