1 //===- DataFlowSanitizer.cpp - dynamic data flow analysis -----------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 /// \file 10 /// This file is a part of DataFlowSanitizer, a generalised dynamic data flow 11 /// analysis. 12 /// 13 /// Unlike other Sanitizer tools, this tool is not designed to detect a specific 14 /// class of bugs on its own. Instead, it provides a generic dynamic data flow 15 /// analysis framework to be used by clients to help detect application-specific 16 /// issues within their own code. 17 /// 18 /// The analysis is based on automatic propagation of data flow labels (also 19 /// known as taint labels) through a program as it performs computation. Each 20 /// byte of application memory is backed by two bytes of shadow memory which 21 /// hold the label. On Linux/x86_64, memory is laid out as follows: 22 /// 23 /// +--------------------+ 0x800000000000 (top of memory) 24 /// | application memory | 25 /// +--------------------+ 0x700000008000 (kAppAddr) 26 /// | | 27 /// | unused | 28 /// | | 29 /// +--------------------+ 0x300200000000 (kUnusedAddr) 30 /// | union table | 31 /// +--------------------+ 0x300000000000 (kUnionTableAddr) 32 /// | origin | 33 /// +--------------------+ 0x200000008000 (kOriginAddr) 34 /// | shadow memory | 35 /// +--------------------+ 0x000000010000 (kShadowAddr) 36 /// | reserved by kernel | 37 /// +--------------------+ 0x000000000000 38 /// 39 /// To derive a shadow memory address from an application memory address, 40 /// bits 44-46 are cleared to bring the address into the range 41 /// [0x000000008000,0x100000000000). Then the address is shifted left by 1 to 42 /// account for the double byte representation of shadow labels and move the 43 /// address into the shadow memory range. See the function 44 /// DataFlowSanitizer::getShadowAddress below. 45 /// 46 /// For more information, please refer to the design document: 47 /// http://clang.llvm.org/docs/DataFlowSanitizerDesign.html 48 // 49 //===----------------------------------------------------------------------===// 50 51 #include "llvm/Transforms/Instrumentation/DataFlowSanitizer.h" 52 #include "llvm/ADT/DenseMap.h" 53 #include "llvm/ADT/DenseSet.h" 54 #include "llvm/ADT/DepthFirstIterator.h" 55 #include "llvm/ADT/None.h" 56 #include "llvm/ADT/SmallPtrSet.h" 57 #include "llvm/ADT/SmallVector.h" 58 #include "llvm/ADT/StringExtras.h" 59 #include "llvm/ADT/StringRef.h" 60 #include "llvm/ADT/Triple.h" 61 #include "llvm/Analysis/ValueTracking.h" 62 #include "llvm/IR/Argument.h" 63 #include "llvm/IR/Attributes.h" 64 #include "llvm/IR/BasicBlock.h" 65 #include "llvm/IR/Constant.h" 66 #include "llvm/IR/Constants.h" 67 #include "llvm/IR/DataLayout.h" 68 #include "llvm/IR/DerivedTypes.h" 69 #include "llvm/IR/Dominators.h" 70 #include "llvm/IR/Function.h" 71 #include "llvm/IR/GlobalAlias.h" 72 #include "llvm/IR/GlobalValue.h" 73 #include "llvm/IR/GlobalVariable.h" 74 #include "llvm/IR/IRBuilder.h" 75 #include "llvm/IR/InlineAsm.h" 76 #include "llvm/IR/InstVisitor.h" 77 #include "llvm/IR/InstrTypes.h" 78 #include "llvm/IR/Instruction.h" 79 #include "llvm/IR/Instructions.h" 80 #include "llvm/IR/IntrinsicInst.h" 81 #include "llvm/IR/LLVMContext.h" 82 #include "llvm/IR/MDBuilder.h" 83 #include "llvm/IR/Module.h" 84 #include "llvm/IR/PassManager.h" 85 #include "llvm/IR/Type.h" 86 #include "llvm/IR/User.h" 87 #include "llvm/IR/Value.h" 88 #include "llvm/InitializePasses.h" 89 #include "llvm/Pass.h" 90 #include "llvm/Support/Casting.h" 91 #include "llvm/Support/CommandLine.h" 92 #include "llvm/Support/ErrorHandling.h" 93 #include "llvm/Support/SpecialCaseList.h" 94 #include "llvm/Support/VirtualFileSystem.h" 95 #include "llvm/Transforms/Instrumentation.h" 96 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 97 #include "llvm/Transforms/Utils/Local.h" 98 #include <algorithm> 99 #include <cassert> 100 #include <cstddef> 101 #include <cstdint> 102 #include <iterator> 103 #include <memory> 104 #include <set> 105 #include <string> 106 #include <utility> 107 #include <vector> 108 109 using namespace llvm; 110 111 // This must be consistent with ShadowWidthBits. 112 static const Align kShadowTLSAlignment = Align(2); 113 114 static const Align kMinOriginAlignment = Align(4); 115 116 // The size of TLS variables. These constants must be kept in sync with the ones 117 // in dfsan.cpp. 118 static const unsigned kArgTLSSize = 800; 119 static const unsigned kRetvalTLSSize = 800; 120 121 // External symbol to be used when generating the shadow address for 122 // architectures with multiple VMAs. Instead of using a constant integer 123 // the runtime will set the external mask based on the VMA range. 124 const char kDFSanExternShadowPtrMask[] = "__dfsan_shadow_ptr_mask"; 125 126 // The -dfsan-preserve-alignment flag controls whether this pass assumes that 127 // alignment requirements provided by the input IR are correct. For example, 128 // if the input IR contains a load with alignment 8, this flag will cause 129 // the shadow load to have alignment 16. This flag is disabled by default as 130 // we have unfortunately encountered too much code (including Clang itself; 131 // see PR14291) which performs misaligned access. 132 static cl::opt<bool> ClPreserveAlignment( 133 "dfsan-preserve-alignment", 134 cl::desc("respect alignment requirements provided by input IR"), cl::Hidden, 135 cl::init(false)); 136 137 // The ABI list files control how shadow parameters are passed. The pass treats 138 // every function labelled "uninstrumented" in the ABI list file as conforming 139 // to the "native" (i.e. unsanitized) ABI. Unless the ABI list contains 140 // additional annotations for those functions, a call to one of those functions 141 // will produce a warning message, as the labelling behaviour of the function is 142 // unknown. The other supported annotations are "functional" and "discard", 143 // which are described below under DataFlowSanitizer::WrapperKind. 144 static cl::list<std::string> ClABIListFiles( 145 "dfsan-abilist", 146 cl::desc("File listing native ABI functions and how the pass treats them"), 147 cl::Hidden); 148 149 // Controls whether the pass uses IA_Args or IA_TLS as the ABI for instrumented 150 // functions (see DataFlowSanitizer::InstrumentedABI below). 151 static cl::opt<bool> ClArgsABI( 152 "dfsan-args-abi", 153 cl::desc("Use the argument ABI rather than the TLS ABI"), 154 cl::Hidden); 155 156 // Controls whether the pass includes or ignores the labels of pointers in load 157 // instructions. 158 static cl::opt<bool> ClCombinePointerLabelsOnLoad( 159 "dfsan-combine-pointer-labels-on-load", 160 cl::desc("Combine the label of the pointer with the label of the data when " 161 "loading from memory."), 162 cl::Hidden, cl::init(true)); 163 164 // Controls whether the pass includes or ignores the labels of pointers in 165 // stores instructions. 166 static cl::opt<bool> ClCombinePointerLabelsOnStore( 167 "dfsan-combine-pointer-labels-on-store", 168 cl::desc("Combine the label of the pointer with the label of the data when " 169 "storing in memory."), 170 cl::Hidden, cl::init(false)); 171 172 static cl::opt<bool> ClDebugNonzeroLabels( 173 "dfsan-debug-nonzero-labels", 174 cl::desc("Insert calls to __dfsan_nonzero_label on observing a parameter, " 175 "load or return with a nonzero label"), 176 cl::Hidden); 177 178 // Experimental feature that inserts callbacks for certain data events. 179 // Currently callbacks are only inserted for loads, stores, memory transfers 180 // (i.e. memcpy and memmove), and comparisons. 181 // 182 // If this flag is set to true, the user must provide definitions for the 183 // following callback functions: 184 // void __dfsan_load_callback(dfsan_label Label, void* addr); 185 // void __dfsan_store_callback(dfsan_label Label, void* addr); 186 // void __dfsan_mem_transfer_callback(dfsan_label *Start, size_t Len); 187 // void __dfsan_cmp_callback(dfsan_label CombinedLabel); 188 static cl::opt<bool> ClEventCallbacks( 189 "dfsan-event-callbacks", 190 cl::desc("Insert calls to __dfsan_*_callback functions on data events."), 191 cl::Hidden, cl::init(false)); 192 193 // Use a distinct bit for each base label, enabling faster unions with less 194 // instrumentation. Limits the max number of base labels to 16. 195 static cl::opt<bool> ClFast16Labels( 196 "dfsan-fast-16-labels", 197 cl::desc("Use more efficient instrumentation, limiting the number of " 198 "labels to 16."), 199 cl::Hidden, cl::init(false)); 200 201 // Controls whether the pass tracks the control flow of select instructions. 202 static cl::opt<bool> ClTrackSelectControlFlow( 203 "dfsan-track-select-control-flow", 204 cl::desc("Propagate labels from condition values of select instructions " 205 "to results."), 206 cl::Hidden, cl::init(true)); 207 208 // Controls how to track origins. 209 // * 0: do not track origins. 210 // * 1: track origins at memory store operations. 211 // * 2: TODO: track origins at memory store operations and callsites. 212 static cl::opt<int> ClTrackOrigins("dfsan-track-origins", 213 cl::desc("Track origins of labels"), 214 cl::Hidden, cl::init(0)); 215 216 static StringRef GetGlobalTypeString(const GlobalValue &G) { 217 // Types of GlobalVariables are always pointer types. 218 Type *GType = G.getValueType(); 219 // For now we support excluding struct types only. 220 if (StructType *SGType = dyn_cast<StructType>(GType)) { 221 if (!SGType->isLiteral()) 222 return SGType->getName(); 223 } 224 return "<unknown type>"; 225 } 226 227 namespace { 228 229 class DFSanABIList { 230 std::unique_ptr<SpecialCaseList> SCL; 231 232 public: 233 DFSanABIList() = default; 234 235 void set(std::unique_ptr<SpecialCaseList> List) { SCL = std::move(List); } 236 237 /// Returns whether either this function or its source file are listed in the 238 /// given category. 239 bool isIn(const Function &F, StringRef Category) const { 240 return isIn(*F.getParent(), Category) || 241 SCL->inSection("dataflow", "fun", F.getName(), Category); 242 } 243 244 /// Returns whether this global alias is listed in the given category. 245 /// 246 /// If GA aliases a function, the alias's name is matched as a function name 247 /// would be. Similarly, aliases of globals are matched like globals. 248 bool isIn(const GlobalAlias &GA, StringRef Category) const { 249 if (isIn(*GA.getParent(), Category)) 250 return true; 251 252 if (isa<FunctionType>(GA.getValueType())) 253 return SCL->inSection("dataflow", "fun", GA.getName(), Category); 254 255 return SCL->inSection("dataflow", "global", GA.getName(), Category) || 256 SCL->inSection("dataflow", "type", GetGlobalTypeString(GA), 257 Category); 258 } 259 260 /// Returns whether this module is listed in the given category. 261 bool isIn(const Module &M, StringRef Category) const { 262 return SCL->inSection("dataflow", "src", M.getModuleIdentifier(), Category); 263 } 264 }; 265 266 /// TransformedFunction is used to express the result of transforming one 267 /// function type into another. This struct is immutable. It holds metadata 268 /// useful for updating calls of the old function to the new type. 269 struct TransformedFunction { 270 TransformedFunction(FunctionType* OriginalType, 271 FunctionType* TransformedType, 272 std::vector<unsigned> ArgumentIndexMapping) 273 : OriginalType(OriginalType), 274 TransformedType(TransformedType), 275 ArgumentIndexMapping(ArgumentIndexMapping) {} 276 277 // Disallow copies. 278 TransformedFunction(const TransformedFunction&) = delete; 279 TransformedFunction& operator=(const TransformedFunction&) = delete; 280 281 // Allow moves. 282 TransformedFunction(TransformedFunction&&) = default; 283 TransformedFunction& operator=(TransformedFunction&&) = default; 284 285 /// Type of the function before the transformation. 286 FunctionType *OriginalType; 287 288 /// Type of the function after the transformation. 289 FunctionType *TransformedType; 290 291 /// Transforming a function may change the position of arguments. This 292 /// member records the mapping from each argument's old position to its new 293 /// position. Argument positions are zero-indexed. If the transformation 294 /// from F to F' made the first argument of F into the third argument of F', 295 /// then ArgumentIndexMapping[0] will equal 2. 296 std::vector<unsigned> ArgumentIndexMapping; 297 }; 298 299 /// Given function attributes from a call site for the original function, 300 /// return function attributes appropriate for a call to the transformed 301 /// function. 302 AttributeList TransformFunctionAttributes( 303 const TransformedFunction& TransformedFunction, 304 LLVMContext& Ctx, AttributeList CallSiteAttrs) { 305 306 // Construct a vector of AttributeSet for each function argument. 307 std::vector<llvm::AttributeSet> ArgumentAttributes( 308 TransformedFunction.TransformedType->getNumParams()); 309 310 // Copy attributes from the parameter of the original function to the 311 // transformed version. 'ArgumentIndexMapping' holds the mapping from 312 // old argument position to new. 313 for (unsigned i=0, ie = TransformedFunction.ArgumentIndexMapping.size(); 314 i < ie; ++i) { 315 unsigned TransformedIndex = TransformedFunction.ArgumentIndexMapping[i]; 316 ArgumentAttributes[TransformedIndex] = CallSiteAttrs.getParamAttributes(i); 317 } 318 319 // Copy annotations on varargs arguments. 320 for (unsigned i = TransformedFunction.OriginalType->getNumParams(), 321 ie = CallSiteAttrs.getNumAttrSets(); i<ie; ++i) { 322 ArgumentAttributes.push_back(CallSiteAttrs.getParamAttributes(i)); 323 } 324 325 return AttributeList::get( 326 Ctx, 327 CallSiteAttrs.getFnAttributes(), 328 CallSiteAttrs.getRetAttributes(), 329 llvm::makeArrayRef(ArgumentAttributes)); 330 } 331 332 class DataFlowSanitizer { 333 friend struct DFSanFunction; 334 friend class DFSanVisitor; 335 336 enum { 337 ShadowWidthBits = 16, 338 ShadowWidthBytes = ShadowWidthBits / 8, 339 OriginWidthBits = 32, 340 OriginWidthBytes = OriginWidthBits / 8 341 }; 342 343 /// Which ABI should be used for instrumented functions? 