1 //===- HWAddressSanitizer.cpp - detector of uninitialized reads -------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 /// \file 10 /// This file is a part of HWAddressSanitizer, an address basic correctness 11 /// checker based on tagged addressing. 12 //===----------------------------------------------------------------------===// 13 14 #include "llvm/Transforms/Instrumentation/HWAddressSanitizer.h" 15 #include "llvm/ADT/MapVector.h" 16 #include "llvm/ADT/STLExtras.h" 17 #include "llvm/ADT/SmallVector.h" 18 #include "llvm/ADT/StringExtras.h" 19 #include "llvm/ADT/StringRef.h" 20 #include "llvm/ADT/Triple.h" 21 #include "llvm/Analysis/PostDominators.h" 22 #include "llvm/Analysis/StackSafetyAnalysis.h" 23 #include "llvm/Analysis/ValueTracking.h" 24 #include "llvm/BinaryFormat/Dwarf.h" 25 #include "llvm/BinaryFormat/ELF.h" 26 #include "llvm/IR/Attributes.h" 27 #include "llvm/IR/BasicBlock.h" 28 #include "llvm/IR/Constant.h" 29 #include "llvm/IR/Constants.h" 30 #include "llvm/IR/DataLayout.h" 31 #include "llvm/IR/DebugInfoMetadata.h" 32 #include "llvm/IR/DerivedTypes.h" 33 #include "llvm/IR/Dominators.h" 34 #include "llvm/IR/Function.h" 35 #include "llvm/IR/IRBuilder.h" 36 #include "llvm/IR/InlineAsm.h" 37 #include "llvm/IR/InstIterator.h" 38 #include "llvm/IR/Instruction.h" 39 #include "llvm/IR/Instructions.h" 40 #include "llvm/IR/IntrinsicInst.h" 41 #include "llvm/IR/Intrinsics.h" 42 #include "llvm/IR/LLVMContext.h" 43 #include "llvm/IR/MDBuilder.h" 44 #include "llvm/IR/Module.h" 45 #include "llvm/IR/Type.h" 46 #include "llvm/IR/Value.h" 47 #include "llvm/InitializePasses.h" 48 #include "llvm/Pass.h" 49 #include "llvm/PassRegistry.h" 50 #include "llvm/Support/Casting.h" 51 #include "llvm/Support/CommandLine.h" 52 #include "llvm/Support/Debug.h" 53 #include "llvm/Support/raw_ostream.h" 54 #include "llvm/Transforms/Instrumentation/AddressSanitizerCommon.h" 55 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 56 #include "llvm/Transforms/Utils/MemoryTaggingSupport.h" 57 #include "llvm/Transforms/Utils/ModuleUtils.h" 58 #include "llvm/Transforms/Utils/PromoteMemToReg.h" 59 60 using namespace llvm; 61 62 #define DEBUG_TYPE "hwasan" 63 64 const char kHwasanModuleCtorName[] = "hwasan.module_ctor"; 65 const char kHwasanNoteName[] = "hwasan.note"; 66 const char kHwasanInitName[] = "__hwasan_init"; 67 const char kHwasanPersonalityThunkName[] = "__hwasan_personality_thunk"; 68 69 const char kHwasanShadowMemoryDynamicAddress[] = 70 "__hwasan_shadow_memory_dynamic_address"; 71 72 // Accesses sizes are powers of two: 1, 2, 4, 8, 16. 73 static const size_t kNumberOfAccessSizes = 5; 74 75 static const size_t kDefaultShadowScale = 4; 76 static const uint64_t kDynamicShadowSentinel = 77 std::numeric_limits<uint64_t>::max(); 78 79 static const unsigned kShadowBaseAlignment = 32; 80 81 static cl::opt<std::string> 82 ClMemoryAccessCallbackPrefix("hwasan-memory-access-callback-prefix", 83 cl::desc("Prefix for memory access callbacks"), 84 cl::Hidden, cl::init("__hwasan_")); 85 86 static cl::opt<bool> ClInstrumentWithCalls( 87 "hwasan-instrument-with-calls", 88 cl::desc("instrument reads and writes with callbacks"), cl::Hidden, 89 cl::init(false)); 90 91 static cl::opt<bool> ClInstrumentReads("hwasan-instrument-reads", 92 cl::desc("instrument read instructions"), 93 cl::Hidden, cl::init(true)); 94 95 static cl::opt<bool> 96 ClInstrumentWrites("hwasan-instrument-writes", 97 cl::desc("instrument write instructions"), cl::Hidden, 98 cl::init(true)); 99 100 static cl::opt<bool> ClInstrumentAtomics( 101 "hwasan-instrument-atomics", 102 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden, 103 cl::init(true)); 104 105 static cl::opt<bool> ClInstrumentByval("hwasan-instrument-byval", 106 cl::desc("instrument byval arguments"), 107 cl::Hidden, cl::init(true)); 108 109 static cl::opt<bool> 110 ClRecover("hwasan-recover", 111 cl::desc("Enable recovery mode (continue-after-error)."), 112 cl::Hidden, cl::init(false)); 113 114 static cl::opt<bool> ClInstrumentStack("hwasan-instrument-stack", 115 cl::desc("instrument stack (allocas)"), 116 cl::Hidden, cl::init(true)); 117 118 static cl::opt<bool> 119 ClUseStackSafety("hwasan-use-stack-safety", cl::Hidden, cl::init(true), 120 cl::Hidden, cl::desc("Use Stack Safety analysis results"), 121 cl::Optional); 122 123 static cl::opt<size_t> ClMaxLifetimes( 124 "hwasan-max-lifetimes-for-alloca", cl::Hidden, cl::init(3), 125 cl::ReallyHidden, 126 cl::desc("How many lifetime ends to handle for a single alloca."), 127 cl::Optional); 128 129 static cl::opt<bool> 130 ClUseAfterScope("hwasan-use-after-scope", 131 cl::desc("detect use after scope within function"), 132 cl::Hidden, cl::init(false)); 133 134 static cl::opt<bool> ClUARRetagToZero( 135 "hwasan-uar-retag-to-zero", 136 cl::desc("Clear alloca tags before returning from the function to allow " 137 "non-instrumented and instrumented function calls mix. When set " 138 "to false, allocas are retagged before returning from the " 139 "function to detect use after return."), 140 cl::Hidden, cl::init(true)); 141 142 static cl::opt<bool> ClGenerateTagsWithCalls( 143 "hwasan-generate-tags-with-calls", 144 cl::desc("generate new tags with runtime library calls"), cl::Hidden, 145 cl::init(false)); 146 147 static cl::opt<bool> ClGlobals("hwasan-globals", cl::desc("Instrument globals"), 148 cl::Hidden, cl::init(false), cl::ZeroOrMore); 149 150 static cl::opt<int> ClMatchAllTag( 151 "hwasan-match-all-tag", 152 cl::desc("don't report bad accesses via pointers with this tag"), 153 cl::Hidden, cl::init(-1)); 154 155 static cl::opt<bool> 156 ClEnableKhwasan("hwasan-kernel", 157 cl::desc("Enable KernelHWAddressSanitizer instrumentation"), 158 cl::Hidden, cl::init(false)); 159 160 // These flags allow to change the shadow mapping and control how shadow memory 161 // is accessed. The shadow mapping looks like: 162 // Shadow = (Mem >> scale) + offset 163 164 static cl::opt<uint64_t> 165 ClMappingOffset("hwasan-mapping-offset", 166 cl::desc("HWASan shadow mapping offset [EXPERIMENTAL]"), 167 cl::Hidden, cl::init(0)); 168 169 static cl::opt<bool> 170 ClWithIfunc("hwasan-with-ifunc", 171 cl::desc("Access dynamic shadow through an ifunc global on " 172 "platforms that support this"), 173 cl::Hidden, cl::init(false)); 174 175 static cl::opt<bool> ClWithTls( 176 "hwasan-with-tls", 177 cl::desc("Access dynamic shadow through an thread-local pointer on " 178 "platforms that support this"), 179 cl::Hidden, cl::init(true)); 180 181 static cl::opt<bool> 182 ClRecordStackHistory("hwasan-record-stack-history", 183 cl::desc("Record stack frames with tagged allocations " 184 "in a thread-local ring buffer"), 185 cl::Hidden, cl::init(true)); 186 static cl::opt<bool> 187 ClInstrumentMemIntrinsics("hwasan-instrument-mem-intrinsics", 188 cl::desc("instrument memory intrinsics"), 189 cl::Hidden, cl::init(true)); 190 191 static cl::opt<bool> 192 ClInstrumentLandingPads("hwasan-instrument-landing-pads", 193 cl::desc("instrument landing pads"), cl::Hidden, 194 cl::init(false), cl::ZeroOrMore); 195 196 static cl::opt<bool> ClUseShortGranules( 197 "hwasan-use-short-granules", 198 cl::desc("use short granules in allocas and outlined checks"), cl::Hidden, 199 cl::init(false), cl::ZeroOrMore); 200 201 static cl::opt<bool> ClInstrumentPersonalityFunctions( 202 "hwasan-instrument-personality-functions", 203 cl::desc("instrument personality functions"), cl::Hidden, cl::init(false), 204 cl::ZeroOrMore); 205 206 static cl::opt<bool> ClInlineAllChecks("hwasan-inline-all-checks", 207 cl::desc("inline all checks"), 208 cl::Hidden, cl::init(false)); 209 210 // Enabled from clang by "-fsanitize-hwaddress-experimental-aliasing". 211 static cl::opt<bool> ClUsePageAliases("hwasan-experimental-use-page-aliases", 212 cl::desc("Use page aliasing in HWASan"), 213 cl::Hidden, cl::init(false)); 214 215 namespace { 216 217 bool shouldUsePageAliases(const Triple &TargetTriple) { 218 return ClUsePageAliases && TargetTriple.getArch() == Triple::x86_64; 219 } 220 221 bool shouldInstrumentStack(const Triple &TargetTriple) { 222 return !shouldUsePageAliases(TargetTriple) && ClInstrumentStack; 223 } 224 225 bool shouldInstrumentWithCalls(const Triple &TargetTriple) { 226 return ClInstrumentWithCalls || TargetTriple.getArch() == Triple::x86_64; 227 } 228 229 bool mightUseStackSafetyAnalysis(bool DisableOptimization) { 230 return ClUseStackSafety.getNumOccurrences() ? ClUseStackSafety 231 : !DisableOptimization; 232 } 233 234 bool shouldUseStackSafetyAnalysis(const Triple &TargetTriple, 235 bool DisableOptimization) { 236 return shouldInstrumentStack(TargetTriple) && 237 mightUseStackSafetyAnalysis(DisableOptimization); 238 } 239 240 bool shouldDetectUseAfterScope(const Triple &TargetTriple) { 241 return ClUseAfterScope && shouldInstrumentStack(TargetTriple); 242 } 243 244 /// An instrumentation pass implementing detection of addressability bugs 245 /// using tagged pointers. 