1 //===- DataFlowSanitizer.cpp - dynamic data flow analysis -----------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 /// \file 10 /// This file is a part of DataFlowSanitizer, a generalised dynamic data flow 11 /// analysis. 12 /// 13 /// Unlike other Sanitizer tools, this tool is not designed to detect a specific 14 /// class of bugs on its own. Instead, it provides a generic dynamic data flow 15 /// analysis framework to be used by clients to help detect application-specific 16 /// issues within their own code. 17 /// 18 /// The analysis is based on automatic propagation of data flow labels (also 19 /// known as taint labels) through a program as it performs computation. Each 20 /// byte of application memory is backed by two bytes of shadow memory which 21 /// hold the label. On Linux/x86_64, memory is laid out as follows: 22 /// 23 /// +--------------------+ 0x800000000000 (top of memory) 24 /// | application memory | 25 /// +--------------------+ 0x700000008000 (kAppAddr) 26 /// | | 27 /// | unused | 28 /// | | 29 /// +--------------------+ 0x200200000000 (kUnusedAddr) 30 /// | union table | 31 /// +--------------------+ 0x200000000000 (kUnionTableAddr) 32 /// | shadow memory | 33 /// +--------------------+ 0x000000010000 (kShadowAddr) 34 /// | reserved by kernel | 35 /// +--------------------+ 0x000000000000 36 /// 37 /// To derive a shadow memory address from an application memory address, 38 /// bits 44-46 are cleared to bring the address into the range 39 /// [0x000000008000,0x100000000000). Then the address is shifted left by 1 to 40 /// account for the double byte representation of shadow labels and move the 41 /// address into the shadow memory range. See the function 42 /// DataFlowSanitizer::getShadowAddress below. 43 /// 44 /// For more information, please refer to the design document: 45 /// http://clang.llvm.org/docs/DataFlowSanitizerDesign.html 46 // 47 //===----------------------------------------------------------------------===// 48 49 #include "llvm/ADT/DenseMap.h" 50 #include "llvm/ADT/DenseSet.h" 51 #include "llvm/ADT/DepthFirstIterator.h" 52 #include "llvm/ADT/None.h" 53 #include "llvm/ADT/SmallPtrSet.h" 54 #include "llvm/ADT/SmallVector.h" 55 #include "llvm/ADT/StringExtras.h" 56 #include "llvm/ADT/StringRef.h" 57 #include "llvm/ADT/Triple.h" 58 #include "llvm/Analysis/ValueTracking.h" 59 #include "llvm/IR/Argument.h" 60 #include "llvm/IR/Attributes.h" 61 #include "llvm/IR/BasicBlock.h" 62 #include "llvm/IR/CallSite.h" 63 #include "llvm/IR/Constant.h" 64 #include "llvm/IR/Constants.h" 65 #include "llvm/IR/DataLayout.h" 66 #include "llvm/IR/DerivedTypes.h" 67 #include "llvm/IR/Dominators.h" 68 #include "llvm/IR/Function.h" 69 #include "llvm/IR/GlobalAlias.h" 70 #include "llvm/IR/GlobalValue.h" 71 #include "llvm/IR/GlobalVariable.h" 72 #include "llvm/IR/IRBuilder.h" 73 #include "llvm/IR/InlineAsm.h" 74 #include "llvm/IR/InstVisitor.h" 75 #include "llvm/IR/InstrTypes.h" 76 #include "llvm/IR/Instruction.h" 77 #include "llvm/IR/Instructions.h" 78 #include "llvm/IR/IntrinsicInst.h" 79 #include "llvm/IR/LLVMContext.h" 80 #include "llvm/IR/MDBuilder.h" 81 #include "llvm/IR/Module.h" 82 #include "llvm/IR/Type.h" 83 #include "llvm/IR/User.h" 84 #include "llvm/IR/Value.h" 85 #include "llvm/InitializePasses.h" 86 #include "llvm/Pass.h" 87 #include "llvm/Support/Casting.h" 88 #include "llvm/Support/CommandLine.h" 89 #include "llvm/Support/ErrorHandling.h" 90 #include "llvm/Support/SpecialCaseList.h" 91 #include "llvm/Support/VirtualFileSystem.h" 92 #include "llvm/Transforms/Instrumentation.h" 93 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 94 #include "llvm/Transforms/Utils/Local.h" 95 #include <algorithm> 96 #include <cassert> 97 #include <cstddef> 98 #include <cstdint> 99 #include <iterator> 100 #include <memory> 101 #include <set> 102 #include <string> 103 #include <utility> 104 #include <vector> 105 106 using namespace llvm; 107 108 // External symbol to be used when generating the shadow address for 109 // architectures with multiple VMAs. Instead of using a constant integer 110 // the runtime will set the external mask based on the VMA range. 111 static const char *const kDFSanExternShadowPtrMask = "__dfsan_shadow_ptr_mask"; 112 113 // The -dfsan-preserve-alignment flag controls whether this pass assumes that 114 // alignment requirements provided by the input IR are correct. For example, 115 // if the input IR contains a load with alignment 8, this flag will cause 116 // the shadow load to have alignment 16. This flag is disabled by default as 117 // we have unfortunately encountered too much code (including Clang itself; 118 // see PR14291) which performs misaligned access. 119 static cl::opt<bool> ClPreserveAlignment( 120 "dfsan-preserve-alignment", 121 cl::desc("respect alignment requirements provided by input IR"), cl::Hidden, 122 cl::init(false)); 123 124 // The ABI list files control how shadow parameters are passed. The pass treats 125 // every function labelled "uninstrumented" in the ABI list file as conforming 126 // to the "native" (i.e. unsanitized) ABI. Unless the ABI list contains 127 // additional annotations for those functions, a call to one of those functions 128 // will produce a warning message, as the labelling behaviour of the function is 129 // unknown. The other supported annotations are "functional" and "discard", 130 // which are described below under DataFlowSanitizer::WrapperKind. 131 static cl::list<std::string> ClABIListFiles( 132 "dfsan-abilist", 133 cl::desc("File listing native ABI functions and how the pass treats them"), 134 cl::Hidden); 135 136 // Controls whether the pass uses IA_Args or IA_TLS as the ABI for instrumented 137 // functions (see DataFlowSanitizer::InstrumentedABI below). 138 static cl::opt<bool> ClArgsABI( 139 "dfsan-args-abi", 140 cl::desc("Use the argument ABI rather than the TLS ABI"), 141 cl::Hidden); 142 143 // Controls whether the pass includes or ignores the labels of pointers in load 144 // instructions. 145 static cl::opt<bool> ClCombinePointerLabelsOnLoad( 146 "dfsan-combine-pointer-labels-on-load", 147 cl::desc("Combine the label of the pointer with the label of the data when " 148 "loading from memory."), 149 cl::Hidden, cl::init(true)); 150 151 // Controls whether the pass includes or ignores the labels of pointers in 152 // stores instructions. 153 static cl::opt<bool> ClCombinePointerLabelsOnStore( 154 "dfsan-combine-pointer-labels-on-store", 155 cl::desc("Combine the label of the pointer with the label of the data when " 156 "storing in memory."), 157 cl::Hidden, cl::init(false)); 158 159 static cl::opt<bool> ClDebugNonzeroLabels( 160 "dfsan-debug-nonzero-labels", 161 cl::desc("Insert calls to __dfsan_nonzero_label on observing a parameter, " 162 "load or return with a nonzero label"), 163 cl::Hidden); 164 165 // Experimental feature that inserts callbacks for certain data events. 166 // Currently callbacks are only inserted for loads, stores, memory transfers 167 // (i.e. memcpy and memmove), and comparisons. 168 // 169 // If this flag is set to true, the user must provide definitions for the 170 // following callback functions: 171 // void __dfsan_load_callback(dfsan_label Label); 172 // void __dfsan_store_callback(dfsan_label Label); 173 // void __dfsan_mem_transfer_callback(dfsan_label *Start, size_t Len); 174 // void __dfsan_cmp_callback(dfsan_label CombinedLabel); 175 static cl::opt<bool> ClEventCallbacks( 176 "dfsan-event-callbacks", 177 cl::desc("Insert calls to __dfsan_*_callback functions on data events."), 178 cl::Hidden, cl::init(false)); 179 180 static StringRef GetGlobalTypeString(const GlobalValue &G) { 181 // Types of GlobalVariables are always pointer types. 182 Type *GType = G.getValueType(); 183 // For now we support blacklisting struct types only. 184 if (StructType *SGType = dyn_cast<StructType>(GType)) { 185 if (!SGType->isLiteral()) 186 return SGType->getName(); 187 } 188 return "<unknown type>"; 189 } 190 191 namespace { 192 193 class DFSanABIList { 194 std::unique_ptr<SpecialCaseList> SCL; 195 196 public: 197 DFSanABIList() = default; 198 199 void set(std::unique_ptr<SpecialCaseList> List) { SCL = std::move(List); } 200 201 /// Returns whether either this function or its source file are listed in the 202 /// given category. 203 bool isIn(const Function &F, StringRef Category) const { 204 return isIn(*F.getParent(), Category) || 205 SCL->inSection("dataflow", "fun", F.getName(), Category); 206 } 207 208 /// Returns whether this global alias is listed in the given category. 209 /// 210 /// If GA aliases a function, the alias's name is matched as a function name 211 /// would be. Similarly, aliases of globals are matched like globals. 