1 //===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file is a part of AddressSanitizer, an address sanity checker. 11 // Details of the algorithm: 12 // http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13 // 14 //===----------------------------------------------------------------------===// 15 16 #define DEBUG_TYPE "asan" 17 18 #include "llvm/ADT/ArrayRef.h" 19 #include "llvm/ADT/OwningPtr.h" 20 #include "llvm/ADT/SmallSet.h" 21 #include "llvm/ADT/SmallString.h" 22 #include "llvm/ADT/SmallVector.h" 23 #include "llvm/ADT/StringExtras.h" 24 #include "llvm/Function.h" 25 #include "llvm/IntrinsicInst.h" 26 #include "llvm/LLVMContext.h" 27 #include "llvm/Module.h" 28 #include "llvm/Support/CommandLine.h" 29 #include "llvm/Support/DataTypes.h" 30 #include "llvm/Support/Debug.h" 31 #include "llvm/Support/IRBuilder.h" 32 #include "llvm/Support/MemoryBuffer.h" 33 #include "llvm/Support/Regex.h" 34 #include "llvm/Support/raw_ostream.h" 35 #include "llvm/Support/system_error.h" 36 #include "llvm/Target/TargetData.h" 37 #include "llvm/Target/TargetMachine.h" 38 #include "llvm/Transforms/Instrumentation.h" 39 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 40 #include "llvm/Transforms/Utils/ModuleUtils.h" 41 #include "llvm/Type.h" 42 43 #include <string> 44 #include <algorithm> 45 46 using namespace llvm; 47 48 static const uint64_t kDefaultShadowScale = 3; 49 static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 50 static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 51 52 static const size_t kMaxStackMallocSize = 1 << 16; // 64K 53 static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 54 static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 55 56 static const char *kAsanModuleCtorName = "asan.module_ctor"; 57 static const char *kAsanModuleDtorName = "asan.module_dtor"; 58 static const int kAsanCtorAndCtorPriority = 1; 59 static const char *kAsanReportErrorTemplate = "__asan_report_"; 60 static const char *kAsanRegisterGlobalsName = "__asan_register_globals"; 61 static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals"; 62 static const char *kAsanInitName = "__asan_init"; 63 static const char *kAsanHandleNoReturnName = "__asan_handle_no_return"; 64 static const char *kAsanMappingOffsetName = "__asan_mapping_offset"; 65 static const char *kAsanMappingScaleName = "__asan_mapping_scale"; 66 static const char *kAsanStackMallocName = "__asan_stack_malloc"; 67 static const char *kAsanStackFreeName = "__asan_stack_free"; 68 69 static const int kAsanStackLeftRedzoneMagic = 0xf1; 70 static const int kAsanStackMidRedzoneMagic = 0xf2; 71 static const int kAsanStackRightRedzoneMagic = 0xf3; 72 static const int kAsanStackPartialRedzoneMagic = 0xf4; 73 74 // Command-line flags. 75 76 // This flag may need to be replaced with -f[no-]asan-reads. 77 static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 78 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 79 static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 80 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 81 // This flag may need to be replaced with -f[no]asan-stack. 82 static cl::opt<bool> ClStack("asan-stack", 83 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 84 // This flag may need to be replaced with -f[no]asan-use-after-return. 85 static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 86 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 87 // This flag may need to be replaced with -f[no]asan-globals. 88 static cl::opt<bool> ClGlobals("asan-globals", 89 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 90 static cl::opt<bool> ClMemIntrin("asan-memintrin", 91 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 92 // This flag may need to be replaced with -fasan-blacklist. 93 static cl::opt<std::string> ClBlackListFile("asan-blacklist", 94 cl::desc("File containing the list of functions to ignore " 95 "during instrumentation"), cl::Hidden); 96 97 // These flags allow to change the shadow mapping. 98 // The shadow mapping looks like 99 // Shadow = (Mem >> scale) + (1 << offset_log) 100 static cl::opt<int> ClMappingScale("asan-mapping-scale", 101 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 102 static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 103 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 104 105 // Optimization flags. Not user visible, used mostly for testing 106 // and benchmarking the tool. 107 static cl::opt<bool> ClOpt("asan-opt", 108 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 109 static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 110 cl::desc("Instrument the same temp just once"), cl::Hidden, 111 cl::init(true)); 112 static cl::opt<bool> ClOptGlobals("asan-opt-globals", 113 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 114 115 // Debug flags. 