File: use-after-scope-setjmp.ll

; NOTE: Assertions have been autogenerated by utils/update_test_checks.py UTC_ARGS: --version 2
; RUN: opt -passes=hwasan -hwasan-use-stack-safety=0 -hwasan-use-after-scope -S < %s | FileCheck %s
; The pipeline above runs only the hwasan pass, with use-after-scope
; instrumentation switched on and the stack-safety analysis switched off
; (presumably so the stack buffer is instrumented whether or not that analysis
; would classify it as safe -- confirm against the pass options).
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64-unknown-linux-android29"

; Global that the function under test stores the address of its stack buffer
; into, so the pointer escapes the frame.
@stackbuf = dso_local local_unnamed_addr global ptr null, align 8
; Jump buffer handed to setjmp.
@jbuf = dso_local global [32 x i64] zeroinitializer, align 8

; External callee with no body in this file; the test treats it as a function
; that may longjmp back to the setjmp call.
declare void @may_jump()

; Regression test for HWASan use-after-scope instrumentation in a function
; that calls setjmp (declared returns_twice at the end of this file).
;
; The lifetime markers for %buf sit in while.body, around the call to
; @may_jump. If @may_jump longjmps, control resumes at the setjmp call and
; leaves through the switch to `return` without ever executing lifetime.end.
;
; The expected output therefore has no shadow writes at the lifetime markers
; (the markers themselves are gone from while.body). The shadow for %buf is
; tagged once in `entry`, before the setjmp call, and rewritten with
; HWASAN_UAR_TAG once in `return`, immediately before `ret`, which both the
; normal path and the longjmp path go through. Both memsets cover 256 shadow
; bytes, i.e. 4096 / 16, matching the lshr-by-4 address-to-shadow computation.
;
; NOTE(review): the security point, as far as this file shows, is that
; retagging tied to lifetime.end would be skipped on the longjmp path, leaving
; the frame's shadow with the live tag after return; the pointer saved in
; @stackbuf would then presumably still pass tag checks. Confirm against the
; pass implementation.
define dso_local noundef i1 @_Z6targetv() sanitize_hwaddress {
; CHECK-LABEL: define dso_local noundef i1 @_Z6targetv
; CHECK-SAME: () #[[ATTR0:[0-9]+]] {
; CHECK-NEXT:  entry:
; CHECK-NEXT:    [[TMP0:%.*]] = call ptr @llvm.thread.pointer()
; CHECK-NEXT:    [[TMP1:%.*]] = getelementptr i8, ptr [[TMP0]], i32 48
; CHECK-NEXT:    [[TMP2:%.*]] = load i64, ptr [[TMP1]], align 8
; CHECK-NEXT:    [[TMP3:%.*]] = ashr i64 [[TMP2]], 3
; CHECK-NEXT:    [[TMP4:%.*]] = call i64 @llvm.read_register.i64(metadata [[META1:![0-9]+]])
; CHECK-NEXT:    [[TMP5:%.*]] = call ptr @llvm.frameaddress.p0(i32 0)
; CHECK-NEXT:    [[TMP6:%.*]] = ptrtoint ptr [[TMP5]] to i64
; CHECK-NEXT:    [[TMP7:%.*]] = shl i64 [[TMP6]], 44
; CHECK-NEXT:    [[TMP8:%.*]] = or i64 [[TMP4]], [[TMP7]]
; CHECK-NEXT:    [[TMP9:%.*]] = inttoptr i64 [[TMP2]] to ptr
; CHECK-NEXT:    store i64 [[TMP8]], ptr [[TMP9]], align 8
; CHECK-NEXT:    [[TMP10:%.*]] = ashr i64 [[TMP2]], 56
; CHECK-NEXT:    [[TMP11:%.*]] = shl nuw nsw i64 [[TMP10]], 12
; CHECK-NEXT:    [[TMP12:%.*]] = xor i64 [[TMP11]], -1
; CHECK-NEXT:    [[TMP13:%.*]] = add i64 [[TMP2]], 8
; CHECK-NEXT:    [[TMP14:%.*]] = and i64 [[TMP13]], [[TMP12]]
; CHECK-NEXT:    store i64 [[TMP14]], ptr [[TMP1]], align 8
; CHECK-NEXT:    [[TMP15:%.*]] = or i64 [[TMP2]], 4294967295
; CHECK-NEXT:    [[HWASAN_SHADOW:%.*]] = add i64 [[TMP15]], 1
; CHECK-NEXT:    [[TMP16:%.*]] = inttoptr i64 [[HWASAN_SHADOW]] to ptr
; CHECK-NEXT:    [[HWASAN_UAR_TAG:%.*]] = lshr i64 [[TMP6]], 56
; CHECK-NEXT:    [[BUF:%.*]] = alloca [4096 x i8], align 16
; CHECK-NEXT:    [[TMP17:%.*]] = xor i64 [[TMP3]], 0
; CHECK-NEXT:    [[TMP18:%.*]] = ptrtoint ptr [[BUF]] to i64
; CHECK-NEXT:    [[TMP19:%.*]] = and i64 [[TMP18]], 72057594037927935
; CHECK-NEXT:    [[TMP20:%.*]] = shl i64 [[TMP17]], 56
; CHECK-NEXT:    [[TMP21:%.*]] = or i64 [[TMP19]], [[TMP20]]
; CHECK-NEXT:    [[BUF_HWASAN:%.*]] = inttoptr i64 [[TMP21]] to ptr
; CHECK-NEXT:    [[TMP22:%.*]] = trunc i64 [[TMP17]] to i8
; CHECK-NEXT:    [[TMP23:%.*]] = ptrtoint ptr [[BUF]] to i64
; CHECK-NEXT:    [[TMP24:%.*]] = and i64 [[TMP23]], 72057594037927935
; CHECK-NEXT:    [[TMP25:%.*]] = lshr i64 [[TMP24]], 4
; CHECK-NEXT:    [[TMP26:%.*]] = getelementptr i8, ptr [[TMP16]], i64 [[TMP25]]
; CHECK-NEXT:    call void @llvm.memset.p0.i64(ptr align 1 [[TMP26]], i8 [[TMP22]], i64 256, i1 false)
; CHECK-NEXT:    [[CALL:%.*]] = call i32 @setjmp(ptr noundef @jbuf)
; CHECK-NEXT:    switch i32 [[CALL]], label [[WHILE_BODY:%.*]] [
; CHECK-NEXT:    i32 1, label [[RETURN:%.*]]
; CHECK-NEXT:    i32 2, label [[SW_BB1:%.*]]
; CHECK-NEXT:    ]
; CHECK:       sw.bb1:
; CHECK-NEXT:    br label [[RETURN]]
; CHECK:       while.body:
; CHECK-NEXT:    call void @llvm.hwasan.check.memaccess(ptr [[TMP16]], ptr @stackbuf, i32 19)
; CHECK-NEXT:    store ptr [[BUF_HWASAN]], ptr @stackbuf, align 8
; CHECK-NEXT:    call void @may_jump()
; CHECK-NEXT:    br label [[RETURN]]
; CHECK:       return:
; CHECK-NEXT:    [[RETVAL_0:%.*]] = phi i1 [ true, [[WHILE_BODY]] ], [ true, [[SW_BB1]] ], [ false, [[ENTRY:%.*]] ]
; CHECK-NEXT:    [[TMP27:%.*]] = trunc i64 [[HWASAN_UAR_TAG]] to i8
; CHECK-NEXT:    [[TMP28:%.*]] = ptrtoint ptr [[BUF]] to i64
; CHECK-NEXT:    [[TMP29:%.*]] = and i64 [[TMP28]], 72057594037927935
; CHECK-NEXT:    [[TMP30:%.*]] = lshr i64 [[TMP29]], 4
; CHECK-NEXT:    [[TMP31:%.*]] = getelementptr i8, ptr [[TMP16]], i64 [[TMP30]]
; CHECK-NEXT:    call void @llvm.memset.p0.i64(ptr align 1 [[TMP31]], i8 [[TMP27]], i64 256, i1 false)
; CHECK-NEXT:    ret i1 [[RETVAL_0]]
;
entry:
  ; Input uses align 1; the expected output shows the alloca raised to align 16.
  %buf = alloca [4096 x i8], align 1
  ; setjmp's result selects the path: 1 goes straight to `return`, 2 goes via
  ; sw.bb1, and any other value (including the initial direct return) enters
  ; while.body.
  %call = call i32 @setjmp(ptr noundef @jbuf)
  switch i32 %call, label %while.body [
  i32 1, label %return
  i32 2, label %sw.bb1
  ]

