Skip to content

[msan] Add optional flag to improve instrumentation of disjoint OR #145990

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jun 27, 2025
Merged

[msan] Add optional flag to improve instrumentation of disjoint OR #145990

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
bb34b1d
[msan] Improve instrumentation of disjoint OR
thurstond Jun 26, 2025
6585af4
clang-format
thurstond Jun 26, 2025
3f8fc04
Update test comment
thurstond Jun 26, 2025
d5094b4
Control behavior using -msan-precise-disjoint-or and default to legacy
thurstond Jun 26, 2025
cadc15c
Undelete test line
thurstond Jun 26, 2025
7b9eff6
Refactor per Fldisjointorian
thurstond Jun 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 24 additions & 6 deletions llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -282,6 +282,12 @@ static cl::opt<bool> ClPoisonUndefVectors(
"unaffected by this flag (see -msan-poison-undef)."),
cl::Hidden, cl::init(false));

static cl::opt<bool> ClPreciseDisjointOr(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need a flag?

Copy link
Contributor Author

@thurstond thurstond Jun 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It fixes a false negative, hence some existing tests that currently pass will start failing when the fix is enabled.

Having the flag defaulted to off allows users to:

  • turn the flag on, to preemptively identify and fix such issues while the flag is still defaulted off
  • have an escape hatch for when the flag is eventually defaulted on in a future patch

"msan-precise-disjoint-or",
cl::desc("Precisely poison disjoint OR. If false (legacy behavior), "
"disjointedness is ignored (i.e., 1|1 is initialized)."),
cl::Hidden, cl::init(false));

static cl::opt<bool>
ClHandleICmp("msan-handle-icmp",
cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
Expand Down Expand Up @@ -2497,11 +2503,16 @@ struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {

void visitOr(BinaryOperator &I) {
IRBuilder<> IRB(&I);
// "Or" of 1 and a poisoned value results in unpoisoned value.
// 1|1 => 1; 0|1 => 1; p|1 => 1;
// 1|0 => 1; 0|0 => 0; p|0 => p;
// 1|p => 1; 0|p => p; p|p => p;
// S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2)
// "Or" of 1 and a poisoned value results in unpoisoned value:
// 1|1 => 1; 0|1 => 1; p|1 => 1;
// 1|0 => 1; 0|0 => 0; p|0 => p;
// 1|p => 1; 0|p => p; p|p => p;
//
// S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2)
//
// Addendum if the "Or" is "disjoint":
// 1|1 => p;
// S = S | (V1 & V2)
Value *S1 = getShadow(&I, 0);
Value *S2 = getShadow(&I, 1);
Value *V1 = IRB.CreateNot(I.getOperand(0));
Expand All @@ -2513,7 +2524,14 @@ struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
Value *S1S2 = IRB.CreateAnd(S1, S2);
Value *V1S2 = IRB.CreateAnd(V1, S2);
Value *S1V2 = IRB.CreateAnd(S1, V2);
setShadow(&I, IRB.CreateOr({S1S2, V1S2, S1V2}));

Value *S = IRB.CreateOr({S1S2, V1S2, S1V2});
if (ClPreciseDisjointOr && cast<PossiblyDisjointInst>(&I)->isDisjoint()) {
Value *V1V2 = IRB.CreateAnd(V1, V2);
S = IRB.CreateOr({S, V1V2});
}

setShadow(&I, S);
setOriginForNaryOp(I);
}

Expand Down
17 changes: 12 additions & 5 deletions llvm/test/Instrumentation/MemorySanitizer/or.ll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
; NOTE: Assertions have been autogenerated by utils/update_test_checks.py UTC_ARGS: --version 5
; RUN: opt < %s -S -passes=msan 2>&1 | FileCheck %s
; RUN: opt < %s -S -passes=msan -msan-precise-disjoint-or=false 2>&1 | FileCheck %s --check-prefixes=CHECK,CHECK-IMPRECISE
; RUN: opt < %s -S -passes=msan -msan-precise-disjoint-or=true 2>&1 | FileCheck %s --check-prefixes=CHECK,CHECK-PRECISE
;
; Test bitwise OR instructions, especially the "disjoint OR", which is
; currently handled incorrectly by MSan (as if it was a regular OR).
; Test bitwise OR instructions, including "disjoint OR".

target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
Expand Down Expand Up @@ -41,8 +41,15 @@ define i8 @test_disjoint_or(i8 %a, i8 %b) sanitize_memory {
; CHECK-NEXT: [[TMP7:%.*]] = and i8 [[TMP1]], [[TMP4]]
; CHECK-NEXT: [[TMP8:%.*]] = or i8 [[TMP5]], [[TMP6]]
; CHECK-NEXT: [[TMP11:%.*]] = or i8 [[TMP8]], [[TMP7]]
; CHECK-NEXT: [[C:%.*]] = or disjoint i8 [[A]], [[B]]
; CHECK-NEXT: store i8 [[TMP11]], ptr @__msan_retval_tls, align 8
;
; CHECK-IMPRECISE: [[C:%.*]] = or disjoint i8 [[A]], [[B]]
; CHECK-IMPRECISE-NEXT: store i8 [[TMP11]], ptr @__msan_retval_tls, align 8
;
; CHECK-PRECISE: [[TMP10:%.*]] = and i8 [[TMP3]], [[TMP4]]
; CHECK-PRECISE-NEXT: [[TMP12:%.*]] = or i8 [[TMP11]], [[TMP10]]
; CHECK-PRECISE-NEXT: [[C:%.*]] = or disjoint i8 [[A]], [[B]]
; CHECK-PRECISE-NEXT: store i8 [[TMP12]], ptr @__msan_retval_tls, align 8
;
; CHECK-NEXT: ret i8 [[C]]
;
%c = or disjoint i8 %a, %b
Expand Down