1 //===- StackProtector.cpp - Stack Protector Insertion ---------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This pass inserts stack protectors into functions which need them. A variable
10 // with a random value in it is stored onto the stack before the local variables
11 // are allocated. Upon exiting the block, the stored value is checked. If it's
12 // changed, then there was some sort of violation and the program aborts.
13 //
14 //===----------------------------------------------------------------------===//
15
16 #include "llvm/CodeGen/StackProtector.h"
17 #include "llvm/ADT/SmallVector.h"
18 #include "llvm/ADT/Statistic.h"
19 #include "llvm/Analysis/BranchProbabilityInfo.h"
20 #include "llvm/Analysis/MemoryLocation.h"
21 #include "llvm/Analysis/OptimizationRemarkEmitter.h"
22 #include "llvm/CodeGen/Analysis.h"
23 #include "llvm/CodeGen/Passes.h"
24 #include "llvm/CodeGen/TargetLowering.h"
25 #include "llvm/CodeGen/TargetPassConfig.h"
26 #include "llvm/CodeGen/TargetSubtargetInfo.h"
27 #include "llvm/IR/Attributes.h"
28 #include "llvm/IR/BasicBlock.h"
29 #include "llvm/IR/Constants.h"
30 #include "llvm/IR/DataLayout.h"
31 #include "llvm/IR/DerivedTypes.h"
32 #include "llvm/IR/Dominators.h"
33 #include "llvm/IR/EHPersonalities.h"
34 #include "llvm/IR/Function.h"
35 #include "llvm/IR/IRBuilder.h"
36 #include "llvm/IR/Instruction.h"
37 #include "llvm/IR/Instructions.h"
38 #include "llvm/IR/IntrinsicInst.h"
39 #include "llvm/IR/Intrinsics.h"
40 #include "llvm/IR/MDBuilder.h"
41 #include "llvm/IR/Module.h"
42 #include "llvm/IR/Type.h"
43 #include "llvm/IR/User.h"
44 #include "llvm/InitializePasses.h"
45 #include "llvm/Pass.h"
46 #include "llvm/Support/Casting.h"
47 #include "llvm/Support/CommandLine.h"
48 #include "llvm/Target/TargetMachine.h"
49 #include "llvm/Target/TargetOptions.h"
50 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
51 #include <optional>
52 #include <utility>
53
54 using namespace llvm;
55
56 #define DEBUG_TYPE "stack-protector"
57
58 STATISTIC(NumFunProtected, "Number of functions protected");
59 STATISTIC(NumAddrTaken, "Number of local variables that have their address"
60 " taken.");
61
62 static cl::opt<bool> EnableSelectionDAGSP("enable-selectiondag-sp",
63 cl::init(true), cl::Hidden);
64 static cl::opt<bool> DisableCheckNoReturn("disable-check-noreturn-call",
65 cl::init(false), cl::Hidden);
66
67 /// InsertStackProtectors - Insert code into the prologue and epilogue of the
68 /// function.
69 ///
70 /// - The prologue code loads and stores the stack guard onto the stack.
71 /// - The epilogue checks the value stored in the prologue against the original
72 /// value. It calls __stack_chk_fail if they differ.
73 static bool InsertStackProtectors(const TargetMachine *TM, Function *F,
74 DomTreeUpdater *DTU, bool &HasPrologue,
75 bool &HasIRCheck);
76
77 /// CreateFailBB - Create a basic block to jump to when the stack protector
78 /// check fails.
