From 3ebd1ba64f3d6f1e75f43213c50f0d1bd3902228 Mon Sep 17 00:00:00 2001
From: Gui Andrade <guiand@google.com>
Date: Fri, 31 Jul 2020 18:53:15 +0000
Subject: [PATCH] [MSAN] Instrument freeze instruction by clearing shadow

Freeze always returns a defined value. This also prevents msan from
checking the input shadow, which happened because freeze wasn't
explicitly visited.

Differential Revision: https://reviews.llvm.org/D85040
---
 .../Instrumentation/MemorySanitizer.cpp       |  6 +++++
 .../Instrumentation/MemorySanitizer/freeze.ll | 23 +++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 llvm/test/Instrumentation/MemorySanitizer/freeze.ll

diff --git a/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp b/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
index edde80ce0ee8..0f354c1da490 100644
--- a/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
+++ b/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp
@@ -4068,6 +4068,12 @@ struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
     setOrigin(&I, getCleanOrigin());
   }
 
+  void visitFreezeInst(FreezeInst &I) {
+    // Freeze always returns a fully defined value.
+    setShadow(&I, getCleanShadow(&I));
+    setOrigin(&I, getCleanOrigin());
+  }
+
   void visitInstruction(Instruction &I) {
     // Everything else: stop propagating and check for poisoned shadow.
     if (ClDumpStrictInstructions)
diff --git a/llvm/test/Instrumentation/MemorySanitizer/freeze.ll b/llvm/test/Instrumentation/MemorySanitizer/freeze.ll
new file mode 100644
index 000000000000..4be8d9efd631
--- /dev/null
+++ b/llvm/test/Instrumentation/MemorySanitizer/freeze.ll
@@ -0,0 +1,23 @@
+; RUN: opt < %s -msan-check-access-address=0 -S -passes=msan 2>&1 | FileCheck %s
+; RUN: opt < %s -msan-check-access-address=0 -msan-track-origins=2 -S -passes=msan 2>&1 | FileCheck %s -check-prefixes=CHECK,CHECK-ORIGIN
+; RUN: opt < %s -msan -msan-check-access-address=0 -S | FileCheck %s
+target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
+target triple = "x86_64-unknown-linux-gnu"
+
+define i32 @nofreeze(i32* %ptr) sanitize_memory {
+    ; CHECK-LABEL: @nofreeze
+    %val = load i32, i32* %ptr
+    ; CHECK: [[SHADOW_PTR:%.*]] = inttoptr
+    ; CHECK: [[SHADOW:%.*]] = load i32, i32* [[SHADOW_PTR]]
+    ; CHECK: store i32 [[SHADOW]], {{.*}} @__msan_retval_tls
+    ret i32 %val
+}
+
+define i32 @freeze_inst(i32* %ptr) sanitize_memory {
+    ; CHECK-LABEL: @freeze_inst
+    %val = load i32, i32* %ptr
+    %freeze_val = freeze i32 %val
+    ; CHECK-NOT: __msan_warning
+    ; CHECK: store i32 0, {{.*}} @__msan_retval_tls
+    ret i32 %freeze_val
+}