Advances in Software Engineering

Research Article

Tag-Protector: An Effective and Dynamic Detection of Illegal Memory Accesses through Compile Time Code Instrumentation

Listing 7

LLVM-IR code (instrumented with tag-protection pass) for C code presented in Listing 5.

//Dedicated Tag address creation for dangling pointer checks
1: %0 = tail call noalias i8 @malloc(i64 2)
2: store volatile i8 %0, i8 @globaltag, align 8
3: %1 = load volatile i8 @globaltag, align 8
4: store volatile i8 107, i8 %1, align 1
5: %call = tail call noalias i8 @malloc (i64 80) #1
6: %2 = bitcast i8 % call to i8
7: store i8 %2, i8*** @buffer, align 8
//Tag marks creation
8: %3 = ptrtoint i8 %call to i64
9: %add3 = add i64 %3, 80
10: %t_tag4 = inttoptr i64 %add3 to i8
11: store volatile i8 %t_tag4, i8 @buffer_glb_tag_end, align 8
12: %sub5 = add i64 %3, -1
13: %t_a6 = inttoptr i64 %sub5 to i8
14: store volatile i8 %t_a6, i8 @buffer_glb_tag_start, align 8
15: %3 = load i8 @buffer, align 8
16: %arrayidx = getelementptr inbounds i8 %argv, i64 1
17: %4 = load i8 % arrayidx, align 8
//Reading tag mark before "strcpy" function call
18: %fun_load_bf = load volatile i8 @buffer_glb_tag_end, align 8
19: %cmpchek_null= icmp eq i8 %fun_load_bf, null
20: br i1 %cmpchek_null, label %5, label %if.bf_funcall
21: ; <label>:5 ; preds = %if.notUAF, %entry
22: %call1 = tail call i8 @strcpy (i8 %3, i8 %4) #1
//Tag mark value check instructions after "strcpy" function call
23: %load_tagchk_en = load volatile i8 @tagchk_en, align 1
24: %cmp = icmp eq i8 %load_tagchk_en, 1
25: br i1 %cmp, label %if.TagChkEn, label %6
26: ; <label >:6 ; preds = %if.TagChkEn, %5
27: ret i32 0
28: if.bf_funcall:; preds = %entry
29: %load_glbtag = load volatile i8 @globaltag, align 8
30: %cmpcheck= icmp eq i8 %fun_load_bf, %load_glbtag
31: br i1 %cmpcheck, label %abortBB_funheap, label %if.notUAF
32: if.notUAF:; preds = %if.bf_funcall
33: store volatile i8 1, i8 @tagchk_en, align 1
34: %load_t = load volatile i8 %fun_load_bf, align 1
35: store volatile i8 %load_t, i8 @tagval_bfFuncall, align 1
36: br label %5
37: if.TagChkEn:; preds = %5
38: store volatile i8 0, i8 @tagchk_en, align 1
39: %load_bf= load volatile i8 @tagval_bfFuncall, align 1
40: %load_af = load volatile i8 %fun_load_bf, align 1
41: %cmpcheck_tagval = icmp eq i8 %load_bf, %load_af
42: br i1 %cmpcheck_tagval, label %6, label %abortBB_funheap