1 ; RUN: opt < %s -msan -msan-check-access-address=0 -S | FileCheck %s 2 ; RUN: opt < %s -msan -msan-check-access-address=0 -msan-track-origins=1 -S | FileCheck -check-prefix=CHECK -check-prefix=CHECK-ORIGINS %s 3 4 target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128" 5 target triple = "x86_64-unknown-linux-gnu" 6 7 ; CHECK: @llvm.global_ctors {{.*}} @msan.module_ctor 8 9 ; Check the presence and the linkage type of __msan_track_origins and 10 ; other interface symbols. 11 ; CHECK-NOT: @__msan_track_origins 12 ; CHECK-ORIGINS: @__msan_track_origins = weak_odr constant i32 1 13 ; CHECK-NOT: @__msan_keep_going = weak_odr constant i32 0 14 ; CHECK: @__msan_retval_tls = external thread_local(initialexec) global [{{.*}}] 15 ; CHECK: @__msan_retval_origin_tls = external thread_local(initialexec) global i32 16 ; CHECK: @__msan_param_tls = external thread_local(initialexec) global [{{.*}}] 17 ; CHECK: @__msan_param_origin_tls = external thread_local(initialexec) global [{{.*}}] 18 ; CHECK: @__msan_va_arg_tls = external thread_local(initialexec) global [{{.*}}] 19 ; CHECK: @__msan_va_arg_overflow_size_tls = external thread_local(initialexec) global i64 20 ; CHECK: @__msan_origin_tls = external thread_local(initialexec) global i32 21 22 23 ; Check instrumentation of stores 24 25 define void @Store(i32* nocapture %p, i32 %x) nounwind uwtable sanitize_memory { 26 entry: 27 store i32 %x, i32* %p, align 4 28 ret void 29 } 30 31 ; CHECK-LABEL: @Store 32 ; CHECK: load {{.*}} @__msan_param_tls 33 ; CHECK-ORIGINS: load {{.*}} @__msan_param_origin_tls 34 ; CHECK: store 35 ; CHECK-ORIGINS: icmp 36 ; CHECK-ORIGINS: br i1 37 ; CHECK-ORIGINS: <label> 38 ; CHECK-ORIGINS: store 39 ; CHECK-ORIGINS: br label 40 ; CHECK-ORIGINS: <label> 41 ; CHECK: store 42 ; CHECK: ret void 43 44 45 ; Check instrumentation of aligned stores 46 ; Shadow store has the same alignment as the original store; origin store 47 ; does not specify explicit alignment. 48 49 define void @AlignedStore(i32* nocapture %p, i32 %x) nounwind uwtable sanitize_memory { 50 entry: 51 store i32 %x, i32* %p, align 32 52 ret void 53 } 54 55 ; CHECK-LABEL: @AlignedStore 56 ; CHECK: load {{.*}} @__msan_param_tls 57 ; CHECK-ORIGINS: load {{.*}} @__msan_param_origin_tls 58 ; CHECK: store {{.*}} align 32 59 ; CHECK-ORIGINS: icmp 60 ; CHECK-ORIGINS: br i1 61 ; CHECK-ORIGINS: <label> 62 ; CHECK-ORIGINS: store {{.*}} align 32 63 ; CHECK-ORIGINS: br label 64 ; CHECK-ORIGINS: <label> 65 ; CHECK: store {{.*}} align 32 66 ; CHECK: ret void 67 68 69 ; load followed by cmp: check that we load the shadow and call __msan_warning. 70 define void @LoadAndCmp(i32* nocapture %a) nounwind uwtable sanitize_memory { 71 entry: 72 %0 = load i32, i32* %a, align 4 73 %tobool = icmp eq i32 %0, 0 74 br i1 %tobool, label %if.end, label %if.then 75 76 if.then: ; preds = %entry 77 tail call void (...) @foo() nounwind 78 br label %if.end 79 80 if.end: ; preds = %entry, %if.then 81 ret void 82 } 83 84 declare void @foo(...) 85 86 ; CHECK-LABEL: @LoadAndCmp 87 ; CHECK: = load 88 ; CHECK: = load 89 ; CHECK: call void @__msan_warning_noreturn() 90 ; CHECK-NEXT: call void asm sideeffect 91 ; CHECK-NEXT: unreachable 92 ; CHECK: ret void 93 94 ; Check that we store the shadow for the retval. 95 define i32 @ReturnInt() nounwind uwtable readnone sanitize_memory { 96 entry: 97 ret i32 123 98 } 99 100 ; CHECK-LABEL: @ReturnInt 101 ; CHECK: store i32 0,{{.*}}__msan_retval_tls 102 ; CHECK: ret i32 103 104 ; Check that we get the shadow for the retval. 105 define void @CopyRetVal(i32* nocapture %a) nounwind uwtable sanitize_memory { 106 entry: 107 %call = tail call i32 @ReturnInt() nounwind 108 store i32 %call, i32* %a, align 4 109 ret void 110 } 111 112 ; CHECK-LABEL: @CopyRetVal 113 ; CHECK: load{{.*}}__msan_retval_tls 114 ; CHECK: store 115 ; CHECK: store 116 ; CHECK: ret void 117 118 119 ; Check that we generate PHIs for shadow. 120 define void @FuncWithPhi(i32* nocapture %a, i32* %b, i32* nocapture %c) nounwind uwtable sanitize_memory { 121 entry: 122 %tobool = icmp eq i32* %b, null 123 br i1 %tobool, label %if.else, label %if.then 124 125 if.then: ; preds = %entry 126 %0 = load i32, i32* %b, align 4 127 br label %if.end 128 129 if.else: ; preds = %entry 130 %1 = load i32, i32* %c, align 4 131 br label %if.end 132 133 if.end: ; preds = %if.else, %if.then 134 %t.0 = phi i32 [ %0, %if.then ], [ %1, %if.else ] 135 store i32 %t.0, i32* %a, align 4 136 ret void 137 } 138 139 ; CHECK-LABEL: @FuncWithPhi 140 ; CHECK: = phi 141 ; CHECK-NEXT: = phi 142 ; CHECK: store 143 ; CHECK: store 144 ; CHECK: ret void 145 146 ; Compute shadow for "x << 10" 147 define void @ShlConst(i32* nocapture %x) nounwind uwtable sanitize_memory { 148 entry: 149 %0 = load i32, i32* %x, align 4 150 %1 = shl i32 %0, 10 151 store i32 %1, i32* %x, align 4 152 ret void 153 } 154 155 ; CHECK-LABEL: @ShlConst 156 ; CHECK: = load 157 ; CHECK: = load 158 ; CHECK: shl 159 ; CHECK: shl 160 ; CHECK: store 161 ; CHECK: store 162 ; CHECK: ret void 163 164 ; Compute shadow for "10 << x": it should have 'sext i1'. 165 define void @ShlNonConst(i32* nocapture %x) nounwind uwtable sanitize_memory { 166 entry: 167 %0 = load i32, i32* %x, align 4 168 %1 = shl i32 10, %0 169 store i32 %1, i32* %x, align 4 170 ret void 171 } 172 173 ; CHECK-LABEL: @ShlNonConst 174 ; CHECK: = load 175 ; CHECK: = load 176 ; CHECK: = sext i1 177 ; CHECK: store 178 ; CHECK: store 179 ; CHECK: ret void 180 181 ; SExt 182 define void @SExt(i32* nocapture %a, i16* nocapture %b) nounwind uwtable sanitize_memory { 183 entry: 184 %0 = load i16, i16* %b, align 2 185 %1 = sext i16 %0 to i32 186 store i32 %1, i32* %a, align 4 187 ret void 188 } 189 190 ; CHECK-LABEL: @SExt 191 ; CHECK: = load 192 ; CHECK: = load 193 ; CHECK: = sext 194 ; CHECK: = sext 195 ; CHECK: store 196 ; CHECK: store 197 ; CHECK: ret void 198 199 200 ; memset 201 define void @MemSet(i8* nocapture %x) nounwind uwtable sanitize_memory { 202 entry: 203 call void @llvm.memset.p0i8.i64(i8* %x, i8 42, i64 10, i32 1, i1 false) 204 ret void 205 } 206 207 declare void @llvm.memset.p0i8.i64(i8* nocapture, i8, i64, i32, i1) nounwind 208 209 ; CHECK-LABEL: @MemSet 210 ; CHECK: call i8* @__msan_memset 211 ; CHECK: ret void 212 213 214 ; memcpy 215 define void @MemCpy(i8* nocapture %x, i8* nocapture %y) nounwind uwtable sanitize_memory { 216 entry: 217 call void @llvm.memcpy.p0i8.p0i8.i64(i8* %x, i8* %y, i64 10, i32 1, i1 false) 218 ret void 219 } 220 221 declare void @llvm.memcpy.p0i8.p0i8.i64(i8* nocapture, i8* nocapture, i64, i32, i1) nounwind 222 223 ; CHECK-LABEL: @MemCpy 224 ; CHECK: call i8* @__msan_memcpy 225 ; CHECK: ret void 226 227 228 ; memmove is lowered to a call 229 define void @MemMove(i8* nocapture %x, i8* nocapture %y) nounwind uwtable sanitize_memory { 230 entry: 231 call void @llvm.memmove.p0i8.p0i8.i64(i8* %x, i8* %y, i64 10, i32 1, i1 false) 232 ret void 233 } 234 235 declare void @llvm.memmove.p0i8.p0i8.i64(i8* nocapture, i8* nocapture, i64, i32, i1) nounwind 236 237 ; CHECK-LABEL: @MemMove 238 ; CHECK: call i8* @__msan_memmove 239 ; CHECK: ret void 240 241 242 ; Check that we propagate shadow for "select" 243 244 define i32 @Select(i32 %a, i32 %b, i1 %c) nounwind uwtable readnone sanitize_memory { 245 entry: 246 %cond = select i1 %c, i32 %a, i32 %b 247 ret i32 %cond 248 } 249 250 ; CHECK-LABEL: @Select 251 ; CHECK: select i1 252 ; CHECK-DAG: or i32 253 ; CHECK-DAG: xor i32 254 ; CHECK: or i32 255 ; CHECK-DAG: select i1 256 ; CHECK-ORIGINS-DAG: select 257 ; CHECK-ORIGINS-DAG: select 258 ; CHECK-DAG: select i1 259 ; CHECK: store i32{{.*}}@__msan_retval_tls 260 ; CHECK-ORIGINS: store i32{{.*}}@__msan_retval_origin_tls 261 ; CHECK: ret i32 262 263 264 ; Check that we propagate origin for "select" with vector condition. 265 ; Select condition is flattened to i1, which is then used to select one of the 266 ; argument origins. 