[asan] experimental tracing for indirect calls, llvm part.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@220699 91177308-0d34-0410-b5e6-96231b3b80d8
This commit is contained in:
Kostya Serebryany 2014-10-27 18:13:56 +00:00
parent 0059dd4dd1
commit 866ee52df3
2 changed files with 62 additions and 6 deletions

View File

@ -83,6 +83,7 @@ static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init";
static const char *const kAsanInitName = "__asan_init_v4"; static const char *const kAsanInitName = "__asan_init_v4";
static const char *const kAsanCovModuleInitName = "__sanitizer_cov_module_init"; static const char *const kAsanCovModuleInitName = "__sanitizer_cov_module_init";
static const char *const kAsanCovName = "__sanitizer_cov"; static const char *const kAsanCovName = "__sanitizer_cov";
static const char *const kAsanCovIndirCallName = "__sanitizer_cov_indir_call16";
static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp"; static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp";
static const char *const kAsanPtrSub = "__sanitizer_ptr_sub"; static const char *const kAsanPtrSub = "__sanitizer_ptr_sub";
static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return"; static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return";
@ -136,7 +137,8 @@ static cl::opt<bool> ClGlobals("asan-globals",
cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); cl::desc("Handle global objects"), cl::Hidden, cl::init(true));
static cl::opt<int> ClCoverage("asan-coverage", static cl::opt<int> ClCoverage("asan-coverage",
cl::desc("ASan coverage. 0: none, 1: entry block, 2: all blocks, " cl::desc("ASan coverage. 0: none, 1: entry block, 2: all blocks, "
"3: all blocks and critical edges"), "3: all blocks and critical edges, "
"4: above plus indirect calls"),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
static cl::opt<int> ClCoverageBlockThreshold("asan-coverage-block-threshold", static cl::opt<int> ClCoverageBlockThreshold("asan-coverage-block-threshold",
cl::desc("Add coverage instrumentation only to the entry block if there " cl::desc("Add coverage instrumentation only to the entry block if there "
@ -387,7 +389,10 @@ struct AddressSanitizer : public FunctionPass {
bool LooksLikeCodeInBug11395(Instruction *I); bool LooksLikeCodeInBug11395(Instruction *I);
bool GlobalIsLinkerInitialized(GlobalVariable *G); bool GlobalIsLinkerInitialized(GlobalVariable *G);
bool InjectCoverage(Function &F, ArrayRef<BasicBlock*> AllBlocks); void InjectCoverageForIndirectCalls(Function &F,
ArrayRef<Instruction *> IndirCalls);
bool InjectCoverage(Function &F, ArrayRef<BasicBlock *> AllBlocks,
ArrayRef<Instruction *> IndirCalls);
void InjectCoverageAtBlock(Function &F, BasicBlock &BB); void InjectCoverageAtBlock(Function &F, BasicBlock &BB);
LLVMContext *C; LLVMContext *C;
@ -399,6 +404,7 @@ struct AddressSanitizer : public FunctionPass {
Function *AsanInitFunction; Function *AsanInitFunction;
Function *AsanHandleNoReturnFunc; Function *AsanHandleNoReturnFunc;
Function *AsanCovFunction; Function *AsanCovFunction;
Function *AsanCovIndirCallFunction;
Function *AsanPtrCmpFunction, *AsanPtrSubFunction; Function *AsanPtrCmpFunction, *AsanPtrSubFunction;
// This array is indexed by AccessIsWrite and log2(AccessSize). // This array is indexed by AccessIsWrite and log2(AccessSize).
