1 //===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file is a part of AddressSanitizer, an address sanity checker. 11 // Details of the algorithm: 12 // http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13 // 14 //===----------------------------------------------------------------------===// 15 16 #define DEBUG_TYPE "asan" 17 18 #include "llvm/Transforms/Instrumentation.h" 19 #include "BlackList.h" 20 #include "llvm/ADT/ArrayRef.h" 21 #include "llvm/ADT/OwningPtr.h" 22 #include "llvm/ADT/SmallSet.h" 23 #include "llvm/ADT/SmallString.h" 24 #include "llvm/ADT/SmallVector.h" 25 #include "llvm/ADT/StringExtras.h" 26 #include "llvm/ADT/Triple.h" 27 #include "llvm/DataLayout.h" 28 #include "llvm/Function.h" 29 #include "llvm/IRBuilder.h" 30 #include "llvm/InlineAsm.h" 31 #include "llvm/IntrinsicInst.h" 32 #include "llvm/LLVMContext.h" 33 #include "llvm/Module.h" 34 #include "llvm/Support/CommandLine.h" 35 #include "llvm/Support/DataTypes.h" 36 #include "llvm/Support/Debug.h" 37 #include "llvm/Support/raw_ostream.h" 38 #include "llvm/Support/system_error.h" 39 #include "llvm/Target/TargetMachine.h" 40 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 41 #include "llvm/Transforms/Utils/ModuleUtils.h" 42 #include "llvm/Type.h" 43 #include <algorithm> 44 #include <string> 45 46 using namespace llvm; 47 48 static const uint64_t kDefaultShadowScale = 3; 49 static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 50 static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 51 static const uint64_t kDefaultShadowOffsetAndroid = 0; 52 53 static const size_t kMaxStackMallocSize = 1 << 16; // 64K 54 static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 55 static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 56 57 static const char *kAsanModuleCtorName = "asan.module_ctor"; 58 static const char *kAsanModuleDtorName = "asan.module_dtor"; 59 static const int kAsanCtorAndCtorPriority = 1; 60 static const char *kAsanReportErrorTemplate = "__asan_report_"; 61 static const char *kAsanRegisterGlobalsName = "__asan_register_globals"; 62 static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals"; 63 static const char *kAsanPoisonGlobalsName = "__asan_before_dynamic_init"; 64 static const char *kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init"; 65 static const char *kAsanInitName = "__asan_init"; 66 static const char *kAsanHandleNoReturnName = "__asan_handle_no_return"; 67 static const char *kAsanMappingOffsetName = "__asan_mapping_offset"; 68 static const char *kAsanMappingScaleName = "__asan_mapping_scale"; 69 static const char *kAsanStackMallocName = "__asan_stack_malloc"; 70 static const char *kAsanStackFreeName = "__asan_stack_free"; 71 static const char *kAsanGenPrefix = "__asan_gen_"; 72 static const char *kAsanPoisonStackMemoryName = "__asan_poison_stack_memory"; 73 static const char *kAsanUnpoisonStackMemoryName = 74 "__asan_unpoison_stack_memory"; 75 76 static const int kAsanStackLeftRedzoneMagic = 0xf1; 77 static const int kAsanStackMidRedzoneMagic = 0xf2; 78 static const int kAsanStackRightRedzoneMagic = 0xf3; 79 static const int kAsanStackPartialRedzoneMagic = 0xf4; 80 81 // Accesses sizes are powers of two: 1, 2, 4, 8, 16. 82 static const size_t kNumberOfAccessSizes = 5; 83 84 // Command-line flags. 85 86 // This flag may need to be replaced with -f[no-]asan-reads. 87 static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 88 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 89 static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 90 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 91 static cl::opt<bool> ClInstrumentAtomics("asan-instrument-atomics", 92 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), 93 cl::Hidden, cl::init(true)); 94 static cl::opt<bool> ClAlwaysSlowPath("asan-always-slow-path", 95 cl::desc("use instrumentation with slow path for all accesses"), 96 cl::Hidden, cl::init(false)); 97 // This flag limits the number of instructions to be instrumented 98 // in any given BB. Normally, this should be set to unlimited (INT_MAX), 99 // but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary 100 // set it to 10000. 101 static cl::opt<int> ClMaxInsnsToInstrumentPerBB("asan-max-ins-per-bb", 102 cl::init(10000), 103 cl::desc("maximal number of instructions to instrument in any given BB"), 104 cl::Hidden); 105 // This flag may need to be replaced with -f[no]asan-stack. 106 static cl::opt<bool> ClStack("asan-stack", 107 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 108 // This flag may need to be replaced with -f[no]asan-use-after-return. 109 static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 110 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 111 // This flag may need to be replaced with -f[no]asan-globals. 112 static cl::opt<bool> ClGlobals("asan-globals", 113 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 114 static cl::opt<bool> ClInitializers("asan-initialization-order", 115 cl::desc("Handle C++ initializer order"), cl::Hidden, cl::init(false)); 116 static cl::opt<bool> ClMemIntrin("asan-memintrin", 117 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 118 static cl::opt<bool> ClRealignStack("asan-realign-stack", 119 cl::desc("Realign stack to 32"), cl::Hidden, cl::init(true)); 120 static cl::opt<std::string> ClBlacklistFile("asan-blacklist", 121 cl::desc("File containing the list of objects to ignore " 122 "during instrumentation"), cl::Hidden); 123 124 // These flags allow to change the shadow mapping. 125 // The shadow mapping looks like 126 // Shadow = (Mem >> scale) + (1 << offset_log) 127 static cl::opt<int> ClMappingScale("asan-mapping-scale", 128 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 129 static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 130 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 131 132 // Optimization flags. Not user visible, used mostly for testing 133 // and benchmarking the tool. 134 static cl::opt<bool> ClOpt("asan-opt", 135 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 136 static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 137 cl::desc("Instrument the same temp just once"), cl::Hidden, 138 cl::init(true)); 139 static cl::opt<bool> ClOptGlobals("asan-opt-globals", 140 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 141 142 static cl::opt<bool> ClCheckLifetime("asan-check-lifetime", 143 cl::desc("Use llvm.lifetime intrinsics to insert extra checks"), 144 cl::Hidden, cl::init(false)); 145 146 // Debug flags. 