Skip to content

Commit 46ce784

Browse files
thurstondthurstond
committed
[hwasan] Add test case for null pointer dereference
This shows that HWASan will emit a memaccess intrinsic for null pointer dereferences, with or without a fixed shadow. This is a simplification of an internal bug report by dvyukov.
1 parent a15fedc commit 46ce784

File tree

2 files changed

+165
-0
lines changed

2 files changed

+165
-0
lines changed

llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll

Lines changed: 130 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,130 @@
1+
; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py UTC_ARGS: --version 5
2+
; RUN: llc -filetype asm -o - %s | FileCheck %s
3+
4+
; This shows that when dereferencing a null pointer, HWASan will call
5+
; __hwasan_check_x4294967071_19_fixed_0_short_v2
6+
; (N.B. 4294967071 == 2**32 - 239 + 14 == 2**32 - X0 + XZR
7+
;
8+
; The source was generated from llvm/test/Instrumentation/HWAddressSanitizer/zero-ptr.ll.
9+
10+
; ModuleID = '<stdin>'
11+
source_filename = "<stdin>"
12+
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
13+
target triple = "aarch64--linux-android10000"
14+
15+
$hwasan.module_ctor = comdat any
16+
17+
$__hwasan_personality_thunk = comdat any
18+
19+
@llvm.used = appending global [1 x ptr] [ptr @hwasan.module_ctor], section "llvm.metadata"
20+
@llvm.global_ctors = appending global [1 x { i32, ptr, ptr }] [{ i32, ptr, ptr } { i32 0, ptr @hwasan.module_ctor, ptr @hwasan.module_ctor }]
21+
@__start_hwasan_globals = external hidden constant [0 x i8]
22+
@__stop_hwasan_globals = external hidden constant [0 x i8]
23+
@hwasan.note = private constant { i32, i32, i32, [8 x i8], i32, i32 } { i32 8, i32 8, i32 3, [8 x i8] c"LLVM\00\00\00\00", i32 trunc (i64 sub (i64 ptrtoint (ptr @__start_hwasan_globals to i64), i64 ptrtoint (ptr @hwasan.note to i64)) to i32), i32 trunc (i64 sub (i64 ptrtoint (ptr @__stop_hwasan_globals to i64), i64 ptrtoint (ptr @hwasan.note to i64)) to i32) }, section ".note.hwasan.globals", comdat($hwasan.module_ctor), align 4
24+
@hwasan.dummy.global = private constant [0 x i8] zeroinitializer, section "hwasan_globals", comdat($hwasan.module_ctor), !associated !0
25+
@llvm.compiler.used = appending global [2 x ptr] [ptr @hwasan.note, ptr @hwasan.dummy.global], section "llvm.metadata"
26+
@__hwasan_shadow = external global [0 x i8]
27+
28+
; Function Attrs: sanitize_hwaddress
29+
define void @test_store_to_zeroptr() #0 {
30+
; CHECK-LABEL: test_store_to_zeroptr:
31+
; CHECK: // %bb.0: // %entry
32+
; CHECK-NEXT: str x30, [sp, #-16]! // 8-byte Folded Spill
33+
; CHECK-NEXT: .cfi_def_cfa_offset 16
34+
; CHECK-NEXT: .cfi_offset w30, -16
35+
; CHECK-NEXT: bl __hwasan_check_x4294967071_19_fixed_0_short_v2
36+
; CHECK-NEXT: mov x8, xzr
37+
; CHECK-NEXT: mov w9, #42 // =0x2a
38+
; CHECK-NEXT: str x9, [x8]
39+
; CHECK-NEXT: ldr x30, [sp], #16 // 8-byte Folded Reload
40+
; CHECK-NEXT: ret
41+
entry:
42+
%.hwasan.shadow = call ptr asm "", "=r,0"(ptr null)
43+
%b = inttoptr i64 0 to ptr
44+
call void @llvm.hwasan.check.memaccess.shortgranules.fixedshadow(ptr %b, i32 19, i64 0)
45+
store i64 42, ptr %b, align 8
46+
ret void
47+
}
48+
49+
declare void @__hwasan_init()
50+
51+
; Function Attrs: nounwind
52+
define internal void @hwasan.module_ctor() #1 comdat {
53+
; CHECK-LABEL: hwasan.module_ctor:
54+
; CHECK: // %bb.0:
55+
; CHECK-NEXT: str x30, [sp, #-16]! // 8-byte Folded Spill
56+
; CHECK-NEXT: bl __hwasan_init
57+
; CHECK-NEXT: ldr x30, [sp], #16 // 8-byte Folded Reload
58+
; CHECK-NEXT: ret
59+
call void @__hwasan_init()
60+
ret void
61+
}
62+
63+
declare i32 @__hwasan_personality_wrapper(i32, i32, i64, ptr, ptr, ptr, ptr, ptr)
64+
65+
declare void @_Unwind_GetGR()
66+
67+
declare void @_Unwind_GetCFA()
68+
69+
define linkonce_odr hidden i32 @__hwasan_personality_thunk(i32 %0, i32 %1, i64 %2, ptr %3, ptr %4) comdat {
70+
; CHECK-LABEL: __hwasan_personality_thunk:
71+
; CHECK: // %bb.0: // %entry
72+
; CHECK-NEXT: adrp x6, :got:_Unwind_GetGR
73+
; CHECK-NEXT: adrp x7, :got:_Unwind_GetCFA
74+
; CHECK-NEXT: mov x5, xzr
75+
; CHECK-NEXT: ldr x6, [x6, :got_lo12:_Unwind_GetGR]
76+
; CHECK-NEXT: ldr x7, [x7, :got_lo12:_Unwind_GetCFA]
77+
; CHECK-NEXT: b __hwasan_personality_wrapper
78+
entry:
79+
%5 = tail call i32 @__hwasan_personality_wrapper(i32 %0, i32 %1, i64 %2, ptr %3, ptr %4, ptr null, ptr @_Unwind_GetGR, ptr @_Unwind_GetCFA)
80+
ret i32 %5
81+
}
82+
83+
declare void @__hwasan_loadN(i64, i64)
84+
85+
declare void @__hwasan_load1(i64)
86+
87+
declare void @__hwasan_load2(i64)
88+
89+
declare void @__hwasan_load4(i64)
90+
91+
declare void @__hwasan_load8(i64)
92+
93+
declare void @__hwasan_load16(i64)
94+
95+
declare void @__hwasan_storeN(i64, i64)
96+
97+
declare void @__hwasan_store1(i64)
98+
99+
declare void @__hwasan_store2(i64)
100+
101+
declare void @__hwasan_store4(i64)
102+
103+
declare void @__hwasan_store8(i64)
104+
105+
declare void @__hwasan_store16(i64)
106+
107+
declare ptr @__hwasan_memmove(ptr, ptr, i64)
108+
109+
declare ptr @__hwasan_memcpy(ptr, ptr, i64)
110+
111+
declare ptr @__hwasan_memset(ptr, i32, i64)
112+
113+
declare void @__hwasan_tag_memory(ptr, i8, i64)
114+
115+
declare i8 @__hwasan_generate_tag()
116+
117+
declare void @__hwasan_add_frame_record(i64)
118+
119+
declare void @__hwasan_handle_vfork(i64)
120+
121+
; Function Attrs: nounwind
122+
declare void @llvm.hwasan.check.memaccess.shortgranules.fixedshadow(ptr, i32 immarg, i64 immarg) #1
123+
124+
attributes #0 = { sanitize_hwaddress }
125+
attributes #1 = { nounwind }
126+
127+
!llvm.module.flags = !{!1}
128+
129+
!0 = !{ptr @hwasan.note}
130+
!1 = !{i32 4, !"nosanitize_hwaddress", i32 1}