344 enum InstrumentedABI { 345 /// Argument and return value labels are passed through additional 346 /// arguments and by modifying the return type. 347 IA_Args, 348 349 /// Argument and return value labels are passed through TLS variables 350 /// __dfsan_arg_tls and __dfsan_retval_tls. 351 IA_TLS 352 }; 353 354 /// How should calls to uninstrumented functions be handled? 355 enum WrapperKind { 356 /// This function is present in an uninstrumented form but we don't know 357 /// how it should be handled. Print a warning and call the function anyway. 358 /// Don't label the return value. 359 WK_Warning, 360 361 /// This function does not write to (user-accessible) memory, and its return 362 /// value is unlabelled. 363 WK_Discard, 364 365 /// This function does not write to (user-accessible) memory, and the label 366 /// of its return value is the union of the label of its arguments. 367 WK_Functional, 368 369 /// Instead of calling the function, a custom wrapper __dfsw_F is called, 370 /// where F is the name of the function. This function may wrap the 371 /// original function or provide its own implementation. This is similar to 372 /// the IA_Args ABI, except that IA_Args uses a struct return type to 373 /// pass the return value shadow in a register, while WK_Custom uses an 374 /// extra pointer argument to return the shadow. This allows the wrapped 375 /// form of the function type to be expressed in C. 376 WK_Custom 377 }; 378 379 Module *Mod; 380 LLVMContext *Ctx; 381 Type *Int8Ptr; 382 IntegerType *OriginTy; 383 PointerType *OriginPtrTy; 384 ConstantInt *OriginBase; 385 ConstantInt *ZeroOrigin; 386 /// The shadow type for all primitive types and vector types. 387 IntegerType *PrimitiveShadowTy; 388 PointerType *PrimitiveShadowPtrTy; 389 IntegerType *IntptrTy; 390 ConstantInt *ZeroPrimitiveShadow; 391 ConstantInt *ShadowPtrMask; 392 ConstantInt *ShadowPtrMul; 393 Constant *ArgTLS; 394 ArrayType *ArgOriginTLSTy; 395 Constant *ArgOriginTLS; 396 Constant *RetvalTLS; 397 Constant *RetvalOriginTLS; 398 Constant *ExternalShadowMask; 399 FunctionType *DFSanUnionFnTy; 400 FunctionType *DFSanUnionLoadFnTy; 401 FunctionType *DFSanLoadLabelAndOriginFnTy; 402 FunctionType *DFSanUnimplementedFnTy; 403 FunctionType *DFSanSetLabelFnTy; 404 FunctionType *DFSanNonzeroLabelFnTy; 405 FunctionType *DFSanVarargWrapperFnTy; 406 FunctionType *DFSanCmpCallbackFnTy; 407 FunctionType *DFSanLoadStoreCallbackFnTy; 408 FunctionType *DFSanMemTransferCallbackFnTy; 409 FunctionType *DFSanChainOriginFnTy; 410 FunctionType *DFSanMemOriginTransferFnTy; 411 FunctionType *DFSanMaybeStoreOriginFnTy; 412 FunctionCallee DFSanUnionFn; 413 FunctionCallee DFSanCheckedUnionFn; 414 FunctionCallee DFSanUnionLoadFn; 415 FunctionCallee DFSanUnionLoadFast16LabelsFn; 416 FunctionCallee DFSanLoadLabelAndOriginFn; 417 FunctionCallee DFSanUnimplementedFn; 418 FunctionCallee DFSanSetLabelFn; 419 FunctionCallee DFSanNonzeroLabelFn; 420 FunctionCallee DFSanVarargWrapperFn; 421 FunctionCallee DFSanLoadCallbackFn; 422 FunctionCallee DFSanStoreCallbackFn; 423 FunctionCallee DFSanMemTransferCallbackFn; 424 FunctionCallee DFSanCmpCallbackFn; 425 FunctionCallee DFSanChainOriginFn; 426 FunctionCallee DFSanMemOriginTransferFn; 427 FunctionCallee DFSanMaybeStoreOriginFn; 428 SmallPtrSet<Value *, 16> DFSanRuntimeFunctions; 429 MDNode *ColdCallWeights; 430 DFSanABIList ABIList; 431 DenseMap<Value *, Function *> UnwrappedFnMap; 432 AttrBuilder ReadOnlyNoneAttrs; 433 bool DFSanRuntimeShadowMask = false; 434 435 Value *getShadowOffset(Value *Addr, IRBuilder<> &IRB); 436 Value *getShadowAddress(Value *Addr, Instruction *Pos); 437 // std::pair<Value *, Value *> 438 // getShadowOriginAddress(Value *Addr, Align InstAlignment, Instruction *Pos); 439 bool isInstrumented(const Function *F); 440 bool isInstrumented(const GlobalAlias *GA); 441 FunctionType *getArgsFunctionType(FunctionType *T); 442 FunctionType *getTrampolineFunctionType(FunctionType *T); 443 TransformedFunction getCustomFunctionType(FunctionType *T); 444 InstrumentedABI getInstrumentedABI(); 445 WrapperKind getWrapperKind(Function *F); 446 void addGlobalNamePrefix(GlobalValue *GV); 447 Function *buildWrapperFunction(Function *F, StringRef NewFName, 448 GlobalValue::LinkageTypes NewFLink, 449 FunctionType *NewFT); 450 Constant *getOrBuildTrampolineFunction(FunctionType *FT, StringRef FName); 451 void initializeCallbackFunctions(Module &M); 452 void initializeRuntimeFunctions(Module &M); 453 void injectMetadataGlobals(Module &M); 454 455 bool init(Module &M); 456 457 /// Returns whether the pass tracks origins. Support only fast16 mode in TLS 458 /// ABI mode. 459 bool shouldTrackOrigins(); 460 461 /// Returns whether the pass tracks labels for struct fields and array 462 /// indices. Support only fast16 mode in TLS ABI mode. 463 bool shouldTrackFieldsAndIndices(); 464 465 /// Returns a zero constant with the shadow type of OrigTy. 466 /// 467 /// getZeroShadow({T1,T2,...}) = {getZeroShadow(T1),getZeroShadow(T2,...} 468 /// getZeroShadow([n x T]) = [n x getZeroShadow(T)] 469 /// getZeroShadow(other type) = i16(0) 470 /// 471 /// Note that a zero shadow is always i16(0) when shouldTrackFieldsAndIndices 472 /// returns false. 473 Constant *getZeroShadow(Type *OrigTy); 474 /// Returns a zero constant with the shadow type of V's type. 475 Constant *getZeroShadow(Value *V); 476 477 /// Checks if V is a zero shadow. 478 bool isZeroShadow(Value *V); 479 480 /// Returns the shadow type of OrigTy. 481 /// 482 /// getShadowTy({T1,T2,...}) = {getShadowTy(T1),getShadowTy(T2),...} 483 /// getShadowTy([n x T]) = [n x getShadowTy(T)] 484 /// getShadowTy(other type) = i16 485 /// 486 /// Note that a shadow type is always i16 when shouldTrackFieldsAndIndices 487 /// returns false. 488 Type *getShadowTy(Type *OrigTy); 489 /// Returns the shadow type of of V's type. 490 Type *getShadowTy(Value *V); 491 492 const uint64_t kNumOfElementsInArgOrgTLS = kArgTLSSize / OriginWidthBytes; 493 494 public: 495 DataFlowSanitizer(const std::vector<std::string> &ABIListFiles); 496 497 bool runImpl(Module &M); 498 }; 499 500 struct DFSanFunction { 501 DataFlowSanitizer &DFS; 502 Function *F; 503 DominatorTree DT; 504 DataFlowSanitizer::InstrumentedABI IA; 505 bool IsNativeABI; 506 AllocaInst *LabelReturnAlloca = nullptr; 507 AllocaInst *OriginReturnAlloca = nullptr; 508 DenseMap<Value *, Value *> ValShadowMap; 509 DenseMap<Value *, Value *> ValOriginMap; 510 DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap; 511 std::vector<std::pair<PHINode *, PHINode *>> PHIFixups; 512 DenseSet<Instruction *> SkipInsts; 513 std::vector<Value *> NonZeroChecks; 514 bool AvoidNewBlocks; 515 516 struct CachedShadow { 517 BasicBlock *Block; // The block where Shadow is defined. 518 Value *Shadow; 519 }; 520 /// Maps a value to its latest shadow value in terms of domination tree. 521 DenseMap<std::pair<Value *, Value *>, CachedShadow> CachedShadows; 522 /// Maps a value to its latest collapsed shadow value it was converted to in 523 /// terms of domination tree. When ClDebugNonzeroLabels is on, this cache is 524 /// used at a post process where CFG blocks are split. So it does not cache 525 /// BasicBlock like CachedShadows, but uses domination between values. 526 DenseMap<Value *, Value *> CachedCollapsedShadows; 527 DenseMap<Value *, std::set<Value *>> ShadowElements; 528 529 DFSanFunction(DataFlowSanitizer &DFS, Function *F, bool IsNativeABI) 530 : DFS(DFS), F(F), IA(DFS.getInstrumentedABI()), IsNativeABI(IsNativeABI) { 531 DT.recalculate(*F); 532 // FIXME: Need to track down the register allocator issue which causes poor 533 // performance in pathological cases with large numbers of basic blocks. 534 AvoidNewBlocks = F->size() > 1000; 535 } 536 537 /// Computes the shadow address for a given function argument. 538 /// 539 /// Shadow = ArgTLS+ArgOffset. 540 Value *getArgTLS(Type *T, unsigned ArgOffset, IRBuilder<> &IRB); 541 542 /// Computes the shadow address for a return value. 543 Value *getRetvalTLS(Type *T, IRBuilder<> &IRB); 544 545 /// Computes the origin address for a given function argument. 546 /// 547 /// Origin = ArgOriginTLS[ArgNo]. 548 Value *getArgOriginTLS(unsigned ArgNo, IRBuilder<> &IRB); 549 550 /// Computes the origin address for a return value. 551 Value *getRetvalOriginTLS(); 552 553 Value *getOrigin(Value *V); 554 void setOrigin(Instruction *I, Value *Origin); 555 /// Generates IR to compute the origin of the last operand with a taint label. 556 Value *combineOperandOrigins(Instruction *Inst); 557 /// Before the instruction Pos, generates IR to compute the last origin with a 558 /// taint label. Labels and origins are from vectors Shadows and Origins 559 /// correspondingly. The generated IR is like 560 /// Sn-1 != Zero ? On-1: ... S2 != Zero ? O2: S1 != Zero ? O1: O0 561 /// When Zero is nullptr, it uses ZeroPrimitiveShadow. Otherwise it can be 562 /// zeros with other bitwidths. 563 Value *combineOrigins(const std::vector<Value *> &Shadows, 564 const std::vector<Value *> &Origins, Instruction *Pos, 565 ConstantInt *Zero = nullptr); 566 567 Value *getShadow(Value *V); 568 void setShadow(Instruction *I, Value *Shadow); 569 /// Generates IR to compute the union of the two given shadows, inserting it 570 /// before Pos. The combined value is with primitive type. 571 Value *combineShadows(Value *V1, Value *V2, Instruction *Pos); 572 /// Combines the shadow values of V1 and V2, then converts the combined value 573 /// with primitive type into a shadow value with the original type T. 574 Value *combineShadowsThenConvert(Type *T, Value *V1, Value *V2, 575 Instruction *Pos); 576 Value *combineOperandShadows(Instruction *Inst); 577 Value *loadShadow(Value *ShadowAddr, uint64_t Size, uint64_t Align, 578 Instruction *Pos); 579 void storePrimitiveShadow(Value *Addr, uint64_t Size, Align Alignment, 580 Value *PrimitiveShadow, Instruction *Pos); 581 /// Applies PrimitiveShadow to all primitive subtypes of T, returning 582 /// the expanded shadow value. 583 /// 584 /// EFP({T1,T2, ...}, PS) = {EFP(T1,PS),EFP(T2,PS),...} 585 /// EFP([n x T], PS) = [n x EFP(T,PS)] 586 /// EFP(other types, PS) = PS 587 Value *expandFromPrimitiveShadow(Type *T, Value *PrimitiveShadow, 588 Instruction *Pos); 589 /// Collapses Shadow into a single primitive shadow value, unioning all 590 /// primitive shadow values in the process. Returns the final primitive 591 /// shadow value. 592 /// 593 /// CTP({V1,V2, ...}) = UNION(CFP(V1,PS),CFP(V2,PS),...) 594 /// CTP([V1,V2,...]) = UNION(CFP(V1,PS),CFP(V2,PS),...) 595 /// CTP(other types, PS) = PS 596 Value *collapseToPrimitiveShadow(Value *Shadow, Instruction *Pos); 597 598 void storeZeroPrimitiveShadow(Value *Addr, uint64_t Size, Align ShadowAlign, 599 Instruction *Pos); 600 601 Align getShadowAlign(Align InstAlignment); 602 603 private: 604 /// Collapses the shadow with aggregate type into a single primitive shadow 605 /// value. 606 template <class AggregateType> 607 Value *collapseAggregateShadow(AggregateType *AT, Value *Shadow, 608 IRBuilder<> &IRB); 609 610 Value *collapseToPrimitiveShadow(Value *Shadow, IRBuilder<> &IRB); 611 612 /// Returns the shadow value of an argument A. 613 Value *getShadowForTLSArgument(Argument *A); 614 615 /// The fast path of loading shadow in legacy mode. 616 Value *loadLegacyShadowFast(Value *ShadowAddr, uint64_t Size, 617 Align ShadowAlign, Instruction *Pos); 618 619 /// The fast path of loading shadow in fast-16-label mode. 620 Value *loadFast16ShadowFast(Value *ShadowAddr, uint64_t Size, 621 Align ShadowAlign, Instruction *Pos); 622 }; 623 624 class DFSanVisitor : public InstVisitor<DFSanVisitor> { 625 public: 626 DFSanFunction &DFSF; 627 628 DFSanVisitor(DFSanFunction &DFSF) : DFSF(DFSF) {} 629 630 const DataLayout &getDataLayout() const { 631 return DFSF.F->getParent()->getDataLayout(); 632 } 633 634 // Combines shadow values and origins for all of I's operands. 635 void visitInstOperands(Instruction &I); 636 637 void visitUnaryOperator(UnaryOperator &UO); 638 void visitBinaryOperator(BinaryOperator &BO); 639 void visitCastInst(CastInst &CI); 640 void visitCmpInst(CmpInst &CI); 641 void visitGetElementPtrInst(GetElementPtrInst &GEPI); 642 void visitLoadInst(LoadInst &LI); 643 void visitStoreInst(StoreInst &SI); 644 void visitAtomicRMWInst(AtomicRMWInst &I); 645 void visitAtomicCmpXchgInst(AtomicCmpXchgInst &I); 646 void visitReturnInst(ReturnInst &RI); 647 void visitCallBase(CallBase &CB); 648 void visitPHINode(PHINode &PN); 649 void visitExtractElementInst(ExtractElementInst &I); 650 void visitInsertElementInst(InsertElementInst &I); 651 void visitShuffleVectorInst(ShuffleVectorInst &I); 652 void visitExtractValueInst(ExtractValueInst &I); 653 void visitInsertValueInst(InsertValueInst &I); 654 void visitAllocaInst(AllocaInst &I); 655 void visitSelectInst(SelectInst &I); 656 void visitMemSetInst(MemSetInst &I); 657 void visitMemTransferInst(MemTransferInst &I); 658 659 private: 660 void visitCASOrRMW(Align InstAlignment, Instruction &I); 661 662 // Returns false when this is an invoke of a custom function. 663 bool visitWrappedCallBase(Function &F, CallBase &CB); 664 665 // Combines origins for all of I's operands. 