This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/Transforms/Instrumentation/
-
Transforms/
-
Instrumentation/
2
AddressSanitizer.cpp
-
projects/compiler-rt/test/asan/TestCases/Darwin/
-
compiler-rt/
-
test/
-
asan/
-
TestCases/
-
Darwin/
-
objc-odr.mm

Differential D6488

[compiler-rt] Don't instrument globals from __objc_classname
ClosedPublic

Authored by kubamracek on Dec 2 2014, 3:30 PM.

Download Raw Diff

Details

Reviewers

glider
samsonov
majnemer

Summary

Fixes https://code.google.com/p/address-sanitizer/issues/detail?id=360 – Using Obj-C blocks triggers a false-positive ODR violation

The change in r221451 (http://llvm.org/viewvc/llvm-project?view=revision&revision=221451) caused Obj-C related global constants to be instrumented, but the linker rearranges the sections, so the redzones break. We already added a check to skip objc_methname section from being instrumented because of this, see r221480 (http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Transforms/Instrumentation/AddressSanitizer.cpp?view=diff&r1=221479&r2=221480&pathrev=221480). The same issue still exists for class names in objc_classname, this patch skips the __objc_classname section from being instrumented, as well.

Diff Detail

Event Timeline

kubamracek updated this revision to Diff 16834.Dec 2 2014, 3:30 PM

kubamracek retitled this revision from to [compiler-rt] Don't instrument globals from __objc_classname.

kubamracek updated this object.

kubamracek edited the test plan for this revision. (Show Details)

kubamracek added reviewers: samsonov, glider.

kubamracek added subscribers: Unknown Object (MLST), samsonov, glider and 2 others.

LGTM, but let's see if glider@ has anything to add.

This revision is now accepted and ready to land.Dec 2 2014, 5:32 PM

Can you just generalize ShouldInstrumentGlobal() to return false for all cstring_literals sections? The linker is always going to coalesce sections of that type.

Changing the patch to disable instrumentation of all cstring_literals sections.

majnemer added a subscriber: majnemer.Dec 2 2014, 6:42 PM

majnemer added inline comments.

lib/Transforms/Instrumentation/AddressSanitizer.cpp
1047	This is not reliable, it could end with ", cstring_literals". Can you please use `MCSectionMachO::ParseSectionSpecifier` to parse the section string instead?

Modified the patch to use MCSectionMachO::ParseSectionSpecifier to correctly parse the section name, segment name and attributes.

I had to modify a couple of function prototypes to pass the llvm::Triple in order to avoid creating the Triple object for each global. Not sure if there's an easier way.

LGTM

lib/Transforms/Instrumentation/AddressSanitizer.cpp
1271–1272	How about making TargetTriple a class member?

Why does ShouldInstrumentGlobal need a triple argument? GlobalVariable has a getParent method which will return the Module.

Making TargetTriple a class member.

In D6488#17, @majnemer wrote:

Why does ShouldInstrumentGlobal need a triple argument? GlobalVariable has a getParent method which will return the Module.

Because Module only stores the triple as a string, and I wanted to avoid parsing the string for every single global.

Could someone comment on issues raised in GCC Bugzilla about related bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63888 ?

Is it okay to commit this patch?

I'm cool with it and @glider and @samsonov seem to be as well.

Landed in r223513 and r223514.

Revision Contents

Path

Size

lib/

Transforms/

Instrumentation/

AddressSanitizer.cpp

82 lines

projects/

compiler-rt/

test/

asan/

TestCases/

Darwin/

objc-odr.mm

23 lines

Diff 16870

lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show All 31 Lines
#include "llvm/IR/IRBuilder.h"		#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h"		#include "llvm/IR/InlineAsm.h"
#include "llvm/IR/InstVisitor.h"		#include "llvm/IR/InstVisitor.h"
#include "llvm/IR/IntrinsicInst.h"		#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/LLVMContext.h"		#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/MDBuilder.h"		#include "llvm/IR/MDBuilder.h"
#include "llvm/IR/Module.h"		#include "llvm/IR/Module.h"
#include "llvm/IR/Type.h"		#include "llvm/IR/Type.h"
		#include "llvm/MC/MCSectionMachO.h"
#include "llvm/Support/CommandLine.h"		#include "llvm/Support/CommandLine.h"
#include "llvm/Support/DataTypes.h"		#include "llvm/Support/DataTypes.h"
#include "llvm/Support/Debug.h"		#include "llvm/Support/Debug.h"
#include "llvm/Support/Endian.h"		#include "llvm/Support/Endian.h"
#include "llvm/Support/SwapByteOrder.h"		#include "llvm/Support/SwapByteOrder.h"
#include "llvm/Transforms/Scalar.h"		#include "llvm/Transforms/Scalar.h"
#include "llvm/Transforms/Utils/ASanStackFrameLayout.h"		#include "llvm/Transforms/Utils/ASanStackFrameLayout.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"		#include "llvm/Transforms/Utils/BasicBlockUtils.h"
▲ Show 20 Lines • Show All 235 Lines • ▼ Show 20 Lines
/// This struct defines the shadow mapping using the rule:		/// This struct defines the shadow mapping using the rule:
/// shadow = (mem >> Scale) ADD-or-OR Offset.		/// shadow = (mem >> Scale) ADD-or-OR Offset.
struct ShadowMapping {		struct ShadowMapping {
int Scale;		int Scale;
uint64_t Offset;		uint64_t Offset;
bool OrShadowOffset;		bool OrShadowOffset;
};		};

