This is an archive of the discontinued LLVM Phabricator instance.

Differential D63360

hwasan: Use bits [3..11) of the ring buffer entry address as the base stack tag.
ClosedPublic

Authored by pcc on Jun 14 2019, 1:48 PM.

Details

Reviewers
eugenis
Commits
rGd57f7cc15e22: hwasan: Use bits [3..11) of the ring buffer entry address as the base stack tag.
rL363636: hwasan: Use bits [3..11) of the ring buffer entry address as the base stack tag.
rCRT363636: hwasan: Use bits [3..11) of the ring buffer entry address as the base stack tag.
Summary

This saves roughly 32 bytes of instructions per function with stack objects
and causes us to preserve enough information that we can recover the original
tags of all stack variables.

Now that stack tags are deterministic, we no longer need to pass
-hwasan-generate-tags-with-calls during check-hwasan. This also means that the
new stack tag generation mechanism is exercised by check-hwasan.

Depends on D63119

Diff Detail

Repository
rL LLVM

Event Timeline

pcc created this revision.Jun 14 2019, 1:48 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptJun 14 2019, 1:48 PM
Herald added subscribers: Restricted Project, hiraditya, kubamracek, srhines. · View Herald Transcript
Harbormaster completed remote builds in B33423: Diff 204843.Jun 14 2019, 1:48 PM
eugenis added inline comments.Jun 14 2019, 1:54 PM
llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
1007 ↗(On Diff #204843)

We are losing a lot of entropy by allowing these zero bits in the base tag. Single-alloca functions, for example, will only have 32 different tags.

How about using bits 3 .. 11 ?

pcc updated this revision to Diff 204877.Jun 14 2019, 4:15 PM
pcc marked an inline comment as done.
  • Address review comments
Harbormaster completed remote builds in B33435: Diff 204877.Jun 14 2019, 4:15 PM
pcc added inline comments.Jun 14 2019, 4:19 PM
llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
1007 ↗(On Diff #204843)

Done. Now tag 0 is as likely as any other tag.

To fix the tests that were assuming that they would never get tag 0, I've added a call to a helper function that bumps the base tag to 128 to the tests that would otherwise fail.

pcc retitled this revision from hwasan: Use the lower 8 bits of the ring buffer entry address as the base stack tag. to hwasan: Use bits [3..11) of the ring buffer entry address as the base stack tag..Jun 14 2019, 4:20 PM
pcc edited the summary of this revision. (Show Details)
eugenis added a comment.Jun 14 2019, 5:00 PM

We can make the tags undeterministic again by starting each ring buffer at a random index.

pcc updated this revision to Diff 205130.Jun 17 2019, 11:25 AM
  • Sort FastMasks by increasing probability of collisions
eugenis added inline comments.Jun 17 2019, 2:50 PM
compiler-rt/test/hwasan/TestCases/random-align-right.c
30 ↗(On Diff #205130)

why did you copy this line?

compiler-rt/test/hwasan/TestCases/stack-history-length.c
20 ↗(On Diff #205130)

I don't understand this. How does a single additional call to FUNC help guarantee that property?

pcc marked 2 inline comments as done.Jun 17 2019, 3:07 PM
pcc added inline comments.
compiler-rt/test/hwasan/TestCases/random-align-right.c
30 ↗(On Diff #205130)

Because the additional call to GenerateRandomTag in InitRandomState causes the values that we assign to tail_magic in HwasanAllocatorInit to change in such a way that we catch the second bad access and not the first one. Without copying this line the CHECK?-NEXT lines fail to match because the failure doesn't happen on the line after the first message.

compiler-rt/test/hwasan/TestCases/stack-history-length.c
20 ↗(On Diff #205130)

In the case where there are 2046 calls to FUNC we have:

  • tag 1 for FUNC0
  • tag 2..2047 (mod 256) for FUNC1
  • tag 2048 (mod 256) for OOB (i.e. 0)

Adding the call to FUNC shifts all of the tags by 1 so that OOB gets tag 1.

eugenis added inline comments.Jun 17 2019, 3:15 PM
compiler-rt/test/hwasan/TestCases/random-align-right.c
30 ↗(On Diff #205130)

Wait, so the comment above the loop lies? We are testing for the bug on the first iteration, not an any iteration. Maybe remove -NEXT?

compiler-rt/test/hwasan/TestCases/stack-history-length.c
20 ↗(On Diff #205130)

Could we call OOB twice instead? And weaken the test a bit so that it is ok with result being off by 1 or 2 in any direction?

pcc updated this revision to Diff 205204.Jun 17 2019, 3:47 PM
pcc marked 2 inline comments as done.
  • Address review comments
compiler-rt/test/hwasan/TestCases/random-align-right.c
30 ↗(On Diff #205130)

Yeah, looks like a mistake in the test. The intent here was apparently that we'd let any access fail, but the test actually only lets the first access fail (and because of determinism that is always what happens).

