1 //===- HWAddressSanitizer.cpp - detector of uninitialized reads -------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 /// \file 10 /// This file is a part of HWAddressSanitizer, an address sanity checker 11 /// based on tagged addressing. 12 //===----------------------------------------------------------------------===// 13 14 #include "llvm/Transforms/Instrumentation/HWAddressSanitizer.h" 15 #include "llvm/ADT/MapVector.h" 16 #include "llvm/ADT/SmallVector.h" 17 #include "llvm/ADT/StringExtras.h" 18 #include "llvm/ADT/StringRef.h" 19 #include "llvm/ADT/Triple.h" 20 #include "llvm/BinaryFormat/ELF.h" 21 #include "llvm/IR/Attributes.h" 22 #include "llvm/IR/BasicBlock.h" 23 #include "llvm/IR/Constant.h" 24 #include "llvm/IR/Constants.h" 25 #include "llvm/IR/DataLayout.h" 26 #include "llvm/IR/DebugInfoMetadata.h" 27 #include "llvm/IR/DerivedTypes.h" 28 #include "llvm/IR/Function.h" 29 #include "llvm/IR/IRBuilder.h" 30 #include "llvm/IR/InlineAsm.h" 31 #include "llvm/IR/InstVisitor.h" 32 #include "llvm/IR/Instruction.h" 33 #include "llvm/IR/Instructions.h" 34 #include "llvm/IR/IntrinsicInst.h" 35 #include "llvm/IR/Intrinsics.h" 36 #include "llvm/IR/LLVMContext.h" 37 #include "llvm/IR/MDBuilder.h" 38 #include "llvm/IR/Module.h" 39 #include "llvm/IR/Type.h" 40 #include "llvm/IR/Value.h" 41 #include "llvm/InitializePasses.h" 42 #include "llvm/Pass.h" 43 #include "llvm/Support/Casting.h" 44 #include "llvm/Support/CommandLine.h" 45 #include "llvm/Support/Debug.h" 46 #include "llvm/Support/raw_ostream.h" 47 #include "llvm/Transforms/Instrumentation.h" 48 #include "llvm/Transforms/Instrumentation/AddressSanitizerCommon.h" 49 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 50 #include "llvm/Transforms/Utils/ModuleUtils.h" 51 #include "llvm/Transforms/Utils/PromoteMemToReg.h" 52 #include <sstream> 53 54 using namespace llvm; 55 56 #define DEBUG_TYPE "hwasan" 57 58 static const char *const kHwasanModuleCtorName = "hwasan.module_ctor"; 59 static const char *const kHwasanNoteName = "hwasan.note"; 60 static const char *const kHwasanInitName = "__hwasan_init"; 61 static const char *const kHwasanPersonalityThunkName = 62 "__hwasan_personality_thunk"; 63 64 static const char *const kHwasanShadowMemoryDynamicAddress = 65 "__hwasan_shadow_memory_dynamic_address"; 66 67 // Accesses sizes are powers of two: 1, 2, 4, 8, 16. 68 static const size_t kNumberOfAccessSizes = 5; 69 70 static const size_t kDefaultShadowScale = 4; 71 static const uint64_t kDynamicShadowSentinel = 72 std::numeric_limits<uint64_t>::max(); 73 static const unsigned kPointerTagShift = 56; 74 75 static const unsigned kShadowBaseAlignment = 32; 76 77 static cl::opt<std::string> ClMemoryAccessCallbackPrefix( 78 "hwasan-memory-access-callback-prefix", 79 cl::desc("Prefix for memory access callbacks"), cl::Hidden, 80 cl::init("__hwasan_")); 81 82 static cl::opt<bool> 83 ClInstrumentWithCalls("hwasan-instrument-with-calls", 84 cl::desc("instrument reads and writes with callbacks"), 85 cl::Hidden, cl::init(false)); 86 87 static cl::opt<bool> ClInstrumentReads("hwasan-instrument-reads", 88 cl::desc("instrument read instructions"), 89 cl::Hidden, cl::init(true)); 90 91 static cl::opt<bool> ClInstrumentWrites( 92 "hwasan-instrument-writes", cl::desc("instrument write instructions"), 93 cl::Hidden, cl::init(true)); 94 95 static cl::opt<bool> ClInstrumentAtomics( 96 "hwasan-instrument-atomics", 97 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden, 98 cl::init(true)); 99 100 static cl::opt<bool> ClInstrumentByval("hwasan-instrument-byval", 101 cl::desc("instrument byval arguments"), 102 cl::Hidden, cl::init(true)); 103 104 static cl::opt<bool> ClRecover( 105 "hwasan-recover", 106 cl::desc("Enable recovery mode (continue-after-error)."), 107 cl::Hidden, cl::init(false)); 108 109 static cl::opt<bool> ClInstrumentStack("hwasan-instrument-stack", 110 cl::desc("instrument stack (allocas)"), 111 cl::Hidden, cl::init(true)); 112 113 static cl::opt<bool> ClUARRetagToZero( 114 "hwasan-uar-retag-to-zero", 115 cl::desc("Clear alloca tags before returning from the function to allow " 116 "non-instrumented and instrumented function calls mix. When set " 117 "to false, allocas are retagged before returning from the " 118 "function to detect use after return."), 119 cl::Hidden, cl::init(true)); 120 121 static cl::opt<bool> ClGenerateTagsWithCalls( 122 "hwasan-generate-tags-with-calls", 123 cl::desc("generate new tags with runtime library calls"), cl::Hidden, 124 cl::init(false)); 125 126 static cl::opt<bool> ClGlobals("hwasan-globals", cl::desc("Instrument globals"), 127 cl::Hidden, cl::init(false), cl::ZeroOrMore); 128 129 static cl::opt<int> ClMatchAllTag( 130 "hwasan-match-all-tag", 131 cl::desc("don't report bad accesses via pointers with this tag"), 132 cl::Hidden, cl::init(-1)); 133 134 static cl::opt<bool> ClEnableKhwasan( 135 "hwasan-kernel", 136 cl::desc("Enable KernelHWAddressSanitizer instrumentation"), 137 cl::Hidden, cl::init(false)); 138 139 // These flags allow to change the shadow mapping and control how shadow memory 140 // is accessed. The shadow mapping looks like: 141 // Shadow = (Mem >> scale) + offset 142 143 static cl::opt<uint64_t> 144 ClMappingOffset("hwasan-mapping-offset", 145 cl::desc("HWASan shadow mapping offset [EXPERIMENTAL]"), 146 cl::Hidden, cl::init(0)); 147 148 static cl::opt<bool> 149 ClWithIfunc("hwasan-with-ifunc", 150 cl::desc("Access dynamic shadow through an ifunc global on " 151 "platforms that support this"), 152 cl::Hidden, cl::init(false)); 153 154 static cl::opt<bool> ClWithTls( 155 "hwasan-with-tls", 156 cl::desc("Access dynamic shadow through an thread-local pointer on " 157 "platforms that support this"), 158 cl::Hidden, cl::init(true)); 159 160 static cl::opt<bool> 161 ClRecordStackHistory("hwasan-record-stack-history", 162 cl::desc("Record stack frames with tagged allocations " 163 "in a thread-local ring buffer"), 164 cl::Hidden, cl::init(true)); 165 static cl::opt<bool> 166 ClInstrumentMemIntrinsics("hwasan-instrument-mem-intrinsics", 167 cl::desc("instrument memory intrinsics"), 168 cl::Hidden, cl::init(true)); 169 170 static cl::opt<bool> 171 ClInstrumentLandingPads("hwasan-instrument-landing-pads", 172 cl::desc("instrument landing pads"), cl::Hidden, 173 cl::init(false), cl::ZeroOrMore); 174 175 static cl::opt<bool> ClUseShortGranules( 176 "hwasan-use-short-granules", 177 cl::desc("use short granules in allocas and outlined checks"), cl::Hidden, 178 cl::init(false), cl::ZeroOrMore); 179 180 static cl::opt<bool> ClInstrumentPersonalityFunctions( 181 "hwasan-instrument-personality-functions", 182 cl::desc("instrument personality functions"), cl::Hidden, cl::init(false), 183 cl::ZeroOrMore); 184 185 static cl::opt<bool> ClInlineAllChecks("hwasan-inline-all-checks", 186 cl::desc("inline all checks"), 187 cl::Hidden, cl::init(false)); 188 189 namespace { 190 191 /// An instrumentation pass implementing detection of addressability bugs 192 /// using tagged pointers. 193 class HWAddressSanitizer { 194 public: 195 explicit HWAddressSanitizer(Module &M, bool CompileKernel = false, 196 bool Recover = false) : M(M) { 197 this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover; 198 this->CompileKernel = ClEnableKhwasan.getNumOccurrences() > 0 ? 