AddressSanitizer.cpp revision 5085eb80abe29320fa8922c10b36249f5163f45d
1//===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// Details of the algorithm: 12// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13// 14//===----------------------------------------------------------------------===// 15 16#define DEBUG_TYPE "asan" 17 18#include "BlackList.h" 19#include "llvm/Function.h" 20#include "llvm/IRBuilder.h" 21#include "llvm/InlineAsm.h" 22#include "llvm/IntrinsicInst.h" 23#include "llvm/LLVMContext.h" 24#include "llvm/Module.h" 25#include "llvm/Type.h" 26#include "llvm/ADT/ArrayRef.h" 27#include "llvm/ADT/OwningPtr.h" 28#include "llvm/ADT/SmallSet.h" 29#include "llvm/ADT/SmallString.h" 30#include "llvm/ADT/SmallVector.h" 31#include "llvm/ADT/StringExtras.h" 32#include "llvm/ADT/Triple.h" 33#include "llvm/Support/CommandLine.h" 34#include "llvm/Support/DataTypes.h" 35#include "llvm/Support/Debug.h" 36#include "llvm/Support/raw_ostream.h" 37#include "llvm/Support/system_error.h" 38#include "llvm/DataLayout.h" 39#include "llvm/Target/TargetMachine.h" 40#include "llvm/Transforms/Instrumentation.h" 41#include "llvm/Transforms/Utils/BasicBlockUtils.h" 42#include "llvm/Transforms/Utils/ModuleUtils.h" 43 44#include <string> 45#include <algorithm> 46 47using namespace llvm; 48 49static const uint64_t kDefaultShadowScale = 3; 50static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 51static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 52static const uint64_t kDefaultShadowOffsetAndroid = 0; 53 54static const size_t kMaxStackMallocSize = 1 << 16; // 64K 55static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 56static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 57 58static const char *kAsanModuleCtorName = "asan.module_ctor"; 59static const char *kAsanModuleDtorName = "asan.module_dtor"; 60static const int kAsanCtorAndCtorPriority = 1; 61static const char *kAsanReportErrorTemplate = "__asan_report_"; 62static const char *kAsanRegisterGlobalsName = "__asan_register_globals"; 63static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals"; 64static const char *kAsanPoisonGlobalsName = "__asan_before_dynamic_init"; 65static const char *kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init"; 66static const char *kAsanInitName = "__asan_init"; 67static const char *kAsanHandleNoReturnName = "__asan_handle_no_return"; 68static const char *kAsanMappingOffsetName = "__asan_mapping_offset"; 69static const char *kAsanMappingScaleName = "__asan_mapping_scale"; 70static const char *kAsanStackMallocName = "__asan_stack_malloc"; 71static const char *kAsanStackFreeName = "__asan_stack_free"; 72static const char *kAsanGenPrefix = "__asan_gen_"; 73 74static const int kAsanStackLeftRedzoneMagic = 0xf1; 75static const int kAsanStackMidRedzoneMagic = 0xf2; 76static const int kAsanStackRightRedzoneMagic = 0xf3; 77static const int kAsanStackPartialRedzoneMagic = 0xf4; 78 79// Accesses sizes are powers of two: 1, 2, 4, 8, 16. 80static const size_t kNumberOfAccessSizes = 5; 81 82// Command-line flags. 83 84// This flag may need to be replaced with -f[no-]asan-reads. 85static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 86 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 87static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 88 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 89static cl::opt<bool> ClInstrumentAtomics("asan-instrument-atomics", 90 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), 91 cl::Hidden, cl::init(true)); 92static cl::opt<bool> ClAlwaysSlowPath("asan-always-slow-path", 93 cl::desc("use instrumentation with slow path for all accesses"), 94 cl::Hidden, cl::init(false)); 95// This flag limits the number of instructions to be instrumented 96// in any given BB. Normally, this should be set to unlimited (INT_MAX), 97// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary 98// set it to 10000. 99static cl::opt<int> ClMaxInsnsToInstrumentPerBB("asan-max-ins-per-bb", 100 cl::init(10000), 101 cl::desc("maximal number of instructions to instrument in any given BB"), 102 cl::Hidden); 103// This flag may need to be replaced with -f[no]asan-stack. 104static cl::opt<bool> ClStack("asan-stack", 105 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 106// This flag may need to be replaced with -f[no]asan-use-after-return. 107static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 108 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 109// This flag may need to be replaced with -f[no]asan-globals. 110static cl::opt<bool> ClGlobals("asan-globals", 111 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 112static cl::opt<bool> ClInitializers("asan-initialization-order", 113 cl::desc("Handle C++ initializer order"), cl::Hidden, cl::init(false)); 114static cl::opt<bool> ClMemIntrin("asan-memintrin", 115 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 116// This flag may need to be replaced with -fasan-blacklist. 117static cl::opt<std::string> ClBlackListFile("asan-blacklist", 118 cl::desc("File containing the list of functions to ignore " 119 "during instrumentation"), cl::Hidden); 120 121// These flags allow to change the shadow mapping. 122// The shadow mapping looks like 123// Shadow = (Mem >> scale) + (1 << offset_log) 124static cl::opt<int> ClMappingScale("asan-mapping-scale", 125 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 126static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 127 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 128 129// Optimization flags. Not user visible, used mostly for testing 130// and benchmarking the tool. 131static cl::opt<bool> ClOpt("asan-opt", 132 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 133static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 134 cl::desc("Instrument the same temp just once"), cl::Hidden, 135 cl::init(true)); 136static cl::opt<bool> ClOptGlobals("asan-opt-globals", 137 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 138 139// Debug flags. 