79 static BasicBlock *CreateFailBB(Function *F, const TargetLowering &TLI);
80
shouldEmitSDCheck(const BasicBlock & BB) const81 bool SSPLayoutInfo::shouldEmitSDCheck(const BasicBlock &BB) const {
82 return HasPrologue && !HasIRCheck && isa<ReturnInst>(BB.getTerminator());
83 }
84
copyToMachineFrameInfo(MachineFrameInfo & MFI) const85 void SSPLayoutInfo::copyToMachineFrameInfo(MachineFrameInfo &MFI) const {
86 if (Layout.empty())
87 return;
88
89 for (int I = 0, E = MFI.getObjectIndexEnd(); I != E; ++I) {
90 if (MFI.isDeadObjectIndex(I))
91 continue;
92
93 const AllocaInst *AI = MFI.getObjectAllocation(I);
94 if (!AI)
95 continue;
96
97 SSPLayoutMap::const_iterator LI = Layout.find(AI);
98 if (LI == Layout.end())
99 continue;
100
101 MFI.setObjectSSPLayout(I, LI->second);
102 }
103 }
104
run(Function & F,FunctionAnalysisManager & FAM)105 SSPLayoutInfo SSPLayoutAnalysis::run(Function &F,
106 FunctionAnalysisManager &FAM) {
107
108 SSPLayoutInfo Info;
109 Info.RequireStackProtector =
110 SSPLayoutAnalysis::requiresStackProtector(&F, &Info.Layout);
111 Info.SSPBufferSize = F.getFnAttributeAsParsedInteger(
112 "stack-protector-buffer-size", SSPLayoutInfo::DefaultSSPBufferSize);
113 return Info;
114 }
115
116 AnalysisKey SSPLayoutAnalysis::Key;
117
run(Function & F,FunctionAnalysisManager & FAM)118 PreservedAnalyses StackProtectorPass::run(Function &F,
119 FunctionAnalysisManager &FAM) {
120 auto &Info = FAM.getResult<SSPLayoutAnalysis>(F);
121 auto *DT = FAM.getCachedResult<DominatorTreeAnalysis>(F);
122 DomTreeUpdater DTU(DT, DomTreeUpdater::UpdateStrategy::Lazy);
123
124 if (!Info.RequireStackProtector)
125 return PreservedAnalyses::all();
126
127 // TODO(etienneb): Functions with funclets are not correctly supported now.
128 // Do nothing if this is funclet-based personality.
129 if (F.hasPersonalityFn()) {
130 EHPersonality Personality = classifyEHPersonality(F.getPersonalityFn());
131 if (isFuncletEHPersonality(Personality))
132 return PreservedAnalyses::all();
133 }
134
135 ++NumFunProtected;
136 bool Changed = InsertStackProtectors(TM, &F, DT ? &DTU : nullptr,
137 Info.HasPrologue, Info.HasIRCheck);
138 #ifdef EXPENSIVE_CHECKS
139 assert((!DT ||
140 DTU.getDomTree().verify(DominatorTree::VerificationLevel::Full)) &&
141 "Failed to maintain validity of domtree!");
142 #endif
143
144 if (!Changed)
145 return PreservedAnalyses::all();
146 PreservedAnalyses PA;
147 PA.preserve<SSPLayoutAnalysis>();
148 PA.preserve<DominatorTreeAnalysis>();
149 return PA;
150 }
151
152 char StackProtector::ID = 0;
153
StackProtector()154 StackProtector::StackProtector() : FunctionPass(ID) {
155 initializeStackProtectorPass(*PassRegistry::getPassRegistry());
156 }
157
158 INITIALIZE_PASS_BEGIN(StackProtector, DEBUG_TYPE,
159 "Insert stack protectors", false, true)
INITIALIZE_PASS_DEPENDENCY(TargetPassConfig)160 INITIALIZE_PASS_DEPENDENCY(TargetPassConfig)
161 INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
162 INITIALIZE_PASS_END(StackProtector, DEBUG_TYPE,
163 "Insert stack protectors", false, true)
164
165 FunctionPass *llvm::createStackProtectorPass() { return new StackProtector(); }
166
getAnalysisUsage(AnalysisUsage & AU) const167 void StackProtector::getAnalysisUsage(AnalysisUsage &AU) const {
168 AU.addRequired<TargetPassConfig>();
169 AU.addPreserved<DominatorTreeWrapperPass>();
170 }
171
runOnFunction(Function & Fn)172 bool StackProtector::runOnFunction(Function &Fn) {
173 F = &Fn;
174 M = F->getParent();
175 if (auto *DTWP = getAnalysisIfAvailable<DominatorTreeWrapperPass>())
176 DTU.emplace(DTWP->getDomTree(), DomTreeUpdater::UpdateStrategy::Lazy);
177 TM = &getAnalysis<TargetPassConfig>().getTM<TargetMachine>();
178 LayoutInfo.HasPrologue = false;
179 LayoutInfo.HasIRCheck = false;
180
181 LayoutInfo.SSPBufferSize = Fn.getFnAttributeAsParsedInteger(
182 "stack-protector-buffer-size", SSPLayoutInfo::DefaultSSPBufferSize);
183 if (!requiresStackProtector(F, &LayoutInfo.Layout))
184 return false;
185
186 // TODO(etienneb): Functions with funclets are not correctly supported now.
