This is an archive of the discontinued LLVM Phabricator instance.

Differential D51627

[MSan] Make sure variadic function arguments do not overflow __msan_va_arg_tls
ClosedPublic

Authored by glider on Sep 4 2018, 6:33 AM.

Details

Reviewers
eugenis
kcc
dvyukov
javed.absar
Summary

Turns out that calling a variadic function with too many (e.g. >100 i64's) arguments overflows __msan_va_arg_tls, which leads to smashing other TLS data with function argument shadow values.
getShadow() already checks for kParamTLSSize and returns clean shadow if the argument does not fit, so just skip storing argument shadow for such arguments.

Diff Detail

Event Timeline

glider created this revision.Sep 4 2018, 6:33 AM
glider updated this revision to Diff 163808.Sep 4 2018, 7:08 AM
glider edited the summary of this revision. (Show Details)

Replaced assert() with report_fatal_error(), added a test.

eugenis accepted this revision.Sep 4 2018, 1:36 PM

LGTM

This revision is now accepted and ready to land.Sep 4 2018, 1:36 PM
eugenis requested changes to this revision.Sep 4 2018, 1:37 PM
This revision now requires changes to proceed.Sep 4 2018, 1:37 PM
eugenis added a comment.Sep 4 2018, 1:39 PM

In fact, getShadow() already checks for kParamTLSSize and returns clean shadow if the argument does not fit.
We just need to skip storing argument shadow for such arguments instead of asserting.

glider updated this revision to Diff 163989.Sep 5 2018, 2:39 AM
glider retitled this revision from [MSan] Check that variadic function arguments do not overflow __msan_va_arg_tls to [MSan] Make sure variadic function arguments do not overflow __msan_va_arg_tls.
glider edited the summary of this revision. (Show Details)

Skip storing argument shadow instead of asserting, added tests for AArch64, Mips, PPC64

Herald added a reviewer: javed.absar. · View Herald TranscriptSep 5 2018, 2:39 AM
Herald added subscribers: atanasyan, kbarton, nemanjai, sdardis. · View Herald Transcript
eugenis accepted this revision.Sep 5 2018, 1:19 PM

LGTM

This revision is now accepted and ready to land.Sep 5 2018, 1:19 PM
glider closed this revision.Sep 6 2018, 1:24 AM

Landed r341525, thanks!

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
71 lines
test/
Instrumentation/
MemorySanitizer/
AArch64/
27 lines
Mips/
27 lines
27 lines
PowerPC/
28 lines
27 lines
X86/
33 lines