147 static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 148 cl::init(0)); 149 static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 150 cl::Hidden, cl::init(0)); 151 static cl::opt<std::string> ClDebugFunc("asan-debug-func", 152 cl::Hidden, cl::desc("Debug func")); 153 static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 154 cl::Hidden, cl::init(-1)); 155 static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 156 cl::Hidden, cl::init(-1)); 157 158 namespace { 159 /// A set of dynamically initialized globals extracted from metadata. 160 class SetOfDynamicallyInitializedGlobals { 161 public: 162 void Init(Module& M) { 163 // Clang generates metadata identifying all dynamically initialized globals. 164 NamedMDNode *DynamicGlobals = 165 M.getNamedMetadata("llvm.asan.dynamically_initialized_globals"); 166 if (!DynamicGlobals) 167 return; 168 for (int i = 0, n = DynamicGlobals->getNumOperands(); i < n; ++i) { 169 MDNode *MDN = DynamicGlobals->getOperand(i); 170 assert(MDN->getNumOperands() == 1); 171 Value *VG = MDN->getOperand(0); 172 // The optimizer may optimize away a global entirely, in which case we 173 // cannot instrument access to it. 174 if (!VG) 175 continue; 176 DynInitGlobals.insert(cast<GlobalVariable>(VG)); 177 } 178 } 179 bool Contains(GlobalVariable *G) { return DynInitGlobals.count(G) != 0; } 180 private: 181 SmallSet<GlobalValue*, 32> DynInitGlobals; 182 }; 183 184 static int MappingScale() { 185 return ClMappingScale ? ClMappingScale : kDefaultShadowScale; 186 } 187 188 static size_t RedzoneSize() { 189 // Redzone used for stack and globals is at least 32 bytes. 190 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 191 return std::max(32U, 1U << MappingScale()); 192 } 193 194 /// AddressSanitizer: instrument the code in module to find memory bugs. 195 struct AddressSanitizer : public FunctionPass { 196 AddressSanitizer(bool CheckInitOrder = false, 197 bool CheckUseAfterReturn = false, 198 bool CheckLifetime = false, 199 StringRef BlacklistFile = StringRef()) 200 : FunctionPass(ID), 201 CheckInitOrder(CheckInitOrder || ClInitializers), 202 CheckUseAfterReturn(CheckUseAfterReturn || ClUseAfterReturn), 203 CheckLifetime(CheckLifetime || ClCheckLifetime), 204 BlacklistFile(BlacklistFile.empty() ? ClBlacklistFile 205 : BlacklistFile) {} 206 virtual const char *getPassName() const { 207 return "AddressSanitizerFunctionPass"; 208 } 209 void instrumentMop(Instruction *I); 210 void instrumentAddress(Instruction *OrigIns, IRBuilder<> &IRB, 211 Value *Addr, uint32_t TypeSize, bool IsWrite); 212 Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 213 Value *ShadowValue, uint32_t TypeSize); 214 Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, 215 bool IsWrite, size_t AccessSizeIndex); 216 bool instrumentMemIntrinsic(MemIntrinsic *MI); 217 void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr, 218 Value *Size, 219 Instruction *InsertBefore, bool IsWrite); 220 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 221 bool runOnFunction(Function &F); 222 void createInitializerPoisonCalls(Module &M, 223 Value *FirstAddr, Value *LastAddr); 224 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 225 bool poisonStackInFunction(Function &F); 226 virtual bool doInitialization(Module &M); 227 static char ID; // Pass identification, replacement for typeid 228 229 private: 230 void initializeCallbacks(Module &M); 231 uint64_t getAllocaSizeInBytes(AllocaInst *AI) { 232 Type *Ty = AI->getAllocatedType(); 233 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 234 return SizeInBytes; 235 } 236 uint64_t getAlignedSize(uint64_t SizeInBytes) { 237 size_t RZ = RedzoneSize(); 238 return ((SizeInBytes + RZ - 1) / RZ) * RZ; 239 } 240 uint64_t getAlignedAllocaSize(AllocaInst *AI) { 241 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 242 return getAlignedSize(SizeInBytes); 243 } 244 245 bool ShouldInstrumentGlobal(GlobalVariable *G); 246 void PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, 247 Value *ShadowBase, bool DoPoison); 248 bool LooksLikeCodeInBug11395(Instruction *I); 249 void FindDynamicInitializers(Module &M); 250 /// Analyze lifetime intrinsics for given alloca. Use Value* instead of 251 /// AllocaInst* here, as we call this method after we merge all allocas into a 252 /// single one. Returns true if ASan added some instrumentation. 253 bool handleAllocaLifetime(Value *Alloca); 254 /// Analyze lifetime intrinsics for a specific value, casted from alloca. 255 /// Returns true if if ASan added some instrumentation. 256 bool handleValueLifetime(Value *V); 257 void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> IRB, bool DoPoison); 258 259 bool CheckInitOrder; 260 bool CheckUseAfterReturn; 261 bool CheckLifetime; 262 LLVMContext *C; 263 DataLayout *TD; 264 uint64_t MappingOffset; 265 int LongSize; 266 Type *IntptrTy; 267 Type *IntptrPtrTy; 268 Function *AsanCtorFunction; 269 Function *AsanInitFunction; 270 Function *AsanStackMallocFunc, *AsanStackFreeFunc; 271 Function *AsanPoisonStackMemoryFunc, *AsanUnpoisonStackMemoryFunc; 272 Function *AsanHandleNoReturnFunc; 273 SmallString<64> BlacklistFile; 274 OwningPtr<BlackList> BL; 275 // This array is indexed by AccessIsWrite and log2(AccessSize). 276 Function *AsanErrorCallback[2][kNumberOfAccessSizes]; 277 InlineAsm *EmptyAsm; 278 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 279 }; 280 281 class AddressSanitizerModule : public ModulePass { 282 public: 283 AddressSanitizerModule(bool CheckInitOrder = false, 284 StringRef BlacklistFile = StringRef()) 285 : ModulePass(ID), 286 CheckInitOrder(CheckInitOrder || ClInitializers), 287 BlacklistFile(BlacklistFile.empty() ? ClBlacklistFile 288 : BlacklistFile) {} 289 bool runOnModule(Module &M); 290 static char ID; // Pass identification, replacement for typeid 291 virtual const char *getPassName() const { 292 return "AddressSanitizerModule"; 293 } 294 295 private: 296 bool ShouldInstrumentGlobal(GlobalVariable *G); 297 void createInitializerPoisonCalls(Module &M, Value *FirstAddr, 298 Value *LastAddr); 299 300 bool CheckInitOrder; 301 SmallString<64> BlacklistFile; 302 OwningPtr<BlackList> BL; 303 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 304 Type *IntptrTy; 305 LLVMContext *C; 306 DataLayout *TD; 307 }; 308 309 } // namespace 310 311 char AddressSanitizer::ID = 0; 312 