This is an archive of the discontinued LLVM Phabricator instance.

Differential D7583

asan: do not instrument direct inbounds accesses to stack variables
AbandonedPublic

Authored by dvyukov on Feb 12 2015, 4:50 AM.

Details

Reviewers
kcc
nlopes
Summary

This is most likely wrong.

But it eliminates 33% of instrumentation on webrtc/modules_unittests (number of memory accesses goes down from 290152 to 193998) and reduces binary size by 15% (from 74M to 64M) _and_ all existing asan tests pass.
This means that either our tests are bad or we are missing a good optimization opportunity.

Currently we instrument even the following code, which looks wrong:

define void @foo() uwtable sanitize_address {
entry:

%a = alloca i32, align 4
store i32 42, i32* %a, align 4
ret void

}

I've found one case which fails with this change. We do not instrument the store in this case:

define void @bar() sanitize_address {
entry:

%a = alloca [10 x i32], align 4
%e = getelementptr inbounds [10 x i32]* %a, i32 0, i64 12
store i32 42, i32* %e, align 4
ret void

; CHECK-LABEL: define void @bar
; CHECK: __asan_report
; CHECK: ret void
}

However, compiler should be able to recognize such cases (and it does because it issues a warning).

I am a bit lost.
There is Value::isGEPWithNoNotionalOverIndexing which looks like what we need (should eliminate array accesses with constant inbounds indices and struct field accesses). However, it does not give the desired effect.
Value::stripInBoundsConstantOffsets also looks like what we need and it gives the desired effect. However, there is a note that "Value::isGEPWithNoNotionalOverIndexing is not equivalant to, a subset of, or a superset of the "inbounds" property". Which suggests that stripInBoundsConstantOffsets is not what we want.

Also, is it possible to refer to an AllocaInst outside of its lifetime? It is not possible in C/C++ due to scoping rules, you simply can't mention a name that is out of scope. However, I am not sure about llvm and its transformations.

I am looking for advice here.

Diff Detail

Event Timeline

dvyukov updated this revision to Diff 19817.Feb 12 2015, 4:50 AM
dvyukov retitled this revision from to asan: do not instrument direct inbounds accesses to stack variables.
dvyukov updated this object.
dvyukov edited the test plan for this revision. (Show Details)
dvyukov added reviewers: kcc, chandlerc.
dvyukov added a subscriber: Unknown Object (MLST).
dvyukov added a comment.Feb 12 2015, 5:29 AM

To make it clear, I want to eliminate instrumentation of locals within its lifetime (so it is not a use-after-scope) and that is known to be inbounds (that is, direct accesses, field accesses and array element accesses with constant indices; so it is not a out-of-bounds).

kcc added inline comments.Feb 17 2015, 5:34 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
920

mega cool.
Let's put it under a flag e.g. asan-opt-stack-inbounds (off by default) and play with it more.

924

remove this then?

dvyukov added inline comments.Feb 17 2015, 10:48 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
920

Is it possible to make it work correctly? I am lost in all possible llvm predicates and their meaning. I don't understand how "int x[10]; x[12] = 1" can be an "in bounds constant offset".

kcc mentioned this in D7741: Skip promotable allocas to improve performance at -O0.Feb 23 2015, 3:37 PM
zaks.anna added a subscriber: zaks.anna.Feb 23 2015, 4:18 PM

stripInBoundsConstantOffsets is not want you want, see the definition of "inbounds" ( http://llvm.org/docs/LangRef.html#getelementptr-instruction)
"If the inbounds keyword is present, the result value of the getelementptr is a poison value if the base pointer is not an in bounds address of an allocated object, or if any of the addresses that would be formed by successive addition of the offsets implied by the indices to the base address with infinitely precise signed arithmetic are not an in bounds address of that allocated object. The in bounds addresses for an allocated object are all the addresses that point into the object, plus the address one byte past the end. In cases where the base is a vector of pointers the inbounds keyword applies to each of the computations element-wise."

I recall Nuno Lopes working on reducing the number of bounce checks, but all I can find is this:
./lib/Transforms/Instrumentation/BoundsChecking.cpp

kubamracek added a subscriber: kubamracek.Feb 24 2015, 3:40 AM
dvyukov updated this revision to Diff 20592.Feb 24 2015, 6:01 AM

Rewrote to use SizeOffsetEvalType.compute to find inbounds accesses.

dvyukov added a comment.Feb 24 2015, 6:03 AM

Thank you, Anna!

Changed the code to use SizeOffsetEvalType.compute to find inbounds accesses.
This patch still eliminates ~33% of accesses and binaries are 15% smaller. All existing and new tests pass.

Anna, does it fix the issue that you are trying to solve in the other patch?

Kostya, PTAL.

zaks.anna added a comment.Feb 24 2015, 11:03 AM

How are you getting the speedup/size improvement measurements? Are these at -O1 or -O0?

When comparing to my patch, the intend of this patch is to be more aggressive in removing bounds checking. My patch does not introduce any improvement at optimization levels higher than -O0 and is trying to simulate mem2reg. On the other hand, the analysis here are more aggressive in the checks it removes. For example, my patch would not remove provably in bounds array accesses with constant offset and it does not do anything for non-alloca values.

On the other hand, with my patch, the allocas that are known not to have instrumented accesses do not get poisoned. Currently, this patch is only targeting removal of bounds checking. Also, I am not sure what is the compile time overhead this brings and how reliable it is since I don't think ObjectSizeOffsetEvaluator is used much.

I preference is to have this on top of non-promotable allocas.

lib/Transforms/Instrumentation/AddressSanitizer.cpp
18

These seem out of place - should be moved after ADT.

205

This makes me nervous. I don't think ObjectSizeOffsetEvaluator is used much. This should probably go through more testing, though I am not sure how to catch issues here since we are removing checking.

435

const?

1515

/*RoundToAlign=*/true

2064

Why not use getTypeStoreSize()?

uint64_t getTypeStoreSizeInBits(Type *Ty) const {
  return 8 * getTypeStoreSize(Ty);
}

Also, is overflow possible in these calculations?

zaks.anna added a comment.Feb 24 2015, 11:08 AM

Also, I believe removal of all unnecessary checks is a bigger task. If we want to ensure that all possible out of bounds accesses are instrumented, we'd have to do something similar to what Chandler suggested in the other thread. That would eliminate the false negatives that are now possible at -O1 and higher. We'd need to have an instrumentation pass that runs early on and instruments accesses before the optimizer kicks in. Later, we would work with LLVM analysis to remove those checks.

Here is the answer from Nuno on bounds check removal. Enjoy:)

"The file you mention is the instrumentation pass. It is pretty dumb: it basically instruments any memory write (it just performs one optimization to reduce the cost of the check if certain conditions hold; but it always introduces the check). So this one is not interesting for AddressSanitizer (the likelihood it can detect anything that ASan cannot detect is very small; the idea was to have something with a very small overhead to deploy on release builds). It can detect overflows that Valgrind cannot btw.

The part about removing checks is done by several passes which are run by default (with -O2). Instcombine can remove some checks, then Transforms/Scalar/CorrelatedValuePropagation.cpp performs range analysis to delete checks that are always safe. This analysis existed previously, but it had a bunch of problems and shortcomings.
The range analysis is in Analysis/LazyValueInfo.cpp. It's still fundamentally weak, because of the way it traverses basic-blocks to constrain the range due to branching conditions. We have discussed this quite a bit, but the major improvements were never implemented (ask me if you want more details).

There's also Analysis/MemoryBuiltins.cpp. This analysis provides (static or dynamic) information about the allocated size of an object (and knows about malloc, stack, etc).

A very important aspect of reducing the overhead of bounds checks is to hoist them out of loops. By default, LLVM cannot and won't do this. The reason is that it's not legal to move a function that has side-effects (namely terminate the application) because LLVM has precise exception semantics. However, for bounds checks we don't really care; if we know that the program will crash inside the loop, why not crash it sooner? (well, there's a price to pay, of course. the state of the program will be different when looking through a debugger, but I think that's ok).
Again, right now LLVM cannot do this transformation. At the time, I proposed that we introduced an "antecipable" trap to the IR. Something that the compiler could move freely up to the beginning of the function (or of the program), as long as we know it would only execute if it executed in the original program.
An example makes it clear I guess:

for (i=0; i < n; ++i) {

if (a[i] out of bounds)
  antecipable_trap();
a[i] = …;

}

Transform to:

if (any of a[0..n-1] out of bounds)

antecipable_trap();

for (i=0; i < n; ++i) {

a[i] = …;

}

This is an obvious transformation. Without it, vectorization will not kick in at all (since it is mostly oblivious about multiple exit loops). Anyway, this is something for the backend guys to work on. It isn't very hard to implement; it just hasn't been done.

The other thing that has been committed recently to LLVM (last month) is a loop splitter (Transforms/Scalar/InductiveRangeCheckElimination.cpp). The idea is that if we can prove that in the first x iterations of the loop, everything is in bounds, then we can duplicate the loop, and remove all checks from the first loop. This increases code size, but can enable many optimizations on the first x iterations (which we hope will be the majority, but that's only a hope).

Finally, how does all of this applies to ASan? I don't know. Sorry, I never took a look to how ASan instruments stuff. If it exposes, say, the bounds checks in the IR (i.e., if the comparison is inlined in the IR), then current transformation passes will look at that and try to optimized them away (with the caveat there is still work required on the backend). If ASan just introduces a function call (e.g., check_pointer_is_ok(%p)), then the optimizers have no clue what that function does and will not touch it. Of course it is possible to patch, say, the CVP pass to know about these ASan functions and then reuse the same range analysis. Or, alternatively, build a simple pass that is only runs when ASan is used and that queries current analyses.
So, yes, building analyses from scratch doesn't make sense IMHO. It should be possible to reuse what LLVM already has. Then, how to use the information is a different story, but grepping for ASan functions in the IR and using current analyses shouldn't be a hard task (again, I have no clue how ASan works).
ASan also has stronger guarantees that my bounds checkers. For example, I don't check if the object has been deleted in the meantime. And ASan does. So the analysis has to work a bit harder (basically check liveness of objects as well as the size; but then if we only managed to get one piece of information but not the other, probably it's possible to optimize the check).

Ok, so I think the email is already quite long, but feel free to ask me for more details. I just tried to give an overview of what LLVM can and cannot do. I'm sorry I don't know more about ASan to give you a more concrete answer.

Nuno"

kcc added inline comments.Feb 24 2015, 6:16 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
205

ouch. Indeed, don't make it true by default for now.
Unfortunately, I don't know any good way to test complex optimizations that eliminate checks,
and so I don't know what it will take us to enable this by default.
But at least having this code in trunk will simplify the experiments.

dvyukov updated this revision to Diff 20673.Feb 25 2015, 7:09 AM
dvyukov updated this revision to Diff 20674.Feb 25 2015, 7:12 AM

uploaded new patch

lib/Transforms/Instrumentation/AddressSanitizer.cpp
18

Done

205

changed default value to false

435

done

1515

done

2064

done

These are int64's. I don't see how overflow can happen.

dvyukov added a comment.Feb 25 2015, 7:18 AM
In D7583#129129, @zaks.anna wrote:

How are you getting the speedup/size improvement measurements? Are these at -O1 or -O0?

I compiled a large program with -O2 and measured binary size difference.
Then compiled with -O2 and call threshold set to -1 and objdump -d | grep "call.*__asan_report_" | wc -l

When comparing to my patch, the intend of this patch is to be more aggressive in removing bounds checking. My patch does not introduce any improvement at optimization levels higher than -O0 and is trying to simulate mem2reg. On the other hand, the analysis here are more aggressive in the checks it removes. For example, my patch would not remove provably in bounds array accesses with constant offset and it does not do anything for non-alloca values.

On the other hand, with my patch, the allocas that are known not to have instrumented accesses do not get poisoned. Currently, this patch is only targeting removal of bounds checking. Also, I am not sure what is the compile time overhead this brings and how reliable it is since I don't think ObjectSizeOffsetEvaluator is used much.

I preference is to have this on top of non-promotable allocas.

I am perfectly OK with it. But what do I know?

dvyukov added a comment.Feb 25 2015, 7:24 AM

Also, I believe removal of all unnecessary checks is a bigger task.

I would say it is an infinite task. Besides loops there are also access coalescing, inter-BB duduplication, range deduplication (if we checked [this, this+X), then we may omit checks of everything in [this, this+X)), figuring out what calls can actually free what objects, etc.

nlopes requested changes to this revision.Feb 25 2015, 8:40 AM
nlopes added a reviewer: nlopes.
nlopes added a subscriber: nlopes.

You should use ObjectSizeOffsetVisitor instead of ObjectSizeOffsetEvaluator. The interface is the similar, but it gives up when the object size is not constant, while the later may insert new instructions in the code. ObjectSizeOffsetVisitor is well tested (it's used by alias analysis, for example).

Second, the inbounds check is unsound (it may overflow -- check the prove here: http://rise4fun.com/Z3/PVrF). The correct set of checks are the following 3:

  • Offset >= 0 (signed; you have this one)
  • Size >= Offset (unsigned)
  • Size - Offset >= AccessSize (unsigned)

Finally, you cannot derive the access size from "DL->getTypeStoreSize(OrigTy)". For example, just because an array has elements of size 4, it doesn't mean that all stores must be of size 4. You can have done a bitcast, and stored 8 bytes. Basically you need to get hold of the element stored and check its store size.

After fixing these 3 issues, I think the patch becomes correct and desirable for commit.

This revision now requires changes to proceed.Feb 25 2015, 8:40 AM
dvyukov updated this revision to Diff 21107.Mar 3 2015, 8:05 AM
dvyukov edited edge metadata.

Thanks for the review, Nuno!
All you three comments are addressed. Please take another look.

dberlin added a subscriber: dberlin.Mar 3 2015, 12:50 PM

FWIW: This optimization looks right to me.
GVN uses similar logic to do an optimization to loads it can prove come directly from allocation functions.

lib/Transforms/Instrumentation/AddressSanitizer.cpp
2055

You may want to look if this does a better/worse job than GetPointerBaseWithConstantOffset

(This is what GVN, DeadStoreElimination, etc use to do what you are doing here - compute the pointer base and constant offset, make sure they match, then they use getTypeSizeInBits to compare the sizes)

chandlerc accepted this revision.Mar 3 2015, 4:55 PM
chandlerc edited edge metadata.

This looks very good to me as well. I think you can submit now. The remaining issues are I think quite minor.

However, I would love to find some form of naming that doesn't so easily confuse the GEP "inbounds" keyword with this check. Sadly, I can't come up with any good ideas. Maybe just talk about "safe" in the APIs and explain what the object size check is computing, etc.? Anyways, a minor point.

If this causes a compile-time regression, it should be easy to track down. You might do a quick sanity check for some big inputs Dmitry, since it seems like you have them.

Danny, I'm pretty sure that the object size code is newer and should at least in theory be more powerful than just getting the base address. I could be wrong though. Still, easy to switch to that in a follow-up if needed.

lib/Transforms/Instrumentation/AddressSanitizer.cpp
410–412

Surely clang-format puts this 'const' somewhere else...

dvyukov updated this revision to Diff 21178.Mar 4 2015, 1:29 AM
dvyukov edited edge metadata.

applied clang-format

dvyukov added a comment.Mar 4 2015, 1:38 AM

Chandler,

I've applied clang-format.

Renamed s/inbounds/safe/. Comment above the function explains the meaning of safe.

