AddressSanitizer.cpp revision 086a472dbed9911f83add781e020cb49c89829d0
1//===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// Details of the algorithm: 12// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13// 14//===----------------------------------------------------------------------===// 15 16#define DEBUG_TYPE "asan" 17 18#include "llvm/Transforms/Instrumentation.h" 19#include "llvm/ADT/ArrayRef.h" 20#include "llvm/ADT/DenseMap.h" 21#include "llvm/ADT/DepthFirstIterator.h" 22#include "llvm/ADT/OwningPtr.h" 23#include "llvm/ADT/SmallSet.h" 24#include "llvm/ADT/SmallString.h" 25#include "llvm/ADT/SmallVector.h" 26#include "llvm/ADT/StringExtras.h" 27#include "llvm/ADT/Triple.h" 28#include "llvm/DIBuilder.h" 29#include "llvm/IR/DataLayout.h" 30#include "llvm/IR/Function.h" 31#include "llvm/IR/IRBuilder.h" 32#include "llvm/IR/InlineAsm.h" 33#include "llvm/IR/IntrinsicInst.h" 34#include "llvm/IR/LLVMContext.h" 35#include "llvm/IR/Module.h" 36#include "llvm/IR/Type.h" 37#include "llvm/InstVisitor.h" 38#include "llvm/Support/CallSite.h" 39#include "llvm/Support/CommandLine.h" 40#include "llvm/Support/DataTypes.h" 41#include "llvm/Support/Debug.h" 42#include "llvm/Support/raw_ostream.h" 43#include "llvm/Support/system_error.h" 44#include "llvm/Target/TargetMachine.h" 45#include "llvm/Transforms/Utils/BasicBlockUtils.h" 46#include "llvm/Transforms/Utils/BlackList.h" 47#include "llvm/Transforms/Utils/Local.h" 48#include "llvm/Transforms/Utils/ModuleUtils.h" 49#include <algorithm> 50#include <string> 51 52using namespace llvm; 53 54static const uint64_t kDefaultShadowScale = 3; 55static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 56static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 57static const uint64_t kDefaultShort64bitShadowOffset = 0x7FFF8000; // < 2G. 58static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 41; 59 60static const size_t kMaxStackMallocSize = 1 << 16; // 64K 61static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 62static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 63 64static const char *kAsanModuleCtorName = "asan.module_ctor"; 65static const char *kAsanModuleDtorName = "asan.module_dtor"; 66static const int kAsanCtorAndCtorPriority = 1; 67static const char *kAsanReportErrorTemplate = "__asan_report_"; 68static const char *kAsanReportLoadN = "__asan_report_load_n"; 69static const char *kAsanReportStoreN = "__asan_report_store_n"; 70static const char *kAsanRegisterGlobalsName = "__asan_register_globals"; 71static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals"; 72static const char *kAsanPoisonGlobalsName = "__asan_before_dynamic_init"; 73static const char *kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init"; 74static const char *kAsanInitName = "__asan_init_v2"; 75static const char *kAsanHandleNoReturnName = "__asan_handle_no_return"; 76static const char *kAsanMappingOffsetName = "__asan_mapping_offset"; 77static const char *kAsanMappingScaleName = "__asan_mapping_scale"; 78static const char *kAsanStackMallocName = "__asan_stack_malloc"; 79static const char *kAsanStackFreeName = "__asan_stack_free"; 80static const char *kAsanGenPrefix = "__asan_gen_"; 81static const char *kAsanPoisonStackMemoryName = "__asan_poison_stack_memory"; 82static const char *kAsanUnpoisonStackMemoryName = 83 "__asan_unpoison_stack_memory"; 84 85static const int kAsanStackLeftRedzoneMagic = 0xf1; 86static const int kAsanStackMidRedzoneMagic = 0xf2; 87static const int kAsanStackRightRedzoneMagic = 0xf3; 88static const int kAsanStackPartialRedzoneMagic = 0xf4; 89 90// Accesses sizes are powers of two: 1, 2, 4, 8, 16. 91static const size_t kNumberOfAccessSizes = 5; 92 93// Command-line flags. 94 95// This flag may need to be replaced with -f[no-]asan-reads. 96static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 97 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 98static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 99 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 100static cl::opt<bool> ClInstrumentAtomics("asan-instrument-atomics", 101 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), 102 cl::Hidden, cl::init(true)); 103static cl::opt<bool> ClAlwaysSlowPath("asan-always-slow-path", 104 cl::desc("use instrumentation with slow path for all accesses"), 105 cl::Hidden, cl::init(false)); 106// This flag limits the number of instructions to be instrumented 107// in any given BB. Normally, this should be set to unlimited (INT_MAX), 108// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary 109// set it to 10000. 110static cl::opt<int> ClMaxInsnsToInstrumentPerBB("asan-max-ins-per-bb", 111 cl::init(10000), 112 cl::desc("maximal number of instructions to instrument in any given BB"), 113 cl::Hidden); 114// This flag may need to be replaced with -f[no]asan-stack. 115static cl::opt<bool> ClStack("asan-stack", 116 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 117// This flag may need to be replaced with -f[no]asan-use-after-return. 118static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 119 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 120// This flag may need to be replaced with -f[no]asan-globals. 121static cl::opt<bool> ClGlobals("asan-globals", 122 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 123static cl::opt<bool> ClInitializers("asan-initialization-order", 124 cl::desc("Handle C++ initializer order"), cl::Hidden, cl::init(false)); 125static cl::opt<bool> ClMemIntrin("asan-memintrin", 126 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 127static cl::opt<bool> ClRealignStack("asan-realign-stack", 128 cl::desc("Realign stack to 32"), cl::Hidden, cl::init(true)); 129static cl::opt<std::string> ClBlacklistFile("asan-blacklist", 130 cl::desc("File containing the list of objects to ignore " 131 "during instrumentation"), cl::Hidden); 132 133// These flags allow to change the shadow mapping. 134// The shadow mapping looks like 135// Shadow = (Mem >> scale) + (1 << offset_log) 136static cl::opt<int> ClMappingScale("asan-mapping-scale", 137 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 138static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 139 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 140static cl::opt<bool> ClShort64BitOffset("asan-short-64bit-mapping-offset", 141 cl::desc("Use short immediate constant as the mapping offset for 64bit"), 142 cl::Hidden, cl::init(true)); 143 144// Optimization flags. Not user visible, used mostly for testing 145// and benchmarking the tool. 146static cl::opt<bool> ClOpt("asan-opt", 147 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 148static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 149 cl::desc("Instrument the same temp just once"), cl::Hidden, 150 cl::init(true)); 151static cl::opt<bool> ClOptGlobals("asan-opt-globals", 152 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 153 154static cl::opt<bool> ClCheckLifetime("asan-check-lifetime", 155 cl::desc("Use llvm.lifetime intrinsics to insert extra checks"), 156 cl::Hidden, cl::init(false)); 157 158// Debug flags. 