Commit Graph

157 Commits

Author SHA1 Message Date
Peter Collingbourne 82437bf7a5 Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).

The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.

Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.

This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:

- Add the safestack function attribute, similar to the ssp, sspstrong and
  sspreq attributes.

- Add the SafeStack instrumentation pass that applies the safe stack to all
  functions that have the safestack attribute. This pass moves all unsafe local
  variables to the unsafe stack with a separate stack pointer, whereas all
  safe variables remain on the regular stack that is managed by LLVM as usual.

- Invoke the pass as the last stage before code generation (at the same time
  the existing cookie-based stack protector pass is invoked).

- Add unit tests for the safe stack.

Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.

Differential Revision: http://reviews.llvm.org/D6094

llvm-svn: 239761
2015-06-15 21:07:11 +00:00
Owen Anderson 85fa7d5037 Add initial support for the convergent attribute.
llvm-svn: 238264
2015-05-26 23:48:40 +00:00
Pete Cooper 2777d88745 Change typeIncompatible to return an AttrBuilder instead of new-ing an AttributeSet.
This makes use of the new API which can remove attributes from a set given a builder.

This is much faster than creating a temporary set and reduces llc time by about 0.3% which was all spent creating temporary attributes sets on the context.

llvm-svn: 236668
2015-05-06 23:19:56 +00:00
Pete Cooper d2a44619e3 Add remove method to operate on AttrBuilder instead of AttributeSet.
Prior to this change we would have to construct a temporary AttributeSet (which isn't temporary at all given that its allocated on the context), just to contain the attributes in the builder, then call remove on that.

Now we can just remove any attributes from the (lightweight and really temporary) builder itself.

Will be used in a future commit to remove some temporary attributes sets.

llvm-svn: 236666
2015-05-06 23:19:43 +00:00
Pete Cooper cc151ccdcf Remove unnecessary #ifndef NDEBUG guard around assert. NFC.
Found by Hal Finkel in the review of AttributeSets.  http://lists.cs.uiuc.edu/pipermail/llvm-commits/Week-of-Mon-20150504/275058.html

llvm-svn: 236662
2015-05-06 22:55:46 +00:00
Sanjoy Das 06cf33fbea Add missing dereferenceable_or_null getters
Summary: Add missing dereferenceable_or_null getters required for
http://reviews.llvm.org/D9253 change. Separated from the D9253 review.

Patch by Artur Pilipenko!

Reviewers: sanjoy

Reviewed By: sanjoy

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D9499

llvm-svn: 236615
2015-05-06 17:41:54 +00:00
Sanjoy Das 31ea6d1590 [IR] Introduce a dereferenceable_or_null(N) attribute.
Summary:
If a pointer is marked as dereferenceable_or_null(N), LLVM assumes it
is either `null` or `dereferenceable(N)` or both.  This change only
introduces the attribute and adds a token test case for the `llvm-as`
/ `llvm-dis`.  It does not hook up other parts of the optimizer to
actually exploit the attribute -- those changes will come later.

For pointers in address space 0, `dereferenceable(N)` is now exactly
equivalent to `dereferenceable_or_null(N)` && `nonnull`.  For other
address spaces, `dereferenceable(N)` is potentially weaker than
`dereferenceable_or_null(N)` && `nonnull` (since we could have a null
`dereferenceable(N)` pointer).

The motivating case for this change is Java (and other managed
languages), where pointers are either `null` or dereferenceable up to
some usually known-at-compile-time constant offset.

Reviewers: rafael, hfinkel

Reviewed By: hfinkel

Subscribers: nicholas, llvm-commits

Differential Revision: http://reviews.llvm.org/D8650

llvm-svn: 235132
2015-04-16 20:29:50 +00:00
Yaron Keren 075759aadd Remove more superfluous .str() and replace std::string concatenation with Twine.
Following r233392, http://llvm.org/viewvc/llvm-project?rev=233392&view=rev.

llvm-svn: 233555
2015-03-30 15:42:36 +00:00
Ramkumar Ramachandra 8fcb498a9a InstCombine: propagate deref via new addDereferenceableAttr
The "dereferenceable" attribute cannot be added via .addAttribute(),
since it also expects a size in bytes. AttrBuilder#addAttribute or
AttributeSet#addAttribute is wrapped by classes Function, InvokeInst,
and CallInst. Add corresponding wrappers to
AttrBuilder#addDereferenceableAttr.

Having done this, propagate the dereferenceable attribute via
gc.relocate, adding a test to exercise it. Note that -datalayout is
required during execution over and above -instcombine, because
InstCombine only optionally requires DataLayoutPass.

