This is an archive of the discontinued LLVM Phabricator instance.

Differential D87777

[ASAN] Properly deal with musttail calls in ASAN
ClosedPublic

Authored by lxfind on Sep 16 2020, 10:26 AM.

Details

Reviewers
wenlei
kubamracek
kcc
Commits
rG11453740bc6f: [ASAN] Properly deal with musttail calls in ASAN
Summary

When address sanitizing a function, stack unpinsoning code is inserted before each ret instruction. However if the ret instruciton is preceded by a musttail call, such transformation broke the musttail call contract and generates invalid IR.
This patch fixes the issue by moving the insertion point prior to the musttail call if there is one.

Diff Detail

Event Timeline

lxfind created this revision.Sep 16 2020, 10:26 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 16 2020, 10:26 AM
Herald added subscribers: llvm-commits, modimo, hiraditya. · View Herald Transcript
lxfind requested review of this revision.Sep 16 2020, 10:26 AM
lxfind updated this revision to Diff 292265.Sep 16 2020, 10:33 AM

comments

lxfind updated this revision to Diff 292266.Sep 16 2020, 10:34 AM

add test

lxfind updated this revision to Diff 292268.Sep 16 2020, 10:38 AM

fix test

Harbormaster completed remote builds in B71899: Diff 292264.Sep 16 2020, 10:55 AM
Harbormaster completed remote builds in B71901: Diff 292266.Sep 16 2020, 11:07 AM
Harbormaster completed remote builds in B71900: Diff 292265.
Harbormaster completed remote builds in B71902: Diff 292268.
wenlei accepted this revision.Sep 16 2020, 5:25 PM

LGTM except a minor comment.

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
562

Is there a better place for this helper and avoid duplication? We have a few copies of it now, TSAN, ASAN and EntryExitInstrumenter...

This revision is now accepted and ready to land.Sep 16 2020, 5:25 PM
lxfind added inline comments.Sep 16 2020, 5:34 PM
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
562

Yeah I have been wondering about this too. There are more duplicates than TSAN and ASAN.
Do you have any suggestions? I couldn't find a good place for this.

wenlei added inline comments.Sep 16 2020, 5:53 PM
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
562

Was thinking about something like building this into SetInsertPoint of IRBuilder, perhaps with an extra boolean argument with default value. But doesn't look like good layering there - might be too specific for IRBuilder. I'm fine with the way it is now.

Closed by commit rG11453740bc6f: [ASAN] Properly deal with musttail calls in ASAN (authored by lxfind). · Explain WhySep 18 2020, 11:11 PM
This revision was automatically updated to reflect the committed changes.
lxfind added a commit: rG11453740bc6f: [ASAN] Properly deal with musttail calls in ASAN.

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
30 lines
test/
Instrumentation/
AddressSanitizer/
35 lines

Diff 292946

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 550 Lines▼ Show 20 Lines
static uint64_t GetCtorAndDtorPriority(Triple &TargetTriple) { static uint64_t GetCtorAndDtorPriority(Triple &TargetTriple) {
if (TargetTriple.isOSEmscripten()) { if (TargetTriple.isOSEmscripten()) {
return kAsanEmscriptenCtorAndDtorPriority; return kAsanEmscriptenCtorAndDtorPriority;
} else { } else {
return kAsanCtorAndDtorPriority; return kAsanCtorAndDtorPriority;
} }
} }
// For a ret instruction followed by a musttail call, we cannot insert anything
// in between. Instead we use the musttail call instruction as the insertion
// point.
static Instruction *adjustForMusttailCall(Instruction *I) {
wenleiUnsubmitted
Not Done
ReplyInline Actions

Is there a better place for this helper and avoid duplication? We have a few copies of it now, TSAN, ASAN and EntryExitInstrumenter...

wenlei: Is there a better place for this helper and avoid duplication? We have a few copies of it now…
lxfindAuthorUnsubmitted
Done
ReplyInline Actions

