From ac2dfaf387b701babb6fcad414df49cf44364094 Mon Sep 17 00:00:00 2001 From: Matt Morehouse Date: Wed, 30 Aug 2017 22:49:31 +0000 Subject: [PATCH] [SanitizeCoverage] Enable stack-depth coverage for -fsanitize=fuzzer Summary: - Don't sanitize __sancov_lowest_stack. - Don't instrument leaf functions. - Add CoverageStackDepth to Fuzzer and FuzzerNoLink. - Only enable on Linux. Reviewers: vitalybuka, kcc, george.karpenkov Reviewed By: kcc Subscribers: kubamracek, cfe-commits, llvm-commits, hiraditya Differential Revision: https://reviews.llvm.org/D37156 git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@312185 91177308-0d34-0410-b5e6-96231b3b80d8
---
 .../Instrumentation/SanitizerCoverage.cpp | 30 +++++++++++++------ .../SanitizerCoverage/stack-depth.ll | 21 +++++-------- 2 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/lib/Transforms/Instrumentation/SanitizerCoverage.cpp b/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
index 0f2e7772c76..a3128fd089d 100644
--- a/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
+++ b/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
@@ -25,6 +25,7 @@
 #include "llvm/IR/GlobalVariable.h"
 #include "llvm/IR/IRBuilder.h"
 #include "llvm/IR/InlineAsm.h"
+#include "llvm/IR/IntrinsicInst.h"
 #include "llvm/IR/Intrinsics.h"
 #include "llvm/IR/LLVMContext.h"
 #include "llvm/IR/MDBuilder.h"
@@ -200,13 +201,15 @@ private:
 ArrayRef GepTraceTargets);
 void InjectTraceForSwitch(Function &F, ArrayRef SwitchTraceTargets);
- bool InjectCoverage(Function &F, ArrayRef AllBlocks);
+ bool InjectCoverage(Function &F, ArrayRef AllBlocks,
+ bool IsLeafFunc = true);
 GlobalVariable *CreateFunctionLocalArrayInSection(size_t NumElements, Function &F, Type *Ty, const char *Section);
 GlobalVariable *CreatePCArray(Function &F, ArrayRef AllBlocks);
 void CreateFunctionLocalArrays(Function &F, ArrayRef AllBlocks);
- void InjectCoverageAtBlock(Function &F, BasicBlock &BB, size_t Idx);
+ void InjectCoverageAtBlock(Function &F, BasicBlock &BB, size_t Idx,
+ bool IsLeafFunc = true);
 Function *CreateInitCallsForSections(Module &M, const char *InitFunctionName, Type *Ty, const char *Section);
 std::pair
@@ -491,6 +494,7 @@ bool SanitizerCoverageModule::runOnFunction(Function &F) {
 &getAnalysis(F).getDomTree();
 const PostDominatorTree *PDT = &getAnalysis(F).getPostDomTree();
+ bool IsLeafFunc = true;
 for (auto &BB : F) {
 if (shouldInstrumentBlock(F, &BB, DT, PDT, Options))
@@ -515,10 +519,14 @@ bool SanitizerCoverageModule::runOnFunction(Function &F) {
 if (Options.TraceGep)
 if (GetElementPtrInst *GEP = dyn_cast(&Inst))
 GepTraceTargets.push_back(GEP);
- }
+ if (Options.StackDepth)
+ if (isa(Inst) ||
+ (isa(Inst) && !isa(Inst)))
+ IsLeafFunc = false;
+ }
 }
- InjectCoverage(F, BlocksToInstrument);
+ InjectCoverage(F, BlocksToInstrument, IsLeafFunc);
 InjectCoverageForIndirectCalls(F, IndirCalls);
 InjectTraceForCmp(F, CmpTraceTargets);
 InjectTraceForSwitch(F, SwitchTraceTargets);
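Review bot: The `bool IsLeafFunc = true` defaults added to `InjectCoverage` and `InjectCoverageAtBlock` fail in the unsafe direction: any caller that omits the argument is silently treated as a leaf and gets no stack-depth check at all, so a forgotten plumbing site would look like the leaf optimisation rather than a bug. Because skipping leaves is only an optimisation, defaulting to `false` would fail safe, or the defaults could be dropped so the single caller in `runOnFunction` must pass the flag: `bool InjectCoverage(Function &F, ArrayRef AllBlocks, bool IsLeafFunc);` (the `ArrayRef` template argument is not shown in this rendering). A short comment on the parameter would also document the contract, e.g. `// IsLeafFunc: F makes no call or invoke other than intrinsics; its entry frame is not recorded for stack-depth coverage.`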
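Review bot: The new leaf test under `if (Options.StackDepth)` encodes a non-obvious rule — an invoke, or a call that is not an intrinsic, makes the function non-leaf — without a comment, and the `isa<...>` type arguments are lost in this rendering, so a reader has to reverse-engineer both the rule and its reason. The intent appears to be that a function which makes no real call adds at most one bounded frame and can never be part of a recursive chain, so its entry is not worth a check; if so, say it: `// Leaf functions (no call/invoke other than intrinsics) add one bounded frame and cannot recurse, so their entry is not worth a stack-depth check.` Intrinsics that lower to a libcall (the memcpy/memset family) are treated as free by this test, which slightly under-counts but is probably acceptable for a coverage signal; that is worth a word in the same comment. The per-instruction loop this sits in begins before the hunk.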
@@ -593,11 +601,12 @@ void SanitizerCoverageModule::CreateFunctionLocalArrays(
 }
 bool SanitizerCoverageModule::InjectCoverage(Function &F,
- ArrayRef AllBlocks) {
+ ArrayRef AllBlocks,
+ bool IsLeafFunc) {
 if (AllBlocks.empty()) return false;
 CreateFunctionLocalArrays(F, AllBlocks);
 for (size_t i = 0, N = AllBlocks.size(); i < N; i++)
- InjectCoverageAtBlock(F, *AllBlocks[i], i);
+ InjectCoverageAtBlock(F, *AllBlocks[i], i, IsLeafFunc);
 return true;
 }
@@ -731,7 +740,8 @@ void SanitizerCoverageModule::InjectTraceForCmp(
 }
 void SanitizerCoverageModule::InjectCoverageAtBlock(Function &F, BasicBlock &BB,
- size_t Idx) {
+ size_t Idx,
+ bool IsLeafFunc) {
 BasicBlock::iterator IP = BB.getFirstInsertionPt();
 bool IsEntryBB = &BB == &F.getEntryBlock();
 DebugLoc EntryLoc;
@@ -770,7 +780,7 @@ void SanitizerCoverageModule::InjectCoverageAtBlock(Function &F, BasicBlock &BB,
 SetNoSanitizeMetadata(Load);
 SetNoSanitizeMetadata(Store);
 }
- if (Options.StackDepth && IsEntryBB) {
+ if (Options.StackDepth && IsEntryBB && !IsLeafFunc) {
 // Check stack depth. If it's the deepest so far, record it.
 Function *GetFrameAddr = Intrinsic::getDeclaration(F.getParent(), Intrinsic::frameaddress);
@@ -781,7 +791,9 @@ void SanitizerCoverageModule::InjectCoverageAtBlock(Function &F, BasicBlock &BB,
 auto IsStackLower = IRB.CreateICmpULT(FrameAddrInt, LowestStack);
 auto ThenTerm = SplitBlockAndInsertIfThen(IsStackLower, &*IP, false);
 IRBuilder<> ThenIRB(ThenTerm);
- ThenIRB.CreateStore(FrameAddrInt, SanCovLowestStack);
+ auto Store = ThenIRB.CreateStore(FrameAddrInt, SanCovLowestStack);
+ SetNoSanitizeMetadata(LowestStack);
+ SetNoSanitizeMetadata(Store);
 }
 }
diff --git a/test/Instrumentation/SanitizerCoverage/stack-depth.ll b/test/Instrumentation/SanitizerCoverage/stack-depth.ll
index e88741553d5..878295cd653 100644
--- a/test/Instrumentation/SanitizerCoverage/stack-depth.ll
+++ b/test/Instrumentation/SanitizerCoverage/stack-depth.ll
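Review bot: The load/compare/store sequence on `SanCovLowestStack` is a plain non-atomic read-modify-write of what looks like a single global (its definition is outside the hunk), and the two new `SetNoSanitizeMetadata` calls hide these accesses from the sanitizers, including any race report on them, so the thread-safety expectation should be stated rather than implied. If the variable is process-wide, concurrent non-leaf entries can lose a lower value (benign: the low-water mark is only delayed) and frame addresses from different threads' stacks are compared as if they lay on one stack; if it is thread-local, neither applies. A comment at the store would settle it, e.g. `// No-sanitize: this is the instrumentation's own access; a racy lost update only delays the low-water mark.`, or the variable's definition could be made thread-local if it is not already. The `// Check stack depth...` comment in the preceding hunk could also mention that leaf functions are now excluded.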
@@ -1,9 +1,9 @@
 ; This check verifies that stack depth instrumentation works correctly.
 ; RUN: opt < %s -sancov -sanitizer-coverage-level=1 \
-; RUN: -sanitizer-coverage-stack-depth -S | FileCheck %s --enable-var-scope
+; RUN: -sanitizer-coverage-stack-depth -S | FileCheck %s
 ; RUN: opt < %s -sancov -sanitizer-coverage-level=3 \
 ; RUN: -sanitizer-coverage-stack-depth -sanitizer-coverage-trace-pc-guard \
-; RUN: -S | FileCheck %s --enable-var-scope
+; RUN: -S | FileCheck %s
 target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
 target triple = "x86_64-unknown-linux-gnu"
@@ -14,13 +14,8 @@ target triple = "x86_64-unknown-linux-gnu"
 define i32 @foo() {
 entry:
 ; CHECK-LABEL: define i32 @foo
-; CHECK: [[framePtr:%[^ \t]+]] = call i8* @llvm.frameaddress(i32 0)
-; CHECK: [[frameInt:%[^ \t]+]] = ptrtoint i8* [[framePtr]] to [[$intType:i[0-9]+]]
-; CHECK: [[lowest:%[^ \t]+]] = load [[$intType]], [[$intType]]* @__sancov_lowest_stack
-; CHECK: [[cmp:%[^ \t]+]] = icmp ult [[$intType]] [[frameInt]], [[lowest]]
-; CHECK: br i1 [[cmp]], label %[[ifLabel:[^ \t]+]], label
-; CHECK: