This is an archive of the discontinued LLVM Phabricator instance.

Differential D75695

[StackProtector] Catch direct out-of-bounds when checking address-takenness
ClosedPublic

Authored by john.brawn on Mar 5 2020, 9:53 AM.

Details

Reviewers
probinson
eli.friedman
arsenm
efriedma
Commits
rGc09368313c23: [StackProtector] Catch direct out-of-bounds when checking address-takenness
Summary

With -fstack-protector-strong we check if a non-array variable has its address taken in a way that could cause a potential out-of-bounds access. However what we don't catch is when the address is directly used to create an out-of-bounds memory access.

Fix this by examining the offsets of GEPs that are ultimately derived from allocas and checking if the resulting address is out-of-bounds, and by checking that any memory operations using such addresses are not over-large.

Fixes PR43478.

Diff Detail

Event Timeline

john.brawn created this revision.Mar 5 2020, 9:53 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 5 2020, 9:53 AM
Herald added subscribers: hiraditya, wdng. · View Herald Transcript
efriedma added a subscriber: efriedma.Mar 5 2020, 10:28 AM
efriedma added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
202

I think AllocaInst has a getAllocatedType, or something like that?

Should use getTypeAllocSize, since that's what actually determines the number of bytes allocated.

Harbormaster failed remote builds in B48227: Diff 248522!Mar 5 2020, 10:58 AM
john.brawn marked an inline comment as done.Mar 6 2020, 5:19 AM
john.brawn added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
202

I think AllocaInst has a getAllocatedType, or something like that?

AI isn't necessarily an AllocaInst, e.g. we could be looking at a GEP of a GEP or a GEP of a PHI.

Should use getTypeAllocSize, since that's what actually determines the number of bytes allocated.

Will do.

john.brawn updated this revision to Diff 248710.Mar 6 2020, 5:20 AM

Use getTypeAllocSize, apply clang-format.

probinson added a comment.Mar 9 2020, 7:18 AM

I have to admit I didn't thoroughly look at the test, although I have to wonder if the loop cases in the test really provide any additional coverage? They're using phis as input, but you already have phi cases.

llvm/lib/CodeGen/StackProtector.cpp
194

potentially out-of-bounds

195

s/would also have to be/could also be/

llvm/test/CodeGen/Generic/stack-guard-oob.ll
7

REQUIRES: aarch64-registered-target
REQUIRES: arm-registered-target
REQUIRES: x86-registered-target

8

When CHECK-LABEL specifies an actual label, it's best to include the appropriate punctuation; so, CHECK-LABEL: in_bounds: and so on throughout.

john.brawn marked 5 inline comments as done.Mar 9 2020, 10:01 AM
john.brawn added inline comments.
llvm/test/CodeGen/Generic/stack-guard-oob.ll
7

I think it makes more sense instead to split this into three separate tests (which just use the same input file in test/Codegen/Inputs, like we do with stack-guard-reassign.ll), so we don't need to requiring all targets if we want to test any of them.

john.brawn updated this revision to Diff 249145.Mar 9 2020, 10:04 AM
john.brawn marked an inline comment as done.

Update based on review comments.

probinson added a comment.Mar 9 2020, 10:32 AM

Changes look good, but there's still the question about whether you really need the loop tests.

john.brawn added a comment.Mar 10 2020, 5:13 AM
In D75695#1912905, @probinson wrote:

Changes look good, but there's still the question about whether you really need the loop tests.

I think I originally added these because of a previous attempt at a fix, which was more complicated (in a way that didn't improve anything) and did at one point have a problem with loops. I could remove them, though I don't see much reason to. I will if you really want though.

probinson added a comment.Mar 10 2020, 6:53 AM
In D75695#1914314, @john.brawn wrote:
In D75695#1912905, @probinson wrote:

Changes look good, but there's still the question about whether you really need the loop tests.

