10 // Conceptually the pass injects shadow computations using higher precision
69 // Using smaller shadow types types can help improve speed. For example, `dlq`
73     "nsan-shadow-type-mapping", cl::init("dqq"),
74     cl::desc("One shadow type id for each of `float`, `double`, `long double`. "
77              "shadow `float` as `double`, and `double` and `x86_fp80` as "
97         "shadow check in the shadow (`x_shadow == 0.0) == (x == 0.0f)`) or app "
104 // When there is external, uninstrumented code writing to memory, the shadow
109 // framework did a bad job at tracking shadow memory modifications by failing on
126 // It's not really necessary to shadow such stores,
127 // if the shadow value is unknown the framework will re-extend it on load
150 // attached for all possible shadow types.
155   // The LLVM Type corresponding to the shadow type.
158   // The nsan type id of the shadow type (`d`, `l`, `q`, ...).
171 // `double` (`d`) shadow type.
178 // `x86_fp80` (`l`) shadow type: X86 long double.
185 // `fp128` (`q`) shadow type.
192 // `ppc_fp128` (`e`) shadow type: IBM extended double with 106 bits of mantissa.
212   report_fatal_error("nsan: invalid shadow type id '" + Twine(TypeId) + "'");  in fromNsanTypeId()
215 // An enum corresponding to shadow value types. Used as indices in arrays, so
260 // A specific mapping configuration of application type to shadow type for nsan
261 // (see -nsan-shadow-mapping flag).
278       // Check that the shadow type size is at most kShadowScale times the  in MappingConfig()
279       // application type size, so that shadow memory compoutations are valid.  in MappingConfig()
283                            ": The shadow type size should be at most " +  in MappingConfig()
292     // going to do an fpextend of `shadow(float) -> shadow(long double)` in  in MappingConfig()
293     // shadow code. This will fail in `qql` mode, since nsan would be  in MappingConfig()
310   // Returns the extended shadow type for a given application type.
421 // A map of LLVM IR values to shadow LLVM IR values.
429   // Sets the shadow value for a value. Asserts that the value does not already
431   void setShadow(Value &V, Value &Shadow) {  in setShadow()  argument
432     [[maybe_unused]] const bool Inserted = Map.try_emplace(&V, &Shadow).second;  in setShadow()
437         errs() << "duplicate shadow (" << &V << "): ";  in setShadow()
441     assert(Inserted && "duplicate shadow");  in setShadow()
444   // Returns true if the value already has a shadow (including if the value is a
450   // Returns the shadow value for a given value. Asserts that the value has
451   // a shadow value. Lazily creates shadows for constant values.
461   // Extends a constant application value to its shadow counterpart.
468   // Returns the shadow constant for the given application constant.
685 // This instruments the function entry to create shadow arguments.
708   // The function has shadow args if the shadow args tag matches the function  in createShadowArguments()
725     Value *Shadow = Builder.CreateSelect(HasShadowArgs, L,  in createShadowArguments()  local
727     Map.setShadow(Arg, *Shadow);  in createShadowArguments()
776 // Populates the shadow call stack (which contains shadow values for every
780   // Do not create a shadow stack for inline asm.  in populateShadowStack()
802   // Do not create shadow stacks for intrinsics/known lib funcs.  in populateShadowStack()
809   // Set the shadow stack tag.  in populateShadowStack()
831 // computation should continue with the shadow or resume by re-fextending the
910 // Inserts a runtime check of V against its shadow value ShadowV.
913 // Returns the shadow value that should be used to continue the computations,
940 // Inserts a check that fcmp on shadow values are consistent with that on base
965   // Create the shadow fcmp and comparison between the fcmps.  in emitFCmpCheck()
986     // shadow are the same. We want all elements to be 1.  in emitFCmpCheck()
1046 // Creates a shadow phi value for any phi that defines a value of FT type.
1053   // The phi operands are shadow values and are not available when the phi is  in maybeCreateShadowPhi()
1054   // created. They will be populated in a final phase, once all shadow values  in maybeCreateShadowPhi()
1056   PHINode *Shadow = PHINode::Create(ExtendedVT, Phi.getNumIncomingValues());  in maybeCreateShadowPhi()  local
1057   Shadow->insertAfter(&Phi);  in maybeCreateShadowPhi()
1058   return Shadow;  in maybeCreateShadowPhi()
1066     // No need to look into the shadow memory, the value is a constant. Just  in handleLoad()
1072   //    %shadow = fpext %v  in handleLoad()
1074   //    %shadow = load (ptrcast %shadow_ptr))  in handleLoad()
1094   // Create the two options for creating the shadow value.  in handleLoad()
1127   // The shadow value come from any of the options.  in handleLoad()
1145   //  - (A) If the source has a shadow, we truncate from the shadow, else we  in handleTrunc()
1147   //  - (B) If the shadow of the source is larger than the shadow of the dest,  in handleTrunc()
1148   //    we still need a truncate. Else, the shadow of the source is the same  in handleTrunc()
1149   //    type as the shadow of the dest (because mappings are non-decreasing), so  in handleTrunc()
1192   //  - (A) If the source has a shadow, we extend from the shadow, else we  in handleExt()
1194   //  - (B) If the shadow of the dest is larger than the shadow of the source,  in handleExt()
1195   //    we still need an extend. Else, the shadow of the source is the same  in handleExt()
1196   //    type as the shadow of the dest (because mappings are non-decreasing), so  in handleExt()
1244   // that applies the same operation on the shadow argument.