static ShadowMapping getShadowMapping(const Module &M, int LongSize) {		static ShadowMapping getShadowMapping(Triple &TargetTriple, int LongSize) {
llvm::Triple TargetTriple(M.getTargetTriple());
bool IsAndroid = TargetTriple.getEnvironment() == llvm::Triple::Android;		bool IsAndroid = TargetTriple.getEnvironment() == llvm::Triple::Android;
bool IsIOS = TargetTriple.isiOS();		bool IsIOS = TargetTriple.isiOS();
bool IsFreeBSD = TargetTriple.isOSFreeBSD();		bool IsFreeBSD = TargetTriple.isOSFreeBSD();
bool IsLinux = TargetTriple.isOSLinux();		bool IsLinux = TargetTriple.isOSLinux();
bool IsPPC64 = TargetTriple.getArch() == llvm::Triple::ppc64 \|\|		bool IsPPC64 = TargetTriple.getArch() == llvm::Triple::ppc64 \|\|
TargetTriple.getArch() == llvm::Triple::ppc64le;		TargetTriple.getArch() == llvm::Triple::ppc64le;
bool IsX86_64 = TargetTriple.getArch() == llvm::Triple::x86_64;		bool IsX86_64 = TargetTriple.getArch() == llvm::Triple::x86_64;
bool IsMIPS32 = TargetTriple.getArch() == llvm::Triple::mips \|\|		bool IsMIPS32 = TargetTriple.getArch() == llvm::Triple::mips \|\|
▲ Show 20 Lines • Show All 79 Lines • ▼ Show 20 Lines
private:		private:
void initializeCallbacks(Module &M);		void initializeCallbacks(Module &M);

bool LooksLikeCodeInBug11395(Instruction *I);		bool LooksLikeCodeInBug11395(Instruction *I);
bool GlobalIsLinkerInitialized(GlobalVariable *G);		bool GlobalIsLinkerInitialized(GlobalVariable *G);

LLVMContext *C;		LLVMContext *C;
const DataLayout *DL;		const DataLayout *DL;
		Triple TargetTriple;
int LongSize;		int LongSize;
Type *IntptrTy;		Type *IntptrTy;
ShadowMapping Mapping;		ShadowMapping Mapping;
DominatorTree *DT;		DominatorTree *DT;
Function *AsanCtorFunction;		Function *AsanCtorFunction;
Function *AsanInitFunction;		Function *AsanInitFunction;
Function *AsanHandleNoReturnFunc;		Function *AsanHandleNoReturnFunc;
Function AsanPtrCmpFunction, AsanPtrSubFunction;		Function AsanPtrCmpFunction, AsanPtrSubFunction;
Show All 29 Lines	private:
size_t MinRedzoneSizeForGlobal() const {		size_t MinRedzoneSizeForGlobal() const {
return RedzoneSizeForScale(Mapping.Scale);		return RedzoneSizeForScale(Mapping.Scale);
}		}

GlobalsMetadata GlobalsMD;		GlobalsMetadata GlobalsMD;
Type *IntptrTy;		Type *IntptrTy;
LLVMContext *C;		LLVMContext *C;
const DataLayout *DL;		const DataLayout *DL;
		Triple TargetTriple;
ShadowMapping Mapping;		ShadowMapping Mapping;
Function *AsanPoisonGlobals;		Function *AsanPoisonGlobals;
Function *AsanUnpoisonGlobals;		Function *AsanUnpoisonGlobals;
Function *AsanRegisterGlobals;		Function *AsanRegisterGlobals;
Function *AsanUnregisterGlobals;		Function *AsanUnregisterGlobals;
};		};

