From 46ce784d6404ded736405738ef812ce65806ea4e Mon Sep 17 00:00:00 2001
From: Thurston Dang <thurston@google.com>
Date: Wed, 8 Jan 2025 22:52:25 +0000
Subject: [PATCH 1/3] [hwasan] Add test case for null pointer dereference

This shows that HWASan will emit a memaccess intrinsic for null
pointer dereferences, with or without a fixed shadow.

This is a simplification of an internal bug report by dvyukov.
---
 llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll  | 130 ++++++++++++++++++
 .../HWAddressSanitizer/zero-ptr.ll            |  35 +++++
 2 files changed, 165 insertions(+)
 create mode 100644 llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll
 create mode 100644 llvm/test/Instrumentation/HWAddressSanitizer/zero-ptr.ll

diff --git a/llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll b/llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll
new file mode 100644
index 0000000000000..ee542d45cd58f
--- /dev/null
+++ b/llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll
@@ -0,0 +1,130 @@
+; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py UTC_ARGS: --version 5
+; RUN: llc -filetype asm -o - %s | FileCheck %s
+
+; This shows that when dereferencing a null pointer, HWASan will call
+; __hwasan_check_x4294967071_19_fixed_0_short_v2
+; (N.B. 4294967071 == 2**32 - 239 + 14 == 2**32 - X0 + XZR
+;
+; The source was generated from llvm/test/Instrumentation/HWAddressSanitizer/zero-ptr.ll.
+
+; ModuleID = '<stdin>'
+source_filename = "<stdin>"
+target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
+target triple = "aarch64--linux-android10000"
+
+$hwasan.module_ctor = comdat any
+
+$__hwasan_personality_thunk = comdat any
+
+@llvm.used = appending global [1 x ptr] [ptr @hwasan.module_ctor], section "llvm.metadata"
+@llvm.global_ctors = appending global [1 x { i32, ptr, ptr }] [{ i32, ptr, ptr } { i32 0, ptr @hwasan.module_ctor, ptr @hwasan.module_ctor }]
+@__start_hwasan_globals = external hidden constant [0 x i8]
+@__stop_hwasan_globals = external hidden constant [0 x i8]
+@hwasan.note = private constant { i32, i32, i32, [8 x i8], i32, i32 } { i32 8, i32 8, i32 3, [8 x i8] c"LLVM\00\00\00\00", i32 trunc (i64 sub (i64 ptrtoint (ptr @__start_hwasan_globals to i64), i64 ptrtoint (ptr @hwasan.note to i64)) to i32), i32 trunc (i64 sub (i64 ptrtoint (ptr @__stop_hwasan_globals to i64), i64 ptrtoint (ptr @hwasan.note to i64)) to i32) }, section ".note.hwasan.globals", comdat($hwasan.module_ctor), align 4
+@hwasan.dummy.global = private constant [0 x i8] zeroinitializer, section "hwasan_globals", comdat($hwasan.module_ctor), !associated !0
