This is an archive of the discontinued LLVM Phabricator instance.

[AddressSanitizer] Instrument byval call arguments
AbandonedPublic

Authored by thejh on Apr 6 2020, 5:40 PM.

Download Raw Diff

Details

Reviewers: None

Summary

In the LLVM IR, "call" instructions read memory for each byval operand.
For example:

$ cat blah.c
struct foo { void *a, *b, *c; };
struct bar { struct foo foo; };
void func1(const struct foo);
void func2(struct bar *bar) { func1(bar->foo); }
$ [...]/bin/clang -S -flto -c blah.c -O2 ; cat blah.s
[...]
define dso_local void @func2(%struct.bar* %bar) local_unnamed_addr #0 {
entry:

%foo = getelementptr inbounds %struct.bar, %struct.bar* %bar, i64 0, i32 0
tail call void @func1(%struct.foo* byval(%struct.foo) align 8 %foo) #2
ret void

}
[...]
$ [...]/bin/clang -S -c blah.c -O2 ; cat blah.s
[...]
func2: # @func2
[...]
subq $24, %rsp
[...]
movq 16(%rdi), %rax
movq %rax, 16(%rsp)
movups (%rdi), %xmm0
movups %xmm0, (%rsp)
callq func1
addq $24, %rsp
[...]
retq

Let ASAN instrument these hidden memory accesses.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

thejh created this revision.Apr 6 2020, 5:40 PM

Herald added a project: Restricted Project. · View Herald TranscriptApr 6 2020, 5:40 PM

Herald added subscribers: llvm-commits, dexonsmith, hiraditya. · View Herald Transcript

thejh abandoned this revision.Apr 6 2020, 5:42 PM

Harbormaster failed remote builds in B52078: Diff 255547!Apr 6 2020, 6:02 PM

Revision Contents

Path

Size

llvm/

lib/

Transforms/

Instrumentation/

AddressSanitizer.cpp

8 lines

HWAddressSanitizer.cpp

7 lines

test/

Instrumentation/

AddressSanitizer/

byval-args.ll

18 lines

Diff 255547

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

//===- AddressSanitizer.cpp - memory error detector -----------------------===//		//===- AddressSanitizer.cpp - memory error detector -----------------------===//
		Lint: Lint Inline Actions clang-format-diff not found in user's PATH; not linting file. Lint: Lint: clang-format-diff not found in user's PATH; not linting file.
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
▲ Show 20 Lines • Show All 1,401 Lines • ▼ Show 20 Lines	if (F && (F->getName().startswith("llvm.masked.load.") \|\|
auto Ty = cast<PointerType>(BasePtr->getType())->getElementType();		auto Ty = cast<PointerType>(BasePtr->getType())->getElementType();
unsigned Alignment = 1;		unsigned Alignment = 1;
// Otherwise no alignment guarantees. We probably got Undef.		// Otherwise no alignment guarantees. We probably got Undef.
if (auto AlignmentConstant =		if (auto AlignmentConstant =
dyn_cast<ConstantInt>(CI->getOperand(1 + OpOffset)))		dyn_cast<ConstantInt>(CI->getOperand(1 + OpOffset)))
Alignment = (unsigned)AlignmentConstant->getZExtValue();		Alignment = (unsigned)AlignmentConstant->getZExtValue();
Value *Mask = CI->getOperand(2 + OpOffset);		Value *Mask = CI->getOperand(2 + OpOffset);
Interesting.emplace_back(I, OpOffset, IsWrite, Ty, Alignment, Mask);		Interesting.emplace_back(I, OpOffset, IsWrite, Ty, Alignment, Mask);
		} else {
		for (unsigned ArgNo = 0; ArgNo < CI->getNumArgOperands(); ArgNo++) {
		if (!CI->isByValArgument(ArgNo) \|\|
		ignoreAccess(CI->getArgOperand(ArgNo)))
		continue;
		Type *Ty = CI->getParamByValType(ArgNo);
		Interesting.emplace_back(I, ArgNo, false, Ty, 1);
		}
}		}
}		}
}		}

static bool isPointerOperand(Value *V) {		static bool isPointerOperand(Value *V) {
return V->getType()->isPointerTy() \|\| isa<PtrToIntInst>(V);		return V->getType()->isPointerTy() \|\| isa<PtrToIntInst>(V);
}		}

▲ Show 20 Lines • Show All 1,908 Lines • Show Last 20 Lines

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp

//===- HWAddressSanitizer.cpp - detector of uninitialized reads -------===//		//===- HWAddressSanitizer.cpp - detector of uninitialized reads -------===//
		Lint: Lint Inline Actions clang-format-diff not found in user's PATH; not linting file. Lint: Lint: clang-format-diff not found in user's PATH; not linting file.
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
▲ Show 20 Lines • Show All 534 Lines • ▼ Show 20 Lines	if (!ClInstrumentAtomics \|\| ignoreAccess(RMW->getPointerOperand()))
return;		return;
Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true,		Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true,
RMW->getValOperand()->getType(), 0);		RMW->getValOperand()->getType(), 0);
} else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {		} else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {
if (!ClInstrumentAtomics \|\| ignoreAccess(XCHG->getPointerOperand()))		if (!ClInstrumentAtomics \|\| ignoreAccess(XCHG->getPointerOperand()))
return;		return;
Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true,		Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true,
XCHG->getCompareOperand()->getType(), 0);		XCHG->getCompareOperand()->getType(), 0);
		} else if (auto CI = dyn_cast<CallInst>(I)) {
		for (unsigned ArgNo = 0; ArgNo < CI->getNumArgOperands(); ArgNo++) {
		if (!CI->isByValArgument(ArgNo) \|\| ignoreAccess(CI->getArgOperand(ArgNo)))
		continue;
		Type *Ty = CI->getParamByValType(ArgNo);
		Interesting.emplace_back(I, ArgNo, false, Ty, 1);
		}
}		}
}		}

static unsigned getPointerOperandIndex(Instruction *I) {		static unsigned getPointerOperandIndex(Instruction *I) {
if (LoadInst *LI = dyn_cast<LoadInst>(I))		if (LoadInst *LI = dyn_cast<LoadInst>(I))
return LI->getPointerOperandIndex();		return LI->getPointerOperandIndex();
if (StoreInst *SI = dyn_cast<StoreInst>(I))		if (StoreInst *SI = dyn_cast<StoreInst>(I))
return SI->getPointerOperandIndex();		return SI->getPointerOperandIndex();
▲ Show 20 Lines • Show All 929 Lines • Show Last 20 Lines

llvm/test/Instrumentation/AddressSanitizer/byval-args.ll

This file was added.

				; RUN: opt < %s -asan -S \| FileCheck %s
				; Test that for call instructions, the by-value arguments are instrumented.

				target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
				target triple = "x86_64-unknown-linux-gnu"

				%struct.bar = type { %struct.foo }
				%struct.foo = type { i8, i8, i8* }
				define dso_local void @func2(%struct.foo* %foo) sanitize_address {
				; CHECK-LABEL: @func2
				tail call void @func1(%struct.foo* byval(%struct.foo) align 8 %foo) #2
				; CHECK: call void @__asan_report_load
				ret void
				; CHECK: ret void
				}
				declare dso_local void @func1(%struct.foo* byval(%struct.foo) align 8)

				!0 = !{i32 1, !"wchar_size", i32 4}