[DeviceMSAN] Check use-of-uninitialized value on private memory (#17309)

Support check use-of-uninitialized value on private memory

Author: AllanZyne

clang/lib/Driver/SanitizerArgs.cpp

@@ -1278,6 +1278,9 @@ void SanitizerArgs::addArgs(const ToolChain &TC, const llvm::opt::ArgList &Args,
 
       CmdArgs.push_back("-mllvm");
       CmdArgs.push_back("-msan-eager-checks=1");
+
+      CmdArgs.push_back("-mllvm");
+      CmdArgs.push_back("-msan-poison-stack-with-call=1");
     } else if (Sanitizers.has(SanitizerKind::Thread)) {
       CmdArgs.push_back("-fsanitize=thread");
       // The tsan function entry/exit builtins are used to record stack

libdevice/sanitizer/asan_rtl.cpp

@@ -881,6 +881,8 @@ static __SYCL_CONSTANT__ const char __mem_set_shadow_private_end[] =
 static __SYCL_CONSTANT__ const char __mem_set_shadow_private[] =
     "[kernel] set_shadow_private(beg=%p, end=%p, val:%02X)\n";
 
+// We outline the function of setting shadow memory of private memory, because
+// it may allocate failed on UR
 DEVICE_EXTERN_C_NOINLINE void __asan_set_shadow_private(uptr begin, uptr size,
                                                         char val) {
   if (!__AsanLaunchInfo)

libdevice/sanitizer/msan_rtl.cpp

@@ -1,4 +1,4 @@
-; RUN: opt < %s -passes=msan -msan-instrumentation-with-call-threshold=0 -msan-eager-checks=1 -S | FileCheck %s
+; RUN: opt < %s -passes=msan -msan-instrumentation-with-call-threshold=0 -msan-eager-checks=1 -msan-spir-privates=0 -S | FileCheck %s
 target datalayout = "e-i64:64-v16:16-v24:32-v32:32-v48:64-v96:128-v192:256-v256:256-v512:512-v1024:1024-n8:16:32:64-G1"
 target triple = "spir64-unknown-unknown"
 

llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp

@@ -0,0 +1,35 @@
+; RUN: opt < %s -passes=msan -msan-instrumentation-with-call-threshold=0 -msan-eager-checks=1 -msan-spir-privates=1 -msan-poison-stack-with-call=1 -S | FileCheck %s
+target datalayout = "e-i64:64-v16:16-v24:32-v32:32-v48:64-v96:128-v192:256-v256:256-v512:512-v1024:1024-n8:16:32:64-G1"
+target triple = "spir64-unknown-unknown"
+
+define spir_kernel void @MyKernel() sanitize_memory {
+; CHECK-LABEL: @MyKernel
+entry:
+  %array = alloca [4 x i32], align 4
+  ; CHECK: call void @__msan_poison_stack(ptr %array, i64 16)
+  ret void
+}
+
+%"class.sycl::_V1::range" = type { %"class.sycl::_V1::detail::array" }
+%"class.sycl::_V1::detail::array" = type { [1 x i64] }
+
+define spir_func void @ByValFunc(ptr noundef byval(%"class.sycl::_V1::range") align 8 %_arg_array12) sanitize_memory {
+; CHECK-LABEL: @ByValFunc
+entry:
+  ; CHECK: %0 = ptrtoint ptr %_arg_array12 to i64
+  ; CHECK: %1 = call i64 @__msan_get_shadow(i64 %0, i32 0, ptr addrspace(2) null)
+  ; CHECK: %2 = inttoptr i64 %1 to ptr addrspace(1)
+  ; CHECK: call void @llvm.memset.p1.i64(ptr addrspace(1) align 8 %2, i8 0, i64 8, i1 false)
+  %_arg_array12.ascast = addrspacecast ptr %_arg_array12 to ptr addrspace(4)
+  ret void
+}
+
+define spir_kernel void @ByValKernel(ptr noundef byval(%"class.sycl::_V1::range") align 8 %_arg_array12) sanitize_memory {
+; CHECK-LABEL: @ByValKernel
+entry:
+  ; CHECK: %_arg_array12.byval = alloca %"class.sycl::_V1::range", align 8
+  ; CHECK: call void @__msan_unpoison_stack(ptr %_arg_array12.byval, i64 8), !nosanitize
+  ; CHECK: call void @llvm.memcpy.p0.p0.i64(ptr align 8 %_arg_array12.byval, ptr align 8 %_arg_array12, i64 8, i1 false), !nosanitize
+  call void @ByValFunc(ptr %_arg_array12)
+  ret void
+}

