From 531c21057053b9dd7d77ef59ddd92a1d99f0e1bc Mon Sep 17 00:00:00 2001 From: Evgeniy Stepanov Date: Tue, 1 Dec 2015 00:06:13 +0000 Subject: [PATCH] [safestack] Fix handling of array allocas. The current code does not take alloca array size into account and, as a result, considers any access past the first array element to be unsafe. git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@254350 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/Transforms/Instrumentation/SafeStack.cpp | 22 +++++++-- test/Transforms/SafeStack/array.ll | 48 ++++++++++++++++++++ 2 files changed, 65 insertions(+), 5 deletions(-) diff --git a/lib/Transforms/Instrumentation/SafeStack.cpp b/lib/Transforms/Instrumentation/SafeStack.cpp index 6071ca5a875..f8c4058ae22 100644 --- a/lib/Transforms/Instrumentation/SafeStack.cpp +++ b/lib/Transforms/Instrumentation/SafeStack.cpp @@ -118,6 +118,10 @@ class SafeStack : public FunctionPass { SmallVectorImpl &Returns, SmallVectorImpl &StackRestorePoints); + /// \brief Calculate the allocation size of a given alloca. Returns 0 if the + /// size can not be statically determined. + uint64_t getStaticAllocaAllocationSize(const AllocaInst* AI); + /// \brief Allocate space for all static allocas in \p StaticAllocas, /// replace allocas with pointers into the unsafe stack and generate code to /// restore the stack pointer before all return instructions in \p Returns. @@ -177,6 +181,17 @@ public: bool runOnFunction(Function &F) override; }; // class SafeStack +uint64_t SafeStack::getStaticAllocaAllocationSize(const AllocaInst* AI) { + uint64_t Size = DL->getTypeAllocSize(AI->getAllocatedType()); + if (AI->isArrayAllocation()) { + auto C = dyn_cast(AI->getArraySize()); + if (!C) + return 0; + Size *= C->getZExtValue(); + } + return Size; +} + bool SafeStack::IsAccessSafe(Value *Addr, uint64_t Size, const AllocaInst *AI) { AllocaOffsetRewriter Rewriter(*SE, AI); const SCEV *Expr = Rewriter.visit(SE->getSCEV(Addr)); @@ -187,8 +202,7 @@ bool SafeStack::IsAccessSafe(Value *Addr, uint64_t Size, const AllocaInst *AI) { ConstantRange(APInt(BitWidth, 0), APInt(BitWidth, Size)); ConstantRange AccessRange = AccessStartRange.add(SizeRange); ConstantRange AllocaRange = ConstantRange( - APInt(BitWidth, 0), - APInt(BitWidth, DL->getTypeStoreSize(AI->getAllocatedType()))); + APInt(BitWidth, 0), APInt(BitWidth, getStaticAllocaAllocationSize(AI))); bool Safe = AllocaRange.contains(AccessRange); DEBUG(dbgs() << "[SafeStack] Alloca " << *AI << "\n" @@ -463,10 +477,8 @@ SafeStack::moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F, for (AllocaInst *AI : StaticAllocas) { IRB.SetInsertPoint(AI); - auto CArraySize = cast(AI->getArraySize()); Type *Ty = AI->getAllocatedType(); - - uint64_t Size = DL->getTypeAllocSize(Ty) * CArraySize->getZExtValue(); + uint64_t Size = getStaticAllocaAllocationSize(AI); if (Size == 0) Size = 1; // Don't create zero-sized stack objects. diff --git a/test/Transforms/SafeStack/array.ll b/test/Transforms/SafeStack/array.ll index 6036bfc2c9c..b2454dc2bb9 100644 --- a/test/Transforms/SafeStack/array.ll +++ b/test/Transforms/SafeStack/array.ll @@ -35,4 +35,52 @@ entry: ret void } +; Load from an array at a fixed offset, no overflow. +define i8 @StaticArrayFixedSafe() nounwind uwtable safestack { +entry: + ; CHECK-LABEL: define i8 @StaticArrayFixedSafe( + ; CHECK-NOT: __safestack_unsafe_stack_ptr + ; CHECK: ret i8 + %buf = alloca i8, i32 4, align 1 + %gep = getelementptr inbounds i8, i8* %buf, i32 2 + %x = load i8, i8* %gep, align 1 + ret i8 %x +} + +; Load from an array at a fixed offset with overflow. +define i8 @StaticArrayFixedUnsafe() nounwind uwtable safestack { +entry: + ; CHECK-LABEL: define i8 @StaticArrayFixedUnsafe( + ; CHECK: __safestack_unsafe_stack_ptr + ; CHECK: ret i8 + %buf = alloca i8, i32 4, align 1 + %gep = getelementptr inbounds i8, i8* %buf, i32 5 + %x = load i8, i8* %gep, align 1 + ret i8 %x +} + +; Load from an array at an unknown offset. +define i8 @StaticArrayVariableUnsafe(i32 %ofs) nounwind uwtable safestack { +entry: + ; CHECK-LABEL: define i8 @StaticArrayVariableUnsafe( + ; CHECK: __safestack_unsafe_stack_ptr + ; CHECK: ret i8 + %buf = alloca i8, i32 4, align 1 + %gep = getelementptr inbounds i8, i8* %buf, i32 %ofs + %x = load i8, i8* %gep, align 1 + ret i8 %x +} + +; Load from an array of an unknown size. +define i8 @DynamicArrayUnsafe(i32 %sz) nounwind uwtable safestack { +entry: + ; CHECK-LABEL: define i8 @DynamicArrayUnsafe( + ; CHECK: __safestack_unsafe_stack_ptr + ; CHECK: ret i8 + %buf = alloca i8, i32 %sz, align 1 + %gep = getelementptr inbounds i8, i8* %buf, i32 2 + %x = load i8, i8* %gep, align 1 + ret i8 %x +} + declare i8* @strcpy(i8*, i8*) -- 2.34.1