AddressSanitizer.cpp revision 56139bc493790612ee6281630678e293be6b2eb2
1//===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// Details of the algorithm: 12// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13// 14//===----------------------------------------------------------------------===// 15 16#define DEBUG_TYPE "asan" 17 18#include "FunctionBlackList.h" 19#include "llvm/Function.h" 20#include "llvm/IRBuilder.h" 21#include "llvm/IntrinsicInst.h" 22#include "llvm/LLVMContext.h" 23#include "llvm/Module.h" 24#include "llvm/Type.h" 25#include "llvm/ADT/ArrayRef.h" 26#include "llvm/ADT/OwningPtr.h" 27#include "llvm/ADT/SmallSet.h" 28#include "llvm/ADT/SmallString.h" 29#include "llvm/ADT/SmallVector.h" 30#include "llvm/ADT/StringExtras.h" 31#include "llvm/ADT/Triple.h" 32#include "llvm/Support/CommandLine.h" 33#include "llvm/Support/DataTypes.h" 34#include "llvm/Support/Debug.h" 35#include "llvm/Support/raw_ostream.h" 36#include "llvm/Support/system_error.h" 37#include "llvm/Target/TargetData.h" 38#include "llvm/Target/TargetMachine.h" 39#include "llvm/Transforms/Instrumentation.h" 40#include "llvm/Transforms/Utils/BasicBlockUtils.h" 41#include "llvm/Transforms/Utils/ModuleUtils.h" 42 43#include <string> 44#include <algorithm> 45 46using namespace llvm; 47 48static const uint64_t kDefaultShadowScale = 3; 49static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 50static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 51static const uint64_t kDefaultShadowOffsetAndroid = 0; 52 53static const size_t kMaxStackMallocSize = 1 << 16; // 64K 54static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 55static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 56 57static const char *kAsanModuleCtorName = "asan.module_ctor"; 58static const char *kAsanModuleDtorName = "asan.module_dtor"; 59static const int kAsanCtorAndCtorPriority = 1; 60static const char *kAsanReportErrorTemplate = "__asan_report_"; 61static const char *kAsanRegisterGlobalsName = "__asan_register_globals"; 62static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals"; 63static const char *kAsanInitName = "__asan_init"; 64static const char *kAsanHandleNoReturnName = "__asan_handle_no_return"; 65static const char *kAsanMappingOffsetName = "__asan_mapping_offset"; 66static const char *kAsanMappingScaleName = "__asan_mapping_scale"; 67static const char *kAsanStackMallocName = "__asan_stack_malloc"; 68static const char *kAsanStackFreeName = "__asan_stack_free"; 69 70static const int kAsanStackLeftRedzoneMagic = 0xf1; 71static const int kAsanStackMidRedzoneMagic = 0xf2; 72static const int kAsanStackRightRedzoneMagic = 0xf3; 73static const int kAsanStackPartialRedzoneMagic = 0xf4; 74 75// Command-line flags. 76 77// This flag may need to be replaced with -f[no-]asan-reads. 78static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 79 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 80static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 81 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 82static cl::opt<bool> ClInstrumentAtomics("asan-instrument-atomics", 83 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), 84 cl::Hidden, cl::init(true)); 85// This flags limits the number of instructions to be instrumented 86// in any given BB. Normally, this should be set to unlimited (INT_MAX), 87// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary 88// set it to 10000. 89static cl::opt<int> ClMaxInsnsToInstrumentPerBB("asan-max-ins-per-bb", 90 cl::init(10000), 91 cl::desc("maximal number of instructions to instrument in any given BB"), 92 cl::Hidden); 93// This flag may need to be replaced with -f[no]asan-stack. 94static cl::opt<bool> ClStack("asan-stack", 95 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 96// This flag may need to be replaced with -f[no]asan-use-after-return. 