I think I originally added these because of a previous attempt at a fix, which was more complicated (in a way that didn't improve anything) and did at one point have a problem with loops. I could remove them, though I don't see much reason to. I will if you really want though.

Project practice is to try to have regression tests that are fairly focused, and don't contain any extraneous or redundant cases. This helps future devs trying to read and understand your test. It also reduces testing time by an admittedly small increment, but when you add up those increments across 10s of Ks of tests and N-hundred developers running them many many times per day, it adds up.
There's a place for more thorough testing, IMO, but that place is not the lit tests.

john.brawn updated this revision to Diff 249381.Mar 10 2020, 7:57 AM

Removed loop tests.

efriedma added inline comments.Mar 10 2020, 3:28 PM
llvm/lib/CodeGen/StackProtector.cpp
202

Oh, I see, the function recurses.

I don't think the recursion works correctly in general. The values that actually matter are the current offset, determined recursively, the size of the original alloca, and the size of any memory operations using the result of the GEP. Using the size of the GEP's operand type doesn't work correctly in general; in particular, if there's another GEP or bitcast in the recursive chain of uses, you can come up with the wrong result.

john.brawn marked an inline comment as done.Mar 11 2020, 6:55 AM
john.brawn added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
202

I think adding a check that bitcast doesn't bitcast to a larger type should be enough to handle this. If we have a GEP of a GEP then each one will make sure that the offset is within the bounds of the specific type it's handling. Doing it like this does mean that for something like

int fn() {
  int arr[4][4];
  return arr[0][5];
}

we say it's an out-of-bounds access when it doesn't actually access outside of the underlying object, but I don't think handling this kind of case is worth the added complexity.

john.brawn updated this revision to Diff 249611.Mar 11 2020, 6:59 AM

Added bitcast handling.

arsenm requested changes to this revision.Mar 11 2020, 7:29 AM
arsenm added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
211–212

This is introducing new dependences on the deprecated pointee type. No decisions should be made based on this

This revision now requires changes to proceed.Mar 11 2020, 7:29 AM
john.brawn marked an inline comment as done.Mar 11 2020, 9:04 AM
john.brawn added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
211–212

I don't see anything in Type.h about getPointerElementType being deprecated, but looking at Instructions.h I see mention of "opaque pointer types", is this what you're talking about? Looking at http://lists.llvm.org/pipermail/llvm-dev/2019-December/137684.html (which is the best I could find for what it means) it looks like instead of

%var = alloca i32, align 4
%bitcast = i32* %var to %i64
store i64 0, i32* %bitcast

we'll have

%var = alloca i32, align 4
store i64 0, p0 %var

So it looks like I should be checking the type at the load/store instead?

arsenm added inline comments.Mar 11 2020, 9:06 AM
llvm/lib/CodeGen/StackProtector.cpp
211–212

Yes, pointer types should be assumed to be opaque now. Only the type on the use instruction is meaningful

efriedma added inline comments.Mar 11 2020, 10:12 AM
llvm/lib/CodeGen/StackProtector.cpp
202

That's still not enough given the way you're doing the check. Consider if someone writes something like

struct X { int a[10][10]; int b; };
struct X x;
int (*p)[10] = &x.a[10];
int z = a[5];

This lowers to two GEPs; neither is "out-of-bounds" in the sense you're checking.

You could try to enforce that each index of each GEP is in the valid range, I guess.

john.brawn updated this revision to Diff 249970.Mar 12 2020, 10:18 AM
john.brawn edited the summary of this revision. (Show Details)

Adjusted to avoid looking through pointer types by passing around the allocated type and checking it against the size of memory accesses. Also correctly handle GEPs where the addressed member is partially outside of the allocated object.

