[llvm] [msan] Add test cases for vector shadow track origins bug (PR #97611)

Thurston Dang via llvm-commits llvm-commits at lists.llvm.org
Wed Jul 3 10:33:51 PDT 2024


https://github.com/thurstond created https://github.com/llvm/llvm-project/pull/97611

These test cases demonstrate a bug in MSan (vector shadow is not always converted to scalar before zext) that will shortly be fixed in https://github.com/llvm/llvm-project/pull/96722

The bug is not architecture-specific; we provide both x86 and Arm NEON test cases.

Since the test cases will crash the compiler (unless it is a release build), they are marked as UNSUPPORTED.

The buggy codepath is nested inside 'if (instrumentWithCalls(ConvertedShadow))'. To keep the test cases small, we set -msan-instrumentation-with-call-threshold=0, though we have observed this bug in the real world with default settings.

>From 48899f9b8a85629960e713c7a0716f54f557b17f Mon Sep 17 00:00:00 2001
From: Thurston Dang <thurston at google.com>
Date: Wed, 3 Jul 2024 17:28:12 +0000
Subject: [PATCH] [msan] Add test cases for vector shadow track origins bug

These test cases demonstrate a bug in MSan (vector shadow is not always
converted to scalar before zext) that will shortly be fixed in https://github.com/llvm/llvm-project/pull/96722

The bug is not architecture-specific; we provide both x86 and Arm NEON test
cases.

Since the test cases will crash the compiler (unless it is a release
build), they are marked as UNSUPPORTED.

The buggy codepath is nested inside 'if (instrumentWithCalls(ConvertedShadow)'. To keep the test cases small, we set -msan-instrumentation-with-call-threshold=0, though we have observed this bug in the real world with default settings.
---
 .../vector-track-origins-neon.ll              | 95 +++++++++++++++++++
 .../vector-track-origins-struct.ll            | 46 +++++++++
 2 files changed, 141 insertions(+)
 create mode 100644 llvm/test/Instrumentation/MemorySanitizer/vector-track-origins-neon.ll
 create mode 100644 llvm/test/Instrumentation/MemorySanitizer/vector-track-origins-struct.ll

diff --git a/llvm/test/Instrumentation/MemorySanitizer/vector-track-origins-neon.ll b/llvm/test/Instrumentation/MemorySanitizer/vector-track-origins-neon.ll
new file mode 100644
index 0000000000000..0fe842e28ff92
--- /dev/null
+++ b/llvm/test/Instrumentation/MemorySanitizer/vector-track-origins-neon.ll
@@ -0,0 +1,95 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py UTC_ARGS: --tool build-release/bin/opt --version 5
+; RUN: opt < %s -S -passes="msan<eager-checks;track-origins=2>" -msan-instrumentation-with-call-threshold=0 -disable-verify | FileCheck %s
+;
+; UNSUPPORTED: target={{.*}}
+;
+; This test illustrates a bug in MemorySanitizer that will shortly be fixed
+; (https://github.com/llvm/llvm-project/pull/96722).
+;
+; '-msan-instrumentation-with-call-threshold=0' makes it possible to detect the
+; bug with a short test case.
+;
+; '-disable-verify' with a release build is needed to avoid a compiler crash
+; (e.g., to autogenerate the assertions).
+;
+
+target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128-Fn32"
+target triple = "aarch64-grtev4-linux-gnu"
+
+; Function Attrs: mustprogress noreturn nounwind sanitize_memory
+define dso_local void @_Z1cv() local_unnamed_addr #0 {
+; CHECK-LABEL: define dso_local void @_Z1cv(
+; CHECK-SAME: ) local_unnamed_addr #[[ATTR0:[0-9]+]] {
+; CHECK-NEXT:  [[ENTRY:.*]]:
+; CHECK-NEXT:    call void @llvm.donothing()
+; CHECK-NEXT:    [[DOTPRE:%.*]] = load <4 x i16>, ptr @_Z1cv, align 8, !tbaa [[TBAA0:![0-9]+]]
+; CHECK-NEXT:    [[_MSLD:%.*]] = load <4 x i16>, ptr inttoptr (i64 xor (i64 ptrtoint (ptr @_Z1cv to i64), i64 193514046488576) to ptr), align 8
+; CHECK-NEXT:    [[TMP0:%.*]] = load i32, ptr inttoptr (i64 add (i64 xor (i64 ptrtoint (ptr @_Z1cv to i64), i64 193514046488576), i64 35184372088832) to ptr), align 8
+; CHECK-NEXT:    br label %[[FOR_COND:.*]]
+; CHECK:       [[FOR_COND]]:
+; CHECK-NEXT:    [[_MSPHI_S:%.*]] = phi <4 x i16> [ [[_MSLD]], %[[ENTRY]] ], [ [[_MSLD3:%.*]], %[[FOR_COND]] ]
+; CHECK-NEXT:    [[_MSPHI_O:%.*]] = phi i32 [ [[TMP0]], %[[ENTRY]] ], [ [[TMP15:%.*]], %[[FOR_COND]] ]
+; CHECK-NEXT:    [[TMP1:%.*]] = phi <4 x i16> [ [[DOTPRE]], %[[ENTRY]] ], [ [[TMP5:%.*]], %[[FOR_COND]] ]
+; CHECK-NEXT:    [[_MSPHI_S1:%.*]] = phi <4 x i16> [ <i16 -1, i16 -1, i16 -1, i16 -1>, %[[ENTRY]] ], [ [[_MSLD3]], %[[FOR_COND]] ]
+; CHECK-NEXT:    [[_MSPHI_O2:%.*]] = phi i32 [ 0, %[[ENTRY]] ], [ [[TMP15]], %[[FOR_COND]] ]
+; CHECK-NEXT:    [[E_0:%.*]] = phi <4 x i16> [ undef, %[[ENTRY]] ], [ [[TMP5]], %[[FOR_COND]] ]
+; CHECK-NEXT:    [[_MSPROP:%.*]] = shufflevector <4 x i16> [[_MSPHI_S1]], <4 x i16> <i16 -1, i16 -1, i16 -1, i16 -1>, <4 x i32> <i32 1, i32 1, i32 1, i32 1>
+; CHECK-NEXT:    [[LANE:%.*]] = shufflevector <4 x i16> [[E_0]], <4 x i16> poison, <4 x i32> <i32 1, i32 1, i32 1, i32 1>
+;
+; Editor's note: the following zext instructions are invalid
+; ('zext source and destination must both be a vector or neither')
+;
+; CHECK-NEXT:    [[TMP2:%.*]] = zext <4 x i16> [[_MSPHI_S]] to i64
+; CHECK-NEXT:    call void @__msan_maybe_warning_8(i64 zeroext [[TMP2]], i32 zeroext [[_MSPHI_O]])
+; CHECK-NEXT:    [[TMP3:%.*]] = zext <4 x i16> [[_MSPROP]] to i64
+;
+; CHECK-NEXT:    call void @__msan_maybe_warning_8(i64 zeroext [[TMP3]], i32 zeroext [[_MSPHI_O2]])
+; CHECK-NEXT:    [[CALL:%.*]] = tail call noundef i32 @_Z1b11__Int16x4_tS_(<4 x i16> noundef [[TMP1]], <4 x i16> noundef [[LANE]])
+; CHECK-NEXT:    [[CONV:%.*]] = sext i32 [[CALL]] to i64
+; CHECK-NEXT:    [[TMP8:%.*]] = inttoptr i64 [[CONV]] to ptr
+; CHECK-NEXT:    [[TMP5]] = load <4 x i16>, ptr [[TMP8]], align 8, !tbaa [[TBAA0]]
+; CHECK-NEXT:    [[TMP10:%.*]] = ptrtoint ptr [[TMP8]] to i64
+; CHECK-NEXT:    [[TMP11:%.*]] = xor i64 [[TMP10]], 193514046488576
+; CHECK-NEXT:    [[TMP12:%.*]] = inttoptr i64 [[TMP11]] to ptr
+; CHECK-NEXT:    [[TMP13:%.*]] = add i64 [[TMP11]], 35184372088832
+; CHECK-NEXT:    [[TMP14:%.*]] = inttoptr i64 [[TMP13]] to ptr
+; CHECK-NEXT:    [[_MSLD3]] = load <4 x i16>, ptr [[TMP12]], align 8
+; CHECK-NEXT:    [[TMP15]] = load i32, ptr [[TMP14]], align 8
+; CHECK-NEXT:    store <4 x i16> [[_MSLD3]], ptr inttoptr (i64 xor (i64 ptrtoint (ptr @_Z1cv to i64), i64 193514046488576) to ptr), align 8
+; CHECK-NEXT:    [[TMP16:%.*]] = bitcast <4 x i16> [[_MSLD3]] to i64
+; CHECK-NEXT:    call void @__msan_maybe_store_origin_8(i64 zeroext [[TMP16]], ptr @_Z1cv, i32 zeroext [[TMP15]])
+; CHECK-NEXT:    store <4 x i16> [[TMP5]], ptr @_Z1cv, align 8, !tbaa [[TBAA0]]
+; CHECK-NEXT:    br label %[[FOR_COND]], !llvm.loop [[LOOP3:![0-9]+]]
+;
+entry:
+  %.pre = load <4 x i16>, ptr @_Z1cv, align 8, !tbaa !2
+  br label %for.cond
+
+for.cond:                                         ; preds = %for.cond, %entry
+  %0 = phi <4 x i16> [ %.pre, %entry ], [ %2, %for.cond ]
+  %e.0 = phi <4 x i16> [ undef, %entry ], [ %2, %for.cond ]
+  %lane = shufflevector <4 x i16> %e.0, <4 x i16> poison, <4 x i32> <i32 1, i32 1, i32 1, i32 1>
+  %call = tail call noundef i32 @_Z1b11__Int16x4_tS_(<4 x i16> noundef %0, <4 x i16> noundef %lane) #2
+  %conv = sext i32 %call to i64
+  %1 = inttoptr i64 %conv to ptr
+  %2 = load <4 x i16>, ptr %1, align 8, !tbaa !2
+  store <4 x i16> %2, ptr @_Z1cv, align 8, !tbaa !2
+  br label %for.cond, !llvm.loop !5
+}
+
+declare noundef i32 @_Z1b11__Int16x4_tS_(<4 x i16> noundef, <4 x i16> noundef) local_unnamed_addr #1
+
+attributes #0 = { mustprogress noreturn nounwind sanitize_memory "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-features"="+neon" }
+
+!2 = !{!3, !3, i64 0}
+!3 = !{!"omnipotent char", !4, i64 0}
+!4 = !{!"Simple C++ TBAA"}
+!5 = distinct !{!5, !6}
+!6 = !{!"llvm.loop.mustprogress"}
+;.
+; CHECK: [[TBAA0]] = !{[[META1:![0-9]+]], [[META1]], i64 0}
+; CHECK: [[META1]] = !{!"omnipotent char", [[META2:![0-9]+]], i64 0}
+; CHECK: [[META2]] = !{!"Simple C++ TBAA"}
+; CHECK: [[LOOP3]] = distinct !{[[LOOP3]], [[META4:![0-9]+]]}
+; CHECK: [[META4]] = !{!"llvm.loop.mustprogress"}
+;.
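Review bot: The autogeneration header on the first line of the file records `--tool build-release/bin/opt` in UTC_ARGS, a path into a local build directory, so anyone re-running update_test_checks.py on this file will have the script look for that binary instead of the opt on their path; dropping the argument so the line reads `; NOTE: Assertions have been autogenerated by utils/update_test_checks.py UTC_ARGS: --version 5` avoids that. The hand-written "Editor's note" comments placed between the CHECK-NEXT lines sit inside the autogenerated block and are likely to be dropped or displaced the next time the checks are regenerated, which will be needed as soon as the fix in PR 96722 lands since the expected output here is the invalid zext. Moving that explanation into the header comment above `target datalayout`, e.g. `; The zext of a vector shadow to i64 in the CHECK lines below is invalid IR; it is the bug this test documents.`, keeps it out of the regenerated region. Both points also apply to vector-track-origins-struct.ll in the next hunk. Since `UNSUPPORTED: target={{.*}}` disables the RUN line on every target, a header line such as `; TODO: remove UNSUPPORTED and -disable-verify and regenerate once PR 96722 lands` would make the intended lifecycle of the test explicit.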
diff --git a/llvm/test/Instrumentation/MemorySanitizer/vector-track-origins-struct.ll b/llvm/test/Instrumentation/MemorySanitizer/vector-track-origins-struct.ll
new file mode 100644
index 0000000000000..5eae441f05eae
--- /dev/null
+++ b/llvm/test/Instrumentation/MemorySanitizer/vector-track-origins-struct.ll
@@ -0,0 +1,46 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py UTC_ARGS: --tool build-release/bin/opt --version 5
+; RUN: opt < %s -S -passes="msan<eager-checks;track-origins=2>" -msan-instrumentation-with-call-threshold=0 -disable-verify | FileCheck %s
+;
+; UNSUPPORTED: target={{.*}}
+;
+; This test illustrates a bug in MemorySanitizer that will shortly be fixed
+; (https://github.com/llvm/llvm-project/pull/96722).
+;
+; '-msan-instrumentation-with-call-threshold=0' makes it possible to detect the
+; bug with a short test case.
+;
+; '-disable-verify' with a release build is needed to avoid a compiler crash
+; (e.g., to autogenerate the assertions).
+;
+; This is based on check-struct.ll.
+
+target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
+target triple = "x86_64-unknown-linux-gnu"
+
+define { i32, i8 } @main() sanitize_memory {
+; CHECK-LABEL: define { i32, i8 } @main(
+; CHECK-SAME: ) #[[ATTR0:[0-9]+]] {
+; CHECK-NEXT:    call void @llvm.donothing()
+; CHECK-NEXT:    [[P:%.*]] = inttoptr i64 0 to ptr
+; CHECK-NEXT:    [[O:%.*]] = load { i32, i8 }, ptr [[P]], align 4
+; CHECK-NEXT:    [[TMP1:%.*]] = ptrtoint ptr [[P]] to i64
+; CHECK-NEXT:    [[TMP2:%.*]] = xor i64 [[TMP1]], 87960930222080
+; CHECK-NEXT:    [[TMP3:%.*]] = inttoptr i64 [[TMP2]] to ptr
+; CHECK-NEXT:    [[TMP4:%.*]] = add i64 [[TMP2]], 17592186044416
+; CHECK-NEXT:    [[TMP5:%.*]] = inttoptr i64 [[TMP4]] to ptr
+; CHECK-NEXT:    [[_MSLD:%.*]] = load { i32, i8 }, ptr [[TMP3]], align 4
+; CHECK-NEXT:    [[TMP6:%.*]] = load i32, ptr [[TMP5]], align 4
+; CHECK-NEXT:    store { i32, i8 } zeroinitializer, ptr @__msan_retval_tls, align 8
+;
+; Editor's note: the following zext instruction is invalid
+; ('ZExt only operates on integer')
+;
+; CHECK-NEXT:    [[TMP7:%.*]] = zext { i32, i8 } [[_MSLD]] to i64
+;
+; CHECK-NEXT:    call void @__msan_maybe_warning_8(i64 zeroext [[TMP7]], i32 zeroext [[TMP6]])
+; CHECK-NEXT:    ret { i32, i8 } [[O]]
+;
+  %p = inttoptr i64 0 to ptr
+  %o = load { i32, i8 }, ptr %p
+  ret { i32, i8 } %o
+}