Regarding compilation speed. On top of removing instrumentation and reducing binary size, it also speedups compilation (less stuff for backed to deal with). I've tested on llvm's largest source file lib/Target/X86/X86ISelLowering.cpp.

current without asan -O0:
real 0m4.847s
real 0m4.813s
real 0m4.776s
(I cross-checked that the new compiler has the same performance)

current -fsanitize=address -O0
real 0m7.191s
real 0m7.257s
real 0m7.183s

new -fsanitize=address -O0
real 0m6.619s
real 0m6.798s
real 0m6.722s
(~-6.4%)

current -fsanitize=address -O1
real 0m17.466s
real 0m17.553s
real 0m17.449s

new -fsanitize=address -O1
real 0m15.908s
real 0m15.853s
real 0m15.329s
(~-12.15%)

current -fsanitize=address -O2
real 0m24.337s
real 0m24.246s
real 0m24.604s

new -fsanitize=address -O2
real 0m23.662s
real 0m23.430s
real 0m23.400s
(~-3.49%)

Object file size:
w/o asan: 1228800
current with asan: 3658480 (+197.73%)
new with asan: 3444760 (-5.84%)

Amount of instrumentation (since it is just an object file, I grepped for "callq"):
w/o asan: 8235
current with asan: 37342
new with asan: 33706 (-12.5%)

dvyukov updated this revision to Diff 21193.Mar 4 2015, 5:25 AM

Reformat code with -style=Google, because otherwise linter in check-all barks.

dvyukov added a comment.Mar 4 2015, 5:30 AM

Committed in rev 231241.
We also need some plan for testing and enabling such optimization by default.

chandlerc removed a reviewer: chandlerc.Mar 29 2015, 7:58 PM
nlopes resigned from this revision.Jul 26 2017, 5:58 AM
dvyukov abandoned this revision.Apr 15 2021, 1:19 AM
Herald added a subscriber: jfb. · View Herald TranscriptApr 15 2021, 1:19 AM

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
550 lines
test/
Instrumentation/
AddressSanitizer/
48 lines

Diff 21193

lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show All 9 Lines
// This file is a part of AddressSanitizer, an address sanity checker. // This file is a part of AddressSanitizer, an address sanity checker.
// Details of the algorithm: // Details of the algorithm:
// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm // http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/Transforms/Instrumentation.h" #include "llvm/Transforms/Instrumentation.h"
#include "llvm/ADT/ArrayRef.h" #include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/DenseMap.h" #include "llvm/ADT/DenseMap.h"
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

These seem out of place - should be moved after ADT.

zaks.anna: These seem out of place - should be moved after ADT.
dvyukovAuthorUnsubmitted
Not Done
ReplyInline Actions

Done

dvyukov: Done
#include "llvm/ADT/DenseSet.h" #include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/DepthFirstIterator.h" #include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/ADT/SmallSet.h" #include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/Triple.h" #include "llvm/ADT/Triple.h"
#include "llvm/Analysis/MemoryBuiltins.h"
#include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/Analysis/ValueTracking.h"
#include "llvm/IR/CallSite.h" #include "llvm/IR/CallSite.h"
#include "llvm/IR/DIBuilder.h" #include "llvm/IR/DIBuilder.h"
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
#include "llvm/IR/Dominators.h" #include "llvm/IR/Dominators.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h" #include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h" #include "llvm/IR/InlineAsm.h"
#include "llvm/IR/InstVisitor.h" #include "llvm/IR/InstVisitor.h"
Show All 31 Lines
static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 41; static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 41;
static const uint64_t kMIPS32_ShadowOffset32 = 0x0aaa0000; static const uint64_t kMIPS32_ShadowOffset32 = 0x0aaa0000;
static const uint64_t kMIPS64_ShadowOffset64 = 1ULL << 37; static const uint64_t kMIPS64_ShadowOffset64 = 1ULL << 37;
static const uint64_t kAArch64_ShadowOffset64 = 1ULL << 36; static const uint64_t kAArch64_ShadowOffset64 = 1ULL << 36;
static const uint64_t kFreeBSD_ShadowOffset32 = 1ULL << 30; static const uint64_t kFreeBSD_ShadowOffset32 = 1ULL << 30;
static const uint64_t kFreeBSD_ShadowOffset64 = 1ULL << 46; static const uint64_t kFreeBSD_ShadowOffset64 = 1ULL << 46;
static const uint64_t kWindowsShadowOffset32 = 3ULL << 28; static const uint64_t kWindowsShadowOffset32 = 3ULL << 28;
static const size_t kMinStackMallocSize = 1 << 6; // 64B static const size_t kMinStackMallocSize = 1 << 6; // 64B
static const size_t kMaxStackMallocSize = 1 << 16; // 64K static const size_t kMaxStackMallocSize = 1 << 16; // 64K
static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3;
static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E;
static const char *const kAsanModuleCtorName = "asan.module_ctor"; static const char *const kAsanModuleCtorName = "asan.module_ctor";
static const char *const kAsanModuleDtorName = "asan.module_dtor"; static const char *const kAsanModuleDtorName = "asan.module_dtor";
static const uint64_t kAsanCtorAndDtorPriority = 1; static const uint64_t kAsanCtorAndDtorPriority = 1;
static const char *const kAsanReportErrorTemplate = "__asan_report_"; static const char *const kAsanReportErrorTemplate = "__asan_report_";
static const char *const kAsanReportLoadN = "__asan_report_load_n"; static const char *const kAsanReportLoadN = "__asan_report_load_n";
static const char *const kAsanReportStoreN = "__asan_report_store_n"; static const char *const kAsanReportStoreN = "__asan_report_store_n";
static const char *const kAsanRegisterGlobalsName = "__asan_register_globals"; static const char *const kAsanRegisterGlobalsName = "__asan_register_globals";
static const char *const kAsanUnregisterGlobalsName = static const char *const kAsanUnregisterGlobalsName =
"__asan_unregister_globals"; "__asan_unregister_globals";
static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init"; static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init";
static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init"; static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init";
static const char *const kAsanInitName = "__asan_init_v5"; static const char *const kAsanInitName = "__asan_init_v5";
static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp"; static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp";
static const char *const kAsanPtrSub = "__sanitizer_ptr_sub"; static const char *const kAsanPtrSub = "__sanitizer_ptr_sub";
static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return"; static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return";
static const int kMaxAsanStackMallocSizeClass = 10; static const int kMaxAsanStackMallocSizeClass = 10;
static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_"; static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_";
static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_"; static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_";
static const char *const kAsanGenPrefix = "__asan_gen_"; static const char *const kAsanGenPrefix = "__asan_gen_";
static const char *const kSanCovGenPrefix = "__sancov_gen_"; static const char *const kSanCovGenPrefix = "__sancov_gen_";
static const char *const kAsanPoisonStackMemoryName = static const char *const kAsanPoisonStackMemoryName =
"__asan_poison_stack_memory"; "__asan_poison_stack_memory";
static const char *const kAsanUnpoisonStackMemoryName = static const char *const kAsanUnpoisonStackMemoryName =
"__asan_unpoison_stack_memory"; "__asan_unpoison_stack_memory";
Show All 13 Lines
static const unsigned kAsanAllocaRightMagic = 0xcbcbcbcbU; static const unsigned kAsanAllocaRightMagic = 0xcbcbcbcbU;
static const unsigned kAsanAllocaPartialVal1 = 0xcbcbcb00U; static const unsigned kAsanAllocaPartialVal1 = 0xcbcbcb00U;
static const unsigned kAsanAllocaPartialVal2 = 0x000000cbU; static const unsigned kAsanAllocaPartialVal2 = 0x000000cbU;
// Command-line flags. // Command-line flags.
// This flag may need to be replaced with -f[no-]asan-reads. // This flag may need to be replaced with -f[no-]asan-reads.
static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", static cl::opt<bool> ClInstrumentReads("asan-instrument-reads",
cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); cl::desc("instrument read instructions"),
static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes",
cl::desc("instrument write instructions"), cl::Hidden, cl::init(true));
static cl::opt<bool> ClInstrumentAtomics("asan-instrument-atomics",
cl::desc("instrument atomic instructions (rmw, cmpxchg)"),
cl::Hidden, cl::init(true)); cl::Hidden, cl::init(true));
static cl::opt<bool> ClAlwaysSlowPath("asan-always-slow-path", static cl::opt<bool> ClInstrumentWrites(
cl::desc("use instrumentation with slow path for all accesses"), "asan-instrument-writes", cl::desc("instrument write instructions"),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(true));
static cl::opt<bool> ClInstrumentAtomics(
"asan-instrument-atomics",
cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden,
cl::init(true));
static cl::opt<bool> ClAlwaysSlowPath(
"asan-always-slow-path",
cl::desc("use instrumentation with slow path for all accesses"), cl::Hidden,
cl::init(false));
// This flag limits the number of instructions to be instrumented // This flag limits the number of instructions to be instrumented
// in any given BB. Normally, this should be set to unlimited (INT_MAX), // in any given BB. Normally, this should be set to unlimited (INT_MAX),
// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary // but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary
// set it to 10000. // set it to 10000.
static cl::opt<int> ClMaxInsnsToInstrumentPerBB("asan-max-ins-per-bb", static cl::opt<int> ClMaxInsnsToInstrumentPerBB(
cl::init(10000), "asan-max-ins-per-bb", cl::init(10000),
cl::desc("maximal number of instructions to instrument in any given BB"), cl::desc("maximal number of instructions to instrument in any given BB"),
cl::Hidden); cl::Hidden);
// This flag may need to be replaced with -f[no]asan-stack. // This flag may need to be replaced with -f[no]asan-stack.
static cl::opt<bool> ClStack("asan-stack", static cl::opt<bool> ClStack("asan-stack", cl::desc("Handle stack memory"),
cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); cl::Hidden, cl::init(true));
static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", static cl::opt<bool> ClUseAfterReturn("asan-use-after-return",
cl::desc("Check return-after-free"), cl::Hidden, cl::init(true)); cl::desc("Check return-after-free"),
cl::Hidden, cl::init(true));
// This flag may need to be replaced with -f[no]asan-globals. // This flag may need to be replaced with -f[no]asan-globals.
static cl::opt<bool> ClGlobals("asan-globals", static cl::opt<bool> ClGlobals("asan-globals",
cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); cl::desc("Handle global objects"), cl::Hidden,
cl::init(true));
static cl::opt<bool> ClInitializers("asan-initialization-order", static cl::opt<bool> ClInitializers("asan-initialization-order",
cl::desc("Handle C++ initializer order"), cl::Hidden, cl::init(true)); cl::desc("Handle C++ initializer order"),
static cl::opt<bool> ClInvalidPointerPairs("asan-detect-invalid-pointer-pair", cl::Hidden, cl::init(true));
cl::desc("Instrument <, <=, >, >=, - with pointer operands"), static cl::opt<bool> ClInvalidPointerPairs(
cl::Hidden, cl::init(false)); "asan-detect-invalid-pointer-pair",
static cl::opt<unsigned> ClRealignStack("asan-realign-stack", cl::desc("Instrument <, <=, >, >=, - with pointer operands"), cl::Hidden,
cl::init(false));
static cl::opt<unsigned> ClRealignStack(
"asan-realign-stack",
cl::desc("Realign stack to the value of this flag (power of two)"), cl::desc("Realign stack to the value of this flag (power of two)"),
cl::Hidden, cl::init(32)); cl::Hidden, cl::init(32));
static cl::opt<int> ClInstrumentationWithCallsThreshold( static cl::opt<int> ClInstrumentationWithCallsThreshold(
"asan-instrumentation-with-call-threshold", "asan-instrumentation-with-call-threshold",
cl::desc("If the function being instrumented contains more than " cl::desc(
"If the function being instrumented contains more than "
"this number of memory accesses, use callbacks instead of " "this number of memory accesses, use callbacks instead of "
"inline checks (-1 means never use callbacks)."), "inline checks (-1 means never use callbacks)."),
cl::Hidden, cl::init(7000)); cl::Hidden, cl::init(7000));
static cl::opt<std::string> ClMemoryAccessCallbackPrefix( static cl::opt<std::string> ClMemoryAccessCallbackPrefix(
"asan-memory-access-callback-prefix", "asan-memory-access-callback-prefix",
cl::desc("Prefix for memory access callbacks"), cl::Hidden, cl::desc("Prefix for memory access callbacks"), cl::Hidden,
cl::init("__asan_")); cl::init("__asan_"));
static cl::opt<bool> ClInstrumentAllocas("asan-instrument-allocas", static cl::opt<bool> ClInstrumentAllocas("asan-instrument-allocas",
cl::desc("instrument dynamic allocas"), cl::Hidden, cl::init(false)); cl::desc("instrument dynamic allocas"),
static cl::opt<bool> ClSkipPromotableAllocas("asan-skip-promotable-allocas", cl::Hidden, cl::init(false));
cl::desc("Do not instrument promotable allocas"), static cl::opt<bool> ClSkipPromotableAllocas(
cl::Hidden, cl::init(true)); "asan-skip-promotable-allocas",
cl::desc("Do not instrument promotable allocas"), cl::Hidden,
cl::init(true));
// These flags allow to change the shadow mapping. // These flags allow to change the shadow mapping.
// The shadow mapping looks like // The shadow mapping looks like
// Shadow = (Mem >> scale) + (1 << offset_log) // Shadow = (Mem >> scale) + (1 << offset_log)
static cl::opt<int> ClMappingScale("asan-mapping-scale", static cl::opt<int> ClMappingScale("asan-mapping-scale",
cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); cl::desc("scale of asan shadow mapping"),
cl::Hidden, cl::init(0));
// Optimization flags. Not user visible, used mostly for testing // Optimization flags. Not user visible, used mostly for testing
// and benchmarking the tool. // and benchmarking the tool.
static cl::opt<bool> ClOpt("asan-opt", static cl::opt<bool> ClOpt("asan-opt", cl::desc("Optimize instrumentation"),
cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); cl::Hidden, cl::init(true));
static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", static cl::opt<bool> ClOptSameTemp(
cl::desc("Instrument the same temp just once"), cl::Hidden, "asan-opt-same-temp", cl::desc("Instrument the same temp just once"),
cl::init(true)); cl::Hidden, cl::init(true));
static cl::opt<bool> ClOptGlobals("asan-opt-globals", static cl::opt<bool> ClOptGlobals("asan-opt-globals",
cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); cl::desc("Don't instrument scalar globals"),
cl::Hidden, cl::init(true));
static cl::opt<bool> ClCheckLifetime("asan-check-lifetime", static cl::opt<bool> ClOptStack(
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

This makes me nervous. I don't think ObjectSizeOffsetEvaluator is used much. This should probably go through more testing, though I am not sure how to catch issues here since we are removing checking.

zaks.anna: This makes me nervous. I don't think ObjectSizeOffsetEvaluator is used much. This should…
kccUnsubmitted
Not Done
ReplyInline Actions

ouch. Indeed, don't make it true by default for now.
Unfortunately, I don't know any good way to test complex optimizations that eliminate checks,
and so I don't know what it will take us to enable this by default.
But at least having this code in trunk will simplify the experiments.

