This is an archive of the discontinued LLVM Phabricator instance.

Differential D97065

[dfsan] Add origin address calculation
ClosedPublic

Authored by stephan.yichao.zhao on Feb 19 2021, 9:51 AM.

Details

Reviewers
morehouse
Commits
rGcb1f1aab9040: [dfsan] Add origin address calculation
Summary

This is a part of https://reviews.llvm.org/D95835.

Diff Detail

Event Timeline

stephan.yichao.zhao created this revision.Feb 19 2021, 9:51 AM
Herald added a subscriber: hiraditya. · View Herald TranscriptFeb 19 2021, 9:51 AM
stephan.yichao.zhao requested review of this revision.Feb 19 2021, 9:51 AM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 19 2021, 9:51 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
morehouse added inline comments.Feb 19 2021, 10:18 AM
llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp
1554

We can avoid this AND operation entirely by including it in the shadow mask.

Harbormaster completed remote builds in B89941: Diff 325020.Feb 19 2021, 10:30 AM
stephan.yichao.zhao added inline comments.Feb 19 2021, 11:04 AM
llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp
1554

Yeah. ~0x700...0003 works. It seems that the problem is we wanted to get both shadow and origin addresses. So

  1. with the current approach,

offset = addr & ~0x700...00
shadow = offset x 2
origin = offset + origin_base
// When align is < 4, we may need one more origin & 4

  1. if we use ~0x700...03

offset_s = addr & ~0x700...00
shadow = offset_s x 2
offset_o = addr & ~0x700...03
origin = offset_o + origin_base

So the case 1 actually uses 1 less IR instruction in most cases.

morehouse accepted this revision.Feb 19 2021, 1:04 PM

LGTM

This revision is now accepted and ready to land.Feb 19 2021, 1:04 PM
This revision was landed with ongoing or failed builds.Feb 19 2021, 1:31 PM
Closed by commit rGcb1f1aab9040: [dfsan] Add origin address calculation (authored by Jianzhou Zhao <jianzhouzh@google.com>). · Explain Why
This revision was automatically updated to reflect the committed changes.
Jianzhou Zhao <jianzhouzh@google.com> added a commit: rGcb1f1aab9040: [dfsan] Add origin address calculation.