199 ClEnableKhwasan : CompileKernel; 200 201 initializeModule(); 202 } 203 204 bool sanitizeFunction(Function &F); 205 void initializeModule(); 206 void createHwasanCtorComdat(); 207 208 void initializeCallbacks(Module &M); 209 210 Value *getOpaqueNoopCast(IRBuilder<> &IRB, Value *Val); 211 212 Value *getDynamicShadowIfunc(IRBuilder<> &IRB); 213 Value *getShadowNonTls(IRBuilder<> &IRB); 214 215 void untagPointerOperand(Instruction *I, Value *Addr); 216 Value *shadowBase(); 217 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 218 void instrumentMemAccessInline(Value *Ptr, bool IsWrite, 219 unsigned AccessSizeIndex, 220 Instruction *InsertBefore); 221 void instrumentMemIntrinsic(MemIntrinsic *MI); 222 bool instrumentMemAccess(InterestingMemoryOperand &O); 223 bool ignoreAccess(Value *Ptr); 224 void getInterestingMemoryOperands( 225 Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting); 226 227 bool isInterestingAlloca(const AllocaInst &AI); 228 bool tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, size_t Size); 229 Value *tagPointer(IRBuilder<> &IRB, Type *Ty, Value *PtrLong, Value *Tag); 230 Value *untagPointer(IRBuilder<> &IRB, Value *PtrLong); 231 bool instrumentStack( 232 SmallVectorImpl<AllocaInst *> &Allocas, 233 DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> &AllocaDbgMap, 234 SmallVectorImpl<Instruction *> &RetVec, Value *StackTag); 235 Value *readRegister(IRBuilder<> &IRB, StringRef Name); 236 bool instrumentLandingPads(SmallVectorImpl<Instruction *> &RetVec); 237 Value *getNextTagWithCall(IRBuilder<> &IRB); 238 Value *getStackBaseTag(IRBuilder<> &IRB); 239 Value *getAllocaTag(IRBuilder<> &IRB, Value *StackTag, AllocaInst *AI, 240 unsigned AllocaNo); 241 Value *getUARTag(IRBuilder<> &IRB, Value *StackTag); 242 243 Value *getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty); 244 void emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord); 245 246 void instrumentGlobal(GlobalVariable *GV, uint8_t Tag); 247 void instrumentGlobals(); 248 249 void instrumentPersonalityFunctions(); 250 251 private: 252 LLVMContext *C; 253 Module &M; 254 Triple TargetTriple; 255 FunctionCallee HWAsanMemmove, HWAsanMemcpy, HWAsanMemset; 256 FunctionCallee HWAsanHandleVfork; 257 258 /// This struct defines the shadow mapping using the rule: 259 /// shadow = (mem >> Scale) + Offset. 260 /// If InGlobal is true, then 261 /// extern char __hwasan_shadow[]; 262 /// shadow = (mem >> Scale) + &__hwasan_shadow 263 /// If InTls is true, then 264 /// extern char *__hwasan_tls; 265 /// shadow = (mem>>Scale) + align_up(__hwasan_shadow, kShadowBaseAlignment) 266 struct ShadowMapping { 267 int Scale; 268 uint64_t Offset; 269 bool InGlobal; 270 bool InTls; 271 272 void init(Triple &TargetTriple); 273 unsigned getObjectAlignment() const { return 1U << Scale; } 274 }; 275 ShadowMapping Mapping; 276 277 Type *VoidTy = Type::getVoidTy(M.getContext()); 278 Type *IntptrTy; 279 Type *Int8PtrTy; 280 Type *Int8Ty; 281 Type *Int32Ty; 282 Type *Int64Ty = Type::getInt64Ty(M.getContext()); 283 284 bool CompileKernel; 285 bool Recover; 286 bool UseShortGranules; 287 bool InstrumentLandingPads; 288 289 Function *HwasanCtorFunction; 290 291 FunctionCallee HwasanMemoryAccessCallback[2][kNumberOfAccessSizes]; 292 FunctionCallee HwasanMemoryAccessCallbackSized[2]; 293 294 FunctionCallee HwasanTagMemoryFunc; 295 FunctionCallee HwasanGenerateTagFunc; 296 297 Constant *ShadowGlobal; 298 299 Value *ShadowBase = nullptr; 300 Value *StackBaseTag = nullptr; 301 GlobalValue *ThreadPtrGlobal = nullptr; 302 }; 303 304 class HWAddressSanitizerLegacyPass : public FunctionPass { 305 public: 306 // Pass identification, replacement for typeid. 307 static char ID; 308 309 explicit HWAddressSanitizerLegacyPass(bool CompileKernel = false, 310 bool Recover = false) 311 : FunctionPass(ID), CompileKernel(CompileKernel), Recover(Recover) { 312 initializeHWAddressSanitizerLegacyPassPass( 313 *PassRegistry::getPassRegistry()); 314 } 315 316 StringRef getPassName() const override { return "HWAddressSanitizer"; } 317 318 bool doInitialization(Module &M) override { 319 HWASan = std::make_unique<HWAddressSanitizer>(M, CompileKernel, Recover); 320 return true; 321 } 322 323 bool runOnFunction(Function &F) override { 324 return HWASan->sanitizeFunction(F); 325 } 326 327 bool doFinalization(Module &M) override { 328 HWASan.reset(); 329 return false; 330 } 331 332 private: 333 std::unique_ptr<HWAddressSanitizer> HWASan; 334 bool CompileKernel; 335 bool Recover; 336 }; 337 338 } // end anonymous namespace 339 340 char HWAddressSanitizerLegacyPass::ID = 0; 341 342 INITIALIZE_PASS_BEGIN( 343 HWAddressSanitizerLegacyPass, "hwasan", 344 "HWAddressSanitizer: detect memory bugs using tagged addressing.", false, 345 false) 346 INITIALIZE_PASS_END( 347 HWAddressSanitizerLegacyPass, "hwasan", 348 "HWAddressSanitizer: detect memory bugs using tagged addressing.", false, 349 false) 350 351 FunctionPass *llvm::createHWAddressSanitizerLegacyPassPass(bool CompileKernel, 352 bool Recover) { 353 assert(!CompileKernel || Recover); 354 return new HWAddressSanitizerLegacyPass(CompileKernel, Recover); 355 } 356 357 HWAddressSanitizerPass::HWAddressSanitizerPass(bool CompileKernel, bool Recover) 358 : CompileKernel(CompileKernel), Recover(Recover) {} 359 360 PreservedAnalyses HWAddressSanitizerPass::run(Module &M, 361 ModuleAnalysisManager &MAM) { 362 HWAddressSanitizer HWASan(M, CompileKernel, Recover); 363 bool Modified = false; 364 for (Function &F : M) 365 Modified |= HWASan.sanitizeFunction(F); 366 if (Modified) 367 return PreservedAnalyses::none(); 368 return PreservedAnalyses::all(); 369 } 370 371 void HWAddressSanitizer::createHwasanCtorComdat() { 372 std::tie(HwasanCtorFunction, std::ignore) = 373 getOrCreateSanitizerCtorAndInitFunctions( 374 M, kHwasanModuleCtorName, kHwasanInitName, 375 /*InitArgTypes=*/{}, 376 /*InitArgs=*/{}, 377 // This callback is invoked when the functions are created the first 378 // time. Hook them into the global ctors list in that case: 379 [&](Function *Ctor, FunctionCallee) { 380 Comdat *CtorComdat = M.getOrInsertComdat(kHwasanModuleCtorName); 381 Ctor->setComdat(CtorComdat); 382 appendToGlobalCtors(M, Ctor, 0, Ctor); 383 }); 384 385 // Create a note that contains pointers to the list of global 386 // descriptors. Adding a note to the output file will cause the linker to 387 // create a PT_NOTE program header pointing to the note that we can use to 388 // find the descriptor list starting from the program headers. A function 389 // provided by the runtime initializes the shadow memory for the globals by 390 // accessing the descriptor list via the note. The dynamic loader needs to 391 // call this function whenever a library is loaded. 392 // 393 // The reason why we use a note for this instead of a more conventional 394 // approach of having a global constructor pass a descriptor list pointer to 395 // the runtime is because of an order of initialization problem. With 396 // constructors we can encounter the following problematic scenario: 397 // 398 // 1) library A depends on library B and also interposes one of B's symbols 399 // 2) B's constructors are called before A's (as required for correctness) 400 // 3) during construction, B accesses one of its "own" globals (actually 401 // interposed by A) and triggers a HWASAN failure due to the initialization 402 // for A not having happened yet 403 // 404 // Even without interposition it is possible to run into similar situations in 405 // cases where two libraries mutually depend on each other. 