kcc: ouch. Indeed, don't make it true by default for now. Unfortunately, I don't know any good way…
dvyukovAuthorUnsubmitted
Not Done
ReplyInline Actions

changed default value to false

dvyukov: changed default value to false
cl::desc("Use llvm.lifetime intrinsics to insert extra checks"), "asan-opt-stack", cl::desc("Don't instrument scalar stack variables"),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
static cl::opt<bool> ClCheckLifetime(
"asan-check-lifetime",
cl::desc("Use llvm.lifetime intrinsics to insert extra checks"), cl::Hidden,
cl::init(false));
static cl::opt<bool> ClDynamicAllocaStack( static cl::opt<bool> ClDynamicAllocaStack(
"asan-stack-dynamic-alloca", "asan-stack-dynamic-alloca",
cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden, cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden,
cl::init(true)); cl::init(true));
// Debug flags. // Debug flags.
static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden,
cl::init(0)); cl::init(0));
static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"),
cl::Hidden, cl::init(0)); cl::Hidden, cl::init(0));
static cl::opt<std::string> ClDebugFunc("asan-debug-func", static cl::opt<std::string> ClDebugFunc("asan-debug-func", cl::Hidden,
cl::Hidden, cl::desc("Debug func")); cl::desc("Debug func"));
static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"),
cl::Hidden, cl::init(-1)); cl::Hidden, cl::init(-1));
static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"),
cl::Hidden, cl::init(-1)); cl::Hidden, cl::init(-1));
STATISTIC(NumInstrumentedReads, "Number of instrumented reads"); STATISTIC(NumInstrumentedReads, "Number of instrumented reads");
STATISTIC(NumInstrumentedWrites, "Number of instrumented writes"); STATISTIC(NumInstrumentedWrites, "Number of instrumented writes");
STATISTIC(NumInstrumentedDynamicAllocas, STATISTIC(NumInstrumentedDynamicAllocas,
"Number of instrumented dynamic allocas"); "Number of instrumented dynamic allocas");
STATISTIC(NumOptimizedAccessesToGlobalArray,
"Number of optimized accesses to global arrays");
STATISTIC(NumOptimizedAccessesToGlobalVar, STATISTIC(NumOptimizedAccessesToGlobalVar,
"Number of optimized accesses to global vars"); "Number of optimized accesses to global vars");
STATISTIC(NumOptimizedAccessesToStackVar,
"Number of optimized accesses to stack vars");
namespace { namespace {
/// Frontend-provided metadata for source location. /// Frontend-provided metadata for source location.
struct LocationMetadata { struct LocationMetadata {
StringRef Filename; StringRef Filename;
int LineNo; int LineNo;
int ColumnNo; int ColumnNo;
Show All 11 Lines ColumnNo =
mdconst::extract<ConstantInt>(MDN->getOperand(2))->getLimitedValue(); mdconst::extract<ConstantInt>(MDN->getOperand(2))->getLimitedValue();
} }
}; };
/// Frontend-provided metadata for global variables. /// Frontend-provided metadata for global variables.
class GlobalsMetadata { class GlobalsMetadata {
public: public:
struct Entry { struct Entry {
Entry() Entry() : SourceLoc(), Name(), IsDynInit(false), IsBlacklisted(false) {}
: SourceLoc(), Name(), IsDynInit(false),
IsBlacklisted(false) {}
LocationMetadata SourceLoc; LocationMetadata SourceLoc;
StringRef Name; StringRef Name;
bool IsDynInit; bool IsDynInit;
bool IsBlacklisted; bool IsBlacklisted;
}; };
GlobalsMetadata() : inited_(false) {} GlobalsMetadata() : inited_(false) {}
void init(Module& M) { void init(Module &M) {
assert(!inited_); assert(!inited_);
inited_ = true; inited_ = true;
NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals"); NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals");
if (!Globals) if (!Globals) return;
return;
for (auto MDN : Globals->operands()) { for (auto MDN : Globals->operands()) {
// Metadata node contains the global and the fields of "Entry". // Metadata node contains the global and the fields of "Entry".
assert(MDN->getNumOperands() == 5); assert(MDN->getNumOperands() == 5);
auto *GV = mdconst::extract_or_null<GlobalVariable>(MDN->getOperand(0)); auto *GV = mdconst::extract_or_null<GlobalVariable>(MDN->getOperand(0));
// The optimizer may optimize away a global entirely. // The optimizer may optimize away a global entirely.
if (!GV) if (!GV) continue;
continue;
// We can already have an entry for GV if it was merged with another // We can already have an entry for GV if it was merged with another
// global. // global.
Entry &E = Entries[GV]; Entry &E = Entries[GV];
if (auto *Loc = cast_or_null<MDNode>(MDN->getOperand(1))) if (auto *Loc = cast_or_null<MDNode>(MDN->getOperand(1)))
E.SourceLoc.parse(Loc); E.SourceLoc.parse(Loc);
if (auto *Name = cast_or_null<MDString>(MDN->getOperand(2))) if (auto *Name = cast_or_null<MDString>(MDN->getOperand(2)))
E.Name = Name->getString(); E.Name = Name->getString();
ConstantInt *IsDynInit = ConstantInt *IsDynInit =
mdconst::extract<ConstantInt>(MDN->getOperand(3)); mdconst::extract<ConstantInt>(MDN->getOperand(3));
E.IsDynInit |= IsDynInit->isOne(); E.IsDynInit |= IsDynInit->isOne();
ConstantInt *IsBlacklisted = ConstantInt *IsBlacklisted =
mdconst::extract<ConstantInt>(MDN->getOperand(4)); mdconst::extract<ConstantInt>(MDN->getOperand(4));
E.IsBlacklisted |= IsBlacklisted->isOne(); E.IsBlacklisted |= IsBlacklisted->isOne();
} }
} }
/// Returns metadata entry for a given global. /// Returns metadata entry for a given global.
Entry get(GlobalVariable *G) const { Entry get(GlobalVariable *G) const {
auto Pos = Entries.find(G); auto Pos = Entries.find(G);
return (Pos != Entries.end()) ? Pos->second : Entry(); return (Pos != Entries.end()) ? Pos->second : Entry();
} }
private: private:
bool inited_; bool inited_;
DenseMap<GlobalVariable*, Entry> Entries; DenseMap<GlobalVariable *, Entry> Entries;
}; };
/// This struct defines the shadow mapping using the rule: /// This struct defines the shadow mapping using the rule:
/// shadow = (mem >> Scale) ADD-or-OR Offset. /// shadow = (mem >> Scale) ADD-or-OR Offset.
struct ShadowMapping { struct ShadowMapping {
int Scale; int Scale;
uint64_t Offset; uint64_t Offset;
bool OrShadowOffset; bool OrShadowOffset;
▲ Show 20 LinesShow All 68 Lines▼ Show 20 Linesstruct AddressSanitizer : public FunctionPass {
AddressSanitizer() : FunctionPass(ID) { AddressSanitizer() : FunctionPass(ID) {
initializeAddressSanitizerPass(*PassRegistry::getPassRegistry()); initializeAddressSanitizerPass(*PassRegistry::getPassRegistry());
} }
const char *getPassName() const override { const char *getPassName() const override {
return "AddressSanitizerFunctionPass"; return "AddressSanitizerFunctionPass";
} }
void getAnalysisUsage(AnalysisUsage &AU) const override { void getAnalysisUsage(AnalysisUsage &AU) const override {
AU.addRequired<DominatorTreeWrapperPass>(); AU.addRequired<DominatorTreeWrapperPass>();
AU.addRequired<DataLayoutPass>();
AU.addRequired<TargetLibraryInfoWrapperPass>();
} }
uint64_t getAllocaSizeInBytes(AllocaInst *AI) const { uint64_t getAllocaSizeInBytes(AllocaInst *AI) const {
Type *Ty = AI->getAllocatedType(); Type *Ty = AI->getAllocatedType();
uint64_t SizeInBytes = DL->getTypeAllocSize(Ty); uint64_t SizeInBytes = DL->getTypeAllocSize(Ty);
return SizeInBytes; return SizeInBytes;
} }
/// Check if we want (and can) handle this alloca. /// Check if we want (and can) handle this alloca.
bool isInterestingAlloca(AllocaInst &AI) const; bool isInterestingAlloca(AllocaInst &AI) const;
/// If it is an interesting memory access, return the PointerOperand /// If it is an interesting memory access, return the PointerOperand
/// and set IsWrite/Alignment. Otherwise return nullptr. /// and set IsWrite/Alignment. Otherwise return nullptr.
Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite, Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite,
uint64_t *TypeSize,
unsigned *Alignment) const; unsigned *Alignment) const;
void instrumentMop(Instruction *I, bool UseCalls); void instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis, Instruction *I,
bool UseCalls);
void instrumentPointerComparisonOrSubtraction(Instruction *I); void instrumentPointerComparisonOrSubtraction(Instruction *I);
chandlercUnsubmitted
Not Done
ReplyInline Actions

Surely clang-format puts this 'const' somewhere else...

chandlerc: Surely clang-format puts this 'const' somewhere else...
void instrumentAddress(Instruction *OrigIns, Instruction *InsertBefore, void instrumentAddress(Instruction *OrigIns, Instruction *InsertBefore,
Value *Addr, uint32_t TypeSize, bool IsWrite, Value *Addr, uint32_t TypeSize, bool IsWrite,
Value *SizeArgument, bool UseCalls); Value *SizeArgument, bool UseCalls);
Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong,
Value *ShadowValue, uint32_t TypeSize); Value *ShadowValue, uint32_t TypeSize);
Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr,
bool IsWrite, size_t AccessSizeIndex, bool IsWrite, size_t AccessSizeIndex,
Value *SizeArgument); Value *SizeArgument);
void instrumentMemIntrinsic(MemIntrinsic *MI); void instrumentMemIntrinsic(MemIntrinsic *MI);
Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); Value *memToShadow(Value *Shadow, IRBuilder<> &IRB);
bool runOnFunction(Function &F) override; bool runOnFunction(Function &F) override;
bool maybeInsertAsanInitAtFunctionEntry(Function &F); bool maybeInsertAsanInitAtFunctionEntry(Function &F);
bool doInitialization(Module &M) override; bool doInitialization(Module &M) override;
static char ID; // Pass identification, replacement for typeid static char ID; // Pass identification, replacement for typeid
DominatorTree &getDominatorTree() const { return *DT; } DominatorTree &getDominatorTree() const { return *DT; }
private: private:
void initializeCallbacks(Module &M); void initializeCallbacks(Module &M);
bool LooksLikeCodeInBug11395(Instruction *I); bool LooksLikeCodeInBug11395(Instruction *I);
bool GlobalIsLinkerInitialized(GlobalVariable *G); bool GlobalIsLinkerInitialized(GlobalVariable *G);
bool isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, Value *Addr,
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

const?

