https://github.com/gbMattN updated https://github.com/llvm/llvm-project/pull/166170
>From 3c695df1dfd1c042c18f14e0465afb49e595eb2a Mon Sep 17 00:00:00 2001 From: gbMattN <[email protected]> Date: Fri, 31 Oct 2025 21:02:34 +0000 Subject: [PATCH 1/5] [TySan][Clang] Add clang flag to use tysan outlined instrumentation and update docs --- clang/docs/TypeSanitizer.rst | 27 ++++++++++++++++--- clang/docs/UsersManual.rst | 9 +++++++ clang/include/clang/Driver/Options.td | 12 +++++++++ clang/include/clang/Driver/SanitizerArgs.h | 2 ++ clang/lib/Driver/SanitizerArgs.cpp | 20 ++++++++++++++ clang/test/CodeGen/sanitize-type-outlined.cpp | 23 ++++++++++++++++ 6 files changed, 90 insertions(+), 3 deletions(-) create mode 100644 clang/test/CodeGen/sanitize-type-outlined.cpp diff --git a/clang/docs/TypeSanitizer.rst b/clang/docs/TypeSanitizer.rst index 3c683a6c24bb4..6420d9e1d0ebd 100644 --- a/clang/docs/TypeSanitizer.rst +++ b/clang/docs/TypeSanitizer.rst @@ -20,9 +20,13 @@ code is build with ``-fno-strict-aliasing``, sacrificing performance. TypeSanitizer is built to catch when these strict aliasing rules have been violated, helping users find where such bugs originate in their code despite the code looking valid at first glance. -As TypeSanitizer is still experimental, it can currently have a large impact on runtime speed, -memory use, and code size. It also has a large compile-time overhead. Work is being done to -reduce these impacts. +Typical memory overhead introduced by TypeSanitizer is about **8x**. Runtime slowdown varies greatly +depending on how often the instrumented code relies on type aliasing. In the best case slowdown is +**2x-3x**. + +The compiler instrumentation also has an impact on code size and compilation overhead. There is an +experimental :ref:`instrumentation outlining option<outlining_flag>` which can greatly reduce this +but this may decrease runtime performance. The TypeSanitizer Algorithm =========================== @@ -128,6 +132,23 @@ references to LLVM IR specific terms. Sanitizer features ================== +.. _outlining_flag: + +Instrumentation code outlining +------------------------------ + +By default TypeSanitizer inlines the instrumentation code. This leads to increased +binary size and compilation time. Using the clang flag +``-fsanitize-type-outline-instrumentation`` (default: ``false``) +forces all code instrumentation to be outlined. This reduces the size of the +generated code and reduces compile-time overhead, but it also reduces runtime +performance. + +This outlined instrumentation is new. If you wish to verify that the outlined instrumentation +is behaving in the same way as the inline instrumentation, you can force TypeSanitizer +to use both types of instrumentation. You can use the clang flag +``-fsanitize-type-verify-outlined-instrumentation`` (default: ``false``) to do this. + ``__has_feature(type_sanitizer)`` ------------------------------------ diff --git a/clang/docs/UsersManual.rst b/clang/docs/UsersManual.rst index fb22ad3c90af4..04da152bd0aff 100644 --- a/clang/docs/UsersManual.rst +++ b/clang/docs/UsersManual.rst @@ -2277,6 +2277,15 @@ are listed below. See :doc: `AddressSanitizer` for more details. +.. option:: -f[no-]sanitize-type-outline-instrumentation + + Controls how type sanitizer code is generated. If enabled will always use + a function call instead of inlining the code. Turning this option on may + reduce the binary size and compilation overhead, but might result in a worse + run-time performance. + + See :doc: `TypeSanitizer` for more details. + .. option:: -f[no-]sanitize-stats