212 bool isIn(const GlobalAlias &GA, StringRef Category) const { 213 if (isIn(*GA.getParent(), Category)) 214 return true; 215 216 if (isa<FunctionType>(GA.getValueType())) 217 return SCL->inSection("dataflow", "fun", GA.getName(), Category); 218 219 return SCL->inSection("dataflow", "global", GA.getName(), Category) || 220 SCL->inSection("dataflow", "type", GetGlobalTypeString(GA), 221 Category); 222 } 223 224 /// Returns whether this module is listed in the given category. 225 bool isIn(const Module &M, StringRef Category) const { 226 return SCL->inSection("dataflow", "src", M.getModuleIdentifier(), Category); 227 } 228 }; 229 230 /// TransformedFunction is used to express the result of transforming one 231 /// function type into another. This struct is immutable. It holds metadata 232 /// useful for updating calls of the old function to the new type. 233 struct TransformedFunction { 234 TransformedFunction(FunctionType* OriginalType, 235 FunctionType* TransformedType, 236 std::vector<unsigned> ArgumentIndexMapping) 237 : OriginalType(OriginalType), 238 TransformedType(TransformedType), 239 ArgumentIndexMapping(ArgumentIndexMapping) {} 240 241 // Disallow copies. 242 TransformedFunction(const TransformedFunction&) = delete; 243 TransformedFunction& operator=(const TransformedFunction&) = delete; 244 245 // Allow moves. 246 TransformedFunction(TransformedFunction&&) = default; 247 TransformedFunction& operator=(TransformedFunction&&) = default; 248 249 /// Type of the function before the transformation. 250 FunctionType *OriginalType; 251 252 /// Type of the function after the transformation. 253 FunctionType *TransformedType; 254 255 /// Transforming a function may change the position of arguments. This 256 /// member records the mapping from each argument's old position to its new 257 /// position. Argument positions are zero-indexed. If the transformation 258 /// from F to F' made the first argument of F into the third argument of F', 259 /// then ArgumentIndexMapping[0] will equal 2. 260 std::vector<unsigned> ArgumentIndexMapping; 261 }; 262 263 /// Given function attributes from a call site for the original function, 264 /// return function attributes appropriate for a call to the transformed 265 /// function. 266 AttributeList TransformFunctionAttributes( 267 const TransformedFunction& TransformedFunction, 268 LLVMContext& Ctx, AttributeList CallSiteAttrs) { 269 270 // Construct a vector of AttributeSet for each function argument. 271 std::vector<llvm::AttributeSet> ArgumentAttributes( 272 TransformedFunction.TransformedType->getNumParams()); 273 274 // Copy attributes from the parameter of the original function to the 275 // transformed version. 'ArgumentIndexMapping' holds the mapping from 276 // old argument position to new. 277 for (unsigned i=0, ie = TransformedFunction.ArgumentIndexMapping.size(); 278 i < ie; ++i) { 279 unsigned TransformedIndex = TransformedFunction.ArgumentIndexMapping[i]; 280 ArgumentAttributes[TransformedIndex] = CallSiteAttrs.getParamAttributes(i); 281 } 282 283 // Copy annotations on varargs arguments. 284 for (unsigned i = TransformedFunction.OriginalType->getNumParams(), 285 ie = CallSiteAttrs.getNumAttrSets(); i<ie; ++i) { 286 ArgumentAttributes.push_back(CallSiteAttrs.getParamAttributes(i)); 287 } 288 289 return AttributeList::get( 290 Ctx, 291 CallSiteAttrs.getFnAttributes(), 292 CallSiteAttrs.getRetAttributes(), 293 llvm::makeArrayRef(ArgumentAttributes)); 294 } 295 296 class DataFlowSanitizer : public ModulePass { 297 friend struct DFSanFunction; 298 friend class DFSanVisitor; 299 300 enum { ShadowWidthBits = 16, ShadowWidthBytes = ShadowWidthBits / 8 }; 301 302 /// Which ABI should be used for instrumented functions? 303 enum InstrumentedABI { 304 /// Argument and return value labels are passed through additional 305 /// arguments and by modifying the return type. 306 IA_Args, 307 308 /// Argument and return value labels are passed through TLS variables 309 /// __dfsan_arg_tls and __dfsan_retval_tls. 310 IA_TLS 311 }; 312 313 /// How should calls to uninstrumented functions be handled? 314 enum WrapperKind { 315 /// This function is present in an uninstrumented form but we don't know 316 /// how it should be handled. Print a warning and call the function anyway. 317 /// Don't label the return value. 318 WK_Warning, 319 320 /// This function does not write to (user-accessible) memory, and its return 321 /// value is unlabelled. 322 WK_Discard, 323 324 /// This function does not write to (user-accessible) memory, and the label 325 /// of its return value is the union of the label of its arguments. 326 WK_Functional, 327 328 /// Instead of calling the function, a custom wrapper __dfsw_F is called, 329 /// where F is the name of the function. This function may wrap the 330 /// original function or provide its own implementation. This is similar to 331 /// the IA_Args ABI, except that IA_Args uses a struct return type to 332 /// pass the return value shadow in a register, while WK_Custom uses an 333 /// extra pointer argument to return the shadow. This allows the wrapped 334 /// form of the function type to be expressed in C. 335 WK_Custom 336 }; 337 338 Module *Mod; 339 LLVMContext *Ctx; 340 IntegerType *ShadowTy; 341 PointerType *ShadowPtrTy; 342 IntegerType *IntptrTy; 343 ConstantInt *ZeroShadow; 344 ConstantInt *ShadowPtrMask; 345 ConstantInt *ShadowPtrMul; 346 Constant *ArgTLS; 347 Constant *RetvalTLS; 348 void *(*GetArgTLSPtr)(); 349 void *(*GetRetvalTLSPtr)(); 350 FunctionType *GetArgTLSTy; 351 FunctionType *GetRetvalTLSTy; 352 Constant *GetArgTLS; 353 Constant *GetRetvalTLS; 354 Constant *ExternalShadowMask; 355 FunctionType *DFSanUnionFnTy; 356 FunctionType *DFSanUnionLoadFnTy; 357 FunctionType *DFSanUnimplementedFnTy; 358 FunctionType *DFSanSetLabelFnTy; 359 FunctionType *DFSanNonzeroLabelFnTy; 360 FunctionType *DFSanVarargWrapperFnTy; 361 FunctionType *DFSanLoadStoreCmpCallbackFnTy; 362 FunctionType *DFSanMemTransferCallbackFnTy; 363 FunctionCallee DFSanUnionFn; 364 FunctionCallee DFSanCheckedUnionFn; 365 FunctionCallee DFSanUnionLoadFn; 366 FunctionCallee DFSanUnimplementedFn; 367 FunctionCallee DFSanSetLabelFn; 368 FunctionCallee DFSanNonzeroLabelFn; 369 FunctionCallee DFSanVarargWrapperFn; 370 FunctionCallee DFSanLoadCallbackFn; 371 FunctionCallee DFSanStoreCallbackFn; 372 FunctionCallee DFSanMemTransferCallbackFn; 373 FunctionCallee DFSanCmpCallbackFn; 374 MDNode *ColdCallWeights; 375 DFSanABIList ABIList; 376 DenseMap<Value *, Function *> UnwrappedFnMap; 377 AttrBuilder ReadOnlyNoneAttrs; 378 bool DFSanRuntimeShadowMask = false; 379 380 Value *getShadowAddress(Value *Addr, Instruction *Pos); 381 bool isInstrumented(const Function *F); 382 bool isInstrumented(const GlobalAlias *GA); 383 FunctionType *getArgsFunctionType(FunctionType *T); 384 FunctionType *getTrampolineFunctionType(FunctionType *T); 385 TransformedFunction getCustomFunctionType(FunctionType *T); 386 InstrumentedABI getInstrumentedABI(); 387 WrapperKind getWrapperKind(Function *F); 388 void addGlobalNamePrefix(GlobalValue *GV); 389 Function *buildWrapperFunction(Function *F, StringRef NewFName, 390 GlobalValue::LinkageTypes NewFLink, 391 FunctionType *NewFT); 392 Constant *getOrBuildTrampolineFunction(FunctionType *FT, StringRef FName); 393 394 public: 395 static char ID; 396 397 DataFlowSanitizer( 398 const std::vector<std::string> &ABIListFiles = std::vector<std::string>(), 399 void *(*getArgTLS)() = nullptr, void *(*getRetValTLS)() = nullptr); 400 401 bool doInitialization(Module &M) override; 402 bool runOnModule(Module &M) override; 403 }; 404 405 struct DFSanFunction { 406 DataFlowSanitizer &DFS; 407 Function *F; 408 DominatorTree DT; 409 DataFlowSanitizer::InstrumentedABI IA; 410 bool IsNativeABI; 411 Value *ArgTLSPtr = nullptr; 412 Value *RetvalTLSPtr = nullptr; 413 AllocaInst *LabelReturnAlloca = nullptr; 414 DenseMap<Value *, Value *> ValShadowMap; 415 DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap; 416 std::vector<std::pair<PHINode *, PHINode *>> PHIFixups; 417 DenseSet<Instruction *> SkipInsts; 418 std::vector<Value *> NonZeroChecks; 419 bool AvoidNewBlocks; 420 421 struct CachedCombinedShadow { 422 BasicBlock *Block; 423 Value *Shadow; 424 }; 425 DenseMap<std::pair<Value *, Value *>, CachedCombinedShadow> 426 CachedCombinedShadows; 427 DenseMap<Value *, std::set<Value *>> ShadowElements; 428 429 DFSanFunction(DataFlowSanitizer &DFS, Function *F, bool IsNativeABI) 430 : DFS(DFS), F(F), IA(DFS.getInstrumentedABI()), IsNativeABI(IsNativeABI) { 431 DT.recalculate(*F); 432 // FIXME: Need to track down the register allocator issue which causes poor 433 // performance in pathological cases with large numbers of basic blocks. 