This is an archive of the discontinued LLVM Phabricator instance.

Differential D68469

[AArch64] Ensure no tagged memory is left in the unallocated portion of the stack
ClosedPublic

Authored by chill on Oct 4 2019, 9:01 AM.

Details

Reviewers
eugenis
vitalybuka
ostannard
Commits
rGd037a5f06538: [AArch64] Ensure no tagged memory is left in the unallocated portion of the…
rL374182: [AArch64] Ensure no tagged memory is left in the unallocated portion of the
Summary

The memtag sanitizer may fail to clear the memory tags before a function exits.
This issue was originally noticed when running the libcxx testsuite in memtag configuration. A slightly
reduced testcase is attached (it's not very small but small enough to work with):

ex.cc5 KBDownload
.
In the patch, the test case
llvm/test/CodeGen/AArch64/stack-tagging-ex-1.ll is a hand-written one that has basically the same structure.
The test case llvm/test/CodeGen/AArch64/stack-tagging-ex-2.ll is another reproducer, see the comment at the top for the
equivalent C++ source.

This patch makes sure that if we tag some memory, we untag that memory before the function returns/throws via any
exit, reachable from the tag operation. For that we place the untag operation either at:
a) the lifetime end call for the alloca, if that call post-dominates the lifetime start call (where the tag operation is placed), or it (the lifetime end call) dominates all reachable exits, otherwise
b) at the reachable exits

Diff Detail

Event Timeline

chill created this revision.Oct 4 2019, 9:01 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 4 2019, 9:01 AM
Herald added subscribers: llvm-commits, hiraditya, kristof.beyls. · View Herald Transcript
chill edited the summary of this revision. (Show Details)Oct 4 2019, 9:02 AM
chill added a parent revision: D68468: [AArch64] Do not untag before returning via a `resume` instruction.
chill added reviewers: eugenis, vitalybuka, ostannard.Oct 4 2019, 9:09 AM
eugenis added inline comments.Oct 4 2019, 1:47 PM
llvm/lib/Target/AArch64/AArch64StackTagging.cpp
587

Now we compute domtree and postdomtree for all functions, even at -O0, even when building without memory tagging. Is it OK?

This can get resolved by switching to the new pass manager in the backend. Do you know if there are any plans to do so?

592

If we definitely have DT, then just pass it unconditionally.

626

Variable names start with an uppercase letter.

http://llvm.org/docs/CodingStandards.html#name-types-functions-variables-and-enumerators-properly

chill added a comment.Oct 6 2019, 5:40 AM

Just noticed patches lack context. Will upload a new version.

Regarding (post-)dominance analysis, indeed, we shouldn't run them at -O0. I'll look into how to go about requiring them only at -Os, -Oz, -O2, and -O3.

chill updated this revision to Diff 223626.Oct 7 2019, 10:35 AM
chill edited the summary of this revision. (Show Details)

Updated to not require dominance/post-dominance unconditionally. Removed dependency on the parent patch and will place untag
operations in front of resume, for now.

chill removed a parent revision: D68468: [AArch64] Do not untag before returning via a `resume` instruction.Oct 7 2019, 10:35 AM
chill marked 3 inline comments as done.
eugenis added a comment.Oct 7 2019, 3:20 PM

LGTM modulo the postDominates comment.

llvm/lib/Target/AArch64/AArch64StackTagging.cpp
501

I'm worried about the case when A and B in the same basic block, but in a opposite order - i.e. one lifetime ends when control enters the basic block, and a new one starts before it exits. I've never seen it happen in practice, but it seems to be valid IR.

I think you need to iterate over instructions here, same as DominatorTree::dominates does.

chill updated this revision to Diff 223821.Oct 8 2019, 4:06 AM
chill marked an inline comment as done.
eugenis accepted this revision.Oct 8 2019, 4:46 PM

Everything looks great, thanks!

llvm/lib/Target/AArch64/AArch64StackTagging.cpp
511

Remove this line, it's unreachable.