// Stack poisoning does not play well with exception handling.		// Stack poisoning does not play well with exception handling.
▲ Show 20 Lines • Show All 596 Lines • ▼ Show 20 Lines	bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) {
// - Need to poison all copies, not just the main thread's one.		// - Need to poison all copies, not just the main thread's one.
if (G->isThreadLocal())		if (G->isThreadLocal())
return false;		return false;
// For now, just ignore this Global if the alignment is large.		// For now, just ignore this Global if the alignment is large.
if (G->getAlignment() > MinRedzoneSizeForGlobal()) return false;		if (G->getAlignment() > MinRedzoneSizeForGlobal()) return false;

if (G->hasSection()) {		if (G->hasSection()) {
StringRef Section(G->getSection());		StringRef Section(G->getSection());

		majnemerUnsubmitted Not Done Reply Inline Actions This is not reliable, it could end with ", cstring_literals". Can you please use `MCSectionMachO::ParseSectionSpecifier` to parse the section string instead? majnemer: This is not reliable, it could end with ", cstring_literals". Can you please use…
		if (TargetTriple.isOSBinFormatMachO()) {
		StringRef ParsedSegment, ParsedSection;
		unsigned TAA = 0, StubSize = 0;
		bool TAAParsed;
		std::string ErrorCode =
		MCSectionMachO::ParseSectionSpecifier(Section, ParsedSegment,
		ParsedSection, TAA, TAAParsed,
		StubSize);
		if (!ErrorCode.empty()) {
		report_fatal_error("Invalid section specifier '" + ParsedSection +
		"': " + ErrorCode + ".");
		}

// Ignore the globals from the __OBJC section. The ObjC runtime assumes		// Ignore the globals from the __OBJC section. The ObjC runtime assumes
// those conform to /usr/lib/objc/runtime.h, so we can't add redzones to		// those conform to /usr/lib/objc/runtime.h, so we can't add redzones to
// them.		// them.
if (Section.startswith("__OBJC,") \|\|		if (ParsedSegment == "__OBJC" \|\|
Section.startswith("__DATA, __objc_")) {		(ParsedSegment == "__DATA" && ParsedSection.startswith("__objc_"))) {
DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G << "\n");		DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G << "\n");
return false;		return false;
}		}
// See http://code.google.com/p/address-sanitizer/issues/detail?id=32		// See http://code.google.com/p/address-sanitizer/issues/detail?id=32
// Constant CFString instances are compiled in the following way:		// Constant CFString instances are compiled in the following way:
// -- the string buffer is emitted into		// -- the string buffer is emitted into
// __TEXT,__cstring,cstring_literals		// __TEXT,__cstring,cstring_literals
// -- the constant NSConstantString structure referencing that buffer		// -- the constant NSConstantString structure referencing that buffer
// is placed into __DATA,__cfstring		// is placed into __DATA,__cfstring
// Therefore there's no point in placing redzones into __DATA,__cfstring.		// Therefore there's no point in placing redzones into __DATA,__cfstring.
// Moreover, it causes the linker to crash on OS X 10.7		// Moreover, it causes the linker to crash on OS X 10.7
if (Section.startswith("__DATA,__cfstring")) {		if (ParsedSegment == "__DATA" && ParsedSection == "__cfstring") {
DEBUG(dbgs() << "Ignoring CFString: " << *G << "\n");		DEBUG(dbgs() << "Ignoring CFString: " << *G << "\n");
return false;		return false;
}		}
// The linker merges the contents of cstring_literals and removes the		// The linker merges the contents of cstring_literals and removes the
// trailing zeroes.		// trailing zeroes.
if (Section.startswith("__TEXT,__cstring,cstring_literals")) {		if (ParsedSegment == "__TEXT" && (TAA & MachO::S_CSTRING_LITERALS)) {
DEBUG(dbgs() << "Ignoring a cstring literal: " << *G << "\n");		DEBUG(dbgs() << "Ignoring a cstring literal: " << *G << "\n");
return false;		return false;
}		}
if (Section.startswith("__TEXT,__objc_methname,cstring_literals")) {
DEBUG(dbgs() << "Ignoring objc_methname cstring global: " << *G << "\n");
return false;
}		}


