1 //===- AddressSanitizer.cpp - memory error detector -----------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file is a part of AddressSanitizer, an address sanity checker. 11 // Details of the algorithm: 12 // https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm 13 // 14 //===----------------------------------------------------------------------===// 15 16 #include "llvm/ADT/ArrayRef.h" 17 #include "llvm/ADT/DenseMap.h" 18 #include "llvm/ADT/DepthFirstIterator.h" 19 #include "llvm/ADT/SmallPtrSet.h" 20 #include "llvm/ADT/SmallVector.h" 21 #include "llvm/ADT/Statistic.h" 22 #include "llvm/ADT/StringExtras.h" 23 #include "llvm/ADT/StringRef.h" 24 #include "llvm/ADT/Triple.h" 25 #include "llvm/ADT/Twine.h" 26 #include "llvm/Analysis/MemoryBuiltins.h" 27 #include "llvm/Analysis/TargetLibraryInfo.h" 28 #include "llvm/Transforms/Utils/Local.h" 29 #include "llvm/Analysis/ValueTracking.h" 30 #include "llvm/BinaryFormat/MachO.h" 31 #include "llvm/IR/Argument.h" 32 #include "llvm/IR/Attributes.h" 33 #include "llvm/IR/BasicBlock.h" 34 #include "llvm/IR/CallSite.h" 35 #include "llvm/IR/Comdat.h" 36 #include "llvm/IR/Constant.h" 37 #include "llvm/IR/Constants.h" 38 #include "llvm/IR/DIBuilder.h" 39 #include "llvm/IR/DataLayout.h" 40 #include "llvm/IR/DebugInfoMetadata.h" 41 #include "llvm/IR/DebugLoc.h" 42 #include "llvm/IR/DerivedTypes.h" 43 #include "llvm/IR/Dominators.h" 44 #include "llvm/IR/Function.h" 45 #include "llvm/IR/GlobalAlias.h" 46 #include "llvm/IR/GlobalValue.h" 47 #include "llvm/IR/GlobalVariable.h" 48 #include "llvm/IR/IRBuilder.h" 49 #include "llvm/IR/InlineAsm.h" 50 #include "llvm/IR/InstVisitor.h" 51 #include "llvm/IR/InstrTypes.h" 52 #include "llvm/IR/Instruction.h" 53 #include "llvm/IR/Instructions.h" 54 #include "llvm/IR/IntrinsicInst.h" 55 #include "llvm/IR/Intrinsics.h" 56 #include "llvm/IR/LLVMContext.h" 57 #include "llvm/IR/MDBuilder.h" 58 #include "llvm/IR/Metadata.h" 59 #include "llvm/IR/Module.h" 60 #include "llvm/IR/Type.h" 61 #include "llvm/IR/Use.h" 62 #include "llvm/IR/Value.h" 63 #include "llvm/MC/MCSectionMachO.h" 64 #include "llvm/Pass.h" 65 #include "llvm/Support/Casting.h" 66 #include "llvm/Support/CommandLine.h" 67 #include "llvm/Support/Debug.h" 68 #include "llvm/Support/ErrorHandling.h" 69 #include "llvm/Support/MathExtras.h" 70 #include "llvm/Support/ScopedPrinter.h" 71 #include "llvm/Support/raw_ostream.h" 72 #include "llvm/Transforms/Instrumentation.h" 73 #include "llvm/Transforms/Utils/ASanStackFrameLayout.h" 74 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 75 #include "llvm/Transforms/Utils/ModuleUtils.h" 76 #include "llvm/Transforms/Utils/PromoteMemToReg.h" 77 #include <algorithm> 78 #include <cassert> 79 #include <cstddef> 80 #include <cstdint> 81 #include <iomanip> 82 #include <limits> 83 #include <memory> 84 #include <sstream> 85 #include <string> 86 #include <tuple> 87 88 using namespace llvm; 89 90 #define DEBUG_TYPE "asan" 91 92 static const uint64_t kDefaultShadowScale = 3; 93 static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 94 static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 95 static const uint64_t kDynamicShadowSentinel = 96 std::numeric_limits<uint64_t>::max(); 97 static const uint64_t kIOSShadowOffset32 = 1ULL << 30; 98 static const uint64_t kIOSSimShadowOffset32 = 1ULL << 30; 99 static const uint64_t kIOSSimShadowOffset64 = kDefaultShadowOffset64; 100 static const uint64_t kSmallX86_64ShadowOffsetBase = 0x7FFFFFFF; // < 2G. 101 static const uint64_t kSmallX86_64ShadowOffsetAlignMask = ~0xFFFULL; 102 static const uint64_t kLinuxKasan_ShadowOffset64 = 0xdffffc0000000000; 103 static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 44; 104 static const uint64_t kSystemZ_ShadowOffset64 = 1ULL << 52; 105 static const uint64_t kMIPS32_ShadowOffset32 = 0x0aaa0000; 106 static const uint64_t kMIPS64_ShadowOffset64 = 1ULL << 37; 107 static const uint64_t kAArch64_ShadowOffset64 = 1ULL << 36; 108 static const uint64_t kFreeBSD_ShadowOffset32 = 1ULL << 30; 109 static const uint64_t kFreeBSD_ShadowOffset64 = 1ULL << 46; 110 static const uint64_t kNetBSD_ShadowOffset32 = 1ULL << 30; 111 static const uint64_t kNetBSD_ShadowOffset64 = 1ULL << 46; 112 static const uint64_t kNetBSDKasan_ShadowOffset64 = 0xdfff900000000000; 113 static const uint64_t kPS4CPU_ShadowOffset64 = 1ULL << 40; 114 static const uint64_t kWindowsShadowOffset32 = 3ULL << 28; 115 116 static const uint64_t kMyriadShadowScale = 5; 117 static const uint64_t kMyriadMemoryOffset32 = 0x80000000ULL; 118 static const uint64_t kMyriadMemorySize32 = 0x20000000ULL; 119 static const uint64_t kMyriadTagShift = 29; 120 static const uint64_t kMyriadDDRTag = 4; 121 static const uint64_t kMyriadCacheBitMask32 = 0x40000000ULL; 122 123 // The shadow memory space is dynamically allocated. 124 static const uint64_t kWindowsShadowOffset64 = kDynamicShadowSentinel; 125 126 static const size_t kMinStackMallocSize = 1 << 6; // 64B 127 static const size_t kMaxStackMallocSize = 1 << 16; // 64K 128 static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 129 static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 130 131 static const char *const kAsanModuleCtorName = "asan.module_ctor"; 132 static const char *const kAsanModuleDtorName = "asan.module_dtor"; 133 static const uint64_t kAsanCtorAndDtorPriority = 1; 134 static const char *const kAsanReportErrorTemplate = "__asan_report_"; 135 static const char *const kAsanRegisterGlobalsName = "__asan_register_globals"; 136 static const char *const kAsanUnregisterGlobalsName = 137 "__asan_unregister_globals"; 138 static const char *const kAsanRegisterImageGlobalsName = 139 "__asan_register_image_globals"; 140 static const char *const kAsanUnregisterImageGlobalsName = 141 "__asan_unregister_image_globals"; 142 static const char *const kAsanRegisterElfGlobalsName = 143 "__asan_register_elf_globals"; 144 static const char *const kAsanUnregisterElfGlobalsName = 145 "__asan_unregister_elf_globals"; 146 static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init"; 147 static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init"; 148 static const char *const kAsanInitName = "__asan_init"; 149 static const char *const kAsanVersionCheckNamePrefix = 150 "__asan_version_mismatch_check_v"; 151 static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp"; 152 static const char *const kAsanPtrSub = "__sanitizer_ptr_sub"; 153 static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return"; 154 static const int kMaxAsanStackMallocSizeClass = 10; 155 static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_"; 156 static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_"; 157 static const char *const kAsanGenPrefix = "___asan_gen_"; 158 static const char *const kODRGenPrefix = "__odr_asan_gen_"; 159 static const char *const kSanCovGenPrefix = "__sancov_gen_"; 160 static const char *const kAsanSetShadowPrefix = "__asan_set_shadow_"; 161 static const char *const kAsanPoisonStackMemoryName = 162 "__asan_poison_stack_memory"; 163 static const char *const kAsanUnpoisonStackMemoryName = 164 "__asan_unpoison_stack_memory"; 165 166 // ASan version script has __asan_* wildcard. Triple underscore prevents a 167 // linker (gold) warning about attempting to export a local symbol. 168 static const char *const kAsanGlobalsRegisteredFlagName = 169 "___asan_globals_registered"; 170 171 static const char *const kAsanOptionDetectUseAfterReturn = 172 "__asan_option_detect_stack_use_after_return"; 173 174 static const char *const kAsanShadowMemoryDynamicAddress = 175 "__asan_shadow_memory_dynamic_address"; 176 177 static const char *const kAsanAllocaPoison = "__asan_alloca_poison"; 178 static const char *const kAsanAllocasUnpoison = "__asan_allocas_unpoison"; 179 180 // Accesses sizes are powers of two: 1, 2, 4, 8, 16. 181 static const size_t kNumberOfAccessSizes = 5; 182 183 static const unsigned kAllocaRzSize = 32; 184 185 // Command-line flags. 186 187 static cl::opt<bool> ClEnableKasan( 188 "asan-kernel", cl::desc("Enable KernelAddressSanitizer instrumentation"), 189 cl::Hidden, cl::init(false)); 190 191 static cl::opt<bool> ClRecover( 192 "asan-recover", 193 cl::desc("Enable recovery mode (continue-after-error)."), 194 cl::Hidden, cl::init(false)); 195 196 // This flag may need to be replaced with -f[no-]asan-reads. 197 static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 198 cl::desc("instrument read instructions"), 199 cl::Hidden, cl::init(true)); 200 201 static cl::opt<bool> ClInstrumentWrites( 202 "asan-instrument-writes", cl::desc("instrument write instructions"), 203 cl::Hidden, cl::init(true)); 204 205 static cl::opt<bool> ClInstrumentAtomics( 206 "asan-instrument-atomics", 207 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden, 208 cl::init(true)); 209 210 static cl::opt<bool> ClAlwaysSlowPath( 211 "asan-always-slow-path", 212 cl::desc("use instrumentation with slow path for all accesses"), cl::Hidden, 213 cl::init(false)); 214 215 static cl::opt<bool> ClForceDynamicShadow( 216 "asan-force-dynamic-shadow", 217 cl::desc("Load shadow address into a local variable for each function"), 218 cl::Hidden, cl::init(false)); 219 220 static cl::opt<bool> 221 ClWithIfunc("asan-with-ifunc", 222 cl::desc("Access dynamic shadow through an ifunc global on " 223 "platforms that support this"), 224 cl::Hidden, cl::init(true)); 225 226 static cl::opt<bool> ClWithIfuncSuppressRemat( 227 "asan-with-ifunc-suppress-remat", 228 cl::desc("Suppress rematerialization of dynamic shadow address by passing " 229 "it through inline asm in prologue."), 230 cl::Hidden, cl::init(true)); 231 232 // This flag limits the number of instructions to be instrumented 233 // in any given BB. Normally, this should be set to unlimited (INT_MAX), 234 // but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary 235 // set it to 10000. 236 static cl::opt<int> ClMaxInsnsToInstrumentPerBB( 237 "asan-max-ins-per-bb", cl::init(10000), 238 cl::desc("maximal number of instructions to instrument in any given BB"), 239 cl::Hidden); 240 241 // This flag may need to be replaced with -f[no]asan-stack. 242 static cl::opt<bool> ClStack("asan-stack", cl::desc("Handle stack memory"), 243 cl::Hidden, cl::init(true)); 244 static cl::opt<uint32_t> ClMaxInlinePoisoningSize( 245 "asan-max-inline-poisoning-size", 246 cl::desc( 247 "Inline shadow poisoning for blocks up to the given size in bytes."), 248 cl::Hidden, cl::init(64)); 249 250 static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 251 cl::desc("Check stack-use-after-return"), 252 cl::Hidden, cl::init(true)); 253 254 static cl::opt<bool> ClRedzoneByvalArgs("asan-redzone-byval-args", 255 cl::desc("Create redzones for byval " 256 "arguments (extra copy " 257 "required)"), cl::Hidden, 258 cl::init(true)); 259 260 static cl::opt<bool> ClUseAfterScope("asan-use-after-scope", 261 cl::desc("Check stack-use-after-scope"), 262 cl::Hidden, cl::init(false)); 263 264 // This flag may need to be replaced with -f[no]asan-globals. 265 static cl::opt<bool> ClGlobals("asan-globals", 266 cl::desc("Handle global objects"), cl::Hidden, 267 cl::init(true)); 268 269 static cl::opt<bool> ClInitializers("asan-initialization-order", 270 cl::desc("Handle C++ initializer order"), 271 cl::Hidden, cl::init(true)); 272 273 static cl::opt<bool> ClInvalidPointerPairs( 274 "asan-detect-invalid-pointer-pair", 275 cl::desc("Instrument <, <=, >, >=, - with pointer operands"), cl::Hidden, 276 cl::init(false)); 277 278 static cl::opt<unsigned> ClRealignStack( 279 "asan-realign-stack", 280 cl::desc("Realign stack to the value of this flag (power of two)"), 281 cl::Hidden, cl::init(32)); 282 283 static cl::opt<int> ClInstrumentationWithCallsThreshold( 284 "asan-instrumentation-with-call-threshold", 285 cl::desc( 286 "If the function being instrumented contains more than " 287 "this number of memory accesses, use callbacks instead of " 288 "inline checks (-1 means never use callbacks)."), 289 cl::Hidden, cl::init(7000)); 290 291 static cl::opt<std::string> ClMemoryAccessCallbackPrefix( 292 "asan-memory-access-callback-prefix", 293 cl::desc("Prefix for memory access callbacks"), cl::Hidden, 294 cl::init("__asan_")); 295 296 static cl::opt<bool> 297 ClInstrumentDynamicAllocas("asan-instrument-dynamic-allocas", 298 cl::desc("instrument dynamic allocas"), 299 cl::Hidden, cl::init(true)); 300 301 static cl::opt<bool> ClSkipPromotableAllocas( 302 "asan-skip-promotable-allocas", 303 cl::desc("Do not instrument promotable allocas"), cl::Hidden, 304 cl::init(true)); 305 306 // These flags allow to change the shadow mapping. 307 // The shadow mapping looks like 308 // Shadow = (Mem >> scale) + offset 309 310 static cl::opt<int> ClMappingScale("asan-mapping-scale", 311 cl::desc("scale of asan shadow mapping"), 312 cl::Hidden, cl::init(0)); 313 314 static cl::opt<unsigned long long> ClMappingOffset( 315 "asan-mapping-offset", 316 cl::desc("offset of asan shadow mapping [EXPERIMENTAL]"), cl::Hidden, 317 cl::init(0)); 318 319 // Optimization flags. Not user visible, used mostly for testing 320 // and benchmarking the tool. 321 322 static cl::opt<bool> ClOpt("asan-opt", cl::desc("Optimize instrumentation"), 323 cl::Hidden, cl::init(true)); 324 325 static cl::opt<bool> ClOptSameTemp( 326 "asan-opt-same-temp", cl::desc("Instrument the same temp just once"), 327 cl::Hidden, cl::init(true)); 328 329 static cl::opt<bool> ClOptGlobals("asan-opt-globals", 330 cl::desc("Don't instrument scalar globals"), 331 cl::Hidden, cl::init(true)); 332 333 static cl::opt<bool> ClOptStack( 334 "asan-opt-stack", cl::desc("Don't instrument scalar stack variables"), 335 cl::Hidden, cl::init(false)); 336 337 static cl::opt<bool> ClDynamicAllocaStack( 338 "asan-stack-dynamic-alloca", 339 cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden, 340 cl::init(true)); 341 342 static cl::opt<uint32_t> ClForceExperiment( 343 "asan-force-experiment", 344 cl::desc("Force optimization experiment (for testing)"), cl::Hidden, 345 cl::init(0)); 346 347 static cl::opt<bool> 348 ClUsePrivateAlias("asan-use-private-alias", 349 cl::desc("Use private aliases for global variables"), 350 cl::Hidden, cl::init(false)); 351 352 static cl::opt<bool> 353 ClUseOdrIndicator("asan-use-odr-indicator", 354 cl::desc("Use odr indicators to improve ODR reporting"), 355 cl::Hidden, cl::init(false)); 356 357 static cl::opt<bool> 358 ClUseGlobalsGC("asan-globals-live-support", 359 cl::desc("Use linker features to support dead " 360 "code stripping of globals"), 361 cl::Hidden, cl::init(true)); 362 363 // This is on by default even though there is a bug in gold: 364 // https://sourceware.org/bugzilla/show_bug.cgi?id=19002 365 static cl::opt<bool> 366 ClWithComdat("asan-with-comdat", 367 cl::desc("Place ASan constructors in comdat sections"), 368 cl::Hidden, cl::init(true)); 369 370 // Debug flags. 371 372 static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 373 cl::init(0)); 374 375 static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 376 cl::Hidden, cl::init(0)); 377 378 static cl::opt<std::string> ClDebugFunc("asan-debug-func", cl::Hidden, 379 cl::desc("Debug func")); 380 381 static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 382 cl::Hidden, cl::init(-1)); 383 384 static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug max inst"), 385 cl::Hidden, cl::init(-1)); 386 387 STATISTIC(NumInstrumentedReads, "Number of instrumented reads"); 388 STATISTIC(NumInstrumentedWrites, "Number of instrumented writes"); 389 STATISTIC(NumOptimizedAccessesToGlobalVar, 390 "Number of optimized accesses to global vars"); 391 STATISTIC(NumOptimizedAccessesToStackVar, 392 "Number of optimized accesses to stack vars"); 393 394 namespace { 395 396 /// Frontend-provided metadata for source location. 397 struct LocationMetadata { 398 StringRef Filename; 399 int LineNo = 0; 400 int ColumnNo = 0; 401 402 LocationMetadata() = default; 403 404 bool empty() const { return Filename.empty(); } 405 406 void parse(MDNode *MDN) { 407 assert(MDN->getNumOperands() == 3); 408 MDString *DIFilename = cast<MDString>(MDN->getOperand(0)); 409 Filename = DIFilename->getString(); 410 LineNo = 411 mdconst::extract<ConstantInt>(MDN->getOperand(1))->getLimitedValue(); 412 ColumnNo = 413 mdconst::extract<ConstantInt>(MDN->getOperand(2))->getLimitedValue(); 414 } 415 }; 416 417 /// Frontend-provided metadata for global variables. 