Diff 163989

lib/Transforms/Instrumentation/MemorySanitizer.cpp

Show First 20 LinesShow All 3,312 Lines▼ Show 20 Lines for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
// ByVal arguments always go to the overflow area. // ByVal arguments always go to the overflow area.
// Fixed arguments passed through the overflow area will be stepped // Fixed arguments passed through the overflow area will be stepped
// over by va_start, so don't count them towards the offset. // over by va_start, so don't count them towards the offset.
if (IsFixed) if (IsFixed)
continue; continue;
assert(A->getType()->isPointerTy()); assert(A->getType()->isPointerTy());
Type *RealTy = A->getType()->getPointerElementType(); Type *RealTy = A->getType()->getPointerElementType();
uint64_t ArgSize = DL.getTypeAllocSize(RealTy); uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
Value *ShadowBase = Value *ShadowBase = getShadowPtrForVAArgument(
getShadowPtrForVAArgument(RealTy, IRB, OverflowOffset); RealTy, IRB, OverflowOffset, alignTo(ArgSize, 8));
OverflowOffset += alignTo(ArgSize, 8); OverflowOffset += alignTo(ArgSize, 8);
if (!ShadowBase)
continue;
Value *ShadowPtr, *OriginPtr; Value *ShadowPtr, *OriginPtr;
std::tie(ShadowPtr, OriginPtr) = std::tie(ShadowPtr, OriginPtr) =
MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment, MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment,
/*isStore*/ false); /*isStore*/ false);
IRB.CreateMemCpy(ShadowBase, kShadowTLSAlignment, ShadowPtr, IRB.CreateMemCpy(ShadowBase, kShadowTLSAlignment, ShadowPtr,
kShadowTLSAlignment, ArgSize); kShadowTLSAlignment, ArgSize);
} else { } else {
ArgKind AK = classifyArgument(A); ArgKind AK = classifyArgument(A);
if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset) if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset)
AK = AK_Memory; AK = AK_Memory;
if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset) if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset)
AK = AK_Memory; AK = AK_Memory;
Value *ShadowBase; Value *ShadowBase;
switch (AK) { switch (AK) {
case AK_GeneralPurpose: case AK_GeneralPurpose:
ShadowBase = getShadowPtrForVAArgument(A->getType(), IRB, GpOffset); ShadowBase =
getShadowPtrForVAArgument(A->getType(), IRB, GpOffset, 8);
GpOffset += 8; GpOffset += 8;
break; break;
case AK_FloatingPoint: case AK_FloatingPoint:
ShadowBase = getShadowPtrForVAArgument(A->getType(), IRB, FpOffset); ShadowBase =
getShadowPtrForVAArgument(A->getType(), IRB, FpOffset, 16);
FpOffset += 16; FpOffset += 16;
break; break;
case AK_Memory: case AK_Memory:
if (IsFixed) if (IsFixed)
continue; continue;
uint64_t ArgSize = DL.getTypeAllocSize(A->getType()); uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
ShadowBase = ShadowBase =
getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset); getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset, 8);
OverflowOffset += alignTo(ArgSize, 8); OverflowOffset += alignTo(ArgSize, 8);
} }
// Take fixed arguments into account for GpOffset and FpOffset, // Take fixed arguments into account for GpOffset and FpOffset,
// but don't actually store shadows for them. // but don't actually store shadows for them.
if (IsFixed) if (IsFixed)
continue; continue;
if (!ShadowBase)
continue;
IRB.CreateAlignedStore(MSV.getShadow(A), ShadowBase, IRB.CreateAlignedStore(MSV.getShadow(A), ShadowBase,
kShadowTLSAlignment); kShadowTLSAlignment);
} }
} }
Constant *OverflowSize = Constant *OverflowSize =
ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset); ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset);
IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS); IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
} }
/// Compute the shadow address for a given va_arg. /// Compute the shadow address for a given va_arg.
Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
int ArgOffset) { unsigned ArgOffset, unsigned ArgSize) {
// Make sure we don't overflow __msan_va_arg_tls.
if (ArgOffset + ArgSize > kParamTLSSize)
return nullptr;
Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
"_msarg"); "_msarg");
} }
void unpoisonVAListTagForInst(IntrinsicInst &I) { void unpoisonVAListTagForInst(IntrinsicInst &I) {
IRBuilder<> IRB(&I); IRBuilder<> IRB(&I);
▲ Show 20 LinesShow All 99 Lines▼ Show 20 Lines for (CallSite::arg_iterator ArgIt = CS.arg_begin() +
Value *Base; Value *Base;
