[BoundsSafety] Implement compiler instrumentation for a soft trap mode

This patch implements a "soft trap mode" for `-fbounds-safety` where
hard traps are replaced with calls to a runtime function. It is assumed
the runtime function can return so code is generated so that execution
can proceed past the "soft trap" (i.e. as if the bounds check passed
even though it didn't). It is expected implementations of the runtime
function log the issue in some way.

The motivation behind this is to provide a smoother path to adopting
`-fbounds-safety` in existing codebases. Using soft trap mode with an
appropriate runtime allows:

* Improved stability of the program because bounds safety violations
  are no longer fatal because execution continues.
* The ability to collect all the soft traps that occurred to get an
  overview of how many issues there are.

Note this patch does not implement the actual runtime itself. This will
be done in a separate patch.

This patch introduces the `-fbounds-safety-soft-traps=` driver and CC1
flag. This allows enabling the soft trap compilation mode. It currently
has two different modes which offer different trade-offs.

* `call_with_str` - This generates calls that pass a constant C string
  describing the reason for trapping. This greatly simplifies logging
  but at the cost of increasing code size because a global string needs
  to be emitted for every "trap reason".
* `call_with_code` - This generates calls that pass an integer constant
  to identify the reason for trapping. This produces better codesize
  than `call_with_str` but the reason for trapping is much less
  descriptive. Currently the integer constant is hard coded to zero
  because we don't currently have a good stable integer representation
  of trap reasons. This will be fixed in rdar://162824128.

We may want to add a third `soft_trap_instruction` option one day that
emits a special trap instruction that uses its immediate to identify
itself as a trap that should be treated as soft by program host (e.g.
the kernel). Implementing that is out-of-scope for this patch because
we'd need a new LLVM IR intrinsic and backend support.

This patch also introduces a new `-fbounds-safety-soft-trap-function=`
CC1 flag. It is not intended users use this flag. This flag is for Clang
driver to communicate to CC1 what the function name should be. Currently
the driver doesn't pass anything so CC1 picks these function names:

* `__bounds_safety_soft_trap_s` for `call_with_str`
* `__bounds_safety_soft_trap_c` for `call_with_code`

As implementations of Bounds Safety soft trap runtimes are brought up
the driver logic will need add support for them. We will likely need
a new driver flag to control which implementation to use (if any).

The soft trap function names and API are defined in a new header
(`bounds_safety_soft_traps.h`) that ships with the compiler. Having the
interface defined in header provides several advantages:

* Runtime implementations can include the header to check they conform
  to the current interface which might evolve over time.
* It provides an explicit interface that runtime implementers can
  implement. In contrast `-ftrap-function` has an implicit interface
  that basically can't be evolved without causing a silent ABI break.

Note this implementation deliberately doesn't re-use `-ftrap-function`
and `-ftrap-function-returns` so that these features can be used
independently. In particular it allows using `-fbounds-safety` in soft
trap mode with trapping UBSan in any mode (see test cases).

Note this implementation continues to deliberately use "trap reasons".
This is the compiler feature where artificial inline frames are added to
debug info on traps to describe the reason for trapping. This means the
string representation for reason from trapping is still available in the
`call_with_code` case provided debug information is available. This can
be seen the in the LLDB tests added. This does mean that technically
there is some redundancy here (trap reasons passed as arguments and in
the debug info) but this is intentional because it means in the
`call_with_str` case without debug info can still do a good job of
logging problems.

rdar://158088757
(cherry picked from commit c49eb6e)

Author: delcypher

clang/include/clang/Basic/CodeGenOptions.def

@@ -339,6 +339,8 @@ CODEGENOPT(BoundsSafetyUniqueTraps, 1, 0, Benign) ///< When true, merging of
                                                   /// prevented.
 
 ENUM_CODEGENOPT(BoundsSafetyDebugTrapReasons, SanitizeDebugTrapReasonKind, 2, SanitizeDebugTrapReasonKind::Detailed, Benign) ///< Control how "trap reasons" are emitted in debug info
+
+ENUM_CODEGENOPT(BoundsSafetyTrapMode, BoundsSafetyTrapModeKind, 2, BoundsSafetyTrapModeKind::Hard, Benign) ///< Control how BoundsSafety traps are emitted
 /* TO_UPSTREAM(BoundsSafety) OFF*/
 
 /// Treat loops as finite: language, always, never.

clang/include/clang/Basic/CodeGenOptions.h

@@ -188,6 +188,24 @@ class CodeGenOptions : public CodeGenOptionsBase {
               ///< larger debug info than `Basic`.
   };
 