159static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 160 cl::init(0)); 161static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 162 cl::Hidden, cl::init(0)); 163static cl::opt<std::string> ClDebugFunc("asan-debug-func", 164 cl::Hidden, cl::desc("Debug func")); 165static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 166 cl::Hidden, cl::init(-1)); 167static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 168 cl::Hidden, cl::init(-1)); 169 170namespace { 171/// A set of dynamically initialized globals extracted from metadata. 172class SetOfDynamicallyInitializedGlobals { 173 public: 174 void Init(Module& M) { 175 // Clang generates metadata identifying all dynamically initialized globals. 176 NamedMDNode *DynamicGlobals = 177 M.getNamedMetadata("llvm.asan.dynamically_initialized_globals"); 178 if (!DynamicGlobals) 179 return; 180 for (int i = 0, n = DynamicGlobals->getNumOperands(); i < n; ++i) { 181 MDNode *MDN = DynamicGlobals->getOperand(i); 182 assert(MDN->getNumOperands() == 1); 183 Value *VG = MDN->getOperand(0); 184 // The optimizer may optimize away a global entirely, in which case we 185 // cannot instrument access to it. 186 if (!VG) 187 continue; 188 DynInitGlobals.insert(cast<GlobalVariable>(VG)); 189 } 190 } 191 bool Contains(GlobalVariable *G) { return DynInitGlobals.count(G) != 0; } 192 private: 193 SmallSet<GlobalValue*, 32> DynInitGlobals; 194}; 195 196/// This struct defines the shadow mapping using the rule: 197/// shadow = (mem >> Scale) ADD-or-OR Offset. 198struct ShadowMapping { 199 int Scale; 200 uint64_t Offset; 201 bool OrShadowOffset; 202}; 203 204static ShadowMapping getShadowMapping(const Module &M, int LongSize, 205 bool ZeroBaseShadow) { 206 llvm::Triple TargetTriple(M.getTargetTriple()); 207 bool IsAndroid = TargetTriple.getEnvironment() == llvm::Triple::Android; 208 bool IsMacOSX = TargetTriple.getOS() == llvm::Triple::MacOSX; 209 bool IsPPC64 = TargetTriple.getArch() == llvm::Triple::ppc64; 210 bool IsX86_64 = TargetTriple.getArch() == llvm::Triple::x86_64; 211 212 ShadowMapping Mapping; 213 214 // OR-ing shadow offset if more efficient (at least on x86), 215 // but on ppc64 we have to use add since the shadow offset is not neccesary 216 // 1/8-th of the address space. 217 Mapping.OrShadowOffset = !IsPPC64 && !ClShort64BitOffset; 218 219 Mapping.Offset = (IsAndroid || ZeroBaseShadow) ? 0 : 220 (LongSize == 32 ? kDefaultShadowOffset32 : 221 IsPPC64 ? kPPC64_ShadowOffset64 : kDefaultShadowOffset64); 222 if (!ZeroBaseShadow && ClShort64BitOffset && IsX86_64 && !IsMacOSX) { 223 assert(LongSize == 64); 224 Mapping.Offset = kDefaultShort64bitShadowOffset; 225 } 226 if (!ZeroBaseShadow && ClMappingOffsetLog >= 0) { 227 // Zero offset log is the special case. 228 Mapping.Offset = (ClMappingOffsetLog == 0) ? 0 : 1ULL << ClMappingOffsetLog; 229 } 230 231 Mapping.Scale = kDefaultShadowScale; 232 if (ClMappingScale) { 233 Mapping.Scale = ClMappingScale; 234 } 235 236 return Mapping; 237} 238 239static size_t RedzoneSizeForScale(int MappingScale) { 240 // Redzone used for stack and globals is at least 32 bytes. 241 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 242 return std::max(32U, 1U << MappingScale); 243} 244 245/// AddressSanitizer: instrument the code in module to find memory bugs. 246struct AddressSanitizer : public FunctionPass { 247 AddressSanitizer(bool CheckInitOrder = true, 248 bool CheckUseAfterReturn = false, 249 bool CheckLifetime = false, 250 StringRef BlacklistFile = StringRef(), 251 bool ZeroBaseShadow = false) 252 : FunctionPass(ID), 253 CheckInitOrder(CheckInitOrder || ClInitializers), 254 CheckUseAfterReturn(CheckUseAfterReturn || ClUseAfterReturn), 255 CheckLifetime(CheckLifetime || ClCheckLifetime), 256 BlacklistFile(BlacklistFile.empty() ? ClBlacklistFile 257 : BlacklistFile), 258 ZeroBaseShadow(ZeroBaseShadow) {} 259 virtual const char *getPassName() const { 260 return "AddressSanitizerFunctionPass"; 261 } 262 void instrumentMop(Instruction *I); 263 void instrumentAddress(Instruction *OrigIns, Instruction *InsertBefore, 264 Value *Addr, uint32_t TypeSize, bool IsWrite, 265 Value *SizeArgument); 266 Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 267 Value *ShadowValue, uint32_t TypeSize); 268 Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, 269 bool IsWrite, size_t AccessSizeIndex, 270 Value *SizeArgument); 271 bool instrumentMemIntrinsic(MemIntrinsic *MI); 272 void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr, 273 Value *Size, 274 Instruction *InsertBefore, bool IsWrite); 275 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 276 bool runOnFunction(Function &F); 277 void createInitializerPoisonCalls(Module &M, 278 Value *FirstAddr, Value *LastAddr); 279 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 280 void emitShadowMapping(Module &M, IRBuilder<> &IRB) const; 281 virtual bool doInitialization(Module &M); 282 static char ID; // Pass identification, replacement for typeid 283 284 private: 285 void initializeCallbacks(Module &M); 286 287 bool ShouldInstrumentGlobal(GlobalVariable *G); 288 bool LooksLikeCodeInBug11395(Instruction *I); 289 void FindDynamicInitializers(Module &M); 290 291 bool CheckInitOrder; 292 bool CheckUseAfterReturn; 293 bool CheckLifetime; 294 SmallString<64> BlacklistFile; 295 bool ZeroBaseShadow; 296 297 LLVMContext *C; 298 DataLayout *TD; 299 int LongSize; 300 Type *IntptrTy; 301 ShadowMapping Mapping; 302 Function *AsanCtorFunction; 303 Function *AsanInitFunction; 304 Function *AsanHandleNoReturnFunc; 305 OwningPtr<BlackList> BL; 306 // This array is indexed by AccessIsWrite and log2(AccessSize). 307 Function *AsanErrorCallback[2][kNumberOfAccessSizes]; 308 // This array is indexed by AccessIsWrite. 309 Function *AsanErrorCallbackSized[2]; 310 InlineAsm *EmptyAsm; 311 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 312 313 friend struct FunctionStackPoisoner; 314}; 315 316class AddressSanitizerModule : public ModulePass { 317 public: 318 AddressSanitizerModule(bool CheckInitOrder = true, 319 StringRef BlacklistFile = StringRef(), 320 bool ZeroBaseShadow = false) 321 : ModulePass(ID), 322 CheckInitOrder(CheckInitOrder || ClInitializers), 323 BlacklistFile(BlacklistFile.empty() ? ClBlacklistFile 324 : BlacklistFile), 325 ZeroBaseShadow(ZeroBaseShadow) {} 326 bool runOnModule(Module &M); 327 static char ID; // Pass identification, replacement for typeid 328 virtual const char *getPassName() const { 329 return "AddressSanitizerModule"; 330 } 331 332 private: 333 void initializeCallbacks(Module &M); 334 335 bool ShouldInstrumentGlobal(GlobalVariable *G); 336 void createInitializerPoisonCalls(Module &M, Value *FirstAddr, 337 Value *LastAddr); 338 size_t RedzoneSize() const { 339 return RedzoneSizeForScale(Mapping.Scale); 340 } 341 342 bool CheckInitOrder; 343 SmallString<64> BlacklistFile; 344 bool ZeroBaseShadow; 345 346 OwningPtr<BlackList> BL; 347 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 348 Type *IntptrTy; 349 LLVMContext *C; 350 DataLayout *TD; 351 ShadowMapping Mapping; 352 Function *AsanPoisonGlobals; 353 Function *AsanUnpoisonGlobals; 354 Function *AsanRegisterGlobals; 355 Function *AsanUnregisterGlobals; 356}; 357 358// Stack poisoning does not play well with exception handling. 