Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

assertion failure when KMSAN instruments a varargs function for aarch64 #69738

Closed
markjdb opened this issue Oct 20, 2023 · 2 comments · Fixed by #70660
Closed

assertion failure when KMSAN instruments a varargs function for aarch64 #69738

markjdb opened this issue Oct 20, 2023 · 2 comments · Fixed by #70660
Labels
compiler-rt:msan Memory sanitizer crash-on-valid

Comments

@markjdb
Copy link
Contributor

markjdb commented Oct 20, 2023 

$ cat varargs.c 
#include <stdarg.h>

void
func(int count, ...)
{
        va_list ap;

        va_start(ap, count);
        va_end(ap);
}
$ /usr/local/llvm-devel/bin/clang -target aarch64-unknown-freebsd15.0 -fsanitize=kernel-memory -c varargs.c                                                                                                                                                                                                 [25/1366]
Assertion failed: (Addr->getType()->isPointerTy()), function getShadowOriginPtrKernel, file /wrkdirs/usr/ports/devel/llvm-devel/work-default/llvm-project-07d2e90f28e36ac3c0a79d208ab74610f4b98546/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp, line 1796.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:        
0.      Program arguments: /usr/local/llvm-devel/bin/clang -target aarch64-unknown-freebsd15.0 -fsanitize=kernel-memory -c varargs.c
1.      <eof> parser at end of file
2.      Optimizer   
 #0 0x000000082d21d009 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x441d009)
 #1 0x000000082d21b0b5 llvm::sys::RunSignalHandlers() (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x441b0b5)
 #2 0x000000082d15ca94 (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x435ca94)
 #3 0x000000082123b58f handle_signal /root/freebsd/lib/libthr/thread/thr_sig.c:0:3
 #4 0x000000082123ab4b thr_sighandler /root/freebsd/lib/libthr/thread/thr_sig.c:245:1
 #5 0x00000008206da2d3 ([vdso]+0x2d3)
 #6 0x000000083298eb4a thr_kill /usr/obj/root/freebsd/amd64.amd64/lib/libc/thr_kill.S:4:0
 #7 0x00000008329073b4 _raise /root/freebsd/lib/libc/gen/raise.c:0:10
 #8 0x00000008329b94c9 abort /root/freebsd/lib/libc/stdlib/abort.c:71:17
 #9 0x00000008328ea741 (/lib/libc.so.7+0x93741)
#10 0x000000082e1b5207 (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x53b5207)
#11 0x000000082e1b9ce7 (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x53b9ce7)
#12 0x000000082e1ada0d llvm::MemorySanitizerPass::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x53ada0d)
#13 0x00000008252572a2 (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x28572a2)
#14 0x000000082d3eb341 llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x45eb341)
#15 0x00000008252500a5 (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x28500a5)
#16 0x0000000825247cef clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef, llvm::Module*, clang::BackendAction, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, std::__1::unique_pt
r<llvm::raw_pwrite_stream, std::__1::default_delete<llvm::raw_pwrite_stream>>) (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x2847cef)
#17 0x0000000825644613 (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x2c44613)
#18 0x0000000823f25076 clang::ParseAST(clang::Sema&, bool, bool) (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x1525076)
#19 0x00000008261c8552 clang::FrontendAction::Execute() (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x37c8552)
#20 0x000000082614fc0d clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x374fc0d)
#21 0x000000082624de7c clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x384de7c)
#22 0x0000000000215702 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/local/llvm-devel/bin/clang+0x215702)
#23 0x0000000000212a5c (/usr/local/llvm-devel/bin/clang+0x212a5c)
#24 0x0000000825db695e (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x33b695e)
#25 0x000000082d15c7a9 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x435c7a9)
#26 0x0000000825db6299 clang::driver::CC1Command::Execute(llvm::ArrayRef<std::__1::optional<llvm::StringRef>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*, bool*) const (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x33b6299)
#27 0x0000000825d7bdbf clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x337bdbf)
#28 0x0000000825d7c0a8 clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::__1::pair<int, clang::driver::Command const*>>&, bool) const (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x337c0a8)
#29 0x0000000825d99071 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::__1::pair<int, clang::driver::Command const*>>&) (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x3399071)
#30 0x0000000000212081 clang_main(int, char**, llvm::ToolContext const&) (/usr/local/llvm-devel/bin/clang+0x212081)
#31 0x0000000000220503 main (/usr/local/llvm-devel/bin/clang+0x220503)
#32 0x00000008328dbf5a __libc_start1 /root/freebsd/lib/libc/csu/libc_start1.c:157:2
clang: error: clang frontend command failed with exit code 134 (use -v to see invocation)
clang version 18.0.0
Target: aarch64-unknown-freebsd15.0
Thread model: posix
InstalledDir: /usr/local/llvm-devel/bin
clang: note: diagnostic msg: 
********************