We can't just remove -NEXT because it would prevent the test from determining which access found the bug. So I've rewritten this test a bit so that we can do that.

compiler-rt/test/hwasan/TestCases/stack-history-length.c
20 ↗(On Diff #205130)

Works for me, done.

Harbormaster completed remote builds in B33515: Diff 205204.Jun 17 2019, 3:51 PM
eugenis accepted this revision.Jun 17 2019, 4:06 PM

LGTM

This revision is now accepted and ready to land.Jun 17 2019, 4:06 PM
Closed by commit rL363636: hwasan: Use bits [3..11) of the ring buffer entry address as the base stack tag. (authored by pcc). · Explain WhyJun 17 2019, 4:36 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: delcypher. · View Herald TranscriptJun 17 2019, 4:36 PM

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
hwasan/
5 lines
test/
hwasan/
TestCases/
22 lines
5 lines
2 lines
llvm/
trunk/
lib/
Transforms/
Instrumentation/
50 lines
test/
Instrumentation/
HWAddressSanitizer/
8 lines
7 lines

Diff 205218

compiler-rt/trunk/lib/hwasan/hwasan_thread.cpp

Show All 21 Lines if (UNLIKELY(!GetRandom(reinterpret_cast<void *>(&seed), sizeof(seed),
(reinterpret_cast<uptr>(__builtin_frame_address(0)) >> 4)); (reinterpret_cast<uptr>(__builtin_frame_address(0)) >> 4));
} }
} while (!seed); } while (!seed);
return seed; return seed;
} }
void Thread::InitRandomState() { void Thread::InitRandomState() {
random_state_ = flags()->random_tags ? RandomSeed() : unique_id_; random_state_ = flags()->random_tags ? RandomSeed() : unique_id_;
// Push a random number of zeros onto the ring buffer so that the first stack
// tag base will be random.
for (tag_t i = 0, e = GenerateRandomTag(); i != e; ++i)
stack_allocations_->push(0);
} }
void Thread::Init(uptr stack_buffer_start, uptr stack_buffer_size) { void Thread::Init(uptr stack_buffer_start, uptr stack_buffer_size) {
static u64 unique_id; static u64 unique_id;
unique_id_ = unique_id++; unique_id_ = unique_id++;
if (auto sz = flags()->heap_history_size) if (auto sz = flags()->heap_history_size)
heap_allocations_ = HeapAllocationsRingBuffer::New(sz); heap_allocations_ = HeapAllocationsRingBuffer::New(sz);
▲ Show 20 LinesShow All 85 LinesShow Last 20 Lines

compiler-rt/trunk/test/hwasan/TestCases/random-align-right.c

// Tests malloc_align_right=1 and 8 (randomly aligning right). // Tests malloc_align_right=1 and 8 (randomly aligning right).
// RUN: %clang_hwasan %s -o %t // RUN: %clang_hwasan %s -o %t
// //
// RUN: %run %t // RUN: %run %t 20
// RUN: %env_hwasan_opts=malloc_align_right=1 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK1 // RUN: %run %t 30
// RUN: %env_hwasan_opts=malloc_align_right=8 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK8 // RUN: %env_hwasan_opts=malloc_align_right=1 not %run %t 20 2>&1 | FileCheck %s --check-prefix=CHECK20
// RUN: %env_hwasan_opts=malloc_align_right=1 not %run %t 30 2>&1 | FileCheck %s --check-prefix=CHECK30
// RUN: %env_hwasan_opts=malloc_align_right=8 not %run %t 30 2>&1 | FileCheck %s --check-prefix=CHECK30
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h> #include <stdio.h>
#include <sanitizer/hwasan_interface.h> #include <sanitizer/hwasan_interface.h>
static volatile void *sink; static volatile void *sink;
int main(int argc, char **argv) { int main(int argc, char **argv) {
__hwasan_enable_allocator_tagging(); __hwasan_enable_allocator_tagging();
int index = atoi(argv[1]);
// Perform 1000 buffer overflows within the 16-byte granule, // Perform 1000 buffer overflows within the 16-byte granule,
// so that random right-alignment has a very high chance of // so that random right-alignment has a very high chance of
// catching at least one of them. // catching at least one of them.
for (int i = 0; i < 1000; i++) { for (int i = 0; i < 1000; i++) {
char *p = (char*)malloc(20); char *p = (char*)malloc(20);
sink = p; sink = p;
fprintf(stderr, "[%d] p: %p; accessing p[20]:\n", i, p); p[index] = 0;
p[20 * argc] = 0; // requires malloc_align_right=1 to catch // index=20 requires malloc_align_right=1 to catch
fprintf(stderr, "[%d] p: %p; accessing p[30]:\n", i, p); // CHECK20: HWAddressSanitizer: tag-mismatch
p[30 * argc] = 0; // requires malloc_align_right={1,8} to catch // index=30 requires malloc_align_right={1,8} to catch
// CHECK1: accessing p[20] // CHECK30: HWAddressSanitizer: tag-mismatch
// CHECK1-NEXT: HWAddressSanitizer: tag-mismatch
// CHECK8: accessing p[30]:
// CHECK8-NEXT: HWAddressSanitizer: tag-mismatch
} }
} }