97static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 98 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 99// This flag may need to be replaced with -f[no]asan-globals. 100static cl::opt<bool> ClGlobals("asan-globals", 101 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 102static cl::opt<bool> ClMemIntrin("asan-memintrin", 103 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 104// This flag may need to be replaced with -fasan-blacklist. 105static cl::opt<std::string> ClBlackListFile("asan-blacklist", 106 cl::desc("File containing the list of functions to ignore " 107 "during instrumentation"), cl::Hidden); 108 109// These flags allow to change the shadow mapping. 110// The shadow mapping looks like 111// Shadow = (Mem >> scale) + (1 << offset_log) 112static cl::opt<int> ClMappingScale("asan-mapping-scale", 113 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 114static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 115 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 116 117// Optimization flags. Not user visible, used mostly for testing 118// and benchmarking the tool. 119static cl::opt<bool> ClOpt("asan-opt", 120 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 121static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 122 cl::desc("Instrument the same temp just once"), cl::Hidden, 123 cl::init(true)); 124static cl::opt<bool> ClOptGlobals("asan-opt-globals", 125 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 126 127// Debug flags. 128static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 129 cl::init(0)); 130static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 131 cl::Hidden, cl::init(0)); 132static cl::opt<std::string> ClDebugFunc("asan-debug-func", 133 cl::Hidden, cl::desc("Debug func")); 134static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 135 cl::Hidden, cl::init(-1)); 136static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 137 cl::Hidden, cl::init(-1)); 138 139namespace { 140 141/// AddressSanitizer: instrument the code in module to find memory bugs. 142struct AddressSanitizer : public ModulePass { 143 AddressSanitizer(); 144 virtual const char *getPassName() const; 145 void instrumentMop(Instruction *I); 146 void instrumentAddress(Instruction *OrigIns, IRBuilder<> &IRB, 147 Value *Addr, uint32_t TypeSize, bool IsWrite); 148 Instruction *generateCrashCode(IRBuilder<> &IRB, Value *Addr, 149 bool IsWrite, uint32_t TypeSize); 150 bool instrumentMemIntrinsic(MemIntrinsic *MI); 151 void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr, 152 Value *Size, 153 Instruction *InsertBefore, bool IsWrite); 154 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 155 bool handleFunction(Module &M, Function &F); 156 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 157 bool poisonStackInFunction(Module &M, Function &F); 158 virtual bool runOnModule(Module &M); 159 bool insertGlobalRedzones(Module &M); 160 static char ID; // Pass identification, replacement for typeid 161 162 private: 163 164 uint64_t getAllocaSizeInBytes(AllocaInst *AI) { 165 Type *Ty = AI->getAllocatedType(); 166 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 167 return SizeInBytes; 168 } 169 uint64_t getAlignedSize(uint64_t SizeInBytes) { 170 return ((SizeInBytes + RedzoneSize - 1) 171 / RedzoneSize) * RedzoneSize; 172 } 173 uint64_t getAlignedAllocaSize(AllocaInst *AI) { 174 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 175 return getAlignedSize(SizeInBytes); 176 } 177 178 Function *checkInterfaceFunction(Constant *FuncOrBitcast); 179 void PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, 180 Value *ShadowBase, bool DoPoison); 181 bool LooksLikeCodeInBug11395(Instruction *I); 182 183 Module *CurrentModule; 184 LLVMContext *C; 185 TargetData *TD; 186 uint64_t MappingOffset; 187 int MappingScale; 188 size_t RedzoneSize; 189 int LongSize; 190 Type *IntptrTy; 191 Type *IntptrPtrTy; 