1 //===- DataFlowSanitizer.cpp - dynamic data flow analysis -----------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 /// \file 10 /// This file is a part of DataFlowSanitizer, a generalised dynamic data flow 11 /// analysis. 12 /// 13 /// Unlike other Sanitizer tools, this tool is not designed to detect a specific 14 /// class of bugs on its own. Instead, it provides a generic dynamic data flow 15 /// analysis framework to be used by clients to help detect application-specific 16 /// issues within their own code. 17 /// 18 /// The analysis is based on automatic propagation of data flow labels (also 19 /// known as taint labels) through a program as it performs computation. 20 /// 21 /// Argument and return value labels are passed through TLS variables 22 /// __dfsan_arg_tls and __dfsan_retval_tls. 23 /// 24 /// Each byte of application memory is backed by a shadow memory byte. The 25 /// shadow byte can represent up to 8 labels. On Linux/x86_64, memory is then 26 /// laid out as follows: 27 /// 28 /// +--------------------+ 0x800000000000 (top of memory) 29 /// | application 3 | 30 /// +--------------------+ 0x700000000000 31 /// | invalid | 32 /// +--------------------+ 0x610000000000 33 /// | origin 1 | 34 /// +--------------------+ 0x600000000000 35 /// | application 2 | 36 /// +--------------------+ 0x510000000000 37 /// | shadow 1 | 38 /// +--------------------+ 0x500000000000 39 /// | invalid | 40 /// +--------------------+ 0x400000000000 41 /// | origin 3 | 42 /// +--------------------+ 0x300000000000 43 /// | shadow 3 | 44 /// +--------------------+ 0x200000000000 45 /// | origin 2 | 46 /// +--------------------+ 0x110000000000 47 /// | invalid | 48 /// +--------------------+ 0x100000000000 49 /// | shadow 2 | 50 /// +--------------------+ 0x010000000000 51 /// | application 1 | 52 /// +--------------------+ 0x000000000000 53 /// 54 /// MEM_TO_SHADOW(mem) = mem ^ 0x500000000000 55 /// SHADOW_TO_ORIGIN(shadow) = shadow + 0x100000000000 56 /// 57 /// For more information, please refer to the design document: 58 /// http://clang.llvm.org/docs/DataFlowSanitizerDesign.html 59 // 60 //===----------------------------------------------------------------------===// 61 62 #include "llvm/Transforms/Instrumentation/DataFlowSanitizer.h" 63 #include "llvm/ADT/DenseMap.h" 64 #include "llvm/ADT/DenseSet.h" 65 #include "llvm/ADT/DepthFirstIterator.h" 66 #include "llvm/ADT/None.h" 67 #include "llvm/ADT/SmallPtrSet.h" 68 #include "llvm/ADT/SmallVector.h" 69 #include "llvm/ADT/StringExtras.h" 70 #include "llvm/ADT/StringRef.h" 71 #include "llvm/ADT/Triple.h" 72 #include "llvm/ADT/iterator.h" 73 #include "llvm/Analysis/ValueTracking.h" 74 #include "llvm/IR/Argument.h" 75 #include "llvm/IR/Attributes.h" 76 #include "llvm/IR/BasicBlock.h" 77 #include "llvm/IR/Constant.h" 78 #include "llvm/IR/Constants.h" 79 #include "llvm/IR/DataLayout.h" 80 #include "llvm/IR/DerivedTypes.h" 81 #include "llvm/IR/Dominators.h" 82 #include "llvm/IR/Function.h" 83 #include "llvm/IR/GlobalAlias.h" 84 #include "llvm/IR/GlobalValue.h" 85 #include "llvm/IR/GlobalVariable.h" 86 #include "llvm/IR/IRBuilder.h" 87 #include "llvm/IR/InlineAsm.h" 88 #include "llvm/IR/InstVisitor.h" 89 #include "llvm/IR/InstrTypes.h" 90 #include "llvm/IR/Instruction.h" 91 #include "llvm/IR/Instructions.h" 92 #include "llvm/IR/IntrinsicInst.h" 93 #include "llvm/IR/LLVMContext.h" 94 #include "llvm/IR/MDBuilder.h" 95 #include "llvm/IR/Module.h" 96 #include "llvm/IR/PassManager.h" 97 #include "llvm/IR/Type.h" 98 #include "llvm/IR/User.h" 99 #include "llvm/IR/Value.h" 100 #include "llvm/InitializePasses.h" 101 #include "llvm/Pass.h" 102 #include "llvm/Support/Alignment.h" 103 #include "llvm/Support/Casting.h" 104 #include "llvm/Support/CommandLine.h" 105 #include "llvm/Support/ErrorHandling.h" 106 #include "llvm/Support/SpecialCaseList.h" 107 #include "llvm/Support/VirtualFileSystem.h" 108 #include "llvm/Transforms/Instrumentation.h" 109 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 110 #include "llvm/Transforms/Utils/Local.h" 111 #include <algorithm> 112 #include <cassert> 113 #include <cstddef> 114 #include <cstdint> 115 #include <iterator> 116 #include <memory> 117 #include <set> 118 #include <string> 119 #include <utility> 120 #include <vector> 121 122 using namespace llvm; 123 124 // This must be consistent with ShadowWidthBits. 125 static const Align ShadowTLSAlignment = Align(2); 126 127 static const Align MinOriginAlignment = Align(4); 128 129 // The size of TLS variables. These constants must be kept in sync with the ones 130 // in dfsan.cpp. 131 static const unsigned ArgTLSSize = 800; 132 static const unsigned RetvalTLSSize = 800; 133 134 // The -dfsan-preserve-alignment flag controls whether this pass assumes that 135 // alignment requirements provided by the input IR are correct. For example, 136 // if the input IR contains a load with alignment 8, this flag will cause 137 // the shadow load to have alignment 16. This flag is disabled by default as 138 // we have unfortunately encountered too much code (including Clang itself; 139 // see PR14291) which performs misaligned access. 140 static cl::opt<bool> ClPreserveAlignment( 141 "dfsan-preserve-alignment", 142 cl::desc("respect alignment requirements provided by input IR"), cl::Hidden, 143 cl::init(false)); 144 145 // The ABI list files control how shadow parameters are passed. The pass treats 146 // every function labelled "uninstrumented" in the ABI list file as conforming 147 // to the "native" (i.e. unsanitized) ABI. Unless the ABI list contains 148 // additional annotations for those functions, a call to one of those functions 149 // will produce a warning message, as the labelling behaviour of the function is 150 // unknown. The other supported annotations for uninstrumented functions are 151 // "functional" and "discard", which are described below under 152 // DataFlowSanitizer::WrapperKind. 153 // Functions will often be labelled with both "uninstrumented" and one of 154 // "functional" or "discard". This will leave the function unchanged by this 155 // pass, and create a wrapper function that will call the original. 156 // 157 // Instrumented functions can also be annotated as "force_zero_labels", which 158 // will make all shadow and return values set zero labels. 159 // Functions should never be labelled with both "force_zero_labels" and 160 // "uninstrumented" or any of the unistrumented wrapper kinds. 161 static cl::list<std::string> ClABIListFiles( 162 "dfsan-abilist", 163 cl::desc("File listing native ABI functions and how the pass treats them"), 164 cl::Hidden); 165 166 // Controls whether the pass includes or ignores the labels of pointers in load 167 // instructions. 168 static cl::opt<bool> ClCombinePointerLabelsOnLoad( 169 "dfsan-combine-pointer-labels-on-load", 170 cl::desc("Combine the label of the pointer with the label of the data when " 171 "loading from memory."), 172 cl::Hidden, cl::init(true)); 173 174 // Controls whether the pass includes or ignores the labels of pointers in 175 // stores instructions. 176 static cl::opt<bool> ClCombinePointerLabelsOnStore( 177 "dfsan-combine-pointer-labels-on-store", 178 cl::desc("Combine the label of the pointer with the label of the data when " 179 "storing in memory."), 180 cl::Hidden, cl::init(false)); 181 182 // Controls whether the pass propagates labels of offsets in GEP instructions. 183 static cl::opt<bool> ClCombineOffsetLabelsOnGEP( 184 "dfsan-combine-offset-labels-on-gep", 185 cl::desc( 186 "Combine the label of the offset with the label of the pointer when " 187 "doing pointer arithmetic."), 188 cl::Hidden, cl::init(true)); 189 190 static cl::opt<bool> ClDebugNonzeroLabels( 191 "dfsan-debug-nonzero-labels", 192 cl::desc("Insert calls to __dfsan_nonzero_label on observing a parameter, " 193 "load or return with a nonzero label"), 194 cl::Hidden); 195 196 // Experimental feature that inserts callbacks for certain data events. 197 // Currently callbacks are only inserted for loads, stores, memory transfers 198 // (i.e. memcpy and memmove), and comparisons. 199 // 200 // If this flag is set to true, the user must provide definitions for the 201 // following callback functions: 202 // void __dfsan_load_callback(dfsan_label Label, void* addr); 203 // void __dfsan_store_callback(dfsan_label Label, void* addr); 204 // void __dfsan_mem_transfer_callback(dfsan_label *Start, size_t Len); 205 // void __dfsan_cmp_callback(dfsan_label CombinedLabel); 206 static cl::opt<bool> ClEventCallbacks( 207 "dfsan-event-callbacks", 208 cl::desc("Insert calls to __dfsan_*_callback functions on data events."), 209 cl::Hidden, cl::init(false)); 210 211 // Experimental feature that inserts callbacks for conditionals, including: 212 // conditional branch, switch, select. 213 // This must be true for dfsan_set_conditional_callback() to have effect. 214 static cl::opt<bool> ClConditionalCallbacks( 215 "dfsan-conditional-callbacks", 216 cl::desc("Insert calls to callback functions on conditionals."), cl::Hidden, 217 cl::init(false)); 218 219 // Controls whether the pass tracks the control flow of select instructions. 220 static cl::opt<bool> ClTrackSelectControlFlow( 221 "dfsan-track-select-control-flow", 222 cl::desc("Propagate labels from condition values of select instructions " 223 "to results."), 224 cl::Hidden, cl::init(true)); 225 226 // TODO: This default value follows MSan. DFSan may use a different value. 227 static cl::opt<int> ClInstrumentWithCallThreshold( 228 "dfsan-instrument-with-call-threshold", 229 cl::desc("If the function being instrumented requires more than " 230 "this number of origin stores, use callbacks instead of " 231 "inline checks (-1 means never use callbacks)."), 232 cl::Hidden, cl::init(3500)); 233 234 // Controls how to track origins. 235 // * 0: do not track origins. 236 // * 1: track origins at memory store operations. 237 // * 2: track origins at memory load and store operations. 238 // TODO: track callsites. 239 static cl::opt<int> ClTrackOrigins("dfsan-track-origins", 240 cl::desc("Track origins of labels"), 241 cl::Hidden, cl::init(0)); 242 243 static cl::opt<bool> ClIgnorePersonalityRoutine( 244 "dfsan-ignore-personality-routine", 245 cl::desc("If a personality routine is marked uninstrumented from the ABI " 246 "list, do not create a wrapper for it."), 247 cl::Hidden, cl::init(false)); 248 249 static StringRef getGlobalTypeString(const GlobalValue &G) { 250 // Types of GlobalVariables are always pointer types. 251 Type *GType = G.getValueType(); 252 // For now we support excluding struct types only. 253 if (StructType *SGType = dyn_cast<StructType>(GType)) { 254 if (!SGType->isLiteral()) 255 return SGType->getName(); 256 } 257 return "<unknown type>"; 258 } 259 260 namespace { 261 262 // Memory map parameters used in application-to-shadow address calculation. 263 // Offset = (Addr & ~AndMask) ^ XorMask 264 // Shadow = ShadowBase + Offset 265 // Origin = (OriginBase + Offset) & ~3ULL 266 struct MemoryMapParams { 267 uint64_t AndMask; 268 uint64_t XorMask; 269 uint64_t ShadowBase; 270 uint64_t OriginBase; 271 }; 272 273 } // end anonymous namespace 274 275 // x86_64 Linux 276 // NOLINTNEXTLINE(readability-identifier-naming) 277 static const MemoryMapParams Linux_X86_64_MemoryMapParams = { 278 0, // AndMask (not used) 279 0x500000000000, // XorMask 280 0, // ShadowBase (not used) 281 0x100000000000, // OriginBase 282 }; 283 284 namespace { 285 286 class DFSanABIList { 287 std::unique_ptr<SpecialCaseList> SCL; 288 289 public: 290 DFSanABIList() = default; 291 292 void set(std::unique_ptr<SpecialCaseList> List) { SCL = std::move(List); } 293 294 /// Returns whether either this function or its source file are listed in the 295 /// given category. 296 bool isIn(const Function &F, StringRef Category) const { 297 return isIn(*F.getParent(), Category) || 298 SCL->inSection("dataflow", "fun", F.getName(), Category); 299 } 300 301 /// Returns whether this global alias is listed in the given category. 302 /// 303 /// If GA aliases a function, the alias's name is matched as a function name 304 /// would be. Similarly, aliases of globals are matched like globals. 305 bool isIn(const GlobalAlias &GA, StringRef Category) const { 306 if (isIn(*GA.getParent(), Category)) 307 return true; 308 309 if (isa<FunctionType>(GA.getValueType())) 310 return SCL->inSection("dataflow", "fun", GA.getName(), Category); 311 312 return SCL->inSection("dataflow", "global", GA.getName(), Category) || 313 SCL->inSection("dataflow", "type", getGlobalTypeString(GA), 314 Category); 315 } 316 317 /// Returns whether this module is listed in the given category. 318 bool isIn(const Module &M, StringRef Category) const { 319 return SCL->inSection("dataflow", "src", M.getModuleIdentifier(), Category); 320 } 321 }; 322 323 /// TransformedFunction is used to express the result of transforming one 324 /// function type into another. This struct is immutable. It holds metadata 325 /// useful for updating calls of the old function to the new type. 326 struct TransformedFunction { 327 TransformedFunction(FunctionType *OriginalType, FunctionType *TransformedType, 328 std::vector<unsigned> ArgumentIndexMapping) 329 : OriginalType(OriginalType), TransformedType(TransformedType), 330 ArgumentIndexMapping(ArgumentIndexMapping) {} 331 332 // Disallow copies. 333 TransformedFunction(const TransformedFunction &) = delete; 334 TransformedFunction &operator=(const TransformedFunction &) = delete; 335 336 // Allow moves. 337 TransformedFunction(TransformedFunction &&) = default; 338 TransformedFunction &operator=(TransformedFunction &&) = default; 339 340 /// Type of the function before the transformation. 341 FunctionType *OriginalType; 342 343 /// Type of the function after the transformation. 344 FunctionType *TransformedType; 345 346 /// Transforming a function may change the position of arguments. This 347 /// member records the mapping from each argument's old position to its new 348 /// position. Argument positions are zero-indexed. If the transformation 349 /// from F to F' made the first argument of F into the third argument of F', 350 /// then ArgumentIndexMapping[0] will equal 2. 351 std::vector<unsigned> ArgumentIndexMapping; 352 }; 353 354 /// Given function attributes from a call site for the original function, 355 /// return function attributes appropriate for a call to the transformed 356 /// function. 357 AttributeList 358 transformFunctionAttributes(const TransformedFunction &TransformedFunction, 359 LLVMContext &Ctx, AttributeList CallSiteAttrs) { 360 361 // Construct a vector of AttributeSet for each function argument. 362 std::vector<llvm::AttributeSet> ArgumentAttributes( 363 TransformedFunction.TransformedType->getNumParams()); 364 365 // Copy attributes from the parameter of the original function to the 366 // transformed version. 'ArgumentIndexMapping' holds the mapping from 367 // old argument position to new. 368 for (unsigned I = 0, IE = TransformedFunction.ArgumentIndexMapping.size(); 369 I < IE; ++I) { 370 unsigned TransformedIndex = TransformedFunction.ArgumentIndexMapping[I]; 371 ArgumentAttributes[TransformedIndex] = CallSiteAttrs.getParamAttrs(I); 372 } 373 374 // Copy annotations on varargs arguments. 