interproc-basic.s

.intel_syntax noprefix

// Tests for basic inter-procedural analysis: callee initializes a stack argument,
// load-before-call ordering, and store-size mismatch detection.

// RUN: %clang %cflags --target=amd64-unknown-linux-gnu -nostdlib %s -o %t.exe
// RUN: llvm-bolt-binary-analysis -experimental-shrink-wrapping --scanners=stackinit --log-loads-stores %t.exe 2>&1 | tee %t.log


// struct abc {
//     int a;
//     int b;
//     int c;
// };
// __attribute__((noinline)) void other(struct abc* s) { s->a = 123; }
// int f1() {
//     struct abc s;
//     other(&s);
//     return s.a;
// }

// Test: callee initializes the stack argument before the load.
// RUN: not grep "Skipping.* function f_ok" %t.log
// RUN: grep "LOAD-STORE.*function f_ok.*load instruction.*movl.*0xc(%rsp).*%eax.*load range \[-0x14:-0x10).*store instruction.*related function other" %t.log
// RUN: not grep "Read from possibly uninitialized stack location.* function f_ok" %t.log
.globl  f_ok
.type   f_ok,@function
f_ok:
    sub rsp, 0x18
    lea rdi, [rsp + 0xc]
    call other
    mov eax, dword ptr [rsp + 0xc]
    add rsp, 0x18
    ret

// Helper: initializes the first field of the struct argument.
.globl  other
.type   other,@function
other:
    mov dword ptr [rdi], 0x7b
    ret


// Test: late call should not satisfy initialization.
// RUN: not grep "Skipping.* function f_err" %t.log
// RUN: grep "LOAD-STORE.*function f_err.*load instruction.*movl.*0xc(%rsp).*%eax.*load range \[-0x14:-0x10).*not satisfied" %t.log
// RUN: grep "Read from possibly uninitialized stack location.* function f_err at instruction.*movl.*0xc(%rsp).*%eax" %t.log
.globl  f_err
.type   f_err,@function
f_err:
    sub rsp, 0x18
    lea rdi, [rsp + 0xc]
    mov eax, dword ptr [rsp + 0xc]
    // The call occurs after the load, so it must not satisfy initialization.
    call other
    add rsp, 0x18
    ret


// Test: call that doesn't dominate the load should not satisfy initialisation.
// In this test, the call to other (which initialises the load) only executes on
// the path where edi != 0, and not on the path where edi == 0, so the load from
// [rsp + 8] should be reported as uninitialised.
//             ENTRY
//            /     \
//     bb_call        bb_skip
//   (call other)  (no store)
//            \     /
//            bb_load
//       (load from stack)
// RUN: not grep "Skipping.* function test_diamond" %t.log
// RUN: grep "LOAD-STORE.*function test_diamond.*load instruction.*movq 0x8(%rsp).*%rax.*load range \[-0x10:-0x8).*not satisfied" %t.log
// RUN: grep "Read from possibly uninitialized stack location.* function test_diamond at instruction.*movq.*0x8(%rsp).*%rax" %t.log
.globl  test_diamond
.type   test_diamond,@function
test_diamond:
    sub rsp, 0x10
    cmp edi, 0
    je .L_skip

    lea rdi, [rsp + 0x8]
    call other
    jmp .L_join

.L_skip:
    xor r14, r14

.L_join:
    mov rax, [rsp + 0x8]                // Load uninitialised if passing through .L_skip
    add rsp, 0x10
    ret


// Test: callee stores only 4 bytes but the caller performs an 8-byte load.
// The inter-procedural check must not satisfy the load because the callee's
// store does not cover the full load range.
// RUN: not grep "Skipping.* function test_partial_store" %t.log
// RUN: grep "LOAD-STORE.*function test_partial_store.*load instruction.*movq.*0x8(%rsp).*%rax.*load range \[-0x10:-0x8).*not satisfied" %t.log
// RUN: grep "Read from possibly uninitialized stack location (possible initialization in called function init_4b) in function test_partial_store at instruction.*movq.*0x8(%rsp).*%rax" %t.log
.globl  test_partial_store
.type   test_partial_store,@function
test_partial_store:
    sub rsp, 0x10
    lea rdi, [rsp + 0x8]
    call init_4b
    // 8-byte load: must not be satisfied by the 4-byte callee store.
    mov rax, [rsp + 0x8]
    add rsp, 0x10
    ret

// Helper: writes only 4 bytes to [rdi].
.globl  init_4b
.type   init_4b,@function
init_4b:
    mov dword ptr [rdi], 0
    ret