192 Function *AsanCtorFunction; 193 Function *AsanInitFunction; 194 Instruction *CtorInsertBefore; 195 OwningPtr<FunctionBlackList> BL; 196}; 197} // namespace 198 199char AddressSanitizer::ID = 0; 200INITIALIZE_PASS(AddressSanitizer, "asan", 201 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", 202 false, false) 203AddressSanitizer::AddressSanitizer() : ModulePass(ID) { } 204ModulePass *llvm::createAddressSanitizerPass() { 205 return new AddressSanitizer(); 206} 207 208const char *AddressSanitizer::getPassName() const { 209 return "AddressSanitizer"; 210} 211 212// Create a constant for Str so that we can pass it to the run-time lib. 213static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 214 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 215 return new GlobalVariable(M, StrConst->getType(), true, 216 GlobalValue::PrivateLinkage, StrConst, ""); 217} 218 219// Split the basic block and insert an if-then code. 220// Before: 221// Head 222// Cmp 223// Tail 224// After: 225// Head 226// if (Cmp) 227// ThenBlock 228// Tail 229// 230// Returns the ThenBlock's terminator. 231static BranchInst *splitBlockAndInsertIfThen(Value *Cmp) { 232 Instruction *SplitBefore = cast<Instruction>(Cmp)->getNextNode(); 233 BasicBlock *Head = SplitBefore->getParent(); 234 BasicBlock *Tail = Head->splitBasicBlock(SplitBefore); 235 TerminatorInst *HeadOldTerm = Head->getTerminator(); 236 LLVMContext &C = Head->getParent()->getParent()->getContext(); 237 BasicBlock *ThenBlock = BasicBlock::Create(C, "", Head->getParent()); 238 BranchInst *HeadNewTerm = 239 BranchInst::Create(/*ifTrue*/ThenBlock, /*ifFalse*/Tail, Cmp); 240 ReplaceInstWithInst(HeadOldTerm, HeadNewTerm); 241 242 BranchInst *CheckTerm = BranchInst::Create(Tail, ThenBlock); 243 return CheckTerm; 244} 245 246Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 247 // Shadow >> scale 248 Shadow = IRB.CreateLShr(Shadow, MappingScale); 249 if (MappingOffset == 0) 250 return Shadow; 251 // (Shadow >> scale) | offset 252 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, 253 MappingOffset)); 254} 255 256void AddressSanitizer::instrumentMemIntrinsicParam(Instruction *OrigIns, 257 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 258 // Check the first byte. 259 { 260 IRBuilder<> IRB(InsertBefore); 261 instrumentAddress(OrigIns, IRB, Addr, 8, IsWrite); 262 } 263 // Check the last byte. 264 { 265 IRBuilder<> IRB(InsertBefore); 266 Value *SizeMinusOne = IRB.CreateSub( 267 Size, ConstantInt::get(Size->getType(), 1)); 268 SizeMinusOne = IRB.CreateIntCast(SizeMinusOne, IntptrTy, false); 269 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 270 Value *AddrPlusSizeMinisOne = IRB.CreateAdd(AddrLong, SizeMinusOne); 271 instrumentAddress(OrigIns, IRB, AddrPlusSizeMinisOne, 8, IsWrite); 272 } 273} 274 275// Instrument memset/memmove/memcpy 276bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 277 Value *Dst = MI->getDest(); 278 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 279 Value *Src = MemTran ? MemTran->getSource() : NULL; 280 Value *Length = MI->getLength(); 281 282 Constant *ConstLength = dyn_cast<Constant>(Length); 283 Instruction *InsertBefore = MI; 284 if (ConstLength) { 285 if (ConstLength->isNullValue()) return false; 286 } else { 287 // The size is not a constant so it could be zero -- check at run-time. 288 IRBuilder<> IRB(InsertBefore); 289 290 Value *Cmp = IRB.CreateICmpNE(Length, 291 Constant::getNullValue(Length->getType())); 292 InsertBefore = splitBlockAndInsertIfThen(Cmp); 293 } 294 295 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 296 if (Src) 297 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 298 return true; 299} 300 301// If I is an interesting memory access, return the PointerOperand 302// and set IsWrite. Otherwise return NULL. 303static Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite) { 304 