375 for (unsigned I = TransformedFunction.OriginalType->getNumParams(), 376 IE = CallSiteAttrs.getNumAttrSets(); 377 I < IE; ++I) { 378 ArgumentAttributes.push_back(CallSiteAttrs.getParamAttrs(I)); 379 } 380 381 return AttributeList::get(Ctx, CallSiteAttrs.getFnAttrs(), 382 CallSiteAttrs.getRetAttrs(), 383 llvm::makeArrayRef(ArgumentAttributes)); 384 } 385 386 class DataFlowSanitizer { 387 friend struct DFSanFunction; 388 friend class DFSanVisitor; 389 390 enum { ShadowWidthBits = 8, ShadowWidthBytes = ShadowWidthBits / 8 }; 391 392 enum { OriginWidthBits = 32, OriginWidthBytes = OriginWidthBits / 8 }; 393 394 /// How should calls to uninstrumented functions be handled? 395 enum WrapperKind { 396 /// This function is present in an uninstrumented form but we don't know 397 /// how it should be handled. Print a warning and call the function anyway. 398 /// Don't label the return value. 399 WK_Warning, 400 401 /// This function does not write to (user-accessible) memory, and its return 402 /// value is unlabelled. 403 WK_Discard, 404 405 /// This function does not write to (user-accessible) memory, and the label 406 /// of its return value is the union of the label of its arguments. 407 WK_Functional, 408 409 /// Instead of calling the function, a custom wrapper __dfsw_F is called, 410 /// where F is the name of the function. This function may wrap the 411 /// original function or provide its own implementation. WK_Custom uses an 412 /// extra pointer argument to return the shadow. This allows the wrapped 413 /// form of the function type to be expressed in C. 414 WK_Custom 415 }; 416 417 Module *Mod; 418 LLVMContext *Ctx; 419 Type *Int8Ptr; 420 IntegerType *OriginTy; 421 PointerType *OriginPtrTy; 422 ConstantInt *ZeroOrigin; 423 /// The shadow type for all primitive types and vector types. 424 IntegerType *PrimitiveShadowTy; 425 PointerType *PrimitiveShadowPtrTy; 426 IntegerType *IntptrTy; 427 ConstantInt *ZeroPrimitiveShadow; 428 Constant *ArgTLS; 429 ArrayType *ArgOriginTLSTy; 430 Constant *ArgOriginTLS; 431 Constant *RetvalTLS; 432 Constant *RetvalOriginTLS; 433 FunctionType *DFSanUnionLoadFnTy; 434 FunctionType *DFSanLoadLabelAndOriginFnTy; 435 FunctionType *DFSanUnimplementedFnTy; 436 FunctionType *DFSanSetLabelFnTy; 437 FunctionType *DFSanNonzeroLabelFnTy; 438 FunctionType *DFSanVarargWrapperFnTy; 439 FunctionType *DFSanConditionalCallbackFnTy; 440 FunctionType *DFSanConditionalCallbackOriginFnTy; 441 FunctionType *DFSanCmpCallbackFnTy; 442 FunctionType *DFSanLoadStoreCallbackFnTy; 443 FunctionType *DFSanMemTransferCallbackFnTy; 444 FunctionType *DFSanChainOriginFnTy; 445 FunctionType *DFSanChainOriginIfTaintedFnTy; 446 FunctionType *DFSanMemOriginTransferFnTy; 447 FunctionType *DFSanMaybeStoreOriginFnTy; 448 FunctionCallee DFSanUnionLoadFn; 449 FunctionCallee DFSanLoadLabelAndOriginFn; 450 FunctionCallee DFSanUnimplementedFn; 451 FunctionCallee DFSanSetLabelFn; 452 FunctionCallee DFSanNonzeroLabelFn; 453 FunctionCallee DFSanVarargWrapperFn; 454 FunctionCallee DFSanLoadCallbackFn; 455 FunctionCallee DFSanStoreCallbackFn; 456 FunctionCallee DFSanMemTransferCallbackFn; 457 FunctionCallee DFSanConditionalCallbackFn; 458 FunctionCallee DFSanConditionalCallbackOriginFn; 459 FunctionCallee DFSanCmpCallbackFn; 460 FunctionCallee DFSanChainOriginFn; 461 FunctionCallee DFSanChainOriginIfTaintedFn; 462 FunctionCallee DFSanMemOriginTransferFn; 463 FunctionCallee DFSanMaybeStoreOriginFn; 464 SmallPtrSet<Value *, 16> DFSanRuntimeFunctions; 465 MDNode *ColdCallWeights; 466 MDNode *OriginStoreWeights; 467 DFSanABIList ABIList; 468 DenseMap<Value *, Function *> UnwrappedFnMap; 469 AttributeMask ReadOnlyNoneAttrs; 470 471 /// Memory map parameters used in calculation mapping application addresses 472 /// to shadow addresses and origin addresses. 473 const MemoryMapParams *MapParams; 474 475 Value *getShadowOffset(Value *Addr, IRBuilder<> &IRB); 476 Value *getShadowAddress(Value *Addr, Instruction *Pos); 477 Value *getShadowAddress(Value *Addr, Instruction *Pos, Value *ShadowOffset); 478 std::pair<Value *, Value *> 479 getShadowOriginAddress(Value *Addr, Align InstAlignment, Instruction *Pos); 480 bool isInstrumented(const Function *F); 481 bool isInstrumented(const GlobalAlias *GA); 482 bool isForceZeroLabels(const Function *F); 483 FunctionType *getTrampolineFunctionType(FunctionType *T); 484 TransformedFunction getCustomFunctionType(FunctionType *T); 485 WrapperKind getWrapperKind(Function *F); 486 void addGlobalNameSuffix(GlobalValue *GV); 487 Function *buildWrapperFunction(Function *F, StringRef NewFName, 488 GlobalValue::LinkageTypes NewFLink, 489 FunctionType *NewFT); 490 Constant *getOrBuildTrampolineFunction(FunctionType *FT, StringRef FName); 491 void initializeCallbackFunctions(Module &M); 492 void initializeRuntimeFunctions(Module &M); 493 void injectMetadataGlobals(Module &M); 494 bool initializeModule(Module &M); 495 496 /// Advances \p OriginAddr to point to the next 32-bit origin and then loads 497 /// from it. Returns the origin's loaded value. 498 Value *loadNextOrigin(Instruction *Pos, Align OriginAlign, 499 Value **OriginAddr); 500 501 /// Returns whether the given load byte size is amenable to inlined 502 /// optimization patterns. 503 bool hasLoadSizeForFastPath(uint64_t Size); 504 505 /// Returns whether the pass tracks origins. Supports only TLS ABI mode. 506 bool shouldTrackOrigins(); 507 508 /// Returns a zero constant with the shadow type of OrigTy. 509 /// 510 /// getZeroShadow({T1,T2,...}) = {getZeroShadow(T1),getZeroShadow(T2,...} 511 /// getZeroShadow([n x T]) = [n x getZeroShadow(T)] 512 /// getZeroShadow(other type) = i16(0) 513 Constant *getZeroShadow(Type *OrigTy); 514 /// Returns a zero constant with the shadow type of V's type. 515 Constant *getZeroShadow(Value *V); 516 517 /// Checks if V is a zero shadow. 518 bool isZeroShadow(Value *V); 519 520 /// Returns the shadow type of OrigTy. 521 /// 522 /// getShadowTy({T1,T2,...}) = {getShadowTy(T1),getShadowTy(T2),...} 523 /// getShadowTy([n x T]) = [n x getShadowTy(T)] 524 /// getShadowTy(other type) = i16 525 Type *getShadowTy(Type *OrigTy); 526 /// Returns the shadow type of of V's type. 527 Type *getShadowTy(Value *V); 528 529 const uint64_t NumOfElementsInArgOrgTLS = ArgTLSSize / OriginWidthBytes; 530 531 public: 532 DataFlowSanitizer(const std::vector<std::string> &ABIListFiles); 533 534 bool runImpl(Module &M); 535 }; 536 537 struct DFSanFunction { 538 DataFlowSanitizer &DFS; 539 Function *F; 540 DominatorTree DT; 541 bool IsNativeABI; 542 bool IsForceZeroLabels; 543 AllocaInst *LabelReturnAlloca = nullptr; 544 AllocaInst *OriginReturnAlloca = nullptr; 545 DenseMap<Value *, Value *> ValShadowMap; 546 DenseMap<Value *, Value *> ValOriginMap; 547 DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap; 548 DenseMap<AllocaInst *, AllocaInst *> AllocaOriginMap; 549 550 struct PHIFixupElement { 551 PHINode *Phi; 552 PHINode *ShadowPhi; 553 PHINode *OriginPhi; 554 }; 555 std::vector<PHIFixupElement> PHIFixups; 556 557 DenseSet<Instruction *> SkipInsts; 558 std::vector<Value *> NonZeroChecks; 559 560 struct CachedShadow { 561 BasicBlock *Block; // The block where Shadow is defined. 562 Value *Shadow; 563 }; 564 /// Maps a value to its latest shadow value in terms of domination tree. 565 DenseMap<std::pair<Value *, Value *>, CachedShadow> CachedShadows; 566 /// Maps a value to its latest collapsed shadow value it was converted to in 567 /// terms of domination tree. When ClDebugNonzeroLabels is on, this cache is 568 /// used at a post process where CFG blocks are split. So it does not cache 569 /// BasicBlock like CachedShadows, but uses domination between values. 570 DenseMap<Value *, Value *> CachedCollapsedShadows; 571 DenseMap<Value *, std::set<Value *>> ShadowElements; 572 573 DFSanFunction(DataFlowSanitizer &DFS, Function *F, bool IsNativeABI, 574 bool IsForceZeroLabels) 575 : DFS(DFS), F(F), IsNativeABI(IsNativeABI), 576 IsForceZeroLabels(IsForceZeroLabels) { 577 DT.recalculate(*F); 578 } 579 580 /// Computes the shadow address for a given function argument. 581 /// 582 /// Shadow = ArgTLS+ArgOffset. 583 Value *getArgTLS(Type *T, unsigned ArgOffset, IRBuilder<> &IRB); 584 585 /// Computes the shadow address for a return value. 586 Value *getRetvalTLS(Type *T, IRBuilder<> &IRB); 587 588 /// Computes the origin address for a given function argument. 589 /// 590 /// Origin = ArgOriginTLS[ArgNo]. 591 Value *getArgOriginTLS(unsigned ArgNo, IRBuilder<> &IRB); 592 593 /// Computes the origin address for a return value. 594 Value *getRetvalOriginTLS(); 595 596 Value *getOrigin(Value *V); 597 void setOrigin(Instruction *I, Value *Origin); 598 /// Generates IR to compute the origin of the last operand with a taint label. 599 Value *combineOperandOrigins(Instruction *Inst); 600 /// Before the instruction Pos, generates IR to compute the last origin with a 601 /// taint label. Labels and origins are from vectors Shadows and Origins 602 /// correspondingly. The generated IR is like 603 /// Sn-1 != Zero ? On-1: ... S2 != Zero ? O2: S1 != Zero ? O1: O0 604 /// When Zero is nullptr, it uses ZeroPrimitiveShadow. Otherwise it can be 605 /// zeros with other bitwidths. 606 Value *combineOrigins(const std::vector<Value *> &Shadows, 607 const std::vector<Value *> &Origins, Instruction *Pos, 608 ConstantInt *Zero = nullptr); 609 610 Value *getShadow(Value *V); 611 void setShadow(Instruction *I, Value *Shadow); 612 /// Generates IR to compute the union of the two given shadows, inserting it 613 /// before Pos. The combined value is with primitive type. 614 Value *combineShadows(Value *V1, Value *V2, Instruction *Pos); 615 /// Combines the shadow values of V1 and V2, then converts the combined value 616 /// with primitive type into a shadow value with the original type T. 617 Value *combineShadowsThenConvert(Type *T, Value *V1, Value *V2, 618 Instruction *Pos); 619 Value *combineOperandShadows(Instruction *Inst); 620 621 /// Generates IR to load shadow and origin corresponding to bytes [\p 622 /// Addr, \p Addr + \p Size), where addr has alignment \p 623 /// InstAlignment, and take the union of each of those shadows. The returned 624 /// shadow always has primitive type. 625 /// 626 /// When tracking loads is enabled, the returned origin is a chain at the 627 /// current stack if the returned shadow is tainted. 628 std::pair<Value *, Value *> loadShadowOrigin(Value *Addr, uint64_t Size, 629 Align InstAlignment, 630 Instruction *Pos); 631 632 void storePrimitiveShadowOrigin(Value *Addr, uint64_t Size, 633 Align InstAlignment, Value *PrimitiveShadow, 634 Value *Origin, Instruction *Pos); 635 /// Applies PrimitiveShadow to all primitive subtypes of T, returning 636 /// the expanded shadow value. 637 /// 638 /// EFP({T1,T2, ...}, PS) = {EFP(T1,PS),EFP(T2,PS),...} 639 /// EFP([n x T], PS) = [n x EFP(T,PS)] 640 /// EFP(other types, PS) = PS 641 Value *expandFromPrimitiveShadow(Type *T, Value *PrimitiveShadow, 642 Instruction *Pos); 643 /// Collapses Shadow into a single primitive shadow value, unioning all 644 /// primitive shadow values in the process. Returns the final primitive 645 /// shadow value. 646 /// 647 /// CTP({V1,V2, ...}) = UNION(CFP(V1,PS),CFP(V2,PS),...) 648 /// CTP([V1,V2,...]) = UNION(CFP(V1,PS),CFP(V2,PS),...) 649 /// CTP(other types, PS) = PS 650 Value *collapseToPrimitiveShadow(Value *Shadow, Instruction *Pos); 651 652 void storeZeroPrimitiveShadow(Value *Addr, uint64_t Size, Align ShadowAlign, 653 Instruction *Pos); 654 655 Align getShadowAlign(Align InstAlignment); 656 657 // If ClConditionalCallbacks is enabled, insert a callback after a given 658 // branch instruction using the given conditional expression. 659 void addConditionalCallbacksIfEnabled(Instruction &I, Value *Condition); 660 661 private: 662 /// Collapses the shadow with aggregate type into a single primitive shadow 663 /// value. 664 template <class AggregateType> 665 Value *collapseAggregateShadow(AggregateType *AT, Value *Shadow, 666 IRBuilder<> &IRB); 667 668 Value *collapseToPrimitiveShadow(Value *Shadow, IRBuilder<> &IRB); 669 670 /// Returns the shadow value of an argument A. 671 Value *getShadowForTLSArgument(Argument *A); 672 673 /// The fast path of loading shadows. 674 std::pair<Value *, Value *> 675 loadShadowFast(Value *ShadowAddr, Value *OriginAddr, uint64_t Size, 676 Align ShadowAlign, Align OriginAlign, Value *FirstOrigin, 677 Instruction *Pos); 678 679 Align getOriginAlign(Align InstAlignment); 680 681 /// Because 4 contiguous bytes share one 4-byte origin, the most accurate load 682 /// is __dfsan_load_label_and_origin. This function returns the union of all 683 /// labels and the origin of the first taint label. However this is an 684 /// additional call with many instructions. To ensure common cases are fast, 685 /// checks if it is possible to load labels and origins without using the 686 /// callback function. 687 /// 688 /// When enabling tracking load instructions, we always use 689 /// __dfsan_load_label_and_origin to reduce code size. 690 bool useCallbackLoadLabelAndOrigin(uint64_t Size, Align InstAlignment); 691 692 /// Returns a chain at the current stack with previous origin V. 693 Value *updateOrigin(Value *V, IRBuilder<> &IRB); 694 695 /// Returns a chain at the current stack with previous origin V if Shadow is 696 /// tainted. 697 Value *updateOriginIfTainted(Value *Shadow, Value *Origin, IRBuilder<> &IRB); 698 699 /// Creates an Intptr = Origin | Origin << 32 if Intptr's size is 64. Returns 700 /// Origin otherwise. 701 Value *originToIntptr(IRBuilder<> &IRB, Value *Origin); 702 703 /// Stores Origin into the address range [StoreOriginAddr, StoreOriginAddr + 704 /// Size). 705 void paintOrigin(IRBuilder<> &IRB, Value *Origin, Value *StoreOriginAddr, 706 uint64_t StoreOriginSize, Align Alignment); 707 708 /// Stores Origin in terms of its Shadow value. 709 /// * Do not write origins for zero shadows because we do not trace origins 710 /// for untainted sinks. 711 /// * Use __dfsan_maybe_store_origin if there are too many origin store 712 /// instrumentations. 713 void storeOrigin(Instruction *Pos, Value *Addr, uint64_t Size, Value *Shadow, 714 Value *Origin, Value *StoreOriginAddr, Align InstAlignment); 715 716 /// Convert a scalar value to an i1 by comparing with 0. 717 Value *convertToBool(Value *V, IRBuilder<> &IRB, const Twine &Name = ""); 718 719 bool shouldInstrumentWithCall(); 720 721 /// Generates IR to load shadow and origin corresponding to bytes [\p 722 /// Addr, \p Addr + \p Size), where addr has alignment \p 723 /// InstAlignment, and take the union of each of those shadows. The returned 724 /// shadow always has primitive type. 725 std::pair<Value *, Value *> 726 loadShadowOriginSansLoadTracking(Value *Addr, uint64_t Size, 727 Align InstAlignment, Instruction *Pos); 728 int NumOriginStores = 0; 729 }; 730 731 class DFSanVisitor : public InstVisitor<DFSanVisitor> { 732 public: 733 DFSanFunction &DFSF; 734 735 DFSanVisitor(DFSanFunction &DFSF) : DFSF(DFSF) {} 736 737 const DataLayout &getDataLayout() const { 738 return DFSF.F->getParent()->getDataLayout(); 739 } 740 741 // Combines shadow values and origins for all of I's operands. 