406 // 407 // We only need one note per binary, so put everything for the note in a 408 // comdat. This needs to be a comdat with an .init_array section to prevent 409 // newer versions of lld from discarding the note. 410 // 411 // Create the note even if we aren't instrumenting globals. This ensures that 412 // binaries linked from object files with both instrumented and 413 // non-instrumented globals will end up with a note, even if a comdat from an 414 // object file with non-instrumented globals is selected. The note is harmless 415 // if the runtime doesn't support it, since it will just be ignored. 416 Comdat *NoteComdat = M.getOrInsertComdat(kHwasanModuleCtorName); 417 418 Type *Int8Arr0Ty = ArrayType::get(Int8Ty, 0); 419 auto Start = 420 new GlobalVariable(M, Int8Arr0Ty, true, GlobalVariable::ExternalLinkage, 421 nullptr, "__start_hwasan_globals"); 422 Start->setVisibility(GlobalValue::HiddenVisibility); 423 Start->setDSOLocal(true); 424 auto Stop = 425 new GlobalVariable(M, Int8Arr0Ty, true, GlobalVariable::ExternalLinkage, 426 nullptr, "__stop_hwasan_globals"); 427 Stop->setVisibility(GlobalValue::HiddenVisibility); 428 Stop->setDSOLocal(true); 429 430 // Null-terminated so actually 8 bytes, which are required in order to align 431 // the note properly. 432 auto *Name = ConstantDataArray::get(*C, "LLVM\0\0\0"); 433 434 auto *NoteTy = StructType::get(Int32Ty, Int32Ty, Int32Ty, Name->getType(), 435 Int32Ty, Int32Ty); 436 auto *Note = 437 new GlobalVariable(M, NoteTy, /*isConstant=*/true, 438 GlobalValue::PrivateLinkage, nullptr, kHwasanNoteName); 439 Note->setSection(".note.hwasan.globals"); 440 Note->setComdat(NoteComdat); 441 Note->setAlignment(Align(4)); 442 Note->setDSOLocal(true); 443 444 // The pointers in the note need to be relative so that the note ends up being 445 // placed in rodata, which is the standard location for notes. 446 auto CreateRelPtr = [&](Constant *Ptr) { 447 return ConstantExpr::getTrunc( 448 ConstantExpr::getSub(ConstantExpr::getPtrToInt(Ptr, Int64Ty), 449 ConstantExpr::getPtrToInt(Note, Int64Ty)), 450 Int32Ty); 451 }; 452 Note->setInitializer(ConstantStruct::getAnon( 453 {ConstantInt::get(Int32Ty, 8), // n_namesz 454 ConstantInt::get(Int32Ty, 8), // n_descsz 455 ConstantInt::get(Int32Ty, ELF::NT_LLVM_HWASAN_GLOBALS), // n_type 456 Name, CreateRelPtr(Start), CreateRelPtr(Stop)})); 457 appendToCompilerUsed(M, Note); 458 459 // Create a zero-length global in hwasan_globals so that the linker will 460 // always create start and stop symbols. 461 auto Dummy = new GlobalVariable( 462 M, Int8Arr0Ty, /*isConstantGlobal*/ true, GlobalVariable::PrivateLinkage, 463 Constant::getNullValue(Int8Arr0Ty), "hwasan.dummy.global"); 464 Dummy->setSection("hwasan_globals"); 465 Dummy->setComdat(NoteComdat); 466 Dummy->setMetadata(LLVMContext::MD_associated, 467 MDNode::get(*C, ValueAsMetadata::get(Note))); 468 appendToCompilerUsed(M, Dummy); 469 } 470 471 /// Module-level initialization. 472 /// 473 /// inserts a call to __hwasan_init to the module's constructor list. 474 void HWAddressSanitizer::initializeModule() { 475 LLVM_DEBUG(dbgs() << "Init " << M.getName() << "\n"); 476 auto &DL = M.getDataLayout(); 477 478 TargetTriple = Triple(M.getTargetTriple()); 479 480 Mapping.init(TargetTriple); 481 482 C = &(M.getContext()); 483 IRBuilder<> IRB(*C); 484 IntptrTy = IRB.getIntPtrTy(DL); 485 Int8PtrTy = IRB.getInt8PtrTy(); 486 Int8Ty = IRB.getInt8Ty(); 487 Int32Ty = IRB.getInt32Ty(); 488 489 HwasanCtorFunction = nullptr; 490 491 // Older versions of Android do not have the required runtime support for 492 // short granules, global or personality function instrumentation. On other 493 // platforms we currently require using the latest version of the runtime. 494 bool NewRuntime = 495 !TargetTriple.isAndroid() || !TargetTriple.isAndroidVersionLT(30); 496 497 UseShortGranules = 498 ClUseShortGranules.getNumOccurrences() ? ClUseShortGranules : NewRuntime; 499 500 // If we don't have personality function support, fall back to landing pads. 501 InstrumentLandingPads = ClInstrumentLandingPads.getNumOccurrences() 502 ? ClInstrumentLandingPads 503 : !NewRuntime; 504 505 if (!CompileKernel) { 506 createHwasanCtorComdat(); 507 bool InstrumentGlobals = 508 ClGlobals.getNumOccurrences() ? ClGlobals : NewRuntime; 509 if (InstrumentGlobals) 510 instrumentGlobals(); 511 512 bool InstrumentPersonalityFunctions = 513 ClInstrumentPersonalityFunctions.getNumOccurrences() 514 ? ClInstrumentPersonalityFunctions 515 : NewRuntime; 516 if (InstrumentPersonalityFunctions) 517 instrumentPersonalityFunctions(); 518 } 519 520 if (!TargetTriple.isAndroid()) { 521 Constant *C = M.getOrInsertGlobal("__hwasan_tls", IntptrTy, [&] { 522 auto *GV = new GlobalVariable(M, IntptrTy, /*isConstant=*/false, 523 GlobalValue::ExternalLinkage, nullptr, 524 "__hwasan_tls", nullptr, 525 GlobalVariable::InitialExecTLSModel); 526 appendToCompilerUsed(M, GV); 527 return GV; 528 }); 529 ThreadPtrGlobal = cast<GlobalVariable>(C); 530 } 531 } 532 533 void HWAddressSanitizer::initializeCallbacks(Module &M) { 534 IRBuilder<> IRB(*C); 535 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 536 const std::string TypeStr = AccessIsWrite ? "store" : "load"; 537 const std::string EndingStr = Recover ? "_noabort" : ""; 538 539 HwasanMemoryAccessCallbackSized[AccessIsWrite] = M.getOrInsertFunction( 540 ClMemoryAccessCallbackPrefix + TypeStr + "N" + EndingStr, 541 FunctionType::get(IRB.getVoidTy(), {IntptrTy, IntptrTy}, false)); 542 543 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 544 AccessSizeIndex++) { 545 HwasanMemoryAccessCallback[AccessIsWrite][AccessSizeIndex] = 546 M.getOrInsertFunction( 547 ClMemoryAccessCallbackPrefix + TypeStr + 548 itostr(1ULL << AccessSizeIndex) + EndingStr, 549 FunctionType::get(IRB.getVoidTy(), {IntptrTy}, false)); 550 } 551 } 552 553 HwasanTagMemoryFunc = M.getOrInsertFunction( 554 "__hwasan_tag_memory", IRB.getVoidTy(), Int8PtrTy, Int8Ty, IntptrTy); 555 HwasanGenerateTagFunc = 556 M.getOrInsertFunction("__hwasan_generate_tag", Int8Ty); 557 558 ShadowGlobal = M.getOrInsertGlobal("__hwasan_shadow", 559 ArrayType::get(IRB.getInt8Ty(), 0)); 560 561 const std::string MemIntrinCallbackPrefix = 562 CompileKernel ? std::string("") : ClMemoryAccessCallbackPrefix; 563 HWAsanMemmove = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memmove", 564 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 565 IRB.getInt8PtrTy(), IntptrTy); 566 HWAsanMemcpy = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memcpy", 567 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 568 IRB.getInt8PtrTy(), IntptrTy); 569 HWAsanMemset = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memset", 570 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 571 IRB.getInt32Ty(), IntptrTy); 572 573 HWAsanHandleVfork = 574 M.getOrInsertFunction("__hwasan_handle_vfork", IRB.getVoidTy(), IntptrTy); 575 } 576 577 Value *HWAddressSanitizer::getOpaqueNoopCast(IRBuilder<> &IRB, Value *Val) { 578 // An empty inline asm with input reg == output reg. 579 // An opaque no-op cast, basically. 580 // This prevents code bloat as a result of rematerializing trivial definitions 581 // such as constants or global addresses at every load and store. 