434 AvoidNewBlocks = F->size() > 1000; 435 } 436 437 Value *getArgTLSPtr(); 438 Value *getArgTLS(unsigned Index, Instruction *Pos); 439 Value *getRetvalTLS(); 440 Value *getShadow(Value *V); 441 void setShadow(Instruction *I, Value *Shadow); 442 Value *combineShadows(Value *V1, Value *V2, Instruction *Pos); 443 Value *combineOperandShadows(Instruction *Inst); 444 Value *loadShadow(Value *ShadowAddr, uint64_t Size, uint64_t Align, 445 Instruction *Pos); 446 void storeShadow(Value *Addr, uint64_t Size, Align Alignment, Value *Shadow, 447 Instruction *Pos); 448 }; 449 450 class DFSanVisitor : public InstVisitor<DFSanVisitor> { 451 public: 452 DFSanFunction &DFSF; 453 454 DFSanVisitor(DFSanFunction &DFSF) : DFSF(DFSF) {} 455 456 const DataLayout &getDataLayout() const { 457 return DFSF.F->getParent()->getDataLayout(); 458 } 459 460 // Combines shadow values for all of I's operands. Returns the combined shadow 461 // value. 462 Value *visitOperandShadowInst(Instruction &I); 463 464 void visitUnaryOperator(UnaryOperator &UO); 465 void visitBinaryOperator(BinaryOperator &BO); 466 void visitCastInst(CastInst &CI); 467 void visitCmpInst(CmpInst &CI); 468 void visitGetElementPtrInst(GetElementPtrInst &GEPI); 469 void visitLoadInst(LoadInst &LI); 470 void visitStoreInst(StoreInst &SI); 471 void visitReturnInst(ReturnInst &RI); 472 void visitCallSite(CallSite CS); 473 void visitPHINode(PHINode &PN); 474 void visitExtractElementInst(ExtractElementInst &I); 475 void visitInsertElementInst(InsertElementInst &I); 476 void visitShuffleVectorInst(ShuffleVectorInst &I); 477 void visitExtractValueInst(ExtractValueInst &I); 478 void visitInsertValueInst(InsertValueInst &I); 479 void visitAllocaInst(AllocaInst &I); 480 void visitSelectInst(SelectInst &I); 481 void visitMemSetInst(MemSetInst &I); 482 void visitMemTransferInst(MemTransferInst &I); 483 }; 484 485 } // end anonymous namespace 486 487 char DataFlowSanitizer::ID; 488 489 INITIALIZE_PASS(DataFlowSanitizer, "dfsan", 490 "DataFlowSanitizer: dynamic data flow analysis.", false, false) 491 492 ModulePass * 493 llvm::createDataFlowSanitizerPass(const std::vector<std::string> &ABIListFiles, 494 void *(*getArgTLS)(), 495 void *(*getRetValTLS)()) { 496 return new DataFlowSanitizer(ABIListFiles, getArgTLS, getRetValTLS); 497 } 498 499 DataFlowSanitizer::DataFlowSanitizer( 500 const std::vector<std::string> &ABIListFiles, void *(*getArgTLS)(), 501 void *(*getRetValTLS)()) 502 : ModulePass(ID), GetArgTLSPtr(getArgTLS), GetRetvalTLSPtr(getRetValTLS) { 503 std::vector<std::string> AllABIListFiles(std::move(ABIListFiles)); 504 AllABIListFiles.insert(AllABIListFiles.end(), ClABIListFiles.begin(), 505 ClABIListFiles.end()); 506 // FIXME: should we propagate vfs::FileSystem to this constructor? 507 ABIList.set( 508 SpecialCaseList::createOrDie(AllABIListFiles, *vfs::getRealFileSystem())); 509 } 510 511 FunctionType *DataFlowSanitizer::getArgsFunctionType(FunctionType *T) { 512 SmallVector<Type *, 4> ArgTypes(T->param_begin(), T->param_end()); 513 ArgTypes.append(T->getNumParams(), ShadowTy); 514 if (T->isVarArg()) 515 ArgTypes.push_back(ShadowPtrTy); 516 Type *RetType = T->getReturnType(); 517 if (!RetType->isVoidTy()) 518 RetType = StructType::get(RetType, ShadowTy); 519 return FunctionType::get(RetType, ArgTypes, T->isVarArg()); 520 } 521 522 FunctionType *DataFlowSanitizer::getTrampolineFunctionType(FunctionType *T) { 523 assert(!T->isVarArg()); 524 SmallVector<Type *, 4> ArgTypes; 525 ArgTypes.push_back(T->getPointerTo()); 526 ArgTypes.append(T->param_begin(), T->param_end()); 527 ArgTypes.append(T->getNumParams(), ShadowTy); 528 Type *RetType = T->getReturnType(); 529 if (!RetType->isVoidTy()) 530 ArgTypes.push_back(ShadowPtrTy); 531 return FunctionType::get(T->getReturnType(), ArgTypes, false); 532 } 533 534 TransformedFunction DataFlowSanitizer::getCustomFunctionType(FunctionType *T) { 535 SmallVector<Type *, 4> ArgTypes; 536 537 // Some parameters of the custom function being constructed are 538 // parameters of T. Record the mapping from parameters of T to 539 // parameters of the custom function, so that parameter attributes 540 // at call sites can be updated. 541 std::vector<unsigned> ArgumentIndexMapping; 542 for (unsigned i = 0, ie = T->getNumParams(); i != ie; ++i) { 543 Type* param_type = T->getParamType(i); 544 FunctionType *FT; 545 if (isa<PointerType>(param_type) && (FT = dyn_cast<FunctionType>( 546 cast<PointerType>(param_type)->getElementType()))) { 547 ArgumentIndexMapping.push_back(ArgTypes.size()); 548 ArgTypes.push_back(getTrampolineFunctionType(FT)->getPointerTo()); 549 ArgTypes.push_back(Type::getInt8PtrTy(*Ctx)); 550 } else { 551 ArgumentIndexMapping.push_back(ArgTypes.size()); 552 ArgTypes.push_back(param_type); 553 } 554 } 555 for (unsigned i = 0, e = T->getNumParams(); i != e; ++i) 556 ArgTypes.push_back(ShadowTy); 557 if (T->isVarArg()) 558 ArgTypes.push_back(ShadowPtrTy); 559 Type *RetType = T->getReturnType(); 560 if (!RetType->isVoidTy()) 561 ArgTypes.push_back(ShadowPtrTy); 562 return TransformedFunction( 563 T, FunctionType::get(T->getReturnType(), ArgTypes, T->isVarArg()), 564 ArgumentIndexMapping); 565 } 566 567 bool DataFlowSanitizer::doInitialization(Module &M) { 568 Triple TargetTriple(M.getTargetTriple()); 569 bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64; 570 bool IsMIPS64 = TargetTriple.isMIPS64(); 571 bool IsAArch64 = TargetTriple.getArch() == Triple::aarch64 || 572 TargetTriple.getArch() == Triple::aarch64_be; 573 574 const DataLayout &DL = M.getDataLayout(); 575 576 Mod = &M; 577 Ctx = &M.getContext(); 578 ShadowTy = IntegerType::get(*Ctx, ShadowWidthBits); 579 ShadowPtrTy = PointerType::getUnqual(ShadowTy); 580 IntptrTy = DL.getIntPtrType(*Ctx); 581 ZeroShadow = ConstantInt::getSigned(ShadowTy, 0); 582 ShadowPtrMul = ConstantInt::getSigned(IntptrTy, ShadowWidthBytes); 583 if (IsX86_64) 584 ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0x700000000000LL); 585 else if (IsMIPS64) 586 ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0xF000000000LL); 587 // AArch64 supports multiple VMAs and the shadow mask is set at runtime. 588 else if (IsAArch64) 589 DFSanRuntimeShadowMask = true; 590 else 591 report_fatal_error("unsupported triple"); 592 593 Type *DFSanUnionArgs[2] = { ShadowTy, ShadowTy }; 594 DFSanUnionFnTy = 595 FunctionType::get(ShadowTy, DFSanUnionArgs, /*isVarArg=*/ false); 596 Type *DFSanUnionLoadArgs[2] = { ShadowPtrTy, IntptrTy }; 597 DFSanUnionLoadFnTy = 598 FunctionType::get(ShadowTy, DFSanUnionLoadArgs, /*isVarArg=*/ false); 599 DFSanUnimplementedFnTy = FunctionType::get( 600 Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false); 601 Type *DFSanSetLabelArgs[3] = { ShadowTy, Type::getInt8PtrTy(*Ctx), IntptrTy }; 602 DFSanSetLabelFnTy = FunctionType::get(Type::getVoidTy(*Ctx), 603 DFSanSetLabelArgs, /*isVarArg=*/false); 604 DFSanNonzeroLabelFnTy = FunctionType::get( 605 Type::getVoidTy(*Ctx), None, /*isVarArg=*/false); 606 DFSanVarargWrapperFnTy = FunctionType::get( 607 Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false); 608 DFSanLoadStoreCmpCallbackFnTy = 609 FunctionType::get(Type::getVoidTy(*Ctx), ShadowTy, /*isVarArg=*/false); 610 Type *DFSanMemTransferCallbackArgs[2] = {ShadowPtrTy, IntptrTy}; 611 DFSanMemTransferCallbackFnTy = 612 FunctionType::get(Type::getVoidTy(*Ctx), DFSanMemTransferCallbackArgs, 613 /*isVarArg=*/false); 614 615 if (GetArgTLSPtr) { 616 Type *ArgTLSTy = ArrayType::get(ShadowTy, 64); 617 ArgTLS = nullptr; 618 GetArgTLSTy = FunctionType::get(PointerType::getUnqual(ArgTLSTy), false); 619 GetArgTLS = ConstantExpr::getIntToPtr( 620 ConstantInt::get(IntptrTy, uintptr_t(GetArgTLSPtr)), 621 PointerType::getUnqual(GetArgTLSTy)); 622 } 623 if (GetRetvalTLSPtr) { 624 RetvalTLS = nullptr; 625 GetRetvalTLSTy = FunctionType::get(PointerType::getUnqual(ShadowTy), false); 626 GetRetvalTLS = ConstantExpr::getIntToPtr( 627 ConstantInt::get(IntptrTy, uintptr_t(GetRetvalTLSPtr)), 628 PointerType::getUnqual(GetRetvalTLSTy)); 629 } 630 631 ColdCallWeights = MDBuilder(*Ctx).createBranchWeights(1, 1000); 632 return true; 633 } 634 635 bool DataFlowSanitizer::isInstrumented(const Function *F) { 636 return !ABIList.isIn(*F, "uninstrumented"); 637 } 638 639 bool DataFlowSanitizer::isInstrumented(const GlobalAlias *GA) { 640 return !ABIList.isIn(*GA, "uninstrumented"); 641 } 642 643 DataFlowSanitizer::InstrumentedABI DataFlowSanitizer::getInstrumentedABI() { 644 return ClArgsABI ? IA_Args : IA_TLS; 645 } 646 647 DataFlowSanitizer::WrapperKind DataFlowSanitizer::getWrapperKind(Function *F) { 648 if (ABIList.isIn(*F, "functional")) 649 return WK_Functional; 650 if (ABIList.isIn(*F, "discard")) 651 return WK_Discard; 652 if (ABIList.isIn(*F, "custom")) 653 return WK_Custom; 654 655 return WK_Warning; 656 } 657 658 void DataFlowSanitizer::addGlobalNamePrefix(GlobalValue *GV) { 659 std::string GVName = std::string(GV->getName()), Prefix = "dfs$"; 660 GV->setName(Prefix + GVName); 661 662 // Try to change the name of the function in module inline asm. We only do 663 // this for specific asm directives, currently only ".symver", to try to avoid 664 // corrupting asm which happens to contain the symbol name as a substring. 