This is an archive of the discontinued LLVM Phabricator instance.

Differential D75695

[StackProtector] Catch direct out-of-bounds when checking address-takenness
ClosedPublic

Authored by john.brawn on Mar 5 2020, 9:53 AM.

Details

Reviewers
probinson
eli.friedman
arsenm
efriedma
Commits
rGc09368313c23: [StackProtector] Catch direct out-of-bounds when checking address-takenness
Summary

With -fstack-protector-strong we check if a non-array variable has its address taken in a way that could cause a potential out-of-bounds access. However what we don't catch is when the address is directly used to create an out-of-bounds memory access.

Fix this by examining the offsets of GEPs that are ultimately derived from allocas and checking if the resulting address is out-of-bounds, and by checking that any memory operations using such addresses are not over-large.

Fixes PR43478.

Diff Detail

Event Timeline

john.brawn created this revision.Mar 5 2020, 9:53 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 5 2020, 9:53 AM
Herald added subscribers: hiraditya, wdng. · View Herald Transcript
efriedma added a subscriber: efriedma.Mar 5 2020, 10:28 AM
efriedma added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
210

I think AllocaInst has a getAllocatedType, or something like that?

Should use getTypeAllocSize, since that's what actually determines the number of bytes allocated.

Harbormaster failed remote builds in B48227: Diff 248522!Mar 5 2020, 10:58 AM
john.brawn marked an inline comment as done.Mar 6 2020, 5:19 AM
john.brawn added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
210

I think AllocaInst has a getAllocatedType, or something like that?

AI isn't necessarily an AllocaInst, e.g. we could be looking at a GEP of a GEP or a GEP of a PHI.

Should use getTypeAllocSize, since that's what actually determines the number of bytes allocated.

Will do.

john.brawn updated this revision to Diff 248710.Mar 6 2020, 5:20 AM

Use getTypeAllocSize, apply clang-format.

probinson added a comment.Mar 9 2020, 7:18 AM

I have to admit I didn't thoroughly look at the test, although I have to wonder if the loop cases in the test really provide any additional coverage? They're using phis as input, but you already have phi cases.

llvm/lib/CodeGen/StackProtector.cpp
202

potentially out-of-bounds

203

s/would also have to be/could also be/

llvm/test/CodeGen/Generic/stack-guard-oob.ll
6 ↗(On Diff #248710)

REQUIRES: aarch64-registered-target
REQUIRES: arm-registered-target
REQUIRES: x86-registered-target

7 ↗(On Diff #248710)

When CHECK-LABEL specifies an actual label, it's best to include the appropriate punctuation; so, CHECK-LABEL: in_bounds: and so on throughout.

john.brawn marked 5 inline comments as done.Mar 9 2020, 10:01 AM
john.brawn added inline comments.
llvm/test/CodeGen/Generic/stack-guard-oob.ll
6 ↗(On Diff #248710)

I think it makes more sense instead to split this into three separate tests (which just use the same input file in test/Codegen/Inputs, like we do with stack-guard-reassign.ll), so we don't need to requiring all targets if we want to test any of them.

john.brawn updated this revision to Diff 249145.Mar 9 2020, 10:04 AM
john.brawn marked an inline comment as done.

Update based on review comments.

probinson added a comment.Mar 9 2020, 10:32 AM

Changes look good, but there's still the question about whether you really need the loop tests.

john.brawn added a comment.Mar 10 2020, 5:13 AM
In D75695#1912905, @probinson wrote:

Changes look good, but there's still the question about whether you really need the loop tests.

I think I originally added these because of a previous attempt at a fix, which was more complicated (in a way that didn't improve anything) and did at one point have a problem with loops. I could remove them, though I don't see much reason to. I will if you really want though.

probinson added a comment.Mar 10 2020, 6:53 AM
In D75695#1914314, @john.brawn wrote:
In D75695#1912905, @probinson wrote:

Changes look good, but there's still the question about whether you really need the loop tests.

I think I originally added these because of a previous attempt at a fix, which was more complicated (in a way that didn't improve anything) and did at one point have a problem with loops. I could remove them, though I don't see much reason to. I will if you really want though.