140static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 141 cl::init(0)); 142static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 143 cl::Hidden, cl::init(0)); 144static cl::opt<std::string> ClDebugFunc("asan-debug-func", 145 cl::Hidden, cl::desc("Debug func")); 146static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 147 cl::Hidden, cl::init(-1)); 148static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 149 cl::Hidden, cl::init(-1)); 150 151namespace { 152/// A set of dynamically initialized globals extracted from metadata. 153class SetOfDynamicallyInitializedGlobals { 154 public: 155 void Init(Module& M) { 156 // Clang generates metadata identifying all dynamically initialized globals. 157 NamedMDNode *DynamicGlobals = 158 M.getNamedMetadata("llvm.asan.dynamically_initialized_globals"); 159 if (!DynamicGlobals) 160 return; 161 for (int i = 0, n = DynamicGlobals->getNumOperands(); i < n; ++i) { 162 MDNode *MDN = DynamicGlobals->getOperand(i); 163 assert(MDN->getNumOperands() == 1); 164 Value *VG = MDN->getOperand(0); 165 // The optimizer may optimize away a global entirely, in which case we 166 // cannot instrument access to it. 167 if (!VG) 168 continue; 169 DynInitGlobals.insert(cast<GlobalVariable>(VG)); 170 } 171 } 172 bool Contains(GlobalVariable *G) { return DynInitGlobals.count(G) != 0; } 173 private: 174 SmallSet<GlobalValue*, 32> DynInitGlobals; 175}; 176 177static int MappingScale() { 178 return ClMappingScale ? ClMappingScale : kDefaultShadowScale; 179} 180 181static size_t RedzoneSize() { 182 // Redzone used for stack and globals is at least 32 bytes. 183 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 184 return std::max(32U, 1U << MappingScale()); 185} 186 187/// AddressSanitizer: instrument the code in module to find memory bugs. 188struct AddressSanitizer : public FunctionPass { 189 AddressSanitizer(); 190 virtual const char *getPassName() const { 191 return "AddressSanitizerFunctionPass"; 192 } 193 void instrumentMop(Instruction *I); 194 void instrumentAddress(Instruction *OrigIns, IRBuilder<> &IRB, 195 Value *Addr, uint32_t TypeSize, bool IsWrite); 196 Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 197 Value *ShadowValue, uint32_t TypeSize); 198 Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, 199 bool IsWrite, size_t AccessSizeIndex); 200 bool instrumentMemIntrinsic(MemIntrinsic *MI); 201 void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr, 202 Value *Size, 203 Instruction *InsertBefore, bool IsWrite); 204 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 205 bool runOnFunction(Function &F); 206 void createInitializerPoisonCalls(Module &M, 207 Value *FirstAddr, Value *LastAddr); 208 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 209 bool poisonStackInFunction(Function &F); 210 virtual bool doInitialization(Module &M); 211 static char ID; // Pass identification, replacement for typeid 212 213 private: 214 uint64_t getAllocaSizeInBytes(AllocaInst *AI) { 215 Type *Ty = AI->getAllocatedType(); 216 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 217 return SizeInBytes; 218 } 219 uint64_t getAlignedSize(uint64_t SizeInBytes) { 220 size_t RZ = RedzoneSize(); 221 return ((SizeInBytes + RZ - 1) / RZ) * RZ; 222 } 223 uint64_t getAlignedAllocaSize(AllocaInst *AI) { 224 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 225 return getAlignedSize(SizeInBytes); 226 } 227 228 bool ShouldInstrumentGlobal(GlobalVariable *G); 229 void PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, 230 Value *ShadowBase, bool DoPoison); 231 bool LooksLikeCodeInBug11395(Instruction *I); 232 void FindDynamicInitializers(Module &M); 233 234 LLVMContext *C; 235 DataLayout *TD; 236 uint64_t MappingOffset; 237 int LongSize; 238 Type *IntptrTy; 239 Type *IntptrPtrTy; 240 Function *AsanCtorFunction; 241 Function *AsanInitFunction; 242 Function *AsanStackMallocFunc, *AsanStackFreeFunc; 243 Function *AsanHandleNoReturnFunc; 244 OwningPtr<BlackList> BL; 245 // This array is indexed by AccessIsWrite and log2(AccessSize). 246 Function *AsanErrorCallback[2][kNumberOfAccessSizes]; 247 InlineAsm *EmptyAsm; 248 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 249}; 250 251class AddressSanitizerModule : public ModulePass { 252 public: 253 bool runOnModule(Module &M); 254 static char ID; // Pass identification, replacement for typeid 255 AddressSanitizerModule() : ModulePass(ID) { } 256 virtual const char *getPassName() const { 257 return "AddressSanitizerModule"; 258 } 259 private: 260 bool ShouldInstrumentGlobal(GlobalVariable *G); 261 void createInitializerPoisonCalls(Module &M, Value *FirstAddr, 262 Value *LastAddr); 263 264 OwningPtr<BlackList> BL; 265 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 266 Type *IntptrTy; 267 LLVMContext *C; 268 DataLayout *TD; 269}; 270 271} // namespace 272 273char AddressSanitizer::ID = 0; 274INITIALIZE_PASS(AddressSanitizer, "asan", 275 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", 276 false, false) 277AddressSanitizer::AddressSanitizer() : FunctionPass(ID) { } 278FunctionPass *llvm::createAddressSanitizerFunctionPass() { 279 return new AddressSanitizer(); 280} 281 282char AddressSanitizerModule::ID = 0; 283INITIALIZE_PASS(AddressSanitizerModule, "asan-module", 