359// When an exception is thrown, we essentially bypass the code 360// that unpoisones the stack. This is why the run-time library has 361// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 362// stack in the interceptor. This however does not work inside the 363// actual function which catches the exception. Most likely because the 364// compiler hoists the load of the shadow value somewhere too high. 365// This causes asan to report a non-existing bug on 453.povray. 366// It sounds like an LLVM bug. 367struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> { 368 Function &F; 369 AddressSanitizer &ASan; 370 DIBuilder DIB; 371 LLVMContext *C; 372 Type *IntptrTy; 373 Type *IntptrPtrTy; 374 ShadowMapping Mapping; 375 376 SmallVector<AllocaInst*, 16> AllocaVec; 377 SmallVector<Instruction*, 8> RetVec; 378 uint64_t TotalStackSize; 379 unsigned StackAlignment; 380 381 Function *AsanStackMallocFunc, *AsanStackFreeFunc; 382 Function *AsanPoisonStackMemoryFunc, *AsanUnpoisonStackMemoryFunc; 383 384 // Stores a place and arguments of poisoning/unpoisoning call for alloca. 385 struct AllocaPoisonCall { 386 IntrinsicInst *InsBefore; 387 uint64_t Size; 388 bool DoPoison; 389 }; 390 SmallVector<AllocaPoisonCall, 8> AllocaPoisonCallVec; 391 392 // Maps Value to an AllocaInst from which the Value is originated. 393 typedef DenseMap<Value*, AllocaInst*> AllocaForValueMapTy; 394 AllocaForValueMapTy AllocaForValue; 395 396 FunctionStackPoisoner(Function &F, AddressSanitizer &ASan) 397 : F(F), ASan(ASan), DIB(*F.getParent()), C(ASan.C), 398 IntptrTy(ASan.IntptrTy), IntptrPtrTy(PointerType::get(IntptrTy, 0)), 399 Mapping(ASan.Mapping), 400 TotalStackSize(0), StackAlignment(1 << Mapping.Scale) {} 401 402 bool runOnFunction() { 403 if (!ClStack) return false; 404 // Collect alloca, ret, lifetime instructions etc. 405 for (df_iterator<BasicBlock*> DI = df_begin(&F.getEntryBlock()), 406 DE = df_end(&F.getEntryBlock()); DI != DE; ++DI) { 407 BasicBlock *BB = *DI; 408 visit(*BB); 409 } 410 if (AllocaVec.empty()) return false; 411 412 initializeCallbacks(*F.getParent()); 413 414 poisonStack(); 415 416 if (ClDebugStack) { 417 DEBUG(dbgs() << F); 418 } 419 return true; 420 } 421 422 // Finds all static Alloca instructions and puts 423 // poisoned red zones around all of them. 424 // Then unpoison everything back before the function returns. 425 void poisonStack(); 426 427 // ----------------------- Visitors. 428 /// \brief Collect all Ret instructions. 429 void visitReturnInst(ReturnInst &RI) { 430 RetVec.push_back(&RI); 431 } 432 433 /// \brief Collect Alloca instructions we want (and can) handle. 434 void visitAllocaInst(AllocaInst &AI) { 435 if (!isInterestingAlloca(AI)) return; 436 437 StackAlignment = std::max(StackAlignment, AI.getAlignment()); 438 AllocaVec.push_back(&AI); 439 uint64_t AlignedSize = getAlignedAllocaSize(&AI); 440 TotalStackSize += AlignedSize; 441 } 442 443 /// \brief Collect lifetime intrinsic calls to check for use-after-scope 444 /// errors. 445 void visitIntrinsicInst(IntrinsicInst &II) { 446 if (!ASan.CheckLifetime) return; 447 Intrinsic::ID ID = II.getIntrinsicID(); 448 if (ID != Intrinsic::lifetime_start && 449 ID != Intrinsic::lifetime_end) 450 return; 451 // Found lifetime intrinsic, add ASan instrumentation if necessary. 452 ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0)); 453 // If size argument is undefined, don't do anything. 454 if (Size->isMinusOne()) return; 455 // Check that size doesn't saturate uint64_t and can 456 // be stored in IntptrTy. 457 const uint64_t SizeValue = Size->getValue().getLimitedValue(); 458 if (SizeValue == ~0ULL || 459 !ConstantInt::isValueValidForType(IntptrTy, SizeValue)) 460 return; 461 // Find alloca instruction that corresponds to llvm.lifetime argument. 462 AllocaInst *AI = findAllocaForValue(II.getArgOperand(1)); 463 if (!AI) return; 464 bool DoPoison = (ID == Intrinsic::lifetime_end); 465 AllocaPoisonCall APC = {&II, SizeValue, DoPoison}; 466 AllocaPoisonCallVec.push_back(APC); 467 } 468 469 // ---------------------- Helpers. 470 void initializeCallbacks(Module &M); 471 472 // Check if we want (and can) handle this alloca. 473 bool isInterestingAlloca(AllocaInst &AI) { 474 return (!AI.isArrayAllocation() && 475 AI.isStaticAlloca() && 476 AI.getAllocatedType()->isSized()); 477 } 478 479 size_t RedzoneSize() const { 480 return RedzoneSizeForScale(Mapping.Scale); 481 } 482 uint64_t getAllocaSizeInBytes(AllocaInst *AI) { 483 Type *Ty = AI->getAllocatedType(); 484 uint64_t SizeInBytes = ASan.TD->getTypeAllocSize(Ty); 485 return SizeInBytes; 486 } 487 uint64_t getAlignedSize(uint64_t SizeInBytes) { 488 size_t RZ = RedzoneSize(); 489 return ((SizeInBytes + RZ - 1) / RZ) * RZ; 490 } 491 uint64_t getAlignedAllocaSize(AllocaInst *AI) { 492 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 493 return getAlignedSize(SizeInBytes); 494 } 495 /// Finds alloca where the value comes from. 496 AllocaInst *findAllocaForValue(Value *V); 497 void poisonRedZones(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, 498 Value *ShadowBase, bool DoPoison); 499 void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> IRB, bool DoPoison); 500}; 501 502} // namespace 503 504char AddressSanitizer::ID = 0; 505INITIALIZE_PASS(AddressSanitizer, "asan", 506 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", 507 false, false) 508FunctionPass *llvm::createAddressSanitizerFunctionPass( 509 bool CheckInitOrder, bool CheckUseAfterReturn, bool CheckLifetime, 510 StringRef BlacklistFile, bool ZeroBaseShadow) { 511 return new AddressSanitizer(CheckInitOrder, CheckUseAfterReturn, 512 CheckLifetime, BlacklistFile, ZeroBaseShadow); 513} 514 515char AddressSanitizerModule::ID = 0; 516INITIALIZE_PASS(AddressSanitizerModule, "asan-module", 517 "AddressSanitizer: detects use-after-free and out-of-bounds bugs." 518 "ModulePass", false, false) 519ModulePass *llvm::createAddressSanitizerModulePass( 520 bool CheckInitOrder, StringRef BlacklistFile, bool ZeroBaseShadow) { 521 return new AddressSanitizerModule(CheckInitOrder, BlacklistFile, 522 ZeroBaseShadow); 523} 524 525static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 526 size_t Res = CountTrailingZeros_32(TypeSize / 8); 527 assert(Res < kNumberOfAccessSizes); 528 return Res; 529} 530 531// Create a constant for Str so that we can pass it to the run-time lib. 532static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 533 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 534 return new GlobalVariable(M, StrConst->getType(), true, 535 GlobalValue::PrivateLinkage, StrConst, 536 kAsanGenPrefix); 537} 538 539static bool GlobalWasGeneratedByAsan(GlobalVariable *G) { 540 return G->getName().find(kAsanGenPrefix) == 0; 541} 542 543Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 544 // Shadow >> scale 545 Shadow = IRB.CreateLShr(Shadow, Mapping.Scale); 546 if (Mapping.Offset == 0) 547 return Shadow; 548 // (Shadow >> scale) | offset 549 if (Mapping.OrShadowOffset) 550 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset)); 551 else 552 return IRB.CreateAdd(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset)); 553} 554 555void AddressSanitizer::instrumentMemIntrinsicParam( 556 Instruction *OrigIns, 557 