665 // Note that the substitution for .symver assumes that the versioned symbol 666 // also has an instrumented name. 667 std::string Asm = GV->getParent()->getModuleInlineAsm(); 668 std::string SearchStr = ".symver " + GVName + ","; 669 size_t Pos = Asm.find(SearchStr); 670 if (Pos != std::string::npos) { 671 Asm.replace(Pos, SearchStr.size(), 672 ".symver " + Prefix + GVName + "," + Prefix); 673 GV->getParent()->setModuleInlineAsm(Asm); 674 } 675 } 676 677 Function * 678 DataFlowSanitizer::buildWrapperFunction(Function *F, StringRef NewFName, 679 GlobalValue::LinkageTypes NewFLink, 680 FunctionType *NewFT) { 681 FunctionType *FT = F->getFunctionType(); 682 Function *NewF = Function::Create(NewFT, NewFLink, F->getAddressSpace(), 683 NewFName, F->getParent()); 684 NewF->copyAttributesFrom(F); 685 NewF->removeAttributes( 686 AttributeList::ReturnIndex, 687 AttributeFuncs::typeIncompatible(NewFT->getReturnType())); 688 689 BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", NewF); 690 if (F->isVarArg()) { 691 NewF->removeAttributes(AttributeList::FunctionIndex, 692 AttrBuilder().addAttribute("split-stack")); 693 CallInst::Create(DFSanVarargWrapperFn, 694 IRBuilder<>(BB).CreateGlobalStringPtr(F->getName()), "", 695 BB); 696 new UnreachableInst(*Ctx, BB); 697 } else { 698 std::vector<Value *> Args; 699 unsigned n = FT->getNumParams(); 700 for (Function::arg_iterator ai = NewF->arg_begin(); n != 0; ++ai, --n) 701 Args.push_back(&*ai); 702 CallInst *CI = CallInst::Create(F, Args, "", BB); 703 if (FT->getReturnType()->isVoidTy()) 704 ReturnInst::Create(*Ctx, BB); 705 else 706 ReturnInst::Create(*Ctx, CI, BB); 707 } 708 709 return NewF; 710 } 711 712 Constant *DataFlowSanitizer::getOrBuildTrampolineFunction(FunctionType *FT, 713 StringRef FName) { 714 FunctionType *FTT = getTrampolineFunctionType(FT); 715 FunctionCallee C = Mod->getOrInsertFunction(FName, FTT); 716 Function *F = dyn_cast<Function>(C.getCallee()); 717 if (F && F->isDeclaration()) { 718 F->setLinkage(GlobalValue::LinkOnceODRLinkage); 719 BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", F); 720 std::vector<Value *> Args; 721 Function::arg_iterator AI = F->arg_begin(); ++AI; 722 for (unsigned N = FT->getNumParams(); N != 0; ++AI, --N) 723 Args.push_back(&*AI); 724 CallInst *CI = CallInst::Create(FT, &*F->arg_begin(), Args, "", BB); 725 ReturnInst *RI; 726 if (FT->getReturnType()->isVoidTy()) 727 RI = ReturnInst::Create(*Ctx, BB); 728 else 729 RI = ReturnInst::Create(*Ctx, CI, BB); 730 731 DFSanFunction DFSF(*this, F, /*IsNativeABI=*/true); 732 Function::arg_iterator ValAI = F->arg_begin(), ShadowAI = AI; ++ValAI; 733 for (unsigned N = FT->getNumParams(); N != 0; ++ValAI, ++ShadowAI, --N) 734 DFSF.ValShadowMap[&*ValAI] = &*ShadowAI; 735 DFSanVisitor(DFSF).visitCallInst(*CI); 736 if (!FT->getReturnType()->isVoidTy()) 737 new StoreInst(DFSF.getShadow(RI->getReturnValue()), 738 &*std::prev(F->arg_end()), RI); 739 } 740 741 return cast<Constant>(C.getCallee()); 742 } 743 744 bool DataFlowSanitizer::runOnModule(Module &M) { 745 if (ABIList.isIn(M, "skip")) 746 return false; 747 748 if (!GetArgTLSPtr) { 749 Type *ArgTLSTy = ArrayType::get(ShadowTy, 64); 750 ArgTLS = Mod->getOrInsertGlobal("__dfsan_arg_tls", ArgTLSTy); 751 if (GlobalVariable *G = dyn_cast<GlobalVariable>(ArgTLS)) 752 G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel); 753 } 754 if (!GetRetvalTLSPtr) { 755 RetvalTLS = Mod->getOrInsertGlobal("__dfsan_retval_tls", ShadowTy); 756 if (GlobalVariable *G = dyn_cast<GlobalVariable>(RetvalTLS)) 757 G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel); 758 } 759 760 ExternalShadowMask = 761 Mod->getOrInsertGlobal(kDFSanExternShadowPtrMask, IntptrTy); 762 763 { 764 AttributeList AL; 765 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 766 Attribute::NoUnwind); 767 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 768 Attribute::ReadNone); 769 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex, 770 Attribute::ZExt); 771 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 772 AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt); 773 DFSanUnionFn = 774 Mod->getOrInsertFunction("__dfsan_union", DFSanUnionFnTy, AL); 775 } 776 777 { 778 AttributeList AL; 779 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 780 Attribute::NoUnwind); 781 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 782 Attribute::ReadNone); 783 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex, 784 Attribute::ZExt); 785 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 786 AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt); 787 DFSanCheckedUnionFn = 788 Mod->getOrInsertFunction("dfsan_union", DFSanUnionFnTy, AL); 789 } 790 { 791 AttributeList AL; 792 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 793 Attribute::NoUnwind); 794 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 795 Attribute::ReadOnly); 796 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex, 797 Attribute::ZExt); 798 DFSanUnionLoadFn = 799 Mod->getOrInsertFunction("__dfsan_union_load", DFSanUnionLoadFnTy, AL); 800 } 801 DFSanUnimplementedFn = 802 Mod->getOrInsertFunction("__dfsan_unimplemented", DFSanUnimplementedFnTy); 803 { 804 AttributeList AL; 805 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 806 DFSanSetLabelFn = 807 Mod->getOrInsertFunction("__dfsan_set_label", DFSanSetLabelFnTy, AL); 808 } 809 DFSanNonzeroLabelFn = 810 Mod->getOrInsertFunction("__dfsan_nonzero_label", DFSanNonzeroLabelFnTy); 811 DFSanVarargWrapperFn = Mod->getOrInsertFunction("__dfsan_vararg_wrapper", 812 DFSanVarargWrapperFnTy); 813 814 DFSanLoadCallbackFn = Mod->getOrInsertFunction("__dfsan_load_callback", 815 DFSanLoadStoreCmpCallbackFnTy); 816 DFSanStoreCallbackFn = Mod->getOrInsertFunction( 817 "__dfsan_store_callback", DFSanLoadStoreCmpCallbackFnTy); 818 DFSanMemTransferCallbackFn = Mod->getOrInsertFunction( 819 "__dfsan_mem_transfer_callback", DFSanMemTransferCallbackFnTy); 820 DFSanCmpCallbackFn = Mod->getOrInsertFunction("__dfsan_cmp_callback", 821 DFSanLoadStoreCmpCallbackFnTy); 822 823 std::vector<Function *> FnsToInstrument; 824 SmallPtrSet<Function *, 2> FnsWithNativeABI; 825 for (Function &i : M) { 826 if (!i.isIntrinsic() && 827 &i != DFSanUnionFn.getCallee()->stripPointerCasts() && 828 &i != DFSanCheckedUnionFn.getCallee()->stripPointerCasts() && 829 &i != DFSanUnionLoadFn.getCallee()->stripPointerCasts() && 830 &i != DFSanUnimplementedFn.getCallee()->stripPointerCasts() && 831 &i != DFSanSetLabelFn.getCallee()->stripPointerCasts() && 832 &i != DFSanNonzeroLabelFn.getCallee()->stripPointerCasts() && 833 &i != DFSanVarargWrapperFn.getCallee()->stripPointerCasts() && 834 &i != DFSanLoadCallbackFn.getCallee()->stripPointerCasts() && 835 &i != DFSanStoreCallbackFn.getCallee()->stripPointerCasts() && 836 &i != DFSanMemTransferCallbackFn.getCallee()->stripPointerCasts() && 837 &i != DFSanCmpCallbackFn.getCallee()->stripPointerCasts()) 838 FnsToInstrument.push_back(&i); 839 } 840 841 // Give function aliases prefixes when necessary, and build wrappers where the 842 // instrumentedness is inconsistent. 843 for (Module::alias_iterator i = M.alias_begin(), e = M.alias_end(); i != e;) { 844 GlobalAlias *GA = &*i; 845 ++i; 846 // Don't stop on weak. We assume people aren't playing games with the 847 // instrumentedness of overridden weak aliases. 848 if (auto F = dyn_cast<Function>(GA->getBaseObject())) { 849 bool GAInst = isInstrumented(GA), FInst = isInstrumented(F); 850 if (GAInst && FInst) { 851 addGlobalNamePrefix(GA); 852 } else if (GAInst != FInst) { 853 // Non-instrumented alias of an instrumented function, or vice versa. 854 // Replace the alias with a native-ABI wrapper of the aliasee. The pass 855 // below will take care of instrumenting it. 856 Function *NewF = 857 buildWrapperFunction(F, "", GA->getLinkage(), F->getFunctionType()); 858 GA->replaceAllUsesWith(ConstantExpr::getBitCast(NewF, GA->getType())); 859 NewF->takeName(GA); 860 GA->eraseFromParent(); 861 FnsToInstrument.push_back(NewF); 862 } 863 } 864 } 865 866 ReadOnlyNoneAttrs.addAttribute(Attribute::ReadOnly) 867 .addAttribute(Attribute::ReadNone); 868 869 // First, change the ABI of every function in the module. ABI-listed 870 // functions keep their original ABI and get a wrapper function. 