This is an archive of the discontinued LLVM Phabricator instance.

Differential D59220

[asan] Add options -asan-detect-invalid-pointer-cmp and -asan-detect-invalid-pointer-sub options.
ClosedPublic

Authored by pgousseau on Mar 11 2019, 10:07 AM.

Details

Reviewers
rsmith
filcab
kcc
riccibruno
wristow
probinson
gbedwell
morehouse
Commits
rGa833c2bd3e8b: [asan] Add options -asan-detect-invalid-pointer-cmp and -asan-detect-invalid…
rL357157: [asan] Add options -asan-detect-invalid-pointer-cmp and -asan-detect-invalid…
Summary

This is in preparation to a driver patch to add gcc 8's -fsanitize=pointer-compare and -fsanitize=pointer-subtract.
Disabled by default as this is still an experimental feature.
This is the llvm side of https://reviews.llvm.org/D59221

Diff Detail

Repository
rL LLVM

Event Timeline

pgousseau created this revision.Mar 11 2019, 10:07 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 11 2019, 10:07 AM
Herald added subscribers: llvm-commits, jdoerfert. · View Herald Transcript
pgousseau edited the summary of this revision. (Show Details)Mar 11 2019, 10:13 AM
pgousseau added a reviewer: gbedwell.
kcc added a reviewer: morehouse.Mar 11 2019, 5:59 PM
ormris added a subscriber: ormris.Mar 12 2019, 9:59 AM
pgousseau added a comment.Mar 26 2019, 5:06 AM

Ping!

ormris removed a subscriber: ormris.Mar 26 2019, 9:20 AM
morehouse added inline comments.Mar 26 2019, 9:36 AM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
575 ↗(On Diff #190117)

These parameter lists are getting too long. Do we need to store the options or can we just check ClInvalidPointer* instead? Or, can we use an options struct?

test/Instrumentation/AddressSanitizer/asan-detect-invalid-pointer-pair.ll
2 ↗(On Diff #190117)

I think we can do --check-prefixes=CMP,NOSUB.

12 ↗(On Diff #190117)

Do we also need to add --check-prefix=ALL?

vitalybuka added a subscriber: vitalybuka.Mar 26 2019, 2:59 PM

What is exactly going to be checked by -fsanitize=pointer-compare and -fsanitize=pointer-subtract?
Why this needs to be done in AddressSanitizer?
Is this going just checheck that pointers are from the same allocation?

pgousseau updated this revision to Diff 192445.Mar 27 2019, 8:09 AM

Use backend option directly rather than introducing new parameters.
Add missing ALL check to test.

pgousseau marked 4 inline comments as done.Mar 27 2019, 8:10 AM
pgousseau added inline comments.
lib/Transforms/Instrumentation/AddressSanitizer.cpp
575 ↗(On Diff #190117)

Yes the parameter are not necessary, I have removed them thanks!

pgousseau marked an inline comment as done.Mar 27 2019, 8:11 AM
In D59220#1443749, @vitalybuka wrote:

What is exactly going to be checked by -fsanitize=pointer-compare and -fsanitize=pointer-subtract?
Why this needs to be done in AddressSanitizer?
Is this going just checheck that pointers are from the same allocation?

-fsanitize=pointer-compare and -fsanitize=pointer-subtract instrument comparison operation (<, <=, >, >=) and '-' operation with pointer operands.
It relies on AddressSanitizer to check the origin of the allocation. gcc also requires -fsanitize=address for -fsanitize=pointer-compare and -fsanitize=pointer-subtract, so I think it is expected to depend on Asan? Thanks!

morehouse accepted this revision.Mar 27 2019, 10:19 AM
morehouse added inline comments.
test/Instrumentation/AddressSanitizer/asan-detect-invalid-pointer-pair.ll
2 ↗(On Diff #190117)

Well now we can just do --check-prefixes=CMP,NOSUB,ALL

This revision is now accepted and ready to land.Mar 27 2019, 10:19 AM
pgousseau marked 2 inline comments as done.Mar 28 2019, 3:51 AM
pgousseau added inline comments.
test/Instrumentation/AddressSanitizer/asan-detect-invalid-pointer-pair.ll
2 ↗(On Diff #190117)

Done thanks!