Enable simple statistics gathering for the enabled sanitizers. diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td index 6e1c9425d8d75..adef9a592b55e 100644 --- a/clang/include/clang/Driver/Options.td +++ b/clang/include/clang/Driver/Options.td @@ -2454,6 +2454,18 @@ def fsanitize_address_outline_instrumentation : Flag<["-"], "fsanitize-address-o def fno_sanitize_address_outline_instrumentation : Flag<["-"], "fno-sanitize-address-outline-instrumentation">, Group<f_clang_Group>, HelpText<"Use default code inlining logic for the address sanitizer">; +def fsanitize_type_outline_instrumentation : Flag<["-"], "fsanitize-type-outline-instrumentation">, + Group<f_clang_Group>, + HelpText<"Always generate function calls for type sanitizer instrumentation">; +def fno_sanitize_type_outline_instrumentation : Flag<["-"], "fno-sanitize-type-outline-instrumentation">, + Group<f_clang_Group>, + HelpText<"Use default code inlining logic for the type sanitizer">; +def fsanitize_type_verify_outlined_instrumentation : Flag<["-"], "fsanitize_type_verify_outlined_instrumentation">, + Group<f_clang_Group>, + HelpText<"Use both inlined and outlined instrumentation for type sanitizer to verify equivilence">; +def fno_sanitize_type_verify_outlined_instrumentation : Flag<["-"], "fno_sanitize_type_verify_outlined_instrumentation">, + Group<f_clang_Group>, + HelpText<"Don't use both inlined and outlined instrumentation for type sanitizer to verify equivilence">; defm sanitize_stable_abi : OptInCC1FFlag<"sanitize-stable-abi", "Stable ", "Conventional ", "ABI instrumentation for sanitizer runtime. Default: Conventional">; diff --git a/clang/include/clang/Driver/SanitizerArgs.h b/clang/include/clang/Driver/SanitizerArgs.h index eea7897e96afd..29569bcf7fa25 100644 --- a/clang/include/clang/Driver/SanitizerArgs.h +++ b/clang/include/clang/Driver/SanitizerArgs.h @@ -67,6 +67,8 @@ class SanitizerArgs { bool TsanFuncEntryExit = true; bool TsanAtomics = true; bool MinimalRuntime = false; + bool TysanOutlineInstrumentation = false; + bool TysanVerifyOutlinedInstrumentation = false; // True if cross-dso CFI support if provided by the system (i.e. Android). bool ImplicitCfiRuntime = false; bool NeedsMemProfRt = false; diff --git a/clang/lib/Driver/SanitizerArgs.cpp b/clang/lib/Driver/SanitizerArgs.cpp index 5dd48f53b9069..c106dd63c2805 100644 --- a/clang/lib/Driver/SanitizerArgs.cpp +++ b/clang/lib/Driver/SanitizerArgs.cpp @@ -1176,6 +1176,17 @@ SanitizerArgs::SanitizerArgs(const ToolChain &TC, options::OPT_fno_sanitize_alloc_token_extended, AllocTokenExtended); } + if (AllAddedKinds & SanitizerKind::Type) { + TysanOutlineInstrumentation = + Args.hasFlag(options::OPT_fsanitize_type_outline_instrumentation, + options::OPT_fno_sanitize_type_outline_instrumentation, + TysanOutlineInstrumentation); + TysanVerifyOutlinedInstrumentation = Args.hasFlag( + options::OPT_fsanitize_type_verify_outlined_instrumentation, + options::OPT_fno_sanitize_type_verify_outlined_instrumentation, + TysanVerifyOutlinedInstrumentation); + } + LinkRuntimes = Args.hasFlag(options::OPT_fsanitize_link_runtime, options::OPT_fno_sanitize_link_runtime, !Args.hasArg(options::OPT_r)); @@ -1500,6 +1511,15 @@ void SanitizerArgs::addArgs(const ToolChain &TC, const llvm::opt::ArgList &Args, CmdArgs.push_back("-asan-instrumentation-with-call-threshold=0"); } + if (TysanOutlineInstrumentation || TysanVerifyOutlinedInstrumentation) { + CmdArgs.push_back("-mllvm"); + CmdArgs.push_back("-tysan-outline-instrumentation"); + } + if (TysanVerifyOutlinedInstrumentation) { + CmdArgs.push_back("-mllvm"); + CmdArgs.push_back("-tysan-verify-outlined-instrumentation"); + } + // When emitting Stable ABI instrumentation, force outlining calls and avoid // inlining shadow memory poisoning. While this is a big performance burden // for now it allows full abstraction from implementation details. diff --git a/clang/test/CodeGen/sanitize-type-outlined.cpp b/clang/test/CodeGen/sanitize-type-outlined.cpp new file mode 100644 index 0000000000000..3c22f15c93d94 --- /dev/null +++ b/clang/test/CodeGen/sanitize-type-outlined.cpp @@ -0,0 +1,23 @@ +// RUN: %clang -S -fsanitize=type -emit-llvm -o - -fsanitize=type %s \ +// RUN: | FileCheck %s --check-prefixes=CHECK-NO-OUTLINE +// RUN: %clang -S -fsanitize=type -emit-llvm -o - -fsanitize=type %s \ +// RUN: -fsanitize-type-outline-instrumentation \ +// RUN: | FileCheck %s --check-prefixes=CHECK-OUTLINE + +// RUN: %clang -S -fsanitize=type -emit-llvm -o - -fsanitize=type %s \ +// RUN: -fsanitize-type-outline-instrumentation \ +// RUN: -fsanitize-type-verify-outlined-instrumentation \ +// RUN: | FileCheck %s --check-prefixes=CHECK-OUTLINE-VERIFY +// RUN: %clang -S -fsanitize=type -emit-llvm -o - -fsanitize=type %s \ +// RUN: -fsanitize-type-verify-outlined-instrumentation \ +// RUN: | FileCheck %s --check-prefixes=CHECK-VERIFY + +// CHECK-NO-OUTLINE-NOT: call{{.*}}@__tysan_instrument_mem_inst +// CHECK-OUTLINE: call{{.*}}@__tysan_instrument_mem_inst +// CHECK-OUTLINE-VERIFY: call{{.*}}@__tysan_instrument_mem_inst +// CHECK-VERIFY: call{{.*}}@__tysan_instrument_mem_inst + +float alias(int *ptr){ + float *aliasedPtr = (float *)ptr; + return *aliasedPtr; +} >From 550b90e217673a2c3300dd10d9f13bb782f3ddc6 Mon Sep 17 00:00:00 2001 From: gbMattN <[email protected]> Date: Mon, 3 Nov 2025 15:06:23 +0000 Subject: [PATCH 2/5] Fix typo in Option.td --- clang/include/clang/Driver/Options.td | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td index adef9a592b55e..b60580fcef1b0 100644 --- a/clang/include/clang/Driver/Options.td +++ b/clang/include/clang/Driver/Options.td @@ -2460,10 +2460,10 @@ def fsanitize_type_outline_instrumentation : Flag<["-"], "fsanitize-type-outline def fno_sanitize_type_outline_instrumentation : Flag<["-"], "fno-sanitize-type-outline-instrumentation">, Group<f_clang_Group>, HelpText<"Use default code inlining logic for the type sanitizer">; -def fsanitize_type_verify_outlined_instrumentation : Flag<["-"], "fsanitize_type_verify_outlined_instrumentation">, +def fsanitize_type_verify_outlined_instrumentation : Flag<["-"], "fsanitize-type-verify-outlined-instrumentation">, Group<f_clang_Group>, HelpText<"Use both inlined and outlined instrumentation for type sanitizer to verify equivilence">; -def fno_sanitize_type_verify_outlined_instrumentation : Flag<["-"], "fno_sanitize_type_verify_outlined_instrumentation">, +def fno_sanitize_type_verify_outlined_instrumentation : Flag<["-"], "fno_sanitize-type-verify-outlined-instrumentation">, Group<f_clang_Group>, HelpText<"Don't use both inlined and outlined instrumentation for type sanitizer to verify equivilence">; defm sanitize_stable_abi >From 817efc13a32ec624482182adb03c74e5583fca15 Mon Sep 17 00:00:00 2001 From: gbMattN <[email protected]> Date: Mon, 3 Nov 2025 15:33:54 +0000 Subject: [PATCH 3/5] Windows doesnt support tysan so unsupport in the test --- clang/test/CodeGen/sanitize-type-outlined.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/clang/test/CodeGen/sanitize-type-outlined.cpp b/clang/test/CodeGen/sanitize-type-outlined.cpp index 3c22f15c93d94..de21b903621fc 100644 --- a/clang/test/CodeGen/sanitize-type-outlined.cpp +++ b/clang/test/CodeGen/sanitize-type-outlined.cpp @@ -1,3 +1,5 @@ +// UNSUPPORTED: target={{.