[llvm] r318901 - [MSan] Move the access address check before the shadow access for that address
Alexander Potapenko via llvm-commits
llvm-commits at lists.llvm.org
Thu Nov 23 00:34:32 PST 2017
Author: glider
Date: Thu Nov 23 00:34:32 2017
New Revision: 318901
URL: http://llvm.org/viewvc/llvm-project?rev=318901&view=rev
Log:
[MSan] Move the access address check before the shadow access for that address
MSan used to insert the shadow check of the store pointer operand
_after_ the shadow of the value operand has been written.
This happens to work in the userspace, as the whole shadow range is
always mapped. However in the kernel the shadow page may not exist, so
the bug may cause a crash.
This patch moves the address check in front of the shadow access.
Modified:
llvm/trunk/lib/Transforms/Instrumentation/MemorySanitizer.cpp
llvm/trunk/test/Instrumentation/MemorySanitizer/check_access_address.ll
Modified: llvm/trunk/lib/Transforms/Instrumentation/MemorySanitizer.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Transforms/Instrumentation/MemorySanitizer.cpp?rev=318901&r1=318900&r2=318901&view=diff
==============================================================================
--- llvm/trunk/lib/Transforms/Instrumentation/MemorySanitizer.cpp (original)
+++ llvm/trunk/lib/Transforms/Instrumentation/MemorySanitizer.cpp Thu Nov 23 00:34:32 2017
@@ -830,10 +830,9 @@ struct MemorySanitizerVisitor : public I
StoreInst *NewSI =
IRB.CreateAlignedStore(Shadow, ShadowPtr, SI->getAlignment());
DEBUG(dbgs() << " STORE: " << *NewSI << "\n");
- (void)NewSI;
if (ClCheckAccessAddress)
- insertShadowCheck(Addr, SI);
+ insertShadowCheck(Addr, NewSI);
if (SI->isAtomic())
SI->setOrdering(addReleaseOrdering(SI->getOrdering()));
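Review bot: The ordering requirement at the `insertShadowCheck(Addr, NewSI)` call is only implicit in the choice of insertion point, so a later cleanup could switch the argument back to `SI` without anyone noticing. A one-line comment above the call would help. It should say that the address check has to be emitted before the shadow store because the shadow page may not be mapped in the kernel. The hunk also touches only this store path. It is worth confirming whether any other caller that passes the original instruction to `insertShadowCheck` after emitting a shadow access has the same ordering problem.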
Modified: llvm/trunk/test/Instrumentation/MemorySanitizer/check_access_address.ll
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Instrumentation/MemorySanitizer/check_access_address.ll?rev=318901&r1=318900&r2=318901&view=diff
==============================================================================
--- llvm/trunk/test/Instrumentation/MemorySanitizer/check_access_address.ll (original)
+++ llvm/trunk/test/Instrumentation/MemorySanitizer/check_access_address.ll Thu Nov 23 00:34:32 2017
@@ -26,3 +26,25 @@ entry:
; CHECK-LABEL: @ByValArgumentShadowSmallAlignment
; CHECK: call void @llvm.memcpy.p0i8.p0i8.i64(i8* {{.*}}, i8* {{.*}}, i64 2, i32 2, i1 false)
; CHECK: ret i16
+
+
+; Check instrumentation of stores. The check must precede the shadow store.
+
+define void @Store(i32* nocapture %p, i32 %x) nounwind uwtable sanitize_memory {
+entry:
+ store i32 %x, i32* %p, align 4
+ ret void
+}
+
+; CHECK-LABEL: @Store
+; CHECK: load {{.*}} @__msan_param_tls
+; CHECK: icmp
+; CHECK: br i1
+; CHECK: <label>
+; CHECK: call void @__msan_warning_noreturn
+; CHECK: <label>
+; CHECK: store
+; CHECK: store i32 %x
+; CHECK: ret void
+
+
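Review bot: The `@Store` checks enforce "check must precede the shadow store" only indirectly, by counting on `; CHECK: store` and `; CHECK: store i32 %x` to match two different stores after `__msan_warning_noreturn`. Adding `; CHECK-NOT: store` between `; CHECK-LABEL: @Store` and `; CHECK: icmp` would state the intent directly and would still fail on the old ordering if further stores are ever added to the instrumented sequence. The bare `; CHECK: store` could also be tightened so that it can only match the shadow store. Finally, the new function depends on the file's existing RUN line enabling the access address check. That line is outside this hunk, so please confirm it covers the new test.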