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 558 IRBuilder<> IRB(InsertBefore); 559 if (Size->getType() != IntptrTy) 560 Size = IRB.CreateIntCast(Size, IntptrTy, false); 561 // Check the first byte. 562 instrumentAddress(OrigIns, InsertBefore, Addr, 8, IsWrite, Size); 563 // Check the last byte. 564 IRB.SetInsertPoint(InsertBefore); 565 Value *SizeMinusOne = IRB.CreateSub(Size, ConstantInt::get(IntptrTy, 1)); 566 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 567 Value *AddrLast = IRB.CreateAdd(AddrLong, SizeMinusOne); 568 instrumentAddress(OrigIns, InsertBefore, AddrLast, 8, IsWrite, Size); 569} 570 571// Instrument memset/memmove/memcpy 572bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 573 Value *Dst = MI->getDest(); 574 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 575 Value *Src = MemTran ? MemTran->getSource() : 0; 576 Value *Length = MI->getLength(); 577 578 Constant *ConstLength = dyn_cast<Constant>(Length); 579 Instruction *InsertBefore = MI; 580 if (ConstLength) { 581 if (ConstLength->isNullValue()) return false; 582 } else { 583 // The size is not a constant so it could be zero -- check at run-time. 584 IRBuilder<> IRB(InsertBefore); 585 586 Value *Cmp = IRB.CreateICmpNE(Length, 587 Constant::getNullValue(Length->getType())); 588 InsertBefore = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 589 } 590 591 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 592 if (Src) 593 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 594 return true; 595} 596 597// If I is an interesting memory access, return the PointerOperand 598// and set IsWrite. Otherwise return NULL. 599static Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite) { 600 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 601 if (!ClInstrumentReads) return NULL; 602 *IsWrite = false; 603 return LI->getPointerOperand(); 604 } 605 if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 606 if (!ClInstrumentWrites) return NULL; 607 *IsWrite = true; 608 return SI->getPointerOperand(); 609 } 610 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 611 if (!ClInstrumentAtomics) return NULL; 612 *IsWrite = true; 613 return RMW->getPointerOperand(); 614 } 615 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 616 if (!ClInstrumentAtomics) return NULL; 617 *IsWrite = true; 618 return XCHG->getPointerOperand(); 619 } 620 return NULL; 621} 622 623void AddressSanitizer::instrumentMop(Instruction *I) { 624 bool IsWrite = false; 625 Value *Addr = isInterestingMemoryAccess(I, &IsWrite); 626 assert(Addr); 627 if (ClOpt && ClOptGlobals) { 628 if (GlobalVariable *G = dyn_cast<GlobalVariable>(Addr)) { 629 // If initialization order checking is disabled, a simple access to a 630 // dynamically initialized global is always valid. 631 if (!CheckInitOrder) 632 return; 633 // If a global variable does not have dynamic initialization we don't 634 // have to instrument it. However, if a global does not have initailizer 635 // at all, we assume it has dynamic initializer (in other TU). 636 if (G->hasInitializer() && !DynamicallyInitializedGlobals.Contains(G)) 637 return; 638 } 639 } 640 641 Type *OrigPtrTy = Addr->getType(); 642 Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType(); 643 644 assert(OrigTy->isSized()); 645 uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy); 646 647 assert((TypeSize % 8) == 0); 648 649 // Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check. 650 if (TypeSize == 8 || TypeSize == 16 || 651 TypeSize == 32 || TypeSize == 64 || TypeSize == 128) 652 return instrumentAddress(I, I, Addr, TypeSize, IsWrite, 0); 653 // Instrument unusual size (but still multiple of 8). 654 // We can not do it with a single check, so we do 1-byte check for the first 655 // and the last bytes. We call __asan_report_*_n(addr, real_size) to be able 656 // to report the actual access size. 657 IRBuilder<> IRB(I); 658 Value *LastByte = IRB.CreateIntToPtr( 659 IRB.CreateAdd(IRB.CreatePointerCast(Addr, IntptrTy), 660 ConstantInt::get(IntptrTy, TypeSize / 8 - 1)), 661 OrigPtrTy); 662 Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8); 663 instrumentAddress(I, I, Addr, 8, IsWrite, Size); 664 instrumentAddress(I, I, LastByte, 8, IsWrite, Size); 665} 666 667// Validate the result of Module::getOrInsertFunction called for an interface 668// function of AddressSanitizer. If the instrumented module defines a function 669// with the same name, their prototypes must match, otherwise 670// getOrInsertFunction returns a bitcast. 671static Function *checkInterfaceFunction(Constant *FuncOrBitcast) { 672 if (isa<Function>(FuncOrBitcast)) return cast<Function>(FuncOrBitcast); 673 FuncOrBitcast->dump(); 674 report_fatal_error("trying to redefine an AddressSanitizer " 675 "interface function"); 676} 677 678Instruction *AddressSanitizer::generateCrashCode( 679 Instruction *InsertBefore, Value *Addr, 680 bool IsWrite, size_t AccessSizeIndex, Value *SizeArgument) { 681 IRBuilder<> IRB(InsertBefore); 682 CallInst *Call = SizeArgument 683 ? IRB.CreateCall2(AsanErrorCallbackSized[IsWrite], Addr, SizeArgument) 684 : IRB.CreateCall(AsanErrorCallback[IsWrite][AccessSizeIndex], Addr); 685 686 // We don't do Call->setDoesNotReturn() because the BB already has 687 // UnreachableInst at the end. 688 // This EmptyAsm is required to avoid callback merge. 689 IRB.CreateCall(EmptyAsm); 690 return Call; 691} 692 693Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 694 Value *ShadowValue, 695 uint32_t TypeSize) { 696 size_t Granularity = 1 << Mapping.Scale; 697 // Addr & (Granularity - 1) 698 Value *LastAccessedByte = IRB.CreateAnd( 699 AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 700 // (Addr & (Granularity - 1)) + size - 1 701 if (TypeSize / 8 > 1) 702 LastAccessedByte = IRB.CreateAdd( 703 LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 704 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 705 LastAccessedByte = IRB.CreateIntCast( 706 LastAccessedByte, ShadowValue->getType(), false); 707 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 708 return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue); 709} 710 711void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 712 Instruction *InsertBefore, 713 Value *Addr, uint32_t TypeSize, 714 bool IsWrite, Value *SizeArgument) { 715 IRBuilder<> IRB(InsertBefore); 716 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 717 718 Type *ShadowTy = IntegerType::get( 719 *C, std::max(8U, TypeSize >> Mapping.Scale)); 720 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 721 Value *ShadowPtr = memToShadow(AddrLong, IRB); 722 Value *CmpVal = Constant::getNullValue(ShadowTy); 723 Value *ShadowValue = IRB.CreateLoad( 724 IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 725 726 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 727 size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize); 728 size_t Granularity = 1 << Mapping.Scale; 729 TerminatorInst *CrashTerm = 0; 730 731 if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) { 732 TerminatorInst *CheckTerm = 733 SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 734 assert(dyn_cast<BranchInst>(CheckTerm)->isUnconditional()); 735 BasicBlock *NextBB = CheckTerm->getSuccessor(0); 736 IRB.SetInsertPoint(CheckTerm); 737 Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize); 738 BasicBlock *CrashBlock = 739 BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); 740 CrashTerm = new UnreachableInst(*C, CrashBlock); 741 BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); 742 ReplaceInstWithInst(CheckTerm, NewTerm); 743 } else { 744 CrashTerm = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), true); 745 } 746 747 Instruction *Crash = generateCrashCode( 748 CrashTerm, AddrLong, IsWrite, AccessSizeIndex, SizeArgument); 749 Crash->setDebugLoc(OrigIns->getDebugLoc()); 750} 751 752void AddressSanitizerModule::createInitializerPoisonCalls( 753 Module &M, Value *FirstAddr, Value *LastAddr) { 754 // We do all of our poisoning and unpoisoning within _GLOBAL__I_a. 755 Function *GlobalInit = M.getFunction("_GLOBAL__I_a"); 756 // If that function is not present, this TU contains no globals, or they have 757 // all been optimized away 758 if (!GlobalInit) 759 return; 760 761 // Set up the arguments to our poison/unpoison functions. 