666 void visitInstOperandOrigins(Instruction &I); 667 668 void addShadowArguments(Function &F, CallBase &CB, std::vector<Value *> &Args, 669 IRBuilder<> &IRB); 670 671 void addOriginArguments(Function &F, CallBase &CB, std::vector<Value *> &Args, 672 IRBuilder<> &IRB); 673 }; 674 675 } // end anonymous namespace 676 677 DataFlowSanitizer::DataFlowSanitizer( 678 const std::vector<std::string> &ABIListFiles) { 679 std::vector<std::string> AllABIListFiles(std::move(ABIListFiles)); 680 llvm::append_range(AllABIListFiles, ClABIListFiles); 681 // FIXME: should we propagate vfs::FileSystem to this constructor? 682 ABIList.set( 683 SpecialCaseList::createOrDie(AllABIListFiles, *vfs::getRealFileSystem())); 684 } 685 686 FunctionType *DataFlowSanitizer::getArgsFunctionType(FunctionType *T) { 687 SmallVector<Type *, 4> ArgTypes(T->param_begin(), T->param_end()); 688 ArgTypes.append(T->getNumParams(), PrimitiveShadowTy); 689 if (T->isVarArg()) 690 ArgTypes.push_back(PrimitiveShadowPtrTy); 691 Type *RetType = T->getReturnType(); 692 if (!RetType->isVoidTy()) 693 RetType = StructType::get(RetType, PrimitiveShadowTy); 694 return FunctionType::get(RetType, ArgTypes, T->isVarArg()); 695 } 696 697 FunctionType *DataFlowSanitizer::getTrampolineFunctionType(FunctionType *T) { 698 assert(!T->isVarArg()); 699 SmallVector<Type *, 4> ArgTypes; 700 ArgTypes.push_back(T->getPointerTo()); 701 ArgTypes.append(T->param_begin(), T->param_end()); 702 ArgTypes.append(T->getNumParams(), PrimitiveShadowTy); 703 Type *RetType = T->getReturnType(); 704 if (!RetType->isVoidTy()) 705 ArgTypes.push_back(PrimitiveShadowPtrTy); 706 707 if (shouldTrackOrigins()) { 708 ArgTypes.append(T->getNumParams(), OriginTy); 709 if (!RetType->isVoidTy()) 710 ArgTypes.push_back(OriginPtrTy); 711 } 712 713 return FunctionType::get(T->getReturnType(), ArgTypes, false); 714 } 715 716 TransformedFunction DataFlowSanitizer::getCustomFunctionType(FunctionType *T) { 717 SmallVector<Type *, 4> ArgTypes; 718 719 // Some parameters of the custom function being constructed are 720 // parameters of T. Record the mapping from parameters of T to 721 // parameters of the custom function, so that parameter attributes 722 // at call sites can be updated. 723 std::vector<unsigned> ArgumentIndexMapping; 724 for (unsigned I = 0, E = T->getNumParams(); I != E; ++I) { 725 Type *Param_type = T->getParamType(I); 726 FunctionType *FT; 727 if (isa<PointerType>(Param_type) && 728 (FT = dyn_cast<FunctionType>( 729 cast<PointerType>(Param_type)->getElementType()))) { 730 ArgumentIndexMapping.push_back(ArgTypes.size()); 731 ArgTypes.push_back(getTrampolineFunctionType(FT)->getPointerTo()); 732 ArgTypes.push_back(Type::getInt8PtrTy(*Ctx)); 733 } else { 734 ArgumentIndexMapping.push_back(ArgTypes.size()); 735 ArgTypes.push_back(Param_type); 736 } 737 } 738 for (unsigned I = 0, E = T->getNumParams(); I != E; ++I) 739 ArgTypes.push_back(PrimitiveShadowTy); 740 if (T->isVarArg()) 741 ArgTypes.push_back(PrimitiveShadowPtrTy); 742 Type *RetType = T->getReturnType(); 743 if (!RetType->isVoidTy()) 744 ArgTypes.push_back(PrimitiveShadowPtrTy); 745 746 if (shouldTrackOrigins()) { 747 for (unsigned I = 0, E = T->getNumParams(); I != E; ++I) 748 ArgTypes.push_back(OriginTy); 749 if (T->isVarArg()) 750 ArgTypes.push_back(OriginPtrTy); 751 if (!RetType->isVoidTy()) 752 ArgTypes.push_back(OriginPtrTy); 753 } 754 755 return TransformedFunction( 756 T, FunctionType::get(T->getReturnType(), ArgTypes, T->isVarArg()), 757 ArgumentIndexMapping); 758 } 759 760 bool DataFlowSanitizer::isZeroShadow(Value *V) { 761 if (!shouldTrackFieldsAndIndices()) 762 return ZeroPrimitiveShadow == V; 763 764 Type *T = V->getType(); 765 if (!isa<ArrayType>(T) && !isa<StructType>(T)) { 766 if (const ConstantInt *CI = dyn_cast<ConstantInt>(V)) 767 return CI->isZero(); 768 return false; 769 } 770 771 return isa<ConstantAggregateZero>(V); 772 } 773 774 bool DataFlowSanitizer::shouldTrackOrigins() { 775 static const bool kShouldTrackOrigins = 776 ClTrackOrigins && getInstrumentedABI() == DataFlowSanitizer::IA_TLS && 777 ClFast16Labels; 778 return kShouldTrackOrigins; 779 } 780 781 bool DataFlowSanitizer::shouldTrackFieldsAndIndices() { 782 return getInstrumentedABI() == DataFlowSanitizer::IA_TLS && ClFast16Labels; 783 } 784 785 Constant *DataFlowSanitizer::getZeroShadow(Type *OrigTy) { 786 if (!shouldTrackFieldsAndIndices()) 787 return ZeroPrimitiveShadow; 788 789 if (!isa<ArrayType>(OrigTy) && !isa<StructType>(OrigTy)) 790 return ZeroPrimitiveShadow; 791 Type *ShadowTy = getShadowTy(OrigTy); 792 return ConstantAggregateZero::get(ShadowTy); 793 } 794 795 Constant *DataFlowSanitizer::getZeroShadow(Value *V) { 796 return getZeroShadow(V->getType()); 797 } 798 799 static Value *expandFromPrimitiveShadowRecursive( 800 Value *Shadow, SmallVector<unsigned, 4> &Indices, Type *SubShadowTy, 801 Value *PrimitiveShadow, IRBuilder<> &IRB) { 802 if (!isa<ArrayType>(SubShadowTy) && !isa<StructType>(SubShadowTy)) 803 return IRB.CreateInsertValue(Shadow, PrimitiveShadow, Indices); 804 805 if (ArrayType *AT = dyn_cast<ArrayType>(SubShadowTy)) { 806 for (unsigned Idx = 0; Idx < AT->getNumElements(); Idx++) { 807 Indices.push_back(Idx); 808 Shadow = expandFromPrimitiveShadowRecursive( 809 Shadow, Indices, AT->getElementType(), PrimitiveShadow, IRB); 810 Indices.pop_back(); 811 } 812 return Shadow; 813 } 814 815 if (StructType *ST = dyn_cast<StructType>(SubShadowTy)) { 816 for (unsigned Idx = 0; Idx < ST->getNumElements(); Idx++) { 817 Indices.push_back(Idx); 818 Shadow = expandFromPrimitiveShadowRecursive( 819 Shadow, Indices, ST->getElementType(Idx), PrimitiveShadow, IRB); 820 Indices.pop_back(); 821 } 822 return Shadow; 823 } 824 llvm_unreachable("Unexpected shadow type"); 825 } 826 827 Value *DFSanFunction::expandFromPrimitiveShadow(Type *T, Value *PrimitiveShadow, 828 Instruction *Pos) { 829 Type *ShadowTy = DFS.getShadowTy(T); 830 831 if (!isa<ArrayType>(ShadowTy) && !isa<StructType>(ShadowTy)) 832 return PrimitiveShadow; 833 834 if (DFS.isZeroShadow(PrimitiveShadow)) 835 return DFS.getZeroShadow(ShadowTy); 836 837 IRBuilder<> IRB(Pos); 838 SmallVector<unsigned, 4> Indices; 839 Value *Shadow = UndefValue::get(ShadowTy); 840 Shadow = expandFromPrimitiveShadowRecursive(Shadow, Indices, ShadowTy, 841 PrimitiveShadow, IRB); 842 843 // Caches the primitive shadow value that built the shadow value. 844 CachedCollapsedShadows[Shadow] = PrimitiveShadow; 845 return Shadow; 846 } 847 848 template <class AggregateType> 849 Value *DFSanFunction::collapseAggregateShadow(AggregateType *AT, Value *Shadow, 850 IRBuilder<> &IRB) { 851 if (!AT->getNumElements()) 852 return DFS.ZeroPrimitiveShadow; 853 854 Value *FirstItem = IRB.CreateExtractValue(Shadow, 0); 855 Value *Aggregator = collapseToPrimitiveShadow(FirstItem, IRB); 856 857 for (unsigned Idx = 1; Idx < AT->getNumElements(); Idx++) { 858 Value *ShadowItem = IRB.CreateExtractValue(Shadow, Idx); 859 Value *ShadowInner = collapseToPrimitiveShadow(ShadowItem, IRB); 860 Aggregator = IRB.CreateOr(Aggregator, ShadowInner); 861 } 862 return Aggregator; 863 } 864 865 Value *DFSanFunction::collapseToPrimitiveShadow(Value *Shadow, 866 IRBuilder<> &IRB) { 867 Type *ShadowTy = Shadow->getType(); 868 if (!isa<ArrayType>(ShadowTy) && !isa<StructType>(ShadowTy)) 869 return Shadow; 870 if (ArrayType *AT = dyn_cast<ArrayType>(ShadowTy)) 871 return collapseAggregateShadow<>(AT, Shadow, IRB); 872 if (StructType *ST = dyn_cast<StructType>(ShadowTy)) 873 return collapseAggregateShadow<>(ST, Shadow, IRB); 874 llvm_unreachable("Unexpected shadow type"); 875 } 876 877 Value *DFSanFunction::collapseToPrimitiveShadow(Value *Shadow, 878 Instruction *Pos) { 879 Type *ShadowTy = Shadow->getType(); 880 if (!isa<ArrayType>(ShadowTy) && !isa<StructType>(ShadowTy)) 881 return Shadow; 882 883 assert(DFS.shouldTrackFieldsAndIndices()); 884 885 // Checks if the cached collapsed shadow value dominates Pos. 886 Value *&CS = CachedCollapsedShadows[Shadow]; 887 if (CS && DT.dominates(CS, Pos)) 888 return CS; 889 890 IRBuilder<> IRB(Pos); 891 Value *PrimitiveShadow = collapseToPrimitiveShadow(Shadow, IRB); 892 // Caches the converted primitive shadow value. 893 CS = PrimitiveShadow; 894 return PrimitiveShadow; 895 } 896 897 Type *DataFlowSanitizer::getShadowTy(Type *OrigTy) { 898 if (!shouldTrackFieldsAndIndices()) 899 return PrimitiveShadowTy; 900 901 if (!OrigTy->isSized()) 902 return PrimitiveShadowTy; 903 if (isa<IntegerType>(OrigTy)) 904 return PrimitiveShadowTy; 905 if (isa<VectorType>(OrigTy)) 906 return PrimitiveShadowTy; 907 if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy)) 908 return ArrayType::get(getShadowTy(AT->getElementType()), 909 AT->getNumElements()); 910 if (StructType *ST = dyn_cast<StructType>(OrigTy)) { 911 SmallVector<Type *, 4> Elements; 912 for (unsigned I = 0, N = ST->getNumElements(); I < N; ++I) 913 Elements.push_back(getShadowTy(ST->getElementType(I))); 914 return StructType::get(*Ctx, Elements); 915 } 916 return PrimitiveShadowTy; 917 } 918 919 Type *DataFlowSanitizer::getShadowTy(Value *V) { 920 return getShadowTy(V->getType()); 921 } 922 923 bool DataFlowSanitizer::init(Module &M) { 924 Triple TargetTriple(M.getTargetTriple()); 925 bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64; 926 bool IsMIPS64 = TargetTriple.isMIPS64(); 927 bool IsAArch64 = TargetTriple.getArch() == Triple::aarch64 || 928 TargetTriple.getArch() == Triple::aarch64_be; 929 930 const DataLayout &DL = M.getDataLayout(); 931 932 Mod = &M; 933 Ctx = &M.getContext(); 934 Int8Ptr = Type::getInt8PtrTy(*Ctx); 935 OriginTy = IntegerType::get(*Ctx, OriginWidthBits); 936 OriginPtrTy = PointerType::getUnqual(OriginTy); 937 PrimitiveShadowTy = IntegerType::get(*Ctx, ShadowWidthBits); 938 PrimitiveShadowPtrTy = PointerType::getUnqual(PrimitiveShadowTy); 939 IntptrTy = DL.getIntPtrType(*Ctx); 940 ZeroPrimitiveShadow = ConstantInt::getSigned(PrimitiveShadowTy, 0); 941 ShadowPtrMul = ConstantInt::getSigned(IntptrTy, ShadowWidthBytes); 942 OriginBase = ConstantInt::get(IntptrTy, 0x200000000000LL); 943 ZeroOrigin = ConstantInt::getSigned(OriginTy, 0); 944 if (IsX86_64) 945 ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0x700000000000LL); 946 else if (IsMIPS64) 947 ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0xF000000000LL); 948 // AArch64 supports multiple VMAs and the shadow mask is set at runtime. 949 else if (IsAArch64) 950 DFSanRuntimeShadowMask = true; 951 else 952 report_fatal_error("unsupported triple"); 953 954 Type *DFSanUnionArgs[2] = {PrimitiveShadowTy, PrimitiveShadowTy}; 955 DFSanUnionFnTy = 956 FunctionType::get(PrimitiveShadowTy, DFSanUnionArgs, /*isVarArg=*/false); 957 Type *DFSanUnionLoadArgs[2] = {PrimitiveShadowPtrTy, IntptrTy}; 958 DFSanUnionLoadFnTy = FunctionType::get(PrimitiveShadowTy, DFSanUnionLoadArgs, 959 /*isVarArg=*/false); 960 Type *DFSanLoadLabelAndOriginArgs[2] = {Int8Ptr, IntptrTy}; 961 DFSanLoadLabelAndOriginFnTy = 962 FunctionType::get(IntegerType::get(*Ctx, 64), DFSanLoadLabelAndOriginArgs, 963 /*isVarArg=*/false); 964 DFSanUnimplementedFnTy = FunctionType::get( 965 Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false); 966 Type *DFSanSetLabelArgs[4] = {PrimitiveShadowTy, OriginTy, 967 Type::getInt8PtrTy(*Ctx), IntptrTy}; 968 DFSanSetLabelFnTy = FunctionType::get(Type::getVoidTy(*Ctx), 969 DFSanSetLabelArgs, /*isVarArg=*/false); 970 DFSanNonzeroLabelFnTy = 971 FunctionType::get(Type::getVoidTy(*Ctx), None, /*isVarArg=*/false); 972 DFSanVarargWrapperFnTy = FunctionType::get( 973 Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false); 974 DFSanCmpCallbackFnTy = 975 FunctionType::get(Type::getVoidTy(*Ctx), PrimitiveShadowTy, 976 /*isVarArg=*/false); 977 DFSanChainOriginFnTy = 978 FunctionType::get(OriginTy, OriginTy, /*isVarArg=*/false); 979 Type *DFSanMaybeStoreOriginArgs[4] = {IntegerType::get(*Ctx, ShadowWidthBits), 980 Int8Ptr, IntptrTy, OriginTy}; 981 DFSanMaybeStoreOriginFnTy = FunctionType::get( 982 Type::getVoidTy(*Ctx), DFSanMaybeStoreOriginArgs, /*isVarArg=*/false); 983 Type *DFSanMemOriginTransferArgs[3] = {Int8Ptr, Int8Ptr, IntptrTy}; 984 DFSanMemOriginTransferFnTy = FunctionType::get( 985 Type::getVoidTy(*Ctx), DFSanMemOriginTransferArgs, /*isVarArg=*/false); 986 Type *DFSanLoadStoreCallbackArgs[2] = {PrimitiveShadowTy, Int8Ptr}; 987 DFSanLoadStoreCallbackFnTy = 988 FunctionType::get(Type::getVoidTy(*Ctx), DFSanLoadStoreCallbackArgs, 989 /*isVarArg=*/false); 990 Type *DFSanMemTransferCallbackArgs[2] = {PrimitiveShadowPtrTy, IntptrTy}; 991 DFSanMemTransferCallbackFnTy = 992 FunctionType::get(Type::getVoidTy(*Ctx), DFSanMemTransferCallbackArgs, 993 /*isVarArg=*/false); 994 995 ColdCallWeights = MDBuilder(*Ctx).createBranchWeights(1, 1000); 996 return true; 997 } 998 999 bool DataFlowSanitizer::isInstrumented(const Function *F) { 1000 return !ABIList.isIn(*F, "uninstrumented"); 1001 } 1002 1003 bool DataFlowSanitizer::isInstrumented(const GlobalAlias *GA) { 1004 return !ABIList.isIn(*GA, "uninstrumented"); 1005 } 1006 1007 DataFlowSanitizer::InstrumentedABI DataFlowSanitizer::getInstrumentedABI() { 1008 return ClArgsABI ? IA_Args : IA_TLS; 1009 } 1010 1011 DataFlowSanitizer::WrapperKind DataFlowSanitizer::getWrapperKind(Function *F) { 1012 if (ABIList.isIn(*F, "functional")) 1013 return WK_Functional; 1014 if (ABIList.isIn(*F, "discard")) 1015 return WK_Discard; 1016 if (ABIList.isIn(*F, "custom")) 1017 return WK_Custom; 1018 1019 return WK_Warning; 1020 } 1021 1022 void DataFlowSanitizer::addGlobalNamePrefix(GlobalValue *GV) { 1023 std::string GVName = std::string(GV->getName()), Prefix = "dfs$"; 1024 GV->setName(Prefix + GVName); 1025 1026 // Try to change the name of the function in module inline asm. We only do 1027 // this for specific asm directives, currently only ".symver", to try to avoid 1028 // corrupting asm which happens to contain the symbol name as a substring. 