187 // Do nothing if this is funclet-based personality.
188 if (Fn.hasPersonalityFn()) {
189 EHPersonality Personality = classifyEHPersonality(Fn.getPersonalityFn());
190 if (isFuncletEHPersonality(Personality))
191 return false;
192 }
193
194 ++NumFunProtected;
195 bool Changed =
196 InsertStackProtectors(TM, F, DTU ? &*DTU : nullptr,
197 LayoutInfo.HasPrologue, LayoutInfo.HasIRCheck);
198 #ifdef EXPENSIVE_CHECKS
199 assert((!DTU ||
200 DTU->getDomTree().verify(DominatorTree::VerificationLevel::Full)) &&
201 "Failed to maintain validity of domtree!");
202 #endif
203 DTU.reset();
204 return Changed;
205 }
206
207 /// \param [out] IsLarge is set to true if a protectable array is found and
208 /// it is "large" ( >= ssp-buffer-size). In the case of a structure with
209 /// multiple arrays, this gets set if any of them is large.
ContainsProtectableArray(Type * Ty,Module * M,unsigned SSPBufferSize,bool & IsLarge,bool Strong,bool InStruct)210 static bool ContainsProtectableArray(Type *Ty, Module *M, unsigned SSPBufferSize,
211 bool &IsLarge, bool Strong,
212 bool InStruct) {
213 if (!Ty)
214 return false;
215 if (ArrayType *AT = dyn_cast<ArrayType>(Ty)) {
216 if (!AT->getElementType()->isIntegerTy(8)) {
217 // If we're on a non-Darwin platform or we're inside of a structure, don't
218 // add stack protectors unless the array is a character array.
219 // However, in strong mode any array, regardless of type and size,
220 // triggers a protector.
221 if (!Strong && (InStruct || !M->getTargetTriple().isOSDarwin()))
222 return false;
223 }
224
225 // If an array has more than SSPBufferSize bytes of allocated space, then we
226 // emit stack protectors.
227 if (SSPBufferSize <= M->getDataLayout().getTypeAllocSize(AT)) {
228 IsLarge = true;
229 return true;
230 }
231
232 if (Strong)
233 // Require a protector for all arrays in strong mode
234 return true;
235 }
236
237 const StructType *ST = dyn_cast<StructType>(Ty);
238 if (!ST)
239 return false;
240
241 bool NeedsProtector = false;
242 for (Type *ET : ST->elements())
243 if (ContainsProtectableArray(ET, M, SSPBufferSize, IsLarge, Strong, true)) {
244 // If the element is a protectable array and is large (>= SSPBufferSize)
245 // then we are done. If the protectable array is not large, then
246 // keep looking in case a subsequent element is a large array.
247 if (IsLarge)
248 return true;
249 NeedsProtector = true;
250 }
251
252 return NeedsProtector;
253 }
254
255 /// Maximum remaining allocation size observed for a phi node, and how often
256 /// the allocation size has already been decreased. We only allow a limited
257 /// number of decreases.
258 struct PhiInfo {
259 TypeSize AllocSize;
260 unsigned NumDecreased = 0;
261 static constexpr unsigned MaxNumDecreased = 3;
PhiInfoPhiInfo262 PhiInfo(TypeSize AllocSize) : AllocSize(AllocSize) {}
263 };
264 using PhiMap = SmallDenseMap<const PHINode *, PhiInfo, 16>;
265
266 /// Check whether a stack allocation has its address taken.
HasAddressTaken(const Instruction * AI,TypeSize AllocSize,Module * M,PhiMap & VisitedPHIs)267 static bool HasAddressTaken(const Instruction *AI, TypeSize AllocSize,
268 Module *M,
269 PhiMap &VisitedPHIs) {
270 const DataLayout &DL = M->getDataLayout();
271 for (const User *U : AI->users()) {
272 const auto *I = cast<Instruction>(U);
273 // If this instruction accesses memory make sure it doesn't access beyond
274 // the bounds of the allocated object.