762 IRBuilder<> IRB(GlobalInit->begin()->getFirstInsertionPt()); 763 764 // Add a call to poison all external globals before the given function starts. 765 IRB.CreateCall2(AsanPoisonGlobals, FirstAddr, LastAddr); 766 767 // Add calls to unpoison all globals before each return instruction. 768 for (Function::iterator I = GlobalInit->begin(), E = GlobalInit->end(); 769 I != E; ++I) { 770 if (ReturnInst *RI = dyn_cast<ReturnInst>(I->getTerminator())) { 771 CallInst::Create(AsanUnpoisonGlobals, "", RI); 772 } 773 } 774} 775 776bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) { 777 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 778 DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); 779 780 if (BL->isIn(*G)) return false; 781 if (!Ty->isSized()) return false; 782 if (!G->hasInitializer()) return false; 783 if (GlobalWasGeneratedByAsan(G)) return false; // Our own global. 784 // Touch only those globals that will not be defined in other modules. 785 // Don't handle ODR type linkages since other modules may be built w/o asan. 786 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 787 G->getLinkage() != GlobalVariable::PrivateLinkage && 788 G->getLinkage() != GlobalVariable::InternalLinkage) 789 return false; 790 // Two problems with thread-locals: 791 // - The address of the main thread's copy can't be computed at link-time. 792 // - Need to poison all copies, not just the main thread's one. 793 if (G->isThreadLocal()) 794 return false; 795 // For now, just ignore this Alloca if the alignment is large. 796 if (G->getAlignment() > RedzoneSize()) return false; 797 798 // Ignore all the globals with the names starting with "\01L_OBJC_". 799 // Many of those are put into the .cstring section. The linker compresses 800 // that section by removing the spare \0s after the string terminator, so 801 // our redzones get broken. 802 if ((G->getName().find("\01L_OBJC_") == 0) || 803 (G->getName().find("\01l_OBJC_") == 0)) { 804 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 805 return false; 806 } 807 808 if (G->hasSection()) { 809 StringRef Section(G->getSection()); 810 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 811 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 812 // them. 813 if ((Section.find("__OBJC,") == 0) || 814 (Section.find("__DATA, __objc_") == 0)) { 815 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 816 return false; 817 } 818 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 819 // Constant CFString instances are compiled in the following way: 820 // -- the string buffer is emitted into 821 // __TEXT,__cstring,cstring_literals 822 // -- the constant NSConstantString structure referencing that buffer 823 // is placed into __DATA,__cfstring 824 // Therefore there's no point in placing redzones into __DATA,__cfstring. 825 // Moreover, it causes the linker to crash on OS X 10.7 826 if (Section.find("__DATA,__cfstring") == 0) { 827 DEBUG(dbgs() << "Ignoring CFString: " << *G); 828 return false; 829 } 830 } 831 832 return true; 833} 834 835void AddressSanitizerModule::initializeCallbacks(Module &M) { 836 IRBuilder<> IRB(*C); 837 // Declare our poisoning and unpoisoning functions. 838 AsanPoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 839 kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 840 AsanPoisonGlobals->setLinkage(Function::ExternalLinkage); 841 AsanUnpoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 842 kAsanUnpoisonGlobalsName, IRB.getVoidTy(), NULL)); 843 AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage); 844 // Declare functions that register/unregister globals. 845 AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( 846 kAsanRegisterGlobalsName, IRB.getVoidTy(), 847 IntptrTy, IntptrTy, NULL)); 848 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 849 AsanUnregisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( 850 kAsanUnregisterGlobalsName, 851 IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 852 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 853} 854 855// This function replaces all global variables with new variables that have 856// trailing redzones. It also creates a function that poisons 857// redzones and inserts this function into llvm.global_ctors. 858bool AddressSanitizerModule::runOnModule(Module &M) { 859 if (!ClGlobals) return false; 860 TD = getAnalysisIfAvailable<DataLayout>(); 861 if (!TD) 862 return false; 863 BL.reset(new BlackList(BlacklistFile)); 864 if (BL->isIn(M)) return false; 865 C = &(M.getContext()); 866 int LongSize = TD->getPointerSizeInBits(); 867 IntptrTy = Type::getIntNTy(*C, LongSize); 868 Mapping = getShadowMapping(M, LongSize, ZeroBaseShadow); 869 initializeCallbacks(M); 870 DynamicallyInitializedGlobals.Init(M); 871 872 SmallVector<GlobalVariable *, 16> GlobalsToChange; 873 874 for (Module::GlobalListType::iterator G = M.global_begin(), 875 E = M.global_end(); G != E; ++G) { 876 if (ShouldInstrumentGlobal(G)) 877 GlobalsToChange.push_back(G); 878 } 879 880 size_t n = GlobalsToChange.size(); 881 if (n == 0) return false; 882 883 // A global is described by a structure 884 // size_t beg; 885 // size_t size; 886 // size_t size_with_redzone; 887 // const char *name; 888 // const char *module_name; 889 // size_t has_dynamic_init; 890 // We initialize an array of such structures and pass it to a run-time call. 891 StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy, 892 IntptrTy, IntptrTy, 893 IntptrTy, IntptrTy, NULL); 894 SmallVector<Constant *, 16> Initializers(n), DynamicInit; 895 896 897 Function *CtorFunc = M.getFunction(kAsanModuleCtorName); 898 assert(CtorFunc); 899 IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator()); 900 901 // The addresses of the first and last dynamically initialized globals in 902 // this TU. Used in initialization order checking. 903 Value *FirstDynamic = 0, *LastDynamic = 0; 904 905 GlobalVariable *ModuleName = createPrivateGlobalForString( 906 M, M.getModuleIdentifier()); 907 908 for (size_t i = 0; i < n; i++) { 909 static const uint64_t kMaxGlobalRedzone = 1 << 18; 910 GlobalVariable *G = GlobalsToChange[i]; 911 PointerType *PtrTy = cast<PointerType>(G->getType()); 912 Type *Ty = PtrTy->getElementType(); 913 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 914 uint64_t MinRZ = RedzoneSize(); 915 // MinRZ <= RZ <= kMaxGlobalRedzone 916 // and trying to make RZ to be ~ 1/4 of SizeInBytes. 