+  /* TO_UPSTREAM(BoundsSafety) ON*/
+  enum class BoundsSafetyTrapModeKind {
+    Hard,                   ///< Emit a fatal trap instruction (default).
+    SoftCallWithTrapString, ///< Emit a non-fatal call. The call
+                            ///< is passed a string description of the failed
+                            ///< bounds check.
+    SoftCallWithTrapCode,   ///< Emit a non-fatal call. The call
+                            ///< is passed an integer describing the failed
+                            ///< bounds check.
+  };
+
+  /// The name of the function to call for BoundsSafety soft traps. This is used
+  /// with `BoundsSafetyTrapModeKind::SoftCallWithTrapString` and
+  // `BoundsSafetyTrapModeKind::SoftCallWithTrapCode`.
+  std::string BoundsSafetySoftTrapFuncName;
+
+  /* TO_UPSTREAM(BoundsSafety) OFF*/
+
   /// The code model to use (-mcmodel).
   std::string CodeModel;
 

clang/include/clang/Driver/Options.td

@@ -2059,6 +2059,32 @@ def fbounds_safety_debug_trap_reasons_EQ
     NormalizedValues<["None", "Basic", "Detailed"]>,
     MarshallingInfoEnum<CodeGenOpts<"BoundsSafetyDebugTrapReasons">, "Detailed">;
 
+def fbounds_safety_soft_traps_EQ
+  : Joined<["-"], "fbounds-safety-soft-traps=">, Group<f_Group>,
+    Visibility<[ClangOption, CC1Option]>,
+    HelpText<"Enables soft traps which causes the compiler to emit a non-fatal "
+      "instruction sequence when a bounds check fails. After this instruction "
+      "sequence execution resumes as if the bounds check had succeeded."
+      "For `call-with-*` modes see 'bounds_safety_soft_traps.h' for the runtime"
+      " function interface. This option supports the following modes: "
+      "`none` - No soft traps, i.e. use hard traps (default)."
+      "`call-with-str` - Emit a call to a runtime function that receives the "
+      "trap reason as a string."
+      "`call-with-code` - Emit a call to a runtime function that receives an "
+      "integer describing the trap reason. This is better for codesize than "
+      "`call-with-str` but is harder to debug if debug info is missing.">,
+    Values<"none,call-with-str,call-with-code">,
+    NormalizedValuesScope<"CodeGenOptions::BoundsSafetyTrapModeKind">,
+    NormalizedValues<["Hard", "SoftCallWithTrapString", "SoftCallWithTrapCode"]>,
+    MarshallingInfoEnum<CodeGenOpts<"BoundsSafetyTrapMode">, "Hard">;
+
+def fbounds_safety_soft_trap_function_EQ : Joined<["-"],
+  "fbounds-safety-soft-trap-function=">,
+  Group<f_Group>, Visibility<[CC1Option]>,
+  HelpText<"Set the name of the BoundsSafety soft trap function. See the "
+  "'bounds_safety_soft_traps.h' file for the API of this function.">,
+  MarshallingInfoString<CodeGenOpts<"BoundsSafetySoftTrapFuncName">>;
+
 // TO_UPSTREAM(BoundsSafety) OFF
 
 defm lifetime_safety : BoolFOption<

clang/lib/CodeGen/CGExpr.cpp

@@ -4658,7 +4658,9 @@ void CodeGenFunction::EmitTrapCheck(llvm::Value *Checked,
   llvm::MDBuilder MDHelper(getLLVMContext());
 
   /*TO_UPSTREAM(BoundsSafety) ON*/
-  NoMerge |= CGM.getCodeGenOpts().TrapFuncReturns;
+  NoMerge |= CGM.getCodeGenOpts().TrapFuncReturns ||
+             CGM.getCodeGenOpts().getBoundsSafetyTrapMode() !=
+                 CodeGenOptions::BoundsSafetyTrapModeKind::Hard;
   /*TO_UPSTREAM(BoundsSafety) OFF*/
 