llvm/test/Instrumentation/MemorySanitizer/SPIRV/check_large_access_size.ll

@@ -1,4 +1,4 @@
-; RUN: opt < %s -passes=msan -msan-instrumentation-with-call-threshold=0 -msan-eager-checks=1 -msan-spir-locals=1 -S | FileCheck %s
+; RUN: opt < %s -passes=msan -msan-instrumentation-with-call-threshold=0 -msan-eager-checks=1 -msan-spir-locals=1 -msan-spir-privates=0 -S | FileCheck %s
 target datalayout = "e-i64:64-v16:16-v24:32-v32:32-v48:64-v96:128-v192:256-v256:256-v512:512-v1024:1024-n8:16:32:64-G1"
 target triple = "spir64-unknown-unknown"
 

llvm/test/Instrumentation/MemorySanitizer/SPIRV/check_unsupported_access.ll

@@ -8,20 +8,17 @@
 
 #include <sycl/detail/core.hpp>
 
-__attribute__((noinline)) long long foo(int data1, long long data2) {
+__attribute__((noinline)) int foo(int data1, int data2) {
   return data1 + data2;
 }
 
 int main() {
   sycl::queue q;
 
   sycl::buffer<int, 1> buf1(sycl::range<1>(1));
-  sycl::buffer<long long, 1> buf2(sycl::range<1>(1));
   q.submit([&](sycl::handler &h) {
      auto array1 = buf1.get_access<sycl::access::mode::read_write>(h);
-     auto array2 = buf2.get_access<sycl::access::mode::read_write>(h);
-     h.single_task<class MyKernel>(
-         [=]() { array1[0] = foo(array1[0], array2[0]); });
+     h.single_task<class MyKernel>([=]() { foo(array1[0], array1[0]); });
    }).wait();
   // CHECK: use-of-uninitialized-value
   // CHECK: kernel <{{.*MyKernel}}>

llvm/test/Instrumentation/MemorySanitizer/SPIRV/instrument_private_mem.ll

@@ -0,0 +1,32 @@
+// REQUIRES: linux, cpu || (gpu && level_zero)
+// RUN: %{build} %device_msan_flags -O0 -g -o %t1.out
+// RUN: %{run} not %t1.out 2>&1 | FileCheck %s
+// RUN: %{build} %device_msan_flags -O1 -g -o %t2.out
+// RUN: %{run} not %t2.out 2>&1 | FileCheck %s
+// RUN: %{build} %device_msan_flags -O2 -g -o %t3.out
+// RUN: %{run} not %t3.out 2>&1 | FileCheck %s
+
+#include <sycl/detail/core.hpp>
+#include <sycl/usm.hpp>
+
+__attribute__((noinline)) int check(int p) { return p; }
+__attribute__((noinline)) int foo(int *p) { return check(*p); }
+// CHECK-NOT: [kernel]
+// CHECK: DeviceSanitizer: use-of-uninitialized-value
+// CHECK: #0 {{foo.*}} {{.*single_private.cpp}}:[[@LINE-3]]
+
+int main() {
+  sycl::queue Q;
+  auto *array = sycl::malloc_device<int>(1, Q);
+
+  Q.submit([&](sycl::handler &h) {
+    h.single_task<class MyKernel>([=]() {
+      int p[4];
+      *array += foo(p);
+    });
+  });
+  Q.wait();
+
+  sycl::free(array, Q);
+  return 0;
+}