[HWASan] do not replace lifetime intrinsics with tagged address.

Quote from the LLVM Language Reference
  If ptr is a stack-allocated object and it points to the first byte of the
  object, the object is initially marked as dead. ptr is conservatively
  considered as a non-stack-allocated object if the stack coloring algorithm
  that is used in the optimization pipeline cannot conclude that ptr is a
  stack-allocated object.

Before this change, the pointer operand of the lifetime intrinsics was replaced with the tagged address along with every other use of the alloca; the stack coloring algorithm could no longer trace that operand back to the alloca, so it conservatively treated the object as non-stack-allocated and never reused its slot.

Reviewed By: eugenis

Differential Revision: https://reviews.llvm.org/D121835
Florian Mayer 2022-03-10 15:17:26 -08:00
parent f5fea45d09
commit 208b923e74
4 changed files with 94 additions and 24 deletions


@ -13,6 +13,7 @@
#include "llvm/Transforms/Instrumentation/HWAddressSanitizer.h"
#include "llvm/ADT/MapVector.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/StringRef.h"
@ -1301,6 +1302,11 @@ bool HWAddressSanitizer::instrumentLandingPads(
return true;
}
static bool isLifetimeIntrinsic(Value *V) {
auto *II = dyn_cast<IntrinsicInst>(V);
return II && II->isLifetimeStartOrEnd();
}
bool HWAddressSanitizer::instrumentStack(
memtag::StackInfo &SInfo, Value *StackTag,
llvm::function_ref<const DominatorTree &()> GetDT,
@ -1326,8 +1332,32 @@ bool HWAddressSanitizer::instrumentStack(
AI->hasName() ? AI->getName().str() : "alloca." + itostr(N);
Replacement->setName(Name + ".hwasan");
AI->replaceUsesWithIf(Replacement,
[AILong](Use &U) { return U.getUser() != AILong; });
size_t Size = memtag::getAllocaSizeInBytes(*AI);
size_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment());
Value *AICast = IRB.CreatePointerCast(AI, Int8PtrTy);
auto HandleLifetime = [&](IntrinsicInst *II) {
// Set the lifetime intrinsic to cover the whole alloca. This reduces the
// set of assumptions we need to make about the lifetime. Without this we
// would need to ensure that we can track the lifetime pointer to a
// constant offset from the alloca, and would still need to change the
// size to include the extra alignment we use for the untagging to make
// the size consistent.
//
// The check for standard lifetime below makes sure that we have exactly
// one set of start / end in any execution (i.e. the ends are not
// reachable from each other), so this will not cause any problems.
II->setArgOperand(0, ConstantInt::get(Int64Ty, AlignedSize));
II->setArgOperand(1, AICast);
};
llvm::for_each(Info.LifetimeStart, HandleLifetime);
llvm::for_each(Info.LifetimeEnd, HandleLifetime);
AI->replaceUsesWithIf(Replacement, [AICast, AILong](Use &U) {
auto *User = U.getUser();
return User != AILong && User != AICast && !isLifetimeIntrinsic(User);
});
for (auto *DDI : Info.DbgVariableIntrinsics) {
// Prepend "tag_offset, N" to the dwarf expression.
@ -1341,8 +1371,6 @@ bool HWAddressSanitizer::instrumentStack(
NewOps, LocNo));
}
size_t Size = memtag::getAllocaSizeInBytes(*AI);
size_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment());
auto TagEnd = [&](Instruction *Node) {
IRB.SetInsertPoint(Node);
Value *UARTag = getUARTag(IRB, StackTag);
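Review bot: The `!isLifetimeIntrinsic(User)` clause in the predicate passed to `AI->replaceUsesWithIf` is load-bearing only when `IRB.CreatePointerCast(AI, Int8PtrTy)` hands back `AI` itself because the alloca is already `i8*`; in every other case `HandleLifetime` has just rewritten the intrinsics to use `AICast`, so they are no longer direct users of `AI` and the `User != AICast` clause alone keeps them off the tagged address. That is subtle enough to deserve a comment on the predicate, e.g. `// Lifetime intrinsics (now on AICast, which is AI itself when no cast was needed) must keep the untagged address so stack coloring can still see the alloca.` Two preconditions are also left implicit: `AICast` is emitted at IRB's current insertion point, which is set outside this hunk and has to dominate every intrinsic in `Info.LifetimeStart`/`Info.LifetimeEnd`, and the rewrite runs unconditionally here, ahead of the "standard lifetime" check its comment refers to, so markers are widened even on allocas that check later rejects. Stating both next to `HandleLifetime` would save the next reader a trip through the rest of `instrumentStack`, whose body starts and ends outside the hunk.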


@ -21,11 +21,13 @@ entry:
%0 = bitcast i32* %x to i8*
call void @llvm.lifetime.start.p0i8(i64 8, i8* %0)
invoke void @mayFail(i32* %x) to label %invoke.cont unwind label %lpad
; CHECK: [[CAST:%.*]] = bitcast { i32, [12 x i8] }* %x to i32*
; CHECK: [[TMP1:%.*]] = bitcast i32* {{.*}}[[CAST]] to i8*
invoke.cont: ; preds = %entry
; CHECK: invoke.cont:
; CHECK: call void @llvm.memset.p0i8.i64(i8* align 1 %31, i8 0, i64 1, i1 false)
; CHECK: call void @llvm.lifetime.end.p0i8(i64 8, i8* %28)
; CHECK: call void @llvm.memset.p0i8.i64(i8* align 1 %{{.*}}, i8 0, i64 1, i1 false)
; CHECK: call void @llvm.lifetime.end.p0i8(i64 16, i8* {{.*}}[[TMP1]])
; CHECK: ret void
%1 = bitcast i32* %x to i8*
@ -34,9 +36,8 @@ invoke.cont: ; preds = %entry
lpad: ; preds = %entry
; CHECK: lpad
; CHECK: %41 = getelementptr i8, i8* %17, i64 %40
; CHECK: call void @llvm.memset.p0i8.i64(i8* align 1 %41, i8 0, i64 1, i1 false)
; CHECK: call void @llvm.lifetime.end.p0i8(i64 8, i8* %38)
; CHECK: call void @llvm.memset.p0i8.i64(i8* align 1 %{{.*}}, i8 0, i64 1, i1 false)
; CHECK: call void @llvm.lifetime.end.p0i8(i64 16, i8* {{.*}}[[TMP1]])
; CHECK: br label %eh.resume
%2 = landingpad { i8*, i32 }
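Review bot: The updated expectations pin `llvm.lifetime.end` to the untagged pointer in both the normal and the landing-pad path but never check `llvm.lifetime.start`, although the input marks `%x` alive at entry with `call void @llvm.lifetime.start.p0i8(i64 8, i8* %0)` and the pass now rewrites both markers; a start that still received the tagged address would pass this test unchanged. Adding `; CHECK: call void @llvm.lifetime.start.p0i8(i64 16, i8* {{.*}}[[TMP1]])` directly after the `[[TMP1]]` capture would close that gap, assuming the rewritten start follows that cast in the output, which is not visible here. The bare `{{.*}}` between `i8*` and `[[TMP1]]` also accepts arbitrary text rather than just the `nonnull` attribute it presumably allows for; `i8* {{(nonnull )?}}[[TMP1]]` says what is meant. The function holding these checks starts and continues outside the hunk.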


@ -0,0 +1,41 @@
; Test that storage for allocas with disjoint lifetimes is reused with
; use-after-scope.
; RUN: opt -S -passes=hwasan %s -hwasan-use-after-scope -o - | \
; RUN: llc -no-stack-coloring=false -o - | \
; RUN: FileCheck %s --check-prefix=COLOR
; RUN: opt -S -passes=hwasan -hwasan-use-after-scope %s -o - | \
; RUN: llc -no-stack-coloring=true -o - | \
; RUN: FileCheck %s --check-prefix=NOCOLOR
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64-unknown-linux-android29"
; COLOR: sub sp, sp, #240
; NOCOLOR: sub sp, sp, #368
define i32 @myCall_w2(i32 %in) sanitize_hwaddress {
entry:
%a = alloca [17 x i8*], align 8
%a2 = alloca [16 x i8*], align 8
%b = bitcast [17 x i8*]* %a to i8*
%b2 = bitcast [16 x i8*]* %a2 to i8*
call void @llvm.lifetime.start.p0i8(i64 136, i8* %b)
%t1 = call i32 @foo(i32 %in, i8* %b)
%t2 = call i32 @foo(i32 %in, i8* %b)
call void @llvm.lifetime.end.p0i8(i64 136, i8* %b)
call void @llvm.lifetime.start.p0i8(i64 128, i8* %b2)
%t3 = call i32 @foo(i32 %in, i8* %b2)
%t4 = call i32 @foo(i32 %in, i8* %b2)
call void @llvm.lifetime.end.p0i8(i64 128, i8* %b2)
%t5 = add i32 %t1, %t2
%t6 = add i32 %t3, %t4
%t7 = add i32 %t5, %t6
ret i32 %t7
}
declare void @llvm.lifetime.start.p0i8(i64, i8* nocapture) nounwind
declare void @llvm.lifetime.end.p0i8(i64, i8* nocapture) nounwind
declare i32 @foo(i32, i8*)
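Review bot: The `COLOR: sub sp, sp, #240` and `NOCOLOR: sub sp, sp, #368` expectations encode the entire AArch64 frame layout, so any unrelated change to frame lowering or to HWASan's own frame bookkeeping will fail this test without saying what broke, and nothing in the file explains why those two numbers demonstrate slot reuse. A comment deriving them would make the check reviewable, e.g. `; With stack coloring %a2 (16 x i8* = 128 bytes) shares the slot of %a (136 bytes, padded to 144 at HWASan's 16-byte granularity), so the frame shrinks by 128: 368 - 240.` The 144 figure is inferred from the 16-byte object alignment the pass uses elsewhere in this commit rather than from anything in this file, so confirm it before committing the comment. The two RUN lines also order `-hwasan-use-after-scope` and `%s` differently; aligning them is cosmetic but avoids a reader wondering whether the difference matters.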


@ -35,12 +35,12 @@ define dso_local i32 @standard_lifetime() local_unnamed_addr sanitize_hwaddress
; X86-SCOPE-NEXT: [[ALLOCA_0_HWASAN:%.*]] = inttoptr i64 [[TMP7]] to i8*
; X86-SCOPE-NEXT: br label [[TMP8:%.*]]
; X86-SCOPE: 8:
; X86-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; X86-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 16, i8* nonnull [[TMP2]])
; X86-SCOPE-NEXT: [[TMP9:%.*]] = trunc i64 [[TMP4]] to i8
; X86-SCOPE-NEXT: call void @__hwasan_tag_memory(i8* [[TMP2]], i8 [[TMP9]], i64 16)
; X86-SCOPE-NEXT: [[TMP10:%.*]] = tail call i1 (...) @cond()
; X86-SCOPE-NEXT: call void @__hwasan_tag_memory(i8* [[TMP2]], i8 0, i64 16)
; X86-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; X86-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 16, i8* nonnull [[TMP2]])
; X86-SCOPE-NEXT: br i1 [[TMP10]], label [[TMP11:%.*]], label [[TMP8]]
; X86-SCOPE: 11:
; X86-SCOPE-NEXT: call void @use(i8* nonnull [[ALLOCA_0_HWASAN]])
@ -99,7 +99,7 @@ define dso_local i32 @standard_lifetime() local_unnamed_addr sanitize_hwaddress
; AARCH64-SCOPE-NEXT: [[ALLOCA_0_HWASAN:%.*]] = inttoptr i64 [[TMP25]] to i8*
; AARCH64-SCOPE-NEXT: br label [[TMP26:%.*]]
; AARCH64-SCOPE: 26:
; AARCH64-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; AARCH64-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 16, i8* nonnull [[TMP20]])
; AARCH64-SCOPE-NEXT: [[TMP27:%.*]] = trunc i64 [[TMP22]] to i8
; AARCH64-SCOPE-NEXT: [[TMP28:%.*]] = ptrtoint i8* [[TMP20]] to i64
; AARCH64-SCOPE-NEXT: [[TMP29:%.*]] = lshr i64 [[TMP28]], 4
@ -110,7 +110,7 @@ define dso_local i32 @standard_lifetime() local_unnamed_addr sanitize_hwaddress
; AARCH64-SCOPE-NEXT: [[TMP33:%.*]] = lshr i64 [[TMP32]], 4
; AARCH64-SCOPE-NEXT: [[TMP34:%.*]] = getelementptr i8, i8* [[TMP18]], i64 [[TMP33]]
; AARCH64-SCOPE-NEXT: call void @llvm.memset.p0i8.i64(i8* align 1 [[TMP34]], i8 0, i64 1, i1 false)
; AARCH64-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; AARCH64-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 16, i8* nonnull [[TMP20]])
; AARCH64-SCOPE-NEXT: br i1 [[TMP31]], label [[TMP35:%.*]], label [[TMP26]]
; AARCH64-SCOPE: 35:
; AARCH64-SCOPE-NEXT: call void @use(i8* nonnull [[ALLOCA_0_HWASAN]])
@ -195,7 +195,7 @@ define dso_local i32 @standard_lifetime() local_unnamed_addr sanitize_hwaddress
; AARCH64-SHORT-SCOPE-NEXT: [[ALLOCA_0_HWASAN:%.*]] = inttoptr i64 [[TMP25]] to i8*
; AARCH64-SHORT-SCOPE-NEXT: br label [[TMP26:%.*]]
; AARCH64-SHORT-SCOPE: 26:
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 16, i8* nonnull [[TMP20]])
; AARCH64-SHORT-SCOPE-NEXT: [[TMP27:%.*]] = trunc i64 [[TMP22]] to i8
; AARCH64-SHORT-SCOPE-NEXT: [[TMP28:%.*]] = ptrtoint i8* [[TMP20]] to i64
; AARCH64-SHORT-SCOPE-NEXT: [[TMP29:%.*]] = lshr i64 [[TMP28]], 4
@ -209,7 +209,7 @@ define dso_local i32 @standard_lifetime() local_unnamed_addr sanitize_hwaddress
; AARCH64-SHORT-SCOPE-NEXT: [[TMP35:%.*]] = lshr i64 [[TMP34]], 4
; AARCH64-SHORT-SCOPE-NEXT: [[TMP36:%.*]] = getelementptr i8, i8* [[TMP18]], i64 [[TMP35]]
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.memset.p0i8.i64(i8* align 1 [[TMP36]], i8 0, i64 1, i1 false)
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 16, i8* nonnull [[TMP20]])
; AARCH64-SHORT-SCOPE-NEXT: br i1 [[TMP33]], label [[TMP37:%.*]], label [[TMP26]]
; AARCH64-SHORT-SCOPE: 37:
; AARCH64-SHORT-SCOPE-NEXT: call void @use(i8* nonnull [[ALLOCA_0_HWASAN]])
@ -294,12 +294,12 @@ define dso_local i32 @standard_lifetime_optnone() local_unnamed_addr optnone noi
; X86-SCOPE-NEXT: [[ALLOCA_0_HWASAN:%.*]] = inttoptr i64 [[TMP7]] to i8*
; X86-SCOPE-NEXT: br label [[TMP8:%.*]]
; X86-SCOPE: 8:
; X86-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; X86-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 16, i8* nonnull [[TMP2]])
; X86-SCOPE-NEXT: [[TMP9:%.*]] = trunc i64 [[TMP4]] to i8
; X86-SCOPE-NEXT: call void @__hwasan_tag_memory(i8* [[TMP2]], i8 [[TMP9]], i64 16)
; X86-SCOPE-NEXT: [[TMP10:%.*]] = tail call i1 (...) @cond()
; X86-SCOPE-NEXT: call void @__hwasan_tag_memory(i8* [[TMP2]], i8 0, i64 16)
; X86-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; X86-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 16, i8* nonnull [[TMP2]])
; X86-SCOPE-NEXT: br i1 [[TMP10]], label [[TMP11:%.*]], label [[TMP8]]
; X86-SCOPE: 11:
; X86-SCOPE-NEXT: call void @use(i8* nonnull [[ALLOCA_0_HWASAN]])
@ -358,7 +358,7 @@ define dso_local i32 @standard_lifetime_optnone() local_unnamed_addr optnone noi
; AARCH64-SCOPE-NEXT: [[ALLOCA_0_HWASAN:%.*]] = inttoptr i64 [[TMP25]] to i8*
; AARCH64-SCOPE-NEXT: br label [[TMP26:%.*]]
; AARCH64-SCOPE: 26:
; AARCH64-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; AARCH64-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 16, i8* nonnull [[TMP20]])
; AARCH64-SCOPE-NEXT: [[TMP27:%.*]] = trunc i64 [[TMP22]] to i8
; AARCH64-SCOPE-NEXT: [[TMP28:%.*]] = ptrtoint i8* [[TMP20]] to i64
; AARCH64-SCOPE-NEXT: [[TMP29:%.*]] = lshr i64 [[TMP28]], 4
@ -369,7 +369,7 @@ define dso_local i32 @standard_lifetime_optnone() local_unnamed_addr optnone noi
; AARCH64-SCOPE-NEXT: [[TMP33:%.*]] = lshr i64 [[TMP32]], 4
; AARCH64-SCOPE-NEXT: [[TMP34:%.*]] = getelementptr i8, i8* [[TMP18]], i64 [[TMP33]]
; AARCH64-SCOPE-NEXT: call void @llvm.memset.p0i8.i64(i8* align 1 [[TMP34]], i8 0, i64 1, i1 false)
; AARCH64-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; AARCH64-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 16, i8* nonnull [[TMP20]])
; AARCH64-SCOPE-NEXT: br i1 [[TMP31]], label [[TMP35:%.*]], label [[TMP26]]
; AARCH64-SCOPE: 35:
; AARCH64-SCOPE-NEXT: call void @use(i8* nonnull [[ALLOCA_0_HWASAN]])
@ -454,7 +454,7 @@ define dso_local i32 @standard_lifetime_optnone() local_unnamed_addr optnone noi
; AARCH64-SHORT-SCOPE-NEXT: [[ALLOCA_0_HWASAN:%.*]] = inttoptr i64 [[TMP25]] to i8*
; AARCH64-SHORT-SCOPE-NEXT: br label [[TMP26:%.*]]
; AARCH64-SHORT-SCOPE: 26:
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 16, i8* nonnull [[TMP20]])
; AARCH64-SHORT-SCOPE-NEXT: [[TMP27:%.*]] = trunc i64 [[TMP22]] to i8
; AARCH64-SHORT-SCOPE-NEXT: [[TMP28:%.*]] = ptrtoint i8* [[TMP20]] to i64
; AARCH64-SHORT-SCOPE-NEXT: [[TMP29:%.*]] = lshr i64 [[TMP28]], 4
@ -468,7 +468,7 @@ define dso_local i32 @standard_lifetime_optnone() local_unnamed_addr optnone noi
; AARCH64-SHORT-SCOPE-NEXT: [[TMP35:%.*]] = lshr i64 [[TMP34]], 4
; AARCH64-SHORT-SCOPE-NEXT: [[TMP36:%.*]] = getelementptr i8, i8* [[TMP18]], i64 [[TMP35]]
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.memset.p0i8.i64(i8* align 1 [[TMP36]], i8 0, i64 1, i1 false)
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.lifetime.end.p0i8(i64 16, i8* nonnull [[TMP20]])
; AARCH64-SHORT-SCOPE-NEXT: br i1 [[TMP33]], label [[TMP37:%.*]], label [[TMP26]]
; AARCH64-SHORT-SCOPE: 37:
; AARCH64-SHORT-SCOPE-NEXT: call void @use(i8* nonnull [[ALLOCA_0_HWASAN]])
@ -776,7 +776,7 @@ define dso_local i32 @unreachable_exit() local_unnamed_addr sanitize_hwaddress {
; X86-SCOPE-NEXT: [[TMP6:%.*]] = shl i64 [[TMP4]], 57
; X86-SCOPE-NEXT: [[TMP7:%.*]] = or i64 [[TMP5]], [[TMP6]]
; X86-SCOPE-NEXT: [[ALLOCA_0_HWASAN:%.*]] = inttoptr i64 [[TMP7]] to i8*
; X86-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; X86-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 16, i8* nonnull [[TMP2]])
; X86-SCOPE-NEXT: [[TMP8:%.*]] = trunc i64 [[TMP4]] to i8
; X86-SCOPE-NEXT: call void @__hwasan_tag_memory(i8* [[TMP2]], i8 [[TMP8]], i64 16)
; X86-SCOPE-NEXT: [[TMP9:%.*]] = tail call i1 (...) @cond()
@ -841,7 +841,7 @@ define dso_local i32 @unreachable_exit() local_unnamed_addr sanitize_hwaddress {
; AARCH64-SCOPE-NEXT: [[TMP24:%.*]] = shl i64 [[TMP22]], 56
; AARCH64-SCOPE-NEXT: [[TMP25:%.*]] = or i64 [[TMP23]], [[TMP24]]
; AARCH64-SCOPE-NEXT: [[ALLOCA_0_HWASAN:%.*]] = inttoptr i64 [[TMP25]] to i8*
; AARCH64-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; AARCH64-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 16, i8* nonnull [[TMP20]])
; AARCH64-SCOPE-NEXT: [[TMP26:%.*]] = trunc i64 [[TMP22]] to i8
; AARCH64-SCOPE-NEXT: [[TMP27:%.*]] = ptrtoint i8* [[TMP20]] to i64
; AARCH64-SCOPE-NEXT: [[TMP28:%.*]] = lshr i64 [[TMP27]], 4
@ -944,7 +944,7 @@ define dso_local i32 @unreachable_exit() local_unnamed_addr sanitize_hwaddress {
; AARCH64-SHORT-SCOPE-NEXT: [[TMP24:%.*]] = shl i64 [[TMP22]], 56
; AARCH64-SHORT-SCOPE-NEXT: [[TMP25:%.*]] = or i64 [[TMP23]], [[TMP24]]
; AARCH64-SHORT-SCOPE-NEXT: [[ALLOCA_0_HWASAN:%.*]] = inttoptr i64 [[TMP25]] to i8*
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull [[ALLOCA_0_HWASAN]])
; AARCH64-SHORT-SCOPE-NEXT: call void @llvm.lifetime.start.p0i8(i64 16, i8* nonnull [[TMP20]])
; AARCH64-SHORT-SCOPE-NEXT: [[TMP26:%.*]] = trunc i64 [[TMP22]] to i8
; AARCH64-SHORT-SCOPE-NEXT: [[TMP27:%.*]] = ptrtoint i8* [[TMP20]] to i64
; AARCH64-SHORT-SCOPE-NEXT: [[TMP28:%.*]] = lshr i64 [[TMP27]], 4