Project practice is to try to have regression tests that are fairly focused, and don't contain any extraneous or redundant cases. This helps future devs trying to read and understand your test. It also reduces testing time by an admittedly small increment, but when you add up those increments across 10s of Ks of tests and N-hundred developers running them many many times per day, it adds up.
There's a place for more thorough testing, IMO, but that place is not the lit tests.

john.brawn updated this revision to Diff 249381.Mar 10 2020, 7:57 AM

Removed loop tests.

efriedma added inline comments.Mar 10 2020, 3:28 PM
llvm/lib/CodeGen/StackProtector.cpp
210

Oh, I see, the function recurses.

I don't think the recursion works correctly in general. The values that actually matter are the current offset, determined recursively, the size of the original alloca, and the size of any memory operations using the result of the GEP. Using the size of the GEP's operand type doesn't work correctly in general; in particular, if there's another GEP or bitcast in the recursive chain of uses, you can come up with the wrong result.

john.brawn marked an inline comment as done.Mar 11 2020, 6:55 AM
john.brawn added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
210

I think adding a check that bitcast doesn't bitcast to a larger type should be enough to handle this. If we have a GEP of a GEP then each one will make sure that the offset is within the bounds of the specific type it's handling. Doing it like this does mean that for something like

int fn() {
  int arr[4][4];
  return arr[0][5];
}

we say it's an out-of-bounds access when it doesn't actually access outside of the underlying object, but I don't think handling this kind of case is worth the added complexity.

john.brawn updated this revision to Diff 249611.Mar 11 2020, 6:59 AM

Added bitcast handling.

arsenm requested changes to this revision.Mar 11 2020, 7:29 AM
arsenm added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
220–221

This is introducing new dependences on the deprecated pointee type. No decisions should be made based on this

This revision now requires changes to proceed.Mar 11 2020, 7:29 AM
john.brawn marked an inline comment as done.Mar 11 2020, 9:04 AM
john.brawn added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
220–221

I don't see anything in Type.h about getPointerElementType being deprecated, but looking at Instructions.h I see mention of "opaque pointer types", is this what you're talking about? Looking at http://lists.llvm.org/pipermail/llvm-dev/2019-December/137684.html (which is the best I could find for what it means) it looks like instead of

%var = alloca i32, align 4
%bitcast = i32* %var to %i64
store i64 0, i32* %bitcast

we'll have

%var = alloca i32, align 4
store i64 0, p0 %var

So it looks like I should be checking the type at the load/store instead?

arsenm added inline comments.Mar 11 2020, 9:06 AM
llvm/lib/CodeGen/StackProtector.cpp
220–221

Yes, pointer types should be assumed to be opaque now. Only the type on the use instruction is meaningful

efriedma added inline comments.Mar 11 2020, 10:12 AM
llvm/lib/CodeGen/StackProtector.cpp
210

That's still not enough given the way you're doing the check. Consider if someone writes something like

struct X { int a[10][10]; int b; };
struct X x;
int (*p)[10] = &x.a[10];
int z = a[5];

This lowers to two GEPs; neither is "out-of-bounds" in the sense you're checking.

You could try to enforce that each index of each GEP is in the valid range, I guess.

john.brawn updated this revision to Diff 249970.Mar 12 2020, 10:18 AM
john.brawn edited the summary of this revision. (Show Details)

Adjusted to avoid looking through pointer types by passing around the allocated type and checking it against the size of memory accesses. Also correctly handle GEPs where the addressed member is partially outside of the allocated object.

Herald added a subscriber: jfb. · View Herald TranscriptMar 12 2020, 10:18 AM
efriedma added a comment.Mar 12 2020, 12:49 PM

I think it would be more straightforward to reason about the behavior here if you just pass down the number of bytes that are known safe to dereference, instead of "AllocType".

john.brawn updated this revision to Diff 250208.Mar 13 2020, 9:05 AM

Use the allocation size instead of the allocation type.

efriedma added inline comments.Mar 13 2020, 2:30 PM
llvm/lib/CodeGen/StackProtector.cpp
209

Can we just compute ResultSize as "AllocSize - Offset"? (That's obviously correct, and I'm not convinced that using the size of getResultElementType() does the right thing here.)

john.brawn marked an inline comment as done.Mar 16 2020, 6:37 AM
john.brawn added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
209

I think we can. Currently the offset check is done in a way that also checks if the end of the addressed member is past the end of the allocation, but just checking that the start is within the allocation and then reducing the remaining size by the offset will mean we check at the time we see a memory access that it's not too large for the remaining space.

john.brawn updated this revision to Diff 250554.Mar 16 2020, 7:11 AM

Adjust GEP handling to reduce AllocSize by Offset instead of using the result size.

efriedma accepted this revision.Mar 16 2020, 11:44 AM

I don't think we're really getting much benefit out of testing this on multiple targets; as long as we have coverage for 32-bit and 64-bit targets, none of the relevant logic is actually target-specific. So I'd just get rid of the ARM/AArch64 tests, I think, since x86 conveniently has 32-bit and 64-bit targets.

