This is an archive of the discontinued LLVM Phabricator instance.

Differential D54337

[ASan] Make AddressSanitizer a ModulePass
AbandonedPublic

Authored by leonardchan on Nov 9 2018, 11:21 AM.

Details

Reviewers
tamur
chandlerc
fedor.sergeev
philip.pfaffe
Summary

This patch changes AddressSanitizer from a FunctionPass to a ModulePass. The purpose of this is to make it simpler to eventually port this pass to the new pass manager. The class depends on the module for some initialization, but does this through doInitialization, but the new PM infra does not seem to have an equivalent overridable method for new PM passes. Making the sanitizer run on modules allows for performing this initialization at the start of every module run while still performing per-function instrumentation. This change is made so that the logic behind AddressSanitizer can be abstracted out and be used between separate module passes for the legacy and new PM.

This is part of the second attempt of porting ASan to the new PM after D52739.

Other changes:

  • Remove the unused DominatorTree dependency

Diff Detail

Repository
rL LLVM

Event Timeline

leonardchan created this revision.Nov 9 2018, 11:21 AM
Herald added a subscriber: hiraditya. · View Herald TranscriptNov 9 2018, 11:21 AM
leonardchan edited the summary of this revision. (Show Details)Nov 9 2018, 11:24 AM
philip.pfaffe added a comment.Nov 10 2018, 1:18 AM

Making this a module pass will cost us all the nice chaining and cache locality we get from a function pass. That will make the already slow instrumentation even more expensive. Do you see a way to keep this as a function pass?

fedor.sergeev added a comment.Nov 10 2018, 2:55 AM
In D54337#1294096, @philip.pfaffe wrote:

Making this a module pass will cost us all the nice chaining and cache locality we get from a function pass.
That will make the already slow instrumentation even more expensive. Do you see a way to keep this as a function pass?

I assume the main problem with this being function pass in NewPM is the need for initialization, which is too slow when being done per-function.

There are ways around this issue, perhaps the most logical one would be to implement analysis for this GlobalMetadata thing...

philip.pfaffe added a comment.Nov 10 2018, 3:01 AM

The problem is not speed but correctness. The initialization adds function definitions, which function passes can't do. So we need to initialize out-of-band, either with a separate module pass, or some function outside of the pass pipeline. I strongly prefer the latter, but it's not entirely clear to me how this function should be called. It's obviousl when running this through clang, but what about opt?

fedor.sergeev added a comment.Nov 10 2018, 3:51 AM
In D54337#1294149, @philip.pfaffe wrote:

The problem is not speed but correctness. The initialization adds function definitions, which function passes can't do.

Hmm... can you point me where function definitions are being added in doInitialization, I just dont see it (frankly I'm not familiar with this code at all).

So we need to initialize out-of-band, either with a separate module pass, or some function outside of the pass pipeline. I strongly prefer the latter, but it's not entirely clear to me how this function should be called. It's obviousl when running this through clang, but what about opt?

I dont see why do you prefer the latter, adding function definitions in module passes seems to be quite normal, and then it will definitely solve the problem with opt.

philip.pfaffe added a comment.Nov 10 2018, 4:01 AM

Hmm... can you point me where function definitions are being added in doInitialization, I just dont see it (frankly I'm not familiar with this code at all).

I might have been wrong here, I assumed the Asan function pass did this,too, because all sanitizers I've looked at do it. But it's possible that only the Module variant does it.

I dont see why do you prefer the latter, adding function definitions in module passes seems to be quite normal, and then it will definitely solve the problem with opt.

I'm against a module pass because it implies inter-pass-dependencies. If you run the function pass but not the module pass, you end up with a broken program. I'd really like to avoid that.

leonardchan added a comment.Nov 15 2018, 11:00 AM

Sorry for the delayed response. So the main problem is that AddressSantizer needs to perform some initialization involving reading stuff from global metadata and getting some target specific information. More specifically, just these 6 things which are all initialized in doInitialization:

GlobalsMD.init(M);
C = &(M.getContext());
LongSize = M.getDataLayout().getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize);
TargetTriple = Triple(M.getTargetTriple());
Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel);

which are all accessible from the Module. (I think) this doesn't require adding any function definitions or changes to the module other than adding the declarations for functions used for the ASan runtime, and AddressSanitizerModule I think is the only ASan related pass that calls createSanitizerCtorAndInitFunctions for making these function definitions.

To me it seems that there just needs to be an equivalent doInitialization that accepts modules for function passes in the new PM, but it seems that given the way runs are performed in the new PM, there's no inherit way to access the "parent" IRUnit of a given IRUnit. Was this what you were suggesting with the function outside of the pass pipeline @philip.pfaffe ? An alternative idea that @tamur suggested was putting the global metadata and other initialized data into a lazy data structure that can be accessed by the AddressSanitizers.