418 class GlobalsMetadata { 419 public: 420 struct Entry { 421 LocationMetadata SourceLoc; 422 StringRef Name; 423 bool IsDynInit = false; 424 bool IsBlacklisted = false; 425 426 Entry() = default; 427 }; 428 429 GlobalsMetadata() = default; 430 431 void reset() { 432 inited_ = false; 433 Entries.clear(); 434 } 435 436 void init(Module &M) { 437 assert(!inited_); 438 inited_ = true; 439 NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals"); 440 if (!Globals) return; 441 for (auto MDN : Globals->operands()) { 442 // Metadata node contains the global and the fields of "Entry". 443 assert(MDN->getNumOperands() == 5); 444 auto *V = mdconst::extract_or_null<Constant>(MDN->getOperand(0)); 445 // The optimizer may optimize away a global entirely. 446 if (!V) continue; 447 auto *StrippedV = V->stripPointerCasts(); 448 auto *GV = dyn_cast<GlobalVariable>(StrippedV); 449 if (!GV) continue; 450 // We can already have an entry for GV if it was merged with another 451 // global. 452 Entry &E = Entries[GV]; 453 if (auto *Loc = cast_or_null<MDNode>(MDN->getOperand(1))) 454 E.SourceLoc.parse(Loc); 455 if (auto *Name = cast_or_null<MDString>(MDN->getOperand(2))) 456 E.Name = Name->getString(); 457 ConstantInt *IsDynInit = 458 mdconst::extract<ConstantInt>(MDN->getOperand(3)); 459 E.IsDynInit |= IsDynInit->isOne(); 460 ConstantInt *IsBlacklisted = 461 mdconst::extract<ConstantInt>(MDN->getOperand(4)); 462 E.IsBlacklisted |= IsBlacklisted->isOne(); 463 } 464 } 465 466 /// Returns metadata entry for a given global. 467 Entry get(GlobalVariable *G) const { 468 auto Pos = Entries.find(G); 469 return (Pos != Entries.end()) ? Pos->second : Entry(); 470 } 471 472 private: 473 bool inited_ = false; 474 DenseMap<GlobalVariable *, Entry> Entries; 475 }; 476 477 /// This struct defines the shadow mapping using the rule: 478 /// shadow = (mem >> Scale) ADD-or-OR Offset. 479 /// If InGlobal is true, then 480 /// extern char __asan_shadow[]; 481 /// shadow = (mem >> Scale) + &__asan_shadow 482 struct ShadowMapping { 483 int Scale; 484 uint64_t Offset; 485 bool OrShadowOffset; 486 bool InGlobal; 487 }; 488 489 } // end anonymous namespace 490 491 static ShadowMapping getShadowMapping(Triple &TargetTriple, int LongSize, 492 bool IsKasan) { 493 bool IsAndroid = TargetTriple.isAndroid(); 494 bool IsIOS = TargetTriple.isiOS() || TargetTriple.isWatchOS(); 495 bool IsFreeBSD = TargetTriple.isOSFreeBSD(); 496 bool IsNetBSD = TargetTriple.isOSNetBSD(); 497 bool IsPS4CPU = TargetTriple.isPS4CPU(); 498 bool IsLinux = TargetTriple.isOSLinux(); 499 bool IsPPC64 = TargetTriple.getArch() == Triple::ppc64 || 500 TargetTriple.getArch() == Triple::ppc64le; 501 bool IsSystemZ = TargetTriple.getArch() == Triple::systemz; 502 bool IsX86 = TargetTriple.getArch() == Triple::x86; 503 bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64; 504 bool IsMIPS32 = TargetTriple.isMIPS32(); 505 bool IsMIPS64 = TargetTriple.isMIPS64(); 506 bool IsArmOrThumb = TargetTriple.isARM() || TargetTriple.isThumb(); 507 bool IsAArch64 = TargetTriple.getArch() == Triple::aarch64; 508 bool IsWindows = TargetTriple.isOSWindows(); 509 bool IsFuchsia = TargetTriple.isOSFuchsia(); 510 bool IsMyriad = TargetTriple.getVendor() == llvm::Triple::Myriad; 511 512 ShadowMapping Mapping; 513 514 Mapping.Scale = IsMyriad ? kMyriadShadowScale : kDefaultShadowScale; 515 if (ClMappingScale.getNumOccurrences() > 0) { 516 Mapping.Scale = ClMappingScale; 517 } 518 519 if (LongSize == 32) { 520 if (IsAndroid) 521 Mapping.Offset = kDynamicShadowSentinel; 522 else if (IsMIPS32) 523 Mapping.Offset = kMIPS32_ShadowOffset32; 524 else if (IsFreeBSD) 525 Mapping.Offset = kFreeBSD_ShadowOffset32; 526 else if (IsNetBSD) 527 Mapping.Offset = kNetBSD_ShadowOffset32; 528 else if (IsIOS) 529 // If we're targeting iOS and x86, the binary is built for iOS simulator. 530 Mapping.Offset = IsX86 ? kIOSSimShadowOffset32 : kIOSShadowOffset32; 531 else if (IsWindows) 532 Mapping.Offset = kWindowsShadowOffset32; 533 else if (IsMyriad) { 534 uint64_t ShadowOffset = (kMyriadMemoryOffset32 + kMyriadMemorySize32 - 535 (kMyriadMemorySize32 >> Mapping.Scale)); 536 Mapping.Offset = ShadowOffset - (kMyriadMemoryOffset32 >> Mapping.Scale); 537 } 538 else 539 Mapping.Offset = kDefaultShadowOffset32; 540 } else { // LongSize == 64 541 // Fuchsia is always PIE, which means that the beginning of the address 542 // space is always available. 543 if (IsFuchsia) 544 Mapping.Offset = 0; 545 else if (IsPPC64) 546 Mapping.Offset = kPPC64_ShadowOffset64; 547 else if (IsSystemZ) 548 Mapping.Offset = kSystemZ_ShadowOffset64; 549 else if (IsFreeBSD && !IsMIPS64) 550 Mapping.Offset = kFreeBSD_ShadowOffset64; 551 else if (IsNetBSD) { 552 if (IsKasan) 553 Mapping.Offset = kNetBSDKasan_ShadowOffset64; 554 else 555 Mapping.Offset = kNetBSD_ShadowOffset64; 556 } else if (IsPS4CPU) 557 Mapping.Offset = kPS4CPU_ShadowOffset64; 558 else if (IsLinux && IsX86_64) { 559 if (IsKasan) 560 Mapping.Offset = kLinuxKasan_ShadowOffset64; 561 else 562 Mapping.Offset = (kSmallX86_64ShadowOffsetBase & 563 (kSmallX86_64ShadowOffsetAlignMask << Mapping.Scale)); 564 } else if (IsWindows && IsX86_64) { 565 Mapping.Offset = kWindowsShadowOffset64; 566 } else if (IsMIPS64) 567 Mapping.Offset = kMIPS64_ShadowOffset64; 568 else if (IsIOS) 569 // If we're targeting iOS and x86, the binary is built for iOS simulator. 570 // We are using dynamic shadow offset on the 64-bit devices. 571 Mapping.Offset = 572 IsX86_64 ? kIOSSimShadowOffset64 : kDynamicShadowSentinel; 573 else if (IsAArch64) 574 Mapping.Offset = kAArch64_ShadowOffset64; 575 else 576 Mapping.Offset = kDefaultShadowOffset64; 577 } 578 579 if (ClForceDynamicShadow) { 580 Mapping.Offset = kDynamicShadowSentinel; 581 } 582 583 if (ClMappingOffset.getNumOccurrences() > 0) { 584 Mapping.Offset = ClMappingOffset; 585 } 586 587 // OR-ing shadow offset if more efficient (at least on x86) if the offset 588 // is a power of two, but on ppc64 we have to use add since the shadow 589 // offset is not necessary 1/8-th of the address space. On SystemZ, 590 // we could OR the constant in a single instruction, but it's more 591 // efficient to load it once and use indexed addressing. 592 Mapping.OrShadowOffset = !IsAArch64 && !IsPPC64 && !IsSystemZ && !IsPS4CPU && 593 !(Mapping.Offset & (Mapping.Offset - 1)) && 594 Mapping.Offset != kDynamicShadowSentinel; 595 bool IsAndroidWithIfuncSupport = 596 IsAndroid && !TargetTriple.isAndroidVersionLT(21); 597 Mapping.InGlobal = ClWithIfunc && IsAndroidWithIfuncSupport && IsArmOrThumb; 598 599 return Mapping; 600 } 601 602 static size_t RedzoneSizeForScale(int MappingScale) { 603 // Redzone used for stack and globals is at least 32 bytes. 604 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 605 return std::max(32U, 1U << MappingScale); 606 } 607 608 namespace { 609 610 /// AddressSanitizer: instrument the code in module to find memory bugs. 611 struct AddressSanitizer : public FunctionPass { 612 // Pass identification, replacement for typeid 613 static char ID; 614 615 explicit AddressSanitizer(bool CompileKernel = false, bool Recover = false, 616 bool UseAfterScope = false) 617 : FunctionPass(ID), UseAfterScope(UseAfterScope || ClUseAfterScope) { 618 this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover; 619 this->CompileKernel = ClEnableKasan.getNumOccurrences() > 0 ? 620 ClEnableKasan : CompileKernel; 621 initializeAddressSanitizerPass(*PassRegistry::getPassRegistry()); 622 } 623 624 StringRef getPassName() const override { 625 return "AddressSanitizerFunctionPass"; 626 } 627 628 void getAnalysisUsage(AnalysisUsage &AU) const override { 629 AU.addRequired<DominatorTreeWrapperPass>(); 630 AU.addRequired<TargetLibraryInfoWrapperPass>(); 631 } 632 633 uint64_t getAllocaSizeInBytes(const AllocaInst &AI) const { 634 uint64_t ArraySize = 1; 635 if (AI.isArrayAllocation()) { 636 const ConstantInt *CI = dyn_cast<ConstantInt>(AI.getArraySize()); 637 assert(CI && "non-constant array size"); 638 ArraySize = CI->getZExtValue(); 639 } 640 Type *Ty = AI.getAllocatedType(); 641 uint64_t SizeInBytes = 642 AI.getModule()->getDataLayout().getTypeAllocSize(Ty); 643 return SizeInBytes * ArraySize; 644 } 645 646 /// Check if we want (and can) handle this alloca. 647 bool isInterestingAlloca(const AllocaInst &AI); 648 649 /// If it is an interesting memory access, return the PointerOperand 650 /// and set IsWrite/Alignment. Otherwise return nullptr. 651 /// MaybeMask is an output parameter for the mask Value, if we're looking at a 652 /// masked load/store. 653 Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite, 654 uint64_t *TypeSize, unsigned *Alignment, 655 Value **MaybeMask = nullptr); 656 657 void instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis, Instruction *I, 658 bool UseCalls, const DataLayout &DL); 659 void instrumentPointerComparisonOrSubtraction(Instruction *I); 660 void instrumentAddress(Instruction *OrigIns, Instruction *InsertBefore, 661 Value *Addr, uint32_t TypeSize, bool IsWrite, 662 Value *SizeArgument, bool UseCalls, uint32_t Exp); 663 void instrumentUnusualSizeOrAlignment(Instruction *I, 664 Instruction *InsertBefore, Value *Addr, 665 uint32_t TypeSize, bool IsWrite, 666 Value *SizeArgument, bool UseCalls, 667 uint32_t Exp); 668 Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 669 Value *ShadowValue, uint32_t TypeSize); 670 Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, 671 bool IsWrite, size_t AccessSizeIndex, 672 Value *SizeArgument, uint32_t Exp); 673 void instrumentMemIntrinsic(MemIntrinsic *MI); 674 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 675 bool runOnFunction(Function &F) override; 676 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 677 void maybeInsertDynamicShadowAtFunctionEntry(Function &F); 678 void markEscapedLocalAllocas(Function &F); 679 bool doInitialization(Module &M) override; 680 bool doFinalization(Module &M) override; 681 682 DominatorTree &getDominatorTree() const { return *DT; } 683 684 private: 685 friend struct FunctionStackPoisoner; 686 687 void initializeCallbacks(Module &M); 688 689 bool LooksLikeCodeInBug11395(Instruction *I); 690 bool GlobalIsLinkerInitialized(GlobalVariable *G); 691 bool isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, Value *Addr, 692 uint64_t TypeSize) const; 693 694 /// Helper to cleanup per-function state. 695 struct FunctionStateRAII { 696 AddressSanitizer *Pass; 697 698 FunctionStateRAII(AddressSanitizer *Pass) : Pass(Pass) { 699 assert(Pass->ProcessedAllocas.empty() && 700 "last pass forgot to clear cache"); 701 assert(!Pass->LocalDynamicShadow); 702 } 703 704 ~FunctionStateRAII() { 705 Pass->LocalDynamicShadow = nullptr; 706 Pass->ProcessedAllocas.clear(); 707 } 708 }; 709 710 LLVMContext *C; 711 Triple TargetTriple; 712 int LongSize; 713 bool CompileKernel; 714 bool Recover; 715 bool UseAfterScope; 716 Type *IntptrTy; 717 ShadowMapping Mapping; 718 DominatorTree *DT; 719 Function *AsanHandleNoReturnFunc; 720 Function *AsanPtrCmpFunction, *AsanPtrSubFunction; 721 Constant *AsanShadowGlobal; 722 723 // These arrays is indexed by AccessIsWrite, Experiment and log2(AccessSize). 724 Function *AsanErrorCallback[2][2][kNumberOfAccessSizes]; 725 Function *AsanMemoryAccessCallback[2][2][kNumberOfAccessSizes]; 726 727 // These arrays is indexed by AccessIsWrite and Experiment. 728 Function *AsanErrorCallbackSized[2][2]; 729 Function *AsanMemoryAccessCallbackSized[2][2]; 730 731 Function *AsanMemmove, *AsanMemcpy, *AsanMemset; 732 InlineAsm *EmptyAsm; 733 Value *LocalDynamicShadow = nullptr; 734 GlobalsMetadata GlobalsMD; 735 DenseMap<const AllocaInst *, bool> ProcessedAllocas; 736 }; 737 738 class AddressSanitizerModule : public ModulePass { 739 public: 740 // Pass identification, replacement for typeid 741 static char ID; 742 743 explicit AddressSanitizerModule(bool CompileKernel = false, 744 bool Recover = false, 745 bool UseGlobalsGC = true, 746 bool UseOdrIndicator = false) 747 : ModulePass(ID), UseGlobalsGC(UseGlobalsGC && ClUseGlobalsGC), 748 // Enable aliases as they should have no downside with ODR indicators. 749 UsePrivateAlias(UseOdrIndicator || ClUsePrivateAlias), 750 UseOdrIndicator(UseOdrIndicator || ClUseOdrIndicator), 751 // Not a typo: ClWithComdat is almost completely pointless without 752 // ClUseGlobalsGC (because then it only works on modules without 753 // globals, which are rare); it is a prerequisite for ClUseGlobalsGC; 754 // and both suffer from gold PR19002 for which UseGlobalsGC constructor 755 // argument is designed as workaround. Therefore, disable both 756 // ClWithComdat and ClUseGlobalsGC unless the frontend says it's ok to 757 // do globals-gc. 758 UseCtorComdat(UseGlobalsGC && ClWithComdat) { 759 this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover; 760 this->CompileKernel = 761 ClEnableKasan.getNumOccurrences() > 0 ? ClEnableKasan : CompileKernel; 762 } 763 764 bool runOnModule(Module &M) override; 765 StringRef getPassName() const override { return "AddressSanitizerModule"; } 766 767 private: 768 void initializeCallbacks(Module &M); 769 770 bool InstrumentGlobals(IRBuilder<> &IRB, Module &M, bool *CtorComdat); 771 void InstrumentGlobalsCOFF(IRBuilder<> &IRB, Module &M, 772 ArrayRef<GlobalVariable *> ExtendedGlobals, 773 ArrayRef<Constant *> MetadataInitializers); 774 void InstrumentGlobalsELF(IRBuilder<> &IRB, Module &M, 775 ArrayRef<GlobalVariable *> ExtendedGlobals, 776 ArrayRef<Constant *> MetadataInitializers, 777 const std::string &UniqueModuleId); 778 void InstrumentGlobalsMachO(IRBuilder<> &IRB, Module &M, 779 ArrayRef<GlobalVariable *> ExtendedGlobals, 780 ArrayRef<Constant *> MetadataInitializers); 781 void 782 InstrumentGlobalsWithMetadataArray(IRBuilder<> &IRB, Module &M, 783 ArrayRef<GlobalVariable *> ExtendedGlobals, 784 ArrayRef<Constant *> MetadataInitializers); 785 786 GlobalVariable *CreateMetadataGlobal(Module &M, Constant *Initializer, 787 StringRef OriginalName); 788 void SetComdatForGlobalMetadata(GlobalVariable *G, GlobalVariable *Metadata, 789 StringRef InternalSuffix); 790 IRBuilder<> CreateAsanModuleDtor(Module &M); 791 792 bool ShouldInstrumentGlobal(GlobalVariable *G); 793 bool ShouldUseMachOGlobalsSection() const; 794 StringRef getGlobalMetadataSection() const; 795 void poisonOneInitializer(Function &GlobalInit, GlobalValue *ModuleName); 796 void createInitializerPoisonCalls(Module &M, GlobalValue *ModuleName); 797 size_t MinRedzoneSizeForGlobal() const { 798 return RedzoneSizeForScale(Mapping.Scale); 799 } 800 int GetAsanVersion(const Module &M) const; 801 802 GlobalsMetadata GlobalsMD; 803 bool CompileKernel; 804 bool Recover; 805 bool UseGlobalsGC; 806 bool UsePrivateAlias; 807 bool UseOdrIndicator; 808 bool UseCtorComdat; 809 Type *IntptrTy; 810 LLVMContext *C; 811 Triple TargetTriple; 812 ShadowMapping Mapping; 813 Function *AsanPoisonGlobals; 814 Function *AsanUnpoisonGlobals; 815 Function *AsanRegisterGlobals; 816 Function *AsanUnregisterGlobals; 817 Function *AsanRegisterImageGlobals; 818 Function *AsanUnregisterImageGlobals; 819 Function *AsanRegisterElfGlobals; 820 Function *AsanUnregisterElfGlobals; 821 822 Function *AsanCtorFunction = nullptr; 823 Function *AsanDtorFunction = nullptr; 824 }; 825 826 // Stack poisoning does not play well with exception handling. 827 // When an exception is thrown, we essentially bypass the code 828 // that unpoisones the stack. This is why the run-time library has 829 // to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 830 // stack in the interceptor. This however does not work inside the 831 // actual function which catches the exception. Most likely because the 832 // compiler hoists the load of the shadow value somewhere too high. 833 // This causes asan to report a non-existing bug on 453.povray. 834 // It sounds like an LLVM bug. 835 struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> { 836 Function &F; 837 AddressSanitizer &ASan; 838 DIBuilder DIB; 839 LLVMContext *C; 840 Type *IntptrTy; 841 Type *IntptrPtrTy; 842 ShadowMapping Mapping; 843 844 SmallVector<AllocaInst *, 16> AllocaVec; 845 SmallVector<AllocaInst *, 16> StaticAllocasToMoveUp; 846 SmallVector<Instruction *, 8> RetVec; 847 unsigned StackAlignment; 848 849 Function *AsanStackMallocFunc[kMaxAsanStackMallocSizeClass + 1], 850 *AsanStackFreeFunc[kMaxAsanStackMallocSizeClass + 1]; 851 Function *AsanSetShadowFunc[0x100] = {}; 852 Function *AsanPoisonStackMemoryFunc, *AsanUnpoisonStackMemoryFunc; 853 Function *AsanAllocaPoisonFunc, *AsanAllocasUnpoisonFunc; 854 855 // Stores a place and arguments of poisoning/unpoisoning call for alloca. 