1 //===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file is a part of AddressSanitizer, an address sanity checker. 11 // Details of the algorithm: 12 // http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13 // 14 //===----------------------------------------------------------------------===// 15 16 #include "llvm/ADT/ArrayRef.h" 17 #include "llvm/ADT/DenseMap.h" 18 #include "llvm/ADT/DepthFirstIterator.h" 19 #include "llvm/ADT/SetVector.h" 20 #include "llvm/ADT/SmallSet.h" 21 #include "llvm/ADT/SmallVector.h" 22 #include "llvm/ADT/Statistic.h" 23 #include "llvm/ADT/StringExtras.h" 24 #include "llvm/ADT/Triple.h" 25 #include "llvm/Analysis/MemoryBuiltins.h" 26 #include "llvm/Analysis/TargetLibraryInfo.h" 27 #include "llvm/Analysis/ValueTracking.h" 28 #include "llvm/IR/CallSite.h" 29 #include "llvm/IR/DIBuilder.h" 30 #include "llvm/IR/DataLayout.h" 31 #include "llvm/IR/Dominators.h" 32 #include "llvm/IR/Function.h" 33 #include "llvm/IR/IRBuilder.h" 34 #include "llvm/IR/InlineAsm.h" 35 #include "llvm/IR/InstVisitor.h" 36 #include "llvm/IR/IntrinsicInst.h" 37 #include "llvm/IR/LLVMContext.h" 38 #include "llvm/IR/MDBuilder.h" 39 #include "llvm/IR/Module.h" 40 #include "llvm/IR/Type.h" 41 #include "llvm/MC/MCSectionMachO.h" 42 #include "llvm/Support/CommandLine.h" 43 #include "llvm/Support/DataTypes.h" 44 #include "llvm/Support/Debug.h" 45 #include "llvm/Support/Endian.h" 46 #include "llvm/Support/SwapByteOrder.h" 47 #include "llvm/Support/raw_ostream.h" 48 #include "llvm/Transforms/Instrumentation.h" 49 #include "llvm/Transforms/Scalar.h" 50 #include "llvm/Transforms/Utils/ASanStackFrameLayout.h" 51 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 52 #include "llvm/Transforms/Utils/Cloning.h" 53 #include "llvm/Transforms/Utils/Local.h" 54 #include "llvm/Transforms/Utils/ModuleUtils.h" 55 #include "llvm/Transforms/Utils/PromoteMemToReg.h" 56 #include <algorithm> 57 #include <iomanip> 58 #include <limits> 59 #include <sstream> 60 #include <string> 61 #include <system_error> 62 63 using namespace llvm; 64 65 #define DEBUG_TYPE "asan" 66 67 static const uint64_t kDefaultShadowScale = 3; 68 static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 69 static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 70 static const uint64_t kDynamicShadowSentinel = ~(uint64_t)0; 71 static const uint64_t kIOSShadowOffset32 = 1ULL << 30; 72 static const uint64_t kIOSSimShadowOffset32 = 1ULL << 30; 73 static const uint64_t kIOSSimShadowOffset64 = kDefaultShadowOffset64; 74 static const uint64_t kSmallX86_64ShadowOffset = 0x7FFF8000; // < 2G. 75 static const uint64_t kLinuxKasan_ShadowOffset64 = 0xdffffc0000000000; 76 static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 41; 77 static const uint64_t kSystemZ_ShadowOffset64 = 1ULL << 52; 78 static const uint64_t kMIPS32_ShadowOffset32 = 0x0aaa0000; 79 static const uint64_t kMIPS64_ShadowOffset64 = 1ULL << 37; 80 static const uint64_t kAArch64_ShadowOffset64 = 1ULL << 36; 81 static const uint64_t kFreeBSD_ShadowOffset32 = 1ULL << 30; 82 static const uint64_t kFreeBSD_ShadowOffset64 = 1ULL << 46; 83 static const uint64_t kPS4CPU_ShadowOffset64 = 1ULL << 40; 84 static const uint64_t kWindowsShadowOffset32 = 3ULL << 28; 85 // The shadow memory space is dynamically allocated. 86 static const uint64_t kWindowsShadowOffset64 = kDynamicShadowSentinel; 87 88 static const size_t kMinStackMallocSize = 1 << 6; // 64B 89 static const size_t kMaxStackMallocSize = 1 << 16; // 64K 90 static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 91 static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 92 93 static const char *const kAsanModuleCtorName = "asan.module_ctor"; 94 static const char *const kAsanModuleDtorName = "asan.module_dtor"; 95 static const uint64_t kAsanCtorAndDtorPriority = 1; 96 static const char *const kAsanReportErrorTemplate = "__asan_report_"; 97 static const char *const kAsanRegisterGlobalsName = "__asan_register_globals"; 98 static const char *const kAsanUnregisterGlobalsName = 99 "__asan_unregister_globals"; 100 static const char *const kAsanRegisterImageGlobalsName = 101 "__asan_register_image_globals"; 102 static const char *const kAsanUnregisterImageGlobalsName = 103 "__asan_unregister_image_globals"; 104 static const char *const kAsanRegisterElfGlobalsName = 105 "__asan_register_elf_globals"; 106 static const char *const kAsanUnregisterElfGlobalsName = 107 "__asan_unregister_elf_globals"; 108 static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init"; 109 static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init"; 110 static const char *const kAsanInitName = "__asan_init"; 111 static const char *const kAsanVersionCheckName = 112 "__asan_version_mismatch_check_v8"; 113 static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp"; 114 static const char *const kAsanPtrSub = "__sanitizer_ptr_sub"; 115 static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return"; 116 static const int kMaxAsanStackMallocSizeClass = 10; 117 static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_"; 118 static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_"; 119 static const char *const kAsanGenPrefix = "__asan_gen_"; 120 static const char *const kODRGenPrefix = "__odr_asan_gen_"; 121 static const char *const kSanCovGenPrefix = "__sancov_gen_"; 122 static const char *const kAsanSetShadowPrefix = "__asan_set_shadow_"; 123 static const char *const kAsanPoisonStackMemoryName = 124 "__asan_poison_stack_memory"; 125 static const char *const kAsanUnpoisonStackMemoryName = 126 "__asan_unpoison_stack_memory"; 127 128 // ASan version script has __asan_* wildcard. Triple underscore prevents a 129 // linker (gold) warning about attempting to export a local symbol. 130 static const char *const kAsanGlobalsRegisteredFlagName = 131 "___asan_globals_registered"; 132 133 static const char *const kAsanOptionDetectUseAfterReturn = 134 "__asan_option_detect_stack_use_after_return"; 135 136 static const char *const kAsanShadowMemoryDynamicAddress = 137 "__asan_shadow_memory_dynamic_address"; 138 139 static const char *const kAsanAllocaPoison = "__asan_alloca_poison"; 140 static const char *const kAsanAllocasUnpoison = "__asan_allocas_unpoison"; 141 142 // Accesses sizes are powers of two: 1, 2, 4, 8, 16. 143 static const size_t kNumberOfAccessSizes = 5; 144 145 static const unsigned kAllocaRzSize = 32; 146 147 // Command-line flags. 148 static cl::opt<bool> ClEnableKasan( 149 "asan-kernel", cl::desc("Enable KernelAddressSanitizer instrumentation"), 150 cl::Hidden, cl::init(false)); 151 static cl::opt<bool> ClRecover( 152 "asan-recover", 153 cl::desc("Enable recovery mode (continue-after-error)."), 154 cl::Hidden, cl::init(false)); 155 156 // This flag may need to be replaced with -f[no-]asan-reads. 157 static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 158 cl::desc("instrument read instructions"), 159 cl::Hidden, cl::init(true)); 160 static cl::opt<bool> ClInstrumentWrites( 161 "asan-instrument-writes", cl::desc("instrument write instructions"), 162 cl::Hidden, cl::init(true)); 163 static cl::opt<bool> ClInstrumentAtomics( 164 "asan-instrument-atomics", 165 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden, 166 cl::init(true)); 167 static cl::opt<bool> ClAlwaysSlowPath( 168 "asan-always-slow-path", 169 cl::desc("use instrumentation with slow path for all accesses"), cl::Hidden, 170 cl::init(false)); 171 static cl::opt<bool> ClForceDynamicShadow( 172 "asan-force-dynamic-shadow", 173 cl::desc("Load shadow address into a local variable for each function"), 174 cl::Hidden, cl::init(false)); 175 176 // This flag limits the number of instructions to be instrumented 177 // in any given BB. Normally, this should be set to unlimited (INT_MAX), 178 // but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary 179 // set it to 10000. 180 static cl::opt<int> ClMaxInsnsToInstrumentPerBB( 181 "asan-max-ins-per-bb", cl::init(10000), 182 cl::desc("maximal number of instructions to instrument in any given BB"), 183 cl::Hidden); 184 // This flag may need to be replaced with -f[no]asan-stack. 185 static cl::opt<bool> ClStack("asan-stack", cl::desc("Handle stack memory"), 186 cl::Hidden, cl::init(true)); 187 static cl::opt<uint32_t> ClMaxInlinePoisoningSize( 188 "asan-max-inline-poisoning-size", 189 cl::desc( 190 "Inline shadow poisoning for blocks up to the given size in bytes."), 191 cl::Hidden, cl::init(64)); 192 static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 193 cl::desc("Check stack-use-after-return"), 194 cl::Hidden, cl::init(true)); 195 static cl::opt<bool> ClUseAfterScope("asan-use-after-scope", 196 cl::desc("Check stack-use-after-scope"), 197 cl::Hidden, cl::init(false)); 198 // This flag may need to be replaced with -f[no]asan-globals. 199 static cl::opt<bool> ClGlobals("asan-globals", 200 cl::desc("Handle global objects"), cl::Hidden, 201 cl::init(true)); 202 static cl::opt<bool> ClInitializers("asan-initialization-order", 203 cl::desc("Handle C++ initializer order"), 204 cl::Hidden, cl::init(true)); 205 static cl::opt<bool> ClInvalidPointerPairs( 206 "asan-detect-invalid-pointer-pair", 207 cl::desc("Instrument <, <=, >, >=, - with pointer operands"), cl::Hidden, 208 cl::init(false)); 209 static cl::opt<unsigned> ClRealignStack( 210 "asan-realign-stack", 211 cl::desc("Realign stack to the value of this flag (power of two)"), 212 cl::Hidden, cl::init(32)); 213 static cl::opt<int> ClInstrumentationWithCallsThreshold( 214 "asan-instrumentation-with-call-threshold", 215 cl::desc( 216 "If the function being instrumented contains more than " 217 "this number of memory accesses, use callbacks instead of " 218 "inline checks (-1 means never use callbacks)."), 219 cl::Hidden, cl::init(7000)); 220 static cl::opt<std::string> ClMemoryAccessCallbackPrefix( 221 "asan-memory-access-callback-prefix", 222 cl::desc("Prefix for memory access callbacks"), cl::Hidden, 223 cl::init("__asan_")); 224 static cl::opt<bool> 225 ClInstrumentDynamicAllocas("asan-instrument-dynamic-allocas", 226 cl::desc("instrument dynamic allocas"), 227 cl::Hidden, cl::init(true)); 228 static cl::opt<bool> ClSkipPromotableAllocas( 229 "asan-skip-promotable-allocas", 230 cl::desc("Do not instrument promotable allocas"), cl::Hidden, 231 cl::init(true)); 232 233 // These flags allow to change the shadow mapping. 234 // The shadow mapping looks like 235 // Shadow = (Mem >> scale) + offset 236 static cl::opt<int> ClMappingScale("asan-mapping-scale", 237 cl::desc("scale of asan shadow mapping"), 238 cl::Hidden, cl::init(0)); 239 static cl::opt<unsigned long long> ClMappingOffset( 240 "asan-mapping-offset", 241 cl::desc("offset of asan shadow mapping [EXPERIMENTAL]"), cl::Hidden, 242 cl::init(0)); 243 244 // Optimization flags. Not user visible, used mostly for testing 245 // and benchmarking the tool. 246 static cl::opt<bool> ClOpt("asan-opt", cl::desc("Optimize instrumentation"), 247 cl::Hidden, cl::init(true)); 248 static cl::opt<bool> ClOptSameTemp( 249 "asan-opt-same-temp", cl::desc("Instrument the same temp just once"), 250 cl::Hidden, cl::init(true)); 251 static cl::opt<bool> ClOptGlobals("asan-opt-globals", 252 cl::desc("Don't instrument scalar globals"), 253 cl::Hidden, cl::init(true)); 254 static cl::opt<bool> ClOptStack( 255 "asan-opt-stack", cl::desc("Don't instrument scalar stack variables"), 256 cl::Hidden, cl::init(false)); 257 258 static cl::opt<bool> ClDynamicAllocaStack( 259 "asan-stack-dynamic-alloca", 260 cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden, 261 cl::init(true)); 262 263 static cl::opt<uint32_t> ClForceExperiment( 264 "asan-force-experiment", 265 cl::desc("Force optimization experiment (for testing)"), cl::Hidden, 266 cl::init(0)); 267 268 static cl::opt<bool> 269 ClUsePrivateAliasForGlobals("asan-use-private-alias", 270 cl::desc("Use private aliases for global" 271 " variables"), 272 cl::Hidden, cl::init(false)); 273 274 static cl::opt<bool> 275 ClUseGlobalsGC("asan-globals-live-support", 276 cl::desc("Use linker features to support dead " 277 "code stripping of globals"), 278 cl::Hidden, cl::init(true)); 279 280 // This is on by default even though there is a bug in gold: 281 // https://sourceware.org/bugzilla/show_bug.cgi?id=19002 282 static cl::opt<bool> 283 ClWithComdat("asan-with-comdat", 284 cl::desc("Place ASan constructors in comdat sections"), 285 cl::Hidden, cl::init(true)); 286 287 // Debug flags. 288 static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 289 cl::init(0)); 290 static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 291 cl::Hidden, cl::init(0)); 292 static cl::opt<std::string> ClDebugFunc("asan-debug-func", cl::Hidden, 293 cl::desc("Debug func")); 294 static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 295 cl::Hidden, cl::init(-1)); 296 static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug max inst"), 297 cl::Hidden, cl::init(-1)); 298 299 STATISTIC(NumInstrumentedReads, "Number of instrumented reads"); 300 STATISTIC(NumInstrumentedWrites, "Number of instrumented writes"); 301 STATISTIC(NumOptimizedAccessesToGlobalVar, 302 "Number of optimized accesses to global vars"); 303 STATISTIC(NumOptimizedAccessesToStackVar, 304 "Number of optimized accesses to stack vars"); 305 306 namespace { 307 /// Frontend-provided metadata for source location. 308 struct LocationMetadata { 309 StringRef Filename; 310 int LineNo; 311 int ColumnNo; 312 313 LocationMetadata() : Filename(), LineNo(0), ColumnNo(0) {} 314 315 bool empty() const { return Filename.empty(); } 316 317 void parse(MDNode *MDN) { 318 assert(MDN->getNumOperands() == 3); 319 MDString *DIFilename = cast<MDString>(MDN->getOperand(0)); 320 Filename = DIFilename->getString(); 321 LineNo = 322 mdconst::extract<ConstantInt>(MDN->getOperand(1))->getLimitedValue(); 323 ColumnNo = 324 mdconst::extract<ConstantInt>(MDN->getOperand(2))->getLimitedValue(); 325 } 326 }; 327 328 /// Frontend-provided metadata for global variables. 329 class GlobalsMetadata { 330 public: 331 struct Entry { 332 Entry() : SourceLoc(), Name(), IsDynInit(false), IsBlacklisted(false) {} 333 LocationMetadata SourceLoc; 334 StringRef Name; 335 bool IsDynInit; 336 bool IsBlacklisted; 337 }; 338 339 GlobalsMetadata() : inited_(false) {} 340 341 void reset() { 342 inited_ = false; 343 Entries.clear(); 344 } 345 346 void init(Module &M) { 347 assert(!inited_); 348 inited_ = true; 349 NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals"); 350 if (!Globals) return; 351 for (auto MDN : Globals->operands()) { 352 // Metadata node contains the global and the fields of "Entry". 353 assert(MDN->getNumOperands() == 5); 354 auto *GV = mdconst::extract_or_null<GlobalVariable>(MDN->getOperand(0)); 355 // The optimizer may optimize away a global entirely. 356 if (!GV) continue; 357 // We can already have an entry for GV if it was merged with another 358 // global. 359 Entry &E = Entries[GV]; 360 if (auto *Loc = cast_or_null<MDNode>(MDN->getOperand(1))) 361 E.SourceLoc.parse(Loc); 362 if (auto *Name = cast_or_null<MDString>(MDN->getOperand(2))) 363 E.Name = Name->getString(); 364 ConstantInt *IsDynInit = 365 mdconst::extract<ConstantInt>(MDN->getOperand(3)); 366 E.IsDynInit |= IsDynInit->isOne(); 367 ConstantInt *IsBlacklisted = 368 mdconst::extract<ConstantInt>(MDN->getOperand(4)); 369 E.IsBlacklisted |= IsBlacklisted->isOne(); 370 } 371 } 372 373 /// Returns metadata entry for a given global. 