Would having this as a ModulePass also make that much of an impact in instrumentation speed? From what I could determine, with AddressSanitizer as a FunctionPass, control of this is delegated to the FunctionPassManager whose 'runOnModule` method just iterates through every function in the module, and it seems that the only actions done between the FunctionPass's doInitialization and FunctionPassManager's runOnModule is counting the size of the module and initializing some analyses, but I could also be overlooking something big here.

philip.pfaffe added a comment.Nov 16 2018, 1:17 AM

Sorry for the delayed response. So the main problem is that AddressSantizer needs to perform some initialization involving reading stuff from global metadata and getting some target specific information. More specifically, just these 6 things which are all initialized in doInitialization:

GlobalsMD.init(M);
C = &(M.getContext());
LongSize = M.getDataLayout().getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize);
TargetTriple = Triple(M.getTargetTriple());
Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel);

If asan doesn't modify the module for this ('this' meaning the Mapping and the GlobalsMD here), than this is an excellent candidate for an analysis.

To me it seems that there just needs to be an equivalent doInitialization that accepts modules for function passes in the new PM, but it seems that given the way runs are performed in the new PM, there's no inherit way to access the "parent" IRUnit of a given IRUnit. Was this what you were suggesting with the function outside of the pass pipeline @philip.pfaffe ? An alternative idea that @tamur suggested was putting the global metadata and other initialized data into a lazy data structure that can be accessed by the AddressSanitizers.

There can't be a doInitialization in the new pass manager. It really doesn't fit the design. There can be multiple instances of a pass, both in the same pass manager or in different managers. Who does the initialization?

The free function thing I suggested was to do the initialization bits that modify the module. Function passes currently are allowed to insert global variables, MD, and other function declarations, but no function bodies. If asan doesn't need that, great! Doing the rest of the initialization lazily works, though! A thing to keep in mind though is that multiple instances of the pass still initialize multiple times, so it should be both cheap(-ish) and reentrant (in the sense that it shouldn't add e.g. functions twice).

Would having this as a ModulePass also make that much of an impact in instrumentation speed? From what I could determine, with AddressSanitizer as a FunctionPass, control of this is delegated to the FunctionPassManager whose 'runOnModule` method just iterates through every function in the module, and it seems that the only actions done between the FunctionPass's doInitialization and FunctionPassManager's runOnModule is counting the size of the module and initializing some analyses, but I could also be overlooking something big here.

Function passes are pipelined per function. That means that for a given function you first run simplification, optimization, and then the sanitizer without touching another function. So everything is nice and local. With a module pass you loose all that locality.

leonardchan added a comment.Nov 19 2018, 1:19 PM
In D54337#1300858, @philip.pfaffe wrote:

Sorry for the delayed response. So the main problem is that AddressSantizer needs to perform some initialization involving reading stuff from global metadata and getting some target specific information. More specifically, just these 6 things which are all initialized in doInitialization:

GlobalsMD.init(M);
C = &(M.getContext());
LongSize = M.getDataLayout().getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize);
TargetTriple = Triple(M.getTargetTriple());
Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel);

If asan doesn't modify the module for this ('this' meaning the Mapping and the GlobalsMD here), than this is an excellent candidate for an analysis.

When you say analysis, do you mean like the TargetLibraryInfoWrapperPass that AddressSanitizer is dependent on? Not sure what the difference between passes and analyses are, but if the purpose of TargetLibraryInfoWrapperPass is to just pass a TargetLibraryInfo to AddressSantizer, then it seems a new WrapperPass could similarly be made for this initialized data as a custom class made specifically for ASan.

tamur added a comment.Nov 26 2018, 10:12 PM

I am not an expert or have a good context, please excuse my trespassing, just as a guy reading the code and trying to understand, this is my understanding:

  1. GlobalsMD.init(M); is the only expensive part of the AddressSanitizer initialization.
  2. All data in GlobalsMD is obtained from a module, in GlobalsMetadata::init(Module& M).
  3. (Maybe this is not obvious) Function objects have a reference to their module via Function::getParent() method.
  4. Therefore, every expensive data that the function pass for AddressSanitizer needs, can be stored in Module objects:
  5. GlobalsMetadata class is probably no longer needed, at worst, the GlobalVariable* --> Entry mapping can be stored within the Module class.
  6. I haven't looked whether this mapping can be initialized within the constructor of Module. If yes, great. If not, some care needs to be taken to make the mapping be initialized only once on the first demand, also with care with respect to synchronization (multiple AddressSanitizers for functions of the same module may be running in parallel -if not now, in the future-), but these should be minor complications.

With these changes, AddressSanitizer can become a function level pass.