+@llvm.compiler.used = appending global [2 x ptr] [ptr @hwasan.note, ptr @hwasan.dummy.global], section "llvm.metadata"
+@__hwasan_shadow = external global [0 x i8]
+
+; Function Attrs: sanitize_hwaddress
+define void @test_store_to_zeroptr() #0 {
+; CHECK-LABEL: test_store_to_zeroptr:
+; CHECK:       // %bb.0: // %entry
+; CHECK-NEXT:    str x30, [sp, #-16]! // 8-byte Folded Spill
+; CHECK-NEXT:    .cfi_def_cfa_offset 16
+; CHECK-NEXT:    .cfi_offset w30, -16
+; CHECK-NEXT:    bl __hwasan_check_x4294967071_19_fixed_0_short_v2
+; CHECK-NEXT:    mov x8, xzr
+; CHECK-NEXT:    mov w9, #42 // =0x2a
+; CHECK-NEXT:    str x9, [x8]
+; CHECK-NEXT:    ldr x30, [sp], #16 // 8-byte Folded Reload
+; CHECK-NEXT:    ret
+entry:
+  %.hwasan.shadow = call ptr asm "", "=r,0"(ptr null)
+  %b = inttoptr i64 0 to ptr
+  call void @llvm.hwasan.check.memaccess.shortgranules.fixedshadow(ptr %b, i32 19, i64 0)
+  store i64 42, ptr %b, align 8
+  ret void
+}
+
+declare void @__hwasan_init()
+
+; Function Attrs: nounwind
+define internal void @hwasan.module_ctor() #1 comdat {
+; CHECK-LABEL: hwasan.module_ctor:
+; CHECK:       // %bb.0:
+; CHECK-NEXT:    str x30, [sp, #-16]! // 8-byte Folded Spill
+; CHECK-NEXT:    bl __hwasan_init
+; CHECK-NEXT:    ldr x30, [sp], #16 // 8-byte Folded Reload
+; CHECK-NEXT:    ret
+  call void @__hwasan_init()
+  ret void
+}
+
+declare i32 @__hwasan_personality_wrapper(i32, i32, i64, ptr, ptr, ptr, ptr, ptr)
+
+declare void @_Unwind_GetGR()
+
+declare void @_Unwind_GetCFA()
+
+define linkonce_odr hidden i32 @__hwasan_personality_thunk(i32 %0, i32 %1, i64 %2, ptr %3, ptr %4) comdat {
+; CHECK-LABEL: __hwasan_personality_thunk:
+; CHECK:       // %bb.0: // %entry
+; CHECK-NEXT:    adrp x6, :got:_Unwind_GetGR
+; CHECK-NEXT:    adrp x7, :got:_Unwind_GetCFA
+; CHECK-NEXT:    mov x5, xzr
+; CHECK-NEXT:    ldr x6, [x6, :got_lo12:_Unwind_GetGR]
+; CHECK-NEXT:    ldr x7, [x7, :got_lo12:_Unwind_GetCFA]
+; CHECK-NEXT:    b __hwasan_personality_wrapper
+entry:
+  %5 = tail call i32 @__hwasan_personality_wrapper(i32 %0, i32 %1, i64 %2, ptr %3, ptr %4, ptr null, ptr @_Unwind_GetGR, ptr @_Unwind_GetCFA)
+  ret i32 %5
+}
+
+declare void @__hwasan_loadN(i64, i64)
+
+declare void @__hwasan_load1(i64)
+
+declare void @__hwasan_load2(i64)
+
+declare void @__hwasan_load4(i64)
+
+declare void @__hwasan_load8(i64)
+
+declare void @__hwasan_load16(i64)
+
+declare void @__hwasan_storeN(i64, i64)
+
+declare void @__hwasan_store1(i64)
+
+declare void @__hwasan_store2(i64)
+
+declare void @__hwasan_store4(i64)
+
+declare void @__hwasan_store8(i64)
+
+declare void @__hwasan_store16(i64)
+