uint64_t ArgSize = DL.getTypeAllocSize(A->getType()); uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
if (TargetTriple.getArch() == Triple::mips64) { if (TargetTriple.getArch() == Triple::mips64) {
// Adjusting the shadow for argument with size < 8 to match the placement // Adjusting the shadow for argument with size < 8 to match the placement
// of bits in big endian system // of bits in big endian system
if (ArgSize < 8) if (ArgSize < 8)
VAArgOffset += (8 - ArgSize); VAArgOffset += (8 - ArgSize);
} }
Base = getShadowPtrForVAArgument(A->getType(), IRB, VAArgOffset); Base = getShadowPtrForVAArgument(A->getType(), IRB, VAArgOffset, ArgSize);
VAArgOffset += ArgSize; VAArgOffset += ArgSize;
VAArgOffset = alignTo(VAArgOffset, 8); VAArgOffset = alignTo(VAArgOffset, 8);
if (!Base)
continue;
IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment); IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
} }
Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(), VAArgOffset); Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(), VAArgOffset);
// Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of
// a new class member i.e. it is the total size of all VarArgs. // a new class member i.e. it is the total size of all VarArgs.
IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS); IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
} }
/// Compute the shadow address for a given va_arg. /// Compute the shadow address for a given va_arg.
Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
int ArgOffset) { unsigned ArgOffset, unsigned ArgSize) {
// Make sure we don't overflow __msan_va_arg_tls.
if (ArgOffset + ArgSize > kParamTLSSize)
return nullptr;
Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
"_msarg"); "_msarg");
} }
void visitVAStartInst(VAStartInst &I) override { void visitVAStartInst(VAStartInst &I) override {
IRBuilder<> IRB(&I); IRBuilder<> IRB(&I);
▲ Show 20 LinesShow All 114 Lines▼ Show 20 Lines for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
ArgKind AK = classifyArgument(A); ArgKind AK = classifyArgument(A);
if (AK == AK_GeneralPurpose && GrOffset >= AArch64GrEndOffset) if (AK == AK_GeneralPurpose && GrOffset >= AArch64GrEndOffset)
AK = AK_Memory; AK = AK_Memory;
if (AK == AK_FloatingPoint && VrOffset >= AArch64VrEndOffset) if (AK == AK_FloatingPoint && VrOffset >= AArch64VrEndOffset)
AK = AK_Memory; AK = AK_Memory;
Value *Base; Value *Base;
switch (AK) { switch (AK) {
case AK_GeneralPurpose: case AK_GeneralPurpose:
Base = getShadowPtrForVAArgument(A->getType(), IRB, GrOffset); Base = getShadowPtrForVAArgument(A->getType(), IRB, GrOffset, 8);
GrOffset += 8; GrOffset += 8;
break; break;
case AK_FloatingPoint: case AK_FloatingPoint:
Base = getShadowPtrForVAArgument(A->getType(), IRB, VrOffset); Base = getShadowPtrForVAArgument(A->getType(), IRB, VrOffset, 8);
VrOffset += 16; VrOffset += 16;
break; break;
case AK_Memory: case AK_Memory:
// Don't count fixed arguments in the overflow area - va_start will // Don't count fixed arguments in the overflow area - va_start will
// skip right over them. // skip right over them.
if (IsFixed) if (IsFixed)
continue; continue;
uint64_t ArgSize = DL.getTypeAllocSize(A->getType()); uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
Base = getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset); Base = getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset,
alignTo(ArgSize, 8));
OverflowOffset += alignTo(ArgSize, 8); OverflowOffset += alignTo(ArgSize, 8);
break; break;
} }
// Count Gp/Vr fixed arguments to their respective offsets, but don't // Count Gp/Vr fixed arguments to their respective offsets, but don't
// bother to actually store a shadow. // bother to actually store a shadow.
if (IsFixed) if (IsFixed)
continue; continue;
if (!Base)
continue;
IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment); IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
} }
Constant *OverflowSize = Constant *OverflowSize =
ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AArch64VAEndOffset); ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AArch64VAEndOffset);
IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS); IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
} }
/// Compute the shadow address for a given va_arg. /// Compute the shadow address for a given va_arg.
Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
int ArgOffset) { unsigned ArgOffset, unsigned ArgSize) {
// Make sure we don't overflow __msan_va_arg_tls.
if (ArgOffset + ArgSize > kParamTLSSize)
return nullptr;
Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
"_msarg"); "_msarg");
} }
void visitVAStartInst(VAStartInst &I) override { void visitVAStartInst(VAStartInst &I) override {
IRBuilder<> IRB(&I); IRBuilder<> IRB(&I);
▲ Show 20 LinesShow All 188 Lines▼ Show 20 Lines for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
assert(A->getType()->isPointerTy()); assert(A->getType()->isPointerTy());
Type *RealTy = A->getType()->getPointerElementType(); Type *RealTy = A->getType()->getPointerElementType();
uint64_t ArgSize = DL.getTypeAllocSize(RealTy); uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
uint64_t ArgAlign = CS.getParamAlignment(ArgNo); uint64_t ArgAlign = CS.getParamAlignment(ArgNo);
if (ArgAlign < 8) if (ArgAlign < 8)
ArgAlign = 8; ArgAlign = 8;
VAArgOffset = alignTo(VAArgOffset, ArgAlign); VAArgOffset = alignTo(VAArgOffset, ArgAlign);
if (!IsFixed) { if (!IsFixed) {
Value *Base = getShadowPtrForVAArgument(RealTy, IRB, Value *Base = getShadowPtrForVAArgument(
VAArgOffset - VAArgBase); RealTy, IRB, VAArgOffset - VAArgBase, ArgSize);
if (Base) {
Value *AShadowPtr, *AOriginPtr; Value *AShadowPtr, *AOriginPtr;
std::tie(AShadowPtr, AOriginPtr) = MSV.getShadowOriginPtr( std::tie(AShadowPtr, AOriginPtr) =
A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment, /*isStore*/ false); MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(),
kShadowTLSAlignment, /*isStore*/ false);
IRB.CreateMemCpy(Base, kShadowTLSAlignment, AShadowPtr, IRB.CreateMemCpy(Base, kShadowTLSAlignment, AShadowPtr,
kShadowTLSAlignment, ArgSize); kShadowTLSAlignment, ArgSize);
} }
}
VAArgOffset += alignTo(ArgSize, 8); VAArgOffset += alignTo(ArgSize, 8);
} else { } else {
Value *Base; Value *Base;
uint64_t ArgSize = DL.getTypeAllocSize(A->getType()); uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
uint64_t ArgAlign = 8; uint64_t ArgAlign = 8;
if (A->getType()->isArrayTy()) { if (A->getType()->isArrayTy()) {
// Arrays are aligned to element size, except for long double // Arrays are aligned to element size, except for long double
// arrays, which are aligned to 8 bytes. // arrays, which are aligned to 8 bytes.
Show All 10 Lines for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
if (DL.isBigEndian()) { if (DL.isBigEndian()) {
// Adjusting the shadow for argument with size < 8 to match the placement // Adjusting the shadow for argument with size < 8 to match the placement
// of bits in big endian system // of bits in big endian system
if (ArgSize < 8) if (ArgSize < 8)
VAArgOffset += (8 - ArgSize); VAArgOffset += (8 - ArgSize);
} }
if (!IsFixed) { if (!IsFixed) {
Base = getShadowPtrForVAArgument(A->getType(), IRB, Base = getShadowPtrForVAArgument(A->getType(), IRB,
VAArgOffset - VAArgBase); VAArgOffset - VAArgBase, ArgSize);
if (Base)
IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment); IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
} }
VAArgOffset += ArgSize; VAArgOffset += ArgSize;
VAArgOffset = alignTo(VAArgOffset, 8); VAArgOffset = alignTo(VAArgOffset, 8);
} }
if (IsFixed) if (IsFixed)
VAArgBase = VAArgOffset; VAArgBase = VAArgOffset;
} }
Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(), Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(),
VAArgOffset - VAArgBase); VAArgOffset - VAArgBase);
// Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of
// a new class member i.e. it is the total size of all VarArgs. // a new class member i.e. it is the total size of all VarArgs.
IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS); IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
} }
/// Compute the shadow address for a given va_arg. /// Compute the shadow address for a given va_arg.
Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
int ArgOffset) { unsigned ArgOffset, unsigned ArgSize) {
// Make sure we don't overflow __msan_va_arg_tls.
if (ArgOffset + ArgSize > kParamTLSSize)
return nullptr;
Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
"_msarg"); "_msarg");
} }
void visitVAStartInst(VAStartInst &I) override { void visitVAStartInst(VAStartInst &I) override {
IRBuilder<> IRB(&I); IRBuilder<> IRB(&I);
▲ Show 20 LinesShow All 106 LinesShow Last 20 Lines

