This is an archive of the discontinued LLVM Phabricator instance.

Differential D51412

[MSan] store origins for variadic function parameters in __msan_va_arg_origin_tls
ClosedPublic

Authored by glider on Aug 29 2018, 4:07 AM.

Details

Reviewers
eugenis
kcc
dvyukov
Summary

Add the __msan_va_arg_origin_tls TLS array to keep the origins for variadic function parameters.
Change the instrumentation pass to store parameter origins in this array.

Diff Detail

Event Timeline

glider created this revision.Aug 29 2018, 4:07 AM
glider updated this revision to Diff 163045.Aug 29 2018, 4:13 AM

Added a TODO

eugenis added a comment.Aug 30 2018, 1:07 PM

Please add a test for accessing origin of a va_arg argument in the callee.
Please add a compiler-rt test (or extend an existing one).

eugenis mentioned this in D34451: Add KMSAN instrumentation to MSan pass.Aug 30 2018, 1:24 PM
glider updated this revision to Diff 163500.Aug 31 2018, 4:27 AM

Added a compiler-rt test, and an IR test for a variadic function

eugenis added inline comments.Aug 31 2018, 11:35 AM
projects/compiler-rt/test/msan/vararg.cc
20

why __builtin?

36

Perfect. Please also test with more arguments to use the overflow area.

glider marked an inline comment as done.Sep 3 2018, 9:57 AM
glider added inline comments.
projects/compiler-rt/test/msan/vararg.cc
36

I've started writing such a test, and noticed that when I call a function with 85 int arguments it passes wrong shadow of (at least) the first argument to the callee.
Trying to figure out what's going on.

glider added a comment.Sep 3 2018, 10:02 AM

To be precise, calling sum(84, init1, ..., init84, uninit) results in init1 having non-zero shadow in the callee.

glider updated this revision to Diff 163812.Sep 4 2018, 7:27 AM

Added the test for overflow area.
The aforementioned problem with too many arguments is handled in https://reviews.llvm.org/D51627

glider marked an inline comment as done.Sep 4 2018, 7:27 AM
eugenis added a comment.Sep 4 2018, 1:44 PM

Looks like you forgot to add the test.

glider added subscribers: eugenis, kcc.Sep 4 2018, 10:12 PM

It's right there, in vararg.cc

eugenis accepted this revision.Sep 5 2018, 12:42 PM

Right! Sorry I missed that.
LGTM.

This revision is now accepted and ready to land.Sep 5 2018, 12:42 PM
glider closed this revision.Sep 6 2018, 1:51 AM

Landed r341528.

glider updated this revision to Diff 164220.Sep 6 2018, 8:14 AM

Updated the patch before relanding.
test/msan/vararg.cc doesn't work on Mips, PPC and AArch64 (because this patch doesn't touch them), so I XFAIL these arches.
Also turned out Clang crashed on i80 vararg arguments because of incorrect origin type returned by getOriginPtrForVAArgument().
I've fixed it and added a test.

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
65 lines
projects/
compiler-rt/
lib/
msan/
6 lines
test/
msan/
60 lines
test/
Instrumentation/
MemorySanitizer/
X86/
117 lines