267 268 define <8 x i16> @SelectVector(<8 x i16> %a, <8 x i16> %b, <8 x i1> %c) nounwind uwtable readnone sanitize_memory { 269 entry: 270 %cond = select <8 x i1> %c, <8 x i16> %a, <8 x i16> %b 271 ret <8 x i16> %cond 272 } 273 274 ; CHECK-LABEL: @SelectVector 275 ; CHECK: select <8 x i1> 276 ; CHECK-DAG: or <8 x i16> 277 ; CHECK-DAG: xor <8 x i16> 278 ; CHECK: or <8 x i16> 279 ; CHECK-DAG: select <8 x i1> 280 ; CHECK-ORIGINS-DAG: select 281 ; CHECK-ORIGINS-DAG: select 282 ; CHECK-DAG: select <8 x i1> 283 ; CHECK: store <8 x i16>{{.*}}@__msan_retval_tls 284 ; CHECK-ORIGINS: store i32{{.*}}@__msan_retval_origin_tls 285 ; CHECK: ret <8 x i16> 286 287 288 ; Check that we propagate origin for "select" with scalar condition and vector 289 ; arguments. Select condition shadow is sign-extended to the vector type and 290 ; mixed into the result shadow. 291 292 define <8 x i16> @SelectVector2(<8 x i16> %a, <8 x i16> %b, i1 %c) nounwind uwtable readnone sanitize_memory { 293 entry: 294 %cond = select i1 %c, <8 x i16> %a, <8 x i16> %b 295 ret <8 x i16> %cond 296 } 297 298 ; CHECK-LABEL: @SelectVector2 299 ; CHECK: select i1 300 ; CHECK-DAG: or <8 x i16> 301 ; CHECK-DAG: xor <8 x i16> 302 ; CHECK: or <8 x i16> 303 ; CHECK-DAG: select i1 304 ; CHECK-ORIGINS-DAG: select i1 305 ; CHECK-ORIGINS-DAG: select i1 306 ; CHECK-DAG: select i1 307 ; CHECK: ret <8 x i16> 308 309 310 define { i64, i64 } @SelectStruct(i1 zeroext %x, { i64, i64 } %a, { i64, i64 } %b) readnone sanitize_memory { 311 entry: 312 %c = select i1 %x, { i64, i64 } %a, { i64, i64 } %b 313 ret { i64, i64 } %c 314 } 315 316 ; CHECK-LABEL: @SelectStruct 317 ; CHECK: select i1 {{.*}}, { i64, i64 } 318 ; CHECK-NEXT: select i1 {{.*}}, { i64, i64 } { i64 -1, i64 -1 }, { i64, i64 } 319 ; CHECK-ORIGINS: select i1 320 ; CHECK-ORIGINS: select i1 321 ; CHECK-NEXT: select i1 {{.*}}, { i64, i64 } 322 ; CHECK: ret { i64, i64 } 323 324 325 define { i64*, double } @SelectStruct2(i1 zeroext %x, { i64*, double } %a, { i64*, double } %b) readnone sanitize_memory { 326 entry: 327 %c = select i1 %x, { i64*, double } %a, { i64*, double } %b 328 ret { i64*, double } %c 329 } 330 331 ; CHECK-LABEL: @SelectStruct2 332 ; CHECK: select i1 {{.*}}, { i64, i64 } 333 ; CHECK-NEXT: select i1 {{.*}}, { i64, i64 } { i64 -1, i64 -1 }, { i64, i64 } 334 ; CHECK-ORIGINS: select i1 335 ; CHECK-ORIGINS: select i1 336 ; CHECK-NEXT: select i1 {{.*}}, { i64*, double } 337 ; CHECK: ret { i64*, double } 338 339 340 define i8* @IntToPtr(i64 %x) nounwind uwtable readnone sanitize_memory { 341 entry: 342 %0 = inttoptr i64 %x to i8* 343 ret i8* %0 344 } 345 346 ; CHECK-LABEL: @IntToPtr 347 ; CHECK: load i64, i64*{{.*}}__msan_param_tls 348 ; CHECK-ORIGINS-NEXT: load i32, i32*{{.*}}__msan_param_origin_tls 349 ; CHECK-NEXT: inttoptr 350 ; CHECK-NEXT: store i64{{.*}}__msan_retval_tls 351 ; CHECK: ret i8* 352 353 354 define i8* @IntToPtr_ZExt(i16 %x) nounwind uwtable readnone sanitize_memory { 355 entry: 356 %0 = inttoptr i16 %x to i8* 357 ret i8* %0 358 } 359 360 ; CHECK-LABEL: @IntToPtr_ZExt 361 ; CHECK: load i16, i16*{{.*}}__msan_param_tls 362 ; CHECK: zext 363 ; CHECK-NEXT: inttoptr 364 ; CHECK-NEXT: store i64{{.*}}__msan_retval_tls 365 ; CHECK: ret i8* 366 367 368 ; Check that we insert exactly one check on udiv 369 ; (2nd arg shadow is checked, 1st arg shadow is propagated) 370 371 define i32 @Div(i32 %a, i32 %b) nounwind uwtable readnone sanitize_memory { 372 entry: 373 %div = udiv i32 %a, %b 374 ret i32 %div 375 } 376 377 ; CHECK-LABEL: @Div 378 ; CHECK: icmp 379 ; CHECK: call void @__msan_warning 380 ; CHECK-NOT: icmp 381 ; CHECK: udiv 382 ; CHECK-NOT: icmp 383 ; CHECK: ret i32 384 385 386 ; Check that we propagate shadow for x<0, x>=0, etc (i.e. sign bit tests) 387 388 define zeroext i1 @ICmpSLTZero(i32 %x) nounwind uwtable readnone sanitize_memory { 389 %1 = icmp slt i32 %x, 0 390 ret i1 %1 391 } 392 393 ; CHECK-LABEL: @ICmpSLTZero 394 ; CHECK: icmp slt 395 ; CHECK-NOT: call void @__msan_warning 396 ; CHECK: icmp slt 397 ; CHECK-NOT: call void @__msan_warning 398 ; CHECK: ret i1 399 400 define zeroext i1 @ICmpSGEZero(i32 %x) nounwind uwtable readnone sanitize_memory { 401 %1 = icmp sge i32 %x, 0 402 ret i1 %1 403 } 404 405 ; CHECK-LABEL: @ICmpSGEZero 406 ; CHECK: icmp slt 407 ; CHECK-NOT: call void @__msan_warning 408 ; CHECK: icmp sge 409 ; CHECK-NOT: call void @__msan_warning 410 ; CHECK: ret i1 411 412 define zeroext i1 @ICmpSGTZero(i32 %x) nounwind uwtable readnone sanitize_memory { 413 %1 = icmp sgt i32 0, %x 414 ret i1 %1 415 } 416 417 ; CHECK-LABEL: @ICmpSGTZero 418 ; CHECK: icmp slt 419 ; CHECK-NOT: call void @__msan_warning 420 ; CHECK: icmp sgt 421 ; CHECK-NOT: call void @__msan_warning 422 ; CHECK: ret i1 423 424 define zeroext i1 @ICmpSLEZero(i32 %x) nounwind uwtable readnone sanitize_memory { 425 %1 = icmp sle i32 0, %x 426 ret i1 %1 427 } 428 429 ; CHECK-LABEL: @ICmpSLEZero 430 ; CHECK: icmp slt 431 ; CHECK-NOT: call void @__msan_warning 432 ; CHECK: icmp sle 433 ; CHECK-NOT: call void @__msan_warning 434 ; CHECK: ret i1 435 436 437 ; Check that we propagate shadow for x<=-1, x>-1, etc (i.e. sign bit tests) 438 439 define zeroext i1 @ICmpSLTAllOnes(i32 %x) nounwind uwtable readnone sanitize_memory { 440 %1 = icmp slt i32 -1, %x 441 ret i1 %1 442 } 443 444 ; CHECK-LABEL: @ICmpSLTAllOnes 445 ; CHECK: icmp slt 446 ; CHECK-NOT: call void @__msan_warning 447 ; CHECK: icmp slt 448 ; CHECK-NOT: call void @__msan_warning 449 ; CHECK: ret i1 450 451 define zeroext i1 @ICmpSGEAllOnes(i32 %x) nounwind uwtable readnone sanitize_memory { 452 %1 = icmp sge i32 -1, %x 453 ret i1 %1 454 } 455 456 ; CHECK-LABEL: @ICmpSGEAllOnes 457 ; CHECK: icmp slt 458 ; CHECK-NOT: call void @__msan_warning 459 ; CHECK: icmp sge 460 ; CHECK-NOT: call void @__msan_warning 461 ; CHECK: ret i1 462 463 define zeroext i1 @ICmpSGTAllOnes(i32 %x) nounwind uwtable readnone sanitize_memory { 464 %1 = icmp sgt i32 %x, -1 465 ret i1 %1 466 } 467 468 ; CHECK-LABEL: @ICmpSGTAllOnes 469 ; CHECK: icmp slt 470 ; CHECK-NOT: call void @__msan_warning 471 ; CHECK: icmp sgt 472 ; CHECK-NOT: call void @__msan_warning 473 ; CHECK: ret i1 474 475 define zeroext i1 @ICmpSLEAllOnes(i32 %x) nounwind uwtable readnone sanitize_memory { 476 %1 = icmp sle i32 %x, -1 477 ret i1 %1 478 } 479 480 ; CHECK-LABEL: @ICmpSLEAllOnes 481 ; CHECK: icmp slt 482 ; CHECK-NOT: call void @__msan_warning 483 ; CHECK: icmp sle 484 ; CHECK-NOT: call void @__msan_warning 485 ; CHECK: ret i1 486 487 488 ; Check that we propagate shadow for x<0, x>=0, etc (i.e. sign bit tests) 489 ; of the vector arguments. 490 491 define <2 x i1> @ICmpSLT_vector_Zero(<2 x i32*> %x) nounwind uwtable readnone sanitize_memory { 492 %1 = icmp slt <2 x i32*> %x, zeroinitializer 493 ret <2 x i1> %1 494 } 495 496 ; CHECK-LABEL: @ICmpSLT_vector_Zero 497 ; CHECK: icmp slt <2 x i64> 498 ; CHECK-NOT: call void @__msan_warning 499 ; CHECK: icmp slt <2 x i32*> 500 ; CHECK-NOT: call void @__msan_warning 501 ; CHECK: ret <2 x i1> 502 503 ; Check that we propagate shadow for x<=-1, x>0, etc (i.e. sign bit tests) 504 ; of the vector arguments. 505 506 define <2 x i1> @ICmpSLT_vector_AllOnes(<2 x i32> %x) nounwind uwtable readnone sanitize_memory { 507 %1 = icmp slt <2 x i32> <i32 -1, i32 -1>, %x 508 ret <2 x i1> %1 509 } 510 511 ; CHECK-LABEL: @ICmpSLT_vector_AllOnes 512 ; CHECK: icmp slt <2 x i32> 513 ; CHECK-NOT: call void @__msan_warning 514 ; CHECK: icmp slt <2 x i32> 515 ; CHECK-NOT: call void @__msan_warning 516 ; CHECK: ret <2 x i1> 517 518 519 ; Check that we propagate shadow for unsigned relational comparisons with 520 ; constants 521 522 define zeroext i1 @ICmpUGTConst(i32 %x) nounwind uwtable readnone sanitize_memory { 523 entry: 524 %cmp = icmp ugt i32 %x, 7 525 ret i1 %cmp 526 } 527 528 ; CHECK-LABEL: @ICmpUGTConst 529 ; CHECK: icmp ugt i32 530 ; CHECK-NOT: call void @__msan_warning 531 ; CHECK: icmp ugt i32 532 ; CHECK-NOT: call void @__msan_warning 533 ; CHECK: icmp ugt i32 534 ; CHECK-NOT: call void @__msan_warning 535 ; CHECK: ret i1 536 537 538 ; Check that loads of shadow have the same aligment as the original loads. 539 ; Check that loads of origin have the aligment of max(4, original alignment). 540 541 define i32 @ShadowLoadAlignmentLarge() nounwind uwtable sanitize_memory { 542 %y = alloca i32, align 64 543 %1 = load volatile i32, i32* %y, align 64 544 ret i32 %1 545 } 546 547 ; CHECK-LABEL: @ShadowLoadAlignmentLarge 548 ; CHECK: load volatile i32, i32* {{.*}} align 64 549 ; CHECK: load i32, i32* {{.*}} align 64 550 ; CHECK: ret i32 551 552 define i32 @ShadowLoadAlignmentSmall() nounwind uwtable sanitize_memory { 553 %y = alloca i32, align 2 554 %1 = load volatile i32, i32* %y, align 2 555 ret i32 %1 556 } 557 558 ; CHECK-LABEL: @ShadowLoadAlignmentSmall 559 ; CHECK: load volatile i32, i32* {{.*}} align 2 560 ; CHECK: load i32, i32* {{.*}} align 2 561 ; CHECK-ORIGINS: load i32, i32* {{.*}} align 4 562 ; CHECK: ret i32 563 564 565 ; Test vector manipulation instructions. 566 ; Check that the same bit manipulation is applied to the shadow values. 567 ; Check that there is a zero test of the shadow of %idx argument, where present. 568 569 define i32 @ExtractElement(<4 x i32> %vec, i32 %idx) sanitize_memory { 570 %x = extractelement <4 x i32> %vec, i32 %idx 571 ret i32 %x 572 } 573 574 ; CHECK-LABEL: @ExtractElement 575 ; CHECK: extractelement 576 ; CHECK: call void @__msan_warning 577 ; CHECK: extractelement 578 ; CHECK: ret i32 579 580 define <4 x i32> @InsertElement(<4 x i32> %vec, i32 %idx, i32 %x) sanitize_memory { 581 %vec1 = insertelement <4 x i32> %vec, i32 %x, i32 %idx 582 ret <4 x i32> %vec1 583 } 584 585 ; CHECK-LABEL: @InsertElement 586 ; CHECK: insertelement 587 ; CHECK: call void @__msan_warning 588 ; CHECK: insertelement 589 ; CHECK: ret <4 x i32> 590 591 define <4 x i32> @ShuffleVector(<4 x i32> %vec, <4 x i32> %vec1) sanitize_memory { 592 %vec2 = shufflevector <4 x i32> %vec, <4 x i32> %vec1, 593 <4 x i32> <i32 0, i32 4, i32 1, i32 5> 594 ret <4 x i32> %vec2 595 } 596 597 ; CHECK-LABEL: @ShuffleVector 598 ; CHECK: shufflevector 599 ; CHECK-NOT: call void @__msan_warning 600 ; CHECK: shufflevector 601 ; CHECK: ret <4 x i32> 602 603 604 ; Test bswap intrinsic instrumentation 605 define i32 @BSwap(i32 %x) nounwind uwtable readnone sanitize_memory { 606 %y = tail call i32 @llvm.bswap.i32(i32 %x) 607 ret i32 %y 608 } 609 610 declare i32 @llvm.bswap.i32(i32) nounwind readnone 611 612 ; CHECK-LABEL: @BSwap 613 ; CHECK-NOT: call void @__msan_warning 614 ; CHECK: @llvm.bswap.i32 615 ; CHECK-NOT: call void @__msan_warning 616 ; CHECK: @llvm.bswap.i32 617 ; CHECK-NOT: call void @__msan_warning 618 ; CHECK: ret i32 619 620 621 ; Store intrinsic. 622 623 define void @StoreIntrinsic(i8* %p, <4 x float> %x) nounwind uwtable sanitize_memory { 624 call void @llvm.x86.sse.storeu.ps(i8* %p, <4 x float> %x) 625 ret void 626 } 627 628 declare void @llvm.x86.sse.storeu.ps(i8*, <4 x float>) nounwind 629 630 ; CHECK-LABEL: @StoreIntrinsic 631 ; CHECK-NOT: br 632 ; CHECK-NOT: = or 633 ; CHECK: store <4 x i32> {{.*}} align 1 634 ; CHECK: call void @llvm.x86.sse.storeu.ps 635 ; CHECK: ret void 636 637 638 ; Load intrinsic. 639 640 define <16 x i8> @LoadIntrinsic(i8* %p) nounwind uwtable sanitize_memory { 641 %call = call <16 x i8> @llvm.x86.sse3.ldu.dq(i8* %p) 642 ret <16 x i8> %call 643 } 644 645 declare <16 x i8> @llvm.x86.sse3.ldu.dq(i8* %p) nounwind 646 647 ; CHECK-LABEL: @LoadIntrinsic 648 ; CHECK: load <16 x i8>, <16 x i8>* {{.*}} align 1 649 ; CHECK-ORIGINS: [[ORIGIN:%[01-9a-z]+]] = load i32, i32* {{.*}} 650 ; CHECK-NOT: br 651 ; CHECK-NOT: = or 652 ; CHECK: call <16 x i8> @llvm.x86.sse3.ldu.dq 653 ; CHECK: store <16 x i8> {{.