The problem seems to be that in VarArgAArch64Helper::finalizeInstrumentation(), StackSaveAreaPtr, GrRegSaveAreaPtr and VrRegSaveAreaPtr have an integer type rather than a pointer type. Casting them with IRB.CreateIntToPtr() fixes the problem and allows the test program to compile, but I am unfamiliar with LLVM internals and am not sure if that's the right solution.

I did not test the latest development version of LLVM but I am fairly sure the problem is still there.
@ramosian-glider
Copy link
Contributor

cc @eugenis

@ramosian-glider
Copy link
Contributor

ramosian-glider commented Oct 27, 2023
edited

The following patch (almost identical to what Mark sent me offline) seems to fix the problem:

diff --git a/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp b/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
index e72db2d9d770..793f669de000 100644
--- a/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
+++ b/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
@@ -5258,21 +5258,27 @@ struct VarArgAArch64Helper : public VarArgHelper {
       // we need to adjust the offset for both GR and VR fields based on
       // the __{gr,vr}_offs value (since they are stores based on incoming
       // named arguments).
+      Type *RegSaveAreaPtrTy = IRB.getInt8PtrTy();
 
       // Read the stack pointer from the va_list.
-      Value *StackSaveAreaPtr = getVAField64(IRB, VAListTag, 0);
+      Value *StackSaveAreaPtr = IRB.CreateIntToPtr(getVAField64(IRB, VAListTag, 0),
+                                                   RegSaveAreaPtrTy);
 
       // Read both the __gr_top and __gr_off and add them up.
       Value *GrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 8);
       Value *GrOffSaveArea = getVAField32(IRB, VAListTag, 24);
 
-      Value *GrRegSaveAreaPtr = IRB.CreateAdd(GrTopSaveAreaPtr, GrOffSaveArea);
+      Value *GrRegSaveAreaPtr = IRB.CreateIntToPtr(IRB.CreateAdd(GrTopSaveAreaPtr,
+                                                                 GrOffSaveArea),
+                                                   RegSaveAreaPtrTy);
 
       // Read both the __vr_top and __vr_off and add them up.
       Value *VrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 16);
       Value *VrOffSaveArea = getVAField32(IRB, VAListTag, 28);
 
-      Value *VrRegSaveAreaPtr = IRB.CreateAdd(VrTopSaveAreaPtr, VrOffSaveArea);
+      Value *VrRegSaveAreaPtr = IRB.CreateIntToPtr(IRB.CreateAdd(VrTopSaveAreaPtr,
+                                                                 VrOffSaveArea),
+                                                   RegSaveAreaPtrTy);
 
       // It does not know how many named arguments is being used and, on the
       // callsite all the arguments were saved.  Since __gr_off is defined as

@ramosian-glider ramosian-glider mentioned this issue Oct 30, 2023
Closed
ramosian-glider added a commit to ramosian-glider/llvm-project that referenced this issue Oct 30, 2023
@ramosian-glider
[sanitizer][msan] fix AArch64 vararg support for KMSAN
3be71f4 
Cast StackSaveAreaPtr, GrRegSaveAreaPtr, VrRegSaveAreaPtr to pointers to
fix assertions in getShadowOriginPtrKernel().