1029 // Note that the substitution for .symver assumes that the versioned symbol 1030 // also has an instrumented name. 1031 std::string Asm = GV->getParent()->getModuleInlineAsm(); 1032 std::string SearchStr = ".symver " + GVName + ","; 1033 size_t Pos = Asm.find(SearchStr); 1034 if (Pos != std::string::npos) { 1035 Asm.replace(Pos, SearchStr.size(), 1036 ".symver " + Prefix + GVName + "," + Prefix); 1037 GV->getParent()->setModuleInlineAsm(Asm); 1038 } 1039 } 1040 1041 Function * 1042 DataFlowSanitizer::buildWrapperFunction(Function *F, StringRef NewFName, 1043 GlobalValue::LinkageTypes NewFLink, 1044 FunctionType *NewFT) { 1045 FunctionType *FT = F->getFunctionType(); 1046 Function *NewF = Function::Create(NewFT, NewFLink, F->getAddressSpace(), 1047 NewFName, F->getParent()); 1048 NewF->copyAttributesFrom(F); 1049 NewF->removeAttributes( 1050 AttributeList::ReturnIndex, 1051 AttributeFuncs::typeIncompatible(NewFT->getReturnType())); 1052 1053 BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", NewF); 1054 if (F->isVarArg()) { 1055 NewF->removeAttributes(AttributeList::FunctionIndex, 1056 AttrBuilder().addAttribute("split-stack")); 1057 CallInst::Create(DFSanVarargWrapperFn, 1058 IRBuilder<>(BB).CreateGlobalStringPtr(F->getName()), "", 1059 BB); 1060 new UnreachableInst(*Ctx, BB); 1061 } else { 1062 std::vector<Value *> Args; 1063 unsigned n = FT->getNumParams(); 1064 for (Function::arg_iterator ai = NewF->arg_begin(); n != 0; ++ai, --n) 1065 Args.push_back(&*ai); 1066 CallInst *CI = CallInst::Create(F, Args, "", BB); 1067 if (FT->getReturnType()->isVoidTy()) 1068 ReturnInst::Create(*Ctx, BB); 1069 else 1070 ReturnInst::Create(*Ctx, CI, BB); 1071 } 1072 1073 return NewF; 1074 } 1075 1076 Constant *DataFlowSanitizer::getOrBuildTrampolineFunction(FunctionType *FT, 1077 StringRef FName) { 1078 FunctionType *FTT = getTrampolineFunctionType(FT); 1079 FunctionCallee C = Mod->getOrInsertFunction(FName, FTT); 1080 Function *F = dyn_cast<Function>(C.getCallee()); 1081 if (F && F->isDeclaration()) { 1082 F->setLinkage(GlobalValue::LinkOnceODRLinkage); 1083 BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", F); 1084 std::vector<Value *> Args; 1085 Function::arg_iterator AI = F->arg_begin(); ++AI; 1086 for (unsigned N = FT->getNumParams(); N != 0; ++AI, --N) 1087 Args.push_back(&*AI); 1088 CallInst *CI = CallInst::Create(FT, &*F->arg_begin(), Args, "", BB); 1089 ReturnInst *RI; 1090 Type *RetType = FT->getReturnType(); 1091 if (RetType->isVoidTy()) 1092 RI = ReturnInst::Create(*Ctx, BB); 1093 else 1094 RI = ReturnInst::Create(*Ctx, CI, BB); 1095 1096 // F is called by a wrapped custom function with primitive shadows. So 1097 // its arguments and return value need conversion. 1098 DFSanFunction DFSF(*this, F, /*IsNativeABI=*/true); 1099 Function::arg_iterator ValAI = F->arg_begin(), ShadowAI = AI; 1100 ++ValAI; 1101 for (unsigned N = FT->getNumParams(); N != 0; ++ValAI, ++ShadowAI, --N) { 1102 Value *Shadow = 1103 DFSF.expandFromPrimitiveShadow(ValAI->getType(), &*ShadowAI, CI); 1104 DFSF.ValShadowMap[&*ValAI] = Shadow; 1105 } 1106 Function::arg_iterator RetShadowAI = ShadowAI; 1107 const bool ShouldTrackOrigins = shouldTrackOrigins(); 1108 if (ShouldTrackOrigins) { 1109 ValAI = F->arg_begin(); 1110 ++ValAI; 1111 Function::arg_iterator OriginAI = ShadowAI; 1112 if (!RetType->isVoidTy()) 1113 ++OriginAI; 1114 for (unsigned N = FT->getNumParams(); N != 0; ++ValAI, ++OriginAI, --N) { 1115 DFSF.ValOriginMap[&*ValAI] = &*OriginAI; 1116 } 1117 } 1118 DFSanVisitor(DFSF).visitCallInst(*CI); 1119 if (!RetType->isVoidTy()) { 1120 Value *PrimitiveShadow = DFSF.collapseToPrimitiveShadow( 1121 DFSF.getShadow(RI->getReturnValue()), RI); 1122 new StoreInst(PrimitiveShadow, &*RetShadowAI, RI); 1123 if (ShouldTrackOrigins) { 1124 Value *Origin = DFSF.getOrigin(RI->getReturnValue()); 1125 new StoreInst(Origin, &*std::prev(F->arg_end()), RI); 1126 } 1127 } 1128 } 1129 1130 return cast<Constant>(C.getCallee()); 1131 } 1132 1133 // Initialize DataFlowSanitizer runtime functions and declare them in the module 1134 void DataFlowSanitizer::initializeRuntimeFunctions(Module &M) { 1135 { 1136 AttributeList AL; 1137 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 1138 Attribute::NoUnwind); 1139 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 1140 Attribute::ReadNone); 1141 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex, 1142 Attribute::ZExt); 1143 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 1144 AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt); 1145 DFSanUnionFn = 1146 Mod->getOrInsertFunction("__dfsan_union", DFSanUnionFnTy, AL); 1147 } 1148 { 1149 AttributeList AL; 1150 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 1151 Attribute::NoUnwind); 1152 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 1153 Attribute::ReadNone); 1154 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex, 1155 Attribute::ZExt); 1156 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 1157 AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt); 1158 DFSanCheckedUnionFn = 1159 Mod->getOrInsertFunction("dfsan_union", DFSanUnionFnTy, AL); 1160 } 1161 { 1162 AttributeList AL; 1163 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 1164 Attribute::NoUnwind); 1165 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 1166 Attribute::ReadOnly); 1167 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex, 1168 Attribute::ZExt); 1169 DFSanUnionLoadFn = 1170 Mod->getOrInsertFunction("__dfsan_union_load", DFSanUnionLoadFnTy, AL); 1171 } 1172 { 1173 AttributeList AL; 1174 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 1175 Attribute::NoUnwind); 1176 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 1177 Attribute::ReadOnly); 1178 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex, 1179 Attribute::ZExt); 1180 DFSanUnionLoadFast16LabelsFn = Mod->getOrInsertFunction( 1181 "__dfsan_union_load_fast16labels", DFSanUnionLoadFnTy, AL); 1182 } 1183 { 1184 AttributeList AL; 1185 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 1186 Attribute::NoUnwind); 1187 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex, 1188 Attribute::ReadOnly); 1189 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex, 1190 Attribute::ZExt); 1191 DFSanLoadLabelAndOriginFn = Mod->getOrInsertFunction( 1192 "__dfsan_load_label_and_origin", DFSanLoadLabelAndOriginFnTy, AL); 1193 } 1194 DFSanUnimplementedFn = 1195 Mod->getOrInsertFunction("__dfsan_unimplemented", DFSanUnimplementedFnTy); 1196 { 1197 AttributeList AL; 1198 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 1199 AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt); 1200 DFSanSetLabelFn = 1201 Mod->getOrInsertFunction("__dfsan_set_label", DFSanSetLabelFnTy, AL); 1202 } 1203 DFSanNonzeroLabelFn = 1204 Mod->getOrInsertFunction("__dfsan_nonzero_label", DFSanNonzeroLabelFnTy); 1205 DFSanVarargWrapperFn = Mod->getOrInsertFunction("__dfsan_vararg_wrapper", 1206 DFSanVarargWrapperFnTy); 1207 { 1208 AttributeList AL; 1209 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 1210 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex, 1211 Attribute::ZExt); 1212 DFSanChainOriginFn = Mod->getOrInsertFunction("__dfsan_chain_origin", 1213 DFSanChainOriginFnTy, AL); 1214 } 1215 DFSanMemOriginTransferFn = Mod->getOrInsertFunction( 1216 "__dfsan_mem_origin_transfer", DFSanMemOriginTransferFnTy); 1217 1218 { 1219 AttributeList AL; 1220 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 1221 AL = AL.addParamAttribute(M.getContext(), 3, Attribute::ZExt); 1222 DFSanMaybeStoreOriginFn = Mod->getOrInsertFunction( 1223 "__dfsan_maybe_store_origin", DFSanMaybeStoreOriginFnTy, AL); 1224 } 1225 1226 DFSanRuntimeFunctions.insert(DFSanUnionFn.getCallee()->stripPointerCasts()); 1227 DFSanRuntimeFunctions.insert( 1228 DFSanCheckedUnionFn.getCallee()->stripPointerCasts()); 1229 DFSanRuntimeFunctions.insert( 1230 DFSanUnionLoadFn.getCallee()->stripPointerCasts()); 1231 DFSanRuntimeFunctions.insert( 1232 DFSanUnionLoadFast16LabelsFn.getCallee()->stripPointerCasts()); 1233 DFSanRuntimeFunctions.insert( 1234 DFSanLoadLabelAndOriginFn.getCallee()->stripPointerCasts()); 1235 DFSanRuntimeFunctions.insert( 1236 DFSanUnimplementedFn.getCallee()->stripPointerCasts()); 1237 DFSanRuntimeFunctions.insert( 1238 DFSanSetLabelFn.getCallee()->stripPointerCasts()); 1239 DFSanRuntimeFunctions.insert( 1240 DFSanNonzeroLabelFn.getCallee()->stripPointerCasts()); 1241 DFSanRuntimeFunctions.insert( 1242 DFSanVarargWrapperFn.getCallee()->stripPointerCasts()); 1243 DFSanRuntimeFunctions.insert( 1244 DFSanLoadCallbackFn.getCallee()->stripPointerCasts()); 1245 DFSanRuntimeFunctions.insert( 1246 DFSanStoreCallbackFn.getCallee()->stripPointerCasts()); 1247 DFSanRuntimeFunctions.insert( 1248 DFSanMemTransferCallbackFn.getCallee()->stripPointerCasts()); 1249 DFSanRuntimeFunctions.insert( 1250 DFSanCmpCallbackFn.getCallee()->stripPointerCasts()); 1251 DFSanRuntimeFunctions.insert( 1252 DFSanChainOriginFn.getCallee()->stripPointerCasts()); 1253 DFSanRuntimeFunctions.insert( 1254 DFSanMemOriginTransferFn.getCallee()->stripPointerCasts()); 1255 DFSanRuntimeFunctions.insert( 1256 DFSanMaybeStoreOriginFn.getCallee()->stripPointerCasts()); 1257 } 1258 1259 // Initializes event callback functions and declare them in the module 1260 void DataFlowSanitizer::initializeCallbackFunctions(Module &M) { 1261 DFSanLoadCallbackFn = Mod->getOrInsertFunction("__dfsan_load_callback", 1262 DFSanLoadStoreCallbackFnTy); 1263 DFSanStoreCallbackFn = Mod->getOrInsertFunction("__dfsan_store_callback", 1264 DFSanLoadStoreCallbackFnTy); 1265 DFSanMemTransferCallbackFn = Mod->getOrInsertFunction( 1266 "__dfsan_mem_transfer_callback", DFSanMemTransferCallbackFnTy); 1267 DFSanCmpCallbackFn = 1268 Mod->getOrInsertFunction("__dfsan_cmp_callback", DFSanCmpCallbackFnTy); 1269 } 1270 1271 void DataFlowSanitizer::injectMetadataGlobals(Module &M) { 1272 // These variables can be used: 1273 // - by the runtime (to discover what the shadow width was, during 1274 // compilation) 1275 // - in testing (to avoid hardcoding the shadow width and type but instead 1276 // extract them by pattern matching) 1277 Type *IntTy = Type::getInt32Ty(*Ctx); 1278 (void)Mod->getOrInsertGlobal("__dfsan_shadow_width_bits", IntTy, [&] { 1279 return new GlobalVariable( 1280 M, IntTy, /*isConstant=*/true, GlobalValue::WeakODRLinkage, 1281 ConstantInt::get(IntTy, ShadowWidthBits), "__dfsan_shadow_width_bits"); 1282 }); 1283 (void)Mod->getOrInsertGlobal("__dfsan_shadow_width_bytes", IntTy, [&] { 1284 return new GlobalVariable(M, IntTy, /*isConstant=*/true, 1285 GlobalValue::WeakODRLinkage, 1286 ConstantInt::get(IntTy, ShadowWidthBytes), 1287 "__dfsan_shadow_width_bytes"); 1288 }); 1289 } 1290 1291 bool DataFlowSanitizer::runImpl(Module &M) { 1292 init(M); 1293 1294 if (ABIList.isIn(M, "skip")) 1295 return false; 1296 1297 const unsigned InitialGlobalSize = M.global_size(); 1298 const unsigned InitialModuleSize = M.size(); 1299 1300 bool Changed = false; 1301 1302 auto getOrInsertGlobal = [this, &Changed](StringRef Name, 1303 Type *Ty) -> Constant * { 1304 Constant *C = Mod->getOrInsertGlobal(Name, Ty); 1305 if (GlobalVariable *G = dyn_cast<GlobalVariable>(C)) { 1306 Changed |= G->getThreadLocalMode() != GlobalVariable::InitialExecTLSModel; 1307 G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel); 1308 } 1309 return C; 1310 }; 1311 1312 // These globals must be kept in sync with the ones in dfsan.cpp. 1313 ArgTLS = getOrInsertGlobal( 1314 "__dfsan_arg_tls", 1315 ArrayType::get(Type::getInt64Ty(*Ctx), kArgTLSSize / 8)); 1316 RetvalTLS = getOrInsertGlobal( 1317 "__dfsan_retval_tls", 1318 ArrayType::get(Type::getInt64Ty(*Ctx), kRetvalTLSSize / 8)); 1319 ArgOriginTLSTy = ArrayType::get(OriginTy, kNumOfElementsInArgOrgTLS); 1320 ArgOriginTLS = getOrInsertGlobal("__dfsan_arg_origin_tls", ArgOriginTLSTy); 1321 RetvalOriginTLS = getOrInsertGlobal("__dfsan_retval_origin_tls", OriginTy); 1322 1323 (void)Mod->getOrInsertGlobal("__dfsan_track_origins", OriginTy, [&] { 1324 Changed = true; 1325 return new GlobalVariable( 1326 M, OriginTy, true, GlobalValue::WeakODRLinkage, 1327 ConstantInt::getSigned(OriginTy, shouldTrackOrigins()), 1328 "__dfsan_track_origins"); 1329 }); 1330 1331 injectMetadataGlobals(M); 1332 1333 ExternalShadowMask = 1334 Mod->getOrInsertGlobal(kDFSanExternShadowPtrMask, IntptrTy); 1335 1336 initializeCallbackFunctions(M); 1337 initializeRuntimeFunctions(M); 1338 1339 std::vector<Function *> FnsToInstrument; 1340 SmallPtrSet<Function *, 2> FnsWithNativeABI; 1341 for (Function &i : M) 1342 if (!i.isIntrinsic() && !DFSanRuntimeFunctions.contains(&i)) 1343 FnsToInstrument.push_back(&i); 1344 1345 // Give function aliases prefixes when necessary, and build wrappers where the 1346 // instrumentedness is inconsistent. 1347 for (Module::alias_iterator i = M.alias_begin(), e = M.alias_end(); i != e;) { 1348 GlobalAlias *GA = &*i; 1349 ++i; 1350 // Don't stop on weak. We assume people aren't playing games with the 1351 // instrumentedness of overridden weak aliases. 1352 if (auto F = dyn_cast<Function>(GA->getBaseObject())) { 1353 bool GAInst = isInstrumented(GA), FInst = isInstrumented(F); 1354 if (GAInst && FInst) { 1355 addGlobalNamePrefix(GA); 1356 } else if (GAInst != FInst) { 1357 // Non-instrumented alias of an instrumented function, or vice versa. 1358 // Replace the alias with a native-ABI wrapper of the aliasee. The pass 1359 // below will take care of instrumenting it. 1360 Function *NewF = 1361 buildWrapperFunction(F, "", GA->getLinkage(), F->getFunctionType()); 1362 GA->replaceAllUsesWith(ConstantExpr::getBitCast(NewF, GA->getType())); 1363 NewF->takeName(GA); 1364 GA->eraseFromParent(); 1365 FnsToInstrument.push_back(NewF); 1366 } 1367 } 1368 } 1369 1370 ReadOnlyNoneAttrs.addAttribute(Attribute::ReadOnly) 1371 .addAttribute(Attribute::ReadNone); 1372 1373 // First, change the ABI of every function in the module. ABI-listed 1374 // functions keep their original ABI and get a wrapper function. 