374 Entry get(GlobalVariable *G) const { 375 auto Pos = Entries.find(G); 376 return (Pos != Entries.end()) ? Pos->second : Entry(); 377 } 378 379 private: 380 bool inited_; 381 DenseMap<GlobalVariable *, Entry> Entries; 382 }; 383 384 /// This struct defines the shadow mapping using the rule: 385 /// shadow = (mem >> Scale) ADD-or-OR Offset. 386 struct ShadowMapping { 387 int Scale; 388 uint64_t Offset; 389 bool OrShadowOffset; 390 }; 391 392 static ShadowMapping getShadowMapping(Triple &TargetTriple, int LongSize, 393 bool IsKasan) { 394 bool IsAndroid = TargetTriple.isAndroid(); 395 bool IsIOS = TargetTriple.isiOS() || TargetTriple.isWatchOS(); 396 bool IsFreeBSD = TargetTriple.isOSFreeBSD(); 397 bool IsPS4CPU = TargetTriple.isPS4CPU(); 398 bool IsLinux = TargetTriple.isOSLinux(); 399 bool IsPPC64 = TargetTriple.getArch() == llvm::Triple::ppc64 || 400 TargetTriple.getArch() == llvm::Triple::ppc64le; 401 bool IsSystemZ = TargetTriple.getArch() == llvm::Triple::systemz; 402 bool IsX86 = TargetTriple.getArch() == llvm::Triple::x86; 403 bool IsX86_64 = TargetTriple.getArch() == llvm::Triple::x86_64; 404 bool IsMIPS32 = TargetTriple.getArch() == llvm::Triple::mips || 405 TargetTriple.getArch() == llvm::Triple::mipsel; 406 bool IsMIPS64 = TargetTriple.getArch() == llvm::Triple::mips64 || 407 TargetTriple.getArch() == llvm::Triple::mips64el; 408 bool IsAArch64 = TargetTriple.getArch() == llvm::Triple::aarch64; 409 bool IsWindows = TargetTriple.isOSWindows(); 410 bool IsFuchsia = TargetTriple.isOSFuchsia(); 411 412 ShadowMapping Mapping; 413 414 if (LongSize == 32) { 415 // Android is always PIE, which means that the beginning of the address 416 // space is always available. 417 if (IsAndroid) 418 Mapping.Offset = 0; 419 else if (IsMIPS32) 420 Mapping.Offset = kMIPS32_ShadowOffset32; 421 else if (IsFreeBSD) 422 Mapping.Offset = kFreeBSD_ShadowOffset32; 423 else if (IsIOS) 424 // If we're targeting iOS and x86, the binary is built for iOS simulator. 425 Mapping.Offset = IsX86 ? kIOSSimShadowOffset32 : kIOSShadowOffset32; 426 else if (IsWindows) 427 Mapping.Offset = kWindowsShadowOffset32; 428 else 429 Mapping.Offset = kDefaultShadowOffset32; 430 } else { // LongSize == 64 431 // Fuchsia is always PIE, which means that the beginning of the address 432 // space is always available. 433 if (IsFuchsia) 434 Mapping.Offset = 0; 435 else if (IsPPC64) 436 Mapping.Offset = kPPC64_ShadowOffset64; 437 else if (IsSystemZ) 438 Mapping.Offset = kSystemZ_ShadowOffset64; 439 else if (IsFreeBSD) 440 Mapping.Offset = kFreeBSD_ShadowOffset64; 441 else if (IsPS4CPU) 442 Mapping.Offset = kPS4CPU_ShadowOffset64; 443 else if (IsLinux && IsX86_64) { 444 if (IsKasan) 445 Mapping.Offset = kLinuxKasan_ShadowOffset64; 446 else 447 Mapping.Offset = kSmallX86_64ShadowOffset; 448 } else if (IsWindows && IsX86_64) { 449 Mapping.Offset = kWindowsShadowOffset64; 450 } else if (IsMIPS64) 451 Mapping.Offset = kMIPS64_ShadowOffset64; 452 else if (IsIOS) 453 // If we're targeting iOS and x86, the binary is built for iOS simulator. 454 // We are using dynamic shadow offset on the 64-bit devices. 455 Mapping.Offset = 456 IsX86_64 ? kIOSSimShadowOffset64 : kDynamicShadowSentinel; 457 else if (IsAArch64) 458 Mapping.Offset = kAArch64_ShadowOffset64; 459 else 460 Mapping.Offset = kDefaultShadowOffset64; 461 } 462 463 if (ClForceDynamicShadow) { 464 Mapping.Offset = kDynamicShadowSentinel; 465 } 466 467 Mapping.Scale = kDefaultShadowScale; 468 if (ClMappingScale.getNumOccurrences() > 0) { 469 Mapping.Scale = ClMappingScale; 470 } 471 472 if (ClMappingOffset.getNumOccurrences() > 0) { 473 Mapping.Offset = ClMappingOffset; 474 } 475 476 // OR-ing shadow offset if more efficient (at least on x86) if the offset 477 // is a power of two, but on ppc64 we have to use add since the shadow 478 // offset is not necessary 1/8-th of the address space. On SystemZ, 479 // we could OR the constant in a single instruction, but it's more 480 // efficient to load it once and use indexed addressing. 481 Mapping.OrShadowOffset = !IsAArch64 && !IsPPC64 && !IsSystemZ && !IsPS4CPU && 482 !(Mapping.Offset & (Mapping.Offset - 1)) && 483 Mapping.Offset != kDynamicShadowSentinel; 484 485 return Mapping; 486 } 487 488 static size_t RedzoneSizeForScale(int MappingScale) { 489 // Redzone used for stack and globals is at least 32 bytes. 490 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 491 return std::max(32U, 1U << MappingScale); 492 } 493 494 /// AddressSanitizer: instrument the code in module to find memory bugs. 495 struct AddressSanitizer : public FunctionPass { 496 explicit AddressSanitizer(bool CompileKernel = false, bool Recover = false, 497 bool UseAfterScope = false) 498 : FunctionPass(ID), CompileKernel(CompileKernel || ClEnableKasan), 499 Recover(Recover || ClRecover), 500 UseAfterScope(UseAfterScope || ClUseAfterScope), 501 LocalDynamicShadow(nullptr) { 502 initializeAddressSanitizerPass(*PassRegistry::getPassRegistry()); 503 } 504 StringRef getPassName() const override { 505 return "AddressSanitizerFunctionPass"; 506 } 507 void getAnalysisUsage(AnalysisUsage &AU) const override { 508 AU.addRequired<DominatorTreeWrapperPass>(); 509 AU.addRequired<TargetLibraryInfoWrapperPass>(); 510 } 511 uint64_t getAllocaSizeInBytes(const AllocaInst &AI) const { 512 uint64_t ArraySize = 1; 513 if (AI.isArrayAllocation()) { 514 const ConstantInt *CI = dyn_cast<ConstantInt>(AI.getArraySize()); 515 assert(CI && "non-constant array size"); 516 ArraySize = CI->getZExtValue(); 517 } 518 Type *Ty = AI.getAllocatedType(); 519 uint64_t SizeInBytes = 520 AI.getModule()->getDataLayout().getTypeAllocSize(Ty); 521 return SizeInBytes * ArraySize; 522 } 523 /// Check if we want (and can) handle this alloca. 524 bool isInterestingAlloca(const AllocaInst &AI); 525 526 /// If it is an interesting memory access, return the PointerOperand 527 /// and set IsWrite/Alignment. Otherwise return nullptr. 528 /// MaybeMask is an output parameter for the mask Value, if we're looking at a 529 /// masked load/store. 530 Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite, 531 uint64_t *TypeSize, unsigned *Alignment, 532 Value **MaybeMask = nullptr); 533 void instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis, Instruction *I, 534 bool UseCalls, const DataLayout &DL); 535 void instrumentPointerComparisonOrSubtraction(Instruction *I); 536 void instrumentAddress(Instruction *OrigIns, Instruction *InsertBefore, 537 Value *Addr, uint32_t TypeSize, bool IsWrite, 538 Value *SizeArgument, bool UseCalls, uint32_t Exp); 539 void instrumentUnusualSizeOrAlignment(Instruction *I, 540 Instruction *InsertBefore, Value *Addr, 541 uint32_t TypeSize, bool IsWrite, 542 Value *SizeArgument, bool UseCalls, 543 uint32_t Exp); 544 Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 545 Value *ShadowValue, uint32_t TypeSize); 546 Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, 547 bool IsWrite, size_t AccessSizeIndex, 548 Value *SizeArgument, uint32_t Exp); 549 void instrumentMemIntrinsic(MemIntrinsic *MI); 550 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 551 bool runOnFunction(Function &F) override; 552 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 553 void maybeInsertDynamicShadowAtFunctionEntry(Function &F); 554 void markEscapedLocalAllocas(Function &F); 555 bool doInitialization(Module &M) override; 556 bool doFinalization(Module &M) override; 557 static char ID; // Pass identification, replacement for typeid 558 559 DominatorTree &getDominatorTree() const { return *DT; } 560 561 private: 562 void initializeCallbacks(Module &M); 563 564 bool LooksLikeCodeInBug11395(Instruction *I); 565 bool GlobalIsLinkerInitialized(GlobalVariable *G); 566 bool isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, Value *Addr, 567 uint64_t TypeSize) const; 568 569 /// Helper to cleanup per-function state. 570 struct FunctionStateRAII { 571 AddressSanitizer *Pass; 572 FunctionStateRAII(AddressSanitizer *Pass) : Pass(Pass) { 573 assert(Pass->ProcessedAllocas.empty() && 574 "last pass forgot to clear cache"); 575 assert(!Pass->LocalDynamicShadow); 576 } 577 ~FunctionStateRAII() { 578 Pass->LocalDynamicShadow = nullptr; 579 Pass->ProcessedAllocas.clear(); 580 } 581 }; 582 583 LLVMContext *C; 584 Triple TargetTriple; 585 int LongSize; 586 bool CompileKernel; 587 bool Recover; 588 bool UseAfterScope; 589 Type *IntptrTy; 590 ShadowMapping Mapping; 591 DominatorTree *DT; 592 Function *AsanHandleNoReturnFunc; 593 Function *AsanPtrCmpFunction, *AsanPtrSubFunction; 594 // This array is indexed by AccessIsWrite, Experiment and log2(AccessSize). 595 Function *AsanErrorCallback[2][2][kNumberOfAccessSizes]; 596 Function *AsanMemoryAccessCallback[2][2][kNumberOfAccessSizes]; 597 // This array is indexed by AccessIsWrite and Experiment. 598 Function *AsanErrorCallbackSized[2][2]; 599 Function *AsanMemoryAccessCallbackSized[2][2]; 600 Function *AsanMemmove, *AsanMemcpy, *AsanMemset; 601 InlineAsm *EmptyAsm; 602 Value *LocalDynamicShadow; 603 GlobalsMetadata GlobalsMD; 604 DenseMap<const AllocaInst *, bool> ProcessedAllocas; 605 606 friend struct FunctionStackPoisoner; 607 }; 608 609 class AddressSanitizerModule : public ModulePass { 610 public: 611 explicit AddressSanitizerModule(bool CompileKernel = false, 612 bool Recover = false, 613 bool UseGlobalsGC = true) 614 : ModulePass(ID), CompileKernel(CompileKernel || ClEnableKasan), 615 Recover(Recover || ClRecover), 616 UseGlobalsGC(UseGlobalsGC && ClUseGlobalsGC), 617 // Not a typo: ClWithComdat is almost completely pointless without 618 // ClUseGlobalsGC (because then it only works on modules without 619 // globals, which are rare); it is a prerequisite for ClUseGlobalsGC; 620 // and both suffer from gold PR19002 for which UseGlobalsGC constructor 621 // argument is designed as workaround. Therefore, disable both 622 // ClWithComdat and ClUseGlobalsGC unless the frontend says it's ok to 623 // do globals-gc. 624 UseCtorComdat(UseGlobalsGC && ClWithComdat) {} 625 bool runOnModule(Module &M) override; 626 static char ID; // Pass identification, replacement for typeid 627 StringRef getPassName() const override { return "AddressSanitizerModule"; } 628 629 private: 630 void initializeCallbacks(Module &M); 631 632 bool InstrumentGlobals(IRBuilder<> &IRB, Module &M, bool *CtorComdat); 633 void InstrumentGlobalsCOFF(IRBuilder<> &IRB, Module &M, 634 ArrayRef<GlobalVariable *> ExtendedGlobals, 635 ArrayRef<Constant *> MetadataInitializers); 636 void InstrumentGlobalsELF(IRBuilder<> &IRB, Module &M, 637 ArrayRef<GlobalVariable *> ExtendedGlobals, 638 ArrayRef<Constant *> MetadataInitializers, 639 const std::string &UniqueModuleId); 640 void InstrumentGlobalsMachO(IRBuilder<> &IRB, Module &M, 641 ArrayRef<GlobalVariable *> ExtendedGlobals, 642 ArrayRef<Constant *> MetadataInitializers); 643 void 644 InstrumentGlobalsWithMetadataArray(IRBuilder<> &IRB, Module &M, 645 ArrayRef<GlobalVariable *> ExtendedGlobals, 646 ArrayRef<Constant *> MetadataInitializers); 647 648 GlobalVariable *CreateMetadataGlobal(Module &M, Constant *Initializer, 649 StringRef OriginalName); 650 void SetComdatForGlobalMetadata(GlobalVariable *G, GlobalVariable *Metadata, 651 StringRef InternalSuffix); 652 IRBuilder<> CreateAsanModuleDtor(Module &M); 653 654 bool ShouldInstrumentGlobal(GlobalVariable *G); 655 bool ShouldUseMachOGlobalsSection() const; 656 StringRef getGlobalMetadataSection() const; 657 void poisonOneInitializer(Function &GlobalInit, GlobalValue *ModuleName); 658 void createInitializerPoisonCalls(Module &M, GlobalValue *ModuleName); 659 size_t MinRedzoneSizeForGlobal() const { 660 return RedzoneSizeForScale(Mapping.Scale); 661 } 662 663 GlobalsMetadata GlobalsMD; 664 bool CompileKernel; 665 bool Recover; 666 bool UseGlobalsGC; 667 bool UseCtorComdat; 668 Type *IntptrTy; 669 LLVMContext *C; 670 Triple TargetTriple; 671 ShadowMapping Mapping; 672 Function *AsanPoisonGlobals; 673 Function *AsanUnpoisonGlobals; 674 Function *AsanRegisterGlobals; 675 Function *AsanUnregisterGlobals; 676 Function *AsanRegisterImageGlobals; 677 Function *AsanUnregisterImageGlobals; 678 Function *AsanRegisterElfGlobals; 679 Function *AsanUnregisterElfGlobals; 680 681 Function *AsanCtorFunction = nullptr; 682 Function *AsanDtorFunction = nullptr; 683 }; 684 685 // Stack poisoning does not play well with exception handling. 686 // When an exception is thrown, we essentially bypass the code 687 // that unpoisones the stack. This is why the run-time library has 688 // to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 689 // stack in the interceptor. This however does not work inside the 690 // actual function which catches the exception. Most likely because the 691 // compiler hoists the load of the shadow value somewhere too high. 692 // This causes asan to report a non-existing bug on 453.povray. 693 // It sounds like an LLVM bug. 694 struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> { 695 Function &F; 696 AddressSanitizer &ASan; 697 DIBuilder DIB; 698 LLVMContext *C; 699 Type *IntptrTy; 700 Type *IntptrPtrTy; 701 ShadowMapping Mapping; 702 703 SmallVector<AllocaInst *, 16> AllocaVec; 704 SmallVector<AllocaInst *, 16> StaticAllocasToMoveUp; 705 SmallVector<Instruction *, 8> RetVec; 706 unsigned StackAlignment; 707 708 Function *AsanStackMallocFunc[kMaxAsanStackMallocSizeClass + 1], 709 *AsanStackFreeFunc[kMaxAsanStackMallocSizeClass + 1]; 710 Function *AsanSetShadowFunc[0x100] = {}; 711 Function *AsanPoisonStackMemoryFunc, *AsanUnpoisonStackMemoryFunc; 712 Function *AsanAllocaPoisonFunc, *AsanAllocasUnpoisonFunc; 713 714 // Stores a place and arguments of poisoning/unpoisoning call for alloca. 715 struct AllocaPoisonCall { 716 IntrinsicInst *InsBefore; 717 AllocaInst *AI; 718 uint64_t Size; 719 bool DoPoison; 720 }; 721 SmallVector<AllocaPoisonCall, 8> DynamicAllocaPoisonCallVec; 722 SmallVector<AllocaPoisonCall, 8> StaticAllocaPoisonCallVec; 723 724 SmallVector<AllocaInst *, 1> DynamicAllocaVec; 725 SmallVector<IntrinsicInst *, 1> StackRestoreVec; 726 AllocaInst *DynamicAllocaLayout = nullptr; 727 IntrinsicInst *LocalEscapeCall = nullptr; 728 729 // Maps Value to an AllocaInst from which the Value is originated. 730 typedef DenseMap<Value *, AllocaInst *> AllocaForValueMapTy; 731 AllocaForValueMapTy AllocaForValue; 732 733 bool HasNonEmptyInlineAsm = false; 734 bool HasReturnsTwiceCall = false; 735 std::unique_ptr<CallInst> EmptyInlineAsm; 736 737 FunctionStackPoisoner(Function &F, AddressSanitizer &ASan) 738 : F(F), 739 ASan(ASan), 740 DIB(*F.getParent(), /*AllowUnresolved*/ false), 741 C(ASan.C), 742 IntptrTy(ASan.IntptrTy), 743 IntptrPtrTy(PointerType::get(IntptrTy, 0)), 744 Mapping(ASan.Mapping), 745 StackAlignment(1 << Mapping.Scale), 746 EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {} 747 748 bool runOnFunction() { 749 if (!ClStack) return false; 750 // Collect alloca, ret, lifetime instructions etc. 751 for (BasicBlock *BB : depth_first(&F.getEntryBlock())) visit(*BB); 752 753 if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false; 754 755 initializeCallbacks(*F.getParent()); 756 757 processDynamicAllocas(); 758 processStaticAllocas(); 759 760 if (ClDebugStack) { 761 DEBUG(dbgs() << F); 762 } 763 return true; 764 } 765 766 // Finds all Alloca instructions and puts 767 // poisoned red zones around all of them. 768 // Then unpoison everything back before the function returns. 