275 std::optional<MemoryLocation> MemLoc = MemoryLocation::getOrNone(I);
276 if (MemLoc && MemLoc->Size.hasValue() &&
277 !TypeSize::isKnownGE(AllocSize, MemLoc->Size.getValue()))
278 return true;
279 switch (I->getOpcode()) {
280 case Instruction::Store:
281 if (AI == cast<StoreInst>(I)->getValueOperand())
282 return true;
283 break;
284 case Instruction::AtomicCmpXchg:
285 // cmpxchg conceptually includes both a load and store from the same
286 // location. So, like store, the value being stored is what matters.
287 if (AI == cast<AtomicCmpXchgInst>(I)->getNewValOperand())
288 return true;
289 break;
290 case Instruction::AtomicRMW:
291 if (AI == cast<AtomicRMWInst>(I)->getValOperand())
292 return true;
293 break;
294 case Instruction::PtrToInt:
295 if (AI == cast<PtrToIntInst>(I)->getOperand(0))
296 return true;
297 break;
298 case Instruction::Call: {
299 // Ignore intrinsics that do not become real instructions.
300 // TODO: Narrow this to intrinsics that have store-like effects.
301 const auto *CI = cast<CallInst>(I);
302 if (!CI->isDebugOrPseudoInst() && !CI->isLifetimeStartOrEnd())
303 return true;
304 break;
305 }
306 case Instruction::Invoke:
307 return true;
308 case Instruction::GetElementPtr: {
309 // If the GEP offset is out-of-bounds, or is non-constant and so has to be
310 // assumed to be potentially out-of-bounds, then any memory access that
311 // would use it could also be out-of-bounds meaning stack protection is
312 // required.
313 const GetElementPtrInst *GEP = cast<GetElementPtrInst>(I);
314 unsigned IndexSize = DL.getIndexTypeSizeInBits(I->getType());
315 APInt Offset(IndexSize, 0);
316 if (!GEP->accumulateConstantOffset(DL, Offset))
317 return true;
318 TypeSize OffsetSize = TypeSize::getFixed(Offset.getLimitedValue());
319 if (!TypeSize::isKnownGT(AllocSize, OffsetSize))
320 return true;
321 // Adjust AllocSize to be the space remaining after this offset.
322 // We can't subtract a fixed size from a scalable one, so in that case
323 // assume the scalable value is of minimum size.
324 TypeSize NewAllocSize =
325 TypeSize::getFixed(AllocSize.getKnownMinValue()) - OffsetSize;
326 if (HasAddressTaken(I, NewAllocSize, M, VisitedPHIs))
327 return true;
328 break;
329 }
330 case Instruction::BitCast:
331 case Instruction::Select:
332 case Instruction::AddrSpaceCast:
333 if (HasAddressTaken(I, AllocSize, M, VisitedPHIs))
334 return true;
335 break;
336 case Instruction::PHI: {
337 // Keep track of what PHI nodes we have already visited to ensure
338 // they are only visited once.
339 const auto *PN = cast<PHINode>(I);
340 auto [It, Inserted] = VisitedPHIs.try_emplace(PN, AllocSize);
341 if (!Inserted) {
342 if (TypeSize::isKnownGE(AllocSize, It->second.AllocSize))
343 break;
344
345 // Check again with smaller size.
346 if (It->second.NumDecreased == PhiInfo::MaxNumDecreased)
347 return true;
348
349 It->second.AllocSize = AllocSize;
350 ++It->second.NumDecreased;
351 }
352 if (HasAddressTaken(PN, AllocSize, M, VisitedPHIs))
353 return true;
354 break;
355 }
356 case Instruction::Load:
357 case Instruction::Ret:
358 // These instructions take an address operand, but have load-like or
359 // other innocuous behavior that should not trigger a stack protector.
360 break;
361 default:
362 // Conservatively return true for any instruction that takes an address
363 // operand, but is not handled above.