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 305 if (!ClInstrumentReads) return NULL; 306 *IsWrite = false; 307 return LI->getPointerOperand(); 308 } 309 if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 310 if (!ClInstrumentWrites) return NULL; 311 *IsWrite = true; 312 return SI->getPointerOperand(); 313 } 314 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 315 if (!ClInstrumentAtomics) return NULL; 316 *IsWrite = true; 317 return RMW->getPointerOperand(); 318 } 319 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 320 if (!ClInstrumentAtomics) return NULL; 321 *IsWrite = true; 322 return XCHG->getPointerOperand(); 323 } 324 return NULL; 325} 326 327void AddressSanitizer::instrumentMop(Instruction *I) { 328 bool IsWrite; 329 Value *Addr = isInterestingMemoryAccess(I, &IsWrite); 330 assert(Addr); 331 if (ClOpt && ClOptGlobals && isa<GlobalVariable>(Addr)) { 332 // We are accessing a global scalar variable. Nothing to catch here. 333 return; 334 } 335 Type *OrigPtrTy = Addr->getType(); 336 Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType(); 337 338 assert(OrigTy->isSized()); 339 uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy); 340 341 if (TypeSize != 8 && TypeSize != 16 && 342 TypeSize != 32 && TypeSize != 64 && TypeSize != 128) { 343 // Ignore all unusual sizes. 344 return; 345 } 346 347 IRBuilder<> IRB(I); 348 instrumentAddress(I, IRB, Addr, TypeSize, IsWrite); 349} 350 351// Validate the result of Module::getOrInsertFunction called for an interface 352// function of AddressSanitizer. If the instrumented module defines a function 353// with the same name, their prototypes must match, otherwise 354// getOrInsertFunction returns a bitcast. 355Function *AddressSanitizer::checkInterfaceFunction(Constant *FuncOrBitcast) { 356 if (isa<Function>(FuncOrBitcast)) return cast<Function>(FuncOrBitcast); 357 FuncOrBitcast->dump(); 358 report_fatal_error("trying to redefine an AddressSanitizer " 359 "interface function"); 360} 361 362Instruction *AddressSanitizer::generateCrashCode( 363 IRBuilder<> &IRB, Value *Addr, bool IsWrite, uint32_t TypeSize) { 364 // IsWrite and TypeSize are encoded in the function name. 365 std::string FunctionName = std::string(kAsanReportErrorTemplate) + 366 (IsWrite ? "store" : "load") + itostr(TypeSize / 8); 367 Value *ReportWarningFunc = CurrentModule->getOrInsertFunction( 368 FunctionName, IRB.getVoidTy(), IntptrTy, NULL); 369 CallInst *Call = IRB.CreateCall(ReportWarningFunc, Addr); 370 Call->setDoesNotReturn(); 371 return Call; 372} 373 374void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 375 IRBuilder<> &IRB, Value *Addr, 376 uint32_t TypeSize, bool IsWrite) { 377 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 378 379 Type *ShadowTy = IntegerType::get( 380 *C, std::max(8U, TypeSize >> MappingScale)); 381 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 382 Value *ShadowPtr = memToShadow(AddrLong, IRB); 383 Value *CmpVal = Constant::getNullValue(ShadowTy); 384 Value *ShadowValue = IRB.CreateLoad( 385 IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 386 387 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 388 389 Instruction *CheckTerm = splitBlockAndInsertIfThen(Cmp); 390 IRBuilder<> IRB2(CheckTerm); 391 392 size_t Granularity = 1 << MappingScale; 393 if (TypeSize < 8 * Granularity) { 394 // Addr & (Granularity - 1) 395 Value *LastAccessedByte = IRB2.CreateAnd( 396 AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 397 // (Addr & (Granularity - 1)) + size - 1 398 if (TypeSize / 8 > 1) 399 LastAccessedByte = IRB2.CreateAdd( 400 LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 401 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 402 LastAccessedByte = IRB2.CreateIntCast( 403 LastAccessedByte, IRB.getInt8Ty(), false); 404 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 405 Value *Cmp2 = IRB2.CreateICmpSGE(LastAccessedByte, ShadowValue); 406 407 CheckTerm = splitBlockAndInsertIfThen(Cmp2); 408 } 409 410 IRBuilder<> IRB1(CheckTerm); 411 Instruction *Crash = generateCrashCode(IRB1, AddrLong, IsWrite, TypeSize); 412 Crash->setDebugLoc(OrigIns->getDebugLoc()); 413 ReplaceInstWithInst(CheckTerm, new UnreachableInst(*C)); 414} 415 416// This function replaces all global variables with new variables that have 417// trailing redzones. It also creates a function that poisons 418// redzones and inserts this function into llvm.global_ctors. 