Differential Revision: http://reviews.llvm.org/D7510

llvm-svn: 229265
2015-02-14 19:37:54 +00:00
Matt Arsenault fb4308ed9a Revert accidentally committed r217107
"Don't treat 0 as a special value for int attributes."

llvm-svn: 217110
2014-09-03 23:38:05 +00:00
Matt Arsenault e1cef6e3be Don't treat 0 as a special value for int attributes.
Split the get() to not use a default value. This way
attributes can be added that have 0 as a legitimate value.

llvm-svn: 217107
2014-09-03 23:24:31 +00:00
Hal Finkel b0407ba071 Add a dereferenceable attribute
This attribute indicates that the parameter or return pointer is
dereferenceable. Practically speaking, loads from such a pointer within the
associated byte range are safe to speculatively execute. Such pointer
parameters are common in source languages (C++ references, for example).

llvm-svn: 213385
2014-07-18 15:51:28 +00:00
Hal Finkel e15442c8aa Rename AlignAttribute to IntAttribute
Currently the only kind of integer IR attributes that we have are alignment
attributes, and so the attribute kind that takes an integer parameter is called
AlignAttr, but that will change (we'll soon be adding a dereferenceable
attribute that also takes an integer value). Accordingly, rename AlignAttribute
to IntAttribute (class names, enums, etc.).

No functionality change intended.

llvm-svn: 213352
2014-07-18 06:51:55 +00:00
Eric Christopher 0eaa541ea5 Fix typos.
llvm-svn: 212228
2014-07-02 22:05:40 +00:00
Tom Roeder 44cb65fff1 Add a new attribute called 'jumptable' that creates jump-instruction tables for functions marked with this attribute.
It includes a pass that rewrites all indirect calls to jumptable functions to pass through these tables.

This also adds backend support for generating the jump-instruction tables on ARM and X86.
Note that since the jumptable attribute creates a second function pointer for a
function, any function marked with jumptable must also be marked with unnamed_addr.

llvm-svn: 210280
2014-06-05 19:29:43 +00:00
Nick Lewycky d52b1528c0 Add 'nonnull', a new parameter and return attribute which indicates that the pointer is not null. Instcombine will elide comparisons between these and null. Patch by Luqman Aden!
llvm-svn: 209185
2014-05-20 01:23:40 +00:00
David Majnemer cf63a79818 IR: Cleanup AttributeSet::get for AttrBuilder
We don't modify the AttrBuilder in AttributeSet::get, make the reference
argument const.

llvm-svn: 207924
2014-05-03 23:00:35 +00:00
Benjamin Kramer 502b9e1d7f Retire llvm::array_endof in favor of non-member std::end.
While there make array_lengthof constexpr if we have support for it.

llvm-svn: 206112
2014-04-12 16:15:53 +00:00
Craig Topper c620761ca5 [C++11] More 'nullptr' conversion or in some cases just using a boolean check instead of comparing to nullptr.
llvm-svn: 205831
2014-04-09 06:08:46 +00:00
Benjamin Kramer 17388a61b2 Revert "[C++11] Replace LLVM atomics with std::atomic."
Breaks the MSVC build.
DataStream.cpp(44): error C2552: 'llvm::Statistic::Value' : non-aggregates cannot be initialized with initializer list

llvm-svn: 202731
2014-03-03 18:02:34 +00:00
Benjamin Kramer 0b6eb591a4 [C++11] Replace LLVM atomics with std::atomic.
With C++11 we finally have a standardized way to specify atomic operations. Use
them to replace the existing custom implemention. Sadly the translation is not
entirely trivial as std::atomic allows more fine-grained control over the
atomicity. I tried to preserve the old semantics as well as possible.

Differential Revision: http://llvm-reviews.chandlerc.com/D2915

llvm-svn: 202730
2014-03-03 17:53:30 +00:00
Reid Kleckner a534a38130 Begin adding docs and IR-level support for the inalloca attribute
The inalloca attribute is designed to support passing C++ objects by
value in the Microsoft C++ ABI.  It behaves the same as byval, except
that it always implies that the argument is in memory and that the bytes
are never copied.  This attribute allows the caller to take the address
of an outgoing argument's memory and execute arbitrary code to store
into it.

This patch adds basic IR support, docs, and verification.  It does not
attempt to implement any lowering or fix any possibly broken transforms.

When this patch lands, a complete description of this feature should
appear at http://llvm.org/docs/InAlloca.html .

Differential Revision: http://llvm-reviews.chandlerc.com/D2173

llvm-svn: 197645
2013-12-19 02:14:12 +00:00
Juergen Ributzka d12ccbd343 [weak vtables] Remove a bunch of weak vtables
This patch removes most of the trivial cases of weak vtables by pinning them to
a single object file. The memory leaks in this version have been fixed. Thanks
Alexey for pointing them out.

