This is an archive of the discontinued LLVM Phabricator instance.

Asan use-after-scope: don't poison allocas if there were untraced lifetime intrinsics in the function (PR41481)
ClosedPublic

Authored by hans on Apr 15 2019, 4:40 AM.

Download Raw Diff

Details

Reviewers

kcc
eugenis
vitalybuka

Commits

rG6ae05777b8c3: Asan use-after-scope: don't poison allocas if there were untraced lifetime…
rL358478: Asan use-after-scope: don't poison allocas if there were untraced lifetime…

Summary

If there are any intrinsics that cannot be traced back to an alloca, we might have missed the start of a variable's scope, leading to false error reports if the variable is poisoned at function entry. Instead, if there are some intrinsics that can't be traced, fail safe and don't poison the variables in that function.

Diff Detail

Event Timeline

hans created this revision.Apr 15 2019, 4:40 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 15 2019, 4:40 AM

Herald added a subscriber: hiraditya. · View Herald Transcript

nick added a subscriber: nick.Apr 15 2019, 8:03 AM

LGTM
Consider extending the test with another alloca which does not participate in any untraceable lifetimes, but has to be poisoned in entry block anyway.

llvm/test/Instrumentation/AddressSanitizer/stack-poisoning-and-lifetime.ll
223	did you mean "should poison"?

This revision is now accepted and ready to land.Apr 15 2019, 1:39 PM

vitalybuka added inline comments.Apr 15 2019, 2:56 PM

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
922	How often does this happen? If often then maybe we should try to limit only that to allocas involved into such conflicts?

In D60686#1467406, @eugenis wrote:

LGTM
Consider extending the test with another alloca which does not participate in any untraceable lifetimes, but has to be poisoned in entry block anyway.

But if there are untraceable lifetimes, we don't know what allocas might potentially be involved. At least not as the code currently works, where it doesn't trace selects and phis with different values.

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
922	I think it's very rare, but it happens. We didn't run into it in any Chromium tests, but one test in V8 did. I think just bailing out for such functions is okay.
llvm/test/Instrumentation/AddressSanitizer/stack-poisoning-and-lifetime.ll
223	No, I mean shouldn't poison. Since we don't know the lifetimes we can't poison it. Or am I missing something?

Closed by commit rL358478: Asan use-after-scope: don't poison allocas if there were untraced lifetime… (authored by hans). · Explain WhyApr 16 2019, 12:53 AM

This revision was automatically updated to reflect the committed changes.

eugenis added inline comments.Apr 16 2019, 5:27 PM

llvm/test/Instrumentation/AddressSanitizer/stack-poisoning-and-lifetime.ll
223	Well, we shouldn't poison them at lifetime intrinsic. We should poison them at function entry (and only there).

eugenis added inline comments.Apr 16 2019, 5:28 PM

llvm/test/Instrumentation/AddressSanitizer/stack-poisoning-and-lifetime.ll
223	Ah, I get what you mean. We should not poison alloca contents, only their redzones.

Revision Contents

Path

Size

llvm/

lib/

Transforms/

Instrumentation/

AddressSanitizer.cpp

15 lines

test/

Instrumentation/

AddressSanitizer/

stack-poisoning-and-lifetime.ll

36 lines

Diff 195133

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 Lines • Show All 878 Lines • ▼ Show 20 Lines	struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
struct AllocaPoisonCall {		struct AllocaPoisonCall {
IntrinsicInst *InsBefore;		IntrinsicInst *InsBefore;
AllocaInst *AI;		AllocaInst *AI;
uint64_t Size;		uint64_t Size;
bool DoPoison;		bool DoPoison;
};		};
SmallVector<AllocaPoisonCall, 8> DynamicAllocaPoisonCallVec;		SmallVector<AllocaPoisonCall, 8> DynamicAllocaPoisonCallVec;
SmallVector<AllocaPoisonCall, 8> StaticAllocaPoisonCallVec;		SmallVector<AllocaPoisonCall, 8> StaticAllocaPoisonCallVec;
		bool HasUntracedLifetimeIntrinsic = false;