769 void processStaticAllocas(); 770 void processDynamicAllocas(); 771 772 void createDynamicAllocasInitStorage(); 773 774 // ----------------------- Visitors. 775 /// \brief Collect all Ret instructions. 776 void visitReturnInst(ReturnInst &RI) { RetVec.push_back(&RI); } 777 778 /// \brief Collect all Resume instructions. 779 void visitResumeInst(ResumeInst &RI) { RetVec.push_back(&RI); } 780 781 /// \brief Collect all CatchReturnInst instructions. 782 void visitCleanupReturnInst(CleanupReturnInst &CRI) { RetVec.push_back(&CRI); } 783 784 void unpoisonDynamicAllocasBeforeInst(Instruction *InstBefore, 785 Value *SavedStack) { 786 IRBuilder<> IRB(InstBefore); 787 Value *DynamicAreaPtr = IRB.CreatePtrToInt(SavedStack, IntptrTy); 788 // When we insert _asan_allocas_unpoison before @llvm.stackrestore, we 789 // need to adjust extracted SP to compute the address of the most recent 790 // alloca. We have a special @llvm.get.dynamic.area.offset intrinsic for 791 // this purpose. 792 if (!isa<ReturnInst>(InstBefore)) { 793 Function *DynamicAreaOffsetFunc = Intrinsic::getDeclaration( 794 InstBefore->getModule(), Intrinsic::get_dynamic_area_offset, 795 {IntptrTy}); 796 797 Value *DynamicAreaOffset = IRB.CreateCall(DynamicAreaOffsetFunc, {}); 798 799 DynamicAreaPtr = IRB.CreateAdd(IRB.CreatePtrToInt(SavedStack, IntptrTy), 800 DynamicAreaOffset); 801 } 802 803 IRB.CreateCall(AsanAllocasUnpoisonFunc, 804 {IRB.CreateLoad(DynamicAllocaLayout), DynamicAreaPtr}); 805 } 806 807 // Unpoison dynamic allocas redzones. 808 void unpoisonDynamicAllocas() { 809 for (auto &Ret : RetVec) 810 unpoisonDynamicAllocasBeforeInst(Ret, DynamicAllocaLayout); 811 812 for (auto &StackRestoreInst : StackRestoreVec) 813 unpoisonDynamicAllocasBeforeInst(StackRestoreInst, 814 StackRestoreInst->getOperand(0)); 815 } 816 817 // Deploy and poison redzones around dynamic alloca call. To do this, we 818 // should replace this call with another one with changed parameters and 819 // replace all its uses with new address, so 820 // addr = alloca type, old_size, align 821 // is replaced by 822 // new_size = (old_size + additional_size) * sizeof(type) 823 // tmp = alloca i8, new_size, max(align, 32) 824 // addr = tmp + 32 (first 32 bytes are for the left redzone). 825 // Additional_size is added to make new memory allocation contain not only 826 // requested memory, but also left, partial and right redzones. 827 void handleDynamicAllocaCall(AllocaInst *AI); 828 829 /// \brief Collect Alloca instructions we want (and can) handle. 830 void visitAllocaInst(AllocaInst &AI) { 831 if (!ASan.isInterestingAlloca(AI)) { 832 if (AI.isStaticAlloca()) { 833 // Skip over allocas that are present *before* the first instrumented 834 // alloca, we don't want to move those around. 835 if (AllocaVec.empty()) 836 return; 837 838 StaticAllocasToMoveUp.push_back(&AI); 839 } 840 return; 841 } 842 843 StackAlignment = std::max(StackAlignment, AI.getAlignment()); 844 if (!AI.isStaticAlloca()) 845 DynamicAllocaVec.push_back(&AI); 846 else 847 AllocaVec.push_back(&AI); 848 } 849 850 /// \brief Collect lifetime intrinsic calls to check for use-after-scope 851 /// errors. 852 void visitIntrinsicInst(IntrinsicInst &II) { 853 Intrinsic::ID ID = II.getIntrinsicID(); 854 if (ID == Intrinsic::stackrestore) StackRestoreVec.push_back(&II); 855 if (ID == Intrinsic::localescape) LocalEscapeCall = &II; 856 if (!ASan.UseAfterScope) 857 return; 858 if (ID != Intrinsic::lifetime_start && ID != Intrinsic::lifetime_end) 859 return; 860 // Found lifetime intrinsic, add ASan instrumentation if necessary. 861 ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0)); 862 // If size argument is undefined, don't do anything. 863 if (Size->isMinusOne()) return; 864 // Check that size doesn't saturate uint64_t and can 865 // be stored in IntptrTy. 866 const uint64_t SizeValue = Size->getValue().getLimitedValue(); 867 if (SizeValue == ~0ULL || 868 !ConstantInt::isValueValidForType(IntptrTy, SizeValue)) 869 return; 870 // Find alloca instruction that corresponds to llvm.lifetime argument. 871 AllocaInst *AI = findAllocaForValue(II.getArgOperand(1)); 872 if (!AI || !ASan.isInterestingAlloca(*AI)) 873 return; 874 bool DoPoison = (ID == Intrinsic::lifetime_end); 875 AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison}; 876 if (AI->isStaticAlloca()) 877 StaticAllocaPoisonCallVec.push_back(APC); 878 else if (ClInstrumentDynamicAllocas) 879 DynamicAllocaPoisonCallVec.push_back(APC); 880 } 881 882 void visitCallSite(CallSite CS) { 883 Instruction *I = CS.getInstruction(); 884 if (CallInst *CI = dyn_cast<CallInst>(I)) { 885 HasNonEmptyInlineAsm |= 886 CI->isInlineAsm() && !CI->isIdenticalTo(EmptyInlineAsm.get()); 887 HasReturnsTwiceCall |= CI->canReturnTwice(); 888 } 889 } 890 891 // ---------------------- Helpers. 892 void initializeCallbacks(Module &M); 893 894 bool doesDominateAllExits(const Instruction *I) const { 895 for (auto Ret : RetVec) { 896 if (!ASan.getDominatorTree().dominates(I, Ret)) return false; 897 } 898 return true; 899 } 900 901 /// Finds alloca where the value comes from. 902 AllocaInst *findAllocaForValue(Value *V); 903 904 // Copies bytes from ShadowBytes into shadow memory for indexes where 905 // ShadowMask is not zero. If ShadowMask[i] is zero, we assume that 906 // ShadowBytes[i] is constantly zero and doesn't need to be overwritten. 907 void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes, 908 IRBuilder<> &IRB, Value *ShadowBase); 909 void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes, 910 size_t Begin, size_t End, IRBuilder<> &IRB, 911 Value *ShadowBase); 912 void copyToShadowInline(ArrayRef<uint8_t> ShadowMask, 913 ArrayRef<uint8_t> ShadowBytes, size_t Begin, 914 size_t End, IRBuilder<> &IRB, Value *ShadowBase); 915 916 void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> &IRB, bool DoPoison); 917 918 Value *createAllocaForLayout(IRBuilder<> &IRB, const ASanStackFrameLayout &L, 919 bool Dynamic); 920 PHINode *createPHI(IRBuilder<> &IRB, Value *Cond, Value *ValueIfTrue, 921 Instruction *ThenTerm, Value *ValueIfFalse); 922 }; 923 924 } // anonymous namespace 925 926 char AddressSanitizer::ID = 0; 927 INITIALIZE_PASS_BEGIN( 928 AddressSanitizer, "asan", 929 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false, 930 false) 931 INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass) 932 INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass) 933 INITIALIZE_PASS_END( 934 AddressSanitizer, "asan", 935 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false, 936 false) 937 FunctionPass *llvm::createAddressSanitizerFunctionPass(bool CompileKernel, 938 bool Recover, 939 bool UseAfterScope) { 940 assert(!CompileKernel || Recover); 941 return new AddressSanitizer(CompileKernel, Recover, UseAfterScope); 942 } 943 944 char AddressSanitizerModule::ID = 0; 945 INITIALIZE_PASS( 946 AddressSanitizerModule, "asan-module", 947 "AddressSanitizer: detects use-after-free and out-of-bounds bugs." 948 "ModulePass", 949 false, false) 950 ModulePass *llvm::createAddressSanitizerModulePass(bool CompileKernel, 951 bool Recover, 952 bool UseGlobalsGC) { 953 assert(!CompileKernel || Recover); 954 return new AddressSanitizerModule(CompileKernel, Recover, UseGlobalsGC); 955 } 956 957 static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 958 size_t Res = countTrailingZeros(TypeSize / 8); 959 assert(Res < kNumberOfAccessSizes); 960 return Res; 961 } 962 963 // \brief Create a constant for Str so that we can pass it to the run-time lib. 964 static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str, 965 bool AllowMerging) { 966 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 967 // We use private linkage for module-local strings. If they can be merged 968 // with another one, we set the unnamed_addr attribute. 969 GlobalVariable *GV = 970 new GlobalVariable(M, StrConst->getType(), true, 971 GlobalValue::PrivateLinkage, StrConst, kAsanGenPrefix); 972 if (AllowMerging) GV->setUnnamedAddr(GlobalValue::UnnamedAddr::Global); 973 GV->setAlignment(1); // Strings may not be merged w/o setting align 1. 974 return GV; 975 } 976 977 /// \brief Create a global describing a source location. 978 static GlobalVariable *createPrivateGlobalForSourceLoc(Module &M, 979 LocationMetadata MD) { 980 Constant *LocData[] = { 981 createPrivateGlobalForString(M, MD.Filename, true), 982 ConstantInt::get(Type::getInt32Ty(M.getContext()), MD.LineNo), 983 ConstantInt::get(Type::getInt32Ty(M.getContext()), MD.ColumnNo), 984 }; 985 auto LocStruct = ConstantStruct::getAnon(LocData); 986 auto GV = new GlobalVariable(M, LocStruct->getType(), true, 987 GlobalValue::PrivateLinkage, LocStruct, 988 kAsanGenPrefix); 989 GV->setUnnamedAddr(GlobalValue::UnnamedAddr::Global); 990 return GV; 991 } 992 993 /// \brief Check if \p G has been created by a trusted compiler pass. 994 static bool GlobalWasGeneratedByCompiler(GlobalVariable *G) { 995 // Do not instrument asan globals. 996 if (G->getName().startswith(kAsanGenPrefix) || 997 G->getName().startswith(kSanCovGenPrefix) || 998 G->getName().startswith(kODRGenPrefix)) 999 return true; 1000 1001 // Do not instrument gcov counter arrays. 1002 if (G->getName() == "__llvm_gcov_ctr") 1003 return true; 1004 1005 return false; 1006 } 1007 1008 Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 1009 // Shadow >> scale 1010 Shadow = IRB.CreateLShr(Shadow, Mapping.Scale); 1011 if (Mapping.Offset == 0) return Shadow; 1012 // (Shadow >> scale) | offset 1013 Value *ShadowBase; 1014 if (LocalDynamicShadow) 1015 ShadowBase = LocalDynamicShadow; 1016 else 1017 ShadowBase = ConstantInt::get(IntptrTy, Mapping.Offset); 1018 if (Mapping.OrShadowOffset) 1019 return IRB.CreateOr(Shadow, ShadowBase); 1020 else 1021 return IRB.CreateAdd(Shadow, ShadowBase); 1022 } 1023 1024 // Instrument memset/memmove/memcpy 1025 void AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 1026 IRBuilder<> IRB(MI); 1027 if (isa<MemTransferInst>(MI)) { 1028 IRB.CreateCall( 1029 isa<MemMoveInst>(MI) ? AsanMemmove : AsanMemcpy, 1030 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 1031 IRB.CreatePointerCast(MI->getOperand(1), IRB.getInt8PtrTy()), 1032 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 1033 } else if (isa<MemSetInst>(MI)) { 1034 IRB.CreateCall( 1035 AsanMemset, 1036 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 1037 IRB.CreateIntCast(MI->getOperand(1), IRB.getInt32Ty(), false), 1038 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 1039 } 1040 MI->eraseFromParent(); 1041 } 1042 1043 /// Check if we want (and can) handle this alloca. 1044 bool AddressSanitizer::isInterestingAlloca(const AllocaInst &AI) { 1045 auto PreviouslySeenAllocaInfo = ProcessedAllocas.find(&AI); 1046 1047 if (PreviouslySeenAllocaInfo != ProcessedAllocas.end()) 1048 return PreviouslySeenAllocaInfo->getSecond(); 1049 1050 bool IsInteresting = 1051 (AI.getAllocatedType()->isSized() && 1052 // alloca() may be called with 0 size, ignore it. 1053 ((!AI.isStaticAlloca()) || getAllocaSizeInBytes(AI) > 0) && 1054 // We are only interested in allocas not promotable to registers. 1055 // Promotable allocas are common under -O0. 1056 (!ClSkipPromotableAllocas || !isAllocaPromotable(&AI)) && 1057 // inalloca allocas are not treated as static, and we don't want 1058 // dynamic alloca instrumentation for them as well. 1059 !AI.isUsedWithInAlloca() && 1060 // swifterror allocas are register promoted by ISel 1061 !AI.isSwiftError()); 1062 1063 ProcessedAllocas[&AI] = IsInteresting; 1064 return IsInteresting; 1065 } 1066 1067 Value *AddressSanitizer::isInterestingMemoryAccess(Instruction *I, 1068 bool *IsWrite, 1069 uint64_t *TypeSize, 1070 unsigned *Alignment, 1071 Value **MaybeMask) { 1072 // Skip memory accesses inserted by another instrumentation. 1073 if (I->getMetadata("nosanitize")) return nullptr; 1074 1075 // Do not instrument the load fetching the dynamic shadow address. 1076 if (LocalDynamicShadow == I) 1077 return nullptr; 1078 1079 Value *PtrOperand = nullptr; 1080 const DataLayout &DL = I->getModule()->getDataLayout(); 1081 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 1082 if (!ClInstrumentReads) return nullptr; 1083 *IsWrite = false; 1084 *TypeSize = DL.getTypeStoreSizeInBits(LI->getType()); 1085 *Alignment = LI->getAlignment(); 1086 PtrOperand = LI->getPointerOperand(); 1087 } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 1088 if (!ClInstrumentWrites) return nullptr; 1089 *IsWrite = true; 1090 *TypeSize = DL.getTypeStoreSizeInBits(SI->getValueOperand()->getType()); 1091 *Alignment = SI->getAlignment(); 1092 PtrOperand = SI->getPointerOperand(); 1093 } else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 1094 if (!ClInstrumentAtomics) return nullptr; 1095 *IsWrite = true; 1096 *TypeSize = DL.getTypeStoreSizeInBits(RMW->getValOperand()->getType()); 1097 *Alignment = 0; 1098 PtrOperand = RMW->getPointerOperand(); 1099 } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 1100 if (!ClInstrumentAtomics) return nullptr; 1101 *IsWrite = true; 1102 *TypeSize = DL.getTypeStoreSizeInBits(XCHG->getCompareOperand()->getType()); 1103 *Alignment = 0; 1104 PtrOperand = XCHG->getPointerOperand(); 1105 } else if (auto CI = dyn_cast<CallInst>(I)) { 1106 auto *F = dyn_cast<Function>(CI->getCalledValue()); 1107 if (F && (F->getName().startswith("llvm.masked.load.") || 1108 F->getName().startswith("llvm.masked.store."))) { 1109 unsigned OpOffset = 0; 1110 if (F->getName().startswith("llvm.masked.store.")) { 1111 if (!ClInstrumentWrites) 1112 return nullptr; 1113 // Masked store has an initial operand for the value. 1114 OpOffset = 1; 1115 *IsWrite = true; 1116 } else { 1117 if (!ClInstrumentReads) 1118 return nullptr; 1119 *IsWrite = false; 1120 } 1121 1122 auto BasePtr = CI->getOperand(0 + OpOffset); 1123 auto Ty = cast<PointerType>(BasePtr->getType())->getElementType(); 1124 *TypeSize = DL.getTypeStoreSizeInBits(Ty); 1125 if (auto AlignmentConstant = 1126 dyn_cast<ConstantInt>(CI->getOperand(1 + OpOffset))) 1127 *Alignment = (unsigned)AlignmentConstant->getZExtValue(); 1128 else 1129 *Alignment = 1; // No alignment guarantees. We probably got Undef 1130 if (MaybeMask) 1131 *MaybeMask = CI->getOperand(2 + OpOffset); 1132 PtrOperand = BasePtr; 1133 } 1134 } 1135 1136 if (PtrOperand) { 1137 // Do not instrument acesses from different address spaces; we cannot deal 1138 // with them. 1139 Type *PtrTy = cast<PointerType>(PtrOperand->getType()->getScalarType()); 1140 if (PtrTy->getPointerAddressSpace() != 0) 1141 return nullptr; 1142 1143 // Ignore swifterror addresses. 1144 // swifterror memory addresses are mem2reg promoted by instruction 1145 // selection. As such they cannot have regular uses like an instrumentation 1146 // function and it makes no sense to track them as memory. 