246 class HWAddressSanitizer { 247 public: 248 HWAddressSanitizer(Module &M, bool CompileKernel, bool Recover, 249 const StackSafetyGlobalInfo *SSI) 250 : M(M), SSI(SSI) { 251 this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover; 252 this->CompileKernel = ClEnableKhwasan.getNumOccurrences() > 0 253 ? ClEnableKhwasan 254 : CompileKernel; 255 256 initializeModule(); 257 } 258 259 void setSSI(const StackSafetyGlobalInfo *S) { SSI = S; } 260 261 bool sanitizeFunction(Function &F, 262 llvm::function_ref<const DominatorTree &()> GetDT, 263 llvm::function_ref<const PostDominatorTree &()> GetPDT); 264 void initializeModule(); 265 void createHwasanCtorComdat(); 266 267 void initializeCallbacks(Module &M); 268 269 Value *getOpaqueNoopCast(IRBuilder<> &IRB, Value *Val); 270 271 Value *getDynamicShadowIfunc(IRBuilder<> &IRB); 272 Value *getShadowNonTls(IRBuilder<> &IRB); 273 274 void untagPointerOperand(Instruction *I, Value *Addr); 275 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 276 277 int64_t getAccessInfo(bool IsWrite, unsigned AccessSizeIndex); 278 void instrumentMemAccessOutline(Value *Ptr, bool IsWrite, 279 unsigned AccessSizeIndex, 280 Instruction *InsertBefore); 281 void instrumentMemAccessInline(Value *Ptr, bool IsWrite, 282 unsigned AccessSizeIndex, 283 Instruction *InsertBefore); 284 bool ignoreMemIntrinsic(MemIntrinsic *MI); 285 void instrumentMemIntrinsic(MemIntrinsic *MI); 286 bool instrumentMemAccess(InterestingMemoryOperand &O); 287 bool ignoreAccess(Instruction *Inst, Value *Ptr); 288 void getInterestingMemoryOperands( 289 Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting); 290 291 bool isInterestingAlloca(const AllocaInst &AI); 292 void tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, size_t Size); 293 Value *tagPointer(IRBuilder<> &IRB, Type *Ty, Value *PtrLong, Value *Tag); 294 Value *untagPointer(IRBuilder<> &IRB, Value *PtrLong); 295 bool instrumentStack(memtag::StackInfo &Info, Value *StackTag, 296 llvm::function_ref<const DominatorTree &()> GetDT, 297 llvm::function_ref<const PostDominatorTree &()> GetPDT); 298 Value *readRegister(IRBuilder<> &IRB, StringRef Name); 299 bool instrumentLandingPads(SmallVectorImpl<Instruction *> &RetVec); 300 Value *getNextTagWithCall(IRBuilder<> &IRB); 301 Value *getStackBaseTag(IRBuilder<> &IRB); 302 Value *getAllocaTag(IRBuilder<> &IRB, Value *StackTag, AllocaInst *AI, 303 unsigned AllocaNo); 304 Value *getUARTag(IRBuilder<> &IRB, Value *StackTag); 305 306 Value *getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty); 307 Value *applyTagMask(IRBuilder<> &IRB, Value *OldTag); 308 unsigned retagMask(unsigned AllocaNo); 309 310 void emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord); 311 312 void instrumentGlobal(GlobalVariable *GV, uint8_t Tag); 313 void instrumentGlobals(); 314 315 void instrumentPersonalityFunctions(); 316 317 private: 318 LLVMContext *C; 319 Module &M; 320 const StackSafetyGlobalInfo *SSI; 321 Triple TargetTriple; 322 FunctionCallee HWAsanMemmove, HWAsanMemcpy, HWAsanMemset; 323 FunctionCallee HWAsanHandleVfork; 324 325 /// This struct defines the shadow mapping using the rule: 326 /// shadow = (mem >> Scale) + Offset. 327 /// If InGlobal is true, then 328 /// extern char __hwasan_shadow[]; 329 /// shadow = (mem >> Scale) + &__hwasan_shadow 330 /// If InTls is true, then 331 /// extern char *__hwasan_tls; 332 /// shadow = (mem>>Scale) + align_up(__hwasan_shadow, kShadowBaseAlignment) 333 /// 334 /// If WithFrameRecord is true, then __hwasan_tls will be used to access the 335 /// ring buffer for storing stack allocations on targets that support it. 336 struct ShadowMapping { 337 int Scale; 338 uint64_t Offset; 339 bool InGlobal; 340 bool InTls; 341 bool WithFrameRecord; 342 343 void init(Triple &TargetTriple, bool InstrumentWithCalls); 344 uint64_t getObjectAlignment() const { return 1ULL << Scale; } 345 }; 346 347 ShadowMapping Mapping; 348 349 Type *VoidTy = Type::getVoidTy(M.getContext()); 350 Type *IntptrTy; 351 Type *Int8PtrTy; 352 Type *Int8Ty; 353 Type *Int32Ty; 354 Type *Int64Ty = Type::getInt64Ty(M.getContext()); 355 356 bool CompileKernel; 357 bool Recover; 358 bool OutlinedChecks; 359 bool UseShortGranules; 360 bool InstrumentLandingPads; 361 bool InstrumentWithCalls; 362 bool InstrumentStack; 363 bool DetectUseAfterScope; 364 bool UsePageAliases; 365 366 bool HasMatchAllTag = false; 367 uint8_t MatchAllTag = 0; 368 369 unsigned PointerTagShift; 370 uint64_t TagMaskByte; 371 372 Function *HwasanCtorFunction; 373 374 FunctionCallee HwasanMemoryAccessCallback[2][kNumberOfAccessSizes]; 375 FunctionCallee HwasanMemoryAccessCallbackSized[2]; 376 377 FunctionCallee HwasanTagMemoryFunc; 378 FunctionCallee HwasanGenerateTagFunc; 379 380 Constant *ShadowGlobal; 381 382 Value *ShadowBase = nullptr; 383 Value *StackBaseTag = nullptr; 384 GlobalValue *ThreadPtrGlobal = nullptr; 385 }; 386 387 class HWAddressSanitizerLegacyPass : public FunctionPass { 388 public: 389 // Pass identification, replacement for typeid. 390 static char ID; 391 392 explicit HWAddressSanitizerLegacyPass(bool CompileKernel = false, 393 bool Recover = false, 394 bool DisableOptimization = false) 395 : FunctionPass(ID), CompileKernel(CompileKernel), Recover(Recover), 396 DisableOptimization(DisableOptimization) { 397 initializeHWAddressSanitizerLegacyPassPass( 398 *PassRegistry::getPassRegistry()); 399 } 400 401 StringRef getPassName() const override { return "HWAddressSanitizer"; } 402 403 bool doInitialization(Module &M) override { 404 HWASan = std::make_unique<HWAddressSanitizer>(M, CompileKernel, Recover, 405 /*SSI=*/nullptr); 406 return true; 407 } 408 409 bool runOnFunction(Function &F) override { 410 auto TargetTriple = Triple(F.getParent()->getTargetTriple()); 411 if (shouldUseStackSafetyAnalysis(TargetTriple, DisableOptimization)) { 412 // We cannot call getAnalysis in doInitialization, that would cause a 413 // crash as the required analyses are not initialized yet. 414 HWASan->setSSI( 415 &getAnalysis<StackSafetyGlobalInfoWrapperPass>().getResult()); 416 } 417 return HWASan->sanitizeFunction( 418 F, 419 [&]() -> const DominatorTree & { 420 return getAnalysis<DominatorTreeWrapperPass>().getDomTree(); 421 }, 422 [&]() -> const PostDominatorTree & { 423 return getAnalysis<PostDominatorTreeWrapperPass>().getPostDomTree(); 424 }); 425 } 426 427 bool doFinalization(Module &M) override { 428 HWASan.reset(); 429 return false; 430 } 431 432 void getAnalysisUsage(AnalysisUsage &AU) const override { 433 // This is an over-estimation of, in case we are building for an 434 // architecture that doesn't allow stack tagging we will still load the 435 // analysis. 436 // This is so we don't need to plumb TargetTriple all the way to here. 437 if (mightUseStackSafetyAnalysis(DisableOptimization)) 438 AU.addRequired<StackSafetyGlobalInfoWrapperPass>(); 439 AU.addRequired<DominatorTreeWrapperPass>(); 440 AU.addRequired<PostDominatorTreeWrapperPass>(); 441 } 442 443 private: 444 std::unique_ptr<HWAddressSanitizer> HWASan; 445 bool CompileKernel; 446 bool Recover; 447 bool DisableOptimization; 448 }; 449 450 } // end anonymous namespace 451 452 char HWAddressSanitizerLegacyPass::ID = 0; 453 454 INITIALIZE_PASS_BEGIN( 455 HWAddressSanitizerLegacyPass, "hwasan", 456 "HWAddressSanitizer: detect memory bugs using tagged addressing.", false, 457 false) 458 INITIALIZE_PASS_DEPENDENCY(StackSafetyGlobalInfoWrapperPass) 459 INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass) 460 INITIALIZE_PASS_DEPENDENCY(PostDominatorTreeWrapperPass) 461 INITIALIZE_PASS_END( 462 HWAddressSanitizerLegacyPass, "hwasan", 463 "HWAddressSanitizer: detect memory bugs using tagged addressing.", false, 464 false) 465 466 FunctionPass * 467 llvm::createHWAddressSanitizerLegacyPassPass(bool CompileKernel, bool Recover, 468 bool DisableOptimization) { 469 assert(!CompileKernel || Recover); 470 return new HWAddressSanitizerLegacyPass(CompileKernel, Recover, 471 DisableOptimization); 472 } 473 474 PreservedAnalyses HWAddressSanitizerPass::run(Module &M, 475 ModuleAnalysisManager &MAM) { 476 const StackSafetyGlobalInfo *SSI = nullptr; 477 auto TargetTriple = llvm::Triple(M.getTargetTriple()); 478 if (shouldUseStackSafetyAnalysis(TargetTriple, Options.DisableOptimization)) 479 SSI = &MAM.getResult<StackSafetyGlobalAnalysis>(M); 480 481 