+declare ptr @__hwasan_memmove(ptr, ptr, i64)
+
+declare ptr @__hwasan_memcpy(ptr, ptr, i64)
+
+declare ptr @__hwasan_memset(ptr, i32, i64)
+
+declare void @__hwasan_tag_memory(ptr, i8, i64)
+
+declare i8 @__hwasan_generate_tag()
+
+declare void @__hwasan_add_frame_record(i64)
+
+declare void @__hwasan_handle_vfork(i64)
+
+; Function Attrs: nounwind
+declare void @llvm.hwasan.check.memaccess.shortgranules.fixedshadow(ptr, i32 immarg, i64 immarg) #1
+
+attributes #0 = { sanitize_hwaddress }
+attributes #1 = { nounwind }
+
+!llvm.module.flags = !{!1}
+
+!0 = !{ptr @hwasan.note}
+!1 = !{i32 4, !"nosanitize_hwaddress", i32 1}
diff --git a/llvm/test/Instrumentation/HWAddressSanitizer/zero-ptr.ll b/llvm/test/Instrumentation/HWAddressSanitizer/zero-ptr.ll
new file mode 100644
index 0000000000000..a201174df995b
--- /dev/null
+++ b/llvm/test/Instrumentation/HWAddressSanitizer/zero-ptr.ll
@@ -0,0 +1,35 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py UTC_ARGS: --version 2
+; RUN: opt < %s -passes=hwasan -S | FileCheck %s
+; RUN: opt < %s -passes=hwasan -hwasan-recover=0 -hwasan-mapping-offset=0 -S | FileCheck %s --check-prefixes=ABORT-ZERO-BASED-SHADOW
+
+; This shows that HWASan will emit a memaccess check when dereferencing a null
+; pointer.
+; The output is used as the source for llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll.
+
+target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
+target triple = "aarch64--linux-android10000"
+
+define void @test_store_to_zeroptr() sanitize_hwaddress {
+; CHECK-LABEL: define void @test_store_to_zeroptr
+; CHECK-SAME: () #[[ATTR0:[0-9]+]] {
+; CHECK-NEXT:  entry:
+; CHECK-NEXT:    [[DOTHWASAN_SHADOW:%.*]] = call ptr asm "", "=r,0"(ptr @__hwasan_shadow)
+; CHECK-NEXT:    [[B:%.*]] = inttoptr i64 0 to ptr
+; CHECK-NEXT:    call void @llvm.hwasan.check.memaccess.shortgranules(ptr [[DOTHWASAN_SHADOW]], ptr [[B]], i32 19)
+; CHECK-NEXT:    store i64 42, ptr [[B]], align 8
+; CHECK-NEXT:    ret void
+;
+; ABORT-ZERO-BASED-SHADOW-LABEL: define void @test_store_to_zeroptr
+; ABORT-ZERO-BASED-SHADOW-SAME: () #[[ATTR0:[0-9]+]] {
+; ABORT-ZERO-BASED-SHADOW-NEXT:  entry:
+; ABORT-ZERO-BASED-SHADOW-NEXT:    [[DOTHWASAN_SHADOW:%.*]] = call ptr asm "", "=r,0"(ptr null)
+; ABORT-ZERO-BASED-SHADOW-NEXT:    [[B:%.*]] = inttoptr i64 0 to ptr
+; ABORT-ZERO-BASED-SHADOW-NEXT:    call void @llvm.hwasan.check.memaccess.shortgranules.fixedshadow(ptr [[B]], i32 19, i64 0)
+; ABORT-ZERO-BASED-SHADOW-NEXT:    store i64 42, ptr [[B]], align 8
+; ABORT-ZERO-BASED-SHADOW-NEXT:    ret void
+;
+entry:
+  %b = inttoptr i64 0 to i64*
+  store i64 42, ptr %b
+  ret void
+}

