1 //===- HWAddressSanitizer.cpp - detector of uninitialized reads -------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 /// \file 10 /// This file is a part of HWAddressSanitizer, an address sanity checker 11 /// based on tagged addressing. 12 //===----------------------------------------------------------------------===// 13 14 #include "llvm/Transforms/Instrumentation/HWAddressSanitizer.h" 15 #include "llvm/ADT/MapVector.h" 16 #include "llvm/ADT/SmallVector.h" 17 #include "llvm/ADT/StringExtras.h" 18 #include "llvm/ADT/StringRef.h" 19 #include "llvm/ADT/Triple.h" 20 #include "llvm/BinaryFormat/ELF.h" 21 #include "llvm/IR/Attributes.h" 22 #include "llvm/IR/BasicBlock.h" 23 #include "llvm/IR/Constant.h" 24 #include "llvm/IR/Constants.h" 25 #include "llvm/IR/DataLayout.h" 26 #include "llvm/IR/DebugInfoMetadata.h" 27 #include "llvm/IR/DerivedTypes.h" 28 #include "llvm/IR/Function.h" 29 #include "llvm/IR/IRBuilder.h" 30 #include "llvm/IR/InlineAsm.h" 31 #include "llvm/IR/InstVisitor.h" 32 #include "llvm/IR/Instruction.h" 33 #include "llvm/IR/Instructions.h" 34 #include "llvm/IR/IntrinsicInst.h" 35 #include "llvm/IR/Intrinsics.h" 36 #include "llvm/IR/LLVMContext.h" 37 #include "llvm/IR/MDBuilder.h" 38 #include "llvm/IR/Module.h" 39 #include "llvm/IR/Type.h" 40 #include "llvm/IR/Value.h" 41 #include "llvm/InitializePasses.h" 42 #include "llvm/Pass.h" 43 #include "llvm/Support/Casting.h" 44 #include "llvm/Support/CommandLine.h" 45 #include "llvm/Support/Debug.h" 46 #include "llvm/Support/raw_ostream.h" 47 #include "llvm/Transforms/Instrumentation.h" 48 #include "llvm/Transforms/Instrumentation/AddressSanitizerCommon.h" 49 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 50 #include "llvm/Transforms/Utils/ModuleUtils.h" 51 #include "llvm/Transforms/Utils/PromoteMemToReg.h" 52 #include <sstream> 53 54 using namespace llvm; 55 56 #define DEBUG_TYPE "hwasan" 57 58 const char kHwasanModuleCtorName[] = "hwasan.module_ctor"; 59 const char kHwasanNoteName[] = "hwasan.note"; 60 const char kHwasanInitName[] = "__hwasan_init"; 61 const char kHwasanPersonalityThunkName[] = "__hwasan_personality_thunk"; 62 63 const char kHwasanShadowMemoryDynamicAddress[] = 64 "__hwasan_shadow_memory_dynamic_address"; 65 66 // Accesses sizes are powers of two: 1, 2, 4, 8, 16. 67 static const size_t kNumberOfAccessSizes = 5; 68 69 static const size_t kDefaultShadowScale = 4; 70 static const uint64_t kDynamicShadowSentinel = 71 std::numeric_limits<uint64_t>::max(); 72 73 static const unsigned kShadowBaseAlignment = 32; 74 75 static cl::opt<std::string> 76 ClMemoryAccessCallbackPrefix("hwasan-memory-access-callback-prefix", 77 cl::desc("Prefix for memory access callbacks"), 78 cl::Hidden, cl::init("__hwasan_")); 79 80 static cl::opt<bool> ClInstrumentWithCalls( 81 "hwasan-instrument-with-calls", 82 cl::desc("instrument reads and writes with callbacks"), cl::Hidden, 83 cl::init(false)); 84 85 static cl::opt<bool> ClInstrumentReads("hwasan-instrument-reads", 86 cl::desc("instrument read instructions"), 87 cl::Hidden, cl::init(true)); 88 89 static cl::opt<bool> 90 ClInstrumentWrites("hwasan-instrument-writes", 91 cl::desc("instrument write instructions"), cl::Hidden, 92 cl::init(true)); 93 94 static cl::opt<bool> ClInstrumentAtomics( 95 "hwasan-instrument-atomics", 96 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden, 97 cl::init(true)); 98 99 static cl::opt<bool> ClInstrumentByval("hwasan-instrument-byval", 100 cl::desc("instrument byval arguments"), 101 cl::Hidden, cl::init(true)); 102 103 static cl::opt<bool> 104 ClRecover("hwasan-recover", 105 cl::desc("Enable recovery mode (continue-after-error)."), 106 cl::Hidden, cl::init(false)); 107 108 static cl::opt<bool> ClInstrumentStack("hwasan-instrument-stack", 109 cl::desc("instrument stack (allocas)"), 110 cl::Hidden, cl::init(true)); 111 112 static cl::opt<bool> ClUARRetagToZero( 113 "hwasan-uar-retag-to-zero", 114 cl::desc("Clear alloca tags before returning from the function to allow " 115 "non-instrumented and instrumented function calls mix. When set " 116 "to false, allocas are retagged before returning from the " 117 "function to detect use after return."), 118 cl::Hidden, cl::init(true)); 119 120 static cl::opt<bool> ClGenerateTagsWithCalls( 121 "hwasan-generate-tags-with-calls", 122 cl::desc("generate new tags with runtime library calls"), cl::Hidden, 123 cl::init(false)); 124 125 static cl::opt<bool> ClGlobals("hwasan-globals", cl::desc("Instrument globals"), 126 cl::Hidden, cl::init(false), cl::ZeroOrMore); 127 128 static cl::opt<int> ClMatchAllTag( 129 "hwasan-match-all-tag", 130 cl::desc("don't report bad accesses via pointers with this tag"), 131 cl::Hidden, cl::init(-1)); 132 133 static cl::opt<bool> 134 ClEnableKhwasan("hwasan-kernel", 135 cl::desc("Enable KernelHWAddressSanitizer instrumentation"), 136 cl::Hidden, cl::init(false)); 137 138 // These flags allow to change the shadow mapping and control how shadow memory 139 // is accessed. The shadow mapping looks like: 140 // Shadow = (Mem >> scale) + offset 141 142 static cl::opt<uint64_t> 143 ClMappingOffset("hwasan-mapping-offset", 144 cl::desc("HWASan shadow mapping offset [EXPERIMENTAL]"), 145 cl::Hidden, cl::init(0)); 146 147 static cl::opt<bool> 148 ClWithIfunc("hwasan-with-ifunc", 149 cl::desc("Access dynamic shadow through an ifunc global on " 150 "platforms that support this"), 151 cl::Hidden, cl::init(false)); 152 153 static cl::opt<bool> ClWithTls( 154 "hwasan-with-tls", 155 cl::desc("Access dynamic shadow through an thread-local pointer on " 156 "platforms that support this"), 157 cl::Hidden, cl::init(true)); 158 159 static cl::opt<bool> 160 ClRecordStackHistory("hwasan-record-stack-history", 161 cl::desc("Record stack frames with tagged allocations " 162 "in a thread-local ring buffer"), 163 cl::Hidden, cl::init(true)); 164 static cl::opt<bool> 165 ClInstrumentMemIntrinsics("hwasan-instrument-mem-intrinsics", 166 cl::desc("instrument memory intrinsics"), 167 cl::Hidden, cl::init(true)); 168 169 static cl::opt<bool> 170 ClInstrumentLandingPads("hwasan-instrument-landing-pads", 171 cl::desc("instrument landing pads"), cl::Hidden, 172 cl::init(false), cl::ZeroOrMore); 173 174 static cl::opt<bool> ClUseShortGranules( 175 "hwasan-use-short-granules", 176 cl::desc("use short granules in allocas and outlined checks"), cl::Hidden, 177 cl::init(false), cl::ZeroOrMore); 178 179 static cl::opt<bool> ClInstrumentPersonalityFunctions( 180 "hwasan-instrument-personality-functions", 181 cl::desc("instrument personality functions"), cl::Hidden, cl::init(false), 182 cl::ZeroOrMore); 183 184 static cl::opt<bool> ClInlineAllChecks("hwasan-inline-all-checks", 185 cl::desc("inline all checks"), 186 cl::Hidden, cl::init(false)); 187 188 // Enabled from clang by "-fsanitize-hwaddress-experimental-aliasing". 189 static cl::opt<bool> ClUsePageAliases("hwasan-experimental-use-page-aliases", 190 cl::desc("Use page aliasing in HWASan"), 191 cl::Hidden, cl::init(false)); 192 193 namespace { 194 195 /// An instrumentation pass implementing detection of addressability bugs 196 /// using tagged pointers. 