This revision is now accepted and ready to land.Oct 8 2019, 4:46 PM
Closed by commit rGd037a5f06538: [AArch64] Ensure no tagged memory is left in the unallocated portion of the… (authored by chill). · Explain WhyOct 9 2019, 9:31 AM
This revision was automatically updated to reflect the committed changes.
chill marked an inline comment as done.Oct 9 2019, 9:33 AM
eugenis mentioned this in D105141: [MTE] Remove redundant helper function..Jun 29 2021, 2:50 PM

Revision Contents

PathSize
llvm/
lib/
Target/
AArch64/
64 lines
test/
CodeGen/
AArch64/
2 lines
1 line
68 lines
183 lines
82 lines

Diff 223230

llvm/lib/Target/AArch64/AArch64StackTagging.cpp

Context not available.
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/Analysis/CFG.h"
#include "llvm/Analysis/LoopInfo.h" #include "llvm/Analysis/LoopInfo.h"
#include "llvm/Analysis/ScalarEvolution.h" #include "llvm/Analysis/ScalarEvolution.h"
#include "llvm/Analysis/ScalarEvolutionExpressions.h" #include "llvm/Analysis/ScalarEvolutionExpressions.h"
Context not available.
AU.setPreservesCFG(); AU.setPreservesCFG();
if (MergeInit) if (MergeInit)
AU.addRequired<AAResultsWrapperPass>(); AU.addRequired<AAResultsWrapperPass>();
AU.addRequired<DominatorTreeWrapperPass>();
AU.addRequired<PostDominatorTreeWrapperPass>();
AU.addPreserved<DominatorTreeWrapperPass>();
AU.addPreserved<PostDominatorTreeWrapperPass>();
} }
}; };
Context not available.
Info.AI = NewAI; Info.AI = NewAI;
} }
// Helper function to check for post-dominance.
static bool postDominates(const PostDominatorTree &PDT, const IntrinsicInst *A,
const IntrinsicInst *B) {
eugenisUnsubmitted
Done
ReplyInline Actions

I'm worried about the case when A and B in the same basic block, but in a opposite order - i.e. one lifetime ends when control enters the basic block, and a new one starts before it exits. I've never seen it happen in practice, but it seems to be valid IR.

I think you need to iterate over instructions here, same as DominatorTree::dominates does.

eugenis: I'm worried about the case when A and B in the same basic block, but in a opposite order - i.e.
const BasicBlock *ABB = A->getParent();
const BasicBlock *BBB = B->getParent();
return ABB == BBB || PDT.dominates(ABB, BBB);
}
// FIXME: check for MTE extension // FIXME: check for MTE extension
bool AArch64StackTagging::runOnFunction(Function &Fn) { bool AArch64StackTagging::runOnFunction(Function &Fn) {
if (!Fn.hasFnAttribute(Attribute::SanitizeMemTag)) if (!Fn.hasFnAttribute(Attribute::SanitizeMemTag))
eugenisUnsubmitted
Done
ReplyInline Actions

Remove this line, it's unreachable.

eugenis: Remove this line, it's unreachable.
Context not available.
if (NumInterestingAllocas == 0) if (NumInterestingAllocas == 0)
return true; return true;
DominatorTreeWrapperPass &DTWP = getAnalysis<DominatorTreeWrapperPass>();
DominatorTree &DT = DTWP.getDomTree();
PostDominatorTreeWrapperPass &PDTWP = getAnalysis<PostDominatorTreeWrapperPass>();
PostDominatorTree &PDT = PDTWP.getPostDomTree();
eugenisUnsubmitted
Done
ReplyInline Actions

Now we compute domtree and postdomtree for all functions, even at -O0, even when building without memory tagging. Is it OK?

This can get resolved by switching to the new pass manager in the backend. Do you know if there are any plans to do so?

eugenis: Now we compute domtree and postdomtree for all functions, even at -O0, even when building…
SetTagFunc = SetTagFunc =
Intrinsic::getDeclaration(F->getParent(), Intrinsic::aarch64_settag); Intrinsic::getDeclaration(F->getParent(), Intrinsic::aarch64_settag);
Instruction *Base = insertBaseTaggedPointer(
// Compute DT only if the function has the attribute, there are more than 1 Allocas, NumInterestingAllocas > 1 ? &DT : nullptr);
eugenisUnsubmitted
Done
ReplyInline Actions