HWAddressSanitizer HWASan(M, Options.CompileKernel, Options.Recover, SSI); 482 bool Modified = false; 483 auto &FAM = MAM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager(); 484 for (Function &F : M) { 485 Modified |= HWASan.sanitizeFunction( 486 F, 487 [&]() -> const DominatorTree & { 488 return FAM.getResult<DominatorTreeAnalysis>(F); 489 }, 490 [&]() -> const PostDominatorTree & { 491 return FAM.getResult<PostDominatorTreeAnalysis>(F); 492 }); 493 } 494 if (Modified) 495 return PreservedAnalyses::none(); 496 return PreservedAnalyses::all(); 497 } 498 void HWAddressSanitizerPass::printPipeline( 499 raw_ostream &OS, function_ref<StringRef(StringRef)> MapClassName2PassName) { 500 static_cast<PassInfoMixin<HWAddressSanitizerPass> *>(this)->printPipeline( 501 OS, MapClassName2PassName); 502 OS << "<"; 503 if (Options.CompileKernel) 504 OS << "kernel;"; 505 if (Options.Recover) 506 OS << "recover"; 507 OS << ">"; 508 } 509 510 void HWAddressSanitizer::createHwasanCtorComdat() { 511 std::tie(HwasanCtorFunction, std::ignore) = 512 getOrCreateSanitizerCtorAndInitFunctions( 513 M, kHwasanModuleCtorName, kHwasanInitName, 514 /*InitArgTypes=*/{}, 515 /*InitArgs=*/{}, 516 // This callback is invoked when the functions are created the first 517 // time. Hook them into the global ctors list in that case: 518 [&](Function *Ctor, FunctionCallee) { 519 Comdat *CtorComdat = M.getOrInsertComdat(kHwasanModuleCtorName); 520 Ctor->setComdat(CtorComdat); 521 appendToGlobalCtors(M, Ctor, 0, Ctor); 522 }); 523 524 // Create a note that contains pointers to the list of global 525 // descriptors. Adding a note to the output file will cause the linker to 526 // create a PT_NOTE program header pointing to the note that we can use to 527 // find the descriptor list starting from the program headers. A function 528 // provided by the runtime initializes the shadow memory for the globals by 529 // accessing the descriptor list via the note. The dynamic loader needs to 530 // call this function whenever a library is loaded. 531 // 532 // The reason why we use a note for this instead of a more conventional 533 // approach of having a global constructor pass a descriptor list pointer to 534 // the runtime is because of an order of initialization problem. With 535 // constructors we can encounter the following problematic scenario: 536 // 537 // 1) library A depends on library B and also interposes one of B's symbols 538 // 2) B's constructors are called before A's (as required for correctness) 539 // 3) during construction, B accesses one of its "own" globals (actually 540 // interposed by A) and triggers a HWASAN failure due to the initialization 541 // for A not having happened yet 542 // 543 // Even without interposition it is possible to run into similar situations in 544 // cases where two libraries mutually depend on each other. 545 // 546 // We only need one note per binary, so put everything for the note in a 547 // comdat. This needs to be a comdat with an .init_array section to prevent 548 // newer versions of lld from discarding the note. 549 // 550 // Create the note even if we aren't instrumenting globals. This ensures that 551 // binaries linked from object files with both instrumented and 552 // non-instrumented globals will end up with a note, even if a comdat from an 553 // object file with non-instrumented globals is selected. The note is harmless 554 // if the runtime doesn't support it, since it will just be ignored. 555 Comdat *NoteComdat = M.getOrInsertComdat(kHwasanModuleCtorName); 556 557 Type *Int8Arr0Ty = ArrayType::get(Int8Ty, 0); 558 auto Start = 559 new GlobalVariable(M, Int8Arr0Ty, true, GlobalVariable::ExternalLinkage, 560 nullptr, "__start_hwasan_globals"); 561 Start->setVisibility(GlobalValue::HiddenVisibility); 562 Start->setDSOLocal(true); 563 auto Stop = 564 new GlobalVariable(M, Int8Arr0Ty, true, GlobalVariable::ExternalLinkage, 565 nullptr, "__stop_hwasan_globals"); 566 Stop->setVisibility(GlobalValue::HiddenVisibility); 567 Stop->setDSOLocal(true); 568 569 // Null-terminated so actually 8 bytes, which are required in order to align 570 // the note properly. 571 auto *Name = ConstantDataArray::get(*C, "LLVM\0\0\0"); 572 573 auto *NoteTy = StructType::get(Int32Ty, Int32Ty, Int32Ty, Name->getType(), 574 Int32Ty, Int32Ty); 575 auto *Note = 576 new GlobalVariable(M, NoteTy, /*isConstant=*/true, 577 GlobalValue::PrivateLinkage, nullptr, kHwasanNoteName); 578 Note->setSection(".note.hwasan.globals"); 579 Note->setComdat(NoteComdat); 580 Note->setAlignment(Align(4)); 581 Note->setDSOLocal(true); 582 583 // The pointers in the note need to be relative so that the note ends up being 584 // placed in rodata, which is the standard location for notes. 585 auto CreateRelPtr = [&](Constant *Ptr) { 586 return ConstantExpr::getTrunc( 587 ConstantExpr::getSub(ConstantExpr::getPtrToInt(Ptr, Int64Ty), 588 ConstantExpr::getPtrToInt(Note, Int64Ty)), 589 Int32Ty); 590 }; 591 Note->setInitializer(ConstantStruct::getAnon( 592 {ConstantInt::get(Int32Ty, 8), // n_namesz 593 ConstantInt::get(Int32Ty, 8), // n_descsz 594 ConstantInt::get(Int32Ty, ELF::NT_LLVM_HWASAN_GLOBALS), // n_type 595 Name, CreateRelPtr(Start), CreateRelPtr(Stop)})); 596 appendToCompilerUsed(M, Note); 597 598 // Create a zero-length global in hwasan_globals so that the linker will 599 // always create start and stop symbols. 600 auto Dummy = new GlobalVariable( 601 M, Int8Arr0Ty, /*isConstantGlobal*/ true, GlobalVariable::PrivateLinkage, 602 Constant::getNullValue(Int8Arr0Ty), "hwasan.dummy.global"); 603 Dummy->setSection("hwasan_globals"); 604 Dummy->setComdat(NoteComdat); 605 Dummy->setMetadata(LLVMContext::MD_associated, 606 MDNode::get(*C, ValueAsMetadata::get(Note))); 607 appendToCompilerUsed(M, Dummy); 608 } 609 610 /// Module-level initialization. 611 /// 612 /// inserts a call to __hwasan_init to the module's constructor list. 613 void HWAddressSanitizer::initializeModule() { 614 LLVM_DEBUG(dbgs() << "Init " << M.getName() << "\n"); 615 auto &DL = M.getDataLayout(); 616 617 TargetTriple = Triple(M.getTargetTriple()); 618 619 // x86_64 currently has two modes: 620 // - Intel LAM (default) 621 // - pointer aliasing (heap only) 622 bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64; 623 UsePageAliases = shouldUsePageAliases(TargetTriple); 624 InstrumentWithCalls = shouldInstrumentWithCalls(TargetTriple); 625 InstrumentStack = shouldInstrumentStack(TargetTriple); 626 DetectUseAfterScope = shouldDetectUseAfterScope(TargetTriple); 627 PointerTagShift = IsX86_64 ? 57 : 56; 628 TagMaskByte = IsX86_64 ? 0x3F : 0xFF; 629 630 Mapping.init(TargetTriple, InstrumentWithCalls); 631 632 C = &(M.getContext()); 633 IRBuilder<> IRB(*C); 634 IntptrTy = IRB.getIntPtrTy(DL); 635 Int8PtrTy = IRB.getInt8PtrTy(); 636 Int8Ty = IRB.getInt8Ty(); 637 Int32Ty = IRB.getInt32Ty(); 638 639 HwasanCtorFunction = nullptr; 640 641 // Older versions of Android do not have the required runtime support for 642 // short granules, global or personality function instrumentation. On other 643 // platforms we currently require using the latest version of the runtime. 644 bool NewRuntime = 645 !TargetTriple.isAndroid() || !TargetTriple.isAndroidVersionLT(30); 646 647 UseShortGranules = 648 ClUseShortGranules.getNumOccurrences() ? ClUseShortGranules : NewRuntime; 649 OutlinedChecks = 650 TargetTriple.isAArch64() && TargetTriple.isOSBinFormatELF() && 651 (ClInlineAllChecks.getNumOccurrences() ? !ClInlineAllChecks : !Recover); 652 653 if (ClMatchAllTag.getNumOccurrences()) { 654 if (ClMatchAllTag != -1) { 655 HasMatchAllTag = true; 656 MatchAllTag = ClMatchAllTag & 0xFF; 657 } 658 } else if (CompileKernel) { 659 HasMatchAllTag = true; 660 MatchAllTag = 0xFF; 661 } 662 663 // If we don't have personality function support, fall back to landing pads. 664 InstrumentLandingPads = ClInstrumentLandingPads.getNumOccurrences() 665 ? ClInstrumentLandingPads 666 : !NewRuntime; 667 668 if (!CompileKernel) { 669 createHwasanCtorComdat(); 670 bool InstrumentGlobals = 671 ClGlobals.getNumOccurrences() ? ClGlobals : NewRuntime; 672 673 if (InstrumentGlobals && !UsePageAliases) 674 instrumentGlobals(); 675 676 bool InstrumentPersonalityFunctions = 677 ClInstrumentPersonalityFunctions.getNumOccurrences() 678 ? ClInstrumentPersonalityFunctions 679 : NewRuntime; 680 if (InstrumentPersonalityFunctions) 681 instrumentPersonalityFunctions(); 682 } 683 684 if (!TargetTriple.isAndroid()) { 685 Constant *C = M.getOrInsertGlobal("__hwasan_tls", IntptrTy, [&] { 686 auto *GV = new GlobalVariable(M, IntptrTy, /*isConstant=*/false, 687 GlobalValue::ExternalLinkage, nullptr, 688 "__hwasan_tls", nullptr, 