Fixes: llvm#69738

Patch by Mark Johnston.
@ramosian-glider ramosian-glider mentioned this issue Oct 30, 2023
Merged
ramosian-glider added a commit to ramosian-glider/llvm-project that referenced this issue Nov 6, 2023
@ramosian-glider
[sanitizer][msan] fix AArch64 vararg support for KMSAN
2b3dda6 
Cast StackSaveAreaPtr, GrRegSaveAreaPtr, VrRegSaveAreaPtr to pointers to
fix assertions in getShadowOriginPtrKernel().

Also add an isPointerTy() assertion to getShadowOriginPtrUserspace() to
ensure both the userspace and the kernel implementations of
getShadowOriginPtr() have the same expectations.

Fixes: llvm#69738

Patch by Mark Johnston.
ramosian-glider added a commit that referenced this issue Nov 10, 2023
@ramosian-glider
[sanitizer][msan] fix AArch64 vararg support for KMSAN (#70660)
f577bfb 
Cast StackSaveAreaPtr, GrRegSaveAreaPtr, VrRegSaveAreaPtr to pointers to
fix assertions in getShadowOriginPtrKernel().

Fixes: #69738

Patch by Mark Johnston.
zahiraam pushed a commit to zahiraam/llvm-project that referenced this issue Nov 20, 2023
@ramosian-glider @zahiraam
[sanitizer][msan] fix AArch64 vararg support for KMSAN (llvm#70660)
d341813 
Cast StackSaveAreaPtr, GrRegSaveAreaPtr, VrRegSaveAreaPtr to pointers to
fix assertions in getShadowOriginPtrKernel().

Fixes: llvm#69738

Patch by Mark Johnston.
markjdb added a commit to markjdb/freebsd that referenced this issue Nov 27, 2023
@markjdb
llvm: Cast va_list entries to pointers when appropriate
45bfa38 
This fixes an assertion failure that occurs when compiling varargs
functions with KMSAN enabled.

See llvm/llvm-project#69738 for more context.
markjdb added a commit to markjdb/freebsd that referenced this issue Dec 18, 2023
@markjdb
llvm: Cast va_list entries to pointers when appropriate
b4fcd57 
This fixes an assertion failure that occurs when compiling varargs
functions with KMSAN enabled.

See llvm/llvm-project#69738 for more context.
markjdb added a commit to markjdb/freebsd that referenced this issue Dec 18, 2023
@markjdb
llvm: Cast va_list entries to pointers when appropriate
44aea0c 
This fixes an assertion failure that occurs when compiling varargs
functions with KMSAN enabled.

See llvm/llvm-project#69738 for more context.
markjdb added a commit to markjdb/freebsd that referenced this issue Dec 19, 2023
@markjdb
llvm: Cast va_list entries to pointers when appropriate
aeeb88d 
This fixes an assertion failure that occurs when compiling varargs
functions with KMSAN enabled.

See llvm/llvm-project#69738 for more context.
markjdb added a commit to markjdb/freebsd that referenced this issue Jan 11, 2024
@markjdb
llvm: Cast va_list entries to pointers when appropriate
44dfc29 
This fixes an assertion failure that occurs when compiling varargs
functions with KMSAN enabled.

See llvm/llvm-project#69738 for more context.
markjdb added a commit to markjdb/freebsd that referenced this issue Jan 12, 2024
@markjdb
llvm: Cast va_list entries to pointers when appropriate
db3d560 
This fixes an assertion failure that occurs when compiling varargs
functions with KMSAN enabled.