1147 if (PtrOperand->isSwiftError()) 1148 return nullptr; 1149 } 1150 1151 // Treat memory accesses to promotable allocas as non-interesting since they 1152 // will not cause memory violations. This greatly speeds up the instrumented 1153 // executable at -O0. 1154 if (ClSkipPromotableAllocas) 1155 if (auto AI = dyn_cast_or_null<AllocaInst>(PtrOperand)) 1156 return isInterestingAlloca(*AI) ? AI : nullptr; 1157 1158 return PtrOperand; 1159 } 1160 1161 static bool isPointerOperand(Value *V) { 1162 return V->getType()->isPointerTy() || isa<PtrToIntInst>(V); 1163 } 1164 1165 // This is a rough heuristic; it may cause both false positives and 1166 // false negatives. The proper implementation requires cooperation with 1167 // the frontend. 1168 static bool isInterestingPointerComparisonOrSubtraction(Instruction *I) { 1169 if (ICmpInst *Cmp = dyn_cast<ICmpInst>(I)) { 1170 if (!Cmp->isRelational()) return false; 1171 } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(I)) { 1172 if (BO->getOpcode() != Instruction::Sub) return false; 1173 } else { 1174 return false; 1175 } 1176 return isPointerOperand(I->getOperand(0)) && 1177 isPointerOperand(I->getOperand(1)); 1178 } 1179 1180 bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) { 1181 // If a global variable does not have dynamic initialization we don't 1182 // have to instrument it. However, if a global does not have initializer 1183 // at all, we assume it has dynamic initializer (in other TU). 1184 return G->hasInitializer() && !GlobalsMD.get(G).IsDynInit; 1185 } 1186 1187 void AddressSanitizer::instrumentPointerComparisonOrSubtraction( 1188 Instruction *I) { 1189 IRBuilder<> IRB(I); 1190 Function *F = isa<ICmpInst>(I) ? AsanPtrCmpFunction : AsanPtrSubFunction; 1191 Value *Param[2] = {I->getOperand(0), I->getOperand(1)}; 1192 for (Value *&i : Param) { 1193 if (i->getType()->isPointerTy()) 1194 i = IRB.CreatePointerCast(i, IntptrTy); 1195 } 1196 IRB.CreateCall(F, Param); 1197 } 1198 1199 static void doInstrumentAddress(AddressSanitizer *Pass, Instruction *I, 1200 Instruction *InsertBefore, Value *Addr, 1201 unsigned Alignment, unsigned Granularity, 1202 uint32_t TypeSize, bool IsWrite, 1203 Value *SizeArgument, bool UseCalls, 1204 uint32_t Exp) { 1205 // Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check 1206 // if the data is properly aligned. 1207 if ((TypeSize == 8 || TypeSize == 16 || TypeSize == 32 || TypeSize == 64 || 1208 TypeSize == 128) && 1209 (Alignment >= Granularity || Alignment == 0 || Alignment >= TypeSize / 8)) 1210 return Pass->instrumentAddress(I, InsertBefore, Addr, TypeSize, IsWrite, 1211 nullptr, UseCalls, Exp); 1212 Pass->instrumentUnusualSizeOrAlignment(I, InsertBefore, Addr, TypeSize, 1213 IsWrite, nullptr, UseCalls, Exp); 1214 } 1215 1216 static void instrumentMaskedLoadOrStore(AddressSanitizer *Pass, 1217 const DataLayout &DL, Type *IntptrTy, 1218 Value *Mask, Instruction *I, 1219 Value *Addr, unsigned Alignment, 1220 unsigned Granularity, uint32_t TypeSize, 1221 bool IsWrite, Value *SizeArgument, 1222 bool UseCalls, uint32_t Exp) { 1223 auto *VTy = cast<PointerType>(Addr->getType())->getElementType(); 1224 uint64_t ElemTypeSize = DL.getTypeStoreSizeInBits(VTy->getScalarType()); 1225 unsigned Num = VTy->getVectorNumElements(); 1226 auto Zero = ConstantInt::get(IntptrTy, 0); 1227 for (unsigned Idx = 0; Idx < Num; ++Idx) { 1228 Value *InstrumentedAddress = nullptr; 1229 Instruction *InsertBefore = I; 1230 if (auto *Vector = dyn_cast<ConstantVector>(Mask)) { 1231 // dyn_cast as we might get UndefValue 1232 if (auto *Masked = dyn_cast<ConstantInt>(Vector->getOperand(Idx))) { 1233 if (Masked->isNullValue()) 1234 // Mask is constant false, so no instrumentation needed. 1235 continue; 1236 // If we have a true or undef value, fall through to doInstrumentAddress 1237 // with InsertBefore == I 1238 } 1239 } else { 1240 IRBuilder<> IRB(I); 1241 Value *MaskElem = IRB.CreateExtractElement(Mask, Idx); 1242 TerminatorInst *ThenTerm = SplitBlockAndInsertIfThen(MaskElem, I, false); 1243 InsertBefore = ThenTerm; 1244 } 1245 1246 IRBuilder<> IRB(InsertBefore); 1247 InstrumentedAddress = 1248 IRB.CreateGEP(Addr, {Zero, ConstantInt::get(IntptrTy, Idx)}); 1249 doInstrumentAddress(Pass, I, InsertBefore, InstrumentedAddress, Alignment, 1250 Granularity, ElemTypeSize, IsWrite, SizeArgument, 1251 UseCalls, Exp); 1252 } 1253 } 1254 1255 void AddressSanitizer::instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis, 1256 Instruction *I, bool UseCalls, 1257 const DataLayout &DL) { 1258 bool IsWrite = false; 1259 unsigned Alignment = 0; 1260 uint64_t TypeSize = 0; 1261 Value *MaybeMask = nullptr; 1262 Value *Addr = 1263 isInterestingMemoryAccess(I, &IsWrite, &TypeSize, &Alignment, &MaybeMask); 1264 assert(Addr); 1265 1266 // Optimization experiments. 1267 // The experiments can be used to evaluate potential optimizations that remove 1268 // instrumentation (assess false negatives). Instead of completely removing 1269 // some instrumentation, you set Exp to a non-zero value (mask of optimization 1270 // experiments that want to remove instrumentation of this instruction). 1271 // If Exp is non-zero, this pass will emit special calls into runtime 1272 // (e.g. __asan_report_exp_load1 instead of __asan_report_load1). These calls 1273 // make runtime terminate the program in a special way (with a different 1274 // exit status). Then you run the new compiler on a buggy corpus, collect 1275 // the special terminations (ideally, you don't see them at all -- no false 1276 // negatives) and make the decision on the optimization. 1277 uint32_t Exp = ClForceExperiment; 1278 1279 if (ClOpt && ClOptGlobals) { 1280 // If initialization order checking is disabled, a simple access to a 1281 // dynamically initialized global is always valid. 1282 GlobalVariable *G = dyn_cast<GlobalVariable>(GetUnderlyingObject(Addr, DL)); 1283 if (G && (!ClInitializers || GlobalIsLinkerInitialized(G)) && 1284 isSafeAccess(ObjSizeVis, Addr, TypeSize)) { 1285 NumOptimizedAccessesToGlobalVar++; 1286 return; 1287 } 1288 } 1289 1290 if (ClOpt && ClOptStack) { 1291 // A direct inbounds access to a stack variable is always valid. 1292 if (isa<AllocaInst>(GetUnderlyingObject(Addr, DL)) && 1293 isSafeAccess(ObjSizeVis, Addr, TypeSize)) { 1294 NumOptimizedAccessesToStackVar++; 1295 return; 1296 } 1297 } 1298 1299 if (IsWrite) 1300 NumInstrumentedWrites++; 1301 else 1302 NumInstrumentedReads++; 1303 1304 unsigned Granularity = 1 << Mapping.Scale; 1305 if (MaybeMask) { 1306 instrumentMaskedLoadOrStore(this, DL, IntptrTy, MaybeMask, I, Addr, 1307 Alignment, Granularity, TypeSize, IsWrite, 1308 nullptr, UseCalls, Exp); 1309 } else { 1310 doInstrumentAddress(this, I, I, Addr, Alignment, Granularity, TypeSize, 1311 IsWrite, nullptr, UseCalls, Exp); 1312 } 1313 } 1314 1315 Instruction *AddressSanitizer::generateCrashCode(Instruction *InsertBefore, 1316 Value *Addr, bool IsWrite, 1317 size_t AccessSizeIndex, 1318 Value *SizeArgument, 1319 uint32_t Exp) { 1320 IRBuilder<> IRB(InsertBefore); 1321 Value *ExpVal = Exp == 0 ? nullptr : ConstantInt::get(IRB.getInt32Ty(), Exp); 1322 CallInst *Call = nullptr; 1323 if (SizeArgument) { 1324 if (Exp == 0) 1325 Call = IRB.CreateCall(AsanErrorCallbackSized[IsWrite][0], 1326 {Addr, SizeArgument}); 1327 else 1328 Call = IRB.CreateCall(AsanErrorCallbackSized[IsWrite][1], 1329 {Addr, SizeArgument, ExpVal}); 1330 } else { 1331 if (Exp == 0) 1332 Call = 1333 IRB.CreateCall(AsanErrorCallback[IsWrite][0][AccessSizeIndex], Addr); 1334 else 1335 Call = IRB.CreateCall(AsanErrorCallback[IsWrite][1][AccessSizeIndex], 1336 {Addr, ExpVal}); 1337 } 1338 1339 // We don't do Call->setDoesNotReturn() because the BB already has 1340 // UnreachableInst at the end. 1341 // This EmptyAsm is required to avoid callback merge. 1342 IRB.CreateCall(EmptyAsm, {}); 1343 return Call; 1344 } 1345 1346 Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 1347 Value *ShadowValue, 1348 uint32_t TypeSize) { 1349 size_t Granularity = static_cast<size_t>(1) << Mapping.Scale; 1350 // Addr & (Granularity - 1) 1351 Value *LastAccessedByte = 1352 IRB.CreateAnd(AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 1353 // (Addr & (Granularity - 1)) + size - 1 1354 if (TypeSize / 8 > 1) 1355 LastAccessedByte = IRB.CreateAdd( 1356 LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 1357 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 1358 LastAccessedByte = 1359 IRB.CreateIntCast(LastAccessedByte, ShadowValue->getType(), false); 1360 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 1361 return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue); 1362 } 1363 1364 void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 1365 Instruction *InsertBefore, Value *Addr, 1366 uint32_t TypeSize, bool IsWrite, 1367 Value *SizeArgument, bool UseCalls, 1368 uint32_t Exp) { 1369 IRBuilder<> IRB(InsertBefore); 1370 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 1371 size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize); 1372 1373 if (UseCalls) { 1374 if (Exp == 0) 1375 IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][0][AccessSizeIndex], 1376 AddrLong); 1377 else 1378 IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][1][AccessSizeIndex], 1379 {AddrLong, ConstantInt::get(IRB.getInt32Ty(), Exp)}); 1380 return; 1381 } 1382 1383 Type *ShadowTy = 1384 IntegerType::get(*C, std::max(8U, TypeSize >> Mapping.Scale)); 1385 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 1386 Value *ShadowPtr = memToShadow(AddrLong, IRB); 1387 Value *CmpVal = Constant::getNullValue(ShadowTy); 1388 Value *ShadowValue = 1389 IRB.CreateLoad(IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 1390 1391 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 1392 size_t Granularity = 1ULL << Mapping.Scale; 1393 TerminatorInst *CrashTerm = nullptr; 1394 1395 if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) { 1396 // We use branch weights for the slow path check, to indicate that the slow 1397 // path is rarely taken. This seems to be the case for SPEC benchmarks. 1398 TerminatorInst *CheckTerm = SplitBlockAndInsertIfThen( 1399 Cmp, InsertBefore, false, MDBuilder(*C).createBranchWeights(1, 100000)); 1400 assert(cast<BranchInst>(CheckTerm)->isUnconditional()); 1401 BasicBlock *NextBB = CheckTerm->getSuccessor(0); 1402 IRB.SetInsertPoint(CheckTerm); 1403 Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize); 1404 if (Recover) { 1405 CrashTerm = SplitBlockAndInsertIfThen(Cmp2, CheckTerm, false); 1406 } else { 1407 BasicBlock *CrashBlock = 1408 BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); 1409 CrashTerm = new UnreachableInst(*C, CrashBlock); 1410 BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); 1411 ReplaceInstWithInst(CheckTerm, NewTerm); 1412 } 1413 } else { 1414 CrashTerm = SplitBlockAndInsertIfThen(Cmp, InsertBefore, !Recover); 1415 } 1416 1417 Instruction *Crash = generateCrashCode(CrashTerm, AddrLong, IsWrite, 1418 AccessSizeIndex, SizeArgument, Exp); 1419 Crash->setDebugLoc(OrigIns->getDebugLoc()); 1420 } 1421 1422 // Instrument unusual size or unusual alignment. 1423 // We can not do it with a single check, so we do 1-byte check for the first 1424 // and the last bytes. We call __asan_report_*_n(addr, real_size) to be able 1425 // to report the actual access size. 1426 void AddressSanitizer::instrumentUnusualSizeOrAlignment( 1427 Instruction *I, Instruction *InsertBefore, Value *Addr, uint32_t TypeSize, 1428 bool IsWrite, Value *SizeArgument, bool UseCalls, uint32_t Exp) { 1429 IRBuilder<> IRB(InsertBefore); 1430 Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8); 1431 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 1432 if (UseCalls) { 1433 if (Exp == 0) 1434 IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][0], 1435 {AddrLong, Size}); 1436 else 1437 IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][1], 1438 {AddrLong, Size, ConstantInt::get(IRB.getInt32Ty(), Exp)}); 1439 } else { 1440 Value *LastByte = IRB.CreateIntToPtr( 1441 IRB.CreateAdd(AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)), 1442 Addr->getType()); 1443 instrumentAddress(I, InsertBefore, Addr, 8, IsWrite, Size, false, Exp); 1444 instrumentAddress(I, InsertBefore, LastByte, 8, IsWrite, Size, false, Exp); 1445 } 1446 } 1447 1448 void AddressSanitizerModule::poisonOneInitializer(Function &GlobalInit, 1449 GlobalValue *ModuleName) { 1450 // Set up the arguments to our poison/unpoison functions. 1451 IRBuilder<> IRB(&GlobalInit.front(), 1452 GlobalInit.front().getFirstInsertionPt()); 1453 1454 // Add a call to poison all external globals before the given function starts. 1455 Value *ModuleNameAddr = ConstantExpr::getPointerCast(ModuleName, IntptrTy); 1456 IRB.CreateCall(AsanPoisonGlobals, ModuleNameAddr); 1457 1458 // Add calls to unpoison all globals before each return instruction. 1459 for (auto &BB : GlobalInit.getBasicBlockList()) 1460 if (ReturnInst *RI = dyn_cast<ReturnInst>(BB.getTerminator())) 1461 CallInst::Create(AsanUnpoisonGlobals, "", RI); 1462 } 1463 1464 void AddressSanitizerModule::createInitializerPoisonCalls( 1465 Module &M, GlobalValue *ModuleName) { 1466 GlobalVariable *GV = M.getGlobalVariable("llvm.global_ctors"); 1467 if (!GV) 1468 return; 1469 1470 ConstantArray *CA = dyn_cast<ConstantArray>(GV->getInitializer()); 1471 if (!CA) 1472 return; 1473 1474 for (Use &OP : CA->operands()) { 1475 if (isa<ConstantAggregateZero>(OP)) continue; 1476 ConstantStruct *CS = cast<ConstantStruct>(OP); 1477 1478 // Must have a function or null ptr. 1479 if (Function *F = dyn_cast<Function>(CS->getOperand(1))) { 1480 if (F->getName() == kAsanModuleCtorName) continue; 1481 ConstantInt *Priority = dyn_cast<ConstantInt>(CS->getOperand(0)); 1482 // Don't instrument CTORs that will run before asan.module_ctor. 1483 if (Priority->getLimitedValue() <= kAsanCtorAndDtorPriority) continue; 1484 poisonOneInitializer(*F, ModuleName); 1485 } 1486 } 1487 } 1488 1489 bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) { 1490 Type *Ty = G->getValueType(); 1491 DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); 1492 1493 if (GlobalsMD.get(G).IsBlacklisted) return false; 1494 if (!Ty->isSized()) return false; 1495 if (!G->hasInitializer()) return false; 1496 if (GlobalWasGeneratedByCompiler(G)) return false; // Our own globals. 1497 // Touch only those globals that will not be defined in other modules. 1498 // Don't handle ODR linkage types and COMDATs since other modules may be built 1499 // without ASan. 1500 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 1501 G->getLinkage() != GlobalVariable::PrivateLinkage && 1502 G->getLinkage() != GlobalVariable::InternalLinkage) 1503 return false; 1504 if (G->hasComdat()) return false; 1505 // Two problems with thread-locals: 1506 // - The address of the main thread's copy can't be computed at link-time. 1507 // - Need to poison all copies, not just the main thread's one. 1508 if (G->isThreadLocal()) return false; 1509 // For now, just ignore this Global if the alignment is large. 1510 if (G->getAlignment() > MinRedzoneSizeForGlobal()) return false; 1511 1512 if (G->hasSection()) { 1513 StringRef Section = G->getSection(); 1514 1515 // Globals from llvm.metadata aren't emitted, do not instrument them. 1516 if (Section == "llvm.metadata") return false; 1517 // Do not instrument globals from special LLVM sections. 