zaks.anna: const?
dvyukovAuthorUnsubmitted
Not Done
ReplyInline Actions

done

dvyukov: done
uint64_t TypeSize) const;
LLVMContext *C; LLVMContext *C;
const DataLayout *DL; const DataLayout *DL;
Triple TargetTriple; Triple TargetTriple;
int LongSize; int LongSize;
Type *IntptrTy; Type *IntptrTy;
ShadowMapping Mapping; ShadowMapping Mapping;
DominatorTree *DT; DominatorTree *DT;
Function *AsanCtorFunction; Function *AsanCtorFunction;
Function *AsanInitFunction; Function *AsanInitFunction;
Function *AsanHandleNoReturnFunc; Function *AsanHandleNoReturnFunc;
Function *AsanPtrCmpFunction, *AsanPtrSubFunction; Function *AsanPtrCmpFunction, *AsanPtrSubFunction;
// This array is indexed by AccessIsWrite and log2(AccessSize). // This array is indexed by AccessIsWrite and log2(AccessSize).
Function *AsanErrorCallback[2][kNumberOfAccessSizes]; Function *AsanErrorCallback[2][kNumberOfAccessSizes];
Function *AsanMemoryAccessCallback[2][kNumberOfAccessSizes]; Function *AsanMemoryAccessCallback[2][kNumberOfAccessSizes];
// This array is indexed by AccessIsWrite. // This array is indexed by AccessIsWrite.
Function *AsanErrorCallbackSized[2], Function *AsanErrorCallbackSized[2], *AsanMemoryAccessCallbackSized[2];
*AsanMemoryAccessCallbackSized[2];
Function *AsanMemmove, *AsanMemcpy, *AsanMemset; Function *AsanMemmove, *AsanMemcpy, *AsanMemset;
InlineAsm *EmptyAsm; InlineAsm *EmptyAsm;
GlobalsMetadata GlobalsMD; GlobalsMetadata GlobalsMD;
friend struct FunctionStackPoisoner; friend struct FunctionStackPoisoner;
}; };
class AddressSanitizerModule : public ModulePass { class AddressSanitizerModule : public ModulePass {
public: public:
AddressSanitizerModule() : ModulePass(ID) {} AddressSanitizerModule() : ModulePass(ID) {}
bool runOnModule(Module &M) override; bool runOnModule(Module &M) override;
static char ID; // Pass identification, replacement for typeid static char ID; // Pass identification, replacement for typeid
const char *getPassName() const override { const char *getPassName() const override { return "AddressSanitizerModule"; }
return "AddressSanitizerModule";
}
private: private:
void initializeCallbacks(Module &M); void initializeCallbacks(Module &M);
bool InstrumentGlobals(IRBuilder<> &IRB, Module &M); bool InstrumentGlobals(IRBuilder<> &IRB, Module &M);
bool ShouldInstrumentGlobal(GlobalVariable *G); bool ShouldInstrumentGlobal(GlobalVariable *G);
void poisonOneInitializer(Function &GlobalInit, GlobalValue *ModuleName); void poisonOneInitializer(Function &GlobalInit, GlobalValue *ModuleName);
void createInitializerPoisonCalls(Module &M, GlobalValue *ModuleName); void createInitializerPoisonCalls(Module &M, GlobalValue *ModuleName);
Show All 26 Linesstruct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
Function &F; Function &F;
AddressSanitizer &ASan; AddressSanitizer &ASan;
DIBuilder DIB; DIBuilder DIB;
LLVMContext *C; LLVMContext *C;
Type *IntptrTy; Type *IntptrTy;
Type *IntptrPtrTy; Type *IntptrPtrTy;
ShadowMapping Mapping; ShadowMapping Mapping;
SmallVector<AllocaInst*, 16> AllocaVec; SmallVector<AllocaInst *, 16> AllocaVec;
SmallVector<Instruction*, 8> RetVec; SmallVector<Instruction *, 8> RetVec;
unsigned StackAlignment; unsigned StackAlignment;
Function *AsanStackMallocFunc[kMaxAsanStackMallocSizeClass + 1], Function *AsanStackMallocFunc[kMaxAsanStackMallocSizeClass + 1],
*AsanStackFreeFunc[kMaxAsanStackMallocSizeClass + 1]; *AsanStackFreeFunc[kMaxAsanStackMallocSizeClass + 1];
Function *AsanPoisonStackMemoryFunc, *AsanUnpoisonStackMemoryFunc; Function *AsanPoisonStackMemoryFunc, *AsanUnpoisonStackMemoryFunc;
// Stores a place and arguments of poisoning/unpoisoning call for alloca. // Stores a place and arguments of poisoning/unpoisoning call for alloca.
struct AllocaPoisonCall { struct AllocaPoisonCall {
IntrinsicInst *InsBefore; IntrinsicInst *InsBefore;
AllocaInst *AI; AllocaInst *AI;
uint64_t Size; uint64_t Size;
bool DoPoison; bool DoPoison;
}; };
SmallVector<AllocaPoisonCall, 8> AllocaPoisonCallVec; SmallVector<AllocaPoisonCall, 8> AllocaPoisonCallVec;
// Stores left and right redzone shadow addresses for dynamic alloca // Stores left and right redzone shadow addresses for dynamic alloca
// and pointer to alloca instruction itself. // and pointer to alloca instruction itself.
// LeftRzAddr is a shadow address for alloca left redzone. // LeftRzAddr is a shadow address for alloca left redzone.
// RightRzAddr is a shadow address for alloca right redzone. // RightRzAddr is a shadow address for alloca right redzone.
struct DynamicAllocaCall { struct DynamicAllocaCall {
AllocaInst *AI; AllocaInst *AI;
Value *LeftRzAddr; Value *LeftRzAddr;
Value *RightRzAddr; Value *RightRzAddr;
bool Poison; bool Poison;
explicit DynamicAllocaCall(AllocaInst *AI, explicit DynamicAllocaCall(AllocaInst *AI, Value *LeftRzAddr = nullptr,
Value *LeftRzAddr = nullptr,
Value *RightRzAddr = nullptr) Value *RightRzAddr = nullptr)
: AI(AI), LeftRzAddr(LeftRzAddr), RightRzAddr(RightRzAddr), Poison(true) : AI(AI),
{} LeftRzAddr(LeftRzAddr),
RightRzAddr(RightRzAddr),
Poison(true) {}
}; };
SmallVector<DynamicAllocaCall, 1> DynamicAllocaVec; SmallVector<DynamicAllocaCall, 1> DynamicAllocaVec;
// Maps Value to an AllocaInst from which the Value is originated. // Maps Value to an AllocaInst from which the Value is originated.
typedef DenseMap<Value*, AllocaInst*> AllocaForValueMapTy; typedef DenseMap<Value *, AllocaInst *> AllocaForValueMapTy;
AllocaForValueMapTy AllocaForValue; AllocaForValueMapTy AllocaForValue;
bool HasNonEmptyInlineAsm; bool HasNonEmptyInlineAsm;
std::unique_ptr<CallInst> EmptyInlineAsm; std::unique_ptr<CallInst> EmptyInlineAsm;
FunctionStackPoisoner(Function &F, AddressSanitizer &ASan) FunctionStackPoisoner(Function &F, AddressSanitizer &ASan)
: F(F), ASan(ASan), DIB(*F.getParent(), /*AllowUnresolved*/ false), : F(F),
C(ASan.C), IntptrTy(ASan.IntptrTy), ASan(ASan),
IntptrPtrTy(PointerType::get(IntptrTy, 0)), Mapping(ASan.Mapping), DIB(*F.getParent(), /*AllowUnresolved*/ false),
StackAlignment(1 << Mapping.Scale), HasNonEmptyInlineAsm(false), C(ASan.C),
IntptrTy(ASan.IntptrTy),
IntptrPtrTy(PointerType::get(IntptrTy, 0)),
Mapping(ASan.Mapping),
StackAlignment(1 << Mapping.Scale),
HasNonEmptyInlineAsm(false),
EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {} EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {}
bool runOnFunction() { bool runOnFunction() {
if (!ClStack) return false; if (!ClStack) return false;
// Collect alloca, ret, lifetime instructions etc. // Collect alloca, ret, lifetime instructions etc.
for (BasicBlock *BB : depth_first(&F.getEntryBlock())) for (BasicBlock *BB : depth_first(&F.getEntryBlock())) visit(*BB);
visit(*BB);
if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false; if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;
initializeCallbacks(*F.getParent()); initializeCallbacks(*F.getParent());
poisonStack(); poisonStack();
if (ClDebugStack) { if (ClDebugStack) {
DEBUG(dbgs() << F); DEBUG(dbgs() << F);
} }
return true; return true;
} }
// Finds all Alloca instructions and puts // Finds all Alloca instructions and puts
// poisoned red zones around all of them. // poisoned red zones around all of them.
// Then unpoison everything back before the function returns. // Then unpoison everything back before the function returns.
void poisonStack(); void poisonStack();
// ----------------------- Visitors. // ----------------------- Visitors.
/// \brief Collect all Ret instructions. /// \brief Collect all Ret instructions.
void visitReturnInst(ReturnInst &RI) { void visitReturnInst(ReturnInst &RI) { RetVec.push_back(&RI); }
RetVec.push_back(&RI);
}
// Unpoison dynamic allocas redzones. // Unpoison dynamic allocas redzones.
void unpoisonDynamicAlloca(DynamicAllocaCall &AllocaCall) { void unpoisonDynamicAlloca(DynamicAllocaCall &AllocaCall) {
if (!AllocaCall.Poison) if (!AllocaCall.Poison) return;
return;
for (auto Ret : RetVec) { for (auto Ret : RetVec) {
IRBuilder<> IRBRet(Ret); IRBuilder<> IRBRet(Ret);
PointerType *Int32PtrTy = PointerType::getUnqual(IRBRet.getInt32Ty()); PointerType *Int32PtrTy = PointerType::getUnqual(IRBRet.getInt32Ty());
Value *Zero = Constant::getNullValue(IRBRet.getInt32Ty()); Value *Zero = Constant::getNullValue(IRBRet.getInt32Ty());
Value *PartialRzAddr = IRBRet.CreateSub(AllocaCall.RightRzAddr, Value *PartialRzAddr = IRBRet.CreateSub(AllocaCall.RightRzAddr,
ConstantInt::get(IntptrTy, 4)); ConstantInt::get(IntptrTy, 4));
IRBRet.CreateStore(Zero, IRBRet.CreateIntToPtr(AllocaCall.LeftRzAddr, IRBRet.CreateStore(
Int32PtrTy)); Zero, IRBRet.CreateIntToPtr(AllocaCall.LeftRzAddr, Int32PtrTy));
IRBRet.CreateStore(Zero, IRBRet.CreateIntToPtr(PartialRzAddr, IRBRet.CreateStore(Zero,
Int32PtrTy)); IRBRet.CreateIntToPtr(PartialRzAddr, Int32PtrTy));
IRBRet.CreateStore(Zero, IRBRet.CreateIntToPtr(AllocaCall.RightRzAddr, IRBRet.CreateStore(
Int32PtrTy)); Zero, IRBRet.CreateIntToPtr(AllocaCall.RightRzAddr, Int32PtrTy));
} }
} }
// Right shift for BigEndian and left shift for LittleEndian. // Right shift for BigEndian and left shift for LittleEndian.
Value *shiftAllocaMagic(Value *Val, IRBuilder<> &IRB, Value *Shift) { Value *shiftAllocaMagic(Value *Val, IRBuilder<> &IRB, Value *Shift) {
return ASan.DL->isLittleEndian() ? IRB.CreateShl(Val, Shift) return ASan.DL->isLittleEndian() ? IRB.CreateShl(Val, Shift)
: IRB.CreateLShr(Val, Shift); : IRB.CreateLShr(Val, Shift);
} }
Show All 33 Lines else
AllocaVec.push_back(&AI); AllocaVec.push_back(&AI);
} }
/// \brief Collect lifetime intrinsic calls to check for use-after-scope /// \brief Collect lifetime intrinsic calls to check for use-after-scope
/// errors. /// errors.
void visitIntrinsicInst(IntrinsicInst &II) { void visitIntrinsicInst(IntrinsicInst &II) {
if (!ClCheckLifetime) return; if (!ClCheckLifetime) return;
Intrinsic::ID ID = II.getIntrinsicID(); Intrinsic::ID ID = II.getIntrinsicID();
if (ID != Intrinsic::lifetime_start && if (ID != Intrinsic::lifetime_start && ID != Intrinsic::lifetime_end)
ID != Intrinsic::lifetime_end)
return; return;
// Found lifetime intrinsic, add ASan instrumentation if necessary. // Found lifetime intrinsic, add ASan instrumentation if necessary.
ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0)); ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0));
// If size argument is undefined, don't do anything. // If size argument is undefined, don't do anything.
if (Size->isMinusOne()) return; if (Size->isMinusOne()) return;
// Check that size doesn't saturate uint64_t and can // Check that size doesn't saturate uint64_t and can
// be stored in IntptrTy. // be stored in IntptrTy.
const uint64_t SizeValue = Size->getValue().getLimitedValue(); const uint64_t SizeValue = Size->getValue().getLimitedValue();
Show All 13 Lines HasNonEmptyInlineAsm |=
CI.isInlineAsm() && !CI.isIdenticalTo(EmptyInlineAsm.get()); CI.isInlineAsm() && !CI.isIdenticalTo(EmptyInlineAsm.get());
} }
// ---------------------- Helpers. // ---------------------- Helpers.
void initializeCallbacks(Module &M); void initializeCallbacks(Module &M);
bool doesDominateAllExits(const Instruction *I) const { bool doesDominateAllExits(const Instruction *I) const {
for (auto Ret : RetVec) { for (auto Ret : RetVec) {
if (!ASan.getDominatorTree().dominates(I, Ret)) if (!ASan.getDominatorTree().dominates(I, Ret)) return false;
return false;
} }
return true; return true;
} }
bool isDynamicAlloca(AllocaInst &AI) const { bool isDynamicAlloca(AllocaInst &AI) const {
return AI.isArrayAllocation() || !AI.isStaticAlloca(); return AI.isArrayAllocation() || !AI.isStaticAlloca();
} }
/// Finds alloca where the value comes from. /// Finds alloca where the value comes from.
AllocaInst *findAllocaForValue(Value *V); AllocaInst *findAllocaForValue(Value *V);
void poisonRedZones(ArrayRef<uint8_t> ShadowBytes, IRBuilder<> &IRB, void poisonRedZones(ArrayRef<uint8_t> ShadowBytes, IRBuilder<> &IRB,
Value *ShadowBase, bool DoPoison); Value *ShadowBase, bool DoPoison);
void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> &IRB, bool DoPoison); void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> &IRB, bool DoPoison);
void SetShadowToStackAfterReturnInlined(IRBuilder<> &IRB, Value *ShadowBase, void SetShadowToStackAfterReturnInlined(IRBuilder<> &IRB, Value *ShadowBase,
int Size); int Size);