364 return true;
365 }
366 }
367 return false;
368 }
369
370 /// Search for the first call to the llvm.stackprotector intrinsic and return it
371 /// if present.
findStackProtectorIntrinsic(Function & F)372 static const CallInst *findStackProtectorIntrinsic(Function &F) {
373 for (const BasicBlock &BB : F)
374 for (const Instruction &I : BB)
375 if (const auto *II = dyn_cast<IntrinsicInst>(&I))
376 if (II->getIntrinsicID() == Intrinsic::stackprotector)
377 return II;
378 return nullptr;
379 }
380
381 /// Check whether or not this function needs a stack protector based
382 /// upon the stack protector level.
383 ///
384 /// We use two heuristics: a standard (ssp) and strong (sspstrong).
385 /// The standard heuristic which will add a guard variable to functions that
386 /// call alloca with a either a variable size or a size >= SSPBufferSize,
387 /// functions with character buffers larger than SSPBufferSize, and functions
388 /// with aggregates containing character buffers larger than SSPBufferSize. The
389 /// strong heuristic will add a guard variables to functions that call alloca
390 /// regardless of size, functions with any buffer regardless of type and size,
391 /// functions with aggregates that contain any buffer regardless of type and
392 /// size, and functions that contain stack-based variables that have had their
393 /// address taken.
requiresStackProtector(Function * F,SSPLayoutMap * Layout)394 bool SSPLayoutAnalysis::requiresStackProtector(Function *F,
395 SSPLayoutMap *Layout) {
396 Module *M = F->getParent();
397 bool Strong = false;
398 bool NeedsProtector = false;
399
400 // The set of PHI nodes visited when determining if a variable's reference has
401 // been taken. This set is maintained to ensure we don't visit the same PHI
402 // node multiple times.
403 PhiMap VisitedPHIs;
404
405 unsigned SSPBufferSize = F->getFnAttributeAsParsedInteger(
406 "stack-protector-buffer-size", SSPLayoutInfo::DefaultSSPBufferSize);
407
408 if (F->hasFnAttribute(Attribute::SafeStack))
409 return false;
410
411 // We are constructing the OptimizationRemarkEmitter on the fly rather than
412 // using the analysis pass to avoid building DominatorTree and LoopInfo which
413 // are not available this late in the IR pipeline.
414 OptimizationRemarkEmitter ORE(F);
415
416 if (F->hasFnAttribute(Attribute::StackProtectReq)) {
417 if (!Layout)
418 return true;
419 ORE.emit([&]() {
420 return OptimizationRemark(DEBUG_TYPE, "StackProtectorRequested", F)
421 << "Stack protection applied to function "
422 << ore::NV("Function", F)
423 << " due to a function attribute or command-line switch";
424 });
425 NeedsProtector = true;
426 Strong = true; // Use the same heuristic as strong to determine SSPLayout
427 } else if (F->hasFnAttribute(Attribute::StackProtectStrong))
428 Strong = true;
429 else if (!F->hasFnAttribute(Attribute::StackProtect))
430 return false;
431
432 for (const BasicBlock &BB : *F) {
433 for (const Instruction &I : BB) {
434 if (const AllocaInst *AI = dyn_cast<AllocaInst>(&I)) {
435 if (AI->isArrayAllocation()) {
436 auto RemarkBuilder = [&]() {
437 return OptimizationRemark(DEBUG_TYPE, "StackProtectorAllocaOrArray",
438 &I)
439 << "Stack protection applied to function "
440 << ore::NV("Function", F)
441 << " due to a call to alloca or use of a variable length "
442 "array";
443 };
444 if (const auto *CI = dyn_cast<ConstantInt>(AI->getArraySize())) {
445 if (CI->getLimitedValue(SSPBufferSize) >= SSPBufferSize) {
446 // A call to alloca with size >= SSPBufferSize requires
447 // stack protectors.
448 if (!Layout)
449 return true;
450 Layout->insert(
451 std::make_pair(AI, MachineFrameInfo::SSPLK_LargeArray));
452 ORE.emit(RemarkBuilder);
453 NeedsProtector = true;
454 } else if (Strong) {
455 // Require protectors for all alloca calls in strong mode.
456 if (!Layout)
457 return true;
458 Layout->insert(
459 std::make_pair(AI, MachineFrameInfo::SSPLK_SmallArray));
460 ORE.emit(RemarkBuilder);
461 NeedsProtector = true;
462 }
463 } else {
464 // A call to alloca with a variable size requires protectors.
