xref: /freebsd/contrib/llvm-project/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp (revision 0fca6ea1d4eea4c934cfff25ac9ee8ad6fe95583)
1 //===- MemorySanitizer.cpp - detector of uninitialized reads --------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 /// \file
10 /// This file is a part of MemorySanitizer, a detector of uninitialized
11 /// reads.
12 ///
13 /// The algorithm of the tool is similar to Memcheck
14 /// (https://static.usenix.org/event/usenix05/tech/general/full_papers/seward/seward_html/usenix2005.html)
15 /// We associate a few shadow bits with every byte of the application memory,
16 /// poison the shadow of the malloc-ed or alloca-ed memory, load the shadow,
17 /// bits on every memory read, propagate the shadow bits through some of the
18 /// arithmetic instruction (including MOV), store the shadow bits on every memory
19 /// write, report a bug on some other instructions (e.g. JMP) if the
20 /// associated shadow is poisoned.
21 ///
22 /// But there are differences too. The first and the major one:
23 /// compiler instrumentation instead of binary instrumentation. This
24 /// gives us much better register allocation, possible compiler
25 /// optimizations and a fast start-up. But this brings the major issue
26 /// as well: msan needs to see all program events, including system
27 /// calls and reads/writes in system libraries, so we either need to
28 /// compile *everything* with msan or use a binary translation
29 /// component (e.g. DynamoRIO) to instrument pre-built libraries.
30 /// Another difference from Memcheck is that we use 8 shadow bits per
31 /// byte of application memory and use a direct shadow mapping. This
32 /// greatly simplifies the instrumentation code and avoids races on
33 /// shadow updates (Memcheck is single-threaded so races are not a
34 /// concern there. Memcheck uses 2 shadow bits per byte with a slow
35 /// path storage that uses 8 bits per byte).
36 ///
37 /// The default value of shadow is 0, which means "clean" (not poisoned).
38 ///
39 /// Every module initializer should call __msan_init to ensure that the
40 /// shadow memory is ready. On error, __msan_warning is called. Since
41 /// parameters and return values may be passed via registers, we have a
42 /// specialized thread-local shadow for return values
43 /// (__msan_retval_tls) and parameters (__msan_param_tls).
44 ///
45 ///                           Origin tracking.
46 ///
47 /// MemorySanitizer can track origins (allocation points) of all uninitialized
48 /// values. This behavior is controlled with a flag (msan-track-origins) and is
49 /// disabled by default.
50 ///
51 /// Origins are 4-byte values created and interpreted by the runtime library.
52 /// They are stored in a second shadow mapping, one 4-byte value for 4 bytes
53 /// of application memory. Propagation of origins is basically a bunch of
54 /// "select" instructions that pick the origin of a dirty argument, if an
55 /// instruction has one.
56 ///
57 /// Every 4 aligned, consecutive bytes of application memory have one origin
58 /// value associated with them. If these bytes contain uninitialized data
59 /// coming from 2 different allocations, the last store wins. Because of this,
60 /// MemorySanitizer reports can show unrelated origins, but this is unlikely in
61 /// practice.
62 ///
63 /// Origins are meaningless for fully initialized values, so MemorySanitizer
64 /// avoids storing origin to memory when a fully initialized value is stored.
65 /// This way it avoids needless overwriting origin of the 4-byte region on
66 /// a short (i.e. 1 byte) clean store, and it is also good for performance.
67 ///
68 ///                            Atomic handling.
69 ///
70 /// Ideally, every atomic store of application value should update the
71 /// corresponding shadow location in an atomic way. Unfortunately, atomic store
72 /// of two disjoint locations can not be done without severe slowdown.
73 ///
74 /// Therefore, we implement an approximation that may err on the safe side.
75 /// In this implementation, every atomically accessed location in the program
76 /// may only change from (partially) uninitialized to fully initialized, but
77 /// not the other way around. We load the shadow _after_ the application load,
78 /// and we store the shadow _before_ the app store. Also, we always store clean
79 /// shadow (if the application store is atomic). This way, if the store-load
80 /// pair constitutes a happens-before arc, shadow store and load are correctly
81 /// ordered such that the load will get either the value that was stored, or
82 /// some later value (which is always clean).
83 ///
84 /// This does not work very well with Compare-And-Swap (CAS) and
85 /// Read-Modify-Write (RMW) operations. To follow the above logic, CAS and RMW
86 /// must store the new shadow before the app operation, and load the shadow
87 /// after the app operation. Computers don't work this way. Current
88 /// implementation ignores the load aspect of CAS/RMW, always returning a clean
89 /// value. It implements the store part as a simple atomic store by storing a
90 /// clean shadow.
91 ///
92 ///                      Instrumenting inline assembly.
93 ///
94 /// For inline assembly code LLVM has little idea about which memory locations
95 /// become initialized depending on the arguments. It can be possible to figure
96 /// out which arguments are meant to point to inputs and outputs, but the
97 /// actual semantics can be only visible at runtime. In the Linux kernel it's
98 /// also possible that the arguments only indicate the offset for a base taken
99 /// from a segment register, so it's dangerous to treat any asm() arguments as
100 /// pointers. We take a conservative approach generating calls to
101 ///   __msan_instrument_asm_store(ptr, size)
102 /// , which defer the memory unpoisoning to the runtime library.
103 /// The latter can perform more complex address checks to figure out whether
104 /// it's safe to touch the shadow memory.
105 /// Like with atomic operations, we call __msan_instrument_asm_store() before
106 /// the assembly call, so that changes to the shadow memory will be seen by
107 /// other threads together with main memory initialization.
108 ///
109 ///                  KernelMemorySanitizer (KMSAN) implementation.
110 ///
111 /// The major differences between KMSAN and MSan instrumentation are:
112 ///  - KMSAN always tracks the origins and implies msan-keep-going=true;
113 ///  - KMSAN allocates shadow and origin memory for each page separately, so
114 ///    there are no explicit accesses to shadow and origin in the
115 ///    instrumentation.
116 ///    Shadow and origin values for a particular X-byte memory location
117 ///    (X=1,2,4,8) are accessed through pointers obtained via the
118 ///      __msan_metadata_ptr_for_load_X(ptr)
119 ///      __msan_metadata_ptr_for_store_X(ptr)
120 ///    functions. The corresponding functions check that the X-byte accesses
121 ///    are possible and returns the pointers to shadow and origin memory.
122 ///    Arbitrary sized accesses are handled with:
123 ///      __msan_metadata_ptr_for_load_n(ptr, size)
124 ///      __msan_metadata_ptr_for_store_n(ptr, size);
125 ///    Note that the sanitizer code has to deal with how shadow/origin pairs
126 ///    returned by the these functions are represented in different ABIs. In
127 ///    the X86_64 ABI they are returned in RDX:RAX, in PowerPC64 they are
128 ///    returned in r3 and r4, and in the SystemZ ABI they are written to memory
129 ///    pointed to by a hidden parameter.
130 ///  - TLS variables are stored in a single per-task struct. A call to a
131 ///    function __msan_get_context_state() returning a pointer to that struct
132 ///    is inserted into every instrumented function before the entry block;
133 ///  - __msan_warning() takes a 32-bit origin parameter;
134 ///  - local variables are poisoned with __msan_poison_alloca() upon function
135 ///    entry and unpoisoned with __msan_unpoison_alloca() before leaving the
136 ///    function;
137 ///  - the pass doesn't declare any global variables or add global constructors
138 ///    to the translation unit.
139 ///
140 /// Also, KMSAN currently ignores uninitialized memory passed into inline asm
141 /// calls, making sure we're on the safe side wrt. possible false positives.
142 ///
143 ///  KernelMemorySanitizer only supports X86_64, SystemZ and PowerPC64 at the
144 ///  moment.
145 ///
146 //
147 // FIXME: This sanitizer does not yet handle scalable vectors
148 //
149 //===----------------------------------------------------------------------===//
150 
151 #include "llvm/Transforms/Instrumentation/MemorySanitizer.h"
152 #include "llvm/ADT/APInt.h"
153 #include "llvm/ADT/ArrayRef.h"
154 #include "llvm/ADT/DenseMap.h"
155 #include "llvm/ADT/DepthFirstIterator.h"
156 #include "llvm/ADT/SetVector.h"
157 #include "llvm/ADT/SmallPtrSet.h"
158 #include "llvm/ADT/SmallVector.h"
159 #include "llvm/ADT/StringExtras.h"
160 #include "llvm/ADT/StringRef.h"
161 #include "llvm/Analysis/GlobalsModRef.h"
162 #include "llvm/Analysis/TargetLibraryInfo.h"
163 #include "llvm/Analysis/ValueTracking.h"
164 #include "llvm/IR/Argument.h"
165 #include "llvm/IR/AttributeMask.h"
166 #include "llvm/IR/Attributes.h"
167 #include "llvm/IR/BasicBlock.h"
168 #include "llvm/IR/CallingConv.h"
169 #include "llvm/IR/Constant.h"
170 #include "llvm/IR/Constants.h"
171 #include "llvm/IR/DataLayout.h"
172 #include "llvm/IR/DerivedTypes.h"
173 #include "llvm/IR/Function.h"
174 #include "llvm/IR/GlobalValue.h"
175 #include "llvm/IR/GlobalVariable.h"
176 #include "llvm/IR/IRBuilder.h"
177 #include "llvm/IR/InlineAsm.h"
178 #include "llvm/IR/InstVisitor.h"
179 #include "llvm/IR/InstrTypes.h"
180 #include "llvm/IR/Instruction.h"
181 #include "llvm/IR/Instructions.h"
182 #include "llvm/IR/IntrinsicInst.h"
183 #include "llvm/IR/Intrinsics.h"
184 #include "llvm/IR/IntrinsicsAArch64.h"
185 #include "llvm/IR/IntrinsicsX86.h"
186 #include "llvm/IR/MDBuilder.h"
187 #include "llvm/IR/Module.h"
188 #include "llvm/IR/Type.h"
189 #include "llvm/IR/Value.h"
190 #include "llvm/IR/ValueMap.h"
191 #include "llvm/Support/Alignment.h"
192 #include "llvm/Support/AtomicOrdering.h"
193 #include "llvm/Support/Casting.h"
194 #include "llvm/Support/CommandLine.h"
195 #include "llvm/Support/Debug.h"
196 #include "llvm/Support/DebugCounter.h"
197 #include "llvm/Support/ErrorHandling.h"
198 #include "llvm/Support/MathExtras.h"
199 #include "llvm/Support/raw_ostream.h"
200 #include "llvm/TargetParser/Triple.h"
201 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
202 #include "llvm/Transforms/Utils/Local.h"
203 #include "llvm/Transforms/Utils/ModuleUtils.h"
204 #include <algorithm>
205 #include <cassert>
206 #include <cstddef>
207 #include <cstdint>
208 #include <memory>
209 #include <string>
210 #include <tuple>
211 
212 using namespace llvm;
213 
214 #define DEBUG_TYPE "msan"
215 
216 DEBUG_COUNTER(DebugInsertCheck, "msan-insert-check",
217               "Controls which checks to insert");
218 
219 DEBUG_COUNTER(DebugInstrumentInstruction, "msan-instrument-instruction",
220               "Controls which instruction to instrument");
221 
222 static const unsigned kOriginSize = 4;
223 static const Align kMinOriginAlignment = Align(4);
224 static const Align kShadowTLSAlignment = Align(8);
225 
226 // These constants must be kept in sync with the ones in msan.h.
227 static const unsigned kParamTLSSize = 800;
228 static const unsigned kRetvalTLSSize = 800;
229 
230 // Accesses sizes are powers of two: 1, 2, 4, 8.
231 static const size_t kNumberOfAccessSizes = 4;
232 
233 /// Track origins of uninitialized values.
234 ///
235 /// Adds a section to MemorySanitizer report that points to the allocation
236 /// (stack or heap) the uninitialized bits came from originally.
237 static cl::opt<int> ClTrackOrigins(
238     "msan-track-origins",
239     cl::desc("Track origins (allocation sites) of poisoned memory"), cl::Hidden,
240     cl::init(0));
241 
242 static cl::opt<bool> ClKeepGoing("msan-keep-going",
243                                  cl::desc("keep going after reporting a UMR"),
244                                  cl::Hidden, cl::init(false));
245 
246 static cl::opt<bool>
247     ClPoisonStack("msan-poison-stack",
248                   cl::desc("poison uninitialized stack variables"), cl::Hidden,
249                   cl::init(true));
250 
251 static cl::opt<bool> ClPoisonStackWithCall(
252     "msan-poison-stack-with-call",
253     cl::desc("poison uninitialized stack variables with a call"), cl::Hidden,
254     cl::init(false));
255 
256 static cl::opt<int> ClPoisonStackPattern(
257     "msan-poison-stack-pattern",
258     cl::desc("poison uninitialized stack variables with the given pattern"),
259     cl::Hidden, cl::init(0xff));
260 
261 static cl::opt<bool>
262     ClPrintStackNames("msan-print-stack-names",
263                       cl::desc("Print name of local stack variable"),
264                       cl::Hidden, cl::init(true));
265 
266 static cl::opt<bool> ClPoisonUndef("msan-poison-undef",
267                                    cl::desc("poison undef temps"), cl::Hidden,
268                                    cl::init(true));
269 
270 static cl::opt<bool>
271     ClHandleICmp("msan-handle-icmp",
272                  cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
273                  cl::Hidden, cl::init(true));
274 
275 static cl::opt<bool>
276     ClHandleICmpExact("msan-handle-icmp-exact",
277                       cl::desc("exact handling of relational integer ICmp"),
278                       cl::Hidden, cl::init(false));
279 
280 static cl::opt<bool> ClHandleLifetimeIntrinsics(
281     "msan-handle-lifetime-intrinsics",
282     cl::desc(
283         "when possible, poison scoped variables at the beginning of the scope "
284         "(slower, but more precise)"),
285     cl::Hidden, cl::init(true));
286 
287 // When compiling the Linux kernel, we sometimes see false positives related to
288 // MSan being unable to understand that inline assembly calls may initialize
289 // local variables.
290 // This flag makes the compiler conservatively unpoison every memory location
291 // passed into an assembly call. Note that this may cause false positives.
292 // Because it's impossible to figure out the array sizes, we can only unpoison
293 // the first sizeof(type) bytes for each type* pointer.
294 static cl::opt<bool> ClHandleAsmConservative(
295     "msan-handle-asm-conservative",
296     cl::desc("conservative handling of inline assembly"), cl::Hidden,
297     cl::init(true));
298 
299 // This flag controls whether we check the shadow of the address
300 // operand of load or store. Such bugs are very rare, since load from
301 // a garbage address typically results in SEGV, but still happen
302 // (e.g. only lower bits of address are garbage, or the access happens
303 // early at program startup where malloc-ed memory is more likely to
304 // be zeroed. As of 2012-08-28 this flag adds 20% slowdown.
305 static cl::opt<bool> ClCheckAccessAddress(
306     "msan-check-access-address",
307     cl::desc("report accesses through a pointer which has poisoned shadow"),
308     cl::Hidden, cl::init(true));
309 
310 static cl::opt<bool> ClEagerChecks(
311     "msan-eager-checks",
312     cl::desc("check arguments and return values at function call boundaries"),
313     cl::Hidden, cl::init(false));
314 
315 static cl::opt<bool> ClDumpStrictInstructions(
316     "msan-dump-strict-instructions",
317     cl::desc("print out instructions with default strict semantics"),
318     cl::Hidden, cl::init(false));
319 
320 static cl::opt<int> ClInstrumentationWithCallThreshold(
321     "msan-instrumentation-with-call-threshold",
322     cl::desc(
323         "If the function being instrumented requires more than "
324         "this number of checks and origin stores, use callbacks instead of "
325         "inline checks (-1 means never use callbacks)."),
326     cl::Hidden, cl::init(3500));
327 
328 static cl::opt<bool>
329     ClEnableKmsan("msan-kernel",
330                   cl::desc("Enable KernelMemorySanitizer instrumentation"),
331                   cl::Hidden, cl::init(false));
332 
333 static cl::opt<bool>
334     ClDisableChecks("msan-disable-checks",
335                     cl::desc("Apply no_sanitize to the whole file"), cl::Hidden,
336                     cl::init(false));
337 
338 static cl::opt<bool>
339     ClCheckConstantShadow("msan-check-constant-shadow",
340                           cl::desc("Insert checks for constant shadow values"),
341                           cl::Hidden, cl::init(true));
342 
343 // This is off by default because of a bug in gold:
344 // https://sourceware.org/bugzilla/show_bug.cgi?id=19002
345 static cl::opt<bool>
346     ClWithComdat("msan-with-comdat",
347                  cl::desc("Place MSan constructors in comdat sections"),
348                  cl::Hidden, cl::init(false));
349 
350 // These options allow to specify custom memory map parameters
351 // See MemoryMapParams for details.
352 static cl::opt<uint64_t> ClAndMask("msan-and-mask",
353                                    cl::desc("Define custom MSan AndMask"),
354                                    cl::Hidden, cl::init(0));
355 
356 static cl::opt<uint64_t> ClXorMask("msan-xor-mask",
357                                    cl::desc("Define custom MSan XorMask"),
358                                    cl::Hidden, cl::init(0));
359 
360 static cl::opt<uint64_t> ClShadowBase("msan-shadow-base",
361                                       cl::desc("Define custom MSan ShadowBase"),
362                                       cl::Hidden, cl::init(0));
363 
364 static cl::opt<uint64_t> ClOriginBase("msan-origin-base",
365                                       cl::desc("Define custom MSan OriginBase"),
366                                       cl::Hidden, cl::init(0));
367 
368 static cl::opt<int>
369     ClDisambiguateWarning("msan-disambiguate-warning-threshold",
370                           cl::desc("Define threshold for number of checks per "
371                                    "debug location to force origin update."),
372                           cl::Hidden, cl::init(3));
373 
374 const char kMsanModuleCtorName[] = "msan.module_ctor";
375 const char kMsanInitName[] = "__msan_init";
376 
377 namespace {
378 
379 // Memory map parameters used in application-to-shadow address calculation.
380 // Offset = (Addr & ~AndMask) ^ XorMask
381 // Shadow = ShadowBase + Offset
382 // Origin = OriginBase + Offset
383 struct MemoryMapParams {
384   uint64_t AndMask;
385   uint64_t XorMask;
386   uint64_t ShadowBase;
387   uint64_t OriginBase;
388 };
389 
390 struct PlatformMemoryMapParams {
391   const MemoryMapParams *bits32;
392   const MemoryMapParams *bits64;
393 };
394 
395 } // end anonymous namespace
396 
397 // i386 Linux
398 static const MemoryMapParams Linux_I386_MemoryMapParams = {
399     0x000080000000, // AndMask
400     0,              // XorMask (not used)
401     0,              // ShadowBase (not used)
402     0x000040000000, // OriginBase
403 };
404 
405 // x86_64 Linux
406 static const MemoryMapParams Linux_X86_64_MemoryMapParams = {
407     0,              // AndMask (not used)
408     0x500000000000, // XorMask
409     0,              // ShadowBase (not used)
410     0x100000000000, // OriginBase
411 };
412 
413 // mips64 Linux
414 static const MemoryMapParams Linux_MIPS64_MemoryMapParams = {
415     0,              // AndMask (not used)
416     0x008000000000, // XorMask
417     0,              // ShadowBase (not used)
418     0x002000000000, // OriginBase
419 };
420 
421 // ppc64 Linux
422 static const MemoryMapParams Linux_PowerPC64_MemoryMapParams = {
423     0xE00000000000, // AndMask
424     0x100000000000, // XorMask
425     0x080000000000, // ShadowBase
426     0x1C0000000000, // OriginBase
427 };
428 
429 // s390x Linux
430 static const MemoryMapParams Linux_S390X_MemoryMapParams = {
431     0xC00000000000, // AndMask
432     0,              // XorMask (not used)
433     0x080000000000, // ShadowBase
434     0x1C0000000000, // OriginBase
435 };
436 
437 // aarch64 Linux
438 static const MemoryMapParams Linux_AArch64_MemoryMapParams = {
439     0,               // AndMask (not used)
440     0x0B00000000000, // XorMask
441     0,               // ShadowBase (not used)
442     0x0200000000000, // OriginBase
443 };
444 
445 // loongarch64 Linux
446 static const MemoryMapParams Linux_LoongArch64_MemoryMapParams = {
447     0,              // AndMask (not used)
448     0x500000000000, // XorMask
449     0,              // ShadowBase (not used)
450     0x100000000000, // OriginBase
451 };
452 
453 // aarch64 FreeBSD
454 static const MemoryMapParams FreeBSD_AArch64_MemoryMapParams = {
455     0x1800000000000, // AndMask
456     0x0400000000000, // XorMask
457     0x0200000000000, // ShadowBase
458     0x0700000000000, // OriginBase
459 };
460 
461 // i386 FreeBSD
462 static const MemoryMapParams FreeBSD_I386_MemoryMapParams = {
463     0x000180000000, // AndMask
464     0x000040000000, // XorMask
465     0x000020000000, // ShadowBase
466     0x000700000000, // OriginBase
467 };
468 
469 // x86_64 FreeBSD
470 static const MemoryMapParams FreeBSD_X86_64_MemoryMapParams = {
471     0xc00000000000, // AndMask
472     0x200000000000, // XorMask
473     0x100000000000, // ShadowBase
474     0x380000000000, // OriginBase
475 };
476 
477 // x86_64 NetBSD
478 static const MemoryMapParams NetBSD_X86_64_MemoryMapParams = {
479     0,              // AndMask
480     0x500000000000, // XorMask
481     0,              // ShadowBase
482     0x100000000000, // OriginBase
483 };
484 
485 static const PlatformMemoryMapParams Linux_X86_MemoryMapParams = {
486     &Linux_I386_MemoryMapParams,
487     &Linux_X86_64_MemoryMapParams,
488 };
489 
490 static const PlatformMemoryMapParams Linux_MIPS_MemoryMapParams = {
491     nullptr,
492     &Linux_MIPS64_MemoryMapParams,
493 };
494 
495 static const PlatformMemoryMapParams Linux_PowerPC_MemoryMapParams = {
496     nullptr,
497     &Linux_PowerPC64_MemoryMapParams,
498 };
499 
500 static const PlatformMemoryMapParams Linux_S390_MemoryMapParams = {
501     nullptr,
502     &Linux_S390X_MemoryMapParams,
503 };
504 
505 static const PlatformMemoryMapParams Linux_ARM_MemoryMapParams = {
506     nullptr,
507     &Linux_AArch64_MemoryMapParams,
508 };
509 
510 static const PlatformMemoryMapParams Linux_LoongArch_MemoryMapParams = {
511     nullptr,
512     &Linux_LoongArch64_MemoryMapParams,
513 };
514 
515 static const PlatformMemoryMapParams FreeBSD_ARM_MemoryMapParams = {
516     nullptr,
517     &FreeBSD_AArch64_MemoryMapParams,
518 };
519 
520 static const PlatformMemoryMapParams FreeBSD_X86_MemoryMapParams = {
521     &FreeBSD_I386_MemoryMapParams,
522     &FreeBSD_X86_64_MemoryMapParams,
523 };
524 
525 static const PlatformMemoryMapParams NetBSD_X86_MemoryMapParams = {
526     nullptr,
527     &NetBSD_X86_64_MemoryMapParams,
528 };
529 
530 namespace {
531 
532 /// Instrument functions of a module to detect uninitialized reads.
533 ///
534 /// Instantiating MemorySanitizer inserts the msan runtime library API function
535 /// declarations into the module if they don't exist already. Instantiating
536 /// ensures the __msan_init function is in the list of global constructors for
537 /// the module.
538 class MemorySanitizer {
539 public:
MemorySanitizer(Module & M,MemorySanitizerOptions Options)540   MemorySanitizer(Module &M, MemorySanitizerOptions Options)
541       : CompileKernel(Options.Kernel), TrackOrigins(Options.TrackOrigins),
542         Recover(Options.Recover), EagerChecks(Options.EagerChecks) {
543     initializeModule(M);
544   }
545 
546   // MSan cannot be moved or copied because of MapParams.
547   MemorySanitizer(MemorySanitizer &&) = delete;
548   MemorySanitizer &operator=(MemorySanitizer &&) = delete;
549   MemorySanitizer(const MemorySanitizer &) = delete;
550   MemorySanitizer &operator=(const MemorySanitizer &) = delete;
551 
552   bool sanitizeFunction(Function &F, TargetLibraryInfo &TLI);
553 
554 private:
555   friend struct MemorySanitizerVisitor;
556   friend struct VarArgHelperBase;
557   friend struct VarArgAMD64Helper;
558   friend struct VarArgMIPS64Helper;
559   friend struct VarArgAArch64Helper;
560   friend struct VarArgPowerPC64Helper;
561   friend struct VarArgSystemZHelper;
562 
563   void initializeModule(Module &M);
564   void initializeCallbacks(Module &M, const TargetLibraryInfo &TLI);
565   void createKernelApi(Module &M, const TargetLibraryInfo &TLI);
566   void createUserspaceApi(Module &M, const TargetLibraryInfo &TLI);
567 
568   template <typename... ArgsTy>
569   FunctionCallee getOrInsertMsanMetadataFunction(Module &M, StringRef Name,
570                                                  ArgsTy... Args);
571 
572   /// True if we're compiling the Linux kernel.
573   bool CompileKernel;
574   /// Track origins (allocation points) of uninitialized values.
575   int TrackOrigins;
576   bool Recover;
577   bool EagerChecks;
578 
579   Triple TargetTriple;
580   LLVMContext *C;
581   Type *IntptrTy;  ///< Integer type with the size of a ptr in default AS.
582   Type *OriginTy;
583   PointerType *PtrTy; ///< Integer type with the size of a ptr in default AS.
584 
585   // XxxTLS variables represent the per-thread state in MSan and per-task state
586   // in KMSAN.
587   // For the userspace these point to thread-local globals. In the kernel land
588   // they point to the members of a per-task struct obtained via a call to
589   // __msan_get_context_state().
590 
591   /// Thread-local shadow storage for function parameters.
592   Value *ParamTLS;
593 
594   /// Thread-local origin storage for function parameters.
595   Value *ParamOriginTLS;
596 
597   /// Thread-local shadow storage for function return value.
598   Value *RetvalTLS;
599 
600   /// Thread-local origin storage for function return value.
601   Value *RetvalOriginTLS;
602 
603   /// Thread-local shadow storage for in-register va_arg function.
604   Value *VAArgTLS;
605 
606   /// Thread-local shadow storage for in-register va_arg function.
607   Value *VAArgOriginTLS;
608 
609   /// Thread-local shadow storage for va_arg overflow area.
610   Value *VAArgOverflowSizeTLS;
611 
612   /// Are the instrumentation callbacks set up?
613   bool CallbacksInitialized = false;
614 
615   /// The run-time callback to print a warning.
616   FunctionCallee WarningFn;
617 
618   // These arrays are indexed by log2(AccessSize).
619   FunctionCallee MaybeWarningFn[kNumberOfAccessSizes];
620   FunctionCallee MaybeStoreOriginFn[kNumberOfAccessSizes];
621 
622   /// Run-time helper that generates a new origin value for a stack
623   /// allocation.
624   FunctionCallee MsanSetAllocaOriginWithDescriptionFn;
625   // No description version
626   FunctionCallee MsanSetAllocaOriginNoDescriptionFn;
627 
628   /// Run-time helper that poisons stack on function entry.
629   FunctionCallee MsanPoisonStackFn;
630 
631   /// Run-time helper that records a store (or any event) of an
632   /// uninitialized value and returns an updated origin id encoding this info.
633   FunctionCallee MsanChainOriginFn;
634 
635   /// Run-time helper that paints an origin over a region.
636   FunctionCallee MsanSetOriginFn;
637 
638   /// MSan runtime replacements for memmove, memcpy and memset.
639   FunctionCallee MemmoveFn, MemcpyFn, MemsetFn;
640 
641   /// KMSAN callback for task-local function argument shadow.
642   StructType *MsanContextStateTy;
643   FunctionCallee MsanGetContextStateFn;
644 
645   /// Functions for poisoning/unpoisoning local variables
646   FunctionCallee MsanPoisonAllocaFn, MsanUnpoisonAllocaFn;
647 
648   /// Pair of shadow/origin pointers.
649   Type *MsanMetadata;
650 
651   /// Each of the MsanMetadataPtrXxx functions returns a MsanMetadata.
652   FunctionCallee MsanMetadataPtrForLoadN, MsanMetadataPtrForStoreN;
653   FunctionCallee MsanMetadataPtrForLoad_1_8[4];
654   FunctionCallee MsanMetadataPtrForStore_1_8[4];
655   FunctionCallee MsanInstrumentAsmStoreFn;
656 
657   /// Storage for return values of the MsanMetadataPtrXxx functions.
658   Value *MsanMetadataAlloca;
659 
660   /// Helper to choose between different MsanMetadataPtrXxx().
661   FunctionCallee getKmsanShadowOriginAccessFn(bool isStore, int size);
662 
663   /// Memory map parameters used in application-to-shadow calculation.
664   const MemoryMapParams *MapParams;
665 
666   /// Custom memory map parameters used when -msan-shadow-base or
667   // -msan-origin-base is provided.
668   MemoryMapParams CustomMapParams;
669 
670   MDNode *ColdCallWeights;
671 
672   /// Branch weights for origin store.
673   MDNode *OriginStoreWeights;
674 };
675 
insertModuleCtor(Module & M)676 void insertModuleCtor(Module &M) {
677   getOrCreateSanitizerCtorAndInitFunctions(
678       M, kMsanModuleCtorName, kMsanInitName,
679       /*InitArgTypes=*/{},
680       /*InitArgs=*/{},
681       // This callback is invoked when the functions are created the first
682       // time. Hook them into the global ctors list in that case:
683       [&](Function *Ctor, FunctionCallee) {
684         if (!ClWithComdat) {
685           appendToGlobalCtors(M, Ctor, 0);
686           return;
687         }
688         Comdat *MsanCtorComdat = M.getOrInsertComdat(kMsanModuleCtorName);
689         Ctor->setComdat(MsanCtorComdat);
690         appendToGlobalCtors(M, Ctor, 0, Ctor);
691       });
692 }
693 
getOptOrDefault(const cl::opt<T> & Opt,T Default)694 template <class T> T getOptOrDefault(const cl::opt<T> &Opt, T Default) {
695   return (Opt.getNumOccurrences() > 0) ? Opt : Default;
696 }
697 
698 } // end anonymous namespace
699 
MemorySanitizerOptions(int TO,bool R,bool K,bool EagerChecks)700 MemorySanitizerOptions::MemorySanitizerOptions(int TO, bool R, bool K,
701                                                bool EagerChecks)
702     : Kernel(getOptOrDefault(ClEnableKmsan, K)),
703       TrackOrigins(getOptOrDefault(ClTrackOrigins, Kernel ? 2 : TO)),
704       Recover(getOptOrDefault(ClKeepGoing, Kernel || R)),
705       EagerChecks(getOptOrDefault(ClEagerChecks, EagerChecks)) {}
706 
run(Module & M,ModuleAnalysisManager & AM)707 PreservedAnalyses MemorySanitizerPass::run(Module &M,
708                                            ModuleAnalysisManager &AM) {
709   bool Modified = false;
710   if (!Options.Kernel) {
711     insertModuleCtor(M);
712     Modified = true;
713   }
714 
715   auto &FAM = AM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager();
716   for (Function &F : M) {
717     if (F.empty())
718       continue;
719     MemorySanitizer Msan(*F.getParent(), Options);
720     Modified |=
721         Msan.sanitizeFunction(F, FAM.getResult<TargetLibraryAnalysis>(F));
722   }
723 
724   if (!Modified)
725     return PreservedAnalyses::all();
726 
727   PreservedAnalyses PA = PreservedAnalyses::none();
728   // GlobalsAA is considered stateless and does not get invalidated unless
729   // explicitly invalidated; PreservedAnalyses::none() is not enough. Sanitizers
730   // make changes that require GlobalsAA to be invalidated.
731   PA.abandon<GlobalsAA>();
732   return PA;
733 }
734 
printPipeline(raw_ostream & OS,function_ref<StringRef (StringRef)> MapClassName2PassName)735 void MemorySanitizerPass::printPipeline(
736     raw_ostream &OS, function_ref<StringRef(StringRef)> MapClassName2PassName) {
737   static_cast<PassInfoMixin<MemorySanitizerPass> *>(this)->printPipeline(
738       OS, MapClassName2PassName);
739   OS << '<';
740   if (Options.Recover)
741     OS << "recover;";
742   if (Options.Kernel)
743     OS << "kernel;";
744   if (Options.EagerChecks)
745     OS << "eager-checks;";
746   OS << "track-origins=" << Options.TrackOrigins;
747   OS << '>';
748 }
749 
750 /// Create a non-const global initialized with the given string.
751 ///
752 /// Creates a writable global for Str so that we can pass it to the
753 /// run-time lib. Runtime uses first 4 bytes of the string to store the
754 /// frame ID, so the string needs to be mutable.
createPrivateConstGlobalForString(Module & M,StringRef Str)755 static GlobalVariable *createPrivateConstGlobalForString(Module &M,
756                                                          StringRef Str) {
757   Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);
758   return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/true,
759                             GlobalValue::PrivateLinkage, StrConst, "");
760 }
761 
762 template <typename... ArgsTy>
763 FunctionCallee
getOrInsertMsanMetadataFunction(Module & M,StringRef Name,ArgsTy...Args)764 MemorySanitizer::getOrInsertMsanMetadataFunction(Module &M, StringRef Name,
765                                                  ArgsTy... Args) {
766   if (TargetTriple.getArch() == Triple::systemz) {
767     // SystemZ ABI: shadow/origin pair is returned via a hidden parameter.
768     return M.getOrInsertFunction(Name, Type::getVoidTy(*C),
769                                  PointerType::get(MsanMetadata, 0),
770                                  std::forward<ArgsTy>(Args)...);
771   }
772 
773   return M.getOrInsertFunction(Name, MsanMetadata,
774                                std::forward<ArgsTy>(Args)...);
775 }
776 
777 /// Create KMSAN API callbacks.
createKernelApi(Module & M,const TargetLibraryInfo & TLI)778 void MemorySanitizer::createKernelApi(Module &M, const TargetLibraryInfo &TLI) {
779   IRBuilder<> IRB(*C);
780 
781   // These will be initialized in insertKmsanPrologue().
782   RetvalTLS = nullptr;
783   RetvalOriginTLS = nullptr;
784   ParamTLS = nullptr;
785   ParamOriginTLS = nullptr;
786   VAArgTLS = nullptr;
787   VAArgOriginTLS = nullptr;
788   VAArgOverflowSizeTLS = nullptr;
789 
790   WarningFn = M.getOrInsertFunction("__msan_warning",
791                                     TLI.getAttrList(C, {0}, /*Signed=*/false),
792                                     IRB.getVoidTy(), IRB.getInt32Ty());
793 
794   // Requests the per-task context state (kmsan_context_state*) from the
795   // runtime library.
796   MsanContextStateTy = StructType::get(
797       ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
798       ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8),
799       ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
800       ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), /* va_arg_origin */
801       IRB.getInt64Ty(), ArrayType::get(OriginTy, kParamTLSSize / 4), OriginTy,
802       OriginTy);
803   MsanGetContextStateFn = M.getOrInsertFunction(
804       "__msan_get_context_state", PointerType::get(MsanContextStateTy, 0));
805 
806   MsanMetadata = StructType::get(PointerType::get(IRB.getInt8Ty(), 0),
807                                  PointerType::get(IRB.getInt32Ty(), 0));
808 
809   for (int ind = 0, size = 1; ind < 4; ind++, size <<= 1) {
810     std::string name_load =
811         "__msan_metadata_ptr_for_load_" + std::to_string(size);
812     std::string name_store =
813         "__msan_metadata_ptr_for_store_" + std::to_string(size);
814     MsanMetadataPtrForLoad_1_8[ind] = getOrInsertMsanMetadataFunction(
815         M, name_load, PointerType::get(IRB.getInt8Ty(), 0));
816     MsanMetadataPtrForStore_1_8[ind] = getOrInsertMsanMetadataFunction(
817         M, name_store, PointerType::get(IRB.getInt8Ty(), 0));
818   }
819 
820   MsanMetadataPtrForLoadN = getOrInsertMsanMetadataFunction(
821       M, "__msan_metadata_ptr_for_load_n", PointerType::get(IRB.getInt8Ty(), 0),
822       IRB.getInt64Ty());
823   MsanMetadataPtrForStoreN = getOrInsertMsanMetadataFunction(
824       M, "__msan_metadata_ptr_for_store_n",
825       PointerType::get(IRB.getInt8Ty(), 0), IRB.getInt64Ty());
826 
827   // Functions for poisoning and unpoisoning memory.
828   MsanPoisonAllocaFn = M.getOrInsertFunction(
829       "__msan_poison_alloca", IRB.getVoidTy(), PtrTy, IntptrTy, PtrTy);
830   MsanUnpoisonAllocaFn = M.getOrInsertFunction(
831       "__msan_unpoison_alloca", IRB.getVoidTy(), PtrTy, IntptrTy);
832 }
833 
getOrInsertGlobal(Module & M,StringRef Name,Type * Ty)834 static Constant *getOrInsertGlobal(Module &M, StringRef Name, Type *Ty) {
835   return M.getOrInsertGlobal(Name, Ty, [&] {
836     return new GlobalVariable(M, Ty, false, GlobalVariable::ExternalLinkage,
837                               nullptr, Name, nullptr,
838                               GlobalVariable::InitialExecTLSModel);
839   });
840 }
841 
842 /// Insert declarations for userspace-specific functions and globals.
createUserspaceApi(Module & M,const TargetLibraryInfo & TLI)843 void MemorySanitizer::createUserspaceApi(Module &M, const TargetLibraryInfo &TLI) {
844   IRBuilder<> IRB(*C);
845 
846   // Create the callback.
847   // FIXME: this function should have "Cold" calling conv,
848   // which is not yet implemented.
