Author: kcc
Date: Thu Aug 28 20:01:32 2014
New Revision: 216702
URL: http://llvm.org/viewvc/llvm-project?rev=216702&view=rev
Log: call __asan_load_cxx_array_cookie when loading array cookie in asan mode.
Summary: The current implementation of asan cookie is incorrect: we add nosanitize metadata to the cookie load, but the metadata may be lost and we will instrument the load from poisoned memory. This change replaces the load with a call to __asan_load_cxx_array_cookie (r216692) Reviewers: rsmith Reviewed By: rsmith Subscribers: cfe-commits Differential Revision: http://reviews.llvm.org/D5111 Modified: cfe/trunk/lib/CodeGen/ItaniumCXXABI.cpp cfe/trunk/test/CodeGen/address-sanitizer-and-array-cookie.cpp Modified: cfe/trunk/lib/CodeGen/ItaniumCXXABI.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/CodeGen/ItaniumCXXABI.cpp?rev=216702&r1=216701&r2=216702&view=diff ============================================================================== --- cfe/trunk/lib/CodeGen/ItaniumCXXABI.cpp (original) +++ cfe/trunk/lib/CodeGen/ItaniumCXXABI.cpp Thu Aug 28 20:01:32 2014 @@ -1476,8 +1476,9 @@ llvm::Value *ItaniumCXXABI::InitializeAr llvm::Value *NumElementsPtr = CGF.Builder.CreateBitCast(CookiePtr, NumElementsTy); llvm::Instruction *SI = CGF.Builder.CreateStore(NumElements, NumElementsPtr); - if (CGM.getLangOpts().Sanitize.Address && + if (CGM.getLangOpts().Sanitize.Address && AS == 0 && expr->getOperatorNew()->isReplaceableGlobalAllocationFunction()) { + // The store to the CookiePtr does not need to be instrumented. CGM.getSanitizerMetadata()->disableSanitizerForInstruction(SI); llvm::FunctionType *FTy = llvm::FunctionType::get(CGM.VoidTy, NumElementsTy, false); 
@@ -1507,10 +1508,18 @@ llvm::Value *ItaniumCXXABI::readArrayCoo unsigned AS = allocPtr->getType()->getPointerAddressSpace(); numElementsPtr = CGF.Builder.CreateBitCast(numElementsPtr, CGF.SizeTy->getPointerTo(AS)); - llvm::Instruction *LI = CGF.Builder.CreateLoad(numElementsPtr); - if (CGM.getLangOpts().Sanitize.Address) - CGM.getSanitizerMetadata()->disableSanitizerForInstruction(LI); - return LI; + if (!CGM.getLangOpts().Sanitize.Address || AS != 0) + return CGF.Builder.CreateLoad(numElementsPtr); + // In asan mode emit a function call instead of a regular load and let the + // run-time deal with it: if the shadow is properly poisoned return the + // cookie, otherwise return 0 to avoid an infinite loop calling DTORs. + // We can't simply ignore this load using nosanitize metadata because + // the metadata may be lost. + llvm::FunctionType *FTy = + llvm::FunctionType::get(CGF.SizeTy, CGF.SizeTy->getPointerTo(0), false); + llvm::Constant *F = + CGM.CreateRuntimeFunction(FTy, "__asan_load_cxx_array_cookie"); + return CGF.Builder.CreateCall(F, numElementsPtr); } CharUnits ARMCXXABI::getArrayCookieSizeImpl(QualType elementType) { Modified: cfe/trunk/test/CodeGen/address-sanitizer-and-array-cookie.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/CodeGen/address-sanitizer-and-array-cookie.cpp?rev=216702&r1=216701&r2=216702&view=diff ============================================================================== --- cfe/trunk/test/CodeGen/address-sanitizer-and-array-cookie.cpp (original) +++ cfe/trunk/test/CodeGen/address-sanitizer-and-array-cookie.cpp Thu Aug 28 20:01:32 2014 
@@ -43,7 +43,8 @@ void CallDelete(C *c) { // PLAIN-LABEL: CallDelete // PLAIN-NOT: nosanitize // ASAN-LABEL: CallDelete -// ASAN: load{{.*}}!nosanitize +// ASAN-NOT: nosanitize +// ASAN: call i64 @__asan_load_cxx_array_cookie // ASAN-NOT: nosanitize char Buffer[20]; _______________________________________________ cfe-commits mailing list [email protected] http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
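Review bot: In the InitializeArrayCookie hunk the store `SI` still relies on `CGM.getSanitizerMetadata()->disableSanitizerForInstruction(SI);`, i.e. on the same nosanitize metadata that the commit message says may be lost, while the load side is switched to a runtime call for exactly that reason. The added `AS == 0` guard keeps the two conditions in step, but the new comment ("The store to the CookiePtr does not need to be instrumented.") should also say why dropped metadata is harmless for the store but not for the load, so the two paths do not look inconsistent to the next reader.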
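Review bot: In the readArrayCookie hunk the early return `if (!CGM.getLangOpts().Sanitize.Address || AS != 0) return CGF.Builder.CreateLoad(numElementsPtr);` changes behaviour for non-zero address spaces under ASan: the removed lines attached nosanitize metadata to that load whenever `Sanitize.Address` was set, regardless of `AS`, whereas the new code emits a plain, instrumented load when `AS != 0`. If that is intentional, the comment should say so; if not, the `AS != 0` path should keep `disableSanitizerForInstruction` on the load. Minor style point: `F` would read better with a descriptive name such as `AsanLoadCookieFn`.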
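Review bot: In the test hunk the updated CallDelete check only asserts that `call i64 @__asan_load_cxx_array_cookie` appears between the two `ASAN-NOT: nosanitize` lines; it does not capture the call's return value and check that it is what feeds the element count in place of the former load, which is the substance of this change. Neither the `AS == 0` guard added in InitializeArrayCookie nor the `AS != 0` early return in readArrayCookie is exercised by this file; a non-zero address-space case would cover both.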