116 static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 117 cl::init(0)); 118 static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 119 cl::Hidden, cl::init(0)); 120 static cl::opt<std::string> ClDebugFunc("asan-debug-func", 121 cl::Hidden, cl::desc("Debug func")); 122 static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 123 cl::Hidden, cl::init(-1)); 124 static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 125 cl::Hidden, cl::init(-1)); 126 127 namespace { 128 129 // Blacklisted functions are not instrumented. 130 // The blacklist file contains one or more lines like this: 131 // --- 132 // fun:FunctionWildCard 133 // --- 134 // This is similar to the "ignore" feature of ThreadSanitizer. 135 // http://code.google.com/p/data-race-test/wiki/ThreadSanitizerIgnores 136 class BlackList { 137 public: 138 BlackList(const std::string &Path); 139 bool isIn(const Function &F); 140 private: 141 Regex *Functions; 142 }; 143 144 /// AddressSanitizer: instrument the code in module to find memory bugs. 145 struct AddressSanitizer : public ModulePass { 146 AddressSanitizer(); 147 virtual const char *getPassName() const; 148 void instrumentMop(Instruction *I); 149 void instrumentAddress(Instruction *OrigIns, IRBuilder<> &IRB, 150 Value *Addr, uint32_t TypeSize, bool IsWrite); 151 Instruction *generateCrashCode(IRBuilder<> &IRB, Value *Addr, 152 bool IsWrite, uint32_t TypeSize); 153 bool instrumentMemIntrinsic(MemIntrinsic *MI); 154 void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr, 155 Value *Size, 156 Instruction *InsertBefore, bool IsWrite); 157 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 158 bool handleFunction(Module &M, Function &F); 159 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 160 bool poisonStackInFunction(Module &M, Function &F); 161 virtual bool runOnModule(Module &M); 162 bool insertGlobalRedzones(Module &M); 163 BranchInst *splitBlockAndInsertIfThen(Instruction *SplitBefore, Value *Cmp); 164 static char ID; // Pass identification, replacement for typeid 165 166 private: 167 168 uint64_t getAllocaSizeInBytes(AllocaInst *AI) { 169 Type *Ty = AI->getAllocatedType(); 170 uint64_t SizeInBytes = TD->getTypeStoreSizeInBits(Ty) / 8; 171 return SizeInBytes; 172 } 173 uint64_t getAlignedSize(uint64_t SizeInBytes) { 174 return ((SizeInBytes + RedzoneSize - 1) 175 / RedzoneSize) * RedzoneSize; 176 } 177 uint64_t getAlignedAllocaSize(AllocaInst *AI) { 178 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 179 return getAlignedSize(SizeInBytes); 180 } 181 182 void PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, 183 Value *ShadowBase, bool DoPoison); 184 bool LooksLikeCodeInBug11395(Instruction *I); 185 186 Module *CurrentModule; 187 LLVMContext *C; 188 TargetData *TD; 189 uint64_t MappingOffset; 190 int MappingScale; 191 size_t RedzoneSize; 192 int LongSize; 193 Type *IntptrTy; 194 Type *IntptrPtrTy; 195 Function *AsanCtorFunction; 196 Function *AsanInitFunction; 197 Instruction *CtorInsertBefore; 198 OwningPtr<BlackList> BL; 199 }; 200 } // namespace 201 202 char AddressSanitizer::ID = 0; 203 INITIALIZE_PASS(AddressSanitizer, "asan", 204 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", 205 false, false) 206 AddressSanitizer::AddressSanitizer() : ModulePass(ID) { } 207 ModulePass *llvm::createAddressSanitizerPass() { 208 return new AddressSanitizer(); 209 } 210 211 const char *AddressSanitizer::getPassName() const { 212 return "AddressSanitizer"; 213 } 214 215 // Create a constant for Str so that we can pass it to the run-time lib. 216 static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 217 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 218 return new GlobalVariable(M, StrConst->getType(), true, 219 GlobalValue::PrivateLinkage, StrConst, ""); 220 } 221 222 // Split the basic block and insert an if-then code. 223 // Before: 224 // Head 225 // SplitBefore 226 // Tail 227 // After: 228 // Head 229 // if (Cmp) 230 // NewBasicBlock 231 // SplitBefore 232 // Tail 233 // 234 // Returns the NewBasicBlock's terminator. 235 BranchInst *AddressSanitizer::splitBlockAndInsertIfThen( 236 Instruction *SplitBefore, Value *Cmp) { 237 BasicBlock *Head = SplitBefore->getParent(); 238 BasicBlock *Tail = Head->splitBasicBlock(SplitBefore); 239 TerminatorInst *HeadOldTerm = Head->getTerminator(); 240 BasicBlock *NewBasicBlock = 241 BasicBlock::Create(*C, "", Head->getParent()); 242 BranchInst *HeadNewTerm = BranchInst::Create(/*ifTrue*/NewBasicBlock, 243 /*ifFalse*/Tail, 244 Cmp); 245 ReplaceInstWithInst(HeadOldTerm, HeadNewTerm); 246 247 BranchInst *CheckTerm = BranchInst::Create(Tail, NewBasicBlock); 248 return CheckTerm; 249 } 250 251 Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 252 // Shadow >> scale 253 Shadow = IRB.CreateLShr(Shadow, MappingScale); 254 if (MappingOffset == 0) 255 return Shadow; 256 // (Shadow >> scale) | offset 257 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, 258 MappingOffset)); 259 } 260 261 void AddressSanitizer::instrumentMemIntrinsicParam(Instruction *OrigIns, 262 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 263 // Check the first byte. 264 { 265 IRBuilder<> IRB(InsertBefore); 266 instrumentAddress(OrigIns, IRB, Addr, 8, IsWrite); 267 } 268 // Check the last byte. 269 { 270 IRBuilder<> IRB(InsertBefore); 271 Value *SizeMinusOne = IRB.CreateSub( 272 Size, ConstantInt::get(Size->getType(), 1)); 273 SizeMinusOne = IRB.CreateIntCast(SizeMinusOne, IntptrTy, false); 274 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 275 Value *AddrPlusSizeMinisOne = IRB.CreateAdd(AddrLong, SizeMinusOne); 276 instrumentAddress(OrigIns, IRB, AddrPlusSizeMinisOne, 8, IsWrite); 277 } 278 } 279 280 // Instrument memset/memmove/memcpy 281 bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 282 Value *Dst = MI->getDest(); 283 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 284 Value *Src = MemTran ? MemTran->getSource() : NULL; 285 Value *Length = MI->getLength(); 286 287 Constant *ConstLength = dyn_cast<Constant>(Length); 288 Instruction *InsertBefore = MI; 289 if (ConstLength) { 290 if (ConstLength->isNullValue()) return false; 291 } else { 292 // The size is not a constant so it could be zero -- check at run-time. 293 IRBuilder<> IRB(InsertBefore); 294 295 Value *Cmp = IRB.CreateICmpNE(Length, 296 Constant::getNullValue(Length->getType())); 297 InsertBefore = splitBlockAndInsertIfThen(InsertBefore, Cmp); 298 } 299 300 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 301 if (Src) 302 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 303 return true; 304 } 305 306 static Value *getLDSTOperand(Instruction *I) { 307 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 308 return LI->getPointerOperand(); 309 } 310 return cast<StoreInst>(*I).getPointerOperand(); 311 } 312 313 void AddressSanitizer::instrumentMop(Instruction *I) { 314 int IsWrite = isa<StoreInst>(*I); 315 Value *Addr = getLDSTOperand(I); 316 if (ClOpt && ClOptGlobals && isa<GlobalVariable>(Addr)) { 317 // We are accessing a global scalar variable. Nothing to catch here. 318 return; 319 } 320 Type *OrigPtrTy = Addr->getType(); 321 Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType(); 322 323 assert(OrigTy->isSized()); 324 uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy); 325 326 if (TypeSize != 8 && TypeSize != 16 && 327 TypeSize != 32 && TypeSize != 64 && TypeSize != 128) { 328 // Ignore all unusual sizes. 329 return; 330 } 331 332 IRBuilder<> IRB(I); 333 instrumentAddress(I, IRB, Addr, TypeSize, IsWrite); 334 } 335 336 Instruction *AddressSanitizer::generateCrashCode( 337 IRBuilder<> &IRB, Value *Addr, bool IsWrite, uint32_t TypeSize) { 338 // IsWrite and TypeSize are encoded in the function name. 339 std::string FunctionName = std::string(kAsanReportErrorTemplate) + 340 (IsWrite ? "store" : "load") + itostr(TypeSize / 8); 341 Value *ReportWarningFunc = CurrentModule->getOrInsertFunction( 342 FunctionName, IRB.getVoidTy(), IntptrTy, NULL); 343 CallInst *Call = IRB.CreateCall(ReportWarningFunc, Addr); 344 Call->setDoesNotReturn(); 345 return Call; 346 } 347 348 void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 349 IRBuilder<> &IRB, Value *Addr, 350 uint32_t TypeSize, bool IsWrite) { 351 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 352 353 Type *ShadowTy = IntegerType::get( 354 *C, std::max(8U, TypeSize >> MappingScale)); 355 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 356 Value *ShadowPtr = memToShadow(AddrLong, IRB); 357 Value *CmpVal = Constant::getNullValue(ShadowTy); 358 Value *ShadowValue = IRB.CreateLoad( 359 IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 360 361 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 362 363 Instruction *CheckTerm = splitBlockAndInsertIfThen( 364 cast<Instruction>(Cmp)->getNextNode(), Cmp); 365 IRBuilder<> IRB2(CheckTerm); 366 367 size_t Granularity = 1 << MappingScale; 368 if (TypeSize < 8 * Granularity) { 369 // Addr & (Granularity - 1) 370 Value *Lower3Bits = IRB2.CreateAnd( 371 AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 372 // (Addr & (Granularity - 1)) + size - 1 373 Value *LastAccessedByte = IRB2.CreateAdd( 374 Lower3Bits, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 375 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 376 LastAccessedByte = IRB2.CreateIntCast( 377 LastAccessedByte, IRB.getInt8Ty(), false); 378 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 379 Value *Cmp2 = IRB2.CreateICmpSGE(LastAccessedByte, ShadowValue); 380 381 CheckTerm = splitBlockAndInsertIfThen(CheckTerm, Cmp2); 382 } 383 384 IRBuilder<> IRB1(CheckTerm); 385 Instruction *Crash = generateCrashCode(IRB1, AddrLong, IsWrite, TypeSize); 386 Crash->setDebugLoc(OrigIns->getDebugLoc()); 387 ReplaceInstWithInst(CheckTerm, new UnreachableInst(*C)); 388 } 389 390 // This function replaces all global variables with new variables that have 391 // trailing redzones. It also creates a function that poisons 392 // redzones and inserts this function into llvm.global_ctors. 393 bool AddressSanitizer::insertGlobalRedzones(Module &M) { 394 SmallVector<GlobalVariable *, 16> GlobalsToChange; 395 396 for (Module::GlobalListType::iterator G = M.getGlobalList().begin(), 397 E = M.getGlobalList().end(); G != E; ++G) { 398 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 399 DEBUG(dbgs() << "GLOBAL: " << *G); 400 401 if (!Ty->isSized()) continue; 402 if (!G->hasInitializer()) continue; 403 // Touch only those globals that will not be defined in other modules. 404 // Don't handle ODR type linkages since other modules may be built w/o asan. 405 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 406 G->getLinkage() != GlobalVariable::PrivateLinkage && 407 G->getLinkage() != GlobalVariable::InternalLinkage) 408 continue; 409 // Two problems with thread-locals: 410 // - The address of the main thread's copy can't be computed at link-time. 411 // - Need to poison all copies, not just the main thread's one. 412 if (G->isThreadLocal()) 413 continue; 414 // For now, just ignore this Alloca if the alignment is large. 415 if (G->getAlignment() > RedzoneSize) continue; 416 417 // Ignore all the globals with the names starting with "\01L_OBJC_". 418 // Many of those are put into the .cstring section. The linker compresses 419 // that section by removing the spare \0s after the string terminator, so 420 // our redzones get broken. 421 if ((G->getName().find("\01L_OBJC_") == 0) || 422 (G->getName().find("\01l_OBJC_") == 0)) { 423 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 424 continue; 425 } 426 427 if (G->hasSection()) { 428 StringRef Section(G->getSection()); 429 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 430 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 431 // them. 432 if ((Section.find("__OBJC,") == 0) || 433 (Section.find("__DATA, __objc_") == 0)) { 434 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 435 continue; 436 } 437 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 438 // Constant CFString instances are compiled in the following way: 439 // -- the string buffer is emitted into 440 // __TEXT,__cstring,cstring_literals 441 // -- the constant NSConstantString structure referencing that buffer 442 // is placed into __DATA,__cfstring 443 // Therefore there's no point in placing redzones into __DATA,__cfstring. 444 // Moreover, it causes the linker to crash on OS X 10.7 445 if (Section.find("__DATA,__cfstring") == 0) { 446 DEBUG(dbgs() << "Ignoring CFString: " << *G); 447 continue; 448 } 449 } 450 451 GlobalsToChange.push_back(G); 452 } 453 454 size_t n = GlobalsToChange.size(); 455 if (n == 0) return false; 456 457 // A global is described by a structure 458 // size_t beg; 459 // size_t size; 460 // size_t size_with_redzone; 461 // const char *name; 462 // We initialize an array of such structures and pass it to a run-time call. 463 StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy, 464 IntptrTy, IntptrTy, NULL); 465 SmallVector<Constant *, 16> Initializers(n); 466 467 IRBuilder<> IRB(CtorInsertBefore); 468 469 for (size_t i = 0; i < n; i++) { 470 GlobalVariable *G = GlobalsToChange[i]; 471 PointerType *PtrTy = cast<PointerType>(G->getType()); 472 Type *Ty = PtrTy->getElementType(); 473 uint64_t SizeInBytes = TD->getTypeStoreSizeInBits(Ty) / 8; 474 uint64_t RightRedzoneSize = RedzoneSize + 475 (RedzoneSize - (SizeInBytes % RedzoneSize)); 476 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 477 478 StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL); 479 Constant *NewInitializer = ConstantStruct::get( 480 NewTy, G->getInitializer(), 481 Constant::getNullValue(RightRedZoneTy), NULL); 482 483 SmallString<2048> DescriptionOfGlobal = G->getName(); 484 DescriptionOfGlobal += " ("; 485 DescriptionOfGlobal += M.getModuleIdentifier(); 486 DescriptionOfGlobal += ")"; 487 GlobalVariable *Name = createPrivateGlobalForString(M, DescriptionOfGlobal); 488 489 // Create a new global variable with enough space for a redzone. 