//===- MemorySanitizer.cpp - detector of uninitialized reads -------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
/// \file
/// This file is a part of MemorySanitizer, a detector of uninitialized
/// reads.
///
/// The algorithm of the tool is similar to Memcheck
/// (http://goo.gl/QKbem). We associate a few shadow bits with every
/// byte of the application memory, poison the shadow of the malloc-ed
/// or alloca-ed memory, load the shadow bits on every memory read,
/// propagate the shadow bits through some of the arithmetic
/// instructions (including MOV), store the shadow bits on every memory
/// write, and report a bug on some other instructions (e.g. JMP) if the
/// associated shadow is poisoned.
///
/// But there are differences too. The first and major one is
/// compiler instrumentation instead of binary instrumentation. This
/// gives us much better register allocation, possible compiler
/// optimizations and a fast start-up. But it also brings a major issue:
/// msan needs to see all program events, including system
/// calls and reads/writes in system libraries, so we either need to
/// compile *everything* with msan or use a binary translation
/// component (e.g. DynamoRIO) to instrument pre-built libraries.
/// Another difference from Memcheck is that we use 8 shadow bits per
/// byte of application memory and use a direct shadow mapping. This
/// greatly simplifies the instrumentation code and avoids races on
/// shadow updates (Memcheck is single-threaded so races are not a
/// concern there. Memcheck uses 2 shadow bits per byte with a slow
/// path storage that uses 8 bits per byte).
///
/// The default value of shadow is 0, which means "clean" (not poisoned).
///
/// Every module initializer should call __msan_init to ensure that the
/// shadow memory is ready. On error, __msan_warning is called. Since
/// parameters and return values may be passed via registers, we have a
/// specialized thread-local shadow for return values
/// (__msan_retval_tls) and parameters (__msan_param_tls).
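///
/// For example (an illustrative sketch only, not the exact IR this pass
/// emits), instrumenting
///
///   %v = load i32, i32* %p
///   %r = add i32 %v, %c
///   store i32 %r, i32* %q
///
/// conceptually produces
///
///   %v  = load i32, i32* %p
///   %vs = load i32, i32* %p_shadow    ; load the shadow of %v
///   %r  = add i32 %v, %c
///   %rs = or i32 %vs, %cs             ; (approximate) shadow propagation
///   store i32 %r, i32* %q
///   store i32 %rs, i32* %q_shadow     ; store the shadow of %r
///
/// where %p_shadow and %q_shadow are computed from %p and %q using the
/// direct shadow mapping described below.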
///
/// Origin tracking.
///
/// MemorySanitizer can track origins (allocation points) of all uninitialized
/// values. This behavior is controlled with a flag (msan-track-origins) and is
/// disabled by default.
///
/// Origins are 4-byte values created and interpreted by the runtime library.
/// They are stored in a second shadow mapping, one 4-byte value for every
/// 4 bytes of application memory. Propagation of origins is basically a bunch
/// of "select" instructions that pick the origin of a dirty argument, if an
/// instruction has one.
///
/// Every 4 aligned, consecutive bytes of application memory have one origin
/// value associated with them. If these bytes contain uninitialized data
/// coming from 2 different allocations, the last store wins. Because of this,
/// MemorySanitizer reports can show unrelated origins, but this is unlikely in
/// practice.
///
/// Origins are meaningless for fully initialized values, so MemorySanitizer
/// avoids storing origin to memory when a fully initialized value is stored.
/// This way it avoids needless overwriting of the origin of the 4-byte region
/// on a short (i.e. 1 byte) clean store, and it is also good for performance.
///
/// Atomic handling.
///
/// Ideally, every atomic store of an application value should update the
/// corresponding shadow location in an atomic way. Unfortunately, an atomic
/// store to two disjoint locations cannot be done without severe slowdown.
///
/// Therefore, we implement an approximation that may err on the safe side.
/// In this implementation, every atomically accessed location in the program
/// may only change from (partially) uninitialized to fully initialized, but
/// not the other way around. We load the shadow _after_ the application load,
/// and we store the shadow _before_ the app store. Also, we always store clean
/// shadow (if the application store is atomic). This way, if the store-load
/// pair constitutes a happens-before arc, the shadow store and load are
/// correctly ordered such that the load will get either the value that was
/// stored, or some later value (which is always clean).
///
/// This does not work very well with Compare-And-Swap (CAS) and
/// Read-Modify-Write (RMW) operations. To follow the above logic, CAS and RMW
/// must store the new shadow before the app operation, and load the shadow
/// after the app operation. Computers don't work this way. The current
/// implementation ignores the load aspect of CAS/RMW, always returning a clean
/// value. It implements the store part as a simple atomic store of a clean
/// shadow.
///
/// KernelMemorySanitizer (KMSAN) implementation.
///
/// The major differences between KMSAN and MSan instrumentation are:
/// - KMSAN always tracks the origins and implies msan-keep-going=true;
/// - KMSAN allocates shadow and origin memory for each page separately, so
///   there are no explicit accesses to shadow and origin in the
///   instrumentation.
///   Shadow and origin values for a particular X-byte memory location
///   (X=1,2,4,8) are accessed through pointers obtained via the
///     __msan_metadata_ptr_for_load_X(ptr)
///     __msan_metadata_ptr_for_store_X(ptr)
///   functions. The corresponding functions check that the X-byte accesses
///   are possible and return the pointers to shadow and origin memory.
///   Arbitrary sized accesses are handled with:
///     __msan_metadata_ptr_for_load_n(ptr, size)
///     __msan_metadata_ptr_for_store_n(ptr, size);
/// - TLS variables are stored in a single per-task struct. A call to the
///   function __msan_get_context_state() returning a pointer to that struct
///   is inserted into every instrumented function before the entry block;
/// - __msan_warning() takes a 32-bit origin parameter;
/// - local variables are poisoned with __msan_poison_alloca() upon function
///   entry and unpoisoned with __msan_unpoison_alloca() before leaving the
///   function;
/// - the pass doesn't declare any global variables or add global constructors
///   to the translation unit.
///
/// Also, KMSAN currently ignores uninitialized memory passed into inline asm
/// calls, making sure we're on the safe side wrt. possible false positives.
///
/// KernelMemorySanitizer only supports X86_64 at the moment.
///
//===----------------------------------------------------------------------===//
#include "llvm/ADT/APInt.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/StringRef.h"
#include "llvm/ADT/Triple.h"
#include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/Transforms/Utils/Local.h"
#include "llvm/IR/Argument.h"
#include "llvm/IR/Attributes.h"
#include "llvm/IR/BasicBlock.h"
#include "llvm/IR/CallSite.h"
#include "llvm/IR/CallingConv.h"
#include "llvm/IR/Constant.h"
#include "llvm/IR/Constants.h"
#include "llvm/IR/DataLayout.h"
#include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/GlobalValue.h"
#include "llvm/IR/GlobalVariable.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h"
#include "llvm/IR/InstVisitor.h"
#include "llvm/IR/InstrTypes.h"
#include "llvm/IR/Instruction.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/Intrinsics.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/MDBuilder.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Type.h"
#include "llvm/IR/Value.h"
#include "llvm/IR/ValueMap.h"
#include "llvm/Pass.h"
#include "llvm/Support/AtomicOrdering.h"
#include "llvm/Support/Casting.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Compiler.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/ErrorHandling.h"
#include "llvm/Support/MathExtras.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Transforms/Instrumentation.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <tuple>

using namespace llvm;

#define DEBUG_TYPE "msan"

static const unsigned kOriginSize = 4;
static const unsigned kMinOriginAlignment = 4;
static const unsigned kShadowTLSAlignment = 8;

// These constants must be kept in sync with the ones in msan.h.
static const unsigned kParamTLSSize = 800;
static const unsigned kRetvalTLSSize = 800;

// Access sizes are powers of two: 1, 2, 4, 8.
static const size_t kNumberOfAccessSizes = 4;

/// Track origins of uninitialized values.
///
/// Adds a section to MemorySanitizer reports that points to the allocation
/// (stack or heap) the uninitialized bits came from originally.
static cl::opt<int> ClTrackOrigins("msan-track-origins",
       cl::desc("Track origins (allocation sites) of poisoned memory"),
       cl::Hidden, cl::init(0));

static cl::opt<bool> ClKeepGoing("msan-keep-going",
       cl::desc("keep going after reporting a UMR"),
       cl::Hidden, cl::init(false));

static cl::opt<bool> ClPoisonStack("msan-poison-stack",
       cl::desc("poison uninitialized stack variables"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClPoisonStackWithCall("msan-poison-stack-with-call",
       cl::desc("poison uninitialized stack variables with a call"),
       cl::Hidden, cl::init(false));

static cl::opt<int> ClPoisonStackPattern("msan-poison-stack-pattern",
       cl::desc("poison uninitialized stack variables with the given pattern"),
       cl::Hidden, cl::init(0xff));

static cl::opt<bool> ClPoisonUndef("msan-poison-undef",
       cl::desc("poison undef temps"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClHandleICmp("msan-handle-icmp",
       cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClHandleICmpExact("msan-handle-icmp-exact",
       cl::desc("exact handling of relational integer ICmp"),
       cl::Hidden, cl::init(false));

// When compiling the Linux kernel, we sometimes see false positives related to
// MSan being unable to understand that inline assembly calls may initialize
// local variables.
// This flag makes the compiler conservatively unpoison every memory location
// passed into an assembly call. Note that this may mask real bugs (false
// negatives). Because it's impossible to figure out the array sizes, we can
// only unpoison the first sizeof(type) bytes for each type* pointer.
static cl::opt<bool> ClHandleAsmConservative(
    "msan-handle-asm-conservative",
    cl::desc("conservative handling of inline assembly"), cl::Hidden,
    cl::init(false));

// This flag controls whether we check the shadow of the address operand of a
// load or store. Such bugs are very rare, since a load from a garbage address
// typically results in SEGV, but they still happen (e.g. only the lower bits
// of the address are garbage, or the access happens early at program startup
// when malloc-ed memory is more likely to be zeroed). As of 2012-08-28 this
// flag adds a 20% slowdown.
static cl::opt<bool> ClCheckAccessAddress("msan-check-access-address",
       cl::desc("report accesses through a pointer which has poisoned shadow"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClDumpStrictInstructions("msan-dump-strict-instructions",
       cl::desc("print out instructions with default strict semantics"),
       cl::Hidden, cl::init(false));

static cl::opt<int> ClInstrumentationWithCallThreshold(
    "msan-instrumentation-with-call-threshold",
    cl::desc(
        "If the function being instrumented requires more than "
        "this number of checks and origin stores, use callbacks instead of "
        "inline checks (-1 means never use callbacks)."),
    cl::Hidden, cl::init(3500));

static cl::opt<bool>
    ClEnableKmsan("msan-kernel",
                  cl::desc("Enable KernelMemorySanitizer instrumentation"),
                  cl::Hidden, cl::init(false));

// This is an experiment to enable handling of cases where shadow is a
// non-zero compile-time constant. For some inexplicable reason such values
// were silently ignored in the instrumentation.
static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow",
       cl::desc("Insert checks for constant shadow values"),
       cl::Hidden, cl::init(false));

// This is off by default because of a bug in gold:
// https://sourceware.org/bugzilla/show_bug.cgi?id=19002
static cl::opt<bool> ClWithComdat("msan-with-comdat",
       cl::desc("Place MSan constructors in comdat sections"),
       cl::Hidden, cl::init(false));

// These options allow specifying custom memory map parameters.
// See MemoryMapParams for details.
static cl::opt<unsigned long long> ClAndMask("msan-and-mask",
       cl::desc("Define custom MSan AndMask"),
       cl::Hidden, cl::init(0));

static cl::opt<unsigned long long> ClXorMask("msan-xor-mask",
       cl::desc("Define custom MSan XorMask"),
       cl::Hidden, cl::init(0));

static cl::opt<unsigned long long> ClShadowBase("msan-shadow-base",
       cl::desc("Define custom MSan ShadowBase"),
       cl::Hidden, cl::init(0));

static cl::opt<unsigned long long> ClOriginBase("msan-origin-base",
       cl::desc("Define custom MSan OriginBase"),
       cl::Hidden, cl::init(0));

static const char *const kMsanModuleCtorName = "msan.module_ctor";
static const char *const kMsanInitName = "__msan_init";

namespace {

// Memory map parameters used in application-to-shadow address calculation.
// Offset = (Addr & ~AndMask) ^ XorMask
// Shadow = ShadowBase + Offset
// Origin = OriginBase + Offset
struct MemoryMapParams {
  uint64_t AndMask;
  uint64_t XorMask;
  uint64_t ShadowBase;
  uint64_t OriginBase;
};

struct PlatformMemoryMapParams {
  const MemoryMapParams *bits32;
  const MemoryMapParams *bits64;
};

} // end anonymous namespace

// i386 Linux
static const MemoryMapParams Linux_I386_MemoryMapParams = {
  0x000080000000,  // AndMask
  0,               // XorMask (not used)
  0,               // ShadowBase (not used)
  0x000040000000,  // OriginBase
};

// x86_64 Linux
static const MemoryMapParams Linux_X86_64_MemoryMapParams = {
#ifdef MSAN_LINUX_X86_64_OLD_MAPPING
  0x400000000000,  // AndMask
  0,               // XorMask (not used)
  0,               // ShadowBase (not used)
  0x200000000000,  // OriginBase
#else
  0,               // AndMask (not used)
  0x500000000000,  // XorMask
  0,               // ShadowBase (not used)
  0x100000000000,  // OriginBase
#endif
};

// mips64 Linux
static const MemoryMapParams Linux_MIPS64_MemoryMapParams = {
  0,               // AndMask (not used)
  0x008000000000,  // XorMask
  0,               // ShadowBase (not used)
  0x002000000000,  // OriginBase
};

// ppc64 Linux
static const MemoryMapParams Linux_PowerPC64_MemoryMapParams = {
  0xE00000000000,  // AndMask
  0x100000000000,  // XorMask
  0x080000000000,  // ShadowBase
  0x1C0000000000,  // OriginBase
};

// aarch64 Linux
static const MemoryMapParams Linux_AArch64_MemoryMapParams = {
  0,               // AndMask (not used)
  0x06000000000,   // XorMask
  0,               // ShadowBase (not used)
  0x01000000000,   // OriginBase
};

// i386 FreeBSD
static const MemoryMapParams FreeBSD_I386_MemoryMapParams = {
  0x000180000000,  // AndMask
  0x000040000000,  // XorMask
  0x000020000000,  // ShadowBase
  0x000700000000,  // OriginBase
};

// x86_64 FreeBSD
static const MemoryMapParams FreeBSD_X86_64_MemoryMapParams = {
  0xc00000000000,  // AndMask
  0x200000000000,  // XorMask
  0x100000000000,  // ShadowBase
  0x380000000000,  // OriginBase
};

// x86_64 NetBSD
static const MemoryMapParams NetBSD_X86_64_MemoryMapParams = {
  0,               // AndMask
  0x500000000000,  // XorMask
  0,               // ShadowBase
  0x100000000000,  // OriginBase
};

static const PlatformMemoryMapParams Linux_X86_MemoryMapParams = {
  &Linux_I386_MemoryMapParams,
  &Linux_X86_64_MemoryMapParams,
};

static const PlatformMemoryMapParams Linux_MIPS_MemoryMapParams = {
  nullptr,
  &Linux_MIPS64_MemoryMapParams,
};

static const PlatformMemoryMapParams Linux_PowerPC_MemoryMapParams = {
  nullptr,
  &Linux_PowerPC64_MemoryMapParams,
};

static const PlatformMemoryMapParams Linux_ARM_MemoryMapParams = {
  nullptr,
  &Linux_AArch64_MemoryMapParams,
};

static const PlatformMemoryMapParams FreeBSD_X86_MemoryMapParams = {
  &FreeBSD_I386_MemoryMapParams,
  &FreeBSD_X86_64_MemoryMapParams,
};

static const PlatformMemoryMapParams NetBSD_X86_MemoryMapParams = {
  nullptr,
  &NetBSD_X86_64_MemoryMapParams,
};
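// Illustrative worked example (not used by the code): with the default
// x86_64 Linux parameters above (AndMask = 0, XorMask = 0x500000000000,
// ShadowBase = 0, OriginBase = 0x100000000000), an application address
// Addr = 0x700000001234 maps to
//   Offset = (Addr & ~0) ^ 0x500000000000 = 0x200000001234
//   Shadow = 0 + Offset                   = 0x200000001234
//   Origin = (0x100000000000 + Offset) & ~3ULL = 0x300000001234
// i.e. the shadow address is obtained by XOR-ing a constant into the
// application address, and origins live at a fixed offset from the shadow
// (the final & ~3ULL is applied in getShadowOriginPtrUserspace() below).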
namespace {

/// An instrumentation pass implementing detection of uninitialized
/// reads.
///
/// MemorySanitizer: instrument the code in a module to find
/// uninitialized reads.
class MemorySanitizer : public FunctionPass {
public:
  // Pass identification, replacement for typeid.
  static char ID;

  MemorySanitizer(int TrackOrigins = 0, bool Recover = false,
                  bool EnableKmsan = false)
      : FunctionPass(ID) {
    this->CompileKernel =
        ClEnableKmsan.getNumOccurrences() > 0 ? ClEnableKmsan : EnableKmsan;
    if (ClTrackOrigins.getNumOccurrences() > 0)
      this->TrackOrigins = ClTrackOrigins;
    else
      this->TrackOrigins = this->CompileKernel ? 2 : TrackOrigins;
    this->Recover = ClKeepGoing.getNumOccurrences() > 0
                        ? ClKeepGoing
                        : (this->CompileKernel | Recover);
  }

  StringRef getPassName() const override { return "MemorySanitizer"; }

  void getAnalysisUsage(AnalysisUsage &AU) const override {
    AU.addRequired<TargetLibraryInfoWrapperPass>();
  }

  bool runOnFunction(Function &F) override;
  bool doInitialization(Module &M) override;

private:
  friend struct MemorySanitizerVisitor;
  friend struct VarArgAMD64Helper;
  friend struct VarArgMIPS64Helper;
  friend struct VarArgAArch64Helper;
  friend struct VarArgPowerPC64Helper;

  void initializeCallbacks(Module &M);
  void createKernelApi(Module &M);
  void createUserspaceApi(Module &M);

  /// True if we're compiling the Linux kernel.
  bool CompileKernel;

  /// Track origins (allocation points) of uninitialized values.
  int TrackOrigins;
  bool Recover;

  LLVMContext *C;
  Type *IntptrTy;
  Type *OriginTy;

  // XxxTLS variables represent the per-thread state in MSan and per-task state
  // in KMSAN. For userspace these point to thread-local globals; in kernel
  // land they point to the members of a per-task struct obtained via a call
  // to __msan_get_context_state().

  /// Thread-local shadow storage for function parameters.
  Value *ParamTLS;

  /// Thread-local origin storage for function parameters.
  Value *ParamOriginTLS;

  /// Thread-local shadow storage for function return value.
  Value *RetvalTLS;

  /// Thread-local origin storage for function return value.
  Value *RetvalOriginTLS;

  /// Thread-local shadow storage for in-register va_arg function
  /// parameters (x86_64-specific).
  Value *VAArgTLS;

  /// Thread-local origin storage for in-register va_arg function
  /// parameters (x86_64-specific).
  Value *VAArgOriginTLS;

  /// Thread-local storage for the size of the va_arg overflow area
  /// (x86_64-specific).
  Value *VAArgOverflowSizeTLS;

  /// Thread-local space used to pass origin value to the UMR reporting
  /// function.
  Value *OriginTLS;

  /// Are the instrumentation callbacks set up?
  bool CallbacksInitialized = false;

  /// The run-time callback to print a warning.
  Value *WarningFn;

  // These arrays are indexed by log2(AccessSize).
  Value *MaybeWarningFn[kNumberOfAccessSizes];
  Value *MaybeStoreOriginFn[kNumberOfAccessSizes];

  /// Run-time helper that generates a new origin value for a stack
  /// allocation.
  Value *MsanSetAllocaOrigin4Fn;

  /// Run-time helper that poisons stack on function entry.
  Value *MsanPoisonStackFn;

  /// Run-time helper that records a store (or any event) of an
  /// uninitialized value and returns an updated origin id encoding this info.
  Value *MsanChainOriginFn;

  /// MSan runtime replacements for memmove, memcpy and memset.
  Value *MemmoveFn, *MemcpyFn, *MemsetFn;

  /// KMSAN callback for task-local function argument shadow.
  Value *MsanGetContextStateFn;

  /// Functions for poisoning/unpoisoning local variables.
  Value *MsanPoisonAllocaFn, *MsanUnpoisonAllocaFn;

  /// Each of the MsanMetadataPtrXxx functions returns a pair of shadow/origin
  /// pointers.
  Value *MsanMetadataPtrForLoadN, *MsanMetadataPtrForStoreN;
  Value *MsanMetadataPtrForLoad_1_8[4];
  Value *MsanMetadataPtrForStore_1_8[4];

  /// Helper to choose between different MsanMetadataPtrXxx().
  Value *getKmsanShadowOriginAccessFn(bool isStore, int size);

  /// Memory map parameters used in application-to-shadow calculation.
  const MemoryMapParams *MapParams;

  /// Custom memory map parameters used when -msan-shadow-base or
  /// -msan-origin-base is provided.
  MemoryMapParams CustomMapParams;

  MDNode *ColdCallWeights;

  /// Branch weights for origin store.
  MDNode *OriginStoreWeights;

  /// An empty volatile inline asm that prevents callback merge.
  InlineAsm *EmptyAsm;

  Function *MsanCtorFunction;
};

} // end anonymous namespace

char MemorySanitizer::ID = 0;

INITIALIZE_PASS_BEGIN(
    MemorySanitizer, "msan",
    "MemorySanitizer: detects uninitialized reads.", false, false)
INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)
INITIALIZE_PASS_END(
    MemorySanitizer, "msan",
    "MemorySanitizer: detects uninitialized reads.", false, false)

FunctionPass *llvm::createMemorySanitizerPass(int TrackOrigins, bool Recover,
                                              bool CompileKernel) {
  return new MemorySanitizer(TrackOrigins, Recover, CompileKernel);
}

/// Create a non-const global initialized with the given string.
///
/// Creates a writable global for Str so that we can pass it to the
/// run-time lib. The runtime uses the first 4 bytes of the string to store
/// the frame ID, so the string needs to be mutable.
static GlobalVariable *createPrivateNonConstGlobalForString(Module &M,
                                                            StringRef Str) {
  Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);
  return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/false,
                            GlobalValue::PrivateLinkage, StrConst, "");
}

/// Create KMSAN API callbacks.
void MemorySanitizer::createKernelApi(Module &M) {
  IRBuilder<> IRB(*C);

  // These will be initialized in insertKmsanPrologue().
  RetvalTLS = nullptr;
  RetvalOriginTLS = nullptr;
  ParamTLS = nullptr;
  ParamOriginTLS = nullptr;
  VAArgTLS = nullptr;
  VAArgOriginTLS = nullptr;
  VAArgOverflowSizeTLS = nullptr;
  // OriginTLS is unused in the kernel.
  OriginTLS = nullptr;

  // __msan_warning() in the kernel takes an origin.
  WarningFn = M.getOrInsertFunction("__msan_warning", IRB.getVoidTy(),
                                    IRB.getInt32Ty());
  // Requests the per-task context state (kmsan_context_state*) from the
  // runtime library.
  MsanGetContextStateFn = M.getOrInsertFunction(
      "__msan_get_context_state",
      PointerType::get(
          StructType::get(ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
                          ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8),
                          ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
                          ArrayType::get(IRB.getInt64Ty(),
                                         kParamTLSSize / 8), /* va_arg_origin */
                          IRB.getInt64Ty(),
                          ArrayType::get(OriginTy, kParamTLSSize / 4), OriginTy,
                          OriginTy),
          0));

  Type *RetTy = StructType::get(PointerType::get(IRB.getInt8Ty(), 0),
                                PointerType::get(IRB.getInt32Ty(), 0));

  for (int ind = 0, size = 1; ind < 4; ind++, size <<= 1) {
    std::string name_load =
        "__msan_metadata_ptr_for_load_" + std::to_string(size);
    std::string name_store =
        "__msan_metadata_ptr_for_store_" + std::to_string(size);
    MsanMetadataPtrForLoad_1_8[ind] = M.getOrInsertFunction(
        name_load, RetTy, PointerType::get(IRB.getInt8Ty(), 0));
    MsanMetadataPtrForStore_1_8[ind] = M.getOrInsertFunction(
        name_store, RetTy, PointerType::get(IRB.getInt8Ty(), 0));
  }

  MsanMetadataPtrForLoadN = M.getOrInsertFunction(
      "__msan_metadata_ptr_for_load_n", RetTy,
      PointerType::get(IRB.getInt8Ty(), 0), IRB.getInt64Ty());
  MsanMetadataPtrForStoreN = M.getOrInsertFunction(
      "__msan_metadata_ptr_for_store_n", RetTy,
      PointerType::get(IRB.getInt8Ty(), 0), IRB.getInt64Ty());

  // Functions for poisoning and unpoisoning memory.
  MsanPoisonAllocaFn =
      M.getOrInsertFunction("__msan_poison_alloca", IRB.getVoidTy(),
                            IRB.getInt8PtrTy(), IntptrTy, IRB.getInt8PtrTy());
  MsanUnpoisonAllocaFn = M.getOrInsertFunction(
      "__msan_unpoison_alloca", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy);
}
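// For reference, the kmsan_context_state struct requested above is assumed
// to have the following layout (field names here are illustrative; the
// authoritative definition lives in the KMSAN runtime and must stay in sync
// with the struct type built in createKernelApi()):
//   u64 param_tls[kParamTLSSize / 8];          // parameter shadow
//   u64 retval_tls[kRetvalTLSSize / 8];        // return value shadow
//   u64 va_arg_tls[kParamTLSSize / 8];         // va_arg shadow
//   u64 va_arg_origin_tls[kParamTLSSize / 8];  // va_arg origins
//   u64 va_arg_overflow_size;
//   u32 param_origin_tls[kParamTLSSize / 4];   // parameter origins
//   u32 retval_origin_tls;                     // return value origin
//   u32 origin_tls;
// insertKmsanPrologue() below caches pointers to these fields in the
// corresponding MS.*TLS members.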
/// Insert declarations for userspace-specific functions and globals.
void MemorySanitizer::createUserspaceApi(Module &M) {
  IRBuilder<> IRB(*C);

  // Create the callback.
  // FIXME: this function should have "Cold" calling conv,
  // which is not yet implemented.
  StringRef WarningFnName = Recover ? "__msan_warning"
                                    : "__msan_warning_noreturn";
  WarningFn = M.getOrInsertFunction(WarningFnName, IRB.getVoidTy());

  // Create the global TLS variables.
  RetvalTLS = new GlobalVariable(
      M, ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_retval_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);

  RetvalOriginTLS = new GlobalVariable(
      M, OriginTy, false, GlobalVariable::ExternalLinkage, nullptr,
      "__msan_retval_origin_tls", nullptr, GlobalVariable::InitialExecTLSModel);

  ParamTLS = new GlobalVariable(
      M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_param_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);

  ParamOriginTLS = new GlobalVariable(
      M, ArrayType::get(OriginTy, kParamTLSSize / 4), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_param_origin_tls",
      nullptr, GlobalVariable::InitialExecTLSModel);

  VAArgTLS = new GlobalVariable(
      M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_va_arg_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);

  VAArgOriginTLS = new GlobalVariable(
      M, ArrayType::get(OriginTy, kParamTLSSize / 4), false,
      GlobalVariable::ExternalLinkage, nullptr, "__msan_va_arg_origin_tls",
      nullptr, GlobalVariable::InitialExecTLSModel);

  VAArgOverflowSizeTLS = new GlobalVariable(
      M, IRB.getInt64Ty(), false, GlobalVariable::ExternalLinkage, nullptr,
      "__msan_va_arg_overflow_size_tls", nullptr,
      GlobalVariable::InitialExecTLSModel);
  OriginTLS = new GlobalVariable(
      M, IRB.getInt32Ty(), false, GlobalVariable::ExternalLinkage, nullptr,
      "__msan_origin_tls", nullptr, GlobalVariable::InitialExecTLSModel);

  for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
       AccessSizeIndex++) {
    unsigned AccessSize = 1 << AccessSizeIndex;
    std::string FunctionName = "__msan_maybe_warning_" + itostr(AccessSize);
    MaybeWarningFn[AccessSizeIndex] = M.getOrInsertFunction(
        FunctionName, IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8),
        IRB.getInt32Ty());

    FunctionName = "__msan_maybe_store_origin_" + itostr(AccessSize);
    MaybeStoreOriginFn[AccessSizeIndex] = M.getOrInsertFunction(
        FunctionName, IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8),
        IRB.getInt8PtrTy(), IRB.getInt32Ty());
  }

  MsanSetAllocaOrigin4Fn = M.getOrInsertFunction(
      "__msan_set_alloca_origin4", IRB.getVoidTy(), IRB.getInt8PtrTy(),
      IntptrTy, IRB.getInt8PtrTy(), IntptrTy);
  MsanPoisonStackFn =
      M.getOrInsertFunction("__msan_poison_stack", IRB.getVoidTy(),
                            IRB.getInt8PtrTy(), IntptrTy);
}

/// Insert extern declaration of runtime-provided functions and globals.
void MemorySanitizer::initializeCallbacks(Module &M) {
  // Only do this once.
  if (CallbacksInitialized)
    return;

  IRBuilder<> IRB(*C);
  // Initialize callbacks that are common for kernel and userspace
  // instrumentation.
  MsanChainOriginFn = M.getOrInsertFunction(
      "__msan_chain_origin", IRB.getInt32Ty(), IRB.getInt32Ty());
  MemmoveFn = M.getOrInsertFunction(
      "__msan_memmove", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
      IRB.getInt8PtrTy(), IntptrTy);
  MemcpyFn = M.getOrInsertFunction(
      "__msan_memcpy", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
      IRB.getInt8PtrTy(), IntptrTy);
  MemsetFn = M.getOrInsertFunction(
      "__msan_memset", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
      IRB.getInt32Ty(), IntptrTy);
  // We insert an empty inline asm after __msan_report* to avoid callback
  // merge.
  EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
                            StringRef(""), StringRef(""),
                            /*hasSideEffects=*/true);

  if (CompileKernel) {
    createKernelApi(M);
  } else {
    createUserspaceApi(M);
  }
  CallbacksInitialized = true;
}

Value *MemorySanitizer::getKmsanShadowOriginAccessFn(bool isStore, int size) {
  Value **Fns =
      isStore ? MsanMetadataPtrForStore_1_8 : MsanMetadataPtrForLoad_1_8;
  switch (size) {
  case 1:
    return Fns[0];
  case 2:
    return Fns[1];
  case 4:
    return Fns[2];
  case 8:
    return Fns[3];
  default:
    return nullptr;
  }
}

/// Module-level initialization.
///
/// Inserts a call to __msan_init into the module's constructor list.
bool MemorySanitizer::doInitialization(Module &M) {
  auto &DL = M.getDataLayout();

  bool ShadowPassed = ClShadowBase.getNumOccurrences() > 0;
  bool OriginPassed = ClOriginBase.getNumOccurrences() > 0;
  // Check the overrides first.
  if (ShadowPassed || OriginPassed) {
    CustomMapParams.AndMask = ClAndMask;
    CustomMapParams.XorMask = ClXorMask;
    CustomMapParams.ShadowBase = ClShadowBase;
    CustomMapParams.OriginBase = ClOriginBase;
    MapParams = &CustomMapParams;
  } else {
    Triple TargetTriple(M.getTargetTriple());
    switch (TargetTriple.getOS()) {
    case Triple::FreeBSD:
      switch (TargetTriple.getArch()) {
      case Triple::x86_64:
        MapParams = FreeBSD_X86_MemoryMapParams.bits64;
        break;
      case Triple::x86:
        MapParams = FreeBSD_X86_MemoryMapParams.bits32;
        break;
      default:
        report_fatal_error("unsupported architecture");
      }
      break;
    case Triple::NetBSD:
      switch (TargetTriple.getArch()) {
      case Triple::x86_64:
        MapParams = NetBSD_X86_MemoryMapParams.bits64;
        break;
      default:
        report_fatal_error("unsupported architecture");
      }
      break;
    case Triple::Linux:
      switch (TargetTriple.getArch()) {
      case Triple::x86_64:
        MapParams = Linux_X86_MemoryMapParams.bits64;
        break;
      case Triple::x86:
        MapParams = Linux_X86_MemoryMapParams.bits32;
        break;
      case Triple::mips64:
      case Triple::mips64el:
        MapParams = Linux_MIPS_MemoryMapParams.bits64;
        break;
      case Triple::ppc64:
      case Triple::ppc64le:
        MapParams = Linux_PowerPC_MemoryMapParams.bits64;
        break;
      case Triple::aarch64:
      case Triple::aarch64_be:
        MapParams = Linux_ARM_MemoryMapParams.bits64;
        break;
      default:
        report_fatal_error("unsupported architecture");
      }
      break;
    default:
      report_fatal_error("unsupported operating system");
    }
  }

  C = &(M.getContext());
  IRBuilder<> IRB(*C);
  IntptrTy = IRB.getIntPtrTy(DL);
  OriginTy = IRB.getInt32Ty();

  ColdCallWeights = MDBuilder(*C).createBranchWeights(1, 1000);
  OriginStoreWeights = MDBuilder(*C).createBranchWeights(1, 1000);

  if (!CompileKernel) {
    std::tie(MsanCtorFunction, std::ignore) =
        createSanitizerCtorAndInitFunctions(M, kMsanModuleCtorName,
                                            kMsanInitName,
                                            /*InitArgTypes=*/{},
                                            /*InitArgs=*/{});
    if (ClWithComdat) {
      Comdat *MsanCtorComdat = M.getOrInsertComdat(kMsanModuleCtorName);
      MsanCtorFunction->setComdat(MsanCtorComdat);
      appendToGlobalCtors(M, MsanCtorFunction, 0, MsanCtorFunction);
    } else {
      appendToGlobalCtors(M, MsanCtorFunction, 0);
    }

    if (TrackOrigins)
      new GlobalVariable(M, IRB.getInt32Ty(), true,
                         GlobalValue::WeakODRLinkage,
                         IRB.getInt32(TrackOrigins), "__msan_track_origins");

    if (Recover)
      new GlobalVariable(M, IRB.getInt32Ty(), true,
                         GlobalValue::WeakODRLinkage,
                         IRB.getInt32(Recover), "__msan_keep_going");
  }
  return true;
}

namespace {

/// A helper class that handles instrumentation of VarArg
/// functions on a particular platform.
///
/// Implementations are expected to insert the instrumentation
/// necessary to propagate argument shadow through VarArg function
/// calls. Visit* methods are called during an InstVisitor pass over
/// the function, and should avoid creating new basic blocks. A new
/// instance of this class is created for each instrumented function.
struct VarArgHelper {
  virtual ~VarArgHelper() = default;

  /// Visit a CallSite.
  virtual void visitCallSite(CallSite &CS, IRBuilder<> &IRB) = 0;

  /// Visit a va_start call.
  virtual void visitVAStartInst(VAStartInst &I) = 0;

  /// Visit a va_copy call.
  virtual void visitVACopyInst(VACopyInst &I) = 0;

  /// Finalize function instrumentation.
  ///
  /// This method is called after visiting all interesting (see above)
  /// instructions in a function.
  virtual void finalizeInstrumentation() = 0;
};

struct MemorySanitizerVisitor;

} // end anonymous namespace

static VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
                                        MemorySanitizerVisitor &Visitor);

static unsigned TypeSizeToSizeIndex(unsigned TypeSize) {
  if (TypeSize <= 8) return 0;
  return Log2_32_Ceil((TypeSize + 7) / 8);
}
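// For reference, TypeSizeToSizeIndex maps a shadow type size in bits to an
// index into the MaybeWarningFn/MaybeStoreOriginFn arrays:
//   1..8 bits   -> 0 (1-byte access callbacks)
//   9..16 bits  -> 1 (2-byte)
//   17..32 bits -> 2 (4-byte)
//   33..64 bits -> 3 (8-byte)
// Larger types produce an index >= kNumberOfAccessSizes, and callers fall
// back to inline instrumentation for them.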
namespace {

/// This class does all the work for a given function. Store and Load
/// instructions store and load corresponding shadow and origin
/// values. Most instructions propagate shadow from arguments to their
/// return values. Certain instructions (most importantly, BranchInst)
/// test their argument shadow and print reports (with a runtime call) if it's
/// non-zero.
struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
  Function &F;
  MemorySanitizer &MS;
  SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes;
  ValueMap<Value*, Value*> ShadowMap, OriginMap;
  std::unique_ptr<VarArgHelper> VAHelper;
  const TargetLibraryInfo *TLI;
  BasicBlock *ActualFnStart;

  // The following flags disable parts of MSan instrumentation based on
  // blacklist contents and command-line options.
  bool InsertChecks;
  bool PropagateShadow;
  bool PoisonStack;
  bool PoisonUndef;
  bool CheckReturnValue;

  struct ShadowOriginAndInsertPoint {
    Value *Shadow;
    Value *Origin;
    Instruction *OrigIns;

    ShadowOriginAndInsertPoint(Value *S, Value *O, Instruction *I)
        : Shadow(S), Origin(O), OrigIns(I) {}
  };
  SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList;
  SmallVector<StoreInst *, 16> StoreList;

  MemorySanitizerVisitor(Function &F, MemorySanitizer &MS)
      : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)) {
    bool SanitizeFunction = F.hasFnAttribute(Attribute::SanitizeMemory);
    InsertChecks = SanitizeFunction;
    PropagateShadow = SanitizeFunction;
    PoisonStack = SanitizeFunction && ClPoisonStack;
    PoisonUndef = SanitizeFunction && ClPoisonUndef;
    // FIXME: Consider using SpecialCaseList to specify a list of functions
    // that must always return fully initialized values. For now, we hardcode
    // "main".
    CheckReturnValue = SanitizeFunction && (F.getName() == "main");
    TLI = &MS.getAnalysis<TargetLibraryInfoWrapperPass>().getTLI();

    MS.initializeCallbacks(*F.getParent());
    if (MS.CompileKernel)
      ActualFnStart = insertKmsanPrologue(F);
    else
      ActualFnStart = &F.getEntryBlock();

    LLVM_DEBUG(if (!InsertChecks) dbgs()
               << "MemorySanitizer is not inserting checks into '"
               << F.getName() << "'\n");
  }

  Value *updateOrigin(Value *V, IRBuilder<> &IRB) {
    if (MS.TrackOrigins <= 1) return V;
    return IRB.CreateCall(MS.MsanChainOriginFn, V);
  }

  Value *originToIntptr(IRBuilder<> &IRB, Value *Origin) {
    const DataLayout &DL = F.getParent()->getDataLayout();
    unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
    if (IntptrSize == kOriginSize) return Origin;
    assert(IntptrSize == kOriginSize * 2);
    Origin = IRB.CreateIntCast(Origin, MS.IntptrTy, /* isSigned */ false);
    return IRB.CreateOr(Origin, IRB.CreateShl(Origin, kOriginSize * 8));
  }

  /// Fill memory range with the given origin value.
  void paintOrigin(IRBuilder<> &IRB, Value *Origin, Value *OriginPtr,
                   unsigned Size, unsigned Alignment) {
    const DataLayout &DL = F.getParent()->getDataLayout();
    unsigned IntptrAlignment = DL.getABITypeAlignment(MS.IntptrTy);
    unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
    assert(IntptrAlignment >= kMinOriginAlignment);
    assert(IntptrSize >= kOriginSize);

    unsigned Ofs = 0;
    unsigned CurrentAlignment = Alignment;
    if (Alignment >= IntptrAlignment && IntptrSize > kOriginSize) {
      Value *IntptrOrigin = originToIntptr(IRB, Origin);
      Value *IntptrOriginPtr =
          IRB.CreatePointerCast(OriginPtr, PointerType::get(MS.IntptrTy, 0));
      for (unsigned i = 0; i < Size / IntptrSize; ++i) {
        Value *Ptr = i ? IRB.CreateConstGEP1_32(MS.IntptrTy, IntptrOriginPtr, i)
                       : IntptrOriginPtr;
        IRB.CreateAlignedStore(IntptrOrigin, Ptr, CurrentAlignment);
        Ofs += IntptrSize / kOriginSize;
        CurrentAlignment = IntptrAlignment;
      }
    }

    for (unsigned i = Ofs; i < (Size + kOriginSize - 1) / kOriginSize; ++i) {
      Value *GEP =
          i ? IRB.CreateConstGEP1_32(nullptr, OriginPtr, i) : OriginPtr;
      IRB.CreateAlignedStore(Origin, GEP, CurrentAlignment);
      CurrentAlignment = kMinOriginAlignment;
    }
  }
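  // For example, on x86_64 (IntptrSize == 8, IntptrAlignment == 8) painting a
  // 24-byte region with 8-byte alignment emits three i64 stores, each holding
  // the origin value duplicated into both 4-byte halves; painting a 6-byte
  // region with 4-byte alignment instead emits two plain i32 origin stores.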
  void storeOrigin(IRBuilder<> &IRB, Value *Addr, Value *Shadow, Value *Origin,
                   Value *OriginPtr, unsigned Alignment, bool AsCall) {
    const DataLayout &DL = F.getParent()->getDataLayout();
    unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment);
    unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType());
    if (Shadow->getType()->isAggregateType()) {
      paintOrigin(IRB, updateOrigin(Origin, IRB), OriginPtr, StoreSize,
                  OriginAlignment);
    } else {
      Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
      Constant *ConstantShadow = dyn_cast_or_null<Constant>(ConvertedShadow);
      if (ConstantShadow) {
        if (ClCheckConstantShadow && !ConstantShadow->isZeroValue())
          paintOrigin(IRB, updateOrigin(Origin, IRB), OriginPtr, StoreSize,
                      OriginAlignment);
        return;
      }

      unsigned TypeSizeInBits =
          DL.getTypeSizeInBits(ConvertedShadow->getType());
      unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
      if (AsCall && SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
        Value *Fn = MS.MaybeStoreOriginFn[SizeIndex];
        Value *ConvertedShadow2 = IRB.CreateZExt(
            ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
        IRB.CreateCall(Fn, {ConvertedShadow2,
                            IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()),
                            Origin});
      } else {
        Value *Cmp = IRB.CreateICmpNE(
            ConvertedShadow, getCleanShadow(ConvertedShadow), "_mscmp");
        Instruction *CheckTerm = SplitBlockAndInsertIfThen(
            Cmp, &*IRB.GetInsertPoint(), false, MS.OriginStoreWeights);
        IRBuilder<> IRBNew(CheckTerm);
        paintOrigin(IRBNew, updateOrigin(Origin, IRBNew), OriginPtr, StoreSize,
                    OriginAlignment);
      }
    }
  }

  void materializeStores(bool InstrumentWithCalls) {
    for (StoreInst *SI : StoreList) {
      IRBuilder<> IRB(SI);
      Value *Val = SI->getValueOperand();
      Value *Addr = SI->getPointerOperand();
      Value *Shadow = SI->isAtomic() ? getCleanShadow(Val) : getShadow(Val);
      Value *ShadowPtr, *OriginPtr;
      Type *ShadowTy = Shadow->getType();
      unsigned Alignment = SI->getAlignment();
      unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment);
      std::tie(ShadowPtr, OriginPtr) =
          getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ true);

      StoreInst *NewSI = IRB.CreateAlignedStore(Shadow, ShadowPtr, Alignment);
      LLVM_DEBUG(dbgs() << "  STORE: " << *NewSI << "\n");
      (void)NewSI;

      if (SI->isAtomic())
        SI->setOrdering(addReleaseOrdering(SI->getOrdering()));

      if (MS.TrackOrigins && !SI->isAtomic())
        storeOrigin(IRB, Addr, Shadow, getOrigin(Val), OriginPtr,
                    OriginAlignment, InstrumentWithCalls);
    }
  }

  /// Helper function to insert a warning at IRB's current insert point.
  void insertWarningFn(IRBuilder<> &IRB, Value *Origin) {
    if (!Origin)
      Origin = (Value *)IRB.getInt32(0);
    if (MS.CompileKernel) {
      IRB.CreateCall(MS.WarningFn, Origin);
    } else {
      if (MS.TrackOrigins) {
        IRB.CreateStore(Origin, MS.OriginTLS);
      }
      IRB.CreateCall(MS.WarningFn, {});
    }
    IRB.CreateCall(MS.EmptyAsm, {});
    // FIXME: Insert UnreachableInst if !MS.Recover?
    // This may invalidate some of the following checks and needs to be done
    // at the very end.
  }

  void materializeOneCheck(Instruction *OrigIns, Value *Shadow, Value *Origin,
                           bool AsCall) {
    IRBuilder<> IRB(OrigIns);
    LLVM_DEBUG(dbgs() << "  SHAD0 : " << *Shadow << "\n");
    Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
    LLVM_DEBUG(dbgs() << "  SHAD1 : " << *ConvertedShadow << "\n");

    Constant *ConstantShadow = dyn_cast_or_null<Constant>(ConvertedShadow);
    if (ConstantShadow) {
      if (ClCheckConstantShadow && !ConstantShadow->isZeroValue()) {
        insertWarningFn(IRB, Origin);
      }
      return;
    }

    const DataLayout &DL = OrigIns->getModule()->getDataLayout();

    unsigned TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType());
    unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
    if (AsCall && SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
      Value *Fn = MS.MaybeWarningFn[SizeIndex];
      Value *ConvertedShadow2 =
          IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
      IRB.CreateCall(Fn, {ConvertedShadow2, MS.TrackOrigins && Origin
                                                ? Origin
                                                : (Value *)IRB.getInt32(0)});
    } else {
      Value *Cmp = IRB.CreateICmpNE(ConvertedShadow,
                                    getCleanShadow(ConvertedShadow), "_mscmp");
      Instruction *CheckTerm = SplitBlockAndInsertIfThen(
          Cmp, OrigIns,
          /* Unreachable */ !MS.Recover, MS.ColdCallWeights);

      IRB.SetInsertPoint(CheckTerm);
      insertWarningFn(IRB, Origin);
      LLVM_DEBUG(dbgs() << "  CHECK: " << *Cmp << "\n");
    }
  }

  void materializeChecks(bool InstrumentWithCalls) {
    for (const auto &ShadowData : InstrumentationList) {
      Instruction *OrigIns = ShadowData.OrigIns;
      Value *Shadow = ShadowData.Shadow;
      Value *Origin = ShadowData.Origin;
      materializeOneCheck(OrigIns, Shadow, Origin, InstrumentWithCalls);
    }
    LLVM_DEBUG(dbgs() << "DONE:\n" << F);
  }

  BasicBlock *insertKmsanPrologue(Function &F) {
    BasicBlock *ret =
        SplitBlock(&F.getEntryBlock(), F.getEntryBlock().getFirstNonPHI());
    IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI());
    Value *ContextState = IRB.CreateCall(MS.MsanGetContextStateFn, {});
    Constant *Zero = IRB.getInt32(0);
    MS.ParamTLS =
        IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(0)}, "param_shadow");
    MS.RetvalTLS =
        IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(1)}, "retval_shadow");
    MS.VAArgTLS =
        IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(2)}, "va_arg_shadow");
    MS.VAArgOriginTLS =
        IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(3)}, "va_arg_origin");
    MS.VAArgOverflowSizeTLS = IRB.CreateGEP(
        ContextState, {Zero, IRB.getInt32(4)}, "va_arg_overflow_size");
    MS.ParamOriginTLS =
        IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(5)}, "param_origin");
    MS.RetvalOriginTLS =
        IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(6)}, "retval_origin");
    return ret;
  }

  /// Add MemorySanitizer instrumentation to a function.
  bool runOnFunction() {
    // In the presence of unreachable blocks, we may see Phi nodes with
    // incoming nodes from such blocks. Since InstVisitor skips unreachable
    // blocks, such nodes will not have any shadow value associated with them.
    // It's easier to remove unreachable blocks than deal with missing shadow.
    removeUnreachableBlocks(F);

    // Iterate all BBs in depth-first order and create shadow instructions
    // for all instructions (where applicable).
    // For PHI nodes we create dummy shadow PHIs which will be finalized later.
    for (BasicBlock *BB : depth_first(ActualFnStart))
      visit(*BB);

    // Finalize PHI nodes.
    for (PHINode *PN : ShadowPHINodes) {
      PHINode *PNS = cast<PHINode>(getShadow(PN));
      PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : nullptr;
      size_t NumValues = PN->getNumIncomingValues();
      for (size_t v = 0; v < NumValues; v++) {
        PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v));
        if (PNO) PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v));
      }
    }

    VAHelper->finalizeInstrumentation();

    bool InstrumentWithCalls = ClInstrumentationWithCallThreshold >= 0 &&
                               InstrumentationList.size() + StoreList.size() >
                                   (unsigned)ClInstrumentationWithCallThreshold;

    // Insert shadow value checks.
    materializeChecks(InstrumentWithCalls);

    // Delayed instrumentation of StoreInst.
    // This may not add new address checks.
    materializeStores(InstrumentWithCalls);

    return true;
  }

  /// Compute the shadow type that corresponds to a given Value.
  Type *getShadowTy(Value *V) {
    return getShadowTy(V->getType());
  }

  /// Compute the shadow type that corresponds to a given Type.
  Type *getShadowTy(Type *OrigTy) {
    if (!OrigTy->isSized()) {
      return nullptr;
    }
    // For integer type, shadow is the same as the original type.
    // This may return weird-sized types like i1.
    if (IntegerType *IT = dyn_cast<IntegerType>(OrigTy))
      return IT;
    const DataLayout &DL = F.getParent()->getDataLayout();
    if (VectorType *VT = dyn_cast<VectorType>(OrigTy)) {
      uint32_t EltSize = DL.getTypeSizeInBits(VT->getElementType());
      return VectorType::get(IntegerType::get(*MS.C, EltSize),
                             VT->getNumElements());
    }
    if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy)) {
      return ArrayType::get(getShadowTy(AT->getElementType()),
                            AT->getNumElements());
    }
    if (StructType *ST = dyn_cast<StructType>(OrigTy)) {
      SmallVector<Type*, 4> Elements;
      for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
        Elements.push_back(getShadowTy(ST->getElementType(i)));
      StructType *Res = StructType::get(*MS.C, Elements, ST->isPacked());
      LLVM_DEBUG(dbgs() << "getShadowTy: " << *ST << " ===> " << *Res << "\n");
      return Res;
    }
    uint32_t TypeSize = DL.getTypeSizeInBits(OrigTy);
    return IntegerType::get(*MS.C, TypeSize);
  }

  /// Flatten a vector type.
  Type *getShadowTyNoVec(Type *ty) {
    if (VectorType *vt = dyn_cast<VectorType>(ty))
      return IntegerType::get(*MS.C, vt->getBitWidth());
    return ty;
  }

  /// Convert a shadow value to its flattened variant.
  Value *convertToShadowTyNoVec(Value *V, IRBuilder<> &IRB) {
    Type *Ty = V->getType();
    Type *NoVecTy = getShadowTyNoVec(Ty);
    if (Ty == NoVecTy) return V;
    return IRB.CreateBitCast(V, NoVecTy);
  }
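  // For example, the shadow of a <4 x i32> value is flattened to an i128 so
  // that it can be compared against zero with a single icmp; non-vector
  // shadows are returned unchanged.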
  /// Compute the integer shadow offset that corresponds to a given
  /// application address.
  ///
  /// Offset = (Addr & ~AndMask) ^ XorMask
  Value *getShadowPtrOffset(Value *Addr, IRBuilder<> &IRB) {
    Value *OffsetLong = IRB.CreatePointerCast(Addr, MS.IntptrTy);

    uint64_t AndMask = MS.MapParams->AndMask;
    if (AndMask)
      OffsetLong =
          IRB.CreateAnd(OffsetLong, ConstantInt::get(MS.IntptrTy, ~AndMask));

    uint64_t XorMask = MS.MapParams->XorMask;
    if (XorMask)
      OffsetLong =
          IRB.CreateXor(OffsetLong, ConstantInt::get(MS.IntptrTy, XorMask));
    return OffsetLong;
  }

  /// Compute the shadow and origin addresses corresponding to a given
  /// application address.
  ///
  /// Shadow = ShadowBase + Offset
  /// Origin = (OriginBase + Offset) & ~3ULL
  std::pair<Value *, Value *> getShadowOriginPtrUserspace(Value *Addr,
                                                          IRBuilder<> &IRB,
                                                          Type *ShadowTy,
                                                          unsigned Alignment) {
    Value *ShadowOffset = getShadowPtrOffset(Addr, IRB);
    Value *ShadowLong = ShadowOffset;
    uint64_t ShadowBase = MS.MapParams->ShadowBase;
    if (ShadowBase != 0) {
      ShadowLong =
          IRB.CreateAdd(ShadowLong,
                        ConstantInt::get(MS.IntptrTy, ShadowBase));
    }
    Value *ShadowPtr =
        IRB.CreateIntToPtr(ShadowLong, PointerType::get(ShadowTy, 0));
    Value *OriginPtr = nullptr;
    if (MS.TrackOrigins) {
      Value *OriginLong = ShadowOffset;
      uint64_t OriginBase = MS.MapParams->OriginBase;
      if (OriginBase != 0)
        OriginLong = IRB.CreateAdd(OriginLong,
                                   ConstantInt::get(MS.IntptrTy, OriginBase));
      if (Alignment < kMinOriginAlignment) {
        uint64_t Mask = kMinOriginAlignment - 1;
        OriginLong =
            IRB.CreateAnd(OriginLong, ConstantInt::get(MS.IntptrTy, ~Mask));
      }
      OriginPtr =
          IRB.CreateIntToPtr(OriginLong, PointerType::get(IRB.getInt32Ty(), 0));
    }
    return std::make_pair(ShadowPtr, OriginPtr);
  }

  std::pair<Value *, Value *>
  getShadowOriginPtrKernel(Value *Addr, IRBuilder<> &IRB, Type *ShadowTy,
                           unsigned Alignment, bool isStore) {
    Value *ShadowOriginPtrs;
    const DataLayout &DL = F.getParent()->getDataLayout();
    int Size = DL.getTypeStoreSize(ShadowTy);

    Value *Getter = MS.getKmsanShadowOriginAccessFn(isStore, Size);
    Value *AddrCast =
        IRB.CreatePointerCast(Addr, PointerType::get(IRB.getInt8Ty(), 0));
    if (Getter) {
      ShadowOriginPtrs = IRB.CreateCall(Getter, AddrCast);
    } else {
      Value *SizeVal = ConstantInt::get(MS.IntptrTy, Size);
      ShadowOriginPtrs = IRB.CreateCall(isStore ? MS.MsanMetadataPtrForStoreN
                                                : MS.MsanMetadataPtrForLoadN,
                                        {AddrCast, SizeVal});
    }
    Value *ShadowPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 0);
    ShadowPtr = IRB.CreatePointerCast(ShadowPtr, PointerType::get(ShadowTy, 0));
    Value *OriginPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 1);

    return std::make_pair(ShadowPtr, OriginPtr);
  }

  std::pair<Value *, Value *> getShadowOriginPtr(Value *Addr, IRBuilder<> &IRB,
                                                 Type *ShadowTy,
                                                 unsigned Alignment,
                                                 bool isStore) {
    std::pair<Value *, Value *> ret;
    if (MS.CompileKernel)
      ret = getShadowOriginPtrKernel(Addr, IRB, ShadowTy, Alignment, isStore);
    else
      ret = getShadowOriginPtrUserspace(Addr, IRB, ShadowTy, Alignment);
    return ret;
  }

  /// Compute the shadow address for a given function argument.
  ///
  /// Shadow = ParamTLS+ArgOffset.
  Value *getShadowPtrForArgument(Value *A, IRBuilder<> &IRB,
                                 int ArgOffset) {
    Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy);
    if (ArgOffset)
      Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
    return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0),
                              "_msarg");
  }

  /// Compute the origin address for a given function argument.
  Value *getOriginPtrForArgument(Value *A, IRBuilder<> &IRB,
                                 int ArgOffset) {
    if (!MS.TrackOrigins)
      return nullptr;
    Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy);
    if (ArgOffset)
      Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
    return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
                              "_msarg_o");
  }

  /// Compute the shadow address for a retval.
  Value *getShadowPtrForRetval(Value *A, IRBuilder<> &IRB) {
    return IRB.CreatePointerCast(MS.RetvalTLS,
                                 PointerType::get(getShadowTy(A), 0),
                                 "_msret");
  }

  /// Compute the origin address for a retval.
  Value *getOriginPtrForRetval(IRBuilder<> &IRB) {
    // We keep a single origin for the entire retval. Might be too optimistic.
    return MS.RetvalOriginTLS;
  }

  /// Set SV to be the shadow value for V.
  void setShadow(Value *V, Value *SV) {
    assert(!ShadowMap.count(V) && "Values may only have one shadow");
    ShadowMap[V] = PropagateShadow ? SV : getCleanShadow(V);
  }

  /// Set Origin to be the origin value for V.
  void setOrigin(Value *V, Value *Origin) {
    if (!MS.TrackOrigins) return;
    assert(!OriginMap.count(V) && "Values may only have one origin");
    LLVM_DEBUG(dbgs() << "ORIGIN: " << *V << " ==> " << *Origin << "\n");
    OriginMap[V] = Origin;
  }

  Constant *getCleanShadow(Type *OrigTy) {
    Type *ShadowTy = getShadowTy(OrigTy);
    if (!ShadowTy)
      return nullptr;
    return Constant::getNullValue(ShadowTy);
  }

  /// Create a clean shadow value for a given value.
  ///
  /// Clean shadow (all zeroes) means all bits of the value are defined
  /// (initialized).
  Constant *getCleanShadow(Value *V) {
    return getCleanShadow(V->getType());
  }

  /// Create a dirty shadow of a given shadow type.
  Constant *getPoisonedShadow(Type *ShadowTy) {
    assert(ShadowTy);
    if (isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy))
      return Constant::getAllOnesValue(ShadowTy);
    if (ArrayType *AT = dyn_cast<ArrayType>(ShadowTy)) {
      SmallVector<Constant *, 4> Vals(AT->getNumElements(),
                                      getPoisonedShadow(AT->getElementType()));
      return ConstantArray::get(AT, Vals);
    }
    if (StructType *ST = dyn_cast<StructType>(ShadowTy)) {
      SmallVector<Constant *, 4> Vals;
      for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
        Vals.push_back(getPoisonedShadow(ST->getElementType(i)));
      return ConstantStruct::get(ST, Vals);
    }
    llvm_unreachable("Unexpected shadow type");
  }

  /// Create a dirty shadow for a given value.
  Constant *getPoisonedShadow(Value *V) {
    Type *ShadowTy = getShadowTy(V);
    if (!ShadowTy)
      return nullptr;
    return getPoisonedShadow(ShadowTy);
  }

  /// Create a clean (zero) origin.
  Value *getCleanOrigin() {
    return Constant::getNullValue(MS.OriginTy);
  }
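  // For example, the poisoned shadow of a { i32, [2 x i8] } value is
  // { i32 -1, [2 x i8] [i8 -1, i8 -1] }: every leaf field is all-ones.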
  /// Get the shadow value for a given Value.
  ///
  /// This function either returns the value set earlier with setShadow,
  /// or extracts it from ParamTLS (for function arguments).
  Value *getShadow(Value *V) {
    if (!PropagateShadow) return getCleanShadow(V);
    if (Instruction *I = dyn_cast<Instruction>(V)) {
      if (I->getMetadata("nosanitize"))
        return getCleanShadow(V);
      // For instructions the shadow is already stored in the map.
      Value *Shadow = ShadowMap[V];
      if (!Shadow) {
        LLVM_DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent()));
        (void)I;
        assert(Shadow && "No shadow for a value");
      }
      return Shadow;
    }
    if (UndefValue *U = dyn_cast<UndefValue>(V)) {
      Value *AllOnes = PoisonUndef ? getPoisonedShadow(V) : getCleanShadow(V);
      LLVM_DEBUG(dbgs() << "Undef: " << *U << " ==> " << *AllOnes << "\n");
      (void)U;
      return AllOnes;
    }
    if (Argument *A = dyn_cast<Argument>(V)) {
      // For arguments we compute the shadow on demand and store it in the map.
      Value **ShadowPtr = &ShadowMap[V];
      if (*ShadowPtr)
        return *ShadowPtr;
      Function *F = A->getParent();
      IRBuilder<> EntryIRB(ActualFnStart->getFirstNonPHI());
      unsigned ArgOffset = 0;
      const DataLayout &DL = F->getParent()->getDataLayout();
      for (auto &FArg : F->args()) {
        if (!FArg.getType()->isSized()) {
          LLVM_DEBUG(dbgs() << "Arg is not sized\n");
          continue;
        }
        unsigned Size =
            FArg.hasByValAttr()
                ? DL.getTypeAllocSize(FArg.getType()->getPointerElementType())
                : DL.getTypeAllocSize(FArg.getType());
        if (A == &FArg) {
          bool Overflow = ArgOffset + Size > kParamTLSSize;
          Value *Base = getShadowPtrForArgument(&FArg, EntryIRB, ArgOffset);
          if (FArg.hasByValAttr()) {
            // ByVal pointer itself has clean shadow. We copy the actual
            // argument shadow to the underlying memory.
            // Figure out maximal valid memcpy alignment.
            unsigned ArgAlign = FArg.getParamAlignment();
            if (ArgAlign == 0) {
              Type *EltType = A->getType()->getPointerElementType();
              ArgAlign = DL.getABITypeAlignment(EltType);
            }
            Value *CpShadowPtr =
                getShadowOriginPtr(V, EntryIRB, EntryIRB.getInt8Ty(), ArgAlign,
                                   /*isStore*/ true)
                    .first;
            // TODO(glider): need to copy origins.
            if (Overflow) {
              // ParamTLS overflow.
              EntryIRB.CreateMemSet(
                  CpShadowPtr, Constant::getNullValue(EntryIRB.getInt8Ty()),
                  Size, ArgAlign);
            } else {
              unsigned CopyAlign = std::min(ArgAlign, kShadowTLSAlignment);
              Value *Cpy = EntryIRB.CreateMemCpy(CpShadowPtr, CopyAlign, Base,
                                                 CopyAlign, Size);
              LLVM_DEBUG(dbgs() << "  ByValCpy: " << *Cpy << "\n");
              (void)Cpy;
            }
            *ShadowPtr = getCleanShadow(V);
          } else {
            if (Overflow) {
              // ParamTLS overflow.
              *ShadowPtr = getCleanShadow(V);
            } else {
              *ShadowPtr =
                  EntryIRB.CreateAlignedLoad(Base, kShadowTLSAlignment);
            }
          }
          LLVM_DEBUG(dbgs()
                     << "  ARG: " << FArg << " ==> " << **ShadowPtr << "\n");
          if (MS.TrackOrigins && !Overflow) {
            Value *OriginPtr =
                getOriginPtrForArgument(&FArg, EntryIRB, ArgOffset);
            setOrigin(A, EntryIRB.CreateLoad(OriginPtr));
          } else {
            setOrigin(A, getCleanOrigin());
          }
        }
        ArgOffset += alignTo(Size, kShadowTLSAlignment);
      }
      assert(*ShadowPtr && "Could not find shadow for an argument");
      return *ShadowPtr;
    }
    // For everything else the shadow is zero.
1568 return getCleanShadow(V);
1569 }
1570
1571 /// Get the shadow for the i-th argument of the instruction I.
1572 Value *getShadow(Instruction *I, int i) {
1573 return getShadow(I->getOperand(i));
1574 }
1575
1576 /// Get the origin for a value.
1577 Value *getOrigin(Value *V) {
1578 if (!MS.TrackOrigins) return nullptr;
1579 if (!PropagateShadow) return getCleanOrigin();
1580 if (isa<Constant>(V)) return getCleanOrigin();
1581 assert((isa<Instruction>(V) || isa<Argument>(V)) &&
1582 "Unexpected value type in getOrigin()");
1583 if (Instruction *I = dyn_cast<Instruction>(V)) {
1584 if (I->getMetadata("nosanitize"))
1585 return getCleanOrigin();
1586 }
1587 Value *Origin = OriginMap[V];
1588 assert(Origin && "Missing origin");
1589 return Origin;
1590 }
1591
1592 /// Get the origin for the i-th argument of the instruction I.
1593 Value *getOrigin(Instruction *I, int i) {
1594 return getOrigin(I->getOperand(i));
1595 }
1596
1597 /// Remember the place where a shadow check should be inserted.
1598 ///
1599 /// This location will be later instrumented with a check that will print a
1600 /// UMR warning at runtime if the shadow value is not 0.
1601 void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) {
1602 assert(Shadow);
1603 if (!InsertChecks) return;
1604 #ifndef NDEBUG
1605 Type *ShadowTy = Shadow->getType();
1606 assert((isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy)) &&
1607 "Can only insert checks for integer and vector shadow types");
1608 #endif
1609 InstrumentationList.push_back(
1610 ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns));
1611 }
1612
1613 /// Remember the place where a shadow check should be inserted.
1614 ///
1615 /// This location will be later instrumented with a check that will print a
1616 /// UMR warning at runtime if the value is not fully defined.
1617 void insertShadowCheck(Value *Val, Instruction *OrigIns) {
1618 assert(Val);
1619 Value *Shadow, *Origin;
1620 if (ClCheckConstantShadow) {
1621 Shadow = getShadow(Val);
1622 if (!Shadow) return;
1623 Origin = getOrigin(Val);
1624 } else {
1625 Shadow = dyn_cast_or_null<Instruction>(getShadow(Val));
1626 if (!Shadow) return;
1627 Origin = dyn_cast_or_null<Instruction>(getOrigin(Val));
1628 }
1629 insertShadowCheck(Shadow, Origin, OrigIns);
1630 }
1631
1632 AtomicOrdering addReleaseOrdering(AtomicOrdering a) {
1633 switch (a) {
1634 case AtomicOrdering::NotAtomic:
1635 return AtomicOrdering::NotAtomic;
1636 case AtomicOrdering::Unordered:
1637 case AtomicOrdering::Monotonic:
1638 case AtomicOrdering::Release:
1639 return AtomicOrdering::Release;
1640 case AtomicOrdering::Acquire:
1641 case AtomicOrdering::AcquireRelease:
1642 return AtomicOrdering::AcquireRelease;
1643 case AtomicOrdering::SequentiallyConsistent:
1644 return AtomicOrdering::SequentiallyConsistent;
1645 }
1646 llvm_unreachable("Unknown ordering");
1647 }
1648
1649 AtomicOrdering addAcquireOrdering(AtomicOrdering a) {
1650 switch (a) {
1651 case AtomicOrdering::NotAtomic:
1652 return AtomicOrdering::NotAtomic;
1653 case AtomicOrdering::Unordered:
1654 case AtomicOrdering::Monotonic:
1655 case AtomicOrdering::Acquire:
1656 return AtomicOrdering::Acquire;
1657 case AtomicOrdering::Release:
1658 case AtomicOrdering::AcquireRelease:
1659 return AtomicOrdering::AcquireRelease;
1660 case AtomicOrdering::SequentiallyConsistent:
1661 return AtomicOrdering::SequentiallyConsistent;
1662 }
1663 llvm_unreachable("Unknown ordering");
1664 }
1665
1666 // ------------------- Visitors.
1667 using InstVisitor<MemorySanitizerVisitor>::visit; 1668 void visit(Instruction &I) { 1669 if (!I.getMetadata("nosanitize")) 1670 InstVisitor<MemorySanitizerVisitor>::visit(I); 1671 } 1672 1673 /// Instrument LoadInst 1674 /// 1675 /// Loads the corresponding shadow and (optionally) origin. 1676 /// Optionally, checks that the load address is fully defined. 1677 void visitLoadInst(LoadInst &I) { 1678 assert(I.getType()->isSized() && "Load type must have size"); 1679 assert(!I.getMetadata("nosanitize")); 1680 IRBuilder<> IRB(I.getNextNode()); 1681 Type *ShadowTy = getShadowTy(&I); 1682 Value *Addr = I.getPointerOperand(); 1683 Value *ShadowPtr, *OriginPtr; 1684 unsigned Alignment = I.getAlignment(); 1685 if (PropagateShadow) { 1686 std::tie(ShadowPtr, OriginPtr) = 1687 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ false); 1688 setShadow(&I, IRB.CreateAlignedLoad(ShadowPtr, Alignment, "_msld")); 1689 } else { 1690 setShadow(&I, getCleanShadow(&I)); 1691 } 1692 1693 if (ClCheckAccessAddress) 1694 insertShadowCheck(I.getPointerOperand(), &I); 1695 1696 if (I.isAtomic()) 1697 I.setOrdering(addAcquireOrdering(I.getOrdering())); 1698 1699 if (MS.TrackOrigins) { 1700 if (PropagateShadow) { 1701 unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment); 1702 setOrigin(&I, IRB.CreateAlignedLoad(OriginPtr, OriginAlignment)); 1703 } else { 1704 setOrigin(&I, getCleanOrigin()); 1705 } 1706 } 1707 } 1708 1709 /// Instrument StoreInst 1710 /// 1711 /// Stores the corresponding shadow and (optionally) origin. 1712 /// Optionally, checks that the store address is fully defined. 1713 void visitStoreInst(StoreInst &I) { 1714 StoreList.push_back(&I); 1715 if (ClCheckAccessAddress) 1716 insertShadowCheck(I.getPointerOperand(), &I); 1717 } 1718 1719 void handleCASOrRMW(Instruction &I) { 1720 assert(isa<AtomicRMWInst>(I) || isa<AtomicCmpXchgInst>(I)); 1721 1722 IRBuilder<> IRB(&I); 1723 Value *Addr = I.getOperand(0); 1724 Value *ShadowPtr = getShadowOriginPtr(Addr, IRB, I.getType(), 1725 /*Alignment*/ 1, /*isStore*/ true) 1726 .first; 1727 1728 if (ClCheckAccessAddress) 1729 insertShadowCheck(Addr, &I); 1730 1731 // Only test the conditional argument of cmpxchg instruction. 1732 // The other argument can potentially be uninitialized, but we can not 1733 // detect this situation reliably without possible false positives. 1734 if (isa<AtomicCmpXchgInst>(I)) 1735 insertShadowCheck(I.getOperand(1), &I); 1736 1737 IRB.CreateStore(getCleanShadow(&I), ShadowPtr); 1738 1739 setShadow(&I, getCleanShadow(&I)); 1740 setOrigin(&I, getCleanOrigin()); 1741 } 1742 1743 void visitAtomicRMWInst(AtomicRMWInst &I) { 1744 handleCASOrRMW(I); 1745 I.setOrdering(addReleaseOrdering(I.getOrdering())); 1746 } 1747 1748 void visitAtomicCmpXchgInst(AtomicCmpXchgInst &I) { 1749 handleCASOrRMW(I); 1750 I.setSuccessOrdering(addReleaseOrdering(I.getSuccessOrdering())); 1751 } 1752 1753 // Vector manipulation. 
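// For the element-wise operations below, the shadow is propagated by
// applying the same vector operation to the operand shadows, e.g. a sketch
// for extractelement:
//   %e = extractelement <4 x i32> %v, i32 %idx
//   ; shadow: %_msprop = extractelement <4 x i32> %shadow_of_v, i32 %idx
// The index (or shuffle mask) operand itself is required to be fully
// defined, hence the insertShadowCheck() calls on it.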
1754 void visitExtractElementInst(ExtractElementInst &I) {
1755 insertShadowCheck(I.getOperand(1), &I);
1756 IRBuilder<> IRB(&I);
1757 setShadow(&I, IRB.CreateExtractElement(getShadow(&I, 0), I.getOperand(1),
1758 "_msprop"));
1759 setOrigin(&I, getOrigin(&I, 0));
1760 }
1761
1762 void visitInsertElementInst(InsertElementInst &I) {
1763 insertShadowCheck(I.getOperand(2), &I);
1764 IRBuilder<> IRB(&I);
1765 setShadow(&I, IRB.CreateInsertElement(getShadow(&I, 0), getShadow(&I, 1),
1766 I.getOperand(2), "_msprop"));
1767 setOriginForNaryOp(I);
1768 }
1769
1770 void visitShuffleVectorInst(ShuffleVectorInst &I) {
1771 insertShadowCheck(I.getOperand(2), &I);
1772 IRBuilder<> IRB(&I);
1773 setShadow(&I, IRB.CreateShuffleVector(getShadow(&I, 0), getShadow(&I, 1),
1774 I.getOperand(2), "_msprop"));
1775 setOriginForNaryOp(I);
1776 }
1777
1778 // Casts.
1779 void visitSExtInst(SExtInst &I) {
1780 IRBuilder<> IRB(&I);
1781 setShadow(&I, IRB.CreateSExt(getShadow(&I, 0), I.getType(), "_msprop"));
1782 setOrigin(&I, getOrigin(&I, 0));
1783 }
1784
1785 void visitZExtInst(ZExtInst &I) {
1786 IRBuilder<> IRB(&I);
1787 setShadow(&I, IRB.CreateZExt(getShadow(&I, 0), I.getType(), "_msprop"));
1788 setOrigin(&I, getOrigin(&I, 0));
1789 }
1790
1791 void visitTruncInst(TruncInst &I) {
1792 IRBuilder<> IRB(&I);
1793 setShadow(&I, IRB.CreateTrunc(getShadow(&I, 0), I.getType(), "_msprop"));
1794 setOrigin(&I, getOrigin(&I, 0));
1795 }
1796
1797 void visitBitCastInst(BitCastInst &I) {
1798 // Special case: if this is the bitcast (there is exactly 1 allowed) between
1799 // a musttail call and a ret, don't instrument. New instructions are not
1800 // allowed after a musttail call.
1801 if (auto *CI = dyn_cast<CallInst>(I.getOperand(0)))
1802 if (CI->isMustTailCall())
1803 return;
1804 IRBuilder<> IRB(&I);
1805 setShadow(&I, IRB.CreateBitCast(getShadow(&I, 0), getShadowTy(&I)));
1806 setOrigin(&I, getOrigin(&I, 0));
1807 }
1808
1809 void visitPtrToIntInst(PtrToIntInst &I) {
1810 IRBuilder<> IRB(&I);
1811 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
1812 "_msprop_ptrtoint"));
1813 setOrigin(&I, getOrigin(&I, 0));
1814 }
1815
1816 void visitIntToPtrInst(IntToPtrInst &I) {
1817 IRBuilder<> IRB(&I);
1818 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
1819 "_msprop_inttoptr"));
1820 setOrigin(&I, getOrigin(&I, 0));
1821 }
1822
1823 void visitFPToSIInst(CastInst& I) { handleShadowOr(I); }
1824 void visitFPToUIInst(CastInst& I) { handleShadowOr(I); }
1825 void visitSIToFPInst(CastInst& I) { handleShadowOr(I); }
1826 void visitUIToFPInst(CastInst& I) { handleShadowOr(I); }
1827 void visitFPExtInst(CastInst& I) { handleShadowOr(I); }
1828 void visitFPTruncInst(CastInst& I) { handleShadowOr(I); }
1829
1830 /// Propagate shadow for bitwise AND.
1831 ///
1832 /// This code is exact, i.e. if, for example, a bit in the left argument
1833 /// is defined and 0, then neither the value nor the definedness of the
1834 /// corresponding bit in B affects the resulting shadow.
1835 void visitAnd(BinaryOperator &I) {
1836 IRBuilder<> IRB(&I);
1837 // "And" of 0 and a poisoned value results in unpoisoned value.
1838 // 1&1 => 1; 0&1 => 0; p&1 => p;
1839 // 1&0 => 0; 0&0 => 0; p&0 => 0;
1840 // 1&p => p; 0&p => 0; p&p => p;
1841 // S = (S1 & S2) | (V1 & S2) | (S1 & V2)
1842 Value *S1 = getShadow(&I, 0);
1843 Value *S2 = getShadow(&I, 1);
1844 Value *V1 = I.getOperand(0);
1845 Value *V2 = I.getOperand(1);
1846 if (V1->getType() != S1->getType()) {
1847 V1 = IRB.CreateIntCast(V1, S1->getType(), false);
1848 V2 = IRB.CreateIntCast(V2, S2->getType(), false);
1849 }
1850 Value *S1S2 = IRB.CreateAnd(S1, S2);
1851 Value *V1S2 = IRB.CreateAnd(V1, S2);
1852 Value *S1V2 = IRB.CreateAnd(S1, V2);
1853 setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2)));
1854 setOriginForNaryOp(I);
1855 }
1856
1857 void visitOr(BinaryOperator &I) {
1858 IRBuilder<> IRB(&I);
1859 // "Or" of 1 and a poisoned value results in unpoisoned value.
1860 // 1|1 => 1; 0|1 => 1; p|1 => 1;
1861 // 1|0 => 1; 0|0 => 0; p|0 => p;
1862 // 1|p => 1; 0|p => p; p|p => p;
1863 // S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2)
1864 Value *S1 = getShadow(&I, 0);
1865 Value *S2 = getShadow(&I, 1);
1866 Value *V1 = IRB.CreateNot(I.getOperand(0));
1867 Value *V2 = IRB.CreateNot(I.getOperand(1));
1868 if (V1->getType() != S1->getType()) {
1869 V1 = IRB.CreateIntCast(V1, S1->getType(), false);
1870 V2 = IRB.CreateIntCast(V2, S2->getType(), false);
1871 }
1872 Value *S1S2 = IRB.CreateAnd(S1, S2);
1873 Value *V1S2 = IRB.CreateAnd(V1, S2);
1874 Value *S1V2 = IRB.CreateAnd(S1, V2);
1875 setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2)));
1876 setOriginForNaryOp(I);
1877 }
1878
1879 /// Default propagation of shadow and/or origin.
1880 ///
1881 /// This class implements the general case of shadow propagation, used in all
1882 /// cases where we don't know and/or don't care about what the operation
1883 /// actually does. It converts all input shadow values to a common type
1884 /// (extending or truncating as necessary), and bitwise ORs them.
1885 ///
1886 /// This is much cheaper than inserting checks (i.e. requiring inputs to be
1887 /// fully initialized), and less prone to false positives.
1888 ///
1889 /// This class also implements the general case of origin propagation. For a
1890 /// Nary operation, result origin is set to the origin of an argument that is
1891 /// not entirely initialized. If there is more than one such argument, the
1892 /// rightmost of them is picked. It does not matter which one is picked if all
1893 /// arguments are initialized.
1894 template <bool CombineShadow>
1895 class Combiner {
1896 Value *Shadow = nullptr;
1897 Value *Origin = nullptr;
1898 IRBuilder<> &IRB;
1899 MemorySanitizerVisitor *MSV;
1900
1901 public:
1902 Combiner(MemorySanitizerVisitor *MSV, IRBuilder<> &IRB)
1903 : IRB(IRB), MSV(MSV) {}
1904
1905 /// Add a pair of shadow and origin values to the mix.
1906 Combiner &Add(Value *OpShadow, Value *OpOrigin) {
1907 if (CombineShadow) {
1908 assert(OpShadow);
1909 if (!Shadow)
1910 Shadow = OpShadow;
1911 else {
1912 OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType());
1913 Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop");
1914 }
1915 }
1916
1917 if (MSV->MS.TrackOrigins) {
1918 assert(OpOrigin);
1919 if (!Origin) {
1920 Origin = OpOrigin;
1921 } else {
1922 Constant *ConstOrigin = dyn_cast<Constant>(OpOrigin);
1923 // No point in adding something that might result in 0 origin value.
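// (In particular, when OpOrigin is the constant zero origin, i.e. the
// operand is fully initialized, we keep the current origin rather than
// emitting a useless select.)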
1924 if (!ConstOrigin || !ConstOrigin->isNullValue()) { 1925 Value *FlatShadow = MSV->convertToShadowTyNoVec(OpShadow, IRB); 1926 Value *Cond = 1927 IRB.CreateICmpNE(FlatShadow, MSV->getCleanShadow(FlatShadow)); 1928 Origin = IRB.CreateSelect(Cond, OpOrigin, Origin); 1929 } 1930 } 1931 } 1932 return *this; 1933 } 1934 1935 /// Add an application value to the mix. 1936 Combiner &Add(Value *V) { 1937 Value *OpShadow = MSV->getShadow(V); 1938 Value *OpOrigin = MSV->MS.TrackOrigins ? MSV->getOrigin(V) : nullptr; 1939 return Add(OpShadow, OpOrigin); 1940 } 1941 1942 /// Set the current combined values as the given instruction's shadow 1943 /// and origin. 1944 void Done(Instruction *I) { 1945 if (CombineShadow) { 1946 assert(Shadow); 1947 Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I)); 1948 MSV->setShadow(I, Shadow); 1949 } 1950 if (MSV->MS.TrackOrigins) { 1951 assert(Origin); 1952 MSV->setOrigin(I, Origin); 1953 } 1954 } 1955 }; 1956 1957 using ShadowAndOriginCombiner = Combiner<true>; 1958 using OriginCombiner = Combiner<false>; 1959 1960 /// Propagate origin for arbitrary operation. 1961 void setOriginForNaryOp(Instruction &I) { 1962 if (!MS.TrackOrigins) return; 1963 IRBuilder<> IRB(&I); 1964 OriginCombiner OC(this, IRB); 1965 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI) 1966 OC.Add(OI->get()); 1967 OC.Done(&I); 1968 } 1969 1970 size_t VectorOrPrimitiveTypeSizeInBits(Type *Ty) { 1971 assert(!(Ty->isVectorTy() && Ty->getScalarType()->isPointerTy()) && 1972 "Vector of pointers is not a valid shadow type"); 1973 return Ty->isVectorTy() ? 1974 Ty->getVectorNumElements() * Ty->getScalarSizeInBits() : 1975 Ty->getPrimitiveSizeInBits(); 1976 } 1977 1978 /// Cast between two shadow types, extending or truncating as 1979 /// necessary. 1980 Value *CreateShadowCast(IRBuilder<> &IRB, Value *V, Type *dstTy, 1981 bool Signed = false) { 1982 Type *srcTy = V->getType(); 1983 size_t srcSizeInBits = VectorOrPrimitiveTypeSizeInBits(srcTy); 1984 size_t dstSizeInBits = VectorOrPrimitiveTypeSizeInBits(dstTy); 1985 if (srcSizeInBits > 1 && dstSizeInBits == 1) 1986 return IRB.CreateICmpNE(V, getCleanShadow(V)); 1987 1988 if (dstTy->isIntegerTy() && srcTy->isIntegerTy()) 1989 return IRB.CreateIntCast(V, dstTy, Signed); 1990 if (dstTy->isVectorTy() && srcTy->isVectorTy() && 1991 dstTy->getVectorNumElements() == srcTy->getVectorNumElements()) 1992 return IRB.CreateIntCast(V, dstTy, Signed); 1993 Value *V1 = IRB.CreateBitCast(V, Type::getIntNTy(*MS.C, srcSizeInBits)); 1994 Value *V2 = 1995 IRB.CreateIntCast(V1, Type::getIntNTy(*MS.C, dstSizeInBits), Signed); 1996 return IRB.CreateBitCast(V2, dstTy); 1997 // TODO: handle struct types. 1998 } 1999 2000 /// Cast an application value to the type of its own shadow. 2001 Value *CreateAppToShadowCast(IRBuilder<> &IRB, Value *V) { 2002 Type *ShadowTy = getShadowTy(V); 2003 if (V->getType() == ShadowTy) 2004 return V; 2005 if (V->getType()->isPtrOrPtrVectorTy()) 2006 return IRB.CreatePtrToInt(V, ShadowTy); 2007 else 2008 return IRB.CreateBitCast(V, ShadowTy); 2009 } 2010 2011 /// Propagate shadow for arbitrary operation. 2012 void handleShadowOr(Instruction &I) { 2013 IRBuilder<> IRB(&I); 2014 ShadowAndOriginCombiner SC(this, IRB); 2015 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI) 2016 SC.Add(OI->get()); 2017 SC.Done(&I); 2018 } 2019 2020 // Handle multiplication by constant. 2021 // 2022 // Handle a special case of multiplication by constant that may have one or 2023 // more zeros in the lower bits. 
This makes the corresponding number of lower bits
2024 // of the result zero as well. We model it by shifting the other operand's
2025 // shadow left by the required number of bits. Effectively, we transform
2026 // (X * (A * 2**B)) to ((X << B) * A) and instrument (X << B) as (Sx << B).
2027 // We use multiplication by 2**N instead of shift to cover the case of
2028 // multiplication by 0, which may occur in some elements of a vector operand.
2029 void handleMulByConstant(BinaryOperator &I, Constant *ConstArg,
2030 Value *OtherArg) {
2031 Constant *ShadowMul;
2032 Type *Ty = ConstArg->getType();
2033 if (Ty->isVectorTy()) {
2034 unsigned NumElements = Ty->getVectorNumElements();
2035 Type *EltTy = Ty->getSequentialElementType();
2036 SmallVector<Constant *, 16> Elements;
2037 for (unsigned Idx = 0; Idx < NumElements; ++Idx) {
2038 if (ConstantInt *Elt =
2039 dyn_cast<ConstantInt>(ConstArg->getAggregateElement(Idx))) {
2040 const APInt &V = Elt->getValue();
2041 APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros();
2042 Elements.push_back(ConstantInt::get(EltTy, V2));
2043 } else {
2044 Elements.push_back(ConstantInt::get(EltTy, 1));
2045 }
2046 }
2047 ShadowMul = ConstantVector::get(Elements);
2048 } else {
2049 if (ConstantInt *Elt = dyn_cast<ConstantInt>(ConstArg)) {
2050 const APInt &V = Elt->getValue();
2051 APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros();
2052 ShadowMul = ConstantInt::get(Ty, V2);
2053 } else {
2054 ShadowMul = ConstantInt::get(Ty, 1);
2055 }
2056 }
2057
2058 IRBuilder<> IRB(&I);
2059 setShadow(&I,
2060 IRB.CreateMul(getShadow(OtherArg), ShadowMul, "msprop_mul_cst"));
2061 setOrigin(&I, getOrigin(OtherArg));
2062 }
2063
2064 void visitMul(BinaryOperator &I) {
2065 Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0));
2066 Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1));
2067 if (constOp0 && !constOp1)
2068 handleMulByConstant(I, constOp0, I.getOperand(1));
2069 else if (constOp1 && !constOp0)
2070 handleMulByConstant(I, constOp1, I.getOperand(0));
2071 else
2072 handleShadowOr(I);
2073 }
2074
2075 void visitFAdd(BinaryOperator &I) { handleShadowOr(I); }
2076 void visitFSub(BinaryOperator &I) { handleShadowOr(I); }
2077 void visitFMul(BinaryOperator &I) { handleShadowOr(I); }
2078 void visitAdd(BinaryOperator &I) { handleShadowOr(I); }
2079 void visitSub(BinaryOperator &I) { handleShadowOr(I); }
2080 void visitXor(BinaryOperator &I) { handleShadowOr(I); }
2081
2082 void handleIntegerDiv(Instruction &I) {
2083 IRBuilder<> IRB(&I);
2084 // Strict on the second argument.
2085 insertShadowCheck(I.getOperand(1), &I);
2086 setShadow(&I, getShadow(&I, 0));
2087 setOrigin(&I, getOrigin(&I, 0));
2088 }
2089
2090 void visitUDiv(BinaryOperator &I) { handleIntegerDiv(I); }
2091 void visitSDiv(BinaryOperator &I) { handleIntegerDiv(I); }
2092 void visitURem(BinaryOperator &I) { handleIntegerDiv(I); }
2093 void visitSRem(BinaryOperator &I) { handleIntegerDiv(I); }
2094
2095 // Floating point division is side-effect free. We cannot require that the
2096 // divisor is fully initialized and must propagate shadow. See PR37523.
2097 void visitFDiv(BinaryOperator &I) { handleShadowOr(I); }
2098 void visitFRem(BinaryOperator &I) { handleShadowOr(I); }
2099
2100 /// Instrument == and != comparisons.
2101 ///
2102 /// Sometimes the comparison result is known even if some of the bits of the
2103 /// arguments are not.
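/// For example, if some bit is defined in both arguments and differs between
/// them, the values are certainly unequal regardless of what the
/// uninitialized bits hold, so the comparison result is fully defined.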
2104 void handleEqualityComparison(ICmpInst &I) {
2105 IRBuilder<> IRB(&I);
2106 Value *A = I.getOperand(0);
2107 Value *B = I.getOperand(1);
2108 Value *Sa = getShadow(A);
2109 Value *Sb = getShadow(B);
2110
2111 // Get rid of pointers and vectors of pointers.
2112 // For ints (and vectors of ints), types of A and Sa match,
2113 // and this is a no-op.
2114 A = IRB.CreatePointerCast(A, Sa->getType());
2115 B = IRB.CreatePointerCast(B, Sb->getType());
2116
2117 // A == B <==> (C = A^B) == 0
2118 // A != B <==> (C = A^B) != 0
2119 // Sc = Sa | Sb
2120 Value *C = IRB.CreateXor(A, B);
2121 Value *Sc = IRB.CreateOr(Sa, Sb);
2122 // Now we are dealing with the i = (C == 0) comparison (or C != 0, which
makes no difference here).
2123 // Result is defined if one of the following is true
2124 // * there is a defined 1 bit in C
2125 // * C is fully defined
2126 // Si = !(C & ~Sc) && Sc
2127 Value *Zero = Constant::getNullValue(Sc->getType());
2128 Value *MinusOne = Constant::getAllOnesValue(Sc->getType());
2129 Value *Si =
2130 IRB.CreateAnd(IRB.CreateICmpNE(Sc, Zero),
2131 IRB.CreateICmpEQ(
2132 IRB.CreateAnd(IRB.CreateXor(Sc, MinusOne), C), Zero));
2133 Si->setName("_msprop_icmp");
2134 setShadow(&I, Si);
2135 setOriginForNaryOp(I);
2136 }
2137
2138 /// Build the lowest possible value of A, taking into account A's
2139 /// uninitialized bits.
2140 Value *getLowestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa,
2141 bool isSigned) {
2142 if (isSigned) {
2143 // Split shadow into sign bit and other bits.
2144 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1);
2145 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits);
2146 // Maximize the undefined shadow bit, minimize other undefined bits.
2147 return
2148 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaOtherBits)), SaSignBit);
2149 } else {
2150 // Minimize undefined bits.
2151 return IRB.CreateAnd(A, IRB.CreateNot(Sa));
2152 }
2153 }
2154
2155 /// Build the highest possible value of A, taking into account A's
2156 /// uninitialized bits.
2157 Value *getHighestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa,
2158 bool isSigned) {
2159 if (isSigned) {
2160 // Split shadow into sign bit and other bits.
2161 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1);
2162 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits);
2163 // Minimize the undefined shadow bit, maximize other undefined bits.
2164 return
2165 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaSignBit)), SaOtherBits);
2166 } else {
2167 // Maximize undefined bits.
2168 return IRB.CreateOr(A, Sa);
2169 }
2170 }
2171
2172 /// Instrument relational comparisons.
2173 ///
2174 /// This function does exact shadow propagation for all relational
2175 /// comparisons of integers, pointers and vectors of those.
2176 /// FIXME: output seems suboptimal when one of the operands is a constant
2177 void handleRelationalComparisonExact(ICmpInst &I) {
2178 IRBuilder<> IRB(&I);
2179 Value *A = I.getOperand(0);
2180 Value *B = I.getOperand(1);
2181 Value *Sa = getShadow(A);
2182 Value *Sb = getShadow(B);
2183
2184 // Get rid of pointers and vectors of pointers.
2185 // For ints (and vectors of ints), types of A and Sa match,
2186 // and this is a no-op.
2187 A = IRB.CreatePointerCast(A, Sa->getType());
2188 B = IRB.CreatePointerCast(B, Sb->getType());
2189
2190 // Let [a0, a1] be the interval of possible values of A, taking into account
2191 // its undefined bits. Let [b0, b1] be the interval of possible values of B.
2192 // Then (A cmp B) is defined iff (a0 cmp b1) == (a1 cmp b0).
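// A worked example with hypothetical 4-bit unsigned values: for A = 0b1000
// with shadow Sa = 0b0100 (bit 2 uninitialized), [a0, a1] =
// [A & ~Sa, A | Sa] = [8, 12]. If B = 10 is fully defined, then
// (a0 u< b1) is true but (a1 u< b0) is false, so (A u< B) is poisoned;
// if B = 14, both comparisons agree and the result is fully defined.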
2193 bool IsSigned = I.isSigned();
2194 Value *S1 = IRB.CreateICmp(I.getPredicate(),
2195 getLowestPossibleValue(IRB, A, Sa, IsSigned),
2196 getHighestPossibleValue(IRB, B, Sb, IsSigned));
2197 Value *S2 = IRB.CreateICmp(I.getPredicate(),
2198 getHighestPossibleValue(IRB, A, Sa, IsSigned),
2199 getLowestPossibleValue(IRB, B, Sb, IsSigned));
2200 Value *Si = IRB.CreateXor(S1, S2);
2201 setShadow(&I, Si);
2202 setOriginForNaryOp(I);
2203 }
2204
2205 /// Instrument signed relational comparisons.
2206 ///
2207 /// Handle sign bit tests: x<0, x>=0, x<=-1, x>-1 by propagating the highest
2208 /// bit of the shadow. Everything else is delegated to handleShadowOr().
2209 void handleSignedRelationalComparison(ICmpInst &I) {
2210 Constant *constOp;
2211 Value *op = nullptr;
2212 CmpInst::Predicate pre;
2213 if ((constOp = dyn_cast<Constant>(I.getOperand(1)))) {
2214 op = I.getOperand(0);
2215 pre = I.getPredicate();
2216 } else if ((constOp = dyn_cast<Constant>(I.getOperand(0)))) {
2217 op = I.getOperand(1);
2218 pre = I.getSwappedPredicate();
2219 } else {
2220 handleShadowOr(I);
2221 return;
2222 }
2223
2224 if ((constOp->isNullValue() &&
2225 (pre == CmpInst::ICMP_SLT || pre == CmpInst::ICMP_SGE)) ||
2226 (constOp->isAllOnesValue() &&
2227 (pre == CmpInst::ICMP_SGT || pre == CmpInst::ICMP_SLE))) {
2228 IRBuilder<> IRB(&I);
2229 Value *Shadow = IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op),
2230 "_msprop_icmp_s");
2231 setShadow(&I, Shadow);
2232 setOrigin(&I, getOrigin(op));
2233 } else {
2234 handleShadowOr(I);
2235 }
2236 }
2237
2238 void visitICmpInst(ICmpInst &I) {
2239 if (!ClHandleICmp) {
2240 handleShadowOr(I);
2241 return;
2242 }
2243 if (I.isEquality()) {
2244 handleEqualityComparison(I);
2245 return;
2246 }
2247
2248 assert(I.isRelational());
2249 if (ClHandleICmpExact) {
2250 handleRelationalComparisonExact(I);
2251 return;
2252 }
2253 if (I.isSigned()) {
2254 handleSignedRelationalComparison(I);
2255 return;
2256 }
2257
2258 assert(I.isUnsigned());
2259 if ((isa<Constant>(I.getOperand(0)) || isa<Constant>(I.getOperand(1)))) {
2260 handleRelationalComparisonExact(I);
2261 return;
2262 }
2263
2264 handleShadowOr(I);
2265 }
2266
2267 void visitFCmpInst(FCmpInst &I) {
2268 handleShadowOr(I);
2269 }
2270
2271 void handleShift(BinaryOperator &I) {
2272 IRBuilder<> IRB(&I);
2273 // If any of the S2 bits are poisoned, the whole thing is poisoned.
2274 // Otherwise perform the same shift on S1.
2275 Value *S1 = getShadow(&I, 0);
2276 Value *S2 = getShadow(&I, 1);
2277 Value *S2Conv = IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)),
2278 S2->getType());
2279 Value *V2 = I.getOperand(1);
2280 Value *Shift = IRB.CreateBinOp(I.getOpcode(), S1, V2);
2281 setShadow(&I, IRB.CreateOr(Shift, S2Conv));
2282 setOriginForNaryOp(I);
2283 }
2284
2285 void visitShl(BinaryOperator &I) { handleShift(I); }
2286 void visitAShr(BinaryOperator &I) { handleShift(I); }
2287 void visitLShr(BinaryOperator &I) { handleShift(I); }
2288
2289 /// Instrument llvm.memmove
2290 ///
2291 /// At this point we don't know if llvm.memmove will be inlined or not.
2292 /// If we don't instrument it and it gets inlined,
2293 /// our interceptor will not kick in and we will lose the memmove.
2294 /// If we instrument the call here, but it does not get inlined,
2295 /// we will memmove the shadow twice, which is bad in the case
2296 /// of overlapping regions. So, we simply lower the intrinsic to a call.
2297 ///
2298 /// A similar situation exists for memcpy and memset.
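/// Illustrative lowering (a sketch; the actual callee is whatever
/// MS.MemmoveFn resolves to, the __msan_memmove wrapper in the MSan
/// runtime at the time of writing):
///   call void @llvm.memmove.p0i8.p0i8.i64(i8* %d, i8* %s, i64 %n, i1 false)
/// becomes, roughly,
///   call i8* @__msan_memmove(i8* %d, i8* %s, i64 %n)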
2299 void visitMemMoveInst(MemMoveInst &I) {
2300 IRBuilder<> IRB(&I);
2301 IRB.CreateCall(
2302 MS.MemmoveFn,
2303 {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
2304 IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
2305 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2306 I.eraseFromParent();
2307 }
2308
2309 // Similar to memmove: avoid copying shadow twice.
2310 // This is somewhat unfortunate as it may slow down small constant memcpys.
2311 // FIXME: consider doing manual inline for small constant sizes and proper
2312 // alignment.
2313 void visitMemCpyInst(MemCpyInst &I) {
2314 IRBuilder<> IRB(&I);
2315 IRB.CreateCall(
2316 MS.MemcpyFn,
2317 {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
2318 IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
2319 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2320 I.eraseFromParent();
2321 }
2322
2323 // Same as memcpy.
2324 void visitMemSetInst(MemSetInst &I) {
2325 IRBuilder<> IRB(&I);
2326 IRB.CreateCall(
2327 MS.MemsetFn,
2328 {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
2329 IRB.CreateIntCast(I.getArgOperand(1), IRB.getInt32Ty(), false),
2330 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2331 I.eraseFromParent();
2332 }
2333
2334 void visitVAStartInst(VAStartInst &I) {
2335 VAHelper->visitVAStartInst(I);
2336 }
2337
2338 void visitVACopyInst(VACopyInst &I) {
2339 VAHelper->visitVACopyInst(I);
2340 }
2341
2342 /// Handle vector store-like intrinsics.
2343 ///
2344 /// Instrument intrinsics that look like a simple SIMD store: writes memory,
2345 /// has 1 pointer argument and 1 vector argument, returns void.
2346 bool handleVectorStoreIntrinsic(IntrinsicInst &I) {
2347 IRBuilder<> IRB(&I);
2348 Value* Addr = I.getArgOperand(0);
2349 Value *Shadow = getShadow(&I, 1);
2350 Value *ShadowPtr, *OriginPtr;
2351
2352 // We don't know the pointer alignment (could be unaligned SSE store!).
2353 // Have to assume the worst case.
2354 std::tie(ShadowPtr, OriginPtr) = getShadowOriginPtr(
2355 Addr, IRB, Shadow->getType(), /*Alignment*/ 1, /*isStore*/ true);
2356 IRB.CreateAlignedStore(Shadow, ShadowPtr, 1);
2357
2358 if (ClCheckAccessAddress)
2359 insertShadowCheck(Addr, &I);
2360
2361 // FIXME: factor out common code from materializeStores
2362 if (MS.TrackOrigins) IRB.CreateStore(getOrigin(&I, 1), OriginPtr);
2363 return true;
2364 }
2365
2366 /// Handle vector load-like intrinsics.
2367 ///
2368 /// Instrument intrinsics that look like a simple SIMD load: reads memory,
2369 /// has 1 pointer argument, returns a vector.
2370 bool handleVectorLoadIntrinsic(IntrinsicInst &I) {
2371 IRBuilder<> IRB(&I);
2372 Value *Addr = I.getArgOperand(0);
2373
2374 Type *ShadowTy = getShadowTy(&I);
2375 Value *ShadowPtr, *OriginPtr;
2376 if (PropagateShadow) {
2377 // We don't know the pointer alignment (could be unaligned SSE load!).
2378 // Have to assume the worst case.
2379 unsigned Alignment = 1;
2380 std::tie(ShadowPtr, OriginPtr) =
2381 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ false);
2382 setShadow(&I, IRB.CreateAlignedLoad(ShadowPtr, Alignment, "_msld"));
2383 } else {
2384 setShadow(&I, getCleanShadow(&I));
2385 }
2386
2387 if (ClCheckAccessAddress)
2388 insertShadowCheck(Addr, &I);
2389
2390 if (MS.TrackOrigins) {
2391 if (PropagateShadow)
2392 setOrigin(&I, IRB.CreateLoad(OriginPtr));
2393 else
2394 setOrigin(&I, getCleanOrigin());
2395 }
2396 return true;
2397 }
2398
2399 /// Handle (SIMD arithmetic)-like intrinsics.
2400 ///
2401 /// Instrument intrinsics with any number of arguments of the same type,
2402 /// equal to the return type. The type should be simple (no aggregates or
2403 /// pointers; vectors are fine).
2404 /// Caller guarantees that this intrinsic does not access memory.
2405 bool maybeHandleSimpleNomemIntrinsic(IntrinsicInst &I) {
2406 Type *RetTy = I.getType();
2407 if (!(RetTy->isIntOrIntVectorTy() ||
2408 RetTy->isFPOrFPVectorTy() ||
2409 RetTy->isX86_MMXTy()))
2410 return false;
2411
2412 unsigned NumArgOperands = I.getNumArgOperands();
2413
2414 for (unsigned i = 0; i < NumArgOperands; ++i) {
2415 Type *Ty = I.getArgOperand(i)->getType();
2416 if (Ty != RetTy)
2417 return false;
2418 }
2419
2420 IRBuilder<> IRB(&I);
2421 ShadowAndOriginCombiner SC(this, IRB);
2422 for (unsigned i = 0; i < NumArgOperands; ++i)
2423 SC.Add(I.getArgOperand(i));
2424 SC.Done(&I);
2425
2426 return true;
2427 }
2428
2429 /// Heuristically instrument unknown intrinsics.
2430 ///
2431 /// The main purpose of this code is to do something reasonable with all
2432 /// random intrinsics we might encounter, most importantly - SIMD intrinsics.
2433 /// We recognize several classes of intrinsics by their argument types and
2434 /// ModRefBehavior and apply special instrumentation when we are reasonably
2435 /// sure that we know what the intrinsic does.
2436 ///
2437 /// We special-case intrinsics where this approach fails. See llvm.bswap
2438 /// handling as an example of that.
2439 bool handleUnknownIntrinsic(IntrinsicInst &I) {
2440 unsigned NumArgOperands = I.getNumArgOperands();
2441 if (NumArgOperands == 0)
2442 return false;
2443
2444 if (NumArgOperands == 2 &&
2445 I.getArgOperand(0)->getType()->isPointerTy() &&
2446 I.getArgOperand(1)->getType()->isVectorTy() &&
2447 I.getType()->isVoidTy() &&
2448 !I.onlyReadsMemory()) {
2449 // This looks like a vector store.
2450 return handleVectorStoreIntrinsic(I);
2451 }
2452
2453 if (NumArgOperands == 1 &&
2454 I.getArgOperand(0)->getType()->isPointerTy() &&
2455 I.getType()->isVectorTy() &&
2456 I.onlyReadsMemory()) {
2457 // This looks like a vector load.
2458 return handleVectorLoadIntrinsic(I);
2459 }
2460
2461 if (I.doesNotAccessMemory())
2462 if (maybeHandleSimpleNomemIntrinsic(I))
2463 return true;
2464
2465 // FIXME: detect and handle SSE maskstore/maskload
2466 return false;
2467 }
2468
2469 void handleBswap(IntrinsicInst &I) {
2470 IRBuilder<> IRB(&I);
2471 Value *Op = I.getArgOperand(0);
2472 Type *OpType = Op->getType();
2473 Function *BswapFunc = Intrinsic::getDeclaration(
2474 F.getParent(), Intrinsic::bswap, makeArrayRef(&OpType, 1));
2475 setShadow(&I, IRB.CreateCall(BswapFunc, getShadow(Op)));
2476 setOrigin(&I, getOrigin(Op));
2477 }
2478
2479 // Instrument vector convert intrinsic.
2480 //
2481 // This function instruments intrinsics like cvtsi2ss:
2482 // %Out = int_xxx_cvtyyy(%ConvertOp)
2483 // or
2484 // %Out = int_xxx_cvtyyy(%CopyOp, %ConvertOp)
2485 // Intrinsic converts \p NumUsedElements elements of \p ConvertOp to the same
2486 // number of \p Out elements, and (if it has 2 arguments) copies the rest of
2487 // the elements from \p CopyOp.
2488 // In most cases conversion involves a floating-point value which may trigger
2489 // a hardware exception when not fully initialized. For this reason we require
2490 // \p ConvertOp[0:NumUsedElements] to be fully initialized and trap otherwise.
2491 // We copy the shadow of \p CopyOp[NumUsedElements:] to \p
2492 // Out[NumUsedElements:].
This means that intrinsics without \p CopyOp always 2493 // return a fully initialized value. 2494 void handleVectorConvertIntrinsic(IntrinsicInst &I, int NumUsedElements) { 2495 IRBuilder<> IRB(&I); 2496 Value *CopyOp, *ConvertOp; 2497 2498 switch (I.getNumArgOperands()) { 2499 case 3: 2500 assert(isa<ConstantInt>(I.getArgOperand(2)) && "Invalid rounding mode"); 2501 LLVM_FALLTHROUGH; 2502 case 2: 2503 CopyOp = I.getArgOperand(0); 2504 ConvertOp = I.getArgOperand(1); 2505 break; 2506 case 1: 2507 ConvertOp = I.getArgOperand(0); 2508 CopyOp = nullptr; 2509 break; 2510 default: 2511 llvm_unreachable("Cvt intrinsic with unsupported number of arguments."); 2512 } 2513 2514 // The first *NumUsedElements* elements of ConvertOp are converted to the 2515 // same number of output elements. The rest of the output is copied from 2516 // CopyOp, or (if not available) filled with zeroes. 2517 // Combine shadow for elements of ConvertOp that are used in this operation, 2518 // and insert a check. 2519 // FIXME: consider propagating shadow of ConvertOp, at least in the case of 2520 // int->any conversion. 2521 Value *ConvertShadow = getShadow(ConvertOp); 2522 Value *AggShadow = nullptr; 2523 if (ConvertOp->getType()->isVectorTy()) { 2524 AggShadow = IRB.CreateExtractElement( 2525 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), 0)); 2526 for (int i = 1; i < NumUsedElements; ++i) { 2527 Value *MoreShadow = IRB.CreateExtractElement( 2528 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), i)); 2529 AggShadow = IRB.CreateOr(AggShadow, MoreShadow); 2530 } 2531 } else { 2532 AggShadow = ConvertShadow; 2533 } 2534 assert(AggShadow->getType()->isIntegerTy()); 2535 insertShadowCheck(AggShadow, getOrigin(ConvertOp), &I); 2536 2537 // Build result shadow by zero-filling parts of CopyOp shadow that come from 2538 // ConvertOp. 2539 if (CopyOp) { 2540 assert(CopyOp->getType() == I.getType()); 2541 assert(CopyOp->getType()->isVectorTy()); 2542 Value *ResultShadow = getShadow(CopyOp); 2543 Type *EltTy = ResultShadow->getType()->getVectorElementType(); 2544 for (int i = 0; i < NumUsedElements; ++i) { 2545 ResultShadow = IRB.CreateInsertElement( 2546 ResultShadow, ConstantInt::getNullValue(EltTy), 2547 ConstantInt::get(IRB.getInt32Ty(), i)); 2548 } 2549 setShadow(&I, ResultShadow); 2550 setOrigin(&I, getOrigin(CopyOp)); 2551 } else { 2552 setShadow(&I, getCleanShadow(&I)); 2553 setOrigin(&I, getCleanOrigin()); 2554 } 2555 } 2556 2557 // Given a scalar or vector, extract lower 64 bits (or less), and return all 2558 // zeroes if it is zero, and all ones otherwise. 2559 Value *Lower64ShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) { 2560 if (S->getType()->isVectorTy()) 2561 S = CreateShadowCast(IRB, S, IRB.getInt64Ty(), /* Signed */ true); 2562 assert(S->getType()->getPrimitiveSizeInBits() <= 64); 2563 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S)); 2564 return CreateShadowCast(IRB, S2, T, /* Signed */ true); 2565 } 2566 2567 // Given a vector, extract its first element, and return all 2568 // zeroes if it is zero, and all ones otherwise. 
2569 Value *LowerElementShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) {
2570 Value *S1 = IRB.CreateExtractElement(S, (uint64_t)0);
2571 Value *S2 = IRB.CreateICmpNE(S1, getCleanShadow(S1));
2572 return CreateShadowCast(IRB, S2, T, /* Signed */ true);
2573 }
2574
2575 Value *VariableShadowExtend(IRBuilder<> &IRB, Value *S) {
2576 Type *T = S->getType();
2577 assert(T->isVectorTy());
2578 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S));
2579 return IRB.CreateSExt(S2, T);
2580 }
2581
2582 // Instrument vector shift intrinsic.
2583 //
2584 // This function instruments intrinsics like int_x86_avx2_psll_w.
2585 // Intrinsic shifts %In by %ShiftSize bits.
2586 // %ShiftSize may be a vector. In that case the lower 64 bits determine shift
2587 // size, and the rest is ignored. Behavior is defined even if shift size is
2588 // greater than register (or field) width.
2589 void handleVectorShiftIntrinsic(IntrinsicInst &I, bool Variable) {
2590 assert(I.getNumArgOperands() == 2);
2591 IRBuilder<> IRB(&I);
2592 // If any of the S2 bits are poisoned, the whole thing is poisoned.
2593 // Otherwise perform the same shift on S1.
2594 Value *S1 = getShadow(&I, 0);
2595 Value *S2 = getShadow(&I, 1);
2596 Value *S2Conv = Variable ? VariableShadowExtend(IRB, S2)
2597 : Lower64ShadowExtend(IRB, S2, getShadowTy(&I));
2598 Value *V1 = I.getOperand(0);
2599 Value *V2 = I.getOperand(1);
2600 Value *Shift = IRB.CreateCall(I.getCalledValue(),
2601 {IRB.CreateBitCast(S1, V1->getType()), V2});
2602 Shift = IRB.CreateBitCast(Shift, getShadowTy(&I));
2603 setShadow(&I, IRB.CreateOr(Shift, S2Conv));
2604 setOriginForNaryOp(I);
2605 }
2606
2607 // Get an X86_MMX-sized vector type.
2608 Type *getMMXVectorTy(unsigned EltSizeInBits) {
2609 const unsigned X86_MMXSizeInBits = 64;
2610 return VectorType::get(IntegerType::get(*MS.C, EltSizeInBits),
2611 X86_MMXSizeInBits / EltSizeInBits);
2612 }
2613
2614 // Returns a signed counterpart for an (un)signed-saturate-and-pack
2615 // intrinsic.
2616 Intrinsic::ID getSignedPackIntrinsic(Intrinsic::ID id) {
2617 switch (id) {
2618 case Intrinsic::x86_sse2_packsswb_128:
2619 case Intrinsic::x86_sse2_packuswb_128:
2620 return Intrinsic::x86_sse2_packsswb_128;
2621
2622 case Intrinsic::x86_sse2_packssdw_128:
2623 case Intrinsic::x86_sse41_packusdw:
2624 return Intrinsic::x86_sse2_packssdw_128;
2625
2626 case Intrinsic::x86_avx2_packsswb:
2627 case Intrinsic::x86_avx2_packuswb:
2628 return Intrinsic::x86_avx2_packsswb;
2629
2630 case Intrinsic::x86_avx2_packssdw:
2631 case Intrinsic::x86_avx2_packusdw:
2632 return Intrinsic::x86_avx2_packssdw;
2633
2634 case Intrinsic::x86_mmx_packsswb:
2635 case Intrinsic::x86_mmx_packuswb:
2636 return Intrinsic::x86_mmx_packsswb;
2637
2638 case Intrinsic::x86_mmx_packssdw:
2639 return Intrinsic::x86_mmx_packssdw;
2640 default:
2641 llvm_unreachable("unexpected intrinsic id");
2642 }
2643 }
2644
2645 // Instrument vector pack intrinsic.
2646 //
2647 // This function instruments intrinsics like x86_mmx_packsswb, that
2648 // pack elements of 2 input vectors into half as many bits with saturation.
2649 // Shadow is propagated with the signed variant of the same intrinsic applied
2650 // to sext(Sa != zeroinitializer), sext(Sb != zeroinitializer).
2651 // EltSizeInBits is used only for x86mmx arguments.
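// E.g. (a sketch) for packsswb with <8 x i16> operand shadows Sa and Sb,
// the result shadow is packsswb(sext(Sa != 0), sext(Sb != 0)): a clean
// source element packs to 0x00, a poisoned one to an all-ones 0xff byte.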
2652 void handleVectorPackIntrinsic(IntrinsicInst &I, unsigned EltSizeInBits = 0) {
2653 assert(I.getNumArgOperands() == 2);
2654 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
2655 IRBuilder<> IRB(&I);
2656 Value *S1 = getShadow(&I, 0);
2657 Value *S2 = getShadow(&I, 1);
2658 assert(isX86_MMX || S1->getType()->isVectorTy());
2659
2660 // SExt and ICmpNE below must apply to individual elements of input vectors.
2661 // In case of x86mmx arguments, cast them to appropriate vector types and
2662 // back.
2663 Type *T = isX86_MMX ? getMMXVectorTy(EltSizeInBits) : S1->getType();
2664 if (isX86_MMX) {
2665 S1 = IRB.CreateBitCast(S1, T);
2666 S2 = IRB.CreateBitCast(S2, T);
2667 }
2668 Value *S1_ext = IRB.CreateSExt(
2669 IRB.CreateICmpNE(S1, Constant::getNullValue(T)), T);
2670 Value *S2_ext = IRB.CreateSExt(
2671 IRB.CreateICmpNE(S2, Constant::getNullValue(T)), T);
2672 if (isX86_MMX) {
2673 Type *X86_MMXTy = Type::getX86_MMXTy(*MS.C);
2674 S1_ext = IRB.CreateBitCast(S1_ext, X86_MMXTy);
2675 S2_ext = IRB.CreateBitCast(S2_ext, X86_MMXTy);
2676 }
2677
2678 Function *ShadowFn = Intrinsic::getDeclaration(
2679 F.getParent(), getSignedPackIntrinsic(I.getIntrinsicID()));
2680
2681 Value *S =
2682 IRB.CreateCall(ShadowFn, {S1_ext, S2_ext}, "_msprop_vector_pack");
2683 if (isX86_MMX) S = IRB.CreateBitCast(S, getShadowTy(&I));
2684 setShadow(&I, S);
2685 setOriginForNaryOp(I);
2686 }
2687
2688 // Instrument sum-of-absolute-differences intrinsic.
2689 void handleVectorSadIntrinsic(IntrinsicInst &I) {
2690 const unsigned SignificantBitsPerResultElement = 16;
2691 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
2692 Type *ResTy = isX86_MMX ? IntegerType::get(*MS.C, 64) : I.getType();
2693 unsigned ZeroBitsPerResultElement =
2694 ResTy->getScalarSizeInBits() - SignificantBitsPerResultElement;
2695
2696 IRBuilder<> IRB(&I);
2697 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1));
2698 S = IRB.CreateBitCast(S, ResTy);
2699 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)),
2700 ResTy);
2701 S = IRB.CreateLShr(S, ZeroBitsPerResultElement);
2702 S = IRB.CreateBitCast(S, getShadowTy(&I));
2703 setShadow(&I, S);
2704 setOriginForNaryOp(I);
2705 }
2706
2707 // Instrument multiply-add intrinsic.
2708 void handleVectorPmaddIntrinsic(IntrinsicInst &I,
2709 unsigned EltSizeInBits = 0) {
2710 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
2711 Type *ResTy = isX86_MMX ? getMMXVectorTy(EltSizeInBits * 2) : I.getType();
2712 IRBuilder<> IRB(&I);
2713 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1));
2714 S = IRB.CreateBitCast(S, ResTy);
2715 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)),
2716 ResTy);
2717 S = IRB.CreateBitCast(S, getShadowTy(&I));
2718 setShadow(&I, S);
2719 setOriginForNaryOp(I);
2720 }
2721
2722 // Instrument compare-packed intrinsic.
2723 // Basically, an or followed by sext(icmp ne 0) to end up with all-zeros or
2724 // all-ones shadow.
2725 void handleVectorComparePackedIntrinsic(IntrinsicInst &I) {
2726 IRBuilder<> IRB(&I);
2727 Type *ResTy = getShadowTy(&I);
2728 Value *S0 = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1));
2729 Value *S = IRB.CreateSExt(
2730 IRB.CreateICmpNE(S0, Constant::getNullValue(ResTy)), ResTy);
2731 setShadow(&I, S);
2732 setOriginForNaryOp(I);
2733 }
2734
2735 // Instrument compare-scalar intrinsic.
2736 // This handles both cmp* intrinsics which return the result in the first
2737 // element of a vector, and comi* which return the result as i32.
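// E.g. (a sketch) for ucomisd, the combined shadow is S0 = Sa | Sb, and
// LowerElementShadowExtend turns it into an i32 result shadow that is all
// ones iff the lowest element of S0 is non-zero, and zero otherwise.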
2738 void handleVectorCompareScalarIntrinsic(IntrinsicInst &I) { 2739 IRBuilder<> IRB(&I); 2740 Value *S0 = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1)); 2741 Value *S = LowerElementShadowExtend(IRB, S0, getShadowTy(&I)); 2742 setShadow(&I, S); 2743 setOriginForNaryOp(I); 2744 } 2745 2746 void handleStmxcsr(IntrinsicInst &I) { 2747 IRBuilder<> IRB(&I); 2748 Value* Addr = I.getArgOperand(0); 2749 Type *Ty = IRB.getInt32Ty(); 2750 Value *ShadowPtr = 2751 getShadowOriginPtr(Addr, IRB, Ty, /*Alignment*/ 1, /*isStore*/ true) 2752 .first; 2753 2754 IRB.CreateStore(getCleanShadow(Ty), 2755 IRB.CreatePointerCast(ShadowPtr, Ty->getPointerTo())); 2756 2757 if (ClCheckAccessAddress) 2758 insertShadowCheck(Addr, &I); 2759 } 2760 2761 void handleLdmxcsr(IntrinsicInst &I) { 2762 if (!InsertChecks) return; 2763 2764 IRBuilder<> IRB(&I); 2765 Value *Addr = I.getArgOperand(0); 2766 Type *Ty = IRB.getInt32Ty(); 2767 unsigned Alignment = 1; 2768 Value *ShadowPtr, *OriginPtr; 2769 std::tie(ShadowPtr, OriginPtr) = 2770 getShadowOriginPtr(Addr, IRB, Ty, Alignment, /*isStore*/ false); 2771 2772 if (ClCheckAccessAddress) 2773 insertShadowCheck(Addr, &I); 2774 2775 Value *Shadow = IRB.CreateAlignedLoad(ShadowPtr, Alignment, "_ldmxcsr"); 2776 Value *Origin = 2777 MS.TrackOrigins ? IRB.CreateLoad(OriginPtr) : getCleanOrigin(); 2778 insertShadowCheck(Shadow, Origin, &I); 2779 } 2780 2781 void handleMaskedStore(IntrinsicInst &I) { 2782 IRBuilder<> IRB(&I); 2783 Value *V = I.getArgOperand(0); 2784 Value *Addr = I.getArgOperand(1); 2785 unsigned Align = cast<ConstantInt>(I.getArgOperand(2))->getZExtValue(); 2786 Value *Mask = I.getArgOperand(3); 2787 Value *Shadow = getShadow(V); 2788 2789 Value *ShadowPtr; 2790 Value *OriginPtr; 2791 std::tie(ShadowPtr, OriginPtr) = getShadowOriginPtr( 2792 Addr, IRB, Shadow->getType(), Align, /*isStore*/ true); 2793 2794 if (ClCheckAccessAddress) { 2795 insertShadowCheck(Addr, &I); 2796 // Uninitialized mask is kind of like uninitialized address, but not as 2797 // scary. 2798 insertShadowCheck(Mask, &I); 2799 } 2800 2801 IRB.CreateMaskedStore(Shadow, ShadowPtr, Align, Mask); 2802 2803 if (MS.TrackOrigins) { 2804 auto &DL = F.getParent()->getDataLayout(); 2805 paintOrigin(IRB, getOrigin(V), OriginPtr, 2806 DL.getTypeStoreSize(Shadow->getType()), 2807 std::max(Align, kMinOriginAlignment)); 2808 } 2809 } 2810 2811 bool handleMaskedLoad(IntrinsicInst &I) { 2812 IRBuilder<> IRB(&I); 2813 Value *Addr = I.getArgOperand(0); 2814 unsigned Align = cast<ConstantInt>(I.getArgOperand(1))->getZExtValue(); 2815 Value *Mask = I.getArgOperand(2); 2816 Value *PassThru = I.getArgOperand(3); 2817 2818 Type *ShadowTy = getShadowTy(&I); 2819 Value *ShadowPtr, *OriginPtr; 2820 if (PropagateShadow) { 2821 std::tie(ShadowPtr, OriginPtr) = 2822 getShadowOriginPtr(Addr, IRB, ShadowTy, Align, /*isStore*/ false); 2823 setShadow(&I, IRB.CreateMaskedLoad(ShadowPtr, Align, Mask, 2824 getShadow(PassThru), "_msmaskedld")); 2825 } else { 2826 setShadow(&I, getCleanShadow(&I)); 2827 } 2828 2829 if (ClCheckAccessAddress) { 2830 insertShadowCheck(Addr, &I); 2831 insertShadowCheck(Mask, &I); 2832 } 2833 2834 if (MS.TrackOrigins) { 2835 if (PropagateShadow) { 2836 // Choose between PassThru's and the loaded value's origins. 
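// (Sketch of the logic below: the relevant lanes of PassThru's shadow are
// OR-ed into a single value; if it is non-zero, PassThru's origin wins,
// otherwise we use the origin loaded from OriginPtr.)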
2837 Value *MaskedPassThruShadow = IRB.CreateAnd( 2838 getShadow(PassThru), IRB.CreateSExt(IRB.CreateNeg(Mask), ShadowTy)); 2839 2840 Value *Acc = IRB.CreateExtractElement( 2841 MaskedPassThruShadow, ConstantInt::get(IRB.getInt32Ty(), 0)); 2842 for (int i = 1, N = PassThru->getType()->getVectorNumElements(); i < N; 2843 ++i) { 2844 Value *More = IRB.CreateExtractElement( 2845 MaskedPassThruShadow, ConstantInt::get(IRB.getInt32Ty(), i)); 2846 Acc = IRB.CreateOr(Acc, More); 2847 } 2848 2849 Value *Origin = IRB.CreateSelect( 2850 IRB.CreateICmpNE(Acc, Constant::getNullValue(Acc->getType())), 2851 getOrigin(PassThru), IRB.CreateLoad(OriginPtr)); 2852 2853 setOrigin(&I, Origin); 2854 } else { 2855 setOrigin(&I, getCleanOrigin()); 2856 } 2857 } 2858 return true; 2859 } 2860 2861 2862 void visitIntrinsicInst(IntrinsicInst &I) { 2863 switch (I.getIntrinsicID()) { 2864 case Intrinsic::bswap: 2865 handleBswap(I); 2866 break; 2867 case Intrinsic::masked_store: 2868 handleMaskedStore(I); 2869 break; 2870 case Intrinsic::masked_load: 2871 handleMaskedLoad(I); 2872 break; 2873 case Intrinsic::x86_sse_stmxcsr: 2874 handleStmxcsr(I); 2875 break; 2876 case Intrinsic::x86_sse_ldmxcsr: 2877 handleLdmxcsr(I); 2878 break; 2879 case Intrinsic::x86_avx512_vcvtsd2usi64: 2880 case Intrinsic::x86_avx512_vcvtsd2usi32: 2881 case Intrinsic::x86_avx512_vcvtss2usi64: 2882 case Intrinsic::x86_avx512_vcvtss2usi32: 2883 case Intrinsic::x86_avx512_cvttss2usi64: 2884 case Intrinsic::x86_avx512_cvttss2usi: 2885 case Intrinsic::x86_avx512_cvttsd2usi64: 2886 case Intrinsic::x86_avx512_cvttsd2usi: 2887 case Intrinsic::x86_avx512_cvtusi2ss: 2888 case Intrinsic::x86_avx512_cvtusi642sd: 2889 case Intrinsic::x86_avx512_cvtusi642ss: 2890 case Intrinsic::x86_sse2_cvtsd2si64: 2891 case Intrinsic::x86_sse2_cvtsd2si: 2892 case Intrinsic::x86_sse2_cvtsd2ss: 2893 case Intrinsic::x86_sse2_cvttsd2si64: 2894 case Intrinsic::x86_sse2_cvttsd2si: 2895 case Intrinsic::x86_sse_cvtss2si64: 2896 case Intrinsic::x86_sse_cvtss2si: 2897 case Intrinsic::x86_sse_cvttss2si64: 2898 case Intrinsic::x86_sse_cvttss2si: 2899 handleVectorConvertIntrinsic(I, 1); 2900 break; 2901 case Intrinsic::x86_sse_cvtps2pi: 2902 case Intrinsic::x86_sse_cvttps2pi: 2903 handleVectorConvertIntrinsic(I, 2); 2904 break; 2905 2906 case Intrinsic::x86_avx512_psll_w_512: 2907 case Intrinsic::x86_avx512_psll_d_512: 2908 case Intrinsic::x86_avx512_psll_q_512: 2909 case Intrinsic::x86_avx512_pslli_w_512: 2910 case Intrinsic::x86_avx512_pslli_d_512: 2911 case Intrinsic::x86_avx512_pslli_q_512: 2912 case Intrinsic::x86_avx512_psrl_w_512: 2913 case Intrinsic::x86_avx512_psrl_d_512: 2914 case Intrinsic::x86_avx512_psrl_q_512: 2915 case Intrinsic::x86_avx512_psra_w_512: 2916 case Intrinsic::x86_avx512_psra_d_512: 2917 case Intrinsic::x86_avx512_psra_q_512: 2918 case Intrinsic::x86_avx512_psrli_w_512: 2919 case Intrinsic::x86_avx512_psrli_d_512: 2920 case Intrinsic::x86_avx512_psrli_q_512: 2921 case Intrinsic::x86_avx512_psrai_w_512: 2922 case Intrinsic::x86_avx512_psrai_d_512: 2923 case Intrinsic::x86_avx512_psrai_q_512: 2924 case Intrinsic::x86_avx512_psra_q_256: 2925 case Intrinsic::x86_avx512_psra_q_128: 2926 case Intrinsic::x86_avx512_psrai_q_256: 2927 case Intrinsic::x86_avx512_psrai_q_128: 2928 case Intrinsic::x86_avx2_psll_w: 2929 case Intrinsic::x86_avx2_psll_d: 2930 case Intrinsic::x86_avx2_psll_q: 2931 case Intrinsic::x86_avx2_pslli_w: 2932 case Intrinsic::x86_avx2_pslli_d: 2933 case Intrinsic::x86_avx2_pslli_q: 2934 case Intrinsic::x86_avx2_psrl_w: 2935 case 
Intrinsic::x86_avx2_psrl_d: 2936 case Intrinsic::x86_avx2_psrl_q: 2937 case Intrinsic::x86_avx2_psra_w: 2938 case Intrinsic::x86_avx2_psra_d: 2939 case Intrinsic::x86_avx2_psrli_w: 2940 case Intrinsic::x86_avx2_psrli_d: 2941 case Intrinsic::x86_avx2_psrli_q: 2942 case Intrinsic::x86_avx2_psrai_w: 2943 case Intrinsic::x86_avx2_psrai_d: 2944 case Intrinsic::x86_sse2_psll_w: 2945 case Intrinsic::x86_sse2_psll_d: 2946 case Intrinsic::x86_sse2_psll_q: 2947 case Intrinsic::x86_sse2_pslli_w: 2948 case Intrinsic::x86_sse2_pslli_d: 2949 case Intrinsic::x86_sse2_pslli_q: 2950 case Intrinsic::x86_sse2_psrl_w: 2951 case Intrinsic::x86_sse2_psrl_d: 2952 case Intrinsic::x86_sse2_psrl_q: 2953 case Intrinsic::x86_sse2_psra_w: 2954 case Intrinsic::x86_sse2_psra_d: 2955 case Intrinsic::x86_sse2_psrli_w: 2956 case Intrinsic::x86_sse2_psrli_d: 2957 case Intrinsic::x86_sse2_psrli_q: 2958 case Intrinsic::x86_sse2_psrai_w: 2959 case Intrinsic::x86_sse2_psrai_d: 2960 case Intrinsic::x86_mmx_psll_w: 2961 case Intrinsic::x86_mmx_psll_d: 2962 case Intrinsic::x86_mmx_psll_q: 2963 case Intrinsic::x86_mmx_pslli_w: 2964 case Intrinsic::x86_mmx_pslli_d: 2965 case Intrinsic::x86_mmx_pslli_q: 2966 case Intrinsic::x86_mmx_psrl_w: 2967 case Intrinsic::x86_mmx_psrl_d: 2968 case Intrinsic::x86_mmx_psrl_q: 2969 case Intrinsic::x86_mmx_psra_w: 2970 case Intrinsic::x86_mmx_psra_d: 2971 case Intrinsic::x86_mmx_psrli_w: 2972 case Intrinsic::x86_mmx_psrli_d: 2973 case Intrinsic::x86_mmx_psrli_q: 2974 case Intrinsic::x86_mmx_psrai_w: 2975 case Intrinsic::x86_mmx_psrai_d: 2976 handleVectorShiftIntrinsic(I, /* Variable */ false); 2977 break; 2978 case Intrinsic::x86_avx2_psllv_d: 2979 case Intrinsic::x86_avx2_psllv_d_256: 2980 case Intrinsic::x86_avx512_psllv_d_512: 2981 case Intrinsic::x86_avx2_psllv_q: 2982 case Intrinsic::x86_avx2_psllv_q_256: 2983 case Intrinsic::x86_avx512_psllv_q_512: 2984 case Intrinsic::x86_avx2_psrlv_d: 2985 case Intrinsic::x86_avx2_psrlv_d_256: 2986 case Intrinsic::x86_avx512_psrlv_d_512: 2987 case Intrinsic::x86_avx2_psrlv_q: 2988 case Intrinsic::x86_avx2_psrlv_q_256: 2989 case Intrinsic::x86_avx512_psrlv_q_512: 2990 case Intrinsic::x86_avx2_psrav_d: 2991 case Intrinsic::x86_avx2_psrav_d_256: 2992 case Intrinsic::x86_avx512_psrav_d_512: 2993 case Intrinsic::x86_avx512_psrav_q_128: 2994 case Intrinsic::x86_avx512_psrav_q_256: 2995 case Intrinsic::x86_avx512_psrav_q_512: 2996 handleVectorShiftIntrinsic(I, /* Variable */ true); 2997 break; 2998 2999 case Intrinsic::x86_sse2_packsswb_128: 3000 case Intrinsic::x86_sse2_packssdw_128: 3001 case Intrinsic::x86_sse2_packuswb_128: 3002 case Intrinsic::x86_sse41_packusdw: 3003 case Intrinsic::x86_avx2_packsswb: 3004 case Intrinsic::x86_avx2_packssdw: 3005 case Intrinsic::x86_avx2_packuswb: 3006 case Intrinsic::x86_avx2_packusdw: 3007 handleVectorPackIntrinsic(I); 3008 break; 3009 3010 case Intrinsic::x86_mmx_packsswb: 3011 case Intrinsic::x86_mmx_packuswb: 3012 handleVectorPackIntrinsic(I, 16); 3013 break; 3014 3015 case Intrinsic::x86_mmx_packssdw: 3016 handleVectorPackIntrinsic(I, 32); 3017 break; 3018 3019 case Intrinsic::x86_mmx_psad_bw: 3020 case Intrinsic::x86_sse2_psad_bw: 3021 case Intrinsic::x86_avx2_psad_bw: 3022 handleVectorSadIntrinsic(I); 3023 break; 3024 3025 case Intrinsic::x86_sse2_pmadd_wd: 3026 case Intrinsic::x86_avx2_pmadd_wd: 3027 case Intrinsic::x86_ssse3_pmadd_ub_sw_128: 3028 case Intrinsic::x86_avx2_pmadd_ub_sw: 3029 handleVectorPmaddIntrinsic(I); 3030 break; 3031 3032 case Intrinsic::x86_ssse3_pmadd_ub_sw: 3033 handleVectorPmaddIntrinsic(I, 8); 
3034 break; 3035 3036 case Intrinsic::x86_mmx_pmadd_wd: 3037 handleVectorPmaddIntrinsic(I, 16); 3038 break; 3039 3040 case Intrinsic::x86_sse_cmp_ss: 3041 case Intrinsic::x86_sse2_cmp_sd: 3042 case Intrinsic::x86_sse_comieq_ss: 3043 case Intrinsic::x86_sse_comilt_ss: 3044 case Intrinsic::x86_sse_comile_ss: 3045 case Intrinsic::x86_sse_comigt_ss: 3046 case Intrinsic::x86_sse_comige_ss: 3047 case Intrinsic::x86_sse_comineq_ss: 3048 case Intrinsic::x86_sse_ucomieq_ss: 3049 case Intrinsic::x86_sse_ucomilt_ss: 3050 case Intrinsic::x86_sse_ucomile_ss: 3051 case Intrinsic::x86_sse_ucomigt_ss: 3052 case Intrinsic::x86_sse_ucomige_ss: 3053 case Intrinsic::x86_sse_ucomineq_ss: 3054 case Intrinsic::x86_sse2_comieq_sd: 3055 case Intrinsic::x86_sse2_comilt_sd: 3056 case Intrinsic::x86_sse2_comile_sd: 3057 case Intrinsic::x86_sse2_comigt_sd: 3058 case Intrinsic::x86_sse2_comige_sd: 3059 case Intrinsic::x86_sse2_comineq_sd: 3060 case Intrinsic::x86_sse2_ucomieq_sd: 3061 case Intrinsic::x86_sse2_ucomilt_sd: 3062 case Intrinsic::x86_sse2_ucomile_sd: 3063 case Intrinsic::x86_sse2_ucomigt_sd: 3064 case Intrinsic::x86_sse2_ucomige_sd: 3065 case Intrinsic::x86_sse2_ucomineq_sd: 3066 handleVectorCompareScalarIntrinsic(I); 3067 break; 3068 3069 case Intrinsic::x86_sse_cmp_ps: 3070 case Intrinsic::x86_sse2_cmp_pd: 3071 // FIXME: For x86_avx_cmp_pd_256 and x86_avx_cmp_ps_256 this function 3072 // generates reasonably looking IR that fails in the backend with "Do not 3073 // know how to split the result of this operator!". 3074 handleVectorComparePackedIntrinsic(I); 3075 break; 3076 3077 default: 3078 if (!handleUnknownIntrinsic(I)) 3079 visitInstruction(I); 3080 break; 3081 } 3082 } 3083 3084 void visitCallSite(CallSite CS) { 3085 Instruction &I = *CS.getInstruction(); 3086 assert(!I.getMetadata("nosanitize")); 3087 assert((CS.isCall() || CS.isInvoke()) && "Unknown type of CallSite"); 3088 if (CS.isCall()) { 3089 CallInst *Call = cast<CallInst>(&I); 3090 3091 // For inline asm, do the usual thing: check argument shadow and mark all 3092 // outputs as clean. Note that any side effects of the inline asm that are 3093 // not immediately visible in its constraints are not handled. 3094 if (Call->isInlineAsm()) { 3095 if (ClHandleAsmConservative) 3096 visitAsmInstruction(I); 3097 else 3098 visitInstruction(I); 3099 return; 3100 } 3101 3102 assert(!isa<IntrinsicInst>(&I) && "intrinsics are handled elsewhere"); 3103 3104 // We are going to insert code that relies on the fact that the callee 3105 // will become a non-readonly function after it is instrumented by us. To 3106 // prevent this code from being optimized out, mark that function 3107 // non-readonly in advance. 3108 if (Function *Func = Call->getCalledFunction()) { 3109 // Clear out readonly/readnone attributes. 
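// (For example, a `readnone` callee is assumed not to read any memory, so
// later passes could treat the __msan_param_tls stores emitted for its
// arguments as dead; `readonly` would similarly let them assume that
// __msan_retval_tls is unchanged across the call.)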
3110 AttrBuilder B; 3111 B.addAttribute(Attribute::ReadOnly) 3112 .addAttribute(Attribute::ReadNone); 3113 Func->removeAttributes(AttributeList::FunctionIndex, B); 3114 } 3115 3116 maybeMarkSanitizerLibraryCallNoBuiltin(Call, TLI); 3117 } 3118 IRBuilder<> IRB(&I); 3119 3120 unsigned ArgOffset = 0; 3121 LLVM_DEBUG(dbgs() << " CallSite: " << I << "\n"); 3122 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end(); 3123 ArgIt != End; ++ArgIt) { 3124 Value *A = *ArgIt; 3125 unsigned i = ArgIt - CS.arg_begin(); 3126 if (!A->getType()->isSized()) { 3127 LLVM_DEBUG(dbgs() << "Arg " << i << " is not sized: " << I << "\n"); 3128 continue; 3129 } 3130 unsigned Size = 0; 3131 Value *Store = nullptr; 3132 // Compute the Shadow for arg even if it is ByVal, because 3133 // in that case getShadow() will copy the actual arg shadow to 3134 // __msan_param_tls. 3135 Value *ArgShadow = getShadow(A); 3136 Value *ArgShadowBase = getShadowPtrForArgument(A, IRB, ArgOffset); 3137 LLVM_DEBUG(dbgs() << " Arg#" << i << ": " << *A 3138 << " Shadow: " << *ArgShadow << "\n"); 3139 bool ArgIsInitialized = false; 3140 const DataLayout &DL = F.getParent()->getDataLayout(); 3141 if (CS.paramHasAttr(i, Attribute::ByVal)) { 3142 assert(A->getType()->isPointerTy() && 3143 "ByVal argument is not a pointer!"); 3144 Size = DL.getTypeAllocSize(A->getType()->getPointerElementType()); 3145 if (ArgOffset + Size > kParamTLSSize) break; 3146 unsigned ParamAlignment = CS.getParamAlignment(i); 3147 unsigned Alignment = std::min(ParamAlignment, kShadowTLSAlignment); 3148 Value *AShadowPtr = 3149 getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), Alignment, 3150 /*isStore*/ false) 3151 .first; 3152 3153 Store = IRB.CreateMemCpy(ArgShadowBase, Alignment, AShadowPtr, 3154 Alignment, Size); 3155 // TODO(glider): need to copy origins. 3156 } else { 3157 Size = DL.getTypeAllocSize(A->getType()); 3158 if (ArgOffset + Size > kParamTLSSize) break; 3159 Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase, 3160 kShadowTLSAlignment); 3161 Constant *Cst = dyn_cast<Constant>(ArgShadow); 3162 if (Cst && Cst->isNullValue()) ArgIsInitialized = true; 3163 } 3164 if (MS.TrackOrigins && !ArgIsInitialized) 3165 IRB.CreateStore(getOrigin(A), 3166 getOriginPtrForArgument(A, IRB, ArgOffset)); 3167 (void)Store; 3168 assert(Size != 0 && Store != nullptr); 3169 LLVM_DEBUG(dbgs() << " Param:" << *Store << "\n"); 3170 ArgOffset += alignTo(Size, 8); 3171 } 3172 LLVM_DEBUG(dbgs() << " done with call args\n"); 3173 3174 FunctionType *FT = 3175 cast<FunctionType>(CS.getCalledValue()->getType()->getContainedType(0)); 3176 if (FT->isVarArg()) { 3177 VAHelper->visitCallSite(CS, IRB); 3178 } 3179 3180 // Now, get the shadow for the RetVal. 3181 if (!I.getType()->isSized()) return; 3182 // Don't emit the epilogue for musttail call returns. 3183 if (CS.isCall() && cast<CallInst>(&I)->isMustTailCall()) return; 3184 IRBuilder<> IRBBefore(&I); 3185 // Until we have full dynamic coverage, make sure the retval shadow is 0. 3186 Value *Base = getShadowPtrForRetval(&I, IRBBefore); 3187 IRBBefore.CreateAlignedStore(getCleanShadow(&I), Base, kShadowTLSAlignment); 3188 BasicBlock::iterator NextInsn; 3189 if (CS.isCall()) { 3190 NextInsn = ++I.getIterator(); 3191 assert(NextInsn != I.getParent()->end()); 3192 } else { 3193 BasicBlock *NormalDest = cast<InvokeInst>(&I)->getNormalDest(); 3194 if (!NormalDest->getSinglePredecessor()) { 3195 // FIXME: this case is tricky, so we are just conservative here. 
3196 // Perhaps we need to split the edge between this BB and NormalDest,
3197 // but a naive attempt to use SplitEdge leads to a crash.
3198 setShadow(&I, getCleanShadow(&I));
3199 setOrigin(&I, getCleanOrigin());
3200 return;
3201 }
3202 // FIXME: NextInsn is likely in a basic block that has not been visited yet.
3203 // Anything inserted there will be instrumented by MSan later!
3204 NextInsn = NormalDest->getFirstInsertionPt();
3205 assert(NextInsn != NormalDest->end() &&
3206 "Could not find insertion point for retval shadow load");
3207 }
3208 IRBuilder<> IRBAfter(&*NextInsn);
3209 Value *RetvalShadow =
3210 IRBAfter.CreateAlignedLoad(getShadowPtrForRetval(&I, IRBAfter),
3211 kShadowTLSAlignment, "_msret");
3212 setShadow(&I, RetvalShadow);
3213 if (MS.TrackOrigins)
3214 setOrigin(&I, IRBAfter.CreateLoad(getOriginPtrForRetval(IRBAfter)));
3215 }
3216 
3217 bool isAMustTailRetVal(Value *RetVal) {
3218 if (auto *I = dyn_cast<BitCastInst>(RetVal)) {
3219 RetVal = I->getOperand(0);
3220 }
3221 if (auto *I = dyn_cast<CallInst>(RetVal)) {
3222 return I->isMustTailCall();
3223 }
3224 return false;
3225 }
3226 
3227 void visitReturnInst(ReturnInst &I) {
3228 IRBuilder<> IRB(&I);
3229 Value *RetVal = I.getReturnValue();
3230 if (!RetVal) return;
3231 // Don't emit the epilogue for musttail call returns.
3232 if (isAMustTailRetVal(RetVal)) return;
3233 Value *ShadowPtr = getShadowPtrForRetval(RetVal, IRB);
3234 if (CheckReturnValue) {
3235 insertShadowCheck(RetVal, &I);
3236 Value *Shadow = getCleanShadow(RetVal);
3237 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
3238 } else {
3239 Value *Shadow = getShadow(RetVal);
3240 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
3241 if (MS.TrackOrigins)
3242 IRB.CreateStore(getOrigin(RetVal), getOriginPtrForRetval(IRB));
3243 }
3244 }
3245 
3246 void visitPHINode(PHINode &I) {
3247 IRBuilder<> IRB(&I);
3248 if (!PropagateShadow) {
3249 setShadow(&I, getCleanShadow(&I));
3250 setOrigin(&I, getCleanOrigin());
3251 return;
3252 }
3253 
3254 ShadowPHINodes.push_back(&I);
3255 setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(),
3256 "_msphi_s"));
3257 if (MS.TrackOrigins)
3258 setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(),
3259 "_msphi_o"));
3260 }
3261 
3262 Value *getLocalVarDescription(AllocaInst &I) {
3263 SmallString<2048> StackDescriptionStorage;
3264 raw_svector_ostream StackDescription(StackDescriptionStorage);
3265 // We create a string with a description of the stack allocation and
3266 // pass it into __msan_set_alloca_origin.
3267 // It will be printed by the run-time if stack-originated UMR is found.
3268 // The first 4 bytes of the string are set to '----' and are replaced by
3269 // the runtime with the stack origin ID on the first call.
3270 StackDescription << "----" << I.getName() << "@" << F.getName();
3271 return createPrivateNonConstGlobalForString(*F.getParent(),
3272 StackDescription.str());
3273 }
3274 
3275 void instrumentAllocaUserspace(AllocaInst &I, IRBuilder<> &IRB, Value *Len) {
3276 if (PoisonStack && ClPoisonStackWithCall) {
3277 IRB.CreateCall(MS.MsanPoisonStackFn,
3278 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len});
3279 } else {
3280 Value *ShadowBase, *OriginBase;
3281 std::tie(ShadowBase, OriginBase) =
3282 getShadowOriginPtr(&I, IRB, IRB.getInt8Ty(), 1, /*isStore*/ true);
3283 
3284 Value *PoisonValue = IRB.getInt8(PoisonStack ?
ClPoisonStackPattern : 0); 3285 IRB.CreateMemSet(ShadowBase, PoisonValue, Len, I.getAlignment()); 3286 } 3287 3288 if (PoisonStack && MS.TrackOrigins) { 3289 Value *Descr = getLocalVarDescription(I); 3290 IRB.CreateCall(MS.MsanSetAllocaOrigin4Fn, 3291 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len, 3292 IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy()), 3293 IRB.CreatePointerCast(&F, MS.IntptrTy)}); 3294 } 3295 } 3296 3297 void instrumentAllocaKmsan(AllocaInst &I, IRBuilder<> &IRB, Value *Len) { 3298 Value *Descr = getLocalVarDescription(I); 3299 if (PoisonStack) { 3300 IRB.CreateCall(MS.MsanPoisonAllocaFn, 3301 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len, 3302 IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy())}); 3303 } else { 3304 IRB.CreateCall(MS.MsanUnpoisonAllocaFn, 3305 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len}); 3306 } 3307 } 3308 3309 void visitAllocaInst(AllocaInst &I) { 3310 setShadow(&I, getCleanShadow(&I)); 3311 setOrigin(&I, getCleanOrigin()); 3312 IRBuilder<> IRB(I.getNextNode()); 3313 const DataLayout &DL = F.getParent()->getDataLayout(); 3314 uint64_t TypeSize = DL.getTypeAllocSize(I.getAllocatedType()); 3315 Value *Len = ConstantInt::get(MS.IntptrTy, TypeSize); 3316 if (I.isArrayAllocation()) 3317 Len = IRB.CreateMul(Len, I.getArraySize()); 3318 3319 if (MS.CompileKernel) 3320 instrumentAllocaKmsan(I, IRB, Len); 3321 else 3322 instrumentAllocaUserspace(I, IRB, Len); 3323 } 3324 3325 void visitSelectInst(SelectInst& I) { 3326 IRBuilder<> IRB(&I); 3327 // a = select b, c, d 3328 Value *B = I.getCondition(); 3329 Value *C = I.getTrueValue(); 3330 Value *D = I.getFalseValue(); 3331 Value *Sb = getShadow(B); 3332 Value *Sc = getShadow(C); 3333 Value *Sd = getShadow(D); 3334 3335 // Result shadow if condition shadow is 0. 3336 Value *Sa0 = IRB.CreateSelect(B, Sc, Sd); 3337 Value *Sa1; 3338 if (I.getType()->isAggregateType()) { 3339 // To avoid "sign extending" i1 to an arbitrary aggregate type, we just do 3340 // an extra "select". This results in much more compact IR. 3341 // Sa = select Sb, poisoned, (select b, Sc, Sd) 3342 Sa1 = getPoisonedShadow(getShadowTy(I.getType())); 3343 } else { 3344 // Sa = select Sb, [ (c^d) | Sc | Sd ], [ b ? Sc : Sd ] 3345 // If Sb (condition is poisoned), look for bits in c and d that are equal 3346 // and both unpoisoned. 3347 // If !Sb (condition is unpoisoned), simply pick one of Sc and Sd. 3348 3349 // Cast arguments to shadow-compatible type. 3350 C = CreateAppToShadowCast(IRB, C); 3351 D = CreateAppToShadowCast(IRB, D); 3352 3353 // Result shadow if condition shadow is 1. 3354 Sa1 = IRB.CreateOr(IRB.CreateXor(C, D), IRB.CreateOr(Sc, Sd)); 3355 } 3356 Value *Sa = IRB.CreateSelect(Sb, Sa1, Sa0, "_msprop_select"); 3357 setShadow(&I, Sa); 3358 if (MS.TrackOrigins) { 3359 // Origins are always i32, so any vector conditions must be flattened. 3360 // FIXME: consider tracking vector origins for app vectors? 3361 if (B->getType()->isVectorTy()) { 3362 Type *FlatTy = getShadowTyNoVec(B->getType()); 3363 B = IRB.CreateICmpNE(IRB.CreateBitCast(B, FlatTy), 3364 ConstantInt::getNullValue(FlatTy)); 3365 Sb = IRB.CreateICmpNE(IRB.CreateBitCast(Sb, FlatTy), 3366 ConstantInt::getNullValue(FlatTy)); 3367 } 3368 // a = select b, c, d 3369 // Oa = Sb ? Ob : (b ? Oc : Od) 3370 setOrigin( 3371 &I, IRB.CreateSelect(Sb, getOrigin(I.getCondition()), 3372 IRB.CreateSelect(B, getOrigin(I.getTrueValue()), 3373 getOrigin(I.getFalseValue())))); 3374 } 3375 } 3376 3377 void visitLandingPadInst(LandingPadInst &I) { 3378 // Do nothing. 
3379 // See https://github.com/google/sanitizers/issues/504 3380 setShadow(&I, getCleanShadow(&I)); 3381 setOrigin(&I, getCleanOrigin()); 3382 } 3383 3384 void visitCatchSwitchInst(CatchSwitchInst &I) { 3385 setShadow(&I, getCleanShadow(&I)); 3386 setOrigin(&I, getCleanOrigin()); 3387 } 3388 3389 void visitFuncletPadInst(FuncletPadInst &I) { 3390 setShadow(&I, getCleanShadow(&I)); 3391 setOrigin(&I, getCleanOrigin()); 3392 } 3393 3394 void visitGetElementPtrInst(GetElementPtrInst &I) { 3395 handleShadowOr(I); 3396 } 3397 3398 void visitExtractValueInst(ExtractValueInst &I) { 3399 IRBuilder<> IRB(&I); 3400 Value *Agg = I.getAggregateOperand(); 3401 LLVM_DEBUG(dbgs() << "ExtractValue: " << I << "\n"); 3402 Value *AggShadow = getShadow(Agg); 3403 LLVM_DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n"); 3404 Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices()); 3405 LLVM_DEBUG(dbgs() << " ResShadow: " << *ResShadow << "\n"); 3406 setShadow(&I, ResShadow); 3407 setOriginForNaryOp(I); 3408 } 3409 3410 void visitInsertValueInst(InsertValueInst &I) { 3411 IRBuilder<> IRB(&I); 3412 LLVM_DEBUG(dbgs() << "InsertValue: " << I << "\n"); 3413 Value *AggShadow = getShadow(I.getAggregateOperand()); 3414 Value *InsShadow = getShadow(I.getInsertedValueOperand()); 3415 LLVM_DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n"); 3416 LLVM_DEBUG(dbgs() << " InsShadow: " << *InsShadow << "\n"); 3417 Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices()); 3418 LLVM_DEBUG(dbgs() << " Res: " << *Res << "\n"); 3419 setShadow(&I, Res); 3420 setOriginForNaryOp(I); 3421 } 3422 3423 void dumpInst(Instruction &I) { 3424 if (CallInst *CI = dyn_cast<CallInst>(&I)) { 3425 errs() << "ZZZ call " << CI->getCalledFunction()->getName() << "\n"; 3426 } else { 3427 errs() << "ZZZ " << I.getOpcodeName() << "\n"; 3428 } 3429 errs() << "QQQ " << I << "\n"; 3430 } 3431 3432 void visitResumeInst(ResumeInst &I) { 3433 LLVM_DEBUG(dbgs() << "Resume: " << I << "\n"); 3434 // Nothing to do here. 3435 } 3436 3437 void visitCleanupReturnInst(CleanupReturnInst &CRI) { 3438 LLVM_DEBUG(dbgs() << "CleanupReturn: " << CRI << "\n"); 3439 // Nothing to do here. 3440 } 3441 3442 void visitCatchReturnInst(CatchReturnInst &CRI) { 3443 LLVM_DEBUG(dbgs() << "CatchReturn: " << CRI << "\n"); 3444 // Nothing to do here. 3445 } 3446 3447 void visitAsmInstruction(Instruction &I) { 3448 // Conservative inline assembly handling: check for poisoned shadow of 3449 // asm() arguments, then unpoison the result and all the memory locations 3450 // pointed to by those arguments. 
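// For example, for
//   asm volatile("..." : "=r"(out) : "r"(in), "r"(ptr));
// the shadows of 'in' and 'ptr' are checked before the asm statement, and
// both the asm result and the memory pointed to by 'ptr' are marked as
// fully initialized after it.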
3451 CallInst *CI = cast<CallInst>(&I);
3452 
3453 for (size_t i = 0, n = CI->getNumOperands(); i < n; i++) {
3454 Value *Operand = CI->getOperand(i);
3455 if (Operand->getType()->isSized())
3456 insertShadowCheck(Operand, &I);
3457 }
3458 setShadow(&I, getCleanShadow(&I));
3459 setOrigin(&I, getCleanOrigin());
3460 IRBuilder<> IRB(&I);
3461 IRB.SetInsertPoint(I.getNextNode());
3462 for (size_t i = 0, n = CI->getNumOperands(); i < n; i++) {
3463 Value *Operand = CI->getOperand(i);
3464 Type *OpType = Operand->getType();
3465 if (!OpType->isPointerTy())
3466 continue;
3467 Type *ElType = OpType->getPointerElementType();
3468 if (!ElType->isSized())
3469 continue;
3470 Value *ShadowPtr, *OriginPtr;
3471 std::tie(ShadowPtr, OriginPtr) = getShadowOriginPtr(
3472 Operand, IRB, ElType, /*Alignment*/ 1, /*isStore*/ true);
3473 Value *CShadow = getCleanShadow(ElType);
3474 IRB.CreateStore(
3475 CShadow,
3476 IRB.CreatePointerCast(ShadowPtr, CShadow->getType()->getPointerTo()));
3477 }
3478 }
3479 
3480 void visitInstruction(Instruction &I) {
3481 // Everything else: stop propagating and check for poisoned shadow.
3482 if (ClDumpStrictInstructions)
3483 dumpInst(I);
3484 LLVM_DEBUG(dbgs() << "DEFAULT: " << I << "\n");
3485 for (size_t i = 0, n = I.getNumOperands(); i < n; i++) {
3486 Value *Operand = I.getOperand(i);
3487 if (Operand->getType()->isSized())
3488 insertShadowCheck(Operand, &I);
3489 }
3490 setShadow(&I, getCleanShadow(&I));
3491 setOrigin(&I, getCleanOrigin());
3492 }
3493 };
3494 
3495 /// AMD64-specific implementation of VarArgHelper.
3496 struct VarArgAMD64Helper : public VarArgHelper {
3497 // An unfortunate workaround for asymmetric lowering of va_arg stuff.
3498 // See a comment in visitCallSite for more details.
3499 static const unsigned AMD64GpEndOffset = 48; // AMD64 ABI Draft 0.99.6 p3.5.7
3500 static const unsigned AMD64FpEndOffsetSSE = 176;
3501 // If SSE is disabled, fp_offset in va_list is zero.
3502 static const unsigned AMD64FpEndOffsetNoSSE = AMD64GpEndOffset;
3503 
3504 unsigned AMD64FpEndOffset;
3505 Function &F;
3506 MemorySanitizer &MS;
3507 MemorySanitizerVisitor &MSV;
3508 Value *VAArgTLSCopy = nullptr;
3509 Value *VAArgTLSOriginCopy = nullptr;
3510 Value *VAArgOverflowSize = nullptr;
3511 
3512 SmallVector<CallInst*, 16> VAStartInstrumentationList;
3513 
3514 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
3515 
3516 VarArgAMD64Helper(Function &F, MemorySanitizer &MS,
3517 MemorySanitizerVisitor &MSV)
3518 : F(F), MS(MS), MSV(MSV) {
3519 AMD64FpEndOffset = AMD64FpEndOffsetSSE;
3520 for (const auto &Attr : F.getAttributes().getFnAttributes()) {
3521 if (Attr.isStringAttribute() &&
3522 (Attr.getKindAsString() == "target-features")) {
3523 if (Attr.getValueAsString().contains("-sse"))
3524 AMD64FpEndOffset = AMD64FpEndOffsetNoSSE;
3525 break;
3526 }
3527 }
3528 }
3529 
3530 ArgKind classifyArgument(Value* arg) {
3531 // A very rough approximation of X86_64 argument classification rules.
3532 Type *T = arg->getType();
3533 if (T->isFPOrFPVectorTy() || T->isX86_MMXTy())
3534 return AK_FloatingPoint;
3535 if (T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64)
3536 return AK_GeneralPurpose;
3537 if (T->isPointerTy())
3538 return AK_GeneralPurpose;
3539 return AK_Memory;
3540 }
3541 
3542 // For VarArg functions, store the argument shadow in an ABI-specific format
3543 // that corresponds to va_list layout.
3544 // We do this because Clang lowers va_arg in the frontend, and this pass 3545 // only sees the low level code that deals with va_list internals. 3546 // A much easier alternative (provided that Clang emits va_arg instructions) 3547 // would have been to associate each live instance of va_list with a copy of 3548 // MSanParamTLS, and extract shadow on va_arg() call in the argument list 3549 // order. 3550 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override { 3551 unsigned GpOffset = 0; 3552 unsigned FpOffset = AMD64GpEndOffset; 3553 unsigned OverflowOffset = AMD64FpEndOffset; 3554 const DataLayout &DL = F.getParent()->getDataLayout(); 3555 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end(); 3556 ArgIt != End; ++ArgIt) { 3557 Value *A = *ArgIt; 3558 unsigned ArgNo = CS.getArgumentNo(ArgIt); 3559 bool IsFixed = ArgNo < CS.getFunctionType()->getNumParams(); 3560 bool IsByVal = CS.paramHasAttr(ArgNo, Attribute::ByVal); 3561 if (IsByVal) { 3562 // ByVal arguments always go to the overflow area. 3563 // Fixed arguments passed through the overflow area will be stepped 3564 // over by va_start, so don't count them towards the offset. 3565 if (IsFixed) 3566 continue; 3567 assert(A->getType()->isPointerTy()); 3568 Type *RealTy = A->getType()->getPointerElementType(); 3569 uint64_t ArgSize = DL.getTypeAllocSize(RealTy); 3570 Value *ShadowBase = getShadowPtrForVAArgument( 3571 RealTy, IRB, OverflowOffset, alignTo(ArgSize, 8)); 3572 Value *OriginBase = nullptr; 3573 if (MS.TrackOrigins) 3574 OriginBase = getOriginPtrForVAArgument(RealTy, IRB, OverflowOffset); 3575 OverflowOffset += alignTo(ArgSize, 8); 3576 if (!ShadowBase) 3577 continue; 3578 Value *ShadowPtr, *OriginPtr; 3579 std::tie(ShadowPtr, OriginPtr) = 3580 MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment, 3581 /*isStore*/ false); 3582 3583 IRB.CreateMemCpy(ShadowBase, kShadowTLSAlignment, ShadowPtr, 3584 kShadowTLSAlignment, ArgSize); 3585 if (MS.TrackOrigins) 3586 IRB.CreateMemCpy(OriginBase, kShadowTLSAlignment, OriginPtr, 3587 kShadowTLSAlignment, ArgSize); 3588 } else { 3589 ArgKind AK = classifyArgument(A); 3590 if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset) 3591 AK = AK_Memory; 3592 if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset) 3593 AK = AK_Memory; 3594 Value *ShadowBase, *OriginBase = nullptr; 3595 switch (AK) { 3596 case AK_GeneralPurpose: 3597 ShadowBase = 3598 getShadowPtrForVAArgument(A->getType(), IRB, GpOffset, 8); 3599 if (MS.TrackOrigins) 3600 OriginBase = 3601 getOriginPtrForVAArgument(A->getType(), IRB, GpOffset); 3602 GpOffset += 8; 3603 break; 3604 case AK_FloatingPoint: 3605 ShadowBase = 3606 getShadowPtrForVAArgument(A->getType(), IRB, FpOffset, 16); 3607 if (MS.TrackOrigins) 3608 OriginBase = 3609 getOriginPtrForVAArgument(A->getType(), IRB, FpOffset); 3610 FpOffset += 16; 3611 break; 3612 case AK_Memory: 3613 if (IsFixed) 3614 continue; 3615 uint64_t ArgSize = DL.getTypeAllocSize(A->getType()); 3616 ShadowBase = 3617 getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset, 8); 3618 if (MS.TrackOrigins) 3619 OriginBase = 3620 getOriginPtrForVAArgument(A->getType(), IRB, OverflowOffset); 3621 OverflowOffset += alignTo(ArgSize, 8); 3622 } 3623 // Take fixed arguments into account for GpOffset and FpOffset, 3624 // but don't actually store shadows for them. 3625 // TODO(glider): don't call get*PtrForVAArgument() for them. 
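// For example, in a call 'printf(fmt, i32 x, double y)' the fixed 'fmt'
// argument only advances GpOffset from 0 to 8; the shadow of 'x' is then
// stored at __msan_va_arg_tls offset 8 and the shadow of 'y' at offset 48
// (AMD64GpEndOffset, the start of the FP register save area).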
3626 if (IsFixed) 3627 continue; 3628 if (!ShadowBase) 3629 continue; 3630 Value *Shadow = MSV.getShadow(A); 3631 IRB.CreateAlignedStore(Shadow, ShadowBase, kShadowTLSAlignment); 3632 if (MS.TrackOrigins) { 3633 Value *Origin = MSV.getOrigin(A); 3634 unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType()); 3635 MSV.paintOrigin(IRB, Origin, OriginBase, StoreSize, 3636 std::max(kShadowTLSAlignment, kMinOriginAlignment)); 3637 } 3638 } 3639 } 3640 Constant *OverflowSize = 3641 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset); 3642 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS); 3643 } 3644 3645 /// Compute the shadow address for a given va_arg. 3646 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, 3647 unsigned ArgOffset, unsigned ArgSize) { 3648 // Make sure we don't overflow __msan_va_arg_tls. 3649 if (ArgOffset + ArgSize > kParamTLSSize) 3650 return nullptr; 3651 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); 3652 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 3653 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), 3654 "_msarg_va_s"); 3655 } 3656 3657 /// Compute the origin address for a given va_arg. 3658 Value *getOriginPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, int ArgOffset) { 3659 Value *Base = IRB.CreatePointerCast(MS.VAArgOriginTLS, MS.IntptrTy); 3660 // getOriginPtrForVAArgument() is always called after 3661 // getShadowPtrForVAArgument(), so __msan_va_arg_origin_tls can never 3662 // overflow. 3663 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 3664 return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0), 3665 "_msarg_va_o"); 3666 } 3667 3668 void unpoisonVAListTagForInst(IntrinsicInst &I) { 3669 IRBuilder<> IRB(&I); 3670 Value *VAListTag = I.getArgOperand(0); 3671 Value *ShadowPtr, *OriginPtr; 3672 unsigned Alignment = 8; 3673 std::tie(ShadowPtr, OriginPtr) = 3674 MSV.getShadowOriginPtr(VAListTag, IRB, IRB.getInt8Ty(), Alignment, 3675 /*isStore*/ true); 3676 3677 // Unpoison the whole __va_list_tag. 3678 // FIXME: magic ABI constants. 3679 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 3680 /* size */ 24, Alignment, false); 3681 // We shouldn't need to zero out the origins, as they're only checked for 3682 // nonzero shadow. 3683 } 3684 3685 void visitVAStartInst(VAStartInst &I) override { 3686 if (F.getCallingConv() == CallingConv::Win64) 3687 return; 3688 VAStartInstrumentationList.push_back(&I); 3689 unpoisonVAListTagForInst(I); 3690 } 3691 3692 void visitVACopyInst(VACopyInst &I) override { 3693 if (F.getCallingConv() == CallingConv::Win64) return; 3694 unpoisonVAListTagForInst(I); 3695 } 3696 3697 void finalizeInstrumentation() override { 3698 assert(!VAArgOverflowSize && !VAArgTLSCopy && 3699 "finalizeInstrumentation called twice"); 3700 if (!VAStartInstrumentationList.empty()) { 3701 // If there is a va_start in this function, make a backup copy of 3702 // va_arg_tls somewhere in the function entry block. 
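// The backup is needed because instrumented calls made by this function
// before the va_list is consumed would overwrite __msan_va_arg_tls with
// the shadow of their own arguments.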
3703 IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI()); 3704 VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS); 3705 Value *CopySize = 3706 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset), 3707 VAArgOverflowSize); 3708 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize); 3709 IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize); 3710 if (MS.TrackOrigins) { 3711 VAArgTLSOriginCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize); 3712 IRB.CreateMemCpy(VAArgTLSOriginCopy, 8, MS.VAArgOriginTLS, 8, CopySize); 3713 } 3714 } 3715 3716 // Instrument va_start. 3717 // Copy va_list shadow from the backup copy of the TLS contents. 3718 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) { 3719 CallInst *OrigInst = VAStartInstrumentationList[i]; 3720 IRBuilder<> IRB(OrigInst->getNextNode()); 3721 Value *VAListTag = OrigInst->getArgOperand(0); 3722 3723 Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr( 3724 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 3725 ConstantInt::get(MS.IntptrTy, 16)), 3726 PointerType::get(Type::getInt64PtrTy(*MS.C), 0)); 3727 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr); 3728 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr; 3729 unsigned Alignment = 16; 3730 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) = 3731 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(), 3732 Alignment, /*isStore*/ true); 3733 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment, 3734 AMD64FpEndOffset); 3735 if (MS.TrackOrigins) 3736 IRB.CreateMemCpy(RegSaveAreaOriginPtr, Alignment, VAArgTLSOriginCopy, 3737 Alignment, AMD64FpEndOffset); 3738 Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr( 3739 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 3740 ConstantInt::get(MS.IntptrTy, 8)), 3741 PointerType::get(Type::getInt64PtrTy(*MS.C), 0)); 3742 Value *OverflowArgAreaPtr = IRB.CreateLoad(OverflowArgAreaPtrPtr); 3743 Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr; 3744 std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) = 3745 MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(), 3746 Alignment, /*isStore*/ true); 3747 Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy, 3748 AMD64FpEndOffset); 3749 IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment, 3750 VAArgOverflowSize); 3751 if (MS.TrackOrigins) { 3752 SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSOriginCopy, 3753 AMD64FpEndOffset); 3754 IRB.CreateMemCpy(OverflowArgAreaOriginPtr, Alignment, SrcPtr, Alignment, 3755 VAArgOverflowSize); 3756 } 3757 } 3758 } 3759 }; 3760 3761 /// MIPS64-specific implementation of VarArgHelper. 
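/// Assumes the MIPS N64 ABI: the va_list is a single pointer into the
/// argument save area, where every variadic argument occupies one or more
/// consecutive 8-byte aligned slots, so the shadow is laid out the same
/// way in __msan_va_arg_tls.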
3762 struct VarArgMIPS64Helper : public VarArgHelper {
3763 Function &F;
3764 MemorySanitizer &MS;
3765 MemorySanitizerVisitor &MSV;
3766 Value *VAArgTLSCopy = nullptr;
3767 Value *VAArgSize = nullptr;
3768 
3769 SmallVector<CallInst*, 16> VAStartInstrumentationList;
3770 
3771 VarArgMIPS64Helper(Function &F, MemorySanitizer &MS,
3772 MemorySanitizerVisitor &MSV) : F(F), MS(MS), MSV(MSV) {}
3773 
3774 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {
3775 unsigned VAArgOffset = 0;
3776 const DataLayout &DL = F.getParent()->getDataLayout();
3777 for (CallSite::arg_iterator ArgIt = CS.arg_begin() +
3778 CS.getFunctionType()->getNumParams(), End = CS.arg_end();
3779 ArgIt != End; ++ArgIt) {
3780 Triple TargetTriple(F.getParent()->getTargetTriple());
3781 Value *A = *ArgIt;
3782 Value *Base;
3783 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
3784 if (TargetTriple.getArch() == Triple::mips64) {
3785 // Adjust the shadow for arguments with size < 8 to match the placement
3786 // of bits on a big-endian system.
3787 if (ArgSize < 8)
3788 VAArgOffset += (8 - ArgSize);
3789 }
3790 Base = getShadowPtrForVAArgument(A->getType(), IRB, VAArgOffset, ArgSize);
3791 VAArgOffset += ArgSize;
3792 VAArgOffset = alignTo(VAArgOffset, 8);
3793 if (!Base)
3794 continue;
3795 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
3796 }
3797 
3798 Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(), VAArgOffset);
3799 // We reuse VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creating a new
3800 // class member; here it holds the total size of all varargs.
3801 IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
3802 }
3803 
3804 /// Compute the shadow address for a given va_arg.
3805 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
3806 unsigned ArgOffset, unsigned ArgSize) {
3807 // Make sure we don't overflow __msan_va_arg_tls.
3808 if (ArgOffset + ArgSize > kParamTLSSize) 3809 return nullptr; 3810 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); 3811 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 3812 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), 3813 "_msarg"); 3814 } 3815 3816 void visitVAStartInst(VAStartInst &I) override { 3817 IRBuilder<> IRB(&I); 3818 VAStartInstrumentationList.push_back(&I); 3819 Value *VAListTag = I.getArgOperand(0); 3820 Value *ShadowPtr, *OriginPtr; 3821 unsigned Alignment = 8; 3822 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr( 3823 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true); 3824 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 3825 /* size */ 8, Alignment, false); 3826 } 3827 3828 void visitVACopyInst(VACopyInst &I) override { 3829 IRBuilder<> IRB(&I); 3830 VAStartInstrumentationList.push_back(&I); 3831 Value *VAListTag = I.getArgOperand(0); 3832 Value *ShadowPtr, *OriginPtr; 3833 unsigned Alignment = 8; 3834 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr( 3835 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true); 3836 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 3837 /* size */ 8, Alignment, false); 3838 } 3839 3840 void finalizeInstrumentation() override { 3841 assert(!VAArgSize && !VAArgTLSCopy && 3842 "finalizeInstrumentation called twice"); 3843 IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI()); 3844 VAArgSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS); 3845 Value *CopySize = IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, 0), 3846 VAArgSize); 3847 3848 if (!VAStartInstrumentationList.empty()) { 3849 // If there is a va_start in this function, make a backup copy of 3850 // va_arg_tls somewhere in the function entry block. 3851 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize); 3852 IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize); 3853 } 3854 3855 // Instrument va_start. 3856 // Copy va_list shadow from the backup copy of the TLS contents. 3857 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) { 3858 CallInst *OrigInst = VAStartInstrumentationList[i]; 3859 IRBuilder<> IRB(OrigInst->getNextNode()); 3860 Value *VAListTag = OrigInst->getArgOperand(0); 3861 Value *RegSaveAreaPtrPtr = 3862 IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 3863 PointerType::get(Type::getInt64PtrTy(*MS.C), 0)); 3864 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr); 3865 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr; 3866 unsigned Alignment = 8; 3867 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) = 3868 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(), 3869 Alignment, /*isStore*/ true); 3870 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment, 3871 CopySize); 3872 } 3873 } 3874 }; 3875 3876 /// AArch64-specific implementation of VarArgHelper. 3877 struct VarArgAArch64Helper : public VarArgHelper { 3878 static const unsigned kAArch64GrArgSize = 64; 3879 static const unsigned kAArch64VrArgSize = 128; 3880 3881 static const unsigned AArch64GrBegOffset = 0; 3882 static const unsigned AArch64GrEndOffset = kAArch64GrArgSize; 3883 // Make VR space aligned to 16 bytes. 
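// With kAArch64GrArgSize == 64, the VR save area in the TLS buffer spans
// offsets [64, 192) and the overflow (stack) area starts at offset 192.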
3884 static const unsigned AArch64VrBegOffset = AArch64GrEndOffset;
3885 static const unsigned AArch64VrEndOffset = AArch64VrBegOffset
3886 + kAArch64VrArgSize;
3887 static const unsigned AArch64VAEndOffset = AArch64VrEndOffset;
3888 
3889 Function &F;
3890 MemorySanitizer &MS;
3891 MemorySanitizerVisitor &MSV;
3892 Value *VAArgTLSCopy = nullptr;
3893 Value *VAArgOverflowSize = nullptr;
3894 
3895 SmallVector<CallInst*, 16> VAStartInstrumentationList;
3896 
3897 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
3898 
3899 VarArgAArch64Helper(Function &F, MemorySanitizer &MS,
3900 MemorySanitizerVisitor &MSV) : F(F), MS(MS), MSV(MSV) {}
3901 
3902 ArgKind classifyArgument(Value* arg) {
3903 Type *T = arg->getType();
3904 if (T->isFPOrFPVectorTy())
3905 return AK_FloatingPoint;
3906 if ((T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64)
3907 || (T->isPointerTy()))
3908 return AK_GeneralPurpose;
3909 return AK_Memory;
3910 }
3911 
3912 // The instrumentation stores the argument shadow in a non-ABI-specific
3913 // format because it does not know which arguments are named (Clang, as
3914 // in the x86_64 case, lowers va_arg in the frontend, and this pass only
3915 // sees the low-level code that deals with va_list internals).
3916 // The first eight GR registers are saved in the first 64 bytes of the
3917 // va_arg TLS array, followed by the first eight FP/SIMD registers, and
3918 // then the remaining arguments.
3919 // Using constant offsets within the va_arg TLS array allows fast copying
3920 // in finalizeInstrumentation().
3921 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {
3922 unsigned GrOffset = AArch64GrBegOffset;
3923 unsigned VrOffset = AArch64VrBegOffset;
3924 unsigned OverflowOffset = AArch64VAEndOffset;
3925 
3926 const DataLayout &DL = F.getParent()->getDataLayout();
3927 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
3928 ArgIt != End; ++ArgIt) {
3929 Value *A = *ArgIt;
3930 unsigned ArgNo = CS.getArgumentNo(ArgIt);
3931 bool IsFixed = ArgNo < CS.getFunctionType()->getNumParams();
3932 ArgKind AK = classifyArgument(A);
3933 if (AK == AK_GeneralPurpose && GrOffset >= AArch64GrEndOffset)
3934 AK = AK_Memory;
3935 if (AK == AK_FloatingPoint && VrOffset >= AArch64VrEndOffset)
3936 AK = AK_Memory;
3937 Value *Base;
3938 switch (AK) {
3939 case AK_GeneralPurpose:
3940 Base = getShadowPtrForVAArgument(A->getType(), IRB, GrOffset, 8);
3941 GrOffset += 8;
3942 break;
3943 case AK_FloatingPoint:
3944 Base = getShadowPtrForVAArgument(A->getType(), IRB, VrOffset, 8);
3945 VrOffset += 16;
3946 break;
3947 case AK_Memory:
3948 // Don't count fixed arguments in the overflow area - va_start will
3949 // skip right over them.
3950 if (IsFixed)
3951 continue;
3952 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
3953 Base = getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset,
3954 alignTo(ArgSize, 8));
3955 OverflowOffset += alignTo(ArgSize, 8);
3956 break;
3957 }
3958 // Count Gp/Vr fixed arguments to their respective offsets, but don't
3959 // bother to actually store a shadow.
3960 if (IsFixed)
3961 continue;
3962 if (!Base)
3963 continue;
3964 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
3965 }
3966 Constant *OverflowSize =
3967 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AArch64VAEndOffset);
3968 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
3969 }
3970 
3971 /// Compute the shadow address for a given va_arg.
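/// E.g. for a variadic function with one fixed pointer argument, the first
/// general-purpose vararg's shadow ends up at __msan_va_arg_tls + 8, since
/// the fixed argument consumes the first 8-byte GR slot.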
3972 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, 3973 unsigned ArgOffset, unsigned ArgSize) { 3974 // Make sure we don't overflow __msan_va_arg_tls. 3975 if (ArgOffset + ArgSize > kParamTLSSize) 3976 return nullptr; 3977 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); 3978 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 3979 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), 3980 "_msarg"); 3981 } 3982 3983 void visitVAStartInst(VAStartInst &I) override { 3984 IRBuilder<> IRB(&I); 3985 VAStartInstrumentationList.push_back(&I); 3986 Value *VAListTag = I.getArgOperand(0); 3987 Value *ShadowPtr, *OriginPtr; 3988 unsigned Alignment = 8; 3989 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr( 3990 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true); 3991 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 3992 /* size */ 32, Alignment, false); 3993 } 3994 3995 void visitVACopyInst(VACopyInst &I) override { 3996 IRBuilder<> IRB(&I); 3997 VAStartInstrumentationList.push_back(&I); 3998 Value *VAListTag = I.getArgOperand(0); 3999 Value *ShadowPtr, *OriginPtr; 4000 unsigned Alignment = 8; 4001 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr( 4002 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true); 4003 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 4004 /* size */ 32, Alignment, false); 4005 } 4006 4007 // Retrieve a va_list field of 'void*' size. 4008 Value* getVAField64(IRBuilder<> &IRB, Value *VAListTag, int offset) { 4009 Value *SaveAreaPtrPtr = 4010 IRB.CreateIntToPtr( 4011 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 4012 ConstantInt::get(MS.IntptrTy, offset)), 4013 Type::getInt64PtrTy(*MS.C)); 4014 return IRB.CreateLoad(SaveAreaPtrPtr); 4015 } 4016 4017 // Retrieve a va_list field of 'int' size. 4018 Value* getVAField32(IRBuilder<> &IRB, Value *VAListTag, int offset) { 4019 Value *SaveAreaPtr = 4020 IRB.CreateIntToPtr( 4021 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 4022 ConstantInt::get(MS.IntptrTy, offset)), 4023 Type::getInt32PtrTy(*MS.C)); 4024 Value *SaveArea32 = IRB.CreateLoad(SaveAreaPtr); 4025 return IRB.CreateSExt(SaveArea32, MS.IntptrTy); 4026 } 4027 4028 void finalizeInstrumentation() override { 4029 assert(!VAArgOverflowSize && !VAArgTLSCopy && 4030 "finalizeInstrumentation called twice"); 4031 if (!VAStartInstrumentationList.empty()) { 4032 // If there is a va_start in this function, make a backup copy of 4033 // va_arg_tls somewhere in the function entry block. 4034 IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI()); 4035 VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS); 4036 Value *CopySize = 4037 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AArch64VAEndOffset), 4038 VAArgOverflowSize); 4039 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize); 4040 IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize); 4041 } 4042 4043 Value *GrArgSize = ConstantInt::get(MS.IntptrTy, kAArch64GrArgSize); 4044 Value *VrArgSize = ConstantInt::get(MS.IntptrTy, kAArch64VrArgSize); 4045 4046 // Instrument va_start, copy va_list shadow from the backup copy of 4047 // the TLS contents. 
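// The AAPCS64 va_list layout assumed by the field reads below:
//   offset  0: void *__stack
//   offset  8: void *__gr_top
//   offset 16: void *__vr_top
//   offset 24: int   __gr_offs
//   offset 28: int   __vr_offs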
4048 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
4049 CallInst *OrigInst = VAStartInstrumentationList[i];
4050 IRBuilder<> IRB(OrigInst->getNextNode());
4051 
4052 Value *VAListTag = OrigInst->getArgOperand(0);
4053 
4054 // The variadic ABI for AArch64 creates two areas to save the incoming
4055 // argument registers (one for the 64-bit general registers x0-x7 and
4056 // another for the 128-bit FP/SIMD registers v0-v7).
4057 // We then need to propagate the shadow arguments to both regions
4058 // 'va::__gr_top + va::__gr_offs' and 'va::__vr_top + va::__vr_offs'.
4059 // The remaining arguments are saved in the shadow for 'va::stack'.
4060 // One caveat is that only the non-named arguments need to be propagated,
4061 // but the call site instrumentation saves 'all' the arguments. So to
4062 // copy the shadow values from the va_arg TLS array
4063 // we need to adjust the offset for both GR and VR fields based on
4064 // the __{gr,vr}_offs value (since they are stored based on the incoming
4065 // named arguments).
4066 
4067 // Read the stack pointer from the va_list.
4068 Value *StackSaveAreaPtr = getVAField64(IRB, VAListTag, 0);
4069 
4070 // Read both the __gr_top and __gr_off and add them up.
4071 Value *GrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 8);
4072 Value *GrOffSaveArea = getVAField32(IRB, VAListTag, 24);
4073 
4074 Value *GrRegSaveAreaPtr = IRB.CreateAdd(GrTopSaveAreaPtr, GrOffSaveArea);
4075 
4076 // Read both the __vr_top and __vr_off and add them up.
4077 Value *VrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 16);
4078 Value *VrOffSaveArea = getVAField32(IRB, VAListTag, 28);
4079 
4080 Value *VrRegSaveAreaPtr = IRB.CreateAdd(VrTopSaveAreaPtr, VrOffSaveArea);
4081 
4082 // The instrumentation does not know how many named arguments are in
4083 // use; at the call site all the arguments were saved. Since __gr_off is
4084 // defined as '0 - ((8 - named_gr) * 8)', the idea is to propagate only
4085 // the variadic arguments by skipping the shadow bytes of the named ones.
4086 Value *GrRegSaveAreaShadowPtrOff =
4087 IRB.CreateAdd(GrArgSize, GrOffSaveArea);
4088 
4089 Value *GrRegSaveAreaShadowPtr =
4090 MSV.getShadowOriginPtr(GrRegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4091 /*Alignment*/ 8, /*isStore*/ true)
4092 .first;
4093 
4094 Value *GrSrcPtr = IRB.CreateInBoundsGEP(IRB.getInt8Ty(), VAArgTLSCopy,
4095 GrRegSaveAreaShadowPtrOff);
4096 Value *GrCopySize = IRB.CreateSub(GrArgSize, GrRegSaveAreaShadowPtrOff);
4097 
4098 IRB.CreateMemCpy(GrRegSaveAreaShadowPtr, 8, GrSrcPtr, 8, GrCopySize);
4099 
4100 // Again, but for FP/SIMD values.
4101 Value *VrRegSaveAreaShadowPtrOff =
4102 IRB.CreateAdd(VrArgSize, VrOffSaveArea);
4103 
4104 Value *VrRegSaveAreaShadowPtr =
4105 MSV.getShadowOriginPtr(VrRegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4106 /*Alignment*/ 8, /*isStore*/ true)
4107 .first;
4108 
4109 Value *VrSrcPtr = IRB.CreateInBoundsGEP(
4110 IRB.getInt8Ty(),
4111 IRB.CreateInBoundsGEP(IRB.getInt8Ty(), VAArgTLSCopy,
4112 IRB.getInt32(AArch64VrBegOffset)),
4113 VrRegSaveAreaShadowPtrOff);
4114 Value *VrCopySize = IRB.CreateSub(VrArgSize, VrRegSaveAreaShadowPtrOff);
4115 
4116 IRB.CreateMemCpy(VrRegSaveAreaShadowPtr, 8, VrSrcPtr, 8, VrCopySize);
4117 
4118 // And finally for remaining arguments.
4119 Value *StackSaveAreaShadowPtr =
4120 MSV.getShadowOriginPtr(StackSaveAreaPtr, IRB, IRB.getInt8Ty(),
4121 /*Alignment*/ 16, /*isStore*/ true)
4122 .first;
4123 
4124 Value *StackSrcPtr =
4125 IRB.CreateInBoundsGEP(IRB.getInt8Ty(), VAArgTLSCopy,
4126 IRB.getInt32(AArch64VAEndOffset));
4127 
4128 IRB.CreateMemCpy(StackSaveAreaShadowPtr, 16, StackSrcPtr, 16,
4129 VAArgOverflowSize);
4130 }
4131 }
4132 };
4133 
4134 /// PowerPC64-specific implementation of VarArgHelper.
4135 struct VarArgPowerPC64Helper : public VarArgHelper {
4136 Function &F;
4137 MemorySanitizer &MS;
4138 MemorySanitizerVisitor &MSV;
4139 Value *VAArgTLSCopy = nullptr;
4140 Value *VAArgSize = nullptr;
4141 
4142 SmallVector<CallInst*, 16> VAStartInstrumentationList;
4143 
4144 VarArgPowerPC64Helper(Function &F, MemorySanitizer &MS,
4145 MemorySanitizerVisitor &MSV) : F(F), MS(MS), MSV(MSV) {}
4146 
4147 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {
4148 // For PowerPC, we need to deal with alignment of stack arguments -
4149 // they are mostly aligned to 8 bytes, but vectors and i128 arrays
4150 // are aligned to 16 bytes, byvals can be aligned to 8 or 16 bytes,
4151 // and QPX vectors are aligned to 32 bytes. For that reason, we
4152 // compute the current offset from the stack pointer (which is always
4153 // properly aligned) and the offset of the first vararg, then subtract them.
4154 unsigned VAArgBase;
4155 Triple TargetTriple(F.getParent()->getTargetTriple());
4156 // The parameter save area starts at 48 bytes from the frame pointer for
4157 // ABIv1, and 32 bytes for ABIv2. This is usually determined by the target
4158 // endianness, but in theory could be overridden by a function attribute.
4159 // For simplicity, we ignore it here (it'd only matter for QPX vectors).
4160 if (TargetTriple.getArch() == Triple::ppc64)
4161 VAArgBase = 48;
4162 else
4163 VAArgBase = 32;
4164 unsigned VAArgOffset = VAArgBase;
4165 const DataLayout &DL = F.getParent()->getDataLayout();
4166 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
4167 ArgIt != End; ++ArgIt) {
4168 Value *A = *ArgIt;
4169 unsigned ArgNo = CS.getArgumentNo(ArgIt);
4170 bool IsFixed = ArgNo < CS.getFunctionType()->getNumParams();
4171 bool IsByVal = CS.paramHasAttr(ArgNo, Attribute::ByVal);
4172 if (IsByVal) {
4173 assert(A->getType()->isPointerTy());
4174 Type *RealTy = A->getType()->getPointerElementType();
4175 uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
4176 uint64_t ArgAlign = CS.getParamAlignment(ArgNo);
4177 if (ArgAlign < 8)
4178 ArgAlign = 8;
4179 VAArgOffset = alignTo(VAArgOffset, ArgAlign);
4180 if (!IsFixed) {
4181 Value *Base = getShadowPtrForVAArgument(
4182 RealTy, IRB, VAArgOffset - VAArgBase, ArgSize);
4183 if (Base) {
4184 Value *AShadowPtr, *AOriginPtr;
4185 std::tie(AShadowPtr, AOriginPtr) =
4186 MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(),
4187 kShadowTLSAlignment, /*isStore*/ false);
4188 
4189 IRB.CreateMemCpy(Base, kShadowTLSAlignment, AShadowPtr,
4190 kShadowTLSAlignment, ArgSize);
4191 }
4192 }
4193 VAArgOffset += alignTo(ArgSize, 8);
4194 } else {
4195 Value *Base;
4196 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
4197 uint64_t ArgAlign = 8;
4198 if (A->getType()->isArrayTy()) {
4199 // Arrays are aligned to element size, except for long double
4200 // arrays, which are aligned to 8 bytes.
4201 Type *ElementTy = A->getType()->getArrayElementType();
4202 if (!ElementTy->isPPC_FP128Ty())
4203 ArgAlign = DL.getTypeAllocSize(ElementTy);
4204 } else if (A->getType()->isVectorTy()) {
4205 // Vectors are naturally aligned.
4206 ArgAlign = DL.getTypeAllocSize(A->getType());
4207 }
4208 if (ArgAlign < 8)
4209 ArgAlign = 8;
4210 VAArgOffset = alignTo(VAArgOffset, ArgAlign);
4211 if (DL.isBigEndian()) {
4212 // Adjust the shadow for arguments with size < 8 to match the placement
4213 // of bits on a big-endian system.
4214 if (ArgSize < 8)
4215 VAArgOffset += (8 - ArgSize);
4216 }
4217 if (!IsFixed) {
4218 Base = getShadowPtrForVAArgument(A->getType(), IRB,
4219 VAArgOffset - VAArgBase, ArgSize);
4220 if (Base)
4221 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
4222 }
4223 VAArgOffset += ArgSize;
4224 VAArgOffset = alignTo(VAArgOffset, 8);
4225 }
4226 if (IsFixed)
4227 VAArgBase = VAArgOffset;
4228 }
4229 
4230 Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(),
4231 VAArgOffset - VAArgBase);
4232 // We reuse VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creating a new
4233 // class member; here it holds the total size of all varargs.
4234 IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
4235 }
4236 
4237 /// Compute the shadow address for a given va_arg.
4238 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
4239 unsigned ArgOffset, unsigned ArgSize) {
4240 // Make sure we don't overflow __msan_va_arg_tls.
4241 if (ArgOffset + ArgSize > kParamTLSSize)
4242 return nullptr;
4243 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
4244 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
4245 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
4246 "_msarg");
4247 }
4248 
4249 void visitVAStartInst(VAStartInst &I) override {
4250 IRBuilder<> IRB(&I);
4251 VAStartInstrumentationList.push_back(&I);
4252 Value *VAListTag = I.getArgOperand(0);
4253 Value *ShadowPtr, *OriginPtr;
4254 unsigned Alignment = 8;
4255 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4256 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4257 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4258 /* size */ 8, Alignment, false);
4259 }
4260 
4261 void visitVACopyInst(VACopyInst &I) override {
4262 IRBuilder<> IRB(&I);
4263 Value *VAListTag = I.getArgOperand(0);
4264 Value *ShadowPtr, *OriginPtr;
4265 unsigned Alignment = 8;
4266 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4267 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4268 // Unpoison the whole __va_list_tag.
4269 // FIXME: magic ABI constants.
4270 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4271 /* size */ 8, Alignment, false);
4272 }
4273 
4274 void finalizeInstrumentation() override {
4275 assert(!VAArgSize && !VAArgTLSCopy &&
4276 "finalizeInstrumentation called twice");
4277 IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI());
4278 VAArgSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS);
4279 Value *CopySize = IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, 0),
4280 VAArgSize);
4281 
4282 if (!VAStartInstrumentationList.empty()) {
4283 // If there is a va_start in this function, make a backup copy of
4284 // va_arg_tls somewhere in the function entry block.
4285 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
4286 IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize);
4287 }
4288 
4289 // Instrument va_start.
4290 // Copy va_list shadow from the backup copy of the TLS contents.
4291 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
4292 CallInst *OrigInst = VAStartInstrumentationList[i];
4293 IRBuilder<> IRB(OrigInst->getNextNode());
4294 Value *VAListTag = OrigInst->getArgOperand(0);
4295 Value *RegSaveAreaPtrPtr =
4296 IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
4297 PointerType::get(Type::getInt64PtrTy(*MS.C), 0));
4298 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr);
4299 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
4300 unsigned Alignment = 8;
4301 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
4302 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4303 Alignment, /*isStore*/ true);
4304 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
4305 CopySize);
4306 }
4307 }
4308 };
4309 
4310 /// A no-op implementation of VarArgHelper.
4311 struct VarArgNoOpHelper : public VarArgHelper {
4312 VarArgNoOpHelper(Function &F, MemorySanitizer &MS,
4313 MemorySanitizerVisitor &MSV) {}
4314 
4315 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {}
4316 
4317 void visitVAStartInst(VAStartInst &I) override {}
4318 
4319 void visitVACopyInst(VACopyInst &I) override {}
4320 
4321 void finalizeInstrumentation() override {}
4322 };
4323 
4324 } // end anonymous namespace
4325 
4326 static VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
4327 MemorySanitizerVisitor &Visitor) {
4328 // VarArg handling is implemented only on AMD64, MIPS64, AArch64 and
4329 // PowerPC64; on other platforms false positives are possible.
4330 Triple TargetTriple(Func.getParent()->getTargetTriple());
4331 if (TargetTriple.getArch() == Triple::x86_64)
4332 return new VarArgAMD64Helper(Func, Msan, Visitor);
4333 else if (TargetTriple.isMIPS64())
4334 return new VarArgMIPS64Helper(Func, Msan, Visitor);
4335 else if (TargetTriple.getArch() == Triple::aarch64)
4336 return new VarArgAArch64Helper(Func, Msan, Visitor);
4337 else if (TargetTriple.getArch() == Triple::ppc64 ||
4338 TargetTriple.getArch() == Triple::ppc64le)
4339 return new VarArgPowerPC64Helper(Func, Msan, Visitor);
4340 else
4341 return new VarArgNoOpHelper(Func, Msan, Visitor);
4342 }
4343 
4344 bool MemorySanitizer::runOnFunction(Function &F) {
4345 if (!CompileKernel && (&F == MsanCtorFunction))
4346 return false;
4347 MemorySanitizerVisitor Visitor(F, *this);
4348 
4349 // Clear out readonly/readnone attributes.
4350 AttrBuilder B;
4351 B.addAttribute(Attribute::ReadOnly)
4352 .addAttribute(Attribute::ReadNone);
4353 F.removeAttributes(AttributeList::FunctionIndex, B);
4354 
4355 return Visitor.runOnFunction();
4356 }
4357