Diff 164220

lib/Transforms/Instrumentation/MemorySanitizer.cpp

Show First 20 LinesShow All 442 Lines▼ Show 20 Linesprivate:
/// Thread-local origin storage for function return value. /// Thread-local origin storage for function return value.
GlobalVariable *RetvalOriginTLS; GlobalVariable *RetvalOriginTLS;
/// Thread-local shadow storage for in-register va_arg function /// Thread-local shadow storage for in-register va_arg function
/// parameters (x86_64-specific). /// parameters (x86_64-specific).
GlobalVariable *VAArgTLS; GlobalVariable *VAArgTLS;
/// Thread-local shadow storage for in-register va_arg function
/// parameters (x86_64-specific).
GlobalVariable *VAArgOriginTLS;
/// Thread-local shadow storage for va_arg overflow area /// Thread-local shadow storage for va_arg overflow area
/// (x86_64-specific). /// (x86_64-specific).
GlobalVariable *VAArgOverflowSizeTLS; GlobalVariable *VAArgOverflowSizeTLS;
/// Thread-local space used to pass origin value to the UMR reporting /// Thread-local space used to pass origin value to the UMR reporting
/// function. /// function.
GlobalVariable *OriginTLS; GlobalVariable *OriginTLS;
▲ Show 20 LinesShow All 96 Lines▼ Show 20 Lines ParamOriginTLS = new GlobalVariable(
M, ArrayType::get(OriginTy, kParamTLSSize / 4), false, M, ArrayType::get(OriginTy, kParamTLSSize / 4), false,
GlobalVariable::ExternalLinkage, nullptr, "__msan_param_origin_tls", GlobalVariable::ExternalLinkage, nullptr, "__msan_param_origin_tls",
nullptr, GlobalVariable::InitialExecTLSModel); nullptr, GlobalVariable::InitialExecTLSModel);
VAArgTLS = new GlobalVariable( VAArgTLS = new GlobalVariable(
M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false, M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false,
GlobalVariable::ExternalLinkage, nullptr, "__msan_va_arg_tls", nullptr, GlobalVariable::ExternalLinkage, nullptr, "__msan_va_arg_tls", nullptr,
GlobalVariable::InitialExecTLSModel); GlobalVariable::InitialExecTLSModel);
VAArgOriginTLS = new GlobalVariable(
M, ArrayType::get(OriginTy, kParamTLSSize / 4), false,
GlobalVariable::ExternalLinkage, nullptr, "__msan_va_arg_origin_tls",
nullptr, GlobalVariable::InitialExecTLSModel);
VAArgOverflowSizeTLS = new GlobalVariable( VAArgOverflowSizeTLS = new GlobalVariable(
M, IRB.getInt64Ty(), false, GlobalVariable::ExternalLinkage, nullptr, M, IRB.getInt64Ty(), false, GlobalVariable::ExternalLinkage, nullptr,
"__msan_va_arg_overflow_size_tls", nullptr, "__msan_va_arg_overflow_size_tls", nullptr,
GlobalVariable::InitialExecTLSModel); GlobalVariable::InitialExecTLSModel);
OriginTLS = new GlobalVariable( OriginTLS = new GlobalVariable(
M, IRB.getInt32Ty(), false, GlobalVariable::ExternalLinkage, nullptr, M, IRB.getInt32Ty(), false, GlobalVariable::ExternalLinkage, nullptr,
"__msan_origin_tls", nullptr, GlobalVariable::InitialExecTLSModel); "__msan_origin_tls", nullptr, GlobalVariable::InitialExecTLSModel);
▲ Show 20 LinesShow All 2,682 Lines▼ Show 20 Linesstruct VarArgAMD64Helper : public VarArgHelper {
// If SSE is disabled, fp_offset in va_list is zero. // If SSE is disabled, fp_offset in va_list is zero.
static const unsigned AMD64FpEndOffsetNoSSE = AMD64GpEndOffset; static const unsigned AMD64FpEndOffsetNoSSE = AMD64GpEndOffset;
unsigned AMD64FpEndOffset; unsigned AMD64FpEndOffset;
Function &F; Function &F;
MemorySanitizer &MS; MemorySanitizer &MS;
MemorySanitizerVisitor &MSV; MemorySanitizerVisitor &MSV;
Value *VAArgTLSCopy = nullptr; Value *VAArgTLSCopy = nullptr;
Value *VAArgTLSOriginCopy = nullptr;
Value *VAArgOverflowSize = nullptr; Value *VAArgOverflowSize = nullptr;
SmallVector<CallInst*, 16> VAStartInstrumentationList; SmallVector<CallInst*, 16> VAStartInstrumentationList;
enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory }; enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
VarArgAMD64Helper(Function &F, MemorySanitizer &MS, VarArgAMD64Helper(Function &F, MemorySanitizer &MS,
MemorySanitizerVisitor &MSV) MemorySanitizerVisitor &MSV)
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Lines for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
// over by va_start, so don't count them towards the offset. // over by va_start, so don't count them towards the offset.
if (IsFixed) if (IsFixed)
continue; continue;
assert(A->getType()->isPointerTy()); assert(A->getType()->isPointerTy());
Type *RealTy = A->getType()->getPointerElementType(); Type *RealTy = A->getType()->getPointerElementType();
uint64_t ArgSize = DL.getTypeAllocSize(RealTy); uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
Value *ShadowBase = getShadowPtrForVAArgument( Value *ShadowBase = getShadowPtrForVAArgument(