689 GlobalVariable::InitialExecTLSModel); 690 appendToCompilerUsed(M, GV); 691 return GV; 692 }); 693 ThreadPtrGlobal = cast<GlobalVariable>(C); 694 } 695 } 696 697 void HWAddressSanitizer::initializeCallbacks(Module &M) { 698 IRBuilder<> IRB(*C); 699 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 700 const std::string TypeStr = AccessIsWrite ? "store" : "load"; 701 const std::string EndingStr = Recover ? "_noabort" : ""; 702 703 HwasanMemoryAccessCallbackSized[AccessIsWrite] = M.getOrInsertFunction( 704 ClMemoryAccessCallbackPrefix + TypeStr + "N" + EndingStr, 705 FunctionType::get(IRB.getVoidTy(), {IntptrTy, IntptrTy}, false)); 706 707 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 708 AccessSizeIndex++) { 709 HwasanMemoryAccessCallback[AccessIsWrite][AccessSizeIndex] = 710 M.getOrInsertFunction( 711 ClMemoryAccessCallbackPrefix + TypeStr + 712 itostr(1ULL << AccessSizeIndex) + EndingStr, 713 FunctionType::get(IRB.getVoidTy(), {IntptrTy}, false)); 714 } 715 } 716 717 HwasanTagMemoryFunc = M.getOrInsertFunction( 718 "__hwasan_tag_memory", IRB.getVoidTy(), Int8PtrTy, Int8Ty, IntptrTy); 719 HwasanGenerateTagFunc = 720 M.getOrInsertFunction("__hwasan_generate_tag", Int8Ty); 721 722 ShadowGlobal = M.getOrInsertGlobal("__hwasan_shadow", 723 ArrayType::get(IRB.getInt8Ty(), 0)); 724 725 const std::string MemIntrinCallbackPrefix = 726 CompileKernel ? std::string("") : ClMemoryAccessCallbackPrefix; 727 HWAsanMemmove = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memmove", 728 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 729 IRB.getInt8PtrTy(), IntptrTy); 730 HWAsanMemcpy = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memcpy", 731 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 732 IRB.getInt8PtrTy(), IntptrTy); 733 HWAsanMemset = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memset", 734 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 735 IRB.getInt32Ty(), IntptrTy); 736 737 HWAsanHandleVfork = 738 M.getOrInsertFunction("__hwasan_handle_vfork", IRB.getVoidTy(), IntptrTy); 739 } 740 741 Value *HWAddressSanitizer::getOpaqueNoopCast(IRBuilder<> &IRB, Value *Val) { 742 // An empty inline asm with input reg == output reg. 743 // An opaque no-op cast, basically. 744 // This prevents code bloat as a result of rematerializing trivial definitions 745 // such as constants or global addresses at every load and store. 746 InlineAsm *Asm = 747 InlineAsm::get(FunctionType::get(Int8PtrTy, {Val->getType()}, false), 748 StringRef(""), StringRef("=r,0"), 749 /*hasSideEffects=*/false); 750 return IRB.CreateCall(Asm, {Val}, ".hwasan.shadow"); 751 } 752 753 Value *HWAddressSanitizer::getDynamicShadowIfunc(IRBuilder<> &IRB) { 754 return getOpaqueNoopCast(IRB, ShadowGlobal); 755 } 756 757 Value *HWAddressSanitizer::getShadowNonTls(IRBuilder<> &IRB) { 758 if (Mapping.Offset != kDynamicShadowSentinel) 759 return getOpaqueNoopCast( 760 IRB, ConstantExpr::getIntToPtr( 761 ConstantInt::get(IntptrTy, Mapping.Offset), Int8PtrTy)); 762 763 if (Mapping.InGlobal) { 764 return getDynamicShadowIfunc(IRB); 765 } else { 766 Value *GlobalDynamicAddress = 767 IRB.GetInsertBlock()->getParent()->getParent()->getOrInsertGlobal( 768 kHwasanShadowMemoryDynamicAddress, Int8PtrTy); 769 return IRB.CreateLoad(Int8PtrTy, GlobalDynamicAddress); 770 } 771 } 772 773 bool HWAddressSanitizer::ignoreAccess(Instruction *Inst, Value *Ptr) { 774 // Do not instrument acesses from different address spaces; we cannot deal 775 // with them. 776 Type *PtrTy = cast<PointerType>(Ptr->getType()->getScalarType()); 777 if (PtrTy->getPointerAddressSpace() != 0) 778 return true; 779 780 // Ignore swifterror addresses. 781 // swifterror memory addresses are mem2reg promoted by instruction 782 // selection. As such they cannot have regular uses like an instrumentation 783 // function and it makes no sense to track them as memory. 784 if (Ptr->isSwiftError()) 785 return true; 786 787 if (findAllocaForValue(Ptr)) { 788 if (!InstrumentStack) 789 return true; 790 if (SSI && SSI->stackAccessIsSafe(*Inst)) 791 return true; 792 } 793 return false; 794 } 795 796 void HWAddressSanitizer::getInterestingMemoryOperands( 797 Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting) { 798 // Skip memory accesses inserted by another instrumentation. 799 if (I->hasMetadata("nosanitize")) 800 return; 801 802 // Do not instrument the load fetching the dynamic shadow address. 803 if (ShadowBase == I) 804 return; 805 806 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 807 if (!ClInstrumentReads || ignoreAccess(I, LI->getPointerOperand())) 808 return; 809 Interesting.emplace_back(I, LI->getPointerOperandIndex(), false, 810 LI->getType(), LI->getAlign()); 811 } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 812 if (!ClInstrumentWrites || ignoreAccess(I, SI->getPointerOperand())) 813 return; 814 Interesting.emplace_back(I, SI->getPointerOperandIndex(), true, 815 SI->getValueOperand()->getType(), SI->getAlign()); 816 } else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 817 if (!ClInstrumentAtomics || ignoreAccess(I, RMW->getPointerOperand())) 818 return; 819 Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true, 820 RMW->getValOperand()->getType(), None); 821 } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 822 if (!ClInstrumentAtomics || ignoreAccess(I, XCHG->getPointerOperand())) 823 return; 824 Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true, 825 XCHG->getCompareOperand()->getType(), None); 826 } else if (auto CI = dyn_cast<CallInst>(I)) { 827 for (unsigned ArgNo = 0; ArgNo < CI->arg_size(); ArgNo++) { 828 if (!ClInstrumentByval || !CI->isByValArgument(ArgNo) || 829 ignoreAccess(I, CI->getArgOperand(ArgNo))) 830 continue; 831 Type *Ty = CI->getParamByValType(ArgNo); 832 Interesting.emplace_back(I, ArgNo, false, Ty, Align(1)); 833 } 834 } 835 } 836 837 static unsigned getPointerOperandIndex(Instruction *I) { 838 if (LoadInst *LI = dyn_cast<LoadInst>(I)) 839 return LI->getPointerOperandIndex(); 840 if (StoreInst *SI = dyn_cast<StoreInst>(I)) 841 return SI->getPointerOperandIndex(); 842 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) 843 return RMW->getPointerOperandIndex(); 844 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) 845 return XCHG->getPointerOperandIndex(); 846 report_fatal_error("Unexpected instruction"); 847 return -1; 848 } 849 850 static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 851 size_t Res = countTrailingZeros(TypeSize / 8); 852 assert(Res < kNumberOfAccessSizes); 853 return Res; 854 } 855 856 void HWAddressSanitizer::untagPointerOperand(Instruction *I, Value *Addr) { 857 if (TargetTriple.isAArch64() || TargetTriple.getArch() == Triple::x86_64) 858 return; 859 860 IRBuilder<> IRB(I); 861 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 862 Value *UntaggedPtr = 863 IRB.CreateIntToPtr(untagPointer(IRB, AddrLong), Addr->getType()); 864 I->setOperand(getPointerOperandIndex(I), UntaggedPtr); 865 } 866 867 Value *HWAddressSanitizer::memToShadow(Value *Mem, IRBuilder<> &IRB) { 868 // Mem >> Scale 869 Value *Shadow = IRB.CreateLShr(Mem, Mapping.Scale); 870 if (Mapping.Offset == 0) 871 return IRB.CreateIntToPtr(Shadow, Int8PtrTy); 872 // (Mem >> Scale) + Offset 873 return IRB.CreateGEP(Int8Ty, ShadowBase, Shadow); 874 } 875 876 int64_t HWAddressSanitizer::getAccessInfo(bool IsWrite, 877 unsigned AccessSizeIndex) { 878 return (CompileKernel << HWASanAccessInfo::CompileKernelShift) + 879 (HasMatchAllTag << HWASanAccessInfo::HasMatchAllShift) + 880 (MatchAllTag << HWASanAccessInfo::MatchAllShift) + 881 (Recover << HWASanAccessInfo::RecoverShift) + 882 (IsWrite << HWASanAccessInfo::IsWriteShift) + 883 (AccessSizeIndex << HWASanAccessInfo::AccessSizeShift); 884 } 885 886 void HWAddressSanitizer::instrumentMemAccessOutline(Value *Ptr, bool IsWrite, 887 unsigned AccessSizeIndex, 888 Instruction *InsertBefore) { 889 assert(!UsePageAliases); 890 const int64_t AccessInfo = getAccessInfo(IsWrite, AccessSizeIndex); 891 IRBuilder<> IRB(InsertBefore); 892 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 893 Ptr = IRB.CreateBitCast(Ptr, Int8PtrTy); 894 IRB.CreateCall(Intrinsic::getDeclaration( 895 M, UseShortGranules 896 ? Intrinsic::hwasan_check_memaccess_shortgranules 897 : Intrinsic::hwasan_check_memaccess), 898 {ShadowBase, Ptr, ConstantInt::get(Int32Ty, AccessInfo)}); 899 } 900 901 void HWAddressSanitizer::instrumentMemAccessInline(Value *Ptr, bool IsWrite, 902 unsigned AccessSizeIndex, 903 Instruction *InsertBefore) { 904 assert(!UsePageAliases); 905 const int64_t AccessInfo = getAccessInfo(IsWrite, AccessSizeIndex); 906 IRBuilder<> IRB(InsertBefore); 