Function *AsanErrorCallback[2][kNumberOfAccessSizes]; Function *AsanErrorCallback[2][kNumberOfAccessSizes];
@ -1255,6 +1261,9 @@ void AddressSanitizer::initializeCallbacks(Module &M) {
M.getOrInsertFunction(kAsanHandleNoReturnName, IRB.getVoidTy(), NULL)); M.getOrInsertFunction(kAsanHandleNoReturnName, IRB.getVoidTy(), NULL));
AsanCovFunction = checkInterfaceFunction(M.getOrInsertFunction( AsanCovFunction = checkInterfaceFunction(M.getOrInsertFunction(
kAsanCovName, IRB.getVoidTy(), NULL)); kAsanCovName, IRB.getVoidTy(), NULL));
AsanCovIndirCallFunction = checkInterfaceFunction(M.getOrInsertFunction(
kAsanCovIndirCallName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL));
AsanPtrCmpFunction = checkInterfaceFunction(M.getOrInsertFunction( AsanPtrCmpFunction = checkInterfaceFunction(M.getOrInsertFunction(
kAsanPtrCmp, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); kAsanPtrCmp, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL));
AsanPtrSubFunction = checkInterfaceFunction(M.getOrInsertFunction( AsanPtrSubFunction = checkInterfaceFunction(M.getOrInsertFunction(
@ -1368,7 +1377,8 @@ void AddressSanitizer::InjectCoverageAtBlock(Function &F, BasicBlock &BB) {
// a) get the functionality to users earlier and // a) get the functionality to users earlier and
// b) collect usage statistics to help improve Clang coverage design. // b) collect usage statistics to help improve Clang coverage design.
bool AddressSanitizer::InjectCoverage(Function &F, bool AddressSanitizer::InjectCoverage(Function &F,
ArrayRef<BasicBlock *> AllBlocks) { ArrayRef<BasicBlock *> AllBlocks,
ArrayRef<Instruction*> IndirCalls) {
if (!ClCoverage) return false; if (!ClCoverage) return false;
if (ClCoverage == 1 || if (ClCoverage == 1 ||
@ -1378,9 +1388,36 @@ bool AddressSanitizer::InjectCoverage(Function &F,
for (auto BB : AllBlocks) for (auto BB : AllBlocks)
InjectCoverageAtBlock(F, *BB); InjectCoverageAtBlock(F, *BB);
} }
InjectCoverageForIndirectCalls(F, IndirCalls);
return true; return true;
} }
// On every indirect call we call a run-time function
// __sanitizer_cov_indir_call* with two parameters:
// - callee address,
// - global cache array that contains kCacheSize pointers (zero-initialed).
// The cache is used to speed up recording the caller-callee pairs.
// The address of the caller is passed implicitly via caller PC.
// kCacheSize is encoded in the name of the run-time function.
void AddressSanitizer::InjectCoverageForIndirectCalls(
Function &F, ArrayRef<Instruction *> IndirCalls) {
if (ClCoverage < 4 || IndirCalls.empty()) return;
const int kCacheSize = 16;
const int kCacheAlignment = 64; // Align for better performance.
Type *Ty = ArrayType::get(IntptrTy, kCacheSize);
GlobalVariable *CalleeCache =
new GlobalVariable(*F.getParent(), Ty, false, GlobalValue::PrivateLinkage,
Constant::getNullValue(Ty), "__asan_gen_callee_cache");
CalleeCache->setAlignment(kCacheAlignment);
for (auto I : IndirCalls) {
IRBuilder<> IRB(I);
CallSite CS(I);
IRB.CreateCall2(AsanCovIndirCallFunction,
IRB.CreatePointerCast(CS.getCalledValue(), IntptrTy),
IRB.CreatePointerCast(CalleeCache, IntptrTy));
}
}
bool AddressSanitizer::runOnFunction(Function &F) { bool AddressSanitizer::runOnFunction(Function &F) {
if (&F == AsanCtorFunction) return false; if (&F == AsanCtorFunction) return false;
if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false; if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false;
@ -1403,6 +1440,7 @@ bool AddressSanitizer::runOnFunction(Function &F) {
SmallVector<Instruction*, 8> NoReturnCalls; SmallVector<Instruction*, 8> NoReturnCalls;