There is also an AddressSanitizerModule class in AddressSanitizer.cpp. If I understand correctly, now it is running as a module level pass before the AddressSanitizer the function level pass. The owners probably do not want to have this as a module level pass either. There may be a better way to accomplish this, but this is the simplest solution that comes to my mind:

  • It seems that AddressSanitizerModule is run only for its side effects on the Module. Which is good, so we don't need to find a place to store the calculated data. (If I'm wrong please ignore the rest of my comment)
  • Let's call the AddressSanitizerModule business logic ASM_BL.
  • Either add a boolean instance variable to Module, or have a global Module-->bool mapping to keep track of for which modules ASM_BL code has run.
  • Each address sanitizer function pass looks whether the ASM_BL for the function's module has already run, and if not runs it as the first thing.
  • But be careful about synchronization, protect ASM_BL with a mutex or something, be sure that it runs only once.
  • Alternatively, make AddressSanitizerModule pass a separate function level pass, make it a prerequisite of the AddressSanitizer the function level pass, and still take care of synchronization etc. i.e. hide ASM_BL behind some abstraction, so that even though every function of the module will call ASM_BL, it will actually run only once.

Any time your understanding or other reviewers' suggestions contradict mine, please feel free to ignore mine.

fedor.sergeev added a comment.Dec 3 2018, 12:47 PM
In D54337#1309109, @tamur wrote:

I am not an expert or have a good context, please excuse my trespassing, just as a guy reading the code and trying to understand, this is my understanding:

  1. GlobalsMD.init(M); is the only expensive part of the AddressSanitizer initialization.
  2. All data in GlobalsMD is obtained from a module, in GlobalsMetadata::init(Module& M).
  3. (Maybe this is not obvious) Function objects have a reference to their module via Function::getParent() method.
  4. Therefore, every expensive data that the function pass for AddressSanitizer needs, can be stored in Module objects:

Up to this point it kinda makes sense.
However, this suggestion of storing supplementary passes information into the IR itself does not sound like a good design decision.
A typical solution for LLVM to store supporting information is to introduce an Analysis, so it kinda floats around the IR, but
is not being stored directly into it.

fedor.sergeev added a comment.Dec 3 2018, 1:06 PM
In D54337#1303405, @leonardchan wrote:
In D54337#1300858, @philip.pfaffe wrote:

If asan doesn't modify the module for this ('this' meaning the Mapping and the GlobalsMD here), than this is an excellent candidate for an analysis.

When you say analysis, do you mean like the TargetLibraryInfoWrapperPass that AddressSanitizer is dependent on? Not sure what the difference between passes and analyses are, but if the purpose of TargetLibraryInfoWrapperPass is to just pass a TargetLibraryInfo to AddressSantizer, then it seems a new WrapperPass could similarly be made for this initialized data as a custom class made specifically for ASan.

Passes are transformations that are allowed (and actually expected) to mutate the IR.
Analyses are (well, in NewPM) not passes, they are run over IR and store their "analytics" as the analysis result into the Analysis Manager.
Passes can query Analysis Manager and get the results that are either cached or calculated on demand.

Analysis can be any information which is not an IR itself. TargetLibraryInfo, DominatorTree, GlobalsMetadata... whatever.
The only problem that you might find when using your custom analysis from the pass will be similar to the current dichotomy of module & function ASan.
You can not *run* module analysis from within a function pass. It can only be run on a module level.

philip.pfaffe mentioned this in D54394: [WIP][NewPM] Port msan.Dec 5 2018, 6:43 AM
leonardchan added a comment.Dec 11 2018, 12:48 PM

Analysis can be any information which is not an IR itself. TargetLibraryInfo, DominatorTree, GlobalsMetadata... whatever.
The only problem that you might find when using your custom analysis from the pass will be similar to the current dichotomy of module & function ASan.
You can not *run* module analysis from within a function pass. It can only be run on a module level.

Hmm. So if we keep ASan as a function pass, there doesn't seem to be a clean already existing way of performing one task before pass runs, especially if a pass for one IR unit cannot depend on/require running a pass on a different IR unit type first.

philip.pfaffe added a comment.Dec 14 2018, 2:38 AM

It depends on what you mean by task. There is no clean way for depending on changes between IR units. I.e. you can't express the requirement that two passes have to run in a specific order. But that's okay, implementing such requirements would incure insane complexity. Fortunately, if I recall correctly Asan oesn't need that! Correct me if I'm wrong.

But depending on information about other IR units is possible, that's why we have analyses. For asan this means: leave asan a function pass, but pull things pre-computed for the module into a module level analysis.

philip.pfaffe added a comment.Jan 3 2019, 6:15 AM

@leonardchan Are you making any progress here?

leonardchan added a comment.Jan 3 2019, 10:37 AM
In D54337#1345024, @philip.pfaffe wrote:

@leonardchan Are you making any progress here?

I haven't gotten back to this yet, but will do so after looking into what may be required for also porting SafeStack and ShadowCallStack to new PM.

It depends on what you mean by task. There is no clean way for depending on changes between IR units. I.e. you can't express the requirement that two passes have to run in a specific order. But that's okay, implementing such requirements would incure insane complexity. Fortunately, if I recall correctly Asan oesn't need that! Correct me if I'm wrong.
But depending on information about other IR units is possible, that's why we have analyses. For asan this means: leave asan a function pass, but pull things pre-computed for the module into a module level analysis.