SmallVector<AllocaInst *, 1> DynamicAllocaVec;		SmallVector<AllocaInst *, 1> DynamicAllocaVec;
SmallVector<IntrinsicInst *, 1> StackRestoreVec;		SmallVector<IntrinsicInst *, 1> StackRestoreVec;
AllocaInst *DynamicAllocaLayout = nullptr;		AllocaInst *DynamicAllocaLayout = nullptr;
IntrinsicInst *LocalEscapeCall = nullptr;		IntrinsicInst *LocalEscapeCall = nullptr;

// Maps Value to an AllocaInst from which the Value is originated.		// Maps Value to an AllocaInst from which the Value is originated.
using AllocaForValueMapTy = DenseMap<Value , AllocaInst >;		using AllocaForValueMapTy = DenseMap<Value , AllocaInst >;
Show All 18 Lines	bool runOnFunction() {

// Collect alloca, ret, lifetime instructions etc.		// Collect alloca, ret, lifetime instructions etc.
for (BasicBlock BB : depth_first(&F.getEntryBlock())) visit(BB);		for (BasicBlock BB : depth_first(&F.getEntryBlock())) visit(BB);

if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;		if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;

initializeCallbacks(*F.getParent());		initializeCallbacks(*F.getParent());

		if (HasUntracedLifetimeIntrinsic) {
		vitalybukaUnsubmitted Not Done Reply Inline Actions How often does this happen? If often then maybe we should try to limit only that to allocas involved into such conflicts? vitalybuka: How often does this happen? If often then maybe we should try to limit only that to allocas…
		hansAuthorUnsubmitted Done Reply Inline Actions I think it's very rare, but it happens. We didn't run into it in any Chromium tests, but one test in V8 did. I think just bailing out for such functions is okay. hans: I think it's very rare, but it happens. We didn't run into it in any Chromium tests, but one…
		// If there are lifetime intrinsics which couldn't be traced back to an
		// alloca, we may not know exactly when a variable enters scope, and
		// therefore should "fail safe" by not poisoning them.
		StaticAllocaPoisonCallVec.clear();
		DynamicAllocaPoisonCallVec.clear();
		}

processDynamicAllocas();		processDynamicAllocas();
processStaticAllocas();		processStaticAllocas();

if (ClDebugStack) {		if (ClDebugStack) {
LLVM_DEBUG(dbgs() << F);		LLVM_DEBUG(dbgs() << F);
}		}
return true;		return true;
}		}
▲ Show 20 Lines • Show All 105 Lines • ▼ Show 20 Lines	void visitIntrinsicInst(IntrinsicInst &II) {
// Check that size doesn't saturate uint64_t and can		// Check that size doesn't saturate uint64_t and can
// be stored in IntptrTy.		// be stored in IntptrTy.
const uint64_t SizeValue = Size->getValue().getLimitedValue();		const uint64_t SizeValue = Size->getValue().getLimitedValue();
if (SizeValue == ~0ULL \|\|		if (SizeValue == ~0ULL \|\|
!ConstantInt::isValueValidForType(IntptrTy, SizeValue))		!ConstantInt::isValueValidForType(IntptrTy, SizeValue))
return;		return;
// Find alloca instruction that corresponds to llvm.lifetime argument.		// Find alloca instruction that corresponds to llvm.lifetime argument.
AllocaInst *AI = findAllocaForValue(II.getArgOperand(1));		AllocaInst *AI = findAllocaForValue(II.getArgOperand(1));
if (!AI \|\| !ASan.isInterestingAlloca(*AI))		if (!AI) {
		HasUntracedLifetimeIntrinsic = true;
		return;
		}
		if (!ASan.isInterestingAlloca(*AI))
return;		return;
bool DoPoison = (ID == Intrinsic::lifetime_end);		bool DoPoison = (ID == Intrinsic::lifetime_end);
AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison};		AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison};
if (AI->isStaticAlloca())		if (AI->isStaticAlloca())
StaticAllocaPoisonCallVec.push_back(APC);		StaticAllocaPoisonCallVec.push_back(APC);
else if (ClInstrumentDynamicAllocas)		else if (ClInstrumentDynamicAllocas)
DynamicAllocaPoisonCallVec.push_back(APC);		DynamicAllocaPoisonCallVec.push_back(APC);
}		}
▲ Show 20 Lines • Show All 2,293 Lines • Show Last 20 Lines

llvm/test/Instrumentation/AddressSanitizer/stack-poisoning-and-lifetime.ll

Show First 20 Lines • Show All 203 Lines • ▼ Show 20 Lines	entry:

; CHECK-NOT: add i64 [[SHADOW_BASE]]		; CHECK-NOT: add i64 [[SHADOW_BASE]]

ret void		ret void
; CHECK: {{^[0-9]+}}:		; CHECK: {{^[0-9]+}}:
; CHECK: ret void		; CHECK: ret void
}		}

		declare void @foo(i32*)
		define void @PR41481(i1 %b) sanitize_address {
		; CHECK-LABEL: @PR41481
		entry:
		%p1 = alloca i32
		%p2 = alloca i32
		%q1 = bitcast i32* %p1 to i8*
		%q2 = bitcast i32* %p2 to i8*
		br label %bb1

		; Since we cannot account for all lifetime intrinsics in this function, we
		; might have missed a lifetime.start one and therefore shouldn't poison the
		eugenisUnsubmitted Not Done Reply Inline Actions did you mean "should poison"? eugenis: did you mean "should poison"?
		hansAuthorUnsubmitted Done Reply Inline Actions No, I mean shouldn't poison. Since we don't know the lifetimes we can't poison it. Or am I missing something? hans: No, I mean shouldn't poison. Since we don't know the lifetimes we can't poison it. Or am I…
		eugenisUnsubmitted Not Done Reply Inline Actions Well, we shouldn't poison them at lifetime intrinsic. We should poison them at function entry (and only there). eugenis: Well, we shouldn't poison them at lifetime intrinsic. We should poison them at function entry…
		eugenisUnsubmitted Not Done Reply Inline Actions Ah, I get what you mean. We should not poison alloca contents, only their redzones. eugenis: Ah, I get what you mean. We should not poison alloca contents, only their redzones.
		; allocas at function entry.
		; ENTRY: store i64 -935356719533264399
		; ENTRY-UAS: store i64 -935356719533264399

		bb1:
		%p = select i1 %b, i32* %p1, i32* %p2
		%q = select i1 %b, i8* %q1, i8* %q2
		call void @llvm.lifetime.start.p0i8(i64 4, i8* %q)
		call void @foo(i32* %p)
		br i1 %b, label %bb2, label %bb3

		bb2:
		call void @llvm.lifetime.end.p0i8(i64 4, i8* %q1)
		br label %end

		bb3:
		call void @llvm.lifetime.end.p0i8(i64 4, i8* %q2)
		br label %end

		end:
		ret void
		}


declare void @llvm.lifetime.start.p0i8(i64, i8* nocapture)		declare void @llvm.lifetime.start.p0i8(i64, i8* nocapture)
declare void @llvm.lifetime.end.p0i8(i64, i8* nocapture)		declare void @llvm.lifetime.end.p0i8(i64, i8* nocapture)

; CHECK-ON: declare void @__asan_set_shadow_00(i64, i64)		; CHECK-ON: declare void @__asan_set_shadow_00(i64, i64)
; CHECK-ON: declare void @__asan_set_shadow_f1(i64, i64)		; CHECK-ON: declare void @__asan_set_shadow_f1(i64, i64)
; CHECK-ON: declare void @__asan_set_shadow_f2(i64, i64)		; CHECK-ON: declare void @__asan_set_shadow_f2(i64, i64)
; CHECK-ON: declare void @__asan_set_shadow_f3(i64, i64)		; CHECK-ON: declare void @__asan_set_shadow_f3(i64, i64)
; CHECK-ON: declare void @__asan_set_shadow_f5(i64, i64)		; CHECK-ON: declare void @__asan_set_shadow_f5(i64, i64)
; CHECK-ON: declare void @__asan_set_shadow_f8(i64, i64)		; CHECK-ON: declare void @__asan_set_shadow_f8(i64, i64)

; CHECK-OFF-NOT: declare void @__asan_set_shadow_		; CHECK-OFF-NOT: declare void @__asan_set_shadow_