Herald added a subscriber: jfb. · View Herald TranscriptMar 12 2020, 10:18 AM
efriedma added a comment.Mar 12 2020, 12:49 PM

I think it would be more straightforward to reason about the behavior here if you just pass down the number of bytes that are known safe to dereference, instead of "AllocType".

john.brawn updated this revision to Diff 250208.Mar 13 2020, 9:05 AM

Use the allocation size instead of the allocation type.

efriedma added inline comments.Mar 13 2020, 2:30 PM
llvm/lib/CodeGen/StackProtector.cpp
201

Can we just compute ResultSize as "AllocSize - Offset"? (That's obviously correct, and I'm not convinced that using the size of getResultElementType() does the right thing here.)

john.brawn marked an inline comment as done.Mar 16 2020, 6:37 AM
john.brawn added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
201

I think we can. Currently the offset check is done in a way that also checks if the end of the addressed member is past the end of the allocation, but just checking that the start is within the allocation and then reducing the remaining size by the offset will mean we check at the time we see a memory access that it's not too large for the remaining space.

john.brawn updated this revision to Diff 250554.Mar 16 2020, 7:11 AM

Adjust GEP handling to reduce AllocSize by Offset instead of using the result size.

efriedma accepted this revision.Mar 16 2020, 11:44 AM

I don't think we're really getting much benefit out of testing this on multiple targets; as long as we have coverage for 32-bit and 64-bit targets, none of the relevant logic is actually target-specific. So I'd just get rid of the ARM/AArch64 tests, I think, since x86 conveniently has 32-bit and 64-bit targets.

Otherwise LGTM

This revision was not accepted when it landed; it landed in state Needs Review.Mar 17 2020, 5:43 AM
Closed by commit rGc09368313c23: [StackProtector] Catch direct out-of-bounds when checking address-takenness (authored by john.brawn). · Explain Why
This revision was automatically updated to reflect the committed changes.
aemerson mentioned this in D87074: [StackProtector] Fix crash with vararg due to not checking LocationSize validity..Sep 2 2020, 11:21 PM

Revision Contents

PathSize
llvm/
lib/
CodeGen/
16 lines
test/
CodeGen/
Generic/
338 lines

Diff 248522

llvm/lib/CodeGen/StackProtector.cpp

Show First 20 LinesShow All 183 Lines▼ Show 20 Lines case Instruction::Call: {
// TODO: Narrow this to intrinsics that have store-like effects. // TODO: Narrow this to intrinsics that have store-like effects.
const auto *CI = cast<CallInst>(I); const auto *CI = cast<CallInst>(I);
if (!isa<DbgInfoIntrinsic>(CI) && !CI->isLifetimeStartOrEnd()) if (!isa<DbgInfoIntrinsic>(CI) && !CI->isLifetimeStartOrEnd())
return true; return true;
break; break;
} }
case Instruction::Invoke: case Instruction::Invoke:
return true; return true;
case Instruction::GetElementPtr: {
// If the GEP offset is out-of-bounds, or is non-constant and so has to be
// assumed to be out-of-bounds, then any memory access that would use it
probinsonUnsubmitted
Done
ReplyInline Actions

potentially out-of-bounds

probinson: potentially out-of-bounds
// would also have to be out-of-bounds meaning stack protection is
probinsonUnsubmitted
Done
ReplyInline Actions

s/would also have to be/could also be/

probinson: s/would also have to be/could also be/
// required.
const GetElementPtrInst *GEP = cast<GetElementPtrInst>(I);
const DataLayout &DL = M->getDataLayout();
unsigned TypeSize = DL.getIndexTypeSizeInBits(I->getType());
APInt Offset(TypeSize, 0);
APInt MaxOffset(TypeSize, DL.getTypeStoreSize(
efriedmaUnsubmitted
Not Done
ReplyInline Actions

Can we just compute ResultSize as "AllocSize - Offset"? (That's obviously correct, and I'm not convinced that using the size of getResultElementType() does the right thing here.)

efriedma: Can we just compute ResultSize as "AllocSize - Offset"? (That's obviously correct, and I'm not…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

I think we can. Currently the offset check is done in a way that also checks if the end of the addressed member is past the end of the allocation, but just checking that the start is within the allocation and then reducing the remaining size by the offset will mean we check at the time we see a memory access that it's not too large for the remaining space.

john.brawn: I think we can. Currently the offset check is done in a way that also checks if the end of the…
AI->getType()->getPointerElementType()));
Lint: Pre-merge checks
Inline Actions

clang-format: please reformat the code

-                        AI->getType()->getPointerElementType()));
+                                    AI->getType()->getPointerElementType()));
Lint: Pre-merge checks: clang-format: please reformat the code ``` - AI->getType()…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

I think AllocaInst has a getAllocatedType, or something like that?