284 "AddressSanitizer: detects use-after-free and out-of-bounds bugs." 285 "ModulePass", false, false) 286ModulePass *llvm::createAddressSanitizerModulePass() { 287 return new AddressSanitizerModule(); 288} 289 290static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 291 size_t Res = CountTrailingZeros_32(TypeSize / 8); 292 assert(Res < kNumberOfAccessSizes); 293 return Res; 294} 295 296// Create a constant for Str so that we can pass it to the run-time lib. 297static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 298 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 299 return new GlobalVariable(M, StrConst->getType(), true, 300 GlobalValue::PrivateLinkage, StrConst, 301 kAsanGenPrefix); 302} 303 304static bool GlobalWasGeneratedByAsan(GlobalVariable *G) { 305 return G->getName().find(kAsanGenPrefix) == 0; 306} 307 308Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 309 // Shadow >> scale 310 Shadow = IRB.CreateLShr(Shadow, MappingScale()); 311 if (MappingOffset == 0) 312 return Shadow; 313 // (Shadow >> scale) | offset 314 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, 315 MappingOffset)); 316} 317 318void AddressSanitizer::instrumentMemIntrinsicParam( 319 Instruction *OrigIns, 320 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 321 // Check the first byte. 322 { 323 IRBuilder<> IRB(InsertBefore); 324 instrumentAddress(OrigIns, IRB, Addr, 8, IsWrite); 325 } 326 // Check the last byte. 327 { 328 IRBuilder<> IRB(InsertBefore); 329 Value *SizeMinusOne = IRB.CreateSub( 330 Size, ConstantInt::get(Size->getType(), 1)); 331 SizeMinusOne = IRB.CreateIntCast(SizeMinusOne, IntptrTy, false); 332 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 333 Value *AddrPlusSizeMinisOne = IRB.CreateAdd(AddrLong, SizeMinusOne); 334 instrumentAddress(OrigIns, IRB, AddrPlusSizeMinisOne, 8, IsWrite); 335 } 336} 337 338// Instrument memset/memmove/memcpy 339bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 340 Value *Dst = MI->getDest(); 341 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 342 Value *Src = MemTran ? MemTran->getSource() : 0; 343 Value *Length = MI->getLength(); 344 345 Constant *ConstLength = dyn_cast<Constant>(Length); 346 Instruction *InsertBefore = MI; 347 if (ConstLength) { 348 if (ConstLength->isNullValue()) return false; 349 } else { 350 // The size is not a constant so it could be zero -- check at run-time. 351 IRBuilder<> IRB(InsertBefore); 352 353 Value *Cmp = IRB.CreateICmpNE(Length, 354 Constant::getNullValue(Length->getType())); 355 InsertBefore = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 356 } 357 358 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 359 if (Src) 360 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 361 return true; 362} 363 364// If I is an interesting memory access, return the PointerOperand 365// and set IsWrite. Otherwise return NULL. 366static Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite) { 367 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 368 if (!ClInstrumentReads) return NULL; 369 *IsWrite = false; 370 return LI->getPointerOperand(); 371 } 372 if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 373 if (!ClInstrumentWrites) return NULL; 374 *IsWrite = true; 375 return SI->getPointerOperand(); 376 } 377 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 378 if (!ClInstrumentAtomics) return NULL; 379 *IsWrite = true; 380 return RMW->getPointerOperand(); 381 } 382 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 383 if (!ClInstrumentAtomics) return NULL; 384 *IsWrite = true; 385 return XCHG->getPointerOperand(); 386 } 387 return NULL; 388} 389 390void AddressSanitizer::instrumentMop(Instruction *I) { 391 bool IsWrite = false; 392 Value *Addr = isInterestingMemoryAccess(I, &IsWrite); 393 assert(Addr); 394 if (ClOpt && ClOptGlobals) { 395 if (GlobalVariable *G = dyn_cast<GlobalVariable>(Addr)) { 396 // If initialization order checking is disabled, a simple access to a 397 // dynamically initialized global is always valid. 398 if (!ClInitializers) 399 return; 400 // If a global variable does not have dynamic initialization we don't 401 // have to instrument it. However, if a global does not have initailizer 402 // at all, we assume it has dynamic initializer (in other TU). 403 if (G->hasInitializer() && !DynamicallyInitializedGlobals.Contains(G)) 404 return; 405 } 406 } 407 408 Type *OrigPtrTy = Addr->getType(); 409 Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType(); 410 411 assert(OrigTy->isSized()); 412 uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy); 413 414 if (TypeSize != 8 && TypeSize != 16 && 415 TypeSize != 32 && TypeSize != 64 && TypeSize != 128) { 416 // Ignore all unusual sizes. 417 return; 418 } 419 420 IRBuilder<> IRB(I); 421 instrumentAddress(I, IRB, Addr, TypeSize, IsWrite); 422} 423 424// Validate the result of Module::getOrInsertFunction called for an interface 425// function of AddressSanitizer. If the instrumented module defines a function 426// with the same name, their prototypes must match, otherwise 427// getOrInsertFunction returns a bitcast. 428static Function *checkInterfaceFunction(Constant *FuncOrBitcast) { 429 if (isa<Function>(FuncOrBitcast)) return cast<Function>(FuncOrBitcast); 430 FuncOrBitcast->dump(); 431 report_fatal_error("trying to redefine an AddressSanitizer " 432 "interface function"); 433} 434 435Instruction *AddressSanitizer::generateCrashCode( 436 Instruction *InsertBefore, Value *Addr, 437 bool IsWrite, size_t AccessSizeIndex) { 438 IRBuilder<> IRB(InsertBefore); 439 CallInst *Call = IRB.CreateCall(AsanErrorCallback[IsWrite][AccessSizeIndex], 440 Addr); 441 // We don't do Call->setDoesNotReturn() because the BB already has 442 // UnreachableInst at the end. 443 // This EmptyAsm is required to avoid callback merge. 