856 struct AllocaPoisonCall { 857 IntrinsicInst *InsBefore; 858 AllocaInst *AI; 859 uint64_t Size; 860 bool DoPoison; 861 }; 862 SmallVector<AllocaPoisonCall, 8> DynamicAllocaPoisonCallVec; 863 SmallVector<AllocaPoisonCall, 8> StaticAllocaPoisonCallVec; 864 865 SmallVector<AllocaInst *, 1> DynamicAllocaVec; 866 SmallVector<IntrinsicInst *, 1> StackRestoreVec; 867 AllocaInst *DynamicAllocaLayout = nullptr; 868 IntrinsicInst *LocalEscapeCall = nullptr; 869 870 // Maps Value to an AllocaInst from which the Value is originated. 871 using AllocaForValueMapTy = DenseMap<Value *, AllocaInst *>; 872 AllocaForValueMapTy AllocaForValue; 873 874 bool HasNonEmptyInlineAsm = false; 875 bool HasReturnsTwiceCall = false; 876 std::unique_ptr<CallInst> EmptyInlineAsm; 877 878 FunctionStackPoisoner(Function &F, AddressSanitizer &ASan) 879 : F(F), 880 ASan(ASan), 881 DIB(*F.getParent(), /*AllowUnresolved*/ false), 882 C(ASan.C), 883 IntptrTy(ASan.IntptrTy), 884 IntptrPtrTy(PointerType::get(IntptrTy, 0)), 885 Mapping(ASan.Mapping), 886 StackAlignment(1 << Mapping.Scale), 887 EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {} 888 889 bool runOnFunction() { 890 if (!ClStack) return false; 891 892 if (ClRedzoneByvalArgs) 893 copyArgsPassedByValToAllocas(); 894 895 // Collect alloca, ret, lifetime instructions etc. 896 for (BasicBlock *BB : depth_first(&F.getEntryBlock())) visit(*BB); 897 898 if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false; 899 900 initializeCallbacks(*F.getParent()); 901 902 processDynamicAllocas(); 903 processStaticAllocas(); 904 905 if (ClDebugStack) { 906 LLVM_DEBUG(dbgs() << F); 907 } 908 return true; 909 } 910 911 // Arguments marked with the "byval" attribute are implicitly copied without 912 // using an alloca instruction. To produce redzones for those arguments, we 913 // copy them a second time into memory allocated with an alloca instruction. 914 void copyArgsPassedByValToAllocas(); 915 916 // Finds all Alloca instructions and puts 917 // poisoned red zones around all of them. 918 // Then unpoison everything back before the function returns. 919 void processStaticAllocas(); 920 void processDynamicAllocas(); 921 922 void createDynamicAllocasInitStorage(); 923 924 // ----------------------- Visitors. 925 /// Collect all Ret instructions. 926 void visitReturnInst(ReturnInst &RI) { RetVec.push_back(&RI); } 927 928 /// Collect all Resume instructions. 929 void visitResumeInst(ResumeInst &RI) { RetVec.push_back(&RI); } 930 931 /// Collect all CatchReturnInst instructions. 932 void visitCleanupReturnInst(CleanupReturnInst &CRI) { RetVec.push_back(&CRI); } 933 934 void unpoisonDynamicAllocasBeforeInst(Instruction *InstBefore, 935 Value *SavedStack) { 936 IRBuilder<> IRB(InstBefore); 937 Value *DynamicAreaPtr = IRB.CreatePtrToInt(SavedStack, IntptrTy); 938 // When we insert _asan_allocas_unpoison before @llvm.stackrestore, we 939 // need to adjust extracted SP to compute the address of the most recent 940 // alloca. We have a special @llvm.get.dynamic.area.offset intrinsic for 941 // this purpose. 942 if (!isa<ReturnInst>(InstBefore)) { 943 Function *DynamicAreaOffsetFunc = Intrinsic::getDeclaration( 944 InstBefore->getModule(), Intrinsic::get_dynamic_area_offset, 945 {IntptrTy}); 946 947 Value *DynamicAreaOffset = IRB.CreateCall(DynamicAreaOffsetFunc, {}); 948 949 DynamicAreaPtr = IRB.CreateAdd(IRB.CreatePtrToInt(SavedStack, IntptrTy), 950 DynamicAreaOffset); 951 } 952 953 IRB.CreateCall(AsanAllocasUnpoisonFunc, 954 {IRB.CreateLoad(DynamicAllocaLayout), DynamicAreaPtr}); 955 } 956 957 // Unpoison dynamic allocas redzones. 958 void unpoisonDynamicAllocas() { 959 for (auto &Ret : RetVec) 960 unpoisonDynamicAllocasBeforeInst(Ret, DynamicAllocaLayout); 961 962 for (auto &StackRestoreInst : StackRestoreVec) 963 unpoisonDynamicAllocasBeforeInst(StackRestoreInst, 964 StackRestoreInst->getOperand(0)); 965 } 966 967 // Deploy and poison redzones around dynamic alloca call. To do this, we 968 // should replace this call with another one with changed parameters and 969 // replace all its uses with new address, so 970 // addr = alloca type, old_size, align 971 // is replaced by 972 // new_size = (old_size + additional_size) * sizeof(type) 973 // tmp = alloca i8, new_size, max(align, 32) 974 // addr = tmp + 32 (first 32 bytes are for the left redzone). 975 // Additional_size is added to make new memory allocation contain not only 976 // requested memory, but also left, partial and right redzones. 977 void handleDynamicAllocaCall(AllocaInst *AI); 978 979 /// Collect Alloca instructions we want (and can) handle. 980 void visitAllocaInst(AllocaInst &AI) { 981 if (!ASan.isInterestingAlloca(AI)) { 982 if (AI.isStaticAlloca()) { 983 // Skip over allocas that are present *before* the first instrumented 984 // alloca, we don't want to move those around. 985 if (AllocaVec.empty()) 986 return; 987 988 StaticAllocasToMoveUp.push_back(&AI); 989 } 990 return; 991 } 992 993 StackAlignment = std::max(StackAlignment, AI.getAlignment()); 994 if (!AI.isStaticAlloca()) 995 DynamicAllocaVec.push_back(&AI); 996 else 997 AllocaVec.push_back(&AI); 998 } 999 1000 /// Collect lifetime intrinsic calls to check for use-after-scope 1001 /// errors. 1002 void visitIntrinsicInst(IntrinsicInst &II) { 1003 Intrinsic::ID ID = II.getIntrinsicID(); 1004 if (ID == Intrinsic::stackrestore) StackRestoreVec.push_back(&II); 1005 if (ID == Intrinsic::localescape) LocalEscapeCall = &II; 1006 if (!ASan.UseAfterScope) 1007 return; 1008 if (ID != Intrinsic::lifetime_start && ID != Intrinsic::lifetime_end) 1009 return; 1010 // Found lifetime intrinsic, add ASan instrumentation if necessary. 1011 ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0)); 1012 // If size argument is undefined, don't do anything. 1013 if (Size->isMinusOne()) return; 1014 // Check that size doesn't saturate uint64_t and can 1015 // be stored in IntptrTy. 1016 const uint64_t SizeValue = Size->getValue().getLimitedValue(); 1017 if (SizeValue == ~0ULL || 1018 !ConstantInt::isValueValidForType(IntptrTy, SizeValue)) 1019 return; 1020 // Find alloca instruction that corresponds to llvm.lifetime argument. 1021 AllocaInst *AI = findAllocaForValue(II.getArgOperand(1)); 1022 if (!AI || !ASan.isInterestingAlloca(*AI)) 1023 return; 1024 bool DoPoison = (ID == Intrinsic::lifetime_end); 1025 AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison}; 1026 if (AI->isStaticAlloca()) 1027 StaticAllocaPoisonCallVec.push_back(APC); 1028 else if (ClInstrumentDynamicAllocas) 1029 DynamicAllocaPoisonCallVec.push_back(APC); 1030 } 1031 1032 void visitCallSite(CallSite CS) { 1033 Instruction *I = CS.getInstruction(); 1034 if (CallInst *CI = dyn_cast<CallInst>(I)) { 1035 HasNonEmptyInlineAsm |= CI->isInlineAsm() && 1036 !CI->isIdenticalTo(EmptyInlineAsm.get()) && 1037 I != ASan.LocalDynamicShadow; 1038 HasReturnsTwiceCall |= CI->canReturnTwice(); 1039 } 1040 } 1041 1042 // ---------------------- Helpers. 1043 void initializeCallbacks(Module &M); 1044 1045 bool doesDominateAllExits(const Instruction *I) const { 1046 for (auto Ret : RetVec) { 1047 if (!ASan.getDominatorTree().dominates(I, Ret)) return false; 1048 } 1049 return true; 1050 } 1051 1052 /// Finds alloca where the value comes from. 1053 AllocaInst *findAllocaForValue(Value *V); 1054 1055 // Copies bytes from ShadowBytes into shadow memory for indexes where 1056 // ShadowMask is not zero. If ShadowMask[i] is zero, we assume that 1057 // ShadowBytes[i] is constantly zero and doesn't need to be overwritten. 1058 void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes, 1059 IRBuilder<> &IRB, Value *ShadowBase); 1060 void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes, 1061 size_t Begin, size_t End, IRBuilder<> &IRB, 1062 Value *ShadowBase); 1063 void copyToShadowInline(ArrayRef<uint8_t> ShadowMask, 1064 ArrayRef<uint8_t> ShadowBytes, size_t Begin, 1065 size_t End, IRBuilder<> &IRB, Value *ShadowBase); 1066 1067 void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> &IRB, bool DoPoison); 1068 1069 Value *createAllocaForLayout(IRBuilder<> &IRB, const ASanStackFrameLayout &L, 1070 bool Dynamic); 1071 PHINode *createPHI(IRBuilder<> &IRB, Value *Cond, Value *ValueIfTrue, 1072 Instruction *ThenTerm, Value *ValueIfFalse); 1073 }; 1074 1075 } // end anonymous namespace 1076 1077 char AddressSanitizer::ID = 0; 1078 1079 INITIALIZE_PASS_BEGIN( 1080 AddressSanitizer, "asan", 1081 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false, 1082 false) 1083 INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass) 1084 INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass) 1085 INITIALIZE_PASS_END( 1086 AddressSanitizer, "asan", 1087 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false, 1088 false) 1089 1090 FunctionPass *llvm::createAddressSanitizerFunctionPass(bool CompileKernel, 1091 bool Recover, 1092 bool UseAfterScope) { 1093 assert(!CompileKernel || Recover); 1094 return new AddressSanitizer(CompileKernel, Recover, UseAfterScope); 1095 } 1096 1097 char AddressSanitizerModule::ID = 0; 1098 1099 INITIALIZE_PASS( 1100 AddressSanitizerModule, "asan-module", 1101 "AddressSanitizer: detects use-after-free and out-of-bounds bugs." 1102 "ModulePass", 1103 false, false) 1104 1105 ModulePass *llvm::createAddressSanitizerModulePass(bool CompileKernel, 1106 bool Recover, 1107 bool UseGlobalsGC, 1108 bool UseOdrIndicator) { 1109 assert(!CompileKernel || Recover); 1110 return new AddressSanitizerModule(CompileKernel, Recover, UseGlobalsGC, 1111 UseOdrIndicator); 1112 } 1113 1114 static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 1115 size_t Res = countTrailingZeros(TypeSize / 8); 1116 assert(Res < kNumberOfAccessSizes); 1117 return Res; 1118 } 1119 1120 /// Create a global describing a source location. 1121 static GlobalVariable *createPrivateGlobalForSourceLoc(Module &M, 1122 LocationMetadata MD) { 1123 Constant *LocData[] = { 1124 createPrivateGlobalForString(M, MD.Filename, true, kAsanGenPrefix), 1125 ConstantInt::get(Type::getInt32Ty(M.getContext()), MD.LineNo), 1126 ConstantInt::get(Type::getInt32Ty(M.getContext()), MD.ColumnNo), 1127 }; 1128 auto LocStruct = ConstantStruct::getAnon(LocData); 1129 auto GV = new GlobalVariable(M, LocStruct->getType(), true, 1130 GlobalValue::PrivateLinkage, LocStruct, 1131 kAsanGenPrefix); 1132 GV->setUnnamedAddr(GlobalValue::UnnamedAddr::Global); 1133 return GV; 1134 } 1135 1136 /// Check if \p G has been created by a trusted compiler pass. 1137 static bool GlobalWasGeneratedByCompiler(GlobalVariable *G) { 1138 // Do not instrument @llvm.global_ctors, @llvm.used, etc. 1139 if (G->getName().startswith("llvm.")) 1140 return true; 1141 1142 // Do not instrument asan globals. 1143 if (G->getName().startswith(kAsanGenPrefix) || 1144 G->getName().startswith(kSanCovGenPrefix) || 1145 G->getName().startswith(kODRGenPrefix)) 1146 return true; 1147 1148 // Do not instrument gcov counter arrays. 1149 if (G->getName() == "__llvm_gcov_ctr") 1150 return true; 1151 1152 return false; 1153 } 1154 1155 Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 1156 // Shadow >> scale 1157 Shadow = IRB.CreateLShr(Shadow, Mapping.Scale); 1158 if (Mapping.Offset == 0) return Shadow; 1159 // (Shadow >> scale) | offset 1160 Value *ShadowBase; 1161 if (LocalDynamicShadow) 1162 ShadowBase = LocalDynamicShadow; 1163 else 1164 ShadowBase = ConstantInt::get(IntptrTy, Mapping.Offset); 1165 if (Mapping.OrShadowOffset) 1166 return IRB.CreateOr(Shadow, ShadowBase); 1167 else 1168 return IRB.CreateAdd(Shadow, ShadowBase); 1169 } 1170 1171 // Instrument memset/memmove/memcpy 1172 void AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 1173 IRBuilder<> IRB(MI); 1174 if (isa<MemTransferInst>(MI)) { 1175 IRB.CreateCall( 1176 isa<MemMoveInst>(MI) ? AsanMemmove : AsanMemcpy, 1177 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 1178 IRB.CreatePointerCast(MI->getOperand(1), IRB.getInt8PtrTy()), 1179 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 1180 } else if (isa<MemSetInst>(MI)) { 1181 IRB.CreateCall( 1182 AsanMemset, 1183 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 1184 IRB.CreateIntCast(MI->getOperand(1), IRB.getInt32Ty(), false), 1185 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 1186 } 1187 MI->eraseFromParent(); 1188 } 1189 1190 /// Check if we want (and can) handle this alloca. 1191 bool AddressSanitizer::isInterestingAlloca(const AllocaInst &AI) { 1192 auto PreviouslySeenAllocaInfo = ProcessedAllocas.find(&AI); 1193 1194 if (PreviouslySeenAllocaInfo != ProcessedAllocas.end()) 1195 return PreviouslySeenAllocaInfo->getSecond(); 1196 1197 bool IsInteresting = 1198 (AI.getAllocatedType()->isSized() && 1199 // alloca() may be called with 0 size, ignore it. 1200 ((!AI.isStaticAlloca()) || getAllocaSizeInBytes(AI) > 0) && 1201 // We are only interested in allocas not promotable to registers. 1202 // Promotable allocas are common under -O0. 1203 (!ClSkipPromotableAllocas || !isAllocaPromotable(&AI)) && 1204 // inalloca allocas are not treated as static, and we don't want 1205 // dynamic alloca instrumentation for them as well. 1206 !AI.isUsedWithInAlloca() && 1207 // swifterror allocas are register promoted by ISel 1208 !AI.isSwiftError()); 1209 1210 ProcessedAllocas[&AI] = IsInteresting; 1211 return IsInteresting; 1212 } 1213 1214 Value *AddressSanitizer::isInterestingMemoryAccess(Instruction *I, 1215 bool *IsWrite, 1216 uint64_t *TypeSize, 1217 unsigned *Alignment, 1218 Value **MaybeMask) { 1219 // Skip memory accesses inserted by another instrumentation. 1220 if (I->getMetadata("nosanitize")) return nullptr; 1221 1222 // Do not instrument the load fetching the dynamic shadow address. 1223 if (LocalDynamicShadow == I) 1224 return nullptr; 1225 1226 Value *PtrOperand = nullptr; 1227 const DataLayout &DL = I->getModule()->getDataLayout(); 1228 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 1229 if (!ClInstrumentReads) return nullptr; 1230 *IsWrite = false; 1231 *TypeSize = DL.getTypeStoreSizeInBits(LI->getType()); 1232 *Alignment = LI->getAlignment(); 1233 PtrOperand = LI->getPointerOperand(); 1234 } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 1235 if (!ClInstrumentWrites) return nullptr; 1236 *IsWrite = true; 1237 *TypeSize = DL.getTypeStoreSizeInBits(SI->getValueOperand()->getType()); 1238 *Alignment = SI->getAlignment(); 1239 PtrOperand = SI->getPointerOperand(); 1240 } else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 1241 if (!ClInstrumentAtomics) return nullptr; 1242 *IsWrite = true; 1243 *TypeSize = DL.getTypeStoreSizeInBits(RMW->getValOperand()->getType()); 1244 *Alignment = 0; 1245 PtrOperand = RMW->getPointerOperand(); 1246 } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 1247 if (!ClInstrumentAtomics) return nullptr; 1248 *IsWrite = true; 1249 *TypeSize = DL.getTypeStoreSizeInBits(XCHG->getCompareOperand()->getType()); 1250 *Alignment = 0; 1251 PtrOperand = XCHG->getPointerOperand(); 1252 } else if (auto CI = dyn_cast<CallInst>(I)) { 1253 auto *F = dyn_cast<Function>(CI->getCalledValue()); 1254 if (F && (F->getName().startswith("llvm.masked.load.") || 1255 F->getName().startswith("llvm.masked.store."))) { 1256 unsigned OpOffset = 0; 1257 if (F->getName().startswith("llvm.masked.store.")) { 1258 if (!ClInstrumentWrites) 1259 return nullptr; 1260 // Masked store has an initial operand for the value. 1261 OpOffset = 1; 1262 *IsWrite = true; 1263 } else { 1264 if (!ClInstrumentReads) 1265 return nullptr; 1266 *IsWrite = false; 1267 } 1268 1269 auto BasePtr = CI->getOperand(0 + OpOffset); 1270 auto Ty = cast<PointerType>(BasePtr->getType())->getElementType(); 1271 *TypeSize = DL.getTypeStoreSizeInBits(Ty); 1272 if (auto AlignmentConstant = 1273 dyn_cast<ConstantInt>(CI->getOperand(1 + OpOffset))) 1274 *Alignment = (unsigned)AlignmentConstant->getZExtValue(); 1275 else 1276 *Alignment = 1; // No alignment guarantees. We probably got Undef 1277 if (MaybeMask) 1278 *MaybeMask = CI->getOperand(2 + OpOffset); 1279 PtrOperand = BasePtr; 1280 } 1281 } 1282 1283 if (PtrOperand) { 1284 // Do not instrument acesses from different address spaces; we cannot deal 1285 // with them. 1286 Type *PtrTy = cast<PointerType>(PtrOperand->getType()->getScalarType()); 1287 if (PtrTy->getPointerAddressSpace() != 0) 1288 return nullptr; 1289 1290 // Ignore swifterror addresses. 