582 InlineAsm *Asm = 583 InlineAsm::get(FunctionType::get(Int8PtrTy, {Val->getType()}, false), 584 StringRef(""), StringRef("=r,0"), 585 /*hasSideEffects=*/false); 586 return IRB.CreateCall(Asm, {Val}, ".hwasan.shadow"); 587 } 588 589 Value *HWAddressSanitizer::getDynamicShadowIfunc(IRBuilder<> &IRB) { 590 return getOpaqueNoopCast(IRB, ShadowGlobal); 591 } 592 593 Value *HWAddressSanitizer::getShadowNonTls(IRBuilder<> &IRB) { 594 if (Mapping.Offset != kDynamicShadowSentinel) 595 return getOpaqueNoopCast( 596 IRB, ConstantExpr::getIntToPtr( 597 ConstantInt::get(IntptrTy, Mapping.Offset), Int8PtrTy)); 598 599 if (Mapping.InGlobal) { 600 return getDynamicShadowIfunc(IRB); 601 } else { 602 Value *GlobalDynamicAddress = 603 IRB.GetInsertBlock()->getParent()->getParent()->getOrInsertGlobal( 604 kHwasanShadowMemoryDynamicAddress, Int8PtrTy); 605 return IRB.CreateLoad(Int8PtrTy, GlobalDynamicAddress); 606 } 607 } 608 609 bool HWAddressSanitizer::ignoreAccess(Value *Ptr) { 610 // Do not instrument acesses from different address spaces; we cannot deal 611 // with them. 612 Type *PtrTy = cast<PointerType>(Ptr->getType()->getScalarType()); 613 if (PtrTy->getPointerAddressSpace() != 0) 614 return true; 615 616 // Ignore swifterror addresses. 617 // swifterror memory addresses are mem2reg promoted by instruction 618 // selection. As such they cannot have regular uses like an instrumentation 619 // function and it makes no sense to track them as memory. 620 if (Ptr->isSwiftError()) 621 return true; 622 623 return false; 624 } 625 626 void HWAddressSanitizer::getInterestingMemoryOperands( 627 Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting) { 628 // Skip memory accesses inserted by another instrumentation. 629 if (I->hasMetadata("nosanitize")) 630 return; 631 632 // Do not instrument the load fetching the dynamic shadow address. 633 if (ShadowBase == I) 634 return; 635 636 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 637 if (!ClInstrumentReads || ignoreAccess(LI->getPointerOperand())) 638 return; 639 Interesting.emplace_back(I, LI->getPointerOperandIndex(), false, 640 LI->getType(), LI->getAlign()); 641 } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 642 if (!ClInstrumentWrites || ignoreAccess(SI->getPointerOperand())) 643 return; 644 Interesting.emplace_back(I, SI->getPointerOperandIndex(), true, 645 SI->getValueOperand()->getType(), SI->getAlign()); 646 } else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 647 if (!ClInstrumentAtomics || ignoreAccess(RMW->getPointerOperand())) 648 return; 649 Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true, 650 RMW->getValOperand()->getType(), None); 651 } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 652 if (!ClInstrumentAtomics || ignoreAccess(XCHG->getPointerOperand())) 653 return; 654 Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true, 655 XCHG->getCompareOperand()->getType(), None); 656 } else if (auto CI = dyn_cast<CallInst>(I)) { 657 for (unsigned ArgNo = 0; ArgNo < CI->getNumArgOperands(); ArgNo++) { 658 if (!ClInstrumentByval || !CI->isByValArgument(ArgNo) || 659 ignoreAccess(CI->getArgOperand(ArgNo))) 660 continue; 661 Type *Ty = CI->getParamByValType(ArgNo); 662 Interesting.emplace_back(I, ArgNo, false, Ty, Align(1)); 663 } 664 } 665 } 666 667 static unsigned getPointerOperandIndex(Instruction *I) { 668 if (LoadInst *LI = dyn_cast<LoadInst>(I)) 669 return LI->getPointerOperandIndex(); 670 if (StoreInst *SI = dyn_cast<StoreInst>(I)) 671 return SI->getPointerOperandIndex(); 672 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) 673 return RMW->getPointerOperandIndex(); 674 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) 675 return XCHG->getPointerOperandIndex(); 676 report_fatal_error("Unexpected instruction"); 677 return -1; 678 } 679 680 static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 681 size_t Res = countTrailingZeros(TypeSize / 8); 682 assert(Res < kNumberOfAccessSizes); 683 return Res; 684 } 685 686 void HWAddressSanitizer::untagPointerOperand(Instruction *I, Value *Addr) { 687 if (TargetTriple.isAArch64()) 688 return; 689 690 IRBuilder<> IRB(I); 691 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 692 Value *UntaggedPtr = 693 IRB.CreateIntToPtr(untagPointer(IRB, AddrLong), Addr->getType()); 694 I->setOperand(getPointerOperandIndex(I), UntaggedPtr); 695 } 696 697 Value *HWAddressSanitizer::memToShadow(Value *Mem, IRBuilder<> &IRB) { 698 // Mem >> Scale 699 Value *Shadow = IRB.CreateLShr(Mem, Mapping.Scale); 700 if (Mapping.Offset == 0) 701 return IRB.CreateIntToPtr(Shadow, Int8PtrTy); 702 // (Mem >> Scale) + Offset 703 return IRB.CreateGEP(Int8Ty, ShadowBase, Shadow); 704 } 705 706 void HWAddressSanitizer::instrumentMemAccessInline(Value *Ptr, bool IsWrite, 707 unsigned AccessSizeIndex, 708 Instruction *InsertBefore) { 709 const int64_t AccessInfo = Recover * 0x20 + IsWrite * 0x10 + AccessSizeIndex; 710 IRBuilder<> IRB(InsertBefore); 711 712 if (!ClInlineAllChecks && TargetTriple.isAArch64() && 713 TargetTriple.isOSBinFormatELF() && !Recover) { 714 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 715 Ptr = IRB.CreateBitCast(Ptr, Int8PtrTy); 716 IRB.CreateCall(Intrinsic::getDeclaration( 717 M, UseShortGranules 718 ? Intrinsic::hwasan_check_memaccess_shortgranules 719 : Intrinsic::hwasan_check_memaccess), 720 {ShadowBase, Ptr, ConstantInt::get(Int32Ty, AccessInfo)}); 721 return; 722 } 723 724 Value *PtrLong = IRB.CreatePointerCast(Ptr, IntptrTy); 725 Value *PtrTag = IRB.CreateTrunc(IRB.CreateLShr(PtrLong, kPointerTagShift), 726 IRB.getInt8Ty()); 727 Value *AddrLong = untagPointer(IRB, PtrLong); 728 Value *Shadow = memToShadow(AddrLong, IRB); 729 Value *MemTag = IRB.CreateLoad(Int8Ty, Shadow); 730 Value *TagMismatch = IRB.CreateICmpNE(PtrTag, MemTag); 731 732 int matchAllTag = ClMatchAllTag.getNumOccurrences() > 0 ? 733 ClMatchAllTag : (CompileKernel ? 0xFF : -1); 734 if (matchAllTag != -1) { 735 Value *TagNotIgnored = IRB.CreateICmpNE(PtrTag, 736 ConstantInt::get(PtrTag->getType(), matchAllTag)); 737 TagMismatch = IRB.CreateAnd(TagMismatch, TagNotIgnored); 738 } 739 740 Instruction *CheckTerm = 741 SplitBlockAndInsertIfThen(TagMismatch, InsertBefore, false, 742 MDBuilder(*C).createBranchWeights(1, 100000)); 743 744 IRB.SetInsertPoint(CheckTerm); 745 Value *OutOfShortGranuleTagRange = 746 IRB.CreateICmpUGT(MemTag, ConstantInt::get(Int8Ty, 15)); 747 Instruction *CheckFailTerm = 748 SplitBlockAndInsertIfThen(OutOfShortGranuleTagRange, CheckTerm, !Recover, 749 MDBuilder(*C).createBranchWeights(1, 100000)); 750 751 IRB.SetInsertPoint(CheckTerm); 752 Value *PtrLowBits = IRB.CreateTrunc(IRB.CreateAnd(PtrLong, 15), Int8Ty); 753 PtrLowBits = IRB.CreateAdd( 754 PtrLowBits, ConstantInt::get(Int8Ty, (1 << AccessSizeIndex) - 1)); 755 Value *PtrLowBitsOOB = IRB.CreateICmpUGE(PtrLowBits, MemTag); 756 SplitBlockAndInsertIfThen(PtrLowBitsOOB, CheckTerm, false, 757 MDBuilder(*C).createBranchWeights(1, 100000), 758 nullptr, nullptr, CheckFailTerm->getParent()); 759 760 IRB.SetInsertPoint(CheckTerm); 761 Value *InlineTagAddr = IRB.CreateOr(AddrLong, 15); 762 InlineTagAddr = IRB.CreateIntToPtr(InlineTagAddr, Int8PtrTy); 763 Value *InlineTag = IRB.CreateLoad(Int8Ty, InlineTagAddr); 764 Value *InlineTagMismatch = IRB.CreateICmpNE(PtrTag, InlineTag); 765 SplitBlockAndInsertIfThen(InlineTagMismatch, CheckTerm, false, 766 MDBuilder(*C).createBranchWeights(1, 100000), 767 nullptr, nullptr, CheckFailTerm->getParent()); 768 769 IRB.SetInsertPoint(CheckFailTerm); 770 InlineAsm *Asm; 771 switch (TargetTriple.getArch()) { 772 case Triple::x86_64: 773 // The signal handler will find the data address in rdi. 774 Asm = InlineAsm::get( 775 FunctionType::get(IRB.getVoidTy(), {PtrLong->getType()}, false), 776 "int3\nnopl " + itostr(0x40 + AccessInfo) + "(%rax)", 777 "{rdi}", 778 /*hasSideEffects=*/true); 779 break; 780 case Triple::aarch64: 781 case Triple::aarch64_be: 782 // The signal handler will find the data address in x0. 