If we definitely have DT, then just pass it unconditionally.

eugenis: If we definitely have DT, then just pass it unconditionally.
// interesting allocas, and it is not available for free.
Instruction *Base;
if (NumInterestingAllocas > 1) {
auto *DTWP = getAnalysisIfAvailable<DominatorTreeWrapperPass>();
if (DTWP) {
Base = insertBaseTaggedPointer(Allocas, &DTWP->getDomTree());
} else {
DominatorTree DT(*F);
Base = insertBaseTaggedPointer(Allocas, &DT);
}
} else {
Base = insertBaseTaggedPointer(Allocas, nullptr);
}
for (auto &I : Allocas) { for (auto &I : Allocas) {
const AllocaInfo &Info = I.second; const AllocaInfo &Info = I.second;
Context not available.
if (UnrecognizedLifetimes.empty() && Info.LifetimeStart.size() == 1 && if (UnrecognizedLifetimes.empty() && Info.LifetimeStart.size() == 1 &&
Info.LifetimeEnd.size() == 1) { Info.LifetimeEnd.size() == 1) {
IntrinsicInst *Start = Info.LifetimeStart[0]; IntrinsicInst *Start = Info.LifetimeStart[0];
IntrinsicInst *End = Info.LifetimeEnd[0];
uint64_t Size = uint64_t Size =
dyn_cast<ConstantInt>(Start->getArgOperand(0))->getZExtValue(); dyn_cast<ConstantInt>(Start->getArgOperand(0))->getZExtValue();
Size = alignTo(Size, kTagGranuleSize); Size = alignTo(Size, kTagGranuleSize);
tagAlloca(AI, Start->getNextNode(), Start->getArgOperand(1), Size); tagAlloca(AI, Start->getNextNode(), Start->getArgOperand(1), Size);
untagAlloca(AI, Info.LifetimeEnd[0], Size); // We need to ensure that if we tag some object, we certainly untag it
// before the function exits.
if (postDominates(PDT, End, Start)) {
untagAlloca(AI, End, Size);
} else {
SmallVector<Instruction *, 8> ReachableRetVec;
unsigned numCoveredExits = 0;
eugenisUnsubmitted
Done
ReplyInline Actions

Variable names start with an uppercase letter.

http://llvm.org/docs/CodingStandards.html#name-types-functions-variables-and-enumerators-properly

eugenis: Variable names start with an uppercase letter. http://llvm.org/docs/CodingStandards.html#name…
for (auto &RI : RetVec) {
if (!isPotentiallyReachable(Start, RI, nullptr, &DT))
continue;
ReachableRetVec.push_back(RI);
if (DT.dominates(End, RI))
++numCoveredExits;
}
// If there's a mix of covered and non-covered exits, just put the untag
// on exits, so we avoid the redundancy of untagging twice.
if (numCoveredExits == ReachableRetVec.size()) {
untagAlloca(AI, End, Size);
} else {
for (auto &RI : ReachableRetVec)
untagAlloca(AI, RI, Size);
// We may have inserted untag outside of the lifetime interval.
// Remove the lifetime end call for this alloca.
End->eraseFromParent();
}
}
} else { } else {
uint64_t Size = Info.AI->getAllocationSizeInBits(*DL).getValue() / 8; uint64_t Size = Info.AI->getAllocationSizeInBits(*DL).getValue() / 8;
Value *Ptr = IRB.CreatePointerCast(TagPCall, IRB.getInt8PtrTy()); Value *Ptr = IRB.CreatePointerCast(TagPCall, IRB.getInt8PtrTy());
Context not available.

llvm/test/CodeGen/AArch64/O0-pipeline.ll

Context not available.
; CHECK-NEXT: Instrument function entry/exit with calls to e.g. mcount() (post inlining) ; CHECK-NEXT: Instrument function entry/exit with calls to e.g. mcount() (post inlining)
; CHECK-NEXT: Scalarize Masked Memory Intrinsics ; CHECK-NEXT: Scalarize Masked Memory Intrinsics
; CHECK-NEXT: Expand reduction intrinsics ; CHECK-NEXT: Expand reduction intrinsics
; CHECK-NEXT: Dominator Tree Construction
; CHECK-NEXT: Post-Dominator Tree Construction
; CHECK-NEXT: AArch64 Stack Tagging ; CHECK-NEXT: AArch64 Stack Tagging
; CHECK-NEXT: Rewrite Symbols ; CHECK-NEXT: Rewrite Symbols
; CHECK-NEXT: FunctionPass Manager ; CHECK-NEXT: FunctionPass Manager
Context not available.

