//===-- MemorySanitizer.cpp - detector of uninitialized reads -------------===//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
/// \file
/// This file is a part of MemorySanitizer, a detector of uninitialized
/// reads.
///
/// The algorithm of the tool is similar to Memcheck
/// (http://goo.gl/QKbem). We associate a few shadow bits with every
/// byte of the application memory, poison the shadow of the malloc-ed
/// or alloca-ed memory, load the shadow bits on every memory read,
/// propagate the shadow bits through some of the arithmetic
/// instructions (including MOV), store the shadow bits on every memory
/// write, and report a bug on some other instructions (e.g. JMP) if the
/// associated shadow is poisoned.
///
/// But there are differences too. The first and the major one:
/// compiler instrumentation instead of binary instrumentation. This
/// gives us much better register allocation, possible compiler
/// optimizations and a fast start-up. But this brings the major issue
/// as well: msan needs to see all program events, including system
/// calls and reads/writes in system libraries, so we either need to
/// compile *everything* with msan or use a binary translation
/// component (e.g. DynamoRIO) to instrument pre-built libraries.
/// Another difference from Memcheck is that we use 8 shadow bits per
/// byte of application memory and use a direct shadow mapping. This
/// greatly simplifies the instrumentation code and avoids races on
/// shadow updates (Memcheck is single-threaded so races are not a
/// concern there. Memcheck uses 2 shadow bits per byte with a slow
/// path storage that uses 8 bits per byte).
///
/// The default value of shadow is 0, which means "clean" (not poisoned).
///
/// Every module initializer should call __msan_init to ensure that the
/// shadow memory is ready. On error, __msan_warning is called. Since
/// parameters and return values may be passed via registers, we have a
/// specialized thread-local shadow for return values
/// (__msan_retval_tls) and parameters (__msan_param_tls).
///
/// Origin tracking.
///
/// MemorySanitizer can track origins (allocation points) of all uninitialized
/// values. This behavior is controlled with a flag (msan-track-origins) and is
/// disabled by default.
///
/// Origins are 4-byte values created and interpreted by the runtime library.
/// They are stored in a second shadow mapping, one 4-byte value for 4 bytes
/// of application memory. Propagation of origins is basically a bunch of
/// "select" instructions that pick the origin of a dirty argument, if an
/// instruction has one.
///
/// Every 4 aligned, consecutive bytes of application memory have one origin
/// value associated with them. If these bytes contain uninitialized data
/// coming from 2 different allocations, the last store wins. Because of this,
/// MemorySanitizer reports can show unrelated origins, but this is unlikely in
/// practice.
///
/// Origins are meaningless for fully initialized values, so MemorySanitizer
/// avoids storing origin to memory when a fully initialized value is stored.
/// This way it avoids needlessly overwriting the origin of the 4-byte region
/// on a short (i.e. 1 byte) clean store, and it is also good for performance.
///
/// Atomic handling.
///
/// Ideally, every atomic store of an application value should update the
/// corresponding shadow location in an atomic way. Unfortunately, an atomic
/// store of two disjoint locations cannot be done without severe slowdown.
///
/// Therefore, we implement an approximation that may err on the safe side.
/// In this implementation, every atomically accessed location in the program
/// may only change from (partially) uninitialized to fully initialized, but
/// not the other way around. We load the shadow _after_ the application load,
/// and we store the shadow _before_ the app store. Also, we always store clean
/// shadow (if the application store is atomic). This way, if the store-load
/// pair constitutes a happens-before arc, shadow store and load are correctly
/// ordered such that the load will get either the value that was stored, or
/// some later value (which is always clean).
///
/// This does not work very well with Compare-And-Swap (CAS) and
/// Read-Modify-Write (RMW) operations. To follow the above logic, CAS and RMW
/// must store the new shadow before the app operation, and load the shadow
/// after the app operation. Computers don't work this way. The current
/// implementation ignores the load aspect of CAS/RMW, always returning a clean
/// value. It implements the store part as a simple atomic store by storing a
/// clean shadow.

//===----------------------------------------------------------------------===//

#include "llvm/Transforms/Instrumentation.h"
#include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/Triple.h"
#include "llvm/IR/DataLayout.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h"
#include "llvm/IR/InstVisitor.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/MDBuilder.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Type.h"
#include "llvm/IR/ValueMap.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Compiler.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/Local.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"

using namespace llvm;

#define DEBUG_TYPE "msan"

static const uint64_t kShadowMask32 = 1ULL << 31;
static const uint64_t kShadowMask64 = 1ULL << 46;
static const uint64_t kOriginOffset32 = 1ULL << 30;
static const uint64_t kOriginOffset64 = 1ULL << 45;
static const unsigned kMinOriginAlignment = 4;
static const unsigned kShadowTLSAlignment = 8;

// Access sizes are powers of two: 1, 2, 4, 8.
static const size_t kNumberOfAccessSizes = 4;
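// For example, with the 64-bit mapping above (kShadowMask64 == 1ULL << 46,
// kOriginOffset64 == 1ULL << 45), the pass computes
//   Shadow = Addr & ~kShadowMask64
//   Origin = (Shadow + kOriginOffset64) & ~3ULL
// so, purely as an arithmetic illustration of these formulas, an access to
// 0x7f0000001234 has its shadow at 0x3f0000001234 and its 4-byte-aligned
// origin slot at 0x5f0000001234 (see getShadowPtr() and getOriginPtr() below).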
/// \brief Track origins of uninitialized values.
///
/// Adds a section to MemorySanitizer report that points to the allocation
/// (stack or heap) the uninitialized bits came from originally.
static cl::opt<int> ClTrackOrigins("msan-track-origins",
       cl::desc("Track origins (allocation sites) of poisoned memory"),
       cl::Hidden, cl::init(0));
static cl::opt<bool> ClKeepGoing("msan-keep-going",
       cl::desc("keep going after reporting a UMR"),
       cl::Hidden, cl::init(false));
static cl::opt<bool> ClPoisonStack("msan-poison-stack",
       cl::desc("poison uninitialized stack variables"),
       cl::Hidden, cl::init(true));
static cl::opt<bool> ClPoisonStackWithCall("msan-poison-stack-with-call",
       cl::desc("poison uninitialized stack variables with a call"),
       cl::Hidden, cl::init(false));
static cl::opt<int> ClPoisonStackPattern("msan-poison-stack-pattern",
       cl::desc("poison uninitialized stack variables with the given pattern"),
       cl::Hidden, cl::init(0xff));
static cl::opt<bool> ClPoisonUndef("msan-poison-undef",
       cl::desc("poison undef temps"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClHandleICmp("msan-handle-icmp",
       cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClHandleICmpExact("msan-handle-icmp-exact",
       cl::desc("exact handling of relational integer ICmp"),
       cl::Hidden, cl::init(false));

// This flag controls whether we check the shadow of the address
// operand of a load or store. Such bugs are very rare, since a load from
// a garbage address typically results in SEGV, but they still happen
// (e.g. only the lower bits of the address are garbage, or the access happens
// early at program startup where malloc-ed memory is more likely to
// be zeroed). As of 2012-08-28 this flag adds 20% slowdown.
static cl::opt<bool> ClCheckAccessAddress("msan-check-access-address",
       cl::desc("report accesses through a pointer which has poisoned shadow"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClDumpStrictInstructions("msan-dump-strict-instructions",
       cl::desc("print out instructions with default strict semantics"),
       cl::Hidden, cl::init(false));

static cl::opt<int> ClInstrumentationWithCallThreshold(
    "msan-instrumentation-with-call-threshold",
    cl::desc(
        "If the function being instrumented requires more than "
        "this number of checks and origin stores, use callbacks instead of "
        "inline checks (-1 means never use callbacks)."),
    cl::Hidden, cl::init(3500));

// Experimental. Wraps all indirect calls in the instrumented code with
// a call to the given function. This is needed to assist the dynamic
// helper tool (MSanDR) to regain control on transition between instrumented
// and non-instrumented code.
static cl::opt<std::string> ClWrapIndirectCalls("msan-wrap-indirect-calls",
       cl::desc("Wrap indirect calls with a given function"),
       cl::Hidden);

static cl::opt<bool> ClWrapIndirectCallsFast("msan-wrap-indirect-calls-fast",
       cl::desc("Do not wrap indirect calls with target in the same module"),
       cl::Hidden, cl::init(true));

namespace {

/// \brief An instrumentation pass implementing detection of uninitialized
/// reads.
///
/// MemorySanitizer: instrument the code in a module to find
/// uninitialized reads.
class MemorySanitizer : public FunctionPass {
 public:
  MemorySanitizer(int TrackOrigins = 0)
      : FunctionPass(ID),
        TrackOrigins(std::max(TrackOrigins, (int)ClTrackOrigins)),
        DL(nullptr),
        WarningFn(nullptr),
        WrapIndirectCalls(!ClWrapIndirectCalls.empty()) {}
  const char *getPassName() const override { return "MemorySanitizer"; }
  bool runOnFunction(Function &F) override;
  bool doInitialization(Module &M) override;
  static char ID;  // Pass identification, replacement for typeid.

 private:
  void initializeCallbacks(Module &M);

  /// \brief Track origins (allocation points) of uninitialized values.
  int TrackOrigins;

  const DataLayout *DL;
  LLVMContext *C;
  Type *IntptrTy;
  Type *OriginTy;
  /// \brief Thread-local shadow storage for function parameters.
  GlobalVariable *ParamTLS;
  /// \brief Thread-local origin storage for function parameters.
  GlobalVariable *ParamOriginTLS;
  /// \brief Thread-local shadow storage for function return value.
  GlobalVariable *RetvalTLS;
  /// \brief Thread-local origin storage for function return value.
  GlobalVariable *RetvalOriginTLS;
  /// \brief Thread-local shadow storage for in-register va_arg function
  /// parameters (x86_64-specific).
  GlobalVariable *VAArgTLS;
  /// \brief Thread-local shadow storage for va_arg overflow area
  /// (x86_64-specific).
  GlobalVariable *VAArgOverflowSizeTLS;
  /// \brief Thread-local space used to pass origin value to the UMR reporting
  /// function.
  GlobalVariable *OriginTLS;

  GlobalVariable *MsandrModuleStart;
  GlobalVariable *MsandrModuleEnd;

  /// \brief The run-time callback to print a warning.
  Value *WarningFn;
  // These arrays are indexed by log2(AccessSize).
  Value *MaybeWarningFn[kNumberOfAccessSizes];
  Value *MaybeStoreOriginFn[kNumberOfAccessSizes];

  /// \brief Run-time helper that generates a new origin value for a stack
  /// allocation.
  Value *MsanSetAllocaOrigin4Fn;
  /// \brief Run-time helper that poisons stack on function entry.
  Value *MsanPoisonStackFn;
  /// \brief Run-time helper that records a store (or any event) of an
  /// uninitialized value and returns an updated origin id encoding this info.
  Value *MsanChainOriginFn;
  /// \brief MSan runtime replacements for memmove, memcpy and memset.
  Value *MemmoveFn, *MemcpyFn, *MemsetFn;

  /// \brief Address mask used in application-to-shadow address calculation.
  /// ShadowAddr is computed as ApplicationAddr & ~ShadowMask.
  uint64_t ShadowMask;
  /// \brief Offset of the origin shadow from the "normal" shadow.
  /// OriginAddr is computed as (ShadowAddr + OriginOffset) & ~3ULL.
  uint64_t OriginOffset;
  /// \brief Branch weights for error reporting.
  MDNode *ColdCallWeights;
  /// \brief Branch weights for origin store.
  MDNode *OriginStoreWeights;
  /// \brief An empty volatile inline asm that prevents callback merge.
  InlineAsm *EmptyAsm;

  bool WrapIndirectCalls;
  /// \brief Run-time wrapper for indirect calls.
  Value *IndirectCallWrapperFn;
  // Argument and return type of IndirectCallWrapperFn: void (*f)(void).
  Type *AnyFunctionPtrTy;

  friend struct MemorySanitizerVisitor;
  friend struct VarArgAMD64Helper;
};
}  // namespace

char MemorySanitizer::ID = 0;
INITIALIZE_PASS(MemorySanitizer, "msan",
                "MemorySanitizer: detects uninitialized reads.",
                false, false)

FunctionPass *llvm::createMemorySanitizerPass(int TrackOrigins) {
  return new MemorySanitizer(TrackOrigins);
}

/// \brief Create a non-const global initialized with the given string.
///
/// Creates a writable global for Str so that we can pass it to the
/// run-time lib. The runtime uses the first 4 bytes of the string to store the
/// frame ID, so the string needs to be mutable.
static GlobalVariable *createPrivateNonConstGlobalForString(Module &M,
                                                            StringRef Str) {
  Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);
  return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/false,
                            GlobalValue::PrivateLinkage, StrConst, "");
}

/// \brief Insert extern declarations of runtime-provided functions and
/// globals.
void MemorySanitizer::initializeCallbacks(Module &M) {
  // Only do this once.
  if (WarningFn)
    return;

  IRBuilder<> IRB(*C);
  // Create the callback.
  // FIXME: this function should have "Cold" calling conv,
  // which is not yet implemented.
  StringRef WarningFnName = ClKeepGoing ? "__msan_warning"
                                        : "__msan_warning_noreturn";
  WarningFn = M.getOrInsertFunction(WarningFnName, IRB.getVoidTy(), NULL);

  for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
       AccessSizeIndex++) {
    unsigned AccessSize = 1 << AccessSizeIndex;
    std::string FunctionName = "__msan_maybe_warning_" + itostr(AccessSize);
    MaybeWarningFn[AccessSizeIndex] = M.getOrInsertFunction(
        FunctionName, IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8),
        IRB.getInt32Ty(), NULL);

    FunctionName = "__msan_maybe_store_origin_" + itostr(AccessSize);
    MaybeStoreOriginFn[AccessSizeIndex] = M.getOrInsertFunction(
        FunctionName, IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8),
        IRB.getInt8PtrTy(), IRB.getInt32Ty(), NULL);
  }

  MsanSetAllocaOrigin4Fn = M.getOrInsertFunction(
      "__msan_set_alloca_origin4", IRB.getVoidTy(), IRB.getInt8PtrTy(),
      IntptrTy, IRB.getInt8PtrTy(), IntptrTy, NULL);
  MsanPoisonStackFn = M.getOrInsertFunction(
      "__msan_poison_stack", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy,
      NULL);
  MsanChainOriginFn = M.getOrInsertFunction(
      "__msan_chain_origin", IRB.getInt32Ty(), IRB.getInt32Ty(), NULL);
  MemmoveFn = M.getOrInsertFunction(
      "__msan_memmove", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
      IRB.getInt8PtrTy(), IntptrTy, NULL);
  MemcpyFn = M.getOrInsertFunction(
      "__msan_memcpy", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
      IRB.getInt8PtrTy(), IntptrTy, NULL);
  MemsetFn = M.getOrInsertFunction(
      "__msan_memset", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt32Ty(),
      IntptrTy, NULL);

  // Create globals.
  RetvalTLS = new GlobalVariable(
      M, ArrayType::get(IRB.getInt64Ty(), 8), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_retval_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);
  RetvalOriginTLS = new GlobalVariable(
      M, OriginTy, false, GlobalVariable::ExternalLinkage, nullptr,
      "__msan_retval_origin_tls", nullptr, GlobalVariable::InitialExecTLSModel);

  ParamTLS = new GlobalVariable(
      M, ArrayType::get(IRB.getInt64Ty(), 1000), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_param_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);
  ParamOriginTLS = new GlobalVariable(
      M, ArrayType::get(OriginTy, 1000), false, GlobalVariable::ExternalLinkage,
      nullptr, "__msan_param_origin_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);

  VAArgTLS = new GlobalVariable(
      M, ArrayType::get(IRB.getInt64Ty(), 1000), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_va_arg_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);
  VAArgOverflowSizeTLS = new GlobalVariable(
      M, IRB.getInt64Ty(), false, GlobalVariable::ExternalLinkage, nullptr,
      "__msan_va_arg_overflow_size_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);
  OriginTLS = new GlobalVariable(
      M, IRB.getInt32Ty(), false, GlobalVariable::ExternalLinkage, nullptr,
      "__msan_origin_tls", nullptr, GlobalVariable::InitialExecTLSModel);

  // We insert an empty inline asm after __msan_report* to avoid callback
  // merge.
  EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
                            StringRef(""), StringRef(""),
                            /*hasSideEffects=*/true);

  if (WrapIndirectCalls) {
    AnyFunctionPtrTy =
        PointerType::getUnqual(FunctionType::get(IRB.getVoidTy(), false));
    IndirectCallWrapperFn = M.getOrInsertFunction(
        ClWrapIndirectCalls, AnyFunctionPtrTy, AnyFunctionPtrTy, NULL);
  }

  if (WrapIndirectCalls && ClWrapIndirectCallsFast) {
    MsandrModuleStart = new GlobalVariable(
        M, IRB.getInt32Ty(), false, GlobalValue::ExternalLinkage,
        nullptr, "__executable_start");
    MsandrModuleStart->setVisibility(GlobalVariable::HiddenVisibility);
    MsandrModuleEnd = new GlobalVariable(
        M, IRB.getInt32Ty(), false, GlobalValue::ExternalLinkage,
        nullptr, "_end");
    MsandrModuleEnd->setVisibility(GlobalVariable::HiddenVisibility);
  }
}

/// \brief Module-level initialization.
///
/// Inserts a call to __msan_init into the module's constructor list.
bool MemorySanitizer::doInitialization(Module &M) {
  DataLayoutPass *DLP = getAnalysisIfAvailable<DataLayoutPass>();
  if (!DLP)
    report_fatal_error("data layout missing");
  DL = &DLP->getDataLayout();

  C = &(M.getContext());
  unsigned PtrSize = DL->getPointerSizeInBits(/* AddressSpace */ 0);
  switch (PtrSize) {
    case 64:
      ShadowMask = kShadowMask64;
      OriginOffset = kOriginOffset64;
      break;
    case 32:
      ShadowMask = kShadowMask32;
      OriginOffset = kOriginOffset32;
      break;
    default:
      report_fatal_error("unsupported pointer size");
      break;
  }

  IRBuilder<> IRB(*C);
  IntptrTy = IRB.getIntPtrTy(DL);
  OriginTy = IRB.getInt32Ty();

  ColdCallWeights = MDBuilder(*C).createBranchWeights(1, 1000);
  OriginStoreWeights = MDBuilder(*C).createBranchWeights(1, 1000);

  // Insert a call to __msan_init/__msan_track_origins into the module's CTORs.
  appendToGlobalCtors(M, cast<Function>(M.getOrInsertFunction(
                             "__msan_init", IRB.getVoidTy(), NULL)), 0);

  if (TrackOrigins)
    new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage,
                       IRB.getInt32(TrackOrigins), "__msan_track_origins");

  if (ClKeepGoing)
    new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage,
                       IRB.getInt32(ClKeepGoing), "__msan_keep_going");

  return true;
}

namespace {

/// \brief A helper class that handles instrumentation of VarArg
/// functions on a particular platform.
///
/// Implementations are expected to insert the instrumentation
/// necessary to propagate argument shadow through VarArg function
/// calls. Visit* methods are called during an InstVisitor pass over
/// the function, and should avoid creating new basic blocks. A new
/// instance of this class is created for each instrumented function.
struct VarArgHelper {
  /// \brief Visit a CallSite.
  virtual void visitCallSite(CallSite &CS, IRBuilder<> &IRB) = 0;

  /// \brief Visit a va_start call.
  virtual void visitVAStartInst(VAStartInst &I) = 0;

  /// \brief Visit a va_copy call.
  virtual void visitVACopyInst(VACopyInst &I) = 0;

  /// \brief Finalize function instrumentation.
  ///
  /// This method is called after visiting all interesting (see above)
  /// instructions in a function.
  virtual void finalizeInstrumentation() = 0;

  virtual ~VarArgHelper() {}
};

struct MemorySanitizerVisitor;

VarArgHelper*
CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
                   MemorySanitizerVisitor &Visitor);

unsigned TypeSizeToSizeIndex(unsigned TypeSize) {
  if (TypeSize <= 8) return 0;
  return Log2_32_Ceil(TypeSize / 8);
}

/// This class does all the work for a given function. Store and Load
/// instructions store and load corresponding shadow and origin
/// values. Most instructions propagate shadow from arguments to their
/// return values. Certain instructions (most importantly, BranchInst)
/// test their argument shadow and print reports (with a runtime call) if it's
/// non-zero.
struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
  Function &F;
  MemorySanitizer &MS;
  SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes;
  ValueMap<Value*, Value*> ShadowMap, OriginMap;
  std::unique_ptr<VarArgHelper> VAHelper;

  // The following flags disable parts of MSan instrumentation based on
  // blacklist contents and command-line options.
  bool InsertChecks;
  bool PropagateShadow;
  bool PoisonStack;
  bool PoisonUndef;
  bool CheckReturnValue;

  struct ShadowOriginAndInsertPoint {
    Value *Shadow;
    Value *Origin;
    Instruction *OrigIns;
    ShadowOriginAndInsertPoint(Value *S, Value *O, Instruction *I)
        : Shadow(S), Origin(O), OrigIns(I) { }
  };
  SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList;
  SmallVector<Instruction*, 16> StoreList;
  SmallVector<CallSite, 16> IndirectCallList;

  MemorySanitizerVisitor(Function &F, MemorySanitizer &MS)
      : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)) {
    bool SanitizeFunction = F.getAttributes().hasAttribute(
        AttributeSet::FunctionIndex, Attribute::SanitizeMemory);
    InsertChecks = SanitizeFunction;
    PropagateShadow = SanitizeFunction;
    PoisonStack = SanitizeFunction && ClPoisonStack;
    PoisonUndef = SanitizeFunction && ClPoisonUndef;
    // FIXME: Consider using SpecialCaseList to specify a list of functions
    // that must always return fully initialized values. For now, we hardcode
    // "main".
    CheckReturnValue = SanitizeFunction && (F.getName() == "main");

    DEBUG(if (!InsertChecks)
              dbgs() << "MemorySanitizer is not inserting checks into '"
                     << F.getName() << "'\n");
  }

  Value *updateOrigin(Value *V, IRBuilder<> &IRB) {
    if (MS.TrackOrigins <= 1) return V;
    return IRB.CreateCall(MS.MsanChainOriginFn, V);
  }

  void storeOrigin(IRBuilder<> &IRB, Value *Addr, Value *Shadow, Value *Origin,
                   unsigned Alignment, bool AsCall) {
    if (isa<StructType>(Shadow->getType())) {
      IRB.CreateAlignedStore(updateOrigin(Origin, IRB), getOriginPtr(Addr, IRB),
                             Alignment);
    } else {
      Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
      // TODO(eugenis): handle non-zero constant shadow by inserting an
      // unconditional check (can not simply fail compilation as this could
      // be in the dead code).
      if (isa<Constant>(ConvertedShadow)) return;
      unsigned TypeSizeInBits =
          MS.DL->getTypeSizeInBits(ConvertedShadow->getType());
      unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
      if (AsCall && SizeIndex < kNumberOfAccessSizes) {
        Value *Fn = MS.MaybeStoreOriginFn[SizeIndex];
        Value *ConvertedShadow2 = IRB.CreateZExt(
            ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
        IRB.CreateCall3(Fn, ConvertedShadow2,
                        IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()),
                        Origin);
      } else {
        Value *Cmp = IRB.CreateICmpNE(
            ConvertedShadow, getCleanShadow(ConvertedShadow), "_mscmp");
        Instruction *CheckTerm = SplitBlockAndInsertIfThen(
            Cmp, IRB.GetInsertPoint(), false, MS.OriginStoreWeights);
        IRBuilder<> IRBNew(CheckTerm);
        IRBNew.CreateAlignedStore(updateOrigin(Origin, IRBNew),
                                  getOriginPtr(Addr, IRBNew), Alignment);
      }
    }
  }

  void materializeStores(bool InstrumentWithCalls) {
    for (auto Inst : StoreList) {
      StoreInst &SI = *dyn_cast<StoreInst>(Inst);

      IRBuilder<> IRB(&SI);
      Value *Val = SI.getValueOperand();
      Value *Addr = SI.getPointerOperand();
      Value *Shadow = SI.isAtomic() ? getCleanShadow(Val) : getShadow(Val);
      Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB);

      StoreInst *NewSI =
          IRB.CreateAlignedStore(Shadow, ShadowPtr, SI.getAlignment());
      DEBUG(dbgs() << " STORE: " << *NewSI << "\n");
      (void)NewSI;

      if (ClCheckAccessAddress) insertShadowCheck(Addr, &SI);

      if (SI.isAtomic()) SI.setOrdering(addReleaseOrdering(SI.getOrdering()));

      if (MS.TrackOrigins) {
        unsigned Alignment = std::max(kMinOriginAlignment, SI.getAlignment());
        storeOrigin(IRB, Addr, Shadow, getOrigin(Val), Alignment,
                    InstrumentWithCalls);
      }
    }
  }

  void materializeOneCheck(Instruction *OrigIns, Value *Shadow, Value *Origin,
                           bool AsCall) {
    IRBuilder<> IRB(OrigIns);
    DEBUG(dbgs() << " SHAD0 : " << *Shadow << "\n");
    Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
    DEBUG(dbgs() << " SHAD1 : " << *ConvertedShadow << "\n");
    // See the comment in materializeStores().
    if (isa<Constant>(ConvertedShadow)) return;
    unsigned TypeSizeInBits =
        MS.DL->getTypeSizeInBits(ConvertedShadow->getType());
    unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
    if (AsCall && SizeIndex < kNumberOfAccessSizes) {
      Value *Fn = MS.MaybeWarningFn[SizeIndex];
      Value *ConvertedShadow2 =
          IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
      IRB.CreateCall2(Fn, ConvertedShadow2, MS.TrackOrigins && Origin
                                                ? Origin
                                                : (Value *)IRB.getInt32(0));
    } else {
      Value *Cmp = IRB.CreateICmpNE(ConvertedShadow,
                                    getCleanShadow(ConvertedShadow), "_mscmp");
      Instruction *CheckTerm = SplitBlockAndInsertIfThen(
          Cmp, OrigIns,
          /* Unreachable */ !ClKeepGoing, MS.ColdCallWeights);

      IRB.SetInsertPoint(CheckTerm);
      if (MS.TrackOrigins) {
        IRB.CreateStore(Origin ? (Value *)Origin : (Value *)IRB.getInt32(0),
                        MS.OriginTLS);
      }
      IRB.CreateCall(MS.WarningFn);
      IRB.CreateCall(MS.EmptyAsm);
      DEBUG(dbgs() << " CHECK: " << *Cmp << "\n");
    }
  }

  void materializeChecks(bool InstrumentWithCalls) {
    for (const auto &ShadowData : InstrumentationList) {
      Instruction *OrigIns = ShadowData.OrigIns;
      Value *Shadow = ShadowData.Shadow;
      Value *Origin = ShadowData.Origin;
      materializeOneCheck(OrigIns, Shadow, Origin, InstrumentWithCalls);
    }
    DEBUG(dbgs() << "DONE:\n" << F);
  }

  void materializeIndirectCalls() {
    for (auto &CS : IndirectCallList) {
      Instruction *I = CS.getInstruction();
      BasicBlock *B = I->getParent();
      IRBuilder<> IRB(I);
      Value *Fn0 = CS.getCalledValue();
      Value *Fn = IRB.CreateBitCast(Fn0, MS.AnyFunctionPtrTy);

      if (ClWrapIndirectCallsFast) {
        // Check that the call target is inside this module's limits.
        Value *Start =
            IRB.CreateBitCast(MS.MsandrModuleStart, MS.AnyFunctionPtrTy);
        Value *End = IRB.CreateBitCast(MS.MsandrModuleEnd, MS.AnyFunctionPtrTy);

        Value *NotInThisModule = IRB.CreateOr(IRB.CreateICmpULT(Fn, Start),
                                              IRB.CreateICmpUGE(Fn, End));

        PHINode *NewFnPhi =
            IRB.CreatePHI(Fn0->getType(), 2, "msandr.indirect_target");

        Instruction *CheckTerm = SplitBlockAndInsertIfThen(
            NotInThisModule, NewFnPhi,
            /* Unreachable */ false, MS.ColdCallWeights);

        IRB.SetInsertPoint(CheckTerm);
        // Slow path: call wrapper function to possibly transform the call
        // target.
        Value *NewFn = IRB.CreateBitCast(
            IRB.CreateCall(MS.IndirectCallWrapperFn, Fn), Fn0->getType());

        NewFnPhi->addIncoming(Fn0, B);
        NewFnPhi->addIncoming(NewFn, dyn_cast<Instruction>(NewFn)->getParent());
        CS.setCalledFunction(NewFnPhi);
      } else {
        Value *NewFn = IRB.CreateBitCast(
            IRB.CreateCall(MS.IndirectCallWrapperFn, Fn), Fn0->getType());
        CS.setCalledFunction(NewFn);
      }
    }
  }

  /// \brief Add MemorySanitizer instrumentation to a function.
  bool runOnFunction() {
    MS.initializeCallbacks(*F.getParent());
    if (!MS.DL) return false;

    // In the presence of unreachable blocks, we may see Phi nodes with
    // incoming nodes from such blocks. Since InstVisitor skips unreachable
    // blocks, such nodes will not have any shadow value associated with them.
    // It's easier to remove unreachable blocks than deal with missing shadow.
    removeUnreachableBlocks(F);

    // Iterate all BBs in depth-first order and create shadow instructions
    // for all instructions (where applicable).
    // For PHI nodes we create dummy shadow PHIs which will be finalized later.
    for (BasicBlock *BB : depth_first(&F.getEntryBlock()))
      visit(*BB);

    // Finalize PHI nodes.
    for (PHINode *PN : ShadowPHINodes) {
      PHINode *PNS = cast<PHINode>(getShadow(PN));
      PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : nullptr;
      size_t NumValues = PN->getNumIncomingValues();
      for (size_t v = 0; v < NumValues; v++) {
        PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v));
        if (PNO) PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v));
      }
    }

    VAHelper->finalizeInstrumentation();

    bool InstrumentWithCalls = ClInstrumentationWithCallThreshold >= 0 &&
                               InstrumentationList.size() + StoreList.size() >
                                   (unsigned)ClInstrumentationWithCallThreshold;

    // Delayed instrumentation of StoreInst.
    // This may add new checks to be inserted later.
    materializeStores(InstrumentWithCalls);

    // Insert shadow value checks.
    materializeChecks(InstrumentWithCalls);

    // Wrap indirect calls.
    materializeIndirectCalls();

    return true;
  }

  /// \brief Compute the shadow type that corresponds to a given Value.
  Type *getShadowTy(Value *V) {
    return getShadowTy(V->getType());
  }

  /// \brief Compute the shadow type that corresponds to a given Type.
  Type *getShadowTy(Type *OrigTy) {
    if (!OrigTy->isSized()) {
      return nullptr;
    }
    // For integer type, shadow is the same as the original type.
    // This may return weird-sized types like i1.
    if (IntegerType *IT = dyn_cast<IntegerType>(OrigTy))
      return IT;
    if (VectorType *VT = dyn_cast<VectorType>(OrigTy)) {
      uint32_t EltSize = MS.DL->getTypeSizeInBits(VT->getElementType());
      return VectorType::get(IntegerType::get(*MS.C, EltSize),
                             VT->getNumElements());
    }
    if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy)) {
      return ArrayType::get(getShadowTy(AT->getElementType()),
                            AT->getNumElements());
    }
    if (StructType *ST = dyn_cast<StructType>(OrigTy)) {
      SmallVector<Type*, 4> Elements;
      for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
        Elements.push_back(getShadowTy(ST->getElementType(i)));
      StructType *Res = StructType::get(*MS.C, Elements, ST->isPacked());
      DEBUG(dbgs() << "getShadowTy: " << *ST << " ===> " << *Res << "\n");
      return Res;
    }
    uint32_t TypeSize = MS.DL->getTypeSizeInBits(OrigTy);
    return IntegerType::get(*MS.C, TypeSize);
  }

  /// \brief Flatten a vector type.
  Type *getShadowTyNoVec(Type *ty) {
    if (VectorType *vt = dyn_cast<VectorType>(ty))
      return IntegerType::get(*MS.C, vt->getBitWidth());
    return ty;
  }

  /// \brief Convert a shadow value to its flattened variant.
  Value *convertToShadowTyNoVec(Value *V, IRBuilder<> &IRB) {
    Type *Ty = V->getType();
    Type *NoVecTy = getShadowTyNoVec(Ty);
    if (Ty == NoVecTy) return V;
    return IRB.CreateBitCast(V, NoVecTy);
  }

  /// \brief Compute the shadow address that corresponds to a given application
  /// address.
  ///
  /// Shadow = Addr & ~ShadowMask.
  Value *getShadowPtr(Value *Addr, Type *ShadowTy,
                      IRBuilder<> &IRB) {
    Value *ShadowLong =
        IRB.CreateAnd(IRB.CreatePointerCast(Addr, MS.IntptrTy),
                      ConstantInt::get(MS.IntptrTy, ~MS.ShadowMask));
    return IRB.CreateIntToPtr(ShadowLong, PointerType::get(ShadowTy, 0));
  }

  /// \brief Compute the origin address that corresponds to a given application
  /// address.
  ///
  /// OriginAddr = (ShadowAddr + OriginOffset) & ~3ULL
  Value *getOriginPtr(Value *Addr, IRBuilder<> &IRB) {
    Value *ShadowLong =
        IRB.CreateAnd(IRB.CreatePointerCast(Addr, MS.IntptrTy),
                      ConstantInt::get(MS.IntptrTy, ~MS.ShadowMask));
    Value *Add =
        IRB.CreateAdd(ShadowLong,
                      ConstantInt::get(MS.IntptrTy, MS.OriginOffset));
    Value *SecondAnd =
        IRB.CreateAnd(Add, ConstantInt::get(MS.IntptrTy, ~3ULL));
    return IRB.CreateIntToPtr(SecondAnd, PointerType::get(IRB.getInt32Ty(), 0));
  }

  /// \brief Compute the shadow address for a given function argument.
  ///
  /// Shadow = ParamTLS+ArgOffset.
  Value *getShadowPtrForArgument(Value *A, IRBuilder<> &IRB,
                                 int ArgOffset) {
    Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy);
    Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
    return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0),
                              "_msarg");
  }

  /// \brief Compute the origin address for a given function argument.
  Value *getOriginPtrForArgument(Value *A, IRBuilder<> &IRB,
                                 int ArgOffset) {
    if (!MS.TrackOrigins) return nullptr;
    Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy);
    Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
    return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
                              "_msarg_o");
  }
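  // For example (an illustration, not a statement about any particular ABI):
  // when getShadow() below materializes the shadow for the arguments of
  // void f(int a, double b), it reads the shadow of 'a' from __msan_param_tls
  // at offset 0 and the shadow of 'b' at offset 8, because each argument's
  // slot is rounded up to kShadowTLSAlignment (8) bytes.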
  /// \brief Compute the shadow address for a retval.
  Value *getShadowPtrForRetval(Value *A, IRBuilder<> &IRB) {
    Value *Base = IRB.CreatePointerCast(MS.RetvalTLS, MS.IntptrTy);
    return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0),
                              "_msret");
  }

  /// \brief Compute the origin address for a retval.
  Value *getOriginPtrForRetval(IRBuilder<> &IRB) {
    // We keep a single origin for the entire retval. Might be too optimistic.
    return MS.RetvalOriginTLS;
  }

  /// \brief Set SV to be the shadow value for V.
  void setShadow(Value *V, Value *SV) {
    assert(!ShadowMap.count(V) && "Values may only have one shadow");
    ShadowMap[V] = PropagateShadow ? SV : getCleanShadow(V);
  }

  /// \brief Set Origin to be the origin value for V.
  void setOrigin(Value *V, Value *Origin) {
    if (!MS.TrackOrigins) return;
    assert(!OriginMap.count(V) && "Values may only have one origin");
    DEBUG(dbgs() << "ORIGIN: " << *V << " ==> " << *Origin << "\n");
    OriginMap[V] = Origin;
  }

  /// \brief Create a clean shadow value for a given value.
  ///
  /// Clean shadow (all zeroes) means all bits of the value are defined
  /// (initialized).
  Constant *getCleanShadow(Value *V) {
    Type *ShadowTy = getShadowTy(V);
    if (!ShadowTy)
      return nullptr;
    return Constant::getNullValue(ShadowTy);
  }

  /// \brief Create a dirty shadow of a given shadow type.
  Constant *getPoisonedShadow(Type *ShadowTy) {
    assert(ShadowTy);
    if (isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy))
      return Constant::getAllOnesValue(ShadowTy);
    if (ArrayType *AT = dyn_cast<ArrayType>(ShadowTy)) {
      SmallVector<Constant *, 4> Vals(AT->getNumElements(),
                                      getPoisonedShadow(AT->getElementType()));
      return ConstantArray::get(AT, Vals);
    }
    if (StructType *ST = dyn_cast<StructType>(ShadowTy)) {
      SmallVector<Constant *, 4> Vals;
      for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
        Vals.push_back(getPoisonedShadow(ST->getElementType(i)));
      return ConstantStruct::get(ST, Vals);
    }
    llvm_unreachable("Unexpected shadow type");
  }

  /// \brief Create a dirty shadow for a given value.
  Constant *getPoisonedShadow(Value *V) {
    Type *ShadowTy = getShadowTy(V);
    if (!ShadowTy)
      return nullptr;
    return getPoisonedShadow(ShadowTy);
  }

  /// \brief Create a clean (zero) origin.
  Value *getCleanOrigin() {
    return Constant::getNullValue(MS.OriginTy);
  }

  /// \brief Get the shadow value for a given Value.
  ///
  /// This function either returns the value set earlier with setShadow,
  /// or extracts it from ParamTLS (for function arguments).
  Value *getShadow(Value *V) {
    if (!PropagateShadow) return getCleanShadow(V);
    if (Instruction *I = dyn_cast<Instruction>(V)) {
      // For instructions the shadow is already stored in the map.
      Value *Shadow = ShadowMap[V];
      if (!Shadow) {
        DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent()));
        (void)I;
        assert(Shadow && "No shadow for a value");
      }
      return Shadow;
    }
    if (UndefValue *U = dyn_cast<UndefValue>(V)) {
      Value *AllOnes = PoisonUndef ? getPoisonedShadow(V) : getCleanShadow(V);
      DEBUG(dbgs() << "Undef: " << *U << " ==> " << *AllOnes << "\n");
      (void)U;
      return AllOnes;
    }
    if (Argument *A = dyn_cast<Argument>(V)) {
      // For arguments we compute the shadow on demand and store it in the map.
      Value **ShadowPtr = &ShadowMap[V];
      if (*ShadowPtr)
        return *ShadowPtr;
      Function *F = A->getParent();
      IRBuilder<> EntryIRB(F->getEntryBlock().getFirstNonPHI());
      unsigned ArgOffset = 0;
      for (auto &FArg : F->args()) {
        if (!FArg.getType()->isSized()) {
          DEBUG(dbgs() << "Arg is not sized\n");
          continue;
        }
        unsigned Size = FArg.hasByValAttr()
            ? MS.DL->getTypeAllocSize(FArg.getType()->getPointerElementType())
            : MS.DL->getTypeAllocSize(FArg.getType());
        if (A == &FArg) {
          Value *Base = getShadowPtrForArgument(&FArg, EntryIRB, ArgOffset);
          if (FArg.hasByValAttr()) {
            // ByVal pointer itself has clean shadow. We copy the actual
            // argument shadow to the underlying memory.
            // Figure out maximal valid memcpy alignment.
            unsigned ArgAlign = FArg.getParamAlignment();
            if (ArgAlign == 0) {
              Type *EltType = A->getType()->getPointerElementType();
              ArgAlign = MS.DL->getABITypeAlignment(EltType);
            }
            unsigned CopyAlign = std::min(ArgAlign, kShadowTLSAlignment);
            Value *Cpy = EntryIRB.CreateMemCpy(
                getShadowPtr(V, EntryIRB.getInt8Ty(), EntryIRB), Base, Size,
                CopyAlign);
            DEBUG(dbgs() << " ByValCpy: " << *Cpy << "\n");
            (void)Cpy;
            *ShadowPtr = getCleanShadow(V);
          } else {
            *ShadowPtr = EntryIRB.CreateAlignedLoad(Base, kShadowTLSAlignment);
          }
          DEBUG(dbgs() << " ARG: " << FArg << " ==> " <<
                **ShadowPtr << "\n");
          if (MS.TrackOrigins) {
            Value *OriginPtr =
                getOriginPtrForArgument(&FArg, EntryIRB, ArgOffset);
            setOrigin(A, EntryIRB.CreateLoad(OriginPtr));
          }
        }
        ArgOffset += DataLayout::RoundUpAlignment(Size, kShadowTLSAlignment);
      }
      assert(*ShadowPtr && "Could not find shadow for an argument");
      return *ShadowPtr;
    }
    // For everything else the shadow is zero.
    return getCleanShadow(V);
  }

  /// \brief Get the shadow for i-th argument of the instruction I.
  Value *getShadow(Instruction *I, int i) {
    return getShadow(I->getOperand(i));
  }

  /// \brief Get the origin for a value.
  Value *getOrigin(Value *V) {
    if (!MS.TrackOrigins) return nullptr;
    if (isa<Instruction>(V) || isa<Argument>(V)) {
      Value *Origin = OriginMap[V];
      if (!Origin) {
        DEBUG(dbgs() << "NO ORIGIN: " << *V << "\n");
        Origin = getCleanOrigin();
      }
      return Origin;
    }
    return getCleanOrigin();
  }

  /// \brief Get the origin for i-th argument of the instruction I.
  Value *getOrigin(Instruction *I, int i) {
    return getOrigin(I->getOperand(i));
  }

  /// \brief Remember the place where a shadow check should be inserted.
  ///
  /// This location will be later instrumented with a check that will print a
  /// UMR warning at runtime if the shadow value is not 0.
  void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) {
    assert(Shadow);
    if (!InsertChecks) return;
#ifndef NDEBUG
    Type *ShadowTy = Shadow->getType();
    assert((isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy)) &&
           "Can only insert checks for integer and vector shadow types");
#endif
    InstrumentationList.push_back(
        ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns));
  }

  /// \brief Remember the place where a shadow check should be inserted.
  ///
  /// This location will be later instrumented with a check that will print a
  /// UMR warning at runtime if the value is not fully defined.
  void insertShadowCheck(Value *Val, Instruction *OrigIns) {
    assert(Val);
    Instruction *Shadow = dyn_cast_or_null<Instruction>(getShadow(Val));
    if (!Shadow) return;
    Instruction *Origin = dyn_cast_or_null<Instruction>(getOrigin(Val));
    insertShadowCheck(Shadow, Origin, OrigIns);
  }

  AtomicOrdering addReleaseOrdering(AtomicOrdering a) {
    switch (a) {
      case NotAtomic:
        return NotAtomic;
      case Unordered:
      case Monotonic:
      case Release:
        return Release;
      case Acquire:
      case AcquireRelease:
        return AcquireRelease;
      case SequentiallyConsistent:
        return SequentiallyConsistent;
    }
    llvm_unreachable("Unknown ordering");
  }

  AtomicOrdering addAcquireOrdering(AtomicOrdering a) {
    switch (a) {
      case NotAtomic:
        return NotAtomic;
      case Unordered:
      case Monotonic:
      case Acquire:
        return Acquire;
      case Release:
      case AcquireRelease:
        return AcquireRelease;
      case SequentiallyConsistent:
        return SequentiallyConsistent;
    }
    llvm_unreachable("Unknown ordering");
  }

  // ------------------- Visitors.

  /// \brief Instrument LoadInst
  ///
  /// Loads the corresponding shadow and (optionally) origin.
  /// Optionally, checks that the load address is fully defined.
  void visitLoadInst(LoadInst &I) {
    assert(I.getType()->isSized() && "Load type must have size");
    IRBuilder<> IRB(I.getNextNode());
    Type *ShadowTy = getShadowTy(&I);
    Value *Addr = I.getPointerOperand();
    if (PropagateShadow) {
      Value *ShadowPtr = getShadowPtr(Addr, ShadowTy, IRB);
      setShadow(&I,
                IRB.CreateAlignedLoad(ShadowPtr, I.getAlignment(), "_msld"));
    } else {
      setShadow(&I, getCleanShadow(&I));
    }

    if (ClCheckAccessAddress)
      insertShadowCheck(I.getPointerOperand(), &I);

    if (I.isAtomic())
      I.setOrdering(addAcquireOrdering(I.getOrdering()));

    if (MS.TrackOrigins) {
      if (PropagateShadow) {
        unsigned Alignment = std::max(kMinOriginAlignment, I.getAlignment());
        setOrigin(&I,
                  IRB.CreateAlignedLoad(getOriginPtr(Addr, IRB), Alignment));
      } else {
        setOrigin(&I, getCleanOrigin());
      }
    }
  }

  /// \brief Instrument StoreInst
  ///
  /// Stores the corresponding shadow and (optionally) origin.
  /// Optionally, checks that the store address is fully defined.
  void visitStoreInst(StoreInst &I) {
    StoreList.push_back(&I);
  }

  void handleCASOrRMW(Instruction &I) {
    assert(isa<AtomicRMWInst>(I) || isa<AtomicCmpXchgInst>(I));

    IRBuilder<> IRB(&I);
    Value *Addr = I.getOperand(0);
    Value *ShadowPtr = getShadowPtr(Addr, I.getType(), IRB);

    if (ClCheckAccessAddress)
      insertShadowCheck(Addr, &I);

    // Only test the conditional argument of cmpxchg instruction.
    // The other argument can potentially be uninitialized, but we can not
    // detect this situation reliably without possible false positives.
    if (isa<AtomicCmpXchgInst>(I))
      insertShadowCheck(I.getOperand(1), &I);

    IRB.CreateStore(getCleanShadow(&I), ShadowPtr);

    setShadow(&I, getCleanShadow(&I));
  }

  void visitAtomicRMWInst(AtomicRMWInst &I) {
    handleCASOrRMW(I);
    I.setOrdering(addReleaseOrdering(I.getOrdering()));
  }

  void visitAtomicCmpXchgInst(AtomicCmpXchgInst &I) {
    handleCASOrRMW(I);
    I.setSuccessOrdering(addReleaseOrdering(I.getSuccessOrdering()));
  }

  // Vector manipulation.
  void visitExtractElementInst(ExtractElementInst &I) {
    insertShadowCheck(I.getOperand(1), &I);
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateExtractElement(getShadow(&I, 0), I.getOperand(1),
                                           "_msprop"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitInsertElementInst(InsertElementInst &I) {
    insertShadowCheck(I.getOperand(2), &I);
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateInsertElement(getShadow(&I, 0), getShadow(&I, 1),
                                          I.getOperand(2), "_msprop"));
    setOriginForNaryOp(I);
  }

  void visitShuffleVectorInst(ShuffleVectorInst &I) {
    insertShadowCheck(I.getOperand(2), &I);
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateShuffleVector(getShadow(&I, 0), getShadow(&I, 1),
                                          I.getOperand(2), "_msprop"));
    setOriginForNaryOp(I);
  }

  // Casts.
  void visitSExtInst(SExtInst &I) {
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateSExt(getShadow(&I, 0), I.getType(), "_msprop"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitZExtInst(ZExtInst &I) {
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateZExt(getShadow(&I, 0), I.getType(), "_msprop"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitTruncInst(TruncInst &I) {
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateTrunc(getShadow(&I, 0), I.getType(), "_msprop"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitBitCastInst(BitCastInst &I) {
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateBitCast(getShadow(&I, 0), getShadowTy(&I)));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitPtrToIntInst(PtrToIntInst &I) {
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
                                    "_msprop_ptrtoint"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitIntToPtrInst(IntToPtrInst &I) {
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
                                    "_msprop_inttoptr"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitFPToSIInst(CastInst& I) { handleShadowOr(I); }
  void visitFPToUIInst(CastInst& I) { handleShadowOr(I); }
  void visitSIToFPInst(CastInst& I) { handleShadowOr(I); }
  void visitUIToFPInst(CastInst& I) { handleShadowOr(I); }
  void visitFPExtInst(CastInst& I) { handleShadowOr(I); }
  void visitFPTruncInst(CastInst& I) { handleShadowOr(I); }

  /// \brief Propagate shadow for bitwise AND.
  ///
  /// This code is exact, i.e. if, for example, a bit in the left argument
  /// is defined and 0, then neither the value nor the definedness of the
  /// corresponding bit in B affects the resulting shadow.
  void visitAnd(BinaryOperator &I) {
    IRBuilder<> IRB(&I);
    // "And" of 0 and a poisoned value results in unpoisoned value.
    // 1&1 => 1;  0&1 => 0;  p&1 => p;
    // 1&0 => 0;  0&0 => 0;  p&0 => 0;
    // 1&p => p;  0&p => 0;  p&p => p;
    // S = (S1 & S2) | (V1 & S2) | (S1 & V2)
    Value *S1 = getShadow(&I, 0);
    Value *S2 = getShadow(&I, 1);
    Value *V1 = I.getOperand(0);
    Value *V2 = I.getOperand(1);
    if (V1->getType() != S1->getType()) {
      V1 = IRB.CreateIntCast(V1, S1->getType(), false);
      V2 = IRB.CreateIntCast(V2, S2->getType(), false);
    }
    Value *S1S2 = IRB.CreateAnd(S1, S2);
    Value *V1S2 = IRB.CreateAnd(V1, S2);
    Value *S1V2 = IRB.CreateAnd(S1, V2);
    setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2)));
    setOriginForNaryOp(I);
  }

  void visitOr(BinaryOperator &I) {
    IRBuilder<> IRB(&I);
    // "Or" of 1 and a poisoned value results in unpoisoned value.
    // 1|1 => 1;  0|1 => 1;  p|1 => 1;
    // 1|0 => 1;  0|0 => 0;  p|0 => p;
    // 1|p => 1;  0|p => p;  p|p => p;
    // S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2)
    Value *S1 = getShadow(&I, 0);
    Value *S2 = getShadow(&I, 1);
    Value *V1 = IRB.CreateNot(I.getOperand(0));
    Value *V2 = IRB.CreateNot(I.getOperand(1));
    if (V1->getType() != S1->getType()) {
      V1 = IRB.CreateIntCast(V1, S1->getType(), false);
      V2 = IRB.CreateIntCast(V2, S2->getType(), false);
    }
    Value *S1S2 = IRB.CreateAnd(S1, S2);
    Value *V1S2 = IRB.CreateAnd(V1, S2);
    Value *S1V2 = IRB.CreateAnd(S1, V2);
    setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2)));
    setOriginForNaryOp(I);
  }

  /// \brief Default propagation of shadow and/or origin.
  ///
  /// This class implements the general case of shadow propagation, used in all
  /// cases where we don't know and/or don't care about what the operation
  /// actually does. It converts all input shadow values to a common type
  /// (extending or truncating as necessary), and bitwise OR's them.
  ///
  /// This is much cheaper than inserting checks (i.e. requiring inputs to be
  /// fully initialized), and less prone to false positives.
  ///
  /// This class also implements the general case of origin propagation. For a
  /// Nary operation, result origin is set to the origin of an argument that is
  /// not entirely initialized. If there is more than one such argument, the
  /// rightmost of them is picked. It does not matter which one is picked if all
  /// arguments are initialized.
  template <bool CombineShadow>
  class Combiner {
    Value *Shadow;
    Value *Origin;
    IRBuilder<> &IRB;
    MemorySanitizerVisitor *MSV;

  public:
    Combiner(MemorySanitizerVisitor *MSV, IRBuilder<> &IRB) :
      Shadow(nullptr), Origin(nullptr), IRB(IRB), MSV(MSV) {}

    /// \brief Add a pair of shadow and origin values to the mix.
    Combiner &Add(Value *OpShadow, Value *OpOrigin) {
      if (CombineShadow) {
        assert(OpShadow);
        if (!Shadow)
          Shadow = OpShadow;
        else {
          OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType());
          Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop");
        }
      }

      if (MSV->MS.TrackOrigins) {
        assert(OpOrigin);
        if (!Origin) {
          Origin = OpOrigin;
        } else {
          Constant *ConstOrigin = dyn_cast<Constant>(OpOrigin);
          // No point in adding something that might result in 0 origin value.
          if (!ConstOrigin || !ConstOrigin->isNullValue()) {
            Value *FlatShadow = MSV->convertToShadowTyNoVec(OpShadow, IRB);
            Value *Cond =
                IRB.CreateICmpNE(FlatShadow, MSV->getCleanShadow(FlatShadow));
            Origin = IRB.CreateSelect(Cond, OpOrigin, Origin);
          }
        }
      }
      return *this;
    }

    /// \brief Add an application value to the mix.
    Combiner &Add(Value *V) {
      Value *OpShadow = MSV->getShadow(V);
      Value *OpOrigin = MSV->MS.TrackOrigins ? MSV->getOrigin(V) : nullptr;
      return Add(OpShadow, OpOrigin);
    }

    /// \brief Set the current combined values as the given instruction's
    /// shadow and origin.
    void Done(Instruction *I) {
      if (CombineShadow) {
        assert(Shadow);
        Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I));
        MSV->setShadow(I, Shadow);
      }
      if (MSV->MS.TrackOrigins) {
        assert(Origin);
        MSV->setOrigin(I, Origin);
      }
    }
  };

  typedef Combiner<true> ShadowAndOriginCombiner;
  typedef Combiner<false> OriginCombiner;

  /// \brief Propagate origin for arbitrary operation.
  void setOriginForNaryOp(Instruction &I) {
    if (!MS.TrackOrigins) return;
    IRBuilder<> IRB(&I);
    OriginCombiner OC(this, IRB);
    for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI)
      OC.Add(OI->get());
    OC.Done(&I);
  }

  size_t VectorOrPrimitiveTypeSizeInBits(Type *Ty) {
    assert(!(Ty->isVectorTy() && Ty->getScalarType()->isPointerTy()) &&
           "Vector of pointers is not a valid shadow type");
    return Ty->isVectorTy() ?
      Ty->getVectorNumElements() * Ty->getScalarSizeInBits() :
      Ty->getPrimitiveSizeInBits();
  }

  /// \brief Cast between two shadow types, extending or truncating as
  /// necessary.
  Value *CreateShadowCast(IRBuilder<> &IRB, Value *V, Type *dstTy,
                          bool Signed = false) {
    Type *srcTy = V->getType();
    if (dstTy->isIntegerTy() && srcTy->isIntegerTy())
      return IRB.CreateIntCast(V, dstTy, Signed);
    if (dstTy->isVectorTy() && srcTy->isVectorTy() &&
        dstTy->getVectorNumElements() == srcTy->getVectorNumElements())
      return IRB.CreateIntCast(V, dstTy, Signed);
    size_t srcSizeInBits = VectorOrPrimitiveTypeSizeInBits(srcTy);
    size_t dstSizeInBits = VectorOrPrimitiveTypeSizeInBits(dstTy);
    Value *V1 = IRB.CreateBitCast(V, Type::getIntNTy(*MS.C, srcSizeInBits));
    Value *V2 =
        IRB.CreateIntCast(V1, Type::getIntNTy(*MS.C, dstSizeInBits), Signed);
    return IRB.CreateBitCast(V2, dstTy);
    // TODO: handle struct types.
  }

  /// \brief Cast an application value to the type of its own shadow.
  Value *CreateAppToShadowCast(IRBuilder<> &IRB, Value *V) {
    Type *ShadowTy = getShadowTy(V);
    if (V->getType() == ShadowTy)
      return V;
    if (V->getType()->isPtrOrPtrVectorTy())
      return IRB.CreatePtrToInt(V, ShadowTy);
    else
      return IRB.CreateBitCast(V, ShadowTy);
  }

  /// \brief Propagate shadow for arbitrary operation.
  void handleShadowOr(Instruction &I) {
    IRBuilder<> IRB(&I);
    ShadowAndOriginCombiner SC(this, IRB);
    for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI)
      SC.Add(OI->get());
    SC.Done(&I);
  }

  // \brief Handle multiplication by constant.
  //
  // Handle a special case of multiplication by a constant that may have one
  // or more zeros in the lower bits.
  // This makes the corresponding number of lower bits of the result zero as
  // well. We model it by shifting the other operand shadow left by the
  // required number of bits. Effectively, we transform
  // (X * (A * 2**B)) to ((X << B) * A) and instrument (X << B) as (Sx << B).
  // We use multiplication by 2**N instead of shift to cover the case of
  // multiplication by 0, which may occur in some elements of a vector operand.
  void handleMulByConstant(BinaryOperator &I, Constant *ConstArg,
                           Value *OtherArg) {
    Constant *ShadowMul;
    Type *Ty = ConstArg->getType();
    if (Ty->isVectorTy()) {
      unsigned NumElements = Ty->getVectorNumElements();
      Type *EltTy = Ty->getSequentialElementType();
      SmallVector<Constant *, 16> Elements;
      for (unsigned Idx = 0; Idx < NumElements; ++Idx) {
        ConstantInt *Elt =
            dyn_cast<ConstantInt>(ConstArg->getAggregateElement(Idx));
        APInt V = Elt->getValue();
        APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros();
        Elements.push_back(ConstantInt::get(EltTy, V2));
      }
      ShadowMul = ConstantVector::get(Elements);
    } else {
      ConstantInt *Elt = dyn_cast<ConstantInt>(ConstArg);
      APInt V = Elt->getValue();
      APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros();
      ShadowMul = ConstantInt::get(Elt->getType(), V2);
    }

    IRBuilder<> IRB(&I);
    setShadow(&I,
              IRB.CreateMul(getShadow(OtherArg), ShadowMul, "msprop_mul_cst"));
    setOrigin(&I, getOrigin(OtherArg));
  }

  void visitMul(BinaryOperator &I) {
    Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0));
    Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1));
    if (constOp0 && !constOp1)
      handleMulByConstant(I, constOp0, I.getOperand(1));
    else if (constOp1 && !constOp0)
      handleMulByConstant(I, constOp1, I.getOperand(0));
    else
      handleShadowOr(I);
  }
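  // For example (illustrative only): for Y = X * 12, since 12 == 3 * 2**2 the
  // two lowest bits of Y are always zero and therefore initialized, no matter
  // what X is. handleMulByConstant() above computes ShadowMul == 4 (1 << 2),
  // so the shadow of Y becomes Sx * 4, i.e. Sx shifted left by two bits.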
1496 A = IRB.CreatePointerCast(A, Sa->getType()); 1497 B = IRB.CreatePointerCast(B, Sb->getType()); 1498 1499 // A == B <==> (C = A^B) == 0 1500 // A != B <==> (C = A^B) != 0 1501 // Sc = Sa | Sb 1502 Value *C = IRB.CreateXor(A, B); 1503 Value *Sc = IRB.CreateOr(Sa, Sb); 1504 // Now dealing with i = (C == 0) comparison (or C != 0, does not matter now) 1505 // Result is defined if one of the following is true 1506 // * there is a defined 1 bit in C 1507 // * C is fully defined 1508 // Si = !(C & ~Sc) && Sc 1509 Value *Zero = Constant::getNullValue(Sc->getType()); 1510 Value *MinusOne = Constant::getAllOnesValue(Sc->getType()); 1511 Value *Si = 1512 IRB.CreateAnd(IRB.CreateICmpNE(Sc, Zero), 1513 IRB.CreateICmpEQ( 1514 IRB.CreateAnd(IRB.CreateXor(Sc, MinusOne), C), Zero)); 1515 Si->setName("_msprop_icmp"); 1516 setShadow(&I, Si); 1517 setOriginForNaryOp(I); 1518 } 1519 1520 /// \brief Build the lowest possible value of V, taking into account V's 1521 /// uninitialized bits. 1522 Value *getLowestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa, 1523 bool isSigned) { 1524 if (isSigned) { 1525 // Split shadow into sign bit and other bits. 1526 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1); 1527 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits); 1528 // Maximise the undefined shadow bit, minimize other undefined bits. 1529 return 1530 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaOtherBits)), SaSignBit); 1531 } else { 1532 // Minimize undefined bits. 1533 return IRB.CreateAnd(A, IRB.CreateNot(Sa)); 1534 } 1535 } 1536 1537 /// \brief Build the highest possible value of V, taking into account V's 1538 /// uninitialized bits. 1539 Value *getHighestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa, 1540 bool isSigned) { 1541 if (isSigned) { 1542 // Split shadow into sign bit and other bits. 1543 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1); 1544 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits); 1545 // Minimise the undefined shadow bit, maximise other undefined bits. 1546 return 1547 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaSignBit)), SaOtherBits); 1548 } else { 1549 // Maximize undefined bits. 1550 return IRB.CreateOr(A, Sa); 1551 } 1552 } 1553 1554 /// \brief Instrument relational comparisons. 1555 /// 1556 /// This function does exact shadow propagation for all relational 1557 /// comparisons of integers, pointers and vectors of those. 1558 /// FIXME: output seems suboptimal when one of the operands is a constant 1559 void handleRelationalComparisonExact(ICmpInst &I) { 1560 IRBuilder<> IRB(&I); 1561 Value *A = I.getOperand(0); 1562 Value *B = I.getOperand(1); 1563 Value *Sa = getShadow(A); 1564 Value *Sb = getShadow(B); 1565 1566 // Get rid of pointers and vectors of pointers. 1567 // For ints (and vectors of ints), types of A and Sa match, 1568 // and this is a no-op. 1569 A = IRB.CreatePointerCast(A, Sa->getType()); 1570 B = IRB.CreatePointerCast(B, Sb->getType()); 1571 1572 // Let [a0, a1] be the interval of possible values of A, taking into account 1573 // its undefined bits. Let [b0, b1] be the interval of possible values of B. 1574 // Then (A cmp B) is defined iff (a0 cmp b1) == (a1 cmp b0). 
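    // For example, with an unsigned 8-bit A = 0b01100110 whose shadow is
    // Sa = 0b00000011 (the two low bits of A are unknown),
    //   [a0, a1] = [A & ~Sa, A | Sa] = [0b01100100, 0b01100111].
    // If B is fully initialized (b0 == b1 == B), "A < B" has a defined result
    // exactly when (a0 < B) == (a1 < B); the XOR of S1 and S2 below is
    // therefore the shadow of the comparison result.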
    bool IsSigned = I.isSigned();
    Value *S1 = IRB.CreateICmp(I.getPredicate(),
                               getLowestPossibleValue(IRB, A, Sa, IsSigned),
                               getHighestPossibleValue(IRB, B, Sb, IsSigned));
    Value *S2 = IRB.CreateICmp(I.getPredicate(),
                               getHighestPossibleValue(IRB, A, Sa, IsSigned),
                               getLowestPossibleValue(IRB, B, Sb, IsSigned));
    Value *Si = IRB.CreateXor(S1, S2);
    setShadow(&I, Si);
    setOriginForNaryOp(I);
  }

  /// \brief Instrument signed relational comparisons.
  ///
  /// Handle (x<0) and (x>=0) comparisons (essentially, sign bit tests) by
  /// propagating the highest bit of the shadow. Everything else is delegated
  /// to handleShadowOr().
  void handleSignedRelationalComparison(ICmpInst &I) {
    Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0));
    Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1));
    Value* op = nullptr;
    CmpInst::Predicate pre = I.getPredicate();
    if (constOp0 && constOp0->isNullValue() &&
        (pre == CmpInst::ICMP_SGT || pre == CmpInst::ICMP_SLE)) {
      op = I.getOperand(1);
    } else if (constOp1 && constOp1->isNullValue() &&
               (pre == CmpInst::ICMP_SLT || pre == CmpInst::ICMP_SGE)) {
      op = I.getOperand(0);
    }
    if (op) {
      IRBuilder<> IRB(&I);
      Value* Shadow =
        IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op), "_msprop_icmpslt");
      setShadow(&I, Shadow);
      setOrigin(&I, getOrigin(op));
    } else {
      handleShadowOr(I);
    }
  }

  void visitICmpInst(ICmpInst &I) {
    if (!ClHandleICmp) {
      handleShadowOr(I);
      return;
    }
    if (I.isEquality()) {
      handleEqualityComparison(I);
      return;
    }

    assert(I.isRelational());
    if (ClHandleICmpExact) {
      handleRelationalComparisonExact(I);
      return;
    }
    if (I.isSigned()) {
      handleSignedRelationalComparison(I);
      return;
    }

    assert(I.isUnsigned());
    if ((isa<Constant>(I.getOperand(0)) || isa<Constant>(I.getOperand(1)))) {
      handleRelationalComparisonExact(I);
      return;
    }

    handleShadowOr(I);
  }

  void visitFCmpInst(FCmpInst &I) {
    handleShadowOr(I);
  }

  void handleShift(BinaryOperator &I) {
    IRBuilder<> IRB(&I);
    // If any of the S2 bits are poisoned, the whole thing is poisoned.
    // Otherwise perform the same shift on S1.
    Value *S1 = getShadow(&I, 0);
    Value *S2 = getShadow(&I, 1);
    Value *S2Conv = IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)),
                                   S2->getType());
    Value *V2 = I.getOperand(1);
    Value *Shift = IRB.CreateBinOp(I.getOpcode(), S1, V2);
    setShadow(&I, IRB.CreateOr(Shift, S2Conv));
    setOriginForNaryOp(I);
  }

  void visitShl(BinaryOperator &I) { handleShift(I); }
  void visitAShr(BinaryOperator &I) { handleShift(I); }
  void visitLShr(BinaryOperator &I) { handleShift(I); }

  /// \brief Instrument llvm.memmove.
  ///
  /// At this point we don't know if llvm.memmove will be inlined or not.
  /// If we don't instrument it and it gets inlined,
  /// our interceptor will not kick in and we will lose the memmove.
  /// If we instrument the call here, but it does not get inlined,
  /// we will memmove the shadow twice, which is bad in the case
  /// of overlapping regions. So, we simply lower the intrinsic to a call.
  ///
  /// A similar situation exists for memcpy and memset.
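  ///
  /// For example, a call such as
  ///   call void @llvm.memmove.p0i8.p0i8.i64(i8* %dst, i8* %src, i64 %n, ...)
  /// is replaced with a call to MS.MemmoveFn (the __msan_memmove runtime
  /// wrapper) taking %dst, %src and %n, and the intrinsic itself is erased;
  /// the runtime then moves the shadow (and origin) along with the data.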
  void visitMemMoveInst(MemMoveInst &I) {
    IRBuilder<> IRB(&I);
    IRB.CreateCall3(
      MS.MemmoveFn,
      IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
      IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
      IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false));
    I.eraseFromParent();
  }

  // Similar to memmove: avoid copying shadow twice.
  // This is somewhat unfortunate as it may slow down small constant memcpys.
  // FIXME: consider doing manual inline for small constant sizes and proper
  // alignment.
  void visitMemCpyInst(MemCpyInst &I) {
    IRBuilder<> IRB(&I);
    IRB.CreateCall3(
      MS.MemcpyFn,
      IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
      IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
      IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false));
    I.eraseFromParent();
  }

  // Same as memcpy.
  void visitMemSetInst(MemSetInst &I) {
    IRBuilder<> IRB(&I);
    IRB.CreateCall3(
      MS.MemsetFn,
      IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
      IRB.CreateIntCast(I.getArgOperand(1), IRB.getInt32Ty(), false),
      IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false));
    I.eraseFromParent();
  }

  void visitVAStartInst(VAStartInst &I) {
    VAHelper->visitVAStartInst(I);
  }

  void visitVACopyInst(VACopyInst &I) {
    VAHelper->visitVACopyInst(I);
  }

  enum IntrinsicKind {
    IK_DoesNotAccessMemory,
    IK_OnlyReadsMemory,
    IK_WritesMemory
  };

  static IntrinsicKind getIntrinsicKind(Intrinsic::ID iid) {
    const int DoesNotAccessMemory = IK_DoesNotAccessMemory;
    const int OnlyReadsArgumentPointees = IK_OnlyReadsMemory;
    const int OnlyReadsMemory = IK_OnlyReadsMemory;
    const int OnlyAccessesArgumentPointees = IK_WritesMemory;
    const int UnknownModRefBehavior = IK_WritesMemory;
#define GET_INTRINSIC_MODREF_BEHAVIOR
#define ModRefBehavior IntrinsicKind
#include "llvm/IR/Intrinsics.gen"
#undef ModRefBehavior
#undef GET_INTRINSIC_MODREF_BEHAVIOR
  }

  /// \brief Handle vector store-like intrinsics.
  ///
  /// Instrument intrinsics that look like a simple SIMD store: writes memory,
  /// has 1 pointer argument and 1 vector argument, returns void.
  bool handleVectorStoreIntrinsic(IntrinsicInst &I) {
    IRBuilder<> IRB(&I);
    Value* Addr = I.getArgOperand(0);
    Value *Shadow = getShadow(&I, 1);
    Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB);

    // We don't know the pointer alignment (could be unaligned SSE store!).
    // Have to assume the worst case.
    IRB.CreateAlignedStore(Shadow, ShadowPtr, 1);

    if (ClCheckAccessAddress)
      insertShadowCheck(Addr, &I);

    // FIXME: use ClStoreCleanOrigin
    // FIXME: factor out common code from materializeStores
    if (MS.TrackOrigins)
      IRB.CreateStore(getOrigin(&I, 1), getOriginPtr(Addr, IRB));
    return true;
  }

  /// \brief Handle vector load-like intrinsics.
  ///
  /// Instrument intrinsics that look like a simple SIMD load: reads memory,
  /// has 1 pointer argument, returns a vector.
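  ///
  /// For a (hypothetical) read-only intrinsic of the shape
  ///   %v = call <4 x i32> @llvm.x86.xxx(i8* %p)
  /// this emits a load of the <4 x i32> shadow from the shadow address of %p
  /// with alignment 1 (the real alignment is unknown), plus a load of the
  /// corresponding origin slot when origin tracking is enabled.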
  bool handleVectorLoadIntrinsic(IntrinsicInst &I) {
    IRBuilder<> IRB(&I);
    Value *Addr = I.getArgOperand(0);

    Type *ShadowTy = getShadowTy(&I);
    if (PropagateShadow) {
      Value *ShadowPtr = getShadowPtr(Addr, ShadowTy, IRB);
      // We don't know the pointer alignment (could be unaligned SSE load!).
      // Have to assume the worst case.
      setShadow(&I, IRB.CreateAlignedLoad(ShadowPtr, 1, "_msld"));
    } else {
      setShadow(&I, getCleanShadow(&I));
    }

    if (ClCheckAccessAddress)
      insertShadowCheck(Addr, &I);

    if (MS.TrackOrigins) {
      if (PropagateShadow)
        setOrigin(&I, IRB.CreateLoad(getOriginPtr(Addr, IRB)));
      else
        setOrigin(&I, getCleanOrigin());
    }
    return true;
  }

  /// \brief Handle (SIMD arithmetic)-like intrinsics.
  ///
  /// Instrument intrinsics with any number of arguments of the same type,
  /// equal to the return type. The type should be simple (no aggregates or
  /// pointers; vectors are fine).
  /// Caller guarantees that this intrinsic does not access memory.
  bool maybeHandleSimpleNomemIntrinsic(IntrinsicInst &I) {
    Type *RetTy = I.getType();
    if (!(RetTy->isIntOrIntVectorTy() ||
          RetTy->isFPOrFPVectorTy() ||
          RetTy->isX86_MMXTy()))
      return false;

    unsigned NumArgOperands = I.getNumArgOperands();

    for (unsigned i = 0; i < NumArgOperands; ++i) {
      Type *Ty = I.getArgOperand(i)->getType();
      if (Ty != RetTy)
        return false;
    }

    IRBuilder<> IRB(&I);
    ShadowAndOriginCombiner SC(this, IRB);
    for (unsigned i = 0; i < NumArgOperands; ++i)
      SC.Add(I.getArgOperand(i));
    SC.Done(&I);

    return true;
  }

  /// \brief Heuristically instrument unknown intrinsics.
  ///
  /// The main purpose of this code is to do something reasonable with all
  /// random intrinsics we might encounter, most importantly - SIMD intrinsics.
  /// We recognize several classes of intrinsics by their argument types and
  /// ModRefBehavior and apply special instrumentation when we are reasonably
  /// sure that we know what the intrinsic does.
  ///
  /// We special-case intrinsics where this approach fails. See llvm.bswap
  /// handling as an example of that.
  bool handleUnknownIntrinsic(IntrinsicInst &I) {
    unsigned NumArgOperands = I.getNumArgOperands();
    if (NumArgOperands == 0)
      return false;

    Intrinsic::ID iid = I.getIntrinsicID();
    IntrinsicKind IK = getIntrinsicKind(iid);
    bool OnlyReadsMemory = IK == IK_OnlyReadsMemory;
    bool WritesMemory = IK == IK_WritesMemory;
    assert(!(OnlyReadsMemory && WritesMemory));

    if (NumArgOperands == 2 &&
        I.getArgOperand(0)->getType()->isPointerTy() &&
        I.getArgOperand(1)->getType()->isVectorTy() &&
        I.getType()->isVoidTy() &&
        WritesMemory) {
      // This looks like a vector store.
      return handleVectorStoreIntrinsic(I);
    }

    if (NumArgOperands == 1 &&
        I.getArgOperand(0)->getType()->isPointerTy() &&
        I.getType()->isVectorTy() &&
        OnlyReadsMemory) {
      // This looks like a vector load.
      return handleVectorLoadIntrinsic(I);
    }

    if (!OnlyReadsMemory && !WritesMemory)
      if (maybeHandleSimpleNomemIntrinsic(I))
        return true;

    // FIXME: detect and handle SSE maskstore/maskload
    return false;
  }

  void handleBswap(IntrinsicInst &I) {
    IRBuilder<> IRB(&I);
    Value *Op = I.getArgOperand(0);
    Type *OpType = Op->getType();
    Function *BswapFunc = Intrinsic::getDeclaration(
      F.getParent(), Intrinsic::bswap, ArrayRef<Type*>(&OpType, 1));
    setShadow(&I, IRB.CreateCall(BswapFunc, getShadow(Op)));
    setOrigin(&I, getOrigin(Op));
  }

  // \brief Instrument vector convert intrinsic.
  //
  // This function instruments intrinsics like cvtsi2ss:
  // %Out = int_xxx_cvtyyy(%ConvertOp)
  // or
  // %Out = int_xxx_cvtyyy(%CopyOp, %ConvertOp)
  // Intrinsic converts \p NumUsedElements elements of \p ConvertOp to the same
  // number of \p Out elements, and (if it has 2 arguments) copies the rest of
  // the elements from \p CopyOp.
  // In most cases the conversion involves a floating-point value which may
  // trigger a hardware exception when not fully initialized. For this reason
  // we require \p ConvertOp[0:NumUsedElements] to be fully initialized and
  // trap otherwise.
  // We copy the shadow of \p CopyOp[NumUsedElements:] to \p
  // Out[NumUsedElements:]. This means that intrinsics without \p CopyOp always
  // return a fully initialized value.
  void handleVectorConvertIntrinsic(IntrinsicInst &I, int NumUsedElements) {
    IRBuilder<> IRB(&I);
    Value *CopyOp, *ConvertOp;

    switch (I.getNumArgOperands()) {
    case 2:
      CopyOp = I.getArgOperand(0);
      ConvertOp = I.getArgOperand(1);
      break;
    case 1:
      ConvertOp = I.getArgOperand(0);
      CopyOp = nullptr;
      break;
    default:
      llvm_unreachable("Cvt intrinsic with unsupported number of arguments.");
    }

    // The first *NumUsedElements* elements of ConvertOp are converted to the
    // same number of output elements. The rest of the output is copied from
    // CopyOp, or (if not available) filled with zeroes.
    // Combine shadow for elements of ConvertOp that are used in this operation,
    // and insert a check.
    // FIXME: consider propagating shadow of ConvertOp, at least in the case of
    // int->any conversion.
    Value *ConvertShadow = getShadow(ConvertOp);
    Value *AggShadow = nullptr;
    if (ConvertOp->getType()->isVectorTy()) {
      AggShadow = IRB.CreateExtractElement(
          ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), 0));
      for (int i = 1; i < NumUsedElements; ++i) {
        Value *MoreShadow = IRB.CreateExtractElement(
            ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), i));
        AggShadow = IRB.CreateOr(AggShadow, MoreShadow);
      }
    } else {
      AggShadow = ConvertShadow;
    }
    assert(AggShadow->getType()->isIntegerTy());
    insertShadowCheck(AggShadow, getOrigin(ConvertOp), &I);

    // Build result shadow by zero-filling parts of CopyOp shadow that come from
    // ConvertOp.
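    // E.g. for %Out = cvtsd2ss(%CopyOp, %ConvertOp) with NumUsedElements == 1,
    // the check above covers element 0 of %ConvertOp's shadow, and the result
    // shadow is %CopyOp's shadow with element 0 cleared.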
    if (CopyOp) {
      assert(CopyOp->getType() == I.getType());
      assert(CopyOp->getType()->isVectorTy());
      Value *ResultShadow = getShadow(CopyOp);
      Type *EltTy = ResultShadow->getType()->getVectorElementType();
      for (int i = 0; i < NumUsedElements; ++i) {
        ResultShadow = IRB.CreateInsertElement(
            ResultShadow, ConstantInt::getNullValue(EltTy),
            ConstantInt::get(IRB.getInt32Ty(), i));
      }
      setShadow(&I, ResultShadow);
      setOrigin(&I, getOrigin(CopyOp));
    } else {
      setShadow(&I, getCleanShadow(&I));
    }
  }

  // Given a scalar or vector, extract lower 64 bits (or less), and return all
  // zeroes if it is zero, and all ones otherwise.
  Value *Lower64ShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) {
    if (S->getType()->isVectorTy())
      S = CreateShadowCast(IRB, S, IRB.getInt64Ty(), /* Signed */ true);
    assert(S->getType()->getPrimitiveSizeInBits() <= 64);
    Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S));
    return CreateShadowCast(IRB, S2, T, /* Signed */ true);
  }

  Value *VariableShadowExtend(IRBuilder<> &IRB, Value *S) {
    Type *T = S->getType();
    assert(T->isVectorTy());
    Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S));
    return IRB.CreateSExt(S2, T);
  }

  // \brief Instrument vector shift intrinsic.
  //
  // This function instruments intrinsics like int_x86_avx2_psll_w.
  // Intrinsic shifts %In by %ShiftSize bits.
  // %ShiftSize may be a vector. In that case the lower 64 bits determine shift
  // size, and the rest is ignored. Behavior is defined even if shift size is
  // greater than register (or field) width.
  void handleVectorShiftIntrinsic(IntrinsicInst &I, bool Variable) {
    assert(I.getNumArgOperands() == 2);
    IRBuilder<> IRB(&I);
    // If any of the S2 bits are poisoned, the whole thing is poisoned.
    // Otherwise perform the same shift on S1.
    Value *S1 = getShadow(&I, 0);
    Value *S2 = getShadow(&I, 1);
    Value *S2Conv = Variable ? VariableShadowExtend(IRB, S2)
                             : Lower64ShadowExtend(IRB, S2, getShadowTy(&I));
    Value *V1 = I.getOperand(0);
    Value *V2 = I.getOperand(1);
    Value *Shift = IRB.CreateCall2(I.getCalledValue(),
                                   IRB.CreateBitCast(S1, V1->getType()), V2);
    Shift = IRB.CreateBitCast(Shift, getShadowTy(&I));
    setShadow(&I, IRB.CreateOr(Shift, S2Conv));
    setOriginForNaryOp(I);
  }

  // \brief Get an X86_MMX-sized vector type.
  Type *getMMXVectorTy(unsigned EltSizeInBits) {
    const unsigned X86_MMXSizeInBits = 64;
    return VectorType::get(IntegerType::get(*MS.C, EltSizeInBits),
                           X86_MMXSizeInBits / EltSizeInBits);
  }

  // \brief Returns a signed counterpart for an (un)signed-saturate-and-pack
  // intrinsic.
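  // For example, x86_sse2_packuswb_128 maps to x86_sse2_packsswb_128. Only the
  // signed variant is needed for shadow propagation: the shadow operands are
  // sign-extended i1 masks (each lane is either all-zeros or all-ones), and
  // signed saturation keeps an all-ones (-1) lane all-ones, whereas unsigned
  // saturation would clamp it to zero and lose the poison.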
  Intrinsic::ID getSignedPackIntrinsic(Intrinsic::ID id) {
    switch (id) {
      case llvm::Intrinsic::x86_sse2_packsswb_128:
      case llvm::Intrinsic::x86_sse2_packuswb_128:
        return llvm::Intrinsic::x86_sse2_packsswb_128;

      case llvm::Intrinsic::x86_sse2_packssdw_128:
      case llvm::Intrinsic::x86_sse41_packusdw:
        return llvm::Intrinsic::x86_sse2_packssdw_128;

      case llvm::Intrinsic::x86_avx2_packsswb:
      case llvm::Intrinsic::x86_avx2_packuswb:
        return llvm::Intrinsic::x86_avx2_packsswb;

      case llvm::Intrinsic::x86_avx2_packssdw:
      case llvm::Intrinsic::x86_avx2_packusdw:
        return llvm::Intrinsic::x86_avx2_packssdw;

      case llvm::Intrinsic::x86_mmx_packsswb:
      case llvm::Intrinsic::x86_mmx_packuswb:
        return llvm::Intrinsic::x86_mmx_packsswb;

      case llvm::Intrinsic::x86_mmx_packssdw:
        return llvm::Intrinsic::x86_mmx_packssdw;
      default:
        llvm_unreachable("unexpected intrinsic id");
    }
  }

  // \brief Instrument vector pack intrinsic.
  //
  // This function instruments intrinsics like x86_mmx_packsswb, which pack
  // elements of 2 input vectors into half as many bits with saturation.
  // Shadow is propagated with the signed variant of the same intrinsic applied
  // to sext(Sa != zeroinitializer), sext(Sb != zeroinitializer).
  // EltSizeInBits is used only for x86mmx arguments.
  void handleVectorPackIntrinsic(IntrinsicInst &I, unsigned EltSizeInBits = 0) {
    assert(I.getNumArgOperands() == 2);
    bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
    IRBuilder<> IRB(&I);
    Value *S1 = getShadow(&I, 0);
    Value *S2 = getShadow(&I, 1);
    assert(isX86_MMX || S1->getType()->isVectorTy());

    // SExt and ICmpNE below must apply to individual elements of input vectors.
    // In case of x86mmx arguments, cast them to appropriate vector types and
    // back.
    Type *T = isX86_MMX ? getMMXVectorTy(EltSizeInBits) : S1->getType();
    if (isX86_MMX) {
      S1 = IRB.CreateBitCast(S1, T);
      S2 = IRB.CreateBitCast(S2, T);
    }
    Value *S1_ext = IRB.CreateSExt(
        IRB.CreateICmpNE(S1, llvm::Constant::getNullValue(T)), T);
    Value *S2_ext = IRB.CreateSExt(
        IRB.CreateICmpNE(S2, llvm::Constant::getNullValue(T)), T);
    if (isX86_MMX) {
      Type *X86_MMXTy = Type::getX86_MMXTy(*MS.C);
      S1_ext = IRB.CreateBitCast(S1_ext, X86_MMXTy);
      S2_ext = IRB.CreateBitCast(S2_ext, X86_MMXTy);
    }

    Function *ShadowFn = Intrinsic::getDeclaration(
        F.getParent(), getSignedPackIntrinsic(I.getIntrinsicID()));

    Value *S = IRB.CreateCall2(ShadowFn, S1_ext, S2_ext, "_msprop_vector_pack");
    if (isX86_MMX) S = IRB.CreateBitCast(S, getShadowTy(&I));
    setShadow(&I, S);
    setOriginForNaryOp(I);
  }

  // \brief Instrument sum-of-absolute-differences intrinsic.
  void handleVectorSadIntrinsic(IntrinsicInst &I) {
    const unsigned SignificantBitsPerResultElement = 16;
    bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
    Type *ResTy = isX86_MMX ?
IntegerType::get(*MS.C, 64) : I.getType(); 2079 unsigned ZeroBitsPerResultElement = 2080 ResTy->getScalarSizeInBits() - SignificantBitsPerResultElement; 2081 2082 IRBuilder<> IRB(&I); 2083 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1)); 2084 S = IRB.CreateBitCast(S, ResTy); 2085 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)), 2086 ResTy); 2087 S = IRB.CreateLShr(S, ZeroBitsPerResultElement); 2088 S = IRB.CreateBitCast(S, getShadowTy(&I)); 2089 setShadow(&I, S); 2090 setOriginForNaryOp(I); 2091 } 2092 2093 // \brief Instrument multiply-add intrinsic. 2094 void handleVectorPmaddIntrinsic(IntrinsicInst &I, 2095 unsigned EltSizeInBits = 0) { 2096 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy(); 2097 Type *ResTy = isX86_MMX ? getMMXVectorTy(EltSizeInBits * 2) : I.getType(); 2098 IRBuilder<> IRB(&I); 2099 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1)); 2100 S = IRB.CreateBitCast(S, ResTy); 2101 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)), 2102 ResTy); 2103 S = IRB.CreateBitCast(S, getShadowTy(&I)); 2104 setShadow(&I, S); 2105 setOriginForNaryOp(I); 2106 } 2107 2108 void visitIntrinsicInst(IntrinsicInst &I) { 2109 switch (I.getIntrinsicID()) { 2110 case llvm::Intrinsic::bswap: 2111 handleBswap(I); 2112 break; 2113 case llvm::Intrinsic::x86_avx512_cvtsd2usi64: 2114 case llvm::Intrinsic::x86_avx512_cvtsd2usi: 2115 case llvm::Intrinsic::x86_avx512_cvtss2usi64: 2116 case llvm::Intrinsic::x86_avx512_cvtss2usi: 2117 case llvm::Intrinsic::x86_avx512_cvttss2usi64: 2118 case llvm::Intrinsic::x86_avx512_cvttss2usi: 2119 case llvm::Intrinsic::x86_avx512_cvttsd2usi64: 2120 case llvm::Intrinsic::x86_avx512_cvttsd2usi: 2121 case llvm::Intrinsic::x86_avx512_cvtusi2sd: 2122 case llvm::Intrinsic::x86_avx512_cvtusi2ss: 2123 case llvm::Intrinsic::x86_avx512_cvtusi642sd: 2124 case llvm::Intrinsic::x86_avx512_cvtusi642ss: 2125 case llvm::Intrinsic::x86_sse2_cvtsd2si64: 2126 case llvm::Intrinsic::x86_sse2_cvtsd2si: 2127 case llvm::Intrinsic::x86_sse2_cvtsd2ss: 2128 case llvm::Intrinsic::x86_sse2_cvtsi2sd: 2129 case llvm::Intrinsic::x86_sse2_cvtsi642sd: 2130 case llvm::Intrinsic::x86_sse2_cvtss2sd: 2131 case llvm::Intrinsic::x86_sse2_cvttsd2si64: 2132 case llvm::Intrinsic::x86_sse2_cvttsd2si: 2133 case llvm::Intrinsic::x86_sse_cvtsi2ss: 2134 case llvm::Intrinsic::x86_sse_cvtsi642ss: 2135 case llvm::Intrinsic::x86_sse_cvtss2si64: 2136 case llvm::Intrinsic::x86_sse_cvtss2si: 2137 case llvm::Intrinsic::x86_sse_cvttss2si64: 2138 case llvm::Intrinsic::x86_sse_cvttss2si: 2139 handleVectorConvertIntrinsic(I, 1); 2140 break; 2141 case llvm::Intrinsic::x86_sse2_cvtdq2pd: 2142 case llvm::Intrinsic::x86_sse2_cvtps2pd: 2143 case llvm::Intrinsic::x86_sse_cvtps2pi: 2144 case llvm::Intrinsic::x86_sse_cvttps2pi: 2145 handleVectorConvertIntrinsic(I, 2); 2146 break; 2147 case llvm::Intrinsic::x86_avx512_psll_dq: 2148 case llvm::Intrinsic::x86_avx512_psrl_dq: 2149 case llvm::Intrinsic::x86_avx2_psll_w: 2150 case llvm::Intrinsic::x86_avx2_psll_d: 2151 case llvm::Intrinsic::x86_avx2_psll_q: 2152 case llvm::Intrinsic::x86_avx2_pslli_w: 2153 case llvm::Intrinsic::x86_avx2_pslli_d: 2154 case llvm::Intrinsic::x86_avx2_pslli_q: 2155 case llvm::Intrinsic::x86_avx2_psll_dq: 2156 case llvm::Intrinsic::x86_avx2_psrl_w: 2157 case llvm::Intrinsic::x86_avx2_psrl_d: 2158 case llvm::Intrinsic::x86_avx2_psrl_q: 2159 case llvm::Intrinsic::x86_avx2_psra_w: 2160 case llvm::Intrinsic::x86_avx2_psra_d: 2161 case llvm::Intrinsic::x86_avx2_psrli_w: 2162 case 
llvm::Intrinsic::x86_avx2_psrli_d: 2163 case llvm::Intrinsic::x86_avx2_psrli_q: 2164 case llvm::Intrinsic::x86_avx2_psrai_w: 2165 case llvm::Intrinsic::x86_avx2_psrai_d: 2166 case llvm::Intrinsic::x86_avx2_psrl_dq: 2167 case llvm::Intrinsic::x86_sse2_psll_w: 2168 case llvm::Intrinsic::x86_sse2_psll_d: 2169 case llvm::Intrinsic::x86_sse2_psll_q: 2170 case llvm::Intrinsic::x86_sse2_pslli_w: 2171 case llvm::Intrinsic::x86_sse2_pslli_d: 2172 case llvm::Intrinsic::x86_sse2_pslli_q: 2173 case llvm::Intrinsic::x86_sse2_psll_dq: 2174 case llvm::Intrinsic::x86_sse2_psrl_w: 2175 case llvm::Intrinsic::x86_sse2_psrl_d: 2176 case llvm::Intrinsic::x86_sse2_psrl_q: 2177 case llvm::Intrinsic::x86_sse2_psra_w: 2178 case llvm::Intrinsic::x86_sse2_psra_d: 2179 case llvm::Intrinsic::x86_sse2_psrli_w: 2180 case llvm::Intrinsic::x86_sse2_psrli_d: 2181 case llvm::Intrinsic::x86_sse2_psrli_q: 2182 case llvm::Intrinsic::x86_sse2_psrai_w: 2183 case llvm::Intrinsic::x86_sse2_psrai_d: 2184 case llvm::Intrinsic::x86_sse2_psrl_dq: 2185 case llvm::Intrinsic::x86_mmx_psll_w: 2186 case llvm::Intrinsic::x86_mmx_psll_d: 2187 case llvm::Intrinsic::x86_mmx_psll_q: 2188 case llvm::Intrinsic::x86_mmx_pslli_w: 2189 case llvm::Intrinsic::x86_mmx_pslli_d: 2190 case llvm::Intrinsic::x86_mmx_pslli_q: 2191 case llvm::Intrinsic::x86_mmx_psrl_w: 2192 case llvm::Intrinsic::x86_mmx_psrl_d: 2193 case llvm::Intrinsic::x86_mmx_psrl_q: 2194 case llvm::Intrinsic::x86_mmx_psra_w: 2195 case llvm::Intrinsic::x86_mmx_psra_d: 2196 case llvm::Intrinsic::x86_mmx_psrli_w: 2197 case llvm::Intrinsic::x86_mmx_psrli_d: 2198 case llvm::Intrinsic::x86_mmx_psrli_q: 2199 case llvm::Intrinsic::x86_mmx_psrai_w: 2200 case llvm::Intrinsic::x86_mmx_psrai_d: 2201 handleVectorShiftIntrinsic(I, /* Variable */ false); 2202 break; 2203 case llvm::Intrinsic::x86_avx2_psllv_d: 2204 case llvm::Intrinsic::x86_avx2_psllv_d_256: 2205 case llvm::Intrinsic::x86_avx2_psllv_q: 2206 case llvm::Intrinsic::x86_avx2_psllv_q_256: 2207 case llvm::Intrinsic::x86_avx2_psrlv_d: 2208 case llvm::Intrinsic::x86_avx2_psrlv_d_256: 2209 case llvm::Intrinsic::x86_avx2_psrlv_q: 2210 case llvm::Intrinsic::x86_avx2_psrlv_q_256: 2211 case llvm::Intrinsic::x86_avx2_psrav_d: 2212 case llvm::Intrinsic::x86_avx2_psrav_d_256: 2213 handleVectorShiftIntrinsic(I, /* Variable */ true); 2214 break; 2215 2216 // Byte shifts are not implemented. 
2217 // case llvm::Intrinsic::x86_avx512_psll_dq_bs: 2218 // case llvm::Intrinsic::x86_avx512_psrl_dq_bs: 2219 // case llvm::Intrinsic::x86_avx2_psll_dq_bs: 2220 // case llvm::Intrinsic::x86_avx2_psrl_dq_bs: 2221 // case llvm::Intrinsic::x86_sse2_psll_dq_bs: 2222 // case llvm::Intrinsic::x86_sse2_psrl_dq_bs: 2223 2224 case llvm::Intrinsic::x86_sse2_packsswb_128: 2225 case llvm::Intrinsic::x86_sse2_packssdw_128: 2226 case llvm::Intrinsic::x86_sse2_packuswb_128: 2227 case llvm::Intrinsic::x86_sse41_packusdw: 2228 case llvm::Intrinsic::x86_avx2_packsswb: 2229 case llvm::Intrinsic::x86_avx2_packssdw: 2230 case llvm::Intrinsic::x86_avx2_packuswb: 2231 case llvm::Intrinsic::x86_avx2_packusdw: 2232 handleVectorPackIntrinsic(I); 2233 break; 2234 2235 case llvm::Intrinsic::x86_mmx_packsswb: 2236 case llvm::Intrinsic::x86_mmx_packuswb: 2237 handleVectorPackIntrinsic(I, 16); 2238 break; 2239 2240 case llvm::Intrinsic::x86_mmx_packssdw: 2241 handleVectorPackIntrinsic(I, 32); 2242 break; 2243 2244 case llvm::Intrinsic::x86_mmx_psad_bw: 2245 case llvm::Intrinsic::x86_sse2_psad_bw: 2246 case llvm::Intrinsic::x86_avx2_psad_bw: 2247 handleVectorSadIntrinsic(I); 2248 break; 2249 2250 case llvm::Intrinsic::x86_sse2_pmadd_wd: 2251 case llvm::Intrinsic::x86_avx2_pmadd_wd: 2252 case llvm::Intrinsic::x86_ssse3_pmadd_ub_sw_128: 2253 case llvm::Intrinsic::x86_avx2_pmadd_ub_sw: 2254 handleVectorPmaddIntrinsic(I); 2255 break; 2256 2257 case llvm::Intrinsic::x86_ssse3_pmadd_ub_sw: 2258 handleVectorPmaddIntrinsic(I, 8); 2259 break; 2260 2261 case llvm::Intrinsic::x86_mmx_pmadd_wd: 2262 handleVectorPmaddIntrinsic(I, 16); 2263 break; 2264 2265 default: 2266 if (!handleUnknownIntrinsic(I)) 2267 visitInstruction(I); 2268 break; 2269 } 2270 } 2271 2272 void visitCallSite(CallSite CS) { 2273 Instruction &I = *CS.getInstruction(); 2274 assert((CS.isCall() || CS.isInvoke()) && "Unknown type of CallSite"); 2275 if (CS.isCall()) { 2276 CallInst *Call = cast<CallInst>(&I); 2277 2278 // For inline asm, do the usual thing: check argument shadow and mark all 2279 // outputs as clean. Note that any side effects of the inline asm that are 2280 // not immediately visible in its constraints are not handled. 2281 if (Call->isInlineAsm()) { 2282 visitInstruction(I); 2283 return; 2284 } 2285 2286 assert(!isa<IntrinsicInst>(&I) && "intrinsics are handled elsewhere"); 2287 2288 // We are going to insert code that relies on the fact that the callee 2289 // will become a non-readonly function after it is instrumented by us. To 2290 // prevent this code from being optimized out, mark that function 2291 // non-readonly in advance. 2292 if (Function *Func = Call->getCalledFunction()) { 2293 // Clear out readonly/readnone attributes. 
2294 AttrBuilder B; 2295 B.addAttribute(Attribute::ReadOnly) 2296 .addAttribute(Attribute::ReadNone); 2297 Func->removeAttributes(AttributeSet::FunctionIndex, 2298 AttributeSet::get(Func->getContext(), 2299 AttributeSet::FunctionIndex, 2300 B)); 2301 } 2302 } 2303 IRBuilder<> IRB(&I); 2304 2305 if (MS.WrapIndirectCalls && !CS.getCalledFunction()) 2306 IndirectCallList.push_back(CS); 2307 2308 unsigned ArgOffset = 0; 2309 DEBUG(dbgs() << " CallSite: " << I << "\n"); 2310 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end(); 2311 ArgIt != End; ++ArgIt) { 2312 Value *A = *ArgIt; 2313 unsigned i = ArgIt - CS.arg_begin(); 2314 if (!A->getType()->isSized()) { 2315 DEBUG(dbgs() << "Arg " << i << " is not sized: " << I << "\n"); 2316 continue; 2317 } 2318 unsigned Size = 0; 2319 Value *Store = nullptr; 2320 // Compute the Shadow for arg even if it is ByVal, because 2321 // in that case getShadow() will copy the actual arg shadow to 2322 // __msan_param_tls. 2323 Value *ArgShadow = getShadow(A); 2324 Value *ArgShadowBase = getShadowPtrForArgument(A, IRB, ArgOffset); 2325 DEBUG(dbgs() << " Arg#" << i << ": " << *A << 2326 " Shadow: " << *ArgShadow << "\n"); 2327 bool ArgIsInitialized = false; 2328 if (CS.paramHasAttr(i + 1, Attribute::ByVal)) { 2329 assert(A->getType()->isPointerTy() && 2330 "ByVal argument is not a pointer!"); 2331 Size = MS.DL->getTypeAllocSize(A->getType()->getPointerElementType()); 2332 unsigned Alignment = CS.getParamAlignment(i + 1); 2333 Store = IRB.CreateMemCpy(ArgShadowBase, 2334 getShadowPtr(A, Type::getInt8Ty(*MS.C), IRB), 2335 Size, Alignment); 2336 } else { 2337 Size = MS.DL->getTypeAllocSize(A->getType()); 2338 Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase, 2339 kShadowTLSAlignment); 2340 Constant *Cst = dyn_cast<Constant>(ArgShadow); 2341 if (Cst && Cst->isNullValue()) ArgIsInitialized = true; 2342 } 2343 if (MS.TrackOrigins && !ArgIsInitialized) 2344 IRB.CreateStore(getOrigin(A), 2345 getOriginPtrForArgument(A, IRB, ArgOffset)); 2346 (void)Store; 2347 assert(Size != 0 && Store != nullptr); 2348 DEBUG(dbgs() << " Param:" << *Store << "\n"); 2349 ArgOffset += DataLayout::RoundUpAlignment(Size, 8); 2350 } 2351 DEBUG(dbgs() << " done with call args\n"); 2352 2353 FunctionType *FT = 2354 cast<FunctionType>(CS.getCalledValue()->getType()->getContainedType(0)); 2355 if (FT->isVarArg()) { 2356 VAHelper->visitCallSite(CS, IRB); 2357 } 2358 2359 // If this is a musttail call site, we can't insert propagation code here. 2360 // The return type of the caller must match the callee, so the shadow should 2361 // already be set up for an immediate return. 2362 if (CS.isMustTailCall()) 2363 return; 2364 2365 // Now, get the shadow for the RetVal. 2366 if (!I.getType()->isSized()) return; 2367 IRBuilder<> IRBBefore(&I); 2368 // Until we have full dynamic coverage, make sure the retval shadow is 0. 2369 Value *Base = getShadowPtrForRetval(&I, IRBBefore); 2370 IRBBefore.CreateAlignedStore(getCleanShadow(&I), Base, kShadowTLSAlignment); 2371 Instruction *NextInsn = nullptr; 2372 if (CS.isCall()) { 2373 NextInsn = I.getNextNode(); 2374 } else { 2375 BasicBlock *NormalDest = cast<InvokeInst>(&I)->getNormalDest(); 2376 if (!NormalDest->getSinglePredecessor()) { 2377 // FIXME: this case is tricky, so we are just conservative here. 2378 // Perhaps we need to split the edge between this BB and NormalDest, 2379 // but a naive attempt to use SplitEdge leads to a crash. 
2380 setShadow(&I, getCleanShadow(&I)); 2381 setOrigin(&I, getCleanOrigin()); 2382 return; 2383 } 2384 NextInsn = NormalDest->getFirstInsertionPt(); 2385 assert(NextInsn && 2386 "Could not find insertion point for retval shadow load"); 2387 } 2388 IRBuilder<> IRBAfter(NextInsn); 2389 Value *RetvalShadow = 2390 IRBAfter.CreateAlignedLoad(getShadowPtrForRetval(&I, IRBAfter), 2391 kShadowTLSAlignment, "_msret"); 2392 setShadow(&I, RetvalShadow); 2393 if (MS.TrackOrigins) 2394 setOrigin(&I, IRBAfter.CreateLoad(getOriginPtrForRetval(IRBAfter))); 2395 } 2396 2397 void visitReturnInst(ReturnInst &I) { 2398 // Don't propagate shadow between musttail calls and the return. 2399 if (I.getParent()->getTerminatingMustTailCall()) 2400 return; 2401 2402 IRBuilder<> IRB(&I); 2403 Value *RetVal = I.getReturnValue(); 2404 if (!RetVal) return; 2405 Value *ShadowPtr = getShadowPtrForRetval(RetVal, IRB); 2406 if (CheckReturnValue) { 2407 insertShadowCheck(RetVal, &I); 2408 Value *Shadow = getCleanShadow(RetVal); 2409 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment); 2410 } else { 2411 Value *Shadow = getShadow(RetVal); 2412 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment); 2413 // FIXME: make it conditional if ClStoreCleanOrigin==0 2414 if (MS.TrackOrigins) 2415 IRB.CreateStore(getOrigin(RetVal), getOriginPtrForRetval(IRB)); 2416 } 2417 } 2418 2419 void visitPHINode(PHINode &I) { 2420 IRBuilder<> IRB(&I); 2421 if (!PropagateShadow) { 2422 setShadow(&I, getCleanShadow(&I)); 2423 return; 2424 } 2425 2426 ShadowPHINodes.push_back(&I); 2427 setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(), 2428 "_msphi_s")); 2429 if (MS.TrackOrigins) 2430 setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(), 2431 "_msphi_o")); 2432 } 2433 2434 void visitAllocaInst(AllocaInst &I) { 2435 setShadow(&I, getCleanShadow(&I)); 2436 IRBuilder<> IRB(I.getNextNode()); 2437 uint64_t Size = MS.DL->getTypeAllocSize(I.getAllocatedType()); 2438 if (PoisonStack && ClPoisonStackWithCall) { 2439 IRB.CreateCall2(MS.MsanPoisonStackFn, 2440 IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), 2441 ConstantInt::get(MS.IntptrTy, Size)); 2442 } else { 2443 Value *ShadowBase = getShadowPtr(&I, Type::getInt8PtrTy(*MS.C), IRB); 2444 Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0); 2445 IRB.CreateMemSet(ShadowBase, PoisonValue, Size, I.getAlignment()); 2446 } 2447 2448 if (PoisonStack && MS.TrackOrigins) { 2449 setOrigin(&I, getCleanOrigin()); 2450 SmallString<2048> StackDescriptionStorage; 2451 raw_svector_ostream StackDescription(StackDescriptionStorage); 2452 // We create a string with a description of the stack allocation and 2453 // pass it into __msan_set_alloca_origin. 2454 // It will be printed by the run-time if stack-originated UMR is found. 2455 // The first 4 bytes of the string are set to '----' and will be replaced 2456 // by __msan_va_arg_overflow_size_tls at the first call. 
2457 StackDescription << "----" << I.getName() << "@" << F.getName(); 2458 Value *Descr = 2459 createPrivateNonConstGlobalForString(*F.getParent(), 2460 StackDescription.str()); 2461 2462 IRB.CreateCall4(MS.MsanSetAllocaOrigin4Fn, 2463 IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), 2464 ConstantInt::get(MS.IntptrTy, Size), 2465 IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy()), 2466 IRB.CreatePointerCast(&F, MS.IntptrTy)); 2467 } 2468 } 2469 2470 void visitSelectInst(SelectInst& I) { 2471 IRBuilder<> IRB(&I); 2472 // a = select b, c, d 2473 Value *B = I.getCondition(); 2474 Value *C = I.getTrueValue(); 2475 Value *D = I.getFalseValue(); 2476 Value *Sb = getShadow(B); 2477 Value *Sc = getShadow(C); 2478 Value *Sd = getShadow(D); 2479 2480 // Result shadow if condition shadow is 0. 2481 Value *Sa0 = IRB.CreateSelect(B, Sc, Sd); 2482 Value *Sa1; 2483 if (I.getType()->isAggregateType()) { 2484 // To avoid "sign extending" i1 to an arbitrary aggregate type, we just do 2485 // an extra "select". This results in much more compact IR. 2486 // Sa = select Sb, poisoned, (select b, Sc, Sd) 2487 Sa1 = getPoisonedShadow(getShadowTy(I.getType())); 2488 } else { 2489 // Sa = select Sb, [ (c^d) | Sc | Sd ], [ b ? Sc : Sd ] 2490 // If Sb (condition is poisoned), look for bits in c and d that are equal 2491 // and both unpoisoned. 2492 // If !Sb (condition is unpoisoned), simply pick one of Sc and Sd. 2493 2494 // Cast arguments to shadow-compatible type. 2495 C = CreateAppToShadowCast(IRB, C); 2496 D = CreateAppToShadowCast(IRB, D); 2497 2498 // Result shadow if condition shadow is 1. 2499 Sa1 = IRB.CreateOr(IRB.CreateXor(C, D), IRB.CreateOr(Sc, Sd)); 2500 } 2501 Value *Sa = IRB.CreateSelect(Sb, Sa1, Sa0, "_msprop_select"); 2502 setShadow(&I, Sa); 2503 if (MS.TrackOrigins) { 2504 // Origins are always i32, so any vector conditions must be flattened. 2505 // FIXME: consider tracking vector origins for app vectors? 2506 if (B->getType()->isVectorTy()) { 2507 Type *FlatTy = getShadowTyNoVec(B->getType()); 2508 B = IRB.CreateICmpNE(IRB.CreateBitCast(B, FlatTy), 2509 ConstantInt::getNullValue(FlatTy)); 2510 Sb = IRB.CreateICmpNE(IRB.CreateBitCast(Sb, FlatTy), 2511 ConstantInt::getNullValue(FlatTy)); 2512 } 2513 // a = select b, c, d 2514 // Oa = Sb ? Ob : (b ? Oc : Od) 2515 setOrigin(&I, IRB.CreateSelect( 2516 Sb, getOrigin(I.getCondition()), 2517 IRB.CreateSelect(B, getOrigin(C), getOrigin(D)))); 2518 } 2519 } 2520 2521 void visitLandingPadInst(LandingPadInst &I) { 2522 // Do nothing. 
2523 // See http://code.google.com/p/memory-sanitizer/issues/detail?id=1 2524 setShadow(&I, getCleanShadow(&I)); 2525 setOrigin(&I, getCleanOrigin()); 2526 } 2527 2528 void visitGetElementPtrInst(GetElementPtrInst &I) { 2529 handleShadowOr(I); 2530 } 2531 2532 void visitExtractValueInst(ExtractValueInst &I) { 2533 IRBuilder<> IRB(&I); 2534 Value *Agg = I.getAggregateOperand(); 2535 DEBUG(dbgs() << "ExtractValue: " << I << "\n"); 2536 Value *AggShadow = getShadow(Agg); 2537 DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n"); 2538 Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices()); 2539 DEBUG(dbgs() << " ResShadow: " << *ResShadow << "\n"); 2540 setShadow(&I, ResShadow); 2541 setOriginForNaryOp(I); 2542 } 2543 2544 void visitInsertValueInst(InsertValueInst &I) { 2545 IRBuilder<> IRB(&I); 2546 DEBUG(dbgs() << "InsertValue: " << I << "\n"); 2547 Value *AggShadow = getShadow(I.getAggregateOperand()); 2548 Value *InsShadow = getShadow(I.getInsertedValueOperand()); 2549 DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n"); 2550 DEBUG(dbgs() << " InsShadow: " << *InsShadow << "\n"); 2551 Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices()); 2552 DEBUG(dbgs() << " Res: " << *Res << "\n"); 2553 setShadow(&I, Res); 2554 setOriginForNaryOp(I); 2555 } 2556 2557 void dumpInst(Instruction &I) { 2558 if (CallInst *CI = dyn_cast<CallInst>(&I)) { 2559 errs() << "ZZZ call " << CI->getCalledFunction()->getName() << "\n"; 2560 } else { 2561 errs() << "ZZZ " << I.getOpcodeName() << "\n"; 2562 } 2563 errs() << "QQQ " << I << "\n"; 2564 } 2565 2566 void visitResumeInst(ResumeInst &I) { 2567 DEBUG(dbgs() << "Resume: " << I << "\n"); 2568 // Nothing to do here. 2569 } 2570 2571 void visitInstruction(Instruction &I) { 2572 // Everything else: stop propagating and check for poisoned shadow. 2573 if (ClDumpStrictInstructions) 2574 dumpInst(I); 2575 DEBUG(dbgs() << "DEFAULT: " << I << "\n"); 2576 for (size_t i = 0, n = I.getNumOperands(); i < n; i++) 2577 insertShadowCheck(I.getOperand(i), &I); 2578 setShadow(&I, getCleanShadow(&I)); 2579 setOrigin(&I, getCleanOrigin()); 2580 } 2581 }; 2582 2583 /// \brief AMD64-specific implementation of VarArgHelper. 2584 struct VarArgAMD64Helper : public VarArgHelper { 2585 // An unfortunate workaround for asymmetric lowering of va_arg stuff. 2586 // See a comment in visitCallSite for more details. 2587 static const unsigned AMD64GpEndOffset = 48; // AMD64 ABI Draft 0.99.6 p3.5.7 2588 static const unsigned AMD64FpEndOffset = 176; 2589 2590 Function &F; 2591 MemorySanitizer &MS; 2592 MemorySanitizerVisitor &MSV; 2593 Value *VAArgTLSCopy; 2594 Value *VAArgOverflowSize; 2595 2596 SmallVector<CallInst*, 16> VAStartInstrumentationList; 2597 2598 VarArgAMD64Helper(Function &F, MemorySanitizer &MS, 2599 MemorySanitizerVisitor &MSV) 2600 : F(F), MS(MS), MSV(MSV), VAArgTLSCopy(nullptr), 2601 VAArgOverflowSize(nullptr) {} 2602 2603 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory }; 2604 2605 ArgKind classifyArgument(Value* arg) { 2606 // A very rough approximation of X86_64 argument classification rules. 2607 Type *T = arg->getType(); 2608 if (T->isFPOrFPVectorTy() || T->isX86_MMXTy()) 2609 return AK_FloatingPoint; 2610 if (T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64) 2611 return AK_GeneralPurpose; 2612 if (T->isPointerTy()) 2613 return AK_GeneralPurpose; 2614 return AK_Memory; 2615 } 2616 2617 // For VarArg functions, store the argument shadow in an ABI-specific format 2618 // that corresponds to va_list layout. 
2619 // We do this because Clang lowers va_arg in the frontend, and this pass 2620 // only sees the low level code that deals with va_list internals. 2621 // A much easier alternative (provided that Clang emits va_arg instructions) 2622 // would have been to associate each live instance of va_list with a copy of 2623 // MSanParamTLS, and extract shadow on va_arg() call in the argument list 2624 // order. 2625 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override { 2626 unsigned GpOffset = 0; 2627 unsigned FpOffset = AMD64GpEndOffset; 2628 unsigned OverflowOffset = AMD64FpEndOffset; 2629 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end(); 2630 ArgIt != End; ++ArgIt) { 2631 Value *A = *ArgIt; 2632 unsigned ArgNo = CS.getArgumentNo(ArgIt); 2633 bool IsByVal = CS.paramHasAttr(ArgNo + 1, Attribute::ByVal); 2634 if (IsByVal) { 2635 // ByVal arguments always go to the overflow area. 2636 assert(A->getType()->isPointerTy()); 2637 Type *RealTy = A->getType()->getPointerElementType(); 2638 uint64_t ArgSize = MS.DL->getTypeAllocSize(RealTy); 2639 Value *Base = getShadowPtrForVAArgument(RealTy, IRB, OverflowOffset); 2640 OverflowOffset += DataLayout::RoundUpAlignment(ArgSize, 8); 2641 IRB.CreateMemCpy(Base, MSV.getShadowPtr(A, IRB.getInt8Ty(), IRB), 2642 ArgSize, kShadowTLSAlignment); 2643 } else { 2644 ArgKind AK = classifyArgument(A); 2645 if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset) 2646 AK = AK_Memory; 2647 if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset) 2648 AK = AK_Memory; 2649 Value *Base; 2650 switch (AK) { 2651 case AK_GeneralPurpose: 2652 Base = getShadowPtrForVAArgument(A->getType(), IRB, GpOffset); 2653 GpOffset += 8; 2654 break; 2655 case AK_FloatingPoint: 2656 Base = getShadowPtrForVAArgument(A->getType(), IRB, FpOffset); 2657 FpOffset += 16; 2658 break; 2659 case AK_Memory: 2660 uint64_t ArgSize = MS.DL->getTypeAllocSize(A->getType()); 2661 Base = getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset); 2662 OverflowOffset += DataLayout::RoundUpAlignment(ArgSize, 8); 2663 } 2664 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment); 2665 } 2666 } 2667 Constant *OverflowSize = 2668 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset); 2669 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS); 2670 } 2671 2672 /// \brief Compute the shadow address for a given va_arg. 2673 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, 2674 int ArgOffset) { 2675 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); 2676 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 2677 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), 2678 "_msarg"); 2679 } 2680 2681 void visitVAStartInst(VAStartInst &I) override { 2682 IRBuilder<> IRB(&I); 2683 VAStartInstrumentationList.push_back(&I); 2684 Value *VAListTag = I.getArgOperand(0); 2685 Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB); 2686 2687 // Unpoison the whole __va_list_tag. 2688 // FIXME: magic ABI constants. 2689 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 2690 /* size */24, /* alignment */8, false); 2691 } 2692 2693 void visitVACopyInst(VACopyInst &I) override { 2694 IRBuilder<> IRB(&I); 2695 Value *VAListTag = I.getArgOperand(0); 2696 Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB); 2697 2698 // Unpoison the whole __va_list_tag. 2699 // FIXME: magic ABI constants. 
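    // (For reference: on x86_64 SysV, __va_list_tag is
    //  { i32 gp_offset, i32 fp_offset, i8* overflow_arg_area, i8* reg_save_area },
    //  i.e. 4 + 4 + 8 + 8 = 24 bytes; this is where the size below and the
    //  offsets 8 and 16 used in finalizeInstrumentation() come from.)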
2700 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 2701 /* size */24, /* alignment */8, false); 2702 } 2703 2704 void finalizeInstrumentation() override { 2705 assert(!VAArgOverflowSize && !VAArgTLSCopy && 2706 "finalizeInstrumentation called twice"); 2707 if (!VAStartInstrumentationList.empty()) { 2708 // If there is a va_start in this function, make a backup copy of 2709 // va_arg_tls somewhere in the function entry block. 2710 IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI()); 2711 VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS); 2712 Value *CopySize = 2713 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset), 2714 VAArgOverflowSize); 2715 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize); 2716 IRB.CreateMemCpy(VAArgTLSCopy, MS.VAArgTLS, CopySize, 8); 2717 } 2718 2719 // Instrument va_start. 2720 // Copy va_list shadow from the backup copy of the TLS contents. 2721 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) { 2722 CallInst *OrigInst = VAStartInstrumentationList[i]; 2723 IRBuilder<> IRB(OrigInst->getNextNode()); 2724 Value *VAListTag = OrigInst->getArgOperand(0); 2725 2726 Value *RegSaveAreaPtrPtr = 2727 IRB.CreateIntToPtr( 2728 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 2729 ConstantInt::get(MS.IntptrTy, 16)), 2730 Type::getInt64PtrTy(*MS.C)); 2731 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr); 2732 Value *RegSaveAreaShadowPtr = 2733 MSV.getShadowPtr(RegSaveAreaPtr, IRB.getInt8Ty(), IRB); 2734 IRB.CreateMemCpy(RegSaveAreaShadowPtr, VAArgTLSCopy, 2735 AMD64FpEndOffset, 16); 2736 2737 Value *OverflowArgAreaPtrPtr = 2738 IRB.CreateIntToPtr( 2739 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 2740 ConstantInt::get(MS.IntptrTy, 8)), 2741 Type::getInt64PtrTy(*MS.C)); 2742 Value *OverflowArgAreaPtr = IRB.CreateLoad(OverflowArgAreaPtrPtr); 2743 Value *OverflowArgAreaShadowPtr = 2744 MSV.getShadowPtr(OverflowArgAreaPtr, IRB.getInt8Ty(), IRB); 2745 Value *SrcPtr = IRB.CreateConstGEP1_32(VAArgTLSCopy, AMD64FpEndOffset); 2746 IRB.CreateMemCpy(OverflowArgAreaShadowPtr, SrcPtr, VAArgOverflowSize, 16); 2747 } 2748 } 2749 }; 2750 2751 /// \brief A no-op implementation of VarArgHelper. 2752 struct VarArgNoOpHelper : public VarArgHelper { 2753 VarArgNoOpHelper(Function &F, MemorySanitizer &MS, 2754 MemorySanitizerVisitor &MSV) {} 2755 2756 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {} 2757 2758 void visitVAStartInst(VAStartInst &I) override {} 2759 2760 void visitVACopyInst(VACopyInst &I) override {} 2761 2762 void finalizeInstrumentation() override {} 2763 }; 2764 2765 VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan, 2766 MemorySanitizerVisitor &Visitor) { 2767 // VarArg handling is only implemented on AMD64. False positives are possible 2768 // on other platforms. 2769 llvm::Triple TargetTriple(Func.getParent()->getTargetTriple()); 2770 if (TargetTriple.getArch() == llvm::Triple::x86_64) 2771 return new VarArgAMD64Helper(Func, Msan, Visitor); 2772 else 2773 return new VarArgNoOpHelper(Func, Msan, Visitor); 2774 } 2775 2776 } // namespace 2777 2778 bool MemorySanitizer::runOnFunction(Function &F) { 2779 MemorySanitizerVisitor Visitor(F, *this); 2780 2781 // Clear out readonly/readnone attributes. 
2782 AttrBuilder B; 2783 B.addAttribute(Attribute::ReadOnly) 2784 .addAttribute(Attribute::ReadNone); 2785 F.removeAttributes(AttributeSet::FunctionIndex, 2786 AttributeSet::get(F.getContext(), 2787 AttributeSet::FunctionIndex, B)); 2788 2789 return Visitor.runOnFunction(); 2790 } 2791