197 class HWAddressSanitizer { 198 public: 199 explicit HWAddressSanitizer(Module &M, bool CompileKernel = false, 200 bool Recover = false) 201 : M(M) { 202 this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover; 203 this->CompileKernel = ClEnableKhwasan.getNumOccurrences() > 0 204 ? ClEnableKhwasan 205 : CompileKernel; 206 207 initializeModule(); 208 } 209 210 bool sanitizeFunction(Function &F); 211 void initializeModule(); 212 void createHwasanCtorComdat(); 213 214 void initializeCallbacks(Module &M); 215 216 Value *getOpaqueNoopCast(IRBuilder<> &IRB, Value *Val); 217 218 Value *getDynamicShadowIfunc(IRBuilder<> &IRB); 219 Value *getShadowNonTls(IRBuilder<> &IRB); 220 221 void untagPointerOperand(Instruction *I, Value *Addr); 222 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 223 void instrumentMemAccessInline(Value *Ptr, bool IsWrite, 224 unsigned AccessSizeIndex, 225 Instruction *InsertBefore); 226 void instrumentMemIntrinsic(MemIntrinsic *MI); 227 bool instrumentMemAccess(InterestingMemoryOperand &O); 228 bool ignoreAccess(Value *Ptr); 229 void getInterestingMemoryOperands( 230 Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting); 231 232 bool isInterestingAlloca(const AllocaInst &AI); 233 bool tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, size_t Size); 234 Value *tagPointer(IRBuilder<> &IRB, Type *Ty, Value *PtrLong, Value *Tag); 235 Value *untagPointer(IRBuilder<> &IRB, Value *PtrLong); 236 bool instrumentStack( 237 SmallVectorImpl<AllocaInst *> &Allocas, 238 DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> &AllocaDbgMap, 239 SmallVectorImpl<Instruction *> &RetVec, Value *StackTag); 240 Value *readRegister(IRBuilder<> &IRB, StringRef Name); 241 bool instrumentLandingPads(SmallVectorImpl<Instruction *> &RetVec); 242 Value *getNextTagWithCall(IRBuilder<> &IRB); 243 Value *getStackBaseTag(IRBuilder<> &IRB); 244 Value *getAllocaTag(IRBuilder<> &IRB, Value *StackTag, AllocaInst *AI, 245 unsigned AllocaNo); 246 Value *getUARTag(IRBuilder<> &IRB, Value *StackTag); 247 248 Value *getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty); 249 Value *applyTagMask(IRBuilder<> &IRB, Value *OldTag); 250 unsigned retagMask(unsigned AllocaNo); 251 252 void emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord); 253 254 void instrumentGlobal(GlobalVariable *GV, uint8_t Tag); 255 void instrumentGlobals(); 256 257 void instrumentPersonalityFunctions(); 258 259 private: 260 LLVMContext *C; 261 Module &M; 262 Triple TargetTriple; 263 FunctionCallee HWAsanMemmove, HWAsanMemcpy, HWAsanMemset; 264 FunctionCallee HWAsanHandleVfork; 265 266 /// This struct defines the shadow mapping using the rule: 267 /// shadow = (mem >> Scale) + Offset. 268 /// If InGlobal is true, then 269 /// extern char __hwasan_shadow[]; 270 /// shadow = (mem >> Scale) + &__hwasan_shadow 271 /// If InTls is true, then 272 /// extern char *__hwasan_tls; 273 /// shadow = (mem>>Scale) + align_up(__hwasan_shadow, kShadowBaseAlignment) 274 /// 275 /// If WithFrameRecord is true, then __hwasan_tls will be used to access the 276 /// ring buffer for storing stack allocations on targets that support it. 277 struct ShadowMapping { 278 int Scale; 279 uint64_t Offset; 280 bool InGlobal; 281 bool InTls; 282 bool WithFrameRecord; 283 284 void init(Triple &TargetTriple, bool InstrumentWithCalls); 285 unsigned getObjectAlignment() const { return 1U << Scale; } 286 }; 287 ShadowMapping Mapping; 288 289 Type *VoidTy = Type::getVoidTy(M.getContext()); 290 Type *IntptrTy; 291 Type *Int8PtrTy; 292 Type *Int8Ty; 293 Type *Int32Ty; 294 Type *Int64Ty = Type::getInt64Ty(M.getContext()); 295 296 bool CompileKernel; 297 bool Recover; 298 bool OutlinedChecks; 299 bool UseShortGranules; 300 bool InstrumentLandingPads; 301 bool InstrumentWithCalls; 302 bool InstrumentStack; 303 bool UsePageAliases; 304 305 bool HasMatchAllTag = false; 306 uint8_t MatchAllTag = 0; 307 308 unsigned PointerTagShift; 309 uint64_t TagMaskByte; 310 311 Function *HwasanCtorFunction; 312 313 FunctionCallee HwasanMemoryAccessCallback[2][kNumberOfAccessSizes]; 314 FunctionCallee HwasanMemoryAccessCallbackSized[2]; 315 316 FunctionCallee HwasanTagMemoryFunc; 317 FunctionCallee HwasanGenerateTagFunc; 318 319 Constant *ShadowGlobal; 320 321 Value *ShadowBase = nullptr; 322 Value *StackBaseTag = nullptr; 323 GlobalValue *ThreadPtrGlobal = nullptr; 324 }; 325 326 class HWAddressSanitizerLegacyPass : public FunctionPass { 327 public: 328 // Pass identification, replacement for typeid. 329 static char ID; 330 331 explicit HWAddressSanitizerLegacyPass(bool CompileKernel = false, 332 bool Recover = false) 333 : FunctionPass(ID), CompileKernel(CompileKernel), Recover(Recover) { 334 initializeHWAddressSanitizerLegacyPassPass( 335 *PassRegistry::getPassRegistry()); 336 } 337 338 StringRef getPassName() const override { return "HWAddressSanitizer"; } 339 340 bool doInitialization(Module &M) override { 341 HWASan = std::make_unique<HWAddressSanitizer>(M, CompileKernel, Recover); 342 return true; 343 } 344 345 bool runOnFunction(Function &F) override { 346 return HWASan->sanitizeFunction(F); 347 } 348 349 bool doFinalization(Module &M) override { 350 HWASan.reset(); 351 return false; 352 } 353 354 private: 355 std::unique_ptr<HWAddressSanitizer> HWASan; 356 bool CompileKernel; 357 bool Recover; 358 }; 359 360 } // end anonymous namespace 361 362 char HWAddressSanitizerLegacyPass::ID = 0; 363 364 INITIALIZE_PASS_BEGIN( 365 HWAddressSanitizerLegacyPass, "hwasan", 366 "HWAddressSanitizer: detect memory bugs using tagged addressing.", false, 367 false) 368 INITIALIZE_PASS_END( 369 HWAddressSanitizerLegacyPass, "hwasan", 370 "HWAddressSanitizer: detect memory bugs using tagged addressing.", false, 371 false) 372 373 FunctionPass *llvm::createHWAddressSanitizerLegacyPassPass(bool CompileKernel, 374 bool Recover) { 375 assert(!CompileKernel || Recover); 376 return new HWAddressSanitizerLegacyPass(CompileKernel, Recover); 377 } 378 379 HWAddressSanitizerPass::HWAddressSanitizerPass(bool CompileKernel, bool Recover) 380 : CompileKernel(CompileKernel), Recover(Recover) {} 381 382 PreservedAnalyses HWAddressSanitizerPass::run(Module &M, 383 ModuleAnalysisManager &MAM) { 384 HWAddressSanitizer HWASan(M, CompileKernel, Recover); 385 bool Modified = false; 386 for (Function &F : M) 387 Modified |= HWASan.sanitizeFunction(F); 388 if (Modified) 389 return PreservedAnalyses::none(); 390 return PreservedAnalyses::all(); 391 } 392 393 void HWAddressSanitizer::createHwasanCtorComdat() { 394 std::tie(HwasanCtorFunction, std::ignore) = 395 getOrCreateSanitizerCtorAndInitFunctions( 396 M, kHwasanModuleCtorName, kHwasanInitName, 397 /*InitArgTypes=*/{}, 398 /*InitArgs=*/{}, 399 // This callback is invoked when the functions are created the first 400 // time. Hook them into the global ctors list in that case: 401 [&](Function *Ctor, FunctionCallee) { 402 Comdat *CtorComdat = M.getOrInsertComdat(kHwasanModuleCtorName); 403 Ctor->setComdat(CtorComdat); 404 appendToGlobalCtors(M, Ctor, 0, Ctor); 405 }); 406 407 // Create a note that contains pointers to the list of global 408 // descriptors. Adding a note to the output file will cause the linker to 409 // create a PT_NOTE program header pointing to the note that we can use to 410 // find the descriptor list starting from the program headers. A function 411 // provided by the runtime initializes the shadow memory for the globals by 412 // accessing the descriptor list via the note. The dynamic loader needs to 413 // call this function whenever a library is loaded. 414 // 415 // The reason why we use a note for this instead of a more conventional 416 // approach of having a global constructor pass a descriptor list pointer to 417 // the runtime is because of an order of initialization problem. With 418 // constructors we can encounter the following problematic scenario: 419 // 420 // 1) library A depends on library B and also interposes one of B's symbols 421 // 2) B's constructors are called before A's (as required for correctness) 422 // 3) during construction, B accesses one of its "own" globals (actually 423 // interposed by A) and triggers a HWASAN failure due to the initialization 424 // for A not having happened yet 425 // 426 // Even without interposition it is possible to run into similar situations in 427 // cases where two libraries mutually depend on each other. 