1511       // call the non-wide version on a truncated shadow and extend again  in maybeHandleKnownCallBase()
1551            "don't know how to get the shadow value for a non-FT");  in maybeHandleKnownCallBase()
1552     Value *Shadow = Map.getShadow(Arg);  in maybeHandleKnownCallBase()  local
1554       // The shadow is the right type for the intrinsic.  in maybeHandleKnownCallBase()
1555       assert(Shadow->getType() == ShadowArgTy);  in maybeHandleKnownCallBase()
1556       Args.push_back(Shadow);  in maybeHandleKnownCallBase()
1559     // There is no intrinsic with his level of precision, truncate the shadow.  in maybeHandleKnownCallBase()
1560     Args.push_back(Builder.CreateFPTrunc(Shadow, IntrinsicArgTy));  in maybeHandleKnownCallBase()
1581   // blindly calling them (e.g. compute the sinus in the actual shadow domain).  in handleCallBase()
1587   // return value from the shadow ret ptr. Else, just extend the return value.  in handleCallBase()
1597   Value *Shadow = Builder.CreateSelect(HasShadowRet, ShadowRetVal,  in handleCallBase()  local
1600   return Shadow;  in handleCallBase()
1603 // Creates a shadow value for the given FT value. At that point all operands are
1610   assert(ExtendedVT != nullptr && "trying to create a shadow for a non-FT");  in createShadowValueWithOperandsAvailable()
1634     Value *Shadow = handleCallBase(*Invoke, VT, ExtendedVT, TLI, Map, Builder);  in createShadowValueWithOperandsAvailable()  local
1637     return Shadow;  in createShadowValueWithOperandsAvailable()
1693 // Creates a shadow value for an instruction that defines a value of FT type.
1694 // FT operands that do not already have shadow values are created recursively.
1705     return; // Shadow already exists.  in maybeCreateShadowValue()
1714     // The shadow for the instruction might have been created deeper in the DFS,  in maybeCreateShadowValue()
1727         continue; // Shadow is already available.  in maybeCreateShadowValue()
1734     // All operands have shadows. Create a shadow for the current value.  in maybeCreateShadowValue()
1735     Value *Shadow = createShadowValueWithOperandsAvailable(*I, TLI, Map);  in maybeCreateShadowValue()  local
1736     Map.setShadow(*I, *Shadow);  in maybeCreateShadowValue()
1741 // A floating-point store needs its value and type written to shadow memory.
1767 // A non-ft store needs to invalidate shadow memory. Exceptions are:
1801     // Read the shadow type and value at load time. The type has the same size  in propagateNonFTStore()
1815     // Write back the shadow type and value at store time.  in propagateNonFTStore()
1875       Value *Shadow =  in propagateNonFTStore()  local
1877       Builder.CreateAlignedStore(Shadow, ShadowPtr, Align(1),  in propagateNonFTStore()
1882   // All other stores just reset the shadow value to unknown.  in propagateNonFTStore()
1990   //    FT, a shadow IR value `s(v)` with twice the precision 2FT (e.g.  in sanitizeFunction()
1992   //  - A shadow memory, which stores `s(v)` for any `v` that has been stored,  in sanitizeFunction()
1993   //    along with a shadow memory tag, which stores whether the value in the  in sanitizeFunction()
1994   //    corresponding shadow memory is valid. Note that this might be  in sanitizeFunction()
1997   //  - A shadow stack, which holds `s(v)` for any floating-point argument `v`  in sanitizeFunction()
1999   //    instrumented functions to retrieve the shadow values for their  in sanitizeFunction()
2003   //    function knows whether shadow values are available for their  in sanitizeFunction()
2005   //    When shadow arguments are not available, they have to be recreated by  in sanitizeFunction()
2006   //    extending the precision of the non-shadow arguments to the non-shadow  in sanitizeFunction()
2008   //    shadow stack. The shadow stack pointer is __nsan_shadow_args. The shadow  in sanitizeFunction()
2013   //     calls                             shadow stack tag      shadow stack  in sanitizeFunction()
2034   //   Note that functions reset the tag to 0 after reading shadow parameters.  in sanitizeFunction()
2039   //   shadow arguments (which would be incorrect).  in sanitizeFunction()
2051   //  - A shadow return slot. Any function that returns a floating-point value  in sanitizeFunction()
2052   //    places a shadow return value in __nsan_shadow_ret_val. Again, because  in sanitizeFunction()
2059   //    `instrumented_1` rejects the shadow return value from `instrumented_3`  in sanitizeFunction()
2072   // their overload on the shadow type.  in sanitizeFunction()
2074   // Collect all instructions before processing, as creating shadow values  in sanitizeFunction()
2084   // In the first pass, we create shadow values for all FT function arguments  in sanitizeFunction()
2091       if (PHINode *Shadow = maybeCreateShadowPhi(*Phi, TLI)) {  in sanitizeFunction()  local
2093         ValueToShadow.setShadow(*Phi, *Shadow);  in sanitizeFunction()
2098   // Create shadow values for all instructions creating FT values.  in sanitizeFunction()
2102   // Propagate shadow values across stores, calls and rets.  in sanitizeFunction()
2106   // The last pass populates shadow phis with shadow values.  in sanitizeFunction()
2111       Value *Shadow = ValueToShadow.getShadow(V);  in sanitizeFunction()  local
2113       // For some instructions (e.g. invoke), we create the shadow in a separate  in sanitizeFunction()
2115       // In that case, the shadow phi might need to refer to this block instead  in sanitizeFunction()
2119       ShadowPhi->addIncoming(Shadow, IncomingBB);  in sanitizeFunction()
2126 // Instrument the memory intrinsics so that they properly modify the shadow