llvm-project/llvm/test/CodeGen/X86/stack-protector-2.ll
Nick Desaulniers b7926ce6d7 [IR] add fn attr for no_stack_protector; prevent inlining on mismatch
It's currently ambiguous in IR whether the source language explicitly
did not want a stack a stack protector (in C, via function attribute
no_stack_protector) or doesn't care for any given function.

It's common for code that manipulates the stack via inline assembly or
that has to set up its own stack canary (such as the Linux kernel) would
like to avoid stack protectors in certain functions. In this case, we've
been bitten by numerous bugs where a callee with a stack protector is
inlined into an __attribute__((__no_stack_protector__)) caller, which
generally breaks the caller's assumptions about not having a stack
protector. LTO exacerbates the issue.

While developers can avoid this by putting all no_stack_protector
functions in one translation unit together and compiling those with
-fno-stack-protector, it's generally not very ergonomic or as
ergonomic as a function attribute, and still doesn't work for LTO. See also:
https://lore.kernel.org/linux-pm/20200915172658.1432732-1-rkir@google.com/
https://lore.kernel.org/lkml/20200918201436.2932360-30-samitolvanen@google.com/T/#u

Typically, when inlining a callee into a caller, the caller will be
upgraded in its level of stack protection (see adjustCallerSSPLevel()).
By adding an explicit attribute in the IR when the function attribute is
used in the source language, we can now identify such cases and prevent
inlining.  Block inlining when the callee and caller differ in the case that one
contains `nossp` when the other has `ssp`, `sspstrong`, or `sspreq`.

Fixes pr/47479.

Reviewed By: void

Differential Revision: https://reviews.llvm.org/D87956
2020-10-23 11:55:39 -07:00