*}}-windows-{{.*}} + // RUN: %clang -S -fsanitize=type -emit-llvm -o - -fsanitize=type %s \ // RUN: | FileCheck %s --check-prefixes=CHECK-NO-OUTLINE // RUN: %clang -S -fsanitize=type -emit-llvm -o - -fsanitize=type %s \ >From 0b71745099e1d36dd97e8b1ee3629f4bb5e067cd Mon Sep 17 00:00:00 2001 From: gbMattN <[email protected]> Date: Mon, 3 Nov 2025 16:29:44 +0000 Subject: [PATCH 4/5] type and test firming --- clang/include/clang/Driver/Options.td | 4 ++-- ...ze-type-outlined.cpp => sanitize-type-outlined.c} | 12 ++++++++---- llvm/docs/ReleaseNotes.md | 2 ++ 3 files changed, 12 insertions(+), 6 deletions(-) rename clang/test/CodeGen/{sanitize-type-outlined.cpp => sanitize-type-outlined.c} (70%) diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td index b60580fcef1b0..6391e9a36ff74 100644 --- a/clang/include/clang/Driver/Options.td +++ b/clang/include/clang/Driver/Options.td @@ -2462,10 +2462,10 @@ def fno_sanitize_type_outline_instrumentation : Flag<["-"], "fno-sanitize-type-o HelpText<"Use default code inlining logic for the type sanitizer">; def fsanitize_type_verify_outlined_instrumentation : Flag<["-"], "fsanitize-type-verify-outlined-instrumentation">, Group<f_clang_Group>, - HelpText<"Use both inlined and outlined instrumentation for type sanitizer to verify equivilence">; + HelpText<"Use both inlined and outlined instrumentation for type sanitizer to verify equivalence">; def fno_sanitize_type_verify_outlined_instrumentation : Flag<["-"], "fno_sanitize-type-verify-outlined-instrumentation">, Group<f_clang_Group>, - HelpText<"Don't use both inlined and outlined instrumentation for type sanitizer to verify equivilence">; + HelpText<"Don't use both inlined and outlined instrumentation for type sanitizer to verify equivalence">; defm sanitize_stable_abi : OptInCC1FFlag<"sanitize-stable-abi", "Stable ", "Conventional ", "ABI instrumentation for sanitizer runtime. Default: Conventional">; diff --git a/clang/test/CodeGen/sanitize-type-outlined.cpp b/clang/test/CodeGen/sanitize-type-outlined.c similarity index 70% rename from clang/test/CodeGen/sanitize-type-outlined.cpp rename to clang/test/CodeGen/sanitize-type-outlined.c index de21b903621fc..9bbd5d519c6a6 100644 --- a/clang/test/CodeGen/sanitize-type-outlined.cpp +++ b/clang/test/CodeGen/sanitize-type-outlined.c @@ -9,17 +9,21 @@ // RUN: %clang -S -fsanitize=type -emit-llvm -o - -fsanitize=type %s \ // RUN: -fsanitize-type-outline-instrumentation \ // RUN: -fsanitize-type-verify-outlined-instrumentation \ -// RUN: | FileCheck %s --check-prefixes=CHECK-OUTLINE-VERIFY +// RUN: | FileCheck %s --check-prefixes=CHECK-OUTLINE // RUN: %clang -S -fsanitize=type -emit-llvm -o - -fsanitize=type %s \ // RUN: -fsanitize-type-verify-outlined-instrumentation \ -// RUN: | FileCheck %s --check-prefixes=CHECK-VERIFY +// RUN: | FileCheck %s --check-prefixes=CHECK-OUTLINE +// CHECK-LABEL: @alias +// CHECK: __tysan_app_memory_mask +// CHECK: __tysan_shadow_memory_address // CHECK-NO-OUTLINE-NOT: call{{.*}}@__tysan_instrument_mem_inst +// CHECK-NO-OUTLINE-NOT: call{{.*}}@__tysan_instrument_with_shadow_update // CHECK-OUTLINE: call{{.*}}@__tysan_instrument_mem_inst -// CHECK-OUTLINE-VERIFY: call{{.*}}@__tysan_instrument_mem_inst -// CHECK-VERIFY: call{{.*}}@__tysan_instrument_mem_inst +// CHECK-OUTLINE: call{{.