RealTy, IRB, OverflowOffset, alignTo(ArgSize, 8)); RealTy, IRB, OverflowOffset, alignTo(ArgSize, 8));
Value *OriginBase = nullptr;
if (MS.TrackOrigins)
OriginBase = getOriginPtrForVAArgument(RealTy, IRB, OverflowOffset);
OverflowOffset += alignTo(ArgSize, 8); OverflowOffset += alignTo(ArgSize, 8);
if (!ShadowBase) if (!ShadowBase)
continue; continue;
Value *ShadowPtr, *OriginPtr; Value *ShadowPtr, *OriginPtr;
std::tie(ShadowPtr, OriginPtr) = std::tie(ShadowPtr, OriginPtr) =
MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment, MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment,
/*isStore*/ false); /*isStore*/ false);
IRB.CreateMemCpy(ShadowBase, kShadowTLSAlignment, ShadowPtr, IRB.CreateMemCpy(ShadowBase, kShadowTLSAlignment, ShadowPtr,
kShadowTLSAlignment, ArgSize); kShadowTLSAlignment, ArgSize);
if (MS.TrackOrigins)
IRB.CreateMemCpy(OriginBase, kShadowTLSAlignment, OriginPtr,
kShadowTLSAlignment, ArgSize);
} else { } else {
ArgKind AK = classifyArgument(A); ArgKind AK = classifyArgument(A);
if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset) if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset)
AK = AK_Memory; AK = AK_Memory;
if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset) if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset)
AK = AK_Memory; AK = AK_Memory;
Value *ShadowBase; Value *ShadowBase, *OriginBase = nullptr;
switch (AK) { switch (AK) {
case AK_GeneralPurpose: case AK_GeneralPurpose:
ShadowBase = ShadowBase =
getShadowPtrForVAArgument(A->getType(), IRB, GpOffset, 8); getShadowPtrForVAArgument(A->getType(), IRB, GpOffset, 8);
if (MS.TrackOrigins)
OriginBase =
getOriginPtrForVAArgument(A->getType(), IRB, GpOffset);
GpOffset += 8; GpOffset += 8;
break; break;
case AK_FloatingPoint: case AK_FloatingPoint:
ShadowBase = ShadowBase =
getShadowPtrForVAArgument(A->getType(), IRB, FpOffset, 16); getShadowPtrForVAArgument(A->getType(), IRB, FpOffset, 16);
if (MS.TrackOrigins)
OriginBase =
getOriginPtrForVAArgument(A->getType(), IRB, FpOffset);
FpOffset += 16; FpOffset += 16;
break; break;
case AK_Memory: case AK_Memory:
if (IsFixed) if (IsFixed)
continue; continue;
uint64_t ArgSize = DL.getTypeAllocSize(A->getType()); uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
ShadowBase = ShadowBase =
getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset, 8); getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset, 8);
if (MS.TrackOrigins)
OriginBase =
getOriginPtrForVAArgument(A->getType(), IRB, OverflowOffset);
OverflowOffset += alignTo(ArgSize, 8); OverflowOffset += alignTo(ArgSize, 8);
} }
// Take fixed arguments into account for GpOffset and FpOffset, // Take fixed arguments into account for GpOffset and FpOffset,
// but don't actually store shadows for them. // but don't actually store shadows for them.
// TODO(glider): don't call get*PtrForVAArgument() for them.
if (IsFixed) if (IsFixed)
continue; continue;
if (!ShadowBase) if (!ShadowBase)
continue; continue;
IRB.CreateAlignedStore(MSV.getShadow(A), ShadowBase, Value *Shadow = MSV.getShadow(A);
kShadowTLSAlignment); IRB.CreateAlignedStore(Shadow, ShadowBase, kShadowTLSAlignment);
if (MS.TrackOrigins) {
Value *Origin = MSV.getOrigin(A);
unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType());
MSV.paintOrigin(IRB, Origin, OriginBase, StoreSize,
std::max(kShadowTLSAlignment, kMinOriginAlignment));
}
} }
} }
Constant *OverflowSize = Constant *OverflowSize =
ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset); ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset);
IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS); IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
} }
/// Compute the shadow address for a given va_arg. /// Compute the shadow address for a given va_arg.
Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
unsigned ArgOffset, unsigned ArgSize) { unsigned ArgOffset, unsigned ArgSize) {
// Make sure we don't overflow __msan_va_arg_tls. // Make sure we don't overflow __msan_va_arg_tls.
if (ArgOffset + ArgSize > kParamTLSSize) if (ArgOffset + ArgSize > kParamTLSSize)
return nullptr; return nullptr;
Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
"_msarg"); "_msarg_va_s");
}
/// Compute the origin address for a given va_arg.
Value *getOriginPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, int ArgOffset) {
Value *Base = IRB.CreatePointerCast(MS.VAArgOriginTLS, MS.IntptrTy);
// getOriginPtrForVAArgument() is always called after
// getShadowPtrForVAArgument(), so __msan_va_arg_origin_tls can never
// overflow.
Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
"_msarg_va_o");
} }
void unpoisonVAListTagForInst(IntrinsicInst &I) { void unpoisonVAListTagForInst(IntrinsicInst &I) {