compiler-rt/trunk/test/hwasan/TestCases/stack-history-length.c

// RUN: %clang_hwasan -O1 %s -o %t // RUN: %clang_hwasan -O1 %s -o %t
// RUN: %env_hwasan_opts=stack_history_size=2048 not %run %t 2046 2>&1 | FileCheck %s --check-prefix=YES // RUN: %env_hwasan_opts=stack_history_size=2048 not %run %t 2045 2>&1 | FileCheck %s --check-prefix=YES
// RUN: %env_hwasan_opts=stack_history_size=2048 not %run %t 2047 2>&1 | FileCheck %s --check-prefix=NO // RUN: %env_hwasan_opts=stack_history_size=2048 not %run %t 2047 2>&1 | FileCheck %s --check-prefix=NO
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
#include <stdlib.h> #include <stdlib.h>
void USE(void *x) { // pretend_to_do_something(void *x) void USE(void *x) { // pretend_to_do_something(void *x)
__asm__ __volatile__("" : : "r" (x) : "memory"); __asm__ __volatile__("" : : "r" (x) : "memory");
} }
volatile int four = 4; volatile int four = 4;
__attribute__((noinline)) void FUNC0() { int x[4]; USE(&x[0]); } __attribute__((noinline)) void FUNC0() { int x[4]; USE(&x[0]); }
__attribute__((noinline)) void FUNC() { int x[4]; USE(&x[0]); } __attribute__((noinline)) void FUNC() { int x[4]; USE(&x[0]); }
__attribute__((noinline)) void OOB() { int x[4]; x[four] = 0; USE(&x[0]); } __attribute__((noinline)) void OOB() { int x[4]; x[four] = 0; USE(&x[0]); }
int main(int argc, char **argv) { int main(int argc, char **argv) {
int X = argc == 2 ? atoi(argv[1]) : 10; int X = argc == 2 ? atoi(argv[1]) : 10;
// FUNC0 is X+2's element of the ring buffer. // FUNC0 is X+2's element of the ring buffer.
// If runtime buffer size is less than it, FUNC0 record will be lost. // If runtime buffer size is less than it, FUNC0 record will be lost.
FUNC0(); FUNC0();
for (int i = 0; i < X; ++i) for (int i = 0; i < X; ++i)
FUNC(); FUNC();
// Make at least one call to OOB where base tag != 0 so that the bug is caught
// at least once.
OOB();
OOB(); OOB();
} }
// YES: Previously allocated frames // YES: Previously allocated frames
// YES: OOB // YES: OOB
// YES: FUNC // YES: FUNC
// YES: FUNC0 // YES: FUNC0
// NO: Previously allocated frames // NO: Previously allocated frames
// NO: OOB // NO: OOB
// NO: FUNC // NO: FUNC
// NO-NOT: FUNC0 // NO-NOT: FUNC0

compiler-rt/trunk/test/hwasan/lit.cfg

# -*- Python -*- # -*- Python -*-
import os import os
# Setup config name. # Setup config name.
config.name = 'HWAddressSanitizer' + getattr(config, 'name_suffix', 'default') config.name = 'HWAddressSanitizer' + getattr(config, 'name_suffix', 'default')
# Setup source root. # Setup source root.
config.test_source_root = os.path.dirname(__file__) config.test_source_root = os.path.dirname(__file__)
# Setup default compiler flags used with -fsanitize=memory option. # Setup default compiler flags used with -fsanitize=memory option.
clang_cflags = [config.target_cflags] + config.debug_info_flags clang_cflags = [config.target_cflags] + config.debug_info_flags
clang_cxxflags = config.cxx_mode_flags + clang_cflags clang_cxxflags = config.cxx_mode_flags + clang_cflags
clang_hwasan_cflags = ["-fsanitize=hwaddress", "-mllvm", "-hwasan-generate-tags-with-calls"] + clang_cflags clang_hwasan_cflags = ["-fsanitize=hwaddress"] + clang_cflags
clang_hwasan_cxxflags = config.cxx_mode_flags + clang_hwasan_cflags clang_hwasan_cxxflags = config.cxx_mode_flags + clang_hwasan_cflags
def build_invocation(compile_flags): def build_invocation(compile_flags):
return " " + " ".join([config.clang] + compile_flags) + " " return " " + " ".join([config.clang] + compile_flags) + " "
config.substitutions.append( ("%clangxx ", build_invocation(clang_cxxflags)) ) config.substitutions.append( ("%clangxx ", build_invocation(clang_cxxflags)) )
config.substitutions.append( ("%clang_hwasan ", build_invocation(clang_hwasan_cflags)) ) config.substitutions.append( ("%clang_hwasan ", build_invocation(clang_hwasan_cflags)) )
config.substitutions.append( ("%clangxx_hwasan ", build_invocation(clang_hwasan_cxxflags)) ) config.substitutions.append( ("%clangxx_hwasan ", build_invocation(clang_hwasan_cxxflags)) )
Show All 14 Lines

