This is an archive of the discontinued LLVM Phabricator instance.

Differential D91234

[dfsan] Add a flag to control whether to propagate labels from condition values to results
ClosedPublic

Authored by stephan.yichao.zhao on Nov 10 2020, 10:14 PM.

Details

Reviewers
morehouse
Commits
rG0dd87825db2e: Add a flag to control whether to propagate labels from condition values to…
Summary

Before the change, DFSan always does the propagation. W/o
origin tracking, it is harder to understand such flows. After
the change, the flag is off by default.

Diff Detail

Event Timeline

stephan.yichao.zhao created this revision.Nov 10 2020, 10:14 PM
Herald added a project: Restricted Project. · View Herald TranscriptNov 10 2020, 10:14 PM
Herald added subscribers: llvm-commits, hiraditya. · View Herald Transcript
stephan.yichao.zhao requested review of this revision.Nov 10 2020, 10:14 PM
Harbormaster completed remote builds in B78409: Diff 304401.Nov 10 2020, 10:52 PM
morehouse added inline comments.Nov 11 2020, 7:23 AM
llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp
191

It only applies to selects, so maybe we should name it something like dfsan-track-select-control-flow. and update the description/comment.

193

This changes the default behavior. Does it cause any existing tests to fail?

Maybe we should default it to true.

llvm/test/Instrumentation/DataFlowSanitizer/select.ll
51

I think this tests the same case as select8. If we want to test the vector one, we need %c to be a vector.

lebedev.ri retitled this revision from Add a flag to control whether to propagate labels from condition values to results to [dfsan] Add a flag to control whether to propagate labels from condition values to results.Nov 11 2020, 7:27 AM
stephan.yichao.zhao updated this revision to Diff 304585.Nov 11 2020, 10:51 AM

addressed comments

stephan.yichao.zhao updated this revision to Diff 304596.Nov 11 2020, 11:16 AM

update

stephan.yichao.zhao marked 3 inline comments as done.Nov 11 2020, 11:17 AM
morehouse accepted this revision.Nov 11 2020, 11:36 AM

LGTM

This revision is now accepted and ready to land.Nov 11 2020, 11:36 AM
Harbormaster completed remote builds in B78497: Diff 304585.Nov 11 2020, 12:18 PM
This revision was landed with ongoing or failed builds.Nov 11 2020, 12:42 PM
Closed by commit rG0dd87825db2e: Add a flag to control whether to propagate labels from condition values to… (authored by Jianzhou Zhao <jianzhouzh@google.com>). · Explain Why
This revision was automatically updated to reflect the committed changes.
Jianzhou Zhao <jianzhouzh@google.com> added a commit: rG0dd87825db2e: Add a flag to control whether to propagate labels from condition values to….
Harbormaster completed remote builds in B78503: Diff 304596.Nov 11 2020, 12:48 PM

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
18 lines
test/
Instrumentation/
DataFlowSanitizer/
76 lines

Diff 304624

llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp

Show First 20 LinesShow All 180 Lines▼ Show 20 Lines
// Use a distinct bit for each base label, enabling faster unions with less // Use a distinct bit for each base label, enabling faster unions with less
// instrumentation. Limits the max number of base labels to 16. // instrumentation. Limits the max number of base labels to 16.
static cl::opt<bool> ClFast16Labels( static cl::opt<bool> ClFast16Labels(
"dfsan-fast-16-labels", "dfsan-fast-16-labels",
cl::desc("Use more efficient instrumentation, limiting the number of " cl::desc("Use more efficient instrumentation, limiting the number of "
"labels to 16."), "labels to 16."),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
// Controls whether the pass tracks the control flow of select instructions.
static cl::opt<bool> ClTrackSelectControlFlow(
"dfsan-track-select-control-flow",
morehouseUnsubmitted
Done
ReplyInline Actions

It only applies to selects, so maybe we should name it something like dfsan-track-select-control-flow. and update the description/comment.

morehouse: It only applies to selects, so maybe we should name it something like `dfsan-track-select…
cl::desc("Propagate labels from condition values of select instructions "
"to results."),
morehouseUnsubmitted
Done
ReplyInline Actions

This changes the default behavior. Does it cause any existing tests to fail?