Value *createAllocaForLayout(IRBuilder<> &IRB, const ASanStackFrameLayout &L, Value *createAllocaForLayout(IRBuilder<> &IRB, const ASanStackFrameLayout &L,
bool Dynamic); bool Dynamic);
PHINode *createPHI(IRBuilder<> &IRB, Value *Cond, Value *ValueIfTrue, PHINode *createPHI(IRBuilder<> &IRB, Value *Cond, Value *ValueIfTrue,
Instruction *ThenTerm, Value *ValueIfFalse); Instruction *ThenTerm, Value *ValueIfFalse);
}; };
} // namespace } // namespace
char AddressSanitizer::ID = 0; char AddressSanitizer::ID = 0;
INITIALIZE_PASS_BEGIN(AddressSanitizer, "asan", INITIALIZE_PASS_BEGIN(
"AddressSanitizer: detects use-after-free and out-of-bounds bugs.", AddressSanitizer, "asan",
false, false) "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,
false)
INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass) INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
INITIALIZE_PASS_END(AddressSanitizer, "asan", INITIALIZE_PASS_END(
"AddressSanitizer: detects use-after-free and out-of-bounds bugs.", AddressSanitizer, "asan",
false, false) "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,
false)
FunctionPass *llvm::createAddressSanitizerFunctionPass() { FunctionPass *llvm::createAddressSanitizerFunctionPass() {
return new AddressSanitizer(); return new AddressSanitizer();
} }
char AddressSanitizerModule::ID = 0; char AddressSanitizerModule::ID = 0;
INITIALIZE_PASS(AddressSanitizerModule, "asan-module", INITIALIZE_PASS(
AddressSanitizerModule, "asan-module",
"AddressSanitizer: detects use-after-free and out-of-bounds bugs." "AddressSanitizer: detects use-after-free and out-of-bounds bugs."
"ModulePass", false, false) "ModulePass",
false, false)
ModulePass *llvm::createAddressSanitizerModulePass() { ModulePass *llvm::createAddressSanitizerModulePass() {
return new AddressSanitizerModule(); return new AddressSanitizerModule();
} }
static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { static size_t TypeSizeToSizeIndex(uint32_t TypeSize) {
size_t Res = countTrailingZeros(TypeSize / 8); size_t Res = countTrailingZeros(TypeSize / 8);
assert(Res < kNumberOfAccessSizes); assert(Res < kNumberOfAccessSizes);
return Res; return Res;
} }
// \brief Create a constant for Str so that we can pass it to the run-time lib. // \brief Create a constant for Str so that we can pass it to the run-time lib.
static GlobalVariable *createPrivateGlobalForString( static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str,
Module &M, StringRef Str, bool AllowMerging) { bool AllowMerging) {
Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);
// We use private linkage for module-local strings. If they can be merged // We use private linkage for module-local strings. If they can be merged
// with another one, we set the unnamed_addr attribute. // with another one, we set the unnamed_addr attribute.
GlobalVariable *GV = GlobalVariable *GV =
new GlobalVariable(M, StrConst->getType(), true, new GlobalVariable(M, StrConst->getType(), true,
GlobalValue::PrivateLinkage, StrConst, kAsanGenPrefix); GlobalValue::PrivateLinkage, StrConst, kAsanGenPrefix);
if (AllowMerging) if (AllowMerging) GV->setUnnamedAddr(true);
GV->setUnnamedAddr(true);
GV->setAlignment(1); // Strings may not be merged w/o setting align 1. GV->setAlignment(1); // Strings may not be merged w/o setting align 1.
return GV; return GV;
} }
/// \brief Create a global describing a source location. /// \brief Create a global describing a source location.
static GlobalVariable *createPrivateGlobalForSourceLoc(Module &M, static GlobalVariable *createPrivateGlobalForSourceLoc(Module &M,
LocationMetadata MD) { LocationMetadata MD) {
Constant *LocData[] = { Constant *LocData[] = {
Show All 12 Lines
static bool GlobalWasGeneratedByAsan(GlobalVariable *G) { static bool GlobalWasGeneratedByAsan(GlobalVariable *G) {
return G->getName().find(kAsanGenPrefix) == 0 || return G->getName().find(kAsanGenPrefix) == 0 ||
G->getName().find(kSanCovGenPrefix) == 0; G->getName().find(kSanCovGenPrefix) == 0;
} }
Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) {
// Shadow >> scale // Shadow >> scale
Shadow = IRB.CreateLShr(Shadow, Mapping.Scale); Shadow = IRB.CreateLShr(Shadow, Mapping.Scale);
if (Mapping.Offset == 0) if (Mapping.Offset == 0) return Shadow;
return Shadow;
// (Shadow >> scale) | offset // (Shadow >> scale) | offset
if (Mapping.OrShadowOffset) if (Mapping.OrShadowOffset)
return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset)); return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset));
else else
return IRB.CreateAdd(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset)); return IRB.CreateAdd(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset));
} }
// Instrument memset/memmove/memcpy // Instrument memset/memmove/memcpy
Show All 24 Lines return (AI.getAllocatedType()->isSized() &&
// Promotable allocas are common under -O0. // Promotable allocas are common under -O0.
(!ClSkipPromotableAllocas || !isAllocaPromotable(&AI))); (!ClSkipPromotableAllocas || !isAllocaPromotable(&AI)));
} }
/// If I is an interesting memory access, return the PointerOperand /// If I is an interesting memory access, return the PointerOperand
/// and set IsWrite/Alignment. Otherwise return nullptr. /// and set IsWrite/Alignment. Otherwise return nullptr.
Value *AddressSanitizer::isInterestingMemoryAccess(Instruction *I, Value *AddressSanitizer::isInterestingMemoryAccess(Instruction *I,
bool *IsWrite, bool *IsWrite,
uint64_t *TypeSize,
unsigned *Alignment) const { unsigned *Alignment) const {
// Skip memory accesses inserted by another instrumentation. // Skip memory accesses inserted by another instrumentation.
if (I->getMetadata("nosanitize")) if (I->getMetadata("nosanitize")) return nullptr;
return nullptr;
Value *PtrOperand = nullptr; Value *PtrOperand = nullptr;
if (LoadInst *LI = dyn_cast<LoadInst>(I)) { if (LoadInst *LI = dyn_cast<LoadInst>(I)) {
if (!ClInstrumentReads) return nullptr; if (!ClInstrumentReads) return nullptr;
*IsWrite = false; *IsWrite = false;
*TypeSize = DL->getTypeStoreSizeInBits(LI->getType());
*Alignment = LI->getAlignment(); *Alignment = LI->getAlignment();
PtrOperand = LI->getPointerOperand(); PtrOperand = LI->getPointerOperand();
} else if (StoreInst *SI = dyn_cast<StoreInst>(I)) { } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {
if (!ClInstrumentWrites) return nullptr; if (!ClInstrumentWrites) return nullptr;
*IsWrite = true; *IsWrite = true;
*TypeSize = DL->getTypeStoreSizeInBits(SI->getValueOperand()->getType());
*Alignment = SI->getAlignment(); *Alignment = SI->getAlignment();
PtrOperand = SI->getPointerOperand(); PtrOperand = SI->getPointerOperand();
} else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { } else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) {
if (!ClInstrumentAtomics) return nullptr; if (!ClInstrumentAtomics) return nullptr;
*IsWrite = true; *IsWrite = true;
*TypeSize = DL->getTypeStoreSizeInBits(RMW->getValOperand()->getType());
*Alignment = 0; *Alignment = 0;
PtrOperand = RMW->getPointerOperand(); PtrOperand = RMW->getPointerOperand();
} else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {
if (!ClInstrumentAtomics) return nullptr; if (!ClInstrumentAtomics) return nullptr;
*IsWrite = true; *IsWrite = true;
*TypeSize =
DL->getTypeStoreSizeInBits(XCHG->getCompareOperand()->getType());
*Alignment = 0; *Alignment = 0;
PtrOperand = XCHG->getPointerOperand(); PtrOperand = XCHG->getPointerOperand();
} }
// Treat memory accesses to promotable allocas as non-interesting since they // Treat memory accesses to promotable allocas as non-interesting since they
// will not cause memory violations. This greatly speeds up the instrumented // will not cause memory violations. This greatly speeds up the instrumented
// executable at -O0. // executable at -O0.
if (ClSkipPromotableAllocas) if (ClSkipPromotableAllocas)
if (auto AI = dyn_cast_or_null<AllocaInst>(PtrOperand)) if (auto AI = dyn_cast_or_null<AllocaInst>(PtrOperand))
return isInterestingAlloca(*AI) ? AI : nullptr; return isInterestingAlloca(*AI) ? AI : nullptr;
return PtrOperand; return PtrOperand;
} }
static bool isPointerOperand(Value *V) { static bool isPointerOperand(Value *V) {
return V->getType()->isPointerTy() || isa<PtrToIntInst>(V); return V->getType()->isPointerTy() || isa<PtrToIntInst>(V);
} }
// This is a rough heuristic; it may cause both false positives and // This is a rough heuristic; it may cause both false positives and
// false negatives. The proper implementation requires cooperation with // false negatives. The proper implementation requires cooperation with
// the frontend. // the frontend.
static bool isInterestingPointerComparisonOrSubtraction(Instruction *I) { static bool isInterestingPointerComparisonOrSubtraction(Instruction *I) {
if (ICmpInst *Cmp = dyn_cast<ICmpInst>(I)) { if (ICmpInst *Cmp = dyn_cast<ICmpInst>(I)) {
if (!Cmp->isRelational()) if (!Cmp->isRelational()) return false;
return false;
} else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(I)) { } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(I)) {
if (BO->getOpcode() != Instruction::Sub) if (BO->getOpcode() != Instruction::Sub) return false;
return false;
} else { } else {
return false; return false;
} }
if (!isPointerOperand(I->getOperand(0)) || if (!isPointerOperand(I->getOperand(0)) ||
!isPointerOperand(I->getOperand(1))) !isPointerOperand(I->getOperand(1)))
return false; return false;
return true; return true;
} }
bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) { bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) {
// If a global variable does not have dynamic initialization we don't // If a global variable does not have dynamic initialization we don't
// have to instrument it. However, if a global does not have initializer // have to instrument it. However, if a global does not have initializer
// at all, we assume it has dynamic initializer (in other TU). // at all, we assume it has dynamic initializer (in other TU).
return G->hasInitializer() && !GlobalsMD.get(G).IsDynInit; return G->hasInitializer() && !GlobalsMD.get(G).IsDynInit;
} }
void void AddressSanitizer::instrumentPointerComparisonOrSubtraction(
AddressSanitizer::instrumentPointerComparisonOrSubtraction(Instruction *I) { Instruction *I) {
IRBuilder<> IRB(I); IRBuilder<> IRB(I);
Function *F = isa<ICmpInst>(I) ? AsanPtrCmpFunction : AsanPtrSubFunction; Function *F = isa<ICmpInst>(I) ? AsanPtrCmpFunction : AsanPtrSubFunction;
Value *Param[2] = {I->getOperand(0), I->getOperand(1)}; Value *Param[2] = {I->getOperand(0), I->getOperand(1)};
for (int i = 0; i < 2; i++) { for (int i = 0; i < 2; i++) {
if (Param[i]->getType()->isPointerTy()) if (Param[i]->getType()->isPointerTy())
Param[i] = IRB.CreatePointerCast(Param[i], IntptrTy); Param[i] = IRB.CreatePointerCast(Param[i], IntptrTy);
} }
IRB.CreateCall2(F, Param[0], Param[1]); IRB.CreateCall2(F, Param[0], Param[1]);
} }
void AddressSanitizer::instrumentMop(Instruction *I, bool UseCalls) { void AddressSanitizer::instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis,
Instruction *I, bool UseCalls) {
bool IsWrite = false; bool IsWrite = false;
unsigned Alignment = 0; unsigned Alignment = 0;
Value *Addr = isInterestingMemoryAccess(I, &IsWrite, &Alignment); uint64_t TypeSize = 0;
Value *Addr = isInterestingMemoryAccess(I, &IsWrite, &TypeSize, &Alignment);
assert(Addr); assert(Addr);
if (ClOpt && ClOptGlobals) { if (ClOpt && ClOptGlobals) {
if (GlobalVariable *G = dyn_cast<GlobalVariable>(Addr)) {
// If initialization order checking is disabled, a simple access to a // If initialization order checking is disabled, a simple access to a
// dynamically initialized global is always valid. // dynamically initialized global is always valid.
if (!ClInitializers || GlobalIsLinkerInitialized(G)) { GlobalVariable *G =
dyn_cast<GlobalVariable>(GetUnderlyingObject(Addr, nullptr));
if (G != NULL && (!ClInitializers || GlobalIsLinkerInitialized(G)) &&
isSafeAccess(ObjSizeVis, Addr, TypeSize)) {
NumOptimizedAccessesToGlobalVar++; NumOptimizedAccessesToGlobalVar++;
return; return;
} }
} }
ConstantExpr *CE = dyn_cast<ConstantExpr>(Addr);
if (CE && CE->isGEPWithNoNotionalOverIndexing()) { if (ClOpt && ClOptStack) {
if (GlobalVariable *G = dyn_cast<GlobalVariable>(CE->getOperand(0))) { // A direct inbounds access to a stack variable is always valid.
kccUnsubmitted
Not Done
ReplyInline Actions