llvm/test/CodeGen/AArch64/O3-pipeline.ll

Context not available.
; CHECK-NEXT: Interleaved Access Pass ; CHECK-NEXT: Interleaved Access Pass
; CHECK-NEXT: Basic Alias Analysis (stateless AA impl) ; CHECK-NEXT: Basic Alias Analysis (stateless AA impl)
; CHECK-NEXT: Function Alias Analysis Results ; CHECK-NEXT: Function Alias Analysis Results
; CHECK-NEXT: Post-Dominator Tree Construction
; CHECK-NEXT: AArch64 Stack Tagging ; CHECK-NEXT: AArch64 Stack Tagging
; CHECK-NEXT: Natural Loop Information ; CHECK-NEXT: Natural Loop Information
; CHECK-NEXT: CodeGen Prepare ; CHECK-NEXT: CodeGen Prepare
Context not available.

llvm/test/CodeGen/AArch64/stack-tagging-ex-1.ll

  • This file was added.
; RUN: opt -S -stack-tagging %s -o - | FileCheck %s
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64-arm-unknown-eabi"
define void @f() local_unnamed_addr #0 personality i8* bitcast (i32 (...)* @__gxx_personality_v0 to i8*) {
start:
; CHECK-LABEL: start:
%a = alloca i8, i32 48, align 8
call void @llvm.lifetime.start.p0i8(i64 48, i8* nonnull %a) #2
; CHECK: call void @llvm.aarch64.settag(i8* %a.tag, i64 48)
%b = alloca i8, i32 48, align 8
call void @llvm.lifetime.start.p0i8(i64 48, i8* nonnull %b) #2
; CHECK: call void @llvm.aarch64.settag(i8* %b.tag, i64 48)
invoke void @g (i8 * nonnull %a, i8 * nonnull %b) to label %next0 unwind label %lpad0
; CHECK-NOT: settag
next0:
; CHECK-LABEL: next0:
call void @llvm.lifetime.end.p0i8(i64 40, i8* nonnull %a)
call void @llvm.lifetime.end.p0i8(i64 40, i8* nonnull %b)
br label %exit
; CHECK-NOT: settag
lpad0:
; CHECK-LABEL: lpad0:
%pad0v = landingpad { i8*, i32 } catch i8* null
%v = extractvalue { i8*, i32 } %pad0v, 0
%x = call i8* @__cxa_begin_catch(i8* %v) #2
invoke void @__cxa_end_catch() to label %next1 unwind label %lpad1
; CHECK-NOT: settag
next1:
; CHECK-LABEL: next1:
br label %exit
; CHECK-NOT: settag
lpad1:
; CHECK-LABEL: lpad1:
; CHECK-NOT: settag
%pad1v = landingpad { i8*, i32 } cleanup
resume { i8*, i32 } %pad1v
exit:
; CHECK-LABEL: exit:
; CHECK: call void @llvm.aarch64.settag(i8* %a, i64 48)
; CHECK: call void @llvm.aarch64.settag(i8* %b, i64 48)
ret void
; CHECK: ret void
}
declare void @g(i8 *, i8 *) #0
declare dso_local i32 @__gxx_personality_v0(...)
declare dso_local i8* @__cxa_begin_catch(i8*) local_unnamed_addr
declare dso_local void @__cxa_end_catch() local_unnamed_addr
; Function Attrs: argmemonly nounwind willreturn
declare void @llvm.lifetime.start.p0i8(i64 immarg, i8* nocapture) #1
; Function Attrs: argmemonly nounwind willreturn
declare void @llvm.lifetime.end.p0i8(i64 immarg, i8* nocapture) #1
attributes #0 = { sanitize_memtag "correctly-rounded-divide-sqrt-fp-math"="false" "denormal-fp-math"="preserve-sign" "disable-tail-calls"="false" "frame-pointer"="none" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="true" "no-jump-tables"="false" "no-nans-fp-math"="true" "no-signed-zeros-fp-math"="true" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="generic" "target-features"="+mte,+neon,+v8.5a" "unsafe-fp-math"="false" "use-soft-float"="false" }
attributes #1 = { argmemonly nounwind willreturn }
attributes #2 = { nounwind }