1291 // swifterror memory addresses are mem2reg promoted by instruction 1292 // selection. As such they cannot have regular uses like an instrumentation 1293 // function and it makes no sense to track them as memory. 1294 if (PtrOperand->isSwiftError()) 1295 return nullptr; 1296 } 1297 1298 // Treat memory accesses to promotable allocas as non-interesting since they 1299 // will not cause memory violations. This greatly speeds up the instrumented 1300 // executable at -O0. 1301 if (ClSkipPromotableAllocas) 1302 if (auto AI = dyn_cast_or_null<AllocaInst>(PtrOperand)) 1303 return isInterestingAlloca(*AI) ? AI : nullptr; 1304 1305 return PtrOperand; 1306 } 1307 1308 static bool isPointerOperand(Value *V) { 1309 return V->getType()->isPointerTy() || isa<PtrToIntInst>(V); 1310 } 1311 1312 // This is a rough heuristic; it may cause both false positives and 1313 // false negatives. The proper implementation requires cooperation with 1314 // the frontend. 1315 static bool isInterestingPointerComparisonOrSubtraction(Instruction *I) { 1316 if (ICmpInst *Cmp = dyn_cast<ICmpInst>(I)) { 1317 if (!Cmp->isRelational()) return false; 1318 } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(I)) { 1319 if (BO->getOpcode() != Instruction::Sub) return false; 1320 } else { 1321 return false; 1322 } 1323 return isPointerOperand(I->getOperand(0)) && 1324 isPointerOperand(I->getOperand(1)); 1325 } 1326 1327 bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) { 1328 // If a global variable does not have dynamic initialization we don't 1329 // have to instrument it. However, if a global does not have initializer 1330 // at all, we assume it has dynamic initializer (in other TU). 1331 return G->hasInitializer() && !GlobalsMD.get(G).IsDynInit; 1332 } 1333 1334 void AddressSanitizer::instrumentPointerComparisonOrSubtraction( 1335 Instruction *I) { 1336 IRBuilder<> IRB(I); 1337 Function *F = isa<ICmpInst>(I) ? AsanPtrCmpFunction : AsanPtrSubFunction; 1338 Value *Param[2] = {I->getOperand(0), I->getOperand(1)}; 1339 for (Value *&i : Param) { 1340 if (i->getType()->isPointerTy()) 1341 i = IRB.CreatePointerCast(i, IntptrTy); 1342 } 1343 IRB.CreateCall(F, Param); 1344 } 1345 1346 static void doInstrumentAddress(AddressSanitizer *Pass, Instruction *I, 1347 Instruction *InsertBefore, Value *Addr, 1348 unsigned Alignment, unsigned Granularity, 1349 uint32_t TypeSize, bool IsWrite, 1350 Value *SizeArgument, bool UseCalls, 1351 uint32_t Exp) { 1352 // Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check 1353 // if the data is properly aligned. 1354 if ((TypeSize == 8 || TypeSize == 16 || TypeSize == 32 || TypeSize == 64 || 1355 TypeSize == 128) && 1356 (Alignment >= Granularity || Alignment == 0 || Alignment >= TypeSize / 8)) 1357 return Pass->instrumentAddress(I, InsertBefore, Addr, TypeSize, IsWrite, 1358 nullptr, UseCalls, Exp); 1359 Pass->instrumentUnusualSizeOrAlignment(I, InsertBefore, Addr, TypeSize, 1360 IsWrite, nullptr, UseCalls, Exp); 1361 } 1362 1363 static void instrumentMaskedLoadOrStore(AddressSanitizer *Pass, 1364 const DataLayout &DL, Type *IntptrTy, 1365 Value *Mask, Instruction *I, 1366 Value *Addr, unsigned Alignment, 1367 unsigned Granularity, uint32_t TypeSize, 1368 bool IsWrite, Value *SizeArgument, 1369 bool UseCalls, uint32_t Exp) { 1370 auto *VTy = cast<PointerType>(Addr->getType())->getElementType(); 1371 uint64_t ElemTypeSize = DL.getTypeStoreSizeInBits(VTy->getScalarType()); 1372 unsigned Num = VTy->getVectorNumElements(); 1373 auto Zero = ConstantInt::get(IntptrTy, 0); 1374 for (unsigned Idx = 0; Idx < Num; ++Idx) { 1375 Value *InstrumentedAddress = nullptr; 1376 Instruction *InsertBefore = I; 1377 if (auto *Vector = dyn_cast<ConstantVector>(Mask)) { 1378 // dyn_cast as we might get UndefValue 1379 if (auto *Masked = dyn_cast<ConstantInt>(Vector->getOperand(Idx))) { 1380 if (Masked->isZero()) 1381 // Mask is constant false, so no instrumentation needed. 1382 continue; 1383 // If we have a true or undef value, fall through to doInstrumentAddress 1384 // with InsertBefore == I 1385 } 1386 } else { 1387 IRBuilder<> IRB(I); 1388 Value *MaskElem = IRB.CreateExtractElement(Mask, Idx); 1389 Instruction *ThenTerm = SplitBlockAndInsertIfThen(MaskElem, I, false); 1390 InsertBefore = ThenTerm; 1391 } 1392 1393 IRBuilder<> IRB(InsertBefore); 1394 InstrumentedAddress = 1395 IRB.CreateGEP(Addr, {Zero, ConstantInt::get(IntptrTy, Idx)}); 1396 doInstrumentAddress(Pass, I, InsertBefore, InstrumentedAddress, Alignment, 1397 Granularity, ElemTypeSize, IsWrite, SizeArgument, 1398 UseCalls, Exp); 1399 } 1400 } 1401 1402 void AddressSanitizer::instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis, 1403 Instruction *I, bool UseCalls, 1404 const DataLayout &DL) { 1405 bool IsWrite = false; 1406 unsigned Alignment = 0; 1407 uint64_t TypeSize = 0; 1408 Value *MaybeMask = nullptr; 1409 Value *Addr = 1410 isInterestingMemoryAccess(I, &IsWrite, &TypeSize, &Alignment, &MaybeMask); 1411 assert(Addr); 1412 1413 // Optimization experiments. 1414 // The experiments can be used to evaluate potential optimizations that remove 1415 // instrumentation (assess false negatives). Instead of completely removing 1416 // some instrumentation, you set Exp to a non-zero value (mask of optimization 1417 // experiments that want to remove instrumentation of this instruction). 1418 // If Exp is non-zero, this pass will emit special calls into runtime 1419 // (e.g. __asan_report_exp_load1 instead of __asan_report_load1). These calls 1420 // make runtime terminate the program in a special way (with a different 1421 // exit status). Then you run the new compiler on a buggy corpus, collect 1422 // the special terminations (ideally, you don't see them at all -- no false 1423 // negatives) and make the decision on the optimization. 1424 uint32_t Exp = ClForceExperiment; 1425 1426 if (ClOpt && ClOptGlobals) { 1427 // If initialization order checking is disabled, a simple access to a 1428 // dynamically initialized global is always valid. 1429 GlobalVariable *G = dyn_cast<GlobalVariable>(GetUnderlyingObject(Addr, DL)); 1430 if (G && (!ClInitializers || GlobalIsLinkerInitialized(G)) && 1431 isSafeAccess(ObjSizeVis, Addr, TypeSize)) { 1432 NumOptimizedAccessesToGlobalVar++; 1433 return; 1434 } 1435 } 1436 1437 if (ClOpt && ClOptStack) { 1438 // A direct inbounds access to a stack variable is always valid. 1439 if (isa<AllocaInst>(GetUnderlyingObject(Addr, DL)) && 1440 isSafeAccess(ObjSizeVis, Addr, TypeSize)) { 1441 NumOptimizedAccessesToStackVar++; 1442 return; 1443 } 1444 } 1445 1446 if (IsWrite) 1447 NumInstrumentedWrites++; 1448 else 1449 NumInstrumentedReads++; 1450 1451 unsigned Granularity = 1 << Mapping.Scale; 1452 if (MaybeMask) { 1453 instrumentMaskedLoadOrStore(this, DL, IntptrTy, MaybeMask, I, Addr, 1454 Alignment, Granularity, TypeSize, IsWrite, 1455 nullptr, UseCalls, Exp); 1456 } else { 1457 doInstrumentAddress(this, I, I, Addr, Alignment, Granularity, TypeSize, 1458 IsWrite, nullptr, UseCalls, Exp); 1459 } 1460 } 1461 1462 Instruction *AddressSanitizer::generateCrashCode(Instruction *InsertBefore, 1463 Value *Addr, bool IsWrite, 1464 size_t AccessSizeIndex, 1465 Value *SizeArgument, 1466 uint32_t Exp) { 1467 IRBuilder<> IRB(InsertBefore); 1468 Value *ExpVal = Exp == 0 ? nullptr : ConstantInt::get(IRB.getInt32Ty(), Exp); 1469 CallInst *Call = nullptr; 1470 if (SizeArgument) { 1471 if (Exp == 0) 1472 Call = IRB.CreateCall(AsanErrorCallbackSized[IsWrite][0], 1473 {Addr, SizeArgument}); 1474 else 1475 Call = IRB.CreateCall(AsanErrorCallbackSized[IsWrite][1], 1476 {Addr, SizeArgument, ExpVal}); 1477 } else { 1478 if (Exp == 0) 1479 Call = 1480 IRB.CreateCall(AsanErrorCallback[IsWrite][0][AccessSizeIndex], Addr); 1481 else 1482 Call = IRB.CreateCall(AsanErrorCallback[IsWrite][1][AccessSizeIndex], 1483 {Addr, ExpVal}); 1484 } 1485 1486 // We don't do Call->setDoesNotReturn() because the BB already has 1487 // UnreachableInst at the end. 1488 // This EmptyAsm is required to avoid callback merge. 1489 IRB.CreateCall(EmptyAsm, {}); 1490 return Call; 1491 } 1492 1493 Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 1494 Value *ShadowValue, 1495 uint32_t TypeSize) { 1496 size_t Granularity = static_cast<size_t>(1) << Mapping.Scale; 1497 // Addr & (Granularity - 1) 1498 Value *LastAccessedByte = 1499 IRB.CreateAnd(AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 1500 // (Addr & (Granularity - 1)) + size - 1 1501 if (TypeSize / 8 > 1) 1502 LastAccessedByte = IRB.CreateAdd( 1503 LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 1504 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 1505 LastAccessedByte = 1506 IRB.CreateIntCast(LastAccessedByte, ShadowValue->getType(), false); 1507 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 1508 return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue); 1509 } 1510 1511 void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 1512 Instruction *InsertBefore, Value *Addr, 1513 uint32_t TypeSize, bool IsWrite, 1514 Value *SizeArgument, bool UseCalls, 1515 uint32_t Exp) { 1516 bool IsMyriad = TargetTriple.getVendor() == llvm::Triple::Myriad; 1517 1518 IRBuilder<> IRB(InsertBefore); 1519 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 1520 size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize); 1521 1522 if (UseCalls) { 1523 if (Exp == 0) 1524 IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][0][AccessSizeIndex], 1525 AddrLong); 1526 else 1527 IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][1][AccessSizeIndex], 1528 {AddrLong, ConstantInt::get(IRB.getInt32Ty(), Exp)}); 1529 return; 1530 } 1531 1532 if (IsMyriad) { 1533 // Strip the cache bit and do range check. 1534 // AddrLong &= ~kMyriadCacheBitMask32 1535 AddrLong = IRB.CreateAnd(AddrLong, ~kMyriadCacheBitMask32); 1536 // Tag = AddrLong >> kMyriadTagShift 1537 Value *Tag = IRB.CreateLShr(AddrLong, kMyriadTagShift); 1538 // Tag == kMyriadDDRTag 1539 Value *TagCheck = 1540 IRB.CreateICmpEQ(Tag, ConstantInt::get(IntptrTy, kMyriadDDRTag)); 1541 1542 Instruction *TagCheckTerm = 1543 SplitBlockAndInsertIfThen(TagCheck, InsertBefore, false, 1544 MDBuilder(*C).createBranchWeights(1, 100000)); 1545 assert(cast<BranchInst>(TagCheckTerm)->isUnconditional()); 1546 IRB.SetInsertPoint(TagCheckTerm); 1547 InsertBefore = TagCheckTerm; 1548 } 1549 1550 Type *ShadowTy = 1551 IntegerType::get(*C, std::max(8U, TypeSize >> Mapping.Scale)); 1552 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 1553 Value *ShadowPtr = memToShadow(AddrLong, IRB); 1554 Value *CmpVal = Constant::getNullValue(ShadowTy); 1555 Value *ShadowValue = 1556 IRB.CreateLoad(IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 1557 1558 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 1559 size_t Granularity = 1ULL << Mapping.Scale; 1560 Instruction *CrashTerm = nullptr; 1561 1562 if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) { 1563 // We use branch weights for the slow path check, to indicate that the slow 1564 // path is rarely taken. This seems to be the case for SPEC benchmarks. 1565 Instruction *CheckTerm = SplitBlockAndInsertIfThen( 1566 Cmp, InsertBefore, false, MDBuilder(*C).createBranchWeights(1, 100000)); 1567 assert(cast<BranchInst>(CheckTerm)->isUnconditional()); 1568 BasicBlock *NextBB = CheckTerm->getSuccessor(0); 1569 IRB.SetInsertPoint(CheckTerm); 1570 Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize); 1571 if (Recover) { 1572 CrashTerm = SplitBlockAndInsertIfThen(Cmp2, CheckTerm, false); 1573 } else { 1574 BasicBlock *CrashBlock = 1575 BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); 1576 CrashTerm = new UnreachableInst(*C, CrashBlock); 1577 BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); 1578 ReplaceInstWithInst(CheckTerm, NewTerm); 1579 } 1580 } else { 1581 CrashTerm = SplitBlockAndInsertIfThen(Cmp, InsertBefore, !Recover); 1582 } 1583 1584 Instruction *Crash = generateCrashCode(CrashTerm, AddrLong, IsWrite, 1585 AccessSizeIndex, SizeArgument, Exp); 1586 Crash->setDebugLoc(OrigIns->getDebugLoc()); 1587 } 1588 1589 // Instrument unusual size or unusual alignment. 1590 // We can not do it with a single check, so we do 1-byte check for the first 1591 // and the last bytes. We call __asan_report_*_n(addr, real_size) to be able 1592 // to report the actual access size. 1593 void AddressSanitizer::instrumentUnusualSizeOrAlignment( 1594 Instruction *I, Instruction *InsertBefore, Value *Addr, uint32_t TypeSize, 1595 bool IsWrite, Value *SizeArgument, bool UseCalls, uint32_t Exp) { 1596 IRBuilder<> IRB(InsertBefore); 1597 Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8); 1598 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 1599 if (UseCalls) { 1600 if (Exp == 0) 1601 IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][0], 1602 {AddrLong, Size}); 1603 else 1604 IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][1], 1605 {AddrLong, Size, ConstantInt::get(IRB.getInt32Ty(), Exp)}); 1606 } else { 1607 Value *LastByte = IRB.CreateIntToPtr( 1608 IRB.CreateAdd(AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)), 1609 Addr->getType()); 1610 instrumentAddress(I, InsertBefore, Addr, 8, IsWrite, Size, false, Exp); 1611 instrumentAddress(I, InsertBefore, LastByte, 8, IsWrite, Size, false, Exp); 1612 } 1613 } 1614 1615 void AddressSanitizerModule::poisonOneInitializer(Function &GlobalInit, 1616 GlobalValue *ModuleName) { 1617 // Set up the arguments to our poison/unpoison functions. 1618 IRBuilder<> IRB(&GlobalInit.front(), 1619 GlobalInit.front().getFirstInsertionPt()); 1620 1621 // Add a call to poison all external globals before the given function starts. 1622 Value *ModuleNameAddr = ConstantExpr::getPointerCast(ModuleName, IntptrTy); 1623 IRB.CreateCall(AsanPoisonGlobals, ModuleNameAddr); 1624 1625 // Add calls to unpoison all globals before each return instruction. 1626 for (auto &BB : GlobalInit.getBasicBlockList()) 1627 if (ReturnInst *RI = dyn_cast<ReturnInst>(BB.getTerminator())) 1628 CallInst::Create(AsanUnpoisonGlobals, "", RI); 1629 } 1630 1631 void AddressSanitizerModule::createInitializerPoisonCalls( 1632 Module &M, GlobalValue *ModuleName) { 1633 GlobalVariable *GV = M.getGlobalVariable("llvm.global_ctors"); 1634 if (!GV) 1635 return; 1636 1637 ConstantArray *CA = dyn_cast<ConstantArray>(GV->getInitializer()); 1638 if (!CA) 1639 return; 1640 1641 for (Use &OP : CA->operands()) { 1642 if (isa<ConstantAggregateZero>(OP)) continue; 1643 ConstantStruct *CS = cast<ConstantStruct>(OP); 1644 1645 // Must have a function or null ptr. 1646 if (Function *F = dyn_cast<Function>(CS->getOperand(1))) { 1647 if (F->getName() == kAsanModuleCtorName) continue; 1648 ConstantInt *Priority = dyn_cast<ConstantInt>(CS->getOperand(0)); 1649 // Don't instrument CTORs that will run before asan.module_ctor. 1650 if (Priority->getLimitedValue() <= kAsanCtorAndDtorPriority) continue; 1651 poisonOneInitializer(*F, ModuleName); 1652 } 1653 } 1654 } 1655 1656 bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) { 1657 Type *Ty = G->getValueType(); 1658 LLVM_DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); 1659 1660 if (GlobalsMD.get(G).IsBlacklisted) return false; 1661 if (!Ty->isSized()) return false; 1662 if (!G->hasInitializer()) return false; 1663 if (GlobalWasGeneratedByCompiler(G)) return false; // Our own globals. 1664 // Two problems with thread-locals: 1665 // - The address of the main thread's copy can't be computed at link-time. 1666 // - Need to poison all copies, not just the main thread's one. 1667 if (G->isThreadLocal()) return false; 1668 // For now, just ignore this Global if the alignment is large. 1669 if (G->getAlignment() > MinRedzoneSizeForGlobal()) return false; 1670 1671 // For non-COFF targets, only instrument globals known to be defined by this 1672 // TU. 1673 // FIXME: We can instrument comdat globals on ELF if we are using the 1674 // GC-friendly metadata scheme. 1675 if (!TargetTriple.isOSBinFormatCOFF()) { 1676 if (!G->hasExactDefinition() || G->hasComdat()) 1677 return false; 1678 } else { 1679 // On COFF, don't instrument non-ODR linkages. 1680 if (G->isInterposable()) 1681 return false; 1682 } 1683 1684 // If a comdat is present, it must have a selection kind that implies ODR 1685 // semantics: no duplicates, any, or exact match. 