783 Asm = InlineAsm::get( 784 FunctionType::get(IRB.getVoidTy(), {PtrLong->getType()}, false), 785 "brk #" + itostr(0x900 + AccessInfo), 786 "{x0}", 787 /*hasSideEffects=*/true); 788 break; 789 default: 790 report_fatal_error("unsupported architecture"); 791 } 792 IRB.CreateCall(Asm, PtrLong); 793 if (Recover) 794 cast<BranchInst>(CheckFailTerm)->setSuccessor(0, CheckTerm->getParent()); 795 } 796 797 void HWAddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 798 IRBuilder<> IRB(MI); 799 if (isa<MemTransferInst>(MI)) { 800 IRB.CreateCall( 801 isa<MemMoveInst>(MI) ? HWAsanMemmove : HWAsanMemcpy, 802 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 803 IRB.CreatePointerCast(MI->getOperand(1), IRB.getInt8PtrTy()), 804 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 805 } else if (isa<MemSetInst>(MI)) { 806 IRB.CreateCall( 807 HWAsanMemset, 808 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 809 IRB.CreateIntCast(MI->getOperand(1), IRB.getInt32Ty(), false), 810 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 811 } 812 MI->eraseFromParent(); 813 } 814 815 bool HWAddressSanitizer::instrumentMemAccess(InterestingMemoryOperand &O) { 816 Value *Addr = O.getPtr(); 817 818 LLVM_DEBUG(dbgs() << "Instrumenting: " << O.getInsn() << "\n"); 819 820 if (O.MaybeMask) 821 return false; //FIXME 822 823 IRBuilder<> IRB(O.getInsn()); 824 if (isPowerOf2_64(O.TypeSize) && 825 (O.TypeSize / 8 <= (1ULL << (kNumberOfAccessSizes - 1))) && 826 (!O.Alignment || *O.Alignment >= (1ULL << Mapping.Scale) || 827 *O.Alignment >= O.TypeSize / 8)) { 828 size_t AccessSizeIndex = TypeSizeToSizeIndex(O.TypeSize); 829 if (ClInstrumentWithCalls) { 830 IRB.CreateCall(HwasanMemoryAccessCallback[O.IsWrite][AccessSizeIndex], 831 IRB.CreatePointerCast(Addr, IntptrTy)); 832 } else { 833 instrumentMemAccessInline(Addr, O.IsWrite, AccessSizeIndex, O.getInsn()); 834 } 835 } else { 836 IRB.CreateCall(HwasanMemoryAccessCallbackSized[O.IsWrite], 837 {IRB.CreatePointerCast(Addr, IntptrTy), 838 ConstantInt::get(IntptrTy, O.TypeSize / 8)}); 839 } 840 untagPointerOperand(O.getInsn(), Addr); 841 842 return true; 843 } 844 845 static uint64_t getAllocaSizeInBytes(const AllocaInst &AI) { 846 uint64_t ArraySize = 1; 847 if (AI.isArrayAllocation()) { 848 const ConstantInt *CI = dyn_cast<ConstantInt>(AI.getArraySize()); 849 assert(CI && "non-constant array size"); 850 ArraySize = CI->getZExtValue(); 851 } 852 Type *Ty = AI.getAllocatedType(); 853 uint64_t SizeInBytes = AI.getModule()->getDataLayout().getTypeAllocSize(Ty); 854 return SizeInBytes * ArraySize; 855 } 856 857 bool HWAddressSanitizer::tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, 858 Value *Tag, size_t Size) { 859 size_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment()); 860 if (!UseShortGranules) 861 Size = AlignedSize; 862 863 Value *JustTag = IRB.CreateTrunc(Tag, IRB.getInt8Ty()); 864 if (ClInstrumentWithCalls) { 865 IRB.CreateCall(HwasanTagMemoryFunc, 866 {IRB.CreatePointerCast(AI, Int8PtrTy), JustTag, 867 ConstantInt::get(IntptrTy, AlignedSize)}); 868 } else { 869 size_t ShadowSize = Size >> Mapping.Scale; 870 Value *ShadowPtr = memToShadow(IRB.CreatePointerCast(AI, IntptrTy), IRB); 871 // If this memset is not inlined, it will be intercepted in the hwasan 872 // runtime library. That's OK, because the interceptor skips the checks if 873 // the address is in the shadow region. 874 // FIXME: the interceptor is not as fast as real memset. Consider lowering 875 // llvm.memset right here into either a sequence of stores, or a call to 876 // hwasan_tag_memory. 877 if (ShadowSize) 878 IRB.CreateMemSet(ShadowPtr, JustTag, ShadowSize, Align(1)); 879 if (Size != AlignedSize) { 880 IRB.CreateStore( 881 ConstantInt::get(Int8Ty, Size % Mapping.getObjectAlignment()), 882 IRB.CreateConstGEP1_32(Int8Ty, ShadowPtr, ShadowSize)); 883 IRB.CreateStore(JustTag, IRB.CreateConstGEP1_32( 884 Int8Ty, IRB.CreateBitCast(AI, Int8PtrTy), 885 AlignedSize - 1)); 886 } 887 } 888 return true; 889 } 890 891 static unsigned RetagMask(unsigned AllocaNo) { 892 // A list of 8-bit numbers that have at most one run of non-zero bits. 893 // x = x ^ (mask << 56) can be encoded as a single armv8 instruction for these 894 // masks. 895 // The list does not include the value 255, which is used for UAR. 896 // 897 // Because we are more likely to use earlier elements of this list than later 898 // ones, it is sorted in increasing order of probability of collision with a 899 // mask allocated (temporally) nearby. The program that generated this list 900 // can be found at: 901 // https://github.com/google/sanitizers/blob/master/hwaddress-sanitizer/sort_masks.py 902 static unsigned FastMasks[] = {0, 128, 64, 192, 32, 96, 224, 112, 240, 903 48, 16, 120, 248, 56, 24, 8, 124, 252, 904 60, 28, 12, 4, 126, 254, 62, 30, 14, 905 6, 2, 127, 63, 31, 15, 7, 3, 1}; 906 return FastMasks[AllocaNo % (sizeof(FastMasks) / sizeof(FastMasks[0]))]; 907 } 908 909 Value *HWAddressSanitizer::getNextTagWithCall(IRBuilder<> &IRB) { 910 return IRB.CreateZExt(IRB.CreateCall(HwasanGenerateTagFunc), IntptrTy); 911 } 912 913 Value *HWAddressSanitizer::getStackBaseTag(IRBuilder<> &IRB) { 914 if (ClGenerateTagsWithCalls) 915 return getNextTagWithCall(IRB); 916 if (StackBaseTag) 917 return StackBaseTag; 918 // FIXME: use addressofreturnaddress (but implement it in aarch64 backend 919 // first). 920 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 921 auto GetStackPointerFn = Intrinsic::getDeclaration( 922 M, Intrinsic::frameaddress, 923 IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace())); 924 Value *StackPointer = IRB.CreateCall( 925 GetStackPointerFn, {Constant::getNullValue(IRB.getInt32Ty())}); 926 927 // Extract some entropy from the stack pointer for the tags. 928 // Take bits 20..28 (ASLR entropy) and xor with bits 0..8 (these differ 929 // between functions). 930 Value *StackPointerLong = IRB.CreatePointerCast(StackPointer, IntptrTy); 931 Value *StackTag = 932 IRB.CreateXor(StackPointerLong, IRB.CreateLShr(StackPointerLong, 20), 933 "hwasan.stack.base.tag"); 934 return StackTag; 935 } 936 937 Value *HWAddressSanitizer::getAllocaTag(IRBuilder<> &IRB, Value *StackTag, 938 AllocaInst *AI, unsigned AllocaNo) { 939 if (ClGenerateTagsWithCalls) 940 return getNextTagWithCall(IRB); 941 return IRB.CreateXor(StackTag, 942 ConstantInt::get(IntptrTy, RetagMask(AllocaNo))); 943 } 944 945 Value *HWAddressSanitizer::getUARTag(IRBuilder<> &IRB, Value *StackTag) { 946 if (ClUARRetagToZero) 947 return ConstantInt::get(IntptrTy, 0); 948 if (ClGenerateTagsWithCalls) 949 return getNextTagWithCall(IRB); 950 return IRB.CreateXor(StackTag, ConstantInt::get(IntptrTy, 0xFFU)); 951 } 952 953 // Add a tag to an address. 