871 for (std::vector<Function *>::iterator i = FnsToInstrument.begin(), 872 e = FnsToInstrument.end(); 873 i != e; ++i) { 874 Function &F = **i; 875 FunctionType *FT = F.getFunctionType(); 876 877 bool IsZeroArgsVoidRet = (FT->getNumParams() == 0 && !FT->isVarArg() && 878 FT->getReturnType()->isVoidTy()); 879 880 if (isInstrumented(&F)) { 881 // Instrumented functions get a 'dfs$' prefix. This allows us to more 882 // easily identify cases of mismatching ABIs. 883 if (getInstrumentedABI() == IA_Args && !IsZeroArgsVoidRet) { 884 FunctionType *NewFT = getArgsFunctionType(FT); 885 Function *NewF = Function::Create(NewFT, F.getLinkage(), 886 F.getAddressSpace(), "", &M); 887 NewF->copyAttributesFrom(&F); 888 NewF->removeAttributes( 889 AttributeList::ReturnIndex, 890 AttributeFuncs::typeIncompatible(NewFT->getReturnType())); 891 for (Function::arg_iterator FArg = F.arg_begin(), 892 NewFArg = NewF->arg_begin(), 893 FArgEnd = F.arg_end(); 894 FArg != FArgEnd; ++FArg, ++NewFArg) { 895 FArg->replaceAllUsesWith(&*NewFArg); 896 } 897 NewF->getBasicBlockList().splice(NewF->begin(), F.getBasicBlockList()); 898 899 for (Function::user_iterator UI = F.user_begin(), UE = F.user_end(); 900 UI != UE;) { 901 BlockAddress *BA = dyn_cast<BlockAddress>(*UI); 902 ++UI; 903 if (BA) { 904 BA->replaceAllUsesWith( 905 BlockAddress::get(NewF, BA->getBasicBlock())); 906 delete BA; 907 } 908 } 909 F.replaceAllUsesWith( 910 ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT))); 911 NewF->takeName(&F); 912 F.eraseFromParent(); 913 *i = NewF; 914 addGlobalNamePrefix(NewF); 915 } else { 916 addGlobalNamePrefix(&F); 917 } 918 } else if (!IsZeroArgsVoidRet || getWrapperKind(&F) == WK_Custom) { 919 // Build a wrapper function for F. The wrapper simply calls F, and is 920 // added to FnsToInstrument so that any instrumentation according to its 921 // WrapperKind is done in the second pass below. 922 FunctionType *NewFT = getInstrumentedABI() == IA_Args 923 ? getArgsFunctionType(FT) 924 : FT; 925 926 // If the function being wrapped has local linkage, then preserve the 927 // function's linkage in the wrapper function. 928 GlobalValue::LinkageTypes wrapperLinkage = 929 F.hasLocalLinkage() 930 ? F.getLinkage() 931 : GlobalValue::LinkOnceODRLinkage; 932 933 Function *NewF = buildWrapperFunction( 934 &F, std::string("dfsw$") + std::string(F.getName()), 935 wrapperLinkage, NewFT); 936 if (getInstrumentedABI() == IA_TLS) 937 NewF->removeAttributes(AttributeList::FunctionIndex, ReadOnlyNoneAttrs); 938 939 Value *WrappedFnCst = 940 ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT)); 941 F.replaceAllUsesWith(WrappedFnCst); 942 943 UnwrappedFnMap[WrappedFnCst] = &F; 944 *i = NewF; 945 946 if (!F.isDeclaration()) { 947 // This function is probably defining an interposition of an 948 // uninstrumented function and hence needs to keep the original ABI. 949 // But any functions it may call need to use the instrumented ABI, so 950 // we instrument it in a mode which preserves the original ABI. 951 FnsWithNativeABI.insert(&F); 952 953 // This code needs to rebuild the iterators, as they may be invalidated 954 // by the push_back, taking care that the new range does not include 955 // any functions added by this code. 956 size_t N = i - FnsToInstrument.begin(), 957 Count = e - FnsToInstrument.begin(); 958 FnsToInstrument.push_back(&F); 959 i = FnsToInstrument.begin() + N; 960 e = FnsToInstrument.begin() + Count; 961 } 962 // Hopefully, nobody will try to indirectly call a vararg 963 // function... yet. 964 } else if (FT->isVarArg()) { 965 UnwrappedFnMap[&F] = &F; 966 *i = nullptr; 967 } 968 } 969 970 for (Function *i : FnsToInstrument) { 971 if (!i || i->isDeclaration()) 972 continue; 973 974 removeUnreachableBlocks(*i); 975 976 DFSanFunction DFSF(*this, i, FnsWithNativeABI.count(i)); 977 978 // DFSanVisitor may create new basic blocks, which confuses df_iterator. 979 // Build a copy of the list before iterating over it. 980 SmallVector<BasicBlock *, 4> BBList(depth_first(&i->getEntryBlock())); 981 982 for (BasicBlock *i : BBList) { 983 Instruction *Inst = &i->front(); 984 while (true) { 985 // DFSanVisitor may split the current basic block, changing the current 986 // instruction's next pointer and moving the next instruction to the 987 // tail block from which we should continue. 988 Instruction *Next = Inst->getNextNode(); 989 // DFSanVisitor may delete Inst, so keep track of whether it was a 990 // terminator. 991 bool IsTerminator = Inst->isTerminator(); 992 if (!DFSF.SkipInsts.count(Inst)) 993 DFSanVisitor(DFSF).visit(Inst); 994 if (IsTerminator) 995 break; 996 Inst = Next; 997 } 998 } 999 1000 // We will not necessarily be able to compute the shadow for every phi node 1001 // until we have visited every block. Therefore, the code that handles phi 1002 // nodes adds them to the PHIFixups list so that they can be properly 1003 // handled here. 1004 for (std::vector<std::pair<PHINode *, PHINode *>>::iterator 1005 i = DFSF.PHIFixups.begin(), 1006 e = DFSF.PHIFixups.end(); 1007 i != e; ++i) { 1008 for (unsigned val = 0, n = i->first->getNumIncomingValues(); val != n; 1009 ++val) { 1010 i->second->setIncomingValue( 1011 val, DFSF.getShadow(i->first->getIncomingValue(val))); 1012 } 1013 } 1014 1015 // -dfsan-debug-nonzero-labels will split the CFG in all kinds of crazy 1016 // places (i.e. instructions in basic blocks we haven't even begun visiting 1017 // yet). To make our life easier, do this work in a pass after the main 1018 // instrumentation. 1019 if (ClDebugNonzeroLabels) { 1020 for (Value *V : DFSF.NonZeroChecks) { 1021 Instruction *Pos; 1022 if (Instruction *I = dyn_cast<Instruction>(V)) 1023 Pos = I->getNextNode(); 1024 else 1025 Pos = &DFSF.F->getEntryBlock().front(); 1026 while (isa<PHINode>(Pos) || isa<AllocaInst>(Pos)) 1027 Pos = Pos->getNextNode(); 1028 IRBuilder<> IRB(Pos); 1029 Value *Ne = IRB.CreateICmpNE(V, DFSF.DFS.ZeroShadow); 1030 BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen( 1031 Ne, Pos, /*Unreachable=*/false, ColdCallWeights)); 1032 IRBuilder<> ThenIRB(BI); 1033 ThenIRB.CreateCall(DFSF.DFS.DFSanNonzeroLabelFn, {}); 1034 } 1035 } 1036 } 1037 1038 return false; 1039 } 1040 1041 Value *DFSanFunction::getArgTLSPtr() { 1042 if (ArgTLSPtr) 1043 return ArgTLSPtr; 1044 if (DFS.ArgTLS) 1045 return ArgTLSPtr = DFS.ArgTLS; 1046 1047 IRBuilder<> IRB(&F->getEntryBlock().front()); 1048 return ArgTLSPtr = IRB.CreateCall(DFS.GetArgTLSTy, DFS.GetArgTLS, {}); 1049 } 1050 1051 Value *DFSanFunction::getRetvalTLS() { 1052 if (RetvalTLSPtr) 1053 return RetvalTLSPtr; 1054 if (DFS.RetvalTLS) 1055 return RetvalTLSPtr = DFS.RetvalTLS; 1056 1057 IRBuilder<> IRB(&F->getEntryBlock().front()); 1058 return RetvalTLSPtr = 1059 IRB.CreateCall(DFS.GetRetvalTLSTy, DFS.GetRetvalTLS, {}); 1060 } 1061 1062 Value *DFSanFunction::getArgTLS(unsigned Idx, Instruction *Pos) { 1063 IRBuilder<> IRB(Pos); 1064 return IRB.CreateConstGEP2_64(ArrayType::get(DFS.ShadowTy, 64), 1065 getArgTLSPtr(), 0, Idx); 1066 } 1067 1068 Value *DFSanFunction::getShadow(Value *V) { 1069 if (!isa<Argument>(V) && !isa<Instruction>(V)) 1070 return DFS.ZeroShadow; 1071 Value *&Shadow = ValShadowMap[V]; 1072 if (!Shadow) { 1073 if (Argument *A = dyn_cast<Argument>(V)) { 1074 if (IsNativeABI) 1075 return DFS.ZeroShadow; 1076 switch (IA) { 1077 case DataFlowSanitizer::IA_TLS: { 1078 Value *ArgTLSPtr = getArgTLSPtr(); 1079 Instruction *ArgTLSPos = 1080 DFS.ArgTLS ? &*F->getEntryBlock().begin() 1081 : cast<Instruction>(ArgTLSPtr)->getNextNode(); 1082 IRBuilder<> IRB(ArgTLSPos); 1083 Shadow = 1084 IRB.CreateLoad(DFS.ShadowTy, getArgTLS(A->getArgNo(), ArgTLSPos)); 1085 break; 1086 } 1087 case DataFlowSanitizer::IA_Args: { 1088 unsigned ArgIdx = A->getArgNo() + F->arg_size() / 2; 1089 Function::arg_iterator i = F->arg_begin(); 1090 while (ArgIdx--) 1091 ++i; 1092 Shadow = &*i; 1093 assert(Shadow->getType() == DFS.ShadowTy); 1094 break; 1095 } 1096 } 1097 NonZeroChecks.push_back(Shadow); 1098 } else { 1099 Shadow = DFS.ZeroShadow; 1100 } 1101 } 1102 return Shadow; 1103 } 1104 1105 void DFSanFunction::setShadow(Instruction *I, Value *Shadow) { 1106 assert(!ValShadowMap.count(I)); 1107 assert(Shadow->getType() == DFS.ShadowTy); 1108 ValShadowMap[I] = Shadow; 1109 } 1110 1111 Value *DataFlowSanitizer::getShadowAddress(Value *Addr, Instruction *Pos) { 1112 assert(Addr != RetvalTLS && "Reinstrumenting?"); 1113 IRBuilder<> IRB(Pos); 1114 Value *ShadowPtrMaskValue; 1115 if (DFSanRuntimeShadowMask) 1116 ShadowPtrMaskValue = IRB.CreateLoad(IntptrTy, ExternalShadowMask); 1117 else 1118 ShadowPtrMaskValue = ShadowPtrMask; 1119 return IRB.CreateIntToPtr( 1120 IRB.CreateMul( 1121 IRB.CreateAnd(IRB.CreatePtrToInt(Addr, IntptrTy), 1122 IRB.CreatePtrToInt(ShadowPtrMaskValue, IntptrTy)), 1123 ShadowPtrMul), 1124 ShadowPtrTy); 1125 } 1126 1127 // Generates IR to compute the union of the two given shadows, inserting it 1128 // before Pos. Returns the computed union Value. 