Research Article

Tag-Protector: An Effective and Dynamic Detection of Illegal Memory Accesses through Compile Time Code Instrumentation

Listing 4

LLVM-IR code (instrumented with tag-protection pass) for C code presented in Listing 2.
//Dedicated Tag address creation for dangling pointer checks
; Tag-protector instrumentation of a loop that stores a null pointer into
; consecutive pointer-sized slots of an 800-byte heap buffer. The loop runs
; 101 times (indvars.iv = 0..100, see the `icmp slt i32 %10, 101` exit test on
; line 42), so the final store targets buffer+800, which is exactly the end
; tag and is caught by the overwrite check below. The enclosing `define` line
; is not part of this listing.
; NOTE(review): the `*` of pointer types such as i8* / i8** appears to have
; been dropped when the listing was rendered (compare `i8***  @buffer` on
; line 20, where it survived); read the types accordingly.
; @globaltag -> a 2-byte malloc'd cell holding the byte 107. Its address is
; compared against a buffer's end tag (line 28) to flag a freed/dangling
; buffer; the free-side update that sets a tag to this address is not in
; this listing -- presumably done by the pass on free().
1:  %0 = tail call noalias i8  @malloc(i64 2)
2:  store volatile i8  %0, i8  @globaltag, align 8
3:  %1 = load volatile i8  @globaltag, align 8
4:  store volatile i8 107, i8  %1, align 1
; The application's own buffer: 800 bytes = 100 slots of 8 bytes.
5:  %call = tail call noalias i8  @malloc (i64 800) #1
6:  %2 = bitcast i8  %call to i8
7:  store i8  %2, i8  @buffer, align 8
  //Tag marks creation
; end tag   = buffer + 800 (one past the last valid byte)
; start tag = buffer - 1   (one before the first valid byte)
; Both live in volatile globals and are reloaded on the loop back-edge
; (lines 45-46) rather than kept in SSA values across iterations.
8:  %3 = ptrtoint i8  %call to i64
9:  %add3 = add i64 %3, 800
10:  %t_tag4 = inttoptr i64 %add3 to i8
11:  store volatile i8  %t_tag4, i8  @buffer_glb_tag_end, align 8
12:  %sub5 = add i64 %3, -1
13:  %t_a6 = inttoptr i64 %sub5 to i8
14:  store volatile i8  %t_a6, i8  @buffer_glb_tag_start, align 8
15:  br label %for.body
; Loop header. Each tag enters as a phi: the freshly computed value on the
; first trip (from %entry), the reloaded global on every later trip.
16:  for.body:; preds = %t_bf.exit.for.body_crit_edge, %entry
17:  %load_tag_end = phi i8  [%load_tag_end.pr,
  %t_bf.exit.for.body_crit_edge],[%t_tag4, %entry]
18:  %load_tag_start = phi i8  [%load_tag_start.pre,
  %t_bf.exit.for.body_crit_edge],[%t_a6, %entry]
19:  % indvars.iv = phi i64
  [%indvars.iv.next,%t_bf.exit.for.body_crit_edge],[0,%entry]
; %arrayidx = &buffer[i]; the address whose store is checked below.
20:  %4 = load i8***  @buffer, align 8
21:  %arrayidx = getelementptr inbounds i8  %4, i64 %indvars.iv
  //Tag marks check instructions before STORE instruction
; %5 and %6 are computed here but the comparisons below use the pointer
; values directly (ult/ule on pointers), so they are effectively unused.
22:  %5 = ptrtoint i8  %load_tag_start to i64
23:  %6 = ptrtoint i8  %arrayidx to i64
; Check 0: a null end tag bypasses the whole check and the store proceeds
; unverified, i.e. a buffer whose tags were never set is unprotected.
24:  %cmp_null_chk.i = icmp eq i8  %load_tag_end, null
25:  br i1 %cmp_null_chk.i, label %tag_check_storeinst_bf.exit,label %entry.i
26:entry.i:; preds = %for.body
; Check 1 (dangling pointer): end tag == @globaltag means the buffer was
; released -> abort.
27:  %7 = load i8  @globaltag, align 8
28:  %cmp.i = icmp eq i8  %7, %load_tag_end
29:  br i1 %cmp.i, label %abortBB_funheap.i, label %if.else.i
30:if.else.i:; preds = %entry.i
; Check 2 (overwrite): require p < end tag (unsigned, as addresses must be);
; p == buffer+800 fails here, which is what the 101st iteration hits.
31:  %8 = bitcast i8  %load_tag_end to i8
32:  %cmp2.i = icmp ult i8  %arrayidx, %8
33:  br i1 %cmp2.i, label %if.else5.i, label %abortBB_heap_overwrite.i
34:if.else5.i:; preds = %if.else.i
; Check 3 (underwrite): p <= start tag (= buffer-1) -> abort.
; Together: the access is allowed iff buffer-1 < p < buffer+800.
35:  %9 = bitcast i8  %load_tag_start to i8
36:  %cmp6.i = icmp ule i8  %arrayidx, %9
37:  br i1 %cmp6.i, label %abortBB_heap_underwrite.i,
  label %tag_check_storeinst_bf.exit
38:tag_check_storeinst_bf.exit :; preds = %if.else5.i, %for.body
; The guarded store: buffer[i] = NULL (8 bytes, align 8).
; NOTE(review): the checks above compare only the first byte of the access
; (%arrayidx) against the tags, not first byte + access width. An 8-byte
; store starting below the end tag but extending past it would pass. Not
; reachable in this loop (the 8-byte stride means every store either lies
; fully inside or starts exactly at the end tag), but it matters for the
; scheme applied to accesses of other widths or unaligned offsets.
39:  store i8  null, i8  %arrayidx, align 8
; Loop counter: i++ ; continue while (int)i < 101.
40:  %indvars.iv.next = add nuw nsw i64 %indvars.iv, 1
41:  %10 = trunc i64 %indvars.iv.next to i32
42:  %cmp = icmp slt i32 %10, 101
43:  br i1 %cmp, label %t_bf.exit.for.body_crit_edge, label %for.end
; Back-edge: re-read both tags from their globals before the next trip so a
; tag changed elsewhere (e.g. on release) is observed by the next check.
44:t_bf.exit.for.body_crit_edge:; preds = %tag_check_storeinst_bf.exit
45:  %load_tag_start.pre = load i8  @buffer_glb_tag_start, align 8
46:  %load_tag_end.pr = load i8  @buffer_glb_tag_end, align 8
47:  br label %for.body
48:for.end:; preds = %tag_check_storeinst_bf.exit
49:  ret i32 0