IRBuilder<> IRB(&I); IRBuilder<> IRB(&I);
Value *VAListTag = I.getArgOperand(0); Value *VAListTag = I.getArgOperand(0);
Value *ShadowPtr, *OriginPtr; Value *ShadowPtr, *OriginPtr;
unsigned Alignment = 8; unsigned Alignment = 8;
std::tie(ShadowPtr, OriginPtr) = std::tie(ShadowPtr, OriginPtr) =
Show All 28 Lines if (!VAStartInstrumentationList.empty()) {
// va_arg_tls somewhere in the function entry block. // va_arg_tls somewhere in the function entry block.
IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI()); IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI());
VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS); VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS);
Value *CopySize = Value *CopySize =
IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset), IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset),
VAArgOverflowSize); VAArgOverflowSize);
VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize); VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize); IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize);
if (MS.TrackOrigins) {
VAArgTLSOriginCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
IRB.CreateMemCpy(VAArgTLSOriginCopy, 8, MS.VAArgOriginTLS, 8, CopySize);
}
} }
// Instrument va_start. // Instrument va_start.
// Copy va_list shadow from the backup copy of the TLS contents. // Copy va_list shadow from the backup copy of the TLS contents.
for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) { for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
CallInst *OrigInst = VAStartInstrumentationList[i]; CallInst *OrigInst = VAStartInstrumentationList[i];
IRBuilder<> IRB(OrigInst->getNextNode()); IRBuilder<> IRB(OrigInst->getNextNode());
Value *VAListTag = OrigInst->getArgOperand(0); Value *VAListTag = OrigInst->getArgOperand(0);
Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr( Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr(
IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
ConstantInt::get(MS.IntptrTy, 16)), ConstantInt::get(MS.IntptrTy, 16)),
PointerType::get(Type::getInt64PtrTy(*MS.C), 0)); PointerType::get(Type::getInt64PtrTy(*MS.C), 0));
Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr); Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr);
Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr; Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
unsigned Alignment = 16; unsigned Alignment = 16;
std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) = std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(), MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
Alignment, /*isStore*/ true); Alignment, /*isStore*/ true);
IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment, IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
AMD64FpEndOffset); AMD64FpEndOffset);
if (MS.TrackOrigins)
IRB.CreateMemCpy(RegSaveAreaOriginPtr, Alignment, VAArgTLSOriginCopy,
Alignment, AMD64FpEndOffset);
Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr( Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr(
IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
ConstantInt::get(MS.IntptrTy, 8)), ConstantInt::get(MS.IntptrTy, 8)),
PointerType::get(Type::getInt64PtrTy(*MS.C), 0)); PointerType::get(Type::getInt64PtrTy(*MS.C), 0));
Value *OverflowArgAreaPtr = IRB.CreateLoad(OverflowArgAreaPtrPtr); Value *OverflowArgAreaPtr = IRB.CreateLoad(OverflowArgAreaPtrPtr);
Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr; Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr;
std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) = std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) =
MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(), MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(),
Alignment, /*isStore*/ true); Alignment, /*isStore*/ true);
Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy, Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy,
AMD64FpEndOffset); AMD64FpEndOffset);
IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment, IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment,
VAArgOverflowSize); VAArgOverflowSize);
if (MS.TrackOrigins) {
SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSOriginCopy,
AMD64FpEndOffset);
IRB.CreateMemCpy(OverflowArgAreaOriginPtr, Alignment, SrcPtr, Alignment,
VAArgOverflowSize);
}
} }
} }
}; };
/// MIPS64-specific implementation of VarArgHelper. /// MIPS64-specific implementation of VarArgHelper.
struct VarArgMIPS64Helper : public VarArgHelper { struct VarArgMIPS64Helper : public VarArgHelper {
Function &F; Function &F;
MemorySanitizer &MS; MemorySanitizer &MS;
▲ Show 20 LinesShow All 592 LinesShow Last 20 Lines