   if (TrapBB && !NoMerge) {
@@ -4700,7 +4702,45 @@ void CodeGenFunction::EmitTrapCheck(llvm::Value *Checked,
     /*TO_UPSTREAM(BoundsSafety) ON*/
     ApplyDebugLocation applyTrapDI(*this, TrapLocation);
     llvm::CallInst *TrapCall = nullptr;
-    if (CGM.getCodeGenOpts().TrapFuncReturns) {
+    if (CGM.getCodeGenOpts().getBoundsSafetyTrapMode() !=
+            CodeGenOptions::BoundsSafetyTrapModeKind::Hard &&
+        CheckHandlerID == SanitizerHandler::BoundsSafety) {
+      // BoundsSafety soft-trap mode. This takes prescendence over
+      // `-ftrap-function-returns`. Note: Make sure to bump
+      // `__CLANG_BOUNDS_SAFETY_SOFT_TRAP_API_VERSION` and adjust the interface
+      // in `bounds_safety_soft_traps.h` if the API is changed.
+      llvm::FunctionType *FnType = nullptr;
+      llvm::Constant *SoftTrapCallArg = nullptr;
+      // Emit calls to one of the interfaces defined in
+      // `bounds_safety_soft_traps.h`
+      switch (CGM.getCodeGenOpts().getBoundsSafetyTrapMode()) {
+      case CodeGenOptions::BoundsSafetyTrapModeKind::SoftCallWithTrapCode: {
+        // void __bounds_safety_soft_trap_c(uint16_t);
+        // TODO: Set correct value from the `TrapReason` object
+        // (rdar://162824128).
+        SoftTrapCallArg = llvm::ConstantInt::get(CGM.Int16Ty, 0);
+        break;
+      }
+      case CodeGenOptions::BoundsSafetyTrapModeKind::SoftCallWithTrapString: {
+        // void __bounds_safety_soft_trap_s(const char*);
+        if (!TrapMessage.empty()) {
+          SoftTrapCallArg =
+              CGM.GetOrCreateGlobalStr(TrapMessage, Builder, "trap.reason");
+        } else {
+          SoftTrapCallArg = llvm::Constant::getNullValue(CGM.Int8PtrTy);
+        }
+        break;
+      }
+      default:
+        llvm_unreachable("Unhandled BoundsSafetyTrapMode");
+      }
+      FnType = llvm::FunctionType::get(CGM.VoidTy, {SoftTrapCallArg->getType()},
+                                       false);
+      auto TrapFunc = CGM.CreateRuntimeFunction(
+          FnType, CGM.getCodeGenOpts().BoundsSafetySoftTrapFuncName);
+      TrapCall = EmitNounwindRuntimeCall(TrapFunc, {SoftTrapCallArg});
+      Builder.CreateBr(Cont);
+    } else if (CGM.getCodeGenOpts().TrapFuncReturns) {
       auto *TrapID = llvm::ConstantInt::get(CGM.Int8Ty, CheckHandlerID);
       llvm::FunctionType *FnType =
         llvm::FunctionType::get(CGM.VoidTy, {TrapID->getType()}, false);

clang/lib/CodeGen/CodeGenModule.cpp

@@ -5413,6 +5413,23 @@ CodeGenModule::GetAddrOfGlobal(GlobalDecl GD, ForDefinition_t IsForDefinition) {
   return GetAddrOfGlobalVar(cast<VarDecl>(D), /*Ty=*/nullptr, IsForDefinition);
 }
 
+/*TO_UPSTREAM(BoundsSafety) ON*/
+llvm::Constant *CodeGenModule::GetOrCreateGlobalStr(StringRef Value,
+                                                    CGBuilderTy &Builder,
+                                                    const Twine &Name) {
+  auto globalStrIt = CachedGlobalStrings.find(Value);
+  if (globalStrIt != CachedGlobalStrings.end()) {
+    return globalStrIt->second;
+  }
+
+  llvm::GlobalVariable *GlobalStringArr =
+      Builder.CreateGlobalString(Value, Name);
+
+  CachedGlobalStrings[Value] = GlobalStringArr;
+  return GlobalStringArr;
+}
+/*TO_UPSTREAM(BoundsSafety) OFF*/
+
 llvm::GlobalVariable *CodeGenModule::CreateOrReplaceCXXRuntimeVariable(
     StringRef Name, llvm::Type *Ty, llvm::GlobalValue::LinkageTypes Linkage,
     llvm::Align Alignment) {

clang/lib/CodeGen/CodeGenModule.h

@@ -689,6 +689,10 @@ class CodeGenModule : public CodeGenTypeCache {
   // The list is sorted for binary-searching.
   std::vector<std::string> MSHotPatchFunctions;
 
+  /* TO_UPSTREAM(BoundsSafety) ON*/
+  llvm::StringMap<llvm::Constant *> CachedGlobalStrings;
+  /* TO_UPSTREAM(BoundsSafety) OFF*/
+
 public:
   CodeGenModule(ASTContext &C, IntrusiveRefCntPtr<llvm::vfs::FileSystem> FS,
                 const HeaderSearchOptions &headersearchopts,
@@ -1754,6 +1758,11 @@ class CodeGenModule : public CodeGenTypeCache {
                         const VarDecl *D,
                         ForDefinition_t IsForDefinition = NotForDefinition);
 