849   if (TrackOrigins) {
850     StringRef WarningFnName = Recover ? "__msan_warning_with_origin"
851                                       : "__msan_warning_with_origin_noreturn";
852     WarningFn = M.getOrInsertFunction(WarningFnName,
853                                       TLI.getAttrList(C, {0}, /*Signed=*/false),
854                                       IRB.getVoidTy(), IRB.getInt32Ty());
855   } else {
856     StringRef WarningFnName =
857         Recover ? "__msan_warning" : "__msan_warning_noreturn";
858     WarningFn = M.getOrInsertFunction(WarningFnName, IRB.getVoidTy());
859   }
860 
861   // Create the global TLS variables.
862   RetvalTLS =
863       getOrInsertGlobal(M, "__msan_retval_tls",
864                         ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8));
865 
866   RetvalOriginTLS = getOrInsertGlobal(M, "__msan_retval_origin_tls", OriginTy);
867 
868   ParamTLS =
869       getOrInsertGlobal(M, "__msan_param_tls",
870                         ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8));
871 
872   ParamOriginTLS =
873       getOrInsertGlobal(M, "__msan_param_origin_tls",
874                         ArrayType::get(OriginTy, kParamTLSSize / 4));
875 
876   VAArgTLS =
877       getOrInsertGlobal(M, "__msan_va_arg_tls",
878                         ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8));
879 
880   VAArgOriginTLS =
881       getOrInsertGlobal(M, "__msan_va_arg_origin_tls",
882                         ArrayType::get(OriginTy, kParamTLSSize / 4));
883 
884   VAArgOverflowSizeTLS =
885       getOrInsertGlobal(M, "__msan_va_arg_overflow_size_tls", IRB.getInt64Ty());
886 
887   for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
888        AccessSizeIndex++) {
889     unsigned AccessSize = 1 << AccessSizeIndex;
890     std::string FunctionName = "__msan_maybe_warning_" + itostr(AccessSize);
891     MaybeWarningFn[AccessSizeIndex] = M.getOrInsertFunction(
892         FunctionName, TLI.getAttrList(C, {0, 1}, /*Signed=*/false),
893         IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8), IRB.getInt32Ty());
894 
895     FunctionName = "__msan_maybe_store_origin_" + itostr(AccessSize);
896     MaybeStoreOriginFn[AccessSizeIndex] = M.getOrInsertFunction(
897         FunctionName, TLI.getAttrList(C, {0, 2}, /*Signed=*/false),
898         IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8), PtrTy,
899         IRB.getInt32Ty());
900   }
901 
902   MsanSetAllocaOriginWithDescriptionFn =
903       M.getOrInsertFunction("__msan_set_alloca_origin_with_descr",
904                             IRB.getVoidTy(), PtrTy, IntptrTy, PtrTy, PtrTy);
905   MsanSetAllocaOriginNoDescriptionFn =
906       M.getOrInsertFunction("__msan_set_alloca_origin_no_descr",
907                             IRB.getVoidTy(), PtrTy, IntptrTy, PtrTy);
908   MsanPoisonStackFn = M.getOrInsertFunction("__msan_poison_stack",
909                                             IRB.getVoidTy(), PtrTy, IntptrTy);
910 }
911 
912 /// Insert extern declaration of runtime-provided functions and globals.
initializeCallbacks(Module & M,const TargetLibraryInfo & TLI)913 void MemorySanitizer::initializeCallbacks(Module &M, const TargetLibraryInfo &TLI) {
914   // Only do this once.
915   if (CallbacksInitialized)
916     return;
917 
918   IRBuilder<> IRB(*C);
919   // Initialize callbacks that are common for kernel and userspace
920   // instrumentation.
921   MsanChainOriginFn = M.getOrInsertFunction(
922       "__msan_chain_origin",
923       TLI.getAttrList(C, {0}, /*Signed=*/false, /*Ret=*/true), IRB.getInt32Ty(),
924       IRB.getInt32Ty());
925   MsanSetOriginFn = M.getOrInsertFunction(
926       "__msan_set_origin", TLI.getAttrList(C, {2}, /*Signed=*/false),
927       IRB.getVoidTy(), PtrTy, IntptrTy, IRB.getInt32Ty());
928   MemmoveFn =
929       M.getOrInsertFunction("__msan_memmove", PtrTy, PtrTy, PtrTy, IntptrTy);
930   MemcpyFn =
931       M.getOrInsertFunction("__msan_memcpy", PtrTy, PtrTy, PtrTy, IntptrTy);
932   MemsetFn = M.getOrInsertFunction("__msan_memset",
933                                    TLI.getAttrList(C, {1}, /*Signed=*/true),
934                                    PtrTy, PtrTy, IRB.getInt32Ty(), IntptrTy);
935 
936   MsanInstrumentAsmStoreFn =
937       M.getOrInsertFunction("__msan_instrument_asm_store", IRB.getVoidTy(),
938                             PointerType::get(IRB.getInt8Ty(), 0), IntptrTy);
939 
940   if (CompileKernel) {
941     createKernelApi(M, TLI);
942   } else {
943     createUserspaceApi(M, TLI);
944   }
945   CallbacksInitialized = true;
946 }
947 
getKmsanShadowOriginAccessFn(bool isStore,int size)948 FunctionCallee MemorySanitizer::getKmsanShadowOriginAccessFn(bool isStore,
949                                                              int size) {
950   FunctionCallee *Fns =
951       isStore ? MsanMetadataPtrForStore_1_8 : MsanMetadataPtrForLoad_1_8;
952   switch (size) {
953   case 1:
954     return Fns[0];
955   case 2:
956     return Fns[1];
957   case 4:
958     return Fns[2];
959   case 8:
960     return Fns[3];
961   default:
962     return nullptr;
963   }
964 }
965 
966 /// Module-level initialization.
967 ///
968 /// inserts a call to __msan_init to the module's constructor list.
initializeModule(Module & M)969 void MemorySanitizer::initializeModule(Module &M) {
970   auto &DL = M.getDataLayout();
971 
972   TargetTriple = Triple(M.getTargetTriple());
973 
974   bool ShadowPassed = ClShadowBase.getNumOccurrences() > 0;
975   bool OriginPassed = ClOriginBase.getNumOccurrences() > 0;
976   // Check the overrides first
977   if (ShadowPassed || OriginPassed) {
978     CustomMapParams.AndMask = ClAndMask;
979     CustomMapParams.XorMask = ClXorMask;
980     CustomMapParams.ShadowBase = ClShadowBase;
981     CustomMapParams.OriginBase = ClOriginBase;
982     MapParams = &CustomMapParams;
983   } else {
984     switch (TargetTriple.getOS()) {
985     case Triple::FreeBSD:
986       switch (TargetTriple.getArch()) {
987       case Triple::aarch64:
988         MapParams = FreeBSD_ARM_MemoryMapParams.bits64;
989         break;
990       case Triple::x86_64:
991         MapParams = FreeBSD_X86_MemoryMapParams.bits64;
992         break;
993       case Triple::x86:
994         MapParams = FreeBSD_X86_MemoryMapParams.bits32;
995         break;
996       default:
997         report_fatal_error("unsupported architecture");
998       }
999       break;
1000     case Triple::NetBSD:
1001       switch (TargetTriple.getArch()) {
1002       case Triple::x86_64:
1003         MapParams = NetBSD_X86_MemoryMapParams.bits64;
1004         break;
1005       default:
1006         report_fatal_error("unsupported architecture");
1007       }
1008       break;
1009     case Triple::Linux:
1010       switch (TargetTriple.getArch()) {
1011       case Triple::x86_64:
1012         MapParams = Linux_X86_MemoryMapParams.bits64;
1013         break;
1014       case Triple::x86:
1015         MapParams = Linux_X86_MemoryMapParams.bits32;
1016         break;
1017       case Triple::mips64:
1018       case Triple::mips64el:
1019         MapParams = Linux_MIPS_MemoryMapParams.bits64;
1020         break;
1021       case Triple::ppc64:
1022       case Triple::ppc64le:
1023         MapParams = Linux_PowerPC_MemoryMapParams.bits64;
1024         break;
1025       case Triple::systemz:
1026         MapParams = Linux_S390_MemoryMapParams.bits64;
1027         break;
1028       case Triple::aarch64:
1029       case Triple::aarch64_be:
1030         MapParams = Linux_ARM_MemoryMapParams.bits64;
1031         break;
1032       case Triple::loongarch64:
1033         MapParams = Linux_LoongArch_MemoryMapParams.bits64;
1034         break;
1035       default:
1036         report_fatal_error("unsupported architecture");
1037       }
1038       break;
1039     default:
1040       report_fatal_error("unsupported operating system");
1041     }
1042   }
1043 
1044   C = &(M.getContext());
1045   IRBuilder<> IRB(*C);
1046   IntptrTy = IRB.getIntPtrTy(DL);
1047   OriginTy = IRB.getInt32Ty();
1048   PtrTy = IRB.getPtrTy();
1049 
1050   ColdCallWeights = MDBuilder(*C).createUnlikelyBranchWeights();
1051   OriginStoreWeights = MDBuilder(*C).createUnlikelyBranchWeights();
1052 
1053   if (!CompileKernel) {
1054     if (TrackOrigins)
1055       M.getOrInsertGlobal("__msan_track_origins", IRB.getInt32Ty(), [&] {
1056         return new GlobalVariable(
1057             M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage,
1058             IRB.getInt32(TrackOrigins), "__msan_track_origins");
1059       });
1060 
1061     if (Recover)
1062       M.getOrInsertGlobal("__msan_keep_going", IRB.getInt32Ty(), [&] {
1063         return new GlobalVariable(M, IRB.getInt32Ty(), true,
1064                                   GlobalValue::WeakODRLinkage,
1065                                   IRB.getInt32(Recover), "__msan_keep_going");
1066       });
1067   }
1068 }
1069 
1070 namespace {
1071 
1072 /// A helper class that handles instrumentation of VarArg
1073 /// functions on a particular platform.
1074 ///
1075 /// Implementations are expected to insert the instrumentation
1076 /// necessary to propagate argument shadow through VarArg function
1077 /// calls. Visit* methods are called during an InstVisitor pass over
1078 /// the function, and should avoid creating new basic blocks. A new
1079 /// instance of this class is created for each instrumented function.
1080 struct VarArgHelper {
1081   virtual ~VarArgHelper() = default;
1082 
1083   /// Visit a CallBase.
1084   virtual void visitCallBase(CallBase &CB, IRBuilder<> &IRB) = 0;
1085 
1086   /// Visit a va_start call.
1087   virtual void visitVAStartInst(VAStartInst &I) = 0;
1088 
1089   /// Visit a va_copy call.
1090   virtual void visitVACopyInst(VACopyInst &I) = 0;
1091 
1092   /// Finalize function instrumentation.
1093   ///
1094   /// This method is called after visiting all interesting (see above)
1095   /// instructions in a function.
1096   virtual void finalizeInstrumentation() = 0;
1097 };
1098 
1099 struct MemorySanitizerVisitor;
1100 
1101 } // end anonymous namespace
1102 
1103 static VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
1104                                         MemorySanitizerVisitor &Visitor);
1105 
TypeSizeToSizeIndex(TypeSize TS)1106 static unsigned TypeSizeToSizeIndex(TypeSize TS) {
1107   if (TS.isScalable())
1108     // Scalable types unconditionally take slowpaths.
1109     return kNumberOfAccessSizes;
1110   unsigned TypeSizeFixed = TS.getFixedValue();
1111   if (TypeSizeFixed <= 8)
1112     return 0;
1113   return Log2_32_Ceil((TypeSizeFixed + 7) / 8);
1114 }
1115 
1116 namespace {
1117 
1118 /// Helper class to attach debug information of the given instruction onto new
1119 /// instructions inserted after.
1120 class NextNodeIRBuilder : public IRBuilder<> {
1121 public:
NextNodeIRBuilder(Instruction * IP)1122   explicit NextNodeIRBuilder(Instruction *IP) : IRBuilder<>(IP->getNextNode()) {
1123     SetCurrentDebugLocation(IP->getDebugLoc());
1124   }
1125 };
1126 
1127 /// This class does all the work for a given function. Store and Load
1128 /// instructions store and load corresponding shadow and origin
1129 /// values. Most instructions propagate shadow from arguments to their
1130 /// return values. Certain instructions (most importantly, BranchInst)
1131 /// test their argument shadow and print reports (with a runtime call) if it's
1132 /// non-zero.
1133 struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
1134   Function &F;
1135   MemorySanitizer &MS;
1136   SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes;
1137   ValueMap<Value *, Value *> ShadowMap, OriginMap;
1138   std::unique_ptr<VarArgHelper> VAHelper;
1139   const TargetLibraryInfo *TLI;
1140   Instruction *FnPrologueEnd;
1141   SmallVector<Instruction *, 16> Instructions;
1142 
1143   // The following flags disable parts of MSan instrumentation based on
1144   // exclusion list contents and command-line options.
1145   bool InsertChecks;
1146   bool PropagateShadow;
1147   bool PoisonStack;
1148   bool PoisonUndef;
1149 
1150   struct ShadowOriginAndInsertPoint {
1151     Value *Shadow;
1152     Value *Origin;
1153     Instruction *OrigIns;
1154 
ShadowOriginAndInsertPoint__anonb346f5430811::MemorySanitizerVisitor::ShadowOriginAndInsertPoint1155     ShadowOriginAndInsertPoint(Value *S, Value *O, Instruction *I)
1156         : Shadow(S), Origin(O), OrigIns(I) {}
1157   };
1158   SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList;
1159   DenseMap<const DILocation *, int> LazyWarningDebugLocationCount;
1160   bool InstrumentLifetimeStart = ClHandleLifetimeIntrinsics;
1161   SmallSetVector<AllocaInst *, 16> AllocaSet;
1162   SmallVector<std::pair<IntrinsicInst *, AllocaInst *>, 16> LifetimeStartList;
1163   SmallVector<StoreInst *, 16> StoreList;
1164   int64_t SplittableBlocksCount = 0;
1165 
MemorySanitizerVisitor__anonb346f5430811::MemorySanitizerVisitor1166   MemorySanitizerVisitor(Function &F, MemorySanitizer &MS,
1167                          const TargetLibraryInfo &TLI)
1168       : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)), TLI(&TLI) {
1169     bool SanitizeFunction =
1170         F.hasFnAttribute(Attribute::SanitizeMemory) && !ClDisableChecks;
1171     InsertChecks = SanitizeFunction;
1172     PropagateShadow = SanitizeFunction;
1173     PoisonStack = SanitizeFunction && ClPoisonStack;
1174     PoisonUndef = SanitizeFunction && ClPoisonUndef;
1175 
1176     // In the presence of unreachable blocks, we may see Phi nodes with
1177     // incoming nodes from such blocks. Since InstVisitor skips unreachable
1178     // blocks, such nodes will not have any shadow value associated with them.
1179     // It's easier to remove unreachable blocks than deal with missing shadow.
1180     removeUnreachableBlocks(F);
1181 
1182     MS.initializeCallbacks(*F.getParent(), TLI);
1183     FnPrologueEnd = IRBuilder<>(F.getEntryBlock().getFirstNonPHI())
1184                         .CreateIntrinsic(Intrinsic::donothing, {}, {});
1185 
1186     if (MS.CompileKernel) {
1187       IRBuilder<> IRB(FnPrologueEnd);
1188       insertKmsanPrologue(IRB);
1189     }
1190 
1191     LLVM_DEBUG(if (!InsertChecks) dbgs()
1192                << "MemorySanitizer is not inserting checks into '"
1193                << F.getName() << "'\n");
1194   }
1195 
instrumentWithCalls__anonb346f5430811::MemorySanitizerVisitor1196   bool instrumentWithCalls(Value *V) {
1197     // Constants likely will be eliminated by follow-up passes.
1198     if (isa<Constant>(V))
1199       return false;
1200 
1201     ++SplittableBlocksCount;
1202     return ClInstrumentationWithCallThreshold >= 0 &&
1203            SplittableBlocksCount > ClInstrumentationWithCallThreshold;
1204   }
1205 
isInPrologue__anonb346f5430811::MemorySanitizerVisitor1206   bool isInPrologue(Instruction &I) {
1207     return I.getParent() == FnPrologueEnd->getParent() &&
1208            (&I == FnPrologueEnd || I.comesBefore(FnPrologueEnd));
1209   }
1210 
1211   // Creates a new origin and records the stack trace. In general we can call
1212   // this function for any origin manipulation we like. However it will cost
1213   // runtime resources. So use this wisely only if it can provide additional
1214   // information helpful to a user.
updateOrigin__anonb346f5430811::MemorySanitizerVisitor1215   Value *updateOrigin(Value *V, IRBuilder<> &IRB) {
1216     if (MS.TrackOrigins <= 1)
1217       return V;
1218     return IRB.CreateCall(MS.MsanChainOriginFn, V);
1219   }
1220 
originToIntptr__anonb346f5430811::MemorySanitizerVisitor1221   Value *originToIntptr(IRBuilder<> &IRB, Value *Origin) {
1222     const DataLayout &DL = F.getDataLayout();
1223     unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
1224     if (IntptrSize == kOriginSize)
1225       return Origin;
1226     assert(IntptrSize == kOriginSize * 2);
1227     Origin = IRB.CreateIntCast(Origin, MS.IntptrTy, /* isSigned */ false);
1228     return IRB.CreateOr(Origin, IRB.CreateShl(Origin, kOriginSize * 8));
1229   }
1230 
1231   /// Fill memory range with the given origin value.
paintOrigin__anonb346f5430811::MemorySanitizerVisitor1232   void paintOrigin(IRBuilder<> &IRB, Value *Origin, Value *OriginPtr,
1233                    TypeSize TS, Align Alignment) {
1234     const DataLayout &DL = F.getDataLayout();
1235     const Align IntptrAlignment = DL.getABITypeAlign(MS.IntptrTy);
1236     unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
1237     assert(IntptrAlignment >= kMinOriginAlignment);
1238     assert(IntptrSize >= kOriginSize);
1239 
1240     // Note: The loop based formation works for fixed length vectors too,
1241     // however we prefer to unroll and specialize alignment below.
1242     if (TS.isScalable()) {
1243       Value *Size = IRB.CreateTypeSize(MS.IntptrTy, TS);
1244       Value *RoundUp =
1245           IRB.CreateAdd(Size, ConstantInt::get(MS.IntptrTy, kOriginSize - 1));
1246       Value *End =
1247           IRB.CreateUDiv(RoundUp, ConstantInt::get(MS.IntptrTy, kOriginSize));
1248       auto [InsertPt, Index] =
1249         SplitBlockAndInsertSimpleForLoop(End, &*IRB.GetInsertPoint());
1250       IRB.SetInsertPoint(InsertPt);
1251 
1252       Value *GEP = IRB.CreateGEP(MS.OriginTy, OriginPtr, Index);
1253       IRB.CreateAlignedStore(Origin, GEP, kMinOriginAlignment);
1254       return;
1255     }
1256 
1257     unsigned Size = TS.getFixedValue();
1258 
1259     unsigned Ofs = 0;
1260     Align CurrentAlignment = Alignment;
1261     if (Alignment >= IntptrAlignment && IntptrSize > kOriginSize) {
1262       Value *IntptrOrigin = originToIntptr(IRB, Origin);
1263       Value *IntptrOriginPtr =
1264           IRB.CreatePointerCast(OriginPtr, PointerType::get(MS.IntptrTy, 0));
1265       for (unsigned i = 0; i < Size / IntptrSize; ++i) {
1266         Value *Ptr = i ? IRB.CreateConstGEP1_32(MS.IntptrTy, IntptrOriginPtr, i)
1267                        : IntptrOriginPtr;
1268         IRB.CreateAlignedStore(IntptrOrigin, Ptr, CurrentAlignment);
1269         Ofs += IntptrSize / kOriginSize;
1270         CurrentAlignment = IntptrAlignment;
1271       }
1272     }
1273 
1274     for (unsigned i = Ofs; i < (Size + kOriginSize - 1) / kOriginSize; ++i) {
1275       Value *GEP =
1276           i ? IRB.CreateConstGEP1_32(MS.OriginTy, OriginPtr, i) : OriginPtr;
1277       IRB.CreateAlignedStore(Origin, GEP, CurrentAlignment);
1278       CurrentAlignment = kMinOriginAlignment;
1279     }
1280   }
1281 
storeOrigin__anonb346f5430811::MemorySanitizerVisitor1282   void storeOrigin(IRBuilder<> &IRB, Value *Addr, Value *Shadow, Value *Origin,
1283                    Value *OriginPtr, Align Alignment) {
1284     const DataLayout &DL = F.getDataLayout();
1285     const Align OriginAlignment = std::max(kMinOriginAlignment, Alignment);
1286     TypeSize StoreSize = DL.getTypeStoreSize(Shadow->getType());
1287     // ZExt cannot convert between vector and scalar
1288     Value *ConvertedShadow = convertShadowToScalar(Shadow, IRB);
1289     if (auto *ConstantShadow = dyn_cast<Constant>(ConvertedShadow)) {
1290       if (!ClCheckConstantShadow || ConstantShadow->isZeroValue()) {
1291         // Origin is not needed: value is initialized or const shadow is
1292         // ignored.
1293         return;
1294       }
1295       if (llvm::isKnownNonZero(ConvertedShadow, DL)) {
1296         // Copy origin as the value is definitely uninitialized.
1297         paintOrigin(IRB, updateOrigin(Origin, IRB), OriginPtr, StoreSize,
1298                     OriginAlignment);
1299         return;
1300       }
1301       // Fallback to runtime check, which still can be optimized out later.
1302     }
1303 
1304     TypeSize TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType());
1305     unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
1306     if (instrumentWithCalls(ConvertedShadow) &&
1307         SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
1308       FunctionCallee Fn = MS.MaybeStoreOriginFn[SizeIndex];
1309       Value *ConvertedShadow2 =
1310           IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
1311       CallBase *CB = IRB.CreateCall(Fn, {ConvertedShadow2, Addr, Origin});
1312       CB->addParamAttr(0, Attribute::ZExt);
1313       CB->addParamAttr(2, Attribute::ZExt);
1314     } else {
1315       Value *Cmp = convertToBool(ConvertedShadow, IRB, "_mscmp");
1316       Instruction *CheckTerm = SplitBlockAndInsertIfThen(
1317           Cmp, &*IRB.GetInsertPoint(), false, MS.OriginStoreWeights);
1318       IRBuilder<> IRBNew(CheckTerm);
1319       paintOrigin(IRBNew, updateOrigin(Origin, IRBNew), OriginPtr, StoreSize,
1320                   OriginAlignment);
1321     }
1322   }
1323 
materializeStores__anonb346f5430811::MemorySanitizerVisitor1324   void materializeStores() {
1325     for (StoreInst *SI : StoreList) {
1326       IRBuilder<> IRB(SI);
1327       Value *Val = SI->getValueOperand();
1328       Value *Addr = SI->getPointerOperand();
1329       Value *Shadow = SI->isAtomic() ? getCleanShadow(Val) : getShadow(Val);
1330       Value *ShadowPtr, *OriginPtr;
1331       Type *ShadowTy = Shadow->getType();
1332       const Align Alignment = SI->getAlign();
1333       const Align OriginAlignment = std::max(kMinOriginAlignment, Alignment);
1334       std::tie(ShadowPtr, OriginPtr) =
1335           getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ true);
1336 
1337       StoreInst *NewSI = IRB.CreateAlignedStore(Shadow, ShadowPtr, Alignment);
1338       LLVM_DEBUG(dbgs() << "  STORE: " << *NewSI << "\n");
1339       (void)NewSI;
1340 
1341       if (SI->isAtomic())
1342         SI->setOrdering(addReleaseOrdering(SI->getOrdering()));
1343 
1344       if (MS.TrackOrigins && !SI->isAtomic())
1345         storeOrigin(IRB, Addr, Shadow, getOrigin(Val), OriginPtr,
1346                     OriginAlignment);
1347     }
1348   }
1349 
1350   // Returns true if Debug Location corresponds to multiple warnings.
shouldDisambiguateWarningLocation__anonb346f5430811::MemorySanitizerVisitor1351   bool shouldDisambiguateWarningLocation(const DebugLoc &DebugLoc) {
1352     if (MS.TrackOrigins < 2)
1353       return false;
1354 
1355     if (LazyWarningDebugLocationCount.empty())
1356       for (const auto &I : InstrumentationList)
1357         ++LazyWarningDebugLocationCount[I.OrigIns->getDebugLoc()];
1358 
1359     return LazyWarningDebugLocationCount[DebugLoc] >= ClDisambiguateWarning;
1360   }
1361 
1362   /// Helper function to insert a warning at IRB's current insert point.
insertWarningFn__anonb346f5430811::MemorySanitizerVisitor1363   void insertWarningFn(IRBuilder<> &IRB, Value *Origin) {
1364     if (!Origin)
1365       Origin = (Value *)IRB.getInt32(0);
1366     assert(Origin->getType()->isIntegerTy());
1367 
1368     if (shouldDisambiguateWarningLocation(IRB.getCurrentDebugLocation())) {
1369       // Try to create additional origin with debug info of the last origin
1370       // instruction. It may provide additional information to the user.
1371       if (Instruction *OI = dyn_cast_or_null<Instruction>(Origin)) {
1372         assert(MS.TrackOrigins);
1373         auto NewDebugLoc = OI->getDebugLoc();
1374         // Origin update with missing or the same debug location provides no
1375         // additional value.
1376         if (NewDebugLoc && NewDebugLoc != IRB.getCurrentDebugLocation()) {
1377           // Insert update just before the check, so we call runtime only just
1378           // before the report.
1379           IRBuilder<> IRBOrigin(&*IRB.GetInsertPoint());
1380           IRBOrigin.SetCurrentDebugLocation(NewDebugLoc);
1381           Origin = updateOrigin(Origin, IRBOrigin);
1382         }
1383       }
1384     }
1385 
1386     if (MS.CompileKernel || MS.TrackOrigins)
1387       IRB.CreateCall(MS.WarningFn, Origin)->setCannotMerge();
1388     else
1389       IRB.CreateCall(MS.WarningFn)->setCannotMerge();
1390     // FIXME: Insert UnreachableInst if !MS.Recover?
1391     // This may invalidate some of the following checks and needs to be done
1392     // at the very end.
1393   }
1394 
materializeOneCheck__anonb346f5430811::MemorySanitizerVisitor1395   void materializeOneCheck(IRBuilder<> &IRB, Value *ConvertedShadow,
1396                            Value *Origin) {
1397     const DataLayout &DL = F.getDataLayout();
1398     TypeSize TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType());
1399     unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
1400     if (instrumentWithCalls(ConvertedShadow) &&
1401         SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
1402       FunctionCallee Fn = MS.MaybeWarningFn[SizeIndex];
1403       // ZExt cannot convert between vector and scalar
1404       ConvertedShadow = convertShadowToScalar(ConvertedShadow, IRB);
1405       Value *ConvertedShadow2 =
1406           IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
1407       CallBase *CB = IRB.CreateCall(
1408           Fn, {ConvertedShadow2,
1409                MS.TrackOrigins && Origin ? Origin : (Value *)IRB.getInt32(0)});
1410       CB->addParamAttr(0, Attribute::ZExt);
1411       CB->addParamAttr(1, Attribute::ZExt);
1412     } else {
1413       Value *Cmp = convertToBool(ConvertedShadow, IRB, "_mscmp");
1414       Instruction *CheckTerm = SplitBlockAndInsertIfThen(
1415           Cmp, &*IRB.GetInsertPoint(),
1416           /* Unreachable */ !MS.Recover, MS.ColdCallWeights);
1417 
1418       IRB.SetInsertPoint(CheckTerm);
1419       insertWarningFn(IRB, Origin);
1420       LLVM_DEBUG(dbgs() << "  CHECK: " << *Cmp << "\n");
1421     }
1422   }
1423 
materializeInstructionChecks__anonb346f5430811::MemorySanitizerVisitor1424   void materializeInstructionChecks(
1425       ArrayRef<ShadowOriginAndInsertPoint> InstructionChecks) {
1426     const DataLayout &DL = F.getDataLayout();
1427     // Disable combining in some cases. TrackOrigins checks each shadow to pick
1428     // correct origin.
1429     bool Combine = !MS.TrackOrigins;
1430     Instruction *Instruction = InstructionChecks.front().OrigIns;
1431     Value *Shadow = nullptr;
1432     for (const auto &ShadowData : InstructionChecks) {
1433       assert(ShadowData.OrigIns == Instruction);
1434       IRBuilder<> IRB(Instruction);
1435 
1436       Value *ConvertedShadow = ShadowData.Shadow;
1437 
1438       if (auto *ConstantShadow = dyn_cast<Constant>(ConvertedShadow)) {
1439         if (!ClCheckConstantShadow || ConstantShadow->isZeroValue()) {
1440           // Skip, value is initialized or const shadow is ignored.
1441           continue;
1442         }
1443         if (llvm::isKnownNonZero(ConvertedShadow, DL)) {
1444           // Report as the value is definitely uninitialized.
1445           insertWarningFn(IRB, ShadowData.Origin);
1446           if (!MS.Recover)
1447             return; // Always fail and stop here, not need to check the rest.
1448           // Skip entire instruction,
1449           continue;
1450         }
1451         // Fallback to runtime check, which still can be optimized out later.
1452       }
1453 
1454       if (!Combine) {
1455         materializeOneCheck(IRB, ConvertedShadow, ShadowData.Origin);
1456         continue;
1457       }
1458 
1459       if (!Shadow) {
1460         Shadow = ConvertedShadow;
1461         continue;
1462       }
1463 
1464       Shadow = convertToBool(Shadow, IRB, "_mscmp");
1465       ConvertedShadow = convertToBool(ConvertedShadow, IRB, "_mscmp");
1466       Shadow = IRB.CreateOr(Shadow, ConvertedShadow, "_msor");
1467     }
1468 
1469     if (Shadow) {
1470       assert(Combine);
1471       IRBuilder<> IRB(Instruction);
1472       materializeOneCheck(IRB, Shadow, nullptr);
1473     }
1474   }
1475 
materializeChecks__anonb346f5430811::MemorySanitizerVisitor1476   void materializeChecks() {
1477 #ifndef NDEBUG
1478     // For assert below.
1479     SmallPtrSet<Instruction *, 16> Done;
1480 #endif
1481 
1482     for (auto I = InstrumentationList.begin();
1483          I != InstrumentationList.end();) {
1484       auto OrigIns = I->OrigIns;
1485       // Checks are grouped by the original instruction. We call all
1486       // `insertShadowCheck` for an instruction at once.
1487       assert(Done.insert(OrigIns).second);
1488       auto J = std::find_if(I + 1, InstrumentationList.end(),
1489                             [OrigIns](const ShadowOriginAndInsertPoint &R) {
1490                               return OrigIns != R.OrigIns;
1491                             });
1492       // Process all checks of instruction at once.
1493       materializeInstructionChecks(ArrayRef<ShadowOriginAndInsertPoint>(I, J));
1494       I = J;
1495     }
1496 
1497     LLVM_DEBUG(dbgs() << "DONE:\n" << F);
1498   }
1499 
1500   // Returns the last instruction in the new prologue
insertKmsanPrologue__anonb346f5430811::MemorySanitizerVisitor1501   void insertKmsanPrologue(IRBuilder<> &IRB) {
1502     Value *ContextState = IRB.CreateCall(MS.MsanGetContextStateFn, {});
1503     Constant *Zero = IRB.getInt32(0);
1504     MS.ParamTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1505                                 {Zero, IRB.getInt32(0)}, "param_shadow");
1506     MS.RetvalTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1507                                  {Zero, IRB.getInt32(1)}, "retval_shadow");
1508     MS.VAArgTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1509                                 {Zero, IRB.getInt32(2)}, "va_arg_shadow");
1510     MS.VAArgOriginTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1511                                       {Zero, IRB.getInt32(3)}, "va_arg_origin");
1512     MS.VAArgOverflowSizeTLS =
1513         IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1514                       {Zero, IRB.getInt32(4)}, "va_arg_overflow_size");
1515     MS.ParamOriginTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1516                                       {Zero, IRB.getInt32(5)}, "param_origin");
1517     MS.RetvalOriginTLS =
1518         IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1519                       {Zero, IRB.getInt32(6)}, "retval_origin");
1520     if (MS.TargetTriple.getArch() == Triple::systemz)
1521       MS.MsanMetadataAlloca = IRB.CreateAlloca(MS.MsanMetadata, 0u);
1522   }
1523 
1524   /// Add MemorySanitizer instrumentation to a function.
runOnFunction__anonb346f5430811::MemorySanitizerVisitor1525   bool runOnFunction() {
1526     // Iterate all BBs in depth-first order and create shadow instructions
1527     // for all instructions (where applicable).
1528     // For PHI nodes we create dummy shadow PHIs which will be finalized later.
1529     for (BasicBlock *BB : depth_first(FnPrologueEnd->getParent()))
1530       visit(*BB);
1531 
1532     // `visit` above only collects instructions. Process them after iterating
1533     // CFG to avoid requirement on CFG transformations.
1534     for (Instruction *I : Instructions)
1535       InstVisitor<MemorySanitizerVisitor>::visit(*I);
1536 
1537     // Finalize PHI nodes.
1538     for (PHINode *PN : ShadowPHINodes) {
1539       PHINode *PNS = cast<PHINode>(getShadow(PN));
1540       PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : nullptr;
1541       size_t NumValues = PN->getNumIncomingValues();
1542       for (size_t v = 0; v < NumValues; v++) {
1543         PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v));
1544         if (PNO)
1545           PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v));
1546       }
1547     }
1548 
1549     VAHelper->finalizeInstrumentation();
1550 
1551     // Poison llvm.lifetime.start intrinsics, if we haven't fallen back to
1552     // instrumenting only allocas.
1553     if (InstrumentLifetimeStart) {
1554       for (auto Item : LifetimeStartList) {
1555         instrumentAlloca(*Item.second, Item.first);
1556         AllocaSet.remove(Item.second);
1557       }
1558     }
1559     // Poison the allocas for which we didn't instrument the corresponding
1560     // lifetime intrinsics.
1561     for (AllocaInst *AI : AllocaSet)
1562       instrumentAlloca(*AI);
1563 
1564     // Insert shadow value checks.
1565     materializeChecks();
1566 
1567     // Delayed instrumentation of StoreInst.
1568     // This may not add new address checks.
1569     materializeStores();
1570 
1571     return true;
1572   }
1573 
1574   /// Compute the shadow type that corresponds to a given Value.
getShadowTy__anonb346f5430811::MemorySanitizerVisitor1575   Type *getShadowTy(Value *V) { return getShadowTy(V->getType()); }
1576 
1577   /// Compute the shadow type that corresponds to a given Type.
getShadowTy__anonb346f5430811::MemorySanitizerVisitor1578   Type *getShadowTy(Type *OrigTy) {
1579     if (!OrigTy->isSized()) {
1580       return nullptr;
1581     }
1582     // For integer type, shadow is the same as the original type.
1583     // This may return weird-sized types like i1.
1584     if (IntegerType *IT = dyn_cast<IntegerType>(OrigTy))
1585       return IT;
1586     const DataLayout &DL = F.getDataLayout();
1587     if (VectorType *VT = dyn_cast<VectorType>(OrigTy)) {
1588       uint32_t EltSize = DL.getTypeSizeInBits(VT->getElementType());
1589       return VectorType::get(IntegerType::get(*MS.C, EltSize),
1590                              VT->getElementCount());
1591     }
1592     if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy)) {
1593       return ArrayType::get(getShadowTy(AT->getElementType()),
1594                             AT->getNumElements());
1595     }
1596     if (StructType *ST = dyn_cast<StructType>(OrigTy)) {
1597       SmallVector<Type *, 4> Elements;
1598       for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
1599         Elements.push_back(getShadowTy(ST->getElementType(i)));
1600       StructType *Res = StructType::get(*MS.C, Elements, ST->isPacked());
1601       LLVM_DEBUG(dbgs() << "getShadowTy: " << *ST << " ===> " << *Res << "\n");
1602       return Res;
1603     }
1604     uint32_t TypeSize = DL.getTypeSizeInBits(OrigTy);
1605     return IntegerType::get(*MS.C, TypeSize);
1606   }
1607 
1608   /// Extract combined shadow of struct elements as a bool
collapseStructShadow__anonb346f5430811::MemorySanitizerVisitor1609   Value *collapseStructShadow(StructType *Struct, Value *Shadow,
1610                               IRBuilder<> &IRB) {
1611     Value *FalseVal = IRB.getIntN(/* width */ 1, /* value */ 0);
1612     Value *Aggregator = FalseVal;
1613 
1614     for (unsigned Idx = 0; Idx < Struct->getNumElements(); Idx++) {
1615       // Combine by ORing together each element's bool shadow
1616       Value *ShadowItem = IRB.CreateExtractValue(Shadow, Idx);
1617       Value *ShadowBool = convertToBool(ShadowItem, IRB);
1618 
1619       if (Aggregator != FalseVal)
1620         Aggregator = IRB.CreateOr(Aggregator, ShadowBool);
1621       else
1622         Aggregator = ShadowBool;
1623     }
1624 
1625     return Aggregator;
1626   }
1627 
1628   // Extract combined shadow of array elements
collapseArrayShadow__anonb346f5430811::MemorySanitizerVisitor1629   Value *collapseArrayShadow(ArrayType *Array, Value *Shadow,
1630                              IRBuilder<> &IRB) {
1631     if (!Array->getNumElements())
1632       return IRB.getIntN(/* width */ 1, /* value */ 0);
1633 
1634     Value *FirstItem = IRB.CreateExtractValue(Shadow, 0);
1635     Value *Aggregator = convertShadowToScalar(FirstItem, IRB);
1636 
1637     for (unsigned Idx = 1; Idx < Array->getNumElements(); Idx++) {
1638       Value *ShadowItem = IRB.CreateExtractValue(Shadow, Idx);
1639       Value *ShadowInner = convertShadowToScalar(ShadowItem, IRB);
1640       Aggregator = IRB.CreateOr(Aggregator, ShadowInner);
1641     }
1642     return Aggregator;
1643   }
1644 
1645   /// Convert a shadow value to it's flattened variant. The resulting
1646   /// shadow may not necessarily have the same bit width as the input
1647   /// value, but it will always be comparable to zero.
convertShadowToScalar__anonb346f5430811::MemorySanitizerVisitor1648   Value *convertShadowToScalar(Value *V, IRBuilder<> &IRB) {
1649     if (StructType *Struct = dyn_cast<StructType>(V->getType()))
1650       return collapseStructShadow(Struct, V, IRB);
1651     if (ArrayType *Array = dyn_cast<ArrayType>(V->getType()))
1652       return collapseArrayShadow(Array, V, IRB);
1653     if (isa<VectorType>(V->getType())) {
1654       if (isa<ScalableVectorType>(V->getType()))
1655         return convertShadowToScalar(IRB.CreateOrReduce(V), IRB);
1656       unsigned BitWidth =
1657         V->getType()->getPrimitiveSizeInBits().getFixedValue();
1658       return IRB.CreateBitCast(V, IntegerType::get(*MS.C, BitWidth));
1659     }
1660     return V;
1661   }
1662 
1663   // Convert a scalar value to an i1 by comparing with 0
convertToBool__anonb346f5430811::MemorySanitizerVisitor1664   Value *convertToBool(Value *V, IRBuilder<> &IRB, const Twine &name = "") {
1665     Type *VTy = V->getType();
1666     if (!VTy->isIntegerTy())
1667       return convertToBool(convertShadowToScalar(V, IRB), IRB, name);
1668     if (VTy->getIntegerBitWidth() == 1)
1669       // Just converting a bool to a bool, so do nothing.