428 // 429 // We only need one note per binary, so put everything for the note in a 430 // comdat. This needs to be a comdat with an .init_array section to prevent 431 // newer versions of lld from discarding the note. 432 // 433 // Create the note even if we aren't instrumenting globals. This ensures that 434 // binaries linked from object files with both instrumented and 435 // non-instrumented globals will end up with a note, even if a comdat from an 436 // object file with non-instrumented globals is selected. The note is harmless 437 // if the runtime doesn't support it, since it will just be ignored. 438 Comdat *NoteComdat = M.getOrInsertComdat(kHwasanModuleCtorName); 439 440 Type *Int8Arr0Ty = ArrayType::get(Int8Ty, 0); 441 auto Start = 442 new GlobalVariable(M, Int8Arr0Ty, true, GlobalVariable::ExternalLinkage, 443 nullptr, "__start_hwasan_globals"); 444 Start->setVisibility(GlobalValue::HiddenVisibility); 445 Start->setDSOLocal(true); 446 auto Stop = 447 new GlobalVariable(M, Int8Arr0Ty, true, GlobalVariable::ExternalLinkage, 448 nullptr, "__stop_hwasan_globals"); 449 Stop->setVisibility(GlobalValue::HiddenVisibility); 450 Stop->setDSOLocal(true); 451 452 // Null-terminated so actually 8 bytes, which are required in order to align 453 // the note properly. 454 auto *Name = ConstantDataArray::get(*C, "LLVM\0\0\0"); 455 456 auto *NoteTy = StructType::get(Int32Ty, Int32Ty, Int32Ty, Name->getType(), 457 Int32Ty, Int32Ty); 458 auto *Note = 459 new GlobalVariable(M, NoteTy, /*isConstant=*/true, 460 GlobalValue::PrivateLinkage, nullptr, kHwasanNoteName); 461 Note->setSection(".note.hwasan.globals"); 462 Note->setComdat(NoteComdat); 463 Note->setAlignment(Align(4)); 464 Note->setDSOLocal(true); 465 466 // The pointers in the note need to be relative so that the note ends up being 467 // placed in rodata, which is the standard location for notes. 468 auto CreateRelPtr = [&](Constant *Ptr) { 469 return ConstantExpr::getTrunc( 470 ConstantExpr::getSub(ConstantExpr::getPtrToInt(Ptr, Int64Ty), 471 ConstantExpr::getPtrToInt(Note, Int64Ty)), 472 Int32Ty); 473 }; 474 Note->setInitializer(ConstantStruct::getAnon( 475 {ConstantInt::get(Int32Ty, 8), // n_namesz 476 ConstantInt::get(Int32Ty, 8), // n_descsz 477 ConstantInt::get(Int32Ty, ELF::NT_LLVM_HWASAN_GLOBALS), // n_type 478 Name, CreateRelPtr(Start), CreateRelPtr(Stop)})); 479 appendToCompilerUsed(M, Note); 480 481 // Create a zero-length global in hwasan_globals so that the linker will 482 // always create start and stop symbols. 483 auto Dummy = new GlobalVariable( 484 M, Int8Arr0Ty, /*isConstantGlobal*/ true, GlobalVariable::PrivateLinkage, 485 Constant::getNullValue(Int8Arr0Ty), "hwasan.dummy.global"); 486 Dummy->setSection("hwasan_globals"); 487 Dummy->setComdat(NoteComdat); 488 Dummy->setMetadata(LLVMContext::MD_associated, 489 MDNode::get(*C, ValueAsMetadata::get(Note))); 490 appendToCompilerUsed(M, Dummy); 491 } 492 493 /// Module-level initialization. 494 /// 495 /// inserts a call to __hwasan_init to the module's constructor list. 496 void HWAddressSanitizer::initializeModule() { 497 LLVM_DEBUG(dbgs() << "Init " << M.getName() << "\n"); 498 auto &DL = M.getDataLayout(); 499 500 TargetTriple = Triple(M.getTargetTriple()); 501 502 // x86_64 currently has two modes: 503 // - Intel LAM (default) 504 // - pointer aliasing (heap only) 505 bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64; 506 UsePageAliases = ClUsePageAliases && IsX86_64; 507 InstrumentWithCalls = IsX86_64 ? true : ClInstrumentWithCalls; 508 InstrumentStack = UsePageAliases ? false : ClInstrumentStack; 509 PointerTagShift = IsX86_64 ? 57 : 56; 510 TagMaskByte = IsX86_64 ? 0x3F : 0xFF; 511 512 Mapping.init(TargetTriple, InstrumentWithCalls); 513 514 C = &(M.getContext()); 515 IRBuilder<> IRB(*C); 516 IntptrTy = IRB.getIntPtrTy(DL); 517 Int8PtrTy = IRB.getInt8PtrTy(); 518 Int8Ty = IRB.getInt8Ty(); 519 Int32Ty = IRB.getInt32Ty(); 520 521 HwasanCtorFunction = nullptr; 522 523 // Older versions of Android do not have the required runtime support for 524 // short granules, global or personality function instrumentation. On other 525 // platforms we currently require using the latest version of the runtime. 526 bool NewRuntime = 527 !TargetTriple.isAndroid() || !TargetTriple.isAndroidVersionLT(30); 528 529 UseShortGranules = 530 ClUseShortGranules.getNumOccurrences() ? ClUseShortGranules : NewRuntime; 531 OutlinedChecks = 532 TargetTriple.isAArch64() && TargetTriple.isOSBinFormatELF() && 533 (ClInlineAllChecks.getNumOccurrences() ? !ClInlineAllChecks : !Recover); 534 535 if (ClMatchAllTag.getNumOccurrences()) { 536 if (ClMatchAllTag != -1) { 537 HasMatchAllTag = true; 538 MatchAllTag = ClMatchAllTag & 0xFF; 539 } 540 } else if (CompileKernel) { 541 HasMatchAllTag = true; 542 MatchAllTag = 0xFF; 543 } 544 545 // If we don't have personality function support, fall back to landing pads. 546 InstrumentLandingPads = ClInstrumentLandingPads.getNumOccurrences() 547 ? ClInstrumentLandingPads 548 : !NewRuntime; 549 550 if (!CompileKernel) { 551 createHwasanCtorComdat(); 552 bool InstrumentGlobals = 553 ClGlobals.getNumOccurrences() ? ClGlobals : NewRuntime; 554 555 if (InstrumentGlobals && !UsePageAliases) 556 instrumentGlobals(); 557 558 bool InstrumentPersonalityFunctions = 559 ClInstrumentPersonalityFunctions.getNumOccurrences() 560 ? ClInstrumentPersonalityFunctions 561 : NewRuntime; 562 if (InstrumentPersonalityFunctions) 563 instrumentPersonalityFunctions(); 564 } 565 566 if (!TargetTriple.isAndroid()) { 567 Constant *C = M.getOrInsertGlobal("__hwasan_tls", IntptrTy, [&] { 568 auto *GV = new GlobalVariable(M, IntptrTy, /*isConstant=*/false, 569 GlobalValue::ExternalLinkage, nullptr, 570 "__hwasan_tls", nullptr, 571 GlobalVariable::InitialExecTLSModel); 572 appendToCompilerUsed(M, GV); 573 return GV; 574 }); 575 ThreadPtrGlobal = cast<GlobalVariable>(C); 576 } 577 } 578 579 void HWAddressSanitizer::initializeCallbacks(Module &M) { 580 IRBuilder<> IRB(*C); 581 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 582 const std::string TypeStr = AccessIsWrite ? "store" : "load"; 583 const std::string EndingStr = Recover ? "_noabort" : ""; 584 585 HwasanMemoryAccessCallbackSized[AccessIsWrite] = M.getOrInsertFunction( 586 ClMemoryAccessCallbackPrefix + TypeStr + "N" + EndingStr, 587 FunctionType::get(IRB.getVoidTy(), {IntptrTy, IntptrTy}, false)); 588 589 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 590 AccessSizeIndex++) { 591 HwasanMemoryAccessCallback[AccessIsWrite][AccessSizeIndex] = 592 M.getOrInsertFunction( 593 ClMemoryAccessCallbackPrefix + TypeStr + 594 itostr(1ULL << AccessSizeIndex) + EndingStr, 595 FunctionType::get(IRB.getVoidTy(), {IntptrTy}, false)); 596 } 597 } 598 599 HwasanTagMemoryFunc = M.getOrInsertFunction( 600 "__hwasan_tag_memory", IRB.getVoidTy(), Int8PtrTy, Int8Ty, IntptrTy); 601 HwasanGenerateTagFunc = 602 M.getOrInsertFunction("__hwasan_generate_tag", Int8Ty); 603 604 ShadowGlobal = M.getOrInsertGlobal("__hwasan_shadow", 605 ArrayType::get(IRB.getInt8Ty(), 0)); 606 607 const std::string MemIntrinCallbackPrefix = 608 CompileKernel ? std::string("") : ClMemoryAccessCallbackPrefix; 609 HWAsanMemmove = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memmove", 610 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 611 IRB.getInt8PtrTy(), IntptrTy); 612 HWAsanMemcpy = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memcpy", 613 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 614 IRB.getInt8PtrTy(), IntptrTy); 615 HWAsanMemset = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memset", 616 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 617 IRB.getInt32Ty(), IntptrTy); 618 619 HWAsanHandleVfork = 620 M.getOrInsertFunction("__hwasan_handle_vfork", IRB.getVoidTy(), IntptrTy); 621 } 622 623 Value *HWAddressSanitizer::getOpaqueNoopCast(IRBuilder<> &IRB, Value *Val) { 624 // An empty inline asm with input reg == output reg. 625 // An opaque no-op cast, basically. 626 // This prevents code bloat as a result of rematerializing trivial definitions 627 // such as constants or global addresses at every load and store. 