Otherwise LGTM

This revision was not accepted when it landed; it landed in state Needs Review.Mar 17 2020, 5:43 AM
Closed by commit rGc09368313c23: [StackProtector] Catch direct out-of-bounds when checking address-takenness (authored by john.brawn). · Explain Why
This revision was automatically updated to reflect the committed changes.
aemerson mentioned this in D87074: [StackProtector] Fix crash with vararg due to not checking LocationSize validity..Sep 2 2020, 11:21 PM

Revision Contents

PathSize
llvm/
include/
llvm/
CodeGen/
2 lines
lib/
CodeGen/
37 lines
test/
CodeGen/
X86/
415 lines

Diff 250735

llvm/include/llvm/CodeGen/StackProtector.h

Show First 20 LinesShow All 89 Lines▼ Show 20 Linesprivate:
/// for it. /// for it.
/// \param [out] IsLarge is set to true if a protectable array is found and /// \param [out] IsLarge is set to true if a protectable array is found and
/// it is "large" ( >= ssp-buffer-size). In the case of a structure with /// it is "large" ( >= ssp-buffer-size). In the case of a structure with
/// multiple arrays, this gets set if any of them is large. /// multiple arrays, this gets set if any of them is large.
bool ContainsProtectableArray(Type *Ty, bool &IsLarge, bool Strong = false, bool ContainsProtectableArray(Type *Ty, bool &IsLarge, bool Strong = false,
bool InStruct = false) const; bool InStruct = false) const;
/// Check whether a stack allocation has its address taken. /// Check whether a stack allocation has its address taken.
bool HasAddressTaken(const Instruction *AI); bool HasAddressTaken(const Instruction *AI, uint64_t AllocSize);
/// RequiresStackProtector - Check whether or not this function needs a /// RequiresStackProtector - Check whether or not this function needs a
/// stack protector based upon the stack protector level. /// stack protector based upon the stack protector level.
bool RequiresStackProtector(); bool RequiresStackProtector();
public: public:
static char ID; // Pass identification, replacement for typeid. static char ID; // Pass identification, replacement for typeid.
Show All 15 Lines

llvm/lib/CodeGen/StackProtector.cpp

Show All 12 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/CodeGen/StackProtector.h" #include "llvm/CodeGen/StackProtector.h"
#include "llvm/ADT/SmallPtrSet.h" #include "llvm/ADT/SmallPtrSet.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/Analysis/BranchProbabilityInfo.h" #include "llvm/Analysis/BranchProbabilityInfo.h"
#include "llvm/Analysis/EHPersonalities.h" #include "llvm/Analysis/EHPersonalities.h"
#include "llvm/Analysis/MemoryLocation.h"
#include "llvm/Analysis/OptimizationRemarkEmitter.h" #include "llvm/Analysis/OptimizationRemarkEmitter.h"
#include "llvm/CodeGen/Passes.h" #include "llvm/CodeGen/Passes.h"
#include "llvm/CodeGen/TargetLowering.h" #include "llvm/CodeGen/TargetLowering.h"
#include "llvm/CodeGen/TargetPassConfig.h" #include "llvm/CodeGen/TargetPassConfig.h"
#include "llvm/CodeGen/TargetSubtargetInfo.h" #include "llvm/CodeGen/TargetSubtargetInfo.h"
#include "llvm/IR/Attributes.h" #include "llvm/IR/Attributes.h"
#include "llvm/IR/BasicBlock.h" #include "llvm/IR/BasicBlock.h"
#include "llvm/IR/Constants.h" #include "llvm/IR/Constants.h"
▲ Show 20 LinesShow All 127 Lines▼ Show 20 Lines if (ContainsProtectableArray(*I, IsLarge, Strong, true)) {
if (IsLarge) if (IsLarge)
return true; return true;
NeedsProtector = true; NeedsProtector = true;
} }
return NeedsProtector; return NeedsProtector;
} }
bool StackProtector::HasAddressTaken(const Instruction *AI) { bool StackProtector::HasAddressTaken(const Instruction *AI,
uint64_t AllocSize) {
const DataLayout &DL = M->getDataLayout();
for (const User *U : AI->users()) { for (const User *U : AI->users()) {
const auto *I = cast<Instruction>(U); const auto *I = cast<Instruction>(U);
// If this instruction accesses memory make sure it doesn't access beyond
// the bounds of the allocated object.
Optional<MemoryLocation> MemLoc = MemoryLocation::getOrNone(I);
if (MemLoc.hasValue() && MemLoc->Size.getValue() > AllocSize)
return true;
switch (I->getOpcode()) { switch (I->getOpcode()) {
case Instruction::Store: case Instruction::Store:
if (AI == cast<StoreInst>(I)->getValueOperand()) if (AI == cast<StoreInst>(I)->getValueOperand())
return true; return true;
break; break;
case Instruction::AtomicCmpXchg: case Instruction::AtomicCmpXchg:
// cmpxchg conceptually includes both a load and store from the same // cmpxchg conceptually includes both a load and store from the same
// location. So, like store, the value being stored is what matters. // location. So, like store, the value being stored is what matters.
Show All 9 Lines case Instruction::Call: {
// TODO: Narrow this to intrinsics that have store-like effects. // TODO: Narrow this to intrinsics that have store-like effects.
const auto *CI = cast<CallInst>(I); const auto *CI = cast<CallInst>(I);
if (!isa<DbgInfoIntrinsic>(CI) && !CI->isLifetimeStartOrEnd()) if (!isa<DbgInfoIntrinsic>(CI) && !CI->isLifetimeStartOrEnd())
return true; return true;
break; break;
} }
case Instruction::Invoke: case Instruction::Invoke:
return true; return true;
case Instruction::GetElementPtr: {
// If the GEP offset is out-of-bounds, or is non-constant and so has to be
// assumed to be potentially out-of-bounds, then any memory access that
probinsonUnsubmitted
Done
ReplyInline Actions

