This is an archive of the discontinued LLVM Phabricator instance.

Differential D89191

[ASAN] Make sure we are only processing lifetime markers with offset 0 to alloca
ClosedPublic

Authored by lxfind on Oct 10 2020, 9:15 AM.

Details

Reviewers
vitalybuka
eugenis
Commits
rG0ccf9263cceb: [ASAN] Make sure we are only processing lifetime markers with offset 0 to alloca
Summary

This patch addresses https://bugs.llvm.org/show_bug.cgi?id=47787 (and hence https://bugs.llvm.org/show_bug.cgi?id=47767 as well).
In latter instrumentation code, we always use the beginning of the alloca as the base for instrumentation, ignoring any offset into the alloca.
Because of that, we should only instrument a lifetime marker if it's actually pointing to the beginning of the alloca.

Diff Detail

Unit TestsFailed

TimeTest
1,130 mslinux > libarcher.parallel::parallel-nosuppression.c

Event Timeline

lxfind created this revision.Oct 10 2020, 9:15 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 10 2020, 9:15 AM
Herald added subscribers: llvm-commits, modimo, hiraditya. · View Herald Transcript
lxfind requested review of this revision.Oct 10 2020, 9:15 AM
Harbormaster completed remote builds in B74702: Diff 297416.Oct 10 2020, 10:47 AM
vitalybuka accepted this revision.Oct 12 2020, 3:16 AM
vitalybuka added inline comments.
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1083

Similar problem is if the size of lifetime is smaller then alloca.
Would you like to handle that case, here or in the another patch?

llvm/test/Instrumentation/AddressSanitizer/alloca-offset-lifetime.ll
1

Would you like to try to use llvm/utils/update_test_checks.py

This revision is now accepted and ready to land.Oct 12 2020, 3:16 AM
lxfind added inline comments.Oct 12 2020, 9:51 AM
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1083

Is that a problem though? A lifetime marker should always be accurate, that is, if the marker indicates that only part of the region is alive, it should be ok to just mark that region alive?

lxfind added inline comments.Oct 13 2020, 10:20 AM
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1083

I will land this as it is for now. But please do let me know your thoughts on what we want to do when the size doesn't match.

This revision was landed with ongoing or failed builds.Oct 13 2020, 10:22 AM
Closed by commit rG0ccf9263cceb: [ASAN] Make sure we are only processing lifetime markers with offset 0 to alloca (authored by lxfind). · Explain Why
This revision was automatically updated to reflect the committed changes.
lxfind added a commit: rG0ccf9263cceb: [ASAN] Make sure we are only processing lifetime markers with offset 0 to alloca.
vitalybuka added inline comments.Oct 13 2020, 11:01 PM
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1083

if marker can point with offset, skipping the beginning of the alloca, then I assume sooner or later something may generate code which will set size smaller then alloca, skipping the tail of it.

vitalybuka added inline comments.Oct 13 2020, 11:16 PM
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1089–1091
lxfind added inline comments.Oct 13 2020, 11:18 PM
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1083

Not sure if I follow, but my point is if the lifetime points to the beginning of the alloca, the generated instrumentation code will always be correct, and hence it's fine even the size may be smaller than the alloca size.

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
4 lines
test/
Instrumentation/
AddressSanitizer/
28 lines

Diff 297416

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 1,072 Lines▼ Show 20 Lines void visitIntrinsicInst(IntrinsicInst &II) {
if (Size->isMinusOne()) return; if (Size->isMinusOne()) return;
// Check that size doesn't saturate uint64_t and can // Check that size doesn't saturate uint64_t and can
// be stored in IntptrTy. // be stored in IntptrTy.
const uint64_t SizeValue = Size->getValue().getLimitedValue(); const uint64_t SizeValue = Size->getValue().getLimitedValue();
if (SizeValue == ~0ULL || if (SizeValue == ~0ULL ||
!ConstantInt::isValueValidForType(IntptrTy, SizeValue)) !ConstantInt::isValueValidForType(IntptrTy, SizeValue))
return; return;
// Find alloca instruction that corresponds to llvm.lifetime argument. // Find alloca instruction that corresponds to llvm.lifetime argument.
AllocaInst *AI = findAllocaForValue(II.getArgOperand(1)); // Currently we can only handle lifetime markers pointing to the
// beginning of the alloca.
AllocaInst *AI = findAllocaForValue(II.getArgOperand(1), true);
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Similar problem is if the size of lifetime is smaller then alloca.
Would you like to handle that case, here or in the another patch?