// Callbacks put into the CRT initializer/terminator sections		// Callbacks put into the CRT initializer/terminator sections
// should not be instrumented.		// should not be instrumented.
// See https://code.google.com/p/address-sanitizer/issues/detail?id=305		// See https://code.google.com/p/address-sanitizer/issues/detail?id=305
// and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx		// and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx
if (Section.startswith(".CRT")) {		if (Section.startswith(".CRT")) {
DEBUG(dbgs() << "Ignoring a global initializer callback: " << *G << "\n");		DEBUG(dbgs() << "Ignoring a global initializer callback: " << *G << "\n");
return false;		return false;
}		}
▲ Show 20 Lines • Show All 166 Lines • ▼ Show 20 Lines
bool AddressSanitizerModule::runOnModule(Module &M) {		bool AddressSanitizerModule::runOnModule(Module &M) {
DataLayoutPass *DLP = getAnalysisIfAvailable<DataLayoutPass>();		DataLayoutPass *DLP = getAnalysisIfAvailable<DataLayoutPass>();
if (!DLP)		if (!DLP)
return false;		return false;
DL = &DLP->getDataLayout();		DL = &DLP->getDataLayout();
C = &(M.getContext());		C = &(M.getContext());
int LongSize = DL->getPointerSizeInBits();		int LongSize = DL->getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize);		IntptrTy = Type::getIntNTy(*C, LongSize);
Mapping = getShadowMapping(M, LongSize);		TargetTriple = Triple(M.getTargetTriple());
		Mapping = getShadowMapping(TargetTriple, LongSize);
		gliderUnsubmitted Not Done Reply Inline Actions How about making TargetTriple a class member? glider: How about making TargetTriple a class member?
initializeCallbacks(M);		initializeCallbacks(M);

bool Changed = false;		bool Changed = false;

Function *CtorFunc = M.getFunction(kAsanModuleCtorName);		Function *CtorFunc = M.getFunction(kAsanModuleCtorName);
assert(CtorFunc);		assert(CtorFunc);
IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator());		IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator());

▲ Show 20 Lines • Show All 65 Lines • ▼ Show 20 Lines	if (!DLP)
report_fatal_error("data layout missing");		report_fatal_error("data layout missing");
DL = &DLP->getDataLayout();		DL = &DLP->getDataLayout();

GlobalsMD.init(M);		GlobalsMD.init(M);

C = &(M.getContext());		C = &(M.getContext());
LongSize = DL->getPointerSizeInBits();		LongSize = DL->getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize);		IntptrTy = Type::getIntNTy(*C, LongSize);
		TargetTriple = Triple(M.getTargetTriple());

AsanCtorFunction = Function::Create(		AsanCtorFunction = Function::Create(
FunctionType::get(Type::getVoidTy(*C), false),		FunctionType::get(Type::getVoidTy(*C), false),
GlobalValue::InternalLinkage, kAsanModuleCtorName, &M);		GlobalValue::InternalLinkage, kAsanModuleCtorName, &M);
BasicBlock AsanCtorBB = BasicBlock::Create(C, "", AsanCtorFunction);		BasicBlock AsanCtorBB = BasicBlock::Create(C, "", AsanCtorFunction);
// call __asan_init in the module ctor.		// call __asan_init in the module ctor.
IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB));		IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB));
AsanInitFunction = checkInterfaceFunction(		AsanInitFunction = checkInterfaceFunction(
M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), nullptr));		M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), nullptr));
AsanInitFunction->setLinkage(Function::ExternalLinkage);		AsanInitFunction->setLinkage(Function::ExternalLinkage);
IRB.CreateCall(AsanInitFunction);		IRB.CreateCall(AsanInitFunction);

Mapping = getShadowMapping(M, LongSize);		Mapping = getShadowMapping(TargetTriple, LongSize);

appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndDtorPriority);		appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndDtorPriority);
return true;		return true;
}		}

bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) {		bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) {
// For each NSObject descendant having a +load method, this method is invoked		// For each NSObject descendant having a +load method, this method is invoked
// by the ObjC runtime before any of the static constructors is called.		// by the ObjC runtime before any of the static constructors is called.
▲ Show 20 Lines • Show All 581 Lines • Show Last 20 Lines

projects/compiler-rt/test/asan/TestCases/Darwin/objc-odr.mm

				// Regression test for
				// https://code.google.com/p/address-sanitizer/issues/detail?id=360.

				// RUN: %clang_asan %s -o %t -framework Foundation
				// RUN: %run %t 2>&1 \| FileCheck %s

				#import <Foundation/Foundation.h>

				void f() {
				int y = 7;
				dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0), ^{
				dispatch_sync(dispatch_get_main_queue(), ^{
				printf("num = %d\n", y);
				});
				});
				}

				int main() {
				NSLog(@"Hello world");
				}

				// CHECK-NOT: AddressSanitizer: odr-violation
				// CHECK: Hello world