444 IRB.CreateCall(EmptyAsm); 445 return Call; 446} 447 448Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 449 Value *ShadowValue, 450 uint32_t TypeSize) { 451 size_t Granularity = 1 << MappingScale(); 452 // Addr & (Granularity - 1) 453 Value *LastAccessedByte = IRB.CreateAnd( 454 AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 455 // (Addr & (Granularity - 1)) + size - 1 456 if (TypeSize / 8 > 1) 457 LastAccessedByte = IRB.CreateAdd( 458 LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 459 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 460 LastAccessedByte = IRB.CreateIntCast( 461 LastAccessedByte, ShadowValue->getType(), false); 462 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 463 return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue); 464} 465 466void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 467 IRBuilder<> &IRB, Value *Addr, 468 uint32_t TypeSize, bool IsWrite) { 469 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 470 471 Type *ShadowTy = IntegerType::get( 472 *C, std::max(8U, TypeSize >> MappingScale())); 473 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 474 Value *ShadowPtr = memToShadow(AddrLong, IRB); 475 Value *CmpVal = Constant::getNullValue(ShadowTy); 476 Value *ShadowValue = IRB.CreateLoad( 477 IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 478 479 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 480 size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize); 481 size_t Granularity = 1 << MappingScale(); 482 TerminatorInst *CrashTerm = 0; 483 484 if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) { 485 TerminatorInst *CheckTerm = 486 SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 487 assert(dyn_cast<BranchInst>(CheckTerm)->isUnconditional()); 488 BasicBlock *NextBB = CheckTerm->getSuccessor(0); 489 IRB.SetInsertPoint(CheckTerm); 490 Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize); 491 BasicBlock *CrashBlock = 492 BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); 493 CrashTerm = new UnreachableInst(*C, CrashBlock); 494 BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); 495 ReplaceInstWithInst(CheckTerm, NewTerm); 496 } else { 497 CrashTerm = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), true); 498 } 499 500 Instruction *Crash = 501 generateCrashCode(CrashTerm, AddrLong, IsWrite, AccessSizeIndex); 502 Crash->setDebugLoc(OrigIns->getDebugLoc()); 503} 504 505void AddressSanitizerModule::createInitializerPoisonCalls( 506 Module &M, Value *FirstAddr, Value *LastAddr) { 507 // We do all of our poisoning and unpoisoning within _GLOBAL__I_a. 508 Function *GlobalInit = M.getFunction("_GLOBAL__I_a"); 509 // If that function is not present, this TU contains no globals, or they have 510 // all been optimized away 511 if (!GlobalInit) 512 return; 513 514 // Set up the arguments to our poison/unpoison functions. 515 IRBuilder<> IRB(GlobalInit->begin()->getFirstInsertionPt()); 516 517 // Declare our poisoning and unpoisoning functions. 518 Function *AsanPoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 519 kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 520 AsanPoisonGlobals->setLinkage(Function::ExternalLinkage); 521 Function *AsanUnpoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 522 kAsanUnpoisonGlobalsName, IRB.getVoidTy(), NULL)); 523 AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage); 524 525 // Add a call to poison all external globals before the given function starts. 526 IRB.CreateCall2(AsanPoisonGlobals, FirstAddr, LastAddr); 527 528 // Add calls to unpoison all globals before each return instruction. 529 for (Function::iterator I = GlobalInit->begin(), E = GlobalInit->end(); 530 I != E; ++I) { 531 if (ReturnInst *RI = dyn_cast<ReturnInst>(I->getTerminator())) { 532 CallInst::Create(AsanUnpoisonGlobals, "", RI); 533 } 534 } 535} 536 537bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) { 538 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 539 DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); 540 541 if (BL->isIn(*G)) return false; 542 if (!Ty->isSized()) return false; 543 if (!G->hasInitializer()) return false; 544 if (GlobalWasGeneratedByAsan(G)) return false; // Our own global. 545 // Touch only those globals that will not be defined in other modules. 546 // Don't handle ODR type linkages since other modules may be built w/o asan. 547 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 548 G->getLinkage() != GlobalVariable::PrivateLinkage && 549 G->getLinkage() != GlobalVariable::InternalLinkage) 550 return false; 551 // Two problems with thread-locals: 552 // - The address of the main thread's copy can't be computed at link-time. 553 // - Need to poison all copies, not just the main thread's one. 554 if (G->isThreadLocal()) 555 return false; 556 // For now, just ignore this Alloca if the alignment is large. 557 if (G->getAlignment() > RedzoneSize()) return false; 558 559 // Ignore all the globals with the names starting with "\01L_OBJC_". 560 // Many of those are put into the .cstring section. The linker compresses 561 // that section by removing the spare \0s after the string terminator, so 562 // our redzones get broken. 