potentially out-of-bounds

probinson: potentially out-of-bounds
// would use it could also be out-of-bounds meaning stack protection is
probinsonUnsubmitted
Done
ReplyInline Actions

s/would also have to be/could also be/

probinson: s/would also have to be/could also be/
// required.
const GetElementPtrInst *GEP = cast<GetElementPtrInst>(I);
unsigned TypeSize = DL.getIndexTypeSizeInBits(I->getType());
APInt Offset(TypeSize, 0);
APInt MaxOffset(TypeSize, AllocSize);
if (!GEP->accumulateConstantOffset(DL, Offset) || Offset.ugt(MaxOffset))
efriedmaUnsubmitted
Not Done
ReplyInline Actions

Can we just compute ResultSize as "AllocSize - Offset"? (That's obviously correct, and I'm not convinced that using the size of getResultElementType() does the right thing here.)

efriedma: Can we just compute ResultSize as "AllocSize - Offset"? (That's obviously correct, and I'm not…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

I think we can. Currently the offset check is done in a way that also checks if the end of the addressed member is past the end of the allocation, but just checking that the start is within the allocation and then reducing the remaining size by the offset will mean we check at the time we see a memory access that it's not too large for the remaining space.

john.brawn: I think we can. Currently the offset check is done in a way that also checks if the end of the…
return true;
efriedmaUnsubmitted
Not Done
ReplyInline Actions

I think AllocaInst has a getAllocatedType, or something like that?

Should use getTypeAllocSize, since that's what actually determines the number of bytes allocated.

efriedma: I think AllocaInst has a getAllocatedType, or something like that? Should use getTypeAllocSize…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

I think AllocaInst has a getAllocatedType, or something like that?

AI isn't necessarily an AllocaInst, e.g. we could be looking at a GEP of a GEP or a GEP of a PHI.

Should use getTypeAllocSize, since that's what actually determines the number of bytes allocated.

Will do.

john.brawn: > I think AllocaInst has a getAllocatedType, or something like that? AI isn't necessarily an…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

Oh, I see, the function recurses.