1670       return V;
1671     return IRB.CreateICmpNE(V, ConstantInt::get(VTy, 0), name);
1672   }
1673 
ptrToIntPtrType__anonb346f5430811::MemorySanitizerVisitor1674   Type *ptrToIntPtrType(Type *PtrTy) const {
1675     if (VectorType *VectTy = dyn_cast<VectorType>(PtrTy)) {
1676       return VectorType::get(ptrToIntPtrType(VectTy->getElementType()),
1677                              VectTy->getElementCount());
1678     }
1679     assert(PtrTy->isIntOrPtrTy());
1680     return MS.IntptrTy;
1681   }
1682 
getPtrToShadowPtrType__anonb346f5430811::MemorySanitizerVisitor1683   Type *getPtrToShadowPtrType(Type *IntPtrTy, Type *ShadowTy) const {
1684     if (VectorType *VectTy = dyn_cast<VectorType>(IntPtrTy)) {
1685       return VectorType::get(
1686           getPtrToShadowPtrType(VectTy->getElementType(), ShadowTy),
1687           VectTy->getElementCount());
1688     }
1689     assert(IntPtrTy == MS.IntptrTy);
1690     return PointerType::get(*MS.C, 0);
1691   }
1692 
constToIntPtr__anonb346f5430811::MemorySanitizerVisitor1693   Constant *constToIntPtr(Type *IntPtrTy, uint64_t C) const {
1694     if (VectorType *VectTy = dyn_cast<VectorType>(IntPtrTy)) {
1695       return ConstantVector::getSplat(
1696           VectTy->getElementCount(), constToIntPtr(VectTy->getElementType(), C));
1697     }
1698     assert(IntPtrTy == MS.IntptrTy);
1699     return ConstantInt::get(MS.IntptrTy, C);
1700   }
1701 
1702   /// Compute the integer shadow offset that corresponds to a given
1703   /// application address.
1704   ///
1705   /// Offset = (Addr & ~AndMask) ^ XorMask
1706   /// Addr can be a ptr or <N x ptr>. In both cases ShadowTy the shadow type of
1707   /// a single pointee.
1708   /// Returns <shadow_ptr, origin_ptr> or <<N x shadow_ptr>, <N x origin_ptr>>.
getShadowPtrOffset__anonb346f5430811::MemorySanitizerVisitor1709   Value *getShadowPtrOffset(Value *Addr, IRBuilder<> &IRB) {
1710     Type *IntptrTy = ptrToIntPtrType(Addr->getType());
1711     Value *OffsetLong = IRB.CreatePointerCast(Addr, IntptrTy);
1712 
1713     if (uint64_t AndMask = MS.MapParams->AndMask)
1714       OffsetLong = IRB.CreateAnd(OffsetLong, constToIntPtr(IntptrTy, ~AndMask));
1715 
1716     if (uint64_t XorMask = MS.MapParams->XorMask)
1717       OffsetLong = IRB.CreateXor(OffsetLong, constToIntPtr(IntptrTy, XorMask));
1718     return OffsetLong;
1719   }
1720 
1721   /// Compute the shadow and origin addresses corresponding to a given
1722   /// application address.
1723   ///
1724   /// Shadow = ShadowBase + Offset
1725   /// Origin = (OriginBase + Offset) & ~3ULL
1726   /// Addr can be a ptr or <N x ptr>. In both cases ShadowTy the shadow type of
1727   /// a single pointee.
1728   /// Returns <shadow_ptr, origin_ptr> or <<N x shadow_ptr>, <N x origin_ptr>>.
1729   std::pair<Value *, Value *>
getShadowOriginPtrUserspace__anonb346f5430811::MemorySanitizerVisitor1730   getShadowOriginPtrUserspace(Value *Addr, IRBuilder<> &IRB, Type *ShadowTy,
1731                               MaybeAlign Alignment) {
1732     VectorType *VectTy = dyn_cast<VectorType>(Addr->getType());
1733     if (!VectTy) {
1734       assert(Addr->getType()->isPointerTy());
1735     } else {
1736       assert(VectTy->getElementType()->isPointerTy());
1737     }
1738     Type *IntptrTy = ptrToIntPtrType(Addr->getType());
1739     Value *ShadowOffset = getShadowPtrOffset(Addr, IRB);
1740     Value *ShadowLong = ShadowOffset;
1741     if (uint64_t ShadowBase = MS.MapParams->ShadowBase) {
1742       ShadowLong =
1743           IRB.CreateAdd(ShadowLong, constToIntPtr(IntptrTy, ShadowBase));
1744     }
1745     Value *ShadowPtr = IRB.CreateIntToPtr(
1746         ShadowLong, getPtrToShadowPtrType(IntptrTy, ShadowTy));
1747 
1748     Value *OriginPtr = nullptr;
1749     if (MS.TrackOrigins) {
1750       Value *OriginLong = ShadowOffset;
1751       uint64_t OriginBase = MS.MapParams->OriginBase;
1752       if (OriginBase != 0)
1753         OriginLong =
1754             IRB.CreateAdd(OriginLong, constToIntPtr(IntptrTy, OriginBase));
1755       if (!Alignment || *Alignment < kMinOriginAlignment) {
1756         uint64_t Mask = kMinOriginAlignment.value() - 1;
1757         OriginLong = IRB.CreateAnd(OriginLong, constToIntPtr(IntptrTy, ~Mask));
1758       }
1759       OriginPtr = IRB.CreateIntToPtr(
1760           OriginLong, getPtrToShadowPtrType(IntptrTy, MS.OriginTy));
1761     }
1762     return std::make_pair(ShadowPtr, OriginPtr);
1763   }
1764 
1765   template <typename... ArgsTy>
createMetadataCall__anonb346f5430811::MemorySanitizerVisitor1766   Value *createMetadataCall(IRBuilder<> &IRB, FunctionCallee Callee,
1767                             ArgsTy... Args) {
1768     if (MS.TargetTriple.getArch() == Triple::systemz) {
1769       IRB.CreateCall(Callee,
1770                      {MS.MsanMetadataAlloca, std::forward<ArgsTy>(Args)...});
1771       return IRB.CreateLoad(MS.MsanMetadata, MS.MsanMetadataAlloca);
1772     }
1773 
1774     return IRB.CreateCall(Callee, {std::forward<ArgsTy>(Args)...});
1775   }
1776 
getShadowOriginPtrKernelNoVec__anonb346f5430811::MemorySanitizerVisitor1777   std::pair<Value *, Value *> getShadowOriginPtrKernelNoVec(Value *Addr,
1778                                                             IRBuilder<> &IRB,
1779                                                             Type *ShadowTy,
1780                                                             bool isStore) {
1781     Value *ShadowOriginPtrs;
1782     const DataLayout &DL = F.getDataLayout();
1783     TypeSize Size = DL.getTypeStoreSize(ShadowTy);
1784 
1785     FunctionCallee Getter = MS.getKmsanShadowOriginAccessFn(isStore, Size);
1786     Value *AddrCast =
1787         IRB.CreatePointerCast(Addr, PointerType::get(IRB.getInt8Ty(), 0));
1788     if (Getter) {
1789       ShadowOriginPtrs = createMetadataCall(IRB, Getter, AddrCast);
1790     } else {
1791       Value *SizeVal = ConstantInt::get(MS.IntptrTy, Size);
1792       ShadowOriginPtrs = createMetadataCall(
1793           IRB,
1794           isStore ? MS.MsanMetadataPtrForStoreN : MS.MsanMetadataPtrForLoadN,
1795           AddrCast, SizeVal);
1796     }
1797     Value *ShadowPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 0);
1798     ShadowPtr = IRB.CreatePointerCast(ShadowPtr, PointerType::get(ShadowTy, 0));
1799     Value *OriginPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 1);
1800 
1801     return std::make_pair(ShadowPtr, OriginPtr);
1802   }
1803 
1804   /// Addr can be a ptr or <N x ptr>. In both cases ShadowTy the shadow type of
1805   /// a single pointee.
1806   /// Returns <shadow_ptr, origin_ptr> or <<N x shadow_ptr>, <N x origin_ptr>>.
getShadowOriginPtrKernel__anonb346f5430811::MemorySanitizerVisitor1807   std::pair<Value *, Value *> getShadowOriginPtrKernel(Value *Addr,
1808                                                        IRBuilder<> &IRB,
1809                                                        Type *ShadowTy,
1810                                                        bool isStore) {
1811     VectorType *VectTy = dyn_cast<VectorType>(Addr->getType());
1812     if (!VectTy) {
1813       assert(Addr->getType()->isPointerTy());
1814       return getShadowOriginPtrKernelNoVec(Addr, IRB, ShadowTy, isStore);
1815     }
1816 
1817     // TODO: Support callbacs with vectors of addresses.
1818     unsigned NumElements = cast<FixedVectorType>(VectTy)->getNumElements();
1819     Value *ShadowPtrs = ConstantInt::getNullValue(
1820         FixedVectorType::get(IRB.getPtrTy(), NumElements));
1821     Value *OriginPtrs = nullptr;
1822     if (MS.TrackOrigins)
1823       OriginPtrs = ConstantInt::getNullValue(
1824           FixedVectorType::get(IRB.getPtrTy(), NumElements));
1825     for (unsigned i = 0; i < NumElements; ++i) {
1826       Value *OneAddr =
1827           IRB.CreateExtractElement(Addr, ConstantInt::get(IRB.getInt32Ty(), i));
1828       auto [ShadowPtr, OriginPtr] =
1829           getShadowOriginPtrKernelNoVec(OneAddr, IRB, ShadowTy, isStore);
1830 
1831       ShadowPtrs = IRB.CreateInsertElement(
1832           ShadowPtrs, ShadowPtr, ConstantInt::get(IRB.getInt32Ty(), i));
1833       if (MS.TrackOrigins)
1834         OriginPtrs = IRB.CreateInsertElement(
1835             OriginPtrs, OriginPtr, ConstantInt::get(IRB.getInt32Ty(), i));
1836     }
1837     return {ShadowPtrs, OriginPtrs};
1838   }
1839 
getShadowOriginPtr__anonb346f5430811::MemorySanitizerVisitor1840   std::pair<Value *, Value *> getShadowOriginPtr(Value *Addr, IRBuilder<> &IRB,
1841                                                  Type *ShadowTy,
1842                                                  MaybeAlign Alignment,
1843                                                  bool isStore) {
1844     if (MS.CompileKernel)
1845       return getShadowOriginPtrKernel(Addr, IRB, ShadowTy, isStore);
1846     return getShadowOriginPtrUserspace(Addr, IRB, ShadowTy, Alignment);
1847   }
1848 
1849   /// Compute the shadow address for a given function argument.
1850   ///
1851   /// Shadow = ParamTLS+ArgOffset.
getShadowPtrForArgument__anonb346f5430811::MemorySanitizerVisitor1852   Value *getShadowPtrForArgument(IRBuilder<> &IRB, int ArgOffset) {
1853     Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy);
1854     if (ArgOffset)
1855       Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
1856     return IRB.CreateIntToPtr(Base, IRB.getPtrTy(0), "_msarg");
1857   }
1858 
1859   /// Compute the origin address for a given function argument.
getOriginPtrForArgument__anonb346f5430811::MemorySanitizerVisitor1860   Value *getOriginPtrForArgument(IRBuilder<> &IRB, int ArgOffset) {
1861     if (!MS.TrackOrigins)
1862       return nullptr;
1863     Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy);
1864     if (ArgOffset)
1865       Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
1866     return IRB.CreateIntToPtr(Base, IRB.getPtrTy(0), "_msarg_o");
1867   }
1868 
1869   /// Compute the shadow address for a retval.
getShadowPtrForRetval__anonb346f5430811::MemorySanitizerVisitor1870   Value *getShadowPtrForRetval(IRBuilder<> &IRB) {
1871     return IRB.CreatePointerCast(MS.RetvalTLS, IRB.getPtrTy(0), "_msret");
1872   }
1873 
1874   /// Compute the origin address for a retval.
getOriginPtrForRetval__anonb346f5430811::MemorySanitizerVisitor1875   Value *getOriginPtrForRetval() {
1876     // We keep a single origin for the entire retval. Might be too optimistic.
1877     return MS.RetvalOriginTLS;
1878   }
1879 
1880   /// Set SV to be the shadow value for V.
setShadow__anonb346f5430811::MemorySanitizerVisitor1881   void setShadow(Value *V, Value *SV) {
1882     assert(!ShadowMap.count(V) && "Values may only have one shadow");
1883     ShadowMap[V] = PropagateShadow ? SV : getCleanShadow(V);
1884   }
1885 
1886   /// Set Origin to be the origin value for V.
setOrigin__anonb346f5430811::MemorySanitizerVisitor1887   void setOrigin(Value *V, Value *Origin) {
1888     if (!MS.TrackOrigins)
1889       return;
1890     assert(!OriginMap.count(V) && "Values may only have one origin");
1891     LLVM_DEBUG(dbgs() << "ORIGIN: " << *V << "  ==> " << *Origin << "\n");
1892     OriginMap[V] = Origin;
1893   }
1894 
getCleanShadow__anonb346f5430811::MemorySanitizerVisitor1895   Constant *getCleanShadow(Type *OrigTy) {
1896     Type *ShadowTy = getShadowTy(OrigTy);
1897     if (!ShadowTy)
1898       return nullptr;
1899     return Constant::getNullValue(ShadowTy);
1900   }
1901 
1902   /// Create a clean shadow value for a given value.
1903   ///
1904   /// Clean shadow (all zeroes) means all bits of the value are defined
1905   /// (initialized).
getCleanShadow__anonb346f5430811::MemorySanitizerVisitor1906   Constant *getCleanShadow(Value *V) { return getCleanShadow(V->getType()); }
1907 
1908   /// Create a dirty shadow of a given shadow type.
getPoisonedShadow__anonb346f5430811::MemorySanitizerVisitor1909   Constant *getPoisonedShadow(Type *ShadowTy) {
1910     assert(ShadowTy);
1911     if (isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy))
1912       return Constant::getAllOnesValue(ShadowTy);
1913     if (ArrayType *AT = dyn_cast<ArrayType>(ShadowTy)) {
1914       SmallVector<Constant *, 4> Vals(AT->getNumElements(),
1915                                       getPoisonedShadow(AT->getElementType()));
1916       return ConstantArray::get(AT, Vals);
1917     }
1918     if (StructType *ST = dyn_cast<StructType>(ShadowTy)) {
1919       SmallVector<Constant *, 4> Vals;
1920       for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
1921         Vals.push_back(getPoisonedShadow(ST->getElementType(i)));
1922       return ConstantStruct::get(ST, Vals);
1923     }
1924     llvm_unreachable("Unexpected shadow type");
1925   }
1926 
1927   /// Create a dirty shadow for a given value.
getPoisonedShadow__anonb346f5430811::MemorySanitizerVisitor1928   Constant *getPoisonedShadow(Value *V) {
1929     Type *ShadowTy = getShadowTy(V);
1930     if (!ShadowTy)
1931       return nullptr;
1932     return getPoisonedShadow(ShadowTy);
1933   }
1934 
1935   /// Create a clean (zero) origin.
getCleanOrigin__anonb346f5430811::MemorySanitizerVisitor1936   Value *getCleanOrigin() { return Constant::getNullValue(MS.OriginTy); }
1937 
1938   /// Get the shadow value for a given Value.
1939   ///
1940   /// This function either returns the value set earlier with setShadow,
1941   /// or extracts if from ParamTLS (for function arguments).
getShadow__anonb346f5430811::MemorySanitizerVisitor1942   Value *getShadow(Value *V) {
1943     if (Instruction *I = dyn_cast<Instruction>(V)) {
1944       if (!PropagateShadow || I->getMetadata(LLVMContext::MD_nosanitize))
1945         return getCleanShadow(V);
1946       // For instructions the shadow is already stored in the map.
1947       Value *Shadow = ShadowMap[V];
1948       if (!Shadow) {
1949         LLVM_DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent()));
1950         (void)I;
1951         assert(Shadow && "No shadow for a value");
1952       }
1953       return Shadow;
1954     }
1955     if (UndefValue *U = dyn_cast<UndefValue>(V)) {
1956       Value *AllOnes = (PropagateShadow && PoisonUndef) ? getPoisonedShadow(V)
1957                                                         : getCleanShadow(V);
1958       LLVM_DEBUG(dbgs() << "Undef: " << *U << " ==> " << *AllOnes << "\n");
1959       (void)U;
1960       return AllOnes;
1961     }
1962     if (Argument *A = dyn_cast<Argument>(V)) {
1963       // For arguments we compute the shadow on demand and store it in the map.
1964       Value *&ShadowPtr = ShadowMap[V];
1965       if (ShadowPtr)
1966         return ShadowPtr;
1967       Function *F = A->getParent();
1968       IRBuilder<> EntryIRB(FnPrologueEnd);
1969       unsigned ArgOffset = 0;
1970       const DataLayout &DL = F->getDataLayout();
1971       for (auto &FArg : F->args()) {
1972         if (!FArg.getType()->isSized() || FArg.getType()->isScalableTy()) {
1973           LLVM_DEBUG(dbgs() << (FArg.getType()->isScalableTy()
1974                                     ? "vscale not fully supported\n"
1975                                     : "Arg is not sized\n"));
1976           if (A == &FArg) {
1977             ShadowPtr = getCleanShadow(V);
1978             setOrigin(A, getCleanOrigin());
1979             break;
1980           }
1981           continue;
1982         }
1983 
1984         unsigned Size = FArg.hasByValAttr()
1985                             ? DL.getTypeAllocSize(FArg.getParamByValType())
1986                             : DL.getTypeAllocSize(FArg.getType());
1987 
1988         if (A == &FArg) {
1989           bool Overflow = ArgOffset + Size > kParamTLSSize;
1990           if (FArg.hasByValAttr()) {
1991             // ByVal pointer itself has clean shadow. We copy the actual
1992             // argument shadow to the underlying memory.
1993             // Figure out maximal valid memcpy alignment.
1994             const Align ArgAlign = DL.getValueOrABITypeAlignment(
1995                 FArg.getParamAlign(), FArg.getParamByValType());
1996             Value *CpShadowPtr, *CpOriginPtr;
1997             std::tie(CpShadowPtr, CpOriginPtr) =
1998                 getShadowOriginPtr(V, EntryIRB, EntryIRB.getInt8Ty(), ArgAlign,
1999                                    /*isStore*/ true);
2000             if (!PropagateShadow || Overflow) {
2001               // ParamTLS overflow.
2002               EntryIRB.CreateMemSet(
2003                   CpShadowPtr, Constant::getNullValue(EntryIRB.getInt8Ty()),
2004                   Size, ArgAlign);
2005             } else {
2006               Value *Base = getShadowPtrForArgument(EntryIRB, ArgOffset);
2007               const Align CopyAlign = std::min(ArgAlign, kShadowTLSAlignment);
2008               Value *Cpy = EntryIRB.CreateMemCpy(CpShadowPtr, CopyAlign, Base,
2009                                                  CopyAlign, Size);
2010               LLVM_DEBUG(dbgs() << "  ByValCpy: " << *Cpy << "\n");
2011               (void)Cpy;
2012 
2013               if (MS.TrackOrigins) {
2014                 Value *OriginPtr =
2015                     getOriginPtrForArgument(EntryIRB, ArgOffset);
2016                 // FIXME: OriginSize should be:
2017                 // alignTo(V % kMinOriginAlignment + Size, kMinOriginAlignment)
2018                 unsigned OriginSize = alignTo(Size, kMinOriginAlignment);
2019                 EntryIRB.CreateMemCpy(
2020                     CpOriginPtr,
2021                     /* by getShadowOriginPtr */ kMinOriginAlignment, OriginPtr,
2022                     /* by origin_tls[ArgOffset] */ kMinOriginAlignment,
2023                     OriginSize);
2024               }
2025             }
2026           }
2027 
2028           if (!PropagateShadow || Overflow || FArg.hasByValAttr() ||
2029               (MS.EagerChecks && FArg.hasAttribute(Attribute::NoUndef))) {
2030             ShadowPtr = getCleanShadow(V);
2031             setOrigin(A, getCleanOrigin());
2032           } else {
2033             // Shadow over TLS
2034             Value *Base = getShadowPtrForArgument(EntryIRB, ArgOffset);
2035             ShadowPtr = EntryIRB.CreateAlignedLoad(getShadowTy(&FArg), Base,
2036                                                    kShadowTLSAlignment);
2037             if (MS.TrackOrigins) {
2038               Value *OriginPtr =
2039                   getOriginPtrForArgument(EntryIRB, ArgOffset);
2040               setOrigin(A, EntryIRB.CreateLoad(MS.OriginTy, OriginPtr));
2041             }
2042           }
2043           LLVM_DEBUG(dbgs()
2044                      << "  ARG:    " << FArg << " ==> " << *ShadowPtr << "\n");
2045           break;
2046         }
2047 
2048         ArgOffset += alignTo(Size, kShadowTLSAlignment);
2049       }
2050       assert(ShadowPtr && "Could not find shadow for an argument");
2051       return ShadowPtr;
2052     }
2053     // For everything else the shadow is zero.
2054     return getCleanShadow(V);
2055   }
2056 
2057   /// Get the shadow for i-th argument of the instruction I.
getShadow__anonb346f5430811::MemorySanitizerVisitor2058   Value *getShadow(Instruction *I, int i) {
2059     return getShadow(I->getOperand(i));
2060   }
2061 
2062   /// Get the origin for a value.
getOrigin__anonb346f5430811::MemorySanitizerVisitor2063   Value *getOrigin(Value *V) {
2064     if (!MS.TrackOrigins)
2065       return nullptr;
2066     if (!PropagateShadow || isa<Constant>(V) || isa<InlineAsm>(V))
2067       return getCleanOrigin();
2068     assert((isa<Instruction>(V) || isa<Argument>(V)) &&
2069            "Unexpected value type in getOrigin()");
2070     if (Instruction *I = dyn_cast<Instruction>(V)) {
2071       if (I->getMetadata(LLVMContext::MD_nosanitize))
2072         return getCleanOrigin();
2073     }
2074     Value *Origin = OriginMap[V];
2075     assert(Origin && "Missing origin");
2076     return Origin;
2077   }
2078 
2079   /// Get the origin for i-th argument of the instruction I.
getOrigin__anonb346f5430811::MemorySanitizerVisitor2080   Value *getOrigin(Instruction *I, int i) {
2081     return getOrigin(I->getOperand(i));
2082   }
2083 
2084   /// Remember the place where a shadow check should be inserted.
2085   ///
2086   /// This location will be later instrumented with a check that will print a
2087   /// UMR warning in runtime if the shadow value is not 0.
insertShadowCheck__anonb346f5430811::MemorySanitizerVisitor2088   void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) {
2089     assert(Shadow);
2090     if (!InsertChecks)
2091       return;
2092 
2093     if (!DebugCounter::shouldExecute(DebugInsertCheck)) {
2094       LLVM_DEBUG(dbgs() << "Skipping check of " << *Shadow << " before "
2095                         << *OrigIns << "\n");
2096       return;
2097     }
2098 #ifndef NDEBUG
2099     Type *ShadowTy = Shadow->getType();
2100     assert((isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy) ||
2101             isa<StructType>(ShadowTy) || isa<ArrayType>(ShadowTy)) &&
2102            "Can only insert checks for integer, vector, and aggregate shadow "
2103            "types");
2104 #endif
2105     InstrumentationList.push_back(
2106         ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns));
2107   }
2108 
2109   /// Remember the place where a shadow check should be inserted.
2110   ///
2111   /// This location will be later instrumented with a check that will print a
2112   /// UMR warning in runtime if the value is not fully defined.
insertShadowCheck__anonb346f5430811::MemorySanitizerVisitor2113   void insertShadowCheck(Value *Val, Instruction *OrigIns) {
2114     assert(Val);
2115     Value *Shadow, *Origin;
2116     if (ClCheckConstantShadow) {
2117       Shadow = getShadow(Val);
2118       if (!Shadow)
2119         return;
2120       Origin = getOrigin(Val);
2121     } else {
2122       Shadow = dyn_cast_or_null<Instruction>(getShadow(Val));
2123       if (!Shadow)
2124         return;
2125       Origin = dyn_cast_or_null<Instruction>(getOrigin(Val));
2126     }
2127     insertShadowCheck(Shadow, Origin, OrigIns);
2128   }
2129 
addReleaseOrdering__anonb346f5430811::MemorySanitizerVisitor2130   AtomicOrdering addReleaseOrdering(AtomicOrdering a) {
2131     switch (a) {
2132     case AtomicOrdering::NotAtomic:
2133       return AtomicOrdering::NotAtomic;
2134     case AtomicOrdering::Unordered:
2135     case AtomicOrdering::Monotonic:
2136     case AtomicOrdering::Release:
2137       return AtomicOrdering::Release;
2138     case AtomicOrdering::Acquire:
2139     case AtomicOrdering::AcquireRelease:
2140       return AtomicOrdering::AcquireRelease;
2141     case AtomicOrdering::SequentiallyConsistent:
2142       return AtomicOrdering::SequentiallyConsistent;
2143     }
2144     llvm_unreachable("Unknown ordering");
2145   }
2146 
makeAddReleaseOrderingTable__anonb346f5430811::MemorySanitizerVisitor2147   Value *makeAddReleaseOrderingTable(IRBuilder<> &IRB) {
2148     constexpr int NumOrderings = (int)AtomicOrderingCABI::seq_cst + 1;
2149     uint32_t OrderingTable[NumOrderings] = {};
2150 
2151     OrderingTable[(int)AtomicOrderingCABI::relaxed] =
2152         OrderingTable[(int)AtomicOrderingCABI::release] =
2153             (int)AtomicOrderingCABI::release;
2154     OrderingTable[(int)AtomicOrderingCABI::consume] =
2155         OrderingTable[(int)AtomicOrderingCABI::acquire] =
2156             OrderingTable[(int)AtomicOrderingCABI::acq_rel] =
2157                 (int)AtomicOrderingCABI::acq_rel;
2158     OrderingTable[(int)AtomicOrderingCABI::seq_cst] =
2159         (int)AtomicOrderingCABI::seq_cst;
2160 
2161     return ConstantDataVector::get(IRB.getContext(), OrderingTable);
2162   }
2163 
addAcquireOrdering__anonb346f5430811::MemorySanitizerVisitor2164   AtomicOrdering addAcquireOrdering(AtomicOrdering a) {
2165     switch (a) {
2166     case AtomicOrdering::NotAtomic:
2167       return AtomicOrdering::NotAtomic;
2168     case AtomicOrdering::Unordered:
2169     case AtomicOrdering::Monotonic:
2170     case AtomicOrdering::Acquire:
2171       return AtomicOrdering::Acquire;
2172     case AtomicOrdering::Release:
2173     case AtomicOrdering::AcquireRelease:
2174       return AtomicOrdering::AcquireRelease;
2175     case AtomicOrdering::SequentiallyConsistent:
2176       return AtomicOrdering::SequentiallyConsistent;
2177     }
2178     llvm_unreachable("Unknown ordering");
2179   }
2180 
makeAddAcquireOrderingTable__anonb346f5430811::MemorySanitizerVisitor2181   Value *makeAddAcquireOrderingTable(IRBuilder<> &IRB) {
2182     constexpr int NumOrderings = (int)AtomicOrderingCABI::seq_cst + 1;
2183     uint32_t OrderingTable[NumOrderings] = {};
2184 
2185     OrderingTable[(int)AtomicOrderingCABI::relaxed] =
2186         OrderingTable[(int)AtomicOrderingCABI::acquire] =
2187             OrderingTable[(int)AtomicOrderingCABI::consume] =
2188                 (int)AtomicOrderingCABI::acquire;
2189     OrderingTable[(int)AtomicOrderingCABI::release] =
2190         OrderingTable[(int)AtomicOrderingCABI::acq_rel] =
2191             (int)AtomicOrderingCABI::acq_rel;
2192     OrderingTable[(int)AtomicOrderingCABI::seq_cst] =
2193         (int)AtomicOrderingCABI::seq_cst;
2194 
2195     return ConstantDataVector::get(IRB.getContext(), OrderingTable);
2196   }
2197 
2198   // ------------------- Visitors.
2199   using InstVisitor<MemorySanitizerVisitor>::visit;
visit__anonb346f5430811::MemorySanitizerVisitor2200   void visit(Instruction &I) {
2201     if (I.getMetadata(LLVMContext::MD_nosanitize))
2202       return;
2203     // Don't want to visit if we're in the prologue
2204     if (isInPrologue(I))
2205       return;
2206     if (!DebugCounter::shouldExecute(DebugInstrumentInstruction)) {
2207       LLVM_DEBUG(dbgs() << "Skipping instruction: " << I << "\n");
2208       // We still need to set the shadow and origin to clean values.
2209       setShadow(&I, getCleanShadow(&I));
2210       setOrigin(&I, getCleanOrigin());
2211       return;
2212     }
2213 
2214     Instructions.push_back(&I);
2215   }
2216 
2217   /// Instrument LoadInst
2218   ///
2219   /// Loads the corresponding shadow and (optionally) origin.
2220   /// Optionally, checks that the load address is fully defined.
visitLoadInst__anonb346f5430811::MemorySanitizerVisitor2221   void visitLoadInst(LoadInst &I) {
2222     assert(I.getType()->isSized() && "Load type must have size");
2223     assert(!I.getMetadata(LLVMContext::MD_nosanitize));
2224     NextNodeIRBuilder IRB(&I);
2225     Type *ShadowTy = getShadowTy(&I);
2226     Value *Addr = I.getPointerOperand();
2227     Value *ShadowPtr = nullptr, *OriginPtr = nullptr;
2228     const Align Alignment = I.getAlign();
2229     if (PropagateShadow) {
2230       std::tie(ShadowPtr, OriginPtr) =
2231           getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ false);
2232       setShadow(&I,
2233                 IRB.CreateAlignedLoad(ShadowTy, ShadowPtr, Alignment, "_msld"));
2234     } else {
2235       setShadow(&I, getCleanShadow(&I));
2236     }
2237 
2238     if (ClCheckAccessAddress)
2239       insertShadowCheck(I.getPointerOperand(), &I);
2240 
2241     if (I.isAtomic())
2242       I.setOrdering(addAcquireOrdering(I.getOrdering()));
2243 
2244     if (MS.TrackOrigins) {
2245       if (PropagateShadow) {
2246         const Align OriginAlignment = std::max(kMinOriginAlignment, Alignment);
2247         setOrigin(
2248             &I, IRB.CreateAlignedLoad(MS.OriginTy, OriginPtr, OriginAlignment));
2249       } else {
2250         setOrigin(&I, getCleanOrigin());
2251       }
2252     }
2253   }
2254 
2255   /// Instrument StoreInst
2256   ///
2257   /// Stores the corresponding shadow and (optionally) origin.
2258   /// Optionally, checks that the store address is fully defined.
visitStoreInst__anonb346f5430811::MemorySanitizerVisitor2259   void visitStoreInst(StoreInst &I) {
2260     StoreList.push_back(&I);
2261     if (ClCheckAccessAddress)
2262       insertShadowCheck(I.getPointerOperand(), &I);
2263   }
2264 
handleCASOrRMW__anonb346f5430811::MemorySanitizerVisitor2265   void handleCASOrRMW(Instruction &I) {
2266     assert(isa<AtomicRMWInst>(I) || isa<AtomicCmpXchgInst>(I));
2267 
2268     IRBuilder<> IRB(&I);
2269     Value *Addr = I.getOperand(0);
2270     Value *Val = I.getOperand(1);
2271     Value *ShadowPtr = getShadowOriginPtr(Addr, IRB, getShadowTy(Val), Align(1),
2272                                           /*isStore*/ true)
2273                            .first;
2274 
2275     if (ClCheckAccessAddress)
2276       insertShadowCheck(Addr, &I);
2277 
2278     // Only test the conditional argument of cmpxchg instruction.
2279     // The other argument can potentially be uninitialized, but we can not
2280     // detect this situation reliably without possible false positives.
2281     if (isa<AtomicCmpXchgInst>(I))
2282       insertShadowCheck(Val, &I);
2283 
2284     IRB.CreateStore(getCleanShadow(Val), ShadowPtr);
2285 
2286     setShadow(&I, getCleanShadow(&I));
2287     setOrigin(&I, getCleanOrigin());
2288   }
2289 
visitAtomicRMWInst__anonb346f5430811::MemorySanitizerVisitor2290   void visitAtomicRMWInst(AtomicRMWInst &I) {
2291     handleCASOrRMW(I);
2292     I.setOrdering(addReleaseOrdering(I.getOrdering()));
2293   }
2294 
visitAtomicCmpXchgInst__anonb346f5430811::MemorySanitizerVisitor2295   void visitAtomicCmpXchgInst(AtomicCmpXchgInst &I) {
2296     handleCASOrRMW(I);
2297     I.setSuccessOrdering(addReleaseOrdering(I.getSuccessOrdering()));
2298   }
2299 
2300   // Vector manipulation.
visitExtractElementInst__anonb346f5430811::MemorySanitizerVisitor2301   void visitExtractElementInst(ExtractElementInst &I) {
2302     insertShadowCheck(I.getOperand(1), &I);
2303     IRBuilder<> IRB(&I);
2304     setShadow(&I, IRB.CreateExtractElement(getShadow(&I, 0), I.getOperand(1),
2305                                            "_msprop"));
2306     setOrigin(&I, getOrigin(&I, 0));
2307   }
2308 
visitInsertElementInst__anonb346f5430811::MemorySanitizerVisitor2309   void visitInsertElementInst(InsertElementInst &I) {
2310     insertShadowCheck(I.getOperand(2), &I);
2311     IRBuilder<> IRB(&I);
2312     auto *Shadow0 = getShadow(&I, 0);
2313     auto *Shadow1 = getShadow(&I, 1);
2314     setShadow(&I, IRB.CreateInsertElement(Shadow0, Shadow1, I.getOperand(2),
2315                                           "_msprop"));
2316     setOriginForNaryOp(I);
2317   }
2318 
visitShuffleVectorInst__anonb346f5430811::MemorySanitizerVisitor2319   void visitShuffleVectorInst(ShuffleVectorInst &I) {
2320     IRBuilder<> IRB(&I);
2321     auto *Shadow0 = getShadow(&I, 0);
2322     auto *Shadow1 = getShadow(&I, 1);
2323     setShadow(&I, IRB.CreateShuffleVector(Shadow0, Shadow1, I.getShuffleMask(),
2324                                           "_msprop"));
2325     setOriginForNaryOp(I);
2326   }
2327 
2328   // Casts.
visitSExtInst__anonb346f5430811::MemorySanitizerVisitor2329   void visitSExtInst(SExtInst &I) {
2330     IRBuilder<> IRB(&I);
2331     setShadow(&I, IRB.CreateSExt(getShadow(&I, 0), I.getType(), "_msprop"));
2332     setOrigin(&I, getOrigin(&I, 0));
2333   }
2334 
visitZExtInst__anonb346f5430811::MemorySanitizerVisitor2335   void visitZExtInst(ZExtInst &I) {
2336     IRBuilder<> IRB(&I);
2337     setShadow(&I, IRB.CreateZExt(getShadow(&I, 0), I.getType(), "_msprop"));
2338     setOrigin(&I, getOrigin(&I, 0));
2339   }
2340 
visitTruncInst__anonb346f5430811::MemorySanitizerVisitor2341   void visitTruncInst(TruncInst &I) {
2342     IRBuilder<> IRB(&I);
2343     setShadow(&I, IRB.CreateTrunc(getShadow(&I, 0), I.getType(), "_msprop"));
2344     setOrigin(&I, getOrigin(&I, 0));
2345   }
2346 
visitBitCastInst__anonb346f5430811::MemorySanitizerVisitor2347   void visitBitCastInst(BitCastInst &I) {
2348     // Special case: if this is the bitcast (there is exactly 1 allowed) between
2349     // a musttail call and a ret, don't instrument. New instructions are not
2350     // allowed after a musttail call.