+  /* TO_UPSTREAM(BoundsSafety) ON*/
+  llvm::Constant *GetOrCreateGlobalStr(StringRef Value, CGBuilderTy &Builder,
+                                       const Twine &Name = "");
+  /* TO_UPSTREAM(BoundsSafety) OFF*/
+
   // FIXME: Hardcoding priority here is gross.
   void AddGlobalCtor(llvm::Function *Ctor, int Priority = 65535,
                      unsigned LexOrder = ~0U,

clang/lib/Driver/ToolChains/Clang.cpp

@@ -7138,6 +7138,7 @@ void Clang::ConstructJob(Compilation &C, const JobAction &Job,
   }
 
   Args.AddLastArg(CmdArgs, options::OPT_fbounds_safety_debug_trap_reasons_EQ);
+  Args.AddLastArg(CmdArgs, options::OPT_fbounds_safety_soft_traps_EQ);
   /* TO_UPSTREAM(BoundsSafety) OFF*/
 
   // Handle -f[no-]wrapv and -f[no-]strict-overflow, which are used by both

clang/lib/Frontend/CompilerInvocation.cpp

@@ -2598,6 +2598,24 @@ bool CompilerInvocation::ParseCodeGenArgs(CodeGenOptions &Opts, ArgList &Args,
 
   Opts.StaticClosure = Args.hasArg(options::OPT_static_libclosure);
 
+  /* TO_UPSTREAM(BoundsSafety) ON*/
+  if (LangOpts->hasBoundsSafety() &&
+      Opts.BoundsSafetySoftTrapFuncName.empty()) {
+    // Set the default function name if the driver didn't provide one.
+    // Different function names are used for the different ABIs.
+    switch (Opts.getBoundsSafetyTrapMode()) {
+    case CodeGenOptions::BoundsSafetyTrapModeKind::SoftCallWithTrapString:
+      Opts.BoundsSafetySoftTrapFuncName = "__bounds_safety_soft_trap_s";
+      break;
+    case CodeGenOptions::BoundsSafetyTrapModeKind::SoftCallWithTrapCode:
+      Opts.BoundsSafetySoftTrapFuncName = "__bounds_safety_soft_trap_c";
+      break;
+    case CodeGenOptions::BoundsSafetyTrapModeKind::Hard:
+      break;
+    }
+  }
+  /* TO_UPSTREAM(BoundsSafety) OFF*/
+
   return Diags.getNumErrors() == NumErrorsBefore;
 }
 

clang/lib/Headers/CMakeLists.txt

@@ -337,6 +337,7 @@ set(files
 
 # TO_UPSTREAM(BoundsSafety)
 list(APPEND files ptrcheck.h)
+list(APPEND files bounds_safety_soft_traps.h)
 
 # TO_UPSTREAM(Lifetimebound)
 list(APPEND files lifetimebound.h)

clang/lib/Headers/bounds_safety_soft_traps.h

@@ -0,0 +1,48 @@
+/*===---- bounds_safety_soft_traps.h ----------------------------------------===
+ *
+ * Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+ * See https://llvm.org/LICENSE.txt for license information.
+ * SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+ *
+ *===------------------------------------------------------------------------===
+  This file defines the interface used by `-fbounds-safety`'s trap mode. Note
+  this interface isn't yet considered stable
+ *===------------------------------------------------------------------------===
+ */
+
+#ifndef __CLANG_BOUNDS_SAFETY_SOFT_TRAPS_H
+#define __CLANG_BOUNDS_SAFETY_SOFT_TRAPS_H
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/// Macro that defines the current API version. This value can be queried at
+/// compile time to know which interface version the compiler uses.
+#define __CLANG_BOUNDS_SAFETY_SOFT_TRAP_API_VERSION 0
+
+/// Called when a `-fbounds-safety` bounds check fails when building with
+/// `-fbounds-safety-soft-traps=call-with-str`. This function is allowed to
+/// to return.
+///
+/// \param reason A string constant describing the reason for trapping or
+///        NULL.
+void __bounds_safety_soft_trap_s(const char *reason);
+
+// TODO(dliew): Document the `reason_code` values (rdar://162824128)
+
+/// Called when a `-fbounds-safety` bounds check fails when building with
+/// `-fbounds-safety-soft-traps=call-with-code`. This function is allowed to
+/// to return.
+///
+/// \param reason_code. An integer the represents the reason for trapping.
+///        The values are currently not documented but will be in the future.
+///
+void __bounds_safety_soft_trap_c(uint16_t reason_code);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif