[msan] Add experimental '-mllvm -msan-print-faulting-instruction'

This adds an experimental flag, -mllvm -msan-print-faulting-instruction,
which will print the LLVM instruction that resulted in an MSan UUM
report.

Although MSan UUM reports will print out the line and column number
(assuming symbolization is available), inlining, macros and LLVM
"auto-upgraded" intrinsics can obscure the root cause.

This patch adds a test case,
compiler-rt/test/msan/print_faulting_inst.cpp, which illustrates that
-msan-print-faulting-instruction can provide more information than line
and column number.

Author: thurstond

compiler-rt/lib/msan/msan.cpp

@@ -352,6 +352,29 @@ void __sanitizer::BufferedStackTrace::UnwindImpl(
 
 using namespace __msan;
 
+#define PRINT_FAULTING_INSTRUCTION(instname)                          \
+  Printf("Instruction that failed the shadow check: %s\n", instname); \
+  Printf("\n");
+
+#define MSAN_MAYBE_WARNING_INSTNAME(type, size, instname)                    \
+  void __msan_maybe_warning_instname_##size(type s, u32 o, char *instname) { \
+    GET_CALLER_PC_BP;                                                        \
+    if (UNLIKELY(s)) {                                                       \
+      if (instname)                                                          \
+        PRINT_FAULTING_INSTRUCTION(instname);                                \
+      PrintWarningWithOrigin(pc, bp, o);                                     \
+      if (__msan::flags()->halt_on_error) {                                  \
+        Printf("Exiting\n");                                                 \
+        Die();                                                               \
+      }                                                                      \
+    }                                                                        \
+  }
+
+MSAN_MAYBE_WARNING_INSTNAME(u8, 1, instname)
+MSAN_MAYBE_WARNING_INSTNAME(u16, 2, instname)
+MSAN_MAYBE_WARNING_INSTNAME(u32, 4, instname)
+MSAN_MAYBE_WARNING_INSTNAME(u64, 8, instname)
+
 #define MSAN_MAYBE_WARNING(type, size)              \
   void __msan_maybe_warning_##size(type s, u32 o) { \
     GET_CALLER_PC_BP;                               \
@@ -426,6 +449,57 @@ void __msan_warning_with_origin_noreturn(u32 origin) {
   Die();
 }
 
+// We duplicate the non _instname function's body because we don't want to
+// pollute the stack traces with an additional function call.
+//
+// We can't use a simple macro wrapper, because the instrumentation pass
+// expects function symbols.
+// We don't add instname as a parameter everywhere (with a check whether the
+// value is null) to avoid polluting the fastpath.
+void __msan_warning_instname(char *instname) {
+  PRINT_FAULTING_INSTRUCTION(instname);
+  GET_CALLER_PC_BP;
+  PrintWarningWithOrigin(pc, bp, 0);
+  if (__msan::flags()->halt_on_error) {
+    if (__msan::flags()->print_stats)
+      ReportStats();
+    Printf("Exiting\n");
+    Die();
+  }
+}
+
+void __msan_warning_noreturn_instname(char *instname) {
+  PRINT_FAULTING_INSTRUCTION(instname);
+  GET_CALLER_PC_BP;
+  PrintWarningWithOrigin(pc, bp, 0);
+  if (__msan::flags()->print_stats)
+    ReportStats();
+  Printf("Exiting\n");
+  Die();
+}
+
+void __msan_warning_with_origin_instname(u32 origin, char *instname) {
+  PRINT_FAULTING_INSTRUCTION(instname);
+  GET_CALLER_PC_BP;
+  PrintWarningWithOrigin(pc, bp, origin);
+  if (__msan::flags()->halt_on_error) {
+    if (__msan::flags()->print_stats)
+      ReportStats();
+    Printf("Exiting\n");
+    Die();
+  }
+}
+
+void __msan_warning_with_origin_noreturn_instname(u32 origin, char *instname) {
+  PRINT_FAULTING_INSTRUCTION(instname);
+  GET_CALLER_PC_BP;
+  PrintWarningWithOrigin(pc, bp, origin);
+  if (__msan::flags()->print_stats)
+    ReportStats();
+  Printf("Exiting\n");
+  Die();
+}
+
 static void OnStackUnwind(const SignalContext &sig, const void *,
                           BufferedStackTrace *stack) {
   stack->Unwind(StackTrace::GetNextInstructionPc(sig.pc), sig.bp, sig.context,

compiler-rt/lib/msan/msan_interface_internal.h

@@ -30,12 +30,18 @@ void __msan_init();
 SANITIZER_INTERFACE_ATTRIBUTE
 void __msan_warning();
 
