[llvm-dev] BoundsChecking Pass
Nuno Lopes via llvm-dev
llvm-dev at lists.llvm.org
Sun May 22 14:33:43 PDT 2016
I'm the author of the BoundsChecking pass.
It's true there's little documentation about it (only mentioned in:
You can run it with 'clang -fsanitize=bounds' or 'opt -bounds-checking'.
The BoundsChecking pass, AddressSanitizer and BaggyBoundsCheck are all
different code bases, each exploring a different set of tradeoffs. The goal
of the BoundsChecking pass was that the runtime penalty should be low enough
to enable usage in production.
Some information about the BoundsChecking pass:
- It is intra-procedural only. If you dereference a pointer that was passed
as argument, then it is not checked (with some exceptions).
- It supports heap allocations, provided that these allocations are done
using 1) standard functions that LLVM recognizes (malloc, new, strdup, etc)
or 2) functions are annotated with alloc_size
- It's helpful to compile with -O2, otherwise the pass will get confused
very quickly. The design of the analysis assumes at least a few
simplifications were done before.
- Sometimes LLVM transforms loops into intrinsics, like memcpy or memset.
Right now these are not checked (but should, though)
- Guards are mostly not hoisted out of loops by LLVM; this needs improvement
otherwise perf may suffer quite a bit.
- The analysis code is in lib/Analysis/MemoryBuiltins.cpp
Hope this helps. Please let us know if you have more questions.
From: Pierre Gagelin via llvm-dev
Sent: Friday, May 20, 2016 11:16 AM
To: llvm-dev at lists.llvm.org
Subject: [llvm-dev] BoundsChecking Pass
I am a final year French student doing an internship at the University of
Portsmouth. As I was taking hands on AddressSanitizer I took a look at
BoundsChecking (both are in the lib/Transforms/Instrumentation folder).
I found nothing on it except for the LLVM Documentation and references to
BaggyBoundsCheck (which is not the same project. As far as I understood it
is part of the SAFECode project). Does anyone knows about it
(BoundsChecking)? I have some inquiries I will try to explain just below...
I modified a bit the registration process of the Pass (the BoundsChecking
one) to get the .so generated file once llvm rebuild. I then ran the LLVM
opt with loading the .so for a C program that did both a stack and heap
- clang -emit-llvm overflow.c -c -o overflow.bc
- opt -load path-to-so/LLVMBoundsChecking.so -options < overflow.bc >
I then ran llc and gcc to get an executable:
- llc -filetype=obj overflow_instrumented.bc (generates a .o file with
- gcc overflow_instrumented.o -o overflow_instrumented
Once launched, the executable detects the stack access and crash the program
(you can see the checks on the assembly code which are followed by a
conditional jump on a UD2 instruction that basically crash a program) but
nothing is instrumented for the heap access. On the BoundsChecking file it
is said that run-time checks are maid but I don't see them. So my questions
- are there any heap checking made?
- if yes, where are they?
I am interested in this because I think I am going to try to do the same
work made on the stack to the heap.
Thank you for your help, any information or advice is welcome :)
More information about the llvm-dev