mega cool.
Let's put it under a flag e.g. asan-opt-stack-inbounds (off by default) and play with it more.

kcc: mega cool. Let's put it under a flag e.g. asan-opt-stack-inbounds (off by default) and play…
dvyukovAuthorUnsubmitted
Not Done
ReplyInline Actions

Is it possible to make it work correctly? I am lost in all possible llvm predicates and their meaning. I don't understand how "int x[10]; x[12] = 1" can be an "in bounds constant offset".

dvyukov: Is it possible to make it work correctly? I am lost in all possible llvm predicates and their…
if (CE->getOperand(1)->isNullValue() && GlobalIsLinkerInitialized(G)) { if (isa<AllocaInst>(GetUnderlyingObject(Addr, nullptr)) &&
NumOptimizedAccessesToGlobalArray++; isSafeAccess(ObjSizeVis, Addr, TypeSize)) {
NumOptimizedAccessesToStackVar++;
return; return;
kccUnsubmitted
Not Done
ReplyInline Actions

remove this then?

kcc: remove this then?
} }
} }
}
}
Type *OrigPtrTy = Addr->getType();
Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType();
assert(OrigTy->isSized());
uint32_t TypeSize = DL->getTypeStoreSizeInBits(OrigTy);
assert((TypeSize % 8) == 0);
if (IsWrite) if (IsWrite)
NumInstrumentedWrites++; NumInstrumentedWrites++;
else else
NumInstrumentedReads++; NumInstrumentedReads++;
unsigned Granularity = 1 << Mapping.Scale; unsigned Granularity = 1 << Mapping.Scale;
// Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check // Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check
Show All 9 Linesvoid AddressSanitizer::instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis,
IRBuilder<> IRB(I); IRBuilder<> IRB(I);
Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8); Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8);
Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);
if (UseCalls) { if (UseCalls) {
IRB.CreateCall2(AsanMemoryAccessCallbackSized[IsWrite], AddrLong, Size); IRB.CreateCall2(AsanMemoryAccessCallbackSized[IsWrite], AddrLong, Size);
} else { } else {
Value *LastByte = IRB.CreateIntToPtr( Value *LastByte = IRB.CreateIntToPtr(
IRB.CreateAdd(AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)), IRB.CreateAdd(AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)),
OrigPtrTy); Addr->getType());
instrumentAddress(I, I, Addr, 8, IsWrite, Size, false); instrumentAddress(I, I, Addr, 8, IsWrite, Size, false);
instrumentAddress(I, I, LastByte, 8, IsWrite, Size, false); instrumentAddress(I, I, LastByte, 8, IsWrite, Size, false);
} }
} }
// Validate the result of Module::getOrInsertFunction called for an interface // Validate the result of Module::getOrInsertFunction called for an interface
// function of AddressSanitizer. If the instrumented module defines a function // function of AddressSanitizer. If the instrumented module defines a function
// with the same name, their prototypes must match, otherwise // with the same name, their prototypes must match, otherwise
// getOrInsertFunction returns a bitcast. // getOrInsertFunction returns a bitcast.
static Function *checkInterfaceFunction(Constant *FuncOrBitcast) { static Function *checkInterfaceFunction(Constant *FuncOrBitcast) {
if (isa<Function>(FuncOrBitcast)) return cast<Function>(FuncOrBitcast); if (isa<Function>(FuncOrBitcast)) return cast<Function>(FuncOrBitcast);
FuncOrBitcast->dump(); FuncOrBitcast->dump();
report_fatal_error("trying to redefine an AddressSanitizer " report_fatal_error(
"trying to redefine an AddressSanitizer "
"interface function"); "interface function");
} }
Instruction *AddressSanitizer::generateCrashCode( Instruction *AddressSanitizer::generateCrashCode(Instruction *InsertBefore,
Instruction *InsertBefore, Value *Addr, Value *Addr, bool IsWrite,
bool IsWrite, size_t AccessSizeIndex, Value *SizeArgument) { size_t AccessSizeIndex,
Value *SizeArgument) {
IRBuilder<> IRB(InsertBefore); IRBuilder<> IRB(InsertBefore);
CallInst *Call = SizeArgument CallInst *Call =
SizeArgument
? IRB.CreateCall2(AsanErrorCallbackSized[IsWrite], Addr, SizeArgument) ? IRB.CreateCall2(AsanErrorCallbackSized[IsWrite], Addr, SizeArgument)
: IRB.CreateCall(AsanErrorCallback[IsWrite][AccessSizeIndex], Addr); : IRB.CreateCall(AsanErrorCallback[IsWrite][AccessSizeIndex], Addr);
// We don't do Call->setDoesNotReturn() because the BB already has // We don't do Call->setDoesNotReturn() because the BB already has
// UnreachableInst at the end. // UnreachableInst at the end.
// This EmptyAsm is required to avoid callback merge. // This EmptyAsm is required to avoid callback merge.
IRB.CreateCall(EmptyAsm); IRB.CreateCall(EmptyAsm);
return Call; return Call;
} }
Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong,
Value *ShadowValue, Value *ShadowValue,
uint32_t TypeSize) { uint32_t TypeSize) {
size_t Granularity = 1 << Mapping.Scale; size_t Granularity = 1 << Mapping.Scale;
// Addr & (Granularity - 1) // Addr & (Granularity - 1)
Value *LastAccessedByte = IRB.CreateAnd( Value *LastAccessedByte =
AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); IRB.CreateAnd(AddrLong, ConstantInt::get(IntptrTy, Granularity - 1));
// (Addr & (Granularity - 1)) + size - 1 // (Addr & (Granularity - 1)) + size - 1
if (TypeSize / 8 > 1) if (TypeSize / 8 > 1)
LastAccessedByte = IRB.CreateAdd( LastAccessedByte = IRB.CreateAdd(
LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1));
// (uint8_t) ((Addr & (Granularity-1)) + size - 1) // (uint8_t) ((Addr & (Granularity-1)) + size - 1)
LastAccessedByte = IRB.CreateIntCast( LastAccessedByte =
LastAccessedByte, ShadowValue->getType(), false); IRB.CreateIntCast(LastAccessedByte, ShadowValue->getType(), false);
// ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue
return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue); return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue);
} }
void AddressSanitizer::instrumentAddress(Instruction *OrigIns, void AddressSanitizer::instrumentAddress(Instruction *OrigIns,
Instruction *InsertBefore, Value *Addr, Instruction *InsertBefore, Value *Addr,
uint32_t TypeSize, bool IsWrite, uint32_t TypeSize, bool IsWrite,
Value *SizeArgument, bool UseCalls) { Value *SizeArgument, bool UseCalls) {
IRBuilder<> IRB(InsertBefore); IRBuilder<> IRB(InsertBefore);
Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);
size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize); size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize);
if (UseCalls) { if (UseCalls) {
IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][AccessSizeIndex], IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][AccessSizeIndex],
AddrLong); AddrLong);
return; return;
} }
Type *ShadowTy = IntegerType::get( Type *ShadowTy =
*C, std::max(8U, TypeSize >> Mapping.Scale)); IntegerType::get(*C, std::max(8U, TypeSize >> Mapping.Scale));
Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); Type *ShadowPtrTy = PointerType::get(ShadowTy, 0);
Value *ShadowPtr = memToShadow(AddrLong, IRB); Value *ShadowPtr = memToShadow(AddrLong, IRB);
Value *CmpVal = Constant::getNullValue(ShadowTy); Value *CmpVal = Constant::getNullValue(ShadowTy);
Value *ShadowValue = IRB.CreateLoad( Value *ShadowValue =
IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); IRB.CreateLoad(IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy));
Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal);
size_t Granularity = 1 << Mapping.Scale; size_t Granularity = 1 << Mapping.Scale;
TerminatorInst *CrashTerm = nullptr; TerminatorInst *CrashTerm = nullptr;
if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) { if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) {
// We use branch weights for the slow path check, to indicate that the slow // We use branch weights for the slow path check, to indicate that the slow
// path is rarely taken. This seems to be the case for SPEC benchmarks. // path is rarely taken. This seems to be the case for SPEC benchmarks.
TerminatorInst *CheckTerm = TerminatorInst *CheckTerm = SplitBlockAndInsertIfThen(
SplitBlockAndInsertIfThen(Cmp, InsertBefore, false, Cmp, InsertBefore, false, MDBuilder(*C).createBranchWeights(1, 100000));
MDBuilder(*C).createBranchWeights(1, 100000));
assert(dyn_cast<BranchInst>(CheckTerm)->isUnconditional()); assert(dyn_cast<BranchInst>(CheckTerm)->isUnconditional());
BasicBlock *NextBB = CheckTerm->getSuccessor(0); BasicBlock *NextBB = CheckTerm->getSuccessor(0);
IRB.SetInsertPoint(CheckTerm); IRB.SetInsertPoint(CheckTerm);
Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize); Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize);
BasicBlock *CrashBlock = BasicBlock *CrashBlock =
BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); BasicBlock::Create(*C, "", NextBB->getParent(), NextBB);
CrashTerm = new UnreachableInst(*C, CrashBlock); CrashTerm = new UnreachableInst(*C, CrashBlock);
BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2);
ReplaceInstWithInst(CheckTerm, NewTerm); ReplaceInstWithInst(CheckTerm, NewTerm);
} else { } else {
CrashTerm = SplitBlockAndInsertIfThen(Cmp, InsertBefore, true); CrashTerm = SplitBlockAndInsertIfThen(Cmp, InsertBefore, true);
} }
Instruction *Crash = generateCrashCode( Instruction *Crash = generateCrashCode(CrashTerm, AddrLong, IsWrite,
CrashTerm, AddrLong, IsWrite, AccessSizeIndex, SizeArgument); AccessSizeIndex, SizeArgument);
Crash->setDebugLoc(OrigIns->getDebugLoc()); Crash->setDebugLoc(OrigIns->getDebugLoc());
} }
void AddressSanitizerModule::poisonOneInitializer(Function &GlobalInit, void AddressSanitizerModule::poisonOneInitializer(Function &GlobalInit,
GlobalValue *ModuleName) { GlobalValue *ModuleName) {
// Set up the arguments to our poison/unpoison functions. // Set up the arguments to our poison/unpoison functions.
IRBuilder<> IRB(GlobalInit.begin()->getFirstInsertionPt()); IRBuilder<> IRB(GlobalInit.begin()->getFirstInsertionPt());
// Add a call to poison all external globals before the given function starts. // Add a call to poison all external globals before the given function starts.
Value *ModuleNameAddr = ConstantExpr::getPointerCast(ModuleName, IntptrTy); Value *ModuleNameAddr = ConstantExpr::getPointerCast(ModuleName, IntptrTy);
IRB.CreateCall(AsanPoisonGlobals, ModuleNameAddr); IRB.CreateCall(AsanPoisonGlobals, ModuleNameAddr);
// Add calls to unpoison all globals before each return instruction. // Add calls to unpoison all globals before each return instruction.
for (auto &BB : GlobalInit.getBasicBlockList()) for (auto &BB : GlobalInit.getBasicBlockList())
if (ReturnInst *RI = dyn_cast<ReturnInst>(BB.getTerminator())) if (ReturnInst *RI = dyn_cast<ReturnInst>(BB.getTerminator()))
CallInst::Create(AsanUnpoisonGlobals, "", RI); CallInst::Create(AsanUnpoisonGlobals, "", RI);
} }
void AddressSanitizerModule::createInitializerPoisonCalls( void AddressSanitizerModule::createInitializerPoisonCalls(
Module &M, GlobalValue *ModuleName) { Module &M, GlobalValue *ModuleName) {
GlobalVariable *GV = M.getGlobalVariable("llvm.global_ctors"); GlobalVariable *GV = M.getGlobalVariable("llvm.global_ctors");
ConstantArray *CA = cast<ConstantArray>(GV->getInitializer()); ConstantArray *CA = cast<ConstantArray>(GV->getInitializer());
for (Use &OP : CA->operands()) { for (Use &OP : CA->operands()) {
if (isa<ConstantAggregateZero>(OP)) if (isa<ConstantAggregateZero>(OP)) continue;
continue;
ConstantStruct *CS = cast<ConstantStruct>(OP); ConstantStruct *CS = cast<ConstantStruct>(OP);
// Must have a function or null ptr. // Must have a function or null ptr.
if (Function* F = dyn_cast<Function>(CS->getOperand(1))) { if (Function *F = dyn_cast<Function>(CS->getOperand(1))) {
if (F->getName() == kAsanModuleCtorName) continue; if (F->getName() == kAsanModuleCtorName) continue;
ConstantInt *Priority = dyn_cast<ConstantInt>(CS->getOperand(0)); ConstantInt *Priority = dyn_cast<ConstantInt>(CS->getOperand(0));
// Don't instrument CTORs that will run before asan.module_ctor. // Don't instrument CTORs that will run before asan.module_ctor.
if (Priority->getLimitedValue() <= kAsanCtorAndDtorPriority) continue; if (Priority->getLimitedValue() <= kAsanCtorAndDtorPriority) continue;
poisonOneInitializer(*F, ModuleName); poisonOneInitializer(*F, ModuleName);
} }
} }
} }
bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) { bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) {
Type *Ty = cast<PointerType>(G->getType())->getElementType(); Type *Ty = cast<PointerType>(G->getType())->getElementType();
DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); DEBUG(dbgs() << "GLOBAL: " << *G << "\n");
if (GlobalsMD.get(G).IsBlacklisted) return false; if (GlobalsMD.get(G).IsBlacklisted) return false;
if (!Ty->isSized()) return false; if (!Ty->isSized()) return false;
if (!G->hasInitializer()) return false; if (!G->hasInitializer()) return false;
if (GlobalWasGeneratedByAsan(G)) return false; // Our own global. if (GlobalWasGeneratedByAsan(G)) return false; // Our own global.
// Touch only those globals that will not be defined in other modules. // Touch only those globals that will not be defined in other modules.
// Don't handle ODR linkage types and COMDATs since other modules may be built // Don't handle ODR linkage types and COMDATs since other modules may be built
// without ASan. // without ASan.
if (G->getLinkage() != GlobalVariable::ExternalLinkage && if (G->getLinkage() != GlobalVariable::ExternalLinkage &&
G->getLinkage() != GlobalVariable::PrivateLinkage && G->getLinkage() != GlobalVariable::PrivateLinkage &&
G->getLinkage() != GlobalVariable::InternalLinkage) G->getLinkage() != GlobalVariable::InternalLinkage)
return false; return false;
if (G->hasComdat()) if (G->hasComdat()) return false;
return false;
// Two problems with thread-locals: // Two problems with thread-locals:
// - The address of the main thread's copy can't be computed at link-time. // - The address of the main thread's copy can't be computed at link-time.
// - Need to poison all copies, not just the main thread's one. // - Need to poison all copies, not just the main thread's one.
if (G->isThreadLocal()) if (G->isThreadLocal()) return false;
return false;
// For now, just ignore this Global if the alignment is large. // For now, just ignore this Global if the alignment is large.
if (G->getAlignment() > MinRedzoneSizeForGlobal()) return false; if (G->getAlignment() > MinRedzoneSizeForGlobal()) return false;
if (G->hasSection()) { if (G->hasSection()) {
StringRef Section(G->getSection()); StringRef Section(G->getSection());
if (TargetTriple.isOSBinFormatMachO()) { if (TargetTriple.isOSBinFormatMachO()) {
StringRef ParsedSegment, ParsedSection; StringRef ParsedSegment, ParsedSection;
unsigned TAA = 0, StubSize = 0; unsigned TAA = 0, StubSize = 0;
bool TAAParsed; bool TAAParsed;
std::string ErrorCode = std::string ErrorCode = MCSectionMachO::ParseSectionSpecifier(
MCSectionMachO::ParseSectionSpecifier(Section, ParsedSegment, Section, ParsedSegment, ParsedSection, TAA, TAAParsed, StubSize);
ParsedSection, TAA, TAAParsed,
StubSize);
if (!ErrorCode.empty()) { if (!ErrorCode.empty()) {
report_fatal_error("Invalid section specifier '" + ParsedSection + report_fatal_error("Invalid section specifier '" + ParsedSection +
"': " + ErrorCode + "."); "': " + ErrorCode + ".");
} }
// Ignore the globals from the __OBJC section. The ObjC runtime assumes // Ignore the globals from the __OBJC section. The ObjC runtime assumes
// those conform to /usr/lib/objc/runtime.h, so we can't add redzones to // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to
// them. // them.
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Linesvoid AddressSanitizerModule::initializeCallbacks(Module &M) {
AsanPoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( AsanPoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction(
kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, nullptr)); kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, nullptr));
AsanPoisonGlobals->setLinkage(Function::ExternalLinkage); AsanPoisonGlobals->setLinkage(Function::ExternalLinkage);
AsanUnpoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( AsanUnpoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction(
kAsanUnpoisonGlobalsName, IRB.getVoidTy(), nullptr)); kAsanUnpoisonGlobalsName, IRB.getVoidTy(), nullptr));
AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage); AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage);
// Declare functions that register/unregister globals. // Declare functions that register/unregister globals.
AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction(
kAsanRegisterGlobalsName, IRB.getVoidTy(), kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
IntptrTy, IntptrTy, nullptr));
AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); AsanRegisterGlobals->setLinkage(Function::ExternalLinkage);
AsanUnregisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( AsanUnregisterGlobals = checkInterfaceFunction(
kAsanUnregisterGlobalsName, M.getOrInsertFunction(kAsanUnregisterGlobalsName, IRB.getVoidTy(),
IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr)); IntptrTy, IntptrTy, nullptr));
AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage);
} }
// This function replaces all global variables with new variables that have // This function replaces all global variables with new variables that have
// trailing redzones. It also creates a function that poisons // trailing redzones. It also creates a function that poisons
// redzones and inserts this function into llvm.global_ctors. // redzones and inserts this function into llvm.global_ctors.
bool AddressSanitizerModule::InstrumentGlobals(IRBuilder<> &IRB, Module &M) { bool AddressSanitizerModule::InstrumentGlobals(IRBuilder<> &IRB, Module &M) {
GlobalsMD.init(M); GlobalsMD.init(M);
SmallVector<GlobalVariable *, 16> GlobalsToChange; SmallVector<GlobalVariable *, 16> GlobalsToChange;
for (auto &G : M.globals()) { for (auto &G : M.globals()) {
if (ShouldInstrumentGlobal(&G)) if (ShouldInstrumentGlobal(&G)) GlobalsToChange.push_back(&G);