628 InlineAsm *Asm = 629 InlineAsm::get(FunctionType::get(Int8PtrTy, {Val->getType()}, false), 630 StringRef(""), StringRef("=r,0"), 631 /*hasSideEffects=*/false); 632 return IRB.CreateCall(Asm, {Val}, ".hwasan.shadow"); 633 } 634 635 Value *HWAddressSanitizer::getDynamicShadowIfunc(IRBuilder<> &IRB) { 636 return getOpaqueNoopCast(IRB, ShadowGlobal); 637 } 638 639 Value *HWAddressSanitizer::getShadowNonTls(IRBuilder<> &IRB) { 640 if (Mapping.Offset != kDynamicShadowSentinel) 641 return getOpaqueNoopCast( 642 IRB, ConstantExpr::getIntToPtr( 643 ConstantInt::get(IntptrTy, Mapping.Offset), Int8PtrTy)); 644 645 if (Mapping.InGlobal) { 646 return getDynamicShadowIfunc(IRB); 647 } else { 648 Value *GlobalDynamicAddress = 649 IRB.GetInsertBlock()->getParent()->getParent()->getOrInsertGlobal( 650 kHwasanShadowMemoryDynamicAddress, Int8PtrTy); 651 return IRB.CreateLoad(Int8PtrTy, GlobalDynamicAddress); 652 } 653 } 654 655 bool HWAddressSanitizer::ignoreAccess(Value *Ptr) { 656 // Do not instrument acesses from different address spaces; we cannot deal 657 // with them. 658 Type *PtrTy = cast<PointerType>(Ptr->getType()->getScalarType()); 659 if (PtrTy->getPointerAddressSpace() != 0) 660 return true; 661 662 // Ignore swifterror addresses. 663 // swifterror memory addresses are mem2reg promoted by instruction 664 // selection. As such they cannot have regular uses like an instrumentation 665 // function and it makes no sense to track them as memory. 666 if (Ptr->isSwiftError()) 667 return true; 668 669 return false; 670 } 671 672 void HWAddressSanitizer::getInterestingMemoryOperands( 673 Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting) { 674 // Skip memory accesses inserted by another instrumentation. 675 if (I->hasMetadata("nosanitize")) 676 return; 677 678 // Do not instrument the load fetching the dynamic shadow address. 679 if (ShadowBase == I) 680 return; 681 682 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 683 if (!ClInstrumentReads || ignoreAccess(LI->getPointerOperand())) 684 return; 685 Interesting.emplace_back(I, LI->getPointerOperandIndex(), false, 686 LI->getType(), LI->getAlign()); 687 } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 688 if (!ClInstrumentWrites || ignoreAccess(SI->getPointerOperand())) 689 return; 690 Interesting.emplace_back(I, SI->getPointerOperandIndex(), true, 691 SI->getValueOperand()->getType(), SI->getAlign()); 692 } else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 693 if (!ClInstrumentAtomics || ignoreAccess(RMW->getPointerOperand())) 694 return; 695 Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true, 696 RMW->getValOperand()->getType(), None); 697 } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 698 if (!ClInstrumentAtomics || ignoreAccess(XCHG->getPointerOperand())) 699 return; 700 Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true, 701 XCHG->getCompareOperand()->getType(), None); 702 } else if (auto CI = dyn_cast<CallInst>(I)) { 703 for (unsigned ArgNo = 0; ArgNo < CI->getNumArgOperands(); ArgNo++) { 704 if (!ClInstrumentByval || !CI->isByValArgument(ArgNo) || 705 ignoreAccess(CI->getArgOperand(ArgNo))) 706 continue; 707 Type *Ty = CI->getParamByValType(ArgNo); 708 Interesting.emplace_back(I, ArgNo, false, Ty, Align(1)); 709 } 710 } 711 } 712 713 static unsigned getPointerOperandIndex(Instruction *I) { 714 if (LoadInst *LI = dyn_cast<LoadInst>(I)) 715 return LI->getPointerOperandIndex(); 716 if (StoreInst *SI = dyn_cast<StoreInst>(I)) 717 return SI->getPointerOperandIndex(); 718 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) 719 return RMW->getPointerOperandIndex(); 720 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) 721 return XCHG->getPointerOperandIndex(); 722 report_fatal_error("Unexpected instruction"); 723 return -1; 724 } 725 726 static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 727 size_t Res = countTrailingZeros(TypeSize / 8); 728 assert(Res < kNumberOfAccessSizes); 729 return Res; 730 } 731 732 void HWAddressSanitizer::untagPointerOperand(Instruction *I, Value *Addr) { 733 if (TargetTriple.isAArch64() || TargetTriple.getArch() == Triple::x86_64) 734 return; 735 736 IRBuilder<> IRB(I); 737 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 738 Value *UntaggedPtr = 739 IRB.CreateIntToPtr(untagPointer(IRB, AddrLong), Addr->getType()); 740 I->setOperand(getPointerOperandIndex(I), UntaggedPtr); 741 } 742 743 Value *HWAddressSanitizer::memToShadow(Value *Mem, IRBuilder<> &IRB) { 744 // Mem >> Scale 745 Value *Shadow = IRB.CreateLShr(Mem, Mapping.Scale); 746 if (Mapping.Offset == 0) 747 return IRB.CreateIntToPtr(Shadow, Int8PtrTy); 748 // (Mem >> Scale) + Offset 749 return IRB.CreateGEP(Int8Ty, ShadowBase, Shadow); 750 } 751 752 void HWAddressSanitizer::instrumentMemAccessInline(Value *Ptr, bool IsWrite, 753 unsigned AccessSizeIndex, 754 Instruction *InsertBefore) { 755 assert(!UsePageAliases); 756 const int64_t AccessInfo = 757 (CompileKernel << HWASanAccessInfo::CompileKernelShift) + 758 (HasMatchAllTag << HWASanAccessInfo::HasMatchAllShift) + 759 (MatchAllTag << HWASanAccessInfo::MatchAllShift) + 760 (Recover << HWASanAccessInfo::RecoverShift) + 761 (IsWrite << HWASanAccessInfo::IsWriteShift) + 762 (AccessSizeIndex << HWASanAccessInfo::AccessSizeShift); 763 IRBuilder<> IRB(InsertBefore); 764 765 if (OutlinedChecks) { 766 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 767 Ptr = IRB.CreateBitCast(Ptr, Int8PtrTy); 768 IRB.CreateCall(Intrinsic::getDeclaration( 769 M, UseShortGranules 770 ? Intrinsic::hwasan_check_memaccess_shortgranules 771 : Intrinsic::hwasan_check_memaccess), 772 {ShadowBase, Ptr, ConstantInt::get(Int32Ty, AccessInfo)}); 773 return; 774 } 775 776 Value *PtrLong = IRB.CreatePointerCast(Ptr, IntptrTy); 777 Value *PtrTag = IRB.CreateTrunc(IRB.CreateLShr(PtrLong, PointerTagShift), 778 IRB.getInt8Ty()); 779 Value *AddrLong = untagPointer(IRB, PtrLong); 780 Value *Shadow = memToShadow(AddrLong, IRB); 781 Value *MemTag = IRB.CreateLoad(Int8Ty, Shadow); 782 Value *TagMismatch = IRB.CreateICmpNE(PtrTag, MemTag); 783 784 if (HasMatchAllTag) { 785 Value *TagNotIgnored = IRB.CreateICmpNE( 786 PtrTag, ConstantInt::get(PtrTag->getType(), MatchAllTag)); 787 TagMismatch = IRB.CreateAnd(TagMismatch, TagNotIgnored); 788 } 789 790 Instruction *CheckTerm = 791 SplitBlockAndInsertIfThen(TagMismatch, InsertBefore, false, 792 MDBuilder(*C).createBranchWeights(1, 100000)); 793 794 IRB.SetInsertPoint(CheckTerm); 795 Value *OutOfShortGranuleTagRange = 796 IRB.CreateICmpUGT(MemTag, ConstantInt::get(Int8Ty, 15)); 797 Instruction *CheckFailTerm = 798 SplitBlockAndInsertIfThen(OutOfShortGranuleTagRange, CheckTerm, !Recover, 799 MDBuilder(*C).createBranchWeights(1, 100000)); 800 801 IRB.SetInsertPoint(CheckTerm); 802 Value *PtrLowBits = IRB.CreateTrunc(IRB.CreateAnd(PtrLong, 15), Int8Ty); 803 PtrLowBits = IRB.CreateAdd( 804 PtrLowBits, ConstantInt::get(Int8Ty, (1 << AccessSizeIndex) - 1)); 805 Value *PtrLowBitsOOB = IRB.CreateICmpUGE(PtrLowBits, MemTag); 806 SplitBlockAndInsertIfThen(PtrLowBitsOOB, CheckTerm, false, 807 MDBuilder(*C).createBranchWeights(1, 100000), 808 (DomTreeUpdater *)nullptr, nullptr, 809 CheckFailTerm->getParent()); 810 811 IRB.SetInsertPoint(CheckTerm); 812 Value *InlineTagAddr = IRB.CreateOr(AddrLong, 15); 813 InlineTagAddr = IRB.CreateIntToPtr(InlineTagAddr, Int8PtrTy); 814 Value *InlineTag = IRB.CreateLoad(Int8Ty, InlineTagAddr); 815 Value *InlineTagMismatch = IRB.CreateICmpNE(PtrTag, InlineTag); 816 SplitBlockAndInsertIfThen(InlineTagMismatch, CheckTerm, false, 817 MDBuilder(*C).createBranchWeights(1, 100000), 818 (DomTreeUpdater *)nullptr, nullptr, 819 CheckFailTerm->getParent()); 820 821 IRB.SetInsertPoint(CheckFailTerm); 822 InlineAsm *Asm; 823 switch (TargetTriple.getArch()) { 824 case Triple::x86_64: 825 // The signal handler will find the data address in rdi. 826 Asm = InlineAsm::get( 827 FunctionType::get(IRB.getVoidTy(), {PtrLong->getType()}, false), 828 "int3\nnopl " + 829 itostr(0x40 + (AccessInfo & HWASanAccessInfo::RuntimeMask)) + 830 "(%rax)", 831 "{rdi}", 832 /*hasSideEffects=*/true); 833 break; 834 case Triple::aarch64: 835 case Triple::aarch64_be: 836 // The signal handler will find the data address in x0. 