projects/compiler-rt/lib/msan/msan.cc

Show First 20 LinesShow All 53 Lines▼ Show 20 Lines
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
THREADLOCAL u32 __msan_retval_origin_tls; THREADLOCAL u32 __msan_retval_origin_tls;
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
ALIGNED(16) THREADLOCAL u64 __msan_va_arg_tls[kMsanParamTlsSize / sizeof(u64)]; ALIGNED(16) THREADLOCAL u64 __msan_va_arg_tls[kMsanParamTlsSize / sizeof(u64)];
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
ALIGNED(16)
THREADLOCAL u32 __msan_va_arg_origin_tls[kMsanParamTlsSize / sizeof(u32)];
SANITIZER_INTERFACE_ATTRIBUTE
THREADLOCAL u64 __msan_va_arg_overflow_size_tls; THREADLOCAL u64 __msan_va_arg_overflow_size_tls;
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
THREADLOCAL u32 __msan_origin_tls; THREADLOCAL u32 __msan_origin_tls;
static THREADLOCAL int is_in_symbolizer; static THREADLOCAL int is_in_symbolizer;
extern "C" SANITIZER_WEAK_ATTRIBUTE const int __msan_track_origins; extern "C" SANITIZER_WEAK_ATTRIBUTE const int __msan_track_origins;
▲ Show 20 LinesShow All 202 Lines▼ Show 20 Lines
void ScopedThreadLocalStateBackup::Restore() { void ScopedThreadLocalStateBackup::Restore() {
// A lame implementation that only keeps essential state and resets the rest. // A lame implementation that only keeps essential state and resets the rest.
__msan_va_arg_overflow_size_tls = va_arg_overflow_size_tls; __msan_va_arg_overflow_size_tls = va_arg_overflow_size_tls;
internal_memset(__msan_param_tls, 0, sizeof(__msan_param_tls)); internal_memset(__msan_param_tls, 0, sizeof(__msan_param_tls));
internal_memset(__msan_retval_tls, 0, sizeof(__msan_retval_tls)); internal_memset(__msan_retval_tls, 0, sizeof(__msan_retval_tls));
internal_memset(__msan_va_arg_tls, 0, sizeof(__msan_va_arg_tls)); internal_memset(__msan_va_arg_tls, 0, sizeof(__msan_va_arg_tls));
internal_memset(__msan_va_arg_origin_tls, 0,
sizeof(__msan_va_arg_origin_tls));
if (__msan_get_track_origins()) { if (__msan_get_track_origins()) {
internal_memset(&__msan_retval_origin_tls, 0, internal_memset(&__msan_retval_origin_tls, 0,
sizeof(__msan_retval_origin_tls)); sizeof(__msan_retval_origin_tls));
internal_memset(__msan_param_origin_tls, 0, internal_memset(__msan_param_origin_tls, 0,
sizeof(__msan_param_origin_tls)); sizeof(__msan_param_origin_tls));
} }
} }
▲ Show 20 LinesShow All 382 LinesShow Last 20 Lines