917 uint64_t RZ = std::max(MinRZ, 918 std::min(kMaxGlobalRedzone, 919 (SizeInBytes / MinRZ / 4) * MinRZ)); 920 uint64_t RightRedzoneSize = RZ; 921 // Round up to MinRZ 922 if (SizeInBytes % MinRZ) 923 RightRedzoneSize += MinRZ - (SizeInBytes % MinRZ); 924 assert(((RightRedzoneSize + SizeInBytes) % MinRZ) == 0); 925 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 926 // Determine whether this global should be poisoned in initialization. 927 bool GlobalHasDynamicInitializer = 928 DynamicallyInitializedGlobals.Contains(G); 929 // Don't check initialization order if this global is blacklisted. 930 GlobalHasDynamicInitializer &= !BL->isInInit(*G); 931 932 StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL); 933 Constant *NewInitializer = ConstantStruct::get( 934 NewTy, G->getInitializer(), 935 Constant::getNullValue(RightRedZoneTy), NULL); 936 937 GlobalVariable *Name = createPrivateGlobalForString(M, G->getName()); 938 939 // Create a new global variable with enough space for a redzone. 940 GlobalVariable *NewGlobal = new GlobalVariable( 941 M, NewTy, G->isConstant(), G->getLinkage(), 942 NewInitializer, "", G, G->getThreadLocalMode()); 943 NewGlobal->copyAttributesFrom(G); 944 NewGlobal->setAlignment(MinRZ); 945 946 Value *Indices2[2]; 947 Indices2[0] = IRB.getInt32(0); 948 Indices2[1] = IRB.getInt32(0); 949 950 G->replaceAllUsesWith( 951 ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true)); 952 NewGlobal->takeName(G); 953 G->eraseFromParent(); 954 955 Initializers[i] = ConstantStruct::get( 956 GlobalStructTy, 957 ConstantExpr::getPointerCast(NewGlobal, IntptrTy), 958 ConstantInt::get(IntptrTy, SizeInBytes), 959 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 960 ConstantExpr::getPointerCast(Name, IntptrTy), 961 ConstantExpr::getPointerCast(ModuleName, IntptrTy), 962 ConstantInt::get(IntptrTy, GlobalHasDynamicInitializer), 963 NULL); 964 965 // Populate the first and last globals declared in this TU. 966 if (CheckInitOrder && GlobalHasDynamicInitializer) { 967 LastDynamic = ConstantExpr::getPointerCast(NewGlobal, IntptrTy); 968 if (FirstDynamic == 0) 969 FirstDynamic = LastDynamic; 970 } 971 972 DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); 973 } 974 975 ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); 976 GlobalVariable *AllGlobals = new GlobalVariable( 977 M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage, 978 ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); 979 980 // Create calls for poisoning before initializers run and unpoisoning after. 981 if (CheckInitOrder && FirstDynamic && LastDynamic) 982 createInitializerPoisonCalls(M, FirstDynamic, LastDynamic); 983 IRB.CreateCall2(AsanRegisterGlobals, 984 IRB.CreatePointerCast(AllGlobals, IntptrTy), 985 ConstantInt::get(IntptrTy, n)); 986 987 // We also need to unregister globals at the end, e.g. when a shared library 988 // gets closed. 989 Function *AsanDtorFunction = Function::Create( 990 FunctionType::get(Type::getVoidTy(*C), false), 991 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 992 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 993 IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); 994 IRB_Dtor.CreateCall2(AsanUnregisterGlobals, 995 IRB.CreatePointerCast(AllGlobals, IntptrTy), 996 ConstantInt::get(IntptrTy, n)); 997 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority); 998 999 DEBUG(dbgs() << M); 1000 return true; 1001} 1002 1003void AddressSanitizer::initializeCallbacks(Module &M) { 1004 IRBuilder<> IRB(*C); 1005 // Create __asan_report* callbacks. 1006 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 1007 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 1008 AccessSizeIndex++) { 1009 // IsWrite and TypeSize are encoded in the function name. 1010 std::string FunctionName = std::string(kAsanReportErrorTemplate) + 1011 (AccessIsWrite ? "store" : "load") + itostr(1 << AccessSizeIndex); 1012 // If we are merging crash callbacks, they have two parameters. 1013 AsanErrorCallback[AccessIsWrite][AccessSizeIndex] = 1014 checkInterfaceFunction(M.getOrInsertFunction( 1015 FunctionName, IRB.getVoidTy(), IntptrTy, NULL)); 1016 } 1017 } 1018 AsanErrorCallbackSized[0] = checkInterfaceFunction(M.getOrInsertFunction( 1019 kAsanReportLoadN, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1020 AsanErrorCallbackSized[1] = checkInterfaceFunction(M.getOrInsertFunction( 1021 kAsanReportStoreN, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1022 1023 AsanHandleNoReturnFunc = checkInterfaceFunction(M.getOrInsertFunction( 1024 kAsanHandleNoReturnName, IRB.getVoidTy(), NULL)); 1025 // We insert an empty inline asm after __asan_report* to avoid callback merge. 1026 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 1027 StringRef(""), StringRef(""), 1028 /*hasSideEffects=*/true); 1029} 1030 1031void AddressSanitizer::emitShadowMapping(Module &M, IRBuilder<> &IRB) const { 1032 // Tell the values of mapping offset and scale to the run-time. 1033 GlobalValue *asan_mapping_offset = 1034 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 1035 ConstantInt::get(IntptrTy, Mapping.Offset), 1036 kAsanMappingOffsetName); 1037 // Read the global, otherwise it may be optimized away. 1038 IRB.CreateLoad(asan_mapping_offset, true); 1039 1040 GlobalValue *asan_mapping_scale = 1041 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 1042 ConstantInt::get(IntptrTy, Mapping.Scale), 1043 kAsanMappingScaleName); 1044 // Read the global, otherwise it may be optimized away. 1045 IRB.CreateLoad(asan_mapping_scale, true); 1046} 1047 1048// virtual 1049bool AddressSanitizer::doInitialization(Module &M) { 1050 // Initialize the private fields. No one has accessed them before. 1051 TD = getAnalysisIfAvailable<DataLayout>(); 1052 1053 if (!TD) 1054 return false; 1055 BL.reset(new BlackList(BlacklistFile)); 1056 DynamicallyInitializedGlobals.Init(M); 1057 1058 C = &(M.getContext()); 1059 LongSize = TD->getPointerSizeInBits(); 1060 IntptrTy = Type::getIntNTy(*C, LongSize); 1061 1062 AsanCtorFunction = Function::Create( 1063 FunctionType::get(Type::getVoidTy(*C), false), 1064 GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); 1065 BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); 1066 // call __asan_init in the module ctor. 1067 IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB)); 1068 AsanInitFunction = checkInterfaceFunction( 1069 M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL)); 1070 AsanInitFunction->setLinkage(Function::ExternalLinkage); 1071 IRB.CreateCall(AsanInitFunction); 1072 1073 Mapping = getShadowMapping(M, LongSize, ZeroBaseShadow); 1074 emitShadowMapping(M, IRB); 1075 1076 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority); 1077 return true; 1078} 1079 1080bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 1081 // For each NSObject descendant having a +load method, this method is invoked 1082 // by the ObjC runtime before any of the static constructors is called. 