1686 if (Comdat *C = G->getComdat()) { 1687 switch (C->getSelectionKind()) { 1688 case Comdat::Any: 1689 case Comdat::ExactMatch: 1690 case Comdat::NoDuplicates: 1691 break; 1692 case Comdat::Largest: 1693 case Comdat::SameSize: 1694 return false; 1695 } 1696 } 1697 1698 if (G->hasSection()) { 1699 StringRef Section = G->getSection(); 1700 1701 // Globals from llvm.metadata aren't emitted, do not instrument them. 1702 if (Section == "llvm.metadata") return false; 1703 // Do not instrument globals from special LLVM sections. 1704 if (Section.find("__llvm") != StringRef::npos || Section.find("__LLVM") != StringRef::npos) return false; 1705 1706 // Do not instrument function pointers to initialization and termination 1707 // routines: dynamic linker will not properly handle redzones. 1708 if (Section.startswith(".preinit_array") || 1709 Section.startswith(".init_array") || 1710 Section.startswith(".fini_array")) { 1711 return false; 1712 } 1713 1714 // On COFF, if the section name contains '$', it is highly likely that the 1715 // user is using section sorting to create an array of globals similar to 1716 // the way initialization callbacks are registered in .init_array and 1717 // .CRT$XCU. The ATL also registers things in .ATL$__[azm]. Adding redzones 1718 // to such globals is counterproductive, because the intent is that they 1719 // will form an array, and out-of-bounds accesses are expected. 1720 // See https://github.com/google/sanitizers/issues/305 1721 // and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx 1722 if (TargetTriple.isOSBinFormatCOFF() && Section.contains('$')) { 1723 LLVM_DEBUG(dbgs() << "Ignoring global in sorted section (contains '$'): " 1724 << *G << "\n"); 1725 return false; 1726 } 1727 1728 if (TargetTriple.isOSBinFormatMachO()) { 1729 StringRef ParsedSegment, ParsedSection; 1730 unsigned TAA = 0, StubSize = 0; 1731 bool TAAParsed; 1732 std::string ErrorCode = MCSectionMachO::ParseSectionSpecifier( 1733 Section, ParsedSegment, ParsedSection, TAA, TAAParsed, StubSize); 1734 assert(ErrorCode.empty() && "Invalid section specifier."); 1735 1736 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 1737 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 1738 // them. 1739 if (ParsedSegment == "__OBJC" || 1740 (ParsedSegment == "__DATA" && ParsedSection.startswith("__objc_"))) { 1741 LLVM_DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G << "\n"); 1742 return false; 1743 } 1744 // See https://github.com/google/sanitizers/issues/32 1745 // Constant CFString instances are compiled in the following way: 1746 // -- the string buffer is emitted into 1747 // __TEXT,__cstring,cstring_literals 1748 // -- the constant NSConstantString structure referencing that buffer 1749 // is placed into __DATA,__cfstring 1750 // Therefore there's no point in placing redzones into __DATA,__cfstring. 1751 // Moreover, it causes the linker to crash on OS X 10.7 1752 if (ParsedSegment == "__DATA" && ParsedSection == "__cfstring") { 1753 LLVM_DEBUG(dbgs() << "Ignoring CFString: " << *G << "\n"); 1754 return false; 1755 } 1756 // The linker merges the contents of cstring_literals and removes the 1757 // trailing zeroes. 1758 if (ParsedSegment == "__TEXT" && (TAA & MachO::S_CSTRING_LITERALS)) { 1759 LLVM_DEBUG(dbgs() << "Ignoring a cstring literal: " << *G << "\n"); 1760 return false; 1761 } 1762 } 1763 } 1764 1765 return true; 1766 } 1767 1768 // On Mach-O platforms, we emit global metadata in a separate section of the 1769 // binary in order to allow the linker to properly dead strip. This is only 1770 // supported on recent versions of ld64. 1771 bool AddressSanitizerModule::ShouldUseMachOGlobalsSection() const { 1772 if (!TargetTriple.isOSBinFormatMachO()) 1773 return false; 1774 1775 if (TargetTriple.isMacOSX() && !TargetTriple.isMacOSXVersionLT(10, 11)) 1776 return true; 1777 if (TargetTriple.isiOS() /* or tvOS */ && !TargetTriple.isOSVersionLT(9)) 1778 return true; 1779 if (TargetTriple.isWatchOS() && !TargetTriple.isOSVersionLT(2)) 1780 return true; 1781 1782 return false; 1783 } 1784 1785 StringRef AddressSanitizerModule::getGlobalMetadataSection() const { 1786 switch (TargetTriple.getObjectFormat()) { 1787 case Triple::COFF: return ".ASAN$GL"; 1788 case Triple::ELF: return "asan_globals"; 1789 case Triple::MachO: return "__DATA,__asan_globals,regular"; 1790 default: break; 1791 } 1792 llvm_unreachable("unsupported object format"); 1793 } 1794 1795 void AddressSanitizerModule::initializeCallbacks(Module &M) { 1796 IRBuilder<> IRB(*C); 1797 1798 // Declare our poisoning and unpoisoning functions. 1799 AsanPoisonGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1800 kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy)); 1801 AsanPoisonGlobals->setLinkage(Function::ExternalLinkage); 1802 AsanUnpoisonGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1803 kAsanUnpoisonGlobalsName, IRB.getVoidTy())); 1804 AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage); 1805 1806 // Declare functions that register/unregister globals. 1807 AsanRegisterGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1808 kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy)); 1809 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 1810 AsanUnregisterGlobals = checkSanitizerInterfaceFunction( 1811 M.getOrInsertFunction(kAsanUnregisterGlobalsName, IRB.getVoidTy(), 1812 IntptrTy, IntptrTy)); 1813 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 1814 1815 // Declare the functions that find globals in a shared object and then invoke 1816 // the (un)register function on them. 1817 AsanRegisterImageGlobals = 1818 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1819 kAsanRegisterImageGlobalsName, IRB.getVoidTy(), IntptrTy)); 1820 AsanRegisterImageGlobals->setLinkage(Function::ExternalLinkage); 1821 1822 AsanUnregisterImageGlobals = 1823 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1824 kAsanUnregisterImageGlobalsName, IRB.getVoidTy(), IntptrTy)); 1825 AsanUnregisterImageGlobals->setLinkage(Function::ExternalLinkage); 1826 1827 AsanRegisterElfGlobals = checkSanitizerInterfaceFunction( 1828 M.getOrInsertFunction(kAsanRegisterElfGlobalsName, IRB.getVoidTy(), 1829 IntptrTy, IntptrTy, IntptrTy)); 1830 AsanRegisterElfGlobals->setLinkage(Function::ExternalLinkage); 1831 1832 AsanUnregisterElfGlobals = checkSanitizerInterfaceFunction( 1833 M.getOrInsertFunction(kAsanUnregisterElfGlobalsName, IRB.getVoidTy(), 1834 IntptrTy, IntptrTy, IntptrTy)); 1835 AsanUnregisterElfGlobals->setLinkage(Function::ExternalLinkage); 1836 } 1837 1838 // Put the metadata and the instrumented global in the same group. This ensures 1839 // that the metadata is discarded if the instrumented global is discarded. 1840 void AddressSanitizerModule::SetComdatForGlobalMetadata( 1841 GlobalVariable *G, GlobalVariable *Metadata, StringRef InternalSuffix) { 1842 Module &M = *G->getParent(); 1843 Comdat *C = G->getComdat(); 1844 if (!C) { 1845 if (!G->hasName()) { 1846 // If G is unnamed, it must be internal. Give it an artificial name 1847 // so we can put it in a comdat. 1848 assert(G->hasLocalLinkage()); 1849 G->setName(Twine(kAsanGenPrefix) + "_anon_global"); 1850 } 1851 1852 if (!InternalSuffix.empty() && G->hasLocalLinkage()) { 1853 std::string Name = G->getName(); 1854 Name += InternalSuffix; 1855 C = M.getOrInsertComdat(Name); 1856 } else { 1857 C = M.getOrInsertComdat(G->getName()); 1858 } 1859 1860 // Make this IMAGE_COMDAT_SELECT_NODUPLICATES on COFF. Also upgrade private 1861 // linkage to internal linkage so that a symbol table entry is emitted. This 1862 // is necessary in order to create the comdat group. 1863 if (TargetTriple.isOSBinFormatCOFF()) { 1864 C->setSelectionKind(Comdat::NoDuplicates); 1865 if (G->hasPrivateLinkage()) 1866 G->setLinkage(GlobalValue::InternalLinkage); 1867 } 1868 G->setComdat(C); 1869 } 1870 1871 assert(G->hasComdat()); 1872 Metadata->setComdat(G->getComdat()); 1873 } 1874 1875 // Create a separate metadata global and put it in the appropriate ASan 1876 // global registration section. 1877 GlobalVariable * 1878 AddressSanitizerModule::CreateMetadataGlobal(Module &M, Constant *Initializer, 1879 StringRef OriginalName) { 1880 auto Linkage = TargetTriple.isOSBinFormatMachO() 1881 ? GlobalVariable::InternalLinkage 1882 : GlobalVariable::PrivateLinkage; 1883 GlobalVariable *Metadata = new GlobalVariable( 1884 M, Initializer->getType(), false, Linkage, Initializer, 1885 Twine("__asan_global_") + GlobalValue::dropLLVMManglingEscape(OriginalName)); 1886 Metadata->setSection(getGlobalMetadataSection()); 1887 return Metadata; 1888 } 1889 1890 IRBuilder<> AddressSanitizerModule::CreateAsanModuleDtor(Module &M) { 1891 AsanDtorFunction = 1892 Function::Create(FunctionType::get(Type::getVoidTy(*C), false), 1893 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 1894 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 1895 1896 return IRBuilder<>(ReturnInst::Create(*C, AsanDtorBB)); 1897 } 1898 1899 void AddressSanitizerModule::InstrumentGlobalsCOFF( 1900 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 1901 ArrayRef<Constant *> MetadataInitializers) { 1902 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 1903 auto &DL = M.getDataLayout(); 1904 1905 for (size_t i = 0; i < ExtendedGlobals.size(); i++) { 1906 Constant *Initializer = MetadataInitializers[i]; 1907 GlobalVariable *G = ExtendedGlobals[i]; 1908 GlobalVariable *Metadata = 1909 CreateMetadataGlobal(M, Initializer, G->getName()); 1910 1911 // The MSVC linker always inserts padding when linking incrementally. We 1912 // cope with that by aligning each struct to its size, which must be a power 1913 // of two. 1914 unsigned SizeOfGlobalStruct = DL.getTypeAllocSize(Initializer->getType()); 1915 assert(isPowerOf2_32(SizeOfGlobalStruct) && 1916 "global metadata will not be padded appropriately"); 1917 Metadata->setAlignment(SizeOfGlobalStruct); 1918 1919 SetComdatForGlobalMetadata(G, Metadata, ""); 1920 } 1921 } 1922 1923 void AddressSanitizerModule::InstrumentGlobalsELF( 1924 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 1925 ArrayRef<Constant *> MetadataInitializers, 1926 const std::string &UniqueModuleId) { 1927 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 1928 1929 SmallVector<GlobalValue *, 16> MetadataGlobals(ExtendedGlobals.size()); 1930 for (size_t i = 0; i < ExtendedGlobals.size(); i++) { 1931 GlobalVariable *G = ExtendedGlobals[i]; 1932 GlobalVariable *Metadata = 1933 CreateMetadataGlobal(M, MetadataInitializers[i], G->getName()); 1934 MDNode *MD = MDNode::get(M.getContext(), ValueAsMetadata::get(G)); 1935 Metadata->setMetadata(LLVMContext::MD_associated, MD); 1936 MetadataGlobals[i] = Metadata; 1937 1938 SetComdatForGlobalMetadata(G, Metadata, UniqueModuleId); 1939 } 1940 1941 // Update llvm.compiler.used, adding the new metadata globals. This is 1942 // needed so that during LTO these variables stay alive. 1943 if (!MetadataGlobals.empty()) 1944 appendToCompilerUsed(M, MetadataGlobals); 1945 1946 // RegisteredFlag serves two purposes. First, we can pass it to dladdr() 1947 // to look up the loaded image that contains it. Second, we can store in it 1948 // whether registration has already occurred, to prevent duplicate 1949 // registration. 1950 // 1951 // Common linkage ensures that there is only one global per shared library. 1952 GlobalVariable *RegisteredFlag = new GlobalVariable( 1953 M, IntptrTy, false, GlobalVariable::CommonLinkage, 1954 ConstantInt::get(IntptrTy, 0), kAsanGlobalsRegisteredFlagName); 1955 RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility); 1956 1957 // Create start and stop symbols. 1958 GlobalVariable *StartELFMetadata = new GlobalVariable( 1959 M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr, 1960 "__start_" + getGlobalMetadataSection()); 1961 StartELFMetadata->setVisibility(GlobalVariable::HiddenVisibility); 1962 GlobalVariable *StopELFMetadata = new GlobalVariable( 1963 M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr, 1964 "__stop_" + getGlobalMetadataSection()); 1965 StopELFMetadata->setVisibility(GlobalVariable::HiddenVisibility); 1966 1967 // Create a call to register the globals with the runtime. 1968 IRB.CreateCall(AsanRegisterElfGlobals, 1969 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy), 1970 IRB.CreatePointerCast(StartELFMetadata, IntptrTy), 1971 IRB.CreatePointerCast(StopELFMetadata, IntptrTy)}); 1972 1973 // We also need to unregister globals at the end, e.g., when a shared library 1974 // gets closed. 1975 IRBuilder<> IRB_Dtor = CreateAsanModuleDtor(M); 1976 IRB_Dtor.CreateCall(AsanUnregisterElfGlobals, 1977 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy), 1978 IRB.CreatePointerCast(StartELFMetadata, IntptrTy), 1979 IRB.CreatePointerCast(StopELFMetadata, IntptrTy)}); 1980 } 1981 1982 void AddressSanitizerModule::InstrumentGlobalsMachO( 1983 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 1984 ArrayRef<Constant *> MetadataInitializers) { 1985 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 1986 1987 // On recent Mach-O platforms, use a structure which binds the liveness of 1988 // the global variable to the metadata struct. Keep the list of "Liveness" GV 1989 // created to be added to llvm.compiler.used 1990 StructType *LivenessTy = StructType::get(IntptrTy, IntptrTy); 1991 SmallVector<GlobalValue *, 16> LivenessGlobals(ExtendedGlobals.size()); 1992 1993 for (size_t i = 0; i < ExtendedGlobals.size(); i++) { 1994 Constant *Initializer = MetadataInitializers[i]; 1995 GlobalVariable *G = ExtendedGlobals[i]; 1996 GlobalVariable *Metadata = 1997 CreateMetadataGlobal(M, Initializer, G->getName()); 1998 1999 // On recent Mach-O platforms, we emit the global metadata in a way that 2000 // allows the linker to properly strip dead globals. 2001 auto LivenessBinder = 2002 ConstantStruct::get(LivenessTy, Initializer->getAggregateElement(0u), 2003 ConstantExpr::getPointerCast(Metadata, IntptrTy)); 2004 GlobalVariable *Liveness = new GlobalVariable( 2005 M, LivenessTy, false, GlobalVariable::InternalLinkage, LivenessBinder, 2006 Twine("__asan_binder_") + G->getName()); 2007 Liveness->setSection("__DATA,__asan_liveness,regular,live_support"); 2008 LivenessGlobals[i] = Liveness; 2009 } 2010 2011 // Update llvm.compiler.used, adding the new liveness globals. This is 2012 // needed so that during LTO these variables stay alive. The alternative 2013 // would be to have the linker handling the LTO symbols, but libLTO 2014 // current API does not expose access to the section for each symbol. 2015 if (!LivenessGlobals.empty()) 2016 appendToCompilerUsed(M, LivenessGlobals); 2017 2018 // RegisteredFlag serves two purposes. First, we can pass it to dladdr() 2019 // to look up the loaded image that contains it. Second, we can store in it 2020 // whether registration has already occurred, to prevent duplicate 2021 // registration. 2022 // 2023 // common linkage ensures that there is only one global per shared library. 2024 GlobalVariable *RegisteredFlag = new GlobalVariable( 2025 M, IntptrTy, false, GlobalVariable::CommonLinkage, 2026 ConstantInt::get(IntptrTy, 0), kAsanGlobalsRegisteredFlagName); 2027 RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility); 2028 2029 IRB.CreateCall(AsanRegisterImageGlobals, 2030 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy)}); 2031 2032 // We also need to unregister globals at the end, e.g., when a shared library 2033 // gets closed. 2034 IRBuilder<> IRB_Dtor = CreateAsanModuleDtor(M); 2035 IRB_Dtor.CreateCall(AsanUnregisterImageGlobals, 2036 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy)}); 2037 } 2038 2039 void AddressSanitizerModule::InstrumentGlobalsWithMetadataArray( 2040 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 2041 ArrayRef<Constant *> MetadataInitializers) { 2042 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 2043 unsigned N = ExtendedGlobals.size(); 2044 assert(N > 0); 2045 2046 // On platforms that don't have a custom metadata section, we emit an array 2047 // of global metadata structures. 