419bool AddressSanitizer::insertGlobalRedzones(Module &M) { 420 SmallVector<GlobalVariable *, 16> GlobalsToChange; 421 422 for (Module::GlobalListType::iterator G = M.getGlobalList().begin(), 423 E = M.getGlobalList().end(); G != E; ++G) { 424 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 425 DEBUG(dbgs() << "GLOBAL: " << *G); 426 427 if (!Ty->isSized()) continue; 428 if (!G->hasInitializer()) continue; 429 // Touch only those globals that will not be defined in other modules. 430 // Don't handle ODR type linkages since other modules may be built w/o asan. 431 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 432 G->getLinkage() != GlobalVariable::PrivateLinkage && 433 G->getLinkage() != GlobalVariable::InternalLinkage) 434 continue; 435 // Two problems with thread-locals: 436 // - The address of the main thread's copy can't be computed at link-time. 437 // - Need to poison all copies, not just the main thread's one. 438 if (G->isThreadLocal()) 439 continue; 440 // For now, just ignore this Alloca if the alignment is large. 441 if (G->getAlignment() > RedzoneSize) continue; 442 443 // Ignore all the globals with the names starting with "\01L_OBJC_". 444 // Many of those are put into the .cstring section. The linker compresses 445 // that section by removing the spare \0s after the string terminator, so 446 // our redzones get broken. 447 if ((G->getName().find("\01L_OBJC_") == 0) || 448 (G->getName().find("\01l_OBJC_") == 0)) { 449 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 450 continue; 451 } 452 453 if (G->hasSection()) { 454 StringRef Section(G->getSection()); 455 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 456 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 457 // them. 458 if ((Section.find("__OBJC,") == 0) || 459 (Section.find("__DATA, __objc_") == 0)) { 460 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 461 continue; 462 } 463 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 464 // Constant CFString instances are compiled in the following way: 465 // -- the string buffer is emitted into 466 // __TEXT,__cstring,cstring_literals 467 // -- the constant NSConstantString structure referencing that buffer 468 // is placed into __DATA,__cfstring 469 // Therefore there's no point in placing redzones into __DATA,__cfstring. 470 // Moreover, it causes the linker to crash on OS X 10.7 471 if (Section.find("__DATA,__cfstring") == 0) { 472 DEBUG(dbgs() << "Ignoring CFString: " << *G); 473 continue; 474 } 475 } 476 477 GlobalsToChange.push_back(G); 478 } 479 480 size_t n = GlobalsToChange.size(); 481 if (n == 0) return false; 482 483 // A global is described by a structure 484 // size_t beg; 485 // size_t size; 486 // size_t size_with_redzone; 487 // const char *name; 488 // We initialize an array of such structures and pass it to a run-time call. 489 StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy, 490 IntptrTy, IntptrTy, NULL); 491 SmallVector<Constant *, 16> Initializers(n); 492 493 IRBuilder<> IRB(CtorInsertBefore); 494 495 for (size_t i = 0; i < n; i++) { 496 GlobalVariable *G = GlobalsToChange[i]; 497 PointerType *PtrTy = cast<PointerType>(G->getType()); 498 Type *Ty = PtrTy->getElementType(); 499 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 500 uint64_t RightRedzoneSize = RedzoneSize + 501 (RedzoneSize - (SizeInBytes % RedzoneSize)); 