Yeah I have been wondering about this too. There are more duplicates than TSAN and ASAN.
Do you have any suggestions? I couldn't find a good place for this.

lxfind: Yeah I have been wondering about this too. There are more duplicates than TSAN and ASAN. Do you…
wenleiUnsubmitted
Not Done
ReplyInline Actions

Was thinking about something like building this into SetInsertPoint of IRBuilder, perhaps with an extra boolean argument with default value. But doesn't look like good layering there - might be too specific for IRBuilder. I'm fine with the way it is now.

wenlei: Was thinking about something like building this into `SetInsertPoint` of IRBuilder, perhaps…
ReturnInst *RI = dyn_cast<ReturnInst>(I);
if (!RI)
return I;
Instruction *Prev = RI->getPrevNode();
if (BitCastInst *BCI = dyn_cast_or_null<BitCastInst>(Prev))
Prev = BCI->getPrevNode();
if (CallInst *CI = dyn_cast_or_null<CallInst>(Prev))
if (CI->isMustTailCall())
return CI;
return RI;
}
namespace { namespace {
/// Module analysis for getting various metadata about the module. /// Module analysis for getting various metadata about the module.
class ASanGlobalsMetadataWrapperPass : public ModulePass { class ASanGlobalsMetadataWrapperPass : public ModulePass {
public: public:
static char ID; static char ID;
ASanGlobalsMetadataWrapperPass() : ModulePass(ID) { ASanGlobalsMetadataWrapperPass() : ModulePass(ID) {
▲ Show 20 LinesShow All 427 Lines▼ Show 20 Lines void unpoisonDynamicAllocasBeforeInst(Instruction *InstBefore,
IRB.CreateCall( IRB.CreateCall(
AsanAllocasUnpoisonFunc, AsanAllocasUnpoisonFunc,
{IRB.CreateLoad(IntptrTy, DynamicAllocaLayout), DynamicAreaPtr}); {IRB.CreateLoad(IntptrTy, DynamicAllocaLayout), DynamicAreaPtr});
} }
// Unpoison dynamic allocas redzones. // Unpoison dynamic allocas redzones.
void unpoisonDynamicAllocas() { void unpoisonDynamicAllocas() {
for (auto &Ret : RetVec) for (Instruction *Ret : RetVec)
unpoisonDynamicAllocasBeforeInst(Ret, DynamicAllocaLayout); unpoisonDynamicAllocasBeforeInst(adjustForMusttailCall(Ret),
DynamicAllocaLayout);
for (auto &StackRestoreInst : StackRestoreVec) for (Instruction *StackRestoreInst : StackRestoreVec)
unpoisonDynamicAllocasBeforeInst(StackRestoreInst, unpoisonDynamicAllocasBeforeInst(StackRestoreInst,
StackRestoreInst->getOperand(0)); StackRestoreInst->getOperand(0));
} }
// Deploy and poison redzones around dynamic alloca call. To do this, we // Deploy and poison redzones around dynamic alloca call. To do this, we
// should replace this call with another one with changed parameters and // should replace this call with another one with changed parameters and
// replace all its uses with new address, so // replace all its uses with new address, so
// addr = alloca type, old_size, align // addr = alloca type, old_size, align
▲ Show 20 LinesShow All 2,284 Lines▼ Show 20 Lines for (const auto &APC : StaticAllocaPoisonCallVec) {
IRB, ShadowBase); IRB, ShadowBase);
} }
} }
SmallVector<uint8_t, 64> ShadowClean(ShadowAfterScope.size(), 0); SmallVector<uint8_t, 64> ShadowClean(ShadowAfterScope.size(), 0);
SmallVector<uint8_t, 64> ShadowAfterReturn; SmallVector<uint8_t, 64> ShadowAfterReturn;
// (Un)poison the stack before all ret instructions. // (Un)poison the stack before all ret instructions.
for (auto Ret : RetVec) { for (Instruction *Ret : RetVec) {
IRBuilder<> IRBRet(Ret); Instruction *Adjusted = adjustForMusttailCall(Ret);
IRBuilder<> IRBRet(Adjusted);
// Mark the current frame as retired. // Mark the current frame as retired.
IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic),
BasePlus0); BasePlus0);
if (DoStackMalloc) { if (DoStackMalloc) {
assert(StackMallocIdx >= 0); assert(StackMallocIdx >= 0);
// if FakeStack != 0 // LocalStackBase == FakeStack // if FakeStack != 0 // LocalStackBase == FakeStack
// // In use-after-return mode, poison the whole stack frame. // // In use-after-return mode, poison the whole stack frame.
// if StackMallocIdx <= 4 // if StackMallocIdx <= 4
// // For small sizes inline the whole thing: // // For small sizes inline the whole thing:
// memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize); // memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
// **SavedFlagPtr(FakeStack) = 0 // **SavedFlagPtr(FakeStack) = 0
// else // else
// __asan_stack_free_N(FakeStack, LocalStackSize) // __asan_stack_free_N(FakeStack, LocalStackSize)
// else // else
// <This is not a fake stack; unpoison the redzones> // <This is not a fake stack; unpoison the redzones>
Value *Cmp = Value *Cmp =
IRBRet.CreateICmpNE(FakeStack, Constant::getNullValue(IntptrTy)); IRBRet.CreateICmpNE(FakeStack, Constant::getNullValue(IntptrTy));
Instruction *ThenTerm, *ElseTerm; Instruction *ThenTerm, *ElseTerm;
SplitBlockAndInsertIfThenElse(Cmp, Ret, &ThenTerm, &ElseTerm); SplitBlockAndInsertIfThenElse(Cmp, Adjusted, &ThenTerm, &ElseTerm);
IRBuilder<> IRBPoison(ThenTerm); IRBuilder<> IRBPoison(ThenTerm);
if (StackMallocIdx <= 4) { if (StackMallocIdx <= 4) {
int ClassSize = kMinStackMallocSize << StackMallocIdx; int ClassSize = kMinStackMallocSize << StackMallocIdx;
ShadowAfterReturn.resize(ClassSize / L.Granularity, ShadowAfterReturn.resize(ClassSize / L.Granularity,
kAsanStackUseAfterReturnMagic); kAsanStackUseAfterReturnMagic);
copyToShadow(ShadowAfterReturn, ShadowAfterReturn, IRBPoison, copyToShadow(ShadowAfterReturn, ShadowAfterReturn, IRBPoison,
ShadowBase); ShadowBase);
▲ Show 20 LinesShow All 122 LinesShow Last 20 Lines