2351     if (auto *CI = dyn_cast<CallInst>(I.getOperand(0)))
2352       if (CI->isMustTailCall())
2353         return;
2354     IRBuilder<> IRB(&I);
2355     setShadow(&I, IRB.CreateBitCast(getShadow(&I, 0), getShadowTy(&I)));
2356     setOrigin(&I, getOrigin(&I, 0));
2357   }
2358 
visitPtrToIntInst__anonb346f5430811::MemorySanitizerVisitor2359   void visitPtrToIntInst(PtrToIntInst &I) {
2360     IRBuilder<> IRB(&I);
2361     setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
2362                                     "_msprop_ptrtoint"));
2363     setOrigin(&I, getOrigin(&I, 0));
2364   }
2365 
visitIntToPtrInst__anonb346f5430811::MemorySanitizerVisitor2366   void visitIntToPtrInst(IntToPtrInst &I) {
2367     IRBuilder<> IRB(&I);
2368     setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
2369                                     "_msprop_inttoptr"));
2370     setOrigin(&I, getOrigin(&I, 0));
2371   }
2372 
visitFPToSIInst__anonb346f5430811::MemorySanitizerVisitor2373   void visitFPToSIInst(CastInst &I) { handleShadowOr(I); }
visitFPToUIInst__anonb346f5430811::MemorySanitizerVisitor2374   void visitFPToUIInst(CastInst &I) { handleShadowOr(I); }
visitSIToFPInst__anonb346f5430811::MemorySanitizerVisitor2375   void visitSIToFPInst(CastInst &I) { handleShadowOr(I); }
visitUIToFPInst__anonb346f5430811::MemorySanitizerVisitor2376   void visitUIToFPInst(CastInst &I) { handleShadowOr(I); }
visitFPExtInst__anonb346f5430811::MemorySanitizerVisitor2377   void visitFPExtInst(CastInst &I) { handleShadowOr(I); }
visitFPTruncInst__anonb346f5430811::MemorySanitizerVisitor2378   void visitFPTruncInst(CastInst &I) { handleShadowOr(I); }
2379 
2380   /// Propagate shadow for bitwise AND.
2381   ///
2382   /// This code is exact, i.e. if, for example, a bit in the left argument
2383   /// is defined and 0, then neither the value not definedness of the
2384   /// corresponding bit in B don't affect the resulting shadow.
visitAnd__anonb346f5430811::MemorySanitizerVisitor2385   void visitAnd(BinaryOperator &I) {
2386     IRBuilder<> IRB(&I);
2387     //  "And" of 0 and a poisoned value results in unpoisoned value.
2388     //  1&1 => 1;     0&1 => 0;     p&1 => p;
2389     //  1&0 => 0;     0&0 => 0;     p&0 => 0;
2390     //  1&p => p;     0&p => 0;     p&p => p;
2391     //  S = (S1 & S2) | (V1 & S2) | (S1 & V2)
2392     Value *S1 = getShadow(&I, 0);
2393     Value *S2 = getShadow(&I, 1);
2394     Value *V1 = I.getOperand(0);
2395     Value *V2 = I.getOperand(1);
2396     if (V1->getType() != S1->getType()) {
2397       V1 = IRB.CreateIntCast(V1, S1->getType(), false);
2398       V2 = IRB.CreateIntCast(V2, S2->getType(), false);
2399     }
2400     Value *S1S2 = IRB.CreateAnd(S1, S2);
2401     Value *V1S2 = IRB.CreateAnd(V1, S2);
2402     Value *S1V2 = IRB.CreateAnd(S1, V2);
2403     setShadow(&I, IRB.CreateOr({S1S2, V1S2, S1V2}));
2404     setOriginForNaryOp(I);
2405   }
2406 
visitOr__anonb346f5430811::MemorySanitizerVisitor2407   void visitOr(BinaryOperator &I) {
2408     IRBuilder<> IRB(&I);
2409     //  "Or" of 1 and a poisoned value results in unpoisoned value.
2410     //  1|1 => 1;     0|1 => 1;     p|1 => 1;
2411     //  1|0 => 1;     0|0 => 0;     p|0 => p;
2412     //  1|p => 1;     0|p => p;     p|p => p;
2413     //  S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2)
2414     Value *S1 = getShadow(&I, 0);
2415     Value *S2 = getShadow(&I, 1);
2416     Value *V1 = IRB.CreateNot(I.getOperand(0));
2417     Value *V2 = IRB.CreateNot(I.getOperand(1));
2418     if (V1->getType() != S1->getType()) {
2419       V1 = IRB.CreateIntCast(V1, S1->getType(), false);
2420       V2 = IRB.CreateIntCast(V2, S2->getType(), false);
2421     }
2422     Value *S1S2 = IRB.CreateAnd(S1, S2);
2423     Value *V1S2 = IRB.CreateAnd(V1, S2);
2424     Value *S1V2 = IRB.CreateAnd(S1, V2);
2425     setShadow(&I, IRB.CreateOr({S1S2, V1S2, S1V2}));
2426     setOriginForNaryOp(I);
2427   }
2428 
2429   /// Default propagation of shadow and/or origin.
2430   ///
2431   /// This class implements the general case of shadow propagation, used in all
2432   /// cases where we don't know and/or don't care about what the operation
2433   /// actually does. It converts all input shadow values to a common type
2434   /// (extending or truncating as necessary), and bitwise OR's them.
2435   ///
2436   /// This is much cheaper than inserting checks (i.e. requiring inputs to be
2437   /// fully initialized), and less prone to false positives.
2438   ///
2439   /// This class also implements the general case of origin propagation. For a
2440   /// Nary operation, result origin is set to the origin of an argument that is
2441   /// not entirely initialized. If there is more than one such arguments, the
2442   /// rightmost of them is picked. It does not matter which one is picked if all
2443   /// arguments are initialized.
2444   template <bool CombineShadow> class Combiner {
2445     Value *Shadow = nullptr;
2446     Value *Origin = nullptr;
2447     IRBuilder<> &IRB;
2448     MemorySanitizerVisitor *MSV;
2449 
2450   public:
Combiner(MemorySanitizerVisitor * MSV,IRBuilder<> & IRB)2451     Combiner(MemorySanitizerVisitor *MSV, IRBuilder<> &IRB)
2452         : IRB(IRB), MSV(MSV) {}
2453 
2454     /// Add a pair of shadow and origin values to the mix.
Add(Value * OpShadow,Value * OpOrigin)2455     Combiner &Add(Value *OpShadow, Value *OpOrigin) {
2456       if (CombineShadow) {
2457         assert(OpShadow);
2458         if (!Shadow)
2459           Shadow = OpShadow;
2460         else {
2461           OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType());
2462           Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop");
2463         }
2464       }
2465 
2466       if (MSV->MS.TrackOrigins) {
2467         assert(OpOrigin);
2468         if (!Origin) {
2469           Origin = OpOrigin;
2470         } else {
2471           Constant *ConstOrigin = dyn_cast<Constant>(OpOrigin);
2472           // No point in adding something that might result in 0 origin value.
2473           if (!ConstOrigin || !ConstOrigin->isNullValue()) {
2474             Value *Cond = MSV->convertToBool(OpShadow, IRB);
2475             Origin = IRB.CreateSelect(Cond, OpOrigin, Origin);
2476           }
2477         }
2478       }
2479       return *this;
2480     }
2481 
2482     /// Add an application value to the mix.
Add(Value * V)2483     Combiner &Add(Value *V) {
2484       Value *OpShadow = MSV->getShadow(V);
2485       Value *OpOrigin = MSV->MS.TrackOrigins ? MSV->getOrigin(V) : nullptr;
2486       return Add(OpShadow, OpOrigin);
2487     }
2488 
2489     /// Set the current combined values as the given instruction's shadow
2490     /// and origin.
Done(Instruction * I)2491     void Done(Instruction *I) {
2492       if (CombineShadow) {
2493         assert(Shadow);
2494         Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I));
2495         MSV->setShadow(I, Shadow);
2496       }
2497       if (MSV->MS.TrackOrigins) {
2498         assert(Origin);
2499         MSV->setOrigin(I, Origin);
2500       }
2501     }
2502 
2503     /// Store the current combined value at the specified origin
2504     /// location.
DoneAndStoreOrigin(TypeSize TS,Value * OriginPtr)2505     void DoneAndStoreOrigin(TypeSize TS, Value *OriginPtr) {
2506       if (MSV->MS.TrackOrigins) {
2507         assert(Origin);
2508         MSV->paintOrigin(IRB, Origin, OriginPtr, TS, kMinOriginAlignment);
2509       }
2510     }
2511   };
2512 
2513   using ShadowAndOriginCombiner = Combiner<true>;
2514   using OriginCombiner = Combiner<false>;
2515 
2516   /// Propagate origin for arbitrary operation.
setOriginForNaryOp__anonb346f5430811::MemorySanitizerVisitor2517   void setOriginForNaryOp(Instruction &I) {
2518     if (!MS.TrackOrigins)
2519       return;
2520     IRBuilder<> IRB(&I);
2521     OriginCombiner OC(this, IRB);
2522     for (Use &Op : I.operands())
2523       OC.Add(Op.get());
2524     OC.Done(&I);
2525   }
2526 
VectorOrPrimitiveTypeSizeInBits__anonb346f5430811::MemorySanitizerVisitor2527   size_t VectorOrPrimitiveTypeSizeInBits(Type *Ty) {
2528     assert(!(Ty->isVectorTy() && Ty->getScalarType()->isPointerTy()) &&
2529            "Vector of pointers is not a valid shadow type");
2530     return Ty->isVectorTy() ? cast<FixedVectorType>(Ty)->getNumElements() *
2531                                   Ty->getScalarSizeInBits()
2532                             : Ty->getPrimitiveSizeInBits();
2533   }
2534 
2535   /// Cast between two shadow types, extending or truncating as
2536   /// necessary.
CreateShadowCast__anonb346f5430811::MemorySanitizerVisitor2537   Value *CreateShadowCast(IRBuilder<> &IRB, Value *V, Type *dstTy,
2538                           bool Signed = false) {
2539     Type *srcTy = V->getType();
2540     if (srcTy == dstTy)
2541       return V;
2542     size_t srcSizeInBits = VectorOrPrimitiveTypeSizeInBits(srcTy);
2543     size_t dstSizeInBits = VectorOrPrimitiveTypeSizeInBits(dstTy);
2544     if (srcSizeInBits > 1 && dstSizeInBits == 1)
2545       return IRB.CreateICmpNE(V, getCleanShadow(V));
2546 
2547     if (dstTy->isIntegerTy() && srcTy->isIntegerTy())
2548       return IRB.CreateIntCast(V, dstTy, Signed);
2549     if (dstTy->isVectorTy() && srcTy->isVectorTy() &&
2550         cast<VectorType>(dstTy)->getElementCount() ==
2551             cast<VectorType>(srcTy)->getElementCount())
2552       return IRB.CreateIntCast(V, dstTy, Signed);
2553     Value *V1 = IRB.CreateBitCast(V, Type::getIntNTy(*MS.C, srcSizeInBits));
2554     Value *V2 =
2555         IRB.CreateIntCast(V1, Type::getIntNTy(*MS.C, dstSizeInBits), Signed);
2556     return IRB.CreateBitCast(V2, dstTy);
2557     // TODO: handle struct types.
2558   }
2559 
2560   /// Cast an application value to the type of its own shadow.
CreateAppToShadowCast__anonb346f5430811::MemorySanitizerVisitor2561   Value *CreateAppToShadowCast(IRBuilder<> &IRB, Value *V) {
2562     Type *ShadowTy = getShadowTy(V);
2563     if (V->getType() == ShadowTy)
2564       return V;
2565     if (V->getType()->isPtrOrPtrVectorTy())
2566       return IRB.CreatePtrToInt(V, ShadowTy);
2567     else
2568       return IRB.CreateBitCast(V, ShadowTy);
2569   }
2570 
2571   /// Propagate shadow for arbitrary operation.
handleShadowOr__anonb346f5430811::MemorySanitizerVisitor2572   void handleShadowOr(Instruction &I) {
2573     IRBuilder<> IRB(&I);
2574     ShadowAndOriginCombiner SC(this, IRB);
2575     for (Use &Op : I.operands())
2576       SC.Add(Op.get());
2577     SC.Done(&I);
2578   }
2579 
visitFNeg__anonb346f5430811::MemorySanitizerVisitor2580   void visitFNeg(UnaryOperator &I) { handleShadowOr(I); }
2581 
2582   // Handle multiplication by constant.
2583   //
2584   // Handle a special case of multiplication by constant that may have one or
2585   // more zeros in the lower bits. This makes corresponding number of lower bits
2586   // of the result zero as well. We model it by shifting the other operand
2587   // shadow left by the required number of bits. Effectively, we transform
2588   // (X * (A * 2**B)) to ((X << B) * A) and instrument (X << B) as (Sx << B).
2589   // We use multiplication by 2**N instead of shift to cover the case of
2590   // multiplication by 0, which may occur in some elements of a vector operand.
handleMulByConstant__anonb346f5430811::MemorySanitizerVisitor2591   void handleMulByConstant(BinaryOperator &I, Constant *ConstArg,
2592                            Value *OtherArg) {
2593     Constant *ShadowMul;
2594     Type *Ty = ConstArg->getType();
2595     if (auto *VTy = dyn_cast<VectorType>(Ty)) {
2596       unsigned NumElements = cast<FixedVectorType>(VTy)->getNumElements();
2597       Type *EltTy = VTy->getElementType();
2598       SmallVector<Constant *, 16> Elements;
2599       for (unsigned Idx = 0; Idx < NumElements; ++Idx) {
2600         if (ConstantInt *Elt =
2601                 dyn_cast<ConstantInt>(ConstArg->getAggregateElement(Idx))) {
2602           const APInt &V = Elt->getValue();
2603           APInt V2 = APInt(V.getBitWidth(), 1) << V.countr_zero();
2604           Elements.push_back(ConstantInt::get(EltTy, V2));
2605         } else {
2606           Elements.push_back(ConstantInt::get(EltTy, 1));
2607         }
2608       }
2609       ShadowMul = ConstantVector::get(Elements);
2610     } else {
2611       if (ConstantInt *Elt = dyn_cast<ConstantInt>(ConstArg)) {
2612         const APInt &V = Elt->getValue();
2613         APInt V2 = APInt(V.getBitWidth(), 1) << V.countr_zero();
2614         ShadowMul = ConstantInt::get(Ty, V2);
2615       } else {
2616         ShadowMul = ConstantInt::get(Ty, 1);
2617       }
2618     }
2619 
2620     IRBuilder<> IRB(&I);
2621     setShadow(&I,
2622               IRB.CreateMul(getShadow(OtherArg), ShadowMul, "msprop_mul_cst"));
2623     setOrigin(&I, getOrigin(OtherArg));
2624   }
2625 
visitMul__anonb346f5430811::MemorySanitizerVisitor2626   void visitMul(BinaryOperator &I) {
2627     Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0));
2628     Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1));
2629     if (constOp0 && !constOp1)
2630       handleMulByConstant(I, constOp0, I.getOperand(1));
2631     else if (constOp1 && !constOp0)
2632       handleMulByConstant(I, constOp1, I.getOperand(0));
2633     else
2634       handleShadowOr(I);
2635   }
2636 
visitFAdd__anonb346f5430811::MemorySanitizerVisitor2637   void visitFAdd(BinaryOperator &I) { handleShadowOr(I); }
visitFSub__anonb346f5430811::MemorySanitizerVisitor2638   void visitFSub(BinaryOperator &I) { handleShadowOr(I); }
visitFMul__anonb346f5430811::MemorySanitizerVisitor2639   void visitFMul(BinaryOperator &I) { handleShadowOr(I); }
visitAdd__anonb346f5430811::MemorySanitizerVisitor2640   void visitAdd(BinaryOperator &I) { handleShadowOr(I); }
visitSub__anonb346f5430811::MemorySanitizerVisitor2641   void visitSub(BinaryOperator &I) { handleShadowOr(I); }
visitXor__anonb346f5430811::MemorySanitizerVisitor2642   void visitXor(BinaryOperator &I) { handleShadowOr(I); }
2643 
handleIntegerDiv__anonb346f5430811::MemorySanitizerVisitor2644   void handleIntegerDiv(Instruction &I) {
2645     IRBuilder<> IRB(&I);
2646     // Strict on the second argument.
2647     insertShadowCheck(I.getOperand(1), &I);
2648     setShadow(&I, getShadow(&I, 0));
2649     setOrigin(&I, getOrigin(&I, 0));
2650   }
2651 
visitUDiv__anonb346f5430811::MemorySanitizerVisitor2652   void visitUDiv(BinaryOperator &I) { handleIntegerDiv(I); }
visitSDiv__anonb346f5430811::MemorySanitizerVisitor2653   void visitSDiv(BinaryOperator &I) { handleIntegerDiv(I); }
visitURem__anonb346f5430811::MemorySanitizerVisitor2654   void visitURem(BinaryOperator &I) { handleIntegerDiv(I); }
visitSRem__anonb346f5430811::MemorySanitizerVisitor2655   void visitSRem(BinaryOperator &I) { handleIntegerDiv(I); }
2656 
2657   // Floating point division is side-effect free. We can not require that the
2658   // divisor is fully initialized and must propagate shadow. See PR37523.
visitFDiv__anonb346f5430811::MemorySanitizerVisitor2659   void visitFDiv(BinaryOperator &I) { handleShadowOr(I); }
visitFRem__anonb346f5430811::MemorySanitizerVisitor2660   void visitFRem(BinaryOperator &I) { handleShadowOr(I); }
2661 
2662   /// Instrument == and != comparisons.
2663   ///
2664   /// Sometimes the comparison result is known even if some of the bits of the
2665   /// arguments are not.
handleEqualityComparison__anonb346f5430811::MemorySanitizerVisitor2666   void handleEqualityComparison(ICmpInst &I) {
2667     IRBuilder<> IRB(&I);
2668     Value *A = I.getOperand(0);
2669     Value *B = I.getOperand(1);
2670     Value *Sa = getShadow(A);
2671     Value *Sb = getShadow(B);
2672 
2673     // Get rid of pointers and vectors of pointers.
2674     // For ints (and vectors of ints), types of A and Sa match,
2675     // and this is a no-op.
2676     A = IRB.CreatePointerCast(A, Sa->getType());
2677     B = IRB.CreatePointerCast(B, Sb->getType());
2678 
2679     // A == B  <==>  (C = A^B) == 0
2680     // A != B  <==>  (C = A^B) != 0
2681     // Sc = Sa | Sb
2682     Value *C = IRB.CreateXor(A, B);
2683     Value *Sc = IRB.CreateOr(Sa, Sb);
2684     // Now dealing with i = (C == 0) comparison (or C != 0, does not matter now)
2685     // Result is defined if one of the following is true
2686     // * there is a defined 1 bit in C
2687     // * C is fully defined
2688     // Si = !(C & ~Sc) && Sc
2689     Value *Zero = Constant::getNullValue(Sc->getType());
2690     Value *MinusOne = Constant::getAllOnesValue(Sc->getType());
2691     Value *LHS = IRB.CreateICmpNE(Sc, Zero);
2692     Value *RHS =
2693         IRB.CreateICmpEQ(IRB.CreateAnd(IRB.CreateXor(Sc, MinusOne), C), Zero);
2694     Value *Si = IRB.CreateAnd(LHS, RHS);
2695     Si->setName("_msprop_icmp");
2696     setShadow(&I, Si);
2697     setOriginForNaryOp(I);
2698   }
2699 
2700   /// Build the lowest possible value of V, taking into account V's
2701   ///        uninitialized bits.
getLowestPossibleValue__anonb346f5430811::MemorySanitizerVisitor2702   Value *getLowestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa,
2703                                 bool isSigned) {
2704     if (isSigned) {
2705       // Split shadow into sign bit and other bits.
2706       Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1);
2707       Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits);
2708       // Maximise the undefined shadow bit, minimize other undefined bits.
2709       return IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaOtherBits)),
2710                           SaSignBit);
2711     } else {
2712       // Minimize undefined bits.
2713       return IRB.CreateAnd(A, IRB.CreateNot(Sa));
2714     }
2715   }
2716 
2717   /// Build the highest possible value of V, taking into account V's
2718   ///        uninitialized bits.
getHighestPossibleValue__anonb346f5430811::MemorySanitizerVisitor2719   Value *getHighestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa,
2720                                  bool isSigned) {
2721     if (isSigned) {
2722       // Split shadow into sign bit and other bits.
2723       Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1);
2724       Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits);
2725       // Minimise the undefined shadow bit, maximise other undefined bits.
2726       return IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaSignBit)),
2727                           SaOtherBits);
2728     } else {
2729       // Maximize undefined bits.
2730       return IRB.CreateOr(A, Sa);
2731     }
2732   }
2733 
2734   /// Instrument relational comparisons.
2735   ///
2736   /// This function does exact shadow propagation for all relational
2737   /// comparisons of integers, pointers and vectors of those.
2738   /// FIXME: output seems suboptimal when one of the operands is a constant
handleRelationalComparisonExact__anonb346f5430811::MemorySanitizerVisitor2739   void handleRelationalComparisonExact(ICmpInst &I) {
2740     IRBuilder<> IRB(&I);
2741     Value *A = I.getOperand(0);
2742     Value *B = I.getOperand(1);
2743     Value *Sa = getShadow(A);
2744     Value *Sb = getShadow(B);
2745 
2746     // Get rid of pointers and vectors of pointers.
2747     // For ints (and vectors of ints), types of A and Sa match,
2748     // and this is a no-op.
2749     A = IRB.CreatePointerCast(A, Sa->getType());
2750     B = IRB.CreatePointerCast(B, Sb->getType());
2751 
2752     // Let [a0, a1] be the interval of possible values of A, taking into account
2753     // its undefined bits. Let [b0, b1] be the interval of possible values of B.
2754     // Then (A cmp B) is defined iff (a0 cmp b1) == (a1 cmp b0).
2755     bool IsSigned = I.isSigned();
2756     Value *S1 = IRB.CreateICmp(I.getPredicate(),
2757                                getLowestPossibleValue(IRB, A, Sa, IsSigned),
2758                                getHighestPossibleValue(IRB, B, Sb, IsSigned));
2759     Value *S2 = IRB.CreateICmp(I.getPredicate(),
2760                                getHighestPossibleValue(IRB, A, Sa, IsSigned),
2761                                getLowestPossibleValue(IRB, B, Sb, IsSigned));
2762     Value *Si = IRB.CreateXor(S1, S2);
2763     setShadow(&I, Si);
2764     setOriginForNaryOp(I);
2765   }
2766 
2767   /// Instrument signed relational comparisons.
2768   ///
2769   /// Handle sign bit tests: x<0, x>=0, x<=-1, x>-1 by propagating the highest
2770   /// bit of the shadow. Everything else is delegated to handleShadowOr().
handleSignedRelationalComparison__anonb346f5430811::MemorySanitizerVisitor2771   void handleSignedRelationalComparison(ICmpInst &I) {
2772     Constant *constOp;
2773     Value *op = nullptr;
2774     CmpInst::Predicate pre;
2775     if ((constOp = dyn_cast<Constant>(I.getOperand(1)))) {
2776       op = I.getOperand(0);
2777       pre = I.getPredicate();
2778     } else if ((constOp = dyn_cast<Constant>(I.getOperand(0)))) {
2779       op = I.getOperand(1);
2780       pre = I.getSwappedPredicate();
2781     } else {
2782       handleShadowOr(I);
2783       return;
2784     }
2785 
2786     if ((constOp->isNullValue() &&
2787          (pre == CmpInst::ICMP_SLT || pre == CmpInst::ICMP_SGE)) ||
2788         (constOp->isAllOnesValue() &&
2789          (pre == CmpInst::ICMP_SGT || pre == CmpInst::ICMP_SLE))) {
2790       IRBuilder<> IRB(&I);
2791       Value *Shadow = IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op),
2792                                         "_msprop_icmp_s");
2793       setShadow(&I, Shadow);
2794       setOrigin(&I, getOrigin(op));
2795     } else {
2796       handleShadowOr(I);
2797     }
2798   }
2799 
visitICmpInst__anonb346f5430811::MemorySanitizerVisitor2800   void visitICmpInst(ICmpInst &I) {
2801     if (!ClHandleICmp) {
2802       handleShadowOr(I);
2803       return;
2804     }
2805     if (I.isEquality()) {
2806       handleEqualityComparison(I);
2807       return;
2808     }
2809 
2810     assert(I.isRelational());
2811     if (ClHandleICmpExact) {
2812       handleRelationalComparisonExact(I);
2813       return;
2814     }
2815     if (I.isSigned()) {
2816       handleSignedRelationalComparison(I);
2817       return;
2818     }
2819 
2820     assert(I.isUnsigned());
2821     if ((isa<Constant>(I.getOperand(0)) || isa<Constant>(I.getOperand(1)))) {
2822       handleRelationalComparisonExact(I);
2823       return;
2824     }
2825 
2826     handleShadowOr(I);
2827   }
2828 
visitFCmpInst__anonb346f5430811::MemorySanitizerVisitor2829   void visitFCmpInst(FCmpInst &I) { handleShadowOr(I); }
2830 
handleShift__anonb346f5430811::MemorySanitizerVisitor2831   void handleShift(BinaryOperator &I) {
2832     IRBuilder<> IRB(&I);
2833     // If any of the S2 bits are poisoned, the whole thing is poisoned.
2834     // Otherwise perform the same shift on S1.
2835     Value *S1 = getShadow(&I, 0);
2836     Value *S2 = getShadow(&I, 1);
2837     Value *S2Conv =
2838         IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)), S2->getType());
2839     Value *V2 = I.getOperand(1);
2840     Value *Shift = IRB.CreateBinOp(I.getOpcode(), S1, V2);
2841     setShadow(&I, IRB.CreateOr(Shift, S2Conv));
2842     setOriginForNaryOp(I);
2843   }
2844 
visitShl__anonb346f5430811::MemorySanitizerVisitor2845   void visitShl(BinaryOperator &I) { handleShift(I); }
visitAShr__anonb346f5430811::MemorySanitizerVisitor2846   void visitAShr(BinaryOperator &I) { handleShift(I); }
visitLShr__anonb346f5430811::MemorySanitizerVisitor2847   void visitLShr(BinaryOperator &I) { handleShift(I); }
2848 
handleFunnelShift__anonb346f5430811::MemorySanitizerVisitor2849   void handleFunnelShift(IntrinsicInst &I) {
2850     IRBuilder<> IRB(&I);
2851     // If any of the S2 bits are poisoned, the whole thing is poisoned.
2852     // Otherwise perform the same shift on S0 and S1.
2853     Value *S0 = getShadow(&I, 0);
2854     Value *S1 = getShadow(&I, 1);
2855     Value *S2 = getShadow(&I, 2);
2856     Value *S2Conv =
2857         IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)), S2->getType());
2858     Value *V2 = I.getOperand(2);
2859     Function *Intrin = Intrinsic::getDeclaration(
2860         I.getModule(), I.getIntrinsicID(), S2Conv->getType());
2861     Value *Shift = IRB.CreateCall(Intrin, {S0, S1, V2});
2862     setShadow(&I, IRB.CreateOr(Shift, S2Conv));
2863     setOriginForNaryOp(I);
2864   }
2865 
2866   /// Instrument llvm.memmove
2867   ///
2868   /// At this point we don't know if llvm.memmove will be inlined or not.
2869   /// If we don't instrument it and it gets inlined,
2870   /// our interceptor will not kick in and we will lose the memmove.
2871   /// If we instrument the call here, but it does not get inlined,
2872   /// we will memove the shadow twice: which is bad in case
2873   /// of overlapping regions. So, we simply lower the intrinsic to a call.
2874   ///
2875   /// Similar situation exists for memcpy and memset.
visitMemMoveInst__anonb346f5430811::MemorySanitizerVisitor2876   void visitMemMoveInst(MemMoveInst &I) {
2877     getShadow(I.getArgOperand(1)); // Ensure shadow initialized
2878     IRBuilder<> IRB(&I);
2879     IRB.CreateCall(MS.MemmoveFn,
2880                    {I.getArgOperand(0), I.getArgOperand(1),
2881                     IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2882     I.eraseFromParent();
2883   }
2884 
2885   /// Instrument memcpy
2886   ///
2887   /// Similar to memmove: avoid copying shadow twice. This is somewhat
2888   /// unfortunate as it may slowdown small constant memcpys.
2889   /// FIXME: consider doing manual inline for small constant sizes and proper
2890   /// alignment.
2891   ///
2892   /// Note: This also handles memcpy.inline, which promises no calls to external
2893   /// functions as an optimization. However, with instrumentation enabled this
2894   /// is difficult to promise; additionally, we know that the MSan runtime
2895   /// exists and provides __msan_memcpy(). Therefore, we assume that with
2896   /// instrumentation it's safe to turn memcpy.inline into a call to
2897   /// __msan_memcpy(). Should this be wrong, such as when implementing memcpy()
2898   /// itself, instrumentation should be disabled with the no_sanitize attribute.
visitMemCpyInst__anonb346f5430811::MemorySanitizerVisitor2899   void visitMemCpyInst(MemCpyInst &I) {
2900     getShadow(I.getArgOperand(1)); // Ensure shadow initialized
2901     IRBuilder<> IRB(&I);
2902     IRB.CreateCall(MS.MemcpyFn,
2903                    {I.getArgOperand(0), I.getArgOperand(1),
2904                     IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2905     I.eraseFromParent();
2906   }
2907 
2908   // Same as memcpy.
visitMemSetInst__anonb346f5430811::MemorySanitizerVisitor2909   void visitMemSetInst(MemSetInst &I) {
2910     IRBuilder<> IRB(&I);
2911     IRB.CreateCall(
2912         MS.MemsetFn,
2913         {I.getArgOperand(0),
2914          IRB.CreateIntCast(I.getArgOperand(1), IRB.getInt32Ty(), false),
2915          IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2916     I.eraseFromParent();
2917   }
2918 
visitVAStartInst__anonb346f5430811::MemorySanitizerVisitor2919   void visitVAStartInst(VAStartInst &I) { VAHelper->visitVAStartInst(I); }
2920 
visitVACopyInst__anonb346f5430811::MemorySanitizerVisitor2921   void visitVACopyInst(VACopyInst &I) { VAHelper->visitVACopyInst(I); }
2922 
2923   /// Handle vector store-like intrinsics.
2924   ///
2925   /// Instrument intrinsics that look like a simple SIMD store: writes memory,
2926   /// has 1 pointer argument and 1 vector argument, returns void.
handleVectorStoreIntrinsic__anonb346f5430811::MemorySanitizerVisitor2927   bool handleVectorStoreIntrinsic(IntrinsicInst &I) {
2928     IRBuilder<> IRB(&I);
2929     Value *Addr = I.getArgOperand(0);
2930     Value *Shadow = getShadow(&I, 1);
2931     Value *ShadowPtr, *OriginPtr;
2932 
2933     // We don't know the pointer alignment (could be unaligned SSE store!).
2934     // Have to assume to worst case.
2935     std::tie(ShadowPtr, OriginPtr) = getShadowOriginPtr(
2936         Addr, IRB, Shadow->getType(), Align(1), /*isStore*/ true);
2937     IRB.CreateAlignedStore(Shadow, ShadowPtr, Align(1));
2938 
2939     if (ClCheckAccessAddress)
2940       insertShadowCheck(Addr, &I);
2941 
2942     // FIXME: factor out common code from materializeStores
2943     if (MS.TrackOrigins)
2944       IRB.CreateStore(getOrigin(&I, 1), OriginPtr);
2945     return true;
2946   }
2947 
2948   /// Handle vector load-like intrinsics.
2949   ///
2950   /// Instrument intrinsics that look like a simple SIMD load: reads memory,
2951   /// has 1 pointer argument, returns a vector.
handleVectorLoadIntrinsic__anonb346f5430811::MemorySanitizerVisitor2952   bool handleVectorLoadIntrinsic(IntrinsicInst &I) {
2953     IRBuilder<> IRB(&I);
2954     Value *Addr = I.getArgOperand(0);
2955 
2956     Type *ShadowTy = getShadowTy(&I);
2957     Value *ShadowPtr = nullptr, *OriginPtr = nullptr;
2958     if (PropagateShadow) {
2959       // We don't know the pointer alignment (could be unaligned SSE load!).
2960       // Have to assume to worst case.
2961       const Align Alignment = Align(1);
2962       std::tie(ShadowPtr, OriginPtr) =
2963           getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ false);
2964       setShadow(&I,
2965                 IRB.CreateAlignedLoad(ShadowTy, ShadowPtr, Alignment, "_msld"));
2966     } else {
2967       setShadow(&I, getCleanShadow(&I));
2968     }
2969 
2970     if (ClCheckAccessAddress)
2971       insertShadowCheck(Addr, &I);
2972 
2973     if (MS.TrackOrigins) {
2974       if (PropagateShadow)
2975         setOrigin(&I, IRB.CreateLoad(MS.OriginTy, OriginPtr));
2976       else
2977         setOrigin(&I, getCleanOrigin());
2978     }
2979     return true;
2980   }
2981 
2982   /// Handle (SIMD arithmetic)-like intrinsics.
2983   ///
2984   /// Instrument intrinsics with any number of arguments of the same type,
2985   /// equal to the return type. The type should be simple (no aggregates or
2986   /// pointers; vectors are fine).
2987   /// Caller guarantees that this intrinsic does not access memory.
maybeHandleSimpleNomemIntrinsic__anonb346f5430811::MemorySanitizerVisitor2988   bool maybeHandleSimpleNomemIntrinsic(IntrinsicInst &I) {
2989     Type *RetTy = I.getType();
2990     if (!(RetTy->isIntOrIntVectorTy() || RetTy->isFPOrFPVectorTy() ||
2991           RetTy->isX86_MMXTy()))
2992       return false;
2993 
2994     unsigned NumArgOperands = I.arg_size();
2995     for (unsigned i = 0; i < NumArgOperands; ++i) {
2996       Type *Ty = I.getArgOperand(i)->getType();
2997       if (Ty != RetTy)
2998         return false;
2999     }
3000 
3001     IRBuilder<> IRB(&I);
3002     ShadowAndOriginCombiner SC(this, IRB);
3003     for (unsigned i = 0; i < NumArgOperands; ++i)
3004       SC.Add(I.getArgOperand(i));
3005     SC.Done(&I);
3006 
3007     return true;
3008   }
3009 
3010   /// Heuristically instrument unknown intrinsics.
3011   ///
3012   /// The main purpose of this code is to do something reasonable with all
3013   /// random intrinsics we might encounter, most importantly - SIMD intrinsics.
3014   /// We recognize several classes of intrinsics by their argument types and
3015   /// ModRefBehaviour and apply special instrumentation when we are reasonably
3016   /// sure that we know what the intrinsic does.
3017   ///
3018   /// We special-case intrinsics where this approach fails. See llvm.bswap
3019   /// handling as an example of that.
handleUnknownIntrinsic__anonb346f5430811::MemorySanitizerVisitor3020   bool handleUnknownIntrinsic(IntrinsicInst &I) {
3021     unsigned NumArgOperands = I.arg_size();
3022     if (NumArgOperands == 0)
3023       return false;
3024 
3025     if (NumArgOperands == 2 && I.getArgOperand(0)->getType()->isPointerTy() &&
3026         I.getArgOperand(1)->getType()->isVectorTy() &&
3027         I.getType()->isVoidTy() && !I.onlyReadsMemory()) {
3028       // This looks like a vector store.
3029       return handleVectorStoreIntrinsic(I);
3030     }
3031 
3032     if (NumArgOperands == 1 && I.getArgOperand(0)->getType()->isPointerTy() &&
3033         I.getType()->isVectorTy() && I.onlyReadsMemory()) {
3034       // This looks like a vector load.
3035       return handleVectorLoadIntrinsic(I);
3036     }
3037 
3038     if (I.doesNotAccessMemory())
3039       if (maybeHandleSimpleNomemIntrinsic(I))
3040         return true;
3041 
3042     // FIXME: detect and handle SSE maskstore/maskload
3043     return false;
3044   }
3045 
handleInvariantGroup__anonb346f5430811::MemorySanitizerVisitor3046   void handleInvariantGroup(IntrinsicInst &I) {
3047     setShadow(&I, getShadow(&I, 0));
3048     setOrigin(&I, getOrigin(&I, 0));
3049   }
3050 
handleLifetimeStart__anonb346f5430811::MemorySanitizerVisitor3051   void handleLifetimeStart(IntrinsicInst &I) {
3052     if (!PoisonStack)
3053       return;
3054     AllocaInst *AI = llvm::findAllocaForValue(I.getArgOperand(1));
3055     if (!AI)
3056       InstrumentLifetimeStart = false;
3057     LifetimeStartList.push_back(std::make_pair(&I, AI));
3058   }
3059 
handleBswap__anonb346f5430811::MemorySanitizerVisitor3060   void handleBswap(IntrinsicInst &I) {
3061     IRBuilder<> IRB(&I);
3062     Value *Op = I.getArgOperand(0);
3063     Type *OpType = Op->getType();
3064     Function *BswapFunc = Intrinsic::getDeclaration(
3065         F.getParent(), Intrinsic::bswap, ArrayRef(&OpType, 1));
3066     setShadow(&I, IRB.CreateCall(BswapFunc, getShadow(Op)));
3067     setOrigin(&I, getOrigin(Op));
3068   }
3069 
handleCountZeroes__anonb346f5430811::MemorySanitizerVisitor3070   void handleCountZeroes(IntrinsicInst &I) {
3071     IRBuilder<> IRB(&I);
3072     Value *Src = I.getArgOperand(0);
3073 
3074     // Set the Output shadow based on input Shadow
3075     Value *BoolShadow = IRB.CreateIsNotNull(getShadow(Src), "_mscz_bs");
3076 
3077     // If zero poison is requested, mix in with the shadow
3078     Constant *IsZeroPoison = cast<Constant>(I.getOperand(1));
3079     if (!IsZeroPoison->isZeroValue()) {
3080       Value *BoolZeroPoison = IRB.CreateIsNull(Src, "_mscz_bzp");
3081       BoolShadow = IRB.CreateOr(BoolShadow, BoolZeroPoison, "_mscz_bs");
3082     }
3083 
3084     Value *OutputShadow =
3085         IRB.CreateSExt(BoolShadow, getShadowTy(Src), "_mscz_os");
3086 
3087     setShadow(&I, OutputShadow);
3088     setOriginForNaryOp(I);
3089   }
3090 
3091   // Instrument vector convert intrinsic.