projects/compiler-rt/test/msan/vararg.cc

// RUN: %clangxx_msan -fsanitize-memory-track-origins=0 -O3 %s -o %t && \
// RUN: not %run %t va_arg_tls >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
// RUN: %clangxx_msan -fsanitize-memory-track-origins=0 -O3 %s -o %t && \
// RUN: not %run %t overflow >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
// RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O3 %s -o %t && \
// RUN: not %run %t va_arg_tls >%t.out 2>&1
// RUN: FileCheck %s --check-prefixes=CHECK,CHECK-ORIGIN < %t.out
// RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O3 %s -o %t && \
// RUN: not %run %t overflow >%t.out 2>&1
// RUN: FileCheck %s --check-prefixes=CHECK,CHECK-ORIGIN < %t.out
// Check that shadow and origin are passed through va_args.
// Copying origins on AArch64, MIPS and PowerPC isn't supported yet.
// XFAIL: aarch64
eugenisUnsubmitted
Done
ReplyInline Actions

why __builtin?

eugenis: why __builtin?
// XFAIL: mips
// XFAIL: powerpc64
#include <stdarg.h>
#include <string.h>
__attribute__((noinline))
int sum(int n, ...) {
va_list args;
int i, sum = 0, arg;
volatile int temp;
va_start(args, n);
for (i = 0; i < n; i++) {
arg = va_arg(args, int);
sum += arg;
}
eugenisUnsubmitted
Done
ReplyInline Actions

Perfect. Please also test with more arguments to use the overflow area.

eugenis: Perfect. Please also test with more arguments to use the overflow area.
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

I've started writing such a test, and noticed that when I call a function with 85 int arguments it passes wrong shadow of (at least) the first argument to the callee.
Trying to figure out what's going on.

glider: I've started writing such a test, and noticed that when I call a function with 85 int arguments…
va_end(args);
return sum;
}
int main(int argc, char *argv[]) {
volatile int uninit;
volatile int a = 1, b = 2;
if (argc == 2) {
// Shadow/origin will be passed via va_arg_tls/va_arg_origin_tls.
if (strcmp(argv[1], "va_arg_tls") == 0) {
return sum(3, uninit, a, b);
}
// Shadow/origin of |uninit| will be passed via overflow area.
if (strcmp(argv[1], "overflow") == 0) {
return sum(7,
a, a, a, a, a, a, uninit
);
}
}
return 0;
}
// CHECK: WARNING: MemorySanitizer: use-of-uninitialized-value
// CHECK-ORIGIN: Uninitialized value was created by an allocation of 'uninit' in the stack frame of function 'main'