test/Instrumentation/MemorySanitizer/AArch64/vararg.ll

Show First 20 LinesShow All 68 Lines▼ Show 20 Lines
; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 24 ; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 24
; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 32 ; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 32
; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 96 ; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 96
; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 40 ; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 40
; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 48 ; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 48
; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 56 ; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 56
; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 192 ; CHECK: store {{.*}} @__msan_va_arg_tls {{.*}} 192
; CHECK: store {{.*}} 8, {{.*}} @__msan_va_arg_overflow_size_tls ; CHECK: store {{.*}} 8, {{.*}} @__msan_va_arg_overflow_size_tls
; Test that MSan doesn't generate code overflowing __msan_va_arg_tls when too many arguments are
; passed to a variadic function.
define dso_local i64 @many_args() {
entry:
%ret = call i64 (i64, ...) @sum(i64 120,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1
)
ret i64 %ret
}
; If the size of __msan_va_arg_tls changes the second argument of `add` must also be changed.
; CHECK: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 792)
; CHECK-NOT: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 800)
declare i64 @sum(i64 %n, ...)

test/Instrumentation/MemorySanitizer/Mips/vararg-mips64.ll

Show First 20 LinesShow All 47 Lines▼ Show 20 Linesdefine i32 @bar2() {
%1 = call i32 (i32, i32, ...) @foo2(i32 0, i32 1, i64 2, double 3.000000e+00) %1 = call i32 (i32, i32, ...) @foo2(i32 0, i32 1, i64 2, double 3.000000e+00)
ret i32 %1 ret i32 %1
} }
; CHECK-LABEL: @bar2 ; CHECK-LABEL: @bar2
; CHECK: store i64 0, i64* getelementptr inbounds ([100 x i64], [100 x i64]* @__msan_va_arg_tls, i32 0, i32 0), align 8 ; CHECK: store i64 0, i64* getelementptr inbounds ([100 x i64], [100 x i64]* @__msan_va_arg_tls, i32 0, i32 0), align 8
; CHECK: store i64 0, i64* inttoptr (i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 8) to i64*), align 8 ; CHECK: store i64 0, i64* inttoptr (i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 8) to i64*), align 8
; CHECK: store {{.*}} 16, {{.*}} @__msan_va_arg_overflow_size_tls ; CHECK: store {{.*}} 16, {{.*}} @__msan_va_arg_overflow_size_tls
; Test that MSan doesn't generate code overflowing __msan_va_arg_tls when too many arguments are
; passed to a variadic function.
define dso_local i64 @many_args() {
entry:
%ret = call i64 (i64, ...) @sum(i64 120,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1
)
ret i64 %ret
}
; If the size of __msan_va_arg_tls changes the second argument of `add` must also be changed.
; CHECK-LABEL: @many_args
; CHECK: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 792)
; CHECK-NOT: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 800)
declare i64 @sum(i64 %n, ...)

test/Instrumentation/MemorySanitizer/Mips/vararg-mips64el.ll

Show First 20 LinesShow All 46 Lines▼ Show 20 Linesdefine i32 @bar2() {
%1 = call i32 (i32, i32, ...) @foo2(i32 0, i32 1, i64 2, double 3.000000e+00) %1 = call i32 (i32, i32, ...) @foo2(i32 0, i32 1, i64 2, double 3.000000e+00)
ret i32 %1 ret i32 %1
} }
; CHECK-LABEL: @bar2 ; CHECK-LABEL: @bar2
; CHECK: store i64 0, i64* getelementptr inbounds ([100 x i64], [100 x i64]* @__msan_va_arg_tls, i32 0, i32 0), align 8 ; CHECK: store i64 0, i64* getelementptr inbounds ([100 x i64], [100 x i64]* @__msan_va_arg_tls, i32 0, i32 0), align 8
; CHECK: store i64 0, i64* inttoptr (i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 8) to i64*), align 8 ; CHECK: store i64 0, i64* inttoptr (i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 8) to i64*), align 8
; CHECK: store {{.*}} 16, {{.*}} @__msan_va_arg_overflow_size_tls ; CHECK: store {{.*}} 16, {{.*}} @__msan_va_arg_overflow_size_tls
; Test that MSan doesn't generate code overflowing __msan_va_arg_tls when too many arguments are
; passed to a variadic function.
define dso_local i64 @many_args() {
entry:
%ret = call i64 (i64, ...) @sum(i64 120,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1
)
ret i64 %ret
}
; If the size of __msan_va_arg_tls changes the second argument of `add` must also be changed.
; CHECK-LABEL: @many_args
; CHECK: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 792)
; CHECK-NOT: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 800)
declare i64 @sum(i64 %n, ...)