742 void visitInstOperands(Instruction &I); 743 744 void visitUnaryOperator(UnaryOperator &UO); 745 void visitBinaryOperator(BinaryOperator &BO); 746 void visitBitCastInst(BitCastInst &BCI); 747 void visitCastInst(CastInst &CI); 748 void visitCmpInst(CmpInst &CI); 749 void visitLandingPadInst(LandingPadInst &LPI); 750 void visitGetElementPtrInst(GetElementPtrInst &GEPI); 751 void visitLoadInst(LoadInst &LI); 752 void visitStoreInst(StoreInst &SI); 753 void visitAtomicRMWInst(AtomicRMWInst &I); 754 void visitAtomicCmpXchgInst(AtomicCmpXchgInst &I); 755 void visitReturnInst(ReturnInst &RI); 756 void visitCallBase(CallBase &CB); 757 void visitPHINode(PHINode &PN); 758 void visitExtractElementInst(ExtractElementInst &I); 759 void visitInsertElementInst(InsertElementInst &I); 760 void visitShuffleVectorInst(ShuffleVectorInst &I); 761 void visitExtractValueInst(ExtractValueInst &I); 762 void visitInsertValueInst(InsertValueInst &I); 763 void visitAllocaInst(AllocaInst &I); 764 void visitSelectInst(SelectInst &I); 765 void visitMemSetInst(MemSetInst &I); 766 void visitMemTransferInst(MemTransferInst &I); 767 void visitBranchInst(BranchInst &BR); 768 void visitSwitchInst(SwitchInst &SW); 769 770 private: 771 void visitCASOrRMW(Align InstAlignment, Instruction &I); 772 773 // Returns false when this is an invoke of a custom function. 774 bool visitWrappedCallBase(Function &F, CallBase &CB); 775 776 // Combines origins for all of I's operands. 777 void visitInstOperandOrigins(Instruction &I); 778 779 void addShadowArguments(Function &F, CallBase &CB, std::vector<Value *> &Args, 780 IRBuilder<> &IRB); 781 782 void addOriginArguments(Function &F, CallBase &CB, std::vector<Value *> &Args, 783 IRBuilder<> &IRB); 784 }; 785 786 } // end anonymous namespace 787 788 DataFlowSanitizer::DataFlowSanitizer( 789 const std::vector<std::string> &ABIListFiles) { 790 std::vector<std::string> AllABIListFiles(std::move(ABIListFiles)); 791 llvm::append_range(AllABIListFiles, ClABIListFiles); 792 // FIXME: should we propagate vfs::FileSystem to this constructor? 793 ABIList.set( 794 SpecialCaseList::createOrDie(AllABIListFiles, *vfs::getRealFileSystem())); 795 } 796 797 FunctionType *DataFlowSanitizer::getTrampolineFunctionType(FunctionType *T) { 798 assert(!T->isVarArg()); 799 SmallVector<Type *, 4> ArgTypes; 800 ArgTypes.push_back(T->getPointerTo()); 801 ArgTypes.append(T->param_begin(), T->param_end()); 802 ArgTypes.append(T->getNumParams(), PrimitiveShadowTy); 803 Type *RetType = T->getReturnType(); 804 if (!RetType->isVoidTy()) 805 ArgTypes.push_back(PrimitiveShadowPtrTy); 806 807 if (shouldTrackOrigins()) { 808 ArgTypes.append(T->getNumParams(), OriginTy); 809 if (!RetType->isVoidTy()) 810 ArgTypes.push_back(OriginPtrTy); 811 } 812 813 return FunctionType::get(T->getReturnType(), ArgTypes, false); 814 } 815 816 TransformedFunction DataFlowSanitizer::getCustomFunctionType(FunctionType *T) { 817 SmallVector<Type *, 4> ArgTypes; 818 819 // Some parameters of the custom function being constructed are 820 // parameters of T. Record the mapping from parameters of T to 821 // parameters of the custom function, so that parameter attributes 822 // at call sites can be updated. 823 std::vector<unsigned> ArgumentIndexMapping; 824 for (unsigned I = 0, E = T->getNumParams(); I != E; ++I) { 825 Type *ParamType = T->getParamType(I); 826 FunctionType *FT; 827 if (isa<PointerType>(ParamType) && 828 (FT = dyn_cast<FunctionType>(ParamType->getPointerElementType()))) { 829 ArgumentIndexMapping.push_back(ArgTypes.size()); 830 ArgTypes.push_back(getTrampolineFunctionType(FT)->getPointerTo()); 831 ArgTypes.push_back(Type::getInt8PtrTy(*Ctx)); 832 } else { 833 ArgumentIndexMapping.push_back(ArgTypes.size()); 834 ArgTypes.push_back(ParamType); 835 } 836 } 837 for (unsigned I = 0, E = T->getNumParams(); I != E; ++I) 838 ArgTypes.push_back(PrimitiveShadowTy); 839 if (T->isVarArg()) 840 ArgTypes.push_back(PrimitiveShadowPtrTy); 841 Type *RetType = T->getReturnType(); 842 if (!RetType->isVoidTy()) 843 ArgTypes.push_back(PrimitiveShadowPtrTy); 844 845 if (shouldTrackOrigins()) { 846 for (unsigned I = 0, E = T->getNumParams(); I != E; ++I) 847 ArgTypes.push_back(OriginTy); 848 if (T->isVarArg()) 849 ArgTypes.push_back(OriginPtrTy); 850 if (!RetType->isVoidTy()) 851 ArgTypes.push_back(OriginPtrTy); 852 } 853 854 return TransformedFunction( 855 T, FunctionType::get(T->getReturnType(), ArgTypes, T->isVarArg()), 856 ArgumentIndexMapping); 857 } 858 859 bool DataFlowSanitizer::isZeroShadow(Value *V) { 860 Type *T = V->getType(); 861 if (!isa<ArrayType>(T) && !isa<StructType>(T)) { 862 if (const ConstantInt *CI = dyn_cast<ConstantInt>(V)) 863 return CI->isZero(); 864 return false; 865 } 866 867 return isa<ConstantAggregateZero>(V); 868 } 869 870 bool DataFlowSanitizer::hasLoadSizeForFastPath(uint64_t Size) { 871 uint64_t ShadowSize = Size * ShadowWidthBytes; 872 return ShadowSize % 8 == 0 || ShadowSize == 4; 873 } 874 875 bool DataFlowSanitizer::shouldTrackOrigins() { 876 static const bool ShouldTrackOrigins = ClTrackOrigins; 877 return ShouldTrackOrigins; 878 } 879 880 Constant *DataFlowSanitizer::getZeroShadow(Type *OrigTy) { 881 if (!isa<ArrayType>(OrigTy) && !isa<StructType>(OrigTy)) 882 return ZeroPrimitiveShadow; 883 Type *ShadowTy = getShadowTy(OrigTy); 884 return ConstantAggregateZero::get(ShadowTy); 885 } 886 887 Constant *DataFlowSanitizer::getZeroShadow(Value *V) { 888 return getZeroShadow(V->getType()); 889 } 890 891 static Value *expandFromPrimitiveShadowRecursive( 892 Value *Shadow, SmallVector<unsigned, 4> &Indices, Type *SubShadowTy, 893 Value *PrimitiveShadow, IRBuilder<> &IRB) { 894 if (!isa<ArrayType>(SubShadowTy) && !isa<StructType>(SubShadowTy)) 895 return IRB.CreateInsertValue(Shadow, PrimitiveShadow, Indices); 896 897 if (ArrayType *AT = dyn_cast<ArrayType>(SubShadowTy)) { 898 for (unsigned Idx = 0; Idx < AT->getNumElements(); Idx++) { 899 Indices.push_back(Idx); 900 Shadow = expandFromPrimitiveShadowRecursive( 901 Shadow, Indices, AT->getElementType(), PrimitiveShadow, IRB); 902 Indices.pop_back(); 903 } 904 return Shadow; 905 } 906 907 if (StructType *ST = dyn_cast<StructType>(SubShadowTy)) { 908 for (unsigned Idx = 0; Idx < ST->getNumElements(); Idx++) { 909 Indices.push_back(Idx); 910 Shadow = expandFromPrimitiveShadowRecursive( 911 Shadow, Indices, ST->getElementType(Idx), PrimitiveShadow, IRB); 912 Indices.pop_back(); 913 } 914 return Shadow; 915 } 916 llvm_unreachable("Unexpected shadow type"); 917 } 918 919 bool DFSanFunction::shouldInstrumentWithCall() { 920 return ClInstrumentWithCallThreshold >= 0 && 921 NumOriginStores >= ClInstrumentWithCallThreshold; 922 } 923 924 Value *DFSanFunction::expandFromPrimitiveShadow(Type *T, Value *PrimitiveShadow, 925 Instruction *Pos) { 926 Type *ShadowTy = DFS.getShadowTy(T); 927 928 if (!isa<ArrayType>(ShadowTy) && !isa<StructType>(ShadowTy)) 929 return PrimitiveShadow; 930 931 if (DFS.isZeroShadow(PrimitiveShadow)) 932 return DFS.getZeroShadow(ShadowTy); 933 934 IRBuilder<> IRB(Pos); 935 SmallVector<unsigned, 4> Indices; 936 Value *Shadow = UndefValue::get(ShadowTy); 937 Shadow = expandFromPrimitiveShadowRecursive(Shadow, Indices, ShadowTy, 938 PrimitiveShadow, IRB); 939 940 // Caches the primitive shadow value that built the shadow value. 941 CachedCollapsedShadows[Shadow] = PrimitiveShadow; 942 return Shadow; 943 } 944 945 template <class AggregateType> 946 Value *DFSanFunction::collapseAggregateShadow(AggregateType *AT, Value *Shadow, 947 IRBuilder<> &IRB) { 948 if (!AT->getNumElements()) 949 return DFS.ZeroPrimitiveShadow; 950 951 Value *FirstItem = IRB.CreateExtractValue(Shadow, 0); 952 Value *Aggregator = collapseToPrimitiveShadow(FirstItem, IRB); 953 954 for (unsigned Idx = 1; Idx < AT->getNumElements(); Idx++) { 955 Value *ShadowItem = IRB.CreateExtractValue(Shadow, Idx); 956 Value *ShadowInner = collapseToPrimitiveShadow(ShadowItem, IRB); 957 Aggregator = IRB.CreateOr(Aggregator, ShadowInner); 958 } 959 return Aggregator; 960 } 961 962 Value *DFSanFunction::collapseToPrimitiveShadow(Value *Shadow, 963 IRBuilder<> &IRB) { 964 Type *ShadowTy = Shadow->getType(); 965 if (!isa<ArrayType>(ShadowTy) && !isa<StructType>(ShadowTy)) 966 return Shadow; 967 if (ArrayType *AT = dyn_cast<ArrayType>(ShadowTy)) 968 return collapseAggregateShadow<>(AT, Shadow, IRB); 969 if (StructType *ST = dyn_cast<StructType>(ShadowTy)) 970 return collapseAggregateShadow<>(ST, Shadow, IRB); 971 llvm_unreachable("Unexpected shadow type"); 972 } 973 974 Value *DFSanFunction::collapseToPrimitiveShadow(Value *Shadow, 975 Instruction *Pos) { 976 Type *ShadowTy = Shadow->getType(); 977 if (!isa<ArrayType>(ShadowTy) && !isa<StructType>(ShadowTy)) 978 return Shadow; 979 980 // Checks if the cached collapsed shadow value dominates Pos. 981 Value *&CS = CachedCollapsedShadows[Shadow]; 982 if (CS && DT.dominates(CS, Pos)) 983 return CS; 984 985 IRBuilder<> IRB(Pos); 986 Value *PrimitiveShadow = collapseToPrimitiveShadow(Shadow, IRB); 987 // Caches the converted primitive shadow value. 988 CS = PrimitiveShadow; 989 return PrimitiveShadow; 990 } 991 992 void DFSanFunction::addConditionalCallbacksIfEnabled(Instruction &I, 993 Value *Condition) { 994 if (!ClConditionalCallbacks) { 995 return; 996 } 997 IRBuilder<> IRB(&I); 998 Value *CondShadow = getShadow(Condition); 999 if (DFS.shouldTrackOrigins()) { 1000 Value *CondOrigin = getOrigin(Condition); 1001 IRB.CreateCall(DFS.DFSanConditionalCallbackOriginFn, 1002 {CondShadow, CondOrigin}); 1003 } else { 1004 IRB.CreateCall(DFS.DFSanConditionalCallbackFn, {CondShadow}); 1005 } 1006 } 1007 1008 Type *DataFlowSanitizer::getShadowTy(Type *OrigTy) { 1009 if (!OrigTy->isSized()) 1010 return PrimitiveShadowTy; 1011 if (isa<IntegerType>(OrigTy)) 1012 return PrimitiveShadowTy; 1013 if (isa<VectorType>(OrigTy)) 1014 return PrimitiveShadowTy; 1015 if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy)) 1016 return ArrayType::get(getShadowTy(AT->getElementType()), 1017 AT->getNumElements()); 1018 if (StructType *ST = dyn_cast<StructType>(OrigTy)) { 1019 SmallVector<Type *, 4> Elements; 1020 for (unsigned I = 0, N = ST->getNumElements(); I < N; ++I) 1021 Elements.push_back(getShadowTy(ST->getElementType(I))); 1022 return StructType::get(*Ctx, Elements); 1023 } 1024 return PrimitiveShadowTy; 1025 } 1026 1027 Type *DataFlowSanitizer::getShadowTy(Value *V) { 1028 return getShadowTy(V->getType()); 1029 } 1030 1031 bool DataFlowSanitizer::initializeModule(Module &M) { 1032 Triple TargetTriple(M.getTargetTriple()); 1033 const DataLayout &DL = M.getDataLayout(); 1034 1035 if (TargetTriple.getOS() != Triple::Linux) 1036 report_fatal_error("unsupported operating system"); 1037 if (TargetTriple.getArch() != Triple::x86_64) 1038 report_fatal_error("unsupported architecture"); 1039 MapParams = &Linux_X86_64_MemoryMapParams; 1040 1041 Mod = &M; 1042 Ctx = &M.getContext(); 1043 Int8Ptr = Type::getInt8PtrTy(*Ctx); 1044 OriginTy = IntegerType::get(*Ctx, OriginWidthBits); 1045 OriginPtrTy = PointerType::getUnqual(OriginTy); 1046 PrimitiveShadowTy = IntegerType::get(*Ctx, ShadowWidthBits); 1047 PrimitiveShadowPtrTy = PointerType::getUnqual(PrimitiveShadowTy); 1048 IntptrTy = DL.getIntPtrType(*Ctx); 1049 ZeroPrimitiveShadow = ConstantInt::getSigned(PrimitiveShadowTy, 0); 1050 ZeroOrigin = ConstantInt::getSigned(OriginTy, 0); 1051 1052 Type *DFSanUnionLoadArgs[2] = {PrimitiveShadowPtrTy, IntptrTy}; 1053 DFSanUnionLoadFnTy = FunctionType::get(PrimitiveShadowTy, DFSanUnionLoadArgs, 1054 /*isVarArg=*/false); 1055 Type *DFSanLoadLabelAndOriginArgs[2] = {Int8Ptr, IntptrTy}; 1056 DFSanLoadLabelAndOriginFnTy = 1057 FunctionType::get(IntegerType::get(*Ctx, 64), DFSanLoadLabelAndOriginArgs, 1058 /*isVarArg=*/false); 1059 DFSanUnimplementedFnTy = FunctionType::get( 1060 Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false); 1061 Type *DFSanSetLabelArgs[4] = {PrimitiveShadowTy, OriginTy, 1062 Type::getInt8PtrTy(*Ctx), IntptrTy}; 1063 DFSanSetLabelFnTy = FunctionType::get(Type::getVoidTy(*Ctx), 1064 DFSanSetLabelArgs, /*isVarArg=*/false); 1065 DFSanNonzeroLabelFnTy = 1066 FunctionType::get(Type::getVoidTy(*Ctx), None, /*isVarArg=*/false); 1067 DFSanVarargWrapperFnTy = FunctionType::get( 1068 Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false); 1069 DFSanConditionalCallbackFnTy = 1070 FunctionType::get(Type::getVoidTy(*Ctx), PrimitiveShadowTy, 1071 /*isVarArg=*/false); 1072 Type *DFSanConditionalCallbackOriginArgs[2] = {PrimitiveShadowTy, OriginTy}; 1073 DFSanConditionalCallbackOriginFnTy = FunctionType::get( 1074 Type::getVoidTy(*Ctx), DFSanConditionalCallbackOriginArgs, 1075 /*isVarArg=*/false); 1076 DFSanCmpCallbackFnTy = 1077 FunctionType::get(Type::getVoidTy(*Ctx), PrimitiveShadowTy, 1078 /*isVarArg=*/false); 1079 DFSanChainOriginFnTy = 1080 FunctionType::get(OriginTy, OriginTy, /*isVarArg=*/false); 1081 Type *DFSanChainOriginIfTaintedArgs[2] = {PrimitiveShadowTy, OriginTy}; 1082 DFSanChainOriginIfTaintedFnTy = FunctionType::get( 1083 OriginTy, DFSanChainOriginIfTaintedArgs, /*isVarArg=*/false); 1084 Type *DFSanMaybeStoreOriginArgs[4] = {IntegerType::get(*Ctx, ShadowWidthBits), 1085 Int8Ptr, IntptrTy, OriginTy}; 1086 DFSanMaybeStoreOriginFnTy = FunctionType::get( 1087 Type::getVoidTy(*Ctx), DFSanMaybeStoreOriginArgs, /*isVarArg=*/false); 1088 Type *DFSanMemOriginTransferArgs[3] = {Int8Ptr, Int8Ptr, IntptrTy}; 1089 DFSanMemOriginTransferFnTy = FunctionType::get( 1090 Type::getVoidTy(*Ctx), DFSanMemOriginTransferArgs, /*isVarArg=*/false); 1091 Type *DFSanLoadStoreCallbackArgs[2] = {PrimitiveShadowTy, Int8Ptr}; 1092 DFSanLoadStoreCallbackFnTy = 1093 FunctionType::get(Type::getVoidTy(*Ctx), DFSanLoadStoreCallbackArgs, 1094 /*isVarArg=*/false); 1095 Type *DFSanMemTransferCallbackArgs[2] = {PrimitiveShadowPtrTy, IntptrTy}; 1096 DFSanMemTransferCallbackFnTy = 1097 FunctionType::get(Type::getVoidTy(*Ctx), DFSanMemTransferCallbackArgs, 1098 /*isVarArg=*/false); 1099 1100 ColdCallWeights = MDBuilder(*Ctx).createBranchWeights(1, 1000); 1101 OriginStoreWeights = MDBuilder(*Ctx).createBranchWeights(1, 1000); 1102 return true; 1103 } 1104 1105 bool DataFlowSanitizer::isInstrumented(const Function *F) { 1106 return !ABIList.isIn(*F, "uninstrumented"); 1107 } 1108 1109 bool DataFlowSanitizer::isInstrumented(const GlobalAlias *GA) { 1110 return !ABIList.isIn(*GA, "uninstrumented"); 1111 } 1112 1113 bool DataFlowSanitizer::isForceZeroLabels(const Function *F) { 1114 return ABIList.isIn(*F, "force_zero_labels"); 1115 } 1116 1117 DataFlowSanitizer::WrapperKind DataFlowSanitizer::getWrapperKind(Function *F) { 1118 if (ABIList.isIn(*F, "functional")) 1119 return WK_Functional; 1120 if (ABIList.isIn(*F, "discard")) 1121 return WK_Discard; 1122 if (ABIList.isIn(*F, "custom")) 1123 return WK_Custom; 1124 1125 return WK_Warning; 1126 } 1127 1128 void DataFlowSanitizer::addGlobalNameSuffix(GlobalValue *GV) { 1129 std::string GVName = std::string(GV->getName()), Suffix = ".dfsan"; 1130 GV->setName(GVName + Suffix); 1131 1132 // Try to change the name of the function in module inline asm. We only do 1133 // this for specific asm directives, currently only ".symver", to try to avoid 1134 // corrupting asm which happens to contain the symbol name as a substring. 