llvm/test/CodeGen/AArch64/stack-tagging-ex-2.ll

  • This file was added.
; clang -target aarch64-eabi -O2 -march=armv8.5-a+memtag -fsanitize=memtag -S -emit-llvm test.cc
; void bar() {
; throw 42;
; }
; void foo() {
; int A0;
; __asm volatile("" : : "r"(&A0));
; try {
; bar();
; } catch (int exc) {
; }
; throw 15532;
; }
; int main() {
; try {
; foo();
; } catch (int exc) {
; }
; return 0;
; }
; RUN: opt -S -stack-tagging %s -o - | FileCheck %s
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64-unknown-unknown-eabi"
@_ZTIi = external dso_local constant i8*
; Function Attrs: noreturn sanitize_memtag
define dso_local void @_Z3barv() local_unnamed_addr #0 {
entry:
%exception = tail call i8* @__cxa_allocate_exception(i64 4) #4
%0 = bitcast i8* %exception to i32*
store i32 42, i32* %0, align 16, !tbaa !2
tail call void @__cxa_throw(i8* %exception, i8* bitcast (i8** @_ZTIi to i8*), i8* null) #5
unreachable
}
declare dso_local i8* @__cxa_allocate_exception(i64) local_unnamed_addr
declare dso_local void @__cxa_throw(i8*, i8*, i8*) local_unnamed_addr
; Function Attrs: noreturn sanitize_memtag
define dso_local void @_Z3foov() local_unnamed_addr #0 personality i8* bitcast (i32 (...)* @__gxx_personality_v0 to i8*) {
entry:
%A0 = alloca i32, align 4
%0 = bitcast i32* %A0 to i8*
call void @llvm.lifetime.start.p0i8(i64 4, i8* nonnull %0) #4
call void asm sideeffect "", "r"(i32* nonnull %A0) #4, !srcloc !6
invoke void @_Z3barv()
to label %try.cont unwind label %lpad
lpad: ; preds = %entry
%1 = landingpad { i8*, i32 }
cleanup
catch i8* bitcast (i8** @_ZTIi to i8*)
%2 = extractvalue { i8*, i32 } %1, 1
%3 = call i32 @llvm.eh.typeid.for(i8* bitcast (i8** @_ZTIi to i8*)) #4
%matches = icmp eq i32 %2, %3
br i1 %matches, label %catch, label %ehcleanup
catch: ; preds = %lpad
%4 = extractvalue { i8*, i32 } %1, 0
%5 = call i8* @__cxa_begin_catch(i8* %4) #4
call void @__cxa_end_catch() #4
br label %try.cont
try.cont: ; preds = %entry, %catch
%exception = call i8* @__cxa_allocate_exception(i64 4) #4
%6 = bitcast i8* %exception to i32*
store i32 15532, i32* %6, align 16, !tbaa !2
call void @__cxa_throw(i8* %exception, i8* bitcast (i8** @_ZTIi to i8*), i8* null) #5
unreachable
ehcleanup: ; preds = %lpad
call void @llvm.lifetime.end.p0i8(i64 4, i8* nonnull %0) #4
resume { i8*, i32 } %1
}
; Function Attrs: argmemonly nounwind willreturn
declare void @llvm.lifetime.start.p0i8(i64 immarg, i8* nocapture) #1
declare dso_local i32 @__gxx_personality_v0(...)
; Function Attrs: nounwind readnone
declare i32 @llvm.eh.typeid.for(i8*) #2
declare dso_local i8* @__cxa_begin_catch(i8*) local_unnamed_addr
declare dso_local void @__cxa_end_catch() local_unnamed_addr
; Function Attrs: argmemonly nounwind willreturn
declare void @llvm.lifetime.end.p0i8(i64 immarg, i8* nocapture) #1
; Function Attrs: norecurse sanitize_memtag
define dso_local i32 @main() local_unnamed_addr #3 personality i8* bitcast (i32 (...)* @__gxx_personality_v0 to i8*) {
entry:
; CHECK-LABEL: entry:
%A0.i = alloca i32, align 4
%0 = bitcast i32* %A0.i to i8*
call void @llvm.lifetime.start.p0i8(i64 4, i8* nonnull %0) #4