GlobalsToChange.push_back(&G);
} }
size_t n = GlobalsToChange.size(); size_t n = GlobalsToChange.size();
if (n == 0) return false; if (n == 0) return false;
// A global is described by a structure // A global is described by a structure
// size_t beg; // size_t beg;
// size_t size; // size_t size;
// size_t size_with_redzone; // size_t size_with_redzone;
// const char *name; // const char *name;
// const char *module_name; // const char *module_name;
// size_t has_dynamic_init; // size_t has_dynamic_init;
// void *source_location; // void *source_location;
// We initialize an array of such structures and pass it to a run-time call. // We initialize an array of such structures and pass it to a run-time call.
StructType *GlobalStructTy = StructType *GlobalStructTy =
StructType::get(IntptrTy, IntptrTy, IntptrTy, IntptrTy, IntptrTy, StructType::get(IntptrTy, IntptrTy, IntptrTy, IntptrTy, IntptrTy,
IntptrTy, IntptrTy, nullptr); IntptrTy, IntptrTy, nullptr);
SmallVector<Constant *, 16> Initializers(n); SmallVector<Constant *, 16> Initializers(n);
bool HasDynamicallyInitializedGlobals = false; bool HasDynamicallyInitializedGlobals = false;
// We shouldn't merge same module names, as this string serves as unique // We shouldn't merge same module names, as this string serves as unique
// module ID in runtime. // module ID in runtime.
GlobalVariable *ModuleName = createPrivateGlobalForString( GlobalVariable *ModuleName = createPrivateGlobalForString(
M, M.getModuleIdentifier(), /*AllowMerging*/false); M, M.getModuleIdentifier(), /*AllowMerging*/ false);
for (size_t i = 0; i < n; i++) { for (size_t i = 0; i < n; i++) {
static const uint64_t kMaxGlobalRedzone = 1 << 18; static const uint64_t kMaxGlobalRedzone = 1 << 18;
GlobalVariable *G = GlobalsToChange[i]; GlobalVariable *G = GlobalsToChange[i];
auto MD = GlobalsMD.get(G); auto MD = GlobalsMD.get(G);
// Create string holding the global name (use global name from metadata // Create string holding the global name (use global name from metadata
// if it's available, otherwise just write the name of global variable). // if it's available, otherwise just write the name of global variable).
GlobalVariable *Name = createPrivateGlobalForString( GlobalVariable *Name = createPrivateGlobalForString(
M, MD.Name.empty() ? G->getName() : MD.Name, M, MD.Name.empty() ? G->getName() : MD.Name,
/*AllowMerging*/ true); /*AllowMerging*/ true);
PointerType *PtrTy = cast<PointerType>(G->getType()); PointerType *PtrTy = cast<PointerType>(G->getType());
Type *Ty = PtrTy->getElementType(); Type *Ty = PtrTy->getElementType();
uint64_t SizeInBytes = DL->getTypeAllocSize(Ty); uint64_t SizeInBytes = DL->getTypeAllocSize(Ty);
uint64_t MinRZ = MinRedzoneSizeForGlobal(); uint64_t MinRZ = MinRedzoneSizeForGlobal();
// MinRZ <= RZ <= kMaxGlobalRedzone // MinRZ <= RZ <= kMaxGlobalRedzone
// and trying to make RZ to be ~ 1/4 of SizeInBytes. // and trying to make RZ to be ~ 1/4 of SizeInBytes.
uint64_t RZ = std::max(MinRZ, uint64_t RZ = std::max(
std::min(kMaxGlobalRedzone, MinRZ, std::min(kMaxGlobalRedzone, (SizeInBytes / MinRZ / 4) * MinRZ));
(SizeInBytes / MinRZ / 4) * MinRZ));
uint64_t RightRedzoneSize = RZ; uint64_t RightRedzoneSize = RZ;
// Round up to MinRZ // Round up to MinRZ
if (SizeInBytes % MinRZ) if (SizeInBytes % MinRZ) RightRedzoneSize += MinRZ - (SizeInBytes % MinRZ);
RightRedzoneSize += MinRZ - (SizeInBytes % MinRZ);
assert(((RightRedzoneSize + SizeInBytes) % MinRZ) == 0); assert(((RightRedzoneSize + SizeInBytes) % MinRZ) == 0);
Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize);
StructType *NewTy = StructType::get(Ty, RightRedZoneTy, nullptr); StructType *NewTy = StructType::get(Ty, RightRedZoneTy, nullptr);
Constant *NewInitializer = ConstantStruct::get( Constant *NewInitializer =
NewTy, G->getInitializer(), ConstantStruct::get(NewTy, G->getInitializer(),
Constant::getNullValue(RightRedZoneTy), nullptr); Constant::getNullValue(RightRedZoneTy), nullptr);
// Create a new global variable with enough space for a redzone. // Create a new global variable with enough space for a redzone.
GlobalValue::LinkageTypes Linkage = G->getLinkage(); GlobalValue::LinkageTypes Linkage = G->getLinkage();
if (G->isConstant() && Linkage == GlobalValue::PrivateLinkage) if (G->isConstant() && Linkage == GlobalValue::PrivateLinkage)
Linkage = GlobalValue::InternalLinkage; Linkage = GlobalValue::InternalLinkage;
GlobalVariable *NewGlobal = new GlobalVariable( GlobalVariable *NewGlobal =
M, NewTy, G->isConstant(), Linkage, new GlobalVariable(M, NewTy, G->isConstant(), Linkage, NewInitializer,
NewInitializer, "", G, G->getThreadLocalMode()); "", G, G->getThreadLocalMode());
NewGlobal->copyAttributesFrom(G); NewGlobal->copyAttributesFrom(G);
NewGlobal->setAlignment(MinRZ); NewGlobal->setAlignment(MinRZ);
Value *Indices2[2]; Value *Indices2[2];
Indices2[0] = IRB.getInt32(0); Indices2[0] = IRB.getInt32(0);
Indices2[1] = IRB.getInt32(0); Indices2[1] = IRB.getInt32(0);
G->replaceAllUsesWith( G->replaceAllUsesWith(
Show All 12 Lines for (size_t i = 0; i < n; i++) {
Initializers[i] = ConstantStruct::get( Initializers[i] = ConstantStruct::get(
GlobalStructTy, ConstantExpr::getPointerCast(NewGlobal, IntptrTy), GlobalStructTy, ConstantExpr::getPointerCast(NewGlobal, IntptrTy),
ConstantInt::get(IntptrTy, SizeInBytes), ConstantInt::get(IntptrTy, SizeInBytes),
ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize),
ConstantExpr::getPointerCast(Name, IntptrTy), ConstantExpr::getPointerCast(Name, IntptrTy),
ConstantExpr::getPointerCast(ModuleName, IntptrTy), ConstantExpr::getPointerCast(ModuleName, IntptrTy),
ConstantInt::get(IntptrTy, MD.IsDynInit), SourceLoc, nullptr); ConstantInt::get(IntptrTy, MD.IsDynInit), SourceLoc, nullptr);
if (ClInitializers && MD.IsDynInit) if (ClInitializers && MD.IsDynInit) HasDynamicallyInitializedGlobals = true;
HasDynamicallyInitializedGlobals = true;
DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n");
} }
ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n);
GlobalVariable *AllGlobals = new GlobalVariable( GlobalVariable *AllGlobals = new GlobalVariable(
M, ArrayOfGlobalStructTy, false, GlobalVariable::InternalLinkage, M, ArrayOfGlobalStructTy, false, GlobalVariable::InternalLinkage,
ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); ConstantArray::get(ArrayOfGlobalStructTy, Initializers), "");
// Create calls for poisoning before initializers run and unpoisoning after. // Create calls for poisoning before initializers run and unpoisoning after.
if (HasDynamicallyInitializedGlobals) if (HasDynamicallyInitializedGlobals)
createInitializerPoisonCalls(M, ModuleName); createInitializerPoisonCalls(M, ModuleName);
IRB.CreateCall2(AsanRegisterGlobals, IRB.CreateCall2(AsanRegisterGlobals,
IRB.CreatePointerCast(AllGlobals, IntptrTy), IRB.CreatePointerCast(AllGlobals, IntptrTy),
ConstantInt::get(IntptrTy, n)); ConstantInt::get(IntptrTy, n));
// We also need to unregister globals at the end, e.g. when a shared library // We also need to unregister globals at the end, e.g. when a shared library
// gets closed. // gets closed.
Function *AsanDtorFunction = Function::Create( Function *AsanDtorFunction =
FunctionType::get(Type::getVoidTy(*C), false), Function::Create(FunctionType::get(Type::getVoidTy(*C), false),
GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); GlobalValue::InternalLinkage, kAsanModuleDtorName, &M);
BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction);
IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB));
IRB_Dtor.CreateCall2(AsanUnregisterGlobals, IRB_Dtor.CreateCall2(AsanUnregisterGlobals,
IRB.CreatePointerCast(AllGlobals, IntptrTy), IRB.CreatePointerCast(AllGlobals, IntptrTy),
ConstantInt::get(IntptrTy, n)); ConstantInt::get(IntptrTy, n));
appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndDtorPriority); appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndDtorPriority);
DEBUG(dbgs() << M); DEBUG(dbgs() << M);
return true; return true;
} }
bool AddressSanitizerModule::runOnModule(Module &M) { bool AddressSanitizerModule::runOnModule(Module &M) {
DataLayoutPass *DLP = getAnalysisIfAvailable<DataLayoutPass>(); DataLayoutPass *DLP = getAnalysisIfAvailable<DataLayoutPass>();
if (!DLP) if (!DLP) return false;
return false;
DL = &DLP->getDataLayout(); DL = &DLP->getDataLayout();
C = &(M.getContext()); C = &(M.getContext());
int LongSize = DL->getPointerSizeInBits(); int LongSize = DL->getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize); IntptrTy = Type::getIntNTy(*C, LongSize);
TargetTriple = Triple(M.getTargetTriple()); TargetTriple = Triple(M.getTargetTriple());
Mapping = getShadowMapping(TargetTriple, LongSize); Mapping = getShadowMapping(TargetTriple, LongSize);
initializeCallbacks(M); initializeCallbacks(M);
bool Changed = false; bool Changed = false;
Function *CtorFunc = M.getFunction(kAsanModuleCtorName); Function *CtorFunc = M.getFunction(kAsanModuleCtorName);
assert(CtorFunc); assert(CtorFunc);
IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator()); IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator());
if (ClGlobals) if (ClGlobals) Changed |= InstrumentGlobals(IRB, M);
Changed |= InstrumentGlobals(IRB, M);
return Changed; return Changed;
} }
void AddressSanitizer::initializeCallbacks(Module &M) { void AddressSanitizer::initializeCallbacks(Module &M) {
IRBuilder<> IRB(*C); IRBuilder<> IRB(*C);
// Create __asan_report* callbacks. // Create __asan_report* callbacks.
for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) {
for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
AccessSizeIndex++) { AccessSizeIndex++) {
// IsWrite and TypeSize are encoded in the function name. // IsWrite and TypeSize are encoded in the function name.
std::string Suffix = std::string Suffix =
(AccessIsWrite ? "store" : "load") + itostr(1 << AccessSizeIndex); (AccessIsWrite ? "store" : "load") + itostr(1 << AccessSizeIndex);
AsanErrorCallback[AccessIsWrite][AccessSizeIndex] = AsanErrorCallback[AccessIsWrite][AccessSizeIndex] =
checkInterfaceFunction( checkInterfaceFunction(
M.getOrInsertFunction(kAsanReportErrorTemplate + Suffix, M.getOrInsertFunction(kAsanReportErrorTemplate + Suffix,
IRB.getVoidTy(), IntptrTy, nullptr)); IRB.getVoidTy(), IntptrTy, nullptr));
AsanMemoryAccessCallback[AccessIsWrite][AccessSizeIndex] = AsanMemoryAccessCallback[AccessIsWrite][AccessSizeIndex] =
checkInterfaceFunction( checkInterfaceFunction(
M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + Suffix, M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + Suffix,
IRB.getVoidTy(), IntptrTy, nullptr)); IRB.getVoidTy(), IntptrTy, nullptr));
} }
} }
AsanErrorCallbackSized[0] = checkInterfaceFunction(M.getOrInsertFunction( AsanErrorCallbackSized[0] = checkInterfaceFunction(M.getOrInsertFunction(
kAsanReportLoadN, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr)); kAsanReportLoadN, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
AsanErrorCallbackSized[1] = checkInterfaceFunction(M.getOrInsertFunction( AsanErrorCallbackSized[1] = checkInterfaceFunction(M.getOrInsertFunction(
kAsanReportStoreN, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr)); kAsanReportStoreN, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
AsanMemoryAccessCallbackSized[0] = checkInterfaceFunction( AsanMemoryAccessCallbackSized[0] = checkInterfaceFunction(
M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + "loadN", M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + "loadN",
IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr)); IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
AsanMemoryAccessCallbackSized[1] = checkInterfaceFunction( AsanMemoryAccessCallbackSized[1] = checkInterfaceFunction(
M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + "storeN", M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + "storeN",
IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr)); IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
Show All 19 Lines EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
StringRef(""), StringRef(""), StringRef(""), StringRef(""),
/*hasSideEffects=*/true); /*hasSideEffects=*/true);
} }
// virtual // virtual
bool AddressSanitizer::doInitialization(Module &M) { bool AddressSanitizer::doInitialization(Module &M) {
// Initialize the private fields. No one has accessed them before. // Initialize the private fields. No one has accessed them before.
DataLayoutPass *DLP = getAnalysisIfAvailable<DataLayoutPass>(); DataLayoutPass *DLP = getAnalysisIfAvailable<DataLayoutPass>();
if (!DLP) if (!DLP) report_fatal_error("data layout missing");
report_fatal_error("data layout missing");
DL = &DLP->getDataLayout(); DL = &DLP->getDataLayout();
GlobalsMD.init(M); GlobalsMD.init(M);
C = &(M.getContext()); C = &(M.getContext());
LongSize = DL->getPointerSizeInBits(); LongSize = DL->getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize); IntptrTy = Type::getIntNTy(*C, LongSize);
TargetTriple = Triple(M.getTargetTriple()); TargetTriple = Triple(M.getTargetTriple());
AsanCtorFunction = Function::Create( AsanCtorFunction =
FunctionType::get(Type::getVoidTy(*C), false), Function::Create(FunctionType::get(Type::getVoidTy(*C), false),
GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); GlobalValue::InternalLinkage, kAsanModuleCtorName, &M);
BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction);
// call __asan_init in the module ctor. // call __asan_init in the module ctor.
IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB)); IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB));
AsanInitFunction = checkInterfaceFunction( AsanInitFunction = checkInterfaceFunction(
M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), nullptr)); M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), nullptr));
AsanInitFunction->setLinkage(Function::ExternalLinkage); AsanInitFunction->setLinkage(Function::ExternalLinkage);
IRB.CreateCall(AsanInitFunction); IRB.CreateCall(AsanInitFunction);
Show All 25 Linesbool AddressSanitizer::runOnFunction(Function &F) {
DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n");
initializeCallbacks(*F.getParent()); initializeCallbacks(*F.getParent());
DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree(); DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree();
// If needed, insert __asan_init before checking for SanitizeAddress attr. // If needed, insert __asan_init before checking for SanitizeAddress attr.
maybeInsertAsanInitAtFunctionEntry(F); maybeInsertAsanInitAtFunctionEntry(F);
if (!F.hasFnAttribute(Attribute::SanitizeAddress)) if (!F.hasFnAttribute(Attribute::SanitizeAddress)) return false;
return false;
if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) return false;
return false;
// We want to instrument every address only once per basic block (unless there // We want to instrument every address only once per basic block (unless there
// are calls between uses). // are calls between uses).
SmallSet<Value*, 16> TempsToInstrument; SmallSet<Value *, 16> TempsToInstrument;
SmallVector<Instruction*, 16> ToInstrument; SmallVector<Instruction *, 16> ToInstrument;
SmallVector<Instruction*, 8> NoReturnCalls; SmallVector<Instruction *, 8> NoReturnCalls;
SmallVector<BasicBlock*, 16> AllBlocks; SmallVector<BasicBlock *, 16> AllBlocks;
SmallVector<Instruction*, 16> PointerComparisonsOrSubtracts; SmallVector<Instruction *, 16> PointerComparisonsOrSubtracts;
int NumAllocas = 0; int NumAllocas = 0;
bool IsWrite; bool IsWrite;
unsigned Alignment; unsigned Alignment;
uint64_t TypeSize;
// Fill the set of memory operations to instrument. // Fill the set of memory operations to instrument.
for (auto &BB : F) { for (auto &BB : F) {
AllBlocks.push_back(&BB); AllBlocks.push_back(&BB);
TempsToInstrument.clear(); TempsToInstrument.clear();
int NumInsnsPerBB = 0; int NumInsnsPerBB = 0;
for (auto &Inst : BB) { for (auto &Inst : BB) {
if (LooksLikeCodeInBug11395(&Inst)) return false; if (LooksLikeCodeInBug11395(&Inst)) return false;
if (Value *Addr = if (Value *Addr = isInterestingMemoryAccess(&Inst, &IsWrite, &TypeSize,
isInterestingMemoryAccess(&Inst, &IsWrite, &Alignment)) { &Alignment)) {
if (ClOpt && ClOptSameTemp) { if (ClOpt && ClOptSameTemp) {
if (!TempsToInstrument.insert(Addr).second) if (!TempsToInstrument.insert(Addr).second)
continue; // We've seen this temp in the current BB. continue; // We've seen this temp in the current BB.
} }
} else if (ClInvalidPointerPairs && } else if (ClInvalidPointerPairs &&
isInterestingPointerComparisonOrSubtraction(&Inst)) { isInterestingPointerComparisonOrSubtraction(&Inst)) {
PointerComparisonsOrSubtracts.push_back(&Inst); PointerComparisonsOrSubtracts.push_back(&Inst);
continue; continue;
} else if (isa<MemIntrinsic>(Inst)) { } else if (isa<MemIntrinsic>(Inst)) {
// ok, take it. // ok, take it.
} else { } else {
if (isa<AllocaInst>(Inst)) if (isa<AllocaInst>(Inst)) NumAllocas++;
NumAllocas++;
CallSite CS(&Inst); CallSite CS(&Inst);
if (CS) { if (CS) {
// A call inside BB. // A call inside BB.
TempsToInstrument.clear(); TempsToInstrument.clear();
if (CS.doesNotReturn()) if (CS.doesNotReturn()) NoReturnCalls.push_back(CS.getInstruction());
NoReturnCalls.push_back(CS.getInstruction());
} }
continue; continue;
} }
ToInstrument.push_back(&Inst); ToInstrument.push_back(&Inst);
NumInsnsPerBB++; NumInsnsPerBB++;
if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) break;
break;
} }
} }
bool UseCalls = false; bool UseCalls = false;
if (ClInstrumentationWithCallsThreshold >= 0 && if (ClInstrumentationWithCallsThreshold >= 0 &&
ToInstrument.size() > (unsigned)ClInstrumentationWithCallsThreshold) ToInstrument.size() > (unsigned)ClInstrumentationWithCallsThreshold)
UseCalls = true; UseCalls = true;
const TargetLibraryInfo *TLI =
&getAnalysis<TargetLibraryInfoWrapperPass>().getTLI();
ObjectSizeOffsetVisitor ObjSizeVis(DL, TLI, F.getContext(),
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