3092   //
3093   // This function instruments intrinsics like cvtsi2ss:
3094   // %Out = int_xxx_cvtyyy(%ConvertOp)
3095   // or
3096   // %Out = int_xxx_cvtyyy(%CopyOp, %ConvertOp)
3097   // Intrinsic converts \p NumUsedElements elements of \p ConvertOp to the same
3098   // number \p Out elements, and (if has 2 arguments) copies the rest of the
3099   // elements from \p CopyOp.
3100   // In most cases conversion involves floating-point value which may trigger a
3101   // hardware exception when not fully initialized. For this reason we require
3102   // \p ConvertOp[0:NumUsedElements] to be fully initialized and trap otherwise.
3103   // We copy the shadow of \p CopyOp[NumUsedElements:] to \p
3104   // Out[NumUsedElements:]. This means that intrinsics without \p CopyOp always
3105   // return a fully initialized value.
handleVectorConvertIntrinsic__anonb346f5430811::MemorySanitizerVisitor3106   void handleVectorConvertIntrinsic(IntrinsicInst &I, int NumUsedElements,
3107                                     bool HasRoundingMode = false) {
3108     IRBuilder<> IRB(&I);
3109     Value *CopyOp, *ConvertOp;
3110 
3111     assert((!HasRoundingMode ||
3112             isa<ConstantInt>(I.getArgOperand(I.arg_size() - 1))) &&
3113            "Invalid rounding mode");
3114 
3115     switch (I.arg_size() - HasRoundingMode) {
3116     case 2:
3117       CopyOp = I.getArgOperand(0);
3118       ConvertOp = I.getArgOperand(1);
3119       break;
3120     case 1:
3121       ConvertOp = I.getArgOperand(0);
3122       CopyOp = nullptr;
3123       break;
3124     default:
3125       llvm_unreachable("Cvt intrinsic with unsupported number of arguments.");
3126     }
3127 
3128     // The first *NumUsedElements* elements of ConvertOp are converted to the
3129     // same number of output elements. The rest of the output is copied from
3130     // CopyOp, or (if not available) filled with zeroes.
3131     // Combine shadow for elements of ConvertOp that are used in this operation,
3132     // and insert a check.
3133     // FIXME: consider propagating shadow of ConvertOp, at least in the case of
3134     // int->any conversion.
3135     Value *ConvertShadow = getShadow(ConvertOp);
3136     Value *AggShadow = nullptr;
3137     if (ConvertOp->getType()->isVectorTy()) {
3138       AggShadow = IRB.CreateExtractElement(
3139           ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), 0));
3140       for (int i = 1; i < NumUsedElements; ++i) {
3141         Value *MoreShadow = IRB.CreateExtractElement(
3142             ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), i));
3143         AggShadow = IRB.CreateOr(AggShadow, MoreShadow);
3144       }
3145     } else {
3146       AggShadow = ConvertShadow;
3147     }
3148     assert(AggShadow->getType()->isIntegerTy());
3149     insertShadowCheck(AggShadow, getOrigin(ConvertOp), &I);
3150 
3151     // Build result shadow by zero-filling parts of CopyOp shadow that come from
3152     // ConvertOp.
3153     if (CopyOp) {
3154       assert(CopyOp->getType() == I.getType());
3155       assert(CopyOp->getType()->isVectorTy());
3156       Value *ResultShadow = getShadow(CopyOp);
3157       Type *EltTy = cast<VectorType>(ResultShadow->getType())->getElementType();
3158       for (int i = 0; i < NumUsedElements; ++i) {
3159         ResultShadow = IRB.CreateInsertElement(
3160             ResultShadow, ConstantInt::getNullValue(EltTy),
3161             ConstantInt::get(IRB.getInt32Ty(), i));
3162       }
3163       setShadow(&I, ResultShadow);
3164       setOrigin(&I, getOrigin(CopyOp));
3165     } else {
3166       setShadow(&I, getCleanShadow(&I));
3167       setOrigin(&I, getCleanOrigin());
3168     }
3169   }
3170 
3171   // Given a scalar or vector, extract lower 64 bits (or less), and return all
3172   // zeroes if it is zero, and all ones otherwise.
Lower64ShadowExtend__anonb346f5430811::MemorySanitizerVisitor3173   Value *Lower64ShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) {
3174     if (S->getType()->isVectorTy())
3175       S = CreateShadowCast(IRB, S, IRB.getInt64Ty(), /* Signed */ true);
3176     assert(S->getType()->getPrimitiveSizeInBits() <= 64);
3177     Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S));
3178     return CreateShadowCast(IRB, S2, T, /* Signed */ true);
3179   }
3180 
3181   // Given a vector, extract its first element, and return all
3182   // zeroes if it is zero, and all ones otherwise.
LowerElementShadowExtend__anonb346f5430811::MemorySanitizerVisitor3183   Value *LowerElementShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) {
3184     Value *S1 = IRB.CreateExtractElement(S, (uint64_t)0);
3185     Value *S2 = IRB.CreateICmpNE(S1, getCleanShadow(S1));
3186     return CreateShadowCast(IRB, S2, T, /* Signed */ true);
3187   }
3188 
VariableShadowExtend__anonb346f5430811::MemorySanitizerVisitor3189   Value *VariableShadowExtend(IRBuilder<> &IRB, Value *S) {
3190     Type *T = S->getType();
3191     assert(T->isVectorTy());
3192     Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S));
3193     return IRB.CreateSExt(S2, T);
3194   }
3195 
3196   // Instrument vector shift intrinsic.
3197   //
3198   // This function instruments intrinsics like int_x86_avx2_psll_w.
3199   // Intrinsic shifts %In by %ShiftSize bits.
3200   // %ShiftSize may be a vector. In that case the lower 64 bits determine shift
3201   // size, and the rest is ignored. Behavior is defined even if shift size is
3202   // greater than register (or field) width.
handleVectorShiftIntrinsic__anonb346f5430811::MemorySanitizerVisitor3203   void handleVectorShiftIntrinsic(IntrinsicInst &I, bool Variable) {
3204     assert(I.arg_size() == 2);
3205     IRBuilder<> IRB(&I);
3206     // If any of the S2 bits are poisoned, the whole thing is poisoned.
3207     // Otherwise perform the same shift on S1.
3208     Value *S1 = getShadow(&I, 0);
3209     Value *S2 = getShadow(&I, 1);
3210     Value *S2Conv = Variable ? VariableShadowExtend(IRB, S2)
3211                              : Lower64ShadowExtend(IRB, S2, getShadowTy(&I));
3212     Value *V1 = I.getOperand(0);
3213     Value *V2 = I.getOperand(1);
3214     Value *Shift = IRB.CreateCall(I.getFunctionType(), I.getCalledOperand(),
3215                                   {IRB.CreateBitCast(S1, V1->getType()), V2});
3216     Shift = IRB.CreateBitCast(Shift, getShadowTy(&I));
3217     setShadow(&I, IRB.CreateOr(Shift, S2Conv));
3218     setOriginForNaryOp(I);
3219   }
3220 
3221   // Get an X86_MMX-sized vector type.
getMMXVectorTy__anonb346f5430811::MemorySanitizerVisitor3222   Type *getMMXVectorTy(unsigned EltSizeInBits) {
3223     const unsigned X86_MMXSizeInBits = 64;
3224     assert(EltSizeInBits != 0 && (X86_MMXSizeInBits % EltSizeInBits) == 0 &&
3225            "Illegal MMX vector element size");
3226     return FixedVectorType::get(IntegerType::get(*MS.C, EltSizeInBits),
3227                                 X86_MMXSizeInBits / EltSizeInBits);
3228   }
3229 
3230   // Returns a signed counterpart for an (un)signed-saturate-and-pack
3231   // intrinsic.
getSignedPackIntrinsic__anonb346f5430811::MemorySanitizerVisitor3232   Intrinsic::ID getSignedPackIntrinsic(Intrinsic::ID id) {
3233     switch (id) {
3234     case Intrinsic::x86_sse2_packsswb_128:
3235     case Intrinsic::x86_sse2_packuswb_128:
3236       return Intrinsic::x86_sse2_packsswb_128;
3237 
3238     case Intrinsic::x86_sse2_packssdw_128:
3239     case Intrinsic::x86_sse41_packusdw:
3240       return Intrinsic::x86_sse2_packssdw_128;
3241 
3242     case Intrinsic::x86_avx2_packsswb:
3243     case Intrinsic::x86_avx2_packuswb:
3244       return Intrinsic::x86_avx2_packsswb;
3245 
3246     case Intrinsic::x86_avx2_packssdw:
3247     case Intrinsic::x86_avx2_packusdw:
3248       return Intrinsic::x86_avx2_packssdw;
3249 
3250     case Intrinsic::x86_mmx_packsswb:
3251     case Intrinsic::x86_mmx_packuswb:
3252       return Intrinsic::x86_mmx_packsswb;
3253 
3254     case Intrinsic::x86_mmx_packssdw:
3255       return Intrinsic::x86_mmx_packssdw;
3256     default:
3257       llvm_unreachable("unexpected intrinsic id");
3258     }
3259   }
3260 
3261   // Instrument vector pack intrinsic.
3262   //
3263   // This function instruments intrinsics like x86_mmx_packsswb, that
3264   // packs elements of 2 input vectors into half as many bits with saturation.
3265   // Shadow is propagated with the signed variant of the same intrinsic applied
3266   // to sext(Sa != zeroinitializer), sext(Sb != zeroinitializer).
3267   // EltSizeInBits is used only for x86mmx arguments.
handleVectorPackIntrinsic__anonb346f5430811::MemorySanitizerVisitor3268   void handleVectorPackIntrinsic(IntrinsicInst &I, unsigned EltSizeInBits = 0) {
3269     assert(I.arg_size() == 2);
3270     bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
3271     IRBuilder<> IRB(&I);
3272     Value *S1 = getShadow(&I, 0);
3273     Value *S2 = getShadow(&I, 1);
3274     assert(isX86_MMX || S1->getType()->isVectorTy());
3275 
3276     // SExt and ICmpNE below must apply to individual elements of input vectors.
3277     // In case of x86mmx arguments, cast them to appropriate vector types and
3278     // back.
3279     Type *T = isX86_MMX ? getMMXVectorTy(EltSizeInBits) : S1->getType();
3280     if (isX86_MMX) {
3281       S1 = IRB.CreateBitCast(S1, T);
3282       S2 = IRB.CreateBitCast(S2, T);
3283     }
3284     Value *S1_ext =
3285         IRB.CreateSExt(IRB.CreateICmpNE(S1, Constant::getNullValue(T)), T);
3286     Value *S2_ext =
3287         IRB.CreateSExt(IRB.CreateICmpNE(S2, Constant::getNullValue(T)), T);
3288     if (isX86_MMX) {
3289       Type *X86_MMXTy = Type::getX86_MMXTy(*MS.C);
3290       S1_ext = IRB.CreateBitCast(S1_ext, X86_MMXTy);
3291       S2_ext = IRB.CreateBitCast(S2_ext, X86_MMXTy);
3292     }
3293 
3294     Function *ShadowFn = Intrinsic::getDeclaration(
3295         F.getParent(), getSignedPackIntrinsic(I.getIntrinsicID()));
3296 
3297     Value *S =
3298         IRB.CreateCall(ShadowFn, {S1_ext, S2_ext}, "_msprop_vector_pack");
3299     if (isX86_MMX)
3300       S = IRB.CreateBitCast(S, getShadowTy(&I));
3301     setShadow(&I, S);
3302     setOriginForNaryOp(I);
3303   }
3304 
3305   // Convert `Mask` into `<n x i1>`.
createDppMask__anonb346f5430811::MemorySanitizerVisitor3306   Constant *createDppMask(unsigned Width, unsigned Mask) {
3307     SmallVector<Constant *, 4> R(Width);
3308     for (auto &M : R) {
3309       M = ConstantInt::getBool(F.getContext(), Mask & 1);
3310       Mask >>= 1;
3311     }
3312     return ConstantVector::get(R);
3313   }
3314 
3315   // Calculate output shadow as array of booleans `<n x i1>`, assuming if any
3316   // arg is poisoned, entire dot product is poisoned.
findDppPoisonedOutput__anonb346f5430811::MemorySanitizerVisitor3317   Value *findDppPoisonedOutput(IRBuilder<> &IRB, Value *S, unsigned SrcMask,
3318                                unsigned DstMask) {
3319     const unsigned Width =
3320         cast<FixedVectorType>(S->getType())->getNumElements();
3321 
3322     S = IRB.CreateSelect(createDppMask(Width, SrcMask), S,
3323                          Constant::getNullValue(S->getType()));
3324     Value *SElem = IRB.CreateOrReduce(S);
3325     Value *IsClean = IRB.CreateIsNull(SElem, "_msdpp");
3326     Value *DstMaskV = createDppMask(Width, DstMask);
3327 
3328     return IRB.CreateSelect(
3329         IsClean, Constant::getNullValue(DstMaskV->getType()), DstMaskV);
3330   }
3331 
3332   // See `Intel Intrinsics Guide` for `_dp_p*` instructions.
3333   //
3334   // 2 and 4 element versions produce single scalar of dot product, and then
3335   // puts it into elements of output vector, selected by 4 lowest bits of the
3336   // mask. Top 4 bits of the mask control which elements of input to use for dot
3337   // product.
3338   //
3339   // 8 element version mask still has only 4 bit for input, and 4 bit for output
3340   // mask. According to the spec it just operates as 4 element version on first
3341   // 4 elements of inputs and output, and then on last 4 elements of inputs and
3342   // output.
handleDppIntrinsic__anonb346f5430811::MemorySanitizerVisitor3343   void handleDppIntrinsic(IntrinsicInst &I) {
3344     IRBuilder<> IRB(&I);
3345 
3346     Value *S0 = getShadow(&I, 0);
3347     Value *S1 = getShadow(&I, 1);
3348     Value *S = IRB.CreateOr(S0, S1);
3349 
3350     const unsigned Width =
3351         cast<FixedVectorType>(S->getType())->getNumElements();
3352     assert(Width == 2 || Width == 4 || Width == 8);
3353 
3354     const unsigned Mask = cast<ConstantInt>(I.getArgOperand(2))->getZExtValue();
3355     const unsigned SrcMask = Mask >> 4;
3356     const unsigned DstMask = Mask & 0xf;
3357 
3358     // Calculate shadow as `<n x i1>`.
3359     Value *SI1 = findDppPoisonedOutput(IRB, S, SrcMask, DstMask);
3360     if (Width == 8) {
3361       // First 4 elements of shadow are already calculated. `makeDppShadow`
3362       // operats on 32 bit masks, so we can just shift masks, and repeat.
3363       SI1 = IRB.CreateOr(
3364           SI1, findDppPoisonedOutput(IRB, S, SrcMask << 4, DstMask << 4));
3365     }
3366     // Extend to real size of shadow, poisoning either all or none bits of an
3367     // element.
3368     S = IRB.CreateSExt(SI1, S->getType(), "_msdpp");
3369 
3370     setShadow(&I, S);
3371     setOriginForNaryOp(I);
3372   }
3373 
convertBlendvToSelectMask__anonb346f5430811::MemorySanitizerVisitor3374   Value *convertBlendvToSelectMask(IRBuilder<> &IRB, Value *C) {
3375     C = CreateAppToShadowCast(IRB, C);
3376     FixedVectorType *FVT = cast<FixedVectorType>(C->getType());
3377     unsigned ElSize = FVT->getElementType()->getPrimitiveSizeInBits();
3378     C = IRB.CreateAShr(C, ElSize - 1);
3379     FVT = FixedVectorType::get(IRB.getInt1Ty(), FVT->getNumElements());
3380     return IRB.CreateTrunc(C, FVT);
3381   }
3382 
3383   // `blendv(f, t, c)` is effectively `select(c[top_bit], t, f)`.
handleBlendvIntrinsic__anonb346f5430811::MemorySanitizerVisitor3384   void handleBlendvIntrinsic(IntrinsicInst &I) {
3385     Value *C = I.getOperand(2);
3386     Value *T = I.getOperand(1);
3387     Value *F = I.getOperand(0);
3388 
3389     Value *Sc = getShadow(&I, 2);
3390     Value *Oc = MS.TrackOrigins ? getOrigin(C) : nullptr;
3391 
3392     {
3393       IRBuilder<> IRB(&I);
3394       // Extract top bit from condition and its shadow.
3395       C = convertBlendvToSelectMask(IRB, C);
3396       Sc = convertBlendvToSelectMask(IRB, Sc);
3397 
3398       setShadow(C, Sc);
3399       setOrigin(C, Oc);
3400     }
3401 
3402     handleSelectLikeInst(I, C, T, F);
3403   }
3404 
3405   // Instrument sum-of-absolute-differences intrinsic.
handleVectorSadIntrinsic__anonb346f5430811::MemorySanitizerVisitor3406   void handleVectorSadIntrinsic(IntrinsicInst &I) {
3407     const unsigned SignificantBitsPerResultElement = 16;
3408     bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
3409     Type *ResTy = isX86_MMX ? IntegerType::get(*MS.C, 64) : I.getType();
3410     unsigned ZeroBitsPerResultElement =
3411         ResTy->getScalarSizeInBits() - SignificantBitsPerResultElement;
3412 
3413     IRBuilder<> IRB(&I);
3414     auto *Shadow0 = getShadow(&I, 0);
3415     auto *Shadow1 = getShadow(&I, 1);
3416     Value *S = IRB.CreateOr(Shadow0, Shadow1);
3417     S = IRB.CreateBitCast(S, ResTy);
3418     S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)),
3419                        ResTy);
3420     S = IRB.CreateLShr(S, ZeroBitsPerResultElement);
3421     S = IRB.CreateBitCast(S, getShadowTy(&I));
3422     setShadow(&I, S);
3423     setOriginForNaryOp(I);
3424   }
3425 
3426   // Instrument multiply-add intrinsic.
handleVectorPmaddIntrinsic__anonb346f5430811::MemorySanitizerVisitor3427   void handleVectorPmaddIntrinsic(IntrinsicInst &I,
3428                                   unsigned EltSizeInBits = 0) {
3429     bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
3430     Type *ResTy = isX86_MMX ? getMMXVectorTy(EltSizeInBits * 2) : I.getType();
3431     IRBuilder<> IRB(&I);
3432     auto *Shadow0 = getShadow(&I, 0);
3433     auto *Shadow1 = getShadow(&I, 1);
3434     Value *S = IRB.CreateOr(Shadow0, Shadow1);
3435     S = IRB.CreateBitCast(S, ResTy);
3436     S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)),
3437                        ResTy);
3438     S = IRB.CreateBitCast(S, getShadowTy(&I));
3439     setShadow(&I, S);
3440     setOriginForNaryOp(I);
3441   }
3442 
3443   // Instrument compare-packed intrinsic.
3444   // Basically, an or followed by sext(icmp ne 0) to end up with all-zeros or
3445   // all-ones shadow.
handleVectorComparePackedIntrinsic__anonb346f5430811::MemorySanitizerVisitor3446   void handleVectorComparePackedIntrinsic(IntrinsicInst &I) {
3447     IRBuilder<> IRB(&I);
3448     Type *ResTy = getShadowTy(&I);
3449     auto *Shadow0 = getShadow(&I, 0);
3450     auto *Shadow1 = getShadow(&I, 1);
3451     Value *S0 = IRB.CreateOr(Shadow0, Shadow1);
3452     Value *S = IRB.CreateSExt(
3453         IRB.CreateICmpNE(S0, Constant::getNullValue(ResTy)), ResTy);
3454     setShadow(&I, S);
3455     setOriginForNaryOp(I);
3456   }
3457 
3458   // Instrument compare-scalar intrinsic.
3459   // This handles both cmp* intrinsics which return the result in the first
3460   // element of a vector, and comi* which return the result as i32.
handleVectorCompareScalarIntrinsic__anonb346f5430811::MemorySanitizerVisitor3461   void handleVectorCompareScalarIntrinsic(IntrinsicInst &I) {
3462     IRBuilder<> IRB(&I);
3463     auto *Shadow0 = getShadow(&I, 0);
3464     auto *Shadow1 = getShadow(&I, 1);
3465     Value *S0 = IRB.CreateOr(Shadow0, Shadow1);
3466     Value *S = LowerElementShadowExtend(IRB, S0, getShadowTy(&I));
3467     setShadow(&I, S);
3468     setOriginForNaryOp(I);
3469   }
3470 
3471   // Instrument generic vector reduction intrinsics
3472   // by ORing together all their fields.
handleVectorReduceIntrinsic__anonb346f5430811::MemorySanitizerVisitor3473   void handleVectorReduceIntrinsic(IntrinsicInst &I) {
3474     IRBuilder<> IRB(&I);
3475     Value *S = IRB.CreateOrReduce(getShadow(&I, 0));
3476     setShadow(&I, S);
3477     setOrigin(&I, getOrigin(&I, 0));
3478   }
3479 
3480   // Instrument vector.reduce.or intrinsic.
3481   // Valid (non-poisoned) set bits in the operand pull low the
3482   // corresponding shadow bits.
handleVectorReduceOrIntrinsic__anonb346f5430811::MemorySanitizerVisitor3483   void handleVectorReduceOrIntrinsic(IntrinsicInst &I) {
3484     IRBuilder<> IRB(&I);
3485     Value *OperandShadow = getShadow(&I, 0);
3486     Value *OperandUnsetBits = IRB.CreateNot(I.getOperand(0));
3487     Value *OperandUnsetOrPoison = IRB.CreateOr(OperandUnsetBits, OperandShadow);
3488     // Bit N is clean if any field's bit N is 1 and unpoison
3489     Value *OutShadowMask = IRB.CreateAndReduce(OperandUnsetOrPoison);
3490     // Otherwise, it is clean if every field's bit N is unpoison
3491     Value *OrShadow = IRB.CreateOrReduce(OperandShadow);
3492     Value *S = IRB.CreateAnd(OutShadowMask, OrShadow);
3493 
3494     setShadow(&I, S);
3495     setOrigin(&I, getOrigin(&I, 0));
3496   }
3497 
3498   // Instrument vector.reduce.and intrinsic.
3499   // Valid (non-poisoned) unset bits in the operand pull down the
3500   // corresponding shadow bits.
handleVectorReduceAndIntrinsic__anonb346f5430811::MemorySanitizerVisitor3501   void handleVectorReduceAndIntrinsic(IntrinsicInst &I) {
3502     IRBuilder<> IRB(&I);
3503     Value *OperandShadow = getShadow(&I, 0);
3504     Value *OperandSetOrPoison = IRB.CreateOr(I.getOperand(0), OperandShadow);
3505     // Bit N is clean if any field's bit N is 0 and unpoison
3506     Value *OutShadowMask = IRB.CreateAndReduce(OperandSetOrPoison);
3507     // Otherwise, it is clean if every field's bit N is unpoison
3508     Value *OrShadow = IRB.CreateOrReduce(OperandShadow);
3509     Value *S = IRB.CreateAnd(OutShadowMask, OrShadow);
3510 
3511     setShadow(&I, S);
3512     setOrigin(&I, getOrigin(&I, 0));
3513   }
3514 
handleStmxcsr__anonb346f5430811::MemorySanitizerVisitor3515   void handleStmxcsr(IntrinsicInst &I) {
3516     IRBuilder<> IRB(&I);
3517     Value *Addr = I.getArgOperand(0);
3518     Type *Ty = IRB.getInt32Ty();
3519     Value *ShadowPtr =
3520         getShadowOriginPtr(Addr, IRB, Ty, Align(1), /*isStore*/ true).first;
3521 
3522     IRB.CreateStore(getCleanShadow(Ty), ShadowPtr);
3523 
3524     if (ClCheckAccessAddress)
3525       insertShadowCheck(Addr, &I);
3526   }
3527 
handleLdmxcsr__anonb346f5430811::MemorySanitizerVisitor3528   void handleLdmxcsr(IntrinsicInst &I) {
3529     if (!InsertChecks)
3530       return;
3531 
3532     IRBuilder<> IRB(&I);
3533     Value *Addr = I.getArgOperand(0);
3534     Type *Ty = IRB.getInt32Ty();
3535     const Align Alignment = Align(1);
3536     Value *ShadowPtr, *OriginPtr;
3537     std::tie(ShadowPtr, OriginPtr) =
3538         getShadowOriginPtr(Addr, IRB, Ty, Alignment, /*isStore*/ false);
3539 
3540     if (ClCheckAccessAddress)
3541       insertShadowCheck(Addr, &I);
3542 
3543     Value *Shadow = IRB.CreateAlignedLoad(Ty, ShadowPtr, Alignment, "_ldmxcsr");
3544     Value *Origin = MS.TrackOrigins ? IRB.CreateLoad(MS.OriginTy, OriginPtr)
3545                                     : getCleanOrigin();
3546     insertShadowCheck(Shadow, Origin, &I);
3547   }
3548 
handleMaskedExpandLoad__anonb346f5430811::MemorySanitizerVisitor3549   void handleMaskedExpandLoad(IntrinsicInst &I) {
3550     IRBuilder<> IRB(&I);
3551     Value *Ptr = I.getArgOperand(0);
3552     Value *Mask = I.getArgOperand(1);
3553     Value *PassThru = I.getArgOperand(2);
3554 
3555     if (ClCheckAccessAddress) {
3556       insertShadowCheck(Ptr, &I);
3557       insertShadowCheck(Mask, &I);
3558     }
3559 
3560     if (!PropagateShadow) {
3561       setShadow(&I, getCleanShadow(&I));
3562       setOrigin(&I, getCleanOrigin());
3563       return;
3564     }
3565 
3566     Type *ShadowTy = getShadowTy(&I);
3567     Type *ElementShadowTy = cast<VectorType>(ShadowTy)->getElementType();
3568     auto [ShadowPtr, OriginPtr] =
3569         getShadowOriginPtr(Ptr, IRB, ElementShadowTy, {}, /*isStore*/ false);
3570 
3571     Value *Shadow = IRB.CreateMaskedExpandLoad(
3572         ShadowTy, ShadowPtr, Mask, getShadow(PassThru), "_msmaskedexpload");
3573 
3574     setShadow(&I, Shadow);
3575 
3576     // TODO: Store origins.
3577     setOrigin(&I, getCleanOrigin());
3578   }
3579 
handleMaskedCompressStore__anonb346f5430811::MemorySanitizerVisitor3580   void handleMaskedCompressStore(IntrinsicInst &I) {
3581     IRBuilder<> IRB(&I);
3582     Value *Values = I.getArgOperand(0);
3583     Value *Ptr = I.getArgOperand(1);
3584     Value *Mask = I.getArgOperand(2);
3585 
3586     if (ClCheckAccessAddress) {
3587       insertShadowCheck(Ptr, &I);
3588       insertShadowCheck(Mask, &I);
3589     }
3590 
3591     Value *Shadow = getShadow(Values);
3592     Type *ElementShadowTy =
3593         getShadowTy(cast<VectorType>(Values->getType())->getElementType());
3594     auto [ShadowPtr, OriginPtrs] =
3595         getShadowOriginPtr(Ptr, IRB, ElementShadowTy, {}, /*isStore*/ true);
3596 
3597     IRB.CreateMaskedCompressStore(Shadow, ShadowPtr, Mask);
3598 
3599     // TODO: Store origins.
3600   }
3601 
handleMaskedGather__anonb346f5430811::MemorySanitizerVisitor3602   void handleMaskedGather(IntrinsicInst &I) {
3603     IRBuilder<> IRB(&I);
3604     Value *Ptrs = I.getArgOperand(0);
3605     const Align Alignment(
3606         cast<ConstantInt>(I.getArgOperand(1))->getZExtValue());
3607     Value *Mask = I.getArgOperand(2);
3608     Value *PassThru = I.getArgOperand(3);
3609 
3610     Type *PtrsShadowTy = getShadowTy(Ptrs);
3611     if (ClCheckAccessAddress) {
3612       insertShadowCheck(Mask, &I);
3613       Value *MaskedPtrShadow = IRB.CreateSelect(
3614           Mask, getShadow(Ptrs), Constant::getNullValue((PtrsShadowTy)),
3615           "_msmaskedptrs");
3616       insertShadowCheck(MaskedPtrShadow, getOrigin(Ptrs), &I);
3617     }
3618 
3619     if (!PropagateShadow) {
3620       setShadow(&I, getCleanShadow(&I));
3621       setOrigin(&I, getCleanOrigin());
3622       return;
3623     }
3624 
3625     Type *ShadowTy = getShadowTy(&I);
3626     Type *ElementShadowTy = cast<VectorType>(ShadowTy)->getElementType();
3627     auto [ShadowPtrs, OriginPtrs] = getShadowOriginPtr(
3628         Ptrs, IRB, ElementShadowTy, Alignment, /*isStore*/ false);
3629 
3630     Value *Shadow =
3631         IRB.CreateMaskedGather(ShadowTy, ShadowPtrs, Alignment, Mask,
3632                                getShadow(PassThru), "_msmaskedgather");
3633 
3634     setShadow(&I, Shadow);
3635 
3636     // TODO: Store origins.
3637     setOrigin(&I, getCleanOrigin());
3638   }
3639 
handleMaskedScatter__anonb346f5430811::MemorySanitizerVisitor3640   void handleMaskedScatter(IntrinsicInst &I) {
3641     IRBuilder<> IRB(&I);
3642     Value *Values = I.getArgOperand(0);
3643     Value *Ptrs = I.getArgOperand(1);
3644     const Align Alignment(
3645         cast<ConstantInt>(I.getArgOperand(2))->getZExtValue());
3646     Value *Mask = I.getArgOperand(3);
3647 
3648     Type *PtrsShadowTy = getShadowTy(Ptrs);
3649     if (ClCheckAccessAddress) {
3650       insertShadowCheck(Mask, &I);
3651       Value *MaskedPtrShadow = IRB.CreateSelect(
3652           Mask, getShadow(Ptrs), Constant::getNullValue((PtrsShadowTy)),
3653           "_msmaskedptrs");
3654       insertShadowCheck(MaskedPtrShadow, getOrigin(Ptrs), &I);
3655     }
3656 
3657     Value *Shadow = getShadow(Values);
3658     Type *ElementShadowTy =
3659         getShadowTy(cast<VectorType>(Values->getType())->getElementType());
3660     auto [ShadowPtrs, OriginPtrs] = getShadowOriginPtr(
3661         Ptrs, IRB, ElementShadowTy, Alignment, /*isStore*/ true);
3662 
3663     IRB.CreateMaskedScatter(Shadow, ShadowPtrs, Alignment, Mask);
3664 
3665     // TODO: Store origin.
3666   }
3667 
handleMaskedStore__anonb346f5430811::MemorySanitizerVisitor3668   void handleMaskedStore(IntrinsicInst &I) {
3669     IRBuilder<> IRB(&I);
3670     Value *V = I.getArgOperand(0);
3671     Value *Ptr = I.getArgOperand(1);
3672     const Align Alignment(
3673         cast<ConstantInt>(I.getArgOperand(2))->getZExtValue());
3674     Value *Mask = I.getArgOperand(3);
3675     Value *Shadow = getShadow(V);
3676 
3677     if (ClCheckAccessAddress) {
3678       insertShadowCheck(Ptr, &I);
3679       insertShadowCheck(Mask, &I);
3680     }
3681 
3682     Value *ShadowPtr;
3683     Value *OriginPtr;
3684     std::tie(ShadowPtr, OriginPtr) = getShadowOriginPtr(
3685         Ptr, IRB, Shadow->getType(), Alignment, /*isStore*/ true);
3686 
3687     IRB.CreateMaskedStore(Shadow, ShadowPtr, Alignment, Mask);
3688 
3689     if (!MS.TrackOrigins)
3690       return;
3691 
3692     auto &DL = F.getDataLayout();
3693     paintOrigin(IRB, getOrigin(V), OriginPtr,
3694                 DL.getTypeStoreSize(Shadow->getType()),
3695                 std::max(Alignment, kMinOriginAlignment));
3696   }
3697 
handleMaskedLoad__anonb346f5430811::MemorySanitizerVisitor3698   void handleMaskedLoad(IntrinsicInst &I) {
3699     IRBuilder<> IRB(&I);
3700     Value *Ptr = I.getArgOperand(0);
3701     const Align Alignment(
3702         cast<ConstantInt>(I.getArgOperand(1))->getZExtValue());
3703     Value *Mask = I.getArgOperand(2);
3704     Value *PassThru = I.getArgOperand(3);
3705 
3706     if (ClCheckAccessAddress) {
3707       insertShadowCheck(Ptr, &I);
3708       insertShadowCheck(Mask, &I);
3709     }
3710 
3711     if (!PropagateShadow) {
3712       setShadow(&I, getCleanShadow(&I));
3713       setOrigin(&I, getCleanOrigin());
3714       return;
3715     }
3716 
3717     Type *ShadowTy = getShadowTy(&I);
3718     Value *ShadowPtr, *OriginPtr;
3719     std::tie(ShadowPtr, OriginPtr) =
3720         getShadowOriginPtr(Ptr, IRB, ShadowTy, Alignment, /*isStore*/ false);
3721     setShadow(&I, IRB.CreateMaskedLoad(ShadowTy, ShadowPtr, Alignment, Mask,
3722                                        getShadow(PassThru), "_msmaskedld"));
3723 
3724     if (!MS.TrackOrigins)
3725       return;
3726 
3727     // Choose between PassThru's and the loaded value's origins.
3728     Value *MaskedPassThruShadow = IRB.CreateAnd(
3729         getShadow(PassThru), IRB.CreateSExt(IRB.CreateNeg(Mask), ShadowTy));
3730 
3731     Value *NotNull = convertToBool(MaskedPassThruShadow, IRB, "_mscmp");
3732 
3733     Value *PtrOrigin = IRB.CreateLoad(MS.OriginTy, OriginPtr);
3734     Value *Origin = IRB.CreateSelect(NotNull, getOrigin(PassThru), PtrOrigin);
3735 
3736     setOrigin(&I, Origin);
3737   }
3738 
3739   // Instrument BMI / BMI2 intrinsics.
3740   // All of these intrinsics are Z = I(X, Y)
3741   // where the types of all operands and the result match, and are either i32 or
3742   // i64. The following instrumentation happens to work for all of them:
3743   //   Sz = I(Sx, Y) | (sext (Sy != 0))
handleBmiIntrinsic__anonb346f5430811::MemorySanitizerVisitor3744   void handleBmiIntrinsic(IntrinsicInst &I) {
3745     IRBuilder<> IRB(&I);
3746     Type *ShadowTy = getShadowTy(&I);
3747 
3748     // If any bit of the mask operand is poisoned, then the whole thing is.
3749     Value *SMask = getShadow(&I, 1);
3750     SMask = IRB.CreateSExt(IRB.CreateICmpNE(SMask, getCleanShadow(ShadowTy)),
3751                            ShadowTy);
3752     // Apply the same intrinsic to the shadow of the first operand.
3753     Value *S = IRB.CreateCall(I.getCalledFunction(),
3754                               {getShadow(&I, 0), I.getOperand(1)});
3755     S = IRB.CreateOr(SMask, S);
3756     setShadow(&I, S);
3757     setOriginForNaryOp(I);
3758   }
3759 
getPclmulMask__anonb346f5430811::MemorySanitizerVisitor3760   static SmallVector<int, 8> getPclmulMask(unsigned Width, bool OddElements) {
3761     SmallVector<int, 8> Mask;
3762     for (unsigned X = OddElements ? 1 : 0; X < Width; X += 2) {
3763       Mask.append(2, X);
3764     }
3765     return Mask;
3766   }
3767 
3768   // Instrument pclmul intrinsics.
3769   // These intrinsics operate either on odd or on even elements of the input
3770   // vectors, depending on the constant in the 3rd argument, ignoring the rest.
3771   // Replace the unused elements with copies of the used ones, ex:
3772   //   (0, 1, 2, 3) -> (0, 0, 2, 2) (even case)
3773   // or
3774   //   (0, 1, 2, 3) -> (1, 1, 3, 3) (odd case)
3775   // and then apply the usual shadow combining logic.
handlePclmulIntrinsic__anonb346f5430811::MemorySanitizerVisitor3776   void handlePclmulIntrinsic(IntrinsicInst &I) {
3777     IRBuilder<> IRB(&I);
3778     unsigned Width =
3779         cast<FixedVectorType>(I.getArgOperand(0)->getType())->getNumElements();
3780     assert(isa<ConstantInt>(I.getArgOperand(2)) &&
3781            "pclmul 3rd operand must be a constant");
3782     unsigned Imm = cast<ConstantInt>(I.getArgOperand(2))->getZExtValue();
3783     Value *Shuf0 = IRB.CreateShuffleVector(getShadow(&I, 0),
3784                                            getPclmulMask(Width, Imm & 0x01));
3785     Value *Shuf1 = IRB.CreateShuffleVector(getShadow(&I, 1),
3786                                            getPclmulMask(Width, Imm & 0x10));
3787     ShadowAndOriginCombiner SOC(this, IRB);
3788     SOC.Add(Shuf0, getOrigin(&I, 0));
3789     SOC.Add(Shuf1, getOrigin(&I, 1));
3790     SOC.Done(&I);
3791   }
3792 
3793   // Instrument _mm_*_sd|ss intrinsics
handleUnarySdSsIntrinsic__anonb346f5430811::MemorySanitizerVisitor3794   void handleUnarySdSsIntrinsic(IntrinsicInst &I) {
3795     IRBuilder<> IRB(&I);
3796     unsigned Width =
3797         cast<FixedVectorType>(I.getArgOperand(0)->getType())->getNumElements();
3798     Value *First = getShadow(&I, 0);
3799     Value *Second = getShadow(&I, 1);
3800     // First element of second operand, remaining elements of first operand
3801     SmallVector<int, 16> Mask;
3802     Mask.push_back(Width);
3803     for (unsigned i = 1; i < Width; i++)
3804       Mask.push_back(i);
3805     Value *Shadow = IRB.CreateShuffleVector(First, Second, Mask);
3806 
3807     setShadow(&I, Shadow);
3808     setOriginForNaryOp(I);
3809   }
3810 
handleVtestIntrinsic__anonb346f5430811::MemorySanitizerVisitor3811   void handleVtestIntrinsic(IntrinsicInst &I) {
3812     IRBuilder<> IRB(&I);
3813     Value *Shadow0 = getShadow(&I, 0);
3814     Value *Shadow1 = getShadow(&I, 1);
3815     Value *Or = IRB.CreateOr(Shadow0, Shadow1);
3816     Value *NZ = IRB.CreateICmpNE(Or, Constant::getNullValue(Or->getType()));
3817     Value *Scalar = convertShadowToScalar(NZ, IRB);
3818     Value *Shadow = IRB.CreateZExt(Scalar, getShadowTy(&I));
3819 
3820     setShadow(&I, Shadow);
3821     setOriginForNaryOp(I);
3822   }
3823 
handleBinarySdSsIntrinsic__anonb346f5430811::MemorySanitizerVisitor3824   void handleBinarySdSsIntrinsic(IntrinsicInst &I) {
3825     IRBuilder<> IRB(&I);
3826     unsigned Width =
3827         cast<FixedVectorType>(I.getArgOperand(0)->getType())->getNumElements();
3828     Value *First = getShadow(&I, 0);
3829     Value *Second = getShadow(&I, 1);
3830     Value *OrShadow = IRB.CreateOr(First, Second);
3831     // First element of both OR'd together, remaining elements of first operand
3832     SmallVector<int, 16> Mask;
3833     Mask.push_back(Width);
3834     for (unsigned i = 1; i < Width; i++)
3835       Mask.push_back(i);
3836     Value *Shadow = IRB.CreateShuffleVector(First, OrShadow, Mask);
3837 
3838     setShadow(&I, Shadow);
3839     setOriginForNaryOp(I);
3840   }
3841 
3842   // Instrument abs intrinsic.