INITIALIZE_PASS(AddressSanitizer, "asan", 313 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", 314 false, false) 315 FunctionPass *llvm::createAddressSanitizerFunctionPass( 316 bool CheckInitOrder, bool CheckUseAfterReturn, bool CheckLifetime, 317 StringRef BlacklistFile) { 318 return new AddressSanitizer(CheckInitOrder, CheckUseAfterReturn, 319 CheckLifetime, BlacklistFile); 320 } 321 322 char AddressSanitizerModule::ID = 0; 323 INITIALIZE_PASS(AddressSanitizerModule, "asan-module", 324 "AddressSanitizer: detects use-after-free and out-of-bounds bugs." 325 "ModulePass", false, false) 326 ModulePass *llvm::createAddressSanitizerModulePass( 327 bool CheckInitOrder, StringRef BlacklistFile) { 328 return new AddressSanitizerModule(CheckInitOrder, BlacklistFile); 329 } 330 331 static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 332 size_t Res = CountTrailingZeros_32(TypeSize / 8); 333 assert(Res < kNumberOfAccessSizes); 334 return Res; 335 } 336 337 // Create a constant for Str so that we can pass it to the run-time lib. 338 static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 339 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 340 return new GlobalVariable(M, StrConst->getType(), true, 341 GlobalValue::PrivateLinkage, StrConst, 342 kAsanGenPrefix); 343 } 344 345 static bool GlobalWasGeneratedByAsan(GlobalVariable *G) { 346 return G->getName().find(kAsanGenPrefix) == 0; 347 } 348 349 Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 350 // Shadow >> scale 351 Shadow = IRB.CreateLShr(Shadow, MappingScale()); 352 if (MappingOffset == 0) 353 return Shadow; 354 // (Shadow >> scale) | offset 355 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, 356 MappingOffset)); 357 } 358 359 void AddressSanitizer::instrumentMemIntrinsicParam( 360 Instruction *OrigIns, 361 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 362 // Check the first byte. 363 { 364 IRBuilder<> IRB(InsertBefore); 365 instrumentAddress(OrigIns, IRB, Addr, 8, IsWrite); 366 } 367 // Check the last byte. 368 { 369 IRBuilder<> IRB(InsertBefore); 370 Value *SizeMinusOne = IRB.CreateSub( 371 Size, ConstantInt::get(Size->getType(), 1)); 372 SizeMinusOne = IRB.CreateIntCast(SizeMinusOne, IntptrTy, false); 373 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 374 Value *AddrPlusSizeMinisOne = IRB.CreateAdd(AddrLong, SizeMinusOne); 375 instrumentAddress(OrigIns, IRB, AddrPlusSizeMinisOne, 8, IsWrite); 376 } 377 } 378 379 // Instrument memset/memmove/memcpy 380 bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 381 Value *Dst = MI->getDest(); 382 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 383 Value *Src = MemTran ? MemTran->getSource() : 0; 384 Value *Length = MI->getLength(); 385 386 Constant *ConstLength = dyn_cast<Constant>(Length); 387 Instruction *InsertBefore = MI; 388 if (ConstLength) { 389 if (ConstLength->isNullValue()) return false; 390 } else { 391 // The size is not a constant so it could be zero -- check at run-time. 392 IRBuilder<> IRB(InsertBefore); 393 394 Value *Cmp = IRB.CreateICmpNE(Length, 395 Constant::getNullValue(Length->getType())); 396 InsertBefore = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 397 } 398 399 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 400 if (Src) 401 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 402 return true; 403 } 404 405 // If I is an interesting memory access, return the PointerOperand 406 // and set IsWrite. Otherwise return NULL. 407 static Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite) { 408 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 409 if (!ClInstrumentReads) return NULL; 410 *IsWrite = false; 411 return LI->getPointerOperand(); 412 } 413 if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 414 if (!ClInstrumentWrites) return NULL; 415 *IsWrite = true; 416 return SI->getPointerOperand(); 417 } 418 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 419 if (!ClInstrumentAtomics) return NULL; 420 *IsWrite = true; 421 return RMW->getPointerOperand(); 422 } 423 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 424 if (!ClInstrumentAtomics) return NULL; 425 *IsWrite = true; 426 return XCHG->getPointerOperand(); 427 } 428 return NULL; 429 } 430 431 void AddressSanitizer::instrumentMop(Instruction *I) { 432 bool IsWrite = false; 433 Value *Addr = isInterestingMemoryAccess(I, &IsWrite); 434 assert(Addr); 435 if (ClOpt && ClOptGlobals) { 436 if (GlobalVariable *G = dyn_cast<GlobalVariable>(Addr)) { 437 // If initialization order checking is disabled, a simple access to a 438 // dynamically initialized global is always valid. 439 if (!CheckInitOrder) 440 return; 441 // If a global variable does not have dynamic initialization we don't 442 // have to instrument it. However, if a global does not have initailizer 443 // at all, we assume it has dynamic initializer (in other TU). 444 if (G->hasInitializer() && !DynamicallyInitializedGlobals.Contains(G)) 445 return; 446 } 447 } 448 449 Type *OrigPtrTy = Addr->getType(); 450 Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType(); 451 452 assert(OrigTy->isSized()); 453 uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy); 454 455 if (TypeSize != 8 && TypeSize != 16 && 456 TypeSize != 32 && TypeSize != 64 && TypeSize != 128) { 457 // Ignore all unusual sizes. 458 return; 459 } 460 461 IRBuilder<> IRB(I); 462 instrumentAddress(I, IRB, Addr, TypeSize, IsWrite); 463 } 464 465 // Validate the result of Module::getOrInsertFunction called for an interface 466 // function of AddressSanitizer. If the instrumented module defines a function 467 // with the same name, their prototypes must match, otherwise 468 // getOrInsertFunction returns a bitcast. 469 static Function *checkInterfaceFunction(Constant *FuncOrBitcast) { 470 if (isa<Function>(FuncOrBitcast)) return cast<Function>(FuncOrBitcast); 471 FuncOrBitcast->dump(); 472 report_fatal_error("trying to redefine an AddressSanitizer " 473 "interface function"); 474 } 475 476 Instruction *AddressSanitizer::generateCrashCode( 477 Instruction *InsertBefore, Value *Addr, 478 bool IsWrite, size_t AccessSizeIndex) { 479 IRBuilder<> IRB(InsertBefore); 480 CallInst *Call = IRB.CreateCall(AsanErrorCallback[IsWrite][AccessSizeIndex], 481 Addr); 482 // We don't do Call->setDoesNotReturn() because the BB already has 483 // UnreachableInst at the end. 484 // This EmptyAsm is required to avoid callback merge. 