490 GlobalVariable *NewGlobal = new GlobalVariable( 491 M, NewTy, G->isConstant(), G->getLinkage(), 492 NewInitializer, "", G, G->isThreadLocal()); 493 NewGlobal->copyAttributesFrom(G); 494 NewGlobal->setAlignment(RedzoneSize); 495 496 Value *Indices2[2]; 497 Indices2[0] = IRB.getInt32(0); 498 Indices2[1] = IRB.getInt32(0); 499 500 G->replaceAllUsesWith( 501 ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true)); 502 NewGlobal->takeName(G); 503 G->eraseFromParent(); 504 505 Initializers[i] = ConstantStruct::get( 506 GlobalStructTy, 507 ConstantExpr::getPointerCast(NewGlobal, IntptrTy), 508 ConstantInt::get(IntptrTy, SizeInBytes), 509 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 510 ConstantExpr::getPointerCast(Name, IntptrTy), 511 NULL); 512 DEBUG(dbgs() << "NEW GLOBAL:\n" << *NewGlobal); 513 } 514 515 ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); 516 GlobalVariable *AllGlobals = new GlobalVariable( 517 M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage, 518 ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); 519 520 Function *AsanRegisterGlobals = cast<Function>(M.getOrInsertFunction( 521 kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 522 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 523 524 IRB.CreateCall2(AsanRegisterGlobals, 525 IRB.CreatePointerCast(AllGlobals, IntptrTy), 526 ConstantInt::get(IntptrTy, n)); 527 528 // We also need to unregister globals at the end, e.g. when a shared library 529 // gets closed. 530 Function *AsanDtorFunction = Function::Create( 531 FunctionType::get(Type::getVoidTy(*C), false), 532 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 533 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 534 IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); 535 Function *AsanUnregisterGlobals = cast<Function>(M.getOrInsertFunction( 536 kAsanUnregisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 537 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 538 539 IRB_Dtor.CreateCall2(AsanUnregisterGlobals, 540 IRB.CreatePointerCast(AllGlobals, IntptrTy), 541 ConstantInt::get(IntptrTy, n)); 542 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority); 543 544 DEBUG(dbgs() << M); 545 return true; 546 } 547 548 // virtual 549 bool AddressSanitizer::runOnModule(Module &M) { 550 // Initialize the private fields. No one has accessed them before. 551 TD = getAnalysisIfAvailable<TargetData>(); 552 if (!TD) 553 return false; 554 BL.reset(new BlackList(ClBlackListFile)); 555 556 CurrentModule = &M; 557 C = &(M.getContext()); 558 LongSize = TD->getPointerSizeInBits(); 559 IntptrTy = Type::getIntNTy(*C, LongSize); 560 IntptrPtrTy = PointerType::get(IntptrTy, 0); 561 562 AsanCtorFunction = Function::Create( 563 FunctionType::get(Type::getVoidTy(*C), false), 564 GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); 565 BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); 566 CtorInsertBefore = ReturnInst::Create(*C, AsanCtorBB); 567 568 // call __asan_init in the module ctor. 569 IRBuilder<> IRB(CtorInsertBefore); 570 AsanInitFunction = cast<Function>( 571 M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL)); 572 AsanInitFunction->setLinkage(Function::ExternalLinkage); 573 IRB.CreateCall(AsanInitFunction); 574 575 MappingOffset = LongSize == 32 576 ? kDefaultShadowOffset32 : kDefaultShadowOffset64; 577 if (ClMappingOffsetLog >= 0) { 578 if (ClMappingOffsetLog == 0) { 579 // special case 580 MappingOffset = 0; 581 } else { 582 MappingOffset = 1ULL << ClMappingOffsetLog; 583 } 584 } 585 MappingScale = kDefaultShadowScale; 586 if (ClMappingScale) { 587 MappingScale = ClMappingScale; 588 } 589 // Redzone used for stack and globals is at least 32 bytes. 590 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 591 RedzoneSize = std::max(32, (int)(1 << MappingScale)); 592 593 bool Res = false; 594 595 if (ClGlobals) 596 Res |= insertGlobalRedzones(M); 597 598 // Tell the run-time the current values of mapping offset and scale. 