3843   // handleUnknownIntrinsic can't handle it because of the last
3844   // is_int_min_poison argument which does not match the result type.
handleAbsIntrinsic__anonb346f5430811::MemorySanitizerVisitor3845   void handleAbsIntrinsic(IntrinsicInst &I) {
3846     assert(I.getType()->isIntOrIntVectorTy());
3847     assert(I.getArgOperand(0)->getType() == I.getType());
3848 
3849     // FIXME: Handle is_int_min_poison.
3850     IRBuilder<> IRB(&I);
3851     setShadow(&I, getShadow(&I, 0));
3852     setOrigin(&I, getOrigin(&I, 0));
3853   }
3854 
handleIsFpClass__anonb346f5430811::MemorySanitizerVisitor3855   void handleIsFpClass(IntrinsicInst &I) {
3856     IRBuilder<> IRB(&I);
3857     Value *Shadow = getShadow(&I, 0);
3858     setShadow(&I, IRB.CreateICmpNE(Shadow, getCleanShadow(Shadow)));
3859     setOrigin(&I, getOrigin(&I, 0));
3860   }
3861 
handleArithmeticWithOverflow__anonb346f5430811::MemorySanitizerVisitor3862   void handleArithmeticWithOverflow(IntrinsicInst &I) {
3863     IRBuilder<> IRB(&I);
3864     Value *Shadow0 = getShadow(&I, 0);
3865     Value *Shadow1 = getShadow(&I, 1);
3866     Value *ShadowElt0 = IRB.CreateOr(Shadow0, Shadow1);
3867     Value *ShadowElt1 =
3868         IRB.CreateICmpNE(ShadowElt0, getCleanShadow(ShadowElt0));
3869 
3870     Value *Shadow = PoisonValue::get(getShadowTy(&I));
3871     Shadow = IRB.CreateInsertValue(Shadow, ShadowElt0, 0);
3872     Shadow = IRB.CreateInsertValue(Shadow, ShadowElt1, 1);
3873 
3874     setShadow(&I, Shadow);
3875     setOriginForNaryOp(I);
3876   }
3877 
3878   /// Handle Arm NEON vector store intrinsics (vst{2,3,4}).
3879   ///
3880   /// Arm NEON vector store intrinsics have the output address (pointer) as the
3881   /// last argument, with the initial arguments being the inputs. They return
3882   /// void.
handleNEONVectorStoreIntrinsic__anonb346f5430811::MemorySanitizerVisitor3883   void handleNEONVectorStoreIntrinsic(IntrinsicInst &I) {
3884     IRBuilder<> IRB(&I);
3885 
3886     // Don't use getNumOperands() because it includes the callee
3887     int numArgOperands = I.arg_size();
3888     assert(numArgOperands >= 1);
3889 
3890     // The last arg operand is the output
3891     Value *Addr = I.getArgOperand(numArgOperands - 1);
3892     assert(Addr->getType()->isPointerTy());
3893 
3894     if (ClCheckAccessAddress)
3895       insertShadowCheck(Addr, &I);
3896 
3897     // Every arg operand, other than the last one, is an input vector
3898     IntrinsicInst *ShadowI = cast<IntrinsicInst>(I.clone());
3899     for (int i = 0; i < numArgOperands - 1; i++) {
3900       assert(isa<FixedVectorType>(I.getArgOperand(i)->getType()));
3901       ShadowI->setArgOperand(i, getShadow(&I, i));
3902     }
3903 
3904     // MSan's GetShadowTy assumes the LHS is the type we want the shadow for
3905     // e.g., for:
3906     //     [[TMP5:%.*]] = bitcast <16 x i8> [[TMP2]] to i128
3907     // we know the type of the output (and its shadow) is <16 x i8>.
3908     //
3909     // Arm NEON VST is unusual because the last argument is the output address:
3910     //     define void @st2_16b(<16 x i8> %A, <16 x i8> %B, ptr %P) {
3911     //         call void @llvm.aarch64.neon.st2.v16i8.p0
3912     //                   (<16 x i8> [[A]], <16 x i8> [[B]], ptr [[P]])
3913     // and we have no type information about P's operand. We must manually
3914     // compute the type (<16 x i8> x 2).
3915     FixedVectorType *OutputVectorTy = FixedVectorType::get(
3916         cast<FixedVectorType>(I.getArgOperand(0)->getType())->getElementType(),
3917         cast<FixedVectorType>(I.getArgOperand(0)->getType())->getNumElements() *
3918             (numArgOperands - 1));
3919     Type *ShadowTy = getShadowTy(OutputVectorTy);
3920     Value *ShadowPtr, *OriginPtr;
3921     // AArch64 NEON does not need alignment (unless OS requires it)
3922     std::tie(ShadowPtr, OriginPtr) =
3923         getShadowOriginPtr(Addr, IRB, ShadowTy, Align(1), /*isStore*/ true);
3924     ShadowI->setArgOperand(numArgOperands - 1, ShadowPtr);
3925     ShadowI->insertAfter(&I);
3926 
3927     if (MS.TrackOrigins) {
3928       // TODO: if we modelled the vst* instruction more precisely, we could
3929       // more accurately track the origins (e.g., if both inputs are
3930       // uninitialized for vst2, we currently blame the second input, even
3931       // though part of the output depends only on the first input).
3932       OriginCombiner OC(this, IRB);
3933       for (int i = 0; i < numArgOperands - 1; i++)
3934         OC.Add(I.getArgOperand(i));
3935 
3936       const DataLayout &DL = F.getDataLayout();
3937       OC.DoneAndStoreOrigin(DL.getTypeStoreSize(OutputVectorTy), OriginPtr);
3938     }
3939   }
3940 
visitIntrinsicInst__anonb346f5430811::MemorySanitizerVisitor3941   void visitIntrinsicInst(IntrinsicInst &I) {
3942     switch (I.getIntrinsicID()) {
3943     case Intrinsic::uadd_with_overflow:
3944     case Intrinsic::sadd_with_overflow:
3945     case Intrinsic::usub_with_overflow:
3946     case Intrinsic::ssub_with_overflow:
3947     case Intrinsic::umul_with_overflow:
3948     case Intrinsic::smul_with_overflow:
3949       handleArithmeticWithOverflow(I);
3950       break;
3951     case Intrinsic::abs:
3952       handleAbsIntrinsic(I);
3953       break;
3954     case Intrinsic::is_fpclass:
3955       handleIsFpClass(I);
3956       break;
3957     case Intrinsic::lifetime_start:
3958       handleLifetimeStart(I);
3959       break;
3960     case Intrinsic::launder_invariant_group:
3961     case Intrinsic::strip_invariant_group:
3962       handleInvariantGroup(I);
3963       break;
3964     case Intrinsic::bswap:
3965       handleBswap(I);
3966       break;
3967     case Intrinsic::ctlz:
3968     case Intrinsic::cttz:
3969       handleCountZeroes(I);
3970       break;
3971     case Intrinsic::masked_compressstore:
3972       handleMaskedCompressStore(I);
3973       break;
3974     case Intrinsic::masked_expandload:
3975       handleMaskedExpandLoad(I);
3976       break;
3977     case Intrinsic::masked_gather:
3978       handleMaskedGather(I);
3979       break;
3980     case Intrinsic::masked_scatter:
3981       handleMaskedScatter(I);
3982       break;
3983     case Intrinsic::masked_store:
3984       handleMaskedStore(I);
3985       break;
3986     case Intrinsic::masked_load:
3987       handleMaskedLoad(I);
3988       break;
3989     case Intrinsic::vector_reduce_and:
3990       handleVectorReduceAndIntrinsic(I);
3991       break;
3992     case Intrinsic::vector_reduce_or:
3993       handleVectorReduceOrIntrinsic(I);
3994       break;
3995     case Intrinsic::vector_reduce_add:
3996     case Intrinsic::vector_reduce_xor:
3997     case Intrinsic::vector_reduce_mul:
3998       handleVectorReduceIntrinsic(I);
3999       break;
4000     case Intrinsic::x86_sse_stmxcsr:
4001       handleStmxcsr(I);
4002       break;
4003     case Intrinsic::x86_sse_ldmxcsr:
4004       handleLdmxcsr(I);
4005       break;
4006     case Intrinsic::x86_avx512_vcvtsd2usi64:
4007     case Intrinsic::x86_avx512_vcvtsd2usi32:
4008     case Intrinsic::x86_avx512_vcvtss2usi64:
4009     case Intrinsic::x86_avx512_vcvtss2usi32:
4010     case Intrinsic::x86_avx512_cvttss2usi64:
4011     case Intrinsic::x86_avx512_cvttss2usi:
4012     case Intrinsic::x86_avx512_cvttsd2usi64:
4013     case Intrinsic::x86_avx512_cvttsd2usi:
4014     case Intrinsic::x86_avx512_cvtusi2ss:
4015     case Intrinsic::x86_avx512_cvtusi642sd:
4016     case Intrinsic::x86_avx512_cvtusi642ss:
4017       handleVectorConvertIntrinsic(I, 1, true);
4018       break;
4019     case Intrinsic::x86_sse2_cvtsd2si64:
4020     case Intrinsic::x86_sse2_cvtsd2si:
4021     case Intrinsic::x86_sse2_cvtsd2ss:
4022     case Intrinsic::x86_sse2_cvttsd2si64:
4023     case Intrinsic::x86_sse2_cvttsd2si:
4024     case Intrinsic::x86_sse_cvtss2si64:
4025     case Intrinsic::x86_sse_cvtss2si:
4026     case Intrinsic::x86_sse_cvttss2si64:
4027     case Intrinsic::x86_sse_cvttss2si:
4028       handleVectorConvertIntrinsic(I, 1);
4029       break;
4030     case Intrinsic::x86_sse_cvtps2pi:
4031     case Intrinsic::x86_sse_cvttps2pi:
4032       handleVectorConvertIntrinsic(I, 2);
4033       break;
4034 
4035     case Intrinsic::x86_avx512_psll_w_512:
4036     case Intrinsic::x86_avx512_psll_d_512:
4037     case Intrinsic::x86_avx512_psll_q_512:
4038     case Intrinsic::x86_avx512_pslli_w_512:
4039     case Intrinsic::x86_avx512_pslli_d_512:
4040     case Intrinsic::x86_avx512_pslli_q_512:
4041     case Intrinsic::x86_avx512_psrl_w_512:
4042     case Intrinsic::x86_avx512_psrl_d_512:
4043     case Intrinsic::x86_avx512_psrl_q_512:
4044     case Intrinsic::x86_avx512_psra_w_512:
4045     case Intrinsic::x86_avx512_psra_d_512:
4046     case Intrinsic::x86_avx512_psra_q_512:
4047     case Intrinsic::x86_avx512_psrli_w_512:
4048     case Intrinsic::x86_avx512_psrli_d_512:
4049     case Intrinsic::x86_avx512_psrli_q_512:
4050     case Intrinsic::x86_avx512_psrai_w_512:
4051     case Intrinsic::x86_avx512_psrai_d_512:
4052     case Intrinsic::x86_avx512_psrai_q_512:
4053     case Intrinsic::x86_avx512_psra_q_256:
4054     case Intrinsic::x86_avx512_psra_q_128:
4055     case Intrinsic::x86_avx512_psrai_q_256:
4056     case Intrinsic::x86_avx512_psrai_q_128:
4057     case Intrinsic::x86_avx2_psll_w:
4058     case Intrinsic::x86_avx2_psll_d:
4059     case Intrinsic::x86_avx2_psll_q:
4060     case Intrinsic::x86_avx2_pslli_w:
4061     case Intrinsic::x86_avx2_pslli_d:
4062     case Intrinsic::x86_avx2_pslli_q:
4063     case Intrinsic::x86_avx2_psrl_w:
4064     case Intrinsic::x86_avx2_psrl_d:
4065     case Intrinsic::x86_avx2_psrl_q:
4066     case Intrinsic::x86_avx2_psra_w:
4067     case Intrinsic::x86_avx2_psra_d:
4068     case Intrinsic::x86_avx2_psrli_w:
4069     case Intrinsic::x86_avx2_psrli_d:
4070     case Intrinsic::x86_avx2_psrli_q:
4071     case Intrinsic::x86_avx2_psrai_w:
4072     case Intrinsic::x86_avx2_psrai_d:
4073     case Intrinsic::x86_sse2_psll_w:
4074     case Intrinsic::x86_sse2_psll_d:
4075     case Intrinsic::x86_sse2_psll_q:
4076     case Intrinsic::x86_sse2_pslli_w:
4077     case Intrinsic::x86_sse2_pslli_d:
4078     case Intrinsic::x86_sse2_pslli_q:
4079     case Intrinsic::x86_sse2_psrl_w:
4080     case Intrinsic::x86_sse2_psrl_d:
4081     case Intrinsic::x86_sse2_psrl_q:
4082     case Intrinsic::x86_sse2_psra_w:
4083     case Intrinsic::x86_sse2_psra_d:
4084     case Intrinsic::x86_sse2_psrli_w:
4085     case Intrinsic::x86_sse2_psrli_d:
4086     case Intrinsic::x86_sse2_psrli_q:
4087     case Intrinsic::x86_sse2_psrai_w:
4088     case Intrinsic::x86_sse2_psrai_d:
4089     case Intrinsic::x86_mmx_psll_w:
4090     case Intrinsic::x86_mmx_psll_d:
4091     case Intrinsic::x86_mmx_psll_q:
4092     case Intrinsic::x86_mmx_pslli_w:
4093     case Intrinsic::x86_mmx_pslli_d:
4094     case Intrinsic::x86_mmx_pslli_q:
4095     case Intrinsic::x86_mmx_psrl_w:
4096     case Intrinsic::x86_mmx_psrl_d:
4097     case Intrinsic::x86_mmx_psrl_q:
4098     case Intrinsic::x86_mmx_psra_w:
4099     case Intrinsic::x86_mmx_psra_d:
4100     case Intrinsic::x86_mmx_psrli_w:
4101     case Intrinsic::x86_mmx_psrli_d:
4102     case Intrinsic::x86_mmx_psrli_q:
4103     case Intrinsic::x86_mmx_psrai_w:
4104     case Intrinsic::x86_mmx_psrai_d:
4105       handleVectorShiftIntrinsic(I, /* Variable */ false);
4106       break;
4107     case Intrinsic::x86_avx2_psllv_d:
4108     case Intrinsic::x86_avx2_psllv_d_256:
4109     case Intrinsic::x86_avx512_psllv_d_512:
4110     case Intrinsic::x86_avx2_psllv_q:
4111     case Intrinsic::x86_avx2_psllv_q_256:
4112     case Intrinsic::x86_avx512_psllv_q_512:
4113     case Intrinsic::x86_avx2_psrlv_d:
4114     case Intrinsic::x86_avx2_psrlv_d_256:
4115     case Intrinsic::x86_avx512_psrlv_d_512:
4116     case Intrinsic::x86_avx2_psrlv_q:
4117     case Intrinsic::x86_avx2_psrlv_q_256:
4118     case Intrinsic::x86_avx512_psrlv_q_512:
4119     case Intrinsic::x86_avx2_psrav_d:
4120     case Intrinsic::x86_avx2_psrav_d_256:
4121     case Intrinsic::x86_avx512_psrav_d_512:
4122     case Intrinsic::x86_avx512_psrav_q_128:
4123     case Intrinsic::x86_avx512_psrav_q_256:
4124     case Intrinsic::x86_avx512_psrav_q_512:
4125       handleVectorShiftIntrinsic(I, /* Variable */ true);
4126       break;
4127 
4128     case Intrinsic::x86_sse2_packsswb_128:
4129     case Intrinsic::x86_sse2_packssdw_128:
4130     case Intrinsic::x86_sse2_packuswb_128:
4131     case Intrinsic::x86_sse41_packusdw:
4132     case Intrinsic::x86_avx2_packsswb:
4133     case Intrinsic::x86_avx2_packssdw:
4134     case Intrinsic::x86_avx2_packuswb:
4135     case Intrinsic::x86_avx2_packusdw:
4136       handleVectorPackIntrinsic(I);
4137       break;
4138 
4139     case Intrinsic::x86_sse41_pblendvb:
4140     case Intrinsic::x86_sse41_blendvpd:
4141     case Intrinsic::x86_sse41_blendvps:
4142     case Intrinsic::x86_avx_blendv_pd_256:
4143     case Intrinsic::x86_avx_blendv_ps_256:
4144     case Intrinsic::x86_avx2_pblendvb:
4145       handleBlendvIntrinsic(I);
4146       break;
4147 
4148     case Intrinsic::x86_avx_dp_ps_256:
4149     case Intrinsic::x86_sse41_dppd:
4150     case Intrinsic::x86_sse41_dpps:
4151       handleDppIntrinsic(I);
4152       break;
4153 
4154     case Intrinsic::x86_mmx_packsswb:
4155     case Intrinsic::x86_mmx_packuswb:
4156       handleVectorPackIntrinsic(I, 16);
4157       break;
4158 
4159     case Intrinsic::x86_mmx_packssdw:
4160       handleVectorPackIntrinsic(I, 32);
4161       break;
4162 
4163     case Intrinsic::x86_mmx_psad_bw:
4164     case Intrinsic::x86_sse2_psad_bw:
4165     case Intrinsic::x86_avx2_psad_bw:
4166       handleVectorSadIntrinsic(I);
4167       break;
4168 
4169     case Intrinsic::x86_sse2_pmadd_wd:
4170     case Intrinsic::x86_avx2_pmadd_wd:
4171     case Intrinsic::x86_ssse3_pmadd_ub_sw_128:
4172     case Intrinsic::x86_avx2_pmadd_ub_sw:
4173       handleVectorPmaddIntrinsic(I);
4174       break;
4175 
4176     case Intrinsic::x86_ssse3_pmadd_ub_sw:
4177       handleVectorPmaddIntrinsic(I, 8);
4178       break;
4179 
4180     case Intrinsic::x86_mmx_pmadd_wd:
4181       handleVectorPmaddIntrinsic(I, 16);
4182       break;
4183 
4184     case Intrinsic::x86_sse_cmp_ss:
4185     case Intrinsic::x86_sse2_cmp_sd:
4186     case Intrinsic::x86_sse_comieq_ss:
4187     case Intrinsic::x86_sse_comilt_ss:
4188     case Intrinsic::x86_sse_comile_ss:
4189     case Intrinsic::x86_sse_comigt_ss:
4190     case Intrinsic::x86_sse_comige_ss:
4191     case Intrinsic::x86_sse_comineq_ss:
4192     case Intrinsic::x86_sse_ucomieq_ss:
4193     case Intrinsic::x86_sse_ucomilt_ss:
4194     case Intrinsic::x86_sse_ucomile_ss:
4195     case Intrinsic::x86_sse_ucomigt_ss:
4196     case Intrinsic::x86_sse_ucomige_ss:
4197     case Intrinsic::x86_sse_ucomineq_ss:
4198     case Intrinsic::x86_sse2_comieq_sd:
4199     case Intrinsic::x86_sse2_comilt_sd:
4200     case Intrinsic::x86_sse2_comile_sd:
4201     case Intrinsic::x86_sse2_comigt_sd:
4202     case Intrinsic::x86_sse2_comige_sd:
4203     case Intrinsic::x86_sse2_comineq_sd:
4204     case Intrinsic::x86_sse2_ucomieq_sd:
4205     case Intrinsic::x86_sse2_ucomilt_sd:
4206     case Intrinsic::x86_sse2_ucomile_sd:
4207     case Intrinsic::x86_sse2_ucomigt_sd:
4208     case Intrinsic::x86_sse2_ucomige_sd:
4209     case Intrinsic::x86_sse2_ucomineq_sd:
4210       handleVectorCompareScalarIntrinsic(I);
4211       break;
4212 
4213     case Intrinsic::x86_avx_cmp_pd_256:
4214     case Intrinsic::x86_avx_cmp_ps_256:
4215     case Intrinsic::x86_sse2_cmp_pd:
4216     case Intrinsic::x86_sse_cmp_ps:
4217       handleVectorComparePackedIntrinsic(I);
4218       break;
4219 
4220     case Intrinsic::x86_bmi_bextr_32:
4221     case Intrinsic::x86_bmi_bextr_64:
4222     case Intrinsic::x86_bmi_bzhi_32:
4223     case Intrinsic::x86_bmi_bzhi_64:
4224     case Intrinsic::x86_bmi_pdep_32:
4225     case Intrinsic::x86_bmi_pdep_64:
4226     case Intrinsic::x86_bmi_pext_32:
4227     case Intrinsic::x86_bmi_pext_64:
4228       handleBmiIntrinsic(I);
4229       break;
4230 
4231     case Intrinsic::x86_pclmulqdq:
4232     case Intrinsic::x86_pclmulqdq_256:
4233     case Intrinsic::x86_pclmulqdq_512:
4234       handlePclmulIntrinsic(I);
4235       break;
4236 
4237     case Intrinsic::x86_sse41_round_sd:
4238     case Intrinsic::x86_sse41_round_ss:
4239       handleUnarySdSsIntrinsic(I);
4240       break;
4241     case Intrinsic::x86_sse2_max_sd:
4242     case Intrinsic::x86_sse_max_ss:
4243     case Intrinsic::x86_sse2_min_sd:
4244     case Intrinsic::x86_sse_min_ss:
4245       handleBinarySdSsIntrinsic(I);
4246       break;
4247 
4248     case Intrinsic::x86_avx_vtestc_pd:
4249     case Intrinsic::x86_avx_vtestc_pd_256:
4250     case Intrinsic::x86_avx_vtestc_ps:
4251     case Intrinsic::x86_avx_vtestc_ps_256:
4252     case Intrinsic::x86_avx_vtestnzc_pd:
4253     case Intrinsic::x86_avx_vtestnzc_pd_256:
4254     case Intrinsic::x86_avx_vtestnzc_ps:
4255     case Intrinsic::x86_avx_vtestnzc_ps_256:
4256     case Intrinsic::x86_avx_vtestz_pd:
4257     case Intrinsic::x86_avx_vtestz_pd_256:
4258     case Intrinsic::x86_avx_vtestz_ps:
4259     case Intrinsic::x86_avx_vtestz_ps_256:
4260     case Intrinsic::x86_avx_ptestc_256:
4261     case Intrinsic::x86_avx_ptestnzc_256:
4262     case Intrinsic::x86_avx_ptestz_256:
4263     case Intrinsic::x86_sse41_ptestc:
4264     case Intrinsic::x86_sse41_ptestnzc:
4265     case Intrinsic::x86_sse41_ptestz:
4266       handleVtestIntrinsic(I);
4267       break;
4268 
4269     case Intrinsic::fshl:
4270     case Intrinsic::fshr:
4271       handleFunnelShift(I);
4272       break;
4273 
4274     case Intrinsic::is_constant:
4275       // The result of llvm.is.constant() is always defined.
4276       setShadow(&I, getCleanShadow(&I));
4277       setOrigin(&I, getCleanOrigin());
4278       break;
4279 
4280     case Intrinsic::aarch64_neon_st2:
4281     case Intrinsic::aarch64_neon_st3:
4282     case Intrinsic::aarch64_neon_st4: {
4283       handleNEONVectorStoreIntrinsic(I);
4284       break;
4285     }
4286 
4287     default:
4288       if (!handleUnknownIntrinsic(I))
4289         visitInstruction(I);
4290       break;
4291     }
4292   }
4293 
visitLibAtomicLoad__anonb346f5430811::MemorySanitizerVisitor4294   void visitLibAtomicLoad(CallBase &CB) {
4295     // Since we use getNextNode here, we can't have CB terminate the BB.
4296     assert(isa<CallInst>(CB));
4297 
4298     IRBuilder<> IRB(&CB);
4299     Value *Size = CB.getArgOperand(0);
4300     Value *SrcPtr = CB.getArgOperand(1);
4301     Value *DstPtr = CB.getArgOperand(2);
4302     Value *Ordering = CB.getArgOperand(3);
4303     // Convert the call to have at least Acquire ordering to make sure
4304     // the shadow operations aren't reordered before it.
4305     Value *NewOrdering =
4306         IRB.CreateExtractElement(makeAddAcquireOrderingTable(IRB), Ordering);
4307     CB.setArgOperand(3, NewOrdering);
4308 
4309     NextNodeIRBuilder NextIRB(&CB);
4310     Value *SrcShadowPtr, *SrcOriginPtr;
4311     std::tie(SrcShadowPtr, SrcOriginPtr) =
4312         getShadowOriginPtr(SrcPtr, NextIRB, NextIRB.getInt8Ty(), Align(1),
4313                            /*isStore*/ false);
4314     Value *DstShadowPtr =
4315         getShadowOriginPtr(DstPtr, NextIRB, NextIRB.getInt8Ty(), Align(1),
4316                            /*isStore*/ true)
4317             .first;
4318 
4319     NextIRB.CreateMemCpy(DstShadowPtr, Align(1), SrcShadowPtr, Align(1), Size);
4320     if (MS.TrackOrigins) {
4321       Value *SrcOrigin = NextIRB.CreateAlignedLoad(MS.OriginTy, SrcOriginPtr,
4322                                                    kMinOriginAlignment);
4323       Value *NewOrigin = updateOrigin(SrcOrigin, NextIRB);
4324       NextIRB.CreateCall(MS.MsanSetOriginFn, {DstPtr, Size, NewOrigin});
4325     }
4326   }
4327 
visitLibAtomicStore__anonb346f5430811::MemorySanitizerVisitor4328   void visitLibAtomicStore(CallBase &CB) {
4329     IRBuilder<> IRB(&CB);
4330     Value *Size = CB.getArgOperand(0);
4331     Value *DstPtr = CB.getArgOperand(2);
4332     Value *Ordering = CB.getArgOperand(3);
4333     // Convert the call to have at least Release ordering to make sure
4334     // the shadow operations aren't reordered after it.
4335     Value *NewOrdering =
4336         IRB.CreateExtractElement(makeAddReleaseOrderingTable(IRB), Ordering);
4337     CB.setArgOperand(3, NewOrdering);
4338 
4339     Value *DstShadowPtr =
4340         getShadowOriginPtr(DstPtr, IRB, IRB.getInt8Ty(), Align(1),
4341                            /*isStore*/ true)
4342             .first;
4343 
4344     // Atomic store always paints clean shadow/origin. See file header.
4345     IRB.CreateMemSet(DstShadowPtr, getCleanShadow(IRB.getInt8Ty()), Size,
4346                      Align(1));
4347   }
4348 
visitCallBase__anonb346f5430811::MemorySanitizerVisitor4349   void visitCallBase(CallBase &CB) {
4350     assert(!CB.getMetadata(LLVMContext::MD_nosanitize));
4351     if (CB.isInlineAsm()) {
4352       // For inline asm (either a call to asm function, or callbr instruction),
4353       // do the usual thing: check argument shadow and mark all outputs as
4354       // clean. Note that any side effects of the inline asm that are not
4355       // immediately visible in its constraints are not handled.
4356       if (ClHandleAsmConservative)
4357         visitAsmInstruction(CB);
4358       else
4359         visitInstruction(CB);
4360       return;
4361     }
4362     LibFunc LF;
4363     if (TLI->getLibFunc(CB, LF)) {
4364       // libatomic.a functions need to have special handling because there isn't
4365       // a good way to intercept them or compile the library with
4366       // instrumentation.
4367       switch (LF) {
4368       case LibFunc_atomic_load:
4369         if (!isa<CallInst>(CB)) {
4370           llvm::errs() << "MSAN -- cannot instrument invoke of libatomic load."
4371                           "Ignoring!\n";
4372           break;
4373         }
4374         visitLibAtomicLoad(CB);
4375         return;
4376       case LibFunc_atomic_store:
4377         visitLibAtomicStore(CB);
4378         return;
4379       default:
4380         break;
4381       }
4382     }
4383 
4384     if (auto *Call = dyn_cast<CallInst>(&CB)) {
4385       assert(!isa<IntrinsicInst>(Call) && "intrinsics are handled elsewhere");
4386 
4387       // We are going to insert code that relies on the fact that the callee
4388       // will become a non-readonly function after it is instrumented by us. To
4389       // prevent this code from being optimized out, mark that function
4390       // non-readonly in advance.
4391       // TODO: We can likely do better than dropping memory() completely here.
4392       AttributeMask B;
4393       B.addAttribute(Attribute::Memory).addAttribute(Attribute::Speculatable);
4394 
4395       Call->removeFnAttrs(B);
4396       if (Function *Func = Call->getCalledFunction()) {
4397         Func->removeFnAttrs(B);
4398       }
4399 
4400       maybeMarkSanitizerLibraryCallNoBuiltin(Call, TLI);
4401     }
4402     IRBuilder<> IRB(&CB);
4403     bool MayCheckCall = MS.EagerChecks;
4404     if (Function *Func = CB.getCalledFunction()) {
4405       // __sanitizer_unaligned_{load,store} functions may be called by users
4406       // and always expects shadows in the TLS. So don't check them.
4407       MayCheckCall &= !Func->getName().starts_with("__sanitizer_unaligned_");
4408     }
4409 
4410     unsigned ArgOffset = 0;
4411     LLVM_DEBUG(dbgs() << "  CallSite: " << CB << "\n");
4412     for (const auto &[i, A] : llvm::enumerate(CB.args())) {
4413       if (!A->getType()->isSized()) {
4414         LLVM_DEBUG(dbgs() << "Arg " << i << " is not sized: " << CB << "\n");
4415         continue;
4416       }
4417 
4418       if (A->getType()->isScalableTy()) {
4419         LLVM_DEBUG(dbgs() << "Arg  " << i << " is vscale: " << CB << "\n");
4420         // Handle as noundef, but don't reserve tls slots.
4421         insertShadowCheck(A, &CB);
4422         continue;
4423       }
4424 
4425       unsigned Size = 0;
4426       const DataLayout &DL = F.getDataLayout();
4427 
4428       bool ByVal = CB.paramHasAttr(i, Attribute::ByVal);
4429       bool NoUndef = CB.paramHasAttr(i, Attribute::NoUndef);
4430       bool EagerCheck = MayCheckCall && !ByVal && NoUndef;
4431 
4432       if (EagerCheck) {
4433         insertShadowCheck(A, &CB);
4434         Size = DL.getTypeAllocSize(A->getType());
4435       } else {
4436         Value *Store = nullptr;
4437         // Compute the Shadow for arg even if it is ByVal, because
4438         // in that case getShadow() will copy the actual arg shadow to
4439         // __msan_param_tls.
4440         Value *ArgShadow = getShadow(A);
4441         Value *ArgShadowBase = getShadowPtrForArgument(IRB, ArgOffset);
4442         LLVM_DEBUG(dbgs() << "  Arg#" << i << ": " << *A
4443                           << " Shadow: " << *ArgShadow << "\n");
4444         if (ByVal) {
4445           // ByVal requires some special handling as it's too big for a single
4446           // load
4447           assert(A->getType()->isPointerTy() &&
4448                  "ByVal argument is not a pointer!");
4449           Size = DL.getTypeAllocSize(CB.getParamByValType(i));
4450           if (ArgOffset + Size > kParamTLSSize)
4451             break;
4452           const MaybeAlign ParamAlignment(CB.getParamAlign(i));
4453           MaybeAlign Alignment = std::nullopt;
4454           if (ParamAlignment)
4455             Alignment = std::min(*ParamAlignment, kShadowTLSAlignment);
4456           Value *AShadowPtr, *AOriginPtr;
4457           std::tie(AShadowPtr, AOriginPtr) =
4458               getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), Alignment,
4459                                  /*isStore*/ false);
4460           if (!PropagateShadow) {
4461             Store = IRB.CreateMemSet(ArgShadowBase,
4462                                      Constant::getNullValue(IRB.getInt8Ty()),
4463                                      Size, Alignment);
4464           } else {
4465             Store = IRB.CreateMemCpy(ArgShadowBase, Alignment, AShadowPtr,
4466                                      Alignment, Size);
4467             if (MS.TrackOrigins) {
4468               Value *ArgOriginBase = getOriginPtrForArgument(IRB, ArgOffset);
4469               // FIXME: OriginSize should be:
4470               // alignTo(A % kMinOriginAlignment + Size, kMinOriginAlignment)
4471               unsigned OriginSize = alignTo(Size, kMinOriginAlignment);
4472               IRB.CreateMemCpy(
4473                   ArgOriginBase,
4474                   /* by origin_tls[ArgOffset] */ kMinOriginAlignment,
4475                   AOriginPtr,
4476                   /* by getShadowOriginPtr */ kMinOriginAlignment, OriginSize);
4477             }
4478           }
4479         } else {
4480           // Any other parameters mean we need bit-grained tracking of uninit
4481           // data
4482           Size = DL.getTypeAllocSize(A->getType());
4483           if (ArgOffset + Size > kParamTLSSize)
4484             break;
4485           Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase,
4486                                          kShadowTLSAlignment);
4487           Constant *Cst = dyn_cast<Constant>(ArgShadow);
4488           if (MS.TrackOrigins && !(Cst && Cst->isNullValue())) {
4489             IRB.CreateStore(getOrigin(A),
4490                             getOriginPtrForArgument(IRB, ArgOffset));
4491           }
4492         }
4493         (void)Store;
4494         assert(Store != nullptr);
4495         LLVM_DEBUG(dbgs() << "  Param:" << *Store << "\n");
4496       }
4497       assert(Size != 0);
4498       ArgOffset += alignTo(Size, kShadowTLSAlignment);
4499     }
4500     LLVM_DEBUG(dbgs() << "  done with call args\n");
4501 
4502     FunctionType *FT = CB.getFunctionType();
4503     if (FT->isVarArg()) {
4504       VAHelper->visitCallBase(CB, IRB);
4505     }
4506 
4507     // Now, get the shadow for the RetVal.
4508     if (!CB.getType()->isSized())
4509       return;
4510     // Don't emit the epilogue for musttail call returns.
4511     if (isa<CallInst>(CB) && cast<CallInst>(CB).isMustTailCall())
4512       return;
4513 
4514     if (MayCheckCall && CB.hasRetAttr(Attribute::NoUndef)) {
4515       setShadow(&CB, getCleanShadow(&CB));
4516       setOrigin(&CB, getCleanOrigin());
4517       return;
4518     }
4519 
4520     IRBuilder<> IRBBefore(&CB);
4521     // Until we have full dynamic coverage, make sure the retval shadow is 0.
4522     Value *Base = getShadowPtrForRetval(IRBBefore);
4523     IRBBefore.CreateAlignedStore(getCleanShadow(&CB), Base,
4524                                  kShadowTLSAlignment);
4525     BasicBlock::iterator NextInsn;
4526     if (isa<CallInst>(CB)) {
4527       NextInsn = ++CB.getIterator();
4528       assert(NextInsn != CB.getParent()->end());
4529     } else {
4530       BasicBlock *NormalDest = cast<InvokeInst>(CB).getNormalDest();
4531       if (!NormalDest->getSinglePredecessor()) {
4532         // FIXME: this case is tricky, so we are just conservative here.
4533         // Perhaps we need to split the edge between this BB and NormalDest,
4534         // but a naive attempt to use SplitEdge leads to a crash.
4535         setShadow(&CB, getCleanShadow(&CB));
4536         setOrigin(&CB, getCleanOrigin());
4537         return;
4538       }
4539       // FIXME: NextInsn is likely in a basic block that has not been visited
4540       // yet. Anything inserted there will be instrumented by MSan later!