837 Asm = InlineAsm::get( 838 FunctionType::get(IRB.getVoidTy(), {PtrLong->getType()}, false), 839 "brk #" + itostr(0x900 + (AccessInfo & HWASanAccessInfo::RuntimeMask)), 840 "{x0}", 841 /*hasSideEffects=*/true); 842 break; 843 default: 844 report_fatal_error("unsupported architecture"); 845 } 846 IRB.CreateCall(Asm, PtrLong); 847 if (Recover) 848 cast<BranchInst>(CheckFailTerm)->setSuccessor(0, CheckTerm->getParent()); 849 } 850 851 void HWAddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 852 IRBuilder<> IRB(MI); 853 if (isa<MemTransferInst>(MI)) { 854 IRB.CreateCall( 855 isa<MemMoveInst>(MI) ? HWAsanMemmove : HWAsanMemcpy, 856 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 857 IRB.CreatePointerCast(MI->getOperand(1), IRB.getInt8PtrTy()), 858 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 859 } else if (isa<MemSetInst>(MI)) { 860 IRB.CreateCall( 861 HWAsanMemset, 862 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 863 IRB.CreateIntCast(MI->getOperand(1), IRB.getInt32Ty(), false), 864 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 865 } 866 MI->eraseFromParent(); 867 } 868 869 bool HWAddressSanitizer::instrumentMemAccess(InterestingMemoryOperand &O) { 870 Value *Addr = O.getPtr(); 871 872 LLVM_DEBUG(dbgs() << "Instrumenting: " << O.getInsn() << "\n"); 873 874 if (O.MaybeMask) 875 return false; // FIXME 876 877 IRBuilder<> IRB(O.getInsn()); 878 if (isPowerOf2_64(O.TypeSize) && 879 (O.TypeSize / 8 <= (1ULL << (kNumberOfAccessSizes - 1))) && 880 (!O.Alignment || *O.Alignment >= (1ULL << Mapping.Scale) || 881 *O.Alignment >= O.TypeSize / 8)) { 882 size_t AccessSizeIndex = TypeSizeToSizeIndex(O.TypeSize); 883 if (InstrumentWithCalls) { 884 IRB.CreateCall(HwasanMemoryAccessCallback[O.IsWrite][AccessSizeIndex], 885 IRB.CreatePointerCast(Addr, IntptrTy)); 886 } else { 887 instrumentMemAccessInline(Addr, O.IsWrite, AccessSizeIndex, O.getInsn()); 888 } 889 } else { 890 IRB.CreateCall(HwasanMemoryAccessCallbackSized[O.IsWrite], 891 {IRB.CreatePointerCast(Addr, IntptrTy), 892 ConstantInt::get(IntptrTy, O.TypeSize / 8)}); 893 } 894 untagPointerOperand(O.getInsn(), Addr); 895 896 return true; 897 } 898 899 static uint64_t getAllocaSizeInBytes(const AllocaInst &AI) { 900 uint64_t ArraySize = 1; 901 if (AI.isArrayAllocation()) { 902 const ConstantInt *CI = dyn_cast<ConstantInt>(AI.getArraySize()); 903 assert(CI && "non-constant array size"); 904 ArraySize = CI->getZExtValue(); 905 } 906 Type *Ty = AI.getAllocatedType(); 907 uint64_t SizeInBytes = AI.getModule()->getDataLayout().getTypeAllocSize(Ty); 908 return SizeInBytes * ArraySize; 909 } 910 911 bool HWAddressSanitizer::tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, 912 size_t Size) { 913 size_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment()); 914 if (!UseShortGranules) 915 Size = AlignedSize; 916 917 Value *JustTag = IRB.CreateTrunc(Tag, IRB.getInt8Ty()); 918 if (InstrumentWithCalls) { 919 IRB.CreateCall(HwasanTagMemoryFunc, 920 {IRB.CreatePointerCast(AI, Int8PtrTy), JustTag, 921 ConstantInt::get(IntptrTy, AlignedSize)}); 922 } else { 923 size_t ShadowSize = Size >> Mapping.Scale; 924 Value *ShadowPtr = memToShadow(IRB.CreatePointerCast(AI, IntptrTy), IRB); 925 // If this memset is not inlined, it will be intercepted in the hwasan 926 // runtime library. That's OK, because the interceptor skips the checks if 927 // the address is in the shadow region. 928 // FIXME: the interceptor is not as fast as real memset. Consider lowering 929 // llvm.memset right here into either a sequence of stores, or a call to 930 // hwasan_tag_memory. 931 if (ShadowSize) 932 IRB.CreateMemSet(ShadowPtr, JustTag, ShadowSize, Align(1)); 933 if (Size != AlignedSize) { 934 IRB.CreateStore( 935 ConstantInt::get(Int8Ty, Size % Mapping.getObjectAlignment()), 936 IRB.CreateConstGEP1_32(Int8Ty, ShadowPtr, ShadowSize)); 937 IRB.CreateStore(JustTag, IRB.CreateConstGEP1_32( 938 Int8Ty, IRB.CreateBitCast(AI, Int8PtrTy), 939 AlignedSize - 1)); 940 } 941 } 942 return true; 943 } 944 945 unsigned HWAddressSanitizer::retagMask(unsigned AllocaNo) { 946 if (TargetTriple.getArch() == Triple::x86_64) 947 return AllocaNo & TagMaskByte; 948 949 // A list of 8-bit numbers that have at most one run of non-zero bits. 950 // x = x ^ (mask << 56) can be encoded as a single armv8 instruction for these 951 // masks. 952 // The list does not include the value 255, which is used for UAR. 953 // 954 // Because we are more likely to use earlier elements of this list than later 955 // ones, it is sorted in increasing order of probability of collision with a 956 // mask allocated (temporally) nearby. The program that generated this list 957 // can be found at: 958 // https://github.com/google/sanitizers/blob/master/hwaddress-sanitizer/sort_masks.py 959 static unsigned FastMasks[] = {0, 128, 64, 192, 32, 96, 224, 112, 240, 960 48, 16, 120, 248, 56, 24, 8, 124, 252, 961 60, 28, 12, 4, 126, 254, 62, 30, 14, 962 6, 2, 127, 63, 31, 15, 7, 3, 1}; 963 return FastMasks[AllocaNo % (sizeof(FastMasks) / sizeof(FastMasks[0]))]; 964 } 965 966 Value *HWAddressSanitizer::applyTagMask(IRBuilder<> &IRB, Value *OldTag) { 967 if (TargetTriple.getArch() == Triple::x86_64) { 968 Constant *TagMask = ConstantInt::get(IntptrTy, TagMaskByte); 969 Value *NewTag = IRB.CreateAnd(OldTag, TagMask); 970 return NewTag; 971 } 972 // aarch64 uses 8-bit tags, so no mask is needed. 973 return OldTag; 974 } 975 976 Value *HWAddressSanitizer::getNextTagWithCall(IRBuilder<> &IRB) { 977 return IRB.CreateZExt(IRB.CreateCall(HwasanGenerateTagFunc), IntptrTy); 978 } 979 980 Value *HWAddressSanitizer::getStackBaseTag(IRBuilder<> &IRB) { 981 if (ClGenerateTagsWithCalls) 982 return getNextTagWithCall(IRB); 983 if (StackBaseTag) 984 return StackBaseTag; 985 // FIXME: use addressofreturnaddress (but implement it in aarch64 backend 986 // first). 987 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 988 auto GetStackPointerFn = Intrinsic::getDeclaration( 989 M, Intrinsic::frameaddress, 990 IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace())); 991 Value *StackPointer = IRB.CreateCall( 992 GetStackPointerFn, {Constant::getNullValue(IRB.getInt32Ty())}); 993 994 // Extract some entropy from the stack pointer for the tags. 995 // Take bits 20..28 (ASLR entropy) and xor with bits 0..8 (these differ 996 // between functions). 997 Value *StackPointerLong = IRB.CreatePointerCast(StackPointer, IntptrTy); 998 Value *StackTag = 999 applyTagMask(IRB, IRB.CreateXor(StackPointerLong, 1000 IRB.CreateLShr(StackPointerLong, 20))); 1001 StackTag->setName("hwasan.stack.base.tag"); 1002 return StackTag; 1003 } 1004 1005 Value *HWAddressSanitizer::getAllocaTag(IRBuilder<> &IRB, Value *StackTag, 1006 AllocaInst *AI, unsigned AllocaNo) { 1007 if (ClGenerateTagsWithCalls) 1008 return getNextTagWithCall(IRB); 1009 return IRB.CreateXor(StackTag, 1010 ConstantInt::get(IntptrTy, retagMask(AllocaNo))); 1011 } 1012 1013 Value *HWAddressSanitizer::getUARTag(IRBuilder<> &IRB, Value *StackTag) { 1014 if (ClUARRetagToZero) 1015 return ConstantInt::get(IntptrTy, 0); 1016 if (ClGenerateTagsWithCalls) 1017 return getNextTagWithCall(IRB); 1018 return IRB.CreateXor(StackTag, ConstantInt::get(IntptrTy, TagMaskByte)); 1019 } 1020 1021 // Add a tag to an address. 