193 lines
8.0 KiB
LLVM

; RUN: llc -mtriple=x86_64-pc-linux-gnu -start-before=stack-protector -stop-after=stack-protector -o - < %s | FileCheck %s
; Bugs 42238/43308/47479: Test some additional situations not caught previously.
define void @store_captures() #0 {
; CHECK-LABEL: @store_captures(
; CHECK-NEXT: entry:
; CHECK-NEXT: [[STACKGUARDSLOT:%.*]] = alloca i8*
; CHECK-NEXT: [[STACKGUARD:%.*]] = load volatile i8*, i8* addrspace(257)* inttoptr (i32 40 to i8* addrspace(257)*)
; CHECK-NEXT: call void @llvm.stackprotector(i8* [[STACKGUARD]], i8** [[STACKGUARDSLOT]])
; CHECK-NEXT: [[RETVAL:%.*]] = alloca i32, align 4
; CHECK-NEXT: [[A:%.*]] = alloca i32, align 4
; CHECK-NEXT: [[J:%.*]] = alloca i32*, align 8
; CHECK-NEXT: store i32 0, i32* [[RETVAL]]
; CHECK-NEXT: [[LOAD:%.*]] = load i32, i32* [[A]], align 4
; CHECK-NEXT: [[ADD:%.*]] = add nsw i32 [[LOAD]], 1
; CHECK-NEXT: store i32 [[ADD]], i32* [[A]], align 4
; CHECK-NEXT: store i32* [[A]], i32** [[J]], align 8
; CHECK-NEXT: [[STACKGUARD1:%.*]] = load volatile i8*, i8* addrspace(257)* inttoptr (i32 40 to i8* addrspace(257)*)
; CHECK-NEXT: [[TMP0:%.*]] = load volatile i8*, i8** [[STACKGUARDSLOT]]
; CHECK-NEXT: [[TMP1:%.*]] = icmp eq i8* [[STACKGUARD1]], [[TMP0]]
; CHECK-NEXT: br i1 [[TMP1]], label [[SP_RETURN:%.*]], label [[CALLSTACKCHECKFAILBLK:%.*]], !prof !0
; CHECK: SP_return:
; CHECK-NEXT: ret void
; CHECK: CallStackCheckFailBlk:
; CHECK-NEXT: call void @__stack_chk_fail()
; CHECK-NEXT: unreachable
;
entry:
%retval = alloca i32, align 4
%a = alloca i32, align 4
%j = alloca i32*, align 8
store i32 0, i32* %retval
%load = load i32, i32* %a, align 4
%add = add nsw i32 %load, 1
store i32 %add, i32* %a, align 4
store i32* %a, i32** %j, align 8
ret void
}
define i32* @non_captures() #0 {
; load, atomicrmw, and ret do not trigger a stack protector.
; CHECK-LABEL: @non_captures(
; CHECK-NEXT: entry:
; CHECK-NEXT: [[A:%.*]] = alloca i32, align 4
; CHECK-NEXT: [[LOAD:%.*]] = load i32, i32* [[A]], align 4
; CHECK-NEXT: [[ATOM:%.*]] = atomicrmw add i32* [[A]], i32 1 seq_cst
; CHECK-NEXT: ret i32* [[A]]
;
entry:
%a = alloca i32, align 4
%load = load i32, i32* %a, align 4
%atom = atomicrmw add i32* %a, i32 1 seq_cst
ret i32* %a
}
define void @store_addrspacecast_captures() #0 {
; CHECK-LABEL: @store_addrspacecast_captures(
; CHECK-NEXT: entry:
; CHECK-NEXT: [[STACKGUARDSLOT:%.*]] = alloca i8*
; CHECK-NEXT: [[STACKGUARD:%.*]] = load volatile i8*, i8* addrspace(257)* inttoptr (i32 40 to i8* addrspace(257)*)
; CHECK-NEXT: call void @llvm.stackprotector(i8* [[STACKGUARD]], i8** [[STACKGUARDSLOT]])
; CHECK-NEXT: [[RETVAL:%.*]] = alloca i32, align 4
; CHECK-NEXT: [[A:%.*]] = alloca i32, align 4
; CHECK-NEXT: [[J:%.*]] = alloca i32 addrspace(1)*, align 8
; CHECK-NEXT: store i32 0, i32* [[RETVAL]]
; CHECK-NEXT: [[LOAD:%.*]] = load i32, i32* [[A]], align 4
; CHECK-NEXT: [[ADD:%.*]] = add nsw i32 [[LOAD]], 1
; CHECK-NEXT: store i32 [[ADD]], i32* [[A]], align 4
; CHECK-NEXT: [[A_ADDRSPACECAST:%.*]] = addrspacecast i32* [[A]] to i32 addrspace(1)*
; CHECK-NEXT: store i32 addrspace(1)* [[A_ADDRSPACECAST]], i32 addrspace(1)** [[J]], align 8
; CHECK-NEXT: [[STACKGUARD1:%.*]] = load volatile i8*, i8* addrspace(257)* inttoptr (i32 40 to i8* addrspace(257)*)
; CHECK-NEXT: [[TMP0:%.*]] = load volatile i8*, i8** [[STACKGUARDSLOT]]
; CHECK-NEXT: [[TMP1:%.*]] = icmp eq i8* [[STACKGUARD1]], [[TMP0]]
; CHECK-NEXT: br i1 [[TMP1]], label [[SP_RETURN:%.*]], label [[CALLSTACKCHECKFAILBLK:%.*]], !prof !0
; CHECK: SP_return:
; CHECK-NEXT: ret void
; CHECK: CallStackCheckFailBlk:
; CHECK-NEXT: call void @__stack_chk_fail()
; CHECK-NEXT: unreachable
;
entry:
%retval = alloca i32, align 4
%a = alloca i32, align 4
%j = alloca i32 addrspace(1)*, align 8
store i32 0, i32* %retval
%load = load i32, i32* %a, align 4
%add = add nsw i32 %load, 1
store i32 %add, i32* %a, align 4
%a.addrspacecast = addrspacecast i32* %a to i32 addrspace(1)*
store i32 addrspace(1)* %a.addrspacecast, i32 addrspace(1)** %j, align 8
ret void
}
define void @cmpxchg_captures() #0 {
; CHECK-LABEL: @cmpxchg_captures(
; CHECK-NEXT: entry:
; CHECK-NEXT: [[STACKGUARDSLOT:%.*]] = alloca i8*
; CHECK-NEXT: [[STACKGUARD:%.*]] = load volatile i8*, i8* addrspace(257)* inttoptr (i32 40 to i8* addrspace(257)*)
; CHECK-NEXT: call void @llvm.stackprotector(i8* [[STACKGUARD]], i8** [[STACKGUARDSLOT]])
; CHECK-NEXT: [[RETVAL:%.*]] = alloca i32, align 4
; CHECK-NEXT: [[A:%.*]] = alloca i32, align 4
; CHECK-NEXT: [[J:%.*]] = alloca i32*, align 8
; CHECK-NEXT: store i32 0, i32* [[RETVAL]]
; CHECK-NEXT: [[LOAD:%.*]] = load i32, i32* [[A]], align 4
; CHECK-NEXT: [[ADD:%.*]] = add nsw i32 [[LOAD]], 1
; CHECK-NEXT: store i32 [[ADD]], i32* [[A]], align 4
; CHECK-NEXT: [[TMP0:%.*]] = cmpxchg i32** [[J]], i32* null, i32* [[A]] seq_cst monotonic
; CHECK-NEXT: [[STACKGUARD1:%.*]] = load volatile i8*, i8* addrspace(257)* inttoptr (i32 40 to i8* addrspace(257)*)
; CHECK-NEXT: [[TMP1:%.*]] = load volatile i8*, i8** [[STACKGUARDSLOT]]
; CHECK-NEXT: [[TMP2:%.*]] = icmp eq i8* [[STACKGUARD1]], [[TMP1]]
; CHECK-NEXT: br i1 [[TMP2]], label [[SP_RETURN:%.*]], label [[CALLSTACKCHECKFAILBLK:%.*]], !prof !0
; CHECK: SP_return:
; CHECK-NEXT: ret void
; CHECK: CallStackCheckFailBlk:
; CHECK-NEXT: call void @__stack_chk_fail()
; CHECK-NEXT: unreachable
;
entry:
%retval = alloca i32, align 4
%a = alloca i32, align 4
%j = alloca i32*, align 8
store i32 0, i32* %retval
%load = load i32, i32* %a, align 4
%add = add nsw i32 %load, 1
store i32 %add, i32* %a, align 4
cmpxchg i32** %j, i32* null, i32* %a seq_cst monotonic
ret void
}
define void @memset_captures(i64 %c) #0 {
; CHECK-LABEL: @memset_captures(
; CHECK-NEXT: entry:
; CHECK-NEXT: [[STACKGUARDSLOT:%.*]] = alloca i8*
; CHECK-NEXT: [[STACKGUARD:%.*]] = load volatile i8*, i8* addrspace(257)* inttoptr (i32 40 to i8* addrspace(257)*)
; CHECK-NEXT: call void @llvm.stackprotector(i8* [[STACKGUARD]], i8** [[STACKGUARDSLOT]])
; CHECK-NEXT: [[CADDR:%.*]] = alloca i64, align 8
; CHECK-NEXT: store i64 %c, i64* [[CADDR]], align 8
; CHECK-NEXT: [[I:%.*]] = alloca i32, align 4
; CHECK-NEXT: [[IPTR:%.*]] = bitcast i32* [[I]] to i8*
; CHECK-NEXT: [[COUNT:%.*]] = load i64, i64* [[CADDR]], align 8
; CHECK-NEXT: call void @llvm.memset.p0i8.i64(i8* align 4 [[IPTR]], i8 0, i64 [[COUNT]], i1 false)
; CHECK-NEXT: [[STACKGUARD1:%.*]] = load volatile i8*, i8* addrspace(257)* inttoptr (i32 40 to i8* addrspace(257)*)
; CHECK-NEXT: [[TMP1:%.*]] = load volatile i8*, i8** [[STACKGUARDSLOT]]
; CHECK-NEXT: [[TMP2:%.*]] = icmp eq i8* [[STACKGUARD1]], [[TMP1]]
; CHECK-NEXT: br i1 [[TMP2]], label [[SP_RETURN:%.*]], label [[CALLSTACKCHECKFAILBLK:%.*]], !prof !0
; CHECK: SP_return:
; CHECK-NEXT: ret void
; CHECK: CallStackCheckFailBlk:
; CHECK-NEXT: call void @__stack_chk_fail()
; CHECK-NEXT: unreachable
;
entry:
%c.addr = alloca i64, align 8
store i64 %c, i64* %c.addr, align 8
%i = alloca i32, align 4
%i.ptr = bitcast i32* %i to i8*
%count = load i64, i64* %c.addr, align 8
call void @llvm.memset.p0i8.i64(i8* align 4 %i.ptr, i8 0, i64 %count, i1 false)
ret void
}
declare void @llvm.memset.p0i8.i64(i8* nocapture writeonly, i8, i64, i1 immarg)
; Test that the same function does not get a canary if nossp fn attr is set.
declare dso_local void @foo(i8*)
define dso_local void @bar_sspstrong(i64 %0) #0 {
; CHECK-LABEL: @bar_sspstrong
; CHECK-NEXT: %StackGuardSlot = alloca i8*
%2 = alloca i64, align 8
store i64 %0, i64* %2, align 8
%3 = load i64, i64* %2, align 8
%4 = alloca i8, i64 %3, align 16
call void @foo(i8* %4)
ret void
}
define dso_local void @bar_nossp(i64 %0) #1 {
; CHECK-LABEL: @bar_nossp
; CHECK-NEXT: %2 = alloca i64
%2 = alloca i64, align 8
store i64 %0, i64* %2, align 8
%3 = load i64, i64* %2, align 8
%4 = alloca i8, i64 %3, align 16
call void @foo(i8* %4)
ret void
}
attributes #0 = { sspstrong }
attributes #1 = { nossp }