1135 // Note that the substitution for .symver assumes that the versioned symbol 1136 // also has an instrumented name. 1137 std::string Asm = GV->getParent()->getModuleInlineAsm(); 1138 std::string SearchStr = ".symver " + GVName + ","; 1139 size_t Pos = Asm.find(SearchStr); 1140 if (Pos != std::string::npos) { 1141 Asm.replace(Pos, SearchStr.size(), ".symver " + GVName + Suffix + ","); 1142 Pos = Asm.find("@"); 1143 1144 if (Pos == std::string::npos) 1145 report_fatal_error(Twine("unsupported .symver: ", Asm)); 1146 1147 Asm.replace(Pos, 1, Suffix + "@"); 1148 GV->getParent()->setModuleInlineAsm(Asm); 1149 } 1150 } 1151 1152 Function * 1153 DataFlowSanitizer::buildWrapperFunction(Function *F, StringRef NewFName, 1154 GlobalValue::LinkageTypes NewFLink, 1155 FunctionType *NewFT) { 1156 FunctionType *FT = F->getFunctionType(); 1157 Function *NewF = Function::Create(NewFT, NewFLink, F->getAddressSpace(), 1158 NewFName, F->getParent()); 1159 NewF->copyAttributesFrom(F); 1160 NewF->removeRetAttrs( 1161 AttributeFuncs::typeIncompatible(NewFT->getReturnType())); 1162 1163 BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", NewF); 1164 if (F->isVarArg()) { 1165 NewF->removeFnAttr("split-stack"); 1166 CallInst::Create(DFSanVarargWrapperFn, 1167 IRBuilder<>(BB).CreateGlobalStringPtr(F->getName()), "", 1168 BB); 1169 new UnreachableInst(*Ctx, BB); 1170 } else { 1171 auto ArgIt = pointer_iterator<Argument *>(NewF->arg_begin()); 1172 std::vector<Value *> Args(ArgIt, ArgIt + FT->getNumParams()); 1173 1174 CallInst *CI = CallInst::Create(F, Args, "", BB); 1175 if (FT->getReturnType()->isVoidTy()) 1176 ReturnInst::Create(*Ctx, BB); 1177 else 1178 ReturnInst::Create(*Ctx, CI, BB); 1179 } 1180 1181 return NewF; 1182 } 1183 1184 Constant *DataFlowSanitizer::getOrBuildTrampolineFunction(FunctionType *FT, 1185 StringRef FName) { 1186 FunctionType *FTT = getTrampolineFunctionType(FT); 1187 FunctionCallee C = Mod->getOrInsertFunction(FName, FTT); 1188 Function *F = dyn_cast<Function>(C.getCallee()); 1189 if (F && F->isDeclaration()) { 1190 F->setLinkage(GlobalValue::LinkOnceODRLinkage); 1191 BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", F); 1192 std::vector<Value *> Args; 1193 Function::arg_iterator AI = F->arg_begin() + 1; 1194 for (unsigned N = FT->getNumParams(); N != 0; ++AI, --N) 1195 Args.push_back(&*AI); 1196 CallInst *CI = CallInst::Create(FT, &*F->arg_begin(), Args, "", BB); 1197 Type *RetType = FT->getReturnType(); 1198 ReturnInst *RI = RetType->isVoidTy() ? ReturnInst::Create(*Ctx, BB) 1199 : ReturnInst::Create(*Ctx, CI, BB); 1200 1201 // F is called by a wrapped custom function with primitive shadows. So 1202 // its arguments and return value need conversion. 1203 DFSanFunction DFSF(*this, F, /*IsNativeABI=*/true, 1204 /*IsForceZeroLabels=*/false); 1205 Function::arg_iterator ValAI = F->arg_begin(), ShadowAI = AI; 1206 ++ValAI; 1207 for (unsigned N = FT->getNumParams(); N != 0; ++ValAI, ++ShadowAI, --N) { 1208 Value *Shadow = 1209 DFSF.expandFromPrimitiveShadow(ValAI->getType(), &*ShadowAI, CI); 1210 DFSF.ValShadowMap[&*ValAI] = Shadow; 1211 } 1212 Function::arg_iterator RetShadowAI = ShadowAI; 1213 const bool ShouldTrackOrigins = shouldTrackOrigins(); 1214 if (ShouldTrackOrigins) { 1215 ValAI = F->arg_begin(); 1216 ++ValAI; 1217 Function::arg_iterator OriginAI = ShadowAI; 1218 if (!RetType->isVoidTy()) 1219 ++OriginAI; 1220 for (unsigned N = FT->getNumParams(); N != 0; ++ValAI, ++OriginAI, --N) { 1221 DFSF.ValOriginMap[&*ValAI] = &*OriginAI; 1222 } 1223 } 1224 DFSanVisitor(DFSF).visitCallInst(*CI); 1225 if (!RetType->isVoidTy()) { 1226 Value *PrimitiveShadow = DFSF.collapseToPrimitiveShadow( 1227 DFSF.getShadow(RI->getReturnValue()), RI); 1228 new StoreInst(PrimitiveShadow, &*RetShadowAI, RI); 1229 if (ShouldTrackOrigins) { 1230 Value *Origin = DFSF.getOrigin(RI->getReturnValue()); 1231 new StoreInst(Origin, &*std::prev(F->arg_end()), RI); 1232 } 1233 } 1234 } 1235 1236 return cast<Constant>(C.getCallee()); 1237 } 1238 1239 // Initialize DataFlowSanitizer runtime functions and declare them in the module 1240 void DataFlowSanitizer::initializeRuntimeFunctions(Module &M) { 1241 { 1242 AttributeList AL; 1243 AL = AL.addFnAttribute(M.getContext(), Attribute::NoUnwind); 1244 AL = AL.addFnAttribute(M.getContext(), Attribute::ReadOnly); 1245 AL = AL.addRetAttribute(M.getContext(), Attribute::ZExt); 1246 DFSanUnionLoadFn = 1247 Mod->getOrInsertFunction("__dfsan_union_load", DFSanUnionLoadFnTy, AL); 1248 } 1249 { 1250 AttributeList AL; 1251 AL = AL.addFnAttribute(M.getContext(), Attribute::NoUnwind); 1252 AL = AL.addFnAttribute(M.getContext(), Attribute::ReadOnly); 1253 AL = AL.addRetAttribute(M.getContext(), Attribute::ZExt); 1254 DFSanLoadLabelAndOriginFn = Mod->getOrInsertFunction( 1255 "__dfsan_load_label_and_origin", DFSanLoadLabelAndOriginFnTy, AL); 1256 } 1257 DFSanUnimplementedFn = 1258 Mod->getOrInsertFunction("__dfsan_unimplemented", DFSanUnimplementedFnTy); 1259 { 1260 AttributeList AL; 1261 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 1262 AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt); 1263 DFSanSetLabelFn = 1264 Mod->getOrInsertFunction("__dfsan_set_label", DFSanSetLabelFnTy, AL); 1265 } 1266 DFSanNonzeroLabelFn = 1267 Mod->getOrInsertFunction("__dfsan_nonzero_label", DFSanNonzeroLabelFnTy); 1268 DFSanVarargWrapperFn = Mod->getOrInsertFunction("__dfsan_vararg_wrapper", 1269 DFSanVarargWrapperFnTy); 1270 { 1271 AttributeList AL; 1272 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 1273 AL = AL.addRetAttribute(M.getContext(), Attribute::ZExt); 1274 DFSanChainOriginFn = Mod->getOrInsertFunction("__dfsan_chain_origin", 1275 DFSanChainOriginFnTy, AL); 1276 } 1277 { 1278 AttributeList AL; 1279 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 1280 AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt); 1281 AL = AL.addRetAttribute(M.getContext(), Attribute::ZExt); 1282 DFSanChainOriginIfTaintedFn = Mod->getOrInsertFunction( 1283 "__dfsan_chain_origin_if_tainted", DFSanChainOriginIfTaintedFnTy, AL); 1284 } 1285 DFSanMemOriginTransferFn = Mod->getOrInsertFunction( 1286 "__dfsan_mem_origin_transfer", DFSanMemOriginTransferFnTy); 1287 1288 { 1289 AttributeList AL; 1290 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt); 1291 AL = AL.addParamAttribute(M.getContext(), 3, Attribute::ZExt); 1292 DFSanMaybeStoreOriginFn = Mod->getOrInsertFunction( 1293 "__dfsan_maybe_store_origin", DFSanMaybeStoreOriginFnTy, AL); 1294 } 1295 1296 DFSanRuntimeFunctions.insert( 1297 DFSanUnionLoadFn.getCallee()->stripPointerCasts()); 1298 DFSanRuntimeFunctions.insert( 1299 DFSanLoadLabelAndOriginFn.getCallee()->stripPointerCasts()); 1300 DFSanRuntimeFunctions.insert( 1301 DFSanUnimplementedFn.getCallee()->stripPointerCasts()); 1302 DFSanRuntimeFunctions.insert( 1303 DFSanSetLabelFn.getCallee()->stripPointerCasts()); 1304 DFSanRuntimeFunctions.insert( 1305 DFSanNonzeroLabelFn.getCallee()->stripPointerCasts()); 1306 DFSanRuntimeFunctions.insert( 1307 DFSanVarargWrapperFn.getCallee()->stripPointerCasts()); 1308 DFSanRuntimeFunctions.insert( 1309 DFSanLoadCallbackFn.getCallee()->stripPointerCasts()); 1310 DFSanRuntimeFunctions.insert( 1311 DFSanStoreCallbackFn.getCallee()->stripPointerCasts()); 1312 DFSanRuntimeFunctions.insert( 1313 DFSanMemTransferCallbackFn.getCallee()->stripPointerCasts()); 1314 DFSanRuntimeFunctions.insert( 1315 DFSanConditionalCallbackFn.getCallee()->stripPointerCasts()); 1316 DFSanRuntimeFunctions.insert( 1317 DFSanConditionalCallbackOriginFn.getCallee()->stripPointerCasts()); 1318 DFSanRuntimeFunctions.insert( 1319 DFSanCmpCallbackFn.getCallee()->stripPointerCasts()); 1320 DFSanRuntimeFunctions.insert( 1321 DFSanChainOriginFn.getCallee()->stripPointerCasts()); 1322 DFSanRuntimeFunctions.insert( 1323 DFSanChainOriginIfTaintedFn.getCallee()->stripPointerCasts()); 1324 DFSanRuntimeFunctions.insert( 1325 DFSanMemOriginTransferFn.getCallee()->stripPointerCasts()); 1326 DFSanRuntimeFunctions.insert( 1327 DFSanMaybeStoreOriginFn.getCallee()->stripPointerCasts()); 1328 } 1329 1330 // Initializes event callback functions and declare them in the module 1331 void DataFlowSanitizer::initializeCallbackFunctions(Module &M) { 1332 DFSanLoadCallbackFn = Mod->getOrInsertFunction("__dfsan_load_callback", 1333 DFSanLoadStoreCallbackFnTy); 1334 DFSanStoreCallbackFn = Mod->getOrInsertFunction("__dfsan_store_callback", 1335 DFSanLoadStoreCallbackFnTy); 1336 DFSanMemTransferCallbackFn = Mod->getOrInsertFunction( 1337 "__dfsan_mem_transfer_callback", DFSanMemTransferCallbackFnTy); 1338 DFSanCmpCallbackFn = 1339 Mod->getOrInsertFunction("__dfsan_cmp_callback", DFSanCmpCallbackFnTy); 1340 1341 DFSanConditionalCallbackFn = Mod->getOrInsertFunction( 1342 "__dfsan_conditional_callback", DFSanConditionalCallbackFnTy); 1343 DFSanConditionalCallbackOriginFn = 1344 Mod->getOrInsertFunction("__dfsan_conditional_callback_origin", 1345 DFSanConditionalCallbackOriginFnTy); 1346 } 1347 1348 void DataFlowSanitizer::injectMetadataGlobals(Module &M) { 1349 // These variables can be used: 1350 // - by the runtime (to discover what the shadow width was, during 1351 // compilation) 1352 // - in testing (to avoid hardcoding the shadow width and type but instead 1353 // extract them by pattern matching) 1354 Type *IntTy = Type::getInt32Ty(*Ctx); 1355 (void)Mod->getOrInsertGlobal("__dfsan_shadow_width_bits", IntTy, [&] { 1356 return new GlobalVariable( 1357 M, IntTy, /*isConstant=*/true, GlobalValue::WeakODRLinkage, 1358 ConstantInt::get(IntTy, ShadowWidthBits), "__dfsan_shadow_width_bits"); 1359 }); 1360 (void)Mod->getOrInsertGlobal("__dfsan_shadow_width_bytes", IntTy, [&] { 1361 return new GlobalVariable(M, IntTy, /*isConstant=*/true, 1362 GlobalValue::WeakODRLinkage, 1363 ConstantInt::get(IntTy, ShadowWidthBytes), 1364 "__dfsan_shadow_width_bytes"); 1365 }); 1366 } 1367 1368 bool DataFlowSanitizer::runImpl(Module &M) { 1369 initializeModule(M); 1370 1371 if (ABIList.isIn(M, "skip")) 1372 return false; 1373 1374 const unsigned InitialGlobalSize = M.global_size(); 1375 const unsigned InitialModuleSize = M.size(); 1376 1377 bool Changed = false; 1378 1379 auto GetOrInsertGlobal = [this, &Changed](StringRef Name, 1380 Type *Ty) -> Constant * { 1381 Constant *C = Mod->getOrInsertGlobal(Name, Ty); 1382 if (GlobalVariable *G = dyn_cast<GlobalVariable>(C)) { 1383 Changed |= G->getThreadLocalMode() != GlobalVariable::InitialExecTLSModel; 1384 G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel); 1385 } 1386 return C; 1387 }; 1388 1389 // These globals must be kept in sync with the ones in dfsan.cpp. 1390 ArgTLS = 1391 GetOrInsertGlobal("__dfsan_arg_tls", 1392 ArrayType::get(Type::getInt64Ty(*Ctx), ArgTLSSize / 8)); 1393 RetvalTLS = GetOrInsertGlobal( 1394 "__dfsan_retval_tls", 1395 ArrayType::get(Type::getInt64Ty(*Ctx), RetvalTLSSize / 8)); 1396 ArgOriginTLSTy = ArrayType::get(OriginTy, NumOfElementsInArgOrgTLS); 1397 ArgOriginTLS = GetOrInsertGlobal("__dfsan_arg_origin_tls", ArgOriginTLSTy); 1398 RetvalOriginTLS = GetOrInsertGlobal("__dfsan_retval_origin_tls", OriginTy); 1399 1400 (void)Mod->getOrInsertGlobal("__dfsan_track_origins", OriginTy, [&] { 1401 Changed = true; 1402 return new GlobalVariable( 1403 M, OriginTy, true, GlobalValue::WeakODRLinkage, 1404 ConstantInt::getSigned(OriginTy, 1405 shouldTrackOrigins() ? ClTrackOrigins : 0), 1406 "__dfsan_track_origins"); 1407 }); 1408 1409 injectMetadataGlobals(M); 1410 1411 initializeCallbackFunctions(M); 1412 initializeRuntimeFunctions(M); 1413 1414 std::vector<Function *> FnsToInstrument; 1415 SmallPtrSet<Function *, 2> FnsWithNativeABI; 1416 SmallPtrSet<Function *, 2> FnsWithForceZeroLabel; 1417 SmallPtrSet<Constant *, 1> PersonalityFns; 1418 for (Function &F : M) 1419 if (!F.isIntrinsic() && !DFSanRuntimeFunctions.contains(&F)) { 1420 FnsToInstrument.push_back(&F); 1421 if (F.hasPersonalityFn()) 1422 PersonalityFns.insert(F.getPersonalityFn()->stripPointerCasts()); 1423 } 1424 1425 if (ClIgnorePersonalityRoutine) { 1426 for (auto *C : PersonalityFns) { 1427 assert(isa<Function>(C) && "Personality routine is not a function!"); 1428 Function *F = cast<Function>(C); 1429 if (!isInstrumented(F)) 1430 FnsToInstrument.erase( 1431 std::remove(FnsToInstrument.begin(), FnsToInstrument.end(), F), 1432 FnsToInstrument.end()); 1433 } 1434 } 1435 1436 // Give function aliases prefixes when necessary, and build wrappers where the 1437 // instrumentedness is inconsistent. 1438 for (GlobalAlias &GA : llvm::make_early_inc_range(M.aliases())) { 1439 // Don't stop on weak. We assume people aren't playing games with the 1440 // instrumentedness of overridden weak aliases. 1441 auto *F = dyn_cast<Function>(GA.getAliaseeObject()); 1442 if (!F) 1443 continue; 1444 1445 bool GAInst = isInstrumented(&GA), FInst = isInstrumented(F); 1446 if (GAInst && FInst) { 1447 addGlobalNameSuffix(&GA); 1448 } else if (GAInst != FInst) { 1449 // Non-instrumented alias of an instrumented function, or vice versa. 1450 // Replace the alias with a native-ABI wrapper of the aliasee. The pass 1451 // below will take care of instrumenting it. 1452 Function *NewF = 1453 buildWrapperFunction(F, "", GA.getLinkage(), F->getFunctionType()); 1454 GA.replaceAllUsesWith(ConstantExpr::getBitCast(NewF, GA.getType())); 1455 NewF->takeName(&GA); 1456 GA.eraseFromParent(); 1457 FnsToInstrument.push_back(NewF); 1458 } 1459 } 1460 1461 ReadOnlyNoneAttrs.addAttribute(Attribute::ReadOnly) 1462 .addAttribute(Attribute::ReadNone); 1463 1464 // First, change the ABI of every function in the module. ABI-listed 1465 // functions keep their original ABI and get a wrapper function. 1466 for (std::vector<Function *>::iterator FI = FnsToInstrument.begin(), 1467 FE = FnsToInstrument.end(); 1468 FI != FE; ++FI) { 1469 Function &F = **FI; 1470 FunctionType *FT = F.getFunctionType(); 1471 1472 bool IsZeroArgsVoidRet = (FT->getNumParams() == 0 && !FT->isVarArg() && 1473 FT->getReturnType()->isVoidTy()); 1474 1475 if (isInstrumented(&F)) { 1476 if (isForceZeroLabels(&F)) 1477 FnsWithForceZeroLabel.insert(&F); 1478 1479 // Instrumented functions get a '.dfsan' suffix. This allows us to more 1480 // easily identify cases of mismatching ABIs. This naming scheme is 1481 // mangling-compatible (see Itanium ABI), using a vendor-specific suffix. 1482 addGlobalNameSuffix(&F); 1483 } else if (!IsZeroArgsVoidRet || getWrapperKind(&F) == WK_Custom) { 1484 // Build a wrapper function for F. The wrapper simply calls F, and is 1485 // added to FnsToInstrument so that any instrumentation according to its 1486 // WrapperKind is done in the second pass below. 1487 1488 // If the function being wrapped has local linkage, then preserve the 1489 // function's linkage in the wrapper function. 1490 GlobalValue::LinkageTypes WrapperLinkage = 1491 F.hasLocalLinkage() ? F.getLinkage() 1492 : GlobalValue::LinkOnceODRLinkage; 1493 1494 Function *NewF = buildWrapperFunction( 1495 &F, 1496 (shouldTrackOrigins() ? std::string("dfso$") : std::string("dfsw$")) + 1497 std::string(F.getName()), 1498 WrapperLinkage, FT); 1499 NewF->removeFnAttrs(ReadOnlyNoneAttrs); 1500 1501 Value *WrappedFnCst = 1502 ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT)); 1503 F.replaceAllUsesWith(WrappedFnCst); 1504 1505 UnwrappedFnMap[WrappedFnCst] = &F; 1506 *FI = NewF; 1507 1508 if (!F.isDeclaration()) { 1509 // This function is probably defining an interposition of an 1510 // uninstrumented function and hence needs to keep the original ABI. 1511 // But any functions it may call need to use the instrumented ABI, so 1512 // we instrument it in a mode which preserves the original ABI. 1513 FnsWithNativeABI.insert(&F); 1514 1515 // This code needs to rebuild the iterators, as they may be invalidated 1516 // by the push_back, taking care that the new range does not include 1517 // any functions added by this code. 1518 size_t N = FI - FnsToInstrument.begin(), 1519 Count = FE - FnsToInstrument.begin(); 1520 FnsToInstrument.push_back(&F); 1521 FI = FnsToInstrument.begin() + N; 1522 FE = FnsToInstrument.begin() + Count; 1523 } 1524 // Hopefully, nobody will try to indirectly call a vararg 1525 // function... yet. 1526 } else if (FT->isVarArg()) { 1527 UnwrappedFnMap[&F] = &F; 1528 *FI = nullptr; 1529 } 1530 } 1531 1532 for (Function *F : FnsToInstrument) { 1533 if (!F || F->isDeclaration()) 1534 continue; 1535 1536 removeUnreachableBlocks(*F); 1537 1538 DFSanFunction DFSF(*this, F, FnsWithNativeABI.count(F), 1539 FnsWithForceZeroLabel.count(F)); 1540 1541 // DFSanVisitor may create new basic blocks, which confuses df_iterator. 1542 // Build a copy of the list before iterating over it. 1543 SmallVector<BasicBlock *, 4> BBList(depth_first(&F->getEntryBlock())); 1544 1545 for (BasicBlock *BB : BBList) { 1546 Instruction *Inst = &BB->front(); 1547 while (true) { 1548 // DFSanVisitor may split the current basic block, changing the current 1549 // instruction's next pointer and moving the next instruction to the 1550 // tail block from which we should continue. 1551 Instruction *Next = Inst->getNextNode(); 1552 // DFSanVisitor may delete Inst, so keep track of whether it was a 1553 // terminator. 1554 bool IsTerminator = Inst->isTerminator(); 1555 if (!DFSF.SkipInsts.count(Inst)) 1556 DFSanVisitor(DFSF).visit(Inst); 1557 if (IsTerminator) 1558 break; 1559 Inst = Next; 1560 } 1561 } 1562 1563 // We will not necessarily be able to compute the shadow for every phi node 1564 // until we have visited every block. Therefore, the code that handles phi 1565 // nodes adds them to the PHIFixups list so that they can be properly 1566 // handled here. 1567 for (DFSanFunction::PHIFixupElement &P : DFSF.PHIFixups) { 1568 for (unsigned Val = 0, N = P.Phi->getNumIncomingValues(); Val != N; 1569 ++Val) { 1570 P.ShadowPhi->setIncomingValue( 1571 Val, DFSF.getShadow(P.Phi->getIncomingValue(Val))); 1572 if (P.OriginPhi) 1573 P.OriginPhi->setIncomingValue( 1574 Val, DFSF.getOrigin(P.Phi->getIncomingValue(Val))); 1575 } 1576 } 1577 1578 // -dfsan-debug-nonzero-labels will split the CFG in all kinds of crazy 1579 // places (i.e. instructions in basic blocks we haven't even begun visiting 1580 // yet). To make our life easier, do this work in a pass after the main 1581 // instrumentation. 1582 if (ClDebugNonzeroLabels) { 1583 for (Value *V : DFSF.NonZeroChecks) { 1584 Instruction *Pos; 1585 if (Instruction *I = dyn_cast<Instruction>(V)) 1586 Pos = I->getNextNode(); 1587 else 1588 Pos = &DFSF.F->getEntryBlock().front(); 1589 while (isa<PHINode>(Pos) || isa<AllocaInst>(Pos)) 1590 Pos = Pos->getNextNode(); 1591 IRBuilder<> IRB(Pos); 1592 Value *PrimitiveShadow = DFSF.collapseToPrimitiveShadow(V, Pos); 1593 Value *Ne = 1594 IRB.CreateICmpNE(PrimitiveShadow, DFSF.DFS.ZeroPrimitiveShadow); 1595 BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen( 1596 Ne, Pos, /*Unreachable=*/false, ColdCallWeights)); 1597 IRBuilder<> ThenIRB(BI); 1598 ThenIRB.CreateCall(DFSF.DFS.DFSanNonzeroLabelFn, {}); 1599 } 1600 } 1601 } 1602 1603 return Changed || !FnsToInstrument.empty() || 1604 M.global_size() != InitialGlobalSize || M.size() != InitialModuleSize; 1605 } 1606 1607 Value *DFSanFunction::getArgTLS(Type *T, unsigned ArgOffset, IRBuilder<> &IRB) { 1608 Value *Base = IRB.CreatePointerCast(DFS.ArgTLS, DFS.IntptrTy); 1609 if (ArgOffset) 1610 Base = IRB.CreateAdd(Base, ConstantInt::get(DFS.IntptrTy, ArgOffset)); 1611 return IRB.CreateIntToPtr(Base, PointerType::get(DFS.getShadowTy(T), 0), 1612 "_dfsarg"); 1613 } 1614 1615 Value *DFSanFunction::getRetvalTLS(Type *T, IRBuilder<> &IRB) { 1616 return IRB.CreatePointerCast( 1617 DFS.RetvalTLS, PointerType::get(DFS.getShadowTy(T), 0), "_dfsret"); 1618 } 1619 1620 Value *DFSanFunction::getRetvalOriginTLS() { return DFS.RetvalOriginTLS; } 1621 1622 Value *DFSanFunction::getArgOriginTLS(unsigned ArgNo, IRBuilder<> &IRB) { 1623 return IRB.CreateConstGEP2_64(DFS.ArgOriginTLSTy, DFS.ArgOriginTLS, 0, ArgNo, 1624 "_dfsarg_o"); 1625 } 1626 1627 Value *DFSanFunction::getOrigin(Value *V) { 1628 assert(DFS.shouldTrackOrigins()); 1629 if (!isa<Argument>(V) && !isa<Instruction>(V)) 1630 return DFS.ZeroOrigin; 1631 Value *&Origin = ValOriginMap[V]; 1632 if (!Origin) { 1633 if (Argument *A = dyn_cast<Argument>(V)) { 1634 if (IsNativeABI) 1635 return DFS.ZeroOrigin; 1636 if (A->getArgNo() < DFS.NumOfElementsInArgOrgTLS) { 1637 Instruction *ArgOriginTLSPos = &*F->getEntryBlock().begin(); 1638 IRBuilder<> IRB(ArgOriginTLSPos); 1639 Value *ArgOriginPtr = getArgOriginTLS(A->getArgNo(), IRB); 1640 Origin = IRB.CreateLoad(DFS.OriginTy, ArgOriginPtr); 1641 } else { 1642 // Overflow 1643 Origin = DFS.ZeroOrigin; 1644 } 1645 } else { 1646 Origin = DFS.ZeroOrigin; 1647 } 1648 } 1649 return Origin; 1650 } 1651 1652 void DFSanFunction::setOrigin(Instruction *I, Value *Origin) { 1653 if (!DFS.shouldTrackOrigins()) 1654 return; 1655 assert(!ValOriginMap.count(I)); 1656 assert(Origin->getType() == DFS.OriginTy); 1657 ValOriginMap[I] = Origin; 1658 } 1659 1660 Value *DFSanFunction::getShadowForTLSArgument(Argument *A) { 1661 unsigned ArgOffset = 0; 1662 const DataLayout &DL = F->getParent()->getDataLayout(); 1663 for (auto &FArg : F->args()) { 1664 if (!FArg.getType()->isSized()) { 1665 if (A == &FArg) 1666 break; 1667 continue; 1668 } 1669 1670 unsigned Size = DL.getTypeAllocSize(DFS.getShadowTy(&FArg)); 1671 if (A != &FArg) { 1672 ArgOffset += alignTo(Size, ShadowTLSAlignment); 1673 if (ArgOffset > ArgTLSSize) 1674 break; // ArgTLS overflows, uses a zero shadow. 1675 continue; 1676 } 1677 1678 if (ArgOffset + Size > ArgTLSSize) 1679 break; // ArgTLS overflows, uses a zero shadow. 1680 1681 Instruction *ArgTLSPos = &*F->getEntryBlock().begin(); 1682 IRBuilder<> IRB(ArgTLSPos); 1683 Value *ArgShadowPtr = getArgTLS(FArg.getType(), ArgOffset, IRB); 1684 return IRB.CreateAlignedLoad(DFS.getShadowTy(&FArg), ArgShadowPtr, 1685 ShadowTLSAlignment); 1686 } 1687 1688 return DFS.getZeroShadow(A); 1689 } 1690 1691 Value *DFSanFunction::getShadow(Value *V) { 1692 if (!isa<Argument>(V) && !isa<Instruction>(V)) 1693 return DFS.getZeroShadow(V); 1694 if (IsForceZeroLabels) 1695 return DFS.getZeroShadow(V); 1696 Value *&Shadow = ValShadowMap[V]; 1697 if (!Shadow) { 1698 if (Argument *A = dyn_cast<Argument>(V)) { 1699 if (IsNativeABI) 1700 return DFS.getZeroShadow(V); 1701 Shadow = getShadowForTLSArgument(A); 1702 NonZeroChecks.push_back(Shadow); 1703 } else { 1704 Shadow = DFS.getZeroShadow(V); 1705 } 1706 } 1707 return Shadow; 1708 } 1709 1710 void DFSanFunction::setShadow(Instruction *I, Value *Shadow) { 1711 assert(!ValShadowMap.count(I)); 1712 ValShadowMap[I] = Shadow; 1713 } 1714 1715 /// Compute the integer shadow offset that corresponds to a given 1716 /// application address. 1717 /// 1718 /// Offset = (Addr & ~AndMask) ^ XorMask 1719 Value *DataFlowSanitizer::getShadowOffset(Value *Addr, IRBuilder<> &IRB) { 1720 assert(Addr != RetvalTLS && "Reinstrumenting?"); 1721 Value *OffsetLong = IRB.CreatePointerCast(Addr, IntptrTy); 1722 1723 uint64_t AndMask = MapParams->AndMask; 1724 if (AndMask) 1725 OffsetLong = 1726 IRB.CreateAnd(OffsetLong, ConstantInt::get(IntptrTy, ~AndMask)); 1727 1728 uint64_t XorMask = MapParams->XorMask; 1729 if (XorMask) 1730 OffsetLong = IRB.CreateXor(OffsetLong, ConstantInt::get(IntptrTy, XorMask)); 1731 return OffsetLong; 1732 } 1733 1734 std::pair<Value *, Value *> 1735 DataFlowSanitizer::getShadowOriginAddress(Value *Addr, Align InstAlignment, 1736 Instruction *Pos) { 1737 // Returns ((Addr & shadow_mask) + origin_base - shadow_base) & ~4UL 1738 IRBuilder<> IRB(Pos); 1739 Value *ShadowOffset = getShadowOffset(Addr, IRB); 1740 Value *ShadowLong = ShadowOffset; 1741 uint64_t ShadowBase = MapParams->ShadowBase; 1742 if (ShadowBase != 0) { 1743 ShadowLong = 1744 IRB.CreateAdd(ShadowLong, ConstantInt::get(IntptrTy, ShadowBase)); 1745 } 1746 IntegerType *ShadowTy = IntegerType::get(*Ctx, ShadowWidthBits); 1747 Value *ShadowPtr = 1748 IRB.CreateIntToPtr(ShadowLong, PointerType::get(ShadowTy, 0)); 1749 Value *OriginPtr = nullptr; 1750 if (shouldTrackOrigins()) { 1751 Value *OriginLong = ShadowOffset; 1752 uint64_t OriginBase = MapParams->OriginBase; 1753 if (OriginBase != 0) 1754 OriginLong = 1755 IRB.CreateAdd(OriginLong, ConstantInt::get(IntptrTy, OriginBase)); 1756 const Align Alignment = llvm::assumeAligned(InstAlignment.value()); 1757 // When alignment is >= 4, Addr must be aligned to 4, otherwise it is UB. 1758 // So Mask is unnecessary. 1759 if (Alignment < MinOriginAlignment) { 1760 uint64_t Mask = MinOriginAlignment.value() - 1; 1761 OriginLong = IRB.CreateAnd(OriginLong, ConstantInt::get(IntptrTy, ~Mask)); 1762 } 1763 OriginPtr = IRB.CreateIntToPtr(OriginLong, OriginPtrTy); 1764 } 1765 return std::make_pair(ShadowPtr, OriginPtr); 1766 } 1767 1768 Value *DataFlowSanitizer::getShadowAddress(Value *Addr, Instruction *Pos, 1769 Value *ShadowOffset) { 1770 IRBuilder<> IRB(Pos); 1771 return IRB.CreateIntToPtr(ShadowOffset, PrimitiveShadowPtrTy); 1772 } 1773 1774 Value *DataFlowSanitizer::getShadowAddress(Value *Addr, Instruction *Pos) { 1775 IRBuilder<> IRB(Pos); 1776 Value *ShadowOffset = getShadowOffset(Addr, IRB); 1777 return getShadowAddress(Addr, Pos, ShadowOffset); 1778 } 1779 1780 Value *DFSanFunction::combineShadowsThenConvert(Type *T, Value *V1, Value *V2, 1781 Instruction *Pos) { 1782 Value *PrimitiveValue = combineShadows(V1, V2, Pos); 1783 return expandFromPrimitiveShadow(T, PrimitiveValue, Pos); 1784 } 1785 1786 // Generates IR to compute the union of the two given shadows, inserting it 1787 // before Pos. The combined value is with primitive type. 1788 Value *DFSanFunction::combineShadows(Value *V1, Value *V2, Instruction *Pos) { 1789 if (DFS.isZeroShadow(V1)) 1790 return collapseToPrimitiveShadow(V2, Pos); 1791 if (DFS.isZeroShadow(V2)) 1792 return collapseToPrimitiveShadow(V1, Pos); 1793 if (V1 == V2) 1794 return collapseToPrimitiveShadow(V1, Pos); 1795 1796 auto V1Elems = ShadowElements.find(V1); 1797 auto V2Elems = ShadowElements.find(V2); 1798 if (V1Elems != ShadowElements.end() && V2Elems != ShadowElements.end()) { 1799 if (std::includes(V1Elems->second.begin(), V1Elems->second.end(), 1800 V2Elems->second.begin(), V2Elems->second.end())) { 1801 return collapseToPrimitiveShadow(V1, Pos); 1802 } 1803 if (std::includes(V2Elems->second.begin(), V2Elems->second.end(), 1804 V1Elems->second.begin(), V1Elems->second.end())) { 1805 return collapseToPrimitiveShadow(V2, Pos); 1806 } 1807 } else if (V1Elems != ShadowElements.end()) { 1808 if (V1Elems->second.count(V2)) 1809 return collapseToPrimitiveShadow(V1, Pos); 1810 } else if (V2Elems != ShadowElements.end()) { 1811 if (V2Elems->second.count(V1)) 1812 return collapseToPrimitiveShadow(V2, Pos); 1813 } 1814 1815 auto Key = std::make_pair(V1, V2); 1816 if (V1 > V2) 1817 std::swap(Key.first, Key.second); 1818 CachedShadow &CCS = CachedShadows[Key]; 1819 if (CCS.Block && DT.dominates(CCS.Block, Pos->getParent())) 1820 return CCS.Shadow; 1821 1822 // Converts inputs shadows to shadows with primitive types. 1823 Value *PV1 = collapseToPrimitiveShadow(V1, Pos); 1824 Value *PV2 = collapseToPrimitiveShadow(V2, Pos); 1825 1826 IRBuilder<> IRB(Pos); 1827 CCS.Block = Pos->getParent(); 1828 CCS.Shadow = IRB.CreateOr(PV1, PV2); 1829 1830 std::set<Value *> UnionElems; 1831 if (V1Elems != ShadowElements.end()) { 1832 UnionElems = V1Elems->second; 1833 } else { 1834 UnionElems.insert(V1); 1835 } 1836 if (V2Elems != ShadowElements.end()) { 1837 UnionElems.insert(V2Elems->second.begin(), V2Elems->second.end()); 1838 } else { 1839 UnionElems.insert(V2); 1840 } 1841 ShadowElements[CCS.Shadow] = std::move(UnionElems); 1842 1843 return CCS.Shadow; 1844 } 1845 1846 // A convenience function which folds the shadows of each of the operands 1847 // of the provided instruction Inst, inserting the IR before Inst. Returns 1848 // the computed union Value. 1849 Value *DFSanFunction::combineOperandShadows(Instruction *Inst) { 1850 if (Inst->getNumOperands() == 0) 1851 return DFS.getZeroShadow(Inst); 1852 1853 Value *Shadow = getShadow(Inst->getOperand(0)); 1854 for (unsigned I = 1, N = Inst->getNumOperands(); I < N; ++I) 1855 Shadow = combineShadows(Shadow, getShadow(Inst->getOperand(I)), Inst); 1856 1857 return expandFromPrimitiveShadow(Inst->getType(), Shadow, Inst); 1858 } 1859 1860 void DFSanVisitor::visitInstOperands(Instruction &I) { 1861 Value *CombinedShadow = DFSF.combineOperandShadows(&I); 1862 DFSF.setShadow(&I, CombinedShadow); 1863 visitInstOperandOrigins(I); 1864 } 1865 1866 Value *DFSanFunction::combineOrigins(const std::vector<Value *> &Shadows, 1867 const std::vector<Value *> &Origins, 1868 Instruction *Pos, ConstantInt *Zero) { 1869 assert(Shadows.size() == Origins.size()); 1870 size_t Size = Origins.size(); 1871 if (Size == 0) 1872 return DFS.ZeroOrigin; 1873 Value *Origin = nullptr; 1874 if (!Zero) 1875 Zero = DFS.ZeroPrimitiveShadow; 1876 for (size_t I = 0; I != Size; ++I) { 1877 Value *OpOrigin = Origins[I]; 1878 Constant *ConstOpOrigin = dyn_cast<Constant>(OpOrigin); 1879 if (ConstOpOrigin && ConstOpOrigin->isNullValue()) 1880 continue; 1881 if (!Origin) { 1882 Origin = OpOrigin; 1883 continue; 1884 } 1885 Value *OpShadow = Shadows[I]; 1886 Value *PrimitiveShadow = collapseToPrimitiveShadow(OpShadow, Pos); 1887 IRBuilder<> IRB(Pos); 1888 Value *Cond = IRB.CreateICmpNE(PrimitiveShadow, Zero); 1889 Origin = IRB.CreateSelect(Cond, OpOrigin, Origin); 1890 } 1891 return Origin ? Origin : DFS.ZeroOrigin; 1892 } 1893 1894 Value *DFSanFunction::combineOperandOrigins(Instruction *Inst) { 1895 size_t Size = Inst->getNumOperands(); 1896 std::vector<Value *> Shadows(Size); 1897 std::vector<Value *> Origins(Size); 1898 for (unsigned I = 0; I != Size; ++I) { 1899 Shadows[I] = getShadow(Inst->getOperand(I)); 1900 Origins[I] = getOrigin(Inst->getOperand(I)); 1901 } 1902 return combineOrigins(Shadows, Origins, Inst); 1903 } 1904 1905 void DFSanVisitor::visitInstOperandOrigins(Instruction &I) { 1906 if (!DFSF.DFS.shouldTrackOrigins()) 1907 return; 1908 Value *CombinedOrigin = DFSF.combineOperandOrigins(&I); 1909 DFSF.setOrigin(&I, CombinedOrigin); 1910 } 1911 1912 Align DFSanFunction::getShadowAlign(Align InstAlignment) { 1913 const Align Alignment = ClPreserveAlignment ? InstAlignment : Align(1); 1914 return Align(Alignment.value() * DFS.ShadowWidthBytes); 1915 } 1916 1917 Align DFSanFunction::getOriginAlign(Align InstAlignment) { 1918 const Align Alignment = llvm::assumeAligned(InstAlignment.value()); 1919 return Align(std::max(MinOriginAlignment, Alignment)); 1920 } 1921 1922 bool DFSanFunction::useCallbackLoadLabelAndOrigin(uint64_t Size, 1923 Align InstAlignment) { 1924 // When enabling tracking load instructions, we always use 1925 // __dfsan_load_label_and_origin to reduce code size. 1926 if (ClTrackOrigins == 2) 1927 return true; 1928 1929 assert(Size != 0); 1930 // * if Size == 1, it is sufficient to load its origin aligned at 4. 