/*RoundToAlign=*/true

zaks.anna: /*RoundToAlign=*/true
dvyukovAuthorUnsubmitted
Not Done
ReplyInline Actions

done

dvyukov: done
/*RoundToAlign=*/true);
// Instrument. // Instrument.
int NumInstrumented = 0; int NumInstrumented = 0;
for (auto Inst : ToInstrument) { for (auto Inst : ToInstrument) {
if (ClDebugMin < 0 || ClDebugMax < 0 || if (ClDebugMin < 0 || ClDebugMax < 0 ||
(NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) {
if (isInterestingMemoryAccess(Inst, &IsWrite, &Alignment)) if (isInterestingMemoryAccess(Inst, &IsWrite, &TypeSize, &Alignment))
instrumentMop(Inst, UseCalls); instrumentMop(ObjSizeVis, Inst, UseCalls);
else else
instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); instrumentMemIntrinsic(cast<MemIntrinsic>(Inst));
} }
NumInstrumented++; NumInstrumented++;
} }
FunctionStackPoisoner FSP(F, *this); FunctionStackPoisoner FSP(F, *this);
bool ChangedStack = FSP.runOnFunction(); bool ChangedStack = FSP.runOnFunction();
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Linesvoid FunctionStackPoisoner::initializeCallbacks(Module &M) {
AsanPoisonStackMemoryFunc = checkInterfaceFunction( AsanPoisonStackMemoryFunc = checkInterfaceFunction(
M.getOrInsertFunction(kAsanPoisonStackMemoryName, IRB.getVoidTy(), M.getOrInsertFunction(kAsanPoisonStackMemoryName, IRB.getVoidTy(),
IntptrTy, IntptrTy, nullptr)); IntptrTy, IntptrTy, nullptr));
AsanUnpoisonStackMemoryFunc = checkInterfaceFunction( AsanUnpoisonStackMemoryFunc = checkInterfaceFunction(
M.getOrInsertFunction(kAsanUnpoisonStackMemoryName, IRB.getVoidTy(), M.getOrInsertFunction(kAsanUnpoisonStackMemoryName, IRB.getVoidTy(),
IntptrTy, IntptrTy, nullptr)); IntptrTy, IntptrTy, nullptr));
} }
void void FunctionStackPoisoner::poisonRedZones(ArrayRef<uint8_t> ShadowBytes,
FunctionStackPoisoner::poisonRedZones(ArrayRef<uint8_t> ShadowBytes,
IRBuilder<> &IRB, Value *ShadowBase, IRBuilder<> &IRB, Value *ShadowBase,
bool DoPoison) { bool DoPoison) {
size_t n = ShadowBytes.size(); size_t n = ShadowBytes.size();
size_t i = 0; size_t i = 0;
// We need to (un)poison n bytes of stack shadow. Poison as many as we can // We need to (un)poison n bytes of stack shadow. Poison as many as we can
// using 64-bit stores (if we are on 64-bit arch), then poison the rest // using 64-bit stores (if we are on 64-bit arch), then poison the rest
// with 32-bit stores, then with 16-byte stores, then with 8-byte stores. // with 32-bit stores, then with 16-byte stores, then with 8-byte stores.
for (size_t LargeStoreSizeInBytes = ASan.LongSize / 8; for (size_t LargeStoreSizeInBytes = ASan.LongSize / 8;
LargeStoreSizeInBytes != 0; LargeStoreSizeInBytes /= 2) { LargeStoreSizeInBytes != 0; LargeStoreSizeInBytes /= 2) {
for (; i + LargeStoreSizeInBytes - 1 < n; i += LargeStoreSizeInBytes) { for (; i + LargeStoreSizeInBytes - 1 < n; i += LargeStoreSizeInBytes) {
Show All 13 Linesvoid FunctionStackPoisoner::poisonRedZones(ArrayRef<uint8_t> ShadowBytes,
} }
} }
// Fake stack allocator (asan_fake_stack.h) has 11 size classes // Fake stack allocator (asan_fake_stack.h) has 11 size classes
// for every power of 2 from kMinStackMallocSize to kMaxAsanStackMallocSizeClass // for every power of 2 from kMinStackMallocSize to kMaxAsanStackMallocSizeClass
static int StackMallocSizeClass(uint64_t LocalStackSize) { static int StackMallocSizeClass(uint64_t LocalStackSize) {
assert(LocalStackSize <= kMaxStackMallocSize); assert(LocalStackSize <= kMaxStackMallocSize);
uint64_t MaxSize = kMinStackMallocSize; uint64_t MaxSize = kMinStackMallocSize;
for (int i = 0; ; i++, MaxSize *= 2) for (int i = 0;; i++, MaxSize *= 2)
if (LocalStackSize <= MaxSize) if (LocalStackSize <= MaxSize) return i;
return i;
llvm_unreachable("impossible LocalStackSize"); llvm_unreachable("impossible LocalStackSize");
} }
// Set Size bytes starting from ShadowBase to kAsanStackAfterReturnMagic. // Set Size bytes starting from ShadowBase to kAsanStackAfterReturnMagic.
// We can not use MemSet intrinsic because it may end up calling the actual // We can not use MemSet intrinsic because it may end up calling the actual
// memset. Size is a multiple of 8. // memset. Size is a multiple of 8.
// Currently this generates 8-byte stores on x86_64; it may be better to // Currently this generates 8-byte stores on x86_64; it may be better to
// generate wider stores. // generate wider stores.
void FunctionStackPoisoner::SetShadowToStackAfterReturnInlined( void FunctionStackPoisoner::SetShadowToStackAfterReturnInlined(
IRBuilder<> &IRB, Value *ShadowBase, int Size) { IRBuilder<> &IRB, Value *ShadowBase, int Size) {
assert(!(Size % 8)); assert(!(Size % 8));
assert(kAsanStackAfterReturnMagic == 0xf5); assert(kAsanStackAfterReturnMagic == 0xf5);
for (int i = 0; i < Size; i += 8) { for (int i = 0; i < Size; i += 8) {
Value *p = IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)); Value *p = IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i));
IRB.CreateStore(ConstantInt::get(IRB.getInt64Ty(), 0xf5f5f5f5f5f5f5f5ULL), IRB.CreateStore(ConstantInt::get(IRB.getInt64Ty(), 0xf5f5f5f5f5f5f5f5ULL),
IRB.CreateIntToPtr(p, IRB.getInt64Ty()->getPointerTo())); IRB.CreateIntToPtr(p, IRB.getInt64Ty()->getPointerTo()));
} }
} }
static DebugLoc getFunctionEntryDebugLocation(Function &F) { static DebugLoc getFunctionEntryDebugLocation(Function &F) {
for (const auto &Inst : F.getEntryBlock()) for (const auto &Inst : F.getEntryBlock())
if (!isa<AllocaInst>(Inst)) if (!isa<AllocaInst>(Inst)) return Inst.getDebugLoc();
return Inst.getDebugLoc();
return DebugLoc(); return DebugLoc();
} }
PHINode *FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value *Cond, PHINode *FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value *Cond,
Value *ValueIfTrue, Value *ValueIfTrue,
Instruction *ThenTerm, Instruction *ThenTerm,
Value *ValueIfFalse) { Value *ValueIfFalse) {
PHINode *PHI = IRB.CreatePHI(IntptrTy, 2); PHINode *PHI = IRB.CreatePHI(IntptrTy, 2);
Show All 40 Linesvoid FunctionStackPoisoner::poisonStack() {
Instruction *InsBefore = AllocaVec[0]; Instruction *InsBefore = AllocaVec[0];
IRBuilder<> IRB(InsBefore); IRBuilder<> IRB(InsBefore);
IRB.SetCurrentDebugLocation(EntryDebugLocation); IRB.SetCurrentDebugLocation(EntryDebugLocation);
SmallVector<ASanStackVariableDescription, 16> SVD; SmallVector<ASanStackVariableDescription, 16> SVD;
SVD.reserve(AllocaVec.size()); SVD.reserve(AllocaVec.size());
for (AllocaInst *AI : AllocaVec) { for (AllocaInst *AI : AllocaVec) {
ASanStackVariableDescription D = { AI->getName().data(), ASanStackVariableDescription D = {AI->getName().data(),
ASan.getAllocaSizeInBytes(AI), ASan.getAllocaSizeInBytes(AI),
AI->getAlignment(), AI, 0}; AI->getAlignment(), AI, 0};
SVD.push_back(D); SVD.push_back(D);
} }
// Minimal header size (left redzone) is 4 pointers, // Minimal header size (left redzone) is 4 pointers,
// i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms. // i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms.
size_t MinHeaderSize = ASan.LongSize / 2; size_t MinHeaderSize = ASan.LongSize / 2;
ASanStackFrameLayout L; ASanStackFrameLayout L;
ComputeASanStackFrameLayout(SVD, 1UL << Mapping.Scale, MinHeaderSize, &L); ComputeASanStackFrameLayout(SVD, 1UL << Mapping.Scale, MinHeaderSize, &L);
DEBUG(dbgs() << L.DescriptionString << " --- " << L.FrameSize << "\n"); DEBUG(dbgs() << L.DescriptionString << " --- " << L.FrameSize << "\n");
▲ Show 20 LinesShow All 74 Lines▼ Show 20 Linesvoid FunctionStackPoisoner::poisonStack() {
// The left-most redzone has enough space for at least 4 pointers. // The left-most redzone has enough space for at least 4 pointers.
// Write the Magic value to redzone[0]. // Write the Magic value to redzone[0].
Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy);
IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic),
BasePlus0); BasePlus0);
// Write the frame description constant to redzone[1]. // Write the frame description constant to redzone[1].
Value *BasePlus1 = IRB.CreateIntToPtr( Value *BasePlus1 = IRB.CreateIntToPtr(
IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, ASan.LongSize/8)), IRB.CreateAdd(LocalStackBase,
ConstantInt::get(IntptrTy, ASan.LongSize / 8)),
IntptrPtrTy); IntptrPtrTy);
GlobalVariable *StackDescriptionGlobal = GlobalVariable *StackDescriptionGlobal =
createPrivateGlobalForString(*F.getParent(), L.DescriptionString, createPrivateGlobalForString(*F.getParent(), L.DescriptionString,
/*AllowMerging*/true); /*AllowMerging*/ true);
Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, IntptrTy);
IntptrTy);
IRB.CreateStore(Description, BasePlus1); IRB.CreateStore(Description, BasePlus1);
// Write the PC to redzone[2]. // Write the PC to redzone[2].
Value *BasePlus2 = IRB.CreateIntToPtr( Value *BasePlus2 = IRB.CreateIntToPtr(
IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, IRB.CreateAdd(LocalStackBase,
2 * ASan.LongSize/8)), ConstantInt::get(IntptrTy, 2 * ASan.LongSize / 8)),
IntptrPtrTy); IntptrPtrTy);
IRB.CreateStore(IRB.CreatePointerCast(&F, IntptrTy), BasePlus2); IRB.CreateStore(IRB.CreatePointerCast(&F, IntptrTy), BasePlus2);
// Poison the stack redzones at the entry. // Poison the stack redzones at the entry.
Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB); Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB);
poisonRedZones(L.ShadowBytes, IRB, ShadowBase, true); poisonRedZones(L.ShadowBytes, IRB, ShadowBase, true);
// (Un)poison the stack before all ret instructions. // (Un)poison the stack before all ret instructions.
for (auto Ret : RetVec) { for (auto Ret : RetVec) {
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Lines if (DoStackMalloc) {
// unpoison whole stack frame now. // unpoison whole stack frame now.
poisonAlloca(LocalStackBase, LocalStackSize, IRBRet, false); poisonAlloca(LocalStackBase, LocalStackSize, IRBRet, false);
} else { } else {
poisonRedZones(L.ShadowBytes, IRBRet, ShadowBase, false); poisonRedZones(L.ShadowBytes, IRBRet, ShadowBase, false);
} }
} }
// We are done. Remove the old unused alloca instructions. // We are done. Remove the old unused alloca instructions.
for (auto AI : AllocaVec) for (auto AI : AllocaVec) AI->eraseFromParent();
AI->eraseFromParent();
} }
void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size, void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size,
IRBuilder<> &IRB, bool DoPoison) { IRBuilder<> &IRB, bool DoPoison) {
// For now just insert the call to ASan runtime. // For now just insert the call to ASan runtime.
Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy); Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy);
Value *SizeArg = ConstantInt::get(IntptrTy, Size); Value *SizeArg = ConstantInt::get(IntptrTy, Size);
IRB.CreateCall2(DoPoison ? AsanPoisonStackMemoryFunc IRB.CreateCall2(
: AsanUnpoisonStackMemoryFunc, DoPoison ? AsanPoisonStackMemoryFunc : AsanUnpoisonStackMemoryFunc,
AddrArg, SizeArg); AddrArg, SizeArg);
} }
// Handling llvm.lifetime intrinsics for a given %alloca: // Handling llvm.lifetime intrinsics for a given %alloca:
// (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca. // (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca.
// (2) if %size is constant, poison memory for llvm.lifetime.end (to detect // (2) if %size is constant, poison memory for llvm.lifetime.end (to detect
// invalid accesses) and unpoison it for llvm.lifetime.start (the memory // invalid accesses) and unpoison it for llvm.lifetime.start (the memory
// could be poisoned by previous llvm.lifetime.end instruction, as the // could be poisoned by previous llvm.lifetime.end instruction, as the
// variable may go in and out of scope several times, e.g. in loops). // variable may go in and out of scope several times, e.g. in loops).
// (3) if we poisoned at least one %alloca in a function, // (3) if we poisoned at least one %alloca in a function,
// unpoison the whole stack frame at function exit. // unpoison the whole stack frame at function exit.
AllocaInst *FunctionStackPoisoner::findAllocaForValue(Value *V) { AllocaInst *FunctionStackPoisoner::findAllocaForValue(Value *V) {
if (AllocaInst *AI = dyn_cast<AllocaInst>(V)) if (AllocaInst *AI = dyn_cast<AllocaInst>(V))
// We're intested only in allocas we can handle. // We're intested only in allocas we can handle.
return ASan.isInterestingAlloca(*AI) ? AI : nullptr; return ASan.isInterestingAlloca(*AI) ? AI : nullptr;
// See if we've already calculated (or started to calculate) alloca for a // See if we've already calculated (or started to calculate) alloca for a
// given value. // given value.
AllocaForValueMapTy::iterator I = AllocaForValue.find(V); AllocaForValueMapTy::iterator I = AllocaForValue.find(V);
if (I != AllocaForValue.end()) if (I != AllocaForValue.end()) return I->second;
return I->second;
// Store 0 while we're calculating alloca for value V to avoid // Store 0 while we're calculating alloca for value V to avoid
// infinite recursion if the value references itself. // infinite recursion if the value references itself.
AllocaForValue[V] = nullptr; AllocaForValue[V] = nullptr;
AllocaInst *Res = nullptr; AllocaInst *Res = nullptr;
if (CastInst *CI = dyn_cast<CastInst>(V)) if (CastInst *CI = dyn_cast<CastInst>(V))
Res = findAllocaForValue(CI->getOperand(0)); Res = findAllocaForValue(CI->getOperand(0));
else if (PHINode *PN = dyn_cast<PHINode>(V)) { else if (PHINode *PN = dyn_cast<PHINode>(V)) {
for (unsigned i = 0, e = PN->getNumIncomingValues(); i != e; ++i) { for (unsigned i = 0, e = PN->getNumIncomingValues(); i != e; ++i) {
Value *IncValue = PN->getIncomingValue(i); Value *IncValue = PN->getIncomingValue(i);
// Allow self-referencing phi-nodes. // Allow self-referencing phi-nodes.
if (IncValue == PN) continue; if (IncValue == PN) continue;
AllocaInst *IncValueAI = findAllocaForValue(IncValue); AllocaInst *IncValueAI = findAllocaForValue(IncValue);
// AI for incoming values should exist and should all be equal. // AI for incoming values should exist and should all be equal.
if (IncValueAI == nullptr || (Res != nullptr && IncValueAI != Res)) if (IncValueAI == nullptr || (Res != nullptr && IncValueAI != Res))
return nullptr; return nullptr;
Res = IncValueAI; Res = IncValueAI;
} }
} }
if (Res) if (Res) AllocaForValue[V] = Res;
AllocaForValue[V] = Res;
return Res; return Res;
} }
// Compute PartialRzMagic for dynamic alloca call. PartialRzMagic is // Compute PartialRzMagic for dynamic alloca call. PartialRzMagic is
// constructed from two separate 32-bit numbers: PartialRzMagic = Val1 | Val2. // constructed from two separate 32-bit numbers: PartialRzMagic = Val1 | Val2.
// (1) Val1 is resposible for forming base value for PartialRzMagic, containing // (1) Val1 is resposible for forming base value for PartialRzMagic, containing
// only 00 for fully addressable and 0xcb for fully poisoned bytes for each // only 00 for fully addressable and 0xcb for fully poisoned bytes for each
// 8-byte chunk of user memory respectively. // 8-byte chunk of user memory respectively.
▲ Show 20 LinesShow All 123 Lines▼ Show 20 Linesvoid FunctionStackPoisoner::handleDynamicAllocaCall(
// Replace all uses of AddessReturnedByAlloca with NewAddress. // Replace all uses of AddessReturnedByAlloca with NewAddress.
AI->replaceAllUsesWith(NewAddressPtr); AI->replaceAllUsesWith(NewAddressPtr);
// We are done. Erase old alloca and store left, partial and right redzones // We are done. Erase old alloca and store left, partial and right redzones
// shadow addresses for future unpoisoning. // shadow addresses for future unpoisoning.
AI->eraseFromParent(); AI->eraseFromParent();
NumInstrumentedDynamicAllocas++; NumInstrumentedDynamicAllocas++;
} }
// isSafeAccess returns true if Addr is always inbounds with respect to its
// base object. For example, it is a field access or an array access with
// constant inbounds index.
bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis,
Value *Addr, uint64_t TypeSize) const {
SizeOffsetType SizeOffset = ObjSizeVis.compute(Addr);
dberlinUnsubmitted
Not Done
ReplyInline Actions

You may want to look if this does a better/worse job than GetPointerBaseWithConstantOffset

(This is what GVN, DeadStoreElimination, etc use to do what you are doing here - compute the pointer base and constant offset, make sure they match, then they use getTypeSizeInBits to compare the sizes)

dberlin: You may want to look if this does a better/worse job than GetPointerBaseWithConstantOffset…
if (!ObjSizeVis.bothKnown(SizeOffset)) return false;
int64_t Size = SizeOffset.first.getSExtValue();
int64_t Offset = SizeOffset.second.getSExtValue();
// Three checks are required to ensure safety:
// . Offset >= 0 (since the offset is given from the base ptr)
// . Size >= Offset (unsigned)
// . Size - Offset >= NeededSize (unsigned)
return Offset >= 0 && Size >= Offset &&
uint64_t(Size - Offset) >= TypeSize / 8;
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

Why not use getTypeStoreSize()?

uint64_t getTypeStoreSizeInBits(Type *Ty) const {
  return 8 * getTypeStoreSize(Ty);
}

Also, is overflow possible in these calculations?

zaks.anna: Why not use getTypeStoreSize()? uint64_t getTypeStoreSizeInBits(Type *Ty) const { return…
dvyukovAuthorUnsubmitted
Not Done
ReplyInline Actions

done

These are int64's. I don't see how overflow can happen.

dvyukov: done These are int64's. I don't see how overflow can happen.
}

test/Instrumentation/AddressSanitizer/instrument-stack.ll

; This test checks that we are not instrumenting direct inbound stack accesses.
; RUN: opt < %s -asan -asan-module -asan-opt-stack -S | FileCheck %s
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
;@sink = global i32* null, align 4
; Ignore direct inbounds stack access.
define void @foo() uwtable sanitize_address {
entry:
%a = alloca i32, align 4
store i32 42, i32* %a, align 4
ret void
; CHECK-LABEL: define void @foo
; CHECK-NOT: __asan_report
; CHECK: ret void
}
; Don't ignore dynamic indexing.
define void @baz(i64 %i) sanitize_address {
entry:
%a = alloca [10 x i32], align 4
%e = getelementptr inbounds [10 x i32], [10 x i32]* %a, i32 0, i64 %i
store i32 42, i32* %e, align 4
ret void
; CHECK-LABEL: define void @baz
; CHECK: __asan_report
; CHECK: ret void
}
define void @bar() sanitize_address {
entry:
%a = alloca [10 x i32], align 4
%e = getelementptr inbounds [10 x i32], [10 x i32]* %a, i32 0, i64 12
store i32 42, i32* %e, align 4
ret void
; CHECK-LABEL: define void @bar
; CHECK: __asan_report
; CHECK: ret void
}
define void @endoftests() sanitize_address {
entry:
ret void
; CHECK-LABEL: define void @endoftests
}