Should use getTypeAllocSize, since that's what actually determines the number of bytes allocated.

efriedma: I think AllocaInst has a getAllocatedType, or something like that? Should use getTypeAllocSize…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

I think AllocaInst has a getAllocatedType, or something like that?

AI isn't necessarily an AllocaInst, e.g. we could be looking at a GEP of a GEP or a GEP of a PHI.

Should use getTypeAllocSize, since that's what actually determines the number of bytes allocated.

Will do.

john.brawn: > I think AllocaInst has a getAllocatedType, or something like that? AI isn't necessarily an…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

Oh, I see, the function recurses.

I don't think the recursion works correctly in general. The values that actually matter are the current offset, determined recursively, the size of the original alloca, and the size of any memory operations using the result of the GEP. Using the size of the GEP's operand type doesn't work correctly in general; in particular, if there's another GEP or bitcast in the recursive chain of uses, you can come up with the wrong result.

efriedma: Oh, I see, the function recurses. I don't think the recursion works correctly in general. The…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

I think adding a check that bitcast doesn't bitcast to a larger type should be enough to handle this. If we have a GEP of a GEP then each one will make sure that the offset is within the bounds of the specific type it's handling. Doing it like this does mean that for something like

int fn() {
  int arr[4][4];
  return arr[0][5];
}

we say it's an out-of-bounds access when it doesn't actually access outside of the underlying object, but I don't think handling this kind of case is worth the added complexity.

john.brawn: I think adding a check that bitcast doesn't bitcast to a larger type should be enough to handle…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

That's still not enough given the way you're doing the check. Consider if someone writes something like

struct X { int a[10][10]; int b; };
struct X x;
int (*p)[10] = &x.a[10];
int z = a[5];

This lowers to two GEPs; neither is "out-of-bounds" in the sense you're checking.

You could try to enforce that each index of each GEP is in the valid range, I guess.

efriedma: That's still not enough given the way you're doing the check. Consider if someone writes…
if (!GEP->accumulateConstantOffset(DL, Offset) || Offset.uge(MaxOffset))
return true;
}
LLVM_FALLTHROUGH;
case Instruction::BitCast: case Instruction::BitCast:
case Instruction::GetElementPtr:
case Instruction::Select: case Instruction::Select:
case Instruction::AddrSpaceCast: case Instruction::AddrSpaceCast:
if (HasAddressTaken(I)) if (HasAddressTaken(I))
return true; return true;
break; break;
arsenmUnsubmitted
Not Done
ReplyInline Actions

This is introducing new dependences on the deprecated pointee type. No decisions should be made based on this

arsenm: This is introducing new dependences on the deprecated pointee type. No decisions should be made…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

I don't see anything in Type.h about getPointerElementType being deprecated, but looking at Instructions.h I see mention of "opaque pointer types", is this what you're talking about? Looking at http://lists.llvm.org/pipermail/llvm-dev/2019-December/137684.html (which is the best I could find for what it means) it looks like instead of

%var = alloca i32, align 4
%bitcast = i32* %var to %i64
store i64 0, i32* %bitcast

we'll have

%var = alloca i32, align 4
store i64 0, p0 %var

So it looks like I should be checking the type at the load/store instead?

john.brawn: I don't see anything in Type.h about getPointerElementType being deprecated, but looking at…
arsenmUnsubmitted
Not Done
ReplyInline Actions