485 IRB.CreateCall(EmptyAsm); 486 return Call; 487 } 488 489 Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 490 Value *ShadowValue, 491 uint32_t TypeSize) { 492 size_t Granularity = 1 << MappingScale(); 493 // Addr & (Granularity - 1) 494 Value *LastAccessedByte = IRB.CreateAnd( 495 AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 496 // (Addr & (Granularity - 1)) + size - 1 497 if (TypeSize / 8 > 1) 498 LastAccessedByte = IRB.CreateAdd( 499 LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 500 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 501 LastAccessedByte = IRB.CreateIntCast( 502 LastAccessedByte, ShadowValue->getType(), false); 503 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 504 return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue); 505 } 506 507 void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 508 IRBuilder<> &IRB, Value *Addr, 509 uint32_t TypeSize, bool IsWrite) { 510 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 511 512 Type *ShadowTy = IntegerType::get( 513 *C, std::max(8U, TypeSize >> MappingScale())); 514 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 515 Value *ShadowPtr = memToShadow(AddrLong, IRB); 516 Value *CmpVal = Constant::getNullValue(ShadowTy); 517 Value *ShadowValue = IRB.CreateLoad( 518 IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 519 520 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 521 size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize); 522 size_t Granularity = 1 << MappingScale(); 523 TerminatorInst *CrashTerm = 0; 524 525 if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) { 526 TerminatorInst *CheckTerm = 527 SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 528 assert(dyn_cast<BranchInst>(CheckTerm)->isUnconditional()); 529 BasicBlock *NextBB = CheckTerm->getSuccessor(0); 530 IRB.SetInsertPoint(CheckTerm); 531 Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize); 532 BasicBlock *CrashBlock = 533 BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); 534 CrashTerm = new UnreachableInst(*C, CrashBlock); 535 BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); 536 ReplaceInstWithInst(CheckTerm, NewTerm); 537 } else { 538 CrashTerm = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), true); 539 } 540 541 Instruction *Crash = 542 generateCrashCode(CrashTerm, AddrLong, IsWrite, AccessSizeIndex); 543 Crash->setDebugLoc(OrigIns->getDebugLoc()); 544 } 545 546 void AddressSanitizerModule::createInitializerPoisonCalls( 547 Module &M, Value *FirstAddr, Value *LastAddr) { 548 // We do all of our poisoning and unpoisoning within _GLOBAL__I_a. 549 Function *GlobalInit = M.getFunction("_GLOBAL__I_a"); 550 // If that function is not present, this TU contains no globals, or they have 551 // all been optimized away 552 if (!GlobalInit) 553 return; 554 555 // Set up the arguments to our poison/unpoison functions. 556 IRBuilder<> IRB(GlobalInit->begin()->getFirstInsertionPt()); 557 558 // Declare our poisoning and unpoisoning functions. 559 Function *AsanPoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 560 kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 561 AsanPoisonGlobals->setLinkage(Function::ExternalLinkage); 562 Function *AsanUnpoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 563 kAsanUnpoisonGlobalsName, IRB.getVoidTy(), NULL)); 564 AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage); 565 566 // Add a call to poison all external globals before the given function starts. 567 IRB.CreateCall2(AsanPoisonGlobals, FirstAddr, LastAddr); 568 569 // Add calls to unpoison all globals before each return instruction. 570 for (Function::iterator I = GlobalInit->begin(), E = GlobalInit->end(); 571 I != E; ++I) { 572 if (ReturnInst *RI = dyn_cast<ReturnInst>(I->getTerminator())) { 573 CallInst::Create(AsanUnpoisonGlobals, "", RI); 574 } 575 } 576 } 577 578 bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) { 579 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 580 DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); 581 582 if (BL->isIn(*G)) return false; 583 if (!Ty->isSized()) return false; 584 if (!G->hasInitializer()) return false; 585 if (GlobalWasGeneratedByAsan(G)) return false; // Our own global. 586 // Touch only those globals that will not be defined in other modules. 587 // Don't handle ODR type linkages since other modules may be built w/o asan. 588 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 589 G->getLinkage() != GlobalVariable::PrivateLinkage && 590 G->getLinkage() != GlobalVariable::InternalLinkage) 591 return false; 592 // Two problems with thread-locals: 593 // - The address of the main thread's copy can't be computed at link-time. 594 // - Need to poison all copies, not just the main thread's one. 595 if (G->isThreadLocal()) 596 return false; 597 // For now, just ignore this Alloca if the alignment is large. 598 if (G->getAlignment() > RedzoneSize()) return false; 599 600 // Ignore all the globals with the names starting with "\01L_OBJC_". 601 // Many of those are put into the .cstring section. The linker compresses 602 // that section by removing the spare \0s after the string terminator, so 603 // our redzones get broken. 604 if ((G->getName().find("\01L_OBJC_") == 0) || 605 (G->getName().find("\01l_OBJC_") == 0)) { 606 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 607 return false; 608 } 609 610 if (G->hasSection()) { 611 StringRef Section(G->getSection()); 612 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 613 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 614 // them. 615 if ((Section.find("__OBJC,") == 0) || 616 (Section.find("__DATA, __objc_") == 0)) { 617 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 618 return false; 619 } 620 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 621 // Constant CFString instances are compiled in the following way: 622 // -- the string buffer is emitted into 623 // __TEXT,__cstring,cstring_literals 624 // -- the constant NSConstantString structure referencing that buffer 625 // is placed into __DATA,__cfstring 626 // Therefore there's no point in placing redzones into __DATA,__cfstring. 627 // Moreover, it causes the linker to crash on OS X 10.7 628 if (Section.find("__DATA,__cfstring") == 0) { 629 DEBUG(dbgs() << "Ignoring CFString: " << *G); 630 return false; 631 } 632 } 633 634 return true; 635 } 636 637 // This function replaces all global variables with new variables that have 638 // trailing redzones. It also creates a function that poisons 639 // redzones and inserts this function into llvm.global_ctors. 