*}}@__tysan_instrument_with_shadow_update float alias(int *ptr){ float *aliasedPtr = (float *)ptr; + *aliasedPtr *= 2.0f; return *aliasedPtr; } diff --git a/llvm/docs/ReleaseNotes.md b/llvm/docs/ReleaseNotes.md index 49158fb4217b6..47dadd0e07bdc 100644 --- a/llvm/docs/ReleaseNotes.md +++ b/llvm/docs/ReleaseNotes.md @@ -202,6 +202,8 @@ Changes to BOLT Changes to Sanitizers --------------------- +* TypeSanitizer no longer inlines all instrumentation by default. + Other Changes ------------- >From e9cecd6781766d708091f899c7047dad5938a94b Mon Sep 17 00:00:00 2001 From: gbMattN <[email protected]> Date: Mon, 17 Nov 2025 14:24:10 +0000 Subject: [PATCH 5/5] Update docs --- clang/docs/TypeSanitizer.rst | 25 ++++--------------------- 1 file changed, 4 insertions(+), 21 deletions(-) diff --git a/clang/docs/TypeSanitizer.rst b/clang/docs/TypeSanitizer.rst index 6420d9e1d0ebd..9035fe630ff14 100644 --- a/clang/docs/TypeSanitizer.rst +++ b/clang/docs/TypeSanitizer.rst @@ -24,10 +24,6 @@ Typical memory overhead introduced by TypeSanitizer is about **8x**. Runtime slo depending on how often the instrumented code relies on type aliasing. In the best case slowdown is **2x-3x**. -The compiler instrumentation also has an impact on code size and compilation overhead. There is an -experimental :ref:`instrumentation outlining option<outlining_flag>` which can greatly reduce this -but this may decrease runtime performance. - The TypeSanitizer Algorithm =========================== For each TBAA type-access descriptor, encoded in LLVM IR using TBAA Metadata, the instrumentation @@ -132,22 +128,13 @@ references to LLVM IR specific terms. Sanitizer features ================== -.. _outlining_flag: - Instrumentation code outlining ------------------------------ -By default TypeSanitizer inlines the instrumentation code. This leads to increased -binary size and compilation time. Using the clang flag -``-fsanitize-type-outline-instrumentation`` (default: ``false``) -forces all code instrumentation to be outlined. This reduces the size of the -generated code and reduces compile-time overhead, but it also reduces runtime -performance. - -This outlined instrumentation is new. If you wish to verify that the outlined instrumentation -is behaving in the same way as the inline instrumentation, you can force TypeSanitizer -to use both types of instrumentation. You can use the clang flag -``-fsanitize-type-verify-outlined-instrumentation`` (default: ``false``) to do this. +By default TypeSanitizer inserts instrumentation through function calls. This may lead to a reduction in +runtime performance. ``-fno-sanitize-type-outline-instrumentation`` (default: ``false``) forces all +code instrumentation to be inlined. This will increase the size of the generated code and compiler +overhead, but may improve the runtime performance of the resulting code. ``__has_feature(type_sanitizer)`` ------------------------------------ @@ -200,10 +187,6 @@ Limitations shadow memory for each byte of user memory. * There are transformation passes which run before TypeSanitizer. If these passes optimize out an aliasing violation, TypeSanitizer cannot catch it. -* Currently, all instrumentation is inlined. This can result in a **15x** - (on average) increase in generated file size, and **3x** to **7x** increase - in compile time. In some documented cases this can cause the compiler to hang. - There are plans to improve this in the future. * Codebases that use unions and struct-initialized variables can see incorrect results, as TypeSanitizer doesn't yet instrument these reliably. * Since Clang & LLVM's TBAA system is used to generate the checks used by the _______________________________________________ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