You're right in that Asan doesn't need to keep track of changes between IR units. I haven't started this yet, but the main thing I was concerned about was that, for some reason, function passes in the new PM couldn't depend on module level analyses and only function level analyses, but I think this is false since TargetLibraryAnalysis is an example of an analysis that was ported but is required by many function passes.

philip.pfaffe added a comment.Jan 3 2019, 10:50 AM

I haven't gotten back to this yet, but will do so after looking into what may be required for also porting SafeStack and ShadowCallStack to new PM.

If I recall correctly, it was pointed out on the SafeStack thread that, since SafeStack is part of CodeGen, porting it is not possible right now.

You're right in that Asan doesn't need to keep track of changes between IR units. I haven't started this yet, but the main thing I was concerned about was that, for some reason, function passes in the new PM couldn't depend on module level analyses and only function level analyses, but I think this is false since TargetLibraryAnalysis is an example of an analysis that was ported but is required by many function passes.

TargetLibraryAnalysis is in fact a function analysis. Function analyses cannot request Module analyses to be ran, that is correct. They can, however, use analysis results that are already available.

leonardchan added a comment.Jan 8 2019, 6:59 PM

Posted second attempt at porting ASan using an analysis at D56470.

leonardchan mentioned this in D56470: [NewPM] Second attempt at porting ASan.Jan 9 2019, 11:06 AM
leonardchan abandoned this revision.Feb 19 2019, 6:46 PM

Addressed in rC353985

Herald added a project: Restricted Project. · View Herald TranscriptFeb 19 2019, 6:46 PM
Herald added a subscriber: jdoerfert. · View Herald Transcript
leonardchan mentioned this in D64843: hwasan: Initialize the pass only once..Jul 17 2019, 3:24 PM

Revision Contents

PathSize
clang/
lib/
CodeGen/
6 lines
llvm/
bindings/
go/
llvm/
2 lines
include/
llvm/
Transforms/
6 lines
lib/
Transforms/
Instrumentation/
81 lines

Diff 173390

clang/lib/CodeGen/BackendUtil.cpp

Show First 20 LinesShow All 230 Lines▼ Show 20 Linesstatic void addAddressSanitizerPasses(const PassManagerBuilder &Builder,
legacy::PassManagerBase &PM) { legacy::PassManagerBase &PM) {
const PassManagerBuilderWrapper &BuilderWrapper = const PassManagerBuilderWrapper &BuilderWrapper =
static_cast<const PassManagerBuilderWrapper&>(Builder); static_cast<const PassManagerBuilderWrapper&>(Builder);
const Triple &T = BuilderWrapper.getTargetTriple(); const Triple &T = BuilderWrapper.getTargetTriple();
const CodeGenOptions &CGOpts = BuilderWrapper.getCGOpts(); const CodeGenOptions &CGOpts = BuilderWrapper.getCGOpts();
bool Recover = CGOpts.SanitizeRecover.has(SanitizerKind::Address); bool Recover = CGOpts.SanitizeRecover.has(SanitizerKind::Address);
bool UseAfterScope = CGOpts.SanitizeAddressUseAfterScope; bool UseAfterScope = CGOpts.SanitizeAddressUseAfterScope;
bool UseGlobalsGC = asanUseGlobalsGC(T, CGOpts); bool UseGlobalsGC = asanUseGlobalsGC(T, CGOpts);
PM.add(createAddressSanitizerFunctionPass(/*CompileKernel*/ false, Recover, PM.add(createAddressSanitizerPass(/*CompileKernel*/ false, Recover,
UseAfterScope)); UseAfterScope));
PM.add(createAddressSanitizerModulePass(/*CompileKernel*/ false, Recover, PM.add(createAddressSanitizerModulePass(/*CompileKernel*/ false, Recover,
UseGlobalsGC)); UseGlobalsGC));
} }
static void addKernelAddressSanitizerPasses(const PassManagerBuilder &Builder, static void addKernelAddressSanitizerPasses(const PassManagerBuilder &Builder,
legacy::PassManagerBase &PM) { legacy::PassManagerBase &PM) {
PM.add(createAddressSanitizerFunctionPass( PM.add(createAddressSanitizerPass(
/*CompileKernel*/ true, /*Recover*/ true, /*UseAfterScope*/ false)); /*CompileKernel*/ true, /*Recover*/ true, /*UseAfterScope*/ false));
PM.add(createAddressSanitizerModulePass( PM.add(createAddressSanitizerModulePass(
/*CompileKernel*/ true, /*Recover*/ true)); /*CompileKernel*/ true, /*Recover*/ true));
} }
static void addHWAddressSanitizerPasses(const PassManagerBuilder &Builder, static void addHWAddressSanitizerPasses(const PassManagerBuilder &Builder,
legacy::PassManagerBase &PM) { legacy::PassManagerBase &PM) {
const PassManagerBuilderWrapper &BuilderWrapper = const PassManagerBuilderWrapper &BuilderWrapper =
▲ Show 20 LinesShow All 1,175 LinesShow Last 20 Lines