call void asm sideeffect "", "r"(i32* nonnull %A0.i) #4, !srcloc !6
; CHECK: call void @llvm.aarch64.settag(i8* %1, i64 16)
; CHECK-NEXT: call void asm sideeffect
%exception.i6 = call i8* @__cxa_allocate_exception(i64 4) #4
%1 = bitcast i8* %exception.i6 to i32*
store i32 42, i32* %1, align 16, !tbaa !2
invoke void @__cxa_throw(i8* %exception.i6, i8* bitcast (i8** @_ZTIi to i8*), i8* null) #5
to label %.noexc7 unwind label %lpad.i
.noexc7: ; preds = %entry
unreachable
lpad.i: ; preds = %entry
%2 = landingpad { i8*, i32 }
cleanup
catch i8* bitcast (i8** @_ZTIi to i8*)
%3 = extractvalue { i8*, i32 } %2, 1
%4 = call i32 @llvm.eh.typeid.for(i8* bitcast (i8** @_ZTIi to i8*)) #4
%matches.i = icmp eq i32 %3, %4
br i1 %matches.i, label %catch.i, label %ehcleanup.i
catch.i: ; preds = %lpad.i
%5 = extractvalue { i8*, i32 } %2, 0
%6 = call i8* @__cxa_begin_catch(i8* %5) #4
call void @__cxa_end_catch() #4
%exception.i = call i8* @__cxa_allocate_exception(i64 4) #4
%7 = bitcast i8* %exception.i to i32*
store i32 15532, i32* %7, align 16, !tbaa !2
invoke void @__cxa_throw(i8* %exception.i, i8* bitcast (i8** @_ZTIi to i8*), i8* null) #5
to label %.noexc unwind label %lpad
.noexc: ; preds = %catch.i
unreachable
ehcleanup.i: ; preds = %lpad.i
call void @llvm.lifetime.end.p0i8(i64 4, i8* nonnull %0) #4
br label %lpad.body
lpad: ; preds = %catch.i
%8 = landingpad { i8*, i32 }
catch i8* bitcast (i8** @_ZTIi to i8*)
%.pre = extractvalue { i8*, i32 } %8, 1
br label %lpad.body
lpad.body: ; preds = %ehcleanup.i, %lpad
%.pre-phi = phi i32 [ %3, %ehcleanup.i ], [ %.pre, %lpad ]
%eh.lpad-body = phi { i8*, i32 } [ %2, %ehcleanup.i ], [ %8, %lpad ]
%matches = icmp eq i32 %.pre-phi, %4
br i1 %matches, label %catch, label %eh.resume
catch: ; preds = %lpad.body
%9 = extractvalue { i8*, i32 } %eh.lpad-body, 0
%10 = call i8* @__cxa_begin_catch(i8* %9) #4
call void @__cxa_end_catch() #4
ret i32 0
eh.resume: ; preds = %lpad.body
resume { i8*, i32 } %eh.lpad-body
}
attributes #0 = { noreturn sanitize_memtag "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "frame-pointer"="all" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="false" "stack-protector-buffer-size"="8" "target-cpu"="generic" "target-features"="+mte,+neon,+v8.5a" "unsafe-fp-math"="false" "use-soft-float"="false" }
attributes #1 = { argmemonly nounwind willreturn }
attributes #2 = { nounwind readnone }
attributes #3 = { norecurse sanitize_memtag "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "frame-pointer"="all" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="false" "stack-protector-buffer-size"="8" "target-cpu"="generic" "target-features"="+mte,+neon,+v8.5a" "unsafe-fp-math"="false" "use-soft-float"="false" }
attributes #4 = { nounwind }
attributes #5 = { noreturn }
!llvm.module.flags = !{!0}
!llvm.ident = !{!1}
!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{!"clang version 10.0.0 (https://github.com/llvm/llvm-project.git c38188c5fe41751fda095edde1a878b2a051ae58)"}
!2 = !{!3, !3, i64 0}
!3 = !{!"int", !4, i64 0}
!4 = !{!"omnipotent char", !5, i64 0}
!5 = !{!"Simple C++ TBAA"}
!6 = !{i32 70}

