//===-- MemorySanitizer.cpp - detector of uninitialized reads -------------===//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
/// \file
/// This file is a part of MemorySanitizer, a detector of uninitialized
/// reads.
///
/// The algorithm of the tool is similar to Memcheck
/// (http://goo.gl/QKbem). We associate a few shadow bits with every
/// byte of the application memory, poison the shadow of the malloc-ed
/// or alloca-ed memory, load the shadow bits on every memory read,
/// propagate the shadow bits through some of the arithmetic
/// instructions (including MOV), store the shadow bits on every memory
/// write, and report a bug on some other instructions (e.g. JMP) if the
/// associated shadow is poisoned.
///
/// But there are differences too. The first and the major one:
/// compiler instrumentation instead of binary instrumentation. This
/// gives us much better register allocation, possible compiler
/// optimizations and a fast start-up. But this brings the major issue
/// as well: msan needs to see all program events, including system
/// calls and reads/writes in system libraries, so we either need to
/// compile *everything* with msan or use a binary translation
/// component (e.g. DynamoRIO) to instrument pre-built libraries.
/// Another difference from Memcheck is that we use 8 shadow bits per
/// byte of application memory and use a direct shadow mapping. This
/// greatly simplifies the instrumentation code and avoids races on
/// shadow updates (Memcheck is single-threaded so races are not a
/// concern there. Memcheck uses 2 shadow bits per byte with a slow
/// path storage that uses 8 bits per byte).
///
/// The default value of shadow is 0, which means "clean" (not poisoned).
///
/// Every module initializer should call __msan_init to ensure that the
/// shadow memory is ready. On error, __msan_warning is called. Since
/// parameters and return values may be passed via registers, we have a
/// specialized thread-local shadow for return values
/// (__msan_retval_tls) and parameters (__msan_param_tls).
///
/// Origin tracking.
///
/// MemorySanitizer can track origins (allocation points) of all uninitialized
/// values. This behavior is controlled with a flag (msan-track-origins) and is
/// disabled by default.
///
/// Origins are 4-byte values created and interpreted by the runtime library.
/// They are stored in a second shadow mapping, one 4-byte value for every
/// 4 bytes of application memory. Propagation of origins is basically a bunch
/// of "select" instructions that pick the origin of a dirty argument, if an
/// instruction has one.
///
/// Every 4 aligned, consecutive bytes of application memory have one origin
/// value associated with them. If these bytes contain uninitialized data
/// coming from 2 different allocations, the last store wins. Because of this,
/// MemorySanitizer reports can show unrelated origins, but this is unlikely in
/// practice.
///
/// Origins are meaningless for fully initialized values, so MemorySanitizer
/// avoids storing origin to memory when a fully initialized value is stored.
/// This way it avoids needlessly overwriting the origin of the 4-byte region
/// on a short (i.e. 1-byte) clean store, and it is also good for performance.
///
/// Atomic handling.
///
/// Ideally, every atomic store of application value should update the
/// corresponding shadow location in an atomic way. Unfortunately, atomic store
/// of two disjoint locations cannot be done without severe slowdown.
///
/// Therefore, we implement an approximation that may err on the safe side.
/// In this implementation, every atomically accessed location in the program
/// may only change from (partially) uninitialized to fully initialized, but
/// not the other way around. We load the shadow _after_ the application load,
/// and we store the shadow _before_ the app store. Also, we always store clean
/// shadow (if the application store is atomic). This way, if the store-load
/// pair constitutes a happens-before arc, shadow store and load are correctly
/// ordered such that the load will get either the value that was stored, or
/// some later value (which is always clean).
///
/// This does not work very well with Compare-And-Swap (CAS) and
/// Read-Modify-Write (RMW) operations. To follow the above logic, CAS and RMW
/// must store the new shadow before the app operation, and load the shadow
/// after the app operation. Computers don't work this way. The current
/// implementation ignores the load aspect of CAS/RMW, always returning a clean
/// value. It implements the store part as a simple atomic store by storing a
/// clean shadow.

//===----------------------------------------------------------------------===//

#include "llvm/Transforms/Instrumentation.h"
#include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/Triple.h"
#include "llvm/IR/DataLayout.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h"
#include "llvm/IR/InstVisitor.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/MDBuilder.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Type.h"
#include "llvm/IR/ValueMap.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Compiler.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/Local.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"

using namespace llvm;

#define DEBUG_TYPE "msan"

// VMA size definition for architectures that support multiple sizes.
// AArch64 has 3 VMA sizes: 39, 42 and 48.
#ifndef SANITIZER_AARCH64_VMA
# define SANITIZER_AARCH64_VMA 39
#else
# if SANITIZER_AARCH64_VMA != 39 && SANITIZER_AARCH64_VMA != 42
#  error "invalid SANITIZER_AARCH64_VMA size"
# endif
#endif

static const unsigned kOriginSize = 4;
static const unsigned kMinOriginAlignment = 4;
static const unsigned kShadowTLSAlignment = 8;

// These constants must be kept in sync with the ones in msan.h.
static const unsigned kParamTLSSize = 800;
static const unsigned kRetvalTLSSize = 800;

// Access sizes are powers of two: 1, 2, 4, 8.
static const size_t kNumberOfAccessSizes = 4;

/// \brief Track origins of uninitialized values.
///
/// Adds a section to MemorySanitizer reports that points to the allocation
/// (stack or heap) the uninitialized bits came from originally.
static cl::opt<int> ClTrackOrigins("msan-track-origins",
       cl::desc("Track origins (allocation sites) of poisoned memory"),
       cl::Hidden, cl::init(0));
static cl::opt<bool> ClKeepGoing("msan-keep-going",
       cl::desc("keep going after reporting a UMR"),
       cl::Hidden, cl::init(false));
static cl::opt<bool> ClPoisonStack("msan-poison-stack",
       cl::desc("poison uninitialized stack variables"),
       cl::Hidden, cl::init(true));
static cl::opt<bool> ClPoisonStackWithCall("msan-poison-stack-with-call",
       cl::desc("poison uninitialized stack variables with a call"),
       cl::Hidden, cl::init(false));
static cl::opt<int> ClPoisonStackPattern("msan-poison-stack-pattern",
       cl::desc("poison uninitialized stack variables with the given pattern"),
       cl::Hidden, cl::init(0xff));
static cl::opt<bool> ClPoisonUndef("msan-poison-undef",
       cl::desc("poison undef temps"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClHandleICmp("msan-handle-icmp",
       cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClHandleICmpExact("msan-handle-icmp-exact",
       cl::desc("exact handling of relational integer ICmp"),
       cl::Hidden, cl::init(false));

// This flag controls whether we check the shadow of the address operand of a
// load or store. Such bugs are very rare, since a load from a garbage address
// typically results in SEGV, but they still happen (e.g. only the lower bits
// of the address are garbage, or the access happens early at program startup
// where malloc-ed memory is more likely to be zeroed). As of 2012-08-28 this
// flag adds 20% slowdown.
static cl::opt<bool> ClCheckAccessAddress("msan-check-access-address",
       cl::desc("report accesses through a pointer which has poisoned shadow"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClDumpStrictInstructions("msan-dump-strict-instructions",
       cl::desc("print out instructions with default strict semantics"),
       cl::Hidden, cl::init(false));

static cl::opt<int> ClInstrumentationWithCallThreshold(
    "msan-instrumentation-with-call-threshold",
    cl::desc(
        "If the function being instrumented requires more than "
        "this number of checks and origin stores, use callbacks instead of "
        "inline checks (-1 means never use callbacks)."),
    cl::Hidden, cl::init(3500));

// This is an experiment to enable handling of cases where shadow is a non-zero
// compile-time constant. For some unexplainable reason they were silently
// ignored in the instrumentation.
static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow",
       cl::desc("Insert checks for constant shadow values"),
       cl::Hidden, cl::init(false));

static const char *const kMsanModuleCtorName = "msan.module_ctor";
static const char *const kMsanInitName = "__msan_init";

namespace {

// Memory map parameters used in application-to-shadow address calculation.
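// As a concrete illustration of the scheme below (not normative for every
// platform): with the x86_64 Linux parameters, AndMask = 0x400000000000 and
// XorMask = ShadowBase = 0, so an application address such as 0x7fff12345678
// maps to the shadow address 0x3fff12345678 simply by clearing one bit.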
// Offset = (Addr & ~AndMask) ^ XorMask
// Shadow = ShadowBase + Offset
// Origin = OriginBase + Offset
struct MemoryMapParams {
  uint64_t AndMask;
  uint64_t XorMask;
  uint64_t ShadowBase;
  uint64_t OriginBase;
};

struct PlatformMemoryMapParams {
  const MemoryMapParams *bits32;
  const MemoryMapParams *bits64;
};

// i386 Linux
static const MemoryMapParams Linux_I386_MemoryMapParams = {
  0x000080000000,  // AndMask
  0,               // XorMask (not used)
  0,               // ShadowBase (not used)
  0x000040000000,  // OriginBase
};

// x86_64 Linux
static const MemoryMapParams Linux_X86_64_MemoryMapParams = {
  0x400000000000,  // AndMask
  0,               // XorMask (not used)
  0,               // ShadowBase (not used)
  0x200000000000,  // OriginBase
};

// mips64 Linux
static const MemoryMapParams Linux_MIPS64_MemoryMapParams = {
  0x004000000000,  // AndMask
  0,               // XorMask (not used)
  0,               // ShadowBase (not used)
  0x002000000000,  // OriginBase
};

// ppc64 Linux
static const MemoryMapParams Linux_PowerPC64_MemoryMapParams = {
  0x200000000000,  // AndMask
  0x100000000000,  // XorMask
  0x080000000000,  // ShadowBase
  0x1C0000000000,  // OriginBase
};

// aarch64 Linux
static const MemoryMapParams Linux_AArch64_MemoryMapParams = {
#if SANITIZER_AARCH64_VMA == 39
  0x007C00000000,  // AndMask
  0x000100000000,  // XorMask
  0x004000000000,  // ShadowBase
  0x004300000000,  // OriginBase
#elif SANITIZER_AARCH64_VMA == 42
  0x03E000000000,  // AndMask
  0x001000000000,  // XorMask
  0x010000000000,  // ShadowBase
  0x012000000000,  // OriginBase
#endif
};

// i386 FreeBSD
static const MemoryMapParams FreeBSD_I386_MemoryMapParams = {
  0x000180000000,  // AndMask
  0x000040000000,  // XorMask
  0x000020000000,  // ShadowBase
  0x000700000000,  // OriginBase
};

// x86_64 FreeBSD
static const MemoryMapParams FreeBSD_X86_64_MemoryMapParams = {
  0xc00000000000,  // AndMask
  0x200000000000,  // XorMask
  0x100000000000,  // ShadowBase
  0x380000000000,  // OriginBase
};

static const PlatformMemoryMapParams Linux_X86_MemoryMapParams = {
  &Linux_I386_MemoryMapParams,
  &Linux_X86_64_MemoryMapParams,
};

static const PlatformMemoryMapParams Linux_MIPS_MemoryMapParams = {
  NULL,
  &Linux_MIPS64_MemoryMapParams,
};

static const PlatformMemoryMapParams Linux_PowerPC_MemoryMapParams = {
  NULL,
  &Linux_PowerPC64_MemoryMapParams,
};

static const PlatformMemoryMapParams Linux_ARM_MemoryMapParams = {
  NULL,
  &Linux_AArch64_MemoryMapParams,
};

static const PlatformMemoryMapParams FreeBSD_X86_MemoryMapParams = {
  &FreeBSD_I386_MemoryMapParams,
  &FreeBSD_X86_64_MemoryMapParams,
};

/// \brief An instrumentation pass implementing detection of uninitialized
/// reads.
///
/// MemorySanitizer: instrument the code in module to find
/// uninitialized reads.
class MemorySanitizer : public FunctionPass {
 public:
  MemorySanitizer(int TrackOrigins = 0)
      : FunctionPass(ID),
        TrackOrigins(std::max(TrackOrigins, (int)ClTrackOrigins)),
        WarningFn(nullptr) {}
  const char *getPassName() const override { return "MemorySanitizer"; }
  bool runOnFunction(Function &F) override;
  bool doInitialization(Module &M) override;
  static char ID;  // Pass identification, replacement for typeid.

 private:
  void initializeCallbacks(Module &M);

  /// \brief Track origins (allocation points) of uninitialized values.
  int TrackOrigins;

  LLVMContext *C;
  Type *IntptrTy;
  Type *OriginTy;
  /// \brief Thread-local shadow storage for function parameters.
  GlobalVariable *ParamTLS;
  /// \brief Thread-local origin storage for function parameters.
  GlobalVariable *ParamOriginTLS;
  /// \brief Thread-local shadow storage for function return value.
  GlobalVariable *RetvalTLS;
  /// \brief Thread-local origin storage for function return value.
  GlobalVariable *RetvalOriginTLS;
  /// \brief Thread-local shadow storage for in-register va_arg function
  /// parameters (x86_64-specific).
  GlobalVariable *VAArgTLS;
  /// \brief Thread-local shadow storage for va_arg overflow area
  /// (x86_64-specific).
  GlobalVariable *VAArgOverflowSizeTLS;
  /// \brief Thread-local space used to pass origin value to the UMR reporting
  /// function.
  GlobalVariable *OriginTLS;

  /// \brief The run-time callback to print a warning.
  Value *WarningFn;
  // These arrays are indexed by log2(AccessSize).
  Value *MaybeWarningFn[kNumberOfAccessSizes];
  Value *MaybeStoreOriginFn[kNumberOfAccessSizes];

  /// \brief Run-time helper that generates a new origin value for a stack
  /// allocation.
  Value *MsanSetAllocaOrigin4Fn;
  /// \brief Run-time helper that poisons stack on function entry.
  Value *MsanPoisonStackFn;
  /// \brief Run-time helper that records a store (or any event) of an
  /// uninitialized value and returns an updated origin id encoding this info.
  Value *MsanChainOriginFn;
  /// \brief MSan runtime replacements for memmove, memcpy and memset.
  Value *MemmoveFn, *MemcpyFn, *MemsetFn;

  /// \brief Memory map parameters used in application-to-shadow calculation.
  const MemoryMapParams *MapParams;

  MDNode *ColdCallWeights;
  /// \brief Branch weights for origin store.
  MDNode *OriginStoreWeights;
  /// \brief An empty volatile inline asm that prevents callback merge.
  InlineAsm *EmptyAsm;
  Function *MsanCtorFunction;

  friend struct MemorySanitizerVisitor;
  friend struct VarArgAMD64Helper;
  friend struct VarArgMIPS64Helper;
};
}  // namespace

char MemorySanitizer::ID = 0;
INITIALIZE_PASS(MemorySanitizer, "msan",
                "MemorySanitizer: detects uninitialized reads.",
                false, false)

FunctionPass *llvm::createMemorySanitizerPass(int TrackOrigins) {
  return new MemorySanitizer(TrackOrigins);
}

/// \brief Create a non-const global initialized with the given string.
///
/// Creates a writable global for Str so that we can pass it to the
/// run-time lib. The runtime uses the first 4 bytes of the string to store
/// the frame ID, so the string needs to be mutable.
static GlobalVariable *createPrivateNonConstGlobalForString(Module &M,
                                                            StringRef Str) {
  Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);
  return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/false,
                            GlobalValue::PrivateLinkage, StrConst, "");
}


/// \brief Insert extern declarations of runtime-provided functions and
/// globals.
void MemorySanitizer::initializeCallbacks(Module &M) {
  // Only do this once.
  if (WarningFn)
    return;

  IRBuilder<> IRB(*C);
  // Create the callback.
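  // The declarations below only describe how instrumented code calls into the
  // runtime; the definitions live in compiler-rt. A rough sketch of the
  // expected C-level signatures (an assumption derived from the IR types used
  // here, not an authoritative interface):
  //   void __msan_warning();                    // report a UMR, keep going
  //   void __msan_warning_noreturn();           // report a UMR and abort
  //   void __msan_maybe_warning_N(uN shadow, u32 origin);          // N=1,2,4,8
  //   void __msan_maybe_store_origin_N(uN shadow, void *p, u32 origin);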
  // FIXME: this function should have "Cold" calling conv,
  // which is not yet implemented.
  StringRef WarningFnName = ClKeepGoing ? "__msan_warning"
                                        : "__msan_warning_noreturn";
  WarningFn = M.getOrInsertFunction(WarningFnName, IRB.getVoidTy(), nullptr);

  for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
       AccessSizeIndex++) {
    unsigned AccessSize = 1 << AccessSizeIndex;
    std::string FunctionName = "__msan_maybe_warning_" + itostr(AccessSize);
    MaybeWarningFn[AccessSizeIndex] = M.getOrInsertFunction(
        FunctionName, IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8),
        IRB.getInt32Ty(), nullptr);

    FunctionName = "__msan_maybe_store_origin_" + itostr(AccessSize);
    MaybeStoreOriginFn[AccessSizeIndex] = M.getOrInsertFunction(
        FunctionName, IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8),
        IRB.getInt8PtrTy(), IRB.getInt32Ty(), nullptr);
  }

  MsanSetAllocaOrigin4Fn = M.getOrInsertFunction(
      "__msan_set_alloca_origin4", IRB.getVoidTy(), IRB.getInt8PtrTy(),
      IntptrTy, IRB.getInt8PtrTy(), IntptrTy, nullptr);
  MsanPoisonStackFn =
      M.getOrInsertFunction("__msan_poison_stack", IRB.getVoidTy(),
                            IRB.getInt8PtrTy(), IntptrTy, nullptr);
  MsanChainOriginFn = M.getOrInsertFunction(
      "__msan_chain_origin", IRB.getInt32Ty(), IRB.getInt32Ty(), nullptr);
  MemmoveFn = M.getOrInsertFunction(
      "__msan_memmove", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
      IRB.getInt8PtrTy(), IntptrTy, nullptr);
  MemcpyFn = M.getOrInsertFunction(
      "__msan_memcpy", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
      IRB.getInt8PtrTy(), IntptrTy, nullptr);
  MemsetFn = M.getOrInsertFunction(
      "__msan_memset", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
      IRB.getInt32Ty(), IntptrTy, nullptr);

  // Create globals.
  RetvalTLS = new GlobalVariable(
      M, ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_retval_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);
  RetvalOriginTLS = new GlobalVariable(
      M, OriginTy, false, GlobalVariable::ExternalLinkage, nullptr,
      "__msan_retval_origin_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);

  ParamTLS = new GlobalVariable(
      M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_param_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);
  ParamOriginTLS = new GlobalVariable(
      M, ArrayType::get(OriginTy, kParamTLSSize / 4), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_param_origin_tls",
      nullptr, GlobalVariable::InitialExecTLSModel);

  VAArgTLS = new GlobalVariable(
      M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_va_arg_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);
  VAArgOverflowSizeTLS = new GlobalVariable(
      M, IRB.getInt64Ty(), false, GlobalVariable::ExternalLinkage, nullptr,
      "__msan_va_arg_overflow_size_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);
  OriginTLS = new GlobalVariable(
      M, IRB.getInt32Ty(), false, GlobalVariable::ExternalLinkage, nullptr,
      "__msan_origin_tls", nullptr, GlobalVariable::InitialExecTLSModel);

  // We insert an empty inline asm after __msan_report* to avoid callback
  // merge.
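  // Without this, the backend may treat two identical adjacent report calls as
  // interchangeable and merge them, so distinct warnings would end up sharing
  // a single report site.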
  EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
                            StringRef(""), StringRef(""),
                            /*hasSideEffects=*/true);
}

/// \brief Module-level initialization.
///
/// Inserts a call to __msan_init into the module's constructor list.
bool MemorySanitizer::doInitialization(Module &M) {
  auto &DL = M.getDataLayout();

  Triple TargetTriple(M.getTargetTriple());
  switch (TargetTriple.getOS()) {
    case Triple::FreeBSD:
      switch (TargetTriple.getArch()) {
        case Triple::x86_64:
          MapParams = FreeBSD_X86_MemoryMapParams.bits64;
          break;
        case Triple::x86:
          MapParams = FreeBSD_X86_MemoryMapParams.bits32;
          break;
        default:
          report_fatal_error("unsupported architecture");
      }
      break;
    case Triple::Linux:
      switch (TargetTriple.getArch()) {
        case Triple::x86_64:
          MapParams = Linux_X86_MemoryMapParams.bits64;
          break;
        case Triple::x86:
          MapParams = Linux_X86_MemoryMapParams.bits32;
          break;
        case Triple::mips64:
        case Triple::mips64el:
          MapParams = Linux_MIPS_MemoryMapParams.bits64;
          break;
        case Triple::ppc64:
        case Triple::ppc64le:
          MapParams = Linux_PowerPC_MemoryMapParams.bits64;
          break;
        case Triple::aarch64:
        case Triple::aarch64_be:
          MapParams = Linux_ARM_MemoryMapParams.bits64;
          break;
        default:
          report_fatal_error("unsupported architecture");
      }
      break;
    default:
      report_fatal_error("unsupported operating system");
  }

  C = &(M.getContext());
  IRBuilder<> IRB(*C);
  IntptrTy = IRB.getIntPtrTy(DL);
  OriginTy = IRB.getInt32Ty();

  ColdCallWeights = MDBuilder(*C).createBranchWeights(1, 1000);
  OriginStoreWeights = MDBuilder(*C).createBranchWeights(1, 1000);

  std::tie(MsanCtorFunction, std::ignore) =
      createSanitizerCtorAndInitFunctions(M, kMsanModuleCtorName,
                                          kMsanInitName,
                                          /*InitArgTypes=*/{},
                                          /*InitArgs=*/{});

  appendToGlobalCtors(M, MsanCtorFunction, 0);

  if (TrackOrigins)
    new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage,
                       IRB.getInt32(TrackOrigins), "__msan_track_origins");

  if (ClKeepGoing)
    new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage,
                       IRB.getInt32(ClKeepGoing), "__msan_keep_going");

  return true;
}

namespace {

/// \brief A helper class that handles instrumentation of VarArg
/// functions on a particular platform.
///
/// Implementations are expected to insert the instrumentation
/// necessary to propagate argument shadow through VarArg function
/// calls. Visit* methods are called during an InstVisitor pass over
/// the function, and should avoid creating new basic blocks. A new
/// instance of this class is created for each instrumented function.
struct VarArgHelper {
  /// \brief Visit a CallSite.
  virtual void visitCallSite(CallSite &CS, IRBuilder<> &IRB) = 0;

  /// \brief Visit a va_start call.
  virtual void visitVAStartInst(VAStartInst &I) = 0;

  /// \brief Visit a va_copy call.
  virtual void visitVACopyInst(VACopyInst &I) = 0;

  /// \brief Finalize function instrumentation.
  ///
  /// This method is called after visiting all interesting (see above)
  /// instructions in a function.
  virtual void finalizeInstrumentation() = 0;

  virtual ~VarArgHelper() {}
};

struct MemorySanitizerVisitor;

VarArgHelper*
CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
                   MemorySanitizerVisitor &Visitor);

unsigned TypeSizeToSizeIndex(unsigned TypeSize) {
  if (TypeSize <= 8) return 0;
  return Log2_32_Ceil(TypeSize / 8);
}

/// This class does all the work for a given function. Store and Load
/// instructions store and load corresponding shadow and origin
/// values. Most instructions propagate shadow from arguments to their
/// return values. Certain instructions (most importantly, BranchInst)
/// test their argument shadow and print reports (with a runtime call) if it's
/// non-zero.
struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
  Function &F;
  MemorySanitizer &MS;
  SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes;
  ValueMap<Value*, Value*> ShadowMap, OriginMap;
  std::unique_ptr<VarArgHelper> VAHelper;

  // The following flags disable parts of MSan instrumentation based on
  // blacklist contents and command-line options.
  bool InsertChecks;
  bool PropagateShadow;
  bool PoisonStack;
  bool PoisonUndef;
  bool CheckReturnValue;

  struct ShadowOriginAndInsertPoint {
    Value *Shadow;
    Value *Origin;
    Instruction *OrigIns;
    ShadowOriginAndInsertPoint(Value *S, Value *O, Instruction *I)
      : Shadow(S), Origin(O), OrigIns(I) { }
  };
  SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList;
  SmallVector<Instruction*, 16> StoreList;

  MemorySanitizerVisitor(Function &F, MemorySanitizer &MS)
      : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)) {
    bool SanitizeFunction = F.hasFnAttribute(Attribute::SanitizeMemory);
    InsertChecks = SanitizeFunction;
    PropagateShadow = SanitizeFunction;
    PoisonStack = SanitizeFunction && ClPoisonStack;
    PoisonUndef = SanitizeFunction && ClPoisonUndef;
    // FIXME: Consider using SpecialCaseList to specify a list of functions
    // that must always return fully initialized values. For now, we hardcode
    // "main".
    CheckReturnValue = SanitizeFunction && (F.getName() == "main");

    DEBUG(if (!InsertChecks)
              dbgs() << "MemorySanitizer is not inserting checks into '"
                     << F.getName() << "'\n");
  }

  Value *updateOrigin(Value *V, IRBuilder<> &IRB) {
    if (MS.TrackOrigins <= 1) return V;
    return IRB.CreateCall(MS.MsanChainOriginFn, V);
  }

  Value *originToIntptr(IRBuilder<> &IRB, Value *Origin) {
    const DataLayout &DL = F.getParent()->getDataLayout();
    unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
    if (IntptrSize == kOriginSize) return Origin;
    assert(IntptrSize == kOriginSize * 2);
    Origin = IRB.CreateIntCast(Origin, MS.IntptrTy, /* isSigned */ false);
    return IRB.CreateOr(Origin, IRB.CreateShl(Origin, kOriginSize * 8));
  }

  /// \brief Fill memory range with the given origin value.
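  ///
  /// Writes the origin in IntptrTy-sized chunks while size and alignment
  /// allow it, then falls back to individual 4-byte (kOriginSize) stores for
  /// the remainder.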
  void paintOrigin(IRBuilder<> &IRB, Value *Origin, Value *OriginPtr,
                   unsigned Size, unsigned Alignment) {
    const DataLayout &DL = F.getParent()->getDataLayout();
    unsigned IntptrAlignment = DL.getABITypeAlignment(MS.IntptrTy);
    unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
    assert(IntptrAlignment >= kMinOriginAlignment);
    assert(IntptrSize >= kOriginSize);

    unsigned Ofs = 0;
    unsigned CurrentAlignment = Alignment;
    if (Alignment >= IntptrAlignment && IntptrSize > kOriginSize) {
      Value *IntptrOrigin = originToIntptr(IRB, Origin);
      Value *IntptrOriginPtr =
          IRB.CreatePointerCast(OriginPtr, PointerType::get(MS.IntptrTy, 0));
      for (unsigned i = 0; i < Size / IntptrSize; ++i) {
        Value *Ptr = i ? IRB.CreateConstGEP1_32(MS.IntptrTy, IntptrOriginPtr, i)
                       : IntptrOriginPtr;
        IRB.CreateAlignedStore(IntptrOrigin, Ptr, CurrentAlignment);
        Ofs += IntptrSize / kOriginSize;
        CurrentAlignment = IntptrAlignment;
      }
    }

    for (unsigned i = Ofs; i < (Size + kOriginSize - 1) / kOriginSize; ++i) {
      Value *GEP =
          i ? IRB.CreateConstGEP1_32(nullptr, OriginPtr, i) : OriginPtr;
      IRB.CreateAlignedStore(Origin, GEP, CurrentAlignment);
      CurrentAlignment = kMinOriginAlignment;
    }
  }

  void storeOrigin(IRBuilder<> &IRB, Value *Addr, Value *Shadow, Value *Origin,
                   unsigned Alignment, bool AsCall) {
    const DataLayout &DL = F.getParent()->getDataLayout();
    unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment);
    unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType());
    if (isa<StructType>(Shadow->getType())) {
      paintOrigin(IRB, updateOrigin(Origin, IRB),
                  getOriginPtr(Addr, IRB, Alignment), StoreSize,
                  OriginAlignment);
    } else {
      Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
      Constant *ConstantShadow = dyn_cast_or_null<Constant>(ConvertedShadow);
      if (ConstantShadow) {
        if (ClCheckConstantShadow && !ConstantShadow->isZeroValue())
          paintOrigin(IRB, updateOrigin(Origin, IRB),
                      getOriginPtr(Addr, IRB, Alignment), StoreSize,
                      OriginAlignment);
        return;
      }

      unsigned TypeSizeInBits =
          DL.getTypeSizeInBits(ConvertedShadow->getType());
      unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
      if (AsCall && SizeIndex < kNumberOfAccessSizes) {
        Value *Fn = MS.MaybeStoreOriginFn[SizeIndex];
        Value *ConvertedShadow2 = IRB.CreateZExt(
            ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
        IRB.CreateCall(Fn, {ConvertedShadow2,
                            IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()),
                            Origin});
      } else {
        Value *Cmp = IRB.CreateICmpNE(
            ConvertedShadow, getCleanShadow(ConvertedShadow), "_mscmp");
        Instruction *CheckTerm = SplitBlockAndInsertIfThen(
            Cmp, IRB.GetInsertPoint(), false, MS.OriginStoreWeights);
        IRBuilder<> IRBNew(CheckTerm);
        paintOrigin(IRBNew, updateOrigin(Origin, IRBNew),
                    getOriginPtr(Addr, IRBNew, Alignment), StoreSize,
                    OriginAlignment);
      }
    }
  }

  void materializeStores(bool InstrumentWithCalls) {
    for (auto Inst : StoreList) {
      StoreInst &SI = *dyn_cast<StoreInst>(Inst);

      IRBuilder<> IRB(&SI);
      Value *Val = SI.getValueOperand();
      Value *Addr = SI.getPointerOperand();
      Value *Shadow = SI.isAtomic() ? getCleanShadow(Val) : getShadow(Val);
      Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB);

      StoreInst *NewSI =
          IRB.CreateAlignedStore(Shadow, ShadowPtr, SI.getAlignment());
      DEBUG(dbgs() << "  STORE: " << *NewSI << "\n");
      (void)NewSI;

      if (ClCheckAccessAddress) insertShadowCheck(Addr, &SI);

      if (SI.isAtomic()) SI.setOrdering(addReleaseOrdering(SI.getOrdering()));

      if (MS.TrackOrigins && !SI.isAtomic())
        storeOrigin(IRB, Addr, Shadow, getOrigin(Val), SI.getAlignment(),
                    InstrumentWithCalls);
    }
  }

  void materializeOneCheck(Instruction *OrigIns, Value *Shadow, Value *Origin,
                           bool AsCall) {
    IRBuilder<> IRB(OrigIns);
    DEBUG(dbgs() << "  SHAD0 : " << *Shadow << "\n");
    Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
    DEBUG(dbgs() << "  SHAD1 : " << *ConvertedShadow << "\n");

    Constant *ConstantShadow = dyn_cast_or_null<Constant>(ConvertedShadow);
    if (ConstantShadow) {
      if (ClCheckConstantShadow && !ConstantShadow->isZeroValue()) {
        if (MS.TrackOrigins) {
          IRB.CreateStore(Origin ? (Value *)Origin : (Value *)IRB.getInt32(0),
                          MS.OriginTLS);
        }
        IRB.CreateCall(MS.WarningFn, {});
        IRB.CreateCall(MS.EmptyAsm, {});
        // FIXME: Insert UnreachableInst if !ClKeepGoing?
        // This may invalidate some of the following checks and needs to be
        // done at the very end.
      }
      return;
    }

    const DataLayout &DL = OrigIns->getModule()->getDataLayout();

    unsigned TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType());
    unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
    if (AsCall && SizeIndex < kNumberOfAccessSizes) {
      Value *Fn = MS.MaybeWarningFn[SizeIndex];
      Value *ConvertedShadow2 =
          IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
      IRB.CreateCall(Fn, {ConvertedShadow2, MS.TrackOrigins && Origin
                                                ? Origin
                                                : (Value *)IRB.getInt32(0)});
    } else {
      Value *Cmp = IRB.CreateICmpNE(ConvertedShadow,
                                    getCleanShadow(ConvertedShadow), "_mscmp");
      Instruction *CheckTerm = SplitBlockAndInsertIfThen(
          Cmp, OrigIns,
          /* Unreachable */ !ClKeepGoing, MS.ColdCallWeights);

      IRB.SetInsertPoint(CheckTerm);
      if (MS.TrackOrigins) {
        IRB.CreateStore(Origin ? (Value *)Origin : (Value *)IRB.getInt32(0),
                        MS.OriginTLS);
      }
      IRB.CreateCall(MS.WarningFn, {});
      IRB.CreateCall(MS.EmptyAsm, {});
      DEBUG(dbgs() << "  CHECK: " << *Cmp << "\n");
    }
  }

  void materializeChecks(bool InstrumentWithCalls) {
    for (const auto &ShadowData : InstrumentationList) {
      Instruction *OrigIns = ShadowData.OrigIns;
      Value *Shadow = ShadowData.Shadow;
      Value *Origin = ShadowData.Origin;
      materializeOneCheck(OrigIns, Shadow, Origin, InstrumentWithCalls);
    }
    DEBUG(dbgs() << "DONE:\n" << F);
  }

  /// \brief Add MemorySanitizer instrumentation to a function.
  bool runOnFunction() {
    MS.initializeCallbacks(*F.getParent());

    // In the presence of unreachable blocks, we may see Phi nodes with
    // incoming nodes from such blocks. Since InstVisitor skips unreachable
    // blocks, such nodes will not have any shadow value associated with them.
    // It's easier to remove unreachable blocks than deal with missing shadow.
    removeUnreachableBlocks(F);

    // Iterate all BBs in depth-first order and create shadow instructions
    // for all instructions (where applicable).
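    // Depth-first order from the entry block guarantees that a block's
    // dominators are visited first, so the shadow of every non-PHI operand
    // already exists by the time it is used.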
    // For PHI nodes we create dummy shadow PHIs which will be finalized later.
    for (BasicBlock *BB : depth_first(&F.getEntryBlock()))
      visit(*BB);

    // Finalize PHI nodes.
    for (PHINode *PN : ShadowPHINodes) {
      PHINode *PNS = cast<PHINode>(getShadow(PN));
      PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : nullptr;
      size_t NumValues = PN->getNumIncomingValues();
      for (size_t v = 0; v < NumValues; v++) {
        PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v));
        if (PNO) PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v));
      }
    }

    VAHelper->finalizeInstrumentation();

    bool InstrumentWithCalls = ClInstrumentationWithCallThreshold >= 0 &&
                               InstrumentationList.size() + StoreList.size() >
                                   (unsigned)ClInstrumentationWithCallThreshold;

    // Delayed instrumentation of StoreInst.
    // This may add new checks to be inserted later.
    materializeStores(InstrumentWithCalls);

    // Insert shadow value checks.
    materializeChecks(InstrumentWithCalls);

    return true;
  }

  /// \brief Compute the shadow type that corresponds to a given Value.
  Type *getShadowTy(Value *V) {
    return getShadowTy(V->getType());
  }

  /// \brief Compute the shadow type that corresponds to a given Type.
  Type *getShadowTy(Type *OrigTy) {
    if (!OrigTy->isSized()) {
      return nullptr;
    }
    // For integer types, shadow is the same as the original type.
    // This may return weird-sized types like i1.
    if (IntegerType *IT = dyn_cast<IntegerType>(OrigTy))
      return IT;
    const DataLayout &DL = F.getParent()->getDataLayout();
    if (VectorType *VT = dyn_cast<VectorType>(OrigTy)) {
      uint32_t EltSize = DL.getTypeSizeInBits(VT->getElementType());
      return VectorType::get(IntegerType::get(*MS.C, EltSize),
                             VT->getNumElements());
    }
    if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy)) {
      return ArrayType::get(getShadowTy(AT->getElementType()),
                            AT->getNumElements());
    }
    if (StructType *ST = dyn_cast<StructType>(OrigTy)) {
      SmallVector<Type*, 4> Elements;
      for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
        Elements.push_back(getShadowTy(ST->getElementType(i)));
      StructType *Res = StructType::get(*MS.C, Elements, ST->isPacked());
      DEBUG(dbgs() << "getShadowTy: " << *ST << " ===> " << *Res << "\n");
      return Res;
    }
    uint32_t TypeSize = DL.getTypeSizeInBits(OrigTy);
    return IntegerType::get(*MS.C, TypeSize);
  }

  /// \brief Flatten a vector type.
  Type *getShadowTyNoVec(Type *ty) {
    if (VectorType *vt = dyn_cast<VectorType>(ty))
      return IntegerType::get(*MS.C, vt->getBitWidth());
    return ty;
  }

  /// \brief Convert a shadow value to its flattened variant.
  Value *convertToShadowTyNoVec(Value *V, IRBuilder<> &IRB) {
    Type *Ty = V->getType();
    Type *NoVecTy = getShadowTyNoVec(Ty);
    if (Ty == NoVecTy) return V;
    return IRB.CreateBitCast(V, NoVecTy);
  }

  /// \brief Compute the integer shadow offset that corresponds to a given
  /// application address.
  ///
  /// Offset = (Addr & ~AndMask) ^ XorMask
  Value *getShadowPtrOffset(Value *Addr, IRBuilder<> &IRB) {
    uint64_t AndMask = MS.MapParams->AndMask;
    assert(AndMask != 0 && "AndMask shall be specified");
    Value *OffsetLong =
        IRB.CreateAnd(IRB.CreatePointerCast(Addr, MS.IntptrTy),
                      ConstantInt::get(MS.IntptrTy, ~AndMask));

    uint64_t XorMask = MS.MapParams->XorMask;
    if (XorMask != 0)
      OffsetLong = IRB.CreateXor(OffsetLong,
                                 ConstantInt::get(MS.IntptrTy, XorMask));
    return OffsetLong;
  }

  /// \brief Compute the shadow address that corresponds to a given application
  /// address.
  ///
  /// Shadow = ShadowBase + Offset
  Value *getShadowPtr(Value *Addr, Type *ShadowTy,
                      IRBuilder<> &IRB) {
    Value *ShadowLong = getShadowPtrOffset(Addr, IRB);
    uint64_t ShadowBase = MS.MapParams->ShadowBase;
    if (ShadowBase != 0)
      ShadowLong =
          IRB.CreateAdd(ShadowLong,
                        ConstantInt::get(MS.IntptrTy, ShadowBase));
    return IRB.CreateIntToPtr(ShadowLong, PointerType::get(ShadowTy, 0));
  }

  /// \brief Compute the origin address that corresponds to a given application
  /// address.
  ///
  /// OriginAddr = (OriginBase + Offset) & ~3ULL
  Value *getOriginPtr(Value *Addr, IRBuilder<> &IRB, unsigned Alignment) {
    Value *OriginLong = getShadowPtrOffset(Addr, IRB);
    uint64_t OriginBase = MS.MapParams->OriginBase;
    if (OriginBase != 0)
      OriginLong =
          IRB.CreateAdd(OriginLong,
                        ConstantInt::get(MS.IntptrTy, OriginBase));
    if (Alignment < kMinOriginAlignment) {
      uint64_t Mask = kMinOriginAlignment - 1;
      OriginLong = IRB.CreateAnd(OriginLong,
                                 ConstantInt::get(MS.IntptrTy, ~Mask));
    }
    return IRB.CreateIntToPtr(OriginLong,
                              PointerType::get(IRB.getInt32Ty(), 0));
  }

  /// \brief Compute the shadow address for a given function argument.
  ///
  /// Shadow = ParamTLS + ArgOffset.
  Value *getShadowPtrForArgument(Value *A, IRBuilder<> &IRB,
                                 int ArgOffset) {
    Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy);
    Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
    return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0),
                              "_msarg");
  }

  /// \brief Compute the origin address for a given function argument.
  Value *getOriginPtrForArgument(Value *A, IRBuilder<> &IRB,
                                 int ArgOffset) {
    if (!MS.TrackOrigins) return nullptr;
    Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy);
    Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
    return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
                              "_msarg_o");
  }

  /// \brief Compute the shadow address for a retval.
  Value *getShadowPtrForRetval(Value *A, IRBuilder<> &IRB) {
    Value *Base = IRB.CreatePointerCast(MS.RetvalTLS, MS.IntptrTy);
    return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0),
                              "_msret");
  }

  /// \brief Compute the origin address for a retval.
  Value *getOriginPtrForRetval(IRBuilder<> &IRB) {
    // We keep a single origin for the entire retval. Might be too optimistic.
    return MS.RetvalOriginTLS;
  }

  /// \brief Set SV to be the shadow value for V.
  void setShadow(Value *V, Value *SV) {
    assert(!ShadowMap.count(V) && "Values may only have one shadow");
    ShadowMap[V] = PropagateShadow ? SV : getCleanShadow(V);
  }

  /// \brief Set Origin to be the origin value for V.
  void setOrigin(Value *V, Value *Origin) {
    if (!MS.TrackOrigins) return;
    assert(!OriginMap.count(V) && "Values may only have one origin");
    DEBUG(dbgs() << "ORIGIN: " << *V << "  ==> " << *Origin << "\n");
    OriginMap[V] = Origin;
  }

  /// \brief Create a clean shadow value for a given value.
  ///
  /// Clean shadow (all zeroes) means all bits of the value are defined
  /// (initialized).
  Constant *getCleanShadow(Value *V) {
    Type *ShadowTy = getShadowTy(V);
    if (!ShadowTy)
      return nullptr;
    return Constant::getNullValue(ShadowTy);
  }

  /// \brief Create a dirty shadow of a given shadow type.
  Constant *getPoisonedShadow(Type *ShadowTy) {
    assert(ShadowTy);
    if (isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy))
      return Constant::getAllOnesValue(ShadowTy);
    if (ArrayType *AT = dyn_cast<ArrayType>(ShadowTy)) {
      SmallVector<Constant *, 4> Vals(AT->getNumElements(),
                                      getPoisonedShadow(AT->getElementType()));
      return ConstantArray::get(AT, Vals);
    }
    if (StructType *ST = dyn_cast<StructType>(ShadowTy)) {
      SmallVector<Constant *, 4> Vals;
      for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
        Vals.push_back(getPoisonedShadow(ST->getElementType(i)));
      return ConstantStruct::get(ST, Vals);
    }
    llvm_unreachable("Unexpected shadow type");
  }

  /// \brief Create a dirty shadow for a given value.
  Constant *getPoisonedShadow(Value *V) {
    Type *ShadowTy = getShadowTy(V);
    if (!ShadowTy)
      return nullptr;
    return getPoisonedShadow(ShadowTy);
  }

  /// \brief Create a clean (zero) origin.
  Value *getCleanOrigin() {
    return Constant::getNullValue(MS.OriginTy);
  }

  /// \brief Get the shadow value for a given Value.
  ///
  /// This function either returns the value set earlier with setShadow,
  /// or extracts it from ParamTLS (for function arguments).
  Value *getShadow(Value *V) {
    if (!PropagateShadow) return getCleanShadow(V);
    if (Instruction *I = dyn_cast<Instruction>(V)) {
      // For instructions the shadow is already stored in the map.
      Value *Shadow = ShadowMap[V];
      if (!Shadow) {
        DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent()));
        (void)I;
        assert(Shadow && "No shadow for a value");
      }
      return Shadow;
    }
    if (UndefValue *U = dyn_cast<UndefValue>(V)) {
      Value *AllOnes = PoisonUndef ? getPoisonedShadow(V) : getCleanShadow(V);
      DEBUG(dbgs() << "Undef: " << *U << " ==> " << *AllOnes << "\n");
      (void)U;
      return AllOnes;
    }
    if (Argument *A = dyn_cast<Argument>(V)) {
      // For arguments we compute the shadow on demand and store it in the map.
      Value **ShadowPtr = &ShadowMap[V];
      if (*ShadowPtr)
        return *ShadowPtr;
      Function *F = A->getParent();
      IRBuilder<> EntryIRB(F->getEntryBlock().getFirstNonPHI());
      unsigned ArgOffset = 0;
      const DataLayout &DL = F->getParent()->getDataLayout();
      for (auto &FArg : F->args()) {
        if (!FArg.getType()->isSized()) {
          DEBUG(dbgs() << "Arg is not sized\n");
          continue;
        }
        unsigned Size =
            FArg.hasByValAttr()
                ? DL.getTypeAllocSize(FArg.getType()->getPointerElementType())
                : DL.getTypeAllocSize(FArg.getType());
        if (A == &FArg) {
          bool Overflow = ArgOffset + Size > kParamTLSSize;
          Value *Base = getShadowPtrForArgument(&FArg, EntryIRB, ArgOffset);
          if (FArg.hasByValAttr()) {
            // ByVal pointer itself has clean shadow. We copy the actual
            // argument shadow to the underlying memory.
            // Figure out maximal valid memcpy alignment.
            unsigned ArgAlign = FArg.getParamAlignment();
            if (ArgAlign == 0) {
              Type *EltType = A->getType()->getPointerElementType();
              ArgAlign = DL.getABITypeAlignment(EltType);
            }
            if (Overflow) {
              // ParamTLS overflow.
              EntryIRB.CreateMemSet(
                  getShadowPtr(V, EntryIRB.getInt8Ty(), EntryIRB),
                  Constant::getNullValue(EntryIRB.getInt8Ty()), Size,
                  ArgAlign);
            } else {
              unsigned CopyAlign = std::min(ArgAlign, kShadowTLSAlignment);
              Value *Cpy = EntryIRB.CreateMemCpy(
                  getShadowPtr(V, EntryIRB.getInt8Ty(), EntryIRB), Base, Size,
                  CopyAlign);
              DEBUG(dbgs() << "  ByValCpy: " << *Cpy << "\n");
              (void)Cpy;
            }
            *ShadowPtr = getCleanShadow(V);
          } else {
            if (Overflow) {
              // ParamTLS overflow.
              *ShadowPtr = getCleanShadow(V);
            } else {
              *ShadowPtr =
                  EntryIRB.CreateAlignedLoad(Base, kShadowTLSAlignment);
            }
          }
          DEBUG(dbgs() << "  ARG:    " << FArg << " ==> " <<
                **ShadowPtr << "\n");
          if (MS.TrackOrigins && !Overflow) {
            Value *OriginPtr =
                getOriginPtrForArgument(&FArg, EntryIRB, ArgOffset);
            setOrigin(A, EntryIRB.CreateLoad(OriginPtr));
          } else {
            setOrigin(A, getCleanOrigin());
          }
        }
        ArgOffset += RoundUpToAlignment(Size, kShadowTLSAlignment);
      }
      assert(*ShadowPtr && "Could not find shadow for an argument");
      return *ShadowPtr;
    }
    // For everything else the shadow is zero.
    return getCleanShadow(V);
  }

  /// \brief Get the shadow for the i-th argument of the instruction I.
  Value *getShadow(Instruction *I, int i) {
    return getShadow(I->getOperand(i));
  }

  /// \brief Get the origin for a value.
  Value *getOrigin(Value *V) {
    if (!MS.TrackOrigins) return nullptr;
    if (!PropagateShadow) return getCleanOrigin();
    if (isa<Constant>(V)) return getCleanOrigin();
    assert((isa<Instruction>(V) || isa<Argument>(V)) &&
           "Unexpected value type in getOrigin()");
    Value *Origin = OriginMap[V];
    assert(Origin && "Missing origin");
    return Origin;
  }

  /// \brief Get the origin for the i-th argument of the instruction I.
  Value *getOrigin(Instruction *I, int i) {
    return getOrigin(I->getOperand(i));
  }

  /// \brief Remember the place where a shadow check should be inserted.
  ///
  /// This location will be later instrumented with a check that will print a
  /// UMR warning at runtime if the shadow value is not 0.
  void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) {
    assert(Shadow);
    if (!InsertChecks) return;
#ifndef NDEBUG
    Type *ShadowTy = Shadow->getType();
    assert((isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy)) &&
           "Can only insert checks for integer and vector shadow types");
#endif
    InstrumentationList.push_back(
        ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns));
  }

  /// \brief Remember the place where a shadow check should be inserted.
  ///
  /// This location will be later instrumented with a check that will print a
  /// UMR warning at runtime if the value is not fully defined.
  void insertShadowCheck(Value *Val, Instruction *OrigIns) {
    assert(Val);
    Value *Shadow, *Origin;
    if (ClCheckConstantShadow) {
      Shadow = getShadow(Val);
      if (!Shadow) return;
      Origin = getOrigin(Val);
    } else {
      Shadow = dyn_cast_or_null<Instruction>(getShadow(Val));
      if (!Shadow) return;
      Origin = dyn_cast_or_null<Instruction>(getOrigin(Val));
    }
    insertShadowCheck(Shadow, Origin, OrigIns);
  }

  AtomicOrdering addReleaseOrdering(AtomicOrdering a) {
    switch (a) {
      case NotAtomic:
        return NotAtomic;
      case Unordered:
      case Monotonic:
      case Release:
        return Release;
      case Acquire:
      case AcquireRelease:
        return AcquireRelease;
      case SequentiallyConsistent:
        return SequentiallyConsistent;
    }
    llvm_unreachable("Unknown ordering");
  }

  AtomicOrdering addAcquireOrdering(AtomicOrdering a) {
    switch (a) {
      case NotAtomic:
        return NotAtomic;
      case Unordered:
      case Monotonic:
      case Acquire:
        return Acquire;
      case Release:
      case AcquireRelease:
        return AcquireRelease;
      case SequentiallyConsistent:
        return SequentiallyConsistent;
    }
    llvm_unreachable("Unknown ordering");
  }

  // ------------------- Visitors.

  /// \brief Instrument LoadInst
  ///
  /// Loads the corresponding shadow and (optionally) origin.
  /// Optionally, checks that the load address is fully defined.
  void visitLoadInst(LoadInst &I) {
    assert(I.getType()->isSized() && "Load type must have size");
    IRBuilder<> IRB(I.getNextNode());
    Type *ShadowTy = getShadowTy(&I);
    Value *Addr = I.getPointerOperand();
    if (PropagateShadow && !I.getMetadata("nosanitize")) {
      Value *ShadowPtr = getShadowPtr(Addr, ShadowTy, IRB);
      setShadow(&I,
                IRB.CreateAlignedLoad(ShadowPtr, I.getAlignment(), "_msld"));
    } else {
      setShadow(&I, getCleanShadow(&I));
    }

    if (ClCheckAccessAddress)
      insertShadowCheck(I.getPointerOperand(), &I);

    if (I.isAtomic())
      I.setOrdering(addAcquireOrdering(I.getOrdering()));

    if (MS.TrackOrigins) {
      if (PropagateShadow) {
        unsigned Alignment = I.getAlignment();
        unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment);
        setOrigin(&I, IRB.CreateAlignedLoad(getOriginPtr(Addr, IRB, Alignment),
                                            OriginAlignment));
      } else {
        setOrigin(&I, getCleanOrigin());
      }
    }
  }

  /// \brief Instrument StoreInst
  ///
  /// Stores the corresponding shadow and (optionally) origin.
  /// Optionally, checks that the store address is fully defined.
  void visitStoreInst(StoreInst &I) {
    StoreList.push_back(&I);
  }

  void handleCASOrRMW(Instruction &I) {
    assert(isa<AtomicRMWInst>(I) || isa<AtomicCmpXchgInst>(I));

    IRBuilder<> IRB(&I);
    Value *Addr = I.getOperand(0);
    Value *ShadowPtr = getShadowPtr(Addr, I.getType(), IRB);

    if (ClCheckAccessAddress)
      insertShadowCheck(Addr, &I);

    // Only test the conditional argument of cmpxchg instruction.
    // The other argument can potentially be uninitialized, but we cannot
    // detect this situation reliably without possible false positives.
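    // (Operand 1 of cmpxchg is the comparand: the comparison's outcome
    // observably depends on it, so it must be fully initialized. Operand 2,
    // the new value, follows the CAS/RMW policy described in the file header
    // and simply gets a clean shadow stored for it.)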
    if (isa<AtomicCmpXchgInst>(I))
      insertShadowCheck(I.getOperand(1), &I);

    IRB.CreateStore(getCleanShadow(&I), ShadowPtr);

    setShadow(&I, getCleanShadow(&I));
    setOrigin(&I, getCleanOrigin());
  }

  void visitAtomicRMWInst(AtomicRMWInst &I) {
    handleCASOrRMW(I);
    I.setOrdering(addReleaseOrdering(I.getOrdering()));
  }

  void visitAtomicCmpXchgInst(AtomicCmpXchgInst &I) {
    handleCASOrRMW(I);
    I.setSuccessOrdering(addReleaseOrdering(I.getSuccessOrdering()));
  }

  // Vector manipulation.
  void visitExtractElementInst(ExtractElementInst &I) {
    insertShadowCheck(I.getOperand(1), &I);
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateExtractElement(getShadow(&I, 0), I.getOperand(1),
                                           "_msprop"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitInsertElementInst(InsertElementInst &I) {
    insertShadowCheck(I.getOperand(2), &I);
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateInsertElement(getShadow(&I, 0), getShadow(&I, 1),
                                          I.getOperand(2), "_msprop"));
    setOriginForNaryOp(I);
  }

  void visitShuffleVectorInst(ShuffleVectorInst &I) {
    insertShadowCheck(I.getOperand(2), &I);
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateShuffleVector(getShadow(&I, 0), getShadow(&I, 1),
                                          I.getOperand(2), "_msprop"));
    setOriginForNaryOp(I);
  }

  // Casts.
  void visitSExtInst(SExtInst &I) {
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateSExt(getShadow(&I, 0), I.getType(), "_msprop"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitZExtInst(ZExtInst &I) {
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateZExt(getShadow(&I, 0), I.getType(), "_msprop"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitTruncInst(TruncInst &I) {
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateTrunc(getShadow(&I, 0), I.getType(), "_msprop"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitBitCastInst(BitCastInst &I) {
    // Special case: if this is the bitcast (there is exactly 1 allowed)
    // between a musttail call and a ret, don't instrument. New instructions
    // are not allowed after a musttail call.
    if (auto *CI = dyn_cast<CallInst>(I.getOperand(0)))
      if (CI->isMustTailCall())
        return;
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateBitCast(getShadow(&I, 0), getShadowTy(&I)));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitPtrToIntInst(PtrToIntInst &I) {
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
                                    "_msprop_ptrtoint"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitIntToPtrInst(IntToPtrInst &I) {
    IRBuilder<> IRB(&I);
    setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
                                    "_msprop_inttoptr"));
    setOrigin(&I, getOrigin(&I, 0));
  }

  void visitFPToSIInst(CastInst& I) { handleShadowOr(I); }
  void visitFPToUIInst(CastInst& I) { handleShadowOr(I); }
  void visitSIToFPInst(CastInst& I) { handleShadowOr(I); }
  void visitUIToFPInst(CastInst& I) { handleShadowOr(I); }
  void visitFPExtInst(CastInst& I) { handleShadowOr(I); }
  void visitFPTruncInst(CastInst& I) { handleShadowOr(I); }

  /// \brief Propagate shadow for bitwise AND.
  ///
  /// This code is exact, i.e.
  /// if, for example, a bit in the left argument
  /// is defined and 0, then neither the value nor the definedness of the
  /// corresponding bit in B affects the resulting shadow.
  void visitAnd(BinaryOperator &I) {
    IRBuilder<> IRB(&I);
    //  "And" of 0 and a poisoned value results in unpoisoned value.
    //  1&1 => 1;  0&1 => 0;  p&1 => p;
    //  1&0 => 0;  0&0 => 0;  p&0 => 0;
    //  1&p => p;  0&p => 0;  p&p => p;
    //  S = (S1 & S2) | (V1 & S2) | (S1 & V2)
    Value *S1 = getShadow(&I, 0);
    Value *S2 = getShadow(&I, 1);
    Value *V1 = I.getOperand(0);
    Value *V2 = I.getOperand(1);
    if (V1->getType() != S1->getType()) {
      V1 = IRB.CreateIntCast(V1, S1->getType(), false);
      V2 = IRB.CreateIntCast(V2, S2->getType(), false);
    }
    Value *S1S2 = IRB.CreateAnd(S1, S2);
    Value *V1S2 = IRB.CreateAnd(V1, S2);
    Value *S1V2 = IRB.CreateAnd(S1, V2);
    setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2)));
    setOriginForNaryOp(I);
  }

  void visitOr(BinaryOperator &I) {
    IRBuilder<> IRB(&I);
    //  "Or" of 1 and a poisoned value results in unpoisoned value.
    //  1|1 => 1;  0|1 => 1;  p|1 => 1;
    //  1|0 => 1;  0|0 => 0;  p|0 => p;
    //  1|p => 1;  0|p => p;  p|p => p;
    //  S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2)
    Value *S1 = getShadow(&I, 0);
    Value *S2 = getShadow(&I, 1);
    Value *V1 = IRB.CreateNot(I.getOperand(0));
    Value *V2 = IRB.CreateNot(I.getOperand(1));
    if (V1->getType() != S1->getType()) {
      V1 = IRB.CreateIntCast(V1, S1->getType(), false);
      V2 = IRB.CreateIntCast(V2, S2->getType(), false);
    }
    Value *S1S2 = IRB.CreateAnd(S1, S2);
    Value *V1S2 = IRB.CreateAnd(V1, S2);
    Value *S1V2 = IRB.CreateAnd(S1, V2);
    setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2)));
    setOriginForNaryOp(I);
  }

  /// \brief Default propagation of shadow and/or origin.
  ///
  /// This class implements the general case of shadow propagation, used in all
  /// cases where we don't know and/or don't care about what the operation
  /// actually does. It converts all input shadow values to a common type
  /// (extending or truncating as necessary), and bitwise OR's them.
  ///
  /// This is much cheaper than inserting checks (i.e. requiring inputs to be
  /// fully initialized), and less prone to false positives.
  ///
  /// This class also implements the general case of origin propagation. For a
  /// Nary operation, result origin is set to the origin of an argument that is
  /// not entirely initialized. If there is more than one such argument, the
  /// rightmost of them is picked. It does not matter which one is picked if
  /// all arguments are initialized.
  template <bool CombineShadow>
  class Combiner {
    Value *Shadow;
    Value *Origin;
    IRBuilder<> &IRB;
    MemorySanitizerVisitor *MSV;

   public:
    Combiner(MemorySanitizerVisitor *MSV, IRBuilder<> &IRB) :
      Shadow(nullptr), Origin(nullptr), IRB(IRB), MSV(MSV) {}

    /// \brief Add a pair of shadow and origin values to the mix.
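    ///
    /// Shadows are OR'ed together (after casting to a common type); the
    /// running origin is replaced by OpOrigin whenever OpShadow is non-zero,
    /// which implements the "rightmost dirty argument wins" rule described
    /// above.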
1484 Combiner &Add(Value *OpShadow, Value *OpOrigin) { 1485 if (CombineShadow) { 1486 assert(OpShadow); 1487 if (!Shadow) 1488 Shadow = OpShadow; 1489 else { 1490 OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType()); 1491 Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop"); 1492 } 1493 } 1494 1495 if (MSV->MS.TrackOrigins) { 1496 assert(OpOrigin); 1497 if (!Origin) { 1498 Origin = OpOrigin; 1499 } else { 1500 Constant *ConstOrigin = dyn_cast<Constant>(OpOrigin); 1501 // No point in adding something that might result in 0 origin value. 1502 if (!ConstOrigin || !ConstOrigin->isNullValue()) { 1503 Value *FlatShadow = MSV->convertToShadowTyNoVec(OpShadow, IRB); 1504 Value *Cond = 1505 IRB.CreateICmpNE(FlatShadow, MSV->getCleanShadow(FlatShadow)); 1506 Origin = IRB.CreateSelect(Cond, OpOrigin, Origin); 1507 } 1508 } 1509 } 1510 return *this; 1511 } 1512 1513 /// \brief Add an application value to the mix. 1514 Combiner &Add(Value *V) { 1515 Value *OpShadow = MSV->getShadow(V); 1516 Value *OpOrigin = MSV->MS.TrackOrigins ? MSV->getOrigin(V) : nullptr; 1517 return Add(OpShadow, OpOrigin); 1518 } 1519 1520 /// \brief Set the current combined values as the given instruction's shadow 1521 /// and origin. 1522 void Done(Instruction *I) { 1523 if (CombineShadow) { 1524 assert(Shadow); 1525 Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I)); 1526 MSV->setShadow(I, Shadow); 1527 } 1528 if (MSV->MS.TrackOrigins) { 1529 assert(Origin); 1530 MSV->setOrigin(I, Origin); 1531 } 1532 } 1533 }; 1534 1535 typedef Combiner<true> ShadowAndOriginCombiner; 1536 typedef Combiner<false> OriginCombiner; 1537 1538 /// \brief Propagate origin for arbitrary operation. 1539 void setOriginForNaryOp(Instruction &I) { 1540 if (!MS.TrackOrigins) return; 1541 IRBuilder<> IRB(&I); 1542 OriginCombiner OC(this, IRB); 1543 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI) 1544 OC.Add(OI->get()); 1545 OC.Done(&I); 1546 } 1547 1548 size_t VectorOrPrimitiveTypeSizeInBits(Type *Ty) { 1549 assert(!(Ty->isVectorTy() && Ty->getScalarType()->isPointerTy()) && 1550 "Vector of pointers is not a valid shadow type"); 1551 return Ty->isVectorTy() ? 1552 Ty->getVectorNumElements() * Ty->getScalarSizeInBits() : 1553 Ty->getPrimitiveSizeInBits(); 1554 } 1555 1556 /// \brief Cast between two shadow types, extending or truncating as 1557 /// necessary. 1558 Value *CreateShadowCast(IRBuilder<> &IRB, Value *V, Type *dstTy, 1559 bool Signed = false) { 1560 Type *srcTy = V->getType(); 1561 if (dstTy->isIntegerTy() && srcTy->isIntegerTy()) 1562 return IRB.CreateIntCast(V, dstTy, Signed); 1563 if (dstTy->isVectorTy() && srcTy->isVectorTy() && 1564 dstTy->getVectorNumElements() == srcTy->getVectorNumElements()) 1565 return IRB.CreateIntCast(V, dstTy, Signed); 1566 size_t srcSizeInBits = VectorOrPrimitiveTypeSizeInBits(srcTy); 1567 size_t dstSizeInBits = VectorOrPrimitiveTypeSizeInBits(dstTy); 1568 Value *V1 = IRB.CreateBitCast(V, Type::getIntNTy(*MS.C, srcSizeInBits)); 1569 Value *V2 = 1570 IRB.CreateIntCast(V1, Type::getIntNTy(*MS.C, dstSizeInBits), Signed); 1571 return IRB.CreateBitCast(V2, dstTy); 1572 // TODO: handle struct types. 1573 } 1574 1575 /// \brief Cast an application value to the type of its own shadow. 
1576 Value *CreateAppToShadowCast(IRBuilder<> &IRB, Value *V) { 1577 Type *ShadowTy = getShadowTy(V); 1578 if (V->getType() == ShadowTy) 1579 return V; 1580 if (V->getType()->isPtrOrPtrVectorTy()) 1581 return IRB.CreatePtrToInt(V, ShadowTy); 1582 else 1583 return IRB.CreateBitCast(V, ShadowTy); 1584 } 1585 1586 /// \brief Propagate shadow for arbitrary operation. 1587 void handleShadowOr(Instruction &I) { 1588 IRBuilder<> IRB(&I); 1589 ShadowAndOriginCombiner SC(this, IRB); 1590 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI) 1591 SC.Add(OI->get()); 1592 SC.Done(&I); 1593 } 1594 1595 // \brief Handle multiplication by constant. 1596 // 1597 // Handle a special case of multiplication by constant that may have one or 1598 // more zeros in the lower bits. This makes corresponding number of lower bits 1599 // of the result zero as well. We model it by shifting the other operand 1600 // shadow left by the required number of bits. Effectively, we transform 1601 // (X * (A * 2**B)) to ((X << B) * A) and instrument (X << B) as (Sx << B). 1602 // We use multiplication by 2**N instead of shift to cover the case of 1603 // multiplication by 0, which may occur in some elements of a vector operand. 1604 void handleMulByConstant(BinaryOperator &I, Constant *ConstArg, 1605 Value *OtherArg) { 1606 Constant *ShadowMul; 1607 Type *Ty = ConstArg->getType(); 1608 if (Ty->isVectorTy()) { 1609 unsigned NumElements = Ty->getVectorNumElements(); 1610 Type *EltTy = Ty->getSequentialElementType(); 1611 SmallVector<Constant *, 16> Elements; 1612 for (unsigned Idx = 0; Idx < NumElements; ++Idx) { 1613 ConstantInt *Elt = 1614 dyn_cast<ConstantInt>(ConstArg->getAggregateElement(Idx)); 1615 APInt V = Elt->getValue(); 1616 APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros(); 1617 Elements.push_back(ConstantInt::get(EltTy, V2)); 1618 } 1619 ShadowMul = ConstantVector::get(Elements); 1620 } else { 1621 ConstantInt *Elt = dyn_cast<ConstantInt>(ConstArg); 1622 APInt V = Elt->getValue(); 1623 APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros(); 1624 ShadowMul = ConstantInt::get(Elt->getType(), V2); 1625 } 1626 1627 IRBuilder<> IRB(&I); 1628 setShadow(&I, 1629 IRB.CreateMul(getShadow(OtherArg), ShadowMul, "msprop_mul_cst")); 1630 setOrigin(&I, getOrigin(OtherArg)); 1631 } 1632 1633 void visitMul(BinaryOperator &I) { 1634 Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0)); 1635 Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1)); 1636 if (constOp0 && !constOp1) 1637 handleMulByConstant(I, constOp0, I.getOperand(1)); 1638 else if (constOp1 && !constOp0) 1639 handleMulByConstant(I, constOp1, I.getOperand(0)); 1640 else 1641 handleShadowOr(I); 1642 } 1643 1644 void visitFAdd(BinaryOperator &I) { handleShadowOr(I); } 1645 void visitFSub(BinaryOperator &I) { handleShadowOr(I); } 1646 void visitFMul(BinaryOperator &I) { handleShadowOr(I); } 1647 void visitAdd(BinaryOperator &I) { handleShadowOr(I); } 1648 void visitSub(BinaryOperator &I) { handleShadowOr(I); } 1649 void visitXor(BinaryOperator &I) { handleShadowOr(I); } 1650 1651 void handleDiv(Instruction &I) { 1652 IRBuilder<> IRB(&I); 1653 // Strict on the second argument. 
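    // Division is "strict" on the divisor: an uninitialized divisor can
    // change the result in ways that are impractical to model (and integer
    // division can trap), so its shadow is checked and reported here rather
    // than propagated. The dividend's shadow simply flows into the result.
    //
    // Rough sketch of the effect on "%q = udiv i32 %a, %b" (names are
    // illustrative only, not the exact IR emitted):
    //   <warn if shadow(%b) is non-zero>
    //   %q = udiv i32 %a, %b        ; and shadow(%q) = shadow(%a)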
1654 insertShadowCheck(I.getOperand(1), &I); 1655 setShadow(&I, getShadow(&I, 0)); 1656 setOrigin(&I, getOrigin(&I, 0)); 1657 } 1658 1659 void visitUDiv(BinaryOperator &I) { handleDiv(I); } 1660 void visitSDiv(BinaryOperator &I) { handleDiv(I); } 1661 void visitFDiv(BinaryOperator &I) { handleDiv(I); } 1662 void visitURem(BinaryOperator &I) { handleDiv(I); } 1663 void visitSRem(BinaryOperator &I) { handleDiv(I); } 1664 void visitFRem(BinaryOperator &I) { handleDiv(I); } 1665 1666 /// \brief Instrument == and != comparisons. 1667 /// 1668 /// Sometimes the comparison result is known even if some of the bits of the 1669 /// arguments are not. 1670 void handleEqualityComparison(ICmpInst &I) { 1671 IRBuilder<> IRB(&I); 1672 Value *A = I.getOperand(0); 1673 Value *B = I.getOperand(1); 1674 Value *Sa = getShadow(A); 1675 Value *Sb = getShadow(B); 1676 1677 // Get rid of pointers and vectors of pointers. 1678 // For ints (and vectors of ints), types of A and Sa match, 1679 // and this is a no-op. 1680 A = IRB.CreatePointerCast(A, Sa->getType()); 1681 B = IRB.CreatePointerCast(B, Sb->getType()); 1682 1683 // A == B <==> (C = A^B) == 0 1684 // A != B <==> (C = A^B) != 0 1685 // Sc = Sa | Sb 1686 Value *C = IRB.CreateXor(A, B); 1687 Value *Sc = IRB.CreateOr(Sa, Sb); 1688 // Now dealing with i = (C == 0) comparison (or C != 0, does not matter now) 1689 // Result is defined if one of the following is true 1690 // * there is a defined 1 bit in C 1691 // * C is fully defined 1692 // Si = !(C & ~Sc) && Sc 1693 Value *Zero = Constant::getNullValue(Sc->getType()); 1694 Value *MinusOne = Constant::getAllOnesValue(Sc->getType()); 1695 Value *Si = 1696 IRB.CreateAnd(IRB.CreateICmpNE(Sc, Zero), 1697 IRB.CreateICmpEQ( 1698 IRB.CreateAnd(IRB.CreateXor(Sc, MinusOne), C), Zero)); 1699 Si->setName("_msprop_icmp"); 1700 setShadow(&I, Si); 1701 setOriginForNaryOp(I); 1702 } 1703 1704 /// \brief Build the lowest possible value of V, taking into account V's 1705 /// uninitialized bits. 1706 Value *getLowestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa, 1707 bool isSigned) { 1708 if (isSigned) { 1709 // Split shadow into sign bit and other bits. 1710 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1); 1711 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits); 1712 // Maximise the undefined shadow bit, minimize other undefined bits. 1713 return 1714 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaOtherBits)), SaSignBit); 1715 } else { 1716 // Minimize undefined bits. 1717 return IRB.CreateAnd(A, IRB.CreateNot(Sa)); 1718 } 1719 } 1720 1721 /// \brief Build the highest possible value of V, taking into account V's 1722 /// uninitialized bits. 1723 Value *getHighestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa, 1724 bool isSigned) { 1725 if (isSigned) { 1726 // Split shadow into sign bit and other bits. 1727 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1); 1728 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits); 1729 // Minimise the undefined shadow bit, maximise other undefined bits. 1730 return 1731 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaSignBit)), SaOtherBits); 1732 } else { 1733 // Maximize undefined bits. 1734 return IRB.CreateOr(A, Sa); 1735 } 1736 } 1737 1738 /// \brief Instrument relational comparisons. 1739 /// 1740 /// This function does exact shadow propagation for all relational 1741 /// comparisons of integers, pointers and vectors of those. 
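  /// The intuition for the unsigned case: given shadow Sa, the value A can be
  /// anything in the interval [A & ~Sa, A | Sa]. The comparison is defined
  /// exactly when it evaluates the same way at the extreme points of both
  /// intervals. Illustrative example (not exhaustive): if A = 0b10?? (the low
  /// two bits unknown), then A lies in [0b1000, 0b1011], so "A <u 0b0100" is
  /// false regardless of the poisoned bits, while "A <u 0b1010" is not known.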
1742 /// FIXME: output seems suboptimal when one of the operands is a constant 1743 void handleRelationalComparisonExact(ICmpInst &I) { 1744 IRBuilder<> IRB(&I); 1745 Value *A = I.getOperand(0); 1746 Value *B = I.getOperand(1); 1747 Value *Sa = getShadow(A); 1748 Value *Sb = getShadow(B); 1749 1750 // Get rid of pointers and vectors of pointers. 1751 // For ints (and vectors of ints), types of A and Sa match, 1752 // and this is a no-op. 1753 A = IRB.CreatePointerCast(A, Sa->getType()); 1754 B = IRB.CreatePointerCast(B, Sb->getType()); 1755 1756 // Let [a0, a1] be the interval of possible values of A, taking into account 1757 // its undefined bits. Let [b0, b1] be the interval of possible values of B. 1758 // Then (A cmp B) is defined iff (a0 cmp b1) == (a1 cmp b0). 1759 bool IsSigned = I.isSigned(); 1760 Value *S1 = IRB.CreateICmp(I.getPredicate(), 1761 getLowestPossibleValue(IRB, A, Sa, IsSigned), 1762 getHighestPossibleValue(IRB, B, Sb, IsSigned)); 1763 Value *S2 = IRB.CreateICmp(I.getPredicate(), 1764 getHighestPossibleValue(IRB, A, Sa, IsSigned), 1765 getLowestPossibleValue(IRB, B, Sb, IsSigned)); 1766 Value *Si = IRB.CreateXor(S1, S2); 1767 setShadow(&I, Si); 1768 setOriginForNaryOp(I); 1769 } 1770 1771 /// \brief Instrument signed relational comparisons. 1772 /// 1773 /// Handle sign bit tests: x<0, x>=0, x<=-1, x>-1 by propagating the highest 1774 /// bit of the shadow. Everything else is delegated to handleShadowOr(). 1775 void handleSignedRelationalComparison(ICmpInst &I) { 1776 Constant *constOp; 1777 Value *op = nullptr; 1778 CmpInst::Predicate pre; 1779 if ((constOp = dyn_cast<Constant>(I.getOperand(1)))) { 1780 op = I.getOperand(0); 1781 pre = I.getPredicate(); 1782 } else if ((constOp = dyn_cast<Constant>(I.getOperand(0)))) { 1783 op = I.getOperand(1); 1784 pre = I.getSwappedPredicate(); 1785 } else { 1786 handleShadowOr(I); 1787 return; 1788 } 1789 1790 if ((constOp->isNullValue() && 1791 (pre == CmpInst::ICMP_SLT || pre == CmpInst::ICMP_SGE)) || 1792 (constOp->isAllOnesValue() && 1793 (pre == CmpInst::ICMP_SGT || pre == CmpInst::ICMP_SLE))) { 1794 IRBuilder<> IRB(&I); 1795 Value *Shadow = IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op), 1796 "_msprop_icmp_s"); 1797 setShadow(&I, Shadow); 1798 setOrigin(&I, getOrigin(op)); 1799 } else { 1800 handleShadowOr(I); 1801 } 1802 } 1803 1804 void visitICmpInst(ICmpInst &I) { 1805 if (!ClHandleICmp) { 1806 handleShadowOr(I); 1807 return; 1808 } 1809 if (I.isEquality()) { 1810 handleEqualityComparison(I); 1811 return; 1812 } 1813 1814 assert(I.isRelational()); 1815 if (ClHandleICmpExact) { 1816 handleRelationalComparisonExact(I); 1817 return; 1818 } 1819 if (I.isSigned()) { 1820 handleSignedRelationalComparison(I); 1821 return; 1822 } 1823 1824 assert(I.isUnsigned()); 1825 if ((isa<Constant>(I.getOperand(0)) || isa<Constant>(I.getOperand(1)))) { 1826 handleRelationalComparisonExact(I); 1827 return; 1828 } 1829 1830 handleShadowOr(I); 1831 } 1832 1833 void visitFCmpInst(FCmpInst &I) { 1834 handleShadowOr(I); 1835 } 1836 1837 void handleShift(BinaryOperator &I) { 1838 IRBuilder<> IRB(&I); 1839 // If any of the S2 bits are poisoned, the whole thing is poisoned. 1840 // Otherwise perform the same shift on S1. 
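    // Rough sketch of the emitted IR for "%r = shl i32 %a, %b" (value names
    // are illustrative only):
    //   %s2_ne  = icmp ne i32 shadow(%b), 0
    //   %s2_all = sext i1 %s2_ne to i32     ; all-ones if %b is at all poisoned
    //   %s1_shf = shl i32 shadow(%a), %b    ; shift the shadow like the value
    //   shadow(%r) = or i32 %s1_shf, %s2_all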
    Value *S1 = getShadow(&I, 0);
    Value *S2 = getShadow(&I, 1);
    Value *S2Conv = IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)),
                                   S2->getType());
    Value *V2 = I.getOperand(1);
    Value *Shift = IRB.CreateBinOp(I.getOpcode(), S1, V2);
    setShadow(&I, IRB.CreateOr(Shift, S2Conv));
    setOriginForNaryOp(I);
  }

  void visitShl(BinaryOperator &I) { handleShift(I); }
  void visitAShr(BinaryOperator &I) { handleShift(I); }
  void visitLShr(BinaryOperator &I) { handleShift(I); }

  /// \brief Instrument llvm.memmove.
  ///
  /// At this point we don't know if llvm.memmove will be inlined or not.
  /// If we don't instrument it and it gets inlined,
  /// our interceptor will not kick in and we will lose the memmove.
  /// If we instrument the call here, but it does not get inlined,
  /// we will memmove the shadow twice, which is bad in the case
  /// of overlapping regions. So, we simply lower the intrinsic to a call.
  ///
  /// A similar situation exists for memcpy and memset.
  void visitMemMoveInst(MemMoveInst &I) {
    IRBuilder<> IRB(&I);
    IRB.CreateCall(
        MS.MemmoveFn,
        {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
         IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
         IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
    I.eraseFromParent();
  }

  // Similar to memmove: avoid copying shadow twice.
  // This is somewhat unfortunate as it may slow down small constant memcpys.
  // FIXME: consider doing a manual inline for small constant sizes and proper
  // alignment.
  void visitMemCpyInst(MemCpyInst &I) {
    IRBuilder<> IRB(&I);
    IRB.CreateCall(
        MS.MemcpyFn,
        {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
         IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
         IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
    I.eraseFromParent();
  }

  // Same as memcpy.
  void visitMemSetInst(MemSetInst &I) {
    IRBuilder<> IRB(&I);
    IRB.CreateCall(
        MS.MemsetFn,
        {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
         IRB.CreateIntCast(I.getArgOperand(1), IRB.getInt32Ty(), false),
         IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
    I.eraseFromParent();
  }

  void visitVAStartInst(VAStartInst &I) {
    VAHelper->visitVAStartInst(I);
  }

  void visitVACopyInst(VACopyInst &I) {
    VAHelper->visitVACopyInst(I);
  }

  enum IntrinsicKind {
    IK_DoesNotAccessMemory,
    IK_OnlyReadsMemory,
    IK_WritesMemory
  };

  static IntrinsicKind getIntrinsicKind(Intrinsic::ID iid) {
    const int FMRB_DoesNotAccessMemory = IK_DoesNotAccessMemory;
    const int FMRB_OnlyReadsArgumentPointees = IK_OnlyReadsMemory;
    const int FMRB_OnlyReadsMemory = IK_OnlyReadsMemory;
    const int FMRB_OnlyAccessesArgumentPointees = IK_WritesMemory;
    const int FMRB_UnknownModRefBehavior = IK_WritesMemory;
#define GET_INTRINSIC_MODREF_BEHAVIOR
#define FunctionModRefBehavior IntrinsicKind
#include "llvm/IR/Intrinsics.gen"
#undef FunctionModRefBehavior
#undef GET_INTRINSIC_MODREF_BEHAVIOR
  }

  /// \brief Handle vector store-like intrinsics.
  ///
  /// Instrument intrinsics that look like a simple SIMD store: writes memory,
  /// has 1 pointer argument and 1 vector argument, returns void.
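  ///
  /// Conceptually, for a call of the shape (the intrinsic name below is just
  /// a placeholder, not an actual LLVM intrinsic):
  ///   call void @llvm.some.simd.store(i8* %p, <4 x i32> %v)
  /// the shadow of %v is stored to the shadow of *%p, and, with origin
  /// tracking enabled, the origin of %v is stored to the origin slot of *%p.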
  bool handleVectorStoreIntrinsic(IntrinsicInst &I) {
    IRBuilder<> IRB(&I);
    Value *Addr = I.getArgOperand(0);
    Value *Shadow = getShadow(&I, 1);
    Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB);

    // We don't know the pointer alignment (could be unaligned SSE store!).
    // We have to assume the worst case.
    IRB.CreateAlignedStore(Shadow, ShadowPtr, 1);

    if (ClCheckAccessAddress)
      insertShadowCheck(Addr, &I);

    // FIXME: use ClStoreCleanOrigin
    // FIXME: factor out common code from materializeStores
    if (MS.TrackOrigins)
      IRB.CreateStore(getOrigin(&I, 1), getOriginPtr(Addr, IRB, 1));
    return true;
  }

  /// \brief Handle vector load-like intrinsics.
  ///
  /// Instrument intrinsics that look like a simple SIMD load: reads memory,
  /// has 1 pointer argument, returns a vector.
  bool handleVectorLoadIntrinsic(IntrinsicInst &I) {
    IRBuilder<> IRB(&I);
    Value *Addr = I.getArgOperand(0);

    Type *ShadowTy = getShadowTy(&I);
    if (PropagateShadow) {
      Value *ShadowPtr = getShadowPtr(Addr, ShadowTy, IRB);
      // We don't know the pointer alignment (could be unaligned SSE load!).
      // We have to assume the worst case.
      setShadow(&I, IRB.CreateAlignedLoad(ShadowPtr, 1, "_msld"));
    } else {
      setShadow(&I, getCleanShadow(&I));
    }

    if (ClCheckAccessAddress)
      insertShadowCheck(Addr, &I);

    if (MS.TrackOrigins) {
      if (PropagateShadow)
        setOrigin(&I, IRB.CreateLoad(getOriginPtr(Addr, IRB, 1)));
      else
        setOrigin(&I, getCleanOrigin());
    }
    return true;
  }

  /// \brief Handle (SIMD arithmetic)-like intrinsics.
  ///
  /// Instrument intrinsics with any number of arguments of the same type,
  /// equal to the return type. The type should be simple (no aggregates or
  /// pointers; vectors are fine).
  /// Caller guarantees that this intrinsic does not access memory.
  bool maybeHandleSimpleNomemIntrinsic(IntrinsicInst &I) {
    Type *RetTy = I.getType();
    if (!(RetTy->isIntOrIntVectorTy() ||
          RetTy->isFPOrFPVectorTy() ||
          RetTy->isX86_MMXTy()))
      return false;

    unsigned NumArgOperands = I.getNumArgOperands();

    for (unsigned i = 0; i < NumArgOperands; ++i) {
      Type *Ty = I.getArgOperand(i)->getType();
      if (Ty != RetTy)
        return false;
    }

    IRBuilder<> IRB(&I);
    ShadowAndOriginCombiner SC(this, IRB);
    for (unsigned i = 0; i < NumArgOperands; ++i)
      SC.Add(I.getArgOperand(i));
    SC.Done(&I);

    return true;
  }

  /// \brief Heuristically instrument unknown intrinsics.
  ///
  /// The main purpose of this code is to do something reasonable with all
  /// random intrinsics we might encounter, most importantly, SIMD intrinsics.
  /// We recognize several classes of intrinsics by their argument types and
  /// ModRefBehavior and apply special instrumentation when we are reasonably
  /// sure that we know what the intrinsic does.
  ///
  /// We special-case intrinsics where this approach fails. See llvm.bswap
  /// handling as an example of that.
  bool handleUnknownIntrinsic(IntrinsicInst &I) {
    unsigned NumArgOperands = I.getNumArgOperands();
    if (NumArgOperands == 0)
      return false;

    Intrinsic::ID iid = I.getIntrinsicID();
    IntrinsicKind IK = getIntrinsicKind(iid);
    bool OnlyReadsMemory = IK == IK_OnlyReadsMemory;
    bool WritesMemory = IK == IK_WritesMemory;
    assert(!(OnlyReadsMemory && WritesMemory));

    if (NumArgOperands == 2 &&
        I.getArgOperand(0)->getType()->isPointerTy() &&
        I.getArgOperand(1)->getType()->isVectorTy() &&
        I.getType()->isVoidTy() &&
        WritesMemory) {
      // This looks like a vector store.
      return handleVectorStoreIntrinsic(I);
    }

    if (NumArgOperands == 1 &&
        I.getArgOperand(0)->getType()->isPointerTy() &&
        I.getType()->isVectorTy() &&
        OnlyReadsMemory) {
      // This looks like a vector load.
      return handleVectorLoadIntrinsic(I);
    }

    if (!OnlyReadsMemory && !WritesMemory)
      if (maybeHandleSimpleNomemIntrinsic(I))
        return true;

    // FIXME: detect and handle SSE maskstore/maskload
    return false;
  }

  void handleBswap(IntrinsicInst &I) {
    IRBuilder<> IRB(&I);
    Value *Op = I.getArgOperand(0);
    Type *OpType = Op->getType();
    Function *BswapFunc = Intrinsic::getDeclaration(
        F.getParent(), Intrinsic::bswap, makeArrayRef(&OpType, 1));
    setShadow(&I, IRB.CreateCall(BswapFunc, getShadow(Op)));
    setOrigin(&I, getOrigin(Op));
  }

  // \brief Instrument vector convert intrinsic.
  //
  // This function instruments intrinsics like cvtsi2ss:
  // %Out = int_xxx_cvtyyy(%ConvertOp)
  // or
  // %Out = int_xxx_cvtyyy(%CopyOp, %ConvertOp)
  // The intrinsic converts \p NumUsedElements elements of \p ConvertOp to the
  // same number of \p Out elements, and (if it has 2 arguments) copies the
  // rest of the elements from \p CopyOp.
  // In most cases the conversion involves a floating-point value, which may
  // trigger a hardware exception when not fully initialized. For this reason
  // we require \p ConvertOp[0:NumUsedElements] to be fully initialized and
  // trap otherwise.
  // We copy the shadow of \p CopyOp[NumUsedElements:] to \p
  // Out[NumUsedElements:]. This means that intrinsics without \p CopyOp always
  // return a fully initialized value.
  void handleVectorConvertIntrinsic(IntrinsicInst &I, int NumUsedElements) {
    IRBuilder<> IRB(&I);
    Value *CopyOp, *ConvertOp;

    switch (I.getNumArgOperands()) {
    case 3:
      assert(isa<ConstantInt>(I.getArgOperand(2)) && "Invalid rounding mode");
    case 2:
      CopyOp = I.getArgOperand(0);
      ConvertOp = I.getArgOperand(1);
      break;
    case 1:
      ConvertOp = I.getArgOperand(0);
      CopyOp = nullptr;
      break;
    default:
      llvm_unreachable("Cvt intrinsic with unsupported number of arguments.");
    }

    // The first *NumUsedElements* elements of ConvertOp are converted to the
    // same number of output elements. The rest of the output is copied from
    // CopyOp, or (if not available) filled with zeroes.
    // Combine shadow for elements of ConvertOp that are used in this
    // operation, and insert a check.
    // FIXME: consider propagating shadow of ConvertOp, at least in the case of
    // int->any conversion.
2108 Value *ConvertShadow = getShadow(ConvertOp); 2109 Value *AggShadow = nullptr; 2110 if (ConvertOp->getType()->isVectorTy()) { 2111 AggShadow = IRB.CreateExtractElement( 2112 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), 0)); 2113 for (int i = 1; i < NumUsedElements; ++i) { 2114 Value *MoreShadow = IRB.CreateExtractElement( 2115 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), i)); 2116 AggShadow = IRB.CreateOr(AggShadow, MoreShadow); 2117 } 2118 } else { 2119 AggShadow = ConvertShadow; 2120 } 2121 assert(AggShadow->getType()->isIntegerTy()); 2122 insertShadowCheck(AggShadow, getOrigin(ConvertOp), &I); 2123 2124 // Build result shadow by zero-filling parts of CopyOp shadow that come from 2125 // ConvertOp. 2126 if (CopyOp) { 2127 assert(CopyOp->getType() == I.getType()); 2128 assert(CopyOp->getType()->isVectorTy()); 2129 Value *ResultShadow = getShadow(CopyOp); 2130 Type *EltTy = ResultShadow->getType()->getVectorElementType(); 2131 for (int i = 0; i < NumUsedElements; ++i) { 2132 ResultShadow = IRB.CreateInsertElement( 2133 ResultShadow, ConstantInt::getNullValue(EltTy), 2134 ConstantInt::get(IRB.getInt32Ty(), i)); 2135 } 2136 setShadow(&I, ResultShadow); 2137 setOrigin(&I, getOrigin(CopyOp)); 2138 } else { 2139 setShadow(&I, getCleanShadow(&I)); 2140 setOrigin(&I, getCleanOrigin()); 2141 } 2142 } 2143 2144 // Given a scalar or vector, extract lower 64 bits (or less), and return all 2145 // zeroes if it is zero, and all ones otherwise. 2146 Value *Lower64ShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) { 2147 if (S->getType()->isVectorTy()) 2148 S = CreateShadowCast(IRB, S, IRB.getInt64Ty(), /* Signed */ true); 2149 assert(S->getType()->getPrimitiveSizeInBits() <= 64); 2150 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S)); 2151 return CreateShadowCast(IRB, S2, T, /* Signed */ true); 2152 } 2153 2154 Value *VariableShadowExtend(IRBuilder<> &IRB, Value *S) { 2155 Type *T = S->getType(); 2156 assert(T->isVectorTy()); 2157 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S)); 2158 return IRB.CreateSExt(S2, T); 2159 } 2160 2161 // \brief Instrument vector shift instrinsic. 2162 // 2163 // This function instruments intrinsics like int_x86_avx2_psll_w. 2164 // Intrinsic shifts %In by %ShiftSize bits. 2165 // %ShiftSize may be a vector. In that case the lower 64 bits determine shift 2166 // size, and the rest is ignored. Behavior is defined even if shift size is 2167 // greater than register (or field) width. 2168 void handleVectorShiftIntrinsic(IntrinsicInst &I, bool Variable) { 2169 assert(I.getNumArgOperands() == 2); 2170 IRBuilder<> IRB(&I); 2171 // If any of the S2 bits are poisoned, the whole thing is poisoned. 2172 // Otherwise perform the same shift on S1. 2173 Value *S1 = getShadow(&I, 0); 2174 Value *S2 = getShadow(&I, 1); 2175 Value *S2Conv = Variable ? VariableShadowExtend(IRB, S2) 2176 : Lower64ShadowExtend(IRB, S2, getShadowTy(&I)); 2177 Value *V1 = I.getOperand(0); 2178 Value *V2 = I.getOperand(1); 2179 Value *Shift = IRB.CreateCall(I.getCalledValue(), 2180 {IRB.CreateBitCast(S1, V1->getType()), V2}); 2181 Shift = IRB.CreateBitCast(Shift, getShadowTy(&I)); 2182 setShadow(&I, IRB.CreateOr(Shift, S2Conv)); 2183 setOriginForNaryOp(I); 2184 } 2185 2186 // \brief Get an X86_MMX-sized vector type. 
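  //
  // For example, getMMXVectorTy(16) yields <4 x i16> and getMMXVectorTy(8)
  // yields <8 x i8>; either way the result covers the 64 bits of an x86_mmx
  // value.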
2187 Type *getMMXVectorTy(unsigned EltSizeInBits) { 2188 const unsigned X86_MMXSizeInBits = 64; 2189 return VectorType::get(IntegerType::get(*MS.C, EltSizeInBits), 2190 X86_MMXSizeInBits / EltSizeInBits); 2191 } 2192 2193 // \brief Returns a signed counterpart for an (un)signed-saturate-and-pack 2194 // intrinsic. 2195 Intrinsic::ID getSignedPackIntrinsic(Intrinsic::ID id) { 2196 switch (id) { 2197 case llvm::Intrinsic::x86_sse2_packsswb_128: 2198 case llvm::Intrinsic::x86_sse2_packuswb_128: 2199 return llvm::Intrinsic::x86_sse2_packsswb_128; 2200 2201 case llvm::Intrinsic::x86_sse2_packssdw_128: 2202 case llvm::Intrinsic::x86_sse41_packusdw: 2203 return llvm::Intrinsic::x86_sse2_packssdw_128; 2204 2205 case llvm::Intrinsic::x86_avx2_packsswb: 2206 case llvm::Intrinsic::x86_avx2_packuswb: 2207 return llvm::Intrinsic::x86_avx2_packsswb; 2208 2209 case llvm::Intrinsic::x86_avx2_packssdw: 2210 case llvm::Intrinsic::x86_avx2_packusdw: 2211 return llvm::Intrinsic::x86_avx2_packssdw; 2212 2213 case llvm::Intrinsic::x86_mmx_packsswb: 2214 case llvm::Intrinsic::x86_mmx_packuswb: 2215 return llvm::Intrinsic::x86_mmx_packsswb; 2216 2217 case llvm::Intrinsic::x86_mmx_packssdw: 2218 return llvm::Intrinsic::x86_mmx_packssdw; 2219 default: 2220 llvm_unreachable("unexpected intrinsic id"); 2221 } 2222 } 2223 2224 // \brief Instrument vector pack instrinsic. 2225 // 2226 // This function instruments intrinsics like x86_mmx_packsswb, that 2227 // packs elements of 2 input vectors into half as many bits with saturation. 2228 // Shadow is propagated with the signed variant of the same intrinsic applied 2229 // to sext(Sa != zeroinitializer), sext(Sb != zeroinitializer). 2230 // EltSizeInBits is used only for x86mmx arguments. 2231 void handleVectorPackIntrinsic(IntrinsicInst &I, unsigned EltSizeInBits = 0) { 2232 assert(I.getNumArgOperands() == 2); 2233 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy(); 2234 IRBuilder<> IRB(&I); 2235 Value *S1 = getShadow(&I, 0); 2236 Value *S2 = getShadow(&I, 1); 2237 assert(isX86_MMX || S1->getType()->isVectorTy()); 2238 2239 // SExt and ICmpNE below must apply to individual elements of input vectors. 2240 // In case of x86mmx arguments, cast them to appropriate vector types and 2241 // back. 2242 Type *T = isX86_MMX ? getMMXVectorTy(EltSizeInBits) : S1->getType(); 2243 if (isX86_MMX) { 2244 S1 = IRB.CreateBitCast(S1, T); 2245 S2 = IRB.CreateBitCast(S2, T); 2246 } 2247 Value *S1_ext = IRB.CreateSExt( 2248 IRB.CreateICmpNE(S1, llvm::Constant::getNullValue(T)), T); 2249 Value *S2_ext = IRB.CreateSExt( 2250 IRB.CreateICmpNE(S2, llvm::Constant::getNullValue(T)), T); 2251 if (isX86_MMX) { 2252 Type *X86_MMXTy = Type::getX86_MMXTy(*MS.C); 2253 S1_ext = IRB.CreateBitCast(S1_ext, X86_MMXTy); 2254 S2_ext = IRB.CreateBitCast(S2_ext, X86_MMXTy); 2255 } 2256 2257 Function *ShadowFn = Intrinsic::getDeclaration( 2258 F.getParent(), getSignedPackIntrinsic(I.getIntrinsicID())); 2259 2260 Value *S = 2261 IRB.CreateCall(ShadowFn, {S1_ext, S2_ext}, "_msprop_vector_pack"); 2262 if (isX86_MMX) S = IRB.CreateBitCast(S, getShadowTy(&I)); 2263 setShadow(&I, S); 2264 setOriginForNaryOp(I); 2265 } 2266 2267 // \brief Instrument sum-of-absolute-differencies intrinsic. 2268 void handleVectorSadIntrinsic(IntrinsicInst &I) { 2269 const unsigned SignificantBitsPerResultElement = 16; 2270 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy(); 2271 Type *ResTy = isX86_MMX ? 
IntegerType::get(*MS.C, 64) : I.getType(); 2272 unsigned ZeroBitsPerResultElement = 2273 ResTy->getScalarSizeInBits() - SignificantBitsPerResultElement; 2274 2275 IRBuilder<> IRB(&I); 2276 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1)); 2277 S = IRB.CreateBitCast(S, ResTy); 2278 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)), 2279 ResTy); 2280 S = IRB.CreateLShr(S, ZeroBitsPerResultElement); 2281 S = IRB.CreateBitCast(S, getShadowTy(&I)); 2282 setShadow(&I, S); 2283 setOriginForNaryOp(I); 2284 } 2285 2286 // \brief Instrument multiply-add intrinsic. 2287 void handleVectorPmaddIntrinsic(IntrinsicInst &I, 2288 unsigned EltSizeInBits = 0) { 2289 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy(); 2290 Type *ResTy = isX86_MMX ? getMMXVectorTy(EltSizeInBits * 2) : I.getType(); 2291 IRBuilder<> IRB(&I); 2292 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1)); 2293 S = IRB.CreateBitCast(S, ResTy); 2294 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)), 2295 ResTy); 2296 S = IRB.CreateBitCast(S, getShadowTy(&I)); 2297 setShadow(&I, S); 2298 setOriginForNaryOp(I); 2299 } 2300 2301 void visitIntrinsicInst(IntrinsicInst &I) { 2302 switch (I.getIntrinsicID()) { 2303 case llvm::Intrinsic::bswap: 2304 handleBswap(I); 2305 break; 2306 case llvm::Intrinsic::x86_avx512_cvtsd2usi64: 2307 case llvm::Intrinsic::x86_avx512_cvtsd2usi: 2308 case llvm::Intrinsic::x86_avx512_cvtss2usi64: 2309 case llvm::Intrinsic::x86_avx512_cvtss2usi: 2310 case llvm::Intrinsic::x86_avx512_cvttss2usi64: 2311 case llvm::Intrinsic::x86_avx512_cvttss2usi: 2312 case llvm::Intrinsic::x86_avx512_cvttsd2usi64: 2313 case llvm::Intrinsic::x86_avx512_cvttsd2usi: 2314 case llvm::Intrinsic::x86_avx512_cvtusi2sd: 2315 case llvm::Intrinsic::x86_avx512_cvtusi2ss: 2316 case llvm::Intrinsic::x86_avx512_cvtusi642sd: 2317 case llvm::Intrinsic::x86_avx512_cvtusi642ss: 2318 case llvm::Intrinsic::x86_sse2_cvtsd2si64: 2319 case llvm::Intrinsic::x86_sse2_cvtsd2si: 2320 case llvm::Intrinsic::x86_sse2_cvtsd2ss: 2321 case llvm::Intrinsic::x86_sse2_cvtsi2sd: 2322 case llvm::Intrinsic::x86_sse2_cvtsi642sd: 2323 case llvm::Intrinsic::x86_sse2_cvtss2sd: 2324 case llvm::Intrinsic::x86_sse2_cvttsd2si64: 2325 case llvm::Intrinsic::x86_sse2_cvttsd2si: 2326 case llvm::Intrinsic::x86_sse_cvtsi2ss: 2327 case llvm::Intrinsic::x86_sse_cvtsi642ss: 2328 case llvm::Intrinsic::x86_sse_cvtss2si64: 2329 case llvm::Intrinsic::x86_sse_cvtss2si: 2330 case llvm::Intrinsic::x86_sse_cvttss2si64: 2331 case llvm::Intrinsic::x86_sse_cvttss2si: 2332 handleVectorConvertIntrinsic(I, 1); 2333 break; 2334 case llvm::Intrinsic::x86_sse2_cvtdq2pd: 2335 case llvm::Intrinsic::x86_sse2_cvtps2pd: 2336 case llvm::Intrinsic::x86_sse_cvtps2pi: 2337 case llvm::Intrinsic::x86_sse_cvttps2pi: 2338 handleVectorConvertIntrinsic(I, 2); 2339 break; 2340 case llvm::Intrinsic::x86_avx2_psll_w: 2341 case llvm::Intrinsic::x86_avx2_psll_d: 2342 case llvm::Intrinsic::x86_avx2_psll_q: 2343 case llvm::Intrinsic::x86_avx2_pslli_w: 2344 case llvm::Intrinsic::x86_avx2_pslli_d: 2345 case llvm::Intrinsic::x86_avx2_pslli_q: 2346 case llvm::Intrinsic::x86_avx2_psrl_w: 2347 case llvm::Intrinsic::x86_avx2_psrl_d: 2348 case llvm::Intrinsic::x86_avx2_psrl_q: 2349 case llvm::Intrinsic::x86_avx2_psra_w: 2350 case llvm::Intrinsic::x86_avx2_psra_d: 2351 case llvm::Intrinsic::x86_avx2_psrli_w: 2352 case llvm::Intrinsic::x86_avx2_psrli_d: 2353 case llvm::Intrinsic::x86_avx2_psrli_q: 2354 case llvm::Intrinsic::x86_avx2_psrai_w: 2355 case 
llvm::Intrinsic::x86_avx2_psrai_d: 2356 case llvm::Intrinsic::x86_sse2_psll_w: 2357 case llvm::Intrinsic::x86_sse2_psll_d: 2358 case llvm::Intrinsic::x86_sse2_psll_q: 2359 case llvm::Intrinsic::x86_sse2_pslli_w: 2360 case llvm::Intrinsic::x86_sse2_pslli_d: 2361 case llvm::Intrinsic::x86_sse2_pslli_q: 2362 case llvm::Intrinsic::x86_sse2_psrl_w: 2363 case llvm::Intrinsic::x86_sse2_psrl_d: 2364 case llvm::Intrinsic::x86_sse2_psrl_q: 2365 case llvm::Intrinsic::x86_sse2_psra_w: 2366 case llvm::Intrinsic::x86_sse2_psra_d: 2367 case llvm::Intrinsic::x86_sse2_psrli_w: 2368 case llvm::Intrinsic::x86_sse2_psrli_d: 2369 case llvm::Intrinsic::x86_sse2_psrli_q: 2370 case llvm::Intrinsic::x86_sse2_psrai_w: 2371 case llvm::Intrinsic::x86_sse2_psrai_d: 2372 case llvm::Intrinsic::x86_mmx_psll_w: 2373 case llvm::Intrinsic::x86_mmx_psll_d: 2374 case llvm::Intrinsic::x86_mmx_psll_q: 2375 case llvm::Intrinsic::x86_mmx_pslli_w: 2376 case llvm::Intrinsic::x86_mmx_pslli_d: 2377 case llvm::Intrinsic::x86_mmx_pslli_q: 2378 case llvm::Intrinsic::x86_mmx_psrl_w: 2379 case llvm::Intrinsic::x86_mmx_psrl_d: 2380 case llvm::Intrinsic::x86_mmx_psrl_q: 2381 case llvm::Intrinsic::x86_mmx_psra_w: 2382 case llvm::Intrinsic::x86_mmx_psra_d: 2383 case llvm::Intrinsic::x86_mmx_psrli_w: 2384 case llvm::Intrinsic::x86_mmx_psrli_d: 2385 case llvm::Intrinsic::x86_mmx_psrli_q: 2386 case llvm::Intrinsic::x86_mmx_psrai_w: 2387 case llvm::Intrinsic::x86_mmx_psrai_d: 2388 handleVectorShiftIntrinsic(I, /* Variable */ false); 2389 break; 2390 case llvm::Intrinsic::x86_avx2_psllv_d: 2391 case llvm::Intrinsic::x86_avx2_psllv_d_256: 2392 case llvm::Intrinsic::x86_avx2_psllv_q: 2393 case llvm::Intrinsic::x86_avx2_psllv_q_256: 2394 case llvm::Intrinsic::x86_avx2_psrlv_d: 2395 case llvm::Intrinsic::x86_avx2_psrlv_d_256: 2396 case llvm::Intrinsic::x86_avx2_psrlv_q: 2397 case llvm::Intrinsic::x86_avx2_psrlv_q_256: 2398 case llvm::Intrinsic::x86_avx2_psrav_d: 2399 case llvm::Intrinsic::x86_avx2_psrav_d_256: 2400 handleVectorShiftIntrinsic(I, /* Variable */ true); 2401 break; 2402 2403 case llvm::Intrinsic::x86_sse2_packsswb_128: 2404 case llvm::Intrinsic::x86_sse2_packssdw_128: 2405 case llvm::Intrinsic::x86_sse2_packuswb_128: 2406 case llvm::Intrinsic::x86_sse41_packusdw: 2407 case llvm::Intrinsic::x86_avx2_packsswb: 2408 case llvm::Intrinsic::x86_avx2_packssdw: 2409 case llvm::Intrinsic::x86_avx2_packuswb: 2410 case llvm::Intrinsic::x86_avx2_packusdw: 2411 handleVectorPackIntrinsic(I); 2412 break; 2413 2414 case llvm::Intrinsic::x86_mmx_packsswb: 2415 case llvm::Intrinsic::x86_mmx_packuswb: 2416 handleVectorPackIntrinsic(I, 16); 2417 break; 2418 2419 case llvm::Intrinsic::x86_mmx_packssdw: 2420 handleVectorPackIntrinsic(I, 32); 2421 break; 2422 2423 case llvm::Intrinsic::x86_mmx_psad_bw: 2424 case llvm::Intrinsic::x86_sse2_psad_bw: 2425 case llvm::Intrinsic::x86_avx2_psad_bw: 2426 handleVectorSadIntrinsic(I); 2427 break; 2428 2429 case llvm::Intrinsic::x86_sse2_pmadd_wd: 2430 case llvm::Intrinsic::x86_avx2_pmadd_wd: 2431 case llvm::Intrinsic::x86_ssse3_pmadd_ub_sw_128: 2432 case llvm::Intrinsic::x86_avx2_pmadd_ub_sw: 2433 handleVectorPmaddIntrinsic(I); 2434 break; 2435 2436 case llvm::Intrinsic::x86_ssse3_pmadd_ub_sw: 2437 handleVectorPmaddIntrinsic(I, 8); 2438 break; 2439 2440 case llvm::Intrinsic::x86_mmx_pmadd_wd: 2441 handleVectorPmaddIntrinsic(I, 16); 2442 break; 2443 2444 default: 2445 if (!handleUnknownIntrinsic(I)) 2446 visitInstruction(I); 2447 break; 2448 } 2449 } 2450 2451 void visitCallSite(CallSite CS) { 2452 Instruction &I = 
*CS.getInstruction(); 2453 assert((CS.isCall() || CS.isInvoke()) && "Unknown type of CallSite"); 2454 if (CS.isCall()) { 2455 CallInst *Call = cast<CallInst>(&I); 2456 2457 // For inline asm, do the usual thing: check argument shadow and mark all 2458 // outputs as clean. Note that any side effects of the inline asm that are 2459 // not immediately visible in its constraints are not handled. 2460 if (Call->isInlineAsm()) { 2461 visitInstruction(I); 2462 return; 2463 } 2464 2465 assert(!isa<IntrinsicInst>(&I) && "intrinsics are handled elsewhere"); 2466 2467 // We are going to insert code that relies on the fact that the callee 2468 // will become a non-readonly function after it is instrumented by us. To 2469 // prevent this code from being optimized out, mark that function 2470 // non-readonly in advance. 2471 if (Function *Func = Call->getCalledFunction()) { 2472 // Clear out readonly/readnone attributes. 2473 AttrBuilder B; 2474 B.addAttribute(Attribute::ReadOnly) 2475 .addAttribute(Attribute::ReadNone); 2476 Func->removeAttributes(AttributeSet::FunctionIndex, 2477 AttributeSet::get(Func->getContext(), 2478 AttributeSet::FunctionIndex, 2479 B)); 2480 } 2481 } 2482 IRBuilder<> IRB(&I); 2483 2484 unsigned ArgOffset = 0; 2485 DEBUG(dbgs() << " CallSite: " << I << "\n"); 2486 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end(); 2487 ArgIt != End; ++ArgIt) { 2488 Value *A = *ArgIt; 2489 unsigned i = ArgIt - CS.arg_begin(); 2490 if (!A->getType()->isSized()) { 2491 DEBUG(dbgs() << "Arg " << i << " is not sized: " << I << "\n"); 2492 continue; 2493 } 2494 unsigned Size = 0; 2495 Value *Store = nullptr; 2496 // Compute the Shadow for arg even if it is ByVal, because 2497 // in that case getShadow() will copy the actual arg shadow to 2498 // __msan_param_tls. 2499 Value *ArgShadow = getShadow(A); 2500 Value *ArgShadowBase = getShadowPtrForArgument(A, IRB, ArgOffset); 2501 DEBUG(dbgs() << " Arg#" << i << ": " << *A << 2502 " Shadow: " << *ArgShadow << "\n"); 2503 bool ArgIsInitialized = false; 2504 const DataLayout &DL = F.getParent()->getDataLayout(); 2505 if (CS.paramHasAttr(i + 1, Attribute::ByVal)) { 2506 assert(A->getType()->isPointerTy() && 2507 "ByVal argument is not a pointer!"); 2508 Size = DL.getTypeAllocSize(A->getType()->getPointerElementType()); 2509 if (ArgOffset + Size > kParamTLSSize) break; 2510 unsigned ParamAlignment = CS.getParamAlignment(i + 1); 2511 unsigned Alignment = std::min(ParamAlignment, kShadowTLSAlignment); 2512 Store = IRB.CreateMemCpy(ArgShadowBase, 2513 getShadowPtr(A, Type::getInt8Ty(*MS.C), IRB), 2514 Size, Alignment); 2515 } else { 2516 Size = DL.getTypeAllocSize(A->getType()); 2517 if (ArgOffset + Size > kParamTLSSize) break; 2518 Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase, 2519 kShadowTLSAlignment); 2520 Constant *Cst = dyn_cast<Constant>(ArgShadow); 2521 if (Cst && Cst->isNullValue()) ArgIsInitialized = true; 2522 } 2523 if (MS.TrackOrigins && !ArgIsInitialized) 2524 IRB.CreateStore(getOrigin(A), 2525 getOriginPtrForArgument(A, IRB, ArgOffset)); 2526 (void)Store; 2527 assert(Size != 0 && Store != nullptr); 2528 DEBUG(dbgs() << " Param:" << *Store << "\n"); 2529 ArgOffset += RoundUpToAlignment(Size, 8); 2530 } 2531 DEBUG(dbgs() << " done with call args\n"); 2532 2533 FunctionType *FT = 2534 cast<FunctionType>(CS.getCalledValue()->getType()->getContainedType(0)); 2535 if (FT->isVarArg()) { 2536 VAHelper->visitCallSite(CS, IRB); 2537 } 2538 2539 // Now, get the shadow for the RetVal. 
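    // An instrumented callee writes the shadow of its return value to
    // __msan_retval_tls right before returning, and we read it back right
    // after the call. Pre-filling the slot with a clean shadow below avoids
    // false reports from stale TLS contents when the callee is not
    // instrumented and never updates the slot.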
2540 if (!I.getType()->isSized()) return; 2541 // Don't emit the epilogue for musttail call returns. 2542 if (CS.isCall() && cast<CallInst>(&I)->isMustTailCall()) return; 2543 IRBuilder<> IRBBefore(&I); 2544 // Until we have full dynamic coverage, make sure the retval shadow is 0. 2545 Value *Base = getShadowPtrForRetval(&I, IRBBefore); 2546 IRBBefore.CreateAlignedStore(getCleanShadow(&I), Base, kShadowTLSAlignment); 2547 Instruction *NextInsn = nullptr; 2548 if (CS.isCall()) { 2549 NextInsn = I.getNextNode(); 2550 } else { 2551 BasicBlock *NormalDest = cast<InvokeInst>(&I)->getNormalDest(); 2552 if (!NormalDest->getSinglePredecessor()) { 2553 // FIXME: this case is tricky, so we are just conservative here. 2554 // Perhaps we need to split the edge between this BB and NormalDest, 2555 // but a naive attempt to use SplitEdge leads to a crash. 2556 setShadow(&I, getCleanShadow(&I)); 2557 setOrigin(&I, getCleanOrigin()); 2558 return; 2559 } 2560 NextInsn = NormalDest->getFirstInsertionPt(); 2561 assert(NextInsn && 2562 "Could not find insertion point for retval shadow load"); 2563 } 2564 IRBuilder<> IRBAfter(NextInsn); 2565 Value *RetvalShadow = 2566 IRBAfter.CreateAlignedLoad(getShadowPtrForRetval(&I, IRBAfter), 2567 kShadowTLSAlignment, "_msret"); 2568 setShadow(&I, RetvalShadow); 2569 if (MS.TrackOrigins) 2570 setOrigin(&I, IRBAfter.CreateLoad(getOriginPtrForRetval(IRBAfter))); 2571 } 2572 2573 bool isAMustTailRetVal(Value *RetVal) { 2574 if (auto *I = dyn_cast<BitCastInst>(RetVal)) { 2575 RetVal = I->getOperand(0); 2576 } 2577 if (auto *I = dyn_cast<CallInst>(RetVal)) { 2578 return I->isMustTailCall(); 2579 } 2580 return false; 2581 } 2582 2583 void visitReturnInst(ReturnInst &I) { 2584 IRBuilder<> IRB(&I); 2585 Value *RetVal = I.getReturnValue(); 2586 if (!RetVal) return; 2587 // Don't emit the epilogue for musttail call returns. 2588 if (isAMustTailRetVal(RetVal)) return; 2589 Value *ShadowPtr = getShadowPtrForRetval(RetVal, IRB); 2590 if (CheckReturnValue) { 2591 insertShadowCheck(RetVal, &I); 2592 Value *Shadow = getCleanShadow(RetVal); 2593 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment); 2594 } else { 2595 Value *Shadow = getShadow(RetVal); 2596 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment); 2597 // FIXME: make it conditional if ClStoreCleanOrigin==0 2598 if (MS.TrackOrigins) 2599 IRB.CreateStore(getOrigin(RetVal), getOriginPtrForRetval(IRB)); 2600 } 2601 } 2602 2603 void visitPHINode(PHINode &I) { 2604 IRBuilder<> IRB(&I); 2605 if (!PropagateShadow) { 2606 setShadow(&I, getCleanShadow(&I)); 2607 setOrigin(&I, getCleanOrigin()); 2608 return; 2609 } 2610 2611 ShadowPHINodes.push_back(&I); 2612 setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(), 2613 "_msphi_s")); 2614 if (MS.TrackOrigins) 2615 setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(), 2616 "_msphi_o")); 2617 } 2618 2619 void visitAllocaInst(AllocaInst &I) { 2620 setShadow(&I, getCleanShadow(&I)); 2621 setOrigin(&I, getCleanOrigin()); 2622 IRBuilder<> IRB(I.getNextNode()); 2623 const DataLayout &DL = F.getParent()->getDataLayout(); 2624 uint64_t Size = DL.getTypeAllocSize(I.getAllocatedType()); 2625 if (PoisonStack && ClPoisonStackWithCall) { 2626 IRB.CreateCall(MS.MsanPoisonStackFn, 2627 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), 2628 ConstantInt::get(MS.IntptrTy, Size)}); 2629 } else { 2630 Value *ShadowBase = getShadowPtr(&I, Type::getInt8PtrTy(*MS.C), IRB); 2631 Value *PoisonValue = IRB.getInt8(PoisonStack ? 
ClPoisonStackPattern : 0); 2632 IRB.CreateMemSet(ShadowBase, PoisonValue, Size, I.getAlignment()); 2633 } 2634 2635 if (PoisonStack && MS.TrackOrigins) { 2636 SmallString<2048> StackDescriptionStorage; 2637 raw_svector_ostream StackDescription(StackDescriptionStorage); 2638 // We create a string with a description of the stack allocation and 2639 // pass it into __msan_set_alloca_origin. 2640 // It will be printed by the run-time if stack-originated UMR is found. 2641 // The first 4 bytes of the string are set to '----' and will be replaced 2642 // by __msan_va_arg_overflow_size_tls at the first call. 2643 StackDescription << "----" << I.getName() << "@" << F.getName(); 2644 Value *Descr = 2645 createPrivateNonConstGlobalForString(*F.getParent(), 2646 StackDescription.str()); 2647 2648 IRB.CreateCall(MS.MsanSetAllocaOrigin4Fn, 2649 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), 2650 ConstantInt::get(MS.IntptrTy, Size), 2651 IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy()), 2652 IRB.CreatePointerCast(&F, MS.IntptrTy)}); 2653 } 2654 } 2655 2656 void visitSelectInst(SelectInst& I) { 2657 IRBuilder<> IRB(&I); 2658 // a = select b, c, d 2659 Value *B = I.getCondition(); 2660 Value *C = I.getTrueValue(); 2661 Value *D = I.getFalseValue(); 2662 Value *Sb = getShadow(B); 2663 Value *Sc = getShadow(C); 2664 Value *Sd = getShadow(D); 2665 2666 // Result shadow if condition shadow is 0. 2667 Value *Sa0 = IRB.CreateSelect(B, Sc, Sd); 2668 Value *Sa1; 2669 if (I.getType()->isAggregateType()) { 2670 // To avoid "sign extending" i1 to an arbitrary aggregate type, we just do 2671 // an extra "select". This results in much more compact IR. 2672 // Sa = select Sb, poisoned, (select b, Sc, Sd) 2673 Sa1 = getPoisonedShadow(getShadowTy(I.getType())); 2674 } else { 2675 // Sa = select Sb, [ (c^d) | Sc | Sd ], [ b ? Sc : Sd ] 2676 // If Sb (condition is poisoned), look for bits in c and d that are equal 2677 // and both unpoisoned. 2678 // If !Sb (condition is unpoisoned), simply pick one of Sc and Sd. 2679 2680 // Cast arguments to shadow-compatible type. 2681 C = CreateAppToShadowCast(IRB, C); 2682 D = CreateAppToShadowCast(IRB, D); 2683 2684 // Result shadow if condition shadow is 1. 2685 Sa1 = IRB.CreateOr(IRB.CreateXor(C, D), IRB.CreateOr(Sc, Sd)); 2686 } 2687 Value *Sa = IRB.CreateSelect(Sb, Sa1, Sa0, "_msprop_select"); 2688 setShadow(&I, Sa); 2689 if (MS.TrackOrigins) { 2690 // Origins are always i32, so any vector conditions must be flattened. 2691 // FIXME: consider tracking vector origins for app vectors? 2692 if (B->getType()->isVectorTy()) { 2693 Type *FlatTy = getShadowTyNoVec(B->getType()); 2694 B = IRB.CreateICmpNE(IRB.CreateBitCast(B, FlatTy), 2695 ConstantInt::getNullValue(FlatTy)); 2696 Sb = IRB.CreateICmpNE(IRB.CreateBitCast(Sb, FlatTy), 2697 ConstantInt::getNullValue(FlatTy)); 2698 } 2699 // a = select b, c, d 2700 // Oa = Sb ? Ob : (b ? Oc : Od) 2701 setOrigin( 2702 &I, IRB.CreateSelect(Sb, getOrigin(I.getCondition()), 2703 IRB.CreateSelect(B, getOrigin(I.getTrueValue()), 2704 getOrigin(I.getFalseValue())))); 2705 } 2706 } 2707 2708 void visitLandingPadInst(LandingPadInst &I) { 2709 // Do nothing. 
2710 // See http://code.google.com/p/memory-sanitizer/issues/detail?id=1 2711 setShadow(&I, getCleanShadow(&I)); 2712 setOrigin(&I, getCleanOrigin()); 2713 } 2714 2715 void visitCleanupPadInst(CleanupPadInst &I) { 2716 setShadow(&I, getCleanShadow(&I)); 2717 setOrigin(&I, getCleanOrigin()); 2718 } 2719 2720 void visitCatchPad(CatchPadInst &I) { 2721 setShadow(&I, getCleanShadow(&I)); 2722 setOrigin(&I, getCleanOrigin()); 2723 } 2724 2725 void visitTerminatePad(TerminatePadInst &I) { 2726 DEBUG(dbgs() << "TerminatePad: " << I << "\n"); 2727 // Nothing to do here. 2728 } 2729 2730 void visitCatchEndPadInst(CatchEndPadInst &I) { 2731 DEBUG(dbgs() << "CatchEndPad: " << I << "\n"); 2732 // Nothing to do here. 2733 } 2734 2735 void visitCleanupEndPadInst(CleanupEndPadInst &I) { 2736 DEBUG(dbgs() << "CleanupEndPad: " << I << "\n"); 2737 // Nothing to do here. 2738 } 2739 2740 void visitGetElementPtrInst(GetElementPtrInst &I) { 2741 handleShadowOr(I); 2742 } 2743 2744 void visitExtractValueInst(ExtractValueInst &I) { 2745 IRBuilder<> IRB(&I); 2746 Value *Agg = I.getAggregateOperand(); 2747 DEBUG(dbgs() << "ExtractValue: " << I << "\n"); 2748 Value *AggShadow = getShadow(Agg); 2749 DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n"); 2750 Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices()); 2751 DEBUG(dbgs() << " ResShadow: " << *ResShadow << "\n"); 2752 setShadow(&I, ResShadow); 2753 setOriginForNaryOp(I); 2754 } 2755 2756 void visitInsertValueInst(InsertValueInst &I) { 2757 IRBuilder<> IRB(&I); 2758 DEBUG(dbgs() << "InsertValue: " << I << "\n"); 2759 Value *AggShadow = getShadow(I.getAggregateOperand()); 2760 Value *InsShadow = getShadow(I.getInsertedValueOperand()); 2761 DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n"); 2762 DEBUG(dbgs() << " InsShadow: " << *InsShadow << "\n"); 2763 Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices()); 2764 DEBUG(dbgs() << " Res: " << *Res << "\n"); 2765 setShadow(&I, Res); 2766 setOriginForNaryOp(I); 2767 } 2768 2769 void dumpInst(Instruction &I) { 2770 if (CallInst *CI = dyn_cast<CallInst>(&I)) { 2771 errs() << "ZZZ call " << CI->getCalledFunction()->getName() << "\n"; 2772 } else { 2773 errs() << "ZZZ " << I.getOpcodeName() << "\n"; 2774 } 2775 errs() << "QQQ " << I << "\n"; 2776 } 2777 2778 void visitResumeInst(ResumeInst &I) { 2779 DEBUG(dbgs() << "Resume: " << I << "\n"); 2780 // Nothing to do here. 2781 } 2782 2783 void visitCleanupReturnInst(CleanupReturnInst &CRI) { 2784 DEBUG(dbgs() << "CleanupReturn: " << CRI << "\n"); 2785 // Nothing to do here. 2786 } 2787 2788 void visitCatchReturnInst(CatchReturnInst &CRI) { 2789 DEBUG(dbgs() << "CatchReturn: " << CRI << "\n"); 2790 // Nothing to do here. 2791 } 2792 2793 void visitInstruction(Instruction &I) { 2794 // Everything else: stop propagating and check for poisoned shadow. 2795 if (ClDumpStrictInstructions) 2796 dumpInst(I); 2797 DEBUG(dbgs() << "DEFAULT: " << I << "\n"); 2798 for (size_t i = 0, n = I.getNumOperands(); i < n; i++) 2799 insertShadowCheck(I.getOperand(i), &I); 2800 setShadow(&I, getCleanShadow(&I)); 2801 setOrigin(&I, getCleanOrigin()); 2802 } 2803 }; 2804 2805 /// \brief AMD64-specific implementation of VarArgHelper. 2806 struct VarArgAMD64Helper : public VarArgHelper { 2807 // An unfortunate workaround for asymmetric lowering of va_arg stuff. 2808 // See a comment in visitCallSite for more details. 
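  // In the AMD64 SysV ABI the va_list register save area holds 6
  // general-purpose registers (6 * 8 = 48 bytes) followed by 8 SSE registers
  // (8 * 16 = 128 bytes, ending at offset 176), which is where the two
  // constants below come from.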
2809 static const unsigned AMD64GpEndOffset = 48; // AMD64 ABI Draft 0.99.6 p3.5.7 2810 static const unsigned AMD64FpEndOffset = 176; 2811 2812 Function &F; 2813 MemorySanitizer &MS; 2814 MemorySanitizerVisitor &MSV; 2815 Value *VAArgTLSCopy; 2816 Value *VAArgOverflowSize; 2817 2818 SmallVector<CallInst*, 16> VAStartInstrumentationList; 2819 2820 VarArgAMD64Helper(Function &F, MemorySanitizer &MS, 2821 MemorySanitizerVisitor &MSV) 2822 : F(F), MS(MS), MSV(MSV), VAArgTLSCopy(nullptr), 2823 VAArgOverflowSize(nullptr) {} 2824 2825 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory }; 2826 2827 ArgKind classifyArgument(Value* arg) { 2828 // A very rough approximation of X86_64 argument classification rules. 2829 Type *T = arg->getType(); 2830 if (T->isFPOrFPVectorTy() || T->isX86_MMXTy()) 2831 return AK_FloatingPoint; 2832 if (T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64) 2833 return AK_GeneralPurpose; 2834 if (T->isPointerTy()) 2835 return AK_GeneralPurpose; 2836 return AK_Memory; 2837 } 2838 2839 // For VarArg functions, store the argument shadow in an ABI-specific format 2840 // that corresponds to va_list layout. 2841 // We do this because Clang lowers va_arg in the frontend, and this pass 2842 // only sees the low level code that deals with va_list internals. 2843 // A much easier alternative (provided that Clang emits va_arg instructions) 2844 // would have been to associate each live instance of va_list with a copy of 2845 // MSanParamTLS, and extract shadow on va_arg() call in the argument list 2846 // order. 2847 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override { 2848 unsigned GpOffset = 0; 2849 unsigned FpOffset = AMD64GpEndOffset; 2850 unsigned OverflowOffset = AMD64FpEndOffset; 2851 const DataLayout &DL = F.getParent()->getDataLayout(); 2852 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end(); 2853 ArgIt != End; ++ArgIt) { 2854 Value *A = *ArgIt; 2855 unsigned ArgNo = CS.getArgumentNo(ArgIt); 2856 bool IsByVal = CS.paramHasAttr(ArgNo + 1, Attribute::ByVal); 2857 if (IsByVal) { 2858 // ByVal arguments always go to the overflow area. 
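        // Their shadow is copied byte-for-byte from the pointee's shadow (see
        // the memcpy below), so the whole aggregate's shadow, not just the
        // pointer's, reaches the callee's va_list.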
2859 assert(A->getType()->isPointerTy()); 2860 Type *RealTy = A->getType()->getPointerElementType(); 2861 uint64_t ArgSize = DL.getTypeAllocSize(RealTy); 2862 Value *Base = getShadowPtrForVAArgument(RealTy, IRB, OverflowOffset); 2863 OverflowOffset += RoundUpToAlignment(ArgSize, 8); 2864 IRB.CreateMemCpy(Base, MSV.getShadowPtr(A, IRB.getInt8Ty(), IRB), 2865 ArgSize, kShadowTLSAlignment); 2866 } else { 2867 ArgKind AK = classifyArgument(A); 2868 if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset) 2869 AK = AK_Memory; 2870 if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset) 2871 AK = AK_Memory; 2872 Value *Base; 2873 switch (AK) { 2874 case AK_GeneralPurpose: 2875 Base = getShadowPtrForVAArgument(A->getType(), IRB, GpOffset); 2876 GpOffset += 8; 2877 break; 2878 case AK_FloatingPoint: 2879 Base = getShadowPtrForVAArgument(A->getType(), IRB, FpOffset); 2880 FpOffset += 16; 2881 break; 2882 case AK_Memory: 2883 uint64_t ArgSize = DL.getTypeAllocSize(A->getType()); 2884 Base = getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset); 2885 OverflowOffset += RoundUpToAlignment(ArgSize, 8); 2886 } 2887 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment); 2888 } 2889 } 2890 Constant *OverflowSize = 2891 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset); 2892 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS); 2893 } 2894 2895 /// \brief Compute the shadow address for a given va_arg. 2896 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, 2897 int ArgOffset) { 2898 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); 2899 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 2900 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), 2901 "_msarg"); 2902 } 2903 2904 void visitVAStartInst(VAStartInst &I) override { 2905 if (F.getCallingConv() == CallingConv::X86_64_Win64) 2906 return; 2907 IRBuilder<> IRB(&I); 2908 VAStartInstrumentationList.push_back(&I); 2909 Value *VAListTag = I.getArgOperand(0); 2910 Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB); 2911 2912 // Unpoison the whole __va_list_tag. 2913 // FIXME: magic ABI constants. 2914 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 2915 /* size */24, /* alignment */8, false); 2916 } 2917 2918 void visitVACopyInst(VACopyInst &I) override { 2919 if (F.getCallingConv() == CallingConv::X86_64_Win64) 2920 return; 2921 IRBuilder<> IRB(&I); 2922 Value *VAListTag = I.getArgOperand(0); 2923 Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB); 2924 2925 // Unpoison the whole __va_list_tag. 2926 // FIXME: magic ABI constants. 2927 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 2928 /* size */24, /* alignment */8, false); 2929 } 2930 2931 void finalizeInstrumentation() override { 2932 assert(!VAArgOverflowSize && !VAArgTLSCopy && 2933 "finalizeInstrumentation called twice"); 2934 if (!VAStartInstrumentationList.empty()) { 2935 // If there is a va_start in this function, make a backup copy of 2936 // va_arg_tls somewhere in the function entry block. 2937 IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI()); 2938 VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS); 2939 Value *CopySize = 2940 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset), 2941 VAArgOverflowSize); 2942 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize); 2943 IRB.CreateMemCpy(VAArgTLSCopy, MS.VAArgTLS, CopySize, 8); 2944 } 2945 2946 // Instrument va_start. 
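    // (The constants 16 and 8 used below are the offsets of the
    // reg_save_area and overflow_arg_area pointers inside the AMD64
    // __va_list_tag, respectively.)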
2947 // Copy va_list shadow from the backup copy of the TLS contents. 2948 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) { 2949 CallInst *OrigInst = VAStartInstrumentationList[i]; 2950 IRBuilder<> IRB(OrigInst->getNextNode()); 2951 Value *VAListTag = OrigInst->getArgOperand(0); 2952 2953 Value *RegSaveAreaPtrPtr = 2954 IRB.CreateIntToPtr( 2955 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 2956 ConstantInt::get(MS.IntptrTy, 16)), 2957 Type::getInt64PtrTy(*MS.C)); 2958 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr); 2959 Value *RegSaveAreaShadowPtr = 2960 MSV.getShadowPtr(RegSaveAreaPtr, IRB.getInt8Ty(), IRB); 2961 IRB.CreateMemCpy(RegSaveAreaShadowPtr, VAArgTLSCopy, 2962 AMD64FpEndOffset, 16); 2963 2964 Value *OverflowArgAreaPtrPtr = 2965 IRB.CreateIntToPtr( 2966 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 2967 ConstantInt::get(MS.IntptrTy, 8)), 2968 Type::getInt64PtrTy(*MS.C)); 2969 Value *OverflowArgAreaPtr = IRB.CreateLoad(OverflowArgAreaPtrPtr); 2970 Value *OverflowArgAreaShadowPtr = 2971 MSV.getShadowPtr(OverflowArgAreaPtr, IRB.getInt8Ty(), IRB); 2972 Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy, 2973 AMD64FpEndOffset); 2974 IRB.CreateMemCpy(OverflowArgAreaShadowPtr, SrcPtr, VAArgOverflowSize, 16); 2975 } 2976 } 2977 }; 2978 2979 /// \brief MIPS64-specific implementation of VarArgHelper. 2980 struct VarArgMIPS64Helper : public VarArgHelper { 2981 Function &F; 2982 MemorySanitizer &MS; 2983 MemorySanitizerVisitor &MSV; 2984 Value *VAArgTLSCopy; 2985 Value *VAArgSize; 2986 2987 SmallVector<CallInst*, 16> VAStartInstrumentationList; 2988 2989 VarArgMIPS64Helper(Function &F, MemorySanitizer &MS, 2990 MemorySanitizerVisitor &MSV) 2991 : F(F), MS(MS), MSV(MSV), VAArgTLSCopy(nullptr), 2992 VAArgSize(nullptr) {} 2993 2994 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override { 2995 unsigned VAArgOffset = 0; 2996 const DataLayout &DL = F.getParent()->getDataLayout(); 2997 for (CallSite::arg_iterator ArgIt = CS.arg_begin() + 1, End = CS.arg_end(); 2998 ArgIt != End; ++ArgIt) { 2999 Value *A = *ArgIt; 3000 Value *Base; 3001 uint64_t ArgSize = DL.getTypeAllocSize(A->getType()); 3002 #if defined(__MIPSEB__) || defined(MIPSEB) 3003 // Adjusting the shadow for argument with size < 8 to match the placement 3004 // of bits in big endian system 3005 if (ArgSize < 8) 3006 VAArgOffset += (8 - ArgSize); 3007 #endif 3008 Base = getShadowPtrForVAArgument(A->getType(), IRB, VAArgOffset); 3009 VAArgOffset += ArgSize; 3010 VAArgOffset = RoundUpToAlignment(VAArgOffset, 8); 3011 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment); 3012 } 3013 3014 Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(), VAArgOffset); 3015 // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of 3016 // a new class member i.e. it is the total size of all VarArgs. 3017 IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS); 3018 } 3019 3020 /// \brief Compute the shadow address for a given va_arg. 
  Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
                                   int ArgOffset) {
    Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
    Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
    return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
                              "_msarg");
  }

  void visitVAStartInst(VAStartInst &I) override {
    IRBuilder<> IRB(&I);
    VAStartInstrumentationList.push_back(&I);
    Value *VAListTag = I.getArgOperand(0);
    Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB);
    // Unpoison the whole __va_list_tag.
    IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
                     /* size */ 8, /* alignment */ 8, false);
  }

  void visitVACopyInst(VACopyInst &I) override {
    IRBuilder<> IRB(&I);
    Value *VAListTag = I.getArgOperand(0);
    Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB);
    // Unpoison the whole __va_list_tag.
    // FIXME: magic ABI constants.
    IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
                     /* size */ 8, /* alignment */ 8, false);
  }

  void finalizeInstrumentation() override {
    assert(!VAArgSize && !VAArgTLSCopy &&
           "finalizeInstrumentation called twice");
    IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI());
    VAArgSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS);
    Value *CopySize = IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, 0),
                                    VAArgSize);

    if (!VAStartInstrumentationList.empty()) {
      // If there is a va_start in this function, make a backup copy of
      // va_arg_tls somewhere in the function entry block.
      VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
      IRB.CreateMemCpy(VAArgTLSCopy, MS.VAArgTLS, CopySize, 8);
    }

    // Instrument va_start.
    // Copy va_list shadow from the backup copy of the TLS contents.
    for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
      CallInst *OrigInst = VAStartInstrumentationList[i];
      IRBuilder<> IRB(OrigInst->getNextNode());
      Value *VAListTag = OrigInst->getArgOperand(0);
      Value *RegSaveAreaPtrPtr =
          IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
                             Type::getInt64PtrTy(*MS.C));
      Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr);
      Value *RegSaveAreaShadowPtr =
          MSV.getShadowPtr(RegSaveAreaPtr, IRB.getInt8Ty(), IRB);
      IRB.CreateMemCpy(RegSaveAreaShadowPtr, VAArgTLSCopy, CopySize, 8);
    }
  }
};

/// \brief A no-op implementation of VarArgHelper.
struct VarArgNoOpHelper : public VarArgHelper {
  VarArgNoOpHelper(Function &F, MemorySanitizer &MS,
                   MemorySanitizerVisitor &MSV) {}

  void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {}

  void visitVAStartInst(VAStartInst &I) override {}

  void visitVACopyInst(VACopyInst &I) override {}

  void finalizeInstrumentation() override {}
};

VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
                                 MemorySanitizerVisitor &Visitor) {
  // VarArg handling is only implemented on AMD64 and MIPS64. False positives
  // are possible on other platforms.
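  // All other targets get the no-op helper, which performs no va_arg shadow
  // propagation at all.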
  llvm::Triple TargetTriple(Func.getParent()->getTargetTriple());
  if (TargetTriple.getArch() == llvm::Triple::x86_64)
    return new VarArgAMD64Helper(Func, Msan, Visitor);
  else if (TargetTriple.getArch() == llvm::Triple::mips64 ||
           TargetTriple.getArch() == llvm::Triple::mips64el)
    return new VarArgMIPS64Helper(Func, Msan, Visitor);
  else
    return new VarArgNoOpHelper(Func, Msan, Visitor);
}

} // namespace

bool MemorySanitizer::runOnFunction(Function &F) {
  if (&F == MsanCtorFunction)
    return false;
  MemorySanitizerVisitor Visitor(F, *this);

  // Clear out readonly/readnone attributes: the instrumented function now
  // reads and writes shadow and origin memory (including the TLS slots), so
  // these attributes would no longer be correct.
  AttrBuilder B;
  B.addAttribute(Attribute::ReadOnly)
      .addAttribute(Attribute::ReadNone);
  F.removeAttributes(AttributeSet::FunctionIndex,
                     AttributeSet::get(F.getContext(),
                                       AttributeSet::FunctionIndex, B));

  return Visitor.runOnFunction();
}