502 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 503 504 StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL); 505 Constant *NewInitializer = ConstantStruct::get( 506 NewTy, G->getInitializer(), 507 Constant::getNullValue(RightRedZoneTy), NULL); 508 509 SmallString<2048> DescriptionOfGlobal = G->getName(); 510 DescriptionOfGlobal += " ("; 511 DescriptionOfGlobal += M.getModuleIdentifier(); 512 DescriptionOfGlobal += ")"; 513 GlobalVariable *Name = createPrivateGlobalForString(M, DescriptionOfGlobal); 514 515 // Create a new global variable with enough space for a redzone. 516 GlobalVariable *NewGlobal = new GlobalVariable( 517 M, NewTy, G->isConstant(), G->getLinkage(), 518 NewInitializer, "", G, G->getThreadLocalMode()); 519 NewGlobal->copyAttributesFrom(G); 520 NewGlobal->setAlignment(RedzoneSize); 521 522 Value *Indices2[2]; 523 Indices2[0] = IRB.getInt32(0); 524 Indices2[1] = IRB.getInt32(0); 525 526 G->replaceAllUsesWith( 527 ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true)); 528 NewGlobal->takeName(G); 529 G->eraseFromParent(); 530 531 Initializers[i] = ConstantStruct::get( 532 GlobalStructTy, 533 ConstantExpr::getPointerCast(NewGlobal, IntptrTy), 534 ConstantInt::get(IntptrTy, SizeInBytes), 535 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 536 ConstantExpr::getPointerCast(Name, IntptrTy), 537 NULL); 538 DEBUG(dbgs() << "NEW GLOBAL:\n" << *NewGlobal); 539 } 540 541 ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); 542 GlobalVariable *AllGlobals = new GlobalVariable( 543 M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage, 544 ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); 545 546 Function *AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( 547 kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 548 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 549 550 IRB.CreateCall2(AsanRegisterGlobals, 551 IRB.CreatePointerCast(AllGlobals, IntptrTy), 552 ConstantInt::get(IntptrTy, n)); 553 554 // We also need to unregister globals at the end, e.g. when a shared library 555 // gets closed. 556 Function *AsanDtorFunction = Function::Create( 557 FunctionType::get(Type::getVoidTy(*C), false), 558 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 559 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 560 IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); 561 Function *AsanUnregisterGlobals = 562 checkInterfaceFunction(M.getOrInsertFunction( 563 kAsanUnregisterGlobalsName, 564 IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 565 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 566 567 IRB_Dtor.CreateCall2(AsanUnregisterGlobals, 568 IRB.CreatePointerCast(AllGlobals, IntptrTy), 569 ConstantInt::get(IntptrTy, n)); 570 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority); 571 572 DEBUG(dbgs() << M); 573 return true; 574} 575 576// virtual 577bool AddressSanitizer::runOnModule(Module &M) { 578 // Initialize the private fields. No one has accessed them before. 579 TD = getAnalysisIfAvailable<TargetData>(); 580 if (!TD) 581 return false; 582 BL.reset(new FunctionBlackList(ClBlackListFile)); 583 584 CurrentModule = &M; 585 C = &(M.getContext()); 586 LongSize = TD->getPointerSizeInBits(); 587 IntptrTy = Type::getIntNTy(*C, LongSize); 588 IntptrPtrTy = PointerType::get(IntptrTy, 0); 589 590 AsanCtorFunction = Function::Create( 591 FunctionType::get(Type::getVoidTy(*C), false), 592 GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); 593 BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); 594 CtorInsertBefore = ReturnInst::Create(*C, AsanCtorBB); 595 596 // call __asan_init in the module ctor. 597 IRBuilder<> IRB(CtorInsertBefore); 598 AsanInitFunction = checkInterfaceFunction( 599 M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL)); 600 AsanInitFunction->setLinkage(Function::ExternalLinkage); 601 IRB.CreateCall(AsanInitFunction); 