I don't think the recursion works correctly in general. The values that actually matter are the current offset, determined recursively, the size of the original alloca, and the size of any memory operations using the result of the GEP. Using the size of the GEP's operand type doesn't work correctly in general; in particular, if there's another GEP or bitcast in the recursive chain of uses, you can come up with the wrong result.

efriedma: Oh, I see, the function recurses. I don't think the recursion works correctly in general. The…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

I think adding a check that bitcast doesn't bitcast to a larger type should be enough to handle this. If we have a GEP of a GEP then each one will make sure that the offset is within the bounds of the specific type it's handling. Doing it like this does mean that for something like

int fn() {
  int arr[4][4];
  return arr[0][5];
}

we say it's an out-of-bounds access when it doesn't actually access outside of the underlying object, but I don't think handling this kind of case is worth the added complexity.

john.brawn: I think adding a check that bitcast doesn't bitcast to a larger type should be enough to handle…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

That's still not enough given the way you're doing the check. Consider if someone writes something like

struct X { int a[10][10]; int b; };
struct X x;
int (*p)[10] = &x.a[10];
int z = a[5];

This lowers to two GEPs; neither is "out-of-bounds" in the sense you're checking.

You could try to enforce that each index of each GEP is in the valid range, I guess.

efriedma: That's still not enough given the way you're doing the check. Consider if someone writes…
// Adjust AllocSize to be the space remaining after this offset.
if (HasAddressTaken(I, AllocSize - Offset.getLimitedValue()))
return true;
break;
}
case Instruction::BitCast: case Instruction::BitCast:
case Instruction::GetElementPtr:
case Instruction::Select: case Instruction::Select:
case Instruction::AddrSpaceCast: case Instruction::AddrSpaceCast:
if (HasAddressTaken(I)) if (HasAddressTaken(I, AllocSize))
return true; return true;
break; break;
arsenmUnsubmitted
Not Done
ReplyInline Actions

This is introducing new dependences on the deprecated pointee type. No decisions should be made based on this

arsenm: This is introducing new dependences on the deprecated pointee type. No decisions should be made…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

I don't see anything in Type.h about getPointerElementType being deprecated, but looking at Instructions.h I see mention of "opaque pointer types", is this what you're talking about? Looking at http://lists.llvm.org/pipermail/llvm-dev/2019-December/137684.html (which is the best I could find for what it means) it looks like instead of

%var = alloca i32, align 4
%bitcast = i32* %var to %i64
store i64 0, i32* %bitcast

we'll have

%var = alloca i32, align 4
store i64 0, p0 %var

So it looks like I should be checking the type at the load/store instead?

john.brawn: I don't see anything in Type.h about getPointerElementType being deprecated, but looking at…
arsenmUnsubmitted
Not Done
ReplyInline Actions

Yes, pointer types should be assumed to be opaque now. Only the type on the use instruction is meaningful

arsenm: Yes, pointer types should be assumed to be opaque now. Only the type on the use instruction is…
case Instruction::PHI: { case Instruction::PHI: {
// Keep track of what PHI nodes we have already visited to ensure // Keep track of what PHI nodes we have already visited to ensure
// they are only visited once. // they are only visited once.
const auto *PN = cast<PHINode>(I); const auto *PN = cast<PHINode>(I);
if (VisitedPHIs.insert(PN).second) if (VisitedPHIs.insert(PN).second)
if (HasAddressTaken(PN)) if (HasAddressTaken(PN, AllocSize))
return true; return true;
break; break;
} }
case Instruction::Load: case Instruction::Load:
case Instruction::AtomicRMW: case Instruction::AtomicRMW:
case Instruction::Ret: case Instruction::Ret:
// These instructions take an address operand, but have load-like or // These instructions take an address operand, but have load-like or
// other innocuous behavior that should not trigger a stack protector. // other innocuous behavior that should not trigger a stack protector.
▲ Show 20 LinesShow All 112 Lines▼ Show 20 Lines for (const Instruction &I : BB) {
<< ore::NV("Function", F) << ore::NV("Function", F)
<< " due to a stack allocated buffer or struct containing a " << " due to a stack allocated buffer or struct containing a "
"buffer"; "buffer";
}); });
NeedsProtector = true; NeedsProtector = true;
continue; continue;
} }
if (Strong && HasAddressTaken(AI)) { if (Strong && HasAddressTaken(AI, M->getDataLayout().getTypeAllocSize(
AI->getAllocatedType()))) {
++NumAddrTaken; ++NumAddrTaken;
Layout.insert(std::make_pair(AI, MachineFrameInfo::SSPLK_AddrOf)); Layout.insert(std::make_pair(AI, MachineFrameInfo::SSPLK_AddrOf));
ORE.emit([&]() { ORE.emit([&]() {
return OptimizationRemark(DEBUG_TYPE, "StackProtectorAddressTaken", return OptimizationRemark(DEBUG_TYPE, "StackProtectorAddressTaken",
&I) &I)
<< "Stack protection applied to function " << "Stack protection applied to function "
<< ore::NV("Function", F) << ore::NV("Function", F)
<< " due to the address of a local variable being taken"; << " due to the address of a local variable being taken";
}); });
NeedsProtector = true; NeedsProtector = true;
} }
// Clear any PHIs that we visited, to make sure we examine all uses of
// any subsequent allocas that we look at.
VisitedPHIs.clear();
} }
} }
} }
return NeedsProtector; return NeedsProtector;
} }
/// Create a stack guard loading and populate whether SelectionDAG SSP is /// Create a stack guard loading and populate whether SelectionDAG SSP is
▲ Show 20 LinesShow All 219 LinesShow Last 20 Lines