907 908 Value *PtrLong = IRB.CreatePointerCast(Ptr, IntptrTy); 909 Value *PtrTag = IRB.CreateTrunc(IRB.CreateLShr(PtrLong, PointerTagShift), 910 IRB.getInt8Ty()); 911 Value *AddrLong = untagPointer(IRB, PtrLong); 912 Value *Shadow = memToShadow(AddrLong, IRB); 913 Value *MemTag = IRB.CreateLoad(Int8Ty, Shadow); 914 Value *TagMismatch = IRB.CreateICmpNE(PtrTag, MemTag); 915 916 if (HasMatchAllTag) { 917 Value *TagNotIgnored = IRB.CreateICmpNE( 918 PtrTag, ConstantInt::get(PtrTag->getType(), MatchAllTag)); 919 TagMismatch = IRB.CreateAnd(TagMismatch, TagNotIgnored); 920 } 921 922 Instruction *CheckTerm = 923 SplitBlockAndInsertIfThen(TagMismatch, InsertBefore, false, 924 MDBuilder(*C).createBranchWeights(1, 100000)); 925 926 IRB.SetInsertPoint(CheckTerm); 927 Value *OutOfShortGranuleTagRange = 928 IRB.CreateICmpUGT(MemTag, ConstantInt::get(Int8Ty, 15)); 929 Instruction *CheckFailTerm = 930 SplitBlockAndInsertIfThen(OutOfShortGranuleTagRange, CheckTerm, !Recover, 931 MDBuilder(*C).createBranchWeights(1, 100000)); 932 933 IRB.SetInsertPoint(CheckTerm); 934 Value *PtrLowBits = IRB.CreateTrunc(IRB.CreateAnd(PtrLong, 15), Int8Ty); 935 PtrLowBits = IRB.CreateAdd( 936 PtrLowBits, ConstantInt::get(Int8Ty, (1 << AccessSizeIndex) - 1)); 937 Value *PtrLowBitsOOB = IRB.CreateICmpUGE(PtrLowBits, MemTag); 938 SplitBlockAndInsertIfThen(PtrLowBitsOOB, CheckTerm, false, 939 MDBuilder(*C).createBranchWeights(1, 100000), 940 (DomTreeUpdater *)nullptr, nullptr, 941 CheckFailTerm->getParent()); 942 943 IRB.SetInsertPoint(CheckTerm); 944 Value *InlineTagAddr = IRB.CreateOr(AddrLong, 15); 945 InlineTagAddr = IRB.CreateIntToPtr(InlineTagAddr, Int8PtrTy); 946 Value *InlineTag = IRB.CreateLoad(Int8Ty, InlineTagAddr); 947 Value *InlineTagMismatch = IRB.CreateICmpNE(PtrTag, InlineTag); 948 SplitBlockAndInsertIfThen(InlineTagMismatch, CheckTerm, false, 949 MDBuilder(*C).createBranchWeights(1, 100000), 950 (DomTreeUpdater *)nullptr, nullptr, 951 CheckFailTerm->getParent()); 952 953 IRB.SetInsertPoint(CheckFailTerm); 954 InlineAsm *Asm; 955 switch (TargetTriple.getArch()) { 956 case Triple::x86_64: 957 // The signal handler will find the data address in rdi. 958 Asm = InlineAsm::get( 959 FunctionType::get(IRB.getVoidTy(), {PtrLong->getType()}, false), 960 "int3\nnopl " + 961 itostr(0x40 + (AccessInfo & HWASanAccessInfo::RuntimeMask)) + 962 "(%rax)", 963 "{rdi}", 964 /*hasSideEffects=*/true); 965 break; 966 case Triple::aarch64: 967 case Triple::aarch64_be: 968 // The signal handler will find the data address in x0. 969 Asm = InlineAsm::get( 970 FunctionType::get(IRB.getVoidTy(), {PtrLong->getType()}, false), 971 "brk #" + itostr(0x900 + (AccessInfo & HWASanAccessInfo::RuntimeMask)), 972 "{x0}", 973 /*hasSideEffects=*/true); 974 break; 975 default: 976 report_fatal_error("unsupported architecture"); 977 } 978 IRB.CreateCall(Asm, PtrLong); 979 if (Recover) 980 cast<BranchInst>(CheckFailTerm)->setSuccessor(0, CheckTerm->getParent()); 981 } 982 983 bool HWAddressSanitizer::ignoreMemIntrinsic(MemIntrinsic *MI) { 984 if (MemTransferInst *MTI = dyn_cast<MemTransferInst>(MI)) { 985 return (!ClInstrumentWrites || ignoreAccess(MTI, MTI->getDest())) && 986 (!ClInstrumentReads || ignoreAccess(MTI, MTI->getSource())); 987 } 988 if (isa<MemSetInst>(MI)) 989 return !ClInstrumentWrites || ignoreAccess(MI, MI->getDest()); 990 return false; 991 } 992 993 void HWAddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 994 IRBuilder<> IRB(MI); 995 if (isa<MemTransferInst>(MI)) { 996 IRB.CreateCall( 997 isa<MemMoveInst>(MI) ? HWAsanMemmove : HWAsanMemcpy, 998 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 999 IRB.CreatePointerCast(MI->getOperand(1), IRB.getInt8PtrTy()), 1000 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 1001 } else if (isa<MemSetInst>(MI)) { 1002 IRB.CreateCall( 1003 HWAsanMemset, 1004 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 1005 IRB.CreateIntCast(MI->getOperand(1), IRB.getInt32Ty(), false), 1006 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 1007 } 1008 MI->eraseFromParent(); 1009 } 1010 1011 bool HWAddressSanitizer::instrumentMemAccess(InterestingMemoryOperand &O) { 1012 Value *Addr = O.getPtr(); 1013 1014 LLVM_DEBUG(dbgs() << "Instrumenting: " << O.getInsn() << "\n"); 1015 1016 if (O.MaybeMask) 1017 return false; // FIXME 1018 1019 IRBuilder<> IRB(O.getInsn()); 1020 if (isPowerOf2_64(O.TypeSize) && 1021 (O.TypeSize / 8 <= (1ULL << (kNumberOfAccessSizes - 1))) && 1022 (!O.Alignment || *O.Alignment >= (1ULL << Mapping.Scale) || 1023 *O.Alignment >= O.TypeSize / 8)) { 1024 size_t AccessSizeIndex = TypeSizeToSizeIndex(O.TypeSize); 1025 if (InstrumentWithCalls) { 1026 IRB.CreateCall(HwasanMemoryAccessCallback[O.IsWrite][AccessSizeIndex], 1027 IRB.CreatePointerCast(Addr, IntptrTy)); 1028 } else if (OutlinedChecks) { 1029 instrumentMemAccessOutline(Addr, O.IsWrite, AccessSizeIndex, O.getInsn()); 1030 } else { 1031 instrumentMemAccessInline(Addr, O.IsWrite, AccessSizeIndex, O.getInsn()); 1032 } 1033 } else { 1034 IRB.CreateCall(HwasanMemoryAccessCallbackSized[O.IsWrite], 1035 {IRB.CreatePointerCast(Addr, IntptrTy), 1036 ConstantInt::get(IntptrTy, O.TypeSize / 8)}); 1037 } 1038 untagPointerOperand(O.getInsn(), Addr); 1039 1040 return true; 1041 } 1042 1043 void HWAddressSanitizer::tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, 1044 size_t Size) { 1045 size_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment()); 1046 if (!UseShortGranules) 1047 Size = AlignedSize; 1048 1049 Value *JustTag = IRB.CreateTrunc(Tag, IRB.getInt8Ty()); 1050 if (InstrumentWithCalls) { 1051 IRB.CreateCall(HwasanTagMemoryFunc, 1052 {IRB.CreatePointerCast(AI, Int8PtrTy), JustTag, 1053 ConstantInt::get(IntptrTy, AlignedSize)}); 1054 } else { 1055 size_t ShadowSize = Size >> Mapping.Scale; 1056 Value *ShadowPtr = memToShadow(IRB.CreatePointerCast(AI, IntptrTy), IRB); 1057 // If this memset is not inlined, it will be intercepted in the hwasan 1058 // runtime library. That's OK, because the interceptor skips the checks if 1059 // the address is in the shadow region. 1060 // FIXME: the interceptor is not as fast as real memset. Consider lowering 1061 // llvm.memset right here into either a sequence of stores, or a call to 1062 // hwasan_tag_memory. 1063 if (ShadowSize) 1064 IRB.CreateMemSet(ShadowPtr, JustTag, ShadowSize, Align(1)); 1065 if (Size != AlignedSize) { 1066 IRB.CreateStore( 1067 ConstantInt::get(Int8Ty, Size % Mapping.getObjectAlignment()), 1068 IRB.CreateConstGEP1_32(Int8Ty, ShadowPtr, ShadowSize)); 1069 IRB.CreateStore(JustTag, IRB.CreateConstGEP1_32( 1070 Int8Ty, IRB.CreateBitCast(AI, Int8PtrTy), 1071 AlignedSize - 1)); 1072 } 1073 } 1074 } 1075 1076 unsigned HWAddressSanitizer::retagMask(unsigned AllocaNo) { 1077 if (TargetTriple.getArch() == Triple::x86_64) 1078 return AllocaNo & TagMaskByte; 1079 1080 // A list of 8-bit numbers that have at most one run of non-zero bits. 1081 // x = x ^ (mask << 56) can be encoded as a single armv8 instruction for these 1082 // masks. 1083 // The list does not include the value 255, which is used for UAR. 1084 // 1085 // Because we are more likely to use earlier elements of this list than later 1086 // ones, it is sorted in increasing order of probability of collision with a 1087 // mask allocated (temporally) nearby. The program that generated this list 1088 // can be found at: 1089 // https://github.com/google/sanitizers/blob/master/hwaddress-sanitizer/sort_masks.py 1090 static unsigned FastMasks[] = {0, 128, 64, 192, 32, 96, 224, 112, 240, 1091 48, 16, 120, 248, 56, 24, 8, 124, 252, 1092 60, 28, 12, 4, 126, 254, 62, 30, 14, 1093 6, 2, 127, 63, 31, 15, 7, 3, 1}; 1094 return FastMasks[AllocaNo % (sizeof(FastMasks) / sizeof(FastMasks[0]))]; 1095 } 1096 1097 Value *HWAddressSanitizer::applyTagMask(IRBuilder<> &IRB, Value *OldTag) { 1098 if (TargetTriple.getArch() == Triple::x86_64) { 1099 Constant *TagMask = ConstantInt::get(IntptrTy, TagMaskByte); 1100 Value *NewTag = IRB.CreateAnd(OldTag, TagMask); 1101 return NewTag; 1102 } 1103 // aarch64 uses 8-bit tags, so no mask is needed. 1104 return OldTag; 1105 } 1106 1107 Value *HWAddressSanitizer::getNextTagWithCall(IRBuilder<> &IRB) { 1108 return IRB.CreateZExt(IRB.CreateCall(HwasanGenerateTagFunc), IntptrTy); 1109 } 1110 1111 Value *HWAddressSanitizer::getStackBaseTag(IRBuilder<> &IRB) { 1112 if (ClGenerateTagsWithCalls) 1113 return getNextTagWithCall(IRB); 1114 if (StackBaseTag) 1115 return StackBaseTag; 1116 // FIXME: use addressofreturnaddress (but implement it in aarch64 backend 1117 // first). 