1; KMSAN instrumentation tests
2; RUN: opt < %s -msan-kernel=1 -S -passes=msan 2>&1 | FileCheck %s             \
3; RUN: -check-prefixes=CHECK
4
5target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
6target triple = "x86_64-unknown-linux-gnu"
7
8; Check the instrumentation prologue.
9define void @Empty() nounwind uwtable sanitize_memory {
10entry:
11  ret void
12}
13
14; CHECK-LABEL: @Empty
15; CHECK: entry:
16; CHECK: @__msan_get_context_state()
17; %param_shadow:
18; CHECK: getelementptr {{.*}} i32 0, i32 0
19; %retval_shadow:
20; CHECK: getelementptr {{.*}} i32 0, i32 1
21; %va_arg_shadow:
22; CHECK: getelementptr {{.*}} i32 0, i32 2
23; %va_arg_origin:
24; CHECK: getelementptr {{.*}} i32 0, i32 3
25; %va_arg_overflow_size:
26; CHECK: getelementptr {{.*}} i32 0, i32 4
27; %param_origin:
28; CHECK: getelementptr {{.*}} i32 0, i32 5
29; %retval_origin:
30; CHECK: getelementptr {{.*}} i32 0, i32 6
31
32; Check instrumentation of stores
33
34define void @Store1(i8* nocapture %p, i8 %x) nounwind uwtable sanitize_memory {
35entry:
36  store i8 %x, i8* %p
37  ret void
38}
39
40; CHECK-LABEL: @Store1
41; CHECK: entry:
42; CHECK: @__msan_get_context_state()
43; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
44; CHECK: [[BASE:%[0-9]+]] = ptrtoint {{.*}} [[PARAM_SHADOW]]
45; CHECK: [[SHADOW_PTR:%[a-z0-9_]+]] = inttoptr {{.*}} [[BASE]]
46; CHECK: [[SHADOW:%[a-z0-9]+]] = load i64, i64* [[SHADOW_PTR]]
47; CHECK: [[BASE2:%[0-9]+]] = ptrtoint {{.*}} [[PARAM_SHADOW]]
48; Load the shadow of %p and check it
49; CHECK: icmp ne i64 [[SHADOW]]
50; CHECK: br i1
51; CHECK: {{^[0-9]+}}:
52; CHECK: @__msan_metadata_ptr_for_store_1(i8* %p)
53; CHECK: store i8
54; If the new shadow is non-zero, jump to __msan_chain_origin()
55; CHECK: icmp
56; CHECK: br i1
57; CHECK: {{^[0-9]+}}:
58; CHECK: @__msan_chain_origin
59; Storing origin here:
60; CHECK: store i32
61; CHECK: br label
62; CHECK: {{^[0-9]+}}:
63; CHECK: store i8
64; CHECK: ret void
65
66define void @Store2(i16* nocapture %p, i16 %x) nounwind uwtable sanitize_memory {
67entry:
68  store i16 %x, i16* %p
69  ret void
70}
71
72; CHECK-LABEL: @Store2
73; CHECK: entry:
74; CHECK: @__msan_get_context_state()
75; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
76; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
77; Load the shadow of %p and check it
78; CHECK: load i64
79; CHECK: icmp
80; CHECK: br i1
81; CHECK: {{^[0-9]+}}:
82; CHECK: [[REG:%[0-9]+]] = bitcast i16* %p to i8*
83; CHECK: @__msan_metadata_ptr_for_store_2(i8* [[REG]])
84; CHECK: store i16
85; If the new shadow is non-zero, jump to __msan_chain_origin()
86; CHECK: icmp
87; CHECK: br i1
88; CHECK: {{^[0-9]+}}:
89; CHECK: @__msan_chain_origin
90; Storing origin here:
91; CHECK: store i32
92; CHECK: br label
93; CHECK: {{^[0-9]+}}:
94; CHECK: store i16
95; CHECK: ret void
96
97
98define void @Store4(i32* nocapture %p, i32 %x) nounwind uwtable sanitize_memory {
99entry:
100  store i32 %x, i32* %p
101  ret void
102}
103
104; CHECK-LABEL: @Store4
105; CHECK: entry:
106; CHECK: @__msan_get_context_state()
107; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
108; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
109; Load the shadow of %p and check it
110; CHECK: load i32
111; CHECK: icmp
112; CHECK: br i1
113; CHECK: {{^[0-9]+}}:
114; CHECK: [[REG:%[0-9]+]] = bitcast i32* %p to i8*
115; CHECK: @__msan_metadata_ptr_for_store_4(i8* [[REG]])
116; CHECK: store i32
117; If the new shadow is non-zero, jump to __msan_chain_origin()
118; CHECK: icmp
119; CHECK: br i1
120; CHECK: {{^[0-9]+}}:
121; CHECK: @__msan_chain_origin
122; Storing origin here:
123; CHECK: store i32
124; CHECK: br label
125; CHECK: {{^[0-9]+}}:
126; CHECK: store i32
127; CHECK: ret void
128
129define void @Store8(i64* nocapture %p, i64 %x) nounwind uwtable sanitize_memory {
130entry:
131  store i64 %x, i64* %p
132  ret void
133}
134
135; CHECK-LABEL: @Store8
136; CHECK: entry:
137; CHECK: @__msan_get_context_state()
138; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
139; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
140; Load the shadow of %p and check it
141; CHECK: load i64
142; CHECK: icmp
143; CHECK: br i1
144; CHECK: {{^[0-9]+}}:
145; CHECK: [[REG:%[0-9]+]] = bitcast i64* %p to i8*
146; CHECK: @__msan_metadata_ptr_for_store_8(i8* [[REG]])
147; CHECK: store i64
148; If the new shadow is non-zero, jump to __msan_chain_origin()
149; CHECK: icmp
150; CHECK: br i1
151; CHECK: {{^[0-9]+}}:
152; CHECK: @__msan_chain_origin
153; Storing origin here:
154; CHECK: store i64
155; CHECK: br label
156; CHECK: {{^[0-9]+}}:
157; CHECK: store i64
158; CHECK: ret void
159
160define void @Store16(i128* nocapture %p, i128 %x) nounwind uwtable sanitize_memory {
161entry:
162  store i128 %x, i128* %p
163  ret void
164}
165
166; CHECK-LABEL: @Store16
167; CHECK: entry:
168; CHECK: @__msan_get_context_state()
169; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
170; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
171; Load the shadow of %p and check it
172; CHECK: load i64
173; CHECK: icmp
174; CHECK: br i1
175; CHECK: {{^[0-9]+}}:
176; CHECK: [[REG:%[0-9]+]] = bitcast i128* %p to i8*
177; CHECK: @__msan_metadata_ptr_for_store_n(i8* [[REG]], i64 16)
178; CHECK: store i128
179; If the new shadow is non-zero, jump to __msan_chain_origin()
180; CHECK: icmp
181; CHECK: br i1
182; CHECK: {{^[0-9]+}}:
183; CHECK: @__msan_chain_origin
184; Storing origin here:
185; CHECK: store i64
186; CHECK: br label
187; CHECK: {{^[0-9]+}}:
188; CHECK: store i128
189; CHECK: ret void
190
191
192; Check instrumentation of loads
193
194define i8 @Load1(i8* nocapture %p) nounwind uwtable sanitize_memory {
195entry:
196  %0 = load i8, i8* %p
197  ret i8 %0
198}
199
200; CHECK-LABEL: @Load1
201; CHECK: entry:
202; CHECK: @__msan_get_context_state()
203; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
204; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
205; Load the shadow of %p and check it
206; CHECK: load i64
207; CHECK: icmp
208; CHECK: br i1
209; CHECK: {{^[0-9]+}}:
210; Load the value from %p. This is done before accessing the shadow
211; to ease atomic handling.
212; CHECK: load i8
213; CHECK: @__msan_metadata_ptr_for_load_1(i8* %p)
214; Load the shadow and origin.
215; CHECK: load i8
216; CHECK: load i32
217
218
219define i16 @Load2(i16* nocapture %p) nounwind uwtable sanitize_memory {
220entry:
221  %0 = load i16, i16* %p
222  ret i16 %0
223}
224
225; CHECK-LABEL: @Load2
226; CHECK: entry:
227; CHECK: @__msan_get_context_state()
228; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
229; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
230; Load the shadow of %p and check it
231; CHECK: load i64
232; CHECK: icmp
233; CHECK: br i1
234; CHECK: {{^[0-9]+}}:
235; Load the value from %p. This is done before accessing the shadow
236; to ease atomic handling.
237; CHECK: load i16
238; CHECK: [[REG:%[0-9]+]] = bitcast i16* %p to i8*
239; CHECK: @__msan_metadata_ptr_for_load_2(i8* [[REG]])
240; Load the shadow and origin.
241; CHECK: load i16
242; CHECK: load i32
243
244
245define i32 @Load4(i32* nocapture %p) nounwind uwtable sanitize_memory {
246entry:
247  %0 = load i32, i32* %p
248  ret i32 %0
249}
250
251; CHECK-LABEL: @Load4
252; CHECK: entry:
253; CHECK: @__msan_get_context_state()
254; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
255; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
256; Load the shadow of %p and check it
257; CHECK: load i64
258; CHECK: icmp
259; CHECK: br i1
260; CHECK: {{^[0-9]+}}:
261; Load the value from %p. This is done before accessing the shadow
262; to ease atomic handling.
263; CHECK: load i32
264; CHECK: [[REG:%[0-9]+]] = bitcast i32* %p to i8*
265; CHECK: @__msan_metadata_ptr_for_load_4(i8* [[REG]])
266; Load the shadow and origin.
267; CHECK: load i32
268; CHECK: load i32
269
270define i64 @Load8(i64* nocapture %p) nounwind uwtable sanitize_memory {
271entry:
272  %0 = load i64, i64* %p
273  ret i64 %0
274}
275
276; CHECK-LABEL: @Load8
277; CHECK: entry:
278; CHECK: @__msan_get_context_state()
279; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
280; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
281; Load the shadow of %p and check it
282; CHECK: load i64
283; CHECK: icmp
284; CHECK: br i1
285; CHECK: {{^[0-9]+}}:
286; Load the value from %p. This is done before accessing the shadow
287; to ease atomic handling.
288; CHECK: load i64
289; CHECK: [[REG:%[0-9]+]] = bitcast i64* %p to i8*
290; CHECK: @__msan_metadata_ptr_for_load_8(i8* [[REG]])
291; Load the shadow and origin.
292; CHECK: load i64
293; CHECK: load i32
294
295define i128 @Load16(i128* nocapture %p) nounwind uwtable sanitize_memory {
296entry:
297  %0 = load i128, i128* %p
298  ret i128 %0
299}
300
301; CHECK-LABEL: @Load16
302; CHECK: entry:
303; CHECK: @__msan_get_context_state()
304; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
305; CHECK: ptrtoint {{.*}} [[PARAM_SHADOW]]
306; Load the shadow of %p and check it
307; CHECK: load i64
308; CHECK: icmp
309; CHECK: br i1
310; CHECK: {{^[0-9]+}}:
311; Load the value from %p. This is done before accessing the shadow
312; to ease atomic handling.
313; CHECK: load i128
314; CHECK: [[REG:%[0-9]+]] = bitcast i128* %p to i8*
315; CHECK: @__msan_metadata_ptr_for_load_n(i8* [[REG]], i64 16)
316; Load the shadow and origin.
317; CHECK: load i128
318; CHECK: load i32
319
320
321; Test kernel-specific va_list instrumentation
322
323%struct.__va_list_tag = type { i32, i32, i8*, i8* }
324declare void @llvm.va_start(i8*) nounwind
325declare void @llvm.va_end(i8*)
326@.str = private unnamed_addr constant [4 x i8] c"%d\0A\00", align 1
327declare dso_local i32 @VAListFn(i8*, %struct.__va_list_tag*) local_unnamed_addr
328
329; Function Attrs: nounwind uwtable
330define dso_local i32 @VarArgFn(i8* %fmt, ...) local_unnamed_addr sanitize_memory #0 {
331entry:
332  %args = alloca [1 x %struct.__va_list_tag], align 16
333  %0 = bitcast [1 x %struct.__va_list_tag]* %args to i8*
334  %arraydecay = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %args, i64 0, i64 0
335  call void @llvm.va_start(i8* nonnull %0)
336  %call = call i32 @VAListFn(i8* %fmt, %struct.__va_list_tag* nonnull %arraydecay)
337  call void @llvm.va_end(i8* nonnull %0)
338  ret i32 %call
339}
340
341; Kernel is built without SSE support.
342attributes #0 = { "target-features"="+fxsr,+x87,-sse" }
343
344; CHECK-LABEL: @VarArgFn
345; CHECK: @__msan_get_context_state()
346; CHECK: [[VA_ARG_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 2
347; CHECK: [[VA_ARG_ORIGIN:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 3
348; CHECK: [[VA_ARG_OVERFLOW_SIZE:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 4
349
350; CHECK: [[OSIZE:%[0-9]+]] = load i64, i64* [[VA_ARG_OVERFLOW_SIZE]]
351; Register save area is 48 bytes for non-SSE builds.
352; CHECK: [[SIZE:%[0-9]+]] = add i64 48, [[OSIZE]]
353; CHECK: [[SHADOWS:%[0-9]+]] = alloca i8, i64 [[SIZE]]
354; CHECK: [[VA_ARG_SHADOW]]
355; CHECK: call void @llvm.memcpy{{.*}}(i8* align 8 [[SHADOWS]], {{.*}}, i64 [[SIZE]]
356; CHECK: [[ORIGINS:%[0-9]+]] = alloca i8, i64 [[SIZE]]
357; CHECK: [[VA_ARG_ORIGIN]]
358; CHECK: call void @llvm.memcpy{{.*}}(i8* align 8 [[ORIGINS]], {{.*}}, i64 [[SIZE]]
359; CHECK: call i32 @VAListFn
360
361; Function Attrs: nounwind uwtable
362define dso_local void @VarArgCaller() local_unnamed_addr sanitize_memory {
363entry:
364  %call = tail call i32 (i8*, ...) @VarArgFn(i8* getelementptr inbounds ([4 x i8], [4 x i8]* @.str, i64 0, i64 0), i32 123)
365  ret void
366}
367
368; CHECK-LABEL: @VarArgCaller
369
370; CHECK: entry:
371; CHECK: @__msan_get_context_state()
372; CHECK: [[PARAM_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 0
373; CHECK: [[VA_ARG_SHADOW:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 2
374; CHECK: [[VA_ARG_OVERFLOW_SIZE:%[a-z0-9_]+]] = getelementptr {{.*}} i32 0, i32 4
375
376; CHECK: [[PARAM_SI:%[_a-z0-9]+]] = ptrtoint {{.*}} [[PARAM_SHADOW]]
377; CHECK: [[ARG1_S:%[_a-z0-9]+]] = inttoptr i64 [[PARAM_SI]] to i64*
378; First argument is initialized
379; CHECK: store i64 0, i64* [[ARG1_S]]
380
381; Dangling cast of va_arg_shadow[0], unused because the first argument is fixed.
382; CHECK: [[VA_CAST0:%[_a-z0-9]+]] = ptrtoint {{.*}} [[VA_ARG_SHADOW]] to i64
383
384; CHECK: [[VA_CAST1:%[_a-z0-9]+]] = ptrtoint {{.*}} [[VA_ARG_SHADOW]] to i64
385; CHECK: [[ARG1_SI:%[_a-z0-9]+]] = add i64 [[VA_CAST1]], 8
386; CHECK: [[PARG1_S:%[_a-z0-9]+]] = inttoptr i64 [[ARG1_SI]] to i32*
387
388; Shadow for 123 is 0.
389; CHECK: store i32 0, i32* [[ARG1_S]]
390
391; CHECK: store i64 0, i64* [[VA_ARG_OVERFLOW_SIZE]]
392; CHECK: call i32 (i8*, ...) @VarArgFn({{.*}} @.str{{.*}} i32 123)
393