954 Value *HWAddressSanitizer::tagPointer(IRBuilder<> &IRB, Type *Ty, 955 Value *PtrLong, Value *Tag) { 956 Value *TaggedPtrLong; 957 if (CompileKernel) { 958 // Kernel addresses have 0xFF in the most significant byte. 959 Value *ShiftedTag = IRB.CreateOr( 960 IRB.CreateShl(Tag, kPointerTagShift), 961 ConstantInt::get(IntptrTy, (1ULL << kPointerTagShift) - 1)); 962 TaggedPtrLong = IRB.CreateAnd(PtrLong, ShiftedTag); 963 } else { 964 // Userspace can simply do OR (tag << 56); 965 Value *ShiftedTag = IRB.CreateShl(Tag, kPointerTagShift); 966 TaggedPtrLong = IRB.CreateOr(PtrLong, ShiftedTag); 967 } 968 return IRB.CreateIntToPtr(TaggedPtrLong, Ty); 969 } 970 971 // Remove tag from an address. 972 Value *HWAddressSanitizer::untagPointer(IRBuilder<> &IRB, Value *PtrLong) { 973 Value *UntaggedPtrLong; 974 if (CompileKernel) { 975 // Kernel addresses have 0xFF in the most significant byte. 976 UntaggedPtrLong = IRB.CreateOr(PtrLong, 977 ConstantInt::get(PtrLong->getType(), 0xFFULL << kPointerTagShift)); 978 } else { 979 // Userspace addresses have 0x00. 980 UntaggedPtrLong = IRB.CreateAnd(PtrLong, 981 ConstantInt::get(PtrLong->getType(), ~(0xFFULL << kPointerTagShift))); 982 } 983 return UntaggedPtrLong; 984 } 985 986 Value *HWAddressSanitizer::getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty) { 987 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 988 if (TargetTriple.isAArch64() && TargetTriple.isAndroid()) { 989 // Android provides a fixed TLS slot for sanitizers. See TLS_SLOT_SANITIZER 990 // in Bionic's libc/private/bionic_tls.h. 991 Function *ThreadPointerFunc = 992 Intrinsic::getDeclaration(M, Intrinsic::thread_pointer); 993 Value *SlotPtr = IRB.CreatePointerCast( 994 IRB.CreateConstGEP1_32(IRB.getInt8Ty(), 995 IRB.CreateCall(ThreadPointerFunc), 0x30), 996 Ty->getPointerTo(0)); 997 return SlotPtr; 998 } 999 if (ThreadPtrGlobal) 1000 return ThreadPtrGlobal; 1001 1002 1003 return nullptr; 1004 } 1005 1006 void HWAddressSanitizer::emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord) { 1007 if (!Mapping.InTls) { 1008 ShadowBase = getShadowNonTls(IRB); 1009 return; 1010 } 1011 1012 if (!WithFrameRecord && TargetTriple.isAndroid()) { 1013 ShadowBase = getDynamicShadowIfunc(IRB); 1014 return; 1015 } 1016 1017 Value *SlotPtr = getHwasanThreadSlotPtr(IRB, IntptrTy); 1018 assert(SlotPtr); 1019 1020 Value *ThreadLong = IRB.CreateLoad(IntptrTy, SlotPtr); 1021 // Extract the address field from ThreadLong. Unnecessary on AArch64 with TBI. 1022 Value *ThreadLongMaybeUntagged = 1023 TargetTriple.isAArch64() ? ThreadLong : untagPointer(IRB, ThreadLong); 1024 1025 if (WithFrameRecord) { 1026 Function *F = IRB.GetInsertBlock()->getParent(); 1027 StackBaseTag = IRB.CreateAShr(ThreadLong, 3); 1028 1029 // Prepare ring buffer data. 1030 Value *PC; 1031 if (TargetTriple.getArch() == Triple::aarch64) 1032 PC = readRegister(IRB, "pc"); 1033 else 1034 PC = IRB.CreatePtrToInt(F, IntptrTy); 1035 Module *M = F->getParent(); 1036 auto GetStackPointerFn = Intrinsic::getDeclaration( 1037 M, Intrinsic::frameaddress, 1038 IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace())); 1039 Value *SP = IRB.CreatePtrToInt( 1040 IRB.CreateCall(GetStackPointerFn, 1041 {Constant::getNullValue(IRB.getInt32Ty())}), 1042 IntptrTy); 1043 // Mix SP and PC. 1044 // Assumptions: 1045 // PC is 0x0000PPPPPPPPPPPP (48 bits are meaningful, others are zero) 1046 // SP is 0xsssssssssssSSSS0 (4 lower bits are zero) 1047 // We only really need ~20 lower non-zero bits (SSSS), so we mix like this: 1048 // 0xSSSSPPPPPPPPPPPP 1049 SP = IRB.CreateShl(SP, 44); 1050 1051 // Store data to ring buffer. 1052 Value *RecordPtr = 1053 IRB.CreateIntToPtr(ThreadLongMaybeUntagged, IntptrTy->getPointerTo(0)); 1054 IRB.CreateStore(IRB.CreateOr(PC, SP), RecordPtr); 1055 1056 // Update the ring buffer. Top byte of ThreadLong defines the size of the 1057 // buffer in pages, it must be a power of two, and the start of the buffer 1058 // must be aligned by twice that much. Therefore wrap around of the ring 1059 // buffer is simply Addr &= ~((ThreadLong >> 56) << 12). 1060 // The use of AShr instead of LShr is due to 1061 // https://bugs.llvm.org/show_bug.cgi?id=39030 1062 // Runtime library makes sure not to use the highest bit. 1063 Value *WrapMask = IRB.CreateXor( 1064 IRB.CreateShl(IRB.CreateAShr(ThreadLong, 56), 12, "", true, true), 1065 ConstantInt::get(IntptrTy, (uint64_t)-1)); 1066 Value *ThreadLongNew = IRB.CreateAnd( 1067 IRB.CreateAdd(ThreadLong, ConstantInt::get(IntptrTy, 8)), WrapMask); 1068 IRB.CreateStore(ThreadLongNew, SlotPtr); 1069 } 1070 1071 // Get shadow base address by aligning RecordPtr up. 1072 // Note: this is not correct if the pointer is already aligned. 1073 // Runtime library will make sure this never happens. 1074 ShadowBase = IRB.CreateAdd( 1075 IRB.CreateOr( 1076 ThreadLongMaybeUntagged, 1077 ConstantInt::get(IntptrTy, (1ULL << kShadowBaseAlignment) - 1)), 1078 ConstantInt::get(IntptrTy, 1), "hwasan.shadow"); 1079 ShadowBase = IRB.CreateIntToPtr(ShadowBase, Int8PtrTy); 1080 } 1081 1082 Value *HWAddressSanitizer::readRegister(IRBuilder<> &IRB, StringRef Name) { 1083 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 1084 Function *ReadRegister = 1085 Intrinsic::getDeclaration(M, Intrinsic::read_register, IntptrTy); 1086 MDNode *MD = MDNode::get(*C, {MDString::get(*C, Name)}); 1087 Value *Args[] = {MetadataAsValue::get(*C, MD)}; 1088 return IRB.CreateCall(ReadRegister, Args); 1089 } 1090 1091 bool HWAddressSanitizer::instrumentLandingPads( 1092 SmallVectorImpl<Instruction *> &LandingPadVec) { 1093 for (auto *LP : LandingPadVec) { 1094 IRBuilder<> IRB(LP->getNextNode()); 1095 IRB.CreateCall( 1096 HWAsanHandleVfork, 1097 {readRegister(IRB, (TargetTriple.getArch() == Triple::x86_64) ? "rsp" 1098 : "sp")}); 1099 } 1100 return true; 1101 } 1102 1103 bool HWAddressSanitizer::instrumentStack( 1104 SmallVectorImpl<AllocaInst *> &Allocas, 1105 DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> &AllocaDbgMap, 1106 SmallVectorImpl<Instruction *> &RetVec, Value *StackTag) { 1107 // Ideally, we want to calculate tagged stack base pointer, and rewrite all 1108 // alloca addresses using that. Unfortunately, offsets are not known yet 1109 // (unless we use ASan-style mega-alloca). Instead we keep the base tag in a 1110 // temp, shift-OR it into each alloca address and xor with the retag mask. 1111 // This generates one extra instruction per alloca use. 1112 for (unsigned N = 0; N < Allocas.size(); ++N) { 1113 auto *AI = Allocas[N]; 1114 IRBuilder<> IRB(AI->getNextNode()); 1115 1116 // Replace uses of the alloca with tagged address. 1117 Value *Tag = getAllocaTag(IRB, StackTag, AI, N); 1118 Value *AILong = IRB.CreatePointerCast(AI, IntptrTy); 1119 Value *Replacement = tagPointer(IRB, AI->getType(), AILong, Tag); 1120 std::string Name = 1121 AI->hasName() ? AI->getName().str() : "alloca." + itostr(N); 1122 Replacement->setName(Name + ".hwasan"); 1123 1124 AI->replaceUsesWithIf(Replacement, 1125 [AILong](Use &U) { return U.getUser() != AILong; }); 1126 1127 for (auto *DDI : AllocaDbgMap.lookup(AI)) { 1128 // Prepend "tag_offset, N" to the dwarf expression. 1129 // Tag offset logically applies to the alloca pointer, and it makes sense 1130 // to put it at the beginning of the expression. 