Closed by commit rL357157: [asan] Add options -asan-detect-invalid-pointer-cmp and -asan-detect-invalid… (authored by pgousseau). · Explain WhyMar 28 2019, 3:52 AM
This revision was automatically updated to reflect the committed changes.
pgousseau marked an inline comment as done.

Revision Contents

PathSize
llvm/
trunk/
lib/
Transforms/
Instrumentation/
37 lines
test/
Instrumentation/
AddressSanitizer/
33 lines

Diff 192600

llvm/trunk/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 269 Lines▼ Show 20 Linesstatic cl::opt<bool> ClInitializers("asan-initialization-order",
cl::desc("Handle C++ initializer order"), cl::desc("Handle C++ initializer order"),
cl::Hidden, cl::init(true)); cl::Hidden, cl::init(true));
static cl::opt<bool> ClInvalidPointerPairs( static cl::opt<bool> ClInvalidPointerPairs(
"asan-detect-invalid-pointer-pair", "asan-detect-invalid-pointer-pair",
cl::desc("Instrument <, <=, >, >=, - with pointer operands"), cl::Hidden, cl::desc("Instrument <, <=, >, >=, - with pointer operands"), cl::Hidden,
cl::init(false)); cl::init(false));
static cl::opt<bool> ClInvalidPointerCmp(
"asan-detect-invalid-pointer-cmp",
cl::desc("Instrument <, <=, >, >= with pointer operands"), cl::Hidden,
cl::init(false));
static cl::opt<bool> ClInvalidPointerSub(
"asan-detect-invalid-pointer-sub",
cl::desc("Instrument - operations with pointer operands"), cl::Hidden,
cl::init(false));
static cl::opt<unsigned> ClRealignStack( static cl::opt<unsigned> ClRealignStack(
"asan-realign-stack", "asan-realign-stack",
cl::desc("Realign stack to the value of this flag (power of two)"), cl::desc("Realign stack to the value of this flag (power of two)"),
cl::Hidden, cl::init(32)); cl::Hidden, cl::init(32));
static cl::opt<int> ClInstrumentationWithCallsThreshold( static cl::opt<int> ClInstrumentationWithCallsThreshold(
"asan-instrumentation-with-call-threshold", "asan-instrumentation-with-call-threshold",
cl::desc( cl::desc(
▲ Show 20 LinesShow All 1,117 Lines▼ Show 20 Lines
static bool isPointerOperand(Value *V) { static bool isPointerOperand(Value *V) {
return V->getType()->isPointerTy() || isa<PtrToIntInst>(V); return V->getType()->isPointerTy() || isa<PtrToIntInst>(V);
} }
// This is a rough heuristic; it may cause both false positives and // This is a rough heuristic; it may cause both false positives and
// false negatives. The proper implementation requires cooperation with // false negatives. The proper implementation requires cooperation with
// the frontend. // the frontend.
static bool isInterestingPointerComparisonOrSubtraction(Instruction *I) { static bool isInterestingPointerComparison(Instruction *I) {
if (ICmpInst *Cmp = dyn_cast<ICmpInst>(I)) { if (ICmpInst *Cmp = dyn_cast<ICmpInst>(I)) {
if (!Cmp->isRelational()) return false; if (!Cmp->isRelational())
} else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(I)) { return false;
if (BO->getOpcode() != Instruction::Sub) return false; } else {
return false;
}
return isPointerOperand(I->getOperand(0)) &&
isPointerOperand(I->getOperand(1));
}
// This is a rough heuristic; it may cause both false positives and
// false negatives. The proper implementation requires cooperation with
// the frontend.
static bool isInterestingPointerSubtraction(Instruction *I) {
if (BinaryOperator *BO = dyn_cast<BinaryOperator>(I)) {
if (BO->getOpcode() != Instruction::Sub)
return false;
} else { } else {
return false; return false;
} }
return isPointerOperand(I->getOperand(0)) && return isPointerOperand(I->getOperand(0)) &&
isPointerOperand(I->getOperand(1)); isPointerOperand(I->getOperand(1));
} }
bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) { bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) {
▲ Show 20 LinesShow All 1,190 Lines▼ Show 20 Lines for (auto &Inst : BB) {
if (MaybeMask) { if (MaybeMask) {
if (TempsToInstrument.count(Addr)) if (TempsToInstrument.count(Addr))
continue; // We've seen this (whole) temp in the current BB. continue; // We've seen this (whole) temp in the current BB.
} else { } else {
if (!TempsToInstrument.insert(Addr).second) if (!TempsToInstrument.insert(Addr).second)
continue; // We've seen this temp in the current BB. continue; // We've seen this temp in the current BB.
} }
} }
} else if (ClInvalidPointerPairs && } else if (((ClInvalidPointerPairs || ClInvalidPointerCmp) &&
isInterestingPointerComparisonOrSubtraction(&Inst)) { isInterestingPointerComparison(&Inst)) ||
((ClInvalidPointerPairs || ClInvalidPointerSub) &&
isInterestingPointerSubtraction(&Inst))) {
PointerComparisonsOrSubtracts.push_back(&Inst); PointerComparisonsOrSubtracts.push_back(&Inst);
continue; continue;
} else if (isa<MemIntrinsic>(Inst)) { } else if (isa<MemIntrinsic>(Inst)) {
// ok, take it. // ok, take it.
} else { } else {
if (isa<AllocaInst>(Inst)) NumAllocas++; if (isa<AllocaInst>(Inst)) NumAllocas++;
CallSite CS(&Inst); CallSite CS(&Inst);
if (CS) { if (CS) {
▲ Show 20 LinesShow All 687 LinesShow Last 20 Lines