Yes, pointer types should be assumed to be opaque now. Only the type on the use instruction is meaningful

arsenm: Yes, pointer types should be assumed to be opaque now. Only the type on the use instruction is…
case Instruction::PHI: { case Instruction::PHI: {
// Keep track of what PHI nodes we have already visited to ensure // Keep track of what PHI nodes we have already visited to ensure
// they are only visited once. // they are only visited once.
const auto *PN = cast<PHINode>(I); const auto *PN = cast<PHINode>(I);
if (VisitedPHIs.insert(PN).second) if (VisitedPHIs.insert(PN).second)
if (HasAddressTaken(PN)) if (HasAddressTaken(PN))
return true; return true;
break; break;
▲ Show 20 LinesShow All 365 LinesShow Last 20 Lines

llvm/test/CodeGen/Generic/stack-guard-oob.ll

  • This file was added.
; RUN: llc -mtriple=aarch64 -O0 < %s | FileCheck %s
; RUN: llc -mtriple=armv7a -O0 < %s | FileCheck %s
; RUN: llc -mtriple=thumbv7m -O0 < %s | FileCheck %s
; RUN: llc -mtriple=i686 -O0 < %s | FileCheck %s
; RUN: llc -mtriple=x86_64 -O0 < %s | FileCheck %s
; CHECK-LABEL: in_bounds
probinsonUnsubmitted
Done
ReplyInline Actions

REQUIRES: aarch64-registered-target
REQUIRES: arm-registered-target
REQUIRES: x86-registered-target

probinson: REQUIRES: aarch64-registered-target REQUIRES: arm-registered-target REQUIRES: x86-registered…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

I think it makes more sense instead to split this into three separate tests (which just use the same input file in test/Codegen/Inputs, like we do with stack-guard-reassign.ll), so we don't need to requiring all targets if we want to test any of them.

john.brawn: I think it makes more sense instead to split this into three separate tests (which just use the…
; CHECK-NOT: __stack_chk_guard
probinsonUnsubmitted
Done
ReplyInline Actions

When CHECK-LABEL specifies an actual label, it's best to include the appropriate punctuation; so, CHECK-LABEL: in_bounds: and so on throughout.