640 bool AddressSanitizerModule::runOnModule(Module &M) { 641 if (!ClGlobals) return false; 642 TD = getAnalysisIfAvailable<DataLayout>(); 643 if (!TD) 644 return false; 645 BL.reset(new BlackList(BlacklistFile)); 646 if (BL->isIn(M)) return false; 647 DynamicallyInitializedGlobals.Init(M); 648 C = &(M.getContext()); 649 IntptrTy = Type::getIntNTy(*C, TD->getPointerSizeInBits()); 650 651 SmallVector<GlobalVariable *, 16> GlobalsToChange; 652 653 for (Module::GlobalListType::iterator G = M.global_begin(), 654 E = M.global_end(); G != E; ++G) { 655 if (ShouldInstrumentGlobal(G)) 656 GlobalsToChange.push_back(G); 657 } 658 659 size_t n = GlobalsToChange.size(); 660 if (n == 0) return false; 661 662 // A global is described by a structure 663 // size_t beg; 664 // size_t size; 665 // size_t size_with_redzone; 666 // const char *name; 667 // size_t has_dynamic_init; 668 // We initialize an array of such structures and pass it to a run-time call. 669 StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy, 670 IntptrTy, IntptrTy, 671 IntptrTy, NULL); 672 SmallVector<Constant *, 16> Initializers(n), DynamicInit; 673 674 675 Function *CtorFunc = M.getFunction(kAsanModuleCtorName); 676 assert(CtorFunc); 677 IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator()); 678 679 // The addresses of the first and last dynamically initialized globals in 680 // this TU. Used in initialization order checking. 681 Value *FirstDynamic = 0, *LastDynamic = 0; 682 683 for (size_t i = 0; i < n; i++) { 684 GlobalVariable *G = GlobalsToChange[i]; 685 PointerType *PtrTy = cast<PointerType>(G->getType()); 686 Type *Ty = PtrTy->getElementType(); 687 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 688 size_t RZ = RedzoneSize(); 689 uint64_t RightRedzoneSize = RZ + (RZ - (SizeInBytes % RZ)); 690 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 691 // Determine whether this global should be poisoned in initialization. 692 bool GlobalHasDynamicInitializer = 693 DynamicallyInitializedGlobals.Contains(G); 694 // Don't check initialization order if this global is blacklisted. 695 GlobalHasDynamicInitializer &= !BL->isInInit(*G); 696 697 StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL); 698 Constant *NewInitializer = ConstantStruct::get( 699 NewTy, G->getInitializer(), 700 Constant::getNullValue(RightRedZoneTy), NULL); 701 702 SmallString<2048> DescriptionOfGlobal = G->getName(); 703 DescriptionOfGlobal += " ("; 704 DescriptionOfGlobal += M.getModuleIdentifier(); 705 DescriptionOfGlobal += ")"; 706 GlobalVariable *Name = createPrivateGlobalForString(M, DescriptionOfGlobal); 707 708 // Create a new global variable with enough space for a redzone. 709 GlobalVariable *NewGlobal = new GlobalVariable( 710 M, NewTy, G->isConstant(), G->getLinkage(), 711 NewInitializer, "", G, G->getThreadLocalMode()); 712 NewGlobal->copyAttributesFrom(G); 713 NewGlobal->setAlignment(RZ); 714 715 Value *Indices2[2]; 716 Indices2[0] = IRB.getInt32(0); 717 Indices2[1] = IRB.getInt32(0); 718 719 G->replaceAllUsesWith( 720 ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true)); 721 NewGlobal->takeName(G); 722 G->eraseFromParent(); 723 724 Initializers[i] = ConstantStruct::get( 725 GlobalStructTy, 726 ConstantExpr::getPointerCast(NewGlobal, IntptrTy), 727 ConstantInt::get(IntptrTy, SizeInBytes), 728 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 729 ConstantExpr::getPointerCast(Name, IntptrTy), 730 ConstantInt::get(IntptrTy, GlobalHasDynamicInitializer), 731 NULL); 732 733 // Populate the first and last globals declared in this TU. 734 if (CheckInitOrder && GlobalHasDynamicInitializer) { 735 LastDynamic = ConstantExpr::getPointerCast(NewGlobal, IntptrTy); 736 if (FirstDynamic == 0) 737 FirstDynamic = LastDynamic; 738 } 739 740 DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); 741 } 742 743 ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); 744 GlobalVariable *AllGlobals = new GlobalVariable( 745 M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage, 746 ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); 747 748 // Create calls for poisoning before initializers run and unpoisoning after. 749 if (CheckInitOrder && FirstDynamic && LastDynamic) 750 createInitializerPoisonCalls(M, FirstDynamic, LastDynamic); 751 752 Function *AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( 753 kAsanRegisterGlobalsName, IRB.getVoidTy(), 754 IntptrTy, IntptrTy, NULL)); 755 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 756 757 IRB.CreateCall2(AsanRegisterGlobals, 758 IRB.CreatePointerCast(AllGlobals, IntptrTy), 759 ConstantInt::get(IntptrTy, n)); 760 761 // We also need to unregister globals at the end, e.g. when a shared library 762 // gets closed. 763 Function *AsanDtorFunction = Function::Create( 764 FunctionType::get(Type::getVoidTy(*C), false), 765 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 766 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 767 IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); 768 Function *AsanUnregisterGlobals = 769 checkInterfaceFunction(M.getOrInsertFunction( 770 kAsanUnregisterGlobalsName, 771 IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 772 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 773 774 IRB_Dtor.CreateCall2(AsanUnregisterGlobals, 775 IRB.CreatePointerCast(AllGlobals, IntptrTy), 776 ConstantInt::get(IntptrTy, n)); 777 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority); 778 779 DEBUG(dbgs() << M); 780 return true; 781 } 782 783 void AddressSanitizer::initializeCallbacks(Module &M) { 784 IRBuilder<> IRB(*C); 785 // Create __asan_report* callbacks. 786 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 787 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 788 AccessSizeIndex++) { 789 // IsWrite and TypeSize are encoded in the function name. 790 std::string FunctionName = std::string(kAsanReportErrorTemplate) + 791 (AccessIsWrite ? "store" : "load") + itostr(1 << AccessSizeIndex); 792 // If we are merging crash callbacks, they have two parameters. 