SmallVector<BasicBlock*, 16> AllBlocks; SmallVector<BasicBlock*, 16> AllBlocks;
SmallVector<Instruction*, 16> PointerComparisonsOrSubtracts; SmallVector<Instruction*, 16> PointerComparisonsOrSubtracts;
SmallVector<Instruction*, 8> IndirCalls;
int NumAllocas = 0; int NumAllocas = 0;
bool IsWrite; bool IsWrite;
unsigned Alignment; unsigned Alignment;
@ -1435,6 +1473,8 @@ bool AddressSanitizer::runOnFunction(Function &F) {
TempsToInstrument.clear(); TempsToInstrument.clear();
if (CS.doesNotReturn()) if (CS.doesNotReturn())
NoReturnCalls.push_back(CS.getInstruction()); NoReturnCalls.push_back(CS.getInstruction());
if (ClCoverage >= 4 && !CS.getCalledFunction())
IndirCalls.push_back(&Inst);
} }
continue; continue;
} }
@ -1491,7 +1531,7 @@ bool AddressSanitizer::runOnFunction(Function &F) {
bool res = NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); bool res = NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty();
if (InjectCoverage(F, AllBlocks)) if (InjectCoverage(F, AllBlocks, IndirCalls))
res = true; res = true;
DEBUG(dbgs() << "ASAN done instrumenting: " << res << " " << F << "\n"); DEBUG(dbgs() << "ASAN done instrumenting: " << res << " " << F << "\n");

View File

@ -4,6 +4,7 @@
; RUN: opt < %s -asan -asan-module -asan-coverage=2 -asan-coverage-block-threshold=10 -S | FileCheck %s --check-prefix=CHECK2 ; RUN: opt < %s -asan -asan-module -asan-coverage=2 -asan-coverage-block-threshold=10 -S | FileCheck %s --check-prefix=CHECK2
; RUN: opt < %s -asan -asan-module -asan-coverage=2 -asan-coverage-block-threshold=1 -S | FileCheck %s --check-prefix=CHECK1 ; RUN: opt < %s -asan -asan-module -asan-coverage=2 -asan-coverage-block-threshold=1 -S | FileCheck %s --check-prefix=CHECK1
; RUN: opt < %s -asan -asan-module -asan-coverage=3 -asan-coverage-block-threshold=10 -S | FileCheck %s --check-prefix=CHECK3 ; RUN: opt < %s -asan -asan-module -asan-coverage=3 -asan-coverage-block-threshold=10 -S | FileCheck %s --check-prefix=CHECK3
; RUN: opt < %s -asan -asan-module -asan-coverage=4 -S | FileCheck %s --check-prefix=CHECK4
; RUN: opt < %s -asan -asan-module -asan-coverage=0 -asan-globals=0 -S | \ ; RUN: opt < %s -asan -asan-module -asan-coverage=0 -asan-globals=0 -S | \
; RUN: FileCheck %s --check-prefix=CHECK0 ; RUN: FileCheck %s --check-prefix=CHECK0
@ -44,7 +45,7 @@ entry:
; CHECK1-LABEL: define internal void @asan.module_ctor ; CHECK1-LABEL: define internal void @asan.module_ctor
; CHECK1-NOT: ret ; CHECK1-NOT: ret
; CHECK1: call void @__sanitizer_cov_module_init(i64 1) ; CHECK1: call void @__sanitizer_cov_module_init(i64 2)
; CHECK1: ret ; CHECK1: ret
@ -57,7 +58,7 @@ entry:
; CHECK2-LABEL: define internal void @asan.module_ctor ; CHECK2-LABEL: define internal void @asan.module_ctor
; CHECK2-NOT: ret ; CHECK2-NOT: ret
; CHECK2: call void @__sanitizer_cov_module_init(i64 3) ; CHECK2: call void @__sanitizer_cov_module_init(i64 4)
; CHECK2: ret ; CHECK2: ret
; CHECK3-LABEL: define void @foo ; CHECK3-LABEL: define void @foo
@ -68,3 +69,18 @@ entry:
; CHECK3-NOT: call void @__sanitizer_cov ; CHECK3-NOT: call void @__sanitizer_cov
; CHECK3: ret void ; CHECK3: ret void
%struct.StructWithVptr = type { i32 (...)** }
define void @CallViaVptr(%struct.StructWithVptr* %foo) uwtable sanitize_address {
entry:
%0 = bitcast %struct.StructWithVptr* %foo to void (%struct.StructWithVptr*)***
%vtable = load void (%struct.StructWithVptr*)*** %0, align 8
%1 = load void (%struct.StructWithVptr*)** %vtable, align 8
tail call void %1(%struct.StructWithVptr* %foo)
ret void
}
; CHECK4-LABEL: define void @CallViaVptr
; CHECK4: call void @__sanitizer_cov_indir_call16
; CHECK4: ret void