See llvm/llvm-project#69738 for more context.
markjdb added a commit to markjdb/freebsd that referenced this issue Jan 18, 2024
@markjdb
llvm: Cast va_list entries to pointers when appropriate
6a0db23 
This fixes an assertion failure that occurs when compiling varargs
functions with KMSAN enabled.

See llvm/llvm-project#69738 for more context.
markjdb added a commit to markjdb/freebsd that referenced this issue Jan 26, 2024
@markjdb
llvm: Cast va_list entries to pointers when appropriate
99ffb93 
This fixes an assertion failure that occurs when compiling varargs
functions with KMSAN enabled.

See llvm/llvm-project#69738 for more context.
markjdb added a commit to markjdb/freebsd that referenced this issue Jan 30, 2024
@markjdb
llvm: Cast va_list entries to pointers when appropriate
6f56b99 
This fixes an assertion failure that occurs when compiling varargs
functions with KMSAN enabled.

See llvm/llvm-project#69738 for more context.
markjdb added a commit to markjdb/freebsd that referenced this issue Feb 8, 2024
@markjdb
llvm: Cast va_list entries to pointers when appropriate
e29c7c8 
This fixes an assertion failure that occurs when compiling varargs
functions with KMSAN enabled.

See llvm/llvm-project#69738 for more context.
freebsd-git pushed a commit to freebsd/freebsd-src that referenced this issue Feb 8, 2024
@DimitryAndric
Merge commit f577bfb99528 from llvm-project (by Alexander Potapenko):
cf67576 
  [sanitizer][msan] fix AArch64 vararg support for KMSAN (#70660)

  Cast StackSaveAreaPtr, GrRegSaveAreaPtr, VrRegSaveAreaPtr to pointers to
  fix assertions in getShadowOriginPtrKernel().

  Fixes: llvm/llvm-project#69738

  Patch by Mark Johnston.

Requested by:	markj
MFC after:	3 days
freebsd-git pushed a commit to freebsd/freebsd-src that referenced this issue Feb 13, 2024
@DimitryAndric
Merge commit f577bfb99528 from llvm-project (by Alexander Potapenko):
2292dff 
  [sanitizer][msan] fix AArch64 vararg support for KMSAN (#70660)

  Cast StackSaveAreaPtr, GrRegSaveAreaPtr, VrRegSaveAreaPtr to pointers to
  fix assertions in getShadowOriginPtrKernel().

  Fixes: llvm/llvm-project#69738

  Patch by Mark Johnston.

Requested by:	markj
MFC after:	3 days

(cherry picked from commit cf67576)
freebsd-git pushed a commit to freebsd/freebsd-src that referenced this issue Feb 13, 2024
@DimitryAndric
Merge commit f577bfb99528 from llvm-project (by Alexander Potapenko):
24b0131 
  [sanitizer][msan] fix AArch64 vararg support for KMSAN (#70660)

  Cast StackSaveAreaPtr, GrRegSaveAreaPtr, VrRegSaveAreaPtr to pointers to
  fix assertions in getShadowOriginPtrKernel().

  Fixes: llvm/llvm-project#69738

  Patch by Mark Johnston.

Requested by:	markj
MFC after:	3 days

(cherry picked from commit cf67576)
5u623l20 pushed a commit to 5u623l20/freebsd-src that referenced this issue Feb 16, 2024
@DimitryAndric @5u623l20
Merge commit f577bfb99528 from llvm-project (by Alexander Potapenko):
f19d500 
  [sanitizer][msan] fix AArch64 vararg support for KMSAN (#70660)

  Cast StackSaveAreaPtr, GrRegSaveAreaPtr, VrRegSaveAreaPtr to pointers to
  fix assertions in getShadowOriginPtrKernel().

  Fixes: llvm/llvm-project#69738

  Patch by Mark Johnston.

Requested by:	markj
MFC after:	3 days
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
compiler-rt:msan Memory sanitizer crash-on-valid
Projects
None yet
Milestone
No milestone
3 participants
@markjdb @ramosian-glider @dtcxzyw