1375 for (std::vector<Function *>::iterator i = FnsToInstrument.begin(), 1376 e = FnsToInstrument.end(); 1377 i != e; ++i) { 1378 Function &F = **i; 1379 FunctionType *FT = F.getFunctionType(); 1380 1381 bool IsZeroArgsVoidRet = (FT->getNumParams() == 0 && !FT->isVarArg() && 1382 FT->getReturnType()->isVoidTy()); 1383 1384 if (isInstrumented(&F)) { 1385 // Instrumented functions get a 'dfs$' prefix. This allows us to more 1386 // easily identify cases of mismatching ABIs. 1387 if (getInstrumentedABI() == IA_Args && !IsZeroArgsVoidRet) { 1388 FunctionType *NewFT = getArgsFunctionType(FT); 1389 Function *NewF = Function::Create(NewFT, F.getLinkage(), 1390 F.getAddressSpace(), "", &M); 1391 NewF->copyAttributesFrom(&F); 1392 NewF->removeAttributes( 1393 AttributeList::ReturnIndex, 1394 AttributeFuncs::typeIncompatible(NewFT->getReturnType())); 1395 for (Function::arg_iterator FArg = F.arg_begin(), 1396 NewFArg = NewF->arg_begin(), 1397 FArgEnd = F.arg_end(); 1398 FArg != FArgEnd; ++FArg, ++NewFArg) { 1399 FArg->replaceAllUsesWith(&*NewFArg); 1400 } 1401 NewF->getBasicBlockList().splice(NewF->begin(), F.getBasicBlockList()); 1402 1403 for (Function::user_iterator UI = F.user_begin(), UE = F.user_end(); 1404 UI != UE;) { 1405 BlockAddress *BA = dyn_cast<BlockAddress>(*UI); 1406 ++UI; 1407 if (BA) { 1408 BA->replaceAllUsesWith( 1409 BlockAddress::get(NewF, BA->getBasicBlock())); 1410 delete BA; 1411 } 1412 } 1413 F.replaceAllUsesWith( 1414 ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT))); 1415 NewF->takeName(&F); 1416 F.eraseFromParent(); 1417 *i = NewF; 1418 addGlobalNamePrefix(NewF); 1419 } else { 1420 addGlobalNamePrefix(&F); 1421 } 1422 } else if (!IsZeroArgsVoidRet || getWrapperKind(&F) == WK_Custom) { 1423 // Build a wrapper function for F. The wrapper simply calls F, and is 1424 // added to FnsToInstrument so that any instrumentation according to its 1425 // WrapperKind is done in the second pass below. 1426 FunctionType *NewFT = getInstrumentedABI() == IA_Args 1427 ? getArgsFunctionType(FT) 1428 : FT; 1429 1430 // If the function being wrapped has local linkage, then preserve the 1431 // function's linkage in the wrapper function. 1432 GlobalValue::LinkageTypes wrapperLinkage = 1433 F.hasLocalLinkage() 1434 ? F.getLinkage() 1435 : GlobalValue::LinkOnceODRLinkage; 1436 1437 Function *NewF = buildWrapperFunction( 1438 &F, 1439 (shouldTrackOrigins() ? std::string("dfso$") : std::string("dfsw$")) + 1440 std::string(F.getName()), 1441 wrapperLinkage, NewFT); 1442 if (getInstrumentedABI() == IA_TLS) 1443 NewF->removeAttributes(AttributeList::FunctionIndex, ReadOnlyNoneAttrs); 1444 1445 Value *WrappedFnCst = 1446 ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT)); 1447 F.replaceAllUsesWith(WrappedFnCst); 1448 1449 UnwrappedFnMap[WrappedFnCst] = &F; 1450 *i = NewF; 1451 1452 if (!F.isDeclaration()) { 1453 // This function is probably defining an interposition of an 1454 // uninstrumented function and hence needs to keep the original ABI. 1455 // But any functions it may call need to use the instrumented ABI, so 1456 // we instrument it in a mode which preserves the original ABI. 1457 FnsWithNativeABI.insert(&F); 1458 1459 // This code needs to rebuild the iterators, as they may be invalidated 1460 // by the push_back, taking care that the new range does not include 1461 // any functions added by this code. 1462 size_t N = i - FnsToInstrument.begin(), 1463 Count = e - FnsToInstrument.begin(); 1464 FnsToInstrument.push_back(&F); 1465 i = FnsToInstrument.begin() + N; 1466 e = FnsToInstrument.begin() + Count; 1467 } 1468 // Hopefully, nobody will try to indirectly call a vararg 1469 // function... yet. 1470 } else if (FT->isVarArg()) { 1471 UnwrappedFnMap[&F] = &F; 1472 *i = nullptr; 1473 } 1474 } 1475 1476 for (Function *i : FnsToInstrument) { 1477 if (!i || i->isDeclaration()) 1478 continue; 1479 1480 removeUnreachableBlocks(*i); 1481 1482 DFSanFunction DFSF(*this, i, FnsWithNativeABI.count(i)); 1483 1484 // DFSanVisitor may create new basic blocks, which confuses df_iterator. 1485 // Build a copy of the list before iterating over it. 1486 SmallVector<BasicBlock *, 4> BBList(depth_first(&i->getEntryBlock())); 1487 1488 for (BasicBlock *i : BBList) { 1489 Instruction *Inst = &i->front(); 1490 while (true) { 1491 // DFSanVisitor may split the current basic block, changing the current 1492 // instruction's next pointer and moving the next instruction to the 1493 // tail block from which we should continue. 1494 Instruction *Next = Inst->getNextNode(); 1495 // DFSanVisitor may delete Inst, so keep track of whether it was a 1496 // terminator. 1497 bool IsTerminator = Inst->isTerminator(); 1498 if (!DFSF.SkipInsts.count(Inst)) 1499 DFSanVisitor(DFSF).visit(Inst); 1500 if (IsTerminator) 1501 break; 1502 Inst = Next; 1503 } 1504 } 1505 1506 // We will not necessarily be able to compute the shadow for every phi node 1507 // until we have visited every block. Therefore, the code that handles phi 1508 // nodes adds them to the PHIFixups list so that they can be properly 1509 // handled here. 1510 for (std::vector<std::pair<PHINode *, PHINode *>>::iterator 1511 i = DFSF.PHIFixups.begin(), 1512 e = DFSF.PHIFixups.end(); 1513 i != e; ++i) { 1514 for (unsigned val = 0, n = i->first->getNumIncomingValues(); val != n; 1515 ++val) { 1516 i->second->setIncomingValue( 1517 val, DFSF.getShadow(i->first->getIncomingValue(val))); 1518 } 1519 } 1520 1521 // -dfsan-debug-nonzero-labels will split the CFG in all kinds of crazy 1522 // places (i.e. instructions in basic blocks we haven't even begun visiting 1523 // yet). To make our life easier, do this work in a pass after the main 1524 // instrumentation. 1525 if (ClDebugNonzeroLabels) { 1526 for (Value *V : DFSF.NonZeroChecks) { 1527 Instruction *Pos; 1528 if (Instruction *I = dyn_cast<Instruction>(V)) 1529 Pos = I->getNextNode(); 1530 else 1531 Pos = &DFSF.F->getEntryBlock().front(); 1532 while (isa<PHINode>(Pos) || isa<AllocaInst>(Pos)) 1533 Pos = Pos->getNextNode(); 1534 IRBuilder<> IRB(Pos); 1535 Value *PrimitiveShadow = DFSF.collapseToPrimitiveShadow(V, Pos); 1536 Value *Ne = 1537 IRB.CreateICmpNE(PrimitiveShadow, DFSF.DFS.ZeroPrimitiveShadow); 1538 BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen( 1539 Ne, Pos, /*Unreachable=*/false, ColdCallWeights)); 1540 IRBuilder<> ThenIRB(BI); 1541 ThenIRB.CreateCall(DFSF.DFS.DFSanNonzeroLabelFn, {}); 1542 } 1543 } 1544 } 1545 1546 return Changed || !FnsToInstrument.empty() || 1547 M.global_size() != InitialGlobalSize || M.size() != InitialModuleSize; 1548 } 1549 1550 Value *DFSanFunction::getArgTLS(Type *T, unsigned ArgOffset, IRBuilder<> &IRB) { 1551 Value *Base = IRB.CreatePointerCast(DFS.ArgTLS, DFS.IntptrTy); 1552 if (ArgOffset) 1553 Base = IRB.CreateAdd(Base, ConstantInt::get(DFS.IntptrTy, ArgOffset)); 1554 return IRB.CreateIntToPtr(Base, PointerType::get(DFS.getShadowTy(T), 0), 1555 "_dfsarg"); 1556 } 1557 1558 Value *DFSanFunction::getRetvalTLS(Type *T, IRBuilder<> &IRB) { 1559 return IRB.CreatePointerCast( 1560 DFS.RetvalTLS, PointerType::get(DFS.getShadowTy(T), 0), "_dfsret"); 1561 } 1562 1563 Value *DFSanFunction::getRetvalOriginTLS() { return DFS.RetvalOriginTLS; } 1564 1565 Value *DFSanFunction::getArgOriginTLS(unsigned ArgNo, IRBuilder<> &IRB) { 1566 return IRB.CreateConstGEP2_64(DFS.ArgOriginTLSTy, DFS.ArgOriginTLS, 0, ArgNo, 1567 "_dfsarg_o"); 1568 } 1569 1570 Value *DFSanFunction::getOrigin(Value *V) { 1571 assert(DFS.shouldTrackOrigins()); 1572 if (!isa<Argument>(V) && !isa<Instruction>(V)) 1573 return DFS.ZeroOrigin; 1574 Value *&Origin = ValOriginMap[V]; 1575 if (!Origin) { 1576 if (Argument *A = dyn_cast<Argument>(V)) { 1577 if (IsNativeABI) 1578 return DFS.ZeroOrigin; 1579 switch (IA) { 1580 case DataFlowSanitizer::IA_TLS: { 1581 if (A->getArgNo() < DFS.kNumOfElementsInArgOrgTLS) { 1582 Instruction *ArgOriginTLSPos = &*F->getEntryBlock().begin(); 1583 IRBuilder<> IRB(ArgOriginTLSPos); 1584 Value *ArgOriginPtr = getArgOriginTLS(A->getArgNo(), IRB); 1585 Origin = IRB.CreateLoad(DFS.OriginTy, ArgOriginPtr); 1586 } else { 1587 // Overflow 1588 Origin = DFS.ZeroOrigin; 1589 } 1590 break; 1591 } 1592 case DataFlowSanitizer::IA_Args: { 1593 Origin = DFS.ZeroOrigin; 1594 break; 1595 } 1596 } 1597 } else { 1598 Origin = DFS.ZeroOrigin; 1599 } 1600 } 1601 return Origin; 1602 } 1603 1604 void DFSanFunction::setOrigin(Instruction *I, Value *Origin) { 1605 if (!DFS.shouldTrackOrigins()) 1606 return; 1607 assert(!ValOriginMap.count(I)); 1608 assert(Origin->getType() == DFS.OriginTy); 1609 ValOriginMap[I] = Origin; 1610 } 1611 1612 Value *DFSanFunction::getShadowForTLSArgument(Argument *A) { 1613 unsigned ArgOffset = 0; 1614 const DataLayout &DL = F->getParent()->getDataLayout(); 1615 for (auto &FArg : F->args()) { 1616 if (!FArg.getType()->isSized()) { 1617 if (A == &FArg) 1618 break; 1619 continue; 1620 } 1621 1622 unsigned Size = DL.getTypeAllocSize(DFS.getShadowTy(&FArg)); 1623 if (A != &FArg) { 1624 ArgOffset += alignTo(Size, kShadowTLSAlignment); 1625 if (ArgOffset > kArgTLSSize) 1626 break; // ArgTLS overflows, uses a zero shadow. 1627 continue; 1628 } 1629 1630 if (ArgOffset + Size > kArgTLSSize) 1631 break; // ArgTLS overflows, uses a zero shadow. 1632 1633 Instruction *ArgTLSPos = &*F->getEntryBlock().begin(); 1634 IRBuilder<> IRB(ArgTLSPos); 1635 Value *ArgShadowPtr = getArgTLS(FArg.getType(), ArgOffset, IRB); 1636 return IRB.CreateAlignedLoad(DFS.getShadowTy(&FArg), ArgShadowPtr, 1637 kShadowTLSAlignment); 1638 } 1639 1640 return DFS.getZeroShadow(A); 1641 } 1642 1643 Value *DFSanFunction::getShadow(Value *V) { 1644 if (!isa<Argument>(V) && !isa<Instruction>(V)) 1645 return DFS.getZeroShadow(V); 1646 Value *&Shadow = ValShadowMap[V]; 1647 if (!Shadow) { 1648 if (Argument *A = dyn_cast<Argument>(V)) { 1649 if (IsNativeABI) 1650 return DFS.getZeroShadow(V); 1651 switch (IA) { 1652 case DataFlowSanitizer::IA_TLS: { 1653 Shadow = getShadowForTLSArgument(A); 1654 break; 1655 } 1656 case DataFlowSanitizer::IA_Args: { 1657 unsigned ArgIdx = A->getArgNo() + F->arg_size() / 2; 1658 Function::arg_iterator i = F->arg_begin(); 1659 while (ArgIdx--) 1660 ++i; 1661 Shadow = &*i; 1662 assert(Shadow->getType() == DFS.PrimitiveShadowTy); 1663 break; 1664 } 1665 } 1666 NonZeroChecks.push_back(Shadow); 1667 } else { 1668 Shadow = DFS.getZeroShadow(V); 1669 } 1670 } 1671 return Shadow; 1672 } 1673 1674 void DFSanFunction::setShadow(Instruction *I, Value *Shadow) { 1675 assert(!ValShadowMap.count(I)); 1676 assert(DFS.shouldTrackFieldsAndIndices() || 1677 Shadow->getType() == DFS.PrimitiveShadowTy); 1678 ValShadowMap[I] = Shadow; 1679 } 1680 1681 Value *DataFlowSanitizer::getShadowOffset(Value *Addr, IRBuilder<> &IRB) { 1682 // Returns Addr & shadow_mask 1683 assert(Addr != RetvalTLS && "Reinstrumenting?"); 1684 Value *ShadowPtrMaskValue; 1685 if (DFSanRuntimeShadowMask) 1686 ShadowPtrMaskValue = IRB.CreateLoad(IntptrTy, ExternalShadowMask); 1687 else 1688 ShadowPtrMaskValue = ShadowPtrMask; 1689 return IRB.CreateAnd(IRB.CreatePtrToInt(Addr, IntptrTy), 1690 IRB.CreatePtrToInt(ShadowPtrMaskValue, IntptrTy)); 1691 } 1692 /* 1693 std::pair<Value *, Value *> 1694 DataFlowSanitizer::getShadowOriginAddress(Value *Addr, Align InstAlignment, 1695 Instruction *Pos) { 1696 // Returns ((Addr & shadow_mask) + origin_base) & ~4UL 1697 IRBuilder<> IRB(Pos); 1698 Value *ShadowOffset = getShadowOffset(Addr, IRB); 1699 Value *ShadowPtr = IRB.CreateIntToPtr( 1700 IRB.CreateMul(ShadowOffset, ShadowPtrMul), PrimitiveShadowPtrTy); 1701 Value *OriginPtr = nullptr; 1702 if (shouldTrackOrigins()) { 1703 Value *OriginLong = IRB.CreateAdd(ShadowOffset, OriginBase); 1704 const Align Alignment = llvm::assumeAligned(InstAlignment.value()); 1705 // When alignment is >= 4, Addr must be aligned to 4, otherwise it is UB. 1706 // So Mask is unnecessary. 1707 if (Alignment < kMinOriginAlignment) { 1708 uint64_t Mask = kMinOriginAlignment.value() - 1; 1709 OriginLong = IRB.CreateAnd(OriginLong, ConstantInt::get(IntptrTy, ~Mask)); 1710 } 1711 OriginPtr = IRB.CreateIntToPtr(OriginLong, OriginPtrTy); 1712 } 1713 return {ShadowPtr, OriginPtr}; 1714 } 1715 */ 1716 Value *DataFlowSanitizer::getShadowAddress(Value *Addr, Instruction *Pos) { 1717 // Returns (Addr & shadow_mask) x 2 1718 IRBuilder<> IRB(Pos); 1719 Value *ShadowOffset = getShadowOffset(Addr, IRB); 1720 return IRB.CreateIntToPtr(IRB.CreateMul(ShadowOffset, ShadowPtrMul), 1721 PrimitiveShadowPtrTy); 1722 } 1723 1724 Value *DFSanFunction::combineShadowsThenConvert(Type *T, Value *V1, Value *V2, 1725 Instruction *Pos) { 1726 Value *PrimitiveValue = combineShadows(V1, V2, Pos); 1727 return expandFromPrimitiveShadow(T, PrimitiveValue, Pos); 1728 } 1729 1730 // Generates IR to compute the union of the two given shadows, inserting it 1731 // before Pos. The combined value is with primitive type. 1732 Value *DFSanFunction::combineShadows(Value *V1, Value *V2, Instruction *Pos) { 1733 if (DFS.isZeroShadow(V1)) 1734 return collapseToPrimitiveShadow(V2, Pos); 1735 if (DFS.isZeroShadow(V2)) 1736 return collapseToPrimitiveShadow(V1, Pos); 1737 if (V1 == V2) 1738 return collapseToPrimitiveShadow(V1, Pos); 1739 1740 auto V1Elems = ShadowElements.find(V1); 1741 auto V2Elems = ShadowElements.find(V2); 1742 if (V1Elems != ShadowElements.end() && V2Elems != ShadowElements.end()) { 1743 if (std::includes(V1Elems->second.begin(), V1Elems->second.end(), 1744 V2Elems->second.begin(), V2Elems->second.end())) { 1745 return collapseToPrimitiveShadow(V1, Pos); 1746 } else if (std::includes(V2Elems->second.begin(), V2Elems->second.end(), 1747 V1Elems->second.begin(), V1Elems->second.end())) { 1748 return collapseToPrimitiveShadow(V2, Pos); 1749 } 1750 } else if (V1Elems != ShadowElements.end()) { 1751 if (V1Elems->second.count(V2)) 1752 return collapseToPrimitiveShadow(V1, Pos); 1753 } else if (V2Elems != ShadowElements.end()) { 1754 if (V2Elems->second.count(V1)) 1755 return collapseToPrimitiveShadow(V2, Pos); 1756 } 1757 1758 auto Key = std::make_pair(V1, V2); 1759 if (V1 > V2) 1760 std::swap(Key.first, Key.second); 1761 CachedShadow &CCS = CachedShadows[Key]; 1762 if (CCS.Block && DT.dominates(CCS.Block, Pos->getParent())) 1763 return CCS.Shadow; 1764 1765 // Converts inputs shadows to shadows with primitive types. 