1022 Value *HWAddressSanitizer::tagPointer(IRBuilder<> &IRB, Type *Ty, 1023 Value *PtrLong, Value *Tag) { 1024 assert(!UsePageAliases); 1025 Value *TaggedPtrLong; 1026 if (CompileKernel) { 1027 // Kernel addresses have 0xFF in the most significant byte. 1028 Value *ShiftedTag = 1029 IRB.CreateOr(IRB.CreateShl(Tag, PointerTagShift), 1030 ConstantInt::get(IntptrTy, (1ULL << PointerTagShift) - 1)); 1031 TaggedPtrLong = IRB.CreateAnd(PtrLong, ShiftedTag); 1032 } else { 1033 // Userspace can simply do OR (tag << PointerTagShift); 1034 Value *ShiftedTag = IRB.CreateShl(Tag, PointerTagShift); 1035 TaggedPtrLong = IRB.CreateOr(PtrLong, ShiftedTag); 1036 } 1037 return IRB.CreateIntToPtr(TaggedPtrLong, Ty); 1038 } 1039 1040 // Remove tag from an address. 1041 Value *HWAddressSanitizer::untagPointer(IRBuilder<> &IRB, Value *PtrLong) { 1042 assert(!UsePageAliases); 1043 Value *UntaggedPtrLong; 1044 if (CompileKernel) { 1045 // Kernel addresses have 0xFF in the most significant byte. 1046 UntaggedPtrLong = 1047 IRB.CreateOr(PtrLong, ConstantInt::get(PtrLong->getType(), 1048 0xFFULL << PointerTagShift)); 1049 } else { 1050 // Userspace addresses have 0x00. 1051 UntaggedPtrLong = 1052 IRB.CreateAnd(PtrLong, ConstantInt::get(PtrLong->getType(), 1053 ~(0xFFULL << PointerTagShift))); 1054 } 1055 return UntaggedPtrLong; 1056 } 1057 1058 Value *HWAddressSanitizer::getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty) { 1059 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 1060 if (TargetTriple.isAArch64() && TargetTriple.isAndroid()) { 1061 // Android provides a fixed TLS slot for sanitizers. See TLS_SLOT_SANITIZER 1062 // in Bionic's libc/private/bionic_tls.h. 1063 Function *ThreadPointerFunc = 1064 Intrinsic::getDeclaration(M, Intrinsic::thread_pointer); 1065 Value *SlotPtr = IRB.CreatePointerCast( 1066 IRB.CreateConstGEP1_32(IRB.getInt8Ty(), 1067 IRB.CreateCall(ThreadPointerFunc), 0x30), 1068 Ty->getPointerTo(0)); 1069 return SlotPtr; 1070 } 1071 if (ThreadPtrGlobal) 1072 return ThreadPtrGlobal; 1073 1074 return nullptr; 1075 } 1076 1077 void HWAddressSanitizer::emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord) { 1078 if (!Mapping.InTls) 1079 ShadowBase = getShadowNonTls(IRB); 1080 else if (!WithFrameRecord && TargetTriple.isAndroid()) 1081 ShadowBase = getDynamicShadowIfunc(IRB); 1082 1083 if (!WithFrameRecord && ShadowBase) 1084 return; 1085 1086 Value *SlotPtr = getHwasanThreadSlotPtr(IRB, IntptrTy); 1087 assert(SlotPtr); 1088 1089 Value *ThreadLong = IRB.CreateLoad(IntptrTy, SlotPtr); 1090 // Extract the address field from ThreadLong. Unnecessary on AArch64 with TBI. 1091 Value *ThreadLongMaybeUntagged = 1092 TargetTriple.isAArch64() ? ThreadLong : untagPointer(IRB, ThreadLong); 1093 1094 if (WithFrameRecord) { 1095 Function *F = IRB.GetInsertBlock()->getParent(); 1096 StackBaseTag = IRB.CreateAShr(ThreadLong, 3); 1097 1098 // Prepare ring buffer data. 1099 Value *PC; 1100 if (TargetTriple.getArch() == Triple::aarch64) 1101 PC = readRegister(IRB, "pc"); 1102 else 1103 PC = IRB.CreatePtrToInt(F, IntptrTy); 1104 Module *M = F->getParent(); 1105 auto GetStackPointerFn = Intrinsic::getDeclaration( 1106 M, Intrinsic::frameaddress, 1107 IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace())); 1108 Value *SP = IRB.CreatePtrToInt( 1109 IRB.CreateCall(GetStackPointerFn, 1110 {Constant::getNullValue(IRB.getInt32Ty())}), 1111 IntptrTy); 1112 // Mix SP and PC. 1113 // Assumptions: 1114 // PC is 0x0000PPPPPPPPPPPP (48 bits are meaningful, others are zero) 1115 // SP is 0xsssssssssssSSSS0 (4 lower bits are zero) 1116 // We only really need ~20 lower non-zero bits (SSSS), so we mix like this: 1117 // 0xSSSSPPPPPPPPPPPP 1118 SP = IRB.CreateShl(SP, 44); 1119 1120 // Store data to ring buffer. 1121 Value *RecordPtr = 1122 IRB.CreateIntToPtr(ThreadLongMaybeUntagged, IntptrTy->getPointerTo(0)); 1123 IRB.CreateStore(IRB.CreateOr(PC, SP), RecordPtr); 1124 1125 // Update the ring buffer. Top byte of ThreadLong defines the size of the 1126 // buffer in pages, it must be a power of two, and the start of the buffer 1127 // must be aligned by twice that much. Therefore wrap around of the ring 1128 // buffer is simply Addr &= ~((ThreadLong >> 56) << 12). 1129 // The use of AShr instead of LShr is due to 1130 // https://bugs.llvm.org/show_bug.cgi?id=39030 1131 // Runtime library makes sure not to use the highest bit. 1132 Value *WrapMask = IRB.CreateXor( 1133 IRB.CreateShl(IRB.CreateAShr(ThreadLong, 56), 12, "", true, true), 1134 ConstantInt::get(IntptrTy, (uint64_t)-1)); 1135 Value *ThreadLongNew = IRB.CreateAnd( 1136 IRB.CreateAdd(ThreadLong, ConstantInt::get(IntptrTy, 8)), WrapMask); 1137 IRB.CreateStore(ThreadLongNew, SlotPtr); 1138 } 1139 1140 if (!ShadowBase) { 1141 // Get shadow base address by aligning RecordPtr up. 1142 // Note: this is not correct if the pointer is already aligned. 1143 // Runtime library will make sure this never happens. 1144 ShadowBase = IRB.CreateAdd( 1145 IRB.CreateOr( 1146 ThreadLongMaybeUntagged, 1147 ConstantInt::get(IntptrTy, (1ULL << kShadowBaseAlignment) - 1)), 1148 ConstantInt::get(IntptrTy, 1), "hwasan.shadow"); 1149 ShadowBase = IRB.CreateIntToPtr(ShadowBase, Int8PtrTy); 1150 } 1151 } 1152 1153 Value *HWAddressSanitizer::readRegister(IRBuilder<> &IRB, StringRef Name) { 1154 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 1155 Function *ReadRegister = 1156 Intrinsic::getDeclaration(M, Intrinsic::read_register, IntptrTy); 1157 MDNode *MD = MDNode::get(*C, {MDString::get(*C, Name)}); 1158 Value *Args[] = {MetadataAsValue::get(*C, MD)}; 1159 return IRB.CreateCall(ReadRegister, Args); 1160 } 1161 1162 bool HWAddressSanitizer::instrumentLandingPads( 1163 SmallVectorImpl<Instruction *> &LandingPadVec) { 1164 for (auto *LP : LandingPadVec) { 1165 IRBuilder<> IRB(LP->getNextNode()); 1166 IRB.CreateCall( 1167 HWAsanHandleVfork, 1168 {readRegister(IRB, (TargetTriple.getArch() == Triple::x86_64) ? "rsp" 1169 : "sp")}); 1170 } 1171 return true; 1172 } 1173 1174 bool HWAddressSanitizer::instrumentStack( 1175 SmallVectorImpl<AllocaInst *> &Allocas, 1176 DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> &AllocaDbgMap, 1177 SmallVectorImpl<Instruction *> &RetVec, Value *StackTag) { 1178 // Ideally, we want to calculate tagged stack base pointer, and rewrite all 1179 // alloca addresses using that. Unfortunately, offsets are not known yet 1180 // (unless we use ASan-style mega-alloca). Instead we keep the base tag in a 1181 // temp, shift-OR it into each alloca address and xor with the retag mask. 1182 // This generates one extra instruction per alloca use. 1183 for (unsigned N = 0; N < Allocas.size(); ++N) { 1184 auto *AI = Allocas[N]; 1185 IRBuilder<> IRB(AI->getNextNode()); 1186 1187 // Replace uses of the alloca with tagged address. 1188 Value *Tag = getAllocaTag(IRB, StackTag, AI, N); 1189 Value *AILong = IRB.CreatePointerCast(AI, IntptrTy); 1190 Value *Replacement = tagPointer(IRB, AI->getType(), AILong, Tag); 1191 std::string Name = 1192 AI->hasName() ? AI->getName().str() : "alloca." + itostr(N); 1193 Replacement->setName(Name + ".hwasan"); 1194 1195 AI->replaceUsesWithIf(Replacement, 1196 [AILong](Use &U) { return U.getUser() != AILong; }); 1197 1198 for (auto *DDI : AllocaDbgMap.lookup(AI)) { 1199 // Prepend "tag_offset, N" to the dwarf expression. 1200 // Tag offset logically applies to the alloca pointer, and it makes sense 1201 // to put it at the beginning of the expression. 1202 SmallVector<uint64_t, 8> NewOps = {dwarf::DW_OP_LLVM_tag_offset, 1203 retagMask(N)}; 1204 auto Locations = DDI->location_ops(); 1205 unsigned LocNo = std::distance(Locations.begin(), find(Locations, AI)); 1206 DDI->setExpression( 1207 DIExpression::appendOpsToArg(DDI->getExpression(), NewOps, LocNo)); 1208 } 1209 1210 size_t Size = getAllocaSizeInBytes(*AI); 1211 tagAlloca(IRB, AI, Tag, Size); 1212 1213 for (auto RI : RetVec) { 1214 IRB.SetInsertPoint(RI); 1215 1216 // Re-tag alloca memory with the special UAR tag. 1217 Value *Tag = getUARTag(IRB, StackTag); 1218 tagAlloca(IRB, AI, Tag, alignTo(Size, Mapping.getObjectAlignment())); 1219 } 1220 } 1221 1222 return true; 1223 } 1224 1225 bool HWAddressSanitizer::isInterestingAlloca(const AllocaInst &AI) { 1226 return (AI.getAllocatedType()->isSized() && 1227 // FIXME: instrument dynamic allocas, too 1228 AI.isStaticAlloca() && 1229 // alloca() may be called with 0 size, ignore it. 1230 getAllocaSizeInBytes(AI) > 0 && 1231 // We are only interested in allocas not promotable to registers. 