Merge pull request #6476 from trailofbits/fix_docker_jq

Fixes `jq` docker example

Author: ESultanik

examples/Dockerfile-jq.demo

@@ -1,25 +1,14 @@
-FROM trailofbits/polytracker
-MAINTAINER Evan Sultanik <[email protected]>
+FROM trailofbits/polytracker:latest
+LABEL org.opencontainers.image.authors="[email protected]"
 
 WORKDIR /polytracker/the_klondike
 
-#ENV CC=clang
-#ENV CXX=clang++
+RUN apt-get update && apt-get install -y flex bison libtool make automake autoconf build-essential
 
-RUN apt-get update && apt-get install -y flex bison libtool make automake autoconf
-
-RUN git clone https://github.com/stedolan/jq.git
+RUN git clone --recursive https://github.com/stedolan/jq.git
 
 WORKDIR /polytracker/the_klondike/jq
-
-RUN git submodule update --init
 RUN autoreconf -fi
-RUN ./configure --with-oniguruma=builtin --disable-valgrind --enable-all-static --prefix=/usr/local \
-    CFLAGS="-DNDEBUG" LDFLAGS=-all-static
-RUN make LDFLAGS=-all-static -j`nproc`
-# && make check
-RUN get-bc -b jq && ${CC} --lower-bitcode -i jq.bc -o jq_track --libs m && mv jq_track /usr/local/bin/jq
-
-# Note, the /workdir directory is intended to be mounted at runtime
-VOLUME ["/workdir"]
-WORKDIR /workdir
+RUN ./configure --with-oniguruma=builtin CC=clang
+RUN polytracker build make -j$((`nproc`+1))
+RUN polytracker instrument-targets jq

polytracker/build.py

@@ -187,6 +187,8 @@ def _instrument_bitcode(
     for item in ignore_lists:
         cmd.append(f"-dfsan-abilist={ABI_PATH}/{item}")
 
+    cmd.append("-fn_attr_remove")
+
     cmd += [str(input_bitcode), "-o", str(output_bitcode)]
     subprocess.check_call(cmd)
 

polytracker/include/polytracker/polytracker_pass.h

@@ -67,6 +67,14 @@ struct PolytrackerPass : public llvm::ModulePass,
   std::unordered_map<std::string, bool> ignore_funcs;
 };
 
+struct FnAttrRemovePass : public llvm::ModulePass,
+                          public llvm::InstVisitor<FnAttrRemovePass> {
+  static char ID;
+  FnAttrRemovePass() : ModulePass(ID) {}
+  bool runOnModule(llvm::Module &module) override;
+  void visitCallInst(llvm::CallInst &ci);
+};
+
 }; // namespace polytracker
 
 #endif /* POLYTRACKER_INCLUDE_POLYTRACKER_PASS_H_ */

polytracker/src/passes/polytracker_pass.cpp

@@ -668,8 +668,44 @@ bool PolytrackerPass::runOnModule(llvm::Module &mod) {
 
 char PolytrackerPass::ID = 0;
 
+void FnAttrRemovePass::visitCallInst(llvm::CallInst &ci) {
+  auto fn = ci.getCalledFunction();
+  if (!fn) {
+    return;
+  }
+  auto fname = fn->getName();
+  if (fname.startswith("__dfsw") || fname.startswith("dfs$")) {
+    ci.removeAttribute(llvm::AttributeList::FunctionIndex,
+                       llvm::Attribute::InaccessibleMemOnly);
+    ci.removeAttribute(llvm::AttributeList::FunctionIndex,
+                       llvm::Attribute::InaccessibleMemOrArgMemOnly);
+    ci.removeAttribute(llvm::AttributeList::FunctionIndex,
+                       llvm::Attribute::ReadOnly);
+  }
+}
+
+bool FnAttrRemovePass::runOnModule(llvm::Module &module) {
+  for (auto &fn : module) {
+    auto fname = fn.getName();
+    if (fname.startswith("__dfsw") || fname.startswith("dfs$")) {
+      fn.removeFnAttr(llvm::Attribute::InaccessibleMemOnly);
+      fn.removeFnAttr(llvm::Attribute::InaccessibleMemOrArgMemOnly);
+      fn.removeFnAttr(llvm::Attribute::ReadOnly);
+    }
+    visit(fn);
+  }
+  return false;
+}
+
+char FnAttrRemovePass::ID = 0;
+
 }; // namespace polytracker
 
 static llvm::RegisterPass<polytracker::PolytrackerPass>
     X("ptrack", "Adds runtime monitoring calls to polytracker runtime",
       false /* Only looks at CFG */, false /* Analysis Pass */);
+
+static llvm::RegisterPass<polytracker::FnAttrRemovePass>
+    Y("fn_attr_remove",
+      "Removes memory-related function attributes from dfsan wrappers",
+      false /* Only looks at CFG */, false /* Analysis Pass */);