1766 Value *PV1 = collapseToPrimitiveShadow(V1, Pos); 1767 Value *PV2 = collapseToPrimitiveShadow(V2, Pos); 1768 1769 IRBuilder<> IRB(Pos); 1770 if (ClFast16Labels) { 1771 CCS.Block = Pos->getParent(); 1772 CCS.Shadow = IRB.CreateOr(PV1, PV2); 1773 } else if (AvoidNewBlocks) { 1774 CallInst *Call = IRB.CreateCall(DFS.DFSanCheckedUnionFn, {PV1, PV2}); 1775 Call->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt); 1776 Call->addParamAttr(0, Attribute::ZExt); 1777 Call->addParamAttr(1, Attribute::ZExt); 1778 1779 CCS.Block = Pos->getParent(); 1780 CCS.Shadow = Call; 1781 } else { 1782 BasicBlock *Head = Pos->getParent(); 1783 Value *Ne = IRB.CreateICmpNE(PV1, PV2); 1784 BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen( 1785 Ne, Pos, /*Unreachable=*/false, DFS.ColdCallWeights, &DT)); 1786 IRBuilder<> ThenIRB(BI); 1787 CallInst *Call = ThenIRB.CreateCall(DFS.DFSanUnionFn, {PV1, PV2}); 1788 Call->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt); 1789 Call->addParamAttr(0, Attribute::ZExt); 1790 Call->addParamAttr(1, Attribute::ZExt); 1791 1792 BasicBlock *Tail = BI->getSuccessor(0); 1793 PHINode *Phi = 1794 PHINode::Create(DFS.PrimitiveShadowTy, 2, "", &Tail->front()); 1795 Phi->addIncoming(Call, Call->getParent()); 1796 Phi->addIncoming(PV1, Head); 1797 1798 CCS.Block = Tail; 1799 CCS.Shadow = Phi; 1800 } 1801 1802 std::set<Value *> UnionElems; 1803 if (V1Elems != ShadowElements.end()) { 1804 UnionElems = V1Elems->second; 1805 } else { 1806 UnionElems.insert(V1); 1807 } 1808 if (V2Elems != ShadowElements.end()) { 1809 UnionElems.insert(V2Elems->second.begin(), V2Elems->second.end()); 1810 } else { 1811 UnionElems.insert(V2); 1812 } 1813 ShadowElements[CCS.Shadow] = std::move(UnionElems); 1814 1815 return CCS.Shadow; 1816 } 1817 1818 // A convenience function which folds the shadows of each of the operands 1819 // of the provided instruction Inst, inserting the IR before Inst. Returns 1820 // the computed union Value. 1821 Value *DFSanFunction::combineOperandShadows(Instruction *Inst) { 1822 if (Inst->getNumOperands() == 0) 1823 return DFS.getZeroShadow(Inst); 1824 1825 Value *Shadow = getShadow(Inst->getOperand(0)); 1826 for (unsigned i = 1, n = Inst->getNumOperands(); i != n; ++i) { 1827 Shadow = combineShadows(Shadow, getShadow(Inst->getOperand(i)), Inst); 1828 } 1829 return expandFromPrimitiveShadow(Inst->getType(), Shadow, Inst); 1830 } 1831 1832 void DFSanVisitor::visitInstOperands(Instruction &I) { 1833 Value *CombinedShadow = DFSF.combineOperandShadows(&I); 1834 DFSF.setShadow(&I, CombinedShadow); 1835 visitInstOperandOrigins(I); 1836 } 1837 1838 Value *DFSanFunction::combineOrigins(const std::vector<Value *> &Shadows, 1839 const std::vector<Value *> &Origins, 1840 Instruction *Pos, ConstantInt *Zero) { 1841 assert(Shadows.size() == Origins.size()); 1842 size_t Size = Origins.size(); 1843 if (Size == 0) 1844 return DFS.ZeroOrigin; 1845 Value *Origin = nullptr; 1846 if (!Zero) 1847 Zero = DFS.ZeroPrimitiveShadow; 1848 for (size_t I = 0; I != Size; ++I) { 1849 Value *OpOrigin = Origins[I]; 1850 Constant *ConstOpOrigin = dyn_cast<Constant>(OpOrigin); 1851 if (ConstOpOrigin && ConstOpOrigin->isNullValue()) 1852 continue; 1853 if (!Origin) { 1854 Origin = OpOrigin; 1855 continue; 1856 } 1857 Value *OpShadow = Shadows[I]; 1858 Value *PrimitiveShadow = collapseToPrimitiveShadow(OpShadow, Pos); 1859 IRBuilder<> IRB(Pos); 1860 Value *Cond = IRB.CreateICmpNE(PrimitiveShadow, Zero); 1861 Origin = IRB.CreateSelect(Cond, OpOrigin, Origin); 1862 } 1863 return Origin ? Origin : DFS.ZeroOrigin; 1864 } 1865 1866 Value *DFSanFunction::combineOperandOrigins(Instruction *Inst) { 1867 size_t Size = Inst->getNumOperands(); 1868 std::vector<Value *> Shadows(Size); 1869 std::vector<Value *> Origins(Size); 1870 for (unsigned I = 0; I != Size; ++I) { 1871 Shadows[I] = getShadow(Inst->getOperand(I)); 1872 Origins[I] = getOrigin(Inst->getOperand(I)); 1873 } 1874 return combineOrigins(Shadows, Origins, Inst); 1875 } 1876 1877 void DFSanVisitor::visitInstOperandOrigins(Instruction &I) { 1878 if (!DFSF.DFS.shouldTrackOrigins()) 1879 return; 1880 Value *CombinedOrigin = DFSF.combineOperandOrigins(&I); 1881 DFSF.setOrigin(&I, CombinedOrigin); 1882 } 1883 1884 Align DFSanFunction::getShadowAlign(Align InstAlignment) { 1885 const Align Alignment = ClPreserveAlignment ? InstAlignment : Align(1); 1886 return Align(Alignment.value() * DFS.ShadowWidthBytes); 1887 } 1888 1889 Value *DFSanFunction::loadFast16ShadowFast(Value *ShadowAddr, uint64_t Size, 1890 Align ShadowAlign, 1891 Instruction *Pos) { 1892 // First OR all the WideShadows, then OR individual shadows within the 1893 // combined WideShadow. This is fewer instructions than ORing shadows 1894 // individually. 1895 IRBuilder<> IRB(Pos); 1896 Value *WideAddr = 1897 IRB.CreateBitCast(ShadowAddr, Type::getInt64PtrTy(*DFS.Ctx)); 1898 Value *CombinedWideShadow = 1899 IRB.CreateAlignedLoad(IRB.getInt64Ty(), WideAddr, ShadowAlign); 1900 for (uint64_t Ofs = 64 / DFS.ShadowWidthBits; Ofs != Size; 1901 Ofs += 64 / DFS.ShadowWidthBits) { 1902 WideAddr = IRB.CreateGEP(Type::getInt64Ty(*DFS.Ctx), WideAddr, 1903 ConstantInt::get(DFS.IntptrTy, 1)); 1904 Value *NextWideShadow = 1905 IRB.CreateAlignedLoad(IRB.getInt64Ty(), WideAddr, ShadowAlign); 1906 CombinedWideShadow = IRB.CreateOr(CombinedWideShadow, NextWideShadow); 1907 } 1908 for (unsigned Width = 32; Width >= DFS.ShadowWidthBits; Width >>= 1) { 1909 Value *ShrShadow = IRB.CreateLShr(CombinedWideShadow, Width); 1910 CombinedWideShadow = IRB.CreateOr(CombinedWideShadow, ShrShadow); 1911 } 1912 return IRB.CreateTrunc(CombinedWideShadow, DFS.PrimitiveShadowTy); 1913 } 1914 1915 Value *DFSanFunction::loadLegacyShadowFast(Value *ShadowAddr, uint64_t Size, 1916 Align ShadowAlign, 1917 Instruction *Pos) { 1918 // Fast path for the common case where each byte has identical shadow: load 1919 // shadow 64 bits at a time, fall out to a __dfsan_union_load call if any 1920 // shadow is non-equal. 1921 BasicBlock *FallbackBB = BasicBlock::Create(*DFS.Ctx, "", F); 1922 IRBuilder<> FallbackIRB(FallbackBB); 1923 CallInst *FallbackCall = FallbackIRB.CreateCall( 1924 DFS.DFSanUnionLoadFn, {ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)}); 1925 FallbackCall->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt); 1926 1927 // Compare each of the shadows stored in the loaded 64 bits to each other, 1928 // by computing (WideShadow rotl ShadowWidthBits) == WideShadow. 1929 IRBuilder<> IRB(Pos); 1930 Value *WideAddr = 1931 IRB.CreateBitCast(ShadowAddr, Type::getInt64PtrTy(*DFS.Ctx)); 1932 Value *WideShadow = 1933 IRB.CreateAlignedLoad(IRB.getInt64Ty(), WideAddr, ShadowAlign); 1934 Value *TruncShadow = IRB.CreateTrunc(WideShadow, DFS.PrimitiveShadowTy); 1935 Value *ShlShadow = IRB.CreateShl(WideShadow, DFS.ShadowWidthBits); 1936 Value *ShrShadow = IRB.CreateLShr(WideShadow, 64 - DFS.ShadowWidthBits); 1937 Value *RotShadow = IRB.CreateOr(ShlShadow, ShrShadow); 1938 Value *ShadowsEq = IRB.CreateICmpEQ(WideShadow, RotShadow); 1939 1940 BasicBlock *Head = Pos->getParent(); 1941 BasicBlock *Tail = Head->splitBasicBlock(Pos->getIterator()); 1942 1943 if (DomTreeNode *OldNode = DT.getNode(Head)) { 1944 std::vector<DomTreeNode *> Children(OldNode->begin(), OldNode->end()); 1945 1946 DomTreeNode *NewNode = DT.addNewBlock(Tail, Head); 1947 for (auto *Child : Children) 1948 DT.changeImmediateDominator(Child, NewNode); 1949 } 1950 1951 // In the following code LastBr will refer to the previous basic block's 1952 // conditional branch instruction, whose true successor is fixed up to point 1953 // to the next block during the loop below or to the tail after the final 1954 // iteration. 1955 BranchInst *LastBr = BranchInst::Create(FallbackBB, FallbackBB, ShadowsEq); 1956 ReplaceInstWithInst(Head->getTerminator(), LastBr); 1957 DT.addNewBlock(FallbackBB, Head); 1958 1959 for (uint64_t Ofs = 64 / DFS.ShadowWidthBits; Ofs != Size; 1960 Ofs += 64 / DFS.ShadowWidthBits) { 1961 BasicBlock *NextBB = BasicBlock::Create(*DFS.Ctx, "", F); 1962 DT.addNewBlock(NextBB, LastBr->getParent()); 1963 IRBuilder<> NextIRB(NextBB); 1964 WideAddr = NextIRB.CreateGEP(Type::getInt64Ty(*DFS.Ctx), WideAddr, 1965 ConstantInt::get(DFS.IntptrTy, 1)); 1966 Value *NextWideShadow = 1967 NextIRB.CreateAlignedLoad(NextIRB.getInt64Ty(), WideAddr, ShadowAlign); 1968 ShadowsEq = NextIRB.CreateICmpEQ(WideShadow, NextWideShadow); 1969 LastBr->setSuccessor(0, NextBB); 1970 LastBr = NextIRB.CreateCondBr(ShadowsEq, FallbackBB, FallbackBB); 1971 } 1972 1973 LastBr->setSuccessor(0, Tail); 1974 FallbackIRB.CreateBr(Tail); 1975 PHINode *Shadow = 1976 PHINode::Create(DFS.PrimitiveShadowTy, 2, "", &Tail->front()); 1977 Shadow->addIncoming(FallbackCall, FallbackBB); 1978 Shadow->addIncoming(TruncShadow, LastBr->getParent()); 1979 return Shadow; 1980 } 1981 1982 // Generates IR to load shadow corresponding to bytes [Addr, Addr+Size), where 1983 // Addr has alignment Align, and take the union of each of those shadows. The 1984 // returned shadow always has primitive type. 1985 Value *DFSanFunction::loadShadow(Value *Addr, uint64_t Size, uint64_t Align, 1986 Instruction *Pos) { 1987 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) { 1988 const auto i = AllocaShadowMap.find(AI); 1989 if (i != AllocaShadowMap.end()) { 1990 IRBuilder<> IRB(Pos); 1991 return IRB.CreateLoad(DFS.PrimitiveShadowTy, i->second); 1992 } 1993 } 1994 1995 const llvm::Align ShadowAlign(Align * DFS.ShadowWidthBytes); 1996 SmallVector<const Value *, 2> Objs; 1997 getUnderlyingObjects(Addr, Objs); 1998 bool AllConstants = true; 1999 for (const Value *Obj : Objs) { 2000 if (isa<Function>(Obj) || isa<BlockAddress>(Obj)) 2001 continue; 2002 if (isa<GlobalVariable>(Obj) && cast<GlobalVariable>(Obj)->isConstant()) 2003 continue; 2004 2005 AllConstants = false; 2006 break; 2007 } 2008 if (AllConstants) 2009 return DFS.ZeroPrimitiveShadow; 2010 2011 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos); 2012 switch (Size) { 2013 case 0: 2014 return DFS.ZeroPrimitiveShadow; 2015 case 1: { 2016 LoadInst *LI = new LoadInst(DFS.PrimitiveShadowTy, ShadowAddr, "", Pos); 2017 LI->setAlignment(ShadowAlign); 2018 return LI; 2019 } 2020 case 2: { 2021 IRBuilder<> IRB(Pos); 2022 Value *ShadowAddr1 = IRB.CreateGEP(DFS.PrimitiveShadowTy, ShadowAddr, 2023 ConstantInt::get(DFS.IntptrTy, 1)); 2024 return combineShadows( 2025 IRB.CreateAlignedLoad(DFS.PrimitiveShadowTy, ShadowAddr, ShadowAlign), 2026 IRB.CreateAlignedLoad(DFS.PrimitiveShadowTy, ShadowAddr1, ShadowAlign), 2027 Pos); 2028 } 2029 } 2030 2031 if (ClFast16Labels && Size % (64 / DFS.ShadowWidthBits) == 0) 2032 return loadFast16ShadowFast(ShadowAddr, Size, ShadowAlign, Pos); 2033 2034 if (!AvoidNewBlocks && Size % (64 / DFS.ShadowWidthBits) == 0) 2035 return loadLegacyShadowFast(ShadowAddr, Size, ShadowAlign, Pos); 2036 2037 IRBuilder<> IRB(Pos); 2038 FunctionCallee &UnionLoadFn = 2039 ClFast16Labels ? DFS.DFSanUnionLoadFast16LabelsFn : DFS.DFSanUnionLoadFn; 2040 CallInst *FallbackCall = IRB.CreateCall( 2041 UnionLoadFn, {ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)}); 2042 FallbackCall->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt); 2043 return FallbackCall; 2044 } 2045 2046 static AtomicOrdering addAcquireOrdering(AtomicOrdering AO) { 2047 switch (AO) { 2048 case AtomicOrdering::NotAtomic: 2049 return AtomicOrdering::NotAtomic; 2050 case AtomicOrdering::Unordered: 2051 case AtomicOrdering::Monotonic: 2052 case AtomicOrdering::Acquire: 2053 return AtomicOrdering::Acquire; 2054 case AtomicOrdering::Release: 2055 case AtomicOrdering::AcquireRelease: 2056 return AtomicOrdering::AcquireRelease; 2057 case AtomicOrdering::SequentiallyConsistent: 2058 return AtomicOrdering::SequentiallyConsistent; 2059 } 2060 llvm_unreachable("Unknown ordering"); 2061 } 2062 2063 void DFSanVisitor::visitLoadInst(LoadInst &LI) { 2064 auto &DL = LI.getModule()->getDataLayout(); 2065 uint64_t Size = DL.getTypeStoreSize(LI.getType()); 2066 if (Size == 0) { 2067 DFSF.setShadow(&LI, DFSF.DFS.getZeroShadow(&LI)); 2068 return; 2069 } 2070 2071 // When an application load is atomic, increase atomic ordering between 2072 // atomic application loads and stores to ensure happen-before order; load 2073 // shadow data after application data; store zero shadow data before 2074 // application data. This ensure shadow loads return either labels of the 2075 // initial application data or zeros. 