1232 // Promotable allocas are common under -O0. 1233 !isAllocaPromotable(&AI) && 1234 // inalloca allocas are not treated as static, and we don't want 1235 // dynamic alloca instrumentation for them as well. 1236 !AI.isUsedWithInAlloca() && 1237 // swifterror allocas are register promoted by ISel 1238 !AI.isSwiftError()); 1239 } 1240 1241 bool HWAddressSanitizer::sanitizeFunction(Function &F) { 1242 if (&F == HwasanCtorFunction) 1243 return false; 1244 1245 if (!F.hasFnAttribute(Attribute::SanitizeHWAddress)) 1246 return false; 1247 1248 LLVM_DEBUG(dbgs() << "Function: " << F.getName() << "\n"); 1249 1250 SmallVector<InterestingMemoryOperand, 16> OperandsToInstrument; 1251 SmallVector<MemIntrinsic *, 16> IntrinToInstrument; 1252 SmallVector<AllocaInst *, 8> AllocasToInstrument; 1253 SmallVector<Instruction *, 8> RetVec; 1254 SmallVector<Instruction *, 8> LandingPadVec; 1255 DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> AllocaDbgMap; 1256 for (auto &BB : F) { 1257 for (auto &Inst : BB) { 1258 if (InstrumentStack) 1259 if (AllocaInst *AI = dyn_cast<AllocaInst>(&Inst)) { 1260 if (isInterestingAlloca(*AI)) 1261 AllocasToInstrument.push_back(AI); 1262 continue; 1263 } 1264 1265 if (isa<ReturnInst>(Inst) || isa<ResumeInst>(Inst) || 1266 isa<CleanupReturnInst>(Inst)) 1267 RetVec.push_back(&Inst); 1268 1269 if (auto *DVI = dyn_cast<DbgVariableIntrinsic>(&Inst)) 1270 for (Value *V : DVI->location_ops()) 1271 if (auto *Alloca = dyn_cast_or_null<AllocaInst>(V)) 1272 AllocaDbgMap[Alloca].push_back(DVI); 1273 1274 if (InstrumentLandingPads && isa<LandingPadInst>(Inst)) 1275 LandingPadVec.push_back(&Inst); 1276 1277 getInterestingMemoryOperands(&Inst, OperandsToInstrument); 1278 1279 if (MemIntrinsic *MI = dyn_cast<MemIntrinsic>(&Inst)) 1280 IntrinToInstrument.push_back(MI); 1281 } 1282 } 1283 1284 initializeCallbacks(*F.getParent()); 1285 1286 bool Changed = false; 1287 1288 if (!LandingPadVec.empty()) 1289 Changed |= instrumentLandingPads(LandingPadVec); 1290 1291 if (AllocasToInstrument.empty() && F.hasPersonalityFn() && 1292 F.getPersonalityFn()->getName() == kHwasanPersonalityThunkName) { 1293 // __hwasan_personality_thunk is a no-op for functions without an 1294 // instrumented stack, so we can drop it. 1295 F.setPersonalityFn(nullptr); 1296 Changed = true; 1297 } 1298 1299 if (AllocasToInstrument.empty() && OperandsToInstrument.empty() && 1300 IntrinToInstrument.empty()) 1301 return Changed; 1302 1303 assert(!ShadowBase); 1304 1305 Instruction *InsertPt = &*F.getEntryBlock().begin(); 1306 IRBuilder<> EntryIRB(InsertPt); 1307 emitPrologue(EntryIRB, 1308 /*WithFrameRecord*/ ClRecordStackHistory && 1309 Mapping.WithFrameRecord && !AllocasToInstrument.empty()); 1310 1311 if (!AllocasToInstrument.empty()) { 1312 Value *StackTag = 1313 ClGenerateTagsWithCalls ? nullptr : getStackBaseTag(EntryIRB); 1314 instrumentStack(AllocasToInstrument, AllocaDbgMap, RetVec, StackTag); 1315 } 1316 // Pad and align each of the allocas that we instrumented to stop small 1317 // uninteresting allocas from hiding in instrumented alloca's padding and so 1318 // that we have enough space to store real tags for short granules. 1319 DenseMap<AllocaInst *, AllocaInst *> AllocaToPaddedAllocaMap; 1320 for (AllocaInst *AI : AllocasToInstrument) { 1321 uint64_t Size = getAllocaSizeInBytes(*AI); 1322 uint64_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment()); 1323 AI->setAlignment( 1324 Align(std::max(AI->getAlignment(), Mapping.getObjectAlignment()))); 1325 if (Size != AlignedSize) { 1326 Type *AllocatedType = AI->getAllocatedType(); 1327 if (AI->isArrayAllocation()) { 1328 uint64_t ArraySize = 1329 cast<ConstantInt>(AI->getArraySize())->getZExtValue(); 1330 AllocatedType = ArrayType::get(AllocatedType, ArraySize); 1331 } 1332 Type *TypeWithPadding = StructType::get( 1333 AllocatedType, ArrayType::get(Int8Ty, AlignedSize - Size)); 1334 auto *NewAI = new AllocaInst( 1335 TypeWithPadding, AI->getType()->getAddressSpace(), nullptr, "", AI); 1336 NewAI->takeName(AI); 1337 NewAI->setAlignment(AI->getAlign()); 1338 NewAI->setUsedWithInAlloca(AI->isUsedWithInAlloca()); 1339 NewAI->setSwiftError(AI->isSwiftError()); 1340 NewAI->copyMetadata(*AI); 1341 auto *Bitcast = new BitCastInst(NewAI, AI->getType(), "", AI); 1342 AI->replaceAllUsesWith(Bitcast); 1343 AllocaToPaddedAllocaMap[AI] = NewAI; 1344 } 1345 } 1346 1347 if (!AllocaToPaddedAllocaMap.empty()) { 1348 for (auto &BB : F) { 1349 for (auto &Inst : BB) { 1350 if (auto *DVI = dyn_cast<DbgVariableIntrinsic>(&Inst)) { 1351 for (Value *V : DVI->location_ops()) { 1352 if (auto *AI = dyn_cast_or_null<AllocaInst>(V)) { 1353 if (auto *NewAI = AllocaToPaddedAllocaMap.lookup(AI)) 1354 DVI->replaceVariableLocationOp(V, NewAI); 1355 } 1356 } 1357 } 1358 } 1359 } 1360 for (auto &P : AllocaToPaddedAllocaMap) 1361 P.first->eraseFromParent(); 1362 } 1363 1364 // If we split the entry block, move any allocas that were originally in the 1365 // entry block back into the entry block so that they aren't treated as 1366 // dynamic allocas. 1367 if (EntryIRB.GetInsertBlock() != &F.getEntryBlock()) { 1368 InsertPt = &*F.getEntryBlock().begin(); 1369 for (auto II = EntryIRB.GetInsertBlock()->begin(), 1370 IE = EntryIRB.GetInsertBlock()->end(); 1371 II != IE;) { 1372 Instruction *I = &*II++; 1373 if (auto *AI = dyn_cast<AllocaInst>(I)) 1374 if (isa<ConstantInt>(AI->getArraySize())) 1375 I->moveBefore(InsertPt); 1376 } 1377 } 1378 1379 for (auto &Operand : OperandsToInstrument) 1380 instrumentMemAccess(Operand); 1381 1382 if (ClInstrumentMemIntrinsics && !IntrinToInstrument.empty()) { 1383 for (auto Inst : IntrinToInstrument) 1384 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 1385 } 1386 1387 ShadowBase = nullptr; 1388 StackBaseTag = nullptr; 1389 1390 return true; 1391 } 1392 1393 void HWAddressSanitizer::instrumentGlobal(GlobalVariable *GV, uint8_t Tag) { 1394 assert(!UsePageAliases); 1395 Constant *Initializer = GV->getInitializer(); 1396 uint64_t SizeInBytes = 1397 M.getDataLayout().getTypeAllocSize(Initializer->getType()); 1398 uint64_t NewSize = alignTo(SizeInBytes, Mapping.getObjectAlignment()); 1399 if (SizeInBytes != NewSize) { 1400 // Pad the initializer out to the next multiple of 16 bytes and add the 1401 // required short granule tag. 1402 std::vector<uint8_t> Init(NewSize - SizeInBytes, 0); 1403 Init.back() = Tag; 1404 Constant *Padding = ConstantDataArray::get(*C, Init); 1405 Initializer = ConstantStruct::getAnon({Initializer, Padding}); 1406 } 1407 1408 auto *NewGV = new GlobalVariable(M, Initializer->getType(), GV->isConstant(), 1409 GlobalValue::ExternalLinkage, Initializer, 1410 GV->getName() + ".hwasan"); 1411 NewGV->copyAttributesFrom(GV); 1412 NewGV->setLinkage(GlobalValue::PrivateLinkage); 1413 NewGV->copyMetadata(GV, 0); 1414 NewGV->setAlignment( 1415 MaybeAlign(std::max(GV->getAlignment(), Mapping.getObjectAlignment()))); 1416 1417 // It is invalid to ICF two globals that have different tags. In the case 1418 // where the size of the global is a multiple of the tag granularity the 1419 // contents of the globals may be the same but the tags (i.e. symbol values) 1420 // may be different, and the symbols are not considered during ICF. In the 1421 // case where the size is not a multiple of the granularity, the short granule 1422 // tags would discriminate two globals with different tags, but there would 1423 // otherwise be nothing stopping such a global from being incorrectly ICF'd 1424 // with an uninstrumented (i.e. tag 0) global