llvm/bindings/go/llvm/InstrumentationBindings.cpp

Show All 14 Lines
#include "llvm-c/Core.h" #include "llvm-c/Core.h"
#include "llvm/IR/LegacyPassManager.h" #include "llvm/IR/LegacyPassManager.h"
#include "llvm/IR/Module.h" #include "llvm/IR/Module.h"
#include "llvm/Transforms/Instrumentation.h" #include "llvm/Transforms/Instrumentation.h"
using namespace llvm; using namespace llvm;
void LLVMAddAddressSanitizerFunctionPass(LLVMPassManagerRef PM) { void LLVMAddAddressSanitizerFunctionPass(LLVMPassManagerRef PM) {
unwrap(PM)->add(createAddressSanitizerFunctionPass()); unwrap(PM)->add(createAddressSanitizerPass());
} }
void LLVMAddAddressSanitizerModulePass(LLVMPassManagerRef PM) { void LLVMAddAddressSanitizerModulePass(LLVMPassManagerRef PM) {
unwrap(PM)->add(createAddressSanitizerModulePass()); unwrap(PM)->add(createAddressSanitizerModulePass());
} }
void LLVMAddThreadSanitizerPass(LLVMPassManagerRef PM) { void LLVMAddThreadSanitizerPass(LLVMPassManagerRef PM) {
unwrap(PM)->add(createThreadSanitizerPass()); unwrap(PM)->add(createThreadSanitizerPass());
Show All 15 Lines

llvm/include/llvm/Transforms/Instrumentation.h

Show First 20 LinesShow All 132 Lines▼ Show 20 Linesstruct InstrProfOptions {
InstrProfOptions() = default; InstrProfOptions() = default;
}; };
/// Insert frontend instrumentation based profiling. /// Insert frontend instrumentation based profiling.
ModulePass *createInstrProfilingLegacyPass( ModulePass *createInstrProfilingLegacyPass(
const InstrProfOptions &Options = InstrProfOptions()); const InstrProfOptions &Options = InstrProfOptions());
// Insert AddressSanitizer (address sanity checking) instrumentation // Insert AddressSanitizer (address sanity checking) instrumentation
FunctionPass *createAddressSanitizerFunctionPass(bool CompileKernel = false, ModulePass *createAddressSanitizerPass(bool CompileKernel = false,
bool Recover = false, bool Recover = false,
bool UseAfterScope = false); bool UseAfterScope = false);
ModulePass *createAddressSanitizerModulePass(bool CompileKernel = false, ModulePass *createAddressSanitizerModulePass(bool CompileKernel = false,
bool Recover = false, bool Recover = false,
bool UseGlobalsGC = true); bool UseGlobalsGC = true);
// Insert MemorySanitizer instrumentation (detection of uninitialized reads) // Insert MemorySanitizer instrumentation (detection of uninitialized reads)
FunctionPass *createMemorySanitizerPass(int TrackOrigins = 0, FunctionPass *createMemorySanitizerPass(int TrackOrigins = 0,
bool Recover = false, bool Recover = false,
bool EnableKmsan = false); bool EnableKmsan = false);
▲ Show 20 LinesShow All 78 LinesShow Last 20 Lines