llvm/trunk/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp

Show First 20 LinesShow All 212 Lines▼ Show 20 Linespublic:
bool instrumentLandingPads(SmallVectorImpl<Instruction *> &RetVec); bool instrumentLandingPads(SmallVectorImpl<Instruction *> &RetVec);
Value *getNextTagWithCall(IRBuilder<> &IRB); Value *getNextTagWithCall(IRBuilder<> &IRB);
Value *getStackBaseTag(IRBuilder<> &IRB); Value *getStackBaseTag(IRBuilder<> &IRB);
Value *getAllocaTag(IRBuilder<> &IRB, Value *StackTag, AllocaInst *AI, Value *getAllocaTag(IRBuilder<> &IRB, Value *StackTag, AllocaInst *AI,
unsigned AllocaNo); unsigned AllocaNo);
Value *getUARTag(IRBuilder<> &IRB, Value *StackTag); Value *getUARTag(IRBuilder<> &IRB, Value *StackTag);
Value *getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty); Value *getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty);
Value *emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord); void emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord);
private: private:
LLVMContext *C; LLVMContext *C;
std::string CurModuleUniqueId; std::string CurModuleUniqueId;
Triple TargetTriple; Triple TargetTriple;
FunctionCallee HWAsanMemmove, HWAsanMemcpy, HWAsanMemset; FunctionCallee HWAsanMemmove, HWAsanMemcpy, HWAsanMemset;
FunctionCallee HWAsanHandleVfork; FunctionCallee HWAsanHandleVfork;
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Linesprivate:
FunctionCallee HwasanTagMemoryFunc; FunctionCallee HwasanTagMemoryFunc;
FunctionCallee HwasanGenerateTagFunc; FunctionCallee HwasanGenerateTagFunc;
FunctionCallee HwasanThreadEnterFunc; FunctionCallee HwasanThreadEnterFunc;
Constant *ShadowGlobal; Constant *ShadowGlobal;
Value *LocalDynamicShadow = nullptr; Value *LocalDynamicShadow = nullptr;
Value *StackBaseTag = nullptr;
GlobalValue *ThreadPtrGlobal = nullptr; GlobalValue *ThreadPtrGlobal = nullptr;
}; };
class HWAddressSanitizerLegacyPass : public FunctionPass { class HWAddressSanitizerLegacyPass : public FunctionPass {
public: public:
// Pass identification, replacement for typeid. // Pass identification, replacement for typeid.
static char ID; static char ID;
▲ Show 20 LinesShow All 450 Lines▼ Show 20 Linesbool HWAddressSanitizer::tagAlloca(IRBuilder<> &IRB, AllocaInst *AI,
return true; return true;
} }
static unsigned RetagMask(unsigned AllocaNo) { static unsigned RetagMask(unsigned AllocaNo) {
// A list of 8-bit numbers that have at most one run of non-zero bits. // A list of 8-bit numbers that have at most one run of non-zero bits.
// x = x ^ (mask << 56) can be encoded as a single armv8 instruction for these // x = x ^ (mask << 56) can be encoded as a single armv8 instruction for these
// masks. // masks.
// The list does not include the value 255, which is used for UAR. // The list does not include the value 255, which is used for UAR.
static unsigned FastMasks[] = { //
0, 1, 2, 3, 4, 6, 7, 8, 12, 14, 15, 16, 24, // Because we are more likely to use earlier elements of this list than later
28, 30, 31, 32, 48, 56, 60, 62, 63, 64, 96, 112, 120, // ones, it is sorted in increasing order of probability of collision with a
124, 126, 127, 128, 192, 224, 240, 248, 252, 254}; // mask allocated (temporally) nearby. The program that generated this list
// can be found at:
// https://github.com/google/sanitizers/blob/master/hwaddress-sanitizer/sort_masks.py
static unsigned FastMasks[] = {0, 128, 64, 192, 32, 96, 224, 112, 240,
48, 16, 120, 248, 56, 24, 8, 124, 252,
60, 28, 12, 4, 126, 254, 62, 30, 14,
6, 2, 127, 63, 31, 15, 7, 3, 1};
return FastMasks[AllocaNo % (sizeof(FastMasks) / sizeof(FastMasks[0]))]; return FastMasks[AllocaNo % (sizeof(FastMasks) / sizeof(FastMasks[0]))];
} }
Value *HWAddressSanitizer::getNextTagWithCall(IRBuilder<> &IRB) { Value *HWAddressSanitizer::getNextTagWithCall(IRBuilder<> &IRB) {
return IRB.CreateZExt(IRB.CreateCall(HwasanGenerateTagFunc), IntptrTy); return IRB.CreateZExt(IRB.CreateCall(HwasanGenerateTagFunc), IntptrTy);
} }
Value *HWAddressSanitizer::getStackBaseTag(IRBuilder<> &IRB) { Value *HWAddressSanitizer::getStackBaseTag(IRBuilder<> &IRB) {