test/Instrumentation/MemorySanitizer/X86/vararg_call.ll

; RUN: opt < %s -msan -msan-check-access-address=0 -S | FileCheck %s
; RUN: opt < %s -msan -msan-check-access-address=0 -msan-track-origins=1 -S | FileCheck %s --check-prefixes=CHECK,CHECK-ORIGIN
; RUN: opt < %s -msan -msan-check-access-address=0 -msan-track-origins=2 -S | FileCheck %s --check-prefixes=CHECK,CHECK-ORIGIN
; Test that shadow and origin are stored for variadic function params.
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
%struct.__va_list_tag = type { i32, i32, i8*, i8* }
define dso_local i32 @test(i32 %a, i32 %b, i32 %c) local_unnamed_addr {
entry:
%call = tail call i32 (i32, ...) @sum(i32 3, i32 %a, i32 %b, i32 %c)
ret i32 %call
}
; CHECK: store i32 0, {{.*}} @__msan_param_tls {{.*}} i64 8
; CHECK: store i32 0, {{.*}} @__msan_param_tls {{.*}} i64 16
; CHECK: store i32 0, {{.*}} @__msan_param_tls {{.*}} i64 24
; CHECK: store i32 0, {{.*}} @__msan_va_arg_tls {{.*}} i64 8
; CHECK-ORIGIN: store i32 0, {{.*}} @__msan_va_arg_origin_tls {{.*}} i64 8
; CHECK: store i32 0, {{.*}} @__msan_va_arg_tls {{.*}} i64 16
; CHECK-ORIGIN: store i32 0, {{.*}} @__msan_va_arg_origin_tls {{.*}} i64 16
; CHECK: store i32 0, {{.*}} @__msan_va_arg_tls {{.*}} i64 24
; CHECK-ORIGIN: store i32 0, {{.*}} @__msan_va_arg_origin_tls {{.*}} i64 24
define dso_local i32 @sum(i32 %n, ...) local_unnamed_addr #0 {
entry:
%args = alloca [1 x %struct.__va_list_tag], align 16
%0 = bitcast [1 x %struct.__va_list_tag]* %args to i8*
call void @llvm.lifetime.start.p0i8(i64 24, i8* nonnull %0) #2
call void @llvm.va_start(i8* nonnull %0)
%cmp9 = icmp sgt i32 %n, 0
br i1 %cmp9, label %for.body.lr.ph, label %for.end
; CHECK: [[VA_ARG_TLS:%[_0-9a-z]+]] = bitcast {{.*}} @__msan_va_arg_tls
; CHECK: call void @llvm.memcpy.{{.*}} [[SHADOW_COPY:%[_0-9a-z]+]], {{.*}} [[VA_ARG_TLS]]
; CHECK-ORIGIN: [[VA_ARG_ORIGIN_TLS:%[_0-9a-z]+]] = bitcast {{.*}} @__msan_va_arg_origin_tls
; CHECK-ORIGIN: call void @llvm.memcpy{{.*}} [[ORIGIN_COPY:%[_0-9a-z]+]], {{.*}} [[VA_ARG_ORIGIN_TLS]]
; CHECK: call void @llvm.va_start
; CHECK: call void @llvm.memcpy.{{.*}}, {{.*}} [[SHADOW_COPY]], i{{.*}} [[REGSAVE:[0-9]+]]
; CHECK-ORIGIN: call void @llvm.memcpy.{{.*}}, {{.*}} [[ORIGIN_COPY]], i{{.*}} [[REGSAVE]]
; CHECK: [[OVERFLOW_SHADOW:%[_0-9a-z]+]] = getelementptr i8, i8* [[SHADOW_COPY]], i{{.*}} [[REGSAVE]]
; CHECK: call void @llvm.memcpy.{{.*}}[[OVERFLOW_SHADOW]]
; CHECK-ORIGIN: [[OVERFLOW_ORIGIN:%[_0-9a-z]+]] = getelementptr i8, i8* [[ORIGIN_COPY]], i{{.*}} [[REGSAVE]]
; CHECK-ORIGIN: call void @llvm.memcpy.{{.*}}[[OVERFLOW_ORIGIN]]