563 if ((G->getName().find("\01L_OBJC_") == 0) || 564 (G->getName().find("\01l_OBJC_") == 0)) { 565 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 566 return false; 567 } 568 569 if (G->hasSection()) { 570 StringRef Section(G->getSection()); 571 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 572 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 573 // them. 574 if ((Section.find("__OBJC,") == 0) || 575 (Section.find("__DATA, __objc_") == 0)) { 576 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 577 return false; 578 } 579 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 580 // Constant CFString instances are compiled in the following way: 581 // -- the string buffer is emitted into 582 // __TEXT,__cstring,cstring_literals 583 // -- the constant NSConstantString structure referencing that buffer 584 // is placed into __DATA,__cfstring 585 // Therefore there's no point in placing redzones into __DATA,__cfstring. 586 // Moreover, it causes the linker to crash on OS X 10.7 587 if (Section.find("__DATA,__cfstring") == 0) { 588 DEBUG(dbgs() << "Ignoring CFString: " << *G); 589 return false; 590 } 591 } 592 593 return true; 594} 595 596// This function replaces all global variables with new variables that have 597// trailing redzones. It also creates a function that poisons 598// redzones and inserts this function into llvm.global_ctors. 599bool AddressSanitizerModule::runOnModule(Module &M) { 600 if (!ClGlobals) return false; 601 TD = getAnalysisIfAvailable<DataLayout>(); 602 if (!TD) 603 return false; 604 BL.reset(new BlackList(ClBlackListFile)); 605 DynamicallyInitializedGlobals.Init(M); 606 C = &(M.getContext()); 607 IntptrTy = Type::getIntNTy(*C, TD->getPointerSizeInBits()); 608 609 SmallVector<GlobalVariable *, 16> GlobalsToChange; 610 611 for (Module::GlobalListType::iterator G = M.global_begin(), 612 E = M.global_end(); G != E; ++G) { 613 if (ShouldInstrumentGlobal(G)) 614 GlobalsToChange.push_back(G); 615 } 616 617 size_t n = GlobalsToChange.size(); 618 if (n == 0) return false; 619 620 // A global is described by a structure 621 // size_t beg; 622 // size_t size; 623 // size_t size_with_redzone; 624 // const char *name; 625 // size_t has_dynamic_init; 626 // We initialize an array of such structures and pass it to a run-time call. 627 StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy, 628 IntptrTy, IntptrTy, 629 IntptrTy, NULL); 630 SmallVector<Constant *, 16> Initializers(n), DynamicInit; 631 632 633 Function *CtorFunc = M.getFunction(kAsanModuleCtorName); 634 assert(CtorFunc); 635 IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator()); 636 637 // The addresses of the first and last dynamically initialized globals in 638 // this TU. Used in initialization order checking. 639 Value *FirstDynamic = 0, *LastDynamic = 0; 640 641 for (size_t i = 0; i < n; i++) { 642 GlobalVariable *G = GlobalsToChange[i]; 643 PointerType *PtrTy = cast<PointerType>(G->getType()); 644 Type *Ty = PtrTy->getElementType(); 645 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 646 size_t RZ = RedzoneSize(); 647 uint64_t RightRedzoneSize = RZ + (RZ - (SizeInBytes % RZ)); 648 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 649 // Determine whether this global should be poisoned in initialization. 650 bool GlobalHasDynamicInitializer = 651 DynamicallyInitializedGlobals.Contains(G); 652 // Don't check initialization order if this global is blacklisted. 653 GlobalHasDynamicInitializer &= !BL->isInInit(*G); 654 655 StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL); 656 Constant *NewInitializer = ConstantStruct::get( 657 NewTy, G->getInitializer(), 658 Constant::getNullValue(RightRedZoneTy), NULL); 659 660 SmallString<2048> DescriptionOfGlobal = G->getName(); 661 DescriptionOfGlobal += " ("; 662 DescriptionOfGlobal += M.getModuleIdentifier(); 663 DescriptionOfGlobal += ")"; 664 GlobalVariable *Name = createPrivateGlobalForString(M, DescriptionOfGlobal); 665 666 // Create a new global variable with enough space for a redzone. 667 GlobalVariable *NewGlobal = new GlobalVariable( 668 M, NewTy, G->isConstant(), G->getLinkage(), 669 NewInitializer, "", G, G->getThreadLocalMode()); 670 NewGlobal->copyAttributesFrom(G); 671 NewGlobal->setAlignment(RZ); 672 673 Value *Indices2[2]; 674 Indices2[0] = IRB.getInt32(0); 675 Indices2[1] = IRB.getInt32(0); 676 677 G->replaceAllUsesWith( 678 ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true)); 679 NewGlobal->takeName(G); 680 G->eraseFromParent(); 681 682 Initializers[i] = ConstantStruct::get( 683 GlobalStructTy, 684 ConstantExpr::getPointerCast(NewGlobal, IntptrTy), 685 ConstantInt::get(IntptrTy, SizeInBytes), 686 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 687 ConstantExpr::getPointerCast(Name, IntptrTy), 688 ConstantInt::get(IntptrTy, GlobalHasDynamicInitializer), 689 NULL); 690 691 // Populate the first and last globals declared in this TU. 692 if (ClInitializers && GlobalHasDynamicInitializer) { 693 LastDynamic = ConstantExpr::getPointerCast(NewGlobal, IntptrTy); 694 if (FirstDynamic == 0) 695 FirstDynamic = LastDynamic; 696 } 697 698 DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); 699 } 700 701 ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); 702 GlobalVariable *AllGlobals = new GlobalVariable( 703 M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage, 704 ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); 705 706 // Create calls for poisoning before initializers run and unpoisoning after. 707 if (ClInitializers && FirstDynamic && LastDynamic) 708 createInitializerPoisonCalls(M, FirstDynamic, LastDynamic); 709 710 Function *AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( 711 kAsanRegisterGlobalsName, IRB.getVoidTy(), 712 IntptrTy, IntptrTy, NULL)); 713 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 714 715 IRB.CreateCall2(AsanRegisterGlobals, 716 IRB.CreatePointerCast(AllGlobals, IntptrTy), 717 ConstantInt::get(IntptrTy, n)); 718 719 // We also need to unregister globals at the end, e.g. when a shared library 720 // gets closed. 