1131 SmallVector<uint64_t, 8> NewOps = {dwarf::DW_OP_LLVM_tag_offset, 1132 RetagMask(N)}; 1133 DDI->setArgOperand( 1134 2, MetadataAsValue::get(*C, DIExpression::prependOpcodes( 1135 DDI->getExpression(), NewOps))); 1136 } 1137 1138 size_t Size = getAllocaSizeInBytes(*AI); 1139 tagAlloca(IRB, AI, Tag, Size); 1140 1141 for (auto RI : RetVec) { 1142 IRB.SetInsertPoint(RI); 1143 1144 // Re-tag alloca memory with the special UAR tag. 1145 Value *Tag = getUARTag(IRB, StackTag); 1146 tagAlloca(IRB, AI, Tag, alignTo(Size, Mapping.getObjectAlignment())); 1147 } 1148 } 1149 1150 return true; 1151 } 1152 1153 bool HWAddressSanitizer::isInterestingAlloca(const AllocaInst &AI) { 1154 return (AI.getAllocatedType()->isSized() && 1155 // FIXME: instrument dynamic allocas, too 1156 AI.isStaticAlloca() && 1157 // alloca() may be called with 0 size, ignore it. 1158 getAllocaSizeInBytes(AI) > 0 && 1159 // We are only interested in allocas not promotable to registers. 1160 // Promotable allocas are common under -O0. 1161 !isAllocaPromotable(&AI) && 1162 // inalloca allocas are not treated as static, and we don't want 1163 // dynamic alloca instrumentation for them as well. 1164 !AI.isUsedWithInAlloca() && 1165 // swifterror allocas are register promoted by ISel 1166 !AI.isSwiftError()); 1167 } 1168 1169 bool HWAddressSanitizer::sanitizeFunction(Function &F) { 1170 if (&F == HwasanCtorFunction) 1171 return false; 1172 1173 if (!F.hasFnAttribute(Attribute::SanitizeHWAddress)) 1174 return false; 1175 1176 LLVM_DEBUG(dbgs() << "Function: " << F.getName() << "\n"); 1177 1178 SmallVector<InterestingMemoryOperand, 16> OperandsToInstrument; 1179 SmallVector<MemIntrinsic *, 16> IntrinToInstrument; 1180 SmallVector<AllocaInst*, 8> AllocasToInstrument; 1181 SmallVector<Instruction*, 8> RetVec; 1182 SmallVector<Instruction*, 8> LandingPadVec; 1183 DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> AllocaDbgMap; 1184 for (auto &BB : F) { 1185 for (auto &Inst : BB) { 1186 if (ClInstrumentStack) 1187 if (AllocaInst *AI = dyn_cast<AllocaInst>(&Inst)) { 1188 if (isInterestingAlloca(*AI)) 1189 AllocasToInstrument.push_back(AI); 1190 continue; 1191 } 1192 1193 if (isa<ReturnInst>(Inst) || isa<ResumeInst>(Inst) || 1194 isa<CleanupReturnInst>(Inst)) 1195 RetVec.push_back(&Inst); 1196 1197 if (auto *DDI = dyn_cast<DbgVariableIntrinsic>(&Inst)) 1198 if (auto *Alloca = 1199 dyn_cast_or_null<AllocaInst>(DDI->getVariableLocation())) 1200 AllocaDbgMap[Alloca].push_back(DDI); 1201 1202 if (InstrumentLandingPads && isa<LandingPadInst>(Inst)) 1203 LandingPadVec.push_back(&Inst); 1204 1205 getInterestingMemoryOperands(&Inst, OperandsToInstrument); 1206 1207 if (MemIntrinsic *MI = dyn_cast<MemIntrinsic>(&Inst)) 1208 IntrinToInstrument.push_back(MI); 1209 } 1210 } 1211 1212 initializeCallbacks(*F.getParent()); 1213 1214 bool Changed = false; 1215 1216 if (!LandingPadVec.empty()) 1217 Changed |= instrumentLandingPads(LandingPadVec); 1218 1219 if (AllocasToInstrument.empty() && F.hasPersonalityFn() && 1220 F.getPersonalityFn()->getName() == kHwasanPersonalityThunkName) { 1221 // __hwasan_personality_thunk is a no-op for functions without an 1222 // instrumented stack, so we can drop it. 1223 F.setPersonalityFn(nullptr); 1224 Changed = true; 1225 } 1226 1227 if (AllocasToInstrument.empty() && OperandsToInstrument.empty() && 1228 IntrinToInstrument.empty()) 1229 return Changed; 1230 1231 assert(!ShadowBase); 1232 1233 Instruction *InsertPt = &*F.getEntryBlock().begin(); 1234 IRBuilder<> EntryIRB(InsertPt); 1235 emitPrologue(EntryIRB, 1236 /*WithFrameRecord*/ ClRecordStackHistory && 1237 !AllocasToInstrument.empty()); 1238 1239 if (!AllocasToInstrument.empty()) { 1240 Value *StackTag = 1241 ClGenerateTagsWithCalls ? nullptr : getStackBaseTag(EntryIRB); 1242 instrumentStack(AllocasToInstrument, AllocaDbgMap, RetVec, StackTag); 1243 } 1244 // Pad and align each of the allocas that we instrumented to stop small 1245 // uninteresting allocas from hiding in instrumented alloca's padding and so 1246 // that we have enough space to store real tags for short granules. 1247 DenseMap<AllocaInst *, AllocaInst *> AllocaToPaddedAllocaMap; 1248 for (AllocaInst *AI : AllocasToInstrument) { 1249 uint64_t Size = getAllocaSizeInBytes(*AI); 1250 uint64_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment()); 1251 AI->setAlignment( 1252 Align(std::max(AI->getAlignment(), Mapping.getObjectAlignment()))); 1253 if (Size != AlignedSize) { 1254 Type *AllocatedType = AI->getAllocatedType(); 1255 if (AI->isArrayAllocation()) { 1256 uint64_t ArraySize = 1257 cast<ConstantInt>(AI->getArraySize())->getZExtValue(); 1258 AllocatedType = ArrayType::get(AllocatedType, ArraySize); 1259 } 1260 Type *TypeWithPadding = StructType::get( 1261 AllocatedType, ArrayType::get(Int8Ty, AlignedSize - Size)); 1262 auto *NewAI = new AllocaInst( 1263 TypeWithPadding, AI->getType()->getAddressSpace(), nullptr, "", AI); 1264 NewAI->takeName(AI); 1265 NewAI->setAlignment(AI->getAlign()); 1266 NewAI->setUsedWithInAlloca(AI->isUsedWithInAlloca()); 1267 NewAI->setSwiftError(AI->isSwiftError()); 1268 NewAI->copyMetadata(*AI); 1269 auto *Bitcast = new BitCastInst(NewAI, AI->getType(), "", AI); 1270 AI->replaceAllUsesWith(Bitcast); 1271 AllocaToPaddedAllocaMap[AI] = NewAI; 1272 } 1273 } 1274 1275 if (!AllocaToPaddedAllocaMap.empty()) { 1276 for (auto &BB : F) 1277 for (auto &Inst : BB) 1278 if (auto *DVI = dyn_cast<DbgVariableIntrinsic>(&Inst)) 1279 if (auto *AI = 1280 dyn_cast_or_null<AllocaInst>(DVI->getVariableLocation())) 1281 if (auto *NewAI = AllocaToPaddedAllocaMap.lookup(AI)) 1282 DVI->setArgOperand( 1283 0, MetadataAsValue::get(*C, LocalAsMetadata::get(NewAI))); 1284 for (auto &P : AllocaToPaddedAllocaMap) 1285 P.first->eraseFromParent(); 1286 } 1287 1288 // If we split the entry block, move any allocas that were originally in the 1289 // entry block back into the entry block so that they aren't treated as 1290 // dynamic allocas. 1291 if (EntryIRB.GetInsertBlock() != &F.getEntryBlock()) { 1292 InsertPt = &*F.getEntryBlock().begin(); 1293 for (auto II = EntryIRB.GetInsertBlock()->begin(), 1294 IE = EntryIRB.GetInsertBlock()->end(); 1295 II != IE;) { 1296 Instruction *I = &*II++; 1297 if (auto *AI = dyn_cast<AllocaInst>(I)) 1298 if (isa<ConstantInt>(AI->getArraySize())) 1299 I->moveBefore(InsertPt); 1300 } 1301 } 1302 1303 for (auto &Operand : OperandsToInstrument) 1304 instrumentMemAccess(Operand); 1305 1306 if (ClInstrumentMemIntrinsics && !IntrinToInstrument.empty()) { 1307 for (auto Inst : IntrinToInstrument) 1308 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 1309 } 1310 1311 ShadowBase = nullptr; 1312 StackBaseTag = nullptr; 1313 1314 return true; 1315 } 1316 1317 void HWAddressSanitizer::instrumentGlobal(GlobalVariable *GV, uint8_t Tag) { 1318 Constant *Initializer = GV->getInitializer(); 1319 uint64_t SizeInBytes = 1320 M.getDataLayout().getTypeAllocSize(Initializer->getType()); 1321 uint64_t NewSize = alignTo(SizeInBytes, Mapping.getObjectAlignment()); 1322 if (SizeInBytes != NewSize) { 1323 // Pad the initializer out to the next multiple of 16 bytes and add the 1324 // required short granule tag. 1325 std::vector<uint8_t> Init(NewSize - SizeInBytes, 0); 1326 Init.back() = Tag; 1327 Constant *Padding = ConstantDataArray::get(*C, Init); 1328 Initializer = ConstantStruct::getAnon({Initializer, Padding}); 1329 } 1330 1331 auto *NewGV = new GlobalVariable(M, Initializer->getType(), GV->isConstant(), 1332 