test/Instrumentation/MemorySanitizer/PowerPC/vararg-ppc64.ll

Show First 20 LinesShow All 105 Lines▼ Show 20 Linesdefine i32 @bar7([4 x i64]* %arg) {
%1 = call i32 (i32, ...) @foo(i32 0, [4 x i64]* byval align 16 %arg) %1 = call i32 (i32, ...) @foo(i32 0, [4 x i64]* byval align 16 %arg)
ret i32 %1 ret i32 %1
} }
; CHECK-LABEL: @bar7 ; CHECK-LABEL: @bar7
; CHECK: [[SHADOW:%[0-9]+]] = bitcast [4 x i64]* inttoptr (i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 8) to [4 x i64]*) ; CHECK: [[SHADOW:%[0-9]+]] = bitcast [4 x i64]* inttoptr (i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 8) to [4 x i64]*)
; CHECK: call void @llvm.memcpy.p0i8.p0i8.i64(i8* align 8 [[SHADOW]], i8* align 8 {{.*}}, i64 32, i1 false) ; CHECK: call void @llvm.memcpy.p0i8.p0i8.i64(i8* align 8 [[SHADOW]], i8* align 8 {{.*}}, i64 32, i1 false)
; CHECK: store {{.*}} 40, {{.*}} @__msan_va_arg_overflow_size_tls ; CHECK: store {{.*}} 40, {{.*}} @__msan_va_arg_overflow_size_tls
; Test that MSan doesn't generate code overflowing __msan_va_arg_tls when too many arguments are
; passed to a variadic function.
define dso_local i64 @many_args() {
entry:
%ret = call i64 (i64, ...) @sum(i64 120,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1
)
ret i64 %ret
}
; If the size of __msan_va_arg_tls changes the second argument of `add` must also be changed.
; CHECK-LABEL: @many_args
; CHECK: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 792)
; CHECK-NOT: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 800)
declare i64 @sum(i64 %n, ...)

test/Instrumentation/MemorySanitizer/PowerPC/vararg-ppc64le.ll

Show First 20 LinesShow All 89 Lines▼ Show 20 Linesdefine i32 @bar7([4 x i64]* %arg) {
%1 = call i32 (i32, ...) @foo(i32 0, [4 x i64]* byval align 16 %arg) %1 = call i32 (i32, ...) @foo(i32 0, [4 x i64]* byval align 16 %arg)
ret i32 %1 ret i32 %1
} }
; CHECK-LABEL: @bar7 ; CHECK-LABEL: @bar7
; CHECK: [[SHADOW:%[0-9]+]] = bitcast [4 x i64]* inttoptr (i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 8) to [4 x i64]*) ; CHECK: [[SHADOW:%[0-9]+]] = bitcast [4 x i64]* inttoptr (i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 8) to [4 x i64]*)
; CHECK: call void @llvm.memcpy.p0i8.p0i8.i64(i8* align 8 [[SHADOW]], i8* align 8 {{.*}}, i64 32, i1 false) ; CHECK: call void @llvm.memcpy.p0i8.p0i8.i64(i8* align 8 [[SHADOW]], i8* align 8 {{.*}}, i64 32, i1 false)
; CHECK: store {{.*}} 40, {{.*}} @__msan_va_arg_overflow_size_tls ; CHECK: store {{.*}} 40, {{.*}} @__msan_va_arg_overflow_size_tls
; Test that MSan doesn't generate code overflowing __msan_va_arg_tls when too many arguments are
; passed to a variadic function.
define dso_local i64 @many_args() {
entry:
%ret = call i64 (i64, ...) @sum(i64 120,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1
)
ret i64 %ret
}
; If the size of __msan_va_arg_tls changes the second argument of `add` must also be changed.
; CHECK-LABEL: @many_args
; CHECK: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 792)
; CHECK-NOT: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 800)
declare i64 @sum(i64 %n, ...)

test/Instrumentation/MemorySanitizer/X86/vararg-too-large.ll

; RUN: opt < %s -msan -msan-check-access-address=0 -S 2>&1 | FileCheck %s
; Test that MSan doesn't generate code overflowing __msan_va_arg_tls when too many arguments are
; passed to a variadic function.
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
define dso_local i64 @many_args() {
entry:
%ret = call i64 (i64, ...) @sum(i64 120,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1,
i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1, i64 1
)
ret i64 %ret
}
; If the size of __msan_va_arg_tls changes the second argument of `add` must also be changed.
; CHECK-LABEL: @many_args
; CHECK: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 792)
; CHECK-NOT: i64 add (i64 ptrtoint ([100 x i64]* @__msan_va_arg_tls to i64), i64 800)
declare i64 @sum(i64 %n, ...)