for.body.lr.ph: ; preds = %entry
%gp_offset_p = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %args, i64 0, i64 0, i32 0
%1 = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %args, i64 0, i64 0, i32 3
%overflow_arg_area_p = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %args, i64 0, i64 0, i32 2
%gp_offset.pre = load i32, i32* %gp_offset_p, align 16
br label %for.body
for.body: ; preds = %vaarg.end, %for.body.lr.ph
%gp_offset = phi i32 [ %gp_offset.pre, %for.body.lr.ph ], [ %gp_offset12, %vaarg.end ]
%sum.011 = phi i32 [ 0, %for.body.lr.ph ], [ %add, %vaarg.end ]
%i.010 = phi i32 [ 0, %for.body.lr.ph ], [ %inc, %vaarg.end ]
%fits_in_gp = icmp ult i32 %gp_offset, 41
br i1 %fits_in_gp, label %vaarg.in_reg, label %vaarg.in_mem
vaarg.in_reg: ; preds = %for.body
%reg_save_area = load i8*, i8** %1, align 16
%2 = sext i32 %gp_offset to i64
%3 = getelementptr i8, i8* %reg_save_area, i64 %2
%4 = add i32 %gp_offset, 8
store i32 %4, i32* %gp_offset_p, align 16
br label %vaarg.end
vaarg.in_mem: ; preds = %for.body
%overflow_arg_area = load i8*, i8** %overflow_arg_area_p, align 8
%overflow_arg_area.next = getelementptr i8, i8* %overflow_arg_area, i64 8
store i8* %overflow_arg_area.next, i8** %overflow_arg_area_p, align 8
br label %vaarg.end
vaarg.end: ; preds = %vaarg.in_mem, %vaarg.in_reg
%gp_offset12 = phi i32 [ %4, %vaarg.in_reg ], [ %gp_offset, %vaarg.in_mem ]
%vaarg.addr.in = phi i8* [ %3, %vaarg.in_reg ], [ %overflow_arg_area, %vaarg.in_mem ]
%vaarg.addr = bitcast i8* %vaarg.addr.in to i32*
%5 = load i32, i32* %vaarg.addr, align 4
%add = add nsw i32 %5, %sum.011
%inc = add nuw nsw i32 %i.010, 1
%exitcond = icmp eq i32 %inc, %n
br i1 %exitcond, label %for.end, label %for.body
for.end: ; preds = %vaarg.end, %entry
%sum.0.lcssa = phi i32 [ 0, %entry ], [ %add, %vaarg.end ]
call void @llvm.va_end(i8* nonnull %0)
call void @llvm.lifetime.end.p0i8(i64 24, i8* nonnull %0) #2
ret i32 %sum.0.lcssa
}
; Function Attrs: argmemonly nounwind
declare void @llvm.lifetime.start.p0i8(i64, i8* nocapture) #1
; Function Attrs: nounwind
declare void @llvm.va_start(i8*) #2
; Function Attrs: nounwind
declare void @llvm.va_end(i8*) #2
; Function Attrs: argmemonly nounwind
declare void @llvm.lifetime.end.p0i8(i64, i8* nocapture) #1
declare dso_local i80 @sum_i80(i32, ...) local_unnamed_addr
; Unaligned types like i80 should also work.
define dso_local i80 @test_i80(i80 %a, i80 %b, i80 %c) local_unnamed_addr {
entry:
%call = tail call i80 (i32, ...) @sum_i80(i32 3, i80 %a, i80 %b, i80 %c)
ret i80 %call
}