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
56 lines

Diff 325081

llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp

Show All 20 Lines
/// hold the label. On Linux/x86_64, memory is laid out as follows: /// hold the label. On Linux/x86_64, memory is laid out as follows:
/// ///
/// +--------------------+ 0x800000000000 (top of memory) /// +--------------------+ 0x800000000000 (top of memory)
/// | application memory | /// | application memory |
/// +--------------------+ 0x700000008000 (kAppAddr) /// +--------------------+ 0x700000008000 (kAppAddr)
/// | | /// | |
/// | unused | /// | unused |
/// | | /// | |
/// +--------------------+ 0x200200000000 (kUnusedAddr) /// +--------------------+ 0x300200000000 (kUnusedAddr)
/// | union table | /// | union table |
/// +--------------------+ 0x200000000000 (kUnionTableAddr) /// +--------------------+ 0x300000000000 (kUnionTableAddr)
/// | origin |
/// +--------------------+ 0x200000008000 (kOriginAddr)
/// | shadow memory | /// | shadow memory |
/// +--------------------+ 0x000000010000 (kShadowAddr) /// +--------------------+ 0x000000010000 (kShadowAddr)
/// | reserved by kernel | /// | reserved by kernel |
/// +--------------------+ 0x000000000000 /// +--------------------+ 0x000000000000
/// ///
/// To derive a shadow memory address from an application memory address, /// To derive a shadow memory address from an application memory address,
/// bits 44-46 are cleared to bring the address into the range /// bits 44-46 are cleared to bring the address into the range
/// [0x000000008000,0x100000000000). Then the address is shifted left by 1 to /// [0x000000008000,0x100000000000). Then the address is shifted left by 1 to
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Lines
#include <utility> #include <utility>
#include <vector> #include <vector>
using namespace llvm; using namespace llvm;
// This must be consistent with ShadowWidthBits. // This must be consistent with ShadowWidthBits.
static const Align kShadowTLSAlignment = Align(2); static const Align kShadowTLSAlignment = Align(2);
static const Align kMinOriginAlignment = Align(4);
// The size of TLS variables. These constants must be kept in sync with the ones // The size of TLS variables. These constants must be kept in sync with the ones
// in dfsan.cpp. // in dfsan.cpp.
static const unsigned kArgTLSSize = 800; static const unsigned kArgTLSSize = 800;
static const unsigned kRetvalTLSSize = 800; static const unsigned kRetvalTLSSize = 800;
// External symbol to be used when generating the shadow address for // External symbol to be used when generating the shadow address for
// architectures with multiple VMAs. Instead of using a constant integer // architectures with multiple VMAs. Instead of using a constant integer
// the runtime will set the external mask based on the VMA range. // the runtime will set the external mask based on the VMA range.
▲ Show 20 LinesShow All 252 Lines▼ Show 20 Lines enum WrapperKind {
WK_Custom WK_Custom
}; };
Module *Mod; Module *Mod;
LLVMContext *Ctx; LLVMContext *Ctx;
Type *Int8Ptr; Type *Int8Ptr;
IntegerType *OriginTy; IntegerType *OriginTy;
PointerType *OriginPtrTy; PointerType *OriginPtrTy;
ConstantInt *OriginBase;
/// The shadow type for all primitive types and vector types. /// The shadow type for all primitive types and vector types.
IntegerType *PrimitiveShadowTy; IntegerType *PrimitiveShadowTy;
PointerType *PrimitiveShadowPtrTy; PointerType *PrimitiveShadowPtrTy;
IntegerType *IntptrTy; IntegerType *IntptrTy;
ConstantInt *ZeroPrimitiveShadow; ConstantInt *ZeroPrimitiveShadow;
ConstantInt *ShadowPtrMask; ConstantInt *ShadowPtrMask;
ConstantInt *ShadowPtrMul; ConstantInt *ShadowPtrMul;
Constant *ArgTLS; Constant *ArgTLS;
Show All 33 Linesclass DataFlowSanitizer {
FunctionCallee DFSanMaybeStoreOriginFn; FunctionCallee DFSanMaybeStoreOriginFn;
SmallPtrSet<Value *, 16> DFSanRuntimeFunctions; SmallPtrSet<Value *, 16> DFSanRuntimeFunctions;
MDNode *ColdCallWeights; MDNode *ColdCallWeights;
DFSanABIList ABIList; DFSanABIList ABIList;
DenseMap<Value *, Function *> UnwrappedFnMap; DenseMap<Value *, Function *> UnwrappedFnMap;
AttrBuilder ReadOnlyNoneAttrs; AttrBuilder ReadOnlyNoneAttrs;
bool DFSanRuntimeShadowMask = false; bool DFSanRuntimeShadowMask = false;
Value *getShadowOffset(Value *Addr, IRBuilder<> &IRB);
Value *getShadowAddress(Value *Addr, Instruction *Pos); Value *getShadowAddress(Value *Addr, Instruction *Pos);
std::pair<Value *, Value *>
getShadowOriginAddress(Value *Addr, Align InstAlignment, Instruction *Pos);
