1 //===- AddressSanitizer.cpp - memory error detector -----------------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file is a part of AddressSanitizer, an address sanity checker. 10 // Details of the algorithm: 11 // https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm 12 // 13 // FIXME: This sanitizer does not yet handle scalable vectors 14 // 15 //===----------------------------------------------------------------------===// 16 17 #include "llvm/Transforms/Instrumentation/AddressSanitizer.h" 18 #include "llvm/ADT/ArrayRef.h" 19 #include "llvm/ADT/DenseMap.h" 20 #include "llvm/ADT/DepthFirstIterator.h" 21 #include "llvm/ADT/SmallPtrSet.h" 22 #include "llvm/ADT/SmallVector.h" 23 #include "llvm/ADT/Statistic.h" 24 #include "llvm/ADT/StringExtras.h" 25 #include "llvm/ADT/StringRef.h" 26 #include "llvm/ADT/Triple.h" 27 #include "llvm/ADT/Twine.h" 28 #include "llvm/Analysis/MemoryBuiltins.h" 29 #include "llvm/Analysis/StackSafetyAnalysis.h" 30 #include "llvm/Analysis/TargetLibraryInfo.h" 31 #include "llvm/Analysis/ValueTracking.h" 32 #include "llvm/BinaryFormat/MachO.h" 33 #include "llvm/IR/Argument.h" 34 #include "llvm/IR/Attributes.h" 35 #include "llvm/IR/BasicBlock.h" 36 #include "llvm/IR/Comdat.h" 37 #include "llvm/IR/Constant.h" 38 #include "llvm/IR/Constants.h" 39 #include "llvm/IR/DIBuilder.h" 40 #include "llvm/IR/DataLayout.h" 41 #include "llvm/IR/DebugInfoMetadata.h" 42 #include "llvm/IR/DebugLoc.h" 43 #include "llvm/IR/DerivedTypes.h" 44 #include "llvm/IR/Dominators.h" 45 #include "llvm/IR/Function.h" 46 #include "llvm/IR/GlobalAlias.h" 47 #include "llvm/IR/GlobalValue.h" 48 #include "llvm/IR/GlobalVariable.h" 49 #include "llvm/IR/IRBuilder.h" 50 #include "llvm/IR/InlineAsm.h" 51 #include "llvm/IR/InstIterator.h" 52 #include "llvm/IR/InstVisitor.h" 53 #include "llvm/IR/InstrTypes.h" 54 #include "llvm/IR/Instruction.h" 55 #include "llvm/IR/Instructions.h" 56 #include "llvm/IR/IntrinsicInst.h" 57 #include "llvm/IR/Intrinsics.h" 58 #include "llvm/IR/LLVMContext.h" 59 #include "llvm/IR/MDBuilder.h" 60 #include "llvm/IR/Metadata.h" 61 #include "llvm/IR/Module.h" 62 #include "llvm/IR/Type.h" 63 #include "llvm/IR/Use.h" 64 #include "llvm/IR/Value.h" 65 #include "llvm/InitializePasses.h" 66 #include "llvm/MC/MCSectionMachO.h" 67 #include "llvm/Pass.h" 68 #include "llvm/Support/Casting.h" 69 #include "llvm/Support/CommandLine.h" 70 #include "llvm/Support/Debug.h" 71 #include "llvm/Support/ErrorHandling.h" 72 #include "llvm/Support/MathExtras.h" 73 #include "llvm/Support/ScopedPrinter.h" 74 #include "llvm/Support/raw_ostream.h" 75 #include "llvm/Transforms/Instrumentation.h" 76 #include "llvm/Transforms/Instrumentation/AddressSanitizerCommon.h" 77 #include "llvm/Transforms/Instrumentation/AddressSanitizerOptions.h" 78 #include "llvm/Transforms/Utils/ASanStackFrameLayout.h" 79 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 80 #include "llvm/Transforms/Utils/Local.h" 81 #include "llvm/Transforms/Utils/ModuleUtils.h" 82 #include "llvm/Transforms/Utils/PromoteMemToReg.h" 83 #include <algorithm> 84 #include <cassert> 85 #include <cstddef> 86 #include <cstdint> 87 #include <iomanip> 88 #include <limits> 89 #include <memory> 90 #include <sstream> 91 #include <string> 92 #include <tuple> 93 94 using 
namespace llvm;

#define DEBUG_TYPE "asan"

static const uint64_t kDefaultShadowScale = 3;
static const uint64_t kDefaultShadowOffset32 = 1ULL << 29;
static const uint64_t kDefaultShadowOffset64 = 1ULL << 44;
static const uint64_t kDynamicShadowSentinel =
    std::numeric_limits<uint64_t>::max();
static const uint64_t kSmallX86_64ShadowOffsetBase = 0x7FFFFFFF;  // < 2G.
static const uint64_t kSmallX86_64ShadowOffsetAlignMask = ~0xFFFULL;
static const uint64_t kLinuxKasan_ShadowOffset64 = 0xdffffc0000000000;
static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 44;
static const uint64_t kSystemZ_ShadowOffset64 = 1ULL << 52;
static const uint64_t kMIPS32_ShadowOffset32 = 0x0aaa0000;
static const uint64_t kMIPS64_ShadowOffset64 = 1ULL << 37;
static const uint64_t kAArch64_ShadowOffset64 = 1ULL << 36;
static const uint64_t kRISCV64_ShadowOffset64 = 0xd55550000;
static const uint64_t kFreeBSD_ShadowOffset32 = 1ULL << 30;
static const uint64_t kFreeBSD_ShadowOffset64 = 1ULL << 46;
static const uint64_t kFreeBSDKasan_ShadowOffset64 = 0xdffff7c000000000;
static const uint64_t kNetBSD_ShadowOffset32 = 1ULL << 30;
static const uint64_t kNetBSD_ShadowOffset64 = 1ULL << 46;
static const uint64_t kNetBSDKasan_ShadowOffset64 = 0xdfff900000000000;
static const uint64_t kPS4CPU_ShadowOffset64 = 1ULL << 40;
static const uint64_t kWindowsShadowOffset32 = 3ULL << 28;
static const uint64_t kEmscriptenShadowOffset = 0;

// The shadow memory space is dynamically allocated.
static const uint64_t kWindowsShadowOffset64 = kDynamicShadowSentinel;

static const size_t kMinStackMallocSize = 1 << 6;   // 64B
static const size_t kMaxStackMallocSize = 1 << 16;  // 64K
static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3;
static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E;

const char kAsanModuleCtorName[] = "asan.module_ctor";
const char kAsanModuleDtorName[] = "asan.module_dtor";
static const uint64_t kAsanCtorAndDtorPriority = 1;
// On Emscripten, the system needs more than one priority for constructors.
134 static const uint64_t kAsanEmscriptenCtorAndDtorPriority = 50; 135 const char kAsanReportErrorTemplate[] = "__asan_report_"; 136 const char kAsanRegisterGlobalsName[] = "__asan_register_globals"; 137 const char kAsanUnregisterGlobalsName[] = "__asan_unregister_globals"; 138 const char kAsanRegisterImageGlobalsName[] = "__asan_register_image_globals"; 139 const char kAsanUnregisterImageGlobalsName[] = 140 "__asan_unregister_image_globals"; 141 const char kAsanRegisterElfGlobalsName[] = "__asan_register_elf_globals"; 142 const char kAsanUnregisterElfGlobalsName[] = "__asan_unregister_elf_globals"; 143 const char kAsanPoisonGlobalsName[] = "__asan_before_dynamic_init"; 144 const char kAsanUnpoisonGlobalsName[] = "__asan_after_dynamic_init"; 145 const char kAsanInitName[] = "__asan_init"; 146 const char kAsanVersionCheckNamePrefix[] = "__asan_version_mismatch_check_v"; 147 const char kAsanPtrCmp[] = "__sanitizer_ptr_cmp"; 148 const char kAsanPtrSub[] = "__sanitizer_ptr_sub"; 149 const char kAsanHandleNoReturnName[] = "__asan_handle_no_return"; 150 static const int kMaxAsanStackMallocSizeClass = 10; 151 const char kAsanStackMallocNameTemplate[] = "__asan_stack_malloc_"; 152 const char kAsanStackMallocAlwaysNameTemplate[] = 153 "__asan_stack_malloc_always_"; 154 const char kAsanStackFreeNameTemplate[] = "__asan_stack_free_"; 155 const char kAsanGenPrefix[] = "___asan_gen_"; 156 const char kODRGenPrefix[] = "__odr_asan_gen_"; 157 const char kSanCovGenPrefix[] = "__sancov_gen_"; 158 const char kAsanSetShadowPrefix[] = "__asan_set_shadow_"; 159 const char kAsanPoisonStackMemoryName[] = "__asan_poison_stack_memory"; 160 const char kAsanUnpoisonStackMemoryName[] = "__asan_unpoison_stack_memory"; 161 162 // ASan version script has __asan_* wildcard. Triple underscore prevents a 163 // linker (gold) warning about attempting to export a local symbol. 164 const char kAsanGlobalsRegisteredFlagName[] = "___asan_globals_registered"; 165 166 const char kAsanOptionDetectUseAfterReturn[] = 167 "__asan_option_detect_stack_use_after_return"; 168 169 const char kAsanShadowMemoryDynamicAddress[] = 170 "__asan_shadow_memory_dynamic_address"; 171 172 const char kAsanAllocaPoison[] = "__asan_alloca_poison"; 173 const char kAsanAllocasUnpoison[] = "__asan_allocas_unpoison"; 174 175 const char kAMDGPUAddressSharedName[] = "llvm.amdgcn.is.shared"; 176 const char kAMDGPUAddressPrivateName[] = "llvm.amdgcn.is.private"; 177 178 // Accesses sizes are powers of two: 1, 2, 4, 8, 16. 179 static const size_t kNumberOfAccessSizes = 5; 180 181 static const uint64_t kAllocaRzSize = 32; 182 183 // ASanAccessInfo implementation constants. 184 constexpr size_t kCompileKernelShift = 0; 185 constexpr size_t kCompileKernelMask = 0x1; 186 constexpr size_t kAccessSizeIndexShift = 1; 187 constexpr size_t kAccessSizeIndexMask = 0xf; 188 constexpr size_t kIsWriteShift = 5; 189 constexpr size_t kIsWriteMask = 0x1; 190 191 // Command-line flags. 192 193 static cl::opt<bool> ClEnableKasan( 194 "asan-kernel", cl::desc("Enable KernelAddressSanitizer instrumentation"), 195 cl::Hidden, cl::init(false)); 196 197 static cl::opt<bool> ClRecover( 198 "asan-recover", 199 cl::desc("Enable recovery mode (continue-after-error)."), 200 cl::Hidden, cl::init(false)); 201 202 static cl::opt<bool> ClInsertVersionCheck( 203 "asan-guard-against-version-mismatch", 204 cl::desc("Guard against compiler/runtime version mismatch."), 205 cl::Hidden, cl::init(true)); 206 207 // This flag may need to be replaced with -f[no-]asan-reads. 
static cl::opt<bool> ClInstrumentReads("asan-instrument-reads",
                                       cl::desc("instrument read instructions"),
                                       cl::Hidden, cl::init(true));

static cl::opt<bool> ClInstrumentWrites(
    "asan-instrument-writes", cl::desc("instrument write instructions"),
    cl::Hidden, cl::init(true));

static cl::opt<bool>
    ClUseStackSafety("asan-use-stack-safety", cl::Hidden, cl::init(false),
                     cl::desc("Use Stack Safety analysis results"),
                     cl::Optional);

static cl::opt<bool> ClInstrumentAtomics(
    "asan-instrument-atomics",
    cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden,
    cl::init(true));

static cl::opt<bool>
    ClInstrumentByval("asan-instrument-byval",
                      cl::desc("instrument byval call arguments"), cl::Hidden,
                      cl::init(true));

static cl::opt<bool> ClAlwaysSlowPath(
    "asan-always-slow-path",
    cl::desc("use instrumentation with slow path for all accesses"), cl::Hidden,
    cl::init(false));

static cl::opt<bool> ClForceDynamicShadow(
    "asan-force-dynamic-shadow",
    cl::desc("Load shadow address into a local variable for each function"),
    cl::Hidden, cl::init(false));

static cl::opt<bool>
    ClWithIfunc("asan-with-ifunc",
                cl::desc("Access dynamic shadow through an ifunc global on "
                         "platforms that support this"),
                cl::Hidden, cl::init(true));

static cl::opt<bool> ClWithIfuncSuppressRemat(
    "asan-with-ifunc-suppress-remat",
    cl::desc("Suppress rematerialization of dynamic shadow address by passing "
             "it through inline asm in prologue."),
    cl::Hidden, cl::init(true));

// This flag limits the number of instructions to be instrumented
// in any given BB. Normally, this should be set to unlimited (INT_MAX),
// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporarily
// set it to 10000.
static cl::opt<int> ClMaxInsnsToInstrumentPerBB(
    "asan-max-ins-per-bb", cl::init(10000),
    cl::desc("maximal number of instructions to instrument in any given BB"),
    cl::Hidden);

// This flag may need to be replaced with -f[no]asan-stack.
263 static cl::opt<bool> ClStack("asan-stack", cl::desc("Handle stack memory"), 264 cl::Hidden, cl::init(true)); 265 static cl::opt<uint32_t> ClMaxInlinePoisoningSize( 266 "asan-max-inline-poisoning-size", 267 cl::desc( 268 "Inline shadow poisoning for blocks up to the given size in bytes."), 269 cl::Hidden, cl::init(64)); 270 271 static cl::opt<AsanDetectStackUseAfterReturnMode> ClUseAfterReturn( 272 "asan-use-after-return", 273 cl::desc("Sets the mode of detection for stack-use-after-return."), 274 cl::values( 275 clEnumValN(AsanDetectStackUseAfterReturnMode::Never, "never", 276 "Never detect stack use after return."), 277 clEnumValN( 278 AsanDetectStackUseAfterReturnMode::Runtime, "runtime", 279 "Detect stack use after return if " 280 "binary flag 'ASAN_OPTIONS=detect_stack_use_after_return' is set."), 281 clEnumValN(AsanDetectStackUseAfterReturnMode::Always, "always", 282 "Always detect stack use after return.")), 283 cl::Hidden, cl::init(AsanDetectStackUseAfterReturnMode::Runtime)); 284 285 static cl::opt<bool> ClRedzoneByvalArgs("asan-redzone-byval-args", 286 cl::desc("Create redzones for byval " 287 "arguments (extra copy " 288 "required)"), cl::Hidden, 289 cl::init(true)); 290 291 static cl::opt<bool> ClUseAfterScope("asan-use-after-scope", 292 cl::desc("Check stack-use-after-scope"), 293 cl::Hidden, cl::init(false)); 294 295 // This flag may need to be replaced with -f[no]asan-globals. 296 static cl::opt<bool> ClGlobals("asan-globals", 297 cl::desc("Handle global objects"), cl::Hidden, 298 cl::init(true)); 299 300 static cl::opt<bool> ClInitializers("asan-initialization-order", 301 cl::desc("Handle C++ initializer order"), 302 cl::Hidden, cl::init(true)); 303 304 static cl::opt<bool> ClInvalidPointerPairs( 305 "asan-detect-invalid-pointer-pair", 306 cl::desc("Instrument <, <=, >, >=, - with pointer operands"), cl::Hidden, 307 cl::init(false)); 308 309 static cl::opt<bool> ClInvalidPointerCmp( 310 "asan-detect-invalid-pointer-cmp", 311 cl::desc("Instrument <, <=, >, >= with pointer operands"), cl::Hidden, 312 cl::init(false)); 313 314 static cl::opt<bool> ClInvalidPointerSub( 315 "asan-detect-invalid-pointer-sub", 316 cl::desc("Instrument - operations with pointer operands"), cl::Hidden, 317 cl::init(false)); 318 319 static cl::opt<unsigned> ClRealignStack( 320 "asan-realign-stack", 321 cl::desc("Realign stack to the value of this flag (power of two)"), 322 cl::Hidden, cl::init(32)); 323 324 static cl::opt<int> ClInstrumentationWithCallsThreshold( 325 "asan-instrumentation-with-call-threshold", 326 cl::desc( 327 "If the function being instrumented contains more than " 328 "this number of memory accesses, use callbacks instead of " 329 "inline checks (-1 means never use callbacks)."), 330 cl::Hidden, cl::init(7000)); 331 332 static cl::opt<std::string> ClMemoryAccessCallbackPrefix( 333 "asan-memory-access-callback-prefix", 334 cl::desc("Prefix for memory access callbacks"), cl::Hidden, 335 cl::init("__asan_")); 336 337 static cl::opt<bool> 338 ClInstrumentDynamicAllocas("asan-instrument-dynamic-allocas", 339 cl::desc("instrument dynamic allocas"), 340 cl::Hidden, cl::init(true)); 341 342 static cl::opt<bool> ClSkipPromotableAllocas( 343 "asan-skip-promotable-allocas", 344 cl::desc("Do not instrument promotable allocas"), cl::Hidden, 345 cl::init(true)); 346 347 // These flags allow to change the shadow mapping. 
348 // The shadow mapping looks like 349 // Shadow = (Mem >> scale) + offset 350 351 static cl::opt<int> ClMappingScale("asan-mapping-scale", 352 cl::desc("scale of asan shadow mapping"), 353 cl::Hidden, cl::init(0)); 354 355 static cl::opt<uint64_t> 356 ClMappingOffset("asan-mapping-offset", 357 cl::desc("offset of asan shadow mapping [EXPERIMENTAL]"), 358 cl::Hidden, cl::init(0)); 359 360 // Optimization flags. Not user visible, used mostly for testing 361 // and benchmarking the tool. 362 363 static cl::opt<bool> ClOpt("asan-opt", cl::desc("Optimize instrumentation"), 364 cl::Hidden, cl::init(true)); 365 366 static cl::opt<bool> ClOptimizeCallbacks("asan-optimize-callbacks", 367 cl::desc("Optimize callbacks"), 368 cl::Hidden, cl::init(false)); 369 370 static cl::opt<bool> ClOptSameTemp( 371 "asan-opt-same-temp", cl::desc("Instrument the same temp just once"), 372 cl::Hidden, cl::init(true)); 373 374 static cl::opt<bool> ClOptGlobals("asan-opt-globals", 375 cl::desc("Don't instrument scalar globals"), 376 cl::Hidden, cl::init(true)); 377 378 static cl::opt<bool> ClOptStack( 379 "asan-opt-stack", cl::desc("Don't instrument scalar stack variables"), 380 cl::Hidden, cl::init(false)); 381 382 static cl::opt<bool> ClDynamicAllocaStack( 383 "asan-stack-dynamic-alloca", 384 cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden, 385 cl::init(true)); 386 387 static cl::opt<uint32_t> ClForceExperiment( 388 "asan-force-experiment", 389 cl::desc("Force optimization experiment (for testing)"), cl::Hidden, 390 cl::init(0)); 391 392 static cl::opt<bool> 393 ClUsePrivateAlias("asan-use-private-alias", 394 cl::desc("Use private aliases for global variables"), 395 cl::Hidden, cl::init(false)); 396 397 static cl::opt<bool> 398 ClUseOdrIndicator("asan-use-odr-indicator", 399 cl::desc("Use odr indicators to improve ODR reporting"), 400 cl::Hidden, cl::init(false)); 401 402 static cl::opt<bool> 403 ClUseGlobalsGC("asan-globals-live-support", 404 cl::desc("Use linker features to support dead " 405 "code stripping of globals"), 406 cl::Hidden, cl::init(true)); 407 408 // This is on by default even though there is a bug in gold: 409 // https://sourceware.org/bugzilla/show_bug.cgi?id=19002 410 static cl::opt<bool> 411 ClWithComdat("asan-with-comdat", 412 cl::desc("Place ASan constructors in comdat sections"), 413 cl::Hidden, cl::init(true)); 414 415 static cl::opt<AsanDtorKind> ClOverrideDestructorKind( 416 "asan-destructor-kind", 417 cl::desc("Sets the ASan destructor kind. The default is to use the value " 418 "provided to the pass constructor"), 419 cl::values(clEnumValN(AsanDtorKind::None, "none", "No destructors"), 420 clEnumValN(AsanDtorKind::Global, "global", 421 "Use global destructors")), 422 cl::init(AsanDtorKind::Invalid), cl::Hidden); 423 424 // Debug flags. 
425 426 static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 427 cl::init(0)); 428 429 static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 430 cl::Hidden, cl::init(0)); 431 432 static cl::opt<std::string> ClDebugFunc("asan-debug-func", cl::Hidden, 433 cl::desc("Debug func")); 434 435 static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 436 cl::Hidden, cl::init(-1)); 437 438 static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug max inst"), 439 cl::Hidden, cl::init(-1)); 440 441 STATISTIC(NumInstrumentedReads, "Number of instrumented reads"); 442 STATISTIC(NumInstrumentedWrites, "Number of instrumented writes"); 443 STATISTIC(NumOptimizedAccessesToGlobalVar, 444 "Number of optimized accesses to global vars"); 445 STATISTIC(NumOptimizedAccessesToStackVar, 446 "Number of optimized accesses to stack vars"); 447 448 namespace { 449 450 /// This struct defines the shadow mapping using the rule: 451 /// shadow = (mem >> Scale) ADD-or-OR Offset. 452 /// If InGlobal is true, then 453 /// extern char __asan_shadow[]; 454 /// shadow = (mem >> Scale) + &__asan_shadow 455 struct ShadowMapping { 456 int Scale; 457 uint64_t Offset; 458 bool OrShadowOffset; 459 bool InGlobal; 460 }; 461 462 } // end anonymous namespace 463 464 static ShadowMapping getShadowMapping(const Triple &TargetTriple, int LongSize, 465 bool IsKasan) { 466 bool IsAndroid = TargetTriple.isAndroid(); 467 bool IsIOS = TargetTriple.isiOS() || TargetTriple.isWatchOS(); 468 bool IsMacOS = TargetTriple.isMacOSX(); 469 bool IsFreeBSD = TargetTriple.isOSFreeBSD(); 470 bool IsNetBSD = TargetTriple.isOSNetBSD(); 471 bool IsPS4CPU = TargetTriple.isPS4CPU(); 472 bool IsLinux = TargetTriple.isOSLinux(); 473 bool IsPPC64 = TargetTriple.getArch() == Triple::ppc64 || 474 TargetTriple.getArch() == Triple::ppc64le; 475 bool IsSystemZ = TargetTriple.getArch() == Triple::systemz; 476 bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64; 477 bool IsMIPS32 = TargetTriple.isMIPS32(); 478 bool IsMIPS64 = TargetTriple.isMIPS64(); 479 bool IsArmOrThumb = TargetTriple.isARM() || TargetTriple.isThumb(); 480 bool IsAArch64 = TargetTriple.getArch() == Triple::aarch64; 481 bool IsRISCV64 = TargetTriple.getArch() == Triple::riscv64; 482 bool IsWindows = TargetTriple.isOSWindows(); 483 bool IsFuchsia = TargetTriple.isOSFuchsia(); 484 bool IsEmscripten = TargetTriple.isOSEmscripten(); 485 bool IsAMDGPU = TargetTriple.isAMDGPU(); 486 487 ShadowMapping Mapping; 488 489 Mapping.Scale = kDefaultShadowScale; 490 if (ClMappingScale.getNumOccurrences() > 0) { 491 Mapping.Scale = ClMappingScale; 492 } 493 494 if (LongSize == 32) { 495 if (IsAndroid) 496 Mapping.Offset = kDynamicShadowSentinel; 497 else if (IsMIPS32) 498 Mapping.Offset = kMIPS32_ShadowOffset32; 499 else if (IsFreeBSD) 500 Mapping.Offset = kFreeBSD_ShadowOffset32; 501 else if (IsNetBSD) 502 Mapping.Offset = kNetBSD_ShadowOffset32; 503 else if (IsIOS) 504 Mapping.Offset = kDynamicShadowSentinel; 505 else if (IsWindows) 506 Mapping.Offset = kWindowsShadowOffset32; 507 else if (IsEmscripten) 508 Mapping.Offset = kEmscriptenShadowOffset; 509 else 510 Mapping.Offset = kDefaultShadowOffset32; 511 } else { // LongSize == 64 512 // Fuchsia is always PIE, which means that the beginning of the address 513 // space is always available. 
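// (With a zero offset the mapping below degenerates to Shadow = Mem >> Scale;
// purely as an illustration, with the default Scale of 3 the address 0x4010
// maps to shadow byte 0x802.)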
514 if (IsFuchsia) 515 Mapping.Offset = 0; 516 else if (IsPPC64) 517 Mapping.Offset = kPPC64_ShadowOffset64; 518 else if (IsSystemZ) 519 Mapping.Offset = kSystemZ_ShadowOffset64; 520 else if (IsFreeBSD && !IsMIPS64) { 521 if (IsKasan) 522 Mapping.Offset = kFreeBSDKasan_ShadowOffset64; 523 else 524 Mapping.Offset = kFreeBSD_ShadowOffset64; 525 } else if (IsNetBSD) { 526 if (IsKasan) 527 Mapping.Offset = kNetBSDKasan_ShadowOffset64; 528 else 529 Mapping.Offset = kNetBSD_ShadowOffset64; 530 } else if (IsPS4CPU) 531 Mapping.Offset = kPS4CPU_ShadowOffset64; 532 else if (IsLinux && IsX86_64) { 533 if (IsKasan) 534 Mapping.Offset = kLinuxKasan_ShadowOffset64; 535 else 536 Mapping.Offset = (kSmallX86_64ShadowOffsetBase & 537 (kSmallX86_64ShadowOffsetAlignMask << Mapping.Scale)); 538 } else if (IsWindows && IsX86_64) { 539 Mapping.Offset = kWindowsShadowOffset64; 540 } else if (IsMIPS64) 541 Mapping.Offset = kMIPS64_ShadowOffset64; 542 else if (IsIOS) 543 Mapping.Offset = kDynamicShadowSentinel; 544 else if (IsMacOS && IsAArch64) 545 Mapping.Offset = kDynamicShadowSentinel; 546 else if (IsAArch64) 547 Mapping.Offset = kAArch64_ShadowOffset64; 548 else if (IsRISCV64) 549 Mapping.Offset = kRISCV64_ShadowOffset64; 550 else if (IsAMDGPU) 551 Mapping.Offset = (kSmallX86_64ShadowOffsetBase & 552 (kSmallX86_64ShadowOffsetAlignMask << Mapping.Scale)); 553 else 554 Mapping.Offset = kDefaultShadowOffset64; 555 } 556 557 if (ClForceDynamicShadow) { 558 Mapping.Offset = kDynamicShadowSentinel; 559 } 560 561 if (ClMappingOffset.getNumOccurrences() > 0) { 562 Mapping.Offset = ClMappingOffset; 563 } 564 565 // OR-ing shadow offset if more efficient (at least on x86) if the offset 566 // is a power of two, but on ppc64 we have to use add since the shadow 567 // offset is not necessary 1/8-th of the address space. On SystemZ, 568 // we could OR the constant in a single instruction, but it's more 569 // efficient to load it once and use indexed addressing. 570 Mapping.OrShadowOffset = !IsAArch64 && !IsPPC64 && !IsSystemZ && !IsPS4CPU && 571 !IsRISCV64 && 572 !(Mapping.Offset & (Mapping.Offset - 1)) && 573 Mapping.Offset != kDynamicShadowSentinel; 574 bool IsAndroidWithIfuncSupport = 575 IsAndroid && !TargetTriple.isAndroidVersionLT(21); 576 Mapping.InGlobal = ClWithIfunc && IsAndroidWithIfuncSupport && IsArmOrThumb; 577 578 return Mapping; 579 } 580 581 namespace llvm { 582 void getAddressSanitizerParams(const Triple &TargetTriple, int LongSize, 583 bool IsKasan, uint64_t *ShadowBase, 584 int *MappingScale, bool *OrShadowOffset) { 585 auto Mapping = getShadowMapping(TargetTriple, LongSize, IsKasan); 586 *ShadowBase = Mapping.Offset; 587 *MappingScale = Mapping.Scale; 588 *OrShadowOffset = Mapping.OrShadowOffset; 589 } 590 591 ASanAccessInfo::ASanAccessInfo(int32_t Packed) 592 : Packed(Packed), 593 AccessSizeIndex((Packed >> kAccessSizeIndexShift) & kAccessSizeIndexMask), 594 IsWrite((Packed >> kIsWriteShift) & kIsWriteMask), 595 CompileKernel((Packed >> kCompileKernelShift) & kCompileKernelMask) {} 596 597 ASanAccessInfo::ASanAccessInfo(bool IsWrite, bool CompileKernel, 598 uint8_t AccessSizeIndex) 599 : Packed((IsWrite << kIsWriteShift) + 600 (CompileKernel << kCompileKernelShift) + 601 (AccessSizeIndex << kAccessSizeIndexShift)), 602 AccessSizeIndex(AccessSizeIndex), IsWrite(IsWrite), 603 CompileKernel(CompileKernel) {} 604 605 } // namespace llvm 606 607 static uint64_t getRedzoneSizeForScale(int MappingScale) { 608 // Redzone used for stack and globals is at least 32 bytes. 
609 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 610 return std::max(32U, 1U << MappingScale); 611 } 612 613 static uint64_t GetCtorAndDtorPriority(Triple &TargetTriple) { 614 if (TargetTriple.isOSEmscripten()) { 615 return kAsanEmscriptenCtorAndDtorPriority; 616 } else { 617 return kAsanCtorAndDtorPriority; 618 } 619 } 620 621 namespace { 622 623 /// Module analysis for getting various metadata about the module. 624 class ASanGlobalsMetadataWrapperPass : public ModulePass { 625 public: 626 static char ID; 627 628 ASanGlobalsMetadataWrapperPass() : ModulePass(ID) { 629 initializeASanGlobalsMetadataWrapperPassPass( 630 *PassRegistry::getPassRegistry()); 631 } 632 633 bool runOnModule(Module &M) override { 634 GlobalsMD = GlobalsMetadata(M); 635 return false; 636 } 637 638 StringRef getPassName() const override { 639 return "ASanGlobalsMetadataWrapperPass"; 640 } 641 642 void getAnalysisUsage(AnalysisUsage &AU) const override { 643 AU.setPreservesAll(); 644 } 645 646 GlobalsMetadata &getGlobalsMD() { return GlobalsMD; } 647 648 private: 649 GlobalsMetadata GlobalsMD; 650 }; 651 652 char ASanGlobalsMetadataWrapperPass::ID = 0; 653 654 /// AddressSanitizer: instrument the code in module to find memory bugs. 655 struct AddressSanitizer { 656 AddressSanitizer(Module &M, const GlobalsMetadata *GlobalsMD, 657 const StackSafetyGlobalInfo *SSGI, 658 bool CompileKernel = false, bool Recover = false, 659 bool UseAfterScope = false, 660 AsanDetectStackUseAfterReturnMode UseAfterReturn = 661 AsanDetectStackUseAfterReturnMode::Runtime) 662 : CompileKernel(ClEnableKasan.getNumOccurrences() > 0 ? ClEnableKasan 663 : CompileKernel), 664 Recover(ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover), 665 UseAfterScope(UseAfterScope || ClUseAfterScope), 666 UseAfterReturn(ClUseAfterReturn.getNumOccurrences() ? ClUseAfterReturn 667 : UseAfterReturn), 668 GlobalsMD(*GlobalsMD), SSGI(SSGI) { 669 C = &(M.getContext()); 670 LongSize = M.getDataLayout().getPointerSizeInBits(); 671 IntptrTy = Type::getIntNTy(*C, LongSize); 672 Int8PtrTy = Type::getInt8PtrTy(*C); 673 Int32Ty = Type::getInt32Ty(*C); 674 TargetTriple = Triple(M.getTargetTriple()); 675 676 Mapping = getShadowMapping(TargetTriple, LongSize, this->CompileKernel); 677 678 assert(this->UseAfterReturn != AsanDetectStackUseAfterReturnMode::Invalid); 679 } 680 681 uint64_t getAllocaSizeInBytes(const AllocaInst &AI) const { 682 uint64_t ArraySize = 1; 683 if (AI.isArrayAllocation()) { 684 const ConstantInt *CI = dyn_cast<ConstantInt>(AI.getArraySize()); 685 assert(CI && "non-constant array size"); 686 ArraySize = CI->getZExtValue(); 687 } 688 Type *Ty = AI.getAllocatedType(); 689 uint64_t SizeInBytes = 690 AI.getModule()->getDataLayout().getTypeAllocSize(Ty); 691 return SizeInBytes * ArraySize; 692 } 693 694 /// Check if we want (and can) handle this alloca. 
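  /// (Roughly: the allocated type must be sized, a static alloca must have a
  /// non-zero size, the alloca must not be promotable to a register when
  /// -asan-skip-promotable-allocas is set, and inalloca/swifterror allocas are
  /// skipped; see the definition further below.)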
695 bool isInterestingAlloca(const AllocaInst &AI); 696 697 bool ignoreAccess(Instruction *Inst, Value *Ptr); 698 void getInterestingMemoryOperands( 699 Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting); 700 701 void instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis, 702 InterestingMemoryOperand &O, bool UseCalls, 703 const DataLayout &DL); 704 void instrumentPointerComparisonOrSubtraction(Instruction *I); 705 void instrumentAddress(Instruction *OrigIns, Instruction *InsertBefore, 706 Value *Addr, uint32_t TypeSize, bool IsWrite, 707 Value *SizeArgument, bool UseCalls, uint32_t Exp); 708 Instruction *instrumentAMDGPUAddress(Instruction *OrigIns, 709 Instruction *InsertBefore, Value *Addr, 710 uint32_t TypeSize, bool IsWrite, 711 Value *SizeArgument); 712 void instrumentUnusualSizeOrAlignment(Instruction *I, 713 Instruction *InsertBefore, Value *Addr, 714 uint32_t TypeSize, bool IsWrite, 715 Value *SizeArgument, bool UseCalls, 716 uint32_t Exp); 717 Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 718 Value *ShadowValue, uint32_t TypeSize); 719 Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, 720 bool IsWrite, size_t AccessSizeIndex, 721 Value *SizeArgument, uint32_t Exp); 722 void instrumentMemIntrinsic(MemIntrinsic *MI); 723 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 724 bool suppressInstrumentationSiteForDebug(int &Instrumented); 725 bool instrumentFunction(Function &F, const TargetLibraryInfo *TLI); 726 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 727 bool maybeInsertDynamicShadowAtFunctionEntry(Function &F); 728 void markEscapedLocalAllocas(Function &F); 729 730 private: 731 friend struct FunctionStackPoisoner; 732 733 void initializeCallbacks(Module &M); 734 735 bool LooksLikeCodeInBug11395(Instruction *I); 736 bool GlobalIsLinkerInitialized(GlobalVariable *G); 737 bool isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, Value *Addr, 738 uint64_t TypeSize) const; 739 740 /// Helper to cleanup per-function state. 741 struct FunctionStateRAII { 742 AddressSanitizer *Pass; 743 744 FunctionStateRAII(AddressSanitizer *Pass) : Pass(Pass) { 745 assert(Pass->ProcessedAllocas.empty() && 746 "last pass forgot to clear cache"); 747 assert(!Pass->LocalDynamicShadow); 748 } 749 750 ~FunctionStateRAII() { 751 Pass->LocalDynamicShadow = nullptr; 752 Pass->ProcessedAllocas.clear(); 753 } 754 }; 755 756 LLVMContext *C; 757 Triple TargetTriple; 758 int LongSize; 759 bool CompileKernel; 760 bool Recover; 761 bool UseAfterScope; 762 AsanDetectStackUseAfterReturnMode UseAfterReturn; 763 Type *IntptrTy; 764 Type *Int8PtrTy; 765 Type *Int32Ty; 766 ShadowMapping Mapping; 767 FunctionCallee AsanHandleNoReturnFunc; 768 FunctionCallee AsanPtrCmpFunction, AsanPtrSubFunction; 769 Constant *AsanShadowGlobal; 770 771 // These arrays is indexed by AccessIsWrite, Experiment and log2(AccessSize). 772 FunctionCallee AsanErrorCallback[2][2][kNumberOfAccessSizes]; 773 FunctionCallee AsanMemoryAccessCallback[2][2][kNumberOfAccessSizes]; 774 775 // These arrays is indexed by AccessIsWrite and Experiment. 
776 FunctionCallee AsanErrorCallbackSized[2][2]; 777 FunctionCallee AsanMemoryAccessCallbackSized[2][2]; 778 779 FunctionCallee AsanMemmove, AsanMemcpy, AsanMemset; 780 Value *LocalDynamicShadow = nullptr; 781 const GlobalsMetadata &GlobalsMD; 782 const StackSafetyGlobalInfo *SSGI; 783 DenseMap<const AllocaInst *, bool> ProcessedAllocas; 784 785 FunctionCallee AMDGPUAddressShared; 786 FunctionCallee AMDGPUAddressPrivate; 787 }; 788 789 class AddressSanitizerLegacyPass : public FunctionPass { 790 public: 791 static char ID; 792 793 explicit AddressSanitizerLegacyPass( 794 bool CompileKernel = false, bool Recover = false, 795 bool UseAfterScope = false, 796 AsanDetectStackUseAfterReturnMode UseAfterReturn = 797 AsanDetectStackUseAfterReturnMode::Runtime) 798 : FunctionPass(ID), CompileKernel(CompileKernel), Recover(Recover), 799 UseAfterScope(UseAfterScope), UseAfterReturn(UseAfterReturn) { 800 initializeAddressSanitizerLegacyPassPass(*PassRegistry::getPassRegistry()); 801 } 802 803 StringRef getPassName() const override { 804 return "AddressSanitizerFunctionPass"; 805 } 806 807 void getAnalysisUsage(AnalysisUsage &AU) const override { 808 AU.addRequired<ASanGlobalsMetadataWrapperPass>(); 809 if (ClUseStackSafety) 810 AU.addRequired<StackSafetyGlobalInfoWrapperPass>(); 811 AU.addRequired<TargetLibraryInfoWrapperPass>(); 812 } 813 814 bool runOnFunction(Function &F) override { 815 GlobalsMetadata &GlobalsMD = 816 getAnalysis<ASanGlobalsMetadataWrapperPass>().getGlobalsMD(); 817 const StackSafetyGlobalInfo *const SSGI = 818 ClUseStackSafety 819 ? &getAnalysis<StackSafetyGlobalInfoWrapperPass>().getResult() 820 : nullptr; 821 const TargetLibraryInfo *TLI = 822 &getAnalysis<TargetLibraryInfoWrapperPass>().getTLI(F); 823 AddressSanitizer ASan(*F.getParent(), &GlobalsMD, SSGI, CompileKernel, 824 Recover, UseAfterScope, UseAfterReturn); 825 return ASan.instrumentFunction(F, TLI); 826 } 827 828 private: 829 bool CompileKernel; 830 bool Recover; 831 bool UseAfterScope; 832 AsanDetectStackUseAfterReturnMode UseAfterReturn; 833 }; 834 835 class ModuleAddressSanitizer { 836 public: 837 ModuleAddressSanitizer(Module &M, const GlobalsMetadata *GlobalsMD, 838 bool CompileKernel = false, bool Recover = false, 839 bool UseGlobalsGC = true, bool UseOdrIndicator = false, 840 AsanDtorKind DestructorKind = AsanDtorKind::Global) 841 : GlobalsMD(*GlobalsMD), 842 CompileKernel(ClEnableKasan.getNumOccurrences() > 0 ? ClEnableKasan 843 : CompileKernel), 844 Recover(ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover), 845 UseGlobalsGC(UseGlobalsGC && ClUseGlobalsGC && !this->CompileKernel), 846 // Enable aliases as they should have no downside with ODR indicators. 847 UsePrivateAlias(UseOdrIndicator || ClUsePrivateAlias), 848 UseOdrIndicator(UseOdrIndicator || ClUseOdrIndicator), 849 // Not a typo: ClWithComdat is almost completely pointless without 850 // ClUseGlobalsGC (because then it only works on modules without 851 // globals, which are rare); it is a prerequisite for ClUseGlobalsGC; 852 // and both suffer from gold PR19002 for which UseGlobalsGC constructor 853 // argument is designed as workaround. Therefore, disable both 854 // ClWithComdat and ClUseGlobalsGC unless the frontend says it's ok to 855 // do globals-gc. 
856 UseCtorComdat(UseGlobalsGC && ClWithComdat && !this->CompileKernel), 857 DestructorKind(DestructorKind) { 858 C = &(M.getContext()); 859 int LongSize = M.getDataLayout().getPointerSizeInBits(); 860 IntptrTy = Type::getIntNTy(*C, LongSize); 861 TargetTriple = Triple(M.getTargetTriple()); 862 Mapping = getShadowMapping(TargetTriple, LongSize, this->CompileKernel); 863 864 if (ClOverrideDestructorKind != AsanDtorKind::Invalid) 865 this->DestructorKind = ClOverrideDestructorKind; 866 assert(this->DestructorKind != AsanDtorKind::Invalid); 867 } 868 869 bool instrumentModule(Module &); 870 871 private: 872 void initializeCallbacks(Module &M); 873 874 bool InstrumentGlobals(IRBuilder<> &IRB, Module &M, bool *CtorComdat); 875 void InstrumentGlobalsCOFF(IRBuilder<> &IRB, Module &M, 876 ArrayRef<GlobalVariable *> ExtendedGlobals, 877 ArrayRef<Constant *> MetadataInitializers); 878 void InstrumentGlobalsELF(IRBuilder<> &IRB, Module &M, 879 ArrayRef<GlobalVariable *> ExtendedGlobals, 880 ArrayRef<Constant *> MetadataInitializers, 881 const std::string &UniqueModuleId); 882 void InstrumentGlobalsMachO(IRBuilder<> &IRB, Module &M, 883 ArrayRef<GlobalVariable *> ExtendedGlobals, 884 ArrayRef<Constant *> MetadataInitializers); 885 void 886 InstrumentGlobalsWithMetadataArray(IRBuilder<> &IRB, Module &M, 887 ArrayRef<GlobalVariable *> ExtendedGlobals, 888 ArrayRef<Constant *> MetadataInitializers); 889 890 GlobalVariable *CreateMetadataGlobal(Module &M, Constant *Initializer, 891 StringRef OriginalName); 892 void SetComdatForGlobalMetadata(GlobalVariable *G, GlobalVariable *Metadata, 893 StringRef InternalSuffix); 894 Instruction *CreateAsanModuleDtor(Module &M); 895 896 const GlobalVariable *getExcludedAliasedGlobal(const GlobalAlias &GA) const; 897 bool shouldInstrumentGlobal(GlobalVariable *G) const; 898 bool ShouldUseMachOGlobalsSection() const; 899 StringRef getGlobalMetadataSection() const; 900 void poisonOneInitializer(Function &GlobalInit, GlobalValue *ModuleName); 901 void createInitializerPoisonCalls(Module &M, GlobalValue *ModuleName); 902 uint64_t getMinRedzoneSizeForGlobal() const { 903 return getRedzoneSizeForScale(Mapping.Scale); 904 } 905 uint64_t getRedzoneSizeForGlobal(uint64_t SizeInBytes) const; 906 int GetAsanVersion(const Module &M) const; 907 908 const GlobalsMetadata &GlobalsMD; 909 bool CompileKernel; 910 bool Recover; 911 bool UseGlobalsGC; 912 bool UsePrivateAlias; 913 bool UseOdrIndicator; 914 bool UseCtorComdat; 915 AsanDtorKind DestructorKind; 916 Type *IntptrTy; 917 LLVMContext *C; 918 Triple TargetTriple; 919 ShadowMapping Mapping; 920 FunctionCallee AsanPoisonGlobals; 921 FunctionCallee AsanUnpoisonGlobals; 922 FunctionCallee AsanRegisterGlobals; 923 FunctionCallee AsanUnregisterGlobals; 924 FunctionCallee AsanRegisterImageGlobals; 925 FunctionCallee AsanUnregisterImageGlobals; 926 FunctionCallee AsanRegisterElfGlobals; 927 FunctionCallee AsanUnregisterElfGlobals; 928 929 Function *AsanCtorFunction = nullptr; 930 Function *AsanDtorFunction = nullptr; 931 }; 932 933 class ModuleAddressSanitizerLegacyPass : public ModulePass { 934 public: 935 static char ID; 936 937 explicit ModuleAddressSanitizerLegacyPass( 938 bool CompileKernel = false, bool Recover = false, bool UseGlobalGC = true, 939 bool UseOdrIndicator = false, 940 AsanDtorKind DestructorKind = AsanDtorKind::Global) 941 : ModulePass(ID), CompileKernel(CompileKernel), Recover(Recover), 942 UseGlobalGC(UseGlobalGC), UseOdrIndicator(UseOdrIndicator), 943 DestructorKind(DestructorKind) { 944 
initializeModuleAddressSanitizerLegacyPassPass( 945 *PassRegistry::getPassRegistry()); 946 } 947 948 StringRef getPassName() const override { return "ModuleAddressSanitizer"; } 949 950 void getAnalysisUsage(AnalysisUsage &AU) const override { 951 AU.addRequired<ASanGlobalsMetadataWrapperPass>(); 952 } 953 954 bool runOnModule(Module &M) override { 955 GlobalsMetadata &GlobalsMD = 956 getAnalysis<ASanGlobalsMetadataWrapperPass>().getGlobalsMD(); 957 ModuleAddressSanitizer ASanModule(M, &GlobalsMD, CompileKernel, Recover, 958 UseGlobalGC, UseOdrIndicator, 959 DestructorKind); 960 return ASanModule.instrumentModule(M); 961 } 962 963 private: 964 bool CompileKernel; 965 bool Recover; 966 bool UseGlobalGC; 967 bool UseOdrIndicator; 968 AsanDtorKind DestructorKind; 969 }; 970 971 // Stack poisoning does not play well with exception handling. 972 // When an exception is thrown, we essentially bypass the code 973 // that unpoisones the stack. This is why the run-time library has 974 // to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 975 // stack in the interceptor. This however does not work inside the 976 // actual function which catches the exception. Most likely because the 977 // compiler hoists the load of the shadow value somewhere too high. 978 // This causes asan to report a non-existing bug on 453.povray. 979 // It sounds like an LLVM bug. 980 struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> { 981 Function &F; 982 AddressSanitizer &ASan; 983 DIBuilder DIB; 984 LLVMContext *C; 985 Type *IntptrTy; 986 Type *IntptrPtrTy; 987 ShadowMapping Mapping; 988 989 SmallVector<AllocaInst *, 16> AllocaVec; 990 SmallVector<AllocaInst *, 16> StaticAllocasToMoveUp; 991 SmallVector<Instruction *, 8> RetVec; 992 993 FunctionCallee AsanStackMallocFunc[kMaxAsanStackMallocSizeClass + 1], 994 AsanStackFreeFunc[kMaxAsanStackMallocSizeClass + 1]; 995 FunctionCallee AsanSetShadowFunc[0x100] = {}; 996 FunctionCallee AsanPoisonStackMemoryFunc, AsanUnpoisonStackMemoryFunc; 997 FunctionCallee AsanAllocaPoisonFunc, AsanAllocasUnpoisonFunc; 998 999 // Stores a place and arguments of poisoning/unpoisoning call for alloca. 1000 struct AllocaPoisonCall { 1001 IntrinsicInst *InsBefore; 1002 AllocaInst *AI; 1003 uint64_t Size; 1004 bool DoPoison; 1005 }; 1006 SmallVector<AllocaPoisonCall, 8> DynamicAllocaPoisonCallVec; 1007 SmallVector<AllocaPoisonCall, 8> StaticAllocaPoisonCallVec; 1008 bool HasUntracedLifetimeIntrinsic = false; 1009 1010 SmallVector<AllocaInst *, 1> DynamicAllocaVec; 1011 SmallVector<IntrinsicInst *, 1> StackRestoreVec; 1012 AllocaInst *DynamicAllocaLayout = nullptr; 1013 IntrinsicInst *LocalEscapeCall = nullptr; 1014 1015 bool HasInlineAsm = false; 1016 bool HasReturnsTwiceCall = false; 1017 bool PoisonStack; 1018 1019 FunctionStackPoisoner(Function &F, AddressSanitizer &ASan) 1020 : F(F), ASan(ASan), DIB(*F.getParent(), /*AllowUnresolved*/ false), 1021 C(ASan.C), IntptrTy(ASan.IntptrTy), 1022 IntptrPtrTy(PointerType::get(IntptrTy, 0)), Mapping(ASan.Mapping), 1023 PoisonStack(ClStack && 1024 !Triple(F.getParent()->getTargetTriple()).isAMDGPU()) {} 1025 1026 bool runOnFunction() { 1027 if (!PoisonStack) 1028 return false; 1029 1030 if (ClRedzoneByvalArgs) 1031 copyArgsPassedByValToAllocas(); 1032 1033 // Collect alloca, ret, lifetime instructions etc. 
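    // (The depth-first walk below only visits blocks reachable from the entry
    // block, so allocas and returns in unreachable code are not collected.)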
1034 for (BasicBlock *BB : depth_first(&F.getEntryBlock())) visit(*BB); 1035 1036 if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false; 1037 1038 initializeCallbacks(*F.getParent()); 1039 1040 if (HasUntracedLifetimeIntrinsic) { 1041 // If there are lifetime intrinsics which couldn't be traced back to an 1042 // alloca, we may not know exactly when a variable enters scope, and 1043 // therefore should "fail safe" by not poisoning them. 1044 StaticAllocaPoisonCallVec.clear(); 1045 DynamicAllocaPoisonCallVec.clear(); 1046 } 1047 1048 processDynamicAllocas(); 1049 processStaticAllocas(); 1050 1051 if (ClDebugStack) { 1052 LLVM_DEBUG(dbgs() << F); 1053 } 1054 return true; 1055 } 1056 1057 // Arguments marked with the "byval" attribute are implicitly copied without 1058 // using an alloca instruction. To produce redzones for those arguments, we 1059 // copy them a second time into memory allocated with an alloca instruction. 1060 void copyArgsPassedByValToAllocas(); 1061 1062 // Finds all Alloca instructions and puts 1063 // poisoned red zones around all of them. 1064 // Then unpoison everything back before the function returns. 1065 void processStaticAllocas(); 1066 void processDynamicAllocas(); 1067 1068 void createDynamicAllocasInitStorage(); 1069 1070 // ----------------------- Visitors. 1071 /// Collect all Ret instructions, or the musttail call instruction if it 1072 /// precedes the return instruction. 1073 void visitReturnInst(ReturnInst &RI) { 1074 if (CallInst *CI = RI.getParent()->getTerminatingMustTailCall()) 1075 RetVec.push_back(CI); 1076 else 1077 RetVec.push_back(&RI); 1078 } 1079 1080 /// Collect all Resume instructions. 1081 void visitResumeInst(ResumeInst &RI) { RetVec.push_back(&RI); } 1082 1083 /// Collect all CatchReturnInst instructions. 1084 void visitCleanupReturnInst(CleanupReturnInst &CRI) { RetVec.push_back(&CRI); } 1085 1086 void unpoisonDynamicAllocasBeforeInst(Instruction *InstBefore, 1087 Value *SavedStack) { 1088 IRBuilder<> IRB(InstBefore); 1089 Value *DynamicAreaPtr = IRB.CreatePtrToInt(SavedStack, IntptrTy); 1090 // When we insert _asan_allocas_unpoison before @llvm.stackrestore, we 1091 // need to adjust extracted SP to compute the address of the most recent 1092 // alloca. We have a special @llvm.get.dynamic.area.offset intrinsic for 1093 // this purpose. 1094 if (!isa<ReturnInst>(InstBefore)) { 1095 Function *DynamicAreaOffsetFunc = Intrinsic::getDeclaration( 1096 InstBefore->getModule(), Intrinsic::get_dynamic_area_offset, 1097 {IntptrTy}); 1098 1099 Value *DynamicAreaOffset = IRB.CreateCall(DynamicAreaOffsetFunc, {}); 1100 1101 DynamicAreaPtr = IRB.CreateAdd(IRB.CreatePtrToInt(SavedStack, IntptrTy), 1102 DynamicAreaOffset); 1103 } 1104 1105 IRB.CreateCall( 1106 AsanAllocasUnpoisonFunc, 1107 {IRB.CreateLoad(IntptrTy, DynamicAllocaLayout), DynamicAreaPtr}); 1108 } 1109 1110 // Unpoison dynamic allocas redzones. 1111 void unpoisonDynamicAllocas() { 1112 for (Instruction *Ret : RetVec) 1113 unpoisonDynamicAllocasBeforeInst(Ret, DynamicAllocaLayout); 1114 1115 for (Instruction *StackRestoreInst : StackRestoreVec) 1116 unpoisonDynamicAllocasBeforeInst(StackRestoreInst, 1117 StackRestoreInst->getOperand(0)); 1118 } 1119 1120 // Deploy and poison redzones around dynamic alloca call. 
To do this, we 1121 // should replace this call with another one with changed parameters and 1122 // replace all its uses with new address, so 1123 // addr = alloca type, old_size, align 1124 // is replaced by 1125 // new_size = (old_size + additional_size) * sizeof(type) 1126 // tmp = alloca i8, new_size, max(align, 32) 1127 // addr = tmp + 32 (first 32 bytes are for the left redzone). 1128 // Additional_size is added to make new memory allocation contain not only 1129 // requested memory, but also left, partial and right redzones. 1130 void handleDynamicAllocaCall(AllocaInst *AI); 1131 1132 /// Collect Alloca instructions we want (and can) handle. 1133 void visitAllocaInst(AllocaInst &AI) { 1134 if (!ASan.isInterestingAlloca(AI)) { 1135 if (AI.isStaticAlloca()) { 1136 // Skip over allocas that are present *before* the first instrumented 1137 // alloca, we don't want to move those around. 1138 if (AllocaVec.empty()) 1139 return; 1140 1141 StaticAllocasToMoveUp.push_back(&AI); 1142 } 1143 return; 1144 } 1145 1146 if (!AI.isStaticAlloca()) 1147 DynamicAllocaVec.push_back(&AI); 1148 else 1149 AllocaVec.push_back(&AI); 1150 } 1151 1152 /// Collect lifetime intrinsic calls to check for use-after-scope 1153 /// errors. 1154 void visitIntrinsicInst(IntrinsicInst &II) { 1155 Intrinsic::ID ID = II.getIntrinsicID(); 1156 if (ID == Intrinsic::stackrestore) StackRestoreVec.push_back(&II); 1157 if (ID == Intrinsic::localescape) LocalEscapeCall = &II; 1158 if (!ASan.UseAfterScope) 1159 return; 1160 if (!II.isLifetimeStartOrEnd()) 1161 return; 1162 // Found lifetime intrinsic, add ASan instrumentation if necessary. 1163 auto *Size = cast<ConstantInt>(II.getArgOperand(0)); 1164 // If size argument is undefined, don't do anything. 1165 if (Size->isMinusOne()) return; 1166 // Check that size doesn't saturate uint64_t and can 1167 // be stored in IntptrTy. 1168 const uint64_t SizeValue = Size->getValue().getLimitedValue(); 1169 if (SizeValue == ~0ULL || 1170 !ConstantInt::isValueValidForType(IntptrTy, SizeValue)) 1171 return; 1172 // Find alloca instruction that corresponds to llvm.lifetime argument. 1173 // Currently we can only handle lifetime markers pointing to the 1174 // beginning of the alloca. 1175 AllocaInst *AI = findAllocaForValue(II.getArgOperand(1), true); 1176 if (!AI) { 1177 HasUntracedLifetimeIntrinsic = true; 1178 return; 1179 } 1180 // We're interested only in allocas we can handle. 1181 if (!ASan.isInterestingAlloca(*AI)) 1182 return; 1183 bool DoPoison = (ID == Intrinsic::lifetime_end); 1184 AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison}; 1185 if (AI->isStaticAlloca()) 1186 StaticAllocaPoisonCallVec.push_back(APC); 1187 else if (ClInstrumentDynamicAllocas) 1188 DynamicAllocaPoisonCallVec.push_back(APC); 1189 } 1190 1191 void visitCallBase(CallBase &CB) { 1192 if (CallInst *CI = dyn_cast<CallInst>(&CB)) { 1193 HasInlineAsm |= CI->isInlineAsm() && &CB != ASan.LocalDynamicShadow; 1194 HasReturnsTwiceCall |= CI->canReturnTwice(); 1195 } 1196 } 1197 1198 // ---------------------- Helpers. 1199 void initializeCallbacks(Module &M); 1200 1201 // Copies bytes from ShadowBytes into shadow memory for indexes where 1202 // ShadowMask is not zero. If ShadowMask[i] is zero, we assume that 1203 // ShadowBytes[i] is constantly zero and doesn't need to be overwritten. 
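  // For example (illustrative values only): with ShadowMask = {1, 0, 1} and
  // ShadowBytes = {0xf1, 0x00, 0xf3}, only indexes 0 and 2 are written; the
  // shadow byte at index 1 is left untouched.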
  void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes,
                    IRBuilder<> &IRB, Value *ShadowBase);
  void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes,
                    size_t Begin, size_t End, IRBuilder<> &IRB,
                    Value *ShadowBase);
  void copyToShadowInline(ArrayRef<uint8_t> ShadowMask,
                          ArrayRef<uint8_t> ShadowBytes, size_t Begin,
                          size_t End, IRBuilder<> &IRB, Value *ShadowBase);

  void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> &IRB, bool DoPoison);

  Value *createAllocaForLayout(IRBuilder<> &IRB, const ASanStackFrameLayout &L,
                               bool Dynamic);
  PHINode *createPHI(IRBuilder<> &IRB, Value *Cond, Value *ValueIfTrue,
                     Instruction *ThenTerm, Value *ValueIfFalse);
};

} // end anonymous namespace

void LocationMetadata::parse(MDNode *MDN) {
  assert(MDN->getNumOperands() == 3);
  MDString *DIFilename = cast<MDString>(MDN->getOperand(0));
  Filename = DIFilename->getString();
  LineNo = mdconst::extract<ConstantInt>(MDN->getOperand(1))->getLimitedValue();
  ColumnNo =
      mdconst::extract<ConstantInt>(MDN->getOperand(2))->getLimitedValue();
}

// FIXME: It would be cleaner to attach the relevant metadata directly to the
// globals we want to sanitize and read it on each pass over a function,
// instead of reading module-level metadata up front.
GlobalsMetadata::GlobalsMetadata(Module &M) {
  NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals");
  if (!Globals)
    return;
  for (auto MDN : Globals->operands()) {
    // Metadata node contains the global and the fields of "Entry".
    assert(MDN->getNumOperands() == 5);
    auto *V = mdconst::extract_or_null<Constant>(MDN->getOperand(0));
    // The optimizer may optimize away a global entirely.
    if (!V)
      continue;
    auto *StrippedV = V->stripPointerCasts();
    auto *GV = dyn_cast<GlobalVariable>(StrippedV);
    if (!GV)
      continue;
    // We can already have an entry for GV if it was merged with another
    // global.
1252 Entry &E = Entries[GV]; 1253 if (auto *Loc = cast_or_null<MDNode>(MDN->getOperand(1))) 1254 E.SourceLoc.parse(Loc); 1255 if (auto *Name = cast_or_null<MDString>(MDN->getOperand(2))) 1256 E.Name = Name->getString(); 1257 ConstantInt *IsDynInit = mdconst::extract<ConstantInt>(MDN->getOperand(3)); 1258 E.IsDynInit |= IsDynInit->isOne(); 1259 ConstantInt *IsExcluded = 1260 mdconst::extract<ConstantInt>(MDN->getOperand(4)); 1261 E.IsExcluded |= IsExcluded->isOne(); 1262 } 1263 } 1264 1265 AnalysisKey ASanGlobalsMetadataAnalysis::Key; 1266 1267 GlobalsMetadata ASanGlobalsMetadataAnalysis::run(Module &M, 1268 ModuleAnalysisManager &AM) { 1269 return GlobalsMetadata(M); 1270 } 1271 1272 PreservedAnalyses AddressSanitizerPass::run(Function &F, 1273 AnalysisManager<Function> &AM) { 1274 auto &MAMProxy = AM.getResult<ModuleAnalysisManagerFunctionProxy>(F); 1275 Module &M = *F.getParent(); 1276 if (auto *R = MAMProxy.getCachedResult<ASanGlobalsMetadataAnalysis>(M)) { 1277 const TargetLibraryInfo *TLI = &AM.getResult<TargetLibraryAnalysis>(F); 1278 AddressSanitizer Sanitizer(M, R, nullptr, Options.CompileKernel, 1279 Options.Recover, Options.UseAfterScope, 1280 Options.UseAfterReturn); 1281 if (Sanitizer.instrumentFunction(F, TLI)) 1282 return PreservedAnalyses::none(); 1283 return PreservedAnalyses::all(); 1284 } 1285 1286 report_fatal_error( 1287 "The ASanGlobalsMetadataAnalysis is required to run before " 1288 "AddressSanitizer can run"); 1289 return PreservedAnalyses::all(); 1290 } 1291 1292 void AddressSanitizerPass::printPipeline( 1293 raw_ostream &OS, function_ref<StringRef(StringRef)> MapClassName2PassName) { 1294 static_cast<PassInfoMixin<AddressSanitizerPass> *>(this)->printPipeline( 1295 OS, MapClassName2PassName); 1296 OS << "<"; 1297 if (Options.CompileKernel) 1298 OS << "kernel"; 1299 OS << ">"; 1300 } 1301 1302 void ModuleAddressSanitizerPass::printPipeline( 1303 raw_ostream &OS, function_ref<StringRef(StringRef)> MapClassName2PassName) { 1304 static_cast<PassInfoMixin<ModuleAddressSanitizerPass> *>(this)->printPipeline( 1305 OS, MapClassName2PassName); 1306 OS << "<"; 1307 if (Options.CompileKernel) 1308 OS << "kernel"; 1309 OS << ">"; 1310 } 1311 1312 ModuleAddressSanitizerPass::ModuleAddressSanitizerPass( 1313 const AddressSanitizerOptions &Options, bool UseGlobalGC, 1314 bool UseOdrIndicator, AsanDtorKind DestructorKind) 1315 : Options(Options), UseGlobalGC(UseGlobalGC), 1316 UseOdrIndicator(UseOdrIndicator), DestructorKind(DestructorKind) {} 1317 1318 PreservedAnalyses ModuleAddressSanitizerPass::run(Module &M, 1319 ModuleAnalysisManager &MAM) { 1320 GlobalsMetadata &GlobalsMD = MAM.getResult<ASanGlobalsMetadataAnalysis>(M); 1321 ModuleAddressSanitizer ModuleSanitizer(M, &GlobalsMD, Options.CompileKernel, 1322 Options.Recover, UseGlobalGC, 1323 UseOdrIndicator, DestructorKind); 1324 bool Modified = false; 1325 auto &FAM = MAM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager(); 1326 const StackSafetyGlobalInfo *const SSGI = 1327 ClUseStackSafety ? &MAM.getResult<StackSafetyGlobalAnalysis>(M) : nullptr; 1328 for (Function &F : M) { 1329 AddressSanitizer FunctionSanitizer( 1330 M, &GlobalsMD, SSGI, Options.CompileKernel, Options.Recover, 1331 Options.UseAfterScope, Options.UseAfterReturn); 1332 const TargetLibraryInfo &TLI = FAM.getResult<TargetLibraryAnalysis>(F); 1333 Modified |= FunctionSanitizer.instrumentFunction(F, &TLI); 1334 } 1335 Modified |= ModuleSanitizer.instrumentModule(M); 1336 return Modified ? 
PreservedAnalyses::none() : PreservedAnalyses::all(); 1337 } 1338 1339 INITIALIZE_PASS(ASanGlobalsMetadataWrapperPass, "asan-globals-md", 1340 "Read metadata to mark which globals should be instrumented " 1341 "when running ASan.", 1342 false, true) 1343 1344 char AddressSanitizerLegacyPass::ID = 0; 1345 1346 INITIALIZE_PASS_BEGIN( 1347 AddressSanitizerLegacyPass, "asan", 1348 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false, 1349 false) 1350 INITIALIZE_PASS_DEPENDENCY(ASanGlobalsMetadataWrapperPass) 1351 INITIALIZE_PASS_DEPENDENCY(StackSafetyGlobalInfoWrapperPass) 1352 INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass) 1353 INITIALIZE_PASS_END( 1354 AddressSanitizerLegacyPass, "asan", 1355 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false, 1356 false) 1357 1358 FunctionPass *llvm::createAddressSanitizerFunctionPass( 1359 bool CompileKernel, bool Recover, bool UseAfterScope, 1360 AsanDetectStackUseAfterReturnMode UseAfterReturn) { 1361 assert(!CompileKernel || Recover); 1362 return new AddressSanitizerLegacyPass(CompileKernel, Recover, UseAfterScope, 1363 UseAfterReturn); 1364 } 1365 1366 char ModuleAddressSanitizerLegacyPass::ID = 0; 1367 1368 INITIALIZE_PASS( 1369 ModuleAddressSanitizerLegacyPass, "asan-module", 1370 "AddressSanitizer: detects use-after-free and out-of-bounds bugs." 1371 "ModulePass", 1372 false, false) 1373 1374 ModulePass *llvm::createModuleAddressSanitizerLegacyPassPass( 1375 bool CompileKernel, bool Recover, bool UseGlobalsGC, bool UseOdrIndicator, 1376 AsanDtorKind Destructor) { 1377 assert(!CompileKernel || Recover); 1378 return new ModuleAddressSanitizerLegacyPass( 1379 CompileKernel, Recover, UseGlobalsGC, UseOdrIndicator, Destructor); 1380 } 1381 1382 static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 1383 size_t Res = countTrailingZeros(TypeSize / 8); 1384 assert(Res < kNumberOfAccessSizes); 1385 return Res; 1386 } 1387 1388 /// Create a global describing a source location. 1389 static GlobalVariable *createPrivateGlobalForSourceLoc(Module &M, 1390 LocationMetadata MD) { 1391 Constant *LocData[] = { 1392 createPrivateGlobalForString(M, MD.Filename, true, kAsanGenPrefix), 1393 ConstantInt::get(Type::getInt32Ty(M.getContext()), MD.LineNo), 1394 ConstantInt::get(Type::getInt32Ty(M.getContext()), MD.ColumnNo), 1395 }; 1396 auto LocStruct = ConstantStruct::getAnon(LocData); 1397 auto GV = new GlobalVariable(M, LocStruct->getType(), true, 1398 GlobalValue::PrivateLinkage, LocStruct, 1399 kAsanGenPrefix); 1400 GV->setUnnamedAddr(GlobalValue::UnnamedAddr::Global); 1401 return GV; 1402 } 1403 1404 /// Check if \p G has been created by a trusted compiler pass. 1405 static bool GlobalWasGeneratedByCompiler(GlobalVariable *G) { 1406 // Do not instrument @llvm.global_ctors, @llvm.used, etc. 1407 if (G->getName().startswith("llvm.")) 1408 return true; 1409 1410 // Do not instrument asan globals. 1411 if (G->getName().startswith(kAsanGenPrefix) || 1412 G->getName().startswith(kSanCovGenPrefix) || 1413 G->getName().startswith(kODRGenPrefix)) 1414 return true; 1415 1416 // Do not instrument gcov counter arrays. 
1417 if (G->getName() == "__llvm_gcov_ctr") 1418 return true; 1419 1420 return false; 1421 } 1422 1423 static bool isUnsupportedAMDGPUAddrspace(Value *Addr) { 1424 Type *PtrTy = cast<PointerType>(Addr->getType()->getScalarType()); 1425 unsigned int AddrSpace = PtrTy->getPointerAddressSpace(); 1426 if (AddrSpace == 3 || AddrSpace == 5) 1427 return true; 1428 return false; 1429 } 1430 1431 Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 1432 // Shadow >> scale 1433 Shadow = IRB.CreateLShr(Shadow, Mapping.Scale); 1434 if (Mapping.Offset == 0) return Shadow; 1435 // (Shadow >> scale) | offset 1436 Value *ShadowBase; 1437 if (LocalDynamicShadow) 1438 ShadowBase = LocalDynamicShadow; 1439 else 1440 ShadowBase = ConstantInt::get(IntptrTy, Mapping.Offset); 1441 if (Mapping.OrShadowOffset) 1442 return IRB.CreateOr(Shadow, ShadowBase); 1443 else 1444 return IRB.CreateAdd(Shadow, ShadowBase); 1445 } 1446 1447 // Instrument memset/memmove/memcpy 1448 void AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 1449 IRBuilder<> IRB(MI); 1450 if (isa<MemTransferInst>(MI)) { 1451 IRB.CreateCall( 1452 isa<MemMoveInst>(MI) ? AsanMemmove : AsanMemcpy, 1453 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 1454 IRB.CreatePointerCast(MI->getOperand(1), IRB.getInt8PtrTy()), 1455 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 1456 } else if (isa<MemSetInst>(MI)) { 1457 IRB.CreateCall( 1458 AsanMemset, 1459 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()), 1460 IRB.CreateIntCast(MI->getOperand(1), IRB.getInt32Ty(), false), 1461 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)}); 1462 } 1463 MI->eraseFromParent(); 1464 } 1465 1466 /// Check if we want (and can) handle this alloca. 1467 bool AddressSanitizer::isInterestingAlloca(const AllocaInst &AI) { 1468 auto PreviouslySeenAllocaInfo = ProcessedAllocas.find(&AI); 1469 1470 if (PreviouslySeenAllocaInfo != ProcessedAllocas.end()) 1471 return PreviouslySeenAllocaInfo->getSecond(); 1472 1473 bool IsInteresting = 1474 (AI.getAllocatedType()->isSized() && 1475 // alloca() may be called with 0 size, ignore it. 1476 ((!AI.isStaticAlloca()) || getAllocaSizeInBytes(AI) > 0) && 1477 // We are only interested in allocas not promotable to registers. 1478 // Promotable allocas are common under -O0. 1479 (!ClSkipPromotableAllocas || !isAllocaPromotable(&AI)) && 1480 // inalloca allocas are not treated as static, and we don't want 1481 // dynamic alloca instrumentation for them as well. 1482 !AI.isUsedWithInAlloca() && 1483 // swifterror allocas are register promoted by ISel 1484 !AI.isSwiftError()); 1485 1486 ProcessedAllocas[&AI] = IsInteresting; 1487 return IsInteresting; 1488 } 1489 1490 bool AddressSanitizer::ignoreAccess(Instruction *Inst, Value *Ptr) { 1491 // Instrument acesses from different address spaces only for AMDGPU. 1492 Type *PtrTy = cast<PointerType>(Ptr->getType()->getScalarType()); 1493 if (PtrTy->getPointerAddressSpace() != 0 && 1494 !(TargetTriple.isAMDGPU() && !isUnsupportedAMDGPUAddrspace(Ptr))) 1495 return true; 1496 1497 // Ignore swifterror addresses. 1498 // swifterror memory addresses are mem2reg promoted by instruction 1499 // selection. As such they cannot have regular uses like an instrumentation 1500 // function and it makes no sense to track them as memory. 1501 if (Ptr->isSwiftError()) 1502 return true; 1503 1504 // Treat memory accesses to promotable allocas as non-interesting since they 1505 // will not cause memory violations. 
This greatly speeds up the instrumented
1506 // executable at -O0.
1507 if (auto AI = dyn_cast_or_null<AllocaInst>(Ptr))
1508 if (ClSkipPromotableAllocas && !isInterestingAlloca(*AI))
1509 return true;
1510
1511 if (SSGI != nullptr && SSGI->stackAccessIsSafe(*Inst) &&
1512 findAllocaForValue(Ptr))
1513 return true;
1514
1515 return false;
1516 }
1517
1518 void AddressSanitizer::getInterestingMemoryOperands(
1519 Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting) {
1520 // Skip memory accesses inserted by another instrumentation.
1521 if (I->hasMetadata("nosanitize"))
1522 return;
1523
1524 // Do not instrument the load fetching the dynamic shadow address.
1525 if (LocalDynamicShadow == I)
1526 return;
1527
1528 if (LoadInst *LI = dyn_cast<LoadInst>(I)) {
1529 if (!ClInstrumentReads || ignoreAccess(I, LI->getPointerOperand()))
1530 return;
1531 Interesting.emplace_back(I, LI->getPointerOperandIndex(), false,
1532 LI->getType(), LI->getAlign());
1533 } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {
1534 if (!ClInstrumentWrites || ignoreAccess(I, SI->getPointerOperand()))
1535 return;
1536 Interesting.emplace_back(I, SI->getPointerOperandIndex(), true,
1537 SI->getValueOperand()->getType(), SI->getAlign());
1538 } else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) {
1539 if (!ClInstrumentAtomics || ignoreAccess(I, RMW->getPointerOperand()))
1540 return;
1541 Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true,
1542 RMW->getValOperand()->getType(), None);
1543 } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {
1544 if (!ClInstrumentAtomics || ignoreAccess(I, XCHG->getPointerOperand()))
1545 return;
1546 Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true,
1547 XCHG->getCompareOperand()->getType(), None);
1548 } else if (auto CI = dyn_cast<CallInst>(I)) {
1549 auto *F = CI->getCalledFunction();
1550 if (F && (F->getName().startswith("llvm.masked.load.") ||
1551 F->getName().startswith("llvm.masked.store."))) {
1552 bool IsWrite = F->getName().startswith("llvm.masked.store.");
1553 // Masked store has an initial operand for the value.
1554 unsigned OpOffset = IsWrite ? 1 : 0;
1555 if (IsWrite ? !ClInstrumentWrites : !ClInstrumentReads)
1556 return;
1557
1558 auto BasePtr = CI->getOperand(OpOffset);
1559 if (ignoreAccess(I, BasePtr))
1560 return;
1561 auto Ty = cast<PointerType>(BasePtr->getType())->getElementType();
1562 MaybeAlign Alignment = Align(1);
1563 // Otherwise no alignment guarantees. We probably got Undef.
1564 if (auto *Op = dyn_cast<ConstantInt>(CI->getOperand(1 + OpOffset)))
1565 Alignment = Op->getMaybeAlignValue();
1566 Value *Mask = CI->getOperand(2 + OpOffset);
1567 Interesting.emplace_back(I, OpOffset, IsWrite, Ty, Alignment, Mask);
1568 } else {
1569 for (unsigned ArgNo = 0; ArgNo < CI->arg_size(); ArgNo++) {
1570 if (!ClInstrumentByval || !CI->isByValArgument(ArgNo) ||
1571 ignoreAccess(I, CI->getArgOperand(ArgNo)))
1572 continue;
1573 Type *Ty = CI->getParamByValType(ArgNo);
1574 Interesting.emplace_back(I, ArgNo, false, Ty, Align(1));
1575 }
1576 }
1577 }
1578 }
1579
1580 static bool isPointerOperand(Value *V) {
1581 return V->getType()->isPointerTy() || isa<PtrToIntInst>(V);
1582 }
1583
1584 // This is a rough heuristic; it may cause both false positives and
1585 // false negatives. The proper implementation requires cooperation with
1586 // the frontend.
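// For example (illustrative), with ClInvalidPointerCmp enabled a relational
// comparison of two pointer operands such as
//   bool precedes(char *a, char *b) { return a < b; }
// is matched here, and instrumentPointerComparisonOrSubtraction() then
// forwards both operands to AsanPtrCmpFunction so the runtime can flag
// comparisons of pointers that do not point into the same object.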
1587 static bool isInterestingPointerComparison(Instruction *I) { 1588 if (ICmpInst *Cmp = dyn_cast<ICmpInst>(I)) { 1589 if (!Cmp->isRelational()) 1590 return false; 1591 } else { 1592 return false; 1593 } 1594 return isPointerOperand(I->getOperand(0)) && 1595 isPointerOperand(I->getOperand(1)); 1596 } 1597 1598 // This is a rough heuristic; it may cause both false positives and 1599 // false negatives. The proper implementation requires cooperation with 1600 // the frontend. 1601 static bool isInterestingPointerSubtraction(Instruction *I) { 1602 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(I)) { 1603 if (BO->getOpcode() != Instruction::Sub) 1604 return false; 1605 } else { 1606 return false; 1607 } 1608 return isPointerOperand(I->getOperand(0)) && 1609 isPointerOperand(I->getOperand(1)); 1610 } 1611 1612 bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) { 1613 // If a global variable does not have dynamic initialization we don't 1614 // have to instrument it. However, if a global does not have initializer 1615 // at all, we assume it has dynamic initializer (in other TU). 1616 // 1617 // FIXME: Metadata should be attched directly to the global directly instead 1618 // of being added to llvm.asan.globals. 1619 return G->hasInitializer() && !GlobalsMD.get(G).IsDynInit; 1620 } 1621 1622 void AddressSanitizer::instrumentPointerComparisonOrSubtraction( 1623 Instruction *I) { 1624 IRBuilder<> IRB(I); 1625 FunctionCallee F = isa<ICmpInst>(I) ? AsanPtrCmpFunction : AsanPtrSubFunction; 1626 Value *Param[2] = {I->getOperand(0), I->getOperand(1)}; 1627 for (Value *&i : Param) { 1628 if (i->getType()->isPointerTy()) 1629 i = IRB.CreatePointerCast(i, IntptrTy); 1630 } 1631 IRB.CreateCall(F, Param); 1632 } 1633 1634 static void doInstrumentAddress(AddressSanitizer *Pass, Instruction *I, 1635 Instruction *InsertBefore, Value *Addr, 1636 MaybeAlign Alignment, unsigned Granularity, 1637 uint32_t TypeSize, bool IsWrite, 1638 Value *SizeArgument, bool UseCalls, 1639 uint32_t Exp) { 1640 // Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check 1641 // if the data is properly aligned. 1642 if ((TypeSize == 8 || TypeSize == 16 || TypeSize == 32 || TypeSize == 64 || 1643 TypeSize == 128) && 1644 (!Alignment || *Alignment >= Granularity || *Alignment >= TypeSize / 8)) 1645 return Pass->instrumentAddress(I, InsertBefore, Addr, TypeSize, IsWrite, 1646 nullptr, UseCalls, Exp); 1647 Pass->instrumentUnusualSizeOrAlignment(I, InsertBefore, Addr, TypeSize, 1648 IsWrite, nullptr, UseCalls, Exp); 1649 } 1650 1651 static void instrumentMaskedLoadOrStore(AddressSanitizer *Pass, 1652 const DataLayout &DL, Type *IntptrTy, 1653 Value *Mask, Instruction *I, 1654 Value *Addr, MaybeAlign Alignment, 1655 unsigned Granularity, uint32_t TypeSize, 1656 bool IsWrite, Value *SizeArgument, 1657 bool UseCalls, uint32_t Exp) { 1658 auto *VTy = cast<FixedVectorType>( 1659 cast<PointerType>(Addr->getType())->getElementType()); 1660 uint64_t ElemTypeSize = DL.getTypeStoreSizeInBits(VTy->getScalarType()); 1661 unsigned Num = VTy->getNumElements(); 1662 auto Zero = ConstantInt::get(IntptrTy, 0); 1663 for (unsigned Idx = 0; Idx < Num; ++Idx) { 1664 Value *InstrumentedAddress = nullptr; 1665 Instruction *InsertBefore = I; 1666 if (auto *Vector = dyn_cast<ConstantVector>(Mask)) { 1667 // dyn_cast as we might get UndefValue 1668 if (auto *Masked = dyn_cast<ConstantInt>(Vector->getOperand(Idx))) { 1669 if (Masked->isZero()) 1670 // Mask is constant false, so no instrumentation needed. 
1671 continue; 1672 // If we have a true or undef value, fall through to doInstrumentAddress 1673 // with InsertBefore == I 1674 } 1675 } else { 1676 IRBuilder<> IRB(I); 1677 Value *MaskElem = IRB.CreateExtractElement(Mask, Idx); 1678 Instruction *ThenTerm = SplitBlockAndInsertIfThen(MaskElem, I, false); 1679 InsertBefore = ThenTerm; 1680 } 1681 1682 IRBuilder<> IRB(InsertBefore); 1683 InstrumentedAddress = 1684 IRB.CreateGEP(VTy, Addr, {Zero, ConstantInt::get(IntptrTy, Idx)}); 1685 doInstrumentAddress(Pass, I, InsertBefore, InstrumentedAddress, Alignment, 1686 Granularity, ElemTypeSize, IsWrite, SizeArgument, 1687 UseCalls, Exp); 1688 } 1689 } 1690 1691 void AddressSanitizer::instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis, 1692 InterestingMemoryOperand &O, bool UseCalls, 1693 const DataLayout &DL) { 1694 Value *Addr = O.getPtr(); 1695 1696 // Optimization experiments. 1697 // The experiments can be used to evaluate potential optimizations that remove 1698 // instrumentation (assess false negatives). Instead of completely removing 1699 // some instrumentation, you set Exp to a non-zero value (mask of optimization 1700 // experiments that want to remove instrumentation of this instruction). 1701 // If Exp is non-zero, this pass will emit special calls into runtime 1702 // (e.g. __asan_report_exp_load1 instead of __asan_report_load1). These calls 1703 // make runtime terminate the program in a special way (with a different 1704 // exit status). Then you run the new compiler on a buggy corpus, collect 1705 // the special terminations (ideally, you don't see them at all -- no false 1706 // negatives) and make the decision on the optimization. 1707 uint32_t Exp = ClForceExperiment; 1708 1709 if (ClOpt && ClOptGlobals) { 1710 // If initialization order checking is disabled, a simple access to a 1711 // dynamically initialized global is always valid. 1712 GlobalVariable *G = dyn_cast<GlobalVariable>(getUnderlyingObject(Addr)); 1713 if (G && (!ClInitializers || GlobalIsLinkerInitialized(G)) && 1714 isSafeAccess(ObjSizeVis, Addr, O.TypeSize)) { 1715 NumOptimizedAccessesToGlobalVar++; 1716 return; 1717 } 1718 } 1719 1720 if (ClOpt && ClOptStack) { 1721 // A direct inbounds access to a stack variable is always valid. 1722 if (isa<AllocaInst>(getUnderlyingObject(Addr)) && 1723 isSafeAccess(ObjSizeVis, Addr, O.TypeSize)) { 1724 NumOptimizedAccessesToStackVar++; 1725 return; 1726 } 1727 } 1728 1729 if (O.IsWrite) 1730 NumInstrumentedWrites++; 1731 else 1732 NumInstrumentedReads++; 1733 1734 unsigned Granularity = 1 << Mapping.Scale; 1735 if (O.MaybeMask) { 1736 instrumentMaskedLoadOrStore(this, DL, IntptrTy, O.MaybeMask, O.getInsn(), 1737 Addr, O.Alignment, Granularity, O.TypeSize, 1738 O.IsWrite, nullptr, UseCalls, Exp); 1739 } else { 1740 doInstrumentAddress(this, O.getInsn(), O.getInsn(), Addr, O.Alignment, 1741 Granularity, O.TypeSize, O.IsWrite, nullptr, UseCalls, 1742 Exp); 1743 } 1744 } 1745 1746 Instruction *AddressSanitizer::generateCrashCode(Instruction *InsertBefore, 1747 Value *Addr, bool IsWrite, 1748 size_t AccessSizeIndex, 1749 Value *SizeArgument, 1750 uint32_t Exp) { 1751 IRBuilder<> IRB(InsertBefore); 1752 Value *ExpVal = Exp == 0 ? 
nullptr : ConstantInt::get(IRB.getInt32Ty(), Exp); 1753 CallInst *Call = nullptr; 1754 if (SizeArgument) { 1755 if (Exp == 0) 1756 Call = IRB.CreateCall(AsanErrorCallbackSized[IsWrite][0], 1757 {Addr, SizeArgument}); 1758 else 1759 Call = IRB.CreateCall(AsanErrorCallbackSized[IsWrite][1], 1760 {Addr, SizeArgument, ExpVal}); 1761 } else { 1762 if (Exp == 0) 1763 Call = 1764 IRB.CreateCall(AsanErrorCallback[IsWrite][0][AccessSizeIndex], Addr); 1765 else 1766 Call = IRB.CreateCall(AsanErrorCallback[IsWrite][1][AccessSizeIndex], 1767 {Addr, ExpVal}); 1768 } 1769 1770 Call->setCannotMerge(); 1771 return Call; 1772 } 1773 1774 Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 1775 Value *ShadowValue, 1776 uint32_t TypeSize) { 1777 size_t Granularity = static_cast<size_t>(1) << Mapping.Scale; 1778 // Addr & (Granularity - 1) 1779 Value *LastAccessedByte = 1780 IRB.CreateAnd(AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 1781 // (Addr & (Granularity - 1)) + size - 1 1782 if (TypeSize / 8 > 1) 1783 LastAccessedByte = IRB.CreateAdd( 1784 LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 1785 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 1786 LastAccessedByte = 1787 IRB.CreateIntCast(LastAccessedByte, ShadowValue->getType(), false); 1788 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 1789 return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue); 1790 } 1791 1792 Instruction *AddressSanitizer::instrumentAMDGPUAddress( 1793 Instruction *OrigIns, Instruction *InsertBefore, Value *Addr, 1794 uint32_t TypeSize, bool IsWrite, Value *SizeArgument) { 1795 // Do not instrument unsupported addrspaces. 1796 if (isUnsupportedAMDGPUAddrspace(Addr)) 1797 return nullptr; 1798 Type *PtrTy = cast<PointerType>(Addr->getType()->getScalarType()); 1799 // Follow host instrumentation for global and constant addresses. 1800 if (PtrTy->getPointerAddressSpace() != 0) 1801 return InsertBefore; 1802 // Instrument generic addresses in supported addressspaces. 
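// A generic (address space 0) pointer can still refer to LDS or scratch
// memory at run time, so the code emitted below roughly amounts to
//   if (!is_shared(p) && !is_private(p))
//     <regular shadow-memory check>
// where is_shared/is_private stand in for the AMDGPUAddressShared and
// AMDGPUAddressPrivate callees declared in initializeCallbacks().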
1803 IRBuilder<> IRB(InsertBefore); 1804 Value *AddrLong = IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()); 1805 Value *IsShared = IRB.CreateCall(AMDGPUAddressShared, {AddrLong}); 1806 Value *IsPrivate = IRB.CreateCall(AMDGPUAddressPrivate, {AddrLong}); 1807 Value *IsSharedOrPrivate = IRB.CreateOr(IsShared, IsPrivate); 1808 Value *Cmp = IRB.CreateICmpNE(IRB.getTrue(), IsSharedOrPrivate); 1809 Value *AddrSpaceZeroLanding = 1810 SplitBlockAndInsertIfThen(Cmp, InsertBefore, false); 1811 InsertBefore = cast<Instruction>(AddrSpaceZeroLanding); 1812 return InsertBefore; 1813 } 1814 1815 void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 1816 Instruction *InsertBefore, Value *Addr, 1817 uint32_t TypeSize, bool IsWrite, 1818 Value *SizeArgument, bool UseCalls, 1819 uint32_t Exp) { 1820 if (TargetTriple.isAMDGPU()) { 1821 InsertBefore = instrumentAMDGPUAddress(OrigIns, InsertBefore, Addr, 1822 TypeSize, IsWrite, SizeArgument); 1823 if (!InsertBefore) 1824 return; 1825 } 1826 1827 IRBuilder<> IRB(InsertBefore); 1828 size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize); 1829 const ASanAccessInfo AccessInfo(IsWrite, CompileKernel, AccessSizeIndex); 1830 1831 if (UseCalls && ClOptimizeCallbacks) { 1832 const ASanAccessInfo AccessInfo(IsWrite, CompileKernel, AccessSizeIndex); 1833 Module *M = IRB.GetInsertBlock()->getParent()->getParent(); 1834 IRB.CreateCall( 1835 Intrinsic::getDeclaration(M, Intrinsic::asan_check_memaccess), 1836 {IRB.CreatePointerCast(Addr, Int8PtrTy), 1837 ConstantInt::get(Int32Ty, AccessInfo.Packed)}); 1838 return; 1839 } 1840 1841 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 1842 if (UseCalls) { 1843 if (Exp == 0) 1844 IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][0][AccessSizeIndex], 1845 AddrLong); 1846 else 1847 IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][1][AccessSizeIndex], 1848 {AddrLong, ConstantInt::get(IRB.getInt32Ty(), Exp)}); 1849 return; 1850 } 1851 1852 Type *ShadowTy = 1853 IntegerType::get(*C, std::max(8U, TypeSize >> Mapping.Scale)); 1854 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 1855 Value *ShadowPtr = memToShadow(AddrLong, IRB); 1856 Value *CmpVal = Constant::getNullValue(ShadowTy); 1857 Value *ShadowValue = 1858 IRB.CreateLoad(ShadowTy, IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 1859 1860 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 1861 size_t Granularity = 1ULL << Mapping.Scale; 1862 Instruction *CrashTerm = nullptr; 1863 1864 if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) { 1865 // We use branch weights for the slow path check, to indicate that the slow 1866 // path is rarely taken. This seems to be the case for SPEC benchmarks. 
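// The generated check is roughly equivalent to (illustrative):
//   int8_t Shadow = *(int8_t *)MemToShadow(Addr);
//   if (Shadow != 0)                                              // fast path
//     if ((int8_t)((Addr & (Granularity - 1)) + AccessSize - 1) >= Shadow)
//       ReportError(Addr);                                        // slow path
// Here MemToShadow, AccessSize and ReportError stand for the logic implemented
// by memToShadow(), TypeSize / 8 and generateCrashCode() respectively.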
1867 Instruction *CheckTerm = SplitBlockAndInsertIfThen( 1868 Cmp, InsertBefore, false, MDBuilder(*C).createBranchWeights(1, 100000)); 1869 assert(cast<BranchInst>(CheckTerm)->isUnconditional()); 1870 BasicBlock *NextBB = CheckTerm->getSuccessor(0); 1871 IRB.SetInsertPoint(CheckTerm); 1872 Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize); 1873 if (Recover) { 1874 CrashTerm = SplitBlockAndInsertIfThen(Cmp2, CheckTerm, false); 1875 } else { 1876 BasicBlock *CrashBlock = 1877 BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); 1878 CrashTerm = new UnreachableInst(*C, CrashBlock); 1879 BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); 1880 ReplaceInstWithInst(CheckTerm, NewTerm); 1881 } 1882 } else { 1883 CrashTerm = SplitBlockAndInsertIfThen(Cmp, InsertBefore, !Recover); 1884 } 1885 1886 Instruction *Crash = generateCrashCode(CrashTerm, AddrLong, IsWrite, 1887 AccessSizeIndex, SizeArgument, Exp); 1888 Crash->setDebugLoc(OrigIns->getDebugLoc()); 1889 } 1890 1891 // Instrument unusual size or unusual alignment. 1892 // We can not do it with a single check, so we do 1-byte check for the first 1893 // and the last bytes. We call __asan_report_*_n(addr, real_size) to be able 1894 // to report the actual access size. 1895 void AddressSanitizer::instrumentUnusualSizeOrAlignment( 1896 Instruction *I, Instruction *InsertBefore, Value *Addr, uint32_t TypeSize, 1897 bool IsWrite, Value *SizeArgument, bool UseCalls, uint32_t Exp) { 1898 IRBuilder<> IRB(InsertBefore); 1899 Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8); 1900 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 1901 if (UseCalls) { 1902 if (Exp == 0) 1903 IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][0], 1904 {AddrLong, Size}); 1905 else 1906 IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][1], 1907 {AddrLong, Size, ConstantInt::get(IRB.getInt32Ty(), Exp)}); 1908 } else { 1909 Value *LastByte = IRB.CreateIntToPtr( 1910 IRB.CreateAdd(AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)), 1911 Addr->getType()); 1912 instrumentAddress(I, InsertBefore, Addr, 8, IsWrite, Size, false, Exp); 1913 instrumentAddress(I, InsertBefore, LastByte, 8, IsWrite, Size, false, Exp); 1914 } 1915 } 1916 1917 void ModuleAddressSanitizer::poisonOneInitializer(Function &GlobalInit, 1918 GlobalValue *ModuleName) { 1919 // Set up the arguments to our poison/unpoison functions. 1920 IRBuilder<> IRB(&GlobalInit.front(), 1921 GlobalInit.front().getFirstInsertionPt()); 1922 1923 // Add a call to poison all external globals before the given function starts. 1924 Value *ModuleNameAddr = ConstantExpr::getPointerCast(ModuleName, IntptrTy); 1925 IRB.CreateCall(AsanPoisonGlobals, ModuleNameAddr); 1926 1927 // Add calls to unpoison all globals before each return instruction. 1928 for (auto &BB : GlobalInit.getBasicBlockList()) 1929 if (ReturnInst *RI = dyn_cast<ReturnInst>(BB.getTerminator())) 1930 CallInst::Create(AsanUnpoisonGlobals, "", RI); 1931 } 1932 1933 void ModuleAddressSanitizer::createInitializerPoisonCalls( 1934 Module &M, GlobalValue *ModuleName) { 1935 GlobalVariable *GV = M.getGlobalVariable("llvm.global_ctors"); 1936 if (!GV) 1937 return; 1938 1939 ConstantArray *CA = dyn_cast<ConstantArray>(GV->getInitializer()); 1940 if (!CA) 1941 return; 1942 1943 for (Use &OP : CA->operands()) { 1944 if (isa<ConstantAggregateZero>(OP)) continue; 1945 ConstantStruct *CS = cast<ConstantStruct>(OP); 1946 1947 // Must have a function or null ptr. 
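// Each llvm.global_ctors entry is a constant struct of the form
// { i32 priority, constructor function, associated data (or null) },
// so operand 0 below is the priority and operand 1 is the constructor itself.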
1948 if (Function *F = dyn_cast<Function>(CS->getOperand(1))) { 1949 if (F->getName() == kAsanModuleCtorName) continue; 1950 auto *Priority = cast<ConstantInt>(CS->getOperand(0)); 1951 // Don't instrument CTORs that will run before asan.module_ctor. 1952 if (Priority->getLimitedValue() <= GetCtorAndDtorPriority(TargetTriple)) 1953 continue; 1954 poisonOneInitializer(*F, ModuleName); 1955 } 1956 } 1957 } 1958 1959 const GlobalVariable * 1960 ModuleAddressSanitizer::getExcludedAliasedGlobal(const GlobalAlias &GA) const { 1961 // In case this function should be expanded to include rules that do not just 1962 // apply when CompileKernel is true, either guard all existing rules with an 1963 // 'if (CompileKernel) { ... }' or be absolutely sure that all these rules 1964 // should also apply to user space. 1965 assert(CompileKernel && "Only expecting to be called when compiling kernel"); 1966 1967 const Constant *C = GA.getAliasee(); 1968 1969 // When compiling the kernel, globals that are aliased by symbols prefixed 1970 // by "__" are special and cannot be padded with a redzone. 1971 if (GA.getName().startswith("__")) 1972 return dyn_cast<GlobalVariable>(C->stripPointerCastsAndAliases()); 1973 1974 return nullptr; 1975 } 1976 1977 bool ModuleAddressSanitizer::shouldInstrumentGlobal(GlobalVariable *G) const { 1978 Type *Ty = G->getValueType(); 1979 LLVM_DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); 1980 1981 // FIXME: Metadata should be attched directly to the global directly instead 1982 // of being added to llvm.asan.globals. 1983 if (GlobalsMD.get(G).IsExcluded) return false; 1984 if (!Ty->isSized()) return false; 1985 if (!G->hasInitializer()) return false; 1986 // Globals in address space 1 and 4 are supported for AMDGPU. 1987 if (G->getAddressSpace() && 1988 !(TargetTriple.isAMDGPU() && !isUnsupportedAMDGPUAddrspace(G))) 1989 return false; 1990 if (GlobalWasGeneratedByCompiler(G)) return false; // Our own globals. 1991 // Two problems with thread-locals: 1992 // - The address of the main thread's copy can't be computed at link-time. 1993 // - Need to poison all copies, not just the main thread's one. 1994 if (G->isThreadLocal()) return false; 1995 // For now, just ignore this Global if the alignment is large. 1996 if (G->getAlignment() > getMinRedzoneSizeForGlobal()) return false; 1997 1998 // For non-COFF targets, only instrument globals known to be defined by this 1999 // TU. 2000 // FIXME: We can instrument comdat globals on ELF if we are using the 2001 // GC-friendly metadata scheme. 2002 if (!TargetTriple.isOSBinFormatCOFF()) { 2003 if (!G->hasExactDefinition() || G->hasComdat()) 2004 return false; 2005 } else { 2006 // On COFF, don't instrument non-ODR linkages. 2007 if (G->isInterposable()) 2008 return false; 2009 } 2010 2011 // If a comdat is present, it must have a selection kind that implies ODR 2012 // semantics: no duplicates, any, or exact match. 2013 if (Comdat *C = G->getComdat()) { 2014 switch (C->getSelectionKind()) { 2015 case Comdat::Any: 2016 case Comdat::ExactMatch: 2017 case Comdat::NoDeduplicate: 2018 break; 2019 case Comdat::Largest: 2020 case Comdat::SameSize: 2021 return false; 2022 } 2023 } 2024 2025 if (G->hasSection()) { 2026 // The kernel uses explicit sections for mostly special global variables 2027 // that we should not instrument. E.g. the kernel may rely on their layout 2028 // without redzones, or remove them at link time ("discard.*"), etc. 
2029 if (CompileKernel) 2030 return false; 2031 2032 StringRef Section = G->getSection(); 2033 2034 // Globals from llvm.metadata aren't emitted, do not instrument them. 2035 if (Section == "llvm.metadata") return false; 2036 // Do not instrument globals from special LLVM sections. 2037 if (Section.contains("__llvm") || Section.contains("__LLVM")) 2038 return false; 2039 2040 // Do not instrument function pointers to initialization and termination 2041 // routines: dynamic linker will not properly handle redzones. 2042 if (Section.startswith(".preinit_array") || 2043 Section.startswith(".init_array") || 2044 Section.startswith(".fini_array")) { 2045 return false; 2046 } 2047 2048 // Do not instrument user-defined sections (with names resembling 2049 // valid C identifiers) 2050 if (TargetTriple.isOSBinFormatELF()) { 2051 if (llvm::all_of(Section, 2052 [](char c) { return llvm::isAlnum(c) || c == '_'; })) 2053 return false; 2054 } 2055 2056 // On COFF, if the section name contains '$', it is highly likely that the 2057 // user is using section sorting to create an array of globals similar to 2058 // the way initialization callbacks are registered in .init_array and 2059 // .CRT$XCU. The ATL also registers things in .ATL$__[azm]. Adding redzones 2060 // to such globals is counterproductive, because the intent is that they 2061 // will form an array, and out-of-bounds accesses are expected. 2062 // See https://github.com/google/sanitizers/issues/305 2063 // and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx 2064 if (TargetTriple.isOSBinFormatCOFF() && Section.contains('$')) { 2065 LLVM_DEBUG(dbgs() << "Ignoring global in sorted section (contains '$'): " 2066 << *G << "\n"); 2067 return false; 2068 } 2069 2070 if (TargetTriple.isOSBinFormatMachO()) { 2071 StringRef ParsedSegment, ParsedSection; 2072 unsigned TAA = 0, StubSize = 0; 2073 bool TAAParsed; 2074 cantFail(MCSectionMachO::ParseSectionSpecifier( 2075 Section, ParsedSegment, ParsedSection, TAA, TAAParsed, StubSize)); 2076 2077 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 2078 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 2079 // them. 2080 if (ParsedSegment == "__OBJC" || 2081 (ParsedSegment == "__DATA" && ParsedSection.startswith("__objc_"))) { 2082 LLVM_DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G << "\n"); 2083 return false; 2084 } 2085 // See https://github.com/google/sanitizers/issues/32 2086 // Constant CFString instances are compiled in the following way: 2087 // -- the string buffer is emitted into 2088 // __TEXT,__cstring,cstring_literals 2089 // -- the constant NSConstantString structure referencing that buffer 2090 // is placed into __DATA,__cfstring 2091 // Therefore there's no point in placing redzones into __DATA,__cfstring. 2092 // Moreover, it causes the linker to crash on OS X 10.7 2093 if (ParsedSegment == "__DATA" && ParsedSection == "__cfstring") { 2094 LLVM_DEBUG(dbgs() << "Ignoring CFString: " << *G << "\n"); 2095 return false; 2096 } 2097 // The linker merges the contents of cstring_literals and removes the 2098 // trailing zeroes. 2099 if (ParsedSegment == "__TEXT" && (TAA & MachO::S_CSTRING_LITERALS)) { 2100 LLVM_DEBUG(dbgs() << "Ignoring a cstring literal: " << *G << "\n"); 2101 return false; 2102 } 2103 } 2104 } 2105 2106 if (CompileKernel) { 2107 // Globals that prefixed by "__" are special and cannot be padded with a 2108 // redzone. 
2109 if (G->getName().startswith("__")) 2110 return false; 2111 } 2112 2113 return true; 2114 } 2115 2116 // On Mach-O platforms, we emit global metadata in a separate section of the 2117 // binary in order to allow the linker to properly dead strip. This is only 2118 // supported on recent versions of ld64. 2119 bool ModuleAddressSanitizer::ShouldUseMachOGlobalsSection() const { 2120 if (!TargetTriple.isOSBinFormatMachO()) 2121 return false; 2122 2123 if (TargetTriple.isMacOSX() && !TargetTriple.isMacOSXVersionLT(10, 11)) 2124 return true; 2125 if (TargetTriple.isiOS() /* or tvOS */ && !TargetTriple.isOSVersionLT(9)) 2126 return true; 2127 if (TargetTriple.isWatchOS() && !TargetTriple.isOSVersionLT(2)) 2128 return true; 2129 2130 return false; 2131 } 2132 2133 StringRef ModuleAddressSanitizer::getGlobalMetadataSection() const { 2134 switch (TargetTriple.getObjectFormat()) { 2135 case Triple::COFF: return ".ASAN$GL"; 2136 case Triple::ELF: return "asan_globals"; 2137 case Triple::MachO: return "__DATA,__asan_globals,regular"; 2138 case Triple::Wasm: 2139 case Triple::GOFF: 2140 case Triple::XCOFF: 2141 report_fatal_error( 2142 "ModuleAddressSanitizer not implemented for object file format"); 2143 case Triple::UnknownObjectFormat: 2144 break; 2145 } 2146 llvm_unreachable("unsupported object format"); 2147 } 2148 2149 void ModuleAddressSanitizer::initializeCallbacks(Module &M) { 2150 IRBuilder<> IRB(*C); 2151 2152 // Declare our poisoning and unpoisoning functions. 2153 AsanPoisonGlobals = 2154 M.getOrInsertFunction(kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy); 2155 AsanUnpoisonGlobals = 2156 M.getOrInsertFunction(kAsanUnpoisonGlobalsName, IRB.getVoidTy()); 2157 2158 // Declare functions that register/unregister globals. 2159 AsanRegisterGlobals = M.getOrInsertFunction( 2160 kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy); 2161 AsanUnregisterGlobals = M.getOrInsertFunction( 2162 kAsanUnregisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy); 2163 2164 // Declare the functions that find globals in a shared object and then invoke 2165 // the (un)register function on them. 2166 AsanRegisterImageGlobals = M.getOrInsertFunction( 2167 kAsanRegisterImageGlobalsName, IRB.getVoidTy(), IntptrTy); 2168 AsanUnregisterImageGlobals = M.getOrInsertFunction( 2169 kAsanUnregisterImageGlobalsName, IRB.getVoidTy(), IntptrTy); 2170 2171 AsanRegisterElfGlobals = 2172 M.getOrInsertFunction(kAsanRegisterElfGlobalsName, IRB.getVoidTy(), 2173 IntptrTy, IntptrTy, IntptrTy); 2174 AsanUnregisterElfGlobals = 2175 M.getOrInsertFunction(kAsanUnregisterElfGlobalsName, IRB.getVoidTy(), 2176 IntptrTy, IntptrTy, IntptrTy); 2177 } 2178 2179 // Put the metadata and the instrumented global in the same group. This ensures 2180 // that the metadata is discarded if the instrumented global is discarded. 2181 void ModuleAddressSanitizer::SetComdatForGlobalMetadata( 2182 GlobalVariable *G, GlobalVariable *Metadata, StringRef InternalSuffix) { 2183 Module &M = *G->getParent(); 2184 Comdat *C = G->getComdat(); 2185 if (!C) { 2186 if (!G->hasName()) { 2187 // If G is unnamed, it must be internal. Give it an artificial name 2188 // so we can put it in a comdat. 
2189 assert(G->hasLocalLinkage()); 2190 G->setName(Twine(kAsanGenPrefix) + "_anon_global"); 2191 } 2192 2193 if (!InternalSuffix.empty() && G->hasLocalLinkage()) { 2194 std::string Name = std::string(G->getName()); 2195 Name += InternalSuffix; 2196 C = M.getOrInsertComdat(Name); 2197 } else { 2198 C = M.getOrInsertComdat(G->getName()); 2199 } 2200 2201 // Make this IMAGE_COMDAT_SELECT_NODUPLICATES on COFF. Also upgrade private 2202 // linkage to internal linkage so that a symbol table entry is emitted. This 2203 // is necessary in order to create the comdat group. 2204 if (TargetTriple.isOSBinFormatCOFF()) { 2205 C->setSelectionKind(Comdat::NoDeduplicate); 2206 if (G->hasPrivateLinkage()) 2207 G->setLinkage(GlobalValue::InternalLinkage); 2208 } 2209 G->setComdat(C); 2210 } 2211 2212 assert(G->hasComdat()); 2213 Metadata->setComdat(G->getComdat()); 2214 } 2215 2216 // Create a separate metadata global and put it in the appropriate ASan 2217 // global registration section. 2218 GlobalVariable * 2219 ModuleAddressSanitizer::CreateMetadataGlobal(Module &M, Constant *Initializer, 2220 StringRef OriginalName) { 2221 auto Linkage = TargetTriple.isOSBinFormatMachO() 2222 ? GlobalVariable::InternalLinkage 2223 : GlobalVariable::PrivateLinkage; 2224 GlobalVariable *Metadata = new GlobalVariable( 2225 M, Initializer->getType(), false, Linkage, Initializer, 2226 Twine("__asan_global_") + GlobalValue::dropLLVMManglingEscape(OriginalName)); 2227 Metadata->setSection(getGlobalMetadataSection()); 2228 return Metadata; 2229 } 2230 2231 Instruction *ModuleAddressSanitizer::CreateAsanModuleDtor(Module &M) { 2232 AsanDtorFunction = Function::createWithDefaultAttr( 2233 FunctionType::get(Type::getVoidTy(*C), false), 2234 GlobalValue::InternalLinkage, 0, kAsanModuleDtorName, &M); 2235 AsanDtorFunction->addFnAttr(Attribute::NoUnwind); 2236 // Ensure Dtor cannot be discarded, even if in a comdat. 2237 appendToUsed(M, {AsanDtorFunction}); 2238 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 2239 2240 return ReturnInst::Create(*C, AsanDtorBB); 2241 } 2242 2243 void ModuleAddressSanitizer::InstrumentGlobalsCOFF( 2244 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 2245 ArrayRef<Constant *> MetadataInitializers) { 2246 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 2247 auto &DL = M.getDataLayout(); 2248 2249 SmallVector<GlobalValue *, 16> MetadataGlobals(ExtendedGlobals.size()); 2250 for (size_t i = 0; i < ExtendedGlobals.size(); i++) { 2251 Constant *Initializer = MetadataInitializers[i]; 2252 GlobalVariable *G = ExtendedGlobals[i]; 2253 GlobalVariable *Metadata = 2254 CreateMetadataGlobal(M, Initializer, G->getName()); 2255 MDNode *MD = MDNode::get(M.getContext(), ValueAsMetadata::get(G)); 2256 Metadata->setMetadata(LLVMContext::MD_associated, MD); 2257 MetadataGlobals[i] = Metadata; 2258 2259 // The MSVC linker always inserts padding when linking incrementally. We 2260 // cope with that by aligning each struct to its size, which must be a power 2261 // of two. 2262 unsigned SizeOfGlobalStruct = DL.getTypeAllocSize(Initializer->getType()); 2263 assert(isPowerOf2_32(SizeOfGlobalStruct) && 2264 "global metadata will not be padded appropriately"); 2265 Metadata->setAlignment(assumeAligned(SizeOfGlobalStruct)); 2266 2267 SetComdatForGlobalMetadata(G, Metadata, ""); 2268 } 2269 2270 // Update llvm.compiler.used, adding the new metadata globals. This is 2271 // needed so that during LTO these variables stay alive. 
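// Note that llvm.compiler.used only protects these globals from the compiler
// and from LTO-time dead code elimination; unlike llvm.used it imposes no
// retention requirement on the linker, so section-based dead stripping of the
// metadata (together with its associated global) still works.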
2272 if (!MetadataGlobals.empty())
2273 appendToCompilerUsed(M, MetadataGlobals);
2274 }
2275
2276 void ModuleAddressSanitizer::InstrumentGlobalsELF(
2277 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals,
2278 ArrayRef<Constant *> MetadataInitializers,
2279 const std::string &UniqueModuleId) {
2280 assert(ExtendedGlobals.size() == MetadataInitializers.size());
2281
2282 // Putting globals in a comdat changes the semantics and can potentially
2283 // cause false-negative ODR violations at link time. If ODR indicators are
2284 // used, we keep the comdat sections, as link-time ODR violations will be
2285 // detected on the ODR indicator symbols.
2286 bool UseComdatForGlobalsGC = UseOdrIndicator;
2287
2288 SmallVector<GlobalValue *, 16> MetadataGlobals(ExtendedGlobals.size());
2289 for (size_t i = 0; i < ExtendedGlobals.size(); i++) {
2290 GlobalVariable *G = ExtendedGlobals[i];
2291 GlobalVariable *Metadata =
2292 CreateMetadataGlobal(M, MetadataInitializers[i], G->getName());
2293 MDNode *MD = MDNode::get(M.getContext(), ValueAsMetadata::get(G));
2294 Metadata->setMetadata(LLVMContext::MD_associated, MD);
2295 MetadataGlobals[i] = Metadata;
2296
2297 if (UseComdatForGlobalsGC)
2298 SetComdatForGlobalMetadata(G, Metadata, UniqueModuleId);
2299 }
2300
2301 // Update llvm.compiler.used, adding the new metadata globals. This is
2302 // needed so that during LTO these variables stay alive.
2303 if (!MetadataGlobals.empty())
2304 appendToCompilerUsed(M, MetadataGlobals);
2305
2306 // RegisteredFlag serves two purposes. First, we can pass it to dladdr()
2307 // to look up the loaded image that contains it. Second, we can store in it
2308 // whether registration has already occurred, to prevent duplicate
2309 // registration.
2310 //
2311 // Common linkage ensures that there is only one global per shared library.
2312 GlobalVariable *RegisteredFlag = new GlobalVariable(
2313 M, IntptrTy, false, GlobalVariable::CommonLinkage,
2314 ConstantInt::get(IntptrTy, 0), kAsanGlobalsRegisteredFlagName);
2315 RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility);
2316
2317 // Create start and stop symbols.
2318 GlobalVariable *StartELFMetadata = new GlobalVariable(
2319 M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr,
2320 "__start_" + getGlobalMetadataSection());
2321 StartELFMetadata->setVisibility(GlobalVariable::HiddenVisibility);
2322 GlobalVariable *StopELFMetadata = new GlobalVariable(
2323 M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr,
2324 "__stop_" + getGlobalMetadataSection());
2325 StopELFMetadata->setVisibility(GlobalVariable::HiddenVisibility);
2326
2327 // Create a call to register the globals with the runtime.
2328 IRB.CreateCall(AsanRegisterElfGlobals,
2329 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy),
2330 IRB.CreatePointerCast(StartELFMetadata, IntptrTy),
2331 IRB.CreatePointerCast(StopELFMetadata, IntptrTy)});
2332
2333 // We also need to unregister globals at the end, e.g., when a shared library
2334 // gets closed.
2335 if (DestructorKind != AsanDtorKind::None) { 2336 IRBuilder<> IrbDtor(CreateAsanModuleDtor(M)); 2337 IrbDtor.CreateCall(AsanUnregisterElfGlobals, 2338 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy), 2339 IRB.CreatePointerCast(StartELFMetadata, IntptrTy), 2340 IRB.CreatePointerCast(StopELFMetadata, IntptrTy)}); 2341 } 2342 } 2343 2344 void ModuleAddressSanitizer::InstrumentGlobalsMachO( 2345 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 2346 ArrayRef<Constant *> MetadataInitializers) { 2347 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 2348 2349 // On recent Mach-O platforms, use a structure which binds the liveness of 2350 // the global variable to the metadata struct. Keep the list of "Liveness" GV 2351 // created to be added to llvm.compiler.used 2352 StructType *LivenessTy = StructType::get(IntptrTy, IntptrTy); 2353 SmallVector<GlobalValue *, 16> LivenessGlobals(ExtendedGlobals.size()); 2354 2355 for (size_t i = 0; i < ExtendedGlobals.size(); i++) { 2356 Constant *Initializer = MetadataInitializers[i]; 2357 GlobalVariable *G = ExtendedGlobals[i]; 2358 GlobalVariable *Metadata = 2359 CreateMetadataGlobal(M, Initializer, G->getName()); 2360 2361 // On recent Mach-O platforms, we emit the global metadata in a way that 2362 // allows the linker to properly strip dead globals. 2363 auto LivenessBinder = 2364 ConstantStruct::get(LivenessTy, Initializer->getAggregateElement(0u), 2365 ConstantExpr::getPointerCast(Metadata, IntptrTy)); 2366 GlobalVariable *Liveness = new GlobalVariable( 2367 M, LivenessTy, false, GlobalVariable::InternalLinkage, LivenessBinder, 2368 Twine("__asan_binder_") + G->getName()); 2369 Liveness->setSection("__DATA,__asan_liveness,regular,live_support"); 2370 LivenessGlobals[i] = Liveness; 2371 } 2372 2373 // Update llvm.compiler.used, adding the new liveness globals. This is 2374 // needed so that during LTO these variables stay alive. The alternative 2375 // would be to have the linker handling the LTO symbols, but libLTO 2376 // current API does not expose access to the section for each symbol. 2377 if (!LivenessGlobals.empty()) 2378 appendToCompilerUsed(M, LivenessGlobals); 2379 2380 // RegisteredFlag serves two purposes. First, we can pass it to dladdr() 2381 // to look up the loaded image that contains it. Second, we can store in it 2382 // whether registration has already occurred, to prevent duplicate 2383 // registration. 2384 // 2385 // common linkage ensures that there is only one global per shared library. 2386 GlobalVariable *RegisteredFlag = new GlobalVariable( 2387 M, IntptrTy, false, GlobalVariable::CommonLinkage, 2388 ConstantInt::get(IntptrTy, 0), kAsanGlobalsRegisteredFlagName); 2389 RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility); 2390 2391 IRB.CreateCall(AsanRegisterImageGlobals, 2392 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy)}); 2393 2394 // We also need to unregister globals at the end, e.g., when a shared library 2395 // gets closed. 
2396 if (DestructorKind != AsanDtorKind::None) { 2397 IRBuilder<> IrbDtor(CreateAsanModuleDtor(M)); 2398 IrbDtor.CreateCall(AsanUnregisterImageGlobals, 2399 {IRB.CreatePointerCast(RegisteredFlag, IntptrTy)}); 2400 } 2401 } 2402 2403 void ModuleAddressSanitizer::InstrumentGlobalsWithMetadataArray( 2404 IRBuilder<> &IRB, Module &M, ArrayRef<GlobalVariable *> ExtendedGlobals, 2405 ArrayRef<Constant *> MetadataInitializers) { 2406 assert(ExtendedGlobals.size() == MetadataInitializers.size()); 2407 unsigned N = ExtendedGlobals.size(); 2408 assert(N > 0); 2409 2410 // On platforms that don't have a custom metadata section, we emit an array 2411 // of global metadata structures. 2412 ArrayType *ArrayOfGlobalStructTy = 2413 ArrayType::get(MetadataInitializers[0]->getType(), N); 2414 auto AllGlobals = new GlobalVariable( 2415 M, ArrayOfGlobalStructTy, false, GlobalVariable::InternalLinkage, 2416 ConstantArray::get(ArrayOfGlobalStructTy, MetadataInitializers), ""); 2417 if (Mapping.Scale > 3) 2418 AllGlobals->setAlignment(Align(1ULL << Mapping.Scale)); 2419 2420 IRB.CreateCall(AsanRegisterGlobals, 2421 {IRB.CreatePointerCast(AllGlobals, IntptrTy), 2422 ConstantInt::get(IntptrTy, N)}); 2423 2424 // We also need to unregister globals at the end, e.g., when a shared library 2425 // gets closed. 2426 if (DestructorKind != AsanDtorKind::None) { 2427 IRBuilder<> IrbDtor(CreateAsanModuleDtor(M)); 2428 IrbDtor.CreateCall(AsanUnregisterGlobals, 2429 {IRB.CreatePointerCast(AllGlobals, IntptrTy), 2430 ConstantInt::get(IntptrTy, N)}); 2431 } 2432 } 2433 2434 // This function replaces all global variables with new variables that have 2435 // trailing redzones. It also creates a function that poisons 2436 // redzones and inserts this function into llvm.global_ctors. 2437 // Sets *CtorComdat to true if the global registration code emitted into the 2438 // asan constructor is comdat-compatible. 2439 bool ModuleAddressSanitizer::InstrumentGlobals(IRBuilder<> &IRB, Module &M, 2440 bool *CtorComdat) { 2441 *CtorComdat = false; 2442 2443 // Build set of globals that are aliased by some GA, where 2444 // getExcludedAliasedGlobal(GA) returns the relevant GlobalVariable. 2445 SmallPtrSet<const GlobalVariable *, 16> AliasedGlobalExclusions; 2446 if (CompileKernel) { 2447 for (auto &GA : M.aliases()) { 2448 if (const GlobalVariable *GV = getExcludedAliasedGlobal(GA)) 2449 AliasedGlobalExclusions.insert(GV); 2450 } 2451 } 2452 2453 SmallVector<GlobalVariable *, 16> GlobalsToChange; 2454 for (auto &G : M.globals()) { 2455 if (!AliasedGlobalExclusions.count(&G) && shouldInstrumentGlobal(&G)) 2456 GlobalsToChange.push_back(&G); 2457 } 2458 2459 size_t n = GlobalsToChange.size(); 2460 if (n == 0) { 2461 *CtorComdat = true; 2462 return false; 2463 } 2464 2465 auto &DL = M.getDataLayout(); 2466 2467 // A global is described by a structure 2468 // size_t beg; 2469 // size_t size; 2470 // size_t size_with_redzone; 2471 // const char *name; 2472 // const char *module_name; 2473 // size_t has_dynamic_init; 2474 // void *source_location; 2475 // size_t odr_indicator; 2476 // We initialize an array of such structures and pass it to a run-time call. 
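// For a hypothetical global `int buf[100]`, the emitted descriptor would look
// roughly like this (values illustrative, assuming a 32-byte minimum redzone):
//   { <address of instrumented buf>, 400, 512, "buf", <module name string>,
//     /*has_dynamic_init*/ 0, <source location or 0>, <odr indicator> }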
2477 StructType *GlobalStructTy = 2478 StructType::get(IntptrTy, IntptrTy, IntptrTy, IntptrTy, IntptrTy, 2479 IntptrTy, IntptrTy, IntptrTy); 2480 SmallVector<GlobalVariable *, 16> NewGlobals(n); 2481 SmallVector<Constant *, 16> Initializers(n); 2482 2483 bool HasDynamicallyInitializedGlobals = false; 2484 2485 // We shouldn't merge same module names, as this string serves as unique 2486 // module ID in runtime. 2487 GlobalVariable *ModuleName = createPrivateGlobalForString( 2488 M, M.getModuleIdentifier(), /*AllowMerging*/ false, kAsanGenPrefix); 2489 2490 for (size_t i = 0; i < n; i++) { 2491 GlobalVariable *G = GlobalsToChange[i]; 2492 2493 // FIXME: Metadata should be attched directly to the global directly instead 2494 // of being added to llvm.asan.globals. 2495 auto MD = GlobalsMD.get(G); 2496 StringRef NameForGlobal = G->getName(); 2497 // Create string holding the global name (use global name from metadata 2498 // if it's available, otherwise just write the name of global variable). 2499 GlobalVariable *Name = createPrivateGlobalForString( 2500 M, MD.Name.empty() ? NameForGlobal : MD.Name, 2501 /*AllowMerging*/ true, kAsanGenPrefix); 2502 2503 Type *Ty = G->getValueType(); 2504 const uint64_t SizeInBytes = DL.getTypeAllocSize(Ty); 2505 const uint64_t RightRedzoneSize = getRedzoneSizeForGlobal(SizeInBytes); 2506 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 2507 2508 StructType *NewTy = StructType::get(Ty, RightRedZoneTy); 2509 Constant *NewInitializer = ConstantStruct::get( 2510 NewTy, G->getInitializer(), Constant::getNullValue(RightRedZoneTy)); 2511 2512 // Create a new global variable with enough space for a redzone. 2513 GlobalValue::LinkageTypes Linkage = G->getLinkage(); 2514 if (G->isConstant() && Linkage == GlobalValue::PrivateLinkage) 2515 Linkage = GlobalValue::InternalLinkage; 2516 GlobalVariable *NewGlobal = new GlobalVariable( 2517 M, NewTy, G->isConstant(), Linkage, NewInitializer, "", G, 2518 G->getThreadLocalMode(), G->getAddressSpace()); 2519 NewGlobal->copyAttributesFrom(G); 2520 NewGlobal->setComdat(G->getComdat()); 2521 NewGlobal->setAlignment(MaybeAlign(getMinRedzoneSizeForGlobal())); 2522 // Don't fold globals with redzones. ODR violation detector and redzone 2523 // poisoning implicitly creates a dependence on the global's address, so it 2524 // is no longer valid for it to be marked unnamed_addr. 2525 NewGlobal->setUnnamedAddr(GlobalValue::UnnamedAddr::None); 2526 2527 // Move null-terminated C strings to "__asan_cstring" section on Darwin. 2528 if (TargetTriple.isOSBinFormatMachO() && !G->hasSection() && 2529 G->isConstant()) { 2530 auto Seq = dyn_cast<ConstantDataSequential>(G->getInitializer()); 2531 if (Seq && Seq->isCString()) 2532 NewGlobal->setSection("__TEXT,__asan_cstring,regular"); 2533 } 2534 2535 // Transfer the debug info and type metadata. The payload starts at offset 2536 // zero so we can copy the metadata over as is. 
2537 NewGlobal->copyMetadata(G, 0); 2538 2539 Value *Indices2[2]; 2540 Indices2[0] = IRB.getInt32(0); 2541 Indices2[1] = IRB.getInt32(0); 2542 2543 G->replaceAllUsesWith( 2544 ConstantExpr::getGetElementPtr(NewTy, NewGlobal, Indices2, true)); 2545 NewGlobal->takeName(G); 2546 G->eraseFromParent(); 2547 NewGlobals[i] = NewGlobal; 2548 2549 Constant *SourceLoc; 2550 if (!MD.SourceLoc.empty()) { 2551 auto SourceLocGlobal = createPrivateGlobalForSourceLoc(M, MD.SourceLoc); 2552 SourceLoc = ConstantExpr::getPointerCast(SourceLocGlobal, IntptrTy); 2553 } else { 2554 SourceLoc = ConstantInt::get(IntptrTy, 0); 2555 } 2556 2557 Constant *ODRIndicator = ConstantExpr::getNullValue(IRB.getInt8PtrTy()); 2558 GlobalValue *InstrumentedGlobal = NewGlobal; 2559 2560 bool CanUsePrivateAliases = 2561 TargetTriple.isOSBinFormatELF() || TargetTriple.isOSBinFormatMachO() || 2562 TargetTriple.isOSBinFormatWasm(); 2563 if (CanUsePrivateAliases && UsePrivateAlias) { 2564 // Create local alias for NewGlobal to avoid crash on ODR between 2565 // instrumented and non-instrumented libraries. 2566 InstrumentedGlobal = 2567 GlobalAlias::create(GlobalValue::PrivateLinkage, "", NewGlobal); 2568 } 2569 2570 // ODR should not happen for local linkage. 2571 if (NewGlobal->hasLocalLinkage()) { 2572 ODRIndicator = ConstantExpr::getIntToPtr(ConstantInt::get(IntptrTy, -1), 2573 IRB.getInt8PtrTy()); 2574 } else if (UseOdrIndicator) { 2575 // With local aliases, we need to provide another externally visible 2576 // symbol __odr_asan_XXX to detect ODR violation. 2577 auto *ODRIndicatorSym = 2578 new GlobalVariable(M, IRB.getInt8Ty(), false, Linkage, 2579 Constant::getNullValue(IRB.getInt8Ty()), 2580 kODRGenPrefix + NameForGlobal, nullptr, 2581 NewGlobal->getThreadLocalMode()); 2582 2583 // Set meaningful attributes for indicator symbol. 2584 ODRIndicatorSym->setVisibility(NewGlobal->getVisibility()); 2585 ODRIndicatorSym->setDLLStorageClass(NewGlobal->getDLLStorageClass()); 2586 ODRIndicatorSym->setAlignment(Align(1)); 2587 ODRIndicator = ODRIndicatorSym; 2588 } 2589 2590 Constant *Initializer = ConstantStruct::get( 2591 GlobalStructTy, 2592 ConstantExpr::getPointerCast(InstrumentedGlobal, IntptrTy), 2593 ConstantInt::get(IntptrTy, SizeInBytes), 2594 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 2595 ConstantExpr::getPointerCast(Name, IntptrTy), 2596 ConstantExpr::getPointerCast(ModuleName, IntptrTy), 2597 ConstantInt::get(IntptrTy, MD.IsDynInit), SourceLoc, 2598 ConstantExpr::getPointerCast(ODRIndicator, IntptrTy)); 2599 2600 if (ClInitializers && MD.IsDynInit) HasDynamicallyInitializedGlobals = true; 2601 2602 LLVM_DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); 2603 2604 Initializers[i] = Initializer; 2605 } 2606 2607 // Add instrumented globals to llvm.compiler.used list to avoid LTO from 2608 // ConstantMerge'ing them. 2609 SmallVector<GlobalValue *, 16> GlobalsToAddToUsedList; 2610 for (size_t i = 0; i < n; i++) { 2611 GlobalVariable *G = NewGlobals[i]; 2612 if (G->getName().empty()) continue; 2613 GlobalsToAddToUsedList.push_back(G); 2614 } 2615 appendToCompilerUsed(M, ArrayRef<GlobalValue *>(GlobalsToAddToUsedList)); 2616 2617 std::string ELFUniqueModuleId = 2618 (UseGlobalsGC && TargetTriple.isOSBinFormatELF()) ? 
getUniqueModuleId(&M) 2619 : ""; 2620 2621 if (!ELFUniqueModuleId.empty()) { 2622 InstrumentGlobalsELF(IRB, M, NewGlobals, Initializers, ELFUniqueModuleId); 2623 *CtorComdat = true; 2624 } else if (UseGlobalsGC && TargetTriple.isOSBinFormatCOFF()) { 2625 InstrumentGlobalsCOFF(IRB, M, NewGlobals, Initializers); 2626 } else if (UseGlobalsGC && ShouldUseMachOGlobalsSection()) { 2627 InstrumentGlobalsMachO(IRB, M, NewGlobals, Initializers); 2628 } else { 2629 InstrumentGlobalsWithMetadataArray(IRB, M, NewGlobals, Initializers); 2630 } 2631 2632 // Create calls for poisoning before initializers run and unpoisoning after. 2633 if (HasDynamicallyInitializedGlobals) 2634 createInitializerPoisonCalls(M, ModuleName); 2635 2636 LLVM_DEBUG(dbgs() << M); 2637 return true; 2638 } 2639 2640 uint64_t 2641 ModuleAddressSanitizer::getRedzoneSizeForGlobal(uint64_t SizeInBytes) const { 2642 constexpr uint64_t kMaxRZ = 1 << 18; 2643 const uint64_t MinRZ = getMinRedzoneSizeForGlobal(); 2644 2645 uint64_t RZ = 0; 2646 if (SizeInBytes <= MinRZ / 2) { 2647 // Reduce redzone size for small size objects, e.g. int, char[1]. MinRZ is 2648 // at least 32 bytes, optimize when SizeInBytes is less than or equal to 2649 // half of MinRZ. 2650 RZ = MinRZ - SizeInBytes; 2651 } else { 2652 // Calculate RZ, where MinRZ <= RZ <= MaxRZ, and RZ ~ 1/4 * SizeInBytes. 2653 RZ = std::max(MinRZ, std::min(kMaxRZ, (SizeInBytes / MinRZ / 4) * MinRZ)); 2654 2655 // Round up to multiple of MinRZ. 2656 if (SizeInBytes % MinRZ) 2657 RZ += MinRZ - (SizeInBytes % MinRZ); 2658 } 2659 2660 assert((RZ + SizeInBytes) % MinRZ == 0); 2661 2662 return RZ; 2663 } 2664 2665 int ModuleAddressSanitizer::GetAsanVersion(const Module &M) const { 2666 int LongSize = M.getDataLayout().getPointerSizeInBits(); 2667 bool isAndroid = Triple(M.getTargetTriple()).isAndroid(); 2668 int Version = 8; 2669 // 32-bit Android is one version ahead because of the switch to dynamic 2670 // shadow. 2671 Version += (LongSize == 32 && isAndroid); 2672 return Version; 2673 } 2674 2675 bool ModuleAddressSanitizer::instrumentModule(Module &M) { 2676 initializeCallbacks(M); 2677 2678 // Create a module constructor. A destructor is created lazily because not all 2679 // platforms, and not all modules need it. 2680 if (CompileKernel) { 2681 // The kernel always builds with its own runtime, and therefore does not 2682 // need the init and version check calls. 2683 AsanCtorFunction = createSanitizerCtor(M, kAsanModuleCtorName); 2684 } else { 2685 std::string AsanVersion = std::to_string(GetAsanVersion(M)); 2686 std::string VersionCheckName = 2687 ClInsertVersionCheck ? (kAsanVersionCheckNamePrefix + AsanVersion) : ""; 2688 std::tie(AsanCtorFunction, std::ignore) = 2689 createSanitizerCtorAndInitFunctions(M, kAsanModuleCtorName, 2690 kAsanInitName, /*InitArgTypes=*/{}, 2691 /*InitArgs=*/{}, VersionCheckName); 2692 } 2693 2694 bool CtorComdat = true; 2695 if (ClGlobals) { 2696 IRBuilder<> IRB(AsanCtorFunction->getEntryBlock().getTerminator()); 2697 InstrumentGlobals(IRB, M, &CtorComdat); 2698 } 2699 2700 const uint64_t Priority = GetCtorAndDtorPriority(TargetTriple); 2701 2702 // Put the constructor and destructor in comdat if both 2703 // (1) global instrumentation is not TU-specific 2704 // (2) target is ELF. 
2705 if (UseCtorComdat && TargetTriple.isOSBinFormatELF() && CtorComdat) { 2706 AsanCtorFunction->setComdat(M.getOrInsertComdat(kAsanModuleCtorName)); 2707 appendToGlobalCtors(M, AsanCtorFunction, Priority, AsanCtorFunction); 2708 if (AsanDtorFunction) { 2709 AsanDtorFunction->setComdat(M.getOrInsertComdat(kAsanModuleDtorName)); 2710 appendToGlobalDtors(M, AsanDtorFunction, Priority, AsanDtorFunction); 2711 } 2712 } else { 2713 appendToGlobalCtors(M, AsanCtorFunction, Priority); 2714 if (AsanDtorFunction) 2715 appendToGlobalDtors(M, AsanDtorFunction, Priority); 2716 } 2717 2718 return true; 2719 } 2720 2721 void AddressSanitizer::initializeCallbacks(Module &M) { 2722 IRBuilder<> IRB(*C); 2723 // Create __asan_report* callbacks. 2724 // IsWrite, TypeSize and Exp are encoded in the function name. 2725 for (int Exp = 0; Exp < 2; Exp++) { 2726 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 2727 const std::string TypeStr = AccessIsWrite ? "store" : "load"; 2728 const std::string ExpStr = Exp ? "exp_" : ""; 2729 const std::string EndingStr = Recover ? "_noabort" : ""; 2730 2731 SmallVector<Type *, 3> Args2 = {IntptrTy, IntptrTy}; 2732 SmallVector<Type *, 2> Args1{1, IntptrTy}; 2733 if (Exp) { 2734 Type *ExpType = Type::getInt32Ty(*C); 2735 Args2.push_back(ExpType); 2736 Args1.push_back(ExpType); 2737 } 2738 AsanErrorCallbackSized[AccessIsWrite][Exp] = M.getOrInsertFunction( 2739 kAsanReportErrorTemplate + ExpStr + TypeStr + "_n" + EndingStr, 2740 FunctionType::get(IRB.getVoidTy(), Args2, false)); 2741 2742 AsanMemoryAccessCallbackSized[AccessIsWrite][Exp] = M.getOrInsertFunction( 2743 ClMemoryAccessCallbackPrefix + ExpStr + TypeStr + "N" + EndingStr, 2744 FunctionType::get(IRB.getVoidTy(), Args2, false)); 2745 2746 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 2747 AccessSizeIndex++) { 2748 const std::string Suffix = TypeStr + itostr(1ULL << AccessSizeIndex); 2749 AsanErrorCallback[AccessIsWrite][Exp][AccessSizeIndex] = 2750 M.getOrInsertFunction( 2751 kAsanReportErrorTemplate + ExpStr + Suffix + EndingStr, 2752 FunctionType::get(IRB.getVoidTy(), Args1, false)); 2753 2754 AsanMemoryAccessCallback[AccessIsWrite][Exp][AccessSizeIndex] = 2755 M.getOrInsertFunction( 2756 ClMemoryAccessCallbackPrefix + ExpStr + Suffix + EndingStr, 2757 FunctionType::get(IRB.getVoidTy(), Args1, false)); 2758 } 2759 } 2760 } 2761 2762 const std::string MemIntrinCallbackPrefix = 2763 CompileKernel ? 
std::string("") : ClMemoryAccessCallbackPrefix; 2764 AsanMemmove = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memmove", 2765 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 2766 IRB.getInt8PtrTy(), IntptrTy); 2767 AsanMemcpy = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memcpy", 2768 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 2769 IRB.getInt8PtrTy(), IntptrTy); 2770 AsanMemset = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memset", 2771 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 2772 IRB.getInt32Ty(), IntptrTy); 2773 2774 AsanHandleNoReturnFunc = 2775 M.getOrInsertFunction(kAsanHandleNoReturnName, IRB.getVoidTy()); 2776 2777 AsanPtrCmpFunction = 2778 M.getOrInsertFunction(kAsanPtrCmp, IRB.getVoidTy(), IntptrTy, IntptrTy); 2779 AsanPtrSubFunction = 2780 M.getOrInsertFunction(kAsanPtrSub, IRB.getVoidTy(), IntptrTy, IntptrTy); 2781 if (Mapping.InGlobal) 2782 AsanShadowGlobal = M.getOrInsertGlobal("__asan_shadow", 2783 ArrayType::get(IRB.getInt8Ty(), 0)); 2784 2785 AMDGPUAddressShared = M.getOrInsertFunction( 2786 kAMDGPUAddressSharedName, IRB.getInt1Ty(), IRB.getInt8PtrTy()); 2787 AMDGPUAddressPrivate = M.getOrInsertFunction( 2788 kAMDGPUAddressPrivateName, IRB.getInt1Ty(), IRB.getInt8PtrTy()); 2789 } 2790 2791 bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 2792 // For each NSObject descendant having a +load method, this method is invoked 2793 // by the ObjC runtime before any of the static constructors is called. 2794 // Therefore we need to instrument such methods with a call to __asan_init 2795 // at the beginning in order to initialize our runtime before any access to 2796 // the shadow memory. 2797 // We cannot just ignore these methods, because they may call other 2798 // instrumented functions. 2799 if (F.getName().find(" load]") != std::string::npos) { 2800 FunctionCallee AsanInitFunction = 2801 declareSanitizerInitFunction(*F.getParent(), kAsanInitName, {}); 2802 IRBuilder<> IRB(&F.front(), F.front().begin()); 2803 IRB.CreateCall(AsanInitFunction, {}); 2804 return true; 2805 } 2806 return false; 2807 } 2808 2809 bool AddressSanitizer::maybeInsertDynamicShadowAtFunctionEntry(Function &F) { 2810 // Generate code only when dynamic addressing is needed. 2811 if (Mapping.Offset != kDynamicShadowSentinel) 2812 return false; 2813 2814 IRBuilder<> IRB(&F.front().front()); 2815 if (Mapping.InGlobal) { 2816 if (ClWithIfuncSuppressRemat) { 2817 // An empty inline asm with input reg == output reg. 2818 // An opaque pointer-to-int cast, basically. 2819 InlineAsm *Asm = InlineAsm::get( 2820 FunctionType::get(IntptrTy, {AsanShadowGlobal->getType()}, false), 2821 StringRef(""), StringRef("=r,0"), 2822 /*hasSideEffects=*/false); 2823 LocalDynamicShadow = 2824 IRB.CreateCall(Asm, {AsanShadowGlobal}, ".asan.shadow"); 2825 } else { 2826 LocalDynamicShadow = 2827 IRB.CreatePointerCast(AsanShadowGlobal, IntptrTy, ".asan.shadow"); 2828 } 2829 } else { 2830 Value *GlobalDynamicAddress = F.getParent()->getOrInsertGlobal( 2831 kAsanShadowMemoryDynamicAddress, IntptrTy); 2832 LocalDynamicShadow = IRB.CreateLoad(IntptrTy, GlobalDynamicAddress); 2833 } 2834 return true; 2835 } 2836 2837 void AddressSanitizer::markEscapedLocalAllocas(Function &F) { 2838 // Find the one possible call to llvm.localescape and pre-mark allocas passed 2839 // to it as uninteresting. This assumes we haven't started processing allocas 2840 // yet. This check is done up front because iterating the use list in 2841 // isInterestingAlloca would be algorithmically slower. 
  assert(ProcessedAllocas.empty() &&
         "must process localescape before allocas");

  // Try to get the declaration of llvm.localescape. If it's not in the module,
  // we can exit early.
  if (!F.getParent()->getFunction("llvm.localescape")) return;

  // Look for a call to llvm.localescape in the entry block. It can't be in
  // any other block.
  for (Instruction &I : F.getEntryBlock()) {
    IntrinsicInst *II = dyn_cast<IntrinsicInst>(&I);
    if (II && II->getIntrinsicID() == Intrinsic::localescape) {
      // We found a call. Mark all the allocas passed in as uninteresting.
      for (Value *Arg : II->args()) {
        AllocaInst *AI = dyn_cast<AllocaInst>(Arg->stripPointerCasts());
        assert(AI && AI->isStaticAlloca() &&
               "non-static alloca arg to localescape");
        ProcessedAllocas[AI] = false;
      }
      break;
    }
  }
}

bool AddressSanitizer::suppressInstrumentationSiteForDebug(int &Instrumented) {
  bool ShouldInstrument =
      ClDebugMin < 0 || ClDebugMax < 0 ||
      (Instrumented >= ClDebugMin && Instrumented <= ClDebugMax);
  Instrumented++;
  return !ShouldInstrument;
}

bool AddressSanitizer::instrumentFunction(Function &F,
                                          const TargetLibraryInfo *TLI) {
  if (F.empty())
    return false;
  if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false;
  if (!ClDebugFunc.empty() && ClDebugFunc == F.getName()) return false;
  if (F.getName().startswith("__asan_")) return false;

  bool FunctionModified = false;

  // If needed, insert __asan_init before checking for SanitizeAddress attr.
  // This function needs to be called even if the function body is not
  // instrumented.
  if (maybeInsertAsanInitAtFunctionEntry(F))
    FunctionModified = true;

  // Leave if the function doesn't need instrumentation.
  if (!F.hasFnAttribute(Attribute::SanitizeAddress)) return FunctionModified;

  LLVM_DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n");

  initializeCallbacks(*F.getParent());

  FunctionStateRAII CleanupObj(this);

  FunctionModified |= maybeInsertDynamicShadowAtFunctionEntry(F);

  // We can't instrument allocas used with llvm.localescape. Only static allocas
  // can be passed to that intrinsic.
  markEscapedLocalAllocas(F);

  // We want to instrument every address only once per basic block (unless there
  // are calls between uses).
  SmallPtrSet<Value *, 16> TempsToInstrument;
  SmallVector<InterestingMemoryOperand, 16> OperandsToInstrument;
  SmallVector<MemIntrinsic *, 16> IntrinToInstrument;
  SmallVector<Instruction *, 8> NoReturnCalls;
  SmallVector<BasicBlock *, 16> AllBlocks;
  SmallVector<Instruction *, 16> PointerComparisonsOrSubtracts;
  int NumAllocas = 0;

  // Fill the set of memory operations to instrument.
  for (auto &BB : F) {
    AllBlocks.push_back(&BB);
    TempsToInstrument.clear();
    int NumInsnsPerBB = 0;
    for (auto &Inst : BB) {
      if (LooksLikeCodeInBug11395(&Inst)) return false;
      SmallVector<InterestingMemoryOperand, 1> InterestingOperands;
      getInterestingMemoryOperands(&Inst, InterestingOperands);

      if (!InterestingOperands.empty()) {
        for (auto &Operand : InterestingOperands) {
          if (ClOpt && ClOptSameTemp) {
            Value *Ptr = Operand.getPtr();
            // If we have a mask, skip instrumentation if we've already
            // instrumented the full object. But don't add to TempsToInstrument
            // because we might get another load/store with a different mask.
            if (Operand.MaybeMask) {
              if (TempsToInstrument.count(Ptr))
                continue; // We've seen this (whole) temp in the current BB.
            } else {
              if (!TempsToInstrument.insert(Ptr).second)
                continue; // We've seen this temp in the current BB.
            }
          }
          OperandsToInstrument.push_back(Operand);
          NumInsnsPerBB++;
        }
      } else if (((ClInvalidPointerPairs || ClInvalidPointerCmp) &&
                  isInterestingPointerComparison(&Inst)) ||
                 ((ClInvalidPointerPairs || ClInvalidPointerSub) &&
                  isInterestingPointerSubtraction(&Inst))) {
        PointerComparisonsOrSubtracts.push_back(&Inst);
      } else if (MemIntrinsic *MI = dyn_cast<MemIntrinsic>(&Inst)) {
        // OK, take it.
        IntrinToInstrument.push_back(MI);
        NumInsnsPerBB++;
      } else {
        if (isa<AllocaInst>(Inst)) NumAllocas++;
        if (auto *CB = dyn_cast<CallBase>(&Inst)) {
          // A call inside BB.
          TempsToInstrument.clear();
          if (CB->doesNotReturn() && !CB->hasMetadata("nosanitize"))
            NoReturnCalls.push_back(CB);
        }
        if (CallInst *CI = dyn_cast<CallInst>(&Inst))
          maybeMarkSanitizerLibraryCallNoBuiltin(CI, TLI);
      }
      if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) break;
    }
  }

  bool UseCalls = (ClInstrumentationWithCallsThreshold >= 0 &&
                   OperandsToInstrument.size() + IntrinToInstrument.size() >
                       (unsigned)ClInstrumentationWithCallsThreshold);
  const DataLayout &DL = F.getParent()->getDataLayout();
  ObjectSizeOpts ObjSizeOpts;
  ObjSizeOpts.RoundToAlign = true;
  ObjectSizeOffsetVisitor ObjSizeVis(DL, TLI, F.getContext(), ObjSizeOpts);

  // Instrument.
  int NumInstrumented = 0;
  for (auto &Operand : OperandsToInstrument) {
    if (!suppressInstrumentationSiteForDebug(NumInstrumented))
      instrumentMop(ObjSizeVis, Operand, UseCalls,
                    F.getParent()->getDataLayout());
    FunctionModified = true;
  }
  for (auto Inst : IntrinToInstrument) {
    if (!suppressInstrumentationSiteForDebug(NumInstrumented))
      instrumentMemIntrinsic(Inst);
    FunctionModified = true;
  }

  FunctionStackPoisoner FSP(F, *this);
  bool ChangedStack = FSP.runOnFunction();

  // We must unpoison the stack before NoReturn calls (throw, _exit, etc).
  // See e.g. https://github.com/google/sanitizers/issues/37
  for (auto CI : NoReturnCalls) {
    IRBuilder<> IRB(CI);
    IRB.CreateCall(AsanHandleNoReturnFunc, {});
  }

  for (auto Inst : PointerComparisonsOrSubtracts) {
    instrumentPointerComparisonOrSubtraction(Inst);
    FunctionModified = true;
  }

  if (ChangedStack || !NoReturnCalls.empty())
    FunctionModified = true;

  LLVM_DEBUG(dbgs() << "ASAN done instrumenting: " << FunctionModified << " "
                    << F << "\n");

  return FunctionModified;
}

// Workaround for bug 11395: we don't want to instrument stack in functions
// with large assembly blobs (32-bit only), otherwise reg alloc may crash.
// FIXME: remove once bug 11395 is fixed.
bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) {
  if (LongSize != 32) return false;
  CallInst *CI = dyn_cast<CallInst>(I);
  if (!CI || !CI->isInlineAsm()) return false;
  if (CI->arg_size() <= 5)
    return false;
  // We have inline assembly with quite a few arguments.
  return true;
}

void FunctionStackPoisoner::initializeCallbacks(Module &M) {
  IRBuilder<> IRB(*C);
  if (ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Always ||
      ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Runtime) {
    const char *MallocNameTemplate =
        ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Always
            ? kAsanStackMallocAlwaysNameTemplate
            : kAsanStackMallocNameTemplate;
    for (int Index = 0; Index <= kMaxAsanStackMallocSizeClass; Index++) {
      std::string Suffix = itostr(Index);
      AsanStackMallocFunc[Index] = M.getOrInsertFunction(
          MallocNameTemplate + Suffix, IntptrTy, IntptrTy);
      AsanStackFreeFunc[Index] =
          M.getOrInsertFunction(kAsanStackFreeNameTemplate + Suffix,
                                IRB.getVoidTy(), IntptrTy, IntptrTy);
    }
  }
  if (ASan.UseAfterScope) {
    AsanPoisonStackMemoryFunc = M.getOrInsertFunction(
        kAsanPoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy);
    AsanUnpoisonStackMemoryFunc = M.getOrInsertFunction(
        kAsanUnpoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy);
  }

  for (size_t Val : {0x00, 0xf1, 0xf2, 0xf3, 0xf5, 0xf8}) {
    std::ostringstream Name;
    Name << kAsanSetShadowPrefix;
    Name << std::setw(2) << std::setfill('0') << std::hex << Val;
    AsanSetShadowFunc[Val] =
        M.getOrInsertFunction(Name.str(), IRB.getVoidTy(), IntptrTy, IntptrTy);
  }

  AsanAllocaPoisonFunc = M.getOrInsertFunction(
      kAsanAllocaPoison, IRB.getVoidTy(), IntptrTy, IntptrTy);
  AsanAllocasUnpoisonFunc = M.getOrInsertFunction(
      kAsanAllocasUnpoison, IRB.getVoidTy(), IntptrTy, IntptrTy);
}

void FunctionStackPoisoner::copyToShadowInline(ArrayRef<uint8_t> ShadowMask,
                                               ArrayRef<uint8_t> ShadowBytes,
                                               size_t Begin, size_t End,
                                               IRBuilder<> &IRB,
                                               Value *ShadowBase) {
  if (Begin >= End)
    return;

  const size_t LargestStoreSizeInBytes =
      std::min<size_t>(sizeof(uint64_t), ASan.LongSize / 8);

  const bool IsLittleEndian = F.getParent()->getDataLayout().isLittleEndian();

  // Poison the given range in shadow using the largest store size, skipping
  // the leading and trailing zeros in ShadowMask. Zeros never change, so they
  // need neither poisoning nor unpoisoning. Still, we don't mind if some of
  // them end up in the middle of a store.
  for (size_t i = Begin; i < End;) {
    if (!ShadowMask[i]) {
      assert(!ShadowBytes[i]);
      ++i;
      continue;
    }

    size_t StoreSizeInBytes = LargestStoreSizeInBytes;
    // Fit store size into the range.
    while (StoreSizeInBytes > End - i)
      StoreSizeInBytes /= 2;

    // Minimize store size by trimming trailing zeros.
    for (size_t j = StoreSizeInBytes - 1; j && !ShadowMask[i + j]; --j) {
      while (j <= StoreSizeInBytes / 2)
        StoreSizeInBytes /= 2;
    }

    uint64_t Val = 0;
    for (size_t j = 0; j < StoreSizeInBytes; j++) {
      if (IsLittleEndian)
        Val |= (uint64_t)ShadowBytes[i + j] << (8 * j);
      else
        Val = (Val << 8) | ShadowBytes[i + j];
    }

    Value *Ptr = IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i));
    Value *Poison = IRB.getIntN(StoreSizeInBytes * 8, Val);
    IRB.CreateAlignedStore(
        Poison, IRB.CreateIntToPtr(Ptr, Poison->getType()->getPointerTo()),
        Align(1));

    i += StoreSizeInBytes;
  }
}

void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask,
                                         ArrayRef<uint8_t> ShadowBytes,
                                         IRBuilder<> &IRB, Value *ShadowBase) {
  copyToShadow(ShadowMask, ShadowBytes, 0, ShadowMask.size(), IRB, ShadowBase);
}

void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask,
                                         ArrayRef<uint8_t> ShadowBytes,
                                         size_t Begin, size_t End,
                                         IRBuilder<> &IRB, Value *ShadowBase) {
  assert(ShadowMask.size() == ShadowBytes.size());
  size_t Done = Begin;
  for (size_t i = Begin, j = Begin + 1; i < End; i = j++) {
    if (!ShadowMask[i]) {
      assert(!ShadowBytes[i]);
      continue;
    }
    uint8_t Val = ShadowBytes[i];
    if (!AsanSetShadowFunc[Val])
      continue;

    // Skip same values.
    for (; j < End && ShadowMask[j] && Val == ShadowBytes[j]; ++j) {
    }

    if (j - i >= ClMaxInlinePoisoningSize) {
      copyToShadowInline(ShadowMask, ShadowBytes, Done, i, IRB, ShadowBase);
      IRB.CreateCall(AsanSetShadowFunc[Val],
                     {IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i)),
                      ConstantInt::get(IntptrTy, j - i)});
      Done = j;
    }
  }

  copyToShadowInline(ShadowMask, ShadowBytes, Done, End, IRB, ShadowBase);
}

// Fake stack allocator (asan_fake_stack.h) has 11 size classes,
// one for every power of 2 from kMinStackMallocSize up to
// kMaxAsanStackMallocSizeClass.
static int StackMallocSizeClass(uint64_t LocalStackSize) {
  assert(LocalStackSize <= kMaxStackMallocSize);
  uint64_t MaxSize = kMinStackMallocSize;
  for (int i = 0;; i++, MaxSize *= 2)
    if (LocalStackSize <= MaxSize) return i;
  llvm_unreachable("impossible LocalStackSize");
}

void FunctionStackPoisoner::copyArgsPassedByValToAllocas() {
  Instruction *CopyInsertPoint = &F.front().front();
  if (CopyInsertPoint == ASan.LocalDynamicShadow) {
    // Insert after the dynamic shadow location is determined.
    CopyInsertPoint = CopyInsertPoint->getNextNode();
    assert(CopyInsertPoint);
  }
  IRBuilder<> IRB(CopyInsertPoint);
  const DataLayout &DL = F.getParent()->getDataLayout();
  for (Argument &Arg : F.args()) {
    if (Arg.hasByValAttr()) {
      Type *Ty = Arg.getParamByValType();
      const Align Alignment =
          DL.getValueOrABITypeAlignment(Arg.getParamAlign(), Ty);

      AllocaInst *AI = IRB.CreateAlloca(
          Ty, nullptr,
          (Arg.hasName() ? Arg.getName() : "Arg" + Twine(Arg.getArgNo())) +
              ".byval");
      AI->setAlignment(Alignment);
      Arg.replaceAllUsesWith(AI);

      uint64_t AllocSize = DL.getTypeAllocSize(Ty);
      IRB.CreateMemCpy(AI, Alignment, &Arg, Alignment, AllocSize);
    }
  }
}

PHINode *FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value *Cond,
                                          Value *ValueIfTrue,
                                          Instruction *ThenTerm,
                                          Value *ValueIfFalse) {
  PHINode *PHI = IRB.CreatePHI(IntptrTy, 2);
  BasicBlock *CondBlock = cast<Instruction>(Cond)->getParent();
  PHI->addIncoming(ValueIfFalse, CondBlock);
  BasicBlock *ThenBlock = ThenTerm->getParent();
  PHI->addIncoming(ValueIfTrue, ThenBlock);
  return PHI;
}

Value *FunctionStackPoisoner::createAllocaForLayout(
    IRBuilder<> &IRB, const ASanStackFrameLayout &L, bool Dynamic) {
  AllocaInst *Alloca;
  if (Dynamic) {
    Alloca = IRB.CreateAlloca(IRB.getInt8Ty(),
                              ConstantInt::get(IRB.getInt64Ty(), L.FrameSize),
                              "MyAlloca");
  } else {
    Alloca = IRB.CreateAlloca(ArrayType::get(IRB.getInt8Ty(), L.FrameSize),
                              nullptr, "MyAlloca");
    assert(Alloca->isStaticAlloca());
  }
  assert((ClRealignStack & (ClRealignStack - 1)) == 0);
  uint64_t FrameAlignment = std::max(L.FrameAlignment, uint64_t(ClRealignStack));
  Alloca->setAlignment(Align(FrameAlignment));
  return IRB.CreatePointerCast(Alloca, IntptrTy);
}

void FunctionStackPoisoner::createDynamicAllocasInitStorage() {
  BasicBlock &FirstBB = *F.begin();
  IRBuilder<> IRB(dyn_cast<Instruction>(FirstBB.begin()));
  DynamicAllocaLayout = IRB.CreateAlloca(IntptrTy, nullptr);
  IRB.CreateStore(Constant::getNullValue(IntptrTy), DynamicAllocaLayout);
  DynamicAllocaLayout->setAlignment(Align(32));
}

void FunctionStackPoisoner::processDynamicAllocas() {
  if (!ClInstrumentDynamicAllocas || DynamicAllocaVec.empty()) {
    assert(DynamicAllocaPoisonCallVec.empty());
    return;
  }

  // Insert poison calls for lifetime intrinsics for dynamic allocas.
  for (const auto &APC : DynamicAllocaPoisonCallVec) {
    assert(APC.InsBefore);
    assert(APC.AI);
    assert(ASan.isInterestingAlloca(*APC.AI));
    assert(!APC.AI->isStaticAlloca());

    IRBuilder<> IRB(APC.InsBefore);
    poisonAlloca(APC.AI, APC.Size, IRB, APC.DoPoison);
    // Dynamic allocas will be unpoisoned unconditionally below in
    // unpoisonDynamicAllocas.
  }

  // Handle dynamic allocas.
  createDynamicAllocasInitStorage();
  for (auto &AI : DynamicAllocaVec)
    handleDynamicAllocaCall(AI);
  unpoisonDynamicAllocas();
}

/// Collect instructions in the entry block after \p InsBefore which initialize
/// permanent storage for a function argument. These instructions must remain in
/// the entry block so that uninitialized values do not appear in backtraces. An
/// added benefit is that this conserves spill slots. This does not move stores
/// before instrumented / "interesting" allocas.
static void findStoresToUninstrumentedArgAllocas(
    AddressSanitizer &ASan, Instruction &InsBefore,
    SmallVectorImpl<Instruction *> &InitInsts) {
  Instruction *Start = InsBefore.getNextNonDebugInstruction();
  for (Instruction *It = Start; It; It = It->getNextNonDebugInstruction()) {
    // Argument initialization looks like:
    // 1) store <Argument>, <Alloca> OR
    // 2) <CastArgument> = cast <Argument> to ...
    //    store <CastArgument> to <Alloca>
    // Do not consider any other kind of instruction.
    //
    // Note: This covers all known cases, but may not be exhaustive. An
    // alternative to pattern-matching stores is to DFS over all Argument uses:
    // this might be more general, but is probably much more complicated.
    if (isa<AllocaInst>(It) || isa<CastInst>(It))
      continue;
    if (auto *Store = dyn_cast<StoreInst>(It)) {
      // The store destination must be an alloca that isn't interesting for
      // ASan to instrument. These are moved up before InsBefore, and they're
      // not interesting because allocas for arguments can be mem2reg'd.
      auto *Alloca = dyn_cast<AllocaInst>(Store->getPointerOperand());
      if (!Alloca || ASan.isInterestingAlloca(*Alloca))
        continue;

      Value *Val = Store->getValueOperand();
      bool IsDirectArgInit = isa<Argument>(Val);
      bool IsArgInitViaCast =
          isa<CastInst>(Val) &&
          isa<Argument>(cast<CastInst>(Val)->getOperand(0)) &&
          // Check that the cast appears directly before the store. Otherwise
          // moving the cast before InsBefore may break the IR.
          Val == It->getPrevNonDebugInstruction();
      bool IsArgInit = IsDirectArgInit || IsArgInitViaCast;
      if (!IsArgInit)
        continue;

      if (IsArgInitViaCast)
        InitInsts.push_back(cast<Instruction>(Val));
      InitInsts.push_back(Store);
      continue;
    }

    // Do not reorder past unknown instructions: argument initialization should
    // only involve casts and stores.
    return;
  }
}

void FunctionStackPoisoner::processStaticAllocas() {
  if (AllocaVec.empty()) {
    assert(StaticAllocaPoisonCallVec.empty());
    return;
  }

  int StackMallocIdx = -1;
  DebugLoc EntryDebugLocation;
  if (auto SP = F.getSubprogram())
    EntryDebugLocation =
        DILocation::get(SP->getContext(), SP->getScopeLine(), 0, SP);

  Instruction *InsBefore = AllocaVec[0];
  IRBuilder<> IRB(InsBefore);

  // Make sure non-instrumented allocas stay in the entry block. Otherwise,
  // debug info is broken, because only entry-block allocas are treated as
  // regular stack slots.
  auto InsBeforeB = InsBefore->getParent();
  assert(InsBeforeB == &F.getEntryBlock());
  for (auto *AI : StaticAllocasToMoveUp)
    if (AI->getParent() == InsBeforeB)
      AI->moveBefore(InsBefore);

  // Move stores of arguments into entry-block allocas as well. This prevents
  // extra stack slots from being generated (to house the argument values until
  // they can be stored into the allocas). This also prevents uninitialized
  // values from being shown in backtraces.
  SmallVector<Instruction *, 8> ArgInitInsts;
  findStoresToUninstrumentedArgAllocas(ASan, *InsBefore, ArgInitInsts);
  for (Instruction *ArgInitInst : ArgInitInsts)
    ArgInitInst->moveBefore(InsBefore);

  // If we have a call to llvm.localescape, keep it in the entry block.
  if (LocalEscapeCall) LocalEscapeCall->moveBefore(InsBefore);

  SmallVector<ASanStackVariableDescription, 16> SVD;
  SVD.reserve(AllocaVec.size());
  for (AllocaInst *AI : AllocaVec) {
    ASanStackVariableDescription D = {AI->getName().data(),
                                      ASan.getAllocaSizeInBytes(*AI),
                                      0,
                                      AI->getAlignment(),
                                      AI,
                                      0,
                                      0};
    SVD.push_back(D);
  }

  // Minimal header size (left redzone) is 4 pointers,
  // i.e. 32 bytes on 64-bit platforms and 16 bytes on 32-bit platforms.
  uint64_t Granularity = 1ULL << Mapping.Scale;
  uint64_t MinHeaderSize = std::max((uint64_t)ASan.LongSize / 2, Granularity);
  const ASanStackFrameLayout &L =
      ComputeASanStackFrameLayout(SVD, Granularity, MinHeaderSize);

  // Build AllocaToSVDMap for ASanStackVariableDescription lookup.
  DenseMap<const AllocaInst *, ASanStackVariableDescription *> AllocaToSVDMap;
  for (auto &Desc : SVD)
    AllocaToSVDMap[Desc.AI] = &Desc;

  // Update SVD with information from lifetime intrinsics.
  for (const auto &APC : StaticAllocaPoisonCallVec) {
    assert(APC.InsBefore);
    assert(APC.AI);
    assert(ASan.isInterestingAlloca(*APC.AI));
    assert(APC.AI->isStaticAlloca());

    ASanStackVariableDescription &Desc = *AllocaToSVDMap[APC.AI];
    Desc.LifetimeSize = Desc.Size;
    if (const DILocation *FnLoc = EntryDebugLocation.get()) {
      if (const DILocation *LifetimeLoc = APC.InsBefore->getDebugLoc().get()) {
        if (LifetimeLoc->getFile() == FnLoc->getFile())
          if (unsigned Line = LifetimeLoc->getLine())
            Desc.Line = std::min(Desc.Line ? Desc.Line : Line, Line);
      }
    }
  }

  auto DescriptionString = ComputeASanStackFrameDescription(SVD);
  LLVM_DEBUG(dbgs() << DescriptionString << " --- " << L.FrameSize << "\n");
  uint64_t LocalStackSize = L.FrameSize;
  bool DoStackMalloc =
      ASan.UseAfterReturn != AsanDetectStackUseAfterReturnMode::Never &&
      !ASan.CompileKernel && LocalStackSize <= kMaxStackMallocSize;
  bool DoDynamicAlloca = ClDynamicAllocaStack;
  // Don't do dynamic alloca or stack malloc if:
  // 1) There is inline asm: too often it makes assumptions on which registers
  //    are available.
  // 2) There is a returns_twice call (typically setjmp), which is
  //    optimization-hostile, and doesn't play well with introduced indirect
  //    register-relative calculation of local variable addresses.
  DoDynamicAlloca &= !HasInlineAsm && !HasReturnsTwiceCall;
  DoStackMalloc &= !HasInlineAsm && !HasReturnsTwiceCall;

  Value *StaticAlloca =
      DoDynamicAlloca ? nullptr : createAllocaForLayout(IRB, L, false);

  Value *FakeStack;
  Value *LocalStackBase;
  Value *LocalStackBaseAlloca;
  uint8_t DIExprFlags = DIExpression::ApplyOffset;

  if (DoStackMalloc) {
    LocalStackBaseAlloca =
        IRB.CreateAlloca(IntptrTy, nullptr, "asan_local_stack_base");
    if (ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Runtime) {
      // void *FakeStack = __asan_option_detect_stack_use_after_return
      //     ? __asan_stack_malloc_N(LocalStackSize)
      //     : nullptr;
      // void *LocalStackBase = (FakeStack) ? FakeStack
      //                                    : alloca(LocalStackSize);
      Constant *OptionDetectUseAfterReturn = F.getParent()->getOrInsertGlobal(
          kAsanOptionDetectUseAfterReturn, IRB.getInt32Ty());
      Value *UseAfterReturnIsEnabled = IRB.CreateICmpNE(
          IRB.CreateLoad(IRB.getInt32Ty(), OptionDetectUseAfterReturn),
          Constant::getNullValue(IRB.getInt32Ty()));
      Instruction *Term =
          SplitBlockAndInsertIfThen(UseAfterReturnIsEnabled, InsBefore, false);
      IRBuilder<> IRBIf(Term);
      StackMallocIdx = StackMallocSizeClass(LocalStackSize);
      assert(StackMallocIdx <= kMaxAsanStackMallocSizeClass);
      Value *FakeStackValue =
          IRBIf.CreateCall(AsanStackMallocFunc[StackMallocIdx],
                           ConstantInt::get(IntptrTy, LocalStackSize));
      IRB.SetInsertPoint(InsBefore);
      FakeStack = createPHI(IRB, UseAfterReturnIsEnabled, FakeStackValue, Term,
                            ConstantInt::get(IntptrTy, 0));
    } else {
      // assert(ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Always)
      // void *FakeStack = __asan_stack_malloc_N(LocalStackSize);
      // void *LocalStackBase = (FakeStack) ? FakeStack
      //                                    : alloca(LocalStackSize);
      StackMallocIdx = StackMallocSizeClass(LocalStackSize);
      FakeStack = IRB.CreateCall(AsanStackMallocFunc[StackMallocIdx],
                                 ConstantInt::get(IntptrTy, LocalStackSize));
    }
    Value *NoFakeStack =
        IRB.CreateICmpEQ(FakeStack, Constant::getNullValue(IntptrTy));
    Instruction *Term =
        SplitBlockAndInsertIfThen(NoFakeStack, InsBefore, false);
    IRBuilder<> IRBIf(Term);
    Value *AllocaValue =
        DoDynamicAlloca ? createAllocaForLayout(IRBIf, L, true) : StaticAlloca;

    IRB.SetInsertPoint(InsBefore);
    LocalStackBase = createPHI(IRB, NoFakeStack, AllocaValue, Term, FakeStack);
    IRB.CreateStore(LocalStackBase, LocalStackBaseAlloca);
    DIExprFlags |= DIExpression::DerefBefore;
  } else {
    // void *FakeStack = nullptr;
    // void *LocalStackBase = alloca(LocalStackSize);
    FakeStack = ConstantInt::get(IntptrTy, 0);
    LocalStackBase =
        DoDynamicAlloca ? createAllocaForLayout(IRB, L, true) : StaticAlloca;
    LocalStackBaseAlloca = LocalStackBase;
  }

  // It shouldn't matter whether we pass an `alloca` or a `ptrtoint` as the
  // dbg.declare address operand, but passing a `ptrtoint` seems to confuse
  // later passes and can result in dropped variable coverage in debug info.
  Value *LocalStackBaseAllocaPtr =
      isa<PtrToIntInst>(LocalStackBaseAlloca)
          ? cast<PtrToIntInst>(LocalStackBaseAlloca)->getPointerOperand()
          : LocalStackBaseAlloca;
  assert(isa<AllocaInst>(LocalStackBaseAllocaPtr) &&
         "Variable descriptions relative to ASan stack base will be dropped");

  // Replace Alloca instructions with base+offset.
  for (const auto &Desc : SVD) {
    AllocaInst *AI = Desc.AI;
    replaceDbgDeclare(AI, LocalStackBaseAllocaPtr, DIB, DIExprFlags,
                      Desc.Offset);
    Value *NewAllocaPtr = IRB.CreateIntToPtr(
        IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Desc.Offset)),
        AI->getType());
    AI->replaceAllUsesWith(NewAllocaPtr);
  }

  // The left-most redzone has enough space for at least 4 pointers.
  // Write the Magic value to redzone[0].
  Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy);
  IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic),
                  BasePlus0);
  // Write the frame description constant to redzone[1].
  Value *BasePlus1 = IRB.CreateIntToPtr(
      IRB.CreateAdd(LocalStackBase,
                    ConstantInt::get(IntptrTy, ASan.LongSize / 8)),
      IntptrPtrTy);
  GlobalVariable *StackDescriptionGlobal =
      createPrivateGlobalForString(*F.getParent(), DescriptionString,
                                   /*AllowMerging*/ true, kAsanGenPrefix);
  Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, IntptrTy);
  IRB.CreateStore(Description, BasePlus1);
  // Write the PC to redzone[2].
  Value *BasePlus2 = IRB.CreateIntToPtr(
      IRB.CreateAdd(LocalStackBase,
                    ConstantInt::get(IntptrTy, 2 * ASan.LongSize / 8)),
      IntptrPtrTy);
  IRB.CreateStore(IRB.CreatePointerCast(&F, IntptrTy), BasePlus2);

  const auto &ShadowAfterScope = GetShadowBytesAfterScope(SVD, L);

  // Poison the stack red zones at the entry.
  Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB);
  // As the mask we must use the most poisoned case: red zones and after scope.
  // As the bytes we can use either the same bytes or just the red zones.
  copyToShadow(ShadowAfterScope, ShadowAfterScope, IRB, ShadowBase);

  if (!StaticAllocaPoisonCallVec.empty()) {
    const auto &ShadowInScope = GetShadowBytes(SVD, L);

    // Poison static allocas near lifetime intrinsics.
    for (const auto &APC : StaticAllocaPoisonCallVec) {
      const ASanStackVariableDescription &Desc = *AllocaToSVDMap[APC.AI];
      assert(Desc.Offset % L.Granularity == 0);
      size_t Begin = Desc.Offset / L.Granularity;
      size_t End = Begin + (APC.Size + L.Granularity - 1) / L.Granularity;

      IRBuilder<> IRB(APC.InsBefore);
      copyToShadow(ShadowAfterScope,
                   APC.DoPoison ? ShadowAfterScope : ShadowInScope, Begin, End,
                   IRB, ShadowBase);
    }
  }

  SmallVector<uint8_t, 64> ShadowClean(ShadowAfterScope.size(), 0);
  SmallVector<uint8_t, 64> ShadowAfterReturn;

  // (Un)poison the stack before all ret instructions.
  for (Instruction *Ret : RetVec) {
    IRBuilder<> IRBRet(Ret);
    // Mark the current frame as retired.
    IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic),
                       BasePlus0);
    if (DoStackMalloc) {
      assert(StackMallocIdx >= 0);
      // if FakeStack != 0  // LocalStackBase == FakeStack
      //     // In use-after-return mode, poison the whole stack frame.
      //     if StackMallocIdx <= 4
      //         // For small sizes inline the whole thing:
      //         memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
      //         **SavedFlagPtr(FakeStack) = 0
      //     else
      //         __asan_stack_free_N(FakeStack, LocalStackSize)
      // else
      //     <This is not a fake stack; unpoison the redzones>
      Value *Cmp =
          IRBRet.CreateICmpNE(FakeStack, Constant::getNullValue(IntptrTy));
      Instruction *ThenTerm, *ElseTerm;
      SplitBlockAndInsertIfThenElse(Cmp, Ret, &ThenTerm, &ElseTerm);

      IRBuilder<> IRBPoison(ThenTerm);
      if (StackMallocIdx <= 4) {
        int ClassSize = kMinStackMallocSize << StackMallocIdx;
        ShadowAfterReturn.resize(ClassSize / L.Granularity,
                                 kAsanStackUseAfterReturnMagic);
        copyToShadow(ShadowAfterReturn, ShadowAfterReturn, IRBPoison,
                     ShadowBase);
        Value *SavedFlagPtrPtr = IRBPoison.CreateAdd(
            FakeStack,
            ConstantInt::get(IntptrTy, ClassSize - ASan.LongSize / 8));
        Value *SavedFlagPtr = IRBPoison.CreateLoad(
            IntptrTy, IRBPoison.CreateIntToPtr(SavedFlagPtrPtr, IntptrPtrTy));
        IRBPoison.CreateStore(
            Constant::getNullValue(IRBPoison.getInt8Ty()),
            IRBPoison.CreateIntToPtr(SavedFlagPtr, IRBPoison.getInt8PtrTy()));
      } else {
        // For larger frames call __asan_stack_free_*.
        IRBPoison.CreateCall(
            AsanStackFreeFunc[StackMallocIdx],
            {FakeStack, ConstantInt::get(IntptrTy, LocalStackSize)});
      }

      IRBuilder<> IRBElse(ElseTerm);
      copyToShadow(ShadowAfterScope, ShadowClean, IRBElse, ShadowBase);
    } else {
      copyToShadow(ShadowAfterScope, ShadowClean, IRBRet, ShadowBase);
    }
  }

  // We are done. Remove the old unused alloca instructions.
  for (auto AI : AllocaVec) AI->eraseFromParent();
}

void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size,
                                         IRBuilder<> &IRB, bool DoPoison) {
  // For now just insert the call to the ASan runtime.
  Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy);
  Value *SizeArg = ConstantInt::get(IntptrTy, Size);
  IRB.CreateCall(
      DoPoison ? AsanPoisonStackMemoryFunc : AsanUnpoisonStackMemoryFunc,
      {AddrArg, SizeArg});
}

// Handling llvm.lifetime intrinsics for a given %alloca:
// (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca.
// (2) if %size is constant, poison memory for llvm.lifetime.end (to detect
//     invalid accesses) and unpoison it for llvm.lifetime.start (the memory
//     could be poisoned by a previous llvm.lifetime.end instruction, as the
//     variable may go in and out of scope several times, e.g. in loops).
// (3) if we poisoned at least one %alloca in a function,
//     unpoison the whole stack frame at function exit.
void FunctionStackPoisoner::handleDynamicAllocaCall(AllocaInst *AI) {
  IRBuilder<> IRB(AI);

  const uint64_t Alignment = std::max(kAllocaRzSize, AI->getAlignment());
  const uint64_t AllocaRedzoneMask = kAllocaRzSize - 1;

  Value *Zero = Constant::getNullValue(IntptrTy);
  Value *AllocaRzSize = ConstantInt::get(IntptrTy, kAllocaRzSize);
  Value *AllocaRzMask = ConstantInt::get(IntptrTy, AllocaRedzoneMask);

  // Since we need to extend the alloca with additional memory to place the
  // redzones, and OldSize is the number of allocated elements of ElementSize
  // bytes each, compute the allocated memory size in bytes as
  // OldSize * ElementSize.
  const unsigned ElementSize =
      F.getParent()->getDataLayout().getTypeAllocSize(AI->getAllocatedType());
  Value *OldSize =
      IRB.CreateMul(IRB.CreateIntCast(AI->getArraySize(), IntptrTy, false),
                    ConstantInt::get(IntptrTy, ElementSize));

  // PartialSize = OldSize % 32
  Value *PartialSize = IRB.CreateAnd(OldSize, AllocaRzMask);

  // Misalign = kAllocaRzSize - PartialSize;
  Value *Misalign = IRB.CreateSub(AllocaRzSize, PartialSize);

  // PartialPadding = Misalign != kAllocaRzSize ? Misalign : 0;
  Value *Cond = IRB.CreateICmpNE(Misalign, AllocaRzSize);
  Value *PartialPadding = IRB.CreateSelect(Cond, Misalign, Zero);

  // AdditionalChunkSize = Alignment + PartialPadding + kAllocaRzSize
  // Alignment is added to locate the left redzone, PartialPadding for a
  // possible partial redzone, and kAllocaRzSize for the right redzone.
  Value *AdditionalChunkSize = IRB.CreateAdd(
      ConstantInt::get(IntptrTy, Alignment + kAllocaRzSize), PartialPadding);

  Value *NewSize = IRB.CreateAdd(OldSize, AdditionalChunkSize);

  // Insert a new alloca with the new NewSize and Alignment params.
  AllocaInst *NewAlloca = IRB.CreateAlloca(IRB.getInt8Ty(), NewSize);
  NewAlloca->setAlignment(Align(Alignment));

  // NewAddress = Address + Alignment
  Value *NewAddress = IRB.CreateAdd(IRB.CreatePtrToInt(NewAlloca, IntptrTy),
                                    ConstantInt::get(IntptrTy, Alignment));

  // Insert an __asan_alloca_poison call for the newly created alloca.
  IRB.CreateCall(AsanAllocaPoisonFunc, {NewAddress, OldSize});

  // Store the last alloca's address to DynamicAllocaLayout. We'll need it
  // later for unpoisoning.
  IRB.CreateStore(IRB.CreatePtrToInt(NewAlloca, IntptrTy), DynamicAllocaLayout);

  Value *NewAddressPtr = IRB.CreateIntToPtr(NewAddress, AI->getType());

  // Replace all uses of the address returned by the old alloca with
  // NewAddressPtr.
  AI->replaceAllUsesWith(NewAddressPtr);

  // We are done. Erase the old alloca from its parent.
  AI->eraseFromParent();
}

// isSafeAccess returns true if Addr is always inbounds with respect to its
// base object. For example, it is a field access or an array access with
// constant inbounds index.
bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis,
                                    Value *Addr, uint64_t TypeSize) const {
  SizeOffsetType SizeOffset = ObjSizeVis.compute(Addr);
  if (!ObjSizeVis.bothKnown(SizeOffset)) return false;
  uint64_t Size = SizeOffset.first.getZExtValue();
  int64_t Offset = SizeOffset.second.getSExtValue();
  // Three checks are required to ensure safety:
  // . Offset >= 0 (since the offset is given from the base ptr)
  // . Size >= Offset (unsigned)
  // . Size - Offset >= NeededSize (unsigned)
  return Offset >= 0 && Size >= uint64_t(Offset) &&
         Size - uint64_t(Offset) >= TypeSize / 8;
}
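// Illustrative note (editorial, not part of the original pass logic): as a
// hypothetical worked example of the checks above, consider a 16-byte stack
// object accessed at a constant offset of 12 with TypeSize == 32 bits, i.e.
// NeededSize == TypeSize / 8 == 4 bytes. Then Offset (12) >= 0,
// Size (16) >= Offset (12), and Size - Offset (4) >= NeededSize (4), so the
// access is statically known to be in bounds and its shadow check can be
// elided; with an offset of 14 the last check fails (2 < 4) and the access
// must still be instrumented.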