1083 // Therefore we need to instrument such methods with a call to __asan_init 1084 // at the beginning in order to initialize our runtime before any access to 1085 // the shadow memory. 1086 // We cannot just ignore these methods, because they may call other 1087 // instrumented functions. 1088 if (F.getName().find(" load]") != std::string::npos) { 1089 IRBuilder<> IRB(F.begin()->begin()); 1090 IRB.CreateCall(AsanInitFunction); 1091 return true; 1092 } 1093 return false; 1094} 1095 1096bool AddressSanitizer::runOnFunction(Function &F) { 1097 if (BL->isIn(F)) return false; 1098 if (&F == AsanCtorFunction) return false; 1099 if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false; 1100 DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); 1101 initializeCallbacks(*F.getParent()); 1102 1103 // If needed, insert __asan_init before checking for SanitizeAddress attr. 1104 maybeInsertAsanInitAtFunctionEntry(F); 1105 1106 if (!F.getAttributes().hasAttribute(AttributeSet::FunctionIndex, 1107 Attribute::SanitizeAddress)) 1108 return false; 1109 1110 if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) 1111 return false; 1112 1113 // We want to instrument every address only once per basic block (unless there 1114 // are calls between uses). 1115 SmallSet<Value*, 16> TempsToInstrument; 1116 SmallVector<Instruction*, 16> ToInstrument; 1117 SmallVector<Instruction*, 8> NoReturnCalls; 1118 bool IsWrite; 1119 1120 // Fill the set of memory operations to instrument. 1121 for (Function::iterator FI = F.begin(), FE = F.end(); 1122 FI != FE; ++FI) { 1123 TempsToInstrument.clear(); 1124 int NumInsnsPerBB = 0; 1125 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 1126 BI != BE; ++BI) { 1127 if (LooksLikeCodeInBug11395(BI)) return false; 1128 if (Value *Addr = isInterestingMemoryAccess(BI, &IsWrite)) { 1129 if (ClOpt && ClOptSameTemp) { 1130 if (!TempsToInstrument.insert(Addr)) 1131 continue; // We've seen this temp in the current BB. 1132 } 1133 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 1134 // ok, take it. 1135 } else { 1136 CallSite CS(BI); 1137 if (CS) { 1138 // A call inside BB. 1139 TempsToInstrument.clear(); 1140 if (CS.doesNotReturn()) 1141 NoReturnCalls.push_back(CS.getInstruction()); 1142 } 1143 continue; 1144 } 1145 ToInstrument.push_back(BI); 1146 NumInsnsPerBB++; 1147 if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) 1148 break; 1149 } 1150 } 1151 1152 // Instrument. 1153 int NumInstrumented = 0; 1154 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 1155 Instruction *Inst = ToInstrument[i]; 1156 if (ClDebugMin < 0 || ClDebugMax < 0 || 1157 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 1158 if (isInterestingMemoryAccess(Inst, &IsWrite)) 1159 instrumentMop(Inst); 1160 else 1161 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 1162 } 1163 NumInstrumented++; 1164 } 1165 1166 FunctionStackPoisoner FSP(F, *this); 1167 bool ChangedStack = FSP.runOnFunction(); 1168 1169 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 1170 // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37 1171 for (size_t i = 0, n = NoReturnCalls.size(); i != n; i++) { 1172 Instruction *CI = NoReturnCalls[i]; 1173 IRBuilder<> IRB(CI); 1174 IRB.CreateCall(AsanHandleNoReturnFunc); 1175 } 1176 DEBUG(dbgs() << "ASAN done instrumenting:\n" << F << "\n"); 1177 1178 return NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); 1179} 1180 1181static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 1182 if (ShadowRedzoneSize == 1) return PoisonByte; 1183 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 1184 if (ShadowRedzoneSize == 4) 1185 return (PoisonByte << 24) + (PoisonByte << 16) + 1186 (PoisonByte << 8) + (PoisonByte); 1187 llvm_unreachable("ShadowRedzoneSize is either 1, 2 or 4"); 1188} 1189 1190static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 1191 size_t Size, 1192 size_t RZSize, 1193 size_t ShadowGranularity, 1194 uint8_t Magic) { 1195 for (size_t i = 0; i < RZSize; 1196 i+= ShadowGranularity, Shadow++) { 1197 if (i + ShadowGranularity <= Size) { 1198 *Shadow = 0; // fully addressable 1199 } else if (i >= Size) { 1200 *Shadow = Magic; // unaddressable 1201 } else { 1202 *Shadow = Size - i; // first Size-i bytes are addressable 1203 } 1204 } 1205} 1206 1207// Workaround for bug 11395: we don't want to instrument stack in functions 1208// with large assembly blobs (32-bit only), otherwise reg alloc may crash. 1209// FIXME: remove once the bug 11395 is fixed. 1210bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 1211 if (LongSize != 32) return false; 1212 CallInst *CI = dyn_cast<CallInst>(I); 1213 if (!CI || !CI->isInlineAsm()) return false; 1214 if (CI->getNumArgOperands() <= 5) return false; 1215 // We have inline assembly with quite a few arguments. 1216 return true; 1217} 1218 1219void FunctionStackPoisoner::initializeCallbacks(Module &M) { 1220 IRBuilder<> IRB(*C); 1221 AsanStackMallocFunc = checkInterfaceFunction(M.getOrInsertFunction( 1222 kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL)); 1223 AsanStackFreeFunc = checkInterfaceFunction(M.getOrInsertFunction( 1224 kAsanStackFreeName, IRB.getVoidTy(), 1225 IntptrTy, IntptrTy, IntptrTy, NULL)); 1226 AsanPoisonStackMemoryFunc = checkInterfaceFunction(M.getOrInsertFunction( 1227 kAsanPoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1228 AsanUnpoisonStackMemoryFunc = checkInterfaceFunction(M.getOrInsertFunction( 1229 kAsanUnpoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1230} 1231 1232void FunctionStackPoisoner::poisonRedZones( 1233 const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, Value *ShadowBase, 1234 bool DoPoison) { 1235 size_t ShadowRZSize = RedzoneSize() >> Mapping.Scale; 1236 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 1237 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 1238 Type *RZPtrTy = PointerType::get(RZTy, 0); 1239 1240 Value *PoisonLeft = ConstantInt::get(RZTy, 1241 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 1242 Value *PoisonMid = ConstantInt::get(RZTy, 1243 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 1244 Value *PoisonRight = ConstantInt::get(RZTy, 1245 ValueForPoison(DoPoison ? kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 1246 1247 // poison the first red zone. 1248 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 1249 1250 // poison all other red zones. 1251 uint64_t Pos = RedzoneSize(); 1252 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 1253 AllocaInst *AI = AllocaVec[i]; 1254 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 1255 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1256 assert(AlignedSize - SizeInBytes < RedzoneSize()); 1257 Value *Ptr = NULL; 1258 1259 Pos += AlignedSize; 1260 1261 assert(ShadowBase->getType() == IntptrTy); 1262 if (SizeInBytes < AlignedSize) { 1263 // Poison the partial redzone at right 1264 Ptr = IRB.CreateAdd( 1265 ShadowBase, ConstantInt::get(IntptrTy, 1266 (Pos >> Mapping.Scale) - ShadowRZSize)); 1267 size_t AddressableBytes = RedzoneSize() - (AlignedSize - SizeInBytes); 1268 uint32_t Poison = 0; 1269 if (DoPoison) { 1270 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 1271 RedzoneSize(), 1272 1ULL << Mapping.Scale, 1273 kAsanStackPartialRedzoneMagic); 1274 } 1275 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 1276 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1277 } 1278 1279 // Poison the full redzone at right. 