465 if (!Layout)
466 return true;
467 Layout->insert(
468 std::make_pair(AI, MachineFrameInfo::SSPLK_LargeArray));
469 ORE.emit(RemarkBuilder);
470 NeedsProtector = true;
471 }
472 continue;
473 }
474
475 bool IsLarge = false;
476 if (ContainsProtectableArray(AI->getAllocatedType(), M, SSPBufferSize,
477 IsLarge, Strong, false)) {
478 if (!Layout)
479 return true;
480 Layout->insert(std::make_pair(
481 AI, IsLarge ? MachineFrameInfo::SSPLK_LargeArray
482 : MachineFrameInfo::SSPLK_SmallArray));
483 ORE.emit([&]() {
484 return OptimizationRemark(DEBUG_TYPE, "StackProtectorBuffer", &I)
485 << "Stack protection applied to function "
486 << ore::NV("Function", F)
487 << " due to a stack allocated buffer or struct containing a "
488 "buffer";
489 });
490 NeedsProtector = true;
491 continue;
492 }
493
494 if (Strong &&
495 HasAddressTaken(
496 AI, M->getDataLayout().getTypeAllocSize(AI->getAllocatedType()),
497 M, VisitedPHIs)) {
498 ++NumAddrTaken;
499 if (!Layout)
500 return true;
501 Layout->insert(std::make_pair(AI, MachineFrameInfo::SSPLK_AddrOf));
502 ORE.emit([&]() {
503 return OptimizationRemark(DEBUG_TYPE, "StackProtectorAddressTaken",
504 &I)
505 << "Stack protection applied to function "
506 << ore::NV("Function", F)
507 << " due to the address of a local variable being taken";
508 });
509 NeedsProtector = true;
510 }
511 // Clear any PHIs that we visited, to make sure we examine all uses of
512 // any subsequent allocas that we look at.
513 VisitedPHIs.clear();
514 }
515 }
516 }
517
518 return NeedsProtector;
519 }
520
521 /// Create a stack guard loading and populate whether SelectionDAG SSP is
522 /// supported.
getStackGuard(const TargetLoweringBase * TLI,Module * M,IRBuilder<> & B,bool * SupportsSelectionDAGSP=nullptr)523 static Value *getStackGuard(const TargetLoweringBase *TLI, Module *M,
524 IRBuilder<> &B,
525 bool *SupportsSelectionDAGSP = nullptr) {
526 Value *Guard = TLI->getIRStackGuard(B);
527 StringRef GuardMode = M->getStackProtectorGuard();
528 if ((GuardMode == "tls" || GuardMode.empty()) && Guard)
529 return B.CreateLoad(B.getPtrTy(), Guard, true, "StackGuard");
530
531 // Use SelectionDAG SSP handling, since there isn't an IR guard.
532 //
533 // This is more or less weird, since we optionally output whether we
534 // should perform a SelectionDAG SP here. The reason is that it's strictly
535 // defined as !TLI->getIRStackGuard(B), where getIRStackGuard is also
536 // mutating. There is no way to get this bit without mutating the IR, so
537 // getting this bit has to happen in this right time.
538 //
539 // We could have define a new function TLI::supportsSelectionDAGSP(), but that
540 // will put more burden on the backends' overriding work, especially when it
541 // actually conveys the same information getIRStackGuard() already gives.
542 if (SupportsSelectionDAGSP)
543 *SupportsSelectionDAGSP = true;
544 TLI->insertSSPDeclarations(*M);
545 return B.CreateIntrinsic(Intrinsic::stackguard, {});
546 }
547
548 /// Insert code into the entry block that stores the stack guard
549 /// variable onto the stack:
550 ///
551 /// entry:
552 /// StackGuardSlot = alloca i8*
553 /// StackGuard = <stack guard>
554 /// call void @llvm.stackprotector(StackGuard, StackGuardSlot)
555 ///
556 /// Returns true if the platform/triple supports the stackprotectorcreate pseudo
557 /// node.
