[llvm] r311801 - [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
Matt Morehouse via llvm-commits
llvm-commits at lists.llvm.org
Fri Aug 25 14:18:30 PDT 2017
Author: morehouse
Date: Fri Aug 25 14:18:29 2017
New Revision: 311801
URL: http://llvm.org/viewvc/llvm-project?rev=311801&view=rev
Log:
[SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer
Summary:
- Don't sanitize __sancov_lowest_stack.
- Don't instrument leaf functions.
- Add CoverageStackDepth to Fuzzer and FuzzerNoLink.
Reviewers: vitalybuka, kcc
Reviewed By: kcc
Subscribers: cfe-commits, llvm-commits, hiraditya
Differential Revision: https://reviews.llvm.org/D37156
Modified:
llvm/trunk/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
llvm/trunk/test/Instrumentation/SanitizerCoverage/stack-depth.ll
Modified: llvm/trunk/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Transforms/Instrumentation/SanitizerCoverage.cpp?rev=311801&r1=311800&r2=311801&view=diff
==============================================================================
--- llvm/trunk/lib/Transforms/Instrumentation/SanitizerCoverage.cpp (original)
+++ llvm/trunk/lib/Transforms/Instrumentation/SanitizerCoverage.cpp Fri Aug 25 14:18:29 2017
@@ -25,6 +25,7 @@
#include "llvm/IR/GlobalVariable.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h"
+#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/Intrinsics.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/MDBuilder.h"
@@ -200,13 +201,15 @@ private:
ArrayRef<GetElementPtrInst *> GepTraceTargets);
void InjectTraceForSwitch(Function &F,
ArrayRef<Instruction *> SwitchTraceTargets);
- bool InjectCoverage(Function &F, ArrayRef<BasicBlock *> AllBlocks);
+ bool InjectCoverage(Function &F, ArrayRef<BasicBlock *> AllBlocks,
+ bool IsLeafFunc = true);
GlobalVariable *CreateFunctionLocalArrayInSection(size_t NumElements,
Function &F, Type *Ty,
const char *Section);
void CreateFunctionLocalArrays(Function &F, ArrayRef<BasicBlock *> AllBlocks);
void CreatePCArray(Function &F, ArrayRef<BasicBlock *> AllBlocks);
- void InjectCoverageAtBlock(Function &F, BasicBlock &BB, size_t Idx);
+ void InjectCoverageAtBlock(Function &F, BasicBlock &BB, size_t Idx,
+ bool IsLeafFunc = true);
Function *CreateInitCallsForSections(Module &M, const char *InitFunctionName,
Type *Ty, const char *Section);
std::pair<GlobalVariable *, GlobalVariable *>
@@ -491,6 +494,7 @@ bool SanitizerCoverageModule::runOnFunct
&getAnalysis<DominatorTreeWrapperPass>(F).getDomTree();
const PostDominatorTree *PDT =
&getAnalysis<PostDominatorTreeWrapperPass>(F).getPostDomTree();
+ bool IsLeafFunc = true;
for (auto &BB : F) {
if (shouldInstrumentBlock(F, &BB, DT, PDT, Options))
@@ -515,10 +519,14 @@ bool SanitizerCoverageModule::runOnFunct
if (Options.TraceGep)
if (GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(&Inst))
GepTraceTargets.push_back(GEP);
- }
+ if (Options.StackDepth)
+ if (isa<InvokeInst>(Inst) ||
+ (isa<CallInst>(Inst) && !isa<IntrinsicInst>(Inst)))
+ IsLeafFunc = false;
+ }
}
- InjectCoverage(F, BlocksToInstrument);
+ InjectCoverage(F, BlocksToInstrument, IsLeafFunc);
InjectCoverageForIndirectCalls(F, IndirCalls);
InjectTraceForCmp(F, CmpTraceTargets);
InjectTraceForSwitch(F, SwitchTraceTargets);
@@ -583,11 +591,12 @@ void SanitizerCoverageModule::CreateFunc
}
bool SanitizerCoverageModule::InjectCoverage(Function &F,
- ArrayRef<BasicBlock *> AllBlocks) {
+ ArrayRef<BasicBlock *> AllBlocks,
+ bool IsLeafFunc) {
if (AllBlocks.empty()) return false;
CreateFunctionLocalArrays(F, AllBlocks);
for (size_t i = 0, N = AllBlocks.size(); i < N; i++)
- InjectCoverageAtBlock(F, *AllBlocks[i], i);
+ InjectCoverageAtBlock(F, *AllBlocks[i], i, IsLeafFunc);
return true;
}
@@ -721,7 +730,8 @@ void SanitizerCoverageModule::InjectTrac
}
void SanitizerCoverageModule::InjectCoverageAtBlock(Function &F, BasicBlock &BB,
- size_t Idx) {
+ size_t Idx,
+ bool IsLeafFunc) {
BasicBlock::iterator IP = BB.getFirstInsertionPt();
bool IsEntryBB = &BB == &F.getEntryBlock();
DebugLoc EntryLoc;
@@ -760,7 +770,7 @@ void SanitizerCoverageModule::InjectCove
SetNoSanitizeMetadata(Load);
SetNoSanitizeMetadata(Store);
}
- if (Options.StackDepth && IsEntryBB) {
+ if (Options.StackDepth && IsEntryBB && !IsLeafFunc) {
// Check stack depth. If it's the deepest so far, record it.
