[hw-fuzzing] Turn MSan into bit-precise DFSan

Teemperor · AlviseDeFaveri · commit e0eee8478f9c · 2025-02-13T19:19:59.000Z
diff --git a/clang/lib/CodeGen/BackendUtil.cpp b/clang/lib/CodeGen/BackendUtil.cpp
@@ -696,6 +696,24 @@ static void addSanitizers(const Triple &TargetTriple,
 
     if (LangOpts.Sanitize.has(SanitizerKind::DataFlow)) {
       MPM.addPass(DataFlowSanitizerPass(LangOpts.NoSanitizeFiles));
+
+// PHANTOM_TRAILS
+      if (Level != OptimizationLevel::O0) {
+        FunctionPassManager FPM = PB.buildFunctionSimplificationPipeline(Level,
+                                                                         ThinOrFullLTOPhase::FullLTOPreLink);
+        MPM.addPass(createModuleToFunctionPassAdaptor(std::move(FPM)));
+      }
+// END PHANTOM_TRAILS
+    }
+
+    if (LangOpts.Sanitize.has(SanitizerKind::Memory)) {
+// PHANTOM_TRAILS
+      if (Level != OptimizationLevel::O0) {
+        FunctionPassManager FPM = PB.buildFunctionSimplificationPipeline(Level,
+                                                                         ThinOrFullLTOPhase::FullLTOPreLink);
+        MPM.addPass(createModuleToFunctionPassAdaptor(std::move(FPM)));
+      }
+// END
     }
   });
 }
diff --git a/compiler-rt/include/tainting.h b/compiler-rt/include/tainting.h
@@ -0,0 +1,43 @@
+#ifndef TAINTING_H
+#define TAINTING_H
+
+#include <cstdint>
+#include <cstdio>
+#include <cstring>
+
+class Tainting {
+  __attribute__((no_sanitize("memory", "dataflow")))
+  static char *toShadowAddr(void *ptr) {
+    return (char *)((intptr_t)(ptr) ^ 0x500000000000);
+  }
+
+public:
+  __attribute__((no_sanitize("memory", "dataflow")))
+  static void taintPtr(void *ptr, unsigned size) {
+    memset(toShadowAddr(ptr), 0xff, size);
+  }
+
+  __attribute__((no_sanitize("memory", "dataflow")))
+  static void untaintPtr(void *ptr, unsigned size) {
+    memset(toShadowAddr(ptr), 0x0, size);
+  }
+
+  __attribute__((no_sanitize("memory", "dataflow")))
+  static void taintBits(uint8_t *byte, uint8_t lbl) {
+    memset(toShadowAddr(byte), lbl, 1);
+  }
+
+  [[nodiscard]]
+  __attribute__((no_sanitize("memory", "dataflow")))
+  static bool check(void *ptr, unsigned size) {
+    char *addr = toShadowAddr(ptr);
+    char *end = addr + size;
+    for (; addr < end; ++addr) {
+      if (*addr != 0)
+        return true;
+    }
+    return false;
+  }
+};
+
+#endif // TAINTING_H
diff --git a/compiler-rt/lib/msan/msan_flags.inc b/compiler-rt/lib/msan/msan_flags.inc
@@ -18,17 +18,17 @@
 
 MSAN_FLAG(int, exit_code, -1,
           "DEPRECATED. Use exitcode from common flags instead.")
-MSAN_FLAG(int, origin_history_size, Origin::kMaxDepth, "")
-MSAN_FLAG(int, origin_history_per_stack_limit, 20000, "")
+MSAN_FLAG(int, origin_history_size, 0, "")
+MSAN_FLAG(int, origin_history_per_stack_limit, 0, "")
 MSAN_FLAG(bool, poison_heap_with_zeroes, false, "")
 MSAN_FLAG(bool, poison_stack_with_zeroes, false, "")
-MSAN_FLAG(bool, poison_in_malloc, true, "")
-MSAN_FLAG(bool, poison_in_free, true, "")
-MSAN_FLAG(bool, poison_in_dtor, true, "")
-MSAN_FLAG(bool, report_umrs, true, "")
+MSAN_FLAG(bool, poison_in_malloc, false, "")
+MSAN_FLAG(bool, poison_in_free, false, "")
+MSAN_FLAG(bool, poison_in_dtor, false, "")
+MSAN_FLAG(bool, report_umrs, false, "")
 MSAN_FLAG(bool, wrap_signals, true, "")
 MSAN_FLAG(bool, print_stats, false, "")
-MSAN_FLAG(bool, halt_on_error, !&__msan_keep_going, "")
-MSAN_FLAG(bool, atexit, false, "")
-MSAN_FLAG(int, store_context_size, 20,
+MSAN_FLAG(bool, halt_on_error, false, "")
+MSAN_FLAG(bool, atexit, true, "")
+MSAN_FLAG(int, store_context_size, 0,
           "Like malloc_context_size, but for uninit stores.")
diff --git a/llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp b/llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp
@@ -1541,7 +1541,9 @@ bool DataFlowSanitizer::runImpl(Module &M) {
         // DFSanVisitor may delete Inst, so keep track of whether it was a
         // terminator.
         bool IsTerminator = Inst->isTerminator();
-        if (!DFSF.SkipInsts.count(Inst))
+
+        if (!DFSF.SkipInsts.count(Inst) &&
+            !Inst->hasMetadata(LLVMContext::MD_nosanitize))
           DFSanVisitor(DFSF).visit(Inst);
         if (IsTerminator)
           break;
diff --git a/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp b/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
@@ -227,7 +227,7 @@ static cl::opt<bool> ClKeepGoing("msan-keep-going",
 