2048 ArrayType *ArrayOfGlobalStructTy = 2049 ArrayType::get(MetadataInitializers[0]->getType(), N); 2050 auto AllGlobals = new GlobalVariable( 2051 M, ArrayOfGlobalStructTy, false, GlobalVariable::InternalLinkage, 2052 ConstantArray::get(ArrayOfGlobalStructTy, MetadataInitializers), ""); 2053 if (Mapping.Scale > 3) 2054 AllGlobals->setAlignment(1ULL << Mapping.Scale); 2055 2056 IRB.CreateCall(AsanRegisterGlobals, 2057 {IRB.CreatePointerCast(AllGlobals, IntptrTy), 2058 ConstantInt::get(IntptrTy, N)}); 2059 2060 // We also need to unregister globals at the end, e.g., when a shared library 2061 // gets closed. 2062 IRBuilder<> IRB_Dtor = CreateAsanModuleDtor(M); 2063 IRB_Dtor.CreateCall(AsanUnregisterGlobals, 2064 {IRB.CreatePointerCast(AllGlobals, IntptrTy), 2065 ConstantInt::get(IntptrTy, N)}); 2066 } 2067 2068 // This function replaces all global variables with new variables that have 2069 // trailing redzones. It also creates a function that poisons 2070 // redzones and inserts this function into llvm.global_ctors. 2071 // Sets *CtorComdat to true if the global registration code emitted into the 2072 // asan constructor is comdat-compatible. 2073 bool AddressSanitizerModule::InstrumentGlobals(IRBuilder<> &IRB, Module &M, bool *CtorComdat) { 2074 *CtorComdat = false; 2075 GlobalsMD.init(M); 2076 2077 SmallVector<GlobalVariable *, 16> GlobalsToChange; 2078 2079 for (auto &G : M.globals()) { 2080 if (ShouldInstrumentGlobal(&G)) GlobalsToChange.push_back(&G); 2081 } 2082 2083 size_t n = GlobalsToChange.size(); 2084 if (n == 0) { 2085 *CtorComdat = true; 2086 return false; 2087 } 2088 2089 auto &DL = M.getDataLayout(); 2090 2091 // A global is described by a structure 2092 // size_t beg; 2093 // size_t size; 2094 // size_t size_with_redzone; 2095 // const char *name; 2096 // const char *module_name; 2097 // size_t has_dynamic_init; 2098 // void *source_location; 2099 // size_t odr_indicator; 2100 // We initialize an array of such structures and pass it to a run-time call. 2101 StructType *GlobalStructTy = 2102 StructType::get(IntptrTy, IntptrTy, IntptrTy, IntptrTy, IntptrTy, 2103 IntptrTy, IntptrTy, IntptrTy); 2104 SmallVector<GlobalVariable *, 16> NewGlobals(n); 2105 SmallVector<Constant *, 16> Initializers(n); 2106 2107 bool HasDynamicallyInitializedGlobals = false; 2108 2109 // We shouldn't merge same module names, as this string serves as unique 2110 // module ID in runtime. 2111 GlobalVariable *ModuleName = createPrivateGlobalForString( 2112 M, M.getModuleIdentifier(), /*AllowMerging*/ false, kAsanGenPrefix); 2113 2114 for (size_t i = 0; i < n; i++) { 2115 static const uint64_t kMaxGlobalRedzone = 1 << 18; 2116 GlobalVariable *G = GlobalsToChange[i]; 2117 2118 auto MD = GlobalsMD.get(G); 2119 StringRef NameForGlobal = G->getName(); 2120 // Create string holding the global name (use global name from metadata 2121 // if it's available, otherwise just write the name of global variable). 2122 GlobalVariable *Name = createPrivateGlobalForString( 2123 M, MD.Name.empty() ? NameForGlobal : MD.Name, 2124 /*AllowMerging*/ true, kAsanGenPrefix); 2125 2126 Type *Ty = G->getValueType(); 2127 uint64_t SizeInBytes = DL.getTypeAllocSize(Ty); 2128 uint64_t MinRZ = MinRedzoneSizeForGlobal(); 2129 // MinRZ <= RZ <= kMaxGlobalRedzone 2130 // and trying to make RZ to be ~ 1/4 of SizeInBytes. 2131 uint64_t RZ = std::max( 2132 MinRZ, std::min(kMaxGlobalRedzone, (SizeInBytes / MinRZ / 4) * MinRZ)); 2133 uint64_t RightRedzoneSize = RZ; 2134 // Round up to MinRZ 2135 if (SizeInBytes % MinRZ) RightRedzoneSize += MinRZ - (SizeInBytes % MinRZ); 2136 assert(((RightRedzoneSize + SizeInBytes) % MinRZ) == 0); 2137 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 2138 2139 StructType *NewTy = StructType::get(Ty, RightRedZoneTy); 2140 Constant *NewInitializer = ConstantStruct::get( 2141 NewTy, G->getInitializer(), Constant::getNullValue(RightRedZoneTy)); 2142 2143 // Create a new global variable with enough space for a redzone. 2144 GlobalValue::LinkageTypes Linkage = G->getLinkage(); 2145 if (G->isConstant() && Linkage == GlobalValue::PrivateLinkage) 2146 Linkage = GlobalValue::InternalLinkage; 2147 GlobalVariable *NewGlobal = 2148 new GlobalVariable(M, NewTy, G->isConstant(), Linkage, NewInitializer, 2149 "", G, G->getThreadLocalMode()); 2150 NewGlobal->copyAttributesFrom(G); 2151 NewGlobal->setComdat(G->getComdat()); 2152 NewGlobal->setAlignment(MinRZ); 2153 2154 // Move null-terminated C strings to "__asan_cstring" section on Darwin. 2155 if (TargetTriple.isOSBinFormatMachO() && !G->hasSection() && 2156 G->isConstant()) { 2157 auto Seq = dyn_cast<ConstantDataSequential>(G->getInitializer()); 2158 if (Seq && Seq->isCString()) 2159 NewGlobal->setSection("__TEXT,__asan_cstring,regular"); 2160 } 2161 2162 // Transfer the debug info. The payload starts at offset zero so we can 2163 // copy the debug info over as is. 2164 SmallVector<DIGlobalVariableExpression *, 1> GVs; 2165 G->getDebugInfo(GVs); 2166 for (auto *GV : GVs) 2167 NewGlobal->addDebugInfo(GV); 2168 2169 Value *Indices2[2]; 2170 Indices2[0] = IRB.getInt32(0); 2171 Indices2[1] = IRB.getInt32(0); 2172 2173 G->replaceAllUsesWith( 2174 ConstantExpr::getGetElementPtr(NewTy, NewGlobal, Indices2, true)); 2175 NewGlobal->takeName(G); 2176 G->eraseFromParent(); 2177 NewGlobals[i] = NewGlobal; 2178 2179 Constant *SourceLoc; 2180 if (!MD.SourceLoc.empty()) { 2181 auto SourceLocGlobal = createPrivateGlobalForSourceLoc(M, MD.SourceLoc); 2182 SourceLoc = ConstantExpr::getPointerCast(SourceLocGlobal, IntptrTy); 2183 } else { 2184 SourceLoc = ConstantInt::get(IntptrTy, 0); 2185 } 2186 2187 Constant *ODRIndicator = ConstantExpr::getNullValue(IRB.getInt8PtrTy()); 2188 GlobalValue *InstrumentedGlobal = NewGlobal; 2189 2190 bool CanUsePrivateAliases = 2191 TargetTriple.isOSBinFormatELF() || TargetTriple.isOSBinFormatMachO() || 2192 TargetTriple.isOSBinFormatWasm(); 2193 if (CanUsePrivateAliases && UsePrivateAlias) { 2194 // Create local alias for NewGlobal to avoid crash on ODR between 2195 // instrumented and non-instrumented libraries. 2196 InstrumentedGlobal = 2197 GlobalAlias::create(GlobalValue::PrivateLinkage, "", NewGlobal); 2198 } 2199 2200 // ODR check is not useful for the following, but we see false reports 2201 // caused by linker optimizations. 2202 if (NewGlobal->hasLocalLinkage() || NewGlobal->hasLinkOnceODRLinkage() || 2203 NewGlobal->hasWeakODRLinkage()) { 2204 ODRIndicator = ConstantExpr::getIntToPtr(ConstantInt::get(IntptrTy, -1), 2205 IRB.getInt8PtrTy()); 2206 } else if (UseOdrIndicator) { 2207 // With local aliases, we need to provide another externally visible 2208 // symbol __odr_asan_XXX to detect ODR violation. 2209 auto *ODRIndicatorSym = 2210 new GlobalVariable(M, IRB.getInt8Ty(), false, Linkage, 2211 Constant::getNullValue(IRB.getInt8Ty()), 2212 kODRGenPrefix + NameForGlobal, nullptr, 2213 NewGlobal->getThreadLocalMode()); 2214 2215 // Set meaningful attributes for indicator symbol. 2216 ODRIndicatorSym->setVisibility(NewGlobal->getVisibility()); 2217 ODRIndicatorSym->setDLLStorageClass(NewGlobal->getDLLStorageClass()); 2218 ODRIndicatorSym->setAlignment(1); 2219 ODRIndicator = ODRIndicatorSym; 2220 } 2221 2222 Constant *Initializer = ConstantStruct::get( 2223 GlobalStructTy, 2224 ConstantExpr::getPointerCast(InstrumentedGlobal, IntptrTy), 2225 ConstantInt::get(IntptrTy, SizeInBytes), 2226 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 2227 ConstantExpr::getPointerCast(Name, IntptrTy), 2228 ConstantExpr::getPointerCast(ModuleName, IntptrTy), 2229 ConstantInt::get(IntptrTy, MD.IsDynInit), SourceLoc, 2230 ConstantExpr::getPointerCast(ODRIndicator, IntptrTy)); 2231 2232 if (ClInitializers && MD.IsDynInit) HasDynamicallyInitializedGlobals = true; 2233 2234 LLVM_DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); 2235 2236 Initializers[i] = Initializer; 2237 } 2238 2239 // Add instrumented globals to llvm.compiler.used list to avoid LTO from 2240 // ConstantMerge'ing them. 2241 SmallVector<GlobalValue *, 16> GlobalsToAddToUsedList; 2242 for (size_t i = 0; i < n; i++) { 2243 GlobalVariable *G = NewGlobals[i]; 2244 if (G->getName().empty()) continue; 2245 GlobalsToAddToUsedList.push_back(G); 2246 } 2247 appendToCompilerUsed(M, ArrayRef<GlobalValue *>(GlobalsToAddToUsedList)); 2248 2249 std::string ELFUniqueModuleId = 2250 (UseGlobalsGC && TargetTriple.isOSBinFormatELF()) ? getUniqueModuleId(&M) 2251 : ""; 2252 2253 if (!ELFUniqueModuleId.empty()) { 2254 InstrumentGlobalsELF(IRB, M, NewGlobals, Initializers, ELFUniqueModuleId); 2255 *CtorComdat = true; 2256 } else if (UseGlobalsGC && TargetTriple.isOSBinFormatCOFF()) { 2257 InstrumentGlobalsCOFF(IRB, M, NewGlobals, Initializers); 2258 } else if (UseGlobalsGC && ShouldUseMachOGlobalsSection()) { 2259 InstrumentGlobalsMachO(IRB, M, NewGlobals, Initializers); 2260 } else { 2261 InstrumentGlobalsWithMetadataArray(IRB, M, NewGlobals, Initializers); 2262 } 2263 2264 // Create calls for poisoning before initializers run and unpoisoning after. 2265 if (HasDynamicallyInitializedGlobals) 2266 createInitializerPoisonCalls(M, ModuleName); 2267 2268 LLVM_DEBUG(dbgs() << M); 2269 return true; 2270 } 2271 2272 int AddressSanitizerModule::GetAsanVersion(const Module &M) const { 2273 int LongSize = M.getDataLayout().getPointerSizeInBits(); 2274 bool isAndroid = Triple(M.getTargetTriple()).isAndroid(); 2275 int Version = 8; 2276 // 32-bit Android is one version ahead because of the switch to dynamic 2277 // shadow. 2278 Version += (LongSize == 32 && isAndroid); 2279 return Version; 2280 } 2281 2282 bool AddressSanitizerModule::runOnModule(Module &M) { 2283 C = &(M.getContext()); 2284 int LongSize = M.getDataLayout().getPointerSizeInBits(); 2285 IntptrTy = Type::getIntNTy(*C, LongSize); 2286 TargetTriple = Triple(M.getTargetTriple()); 2287 Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel); 2288 initializeCallbacks(M); 2289 2290 if (CompileKernel) 2291 return false; 2292 2293 // Create a module constructor. A destructor is created lazily because not all 2294 // platforms, and not all modules need it. 2295 std::string VersionCheckName = 2296 kAsanVersionCheckNamePrefix + std::to_string(GetAsanVersion(M)); 2297 std::tie(AsanCtorFunction, std::ignore) = createSanitizerCtorAndInitFunctions( 2298 M, kAsanModuleCtorName, kAsanInitName, /*InitArgTypes=*/{}, 2299 /*InitArgs=*/{}, VersionCheckName); 2300 2301 bool CtorComdat = true; 2302 bool Changed = false; 2303 // TODO(glider): temporarily disabled globals instrumentation for KASan. 2304 if (ClGlobals) { 2305 IRBuilder<> IRB(AsanCtorFunction->getEntryBlock().getTerminator()); 2306 Changed |= InstrumentGlobals(IRB, M, &CtorComdat); 2307 } 2308 2309 // Put the constructor and destructor in comdat if both 2310 // (1) global instrumentation is not TU-specific 2311 // (2) target is ELF. 2312 if (UseCtorComdat && TargetTriple.isOSBinFormatELF() && CtorComdat) { 2313 AsanCtorFunction->setComdat(M.getOrInsertComdat(kAsanModuleCtorName)); 2314 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndDtorPriority, 2315 AsanCtorFunction); 2316 if (AsanDtorFunction) { 2317 AsanDtorFunction->setComdat(M.getOrInsertComdat(kAsanModuleDtorName)); 2318 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndDtorPriority, 2319 AsanDtorFunction); 2320 } 2321 } else { 2322 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndDtorPriority); 2323 if (AsanDtorFunction) 2324 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndDtorPriority); 2325 } 2326 2327 return Changed; 2328 } 2329 2330 void AddressSanitizer::initializeCallbacks(Module &M) { 2331 IRBuilder<> IRB(*C); 2332 // Create __asan_report* callbacks. 2333 // IsWrite, TypeSize and Exp are encoded in the function name. 2334 for (int Exp = 0; Exp < 2; Exp++) { 2335 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 2336 const std::string TypeStr = AccessIsWrite ? "store" : "load"; 2337 const std::string ExpStr = Exp ? "exp_" : ""; 2338 const std::string EndingStr = Recover ? "_noabort" : ""; 2339 2340 SmallVector<Type *, 3> Args2 = {IntptrTy, IntptrTy}; 2341 SmallVector<Type *, 2> Args1{1, IntptrTy}; 2342 if (Exp) { 2343 Type *ExpType = Type::getInt32Ty(*C); 2344 Args2.push_back(ExpType); 2345 Args1.push_back(ExpType); 2346 } 2347 AsanErrorCallbackSized[AccessIsWrite][Exp] = 2348 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2349 kAsanReportErrorTemplate + ExpStr + TypeStr + "_n" + EndingStr, 2350 FunctionType::get(IRB.getVoidTy(), Args2, false))); 2351 2352 AsanMemoryAccessCallbackSized[AccessIsWrite][Exp] = 2353 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2354 ClMemoryAccessCallbackPrefix + ExpStr + TypeStr + "N" + EndingStr, 2355 FunctionType::get(IRB.getVoidTy(), Args2, false))); 2356 2357 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 2358 AccessSizeIndex++) { 2359 const std::string Suffix = TypeStr + itostr(1ULL << AccessSizeIndex); 2360 AsanErrorCallback[AccessIsWrite][Exp][AccessSizeIndex] = 2361 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2362 kAsanReportErrorTemplate + ExpStr + Suffix + EndingStr, 2363 FunctionType::get(IRB.getVoidTy(), Args1, false))); 2364 2365 AsanMemoryAccessCallback[AccessIsWrite][Exp][AccessSizeIndex] = 2366 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2367 ClMemoryAccessCallbackPrefix + ExpStr + Suffix + EndingStr, 2368 FunctionType::get(IRB.getVoidTy(), Args1, false))); 2369 } 2370 } 2371 } 2372 2373 const std::string MemIntrinCallbackPrefix = 2374 CompileKernel ? std::string("") : ClMemoryAccessCallbackPrefix; 2375 AsanMemmove = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2376 MemIntrinCallbackPrefix + "memmove", IRB.getInt8PtrTy(), 2377 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IntptrTy)); 2378 AsanMemcpy = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2379 MemIntrinCallbackPrefix + "memcpy", IRB.getInt8PtrTy(), 2380 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IntptrTy)); 2381 AsanMemset = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2382 MemIntrinCallbackPrefix + "memset", IRB.getInt8PtrTy(), 2383 IRB.getInt8PtrTy(), IRB.getInt32Ty(), IntptrTy)); 2384 2385 AsanHandleNoReturnFunc = checkSanitizerInterfaceFunction( 2386 M.getOrInsertFunction(kAsanHandleNoReturnName, IRB.getVoidTy())); 2387 2388 AsanPtrCmpFunction = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2389 kAsanPtrCmp, IRB.getVoidTy(), IntptrTy, IntptrTy)); 2390 AsanPtrSubFunction = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2391 kAsanPtrSub, IRB.getVoidTy(), IntptrTy, IntptrTy)); 2392 // We insert an empty inline asm after __asan_report* to avoid callback merge. 2393 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 2394 StringRef(""), StringRef(""), 2395 /*hasSideEffects=*/true); 2396 if (Mapping.InGlobal) 2397 AsanShadowGlobal = M.getOrInsertGlobal("__asan_shadow", 2398 ArrayType::get(IRB.getInt8Ty(), 0)); 2399 } 2400 2401 // virtual 2402 bool AddressSanitizer::doInitialization(Module &M) { 2403 // Initialize the private fields. No one has accessed them before. 2404 GlobalsMD.init(M); 2405 2406 C = &(M.getContext()); 2407 LongSize = M.getDataLayout().getPointerSizeInBits(); 2408 IntptrTy = Type::getIntNTy(*C, LongSize); 2409 TargetTriple = Triple(M.getTargetTriple()); 2410 2411 Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel); 2412 return true; 2413 } 2414 2415 bool AddressSanitizer::doFinalization(Module &M) { 2416 GlobalsMD.reset(); 2417 return false; 2418 } 2419 2420 bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 2421 // For each NSObject descendant having a +load method, this method is invoked 2422 // by the ObjC runtime before any of the static constructors is called. 2423 // Therefore we need to instrument such methods with a call to __asan_init 2424 // at the beginning in order to initialize our runtime before any access to 2425 // the shadow memory. 2426 // We cannot just ignore these methods, because they may call other 2427 // instrumented functions. 2428 if (F.getName().find(" load]") != std::string::npos) { 2429 Function *AsanInitFunction = 2430 declareSanitizerInitFunction(*F.getParent(), kAsanInitName, {}); 2431 IRBuilder<> IRB(&F.front(), F.front().begin()); 2432 IRB.CreateCall(AsanInitFunction, {}); 2433 return true; 2434 } 2435 return false; 2436 } 2437 2438 void AddressSanitizer::maybeInsertDynamicShadowAtFunctionEntry(Function &F) { 2439 // Generate code only when dynamic addressing is needed. 2440 if (Mapping.Offset != kDynamicShadowSentinel) 2441 return; 2442 2443 IRBuilder<> IRB(&F.front().front()); 2444 if (Mapping.InGlobal) { 2445 if (ClWithIfuncSuppressRemat) { 2446 // An empty inline asm with input reg == output reg. 2447 // An opaque pointer-to-int cast, basically. 