vitalybuka: Similar problem is if the size of lifetime is smaller then alloca. Would you like to handle…
lxfindAuthorUnsubmitted
Done
ReplyInline Actions

Is that a problem though? A lifetime marker should always be accurate, that is, if the marker indicates that only part of the region is alive, it should be ok to just mark that region alive?

lxfind: Is that a problem though? A lifetime marker should always be accurate, that is, if the marker…
lxfindAuthorUnsubmitted
Done
ReplyInline Actions

I will land this as it is for now. But please do let me know your thoughts on what we want to do when the size doesn't match.

lxfind: I will land this as it is for now. But please do let me know your thoughts on what we want to…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

if marker can point with offset, skipping the beginning of the alloca, then I assume sooner or later something may generate code which will set size smaller then alloca, skipping the tail of it.

vitalybuka: if marker can point with offset, skipping the beginning of the alloca, then I assume sooner or…
lxfindAuthorUnsubmitted
Done
ReplyInline Actions

Not sure if I follow, but my point is if the lifetime points to the beginning of the alloca, the generated instrumentation code will always be correct, and hence it's fine even the size may be smaller than the alloca size.

lxfind: Not sure if I follow, but my point is if the lifetime points to the beginning of the alloca…
if (!AI) { if (!AI) {
HasUntracedLifetimeIntrinsic = true; HasUntracedLifetimeIntrinsic = true;
return; return;
} }
// We're interested only in allocas we can handle. // We're interested only in allocas we can handle.
if (!ASan.isInterestingAlloca(*AI)) if (!ASan.isInterestingAlloca(*AI))
return; return;
bool DoPoison = (ID == Intrinsic::lifetime_end); bool DoPoison = (ID == Intrinsic::lifetime_end);
vitalybukaUnsubmitted
Not Done
ReplyInline Actions
// We're interested only in allocas we can handle.
if (!ASan.isInterestingAlloca(*AI))
return;
+ if (SizeValue < getAllocaSize(AI))) {
+ HasUntracedLifetimeIntrinsic = true;
+ return;
+ }
bool DoPoison = (ID == Intrinsic::lifetime_end);
AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison};
vitalybuka:
AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison}; AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison};
if (AI->isStaticAlloca()) if (AI->isStaticAlloca())
StaticAllocaPoisonCallVec.push_back(APC); StaticAllocaPoisonCallVec.push_back(APC);
else if (ClInstrumentDynamicAllocas) else if (ClInstrumentDynamicAllocas)
DynamicAllocaPoisonCallVec.push_back(APC); DynamicAllocaPoisonCallVec.push_back(APC);
} }
void visitCallBase(CallBase &CB) { void visitCallBase(CallBase &CB) {
▲ Show 20 LinesShow All 2,374 LinesShow Last 20 Lines

llvm/test/Instrumentation/AddressSanitizer/alloca-offset-lifetime.ll

  • This file was added.
; Test that ASAN will not instrument lifetime markers on alloca offsets.
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Would you like to try to use llvm/utils/update_test_checks.py

vitalybuka: Would you like to try to use llvm/utils/update_test_checks.py
;
; RUN: opt < %s --asan --asan-use-after-scope -S | FileCheck %s
target datalayout = "e-m:o-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-apple-macosx10.15.0"
%t = type { void (%t*)*, void (%t*)*, %sub, i64 }
%sub = type { i32 }
define void @foo() sanitize_address {
entry:
%0 = alloca %t, align 8
%x = getelementptr inbounds %t, %t* %0, i64 0, i32 2
%1 = bitcast %sub* %x to i8*
call void @llvm.lifetime.start.p0i8(i64 4, i8* nonnull %1)
call void @bar(%sub* nonnull %x)
call void @llvm.lifetime.end.p0i8(i64 4, i8* nonnull %1) #3
ret void
}
declare void @llvm.lifetime.start.p0i8(i64 immarg, i8* nocapture)
declare void @bar(%sub*)
declare void @llvm.lifetime.end.p0i8(i64 immarg, i8* nocapture)
; CHECK: store i64 %[[STACK_BASE:.+]], i64* %asan_local_stack_base, align 8
; CHECK-NOT: store i8 0
; CHECK: call void @bar(%sub* nonnull %x)