4541       NextInsn = NormalDest->getFirstInsertionPt();
4542       assert(NextInsn != NormalDest->end() &&
4543              "Could not find insertion point for retval shadow load");
4544     }
4545     IRBuilder<> IRBAfter(&*NextInsn);
4546     Value *RetvalShadow = IRBAfter.CreateAlignedLoad(
4547         getShadowTy(&CB), getShadowPtrForRetval(IRBAfter),
4548         kShadowTLSAlignment, "_msret");
4549     setShadow(&CB, RetvalShadow);
4550     if (MS.TrackOrigins)
4551       setOrigin(&CB, IRBAfter.CreateLoad(MS.OriginTy,
4552                                          getOriginPtrForRetval()));
4553   }
4554 
isAMustTailRetVal__anonb346f5430811::MemorySanitizerVisitor4555   bool isAMustTailRetVal(Value *RetVal) {
4556     if (auto *I = dyn_cast<BitCastInst>(RetVal)) {
4557       RetVal = I->getOperand(0);
4558     }
4559     if (auto *I = dyn_cast<CallInst>(RetVal)) {
4560       return I->isMustTailCall();
4561     }
4562     return false;
4563   }
4564 
visitReturnInst__anonb346f5430811::MemorySanitizerVisitor4565   void visitReturnInst(ReturnInst &I) {
4566     IRBuilder<> IRB(&I);
4567     Value *RetVal = I.getReturnValue();
4568     if (!RetVal)
4569       return;
4570     // Don't emit the epilogue for musttail call returns.
4571     if (isAMustTailRetVal(RetVal))
4572       return;
4573     Value *ShadowPtr = getShadowPtrForRetval(IRB);
4574     bool HasNoUndef = F.hasRetAttribute(Attribute::NoUndef);
4575     bool StoreShadow = !(MS.EagerChecks && HasNoUndef);
4576     // FIXME: Consider using SpecialCaseList to specify a list of functions that
4577     // must always return fully initialized values. For now, we hardcode "main".
4578     bool EagerCheck = (MS.EagerChecks && HasNoUndef) || (F.getName() == "main");
4579 
4580     Value *Shadow = getShadow(RetVal);
4581     bool StoreOrigin = true;
4582     if (EagerCheck) {
4583       insertShadowCheck(RetVal, &I);
4584       Shadow = getCleanShadow(RetVal);
4585       StoreOrigin = false;
4586     }
4587 
4588     // The caller may still expect information passed over TLS if we pass our
4589     // check
4590     if (StoreShadow) {
4591       IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
4592       if (MS.TrackOrigins && StoreOrigin)
4593         IRB.CreateStore(getOrigin(RetVal), getOriginPtrForRetval());
4594     }
4595   }
4596 
visitPHINode__anonb346f5430811::MemorySanitizerVisitor4597   void visitPHINode(PHINode &I) {
4598     IRBuilder<> IRB(&I);
4599     if (!PropagateShadow) {
4600       setShadow(&I, getCleanShadow(&I));
4601       setOrigin(&I, getCleanOrigin());
4602       return;
4603     }
4604 
4605     ShadowPHINodes.push_back(&I);
4606     setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(),
4607                                 "_msphi_s"));
4608     if (MS.TrackOrigins)
4609       setOrigin(
4610           &I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(), "_msphi_o"));
4611   }
4612 
getLocalVarIdptr__anonb346f5430811::MemorySanitizerVisitor4613   Value *getLocalVarIdptr(AllocaInst &I) {
4614     ConstantInt *IntConst =
4615         ConstantInt::get(Type::getInt32Ty((*F.getParent()).getContext()), 0);
4616     return new GlobalVariable(*F.getParent(), IntConst->getType(),
4617                               /*isConstant=*/false, GlobalValue::PrivateLinkage,
4618                               IntConst);
4619   }
4620 
getLocalVarDescription__anonb346f5430811::MemorySanitizerVisitor4621   Value *getLocalVarDescription(AllocaInst &I) {
4622     return createPrivateConstGlobalForString(*F.getParent(), I.getName());
4623   }
4624 
poisonAllocaUserspace__anonb346f5430811::MemorySanitizerVisitor4625   void poisonAllocaUserspace(AllocaInst &I, IRBuilder<> &IRB, Value *Len) {
4626     if (PoisonStack && ClPoisonStackWithCall) {
4627       IRB.CreateCall(MS.MsanPoisonStackFn, {&I, Len});
4628     } else {
4629       Value *ShadowBase, *OriginBase;
4630       std::tie(ShadowBase, OriginBase) = getShadowOriginPtr(
4631           &I, IRB, IRB.getInt8Ty(), Align(1), /*isStore*/ true);
4632 
4633       Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0);
4634       IRB.CreateMemSet(ShadowBase, PoisonValue, Len, I.getAlign());
4635     }
4636 
4637     if (PoisonStack && MS.TrackOrigins) {
4638       Value *Idptr = getLocalVarIdptr(I);
4639       if (ClPrintStackNames) {
4640         Value *Descr = getLocalVarDescription(I);
4641         IRB.CreateCall(MS.MsanSetAllocaOriginWithDescriptionFn,
4642                        {&I, Len, Idptr, Descr});
4643       } else {
4644         IRB.CreateCall(MS.MsanSetAllocaOriginNoDescriptionFn, {&I, Len, Idptr});
4645       }
4646     }
4647   }
4648 
poisonAllocaKmsan__anonb346f5430811::MemorySanitizerVisitor4649   void poisonAllocaKmsan(AllocaInst &I, IRBuilder<> &IRB, Value *Len) {
4650     Value *Descr = getLocalVarDescription(I);
4651     if (PoisonStack) {
4652       IRB.CreateCall(MS.MsanPoisonAllocaFn, {&I, Len, Descr});
4653     } else {
4654       IRB.CreateCall(MS.MsanUnpoisonAllocaFn, {&I, Len});
4655     }
4656   }
4657 
instrumentAlloca__anonb346f5430811::MemorySanitizerVisitor4658   void instrumentAlloca(AllocaInst &I, Instruction *InsPoint = nullptr) {
4659     if (!InsPoint)
4660       InsPoint = &I;
4661     NextNodeIRBuilder IRB(InsPoint);
4662     const DataLayout &DL = F.getDataLayout();
4663     TypeSize TS = DL.getTypeAllocSize(I.getAllocatedType());
4664     Value *Len = IRB.CreateTypeSize(MS.IntptrTy, TS);
4665     if (I.isArrayAllocation())
4666       Len = IRB.CreateMul(Len,
4667                           IRB.CreateZExtOrTrunc(I.getArraySize(), MS.IntptrTy));
4668 
4669     if (MS.CompileKernel)
4670       poisonAllocaKmsan(I, IRB, Len);
4671     else
4672       poisonAllocaUserspace(I, IRB, Len);
4673   }
4674 
visitAllocaInst__anonb346f5430811::MemorySanitizerVisitor4675   void visitAllocaInst(AllocaInst &I) {
4676     setShadow(&I, getCleanShadow(&I));
4677     setOrigin(&I, getCleanOrigin());
4678     // We'll get to this alloca later unless it's poisoned at the corresponding
4679     // llvm.lifetime.start.
4680     AllocaSet.insert(&I);
4681   }
4682 
visitSelectInst__anonb346f5430811::MemorySanitizerVisitor4683   void visitSelectInst(SelectInst &I) {
4684     // a = select b, c, d
4685     Value *B = I.getCondition();
4686     Value *C = I.getTrueValue();
4687     Value *D = I.getFalseValue();
4688 
4689     handleSelectLikeInst(I, B, C, D);
4690   }
4691 
handleSelectLikeInst__anonb346f5430811::MemorySanitizerVisitor4692   void handleSelectLikeInst(Instruction &I, Value *B, Value *C, Value *D) {
4693     IRBuilder<> IRB(&I);
4694 
4695     Value *Sb = getShadow(B);
4696     Value *Sc = getShadow(C);
4697     Value *Sd = getShadow(D);
4698 
4699     Value *Ob = MS.TrackOrigins ? getOrigin(B) : nullptr;
4700     Value *Oc = MS.TrackOrigins ? getOrigin(C) : nullptr;
4701     Value *Od = MS.TrackOrigins ? getOrigin(D) : nullptr;
4702 
4703     // Result shadow if condition shadow is 0.
4704     Value *Sa0 = IRB.CreateSelect(B, Sc, Sd);
4705     Value *Sa1;
4706     if (I.getType()->isAggregateType()) {
4707       // To avoid "sign extending" i1 to an arbitrary aggregate type, we just do
4708       // an extra "select". This results in much more compact IR.
4709       // Sa = select Sb, poisoned, (select b, Sc, Sd)
4710       Sa1 = getPoisonedShadow(getShadowTy(I.getType()));
4711     } else {
4712       // Sa = select Sb, [ (c^d) | Sc | Sd ], [ b ? Sc : Sd ]
4713       // If Sb (condition is poisoned), look for bits in c and d that are equal
4714       // and both unpoisoned.
4715       // If !Sb (condition is unpoisoned), simply pick one of Sc and Sd.
4716 
4717       // Cast arguments to shadow-compatible type.
4718       C = CreateAppToShadowCast(IRB, C);
4719       D = CreateAppToShadowCast(IRB, D);
4720 
4721       // Result shadow if condition shadow is 1.
4722       Sa1 = IRB.CreateOr({IRB.CreateXor(C, D), Sc, Sd});
4723     }
4724     Value *Sa = IRB.CreateSelect(Sb, Sa1, Sa0, "_msprop_select");
4725     setShadow(&I, Sa);
4726     if (MS.TrackOrigins) {
4727       // Origins are always i32, so any vector conditions must be flattened.
4728       // FIXME: consider tracking vector origins for app vectors?
4729       if (B->getType()->isVectorTy()) {
4730         B = convertToBool(B, IRB);
4731         Sb = convertToBool(Sb, IRB);
4732       }
4733       // a = select b, c, d
4734       // Oa = Sb ? Ob : (b ? Oc : Od)
4735       setOrigin(&I, IRB.CreateSelect(Sb, Ob, IRB.CreateSelect(B, Oc, Od)));
4736     }
4737   }
4738 
visitLandingPadInst__anonb346f5430811::MemorySanitizerVisitor4739   void visitLandingPadInst(LandingPadInst &I) {
4740     // Do nothing.
4741     // See https://github.com/google/sanitizers/issues/504
4742     setShadow(&I, getCleanShadow(&I));
4743     setOrigin(&I, getCleanOrigin());
4744   }
4745 
visitCatchSwitchInst__anonb346f5430811::MemorySanitizerVisitor4746   void visitCatchSwitchInst(CatchSwitchInst &I) {
4747     setShadow(&I, getCleanShadow(&I));
4748     setOrigin(&I, getCleanOrigin());
4749   }
4750 
visitFuncletPadInst__anonb346f5430811::MemorySanitizerVisitor4751   void visitFuncletPadInst(FuncletPadInst &I) {
4752     setShadow(&I, getCleanShadow(&I));
4753     setOrigin(&I, getCleanOrigin());
4754   }
4755 
visitGetElementPtrInst__anonb346f5430811::MemorySanitizerVisitor4756   void visitGetElementPtrInst(GetElementPtrInst &I) { handleShadowOr(I); }
4757 
visitExtractValueInst__anonb346f5430811::MemorySanitizerVisitor4758   void visitExtractValueInst(ExtractValueInst &I) {
4759     IRBuilder<> IRB(&I);
4760     Value *Agg = I.getAggregateOperand();
4761     LLVM_DEBUG(dbgs() << "ExtractValue:  " << I << "\n");
4762     Value *AggShadow = getShadow(Agg);
4763     LLVM_DEBUG(dbgs() << "   AggShadow:  " << *AggShadow << "\n");
4764     Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices());
4765     LLVM_DEBUG(dbgs() << "   ResShadow:  " << *ResShadow << "\n");
4766     setShadow(&I, ResShadow);
4767     setOriginForNaryOp(I);
4768   }
4769 
visitInsertValueInst__anonb346f5430811::MemorySanitizerVisitor4770   void visitInsertValueInst(InsertValueInst &I) {
4771     IRBuilder<> IRB(&I);
4772     LLVM_DEBUG(dbgs() << "InsertValue:  " << I << "\n");
4773     Value *AggShadow = getShadow(I.getAggregateOperand());
4774     Value *InsShadow = getShadow(I.getInsertedValueOperand());
4775     LLVM_DEBUG(dbgs() << "   AggShadow:  " << *AggShadow << "\n");
4776     LLVM_DEBUG(dbgs() << "   InsShadow:  " << *InsShadow << "\n");
4777     Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices());
4778     LLVM_DEBUG(dbgs() << "   Res:        " << *Res << "\n");
4779     setShadow(&I, Res);
4780     setOriginForNaryOp(I);
4781   }
4782 
dumpInst__anonb346f5430811::MemorySanitizerVisitor4783   void dumpInst(Instruction &I) {
4784     if (CallInst *CI = dyn_cast<CallInst>(&I)) {
4785       errs() << "ZZZ call " << CI->getCalledFunction()->getName() << "\n";
4786     } else {
4787       errs() << "ZZZ " << I.getOpcodeName() << "\n";
4788     }
4789     errs() << "QQQ " << I << "\n";
4790   }
4791 
visitResumeInst__anonb346f5430811::MemorySanitizerVisitor4792   void visitResumeInst(ResumeInst &I) {
4793     LLVM_DEBUG(dbgs() << "Resume: " << I << "\n");
4794     // Nothing to do here.
4795   }
4796 
visitCleanupReturnInst__anonb346f5430811::MemorySanitizerVisitor4797   void visitCleanupReturnInst(CleanupReturnInst &CRI) {
4798     LLVM_DEBUG(dbgs() << "CleanupReturn: " << CRI << "\n");
4799     // Nothing to do here.
4800   }
4801 
visitCatchReturnInst__anonb346f5430811::MemorySanitizerVisitor4802   void visitCatchReturnInst(CatchReturnInst &CRI) {
4803     LLVM_DEBUG(dbgs() << "CatchReturn: " << CRI << "\n");
4804     // Nothing to do here.
4805   }
4806 
instrumentAsmArgument__anonb346f5430811::MemorySanitizerVisitor4807   void instrumentAsmArgument(Value *Operand, Type *ElemTy, Instruction &I,
4808                              IRBuilder<> &IRB, const DataLayout &DL,
4809                              bool isOutput) {
4810     // For each assembly argument, we check its value for being initialized.
4811     // If the argument is a pointer, we assume it points to a single element
4812     // of the corresponding type (or to a 8-byte word, if the type is unsized).
4813     // Each such pointer is instrumented with a call to the runtime library.
4814     Type *OpType = Operand->getType();
4815     // Check the operand value itself.
4816     insertShadowCheck(Operand, &I);
4817     if (!OpType->isPointerTy() || !isOutput) {
4818       assert(!isOutput);
4819       return;
4820     }
4821     if (!ElemTy->isSized())
4822       return;
4823     auto Size = DL.getTypeStoreSize(ElemTy);
4824     Value *SizeVal = IRB.CreateTypeSize(MS.IntptrTy, Size);
4825     if (MS.CompileKernel) {
4826       IRB.CreateCall(MS.MsanInstrumentAsmStoreFn, {Operand, SizeVal});
4827     } else {
4828       // ElemTy, derived from elementtype(), does not encode the alignment of
4829       // the pointer. Conservatively assume that the shadow memory is unaligned.
4830       // When Size is large, avoid StoreInst as it would expand to many
4831       // instructions.
4832       auto [ShadowPtr, _] =
4833           getShadowOriginPtrUserspace(Operand, IRB, IRB.getInt8Ty(), Align(1));
4834       if (Size <= 32)
4835         IRB.CreateAlignedStore(getCleanShadow(ElemTy), ShadowPtr, Align(1));
4836       else
4837         IRB.CreateMemSet(ShadowPtr, ConstantInt::getNullValue(IRB.getInt8Ty()),
4838                          SizeVal, Align(1));
4839     }
4840   }
4841 
4842   /// Get the number of output arguments returned by pointers.
getNumOutputArgs__anonb346f5430811::MemorySanitizerVisitor4843   int getNumOutputArgs(InlineAsm *IA, CallBase *CB) {
4844     int NumRetOutputs = 0;
4845     int NumOutputs = 0;
4846     Type *RetTy = cast<Value>(CB)->getType();
4847     if (!RetTy->isVoidTy()) {
4848       // Register outputs are returned via the CallInst return value.
4849       auto *ST = dyn_cast<StructType>(RetTy);
4850       if (ST)
4851         NumRetOutputs = ST->getNumElements();
4852       else
4853         NumRetOutputs = 1;
4854     }
4855     InlineAsm::ConstraintInfoVector Constraints = IA->ParseConstraints();
4856     for (const InlineAsm::ConstraintInfo &Info : Constraints) {
4857       switch (Info.Type) {
4858       case InlineAsm::isOutput:
4859         NumOutputs++;
4860         break;
4861       default:
4862         break;
4863       }
4864     }
4865     return NumOutputs - NumRetOutputs;
4866   }
4867 
visitAsmInstruction__anonb346f5430811::MemorySanitizerVisitor4868   void visitAsmInstruction(Instruction &I) {
4869     // Conservative inline assembly handling: check for poisoned shadow of
4870     // asm() arguments, then unpoison the result and all the memory locations
4871     // pointed to by those arguments.
4872     // An inline asm() statement in C++ contains lists of input and output
4873     // arguments used by the assembly code. These are mapped to operands of the
4874     // CallInst as follows:
4875     //  - nR register outputs ("=r) are returned by value in a single structure
4876     //  (SSA value of the CallInst);
4877     //  - nO other outputs ("=m" and others) are returned by pointer as first
4878     // nO operands of the CallInst;
4879     //  - nI inputs ("r", "m" and others) are passed to CallInst as the
4880     // remaining nI operands.
4881     // The total number of asm() arguments in the source is nR+nO+nI, and the
4882     // corresponding CallInst has nO+nI+1 operands (the last operand is the
4883     // function to be called).
4884     const DataLayout &DL = F.getDataLayout();
4885     CallBase *CB = cast<CallBase>(&I);
4886     IRBuilder<> IRB(&I);
4887     InlineAsm *IA = cast<InlineAsm>(CB->getCalledOperand());
4888     int OutputArgs = getNumOutputArgs(IA, CB);
4889     // The last operand of a CallInst is the function itself.
4890     int NumOperands = CB->getNumOperands() - 1;
4891 
4892     // Check input arguments. Doing so before unpoisoning output arguments, so
4893     // that we won't overwrite uninit values before checking them.
4894     for (int i = OutputArgs; i < NumOperands; i++) {
4895       Value *Operand = CB->getOperand(i);
4896       instrumentAsmArgument(Operand, CB->getParamElementType(i), I, IRB, DL,
4897                             /*isOutput*/ false);
4898     }
4899     // Unpoison output arguments. This must happen before the actual InlineAsm
4900     // call, so that the shadow for memory published in the asm() statement
4901     // remains valid.
4902     for (int i = 0; i < OutputArgs; i++) {
4903       Value *Operand = CB->getOperand(i);
4904       instrumentAsmArgument(Operand, CB->getParamElementType(i), I, IRB, DL,
4905                             /*isOutput*/ true);
4906     }
4907 
4908     setShadow(&I, getCleanShadow(&I));
4909     setOrigin(&I, getCleanOrigin());
4910   }
4911 
visitFreezeInst__anonb346f5430811::MemorySanitizerVisitor4912   void visitFreezeInst(FreezeInst &I) {
4913     // Freeze always returns a fully defined value.
4914     setShadow(&I, getCleanShadow(&I));
4915     setOrigin(&I, getCleanOrigin());
4916   }
4917 
visitInstruction__anonb346f5430811::MemorySanitizerVisitor4918   void visitInstruction(Instruction &I) {
4919     // Everything else: stop propagating and check for poisoned shadow.
4920     if (ClDumpStrictInstructions)
4921       dumpInst(I);
4922     LLVM_DEBUG(dbgs() << "DEFAULT: " << I << "\n");
4923     for (size_t i = 0, n = I.getNumOperands(); i < n; i++) {
4924       Value *Operand = I.getOperand(i);
4925       if (Operand->getType()->isSized())
4926         insertShadowCheck(Operand, &I);
4927     }
4928     setShadow(&I, getCleanShadow(&I));
4929     setOrigin(&I, getCleanOrigin());
4930   }
4931 };
4932 
4933 struct VarArgHelperBase : public VarArgHelper {
4934   Function &F;
4935   MemorySanitizer &MS;
4936   MemorySanitizerVisitor &MSV;
4937   SmallVector<CallInst *, 16> VAStartInstrumentationList;
4938   const unsigned VAListTagSize;
4939 
VarArgHelperBase__anonb346f5430811::VarArgHelperBase4940   VarArgHelperBase(Function &F, MemorySanitizer &MS,
4941                    MemorySanitizerVisitor &MSV, unsigned VAListTagSize)
4942       : F(F), MS(MS), MSV(MSV), VAListTagSize(VAListTagSize) {}
4943 
getShadowAddrForVAArgument__anonb346f5430811::VarArgHelperBase4944   Value *getShadowAddrForVAArgument(IRBuilder<> &IRB, unsigned ArgOffset) {
4945     Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
4946     return IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
4947   }
4948 
4949   /// Compute the shadow address for a given va_arg.
getShadowPtrForVAArgument__anonb346f5430811::VarArgHelperBase4950   Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
4951                                    unsigned ArgOffset) {
4952     Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
4953     Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
4954     return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
4955                               "_msarg_va_s");
4956   }
4957 
4958   /// Compute the shadow address for a given va_arg.
getShadowPtrForVAArgument__anonb346f5430811::VarArgHelperBase4959   Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
4960                                    unsigned ArgOffset, unsigned ArgSize) {
4961     // Make sure we don't overflow __msan_va_arg_tls.
4962     if (ArgOffset + ArgSize > kParamTLSSize)
4963       return nullptr;
4964     return getShadowPtrForVAArgument(Ty, IRB, ArgOffset);
4965   }
4966 
4967   /// Compute the origin address for a given va_arg.
getOriginPtrForVAArgument__anonb346f5430811::VarArgHelperBase4968   Value *getOriginPtrForVAArgument(IRBuilder<> &IRB, int ArgOffset) {
4969     Value *Base = IRB.CreatePointerCast(MS.VAArgOriginTLS, MS.IntptrTy);
4970     // getOriginPtrForVAArgument() is always called after
4971     // getShadowPtrForVAArgument(), so __msan_va_arg_origin_tls can never
4972     // overflow.
4973     Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
4974     return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
4975                               "_msarg_va_o");
4976   }
4977 
CleanUnusedTLS__anonb346f5430811::VarArgHelperBase4978   void CleanUnusedTLS(IRBuilder<> &IRB, Value *ShadowBase,
4979                       unsigned BaseOffset) {
4980     // The tails of __msan_va_arg_tls is not large enough to fit full
4981     // value shadow, but it will be copied to backup anyway. Make it
4982     // clean.
4983     if (BaseOffset >= kParamTLSSize)
4984       return;
4985     Value *TailSize =
4986         ConstantInt::getSigned(IRB.getInt32Ty(), kParamTLSSize - BaseOffset);
4987     IRB.CreateMemSet(ShadowBase, ConstantInt::getNullValue(IRB.getInt8Ty()),
4988                      TailSize, Align(8));
4989   }
4990 
unpoisonVAListTagForInst__anonb346f5430811::VarArgHelperBase4991   void unpoisonVAListTagForInst(IntrinsicInst &I) {
4992     IRBuilder<> IRB(&I);
4993     Value *VAListTag = I.getArgOperand(0);
4994     const Align Alignment = Align(8);
4995     auto [ShadowPtr, OriginPtr] = MSV.getShadowOriginPtr(
4996         VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4997     // Unpoison the whole __va_list_tag.
4998     IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4999                      VAListTagSize, Alignment, false);
5000   }
5001 
visitVAStartInst__anonb346f5430811::VarArgHelperBase5002   void visitVAStartInst(VAStartInst &I) override {
5003     if (F.getCallingConv() == CallingConv::Win64)
5004       return;
5005     VAStartInstrumentationList.push_back(&I);
5006     unpoisonVAListTagForInst(I);
5007   }
5008 
visitVACopyInst__anonb346f5430811::VarArgHelperBase5009   void visitVACopyInst(VACopyInst &I) override {
5010     if (F.getCallingConv() == CallingConv::Win64)
5011       return;
5012     unpoisonVAListTagForInst(I);
5013   }
5014 };
5015 
5016 /// AMD64-specific implementation of VarArgHelper.
5017 struct VarArgAMD64Helper : public VarArgHelperBase {
5018   // An unfortunate workaround for asymmetric lowering of va_arg stuff.
5019   // See a comment in visitCallBase for more details.
5020   static const unsigned AMD64GpEndOffset = 48; // AMD64 ABI Draft 0.99.6 p3.5.7
5021   static const unsigned AMD64FpEndOffsetSSE = 176;
5022   // If SSE is disabled, fp_offset in va_list is zero.
5023   static const unsigned AMD64FpEndOffsetNoSSE = AMD64GpEndOffset;
5024 
5025   unsigned AMD64FpEndOffset;
5026   AllocaInst *VAArgTLSCopy = nullptr;
5027   AllocaInst *VAArgTLSOriginCopy = nullptr;
5028   Value *VAArgOverflowSize = nullptr;
5029 
5030   enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
5031 
VarArgAMD64Helper__anonb346f5430811::VarArgAMD64Helper5032   VarArgAMD64Helper(Function &F, MemorySanitizer &MS,
5033                     MemorySanitizerVisitor &MSV)
5034       : VarArgHelperBase(F, MS, MSV, /*VAListTagSize=*/24) {
5035     AMD64FpEndOffset = AMD64FpEndOffsetSSE;
5036     for (const auto &Attr : F.getAttributes().getFnAttrs()) {
5037       if (Attr.isStringAttribute() &&
5038           (Attr.getKindAsString() == "target-features")) {
5039         if (Attr.getValueAsString().contains("-sse"))
5040           AMD64FpEndOffset = AMD64FpEndOffsetNoSSE;
5041         break;
5042       }
5043     }
5044   }
5045 
classifyArgument__anonb346f5430811::VarArgAMD64Helper5046   ArgKind classifyArgument(Value *arg) {
5047     // A very rough approximation of X86_64 argument classification rules.
5048     Type *T = arg->getType();
5049     if (T->isX86_FP80Ty())
5050       return AK_Memory;
5051     if (T->isFPOrFPVectorTy() || T->isX86_MMXTy())
5052       return AK_FloatingPoint;
5053     if (T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64)
5054       return AK_GeneralPurpose;
5055     if (T->isPointerTy())
5056       return AK_GeneralPurpose;
5057     return AK_Memory;
5058   }
5059 
5060   // For VarArg functions, store the argument shadow in an ABI-specific format
5061   // that corresponds to va_list layout.
5062   // We do this because Clang lowers va_arg in the frontend, and this pass
5063   // only sees the low level code that deals with va_list internals.
5064   // A much easier alternative (provided that Clang emits va_arg instructions)
5065   // would have been to associate each live instance of va_list with a copy of
5066   // MSanParamTLS, and extract shadow on va_arg() call in the argument list
5067   // order.
visitCallBase__anonb346f5430811::VarArgAMD64Helper5068   void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
5069     unsigned GpOffset = 0;
5070     unsigned FpOffset = AMD64GpEndOffset;
5071     unsigned OverflowOffset = AMD64FpEndOffset;
5072     const DataLayout &DL = F.getDataLayout();
5073 
5074     for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) {
5075       bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
5076       bool IsByVal = CB.paramHasAttr(ArgNo, Attribute::ByVal);
5077       if (IsByVal) {
5078         // ByVal arguments always go to the overflow area.
5079         // Fixed arguments passed through the overflow area will be stepped
5080         // over by va_start, so don't count them towards the offset.
5081         if (IsFixed)
5082           continue;
5083         assert(A->getType()->isPointerTy());
5084         Type *RealTy = CB.getParamByValType(ArgNo);
5085         uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
5086         uint64_t AlignedSize = alignTo(ArgSize, 8);
5087         unsigned BaseOffset = OverflowOffset;
5088         Value *ShadowBase =
5089             getShadowPtrForVAArgument(RealTy, IRB, OverflowOffset);
5090         Value *OriginBase = nullptr;
5091         if (MS.TrackOrigins)
5092           OriginBase = getOriginPtrForVAArgument(IRB, OverflowOffset);
5093         OverflowOffset += AlignedSize;
5094 
5095         if (OverflowOffset > kParamTLSSize) {
5096           CleanUnusedTLS(IRB, ShadowBase, BaseOffset);
5097           continue; // We have no space to copy shadow there.
5098         }
5099 
5100         Value *ShadowPtr, *OriginPtr;
5101         std::tie(ShadowPtr, OriginPtr) =
5102             MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment,
5103                                    /*isStore*/ false);
5104         IRB.CreateMemCpy(ShadowBase, kShadowTLSAlignment, ShadowPtr,
5105                          kShadowTLSAlignment, ArgSize);
5106         if (MS.TrackOrigins)
5107           IRB.CreateMemCpy(OriginBase, kShadowTLSAlignment, OriginPtr,
5108                            kShadowTLSAlignment, ArgSize);
5109       } else {
5110         ArgKind AK = classifyArgument(A);
5111         if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset)
5112           AK = AK_Memory;
5113         if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset)
5114           AK = AK_Memory;
5115         Value *ShadowBase, *OriginBase = nullptr;
5116         switch (AK) {
5117         case AK_GeneralPurpose:
5118           ShadowBase = getShadowPtrForVAArgument(A->getType(), IRB, GpOffset);
5119           if (MS.TrackOrigins)
5120             OriginBase = getOriginPtrForVAArgument(IRB, GpOffset);
5121           GpOffset += 8;
5122           assert(GpOffset <= kParamTLSSize);
5123           break;
5124         case AK_FloatingPoint:
5125           ShadowBase = getShadowPtrForVAArgument(A->getType(), IRB, FpOffset);
5126           if (MS.TrackOrigins)
5127             OriginBase = getOriginPtrForVAArgument(IRB, FpOffset);
5128           FpOffset += 16;
5129           assert(FpOffset <= kParamTLSSize);
5130           break;
5131         case AK_Memory:
5132           if (IsFixed)
5133             continue;
5134           uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
5135           uint64_t AlignedSize = alignTo(ArgSize, 8);
5136           unsigned BaseOffset = OverflowOffset;
5137           ShadowBase =
5138               getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset);
5139           if (MS.TrackOrigins) {
5140             OriginBase = getOriginPtrForVAArgument(IRB, OverflowOffset);
5141           }
5142           OverflowOffset += AlignedSize;
5143           if (OverflowOffset > kParamTLSSize) {
5144             // We have no space to copy shadow there.
5145             CleanUnusedTLS(IRB, ShadowBase, BaseOffset);
5146             continue;
5147           }
5148         }
5149         // Take fixed arguments into account for GpOffset and FpOffset,
5150         // but don't actually store shadows for them.
5151         // TODO(glider): don't call get*PtrForVAArgument() for them.
5152         if (IsFixed)
5153           continue;
5154         Value *Shadow = MSV.getShadow(A);
5155         IRB.CreateAlignedStore(Shadow, ShadowBase, kShadowTLSAlignment);
5156         if (MS.TrackOrigins) {
5157           Value *Origin = MSV.getOrigin(A);
5158           TypeSize StoreSize = DL.getTypeStoreSize(Shadow->getType());
5159           MSV.paintOrigin(IRB, Origin, OriginBase, StoreSize,
5160                           std::max(kShadowTLSAlignment, kMinOriginAlignment));
5161         }
5162       }
5163     }
5164     Constant *OverflowSize =
5165         ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset);
5166     IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
5167   }
5168 
finalizeInstrumentation__anonb346f5430811::VarArgAMD64Helper5169   void finalizeInstrumentation() override {
5170     assert(!VAArgOverflowSize && !VAArgTLSCopy &&
5171            "finalizeInstrumentation called twice");
5172     if (!VAStartInstrumentationList.empty()) {
5173       // If there is a va_start in this function, make a backup copy of
5174       // va_arg_tls somewhere in the function entry block.
5175       IRBuilder<> IRB(MSV.FnPrologueEnd);
5176       VAArgOverflowSize =
5177           IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
5178       Value *CopySize = IRB.CreateAdd(
5179           ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset), VAArgOverflowSize);
5180       VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5181       VAArgTLSCopy->setAlignment(kShadowTLSAlignment);
5182       IRB.CreateMemSet(VAArgTLSCopy, Constant::getNullValue(IRB.getInt8Ty()),
5183                        CopySize, kShadowTLSAlignment, false);
5184 
5185       Value *SrcSize = IRB.CreateBinaryIntrinsic(
5186           Intrinsic::umin, CopySize,
5187           ConstantInt::get(MS.IntptrTy, kParamTLSSize));
5188       IRB.CreateMemCpy(VAArgTLSCopy, kShadowTLSAlignment, MS.VAArgTLS,
5189                        kShadowTLSAlignment, SrcSize);
5190       if (MS.TrackOrigins) {
5191         VAArgTLSOriginCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5192         VAArgTLSOriginCopy->setAlignment(kShadowTLSAlignment);
5193         IRB.CreateMemCpy(VAArgTLSOriginCopy, kShadowTLSAlignment,
5194                          MS.VAArgOriginTLS, kShadowTLSAlignment, SrcSize);
5195       }
5196     }
5197 
5198     // Instrument va_start.
5199     // Copy va_list shadow from the backup copy of the TLS contents.
5200     for (CallInst *OrigInst : VAStartInstrumentationList) {
5201       NextNodeIRBuilder IRB(OrigInst);
5202       Value *VAListTag = OrigInst->getArgOperand(0);
5203 
5204       Type *RegSaveAreaPtrTy = PointerType::getUnqual(*MS.C); // i64*
5205       Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr(
5206           IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5207                         ConstantInt::get(MS.IntptrTy, 16)),
5208           PointerType::get(RegSaveAreaPtrTy, 0));
5209       Value *RegSaveAreaPtr =
5210           IRB.CreateLoad(RegSaveAreaPtrTy, RegSaveAreaPtrPtr);
5211       Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
5212       const Align Alignment = Align(16);
5213       std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
5214           MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
5215                                  Alignment, /*isStore*/ true);
5216       IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
5217                        AMD64FpEndOffset);
5218       if (MS.TrackOrigins)
5219         IRB.CreateMemCpy(RegSaveAreaOriginPtr, Alignment, VAArgTLSOriginCopy,
5220                          Alignment, AMD64FpEndOffset);
5221       Type *OverflowArgAreaPtrTy = PointerType::getUnqual(*MS.C); // i64*
5222       Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr(
5223           IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5224                         ConstantInt::get(MS.IntptrTy, 8)),
5225           PointerType::get(OverflowArgAreaPtrTy, 0));
5226       Value *OverflowArgAreaPtr =
5227           IRB.CreateLoad(OverflowArgAreaPtrTy, OverflowArgAreaPtrPtr);
5228       Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr;
5229       std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) =
5230           MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(),
5231                                  Alignment, /*isStore*/ true);
5232       Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy,
5233                                              AMD64FpEndOffset);
5234       IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment,
5235                        VAArgOverflowSize);
5236       if (MS.TrackOrigins) {
5237         SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSOriginCopy,
5238                                         AMD64FpEndOffset);
5239         IRB.CreateMemCpy(OverflowArgAreaOriginPtr, Alignment, SrcPtr, Alignment,
5240                          VAArgOverflowSize);
5241       }
5242     }
5243   }
5244 };
5245 
5246 /// MIPS64-specific implementation of VarArgHelper.
5247 /// NOTE: This is also used for LoongArch64.
5248 struct VarArgMIPS64Helper : public VarArgHelperBase {
5249   AllocaInst *VAArgTLSCopy = nullptr;
5250   Value *VAArgSize = nullptr;
5251 
VarArgMIPS64Helper__anonb346f5430811::VarArgMIPS64Helper5252   VarArgMIPS64Helper(Function &F, MemorySanitizer &MS,
5253                      MemorySanitizerVisitor &MSV)
5254       : VarArgHelperBase(F, MS, MSV, /*VAListTagSize=*/8) {}
5255 
visitCallBase__anonb346f5430811::VarArgMIPS64Helper5256   void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
5257     unsigned VAArgOffset = 0;
5258     const DataLayout &DL = F.getDataLayout();
5259     for (Value *A :
5260          llvm::drop_begin(CB.args(), CB.getFunctionType()->getNumParams())) {
5261       Triple TargetTriple(F.getParent()->getTargetTriple());
5262       Value *Base;
5263       uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
5264       if (TargetTriple.getArch() == Triple::mips64) {
5265         // Adjusting the shadow for argument with size < 8 to match the
5266         // placement of bits in big endian system
5267         if (ArgSize < 8)
5268           VAArgOffset += (8 - ArgSize);
5269       }
5270       Base = getShadowPtrForVAArgument(A->getType(), IRB, VAArgOffset, ArgSize);
5271       VAArgOffset += ArgSize;
5272       VAArgOffset = alignTo(VAArgOffset, 8);
5273       if (!Base)
5274         continue;
5275       IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
5276     }
5277 
5278     Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(), VAArgOffset);
5279     // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of
5280     // a new class member i.e. it is the total size of all VarArgs.
5281     IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
5282   }
5283 
finalizeInstrumentation__anonb346f5430811::VarArgMIPS64Helper5284   void finalizeInstrumentation() override {
5285     assert(!VAArgSize && !VAArgTLSCopy &&
5286            "finalizeInstrumentation called twice");
5287     IRBuilder<> IRB(MSV.FnPrologueEnd);
5288     VAArgSize = IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
5289     Value *CopySize =
5290         IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, 0), VAArgSize);
5291 
5292     if (!VAStartInstrumentationList.empty()) {
5293       // If there is a va_start in this function, make a backup copy of
5294       // va_arg_tls somewhere in the function entry block.
5295       VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5296       VAArgTLSCopy->setAlignment(kShadowTLSAlignment);
5297       IRB.CreateMemSet(VAArgTLSCopy, Constant::getNullValue(IRB.getInt8Ty()),
5298                        CopySize, kShadowTLSAlignment, false);
5299 
5300       Value *SrcSize = IRB.CreateBinaryIntrinsic(
5301           Intrinsic::umin, CopySize,
5302           ConstantInt::get(MS.IntptrTy, kParamTLSSize));
5303       IRB.CreateMemCpy(VAArgTLSCopy, kShadowTLSAlignment, MS.VAArgTLS,
5304                        kShadowTLSAlignment, SrcSize);
5305     }
5306 
5307     // Instrument va_start.
5308     // Copy va_list shadow from the backup copy of the TLS contents.