llvm/trunk/test/Instrumentation/AddressSanitizer/asan-detect-invalid-pointer-pair.ll

; RUN: opt < %s -asan -asan-detect-invalid-pointer-cmp -S \
; RUN: | FileCheck %s --check-prefixes=CMP,NOSUB,ALL
; RUN: opt < %s -asan -asan-detect-invalid-pointer-sub -S \
; RUN: | FileCheck %s --check-prefixes=SUB,NOCMP,ALL
; RUN: opt < %s -asan -asan-detect-invalid-pointer-pair -S \
; RUN: | FileCheck %s --check-prefixes=CMP,SUB,ALL
; Support instrumentation of invalid pointer pair detection.
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
define i32 @mycmp(i8* %p, i8* %q) sanitize_address {
; ALL-LABEL: @mycmp
; NOCMP-NOT: call void @__sanitizer_ptr_cmp
; CMP: [[P:%[0-9A-Za-z]+]] = ptrtoint i8* %p to i64
; CMP: [[Q:%[0-9A-Za-z]+]] = ptrtoint i8* %q to i64
%x = icmp ule i8* %p, %q
; CMP: call void @__sanitizer_ptr_cmp(i64 [[P]], i64 [[Q]])
%y = zext i1 %x to i32
ret i32 %y
}
define i32 @mysub(i8* %p, i8* %q) sanitize_address {
; ALL-LABEL: @mysub
; NOSUB-NOT: call void @__sanitizer_ptr_sub
; SUB: [[P:%[0-9A-Za-z]+]] = ptrtoint i8* %p to i64
; SUB: [[Q:%[0-9A-Za-z]+]] = ptrtoint i8* %q to i64
%x = ptrtoint i8* %p to i64
%y = ptrtoint i8* %q to i64
%z = sub i64 %x, %y
; SUB: call void @__sanitizer_ptr_sub(i64 [[P]], i64 [[Q]])
%w = trunc i64 %z to i32
ret i32 %w
}