1118 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 1119 auto GetStackPointerFn = Intrinsic::getDeclaration( 1120 M, Intrinsic::frameaddress, 1121 IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace())); 1122 Value *StackPointer = IRB.CreateCall( 1123 GetStackPointerFn, {Constant::getNullValue(IRB.getInt32Ty())}); 1124 1125 // Extract some entropy from the stack pointer for the tags. 1126 // Take bits 20..28 (ASLR entropy) and xor with bits 0..8 (these differ 1127 // between functions). 1128 Value *StackPointerLong = IRB.CreatePointerCast(StackPointer, IntptrTy); 1129 Value *StackTag = 1130 applyTagMask(IRB, IRB.CreateXor(StackPointerLong, 1131 IRB.CreateLShr(StackPointerLong, 20))); 1132 StackTag->setName("hwasan.stack.base.tag"); 1133 return StackTag; 1134 } 1135 1136 Value *HWAddressSanitizer::getAllocaTag(IRBuilder<> &IRB, Value *StackTag, 1137 AllocaInst *AI, unsigned AllocaNo) { 1138 if (ClGenerateTagsWithCalls) 1139 return getNextTagWithCall(IRB); 1140 return IRB.CreateXor(StackTag, 1141 ConstantInt::get(IntptrTy, retagMask(AllocaNo))); 1142 } 1143 1144 Value *HWAddressSanitizer::getUARTag(IRBuilder<> &IRB, Value *StackTag) { 1145 if (ClUARRetagToZero) 1146 return ConstantInt::get(IntptrTy, 0); 1147 if (ClGenerateTagsWithCalls) 1148 return getNextTagWithCall(IRB); 1149 return IRB.CreateXor(StackTag, ConstantInt::get(IntptrTy, TagMaskByte)); 1150 } 1151 1152 // Add a tag to an address. 1153 Value *HWAddressSanitizer::tagPointer(IRBuilder<> &IRB, Type *Ty, 1154 Value *PtrLong, Value *Tag) { 1155 assert(!UsePageAliases); 1156 Value *TaggedPtrLong; 1157 if (CompileKernel) { 1158 // Kernel addresses have 0xFF in the most significant byte. 1159 Value *ShiftedTag = 1160 IRB.CreateOr(IRB.CreateShl(Tag, PointerTagShift), 1161 ConstantInt::get(IntptrTy, (1ULL << PointerTagShift) - 1)); 1162 TaggedPtrLong = IRB.CreateAnd(PtrLong, ShiftedTag); 1163 } else { 1164 // Userspace can simply do OR (tag << PointerTagShift); 1165 Value *ShiftedTag = IRB.CreateShl(Tag, PointerTagShift); 1166 TaggedPtrLong = IRB.CreateOr(PtrLong, ShiftedTag); 1167 } 1168 return IRB.CreateIntToPtr(TaggedPtrLong, Ty); 1169 } 1170 1171 // Remove tag from an address. 1172 Value *HWAddressSanitizer::untagPointer(IRBuilder<> &IRB, Value *PtrLong) { 1173 assert(!UsePageAliases); 1174 Value *UntaggedPtrLong; 1175 if (CompileKernel) { 1176 // Kernel addresses have 0xFF in the most significant byte. 1177 UntaggedPtrLong = 1178 IRB.CreateOr(PtrLong, ConstantInt::get(PtrLong->getType(), 1179 0xFFULL << PointerTagShift)); 1180 } else { 1181 // Userspace addresses have 0x00. 1182 UntaggedPtrLong = 1183 IRB.CreateAnd(PtrLong, ConstantInt::get(PtrLong->getType(), 1184 ~(0xFFULL << PointerTagShift))); 1185 } 1186 return UntaggedPtrLong; 1187 } 1188 1189 Value *HWAddressSanitizer::getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty) { 1190 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 1191 if (TargetTriple.isAArch64() && TargetTriple.isAndroid()) { 1192 // Android provides a fixed TLS slot for sanitizers. See TLS_SLOT_SANITIZER 1193 // in Bionic's libc/private/bionic_tls.h. 1194 Function *ThreadPointerFunc = 1195 Intrinsic::getDeclaration(M, Intrinsic::thread_pointer); 1196 Value *SlotPtr = IRB.CreatePointerCast( 1197 IRB.CreateConstGEP1_32(IRB.getInt8Ty(), 1198 IRB.CreateCall(ThreadPointerFunc), 0x30), 1199 Ty->getPointerTo(0)); 1200 return SlotPtr; 1201 } 1202 if (ThreadPtrGlobal) 1203 return ThreadPtrGlobal; 1204 1205 return nullptr; 1206 } 1207 1208 void HWAddressSanitizer::emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord) { 1209 if (!Mapping.InTls) 1210 ShadowBase = getShadowNonTls(IRB); 1211 else if (!WithFrameRecord && TargetTriple.isAndroid()) 1212 ShadowBase = getDynamicShadowIfunc(IRB); 1213 1214 if (!WithFrameRecord && ShadowBase) 1215 return; 1216 1217 Value *SlotPtr = getHwasanThreadSlotPtr(IRB, IntptrTy); 1218 assert(SlotPtr); 1219 1220 Value *ThreadLong = IRB.CreateLoad(IntptrTy, SlotPtr); 1221 // Extract the address field from ThreadLong. Unnecessary on AArch64 with TBI. 1222 Value *ThreadLongMaybeUntagged = 1223 TargetTriple.isAArch64() ? ThreadLong : untagPointer(IRB, ThreadLong); 1224 1225 if (WithFrameRecord) { 1226 Function *F = IRB.GetInsertBlock()->getParent(); 1227 StackBaseTag = IRB.CreateAShr(ThreadLong, 3); 1228 1229 // Prepare ring buffer data. 1230 Value *PC; 1231 if (TargetTriple.getArch() == Triple::aarch64) 1232 PC = readRegister(IRB, "pc"); 1233 else 1234 PC = IRB.CreatePtrToInt(F, IntptrTy); 1235 Module *M = F->getParent(); 1236 auto GetStackPointerFn = Intrinsic::getDeclaration( 1237 M, Intrinsic::frameaddress, 1238 IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace())); 1239 Value *SP = IRB.CreatePtrToInt( 1240 IRB.CreateCall(GetStackPointerFn, 1241 {Constant::getNullValue(IRB.getInt32Ty())}), 1242 IntptrTy); 1243 // Mix SP and PC. 1244 // Assumptions: 1245 // PC is 0x0000PPPPPPPPPPPP (48 bits are meaningful, others are zero) 1246 // SP is 0xsssssssssssSSSS0 (4 lower bits are zero) 1247 // We only really need ~20 lower non-zero bits (SSSS), so we mix like this: 1248 // 0xSSSSPPPPPPPPPPPP 1249 SP = IRB.CreateShl(SP, 44); 1250 1251 // Store data to ring buffer. 1252 Value *RecordPtr = 1253 IRB.CreateIntToPtr(ThreadLongMaybeUntagged, IntptrTy->getPointerTo(0)); 1254 IRB.CreateStore(IRB.CreateOr(PC, SP), RecordPtr); 1255 1256 // Update the ring buffer. Top byte of ThreadLong defines the size of the 1257 // buffer in pages, it must be a power of two, and the start of the buffer 1258 // must be aligned by twice that much. Therefore wrap around of the ring 1259 // buffer is simply Addr &= ~((ThreadLong >> 56) << 12). 1260 // The use of AShr instead of LShr is due to 1261 // https://bugs.llvm.org/show_bug.cgi?id=39030 1262 // Runtime library makes sure not to use the highest bit. 1263 Value *WrapMask = IRB.CreateXor( 1264 IRB.CreateShl(IRB.CreateAShr(ThreadLong, 56), 12, "", true, true), 1265 ConstantInt::get(IntptrTy, (uint64_t)-1)); 1266 Value *ThreadLongNew = IRB.CreateAnd( 1267 IRB.CreateAdd(ThreadLong, ConstantInt::get(IntptrTy, 8)), WrapMask); 1268 IRB.CreateStore(ThreadLongNew, SlotPtr); 1269 } 1270 1271 if (!ShadowBase) { 1272 // Get shadow base address by aligning RecordPtr up. 1273 // Note: this is not correct if the pointer is already aligned. 1274 // Runtime library will make sure this never happens. 1275 ShadowBase = IRB.CreateAdd( 1276 IRB.CreateOr( 1277 ThreadLongMaybeUntagged, 1278 ConstantInt::get(IntptrTy, (1ULL << kShadowBaseAlignment) - 1)), 1279 ConstantInt::get(IntptrTy, 1), "hwasan.shadow"); 1280 ShadowBase = IRB.CreateIntToPtr(ShadowBase, Int8PtrTy); 1281 } 1282 } 1283 1284 Value *HWAddressSanitizer::readRegister(IRBuilder<> &IRB, StringRef Name) { 1285 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 1286 Function *ReadRegister = 1287 Intrinsic::getDeclaration(M, Intrinsic::read_register, IntptrTy); 1288 MDNode *MD = MDNode::get(*C, {MDString::get(*C, Name)}); 1289 Value *Args[] = {MetadataAsValue::get(*C, MD)}; 1290 return IRB.CreateCall(ReadRegister, Args); 1291 } 1292 1293 bool HWAddressSanitizer::instrumentLandingPads( 1294 SmallVectorImpl<Instruction *> &LandingPadVec) { 1295 for (auto *LP : LandingPadVec) { 1296 IRBuilder<> IRB(LP->getNextNode()); 1297 IRB.CreateCall( 1298 HWAsanHandleVfork, 1299 {readRegister(IRB, (TargetTriple.getArch() == Triple::x86_64) ? "rsp" 1300 : "sp")}); 1301 } 1302 return true; 1303 } 1304 1305 static bool isLifetimeIntrinsic(Value *V) { 1306 auto *II = dyn_cast<IntrinsicInst>(V); 1307 return II && II->isLifetimeStartOrEnd(); 1308 } 1309 1310 bool HWAddressSanitizer::instrumentStack( 1311 memtag::StackInfo &SInfo, Value *StackTag, 1312 llvm::function_ref<const DominatorTree &()> GetDT, 1313 llvm::function_ref<const PostDominatorTree &()> GetPDT) { 1314 // Ideally, we want to calculate tagged stack base pointer, and rewrite all 1315 // alloca addresses using that. Unfortunately, offsets are not known yet 1316 // (unless we use ASan-style mega-alloca). Instead we keep the base tag in a 1317 // temp, shift-OR it into each alloca address and xor with the retag mask. 1318 // This generates one extra instruction per alloca use. 1319 unsigned int I = 0; 1320 1321 for (auto &KV : SInfo.AllocasToInstrument) { 1322 auto N = I++; 1323 auto *AI = KV.first; 1324 memtag::AllocaInfo &Info = KV.second; 1325 IRBuilder<> IRB(AI->getNextNode()); 1326 1327 // Replace uses of the alloca with tagged address. 