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 422 Lines▼ Show 20 Linespublic:
GlobalsMetadata() = default; GlobalsMetadata() = default;
void reset() { void reset() {
inited_ = false; inited_ = false;
Entries.clear(); Entries.clear();
} }
void init(Module &M) { void init(const Module &M) {
assert(!inited_); assert(!inited_);
inited_ = true; inited_ = true;
NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals"); NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals");
if (!Globals) return; if (!Globals) return;
for (auto MDN : Globals->operands()) { for (auto MDN : Globals->operands()) {
// Metadata node contains the global and the fields of "Entry". // Metadata node contains the global and the fields of "Entry".
assert(MDN->getNumOperands() == 5); assert(MDN->getNumOperands() == 5);
auto *GV = mdconst::extract_or_null<GlobalVariable>(MDN->getOperand(0)); auto *GV = mdconst::extract_or_null<GlobalVariable>(MDN->getOperand(0));
▲ Show 20 LinesShow All 152 Lines▼ Show 20 Linesstatic size_t RedzoneSizeForScale(int MappingScale) {
// Redzone used for stack and globals is at least 32 bytes. // Redzone used for stack and globals is at least 32 bytes.
// For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively.
return std::max(32U, 1U << MappingScale); return std::max(32U, 1U << MappingScale);
} }
namespace { namespace {
/// AddressSanitizer: instrument the code in module to find memory bugs. /// AddressSanitizer: instrument the code in module to find memory bugs.
struct AddressSanitizer : public FunctionPass { struct AddressSanitizer : public ModulePass {
// Pass identification, replacement for typeid // Pass identification, replacement for typeid
static char ID; static char ID;
explicit AddressSanitizer(bool CompileKernel = false, bool Recover = false, explicit AddressSanitizer(bool CompileKernel = false, bool Recover = false,
bool UseAfterScope = false) bool UseAfterScope = false)
: FunctionPass(ID), UseAfterScope(UseAfterScope || ClUseAfterScope) { : ModulePass(ID), UseAfterScope(UseAfterScope || ClUseAfterScope) {
this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover; this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover;
this->CompileKernel = ClEnableKasan.getNumOccurrences() > 0 ? this->CompileKernel = ClEnableKasan.getNumOccurrences() > 0 ?
ClEnableKasan : CompileKernel; ClEnableKasan : CompileKernel;
initializeAddressSanitizerPass(*PassRegistry::getPassRegistry()); initializeAddressSanitizerPass(*PassRegistry::getPassRegistry());
} }
StringRef getPassName() const override { StringRef getPassName() const override {
return "AddressSanitizerFunctionPass"; return "AddressSanitizerFunctionPass";
} }
void getAnalysisUsage(AnalysisUsage &AU) const override { void getAnalysisUsage(AnalysisUsage &AU) const override {
AU.addRequired<DominatorTreeWrapperPass>();
AU.addRequired<TargetLibraryInfoWrapperPass>(); AU.addRequired<TargetLibraryInfoWrapperPass>();
} }
uint64_t getAllocaSizeInBytes(const AllocaInst &AI) const { uint64_t getAllocaSizeInBytes(const AllocaInst &AI) const {
uint64_t ArraySize = 1; uint64_t ArraySize = 1;
if (AI.isArrayAllocation()) { if (AI.isArrayAllocation()) {
const ConstantInt *CI = dyn_cast<ConstantInt>(AI.getArraySize()); const ConstantInt *CI = dyn_cast<ConstantInt>(AI.getArraySize());
assert(CI && "non-constant array size"); assert(CI && "non-constant array size");
Show All 29 Lines void instrumentUnusualSizeOrAlignment(Instruction *I,
uint32_t Exp); uint32_t Exp);
Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong,
Value *ShadowValue, uint32_t TypeSize); Value *ShadowValue, uint32_t TypeSize);
Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr,
bool IsWrite, size_t AccessSizeIndex, bool IsWrite, size_t AccessSizeIndex,
Value *SizeArgument, uint32_t Exp); Value *SizeArgument, uint32_t Exp);
void instrumentMemIntrinsic(MemIntrinsic *MI); void instrumentMemIntrinsic(MemIntrinsic *MI);
Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); Value *memToShadow(Value *Shadow, IRBuilder<> &IRB);
bool runOnFunction(Function &F) override; bool instrumentModule(Module &M, const TargetLibraryInfo *TLI);
bool runOnModule(Module &M) override;
bool maybeInsertAsanInitAtFunctionEntry(Function &F); bool maybeInsertAsanInitAtFunctionEntry(Function &F);
void maybeInsertDynamicShadowAtFunctionEntry(Function &F); void maybeInsertDynamicShadowAtFunctionEntry(Function &F);
void markEscapedLocalAllocas(Function &F); void markEscapedLocalAllocas(Function &F);
bool doInitialization(Module &M) override;
bool doFinalization(Module &M) override;
DominatorTree &getDominatorTree() const { return *DT; }
private: private:
friend struct FunctionStackPoisoner; friend struct FunctionStackPoisoner;
bool instrumentFunction(Function &F, const TargetLibraryInfo *TLI);
void initializeCallbacks(Module &M); void initializeCallbacks(Module &M);
bool LooksLikeCodeInBug11395(Instruction *I); bool LooksLikeCodeInBug11395(Instruction *I);
bool GlobalIsLinkerInitialized(GlobalVariable *G); bool GlobalIsLinkerInitialized(GlobalVariable *G);