1518 if (Section.find("__llvm") != StringRef::npos || Section.find("__LLVM") != StringRef::npos) return false; 1519 1520 // Do not instrument function pointers to initialization and termination 1521 // routines: dynamic linker will not properly handle redzones. 1522 if (Section.startswith(".preinit_array") || 1523 Section.startswith(".init_array") || 1524 Section.startswith(".fini_array")) { 1525 return false; 1526 } 1527 1528 // Callbacks put into the CRT initializer/terminator sections 1529 // should not be instrumented. 1530 // See https://code.google.com/p/address-sanitizer/issues/detail?id=305 1531 // and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx 1532 if (Section.startswith(".CRT")) { 1533 DEBUG(dbgs() << "Ignoring a global initializer callback: " << *G << "\n"); 1534 return false; 1535 } 1536 1537 if (TargetTriple.isOSBinFormatMachO()) { 1538 StringRef ParsedSegment, ParsedSection; 1539 unsigned TAA = 0, StubSize = 0; 1540 bool TAAParsed; 1541 std::string ErrorCode = MCSectionMachO::ParseSectionSpecifier( 1542 Section, ParsedSegment, ParsedSection, TAA, TAAParsed, StubSize); 1543 assert(ErrorCode.empty() && "Invalid section specifier."); 1544 1545 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 1546 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 1547 // them. 1548 if (ParsedSegment == "__OBJC" || 1549 (ParsedSegment == "__DATA" && ParsedSection.startswith("__objc_"))) { 1550 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G << "\n"); 1551 return false; 1552 } 1553 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 1554 // Constant CFString instances are compiled in the following way: 1555 // -- the string buffer is emitted into 1556 // __TEXT,__cstring,cstring_literals 1557 // -- the constant NSConstantString structure referencing that buffer 1558 // is placed into __DATA,__cfstring 1559 // Therefore there's no point in placing redzones into __DATA,__cfstring. 1560 // Moreover, it causes the linker to crash on OS X 10.7 1561 if (ParsedSegment == "__DATA" && ParsedSection == "__cfstring") { 1562 DEBUG(dbgs() << "Ignoring CFString: " << *G << "\n"); 1563 return false; 1564 } 1565 // The linker merges the contents of cstring_literals and removes the 1566 // trailing zeroes. 1567 if (ParsedSegment == "__TEXT" && (TAA & MachO::S_CSTRING_LITERALS)) { 1568 DEBUG(dbgs() << "Ignoring a cstring literal: " << *G << "\n"); 1569 return false; 1570 } 1571 } 1572 } 1573 1574 return true; 1575 } 1576 1577 // On Mach-O platforms, we emit global metadata in a separate section of the 1578 // binary in order to allow the linker to properly dead strip. This is only 1579 // supported on recent versions of ld64. 1580 bool AddressSanitizerModule::ShouldUseMachOGlobalsSection() const { 1581 if (!TargetTriple.isOSBinFormatMachO()) 1582 return false; 1583 1584 if (TargetTriple.isMacOSX() && !TargetTriple.isMacOSXVersionLT(10, 11)) 1585 return true; 1586 if (TargetTriple.isiOS() /* or tvOS */ && !TargetTriple.isOSVersionLT(9)) 1587 return true; 1588 if (TargetTriple.isWatchOS() && !TargetTriple.isOSVersionLT(2)) 1589 return true; 1590 1591 return false; 1592 } 1593 1594 StringRef AddressSanitizerModule::getGlobalMetadataSection() const { 1595 switch (TargetTriple.getObjectFormat()) { 1596 case Triple::COFF: return ".ASAN$GL"; 1597 case Triple::ELF: return "asan_globals"; 1598 case Triple::MachO: return "__DATA,__asan_globals,regular"; 1599 default: break; 1600 } 1601 llvm_unreachable("unsupported object format"); 1602 } 1603 1604 void AddressSanitizerModule::initializeCallbacks(Module &M) { 1605 IRBuilder<> IRB(*C); 1606 1607 // Declare our poisoning and unpoisoning functions. 1608 AsanPoisonGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1609 kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy)); 1610 AsanPoisonGlobals->setLinkage(Function::ExternalLinkage); 1611 AsanUnpoisonGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1612 kAsanUnpoisonGlobalsName, IRB.getVoidTy())); 1613 AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage); 1614 1615 // Declare functions that register/unregister globals. 1616 AsanRegisterGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1617 kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy)); 1618 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 1619 AsanUnregisterGlobals = checkSanitizerInterfaceFunction( 1620 M.getOrInsertFunction(kAsanUnregisterGlobalsName, IRB.getVoidTy(), 1621 IntptrTy, IntptrTy)); 1622 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 1623 1624 // Declare the functions that find globals in a shared object and then invoke 1625 // the (un)register function on them. 1626 AsanRegisterImageGlobals = 1627 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1628 kAsanRegisterImageGlobalsName, IRB.getVoidTy(), IntptrTy)); 1629 AsanRegisterImageGlobals->setLinkage(Function::ExternalLinkage); 1630 1631 AsanUnregisterImageGlobals = 1632 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1633 kAsanUnregisterImageGlobalsName, IRB.getVoidTy(), IntptrTy)); 1634 AsanUnregisterImageGlobals->setLinkage(Function::ExternalLinkage); 1635 1636 AsanRegisterElfGlobals = checkSanitizerInterfaceFunction( 1637 M.getOrInsertFunction(kAsanRegisterElfGlobalsName, IRB.getVoidTy(), 1638 IntptrTy, IntptrTy, IntptrTy)); 1639 AsanRegisterElfGlobals->setLinkage(Function::ExternalLinkage); 1640 1641 AsanUnregisterElfGlobals = checkSanitizerInterfaceFunction( 1642 M.getOrInsertFunction(kAsanUnregisterElfGlobalsName, IRB.getVoidTy(), 1643 IntptrTy, IntptrTy, IntptrTy)); 1644 AsanUnregisterElfGlobals->setLinkage(Function::ExternalLinkage); 1645 } 1646 1647 // Put the metadata and the instrumented global in the same group. This ensures 1648 // that the metadata is discarded if the instrumented global is discarded. 1649 void AddressSanitizerModule::SetComdatForGlobalMetadata( 1650 GlobalVariable *G, GlobalVariable *Metadata, StringRef InternalSuffix) { 1651 Module &M = *G->getParent(); 1652 Comdat *C = G->getComdat(); 1653 if (!C) { 1654 if (!G->hasName()) { 1655 // If G is unnamed, it must be internal. Give it an artificial name 1656 // so we can put it in a comdat. 1657 assert(G->hasLocalLinkage()); 1658 G->setName(Twine(kAsanGenPrefix) + "_anon_global"); 1659 } 1660 1661 if (!InternalSuffix.empty() && G->hasLocalLinkage()) { 1662 std::string Name = G->getName(); 1663 Name += InternalSuffix; 1664 C = M.getOrInsertComdat(Name); 1665 } else { 1666 C = M.getOrInsertComdat(G->getName()); 1667 } 1668 1669 // Make this IMAGE_COMDAT_SELECT_NODUPLICATES on COFF. 1670 if (TargetTriple.isOSBinFormatCOFF()) 1671 C->setSelectionKind(Comdat::NoDuplicates); 1672 G->setComdat(C); 1673 } 1674 1675 assert(G->hasComdat()); 1676 Metadata->setComdat(G->getComdat()); 1677 } 1678 1679 // Create a separate metadata global and put it in the appropriate ASan 1680 // global registration section. 1681 GlobalVariable * 1682 AddressSanitizerModule::CreateMetadataGlobal(Module &M, Constant *Initializer, 1683 StringRef OriginalName) { 1684 auto Linkage = TargetTriple.isOSBinFormatMachO() 1685 ? GlobalVariable::InternalLinkage 1686 : GlobalVariable::PrivateLinkage; 1687 GlobalVariable *Metadata = new GlobalVariable( 1688 M, Initializer->getType(), false, Linkage, Initializer, 1689 Twine("__asan_global_") + GlobalValue::dropLLVMManglingEscape(OriginalName)); 1690 Metadata->setSection(getGlobalMetadataSection()); 1691 return Metadata; 1692 } 1693 1694 IRBuilder<> AddressSanitizerModule::CreateAsanModuleDtor(Module &M) { 1695 AsanDtorFunction = 1696 Function::Create(FunctionType::get(Type::getVoidTy(*C), false), 1697 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 1698 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 1699 1700 return IRBuilder<>(ReturnInst::Create(*C, AsanDtorBB)); 1701 } 1702 1703 void AddressSanitizerModule::InstrumentGlobalsCOFF( 1704 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 1705 ArrayRef<Constant *> MetadataInitializers) { 1706 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 1707 auto &DL = M.getDataLayout(); 1708 1709 for (size_t i = 0; i < ExtendedGlobals.size(); i++) { 1710 Constant *Initializer = MetadataInitializers[i]; 1711 GlobalVariable *G = ExtendedGlobals[i]; 1712 GlobalVariable *Metadata = 1713 CreateMetadataGlobal(M, Initializer, G->getName()); 1714 1715 // The MSVC linker always inserts padding when linking incrementally. We 1716 // cope with that by aligning each struct to its size, which must be a power 1717 // of two. 1718 unsigned SizeOfGlobalStruct = DL.getTypeAllocSize(Initializer->getType()); 1719 assert(isPowerOf2_32(SizeOfGlobalStruct) && 1720 "global metadata will not be padded appropriately"); 1721 Metadata->setAlignment(SizeOfGlobalStruct); 1722 1723 SetComdatForGlobalMetadata(G, Metadata, ""); 1724 } 1725 } 1726 1727 void AddressSanitizerModule::InstrumentGlobalsELF( 1728 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 1729 ArrayRef<Constant *> MetadataInitializers, 1730 const std::string &UniqueModuleId) { 1731 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 1732 1733 SmallVector<GlobalValue *, 16> MetadataGlobals(ExtendedGlobals.size()); 1734 for (size_t i = 0; i < ExtendedGlobals.size(); i++) { 1735 GlobalVariable *G = ExtendedGlobals[i]; 1736 GlobalVariable *Metadata = 1737 CreateMetadataGlobal(M, MetadataInitializers[i], G->getName()); 1738 MDNode *MD = MDNode::get(M.getContext(), ValueAsMetadata::get(G)); 1739 Metadata->setMetadata(LLVMContext::MD_associated, MD); 1740 MetadataGlobals[i] = Metadata; 1741 1742 SetComdatForGlobalMetadata(G, Metadata, UniqueModuleId); 1743 } 1744 1745 // Update llvm.compiler.used, adding the new metadata globals. This is 1746 // needed so that during LTO these variables stay alive. 1747 if (!MetadataGlobals.empty()) 1748 appendToCompilerUsed(M, MetadataGlobals); 1749 1750 // RegisteredFlag serves two purposes. First, we can pass it to dladdr() 1751 // to look up the loaded image that contains it. Second, we can store in it 1752 // whether registration has already occurred, to prevent duplicate 1753 // registration. 1754 // 1755 // Common linkage ensures that there is only one global per shared library. 1756 GlobalVariable *RegisteredFlag = new GlobalVariable( 1757 M, IntptrTy, false, GlobalVariable::CommonLinkage, 1758 ConstantInt::get(IntptrTy, 0), kAsanGlobalsRegisteredFlagName); 1759 RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility); 1760 1761 // Create start and stop symbols. 1762 GlobalVariable *StartELFMetadata = new GlobalVariable( 1763 M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr, 1764 "__start_" + getGlobalMetadataSection()); 1765 StartELFMetadata->setVisibility(GlobalVariable::HiddenVisibility); 1766 GlobalVariable *StopELFMetadata = new GlobalVariable( 1767 M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr, 1768 "__stop_" + getGlobalMetadataSection()); 1769 StopELFMetadata->setVisibility(GlobalVariable::HiddenVisibility); 1770 1771 // Create a call to register the globals with the runtime. 1772 IRB.CreateCall(AsanRegisterElfGlobals, 1773 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy), 1774 IRB.CreatePointerCast(StartELFMetadata, IntptrTy), 1775 IRB.CreatePointerCast(StopELFMetadata, IntptrTy)}); 1776 1777 // We also need to unregister globals at the end, e.g., when a shared library 1778 // gets closed. 1779 IRBuilder<> IRB_Dtor = CreateAsanModuleDtor(M); 1780 IRB_Dtor.CreateCall(AsanUnregisterElfGlobals, 1781 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy), 1782 IRB.CreatePointerCast(StartELFMetadata, IntptrTy), 1783 IRB.CreatePointerCast(StopELFMetadata, IntptrTy)}); 1784 } 1785 1786 void AddressSanitizerModule::InstrumentGlobalsMachO( 1787 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 1788 ArrayRef<Constant *> MetadataInitializers) { 1789 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 1790 1791 // On recent Mach-O platforms, use a structure which binds the liveness of 1792 // the global variable to the metadata struct. Keep the list of "Liveness" GV 1793 // created to be added to llvm.compiler.used 1794 StructType *LivenessTy = StructType::get(IntptrTy, IntptrTy); 1795 SmallVector<GlobalValue *, 16> LivenessGlobals(ExtendedGlobals.size()); 1796 1797 for (size_t i = 0; i < ExtendedGlobals.size(); i++) { 1798 Constant *Initializer = MetadataInitializers[i]; 1799 GlobalVariable *G = ExtendedGlobals[i]; 1800 GlobalVariable *Metadata = 1801 CreateMetadataGlobal(M, Initializer, G->getName()); 1802 1803 // On recent Mach-O platforms, we emit the global metadata in a way that 1804 // allows the linker to properly strip dead globals. 1805 auto LivenessBinder = 1806 ConstantStruct::get(LivenessTy, Initializer->getAggregateElement(0u), 1807 ConstantExpr::getPointerCast(Metadata, IntptrTy)); 1808 GlobalVariable *Liveness = new GlobalVariable( 1809 M, LivenessTy, false, GlobalVariable::InternalLinkage, LivenessBinder, 1810 Twine("__asan_binder_") + G->getName()); 1811 Liveness->setSection("__DATA,__asan_liveness,regular,live_support"); 1812 LivenessGlobals[i] = Liveness; 1813 } 1814 1815 // Update llvm.compiler.used, adding the new liveness globals. This is 1816 // needed so that during LTO these variables stay alive. The alternative 1817 // would be to have the linker handling the LTO symbols, but libLTO 1818 // current API does not expose access to the section for each symbol. 1819 if (!LivenessGlobals.empty()) 1820 appendToCompilerUsed(M, LivenessGlobals); 1821 1822 // RegisteredFlag serves two purposes. First, we can pass it to dladdr() 1823 // to look up the loaded image that contains it. Second, we can store in it 1824 // whether registration has already occurred, to prevent duplicate 1825 // registration. 1826 // 1827 // common linkage ensures that there is only one global per shared library. 1828 GlobalVariable *RegisteredFlag = new GlobalVariable( 1829 M, IntptrTy, false, GlobalVariable::CommonLinkage, 1830 ConstantInt::get(IntptrTy, 0), kAsanGlobalsRegisteredFlagName); 1831 RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility); 1832 1833 IRB.CreateCall(AsanRegisterImageGlobals, 1834 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy)}); 1835 1836 // We also need to unregister globals at the end, e.g., when a shared library 1837 // gets closed. 1838 IRBuilder<> IRB_Dtor = CreateAsanModuleDtor(M); 1839 IRB_Dtor.CreateCall(AsanUnregisterImageGlobals, 1840 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy)}); 1841 } 1842 1843 void AddressSanitizerModule::InstrumentGlobalsWithMetadataArray( 1844 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 1845 ArrayRef<Constant *> MetadataInitializers) { 1846 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 1847 unsigned N = ExtendedGlobals.size(); 1848 assert(N > 0); 1849 1850 // On platforms that don't have a custom metadata section, we emit an array 1851 // of global metadata structures. 