Subzero: Replace pointers to allocation functions in loads
BUG=https://bugs.chromium.org/p/nativeclient/issues/detail?id=4374
R=kschimpf@google.com, stichnot@chromium.org
Review URL: https://codereview.chromium.org/2241383006 .
diff --git a/src/IceASanInstrumentation.cpp b/src/IceASanInstrumentation.cpp
index e7c531b..3978706 100644
--- a/src/IceASanInstrumentation.cpp
+++ b/src/IceASanInstrumentation.cpp
@@ -363,6 +363,24 @@
void ASanInstrumentation::instrumentLoad(LoweringContext &Context,
InstLoad *Instr) {
+ Operand *Src = Instr->getSourceAddress();
+ if (auto *Reloc = llvm::dyn_cast<ConstantRelocatable>(Src)) {
+ std::string SrcName = Reloc->getName().toStringOrEmpty();
+ assert(!SrcName.empty());
+ StringMap::const_iterator SrcSub = FuncSubstitutions.find(SrcName);
+ if (SrcSub != FuncSubstitutions.end()) {
+ auto *NewSrc = ConstantRelocatable::create(
+ Ctx, Reloc->getType(),
+ RelocatableTuple(Reloc->getOffset(), RelocOffsetArray(0),
+ Ctx->getGlobalString(SrcSub->second),
+ Reloc->getEmitString()));
+ auto *NewLoad = InstLoad::create(Context.getNode()->getCfg(),
+ Instr->getDest(), NewSrc);
+ Instr->setDeleted();
+ Context.insert(NewLoad);
+ Instr = NewLoad;
+ }
+ }
Constant *Func =
Ctx->getConstantExternSym(Ctx->getGlobalString("__asan_check_load"));
instrumentAccess(Context, Instr->getSourceAddress(),
diff --git a/tests_lit/asan_tests/localreplacement.ll b/tests_lit/asan_tests/localreplacement.ll
new file mode 100644
index 0000000..06b810c
--- /dev/null
+++ b/tests_lit/asan_tests/localreplacement.ll
@@ -0,0 +1,48 @@
+; Test that loads of local pointers to allocation functions are instrumented
+
+; REQUIRES: allow_dump
+
+; RUN: %p2i -i %s --args -verbose=inst -threads=0 -fsanitize-address \
+; RUN: -allow-externally-defined-symbols | FileCheck --check-prefix=DUMP %s
+
+declare external i32 @malloc(i32)
+declare external i32 @realloc(i32, i32)
+declare external i32 @calloc(i32, i32)
+declare external void @free(i32)
+
+define internal void @func() {
+ %malloc_addr = bitcast i32 (i32)* @malloc to i32*
+ %realloc_addr = bitcast i32 (i32, i32)* @realloc to i32*
+ %calloc_addr = bitcast i32 (i32, i32)* @calloc to i32*
+ %free_addr = bitcast void (i32)* @free to i32*
+
+ %local_malloc = load i32, i32* %malloc_addr, align 1
+ %local_realloc = load i32, i32* %realloc_addr, align 1
+ %local_calloc = load i32, i32* %calloc_addr, align 1
+ %local_free = load i32, i32* %free_addr, align 1
+
+ %local_mallocfunc = inttoptr i32 %local_malloc to i32 (i32)*
+ %local_reallocfunc = inttoptr i32 %local_realloc to i32 (i32, i32)*
+ %local_callocfunc = inttoptr i32 %local_calloc to i32 (i32, i32)*
+ %local_freefunc = inttoptr i32 %local_free to void (i32)*
+
+ %buf = call i32 %local_mallocfunc(i32 42)
+ call void %local_freefunc(i32 %buf)
+ ret void
+}
+
+; DUMP-LABEL: ================ Instrumented CFG ================
+; DUMP-NEXT: @func() {
+; DUMP-NEXT: __0:
+; DUMP-NEXT: call void @__asan_check_load(i32 @__asan_malloc, i32 4)
+; DUMP-NEXT: %local_malloc = load i32, i32* @__asan_malloc, align 1
+; DUMP-NEXT: call void @__asan_check_load(i32 @__asan_realloc, i32 4)
+; DUMP-NEXT: %local_realloc = load i32, i32* @__asan_realloc, align 1
+; DUMP-NEXT: call void @__asan_check_load(i32 @__asan_calloc, i32 4)
+; DUMP-NEXT: %local_calloc = load i32, i32* @__asan_calloc, align 1
+; DUMP-NEXT: call void @__asan_check_load(i32 @__asan_free, i32 4)
+; DUMP-NEXT: %local_free = load i32, i32* @__asan_free, align 1
+; DUMP-NEXT: %buf = call i32 %local_malloc(i32 42)
+; DUMP-NEXT: call void %local_free(i32 %buf)
+; DUMP-NEXT: ret void
+; DUMP-NEXT: }