GlobalValue::ExternalLinkage, Initializer, 1333 GV->getName() + ".hwasan"); 1334 NewGV->copyAttributesFrom(GV); 1335 NewGV->setLinkage(GlobalValue::PrivateLinkage); 1336 NewGV->copyMetadata(GV, 0); 1337 NewGV->setAlignment( 1338 MaybeAlign(std::max(GV->getAlignment(), Mapping.getObjectAlignment()))); 1339 1340 // It is invalid to ICF two globals that have different tags. In the case 1341 // where the size of the global is a multiple of the tag granularity the 1342 // contents of the globals may be the same but the tags (i.e. symbol values) 1343 // may be different, and the symbols are not considered during ICF. In the 1344 // case where the size is not a multiple of the granularity, the short granule 1345 // tags would discriminate two globals with different tags, but there would 1346 // otherwise be nothing stopping such a global from being incorrectly ICF'd 1347 // with an uninstrumented (i.e. tag 0) global that happened to have the short 1348 // granule tag in the last byte. 1349 NewGV->setUnnamedAddr(GlobalValue::UnnamedAddr::None); 1350 1351 // Descriptor format (assuming little-endian): 1352 // bytes 0-3: relative address of global 1353 // bytes 4-6: size of global (16MB ought to be enough for anyone, but in case 1354 // it isn't, we create multiple descriptors) 1355 // byte 7: tag 1356 auto *DescriptorTy = StructType::get(Int32Ty, Int32Ty); 1357 const uint64_t MaxDescriptorSize = 0xfffff0; 1358 for (uint64_t DescriptorPos = 0; DescriptorPos < SizeInBytes; 1359 DescriptorPos += MaxDescriptorSize) { 1360 auto *Descriptor = 1361 new GlobalVariable(M, DescriptorTy, true, GlobalValue::PrivateLinkage, 1362 nullptr, GV->getName() + ".hwasan.descriptor"); 1363 auto *GVRelPtr = ConstantExpr::getTrunc( 1364 ConstantExpr::getAdd( 1365 ConstantExpr::getSub( 1366 ConstantExpr::getPtrToInt(NewGV, Int64Ty), 1367 ConstantExpr::getPtrToInt(Descriptor, Int64Ty)), 1368 ConstantInt::get(Int64Ty, DescriptorPos)), 1369 Int32Ty); 1370 uint32_t Size = std::min(SizeInBytes - DescriptorPos, MaxDescriptorSize); 1371 auto *SizeAndTag = ConstantInt::get(Int32Ty, Size | (uint32_t(Tag) << 24)); 1372 Descriptor->setComdat(NewGV->getComdat()); 1373 Descriptor->setInitializer(ConstantStruct::getAnon({GVRelPtr, SizeAndTag})); 1374 Descriptor->setSection("hwasan_globals"); 1375 Descriptor->setMetadata(LLVMContext::MD_associated, 1376 MDNode::get(*C, ValueAsMetadata::get(NewGV))); 1377 appendToCompilerUsed(M, Descriptor); 1378 } 1379 1380 Constant *Aliasee = ConstantExpr::getIntToPtr( 1381 ConstantExpr::getAdd( 1382 ConstantExpr::getPtrToInt(NewGV, Int64Ty), 1383 ConstantInt::get(Int64Ty, uint64_t(Tag) << kPointerTagShift)), 1384 GV->getType()); 1385 auto *Alias = GlobalAlias::create(GV->getValueType(), GV->getAddressSpace(), 1386 GV->getLinkage(), "", Aliasee, &M); 1387 Alias->setVisibility(GV->getVisibility()); 1388 Alias->takeName(GV); 1389 GV->replaceAllUsesWith(Alias); 1390 GV->eraseFromParent(); 1391 } 1392 1393 void HWAddressSanitizer::instrumentGlobals() { 1394 std::vector<GlobalVariable *> Globals; 1395 for (GlobalVariable &GV : M.globals()) { 1396 if (GV.isDeclarationForLinker() || GV.getName().startswith("llvm.") || 1397 GV.isThreadLocal()) 1398 continue; 1399 1400 // Common symbols can't have aliases point to them, so they can't be tagged. 1401 if (GV.hasCommonLinkage()) 1402 continue; 1403 1404 // Globals with custom sections may be used in __start_/__stop_ enumeration, 1405 // which would be broken both by adding tags and potentially by the extra 1406 // padding/alignment that we insert. 1407 if (GV.hasSection()) 1408 continue; 1409 1410 Globals.push_back(&GV); 1411 } 1412 1413 MD5 Hasher; 1414 Hasher.update(M.getSourceFileName()); 1415 MD5::MD5Result Hash; 1416 Hasher.final(Hash); 1417 uint8_t Tag = Hash[0]; 1418 1419 for (GlobalVariable *GV : Globals) { 1420 // Skip tag 0 in order to avoid collisions with untagged memory. 1421 if (Tag == 0) 1422 Tag = 1; 1423 instrumentGlobal(GV, Tag++); 1424 } 1425 } 1426 1427 void HWAddressSanitizer::instrumentPersonalityFunctions() { 1428 // We need to untag stack frames as we unwind past them. That is the job of 1429 // the personality function wrapper, which either wraps an existing 1430 // personality function or acts as a personality function on its own. Each 1431 // function that has a personality function or that can be unwound past has 1432 // its personality function changed to a thunk that calls the personality 1433 // function wrapper in the runtime. 1434 MapVector<Constant *, std::vector<Function *>> PersonalityFns; 1435 for (Function &F : M) { 1436 if (F.isDeclaration() || !F.hasFnAttribute(Attribute::SanitizeHWAddress)) 1437 continue; 1438 1439 if (F.hasPersonalityFn()) { 1440 PersonalityFns[F.getPersonalityFn()->stripPointerCasts()].push_back(&F); 1441 } else if (!F.hasFnAttribute(Attribute::NoUnwind)) { 1442 PersonalityFns[nullptr].push_back(&F); 1443 } 1444 } 1445 1446 if (PersonalityFns.empty()) 1447 return; 1448 1449 FunctionCallee HwasanPersonalityWrapper = M.getOrInsertFunction( 1450 "__hwasan_personality_wrapper", Int32Ty, Int32Ty, Int32Ty, Int64Ty, 1451 Int8PtrTy, Int8PtrTy, Int8PtrTy, Int8PtrTy, Int8PtrTy); 1452 FunctionCallee UnwindGetGR = M.getOrInsertFunction("_Unwind_GetGR", VoidTy); 1453 FunctionCallee UnwindGetCFA = M.getOrInsertFunction("_Unwind_GetCFA", VoidTy); 1454 1455 for (auto &P : PersonalityFns) { 1456 std::string ThunkName = kHwasanPersonalityThunkName; 1457 if (P.first) 1458 ThunkName += ("." + P.first->getName()).str(); 1459 FunctionType *ThunkFnTy = FunctionType::get( 1460 Int32Ty, {Int32Ty, Int32Ty, Int64Ty, Int8PtrTy, Int8PtrTy}, false); 1461 bool IsLocal = P.first && (!isa<GlobalValue>(P.first) || 1462 cast<GlobalValue>(P.first)->hasLocalLinkage()); 1463 auto *ThunkFn = Function::Create(ThunkFnTy, 1464 IsLocal ? GlobalValue::InternalLinkage 1465 : GlobalValue::LinkOnceODRLinkage, 1466 ThunkName, &M); 1467 if (!IsLocal) { 1468 ThunkFn->setVisibility(GlobalValue::HiddenVisibility); 1469 ThunkFn->setComdat(M.getOrInsertComdat(ThunkName)); 1470 } 1471 1472 auto *BB = BasicBlock::Create(*C, "entry", ThunkFn); 1473 IRBuilder<> IRB(BB); 1474 CallInst *WrapperCall = IRB.CreateCall( 1475 HwasanPersonalityWrapper, 1476 {ThunkFn->getArg(0), ThunkFn->getArg(1), ThunkFn->getArg(2), 1477 ThunkFn->getArg(3), ThunkFn->getArg(4), 1478 P.first ? IRB.CreateBitCast(P.first, Int8PtrTy) 1479 : Constant::getNullValue(Int8PtrTy), 1480 IRB.CreateBitCast(UnwindGetGR.getCallee(), Int8PtrTy), 1481 IRB.CreateBitCast(UnwindGetCFA.getCallee(), Int8PtrTy)}); 1482 WrapperCall->setTailCall(); 1483 IRB.CreateRet(WrapperCall); 1484 1485 for (Function *F : P.second) 1486 F->setPersonalityFn(ThunkFn); 1487 } 1488 } 1489 1490 void HWAddressSanitizer::ShadowMapping::init(Triple &TargetTriple) { 1491 Scale = kDefaultShadowScale; 1492 if (ClMappingOffset.getNumOccurrences() > 0) { 1493 InGlobal = false; 1494 InTls = false; 1495 Offset = ClMappingOffset; 1496 } else if (ClEnableKhwasan || ClInstrumentWithCalls) { 1497 InGlobal = false; 1498 InTls = false; 1499 Offset = 0; 1500 } else if (ClWithIfunc) { 1501 InGlobal = true; 1502 InTls = false; 1503 Offset = kDynamicShadowSentinel; 1504 } else if (ClWithTls) { 1505 InGlobal = false; 1506 InTls = true; 1507 Offset = kDynamicShadowSentinel; 1508 } else { 1509 InGlobal = false; 1510 InTls = false; 1511 Offset = kDynamicShadowSentinel; 1512 } 1513 } 1514