599 GlobalValue *asan_mapping_offset = 600 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 601 ConstantInt::get(IntptrTy, MappingOffset), 602 kAsanMappingOffsetName); 603 GlobalValue *asan_mapping_scale = 604 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 605 ConstantInt::get(IntptrTy, MappingScale), 606 kAsanMappingScaleName); 607 // Read these globals, otherwise they may be optimized away. 608 IRB.CreateLoad(asan_mapping_scale, true); 609 IRB.CreateLoad(asan_mapping_offset, true); 610 611 612 for (Module::iterator F = M.begin(), E = M.end(); F != E; ++F) { 613 if (F->isDeclaration()) continue; 614 Res |= handleFunction(M, *F); 615 } 616 617 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority); 618 619 return Res; 620 } 621 622 bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 623 // For each NSObject descendant having a +load method, this method is invoked 624 // by the ObjC runtime before any of the static constructors is called. 625 // Therefore we need to instrument such methods with a call to __asan_init 626 // at the beginning in order to initialize our runtime before any access to 627 // the shadow memory. 628 // We cannot just ignore these methods, because they may call other 629 // instrumented functions. 630 if (F.getName().find(" load]") != std::string::npos) { 631 IRBuilder<> IRB(F.begin()->begin()); 632 IRB.CreateCall(AsanInitFunction); 633 return true; 634 } 635 return false; 636 } 637 638 bool AddressSanitizer::handleFunction(Module &M, Function &F) { 639 if (BL->isIn(F)) return false; 640 if (&F == AsanCtorFunction) return false; 641 642 // If needed, insert __asan_init before checking for AddressSafety attr. 643 maybeInsertAsanInitAtFunctionEntry(F); 644 645 if (!F.hasFnAttr(Attribute::AddressSafety)) return false; 646 647 if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) 648 return false; 649 // We want to instrument every address only once per basic block 650 // (unless there are calls between uses). 651 SmallSet<Value*, 16> TempsToInstrument; 652 SmallVector<Instruction*, 16> ToInstrument; 653 SmallVector<Instruction*, 8> NoReturnCalls; 654 655 // Fill the set of memory operations to instrument. 656 for (Function::iterator FI = F.begin(), FE = F.end(); 657 FI != FE; ++FI) { 658 TempsToInstrument.clear(); 659 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 660 BI != BE; ++BI) { 661 if (LooksLikeCodeInBug11395(BI)) return false; 662 if ((isa<LoadInst>(BI) && ClInstrumentReads) || 663 (isa<StoreInst>(BI) && ClInstrumentWrites)) { 664 Value *Addr = getLDSTOperand(BI); 665 if (ClOpt && ClOptSameTemp) { 666 if (!TempsToInstrument.insert(Addr)) 667 continue; // We've seen this temp in the current BB. 668 } 669 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 670 // ok, take it. 671 } else { 672 if (CallInst *CI = dyn_cast<CallInst>(BI)) { 673 // A call inside BB. 674 TempsToInstrument.clear(); 675 if (CI->doesNotReturn()) { 676 NoReturnCalls.push_back(CI); 677 } 678 } 679 continue; 680 } 681 ToInstrument.push_back(BI); 682 } 683 } 684 685 // Instrument. 686 int NumInstrumented = 0; 687 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 688 Instruction *Inst = ToInstrument[i]; 689 if (ClDebugMin < 0 || ClDebugMax < 0 || 690 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 691 if (isa<StoreInst>(Inst) || isa<LoadInst>(Inst)) 692 instrumentMop(Inst); 693 else 694 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 695 } 696 NumInstrumented++; 697 } 698 699 DEBUG(dbgs() << F); 700 701 bool ChangedStack = poisonStackInFunction(M, F); 702 703 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 704 // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37 705 for (size_t i = 0, n = NoReturnCalls.size(); i != n; i++) { 706 Instruction *CI = NoReturnCalls[i]; 707 IRBuilder<> IRB(CI); 708 IRB.CreateCall(M.getOrInsertFunction(kAsanHandleNoReturnName, 709 IRB.getVoidTy(), NULL)); 710 } 711 712 return NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); 713 } 714 715 static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 716 if (ShadowRedzoneSize == 1) return PoisonByte; 717 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 718 if (ShadowRedzoneSize == 4) 719 return (PoisonByte << 24) + (PoisonByte << 16) + 720 (PoisonByte << 8) + (PoisonByte); 721 llvm_unreachable("ShadowRedzoneSize is either 1, 2 or 4"); 722 } 723 724 static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 725 size_t Size, 726 size_t RedzoneSize, 727 size_t ShadowGranularity, 728 uint8_t Magic) { 729 for (size_t i = 0; i < RedzoneSize; 730 i+= ShadowGranularity, Shadow++) { 731 if (i + ShadowGranularity <= Size) { 732 *Shadow = 0; // fully addressable 733 } else if (i >= Size) { 734 *Shadow = Magic; // unaddressable 735 } else { 736 *Shadow = Size - i; // first Size-i bytes are addressable 737 } 738 } 739 } 740 741 void AddressSanitizer::PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, 742 IRBuilder<> IRB, 743 Value *ShadowBase, bool DoPoison) { 744 size_t ShadowRZSize = RedzoneSize >> MappingScale; 745 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 746 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 747 Type *RZPtrTy = PointerType::get(RZTy, 0); 748 749 Value *PoisonLeft = ConstantInt::get(RZTy, 750 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 751 Value *PoisonMid = ConstantInt::get(RZTy, 752 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 753 Value *PoisonRight = ConstantInt::get(RZTy, 754 ValueForPoison(DoPoison ? kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 755 756 // poison the first red zone. 757 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 758 759 // poison all other red zones. 