bool isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, Value *Addr, bool isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, Value *Addr,
uint64_t TypeSize) const; uint64_t TypeSize) const;
/// Helper to cleanup per-function state. /// Helper to cleanup per-function state.
Show All 15 Linesprivate:
LLVMContext *C; LLVMContext *C;
Triple TargetTriple; Triple TargetTriple;
int LongSize; int LongSize;
bool CompileKernel; bool CompileKernel;
bool Recover; bool Recover;
bool UseAfterScope; bool UseAfterScope;
Type *IntptrTy; Type *IntptrTy;
ShadowMapping Mapping; ShadowMapping Mapping;
DominatorTree *DT;
Function *AsanHandleNoReturnFunc; Function *AsanHandleNoReturnFunc;
Function *AsanPtrCmpFunction, *AsanPtrSubFunction; Function *AsanPtrCmpFunction, *AsanPtrSubFunction;
Constant *AsanShadowGlobal; Constant *AsanShadowGlobal;
// These arrays is indexed by AccessIsWrite, Experiment and log2(AccessSize). // These arrays is indexed by AccessIsWrite, Experiment and log2(AccessSize).
Function *AsanErrorCallback[2][2][kNumberOfAccessSizes]; Function *AsanErrorCallback[2][2][kNumberOfAccessSizes];
Function *AsanMemoryAccessCallback[2][2][kNumberOfAccessSizes]; Function *AsanMemoryAccessCallback[2][2][kNumberOfAccessSizes];
▲ Show 20 LinesShow All 306 Lines▼ Show 20 Lines if (CallInst *CI = dyn_cast<CallInst>(I)) {
I != ASan.LocalDynamicShadow; I != ASan.LocalDynamicShadow;
HasReturnsTwiceCall |= CI->canReturnTwice(); HasReturnsTwiceCall |= CI->canReturnTwice();
} }
} }
// ---------------------- Helpers. // ---------------------- Helpers.
void initializeCallbacks(Module &M); void initializeCallbacks(Module &M);
bool doesDominateAllExits(const Instruction *I) const {
for (auto Ret : RetVec) {
if (!ASan.getDominatorTree().dominates(I, Ret)) return false;
}
return true;
}
/// Finds alloca where the value comes from. /// Finds alloca where the value comes from.
AllocaInst *findAllocaForValue(Value *V); AllocaInst *findAllocaForValue(Value *V);
// Copies bytes from ShadowBytes into shadow memory for indexes where // Copies bytes from ShadowBytes into shadow memory for indexes where
// ShadowMask is not zero. If ShadowMask[i] is zero, we assume that // ShadowMask is not zero. If ShadowMask[i] is zero, we assume that
// ShadowBytes[i] is constantly zero and doesn't need to be overwritten. // ShadowBytes[i] is constantly zero and doesn't need to be overwritten.
void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes, void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes,
IRBuilder<> &IRB, Value *ShadowBase); IRBuilder<> &IRB, Value *ShadowBase);
Show All 15 Lines
} // end anonymous namespace } // end anonymous namespace
char AddressSanitizer::ID = 0; char AddressSanitizer::ID = 0;
INITIALIZE_PASS_BEGIN( INITIALIZE_PASS_BEGIN(
AddressSanitizer, "asan", AddressSanitizer, "asan",
"AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false, "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,
false) false)
INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass) INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)
INITIALIZE_PASS_END( INITIALIZE_PASS_END(
AddressSanitizer, "asan", AddressSanitizer, "asan",
"AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false, "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,
false) false)
FunctionPass *llvm::createAddressSanitizerFunctionPass(bool CompileKernel, ModulePass *llvm::createAddressSanitizerPass(bool CompileKernel, bool Recover,
bool Recover,
bool UseAfterScope) { bool UseAfterScope) {
assert(!CompileKernel || Recover); assert(!CompileKernel || Recover);
return new AddressSanitizer(CompileKernel, Recover, UseAfterScope); return new AddressSanitizer(CompileKernel, Recover, UseAfterScope);
} }
char AddressSanitizerModule::ID = 0; char AddressSanitizerModule::ID = 0;
INITIALIZE_PASS( INITIALIZE_PASS(
AddressSanitizerModule, "asan-module", AddressSanitizerModule, "asan-module",
▲ Show 20 LinesShow All 1,283 Lines▼ Show 20 Linesvoid AddressSanitizer::initializeCallbacks(Module &M) {
EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
StringRef(""), StringRef(""), StringRef(""), StringRef(""),
/*hasSideEffects=*/true); /*hasSideEffects=*/true);
if (Mapping.InGlobal) if (Mapping.InGlobal)
AsanShadowGlobal = M.getOrInsertGlobal("__asan_shadow", AsanShadowGlobal = M.getOrInsertGlobal("__asan_shadow",
ArrayType::get(IRB.getInt8Ty(), 0)); ArrayType::get(IRB.getInt8Ty(), 0));
} }
// virtual
bool AddressSanitizer::doInitialization(Module &M) {
// Initialize the private fields. No one has accessed them before.
GlobalsMD.init(M);
C = &(M.getContext());
LongSize = M.getDataLayout().getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize);
TargetTriple = Triple(M.getTargetTriple());
Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel);
return true;
}
bool AddressSanitizer::doFinalization(Module &M) {
GlobalsMD.reset();
return false;
}
bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) {
// For each NSObject descendant having a +load method, this method is invoked // For each NSObject descendant having a +load method, this method is invoked