probinson: When CHECK-LABEL specifies an actual label, it's best to include the appropriate punctuation…
define i32 @in_bounds() #0 {
%var = alloca i32, align 4
store i32 0, i32* %var, align 4
%gep = getelementptr inbounds i32, i32* %var, i32 0
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: constant_out_of_bounds
; CHECK: __stack_chk_guard
define i32 @constant_out_of_bounds() #0 {
%var = alloca i32, align 4
store i32 0, i32* %var, align 4
%gep = getelementptr inbounds i32, i32* %var, i32 1
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: nonconstant_out_of_bounds
; CHECK: __stack_chk_guard
define i32 @nonconstant_out_of_bounds(i32 %n) #0 {
%var = alloca i32, align 4
store i32 0, i32* %var, align 4
%gep = getelementptr inbounds i32, i32* %var, i32 %n
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_before_gep_in_bounds
; CHECK-NOT: __stack_chk_guard
define i32 @phi_before_gep_in_bounds(i32 %k) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %then
if:
br label %then
then:
%ptr = phi i32* [ %var1, %entry ], [ %var2, %if ]
%gep = getelementptr inbounds i32, i32* %ptr, i32 0
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_before_gep_constant_out_of_bounds
; CHECK: __stack_chk_guard
define i32 @phi_before_gep_constant_out_of_bounds(i32 %k) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %then
if:
br label %then
then:
%ptr = phi i32* [ %var1, %entry ], [ %var2, %if ]
%gep = getelementptr inbounds i32, i32* %ptr, i32 1
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_before_gep_nonconstant_out_of_bounds
; CHECK: __stack_chk_guard
define i32 @phi_before_gep_nonconstant_out_of_bounds(i32 %k, i32 %n) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %then
if:
br label %then
then:
%ptr = phi i32* [ %var1, %entry ], [ %var2, %if ]
%gep = getelementptr inbounds i32, i32* %ptr, i32 %n
%ret = load i32, i32* %gep, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_after_gep_in_bounds
; CHECK-NOT: __stack_chk_guard
define i32 @phi_after_gep_in_bounds(i32 %k) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %else
if:
%gep1 = getelementptr inbounds i32, i32* %var1, i32 0
br label %then
else:
%gep2 = getelementptr inbounds i32, i32* %var2, i32 0
br label %then
then:
%ptr = phi i32* [ %gep1, %if ], [ %gep2, %else ]
%ret = load i32, i32* %ptr, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_after_gep_constant_out_of_bounds_a
; CHECK: __stack_chk_guard
define i32 @phi_after_gep_constant_out_of_bounds_a(i32 %k) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %else
if:
%gep1 = getelementptr inbounds i32, i32* %var1, i32 0
br label %then
else:
%gep2 = getelementptr inbounds i32, i32* %var2, i32 1
br label %then
then:
%ptr = phi i32* [ %gep1, %if ], [ %gep2, %else ]
%ret = load i32, i32* %ptr, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_after_gep_constant_out_of_bounds_b
; CHECK: __stack_chk_guard
define i32 @phi_after_gep_constant_out_of_bounds_b(i32 %k) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %else
if:
%gep1 = getelementptr inbounds i32, i32* %var1, i32 1
br label %then
else:
%gep2 = getelementptr inbounds i32, i32* %var2, i32 0
br label %then
then:
%ptr = phi i32* [ %gep1, %if ], [ %gep2, %else ]
%ret = load i32, i32* %ptr, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_after_gep_nonconstant_out_of_bounds_a
; CHECK: __stack_chk_guard
define i32 @phi_after_gep_nonconstant_out_of_bounds_a(i32 %k, i32 %n) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %else
if:
%gep1 = getelementptr inbounds i32, i32* %var1, i32 0
br label %then
else:
%gep2 = getelementptr inbounds i32, i32* %var2, i32 %n
br label %then
then:
%ptr = phi i32* [ %gep1, %if ], [ %gep2, %else ]
%ret = load i32, i32* %ptr, align 4
ret i32 %ret
}
; CHECK-LABEL: phi_after_gep_nonconstant_out_of_bounds_b
; CHECK: __stack_chk_guard
define i32 @phi_after_gep_nonconstant_out_of_bounds_b(i32 %k, i32 %n) #0 {
entry:
%var1 = alloca i32, align 4
