//===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file is a part of AddressSanitizer, an address sanity checker.
// Details of the algorithm:
// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
//
//===----------------------------------------------------------------------===//

#include "llvm/Transforms/Instrumentation.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/ADT/SetVector.h"
#include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/Triple.h"
#include "llvm/Analysis/MemoryBuiltins.h"
#include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/Analysis/ValueTracking.h"
#include "llvm/IR/CallSite.h"
#include "llvm/IR/DIBuilder.h"
#include "llvm/IR/DataLayout.h"
#include "llvm/IR/Dominators.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h"
#include "llvm/IR/InstVisitor.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/MDBuilder.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Type.h"
#include "llvm/MC/MCSectionMachO.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/DataTypes.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/Endian.h"
#include "llvm/Support/SwapByteOrder.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Transforms/Scalar.h"
#include "llvm/Transforms/Utils/ASanStackFrameLayout.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/Cloning.h"
#include "llvm/Transforms/Utils/Local.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"
#include "llvm/Transforms/Utils/PromoteMemToReg.h"
#include <algorithm>
#include <string>
#include <system_error>

using namespace llvm;

#define DEBUG_TYPE "asan"

// Shadow-mapping parameters. The shadow byte for an address is found at
//   (Mem >> Scale) + Offset   (or `| Offset` when getShadowMapping decides
//   the offset can be OR-ed in).
// The offset is selected per target by getShadowMapping() below.
// NOTE(review): the run-time library has to use the very same layout; nothing
// in this file checks that, so these values must be kept in sync by hand.
static const uint64_t kDefaultShadowScale = 3;
static const uint64_t kDefaultShadowOffset32 = 1ULL << 29;
static const uint64_t kIOSShadowOffset32 = 1ULL << 30;
static const uint64_t kDefaultShadowOffset64 = 1ULL << 44;
static const uint64_t kSmallX86_64ShadowOffset = 0x7FFF8000;  // < 2G.
static const uint64_t kLinuxKasan_ShadowOffset64 = 0xdffffc0000000000;
static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 41;
static const uint64_t kMIPS32_ShadowOffset32 = 0x0aaa0000;
static const uint64_t kMIPS64_ShadowOffset64 = 1ULL << 37;
static const uint64_t kAArch64_ShadowOffset64 = 1ULL << 36;
static const uint64_t kFreeBSD_ShadowOffset32 = 1ULL << 30;
static const uint64_t kFreeBSD_ShadowOffset64 = 1ULL << 46;
static const uint64_t kWindowsShadowOffset32 = 3ULL << 28;

// Bounds of the fake-stack ("stack malloc") frame sizes and the magic words
// written into a frame header; the consumers are outside this excerpt.
static const size_t kMinStackMallocSize = 1 << 6;   // 64B
static const size_t kMaxStackMallocSize = 1 << 16;  // 64K
static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3;
static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E;

// Names of the run-time library entry points and of the module-level
// ctor/dtor this pass emits. The instrumented module resolves these symbols
// at link time, so they form the ABI contract with the run-time library.
static const char *const kAsanModuleCtorName = "asan.module_ctor";
static const char *const kAsanModuleDtorName = "asan.module_dtor";
// Ctor/dtor priority (use not visible in this excerpt).
static const uint64_t kAsanCtorAndDtorPriority = 1;
static const char *const kAsanReportErrorTemplate = "__asan_report_";
static const char *const kAsanRegisterGlobalsName = "__asan_register_globals";
static const char *const kAsanUnregisterGlobalsName =
    "__asan_unregister_globals";
static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init";
static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init";
static const char *const kAsanInitName = "__asan_init";
// Versioned symbol: bumping the suffix makes a module built with this pass
// fail to link against a run-time that does not provide the same version.
static const char *const kAsanVersionCheckName =
    "__asan_version_mismatch_check_v6";
static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp";
static const char *const kAsanPtrSub = "__sanitizer_ptr_sub";
static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return";
static const int kMaxAsanStackMallocSizeClass = 10;
static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_";
static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_";
// Prefixes of globals generated by ASan / SanitizerCoverage themselves; see
// GlobalWasGeneratedByAsan().
static const char *const kAsanGenPrefix = "__asan_gen_";
static const char *const kSanCovGenPrefix = "__sancov_gen_";
static const char *const kAsanPoisonStackMemoryName =
    "__asan_poison_stack_memory";
static const char *const kAsanUnpoisonStackMemoryName =
    "__asan_unpoison_stack_memory";

static const char *const kAsanOptionDetectUAR =
    "__asan_option_detect_stack_use_after_return";

static const char *const kAsanAllocaPoison = "__asan_alloca_poison";
static const char *const kAsanAllocasUnpoison = "__asan_allocas_unpoison";

// Accesses sizes are powers of two: 1, 2, 4, 8, 16.
// This is the extent of the per-size callback arrays in AddressSanitizer
// and the upper bound asserted by TypeSizeToSizeIndex().
static const size_t kNumberOfAccessSizes = 5;

// Redzone size (bytes) placed around dynamic allocas.
static const unsigned kAllocaRzSize = 32;

// Command-line flags.
// All flags are cl::Hidden: they are meant for the driver, testing and
// benchmarking rather than for end users.
static cl::opt<bool> ClEnableKasan(
    "asan-kernel", cl::desc("Enable KernelAddressSanitizer instrumentation"),
    cl::Hidden, cl::init(false));
static cl::opt<bool> ClRecover(
    "asan-recover",
    cl::desc("Enable recovery mode (continue-after-error)."),
    cl::Hidden, cl::init(false));

// This flag may need to be replaced with -f[no-]asan-reads.
static cl::opt<bool> ClInstrumentReads("asan-instrument-reads",
                                       cl::desc("instrument read instructions"),
                                       cl::Hidden, cl::init(true));
static cl::opt<bool> ClInstrumentWrites(
    "asan-instrument-writes", cl::desc("instrument write instructions"),
    cl::Hidden, cl::init(true));
static cl::opt<bool> ClInstrumentAtomics(
    "asan-instrument-atomics",
    cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden,
    cl::init(true));
static cl::opt<bool> ClAlwaysSlowPath(
    "asan-always-slow-path",
    cl::desc("use instrumentation with slow path for all accesses"), cl::Hidden,
    cl::init(false));
// This flag limits the number of instructions to be instrumented
// in any given BB. Normally, this should be set to unlimited (INT_MAX),
// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporarily
// set it to 10000.
// Note that accesses beyond the limit in a single basic block are left
// unchecked, so this is a coverage trade-off, not only a compile-time one.
static cl::opt<int> ClMaxInsnsToInstrumentPerBB(
    "asan-max-ins-per-bb", cl::init(10000),
    cl::desc("maximal number of instructions to instrument in any given BB"),
    cl::Hidden);
// This flag may need to be replaced with -f[no]asan-stack.
static cl::opt<bool> ClStack("asan-stack", cl::desc("Handle stack memory"),
                             cl::Hidden, cl::init(true));
static cl::opt<bool> ClUseAfterReturn("asan-use-after-return",
                                      cl::desc("Check return-after-free"),
                                      cl::Hidden, cl::init(true));
// This flag may need to be replaced with -f[no]asan-globals.
static cl::opt<bool> ClGlobals("asan-globals",
                               cl::desc("Handle global objects"), cl::Hidden,
                               cl::init(true));
static cl::opt<bool> ClInitializers("asan-initialization-order",
                                    cl::desc("Handle C++ initializer order"),
                                    cl::Hidden, cl::init(true));
static cl::opt<bool> ClInvalidPointerPairs(
    "asan-detect-invalid-pointer-pair",
    cl::desc("Instrument <, <=, >, >=, - with pointer operands"), cl::Hidden,
    cl::init(false));
static cl::opt<unsigned> ClRealignStack(
    "asan-realign-stack",
    cl::desc("Realign stack to the value of this flag (power of two)"),
    cl::Hidden, cl::init(32));
static cl::opt<int> ClInstrumentationWithCallsThreshold(
    "asan-instrumentation-with-call-threshold",
    cl::desc(
        "If the function being instrumented contains more than "
        "this number of memory accesses, use callbacks instead of "
        "inline checks (-1 means never use callbacks)."),
    cl::Hidden, cl::init(7000));
// Prefix of the out-of-line check callbacks (the "-with-call" path above);
// the run-time library must export functions under this prefix.
static cl::opt<std::string> ClMemoryAccessCallbackPrefix(
    "asan-memory-access-callback-prefix",
    cl::desc("Prefix for memory access callbacks"), cl::Hidden,
    cl::init("__asan_"));
static cl::opt<bool> ClInstrumentAllocas("asan-instrument-allocas",
                                         cl::desc("instrument dynamic allocas"),
                                         cl::Hidden, cl::init(true));
// Consulted by AddressSanitizer::isInterestingAlloca and
// isInterestingMemoryAccess: when set, accesses to promotable allocas are
// not checked at all.
static cl::opt<bool> ClSkipPromotableAllocas(
    "asan-skip-promotable-allocas",
    cl::desc("Do not instrument promotable allocas"), cl::Hidden,
    cl::init(true));

// These flags allow to change the shadow mapping.
// The shadow mapping looks like
// Shadow = (Mem >> scale) + (1 << offset_log)
// A value of 0 (the default) keeps kDefaultShadowScale; see getShadowMapping.
// NOTE(review): the value is not range-checked here and is also used as a
// shift count in RedzoneSizeForScale(); it must match the run-time's scale.
static cl::opt<int> ClMappingScale("asan-mapping-scale",
                                   cl::desc("scale of asan shadow mapping"),
                                   cl::Hidden, cl::init(0));

// Optimization flags. Not user visible, used mostly for testing
// and benchmarking the tool.
static cl::opt<bool> ClOpt("asan-opt", cl::desc("Optimize instrumentation"),
                           cl::Hidden, cl::init(true));
static cl::opt<bool> ClOptSameTemp(
    "asan-opt-same-temp", cl::desc("Instrument the same temp just once"),
    cl::Hidden, cl::init(true));
static cl::opt<bool> ClOptGlobals("asan-opt-globals",
                                  cl::desc("Don't instrument scalar globals"),
                                  cl::Hidden, cl::init(true));
static cl::opt<bool> ClOptStack(
    "asan-opt-stack", cl::desc("Don't instrument scalar stack variables"),
    cl::Hidden, cl::init(false));

// Off by default: enables the lifetime-based (use-after-scope) poisoning
// collected in FunctionStackPoisoner::visitIntrinsicInst.
static cl::opt<bool> ClCheckLifetime(
    "asan-check-lifetime",
    cl::desc("Use llvm.lifetime intrinsics to insert extra checks"), cl::Hidden,
    cl::init(false));

static cl::opt<bool> ClDynamicAllocaStack(
    "asan-stack-dynamic-alloca",
    cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden,
    cl::init(true));

static cl::opt<uint32_t> ClForceExperiment(
    "asan-force-experiment",
    cl::desc("Force optimization experiment (for testing)"), cl::Hidden,
    cl::init(0));

// Debug flags.
static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden,
                            cl::init(0));
static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"),
                                 cl::Hidden, cl::init(0));
static cl::opt<std::string> ClDebugFunc("asan-debug-func", cl::Hidden,
                                        cl::desc("Debug func"));
static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"),
                               cl::Hidden, cl::init(-1));
// (The description string reads "Debug man inst"; it is a runtime string and
// is left as-is here.)
static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"),
                               cl::Hidden, cl::init(-1));

STATISTIC(NumInstrumentedReads, "Number of instrumented reads");
STATISTIC(NumInstrumentedWrites, "Number of instrumented writes");
STATISTIC(NumOptimizedAccessesToGlobalVar,
          "Number of optimized accesses to global vars");
STATISTIC(NumOptimizedAccessesToStackVar,
          "Number of optimized accesses to stack vars");

namespace {
/// Frontend-provided metadata for source location.
///
/// Filled from a 3-operand metadata node (file name, line, column) that the
/// frontend attaches to a global; see GlobalsMetadata::init.
struct LocationMetadata {
  StringRef Filename;
  int LineNo;
  int ColumnNo;

  LocationMetadata() : Filename(), LineNo(0), ColumnNo(0) {}

  /// True when no location has been parsed (Filename is empty).
  bool empty() const { return Filename.empty(); }

  /// Parse \p MDN, which must have exactly three operands:
  /// MDString file name, ConstantInt line, ConstantInt column.
  /// The operand count is only asserted and the casts are unchecked, so the
  /// shape of the node is trusted; a malformed node is not diagnosed in a
  /// build without assertions.
  void parse(MDNode *MDN) {
    assert(MDN->getNumOperands() == 3);
    MDString *DIFilename = cast<MDString>(MDN->getOperand(0));
    Filename = DIFilename->getString();
    // getLimitedValue() saturates instead of overflowing; the result is then
    // narrowed to int.
    LineNo =
        mdconst::extract<ConstantInt>(MDN->getOperand(1))->getLimitedValue();
    ColumnNo =
        mdconst::extract<ConstantInt>(MDN->getOperand(2))->getLimitedValue();
  }
};

/// Frontend-provided metadata for global variables.
class GlobalsMetadata {
 public:
  /// Per-global information decoded from the "llvm.asan.globals" named
  /// metadata: source location, source-level name, and two flags.
  struct Entry {
    Entry() : SourceLoc(), Name(), IsDynInit(false), IsBlacklisted(false) {}
    LocationMetadata SourceLoc;
    StringRef Name;
    // The global has a dynamic (run-time) initializer.
    bool IsDynInit;
    // The frontend asked for this global not to be instrumented.
    bool IsBlacklisted;
  };

  GlobalsMetadata() : inited_(false) {}

  /// Decode the "llvm.asan.globals" metadata of \p M into Entries.
  ///
  /// Must be called at most once (asserted). Each node is expected to have
  /// five operands: the global, a location node (or null), a name string
  /// (or null), and two ConstantInt flags. As in LocationMetadata::parse the
  /// node shape is trusted: the operand count is only asserted and the
  /// extracts are unchecked.
  void init(Module &M) {
    assert(!inited_);
    inited_ = true;
    NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals");
    if (!Globals) return;
    for (auto MDN : Globals->operands()) {
      // Metadata node contains the global and the fields of "Entry".
      assert(MDN->getNumOperands() == 5);
      auto *GV = mdconst::extract_or_null<GlobalVariable>(MDN->getOperand(0));
      // The optimizer may optimize away a global entirely.
      if (!GV) continue;
      // We can already have an entry for GV if it was merged with another
      // global.
      Entry &E = Entries[GV];
      if (auto *Loc = cast_or_null<MDNode>(MDN->getOperand(1)))
        E.SourceLoc.parse(Loc);
      if (auto *Name = cast_or_null<MDString>(MDN->getOperand(2)))
        E.Name = Name->getString();
      ConstantInt *IsDynInit =
          mdconst::extract<ConstantInt>(MDN->getOperand(3));
      E.IsDynInit |= IsDynInit->isOne();
      // Flags are OR-ed so that merged globals keep the most restrictive
      // setting: once any source entry was blacklisted, the merged global is.
      ConstantInt *IsBlacklisted =
          mdconst::extract<ConstantInt>(MDN->getOperand(4));
      E.IsBlacklisted |= IsBlacklisted->isOne();
    }
  }

  /// Returns metadata entry for a given global.
  /// A global without metadata yields a default Entry (no location, no name,
  /// both flags false) rather than an error.
  Entry get(GlobalVariable *G) const {
    auto Pos = Entries.find(G);
    return (Pos != Entries.end()) ? Pos->second : Entry();
  }

 private:
  bool inited_;
  DenseMap<GlobalVariable *, Entry> Entries;
};

/// This struct defines the shadow mapping using the rule:
///   shadow = (mem >> Scale) ADD-or-OR Offset.
struct ShadowMapping {
  int Scale;
  uint64_t Offset;
  bool OrShadowOffset;
};

/// Select the shadow-memory layout for \p TargetTriple.
///
/// \param TargetTriple  target the module is compiled for.
/// \param LongSize      pointer width in bits; 32 selects the 32-bit offsets,
///                      anything else is treated as 64-bit.
/// \param IsKasan       kernel mode; only changes the offset on Linux/x86_64.
/// \return scale, offset and whether the offset may be OR-ed in instead of
///         added (memToShadow emits the corresponding instruction).
static ShadowMapping getShadowMapping(Triple &TargetTriple, int LongSize,
                                      bool IsKasan) {
  const auto Arch = TargetTriple.getArch();
  const bool IsAndroid = TargetTriple.isAndroid();
  const bool IsIOS = TargetTriple.isiOS();
  const bool IsFreeBSD = TargetTriple.isOSFreeBSD();
  const bool IsLinux = TargetTriple.isOSLinux();
  const bool IsWindows = TargetTriple.isOSWindows();
  const bool IsPPC64 =
      Arch == llvm::Triple::ppc64 || Arch == llvm::Triple::ppc64le;
  const bool IsX86_64 = Arch == llvm::Triple::x86_64;
  const bool IsMIPS32 =
      Arch == llvm::Triple::mips || Arch == llvm::Triple::mipsel;
  const bool IsMIPS64 =
      Arch == llvm::Triple::mips64 || Arch == llvm::Triple::mips64el;
  const bool IsAArch64 = Arch == llvm::Triple::aarch64;

  // Per-target shadow offset. The order of the tests matters: PPC64 and
  // FreeBSD are matched before the Linux/x86_64 case.
  uint64_t Offset;
  if (LongSize == 32) {
    // Android is always PIE, which means that the beginning of the address
    // space is always available.
    if (IsAndroid)
      Offset = 0;
    else if (IsMIPS32)
      Offset = kMIPS32_ShadowOffset32;
    else if (IsFreeBSD)
      Offset = kFreeBSD_ShadowOffset32;
    else if (IsIOS)
      Offset = kIOSShadowOffset32;
    else if (IsWindows)
      Offset = kWindowsShadowOffset32;
    else
      Offset = kDefaultShadowOffset32;
  } else {  // LongSize == 64
    if (IsPPC64)
      Offset = kPPC64_ShadowOffset64;
    else if (IsFreeBSD)
      Offset = kFreeBSD_ShadowOffset64;
    else if (IsLinux && IsX86_64)
      Offset = IsKasan ? kLinuxKasan_ShadowOffset64 : kSmallX86_64ShadowOffset;
    else if (IsMIPS64)
      Offset = kMIPS64_ShadowOffset64;
    else if (IsAArch64)
      Offset = kAArch64_ShadowOffset64;
    else
      Offset = kDefaultShadowOffset64;
  }

  // A non-zero -asan-mapping-scale overrides the default scale.
  int Scale = kDefaultShadowScale;
  if (ClMappingScale)
    Scale = ClMappingScale;

  // OR-ing shadow offset if more efficient (at least on x86) if the offset
  // is a power of two, but on ppc64 we have to use add since the shadow
  // offset is not necessary 1/8-th of the address space.
  // The bit test below is also true for Offset == 0 (the Android case).
  const bool OffsetIsPowerOfTwoOrZero = !(Offset & (Offset - 1));
  const bool UseOr = !IsAArch64 && !IsPPC64 && OffsetIsPowerOfTwoOrZero;

  ShadowMapping Mapping;
  Mapping.Scale = Scale;
  Mapping.Offset = Offset;
  Mapping.OrShadowOffset = UseOr;
  return Mapping;
}

/// Redzone size in bytes used for the stack and for globals at a given shadow
/// scale: at least 32 bytes, and 1 << MappingScale when that is larger
/// (64 and 128 bytes for scales 6 and 7 respectively).
// NOTE(review): a negative scale or one >= 32 makes the shift undefined; the
// only caller visible here (MinRedzoneSizeForGlobal) passes Mapping.Scale,
// which comes from -asan-mapping-scale without range checking — confirm.
static size_t RedzoneSizeForScale(int MappingScale) {
  const unsigned ScaledRedzone = 1U << MappingScale;
  return ScaledRedzone < 32U ? 32U : ScaledRedzone;
}

/// AddressSanitizer: instrument the code in module to find memory bugs.
struct AddressSanitizer : public FunctionPass {
  // Either constructor argument may be overridden to true by the
  // corresponding command-line flag (-asan-kernel / -asan-recover).
  explicit AddressSanitizer(bool CompileKernel = false, bool Recover = false)
      : FunctionPass(ID), CompileKernel(CompileKernel || ClEnableKasan),
        Recover(Recover || ClRecover) {
    initializeAddressSanitizerPass(*PassRegistry::getPassRegistry());
  }
  const char *getPassName() const override {
    return "AddressSanitizerFunctionPass";
  }
  void getAnalysisUsage(AnalysisUsage &AU) const override {
    AU.addRequired<DominatorTreeWrapperPass>();
    AU.addRequired<TargetLibraryInfoWrapperPass>();
  }
  /// Allocation size of the alloca's element type per the module DataLayout.
  /// Only the allocated type is consulted: for an array alloca this is the
  /// size of one element, not of the whole allocation.
  uint64_t getAllocaSizeInBytes(AllocaInst *AI) const {
    Type *Ty = AI->getAllocatedType();
    uint64_t SizeInBytes =
        AI->getModule()->getDataLayout().getTypeAllocSize(Ty);
    return SizeInBytes;
  }
  /// Check if we want (and can) handle this alloca.
  bool isInterestingAlloca(AllocaInst &AI);

  // Check if we have dynamic alloca.
  // An array alloca counts as dynamic even when its count is constant.
  bool isDynamicAlloca(AllocaInst &AI) const {
    return AI.isArrayAllocation() || !AI.isStaticAlloca();
  }

  /// If it is an interesting memory access, return the PointerOperand
  /// and set IsWrite/Alignment. Otherwise return nullptr.
  Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite,
                                   uint64_t *TypeSize, unsigned *Alignment);
  void instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis, Instruction *I,
                     bool UseCalls, const DataLayout &DL);
  void instrumentPointerComparisonOrSubtraction(Instruction *I);
  void instrumentAddress(Instruction *OrigIns, Instruction *InsertBefore,
                         Value *Addr, uint32_t TypeSize, bool IsWrite,
                         Value *SizeArgument, bool UseCalls, uint32_t Exp);
  void instrumentUnusualSizeOrAlignment(Instruction *I, Value *Addr,
                                        uint32_t TypeSize, bool IsWrite,
                                        Value *SizeArgument, bool UseCalls,
                                        uint32_t Exp);
  Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong,
                           Value *ShadowValue, uint32_t TypeSize);
  Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr,
                                 bool IsWrite, size_t AccessSizeIndex,
                                 Value *SizeArgument, uint32_t Exp);
  void instrumentMemIntrinsic(MemIntrinsic *MI);
  /// Compute the shadow address for the (integer) address \p Shadow.
  Value *memToShadow(Value *Shadow, IRBuilder<> &IRB);
  bool runOnFunction(Function &F) override;
  bool maybeInsertAsanInitAtFunctionEntry(Function &F);
  void markEscapedLocalAllocas(Function &F);
  bool doInitialization(Module &M) override;
  static char ID;  // Pass identification, replacement for typeid

  DominatorTree &getDominatorTree() const { return *DT; }

 private:
  void initializeCallbacks(Module &M);

  bool LooksLikeCodeInBug11395(Instruction *I);
  bool GlobalIsLinkerInitialized(GlobalVariable *G);
  bool isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, Value *Addr,
                    uint64_t TypeSize) const;

  /// Helper to cleanup per-function state.
  /// Clears ProcessedAllocas on destruction so that cached alloca decisions
  /// never leak from one function into the next.
  struct FunctionStateRAII {
    AddressSanitizer *Pass;
    FunctionStateRAII(AddressSanitizer *Pass) : Pass(Pass) {
      assert(Pass->ProcessedAllocas.empty() &&
             "last pass forgot to clear cache");
    }
    ~FunctionStateRAII() { Pass->ProcessedAllocas.clear(); }
  };

  LLVMContext *C;
  Triple TargetTriple;
  int LongSize;
  bool CompileKernel;
  bool Recover;
  Type *IntptrTy;
  ShadowMapping Mapping;
  DominatorTree *DT;
  Function *AsanCtorFunction = nullptr;
  Function *AsanInitFunction = nullptr;
  // The following callbacks are populated in initializeCallbacks (defined
  // outside this excerpt) and are not initialized here.
  Function *AsanHandleNoReturnFunc;
  Function *AsanPtrCmpFunction, *AsanPtrSubFunction;
  // This array is indexed by AccessIsWrite, Experiment and log2(AccessSize).
  Function *AsanErrorCallback[2][2][kNumberOfAccessSizes];
  Function *AsanMemoryAccessCallback[2][2][kNumberOfAccessSizes];
  // This array is indexed by AccessIsWrite and Experiment.
  Function *AsanErrorCallbackSized[2][2];
  Function *AsanMemoryAccessCallbackSized[2][2];
  Function *AsanMemmove, *AsanMemcpy, *AsanMemset;
  InlineAsm *EmptyAsm;
  GlobalsMetadata GlobalsMD;
  // Per-function cache for isInterestingAlloca; reset by FunctionStateRAII.
  DenseMap<AllocaInst *, bool> ProcessedAllocas;

  friend struct FunctionStackPoisoner;
};

/// Module-level half of ASan: instruments globals and C++ initializer order.
class AddressSanitizerModule : public ModulePass {
 public:
  explicit AddressSanitizerModule(bool CompileKernel = false,
                                  bool Recover = false)
      : ModulePass(ID), CompileKernel(CompileKernel || ClEnableKasan),
        Recover(Recover || ClRecover) {}
  bool runOnModule(Module &M) override;
  static char ID;  // Pass identification, replacement for typeid
  const char *getPassName() const override { return "AddressSanitizerModule"; }

 private:
  void initializeCallbacks(Module &M);

  bool InstrumentGlobals(IRBuilder<> &IRB, Module &M);
  bool ShouldInstrumentGlobal(GlobalVariable *G);
  void poisonOneInitializer(Function &GlobalInit, GlobalValue *ModuleName);
  void createInitializerPoisonCalls(Module &M, GlobalValue *ModuleName);
  /// Smallest redzone placed after a global, derived from the shadow scale.
  size_t MinRedzoneSizeForGlobal() const {
    return RedzoneSizeForScale(Mapping.Scale);
  }

  GlobalsMetadata GlobalsMD;
  bool CompileKernel;
  bool Recover;
  Type *IntptrTy;
  LLVMContext *C;
  Triple TargetTriple;
  ShadowMapping Mapping;
  Function *AsanPoisonGlobals;
  Function *AsanUnpoisonGlobals;
  Function *AsanRegisterGlobals;
  Function *AsanUnregisterGlobals;
};

// Stack poisoning does not play well with exception handling.
// When an exception is thrown, we essentially bypass the code
// that unpoisones the stack. This is why the run-time library has
// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire
// stack in the interceptor. This however does not work inside the
// actual function which catches the exception. Most likely because the
// compiler hoists the load of the shadow value somewhere too high.
// This causes asan to report a non-existing bug on 453.povray.
// It sounds like an LLVM bug.
//
// FunctionStackPoisoner is a per-function visitor: runOnFunction() walks the
// reachable blocks collecting allocas, returns, lifetime/stackrestore
// intrinsics and call sites, then poisonStack() (defined outside this
// excerpt) rewrites the frame.
struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
  Function &F;
  AddressSanitizer &ASan;
  DIBuilder DIB;
  LLVMContext *C;
  Type *IntptrTy;
  Type *IntptrPtrTy;
  ShadowMapping Mapping;

  // Static allocas that will be instrumented.
  SmallVector<AllocaInst *, 16> AllocaVec;
  // Static allocas that were rejected by isInterestingAlloca.
  SmallSetVector<AllocaInst *, 16> NonInstrumentedStaticAllocaVec;
  // All return instructions, i.e. the exits at which the frame is unpoisoned.
  SmallVector<Instruction *, 8> RetVec;
  // Maximum of (1 << Mapping.Scale) and the alignment of every interesting
  // alloca seen so far.
  unsigned StackAlignment;

  Function *AsanStackMallocFunc[kMaxAsanStackMallocSizeClass + 1],
      *AsanStackFreeFunc[kMaxAsanStackMallocSizeClass + 1];
  Function *AsanPoisonStackMemoryFunc, *AsanUnpoisonStackMemoryFunc;
  Function *AsanAllocaPoisonFunc, *AsanAllocasUnpoisonFunc;

  // Stores a place and arguments of poisoning/unpoisoning call for alloca.
  struct AllocaPoisonCall {
    IntrinsicInst *InsBefore;
    AllocaInst *AI;
    uint64_t Size;
    bool DoPoison;
  };
  SmallVector<AllocaPoisonCall, 8> AllocaPoisonCallVec;

  SmallVector<AllocaInst *, 1> DynamicAllocaVec;
  SmallVector<IntrinsicInst *, 1> StackRestoreVec;
  AllocaInst *DynamicAllocaLayout = nullptr;
  IntrinsicInst *LocalEscapeCall = nullptr;

  // Maps Value to an AllocaInst from which the Value is originated.
  typedef DenseMap<Value *, AllocaInst *> AllocaForValueMapTy;
  AllocaForValueMapTy AllocaForValue;

  bool HasNonEmptyInlineAsm = false;
  bool HasReturnsTwiceCall = false;
  // A call to ASan.EmptyAsm that is never inserted into F; it only serves as
  // the comparison template in visitCallSite.
  std::unique_ptr<CallInst> EmptyInlineAsm;

  FunctionStackPoisoner(Function &F, AddressSanitizer &ASan)
      : F(F),
        ASan(ASan),
        DIB(*F.getParent(), /*AllowUnresolved*/ false),
        C(ASan.C),
        IntptrTy(ASan.IntptrTy),
        IntptrPtrTy(PointerType::get(IntptrTy, 0)),
        Mapping(ASan.Mapping),
        StackAlignment(1 << Mapping.Scale),
        EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {}

  /// Instrument the stack frame of F.
  /// \return true when the function was modified (some alloca was
  ///         instrumented), false when -asan-stack is off or there is
  ///         nothing to instrument.
  bool runOnFunction() {
    if (!ClStack) return false;
    // Collect alloca, ret, lifetime instructions etc.
    // Only blocks reachable from the entry are visited.
    for (BasicBlock *BB : depth_first(&F.getEntryBlock())) visit(*BB);

    if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;

    initializeCallbacks(*F.getParent());

    poisonStack();

    if (ClDebugStack) {
      DEBUG(dbgs() << F);
    }
    return true;
  }

  // Finds all Alloca instructions and puts
  // poisoned red zones around all of them.
  // Then unpoison everything back before the function returns.
  void poisonStack();

  void createDynamicAllocasInitStorage();

  // ----------------------- Visitors.
  /// \brief Collect all Ret instructions.
  void visitReturnInst(ReturnInst &RI) { RetVec.push_back(&RI); }

  /// Emit a call to __asan_allocas_unpoison(<layout>, <saved stack>) right
  /// before \p InstBefore.
  void unpoisonDynamicAllocasBeforeInst(Instruction *InstBefore,
                                        Value *SavedStack) {
    IRBuilder<> IRB(InstBefore);
    IRB.CreateCall(AsanAllocasUnpoisonFunc,
                   {IRB.CreateLoad(DynamicAllocaLayout),
                    IRB.CreatePtrToInt(SavedStack, IntptrTy)});
  }

  // Unpoison dynamic allocas redzones.
  // Done at every return and at every llvm.stackrestore, so that memory
  // released by a stackrestore does not stay poisoned.
  void unpoisonDynamicAllocas() {
    for (auto &Ret : RetVec)
      unpoisonDynamicAllocasBeforeInst(Ret, DynamicAllocaLayout);

    for (auto &StackRestoreInst : StackRestoreVec)
      unpoisonDynamicAllocasBeforeInst(StackRestoreInst,
                                       StackRestoreInst->getOperand(0));
  }

  // Deploy and poison redzones around dynamic alloca call. To do this, we
  // should replace this call with another one with changed parameters and
  // replace all its uses with new address, so
  //   addr = alloca type, old_size, align
  // is replaced by
  //   new_size = (old_size + additional_size) * sizeof(type)
  //   tmp = alloca i8, new_size, max(align, 32)
  //   addr = tmp + 32 (first 32 bytes are for the left redzone).
  // Additional_size is added to make new memory allocation contain not only
  // requested memory, but also left, partial and right redzones.
  void handleDynamicAllocaCall(AllocaInst *AI);

  /// \brief Collect Alloca instructions we want (and can) handle.
  /// Uninteresting static allocas are remembered separately; everything
  /// else is sorted into the dynamic or the static list and contributes to
  /// StackAlignment.
  void visitAllocaInst(AllocaInst &AI) {
    if (!ASan.isInterestingAlloca(AI)) {
      if (AI.isStaticAlloca()) NonInstrumentedStaticAllocaVec.insert(&AI);
      return;
    }

    StackAlignment = std::max(StackAlignment, AI.getAlignment());
    if (ASan.isDynamicAlloca(AI))
      DynamicAllocaVec.push_back(&AI);
    else
      AllocaVec.push_back(&AI);
  }

  /// \brief Collect lifetime intrinsic calls to check for use-after-scope
  /// errors.
  /// Also records llvm.stackrestore and llvm.localescape calls regardless
  /// of -asan-check-lifetime.
  void visitIntrinsicInst(IntrinsicInst &II) {
    Intrinsic::ID ID = II.getIntrinsicID();
    if (ID == Intrinsic::stackrestore) StackRestoreVec.push_back(&II);
    if (ID == Intrinsic::localescape) LocalEscapeCall = &II;
    if (!ClCheckLifetime) return;
    if (ID != Intrinsic::lifetime_start && ID != Intrinsic::lifetime_end)
      return;
    // Found lifetime intrinsic, add ASan instrumentation if necessary.
    // NOTE(review): Size is a dyn_cast result dereferenced without a null
    // check; this relies on the size operand of llvm.lifetime.* always being
    // a ConstantInt — confirm the IR verifier guarantees that.
    ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0));
    // If size argument is undefined, don't do anything.
    if (Size->isMinusOne()) return;
    // Check that size doesn't saturate uint64_t and can
    // be stored in IntptrTy.
    const uint64_t SizeValue = Size->getValue().getLimitedValue();
    if (SizeValue == ~0ULL ||
        !ConstantInt::isValueValidForType(IntptrTy, SizeValue))
      return;
    // Find alloca instruction that corresponds to llvm.lifetime argument.
    AllocaInst *AI = findAllocaForValue(II.getArgOperand(1));
    if (!AI) return;
    bool DoPoison = (ID == Intrinsic::lifetime_end);
    AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison};
    AllocaPoisonCallVec.push_back(APC);
  }

  /// Track two properties of F that matter for the frame layout: non-empty
  /// inline asm (the template EmptyInlineAsm is excluded) and calls that may
  /// return twice (setjmp-like). Invokes are not CallInst and are ignored.
  void visitCallSite(CallSite CS) {
    Instruction *I = CS.getInstruction();
    if (CallInst *CI = dyn_cast<CallInst>(I)) {
      HasNonEmptyInlineAsm |=
          CI->isInlineAsm() && !CI->isIdenticalTo(EmptyInlineAsm.get());
      HasReturnsTwiceCall |= CI->canReturnTwice();
    }
  }

  // ---------------------- Helpers.
  void initializeCallbacks(Module &M);

  /// True when \p I dominates every return collected in RetVec
  /// (vacuously true when there are no returns).
  bool doesDominateAllExits(const Instruction *I) const {
    for (auto Ret : RetVec) {
      if (!ASan.getDominatorTree().dominates(I, Ret)) return false;
    }
    return true;
  }

  /// Finds alloca where the value comes from.
  AllocaInst *findAllocaForValue(Value *V);
  void poisonRedZones(ArrayRef<uint8_t> ShadowBytes, IRBuilder<> &IRB,
                      Value *ShadowBase, bool DoPoison);
  void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> &IRB, bool DoPoison);

  void SetShadowToStackAfterReturnInlined(IRBuilder<> &IRB, Value *ShadowBase,
                                          int Size);
  Value *createAllocaForLayout(IRBuilder<> &IRB, const ASanStackFrameLayout &L,
                               bool Dynamic);
  PHINode *createPHI(IRBuilder<> &IRB, Value *Cond, Value *ValueIfTrue,
                     Instruction *ThenTerm, Value *ValueIfFalse);
};

}  // anonymous namespace

char AddressSanitizer::ID = 0;
INITIALIZE_PASS_BEGIN(
    AddressSanitizer, "asan",
    "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,
    false)
INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)
INITIALIZE_PASS_END(
    AddressSanitizer, "asan",
    "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,
    false)
/// Factory for the function pass. Kernel mode requires recovery mode
/// (asserted; not diagnosed in a build without assertions).
FunctionPass *llvm::createAddressSanitizerFunctionPass(bool CompileKernel,
                                                       bool Recover) {
  assert(!CompileKernel || Recover);
  return new AddressSanitizer(CompileKernel, Recover);
}

char AddressSanitizerModule::ID = 0;
// NOTE(review): the two adjacent literals concatenate without a separating
// space ("...bugs.ModulePass"); left unchanged here since it is a runtime
// string.
INITIALIZE_PASS(
    AddressSanitizerModule, "asan-module",
    "AddressSanitizer: detects use-after-free and out-of-bounds bugs."
    "ModulePass",
    false, false)
/// Factory for the module pass; same kernel-implies-recover precondition as
/// createAddressSanitizerFunctionPass.
ModulePass *llvm::createAddressSanitizerModulePass(bool CompileKernel,
                                                   bool Recover) {
  assert(!CompileKernel || Recover);
  return new AddressSanitizerModule(CompileKernel, Recover);
}

/// Map an access size in bits to the index used by the per-size callback
/// arrays: 8 -> 0, 16 -> 1, 32 -> 2, 64 -> 3, 128 -> 4.
/// \p TypeSize must be one of those values; other inputs trip the assert
/// (countTrailingZeros(0) for sizes below 8 bits is out of range as well).
static size_t TypeSizeToSizeIndex(uint32_t TypeSize) {
  size_t Res = countTrailingZeros(TypeSize / 8);
  assert(Res < kNumberOfAccessSizes);
  return Res;
}

// \brief Create a constant for Str so that we can pass it to the run-time lib.
/// \param M             Module the new constant is inserted into (the module
///                      owns the resulting GlobalVariable).
/// \param Str           String contents; stored as a nul-terminated i8 array.
/// \param AllowMerging  When true the global is marked unnamed_addr so the
///                      linker may fold it with identical strings. Pass false
///                      when the address itself must stay unique (the module
///                      name passed to the runtime is one such case).
/// \return The new private, constant global.
static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str,
                                                    bool AllowMerging) {
  Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);
  // We use private linkage for module-local strings. If they can be merged
  // with another one, we set the unnamed_addr attribute.
  GlobalVariable *GV =
      new GlobalVariable(M, StrConst->getType(), true,
                         GlobalValue::PrivateLinkage, StrConst, kAsanGenPrefix);
  if (AllowMerging) GV->setUnnamedAddr(true);
  GV->setAlignment(1);  // Strings may not be merged w/o setting align 1.
  return GV;
}

/// \brief Create a global describing a source location.
///
/// The global is a private, constant, unnamed_addr struct
/// { i8* filename, i32 line, i32 column }; its address is what the runtime
/// receives as the "source_location" field of a global's descriptor.
/// The filename string is created with merging allowed.
static GlobalVariable *createPrivateGlobalForSourceLoc(Module &M,
                                                       LocationMetadata MD) {
  Constant *LocData[] = {
      createPrivateGlobalForString(M, MD.Filename, true),
      ConstantInt::get(Type::getInt32Ty(M.getContext()), MD.LineNo),
      ConstantInt::get(Type::getInt32Ty(M.getContext()), MD.ColumnNo),
  };
  auto LocStruct = ConstantStruct::getAnon(LocData);
  auto GV = new GlobalVariable(M, LocStruct->getType(), true,
                               GlobalValue::PrivateLinkage, LocStruct,
                               kAsanGenPrefix);
  GV->setUnnamedAddr(true);
  return GV;
}

/// \brief True if G was emitted by this pass or by sanitizer coverage, judged
/// by its name starting with kAsanGenPrefix or kSanCovGenPrefix
/// (find(...) == 0 is a starts-with test). Used to keep our own helper
/// globals from being instrumented.
static bool GlobalWasGeneratedByAsan(GlobalVariable *G) {
  return G->getName().find(kAsanGenPrefix) == 0 ||
         G->getName().find(kSanCovGenPrefix) == 0;
}

/// \brief Emit the address -> shadow-address computation.
///
/// \param Shadow  The application address as an integer of type IntptrTy
///                (despite the name, this is the input address).
/// \param IRB     Builder positioned where the arithmetic should be emitted.
/// \return (Shadow >> Mapping.Scale) combined with Mapping.Offset: added by
///         default, OR-ed when Mapping.OrShadowOffset is set, and returned
///         unmodified after the shift when the offset is zero.
Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) {
  // Shadow >> scale
  Shadow = IRB.CreateLShr(Shadow, Mapping.Scale);
  if (Mapping.Offset == 0) return Shadow;
  // (Shadow >> scale) | offset
  if (Mapping.OrShadowOffset)
    return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset));
  else
    return IRB.CreateAdd(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset));
}

// Instrument memset/memmove/memcpy
//
// Replaces the intrinsic with a call to the corresponding runtime wrapper
// (AsanMemmove / AsanMemcpy / AsanMemset, declared in initializeCallbacks),
// passing the pointer operands as i8* and the length as IntptrTy; memset's
// value operand is passed as i32. The original intrinsic is erased in every
// case.
// NOTE(review): an intrinsic that is neither a MemTransferInst nor a
// MemSetInst would be erased without a replacement call; presumably those two
// cover every MemIntrinsic subclass at this version -- confirm if new ones
// are added.
void AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) {
  IRBuilder<> IRB(MI);
  if (isa<MemTransferInst>(MI)) {
    IRB.CreateCall(
        isa<MemMoveInst>(MI) ? AsanMemmove : AsanMemcpy,
        {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()),
         IRB.CreatePointerCast(MI->getOperand(1), IRB.getInt8PtrTy()),
         IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)});
  } else if (isa<MemSetInst>(MI)) {
    IRB.CreateCall(
        AsanMemset,
        {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()),
         IRB.CreateIntCast(MI->getOperand(1), IRB.getInt32Ty(), false),
         IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)});
  }
  MI->eraseFromParent();
}

/// Check if we want (and can) handle this alloca.
///
/// The answer is memoized per alloca in ProcessedAllocas, which
/// markEscapedLocalAllocas may pre-populate with "false" for allocas handed to
/// llvm.localescape. An alloca is interesting when its type is sized, its size
/// is non-zero, it is not promotable to a register (unless
/// ClSkipPromotableAllocas is off), and it is not used with inalloca.
bool AddressSanitizer::isInterestingAlloca(AllocaInst &AI) {
  auto PreviouslySeenAllocaInfo = ProcessedAllocas.find(&AI);

  if (PreviouslySeenAllocaInfo != ProcessedAllocas.end())
    return PreviouslySeenAllocaInfo->getSecond();

  bool IsInteresting =
      (AI.getAllocatedType()->isSized() &&
       // alloca() may be called with 0 size, ignore it.
       getAllocaSizeInBytes(&AI) > 0 &&
       // We are only interested in allocas not promotable to registers.
       // Promotable allocas are common under -O0.
       (!ClSkipPromotableAllocas || !isAllocaPromotable(&AI)) &&
       // inalloca allocas are not treated as static, and we don't want
       // dynamic alloca instrumentation for them as well.
       !AI.isUsedWithInAlloca());

  ProcessedAllocas[&AI] = IsInteresting;
  return IsInteresting;
}

/// If I is an interesting memory access, return the PointerOperand
/// and set IsWrite/Alignment. Otherwise return nullptr.
///
/// Recognised accesses: load, store, atomicrmw and cmpxchg, each gated by its
/// own cl::opt (ClInstrumentReads / ClInstrumentWrites / ClInstrumentAtomics).
/// Instructions carrying "nosanitize" metadata are never interesting.
///
/// \param[out] IsWrite    false for loads, true for everything else.
/// \param[out] TypeSize   Store size of the accessed value, in bits.
/// \param[out] Alignment  The instruction's alignment for load/store; 0 for
///                        the two atomic forms.
/// The out-parameters are only written when the instruction is one of the four
/// kinds above; callers must not read them when nullptr is returned.
/// With ClSkipPromotableAllocas, a direct access to an alloca is reported
/// only if isInterestingAlloca says so.
Value *AddressSanitizer::isInterestingMemoryAccess(Instruction *I,
                                                   bool *IsWrite,
                                                   uint64_t *TypeSize,
                                                   unsigned *Alignment) {
  // Skip memory accesses inserted by another instrumentation.
  if (I->getMetadata("nosanitize")) return nullptr;

  Value *PtrOperand = nullptr;
  const DataLayout &DL = I->getModule()->getDataLayout();
  if (LoadInst *LI = dyn_cast<LoadInst>(I)) {
    if (!ClInstrumentReads) return nullptr;
    *IsWrite = false;
    *TypeSize = DL.getTypeStoreSizeInBits(LI->getType());
    *Alignment = LI->getAlignment();
    PtrOperand = LI->getPointerOperand();
  } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {
    if (!ClInstrumentWrites) return nullptr;
    *IsWrite = true;
    *TypeSize = DL.getTypeStoreSizeInBits(SI->getValueOperand()->getType());
    *Alignment = SI->getAlignment();
    PtrOperand = SI->getPointerOperand();
  } else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) {
    if (!ClInstrumentAtomics) return nullptr;
    *IsWrite = true;
    *TypeSize = DL.getTypeStoreSizeInBits(RMW->getValOperand()->getType());
    *Alignment = 0;
    PtrOperand = RMW->getPointerOperand();
  } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {
    if (!ClInstrumentAtomics) return nullptr;
    *IsWrite = true;
    *TypeSize = DL.getTypeStoreSizeInBits(XCHG->getCompareOperand()->getType());
    *Alignment = 0;
    PtrOperand = XCHG->getPointerOperand();
  }

  // Treat memory accesses to promotable allocas as non-interesting since they
  // will not cause memory violations. This greatly speeds up the instrumented
  // executable at -O0.
  if (ClSkipPromotableAllocas)
    if (auto AI = dyn_cast_or_null<AllocaInst>(PtrOperand))
      return isInterestingAlloca(*AI) ? AI : nullptr;

  return PtrOperand;
}

/// \brief True if V is pointer-typed or is a ptrtoint, i.e. it plausibly
/// carries a pointer value into an integer compare/subtract.
static bool isPointerOperand(Value *V) {
  return V->getType()->isPointerTy() || isa<PtrToIntInst>(V);
}

// This is a rough heuristic; it may cause both false positives and
// false negatives. The proper implementation requires cooperation with
// the frontend.
/// \brief Relational icmp (<, <=, >, >= -- equality compares are excluded by
/// isRelational) or integer subtraction whose two operands both look like
/// pointers (see isPointerOperand). These are the candidates for the
/// __asan_ptr_cmp / __asan_ptr_sub checks enabled by ClInvalidPointerPairs.
static bool isInterestingPointerComparisonOrSubtraction(Instruction *I) {
  if (ICmpInst *Cmp = dyn_cast<ICmpInst>(I)) {
    if (!Cmp->isRelational()) return false;
  } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(I)) {
    if (BO->getOpcode() != Instruction::Sub) return false;
  } else {
    return false;
  }
  return isPointerOperand(I->getOperand(0)) &&
         isPointerOperand(I->getOperand(1));
}

/// \brief True if G is fully initialized by the linker, i.e. it has an
/// initializer in this module and the globals metadata does not flag it as
/// dynamically initialized. Such globals need no init-order check.
bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) {
  // If a global variable does not have dynamic initialization we don't
  // have to instrument it. However, if a global does not have initializer
  // at all, we assume it has dynamic initializer (in other TU).
  return G->hasInitializer() && !GlobalsMD.get(G).IsDynInit;
}

/// \brief Insert a runtime check before a pointer compare/subtract.
///
/// Calls AsanPtrCmpFunction for icmp and AsanPtrSubFunction otherwise, with
/// both operands converted to IntptrTy (pointer-typed operands are cast;
/// operands that are already integers, e.g. ptrtoint results, are passed
/// as-is). The original instruction is left in place.
void AddressSanitizer::instrumentPointerComparisonOrSubtraction(
    Instruction *I) {
  IRBuilder<> IRB(I);
  Function *F = isa<ICmpInst>(I) ? AsanPtrCmpFunction : AsanPtrSubFunction;
  Value *Param[2] = {I->getOperand(0), I->getOperand(1)};
  for (int i = 0; i < 2; i++) {
    if (Param[i]->getType()->isPointerTy())
      Param[i] = IRB.CreatePointerCast(Param[i], IntptrTy);
  }
  IRB.CreateCall(F, Param);
}

/// \brief Instrument one memory operation.
///
/// \param ObjSizeVis  Object-size analysis used by isSafeAccess to prove that
///                    an access to a global or stack object is in bounds.
/// \param I           The load/store/atomic; must satisfy
///                    isInterestingMemoryAccess (asserted).
/// \param UseCalls    Emit a call to the __asan_load*/__asan_store* callbacks
///                    instead of an inline shadow check.
/// \param DL          DataLayout for GetUnderlyingObject.
///
/// Provably-safe accesses to linker-initialized globals (ClOptGlobals) and to
/// stack objects (ClOptStack) are skipped and counted in the corresponding
/// statistics. Accesses of 1/2/4/8/16 bytes that are aligned to the shadow
/// granularity, to their own size, or carry no alignment info get a single
/// check via instrumentAddress; everything else goes through
/// instrumentUnusualSizeOrAlignment.
void AddressSanitizer::instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis,
                                     Instruction *I, bool UseCalls,
                                     const DataLayout &DL) {
  bool IsWrite = false;
  unsigned Alignment = 0;
  uint64_t TypeSize = 0;
  Value *Addr = isInterestingMemoryAccess(I, &IsWrite, &TypeSize, &Alignment);
  assert(Addr);

  // Optimization experiments.
  // The experiments can be used to evaluate potential optimizations that remove
  // instrumentation (assess false negatives). Instead of completely removing
  // some instrumentation, you set Exp to a non-zero value (mask of optimization
  // experiments that want to remove instrumentation of this instruction).
  // If Exp is non-zero, this pass will emit special calls into runtime
  // (e.g. __asan_report_exp_load1 instead of __asan_report_load1). These calls
  // make runtime terminate the program in a special way (with a different
  // exit status). Then you run the new compiler on a buggy corpus, collect
  // the special terminations (ideally, you don't see them at all -- no false
  // negatives) and make the decision on the optimization.
  uint32_t Exp = ClForceExperiment;

  if (ClOpt && ClOptGlobals) {
    // If initialization order checking is disabled, a simple access to a
    // dynamically initialized global is always valid.
    GlobalVariable *G = dyn_cast<GlobalVariable>(GetUnderlyingObject(Addr, DL));
    if (G && (!ClInitializers || GlobalIsLinkerInitialized(G)) &&
        isSafeAccess(ObjSizeVis, Addr, TypeSize)) {
      NumOptimizedAccessesToGlobalVar++;
      return;
    }
  }

  if (ClOpt && ClOptStack) {
    // A direct inbounds access to a stack variable is always valid.
    if (isa<AllocaInst>(GetUnderlyingObject(Addr, DL)) &&
        isSafeAccess(ObjSizeVis, Addr, TypeSize)) {
      NumOptimizedAccessesToStackVar++;
      return;
    }
  }

  if (IsWrite)
    NumInstrumentedWrites++;
  else
    NumInstrumentedReads++;

  unsigned Granularity = 1 << Mapping.Scale;
  // Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check
  // if the data is properly aligned.
  if ((TypeSize == 8 || TypeSize == 16 || TypeSize == 32 || TypeSize == 64 ||
       TypeSize == 128) &&
      (Alignment >= Granularity || Alignment == 0 || Alignment >= TypeSize / 8))
    return instrumentAddress(I, I, Addr, TypeSize, IsWrite, nullptr, UseCalls,
                             Exp);
  instrumentUnusualSizeOrAlignment(I, Addr, TypeSize, IsWrite, nullptr,
                                   UseCalls, Exp);
}

/// \brief Emit the __asan_report_* call for a failed check.
///
/// \param InsertBefore     Terminator of the crash block to insert before.
/// \param Addr             Faulting address, already IntptrTy.
/// \param IsWrite          Selects the store vs. load report callback.
/// \param AccessSizeIndex  Index from TypeSizeToSizeIndex; ignored when
///                         SizeArgument is given.
/// \param SizeArgument     Non-null for the "_n" (sized) reports: the actual
///                         access size passed to the runtime.
/// \param Exp              Experiment mask; non-zero selects the "exp_"
///                         callbacks and passes Exp as an extra i32 argument.
/// \return The report call. It is followed by a call to the empty inline asm
///         so that identical report calls in different blocks are not merged.
Instruction *AddressSanitizer::generateCrashCode(Instruction *InsertBefore,
                                                 Value *Addr, bool IsWrite,
                                                 size_t AccessSizeIndex,
                                                 Value *SizeArgument,
                                                 uint32_t Exp) {
  IRBuilder<> IRB(InsertBefore);
  Value *ExpVal = Exp == 0 ? nullptr : ConstantInt::get(IRB.getInt32Ty(), Exp);
  CallInst *Call = nullptr;
  if (SizeArgument) {
    if (Exp == 0)
      Call = IRB.CreateCall(AsanErrorCallbackSized[IsWrite][0],
                            {Addr, SizeArgument});
    else
      Call = IRB.CreateCall(AsanErrorCallbackSized[IsWrite][1],
                            {Addr, SizeArgument, ExpVal});
  } else {
    if (Exp == 0)
      Call =
          IRB.CreateCall(AsanErrorCallback[IsWrite][0][AccessSizeIndex], Addr);
    else
      Call = IRB.CreateCall(AsanErrorCallback[IsWrite][1][AccessSizeIndex],
                            {Addr, ExpVal});
  }

  // We don't do Call->setDoesNotReturn() because the BB already has
  // UnreachableInst at the end.
  // This EmptyAsm is required to avoid callback merge.
  IRB.CreateCall(EmptyAsm, {});
  return Call;
}

/// \brief Emit the "slow path" test for an access smaller than a shadow granule.
///
/// Given a non-zero shadow byte k (meaning only the first k bytes of the
/// granule are addressable), the access is bad iff the offset of its last
/// byte within the granule, (Addr & (Granularity-1)) + size - 1, is >= k.
/// The comparison is signed so that negative (poisoned) shadow values also
/// report.
///
/// \param AddrLong     Access address as IntptrTy.
/// \param ShadowValue  The loaded shadow byte; its type is used for the cast.
/// \param TypeSize     Access size in bits.
/// \return An i1 that is true when the access must be reported.
Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong,
                                           Value *ShadowValue,
                                           uint32_t TypeSize) {
  size_t Granularity = 1 << Mapping.Scale;
  // Addr & (Granularity - 1)
  Value *LastAccessedByte =
      IRB.CreateAnd(AddrLong, ConstantInt::get(IntptrTy, Granularity - 1));
  // (Addr & (Granularity - 1)) + size - 1
  if (TypeSize / 8 > 1)
    LastAccessedByte = IRB.CreateAdd(
        LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1));
  // (uint8_t) ((Addr & (Granularity-1)) + size - 1)
  LastAccessedByte =
      IRB.CreateIntCast(LastAccessedByte, ShadowValue->getType(), false);
  // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue
  return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue);
}

/// \brief Emit the check for one address of a known, power-of-two size.
///
/// \param OrigIns       Instruction whose debug location the report inherits.
/// \param InsertBefore  Where the check is inserted.
/// \param Addr          Pointer being accessed (any pointer type).
/// \param TypeSize      Access size in bits (8..128).
/// \param IsWrite       Load vs. store.
/// \param SizeArgument  Forwarded to generateCrashCode for "_n" reports;
///                      nullptr for the fixed-size reports.
/// \param UseCalls      Emit a __asan_load*/__asan_store* call and return,
///                      instead of the inline shadow check below.
/// \param Exp           Experiment mask (see instrumentMop).
///
/// Inline form: load the shadow word covering the access (width
/// max(8, TypeSize >> Scale) bits), branch on "shadow != 0". If the access is
/// narrower than a granule (or ClAlwaysSlowPath), that branch leads to the
/// createSlowPathCmp test first; only a failing slow-path test reaches the
/// report. With Recover the report block falls through to the original code
/// instead of ending in unreachable. Branch weights mark the check as rarely
/// taken.
void AddressSanitizer::instrumentAddress(Instruction *OrigIns,
                                         Instruction *InsertBefore, Value *Addr,
                                         uint32_t TypeSize, bool IsWrite,
                                         Value *SizeArgument, bool UseCalls,
                                         uint32_t Exp) {
  IRBuilder<> IRB(InsertBefore);
  Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);
  size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize);

  if (UseCalls) {
    if (Exp == 0)
      IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][0][AccessSizeIndex],
                     AddrLong);
    else
      IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][1][AccessSizeIndex],
                     {AddrLong, ConstantInt::get(IRB.getInt32Ty(), Exp)});
    return;
  }

  Type *ShadowTy =
      IntegerType::get(*C, std::max(8U, TypeSize >> Mapping.Scale));
  Type *ShadowPtrTy = PointerType::get(ShadowTy, 0);
  Value *ShadowPtr = memToShadow(AddrLong, IRB);
  Value *CmpVal = Constant::getNullValue(ShadowTy);
  Value *ShadowValue =
      IRB.CreateLoad(IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy));

  Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal);
  size_t Granularity = 1 << Mapping.Scale;
  TerminatorInst *CrashTerm = nullptr;

  if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) {
    // We use branch weights for the slow path check, to indicate that the slow
    // path is rarely taken. This seems to be the case for SPEC benchmarks.
    TerminatorInst *CheckTerm = SplitBlockAndInsertIfThen(
        Cmp, InsertBefore, false, MDBuilder(*C).createBranchWeights(1, 100000));
    assert(cast<BranchInst>(CheckTerm)->isUnconditional());
    BasicBlock *NextBB = CheckTerm->getSuccessor(0);
    IRB.SetInsertPoint(CheckTerm);
    Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize);
    if (Recover) {
      // Recoverable: the report block branches back into NextBB.
      CrashTerm = SplitBlockAndInsertIfThen(Cmp2, CheckTerm, false);
    } else {
      // Non-recoverable: replace the unconditional branch with a conditional
      // one into a fresh block that ends in unreachable.
      BasicBlock *CrashBlock =
          BasicBlock::Create(*C, "", NextBB->getParent(), NextBB);
      CrashTerm = new UnreachableInst(*C, CrashBlock);
      BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2);
      ReplaceInstWithInst(CheckTerm, NewTerm);
    }
  } else {
    // Whole-granule access: "shadow != 0" alone decides. The new block is
    // terminated by unreachable unless we are recovering.
    CrashTerm = SplitBlockAndInsertIfThen(Cmp, InsertBefore, !Recover);
  }

  Instruction *Crash = generateCrashCode(CrashTerm, AddrLong, IsWrite,
                                         AccessSizeIndex, SizeArgument, Exp);
  Crash->setDebugLoc(OrigIns->getDebugLoc());
}

// Instrument unusual size or unusual alignment.
// We can not do it with a single check, so we do 1-byte check for the first
// and the last bytes. We call __asan_report_*_n(addr, real_size) to be able
// to report the actual access size.
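/// \param I             The access; checks are inserted before it.
/// \param Addr          Pointer being accessed.
/// \param TypeSize      Access size in bits (any value).
/// \param IsWrite       Load vs. store.
/// \param SizeArgument  Kept for signature compatibility; the size handed to
///                      the runtime is always recomputed from TypeSize.
/// \param UseCalls      Emit a single sized callback (__asan_loadN-style)
///                      instead of two inline 1-byte checks.
/// \param Exp           Experiment mask (see instrumentMop).
void AddressSanitizer::instrumentUnusualSizeOrAlignment(
    Instruction *I, Value *Addr, uint32_t TypeSize, bool IsWrite,
    Value *SizeArgument, bool UseCalls, uint32_t Exp) {
  IRBuilder<> IRB(I);
  Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8);
  Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);
  if (UseCalls) {
    if (Exp == 0)
      IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][0],
                     {AddrLong, Size});
    else
      IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][1],
                     {AddrLong, Size, ConstantInt::get(IRB.getInt32Ty(), Exp)});
  } else {
    // Check the first and the last byte; both reports carry the real size.
    Value *LastByte = IRB.CreateIntToPtr(
        IRB.CreateAdd(AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)),
        Addr->getType());
    instrumentAddress(I, I, Addr, 8, IsWrite, Size, false, Exp);
    instrumentAddress(I, I, LastByte, 8, IsWrite, Size, false, Exp);
  }
}

/// \brief Bracket one dynamic-initializer function with
/// __asan_before_dynamic_init / __asan_after_dynamic_init style calls
/// (AsanPoisonGlobals at entry, AsanUnpoisonGlobals before every return).
///
/// \param GlobalInit  The constructor function taken from llvm.global_ctors.
/// \param ModuleName  Global holding this module's identifier; its address is
///                    passed to the poison call as IntptrTy.
void AddressSanitizerModule::poisonOneInitializer(Function &GlobalInit,
                                                  GlobalValue *ModuleName) {
  // Set up the arguments to our poison/unpoison functions.
  IRBuilder<> IRB(&GlobalInit.front(),
                  GlobalInit.front().getFirstInsertionPt());

  // Add a call to poison all external globals before the given function starts.
  Value *ModuleNameAddr = ConstantExpr::getPointerCast(ModuleName, IntptrTy);
  IRB.CreateCall(AsanPoisonGlobals, ModuleNameAddr);

  // Add calls to unpoison all globals before each return instruction.
  for (auto &BB : GlobalInit.getBasicBlockList())
    if (ReturnInst *RI = dyn_cast<ReturnInst>(BB.getTerminator()))
      CallInst::Create(AsanUnpoisonGlobals, "", RI);
}

/// \brief Apply poisonOneInitializer to every constructor in llvm.global_ctors
/// that runs after asan.module_ctor.
///
/// Entries naming asan.module_ctor itself, entries whose priority is at or
/// below kAsanCtorAndDtorPriority, null/zero entries, and entries whose
/// function slot is not a Function are skipped. A module without a ctor list,
/// or with one that is not a ConstantArray (e.g. zeroinitializer), is left
/// untouched rather than dereferenced.
void AddressSanitizerModule::createInitializerPoisonCalls(
    Module &M, GlobalValue *ModuleName) {
  GlobalVariable *GV = M.getGlobalVariable("llvm.global_ctors");
  if (!GV) return;

  ConstantArray *CA = dyn_cast<ConstantArray>(GV->getInitializer());
  if (!CA) return;

  for (Use &OP : CA->operands()) {
    if (isa<ConstantAggregateZero>(OP)) continue;
    ConstantStruct *CS = cast<ConstantStruct>(OP);

    // Must have a function or null ptr.
    if (Function *F = dyn_cast<Function>(CS->getOperand(1))) {
      if (F->getName() == kAsanModuleCtorName) continue;
      // The priority slot of a global_ctors entry is an integer constant by
      // construction; anything else is malformed IR, so assert via cast<>
      // instead of dereferencing a possibly-null dyn_cast<> result.
      ConstantInt *Priority = cast<ConstantInt>(CS->getOperand(0));
      // Don't instrument CTORs that will run before asan.module_ctor.
      if (Priority->getLimitedValue() <= kAsanCtorAndDtorPriority) continue;
      poisonOneInitializer(*F, ModuleName);
    }
  }
}

/// \brief Decide whether G gets a redzone and a runtime descriptor.
///
/// Rejects: blacklisted globals, unsized or initializer-less globals, globals
/// this pass (or sancov) generated, any linkage other than external/private/
/// internal, COMDAT members, thread-locals, globals aligned beyond
/// MinRedzoneSizeForGlobal(), and a list of special sections (llvm.metadata,
/// "__llvm*", .preinit/.init/.fini arrays, ".CRT*", and on Mach-O the ObjC,
/// CFString and cstring-literal sections).
/// \return true if the global should be instrumented by InstrumentGlobals.
bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) {
  Type *Ty = cast<PointerType>(G->getType())->getElementType();
  DEBUG(dbgs() << "GLOBAL: " << *G << "\n");

  if (GlobalsMD.get(G).IsBlacklisted) return false;
  if (!Ty->isSized()) return false;
  if (!G->hasInitializer()) return false;
  if (GlobalWasGeneratedByAsan(G)) return false;  // Our own global.
  // Touch only those globals that will not be defined in other modules.
  // Don't handle ODR linkage types and COMDATs since other modules may be built
  // without ASan.
  if (G->getLinkage() != GlobalVariable::ExternalLinkage &&
      G->getLinkage() != GlobalVariable::PrivateLinkage &&
      G->getLinkage() != GlobalVariable::InternalLinkage)
    return false;
  if (G->hasComdat()) return false;
  // Two problems with thread-locals:
  //   - The address of the main thread's copy can't be computed at link-time.
  //   - Need to poison all copies, not just the main thread's one.
  if (G->isThreadLocal()) return false;
  // For now, just ignore this Global if the alignment is large.
  if (G->getAlignment() > MinRedzoneSizeForGlobal()) return false;

  if (G->hasSection()) {
    StringRef Section(G->getSection());

    // Globals from llvm.metadata aren't emitted, do not instrument them.
    if (Section == "llvm.metadata") return false;
    // Do not instrument globals from special LLVM sections.
    if (Section.find("__llvm") != StringRef::npos) return false;

    // Do not instrument function pointers to initialization and termination
    // routines: dynamic linker will not properly handle redzones.
    if (Section.startswith(".preinit_array") ||
        Section.startswith(".init_array") ||
        Section.startswith(".fini_array")) {
      return false;
    }

    // Callbacks put into the CRT initializer/terminator sections
    // should not be instrumented.
    // See https://code.google.com/p/address-sanitizer/issues/detail?id=305
    // and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx
    if (Section.startswith(".CRT")) {
      DEBUG(dbgs() << "Ignoring a global initializer callback: " << *G << "\n");
      return false;
    }

    if (TargetTriple.isOSBinFormatMachO()) {
      StringRef ParsedSegment, ParsedSection;
      unsigned TAA = 0, StubSize = 0;
      bool TAAParsed = false;
      std::string ErrorCode = MCSectionMachO::ParseSectionSpecifier(
          Section, ParsedSegment, ParsedSection, TAA, TAAParsed, StubSize);
      if (!ErrorCode.empty()) {
        // Release builds fall through to "do not instrument" here.
        assert(false && "Invalid section specifier.");
        return false;
      }

      // Ignore the globals from the __OBJC section. The ObjC runtime assumes
      // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to
      // them.
      if (ParsedSegment == "__OBJC" ||
          (ParsedSegment == "__DATA" && ParsedSection.startswith("__objc_"))) {
        DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G << "\n");
        return false;
      }
      // See http://code.google.com/p/address-sanitizer/issues/detail?id=32
      // Constant CFString instances are compiled in the following way:
      //  -- the string buffer is emitted into
      //     __TEXT,__cstring,cstring_literals
      //  -- the constant NSConstantString structure referencing that buffer
      //     is placed into __DATA,__cfstring
      // Therefore there's no point in placing redzones into __DATA,__cfstring.
      // Moreover, it causes the linker to crash on OS X 10.7
      if (ParsedSegment == "__DATA" && ParsedSection == "__cfstring") {
        DEBUG(dbgs() << "Ignoring CFString: " << *G << "\n");
        return false;
      }
      // The linker merges the contents of cstring_literals and removes the
      // trailing zeroes.
      if (ParsedSegment == "__TEXT" && (TAA & MachO::S_CSTRING_LITERALS)) {
        DEBUG(dbgs() << "Ignoring a cstring literal: " << *G << "\n");
        return false;
      }
    }
  }

  return true;
}

/// \brief Declare the four runtime entry points the module pass calls:
/// poison/unpoison of globals around dynamic initializers and
/// register/unregister of the global descriptor array. All are forced to
/// external linkage.
void AddressSanitizerModule::initializeCallbacks(Module &M) {
  IRBuilder<> IRB(*C);
  // Declare our poisoning and unpoisoning functions.
  AsanPoisonGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
      kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, nullptr));
  AsanPoisonGlobals->setLinkage(Function::ExternalLinkage);
  AsanUnpoisonGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
      kAsanUnpoisonGlobalsName, IRB.getVoidTy(), nullptr));
  AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage);
  // Declare functions that register/unregister globals.
  AsanRegisterGlobals = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
      kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
  AsanRegisterGlobals->setLinkage(Function::ExternalLinkage);
  AsanUnregisterGlobals = checkSanitizerInterfaceFunction(
      M.getOrInsertFunction(kAsanUnregisterGlobalsName, IRB.getVoidTy(),
                            IntptrTy, IntptrTy, nullptr));
  AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage);
}

// This function replaces all global variables with new variables that have
// trailing redzones. It also creates a function that poisons
// redzones and inserts this function into llvm.global_ctors.
//
// \param IRB  Builder positioned at the end of asan.module_ctor; the
//             __asan_register_globals call is emitted there.
// \param M    The module being instrumented.
// \return true if at least one global was rewritten.
//
// For each selected global a new struct { original, [RZ x i8] } global is
// created with the original's attributes, all uses are redirected to the first
// element via a constant GEP, and the original is erased. The descriptor array
// handed to the runtime is laid out as documented inline below. A matching
// asan.module_dtor calling __asan_unregister_globals is appended to
// llvm.global_dtors.
bool AddressSanitizerModule::InstrumentGlobals(IRBuilder<> &IRB, Module &M) {
  GlobalsMD.init(M);

  SmallVector<GlobalVariable *, 16> GlobalsToChange;

  for (auto &G : M.globals()) {
    if (ShouldInstrumentGlobal(&G)) GlobalsToChange.push_back(&G);
  }

  size_t n = GlobalsToChange.size();
  if (n == 0) return false;

  // A global is described by a structure
  //   size_t beg;
  //   size_t size;
  //   size_t size_with_redzone;
  //   const char *name;
  //   const char *module_name;
  //   size_t has_dynamic_init;
  //   void *source_location;
  // We initialize an array of such structures and pass it to a run-time call.
  StructType *GlobalStructTy =
      StructType::get(IntptrTy, IntptrTy, IntptrTy, IntptrTy, IntptrTy,
                      IntptrTy, IntptrTy, nullptr);
  SmallVector<Constant *, 16> Initializers(n);

  bool HasDynamicallyInitializedGlobals = false;

  // We shouldn't merge same module names, as this string serves as unique
  // module ID in runtime.
  GlobalVariable *ModuleName = createPrivateGlobalForString(
      M, M.getModuleIdentifier(), /*AllowMerging*/ false);

  // Upper bound on the right redzone of a single global (see RZ below).
  static const uint64_t kMaxGlobalRedzone = 1 << 18;

  auto &DL = M.getDataLayout();
  for (size_t i = 0; i < n; i++) {
    GlobalVariable *G = GlobalsToChange[i];

    auto MD = GlobalsMD.get(G);
    // Create string holding the global name (use global name from metadata
    // if it's available, otherwise just write the name of global variable).
    GlobalVariable *Name = createPrivateGlobalForString(
        M, MD.Name.empty() ? G->getName() : MD.Name,
        /*AllowMerging*/ true);

    PointerType *PtrTy = cast<PointerType>(G->getType());
    Type *Ty = PtrTy->getElementType();
    uint64_t SizeInBytes = DL.getTypeAllocSize(Ty);
    uint64_t MinRZ = MinRedzoneSizeForGlobal();
    // MinRZ <= RZ <= kMaxGlobalRedzone
    // and trying to make RZ to be ~ 1/4 of SizeInBytes.
    uint64_t RZ = std::max(
        MinRZ, std::min(kMaxGlobalRedzone, (SizeInBytes / MinRZ / 4) * MinRZ));
    uint64_t RightRedzoneSize = RZ;
    // Round up to MinRZ
    if (SizeInBytes % MinRZ) RightRedzoneSize += MinRZ - (SizeInBytes % MinRZ);
    assert(((RightRedzoneSize + SizeInBytes) % MinRZ) == 0);
    Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize);

    StructType *NewTy = StructType::get(Ty, RightRedZoneTy, nullptr);
    Constant *NewInitializer =
        ConstantStruct::get(NewTy, G->getInitializer(),
                            Constant::getNullValue(RightRedZoneTy), nullptr);

    // Create a new global variable with enough space for a redzone.
    GlobalValue::LinkageTypes Linkage = G->getLinkage();
    if (G->isConstant() && Linkage == GlobalValue::PrivateLinkage)
      Linkage = GlobalValue::InternalLinkage;
    GlobalVariable *NewGlobal =
        new GlobalVariable(M, NewTy, G->isConstant(), Linkage, NewInitializer,
                           "", G, G->getThreadLocalMode());
    NewGlobal->copyAttributesFrom(G);
    NewGlobal->setAlignment(MinRZ);

    // &NewGlobal->field0, i.e. the original payload.
    Value *Indices2[2] = {IRB.getInt32(0), IRB.getInt32(0)};

    G->replaceAllUsesWith(
        ConstantExpr::getGetElementPtr(NewTy, NewGlobal, Indices2, true));
    NewGlobal->takeName(G);
    G->eraseFromParent();

    Constant *SourceLoc;
    if (!MD.SourceLoc.empty()) {
      auto SourceLocGlobal = createPrivateGlobalForSourceLoc(M, MD.SourceLoc);
      SourceLoc = ConstantExpr::getPointerCast(SourceLocGlobal, IntptrTy);
    } else {
      SourceLoc = ConstantInt::get(IntptrTy, 0);
    }

    Initializers[i] = ConstantStruct::get(
        GlobalStructTy, ConstantExpr::getPointerCast(NewGlobal, IntptrTy),
        ConstantInt::get(IntptrTy, SizeInBytes),
        ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize),
        ConstantExpr::getPointerCast(Name, IntptrTy),
        ConstantExpr::getPointerCast(ModuleName, IntptrTy),
        ConstantInt::get(IntptrTy, MD.IsDynInit), SourceLoc, nullptr);

    if (ClInitializers && MD.IsDynInit) HasDynamicallyInitializedGlobals = true;

    DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n");
  }

  ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n);
  GlobalVariable *AllGlobals = new GlobalVariable(
      M, ArrayOfGlobalStructTy, false, GlobalVariable::InternalLinkage,
      ConstantArray::get(ArrayOfGlobalStructTy, Initializers), "");

  // Create calls for poisoning before initializers run and unpoisoning after.
  if (HasDynamicallyInitializedGlobals)
    createInitializerPoisonCalls(M, ModuleName);
  IRB.CreateCall(AsanRegisterGlobals,
                 {IRB.CreatePointerCast(AllGlobals, IntptrTy),
                  ConstantInt::get(IntptrTy, n)});

  // We also need to unregister globals at the end, e.g. when a shared library
  // gets closed.
  Function *AsanDtorFunction =
      Function::Create(FunctionType::get(Type::getVoidTy(*C), false),
                       GlobalValue::InternalLinkage, kAsanModuleDtorName, &M);
  BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction);
  IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB));
  // Build the dtor's operands with the dtor's own builder; AllGlobals is a
  // constant so the cast folds either way, but this keeps the intent obvious.
  IRB_Dtor.CreateCall(AsanUnregisterGlobals,
                      {IRB_Dtor.CreatePointerCast(AllGlobals, IntptrTy),
                       ConstantInt::get(IntptrTy, n)});
  appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndDtorPriority);

  DEBUG(dbgs() << M);
  return true;
}

/// \brief Module-pass entry point: set up per-module state (context, pointer
/// width, shadow mapping, callbacks) and, unless compiling the kernel or
/// ClGlobals is off, instrument globals from inside asan.module_ctor, which
/// the function pass's doInitialization must already have created (asserted).
/// \return true if the module was changed.
bool AddressSanitizerModule::runOnModule(Module &M) {
  C = &(M.getContext());
  int LongSize = M.getDataLayout().getPointerSizeInBits();
  IntptrTy = Type::getIntNTy(*C, LongSize);
  TargetTriple = Triple(M.getTargetTriple());
  Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel);
  initializeCallbacks(M);

  bool Changed = false;

  // TODO(glider): temporarily disabled globals instrumentation for KASan.
  if (ClGlobals && !CompileKernel) {
    Function *CtorFunc = M.getFunction(kAsanModuleCtorName);
    assert(CtorFunc);
    IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator());
    Changed |= InstrumentGlobals(IRB, M);
  }

  return Changed;
}

/// \brief Declare every runtime callback the function pass may call and cache
/// it in the corresponding table.
///
/// Report callbacks: kAsanReportErrorTemplate + ["exp_"] + load|store +
/// (size | sized suffix) + ["_noabort"]; the sized suffix is "N" for the
/// kernel and "_n" for user space. Access callbacks use
/// ClMemoryAccessCallbackPrefix in the same pattern (sized suffix always "N").
/// Experiment variants take an extra i32. The mem* wrappers drop the prefix
/// for the kernel. Tables are indexed [IsWrite][Exp][AccessSizeIndex].
void AddressSanitizer::initializeCallbacks(Module &M) {
  IRBuilder<> IRB(*C);
  // Create __asan_report* callbacks.
  // IsWrite, TypeSize and Exp are encoded in the function name.
  // Pieces that do not depend on the loop variables are built once.
  const std::string SuffixStr = CompileKernel ? "N" : "_n";
  const std::string EndingStr = Recover ? "_noabort" : "";
  for (int Exp = 0; Exp < 2; Exp++) {
    for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) {
      const std::string TypeStr = AccessIsWrite ? "store" : "load";
      const std::string ExpStr = Exp ? "exp_" : "";
      Type *ExpType = Exp ? Type::getInt32Ty(*C) : nullptr;
      AsanErrorCallbackSized[AccessIsWrite][Exp] =
          checkSanitizerInterfaceFunction(M.getOrInsertFunction(
              kAsanReportErrorTemplate + ExpStr + TypeStr + SuffixStr + EndingStr,
              IRB.getVoidTy(), IntptrTy, IntptrTy, ExpType, nullptr));
      AsanMemoryAccessCallbackSized[AccessIsWrite][Exp] =
          checkSanitizerInterfaceFunction(M.getOrInsertFunction(
              ClMemoryAccessCallbackPrefix + ExpStr + TypeStr + "N" + EndingStr,
              IRB.getVoidTy(), IntptrTy, IntptrTy, ExpType, nullptr));
      for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
           AccessSizeIndex++) {
        const std::string Suffix = TypeStr + itostr(1 << AccessSizeIndex);
        AsanErrorCallback[AccessIsWrite][Exp][AccessSizeIndex] =
            checkSanitizerInterfaceFunction(M.getOrInsertFunction(
                kAsanReportErrorTemplate + ExpStr + Suffix + EndingStr,
                IRB.getVoidTy(), IntptrTy, ExpType, nullptr));
        AsanMemoryAccessCallback[AccessIsWrite][Exp][AccessSizeIndex] =
            checkSanitizerInterfaceFunction(M.getOrInsertFunction(
                ClMemoryAccessCallbackPrefix + ExpStr + Suffix + EndingStr,
                IRB.getVoidTy(), IntptrTy, ExpType, nullptr));
      }
    }
  }

  const std::string MemIntrinCallbackPrefix =
      CompileKernel ? std::string("") : ClMemoryAccessCallbackPrefix;
  AsanMemmove = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
      MemIntrinCallbackPrefix + "memmove", IRB.getInt8PtrTy(),
      IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IntptrTy, nullptr));
  AsanMemcpy = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
      MemIntrinCallbackPrefix + "memcpy", IRB.getInt8PtrTy(),
      IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IntptrTy, nullptr));
  AsanMemset = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
      MemIntrinCallbackPrefix + "memset", IRB.getInt8PtrTy(),
      IRB.getInt8PtrTy(), IRB.getInt32Ty(), IntptrTy, nullptr));

  AsanHandleNoReturnFunc = checkSanitizerInterfaceFunction(
      M.getOrInsertFunction(kAsanHandleNoReturnName, IRB.getVoidTy(), nullptr));

  AsanPtrCmpFunction = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
      kAsanPtrCmp, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
  AsanPtrSubFunction = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
      kAsanPtrSub, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
  // We insert an empty inline asm after __asan_report* to avoid callback merge.
  EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
                            StringRef(""), StringRef(""),
                            /*hasSideEffects=*/true);
}

// virtual
/// \brief One-time per-module setup for the function pass: globals metadata,
/// context, pointer width, target triple and shadow mapping. In user-space
/// mode also creates asan.module_ctor (which calls __asan_init and the version
/// check) and registers it in llvm.global_ctors at kAsanCtorAndDtorPriority.
/// \return true (the module is always considered modified).
bool AddressSanitizer::doInitialization(Module &M) {
  // Initialize the private fields. No one has accessed them before.

  GlobalsMD.init(M);

  C = &(M.getContext());
  LongSize = M.getDataLayout().getPointerSizeInBits();
  IntptrTy = Type::getIntNTy(*C, LongSize);
  TargetTriple = Triple(M.getTargetTriple());

  if (!CompileKernel) {
    std::tie(AsanCtorFunction, AsanInitFunction) =
        createSanitizerCtorAndInitFunctions(
            M, kAsanModuleCtorName, kAsanInitName,
            /*InitArgTypes=*/{}, /*InitArgs=*/{}, kAsanVersionCheckName);
    appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndDtorPriority);
  }
  Mapping = getShadowMapping(TargetTriple, LongSize, CompileKernel);
  return true;
}

/// \brief Insert a call to __asan_init at the start of ObjC "+load" methods
/// (recognised by " load]" in the function name).
/// \return true if a call was inserted, i.e. F was modified.
bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) {
  // For each NSObject descendant having a +load method, this method is invoked
  // by the ObjC runtime before any of the static constructors is called.
  // Therefore we need to instrument such methods with a call to __asan_init
  // at the beginning in order to initialize our runtime before any access to
  // the shadow memory.
  // We cannot just ignore these methods, because they may call other
  // instrumented functions.
  if (F.getName().find(" load]") != std::string::npos) {
    IRBuilder<> IRB(&F.front(), F.front().begin());
    IRB.CreateCall(AsanInitFunction, {});
    return true;
  }
  return false;
}

/// \brief Pre-mark every alloca passed to llvm.localescape as uninteresting in
/// ProcessedAllocas. Must run before any isInterestingAlloca query (asserted
/// via ProcessedAllocas being empty). Only the entry block is scanned, and the
/// scan stops at the first localescape call.
void AddressSanitizer::markEscapedLocalAllocas(Function &F) {
  // Find the one possible call to llvm.localescape and pre-mark allocas passed
  // to it as uninteresting. This assumes we haven't started processing allocas
  // yet. This check is done up front because iterating the use list in
  // isInterestingAlloca would be algorithmically slower.
  assert(ProcessedAllocas.empty() && "must process localescape before allocas");

  // Try to get the declaration of llvm.localescape. If it's not in the module,
  // we can exit early.
  if (!F.getParent()->getFunction("llvm.localescape")) return;

  // Look for a call to llvm.localescape call in the entry block. It can't be in
  // any other block.
  for (Instruction &I : F.getEntryBlock()) {
    IntrinsicInst *II = dyn_cast<IntrinsicInst>(&I);
    if (II && II->getIntrinsicID() == Intrinsic::localescape) {
      // We found a call. Mark all the allocas passed in as uninteresting.
      for (Value *Arg : II->arg_operands()) {
        AllocaInst *AI = dyn_cast<AllocaInst>(Arg->stripPointerCasts());
        assert(AI && AI->isStaticAlloca() &&
               "non-static alloca arg to localescape");
        ProcessedAllocas[AI] = false;
      }
      break;
    }
  }
}

/// \brief Function-pass entry point.
///
/// Skips asan.module_ctor and available_externally functions outright.
/// Otherwise: declare callbacks, fetch the dominator tree, possibly insert
/// __asan_init (see maybeInsertAsanInitAtFunctionEntry), and then, only for
/// functions carrying the sanitize_address attribute (and matching
/// ClDebugFunc if set), collect and instrument memory accesses, mem
/// intrinsics, pointer compares/subtractions, the stack frame, and noreturn
/// calls.
///
/// \return true iff the IR of F was modified. Any __asan_init insertion is
/// reported even when the rest of the function is skipped; returning false
/// after changing the IR would misinform the pass manager.
bool AddressSanitizer::runOnFunction(Function &F) {
  if (&F == AsanCtorFunction) return false;
  if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false;
  DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n");
  initializeCallbacks(*F.getParent());

  DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree();

  // If needed, insert __asan_init before checking for SanitizeAddress attr.
  // This modifies F even when nothing else below runs, so remember it.
  bool FunctionModified = maybeInsertAsanInitAtFunctionEntry(F);

  if (!F.hasFnAttribute(Attribute::SanitizeAddress)) return FunctionModified;

  if (!ClDebugFunc.empty() && ClDebugFunc != F.getName())
    return FunctionModified;

  FunctionStateRAII CleanupObj(this);

  // We can't instrument allocas used with llvm.localescape. Only static allocas
  // can be passed to that intrinsic.
  markEscapedLocalAllocas(F);

  // We want to instrument every address only once per basic block (unless there
  // are calls between uses).
  SmallSet<Value *, 16> TempsToInstrument;
  SmallVector<Instruction *, 16> ToInstrument;
  SmallVector<Instruction *, 8> NoReturnCalls;
  SmallVector<BasicBlock *, 16> AllBlocks;
  SmallVector<Instruction *, 16> PointerComparisonsOrSubtracts;
  int NumAllocas = 0;
  // Out-parameters of isInterestingMemoryAccess; only meaningful when it
  // returns non-null.
  bool IsWrite = false;
  unsigned Alignment = 0;
  uint64_t TypeSize = 0;

  // Fill the set of memory operations to instrument.
  for (auto &BB : F) {
    AllBlocks.push_back(&BB);
    TempsToInstrument.clear();
    int NumInsnsPerBB = 0;
    for (auto &Inst : BB) {
      // Bail out of the whole function on the bug-11395 pattern, but still
      // report the __asan_init insertion if there was one.
      if (LooksLikeCodeInBug11395(&Inst)) return FunctionModified;
      if (Value *Addr = isInterestingMemoryAccess(&Inst, &IsWrite, &TypeSize,
                                                  &Alignment)) {
        if (ClOpt && ClOptSameTemp) {
          if (!TempsToInstrument.insert(Addr).second)
            continue;  // We've seen this temp in the current BB.
        }
      } else if (ClInvalidPointerPairs &&
                 isInterestingPointerComparisonOrSubtraction(&Inst)) {
        PointerComparisonsOrSubtracts.push_back(&Inst);
        continue;
      } else if (isa<MemIntrinsic>(Inst)) {
        // ok, take it.
      } else {
        if (isa<AllocaInst>(Inst)) NumAllocas++;
        CallSite CS(&Inst);
        if (CS) {
          // A call inside BB.
          TempsToInstrument.clear();
          if (CS.doesNotReturn()) NoReturnCalls.push_back(CS.getInstruction());
        }
        continue;
      }
      ToInstrument.push_back(&Inst);
      NumInsnsPerBB++;
      if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) break;
    }
  }

  // Kernel mode always uses callbacks; user space switches to them once a
  // function has more candidate accesses than the configured threshold.
  bool UseCalls =
      CompileKernel ||
      (ClInstrumentationWithCallsThreshold >= 0 &&
       ToInstrument.size() > (unsigned)ClInstrumentationWithCallsThreshold);
  const TargetLibraryInfo *TLI =
      &getAnalysis<TargetLibraryInfoWrapperPass>().getTLI();
  const DataLayout &DL = F.getParent()->getDataLayout();
  ObjectSizeOffsetVisitor ObjSizeVis(DL, TLI, F.getContext(),
                                     /*RoundToAlign=*/true);

  // Instrument.
  int NumInstrumented = 0;
  for (Instruction *Inst : ToInstrument) {
    // ClDebugMin/ClDebugMax (when both set) restrict instrumentation to a
    // window of candidates, for bisecting.
    if (ClDebugMin < 0 || ClDebugMax < 0 ||
        (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) {
      if (isInterestingMemoryAccess(Inst, &IsWrite, &TypeSize, &Alignment))
        instrumentMop(ObjSizeVis, Inst, UseCalls, DL);
      else
        instrumentMemIntrinsic(cast<MemIntrinsic>(Inst));
    }
    NumInstrumented++;
  }

  FunctionStackPoisoner FSP(F, *this);
  bool ChangedStack = FSP.runOnFunction();

  // We must unpoison the stack before every NoReturn call (throw, _exit, etc).
  // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37
  for (Instruction *CI : NoReturnCalls) {
    IRBuilder<> IRB(CI);
    IRB.CreateCall(AsanHandleNoReturnFunc, {});
  }

  for (Instruction *Inst : PointerComparisonsOrSubtracts) {
    instrumentPointerComparisonOrSubtraction(Inst);
    NumInstrumented++;
  }

  bool res = FunctionModified || NumInstrumented > 0 || ChangedStack ||
             !NoReturnCalls.empty();

  DEBUG(dbgs() << "ASAN done instrumenting: " << res << " " << F << "\n");

  return res;
}

// Workaround for bug 11395: we don't want to instrument stack in functions
// with large assembly blobs (32-bit only), otherwise reg alloc may crash.
// FIXME: remove once the bug 11395 is fixed.
bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) {
  if (LongSize != 32) return false;
  CallInst *CI = dyn_cast<CallInst>(I);
  if (!CI || !CI->isInlineAsm()) return false;
  if (CI->getNumArgOperands() <= 5) return false;
  // We have inline assembly with quite a few arguments.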
1679 return true; 1680 } 1681 1682 void FunctionStackPoisoner::initializeCallbacks(Module &M) { 1683 IRBuilder<> IRB(*C); 1684 for (int i = 0; i <= kMaxAsanStackMallocSizeClass; i++) { 1685 std::string Suffix = itostr(i); 1686 AsanStackMallocFunc[i] = checkSanitizerInterfaceFunction( 1687 M.getOrInsertFunction(kAsanStackMallocNameTemplate + Suffix, IntptrTy, 1688 IntptrTy, nullptr)); 1689 AsanStackFreeFunc[i] = checkSanitizerInterfaceFunction( 1690 M.getOrInsertFunction(kAsanStackFreeNameTemplate + Suffix, 1691 IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr)); 1692 } 1693 AsanPoisonStackMemoryFunc = checkSanitizerInterfaceFunction( 1694 M.getOrInsertFunction(kAsanPoisonStackMemoryName, IRB.getVoidTy(), 1695 IntptrTy, IntptrTy, nullptr)); 1696 AsanUnpoisonStackMemoryFunc = checkSanitizerInterfaceFunction( 1697 M.getOrInsertFunction(kAsanUnpoisonStackMemoryName, IRB.getVoidTy(), 1698 IntptrTy, IntptrTy, nullptr)); 1699 AsanAllocaPoisonFunc = checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1700 kAsanAllocaPoison, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr)); 1701 AsanAllocasUnpoisonFunc = 1702 checkSanitizerInterfaceFunction(M.getOrInsertFunction( 1703 kAsanAllocasUnpoison, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr)); 1704 } 1705 1706 void FunctionStackPoisoner::poisonRedZones(ArrayRef<uint8_t> ShadowBytes, 1707 IRBuilder<> &IRB, Value *ShadowBase, 1708 bool DoPoison) { 1709 size_t n = ShadowBytes.size(); 1710 size_t i = 0; 1711 // We need to (un)poison n bytes of stack shadow. Poison as many as we can 1712 // using 64-bit stores (if we are on 64-bit arch), then poison the rest 1713 // with 32-bit stores, then with 16-byte stores, then with 8-byte stores. 
1714 for (size_t LargeStoreSizeInBytes = ASan.LongSize / 8; 1715 LargeStoreSizeInBytes != 0; LargeStoreSizeInBytes /= 2) { 1716 for (; i + LargeStoreSizeInBytes - 1 < n; i += LargeStoreSizeInBytes) { 1717 uint64_t Val = 0; 1718 for (size_t j = 0; j < LargeStoreSizeInBytes; j++) { 1719 if (F.getParent()->getDataLayout().isLittleEndian()) 1720 Val |= (uint64_t)ShadowBytes[i + j] << (8 * j); 1721 else 1722 Val = (Val << 8) | ShadowBytes[i + j]; 1723 } 1724 if (!Val) continue; 1725 Value *Ptr = IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)); 1726 Type *StoreTy = Type::getIntNTy(*C, LargeStoreSizeInBytes * 8); 1727 Value *Poison = ConstantInt::get(StoreTy, DoPoison ? Val : 0); 1728 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, StoreTy->getPointerTo())); 1729 } 1730 } 1731 } 1732 1733 // Fake stack allocator (asan_fake_stack.h) has 11 size classes 1734 // for every power of 2 from kMinStackMallocSize to kMaxAsanStackMallocSizeClass 1735 static int StackMallocSizeClass(uint64_t LocalStackSize) { 1736 assert(LocalStackSize <= kMaxStackMallocSize); 1737 uint64_t MaxSize = kMinStackMallocSize; 1738 for (int i = 0;; i++, MaxSize *= 2) 1739 if (LocalStackSize <= MaxSize) return i; 1740 llvm_unreachable("impossible LocalStackSize"); 1741 } 1742 1743 // Set Size bytes starting from ShadowBase to kAsanStackAfterReturnMagic. 1744 // We can not use MemSet intrinsic because it may end up calling the actual 1745 // memset. Size is a multiple of 8. 1746 // Currently this generates 8-byte stores on x86_64; it may be better to 1747 // generate wider stores. 1748 void FunctionStackPoisoner::SetShadowToStackAfterReturnInlined( 1749 IRBuilder<> &IRB, Value *ShadowBase, int Size) { 1750 assert(!(Size % 8)); 1751 1752 // kAsanStackAfterReturnMagic is 0xf5. 
1753 const uint64_t kAsanStackAfterReturnMagic64 = 0xf5f5f5f5f5f5f5f5ULL; 1754 1755 for (int i = 0; i < Size; i += 8) { 1756 Value *p = IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)); 1757 IRB.CreateStore( 1758 ConstantInt::get(IRB.getInt64Ty(), kAsanStackAfterReturnMagic64), 1759 IRB.CreateIntToPtr(p, IRB.getInt64Ty()->getPointerTo())); 1760 } 1761 } 1762 1763 PHINode *FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value *Cond, 1764 Value *ValueIfTrue, 1765 Instruction *ThenTerm, 1766 Value *ValueIfFalse) { 1767 PHINode *PHI = IRB.CreatePHI(IntptrTy, 2); 1768 BasicBlock *CondBlock = cast<Instruction>(Cond)->getParent(); 1769 PHI->addIncoming(ValueIfFalse, CondBlock); 1770 BasicBlock *ThenBlock = ThenTerm->getParent(); 1771 PHI->addIncoming(ValueIfTrue, ThenBlock); 1772 return PHI; 1773 } 1774 1775 Value *FunctionStackPoisoner::createAllocaForLayout( 1776 IRBuilder<> &IRB, const ASanStackFrameLayout &L, bool Dynamic) { 1777 AllocaInst *Alloca; 1778 if (Dynamic) { 1779 Alloca = IRB.CreateAlloca(IRB.getInt8Ty(), 1780 ConstantInt::get(IRB.getInt64Ty(), L.FrameSize), 1781 "MyAlloca"); 1782 } else { 1783 Alloca = IRB.CreateAlloca(ArrayType::get(IRB.getInt8Ty(), L.FrameSize), 1784 nullptr, "MyAlloca"); 1785 assert(Alloca->isStaticAlloca()); 1786 } 1787 assert((ClRealignStack & (ClRealignStack - 1)) == 0); 1788 size_t FrameAlignment = std::max(L.FrameAlignment, (size_t)ClRealignStack); 1789 Alloca->setAlignment(FrameAlignment); 1790 return IRB.CreatePointerCast(Alloca, IntptrTy); 1791 } 1792 1793 void FunctionStackPoisoner::createDynamicAllocasInitStorage() { 1794 BasicBlock &FirstBB = *F.begin(); 1795 IRBuilder<> IRB(dyn_cast<Instruction>(FirstBB.begin())); 1796 DynamicAllocaLayout = IRB.CreateAlloca(IntptrTy, nullptr); 1797 IRB.CreateStore(Constant::getNullValue(IntptrTy), DynamicAllocaLayout); 1798 DynamicAllocaLayout->setAlignment(32); 1799 } 1800 1801 void FunctionStackPoisoner::poisonStack() { 1802 assert(AllocaVec.size() > 0 || DynamicAllocaVec.size() 
> 0); 1803 1804 // Insert poison calls for lifetime intrinsics for alloca. 1805 bool HavePoisonedAllocas = false; 1806 for (const auto &APC : AllocaPoisonCallVec) { 1807 assert(APC.InsBefore); 1808 assert(APC.AI); 1809 IRBuilder<> IRB(APC.InsBefore); 1810 poisonAlloca(APC.AI, APC.Size, IRB, APC.DoPoison); 1811 HavePoisonedAllocas |= APC.DoPoison; 1812 } 1813 1814 if (ClInstrumentAllocas && DynamicAllocaVec.size() > 0) { 1815 // Handle dynamic allocas. 1816 createDynamicAllocasInitStorage(); 1817 for (auto &AI : DynamicAllocaVec) handleDynamicAllocaCall(AI); 1818 1819 unpoisonDynamicAllocas(); 1820 } 1821 1822 if (AllocaVec.empty()) return; 1823 1824 int StackMallocIdx = -1; 1825 DebugLoc EntryDebugLocation; 1826 if (auto SP = getDISubprogram(&F)) 1827 EntryDebugLocation = DebugLoc::get(SP->getScopeLine(), 0, SP); 1828 1829 Instruction *InsBefore = AllocaVec[0]; 1830 IRBuilder<> IRB(InsBefore); 1831 IRB.SetCurrentDebugLocation(EntryDebugLocation); 1832 1833 // Make sure non-instrumented allocas stay in the entry block. Otherwise, 1834 // debug info is broken, because only entry-block allocas are treated as 1835 // regular stack slots. 1836 auto InsBeforeB = InsBefore->getParent(); 1837 assert(InsBeforeB == &F.getEntryBlock()); 1838 for (BasicBlock::iterator I(InsBefore); I != InsBeforeB->end(); ++I) 1839 if (auto *AI = dyn_cast<AllocaInst>(I)) 1840 if (NonInstrumentedStaticAllocaVec.count(AI) > 0) 1841 AI->moveBefore(InsBefore); 1842 1843 // If we have a call to llvm.localescape, keep it in the entry block. 1844 if (LocalEscapeCall) LocalEscapeCall->moveBefore(InsBefore); 1845 1846 SmallVector<ASanStackVariableDescription, 16> SVD; 1847 SVD.reserve(AllocaVec.size()); 1848 for (AllocaInst *AI : AllocaVec) { 1849 ASanStackVariableDescription D = {AI->getName().data(), 1850 ASan.getAllocaSizeInBytes(AI), 1851 AI->getAlignment(), AI, 0}; 1852 SVD.push_back(D); 1853 } 1854 // Minimal header size (left redzone) is 4 pointers, 1855 // i.e. 
32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms. 1856 size_t MinHeaderSize = ASan.LongSize / 2; 1857 ASanStackFrameLayout L; 1858 ComputeASanStackFrameLayout(SVD, 1UL << Mapping.Scale, MinHeaderSize, &L); 1859 DEBUG(dbgs() << L.DescriptionString << " --- " << L.FrameSize << "\n"); 1860 uint64_t LocalStackSize = L.FrameSize; 1861 bool DoStackMalloc = ClUseAfterReturn && !ASan.CompileKernel && 1862 LocalStackSize <= kMaxStackMallocSize; 1863 bool DoDynamicAlloca = ClDynamicAllocaStack; 1864 // Don't do dynamic alloca or stack malloc if: 1865 // 1) There is inline asm: too often it makes assumptions on which registers 1866 // are available. 1867 // 2) There is a returns_twice call (typically setjmp), which is 1868 // optimization-hostile, and doesn't play well with introduced indirect 1869 // register-relative calculation of local variable addresses. 1870 DoDynamicAlloca &= !HasNonEmptyInlineAsm && !HasReturnsTwiceCall; 1871 DoStackMalloc &= !HasNonEmptyInlineAsm && !HasReturnsTwiceCall; 1872 1873 Value *StaticAlloca = 1874 DoDynamicAlloca ? nullptr : createAllocaForLayout(IRB, L, false); 1875 1876 Value *FakeStack; 1877 Value *LocalStackBase; 1878 1879 if (DoStackMalloc) { 1880 // void *FakeStack = __asan_option_detect_stack_use_after_return 1881 // ? __asan_stack_malloc_N(LocalStackSize) 1882 // : nullptr; 1883 // void *LocalStackBase = (FakeStack) ? 
FakeStack : alloca(LocalStackSize); 1884 Constant *OptionDetectUAR = F.getParent()->getOrInsertGlobal( 1885 kAsanOptionDetectUAR, IRB.getInt32Ty()); 1886 Value *UARIsEnabled = 1887 IRB.CreateICmpNE(IRB.CreateLoad(OptionDetectUAR), 1888 Constant::getNullValue(IRB.getInt32Ty())); 1889 Instruction *Term = 1890 SplitBlockAndInsertIfThen(UARIsEnabled, InsBefore, false); 1891 IRBuilder<> IRBIf(Term); 1892 IRBIf.SetCurrentDebugLocation(EntryDebugLocation); 1893 StackMallocIdx = StackMallocSizeClass(LocalStackSize); 1894 assert(StackMallocIdx <= kMaxAsanStackMallocSizeClass); 1895 Value *FakeStackValue = 1896 IRBIf.CreateCall(AsanStackMallocFunc[StackMallocIdx], 1897 ConstantInt::get(IntptrTy, LocalStackSize)); 1898 IRB.SetInsertPoint(InsBefore); 1899 IRB.SetCurrentDebugLocation(EntryDebugLocation); 1900 FakeStack = createPHI(IRB, UARIsEnabled, FakeStackValue, Term, 1901 ConstantInt::get(IntptrTy, 0)); 1902 1903 Value *NoFakeStack = 1904 IRB.CreateICmpEQ(FakeStack, Constant::getNullValue(IntptrTy)); 1905 Term = SplitBlockAndInsertIfThen(NoFakeStack, InsBefore, false); 1906 IRBIf.SetInsertPoint(Term); 1907 IRBIf.SetCurrentDebugLocation(EntryDebugLocation); 1908 Value *AllocaValue = 1909 DoDynamicAlloca ? createAllocaForLayout(IRBIf, L, true) : StaticAlloca; 1910 IRB.SetInsertPoint(InsBefore); 1911 IRB.SetCurrentDebugLocation(EntryDebugLocation); 1912 LocalStackBase = createPHI(IRB, NoFakeStack, AllocaValue, Term, FakeStack); 1913 } else { 1914 // void *FakeStack = nullptr; 1915 // void *LocalStackBase = alloca(LocalStackSize); 1916 FakeStack = ConstantInt::get(IntptrTy, 0); 1917 LocalStackBase = 1918 DoDynamicAlloca ? createAllocaForLayout(IRB, L, true) : StaticAlloca; 1919 } 1920 1921 // Replace Alloca instructions with base+offset. 
1922 for (const auto &Desc : SVD) { 1923 AllocaInst *AI = Desc.AI; 1924 Value *NewAllocaPtr = IRB.CreateIntToPtr( 1925 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Desc.Offset)), 1926 AI->getType()); 1927 replaceDbgDeclareForAlloca(AI, NewAllocaPtr, DIB, /*Deref=*/true); 1928 AI->replaceAllUsesWith(NewAllocaPtr); 1929 } 1930 1931 // The left-most redzone has enough space for at least 4 pointers. 1932 // Write the Magic value to redzone[0]. 1933 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 1934 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 1935 BasePlus0); 1936 // Write the frame description constant to redzone[1]. 1937 Value *BasePlus1 = IRB.CreateIntToPtr( 1938 IRB.CreateAdd(LocalStackBase, 1939 ConstantInt::get(IntptrTy, ASan.LongSize / 8)), 1940 IntptrPtrTy); 1941 GlobalVariable *StackDescriptionGlobal = 1942 createPrivateGlobalForString(*F.getParent(), L.DescriptionString, 1943 /*AllowMerging*/ true); 1944 Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, IntptrTy); 1945 IRB.CreateStore(Description, BasePlus1); 1946 // Write the PC to redzone[2]. 1947 Value *BasePlus2 = IRB.CreateIntToPtr( 1948 IRB.CreateAdd(LocalStackBase, 1949 ConstantInt::get(IntptrTy, 2 * ASan.LongSize / 8)), 1950 IntptrPtrTy); 1951 IRB.CreateStore(IRB.CreatePointerCast(&F, IntptrTy), BasePlus2); 1952 1953 // Poison the stack redzones at the entry. 1954 Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB); 1955 poisonRedZones(L.ShadowBytes, IRB, ShadowBase, true); 1956 1957 // (Un)poison the stack before all ret instructions. 1958 for (auto Ret : RetVec) { 1959 IRBuilder<> IRBRet(Ret); 1960 // Mark the current frame as retired. 1961 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 1962 BasePlus0); 1963 if (DoStackMalloc) { 1964 assert(StackMallocIdx >= 0); 1965 // if FakeStack != 0 // LocalStackBase == FakeStack 1966 // // In use-after-return mode, poison the whole stack frame. 
1967 // if StackMallocIdx <= 4 1968 // // For small sizes inline the whole thing: 1969 // memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize); 1970 // **SavedFlagPtr(FakeStack) = 0 1971 // else 1972 // __asan_stack_free_N(FakeStack, LocalStackSize) 1973 // else 1974 // <This is not a fake stack; unpoison the redzones> 1975 Value *Cmp = 1976 IRBRet.CreateICmpNE(FakeStack, Constant::getNullValue(IntptrTy)); 1977 TerminatorInst *ThenTerm, *ElseTerm; 1978 SplitBlockAndInsertIfThenElse(Cmp, Ret, &ThenTerm, &ElseTerm); 1979 1980 IRBuilder<> IRBPoison(ThenTerm); 1981 if (StackMallocIdx <= 4) { 1982 int ClassSize = kMinStackMallocSize << StackMallocIdx; 1983 SetShadowToStackAfterReturnInlined(IRBPoison, ShadowBase, 1984 ClassSize >> Mapping.Scale); 1985 Value *SavedFlagPtrPtr = IRBPoison.CreateAdd( 1986 FakeStack, 1987 ConstantInt::get(IntptrTy, ClassSize - ASan.LongSize / 8)); 1988 Value *SavedFlagPtr = IRBPoison.CreateLoad( 1989 IRBPoison.CreateIntToPtr(SavedFlagPtrPtr, IntptrPtrTy)); 1990 IRBPoison.CreateStore( 1991 Constant::getNullValue(IRBPoison.getInt8Ty()), 1992 IRBPoison.CreateIntToPtr(SavedFlagPtr, IRBPoison.getInt8PtrTy())); 1993 } else { 1994 // For larger frames call __asan_stack_free_*. 1995 IRBPoison.CreateCall( 1996 AsanStackFreeFunc[StackMallocIdx], 1997 {FakeStack, ConstantInt::get(IntptrTy, LocalStackSize)}); 1998 } 1999 2000 IRBuilder<> IRBElse(ElseTerm); 2001 poisonRedZones(L.ShadowBytes, IRBElse, ShadowBase, false); 2002 } else if (HavePoisonedAllocas) { 2003 // If we poisoned some allocas in llvm.lifetime analysis, 2004 // unpoison whole stack frame now. 2005 poisonAlloca(LocalStackBase, LocalStackSize, IRBRet, false); 2006 } else { 2007 poisonRedZones(L.ShadowBytes, IRBRet, ShadowBase, false); 2008 } 2009 } 2010 2011 // We are done. Remove the old unused alloca instructions. 
2012 for (auto AI : AllocaVec) AI->eraseFromParent(); 2013 } 2014 2015 void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size, 2016 IRBuilder<> &IRB, bool DoPoison) { 2017 // For now just insert the call to ASan runtime. 2018 Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy); 2019 Value *SizeArg = ConstantInt::get(IntptrTy, Size); 2020 IRB.CreateCall( 2021 DoPoison ? AsanPoisonStackMemoryFunc : AsanUnpoisonStackMemoryFunc, 2022 {AddrArg, SizeArg}); 2023 } 2024 2025 // Handling llvm.lifetime intrinsics for a given %alloca: 2026 // (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca. 2027 // (2) if %size is constant, poison memory for llvm.lifetime.end (to detect 2028 // invalid accesses) and unpoison it for llvm.lifetime.start (the memory 2029 // could be poisoned by previous llvm.lifetime.end instruction, as the 2030 // variable may go in and out of scope several times, e.g. in loops). 2031 // (3) if we poisoned at least one %alloca in a function, 2032 // unpoison the whole stack frame at function exit. 2033 2034 AllocaInst *FunctionStackPoisoner::findAllocaForValue(Value *V) { 2035 if (AllocaInst *AI = dyn_cast<AllocaInst>(V)) 2036 // We're intested only in allocas we can handle. 2037 return ASan.isInterestingAlloca(*AI) ? AI : nullptr; 2038 // See if we've already calculated (or started to calculate) alloca for a 2039 // given value. 2040 AllocaForValueMapTy::iterator I = AllocaForValue.find(V); 2041 if (I != AllocaForValue.end()) return I->second; 2042 // Store 0 while we're calculating alloca for value V to avoid 2043 // infinite recursion if the value references itself. 2044 AllocaForValue[V] = nullptr; 2045 AllocaInst *Res = nullptr; 2046 if (CastInst *CI = dyn_cast<CastInst>(V)) 2047 Res = findAllocaForValue(CI->getOperand(0)); 2048 else if (PHINode *PN = dyn_cast<PHINode>(V)) { 2049 for (Value *IncValue : PN->incoming_values()) { 2050 // Allow self-referencing phi-nodes. 
2051 if (IncValue == PN) continue; 2052 AllocaInst *IncValueAI = findAllocaForValue(IncValue); 2053 // AI for incoming values should exist and should all be equal. 2054 if (IncValueAI == nullptr || (Res != nullptr && IncValueAI != Res)) 2055 return nullptr; 2056 Res = IncValueAI; 2057 } 2058 } 2059 if (Res) AllocaForValue[V] = Res; 2060 return Res; 2061 } 2062 2063 void FunctionStackPoisoner::handleDynamicAllocaCall(AllocaInst *AI) { 2064 IRBuilder<> IRB(AI); 2065 2066 const unsigned Align = std::max(kAllocaRzSize, AI->getAlignment()); 2067 const uint64_t AllocaRedzoneMask = kAllocaRzSize - 1; 2068 2069 Value *Zero = Constant::getNullValue(IntptrTy); 2070 Value *AllocaRzSize = ConstantInt::get(IntptrTy, kAllocaRzSize); 2071 Value *AllocaRzMask = ConstantInt::get(IntptrTy, AllocaRedzoneMask); 2072 2073 // Since we need to extend alloca with additional memory to locate 2074 // redzones, and OldSize is number of allocated blocks with 2075 // ElementSize size, get allocated memory size in bytes by 2076 // OldSize * ElementSize. 2077 const unsigned ElementSize = 2078 F.getParent()->getDataLayout().getTypeAllocSize(AI->getAllocatedType()); 2079 Value *OldSize = 2080 IRB.CreateMul(IRB.CreateIntCast(AI->getArraySize(), IntptrTy, false), 2081 ConstantInt::get(IntptrTy, ElementSize)); 2082 2083 // PartialSize = OldSize % 32 2084 Value *PartialSize = IRB.CreateAnd(OldSize, AllocaRzMask); 2085 2086 // Misalign = kAllocaRzSize - PartialSize; 2087 Value *Misalign = IRB.CreateSub(AllocaRzSize, PartialSize); 2088 2089 // PartialPadding = Misalign != kAllocaRzSize ? Misalign : 0; 2090 Value *Cond = IRB.CreateICmpNE(Misalign, AllocaRzSize); 2091 Value *PartialPadding = IRB.CreateSelect(Cond, Misalign, Zero); 2092 2093 // AdditionalChunkSize = Align + PartialPadding + kAllocaRzSize 2094 // Align is added to locate left redzone, PartialPadding for possible 2095 // partial redzone and kAllocaRzSize for right redzone respectively. 
2096 Value *AdditionalChunkSize = IRB.CreateAdd( 2097 ConstantInt::get(IntptrTy, Align + kAllocaRzSize), PartialPadding); 2098 2099 Value *NewSize = IRB.CreateAdd(OldSize, AdditionalChunkSize); 2100 2101 // Insert new alloca with new NewSize and Align params. 2102 AllocaInst *NewAlloca = IRB.CreateAlloca(IRB.getInt8Ty(), NewSize); 2103 NewAlloca->setAlignment(Align); 2104 2105 // NewAddress = Address + Align 2106 Value *NewAddress = IRB.CreateAdd(IRB.CreatePtrToInt(NewAlloca, IntptrTy), 2107 ConstantInt::get(IntptrTy, Align)); 2108 2109 // Insert __asan_alloca_poison call for new created alloca. 2110 IRB.CreateCall(AsanAllocaPoisonFunc, {NewAddress, OldSize}); 2111 2112 // Store the last alloca's address to DynamicAllocaLayout. We'll need this 2113 // for unpoisoning stuff. 2114 IRB.CreateStore(IRB.CreatePtrToInt(NewAlloca, IntptrTy), DynamicAllocaLayout); 2115 2116 Value *NewAddressPtr = IRB.CreateIntToPtr(NewAddress, AI->getType()); 2117 2118 // Replace all uses of AddessReturnedByAlloca with NewAddressPtr. 2119 AI->replaceAllUsesWith(NewAddressPtr); 2120 2121 // We are done. Erase old alloca from parent. 2122 AI->eraseFromParent(); 2123 } 2124 2125 // isSafeAccess returns true if Addr is always inbounds with respect to its 2126 // base object. For example, it is a field access or an array access with 2127 // constant inbounds index. 2128 bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, 2129 Value *Addr, uint64_t TypeSize) const { 2130 SizeOffsetType SizeOffset = ObjSizeVis.compute(Addr); 2131 if (!ObjSizeVis.bothKnown(SizeOffset)) return false; 2132 uint64_t Size = SizeOffset.first.getZExtValue(); 2133 int64_t Offset = SizeOffset.second.getSExtValue(); 2134 // Three checks are required to ensure safety: 2135 // . Offset >= 0 (since the offset is given from the base ptr) 2136 // . Size >= Offset (unsigned) 2137 // . 
Size - Offset >= NeededSize (unsigned) 2138 return Offset >= 0 && Size >= uint64_t(Offset) && 2139 Size - uint64_t(Offset) >= TypeSize / 8; 2140 } 2141