llvm/test/Instrumentation/AddressSanitizer/musttail.ll

  • This file was added.
; To test that asan does not break the musttail call contract.
;
; RUN: opt < %s -asan -asan-module -S -enable-new-pm=0 | FileCheck %s
; RUN: opt < %s -passes='asan-pipeline' -S | FileCheck %s
define internal i32 @foo(i32* %p) sanitize_address {
%rv = load i32, i32* %p
ret i32 %rv
}
declare void @alloca_test_use([10 x i8]*)
define i32 @call_foo(i32* %a) sanitize_address {
%x = alloca [10 x i8], align 1
call void @alloca_test_use([10 x i8]* %x)
%r = musttail call i32 @foo(i32* %a)
ret i32 %r
}
; CHECK-LABEL: define i32 @call_foo(i32* %a)
; CHECK: %r = musttail call i32 @foo(i32* %a)
; CHECK-NEXT: ret i32 %r
define i32 @call_foo_cast(i32* %a) sanitize_address {
%x = alloca [10 x i8], align 1
call void @alloca_test_use([10 x i8]* %x)
%r = musttail call i32 @foo(i32* %a)
%t = bitcast i32 %r to i32
ret i32 %t
}
; CHECK-LABEL: define i32 @call_foo_cast(i32* %a)
; CHECK: %r = musttail call i32 @foo(i32* %a)
; CHECK-NEXT: %t = bitcast i32 %r to i32
; CHECK-NEXT: ret i32 %t