1852 ArrayType *ArrayOfGlobalStructTy = 1853 ArrayType::get(MetadataInitializers[0]->getType(), N); 1854 auto AllGlobals = new GlobalVariable( 1855 M, ArrayOfGlobalStructTy, false, GlobalVariable::InternalLinkage, 1856 ConstantArray::get(ArrayOfGlobalStructTy, MetadataInitializers), ""); 1857 1858 IRB.CreateCall(AsanRegisterGlobals, 1859 {IRB.CreatePointerCast(AllGlobals, IntptrTy), 1860 ConstantInt::get(IntptrTy, N)}); 1861 1862 // We also need to unregister globals at the end, e.g., when a shared library 1863 // gets closed. 1864 IRBuilder<> IRB_Dtor = CreateAsanModuleDtor(M); 1865 IRB_Dtor.CreateCall(AsanUnregisterGlobals, 1866 {IRB.CreatePointerCast(AllGlobals, IntptrTy), 1867 ConstantInt::get(IntptrTy, N)}); 1868 } 1869 1870 // This function replaces all global variables with new variables that have 1871 // trailing redzones. It also creates a function that poisons 1872 // redzones and inserts this function into llvm.global_ctors. 1873 // Sets *CtorComdat to true if the global registration code emitted into the 1874 // asan constructor is comdat-compatible. 1875 bool AddressSanitizerModule::InstrumentGlobals(IRBuilder<> &IRB, Module &M, bool *CtorComdat) { 1876 *CtorComdat = false; 1877 GlobalsMD.init(M); 1878 1879 SmallVector<GlobalVariable *, 16> GlobalsToChange; 1880 1881 for (auto &G : M.globals()) { 1882 if (ShouldInstrumentGlobal(&G)) GlobalsToChange.push_back(&G); 1883 } 1884 1885 size_t n = GlobalsToChange.size(); 1886 if (n == 0) { 1887 *CtorComdat = true; 1888 return false; 1889 } 1890 1891 auto &DL = M.getDataLayout(); 1892 1893 // A global is described by a structure 1894 // size_t beg; 1895 // size_t size; 1896 // size_t size_with_redzone; 1897 // const char *name; 1898 // const char *module_name; 1899 // size_t has_dynamic_init; 1900 // void *source_location; 1901 // size_t odr_indicator; 1902 // We initialize an array of such structures and pass it to a run-time call. 1903 StructType *GlobalStructTy = 1904 StructType::get(IntptrTy, IntptrTy, IntptrTy, IntptrTy, IntptrTy, 1905 IntptrTy, IntptrTy, IntptrTy); 1906 SmallVector<GlobalVariable *, 16> NewGlobals(n); 1907 SmallVector<Constant *, 16> Initializers(n); 1908 1909 bool HasDynamicallyInitializedGlobals = false; 1910 1911 // We shouldn't merge same module names, as this string serves as unique 1912 // module ID in runtime. 1913 GlobalVariable *ModuleName = createPrivateGlobalForString( 1914 M, M.getModuleIdentifier(), /*AllowMerging*/ false); 1915 1916 for (size_t i = 0; i < n; i++) { 1917 static const uint64_t kMaxGlobalRedzone = 1 << 18; 1918 GlobalVariable *G = GlobalsToChange[i]; 1919 1920 auto MD = GlobalsMD.get(G); 1921 StringRef NameForGlobal = G->getName(); 1922 // Create string holding the global name (use global name from metadata 1923 // if it's available, otherwise just write the name of global variable). 1924 GlobalVariable *Name = createPrivateGlobalForString( 1925 M, MD.Name.empty() ? NameForGlobal : MD.Name, 1926 /*AllowMerging*/ true); 1927 1928 Type *Ty = G->getValueType(); 1929 uint64_t SizeInBytes = DL.getTypeAllocSize(Ty); 1930 uint64_t MinRZ = MinRedzoneSizeForGlobal(); 1931 // MinRZ <= RZ <= kMaxGlobalRedzone 1932 // and trying to make RZ to be ~ 1/4 of SizeInBytes. 1933 uint64_t RZ = std::max( 1934 MinRZ, std::min(kMaxGlobalRedzone, (SizeInBytes / MinRZ / 4) * MinRZ)); 1935 uint64_t RightRedzoneSize = RZ; 1936 // Round up to MinRZ 1937 if (SizeInBytes % MinRZ) RightRedzoneSize += MinRZ - (SizeInBytes % MinRZ); 1938 assert(((RightRedzoneSize + SizeInBytes) % MinRZ) == 0); 1939 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 1940 1941 StructType *NewTy = StructType::get(Ty, RightRedZoneTy); 1942 Constant *NewInitializer = ConstantStruct::get( 1943 NewTy, G->getInitializer(), Constant::getNullValue(RightRedZoneTy)); 1944 1945 // Create a new global variable with enough space for a redzone. 1946 GlobalValue::LinkageTypes Linkage = G->getLinkage(); 1947 if (G->isConstant() && Linkage == GlobalValue::PrivateLinkage) 1948 Linkage = GlobalValue::InternalLinkage; 1949 GlobalVariable *NewGlobal = 1950 new GlobalVariable(M, NewTy, G->isConstant(), Linkage, NewInitializer, 1951 "", G, G->getThreadLocalMode()); 1952 NewGlobal->copyAttributesFrom(G); 1953 NewGlobal->setAlignment(MinRZ); 1954 1955 // Move null-terminated C strings to "__asan_cstring" section on Darwin. 1956 if (TargetTriple.isOSBinFormatMachO() && !G->hasSection() && 1957 G->isConstant()) { 1958 auto Seq = dyn_cast<ConstantDataSequential>(G->getInitializer()); 1959 if (Seq && Seq->isCString()) 1960 NewGlobal->setSection("__TEXT,__asan_cstring,regular"); 1961 } 1962 1963 // Transfer the debug info. The payload starts at offset zero so we can 1964 // copy the debug info over as is. 1965 SmallVector<DIGlobalVariableExpression *, 1> GVs; 1966 G->getDebugInfo(GVs); 1967 for (auto *GV : GVs) 1968 NewGlobal->addDebugInfo(GV); 1969 1970 Value *Indices2[2]; 1971 Indices2[0] = IRB.getInt32(0); 1972 Indices2[1] = IRB.getInt32(0); 1973 1974 G->replaceAllUsesWith( 1975 ConstantExpr::getGetElementPtr(NewTy, NewGlobal, Indices2, true)); 1976 NewGlobal->takeName(G); 1977 G->eraseFromParent(); 1978 NewGlobals[i] = NewGlobal; 1979 1980 Constant *SourceLoc; 1981 if (!MD.SourceLoc.empty()) { 1982 auto SourceLocGlobal = createPrivateGlobalForSourceLoc(M, MD.SourceLoc); 1983 SourceLoc = ConstantExpr::getPointerCast(SourceLocGlobal, IntptrTy); 1984 } else { 1985 SourceLoc = ConstantInt::get(IntptrTy, 0); 1986 } 1987 1988 Constant *ODRIndicator = ConstantExpr::getNullValue(IRB.getInt8PtrTy()); 1989 GlobalValue *InstrumentedGlobal = NewGlobal; 1990 1991 bool CanUsePrivateAliases = 1992 TargetTriple.isOSBinFormatELF() || TargetTriple.isOSBinFormatMachO() || 1993 TargetTriple.isOSBinFormatWasm(); 1994 if (CanUsePrivateAliases && ClUsePrivateAliasForGlobals) { 1995 // Create local alias for NewGlobal to avoid crash on ODR between 1996 // instrumented and non-instrumented libraries. 1997 auto *GA = GlobalAlias::create(GlobalValue::InternalLinkage, 1998 NameForGlobal + M.getName(), NewGlobal); 1999 2000 // With local aliases, we need to provide another externally visible 2001 // symbol __odr_asan_XXX to detect ODR violation. 2002 auto *ODRIndicatorSym = 2003 new GlobalVariable(M, IRB.getInt8Ty(), false, Linkage, 2004 Constant::getNullValue(IRB.getInt8Ty()), 2005 kODRGenPrefix + NameForGlobal, nullptr, 2006 NewGlobal->getThreadLocalMode()); 2007 2008 // Set meaningful attributes for indicator symbol. 2009 ODRIndicatorSym->setVisibility(NewGlobal->getVisibility()); 2010 ODRIndicatorSym->setDLLStorageClass(NewGlobal->getDLLStorageClass()); 2011 ODRIndicatorSym->setAlignment(1); 2012 ODRIndicator = ODRIndicatorSym; 2013 InstrumentedGlobal = GA; 2014 } 2015 2016 Constant *Initializer = ConstantStruct::get( 2017 GlobalStructTy, 2018 ConstantExpr::getPointerCast(InstrumentedGlobal, IntptrTy), 2019 ConstantInt::get(IntptrTy, SizeInBytes), 2020 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 2021 ConstantExpr::getPointerCast(Name, IntptrTy), 2022 ConstantExpr::getPointerCast(ModuleName, IntptrTy), 2023 ConstantInt::get(IntptrTy, MD.IsDynInit), SourceLoc, 2024 ConstantExpr::getPointerCast(ODRIndicator, IntptrTy)); 2025 2026 if (ClInitializers && MD.IsDynInit) HasDynamicallyInitializedGlobals = true; 2027 2028 DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); 2029 2030 Initializers[i] = Initializer; 2031 } 2032 2033 std::string ELFUniqueModuleId = 2034 (UseGlobalsGC && TargetTriple.isOSBinFormatELF()) ? getUniqueModuleId(&M) 2035 : ""; 2036 2037 if (!ELFUniqueModuleId.empty()) { 2038 InstrumentGlobalsELF(IRB, M, NewGlobals, Initializers, ELFUniqueModuleId); 2039 *CtorComdat = true; 2040 } else if (UseGlobalsGC && TargetTriple.isOSBinFormatCOFF()) { 2041 InstrumentGlobalsCOFF(IRB, M, NewGlobals, Initializers); 2042 } else if (UseGlobalsGC && ShouldUseMachOGlobalsSection()) { 2043 InstrumentGlobalsMachO(IRB, M, NewGlobals, Initializers); 2044 } else { 2045 InstrumentGlobalsWithMetadataArray(IRB, M, NewGlobals, Initializers); 2046 } 2047 2048 // Create calls for poisoning before initializers run and unpoisoning after. 2049 if (HasDynamicallyInitializedGlobals) 2050 createInitializerPoisonCalls(M, ModuleName); 2051 2052 DEBUG(dbgs() << M); 2053 return true; 2054 } 2055 2056 bool AddressSanitizerModule::runOnModule(Module &M) { 2057 C = &(M.getContext()); 2058 int LongSize = M.getDataLayout().getPointerSizeInBits(); 2059 IntptrTy = Type::getIntNTy(*C, LongSize); 2060 TargetTriple = Triple(M.getTargetTriple()); 2061 Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel); 2062 initializeCallbacks(M); 2063 2064 if (CompileKernel) 2065 return false; 2066 2067 // Create a module constructor. A destructor is created lazily because not all 2068 // platforms, and not all modules need it. 2069 std::tie(AsanCtorFunction, std::ignore) = createSanitizerCtorAndInitFunctions( 2070 M, kAsanModuleCtorName, kAsanInitName, /*InitArgTypes=*/{}, 2071 /*InitArgs=*/{}, kAsanVersionCheckName); 2072 2073 bool CtorComdat = true; 2074 bool Changed = false; 2075 // TODO(glider): temporarily disabled globals instrumentation for KASan. 2076 if (ClGlobals) { 2077 IRBuilder<> IRB(AsanCtorFunction->getEntryBlock().getTerminator()); 2078 Changed |= InstrumentGlobals(IRB, M, &CtorComdat); 2079 } 2080 2081 // Put the constructor and destructor in comdat if both 2082 // (1) global instrumentation is not TU-specific 2083 // (2) target is ELF. 2084 if (UseCtorComdat && TargetTriple.isOSBinFormatELF() && CtorComdat) { 2085 AsanCtorFunction->setComdat(M.getOrInsertComdat(kAsanModuleCtorName)); 2086 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndDtorPriority, 2087 AsanCtorFunction); 2088 if (AsanDtorFunction) { 2089 AsanDtorFunction->setComdat(M.getOrInsertComdat(kAsanModuleDtorName)); 2090 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndDtorPriority, 2091 AsanDtorFunction); 2092 } 2093 } else { 2094 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndDtorPriority); 2095 if (AsanDtorFunction) 2096 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndDtorPriority); 2097 } 2098 2099 return Changed; 2100 } 2101 2102 void AddressSanitizer::initializeCallbacks(Module &M) { 2103 IRBuilder<> IRB(*C); 2104 // Create __asan_report* callbacks. 2105 // IsWrite, TypeSize and Exp are encoded in the function name. 2106 for (int Exp = 0; Exp < 2; Exp++) { 2107 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 2108 const std::string TypeStr = AccessIsWrite ? "store" : "load"; 2109 const std::string ExpStr = Exp ? "exp_" : ""; 2110 const std::string SuffixStr = CompileKernel ? "N" : "_n"; 2111 const std::string EndingStr = Recover ? "_noabort" : ""; 2112 2113 SmallVector<Type *, 3> Args2 = {IntptrTy, IntptrTy}; 2114 SmallVector<Type *, 2> Args1{1, IntptrTy}; 2115 if (Exp) { 2116 Type *ExpType = Type::getInt32Ty(*C); 2117 Args2.push_back(ExpType); 2118 Args1.push_back(ExpType); 2119 } 2120 AsanErrorCallbackSized[AccessIsWrite][Exp] = 2121 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2122 kAsanReportErrorTemplate + ExpStr + TypeStr + SuffixStr + 2123 EndingStr, 2124 FunctionType::get(IRB.getVoidTy(), Args2, false))); 2125 2126 AsanMemoryAccessCallbackSized[AccessIsWrite][Exp] = 2127 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2128 ClMemoryAccessCallbackPrefix + ExpStr + TypeStr + "N" + EndingStr, 2129 FunctionType::get(IRB.getVoidTy(), Args2, false))); 2130 2131 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 2132 AccessSizeIndex++) { 2133 const std::string Suffix = TypeStr + itostr(1ULL << AccessSizeIndex); 2134 AsanErrorCallback[AccessIsWrite][Exp][AccessSizeIndex] = 2135 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2136 kAsanReportErrorTemplate + ExpStr + Suffix + EndingStr, 2137 FunctionType::get(IRB.getVoidTy(), Args1, false))); 2138 2139 AsanMemoryAccessCallback[AccessIsWrite][Exp][AccessSizeIndex] = 2140 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2141 ClMemoryAccessCallbackPrefix + ExpStr + Suffix + EndingStr, 2142 FunctionType::get(IRB.getVoidTy(), Args1, false))); 2143 } 2144 } 2145 } 2146 2147 const std::string MemIntrinCallbackPrefix = 2148 CompileKernel ? std::string("") : ClMemoryAccessCallbackPrefix; 2149 AsanMemmove = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2150 MemIntrinCallbackPrefix + "memmove", IRB.getInt8PtrTy(), 2151 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IntptrTy)); 2152 AsanMemcpy = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2153 MemIntrinCallbackPrefix + "memcpy", IRB.getInt8PtrTy(), 2154 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IntptrTy)); 2155 AsanMemset = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2156 MemIntrinCallbackPrefix + "memset", IRB.getInt8PtrTy(), 2157 IRB.getInt8PtrTy(), IRB.getInt32Ty(), IntptrTy)); 2158 2159 AsanHandleNoReturnFunc = checkSanitizerInterfaceFunction( 2160 M.getOrInsertFunction(kAsanHandleNoReturnName, IRB.getVoidTy())); 2161 2162 AsanPtrCmpFunction = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2163 kAsanPtrCmp, IRB.getVoidTy(), IntptrTy, IntptrTy)); 2164 AsanPtrSubFunction = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2165 kAsanPtrSub, IRB.getVoidTy(), IntptrTy, IntptrTy)); 2166 // We insert an empty inline asm after __asan_report* to avoid callback merge. 2167 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 2168 StringRef(""), StringRef(""), 2169 /*hasSideEffects=*/true); 2170 } 2171 2172 // virtual 2173 bool AddressSanitizer::doInitialization(Module &M) { 2174 // Initialize the private fields. No one has accessed them before. 2175 GlobalsMD.init(M); 2176 2177 C = &(M.getContext()); 2178 LongSize = M.getDataLayout().getPointerSizeInBits(); 2179 IntptrTy = Type::getIntNTy(*C, LongSize); 2180 TargetTriple = Triple(M.getTargetTriple()); 2181 2182 Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel); 2183 return true; 2184 } 2185 2186 bool AddressSanitizer::doFinalization(Module &M) { 2187 GlobalsMD.reset(); 2188 return false; 2189 } 2190 2191 bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 2192 // For each NSObject descendant having a +load method, this method is invoked 2193 // by the ObjC runtime before any of the static constructors is called. 2194 // Therefore we need to instrument such methods with a call to __asan_init 2195 // at the beginning in order to initialize our runtime before any access to 2196 // the shadow memory. 2197 // We cannot just ignore these methods, because they may call other 2198 // instrumented functions. 2199 if (F.getName().find(" load]") != std::string::npos) { 2200 Function *AsanInitFunction = 2201 declareSanitizerInitFunction(*F.getParent(), kAsanInitName, {}); 2202 IRBuilder<> IRB(&F.front(), F.front().begin()); 2203 IRB.CreateCall(AsanInitFunction, {}); 2204 return true; 2205 } 2206 return false; 2207 } 2208 2209 void AddressSanitizer::maybeInsertDynamicShadowAtFunctionEntry(Function &F) { 2210 // Generate code only when dynamic addressing is needed. 2211 if (Mapping.Offset != kDynamicShadowSentinel) 2212 return; 2213 2214 IRBuilder<> IRB(&F.front().front()); 2215 Value *GlobalDynamicAddress = F.getParent()->getOrInsertGlobal( 2216 kAsanShadowMemoryDynamicAddress, IntptrTy); 2217 LocalDynamicShadow = IRB.CreateLoad(GlobalDynamicAddress); 2218 } 2219 2220 void AddressSanitizer::markEscapedLocalAllocas(Function &F) { 2221 // Find the one possible call to llvm.localescape and pre-mark allocas passed 2222 // to it as uninteresting. This assumes we haven't started processing allocas 2223 // yet. This check is done up front because iterating the use list in 2224 // isInterestingAlloca would be algorithmically slower. 