%var2 = alloca i32, align 4
store i32 0, i32* %var1, align 4
store i32 0, i32* %var2, align 4
%cmp = icmp ne i32 %k, 0
br i1 %cmp, label %if, label %else
if:
%gep1 = getelementptr inbounds i32, i32* %var1, i32 %n
br label %then
else:
%gep2 = getelementptr inbounds i32, i32* %var2, i32 0
br label %then
then:
%ptr = phi i32* [ %gep1, %if ], [ %gep2, %else ]
%ret = load i32, i32* %ptr, align 4
ret i32 %ret
}
%struct.outer = type { %struct.inner, %struct.inner }
%struct.inner = type { i32, i32 }
; CHECK-LABEL: struct_in_bounds
; CHECK-NOT: __stack_chk_guard
define void @struct_in_bounds() #0 {
%var = alloca %struct.outer, align 4
%outergep = getelementptr inbounds %struct.outer, %struct.outer* %var, i32 0, i32 1
%innergep = getelementptr inbounds %struct.inner, %struct.inner* %outergep, i32 0, i32 1
store i32 0, i32* %innergep, align 4
ret void
}
; CHECK-LABEL: struct_constant_out_of_bounds_a
; CHECK: __stack_chk_guard
define void @struct_constant_out_of_bounds_a() #0 {
%var = alloca %struct.outer, align 4
%outergep = getelementptr inbounds %struct.outer, %struct.outer* %var, i32 1, i32 0
%innergep = getelementptr inbounds %struct.inner, %struct.inner* %outergep, i32 0, i32 0
store i32 0, i32* %innergep, align 4
ret void
}
; CHECK-LABEL: struct_constant_out_of_bounds_b
; CHECK: __stack_chk_guard
define void @struct_constant_out_of_bounds_b() #0 {
%var = alloca %struct.outer, align 4
%outergep = getelementptr inbounds %struct.outer, %struct.outer* %var, i32 0, i32 0
%innergep = getelementptr inbounds %struct.inner, %struct.inner* %outergep, i32 1, i32 0
store i32 0, i32* %innergep, align 4
ret void
}
; CHECK-LABEL: struct_nonconstant_out_of_bounds_a
; CHECK: __stack_chk_guard
define void @struct_nonconstant_out_of_bounds_a(i32 %n) #0 {
%var = alloca %struct.outer, align 4
%outergep = getelementptr inbounds %struct.outer, %struct.outer* %var, i32 %n, i32 0
%innergep = getelementptr inbounds %struct.inner, %struct.inner* %outergep, i32 0, i32 0
store i32 0, i32* %innergep, align 4
ret void
}
; CHECK-LABEL: struct_nonconstant_out_of_bounds_b
; CHECK: __stack_chk_guard
define void @struct_nonconstant_out_of_bounds_b(i32 %n) #0 {
%var = alloca %struct.outer, align 4
%outergep = getelementptr inbounds %struct.outer, %struct.outer* %var, i32 0, i32 0
%innergep = getelementptr inbounds %struct.inner, %struct.inner* %outergep, i32 %n, i32 0
store i32 0, i32* %innergep, align 4
ret void
}
; CHECK-LABEL: loop_inbounds
; CHECK-NOT: __stack_chk_guard
define void @loop_inbounds(i32 %k) #0 {
entry:
%var = alloca i32, align 4
br label %loop
loop:
%idx = phi i32 [ %k, %entry ], [ %idx.next, %loop ]
%ptr = phi i32* [ %var, %entry ], [ %ptr.next, %loop ]
store i32 %idx, i32* %ptr, align 4
%ptr.next = getelementptr inbounds i32, i32* %ptr, i64 0
%idx.next = add nsw i32 %idx, -1
%cond = icmp eq i32 %idx.next, 0
br i1 %cond, label %exit, label %loop
exit:
ret void
}
; CHECK-LABEL: loop_constant_out_of_bounds
; CHECK: __stack_chk_guard
define void @loop_constant_out_of_bounds(i32 %k) #0 {
entry:
%var = alloca i32, align 4
br label %loop
loop:
%idx = phi i32 [ %k, %entry ], [ %idx.next, %loop ]
%ptr = phi i32* [ %var, %entry ], [ %ptr.next, %loop ]
store i32 %idx, i32* %ptr, align 4
%ptr.next = getelementptr inbounds i32, i32* %ptr, i32 1
%idx.next = add nsw i32 %idx, -1
%cond = icmp eq i32 %idx.next, 0
br i1 %cond, label %exit, label %loop
exit:
ret void
}
; CHECK-LABEL: loop_nonconstant_out_of_bounds
; CHECK: __stack_chk_guard
define void @loop_nonconstant_out_of_bounds(i32 %k, i32 %n) #0 {
entry:
%var = alloca i32, align 4
br label %loop
loop:
%idx = phi i32 [ %k, %entry ], [ %idx.next, %loop ]
%ptr = phi i32* [ %var, %entry ], [ %ptr.next, %loop ]
store i32 %idx, i32* %ptr, align 4
%ptr.next = getelementptr inbounds i32, i32* %ptr, i32 %n
%idx.next = add nsw i32 %idx, -1
%cond = icmp eq i32 %idx.next, 0
br i1 %cond, label %exit, label %loop
exit:
ret void
}
attributes #0 = { sspstrong }