Differential Revision: http://llvm-reviews.chandlerc.com/D2068

Reviewed by Andy

llvm-svn: 195064
2013-11-19 00:57:56 +00:00
Alexey Samsonov 49109a279c Revert r194865 and r194874.
This change is incorrect. If you delete virtual destructor of both a base class
and a subclass, then the following code:
  Base *foo = new Child();
  delete foo;
will not cause the destructor for members of Child class. As a result, I observe
plently of memory leaks. Notable examples I investigated are:
ObjectBuffer and ObjectBufferStream, AttributeImpl and StringSAttributeImpl.

llvm-svn: 194997
2013-11-18 09:31:53 +00:00
Juergen Ributzka dbedae89b9 [weak vtables] Remove a bunch of weak vtables
This patch removes most of the trivial cases of weak vtables by pinning them to
a single object file.

Differential Revision: http://llvm-reviews.chandlerc.com/D2068

Reviewed by Andy

llvm-svn: 194865
2013-11-15 22:34:48 +00:00
Andrea Di Biagio 377496bbad Add function attribute 'optnone'.
This function attribute indicates that the function is not optimized
by any optimization or code generator passes with the 
exception of interprocedural optimization passes.

llvm-svn: 189101
2013-08-23 11:53:55 +00:00
Peter Collingbourne abca2ecaab Add a AttributeSetImpl::dump function.
This is for the benefit of those of us with inferior debuggers which
do not permit member function calls on value types.

llvm-svn: 187685
2013-08-02 22:34:30 +00:00
Peter Collingbourne bd6c7459bb Make one of the AttributeSet ctors maintain the invariant that the
attribute list is ordered by index.

Differential Revision: http://llvm-reviews.chandlerc.com/D1265

llvm-svn: 187682
2013-08-02 22:29:40 +00:00
Bill Wendling 3b2f61066c Add a way to add a kind-value string pair to an attribute.
llvm-svn: 187138
2013-07-25 18:34:24 +00:00
Bill Wendling 440e9d81bf Replace the "NoFramePointerElimNonLeaf" target option with a function attribute.
There's no need to specify a flag to omit frame pointer elimination on non-leaf
nodes...(Honestly, I can't parse that option out.) Use the function attribute
stuff instead.

llvm-svn: 187093
2013-07-25 00:34:29 +00:00
Benjamin Kramer 741146b825 Reduce the number of indirections in the attributes implementation.
- Coallocate entires for AttributeSetImpls and Nodes after the class itself.
- Remove mutable iterators from immutable classes.
- Remove unused context field from AttributeImpl.
- Derive Enum/Align/String attribute implementations from AttributeImpl instead
  of having a whole new inheritance tree for them.
- Derive AlignAttributeImpl from EnumAttributeImpl.

llvm-svn: 186075
2013-07-11 12:13:16 +00:00
Nick Lewycky c2ec0725ce Extend 'readonly' and 'readnone' to work on function arguments as well as
functions. Make the function attributes pass add it to known library functions
and when it can deduce it.

llvm-svn: 185735
2013-07-06 00:29:58 +00:00
Michael Gottesman 41748d7c86 Added support for the Builtin attribute.
The Builtin attribute is an attribute that can be placed on function call site that signal that even though a function is declared as being a builtin,

rdar://problem/13727199

llvm-svn: 185049
2013-06-27 00:25:01 +00:00
Diego Novillo c63995394d Add a new function attribute 'cold' to functions.
Other than recognizing the attribute, the patch does little else.
It changes the branch probability analyzer so that edges into
blocks postdominated by a cold function are given low weight.

Added analysis and code generation tests.  Added documentation for the
new attribute.

llvm-svn: 182638
2013-05-24 12:26:52 +00:00
Rafael Espindola cbf5a7ad06 Now that the underlying issue is fixed, revert r180750 and r180722.
The cause of the windows failures was fixed by r180791. Revert to the state
after Sabre's original revert.

Original message:

revert r179735, it has no testcases, and doesn't really make sense.

llvm-svn: 180844
2013-05-01 13:07:03 +00:00
Rafael Espindola dd27530a44 Change getSlotIndex to return unsigned.
The actual storage was already using unsigned, but the interface was using
uint64_t. This is wasteful on 32 bits and looks to be the root causes of
a miscompilation on Windows where a value was being sign extended to 64bits
to compare with the result of getSlotIndex.