llvm/test/CodeGen/X86/stack-guard-oob.ll

  • This file was added.
; RUN: llc -mtriple=i686 -O0 < %s | FileCheck %s
; RUN: llc -mtriple=x86_64 -O0 < %s | FileCheck %s
; CHECK-LABEL: in_bounds:
; CHECK-NOT: __stack_chk_guard
define i32 @in_bounds() #0 {
%var = alloca i32, align 4
store i32 0, i32* %var, align 4
%gep = getelementptr inbounds i32, i32* %var, i32 0
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: constant_out_of_bounds:
; CHECK: __stack_chk_guard
define i32 @constant_out_of_bounds() #0 {
%var = alloca i32, align 4
store i32 0, i32* %var, align 4
%gep = getelementptr inbounds i32, i32* %var, i32 1
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: nonconstant_out_of_bounds:
; CHECK: __stack_chk_guard
define i32 @nonconstant_out_of_bounds(i32 %n) #0 {
%var = alloca i32, align 4
store i32 0, i32* %var, align 4
%gep = getelementptr inbounds i32, i32* %var, i32 %n
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_before_gep_in_bounds:
; CHECK-NOT: __stack_chk_guard
define i32 @phi_before_gep_in_bounds(i32 %k) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %then
if:
br label %then
then:
%ptr = phi i32* [ %var1, %entry ], [ %var2, %if ]
%gep = getelementptr inbounds i32, i32* %ptr, i32 0
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_before_gep_constant_out_of_bounds:
; CHECK: __stack_chk_guard
define i32 @phi_before_gep_constant_out_of_bounds(i32 %k) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %then
if:
br label %then
then:
%ptr = phi i32* [ %var1, %entry ], [ %var2, %if ]
%gep = getelementptr inbounds i32, i32* %ptr, i32 1
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_before_gep_nonconstant_out_of_bounds:
; CHECK: __stack_chk_guard
define i32 @phi_before_gep_nonconstant_out_of_bounds(i32 %k, i32 %n) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %then
if:
br label %then
then:
%ptr = phi i32* [ %var1, %entry ], [ %var2, %if ]
%gep = getelementptr inbounds i32, i32* %ptr, i32 %n
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_after_gep_in_bounds:
; CHECK-NOT: __stack_chk_guard
define i32 @phi_after_gep_in_bounds(i32 %k) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %else
if:
%gep1 = getelementptr inbounds i32, i32* %var1, i32 0
br label %then
else:
%gep2 = getelementptr inbounds i32, i32* %var2, i32 0
br label %then
then:
%ptr = phi i32* [ %gep1, %if ], [ %gep2, %else ]
%ret = load i32, i32* %ptr, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_after_gep_constant_out_of_bounds_a:
; CHECK: __stack_chk_guard
define i32 @phi_after_gep_constant_out_of_bounds_a(i32 %k) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %else
if:
%gep1 = getelementptr inbounds i32, i32* %var1, i32 0
br label %then
else:
%gep2 = getelementptr inbounds i32, i32* %var2, i32 1
br label %then
then:
%ptr = phi i32* [ %gep1, %if ], [ %gep2, %else ]
%ret = load i32, i32* %ptr, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_after_gep_constant_out_of_bounds_b:
; CHECK: __stack_chk_guard
define i32 @phi_after_gep_constant_out_of_bounds_b(i32 %k) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %else
if:
%gep1 = getelementptr inbounds i32, i32* %var1, i32 1
br label %then
else:
%gep2 = getelementptr inbounds i32, i32* %var2, i32 0
br label %then
then:
%ptr = phi i32* [ %gep1, %if ], [ %gep2, %else ]
%ret = load i32, i32* %ptr, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_different_types_a:
; CHECK: __stack_chk_guard
define i64 @phi_different_types_a(i32 %k) #0 {
