[PR] Stack Instrumentation Fixup#196
Open
elazaro-riverside wants to merge 60 commits into
added 5 commits
April 28, 2026 08:39
…as with typedPtr not paddedAlloca.
271bc1b to bf74fa1
added 8 commits
April 28, 2026 08:46
…n not whole program.
…on fixes build problems.
…t to have whole program instrumentation with low overhead.
added 11 commits
April 29, 2026 10:46
…loca or the padded version?
… with one value in them.
…basic block and only contain a single element in them.
added 8 commits
May 13, 2026 13:48
…alloca instruction is a statically sized array or dynamically sized array alloca.
…s during compilation for extra debugging and readability.
…e_transformed_array_alloca if the type is not an array type.
…h sizes greater than 1.
…etter approach than using size. This commit removes commented code and formats using clang-format.
added 15 commits
May 14, 2026 13:35
…has occurred to prevent instruction insertion invalidation.
…tor datastructure.
…individual hasStart and hasEnd.
…llocas in stack instrumentation.
…hanism and CFG sensitive alloca tracking works.
…ores that have cve.noinstrument metadata attached.
added 2 commits
May 19, 2026 13:41
…lude glaze_INSTALL command reflecting the latest change in the subproject.
…ed for shadow slots to skip instrumentation.
This PR fixes inconsistencies with our stack instrumentation approach. During the E-BOSS PI meeting, we observed that the stack instrumentation was inconsistent for the challenge problems supplied by TA2.
The implementation before this PR tried to pad each LLVM stack allocation (`alloca`) instruction with an additional byte to act as a guard bit between allocations. There was an effort to implement the padding using a struct with an additional `i8` field, but LLVM's optimizations would change the layout of the transformed `alloca`, causing the instrumentation to be inconsistent. Changing the form of the `alloca` is dangerous because LLVM applies optimizations based on its shape and size. The solution we arrived at takes the original array type `alloca` and creates another `alloca` with `[N + 1 x T]` elements in it by creating a new `alloca` with a new shape. Getting this right was tricky but now it works. In the non-constant size case, we need to insert an `add` instruction after the size argument is zero-extended but before the allocation occurs.

We also realized in the challenge problems that Clang lowers VLAs (variable length arrays) into `alloca`s of a single type and a non-constant argument. This also caused issues for the instrumentation because we had not considered handling VLAs, which live on the stack but have dynamic sizing.

An additional consideration: it is possible that an `alloca` is not executed along a particular control flow path even though it appears in the IR. To address this, Jackson proposed a per-function pointer variable (shadow slot) initialized to null. After each instrumented `alloca`, the instrumentation inserts a `store` instruction to store the stack address. At the function epilogue, the instrumentation inserts a `load` instruction to load the pointer from memory and pass it as an argument to `__resolve_invalidate_stack` to invalidate the associated stack region. If the variable remains null the call becomes a no-op, ensuring that no invalid stack deallocation occurs for `alloca`s that were never executed along the taken control flow path.
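As an added illustration (not code from this PR or the project), the three rewrites described above applied to a constructed function with a fixed-size array, a VLA, and a VLA that only runs on one path. The shadow-slot name, the `i32` element type and the opaque-pointer IR form are assumptions, and the `stacksave`/`stackrestore` pairs Clang emits around VLAs are left out.

```llvm
; Constructed example: a frame with `int buf[4]; int vla[n]; if (c) { char tmp[n]; }`
declare void @__resolve_invalidate_stack(ptr)

; --- before instrumentation (shape Clang produces) ---
define void @orig(i32 %n, i1 %c) {
entry:
  %buf = alloca [4 x i32]             ; statically sized array alloca
  %n64 = zext i32 %n to i64
  %vla = alloca i32, i64 %n64         ; VLA: single element type, non-constant count
  br i1 %c, label %then, label %exit
then:
  %tmp = alloca i8, i64 %n64          ; present in the IR, executed only when %c is true
  br label %exit
exit:
  ret void
}

; --- after instrumentation ---
define void @instr(i32 %n, i1 %c) {
entry:
  %shadow = alloca ptr                ; per-function shadow slot (hypothetical name)
  store ptr null, ptr %shadow         ; null means the epilogue call is a no-op
  %buf = alloca [5 x i32]             ; [N x T] -> [N+1 x T]: the extra element is the guard
  store ptr %buf, ptr %shadow
  %n64 = zext i32 %n to i64
  %n1 = add i64 %n64, 1               ; add inserted after the zext, before the alloca
  %vla = alloca i32, i64 %n1
  store ptr %vla, ptr %shadow
  br i1 %c, label %then, label %exit
then:
  %n2 = add i64 %n64, 1
  %tmp = alloca i8, i64 %n2
  store ptr %tmp, ptr %shadow         ; recorded only on the path that actually runs it
  br label %exit
exit:
  %p = load ptr, ptr %shadow          ; last executed alloca, or null if none ran
  call void @__resolve_invalidate_stack(ptr %p)
  ret void
}
```

Because the slot is written only by the `store` that follows an executed `alloca`, the `exit` block sees null on the path where `%c` is false and no stack region for `%tmp` is ever invalidated.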