llvm/test/Instrumentation/HWAddressSanitizer/zero-ptr.ll

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
; NOTE: Assertions have been autogenerated by utils/update_test_checks.py UTC_ARGS: --version 2
2+
; RUN: opt < %s -passes=hwasan -S | FileCheck %s
3+
; RUN: opt < %s -passes=hwasan -hwasan-recover=0 -hwasan-mapping-offset=0 -S | FileCheck %s --check-prefixes=ABORT-ZERO-BASED-SHADOW
4+
5+
; This shows that HWASan will emit a memaccess check when dereferencing a null
6+
; pointer.
7+
; The output is used as the source for llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll.
8+
9+
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
10+
target triple = "aarch64--linux-android10000"
11+
12+
define void @test_store_to_zeroptr() sanitize_hwaddress {
13+
; CHECK-LABEL: define void @test_store_to_zeroptr
14+
; CHECK-SAME: () #[[ATTR0:[0-9]+]] {
15+
; CHECK-NEXT: entry:
16+
; CHECK-NEXT: [[DOTHWASAN_SHADOW:%.*]] = call ptr asm "", "=r,0"(ptr @__hwasan_shadow)
17+
; CHECK-NEXT: [[B:%.*]] = inttoptr i64 0 to ptr
18+
; CHECK-NEXT: call void @llvm.hwasan.check.memaccess.shortgranules(ptr [[DOTHWASAN_SHADOW]], ptr [[B]], i32 19)
19+
; CHECK-NEXT: store i64 42, ptr [[B]], align 8
20+
; CHECK-NEXT: ret void
21+
;
22+
; ABORT-ZERO-BASED-SHADOW-LABEL: define void @test_store_to_zeroptr
23+
; ABORT-ZERO-BASED-SHADOW-SAME: () #[[ATTR0:[0-9]+]] {
24+
; ABORT-ZERO-BASED-SHADOW-NEXT: entry:
25+
; ABORT-ZERO-BASED-SHADOW-NEXT: [[DOTHWASAN_SHADOW:%.*]] = call ptr asm "", "=r,0"(ptr null)
26+
; ABORT-ZERO-BASED-SHADOW-NEXT: [[B:%.*]] = inttoptr i64 0 to ptr
27+
; ABORT-ZERO-BASED-SHADOW-NEXT: call void @llvm.hwasan.check.memaccess.shortgranules.fixedshadow(ptr [[B]], i32 19, i64 0)
28+
; ABORT-ZERO-BASED-SHADOW-NEXT: store i64 42, ptr [[B]], align 8
29+
; ABORT-ZERO-BASED-SHADOW-NEXT: ret void
30+
;
31+
entry:
32+
%b = inttoptr i64 0 to i64*
33+
store i64 42, ptr %b
34+
ret void
35+
}

0 commit comments

Comments
 (0)