entry:
%var1 = alloca i64, align 4
%var2 = alloca i32, align 4
store i64 0, i64* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %then
if:
%bitcast = bitcast i32* %var2 to i64*
br label %then
then:
%ptr = phi i64* [ %var1, %entry ], [ %bitcast, %if ]
%ret = load i64, i64* %ptr, align 4
ret i64 %ret
}
; CHECK-LABEL: phi_different_types_b:
; CHECK: __stack_chk_guard
define i64 @phi_different_types_b(i32 %k) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i64, align 4
store i32 0, i32* %var1, align 4
store i64 0, i64* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %then
if:
%bitcast = bitcast i32* %var1 to i64*
br label %then
then:
%ptr = phi i64* [ %var2, %entry ], [ %bitcast, %if ]
%ret = load i64, i64* %ptr, align 4
ret i64 %ret
}
; CHECK-LABEL: phi_after_gep_nonconstant_out_of_bounds_a:
; CHECK: __stack_chk_guard
define i32 @phi_after_gep_nonconstant_out_of_bounds_a(i32 %k, i32 %n) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %else
if:
%gep1 = getelementptr inbounds i32, i32* %var1, i32 0
br label %then
else:
%gep2 = getelementptr inbounds i32, i32* %var2, i32 %n
br label %then
then:
%ptr = phi i32* [ %gep1, %if ], [ %gep2, %else ]
%ret = load i32, i32* %ptr, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_after_gep_nonconstant_out_of_bounds_b:
; CHECK: __stack_chk_guard
define i32 @phi_after_gep_nonconstant_out_of_bounds_b(i32 %k, i32 %n) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %else
if:
%gep1 = getelementptr inbounds i32, i32* %var1, i32 %n
br label %then
else:
%gep2 = getelementptr inbounds i32, i32* %var2, i32 0
br label %then
then:
%ptr = phi i32* [ %gep1, %if ], [ %gep2, %else ]
%ret = load i32, i32* %ptr, align 4
ret i32 %ret
}
%struct.outer = type { %struct.inner, %struct.inner }
%struct.inner = type { i32, i32 }
; CHECK-LABEL: struct_in_bounds:
; CHECK-NOT: __stack_chk_guard
define void @struct_in_bounds() #0 {
%var = alloca %struct.outer, align 4
%outergep = getelementptr inbounds %struct.outer, %struct.outer* %var, i32 0, i32 1
%innergep = getelementptr inbounds %struct.inner, %struct.inner* %outergep, i32 0, i32 1
store i32 0, i32* %innergep, align 4
ret void
}
; CHECK-LABEL: struct_constant_out_of_bounds_a:
; CHECK: __stack_chk_guard
define void @struct_constant_out_of_bounds_a() #0 {
%var = alloca %struct.outer, align 4
%outergep = getelementptr inbounds %struct.outer, %struct.outer* %var, i32 1, i32 0
%innergep = getelementptr inbounds %struct.inner, %struct.inner* %outergep, i32 0, i32 0
store i32 0, i32* %innergep, align 4
ret void
}
; CHECK-LABEL: struct_constant_out_of_bounds_b:
; Here the offset is out-of-bounds of the addressed struct.inner member, but
; still within bounds of the outer struct so no stack guard is needed.
; CHECK-NOT: __stack_chk_guard
define void @struct_constant_out_of_bounds_b() #0 {
%var = alloca %struct.outer, align 4
%outergep = getelementptr inbounds %struct.outer, %struct.outer* %var, i32 0, i32 0
%innergep = getelementptr inbounds %struct.inner, %struct.inner* %outergep, i32 1, i32 0
store i32 0, i32* %innergep, align 4
ret void
}
; CHECK-LABEL: struct_constant_out_of_bounds_c:
; Here we are out-of-bounds of both the inner and outer struct.
; CHECK: __stack_chk_guard
define void @struct_constant_out_of_bounds_c() #0 {
%var = alloca %struct.outer, align 4
%outergep = getelementptr inbounds %struct.outer, %struct.outer* %var, i32 0, i32 1
%innergep = getelementptr inbounds %struct.inner, %struct.inner* %outergep, i32 1, i32 0