bool isInstrumented(const Function *F); bool isInstrumented(const Function *F);
bool isInstrumented(const GlobalAlias *GA); bool isInstrumented(const GlobalAlias *GA);
FunctionType *getArgsFunctionType(FunctionType *T); FunctionType *getArgsFunctionType(FunctionType *T);
FunctionType *getTrampolineFunctionType(FunctionType *T); FunctionType *getTrampolineFunctionType(FunctionType *T);
TransformedFunction getCustomFunctionType(FunctionType *T); TransformedFunction getCustomFunctionType(FunctionType *T);
InstrumentedABI getInstrumentedABI(); InstrumentedABI getInstrumentedABI();
WrapperKind getWrapperKind(Function *F); WrapperKind getWrapperKind(Function *F);
void addGlobalNamePrefix(GlobalValue *GV); void addGlobalNamePrefix(GlobalValue *GV);
▲ Show 20 LinesShow All 425 Lines▼ Show 20 Linesbool DataFlowSanitizer::init(Module &M) {
Int8Ptr = Type::getInt8PtrTy(*Ctx); Int8Ptr = Type::getInt8PtrTy(*Ctx);
OriginTy = IntegerType::get(*Ctx, OriginWidthBits); OriginTy = IntegerType::get(*Ctx, OriginWidthBits);
OriginPtrTy = PointerType::getUnqual(OriginTy); OriginPtrTy = PointerType::getUnqual(OriginTy);
PrimitiveShadowTy = IntegerType::get(*Ctx, ShadowWidthBits); PrimitiveShadowTy = IntegerType::get(*Ctx, ShadowWidthBits);
PrimitiveShadowPtrTy = PointerType::getUnqual(PrimitiveShadowTy); PrimitiveShadowPtrTy = PointerType::getUnqual(PrimitiveShadowTy);
IntptrTy = DL.getIntPtrType(*Ctx); IntptrTy = DL.getIntPtrType(*Ctx);
ZeroPrimitiveShadow = ConstantInt::getSigned(PrimitiveShadowTy, 0); ZeroPrimitiveShadow = ConstantInt::getSigned(PrimitiveShadowTy, 0);
ShadowPtrMul = ConstantInt::getSigned(IntptrTy, ShadowWidthBytes); ShadowPtrMul = ConstantInt::getSigned(IntptrTy, ShadowWidthBytes);
OriginBase = ConstantInt::get(IntptrTy, 0x200000000000LL);
if (IsX86_64) if (IsX86_64)
ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0x700000000000LL); ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0x700000000000LL);
else if (IsMIPS64) else if (IsMIPS64)
ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0xF000000000LL); ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0xF000000000LL);
// AArch64 supports multiple VMAs and the shadow mask is set at runtime. // AArch64 supports multiple VMAs and the shadow mask is set at runtime.
else if (IsAArch64) else if (IsAArch64)
DFSanRuntimeShadowMask = true; DFSanRuntimeShadowMask = true;
else else
▲ Show 20 LinesShow All 629 Lines▼ Show 20 Lines
void DFSanFunction::setShadow(Instruction *I, Value *Shadow) { void DFSanFunction::setShadow(Instruction *I, Value *Shadow) {
assert(!ValShadowMap.count(I)); assert(!ValShadowMap.count(I));
assert(DFS.shouldTrackFieldsAndIndices() || assert(DFS.shouldTrackFieldsAndIndices() ||
Shadow->getType() == DFS.PrimitiveShadowTy); Shadow->getType() == DFS.PrimitiveShadowTy);
ValShadowMap[I] = Shadow; ValShadowMap[I] = Shadow;
} }
Value *DataFlowSanitizer::getShadowAddress(Value *Addr, Instruction *Pos) { Value *DataFlowSanitizer::getShadowOffset(Value *Addr, IRBuilder<> &IRB) {
// Returns Addr & shadow_mask
assert(Addr != RetvalTLS && "Reinstrumenting?"); assert(Addr != RetvalTLS && "Reinstrumenting?");
IRBuilder<> IRB(Pos);
Value *ShadowPtrMaskValue; Value *ShadowPtrMaskValue;
if (DFSanRuntimeShadowMask) if (DFSanRuntimeShadowMask)
ShadowPtrMaskValue = IRB.CreateLoad(IntptrTy, ExternalShadowMask); ShadowPtrMaskValue = IRB.CreateLoad(IntptrTy, ExternalShadowMask);
else else
ShadowPtrMaskValue = ShadowPtrMask; ShadowPtrMaskValue = ShadowPtrMask;
return IRB.CreateIntToPtr( return IRB.CreateAnd(IRB.CreatePtrToInt(Addr, IntptrTy),
IRB.CreateMul( IRB.CreatePtrToInt(ShadowPtrMaskValue, IntptrTy));
IRB.CreateAnd(IRB.CreatePtrToInt(Addr, IntptrTy), }
IRB.CreatePtrToInt(ShadowPtrMaskValue, IntptrTy)),
ShadowPtrMul), std::pair<Value *, Value *>
DataFlowSanitizer::getShadowOriginAddress(Value *Addr, Align InstAlignment,
Instruction *Pos) {
// Returns ((Addr & shadow_mask) + origin_base) & ~4UL
IRBuilder<> IRB(Pos);
Value *ShadowOffset = getShadowOffset(Addr, IRB);
Value *ShadowPtr = IRB.CreateIntToPtr(
IRB.CreateMul(ShadowOffset, ShadowPtrMul), PrimitiveShadowPtrTy);
Value *OriginPtr = nullptr;
if (shouldTrackOrigins()) {
Value *OriginLong = IRB.CreateAdd(ShadowOffset, OriginBase);
const Align Alignment = llvm::assumeAligned(InstAlignment.value());
// When alignment is >= 4, Addr must be aligned to 4, otherwise it is UB.
// So Mask is unnecessary.
if (Alignment < kMinOriginAlignment) {
uint64_t Mask = kMinOriginAlignment.value() - 1;
OriginLong = IRB.CreateAnd(OriginLong, ConstantInt::get(IntptrTy, ~Mask));
}
morehouseUnsubmitted
Not Done
ReplyInline Actions