793 AsanErrorCallback[AccessIsWrite][AccessSizeIndex] = 794 checkInterfaceFunction(M.getOrInsertFunction( 795 FunctionName, IRB.getVoidTy(), IntptrTy, NULL)); 796 } 797 } 798 799 AsanStackMallocFunc = checkInterfaceFunction(M.getOrInsertFunction( 800 kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL)); 801 AsanStackFreeFunc = checkInterfaceFunction(M.getOrInsertFunction( 802 kAsanStackFreeName, IRB.getVoidTy(), 803 IntptrTy, IntptrTy, IntptrTy, NULL)); 804 AsanHandleNoReturnFunc = checkInterfaceFunction(M.getOrInsertFunction( 805 kAsanHandleNoReturnName, IRB.getVoidTy(), NULL)); 806 AsanPoisonStackMemoryFunc = checkInterfaceFunction(M.getOrInsertFunction( 807 kAsanPoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 808 AsanUnpoisonStackMemoryFunc = checkInterfaceFunction(M.getOrInsertFunction( 809 kAsanUnpoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 810 811 // We insert an empty inline asm after __asan_report* to avoid callback merge. 812 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 813 StringRef(""), StringRef(""), 814 /*hasSideEffects=*/true); 815 } 816 817 // virtual 818 bool AddressSanitizer::doInitialization(Module &M) { 819 // Initialize the private fields. No one has accessed them before. 820 TD = getAnalysisIfAvailable<DataLayout>(); 821 822 if (!TD) 823 return false; 824 BL.reset(new BlackList(BlacklistFile)); 825 DynamicallyInitializedGlobals.Init(M); 826 827 C = &(M.getContext()); 828 LongSize = TD->getPointerSizeInBits(); 829 IntptrTy = Type::getIntNTy(*C, LongSize); 830 IntptrPtrTy = PointerType::get(IntptrTy, 0); 831 832 AsanCtorFunction = Function::Create( 833 FunctionType::get(Type::getVoidTy(*C), false), 834 GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); 835 BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); 836 // call __asan_init in the module ctor. 837 IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB)); 838 AsanInitFunction = checkInterfaceFunction( 839 M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL)); 840 AsanInitFunction->setLinkage(Function::ExternalLinkage); 841 IRB.CreateCall(AsanInitFunction); 842 843 llvm::Triple targetTriple(M.getTargetTriple()); 844 bool isAndroid = targetTriple.getEnvironment() == llvm::Triple::Android; 845 846 MappingOffset = isAndroid ? kDefaultShadowOffsetAndroid : 847 (LongSize == 32 ? kDefaultShadowOffset32 : kDefaultShadowOffset64); 848 if (ClMappingOffsetLog >= 0) { 849 if (ClMappingOffsetLog == 0) { 850 // special case 851 MappingOffset = 0; 852 } else { 853 MappingOffset = 1ULL << ClMappingOffsetLog; 854 } 855 } 856 857 858 if (ClMappingOffsetLog >= 0) { 859 // Tell the run-time the current values of mapping offset and scale. 860 GlobalValue *asan_mapping_offset = 861 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 862 ConstantInt::get(IntptrTy, MappingOffset), 863 kAsanMappingOffsetName); 864 // Read the global, otherwise it may be optimized away. 865 IRB.CreateLoad(asan_mapping_offset, true); 866 } 867 if (ClMappingScale) { 868 GlobalValue *asan_mapping_scale = 869 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 870 ConstantInt::get(IntptrTy, MappingScale()), 871 kAsanMappingScaleName); 872 // Read the global, otherwise it may be optimized away. 873 IRB.CreateLoad(asan_mapping_scale, true); 874 } 875 876 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority); 877 878 return true; 879 } 880 881 bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 882 // For each NSObject descendant having a +load method, this method is invoked 883 // by the ObjC runtime before any of the static constructors is called. 884 // Therefore we need to instrument such methods with a call to __asan_init 885 // at the beginning in order to initialize our runtime before any access to 886 // the shadow memory. 887 // We cannot just ignore these methods, because they may call other 888 // instrumented functions. 889 if (F.getName().find(" load]") != std::string::npos) { 890 IRBuilder<> IRB(F.begin()->begin()); 891 IRB.CreateCall(AsanInitFunction); 892 return true; 893 } 894 return false; 895 } 896 897 bool AddressSanitizer::runOnFunction(Function &F) { 898 if (BL->isIn(F)) return false; 899 if (&F == AsanCtorFunction) return false; 900 DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); 901 initializeCallbacks(*F.getParent()); 902 903 // If needed, insert __asan_init before checking for AddressSafety attr. 904 maybeInsertAsanInitAtFunctionEntry(F); 905 906 if (!F.getFnAttributes().hasAttribute(Attributes::AddressSafety)) 907 return false; 908 909 if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) 910 return false; 911 912 // We want to instrument every address only once per basic block (unless there 913 // are calls between uses). 914 SmallSet<Value*, 16> TempsToInstrument; 915 SmallVector<Instruction*, 16> ToInstrument; 916 SmallVector<Instruction*, 8> NoReturnCalls; 917 bool IsWrite; 918 919 // Fill the set of memory operations to instrument. 920 for (Function::iterator FI = F.begin(), FE = F.end(); 921 FI != FE; ++FI) { 922 TempsToInstrument.clear(); 923 int NumInsnsPerBB = 0; 924 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 925 BI != BE; ++BI) { 926 if (LooksLikeCodeInBug11395(BI)) return false; 927 if (Value *Addr = isInterestingMemoryAccess(BI, &IsWrite)) { 928 if (ClOpt && ClOptSameTemp) { 929 if (!TempsToInstrument.insert(Addr)) 930 continue; // We've seen this temp in the current BB. 931 } 932 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 933 // ok, take it. 934 } else { 935 if (CallInst *CI = dyn_cast<CallInst>(BI)) { 936 // A call inside BB. 937 TempsToInstrument.clear(); 938 if (CI->doesNotReturn()) { 939 NoReturnCalls.push_back(CI); 940 } 941 } 942 continue; 943 } 944 ToInstrument.push_back(BI); 945 NumInsnsPerBB++; 946 if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) 947 break; 948 } 949 } 950 951 // Instrument. 