//===- AddressSanitizer.cpp - memory error detector -----------------------===//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file is a part of AddressSanitizer, an address sanity checker.
// Details of the algorithm:
//  https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm
//
//===----------------------------------------------------------------------===//

#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/ADT/SmallPtrSet.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/StringRef.h"
#include "llvm/ADT/Triple.h"
#include "llvm/ADT/Twine.h"
#include "llvm/Analysis/MemoryBuiltins.h"
#include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/Transforms/Utils/Local.h"
#include "llvm/Analysis/ValueTracking.h"
#include "llvm/BinaryFormat/MachO.h"
#include "llvm/IR/Argument.h"
#include "llvm/IR/Attributes.h"
#include "llvm/IR/BasicBlock.h"
#include "llvm/IR/CallSite.h"
#include "llvm/IR/Comdat.h"
#include "llvm/IR/Constant.h"
#include "llvm/IR/Constants.h"
#include "llvm/IR/DIBuilder.h"
#include "llvm/IR/DataLayout.h"
#include "llvm/IR/DebugInfoMetadata.h"
#include "llvm/IR/DebugLoc.h"
#include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/Dominators.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/GlobalAlias.h"
#include "llvm/IR/GlobalValue.h"
#include "llvm/IR/GlobalVariable.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h"
#include "llvm/IR/InstVisitor.h"
#include "llvm/IR/InstrTypes.h"
#include "llvm/IR/Instruction.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/Intrinsics.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/MDBuilder.h"
#include "llvm/IR/Metadata.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Type.h"
#include "llvm/IR/Use.h"
#include "llvm/IR/Value.h"
#include "llvm/MC/MCSectionMachO.h"
#include "llvm/Pass.h"
#include "llvm/Support/Casting.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/ErrorHandling.h"
#include "llvm/Support/MathExtras.h"
#include "llvm/Support/ScopedPrinter.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Transforms/Instrumentation.h"
#include "llvm/Transforms/Utils/ASanStackFrameLayout.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"
#include "llvm/Transforms/Utils/PromoteMemToReg.h"
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <iomanip>
#include <limits>
#include <memory>
#include <sstream>
#include <string>
#include <tuple>

using namespace llvm;

#define DEBUG_TYPE "asan"

static const uint64_t kDefaultShadowScale = 3;
static const uint64_t kDefaultShadowOffset32 = 1ULL << 29;
static const uint64_t kDefaultShadowOffset64 = 1ULL << 44;
static const uint64_t kDynamicShadowSentinel =
    std::numeric_limits<uint64_t>::max();
static const uint64_t kIOSShadowOffset32 = 1ULL << 30;
static const uint64_t kIOSSimShadowOffset32 = 1ULL << 30;
static const uint64_t kIOSSimShadowOffset64 = kDefaultShadowOffset64;
static const uint64_t kSmallX86_64ShadowOffsetBase = 0x7FFFFFFF;  // < 2G.
static const uint64_t kSmallX86_64ShadowOffsetAlignMask = ~0xFFFULL;
static const uint64_t kLinuxKasan_ShadowOffset64 = 0xdffffc0000000000;
static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 44;
static const uint64_t kSystemZ_ShadowOffset64 = 1ULL << 52;
static const uint64_t kMIPS32_ShadowOffset32 = 0x0aaa0000;
static const uint64_t kMIPS64_ShadowOffset64 = 1ULL << 37;
static const uint64_t kAArch64_ShadowOffset64 = 1ULL << 36;
static const uint64_t kFreeBSD_ShadowOffset32 = 1ULL << 30;
static const uint64_t kFreeBSD_ShadowOffset64 = 1ULL << 46;
static const uint64_t kNetBSD_ShadowOffset32 = 1ULL << 30;
static const uint64_t kNetBSD_ShadowOffset64 = 1ULL << 46;
static const uint64_t kNetBSDKasan_ShadowOffset64 = 0xdfff900000000000;
static const uint64_t kPS4CPU_ShadowOffset64 = 1ULL << 40;
static const uint64_t kWindowsShadowOffset32 = 3ULL << 28;

static const uint64_t kMyriadShadowScale = 5;
static const uint64_t kMyriadMemoryOffset32 = 0x80000000ULL;
static const uint64_t kMyriadMemorySize32 = 0x20000000ULL;
static const uint64_t kMyriadTagShift = 29;
static const uint64_t kMyriadDDRTag = 4;
static const uint64_t kMyriadCacheBitMask32 = 0x40000000ULL;

// The shadow memory space is dynamically allocated.
static const uint64_t kWindowsShadowOffset64 = kDynamicShadowSentinel;

static const size_t kMinStackMallocSize = 1 << 6;   // 64B
static const size_t kMaxStackMallocSize = 1 << 16;  // 64K
static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3;
static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E;

static const char *const kAsanModuleCtorName = "asan.module_ctor";
static const char *const kAsanModuleDtorName = "asan.module_dtor";
static const uint64_t kAsanCtorAndDtorPriority = 1;
static const char *const kAsanReportErrorTemplate = "__asan_report_";
static const char *const kAsanRegisterGlobalsName = "__asan_register_globals";
static const char *const kAsanUnregisterGlobalsName =
    "__asan_unregister_globals";
static const char *const kAsanRegisterImageGlobalsName =
    "__asan_register_image_globals";
static const char *const kAsanUnregisterImageGlobalsName =
    "__asan_unregister_image_globals";
static const char *const kAsanRegisterElfGlobalsName =
    "__asan_register_elf_globals";
static const char *const kAsanUnregisterElfGlobalsName =
    "__asan_unregister_elf_globals";
static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init";
static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init";
static const char *const kAsanInitName = "__asan_init";
static const char *const kAsanVersionCheckNamePrefix =
    "__asan_version_mismatch_check_v";
static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp";
static const char *const kAsanPtrSub = "__sanitizer_ptr_sub";
static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return";
static const int kMaxAsanStackMallocSizeClass = 10;
static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_";
static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_";
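// Illustrative note (based on the constants above and the usual ASan runtime
// convention, not restated elsewhere in this file): the numeric suffix
// appended to these templates is a size class in the range
// [0, kMaxAsanStackMallocSizeClass]; class N is assumed to serve fake-stack
// frames of up to kMinStackMallocSize << N bytes, so class 10 corresponds to
// kMaxStackMallocSize (64K).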
static const char *const kAsanGenPrefix = "___asan_gen_";
static const char *const kODRGenPrefix = "__odr_asan_gen_";
static const char *const kSanCovGenPrefix = "__sancov_gen_";
static const char *const kAsanSetShadowPrefix = "__asan_set_shadow_";
static const char *const kAsanPoisonStackMemoryName =
    "__asan_poison_stack_memory";
static const char *const kAsanUnpoisonStackMemoryName =
    "__asan_unpoison_stack_memory";

// ASan version script has __asan_* wildcard. Triple underscore prevents a
// linker (gold) warning about attempting to export a local symbol.
static const char *const kAsanGlobalsRegisteredFlagName =
    "___asan_globals_registered";

static const char *const kAsanOptionDetectUseAfterReturn =
    "__asan_option_detect_stack_use_after_return";

static const char *const kAsanShadowMemoryDynamicAddress =
    "__asan_shadow_memory_dynamic_address";

static const char *const kAsanAllocaPoison = "__asan_alloca_poison";
static const char *const kAsanAllocasUnpoison = "__asan_allocas_unpoison";

// Access sizes are powers of two: 1, 2, 4, 8, 16.
static const size_t kNumberOfAccessSizes = 5;

static const unsigned kAllocaRzSize = 32;

// Command-line flags.

static cl::opt<bool> ClEnableKasan(
    "asan-kernel", cl::desc("Enable KernelAddressSanitizer instrumentation"),
    cl::Hidden, cl::init(false));

static cl::opt<bool> ClRecover(
    "asan-recover",
    cl::desc("Enable recovery mode (continue-after-error)."),
    cl::Hidden, cl::init(false));

// This flag may need to be replaced with -f[no-]asan-reads.
static cl::opt<bool> ClInstrumentReads("asan-instrument-reads",
                                       cl::desc("instrument read instructions"),
                                       cl::Hidden, cl::init(true));

static cl::opt<bool> ClInstrumentWrites(
    "asan-instrument-writes", cl::desc("instrument write instructions"),
    cl::Hidden, cl::init(true));

static cl::opt<bool> ClInstrumentAtomics(
    "asan-instrument-atomics",
    cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden,
    cl::init(true));

static cl::opt<bool> ClAlwaysSlowPath(
    "asan-always-slow-path",
    cl::desc("use instrumentation with slow path for all accesses"), cl::Hidden,
    cl::init(false));

static cl::opt<bool> ClForceDynamicShadow(
    "asan-force-dynamic-shadow",
    cl::desc("Load shadow address into a local variable for each function"),
    cl::Hidden, cl::init(false));

static cl::opt<bool>
    ClWithIfunc("asan-with-ifunc",
                cl::desc("Access dynamic shadow through an ifunc global on "
                         "platforms that support this"),
                cl::Hidden, cl::init(true));

static cl::opt<bool> ClWithIfuncSuppressRemat(
    "asan-with-ifunc-suppress-remat",
    cl::desc("Suppress rematerialization of dynamic shadow address by passing "
             "it through inline asm in prologue."),
    cl::Hidden, cl::init(true));

// This flag limits the number of instructions to be instrumented
// in any given BB. Normally, this should be set to unlimited (INT_MAX),
// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporarily
// set it to 10000.
static cl::opt<int> ClMaxInsnsToInstrumentPerBB(
    "asan-max-ins-per-bb", cl::init(10000),
    cl::desc("maximal number of instructions to instrument in any given BB"),
    cl::Hidden);

// This flag may need to be replaced with -f[no]asan-stack.
static cl::opt<bool> ClStack("asan-stack", cl::desc("Handle stack memory"),
                             cl::Hidden, cl::init(true));

static cl::opt<uint32_t> ClMaxInlinePoisoningSize(
    "asan-max-inline-poisoning-size",
    cl::desc(
        "Inline shadow poisoning for blocks up to the given size in bytes."),
    cl::Hidden, cl::init(64));

static cl::opt<bool> ClUseAfterReturn("asan-use-after-return",
                                      cl::desc("Check stack-use-after-return"),
                                      cl::Hidden, cl::init(true));

static cl::opt<bool> ClRedzoneByvalArgs("asan-redzone-byval-args",
                                        cl::desc("Create redzones for byval "
                                                 "arguments (extra copy "
                                                 "required)"),
                                        cl::Hidden, cl::init(true));

static cl::opt<bool> ClUseAfterScope("asan-use-after-scope",
                                     cl::desc("Check stack-use-after-scope"),
                                     cl::Hidden, cl::init(false));

// This flag may need to be replaced with -f[no]asan-globals.
static cl::opt<bool> ClGlobals("asan-globals",
                               cl::desc("Handle global objects"), cl::Hidden,
                               cl::init(true));

static cl::opt<bool> ClInitializers("asan-initialization-order",
                                    cl::desc("Handle C++ initializer order"),
                                    cl::Hidden, cl::init(true));

static cl::opt<bool> ClInvalidPointerPairs(
    "asan-detect-invalid-pointer-pair",
    cl::desc("Instrument <, <=, >, >=, - with pointer operands"), cl::Hidden,
    cl::init(false));

static cl::opt<unsigned> ClRealignStack(
    "asan-realign-stack",
    cl::desc("Realign stack to the value of this flag (power of two)"),
    cl::Hidden, cl::init(32));

static cl::opt<int> ClInstrumentationWithCallsThreshold(
    "asan-instrumentation-with-call-threshold",
    cl::desc(
        "If the function being instrumented contains more than "
        "this number of memory accesses, use callbacks instead of "
        "inline checks (-1 means never use callbacks)."),
    cl::Hidden, cl::init(7000));

static cl::opt<std::string> ClMemoryAccessCallbackPrefix(
    "asan-memory-access-callback-prefix",
    cl::desc("Prefix for memory access callbacks"), cl::Hidden,
    cl::init("__asan_"));

static cl::opt<bool>
    ClInstrumentDynamicAllocas("asan-instrument-dynamic-allocas",
                               cl::desc("instrument dynamic allocas"),
                               cl::Hidden, cl::init(true));

static cl::opt<bool> ClSkipPromotableAllocas(
    "asan-skip-promotable-allocas",
    cl::desc("Do not instrument promotable allocas"), cl::Hidden,
    cl::init(true));

// These flags allow changing the shadow mapping.
// The shadow mapping looks like
//    Shadow = (Mem >> scale) + offset

static cl::opt<int> ClMappingScale("asan-mapping-scale",
                                   cl::desc("scale of asan shadow mapping"),
                                   cl::Hidden, cl::init(0));

static cl::opt<unsigned long long> ClMappingOffset(
    "asan-mapping-offset",
    cl::desc("offset of asan shadow mapping [EXPERIMENTAL]"), cl::Hidden,
    cl::init(0));
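// For illustration: with the default Scale (kDefaultShadowScale = 3) the pass
// computes ShadowAddr = (Mem >> 3) + Offset, i.e. one shadow byte per 8
// application bytes. Passing, say,
//   -asan-mapping-scale=4 -asan-mapping-offset=0x40000000
// (example values only) would instead yield ShadowAddr = (Mem >> 4) +
// 0x40000000 and a 16-byte shadow granularity.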
// Optimization flags. Not user visible, used mostly for testing
// and benchmarking the tool.

static cl::opt<bool> ClOpt("asan-opt", cl::desc("Optimize instrumentation"),
                           cl::Hidden, cl::init(true));

static cl::opt<bool> ClOptSameTemp(
    "asan-opt-same-temp", cl::desc("Instrument the same temp just once"),
    cl::Hidden, cl::init(true));

static cl::opt<bool> ClOptGlobals("asan-opt-globals",
                                  cl::desc("Don't instrument scalar globals"),
                                  cl::Hidden, cl::init(true));

static cl::opt<bool> ClOptStack(
    "asan-opt-stack", cl::desc("Don't instrument scalar stack variables"),
    cl::Hidden, cl::init(false));

static cl::opt<bool> ClDynamicAllocaStack(
    "asan-stack-dynamic-alloca",
    cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden,
    cl::init(true));

static cl::opt<uint32_t> ClForceExperiment(
    "asan-force-experiment",
    cl::desc("Force optimization experiment (for testing)"), cl::Hidden,
    cl::init(0));

static cl::opt<bool>
    ClUsePrivateAlias("asan-use-private-alias",
                      cl::desc("Use private aliases for global variables"),
                      cl::Hidden, cl::init(false));

static cl::opt<bool>
    ClUseOdrIndicator("asan-use-odr-indicator",
                      cl::desc("Use odr indicators to improve ODR reporting"),
                      cl::Hidden, cl::init(false));

static cl::opt<bool>
    ClUseGlobalsGC("asan-globals-live-support",
                   cl::desc("Use linker features to support dead "
                            "code stripping of globals"),
                   cl::Hidden, cl::init(true));

// This is on by default even though there is a bug in gold:
// https://sourceware.org/bugzilla/show_bug.cgi?id=19002
static cl::opt<bool>
    ClWithComdat("asan-with-comdat",
                 cl::desc("Place ASan constructors in comdat sections"),
                 cl::Hidden, cl::init(true));

// Debug flags.

static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden,
                            cl::init(0));

static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"),
                                 cl::Hidden, cl::init(0));

static cl::opt<std::string> ClDebugFunc("asan-debug-func", cl::Hidden,
                                        cl::desc("Debug func"));

static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"),
                               cl::Hidden, cl::init(-1));

static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug max inst"),
                               cl::Hidden, cl::init(-1));

STATISTIC(NumInstrumentedReads, "Number of instrumented reads");
STATISTIC(NumInstrumentedWrites, "Number of instrumented writes");
STATISTIC(NumOptimizedAccessesToGlobalVar,
          "Number of optimized accesses to global vars");
STATISTIC(NumOptimizedAccessesToStackVar,
          "Number of optimized accesses to stack vars");

namespace {

/// Frontend-provided metadata for source location.
struct LocationMetadata {
  StringRef Filename;
  int LineNo = 0;
  int ColumnNo = 0;

  LocationMetadata() = default;

  bool empty() const { return Filename.empty(); }

  void parse(MDNode *MDN) {
    assert(MDN->getNumOperands() == 3);
    MDString *DIFilename = cast<MDString>(MDN->getOperand(0));
    Filename = DIFilename->getString();
    LineNo =
        mdconst::extract<ConstantInt>(MDN->getOperand(1))->getLimitedValue();
    ColumnNo =
        mdconst::extract<ConstantInt>(MDN->getOperand(2))->getLimitedValue();
  }
};
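// Sketch of the frontend-emitted input consumed here (operand order follows
// LocationMetadata::parse above and GlobalsMetadata::init below; the exact
// textual form is an illustration): each !llvm.asan.globals entry carries the
// global, a source-location node, a name, an is-dynamically-initialized flag,
// and an is-blacklisted flag, e.g.
//
//   !llvm.asan.globals = !{!0}
//   !0 = !{i32* @g, !1, !"g", i1 false, i1 false}
//   !1 = !{!"test.cpp", i32 3, i32 5}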
/// Frontend-provided metadata for global variables.
class GlobalsMetadata {
public:
  struct Entry {
    LocationMetadata SourceLoc;
    StringRef Name;
    bool IsDynInit = false;
    bool IsBlacklisted = false;

    Entry() = default;
  };

  GlobalsMetadata() = default;

  void reset() {
    inited_ = false;
    Entries.clear();
  }

  void init(Module &M) {
    assert(!inited_);
    inited_ = true;
    NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals");
    if (!Globals) return;
    for (auto MDN : Globals->operands()) {
      // Metadata node contains the global and the fields of "Entry".
      assert(MDN->getNumOperands() == 5);
      auto *V = mdconst::extract_or_null<Constant>(MDN->getOperand(0));
      // The optimizer may optimize away a global entirely.
      if (!V) continue;
      auto *StrippedV = V->stripPointerCasts();
      auto *GV = dyn_cast<GlobalVariable>(StrippedV);
      if (!GV) continue;
      // We can already have an entry for GV if it was merged with another
      // global.
      Entry &E = Entries[GV];
      if (auto *Loc = cast_or_null<MDNode>(MDN->getOperand(1)))
        E.SourceLoc.parse(Loc);
      if (auto *Name = cast_or_null<MDString>(MDN->getOperand(2)))
        E.Name = Name->getString();
      ConstantInt *IsDynInit =
          mdconst::extract<ConstantInt>(MDN->getOperand(3));
      E.IsDynInit |= IsDynInit->isOne();
      ConstantInt *IsBlacklisted =
          mdconst::extract<ConstantInt>(MDN->getOperand(4));
      E.IsBlacklisted |= IsBlacklisted->isOne();
    }
  }

  /// Returns metadata entry for a given global.
  Entry get(GlobalVariable *G) const {
    auto Pos = Entries.find(G);
    return (Pos != Entries.end()) ? Pos->second : Entry();
  }

private:
  bool inited_ = false;
  DenseMap<GlobalVariable *, Entry> Entries;
};

/// This struct defines the shadow mapping using the rule:
///   shadow = (mem >> Scale) ADD-or-OR Offset.
/// If InGlobal is true, then
///   extern char __asan_shadow[];
///   shadow = (mem >> Scale) + &__asan_shadow
struct ShadowMapping {
  int Scale;
  uint64_t Offset;
  bool OrShadowOffset;
  bool InGlobal;
};

} // end anonymous namespace

static ShadowMapping getShadowMapping(Triple &TargetTriple, int LongSize,
                                      bool IsKasan) {
  bool IsAndroid = TargetTriple.isAndroid();
  bool IsIOS = TargetTriple.isiOS() || TargetTriple.isWatchOS();
  bool IsFreeBSD = TargetTriple.isOSFreeBSD();
  bool IsNetBSD = TargetTriple.isOSNetBSD();
  bool IsPS4CPU = TargetTriple.isPS4CPU();
  bool IsLinux = TargetTriple.isOSLinux();
  bool IsPPC64 = TargetTriple.getArch() == Triple::ppc64 ||
                 TargetTriple.getArch() == Triple::ppc64le;
  bool IsSystemZ = TargetTriple.getArch() == Triple::systemz;
  bool IsX86 = TargetTriple.getArch() == Triple::x86;
  bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64;
  bool IsMIPS32 = TargetTriple.isMIPS32();
  bool IsMIPS64 = TargetTriple.isMIPS64();
  bool IsArmOrThumb = TargetTriple.isARM() || TargetTriple.isThumb();
  bool IsAArch64 = TargetTriple.getArch() == Triple::aarch64;
  bool IsWindows = TargetTriple.isOSWindows();
  bool IsFuchsia = TargetTriple.isOSFuchsia();
  bool IsMyriad = TargetTriple.getVendor() == llvm::Triple::Myriad;

  ShadowMapping Mapping;
  Mapping.Scale = IsMyriad ? kMyriadShadowScale : kDefaultShadowScale;
  if (ClMappingScale.getNumOccurrences() > 0) {
    Mapping.Scale = ClMappingScale;
  }

  if (LongSize == 32) {
    if (IsAndroid)
      Mapping.Offset = kDynamicShadowSentinel;
    else if (IsMIPS32)
      Mapping.Offset = kMIPS32_ShadowOffset32;
    else if (IsFreeBSD)
      Mapping.Offset = kFreeBSD_ShadowOffset32;
    else if (IsNetBSD)
      Mapping.Offset = kNetBSD_ShadowOffset32;
    else if (IsIOS)
      // If we're targeting iOS and x86, the binary is built for iOS simulator.
      Mapping.Offset = IsX86 ? kIOSSimShadowOffset32 : kIOSShadowOffset32;
    else if (IsWindows)
      Mapping.Offset = kWindowsShadowOffset32;
    else if (IsMyriad) {
      uint64_t ShadowOffset = (kMyriadMemoryOffset32 + kMyriadMemorySize32 -
                               (kMyriadMemorySize32 >> Mapping.Scale));
      Mapping.Offset = ShadowOffset - (kMyriadMemoryOffset32 >> Mapping.Scale);
    } else
      Mapping.Offset = kDefaultShadowOffset32;
  } else {  // LongSize == 64
    // Fuchsia is always PIE, which means that the beginning of the address
    // space is always available.
    if (IsFuchsia)
      Mapping.Offset = 0;
    else if (IsPPC64)
      Mapping.Offset = kPPC64_ShadowOffset64;
    else if (IsSystemZ)
      Mapping.Offset = kSystemZ_ShadowOffset64;
    else if (IsFreeBSD && !IsMIPS64)
      Mapping.Offset = kFreeBSD_ShadowOffset64;
    else if (IsNetBSD) {
      if (IsKasan)
        Mapping.Offset = kNetBSDKasan_ShadowOffset64;
      else
        Mapping.Offset = kNetBSD_ShadowOffset64;
    } else if (IsPS4CPU)
      Mapping.Offset = kPS4CPU_ShadowOffset64;
    else if (IsLinux && IsX86_64) {
      if (IsKasan)
        Mapping.Offset = kLinuxKasan_ShadowOffset64;
      else
        Mapping.Offset = (kSmallX86_64ShadowOffsetBase &
                          (kSmallX86_64ShadowOffsetAlignMask << Mapping.Scale));
    } else if (IsWindows && IsX86_64) {
      Mapping.Offset = kWindowsShadowOffset64;
    } else if (IsMIPS64)
      Mapping.Offset = kMIPS64_ShadowOffset64;
    else if (IsIOS)
      // If we're targeting iOS and x86, the binary is built for iOS simulator.
      // We use a dynamic shadow offset on 64-bit devices.
      Mapping.Offset =
          IsX86_64 ? kIOSSimShadowOffset64 : kDynamicShadowSentinel;
    else if (IsAArch64)
      Mapping.Offset = kAArch64_ShadowOffset64;
    else
      Mapping.Offset = kDefaultShadowOffset64;
  }

  if (ClForceDynamicShadow) {
    Mapping.Offset = kDynamicShadowSentinel;
  }

  if (ClMappingOffset.getNumOccurrences() > 0) {
    Mapping.Offset = ClMappingOffset;
  }

  // OR-ing the shadow offset is more efficient (at least on x86) when the
  // offset is a power of two, but on ppc64 we have to use add since the
  // shadow offset is not necessarily 1/8-th of the address space. On SystemZ,
  // we could OR the constant in a single instruction, but it's more
  // efficient to load it once and use indexed addressing.
  Mapping.OrShadowOffset = !IsAArch64 && !IsPPC64 && !IsSystemZ && !IsPS4CPU &&
                           !(Mapping.Offset & (Mapping.Offset - 1)) &&
                           Mapping.Offset != kDynamicShadowSentinel;
  bool IsAndroidWithIfuncSupport =
      IsAndroid && !TargetTriple.isAndroidVersionLT(21);
  Mapping.InGlobal = ClWithIfunc && IsAndroidWithIfuncSupport && IsArmOrThumb;

  return Mapping;
}
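// Worked example (illustrative): on Linux x86_64 without kasan and with the
// default Scale of 3, the expression above evaluates to
//   Offset = 0x7FFFFFFF & (~0xFFFULL << 3) = 0x7fff8000,
// so shadow = (Mem >> 3) + 0x7fff8000; OrShadowOffset stays false there
// because 0x7fff8000 is not a power of two.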
static size_t RedzoneSizeForScale(int MappingScale) {
  // Redzone used for stack and globals is at least 32 bytes.
  // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively.
  return std::max(32U, 1U << MappingScale);
}

namespace {

/// AddressSanitizer: instrument the code in module to find memory bugs.
struct AddressSanitizer : public FunctionPass {
  // Pass identification, replacement for typeid
  static char ID;

  explicit AddressSanitizer(bool CompileKernel = false, bool Recover = false,
                            bool UseAfterScope = false)
      : FunctionPass(ID), UseAfterScope(UseAfterScope || ClUseAfterScope) {
    this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover;
    this->CompileKernel =
        ClEnableKasan.getNumOccurrences() > 0 ? ClEnableKasan : CompileKernel;
    initializeAddressSanitizerPass(*PassRegistry::getPassRegistry());
  }

  StringRef getPassName() const override {
    return "AddressSanitizerFunctionPass";
  }

  void getAnalysisUsage(AnalysisUsage &AU) const override {
    AU.addRequired<DominatorTreeWrapperPass>();
    AU.addRequired<TargetLibraryInfoWrapperPass>();
  }

  uint64_t getAllocaSizeInBytes(const AllocaInst &AI) const {
    uint64_t ArraySize = 1;
    if (AI.isArrayAllocation()) {
      const ConstantInt *CI = dyn_cast<ConstantInt>(AI.getArraySize());
      assert(CI && "non-constant array size");
      ArraySize = CI->getZExtValue();
    }
    Type *Ty = AI.getAllocatedType();
    uint64_t SizeInBytes =
        AI.getModule()->getDataLayout().getTypeAllocSize(Ty);
    return SizeInBytes * ArraySize;
  }
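  // For example (illustrative IR): "%buf = alloca [10 x i32]" yields 40, and
  // the array allocation "%a = alloca i64, i32 16" yields 8 * 16 = 128.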
  /// Check if we want (and can) handle this alloca.
  bool isInterestingAlloca(const AllocaInst &AI);

  /// If it is an interesting memory access, return the PointerOperand
  /// and set IsWrite/Alignment. Otherwise return nullptr.
  /// MaybeMask is an output parameter for the mask Value, if we're looking at a
  /// masked load/store.
  Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite,
                                   uint64_t *TypeSize, unsigned *Alignment,
                                   Value **MaybeMask = nullptr);

  void instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis, Instruction *I,
                     bool UseCalls, const DataLayout &DL);
  void instrumentPointerComparisonOrSubtraction(Instruction *I);
  void instrumentAddress(Instruction *OrigIns, Instruction *InsertBefore,
                         Value *Addr, uint32_t TypeSize, bool IsWrite,
                         Value *SizeArgument, bool UseCalls, uint32_t Exp);
  void instrumentUnusualSizeOrAlignment(Instruction *I,
                                        Instruction *InsertBefore, Value *Addr,
                                        uint32_t TypeSize, bool IsWrite,
                                        Value *SizeArgument, bool UseCalls,
                                        uint32_t Exp);
  Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong,
                           Value *ShadowValue, uint32_t TypeSize);
  Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr,
                                 bool IsWrite, size_t AccessSizeIndex,
                                 Value *SizeArgument, uint32_t Exp);
  void instrumentMemIntrinsic(MemIntrinsic *MI);
  Value *memToShadow(Value *Shadow, IRBuilder<> &IRB);
  bool runOnFunction(Function &F) override;
  bool maybeInsertAsanInitAtFunctionEntry(Function &F);
  void maybeInsertDynamicShadowAtFunctionEntry(Function &F);
  void markEscapedLocalAllocas(Function &F);
  bool doInitialization(Module &M) override;
  bool doFinalization(Module &M) override;

  DominatorTree &getDominatorTree() const { return *DT; }

private:
  friend struct FunctionStackPoisoner;

  void initializeCallbacks(Module &M);

  bool LooksLikeCodeInBug11395(Instruction *I);
  bool GlobalIsLinkerInitialized(GlobalVariable *G);
  bool isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, Value *Addr,
                    uint64_t TypeSize) const;

  /// Helper to clean up per-function state.
  struct FunctionStateRAII {
    AddressSanitizer *Pass;

    FunctionStateRAII(AddressSanitizer *Pass) : Pass(Pass) {
      assert(Pass->ProcessedAllocas.empty() &&
             "last pass forgot to clear cache");
      assert(!Pass->LocalDynamicShadow);
    }

    ~FunctionStateRAII() {
      Pass->LocalDynamicShadow = nullptr;
      Pass->ProcessedAllocas.clear();
    }
  };

  LLVMContext *C;
  Triple TargetTriple;
  int LongSize;
  bool CompileKernel;
  bool Recover;
  bool UseAfterScope;
  Type *IntptrTy;
  ShadowMapping Mapping;
  DominatorTree *DT;
  Function *AsanHandleNoReturnFunc;
  Function *AsanPtrCmpFunction, *AsanPtrSubFunction;
  Constant *AsanShadowGlobal;

  // These arrays are indexed by AccessIsWrite, Experiment and log2(AccessSize).
  Function *AsanErrorCallback[2][2][kNumberOfAccessSizes];
  Function *AsanMemoryAccessCallback[2][2][kNumberOfAccessSizes];

  // These arrays are indexed by AccessIsWrite and Experiment.
  Function *AsanErrorCallbackSized[2][2];
  Function *AsanMemoryAccessCallbackSized[2][2];

  Function *AsanMemmove, *AsanMemcpy, *AsanMemset;
  InlineAsm *EmptyAsm;
  Value *LocalDynamicShadow = nullptr;
  GlobalsMetadata GlobalsMD;
  DenseMap<const AllocaInst *, bool> ProcessedAllocas;
};

class AddressSanitizerModule : public ModulePass {
public:
  // Pass identification, replacement for typeid
  static char ID;

  explicit AddressSanitizerModule(bool CompileKernel = false,
                                  bool Recover = false,
                                  bool UseGlobalsGC = true,
                                  bool UseOdrIndicator = false)
      : ModulePass(ID), UseGlobalsGC(UseGlobalsGC && ClUseGlobalsGC),
        // Enable aliases as they should have no downside with ODR indicators.
        UsePrivateAlias(UseOdrIndicator || ClUsePrivateAlias),
        UseOdrIndicator(UseOdrIndicator || ClUseOdrIndicator),
        // Not a typo: ClWithComdat is almost completely pointless without
        // ClUseGlobalsGC (because then it only works on modules without
        // globals, which are rare); it is a prerequisite for ClUseGlobalsGC;
        // and both suffer from gold PR19002 for which the UseGlobalsGC
        // constructor argument is designed as a workaround. Therefore, disable
        // both ClWithComdat and ClUseGlobalsGC unless the frontend says it's
        // ok to do globals-gc.
        UseCtorComdat(UseGlobalsGC && ClWithComdat) {
    this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover;
    this->CompileKernel =
        ClEnableKasan.getNumOccurrences() > 0 ? ClEnableKasan : CompileKernel;
  }

  bool runOnModule(Module &M) override;
  StringRef getPassName() const override { return "AddressSanitizerModule"; }

private:
  void initializeCallbacks(Module &M);

  bool InstrumentGlobals(IRBuilder<> &IRB, Module &M, bool *CtorComdat);
  void InstrumentGlobalsCOFF(IRBuilder<> &IRB, Module &M,
                             ArrayRef<GlobalVariable *> ExtendedGlobals,
                             ArrayRef<Constant *> MetadataInitializers);
  void InstrumentGlobalsELF(IRBuilder<> &IRB, Module &M,
                            ArrayRef<GlobalVariable *> ExtendedGlobals,
                            ArrayRef<Constant *> MetadataInitializers,
                            const std::string &UniqueModuleId);
  void InstrumentGlobalsMachO(IRBuilder<> &IRB, Module &M,
                              ArrayRef<GlobalVariable *> ExtendedGlobals,
                              ArrayRef<Constant *> MetadataInitializers);
  void
  InstrumentGlobalsWithMetadataArray(IRBuilder<> &IRB, Module &M,
                                     ArrayRef<GlobalVariable *> ExtendedGlobals,
                                     ArrayRef<Constant *> MetadataInitializers);

  GlobalVariable *CreateMetadataGlobal(Module &M, Constant *Initializer,
                                       StringRef OriginalName);
  void SetComdatForGlobalMetadata(GlobalVariable *G, GlobalVariable *Metadata,
                                  StringRef InternalSuffix);
  IRBuilder<> CreateAsanModuleDtor(Module &M);

  bool ShouldInstrumentGlobal(GlobalVariable *G);
  bool ShouldUseMachOGlobalsSection() const;
  StringRef getGlobalMetadataSection() const;
  void poisonOneInitializer(Function &GlobalInit, GlobalValue *ModuleName);
  void createInitializerPoisonCalls(Module &M, GlobalValue *ModuleName);
  size_t MinRedzoneSizeForGlobal() const {
    return RedzoneSizeForScale(Mapping.Scale);
  }
  int GetAsanVersion(const Module &M) const;

  GlobalsMetadata GlobalsMD;
  bool CompileKernel;
  bool Recover;
  bool UseGlobalsGC;
  bool UsePrivateAlias;
  bool UseOdrIndicator;
  bool UseCtorComdat;
  Type *IntptrTy;
  LLVMContext *C;
  Triple TargetTriple;
  ShadowMapping Mapping;
  Function *AsanPoisonGlobals;
  Function *AsanUnpoisonGlobals;
  Function *AsanRegisterGlobals;
  Function *AsanUnregisterGlobals;
  Function *AsanRegisterImageGlobals;
  Function *AsanUnregisterImageGlobals;
  Function *AsanRegisterElfGlobals;
  Function *AsanUnregisterElfGlobals;

  Function *AsanCtorFunction = nullptr;
  Function *AsanDtorFunction = nullptr;
};

// Stack poisoning does not play well with exception handling.
// When an exception is thrown, we essentially bypass the code
// that unpoisons the stack. This is why the run-time library has
// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire
// stack in the interceptor. This however does not work inside the
// actual function which catches the exception. Most likely because the
// compiler hoists the load of the shadow value somewhere too high.
// This causes asan to report a non-existing bug on 453.povray.
// It sounds like an LLVM bug.
struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
  Function &F;
  AddressSanitizer &ASan;
  DIBuilder DIB;
  LLVMContext *C;
  Type *IntptrTy;
  Type *IntptrPtrTy;
  ShadowMapping Mapping;

  SmallVector<AllocaInst *, 16> AllocaVec;
  SmallVector<AllocaInst *, 16> StaticAllocasToMoveUp;
  SmallVector<Instruction *, 8> RetVec;
  unsigned StackAlignment;

  Function *AsanStackMallocFunc[kMaxAsanStackMallocSizeClass + 1],
      *AsanStackFreeFunc[kMaxAsanStackMallocSizeClass + 1];
  Function *AsanSetShadowFunc[0x100] = {};
  Function *AsanPoisonStackMemoryFunc, *AsanUnpoisonStackMemoryFunc;
  Function *AsanAllocaPoisonFunc, *AsanAllocasUnpoisonFunc;

  // Stores a place and arguments of poisoning/unpoisoning call for alloca.
  struct AllocaPoisonCall {
    IntrinsicInst *InsBefore;
    AllocaInst *AI;
    uint64_t Size;
    bool DoPoison;
  };
  SmallVector<AllocaPoisonCall, 8> DynamicAllocaPoisonCallVec;
  SmallVector<AllocaPoisonCall, 8> StaticAllocaPoisonCallVec;

  SmallVector<AllocaInst *, 1> DynamicAllocaVec;
  SmallVector<IntrinsicInst *, 1> StackRestoreVec;
  AllocaInst *DynamicAllocaLayout = nullptr;
  IntrinsicInst *LocalEscapeCall = nullptr;

  // Maps a Value to the AllocaInst from which the Value originates.
  using AllocaForValueMapTy = DenseMap<Value *, AllocaInst *>;
  AllocaForValueMapTy AllocaForValue;

  bool HasNonEmptyInlineAsm = false;
  bool HasReturnsTwiceCall = false;
  std::unique_ptr<CallInst> EmptyInlineAsm;

  FunctionStackPoisoner(Function &F, AddressSanitizer &ASan)
      : F(F),
        ASan(ASan),
        DIB(*F.getParent(), /*AllowUnresolved*/ false),
        C(ASan.C),
        IntptrTy(ASan.IntptrTy),
        IntptrPtrTy(PointerType::get(IntptrTy, 0)),
        Mapping(ASan.Mapping),
        StackAlignment(1 << Mapping.Scale),
        EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {}

  bool runOnFunction() {
    if (!ClStack) return false;

    if (ClRedzoneByvalArgs)
      copyArgsPassedByValToAllocas();

    // Collect alloca, ret, lifetime instructions etc.
    for (BasicBlock *BB : depth_first(&F.getEntryBlock())) visit(*BB);

    if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;

    initializeCallbacks(*F.getParent());

    processDynamicAllocas();
    processStaticAllocas();

    if (ClDebugStack) {
      LLVM_DEBUG(dbgs() << F);
    }
    return true;
  }
  // Arguments marked with the "byval" attribute are implicitly copied without
  // using an alloca instruction. To produce redzones for those arguments, we
  // copy them a second time into memory allocated with an alloca instruction.
  void copyArgsPassedByValToAllocas();

  // Finds all Alloca instructions and puts
  // poisoned red zones around all of them.
  // Then unpoisons everything back before the function returns.
  void processStaticAllocas();
  void processDynamicAllocas();

  void createDynamicAllocasInitStorage();

  // ----------------------- Visitors.
  /// Collect all Ret instructions.
  void visitReturnInst(ReturnInst &RI) { RetVec.push_back(&RI); }

  /// Collect all Resume instructions.
  void visitResumeInst(ResumeInst &RI) { RetVec.push_back(&RI); }

  /// Collect all CleanupReturnInst instructions.
  void visitCleanupReturnInst(CleanupReturnInst &CRI) { RetVec.push_back(&CRI); }

  void unpoisonDynamicAllocasBeforeInst(Instruction *InstBefore,
                                        Value *SavedStack) {
    IRBuilder<> IRB(InstBefore);
    Value *DynamicAreaPtr = IRB.CreatePtrToInt(SavedStack, IntptrTy);
    // When we insert __asan_allocas_unpoison before @llvm.stackrestore, we
    // need to adjust the extracted SP to compute the address of the most
    // recent alloca. We have a special @llvm.get.dynamic.area.offset intrinsic
    // for this purpose.
    if (!isa<ReturnInst>(InstBefore)) {
      Function *DynamicAreaOffsetFunc = Intrinsic::getDeclaration(
          InstBefore->getModule(), Intrinsic::get_dynamic_area_offset,
          {IntptrTy});

      Value *DynamicAreaOffset = IRB.CreateCall(DynamicAreaOffsetFunc, {});

      DynamicAreaPtr = IRB.CreateAdd(IRB.CreatePtrToInt(SavedStack, IntptrTy),
                                     DynamicAreaOffset);
    }

    IRB.CreateCall(AsanAllocasUnpoisonFunc,
                   {IRB.CreateLoad(DynamicAllocaLayout), DynamicAreaPtr});
  }

  // Unpoison dynamic allocas redzones.
  void unpoisonDynamicAllocas() {
    for (auto &Ret : RetVec)
      unpoisonDynamicAllocasBeforeInst(Ret, DynamicAllocaLayout);

    for (auto &StackRestoreInst : StackRestoreVec)
      unpoisonDynamicAllocasBeforeInst(StackRestoreInst,
                                       StackRestoreInst->getOperand(0));
  }

  // Deploy and poison redzones around a dynamic alloca call. To do this, we
  // should replace this call with another one with changed parameters and
  // replace all its uses with the new address, so
  //   addr = alloca type, old_size, align
  // is replaced by
  //   new_size = (old_size + additional_size) * sizeof(type)
  //   tmp = alloca i8, new_size, max(align, 32)
  //   addr = tmp + 32 (first 32 bytes are for the left redzone).
  // Additional_size is added to make the new memory allocation contain not
  // only the requested memory, but also the left, partial and right redzones.
  void handleDynamicAllocaCall(AllocaInst *AI);

  /// Collect Alloca instructions we want (and can) handle.
  void visitAllocaInst(AllocaInst &AI) {
    if (!ASan.isInterestingAlloca(AI)) {
      if (AI.isStaticAlloca()) {
        // Skip over allocas that are present *before* the first instrumented
        // alloca, we don't want to move those around.
        if (AllocaVec.empty())
          return;

        StaticAllocasToMoveUp.push_back(&AI);
      }
      return;
    }

    StackAlignment = std::max(StackAlignment, AI.getAlignment());
    if (!AI.isStaticAlloca())
      DynamicAllocaVec.push_back(&AI);
    else
      AllocaVec.push_back(&AI);
  }

  /// Collect lifetime intrinsic calls to check for use-after-scope
  /// errors.
  void visitIntrinsicInst(IntrinsicInst &II) {
    Intrinsic::ID ID = II.getIntrinsicID();
    if (ID == Intrinsic::stackrestore) StackRestoreVec.push_back(&II);
    if (ID == Intrinsic::localescape) LocalEscapeCall = &II;
    if (!ASan.UseAfterScope)
      return;
    if (!II.isLifetimeStartOrEnd())
      return;
    // Found lifetime intrinsic, add ASan instrumentation if necessary.
    ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0));
    // If size argument is undefined, don't do anything.
    if (Size->isMinusOne()) return;
    // Check that size doesn't saturate uint64_t and can
    // be stored in IntptrTy.
    const uint64_t SizeValue = Size->getValue().getLimitedValue();
    if (SizeValue == ~0ULL ||
        !ConstantInt::isValueValidForType(IntptrTy, SizeValue))
      return;
    // Find alloca instruction that corresponds to llvm.lifetime argument.
    AllocaInst *AI = findAllocaForValue(II.getArgOperand(1));
    if (!AI || !ASan.isInterestingAlloca(*AI))
      return;
    bool DoPoison = (ID == Intrinsic::lifetime_end);
    AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison};
    if (AI->isStaticAlloca())
      StaticAllocaPoisonCallVec.push_back(APC);
    else if (ClInstrumentDynamicAllocas)
      DynamicAllocaPoisonCallVec.push_back(APC);
  }

  void visitCallSite(CallSite CS) {
    Instruction *I = CS.getInstruction();
    if (CallInst *CI = dyn_cast<CallInst>(I)) {
      HasNonEmptyInlineAsm |= CI->isInlineAsm() &&
                              !CI->isIdenticalTo(EmptyInlineAsm.get()) &&
                              I != ASan.LocalDynamicShadow;
      HasReturnsTwiceCall |= CI->canReturnTwice();
    }
  }

  // ---------------------- Helpers.
  void initializeCallbacks(Module &M);

  bool doesDominateAllExits(const Instruction *I) const {
    for (auto Ret : RetVec) {
      if (!ASan.getDominatorTree().dominates(I, Ret)) return false;
    }
    return true;
  }

  /// Finds the alloca where the value comes from.
  AllocaInst *findAllocaForValue(Value *V);

  // Copies bytes from ShadowBytes into shadow memory for indexes where
  // ShadowMask is not zero. If ShadowMask[i] is zero, we assume that
  // ShadowBytes[i] is constantly zero and doesn't need to be overwritten.
  void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes,
                    IRBuilder<> &IRB, Value *ShadowBase);
  void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes,
                    size_t Begin, size_t End, IRBuilder<> &IRB,
                    Value *ShadowBase);
  void copyToShadowInline(ArrayRef<uint8_t> ShadowMask,
                          ArrayRef<uint8_t> ShadowBytes, size_t Begin,
                          size_t End, IRBuilder<> &IRB, Value *ShadowBase);

  void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> &IRB, bool DoPoison);

  Value *createAllocaForLayout(IRBuilder<> &IRB, const ASanStackFrameLayout &L,
                               bool Dynamic);
  PHINode *createPHI(IRBuilder<> &IRB, Value *Cond, Value *ValueIfTrue,
                     Instruction *ThenTerm, Value *ValueIfFalse);
};

} // end anonymous namespace

char AddressSanitizer::ID = 0;

INITIALIZE_PASS_BEGIN(
    AddressSanitizer, "asan",
    "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,
    false)
INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)
INITIALIZE_PASS_END(
    AddressSanitizer, "asan",
    "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,
    false)

FunctionPass *llvm::createAddressSanitizerFunctionPass(bool CompileKernel,
                                                       bool Recover,
                                                       bool UseAfterScope) {
  assert(!CompileKernel || Recover);
  return new AddressSanitizer(CompileKernel, Recover, UseAfterScope);
}

char AddressSanitizerModule::ID = 0;

INITIALIZE_PASS(
    AddressSanitizerModule, "asan-module",
    "AddressSanitizer: detects use-after-free and out-of-bounds bugs."
    "ModulePass",
    false, false)

ModulePass *llvm::createAddressSanitizerModulePass(bool CompileKernel,
                                                   bool Recover,
                                                   bool UseGlobalsGC,
                                                   bool UseOdrIndicator) {
  assert(!CompileKernel || Recover);
  return new AddressSanitizerModule(CompileKernel, Recover, UseGlobalsGC,
                                    UseOdrIndicator);
}

static size_t TypeSizeToSizeIndex(uint32_t TypeSize) {
  size_t Res = countTrailingZeros(TypeSize / 8);
  assert(Res < kNumberOfAccessSizes);
  return Res;
}
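// For example: TypeSizeToSizeIndex(8) == 0, (16) == 1, (32) == 2, (64) == 3,
// and (128) == 4, matching the kNumberOfAccessSizes slots used for the
// per-size __asan_report_* and memory-access callbacks.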
/// Create a global describing a source location.
static GlobalVariable *createPrivateGlobalForSourceLoc(Module &M,
                                                       LocationMetadata MD) {
  Constant *LocData[] = {
      createPrivateGlobalForString(M, MD.Filename, true, kAsanGenPrefix),
      ConstantInt::get(Type::getInt32Ty(M.getContext()), MD.LineNo),
      ConstantInt::get(Type::getInt32Ty(M.getContext()), MD.ColumnNo),
  };
  auto LocStruct = ConstantStruct::getAnon(LocData);
  auto GV = new GlobalVariable(M, LocStruct->getType(), true,
                               GlobalValue::PrivateLinkage, LocStruct,
                               kAsanGenPrefix);
  GV->setUnnamedAddr(GlobalValue::UnnamedAddr::Global);
  return GV;
}

/// Check if \p G has been created by a trusted compiler pass.
static bool GlobalWasGeneratedByCompiler(GlobalVariable *G) {
  // Do not instrument @llvm.global_ctors, @llvm.used, etc.
  if (G->getName().startswith("llvm."))
    return true;

  // Do not instrument asan globals.
  if (G->getName().startswith(kAsanGenPrefix) ||
      G->getName().startswith(kSanCovGenPrefix) ||
      G->getName().startswith(kODRGenPrefix))
    return true;

  // Do not instrument gcov counter arrays.
  if (G->getName() == "__llvm_gcov_ctr")
    return true;

  return false;
}

Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) {
  // Shadow >> scale
  Shadow = IRB.CreateLShr(Shadow, Mapping.Scale);
  if (Mapping.Offset == 0) return Shadow;
  // (Shadow >> scale) | offset
  Value *ShadowBase;
  if (LocalDynamicShadow)
    ShadowBase = LocalDynamicShadow;
  else
    ShadowBase = ConstantInt::get(IntptrTy, Mapping.Offset);
  if (Mapping.OrShadowOffset)
    return IRB.CreateOr(Shadow, ShadowBase);
  else
    return IRB.CreateAdd(Shadow, ShadowBase);
}

// Instrument memset/memmove/memcpy
void AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) {
  IRBuilder<> IRB(MI);
  if (isa<MemTransferInst>(MI)) {
    IRB.CreateCall(
        isa<MemMoveInst>(MI) ? AsanMemmove : AsanMemcpy,
        {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()),
         IRB.CreatePointerCast(MI->getOperand(1), IRB.getInt8PtrTy()),
         IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)});
  } else if (isa<MemSetInst>(MI)) {
    IRB.CreateCall(
        AsanMemset,
        {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()),
         IRB.CreateIntCast(MI->getOperand(1), IRB.getInt32Ty(), false),
         IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)});
  }
  MI->eraseFromParent();
}

/// Check if we want (and can) handle this alloca.
bool AddressSanitizer::isInterestingAlloca(const AllocaInst &AI) {
  auto PreviouslySeenAllocaInfo = ProcessedAllocas.find(&AI);

  if (PreviouslySeenAllocaInfo != ProcessedAllocas.end())
    return PreviouslySeenAllocaInfo->getSecond();

  bool IsInteresting =
      (AI.getAllocatedType()->isSized() &&
       // alloca() may be called with 0 size, ignore it.
       ((!AI.isStaticAlloca()) || getAllocaSizeInBytes(AI) > 0) &&
       // We are only interested in allocas not promotable to registers.
       // Promotable allocas are common under -O0.
       (!ClSkipPromotableAllocas || !isAllocaPromotable(&AI)) &&
       // inalloca allocas are not treated as static, and we don't want
       // dynamic alloca instrumentation for them as well.
       !AI.isUsedWithInAlloca() &&
       // swifterror allocas are register promoted by ISel
       !AI.isSwiftError());

  ProcessedAllocas[&AI] = IsInteresting;
  return IsInteresting;
}

Value *AddressSanitizer::isInterestingMemoryAccess(Instruction *I,
                                                   bool *IsWrite,
                                                   uint64_t *TypeSize,
                                                   unsigned *Alignment,
                                                   Value **MaybeMask) {
  // Skip memory accesses inserted by another instrumentation.
  if (I->getMetadata("nosanitize")) return nullptr;

  // Do not instrument the load fetching the dynamic shadow address.
  if (LocalDynamicShadow == I)
    return nullptr;

  Value *PtrOperand = nullptr;
  const DataLayout &DL = I->getModule()->getDataLayout();
  if (LoadInst *LI = dyn_cast<LoadInst>(I)) {
    if (!ClInstrumentReads) return nullptr;
    *IsWrite = false;
    *TypeSize = DL.getTypeStoreSizeInBits(LI->getType());
    *Alignment = LI->getAlignment();
    PtrOperand = LI->getPointerOperand();
  } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {
    if (!ClInstrumentWrites) return nullptr;
    *IsWrite = true;
    *TypeSize = DL.getTypeStoreSizeInBits(SI->getValueOperand()->getType());
    *Alignment = SI->getAlignment();
    PtrOperand = SI->getPointerOperand();
  } else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) {
    if (!ClInstrumentAtomics) return nullptr;
    *IsWrite = true;
    *TypeSize = DL.getTypeStoreSizeInBits(RMW->getValOperand()->getType());
    *Alignment = 0;
    PtrOperand = RMW->getPointerOperand();
  } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {
    if (!ClInstrumentAtomics) return nullptr;
    *IsWrite = true;
    *TypeSize = DL.getTypeStoreSizeInBits(XCHG->getCompareOperand()->getType());
    *Alignment = 0;
    PtrOperand = XCHG->getPointerOperand();
  } else if (auto CI = dyn_cast<CallInst>(I)) {
    auto *F = dyn_cast<Function>(CI->getCalledValue());
    if (F && (F->getName().startswith("llvm.masked.load.") ||
              F->getName().startswith("llvm.masked.store."))) {
      unsigned OpOffset = 0;
      if (F->getName().startswith("llvm.masked.store.")) {
        if (!ClInstrumentWrites)
          return nullptr;
        // Masked store has an initial operand for the value.
        OpOffset = 1;
        *IsWrite = true;
      } else {
        if (!ClInstrumentReads)
          return nullptr;
        *IsWrite = false;
      }

      auto BasePtr = CI->getOperand(0 + OpOffset);
      auto Ty = cast<PointerType>(BasePtr->getType())->getElementType();
      *TypeSize = DL.getTypeStoreSizeInBits(Ty);
      if (auto AlignmentConstant =
              dyn_cast<ConstantInt>(CI->getOperand(1 + OpOffset)))
        *Alignment = (unsigned)AlignmentConstant->getZExtValue();
      else
        *Alignment = 1;  // No alignment guarantees. We probably got Undef.
      if (MaybeMask)
        *MaybeMask = CI->getOperand(2 + OpOffset);
      PtrOperand = BasePtr;
    }
  }

  if (PtrOperand) {
    // Do not instrument accesses from different address spaces; we cannot deal
    // with them.
    Type *PtrTy = cast<PointerType>(PtrOperand->getType()->getScalarType());
    if (PtrTy->getPointerAddressSpace() != 0)
      return nullptr;

    // Ignore swifterror addresses.
    // swifterror memory addresses are mem2reg promoted by instruction
    // selection. As such they cannot have regular uses like an instrumentation
    // function and it makes no sense to track them as memory.
    if (PtrOperand->isSwiftError())
      return nullptr;
  }

  // Treat memory accesses to promotable allocas as non-interesting since they
  // will not cause memory violations. This greatly speeds up the instrumented
  // executable at -O0.
  if (ClSkipPromotableAllocas)
    if (auto AI = dyn_cast_or_null<AllocaInst>(PtrOperand))
      return isInterestingAlloca(*AI) ? AI : nullptr;

  return PtrOperand;
}

static bool isPointerOperand(Value *V) {
  return V->getType()->isPointerTy() || isa<PtrToIntInst>(V);
}
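// For illustration: with -asan-detect-invalid-pointer-pair, a relational
// compare such as "%c = icmp ult i8* %p, %q", or a subtraction whose operands
// are pointers or ptrtoint results, is matched by the helper below and
// rewritten (see instrumentPointerComparisonOrSubtraction) into a call to
// __sanitizer_ptr_cmp or __sanitizer_ptr_sub with both operands cast to
// intptr_t.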
// This is a rough heuristic; it may cause both false positives and
// false negatives. The proper implementation requires cooperation with
// the frontend.
static bool isInterestingPointerComparisonOrSubtraction(Instruction *I) {
  if (ICmpInst *Cmp = dyn_cast<ICmpInst>(I)) {
    if (!Cmp->isRelational()) return false;
  } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(I)) {
    if (BO->getOpcode() != Instruction::Sub) return false;
  } else {
    return false;
  }
  return isPointerOperand(I->getOperand(0)) &&
         isPointerOperand(I->getOperand(1));
}

bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) {
  // If a global variable does not have dynamic initialization we don't
  // have to instrument it. However, if a global does not have an initializer
  // at all, we assume it has a dynamic initializer (in another TU).
  return G->hasInitializer() && !GlobalsMD.get(G).IsDynInit;
}

void AddressSanitizer::instrumentPointerComparisonOrSubtraction(
    Instruction *I) {
  IRBuilder<> IRB(I);
  Function *F = isa<ICmpInst>(I) ? AsanPtrCmpFunction : AsanPtrSubFunction;
  Value *Param[2] = {I->getOperand(0), I->getOperand(1)};
  for (Value *&i : Param) {
    if (i->getType()->isPointerTy())
      i = IRB.CreatePointerCast(i, IntptrTy);
  }
  IRB.CreateCall(F, Param);
}

static void doInstrumentAddress(AddressSanitizer *Pass, Instruction *I,
                                Instruction *InsertBefore, Value *Addr,
                                unsigned Alignment, unsigned Granularity,
                                uint32_t TypeSize, bool IsWrite,
                                Value *SizeArgument, bool UseCalls,
                                uint32_t Exp) {
  // Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check
  // if the data is properly aligned.
  if ((TypeSize == 8 || TypeSize == 16 || TypeSize == 32 || TypeSize == 64 ||
       TypeSize == 128) &&
      (Alignment >= Granularity || Alignment == 0 || Alignment >= TypeSize / 8))
    return Pass->instrumentAddress(I, InsertBefore, Addr, TypeSize, IsWrite,
                                   nullptr, UseCalls, Exp);
  Pass->instrumentUnusualSizeOrAlignment(I, InsertBefore, Addr, TypeSize,
                                         IsWrite, nullptr, UseCalls, Exp);
}

static void instrumentMaskedLoadOrStore(AddressSanitizer *Pass,
                                        const DataLayout &DL, Type *IntptrTy,
                                        Value *Mask, Instruction *I,
                                        Value *Addr, unsigned Alignment,
                                        unsigned Granularity, uint32_t TypeSize,
                                        bool IsWrite, Value *SizeArgument,
                                        bool UseCalls, uint32_t Exp) {
  auto *VTy = cast<PointerType>(Addr->getType())->getElementType();
  uint64_t ElemTypeSize = DL.getTypeStoreSizeInBits(VTy->getScalarType());
  unsigned Num = VTy->getVectorNumElements();
  auto Zero = ConstantInt::get(IntptrTy, 0);
  for (unsigned Idx = 0; Idx < Num; ++Idx) {
    Value *InstrumentedAddress = nullptr;
    Instruction *InsertBefore = I;
    if (auto *Vector = dyn_cast<ConstantVector>(Mask)) {
      // dyn_cast as we might get UndefValue
      if (auto *Masked = dyn_cast<ConstantInt>(Vector->getOperand(Idx))) {
        if (Masked->isZero())
          // Mask is constant false, so no instrumentation needed.
          continue;
        // If we have a true or undef value, fall through to doInstrumentAddress
        // with InsertBefore == I
      }
    } else {
      IRBuilder<> IRB(I);
      Value *MaskElem = IRB.CreateExtractElement(Mask, Idx);
      Instruction *ThenTerm = SplitBlockAndInsertIfThen(MaskElem, I, false);
      InsertBefore = ThenTerm;
    }

    IRBuilder<> IRB(InsertBefore);
    InstrumentedAddress =
        IRB.CreateGEP(Addr, {Zero, ConstantInt::get(IntptrTy, Idx)});
    doInstrumentAddress(Pass, I, InsertBefore, InstrumentedAddress, Alignment,
                        Granularity, ElemTypeSize, IsWrite, SizeArgument,
                        UseCalls, Exp);
  }
}

void AddressSanitizer::instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis,
                                     Instruction *I, bool UseCalls,
                                     const DataLayout &DL) {
  bool IsWrite = false;
  unsigned Alignment = 0;
  uint64_t TypeSize = 0;
  Value *MaybeMask = nullptr;
  Value *Addr =
      isInterestingMemoryAccess(I, &IsWrite, &TypeSize, &Alignment, &MaybeMask);
  assert(Addr);

  // Optimization experiments.
  // The experiments can be used to evaluate potential optimizations that
  // remove instrumentation (assess false negatives). Instead of completely
  // removing some instrumentation, you set Exp to a non-zero value (mask of
  // optimization experiments that want to remove instrumentation of this
  // instruction). If Exp is non-zero, this pass will emit special calls into
  // the runtime (e.g. __asan_report_exp_load1 instead of __asan_report_load1).
  // These calls make the runtime terminate the program in a special way (with
  // a different exit status). Then you run the new compiler on a buggy corpus,
  // collect the special terminations (ideally, you don't see them at all --
  // no false negatives) and make the decision on the optimization.
  uint32_t Exp = ClForceExperiment;

  if (ClOpt && ClOptGlobals) {
    // If initialization order checking is disabled, a simple access to a
    // dynamically initialized global is always valid.
    GlobalVariable *G = dyn_cast<GlobalVariable>(GetUnderlyingObject(Addr, DL));
    if (G && (!ClInitializers || GlobalIsLinkerInitialized(G)) &&
        isSafeAccess(ObjSizeVis, Addr, TypeSize)) {
      NumOptimizedAccessesToGlobalVar++;
      return;
    }
  }

  if (ClOpt && ClOptStack) {
    // A direct inbounds access to a stack variable is always valid.
    if (isa<AllocaInst>(GetUnderlyingObject(Addr, DL)) &&
        isSafeAccess(ObjSizeVis, Addr, TypeSize)) {
      NumOptimizedAccessesToStackVar++;
      return;
    }
  }

  if (IsWrite)
    NumInstrumentedWrites++;
  else
    NumInstrumentedReads++;

  unsigned Granularity = 1 << Mapping.Scale;
  if (MaybeMask) {
    instrumentMaskedLoadOrStore(this, DL, IntptrTy, MaybeMask, I, Addr,
                                Alignment, Granularity, TypeSize, IsWrite,
                                nullptr, UseCalls, Exp);
  } else {
    doInstrumentAddress(this, I, I, Addr, Alignment, Granularity, TypeSize,
                        IsWrite, nullptr, UseCalls, Exp);
  }
}

Instruction *AddressSanitizer::generateCrashCode(Instruction *InsertBefore,
                                                 Value *Addr, bool IsWrite,
                                                 size_t AccessSizeIndex,
                                                 Value *SizeArgument,
                                                 uint32_t Exp) {
  IRBuilder<> IRB(InsertBefore);
nullptr : ConstantInt::get(IRB.getInt32Ty(), Exp); 1469 CallInst *Call = nullptr; 1470 if (SizeArgument) { 1471 if (Exp == 0) 1472 Call = IRB.CreateCall(AsanErrorCallbackSized[IsWrite][0], 1473 {Addr, SizeArgument}); 1474 else 1475 Call = IRB.CreateCall(AsanErrorCallbackSized[IsWrite][1], 1476 {Addr, SizeArgument, ExpVal}); 1477 } else { 1478 if (Exp == 0) 1479 Call = 1480 IRB.CreateCall(AsanErrorCallback[IsWrite][0][AccessSizeIndex], Addr); 1481 else 1482 Call = IRB.CreateCall(AsanErrorCallback[IsWrite][1][AccessSizeIndex], 1483 {Addr, ExpVal}); 1484 } 1485 1486 // We don't do Call->setDoesNotReturn() because the BB already has 1487 // UnreachableInst at the end. 1488 // This EmptyAsm is required to avoid callback merge. 1489 IRB.CreateCall(EmptyAsm, {}); 1490 return Call; 1491 } 1492 1493 Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 1494 Value *ShadowValue, 1495 uint32_t TypeSize) { 1496 size_t Granularity = static_cast<size_t>(1) << Mapping.Scale; 1497 // Addr & (Granularity - 1) 1498 Value *LastAccessedByte = 1499 IRB.CreateAnd(AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 1500 // (Addr & (Granularity - 1)) + size - 1 1501 if (TypeSize / 8 > 1) 1502 LastAccessedByte = IRB.CreateAdd( 1503 LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 1504 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 1505 LastAccessedByte = 1506 IRB.CreateIntCast(LastAccessedByte, ShadowValue->getType(), false); 1507 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 1508 return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue); 1509 } 1510 1511 void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 1512 Instruction *InsertBefore, Value *Addr, 1513 uint32_t TypeSize, bool IsWrite, 1514 Value *SizeArgument, bool UseCalls, 1515 uint32_t Exp) { 1516 bool IsMyriad = TargetTriple.getVendor() == llvm::Triple::Myriad; 1517 1518 IRBuilder<> IRB(InsertBefore); 1519 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 1520 size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize); 1521 1522 if (UseCalls) { 1523 if (Exp == 0) 1524 IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][0][AccessSizeIndex], 1525 AddrLong); 1526 else 1527 IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][1][AccessSizeIndex], 1528 {AddrLong, ConstantInt::get(IRB.getInt32Ty(), Exp)}); 1529 return; 1530 } 1531 1532 if (IsMyriad) { 1533 // Strip the cache bit and do range check. 
1534 // AddrLong &= ~kMyriadCacheBitMask32 1535 AddrLong = IRB.CreateAnd(AddrLong, ~kMyriadCacheBitMask32); 1536 // Tag = AddrLong >> kMyriadTagShift 1537 Value *Tag = IRB.CreateLShr(AddrLong, kMyriadTagShift); 1538 // Tag == kMyriadDDRTag 1539 Value *TagCheck = 1540 IRB.CreateICmpEQ(Tag, ConstantInt::get(IntptrTy, kMyriadDDRTag)); 1541 1542 Instruction *TagCheckTerm = 1543 SplitBlockAndInsertIfThen(TagCheck, InsertBefore, false, 1544 MDBuilder(*C).createBranchWeights(1, 100000)); 1545 assert(cast<BranchInst>(TagCheckTerm)->isUnconditional()); 1546 IRB.SetInsertPoint(TagCheckTerm); 1547 InsertBefore = TagCheckTerm; 1548 } 1549 1550 Type *ShadowTy = 1551 IntegerType::get(*C, std::max(8U, TypeSize >> Mapping.Scale)); 1552 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 1553 Value *ShadowPtr = memToShadow(AddrLong, IRB); 1554 Value *CmpVal = Constant::getNullValue(ShadowTy); 1555 Value *ShadowValue = 1556 IRB.CreateLoad(IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 1557 1558 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 1559 size_t Granularity = 1ULL << Mapping.Scale; 1560 Instruction *CrashTerm = nullptr; 1561 1562 if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) { 1563 // We use branch weights for the slow path check, to indicate that the slow 1564 // path is rarely taken. This seems to be the case for SPEC benchmarks. 1565 Instruction *CheckTerm = SplitBlockAndInsertIfThen( 1566 Cmp, InsertBefore, false, MDBuilder(*C).createBranchWeights(1, 100000)); 1567 assert(cast<BranchInst>(CheckTerm)->isUnconditional()); 1568 BasicBlock *NextBB = CheckTerm->getSuccessor(0); 1569 IRB.SetInsertPoint(CheckTerm); 1570 Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize); 1571 if (Recover) { 1572 CrashTerm = SplitBlockAndInsertIfThen(Cmp2, CheckTerm, false); 1573 } else { 1574 BasicBlock *CrashBlock = 1575 BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); 1576 CrashTerm = new UnreachableInst(*C, CrashBlock); 1577 BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); 1578 ReplaceInstWithInst(CheckTerm, NewTerm); 1579 } 1580 } else { 1581 CrashTerm = SplitBlockAndInsertIfThen(Cmp, InsertBefore, !Recover); 1582 } 1583 1584 Instruction *Crash = generateCrashCode(CrashTerm, AddrLong, IsWrite, 1585 AccessSizeIndex, SizeArgument, Exp); 1586 Crash->setDebugLoc(OrigIns->getDebugLoc()); 1587 } 1588 1589 // Instrument unusual size or unusual alignment. 1590 // We can not do it with a single check, so we do 1-byte check for the first 1591 // and the last bytes. We call __asan_report_*_n(addr, real_size) to be able 1592 // to report the actual access size. 
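// (Added illustration, not from the original source: for a 10-byte access at
//  Addr the non-call path below emits two 1-byte shadow checks, one at Addr
//  and one at Addr + 9, while the UseCalls path keeps the real size and, with
//  the default callback prefix, ends up calling something like
//    __asan_loadN(Addr, 10);   // __asan_report_load_n(Addr, 10) on error
//  so the runtime can report the actual access size.)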
1593 void AddressSanitizer::instrumentUnusualSizeOrAlignment( 1594 Instruction *I, Instruction *InsertBefore, Value *Addr, uint32_t TypeSize, 1595 bool IsWrite, Value *SizeArgument, bool UseCalls, uint32_t Exp) { 1596 IRBuilder<> IRB(InsertBefore); 1597 Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8); 1598 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 1599 if (UseCalls) { 1600 if (Exp == 0) 1601 IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][0], 1602 {AddrLong, Size}); 1603 else 1604 IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][1], 1605 {AddrLong, Size, ConstantInt::get(IRB.getInt32Ty(), Exp)}); 1606 } else { 1607 Value *LastByte = IRB.CreateIntToPtr( 1608 IRB.CreateAdd(AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)), 1609 Addr->getType()); 1610 instrumentAddress(I, InsertBefore, Addr, 8, IsWrite, Size, false, Exp); 1611 instrumentAddress(I, InsertBefore, LastByte, 8, IsWrite, Size, false, Exp); 1612 } 1613 } 1614 1615 void AddressSanitizerModule::poisonOneInitializer(Function &GlobalInit, 1616 GlobalValue *ModuleName) { 1617 // Set up the arguments to our poison/unpoison functions. 1618 IRBuilder<> IRB(&GlobalInit.front(), 1619 GlobalInit.front().getFirstInsertionPt()); 1620 1621 // Add a call to poison all external globals before the given function starts. 1622 Value *ModuleNameAddr = ConstantExpr::getPointerCast(ModuleName, IntptrTy); 1623 IRB.CreateCall(AsanPoisonGlobals, ModuleNameAddr); 1624 1625 // Add calls to unpoison all globals before each return instruction. 1626 for (auto &BB : GlobalInit.getBasicBlockList()) 1627 if (ReturnInst *RI = dyn_cast<ReturnInst>(BB.getTerminator())) 1628 CallInst::Create(AsanUnpoisonGlobals, "", RI); 1629 } 1630 1631 void AddressSanitizerModule::createInitializerPoisonCalls( 1632 Module &M, GlobalValue *ModuleName) { 1633 GlobalVariable *GV = M.getGlobalVariable("llvm.global_ctors"); 1634 if (!GV) 1635 return; 1636 1637 ConstantArray *CA = dyn_cast<ConstantArray>(GV->getInitializer()); 1638 if (!CA) 1639 return; 1640 1641 for (Use &OP : CA->operands()) { 1642 if (isa<ConstantAggregateZero>(OP)) continue; 1643 ConstantStruct *CS = cast<ConstantStruct>(OP); 1644 1645 // Must have a function or null ptr. 1646 if (Function *F = dyn_cast<Function>(CS->getOperand(1))) { 1647 if (F->getName() == kAsanModuleCtorName) continue; 1648 ConstantInt *Priority = dyn_cast<ConstantInt>(CS->getOperand(0)); 1649 // Don't instrument CTORs that will run before asan.module_ctor. 1650 if (Priority->getLimitedValue() <= kAsanCtorAndDtorPriority) continue; 1651 poisonOneInitializer(*F, ModuleName); 1652 } 1653 } 1654 } 1655 1656 bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) { 1657 Type *Ty = G->getValueType(); 1658 LLVM_DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); 1659 1660 if (GlobalsMD.get(G).IsBlacklisted) return false; 1661 if (!Ty->isSized()) return false; 1662 if (!G->hasInitializer()) return false; 1663 if (GlobalWasGeneratedByCompiler(G)) return false; // Our own globals. 1664 // Two problems with thread-locals: 1665 // - The address of the main thread's copy can't be computed at link-time. 1666 // - Need to poison all copies, not just the main thread's one. 1667 if (G->isThreadLocal()) return false; 1668 // For now, just ignore this Global if the alignment is large. 1669 if (G->getAlignment() > MinRedzoneSizeForGlobal()) return false; 1670 1671 // For non-COFF targets, only instrument globals known to be defined by this 1672 // TU. 
1673 // FIXME: We can instrument comdat globals on ELF if we are using the 1674 // GC-friendly metadata scheme. 1675 if (!TargetTriple.isOSBinFormatCOFF()) { 1676 if (!G->hasExactDefinition() || G->hasComdat()) 1677 return false; 1678 } else { 1679 // On COFF, don't instrument non-ODR linkages. 1680 if (G->isInterposable()) 1681 return false; 1682 } 1683 1684 // If a comdat is present, it must have a selection kind that implies ODR 1685 // semantics: no duplicates, any, or exact match. 1686 if (Comdat *C = G->getComdat()) { 1687 switch (C->getSelectionKind()) { 1688 case Comdat::Any: 1689 case Comdat::ExactMatch: 1690 case Comdat::NoDuplicates: 1691 break; 1692 case Comdat::Largest: 1693 case Comdat::SameSize: 1694 return false; 1695 } 1696 } 1697 1698 if (G->hasSection()) { 1699 StringRef Section = G->getSection(); 1700 1701 // Globals from llvm.metadata aren't emitted, do not instrument them. 1702 if (Section == "llvm.metadata") return false; 1703 // Do not instrument globals from special LLVM sections. 1704 if (Section.find("__llvm") != StringRef::npos || Section.find("__LLVM") != StringRef::npos) return false; 1705 1706 // Do not instrument function pointers to initialization and termination 1707 // routines: dynamic linker will not properly handle redzones. 1708 if (Section.startswith(".preinit_array") || 1709 Section.startswith(".init_array") || 1710 Section.startswith(".fini_array")) { 1711 return false; 1712 } 1713 1714 // On COFF, if the section name contains '$', it is highly likely that the 1715 // user is using section sorting to create an array of globals similar to 1716 // the way initialization callbacks are registered in .init_array and 1717 // .CRT$XCU. The ATL also registers things in .ATL$__[azm]. Adding redzones 1718 // to such globals is counterproductive, because the intent is that they 1719 // will form an array, and out-of-bounds accesses are expected. 1720 // See https://github.com/google/sanitizers/issues/305 1721 // and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx 1722 if (TargetTriple.isOSBinFormatCOFF() && Section.contains('$')) { 1723 LLVM_DEBUG(dbgs() << "Ignoring global in sorted section (contains '$'): " 1724 << *G << "\n"); 1725 return false; 1726 } 1727 1728 if (TargetTriple.isOSBinFormatMachO()) { 1729 StringRef ParsedSegment, ParsedSection; 1730 unsigned TAA = 0, StubSize = 0; 1731 bool TAAParsed; 1732 std::string ErrorCode = MCSectionMachO::ParseSectionSpecifier( 1733 Section, ParsedSegment, ParsedSection, TAA, TAAParsed, StubSize); 1734 assert(ErrorCode.empty() && "Invalid section specifier."); 1735 1736 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 1737 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 1738 // them. 1739 if (ParsedSegment == "__OBJC" || 1740 (ParsedSegment == "__DATA" && ParsedSection.startswith("__objc_"))) { 1741 LLVM_DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G << "\n"); 1742 return false; 1743 } 1744 // See https://github.com/google/sanitizers/issues/32 1745 // Constant CFString instances are compiled in the following way: 1746 // -- the string buffer is emitted into 1747 // __TEXT,__cstring,cstring_literals 1748 // -- the constant NSConstantString structure referencing that buffer 1749 // is placed into __DATA,__cfstring 1750 // Therefore there's no point in placing redzones into __DATA,__cfstring. 
1751 // Moreover, it causes the linker to crash on OS X 10.7 1752 if (ParsedSegment == "__DATA" && ParsedSection == "__cfstring") { 1753 LLVM_DEBUG(dbgs() << "Ignoring CFString: " << *G << "\n"); 1754 return false; 1755 } 1756 // The linker merges the contents of cstring_literals and removes the 1757 // trailing zeroes. 1758 if (ParsedSegment == "__TEXT" && (TAA & MachO::S_CSTRING_LITERALS)) { 1759 LLVM_DEBUG(dbgs() << "Ignoring a cstring literal: " << *G << "\n"); 1760 return false; 1761 } 1762 } 1763 } 1764 1765 return true; 1766 } 1767 1768 // On Mach-O platforms, we emit global metadata in a separate section of the 1769 // binary in order to allow the linker to properly dead strip. This is only 1770 // supported on recent versions of ld64. 1771 bool AddressSanitizerModule::ShouldUseMachOGlobalsSection() const { 1772 if (!TargetTriple.isOSBinFormatMachO()) 1773 return false; 1774 1775 if (TargetTriple.isMacOSX() && !TargetTriple.isMacOSXVersionLT(10, 11)) 1776 return true; 1777 if (TargetTriple.isiOS() /* or tvOS */ && !TargetTriple.isOSVersionLT(9)) 1778 return true; 1779 if (TargetTriple.isWatchOS() && !TargetTriple.isOSVersionLT(2)) 1780 return true; 1781 1782 return false; 1783 } 1784 1785 StringRef AddressSanitizerModule::getGlobalMetadataSection() const { 1786 switch (TargetTriple.getObjectFormat()) { 1787 case Triple::COFF: return ".ASAN$GL"; 1788 case Triple::ELF: return "asan_globals"; 1789 case Triple::MachO: return "__DATA,__asan_globals,regular"; 1790 default: break; 1791 } 1792 llvm_unreachable("unsupported object format"); 1793 } 1794 1795 void AddressSanitizerModule::initializeCallbacks(Module &M) { 1796 IRBuilder<> IRB(*C); 1797 1798 // Declare our poisoning and unpoisoning functions. 1799 AsanPoisonGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1800 kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy)); 1801 AsanPoisonGlobals->setLinkage(Function::ExternalLinkage); 1802 AsanUnpoisonGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1803 kAsanUnpoisonGlobalsName, IRB.getVoidTy())); 1804 AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage); 1805 1806 // Declare functions that register/unregister globals. 1807 AsanRegisterGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1808 kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy)); 1809 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 1810 AsanUnregisterGlobals = checkSanitizerInterfaceFunction( 1811 M.getOrInsertFunction(kAsanUnregisterGlobalsName, IRB.getVoidTy(), 1812 IntptrTy, IntptrTy)); 1813 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 1814 1815 // Declare the functions that find globals in a shared object and then invoke 1816 // the (un)register function on them. 
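// (Orientation sketch, assuming the usual compiler-rt interface; the
//  authoritative prototypes live in the runtime sources:
//    void __asan_register_image_globals(uptr *flag);
//    void __asan_register_elf_globals(uptr *flag, void *start, void *stop);
//  plus the matching __asan_unregister_* counterparts declared below.)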
1817 AsanRegisterImageGlobals = 1818 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1819 kAsanRegisterImageGlobalsName, IRB.getVoidTy(), IntptrTy)); 1820 AsanRegisterImageGlobals->setLinkage(Function::ExternalLinkage); 1821 1822 AsanUnregisterImageGlobals = 1823 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1824 kAsanUnregisterImageGlobalsName, IRB.getVoidTy(), IntptrTy)); 1825 AsanUnregisterImageGlobals->setLinkage(Function::ExternalLinkage); 1826 1827 AsanRegisterElfGlobals = checkSanitizerInterfaceFunction( 1828 M.getOrInsertFunction(kAsanRegisterElfGlobalsName, IRB.getVoidTy(), 1829 IntptrTy, IntptrTy, IntptrTy)); 1830 AsanRegisterElfGlobals->setLinkage(Function::ExternalLinkage); 1831 1832 AsanUnregisterElfGlobals = checkSanitizerInterfaceFunction( 1833 M.getOrInsertFunction(kAsanUnregisterElfGlobalsName, IRB.getVoidTy(), 1834 IntptrTy, IntptrTy, IntptrTy)); 1835 AsanUnregisterElfGlobals->setLinkage(Function::ExternalLinkage); 1836 } 1837 1838 // Put the metadata and the instrumented global in the same group. This ensures 1839 // that the metadata is discarded if the instrumented global is discarded. 1840 void AddressSanitizerModule::SetComdatForGlobalMetadata( 1841 GlobalVariable *G, GlobalVariable *Metadata, StringRef InternalSuffix) { 1842 Module &M = *G->getParent(); 1843 Comdat *C = G->getComdat(); 1844 if (!C) { 1845 if (!G->hasName()) { 1846 // If G is unnamed, it must be internal. Give it an artificial name 1847 // so we can put it in a comdat. 1848 assert(G->hasLocalLinkage()); 1849 G->setName(Twine(kAsanGenPrefix) + "_anon_global"); 1850 } 1851 1852 if (!InternalSuffix.empty() && G->hasLocalLinkage()) { 1853 std::string Name = G->getName(); 1854 Name += InternalSuffix; 1855 C = M.getOrInsertComdat(Name); 1856 } else { 1857 C = M.getOrInsertComdat(G->getName()); 1858 } 1859 1860 // Make this IMAGE_COMDAT_SELECT_NODUPLICATES on COFF. Also upgrade private 1861 // linkage to internal linkage so that a symbol table entry is emitted. This 1862 // is necessary in order to create the comdat group. 1863 if (TargetTriple.isOSBinFormatCOFF()) { 1864 C->setSelectionKind(Comdat::NoDuplicates); 1865 if (G->hasPrivateLinkage()) 1866 G->setLinkage(GlobalValue::InternalLinkage); 1867 } 1868 G->setComdat(C); 1869 } 1870 1871 assert(G->hasComdat()); 1872 Metadata->setComdat(G->getComdat()); 1873 } 1874 1875 // Create a separate metadata global and put it in the appropriate ASan 1876 // global registration section. 1877 GlobalVariable * 1878 AddressSanitizerModule::CreateMetadataGlobal(Module &M, Constant *Initializer, 1879 StringRef OriginalName) { 1880 auto Linkage = TargetTriple.isOSBinFormatMachO() 1881 ? 
GlobalVariable::InternalLinkage 1882 : GlobalVariable::PrivateLinkage; 1883 GlobalVariable *Metadata = new GlobalVariable( 1884 M, Initializer->getType(), false, Linkage, Initializer, 1885 Twine("__asan_global_") + GlobalValue::dropLLVMManglingEscape(OriginalName)); 1886 Metadata->setSection(getGlobalMetadataSection()); 1887 return Metadata; 1888 } 1889 1890 IRBuilder<> AddressSanitizerModule::CreateAsanModuleDtor(Module &M) { 1891 AsanDtorFunction = 1892 Function::Create(FunctionType::get(Type::getVoidTy(*C), false), 1893 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 1894 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 1895 1896 return IRBuilder<>(ReturnInst::Create(*C, AsanDtorBB)); 1897 } 1898 1899 void AddressSanitizerModule::InstrumentGlobalsCOFF( 1900 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 1901 ArrayRef<Constant *> MetadataInitializers) { 1902 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 1903 auto &DL = M.getDataLayout(); 1904 1905 for (size_t i = 0; i < ExtendedGlobals.size(); i++) { 1906 Constant *Initializer = MetadataInitializers[i]; 1907 GlobalVariable *G = ExtendedGlobals[i]; 1908 GlobalVariable *Metadata = 1909 CreateMetadataGlobal(M, Initializer, G->getName()); 1910 1911 // The MSVC linker always inserts padding when linking incrementally. We 1912 // cope with that by aligning each struct to its size, which must be a power 1913 // of two. 1914 unsigned SizeOfGlobalStruct = DL.getTypeAllocSize(Initializer->getType()); 1915 assert(isPowerOf2_32(SizeOfGlobalStruct) && 1916 "global metadata will not be padded appropriately"); 1917 Metadata->setAlignment(SizeOfGlobalStruct); 1918 1919 SetComdatForGlobalMetadata(G, Metadata, ""); 1920 } 1921 } 1922 1923 void AddressSanitizerModule::InstrumentGlobalsELF( 1924 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 1925 ArrayRef<Constant *> MetadataInitializers, 1926 const std::string &UniqueModuleId) { 1927 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 1928 1929 SmallVector<GlobalValue *, 16> MetadataGlobals(ExtendedGlobals.size()); 1930 for (size_t i = 0; i < ExtendedGlobals.size(); i++) { 1931 GlobalVariable *G = ExtendedGlobals[i]; 1932 GlobalVariable *Metadata = 1933 CreateMetadataGlobal(M, MetadataInitializers[i], G->getName()); 1934 MDNode *MD = MDNode::get(M.getContext(), ValueAsMetadata::get(G)); 1935 Metadata->setMetadata(LLVMContext::MD_associated, MD); 1936 MetadataGlobals[i] = Metadata; 1937 1938 SetComdatForGlobalMetadata(G, Metadata, UniqueModuleId); 1939 } 1940 1941 // Update llvm.compiler.used, adding the new metadata globals. This is 1942 // needed so that during LTO these variables stay alive. 1943 if (!MetadataGlobals.empty()) 1944 appendToCompilerUsed(M, MetadataGlobals); 1945 1946 // RegisteredFlag serves two purposes. First, we can pass it to dladdr() 1947 // to look up the loaded image that contains it. Second, we can store in it 1948 // whether registration has already occurred, to prevent duplicate 1949 // registration. 1950 // 1951 // Common linkage ensures that there is only one global per shared library. 1952 GlobalVariable *RegisteredFlag = new GlobalVariable( 1953 M, IntptrTy, false, GlobalVariable::CommonLinkage, 1954 ConstantInt::get(IntptrTy, 0), kAsanGlobalsRegisteredFlagName); 1955 RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility); 1956 1957 // Create start and stop symbols. 
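// (For example, with the ELF metadata section named "asan_globals" the linker
//  synthesizes __start_asan_globals and __stop_asan_globals around the
//  concatenated metadata entries, so the runtime can walk [start, stop) to
//  find every instrumented global in this image.)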
1958 GlobalVariable *StartELFMetadata = new GlobalVariable( 1959 M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr, 1960 "__start_" + getGlobalMetadataSection()); 1961 StartELFMetadata->setVisibility(GlobalVariable::HiddenVisibility); 1962 GlobalVariable *StopELFMetadata = new GlobalVariable( 1963 M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr, 1964 "__stop_" + getGlobalMetadataSection()); 1965 StopELFMetadata->setVisibility(GlobalVariable::HiddenVisibility); 1966 1967 // Create a call to register the globals with the runtime. 1968 IRB.CreateCall(AsanRegisterElfGlobals, 1969 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy), 1970 IRB.CreatePointerCast(StartELFMetadata, IntptrTy), 1971 IRB.CreatePointerCast(StopELFMetadata, IntptrTy)}); 1972 1973 // We also need to unregister globals at the end, e.g., when a shared library 1974 // gets closed. 1975 IRBuilder<> IRB_Dtor = CreateAsanModuleDtor(M); 1976 IRB_Dtor.CreateCall(AsanUnregisterElfGlobals, 1977 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy), 1978 IRB.CreatePointerCast(StartELFMetadata, IntptrTy), 1979 IRB.CreatePointerCast(StopELFMetadata, IntptrTy)}); 1980 } 1981 1982 void AddressSanitizerModule::InstrumentGlobalsMachO( 1983 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 1984 ArrayRef<Constant *> MetadataInitializers) { 1985 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 1986 1987 // On recent Mach-O platforms, use a structure which binds the liveness of 1988 // the global variable to the metadata struct. Keep the list of "Liveness" GV 1989 // created to be added to llvm.compiler.used 1990 StructType *LivenessTy = StructType::get(IntptrTy, IntptrTy); 1991 SmallVector<GlobalValue *, 16> LivenessGlobals(ExtendedGlobals.size()); 1992 1993 for (size_t i = 0; i < ExtendedGlobals.size(); i++) { 1994 Constant *Initializer = MetadataInitializers[i]; 1995 GlobalVariable *G = ExtendedGlobals[i]; 1996 GlobalVariable *Metadata = 1997 CreateMetadataGlobal(M, Initializer, G->getName()); 1998 1999 // On recent Mach-O platforms, we emit the global metadata in a way that 2000 // allows the linker to properly strip dead globals. 2001 auto LivenessBinder = 2002 ConstantStruct::get(LivenessTy, Initializer->getAggregateElement(0u), 2003 ConstantExpr::getPointerCast(Metadata, IntptrTy)); 2004 GlobalVariable *Liveness = new GlobalVariable( 2005 M, LivenessTy, false, GlobalVariable::InternalLinkage, LivenessBinder, 2006 Twine("__asan_binder_") + G->getName()); 2007 Liveness->setSection("__DATA,__asan_liveness,regular,live_support"); 2008 LivenessGlobals[i] = Liveness; 2009 } 2010 2011 // Update llvm.compiler.used, adding the new liveness globals. This is 2012 // needed so that during LTO these variables stay alive. The alternative 2013 // would be to have the linker handling the LTO symbols, but libLTO 2014 // current API does not expose access to the section for each symbol. 2015 if (!LivenessGlobals.empty()) 2016 appendToCompilerUsed(M, LivenessGlobals); 2017 2018 // RegisteredFlag serves two purposes. First, we can pass it to dladdr() 2019 // to look up the loaded image that contains it. Second, we can store in it 2020 // whether registration has already occurred, to prevent duplicate 2021 // registration. 2022 // 2023 // common linkage ensures that there is only one global per shared library. 
2024 GlobalVariable *RegisteredFlag = new GlobalVariable( 2025 M, IntptrTy, false, GlobalVariable::CommonLinkage, 2026 ConstantInt::get(IntptrTy, 0), kAsanGlobalsRegisteredFlagName); 2027 RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility); 2028 2029 IRB.CreateCall(AsanRegisterImageGlobals, 2030 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy)}); 2031 2032 // We also need to unregister globals at the end, e.g., when a shared library 2033 // gets closed. 2034 IRBuilder<> IRB_Dtor = CreateAsanModuleDtor(M); 2035 IRB_Dtor.CreateCall(AsanUnregisterImageGlobals, 2036 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy)}); 2037 } 2038 2039 void AddressSanitizerModule::InstrumentGlobalsWithMetadataArray( 2040 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 2041 ArrayRef<Constant *> MetadataInitializers) { 2042 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 2043 unsigned N = ExtendedGlobals.size(); 2044 assert(N > 0); 2045 2046 // On platforms that don't have a custom metadata section, we emit an array 2047 // of global metadata structures. 2048 ArrayType *ArrayOfGlobalStructTy = 2049 ArrayType::get(MetadataInitializers[0]->getType(), N); 2050 auto AllGlobals = new GlobalVariable( 2051 M, ArrayOfGlobalStructTy, false, GlobalVariable::InternalLinkage, 2052 ConstantArray::get(ArrayOfGlobalStructTy, MetadataInitializers), ""); 2053 if (Mapping.Scale > 3) 2054 AllGlobals->setAlignment(1ULL << Mapping.Scale); 2055 2056 IRB.CreateCall(AsanRegisterGlobals, 2057 {IRB.CreatePointerCast(AllGlobals, IntptrTy), 2058 ConstantInt::get(IntptrTy, N)}); 2059 2060 // We also need to unregister globals at the end, e.g., when a shared library 2061 // gets closed. 2062 IRBuilder<> IRB_Dtor = CreateAsanModuleDtor(M); 2063 IRB_Dtor.CreateCall(AsanUnregisterGlobals, 2064 {IRB.CreatePointerCast(AllGlobals, IntptrTy), 2065 ConstantInt::get(IntptrTy, N)}); 2066 } 2067 2068 // This function replaces all global variables with new variables that have 2069 // trailing redzones. It also creates a function that poisons 2070 // redzones and inserts this function into llvm.global_ctors. 2071 // Sets *CtorComdat to true if the global registration code emitted into the 2072 // asan constructor is comdat-compatible. 2073 bool AddressSanitizerModule::InstrumentGlobals(IRBuilder<> &IRB, Module &M, bool *CtorComdat) { 2074 *CtorComdat = false; 2075 GlobalsMD.init(M); 2076 2077 SmallVector<GlobalVariable *, 16> GlobalsToChange; 2078 2079 for (auto &G : M.globals()) { 2080 if (ShouldInstrumentGlobal(&G)) GlobalsToChange.push_back(&G); 2081 } 2082 2083 size_t n = GlobalsToChange.size(); 2084 if (n == 0) { 2085 *CtorComdat = true; 2086 return false; 2087 } 2088 2089 auto &DL = M.getDataLayout(); 2090 2091 // A global is described by a structure 2092 // size_t beg; 2093 // size_t size; 2094 // size_t size_with_redzone; 2095 // const char *name; 2096 // const char *module_name; 2097 // size_t has_dynamic_init; 2098 // void *source_location; 2099 // size_t odr_indicator; 2100 // We initialize an array of such structures and pass it to a run-time call. 2101 StructType *GlobalStructTy = 2102 StructType::get(IntptrTy, IntptrTy, IntptrTy, IntptrTy, IntptrTy, 2103 IntptrTy, IntptrTy, IntptrTy); 2104 SmallVector<GlobalVariable *, 16> NewGlobals(n); 2105 SmallVector<Constant *, 16> Initializers(n); 2106 2107 bool HasDynamicallyInitializedGlobals = false; 2108 2109 // We shouldn't merge same module names, as this string serves as unique 2110 // module ID in runtime. 
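// (Worked example for the redzone sizing further below, with hypothetical
//  numbers and assuming MinRedzoneSizeForGlobal() == 32: a 100-byte global gets
//    RZ               = max(32, min(1 << 18, (100 / 32 / 4) * 32)) = 32
//    RightRedzoneSize = 32 + (32 - 100 % 32)                       = 60
//  so the global plus its right redzone spans 160 bytes, a multiple of MinRZ.)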
2111 GlobalVariable *ModuleName = createPrivateGlobalForString( 2112 M, M.getModuleIdentifier(), /*AllowMerging*/ false, kAsanGenPrefix); 2113 2114 for (size_t i = 0; i < n; i++) { 2115 static const uint64_t kMaxGlobalRedzone = 1 << 18; 2116 GlobalVariable *G = GlobalsToChange[i]; 2117 2118 auto MD = GlobalsMD.get(G); 2119 StringRef NameForGlobal = G->getName(); 2120 // Create string holding the global name (use global name from metadata 2121 // if it's available, otherwise just write the name of global variable). 2122 GlobalVariable *Name = createPrivateGlobalForString( 2123 M, MD.Name.empty() ? NameForGlobal : MD.Name, 2124 /*AllowMerging*/ true, kAsanGenPrefix); 2125 2126 Type *Ty = G->getValueType(); 2127 uint64_t SizeInBytes = DL.getTypeAllocSize(Ty); 2128 uint64_t MinRZ = MinRedzoneSizeForGlobal(); 2129 // MinRZ <= RZ <= kMaxGlobalRedzone 2130 // and trying to make RZ to be ~ 1/4 of SizeInBytes. 2131 uint64_t RZ = std::max( 2132 MinRZ, std::min(kMaxGlobalRedzone, (SizeInBytes / MinRZ / 4) * MinRZ)); 2133 uint64_t RightRedzoneSize = RZ; 2134 // Round up to MinRZ 2135 if (SizeInBytes % MinRZ) RightRedzoneSize += MinRZ - (SizeInBytes % MinRZ); 2136 assert(((RightRedzoneSize + SizeInBytes) % MinRZ) == 0); 2137 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 2138 2139 StructType *NewTy = StructType::get(Ty, RightRedZoneTy); 2140 Constant *NewInitializer = ConstantStruct::get( 2141 NewTy, G->getInitializer(), Constant::getNullValue(RightRedZoneTy)); 2142 2143 // Create a new global variable with enough space for a redzone. 2144 GlobalValue::LinkageTypes Linkage = G->getLinkage(); 2145 if (G->isConstant() && Linkage == GlobalValue::PrivateLinkage) 2146 Linkage = GlobalValue::InternalLinkage; 2147 GlobalVariable *NewGlobal = 2148 new GlobalVariable(M, NewTy, G->isConstant(), Linkage, NewInitializer, 2149 "", G, G->getThreadLocalMode()); 2150 NewGlobal->copyAttributesFrom(G); 2151 NewGlobal->setComdat(G->getComdat()); 2152 NewGlobal->setAlignment(MinRZ); 2153 // Don't fold globals with redzones. ODR violation detector and redzone 2154 // poisoning implicitly creates a dependence on the global's address, so it 2155 // is no longer valid for it to be marked unnamed_addr. 2156 NewGlobal->setUnnamedAddr(GlobalValue::UnnamedAddr::None); 2157 2158 // Move null-terminated C strings to "__asan_cstring" section on Darwin. 2159 if (TargetTriple.isOSBinFormatMachO() && !G->hasSection() && 2160 G->isConstant()) { 2161 auto Seq = dyn_cast<ConstantDataSequential>(G->getInitializer()); 2162 if (Seq && Seq->isCString()) 2163 NewGlobal->setSection("__TEXT,__asan_cstring,regular"); 2164 } 2165 2166 // Transfer the debug info. The payload starts at offset zero so we can 2167 // copy the debug info over as is. 
2168 SmallVector<DIGlobalVariableExpression *, 1> GVs; 2169 G->getDebugInfo(GVs); 2170 for (auto *GV : GVs) 2171 NewGlobal->addDebugInfo(GV); 2172 2173 Value *Indices2[2]; 2174 Indices2[0] = IRB.getInt32(0); 2175 Indices2[1] = IRB.getInt32(0); 2176 2177 G->replaceAllUsesWith( 2178 ConstantExpr::getGetElementPtr(NewTy, NewGlobal, Indices2, true)); 2179 NewGlobal->takeName(G); 2180 G->eraseFromParent(); 2181 NewGlobals[i] = NewGlobal; 2182 2183 Constant *SourceLoc; 2184 if (!MD.SourceLoc.empty()) { 2185 auto SourceLocGlobal = createPrivateGlobalForSourceLoc(M, MD.SourceLoc); 2186 SourceLoc = ConstantExpr::getPointerCast(SourceLocGlobal, IntptrTy); 2187 } else { 2188 SourceLoc = ConstantInt::get(IntptrTy, 0); 2189 } 2190 2191 Constant *ODRIndicator = ConstantExpr::getNullValue(IRB.getInt8PtrTy()); 2192 GlobalValue *InstrumentedGlobal = NewGlobal; 2193 2194 bool CanUsePrivateAliases = 2195 TargetTriple.isOSBinFormatELF() || TargetTriple.isOSBinFormatMachO() || 2196 TargetTriple.isOSBinFormatWasm(); 2197 if (CanUsePrivateAliases && UsePrivateAlias) { 2198 // Create local alias for NewGlobal to avoid crash on ODR between 2199 // instrumented and non-instrumented libraries. 2200 InstrumentedGlobal = 2201 GlobalAlias::create(GlobalValue::PrivateLinkage, "", NewGlobal); 2202 } 2203 2204 // ODR should not happen for local linkage. 2205 if (NewGlobal->hasLocalLinkage()) { 2206 ODRIndicator = ConstantExpr::getIntToPtr(ConstantInt::get(IntptrTy, -1), 2207 IRB.getInt8PtrTy()); 2208 } else if (UseOdrIndicator) { 2209 // With local aliases, we need to provide another externally visible 2210 // symbol __odr_asan_XXX to detect ODR violation. 2211 auto *ODRIndicatorSym = 2212 new GlobalVariable(M, IRB.getInt8Ty(), false, Linkage, 2213 Constant::getNullValue(IRB.getInt8Ty()), 2214 kODRGenPrefix + NameForGlobal, nullptr, 2215 NewGlobal->getThreadLocalMode()); 2216 2217 // Set meaningful attributes for indicator symbol. 2218 ODRIndicatorSym->setVisibility(NewGlobal->getVisibility()); 2219 ODRIndicatorSym->setDLLStorageClass(NewGlobal->getDLLStorageClass()); 2220 ODRIndicatorSym->setAlignment(1); 2221 ODRIndicator = ODRIndicatorSym; 2222 } 2223 2224 Constant *Initializer = ConstantStruct::get( 2225 GlobalStructTy, 2226 ConstantExpr::getPointerCast(InstrumentedGlobal, IntptrTy), 2227 ConstantInt::get(IntptrTy, SizeInBytes), 2228 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 2229 ConstantExpr::getPointerCast(Name, IntptrTy), 2230 ConstantExpr::getPointerCast(ModuleName, IntptrTy), 2231 ConstantInt::get(IntptrTy, MD.IsDynInit), SourceLoc, 2232 ConstantExpr::getPointerCast(ODRIndicator, IntptrTy)); 2233 2234 if (ClInitializers && MD.IsDynInit) HasDynamicallyInitializedGlobals = true; 2235 2236 LLVM_DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); 2237 2238 Initializers[i] = Initializer; 2239 } 2240 2241 // Add instrumented globals to llvm.compiler.used list to avoid LTO from 2242 // ConstantMerge'ing them. 2243 SmallVector<GlobalValue *, 16> GlobalsToAddToUsedList; 2244 for (size_t i = 0; i < n; i++) { 2245 GlobalVariable *G = NewGlobals[i]; 2246 if (G->getName().empty()) continue; 2247 GlobalsToAddToUsedList.push_back(G); 2248 } 2249 appendToCompilerUsed(M, ArrayRef<GlobalValue *>(GlobalsToAddToUsedList)); 2250 2251 std::string ELFUniqueModuleId = 2252 (UseGlobalsGC && TargetTriple.isOSBinFormatELF()) ? 
getUniqueModuleId(&M) 2253 : ""; 2254 2255 if (!ELFUniqueModuleId.empty()) { 2256 InstrumentGlobalsELF(IRB, M, NewGlobals, Initializers, ELFUniqueModuleId); 2257 *CtorComdat = true; 2258 } else if (UseGlobalsGC && TargetTriple.isOSBinFormatCOFF()) { 2259 InstrumentGlobalsCOFF(IRB, M, NewGlobals, Initializers); 2260 } else if (UseGlobalsGC && ShouldUseMachOGlobalsSection()) { 2261 InstrumentGlobalsMachO(IRB, M, NewGlobals, Initializers); 2262 } else { 2263 InstrumentGlobalsWithMetadataArray(IRB, M, NewGlobals, Initializers); 2264 } 2265 2266 // Create calls for poisoning before initializers run and unpoisoning after. 2267 if (HasDynamicallyInitializedGlobals) 2268 createInitializerPoisonCalls(M, ModuleName); 2269 2270 LLVM_DEBUG(dbgs() << M); 2271 return true; 2272 } 2273 2274 int AddressSanitizerModule::GetAsanVersion(const Module &M) const { 2275 int LongSize = M.getDataLayout().getPointerSizeInBits(); 2276 bool isAndroid = Triple(M.getTargetTriple()).isAndroid(); 2277 int Version = 8; 2278 // 32-bit Android is one version ahead because of the switch to dynamic 2279 // shadow. 2280 Version += (LongSize == 32 && isAndroid); 2281 return Version; 2282 } 2283 2284 bool AddressSanitizerModule::runOnModule(Module &M) { 2285 C = &(M.getContext()); 2286 int LongSize = M.getDataLayout().getPointerSizeInBits(); 2287 IntptrTy = Type::getIntNTy(*C, LongSize); 2288 TargetTriple = Triple(M.getTargetTriple()); 2289 Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel); 2290 initializeCallbacks(M); 2291 2292 if (CompileKernel) 2293 return false; 2294 2295 // Create a module constructor. A destructor is created lazily because not all 2296 // platforms, and not all modules need it. 2297 std::string VersionCheckName = 2298 kAsanVersionCheckNamePrefix + std::to_string(GetAsanVersion(M)); 2299 std::tie(AsanCtorFunction, std::ignore) = createSanitizerCtorAndInitFunctions( 2300 M, kAsanModuleCtorName, kAsanInitName, /*InitArgTypes=*/{}, 2301 /*InitArgs=*/{}, VersionCheckName); 2302 2303 bool CtorComdat = true; 2304 bool Changed = false; 2305 // TODO(glider): temporarily disabled globals instrumentation for KASan. 2306 if (ClGlobals) { 2307 IRBuilder<> IRB(AsanCtorFunction->getEntryBlock().getTerminator()); 2308 Changed |= InstrumentGlobals(IRB, M, &CtorComdat); 2309 } 2310 2311 // Put the constructor and destructor in comdat if both 2312 // (1) global instrumentation is not TU-specific 2313 // (2) target is ELF. 2314 if (UseCtorComdat && TargetTriple.isOSBinFormatELF() && CtorComdat) { 2315 AsanCtorFunction->setComdat(M.getOrInsertComdat(kAsanModuleCtorName)); 2316 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndDtorPriority, 2317 AsanCtorFunction); 2318 if (AsanDtorFunction) { 2319 AsanDtorFunction->setComdat(M.getOrInsertComdat(kAsanModuleDtorName)); 2320 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndDtorPriority, 2321 AsanDtorFunction); 2322 } 2323 } else { 2324 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndDtorPriority); 2325 if (AsanDtorFunction) 2326 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndDtorPriority); 2327 } 2328 2329 return Changed; 2330 } 2331 2332 void AddressSanitizer::initializeCallbacks(Module &M) { 2333 IRBuilder<> IRB(*C); 2334 // Create __asan_report* callbacks. 2335 // IsWrite, TypeSize and Exp are encoded in the function name. 2336 for (int Exp = 0; Exp < 2; Exp++) { 2337 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 2338 const std::string TypeStr = AccessIsWrite ? "store" : "load"; 2339 const std::string ExpStr = Exp ? 
"exp_" : ""; 2340 const std::string EndingStr = Recover ? "_noabort" : ""; 2341 2342 SmallVector<Type *, 3> Args2 = {IntptrTy, IntptrTy}; 2343 SmallVector<Type *, 2> Args1{1, IntptrTy}; 2344 if (Exp) { 2345 Type *ExpType = Type::getInt32Ty(*C); 2346 Args2.push_back(ExpType); 2347 Args1.push_back(ExpType); 2348 } 2349 AsanErrorCallbackSized[AccessIsWrite][Exp] = 2350 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2351 kAsanReportErrorTemplate + ExpStr + TypeStr + "_n" + EndingStr, 2352 FunctionType::get(IRB.getVoidTy(), Args2, false))); 2353 2354 AsanMemoryAccessCallbackSized[AccessIsWrite][Exp] = 2355 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2356 ClMemoryAccessCallbackPrefix + ExpStr + TypeStr + "N" + EndingStr, 2357 FunctionType::get(IRB.getVoidTy(), Args2, false))); 2358 2359 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 2360 AccessSizeIndex++) { 2361 const std::string Suffix = TypeStr + itostr(1ULL << AccessSizeIndex); 2362 AsanErrorCallback[AccessIsWrite][Exp][AccessSizeIndex] = 2363 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2364 kAsanReportErrorTemplate + ExpStr + Suffix + EndingStr, 2365 FunctionType::get(IRB.getVoidTy(), Args1, false))); 2366 2367 AsanMemoryAccessCallback[AccessIsWrite][Exp][AccessSizeIndex] = 2368 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2369 ClMemoryAccessCallbackPrefix + ExpStr + Suffix + EndingStr, 2370 FunctionType::get(IRB.getVoidTy(), Args1, false))); 2371 } 2372 } 2373 } 2374 2375 const std::string MemIntrinCallbackPrefix = 2376 CompileKernel ? std::string("") : ClMemoryAccessCallbackPrefix; 2377 AsanMemmove = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2378 MemIntrinCallbackPrefix + "memmove", IRB.getInt8PtrTy(), 2379 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IntptrTy)); 2380 AsanMemcpy = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2381 MemIntrinCallbackPrefix + "memcpy", IRB.getInt8PtrTy(), 2382 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IntptrTy)); 2383 AsanMemset = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2384 MemIntrinCallbackPrefix + "memset", IRB.getInt8PtrTy(), 2385 IRB.getInt8PtrTy(), IRB.getInt32Ty(), IntptrTy)); 2386 2387 AsanHandleNoReturnFunc = checkSanitizerInterfaceFunction( 2388 M.getOrInsertFunction(kAsanHandleNoReturnName, IRB.getVoidTy())); 2389 2390 AsanPtrCmpFunction = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2391 kAsanPtrCmp, IRB.getVoidTy(), IntptrTy, IntptrTy)); 2392 AsanPtrSubFunction = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2393 kAsanPtrSub, IRB.getVoidTy(), IntptrTy, IntptrTy)); 2394 // We insert an empty inline asm after __asan_report* to avoid callback merge. 2395 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 2396 StringRef(""), StringRef(""), 2397 /*hasSideEffects=*/true); 2398 if (Mapping.InGlobal) 2399 AsanShadowGlobal = M.getOrInsertGlobal("__asan_shadow", 2400 ArrayType::get(IRB.getInt8Ty(), 0)); 2401 } 2402 2403 // virtual 2404 bool AddressSanitizer::doInitialization(Module &M) { 2405 // Initialize the private fields. No one has accessed them before. 
2406 GlobalsMD.init(M); 2407 2408 C = &(M.getContext()); 2409 LongSize = M.getDataLayout().getPointerSizeInBits(); 2410 IntptrTy = Type::getIntNTy(*C, LongSize); 2411 TargetTriple = Triple(M.getTargetTriple()); 2412 2413 Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel); 2414 return true; 2415 } 2416 2417 bool AddressSanitizer::doFinalization(Module &M) { 2418 GlobalsMD.reset(); 2419 return false; 2420 } 2421 2422 bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 2423 // For each NSObject descendant having a +load method, this method is invoked 2424 // by the ObjC runtime before any of the static constructors is called. 2425 // Therefore we need to instrument such methods with a call to __asan_init 2426 // at the beginning in order to initialize our runtime before any access to 2427 // the shadow memory. 2428 // We cannot just ignore these methods, because they may call other 2429 // instrumented functions. 2430 if (F.getName().find(" load]") != std::string::npos) { 2431 Function *AsanInitFunction = 2432 declareSanitizerInitFunction(*F.getParent(), kAsanInitName, {}); 2433 IRBuilder<> IRB(&F.front(), F.front().begin()); 2434 IRB.CreateCall(AsanInitFunction, {}); 2435 return true; 2436 } 2437 return false; 2438 } 2439 2440 void AddressSanitizer::maybeInsertDynamicShadowAtFunctionEntry(Function &F) { 2441 // Generate code only when dynamic addressing is needed. 2442 if (Mapping.Offset != kDynamicShadowSentinel) 2443 return; 2444 2445 IRBuilder<> IRB(&F.front().front()); 2446 if (Mapping.InGlobal) { 2447 if (ClWithIfuncSuppressRemat) { 2448 // An empty inline asm with input reg == output reg. 2449 // An opaque pointer-to-int cast, basically. 2450 InlineAsm *Asm = InlineAsm::get( 2451 FunctionType::get(IntptrTy, {AsanShadowGlobal->getType()}, false), 2452 StringRef(""), StringRef("=r,0"), 2453 /*hasSideEffects=*/false); 2454 LocalDynamicShadow = 2455 IRB.CreateCall(Asm, {AsanShadowGlobal}, ".asan.shadow"); 2456 } else { 2457 LocalDynamicShadow = 2458 IRB.CreatePointerCast(AsanShadowGlobal, IntptrTy, ".asan.shadow"); 2459 } 2460 } else { 2461 Value *GlobalDynamicAddress = F.getParent()->getOrInsertGlobal( 2462 kAsanShadowMemoryDynamicAddress, IntptrTy); 2463 LocalDynamicShadow = IRB.CreateLoad(GlobalDynamicAddress); 2464 } 2465 } 2466 2467 void AddressSanitizer::markEscapedLocalAllocas(Function &F) { 2468 // Find the one possible call to llvm.localescape and pre-mark allocas passed 2469 // to it as uninteresting. This assumes we haven't started processing allocas 2470 // yet. This check is done up front because iterating the use list in 2471 // isInterestingAlloca would be algorithmically slower. 2472 assert(ProcessedAllocas.empty() && "must process localescape before allocas"); 2473 2474 // Try to get the declaration of llvm.localescape. If it's not in the module, 2475 // we can exit early. 2476 if (!F.getParent()->getFunction("llvm.localescape")) return; 2477 2478 // Look for a call to llvm.localescape call in the entry block. It can't be in 2479 // any other block. 2480 for (Instruction &I : F.getEntryBlock()) { 2481 IntrinsicInst *II = dyn_cast<IntrinsicInst>(&I); 2482 if (II && II->getIntrinsicID() == Intrinsic::localescape) { 2483 // We found a call. Mark all the allocas passed in as uninteresting. 
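// (Hedged illustration: a frontend lowering SEH typically emits one
//  entry-block call such as
//    call void (...) @llvm.localescape(i32* %x, i32* %y)
//  and every alloca forwarded to it must keep its fixed frame slot, so each
//  one is recorded as uninteresting here.)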
2484 for (Value *Arg : II->arg_operands()) { 2485 AllocaInst *AI = dyn_cast<AllocaInst>(Arg->stripPointerCasts()); 2486 assert(AI && AI->isStaticAlloca() && 2487 "non-static alloca arg to localescape"); 2488 ProcessedAllocas[AI] = false; 2489 } 2490 break; 2491 } 2492 } 2493 } 2494 2495 bool AddressSanitizer::runOnFunction(Function &F) { 2496 if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false; 2497 if (!ClDebugFunc.empty() && ClDebugFunc == F.getName()) return false; 2498 if (F.getName().startswith("__asan_")) return false; 2499 2500 bool FunctionModified = false; 2501 2502 // If needed, insert __asan_init before checking for SanitizeAddress attr. 2503 // This function needs to be called even if the function body is not 2504 // instrumented. 2505 if (maybeInsertAsanInitAtFunctionEntry(F)) 2506 FunctionModified = true; 2507 2508 // Leave if the function doesn't need instrumentation. 2509 if (!F.hasFnAttribute(Attribute::SanitizeAddress)) return FunctionModified; 2510 2511 LLVM_DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); 2512 2513 initializeCallbacks(*F.getParent()); 2514 DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree(); 2515 2516 FunctionStateRAII CleanupObj(this); 2517 2518 maybeInsertDynamicShadowAtFunctionEntry(F); 2519 2520 // We can't instrument allocas used with llvm.localescape. Only static allocas 2521 // can be passed to that intrinsic. 2522 markEscapedLocalAllocas(F); 2523 2524 // We want to instrument every address only once per basic block (unless there 2525 // are calls between uses). 2526 SmallPtrSet<Value *, 16> TempsToInstrument; 2527 SmallVector<Instruction *, 16> ToInstrument; 2528 SmallVector<Instruction *, 8> NoReturnCalls; 2529 SmallVector<BasicBlock *, 16> AllBlocks; 2530 SmallVector<Instruction *, 16> PointerComparisonsOrSubtracts; 2531 int NumAllocas = 0; 2532 bool IsWrite; 2533 unsigned Alignment; 2534 uint64_t TypeSize; 2535 const TargetLibraryInfo *TLI = 2536 &getAnalysis<TargetLibraryInfoWrapperPass>().getTLI(); 2537 2538 // Fill the set of memory operations to instrument. 2539 for (auto &BB : F) { 2540 AllBlocks.push_back(&BB); 2541 TempsToInstrument.clear(); 2542 int NumInsnsPerBB = 0; 2543 for (auto &Inst : BB) { 2544 if (LooksLikeCodeInBug11395(&Inst)) return false; 2545 Value *MaybeMask = nullptr; 2546 if (Value *Addr = isInterestingMemoryAccess(&Inst, &IsWrite, &TypeSize, 2547 &Alignment, &MaybeMask)) { 2548 if (ClOpt && ClOptSameTemp) { 2549 // If we have a mask, skip instrumentation if we've already 2550 // instrumented the full object. But don't add to TempsToInstrument 2551 // because we might get another load/store with a different mask. 2552 if (MaybeMask) { 2553 if (TempsToInstrument.count(Addr)) 2554 continue; // We've seen this (whole) temp in the current BB. 2555 } else { 2556 if (!TempsToInstrument.insert(Addr).second) 2557 continue; // We've seen this temp in the current BB. 2558 } 2559 } 2560 } else if (ClInvalidPointerPairs && 2561 isInterestingPointerComparisonOrSubtraction(&Inst)) { 2562 PointerComparisonsOrSubtracts.push_back(&Inst); 2563 continue; 2564 } else if (isa<MemIntrinsic>(Inst)) { 2565 // ok, take it. 2566 } else { 2567 if (isa<AllocaInst>(Inst)) NumAllocas++; 2568 CallSite CS(&Inst); 2569 if (CS) { 2570 // A call inside BB. 
2571 TempsToInstrument.clear(); 2572 if (CS.doesNotReturn()) NoReturnCalls.push_back(CS.getInstruction()); 2573 } 2574 if (CallInst *CI = dyn_cast<CallInst>(&Inst)) 2575 maybeMarkSanitizerLibraryCallNoBuiltin(CI, TLI); 2576 continue; 2577 } 2578 ToInstrument.push_back(&Inst); 2579 NumInsnsPerBB++; 2580 if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) break; 2581 } 2582 } 2583 2584 bool UseCalls = 2585 (ClInstrumentationWithCallsThreshold >= 0 && 2586 ToInstrument.size() > (unsigned)ClInstrumentationWithCallsThreshold); 2587 const DataLayout &DL = F.getParent()->getDataLayout(); 2588 ObjectSizeOpts ObjSizeOpts; 2589 ObjSizeOpts.RoundToAlign = true; 2590 ObjectSizeOffsetVisitor ObjSizeVis(DL, TLI, F.getContext(), ObjSizeOpts); 2591 2592 // Instrument. 2593 int NumInstrumented = 0; 2594 for (auto Inst : ToInstrument) { 2595 if (ClDebugMin < 0 || ClDebugMax < 0 || 2596 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 2597 if (isInterestingMemoryAccess(Inst, &IsWrite, &TypeSize, &Alignment)) 2598 instrumentMop(ObjSizeVis, Inst, UseCalls, 2599 F.getParent()->getDataLayout()); 2600 else 2601 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 2602 } 2603 NumInstrumented++; 2604 } 2605 2606 FunctionStackPoisoner FSP(F, *this); 2607 bool ChangedStack = FSP.runOnFunction(); 2608 2609 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 2610 // See e.g. https://github.com/google/sanitizers/issues/37 2611 for (auto CI : NoReturnCalls) { 2612 IRBuilder<> IRB(CI); 2613 IRB.CreateCall(AsanHandleNoReturnFunc, {}); 2614 } 2615 2616 for (auto Inst : PointerComparisonsOrSubtracts) { 2617 instrumentPointerComparisonOrSubtraction(Inst); 2618 NumInstrumented++; 2619 } 2620 2621 if (NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty()) 2622 FunctionModified = true; 2623 2624 LLVM_DEBUG(dbgs() << "ASAN done instrumenting: " << FunctionModified << " " 2625 << F << "\n"); 2626 2627 return FunctionModified; 2628 } 2629 2630 // Workaround for bug 11395: we don't want to instrument stack in functions 2631 // with large assembly blobs (32-bit only), otherwise reg alloc may crash. 2632 // FIXME: remove once the bug 11395 is fixed. 2633 bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 2634 if (LongSize != 32) return false; 2635 CallInst *CI = dyn_cast<CallInst>(I); 2636 if (!CI || !CI->isInlineAsm()) return false; 2637 if (CI->getNumArgOperands() <= 5) return false; 2638 // We have inline assembly with quite a few arguments. 
2639   return true;
2640 }
2641
2642 void FunctionStackPoisoner::initializeCallbacks(Module &M) {
2643   IRBuilder<> IRB(*C);
2644   for (int i = 0; i <= kMaxAsanStackMallocSizeClass; i++) {
2645     std::string Suffix = itostr(i);
2646     AsanStackMallocFunc[i] = checkSanitizerInterfaceFunction(
2647         M.getOrInsertFunction(kAsanStackMallocNameTemplate + Suffix, IntptrTy,
2648                               IntptrTy));
2649     AsanStackFreeFunc[i] = checkSanitizerInterfaceFunction(
2650         M.getOrInsertFunction(kAsanStackFreeNameTemplate + Suffix,
2651                               IRB.getVoidTy(), IntptrTy, IntptrTy));
2652   }
2653   if (ASan.UseAfterScope) {
2654     AsanPoisonStackMemoryFunc = checkSanitizerInterfaceFunction(
2655         M.getOrInsertFunction(kAsanPoisonStackMemoryName, IRB.getVoidTy(),
2656                               IntptrTy, IntptrTy));
2657     AsanUnpoisonStackMemoryFunc = checkSanitizerInterfaceFunction(
2658         M.getOrInsertFunction(kAsanUnpoisonStackMemoryName, IRB.getVoidTy(),
2659                               IntptrTy, IntptrTy));
2660   }
2661
2662   for (size_t Val : {0x00, 0xf1, 0xf2, 0xf3, 0xf5, 0xf8}) {
2663     std::ostringstream Name;
2664     Name << kAsanSetShadowPrefix;
2665     Name << std::setw(2) << std::setfill('0') << std::hex << Val;
2666     AsanSetShadowFunc[Val] =
2667         checkSanitizerInterfaceFunction(M.getOrInsertFunction(
2668             Name.str(), IRB.getVoidTy(), IntptrTy, IntptrTy));
2669   }
2670
2671   AsanAllocaPoisonFunc = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
2672       kAsanAllocaPoison, IRB.getVoidTy(), IntptrTy, IntptrTy));
2673   AsanAllocasUnpoisonFunc =
2674       checkSanitizerInterfaceFunction(M.getOrInsertFunction(
2675           kAsanAllocasUnpoison, IRB.getVoidTy(), IntptrTy, IntptrTy));
2676 }
2677
2678 void FunctionStackPoisoner::copyToShadowInline(ArrayRef<uint8_t> ShadowMask,
2679                                                ArrayRef<uint8_t> ShadowBytes,
2680                                                size_t Begin, size_t End,
2681                                                IRBuilder<> &IRB,
2682                                                Value *ShadowBase) {
2683   if (Begin >= End)
2684     return;
2685
2686   const size_t LargestStoreSizeInBytes =
2687       std::min<size_t>(sizeof(uint64_t), ASan.LongSize / 8);
2688
2689   const bool IsLittleEndian = F.getParent()->getDataLayout().isLittleEndian();
2690
2691   // Poison the given range in shadow using the largest store size, without
2692   // leading and trailing zeros in ShadowMask. Zeros never change, so they
2693   // need neither poisoning nor unpoisoning. Still, we don't mind if some of
2694   // them end up in the middle of a store.
2695   for (size_t i = Begin; i < End;) {
2696     if (!ShadowMask[i]) {
2697       assert(!ShadowBytes[i]);
2698       ++i;
2699       continue;
2700     }
2701
2702     size_t StoreSizeInBytes = LargestStoreSizeInBytes;
2703     // Fit store size into the range.
2704     while (StoreSizeInBytes > End - i)
2705       StoreSizeInBytes /= 2;
2706
2707     // Minimize store size by trimming trailing zeros.
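// (Illustration with made-up values: if the eight shadow bytes starting at
//  offset i are f1 f1 f1 f1 04 f2 f2 f3 and all are covered by ShadowMask, a
//  single 8-byte store is emitted; on a little-endian target the packing loop
//  a few lines below produces the constant 0xf3f2f204f1f1f1f1, with the lowest
//  shadow offset in the least significant byte.)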
2708 for (size_t j = StoreSizeInBytes - 1; j && !ShadowMask[i + j]; --j) { 2709 while (j <= StoreSizeInBytes / 2) 2710 StoreSizeInBytes /= 2; 2711 } 2712 2713 uint64_t Val = 0; 2714 for (size_t j = 0; j < StoreSizeInBytes; j++) { 2715 if (IsLittleEndian) 2716 Val |= (uint64_t)ShadowBytes[i + j] << (8 * j); 2717 else 2718 Val = (Val << 8) | ShadowBytes[i + j]; 2719 } 2720 2721 Value *Ptr = IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)); 2722 Value *Poison = IRB.getIntN(StoreSizeInBytes * 8, Val); 2723 IRB.CreateAlignedStore( 2724 Poison, IRB.CreateIntToPtr(Ptr, Poison->getType()->getPointerTo()), 1); 2725 2726 i += StoreSizeInBytes; 2727 } 2728 } 2729 2730 void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask, 2731 ArrayRef<uint8_t> ShadowBytes, 2732 IRBuilder<> &IRB, Value *ShadowBase) { 2733 copyToShadow(ShadowMask, ShadowBytes, 0, ShadowMask.size(), IRB, ShadowBase); 2734 } 2735 2736 void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask, 2737 ArrayRef<uint8_t> ShadowBytes, 2738 size_t Begin, size_t End, 2739 IRBuilder<> &IRB, Value *ShadowBase) { 2740 assert(ShadowMask.size() == ShadowBytes.size()); 2741 size_t Done = Begin; 2742 for (size_t i = Begin, j = Begin + 1; i < End; i = j++) { 2743 if (!ShadowMask[i]) { 2744 assert(!ShadowBytes[i]); 2745 continue; 2746 } 2747 uint8_t Val = ShadowBytes[i]; 2748 if (!AsanSetShadowFunc[Val]) 2749 continue; 2750 2751 // Skip same values. 2752 for (; j < End && ShadowMask[j] && Val == ShadowBytes[j]; ++j) { 2753 } 2754 2755 if (j - i >= ClMaxInlinePoisoningSize) { 2756 copyToShadowInline(ShadowMask, ShadowBytes, Done, i, IRB, ShadowBase); 2757 IRB.CreateCall(AsanSetShadowFunc[Val], 2758 {IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)), 2759 ConstantInt::get(IntptrTy, j - i)}); 2760 Done = j; 2761 } 2762 } 2763 2764 copyToShadowInline(ShadowMask, ShadowBytes, Done, End, IRB, ShadowBase); 2765 } 2766 2767 // Fake stack allocator (asan_fake_stack.h) has 11 size classes 2768 // for every power of 2 from kMinStackMallocSize to kMaxAsanStackMallocSizeClass 2769 static int StackMallocSizeClass(uint64_t LocalStackSize) { 2770 assert(LocalStackSize <= kMaxStackMallocSize); 2771 uint64_t MaxSize = kMinStackMallocSize; 2772 for (int i = 0;; i++, MaxSize *= 2) 2773 if (LocalStackSize <= MaxSize) return i; 2774 llvm_unreachable("impossible LocalStackSize"); 2775 } 2776 2777 void FunctionStackPoisoner::copyArgsPassedByValToAllocas() { 2778 Instruction *CopyInsertPoint = &F.front().front(); 2779 if (CopyInsertPoint == ASan.LocalDynamicShadow) { 2780 // Insert after the dynamic shadow location is determined 2781 CopyInsertPoint = CopyInsertPoint->getNextNode(); 2782 assert(CopyInsertPoint); 2783 } 2784 IRBuilder<> IRB(CopyInsertPoint); 2785 const DataLayout &DL = F.getParent()->getDataLayout(); 2786 for (Argument &Arg : F.args()) { 2787 if (Arg.hasByValAttr()) { 2788 Type *Ty = Arg.getType()->getPointerElementType(); 2789 unsigned Align = Arg.getParamAlignment(); 2790 if (Align == 0) Align = DL.getABITypeAlignment(Ty); 2791 2792 AllocaInst *AI = IRB.CreateAlloca( 2793 Ty, nullptr, 2794 (Arg.hasName() ? 
Arg.getName() : "Arg" + Twine(Arg.getArgNo())) + 2795 ".byval"); 2796 AI->setAlignment(Align); 2797 Arg.replaceAllUsesWith(AI); 2798 2799 uint64_t AllocSize = DL.getTypeAllocSize(Ty); 2800 IRB.CreateMemCpy(AI, Align, &Arg, Align, AllocSize); 2801 } 2802 } 2803 } 2804 2805 PHINode *FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value *Cond, 2806 Value *ValueIfTrue, 2807 Instruction *ThenTerm, 2808 Value *ValueIfFalse) { 2809 PHINode *PHI = IRB.CreatePHI(IntptrTy, 2); 2810 BasicBlock *CondBlock = cast<Instruction>(Cond)->getParent(); 2811 PHI->addIncoming(ValueIfFalse, CondBlock); 2812 BasicBlock *ThenBlock = ThenTerm->getParent(); 2813 PHI->addIncoming(ValueIfTrue, ThenBlock); 2814 return PHI; 2815 } 2816 2817 Value *FunctionStackPoisoner::createAllocaForLayout( 2818 IRBuilder<> &IRB, const ASanStackFrameLayout &L, bool Dynamic) { 2819 AllocaInst *Alloca; 2820 if (Dynamic) { 2821 Alloca = IRB.CreateAlloca(IRB.getInt8Ty(), 2822 ConstantInt::get(IRB.getInt64Ty(), L.FrameSize), 2823 "MyAlloca"); 2824 } else { 2825 Alloca = IRB.CreateAlloca(ArrayType::get(IRB.getInt8Ty(), L.FrameSize), 2826 nullptr, "MyAlloca"); 2827 assert(Alloca->isStaticAlloca()); 2828 } 2829 assert((ClRealignStack & (ClRealignStack - 1)) == 0); 2830 size_t FrameAlignment = std::max(L.FrameAlignment, (size_t)ClRealignStack); 2831 Alloca->setAlignment(FrameAlignment); 2832 return IRB.CreatePointerCast(Alloca, IntptrTy); 2833 } 2834 2835 void FunctionStackPoisoner::createDynamicAllocasInitStorage() { 2836 BasicBlock &FirstBB = *F.begin(); 2837 IRBuilder<> IRB(dyn_cast<Instruction>(FirstBB.begin())); 2838 DynamicAllocaLayout = IRB.CreateAlloca(IntptrTy, nullptr); 2839 IRB.CreateStore(Constant::getNullValue(IntptrTy), DynamicAllocaLayout); 2840 DynamicAllocaLayout->setAlignment(32); 2841 } 2842 2843 void FunctionStackPoisoner::processDynamicAllocas() { 2844 if (!ClInstrumentDynamicAllocas || DynamicAllocaVec.empty()) { 2845 assert(DynamicAllocaPoisonCallVec.empty()); 2846 return; 2847 } 2848 2849 // Insert poison calls for lifetime intrinsics for dynamic allocas. 2850 for (const auto &APC : DynamicAllocaPoisonCallVec) { 2851 assert(APC.InsBefore); 2852 assert(APC.AI); 2853 assert(ASan.isInterestingAlloca(*APC.AI)); 2854 assert(!APC.AI->isStaticAlloca()); 2855 2856 IRBuilder<> IRB(APC.InsBefore); 2857 poisonAlloca(APC.AI, APC.Size, IRB, APC.DoPoison); 2858 // Dynamic allocas will be unpoisoned unconditionally below in 2859 // unpoisonDynamicAllocas. 2860 // Flag that we need unpoison static allocas. 2861 } 2862 2863 // Handle dynamic allocas. 2864 createDynamicAllocasInitStorage(); 2865 for (auto &AI : DynamicAllocaVec) 2866 handleDynamicAllocaCall(AI); 2867 unpoisonDynamicAllocas(); 2868 } 2869 2870 void FunctionStackPoisoner::processStaticAllocas() { 2871 if (AllocaVec.empty()) { 2872 assert(StaticAllocaPoisonCallVec.empty()); 2873 return; 2874 } 2875 2876 int StackMallocIdx = -1; 2877 DebugLoc EntryDebugLocation; 2878 if (auto SP = F.getSubprogram()) 2879 EntryDebugLocation = DebugLoc::get(SP->getScopeLine(), 0, SP); 2880 2881 Instruction *InsBefore = AllocaVec[0]; 2882 IRBuilder<> IRB(InsBefore); 2883 IRB.SetCurrentDebugLocation(EntryDebugLocation); 2884 2885 // Make sure non-instrumented allocas stay in the entry block. Otherwise, 2886 // debug info is broken, because only entry-block allocas are treated as 2887 // regular stack slots. 
2888 auto InsBeforeB = InsBefore->getParent(); 2889 assert(InsBeforeB == &F.getEntryBlock()); 2890 for (auto *AI : StaticAllocasToMoveUp) 2891 if (AI->getParent() == InsBeforeB) 2892 AI->moveBefore(InsBefore); 2893 2894 // If we have a call to llvm.localescape, keep it in the entry block. 2895 if (LocalEscapeCall) LocalEscapeCall->moveBefore(InsBefore); 2896 2897 SmallVector<ASanStackVariableDescription, 16> SVD; 2898 SVD.reserve(AllocaVec.size()); 2899 for (AllocaInst *AI : AllocaVec) { 2900 ASanStackVariableDescription D = {AI->getName().data(), 2901 ASan.getAllocaSizeInBytes(*AI), 2902 0, 2903 AI->getAlignment(), 2904 AI, 2905 0, 2906 0}; 2907 SVD.push_back(D); 2908 } 2909 2910 // Minimal header size (left redzone) is 4 pointers, 2911 // i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms. 2912 size_t Granularity = 1ULL << Mapping.Scale; 2913 size_t MinHeaderSize = std::max((size_t)ASan.LongSize / 2, Granularity); 2914 const ASanStackFrameLayout &L = 2915 ComputeASanStackFrameLayout(SVD, Granularity, MinHeaderSize); 2916 2917 // Build AllocaToSVDMap for ASanStackVariableDescription lookup. 2918 DenseMap<const AllocaInst *, ASanStackVariableDescription *> AllocaToSVDMap; 2919 for (auto &Desc : SVD) 2920 AllocaToSVDMap[Desc.AI] = &Desc; 2921 2922 // Update SVD with information from lifetime intrinsics. 2923 for (const auto &APC : StaticAllocaPoisonCallVec) { 2924 assert(APC.InsBefore); 2925 assert(APC.AI); 2926 assert(ASan.isInterestingAlloca(*APC.AI)); 2927 assert(APC.AI->isStaticAlloca()); 2928 2929 ASanStackVariableDescription &Desc = *AllocaToSVDMap[APC.AI]; 2930 Desc.LifetimeSize = Desc.Size; 2931 if (const DILocation *FnLoc = EntryDebugLocation.get()) { 2932 if (const DILocation *LifetimeLoc = APC.InsBefore->getDebugLoc().get()) { 2933 if (LifetimeLoc->getFile() == FnLoc->getFile()) 2934 if (unsigned Line = LifetimeLoc->getLine()) 2935 Desc.Line = std::min(Desc.Line ? Desc.Line : Line, Line); 2936 } 2937 } 2938 } 2939 2940 auto DescriptionString = ComputeASanStackFrameDescription(SVD); 2941 LLVM_DEBUG(dbgs() << DescriptionString << " --- " << L.FrameSize << "\n"); 2942 uint64_t LocalStackSize = L.FrameSize; 2943 bool DoStackMalloc = ClUseAfterReturn && !ASan.CompileKernel && 2944 LocalStackSize <= kMaxStackMallocSize; 2945 bool DoDynamicAlloca = ClDynamicAllocaStack; 2946 // Don't do dynamic alloca or stack malloc if: 2947 // 1) There is inline asm: too often it makes assumptions on which registers 2948 // are available. 2949 // 2) There is a returns_twice call (typically setjmp), which is 2950 // optimization-hostile, and doesn't play well with introduced indirect 2951 // register-relative calculation of local variable addresses. 2952 DoDynamicAlloca &= !HasNonEmptyInlineAsm && !HasReturnsTwiceCall; 2953 DoStackMalloc &= !HasNonEmptyInlineAsm && !HasReturnsTwiceCall; 2954 2955 Value *StaticAlloca = 2956 DoDynamicAlloca ? nullptr : createAllocaForLayout(IRB, L, false); 2957 2958 Value *FakeStack; 2959 Value *LocalStackBase; 2960 Value *LocalStackBaseAlloca; 2961 bool Deref; 2962 2963 if (DoStackMalloc) { 2964 LocalStackBaseAlloca = 2965 IRB.CreateAlloca(IntptrTy, nullptr, "asan_local_stack_base"); 2966 // void *FakeStack = __asan_option_detect_stack_use_after_return 2967 // ? __asan_stack_malloc_N(LocalStackSize) 2968 // : nullptr; 2969 // void *LocalStackBase = (FakeStack) ? 
FakeStack : alloca(LocalStackSize); 2970 Constant *OptionDetectUseAfterReturn = F.getParent()->getOrInsertGlobal( 2971 kAsanOptionDetectUseAfterReturn, IRB.getInt32Ty()); 2972 Value *UseAfterReturnIsEnabled = 2973 IRB.CreateICmpNE(IRB.CreateLoad(OptionDetectUseAfterReturn), 2974 Constant::getNullValue(IRB.getInt32Ty())); 2975 Instruction *Term = 2976 SplitBlockAndInsertIfThen(UseAfterReturnIsEnabled, InsBefore, false); 2977 IRBuilder<> IRBIf(Term); 2978 IRBIf.SetCurrentDebugLocation(EntryDebugLocation); 2979 StackMallocIdx = StackMallocSizeClass(LocalStackSize); 2980 assert(StackMallocIdx <= kMaxAsanStackMallocSizeClass); 2981 Value *FakeStackValue = 2982 IRBIf.CreateCall(AsanStackMallocFunc[StackMallocIdx], 2983 ConstantInt::get(IntptrTy, LocalStackSize)); 2984 IRB.SetInsertPoint(InsBefore); 2985 IRB.SetCurrentDebugLocation(EntryDebugLocation); 2986 FakeStack = createPHI(IRB, UseAfterReturnIsEnabled, FakeStackValue, Term, 2987 ConstantInt::get(IntptrTy, 0)); 2988 2989 Value *NoFakeStack = 2990 IRB.CreateICmpEQ(FakeStack, Constant::getNullValue(IntptrTy)); 2991 Term = SplitBlockAndInsertIfThen(NoFakeStack, InsBefore, false); 2992 IRBIf.SetInsertPoint(Term); 2993 IRBIf.SetCurrentDebugLocation(EntryDebugLocation); 2994 Value *AllocaValue = 2995 DoDynamicAlloca ? createAllocaForLayout(IRBIf, L, true) : StaticAlloca; 2996 2997 IRB.SetInsertPoint(InsBefore); 2998 IRB.SetCurrentDebugLocation(EntryDebugLocation); 2999 LocalStackBase = createPHI(IRB, NoFakeStack, AllocaValue, Term, FakeStack); 3000 IRB.SetCurrentDebugLocation(EntryDebugLocation); 3001 IRB.CreateStore(LocalStackBase, LocalStackBaseAlloca); 3002 Deref = true; 3003 } else { 3004 // void *FakeStack = nullptr; 3005 // void *LocalStackBase = alloca(LocalStackSize); 3006 FakeStack = ConstantInt::get(IntptrTy, 0); 3007 LocalStackBase = 3008 DoDynamicAlloca ? createAllocaForLayout(IRB, L, true) : StaticAlloca; 3009 LocalStackBaseAlloca = LocalStackBase; 3010 Deref = false; 3011 } 3012 3013 // Replace Alloca instructions with base+offset. 3014 for (const auto &Desc : SVD) { 3015 AllocaInst *AI = Desc.AI; 3016 replaceDbgDeclareForAlloca(AI, LocalStackBaseAlloca, DIB, Deref, 3017 Desc.Offset, DIExpression::NoDeref); 3018 Value *NewAllocaPtr = IRB.CreateIntToPtr( 3019 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Desc.Offset)), 3020 AI->getType()); 3021 AI->replaceAllUsesWith(NewAllocaPtr); 3022 } 3023 3024 // The left-most redzone has enough space for at least 4 pointers. 3025 // Write the Magic value to redzone[0]. 3026 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 3027 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 3028 BasePlus0); 3029 // Write the frame description constant to redzone[1]. 3030 Value *BasePlus1 = IRB.CreateIntToPtr( 3031 IRB.CreateAdd(LocalStackBase, 3032 ConstantInt::get(IntptrTy, ASan.LongSize / 8)), 3033 IntptrPtrTy); 3034 GlobalVariable *StackDescriptionGlobal = 3035 createPrivateGlobalForString(*F.getParent(), DescriptionString, 3036 /*AllowMerging*/ true, kAsanGenPrefix); 3037 Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, IntptrTy); 3038 IRB.CreateStore(Description, BasePlus1); 3039 // Write the PC to redzone[2]. 
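  // Taken together, the three header stores here (magic value, description
  // pointer, PC) lay out the start of the frame roughly as follows, assuming
  // a 64-bit target where each slot is ASan.LongSize / 8 == 8 bytes:
  //   LocalStackBase + 0:  kCurrentStackFrameMagic
  //   LocalStackBase + 8:  pointer to the frame description string
  //   LocalStackBase + 16: PC of the function owning the frame (&F)
  // The remainder of the left redzone, the described variables, and their
  // redzones follow, as laid out by ComputeASanStackFrameLayout.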
  Value *BasePlus2 = IRB.CreateIntToPtr(
      IRB.CreateAdd(LocalStackBase,
                    ConstantInt::get(IntptrTy, 2 * ASan.LongSize / 8)),
      IntptrPtrTy);
  IRB.CreateStore(IRB.CreatePointerCast(&F, IntptrTy), BasePlus2);

  const auto &ShadowAfterScope = GetShadowBytesAfterScope(SVD, L);

  // Poison the stack red zones at the entry.
  Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB);
  // As the mask we must use the most poisoned case: red zones plus bytes that
  // are out of scope. As the bytes we can use either the same array or just
  // the red zones.
  copyToShadow(ShadowAfterScope, ShadowAfterScope, IRB, ShadowBase);

  if (!StaticAllocaPoisonCallVec.empty()) {
    const auto &ShadowInScope = GetShadowBytes(SVD, L);

    // Poison static allocas near lifetime intrinsics.
    for (const auto &APC : StaticAllocaPoisonCallVec) {
      const ASanStackVariableDescription &Desc = *AllocaToSVDMap[APC.AI];
      assert(Desc.Offset % L.Granularity == 0);
      size_t Begin = Desc.Offset / L.Granularity;
      size_t End = Begin + (APC.Size + L.Granularity - 1) / L.Granularity;

      IRBuilder<> IRB(APC.InsBefore);
      copyToShadow(ShadowAfterScope,
                   APC.DoPoison ? ShadowAfterScope : ShadowInScope, Begin, End,
                   IRB, ShadowBase);
    }
  }

  SmallVector<uint8_t, 64> ShadowClean(ShadowAfterScope.size(), 0);
  SmallVector<uint8_t, 64> ShadowAfterReturn;

  // (Un)poison the stack before all ret instructions.
  for (auto Ret : RetVec) {
    IRBuilder<> IRBRet(Ret);
    // Mark the current frame as retired.
    IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic),
                       BasePlus0);
    if (DoStackMalloc) {
      assert(StackMallocIdx >= 0);
      // if FakeStack != 0  // LocalStackBase == FakeStack
      //     // In use-after-return mode, poison the whole stack frame.
      //     if StackMallocIdx <= 4
      //         // For small sizes inline the whole thing:
      //         memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
      //         **SavedFlagPtr(FakeStack) = 0
      //     else
      //         __asan_stack_free_N(FakeStack, LocalStackSize)
      // else
      //     <This is not a fake stack; unpoison the redzones>
      Value *Cmp =
          IRBRet.CreateICmpNE(FakeStack, Constant::getNullValue(IntptrTy));
      Instruction *ThenTerm, *ElseTerm;
      SplitBlockAndInsertIfThenElse(Cmp, Ret, &ThenTerm, &ElseTerm);

      IRBuilder<> IRBPoison(ThenTerm);
      if (StackMallocIdx <= 4) {
        int ClassSize = kMinStackMallocSize << StackMallocIdx;
        ShadowAfterReturn.resize(ClassSize / L.Granularity,
                                 kAsanStackUseAfterReturnMagic);
        copyToShadow(ShadowAfterReturn, ShadowAfterReturn, IRBPoison,
                     ShadowBase);
        Value *SavedFlagPtrPtr = IRBPoison.CreateAdd(
            FakeStack,
            ConstantInt::get(IntptrTy, ClassSize - ASan.LongSize / 8));
        Value *SavedFlagPtr = IRBPoison.CreateLoad(
            IRBPoison.CreateIntToPtr(SavedFlagPtrPtr, IntptrPtrTy));
        IRBPoison.CreateStore(
            Constant::getNullValue(IRBPoison.getInt8Ty()),
            IRBPoison.CreateIntToPtr(SavedFlagPtr, IRBPoison.getInt8PtrTy()));
      } else {
        // For larger frames call __asan_stack_free_*.
        IRBPoison.CreateCall(
            AsanStackFreeFunc[StackMallocIdx],
            {FakeStack, ConstantInt::get(IntptrTy, LocalStackSize)});
      }

      IRBuilder<> IRBElse(ElseTerm);
      copyToShadow(ShadowAfterScope, ShadowClean, IRBElse, ShadowBase);
    } else {
      copyToShadow(ShadowAfterScope, ShadowClean, IRBRet, ShadowBase);
    }
  }

  // We are done.
Remove the old unused alloca instructions. 3127 for (auto AI : AllocaVec) AI->eraseFromParent(); 3128 } 3129 3130 void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size, 3131 IRBuilder<> &IRB, bool DoPoison) { 3132 // For now just insert the call to ASan runtime. 3133 Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy); 3134 Value *SizeArg = ConstantInt::get(IntptrTy, Size); 3135 IRB.CreateCall( 3136 DoPoison ? AsanPoisonStackMemoryFunc : AsanUnpoisonStackMemoryFunc, 3137 {AddrArg, SizeArg}); 3138 } 3139 3140 // Handling llvm.lifetime intrinsics for a given %alloca: 3141 // (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca. 3142 // (2) if %size is constant, poison memory for llvm.lifetime.end (to detect 3143 // invalid accesses) and unpoison it for llvm.lifetime.start (the memory 3144 // could be poisoned by previous llvm.lifetime.end instruction, as the 3145 // variable may go in and out of scope several times, e.g. in loops). 3146 // (3) if we poisoned at least one %alloca in a function, 3147 // unpoison the whole stack frame at function exit. 3148 3149 AllocaInst *FunctionStackPoisoner::findAllocaForValue(Value *V) { 3150 if (AllocaInst *AI = dyn_cast<AllocaInst>(V)) 3151 // We're interested only in allocas we can handle. 3152 return ASan.isInterestingAlloca(*AI) ? AI : nullptr; 3153 // See if we've already calculated (or started to calculate) alloca for a 3154 // given value. 3155 AllocaForValueMapTy::iterator I = AllocaForValue.find(V); 3156 if (I != AllocaForValue.end()) return I->second; 3157 // Store 0 while we're calculating alloca for value V to avoid 3158 // infinite recursion if the value references itself. 3159 AllocaForValue[V] = nullptr; 3160 AllocaInst *Res = nullptr; 3161 if (CastInst *CI = dyn_cast<CastInst>(V)) 3162 Res = findAllocaForValue(CI->getOperand(0)); 3163 else if (PHINode *PN = dyn_cast<PHINode>(V)) { 3164 for (Value *IncValue : PN->incoming_values()) { 3165 // Allow self-referencing phi-nodes. 3166 if (IncValue == PN) continue; 3167 AllocaInst *IncValueAI = findAllocaForValue(IncValue); 3168 // AI for incoming values should exist and should all be equal. 3169 if (IncValueAI == nullptr || (Res != nullptr && IncValueAI != Res)) 3170 return nullptr; 3171 Res = IncValueAI; 3172 } 3173 } else if (GetElementPtrInst *EP = dyn_cast<GetElementPtrInst>(V)) { 3174 Res = findAllocaForValue(EP->getPointerOperand()); 3175 } else { 3176 LLVM_DEBUG(dbgs() << "Alloca search canceled on unknown instruction: " << *V 3177 << "\n"); 3178 } 3179 if (Res) AllocaForValue[V] = Res; 3180 return Res; 3181 } 3182 3183 void FunctionStackPoisoner::handleDynamicAllocaCall(AllocaInst *AI) { 3184 IRBuilder<> IRB(AI); 3185 3186 const unsigned Align = std::max(kAllocaRzSize, AI->getAlignment()); 3187 const uint64_t AllocaRedzoneMask = kAllocaRzSize - 1; 3188 3189 Value *Zero = Constant::getNullValue(IntptrTy); 3190 Value *AllocaRzSize = ConstantInt::get(IntptrTy, kAllocaRzSize); 3191 Value *AllocaRzMask = ConstantInt::get(IntptrTy, AllocaRedzoneMask); 3192 3193 // Since we need to extend alloca with additional memory to locate 3194 // redzones, and OldSize is number of allocated blocks with 3195 // ElementSize size, get allocated memory size in bytes by 3196 // OldSize * ElementSize. 
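  // A worked example of the sizing computed below, assuming kAllocaRzSize ==
  // 32 (the "% 32" in the comments below reflects that) and the minimum
  // Align of 32: for OldSize == 100 bytes, PartialSize == 100 % 32 == 4,
  // Misalign == 28, and PartialPadding == 28, so NewSize == 100 + (32 + 28 +
  // 32) == 192. That is a 32-byte left redzone, the 100 requested bytes, 28
  // bytes of padding completing the partial redzone, and a 32-byte right
  // redzone.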
  const unsigned ElementSize =
      F.getParent()->getDataLayout().getTypeAllocSize(AI->getAllocatedType());
  Value *OldSize =
      IRB.CreateMul(IRB.CreateIntCast(AI->getArraySize(), IntptrTy, false),
                    ConstantInt::get(IntptrTy, ElementSize));

  // PartialSize = OldSize % 32
  Value *PartialSize = IRB.CreateAnd(OldSize, AllocaRzMask);

  // Misalign = kAllocaRzSize - PartialSize;
  Value *Misalign = IRB.CreateSub(AllocaRzSize, PartialSize);

  // PartialPadding = Misalign != kAllocaRzSize ? Misalign : 0;
  Value *Cond = IRB.CreateICmpNE(Misalign, AllocaRzSize);
  Value *PartialPadding = IRB.CreateSelect(Cond, Misalign, Zero);

  // AdditionalChunkSize = Align + PartialPadding + kAllocaRzSize
  // Align is added to locate the left redzone, PartialPadding for a possible
  // partial redzone, and kAllocaRzSize for the right redzone.
  Value *AdditionalChunkSize = IRB.CreateAdd(
      ConstantInt::get(IntptrTy, Align + kAllocaRzSize), PartialPadding);

  Value *NewSize = IRB.CreateAdd(OldSize, AdditionalChunkSize);

  // Insert a new alloca with the computed NewSize and Align parameters.
  AllocaInst *NewAlloca = IRB.CreateAlloca(IRB.getInt8Ty(), NewSize);
  NewAlloca->setAlignment(Align);

  // NewAddress = Address + Align
  Value *NewAddress = IRB.CreateAdd(IRB.CreatePtrToInt(NewAlloca, IntptrTy),
                                    ConstantInt::get(IntptrTy, Align));

  // Insert an __asan_alloca_poison call for the newly created alloca.
  IRB.CreateCall(AsanAllocaPoisonFunc, {NewAddress, OldSize});

  // Store the last alloca's address in DynamicAllocaLayout. We'll need it
  // later for unpoisoning in unpoisonDynamicAllocas.
  IRB.CreateStore(IRB.CreatePtrToInt(NewAlloca, IntptrTy), DynamicAllocaLayout);

  Value *NewAddressPtr = IRB.CreateIntToPtr(NewAddress, AI->getType());

  // Replace all uses of AddressReturnedByAlloca with NewAddressPtr.
  AI->replaceAllUsesWith(NewAddressPtr);

  // We are done. Erase the old alloca from its parent.
  AI->eraseFromParent();
}

// isSafeAccess returns true if Addr is always inbounds with respect to its
// base object. For example, it is a field access or an array access with
// constant inbounds index.
bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis,
                                    Value *Addr, uint64_t TypeSize) const {
  SizeOffsetType SizeOffset = ObjSizeVis.compute(Addr);
  if (!ObjSizeVis.bothKnown(SizeOffset)) return false;
  uint64_t Size = SizeOffset.first.getZExtValue();
  int64_t Offset = SizeOffset.second.getSExtValue();
  // Three checks are required to ensure safety:
  // . Offset >= 0  (since the offset is given from the base ptr)
  // . Size >= Offset  (unsigned)
  // . Size - Offset >= NeededSize  (unsigned), where NeededSize == TypeSize / 8
  return Offset >= 0 && Size >= uint64_t(Offset) &&
         Size - uint64_t(Offset) >= TypeSize / 8;
}