*}} @__msan_retval_tls 654 ; CHECK-ORIGINS: store i32 {{.*}}[[ORIGIN]], i32* @__msan_retval_origin_tls 655 ; CHECK: ret <16 x i8> 656 657 658 ; Simple NoMem intrinsic 659 ; Check that shadow is OR'ed, and origin is Select'ed 660 ; And no shadow checks! 661 662 define <8 x i16> @Paddsw128(<8 x i16> %a, <8 x i16> %b) nounwind uwtable sanitize_memory { 663 %call = call <8 x i16> @llvm.x86.sse2.padds.w(<8 x i16> %a, <8 x i16> %b) 664 ret <8 x i16> %call 665 } 666 667 declare <8 x i16> @llvm.x86.sse2.padds.w(<8 x i16> %a, <8 x i16> %b) nounwind 668 669 ; CHECK-LABEL: @Paddsw128 670 ; CHECK-NEXT: load <8 x i16>, <8 x i16>* {{.*}} @__msan_param_tls 671 ; CHECK-ORIGINS: load i32, i32* {{.*}} @__msan_param_origin_tls 672 ; CHECK-NEXT: load <8 x i16>, <8 x i16>* {{.*}} @__msan_param_tls 673 ; CHECK-ORIGINS: load i32, i32* {{.*}} @__msan_param_origin_tls 674 ; CHECK-NEXT: = or <8 x i16> 675 ; CHECK-ORIGINS: = bitcast <8 x i16> {{.*}} to i128 676 ; CHECK-ORIGINS-NEXT: = icmp ne i128 {{.*}}, 0 677 ; CHECK-ORIGINS-NEXT: = select i1 {{.*}}, i32 {{.*}}, i32 678 ; CHECK-NEXT: call <8 x i16> @llvm.x86.sse2.padds.w 679 ; CHECK-NEXT: store <8 x i16> {{.*}} @__msan_retval_tls 680 ; CHECK-ORIGINS: store i32 {{.*}} @__msan_retval_origin_tls 681 ; CHECK-NEXT: ret <8 x i16> 682 683 684 ; Test handling of vectors of pointers. 685 ; Check that shadow of such vector is a vector of integers. 686 687 define <8 x i8*> @VectorOfPointers(<8 x i8*>* %p) nounwind uwtable sanitize_memory { 688 %x = load <8 x i8*>, <8 x i8*>* %p 689 ret <8 x i8*> %x 690 } 691 692 ; CHECK-LABEL: @VectorOfPointers 693 ; CHECK: load <8 x i8*>, <8 x i8*>* 694 ; CHECK: load <8 x i64>, <8 x i64>* 695 ; CHECK: store <8 x i64> {{.*}} @__msan_retval_tls 696 ; CHECK: ret <8 x i8*> 697 698 ; Test handling of va_copy. 699 700 declare void @llvm.va_copy(i8*, i8*) nounwind 701 702 define void @VACopy(i8* %p1, i8* %p2) nounwind uwtable sanitize_memory { 703 call void @llvm.va_copy(i8* %p1, i8* %p2) nounwind 704 ret void 705 } 706 707 ; CHECK-LABEL: @VACopy 708 ; CHECK: call void @llvm.memset.p0i8.i64({{.*}}, i8 0, i64 24, i32 8, i1 false) 709 ; CHECK: ret void 710 711 712 ; Test that va_start instrumentation does not use va_arg_tls*. 713 ; It should work with a local stack copy instead. 714 715 %struct.__va_list_tag = type { i32, i32, i8*, i8* } 716 declare void @llvm.va_start(i8*) nounwind 717 718 ; Function Attrs: nounwind uwtable 719 define void @VAStart(i32 %x, ...) sanitize_memory { 720 entry: 721 %x.addr = alloca i32, align 4 722 %va = alloca [1 x %struct.__va_list_tag], align 16 723 store i32 %x, i32* %x.addr, align 4 724 %arraydecay = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %va, i32 0, i32 0 725 %arraydecay1 = bitcast %struct.__va_list_tag* %arraydecay to i8* 726 call void @llvm.va_start(i8* %arraydecay1) 727 ret void 728 } 729 730 ; CHECK-LABEL: @VAStart 731 ; CHECK: call void @llvm.va_start 732 ; CHECK-NOT: @__msan_va_arg_tls 733 ; CHECK-NOT: @__msan_va_arg_overflow_size_tls 734 ; CHECK: ret void 735 736 737 ; Test handling of volatile stores. 738 ; Check that MemorySanitizer does not add a check of the value being stored. 739 740 define void @VolatileStore(i32* nocapture %p, i32 %x) nounwind uwtable sanitize_memory { 741 entry: 742 store volatile i32 %x, i32* %p, align 4 743 ret void 744 } 745 746 ; CHECK-LABEL: @VolatileStore 747 ; CHECK-NOT: @__msan_warning 748 ; CHECK: ret void 749 750 751 ; Test that checks are omitted and returned value is always initialized if 752 ; sanitize_memory attribute is missing. 753 754 define i32 @NoSanitizeMemory(i32 %x) uwtable { 755 entry: 756 %tobool = icmp eq i32 %x, 0 757 br i1 %tobool, label %if.end, label %if.then 758 759 if.then: ; preds = %entry 760 tail call void @bar() 761 br label %if.end 762 763 if.end: ; preds = %entry, %if.then 764 ret i32 %x 765 } 766 767 declare void @bar() 768 769 ; CHECK-LABEL: @NoSanitizeMemory 770 ; CHECK-NOT: @__msan_warning 771 ; CHECK: store i32 0, {{.