2448 InlineAsm *Asm = InlineAsm::get( 2449 FunctionType::get(IntptrTy, {AsanShadowGlobal->getType()}, false), 2450 StringRef(""), StringRef("=r,0"), 2451 /*hasSideEffects=*/false); 2452 LocalDynamicShadow = 2453 IRB.CreateCall(Asm, {AsanShadowGlobal}, ".asan.shadow"); 2454 } else { 2455 LocalDynamicShadow = 2456 IRB.CreatePointerCast(AsanShadowGlobal, IntptrTy, ".asan.shadow"); 2457 } 2458 } else { 2459 Value *GlobalDynamicAddress = F.getParent()->getOrInsertGlobal( 2460 kAsanShadowMemoryDynamicAddress, IntptrTy); 2461 LocalDynamicShadow = IRB.CreateLoad(GlobalDynamicAddress); 2462 } 2463 } 2464 2465 void AddressSanitizer::markEscapedLocalAllocas(Function &F) { 2466 // Find the one possible call to llvm.localescape and pre-mark allocas passed 2467 // to it as uninteresting. This assumes we haven't started processing allocas 2468 // yet. This check is done up front because iterating the use list in 2469 // isInterestingAlloca would be algorithmically slower. 2470 assert(ProcessedAllocas.empty() && "must process localescape before allocas"); 2471 2472 // Try to get the declaration of llvm.localescape. If it's not in the module, 2473 // we can exit early. 2474 if (!F.getParent()->getFunction("llvm.localescape")) return; 2475 2476 // Look for a call to llvm.localescape call in the entry block. It can't be in 2477 // any other block. 2478 for (Instruction &I : F.getEntryBlock()) { 2479 IntrinsicInst *II = dyn_cast<IntrinsicInst>(&I); 2480 if (II && II->getIntrinsicID() == Intrinsic::localescape) { 2481 // We found a call. Mark all the allocas passed in as uninteresting. 2482 for (Value *Arg : II->arg_operands()) { 2483 AllocaInst *AI = dyn_cast<AllocaInst>(Arg->stripPointerCasts()); 2484 assert(AI && AI->isStaticAlloca() && 2485 "non-static alloca arg to localescape"); 2486 ProcessedAllocas[AI] = false; 2487 } 2488 break; 2489 } 2490 } 2491 } 2492 2493 bool AddressSanitizer::runOnFunction(Function &F) { 2494 if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false; 2495 if (!ClDebugFunc.empty() && ClDebugFunc == F.getName()) return false; 2496 if (F.getName().startswith("__asan_")) return false; 2497 2498 bool FunctionModified = false; 2499 2500 // If needed, insert __asan_init before checking for SanitizeAddress attr. 2501 // This function needs to be called even if the function body is not 2502 // instrumented. 2503 if (maybeInsertAsanInitAtFunctionEntry(F)) 2504 FunctionModified = true; 2505 2506 // Leave if the function doesn't need instrumentation. 2507 if (!F.hasFnAttribute(Attribute::SanitizeAddress)) return FunctionModified; 2508 2509 LLVM_DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); 2510 2511 initializeCallbacks(*F.getParent()); 2512 DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree(); 2513 2514 FunctionStateRAII CleanupObj(this); 2515 2516 maybeInsertDynamicShadowAtFunctionEntry(F); 2517 2518 // We can't instrument allocas used with llvm.localescape. Only static allocas 2519 // can be passed to that intrinsic. 2520 markEscapedLocalAllocas(F); 2521 2522 // We want to instrument every address only once per basic block (unless there 2523 // are calls between uses). 2524 SmallPtrSet<Value *, 16> TempsToInstrument; 2525 SmallVector<Instruction *, 16> ToInstrument; 2526 SmallVector<Instruction *, 8> NoReturnCalls; 2527 SmallVector<BasicBlock *, 16> AllBlocks; 2528 SmallVector<Instruction *, 16> PointerComparisonsOrSubtracts; 2529 int NumAllocas = 0; 2530 bool IsWrite; 2531 unsigned Alignment; 2532 uint64_t TypeSize; 2533 const TargetLibraryInfo *TLI = 2534 &getAnalysis<TargetLibraryInfoWrapperPass>().getTLI(); 2535 2536 // Fill the set of memory operations to instrument. 2537 for (auto &BB : F) { 2538 AllBlocks.push_back(&BB); 2539 TempsToInstrument.clear(); 2540 int NumInsnsPerBB = 0; 2541 for (auto &Inst : BB) { 2542 if (LooksLikeCodeInBug11395(&Inst)) return false; 2543 Value *MaybeMask = nullptr; 2544 if (Value *Addr = isInterestingMemoryAccess(&Inst, &IsWrite, &TypeSize, 2545 &Alignment, &MaybeMask)) { 2546 if (ClOpt && ClOptSameTemp) { 2547 // If we have a mask, skip instrumentation if we've already 2548 // instrumented the full object. But don't add to TempsToInstrument 2549 // because we might get another load/store with a different mask. 2550 if (MaybeMask) { 2551 if (TempsToInstrument.count(Addr)) 2552 continue; // We've seen this (whole) temp in the current BB. 2553 } else { 2554 if (!TempsToInstrument.insert(Addr).second) 2555 continue; // We've seen this temp in the current BB. 2556 } 2557 } 2558 } else if (ClInvalidPointerPairs && 2559 isInterestingPointerComparisonOrSubtraction(&Inst)) { 2560 PointerComparisonsOrSubtracts.push_back(&Inst); 2561 continue; 2562 } else if (isa<MemIntrinsic>(Inst)) { 2563 // ok, take it. 2564 } else { 2565 if (isa<AllocaInst>(Inst)) NumAllocas++; 2566 CallSite CS(&Inst); 2567 if (CS) { 2568 // A call inside BB. 2569 TempsToInstrument.clear(); 2570 if (CS.doesNotReturn()) NoReturnCalls.push_back(CS.getInstruction()); 2571 } 2572 if (CallInst *CI = dyn_cast<CallInst>(&Inst)) 2573 maybeMarkSanitizerLibraryCallNoBuiltin(CI, TLI); 2574 continue; 2575 } 2576 ToInstrument.push_back(&Inst); 2577 NumInsnsPerBB++; 2578 if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) break; 2579 } 2580 } 2581 2582 bool UseCalls = 2583 (ClInstrumentationWithCallsThreshold >= 0 && 2584 ToInstrument.size() > (unsigned)ClInstrumentationWithCallsThreshold); 2585 const DataLayout &DL = F.getParent()->getDataLayout(); 2586 ObjectSizeOpts ObjSizeOpts; 2587 ObjSizeOpts.RoundToAlign = true; 2588 ObjectSizeOffsetVisitor ObjSizeVis(DL, TLI, F.getContext(), ObjSizeOpts); 2589 2590 // Instrument. 2591 int NumInstrumented = 0; 2592 for (auto Inst : ToInstrument) { 2593 if (ClDebugMin < 0 || ClDebugMax < 0 || 2594 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 2595 if (isInterestingMemoryAccess(Inst, &IsWrite, &TypeSize, &Alignment)) 2596 instrumentMop(ObjSizeVis, Inst, UseCalls, 2597 F.getParent()->getDataLayout()); 2598 else 2599 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 2600 } 2601 NumInstrumented++; 2602 } 2603 2604 FunctionStackPoisoner FSP(F, *this); 2605 bool ChangedStack = FSP.runOnFunction(); 2606 2607 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 2608 // See e.g. https://github.com/google/sanitizers/issues/37 2609 for (auto CI : NoReturnCalls) { 2610 IRBuilder<> IRB(CI); 2611 IRB.CreateCall(AsanHandleNoReturnFunc, {}); 2612 } 2613 2614 for (auto Inst : PointerComparisonsOrSubtracts) { 2615 instrumentPointerComparisonOrSubtraction(Inst); 2616 NumInstrumented++; 2617 } 2618 2619 if (NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty()) 2620 FunctionModified = true; 2621 2622 LLVM_DEBUG(dbgs() << "ASAN done instrumenting: " << FunctionModified << " " 2623 << F << "\n"); 2624 2625 return FunctionModified; 2626 } 2627 2628 // Workaround for bug 11395: we don't want to instrument stack in functions 2629 // with large assembly blobs (32-bit only), otherwise reg alloc may crash. 2630 // FIXME: remove once the bug 11395 is fixed. 2631 bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 2632 if (LongSize != 32) return false; 2633 CallInst *CI = dyn_cast<CallInst>(I); 2634 if (!CI || !CI->isInlineAsm()) return false; 2635 if (CI->getNumArgOperands() <= 5) return false; 2636 // We have inline assembly with quite a few arguments. 2637 return true; 2638 } 2639 2640 void FunctionStackPoisoner::initializeCallbacks(Module &M) { 2641 IRBuilder<> IRB(*C); 2642 for (int i = 0; i <= kMaxAsanStackMallocSizeClass; i++) { 2643 std::string Suffix = itostr(i); 2644 AsanStackMallocFunc[i] = checkSanitizerInterfaceFunction( 2645 M.getOrInsertFunction(kAsanStackMallocNameTemplate + Suffix, IntptrTy, 2646 IntptrTy)); 2647 AsanStackFreeFunc[i] = checkSanitizerInterfaceFunction( 2648 M.getOrInsertFunction(kAsanStackFreeNameTemplate + Suffix, 2649 IRB.getVoidTy(), IntptrTy, IntptrTy)); 2650 } 2651 if (ASan.UseAfterScope) { 2652 AsanPoisonStackMemoryFunc = checkSanitizerInterfaceFunction( 2653 M.getOrInsertFunction(kAsanPoisonStackMemoryName, IRB.getVoidTy(), 2654 IntptrTy, IntptrTy)); 2655 AsanUnpoisonStackMemoryFunc = checkSanitizerInterfaceFunction( 2656 M.getOrInsertFunction(kAsanUnpoisonStackMemoryName, IRB.getVoidTy(), 2657 IntptrTy, IntptrTy)); 2658 } 2659 2660 for (size_t Val : {0x00, 0xf1, 0xf2, 0xf3, 0xf5, 0xf8}) { 2661 std::ostringstream Name; 2662 Name << kAsanSetShadowPrefix; 2663 Name << std::setw(2) << std::setfill('0') << std::hex << Val; 2664 AsanSetShadowFunc[Val] = 2665 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2666 Name.str(), IRB.getVoidTy(), IntptrTy, IntptrTy)); 2667 } 2668 2669 AsanAllocaPoisonFunc = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2670 kAsanAllocaPoison, IRB.getVoidTy(), IntptrTy, IntptrTy)); 2671 AsanAllocasUnpoisonFunc = 2672 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 2673 kAsanAllocasUnpoison, IRB.getVoidTy(), IntptrTy, IntptrTy)); 2674 } 2675 2676 void FunctionStackPoisoner::copyToShadowInline(ArrayRef<uint8_t> ShadowMask, 2677 ArrayRef<uint8_t> ShadowBytes, 2678 size_t Begin, size_t End, 2679 IRBuilder<> &IRB, 2680 Value *ShadowBase) { 2681 if (Begin >= End) 2682 return; 2683 2684 const size_t LargestStoreSizeInBytes = 2685 std::min<size_t>(sizeof(uint64_t), ASan.LongSize / 8); 2686 2687 const bool IsLittleEndian = F.getParent()->getDataLayout().isLittleEndian(); 2688 2689 // Poison given range in shadow using larges store size with out leading and 2690 // trailing zeros in ShadowMask. Zeros never change, so they need neither 2691 // poisoning nor up-poisoning. Still we don't mind if some of them get into a 2692 // middle of a store. 2693 for (size_t i = Begin; i < End;) { 2694 if (!ShadowMask[i]) { 2695 assert(!ShadowBytes[i]); 2696 ++i; 2697 continue; 2698 } 2699 2700 size_t StoreSizeInBytes = LargestStoreSizeInBytes; 2701 // Fit store size into the range. 2702 while (StoreSizeInBytes > End - i) 2703 StoreSizeInBytes /= 2; 2704 2705 // Minimize store size by trimming trailing zeros. 2706 for (size_t j = StoreSizeInBytes - 1; j && !ShadowMask[i + j]; --j) { 2707 while (j <= StoreSizeInBytes / 2) 2708 StoreSizeInBytes /= 2; 2709 } 2710 2711 uint64_t Val = 0; 2712 for (size_t j = 0; j < StoreSizeInBytes; j++) { 2713 if (IsLittleEndian) 2714 Val |= (uint64_t)ShadowBytes[i + j] << (8 * j); 2715 else 2716 Val = (Val << 8) | ShadowBytes[i + j]; 2717 } 2718 2719 Value *Ptr = IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)); 2720 Value *Poison = IRB.getIntN(StoreSizeInBytes * 8, Val); 2721 IRB.CreateAlignedStore( 2722 Poison, IRB.CreateIntToPtr(Ptr, Poison->getType()->getPointerTo()), 1); 2723 2724 i += StoreSizeInBytes; 2725 } 2726 } 2727 2728 void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask, 2729 ArrayRef<uint8_t> ShadowBytes, 2730 IRBuilder<> &IRB, Value *ShadowBase) { 2731 copyToShadow(ShadowMask, ShadowBytes, 0, ShadowMask.size(), IRB, ShadowBase); 2732 } 2733 2734 void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask, 2735 ArrayRef<uint8_t> ShadowBytes, 2736 size_t Begin, size_t End, 2737 IRBuilder<> &IRB, Value *ShadowBase) { 2738 assert(ShadowMask.size() == ShadowBytes.size()); 2739 size_t Done = Begin; 2740 for (size_t i = Begin, j = Begin + 1; i < End; i = j++) { 2741 if (!ShadowMask[i]) { 2742 assert(!ShadowBytes[i]); 2743 continue; 2744 } 2745 uint8_t Val = ShadowBytes[i]; 2746 if (!AsanSetShadowFunc[Val]) 2747 continue; 2748 2749 // Skip same values. 2750 for (; j < End && ShadowMask[j] && Val == ShadowBytes[j]; ++j) { 2751 } 2752 2753 if (j - i >= ClMaxInlinePoisoningSize) { 2754 copyToShadowInline(ShadowMask, ShadowBytes, Done, i, IRB, ShadowBase); 2755 IRB.CreateCall(AsanSetShadowFunc[Val], 2756 {IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)), 2757 ConstantInt::get(IntptrTy, j - i)}); 2758 Done = j; 2759 } 2760 } 2761 2762 copyToShadowInline(ShadowMask, ShadowBytes, Done, End, IRB, ShadowBase); 2763 } 2764 2765 // Fake stack allocator (asan_fake_stack.h) has 11 size classes 2766 // for every power of 2 from kMinStackMallocSize to kMaxAsanStackMallocSizeClass 2767 static int StackMallocSizeClass(uint64_t LocalStackSize) { 2768 assert(LocalStackSize <= kMaxStackMallocSize); 2769 uint64_t MaxSize = kMinStackMallocSize; 2770 for (int i = 0;; i++, MaxSize *= 2) 2771 if (LocalStackSize <= MaxSize) return i; 2772 llvm_unreachable("impossible LocalStackSize"); 2773 } 2774 2775 void FunctionStackPoisoner::copyArgsPassedByValToAllocas() { 2776 Instruction *CopyInsertPoint = &F.front().front(); 2777 if (CopyInsertPoint == ASan.LocalDynamicShadow) { 2778 // Insert after the dynamic shadow location is determined 2779 CopyInsertPoint = CopyInsertPoint->getNextNode(); 2780 assert(CopyInsertPoint); 2781 } 2782 IRBuilder<> IRB(CopyInsertPoint); 2783 const DataLayout &DL = F.getParent()->getDataLayout(); 2784 for (Argument &Arg : F.args()) { 2785 if (Arg.hasByValAttr()) { 2786 Type *Ty = Arg.getType()->getPointerElementType(); 2787 unsigned Align = Arg.getParamAlignment(); 2788 if (Align == 0) Align = DL.getABITypeAlignment(Ty); 2789 2790 AllocaInst *AI = IRB.CreateAlloca( 2791 Ty, nullptr, 2792 (Arg.hasName() ? Arg.getName() : "Arg" + Twine(Arg.getArgNo())) + 2793 ".byval"); 2794 AI->setAlignment(Align); 2795 Arg.replaceAllUsesWith(AI); 2796 2797 uint64_t AllocSize = DL.getTypeAllocSize(Ty); 2798 IRB.CreateMemCpy(AI, Align, &Arg, Align, AllocSize); 2799 } 2800 } 2801 } 2802 2803 PHINode *FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value *Cond, 2804 Value *ValueIfTrue, 2805 Instruction *ThenTerm, 2806 Value *ValueIfFalse) { 2807 PHINode *PHI = IRB.CreatePHI(IntptrTy, 2); 2808 BasicBlock *CondBlock = cast<Instruction>(Cond)->getParent(); 2809 PHI->addIncoming(ValueIfFalse, CondBlock); 2810 BasicBlock *ThenBlock = ThenTerm->getParent(); 2811 PHI->addIncoming(ValueIfTrue, ThenBlock); 2812 return PHI; 2813 } 2814 2815 Value *FunctionStackPoisoner::createAllocaForLayout( 2816 IRBuilder<> &IRB, const ASanStackFrameLayout &L, bool Dynamic) { 2817 AllocaInst *Alloca; 2818 if (Dynamic) { 2819 Alloca = IRB.CreateAlloca(IRB.getInt8Ty(), 2820 ConstantInt::get(IRB.getInt64Ty(), L.FrameSize), 2821 "MyAlloca"); 2822 } else { 2823 Alloca = IRB.CreateAlloca(ArrayType::get(IRB.getInt8Ty(), L.FrameSize), 2824 nullptr, "MyAlloca"); 2825 assert(Alloca->isStaticAlloca()); 2826 } 2827 assert((ClRealignStack & (ClRealignStack - 1)) == 0); 2828 size_t FrameAlignment = std::max(L.FrameAlignment, (size_t)ClRealignStack); 2829 Alloca->setAlignment(FrameAlignment); 2830 return IRB.CreatePointerCast(Alloca, IntptrTy); 2831 } 2832 2833 void FunctionStackPoisoner::createDynamicAllocasInitStorage() { 2834 BasicBlock &FirstBB = *F.begin(); 2835 IRBuilder<> IRB(dyn_cast<Instruction>(FirstBB.begin())); 2836 DynamicAllocaLayout = IRB.CreateAlloca(IntptrTy, nullptr); 2837 IRB.CreateStore(Constant::getNullValue(IntptrTy), DynamicAllocaLayout); 2838 DynamicAllocaLayout->setAlignment(32); 2839 } 2840 2841 void FunctionStackPoisoner::processDynamicAllocas() { 2842 if (!ClInstrumentDynamicAllocas || DynamicAllocaVec.empty()) { 2843 assert(DynamicAllocaPoisonCallVec.empty()); 2844 return; 2845 } 2846 2847 // Insert poison calls for lifetime intrinsics for dynamic allocas. 2848 for (const auto &APC : DynamicAllocaPoisonCallVec) { 2849 assert(APC.InsBefore); 2850 assert(APC.AI); 2851 assert(ASan.isInterestingAlloca(*APC.AI)); 2852 assert(!APC.AI->isStaticAlloca()); 2853 2854 IRBuilder<> IRB(APC.InsBefore); 2855 poisonAlloca(APC.AI, APC.Size, IRB, APC.DoPoison); 2856 // Dynamic allocas will be unpoisoned unconditionally below in 2857 // unpoisonDynamicAllocas. 2858 // Flag that we need unpoison static allocas. 2859 } 2860 2861 // Handle dynamic allocas. 2862 createDynamicAllocasInitStorage(); 2863 for (auto &AI : DynamicAllocaVec) 2864 handleDynamicAllocaCall(AI); 2865 unpoisonDynamicAllocas(); 2866 } 2867 2868 void FunctionStackPoisoner::processStaticAllocas() { 2869 if (AllocaVec.empty()) { 2870 assert(StaticAllocaPoisonCallVec.empty()); 2871 return; 2872 } 2873 2874 int StackMallocIdx = -1; 2875 DebugLoc EntryDebugLocation; 2876 if (auto SP = F.getSubprogram()) 2877 EntryDebugLocation = DebugLoc::get(SP->getScopeLine(), 0, SP); 2878 2879 Instruction *InsBefore = AllocaVec[0]; 2880 IRBuilder<> IRB(InsBefore); 2881 IRB.SetCurrentDebugLocation(EntryDebugLocation); 2882 2883 // Make sure non-instrumented allocas stay in the entry block. Otherwise, 2884 // debug info is broken, because only entry-block allocas are treated as 2885 // regular stack slots. 