From 119579083bef36ab9a162d5c6a491747513a9fc3 Mon Sep 17 00:00:00 2001
From: Thurston Dang <thurston@google.com>
Date: Wed, 8 Jan 2025 23:05:22 +0000
Subject: [PATCH 2/3] Prune llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll

---
 llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll | 64 ++------------------
 1 file changed, 6 insertions(+), 58 deletions(-)

diff --git a/llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll b/llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll
index ee542d45cd58f..9e81d4611a69a 100644
--- a/llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll
+++ b/llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll
@@ -46,6 +46,12 @@ entry:
   ret void
 }
 
+; Function Attrs: nounwind
+declare void @llvm.hwasan.check.memaccess.shortgranules.fixedshadow(ptr, i32 immarg, i64 immarg) #1
+
+attributes #0 = { sanitize_hwaddress }
+attributes #1 = { nounwind }
+
 declare void @__hwasan_init()
 
 ; Function Attrs: nounwind
@@ -66,64 +72,6 @@ declare void @_Unwind_GetGR()
 
 declare void @_Unwind_GetCFA()
 
-define linkonce_odr hidden i32 @__hwasan_personality_thunk(i32 %0, i32 %1, i64 %2, ptr %3, ptr %4) comdat {
-; CHECK-LABEL: __hwasan_personality_thunk:
-; CHECK:       // %bb.0: // %entry
-; CHECK-NEXT:    adrp x6, :got:_Unwind_GetGR
-; CHECK-NEXT:    adrp x7, :got:_Unwind_GetCFA
-; CHECK-NEXT:    mov x5, xzr
-; CHECK-NEXT:    ldr x6, [x6, :got_lo12:_Unwind_GetGR]
-; CHECK-NEXT:    ldr x7, [x7, :got_lo12:_Unwind_GetCFA]
-; CHECK-NEXT:    b __hwasan_personality_wrapper
-entry:
-  %5 = tail call i32 @__hwasan_personality_wrapper(i32 %0, i32 %1, i64 %2, ptr %3, ptr %4, ptr null, ptr @_Unwind_GetGR, ptr @_Unwind_GetCFA)
-  ret i32 %5
-}
-
-declare void @__hwasan_loadN(i64, i64)
-
-declare void @__hwasan_load1(i64)
-
-declare void @__hwasan_load2(i64)
-
-declare void @__hwasan_load4(i64)
-
-declare void @__hwasan_load8(i64)
-
-declare void @__hwasan_load16(i64)
-
-declare void @__hwasan_storeN(i64, i64)
-
-declare void @__hwasan_store1(i64)
-
-declare void @__hwasan_store2(i64)
-
-declare void @__hwasan_store4(i64)
-
-declare void @__hwasan_store8(i64)
-
-declare void @__hwasan_store16(i64)
-
-declare ptr @__hwasan_memmove(ptr, ptr, i64)
-
-declare ptr @__hwasan_memcpy(ptr, ptr, i64)
-
-declare ptr @__hwasan_memset(ptr, i32, i64)
-
-declare void @__hwasan_tag_memory(ptr, i8, i64)
-
-declare i8 @__hwasan_generate_tag()
-
-declare void @__hwasan_add_frame_record(i64)
-
-declare void @__hwasan_handle_vfork(i64)
-
-; Function Attrs: nounwind
-declare void @llvm.hwasan.check.memaccess.shortgranules.fixedshadow(ptr, i32 immarg, i64 immarg) #1
-
-attributes #0 = { sanitize_hwaddress }
-attributes #1 = { nounwind }
-
 !llvm.module.flags = !{!1}
 
 !0 = !{ptr @hwasan.note}

From cb3a9bebd5866c77fdc2324db2057a59abd49359 Mon Sep 17 00:00:00 2001
From: Thurston Dang <thurston@google.com>
Date: Wed, 8 Jan 2025 23:12:10 +0000
Subject: [PATCH 3/3] Prune more

---
 llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll b/llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll
index 9e81d4611a69a..dca39fe03fb10 100644
--- a/llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll
+++ b/llvm/test/CodeGen/AArch64/hwasan-zero-ptr.ll
@@ -14,16 +14,9 @@ target triple = "aarch64--linux-android10000"
 
 $hwasan.module_ctor = comdat any
 
-$__hwasan_personality_thunk = comdat any
-
-@llvm.used = appending global [1 x ptr] [ptr @hwasan.module_ctor], section "llvm.metadata"
-@llvm.global_ctors = appending global [1 x { i32, ptr, ptr }] [{ i32, ptr, ptr } { i32 0, ptr @hwasan.module_ctor, ptr @hwasan.module_ctor }]
 @__start_hwasan_globals = external hidden constant [0 x i8]
 @__stop_hwasan_globals = external hidden constant [0 x i8]
 @hwasan.note = private constant { i32, i32, i32, [8 x i8], i32, i32 } { i32 8, i32 8, i32 3, [8 x i8] c"LLVM\00\00\00\00", i32 trunc (i64 sub (i64 ptrtoint (ptr @__start_hwasan_globals to i64), i64 ptrtoint (ptr @hwasan.note to i64)) to i32), i32 trunc (i64 sub (i64 ptrtoint (ptr @__stop_hwasan_globals to i64), i64 ptrtoint (ptr @hwasan.note to i64)) to i32) }, section ".note.hwasan.globals", comdat($hwasan.module_ctor), align 4
-@hwasan.dummy.global = private constant [0 x i8] zeroinitializer, section "hwasan_globals", comdat($hwasan.module_ctor), !associated !0
-@llvm.compiler.used = appending global [2 x ptr] [ptr @hwasan.note, ptr @hwasan.dummy.global], section "llvm.metadata"
-@__hwasan_shadow = external global [0 x i8]
 
 ; Function Attrs: sanitize_hwaddress
 define void @test_store_to_zeroptr() #0 {
@@ -66,12 +59,6 @@ define internal void @hwasan.module_ctor() #1 comdat {
   ret void
 }
 
-declare i32 @__hwasan_personality_wrapper(i32, i32, i64, ptr, ptr, ptr, ptr, ptr)
-
-declare void @_Unwind_GetGR()
-
-declare void @_Unwind_GetCFA()
-
 !llvm.module.flags = !{!1}
 
 !0 = !{ptr @hwasan.note}