1129 Value *DFSanFunction::combineShadows(Value *V1, Value *V2, Instruction *Pos) { 1130 if (V1 == DFS.ZeroShadow) 1131 return V2; 1132 if (V2 == DFS.ZeroShadow) 1133 return V1; 1134 if (V1 == V2) 1135 return V1; 1136 1137 auto V1Elems = ShadowElements.find(V1); 1138 auto V2Elems = ShadowElements.find(V2); 1139 if (V1Elems != ShadowElements.end() && V2Elems != ShadowElements.end()) { 1140 if (std::includes(V1Elems->second.begin(), V1Elems->second.end(), 1141 V2Elems->second.begin(), V2Elems->second.end())) { 1142 return V1; 1143 } else if (std::includes(V2Elems->second.begin(), V2Elems->second.end(), 1144 V1Elems->second.begin(), V1Elems->second.end())) { 1145 return V2; 1146 } 1147 } else if (V1Elems != ShadowElements.end()) { 1148 if (V1Elems->second.count(V2)) 1149 return V1; 1150 } else if (V2Elems != ShadowElements.end()) { 1151 if (V2Elems->second.count(V1)) 1152 return V2; 1153 } 1154 1155 auto Key = std::make_pair(V1, V2); 1156 if (V1 > V2) 1157 std::swap(Key.first, Key.second); 1158 CachedCombinedShadow &CCS = CachedCombinedShadows[Key]; 1159 if (CCS.Block && DT.dominates(CCS.Block, Pos->getParent())) 1160 return CCS.Shadow; 1161 1162 IRBuilder<> IRB(Pos); 1163 if (AvoidNewBlocks) { 1164 CallInst *Call = IRB.CreateCall(DFS.DFSanCheckedUnionFn, {V1, V2}); 1165 Call->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt); 1166 Call->addParamAttr(0, Attribute::ZExt); 1167 Call->addParamAttr(1, Attribute::ZExt); 1168 1169 CCS.Block = Pos->getParent(); 1170 CCS.Shadow = Call; 1171 } else { 1172 BasicBlock *Head = Pos->getParent(); 1173 Value *Ne = IRB.CreateICmpNE(V1, V2); 1174 BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen( 1175 Ne, Pos, /*Unreachable=*/false, DFS.ColdCallWeights, &DT)); 1176 IRBuilder<> ThenIRB(BI); 1177 CallInst *Call = ThenIRB.CreateCall(DFS.DFSanUnionFn, {V1, V2}); 1178 Call->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt); 1179 Call->addParamAttr(0, Attribute::ZExt); 1180 Call->addParamAttr(1, Attribute::ZExt); 1181 1182 BasicBlock *Tail = BI->getSuccessor(0); 1183 PHINode *Phi = PHINode::Create(DFS.ShadowTy, 2, "", &Tail->front()); 1184 Phi->addIncoming(Call, Call->getParent()); 1185 Phi->addIncoming(V1, Head); 1186 1187 CCS.Block = Tail; 1188 CCS.Shadow = Phi; 1189 } 1190 1191 std::set<Value *> UnionElems; 1192 if (V1Elems != ShadowElements.end()) { 1193 UnionElems = V1Elems->second; 1194 } else { 1195 UnionElems.insert(V1); 1196 } 1197 if (V2Elems != ShadowElements.end()) { 1198 UnionElems.insert(V2Elems->second.begin(), V2Elems->second.end()); 1199 } else { 1200 UnionElems.insert(V2); 1201 } 1202 ShadowElements[CCS.Shadow] = std::move(UnionElems); 1203 1204 return CCS.Shadow; 1205 } 1206 1207 // A convenience function which folds the shadows of each of the operands 1208 // of the provided instruction Inst, inserting the IR before Inst. Returns 1209 // the computed union Value. 1210 Value *DFSanFunction::combineOperandShadows(Instruction *Inst) { 1211 if (Inst->getNumOperands() == 0) 1212 return DFS.ZeroShadow; 1213 1214 Value *Shadow = getShadow(Inst->getOperand(0)); 1215 for (unsigned i = 1, n = Inst->getNumOperands(); i != n; ++i) { 1216 Shadow = combineShadows(Shadow, getShadow(Inst->getOperand(i)), Inst); 1217 } 1218 return Shadow; 1219 } 1220 1221 Value *DFSanVisitor::visitOperandShadowInst(Instruction &I) { 1222 Value *CombinedShadow = DFSF.combineOperandShadows(&I); 1223 DFSF.setShadow(&I, CombinedShadow); 1224 return CombinedShadow; 1225 } 1226 1227 // Generates IR to load shadow corresponding to bytes [Addr, Addr+Size), where 1228 // Addr has alignment Align, and take the union of each of those shadows. 1229 Value *DFSanFunction::loadShadow(Value *Addr, uint64_t Size, uint64_t Align, 1230 Instruction *Pos) { 1231 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) { 1232 const auto i = AllocaShadowMap.find(AI); 1233 if (i != AllocaShadowMap.end()) { 1234 IRBuilder<> IRB(Pos); 1235 return IRB.CreateLoad(DFS.ShadowTy, i->second); 1236 } 1237 } 1238 1239 const llvm::Align ShadowAlign(Align * DFS.ShadowWidthBytes); 1240 SmallVector<const Value *, 2> Objs; 1241 GetUnderlyingObjects(Addr, Objs, Pos->getModule()->getDataLayout()); 1242 bool AllConstants = true; 1243 for (const Value *Obj : Objs) { 1244 if (isa<Function>(Obj) || isa<BlockAddress>(Obj)) 1245 continue; 1246 if (isa<GlobalVariable>(Obj) && cast<GlobalVariable>(Obj)->isConstant()) 1247 continue; 1248 1249 AllConstants = false; 1250 break; 1251 } 1252 if (AllConstants) 1253 return DFS.ZeroShadow; 1254 1255 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos); 1256 switch (Size) { 1257 case 0: 1258 return DFS.ZeroShadow; 1259 case 1: { 1260 LoadInst *LI = new LoadInst(DFS.ShadowTy, ShadowAddr, "", Pos); 1261 LI->setAlignment(ShadowAlign); 1262 return LI; 1263 } 1264 case 2: { 1265 IRBuilder<> IRB(Pos); 1266 Value *ShadowAddr1 = IRB.CreateGEP(DFS.ShadowTy, ShadowAddr, 1267 ConstantInt::get(DFS.IntptrTy, 1)); 1268 return combineShadows( 1269 IRB.CreateAlignedLoad(DFS.ShadowTy, ShadowAddr, ShadowAlign), 1270 IRB.CreateAlignedLoad(DFS.ShadowTy, ShadowAddr1, ShadowAlign), Pos); 1271 } 1272 } 1273 if (!AvoidNewBlocks && Size % (64 / DFS.ShadowWidthBits) == 0) { 1274 // Fast path for the common case where each byte has identical shadow: load 1275 // shadow 64 bits at a time, fall out to a __dfsan_union_load call if any 1276 // shadow is non-equal. 1277 BasicBlock *FallbackBB = BasicBlock::Create(*DFS.Ctx, "", F); 1278 IRBuilder<> FallbackIRB(FallbackBB); 1279 CallInst *FallbackCall = FallbackIRB.CreateCall( 1280 DFS.DFSanUnionLoadFn, 1281 {ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)}); 1282 FallbackCall->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt); 1283 1284 // Compare each of the shadows stored in the loaded 64 bits to each other, 1285 // by computing (WideShadow rotl ShadowWidthBits) == WideShadow. 1286 IRBuilder<> IRB(Pos); 1287 Value *WideAddr = 1288 IRB.CreateBitCast(ShadowAddr, Type::getInt64PtrTy(*DFS.Ctx)); 1289 Value *WideShadow = 1290 IRB.CreateAlignedLoad(IRB.getInt64Ty(), WideAddr, ShadowAlign); 1291 Value *TruncShadow = IRB.CreateTrunc(WideShadow, DFS.ShadowTy); 1292 Value *ShlShadow = IRB.CreateShl(WideShadow, DFS.ShadowWidthBits); 1293 Value *ShrShadow = IRB.CreateLShr(WideShadow, 64 - DFS.ShadowWidthBits); 1294 Value *RotShadow = IRB.CreateOr(ShlShadow, ShrShadow); 1295 Value *ShadowsEq = IRB.CreateICmpEQ(WideShadow, RotShadow); 1296 1297 BasicBlock *Head = Pos->getParent(); 1298 BasicBlock *Tail = Head->splitBasicBlock(Pos->getIterator()); 1299 1300 if (DomTreeNode *OldNode = DT.getNode(Head)) { 1301 std::vector<DomTreeNode *> Children(OldNode->begin(), OldNode->end()); 1302 1303 DomTreeNode *NewNode = DT.addNewBlock(Tail, Head); 1304 for (auto Child : Children) 1305 DT.changeImmediateDominator(Child, NewNode); 1306 } 1307 1308 // In the following code LastBr will refer to the previous basic block's 1309 // conditional branch instruction, whose true successor is fixed up to point 1310 // to the next block during the loop below or to the tail after the final 1311 // iteration. 1312 BranchInst *LastBr = BranchInst::Create(FallbackBB, FallbackBB, ShadowsEq); 1313 ReplaceInstWithInst(Head->getTerminator(), LastBr); 1314 DT.addNewBlock(FallbackBB, Head); 1315 1316 for (uint64_t Ofs = 64 / DFS.ShadowWidthBits; Ofs != Size; 1317 Ofs += 64 / DFS.ShadowWidthBits) { 1318 BasicBlock *NextBB = BasicBlock::Create(*DFS.Ctx, "", F); 1319 DT.addNewBlock(NextBB, LastBr->getParent()); 1320 IRBuilder<> NextIRB(NextBB); 1321 WideAddr = NextIRB.CreateGEP(Type::getInt64Ty(*DFS.Ctx), WideAddr, 1322 ConstantInt::get(DFS.IntptrTy, 1)); 1323 Value *NextWideShadow = NextIRB.CreateAlignedLoad(NextIRB.getInt64Ty(), 1324 WideAddr, ShadowAlign); 1325 ShadowsEq = NextIRB.CreateICmpEQ(WideShadow, NextWideShadow); 1326 LastBr->setSuccessor(0, NextBB); 1327 LastBr = NextIRB.CreateCondBr(ShadowsEq, FallbackBB, FallbackBB); 1328 } 1329 1330 LastBr->setSuccessor(0, Tail); 1331 FallbackIRB.CreateBr(Tail); 1332 PHINode *Shadow = PHINode::Create(DFS.ShadowTy, 2, "", &Tail->front()); 1333 Shadow->addIncoming(FallbackCall, FallbackBB); 1334 Shadow->addIncoming(TruncShadow, LastBr->getParent()); 1335 return Shadow; 1336 } 1337 1338 IRBuilder<> IRB(Pos); 1339 CallInst *FallbackCall = IRB.CreateCall( 1340 DFS.DFSanUnionLoadFn, {ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)}); 1341 FallbackCall->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt); 1342 return FallbackCall; 1343 } 1344 1345 void DFSanVisitor::visitLoadInst(LoadInst &LI) { 1346 auto &DL = LI.getModule()->getDataLayout(); 1347 uint64_t Size = DL.getTypeStoreSize(LI.getType()); 1348 if (Size == 0) { 1349 DFSF.setShadow(&LI, DFSF.DFS.ZeroShadow); 1350 return; 1351 } 1352 1353 uint64_t Align; 1354 if (ClPreserveAlignment) { 1355 Align = LI.getAlignment(); 1356 if (Align == 0) 1357 Align = DL.getABITypeAlignment(LI.getType()); 1358 } else { 1359 Align = 1; 1360 } 1361 Value *Shadow = DFSF.loadShadow(LI.getPointerOperand(), Size, Align, &LI); 1362 if (ClCombinePointerLabelsOnLoad) { 1363 Value *PtrShadow = DFSF.getShadow(LI.getPointerOperand()); 1364 Shadow = DFSF.combineShadows(Shadow, PtrShadow, &LI); 1365 } 1366 if (Shadow != DFSF.DFS.ZeroShadow) 1367 DFSF.NonZeroChecks.push_back(Shadow); 1368 1369 DFSF.setShadow(&LI, Shadow); 1370 if (ClEventCallbacks) { 1371 IRBuilder<> IRB(&LI); 1372 IRB.CreateCall(DFSF.DFS.DFSanLoadCallbackFn, Shadow); 1373 } 1374 } 1375 1376 void DFSanFunction::storeShadow(Value *Addr, uint64_t Size, Align Alignment, 1377 Value *Shadow, Instruction *Pos) { 1378 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) { 1379 const auto i = AllocaShadowMap.find(AI); 1380 if (i != AllocaShadowMap.end()) { 1381 IRBuilder<> IRB(Pos); 1382 IRB.CreateStore(Shadow, i->second); 1383 return; 1384 } 1385 } 1386 1387 const Align ShadowAlign(Alignment.value() * DFS.ShadowWidthBytes); 1388 IRBuilder<> IRB(Pos); 1389 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos); 1390 if (Shadow == DFS.ZeroShadow) { 1391 IntegerType *ShadowTy = 1392 IntegerType::get(*DFS.Ctx, Size * DFS.ShadowWidthBits); 1393 Value *ExtZeroShadow = ConstantInt::get(ShadowTy, 0); 1394 Value *ExtShadowAddr = 1395 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowTy)); 1396 IRB.CreateAlignedStore(ExtZeroShadow, ExtShadowAddr, ShadowAlign); 1397 return; 1398 } 1399 1400 const unsigned ShadowVecSize = 128 / DFS.ShadowWidthBits; 1401 uint64_t Offset = 0; 1402 if (Size >= ShadowVecSize) { 1403 VectorType *ShadowVecTy = VectorType::get(DFS.ShadowTy, ShadowVecSize); 1404 Value *ShadowVec = UndefValue::get(ShadowVecTy); 1405 for (unsigned i = 0; i != ShadowVecSize; ++i) { 1406 ShadowVec = IRB.CreateInsertElement( 1407 ShadowVec, Shadow, ConstantInt::get(Type::getInt32Ty(*DFS.Ctx), i)); 1408 } 1409 Value *ShadowVecAddr = 1410 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowVecTy)); 1411 do { 1412 Value *CurShadowVecAddr = 1413 IRB.CreateConstGEP1_32(ShadowVecTy, ShadowVecAddr, Offset); 1414 IRB.CreateAlignedStore(ShadowVec, CurShadowVecAddr, ShadowAlign); 1415 Size -= ShadowVecSize; 1416 ++Offset; 1417 } while (Size >= ShadowVecSize); 1418 Offset *= ShadowVecSize; 1419 } 1420 while (Size > 0) { 1421 Value *CurShadowAddr = 1422 IRB.CreateConstGEP1_32(DFS.ShadowTy, ShadowAddr, Offset); 1423 IRB.CreateAlignedStore(Shadow, CurShadowAddr, ShadowAlign); 1424 --Size; 1425 ++Offset; 1426 } 1427 } 1428 1429 void DFSanVisitor::visitStoreInst(StoreInst &SI) { 1430 auto &DL = SI.getModule()->getDataLayout(); 1431 uint64_t Size = DL.getTypeStoreSize(SI.getValueOperand()->getType()); 1432 if (Size == 0) 1433 return; 1434 1435 const Align Alignement = 1436 ClPreserveAlignment ? DL.getValueOrABITypeAlignment( 1437 SI.getAlign(), SI.getValueOperand()->getType()) 1438 : Align(1); 1439 1440 Value* Shadow = DFSF.getShadow(SI.getValueOperand()); 1441 if (ClCombinePointerLabelsOnStore) { 1442 Value *PtrShadow = DFSF.getShadow(SI.getPointerOperand()); 1443 Shadow = DFSF.combineShadows(Shadow, PtrShadow, &SI); 1444 } 1445 DFSF.storeShadow(SI.getPointerOperand(), Size, Alignement, Shadow, &SI); 1446 if (ClEventCallbacks) { 1447 IRBuilder<> IRB(&SI); 1448 IRB.CreateCall(DFSF.DFS.DFSanStoreCallbackFn, Shadow); 1449 } 1450 } 1451 1452 void DFSanVisitor::visitUnaryOperator(UnaryOperator &UO) { 1453 visitOperandShadowInst(UO); 1454 } 1455 1456 void DFSanVisitor::visitBinaryOperator(BinaryOperator &BO) { 1457 visitOperandShadowInst(BO); 1458 } 1459 1460 void DFSanVisitor::visitCastInst(CastInst &CI) { visitOperandShadowInst(CI); } 1461 1462 void DFSanVisitor::visitCmpInst(CmpInst &CI) { 1463 Value *CombinedShadow = visitOperandShadowInst(CI); 1464 if (ClEventCallbacks) { 1465 IRBuilder<> IRB(&CI); 1466 IRB.CreateCall(DFSF.DFS.DFSanCmpCallbackFn, CombinedShadow); 1467 } 1468 } 1469 1470 void DFSanVisitor::visitGetElementPtrInst(GetElementPtrInst &GEPI) { 1471 visitOperandShadowInst(GEPI); 1472 } 1473 1474 void DFSanVisitor::visitExtractElementInst(ExtractElementInst &I) { 1475 visitOperandShadowInst(I); 1476 } 1477 1478 void DFSanVisitor::visitInsertElementInst(InsertElementInst &I) { 1479 visitOperandShadowInst(I); 1480 } 1481 1482 void DFSanVisitor::visitShuffleVectorInst(ShuffleVectorInst &I) { 1483 visitOperandShadowInst(I); 1484 } 1485 1486 void DFSanVisitor::visitExtractValueInst(ExtractValueInst &I) { 1487 visitOperandShadowInst(I); 1488 } 1489 1490 void DFSanVisitor::visitInsertValueInst(InsertValueInst &I) { 1491 visitOperandShadowInst(I); 1492 } 1493 1494 void DFSanVisitor::visitAllocaInst(AllocaInst &I) { 1495 bool AllLoadsStores = true; 1496 for (User *U : I.users()) { 1497 if (isa<LoadInst>(U)) 1498 continue; 1499 1500 if (StoreInst *SI = dyn_cast<StoreInst>(U)) { 1501 if (SI->getPointerOperand() == &I) 1502 continue; 1503 } 1504 1505 AllLoadsStores = false; 1506 break; 1507 } 1508 if (AllLoadsStores) { 1509 IRBuilder<> IRB(&I); 1510 DFSF.AllocaShadowMap[&I] = IRB.CreateAlloca(DFSF.DFS.ShadowTy); 1511 } 1512 DFSF.setShadow(&I, DFSF.DFS.ZeroShadow); 1513 } 1514 1515 void DFSanVisitor::visitSelectInst(SelectInst &I) { 1516 Value *CondShadow = DFSF.getShadow(I.getCondition()); 1517 Value *TrueShadow = DFSF.getShadow(I.getTrueValue()); 1518 Value *FalseShadow = DFSF.getShadow(I.getFalseValue()); 1519 1520 if (isa<VectorType>(I.getCondition()->getType())) { 1521 DFSF.setShadow( 1522 &I, 1523 DFSF.combineShadows( 1524 CondShadow, DFSF.combineShadows(TrueShadow, FalseShadow, &I), &I)); 1525 } else { 1526 Value *ShadowSel; 1527 if (TrueShadow == FalseShadow) { 1528 ShadowSel = TrueShadow; 1529 } else { 1530 ShadowSel = 1531 SelectInst::Create(I.getCondition(), TrueShadow, FalseShadow, "", &I); 1532 } 1533 DFSF.setShadow(&I, DFSF.combineShadows(CondShadow, ShadowSel, &I)); 1534 } 1535 } 1536 1537 void DFSanVisitor::visitMemSetInst(MemSetInst &I) { 1538 IRBuilder<> IRB(&I); 1539 Value *ValShadow = DFSF.getShadow(I.getValue()); 1540 IRB.CreateCall(DFSF.DFS.DFSanSetLabelFn, 1541 {ValShadow, IRB.CreateBitCast(I.getDest(), Type::getInt8PtrTy( 1542 *DFSF.DFS.Ctx)), 1543 IRB.CreateZExtOrTrunc(I.getLength(), DFSF.DFS.IntptrTy)}); 1544 } 1545 1546 void DFSanVisitor::visitMemTransferInst(MemTransferInst &I) { 1547 IRBuilder<> IRB(&I); 1548 Value *RawDestShadow = DFSF.DFS.getShadowAddress(I.getDest(), &I); 1549 Value *SrcShadow = DFSF.DFS.getShadowAddress(I.getSource(), &I); 1550 Value *LenShadow = 1551 IRB.CreateMul(I.getLength(), ConstantInt::get(I.getLength()->getType(), 1552 DFSF.DFS.ShadowWidthBytes)); 1553 Type *Int8Ptr = Type::getInt8PtrTy(*DFSF.DFS.Ctx); 1554 Value *DestShadow = IRB.CreateBitCast(RawDestShadow, Int8Ptr); 1555 SrcShadow = IRB.CreateBitCast(SrcShadow, Int8Ptr); 1556 auto *MTI = cast<MemTransferInst>( 1557 IRB.CreateCall(I.getFunctionType(), I.getCalledValue(), 1558 {DestShadow, SrcShadow, LenShadow, I.getVolatileCst()})); 1559 if (ClPreserveAlignment) { 1560 MTI->setDestAlignment(I.getDestAlign() * DFSF.DFS.ShadowWidthBytes); 1561 MTI->setSourceAlignment(I.getSourceAlign() * DFSF.DFS.ShadowWidthBytes); 1562 } else { 1563 MTI->setDestAlignment(Align(DFSF.DFS.ShadowWidthBytes)); 1564 MTI->setSourceAlignment(Align(DFSF.DFS.ShadowWidthBytes)); 1565 } 1566 if (ClEventCallbacks) { 1567 IRB.CreateCall(DFSF.DFS.DFSanMemTransferCallbackFn, 1568 {RawDestShadow, I.getLength()}); 1569 } 1570 } 1571 1572 void DFSanVisitor::visitReturnInst(ReturnInst &RI) { 1573 if (!DFSF.IsNativeABI && RI.getReturnValue()) { 1574 switch (DFSF.IA) { 1575 case DataFlowSanitizer::IA_TLS: { 1576 Value *S = DFSF.getShadow(RI.getReturnValue()); 1577 IRBuilder<> IRB(&RI); 1578 IRB.CreateStore(S, DFSF.getRetvalTLS()); 1579 break; 1580 } 1581 case DataFlowSanitizer::IA_Args: { 1582 IRBuilder<> IRB(&RI); 1583 Type *RT = DFSF.F->getFunctionType()->getReturnType(); 1584 Value *InsVal = 1585 IRB.CreateInsertValue(UndefValue::get(RT), RI.getReturnValue(), 0); 1586 Value *InsShadow = 1587 IRB.CreateInsertValue(InsVal, DFSF.getShadow(RI.getReturnValue()), 1); 1588 RI.setOperand(0, InsShadow); 1589 break; 1590 } 1591 } 1592 } 1593 } 1594 1595 void DFSanVisitor::visitCallSite(CallSite CS) { 1596 Function *F = CS.getCalledFunction(); 1597 if ((F && F->isIntrinsic()) || isa<InlineAsm>(CS.getCalledValue())) { 1598 visitOperandShadowInst(*CS.getInstruction()); 1599 return; 1600 } 1601 1602 // Calls to this function are synthesized in wrappers, and we shouldn't 1603 // instrument them. 1604 if (F == DFSF.DFS.DFSanVarargWrapperFn.getCallee()->stripPointerCasts()) 1605 return; 1606 1607 IRBuilder<> IRB(CS.getInstruction()); 1608 1609 DenseMap<Value *, Function *>::iterator i = 1610 DFSF.DFS.UnwrappedFnMap.find(CS.getCalledValue()); 1611 if (i != DFSF.DFS.UnwrappedFnMap.end()) { 1612 Function *F = i->second; 1613 switch (DFSF.DFS.getWrapperKind(F)) { 1614 case DataFlowSanitizer::WK_Warning: 1615 CS.setCalledFunction(F); 1616 IRB.CreateCall(DFSF.DFS.DFSanUnimplementedFn, 1617 IRB.CreateGlobalStringPtr(F->getName())); 1618 DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow); 1619 return; 1620 case DataFlowSanitizer::WK_Discard: 1621 CS.setCalledFunction(F); 1622 DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow); 1623 return; 1624 case DataFlowSanitizer::WK_Functional: 1625 CS.setCalledFunction(F); 1626 visitOperandShadowInst(*CS.getInstruction()); 1627 return; 1628 case DataFlowSanitizer::WK_Custom: 1629 // Don't try to handle invokes of custom functions, it's too complicated. 