[PATCH] D77619: [AddressSanitizer] Instrument byval call arguments
Jann Horn via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Mon Apr 6 18:34:13 PDT 2020
thejh created this revision.
thejh added a project: LLVM.
Herald added subscribers: llvm-commits, dexonsmith, hiraditya.
thejh added a parent revision: D77618: [AddressSanitizer] Refactor: Permit >1 interesting operands per instruction.
thejh edited the summary of this revision.
thejh added reviewers: kcc, glider.
In the LLVM IR, "call" instructions read memory for each byval operand.
For example:
$ cat blah.c
struct foo { void *a, *b, *c; };
struct bar { struct foo foo; };
void func1(const struct foo);
void func2(struct bar *bar) { func1(bar->foo); }
$ [...]/bin/clang -S -flto -c blah.c -O2 ; cat blah.s
[...]
define dso_local void @func2(%struct.bar* %bar) local_unnamed_addr #0 {
entry:
%foo = getelementptr inbounds %struct.bar, %struct.bar* %bar, i64 0, i32 0
tail call void @func1(%struct.foo* byval(%struct.foo) align 8 %foo) #2
ret void
}
[...]
$ [...]/bin/clang -S -c blah.c -O2 ; cat blah.s
[...]
func2: # @func2
[...]
subq $24, %rsp
[...]
movq 16(%rdi), %rax
movq %rax, 16(%rsp)
movups (%rdi), %xmm0
movups %xmm0, (%rsp)
callq func1
addq $24, %rsp
[...]
retq
Let ASAN instrument these hidden memory accesses.
This is patch 4/4 of a patch series:
https://reviews.llvm.org/D77616 [PATCH 1/4] [AddressSanitizer] Refactor ClDebug{Min,Max} handling
https://reviews.llvm.org/D77617 [PATCH 2/4] [AddressSanitizer] Split out memory intrinsic handling
https://reviews.llvm.org/D77618 [PATCH 3/4] [AddressSanitizer] Refactor: Permit >1 interesting operands per instruction
https://reviews.llvm.org/D77619 [PATCH 4/4] [AddressSanitizer] Instrument byval call arguments
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D77619
Files:
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
llvm/test/Instrumentation/AddressSanitizer/byval-args.ll
Index: llvm/test/Instrumentation/AddressSanitizer/byval-args.ll
===================================================================
--- /dev/null
+++ llvm/test/Instrumentation/AddressSanitizer/byval-args.ll
@@ -0,0 +1,18 @@
+; RUN: opt < %s -asan -S | FileCheck %s
+; Test that for call instructions, the by-value arguments are instrumented.
+
+target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
+target triple = "x86_64-unknown-linux-gnu"
+
+%struct.bar = type { %struct.foo }
+%struct.foo = type { i8*, i8*, i8* }
+define dso_local void @func2(%struct.foo* %foo) sanitize_address {
+; CHECK-LABEL: @func2
+ tail call void @func1(%struct.foo* byval(%struct.foo) align 8 %foo) #2
+; CHECK: call void @__asan_report_load
+ ret void
+; CHECK: ret void
+}
+declare dso_local void @func1(%struct.foo* byval(%struct.foo) align 8)
+
+!0 = !{i32 1, !"wchar_size", i32 4}
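Review bot: The `CHECK: call void @__asan_report_load` line only establishes that a load report appears somewhere after the label, not that it guards the byval argument ahead of the call; adding `; CHECK: call void @func1(%struct.foo* byval(%struct.foo) align 8 %foo)` after it pins the report to the instrumented call site. The `#2` on the `tail call` line refers to an attribute group the file never defines, and `%struct.bar` and `!0` are unused, apparently leftovers of the compiler output quoted in the description that can be dropped. The HWAddressSanitizer.cpp hunk adds the same instrumentation but no test in this patch exercises it.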
Index: llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
===================================================================
--- llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
+++ llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
@@ -548,6 +548,13 @@
return;
Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true,
XCHG->getCompareOperand()->getType(), 0);
+ } else if (auto CI = dyn_cast<CallInst>(I)) {
+ for (unsigned ArgNo = 0; ArgNo < CI->getNumArgOperands(); ArgNo++) {
+ if (!CI->isByValArgument(ArgNo) || ignoreAccess(CI->getArgOperand(ArgNo)))
+ continue;
+ Type *Ty = CI->getParamByValType(ArgNo);
+ Interesting.emplace_back(I, ArgNo, false, Ty, 1);
+ }
}
}
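Review bot: `dyn_cast<CallInst>(I)` on the new branch leaves `invoke` instructions with byval arguments uninstrumented although they read the same argument memory; `isByValArgument`, `getParamByValType`, `getNumArgOperands` and `getArgOperand` all live on `CallBase`, so `} else if (auto *CB = dyn_cast<CallBase>(I)) {` covers both (and `auto *` rather than `auto` is the LLVM idiom for a pointer result). The byval read is also not gated on `ClInstrumentReads` the way the plain-load path in this function presumably is; `if (!ClInstrumentReads || !CI->isByValArgument(ArgNo) || ignoreAccess(CI->getArgOperand(ArgNo)))` keeps that option meaningful. The AddressSanitizer.cpp hunk below has the same two gaps, though there `CI` is bound outside the hunk so its static type cannot be confirmed from here. The enclosing function starts outside the hunk.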
Index: llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
===================================================================
--- llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
+++ llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
@@ -1415,6 +1415,14 @@
Alignment = (unsigned)AlignmentConstant->getZExtValue();
Value *Mask = CI->getOperand(2 + OpOffset);
Interesting.emplace_back(I, OpOffset, IsWrite, Ty, Alignment, Mask);
+ } else {
+ for (unsigned ArgNo = 0; ArgNo < CI->getNumArgOperands(); ArgNo++) {
+ if (!CI->isByValArgument(ArgNo) ||
+ ignoreAccess(CI->getArgOperand(ArgNo)))
+ continue;
+ Type *Ty = CI->getParamByValType(ArgNo);
+ Interesting.emplace_back(I, ArgNo, false, Ty, 1);
+ }
}
}
}
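Review bot: The alignment handed to `Interesting.emplace_back` on the new line is the literal `1`, although a byval argument carries its own alignment (the IR in the description shows `byval(%struct.foo) align 8`); with `1` the access presumably always takes the unusual-size/alignment path even for small structs, so the call's param alignment (`CI->getParamAlign(ArgNo)`, falling back to 1 when the attribute carries none) would be the accurate value. The loop also re-evaluates `CI->getNumArgOperands()` on every iteration; the usual form in this codebase is `for (unsigned ArgNo = 0, E = CI->getNumArgOperands(); ArgNo != E; ++ArgNo)`. The HWAddressSanitizer.cpp hunk above has the same literal and loop shape. The `if` this `else` attaches to and the enclosing function both start outside the hunk.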