// by the ObjC runtime before any of the static constructors is called. // by the ObjC runtime before any of the static constructors is called.
// Therefore we need to instrument such methods with a call to __asan_init // Therefore we need to instrument such methods with a call to __asan_init
// at the beginning in order to initialize our runtime before any access to // at the beginning in order to initialize our runtime before any access to
// the shadow memory. // the shadow memory.
// We cannot just ignore these methods, because they may call other // We cannot just ignore these methods, because they may call other
// instrumented functions. // instrumented functions.
▲ Show 20 LinesShow All 57 Lines▼ Show 20 Lines if (II && II->getIntrinsicID() == Intrinsic::localescape) {
"non-static alloca arg to localescape"); "non-static alloca arg to localescape");
ProcessedAllocas[AI] = false; ProcessedAllocas[AI] = false;
} }
break; break;
} }
} }
} }
bool AddressSanitizer::runOnFunction(Function &F) { bool AddressSanitizer::runOnModule(Module &M) {
const TargetLibraryInfo *TLI =
&getAnalysis<TargetLibraryInfoWrapperPass>().getTLI();
return instrumentModule(M, TLI);
}
bool AddressSanitizer::instrumentModule(Module &M,
const TargetLibraryInfo *TLI) {
bool Changed = false;
// Initialize the private fields. No one has accessed them before.
GlobalsMD.init(M);
C = &(M.getContext());
LongSize = M.getDataLayout().getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize);
TargetTriple = Triple(M.getTargetTriple());
Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel);
for (Function &F : M)
Changed |= instrumentFunction(F, TLI);
GlobalsMD.reset();
return Changed;
}
bool AddressSanitizer::instrumentFunction(Function &F,
const TargetLibraryInfo *TLI) {
if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false; if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false;
if (!ClDebugFunc.empty() && ClDebugFunc == F.getName()) return false; if (!ClDebugFunc.empty() && ClDebugFunc == F.getName()) return false;
if (F.getName().startswith("__asan_")) return false; if (F.getName().startswith("__asan_")) return false;
bool FunctionModified = false; bool FunctionModified = false;
// If needed, insert __asan_init before checking for SanitizeAddress attr. // If needed, insert __asan_init before checking for SanitizeAddress attr.
// This function needs to be called even if the function body is not // This function needs to be called even if the function body is not
// instrumented. // instrumented.
if (maybeInsertAsanInitAtFunctionEntry(F)) if (maybeInsertAsanInitAtFunctionEntry(F))
FunctionModified = true; FunctionModified = true;
// Leave if the function doesn't need instrumentation. // Leave if the function doesn't need instrumentation.
if (!F.hasFnAttribute(Attribute::SanitizeAddress)) return FunctionModified; if (!F.hasFnAttribute(Attribute::SanitizeAddress)) return FunctionModified;
LLVM_DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); LLVM_DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n");
initializeCallbacks(*F.getParent()); initializeCallbacks(*F.getParent());
DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree();
FunctionStateRAII CleanupObj(this); FunctionStateRAII CleanupObj(this);
maybeInsertDynamicShadowAtFunctionEntry(F); maybeInsertDynamicShadowAtFunctionEntry(F);
// We can't instrument allocas used with llvm.localescape. Only static allocas // We can't instrument allocas used with llvm.localescape. Only static allocas
// can be passed to that intrinsic. // can be passed to that intrinsic.
markEscapedLocalAllocas(F); markEscapedLocalAllocas(F);
// We want to instrument every address only once per basic block (unless there // We want to instrument every address only once per basic block (unless there
// are calls between uses). // are calls between uses).
SmallPtrSet<Value *, 16> TempsToInstrument; SmallPtrSet<Value *, 16> TempsToInstrument;
SmallVector<Instruction *, 16> ToInstrument; SmallVector<Instruction *, 16> ToInstrument;
SmallVector<Instruction *, 8> NoReturnCalls; SmallVector<Instruction *, 8> NoReturnCalls;
SmallVector<BasicBlock *, 16> AllBlocks; SmallVector<BasicBlock *, 16> AllBlocks;
SmallVector<Instruction *, 16> PointerComparisonsOrSubtracts; SmallVector<Instruction *, 16> PointerComparisonsOrSubtracts;
int NumAllocas = 0; int NumAllocas = 0;
bool IsWrite; bool IsWrite;
unsigned Alignment; unsigned Alignment;
uint64_t TypeSize; uint64_t TypeSize;
const TargetLibraryInfo *TLI =
&getAnalysis<TargetLibraryInfoWrapperPass>().getTLI();
// Fill the set of memory operations to instrument. // Fill the set of memory operations to instrument.
for (auto &BB : F) { for (auto &BB : F) {
AllBlocks.push_back(&BB); AllBlocks.push_back(&BB);
TempsToInstrument.clear(); TempsToInstrument.clear();
int NumInsnsPerBB = 0; int NumInsnsPerBB = 0;
for (auto &Inst : BB) { for (auto &Inst : BB) {
if (LooksLikeCodeInBug11395(&Inst)) return false; if (LooksLikeCodeInBug11395(&Inst)) return false;
▲ Show 20 LinesShow All 716 LinesShow Last 20 Lines