Function *GetFrameAddr =
Intrinsic::getDeclaration(F.getParent(), Intrinsic::frameaddress);
@@ -771,7 +781,9 @@ void SanitizerCoverageModule::InjectCove
auto IsStackLower = IRB.CreateICmpULT(FrameAddrInt, LowestStack);
auto ThenTerm = SplitBlockAndInsertIfThen(IsStackLower, &*IP, false);
IRBuilder<> ThenIRB(ThenTerm);
- ThenIRB.CreateStore(FrameAddrInt, SanCovLowestStack);
+ auto Store = ThenIRB.CreateStore(FrameAddrInt, SanCovLowestStack);
+ SetNoSanitizeMetadata(LowestStack);
+ SetNoSanitizeMetadata(Store);
}
}
Modified: llvm/trunk/test/Instrumentation/SanitizerCoverage/stack-depth.ll
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Instrumentation/SanitizerCoverage/stack-depth.ll?rev=311801&r1=311800&r2=311801&view=diff
==============================================================================
--- llvm/trunk/test/Instrumentation/SanitizerCoverage/stack-depth.ll (original)
+++ llvm/trunk/test/Instrumentation/SanitizerCoverage/stack-depth.ll Fri Aug 25 14:18:29 2017
@@ -1,9 +1,9 @@
; This check verifies that stack depth instrumentation works correctly.
; RUN: opt < %s -sancov -sanitizer-coverage-level=1 \
-; RUN: -sanitizer-coverage-stack-depth -S | FileCheck %s --enable-var-scope
+; RUN: -sanitizer-coverage-stack-depth -S | FileCheck %s
; RUN: opt < %s -sancov -sanitizer-coverage-level=3 \
; RUN: -sanitizer-coverage-stack-depth -sanitizer-coverage-trace-pc-guard \
-; RUN: -S | FileCheck %s --enable-var-scope
+; RUN: -S | FileCheck %s
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
@@ -14,13 +14,8 @@ target triple = "x86_64-unknown-linux-gn
define i32 @foo() {
entry:
; CHECK-LABEL: define i32 @foo
-; CHECK: [[framePtr:%[^ \t]+]] = call i8* @llvm.frameaddress(i32 0)
-; CHECK: [[frameInt:%[^ \t]+]] = ptrtoint i8* [[framePtr]] to [[$intType:i[0-9]+]]
-; CHECK: [[lowest:%[^ \t]+]] = load [[$intType]], [[$intType]]* @__sancov_lowest_stack
-; CHECK: [[cmp:%[^ \t]+]] = icmp ult [[$intType]] [[frameInt]], [[lowest]]
-; CHECK: br i1 [[cmp]], label %[[ifLabel:[^ \t]+]], label
-; CHECK: <label>:[[ifLabel]]:
-; CHECK: store [[$intType]] [[frameInt]], [[$intType]]* @__sancov_lowest_stack
+; CHECK-NOT: call i8* @llvm.frameaddress(i32 0)
+; CHECK-NOT: @__sancov_lowest_stack
; CHECK: ret i32 7
ret i32 7
@@ -30,12 +25,12 @@ define i32 @bar() {
entry:
; CHECK-LABEL: define i32 @bar
; CHECK: [[framePtr:%[^ \t]+]] = call i8* @llvm.frameaddress(i32 0)
-; CHECK: [[frameInt:%[^ \t]+]] = ptrtoint i8* [[framePtr]] to [[$intType]]
-; CHECK: [[lowest:%[^ \t]+]] = load [[$intType]], [[$intType]]* @__sancov_lowest_stack
-; CHECK: [[cmp:%[^ \t]+]] = icmp ult [[$intType]] [[frameInt]], [[lowest]]
+; CHECK: [[frameInt:%[^ \t]+]] = ptrtoint i8* [[framePtr]] to [[intType:i[0-9]+]]
+; CHECK: [[lowest:%[^ \t]+]] = load [[intType]], [[intType]]* @__sancov_lowest_stack
+; CHECK: [[cmp:%[^ \t]+]] = icmp ult [[intType]] [[frameInt]], [[lowest]]
; CHECK: br i1 [[cmp]], label %[[ifLabel:[^ \t]+]], label
; CHECK: <label>:[[ifLabel]]:
-; CHECK: store [[$intType]] [[frameInt]], [[$intType]]* @__sancov_lowest_stack
+; CHECK: store [[intType]] [[frameInt]], [[intType]]* @__sancov_lowest_stack
; CHECK: %call = call i32 @foo()
; CHECK: ret i32 %call
More information about the llvm-commits
mailing list