760 uint64_t Pos = RedzoneSize; 761 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 762 AllocaInst *AI = AllocaVec[i]; 763 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 764 uint64_t AlignedSize = getAlignedAllocaSize(AI); 765 assert(AlignedSize - SizeInBytes < RedzoneSize); 766 Value *Ptr = NULL; 767 768 Pos += AlignedSize; 769 770 assert(ShadowBase->getType() == IntptrTy); 771 if (SizeInBytes < AlignedSize) { 772 // Poison the partial redzone at right 773 Ptr = IRB.CreateAdd( 774 ShadowBase, ConstantInt::get(IntptrTy, 775 (Pos >> MappingScale) - ShadowRZSize)); 776 size_t AddressableBytes = RedzoneSize - (AlignedSize - SizeInBytes); 777 uint32_t Poison = 0; 778 if (DoPoison) { 779 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 780 RedzoneSize, 781 1ULL << MappingScale, 782 kAsanStackPartialRedzoneMagic); 783 } 784 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 785 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 786 } 787 788 // Poison the full redzone at right. 789 Ptr = IRB.CreateAdd(ShadowBase, 790 ConstantInt::get(IntptrTy, Pos >> MappingScale)); 791 Value *Poison = i == AllocaVec.size() - 1 ? PoisonRight : PoisonMid; 792 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 793 794 Pos += RedzoneSize; 795 } 796 } 797 798 // Workaround for bug 11395: we don't want to instrument stack in functions 799 // with large assembly blobs (32-bit only), otherwise reg alloc may crash. 800 // FIXME: remove once the bug 11395 is fixed. 801 bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 802 if (LongSize != 32) return false; 803 CallInst *CI = dyn_cast<CallInst>(I); 804 if (!CI || !CI->isInlineAsm()) return false; 805 if (CI->getNumArgOperands() <= 5) return false; 806 // We have inline assembly with quite a few arguments. 807 return true; 808 } 809 810 // Find all static Alloca instructions and put 811 // poisoned red zones around all of them. 812 // Then unpoison everything back before the function returns. 813 // 814 // Stack poisoning does not play well with exception handling. 815 // When an exception is thrown, we essentially bypass the code 816 // that unpoisones the stack. This is why the run-time library has 817 // to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 818 // stack in the interceptor. This however does not work inside the 819 // actual function which catches the exception. Most likely because the 820 // compiler hoists the load of the shadow value somewhere too high. 821 // This causes asan to report a non-existing bug on 453.povray. 822 // It sounds like an LLVM bug. 823 bool AddressSanitizer::poisonStackInFunction(Module &M, Function &F) { 824 if (!ClStack) return false; 825 SmallVector<AllocaInst*, 16> AllocaVec; 826 SmallVector<Instruction*, 8> RetVec; 827 uint64_t TotalSize = 0; 828 829 // Filter out Alloca instructions we want (and can) handle. 830 // Collect Ret instructions. 831 for (Function::iterator FI = F.begin(), FE = F.end(); 832 FI != FE; ++FI) { 833 BasicBlock &BB = *FI; 834 for (BasicBlock::iterator BI = BB.begin(), BE = BB.end(); 835 BI != BE; ++BI) { 836 if (isa<ReturnInst>(BI)) { 837 RetVec.push_back(BI); 838 continue; 839 } 840 841 AllocaInst *AI = dyn_cast<AllocaInst>(BI); 842 if (!AI) continue; 843 if (AI->isArrayAllocation()) continue; 844 if (!AI->isStaticAlloca()) continue; 845 if (!AI->getAllocatedType()->isSized()) continue; 846 if (AI->getAlignment() > RedzoneSize) continue; 847 AllocaVec.push_back(AI); 848 uint64_t AlignedSize = getAlignedAllocaSize(AI); 849 TotalSize += AlignedSize; 850 } 851 } 852 853 if (AllocaVec.empty()) return false; 854 855 uint64_t LocalStackSize = TotalSize + (AllocaVec.size() + 1) * RedzoneSize; 856 857 bool DoStackMalloc = ClUseAfterReturn 858 && LocalStackSize <= kMaxStackMallocSize; 859 860 Instruction *InsBefore = AllocaVec[0]; 861 IRBuilder<> IRB(InsBefore); 862 863 864 Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); 865 AllocaInst *MyAlloca = 866 new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore); 867 MyAlloca->setAlignment(RedzoneSize); 868 assert(MyAlloca->isStaticAlloca()); 869 Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy); 870 Value *LocalStackBase = OrigStackBase; 871 872 if (DoStackMalloc) { 873 Value *AsanStackMallocFunc = M.getOrInsertFunction( 874 kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL); 875 LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc, 876 ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); 877 } 878 879 // This string will be parsed by the run-time (DescribeStackAddress). 