if (ClGenerateTagsWithCalls) if (ClGenerateTagsWithCalls)
return getNextTagWithCall(IRB); return getNextTagWithCall(IRB);
if (StackBaseTag)
return StackBaseTag;
// FIXME: use addressofreturnaddress (but implement it in aarch64 backend // FIXME: use addressofreturnaddress (but implement it in aarch64 backend
// first). // first).
Module *M = IRB.GetInsertBlock()->getParent()->getParent(); Module *M = IRB.GetInsertBlock()->getParent()->getParent();
auto GetStackPointerFn = auto GetStackPointerFn =
Intrinsic::getDeclaration(M, Intrinsic::frameaddress); Intrinsic::getDeclaration(M, Intrinsic::frameaddress);
Value *StackPointer = IRB.CreateCall( Value *StackPointer = IRB.CreateCall(
GetStackPointerFn, {Constant::getNullValue(IRB.getInt32Ty())}); GetStackPointerFn, {Constant::getNullValue(IRB.getInt32Ty())});
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Linesvoid HWAddressSanitizer::createFrameGlobal(Function &F,
GV->setSection(getFrameSection()); GV->setSection(getFrameSection());
appendToCompilerUsed(M, GV); appendToCompilerUsed(M, GV);
// Put GV into the F's Comadat so that if F is deleted GV can be deleted too. // Put GV into the F's Comadat so that if F is deleted GV can be deleted too.
if (auto Comdat = if (auto Comdat =
GetOrCreateFunctionComdat(F, TargetTriple, CurModuleUniqueId)) GetOrCreateFunctionComdat(F, TargetTriple, CurModuleUniqueId))
GV->setComdat(Comdat); GV->setComdat(Comdat);
} }
Value *HWAddressSanitizer::emitPrologue(IRBuilder<> &IRB, void HWAddressSanitizer::emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord) {
bool WithFrameRecord) { if (!Mapping.InTls) {
if (!Mapping.InTls) LocalDynamicShadow = getDynamicShadowNonTls(IRB);
return getDynamicShadowNonTls(IRB); return;
}
if (!WithFrameRecord && TargetTriple.isAndroid()) if (!WithFrameRecord && TargetTriple.isAndroid()) {
return getDynamicShadowIfunc(IRB); LocalDynamicShadow = getDynamicShadowIfunc(IRB);
return;
}
Value *SlotPtr = getHwasanThreadSlotPtr(IRB, IntptrTy); Value *SlotPtr = getHwasanThreadSlotPtr(IRB, IntptrTy);
assert(SlotPtr); assert(SlotPtr);
Instruction *ThreadLong = IRB.CreateLoad(IntptrTy, SlotPtr); Instruction *ThreadLong = IRB.CreateLoad(IntptrTy, SlotPtr);
Function *F = IRB.GetInsertBlock()->getParent(); Function *F = IRB.GetInsertBlock()->getParent();
if (F->getFnAttribute("hwasan-abi").getValueAsString() == "interceptor") { if (F->getFnAttribute("hwasan-abi").getValueAsString() == "interceptor") {
Show All 16 Lines if (F->getFnAttribute("hwasan-abi").getValueAsString() == "interceptor") {
ThreadLong = ThreadLongPhi; ThreadLong = ThreadLongPhi;
} }
// Extract the address field from ThreadLong. Unnecessary on AArch64 with TBI. // Extract the address field from ThreadLong. Unnecessary on AArch64 with TBI.
Value *ThreadLongMaybeUntagged = Value *ThreadLongMaybeUntagged =
TargetTriple.isAArch64() ? ThreadLong : untagPointer(IRB, ThreadLong); TargetTriple.isAArch64() ? ThreadLong : untagPointer(IRB, ThreadLong);
if (WithFrameRecord) { if (WithFrameRecord) {
StackBaseTag = IRB.CreateAShr(ThreadLong, 3);
// Prepare ring buffer data. // Prepare ring buffer data.
auto PC = IRB.CreatePtrToInt(F, IntptrTy); auto PC = IRB.CreatePtrToInt(F, IntptrTy);
auto GetStackPointerFn = auto GetStackPointerFn =
Intrinsic::getDeclaration(F->getParent(), Intrinsic::frameaddress); Intrinsic::getDeclaration(F->getParent(), Intrinsic::frameaddress);
Value *SP = IRB.CreatePtrToInt( Value *SP = IRB.CreatePtrToInt(
IRB.CreateCall(GetStackPointerFn, IRB.CreateCall(GetStackPointerFn,
{Constant::getNullValue(IRB.getInt32Ty())}), {Constant::getNullValue(IRB.getInt32Ty())}),
IntptrTy); IntptrTy);
// Mix SP and PC. TODO: also add the tag to the mix. // Mix SP and PC.
// Assumptions: // Assumptions:
// PC is 0x0000PPPPPPPPPPPP (48 bits are meaningful, others are zero) // PC is 0x0000PPPPPPPPPPPP (48 bits are meaningful, others are zero)
// SP is 0xsssssssssssSSSS0 (4 lower bits are zero) // SP is 0xsssssssssssSSSS0 (4 lower bits are zero)