5309     for (CallInst *OrigInst : VAStartInstrumentationList) {
5310       NextNodeIRBuilder IRB(OrigInst);
5311       Value *VAListTag = OrigInst->getArgOperand(0);
5312       Type *RegSaveAreaPtrTy = PointerType::getUnqual(*MS.C); // i64*
5313       Value *RegSaveAreaPtrPtr =
5314           IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5315                              PointerType::get(RegSaveAreaPtrTy, 0));
5316       Value *RegSaveAreaPtr =
5317           IRB.CreateLoad(RegSaveAreaPtrTy, RegSaveAreaPtrPtr);
5318       Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
5319       const Align Alignment = Align(8);
5320       std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
5321           MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
5322                                  Alignment, /*isStore*/ true);
5323       IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
5324                        CopySize);
5325     }
5326   }
5327 };
5328 
5329 /// AArch64-specific implementation of VarArgHelper.
5330 struct VarArgAArch64Helper : public VarArgHelperBase {
5331   static const unsigned kAArch64GrArgSize = 64;
5332   static const unsigned kAArch64VrArgSize = 128;
5333 
5334   static const unsigned AArch64GrBegOffset = 0;
5335   static const unsigned AArch64GrEndOffset = kAArch64GrArgSize;
5336   // Make VR space aligned to 16 bytes.
5337   static const unsigned AArch64VrBegOffset = AArch64GrEndOffset;
5338   static const unsigned AArch64VrEndOffset =
5339       AArch64VrBegOffset + kAArch64VrArgSize;
5340   static const unsigned AArch64VAEndOffset = AArch64VrEndOffset;
5341 
5342   AllocaInst *VAArgTLSCopy = nullptr;
5343   Value *VAArgOverflowSize = nullptr;
5344 
5345   enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
5346 
VarArgAArch64Helper__anonb346f5430811::VarArgAArch64Helper5347   VarArgAArch64Helper(Function &F, MemorySanitizer &MS,
5348                       MemorySanitizerVisitor &MSV)
5349       : VarArgHelperBase(F, MS, MSV, /*VAListTagSize=*/32) {}
5350 
5351   // A very rough approximation of aarch64 argument classification rules.
classifyArgument__anonb346f5430811::VarArgAArch64Helper5352   std::pair<ArgKind, uint64_t> classifyArgument(Type *T) {
5353     if (T->isIntOrPtrTy() && T->getPrimitiveSizeInBits() <= 64)
5354       return {AK_GeneralPurpose, 1};
5355     if (T->isFloatingPointTy() && T->getPrimitiveSizeInBits() <= 128)
5356       return {AK_FloatingPoint, 1};
5357 
5358     if (T->isArrayTy()) {
5359       auto R = classifyArgument(T->getArrayElementType());
5360       R.second *= T->getScalarType()->getArrayNumElements();
5361       return R;
5362     }
5363 
5364     if (const FixedVectorType *FV = dyn_cast<FixedVectorType>(T)) {
5365       auto R = classifyArgument(FV->getScalarType());
5366       R.second *= FV->getNumElements();
5367       return R;
5368     }
5369 
5370     LLVM_DEBUG(errs() << "Unknown vararg type: " << *T << "\n");
5371     return {AK_Memory, 0};
5372   }
5373 
5374   // The instrumentation stores the argument shadow in a non ABI-specific
5375   // format because it does not know which argument is named (since Clang,
5376   // like x86_64 case, lowers the va_args in the frontend and this pass only
5377   // sees the low level code that deals with va_list internals).
5378   // The first seven GR registers are saved in the first 56 bytes of the
5379   // va_arg tls arra, followed by the first 8 FP/SIMD registers, and then
5380   // the remaining arguments.
5381   // Using constant offset within the va_arg TLS array allows fast copy
5382   // in the finalize instrumentation.
visitCallBase__anonb346f5430811::VarArgAArch64Helper5383   void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
5384     unsigned GrOffset = AArch64GrBegOffset;
5385     unsigned VrOffset = AArch64VrBegOffset;
5386     unsigned OverflowOffset = AArch64VAEndOffset;
5387 
5388     const DataLayout &DL = F.getDataLayout();
5389     for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) {
5390       bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
5391       auto [AK, RegNum] = classifyArgument(A->getType());
5392       if (AK == AK_GeneralPurpose &&
5393           (GrOffset + RegNum * 8) > AArch64GrEndOffset)
5394         AK = AK_Memory;
5395       if (AK == AK_FloatingPoint &&
5396           (VrOffset + RegNum * 16) > AArch64VrEndOffset)
5397         AK = AK_Memory;
5398       Value *Base;
5399       switch (AK) {
5400       case AK_GeneralPurpose:
5401         Base = getShadowPtrForVAArgument(A->getType(), IRB, GrOffset);
5402         GrOffset += 8 * RegNum;
5403         break;
5404       case AK_FloatingPoint:
5405         Base = getShadowPtrForVAArgument(A->getType(), IRB, VrOffset);
5406         VrOffset += 16 * RegNum;
5407         break;
5408       case AK_Memory:
5409         // Don't count fixed arguments in the overflow area - va_start will
5410         // skip right over them.
5411         if (IsFixed)
5412           continue;
5413         uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
5414         uint64_t AlignedSize = alignTo(ArgSize, 8);
5415         unsigned BaseOffset = OverflowOffset;
5416         Base = getShadowPtrForVAArgument(A->getType(), IRB, BaseOffset);
5417         OverflowOffset += AlignedSize;
5418         if (OverflowOffset > kParamTLSSize) {
5419           // We have no space to copy shadow there.
5420           CleanUnusedTLS(IRB, Base, BaseOffset);
5421           continue;
5422         }
5423         break;
5424       }
5425       // Count Gp/Vr fixed arguments to their respective offsets, but don't
5426       // bother to actually store a shadow.
5427       if (IsFixed)
5428         continue;
5429       IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
5430     }
5431     Constant *OverflowSize =
5432         ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AArch64VAEndOffset);
5433     IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
5434   }
5435 
5436   // Retrieve a va_list field of 'void*' size.
getVAField64__anonb346f5430811::VarArgAArch64Helper5437   Value *getVAField64(IRBuilder<> &IRB, Value *VAListTag, int offset) {
5438     Value *SaveAreaPtrPtr = IRB.CreateIntToPtr(
5439         IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5440                       ConstantInt::get(MS.IntptrTy, offset)),
5441         PointerType::get(*MS.C, 0));
5442     return IRB.CreateLoad(Type::getInt64Ty(*MS.C), SaveAreaPtrPtr);
5443   }
5444 
5445   // Retrieve a va_list field of 'int' size.
getVAField32__anonb346f5430811::VarArgAArch64Helper5446   Value *getVAField32(IRBuilder<> &IRB, Value *VAListTag, int offset) {
5447     Value *SaveAreaPtr = IRB.CreateIntToPtr(
5448         IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5449                       ConstantInt::get(MS.IntptrTy, offset)),
5450         PointerType::get(*MS.C, 0));
5451     Value *SaveArea32 = IRB.CreateLoad(IRB.getInt32Ty(), SaveAreaPtr);
5452     return IRB.CreateSExt(SaveArea32, MS.IntptrTy);
5453   }
5454 
finalizeInstrumentation__anonb346f5430811::VarArgAArch64Helper5455   void finalizeInstrumentation() override {
5456     assert(!VAArgOverflowSize && !VAArgTLSCopy &&
5457            "finalizeInstrumentation called twice");
5458     if (!VAStartInstrumentationList.empty()) {
5459       // If there is a va_start in this function, make a backup copy of
5460       // va_arg_tls somewhere in the function entry block.
5461       IRBuilder<> IRB(MSV.FnPrologueEnd);
5462       VAArgOverflowSize =
5463           IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
5464       Value *CopySize = IRB.CreateAdd(
5465           ConstantInt::get(MS.IntptrTy, AArch64VAEndOffset), VAArgOverflowSize);
5466       VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5467       VAArgTLSCopy->setAlignment(kShadowTLSAlignment);
5468       IRB.CreateMemSet(VAArgTLSCopy, Constant::getNullValue(IRB.getInt8Ty()),
5469                        CopySize, kShadowTLSAlignment, false);
5470 
5471       Value *SrcSize = IRB.CreateBinaryIntrinsic(
5472           Intrinsic::umin, CopySize,
5473           ConstantInt::get(MS.IntptrTy, kParamTLSSize));
5474       IRB.CreateMemCpy(VAArgTLSCopy, kShadowTLSAlignment, MS.VAArgTLS,
5475                        kShadowTLSAlignment, SrcSize);
5476     }
5477 
5478     Value *GrArgSize = ConstantInt::get(MS.IntptrTy, kAArch64GrArgSize);
5479     Value *VrArgSize = ConstantInt::get(MS.IntptrTy, kAArch64VrArgSize);
5480 
5481     // Instrument va_start, copy va_list shadow from the backup copy of
5482     // the TLS contents.
5483     for (CallInst *OrigInst : VAStartInstrumentationList) {
5484       NextNodeIRBuilder IRB(OrigInst);
5485 
5486       Value *VAListTag = OrigInst->getArgOperand(0);
5487 
5488       // The variadic ABI for AArch64 creates two areas to save the incoming
5489       // argument registers (one for 64-bit general register xn-x7 and another
5490       // for 128-bit FP/SIMD vn-v7).
5491       // We need then to propagate the shadow arguments on both regions
5492       // 'va::__gr_top + va::__gr_offs' and 'va::__vr_top + va::__vr_offs'.
5493       // The remaining arguments are saved on shadow for 'va::stack'.
5494       // One caveat is it requires only to propagate the non-named arguments,
5495       // however on the call site instrumentation 'all' the arguments are
5496       // saved. So to copy the shadow values from the va_arg TLS array
5497       // we need to adjust the offset for both GR and VR fields based on
5498       // the __{gr,vr}_offs value (since they are stores based on incoming
5499       // named arguments).
5500       Type *RegSaveAreaPtrTy = IRB.getPtrTy();
5501 
5502       // Read the stack pointer from the va_list.
5503       Value *StackSaveAreaPtr =
5504           IRB.CreateIntToPtr(getVAField64(IRB, VAListTag, 0), RegSaveAreaPtrTy);
5505 
5506       // Read both the __gr_top and __gr_off and add them up.
5507       Value *GrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 8);
5508       Value *GrOffSaveArea = getVAField32(IRB, VAListTag, 24);
5509 
5510       Value *GrRegSaveAreaPtr = IRB.CreateIntToPtr(
5511           IRB.CreateAdd(GrTopSaveAreaPtr, GrOffSaveArea), RegSaveAreaPtrTy);
5512 
5513       // Read both the __vr_top and __vr_off and add them up.
5514       Value *VrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 16);
5515       Value *VrOffSaveArea = getVAField32(IRB, VAListTag, 28);
5516 
5517       Value *VrRegSaveAreaPtr = IRB.CreateIntToPtr(
5518           IRB.CreateAdd(VrTopSaveAreaPtr, VrOffSaveArea), RegSaveAreaPtrTy);
5519 
5520       // It does not know how many named arguments is being used and, on the
5521       // callsite all the arguments were saved.  Since __gr_off is defined as
5522       // '0 - ((8 - named_gr) * 8)', the idea is to just propagate the variadic
5523       // argument by ignoring the bytes of shadow from named arguments.
5524       Value *GrRegSaveAreaShadowPtrOff =
5525           IRB.CreateAdd(GrArgSize, GrOffSaveArea);
5526 
5527       Value *GrRegSaveAreaShadowPtr =
5528           MSV.getShadowOriginPtr(GrRegSaveAreaPtr, IRB, IRB.getInt8Ty(),
5529                                  Align(8), /*isStore*/ true)
5530               .first;
5531 
5532       Value *GrSrcPtr =
5533           IRB.CreateInBoundsPtrAdd(VAArgTLSCopy, GrRegSaveAreaShadowPtrOff);
5534       Value *GrCopySize = IRB.CreateSub(GrArgSize, GrRegSaveAreaShadowPtrOff);
5535 
5536       IRB.CreateMemCpy(GrRegSaveAreaShadowPtr, Align(8), GrSrcPtr, Align(8),
5537                        GrCopySize);
5538 
5539       // Again, but for FP/SIMD values.
5540       Value *VrRegSaveAreaShadowPtrOff =
5541           IRB.CreateAdd(VrArgSize, VrOffSaveArea);
5542 
5543       Value *VrRegSaveAreaShadowPtr =
5544           MSV.getShadowOriginPtr(VrRegSaveAreaPtr, IRB, IRB.getInt8Ty(),
5545                                  Align(8), /*isStore*/ true)
5546               .first;
5547 
5548       Value *VrSrcPtr = IRB.CreateInBoundsPtrAdd(
5549           IRB.CreateInBoundsPtrAdd(VAArgTLSCopy,
5550                                    IRB.getInt32(AArch64VrBegOffset)),
5551           VrRegSaveAreaShadowPtrOff);
5552       Value *VrCopySize = IRB.CreateSub(VrArgSize, VrRegSaveAreaShadowPtrOff);
5553 
5554       IRB.CreateMemCpy(VrRegSaveAreaShadowPtr, Align(8), VrSrcPtr, Align(8),
5555                        VrCopySize);
5556 
5557       // And finally for remaining arguments.
5558       Value *StackSaveAreaShadowPtr =
5559           MSV.getShadowOriginPtr(StackSaveAreaPtr, IRB, IRB.getInt8Ty(),
5560                                  Align(16), /*isStore*/ true)
5561               .first;
5562 
5563       Value *StackSrcPtr = IRB.CreateInBoundsPtrAdd(
5564           VAArgTLSCopy, IRB.getInt32(AArch64VAEndOffset));
5565 
5566       IRB.CreateMemCpy(StackSaveAreaShadowPtr, Align(16), StackSrcPtr,
5567                        Align(16), VAArgOverflowSize);
5568     }
5569   }
5570 };
5571 
5572 /// PowerPC64-specific implementation of VarArgHelper.
5573 struct VarArgPowerPC64Helper : public VarArgHelperBase {
5574   AllocaInst *VAArgTLSCopy = nullptr;
5575   Value *VAArgSize = nullptr;
5576 
VarArgPowerPC64Helper__anonb346f5430811::VarArgPowerPC64Helper5577   VarArgPowerPC64Helper(Function &F, MemorySanitizer &MS,
5578                         MemorySanitizerVisitor &MSV)
5579       : VarArgHelperBase(F, MS, MSV, /*VAListTagSize=*/8) {}
5580 
visitCallBase__anonb346f5430811::VarArgPowerPC64Helper5581   void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
5582     // For PowerPC, we need to deal with alignment of stack arguments -
5583     // they are mostly aligned to 8 bytes, but vectors and i128 arrays
5584     // are aligned to 16 bytes, byvals can be aligned to 8 or 16 bytes,
5585     // For that reason, we compute current offset from stack pointer (which is
5586     // always properly aligned), and offset for the first vararg, then subtract
5587     // them.
5588     unsigned VAArgBase;
5589     Triple TargetTriple(F.getParent()->getTargetTriple());
5590     // Parameter save area starts at 48 bytes from frame pointer for ABIv1,
5591     // and 32 bytes for ABIv2.  This is usually determined by target
5592     // endianness, but in theory could be overridden by function attribute.
5593     if (TargetTriple.getArch() == Triple::ppc64)
5594       VAArgBase = 48;
5595     else
5596       VAArgBase = 32;
5597     unsigned VAArgOffset = VAArgBase;
5598     const DataLayout &DL = F.getDataLayout();
5599     for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) {
5600       bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
5601       bool IsByVal = CB.paramHasAttr(ArgNo, Attribute::ByVal);
5602       if (IsByVal) {
5603         assert(A->getType()->isPointerTy());
5604         Type *RealTy = CB.getParamByValType(ArgNo);
5605         uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
5606         Align ArgAlign = CB.getParamAlign(ArgNo).value_or(Align(8));
5607         if (ArgAlign < 8)
5608           ArgAlign = Align(8);
5609         VAArgOffset = alignTo(VAArgOffset, ArgAlign);
5610         if (!IsFixed) {
5611           Value *Base = getShadowPtrForVAArgument(
5612               RealTy, IRB, VAArgOffset - VAArgBase, ArgSize);
5613           if (Base) {
5614             Value *AShadowPtr, *AOriginPtr;
5615             std::tie(AShadowPtr, AOriginPtr) =
5616                 MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(),
5617                                        kShadowTLSAlignment, /*isStore*/ false);
5618 
5619             IRB.CreateMemCpy(Base, kShadowTLSAlignment, AShadowPtr,
5620                              kShadowTLSAlignment, ArgSize);
5621           }
5622         }
5623         VAArgOffset += alignTo(ArgSize, Align(8));
5624       } else {
5625         Value *Base;
5626         uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
5627         Align ArgAlign = Align(8);
5628         if (A->getType()->isArrayTy()) {
5629           // Arrays are aligned to element size, except for long double
5630           // arrays, which are aligned to 8 bytes.
5631           Type *ElementTy = A->getType()->getArrayElementType();
5632           if (!ElementTy->isPPC_FP128Ty())
5633             ArgAlign = Align(DL.getTypeAllocSize(ElementTy));
5634         } else if (A->getType()->isVectorTy()) {
5635           // Vectors are naturally aligned.
5636           ArgAlign = Align(ArgSize);
5637         }
5638         if (ArgAlign < 8)
5639           ArgAlign = Align(8);
5640         VAArgOffset = alignTo(VAArgOffset, ArgAlign);
5641         if (DL.isBigEndian()) {
5642           // Adjusting the shadow for argument with size < 8 to match the
5643           // placement of bits in big endian system
5644           if (ArgSize < 8)
5645             VAArgOffset += (8 - ArgSize);
5646         }
5647         if (!IsFixed) {
5648           Base = getShadowPtrForVAArgument(A->getType(), IRB,
5649                                            VAArgOffset - VAArgBase, ArgSize);
5650           if (Base)
5651             IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
5652         }
5653         VAArgOffset += ArgSize;
5654         VAArgOffset = alignTo(VAArgOffset, Align(8));
5655       }
5656       if (IsFixed)
5657         VAArgBase = VAArgOffset;
5658     }
5659 
5660     Constant *TotalVAArgSize =
5661         ConstantInt::get(IRB.getInt64Ty(), VAArgOffset - VAArgBase);
5662     // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of
5663     // a new class member i.e. it is the total size of all VarArgs.
5664     IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
5665   }
5666 
finalizeInstrumentation__anonb346f5430811::VarArgPowerPC64Helper5667   void finalizeInstrumentation() override {
5668     assert(!VAArgSize && !VAArgTLSCopy &&
5669            "finalizeInstrumentation called twice");
5670     IRBuilder<> IRB(MSV.FnPrologueEnd);
5671     VAArgSize = IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
5672     Value *CopySize =
5673         IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, 0), VAArgSize);
5674 
5675     if (!VAStartInstrumentationList.empty()) {
5676       // If there is a va_start in this function, make a backup copy of
5677       // va_arg_tls somewhere in the function entry block.
5678 
5679       VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5680       VAArgTLSCopy->setAlignment(kShadowTLSAlignment);
5681       IRB.CreateMemSet(VAArgTLSCopy, Constant::getNullValue(IRB.getInt8Ty()),
5682                        CopySize, kShadowTLSAlignment, false);
5683 
5684       Value *SrcSize = IRB.CreateBinaryIntrinsic(
5685           Intrinsic::umin, CopySize,
5686           ConstantInt::get(MS.IntptrTy, kParamTLSSize));
5687       IRB.CreateMemCpy(VAArgTLSCopy, kShadowTLSAlignment, MS.VAArgTLS,
5688                        kShadowTLSAlignment, SrcSize);
5689     }
5690 
5691     // Instrument va_start.
5692     // Copy va_list shadow from the backup copy of the TLS contents.
5693     for (CallInst *OrigInst : VAStartInstrumentationList) {
5694       NextNodeIRBuilder IRB(OrigInst);
5695       Value *VAListTag = OrigInst->getArgOperand(0);
5696       Type *RegSaveAreaPtrTy = PointerType::getUnqual(*MS.C); // i64*
5697       Value *RegSaveAreaPtrPtr =
5698           IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5699                              PointerType::get(RegSaveAreaPtrTy, 0));
5700       Value *RegSaveAreaPtr =
5701           IRB.CreateLoad(RegSaveAreaPtrTy, RegSaveAreaPtrPtr);
5702       Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
5703       const Align Alignment = Align(8);
5704       std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
5705           MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
5706                                  Alignment, /*isStore*/ true);
5707       IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
5708                        CopySize);
5709     }
5710   }
5711 };
5712 
5713 /// SystemZ-specific implementation of VarArgHelper.
5714 struct VarArgSystemZHelper : public VarArgHelperBase {
5715   static const unsigned SystemZGpOffset = 16;
5716   static const unsigned SystemZGpEndOffset = 56;
5717   static const unsigned SystemZFpOffset = 128;
5718   static const unsigned SystemZFpEndOffset = 160;
5719   static const unsigned SystemZMaxVrArgs = 8;
5720   static const unsigned SystemZRegSaveAreaSize = 160;
5721   static const unsigned SystemZOverflowOffset = 160;
5722   static const unsigned SystemZVAListTagSize = 32;
5723   static const unsigned SystemZOverflowArgAreaPtrOffset = 16;
5724   static const unsigned SystemZRegSaveAreaPtrOffset = 24;
5725 
5726   bool IsSoftFloatABI;
5727   AllocaInst *VAArgTLSCopy = nullptr;
5728   AllocaInst *VAArgTLSOriginCopy = nullptr;
5729   Value *VAArgOverflowSize = nullptr;
5730 
5731   enum class ArgKind {
5732     GeneralPurpose,
5733     FloatingPoint,
5734     Vector,
5735     Memory,
5736     Indirect,
5737   };
5738 
5739   enum class ShadowExtension { None, Zero, Sign };
5740 
VarArgSystemZHelper__anonb346f5430811::VarArgSystemZHelper5741   VarArgSystemZHelper(Function &F, MemorySanitizer &MS,
5742                       MemorySanitizerVisitor &MSV)
5743       : VarArgHelperBase(F, MS, MSV, SystemZVAListTagSize),
5744         IsSoftFloatABI(F.getFnAttribute("use-soft-float").getValueAsBool()) {}
5745 
classifyArgument__anonb346f5430811::VarArgSystemZHelper5746   ArgKind classifyArgument(Type *T) {
5747     // T is a SystemZABIInfo::classifyArgumentType() output, and there are
5748     // only a few possibilities of what it can be. In particular, enums, single
5749     // element structs and large types have already been taken care of.
5750 
5751     // Some i128 and fp128 arguments are converted to pointers only in the
5752     // back end.
5753     if (T->isIntegerTy(128) || T->isFP128Ty())
5754       return ArgKind::Indirect;
5755     if (T->isFloatingPointTy())
5756       return IsSoftFloatABI ? ArgKind::GeneralPurpose : ArgKind::FloatingPoint;
5757     if (T->isIntegerTy() || T->isPointerTy())
5758       return ArgKind::GeneralPurpose;
5759     if (T->isVectorTy())
5760       return ArgKind::Vector;
5761     return ArgKind::Memory;
5762   }
5763 
getShadowExtension__anonb346f5430811::VarArgSystemZHelper5764   ShadowExtension getShadowExtension(const CallBase &CB, unsigned ArgNo) {
5765     // ABI says: "One of the simple integer types no more than 64 bits wide.
5766     // ... If such an argument is shorter than 64 bits, replace it by a full
5767     // 64-bit integer representing the same number, using sign or zero
5768     // extension". Shadow for an integer argument has the same type as the
5769     // argument itself, so it can be sign or zero extended as well.
5770     bool ZExt = CB.paramHasAttr(ArgNo, Attribute::ZExt);
5771     bool SExt = CB.paramHasAttr(ArgNo, Attribute::SExt);
5772     if (ZExt) {
5773       assert(!SExt);
5774       return ShadowExtension::Zero;
5775     }
5776     if (SExt) {
5777       assert(!ZExt);
5778       return ShadowExtension::Sign;
5779     }
5780     return ShadowExtension::None;
5781   }
5782 
visitCallBase__anonb346f5430811::VarArgSystemZHelper5783   void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
5784     unsigned GpOffset = SystemZGpOffset;
5785     unsigned FpOffset = SystemZFpOffset;
5786     unsigned VrIndex = 0;
5787     unsigned OverflowOffset = SystemZOverflowOffset;
5788     const DataLayout &DL = F.getDataLayout();
5789     for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) {
5790       bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
5791       // SystemZABIInfo does not produce ByVal parameters.
5792       assert(!CB.paramHasAttr(ArgNo, Attribute::ByVal));
5793       Type *T = A->getType();
5794       ArgKind AK = classifyArgument(T);
5795       if (AK == ArgKind::Indirect) {
5796         T = PointerType::get(T, 0);
5797         AK = ArgKind::GeneralPurpose;
5798       }
5799       if (AK == ArgKind::GeneralPurpose && GpOffset >= SystemZGpEndOffset)
5800         AK = ArgKind::Memory;
5801       if (AK == ArgKind::FloatingPoint && FpOffset >= SystemZFpEndOffset)
5802         AK = ArgKind::Memory;
5803       if (AK == ArgKind::Vector && (VrIndex >= SystemZMaxVrArgs || !IsFixed))
5804         AK = ArgKind::Memory;
5805       Value *ShadowBase = nullptr;
5806       Value *OriginBase = nullptr;
5807       ShadowExtension SE = ShadowExtension::None;
5808       switch (AK) {
5809       case ArgKind::GeneralPurpose: {
5810         // Always keep track of GpOffset, but store shadow only for varargs.
5811         uint64_t ArgSize = 8;
5812         if (GpOffset + ArgSize <= kParamTLSSize) {
5813           if (!IsFixed) {
5814             SE = getShadowExtension(CB, ArgNo);
5815             uint64_t GapSize = 0;
5816             if (SE == ShadowExtension::None) {
5817               uint64_t ArgAllocSize = DL.getTypeAllocSize(T);
5818               assert(ArgAllocSize <= ArgSize);
5819               GapSize = ArgSize - ArgAllocSize;
5820             }
5821             ShadowBase = getShadowAddrForVAArgument(IRB, GpOffset + GapSize);
5822             if (MS.TrackOrigins)
5823               OriginBase = getOriginPtrForVAArgument(IRB, GpOffset + GapSize);
5824           }
5825           GpOffset += ArgSize;
5826         } else {
5827           GpOffset = kParamTLSSize;
5828         }
5829         break;
5830       }
5831       case ArgKind::FloatingPoint: {
5832         // Always keep track of FpOffset, but store shadow only for varargs.
5833         uint64_t ArgSize = 8;
5834         if (FpOffset + ArgSize <= kParamTLSSize) {
5835           if (!IsFixed) {
5836             // PoP says: "A short floating-point datum requires only the
5837             // left-most 32 bit positions of a floating-point register".
5838             // Therefore, in contrast to AK_GeneralPurpose and AK_Memory,
5839             // don't extend shadow and don't mind the gap.
5840             ShadowBase = getShadowAddrForVAArgument(IRB, FpOffset);
5841             if (MS.TrackOrigins)
5842               OriginBase = getOriginPtrForVAArgument(IRB, FpOffset);
5843           }
5844           FpOffset += ArgSize;
5845         } else {
5846           FpOffset = kParamTLSSize;
5847         }
5848         break;
5849       }
5850       case ArgKind::Vector: {
5851         // Keep track of VrIndex. No need to store shadow, since vector varargs
5852         // go through AK_Memory.
5853         assert(IsFixed);
5854         VrIndex++;
5855         break;
5856       }
5857       case ArgKind::Memory: {
5858         // Keep track of OverflowOffset and store shadow only for varargs.
5859         // Ignore fixed args, since we need to copy only the vararg portion of
5860         // the overflow area shadow.
5861         if (!IsFixed) {
5862           uint64_t ArgAllocSize = DL.getTypeAllocSize(T);
5863           uint64_t ArgSize = alignTo(ArgAllocSize, 8);
5864           if (OverflowOffset + ArgSize <= kParamTLSSize) {
5865             SE = getShadowExtension(CB, ArgNo);
5866             uint64_t GapSize =
5867                 SE == ShadowExtension::None ? ArgSize - ArgAllocSize : 0;
5868             ShadowBase =
5869                 getShadowAddrForVAArgument(IRB, OverflowOffset + GapSize);
5870             if (MS.TrackOrigins)
5871               OriginBase =
5872                   getOriginPtrForVAArgument(IRB, OverflowOffset + GapSize);
5873             OverflowOffset += ArgSize;
5874           } else {
5875             OverflowOffset = kParamTLSSize;
5876           }
5877         }
5878         break;
5879       }
5880       case ArgKind::Indirect:
5881         llvm_unreachable("Indirect must be converted to GeneralPurpose");
5882       }
5883       if (ShadowBase == nullptr)
5884         continue;
5885       Value *Shadow = MSV.getShadow(A);
5886       if (SE != ShadowExtension::None)
5887         Shadow = MSV.CreateShadowCast(IRB, Shadow, IRB.getInt64Ty(),
5888                                       /*Signed*/ SE == ShadowExtension::Sign);
5889       ShadowBase = IRB.CreateIntToPtr(
5890           ShadowBase, PointerType::get(Shadow->getType(), 0), "_msarg_va_s");
5891       IRB.CreateStore(Shadow, ShadowBase);
5892       if (MS.TrackOrigins) {
5893         Value *Origin = MSV.getOrigin(A);
5894         TypeSize StoreSize = DL.getTypeStoreSize(Shadow->getType());
5895         MSV.paintOrigin(IRB, Origin, OriginBase, StoreSize,
5896                         kMinOriginAlignment);
5897       }
5898     }
5899     Constant *OverflowSize = ConstantInt::get(
5900         IRB.getInt64Ty(), OverflowOffset - SystemZOverflowOffset);
5901     IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
5902   }
5903 
copyRegSaveArea__anonb346f5430811::VarArgSystemZHelper5904   void copyRegSaveArea(IRBuilder<> &IRB, Value *VAListTag) {
5905     Type *RegSaveAreaPtrTy = PointerType::getUnqual(*MS.C); // i64*
5906     Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr(
5907         IRB.CreateAdd(
5908             IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5909             ConstantInt::get(MS.IntptrTy, SystemZRegSaveAreaPtrOffset)),
5910         PointerType::get(RegSaveAreaPtrTy, 0));
5911     Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrTy, RegSaveAreaPtrPtr);
5912     Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
5913     const Align Alignment = Align(8);
5914     std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
5915         MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(), Alignment,
5916                                /*isStore*/ true);
5917     // TODO(iii): copy only fragments filled by visitCallBase()
5918     // TODO(iii): support packed-stack && !use-soft-float
5919     // For use-soft-float functions, it is enough to copy just the GPRs.
5920     unsigned RegSaveAreaSize =
5921         IsSoftFloatABI ? SystemZGpEndOffset : SystemZRegSaveAreaSize;
5922     IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
5923                      RegSaveAreaSize);
5924     if (MS.TrackOrigins)
5925       IRB.CreateMemCpy(RegSaveAreaOriginPtr, Alignment, VAArgTLSOriginCopy,
5926                        Alignment, RegSaveAreaSize);
5927   }
5928 
5929   // FIXME: This implementation limits OverflowOffset to kParamTLSSize, so we
5930   // don't know real overflow size and can't clear shadow beyond kParamTLSSize.
copyOverflowArea__anonb346f5430811::VarArgSystemZHelper5931   void copyOverflowArea(IRBuilder<> &IRB, Value *VAListTag) {
5932     Type *OverflowArgAreaPtrTy = PointerType::getUnqual(*MS.C); // i64*
5933     Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr(
5934         IRB.CreateAdd(
5935             IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5936             ConstantInt::get(MS.IntptrTy, SystemZOverflowArgAreaPtrOffset)),
5937         PointerType::get(OverflowArgAreaPtrTy, 0));
5938     Value *OverflowArgAreaPtr =
5939         IRB.CreateLoad(OverflowArgAreaPtrTy, OverflowArgAreaPtrPtr);
5940     Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr;
5941     const Align Alignment = Align(8);
5942     std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) =
5943         MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(),
5944                                Alignment, /*isStore*/ true);
5945     Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy,
5946                                            SystemZOverflowOffset);
5947     IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment,
5948                      VAArgOverflowSize);
5949     if (MS.TrackOrigins) {
5950       SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSOriginCopy,
5951                                       SystemZOverflowOffset);
5952       IRB.CreateMemCpy(OverflowArgAreaOriginPtr, Alignment, SrcPtr, Alignment,
5953                        VAArgOverflowSize);
5954     }
5955   }
5956 
finalizeInstrumentation__anonb346f5430811::VarArgSystemZHelper5957   void finalizeInstrumentation() override {
5958     assert(!VAArgOverflowSize && !VAArgTLSCopy &&
5959            "finalizeInstrumentation called twice");
5960     if (!VAStartInstrumentationList.empty()) {
5961       // If there is a va_start in this function, make a backup copy of
5962       // va_arg_tls somewhere in the function entry block.
5963       IRBuilder<> IRB(MSV.FnPrologueEnd);
5964       VAArgOverflowSize =
5965           IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
5966       Value *CopySize =
5967           IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, SystemZOverflowOffset),
5968                         VAArgOverflowSize);
5969       VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5970       VAArgTLSCopy->setAlignment(kShadowTLSAlignment);
5971       IRB.CreateMemSet(VAArgTLSCopy, Constant::getNullValue(IRB.getInt8Ty()),
5972                        CopySize, kShadowTLSAlignment, false);
5973 
5974       Value *SrcSize = IRB.CreateBinaryIntrinsic(
5975           Intrinsic::umin, CopySize,
5976           ConstantInt::get(MS.IntptrTy, kParamTLSSize));
5977       IRB.CreateMemCpy(VAArgTLSCopy, kShadowTLSAlignment, MS.VAArgTLS,
5978                        kShadowTLSAlignment, SrcSize);
5979       if (MS.TrackOrigins) {
5980         VAArgTLSOriginCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5981         VAArgTLSOriginCopy->setAlignment(kShadowTLSAlignment);
5982         IRB.CreateMemCpy(VAArgTLSOriginCopy, kShadowTLSAlignment,
5983                          MS.VAArgOriginTLS, kShadowTLSAlignment, SrcSize);
5984       }
5985     }
5986 
5987     // Instrument va_start.
5988     // Copy va_list shadow from the backup copy of the TLS contents.
5989     for (CallInst *OrigInst : VAStartInstrumentationList) {
5990       NextNodeIRBuilder IRB(OrigInst);
5991       Value *VAListTag = OrigInst->getArgOperand(0);
5992       copyRegSaveArea(IRB, VAListTag);
5993       copyOverflowArea(IRB, VAListTag);
5994     }
5995   }
5996 };
5997 
5998 // Loongarch64 is not a MIPS, but the current vargs calling convention matches
5999 // the MIPS.
6000 using VarArgLoongArch64Helper = VarArgMIPS64Helper;
6001 
6002 /// A no-op implementation of VarArgHelper.
6003 struct VarArgNoOpHelper : public VarArgHelper {
VarArgNoOpHelper__anonb346f5430811::VarArgNoOpHelper6004   VarArgNoOpHelper(Function &F, MemorySanitizer &MS,
6005                    MemorySanitizerVisitor &MSV) {}
6006 
visitCallBase__anonb346f5430811::VarArgNoOpHelper6007   void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {}
6008 
visitVAStartInst__anonb346f5430811::VarArgNoOpHelper6009   void visitVAStartInst(VAStartInst &I) override {}
6010 
visitVACopyInst__anonb346f5430811::VarArgNoOpHelper6011   void visitVACopyInst(VACopyInst &I) override {}
6012 
finalizeInstrumentation__anonb346f5430811::VarArgNoOpHelper6013   void finalizeInstrumentation() override {}
6014 };
6015 
6016 } // end anonymous namespace
6017 
CreateVarArgHelper(Function & Func,MemorySanitizer & Msan,MemorySanitizerVisitor & Visitor)6018 static VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
6019                                         MemorySanitizerVisitor &Visitor) {
6020   // VarArg handling is only implemented on AMD64. False positives are possible
6021   // on other platforms.
6022   Triple TargetTriple(Func.getParent()->getTargetTriple());
6023   if (TargetTriple.getArch() == Triple::x86_64)
6024     return new VarArgAMD64Helper(Func, Msan, Visitor);
6025   else if (TargetTriple.isMIPS64())
6026     return new VarArgMIPS64Helper(Func, Msan, Visitor);
6027   else if (TargetTriple.getArch() == Triple::aarch64)
6028     return new VarArgAArch64Helper(Func, Msan, Visitor);
6029   else if (TargetTriple.getArch() == Triple::ppc64 ||
6030            TargetTriple.getArch() == Triple::ppc64le)
6031     return new VarArgPowerPC64Helper(Func, Msan, Visitor);
6032   else if (TargetTriple.getArch() == Triple::systemz)
6033     return new VarArgSystemZHelper(Func, Msan, Visitor);
6034   else if (TargetTriple.isLoongArch64())
6035     return new VarArgLoongArch64Helper(Func, Msan, Visitor);
6036   else
6037     return new VarArgNoOpHelper(Func, Msan, Visitor);
6038 }
6039 
sanitizeFunction(Function & F,TargetLibraryInfo & TLI)6040 bool MemorySanitizer::sanitizeFunction(Function &F, TargetLibraryInfo &TLI) {
6041   if (!CompileKernel && F.getName() == kMsanModuleCtorName)
6042     return false;
6043 
6044   if (F.hasFnAttribute(Attribute::DisableSanitizerInstrumentation))
6045     return false;
6046 
6047   MemorySanitizerVisitor Visitor(F, *this, TLI);
6048 
6049   // Clear out memory attributes.
6050   AttributeMask B;
6051   B.addAttribute(Attribute::Memory).addAttribute(Attribute::Speculatable);
6052   F.removeFnAttrs(B);
6053 
6054   return Visitor.runOnFunction();
6055 }
6056