721 Function *AsanDtorFunction = Function::Create( 722 FunctionType::get(Type::getVoidTy(*C), false), 723 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 724 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 725 IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); 726 Function *AsanUnregisterGlobals = 727 checkInterfaceFunction(M.getOrInsertFunction( 728 kAsanUnregisterGlobalsName, 729 IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 730 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 731 732 IRB_Dtor.CreateCall2(AsanUnregisterGlobals, 733 IRB.CreatePointerCast(AllGlobals, IntptrTy), 734 ConstantInt::get(IntptrTy, n)); 735 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority); 736 737 DEBUG(dbgs() << M); 738 return true; 739} 740 741// virtual 742bool AddressSanitizer::doInitialization(Module &M) { 743 // Initialize the private fields. No one has accessed them before. 744 TD = getAnalysisIfAvailable<DataLayout>(); 745 746 if (!TD) 747 return false; 748 BL.reset(new BlackList(ClBlackListFile)); 749 DynamicallyInitializedGlobals.Init(M); 750 751 C = &(M.getContext()); 752 LongSize = TD->getPointerSizeInBits(); 753 IntptrTy = Type::getIntNTy(*C, LongSize); 754 IntptrPtrTy = PointerType::get(IntptrTy, 0); 755 756 AsanCtorFunction = Function::Create( 757 FunctionType::get(Type::getVoidTy(*C), false), 758 GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); 759 BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); 760 // call __asan_init in the module ctor. 761 IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB)); 762 AsanInitFunction = checkInterfaceFunction( 763 M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL)); 764 AsanInitFunction->setLinkage(Function::ExternalLinkage); 765 IRB.CreateCall(AsanInitFunction); 766 767 // Create __asan_report* callbacks. 768 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 769 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 770 AccessSizeIndex++) { 771 // IsWrite and TypeSize are encoded in the function name. 772 std::string FunctionName = std::string(kAsanReportErrorTemplate) + 773 (AccessIsWrite ? "store" : "load") + itostr(1 << AccessSizeIndex); 774 // If we are merging crash callbacks, they have two parameters. 775 AsanErrorCallback[AccessIsWrite][AccessSizeIndex] = 776 checkInterfaceFunction(M.getOrInsertFunction( 777 FunctionName, IRB.getVoidTy(), IntptrTy, NULL)); 778 } 779 } 780 781 AsanStackMallocFunc = checkInterfaceFunction(M.getOrInsertFunction( 782 kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL)); 783 AsanStackFreeFunc = checkInterfaceFunction(M.getOrInsertFunction( 784 kAsanStackFreeName, IRB.getVoidTy(), 785 IntptrTy, IntptrTy, IntptrTy, NULL)); 786 AsanHandleNoReturnFunc = checkInterfaceFunction(M.getOrInsertFunction( 787 kAsanHandleNoReturnName, IRB.getVoidTy(), NULL)); 788 789 // We insert an empty inline asm after __asan_report* to avoid callback merge. 790 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 791 StringRef(""), StringRef(""), 792 /*hasSideEffects=*/true); 793 794 llvm::Triple targetTriple(M.getTargetTriple()); 795 bool isAndroid = targetTriple.getEnvironment() == llvm::Triple::Android; 796 797 MappingOffset = isAndroid ? kDefaultShadowOffsetAndroid : 798 (LongSize == 32 ? kDefaultShadowOffset32 : kDefaultShadowOffset64); 799 if (ClMappingOffsetLog >= 0) { 800 if (ClMappingOffsetLog == 0) { 801 // special case 802 MappingOffset = 0; 803 } else { 804 MappingOffset = 1ULL << ClMappingOffsetLog; 805 } 806 } 807 808 809 if (ClMappingOffsetLog >= 0) { 810 // Tell the run-time the current values of mapping offset and scale. 811 GlobalValue *asan_mapping_offset = 812 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 813 ConstantInt::get(IntptrTy, MappingOffset), 814 kAsanMappingOffsetName); 815 // Read the global, otherwise it may be optimized away. 816 IRB.CreateLoad(asan_mapping_offset, true); 817 } 818 if (ClMappingScale) { 819 GlobalValue *asan_mapping_scale = 820 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 821 ConstantInt::get(IntptrTy, MappingScale()), 822 kAsanMappingScaleName); 823 // Read the global, otherwise it may be optimized away. 824 IRB.CreateLoad(asan_mapping_scale, true); 825 } 826 827 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority); 828 829 return true; 830} 831 832bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 833 // For each NSObject descendant having a +load method, this method is invoked 834 // by the ObjC runtime before any of the static constructors is called. 835 // Therefore we need to instrument such methods with a call to __asan_init 836 // at the beginning in order to initialize our runtime before any access to 837 // the shadow memory. 838 // We cannot just ignore these methods, because they may call other 839 // instrumented functions. 840 if (F.getName().find(" load]") != std::string::npos) { 841 IRBuilder<> IRB(F.begin()->begin()); 842 IRB.CreateCall(AsanInitFunction); 843 return true; 844 } 845 return false; 846} 847 848// Check both the call and the callee for doesNotReturn(). 