*}} @__msan_retval_tls 772 ; CHECK-NOT: @__msan_warning 773 ; CHECK: ret i32 774 775 776 ; Test that stack allocations are unpoisoned in functions missing 777 ; sanitize_memory attribute 778 779 define i32 @NoSanitizeMemoryAlloca() { 780 entry: 781 %p = alloca i32, align 4 782 %x = call i32 @NoSanitizeMemoryAllocaHelper(i32* %p) 783 ret i32 %x 784 } 785 786 declare i32 @NoSanitizeMemoryAllocaHelper(i32* %p) 787 788 ; CHECK-LABEL: @NoSanitizeMemoryAlloca 789 ; CHECK: call void @llvm.memset.p0i8.i64(i8* {{.*}}, i8 0, i64 4, i32 4, i1 false) 790 ; CHECK: call i32 @NoSanitizeMemoryAllocaHelper(i32* 791 ; CHECK: ret i32 792 793 794 ; Test that undef is unpoisoned in functions missing 795 ; sanitize_memory attribute 796 797 define i32 @NoSanitizeMemoryUndef() { 798 entry: 799 %x = call i32 @NoSanitizeMemoryUndefHelper(i32 undef) 800 ret i32 %x 801 } 802 803 declare i32 @NoSanitizeMemoryUndefHelper(i32 %x) 804 805 ; CHECK-LABEL: @NoSanitizeMemoryUndef 806 ; CHECK: store i32 0, i32* {{.*}} @__msan_param_tls 807 ; CHECK: call i32 @NoSanitizeMemoryUndefHelper(i32 undef) 808 ; CHECK: ret i32 809 810 811 ; Test PHINode instrumentation in blacklisted functions 812 813 define i32 @NoSanitizeMemoryPHI(i32 %x) { 814 entry: 815 %tobool = icmp ne i32 %x, 0 816 br i1 %tobool, label %cond.true, label %cond.false 817 818 cond.true: ; preds = %entry 819 br label %cond.end 820 821 cond.false: ; preds = %entry 822 br label %cond.end 823 824 cond.end: ; preds = %cond.false, %cond.true 825 %cond = phi i32 [ undef, %cond.true ], [ undef, %cond.false ] 826 ret i32 %cond 827 } 828 829 ; CHECK: [[A:%.*]] = phi i32 [ undef, %cond.true ], [ undef, %cond.false ] 830 ; CHECK: store i32 0, i32* bitcast {{.*}} @__msan_retval_tls 831 ; CHECK: ret i32 [[A]] 832 833 834 ; Test that there are no __msan_param_origin_tls stores when 835 ; argument shadow is a compile-time zero constant (which is always the case 836 ; in functions missing sanitize_memory attribute). 837 838 define i32 @NoSanitizeMemoryParamTLS(i32* nocapture readonly %x) { 839 entry: 840 %0 = load i32, i32* %x, align 4 841 %call = tail call i32 @NoSanitizeMemoryParamTLSHelper(i32 %0) 842 ret i32 %call 843 } 844 845 declare i32 @NoSanitizeMemoryParamTLSHelper(i32 %x) 846 847 ; CHECK-LABEL: define i32 @NoSanitizeMemoryParamTLS( 848 ; CHECK-NOT: __msan_param_origin_tls 849 ; CHECK: ret i32 850 851 852 ; Test argument shadow alignment 853 854 define <2 x i64> @ArgumentShadowAlignment(i64 %a, <2 x i64> %b) sanitize_memory { 855 entry: 856 ret <2 x i64> %b 857 } 858 859 ; CHECK-LABEL: @ArgumentShadowAlignment 860 ; CHECK: load <2 x i64>, <2 x i64>* {{.*}} @__msan_param_tls {{.*}}, align 8 861 ; CHECK: store <2 x i64> {{.*}} @__msan_retval_tls {{.*}}, align 8 862 ; CHECK: ret <2 x i64> 863 864 865 ; Test origin propagation for insertvalue 866 867 define { i64, i32 } @make_pair_64_32(i64 %x, i32 %y) sanitize_memory { 868 entry: 869 %a = insertvalue { i64, i32 } undef, i64 %x, 0 870 %b = insertvalue { i64, i32 } %a, i32 %y, 1 871 ret { i64, i32 } %b 872 } 873 874 ; CHECK-ORIGINS: @make_pair_64_32 875 ; First element shadow 876 ; CHECK-ORIGINS: insertvalue { i64, i32 } { i64 -1, i32 -1 }, i64 {{.*}}, 0 877 ; First element origin 878 ; CHECK-ORIGINS: icmp ne i64 879 ; CHECK-ORIGINS: select i1 880 ; First element app value 881 ; CHECK-ORIGINS: insertvalue { i64, i32 } undef, i64 {{.*}}, 0 882 ; Second element shadow 883 ; CHECK-ORIGINS: insertvalue { i64, i32 } {{.*}}, i32 {{.*}}, 1 884 ; Second element origin 885 ; CHECK-ORIGINS: icmp ne i32 886 ; CHECK-ORIGINS: select i1 887 ; Second element app value 888 ; CHECK-ORIGINS: insertvalue { i64, i32 } {{.*}}, i32 {{.*}}, 1 889 ; CHECK-ORIGINS: ret { i64, i32 } 890 891 892 ; Test shadow propagation for aggregates passed through ellipsis. 893 894 %struct.StructByVal = type { i32, i32, i32, i32 } 895 896 declare void @VAArgStructFn(i32 %guard, ...) 