Patch by Pasi Parviainen!

llvm-svn: 180791
2013-04-30 16:53:38 +00:00
Bill Wendling 0494597566 Revert the command line option patch. However, keep the part that makes this pass on Windows. I.e., we don't emit the target dependent attributes in a comment before the function.
llvm-svn: 180750
2013-04-29 23:48:06 +00:00
Reid Kleckner e02c622baa Revert "revert r179735, it has no testcases, and doesn't really make sense."
This un-reverts r179735 and reverts commit r180574.

This fixes assertion failures for me locally and should fix the failures
on Windows reported widely on llvm-dev.  We should check if the bots
caught this and if so why not.

llvm-svn: 180722
2013-04-29 18:23:53 +00:00
Chris Lattner 6b2702a6cc revert r179735, it has no testcases, and doesn't really make sense.
llvm-svn: 180574
2013-04-25 20:34:16 +00:00
Stephen Lin b8bd232a3d Add CodeGen support for functions that always return arguments via a new parameter attribute 'returned', which is taken advantage of in target-independent tail call opportunity detection and in ARM call lowering (when placed on an integral first parameter).
llvm-svn: 179925
2013-04-20 05:14:40 +00:00
Benjamin Kramer 0baf8f4279 Attributes: Don't print trailing whitespace on the function attribute comment.
llvm-svn: 179849
2013-04-19 11:43:21 +00:00
Bill Wendling 6a97e89df6 Make the TargetIndependent flag have the right boolean value.
llvm-svn: 179798
2013-04-18 21:45:04 +00:00
Bill Wendling 211316cc54 Cleanup patch:
Semantics of parameters named Index and Idx were inconsistent between
"include/llvm/IR/Attributes.h", "lib/IR/AttributeImpl.h" and
"lib/IR/Attributes.cpp": sometimes these were fixed 1-based indexes of IR
parameters (or AttributeSet::ReturnIndex for IR return values or
AttributeSet::FunctionIndex for IR functions), other times they were the
internal slot for storage in the underlying AttributeSetImpl. I renamed usage of
the former to "Index" and usage of the latter to "Slot" ("Slot" was already
being used consistently for the latter in a subset of cases)

Patch by Stephen Lin!

llvm-svn: 179791
2013-04-18 20:17:28 +00:00
Bill Wendling e3a60a9bc0 This patch addresses two cleanup issues:
1. Verify::VerifyParameterAttrs in "lib/IR/Verifier.cpp" and
   AttrBuilder::removeFunctionOnlyAttrs in "lib/IR/Attributes.cpp" (only called
   by Verify::VerifyFunctionAttrs) separately maintained a list of function-only
   attribute types. I've consolidated the logic into a new function used for
   both cases in "lib/IR/Verifier.cpp", so this logic is in one place (other
   than the AsmParser front-end)

2. Various functions in "lib/IR/Verifier.cpp" passed AttributeSet around by
   reference needlessly, as it's just a handle to an immutable pimpl body.

Patch by Stephen Lin!

llvm-svn: 179790
2013-04-18 20:15:25 +00:00
Bill Wendling 877cf534ab Add an option `-enable-old-style-attr-syntax' to print out function attributes in the "old" style.
It's sometimes beneficial to emit a testcase with the old style attribute
syntax. Allow someone to do this.
<rdar://problem/13563209>

llvm-svn: 179735
2013-04-17 23:35:59 +00:00
Reed Kotler 795c7b455c Add some additonal attribute helper functions. Test will be on follow
up putback to clang for mips16.

llvm-svn: 176968
2013-03-13 20:20:08 +00:00
Bill Wendling 8c8f9871c3 Don't add an attribute that already exists and don't remove an attribute that doesn't exist.
llvm-svn: 176289
2013-02-28 19:17:40 +00:00
Kostya Serebryany cf880b9443 Unify clang/llvm attributes for asan/tsan/msan (LLVM part)
These are two related changes (one in llvm, one in clang).
LLVM: 
- rename address_safety => sanitize_address (the enum value is the same, so we preserve binary compatibility with old bitcode)
- rename thread_safety => sanitize_thread
- rename no_uninitialized_checks -> sanitize_memory

CLANG: 
- add __attribute__((no_sanitize_address)) as a synonym for __attribute__((no_address_safety_analysis))
- add __attribute__((no_sanitize_thread))
- add __attribute__((no_sanitize_memory))

for S in address thread memory
If -fsanitize=S is present and __attribute__((no_sanitize_S)) is not
set llvm attribute sanitize_S

llvm-svn: 176075
2013-02-26 06:58:09 +00:00
Bill Wendling 25342e126f Remove warning about default covering no cases.
llvm-svn: 175846
2013-02-22 00:50:09 +00:00
Bill Wendling 7bfdfe7317 Add a bitmask for NoBuiltin. This should *not* be used.
llvm-svn: 175843
2013-02-22 00:40:12 +00:00