1328 Value *Tag = getAllocaTag(IRB, StackTag, AI, N); 1329 Value *AILong = IRB.CreatePointerCast(AI, IntptrTy); 1330 Value *Replacement = tagPointer(IRB, AI->getType(), AILong, Tag); 1331 std::string Name = 1332 AI->hasName() ? AI->getName().str() : "alloca." + itostr(N); 1333 Replacement->setName(Name + ".hwasan"); 1334 1335 size_t Size = memtag::getAllocaSizeInBytes(*AI); 1336 size_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment()); 1337 1338 Value *AICast = IRB.CreatePointerCast(AI, Int8PtrTy); 1339 1340 auto HandleLifetime = [&](IntrinsicInst *II) { 1341 // Set the lifetime intrinsic to cover the whole alloca. This reduces the 1342 // set of assumptions we need to make about the lifetime. Without this we 1343 // would need to ensure that we can track the lifetime pointer to a 1344 // constant offset from the alloca, and would still need to change the 1345 // size to include the extra alignment we use for the untagging to make 1346 // the size consistent. 1347 // 1348 // The check for standard lifetime below makes sure that we have exactly 1349 // one set of start / end in any execution (i.e. the ends are not 1350 // reachable from each other), so this will not cause any problems. 1351 II->setArgOperand(0, ConstantInt::get(Int64Ty, AlignedSize)); 1352 II->setArgOperand(1, AICast); 1353 }; 1354 llvm::for_each(Info.LifetimeStart, HandleLifetime); 1355 llvm::for_each(Info.LifetimeEnd, HandleLifetime); 1356 1357 AI->replaceUsesWithIf(Replacement, [AICast, AILong](Use &U) { 1358 auto *User = U.getUser(); 1359 return User != AILong && User != AICast && !isLifetimeIntrinsic(User); 1360 }); 1361 1362 for (auto *DDI : Info.DbgVariableIntrinsics) { 1363 // Prepend "tag_offset, N" to the dwarf expression. 1364 // Tag offset logically applies to the alloca pointer, and it makes sense 1365 // to put it at the beginning of the expression. 1366 SmallVector<uint64_t, 8> NewOps = {dwarf::DW_OP_LLVM_tag_offset, 1367 retagMask(N)}; 1368 for (size_t LocNo = 0; LocNo < DDI->getNumVariableLocationOps(); ++LocNo) 1369 if (DDI->getVariableLocationOp(LocNo) == AI) 1370 DDI->setExpression(DIExpression::appendOpsToArg(DDI->getExpression(), 1371 NewOps, LocNo)); 1372 } 1373 1374 auto TagEnd = [&](Instruction *Node) { 1375 IRB.SetInsertPoint(Node); 1376 Value *UARTag = getUARTag(IRB, StackTag); 1377 // When untagging, use the `AlignedSize` because we need to set the tags 1378 // for the entire alloca to zero. If we used `Size` here, we would 1379 // keep the last granule tagged, and store zero in the last byte of the 1380 // last granule, due to how short granules are implemented. 1381 tagAlloca(IRB, AI, UARTag, AlignedSize); 1382 }; 1383 // Calls to functions that may return twice (e.g. setjmp) confuse the 1384 // postdominator analysis, and will leave us to keep memory tagged after 1385 // function return. Work around this by always untagging at every return 1386 // statement if return_twice functions are called. 1387 bool StandardLifetime = 1388 SInfo.UnrecognizedLifetimes.empty() && 1389 memtag::isStandardLifetime(Info.LifetimeStart, Info.LifetimeEnd, 1390 &GetDT(), ClMaxLifetimes) && 1391 !SInfo.CallsReturnTwice; 1392 if (DetectUseAfterScope && StandardLifetime) { 1393 IntrinsicInst *Start = Info.LifetimeStart[0]; 1394 IRB.SetInsertPoint(Start->getNextNode()); 1395 tagAlloca(IRB, AI, Tag, Size); 1396 if (!memtag::forAllReachableExits(GetDT(), GetPDT(), Start, 1397 Info.LifetimeEnd, SInfo.RetVec, 1398 TagEnd)) { 1399 for (auto *End : Info.LifetimeEnd) 1400 End->eraseFromParent(); 1401 } 1402 } else { 1403 tagAlloca(IRB, AI, Tag, Size); 1404 for (auto *RI : SInfo.RetVec) 1405 TagEnd(RI); 1406 // We inserted tagging outside of the lifetimes, so we have to remove 1407 // them. 1408 for (auto &II : Info.LifetimeStart) 1409 II->eraseFromParent(); 1410 for (auto &II : Info.LifetimeEnd) 1411 II->eraseFromParent(); 1412 } 1413 memtag::alignAndPadAlloca(Info, Align(Mapping.getObjectAlignment())); 1414 } 1415 for (auto &I : SInfo.UnrecognizedLifetimes) 1416 I->eraseFromParent(); 1417 return true; 1418 } 1419 1420 bool HWAddressSanitizer::isInterestingAlloca(const AllocaInst &AI) { 1421 return (AI.getAllocatedType()->isSized() && 1422 // FIXME: instrument dynamic allocas, too 1423 AI.isStaticAlloca() && 1424 // alloca() may be called with 0 size, ignore it. 1425 memtag::getAllocaSizeInBytes(AI) > 0 && 1426 // We are only interested in allocas not promotable to registers. 1427 // Promotable allocas are common under -O0. 1428 !isAllocaPromotable(&AI) && 1429 // inalloca allocas are not treated as static, and we don't want 1430 // dynamic alloca instrumentation for them as well. 1431 !AI.isUsedWithInAlloca() && 1432 // swifterror allocas are register promoted by ISel 1433 !AI.isSwiftError()) && 1434 // safe allocas are not interesting 1435 !(SSI && SSI->isSafe(AI)); 1436 } 1437 1438 bool HWAddressSanitizer::sanitizeFunction( 1439 Function &F, llvm::function_ref<const DominatorTree &()> GetDT, 1440 llvm::function_ref<const PostDominatorTree &()> GetPDT) { 1441 if (&F == HwasanCtorFunction) 1442 return false; 1443 1444 if (!F.hasFnAttribute(Attribute::SanitizeHWAddress)) 1445 return false; 1446 1447 LLVM_DEBUG(dbgs() << "Function: " << F.getName() << "\n"); 1448 1449 SmallVector<InterestingMemoryOperand, 16> OperandsToInstrument; 1450 SmallVector<MemIntrinsic *, 16> IntrinToInstrument; 1451 SmallVector<Instruction *, 8> LandingPadVec; 1452 1453 memtag::StackInfoBuilder SIB( 1454 [this](const AllocaInst &AI) { return isInterestingAlloca(AI); }); 1455 for (auto &Inst : instructions(F)) { 1456 if (InstrumentStack) { 1457 SIB.visit(Inst); 1458 } 1459 1460 if (InstrumentLandingPads && isa<LandingPadInst>(Inst)) 1461 LandingPadVec.push_back(&Inst); 1462 1463 getInterestingMemoryOperands(&Inst, OperandsToInstrument); 1464 1465 if (MemIntrinsic *MI = dyn_cast<MemIntrinsic>(&Inst)) 1466 if (!ignoreMemIntrinsic(MI)) 1467 IntrinToInstrument.push_back(MI); 1468 } 1469 1470 memtag::StackInfo &SInfo = SIB.get(); 1471 1472 initializeCallbacks(*F.getParent()); 1473 1474 bool Changed = false; 1475 1476 if (!LandingPadVec.empty()) 1477 Changed |= instrumentLandingPads(LandingPadVec); 1478 1479 if (SInfo.AllocasToInstrument.empty() && F.hasPersonalityFn() && 1480 F.getPersonalityFn()->getName() == kHwasanPersonalityThunkName) { 1481 // __hwasan_personality_thunk is a no-op for functions without an 1482 // instrumented stack, so we can drop it. 1483 F.setPersonalityFn(nullptr); 1484 Changed = true; 1485 } 1486 1487 if (SInfo.AllocasToInstrument.empty() && OperandsToInstrument.empty() && 1488 IntrinToInstrument.empty()) 1489 return Changed; 1490 1491 assert(!ShadowBase); 1492 1493 Instruction *InsertPt = &*F.getEntryBlock().begin(); 1494 IRBuilder<> EntryIRB(InsertPt); 1495 emitPrologue(EntryIRB, 1496 /*WithFrameRecord*/ ClRecordStackHistory && 1497 Mapping.WithFrameRecord && 1498 !SInfo.AllocasToInstrument.empty()); 1499 1500 if (!SInfo.AllocasToInstrument.empty()) { 1501 Value *StackTag = 1502 ClGenerateTagsWithCalls ? nullptr : getStackBaseTag(EntryIRB); 1503 instrumentStack(SInfo, StackTag, GetDT, GetPDT); 1504 } 1505 1506 // If we split the entry block, move any allocas that were originally in the 1507 // entry block back into the entry block so that they aren't treated as 1508 // dynamic allocas. 1509 if (EntryIRB.GetInsertBlock() != &F.getEntryBlock()) { 1510 InsertPt = &*F.getEntryBlock().begin(); 1511 for (Instruction &I : 1512 llvm::make_early_inc_range(*EntryIRB.GetInsertBlock())) { 1513 if (auto *AI = dyn_cast<AllocaInst>(&I)) 1514 if (isa<ConstantInt>(AI->getArraySize())) 1515 I.moveBefore(InsertPt); 1516 } 1517 } 1518 1519 for (auto &Operand : OperandsToInstrument) 1520 instrumentMemAccess(Operand); 1521 1522 if (ClInstrumentMemIntrinsics && !IntrinToInstrument.empty()) { 1523 for (auto Inst : IntrinToInstrument) 1524 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 1525 } 1526 1527 ShadowBase = nullptr; 1528 StackBaseTag = nullptr; 1529 1530 return true; 1531 } 1532 1533 void HWAddressSanitizer::instrumentGlobal(GlobalVariable *GV, uint8_t Tag) { 1534 assert(!UsePageAliases); 1535 Constant *Initializer = GV->getInitializer(); 1536 uint64_t SizeInBytes = 1537 M.getDataLayout().getTypeAllocSize(Initializer->getType()); 1538 uint64_t NewSize = alignTo(SizeInBytes, Mapping.getObjectAlignment()); 1539 if (SizeInBytes != NewSize) { 1540 // Pad the initializer out to the next multiple of 16 bytes and add the 1541 // required short granule tag. 1542 std::vector<uint8_t> Init(NewSize - SizeInBytes, 0); 1543 Init.back() = Tag; 1544 Constant *Padding = ConstantDataArray::get(*C, Init); 1545 Initializer = ConstantStruct::getAnon({Initializer, Padding}); 1546 } 1547 1548 auto *NewGV = new GlobalVariable(M, Initializer->getType(), GV->isConstant(), 1549 GlobalValue::ExternalLinkage, Initializer, 1550 GV->getName() + ".hwasan"); 1551 NewGV->copyAttributesFrom(GV); 1552 NewGV->setLinkage(GlobalValue::PrivateLinkage); 