+SANITIZER_INTERFACE_ATTRIBUTE
+void __msan_warning_instname(char *instname);
+
 // Print a warning and die.
 // Instrumentation inserts calls to this function when building in "fast" mode
 // (i.e. -mllvm -msan-keep-going)
 SANITIZER_INTERFACE_ATTRIBUTE __attribute__((noreturn))
 void __msan_warning_noreturn();
 
+SANITIZER_INTERFACE_ATTRIBUTE __attribute__((noreturn)) void
+__msan_warning_noreturn_instname(char *instname);
+
 using __sanitizer::uptr;
 using __sanitizer::sptr;
 using __sanitizer::uu64;
@@ -49,8 +55,13 @@ using __sanitizer::u8;
 // Versions of the above which take Origin as a parameter
 SANITIZER_INTERFACE_ATTRIBUTE
 void __msan_warning_with_origin(u32 origin);
+SANITIZER_INTERFACE_ATTRIBUTE
+void __msan_warning_with_origin_instname(u32 origin, char *instname);
+
 SANITIZER_INTERFACE_ATTRIBUTE __attribute__((noreturn)) void
 __msan_warning_with_origin_noreturn(u32 origin);
+SANITIZER_INTERFACE_ATTRIBUTE __attribute__((noreturn)) void
+__msan_warning_with_origin_noreturn_instname(u32 origin, char *instname);
 
 SANITIZER_INTERFACE_ATTRIBUTE
 void __msan_maybe_warning_1(u8 s, u32 o);
@@ -61,6 +72,15 @@ void __msan_maybe_warning_4(u32 s, u32 o);
 SANITIZER_INTERFACE_ATTRIBUTE
 void __msan_maybe_warning_8(u64 s, u32 o);
 
+SANITIZER_INTERFACE_ATTRIBUTE
+void __msan_maybe_warning_1_instname(u8 s, u32 o, char *instname);
+SANITIZER_INTERFACE_ATTRIBUTE
+void __msan_maybe_warning_2_instname(u16 s, u32 o, char *instname);
+SANITIZER_INTERFACE_ATTRIBUTE
+void __msan_maybe_warning_4_instname(u32 s, u32 o, char *instname);
+SANITIZER_INTERFACE_ATTRIBUTE
+void __msan_maybe_warning_8_instname(u64 s, u32 o, char *instname);
+
 SANITIZER_INTERFACE_ATTRIBUTE
 void __msan_maybe_store_origin_1(u8 s, void *p, u32 o);
 SANITIZER_INTERFACE_ATTRIBUTE