// We only really need ~20 lower non-zero bits (SSSS), so we mix like this: // We only really need ~20 lower non-zero bits (SSSS), so we mix like this:
// 0xSSSSPPPPPPPPPPPP // 0xSSSSPPPPPPPPPPPP
SP = IRB.CreateShl(SP, 44); SP = IRB.CreateShl(SP, 44);
// Store data to ring buffer. // Store data to ring buffer.
Show All 14 Lines if (WithFrameRecord) {
Value *ThreadLongNew = IRB.CreateAnd( Value *ThreadLongNew = IRB.CreateAnd(
IRB.CreateAdd(ThreadLong, ConstantInt::get(IntptrTy, 8)), WrapMask); IRB.CreateAdd(ThreadLong, ConstantInt::get(IntptrTy, 8)), WrapMask);
IRB.CreateStore(ThreadLongNew, SlotPtr); IRB.CreateStore(ThreadLongNew, SlotPtr);
} }
// Get shadow base address by aligning RecordPtr up. // Get shadow base address by aligning RecordPtr up.
// Note: this is not correct if the pointer is already aligned. // Note: this is not correct if the pointer is already aligned.
// Runtime library will make sure this never happens. // Runtime library will make sure this never happens.
Value *ShadowBase = IRB.CreateAdd( LocalDynamicShadow = IRB.CreateAdd(
IRB.CreateOr( IRB.CreateOr(
ThreadLongMaybeUntagged, ThreadLongMaybeUntagged,
ConstantInt::get(IntptrTy, (1ULL << kShadowBaseAlignment) - 1)), ConstantInt::get(IntptrTy, (1ULL << kShadowBaseAlignment) - 1)),
ConstantInt::get(IntptrTy, 1), "hwasan.shadow"); ConstantInt::get(IntptrTy, 1), "hwasan.shadow");
ShadowBase = IRB.CreateIntToPtr(ShadowBase, Int8PtrTy); LocalDynamicShadow = IRB.CreateIntToPtr(LocalDynamicShadow, Int8PtrTy);
return ShadowBase;
} }
bool HWAddressSanitizer::instrumentLandingPads( bool HWAddressSanitizer::instrumentLandingPads(
SmallVectorImpl<Instruction *> &LandingPadVec) { SmallVectorImpl<Instruction *> &LandingPadVec) {
Module *M = LandingPadVec[0]->getModule(); Module *M = LandingPadVec[0]->getModule();
Function *ReadRegister = Function *ReadRegister =
Intrinsic::getDeclaration(M, Intrinsic::read_register, IntptrTy); Intrinsic::getDeclaration(M, Intrinsic::read_register, IntptrTy);
const char *RegName = const char *RegName =
▲ Show 20 LinesShow All 133 Lines▼ Show 20 Linesbool HWAddressSanitizer::sanitizeFunction(Function &F) {
if (ClCreateFrameDescriptions && !AllocasToInstrument.empty()) if (ClCreateFrameDescriptions && !AllocasToInstrument.empty())
createFrameGlobal(F, createFrameString(AllocasToInstrument)); createFrameGlobal(F, createFrameString(AllocasToInstrument));
assert(!LocalDynamicShadow); assert(!LocalDynamicShadow);
Instruction *InsertPt = &*F.getEntryBlock().begin(); Instruction *InsertPt = &*F.getEntryBlock().begin();
IRBuilder<> EntryIRB(InsertPt); IRBuilder<> EntryIRB(InsertPt);
LocalDynamicShadow = emitPrologue(EntryIRB, emitPrologue(EntryIRB,
/*WithFrameRecord*/ ClRecordStackHistory && /*WithFrameRecord*/ ClRecordStackHistory &&
!AllocasToInstrument.empty()); !AllocasToInstrument.empty());
bool Changed = false; bool Changed = false;
if (!AllocasToInstrument.empty()) { if (!AllocasToInstrument.empty()) {
Value *StackTag = Value *StackTag =
ClGenerateTagsWithCalls ? nullptr : getStackBaseTag(EntryIRB); ClGenerateTagsWithCalls ? nullptr : getStackBaseTag(EntryIRB);
Changed |= instrumentStack(AllocasToInstrument, AllocaDeclareMap, RetVec, Changed |= instrumentStack(AllocasToInstrument, AllocaDeclareMap, RetVec,
StackTag); StackTag);
} }
Show All 12 Lines for (auto II = EntryIRB.GetInsertBlock()->begin(),
I->moveBefore(InsertPt); I->moveBefore(InsertPt);
} }
} }
for (auto Inst : ToInstrument) for (auto Inst : ToInstrument)
Changed |= instrumentMemAccess(Inst); Changed |= instrumentMemAccess(Inst);
LocalDynamicShadow = nullptr; LocalDynamicShadow = nullptr;
StackBaseTag = nullptr;
return Changed; return Changed;
} }
void HWAddressSanitizer::ShadowMapping::init(Triple &TargetTriple) { void HWAddressSanitizer::ShadowMapping::init(Triple &TargetTriple) {
Scale = kDefaultShadowScale; Scale = kDefaultShadowScale;
if (ClMappingOffset.getNumOccurrences() > 0) { if (ClMappingOffset.getNumOccurrences() > 0) {
InGlobal = false; InGlobal = false;
Show All 20 Lines