1931 // * if Size == 2, we assume most cases Addr % 2 == 0, so it is sufficient to 1932 // load its origin aligned at 4. If not, although origins may be lost, it 1933 // should not happen very often. 1934 // * if align >= 4, Addr must be aligned to 4, otherwise it is UB. When 1935 // Size % 4 == 0, it is more efficient to load origins without callbacks. 1936 // * Otherwise we use __dfsan_load_label_and_origin. 1937 // This should ensure that common cases run efficiently. 1938 if (Size <= 2) 1939 return false; 1940 1941 const Align Alignment = llvm::assumeAligned(InstAlignment.value()); 1942 return Alignment < MinOriginAlignment || !DFS.hasLoadSizeForFastPath(Size); 1943 } 1944 1945 Value *DataFlowSanitizer::loadNextOrigin(Instruction *Pos, Align OriginAlign, 1946 Value **OriginAddr) { 1947 IRBuilder<> IRB(Pos); 1948 *OriginAddr = 1949 IRB.CreateGEP(OriginTy, *OriginAddr, ConstantInt::get(IntptrTy, 1)); 1950 return IRB.CreateAlignedLoad(OriginTy, *OriginAddr, OriginAlign); 1951 } 1952 1953 std::pair<Value *, Value *> DFSanFunction::loadShadowFast( 1954 Value *ShadowAddr, Value *OriginAddr, uint64_t Size, Align ShadowAlign, 1955 Align OriginAlign, Value *FirstOrigin, Instruction *Pos) { 1956 const bool ShouldTrackOrigins = DFS.shouldTrackOrigins(); 1957 const uint64_t ShadowSize = Size * DFS.ShadowWidthBytes; 1958 1959 assert(Size >= 4 && "Not large enough load size for fast path!"); 1960 1961 // Used for origin tracking. 1962 std::vector<Value *> Shadows; 1963 std::vector<Value *> Origins; 1964 1965 // Load instructions in LLVM can have arbitrary byte sizes (e.g., 3, 12, 20) 1966 // but this function is only used in a subset of cases that make it possible 1967 // to optimize the instrumentation. 1968 // 1969 // Specifically, when the shadow size in bytes (i.e., loaded bytes x shadow 1970 // per byte) is either: 1971 // - a multiple of 8 (common) 1972 // - equal to 4 (only for load32) 1973 // 1974 // For the second case, we can fit the wide shadow in a 32-bit integer. In all 1975 // other cases, we use a 64-bit integer to hold the wide shadow. 1976 Type *WideShadowTy = 1977 ShadowSize == 4 ? Type::getInt32Ty(*DFS.Ctx) : Type::getInt64Ty(*DFS.Ctx); 1978 1979 IRBuilder<> IRB(Pos); 1980 Value *WideAddr = IRB.CreateBitCast(ShadowAddr, WideShadowTy->getPointerTo()); 1981 Value *CombinedWideShadow = 1982 IRB.CreateAlignedLoad(WideShadowTy, WideAddr, ShadowAlign); 1983 1984 unsigned WideShadowBitWidth = WideShadowTy->getIntegerBitWidth(); 1985 const uint64_t BytesPerWideShadow = WideShadowBitWidth / DFS.ShadowWidthBits; 1986 1987 auto AppendWideShadowAndOrigin = [&](Value *WideShadow, Value *Origin) { 1988 if (BytesPerWideShadow > 4) { 1989 assert(BytesPerWideShadow == 8); 1990 // The wide shadow relates to two origin pointers: one for the first four 1991 // application bytes, and one for the latest four. We use a left shift to 1992 // get just the shadow bytes that correspond to the first origin pointer, 1993 // and then the entire shadow for the second origin pointer (which will be 1994 // chosen by combineOrigins() iff the least-significant half of the wide 1995 // shadow was empty but the other half was not). 1996 Value *WideShadowLo = IRB.CreateShl( 1997 WideShadow, ConstantInt::get(WideShadowTy, WideShadowBitWidth / 2)); 1998 Shadows.push_back(WideShadow); 1999 Origins.push_back(DFS.loadNextOrigin(Pos, OriginAlign, &OriginAddr)); 2000 2001 Shadows.push_back(WideShadowLo); 2002 Origins.push_back(Origin); 2003 } else { 2004 Shadows.push_back(WideShadow); 2005 Origins.push_back(Origin); 2006 } 2007 }; 2008 2009 if (ShouldTrackOrigins) 2010 AppendWideShadowAndOrigin(CombinedWideShadow, FirstOrigin); 2011 2012 // First OR all the WideShadows (i.e., 64bit or 32bit shadow chunks) linearly; 2013 // then OR individual shadows within the combined WideShadow by binary ORing. 2014 // This is fewer instructions than ORing shadows individually, since it 2015 // needs logN shift/or instructions (N being the bytes of the combined wide 2016 // shadow). 2017 for (uint64_t ByteOfs = BytesPerWideShadow; ByteOfs < Size; 2018 ByteOfs += BytesPerWideShadow) { 2019 WideAddr = IRB.CreateGEP(WideShadowTy, WideAddr, 2020 ConstantInt::get(DFS.IntptrTy, 1)); 2021 Value *NextWideShadow = 2022 IRB.CreateAlignedLoad(WideShadowTy, WideAddr, ShadowAlign); 2023 CombinedWideShadow = IRB.CreateOr(CombinedWideShadow, NextWideShadow); 2024 if (ShouldTrackOrigins) { 2025 Value *NextOrigin = DFS.loadNextOrigin(Pos, OriginAlign, &OriginAddr); 2026 AppendWideShadowAndOrigin(NextWideShadow, NextOrigin); 2027 } 2028 } 2029 for (unsigned Width = WideShadowBitWidth / 2; Width >= DFS.ShadowWidthBits; 2030 Width >>= 1) { 2031 Value *ShrShadow = IRB.CreateLShr(CombinedWideShadow, Width); 2032 CombinedWideShadow = IRB.CreateOr(CombinedWideShadow, ShrShadow); 2033 } 2034 return {IRB.CreateTrunc(CombinedWideShadow, DFS.PrimitiveShadowTy), 2035 ShouldTrackOrigins 2036 ? combineOrigins(Shadows, Origins, Pos, 2037 ConstantInt::getSigned(IRB.getInt64Ty(), 0)) 2038 : DFS.ZeroOrigin}; 2039 } 2040 2041 std::pair<Value *, Value *> DFSanFunction::loadShadowOriginSansLoadTracking( 2042 Value *Addr, uint64_t Size, Align InstAlignment, Instruction *Pos) { 2043 const bool ShouldTrackOrigins = DFS.shouldTrackOrigins(); 2044 2045 // Non-escaped loads. 2046 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) { 2047 const auto SI = AllocaShadowMap.find(AI); 2048 if (SI != AllocaShadowMap.end()) { 2049 IRBuilder<> IRB(Pos); 2050 Value *ShadowLI = IRB.CreateLoad(DFS.PrimitiveShadowTy, SI->second); 2051 const auto OI = AllocaOriginMap.find(AI); 2052 assert(!ShouldTrackOrigins || OI != AllocaOriginMap.end()); 2053 return {ShadowLI, ShouldTrackOrigins 2054 ? IRB.CreateLoad(DFS.OriginTy, OI->second) 2055 : nullptr}; 2056 } 2057 } 2058 2059 // Load from constant addresses. 2060 SmallVector<const Value *, 2> Objs; 2061 getUnderlyingObjects(Addr, Objs); 2062 bool AllConstants = true; 2063 for (const Value *Obj : Objs) { 2064 if (isa<Function>(Obj) || isa<BlockAddress>(Obj)) 2065 continue; 2066 if (isa<GlobalVariable>(Obj) && cast<GlobalVariable>(Obj)->isConstant()) 2067 continue; 2068 2069 AllConstants = false; 2070 break; 2071 } 2072 if (AllConstants) 2073 return {DFS.ZeroPrimitiveShadow, 2074 ShouldTrackOrigins ? DFS.ZeroOrigin : nullptr}; 2075 2076 if (Size == 0) 2077 return {DFS.ZeroPrimitiveShadow, 2078 ShouldTrackOrigins ? DFS.ZeroOrigin : nullptr}; 2079 2080 // Use callback to load if this is not an optimizable case for origin 2081 // tracking. 2082 if (ShouldTrackOrigins && 2083 useCallbackLoadLabelAndOrigin(Size, InstAlignment)) { 2084 IRBuilder<> IRB(Pos); 2085 CallInst *Call = 2086 IRB.CreateCall(DFS.DFSanLoadLabelAndOriginFn, 2087 {IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()), 2088 ConstantInt::get(DFS.IntptrTy, Size)}); 2089 Call->addRetAttr(Attribute::ZExt); 2090 return {IRB.CreateTrunc(IRB.CreateLShr(Call, DFS.OriginWidthBits), 2091 DFS.PrimitiveShadowTy), 2092 IRB.CreateTrunc(Call, DFS.OriginTy)}; 2093 } 2094 2095 // Other cases that support loading shadows or origins in a fast way. 2096 Value *ShadowAddr, *OriginAddr; 2097 std::tie(ShadowAddr, OriginAddr) = 2098 DFS.getShadowOriginAddress(Addr, InstAlignment, Pos); 2099 2100 const Align ShadowAlign = getShadowAlign(InstAlignment); 2101 const Align OriginAlign = getOriginAlign(InstAlignment); 2102 Value *Origin = nullptr; 2103 if (ShouldTrackOrigins) { 2104 IRBuilder<> IRB(Pos); 2105 Origin = IRB.CreateAlignedLoad(DFS.OriginTy, OriginAddr, OriginAlign); 2106 } 2107 2108 // When the byte size is small enough, we can load the shadow directly with 2109 // just a few instructions. 2110 switch (Size) { 2111 case 1: { 2112 LoadInst *LI = new LoadInst(DFS.PrimitiveShadowTy, ShadowAddr, "", Pos); 2113 LI->setAlignment(ShadowAlign); 2114 return {LI, Origin}; 2115 } 2116 case 2: { 2117 IRBuilder<> IRB(Pos); 2118 Value *ShadowAddr1 = IRB.CreateGEP(DFS.PrimitiveShadowTy, ShadowAddr, 2119 ConstantInt::get(DFS.IntptrTy, 1)); 2120 Value *Load = 2121 IRB.CreateAlignedLoad(DFS.PrimitiveShadowTy, ShadowAddr, ShadowAlign); 2122 Value *Load1 = 2123 IRB.CreateAlignedLoad(DFS.PrimitiveShadowTy, ShadowAddr1, ShadowAlign); 2124 return {combineShadows(Load, Load1, Pos), Origin}; 2125 } 2126 } 2127 bool HasSizeForFastPath = DFS.hasLoadSizeForFastPath(Size); 2128 2129 if (HasSizeForFastPath) 2130 return loadShadowFast(ShadowAddr, OriginAddr, Size, ShadowAlign, 2131 OriginAlign, Origin, Pos); 2132 2133 IRBuilder<> IRB(Pos); 2134 CallInst *FallbackCall = IRB.CreateCall( 2135 DFS.DFSanUnionLoadFn, {ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)}); 2136 FallbackCall->addRetAttr(Attribute::ZExt); 2137 return {FallbackCall, Origin}; 2138 } 2139 2140 std::pair<Value *, Value *> DFSanFunction::loadShadowOrigin(Value *Addr, 2141 uint64_t Size, 2142 Align InstAlignment, 2143 Instruction *Pos) { 2144 Value *PrimitiveShadow, *Origin; 2145 std::tie(PrimitiveShadow, Origin) = 2146 loadShadowOriginSansLoadTracking(Addr, Size, InstAlignment, Pos); 2147 if (DFS.shouldTrackOrigins()) { 2148 if (ClTrackOrigins == 2) { 2149 IRBuilder<> IRB(Pos); 2150 auto *ConstantShadow = dyn_cast<Constant>(PrimitiveShadow); 2151 if (!ConstantShadow || !ConstantShadow->isZeroValue()) 2152 Origin = updateOriginIfTainted(PrimitiveShadow, Origin, IRB); 2153 } 2154 } 2155 return {PrimitiveShadow, Origin}; 2156 } 2157 2158 static AtomicOrdering addAcquireOrdering(AtomicOrdering AO) { 2159 switch (AO) { 2160 case AtomicOrdering::NotAtomic: 2161 return AtomicOrdering::NotAtomic; 2162 case AtomicOrdering::Unordered: 2163 case AtomicOrdering::Monotonic: 2164 case AtomicOrdering::Acquire: 2165 return AtomicOrdering::Acquire; 2166 case AtomicOrdering::Release: 2167 case AtomicOrdering::AcquireRelease: 2168 return AtomicOrdering::AcquireRelease; 2169 case AtomicOrdering::SequentiallyConsistent: 2170 return AtomicOrdering::SequentiallyConsistent; 2171 } 2172 llvm_unreachable("Unknown ordering"); 2173 } 2174 2175 void DFSanVisitor::visitLoadInst(LoadInst &LI) { 2176 auto &DL = LI.getModule()->getDataLayout(); 2177 uint64_t Size = DL.getTypeStoreSize(LI.getType()); 2178 if (Size == 0) { 2179 DFSF.setShadow(&LI, DFSF.DFS.getZeroShadow(&LI)); 2180 DFSF.setOrigin(&LI, DFSF.DFS.ZeroOrigin); 2181 return; 2182 } 2183 2184 // When an application load is atomic, increase atomic ordering between 2185 // atomic application loads and stores to ensure happen-before order; load 2186 // shadow data after application data; store zero shadow data before 2187 // application data. This ensure shadow loads return either labels of the 2188 // initial application data or zeros. 2189 if (LI.isAtomic()) 2190 LI.setOrdering(addAcquireOrdering(LI.getOrdering())); 2191 2192 Instruction *Pos = LI.isAtomic() ? LI.getNextNode() : &LI; 2193 std::vector<Value *> Shadows; 2194 std::vector<Value *> Origins; 2195 Value *PrimitiveShadow, *Origin; 2196 std::tie(PrimitiveShadow, Origin) = 2197 DFSF.loadShadowOrigin(LI.getPointerOperand(), Size, LI.getAlign(), Pos); 2198 const bool ShouldTrackOrigins = DFSF.DFS.shouldTrackOrigins(); 2199 if (ShouldTrackOrigins) { 2200 Shadows.push_back(PrimitiveShadow); 2201 Origins.push_back(Origin); 2202 } 2203 if (ClCombinePointerLabelsOnLoad) { 2204 Value *PtrShadow = DFSF.getShadow(LI.getPointerOperand()); 2205 PrimitiveShadow = DFSF.combineShadows(PrimitiveShadow, PtrShadow, Pos); 2206 if (ShouldTrackOrigins) { 2207 Shadows.push_back(PtrShadow); 2208 Origins.push_back(DFSF.getOrigin(LI.getPointerOperand())); 2209 } 2210 } 2211 if (!DFSF.DFS.isZeroShadow(PrimitiveShadow)) 2212 DFSF.NonZeroChecks.push_back(PrimitiveShadow); 2213 2214 Value *Shadow = 2215 DFSF.expandFromPrimitiveShadow(LI.getType(), PrimitiveShadow, Pos); 2216 DFSF.setShadow(&LI, Shadow); 2217 2218 if (ShouldTrackOrigins) { 2219 DFSF.setOrigin(&LI, DFSF.combineOrigins(Shadows, Origins, Pos)); 2220 } 2221 2222 if (ClEventCallbacks) { 2223 IRBuilder<> IRB(Pos); 2224 Value *Addr8 = IRB.CreateBitCast(LI.getPointerOperand(), DFSF.DFS.Int8Ptr); 2225 IRB.CreateCall(DFSF.DFS.DFSanLoadCallbackFn, {PrimitiveShadow, Addr8}); 2226 } 2227 } 2228 2229 Value *DFSanFunction::updateOriginIfTainted(Value *Shadow, Value *Origin, 2230 IRBuilder<> &IRB) { 2231 assert(DFS.shouldTrackOrigins()); 2232 return IRB.CreateCall(DFS.DFSanChainOriginIfTaintedFn, {Shadow, Origin}); 2233 } 2234 2235 Value *DFSanFunction::updateOrigin(Value *V, IRBuilder<> &IRB) { 2236 if (!DFS.shouldTrackOrigins()) 2237 return V; 2238 return IRB.CreateCall(DFS.DFSanChainOriginFn, V); 2239 } 2240 2241 Value *DFSanFunction::originToIntptr(IRBuilder<> &IRB, Value *Origin) { 2242 const unsigned OriginSize = DataFlowSanitizer::OriginWidthBytes; 2243 const DataLayout &DL = F->getParent()->getDataLayout(); 2244 unsigned IntptrSize = DL.getTypeStoreSize(DFS.IntptrTy); 2245 if (IntptrSize == OriginSize) 2246 return Origin; 2247 assert(IntptrSize == OriginSize * 2); 2248 Origin = IRB.CreateIntCast(Origin, DFS.IntptrTy, /* isSigned */ false); 2249 return IRB.CreateOr(Origin, IRB.CreateShl(Origin, OriginSize * 8)); 2250 } 2251 2252 void DFSanFunction::paintOrigin(IRBuilder<> &IRB, Value *Origin, 2253 Value *StoreOriginAddr, 2254 uint64_t StoreOriginSize, Align Alignment) { 2255 const unsigned OriginSize = DataFlowSanitizer::OriginWidthBytes; 2256 const DataLayout &DL = F->getParent()->getDataLayout(); 2257 const Align IntptrAlignment = DL.getABITypeAlign(DFS.IntptrTy); 2258 unsigned IntptrSize = DL.getTypeStoreSize(DFS.IntptrTy); 2259 assert(IntptrAlignment >= MinOriginAlignment); 2260 assert(IntptrSize >= OriginSize); 2261 2262 unsigned Ofs = 0; 2263 Align CurrentAlignment = Alignment; 2264 if (Alignment >= IntptrAlignment && IntptrSize > OriginSize) { 2265 Value *IntptrOrigin = originToIntptr(IRB, Origin); 2266 Value *IntptrStoreOriginPtr = IRB.CreatePointerCast( 2267 StoreOriginAddr, PointerType::get(DFS.IntptrTy, 0)); 2268 for (unsigned I = 0; I < StoreOriginSize / IntptrSize; ++I) { 2269 Value *Ptr = 2270 I ? IRB.CreateConstGEP1_32(DFS.IntptrTy, IntptrStoreOriginPtr, I) 2271 : IntptrStoreOriginPtr; 2272 IRB.CreateAlignedStore(IntptrOrigin, Ptr, CurrentAlignment); 2273 Ofs += IntptrSize / OriginSize; 2274 CurrentAlignment = IntptrAlignment; 2275 } 2276 } 2277 2278 for (unsigned I = Ofs; I < (StoreOriginSize + OriginSize - 1) / OriginSize; 2279 ++I) { 2280 Value *GEP = I ? IRB.CreateConstGEP1_32(DFS.OriginTy, StoreOriginAddr, I) 2281 : StoreOriginAddr; 2282 IRB.CreateAlignedStore(Origin, GEP, CurrentAlignment); 2283 CurrentAlignment = MinOriginAlignment; 2284 } 2285 } 2286 2287 Value *DFSanFunction::convertToBool(Value *V, IRBuilder<> &IRB, 2288 const Twine &Name) { 2289 Type *VTy = V->getType(); 2290 assert(VTy->isIntegerTy()); 2291 if (VTy->getIntegerBitWidth() == 1) 2292 // Just converting a bool to a bool, so do nothing. 