1630 // Instead, invoke the dfsw$ wrapper, which will in turn call the __dfsw_ 1631 // wrapper. 1632 if (CallInst *CI = dyn_cast<CallInst>(CS.getInstruction())) { 1633 FunctionType *FT = F->getFunctionType(); 1634 TransformedFunction CustomFn = DFSF.DFS.getCustomFunctionType(FT); 1635 std::string CustomFName = "__dfsw_"; 1636 CustomFName += F->getName(); 1637 FunctionCallee CustomF = DFSF.DFS.Mod->getOrInsertFunction( 1638 CustomFName, CustomFn.TransformedType); 1639 if (Function *CustomFn = dyn_cast<Function>(CustomF.getCallee())) { 1640 CustomFn->copyAttributesFrom(F); 1641 1642 // Custom functions returning non-void will write to the return label. 1643 if (!FT->getReturnType()->isVoidTy()) { 1644 CustomFn->removeAttributes(AttributeList::FunctionIndex, 1645 DFSF.DFS.ReadOnlyNoneAttrs); 1646 } 1647 } 1648 1649 std::vector<Value *> Args; 1650 1651 CallSite::arg_iterator i = CS.arg_begin(); 1652 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) { 1653 Type *T = (*i)->getType(); 1654 FunctionType *ParamFT; 1655 if (isa<PointerType>(T) && 1656 (ParamFT = dyn_cast<FunctionType>( 1657 cast<PointerType>(T)->getElementType()))) { 1658 std::string TName = "dfst"; 1659 TName += utostr(FT->getNumParams() - n); 1660 TName += "$"; 1661 TName += F->getName(); 1662 Constant *T = DFSF.DFS.getOrBuildTrampolineFunction(ParamFT, TName); 1663 Args.push_back(T); 1664 Args.push_back( 1665 IRB.CreateBitCast(*i, Type::getInt8PtrTy(*DFSF.DFS.Ctx))); 1666 } else { 1667 Args.push_back(*i); 1668 } 1669 } 1670 1671 i = CS.arg_begin(); 1672 const unsigned ShadowArgStart = Args.size(); 1673 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 1674 Args.push_back(DFSF.getShadow(*i)); 1675 1676 if (FT->isVarArg()) { 1677 auto *LabelVATy = ArrayType::get(DFSF.DFS.ShadowTy, 1678 CS.arg_size() - FT->getNumParams()); 1679 auto *LabelVAAlloca = new AllocaInst( 1680 LabelVATy, getDataLayout().getAllocaAddrSpace(), 1681 "labelva", &DFSF.F->getEntryBlock().front()); 1682 1683 for (unsigned n = 0; i != CS.arg_end(); ++i, ++n) { 1684 auto LabelVAPtr = IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, n); 1685 IRB.CreateStore(DFSF.getShadow(*i), LabelVAPtr); 1686 } 1687 1688 Args.push_back(IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, 0)); 1689 } 1690 1691 if (!FT->getReturnType()->isVoidTy()) { 1692 if (!DFSF.LabelReturnAlloca) { 1693 DFSF.LabelReturnAlloca = 1694 new AllocaInst(DFSF.DFS.ShadowTy, 1695 getDataLayout().getAllocaAddrSpace(), 1696 "labelreturn", &DFSF.F->getEntryBlock().front()); 1697 } 1698 Args.push_back(DFSF.LabelReturnAlloca); 1699 } 1700 1701 for (i = CS.arg_begin() + FT->getNumParams(); i != CS.arg_end(); ++i) 1702 Args.push_back(*i); 1703 1704 CallInst *CustomCI = IRB.CreateCall(CustomF, Args); 1705 CustomCI->setCallingConv(CI->getCallingConv()); 1706 CustomCI->setAttributes(TransformFunctionAttributes(CustomFn, 1707 CI->getContext(), CI->getAttributes())); 1708 1709 // Update the parameter attributes of the custom call instruction to 1710 // zero extend the shadow parameters. This is required for targets 1711 // which consider ShadowTy an illegal type. 1712 for (unsigned n = 0; n < FT->getNumParams(); n++) { 1713 const unsigned ArgNo = ShadowArgStart + n; 1714 if (CustomCI->getArgOperand(ArgNo)->getType() == DFSF.DFS.ShadowTy) 1715 CustomCI->addParamAttr(ArgNo, Attribute::ZExt); 1716 } 1717 1718 if (!FT->getReturnType()->isVoidTy()) { 1719 LoadInst *LabelLoad = 1720 IRB.CreateLoad(DFSF.DFS.ShadowTy, DFSF.LabelReturnAlloca); 1721 DFSF.setShadow(CustomCI, LabelLoad); 1722 } 1723 1724 CI->replaceAllUsesWith(CustomCI); 1725 CI->eraseFromParent(); 1726 return; 1727 } 1728 break; 1729 } 1730 } 1731 1732 FunctionType *FT = cast<FunctionType>( 1733 CS.getCalledValue()->getType()->getPointerElementType()); 1734 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) { 1735 for (unsigned i = 0, n = FT->getNumParams(); i != n; ++i) { 1736 IRB.CreateStore(DFSF.getShadow(CS.getArgument(i)), 1737 DFSF.getArgTLS(i, CS.getInstruction())); 1738 } 1739 } 1740 1741 Instruction *Next = nullptr; 1742 if (!CS.getType()->isVoidTy()) { 1743 if (InvokeInst *II = dyn_cast<InvokeInst>(CS.getInstruction())) { 1744 if (II->getNormalDest()->getSinglePredecessor()) { 1745 Next = &II->getNormalDest()->front(); 1746 } else { 1747 BasicBlock *NewBB = 1748 SplitEdge(II->getParent(), II->getNormalDest(), &DFSF.DT); 1749 Next = &NewBB->front(); 1750 } 1751 } else { 1752 assert(CS->getIterator() != CS->getParent()->end()); 1753 Next = CS->getNextNode(); 1754 } 1755 1756 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) { 1757 IRBuilder<> NextIRB(Next); 1758 LoadInst *LI = NextIRB.CreateLoad(DFSF.DFS.ShadowTy, DFSF.getRetvalTLS()); 1759 DFSF.SkipInsts.insert(LI); 1760 DFSF.setShadow(CS.getInstruction(), LI); 1761 DFSF.NonZeroChecks.push_back(LI); 1762 } 1763 } 1764 1765 // Do all instrumentation for IA_Args down here to defer tampering with the 1766 // CFG in a way that SplitEdge may be able to detect. 1767 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_Args) { 1768 FunctionType *NewFT = DFSF.DFS.getArgsFunctionType(FT); 1769 Value *Func = 1770 IRB.CreateBitCast(CS.getCalledValue(), PointerType::getUnqual(NewFT)); 1771 std::vector<Value *> Args; 1772 1773 CallSite::arg_iterator i = CS.arg_begin(), e = CS.arg_end(); 1774 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 1775 Args.push_back(*i); 1776 1777 i = CS.arg_begin(); 1778 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 1779 Args.push_back(DFSF.getShadow(*i)); 1780 1781 if (FT->isVarArg()) { 1782 unsigned VarArgSize = CS.arg_size() - FT->getNumParams(); 1783 ArrayType *VarArgArrayTy = ArrayType::get(DFSF.DFS.ShadowTy, VarArgSize); 1784 AllocaInst *VarArgShadow = 1785 new AllocaInst(VarArgArrayTy, getDataLayout().getAllocaAddrSpace(), 1786 "", &DFSF.F->getEntryBlock().front()); 1787 Args.push_back(IRB.CreateConstGEP2_32(VarArgArrayTy, VarArgShadow, 0, 0)); 1788 for (unsigned n = 0; i != e; ++i, ++n) { 1789 IRB.CreateStore( 1790 DFSF.getShadow(*i), 1791 IRB.CreateConstGEP2_32(VarArgArrayTy, VarArgShadow, 0, n)); 1792 Args.push_back(*i); 1793 } 1794 } 1795 1796 CallSite NewCS; 1797 if (InvokeInst *II = dyn_cast<InvokeInst>(CS.getInstruction())) { 1798 NewCS = IRB.CreateInvoke(NewFT, Func, II->getNormalDest(), 1799 II->getUnwindDest(), Args); 1800 } else { 1801 NewCS = IRB.CreateCall(NewFT, Func, Args); 1802 } 1803 NewCS.setCallingConv(CS.getCallingConv()); 1804 NewCS.setAttributes(CS.getAttributes().removeAttributes( 1805 *DFSF.DFS.Ctx, AttributeList::ReturnIndex, 1806 AttributeFuncs::typeIncompatible(NewCS.getInstruction()->getType()))); 1807 1808 if (Next) { 1809 ExtractValueInst *ExVal = 1810 ExtractValueInst::Create(NewCS.getInstruction(), 0, "", Next); 1811 DFSF.SkipInsts.insert(ExVal); 1812 ExtractValueInst *ExShadow = 1813 ExtractValueInst::Create(NewCS.getInstruction(), 1, "", Next); 1814 DFSF.SkipInsts.insert(ExShadow); 1815 DFSF.setShadow(ExVal, ExShadow); 1816 DFSF.NonZeroChecks.push_back(ExShadow); 1817 1818 CS.getInstruction()->replaceAllUsesWith(ExVal); 1819 } 1820 1821 CS.getInstruction()->eraseFromParent(); 1822 } 1823 } 1824 1825 void DFSanVisitor::visitPHINode(PHINode &PN) { 1826 PHINode *ShadowPN = 1827 PHINode::Create(DFSF.DFS.ShadowTy, PN.getNumIncomingValues(), "", &PN); 1828 1829 // Give the shadow phi node valid predecessors to fool SplitEdge into working. 1830 Value *UndefShadow = UndefValue::get(DFSF.DFS.ShadowTy); 1831 for (PHINode::block_iterator i = PN.block_begin(), e = PN.block_end(); i != e; 1832 ++i) { 1833 ShadowPN->addIncoming(UndefShadow, *i); 1834 } 1835 1836 DFSF.PHIFixups.push_back(std::make_pair(&PN, ShadowPN)); 1837 DFSF.setShadow(&PN, ShadowPN); 1838 } 1839