849static bool isNoReturnCall(CallInst *CI) { 850 if (CI->doesNotReturn()) return true; 851 Function *F = CI->getCalledFunction(); 852 if (F && F->doesNotReturn()) return true; 853 return false; 854} 855 856bool AddressSanitizer::runOnFunction(Function &F) { 857 if (BL->isIn(F)) return false; 858 if (&F == AsanCtorFunction) return false; 859 DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); 860 861 // If needed, insert __asan_init before checking for AddressSafety attr. 862 maybeInsertAsanInitAtFunctionEntry(F); 863 864 if (!F.getFnAttributes().hasAttribute(Attributes::AddressSafety)) 865 return false; 866 867 if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) 868 return false; 869 870 // We want to instrument every address only once per basic block (unless there 871 // are calls between uses). 872 SmallSet<Value*, 16> TempsToInstrument; 873 SmallVector<Instruction*, 16> ToInstrument; 874 SmallVector<Instruction*, 8> NoReturnCalls; 875 bool IsWrite; 876 877 // Fill the set of memory operations to instrument. 878 for (Function::iterator FI = F.begin(), FE = F.end(); 879 FI != FE; ++FI) { 880 TempsToInstrument.clear(); 881 int NumInsnsPerBB = 0; 882 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 883 BI != BE; ++BI) { 884 if (LooksLikeCodeInBug11395(BI)) return false; 885 if (Value *Addr = isInterestingMemoryAccess(BI, &IsWrite)) { 886 if (ClOpt && ClOptSameTemp) { 887 if (!TempsToInstrument.insert(Addr)) 888 continue; // We've seen this temp in the current BB. 889 } 890 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 891 // ok, take it. 892 } else { 893 if (CallInst *CI = dyn_cast<CallInst>(BI)) { 894 // A call inside BB. 895 TempsToInstrument.clear(); 896 if (isNoReturnCall(CI)) { 897 NoReturnCalls.push_back(CI); 898 } 899 } 900 continue; 901 } 902 ToInstrument.push_back(BI); 903 NumInsnsPerBB++; 904 if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) 905 break; 906 } 907 } 908 909 // Instrument. 910 int NumInstrumented = 0; 911 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 912 Instruction *Inst = ToInstrument[i]; 913 if (ClDebugMin < 0 || ClDebugMax < 0 || 914 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 915 if (isInterestingMemoryAccess(Inst, &IsWrite)) 916 instrumentMop(Inst); 917 else 918 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 919 } 920 NumInstrumented++; 921 } 922 923 bool ChangedStack = poisonStackInFunction(F); 924 925 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 926 // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37 927 for (size_t i = 0, n = NoReturnCalls.size(); i != n; i++) { 928 Instruction *CI = NoReturnCalls[i]; 929 IRBuilder<> IRB(CI); 930 IRB.CreateCall(AsanHandleNoReturnFunc); 931 } 932 DEBUG(dbgs() << "ASAN done instrumenting:\n" << F << "\n"); 933 934 return NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); 935} 936 937static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 938 if (ShadowRedzoneSize == 1) return PoisonByte; 939 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 940 if (ShadowRedzoneSize == 4) 941 return (PoisonByte << 24) + (PoisonByte << 16) + 942 (PoisonByte << 8) + (PoisonByte); 943 llvm_unreachable("ShadowRedzoneSize is either 1, 2 or 4"); 944} 945 946static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 947 size_t Size, 948 size_t RZSize, 949 size_t ShadowGranularity, 950 uint8_t Magic) { 951 for (size_t i = 0; i < RZSize; 952 i+= ShadowGranularity, Shadow++) { 953 if (i + ShadowGranularity <= Size) { 954 *Shadow = 0; // fully addressable 955 } else if (i >= Size) { 956 *Shadow = Magic; // unaddressable 957 } else { 958 *Shadow = Size - i; // first Size-i bytes are addressable 959 } 960 } 961} 962 963void AddressSanitizer::PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, 964 IRBuilder<> IRB, 965 Value *ShadowBase, bool DoPoison) { 966 size_t ShadowRZSize = RedzoneSize() >> MappingScale(); 967 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 968 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 969 Type *RZPtrTy = PointerType::get(RZTy, 0); 970 971 Value *PoisonLeft = ConstantInt::get(RZTy, 972 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 973 Value *PoisonMid = ConstantInt::get(RZTy, 974 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 975 Value *PoisonRight = ConstantInt::get(RZTy, 976 ValueForPoison(DoPoison ? kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 977 978 // poison the first red zone. 979 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 980 981 // poison all other red zones. 982 uint64_t Pos = RedzoneSize(); 983 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 984 AllocaInst *AI = AllocaVec[i]; 985 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 986 uint64_t AlignedSize = getAlignedAllocaSize(AI); 987 assert(AlignedSize - SizeInBytes < RedzoneSize()); 988 Value *Ptr = NULL; 989 990 Pos += AlignedSize; 991 992 assert(ShadowBase->getType() == IntptrTy); 993 if (SizeInBytes < AlignedSize) { 994 // Poison the partial redzone at right 995 Ptr = IRB.CreateAdd( 996 ShadowBase, ConstantInt::get(IntptrTy, 997 (Pos >> MappingScale()) - ShadowRZSize)); 998 size_t AddressableBytes = RedzoneSize() - (AlignedSize - SizeInBytes); 999 uint32_t Poison = 0; 1000 if (DoPoison) { 1001 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 1002 RedzoneSize(), 1003 1ULL << MappingScale(), 1004 kAsanStackPartialRedzoneMagic); 1005 } 1006 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 1007 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1008 } 1009 1010 // Poison the full redzone at right. 1011 Ptr = IRB.CreateAdd(ShadowBase, 1012 ConstantInt::get(IntptrTy, Pos >> MappingScale())); 1013 Value *Poison = i == AllocaVec.size() - 1 ? PoisonRight : PoisonMid; 1014 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1015 1016 Pos += RedzoneSize(); 1017 } 1018} 1019 1020// Workaround for bug 11395: we don't want to instrument stack in functions 1021// with large assembly blobs (32-bit only), otherwise reg alloc may crash. 