2076 if (LI.isAtomic()) 2077 LI.setOrdering(addAcquireOrdering(LI.getOrdering())); 2078 2079 Align Alignment = ClPreserveAlignment ? LI.getAlign() : Align(1); 2080 Instruction *Pos = LI.isAtomic() ? LI.getNextNode() : &LI; 2081 Value *PrimitiveShadow = 2082 DFSF.loadShadow(LI.getPointerOperand(), Size, Alignment.value(), Pos); 2083 if (ClCombinePointerLabelsOnLoad) { 2084 Value *PtrShadow = DFSF.getShadow(LI.getPointerOperand()); 2085 PrimitiveShadow = DFSF.combineShadows(PrimitiveShadow, PtrShadow, Pos); 2086 } 2087 if (!DFSF.DFS.isZeroShadow(PrimitiveShadow)) 2088 DFSF.NonZeroChecks.push_back(PrimitiveShadow); 2089 2090 Value *Shadow = 2091 DFSF.expandFromPrimitiveShadow(LI.getType(), PrimitiveShadow, Pos); 2092 DFSF.setShadow(&LI, Shadow); 2093 if (ClEventCallbacks) { 2094 IRBuilder<> IRB(Pos); 2095 Value *Addr8 = IRB.CreateBitCast(LI.getPointerOperand(), DFSF.DFS.Int8Ptr); 2096 IRB.CreateCall(DFSF.DFS.DFSanLoadCallbackFn, {PrimitiveShadow, Addr8}); 2097 } 2098 } 2099 2100 void DFSanFunction::storeZeroPrimitiveShadow(Value *Addr, uint64_t Size, 2101 Align ShadowAlign, 2102 Instruction *Pos) { 2103 IRBuilder<> IRB(Pos); 2104 IntegerType *ShadowTy = 2105 IntegerType::get(*DFS.Ctx, Size * DFS.ShadowWidthBits); 2106 Value *ExtZeroShadow = ConstantInt::get(ShadowTy, 0); 2107 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos); 2108 Value *ExtShadowAddr = 2109 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowTy)); 2110 IRB.CreateAlignedStore(ExtZeroShadow, ExtShadowAddr, ShadowAlign); 2111 // Do not write origins for 0 shadows because we do not trace origins for 2112 // untainted sinks. 2113 } 2114 void DFSanFunction::storePrimitiveShadow(Value *Addr, uint64_t Size, 2115 Align Alignment, 2116 Value *PrimitiveShadow, 2117 Instruction *Pos) { 2118 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) { 2119 const auto i = AllocaShadowMap.find(AI); 2120 if (i != AllocaShadowMap.end()) { 2121 IRBuilder<> IRB(Pos); 2122 IRB.CreateStore(PrimitiveShadow, i->second); 2123 return; 2124 } 2125 } 2126 2127 const Align ShadowAlign(Alignment.value() * DFS.ShadowWidthBytes); 2128 if (DFS.isZeroShadow(PrimitiveShadow)) { 2129 storeZeroPrimitiveShadow(Addr, Size, ShadowAlign, Pos); 2130 return; 2131 } 2132 2133 IRBuilder<> IRB(Pos); 2134 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos); 2135 const unsigned ShadowVecSize = 128 / DFS.ShadowWidthBits; 2136 uint64_t Offset = 0; 2137 if (Size >= ShadowVecSize) { 2138 auto *ShadowVecTy = 2139 FixedVectorType::get(DFS.PrimitiveShadowTy, ShadowVecSize); 2140 Value *ShadowVec = UndefValue::get(ShadowVecTy); 2141 for (unsigned i = 0; i != ShadowVecSize; ++i) { 2142 ShadowVec = IRB.CreateInsertElement( 2143 ShadowVec, PrimitiveShadow, 2144 ConstantInt::get(Type::getInt32Ty(*DFS.Ctx), i)); 2145 } 2146 Value *ShadowVecAddr = 2147 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowVecTy)); 2148 do { 2149 Value *CurShadowVecAddr = 2150 IRB.CreateConstGEP1_32(ShadowVecTy, ShadowVecAddr, Offset); 2151 IRB.CreateAlignedStore(ShadowVec, CurShadowVecAddr, ShadowAlign); 2152 Size -= ShadowVecSize; 2153 ++Offset; 2154 } while (Size >= ShadowVecSize); 2155 Offset *= ShadowVecSize; 2156 } 2157 while (Size > 0) { 2158 Value *CurShadowAddr = 2159 IRB.CreateConstGEP1_32(DFS.PrimitiveShadowTy, ShadowAddr, Offset); 2160 IRB.CreateAlignedStore(PrimitiveShadow, CurShadowAddr, ShadowAlign); 2161 --Size; 2162 ++Offset; 2163 } 2164 } 2165 2166 static AtomicOrdering addReleaseOrdering(AtomicOrdering AO) { 2167 switch (AO) { 2168 case AtomicOrdering::NotAtomic: 2169 return AtomicOrdering::NotAtomic; 2170 case AtomicOrdering::Unordered: 2171 case AtomicOrdering::Monotonic: 2172 case AtomicOrdering::Release: 2173 return AtomicOrdering::Release; 2174 case AtomicOrdering::Acquire: 2175 case AtomicOrdering::AcquireRelease: 2176 return AtomicOrdering::AcquireRelease; 2177 case AtomicOrdering::SequentiallyConsistent: 2178 return AtomicOrdering::SequentiallyConsistent; 2179 } 2180 llvm_unreachable("Unknown ordering"); 2181 } 2182 2183 void DFSanVisitor::visitStoreInst(StoreInst &SI) { 2184 auto &DL = SI.getModule()->getDataLayout(); 2185 Value *Val = SI.getValueOperand(); 2186 uint64_t Size = DL.getTypeStoreSize(Val->getType()); 2187 if (Size == 0) 2188 return; 2189 2190 // When an application store is atomic, increase atomic ordering between 2191 // atomic application loads and stores to ensure happen-before order; load 2192 // shadow data after application data; store zero shadow data before 2193 // application data. This ensure shadow loads return either labels of the 2194 // initial application data or zeros. 2195 if (SI.isAtomic()) 2196 SI.setOrdering(addReleaseOrdering(SI.getOrdering())); 2197 2198 const Align Alignment = ClPreserveAlignment ? SI.getAlign() : Align(1); 2199 2200 Value *Shadow = 2201 SI.isAtomic() ? DFSF.DFS.getZeroShadow(Val) : DFSF.getShadow(Val); 2202 Value *PrimitiveShadow; 2203 if (ClCombinePointerLabelsOnStore) { 2204 Value *PtrShadow = DFSF.getShadow(SI.getPointerOperand()); 2205 PrimitiveShadow = DFSF.combineShadows(Shadow, PtrShadow, &SI); 2206 } else { 2207 PrimitiveShadow = DFSF.collapseToPrimitiveShadow(Shadow, &SI); 2208 } 2209 DFSF.storePrimitiveShadow(SI.getPointerOperand(), Size, Alignment, 2210 PrimitiveShadow, &SI); 2211 if (ClEventCallbacks) { 2212 IRBuilder<> IRB(&SI); 2213 Value *Addr8 = IRB.CreateBitCast(SI.getPointerOperand(), DFSF.DFS.Int8Ptr); 2214 IRB.CreateCall(DFSF.DFS.DFSanStoreCallbackFn, {PrimitiveShadow, Addr8}); 2215 } 2216 } 2217 2218 void DFSanVisitor::visitCASOrRMW(Align InstAlignment, Instruction &I) { 2219 assert(isa<AtomicRMWInst>(I) || isa<AtomicCmpXchgInst>(I)); 2220 2221 Value *Val = I.getOperand(1); 2222 const auto &DL = I.getModule()->getDataLayout(); 2223 uint64_t Size = DL.getTypeStoreSize(Val->getType()); 2224 if (Size == 0) 2225 return; 2226 2227 // Conservatively set data at stored addresses and return with zero shadow to 2228 // prevent shadow data races. 2229 IRBuilder<> IRB(&I); 2230 Value *Addr = I.getOperand(0); 2231 const Align ShadowAlign = DFSF.getShadowAlign(InstAlignment); 2232 DFSF.storeZeroPrimitiveShadow(Addr, Size, ShadowAlign, &I); 2233 DFSF.setShadow(&I, DFSF.DFS.getZeroShadow(&I)); 2234 } 2235 2236 void DFSanVisitor::visitAtomicRMWInst(AtomicRMWInst &I) { 2237 visitCASOrRMW(I.getAlign(), I); 2238 // TODO: The ordering change follows MSan. It is possible not to change 2239 // ordering because we always set and use 0 shadows. 2240 I.setOrdering(addReleaseOrdering(I.getOrdering())); 2241 } 2242 2243 void DFSanVisitor::visitAtomicCmpXchgInst(AtomicCmpXchgInst &I) { 2244 visitCASOrRMW(I.getAlign(), I); 2245 // TODO: The ordering change follows MSan. It is possible not to change 2246 // ordering because we always set and use 0 shadows. 2247 I.setSuccessOrdering(addReleaseOrdering(I.getSuccessOrdering())); 2248 } 2249 2250 void DFSanVisitor::visitUnaryOperator(UnaryOperator &UO) { 2251 visitInstOperands(UO); 2252 } 2253 2254 void DFSanVisitor::visitBinaryOperator(BinaryOperator &BO) { 2255 visitInstOperands(BO); 2256 } 2257 2258 void DFSanVisitor::visitCastInst(CastInst &CI) { visitInstOperands(CI); } 2259 2260 void DFSanVisitor::visitCmpInst(CmpInst &CI) { 2261 visitInstOperands(CI); 2262 if (ClEventCallbacks) { 2263 IRBuilder<> IRB(&CI); 2264 Value *CombinedShadow = DFSF.getShadow(&CI); 2265 IRB.CreateCall(DFSF.DFS.DFSanCmpCallbackFn, CombinedShadow); 2266 } 2267 } 2268 2269 void DFSanVisitor::visitGetElementPtrInst(GetElementPtrInst &GEPI) { 2270 visitInstOperands(GEPI); 2271 } 2272 2273 void DFSanVisitor::visitExtractElementInst(ExtractElementInst &I) { 2274 visitInstOperands(I); 2275 } 2276 2277 void DFSanVisitor::visitInsertElementInst(InsertElementInst &I) { 2278 visitInstOperands(I); 2279 } 2280 2281 void DFSanVisitor::visitShuffleVectorInst(ShuffleVectorInst &I) { 2282 visitInstOperands(I); 2283 } 2284 2285 void DFSanVisitor::visitExtractValueInst(ExtractValueInst &I) { 2286 if (!DFSF.DFS.shouldTrackFieldsAndIndices()) { 2287 visitInstOperands(I); 2288 return; 2289 } 2290 2291 IRBuilder<> IRB(&I); 2292 Value *Agg = I.getAggregateOperand(); 2293 Value *AggShadow = DFSF.getShadow(Agg); 2294 Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices()); 2295 DFSF.setShadow(&I, ResShadow); 2296 visitInstOperandOrigins(I); 2297 } 2298 2299 void DFSanVisitor::visitInsertValueInst(InsertValueInst &I) { 2300 if (!DFSF.DFS.shouldTrackFieldsAndIndices()) { 2301 visitInstOperands(I); 2302 return; 2303 } 2304 2305 IRBuilder<> IRB(&I); 2306 Value *AggShadow = DFSF.getShadow(I.getAggregateOperand()); 2307 Value *InsShadow = DFSF.getShadow(I.getInsertedValueOperand()); 2308 Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices()); 2309 DFSF.setShadow(&I, Res); 2310 visitInstOperandOrigins(I); 2311 } 2312 2313 void DFSanVisitor::visitAllocaInst(AllocaInst &I) { 2314 bool AllLoadsStores = true; 2315 for (User *U : I.users()) { 2316 if (isa<LoadInst>(U)) 2317 continue; 2318 2319 if (StoreInst *SI = dyn_cast<StoreInst>(U)) { 2320 if (SI->getPointerOperand() == &I) 2321 continue; 2322 } 2323 2324 AllLoadsStores = false; 2325 break; 2326 } 2327 if (AllLoadsStores) { 2328 IRBuilder<> IRB(&I); 2329 DFSF.AllocaShadowMap[&I] = IRB.CreateAlloca(DFSF.DFS.PrimitiveShadowTy); 2330 } 2331 DFSF.setShadow(&I, DFSF.DFS.ZeroPrimitiveShadow); 2332 } 2333 2334 void DFSanVisitor::visitSelectInst(SelectInst &I) { 2335 Value *CondShadow = DFSF.getShadow(I.getCondition()); 2336 Value *TrueShadow = DFSF.getShadow(I.getTrueValue()); 2337 Value *FalseShadow = DFSF.getShadow(I.getFalseValue()); 2338 Value *ShadowSel = nullptr; 2339 const bool ShouldTrackOrigins = DFSF.DFS.shouldTrackOrigins(); 2340 std::vector<Value *> Shadows; 2341 std::vector<Value *> Origins; 2342 Value *TrueOrigin = 2343 ShouldTrackOrigins ? DFSF.getOrigin(I.getTrueValue()) : nullptr; 2344 Value *FalseOrigin = 2345 ShouldTrackOrigins ? DFSF.getOrigin(I.getFalseValue()) : nullptr; 2346 2347 if (isa<VectorType>(I.getCondition()->getType())) { 2348 ShadowSel = DFSF.combineShadowsThenConvert(I.getType(), TrueShadow, 2349 FalseShadow, &I); 2350 if (ShouldTrackOrigins) { 2351 Shadows.push_back(TrueShadow); 2352 Shadows.push_back(FalseShadow); 2353 Origins.push_back(TrueOrigin); 2354 Origins.push_back(FalseOrigin); 2355 } 2356 } else { 2357 if (TrueShadow == FalseShadow) { 2358 ShadowSel = TrueShadow; 2359 if (ShouldTrackOrigins) { 2360 Shadows.push_back(TrueShadow); 2361 Origins.push_back(TrueOrigin); 2362 } 2363 } else { 2364 ShadowSel = 2365 SelectInst::Create(I.getCondition(), TrueShadow, FalseShadow, "", &I); 2366 if (ShouldTrackOrigins) { 2367 Shadows.push_back(ShadowSel); 2368 Origins.push_back(SelectInst::Create(I.getCondition(), TrueOrigin, 2369 FalseOrigin, "", &I)); 2370 } 2371 } 2372 } 2373 DFSF.setShadow(&I, ClTrackSelectControlFlow 2374 ? DFSF.combineShadowsThenConvert( 2375 I.getType(), CondShadow, ShadowSel, &I) 2376 : ShadowSel); 2377 if (ShouldTrackOrigins) { 2378 if (ClTrackSelectControlFlow) { 2379 Shadows.push_back(CondShadow); 2380 Origins.push_back(DFSF.getOrigin(I.getCondition())); 2381 } 2382 DFSF.setOrigin(&I, DFSF.combineOrigins(Shadows, Origins, &I)); 2383 } 2384 } 2385 2386 void DFSanVisitor::visitMemSetInst(MemSetInst &I) { 2387 IRBuilder<> IRB(&I); 2388 Value *ValShadow = DFSF.getShadow(I.getValue()); 2389 Value *ValOrigin = DFSF.DFS.shouldTrackOrigins() 2390 ? DFSF.getOrigin(I.getValue()) 2391 : DFSF.DFS.ZeroOrigin; 2392 IRB.CreateCall( 2393 DFSF.DFS.DFSanSetLabelFn, 2394 {ValShadow, ValOrigin, 2395 IRB.CreateBitCast(I.getDest(), Type::getInt8PtrTy(*DFSF.DFS.Ctx)), 2396 IRB.CreateZExtOrTrunc(I.getLength(), DFSF.DFS.IntptrTy)}); 2397 } 2398 2399 void DFSanVisitor::visitMemTransferInst(MemTransferInst &I) { 2400 IRBuilder<> IRB(&I); 2401 Value *RawDestShadow = DFSF.DFS.getShadowAddress(I.getDest(), &I); 2402 Value *SrcShadow = DFSF.DFS.getShadowAddress(I.getSource(), &I); 2403 Value *LenShadow = 2404 IRB.CreateMul(I.getLength(), ConstantInt::get(I.getLength()->getType(), 2405 DFSF.DFS.ShadowWidthBytes)); 2406 Type *Int8Ptr = Type::getInt8PtrTy(*DFSF.DFS.Ctx); 2407 Value *DestShadow = IRB.CreateBitCast(RawDestShadow, Int8Ptr); 2408 SrcShadow = IRB.CreateBitCast(SrcShadow, Int8Ptr); 2409 auto *MTI = cast<MemTransferInst>( 2410 IRB.CreateCall(I.getFunctionType(), I.getCalledOperand(), 2411 {DestShadow, SrcShadow, LenShadow, I.getVolatileCst()})); 2412 if (ClPreserveAlignment) { 2413 MTI->setDestAlignment(I.getDestAlign() * DFSF.DFS.ShadowWidthBytes); 2414 MTI->setSourceAlignment(I.getSourceAlign() * DFSF.DFS.ShadowWidthBytes); 2415 } else { 2416 MTI->setDestAlignment(Align(DFSF.DFS.ShadowWidthBytes)); 2417 MTI->setSourceAlignment(Align(DFSF.DFS.ShadowWidthBytes)); 2418 } 2419 if (ClEventCallbacks) { 2420 IRB.CreateCall(DFSF.DFS.DFSanMemTransferCallbackFn, 2421 {RawDestShadow, I.getLength()}); 2422 } 2423 } 2424 2425 void DFSanVisitor::visitReturnInst(ReturnInst &RI) { 2426 if (!DFSF.IsNativeABI && RI.getReturnValue()) { 2427 switch (DFSF.IA) { 2428 case DataFlowSanitizer::IA_TLS: { 2429 Value *S = DFSF.getShadow(RI.getReturnValue()); 2430 IRBuilder<> IRB(&RI); 2431 Type *RT = DFSF.F->getFunctionType()->getReturnType(); 2432 unsigned Size = 2433 getDataLayout().getTypeAllocSize(DFSF.DFS.getShadowTy(RT)); 2434 if (Size <= kRetvalTLSSize) { 2435 // If the size overflows, stores nothing. At callsite, oversized return 2436 // shadows are set to zero. 2437 IRB.CreateAlignedStore(S, DFSF.getRetvalTLS(RT, IRB), 2438 kShadowTLSAlignment); 2439 } 2440 if (DFSF.DFS.shouldTrackOrigins()) { 2441 Value *O = DFSF.getOrigin(RI.getReturnValue()); 2442 IRB.CreateStore(O, DFSF.getRetvalOriginTLS()); 2443 } 2444 break; 2445 } 2446 case DataFlowSanitizer::IA_Args: { 2447 IRBuilder<> IRB(&RI); 2448 Type *RT = DFSF.F->getFunctionType()->getReturnType(); 2449 Value *InsVal = 2450 IRB.CreateInsertValue(UndefValue::get(RT), RI.getReturnValue(), 0); 2451 Value *InsShadow = 2452 IRB.CreateInsertValue(InsVal, DFSF.getShadow(RI.getReturnValue()), 1); 2453 RI.setOperand(0, InsShadow); 2454 break; 2455 } 2456 } 2457 } 2458 } 2459 2460 void DFSanVisitor::addShadowArguments(Function &F, CallBase &CB, 2461 std::vector<Value *> &Args, 2462 IRBuilder<> &IRB) { 2463 FunctionType *FT = F.getFunctionType(); 2464 2465 auto *I = CB.arg_begin(); 2466 2467 // Adds non-variable argument shadows. 2468 for (unsigned N = FT->getNumParams(); N != 0; ++I, --N) 2469 Args.push_back(DFSF.collapseToPrimitiveShadow(DFSF.getShadow(*I), &CB)); 2470 2471 // Adds variable argument shadows. 