sw.bb1:                                           ; preds = %entry
  br label %return

while.body:                                       ; preds = %entry
  call void @llvm.lifetime.start.p0(i64 4096, ptr nonnull %buf) #10
  ; Lets the address of %buf escape to a global. In the expected output this
  ; store is preceded by a tag check on @stackbuf and writes the tagged
  ; pointer (BUF_HWASAN).
  store ptr %buf, ptr @stackbuf, align 8
  ; may_jump may call longjmp, going back to the switch (and then the return),
  ; bypassing the lifetime.end. This is why we need to untag on the return,
  ; rather than the lifetime.end.
  call void @may_jump()
  ; Reached only when may_jump returns normally.
  call void @llvm.lifetime.end.p0(i64 4096, ptr nonnull %buf) #10
  br label %return

return:                                           ; preds = %entry, %while.body, %sw.bb1
  ; Single exit block shared by all three paths; the expected output places
  ; the shadow rewrite with HWASAN_UAR_TAG here, just before the ret.
  %retval.0 = phi i1 [ true, %while.body ], [ true, %sw.bb1 ], [ false, %entry ]
  ret i1 %retval.0
}

; setjmp is declared returns_twice, i.e. a call to it may return more than
; once. NOTE(review): presumably this attribute is what makes the hwasan pass
; retag at function exit instead of at the lifetime markers -- confirm in the
; pass source.
declare i32 @setjmp(ptr noundef) returns_twice

; Lifetime intrinsics used in while.body to delimit the scope of %buf.
declare void @llvm.lifetime.start.p0(i64 immarg, ptr nocapture)
declare void @llvm.lifetime.end.p0(i64 immarg, ptr nocapture)