store i32 0, i32* %innergep, align 4
ret void
}
; CHECK-LABEL: struct_nonconstant_out_of_bounds_a:
; CHECK: __stack_chk_guard
define void @struct_nonconstant_out_of_bounds_a(i32 %n) #0 {
%var = alloca %struct.outer, align 4
%outergep = getelementptr inbounds %struct.outer, %struct.outer* %var, i32 %n, i32 0
%innergep = getelementptr inbounds %struct.inner, %struct.inner* %outergep, i32 0, i32 0
store i32 0, i32* %innergep, align 4
ret void
}
; CHECK-LABEL: struct_nonconstant_out_of_bounds_b:
; CHECK: __stack_chk_guard
define void @struct_nonconstant_out_of_bounds_b(i32 %n) #0 {
%var = alloca %struct.outer, align 4
%outergep = getelementptr inbounds %struct.outer, %struct.outer* %var, i32 0, i32 0
%innergep = getelementptr inbounds %struct.inner, %struct.inner* %outergep, i32 %n, i32 0
store i32 0, i32* %innergep, align 4
ret void
}
; CHECK-LABEL: bitcast_smaller_load
; CHECK-NOT: __stack_chk_guard
define i32 @bitcast_smaller_load() #0 {
%var = alloca i64, align 4
store i64 0, i64* %var, align 4
%bitcast = bitcast i64* %var to i32*
%ret = load i32, i32* %bitcast, align 4
ret i32 %ret
}
; CHECK-LABEL: bitcast_same_size_load
; CHECK-NOT: __stack_chk_guard
define i32 @bitcast_same_size_load() #0 {
%var = alloca i64, align 4
store i64 0, i64* %var, align 4
%bitcast = bitcast i64* %var to %struct.inner*
%gep = getelementptr inbounds %struct.inner, %struct.inner* %bitcast, i32 0, i32 1
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: bitcast_larger_load
; CHECK: __stack_chk_guard
define i64 @bitcast_larger_load() #0 {
%var = alloca i32, align 4
store i32 0, i32* %var, align 4
%bitcast = bitcast i32* %var to i64*
%ret = load i64, i64* %bitcast, align 4
ret i64 %ret
}
; CHECK-LABEL: bitcast_larger_store
; CHECK: __stack_chk_guard
define i32 @bitcast_larger_store() #0 {
%var = alloca i32, align 4
%bitcast = bitcast i32* %var to i64*
store i64 0, i64* %bitcast, align 4
%ret = load i32, i32* %var, align 4
ret i32 %ret
}
; CHECK-LABEL: bitcast_larger_cmpxchg
; CHECK: __stack_chk_guard
define i64 @bitcast_larger_cmpxchg(i64 %desired, i64 %new) #0 {
%var = alloca i32, align 4
%bitcast = bitcast i32* %var to i64*
%pair = cmpxchg i64* %bitcast, i64 %desired, i64 %new seq_cst monotonic
%ret = extractvalue { i64, i1 } %pair, 0
ret i64 %ret
}
; CHECK-LABEL: bitcast_larger_atomic_rmw
; CHECK: __stack_chk_guard
define i64 @bitcast_larger_atomic_rmw() #0 {
%var = alloca i32, align 4
%bitcast = bitcast i32* %var to i64*
%ret = atomicrmw add i64* %bitcast, i64 1 monotonic
ret i64 %ret
}
%struct.packed = type <{ i16, i32 }>
; CHECK-LABEL: bitcast_overlap
; CHECK: __stack_chk_guard
define i32 @bitcast_overlap() #0 {
%var = alloca i32, align 4
%bitcast = bitcast i32* %var to %struct.packed*
%gep = getelementptr inbounds %struct.packed, %struct.packed* %bitcast, i32 0, i32 1
%ret = load i32, i32* %gep, align 2
ret i32 %ret
}
%struct.multi_dimensional = type { [10 x [10 x i32]], i32 }
; CHECK-LABEL: multi_dimensional_array
; CHECK: __stack_chk_guard
define i32 @multi_dimensional_array() #0 {
%var = alloca %struct.multi_dimensional, align 4
%gep1 = getelementptr inbounds %struct.multi_dimensional, %struct.multi_dimensional* %var, i32 0, i32 0
%gep2 = getelementptr inbounds [10 x [10 x i32]], [10 x [10 x i32]]* %gep1, i32 0, i32 10
%gep3 = getelementptr inbounds [10 x i32], [10 x i32]* %gep2, i32 0, i32 5
%ret = load i32, i32* %gep3, align 4
ret i32 %ret
}
attributes #0 = { sspstrong }