880 SmallString<2048> StackDescriptionStorage; 881 raw_svector_ostream StackDescription(StackDescriptionStorage); 882 StackDescription << F.getName() << " " << AllocaVec.size() << " "; 883 884 uint64_t Pos = RedzoneSize; 885 // Replace Alloca instructions with base+offset. 886 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 887 AllocaInst *AI = AllocaVec[i]; 888 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 889 StringRef Name = AI->getName(); 890 StackDescription << Pos << " " << SizeInBytes << " " 891 << Name.size() << " " << Name << " "; 892 uint64_t AlignedSize = getAlignedAllocaSize(AI); 893 assert((AlignedSize % RedzoneSize) == 0); 894 AI->replaceAllUsesWith( 895 IRB.CreateIntToPtr( 896 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)), 897 AI->getType())); 898 Pos += AlignedSize + RedzoneSize; 899 } 900 assert(Pos == LocalStackSize); 901 902 // Write the Magic value and the frame description constant to the redzone. 903 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 904 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 905 BasePlus0); 906 Value *BasePlus1 = IRB.CreateAdd(LocalStackBase, 907 ConstantInt::get(IntptrTy, LongSize/8)); 908 BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy); 909 Value *Description = IRB.CreatePointerCast( 910 createPrivateGlobalForString(M, StackDescription.str()), 911 IntptrTy); 912 IRB.CreateStore(Description, BasePlus1); 913 914 // Poison the stack redzones at the entry. 915 Value *ShadowBase = memToShadow(LocalStackBase, IRB); 916 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRB, ShadowBase, true); 917 918 Value *AsanStackFreeFunc = NULL; 919 if (DoStackMalloc) { 920 AsanStackFreeFunc = M.getOrInsertFunction( 921 kAsanStackFreeName, IRB.getVoidTy(), 922 IntptrTy, IntptrTy, IntptrTy, NULL); 923 } 924 925 // Unpoison the stack before all ret instructions. 926 for (size_t i = 0, n = RetVec.size(); i < n; i++) { 927 Instruction *Ret = RetVec[i]; 928 IRBuilder<> IRBRet(Ret); 929 930 // Mark the current frame as retired. 931 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 932 BasePlus0); 933 // Unpoison the stack. 934 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRBRet, ShadowBase, false); 935 936 if (DoStackMalloc) { 937 IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase, 938 ConstantInt::get(IntptrTy, LocalStackSize), 939 OrigStackBase); 940 } 941 } 942 943 if (ClDebugStack) { 944 DEBUG(dbgs() << F); 945 } 946 947 return true; 948 } 949 950 BlackList::BlackList(const std::string &Path) { 951 Functions = NULL; 952 const char *kFunPrefix = "fun:"; 953 if (!ClBlackListFile.size()) return; 954 std::string Fun; 955 956 OwningPtr<MemoryBuffer> File; 957 if (error_code EC = MemoryBuffer::getFile(ClBlackListFile.c_str(), File)) { 958 report_fatal_error("Can't open blacklist file " + ClBlackListFile + ": " + 959 EC.message()); 960 } 961 MemoryBuffer *Buff = File.take(); 962 const char *Data = Buff->getBufferStart(); 963 size_t DataLen = Buff->getBufferSize(); 964 SmallVector<StringRef, 16> Lines; 965 SplitString(StringRef(Data, DataLen), Lines, "\n\r"); 966 for (size_t i = 0, numLines = Lines.size(); i < numLines; i++) { 967 if (Lines[i].startswith(kFunPrefix)) { 968 std::string ThisFunc = Lines[i].substr(strlen(kFunPrefix)); 969 std::string ThisFuncRE; 970 // add ThisFunc replacing * with .* 971 for (size_t j = 0, n = ThisFunc.size(); j < n; j++) { 972 if (ThisFunc[j] == '*') 973 ThisFuncRE += '.'; 974 ThisFuncRE += ThisFunc[j]; 975 } 976 // Check that the regexp is valid. 977 Regex CheckRE(ThisFuncRE); 978 std::string Error; 979 if (!CheckRE.isValid(Error)) 980 report_fatal_error("malformed blacklist regex: " + ThisFunc + 981 ": " + Error); 982 // Append to the final regexp. 983 if (Fun.size()) 984 Fun += "|"; 985 Fun += ThisFuncRE; 986 } 987 } 988 if (Fun.size()) { 989 Functions = new Regex(Fun); 990 } 991 } 992 993 bool BlackList::isIn(const Function &F) { 994 if (Functions) { 995 bool Res = Functions->match(F.getName()); 996 return Res; 997 } 998 return false; 999 } 1000