952 int NumInstrumented = 0; 953 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 954 Instruction *Inst = ToInstrument[i]; 955 if (ClDebugMin < 0 || ClDebugMax < 0 || 956 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 957 if (isInterestingMemoryAccess(Inst, &IsWrite)) 958 instrumentMop(Inst); 959 else 960 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 961 } 962 NumInstrumented++; 963 } 964 965 bool ChangedStack = poisonStackInFunction(F); 966 967 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 968 // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37 969 for (size_t i = 0, n = NoReturnCalls.size(); i != n; i++) { 970 Instruction *CI = NoReturnCalls[i]; 971 IRBuilder<> IRB(CI); 972 IRB.CreateCall(AsanHandleNoReturnFunc); 973 } 974 DEBUG(dbgs() << "ASAN done instrumenting:\n" << F << "\n"); 975 976 return NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); 977 } 978 979 static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 980 if (ShadowRedzoneSize == 1) return PoisonByte; 981 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 982 if (ShadowRedzoneSize == 4) 983 return (PoisonByte << 24) + (PoisonByte << 16) + 984 (PoisonByte << 8) + (PoisonByte); 985 llvm_unreachable("ShadowRedzoneSize is either 1, 2 or 4"); 986 } 987 988 static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 989 size_t Size, 990 size_t RZSize, 991 size_t ShadowGranularity, 992 uint8_t Magic) { 993 for (size_t i = 0; i < RZSize; 994 i+= ShadowGranularity, Shadow++) { 995 if (i + ShadowGranularity <= Size) { 996 *Shadow = 0; // fully addressable 997 } else if (i >= Size) { 998 *Shadow = Magic; // unaddressable 999 } else { 1000 *Shadow = Size - i; // first Size-i bytes are addressable 1001 } 1002 } 1003 } 1004 1005 void AddressSanitizer::PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, 1006 IRBuilder<> IRB, 1007 Value *ShadowBase, bool DoPoison) { 1008 size_t ShadowRZSize = RedzoneSize() >> MappingScale(); 1009 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 1010 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 1011 Type *RZPtrTy = PointerType::get(RZTy, 0); 1012 1013 Value *PoisonLeft = ConstantInt::get(RZTy, 1014 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 1015 Value *PoisonMid = ConstantInt::get(RZTy, 1016 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 1017 Value *PoisonRight = ConstantInt::get(RZTy, 1018 ValueForPoison(DoPoison ? kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 1019 1020 // poison the first red zone. 1021 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 1022 1023 // poison all other red zones. 1024 uint64_t Pos = RedzoneSize(); 1025 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 1026 AllocaInst *AI = AllocaVec[i]; 1027 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 1028 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1029 assert(AlignedSize - SizeInBytes < RedzoneSize()); 1030 Value *Ptr = NULL; 1031 1032 Pos += AlignedSize; 1033 1034 assert(ShadowBase->getType() == IntptrTy); 1035 if (SizeInBytes < AlignedSize) { 1036 // Poison the partial redzone at right 1037 Ptr = IRB.CreateAdd( 1038 ShadowBase, ConstantInt::get(IntptrTy, 1039 (Pos >> MappingScale()) - ShadowRZSize)); 1040 size_t AddressableBytes = RedzoneSize() - (AlignedSize - SizeInBytes); 1041 uint32_t Poison = 0; 1042 if (DoPoison) { 1043 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 1044 RedzoneSize(), 1045 1ULL << MappingScale(), 1046 kAsanStackPartialRedzoneMagic); 1047 } 1048 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 1049 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1050 } 1051 1052 // Poison the full redzone at right. 1053 Ptr = IRB.CreateAdd(ShadowBase, 1054 ConstantInt::get(IntptrTy, Pos >> MappingScale())); 1055 Value *Poison = i == AllocaVec.size() - 1 ? PoisonRight : PoisonMid; 1056 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1057 1058 Pos += RedzoneSize(); 1059 } 1060 } 1061 1062 // Workaround for bug 11395: we don't want to instrument stack in functions 1063 // with large assembly blobs (32-bit only), otherwise reg alloc may crash. 1064 // FIXME: remove once the bug 11395 is fixed. 1065 bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 1066 if (LongSize != 32) return false; 1067 CallInst *CI = dyn_cast<CallInst>(I); 1068 if (!CI || !CI->isInlineAsm()) return false; 1069 if (CI->getNumArgOperands() <= 5) return false; 1070 // We have inline assembly with quite a few arguments. 1071 return true; 1072 } 1073 1074 // Handling llvm.lifetime intrinsics for a given %alloca: 1075 // (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca. 1076 // (2) if %size is constant, poison memory for llvm.lifetime.end (to detect 1077 // invalid accesses) and unpoison it for llvm.lifetime.start (the memory 1078 // could be poisoned by previous llvm.lifetime.end instruction, as the 1079 // variable may go in and out of scope several times, e.g. in loops). 1080 // (3) if we poisoned at least one %alloca in a function, 1081 // unpoison the whole stack frame at function exit. 1082 bool AddressSanitizer::handleAllocaLifetime(Value *Alloca) { 1083 assert(CheckLifetime); 1084 Type *AllocaType = Alloca->getType(); 1085 Type *Int8PtrTy = Type::getInt8PtrTy(AllocaType->getContext()); 1086 1087 bool Res = false; 1088 // Typical code looks like this: 1089 // %alloca = alloca <type>, <alignment> 1090 // ... some code ... 1091 // %val1 = bitcast <type>* %alloca to i8* 1092 // call void @llvm.lifetime.start(i64 <size>, i8* %val1) 1093 // ... more code ... 1094 // %val2 = bitcast <type>* %alloca to i8* 1095 // call void @llvm.lifetime.start(i64 <size>, i8* %val2) 1096 // That is, to handle %alloca we must find all its casts to 1097 // i8* values, and find lifetime instructions for these values. 1098 if (AllocaType == Int8PtrTy) 1099 Res |= handleValueLifetime(Alloca); 1100 for (Value::use_iterator UI = Alloca->use_begin(), UE = Alloca->use_end(); 1101 UI != UE; ++UI) { 1102 if (UI->getType() != Int8PtrTy) continue; 1103 if (UI->stripPointerCasts() != Alloca) continue; 1104 Res |= handleValueLifetime(*UI); 1105 } 1106 return Res; 1107 } 1108 1109 bool AddressSanitizer::handleValueLifetime(Value *V) { 1110 assert(CheckLifetime); 1111 bool Res = false; 1112 for (Value::use_iterator UI = V->use_begin(), UE = V->use_end(); UI != UE; 1113 ++UI) { 1114 IntrinsicInst *II = dyn_cast<IntrinsicInst>(*UI); 1115 if (!II) continue; 1116 Intrinsic::ID ID = II->getIntrinsicID(); 1117 if (ID != Intrinsic::lifetime_start && 1118 ID != Intrinsic::lifetime_end) 1119 continue; 1120 if (V != II->getArgOperand(1)) 1121 continue; 1122 // Found lifetime intrinsic, add ASan instrumentation if necessary. 1123 ConstantInt *Size = dyn_cast<ConstantInt>(II->getArgOperand(0)); 1124 // If size argument is undefined, don't do anything. 1125 if (Size->isMinusOne()) 1126 continue; 1127 // Check that size doesn't saturate uint64_t and can 1128 // be stored in IntptrTy. 1129 const uint64_t SizeValue = Size->getValue().getLimitedValue(); 1130 if (SizeValue == ~0ULL || 1131 !ConstantInt::isValueValidForType(IntptrTy, SizeValue)) { 1132 continue; 1133 } 1134 IRBuilder<> IRB(II); 1135 bool DoPoison = (ID == Intrinsic::lifetime_end); 1136 poisonAlloca(V, SizeValue, IRB, DoPoison); 1137 Res = true; 1138 } 1139 return Res; 1140 } 1141 1142 // Find all static Alloca instructions and put 1143 // poisoned red zones around all of them. 1144 // Then unpoison everything back before the function returns. 