2472 if (FT->isVarArg()) { 2473 auto *LabelVATy = ArrayType::get(DFSF.DFS.PrimitiveShadowTy, 2474 CB.arg_size() - FT->getNumParams()); 2475 auto *LabelVAAlloca = 2476 new AllocaInst(LabelVATy, getDataLayout().getAllocaAddrSpace(), 2477 "labelva", &DFSF.F->getEntryBlock().front()); 2478 2479 for (unsigned N = 0; I != CB.arg_end(); ++I, ++N) { 2480 auto *LabelVAPtr = IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, N); 2481 IRB.CreateStore(DFSF.collapseToPrimitiveShadow(DFSF.getShadow(*I), &CB), 2482 LabelVAPtr); 2483 } 2484 2485 Args.push_back(IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, 0)); 2486 } 2487 2488 // Adds the return value shadow. 2489 if (!FT->getReturnType()->isVoidTy()) { 2490 if (!DFSF.LabelReturnAlloca) { 2491 DFSF.LabelReturnAlloca = new AllocaInst( 2492 DFSF.DFS.PrimitiveShadowTy, getDataLayout().getAllocaAddrSpace(), 2493 "labelreturn", &DFSF.F->getEntryBlock().front()); 2494 } 2495 Args.push_back(DFSF.LabelReturnAlloca); 2496 } 2497 } 2498 2499 void DFSanVisitor::addOriginArguments(Function &F, CallBase &CB, 2500 std::vector<Value *> &Args, 2501 IRBuilder<> &IRB) { 2502 FunctionType *FT = F.getFunctionType(); 2503 2504 auto *I = CB.arg_begin(); 2505 2506 // Add non-variable argument origins. 2507 for (unsigned N = FT->getNumParams(); N != 0; ++I, --N) 2508 Args.push_back(DFSF.getOrigin(*I)); 2509 2510 // Add variable argument origins. 2511 if (FT->isVarArg()) { 2512 auto *OriginVATy = 2513 ArrayType::get(DFSF.DFS.OriginTy, CB.arg_size() - FT->getNumParams()); 2514 auto *OriginVAAlloca = 2515 new AllocaInst(OriginVATy, getDataLayout().getAllocaAddrSpace(), 2516 "originva", &DFSF.F->getEntryBlock().front()); 2517 2518 for (unsigned N = 0; I != CB.arg_end(); ++I, ++N) { 2519 auto *OriginVAPtr = IRB.CreateStructGEP(OriginVATy, OriginVAAlloca, N); 2520 IRB.CreateStore(DFSF.getOrigin(*I), OriginVAPtr); 2521 } 2522 2523 Args.push_back(IRB.CreateStructGEP(OriginVATy, OriginVAAlloca, 0)); 2524 } 2525 2526 // Add the return value origin. 2527 if (!FT->getReturnType()->isVoidTy()) { 2528 if (!DFSF.OriginReturnAlloca) { 2529 DFSF.OriginReturnAlloca = new AllocaInst( 2530 DFSF.DFS.OriginTy, getDataLayout().getAllocaAddrSpace(), 2531 "originreturn", &DFSF.F->getEntryBlock().front()); 2532 } 2533 Args.push_back(DFSF.OriginReturnAlloca); 2534 } 2535 } 2536 2537 bool DFSanVisitor::visitWrappedCallBase(Function &F, CallBase &CB) { 2538 IRBuilder<> IRB(&CB); 2539 switch (DFSF.DFS.getWrapperKind(&F)) { 2540 case DataFlowSanitizer::WK_Warning: 2541 CB.setCalledFunction(&F); 2542 IRB.CreateCall(DFSF.DFS.DFSanUnimplementedFn, 2543 IRB.CreateGlobalStringPtr(F.getName())); 2544 DFSF.setShadow(&CB, DFSF.DFS.getZeroShadow(&CB)); 2545 DFSF.setOrigin(&CB, DFSF.DFS.ZeroOrigin); 2546 return true; 2547 case DataFlowSanitizer::WK_Discard: 2548 CB.setCalledFunction(&F); 2549 DFSF.setShadow(&CB, DFSF.DFS.getZeroShadow(&CB)); 2550 DFSF.setOrigin(&CB, DFSF.DFS.ZeroOrigin); 2551 return true; 2552 case DataFlowSanitizer::WK_Functional: 2553 CB.setCalledFunction(&F); 2554 visitInstOperands(CB); 2555 return true; 2556 case DataFlowSanitizer::WK_Custom: 2557 // Don't try to handle invokes of custom functions, it's too complicated. 2558 // Instead, invoke the dfsw$ wrapper, which will in turn call the __dfsw_ 2559 // wrapper. 2560 CallInst *CI = dyn_cast<CallInst>(&CB); 2561 if (!CI) 2562 return false; 2563 2564 const bool ShouldTrackOrigins = DFSF.DFS.shouldTrackOrigins(); 2565 FunctionType *FT = F.getFunctionType(); 2566 TransformedFunction CustomFn = DFSF.DFS.getCustomFunctionType(FT); 2567 std::string CustomFName = ShouldTrackOrigins ? "__dfso_" : "__dfsw_"; 2568 CustomFName += F.getName(); 2569 FunctionCallee CustomF = DFSF.DFS.Mod->getOrInsertFunction( 2570 CustomFName, CustomFn.TransformedType); 2571 if (Function *CustomFn = dyn_cast<Function>(CustomF.getCallee())) { 2572 CustomFn->copyAttributesFrom(&F); 2573 2574 // Custom functions returning non-void will write to the return label. 2575 if (!FT->getReturnType()->isVoidTy()) { 2576 CustomFn->removeAttributes(AttributeList::FunctionIndex, 2577 DFSF.DFS.ReadOnlyNoneAttrs); 2578 } 2579 } 2580 2581 std::vector<Value *> Args; 2582 2583 // Adds non-variable arguments. 2584 auto *I = CB.arg_begin(); 2585 for (unsigned n = FT->getNumParams(); n != 0; ++I, --n) { 2586 Type *T = (*I)->getType(); 2587 FunctionType *ParamFT; 2588 if (isa<PointerType>(T) && 2589 (ParamFT = dyn_cast<FunctionType>( 2590 cast<PointerType>(T)->getElementType()))) { 2591 std::string TName = "dfst"; 2592 TName += utostr(FT->getNumParams() - n); 2593 TName += "$"; 2594 TName += F.getName(); 2595 Constant *T = DFSF.DFS.getOrBuildTrampolineFunction(ParamFT, TName); 2596 Args.push_back(T); 2597 Args.push_back( 2598 IRB.CreateBitCast(*I, Type::getInt8PtrTy(*DFSF.DFS.Ctx))); 2599 } else { 2600 Args.push_back(*I); 2601 } 2602 } 2603 2604 // Adds shadow arguments. 2605 const unsigned ShadowArgStart = Args.size(); 2606 addShadowArguments(F, CB, Args, IRB); 2607 2608 // Adds origin arguments. 2609 const unsigned OriginArgStart = Args.size(); 2610 if (ShouldTrackOrigins) 2611 addOriginArguments(F, CB, Args, IRB); 2612 2613 // Adds variable arguments. 2614 append_range(Args, drop_begin(CB.args(), FT->getNumParams())); 2615 2616 CallInst *CustomCI = IRB.CreateCall(CustomF, Args); 2617 CustomCI->setCallingConv(CI->getCallingConv()); 2618 CustomCI->setAttributes(TransformFunctionAttributes( 2619 CustomFn, CI->getContext(), CI->getAttributes())); 2620 2621 // Update the parameter attributes of the custom call instruction to 2622 // zero extend the shadow parameters. This is required for targets 2623 // which consider PrimitiveShadowTy an illegal type. 2624 for (unsigned N = 0; N < FT->getNumParams(); N++) { 2625 const unsigned ArgNo = ShadowArgStart + N; 2626 if (CustomCI->getArgOperand(ArgNo)->getType() == 2627 DFSF.DFS.PrimitiveShadowTy) 2628 CustomCI->addParamAttr(ArgNo, Attribute::ZExt); 2629 if (ShouldTrackOrigins) { 2630 const unsigned OriginArgNo = OriginArgStart + N; 2631 if (CustomCI->getArgOperand(OriginArgNo)->getType() == 2632 DFSF.DFS.OriginTy) 2633 CustomCI->addParamAttr(OriginArgNo, Attribute::ZExt); 2634 } 2635 } 2636 2637 // Loads the return value shadow and origin. 2638 if (!FT->getReturnType()->isVoidTy()) { 2639 LoadInst *LabelLoad = 2640 IRB.CreateLoad(DFSF.DFS.PrimitiveShadowTy, DFSF.LabelReturnAlloca); 2641 DFSF.setShadow(CustomCI, DFSF.expandFromPrimitiveShadow( 2642 FT->getReturnType(), LabelLoad, &CB)); 2643 if (ShouldTrackOrigins) { 2644 LoadInst *OriginLoad = 2645 IRB.CreateLoad(DFSF.DFS.OriginTy, DFSF.OriginReturnAlloca); 2646 DFSF.setOrigin(CustomCI, OriginLoad); 2647 } 2648 } 2649 2650 CI->replaceAllUsesWith(CustomCI); 2651 CI->eraseFromParent(); 2652 return true; 2653 } 2654 return false; 2655 } 2656 2657 void DFSanVisitor::visitCallBase(CallBase &CB) { 2658 Function *F = CB.getCalledFunction(); 2659 if ((F && F->isIntrinsic()) || CB.isInlineAsm()) { 2660 visitInstOperands(CB); 2661 return; 2662 } 2663 2664 // Calls to this function are synthesized in wrappers, and we shouldn't 2665 // instrument them. 2666 if (F == DFSF.DFS.DFSanVarargWrapperFn.getCallee()->stripPointerCasts()) 2667 return; 2668 2669 DenseMap<Value *, Function *>::iterator i = 2670 DFSF.DFS.UnwrappedFnMap.find(CB.getCalledOperand()); 2671 if (i != DFSF.DFS.UnwrappedFnMap.end()) 2672 if (visitWrappedCallBase(*i->second, CB)) 2673 return; 2674 2675 IRBuilder<> IRB(&CB); 2676 2677 const bool ShouldTrackOrigins = DFSF.DFS.shouldTrackOrigins(); 2678 FunctionType *FT = CB.getFunctionType(); 2679 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) { 2680 // Stores argument shadows. 2681 unsigned ArgOffset = 0; 2682 const DataLayout &DL = getDataLayout(); 2683 for (unsigned I = 0, N = FT->getNumParams(); I != N; ++I) { 2684 if (ShouldTrackOrigins) { 2685 // Ignore overflowed origins 2686 Value *ArgShadow = DFSF.getShadow(CB.getArgOperand(I)); 2687 if (I < DFSF.DFS.kNumOfElementsInArgOrgTLS && 2688 !DFSF.DFS.isZeroShadow(ArgShadow)) 2689 IRB.CreateStore(DFSF.getOrigin(CB.getArgOperand(I)), 2690 DFSF.getArgOriginTLS(I, IRB)); 2691 } 2692 2693 unsigned Size = 2694 DL.getTypeAllocSize(DFSF.DFS.getShadowTy(FT->getParamType(I))); 2695 // Stop storing if arguments' size overflows. Inside a function, arguments 2696 // after overflow have zero shadow values. 2697 if (ArgOffset + Size > kArgTLSSize) 2698 break; 2699 IRB.CreateAlignedStore( 2700 DFSF.getShadow(CB.getArgOperand(I)), 2701 DFSF.getArgTLS(FT->getParamType(I), ArgOffset, IRB), 2702 kShadowTLSAlignment); 2703 ArgOffset += alignTo(Size, kShadowTLSAlignment); 2704 } 2705 } 2706 2707 Instruction *Next = nullptr; 2708 if (!CB.getType()->isVoidTy()) { 2709 if (InvokeInst *II = dyn_cast<InvokeInst>(&CB)) { 2710 if (II->getNormalDest()->getSinglePredecessor()) { 2711 Next = &II->getNormalDest()->front(); 2712 } else { 2713 BasicBlock *NewBB = 2714 SplitEdge(II->getParent(), II->getNormalDest(), &DFSF.DT); 2715 Next = &NewBB->front(); 2716 } 2717 } else { 2718 assert(CB.getIterator() != CB.getParent()->end()); 2719 Next = CB.getNextNode(); 2720 } 2721 2722 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) { 2723 // Loads the return value shadow. 2724 IRBuilder<> NextIRB(Next); 2725 const DataLayout &DL = getDataLayout(); 2726 unsigned Size = DL.getTypeAllocSize(DFSF.DFS.getShadowTy(&CB)); 2727 if (Size > kRetvalTLSSize) { 2728 // Set overflowed return shadow to be zero. 2729 DFSF.setShadow(&CB, DFSF.DFS.getZeroShadow(&CB)); 2730 } else { 2731 LoadInst *LI = NextIRB.CreateAlignedLoad( 2732 DFSF.DFS.getShadowTy(&CB), DFSF.getRetvalTLS(CB.getType(), NextIRB), 2733 kShadowTLSAlignment, "_dfsret"); 2734 DFSF.SkipInsts.insert(LI); 2735 DFSF.setShadow(&CB, LI); 2736 DFSF.NonZeroChecks.push_back(LI); 2737 } 2738 2739 if (ShouldTrackOrigins) { 2740 LoadInst *LI = NextIRB.CreateLoad( 2741 DFSF.DFS.OriginTy, DFSF.getRetvalOriginTLS(), "_dfsret_o"); 2742 DFSF.SkipInsts.insert(LI); 2743 DFSF.setOrigin(&CB, LI); 2744 } 2745 } 2746 } 2747 2748 // Do all instrumentation for IA_Args down here to defer tampering with the 2749 // CFG in a way that SplitEdge may be able to detect. 2750 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_Args) { 2751 FunctionType *NewFT = DFSF.DFS.getArgsFunctionType(FT); 2752 Value *Func = 2753 IRB.CreateBitCast(CB.getCalledOperand(), PointerType::getUnqual(NewFT)); 2754 std::vector<Value *> Args; 2755 2756 auto i = CB.arg_begin(), E = CB.arg_end(); 2757 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 2758 Args.push_back(*i); 2759 2760 i = CB.arg_begin(); 2761 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 2762 Args.push_back(DFSF.getShadow(*i)); 2763 2764 if (FT->isVarArg()) { 2765 unsigned VarArgSize = CB.arg_size() - FT->getNumParams(); 2766 ArrayType *VarArgArrayTy = 2767 ArrayType::get(DFSF.DFS.PrimitiveShadowTy, VarArgSize); 2768 AllocaInst *VarArgShadow = 2769 new AllocaInst(VarArgArrayTy, getDataLayout().getAllocaAddrSpace(), 2770 "", &DFSF.F->getEntryBlock().front()); 2771 Args.push_back(IRB.CreateConstGEP2_32(VarArgArrayTy, VarArgShadow, 0, 0)); 2772 for (unsigned n = 0; i != E; ++i, ++n) { 2773 IRB.CreateStore( 2774 DFSF.getShadow(*i), 2775 IRB.CreateConstGEP2_32(VarArgArrayTy, VarArgShadow, 0, n)); 2776 Args.push_back(*i); 2777 } 2778 } 2779 2780 CallBase *NewCB; 2781 if (InvokeInst *II = dyn_cast<InvokeInst>(&CB)) { 2782 NewCB = IRB.CreateInvoke(NewFT, Func, II->getNormalDest(), 2783 II->getUnwindDest(), Args); 2784 } else { 2785 NewCB = IRB.CreateCall(NewFT, Func, Args); 2786 } 2787 NewCB->setCallingConv(CB.getCallingConv()); 2788 NewCB->setAttributes(CB.getAttributes().removeAttributes( 2789 *DFSF.DFS.Ctx, AttributeList::ReturnIndex, 2790 AttributeFuncs::typeIncompatible(NewCB->getType()))); 2791 2792 if (Next) { 2793 ExtractValueInst *ExVal = ExtractValueInst::Create(NewCB, 0, "", Next); 2794 DFSF.SkipInsts.insert(ExVal); 2795 ExtractValueInst *ExShadow = ExtractValueInst::Create(NewCB, 1, "", Next); 2796 DFSF.SkipInsts.insert(ExShadow); 2797 DFSF.setShadow(ExVal, ExShadow); 2798 DFSF.NonZeroChecks.push_back(ExShadow); 2799 2800 CB.replaceAllUsesWith(ExVal); 2801 } 2802 2803 CB.eraseFromParent(); 2804 } 2805 } 2806 2807 void DFSanVisitor::visitPHINode(PHINode &PN) { 2808 Type *ShadowTy = DFSF.DFS.getShadowTy(&PN); 2809 PHINode *ShadowPN = 2810 PHINode::Create(ShadowTy, PN.getNumIncomingValues(), "", &PN); 2811 2812 // Give the shadow phi node valid predecessors to fool SplitEdge into working. 2813 Value *UndefShadow = UndefValue::get(ShadowTy); 2814 for (PHINode::block_iterator i = PN.block_begin(), e = PN.block_end(); i != e; 2815 ++i) { 2816 ShadowPN->addIncoming(UndefShadow, *i); 2817 } 2818 2819 DFSF.PHIFixups.push_back(std::make_pair(&PN, ShadowPN)); 2820 DFSF.setShadow(&PN, ShadowPN); 2821 } 2822 2823 namespace { 2824 class DataFlowSanitizerLegacyPass : public ModulePass { 2825 private: 2826 std::vector<std::string> ABIListFiles; 2827 2828 public: 2829 static char ID; 2830 2831 DataFlowSanitizerLegacyPass( 2832 const std::vector<std::string> &ABIListFiles = std::vector<std::string>()) 2833 : ModulePass(ID), ABIListFiles(ABIListFiles) {} 2834 2835 bool runOnModule(Module &M) override { 2836 return DataFlowSanitizer(ABIListFiles).runImpl(M); 2837 } 2838 }; 2839 } // namespace 2840 2841 char DataFlowSanitizerLegacyPass::ID; 2842 2843 INITIALIZE_PASS(DataFlowSanitizerLegacyPass, "dfsan", 2844 "DataFlowSanitizer: dynamic data flow analysis.", false, false) 2845 2846 ModulePass *llvm::createDataFlowSanitizerLegacyPassPass( 2847 const std::vector<std::string> &ABIListFiles) { 2848 return new DataFlowSanitizerLegacyPass(ABIListFiles); 2849 } 2850 2851 PreservedAnalyses DataFlowSanitizerPass::run(Module &M, 2852 ModuleAnalysisManager &AM) { 2853 if (DataFlowSanitizer(ABIListFiles).runImpl(M)) { 2854 return PreservedAnalyses::none(); 2855 } 2856 return PreservedAnalyses::all(); 2857 } 2858