2293 return V; 2294 return IRB.CreateICmpNE(V, ConstantInt::get(VTy, 0), Name); 2295 } 2296 2297 void DFSanFunction::storeOrigin(Instruction *Pos, Value *Addr, uint64_t Size, 2298 Value *Shadow, Value *Origin, 2299 Value *StoreOriginAddr, Align InstAlignment) { 2300 // Do not write origins for zero shadows because we do not trace origins for 2301 // untainted sinks. 2302 const Align OriginAlignment = getOriginAlign(InstAlignment); 2303 Value *CollapsedShadow = collapseToPrimitiveShadow(Shadow, Pos); 2304 IRBuilder<> IRB(Pos); 2305 if (auto *ConstantShadow = dyn_cast<Constant>(CollapsedShadow)) { 2306 if (!ConstantShadow->isZeroValue()) 2307 paintOrigin(IRB, updateOrigin(Origin, IRB), StoreOriginAddr, Size, 2308 OriginAlignment); 2309 return; 2310 } 2311 2312 if (shouldInstrumentWithCall()) { 2313 IRB.CreateCall(DFS.DFSanMaybeStoreOriginFn, 2314 {CollapsedShadow, 2315 IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()), 2316 ConstantInt::get(DFS.IntptrTy, Size), Origin}); 2317 } else { 2318 Value *Cmp = convertToBool(CollapsedShadow, IRB, "_dfscmp"); 2319 Instruction *CheckTerm = SplitBlockAndInsertIfThen( 2320 Cmp, &*IRB.GetInsertPoint(), false, DFS.OriginStoreWeights, &DT); 2321 IRBuilder<> IRBNew(CheckTerm); 2322 paintOrigin(IRBNew, updateOrigin(Origin, IRBNew), StoreOriginAddr, Size, 2323 OriginAlignment); 2324 ++NumOriginStores; 2325 } 2326 } 2327 2328 void DFSanFunction::storeZeroPrimitiveShadow(Value *Addr, uint64_t Size, 2329 Align ShadowAlign, 2330 Instruction *Pos) { 2331 IRBuilder<> IRB(Pos); 2332 IntegerType *ShadowTy = 2333 IntegerType::get(*DFS.Ctx, Size * DFS.ShadowWidthBits); 2334 Value *ExtZeroShadow = ConstantInt::get(ShadowTy, 0); 2335 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos); 2336 Value *ExtShadowAddr = 2337 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowTy)); 2338 IRB.CreateAlignedStore(ExtZeroShadow, ExtShadowAddr, ShadowAlign); 2339 // Do not write origins for 0 shadows because we do not trace origins for 2340 // untainted sinks. 2341 } 2342 2343 void DFSanFunction::storePrimitiveShadowOrigin(Value *Addr, uint64_t Size, 2344 Align InstAlignment, 2345 Value *PrimitiveShadow, 2346 Value *Origin, 2347 Instruction *Pos) { 2348 const bool ShouldTrackOrigins = DFS.shouldTrackOrigins() && Origin; 2349 2350 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) { 2351 const auto SI = AllocaShadowMap.find(AI); 2352 if (SI != AllocaShadowMap.end()) { 2353 IRBuilder<> IRB(Pos); 2354 IRB.CreateStore(PrimitiveShadow, SI->second); 2355 2356 // Do not write origins for 0 shadows because we do not trace origins for 2357 // untainted sinks. 2358 if (ShouldTrackOrigins && !DFS.isZeroShadow(PrimitiveShadow)) { 2359 const auto OI = AllocaOriginMap.find(AI); 2360 assert(OI != AllocaOriginMap.end() && Origin); 2361 IRB.CreateStore(Origin, OI->second); 2362 } 2363 return; 2364 } 2365 } 2366 2367 const Align ShadowAlign = getShadowAlign(InstAlignment); 2368 if (DFS.isZeroShadow(PrimitiveShadow)) { 2369 storeZeroPrimitiveShadow(Addr, Size, ShadowAlign, Pos); 2370 return; 2371 } 2372 2373 IRBuilder<> IRB(Pos); 2374 Value *ShadowAddr, *OriginAddr; 2375 std::tie(ShadowAddr, OriginAddr) = 2376 DFS.getShadowOriginAddress(Addr, InstAlignment, Pos); 2377 2378 const unsigned ShadowVecSize = 8; 2379 assert(ShadowVecSize * DFS.ShadowWidthBits <= 128 && 2380 "Shadow vector is too large!"); 2381 2382 uint64_t Offset = 0; 2383 uint64_t LeftSize = Size; 2384 if (LeftSize >= ShadowVecSize) { 2385 auto *ShadowVecTy = 2386 FixedVectorType::get(DFS.PrimitiveShadowTy, ShadowVecSize); 2387 Value *ShadowVec = UndefValue::get(ShadowVecTy); 2388 for (unsigned I = 0; I != ShadowVecSize; ++I) { 2389 ShadowVec = IRB.CreateInsertElement( 2390 ShadowVec, PrimitiveShadow, 2391 ConstantInt::get(Type::getInt32Ty(*DFS.Ctx), I)); 2392 } 2393 Value *ShadowVecAddr = 2394 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowVecTy)); 2395 do { 2396 Value *CurShadowVecAddr = 2397 IRB.CreateConstGEP1_32(ShadowVecTy, ShadowVecAddr, Offset); 2398 IRB.CreateAlignedStore(ShadowVec, CurShadowVecAddr, ShadowAlign); 2399 LeftSize -= ShadowVecSize; 2400 ++Offset; 2401 } while (LeftSize >= ShadowVecSize); 2402 Offset *= ShadowVecSize; 2403 } 2404 while (LeftSize > 0) { 2405 Value *CurShadowAddr = 2406 IRB.CreateConstGEP1_32(DFS.PrimitiveShadowTy, ShadowAddr, Offset); 2407 IRB.CreateAlignedStore(PrimitiveShadow, CurShadowAddr, ShadowAlign); 2408 --LeftSize; 2409 ++Offset; 2410 } 2411 2412 if (ShouldTrackOrigins) { 2413 storeOrigin(Pos, Addr, Size, PrimitiveShadow, Origin, OriginAddr, 2414 InstAlignment); 2415 } 2416 } 2417 2418 static AtomicOrdering addReleaseOrdering(AtomicOrdering AO) { 2419 switch (AO) { 2420 case AtomicOrdering::NotAtomic: 2421 return AtomicOrdering::NotAtomic; 2422 case AtomicOrdering::Unordered: 2423 case AtomicOrdering::Monotonic: 2424 case AtomicOrdering::Release: 2425 return AtomicOrdering::Release; 2426 case AtomicOrdering::Acquire: 2427 case AtomicOrdering::AcquireRelease: 2428 return AtomicOrdering::AcquireRelease; 2429 case AtomicOrdering::SequentiallyConsistent: 2430 return AtomicOrdering::SequentiallyConsistent; 2431 } 2432 llvm_unreachable("Unknown ordering"); 2433 } 2434 2435 void DFSanVisitor::visitStoreInst(StoreInst &SI) { 2436 auto &DL = SI.getModule()->getDataLayout(); 2437 Value *Val = SI.getValueOperand(); 2438 uint64_t Size = DL.getTypeStoreSize(Val->getType()); 2439 if (Size == 0) 2440 return; 2441 2442 // When an application store is atomic, increase atomic ordering between 2443 // atomic application loads and stores to ensure happen-before order; load 2444 // shadow data after application data; store zero shadow data before 2445 // application data. This ensure shadow loads return either labels of the 2446 // initial application data or zeros. 2447 if (SI.isAtomic()) 2448 SI.setOrdering(addReleaseOrdering(SI.getOrdering())); 2449 2450 const bool ShouldTrackOrigins = 2451 DFSF.DFS.shouldTrackOrigins() && !SI.isAtomic(); 2452 std::vector<Value *> Shadows; 2453 std::vector<Value *> Origins; 2454 2455 Value *Shadow = 2456 SI.isAtomic() ? DFSF.DFS.getZeroShadow(Val) : DFSF.getShadow(Val); 2457 2458 if (ShouldTrackOrigins) { 2459 Shadows.push_back(Shadow); 2460 Origins.push_back(DFSF.getOrigin(Val)); 2461 } 2462 2463 Value *PrimitiveShadow; 2464 if (ClCombinePointerLabelsOnStore) { 2465 Value *PtrShadow = DFSF.getShadow(SI.getPointerOperand()); 2466 if (ShouldTrackOrigins) { 2467 Shadows.push_back(PtrShadow); 2468 Origins.push_back(DFSF.getOrigin(SI.getPointerOperand())); 2469 } 2470 PrimitiveShadow = DFSF.combineShadows(Shadow, PtrShadow, &SI); 2471 } else { 2472 PrimitiveShadow = DFSF.collapseToPrimitiveShadow(Shadow, &SI); 2473 } 2474 Value *Origin = nullptr; 2475 if (ShouldTrackOrigins) 2476 Origin = DFSF.combineOrigins(Shadows, Origins, &SI); 2477 DFSF.storePrimitiveShadowOrigin(SI.getPointerOperand(), Size, SI.getAlign(), 2478 PrimitiveShadow, Origin, &SI); 2479 if (ClEventCallbacks) { 2480 IRBuilder<> IRB(&SI); 2481 Value *Addr8 = IRB.CreateBitCast(SI.getPointerOperand(), DFSF.DFS.Int8Ptr); 2482 IRB.CreateCall(DFSF.DFS.DFSanStoreCallbackFn, {PrimitiveShadow, Addr8}); 2483 } 2484 } 2485 2486 void DFSanVisitor::visitCASOrRMW(Align InstAlignment, Instruction &I) { 2487 assert(isa<AtomicRMWInst>(I) || isa<AtomicCmpXchgInst>(I)); 2488 2489 Value *Val = I.getOperand(1); 2490 const auto &DL = I.getModule()->getDataLayout(); 2491 uint64_t Size = DL.getTypeStoreSize(Val->getType()); 2492 if (Size == 0) 2493 return; 2494 2495 // Conservatively set data at stored addresses and return with zero shadow to 2496 // prevent shadow data races. 2497 IRBuilder<> IRB(&I); 2498 Value *Addr = I.getOperand(0); 2499 const Align ShadowAlign = DFSF.getShadowAlign(InstAlignment); 2500 DFSF.storeZeroPrimitiveShadow(Addr, Size, ShadowAlign, &I); 2501 DFSF.setShadow(&I, DFSF.DFS.getZeroShadow(&I)); 2502 DFSF.setOrigin(&I, DFSF.DFS.ZeroOrigin); 2503 } 2504 2505 void DFSanVisitor::visitAtomicRMWInst(AtomicRMWInst &I) { 2506 visitCASOrRMW(I.getAlign(), I); 2507 // TODO: The ordering change follows MSan. It is possible not to change 2508 // ordering because we always set and use 0 shadows. 2509 I.setOrdering(addReleaseOrdering(I.getOrdering())); 2510 } 2511 2512 void DFSanVisitor::visitAtomicCmpXchgInst(AtomicCmpXchgInst &I) { 2513 visitCASOrRMW(I.getAlign(), I); 2514 // TODO: The ordering change follows MSan. It is possible not to change 2515 // ordering because we always set and use 0 shadows. 2516 I.setSuccessOrdering(addReleaseOrdering(I.getSuccessOrdering())); 2517 } 2518 2519 void DFSanVisitor::visitUnaryOperator(UnaryOperator &UO) { 2520 visitInstOperands(UO); 2521 } 2522 2523 void DFSanVisitor::visitBinaryOperator(BinaryOperator &BO) { 2524 visitInstOperands(BO); 2525 } 2526 2527 void DFSanVisitor::visitBitCastInst(BitCastInst &BCI) { 2528 // Special case: if this is the bitcast (there is exactly 1 allowed) between 2529 // a musttail call and a ret, don't instrument. New instructions are not 2530 // allowed after a musttail call. 2531 if (auto *CI = dyn_cast<CallInst>(BCI.getOperand(0))) 2532 if (CI->isMustTailCall()) 2533 return; 2534 visitInstOperands(BCI); 2535 } 2536 2537 void DFSanVisitor::visitCastInst(CastInst &CI) { visitInstOperands(CI); } 2538 2539 void DFSanVisitor::visitCmpInst(CmpInst &CI) { 2540 visitInstOperands(CI); 2541 if (ClEventCallbacks) { 2542 IRBuilder<> IRB(&CI); 2543 Value *CombinedShadow = DFSF.getShadow(&CI); 2544 IRB.CreateCall(DFSF.DFS.DFSanCmpCallbackFn, CombinedShadow); 2545 } 2546 } 2547 2548 void DFSanVisitor::visitLandingPadInst(LandingPadInst &LPI) { 2549 // We do not need to track data through LandingPadInst. 2550 // 2551 // For the C++ exceptions, if a value is thrown, this value will be stored 2552 // in a memory location provided by __cxa_allocate_exception(...) (on the 2553 // throw side) or __cxa_begin_catch(...) (on the catch side). 2554 // This memory will have a shadow, so with the loads and stores we will be 2555 // able to propagate labels on data thrown through exceptions, without any 2556 // special handling of the LandingPadInst. 2557 // 2558 // The second element in the pair result of the LandingPadInst is a 2559 // register value, but it is for a type ID and should never be tainted. 2560 DFSF.setShadow(&LPI, DFSF.DFS.getZeroShadow(&LPI)); 2561 DFSF.setOrigin(&LPI, DFSF.DFS.ZeroOrigin); 2562 } 2563 2564 void DFSanVisitor::visitGetElementPtrInst(GetElementPtrInst &GEPI) { 2565 if (ClCombineOffsetLabelsOnGEP) { 2566 visitInstOperands(GEPI); 2567 return; 2568 } 2569 2570 // Only propagate shadow/origin of base pointer value but ignore those of 2571 // offset operands. 2572 Value *BasePointer = GEPI.getPointerOperand(); 2573 DFSF.setShadow(&GEPI, DFSF.getShadow(BasePointer)); 2574 if (DFSF.DFS.shouldTrackOrigins()) 2575 DFSF.setOrigin(&GEPI, DFSF.getOrigin(BasePointer)); 2576 } 2577 2578 void DFSanVisitor::visitExtractElementInst(ExtractElementInst &I) { 2579 visitInstOperands(I); 2580 } 2581 2582 void DFSanVisitor::visitInsertElementInst(InsertElementInst &I) { 2583 visitInstOperands(I); 2584 } 2585 2586 void DFSanVisitor::visitShuffleVectorInst(ShuffleVectorInst &I) { 2587 visitInstOperands(I); 2588 } 2589 2590 void DFSanVisitor::visitExtractValueInst(ExtractValueInst &I) { 2591 IRBuilder<> IRB(&I); 2592 Value *Agg = I.getAggregateOperand(); 2593 Value *AggShadow = DFSF.getShadow(Agg); 2594 Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices()); 2595 DFSF.setShadow(&I, ResShadow); 2596 visitInstOperandOrigins(I); 2597 } 2598 2599 void DFSanVisitor::visitInsertValueInst(InsertValueInst &I) { 2600 IRBuilder<> IRB(&I); 2601 Value *AggShadow = DFSF.getShadow(I.getAggregateOperand()); 2602 Value *InsShadow = DFSF.getShadow(I.getInsertedValueOperand()); 2603 Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices()); 2604 DFSF.setShadow(&I, Res); 2605 visitInstOperandOrigins(I); 2606 } 2607 2608 void DFSanVisitor::visitAllocaInst(AllocaInst &I) { 2609 bool AllLoadsStores = true; 2610 for (User *U : I.users()) { 2611 if (isa<LoadInst>(U)) 2612 continue; 2613 2614 if (StoreInst *SI = dyn_cast<StoreInst>(U)) { 2615 if (SI->getPointerOperand() == &I) 2616 continue; 2617 } 2618 2619 AllLoadsStores = false; 2620 break; 2621 } 2622 if (AllLoadsStores) { 2623 IRBuilder<> IRB(&I); 2624 DFSF.AllocaShadowMap[&I] = IRB.CreateAlloca(DFSF.DFS.PrimitiveShadowTy); 2625 if (DFSF.DFS.shouldTrackOrigins()) { 2626 DFSF.AllocaOriginMap[&I] = 2627 IRB.CreateAlloca(DFSF.DFS.OriginTy, nullptr, "_dfsa"); 2628 } 2629 } 2630 DFSF.setShadow(&I, DFSF.DFS.ZeroPrimitiveShadow); 2631 DFSF.setOrigin(&I, DFSF.DFS.ZeroOrigin); 2632 } 2633 2634 void DFSanVisitor::visitSelectInst(SelectInst &I) { 2635 Value *CondShadow = DFSF.getShadow(I.getCondition()); 2636 Value *TrueShadow = DFSF.getShadow(I.getTrueValue()); 2637 Value *FalseShadow = DFSF.getShadow(I.getFalseValue()); 2638 Value *ShadowSel = nullptr; 2639 const bool ShouldTrackOrigins = DFSF.DFS.shouldTrackOrigins(); 2640 std::vector<Value *> Shadows; 2641 std::vector<Value *> Origins; 2642 Value *TrueOrigin = 2643 ShouldTrackOrigins ? DFSF.getOrigin(I.getTrueValue()) : nullptr; 2644 Value *FalseOrigin = 2645 ShouldTrackOrigins ? DFSF.getOrigin(I.getFalseValue()) : nullptr; 2646 2647 DFSF.addConditionalCallbacksIfEnabled(I, I.getCondition()); 2648 2649 if (isa<VectorType>(I.getCondition()->getType())) { 2650 ShadowSel = DFSF.combineShadowsThenConvert(I.getType(), TrueShadow, 2651 FalseShadow, &I); 2652 if (ShouldTrackOrigins) { 2653 Shadows.push_back(TrueShadow); 2654 Shadows.push_back(FalseShadow); 2655 Origins.push_back(TrueOrigin); 2656 Origins.push_back(FalseOrigin); 2657 } 2658 } else { 2659 if (TrueShadow == FalseShadow) { 2660 ShadowSel = TrueShadow; 2661 if (ShouldTrackOrigins) { 2662 Shadows.push_back(TrueShadow); 2663 Origins.push_back(TrueOrigin); 2664 } 2665 } else { 2666 ShadowSel = 2667 SelectInst::Create(I.getCondition(), TrueShadow, FalseShadow, "", &I); 2668 if (ShouldTrackOrigins) { 2669 Shadows.push_back(ShadowSel); 2670 Origins.push_back(SelectInst::Create(I.getCondition(), TrueOrigin, 2671 FalseOrigin, "", &I)); 2672 } 2673 } 2674 } 2675 DFSF.setShadow(&I, ClTrackSelectControlFlow 2676 ? DFSF.combineShadowsThenConvert( 2677 I.getType(), CondShadow, ShadowSel, &I) 2678 : ShadowSel); 2679 if (ShouldTrackOrigins) { 2680 if (ClTrackSelectControlFlow) { 2681 Shadows.push_back(CondShadow); 2682 Origins.push_back(DFSF.getOrigin(I.getCondition())); 2683 } 2684 DFSF.setOrigin(&I, DFSF.combineOrigins(Shadows, Origins, &I)); 2685 } 2686 } 2687 2688 void DFSanVisitor::visitMemSetInst(MemSetInst &I) { 2689 IRBuilder<> IRB(&I); 2690 Value *ValShadow = DFSF.getShadow(I.getValue()); 2691 Value *ValOrigin = DFSF.DFS.shouldTrackOrigins() 2692 ? DFSF.getOrigin(I.getValue()) 2693 : DFSF.DFS.ZeroOrigin; 2694 IRB.CreateCall( 2695 DFSF.DFS.DFSanSetLabelFn, 2696 {ValShadow, ValOrigin, 2697 IRB.CreateBitCast(I.getDest(), Type::getInt8PtrTy(*DFSF.DFS.Ctx)), 2698 IRB.CreateZExtOrTrunc(I.getLength(), DFSF.DFS.IntptrTy)}); 2699 } 2700 2701 void DFSanVisitor::visitMemTransferInst(MemTransferInst &I) { 2702 IRBuilder<> IRB(&I); 2703 2704 // CopyOrMoveOrigin transfers origins by refering to their shadows. So we 2705 // need to move origins before moving shadows. 