1145 // 1146 // Stack poisoning does not play well with exception handling. 1147 // When an exception is thrown, we essentially bypass the code 1148 // that unpoisones the stack. This is why the run-time library has 1149 // to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 1150 // stack in the interceptor. This however does not work inside the 1151 // actual function which catches the exception. Most likely because the 1152 // compiler hoists the load of the shadow value somewhere too high. 1153 // This causes asan to report a non-existing bug on 453.povray. 1154 // It sounds like an LLVM bug. 1155 bool AddressSanitizer::poisonStackInFunction(Function &F) { 1156 if (!ClStack) return false; 1157 SmallVector<AllocaInst*, 16> AllocaVec; 1158 SmallVector<Instruction*, 8> RetVec; 1159 uint64_t TotalSize = 0; 1160 bool HavePoisonedAllocas = false; 1161 1162 // Filter out Alloca instructions we want (and can) handle. 1163 // Collect Ret instructions. 1164 unsigned ResultAlignment = 1 << MappingScale(); 1165 for (Function::iterator FI = F.begin(), FE = F.end(); 1166 FI != FE; ++FI) { 1167 BasicBlock &BB = *FI; 1168 for (BasicBlock::iterator BI = BB.begin(), BE = BB.end(); 1169 BI != BE; ++BI) { 1170 if (isa<ReturnInst>(BI)) { 1171 RetVec.push_back(BI); 1172 continue; 1173 } 1174 1175 AllocaInst *AI = dyn_cast<AllocaInst>(BI); 1176 if (!AI) continue; 1177 if (AI->isArrayAllocation()) continue; 1178 if (!AI->isStaticAlloca()) continue; 1179 if (!AI->getAllocatedType()->isSized()) continue; 1180 ResultAlignment = std::max(ResultAlignment, AI->getAlignment()); 1181 AllocaVec.push_back(AI); 1182 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1183 TotalSize += AlignedSize; 1184 } 1185 } 1186 1187 if (AllocaVec.empty()) return false; 1188 1189 uint64_t LocalStackSize = TotalSize + (AllocaVec.size() + 1) * RedzoneSize(); 1190 1191 bool DoStackMalloc = CheckUseAfterReturn 1192 && LocalStackSize <= kMaxStackMallocSize; 1193 1194 Instruction *InsBefore = AllocaVec[0]; 1195 IRBuilder<> IRB(InsBefore); 1196 1197 1198 Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); 1199 AllocaInst *MyAlloca = 1200 new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore); 1201 if (ClRealignStack && ResultAlignment < RedzoneSize()) 1202 ResultAlignment = RedzoneSize(); 1203 MyAlloca->setAlignment(ResultAlignment); 1204 assert(MyAlloca->isStaticAlloca()); 1205 Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy); 1206 Value *LocalStackBase = OrigStackBase; 1207 1208 if (DoStackMalloc) { 1209 LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc, 1210 ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); 1211 } 1212 1213 // This string will be parsed by the run-time (DescribeStackAddress). 1214 SmallString<2048> StackDescriptionStorage; 1215 raw_svector_ostream StackDescription(StackDescriptionStorage); 1216 StackDescription << F.getName() << " " << AllocaVec.size() << " "; 1217 1218 uint64_t Pos = RedzoneSize(); 1219 // Replace Alloca instructions with base+offset. 1220 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 1221 AllocaInst *AI = AllocaVec[i]; 1222 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 1223 StringRef Name = AI->getName(); 1224 StackDescription << Pos << " " << SizeInBytes << " " 1225 << Name.size() << " " << Name << " "; 1226 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1227 assert((AlignedSize % RedzoneSize()) == 0); 1228 Value *NewAllocaPtr = IRB.CreateIntToPtr( 1229 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)), 1230 AI->getType()); 1231 AI->replaceAllUsesWith(NewAllocaPtr); 1232 // Analyze lifetime intrinsics only for static allocas we handle. 1233 if (CheckLifetime) 1234 HavePoisonedAllocas |= handleAllocaLifetime(NewAllocaPtr); 1235 Pos += AlignedSize + RedzoneSize(); 1236 } 1237 assert(Pos == LocalStackSize); 1238 1239 // Write the Magic value and the frame description constant to the redzone. 1240 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 1241 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 1242 BasePlus0); 1243 Value *BasePlus1 = IRB.CreateAdd(LocalStackBase, 1244 ConstantInt::get(IntptrTy, LongSize/8)); 1245 BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy); 1246 GlobalVariable *StackDescriptionGlobal = 1247 createPrivateGlobalForString(*F.getParent(), StackDescription.str()); 1248 Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, IntptrTy); 1249 IRB.CreateStore(Description, BasePlus1); 1250 1251 // Poison the stack redzones at the entry. 1252 Value *ShadowBase = memToShadow(LocalStackBase, IRB); 1253 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRB, ShadowBase, true); 1254 1255 // Unpoison the stack before all ret instructions. 1256 for (size_t i = 0, n = RetVec.size(); i < n; i++) { 1257 Instruction *Ret = RetVec[i]; 1258 IRBuilder<> IRBRet(Ret); 1259 1260 // Mark the current frame as retired. 1261 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 1262 BasePlus0); 1263 // Unpoison the stack. 1264 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRBRet, ShadowBase, false); 1265 1266 if (DoStackMalloc) { 1267 // In use-after-return mode, mark the whole stack frame unaddressable. 1268 IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase, 1269 ConstantInt::get(IntptrTy, LocalStackSize), 1270 OrigStackBase); 1271 } else if (HavePoisonedAllocas) { 1272 // If we poisoned some allocas in llvm.lifetime analysis, 1273 // unpoison whole stack frame now. 1274 assert(LocalStackBase == OrigStackBase); 1275 poisonAlloca(LocalStackBase, LocalStackSize, IRBRet, false); 1276 } 1277 } 1278 1279 // We are done. Remove the old unused alloca instructions. 1280 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) 1281 AllocaVec[i]->eraseFromParent(); 1282 1283 if (ClDebugStack) { 1284 DEBUG(dbgs() << F); 1285 } 1286 1287 return true; 1288 } 1289 1290 void AddressSanitizer::poisonAlloca(Value *V, uint64_t Size, IRBuilder<> IRB, 1291 bool DoPoison) { 1292 // For now just insert the call to ASan runtime. 1293 Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy); 1294 Value *SizeArg = ConstantInt::get(IntptrTy, Size); 1295 IRB.CreateCall2(DoPoison ? AsanPoisonStackMemoryFunc 1296 : AsanUnpoisonStackMemoryFunc, 1297 AddrArg, SizeArg); 1298 } 1299