Maybe we should default it to true.

morehouse: This changes the default behavior. Does it cause any existing tests to fail? Maybe we should…
cl::Hidden, cl::init(true));
static StringRef GetGlobalTypeString(const GlobalValue &G) { static StringRef GetGlobalTypeString(const GlobalValue &G) {
// Types of GlobalVariables are always pointer types. // Types of GlobalVariables are always pointer types.
Type *GType = G.getValueType(); Type *GType = G.getValueType();
// For now we support excluding struct types only. // For now we support excluding struct types only.
if (StructType *SGType = dyn_cast<StructType>(GType)) { if (StructType *SGType = dyn_cast<StructType>(GType)) {
if (!SGType->isLiteral()) if (!SGType->isLiteral())
return SGType->getName(); return SGType->getName();
} }
▲ Show 20 LinesShow All 1,339 Lines▼ Show 20 Linesvoid DFSanVisitor::visitAllocaInst(AllocaInst &I) {
} }
DFSF.setShadow(&I, DFSF.DFS.ZeroShadow); DFSF.setShadow(&I, DFSF.DFS.ZeroShadow);
} }
void DFSanVisitor::visitSelectInst(SelectInst &I) { void DFSanVisitor::visitSelectInst(SelectInst &I) {
Value *CondShadow = DFSF.getShadow(I.getCondition()); Value *CondShadow = DFSF.getShadow(I.getCondition());
Value *TrueShadow = DFSF.getShadow(I.getTrueValue()); Value *TrueShadow = DFSF.getShadow(I.getTrueValue());
Value *FalseShadow = DFSF.getShadow(I.getFalseValue()); Value *FalseShadow = DFSF.getShadow(I.getFalseValue());
Value *ShadowSel = nullptr;
if (isa<VectorType>(I.getCondition()->getType())) { if (isa<VectorType>(I.getCondition()->getType())) {
DFSF.setShadow( ShadowSel = DFSF.combineShadows(TrueShadow, FalseShadow, &I);
&I,
DFSF.combineShadows(
CondShadow, DFSF.combineShadows(TrueShadow, FalseShadow, &I), &I));
} else { } else {
Value *ShadowSel;
if (TrueShadow == FalseShadow) { if (TrueShadow == FalseShadow) {
ShadowSel = TrueShadow; ShadowSel = TrueShadow;
} else { } else {
ShadowSel = ShadowSel =
SelectInst::Create(I.getCondition(), TrueShadow, FalseShadow, "", &I); SelectInst::Create(I.getCondition(), TrueShadow, FalseShadow, "", &I);
} }
DFSF.setShadow(&I, DFSF.combineShadows(CondShadow, ShadowSel, &I));
} }
DFSF.setShadow(&I, ClTrackSelectControlFlow
? DFSF.combineShadows(CondShadow, ShadowSel, &I)
: ShadowSel);
} }
void DFSanVisitor::visitMemSetInst(MemSetInst &I) { void DFSanVisitor::visitMemSetInst(MemSetInst &I) {
IRBuilder<> IRB(&I); IRBuilder<> IRB(&I);
Value *ValShadow = DFSF.getShadow(I.getValue()); Value *ValShadow = DFSF.getShadow(I.getValue());
IRB.CreateCall(DFSF.DFS.DFSanSetLabelFn, IRB.CreateCall(DFSF.DFS.DFSanSetLabelFn,
{ValShadow, IRB.CreateBitCast(I.getDest(), Type::getInt8PtrTy( {ValShadow, IRB.CreateBitCast(I.getDest(), Type::getInt8PtrTy(
*DFSF.DFS.Ctx)), *DFSF.DFS.Ctx)),
▲ Show 20 LinesShow All 329 LinesShow Last 20 Lines