1553 NewGV->copyMetadata(GV, 0); 1554 NewGV->setAlignment( 1555 MaybeAlign(std::max(GV->getAlignment(), Mapping.getObjectAlignment()))); 1556 1557 // It is invalid to ICF two globals that have different tags. In the case 1558 // where the size of the global is a multiple of the tag granularity the 1559 // contents of the globals may be the same but the tags (i.e. symbol values) 1560 // may be different, and the symbols are not considered during ICF. In the 1561 // case where the size is not a multiple of the granularity, the short granule 1562 // tags would discriminate two globals with different tags, but there would 1563 // otherwise be nothing stopping such a global from being incorrectly ICF'd 1564 // with an uninstrumented (i.e. tag 0) global that happened to have the short 1565 // granule tag in the last byte. 1566 NewGV->setUnnamedAddr(GlobalValue::UnnamedAddr::None); 1567 1568 // Descriptor format (assuming little-endian): 1569 // bytes 0-3: relative address of global 1570 // bytes 4-6: size of global (16MB ought to be enough for anyone, but in case 1571 // it isn't, we create multiple descriptors) 1572 // byte 7: tag 1573 auto *DescriptorTy = StructType::get(Int32Ty, Int32Ty); 1574 const uint64_t MaxDescriptorSize = 0xfffff0; 1575 for (uint64_t DescriptorPos = 0; DescriptorPos < SizeInBytes; 1576 DescriptorPos += MaxDescriptorSize) { 1577 auto *Descriptor = 1578 new GlobalVariable(M, DescriptorTy, true, GlobalValue::PrivateLinkage, 1579 nullptr, GV->getName() + ".hwasan.descriptor"); 1580 auto *GVRelPtr = ConstantExpr::getTrunc( 1581 ConstantExpr::getAdd( 1582 ConstantExpr::getSub( 1583 ConstantExpr::getPtrToInt(NewGV, Int64Ty), 1584 ConstantExpr::getPtrToInt(Descriptor, Int64Ty)), 1585 ConstantInt::get(Int64Ty, DescriptorPos)), 1586 Int32Ty); 1587 uint32_t Size = std::min(SizeInBytes - DescriptorPos, MaxDescriptorSize); 1588 auto *SizeAndTag = ConstantInt::get(Int32Ty, Size | (uint32_t(Tag) << 24)); 1589 Descriptor->setComdat(NewGV->getComdat()); 1590 Descriptor->setInitializer(ConstantStruct::getAnon({GVRelPtr, SizeAndTag})); 1591 Descriptor->setSection("hwasan_globals"); 1592 Descriptor->setMetadata(LLVMContext::MD_associated, 1593 MDNode::get(*C, ValueAsMetadata::get(NewGV))); 1594 appendToCompilerUsed(M, Descriptor); 1595 } 1596 1597 Constant *Aliasee = ConstantExpr::getIntToPtr( 1598 ConstantExpr::getAdd( 1599 ConstantExpr::getPtrToInt(NewGV, Int64Ty), 1600 ConstantInt::get(Int64Ty, uint64_t(Tag) << PointerTagShift)), 1601 GV->getType()); 1602 auto *Alias = GlobalAlias::create(GV->getValueType(), GV->getAddressSpace(), 1603 GV->getLinkage(), "", Aliasee, &M); 1604 Alias->setVisibility(GV->getVisibility()); 1605 Alias->takeName(GV); 1606 GV->replaceAllUsesWith(Alias); 1607 GV->eraseFromParent(); 1608 } 1609 1610 static DenseSet<GlobalVariable *> getExcludedGlobals(Module &M) { 1611 NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals"); 1612 if (!Globals) 1613 return DenseSet<GlobalVariable *>(); 1614 DenseSet<GlobalVariable *> Excluded(Globals->getNumOperands()); 1615 for (auto MDN : Globals->operands()) { 1616 // Metadata node contains the global and the fields of "Entry". 1617 assert(MDN->getNumOperands() == 5); 1618 auto *V = mdconst::extract_or_null<Constant>(MDN->getOperand(0)); 1619 // The optimizer may optimize away a global entirely. 1620 if (!V) 1621 continue; 1622 auto *StrippedV = V->stripPointerCasts(); 1623 auto *GV = dyn_cast<GlobalVariable>(StrippedV); 1624 if (!GV) 1625 continue; 1626 ConstantInt *IsExcluded = mdconst::extract<ConstantInt>(MDN->getOperand(4)); 1627 if (IsExcluded->isOne()) 1628 Excluded.insert(GV); 1629 } 1630 return Excluded; 1631 } 1632 1633 void HWAddressSanitizer::instrumentGlobals() { 1634 std::vector<GlobalVariable *> Globals; 1635 auto ExcludedGlobals = getExcludedGlobals(M); 1636 for (GlobalVariable &GV : M.globals()) { 1637 if (ExcludedGlobals.count(&GV)) 1638 continue; 1639 1640 if (GV.isDeclarationForLinker() || GV.getName().startswith("llvm.") || 1641 GV.isThreadLocal()) 1642 continue; 1643 1644 // Common symbols can't have aliases point to them, so they can't be tagged. 1645 if (GV.hasCommonLinkage()) 1646 continue; 1647 1648 // Globals with custom sections may be used in __start_/__stop_ enumeration, 1649 // which would be broken both by adding tags and potentially by the extra 1650 // padding/alignment that we insert. 1651 if (GV.hasSection()) 1652 continue; 1653 1654 Globals.push_back(&GV); 1655 } 1656 1657 MD5 Hasher; 1658 Hasher.update(M.getSourceFileName()); 1659 MD5::MD5Result Hash; 1660 Hasher.final(Hash); 1661 uint8_t Tag = Hash[0]; 1662 1663 for (GlobalVariable *GV : Globals) { 1664 Tag &= TagMaskByte; 1665 // Skip tag 0 in order to avoid collisions with untagged memory. 1666 if (Tag == 0) 1667 Tag = 1; 1668 instrumentGlobal(GV, Tag++); 1669 } 1670 } 1671 1672 void HWAddressSanitizer::instrumentPersonalityFunctions() { 1673 // We need to untag stack frames as we unwind past them. That is the job of 1674 // the personality function wrapper, which either wraps an existing 1675 // personality function or acts as a personality function on its own. Each 1676 // function that has a personality function or that can be unwound past has 1677 // its personality function changed to a thunk that calls the personality 1678 // function wrapper in the runtime. 1679 MapVector<Constant *, std::vector<Function *>> PersonalityFns; 1680 for (Function &F : M) { 1681 if (F.isDeclaration() || !F.hasFnAttribute(Attribute::SanitizeHWAddress)) 1682 continue; 1683 1684 if (F.hasPersonalityFn()) { 1685 PersonalityFns[F.getPersonalityFn()->stripPointerCasts()].push_back(&F); 1686 } else if (!F.hasFnAttribute(Attribute::NoUnwind)) { 1687 PersonalityFns[nullptr].push_back(&F); 1688 } 1689 } 1690 1691 if (PersonalityFns.empty()) 1692 return; 1693 1694 FunctionCallee HwasanPersonalityWrapper = M.getOrInsertFunction( 1695 "__hwasan_personality_wrapper", Int32Ty, Int32Ty, Int32Ty, Int64Ty, 1696 Int8PtrTy, Int8PtrTy, Int8PtrTy, Int8PtrTy, Int8PtrTy); 1697 FunctionCallee UnwindGetGR = M.getOrInsertFunction("_Unwind_GetGR", VoidTy); 1698 FunctionCallee UnwindGetCFA = M.getOrInsertFunction("_Unwind_GetCFA", VoidTy); 1699 1700 for (auto &P : PersonalityFns) { 1701 std::string ThunkName = kHwasanPersonalityThunkName; 1702 if (P.first) 1703 ThunkName += ("." + P.first->getName()).str(); 1704 FunctionType *ThunkFnTy = FunctionType::get( 1705 Int32Ty, {Int32Ty, Int32Ty, Int64Ty, Int8PtrTy, Int8PtrTy}, false); 1706 bool IsLocal = P.first && (!isa<GlobalValue>(P.first) || 1707 cast<GlobalValue>(P.first)->hasLocalLinkage()); 1708 auto *ThunkFn = Function::Create(ThunkFnTy, 1709 IsLocal ? GlobalValue::InternalLinkage 1710 : GlobalValue::LinkOnceODRLinkage, 1711 ThunkName, &M); 1712 if (!IsLocal) { 1713 ThunkFn->setVisibility(GlobalValue::HiddenVisibility); 1714 ThunkFn->setComdat(M.getOrInsertComdat(ThunkName)); 1715 } 1716 1717 auto *BB = BasicBlock::Create(*C, "entry", ThunkFn); 1718 IRBuilder<> IRB(BB); 1719 CallInst *WrapperCall = IRB.CreateCall( 1720 HwasanPersonalityWrapper, 1721 {ThunkFn->getArg(0), ThunkFn->getArg(1), ThunkFn->getArg(2), 1722 ThunkFn->getArg(3), ThunkFn->getArg(4), 1723 P.first ? IRB.CreateBitCast(P.first, Int8PtrTy) 1724 : Constant::getNullValue(Int8PtrTy), 1725 IRB.CreateBitCast(UnwindGetGR.getCallee(), Int8PtrTy), 1726 IRB.CreateBitCast(UnwindGetCFA.getCallee(), Int8PtrTy)}); 1727 WrapperCall->setTailCall(); 1728 IRB.CreateRet(WrapperCall); 1729 1730 for (Function *F : P.second) 1731 F->setPersonalityFn(ThunkFn); 1732 } 1733 } 1734 1735 void HWAddressSanitizer::ShadowMapping::init(Triple &TargetTriple, 1736 bool InstrumentWithCalls) { 1737 Scale = kDefaultShadowScale; 1738 if (TargetTriple.isOSFuchsia()) { 1739 // Fuchsia is always PIE, which means that the beginning of the address 1740 // space is always available. 1741 InGlobal = false; 1742 InTls = false; 1743 Offset = 0; 1744 WithFrameRecord = true; 1745 } else if (ClMappingOffset.getNumOccurrences() > 0) { 1746 InGlobal = false; 1747 InTls = false; 1748 Offset = ClMappingOffset; 1749 WithFrameRecord = false; 1750 } else if (ClEnableKhwasan || InstrumentWithCalls) { 1751 InGlobal = false; 1752 InTls = false; 1753 Offset = 0; 1754 WithFrameRecord = false; 1755 } else if (ClWithIfunc) { 1756 InGlobal = true; 1757 InTls = false; 1758 Offset = kDynamicShadowSentinel; 1759 WithFrameRecord = false; 1760 } else if (ClWithTls) { 1761 InGlobal = false; 1762 InTls = true; 1763 Offset = kDynamicShadowSentinel; 1764 WithFrameRecord = true; 1765 } else { 1766 InGlobal = false; 1767 InTls = false; 1768 Offset = kDynamicShadowSentinel; 1769 WithFrameRecord = false; 1770 } 1771 } 1772