Fixed instruction corruption bug for multiple returns.

BUG=https://bugs.chromium.org/p/nativeclient/issues/detail?id=4374 R=kschimpf@google.com Review URL: https://codereview.chromium.org/2128643002 .

Fixed instruction corruption bug for multiple returns.
a7e5a951 · Thomas Lively · cf062799 · a7e5a951 · a7e5a951 · a7e5a951
Commit a7e5a951 authored Jul 06, 2016 by Thomas Lively
4 changed files
--- a/pydir/szbuild.py
+++ b/pydir/szbuild.py
@@ -266,11 +266,6 @@ def main():
    args = argparser.parse_args()
    pexe = args.pexe
    exe = args.output
-    if args.asan:
-        if args.sandbox or args.nonsfi:
-            print 'Can only use AddressSanitizer with a native build'
-            exit(1)
-        args.sz_args.append('-fsanitize-address')
    ProcessPexe(args, pexe, exe)

 def ProcessPexe(args, pexe, exe):
@@ -307,6 +302,12 @@ def ProcessPexe(args, pexe, exe):
    opt_level_map = { 'm1':'0', '-1':'0', '0':'0', '1':'1', '2':'2' }
    hybrid = args.include or args.exclude
    native = not args.sandbox and not args.nonsfi
+    if args.asan:
+        if args.sandbox or args.nonsfi:
+            print 'Can only use AddressSanitizer with a native build'
+            exit(1)
+        if '-fsanitize-address' not in args.sz_args:
+          args.sz_args.append('-fsanitize-address')

    if hybrid and (args.force or
                   NewerThanOrNotThere(pexe, obj_llc) or

--- a/src/IceASanInstrumentation.cpp
+++ b/src/IceASanInstrumentation.cpp
@@ -64,7 +64,6 @@ ICE_TLS_DEFINE_FIELD(std::vector<InstCall *> *, ASanInstrumentation,
 void ASanInstrumentation::instrumentGlobals(VariableDeclarationList &Globals) {
  if (DidProcessGlobals)
    return;
-
  VariableDeclarationList NewGlobals;
  // Global holding pointers to all redzones
  auto *RzArray = VariableDeclaration::create(&NewGlobals);
@@ -147,7 +146,6 @@ std::string ASanInstrumentation::nextRzName() {
 void ASanInstrumentation::instrumentFuncStart(LoweringContext &Context) {
  if (ICE_TLS_GET_FIELD(LocalDtors) == nullptr)
    ICE_TLS_SET_FIELD(LocalDtors, new std::vector<InstCall *>());
-
  Cfg *Func = Context.getNode()->getCfg();
  bool HasLocals = false;
  LoweringContext C;
@@ -294,10 +292,21 @@ void ASanInstrumentation::instrumentAccess(LoweringContext &Context,
 }

 void ASanInstrumentation::instrumentRet(LoweringContext &Context, InstRet *) {
+  Cfg *Func = Context.getNode()->getCfg();
  InstList::iterator Next = Context.getNext();
  Context.setInsertPoint(Context.getCur());
  for (InstCall *RzUnpoison : *ICE_TLS_GET_FIELD(LocalDtors)) {
-    Context.insert(RzUnpoison);
+    SizeT NumArgs = RzUnpoison->getNumArgs();
+    Variable *Dest = RzUnpoison->getDest();
+    Operand *CallTarget = RzUnpoison->getCallTarget();
+    bool HasTailCall = RzUnpoison->isTailcall();
+    bool IsTargetHelperCall = RzUnpoison->isTargetHelperCall();
+    auto *RzUnpoisonCpy = InstCall::create(Func, NumArgs, Dest, CallTarget,
+                                           HasTailCall, IsTargetHelperCall);
+    for (int I = 0, Args = RzUnpoison->getNumArgs(); I < Args; ++I) {
+      RzUnpoisonCpy->addArg(RzUnpoison->getArg(I));
+    }
+    Context.insert(RzUnpoisonCpy);
  }
  Context.setNext(Next);
 }

--- a/tests_lit/asan_tests/multiple_returns.ll
+++ b/tests_lit/asan_tests/multiple_returns.ll
+; Check that functions with multiple returns are correctly instrumented
+
+; REQUIRES: allow_dump
+
+; RUN: %p2i -i %s --args -verbose=inst -threads=0 -fsanitize-address \
+; RUN:     | FileCheck --check-prefix=DUMP %s
+
+define internal void @ret_twice(i32 %condarg) {
+  %local1 = alloca i8, i32 4, align 4
+  %local2 = alloca i8, i32 4, align 4
+  %cond = icmp ne i32 %condarg, 0
+  br i1 %cond, label %yes, label %no
+yes:
+  ret void
+no:
+  ret void
+}
+
+; DUMP-LABEL: ================ Instrumented CFG ================
+; DUMP-NEXT: define internal void @ret_twice(i32 %condarg) {
+; DUMP-NEXT: __0:
+; DUMP-NEXT:   %local1 = alloca i8, i32 64, align 8
+; DUMP-NEXT:   %local2 = alloca i8, i32 64, align 8
+; DUMP-NEXT:   %__$rz2 = alloca i8, i32 32, align 8
+; DUMP-NEXT:   call void @__asan_poison(i32 %__$rz2, i32 32)
+; DUMP-NEXT:   %__$rz0 = add i32 %local1, 4
+; DUMP-NEXT:   call void @__asan_poison(i32 %__$rz0, i32 60)
+; DUMP-NEXT:   %__$rz1 = add i32 %local2, 4
+; DUMP-NEXT:   call void @__asan_poison(i32 %__$rz1, i32 60)
+; DUMP-NEXT:   %cond = icmp ne i32 %condarg, 0
+; DUMP-NEXT:   br i1 %cond, label %yes, label %no
+; DUMP-NEXT: yes:
+; DUMP-NEXT:   call void @__asan_unpoison(i32 %__$rz0, i32 60)
+; DUMP-NEXT:   call void @__asan_unpoison(i32 %__$rz1, i32 60)
+; DUMP-NEXT:   call void @__asan_unpoison(i32 %__$rz2, i32 32)
+; DUMP-NEXT:   ret void
+; DUMP-NEXT: no:
+; DUMP-NEXT:   call void @__asan_unpoison(i32 %__$rz0, i32 60)
+; DUMP-NEXT:   call void @__asan_unpoison(i32 %__$rz1, i32 60)
+; DUMP-NEXT:   call void @__asan_unpoison(i32 %__$rz2, i32 32)
+; DUMP-NEXT:   ret void
+; DUMP-NEXT: }
\ No newline at end of file
--- a/tests_lit/asan_tests/wideloads.ll
+++ b/tests_lit/asan_tests/wideloads.ll
@@ -5,7 +5,7 @@
 ; check for wide load exception
 ; RUN: llvm-as %s -o - | pnacl-freeze > %t.pexe && %S/../../pydir/szbuild.py \
 ; RUN:     --fsanitize-address --sz="-allow-externally-defined-symbols" \
-; RUN:     %t.pexe -o %t && %t | FileCheck %s --check-prefix=WIDE
+; RUN:     %t.pexe -o %t && %t | FileCheck %s --check-prefix=WIDE --allow-empty

 ; check for error reporting
 ; RUN: llvm-as %s -o - | pnacl-freeze > %t.pexe && %S/../../pydir/szbuild.py \