2225 assert(ProcessedAllocas.empty() && "must process localescape before allocas"); 2226 2227 // Try to get the declaration of llvm.localescape. If it's not in the module, 2228 // we can exit early. 2229 if (!F.getParent()->getFunction("llvm.localescape")) return; 2230 2231 // Look for a call to llvm.localescape call in the entry block. It can't be in 2232 // any other block. 2233 for (Instruction &I : F.getEntryBlock()) { 2234 IntrinsicInst *II = dyn_cast<IntrinsicInst>(&I); 2235 if (II && II->getIntrinsicID() == Intrinsic::localescape) { 2236 // We found a call. Mark all the allocas passed in as uninteresting. 2237 for (Value *Arg : II->arg_operands()) { 2238 AllocaInst *AI = dyn_cast<AllocaInst>(Arg->stripPointerCasts()); 2239 assert(AI && AI->isStaticAlloca() && 2240 "non-static alloca arg to localescape"); 2241 ProcessedAllocas[AI] = false; 2242 } 2243 break; 2244 } 2245 } 2246 } 2247 2248 bool AddressSanitizer::runOnFunction(Function &F) { 2249 if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false; 2250 if (!ClDebugFunc.empty() && ClDebugFunc == F.getName()) return false; 2251 if (F.getName().startswith("__asan_")) return false; 2252 2253 bool FunctionModified = false; 2254 2255 // If needed, insert __asan_init before checking for SanitizeAddress attr. 2256 // This function needs to be called even if the function body is not 2257 // instrumented. 2258 if (maybeInsertAsanInitAtFunctionEntry(F)) 2259 FunctionModified = true; 2260 2261 // Leave if the function doesn't need instrumentation. 2262 if (!F.hasFnAttribute(Attribute::SanitizeAddress)) return FunctionModified; 2263 2264 DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); 2265 2266 initializeCallbacks(*F.getParent()); 2267 DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree(); 2268 2269 FunctionStateRAII CleanupObj(this); 2270 2271 maybeInsertDynamicShadowAtFunctionEntry(F); 2272 2273 // We can't instrument allocas used with llvm.localescape. Only static allocas 2274 // can be passed to that intrinsic. 2275 markEscapedLocalAllocas(F); 2276 2277 // We want to instrument every address only once per basic block (unless there 2278 // are calls between uses). 2279 SmallSet<Value *, 16> TempsToInstrument; 2280 SmallVector<Instruction *, 16> ToInstrument; 2281 SmallVector<Instruction *, 8> NoReturnCalls; 2282 SmallVector<BasicBlock *, 16> AllBlocks; 2283 SmallVector<Instruction *, 16> PointerComparisonsOrSubtracts; 2284 int NumAllocas = 0; 2285 bool IsWrite; 2286 unsigned Alignment; 2287 uint64_t TypeSize; 2288 const TargetLibraryInfo *TLI = 2289 &getAnalysis<TargetLibraryInfoWrapperPass>().getTLI(); 2290 2291 // Fill the set of memory operations to instrument. 2292 for (auto &BB : F) { 2293 AllBlocks.push_back(&BB); 2294 TempsToInstrument.clear(); 2295 int NumInsnsPerBB = 0; 2296 for (auto &Inst : BB) { 2297 if (LooksLikeCodeInBug11395(&Inst)) return false; 2298 Value *MaybeMask = nullptr; 2299 if (Value *Addr = isInterestingMemoryAccess(&Inst, &IsWrite, &TypeSize, 2300 &Alignment, &MaybeMask)) { 2301 if (ClOpt && ClOptSameTemp) { 2302 // If we have a mask, skip instrumentation if we've already 2303 // instrumented the full object. But don't add to TempsToInstrument 2304 // because we might get another load/store with a different mask. 2305 if (MaybeMask) { 2306 if (TempsToInstrument.count(Addr)) 2307 continue; // We've seen this (whole) temp in the current BB. 2308 } else { 2309 if (!TempsToInstrument.insert(Addr).second) 2310 continue; // We've seen this temp in the current BB. 2311 } 2312 } 2313 } else if (ClInvalidPointerPairs && 2314 isInterestingPointerComparisonOrSubtraction(&Inst)) { 2315 PointerComparisonsOrSubtracts.push_back(&Inst); 2316 continue; 2317 } else if (isa<MemIntrinsic>(Inst)) { 2318 // ok, take it. 2319 } else { 2320 if (isa<AllocaInst>(Inst)) NumAllocas++; 2321 CallSite CS(&Inst); 2322 if (CS) { 2323 // A call inside BB. 2324 TempsToInstrument.clear(); 2325 if (CS.doesNotReturn()) NoReturnCalls.push_back(CS.getInstruction()); 2326 } 2327 if (CallInst *CI = dyn_cast<CallInst>(&Inst)) 2328 maybeMarkSanitizerLibraryCallNoBuiltin(CI, TLI); 2329 continue; 2330 } 2331 ToInstrument.push_back(&Inst); 2332 NumInsnsPerBB++; 2333 if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) break; 2334 } 2335 } 2336 2337 bool UseCalls = 2338 CompileKernel || 2339 (ClInstrumentationWithCallsThreshold >= 0 && 2340 ToInstrument.size() > (unsigned)ClInstrumentationWithCallsThreshold); 2341 const DataLayout &DL = F.getParent()->getDataLayout(); 2342 ObjectSizeOpts ObjSizeOpts; 2343 ObjSizeOpts.RoundToAlign = true; 2344 ObjectSizeOffsetVisitor ObjSizeVis(DL, TLI, F.getContext(), ObjSizeOpts); 2345 2346 // Instrument. 2347 int NumInstrumented = 0; 2348 for (auto Inst : ToInstrument) { 2349 if (ClDebugMin < 0 || ClDebugMax < 0 || 2350 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 2351 if (isInterestingMemoryAccess(Inst, &IsWrite, &TypeSize, &Alignment)) 2352 instrumentMop(ObjSizeVis, Inst, UseCalls, 2353 F.getParent()->getDataLayout()); 2354 else 2355 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 2356 } 2357 NumInstrumented++; 2358 } 2359 2360 FunctionStackPoisoner FSP(F, *this); 2361 bool ChangedStack = FSP.runOnFunction(); 2362 2363 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 2364 // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37 2365 for (auto CI : NoReturnCalls) { 2366 IRBuilder<> IRB(CI); 2367 IRB.CreateCall(AsanHandleNoReturnFunc, {}); 2368 } 2369 2370 for (auto Inst : PointerComparisonsOrSubtracts) { 2371 instrumentPointerComparisonOrSubtraction(Inst); 2372 NumInstrumented++; 2373 } 2374 2375 if (NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty()) 2376 FunctionModified = true; 2377 2378 DEBUG(dbgs() << "ASAN done instrumenting: " << FunctionModified << " " 2379 << F << "\n"); 2380 2381 return FunctionModified; 2382 } 2383 2384 // Workaround for bug 11395: we don't want to instrument stack in functions 2385 // with large assembly blobs (32-bit only), otherwise reg alloc may crash. 2386 // FIXME: remove once the bug 11395 is fixed. 2387 bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 2388 if (LongSize != 32) return false; 2389 CallInst *CI = dyn_cast<CallInst>(I); 2390 if (!CI || !CI->isInlineAsm()) return false; 2391 if (CI->getNumArgOperands() <= 5) return false; 2392 // We have inline assembly with quite a few arguments. 2393 return true; 2394 } 2395 2396 void FunctionStackPoisoner::initializeCallbacks(Module &M) { 2397 IRBuilder<> IRB(*C); 2398 for (int i = 0; i <= kMaxAsanStackMallocSizeClass; i++) { 2399 std::string Suffix = itostr(i); 2400 AsanStackMallocFunc[i] = checkSanitizerInterfaceFunction( 2401 M.getOrInsertFunction(kAsanStackMallocNameTemplate + Suffix, IntptrTy, 2402 IntptrTy)); 2403 AsanStackFreeFunc[i] = checkSanitizerInterfaceFunction( 2404 M.getOrInsertFunction(kAsanStackFreeNameTemplate + Suffix, 2405 IRB.getVoidTy(), IntptrTy, IntptrTy)); 2406 } 2407 if (ASan.UseAfterScope) { 2408 AsanPoisonStackMemoryFunc = checkSanitizerInterfaceFunction( 2409 M.getOrInsertFunction(kAsanPoisonStackMemoryName, IRB.getVoidTy(), 2410 IntptrTy, IntptrTy)); 2411 AsanUnpoisonStackMemoryFunc = checkSanitizerInterfaceFunction( 2412 M.getOrInsertFunction(kAsanUnpoisonStackMemoryName, IRB.getVoidTy(), 2413 IntptrTy, IntptrTy)); 2414 } 2415 2416 for (size_t Val : {0x00, 0xf1, 0xf2, 0xf3, 0xf5, 0xf8}) { 2417 std::ostringstream Name; 2418 Name << kAsanSetShadowPrefix; 2419 Name << std::setw(2) << std::setfill('0') << std::hex << Val; 2420 AsanSetShadowFunc[Val] = 2421 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2422 Name.str(), IRB.getVoidTy(), IntptrTy, IntptrTy)); 2423 } 2424 2425 AsanAllocaPoisonFunc = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2426 kAsanAllocaPoison, IRB.getVoidTy(), IntptrTy, IntptrTy)); 2427 AsanAllocasUnpoisonFunc = 2428 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2429 kAsanAllocasUnpoison, IRB.getVoidTy(), IntptrTy, IntptrTy)); 2430 } 2431 2432 void FunctionStackPoisoner::copyToShadowInline(ArrayRef<uint8_t> ShadowMask, 2433 ArrayRef<uint8_t> ShadowBytes, 2434 size_t Begin, size_t End, 2435 IRBuilder<> &IRB, 2436 Value *ShadowBase) { 2437 if (Begin >= End) 2438 return; 2439 2440 const size_t LargestStoreSizeInBytes = 2441 std::min<size_t>(sizeof(uint64_t), ASan.LongSize / 8); 2442 2443 const bool IsLittleEndian = F.getParent()->getDataLayout().isLittleEndian(); 2444 2445 // Poison given range in shadow using larges store size with out leading and 2446 // trailing zeros in ShadowMask. Zeros never change, so they need neither 2447 // poisoning nor up-poisoning. Still we don't mind if some of them get into a 2448 // middle of a store. 2449 for (size_t i = Begin; i < End;) { 2450 if (!ShadowMask[i]) { 2451 assert(!ShadowBytes[i]); 2452 ++i; 2453 continue; 2454 } 2455 2456 size_t StoreSizeInBytes = LargestStoreSizeInBytes; 2457 // Fit store size into the range. 2458 while (StoreSizeInBytes > End - i) 2459 StoreSizeInBytes /= 2; 2460 2461 // Minimize store size by trimming trailing zeros. 2462 for (size_t j = StoreSizeInBytes - 1; j && !ShadowMask[i + j]; --j) { 2463 while (j <= StoreSizeInBytes / 2) 2464 StoreSizeInBytes /= 2; 2465 } 2466 2467 uint64_t Val = 0; 2468 for (size_t j = 0; j < StoreSizeInBytes; j++) { 2469 if (IsLittleEndian) 2470 Val |= (uint64_t)ShadowBytes[i + j] << (8 * j); 2471 else 2472 Val = (Val << 8) | ShadowBytes[i + j]; 2473 } 2474 2475 Value *Ptr = IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)); 2476 Value *Poison = IRB.getIntN(StoreSizeInBytes * 8, Val); 2477 IRB.CreateAlignedStore( 2478 Poison, IRB.CreateIntToPtr(Ptr, Poison->getType()->getPointerTo()), 1); 2479 2480 i += StoreSizeInBytes; 2481 } 2482 } 2483 2484 void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask, 2485 ArrayRef<uint8_t> ShadowBytes, 2486 IRBuilder<> &IRB, Value *ShadowBase) { 2487 copyToShadow(ShadowMask, ShadowBytes, 0, ShadowMask.size(), IRB, ShadowBase); 2488 } 2489 2490 void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask, 2491 ArrayRef<uint8_t> ShadowBytes, 2492 size_t Begin, size_t End, 2493 IRBuilder<> &IRB, Value *ShadowBase) { 2494 assert(ShadowMask.size() == ShadowBytes.size()); 2495 size_t Done = Begin; 2496 for (size_t i = Begin, j = Begin + 1; i < End; i = j++) { 2497 if (!ShadowMask[i]) { 2498 assert(!ShadowBytes[i]); 2499 continue; 2500 } 2501 uint8_t Val = ShadowBytes[i]; 2502 if (!AsanSetShadowFunc[Val]) 2503 continue; 2504 2505 // Skip same values. 2506 for (; j < End && ShadowMask[j] && Val == ShadowBytes[j]; ++j) { 2507 } 2508 2509 if (j - i >= ClMaxInlinePoisoningSize) { 2510 copyToShadowInline(ShadowMask, ShadowBytes, Done, i, IRB, ShadowBase); 2511 IRB.CreateCall(AsanSetShadowFunc[Val], 2512 {IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)), 2513 ConstantInt::get(IntptrTy, j - i)}); 2514 Done = j; 2515 } 2516 } 2517 2518 copyToShadowInline(ShadowMask, ShadowBytes, Done, End, IRB, ShadowBase); 2519 } 2520 2521 // Fake stack allocator (asan_fake_stack.h) has 11 size classes 2522 // for every power of 2 from kMinStackMallocSize to kMaxAsanStackMallocSizeClass 2523 static int StackMallocSizeClass(uint64_t LocalStackSize) { 2524 assert(LocalStackSize <= kMaxStackMallocSize); 2525 uint64_t MaxSize = kMinStackMallocSize; 2526 for (int i = 0;; i++, MaxSize *= 2) 2527 if (LocalStackSize <= MaxSize) return i; 2528 llvm_unreachable("impossible LocalStackSize"); 2529 } 2530 2531 PHINode *FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value *Cond, 2532 Value *ValueIfTrue, 2533 Instruction *ThenTerm, 2534 Value *ValueIfFalse) { 2535 PHINode *PHI = IRB.CreatePHI(IntptrTy, 2); 2536 BasicBlock *CondBlock = cast<Instruction>(Cond)->getParent(); 2537 PHI->addIncoming(ValueIfFalse, CondBlock); 2538 BasicBlock *ThenBlock = ThenTerm->getParent(); 2539 PHI->addIncoming(ValueIfTrue, ThenBlock); 2540 return PHI; 2541 } 2542 2543 Value *FunctionStackPoisoner::createAllocaForLayout( 2544 IRBuilder<> &IRB, const ASanStackFrameLayout &L, bool Dynamic) { 2545 AllocaInst *Alloca; 2546 if (Dynamic) { 2547 Alloca = IRB.CreateAlloca(IRB.getInt8Ty(), 2548 ConstantInt::get(IRB.getInt64Ty(), L.FrameSize), 2549 "MyAlloca"); 2550 } else { 2551 Alloca = IRB.CreateAlloca(ArrayType::get(IRB.getInt8Ty(), L.FrameSize), 2552 nullptr, "MyAlloca"); 2553 assert(Alloca->isStaticAlloca()); 2554 } 2555 assert((ClRealignStack & (ClRealignStack - 1)) == 0); 2556 size_t FrameAlignment = std::max(L.FrameAlignment, (size_t)ClRealignStack); 2557 Alloca->setAlignment(FrameAlignment); 2558 return IRB.CreatePointerCast(Alloca, IntptrTy); 2559 } 2560 2561 void FunctionStackPoisoner::createDynamicAllocasInitStorage() { 2562 BasicBlock &FirstBB = *F.begin(); 2563 IRBuilder<> IRB(dyn_cast<Instruction>(FirstBB.begin())); 2564 DynamicAllocaLayout = IRB.CreateAlloca(IntptrTy, nullptr); 2565 IRB.CreateStore(Constant::getNullValue(IntptrTy), DynamicAllocaLayout); 2566 DynamicAllocaLayout->setAlignment(32); 2567 } 2568 2569 void FunctionStackPoisoner::processDynamicAllocas() { 2570 if (!ClInstrumentDynamicAllocas || DynamicAllocaVec.empty()) { 2571 assert(DynamicAllocaPoisonCallVec.empty()); 2572 return; 2573 } 2574 2575 // Insert poison calls for lifetime intrinsics for dynamic allocas. 2576 for (const auto &APC : DynamicAllocaPoisonCallVec) { 2577 assert(APC.InsBefore); 2578 assert(APC.AI); 2579 assert(ASan.isInterestingAlloca(*APC.AI)); 2580 assert(!APC.AI->isStaticAlloca()); 2581 2582 IRBuilder<> IRB(APC.InsBefore); 2583 poisonAlloca(APC.AI, APC.Size, IRB, APC.DoPoison); 2584 // Dynamic allocas will be unpoisoned unconditionally below in 2585 // unpoisonDynamicAllocas. 2586 // Flag that we need unpoison static allocas. 2587 } 2588 2589 // Handle dynamic allocas. 2590 createDynamicAllocasInitStorage(); 2591 for (auto &AI : DynamicAllocaVec) 2592 handleDynamicAllocaCall(AI); 2593 unpoisonDynamicAllocas(); 2594 } 2595 2596 void FunctionStackPoisoner::processStaticAllocas() { 2597 if (AllocaVec.empty()) { 2598 assert(StaticAllocaPoisonCallVec.empty()); 2599 return; 2600 } 2601 2602 int StackMallocIdx = -1; 2603 DebugLoc EntryDebugLocation; 2604 if (auto SP = F.getSubprogram()) 2605 EntryDebugLocation = DebugLoc::get(SP->getScopeLine(), 0, SP); 2606 2607 Instruction *InsBefore = AllocaVec[0]; 2608 IRBuilder<> IRB(InsBefore); 2609 IRB.SetCurrentDebugLocation(EntryDebugLocation); 2610 2611 // Make sure non-instrumented allocas stay in the entry block. Otherwise, 2612 // debug info is broken, because only entry-block allocas are treated as 2613 // regular stack slots. 2614 auto InsBeforeB = InsBefore->getParent(); 2615 assert(InsBeforeB == &F.getEntryBlock()); 2616 for (auto *AI : StaticAllocasToMoveUp) 2617 if (AI->getParent() == InsBeforeB) 2618 AI->moveBefore(InsBefore); 2619 2620 // If we have a call to llvm.localescape, keep it in the entry block. 