1280 Ptr = IRB.CreateAdd(ShadowBase, 1281 ConstantInt::get(IntptrTy, Pos >> Mapping.Scale)); 1282 bool LastAlloca = (i == AllocaVec.size() - 1); 1283 Value *Poison = LastAlloca ? PoisonRight : PoisonMid; 1284 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1285 1286 Pos += RedzoneSize(); 1287 } 1288} 1289 1290void FunctionStackPoisoner::poisonStack() { 1291 uint64_t LocalStackSize = TotalStackSize + 1292 (AllocaVec.size() + 1) * RedzoneSize(); 1293 1294 bool DoStackMalloc = ASan.CheckUseAfterReturn 1295 && LocalStackSize <= kMaxStackMallocSize; 1296 1297 assert(AllocaVec.size() > 0); 1298 Instruction *InsBefore = AllocaVec[0]; 1299 IRBuilder<> IRB(InsBefore); 1300 1301 1302 Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); 1303 AllocaInst *MyAlloca = 1304 new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore); 1305 if (ClRealignStack && StackAlignment < RedzoneSize()) 1306 StackAlignment = RedzoneSize(); 1307 MyAlloca->setAlignment(StackAlignment); 1308 assert(MyAlloca->isStaticAlloca()); 1309 Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy); 1310 Value *LocalStackBase = OrigStackBase; 1311 1312 if (DoStackMalloc) { 1313 LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc, 1314 ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); 1315 } 1316 1317 // This string will be parsed by the run-time (DescribeStackAddress). 1318 SmallString<2048> StackDescriptionStorage; 1319 raw_svector_ostream StackDescription(StackDescriptionStorage); 1320 StackDescription << F.getName() << " " << AllocaVec.size() << " "; 1321 1322 // Insert poison calls for lifetime intrinsics for alloca. 1323 bool HavePoisonedAllocas = false; 1324 for (size_t i = 0, n = AllocaPoisonCallVec.size(); i < n; i++) { 1325 const AllocaPoisonCall &APC = AllocaPoisonCallVec[i]; 1326 IntrinsicInst *II = APC.InsBefore; 1327 AllocaInst *AI = findAllocaForValue(II->getArgOperand(1)); 1328 assert(AI); 1329 IRBuilder<> IRB(II); 1330 poisonAlloca(AI, APC.Size, IRB, APC.DoPoison); 1331 HavePoisonedAllocas |= APC.DoPoison; 1332 } 1333 1334 uint64_t Pos = RedzoneSize(); 1335 // Replace Alloca instructions with base+offset. 1336 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 1337 AllocaInst *AI = AllocaVec[i]; 1338 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 1339 StringRef Name = AI->getName(); 1340 StackDescription << Pos << " " << SizeInBytes << " " 1341 << Name.size() << " " << Name << " "; 1342 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1343 assert((AlignedSize % RedzoneSize()) == 0); 1344 Value *NewAllocaPtr = IRB.CreateIntToPtr( 1345 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)), 1346 AI->getType()); 1347 replaceDbgDeclareForAlloca(AI, NewAllocaPtr, DIB); 1348 AI->replaceAllUsesWith(NewAllocaPtr); 1349 Pos += AlignedSize + RedzoneSize(); 1350 } 1351 assert(Pos == LocalStackSize); 1352 1353 // Write the Magic value and the frame description constant to the redzone. 1354 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 1355 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 1356 BasePlus0); 1357 Value *BasePlus1 = IRB.CreateAdd(LocalStackBase, 1358 ConstantInt::get(IntptrTy, 1359 ASan.LongSize/8)); 1360 BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy); 1361 GlobalVariable *StackDescriptionGlobal = 1362 createPrivateGlobalForString(*F.getParent(), StackDescription.str()); 1363 Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, 1364 IntptrTy); 1365 IRB.CreateStore(Description, BasePlus1); 1366 1367 // Poison the stack redzones at the entry. 1368 Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB); 1369 poisonRedZones(AllocaVec, IRB, ShadowBase, true); 1370 1371 // Unpoison the stack before all ret instructions. 1372 for (size_t i = 0, n = RetVec.size(); i < n; i++) { 1373 Instruction *Ret = RetVec[i]; 1374 IRBuilder<> IRBRet(Ret); 1375 // Mark the current frame as retired. 1376 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 1377 BasePlus0); 1378 // Unpoison the stack. 1379 poisonRedZones(AllocaVec, IRBRet, ShadowBase, false); 1380 if (DoStackMalloc) { 1381 // In use-after-return mode, mark the whole stack frame unaddressable. 1382 IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase, 1383 ConstantInt::get(IntptrTy, LocalStackSize), 1384 OrigStackBase); 1385 } else if (HavePoisonedAllocas) { 1386 // If we poisoned some allocas in llvm.lifetime analysis, 1387 // unpoison whole stack frame now. 1388 assert(LocalStackBase == OrigStackBase); 1389 poisonAlloca(LocalStackBase, LocalStackSize, IRBRet, false); 1390 } 1391 } 1392 1393 // We are done. Remove the old unused alloca instructions. 1394 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) 1395 AllocaVec[i]->eraseFromParent(); 1396} 1397 1398void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size, 1399 IRBuilder<> IRB, bool DoPoison) { 1400 // For now just insert the call to ASan runtime. 1401 Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy); 1402 Value *SizeArg = ConstantInt::get(IntptrTy, Size); 1403 IRB.CreateCall2(DoPoison ? AsanPoisonStackMemoryFunc 1404 : AsanUnpoisonStackMemoryFunc, 1405 AddrArg, SizeArg); 1406} 1407 1408// Handling llvm.lifetime intrinsics for a given %alloca: 1409// (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca. 1410// (2) if %size is constant, poison memory for llvm.lifetime.end (to detect 1411// invalid accesses) and unpoison it for llvm.lifetime.start (the memory 1412// could be poisoned by previous llvm.lifetime.end instruction, as the 1413// variable may go in and out of scope several times, e.g. in loops). 1414// (3) if we poisoned at least one %alloca in a function, 1415// unpoison the whole stack frame at function exit. 1416 1417AllocaInst *FunctionStackPoisoner::findAllocaForValue(Value *V) { 1418 if (AllocaInst *AI = dyn_cast<AllocaInst>(V)) 1419 // We're intested only in allocas we can handle. 1420 return isInterestingAlloca(*AI) ? AI : 0; 1421 // See if we've already calculated (or started to calculate) alloca for a 1422 // given value. 1423 AllocaForValueMapTy::iterator I = AllocaForValue.find(V); 1424 if (I != AllocaForValue.end()) 1425 return I->second; 1426 // Store 0 while we're calculating alloca for value V to avoid 1427 // infinite recursion if the value references itself. 1428 AllocaForValue[V] = 0; 1429 AllocaInst *Res = 0; 1430 if (CastInst *CI = dyn_cast<CastInst>(V)) 1431 Res = findAllocaForValue(CI->getOperand(0)); 1432 else if (PHINode *PN = dyn_cast<PHINode>(V)) { 1433 for (unsigned i = 0, e = PN->getNumIncomingValues(); i != e; ++i) { 1434 Value *IncValue = PN->getIncomingValue(i); 1435 // Allow self-referencing phi-nodes. 1436 if (IncValue == PN) continue; 1437 AllocaInst *IncValueAI = findAllocaForValue(IncValue); 1438 // AI for incoming values should exist and should all be equal. 1439 if (IncValueAI == 0 || (Res != 0 && IncValueAI != Res)) 1440 return 0; 1441 Res = IncValueAI; 1442 } 1443 } 1444 if (Res != 0) 1445 AllocaForValue[V] = Res; 1446 return Res; 1447} 1448