Stack instrumentation errorneous

[ahueck]

Defect description

Instrumenting stack allocation without considering lifetime markers leads to stack re-use (overwrites).
(The stack coloring algorithm of LLVM tries to reduce stack space).

Example

void errorneous(int rank) {
  if (rank == 1) {
    int buffer[3][3] = {0, 1, 2, 3, 4, 5, 6, 7, 8}; 
    type_check(buffer);
  } else {
    int rcv[3] = {0, 1, 2};
    type_check(rcv);
  }
}

lea    0x10(%rsp),%rdi <- stack (1)
mov    $0x9,%edx
mov    $0x2,%esi
callq  401040 <__typeart_alloc_stack@plt>
lea    0x10(%rsp),%rdi <- stack (2) overwrite
mov    $0x3,%edx
mov    $0x2,%esi
callq  401040 <__typeart_alloc_stack@plt>

References

https://reviews.llvm.org/D93376
https://github.com/llvm/llvm-project/blob/release/14.x/llvm/lib/CodeGen/StackColoring.cpp#L163

[ahueck]

entry:
  alloca a;
  alloca b;
B1:
  start(a);
  ++stack;
  end(a);
B2:
  start(b);
  ++stack
  end(b);
fin:
  leave(stack);
  ret void;

Given a and b map to the same stack address X:

stack_vars == {X, X} with map == { X }

Can leave cause errorneous tracking?

[ahueck]

Setting nounwind for all callbacks fails test runtime/24_threads_type_check.cpp with error free on unregistered address.
Tested for Clang-10.

Output without stack lifetime

>> Here we overwrite int32 with class.std::thread:
[Trace] Alloc 0x7fffe060c080 2 int32 4 1 (0x401891) S
[Warning]AllocationTracking.cpp:doAlloc:166:Pointer already in map 0x7fffe060c080 278 class.std::thread 8 1 (0x4018a5)
[Trace] Alloc 0x7fffe060c080 278 class.std::thread 8 1 (0x4018a5) S
<< end
>> Here we overwrite the first int32 with class.std::thread:
[Trace] Alloc 0x7fffe060c070 2 int32 4 1 (0x4018b9) S
[Trace] Alloc 0x7fffe060c064 2 int32 4 1 (0x4018cd) S
[Warning]AllocationTracking.cpp:doAlloc:166:Pointer already in map 0x7fffe060c070 278 class.std::thread 8 1 (0x4018e1)
[Trace] Alloc 0x7fffe060c070 278 class.std::thread 8 1 (0x4018e1) S
<< end

.....
[Trace] Stack after free: 11
[Trace] Freeing stack (11)  11
...
[Trace] Free 0x7fffe060c080 278 class.std::thread 8 1 (0x4018a5)
[Error]AllocationTracking.cpp:operator():214:Free on unregistered address 0x7fffe060c080 (0x401a9f)
[Trace] Free 0x7fffe060c070 278 class.std::thread 8 1 (0x4018e1)
[Trace] Free 0x7fffe060c064 2 int32 4 1 (0x4018cd)
[Error]AllocationTracking.cpp:operator():214:Free on unregistered address 0x7fffe060c070 (0x401a9f)
[Trace] Stack after free: 0

############################################
Allocation type detail (heap, stack, global)
...
2   :    0 ,  2484 ,    0 , int32 
#########################################
Free allocation type detail (heap, stack)
...
2   :    0 ,  2482 , int32   

Output with stack lifetime

[Trace] Alloc 0x7ffecda47888 2 int32 4 1 (0x401902) S
....
[Warning]AllocationTracking.cpp:doAlloc:166:Pointer already in map 0x7ffecda47888 278 class.std::thread 8 1 (0x401936)
[Trace] Alloc 0x7ffecda47888 278 class.std::thread 8 1 (0x401936) S


[Trace] Alloc 0x7ffecda47878 2 int32 4 1 (0x40194d) S
...
[Warning]AllocationTracking.cpp:doAlloc:166:Pointer already in map 0x7ffecda47878 278 class.std::thread 8 1 (0x401986)
[Trace] Free 0x7f6bfc579d1c 2 int32 4 1 (0x401311)
[Trace] Alloc 0x7ffecda47878 278 class.std::thread 8 1 (0x401986) S

.....

[Trace] Stack after free: 11
[Trace] Freeing stack (11)  11
[Trace] Free 0x7ffecda47888 278 class.std::thread 8 1 (0x401936)
[Error]AllocationTracking.cpp:operator():214:Free on unregistered address 0x7ffecda47888 (0x401aaf)
[Trace] Free 0x7ffecda47878 278 class.std::thread 8 1 (0x401986)
[Error]AllocationTracking.cpp:operator():214:Free on unregistered address 0x7ffecda47878 (0x401aaf)
[Trace] Stack after free: 0