search

staticanalysis / memory-sanitizer

Automatically exported from code.google.com/p/memory-sanitizer
0 stars 0 forks source link

Inefficient function prologue #74

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago 
Local variable poisoning in a function prologue does not use the fact that they 
are adjacent in memory and recalculates shadow address for each variable.

With origins is becomes even worse: we call a runtime function 
(__msan_set_alloca_origin4) for each local variable. It should be enough to do 
it once per function entry, or even less (with a fast path).

$ cat 1.cc
int use(long&, long&, long&, long&, long&, long&, long&, long&);
void f() {
  long a, b, c, d, e, f, g, h;
  use(a, b, c, d, e, f, g, h);
}

$ ./build/bin/clang++ 1.cc -fsanitize=memory -O2 -S -o -
    .text
    .file   "1.cc"
    .globl  _Z1fv
    .align  16, 0x90
    .type   _Z1fv,@function
_Z1fv:                                  # @_Z1fv
    .cfi_startproc
# BB#0:                                 # %entry
    pushq   %rbx
.Ltmp0:
    .cfi_def_cfa_offset 16
    subq    $80, %rsp
.Ltmp1:
    .cfi_def_cfa_offset 96
.Ltmp2:
    .cfi_offset %rbx, -16
    movabsq $-70368744177672, %r10  # imm = 0xFFFFBFFFFFFFFFF8
    leaq    72(%rsp), %rdi
    movq    %rdi, %rcx
    andq    %r10, %rcx
    movq    $-1, (%rcx)
    leaq    64(%rsp), %rsi
    movq    %rsi, %rcx
    andq    %r10, %rcx
    movq    $-1, (%rcx)
    leaq    56(%rsp), %rdx
    movq    %rdx, %rcx
    andq    %r10, %rcx
    movq    $-1, (%rcx)
    leaq    48(%rsp), %rcx
    movq    %rcx, %rax
    andq    %r10, %rax
    movq    $-1, (%rax)
    leaq    40(%rsp), %r8
    movq    %r8, %rax
    andq    %r10, %rax
    movq    $-1, (%rax)
    leaq    32(%rsp), %r9
    movq    %r9, %rax
    andq    %r10, %rax
    movq    $-1, (%rax)
    leaq    24(%rsp), %r11
    movq    %r11, %rax
    andq    %r10, %rax
    movq    $-1, (%rax)
    leaq    16(%rsp), %rbx
    andq    %rbx, %r10
    movq    $-1, (%r10)
    movq    __msan_param_tls@GOTTPOFF(%rip), %rax
    movq    $0, %fs:(%rax)
    movq    $0, %fs:8(%rax)
    movq    $0, %fs:16(%rax)
    movq    $0, %fs:24(%rax)
    movq    $0, %fs:32(%rax)
    movq    $0, %fs:40(%rax)
    movq    $0, %fs:48(%rax)
    movq    $0, %fs:56(%rax)
    movq    __msan_retval_tls@GOTTPOFF(%rip), %rax
    movl    $0, %fs:(%rax)
    movq    %rbx, 8(%rsp)
    movq    %r11, (%rsp)
    callq   _Z3useRlS_S_S_S_S_S_S_@PLT
    addq    $80, %rsp
    popq    %rbx
    retq
.Ltmp3:
    .size   _Z1fv, .Ltmp3-_Z1fv
    .cfi_endproc

    .section    .init_array.0,"aw",@init_array
    .align  8
    .quad   __msan_init

    .ident  "clang version 3.6.0 (trunk 222541)"
    .section    ".note.GNU-stack","",@progbits

Original issue reported on code.google.com by euge...@google.com on 24 Nov 2014 at 11:15

GoogleCodeExporter commented 9 years ago 
Per offline discussion, the action plan is:
* Reuse ASan code that bundles all locals into one aggregate, and unpoison it 
with memset.
* Assign base origin id for a function in a module constructor. Ids for locals 
within one function will be consecutive; function prologue would 
(unconditionally) load the base id from a global and use it to setup origins 
for all local variables.

Original comment by euge...@google.com on 24 Nov 2014 at 11:39