Svadev mailing list

[John Criswell <criswell AT illinois.edu>]

On 5/31/12 9:34 AM, Baozeng wrote:
> Dear John,
> Also for the same test (int p[33]; p[35]=8), we compile it using
> "clang -fmemsafety ...", run it and it shows:
>
> SAFECode:Violation Type 0x6 when accessing  0x80626f4 at IP=0x80496cf
>
> =======+++++++    SAFECODE RUNTIME ALERT +++++++=======
> = Error type                            :       Load/Store Error
> = CWE ID                                :       120
> = Faulting pointer                      :       0x80626f4
> = Program counter                       :       0x80496cf
> = Fault PC Source                       :       main:1
>
> Then we compile it with "clang -fmemsafety -bbc ...", run it and it
> does not shows any violation.
>
> Then I compare the IR files they generated respectively.
>
> Without BBC, it is:
> @p = common global [33 x i32] zeroinitializer, align 4
>
> define i32 @main() nounwind {
>    call void @fastlscheck_debug(i8* bitcast ([33 x i32]* @p to i8*),
> i8* bitcast (i32* getelementptr inbounds ([33 x i32]* @p, i64 1, i32
> 2) to i8*), i32 132, i32 4, i32 0, i8* getelementptr inbounds ([28 x
> i8]* @sourcefile, i32 0, i32 0), i32 5)
>    store i32 8, i32* getelementptr inbounds ([33 x i32]* @p, i64 1, i32
> 2), align 4, !dbg !18
>    ret i32 0, !dbg !20
> }
>
> With BBC, it is:
>
> @p = common global { [33 x i32], [116 x i8], { i32, i32* } }
> zeroinitializer, align 256
>
> define i32 @main() nounwind {
>    call void @fastlscheck_debug(i8* bitcast ({ [33 x i32], [116 x i8],
> { i32, i32* } }* @p to i8*), i8* bitcast (i32* getelementptr inbounds
> ([33 x i32]* getelementptr inbounds ({ [33 x i32], [116 x i8], { i32,
> i32* } }* @p, i32 0, i32 0), i64 1, i32 2) to i8*), i32 132, i32 4,
> i32 0, i8* getelementptr inbounds ({ [28 x i8], [28 x i8], { i32, i32*
> } }* @sourcefile, i32 0, i32 0, i32 0), i32 5)
>
>    store i32 8, i32* getelementptr inbounds ([33 x i32]* getelementptr
> inbounds ({ [33 x i32], [116 x i8], { i32, i32* } }* @p, i32 0, i32
> 0), i64 1, i32 2), align 4, !dbg !18
>    ret i32 0, !dbg !20
> }
>
> So I think fastlscheck_debug does not work for BBC, am I right?

The fastlscheck_debug should work for BBC.  It is not clear to me why it 
doesn't.  That's something that will need to get fixed.

> I am also confused by so many "getelementptr" instructions in the
> argument of fastlscheck_debug function.

That is expected.  Since you're placing variables into a structure to 
pad them, you need to add getelementptr instructions or constant 
expressions to access them.  The code in BaggyBoundsChecking.cpp already 
does that.

>   Another thing, in the test
> file, there is  p[

> ]=8, why in the store instruction above, there is
> no 35?

The getelementptr operations are doing the pointer arithmetic, so you 
won't see it there.  The GEPs do the indexing, and looking at the 
indices, they are a little odd but correct (instead of indexing by 32, 
they pretend the pointer is a multi-dimensional array of and index into 
the second element of the second row.

-- John T.