We can avoid this AND operation entirely by including it in the shadow mask.

morehouse: We can avoid this AND operation entirely by including it in the shadow mask.
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

Yeah. ~0x700...0003 works. It seems that the problem is we wanted to get both shadow and origin addresses. So

  1. with the current approach,

offset = addr & ~0x700...00
shadow = offset x 2
origin = offset + origin_base
// When align is < 4, we may need one more origin & 4

  1. if we use ~0x700...03

offset_s = addr & ~0x700...00
shadow = offset_s x 2
offset_o = addr & ~0x700...03
origin = offset_o + origin_base

So the case 1 actually uses 1 less IR instruction in most cases.

stephan.yichao.zhao: Yeah. ~0x700...0003 works. It seems that the problem is we wanted to get both shadow and origin…
OriginPtr = IRB.CreateIntToPtr(OriginLong, OriginPtrTy);
}
return {ShadowPtr, OriginPtr};
}
Value *DataFlowSanitizer::getShadowAddress(Value *Addr, Instruction *Pos) {
// Returns (Addr & shadow_mask) x 2
IRBuilder<> IRB(Pos);
Value *ShadowOffset = getShadowOffset(Addr, IRB);
return IRB.CreateIntToPtr(IRB.CreateMul(ShadowOffset, ShadowPtrMul),
PrimitiveShadowPtrTy); PrimitiveShadowPtrTy);
} }
Value *DFSanFunction::combineShadowsThenConvert(Type *T, Value *V1, Value *V2, Value *DFSanFunction::combineShadowsThenConvert(Type *T, Value *V1, Value *V2,
Instruction *Pos) { Instruction *Pos) {
Value *PrimitiveValue = combineShadows(V1, V2, Pos); Value *PrimitiveValue = combineShadows(V1, V2, Pos);
return expandFromPrimitiveShadow(T, PrimitiveValue, Pos); return expandFromPrimitiveShadow(T, PrimitiveValue, Pos);
} }
▲ Show 20 LinesShow All 859 LinesShow Last 20 Lines