compiler-rt/test/msan/print_faulting_inst.cpp

@@ -0,0 +1,83 @@
+// Try parameter '0' (program runs cleanly)
+// -------------------------------------------------------
+// RUN: %clangxx_msan -g %s -o %t && %run %t 0
+
+// Try parameter '1'
+// -------------------------------------------------------
+// RUN: %clangxx_msan -g %s -o %t && not %run %t 1 >%t.out 2>&1
+// RUN: FileCheck --check-prefix STORE-CHECK %s < %t.out
+
+// RUN: %clangxx_msan -mllvm -msan-print-faulting-instruction=1 -g %s -o %t && not %run %t 1 >%t.out 2>&1
+// RUN: FileCheck --check-prefixes VERBOSE-STORE-CHECK,STORE-CHECK %s < %t.out
+
+// RUN: %clangxx_msan -mllvm -msan-print-faulting-instruction=2 -g %s -o %t && not %run %t 1 >%t.out 2>&1
+// RUN: FileCheck --check-prefixes VERY-VERBOSE-STORE-CHECK,STORE-CHECK %s < %t.out
+
+// Try parameter '2', with -fsanitize-memory-param-retval
+// -------------------------------------------------------
+// RUN: %clangxx_msan -fsanitize-memory-param-retval -g %s -o %t && not %run %t 2 >%t.out 2>&1
+// RUN: FileCheck --check-prefix PARAM-CHECK %s < %t.out
+
+// RUN: %clangxx_msan -fsanitize-memory-param-retval -mllvm -msan-print-faulting-instruction=1 -g %s -o %t && not %run %t 2 >%t.out 2>&1
+// RUN: FileCheck --check-prefixes VERBOSE-PARAM-CHECK,PARAM-CHECK %s < %t.out
+
+// RUN: %clangxx_msan -fsanitize-memory-param-retval -mllvm -msan-print-faulting-instruction=2 -g %s -o %t && not %run %t 2 >%t.out 2>&1
+// RUN: FileCheck --check-prefixes VERY-VERBOSE-PARAM-CHECK,PARAM-CHECK %s < %t.out
+
+// Try parameter '2', with -fno-sanitize-memory-param-retval
+// -------------------------------------------------------
+// RUN: %clangxx_msan -fno-sanitize-memory-param-retval -g %s -o %t && not %run %t 2 >%t.out 2>&1
+// RUN: FileCheck --check-prefix NO-PARAM-CHECK %s < %t.out
+
+// RUN: %clangxx_msan -fno-sanitize-memory-param-retval -mllvm -msan-print-faulting-instruction=1 -g %s -o %t && not %run %t 2 >%t.out 2>&1
+// RUN: FileCheck --check-prefixes VERBOSE-NO-PARAM-CHECK,NO-PARAM-CHECK %s < %t.out
+
+// RUN: %clangxx_msan -fno-sanitize-memory-param-retval -mllvm -msan-print-faulting-instruction=2 -g %s -o %t && not %run %t 2 >%t.out 2>&1
+// RUN: FileCheck --check-prefixes VERY-VERBOSE-NO-PARAM-CHECK,NO-PARAM-CHECK %s < %t.out
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#define THRICE(o,t) twice(o,t)
+
+__attribute__((noinline)) extern "C" int twice(int o, int t) {
+  return o + t < 3;
+}
+
+int main(int argc, char *argv[]) {
+  int buf[100];
+  buf[0] = 42;
+  buf[1] = 43;
+
+  if (argc != 2) {
+    printf("Usage: %s index\n", argv[0]);
+    return 1;
+  }
+
+  int index = atoi(argv[1]);
+  int val = buf[index];
+
+  printf("index %d, abs(val) %d, THRICE(val,5) %d\n", index, abs(val), THRICE(val,5));
+  // VERY-VERBOSE-PARAM-CHECK: Instruction that failed the shadow check: %{{.*}} = call noundef i32 @twice(i32 noundef %{{.*}}, i32 noundef 5)
+  // VERBOSE-PARAM-CHECK: Instruction that failed the shadow check: call twice
+  // PARAM-CHECK: WARNING: MemorySanitizer: use-of-uninitialized-value
+  // PARAM-CHECK: {{#0 0x.* in main .*print_faulting_inst.cpp:}}[[@LINE-4]]
+
+  if (val)
+    // VERY-VERBOSE-NO-PARAM-CHECK: Instruction that failed the shadow check:  br i1 %{{.*}}, label %{{.*}}, label %{{.*}}
+    // VERBOSE-NO-PARAM-CHECK: Instruction that failed the shadow check: br
+    // NO-PARAM-CHECK: WARNING: MemorySanitizer: use-of-uninitialized-value
+    // NO-PARAM-CHECK: {{#0 0x.* in main .*print_faulting_inst.cpp:}}[[@LINE-4]]
+    printf("Variable is non-zero\n");
+  else
+    printf("Variable is zero\n");
+
+  int nextval = buf[index + 1];
+  buf[nextval + abs(index)] = twice(index,6);
+  // VERY-VERBOSE-STORE-CHECK: Instruction that failed the shadow check: store i32 %{{.*}}, ptr %{{.*}}
+  // VERBOSE-STORE-CHECK: Instruction that failed the shadow check: store
+  // STORE-CHECK: WARNING: MemorySanitizer: use-of-uninitialized-value
+  // STORE-CHECK: {{#0 0x.* in main .*print_faulting_inst.cpp:}}[[@LINE-4]]
+
+  return 0;
+}