that happened to have the short 1425 // granule tag in the last byte. 1426 NewGV->setUnnamedAddr(GlobalValue::UnnamedAddr::None); 1427 1428 // Descriptor format (assuming little-endian): 1429 // bytes 0-3: relative address of global 1430 // bytes 4-6: size of global (16MB ought to be enough for anyone, but in case 1431 // it isn't, we create multiple descriptors) 1432 // byte 7: tag 1433 auto *DescriptorTy = StructType::get(Int32Ty, Int32Ty); 1434 const uint64_t MaxDescriptorSize = 0xfffff0; 1435 for (uint64_t DescriptorPos = 0; DescriptorPos < SizeInBytes; 1436 DescriptorPos += MaxDescriptorSize) { 1437 auto *Descriptor = 1438 new GlobalVariable(M, DescriptorTy, true, GlobalValue::PrivateLinkage, 1439 nullptr, GV->getName() + ".hwasan.descriptor"); 1440 auto *GVRelPtr = ConstantExpr::getTrunc( 1441 ConstantExpr::getAdd( 1442 ConstantExpr::getSub( 1443 ConstantExpr::getPtrToInt(NewGV, Int64Ty), 1444 ConstantExpr::getPtrToInt(Descriptor, Int64Ty)), 1445 ConstantInt::get(Int64Ty, DescriptorPos)), 1446 Int32Ty); 1447 uint32_t Size = std::min(SizeInBytes - DescriptorPos, MaxDescriptorSize); 1448 auto *SizeAndTag = ConstantInt::get(Int32Ty, Size | (uint32_t(Tag) << 24)); 1449 Descriptor->setComdat(NewGV->getComdat()); 1450 Descriptor->setInitializer(ConstantStruct::getAnon({GVRelPtr, SizeAndTag})); 1451 Descriptor->setSection("hwasan_globals"); 1452 Descriptor->setMetadata(LLVMContext::MD_associated, 1453 MDNode::get(*C, ValueAsMetadata::get(NewGV))); 1454 appendToCompilerUsed(M, Descriptor); 1455 } 1456 1457 Constant *Aliasee = ConstantExpr::getIntToPtr( 1458 ConstantExpr::getAdd( 1459 ConstantExpr::getPtrToInt(NewGV, Int64Ty), 1460 ConstantInt::get(Int64Ty, uint64_t(Tag) << PointerTagShift)), 1461 GV->getType()); 1462 auto *Alias = GlobalAlias::create(GV->getValueType(), GV->getAddressSpace(), 1463 GV->getLinkage(), "", Aliasee, &M); 1464 Alias->setVisibility(GV->getVisibility()); 1465 Alias->takeName(GV); 1466 GV->replaceAllUsesWith(Alias); 1467 GV->eraseFromParent(); 1468 } 1469 1470 static DenseSet<GlobalVariable *> getExcludedGlobals(Module &M) { 1471 NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals"); 1472 if (!Globals) 1473 return DenseSet<GlobalVariable *>(); 1474 DenseSet<GlobalVariable *> Excluded(Globals->getNumOperands()); 1475 for (auto MDN : Globals->operands()) { 1476 // Metadata node contains the global and the fields of "Entry". 1477 assert(MDN->getNumOperands() == 5); 1478 auto *V = mdconst::extract_or_null<Constant>(MDN->getOperand(0)); 1479 // The optimizer may optimize away a global entirely. 1480 if (!V) 1481 continue; 1482 auto *StrippedV = V->stripPointerCasts(); 1483 auto *GV = dyn_cast<GlobalVariable>(StrippedV); 1484 if (!GV) 1485 continue; 1486 ConstantInt *IsExcluded = mdconst::extract<ConstantInt>(MDN->getOperand(4)); 1487 if (IsExcluded->isOne()) 1488 Excluded.insert(GV); 1489 } 1490 return Excluded; 1491 } 1492 1493 void HWAddressSanitizer::instrumentGlobals() { 1494 std::vector<GlobalVariable *> Globals; 1495 auto ExcludedGlobals = getExcludedGlobals(M); 1496 for (GlobalVariable &GV : M.globals()) { 1497 if (ExcludedGlobals.count(&GV)) 1498 continue; 1499 1500 if (GV.isDeclarationForLinker() || GV.getName().startswith("llvm.") || 1501 GV.isThreadLocal()) 1502 continue; 1503 1504 // Common symbols can't have aliases point to them, so they can't be tagged. 1505 if (GV.hasCommonLinkage()) 1506 continue; 1507 1508 // Globals with custom sections may be used in __start_/__stop_ enumeration, 1509 // which would be broken both by adding tags and potentially by the extra 1510 // padding/alignment that we insert. 1511 if (GV.hasSection()) 1512 continue; 1513 1514 Globals.push_back(&GV); 1515 } 1516 1517 MD5 Hasher; 1518 Hasher.update(M.getSourceFileName()); 1519 MD5::MD5Result Hash; 1520 Hasher.final(Hash); 1521 uint8_t Tag = Hash[0] & TagMaskByte; 1522 1523 for (GlobalVariable *GV : Globals) { 1524 // Skip tag 0 in order to avoid collisions with untagged memory. 1525 if (Tag == 0) 1526 Tag = 1; 1527 instrumentGlobal(GV, Tag++); 1528 } 1529 } 1530 1531 void HWAddressSanitizer::instrumentPersonalityFunctions() { 1532 // We need to untag stack frames as we unwind past them. That is the job of 1533 // the personality function wrapper, which either wraps an existing 1534 // personality function or acts as a personality function on its own. Each 1535 // function that has a personality function or that can be unwound past has 1536 // its personality function changed to a thunk that calls the personality 1537 // function wrapper in the runtime. 1538 MapVector<Constant *, std::vector<Function *>> PersonalityFns; 1539 for (Function &F : M) { 1540 if (F.isDeclaration() || !F.hasFnAttribute(Attribute::SanitizeHWAddress)) 1541 continue; 1542 1543 if (F.hasPersonalityFn()) { 1544 PersonalityFns[F.getPersonalityFn()->stripPointerCasts()].push_back(&F); 1545 } else if (!F.hasFnAttribute(Attribute::NoUnwind)) { 1546 PersonalityFns[nullptr].push_back(&F); 1547 } 1548 } 1549 1550 if (PersonalityFns.empty()) 1551 return; 1552 1553 FunctionCallee HwasanPersonalityWrapper = M.getOrInsertFunction( 1554 "__hwasan_personality_wrapper", Int32Ty, Int32Ty, Int32Ty, Int64Ty, 1555 Int8PtrTy, Int8PtrTy, Int8PtrTy, Int8PtrTy, Int8PtrTy); 1556 FunctionCallee UnwindGetGR = M.getOrInsertFunction("_Unwind_GetGR", VoidTy); 1557 FunctionCallee UnwindGetCFA = M.getOrInsertFunction("_Unwind_GetCFA", VoidTy); 1558 1559 for (auto &P : PersonalityFns) { 1560 std::string ThunkName = kHwasanPersonalityThunkName; 1561 if (P.first) 1562 ThunkName += ("." + P.first->getName()).str(); 1563 FunctionType *ThunkFnTy = FunctionType::get( 1564 Int32Ty, {Int32Ty, Int32Ty, Int64Ty, Int8PtrTy, Int8PtrTy}, false); 1565 bool IsLocal = P.first && (!isa<GlobalValue>(P.first) || 1566 cast<GlobalValue>(P.first)->hasLocalLinkage()); 1567 auto *ThunkFn = Function::Create(ThunkFnTy, 1568 IsLocal ? GlobalValue::InternalLinkage 1569 : GlobalValue::LinkOnceODRLinkage, 1570 ThunkName, &M); 1571 if (!IsLocal) { 1572 ThunkFn->setVisibility(GlobalValue::HiddenVisibility); 1573 ThunkFn->setComdat(M.getOrInsertComdat(ThunkName)); 1574 } 1575 1576 auto *BB = BasicBlock::Create(*C, "entry", ThunkFn); 1577 IRBuilder<> IRB(BB); 1578 CallInst *WrapperCall = IRB.CreateCall( 1579 HwasanPersonalityWrapper, 1580 {ThunkFn->getArg(0), ThunkFn->getArg(1), ThunkFn->getArg(2), 1581 ThunkFn->getArg(3), ThunkFn->getArg(4), 1582 P.first ? IRB.CreateBitCast(P.first, Int8PtrTy) 1583 : Constant::getNullValue(Int8PtrTy), 1584 IRB.CreateBitCast(UnwindGetGR.getCallee(), Int8PtrTy), 1585 IRB.CreateBitCast(UnwindGetCFA.getCallee(), Int8PtrTy)}); 1586 WrapperCall->setTailCall(); 1587 IRB.CreateRet(WrapperCall); 1588 1589 for (Function *F : P.second) 1590 F->setPersonalityFn(ThunkFn); 1591 } 1592 } 1593 1594 void HWAddressSanitizer::ShadowMapping::init(Triple &TargetTriple, 1595 bool InstrumentWithCalls) { 1596 Scale = kDefaultShadowScale; 1597 if (TargetTriple.isOSFuchsia()) { 1598 // Fuchsia is always PIE, which means that the beginning of the address 1599 // space is always available. 1600 InGlobal = false; 1601 InTls = false; 1602 Offset = 0; 1603 WithFrameRecord = true; 1604 } else if (ClMappingOffset.getNumOccurrences() > 0) { 1605 InGlobal = false; 1606 InTls = false; 1607 Offset = ClMappingOffset; 1608 WithFrameRecord = false; 1609 } else if (ClEnableKhwasan || InstrumentWithCalls) { 1610 InGlobal = false; 1611 InTls = false; 1612 Offset = 0; 1613 WithFrameRecord = false; 1614 } else if (ClWithIfunc) { 1615 InGlobal = true; 1616 InTls = false; 1617 Offset = kDynamicShadowSentinel; 1618 WithFrameRecord = false; 1619 } else if (ClWithTls) { 1620 InGlobal = false; 1621 InTls = true; 1622 Offset = kDynamicShadowSentinel; 1623 WithFrameRecord = true; 1624 } else { 1625 InGlobal = false; 1626 InTls = false; 1627 Offset = kDynamicShadowSentinel; 1628 WithFrameRecord = false; 1629 } 1630 } 1631