 static cl::opt<bool> ClPoisonStack("msan-poison-stack",
        cl::desc("poison uninitialized stack variables"),
-       cl::Hidden, cl::init(true));
+       cl::Hidden, cl::init(false));
 
 static cl::opt<bool> ClPoisonStackWithCall("msan-poison-stack-with-call",
        cl::desc("poison uninitialized stack variables with a call"),
@@ -239,7 +239,7 @@ static cl::opt<int> ClPoisonStackPattern("msan-poison-stack-pattern",
 
 static cl::opt<bool> ClPoisonUndef("msan-poison-undef",
        cl::desc("poison undef temps"),
-       cl::Hidden, cl::init(true));
+       cl::Hidden, cl::init(false));
 
 static cl::opt<bool> ClHandleICmp("msan-handle-icmp",
        cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
@@ -279,7 +279,7 @@ static cl::opt<bool> ClHandleAsmConservative(
 // be zeroed. As of 2012-08-28 this flag adds 20% slowdown.
 static cl::opt<bool> ClCheckAccessAddress("msan-check-access-address",
        cl::desc("report accesses through a pointer which has poisoned shadow"),
-       cl::Hidden, cl::init(true));
+       cl::Hidden, cl::init(false));
 
 static cl::opt<bool> ClEagerChecks(
     "msan-eager-checks",
@@ -650,10 +650,10 @@ template <class T> T getOptOrDefault(const cl::opt<T> &Opt, T Default) {
 
 MemorySanitizerOptions::MemorySanitizerOptions(int TO, bool R, bool K,
                                                bool EagerChecks)
-    : Kernel(getOptOrDefault(ClEnableKmsan, K)),
-      TrackOrigins(getOptOrDefault(ClTrackOrigins, Kernel ? 2 : TO)),
-      Recover(getOptOrDefault(ClKeepGoing, Kernel || R)),
-      EagerChecks(getOptOrDefault(ClEagerChecks, EagerChecks)) {}
+    : Kernel(false), // BFSAN: Overwrite defaults.
+      TrackOrigins(false),
+      Recover(true),
+      EagerChecks(false) {}
 
 PreservedAnalyses MemorySanitizerPass::run(Function &F,
                                            FunctionAnalysisManager &FAM) {
@@ -1208,6 +1208,8 @@ struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
 
   /// Helper function to insert a warning at IRB's current insert point.
   void insertWarningFn(IRBuilder<> &IRB, Value *Origin) {
+    return; // BFSAN: Ignore taint checks.
+
     if (!Origin)
       Origin = (Value *)IRB.getInt32(0);
     assert(Origin->getType()->isIntegerTy());
@@ -1791,6 +1793,8 @@ struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
   /// This location will be later instrumented with a check that will print a
   /// UMR warning in runtime if the value is not fully defined.
   void insertShadowCheck(Value *Val, Instruction *OrigIns) {
+    return; // BFSAN: Disable checks
+
     assert(Val);
     Value *Shadow, *Origin;
     if (ClCheckConstantShadow) {
@@ -2323,37 +2327,8 @@ struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
   /// Sometimes the comparison result is known even if some of the bits of the
   /// arguments are not.
   void handleEqualityComparison(ICmpInst &I) {
-    IRBuilder<> IRB(&I);
-    Value *A = I.getOperand(0);
-    Value *B = I.getOperand(1);
-    Value *Sa = getShadow(A);
-    Value *Sb = getShadow(B);
-
-    // Get rid of pointers and vectors of pointers.
-    // For ints (and vectors of ints), types of A and Sa match,
-    // and this is a no-op.
-    A = IRB.CreatePointerCast(A, Sa->getType());
-    B = IRB.CreatePointerCast(B, Sb->getType());
-
-    // A == B  <==>  (C = A^B) == 0
-    // A != B  <==>  (C = A^B) != 0
-    // Sc = Sa | Sb
-    Value *C = IRB.CreateXor(A, B);
-    Value *Sc = IRB.CreateOr(Sa, Sb);
-    // Now dealing with i = (C == 0) comparison (or C != 0, does not matter now)
-    // Result is defined if one of the following is true
-    // * there is a defined 1 bit in C
-    // * C is fully defined
-    // Si = !(C & ~Sc) && Sc
-    Value *Zero = Constant::getNullValue(Sc->getType());
-    Value *MinusOne = Constant::getAllOnesValue(Sc->getType());
-    Value *Si =
-      IRB.CreateAnd(IRB.CreateICmpNE(Sc, Zero),
-                    IRB.CreateICmpEQ(
-                      IRB.CreateAnd(IRB.CreateXor(Sc, MinusOne), C), Zero));
-    Si->setName("_msprop_icmp");
-    setShadow(&I, Si);
-    setOriginForNaryOp(I);
+    setShadow(&I, getCleanShadow(&I));
+    setOrigin(&I, getCleanOrigin());
   }
 
   /// Build the lowest possible value of V, taking into account V's
@@ -3970,7 +3945,7 @@ struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
       Sa1 = IRB.CreateOr({IRB.CreateXor(C, D), Sc, Sd});
     }
     Value *Sa = IRB.CreateSelect(Sb, Sa1, Sa0, "_msprop_select");
-    setShadow(&I, Sa);
+    setShadow(&I, Sa0); // BFSAN: Avoid checking condition taint.
     if (MS.TrackOrigins) {
       // Origins are always i32, so any vector conditions must be flattened.
       // FIXME: consider tracking vector origins for app vectors?
@@ -4008,7 +3983,8 @@ struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
   }
 
   void visitGetElementPtrInst(GetElementPtrInst &I) {
-    handleShadowOr(I);
+    setShadow(&I, getCleanShadow(&I));
+    setOrigin(&I, getCleanOrigin());
   }
 
   void visitExtractValueInst(ExtractValueInst &I) {