2621 if (LocalEscapeCall) LocalEscapeCall->moveBefore(InsBefore); 2622 2623 SmallVector<ASanStackVariableDescription, 16> SVD; 2624 SVD.reserve(AllocaVec.size()); 2625 for (AllocaInst *AI : AllocaVec) { 2626 ASanStackVariableDescription D = {AI->getName().data(), 2627 ASan.getAllocaSizeInBytes(*AI), 2628 0, 2629 AI->getAlignment(), 2630 AI, 2631 0, 2632 0}; 2633 SVD.push_back(D); 2634 } 2635 2636 // Minimal header size (left redzone) is 4 pointers, 2637 // i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms. 2638 size_t MinHeaderSize = ASan.LongSize / 2; 2639 const ASanStackFrameLayout &L = 2640 ComputeASanStackFrameLayout(SVD, 1ULL << Mapping.Scale, MinHeaderSize); 2641 2642 // Build AllocaToSVDMap for ASanStackVariableDescription lookup. 2643 DenseMap<const AllocaInst *, ASanStackVariableDescription *> AllocaToSVDMap; 2644 for (auto &Desc : SVD) 2645 AllocaToSVDMap[Desc.AI] = &Desc; 2646 2647 // Update SVD with information from lifetime intrinsics. 2648 for (const auto &APC : StaticAllocaPoisonCallVec) { 2649 assert(APC.InsBefore); 2650 assert(APC.AI); 2651 assert(ASan.isInterestingAlloca(*APC.AI)); 2652 assert(APC.AI->isStaticAlloca()); 2653 2654 ASanStackVariableDescription &Desc = *AllocaToSVDMap[APC.AI]; 2655 Desc.LifetimeSize = Desc.Size; 2656 if (const DILocation *FnLoc = EntryDebugLocation.get()) { 2657 if (const DILocation *LifetimeLoc = APC.InsBefore->getDebugLoc().get()) { 2658 if (LifetimeLoc->getFile() == FnLoc->getFile()) 2659 if (unsigned Line = LifetimeLoc->getLine()) 2660 Desc.Line = std::min(Desc.Line ? Desc.Line : Line, Line); 2661 } 2662 } 2663 } 2664 2665 auto DescriptionString = ComputeASanStackFrameDescription(SVD); 2666 DEBUG(dbgs() << DescriptionString << " --- " << L.FrameSize << "\n"); 2667 uint64_t LocalStackSize = L.FrameSize; 2668 bool DoStackMalloc = ClUseAfterReturn && !ASan.CompileKernel && 2669 LocalStackSize <= kMaxStackMallocSize; 2670 bool DoDynamicAlloca = ClDynamicAllocaStack; 2671 // Don't do dynamic alloca or stack malloc if: 2672 // 1) There is inline asm: too often it makes assumptions on which registers 2673 // are available. 2674 // 2) There is a returns_twice call (typically setjmp), which is 2675 // optimization-hostile, and doesn't play well with introduced indirect 2676 // register-relative calculation of local variable addresses. 2677 DoDynamicAlloca &= !HasNonEmptyInlineAsm && !HasReturnsTwiceCall; 2678 DoStackMalloc &= !HasNonEmptyInlineAsm && !HasReturnsTwiceCall; 2679 2680 Value *StaticAlloca = 2681 DoDynamicAlloca ? nullptr : createAllocaForLayout(IRB, L, false); 2682 2683 Value *FakeStack; 2684 Value *LocalStackBase; 2685 2686 if (DoStackMalloc) { 2687 // void *FakeStack = __asan_option_detect_stack_use_after_return 2688 // ? __asan_stack_malloc_N(LocalStackSize) 2689 // : nullptr; 2690 // void *LocalStackBase = (FakeStack) ? FakeStack : alloca(LocalStackSize); 2691 Constant *OptionDetectUseAfterReturn = F.getParent()->getOrInsertGlobal( 2692 kAsanOptionDetectUseAfterReturn, IRB.getInt32Ty()); 2693 Value *UseAfterReturnIsEnabled = 2694 IRB.CreateICmpNE(IRB.CreateLoad(OptionDetectUseAfterReturn), 2695 Constant::getNullValue(IRB.getInt32Ty())); 2696 Instruction *Term = 2697 SplitBlockAndInsertIfThen(UseAfterReturnIsEnabled, InsBefore, false); 2698 IRBuilder<> IRBIf(Term); 2699 IRBIf.SetCurrentDebugLocation(EntryDebugLocation); 2700 StackMallocIdx = StackMallocSizeClass(LocalStackSize); 2701 assert(StackMallocIdx <= kMaxAsanStackMallocSizeClass); 2702 Value *FakeStackValue = 2703 IRBIf.CreateCall(AsanStackMallocFunc[StackMallocIdx], 2704 ConstantInt::get(IntptrTy, LocalStackSize)); 2705 IRB.SetInsertPoint(InsBefore); 2706 IRB.SetCurrentDebugLocation(EntryDebugLocation); 2707 FakeStack = createPHI(IRB, UseAfterReturnIsEnabled, FakeStackValue, Term, 2708 ConstantInt::get(IntptrTy, 0)); 2709 2710 Value *NoFakeStack = 2711 IRB.CreateICmpEQ(FakeStack, Constant::getNullValue(IntptrTy)); 2712 Term = SplitBlockAndInsertIfThen(NoFakeStack, InsBefore, false); 2713 IRBIf.SetInsertPoint(Term); 2714 IRBIf.SetCurrentDebugLocation(EntryDebugLocation); 2715 Value *AllocaValue = 2716 DoDynamicAlloca ? createAllocaForLayout(IRBIf, L, true) : StaticAlloca; 2717 IRB.SetInsertPoint(InsBefore); 2718 IRB.SetCurrentDebugLocation(EntryDebugLocation); 2719 LocalStackBase = createPHI(IRB, NoFakeStack, AllocaValue, Term, FakeStack); 2720 } else { 2721 // void *FakeStack = nullptr; 2722 // void *LocalStackBase = alloca(LocalStackSize); 2723 FakeStack = ConstantInt::get(IntptrTy, 0); 2724 LocalStackBase = 2725 DoDynamicAlloca ? createAllocaForLayout(IRB, L, true) : StaticAlloca; 2726 } 2727 2728 // Replace Alloca instructions with base+offset. 2729 for (const auto &Desc : SVD) { 2730 AllocaInst *AI = Desc.AI; 2731 Value *NewAllocaPtr = IRB.CreateIntToPtr( 2732 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Desc.Offset)), 2733 AI->getType()); 2734 replaceDbgDeclareForAlloca(AI, NewAllocaPtr, DIB, DIExpression::NoDeref); 2735 AI->replaceAllUsesWith(NewAllocaPtr); 2736 } 2737 2738 // The left-most redzone has enough space for at least 4 pointers. 2739 // Write the Magic value to redzone[0]. 2740 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 2741 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 2742 BasePlus0); 2743 // Write the frame description constant to redzone[1]. 2744 Value *BasePlus1 = IRB.CreateIntToPtr( 2745 IRB.CreateAdd(LocalStackBase, 2746 ConstantInt::get(IntptrTy, ASan.LongSize / 8)), 2747 IntptrPtrTy); 2748 GlobalVariable *StackDescriptionGlobal = 2749 createPrivateGlobalForString(*F.getParent(), DescriptionString, 2750 /*AllowMerging*/ true); 2751 Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, IntptrTy); 2752 IRB.CreateStore(Description, BasePlus1); 2753 // Write the PC to redzone[2]. 2754 Value *BasePlus2 = IRB.CreateIntToPtr( 2755 IRB.CreateAdd(LocalStackBase, 2756 ConstantInt::get(IntptrTy, 2 * ASan.LongSize / 8)), 2757 IntptrPtrTy); 2758 IRB.CreateStore(IRB.CreatePointerCast(&F, IntptrTy), BasePlus2); 2759 2760 const auto &ShadowAfterScope = GetShadowBytesAfterScope(SVD, L); 2761 2762 // Poison the stack red zones at the entry. 2763 Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB); 2764 // As mask we must use most poisoned case: red zones and after scope. 2765 // As bytes we can use either the same or just red zones only. 2766 copyToShadow(ShadowAfterScope, ShadowAfterScope, IRB, ShadowBase); 2767 2768 if (!StaticAllocaPoisonCallVec.empty()) { 2769 const auto &ShadowInScope = GetShadowBytes(SVD, L); 2770 2771 // Poison static allocas near lifetime intrinsics. 2772 for (const auto &APC : StaticAllocaPoisonCallVec) { 2773 const ASanStackVariableDescription &Desc = *AllocaToSVDMap[APC.AI]; 2774 assert(Desc.Offset % L.Granularity == 0); 2775 size_t Begin = Desc.Offset / L.Granularity; 2776 size_t End = Begin + (APC.Size + L.Granularity - 1) / L.Granularity; 2777 2778 IRBuilder<> IRB(APC.InsBefore); 2779 copyToShadow(ShadowAfterScope, 2780 APC.DoPoison ? ShadowAfterScope : ShadowInScope, Begin, End, 2781 IRB, ShadowBase); 2782 } 2783 } 2784 2785 SmallVector<uint8_t, 64> ShadowClean(ShadowAfterScope.size(), 0); 2786 SmallVector<uint8_t, 64> ShadowAfterReturn; 2787 2788 // (Un)poison the stack before all ret instructions. 2789 for (auto Ret : RetVec) { 2790 IRBuilder<> IRBRet(Ret); 2791 // Mark the current frame as retired. 2792 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 2793 BasePlus0); 2794 if (DoStackMalloc) { 2795 assert(StackMallocIdx >= 0); 2796 // if FakeStack != 0 // LocalStackBase == FakeStack 2797 // // In use-after-return mode, poison the whole stack frame. 2798 // if StackMallocIdx <= 4 2799 // // For small sizes inline the whole thing: 2800 // memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize); 2801 // **SavedFlagPtr(FakeStack) = 0 2802 // else 2803 // __asan_stack_free_N(FakeStack, LocalStackSize) 2804 // else 2805 // <This is not a fake stack; unpoison the redzones> 2806 Value *Cmp = 2807 IRBRet.CreateICmpNE(FakeStack, Constant::getNullValue(IntptrTy)); 2808 TerminatorInst *ThenTerm, *ElseTerm; 2809 SplitBlockAndInsertIfThenElse(Cmp, Ret, &ThenTerm, &ElseTerm); 2810 2811 IRBuilder<> IRBPoison(ThenTerm); 2812 if (StackMallocIdx <= 4) { 2813 int ClassSize = kMinStackMallocSize << StackMallocIdx; 2814 ShadowAfterReturn.resize(ClassSize / L.Granularity, 2815 kAsanStackUseAfterReturnMagic); 2816 copyToShadow(ShadowAfterReturn, ShadowAfterReturn, IRBPoison, 2817 ShadowBase); 2818 Value *SavedFlagPtrPtr = IRBPoison.CreateAdd( 2819 FakeStack, 2820 ConstantInt::get(IntptrTy, ClassSize - ASan.LongSize / 8)); 2821 Value *SavedFlagPtr = IRBPoison.CreateLoad( 2822 IRBPoison.CreateIntToPtr(SavedFlagPtrPtr, IntptrPtrTy)); 2823 IRBPoison.CreateStore( 2824 Constant::getNullValue(IRBPoison.getInt8Ty()), 2825 IRBPoison.CreateIntToPtr(SavedFlagPtr, IRBPoison.getInt8PtrTy())); 2826 } else { 2827 // For larger frames call __asan_stack_free_*. 2828 IRBPoison.CreateCall( 2829 AsanStackFreeFunc[StackMallocIdx], 2830 {FakeStack, ConstantInt::get(IntptrTy, LocalStackSize)}); 2831 } 2832 2833 IRBuilder<> IRBElse(ElseTerm); 2834 copyToShadow(ShadowAfterScope, ShadowClean, IRBElse, ShadowBase); 2835 } else { 2836 copyToShadow(ShadowAfterScope, ShadowClean, IRBRet, ShadowBase); 2837 } 2838 } 2839 2840 // We are done. Remove the old unused alloca instructions. 2841 for (auto AI : AllocaVec) AI->eraseFromParent(); 2842 } 2843 2844 void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size, 2845 IRBuilder<> &IRB, bool DoPoison) { 2846 // For now just insert the call to ASan runtime. 2847 Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy); 2848 Value *SizeArg = ConstantInt::get(IntptrTy, Size); 2849 IRB.CreateCall( 2850 DoPoison ? AsanPoisonStackMemoryFunc : AsanUnpoisonStackMemoryFunc, 2851 {AddrArg, SizeArg}); 2852 } 2853 2854 // Handling llvm.lifetime intrinsics for a given %alloca: 2855 // (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca. 2856 // (2) if %size is constant, poison memory for llvm.lifetime.end (to detect 2857 // invalid accesses) and unpoison it for llvm.lifetime.start (the memory 2858 // could be poisoned by previous llvm.lifetime.end instruction, as the 2859 // variable may go in and out of scope several times, e.g. in loops). 2860 // (3) if we poisoned at least one %alloca in a function, 2861 // unpoison the whole stack frame at function exit. 2862 2863 AllocaInst *FunctionStackPoisoner::findAllocaForValue(Value *V) { 2864 if (AllocaInst *AI = dyn_cast<AllocaInst>(V)) 2865 // We're interested only in allocas we can handle. 2866 return ASan.isInterestingAlloca(*AI) ? AI : nullptr; 2867 // See if we've already calculated (or started to calculate) alloca for a 2868 // given value. 2869 AllocaForValueMapTy::iterator I = AllocaForValue.find(V); 2870 if (I != AllocaForValue.end()) return I->second; 2871 // Store 0 while we're calculating alloca for value V to avoid 2872 // infinite recursion if the value references itself. 2873 AllocaForValue[V] = nullptr; 2874 AllocaInst *Res = nullptr; 2875 if (CastInst *CI = dyn_cast<CastInst>(V)) 2876 Res = findAllocaForValue(CI->getOperand(0)); 2877 else if (PHINode *PN = dyn_cast<PHINode>(V)) { 2878 for (Value *IncValue : PN->incoming_values()) { 2879 // Allow self-referencing phi-nodes. 2880 if (IncValue == PN) continue; 2881 AllocaInst *IncValueAI = findAllocaForValue(IncValue); 2882 // AI for incoming values should exist and should all be equal. 2883 if (IncValueAI == nullptr || (Res != nullptr && IncValueAI != Res)) 2884 return nullptr; 2885 Res = IncValueAI; 2886 } 2887 } else if (GetElementPtrInst *EP = dyn_cast<GetElementPtrInst>(V)) { 2888 Res = findAllocaForValue(EP->getPointerOperand()); 2889 } else { 2890 DEBUG(dbgs() << "Alloca search canceled on unknown instruction: " << *V << "\n"); 2891 } 2892 if (Res) AllocaForValue[V] = Res; 2893 return Res; 2894 } 2895 2896 void FunctionStackPoisoner::handleDynamicAllocaCall(AllocaInst *AI) { 2897 IRBuilder<> IRB(AI); 2898 2899 const unsigned Align = std::max(kAllocaRzSize, AI->getAlignment()); 2900 const uint64_t AllocaRedzoneMask = kAllocaRzSize - 1; 2901 2902 Value *Zero = Constant::getNullValue(IntptrTy); 2903 Value *AllocaRzSize = ConstantInt::get(IntptrTy, kAllocaRzSize); 2904 Value *AllocaRzMask = ConstantInt::get(IntptrTy, AllocaRedzoneMask); 2905 2906 // Since we need to extend alloca with additional memory to locate 2907 // redzones, and OldSize is number of allocated blocks with 2908 // ElementSize size, get allocated memory size in bytes by 2909 // OldSize * ElementSize. 2910 const unsigned ElementSize = 2911 F.getParent()->getDataLayout().getTypeAllocSize(AI->getAllocatedType()); 2912 Value *OldSize = 2913 IRB.CreateMul(IRB.CreateIntCast(AI->getArraySize(), IntptrTy, false), 2914 ConstantInt::get(IntptrTy, ElementSize)); 2915 2916 // PartialSize = OldSize % 32 2917 Value *PartialSize = IRB.CreateAnd(OldSize, AllocaRzMask); 2918 2919 // Misalign = kAllocaRzSize - PartialSize; 2920 Value *Misalign = IRB.CreateSub(AllocaRzSize, PartialSize); 2921 2922 // PartialPadding = Misalign != kAllocaRzSize ? Misalign : 0; 2923 Value *Cond = IRB.CreateICmpNE(Misalign, AllocaRzSize); 2924 Value *PartialPadding = IRB.CreateSelect(Cond, Misalign, Zero); 2925 2926 // AdditionalChunkSize = Align + PartialPadding + kAllocaRzSize 2927 // Align is added to locate left redzone, PartialPadding for possible 2928 // partial redzone and kAllocaRzSize for right redzone respectively. 2929 Value *AdditionalChunkSize = IRB.CreateAdd( 2930 ConstantInt::get(IntptrTy, Align + kAllocaRzSize), PartialPadding); 2931 2932 Value *NewSize = IRB.CreateAdd(OldSize, AdditionalChunkSize); 2933 2934 // Insert new alloca with new NewSize and Align params. 2935 AllocaInst *NewAlloca = IRB.CreateAlloca(IRB.getInt8Ty(), NewSize); 2936 NewAlloca->setAlignment(Align); 2937 2938 // NewAddress = Address + Align 2939 Value *NewAddress = IRB.CreateAdd(IRB.CreatePtrToInt(NewAlloca, IntptrTy), 2940 ConstantInt::get(IntptrTy, Align)); 2941 2942 // Insert __asan_alloca_poison call for new created alloca. 2943 IRB.CreateCall(AsanAllocaPoisonFunc, {NewAddress, OldSize}); 2944 2945 // Store the last alloca's address to DynamicAllocaLayout. We'll need this 2946 // for unpoisoning stuff. 2947 IRB.CreateStore(IRB.CreatePtrToInt(NewAlloca, IntptrTy), DynamicAllocaLayout); 2948 2949 Value *NewAddressPtr = IRB.CreateIntToPtr(NewAddress, AI->getType()); 2950 2951 // Replace all uses of AddessReturnedByAlloca with NewAddressPtr. 2952 AI->replaceAllUsesWith(NewAddressPtr); 2953 2954 // We are done. Erase old alloca from parent. 2955 AI->eraseFromParent(); 2956 } 2957 2958 // isSafeAccess returns true if Addr is always inbounds with respect to its 2959 // base object. For example, it is a field access or an array access with 2960 // constant inbounds index. 2961 bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, 2962 Value *Addr, uint64_t TypeSize) const { 2963 SizeOffsetType SizeOffset = ObjSizeVis.compute(Addr); 2964 if (!ObjSizeVis.bothKnown(SizeOffset)) return false; 2965 uint64_t Size = SizeOffset.first.getZExtValue(); 2966 int64_t Offset = SizeOffset.second.getSExtValue(); 2967 // Three checks are required to ensure safety: 2968 // . Offset >= 0 (since the offset is given from the base ptr) 2969 // . Size >= Offset (unsigned) 2970 // . Size - Offset >= NeededSize (unsigned) 2971 return Offset >= 0 && Size >= uint64_t(Offset) && 2972 Size - uint64_t(Offset) >= TypeSize / 8; 2973 } 2974