llvm/trunk/test/Instrumentation/HWAddressSanitizer/dbg-declare-tag-offset.ll

; RUN: opt -hwasan -S -o - %s | FileCheck %s ; RUN: opt -hwasan -S -o - %s | FileCheck %s
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128" target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64--linux-android" target triple = "aarch64--linux-android"
declare void @g(i8**, i8**, i8**, i8**, i8**, i8**) declare void @g(i8**, i8**, i8**, i8**, i8**, i8**)
define void @f() sanitize_hwaddress !dbg !6 { define void @f() sanitize_hwaddress !dbg !6 {
entry: entry:
%nodebug0 = alloca i8* %nodebug0 = alloca i8*
%nodebug1 = alloca i8* %nodebug1 = alloca i8*
%nodebug2 = alloca i8* %nodebug2 = alloca i8*
%nodebug3 = alloca i8* %nodebug3 = alloca i8*
%a = alloca i8* %a = alloca i8*
%b = alloca i8* %b = alloca i8*
; CHECK: @llvm.dbg.declare{{.*}} !DIExpression(DW_OP_LLVM_tag_offset, 4) ; CHECK: @llvm.dbg.declare{{.*}} !DIExpression(DW_OP_LLVM_tag_offset, 32)
call void @llvm.dbg.declare(metadata i8** %a, metadata !12, metadata !DIExpression()), !dbg !14 call void @llvm.dbg.declare(metadata i8** %a, metadata !12, metadata !DIExpression()), !dbg !14
; CHECK: @llvm.dbg.declare{{.*}} !DIExpression(DW_OP_LLVM_tag_offset, 4) ; CHECK: @llvm.dbg.declare{{.*}} !DIExpression(DW_OP_LLVM_tag_offset, 32)
call void @llvm.dbg.declare(metadata i8** %a, metadata !12, metadata !DIExpression()), !dbg !14 call void @llvm.dbg.declare(metadata i8** %a, metadata !12, metadata !DIExpression()), !dbg !14
; CHECK: @llvm.dbg.declare{{.*}} !DIExpression(DW_OP_LLVM_tag_offset, 6) ; CHECK: @llvm.dbg.declare{{.*}} !DIExpression(DW_OP_LLVM_tag_offset, 96)
call void @llvm.dbg.declare(metadata i8** %b, metadata !13, metadata !DIExpression()), !dbg !14 call void @llvm.dbg.declare(metadata i8** %b, metadata !13, metadata !DIExpression()), !dbg !14
; CHECK: @llvm.dbg.declare{{.*}} !DIExpression(DW_OP_LLVM_tag_offset, 6) ; CHECK: @llvm.dbg.declare{{.*}} !DIExpression(DW_OP_LLVM_tag_offset, 96)
call void @llvm.dbg.declare(metadata i8** %b, metadata !13, metadata !DIExpression()), !dbg !14 call void @llvm.dbg.declare(metadata i8** %b, metadata !13, metadata !DIExpression()), !dbg !14
call void @g(i8** %nodebug0, i8** %nodebug1, i8** %nodebug2, i8** %nodebug3, i8** %a, i8** %b) call void @g(i8** %nodebug0, i8** %nodebug1, i8** %nodebug2, i8** %nodebug3, i8** %a, i8** %b)
ret void, !dbg !15 ret void, !dbg !15
} }
declare void @llvm.dbg.declare(metadata, metadata, metadata) declare void @llvm.dbg.declare(metadata, metadata, metadata)
!llvm.dbg.cu = !{!0} !llvm.dbg.cu = !{!0}
Show All 20 Lines

llvm/trunk/test/Instrumentation/HWAddressSanitizer/prologue.ll

Show First 20 LinesShow All 50 Lines▼ Show 20 Lines
; CHECK-IFUNC: getelementptr i8, i8* %[[A]] ; CHECK-IFUNC: getelementptr i8, i8* %[[A]]
; CHECK-GLOBAL: load i8*, i8** @__hwasan_shadow_memory_dynamic_address ; CHECK-GLOBAL: load i8*, i8** @__hwasan_shadow_memory_dynamic_address
; CHECK-TLS: %[[A:[^ ]*]] = call i8* @llvm.thread.pointer() ; CHECK-TLS: %[[A:[^ ]*]] = call i8* @llvm.thread.pointer()
; CHECK-TLS: %[[B:[^ ]*]] = getelementptr i8, i8* %[[A]], i32 48 ; CHECK-TLS: %[[B:[^ ]*]] = getelementptr i8, i8* %[[A]], i32 48
; CHECK-TLS: %[[C:[^ ]*]] = bitcast i8* %[[B]] to i64* ; CHECK-TLS: %[[C:[^ ]*]] = bitcast i8* %[[B]] to i64*
; CHECK-TLS: %[[D:[^ ]*]] = load i64, i64* %[[C]] ; CHECK-TLS: %[[D:[^ ]*]] = load i64, i64* %[[C]]
; CHECK-TLS: %[[E:[^ ]*]] = ashr i64 %[[D]], 3
; CHECK-NOHISTORY-NOT: store i64 ; CHECK-NOHISTORY-NOT: store i64
; CHECK-HISTORY: %[[PTR:[^ ]*]] = inttoptr i64 %[[D]] to i64* ; CHECK-HISTORY: %[[PTR:[^ ]*]] = inttoptr i64 %[[D]] to i64*
; CHECK-HISTORY: store i64 %{{.*}}, i64* %[[PTR]] ; CHECK-HISTORY: store i64 %{{.*}}, i64* %[[PTR]]
; CHECK-HISTORY: %[[D1:[^ ]*]] = ashr i64 %[[D]], 56 ; CHECK-HISTORY: %[[D1:[^ ]*]] = ashr i64 %[[D]], 56
; CHECK-HISTORY: %[[D2:[^ ]*]] = shl nuw nsw i64 %[[D1]], 12 ; CHECK-HISTORY: %[[D2:[^ ]*]] = shl nuw nsw i64 %[[D1]], 12
; CHECK-HISTORY: %[[D3:[^ ]*]] = xor i64 %[[D2]], -1 ; CHECK-HISTORY: %[[D3:[^ ]*]] = xor i64 %[[D2]], -1
; CHECK-HISTORY: %[[D4:[^ ]*]] = add i64 %[[D]], 8 ; CHECK-HISTORY: %[[D4:[^ ]*]] = add i64 %[[D]], 8
; CHECK-HISTORY: %[[D5:[^ ]*]] = and i64 %[[D4]], %[[D3]] ; CHECK-HISTORY: %[[D5:[^ ]*]] = and i64 %[[D4]], %[[D3]]
; CHECK-HISTORY: store i64 %[[D5]], i64* %[[C]] ; CHECK-HISTORY: store i64 %[[D5]], i64* %[[C]]
; CHECK-TLS: %[[E:[^ ]*]] = or i64 %[[D]], 4294967295 ; CHECK-TLS: %[[F:[^ ]*]] = or i64 %[[D]], 4294967295
; CHECK-TLS: = add i64 %[[E]], 1 ; CHECK-TLS: = add i64 %[[F]], 1
; CHECK-HISTORY: = xor i64 %[[E]], 0
; CHECK-NOHISTORY-NOT: store i64 ; CHECK-NOHISTORY-NOT: store i64
entry: entry:
%x = alloca i32, align 4 %x = alloca i32, align 4
call void @use(i32* %x) call void @use(i32* %x)
ret void ret void
} }