2886 auto InsBeforeB = InsBefore->getParent(); 2887 assert(InsBeforeB == &F.getEntryBlock()); 2888 for (auto *AI : StaticAllocasToMoveUp) 2889 if (AI->getParent() == InsBeforeB) 2890 AI->moveBefore(InsBefore); 2891 2892 // If we have a call to llvm.localescape, keep it in the entry block. 2893 if (LocalEscapeCall) LocalEscapeCall->moveBefore(InsBefore); 2894 2895 SmallVector<ASanStackVariableDescription, 16> SVD; 2896 SVD.reserve(AllocaVec.size()); 2897 for (AllocaInst *AI : AllocaVec) { 2898 ASanStackVariableDescription D = {AI->getName().data(), 2899 ASan.getAllocaSizeInBytes(*AI), 2900 0, 2901 AI->getAlignment(), 2902 AI, 2903 0, 2904 0}; 2905 SVD.push_back(D); 2906 } 2907 2908 // Minimal header size (left redzone) is 4 pointers, 2909 // i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms. 2910 size_t Granularity = 1ULL << Mapping.Scale; 2911 size_t MinHeaderSize = std::max((size_t)ASan.LongSize / 2, Granularity); 2912 const ASanStackFrameLayout &L = 2913 ComputeASanStackFrameLayout(SVD, Granularity, MinHeaderSize); 2914 2915 // Build AllocaToSVDMap for ASanStackVariableDescription lookup. 2916 DenseMap<const AllocaInst *, ASanStackVariableDescription *> AllocaToSVDMap; 2917 for (auto &Desc : SVD) 2918 AllocaToSVDMap[Desc.AI] = &Desc; 2919 2920 // Update SVD with information from lifetime intrinsics. 2921 for (const auto &APC : StaticAllocaPoisonCallVec) { 2922 assert(APC.InsBefore); 2923 assert(APC.AI); 2924 assert(ASan.isInterestingAlloca(*APC.AI)); 2925 assert(APC.AI->isStaticAlloca()); 2926 2927 ASanStackVariableDescription &Desc = *AllocaToSVDMap[APC.AI]; 2928 Desc.LifetimeSize = Desc.Size; 2929 if (const DILocation *FnLoc = EntryDebugLocation.get()) { 2930 if (const DILocation *LifetimeLoc = APC.InsBefore->getDebugLoc().get()) { 2931 if (LifetimeLoc->getFile() == FnLoc->getFile()) 2932 if (unsigned Line = LifetimeLoc->getLine()) 2933 Desc.Line = std::min(Desc.Line ? Desc.Line : Line, Line); 2934 } 2935 } 2936 } 2937 2938 auto DescriptionString = ComputeASanStackFrameDescription(SVD); 2939 LLVM_DEBUG(dbgs() << DescriptionString << " --- " << L.FrameSize << "\n"); 2940 uint64_t LocalStackSize = L.FrameSize; 2941 bool DoStackMalloc = ClUseAfterReturn && !ASan.CompileKernel && 2942 LocalStackSize <= kMaxStackMallocSize; 2943 bool DoDynamicAlloca = ClDynamicAllocaStack; 2944 // Don't do dynamic alloca or stack malloc if: 2945 // 1) There is inline asm: too often it makes assumptions on which registers 2946 // are available. 2947 // 2) There is a returns_twice call (typically setjmp), which is 2948 // optimization-hostile, and doesn't play well with introduced indirect 2949 // register-relative calculation of local variable addresses. 2950 DoDynamicAlloca &= !HasNonEmptyInlineAsm && !HasReturnsTwiceCall; 2951 DoStackMalloc &= !HasNonEmptyInlineAsm && !HasReturnsTwiceCall; 2952 2953 Value *StaticAlloca = 2954 DoDynamicAlloca ? nullptr : createAllocaForLayout(IRB, L, false); 2955 2956 Value *FakeStack; 2957 Value *LocalStackBase; 2958 Value *LocalStackBaseAlloca; 2959 bool Deref; 2960 2961 if (DoStackMalloc) { 2962 LocalStackBaseAlloca = 2963 IRB.CreateAlloca(IntptrTy, nullptr, "asan_local_stack_base"); 2964 // void *FakeStack = __asan_option_detect_stack_use_after_return 2965 // ? __asan_stack_malloc_N(LocalStackSize) 2966 // : nullptr; 2967 // void *LocalStackBase = (FakeStack) ? FakeStack : alloca(LocalStackSize); 2968 Constant *OptionDetectUseAfterReturn = F.getParent()->getOrInsertGlobal( 2969 kAsanOptionDetectUseAfterReturn, IRB.getInt32Ty()); 2970 Value *UseAfterReturnIsEnabled = 2971 IRB.CreateICmpNE(IRB.CreateLoad(OptionDetectUseAfterReturn), 2972 Constant::getNullValue(IRB.getInt32Ty())); 2973 Instruction *Term = 2974 SplitBlockAndInsertIfThen(UseAfterReturnIsEnabled, InsBefore, false); 2975 IRBuilder<> IRBIf(Term); 2976 IRBIf.SetCurrentDebugLocation(EntryDebugLocation); 2977 StackMallocIdx = StackMallocSizeClass(LocalStackSize); 2978 assert(StackMallocIdx <= kMaxAsanStackMallocSizeClass); 2979 Value *FakeStackValue = 2980 IRBIf.CreateCall(AsanStackMallocFunc[StackMallocIdx], 2981 ConstantInt::get(IntptrTy, LocalStackSize)); 2982 IRB.SetInsertPoint(InsBefore); 2983 IRB.SetCurrentDebugLocation(EntryDebugLocation); 2984 FakeStack = createPHI(IRB, UseAfterReturnIsEnabled, FakeStackValue, Term, 2985 ConstantInt::get(IntptrTy, 0)); 2986 2987 Value *NoFakeStack = 2988 IRB.CreateICmpEQ(FakeStack, Constant::getNullValue(IntptrTy)); 2989 Term = SplitBlockAndInsertIfThen(NoFakeStack, InsBefore, false); 2990 IRBIf.SetInsertPoint(Term); 2991 IRBIf.SetCurrentDebugLocation(EntryDebugLocation); 2992 Value *AllocaValue = 2993 DoDynamicAlloca ? createAllocaForLayout(IRBIf, L, true) : StaticAlloca; 2994 2995 IRB.SetInsertPoint(InsBefore); 2996 IRB.SetCurrentDebugLocation(EntryDebugLocation); 2997 LocalStackBase = createPHI(IRB, NoFakeStack, AllocaValue, Term, FakeStack); 2998 IRB.SetCurrentDebugLocation(EntryDebugLocation); 2999 IRB.CreateStore(LocalStackBase, LocalStackBaseAlloca); 3000 Deref = true; 3001 } else { 3002 // void *FakeStack = nullptr; 3003 // void *LocalStackBase = alloca(LocalStackSize); 3004 FakeStack = ConstantInt::get(IntptrTy, 0); 3005 LocalStackBase = 3006 DoDynamicAlloca ? createAllocaForLayout(IRB, L, true) : StaticAlloca; 3007 LocalStackBaseAlloca = LocalStackBase; 3008 Deref = false; 3009 } 3010 3011 // Replace Alloca instructions with base+offset. 3012 for (const auto &Desc : SVD) { 3013 AllocaInst *AI = Desc.AI; 3014 replaceDbgDeclareForAlloca(AI, LocalStackBaseAlloca, DIB, Deref, 3015 Desc.Offset, DIExpression::NoDeref); 3016 Value *NewAllocaPtr = IRB.CreateIntToPtr( 3017 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Desc.Offset)), 3018 AI->getType()); 3019 AI->replaceAllUsesWith(NewAllocaPtr); 3020 } 3021 3022 // The left-most redzone has enough space for at least 4 pointers. 3023 // Write the Magic value to redzone[0]. 3024 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 3025 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 3026 BasePlus0); 3027 // Write the frame description constant to redzone[1]. 3028 Value *BasePlus1 = IRB.CreateIntToPtr( 3029 IRB.CreateAdd(LocalStackBase, 3030 ConstantInt::get(IntptrTy, ASan.LongSize / 8)), 3031 IntptrPtrTy); 3032 GlobalVariable *StackDescriptionGlobal = 3033 createPrivateGlobalForString(*F.getParent(), DescriptionString, 3034 /*AllowMerging*/ true, kAsanGenPrefix); 3035 Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, IntptrTy); 3036 IRB.CreateStore(Description, BasePlus1); 3037 // Write the PC to redzone[2]. 3038 Value *BasePlus2 = IRB.CreateIntToPtr( 3039 IRB.CreateAdd(LocalStackBase, 3040 ConstantInt::get(IntptrTy, 2 * ASan.LongSize / 8)), 3041 IntptrPtrTy); 3042 IRB.CreateStore(IRB.CreatePointerCast(&F, IntptrTy), BasePlus2); 3043 3044 const auto &ShadowAfterScope = GetShadowBytesAfterScope(SVD, L); 3045 3046 // Poison the stack red zones at the entry. 3047 Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB); 3048 // As mask we must use most poisoned case: red zones and after scope. 3049 // As bytes we can use either the same or just red zones only. 3050 copyToShadow(ShadowAfterScope, ShadowAfterScope, IRB, ShadowBase); 3051 3052 if (!StaticAllocaPoisonCallVec.empty()) { 3053 const auto &ShadowInScope = GetShadowBytes(SVD, L); 3054 3055 // Poison static allocas near lifetime intrinsics. 3056 for (const auto &APC : StaticAllocaPoisonCallVec) { 3057 const ASanStackVariableDescription &Desc = *AllocaToSVDMap[APC.AI]; 3058 assert(Desc.Offset % L.Granularity == 0); 3059 size_t Begin = Desc.Offset / L.Granularity; 3060 size_t End = Begin + (APC.Size + L.Granularity - 1) / L.Granularity; 3061 3062 IRBuilder<> IRB(APC.InsBefore); 3063 copyToShadow(ShadowAfterScope, 3064 APC.DoPoison ? ShadowAfterScope : ShadowInScope, Begin, End, 3065 IRB, ShadowBase); 3066 } 3067 } 3068 3069 SmallVector<uint8_t, 64> ShadowClean(ShadowAfterScope.size(), 0); 3070 SmallVector<uint8_t, 64> ShadowAfterReturn; 3071 3072 // (Un)poison the stack before all ret instructions. 3073 for (auto Ret : RetVec) { 3074 IRBuilder<> IRBRet(Ret); 3075 // Mark the current frame as retired. 3076 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 3077 BasePlus0); 3078 if (DoStackMalloc) { 3079 assert(StackMallocIdx >= 0); 3080 // if FakeStack != 0 // LocalStackBase == FakeStack 3081 // // In use-after-return mode, poison the whole stack frame. 3082 // if StackMallocIdx <= 4 3083 // // For small sizes inline the whole thing: 3084 // memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize); 3085 // **SavedFlagPtr(FakeStack) = 0 3086 // else 3087 // __asan_stack_free_N(FakeStack, LocalStackSize) 3088 // else 3089 // <This is not a fake stack; unpoison the redzones> 3090 Value *Cmp = 3091 IRBRet.CreateICmpNE(FakeStack, Constant::getNullValue(IntptrTy)); 3092 Instruction *ThenTerm, *ElseTerm; 3093 SplitBlockAndInsertIfThenElse(Cmp, Ret, &ThenTerm, &ElseTerm); 3094 3095 IRBuilder<> IRBPoison(ThenTerm); 3096 if (StackMallocIdx <= 4) { 3097 int ClassSize = kMinStackMallocSize << StackMallocIdx; 3098 ShadowAfterReturn.resize(ClassSize / L.Granularity, 3099 kAsanStackUseAfterReturnMagic); 3100 copyToShadow(ShadowAfterReturn, ShadowAfterReturn, IRBPoison, 3101 ShadowBase); 3102 Value *SavedFlagPtrPtr = IRBPoison.CreateAdd( 3103 FakeStack, 3104 ConstantInt::get(IntptrTy, ClassSize - ASan.LongSize / 8)); 3105 Value *SavedFlagPtr = IRBPoison.CreateLoad( 3106 IRBPoison.CreateIntToPtr(SavedFlagPtrPtr, IntptrPtrTy)); 3107 IRBPoison.CreateStore( 3108 Constant::getNullValue(IRBPoison.getInt8Ty()), 3109 IRBPoison.CreateIntToPtr(SavedFlagPtr, IRBPoison.getInt8PtrTy())); 3110 } else { 3111 // For larger frames call __asan_stack_free_*. 3112 IRBPoison.CreateCall( 3113 AsanStackFreeFunc[StackMallocIdx], 3114 {FakeStack, ConstantInt::get(IntptrTy, LocalStackSize)}); 3115 } 3116 3117 IRBuilder<> IRBElse(ElseTerm); 3118 copyToShadow(ShadowAfterScope, ShadowClean, IRBElse, ShadowBase); 3119 } else { 3120 copyToShadow(ShadowAfterScope, ShadowClean, IRBRet, ShadowBase); 3121 } 3122 } 3123 3124 // We are done. Remove the old unused alloca instructions. 3125 for (auto AI : AllocaVec) AI->eraseFromParent(); 3126 } 3127 3128 void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size, 3129 IRBuilder<> &IRB, bool DoPoison) { 3130 // For now just insert the call to ASan runtime. 3131 Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy); 3132 Value *SizeArg = ConstantInt::get(IntptrTy, Size); 3133 IRB.CreateCall( 3134 DoPoison ? AsanPoisonStackMemoryFunc : AsanUnpoisonStackMemoryFunc, 3135 {AddrArg, SizeArg}); 3136 } 3137 3138 // Handling llvm.lifetime intrinsics for a given %alloca: 3139 // (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca. 3140 // (2) if %size is constant, poison memory for llvm.lifetime.end (to detect 3141 // invalid accesses) and unpoison it for llvm.lifetime.start (the memory 3142 // could be poisoned by previous llvm.lifetime.end instruction, as the 3143 // variable may go in and out of scope several times, e.g. in loops). 3144 // (3) if we poisoned at least one %alloca in a function, 3145 // unpoison the whole stack frame at function exit. 3146 3147 AllocaInst *FunctionStackPoisoner::findAllocaForValue(Value *V) { 3148 if (AllocaInst *AI = dyn_cast<AllocaInst>(V)) 3149 // We're interested only in allocas we can handle. 3150 return ASan.isInterestingAlloca(*AI) ? AI : nullptr; 3151 // See if we've already calculated (or started to calculate) alloca for a 3152 // given value. 3153 AllocaForValueMapTy::iterator I = AllocaForValue.find(V); 3154 if (I != AllocaForValue.end()) return I->second; 3155 // Store 0 while we're calculating alloca for value V to avoid 3156 // infinite recursion if the value references itself. 3157 AllocaForValue[V] = nullptr; 3158 AllocaInst *Res = nullptr; 3159 if (CastInst *CI = dyn_cast<CastInst>(V)) 3160 Res = findAllocaForValue(CI->getOperand(0)); 3161 else if (PHINode *PN = dyn_cast<PHINode>(V)) { 3162 for (Value *IncValue : PN->incoming_values()) { 3163 // Allow self-referencing phi-nodes. 3164 if (IncValue == PN) continue; 3165 AllocaInst *IncValueAI = findAllocaForValue(IncValue); 3166 // AI for incoming values should exist and should all be equal. 3167 if (IncValueAI == nullptr || (Res != nullptr && IncValueAI != Res)) 3168 return nullptr; 3169 Res = IncValueAI; 3170 } 3171 } else if (GetElementPtrInst *EP = dyn_cast<GetElementPtrInst>(V)) { 3172 Res = findAllocaForValue(EP->getPointerOperand()); 3173 } else { 3174 LLVM_DEBUG(dbgs() << "Alloca search canceled on unknown instruction: " << *V 3175 << "\n"); 3176 } 3177 if (Res) AllocaForValue[V] = Res; 3178 return Res; 3179 } 3180 3181 void FunctionStackPoisoner::handleDynamicAllocaCall(AllocaInst *AI) { 3182 IRBuilder<> IRB(AI); 3183 3184 const unsigned Align = std::max(kAllocaRzSize, AI->getAlignment()); 3185 const uint64_t AllocaRedzoneMask = kAllocaRzSize - 1; 3186 3187 Value *Zero = Constant::getNullValue(IntptrTy); 3188 Value *AllocaRzSize = ConstantInt::get(IntptrTy, kAllocaRzSize); 3189 Value *AllocaRzMask = ConstantInt::get(IntptrTy, AllocaRedzoneMask); 3190 3191 // Since we need to extend alloca with additional memory to locate 3192 // redzones, and OldSize is number of allocated blocks with 3193 // ElementSize size, get allocated memory size in bytes by 3194 // OldSize * ElementSize. 3195 const unsigned ElementSize = 3196 F.getParent()->getDataLayout().getTypeAllocSize(AI->getAllocatedType()); 3197 Value *OldSize = 3198 IRB.CreateMul(IRB.CreateIntCast(AI->getArraySize(), IntptrTy, false), 3199 ConstantInt::get(IntptrTy, ElementSize)); 3200 3201 // PartialSize = OldSize % 32 3202 Value *PartialSize = IRB.CreateAnd(OldSize, AllocaRzMask); 3203 3204 // Misalign = kAllocaRzSize - PartialSize; 3205 Value *Misalign = IRB.CreateSub(AllocaRzSize, PartialSize); 3206 3207 // PartialPadding = Misalign != kAllocaRzSize ? Misalign : 0; 3208 Value *Cond = IRB.CreateICmpNE(Misalign, AllocaRzSize); 3209 Value *PartialPadding = IRB.CreateSelect(Cond, Misalign, Zero); 3210 3211 // AdditionalChunkSize = Align + PartialPadding + kAllocaRzSize 3212 // Align is added to locate left redzone, PartialPadding for possible 3213 // partial redzone and kAllocaRzSize for right redzone respectively. 3214 Value *AdditionalChunkSize = IRB.CreateAdd( 3215 ConstantInt::get(IntptrTy, Align + kAllocaRzSize), PartialPadding); 3216 3217 Value *NewSize = IRB.CreateAdd(OldSize, AdditionalChunkSize); 3218 3219 // Insert new alloca with new NewSize and Align params. 3220 AllocaInst *NewAlloca = IRB.CreateAlloca(IRB.getInt8Ty(), NewSize); 3221 NewAlloca->setAlignment(Align); 3222 3223 // NewAddress = Address + Align 3224 Value *NewAddress = IRB.CreateAdd(IRB.CreatePtrToInt(NewAlloca, IntptrTy), 3225 ConstantInt::get(IntptrTy, Align)); 3226 3227 // Insert __asan_alloca_poison call for new created alloca. 3228 IRB.CreateCall(AsanAllocaPoisonFunc, {NewAddress, OldSize}); 3229 3230 // Store the last alloca's address to DynamicAllocaLayout. We'll need this 3231 // for unpoisoning stuff. 3232 IRB.CreateStore(IRB.CreatePtrToInt(NewAlloca, IntptrTy), DynamicAllocaLayout); 3233 3234 Value *NewAddressPtr = IRB.CreateIntToPtr(NewAddress, AI->getType()); 3235 3236 // Replace all uses of AddessReturnedByAlloca with NewAddressPtr. 3237 AI->replaceAllUsesWith(NewAddressPtr); 3238 3239 // We are done. Erase old alloca from parent. 3240 AI->eraseFromParent(); 3241 } 3242 3243 // isSafeAccess returns true if Addr is always inbounds with respect to its 3244 // base object. For example, it is a field access or an array access with 3245 // constant inbounds index. 3246 bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, 3247 Value *Addr, uint64_t TypeSize) const { 3248 SizeOffsetType SizeOffset = ObjSizeVis.compute(Addr); 3249 if (!ObjSizeVis.bothKnown(SizeOffset)) return false; 3250 uint64_t Size = SizeOffset.first.getZExtValue(); 3251 int64_t Offset = SizeOffset.second.getSExtValue(); 3252 // Three checks are required to ensure safety: 3253 // . Offset >= 0 (since the offset is given from the base ptr) 3254 // . Size >= Offset (unsigned) 3255 // . Size - Offset >= NeededSize (unsigned) 3256 return Offset >= 0 && Size >= uint64_t(Offset) && 3257 Size - uint64_t(Offset) >= TypeSize / 8; 3258 } 3259