CreatePrologue(Function * F,Module * M,Instruction * CheckLoc,const TargetLoweringBase * TLI,AllocaInst * & AI)558 static bool CreatePrologue(Function *F, Module *M, Instruction *CheckLoc,
559 const TargetLoweringBase *TLI, AllocaInst *&AI) {
560 bool SupportsSelectionDAGSP = false;
561 IRBuilder<> B(&F->getEntryBlock().front());
562 PointerType *PtrTy = PointerType::getUnqual(CheckLoc->getContext());
563 AI = B.CreateAlloca(PtrTy, nullptr, "StackGuardSlot");
564
565 Value *GuardSlot = getStackGuard(TLI, M, B, &SupportsSelectionDAGSP);
566 B.CreateIntrinsic(Intrinsic::stackprotector, {GuardSlot, AI});
567 return SupportsSelectionDAGSP;
568 }
569
InsertStackProtectors(const TargetMachine * TM,Function * F,DomTreeUpdater * DTU,bool & HasPrologue,bool & HasIRCheck)570 bool InsertStackProtectors(const TargetMachine *TM, Function *F,
571 DomTreeUpdater *DTU, bool &HasPrologue,
572 bool &HasIRCheck) {
573 auto *M = F->getParent();
574 auto *TLI = TM->getSubtargetImpl(*F)->getTargetLowering();
575
576 // If the target wants to XOR the frame pointer into the guard value, it's
577 // impossible to emit the check in IR, so the target *must* support stack
578 // protection in SDAG.
579 bool SupportsSelectionDAGSP =
580 TLI->useStackGuardXorFP() ||
581 (EnableSelectionDAGSP && !TM->Options.EnableFastISel);
582 AllocaInst *AI = nullptr; // Place on stack that stores the stack guard.
583 BasicBlock *FailBB = nullptr;
584
585 for (BasicBlock &BB : llvm::make_early_inc_range(*F)) {
586 // This is stack protector auto generated check BB, skip it.
587 if (&BB == FailBB)
588 continue;
589 Instruction *CheckLoc = dyn_cast<ReturnInst>(BB.getTerminator());
590 if (!CheckLoc && !DisableCheckNoReturn)
591 for (auto &Inst : BB)
592 if (auto *CB = dyn_cast<CallBase>(&Inst))
593 // Do stack check before noreturn calls that aren't nounwind (e.g:
594 // __cxa_throw).
595 if (CB->doesNotReturn() && !CB->doesNotThrow()) {
596 CheckLoc = CB;
597 break;
598 }
599
600 if (!CheckLoc)
601 continue;
602
603 // Generate prologue instrumentation if not already generated.
604 if (!HasPrologue) {
605 HasPrologue = true;
606 SupportsSelectionDAGSP &= CreatePrologue(F, M, CheckLoc, TLI, AI);
607 }
608
609 // SelectionDAG based code generation. Nothing else needs to be done here.
610 // The epilogue instrumentation is postponed to SelectionDAG.
611 if (SupportsSelectionDAGSP)
612 break;
613
614 // Find the stack guard slot if the prologue was not created by this pass
615 // itself via a previous call to CreatePrologue().
616 if (!AI) {
617 const CallInst *SPCall = findStackProtectorIntrinsic(*F);
618 assert(SPCall && "Call to llvm.stackprotector is missing");
619 AI = cast<AllocaInst>(SPCall->getArgOperand(1));
620 }
621
622 // Set HasIRCheck to true, so that SelectionDAG will not generate its own
623 // version. SelectionDAG called 'shouldEmitSDCheck' to check whether
624 // instrumentation has already been generated.
625 HasIRCheck = true;
626
627 // If we're instrumenting a block with a tail call, the check has to be
628 // inserted before the call rather than between it and the return.
629 Instruction *Prev = CheckLoc->getPrevNonDebugInstruction();
630 if (auto *CI = dyn_cast_if_present<CallInst>(Prev))
631 if (CI->isTailCall() && isInTailCallPosition(*CI, *TM))
632 CheckLoc = Prev;
633
634 // Generate epilogue instrumentation. The epilogue intrumentation can be
635 // function-based or inlined depending on which mechanism the target is
636 // providing.
637 if (Function *GuardCheck = TLI->getSSPStackGuardCheck(*M)) {
638 // Generate the function-based epilogue instrumentation.
639 // The target provides a guard check function, generate a call to it.