llvm/test/CodeGen/AArch64/stack-tagging-untag-placement.ll

  • This file was added.
;; RUN: opt -S -stack-tagging %s -o - | FileCheck %s
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64-arm-unknown-eabi"
define void @f() local_unnamed_addr #0 {
S0:
; CHECK-LABEL: S0:
; CHECK: %basetag = call i8* @llvm.aarch64.irg.sp(i64 0)
%v = alloca i8, i32 48, align 8
; CHECK: %v.tag = call i8* @llvm.aarch64.tagp.p0i8(i8* %v, i8* %basetag, i64 0)
%w = alloca i8, i32 48, align 16
; CHECK: %w.tag = call i8* @llvm.aarch64.tagp.p0i8(i8* %w, i8* %basetag, i64 1)
%t0 = call i32 @g0() #1
%b0 = icmp eq i32 %t0, 0
br i1 %b0, label %S1, label %exit3
S1:
; CHECK-LABEL: S1:
call void @llvm.lifetime.start.p0i8(i64 48, i8 * nonnull %v) #1
; CHECK: call void @llvm.aarch64.settag(i8* %v.tag, i64 48)
call void @llvm.lifetime.start.p0i8(i64 48, i8 * nonnull %w) #1
; CHECK: call void @llvm.aarch64.settag(i8* %w.tag, i64 48)
%t1 = call i32 @g1(i8 * nonnull %v, i8 * nonnull %w) #1
; CHECK: call i32 @g1
; CHECK-NOT: settag{{.*}}%v
; CHECK: call void @llvm.aarch64.settag(i8* %w, i64 48)
; CHECK-NOT: settag{{.*}}%v
call void @llvm.lifetime.end.p0i8(i64 48, i8 * nonnull %w) #1
; CHECK: call void @llvm.lifetime.end.p0i8(i64 48, i8* nonnull %w.tag)
%b1 = icmp eq i32 %t1, 0
br i1 %b1, label %S2, label %S3
; CHECK-NOT: settag
S2:
; CHECK-LABEL: S2:
call void @z0() #1
br label %exit1
; CHECK-NOT: settag
S3:
; CHECK-LABEL: S3:
call void @llvm.lifetime.end.p0i8(i64 48, i8 * nonnull %v) #1
tail call void @z1() #1
br label %exit2
; CHECK-NOT: settag
exit1:
; CHECK-LABEL: exit1:
; CHECK: call void @llvm.aarch64.settag(i8* %v, i64 48)
ret void
exit2:
; CHECK-LABEL: exit2:
; CHECK: call void @llvm.aarch64.settag(i8* %v, i64 48)
ret void
exit3:
; CHECK-LABEL: exit3:
call void @z2() #1
; CHECK-NOT: settag
ret void
; CHECK: ret void
}
declare i32 @g0() #0
declare i32 @g1(i8 *, i8 *) #0
declare void @z0() #0
declare void @z1() #0
declare void @z2() #0
declare void @llvm.lifetime.start.p0i8(i64 immarg, i8 * nocapture) #1
declare void @llvm.lifetime.end.p0i8(i64 immarg, i8 * nocapture) #1
attributes #0 = { sanitize_memtag "correctly-rounded-divide-sqrt-fp-math"="false" "denormal-fp-math"="preserve-sign" "disable-tail-calls"="false" "frame-pointer"="none" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="true" "no-jump-tables"="false" "no-nans-fp-math"="true" "no-signed-zeros-fp-math"="true" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="generic" "target-features"="+mte,+neon,+v8.5a" "unsafe-fp-math"="false" "use-soft-float"="false" }
attributes #1 = { nounwind }