897 898 define void @VAArgStruct(%struct.StructByVal* nocapture %s) sanitize_memory { 899 entry: 900 %agg.tmp2 = alloca %struct.StructByVal, align 8 901 %0 = bitcast %struct.StructByVal* %s to i8* 902 %agg.tmp.sroa.0.0..sroa_cast = bitcast %struct.StructByVal* %s to i64* 903 %agg.tmp.sroa.0.0.copyload = load i64, i64* %agg.tmp.sroa.0.0..sroa_cast, align 4 904 %agg.tmp.sroa.2.0..sroa_idx = getelementptr inbounds %struct.StructByVal, %struct.StructByVal* %s, i64 0, i32 2 905 %agg.tmp.sroa.2.0..sroa_cast = bitcast i32* %agg.tmp.sroa.2.0..sroa_idx to i64* 906 %agg.tmp.sroa.2.0.copyload = load i64, i64* %agg.tmp.sroa.2.0..sroa_cast, align 4 907 %1 = bitcast %struct.StructByVal* %agg.tmp2 to i8* 908 call void @llvm.memcpy.p0i8.p0i8.i64(i8* %1, i8* %0, i64 16, i32 4, i1 false) 909 call void (i32, ...) @VAArgStructFn(i32 undef, i64 %agg.tmp.sroa.0.0.copyload, i64 %agg.tmp.sroa.2.0.copyload, i64 %agg.tmp.sroa.0.0.copyload, i64 %agg.tmp.sroa.2.0.copyload, %struct.StructByVal* byval align 8 %agg.tmp2) 910 ret void 911 } 912 913 ; "undef" and the first 2 structs go to general purpose registers; 914 ; the third struct goes to the overflow area byval 915 916 ; CHECK-LABEL: @VAArgStruct 917 ; undef 918 ; CHECK: store i32 -1, i32* {{.*}}@__msan_va_arg_tls {{.*}}, align 8 919 ; first struct through general purpose registers 920 ; CHECK: store i64 {{.*}}, i64* {{.*}}@__msan_va_arg_tls{{.*}}, i64 8){{.*}}, align 8 921 ; CHECK: store i64 {{.*}}, i64* {{.*}}@__msan_va_arg_tls{{.*}}, i64 16){{.*}}, align 8 922 ; second struct through general purpose registers 923 ; CHECK: store i64 {{.*}}, i64* {{.*}}@__msan_va_arg_tls{{.*}}, i64 24){{.*}}, align 8 924 ; CHECK: store i64 {{.*}}, i64* {{.*}}@__msan_va_arg_tls{{.*}}, i64 32){{.*}}, align 8 925 ; third struct through the overflow area byval 926 ; CHECK: ptrtoint %struct.StructByVal* {{.*}} to i64 927 ; CHECK: bitcast { i32, i32, i32, i32 }* {{.*}}@__msan_va_arg_tls {{.*}}, i64 176 928 ; CHECK: call void @llvm.memcpy.p0i8.p0i8.i64 929 ; CHECK: store i64 16, i64* @__msan_va_arg_overflow_size_tls 930 ; CHECK: call void (i32, ...) @VAArgStructFn 931 ; CHECK: ret void 932 933 934 declare i32 @InnerTailCall(i32 %a) 935 936 define void @MismatchedReturnTypeTailCall(i32 %a) sanitize_memory { 937 %b = tail call i32 @InnerTailCall(i32 %a) 938 ret void 939 } 940 941 ; We used to strip off the 'tail' modifier, but now that we unpoison return slot 942 ; shadow before the call, we don't need to anymore. 943 944 ; CHECK-LABEL: define void @MismatchedReturnTypeTailCall 945 ; CHECK: tail call i32 @InnerTailCall 946 ; CHECK: ret void 947 948 949 declare i32 @MustTailCall(i32 %a) 950 951 define i32 @CallMustTailCall(i32 %a) sanitize_memory { 952 %b = musttail call i32 @MustTailCall(i32 %a) 953 ret i32 %b 954 } 955 956 ; For "musttail" calls we can not insert any shadow manipulating code between 957 ; call and the return instruction. And we don't need to, because everything is 958 ; taken care of in the callee. 959 960 ; CHECK-LABEL: define i32 @CallMustTailCall 961 ; CHECK: musttail call i32 @MustTailCall 962 ; No instrumentation between call and ret. 963 ; CHECK-NEXT: ret i32 964 965 declare i32* @MismatchingMustTailCall(i32 %a) 966 967 define i8* @MismatchingCallMustTailCall(i32 %a) sanitize_memory { 968 %b = musttail call i32* @MismatchingMustTailCall(i32 %a) 969 %c = bitcast i32* %b to i8* 970 ret i8* %c 971 } 972 973 ; For "musttail" calls we can not insert any shadow manipulating code between 974 ; call and the return instruction. And we don't need to, because everything is 975 ; taken care of in the callee. 976 977 ; CHECK-LABEL: define i8* @MismatchingCallMustTailCall 978 ; CHECK: musttail call i32* @MismatchingMustTailCall 979 ; No instrumentation between call and ret. 980 ; CHECK-NEXT: bitcast i32* {{.*}} to i8* 981 ; CHECK-NEXT: ret i8* 982 983 984 ; CHECK-LABEL: define internal void @msan.module_ctor 985 ; CHECK: call void @__msan_init() 986