llvm/test/Instrumentation/DataFlowSanitizer/select.ll

  • This file was added.
; RUN: opt < %s -dfsan -dfsan-track-select-control-flow=1 -S | FileCheck %s --check-prefix=TRACK_CONTROL_FLOW
; RUN: opt < %s -dfsan -dfsan-track-select-control-flow=0 -S | FileCheck %s --check-prefix=NO_TRACK_CONTROL_FLOW
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
define i8 @select8(i1 %c, i8 %t, i8 %f) {
; TRACK_CONTROL_FLOW: %1 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 2)
; TRACK_CONTROL_FLOW: %2 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 1)
; TRACK_CONTROL_FLOW: %3 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 0)
; TRACK_CONTROL_FLOW: %4 = select i1 %c, i16 %2, i16 %1
; TRACK_CONTROL_FLOW: %5 = icmp ne i16 %3, %4
; TRACK_CONTROL_FLOW: %7 = call {{.*}} i16 @__dfsan_union(i16 {{.*}} %3, i16 {{.*}} %4)
; TRACK_CONTROL_FLOW: %9 = phi i16 [ %7, {{.*}} ], [ %3, {{.*}} ]
; TRACK_CONTROL_FLOW: %a = select i1 %c, i8 %t, i8 %f
; TRACK_CONTROL_FLOW: store i16 %9, i16* @__dfsan_retval_tls
; TRACK_CONTROL_FLOW: ret i8 %a
; NO_TRACK_CONTROL_FLOW: %1 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 2)
; NO_TRACK_CONTROL_FLOW: %2 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 1)
; NO_TRACK_CONTROL_FLOW: %3 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 0)
; NO_TRACK_CONTROL_FLOW: %4 = select i1 %c, i16 %2, i16 %1
; NO_TRACK_CONTROL_FLOW: %a = select i1 %c, i8 %t, i8 %f
; NO_TRACK_CONTROL_FLOW: store i16 %4, i16* @__dfsan_retval_tls
; NO_TRACK_CONTROL_FLOW: ret i8 %a
%a = select i1 %c, i8 %t, i8 %f
ret i8 %a
}
define i8 @select8e(i1 %c, i8 %tf) {
; TRACK_CONTROL_FLOW: %1 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 1)
; TRACK_CONTROL_FLOW: %2 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 0)
; TRACK_CONTROL_FLOW: %3 = icmp ne i16 %2, %1
; TRACK_CONTROL_FLOW: %5 = call {{.*}} i16 @__dfsan_union(i16 {{.*}} %2, i16 {{.*}} %1)
; TRACK_CONTROL_FLOW: %7 = phi i16 [ %5, {{.*}} ], [ %2, {{.*}} ]
; TRACK_CONTROL_FLOW: %a = select i1 %c, i8 %tf, i8 %tf
; TRACK_CONTROL_FLOW: store i16 %7, i16* @__dfsan_retval_tls
; TRACK_CONTROL_FLOW: ret i8 %a
; NO_TRACK_CONTROL_FLOW: %1 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 1)
; NO_TRACK_CONTROL_FLOW: %2 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 0)
; NO_TRACK_CONTROL_FLOW: %a = select i1 %c, i8 %tf, i8 %tf
; NO_TRACK_CONTROL_FLOW: store i16 %1, i16* @__dfsan_retval_tls
; NO_TRACK_CONTROL_FLOW: ret i8 %a
%a = select i1 %c, i8 %tf, i8 %tf
ret i8 %a
}
define <4 x i8> @select8v(<4 x i1> %c, <4 x i8> %t, <4 x i8> %f) {
; TRACK_CONTROL_FLOW: %1 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 2)
morehouseUnsubmitted
Done
ReplyInline Actions

I think this tests the same case as select8. If we want to test the vector one, we need %c to be a vector.

morehouse: I think this tests the same case as `select8`. If we want to test the vector one, we need `%c`…
; TRACK_CONTROL_FLOW: %2 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 1)
; TRACK_CONTROL_FLOW: %3 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 0)
; TRACK_CONTROL_FLOW: %4 = icmp ne i16 %2, %1
; TRACK_CONTROL_FLOW: %6 = call {{.*}} i16 @__dfsan_union(i16 {{.*}} %2, i16 zeroext %1)
; TRACK_CONTROL_FLOW: %8 = phi i16 [ %6, {{.*}} ], [ %2, {{.*}} ]
; TRACK_CONTROL_FLOW: %9 = icmp ne i16 %3, %8
; TRACK_CONTROL_FLOW: %11 = call {{.*}} i16 @__dfsan_union(i16 {{.*}} %3, i16 zeroext %8)
; TRACK_CONTROL_FLOW: %13 = phi i16 [ %11, {{.*}} ], [ %3, {{.*}} ]
; TRACK_CONTROL_FLOW: %a = select <4 x i1> %c, <4 x i8> %t, <4 x i8> %f
; TRACK_CONTROL_FLOW: store i16 %13, i16* @__dfsan_retval_tls
; TRACK_CONTROL_FLOW: ret <4 x i8> %a
; NO_TRACK_CONTROL_FLOW: %1 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 2)
; NO_TRACK_CONTROL_FLOW: %2 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 1)
; NO_TRACK_CONTROL_FLOW: %3 = load i16, i16* getelementptr inbounds ([64 x i16], [64 x i16]* @__dfsan_arg_tls, i64 0, i64 0)
; NO_TRACK_CONTROL_FLOW: %4 = icmp ne i16 %2, %1
; NO_TRACK_CONTROL_FLOW: %6 = call {{.*}} i16 @__dfsan_union(i16 {{.*}} %2, i16 {{.*}} %1)
; NO_TRACK_CONTROL_FLOW: %8 = phi i16 [ %6, {{.*}} ], [ %2, {{.*}} ]
; NO_TRACK_CONTROL_FLOW: %a = select <4 x i1> %c, <4 x i8> %t, <4 x i8> %f
; NO_TRACK_CONTROL_FLOW: store i16 %8, i16* @__dfsan_retval_tls
; NO_TRACK_CONTROL_FLOW: ret <4 x i8> %a
%a = select <4 x i1> %c, <4 x i8> %t, <4 x i8> %f
ret <4 x i8> %a
}
No newline at end of file