1022// FIXME: remove once the bug 11395 is fixed. 1023bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 1024 if (LongSize != 32) return false; 1025 CallInst *CI = dyn_cast<CallInst>(I); 1026 if (!CI || !CI->isInlineAsm()) return false; 1027 if (CI->getNumArgOperands() <= 5) return false; 1028 // We have inline assembly with quite a few arguments. 1029 return true; 1030} 1031 1032// Find all static Alloca instructions and put 1033// poisoned red zones around all of them. 1034// Then unpoison everything back before the function returns. 1035// 1036// Stack poisoning does not play well with exception handling. 1037// When an exception is thrown, we essentially bypass the code 1038// that unpoisones the stack. This is why the run-time library has 1039// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 1040// stack in the interceptor. This however does not work inside the 1041// actual function which catches the exception. Most likely because the 1042// compiler hoists the load of the shadow value somewhere too high. 1043// This causes asan to report a non-existing bug on 453.povray. 1044// It sounds like an LLVM bug. 1045bool AddressSanitizer::poisonStackInFunction(Function &F) { 1046 if (!ClStack) return false; 1047 SmallVector<AllocaInst*, 16> AllocaVec; 1048 SmallVector<Instruction*, 8> RetVec; 1049 uint64_t TotalSize = 0; 1050 1051 // Filter out Alloca instructions we want (and can) handle. 1052 // Collect Ret instructions. 1053 for (Function::iterator FI = F.begin(), FE = F.end(); 1054 FI != FE; ++FI) { 1055 BasicBlock &BB = *FI; 1056 for (BasicBlock::iterator BI = BB.begin(), BE = BB.end(); 1057 BI != BE; ++BI) { 1058 if (isa<ReturnInst>(BI)) { 1059 RetVec.push_back(BI); 1060 continue; 1061 } 1062 1063 AllocaInst *AI = dyn_cast<AllocaInst>(BI); 1064 if (!AI) continue; 1065 if (AI->isArrayAllocation()) continue; 1066 if (!AI->isStaticAlloca()) continue; 1067 if (!AI->getAllocatedType()->isSized()) continue; 1068 if (AI->getAlignment() > RedzoneSize()) continue; 1069 AllocaVec.push_back(AI); 1070 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1071 TotalSize += AlignedSize; 1072 } 1073 } 1074 1075 if (AllocaVec.empty()) return false; 1076 1077 uint64_t LocalStackSize = TotalSize + (AllocaVec.size() + 1) * RedzoneSize(); 1078 1079 bool DoStackMalloc = ClUseAfterReturn 1080 && LocalStackSize <= kMaxStackMallocSize; 1081 1082 Instruction *InsBefore = AllocaVec[0]; 1083 IRBuilder<> IRB(InsBefore); 1084 1085 1086 Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); 1087 AllocaInst *MyAlloca = 1088 new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore); 1089 MyAlloca->setAlignment(RedzoneSize()); 1090 assert(MyAlloca->isStaticAlloca()); 1091 Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy); 1092 Value *LocalStackBase = OrigStackBase; 1093 1094 if (DoStackMalloc) { 1095 LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc, 1096 ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); 1097 } 1098 1099 // This string will be parsed by the run-time (DescribeStackAddress). 1100 SmallString<2048> StackDescriptionStorage; 1101 raw_svector_ostream StackDescription(StackDescriptionStorage); 1102 StackDescription << F.getName() << " " << AllocaVec.size() << " "; 1103 1104 uint64_t Pos = RedzoneSize(); 1105 // Replace Alloca instructions with base+offset. 1106 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 1107 AllocaInst *AI = AllocaVec[i]; 1108 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 1109 StringRef Name = AI->getName(); 1110 StackDescription << Pos << " " << SizeInBytes << " " 1111 << Name.size() << " " << Name << " "; 1112 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1113 assert((AlignedSize % RedzoneSize()) == 0); 1114 AI->replaceAllUsesWith( 1115 IRB.CreateIntToPtr( 1116 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)), 1117 AI->getType())); 1118 Pos += AlignedSize + RedzoneSize(); 1119 } 1120 assert(Pos == LocalStackSize); 1121 1122 // Write the Magic value and the frame description constant to the redzone. 1123 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 1124 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 1125 BasePlus0); 1126 Value *BasePlus1 = IRB.CreateAdd(LocalStackBase, 1127 ConstantInt::get(IntptrTy, LongSize/8)); 1128 BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy); 1129 GlobalVariable *StackDescriptionGlobal = 1130 createPrivateGlobalForString(*F.getParent(), StackDescription.str()); 1131 Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, IntptrTy); 1132 IRB.CreateStore(Description, BasePlus1); 1133 1134 // Poison the stack redzones at the entry. 1135 Value *ShadowBase = memToShadow(LocalStackBase, IRB); 1136 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRB, ShadowBase, true); 1137 1138 // Unpoison the stack before all ret instructions. 1139 for (size_t i = 0, n = RetVec.size(); i < n; i++) { 1140 Instruction *Ret = RetVec[i]; 1141 IRBuilder<> IRBRet(Ret); 1142 1143 // Mark the current frame as retired. 1144 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 1145 BasePlus0); 1146 // Unpoison the stack. 1147 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRBRet, ShadowBase, false); 1148 1149 if (DoStackMalloc) { 1150 IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase, 1151 ConstantInt::get(IntptrTy, LocalStackSize), 1152 OrigStackBase); 1153 } 1154 } 1155 1156 // We are done. Remove the old unused alloca instructions. 1157 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) 1158 AllocaVec[i]->eraseFromParent(); 1159 1160 if (ClDebugStack) { 1161 DEBUG(dbgs() << F); 1162 } 1163 1164 return true; 1165} 1166