640 IRBuilder<> B(CheckLoc);
641 LoadInst *Guard = B.CreateLoad(B.getPtrTy(), AI, true, "Guard");
642 CallInst *Call = B.CreateCall(GuardCheck, {Guard});
643 Call->setAttributes(GuardCheck->getAttributes());
644 Call->setCallingConv(GuardCheck->getCallingConv());
645 } else {
646 // Generate the epilogue with inline instrumentation.
647 // If we do not support SelectionDAG based calls, generate IR level
648 // calls.
649 //
650 // For each block with a return instruction, convert this:
651 //
652 // return:
653 // ...
654 // ret ...
655 //
656 // into this:
657 //
658 // return:
659 // ...
660 // %1 = <stack guard>
661 // %2 = load StackGuardSlot
662 // %3 = icmp ne i1 %1, %2
663 // br i1 %3, label %CallStackCheckFailBlk, label %SP_return
664 //
665 // SP_return:
666 // ret ...
667 //
668 // CallStackCheckFailBlk:
669 // call void @__stack_chk_fail()
670 // unreachable
671
672 // Create the FailBB. We duplicate the BB every time since the MI tail
673 // merge pass will merge together all of the various BB into one including
674 // fail BB generated by the stack protector pseudo instruction.
675 if (!FailBB)
676 FailBB = CreateFailBB(F, *TLI);
677
678 IRBuilder<> B(CheckLoc);
679 Value *Guard = getStackGuard(TLI, M, B);
680 LoadInst *LI2 = B.CreateLoad(B.getPtrTy(), AI, true);
681 auto *Cmp = cast<ICmpInst>(B.CreateICmpNE(Guard, LI2));
682 auto SuccessProb =
683 BranchProbabilityInfo::getBranchProbStackProtector(true);
684 auto FailureProb =
685 BranchProbabilityInfo::getBranchProbStackProtector(false);
686 MDNode *Weights = MDBuilder(F->getContext())
687 .createBranchWeights(FailureProb.getNumerator(),
688 SuccessProb.getNumerator());
689
690 SplitBlockAndInsertIfThen(Cmp, CheckLoc,
691 /*Unreachable=*/false, Weights, DTU,
692 /*LI=*/nullptr, /*ThenBlock=*/FailBB);
693
694 auto *BI = cast<BranchInst>(Cmp->getParent()->getTerminator());
695 BasicBlock *NewBB = BI->getSuccessor(1);
696 NewBB->setName("SP_return");
697 NewBB->moveAfter(&BB);
698
699 Cmp->setPredicate(Cmp->getInversePredicate());
700 BI->swapSuccessors();
701 }
702 }
703
704 // Return if we didn't modify any basic blocks. i.e., there are no return
705 // statements in the function.
706 return HasPrologue;
707 }
708
CreateFailBB(Function * F,const TargetLowering & TLI)709 BasicBlock *CreateFailBB(Function *F, const TargetLowering &TLI) {
710 auto *M = F->getParent();
711 LLVMContext &Context = F->getContext();
712 BasicBlock *FailBB = BasicBlock::Create(Context, "CallStackCheckFailBlk", F);
713 IRBuilder<> B(FailBB);
714 if (F->getSubprogram())
715 B.SetCurrentDebugLocation(
716 DILocation::get(Context, 0, 0, F->getSubprogram()));
717 FunctionCallee StackChkFail;
718 SmallVector<Value *, 1> Args;
719
720 if (const char *ChkFailName =
721 TLI.getLibcallName(RTLIB::STACKPROTECTOR_CHECK_FAIL)) {
722 StackChkFail =
723 M->getOrInsertFunction(ChkFailName, Type::getVoidTy(Context));
724 } else if (const char *SSHName =
725 TLI.getLibcallName(RTLIB::STACK_SMASH_HANDLER)) {
726 StackChkFail = M->getOrInsertFunction(SSHName, Type::getVoidTy(Context),
727 PointerType::getUnqual(Context));
728 Args.push_back(B.CreateGlobalString(F->getName(), "SSH"));
729 } else {
730 Context.emitError("no libcall available for stack protector");
731 }
732
733 if (StackChkFail) {
734 cast<Function>(StackChkFail.getCallee())->addFnAttr(Attribute::NoReturn);
735 B.CreateCall(StackChkFail, Args);
736 }
737
738 B.CreateUnreachable();
739 return FailBB;
740 }
741