2706 if (DFSF.DFS.shouldTrackOrigins()) { 2707 IRB.CreateCall( 2708 DFSF.DFS.DFSanMemOriginTransferFn, 2709 {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()), 2710 IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()), 2711 IRB.CreateIntCast(I.getArgOperand(2), DFSF.DFS.IntptrTy, false)}); 2712 } 2713 2714 Value *RawDestShadow = DFSF.DFS.getShadowAddress(I.getDest(), &I); 2715 Value *SrcShadow = DFSF.DFS.getShadowAddress(I.getSource(), &I); 2716 Value *LenShadow = 2717 IRB.CreateMul(I.getLength(), ConstantInt::get(I.getLength()->getType(), 2718 DFSF.DFS.ShadowWidthBytes)); 2719 Type *Int8Ptr = Type::getInt8PtrTy(*DFSF.DFS.Ctx); 2720 Value *DestShadow = IRB.CreateBitCast(RawDestShadow, Int8Ptr); 2721 SrcShadow = IRB.CreateBitCast(SrcShadow, Int8Ptr); 2722 auto *MTI = cast<MemTransferInst>( 2723 IRB.CreateCall(I.getFunctionType(), I.getCalledOperand(), 2724 {DestShadow, SrcShadow, LenShadow, I.getVolatileCst()})); 2725 if (ClPreserveAlignment) { 2726 MTI->setDestAlignment(I.getDestAlign() * DFSF.DFS.ShadowWidthBytes); 2727 MTI->setSourceAlignment(I.getSourceAlign() * DFSF.DFS.ShadowWidthBytes); 2728 } else { 2729 MTI->setDestAlignment(Align(DFSF.DFS.ShadowWidthBytes)); 2730 MTI->setSourceAlignment(Align(DFSF.DFS.ShadowWidthBytes)); 2731 } 2732 if (ClEventCallbacks) { 2733 IRB.CreateCall(DFSF.DFS.DFSanMemTransferCallbackFn, 2734 {RawDestShadow, 2735 IRB.CreateZExtOrTrunc(I.getLength(), DFSF.DFS.IntptrTy)}); 2736 } 2737 } 2738 2739 void DFSanVisitor::visitBranchInst(BranchInst &BR) { 2740 if (!BR.isConditional()) 2741 return; 2742 2743 DFSF.addConditionalCallbacksIfEnabled(BR, BR.getCondition()); 2744 } 2745 2746 void DFSanVisitor::visitSwitchInst(SwitchInst &SW) { 2747 DFSF.addConditionalCallbacksIfEnabled(SW, SW.getCondition()); 2748 } 2749 2750 static bool isAMustTailRetVal(Value *RetVal) { 2751 // Tail call may have a bitcast between return. 2752 if (auto *I = dyn_cast<BitCastInst>(RetVal)) { 2753 RetVal = I->getOperand(0); 2754 } 2755 if (auto *I = dyn_cast<CallInst>(RetVal)) { 2756 return I->isMustTailCall(); 2757 } 2758 return false; 2759 } 2760 2761 void DFSanVisitor::visitReturnInst(ReturnInst &RI) { 2762 if (!DFSF.IsNativeABI && RI.getReturnValue()) { 2763 // Don't emit the instrumentation for musttail call returns. 2764 if (isAMustTailRetVal(RI.getReturnValue())) 2765 return; 2766 2767 Value *S = DFSF.getShadow(RI.getReturnValue()); 2768 IRBuilder<> IRB(&RI); 2769 Type *RT = DFSF.F->getFunctionType()->getReturnType(); 2770 unsigned Size = getDataLayout().getTypeAllocSize(DFSF.DFS.getShadowTy(RT)); 2771 if (Size <= RetvalTLSSize) { 2772 // If the size overflows, stores nothing. At callsite, oversized return 2773 // shadows are set to zero. 2774 IRB.CreateAlignedStore(S, DFSF.getRetvalTLS(RT, IRB), ShadowTLSAlignment); 2775 } 2776 if (DFSF.DFS.shouldTrackOrigins()) { 2777 Value *O = DFSF.getOrigin(RI.getReturnValue()); 2778 IRB.CreateStore(O, DFSF.getRetvalOriginTLS()); 2779 } 2780 } 2781 } 2782 2783 void DFSanVisitor::addShadowArguments(Function &F, CallBase &CB, 2784 std::vector<Value *> &Args, 2785 IRBuilder<> &IRB) { 2786 FunctionType *FT = F.getFunctionType(); 2787 2788 auto *I = CB.arg_begin(); 2789 2790 // Adds non-variable argument shadows. 2791 for (unsigned N = FT->getNumParams(); N != 0; ++I, --N) 2792 Args.push_back(DFSF.collapseToPrimitiveShadow(DFSF.getShadow(*I), &CB)); 2793 2794 // Adds variable argument shadows. 2795 if (FT->isVarArg()) { 2796 auto *LabelVATy = ArrayType::get(DFSF.DFS.PrimitiveShadowTy, 2797 CB.arg_size() - FT->getNumParams()); 2798 auto *LabelVAAlloca = 2799 new AllocaInst(LabelVATy, getDataLayout().getAllocaAddrSpace(), 2800 "labelva", &DFSF.F->getEntryBlock().front()); 2801 2802 for (unsigned N = 0; I != CB.arg_end(); ++I, ++N) { 2803 auto *LabelVAPtr = IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, N); 2804 IRB.CreateStore(DFSF.collapseToPrimitiveShadow(DFSF.getShadow(*I), &CB), 2805 LabelVAPtr); 2806 } 2807 2808 Args.push_back(IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, 0)); 2809 } 2810 2811 // Adds the return value shadow. 2812 if (!FT->getReturnType()->isVoidTy()) { 2813 if (!DFSF.LabelReturnAlloca) { 2814 DFSF.LabelReturnAlloca = new AllocaInst( 2815 DFSF.DFS.PrimitiveShadowTy, getDataLayout().getAllocaAddrSpace(), 2816 "labelreturn", &DFSF.F->getEntryBlock().front()); 2817 } 2818 Args.push_back(DFSF.LabelReturnAlloca); 2819 } 2820 } 2821 2822 void DFSanVisitor::addOriginArguments(Function &F, CallBase &CB, 2823 std::vector<Value *> &Args, 2824 IRBuilder<> &IRB) { 2825 FunctionType *FT = F.getFunctionType(); 2826 2827 auto *I = CB.arg_begin(); 2828 2829 // Add non-variable argument origins. 2830 for (unsigned N = FT->getNumParams(); N != 0; ++I, --N) 2831 Args.push_back(DFSF.getOrigin(*I)); 2832 2833 // Add variable argument origins. 2834 if (FT->isVarArg()) { 2835 auto *OriginVATy = 2836 ArrayType::get(DFSF.DFS.OriginTy, CB.arg_size() - FT->getNumParams()); 2837 auto *OriginVAAlloca = 2838 new AllocaInst(OriginVATy, getDataLayout().getAllocaAddrSpace(), 2839 "originva", &DFSF.F->getEntryBlock().front()); 2840 2841 for (unsigned N = 0; I != CB.arg_end(); ++I, ++N) { 2842 auto *OriginVAPtr = IRB.CreateStructGEP(OriginVATy, OriginVAAlloca, N); 2843 IRB.CreateStore(DFSF.getOrigin(*I), OriginVAPtr); 2844 } 2845 2846 Args.push_back(IRB.CreateStructGEP(OriginVATy, OriginVAAlloca, 0)); 2847 } 2848 2849 // Add the return value origin. 2850 if (!FT->getReturnType()->isVoidTy()) { 2851 if (!DFSF.OriginReturnAlloca) { 2852 DFSF.OriginReturnAlloca = new AllocaInst( 2853 DFSF.DFS.OriginTy, getDataLayout().getAllocaAddrSpace(), 2854 "originreturn", &DFSF.F->getEntryBlock().front()); 2855 } 2856 Args.push_back(DFSF.OriginReturnAlloca); 2857 } 2858 } 2859 2860 bool DFSanVisitor::visitWrappedCallBase(Function &F, CallBase &CB) { 2861 IRBuilder<> IRB(&CB); 2862 switch (DFSF.DFS.getWrapperKind(&F)) { 2863 case DataFlowSanitizer::WK_Warning: 2864 CB.setCalledFunction(&F); 2865 IRB.CreateCall(DFSF.DFS.DFSanUnimplementedFn, 2866 IRB.CreateGlobalStringPtr(F.getName())); 2867 DFSF.setShadow(&CB, DFSF.DFS.getZeroShadow(&CB)); 2868 DFSF.setOrigin(&CB, DFSF.DFS.ZeroOrigin); 2869 return true; 2870 case DataFlowSanitizer::WK_Discard: 2871 CB.setCalledFunction(&F); 2872 DFSF.setShadow(&CB, DFSF.DFS.getZeroShadow(&CB)); 2873 DFSF.setOrigin(&CB, DFSF.DFS.ZeroOrigin); 2874 return true; 2875 case DataFlowSanitizer::WK_Functional: 2876 CB.setCalledFunction(&F); 2877 visitInstOperands(CB); 2878 return true; 2879 case DataFlowSanitizer::WK_Custom: 2880 // Don't try to handle invokes of custom functions, it's too complicated. 2881 // Instead, invoke the dfsw$ wrapper, which will in turn call the __dfsw_ 2882 // wrapper. 2883 CallInst *CI = dyn_cast<CallInst>(&CB); 2884 if (!CI) 2885 return false; 2886 2887 const bool ShouldTrackOrigins = DFSF.DFS.shouldTrackOrigins(); 2888 FunctionType *FT = F.getFunctionType(); 2889 TransformedFunction CustomFn = DFSF.DFS.getCustomFunctionType(FT); 2890 std::string CustomFName = ShouldTrackOrigins ? "__dfso_" : "__dfsw_"; 2891 CustomFName += F.getName(); 2892 FunctionCallee CustomF = DFSF.DFS.Mod->getOrInsertFunction( 2893 CustomFName, CustomFn.TransformedType); 2894 if (Function *CustomFn = dyn_cast<Function>(CustomF.getCallee())) { 2895 CustomFn->copyAttributesFrom(&F); 2896 2897 // Custom functions returning non-void will write to the return label. 2898 if (!FT->getReturnType()->isVoidTy()) { 2899 CustomFn->removeFnAttrs(DFSF.DFS.ReadOnlyNoneAttrs); 2900 } 2901 } 2902 2903 std::vector<Value *> Args; 2904 2905 // Adds non-variable arguments. 2906 auto *I = CB.arg_begin(); 2907 for (unsigned N = FT->getNumParams(); N != 0; ++I, --N) { 2908 Type *T = (*I)->getType(); 2909 FunctionType *ParamFT; 2910 if (isa<PointerType>(T) && 2911 (ParamFT = dyn_cast<FunctionType>(T->getPointerElementType()))) { 2912 std::string TName = "dfst"; 2913 TName += utostr(FT->getNumParams() - N); 2914 TName += "$"; 2915 TName += F.getName(); 2916 Constant *Trampoline = 2917 DFSF.DFS.getOrBuildTrampolineFunction(ParamFT, TName); 2918 Args.push_back(Trampoline); 2919 Args.push_back( 2920 IRB.CreateBitCast(*I, Type::getInt8PtrTy(*DFSF.DFS.Ctx))); 2921 } else { 2922 Args.push_back(*I); 2923 } 2924 } 2925 2926 // Adds shadow arguments. 2927 const unsigned ShadowArgStart = Args.size(); 2928 addShadowArguments(F, CB, Args, IRB); 2929 2930 // Adds origin arguments. 2931 const unsigned OriginArgStart = Args.size(); 2932 if (ShouldTrackOrigins) 2933 addOriginArguments(F, CB, Args, IRB); 2934 2935 // Adds variable arguments. 2936 append_range(Args, drop_begin(CB.args(), FT->getNumParams())); 2937 2938 CallInst *CustomCI = IRB.CreateCall(CustomF, Args); 2939 CustomCI->setCallingConv(CI->getCallingConv()); 2940 CustomCI->setAttributes(transformFunctionAttributes( 2941 CustomFn, CI->getContext(), CI->getAttributes())); 2942 2943 // Update the parameter attributes of the custom call instruction to 2944 // zero extend the shadow parameters. This is required for targets 2945 // which consider PrimitiveShadowTy an illegal type. 2946 for (unsigned N = 0; N < FT->getNumParams(); N++) { 2947 const unsigned ArgNo = ShadowArgStart + N; 2948 if (CustomCI->getArgOperand(ArgNo)->getType() == 2949 DFSF.DFS.PrimitiveShadowTy) 2950 CustomCI->addParamAttr(ArgNo, Attribute::ZExt); 2951 if (ShouldTrackOrigins) { 2952 const unsigned OriginArgNo = OriginArgStart + N; 2953 if (CustomCI->getArgOperand(OriginArgNo)->getType() == 2954 DFSF.DFS.OriginTy) 2955 CustomCI->addParamAttr(OriginArgNo, Attribute::ZExt); 2956 } 2957 } 2958 2959 // Loads the return value shadow and origin. 2960 if (!FT->getReturnType()->isVoidTy()) { 2961 LoadInst *LabelLoad = 2962 IRB.CreateLoad(DFSF.DFS.PrimitiveShadowTy, DFSF.LabelReturnAlloca); 2963 DFSF.setShadow(CustomCI, DFSF.expandFromPrimitiveShadow( 2964 FT->getReturnType(), LabelLoad, &CB)); 2965 if (ShouldTrackOrigins) { 2966 LoadInst *OriginLoad = 2967 IRB.CreateLoad(DFSF.DFS.OriginTy, DFSF.OriginReturnAlloca); 2968 DFSF.setOrigin(CustomCI, OriginLoad); 2969 } 2970 } 2971 2972 CI->replaceAllUsesWith(CustomCI); 2973 CI->eraseFromParent(); 2974 return true; 2975 } 2976 return false; 2977 } 2978 2979 void DFSanVisitor::visitCallBase(CallBase &CB) { 2980 Function *F = CB.getCalledFunction(); 2981 if ((F && F->isIntrinsic()) || CB.isInlineAsm()) { 2982 visitInstOperands(CB); 2983 return; 2984 } 2985 2986 // Calls to this function are synthesized in wrappers, and we shouldn't 2987 // instrument them. 2988 if (F == DFSF.DFS.DFSanVarargWrapperFn.getCallee()->stripPointerCasts()) 2989 return; 2990 2991 DenseMap<Value *, Function *>::iterator UnwrappedFnIt = 2992 DFSF.DFS.UnwrappedFnMap.find(CB.getCalledOperand()); 2993 if (UnwrappedFnIt != DFSF.DFS.UnwrappedFnMap.end()) 2994 if (visitWrappedCallBase(*UnwrappedFnIt->second, CB)) 2995 return; 2996 2997 IRBuilder<> IRB(&CB); 2998 2999 const bool ShouldTrackOrigins = DFSF.DFS.shouldTrackOrigins(); 3000 FunctionType *FT = CB.getFunctionType(); 3001 const DataLayout &DL = getDataLayout(); 3002 3003 // Stores argument shadows. 3004 unsigned ArgOffset = 0; 3005 for (unsigned I = 0, N = FT->getNumParams(); I != N; ++I) { 3006 if (ShouldTrackOrigins) { 3007 // Ignore overflowed origins 3008 Value *ArgShadow = DFSF.getShadow(CB.getArgOperand(I)); 3009 if (I < DFSF.DFS.NumOfElementsInArgOrgTLS && 3010 !DFSF.DFS.isZeroShadow(ArgShadow)) 3011 IRB.CreateStore(DFSF.getOrigin(CB.getArgOperand(I)), 3012 DFSF.getArgOriginTLS(I, IRB)); 3013 } 3014 3015 unsigned Size = 3016 DL.getTypeAllocSize(DFSF.DFS.getShadowTy(FT->getParamType(I))); 3017 // Stop storing if arguments' size overflows. Inside a function, arguments 3018 // after overflow have zero shadow values. 3019 if (ArgOffset + Size > ArgTLSSize) 3020 break; 3021 IRB.CreateAlignedStore(DFSF.getShadow(CB.getArgOperand(I)), 3022 DFSF.getArgTLS(FT->getParamType(I), ArgOffset, IRB), 3023 ShadowTLSAlignment); 3024 ArgOffset += alignTo(Size, ShadowTLSAlignment); 3025 } 3026 3027 Instruction *Next = nullptr; 3028 if (!CB.getType()->isVoidTy()) { 3029 if (InvokeInst *II = dyn_cast<InvokeInst>(&CB)) { 3030 if (II->getNormalDest()->getSinglePredecessor()) { 3031 Next = &II->getNormalDest()->front(); 3032 } else { 3033 BasicBlock *NewBB = 3034 SplitEdge(II->getParent(), II->getNormalDest(), &DFSF.DT); 3035 Next = &NewBB->front(); 3036 } 3037 } else { 3038 assert(CB.getIterator() != CB.getParent()->end()); 3039 Next = CB.getNextNode(); 3040 } 3041 3042 // Don't emit the epilogue for musttail call returns. 3043 if (isa<CallInst>(CB) && cast<CallInst>(CB).isMustTailCall()) 3044 return; 3045 3046 // Loads the return value shadow. 3047 IRBuilder<> NextIRB(Next); 3048 unsigned Size = DL.getTypeAllocSize(DFSF.DFS.getShadowTy(&CB)); 3049 if (Size > RetvalTLSSize) { 3050 // Set overflowed return shadow to be zero. 3051 DFSF.setShadow(&CB, DFSF.DFS.getZeroShadow(&CB)); 3052 } else { 3053 LoadInst *LI = NextIRB.CreateAlignedLoad( 3054 DFSF.DFS.getShadowTy(&CB), DFSF.getRetvalTLS(CB.getType(), NextIRB), 3055 ShadowTLSAlignment, "_dfsret"); 3056 DFSF.SkipInsts.insert(LI); 3057 DFSF.setShadow(&CB, LI); 3058 DFSF.NonZeroChecks.push_back(LI); 3059 } 3060 3061 if (ShouldTrackOrigins) { 3062 LoadInst *LI = NextIRB.CreateLoad(DFSF.DFS.OriginTy, 3063 DFSF.getRetvalOriginTLS(), "_dfsret_o"); 3064 DFSF.SkipInsts.insert(LI); 3065 DFSF.setOrigin(&CB, LI); 3066 } 3067 } 3068 } 3069 3070 void DFSanVisitor::visitPHINode(PHINode &PN) { 3071 Type *ShadowTy = DFSF.DFS.getShadowTy(&PN); 3072 PHINode *ShadowPN = 3073 PHINode::Create(ShadowTy, PN.getNumIncomingValues(), "", &PN); 3074 3075 // Give the shadow phi node valid predecessors to fool SplitEdge into working. 3076 Value *UndefShadow = UndefValue::get(ShadowTy); 3077 for (BasicBlock *BB : PN.blocks()) 3078 ShadowPN->addIncoming(UndefShadow, BB); 3079 3080 DFSF.setShadow(&PN, ShadowPN); 3081 3082 PHINode *OriginPN = nullptr; 3083 if (DFSF.DFS.shouldTrackOrigins()) { 3084 OriginPN = 3085 PHINode::Create(DFSF.DFS.OriginTy, PN.getNumIncomingValues(), "", &PN); 3086 Value *UndefOrigin = UndefValue::get(DFSF.DFS.OriginTy); 3087 for (BasicBlock *BB : PN.blocks()) 3088 OriginPN->addIncoming(UndefOrigin, BB); 3089 DFSF.setOrigin(&PN, OriginPN); 3090 } 3091 3092 DFSF.PHIFixups.push_back({&PN, ShadowPN, OriginPN}); 3093 } 3094 3095 namespace { 3096 class DataFlowSanitizerLegacyPass : public ModulePass { 3097 private: 3098 std::vector<std::string> ABIListFiles; 3099 3100 public: 3101 static char ID; 3102 3103 DataFlowSanitizerLegacyPass( 3104 const std::vector<std::string> &ABIListFiles = std::vector<std::string>()) 3105 : ModulePass(ID), ABIListFiles(ABIListFiles) {} 3106 3107 bool runOnModule(Module &M) override { 3108 return DataFlowSanitizer(ABIListFiles).runImpl(M); 3109 } 3110 }; 3111 } // namespace 3112 3113 char DataFlowSanitizerLegacyPass::ID; 3114 3115 INITIALIZE_PASS(DataFlowSanitizerLegacyPass, "dfsan", 3116 "DataFlowSanitizer: dynamic data flow analysis.", false, false) 3117 3118 ModulePass *llvm::createDataFlowSanitizerLegacyPassPass( 3119 const std::vector<std::string> &ABIListFiles) { 3120 return new DataFlowSanitizerLegacyPass(ABIListFiles); 3121 } 3122 3123 PreservedAnalyses DataFlowSanitizerPass::run(Module &M, 3124 ModuleAnalysisManager &AM) { 3125 if (DataFlowSanitizer(ABIListFiles).runImpl(M)) { 3126 return PreservedAnalyses::none(); 3127 } 3128 return PreservedAnalyses::all(); 3129 } 3130