602 603 llvm::Triple targetTriple(M.getTargetTriple()); 604 bool isAndroid = targetTriple.getEnvironment() == llvm::Triple::ANDROIDEABI; 605 606 MappingOffset = isAndroid ? kDefaultShadowOffsetAndroid : 607 (LongSize == 32 ? kDefaultShadowOffset32 : kDefaultShadowOffset64); 608 if (ClMappingOffsetLog >= 0) { 609 if (ClMappingOffsetLog == 0) { 610 // special case 611 MappingOffset = 0; 612 } else { 613 MappingOffset = 1ULL << ClMappingOffsetLog; 614 } 615 } 616 MappingScale = kDefaultShadowScale; 617 if (ClMappingScale) { 618 MappingScale = ClMappingScale; 619 } 620 // Redzone used for stack and globals is at least 32 bytes. 621 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 622 RedzoneSize = std::max(32, (int)(1 << MappingScale)); 623 624 bool Res = false; 625 626 if (ClGlobals) 627 Res |= insertGlobalRedzones(M); 628 629 if (ClMappingOffsetLog >= 0) { 630 // Tell the run-time the current values of mapping offset and scale. 631 GlobalValue *asan_mapping_offset = 632 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 633 ConstantInt::get(IntptrTy, MappingOffset), 634 kAsanMappingOffsetName); 635 // Read the global, otherwise it may be optimized away. 636 IRB.CreateLoad(asan_mapping_offset, true); 637 } 638 if (ClMappingScale) { 639 GlobalValue *asan_mapping_scale = 640 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 641 ConstantInt::get(IntptrTy, MappingScale), 642 kAsanMappingScaleName); 643 // Read the global, otherwise it may be optimized away. 644 IRB.CreateLoad(asan_mapping_scale, true); 645 } 646 647 648 for (Module::iterator F = M.begin(), E = M.end(); F != E; ++F) { 649 if (F->isDeclaration()) continue; 650 Res |= handleFunction(M, *F); 651 } 652 653 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority); 654 655 return Res; 656} 657 658bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 659 // For each NSObject descendant having a +load method, this method is invoked 660 // by the ObjC runtime before any of the static constructors is called. 661 // Therefore we need to instrument such methods with a call to __asan_init 662 // at the beginning in order to initialize our runtime before any access to 663 // the shadow memory. 664 // We cannot just ignore these methods, because they may call other 665 // instrumented functions. 666 if (F.getName().find(" load]") != std::string::npos) { 667 IRBuilder<> IRB(F.begin()->begin()); 668 IRB.CreateCall(AsanInitFunction); 669 return true; 670 } 671 return false; 672} 673 674bool AddressSanitizer::handleFunction(Module &M, Function &F) { 675 if (BL->isIn(F)) return false; 676 if (&F == AsanCtorFunction) return false; 677 678 // If needed, insert __asan_init before checking for AddressSafety attr. 679 maybeInsertAsanInitAtFunctionEntry(F); 680 681 if (!F.hasFnAttr(Attribute::AddressSafety)) return false; 682 683 if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) 684 return false; 685 // We want to instrument every address only once per basic block 686 // (unless there are calls between uses). 687 SmallSet<Value*, 16> TempsToInstrument; 688 SmallVector<Instruction*, 16> ToInstrument; 689 SmallVector<Instruction*, 8> NoReturnCalls; 690 bool IsWrite; 691 692 // Fill the set of memory operations to instrument. 693 for (Function::iterator FI = F.begin(), FE = F.end(); 694 FI != FE; ++FI) { 695 TempsToInstrument.clear(); 696 int NumInsnsPerBB = 0; 697 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 698 BI != BE; ++BI) { 699 if (LooksLikeCodeInBug11395(BI)) return false; 700 if (Value *Addr = isInterestingMemoryAccess(BI, &IsWrite)) { 701 if (ClOpt && ClOptSameTemp) { 702 if (!TempsToInstrument.insert(Addr)) 703 continue; // We've seen this temp in the current BB. 704 } 705 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 706 // ok, take it. 707 } else { 708 if (CallInst *CI = dyn_cast<CallInst>(BI)) { 709 // A call inside BB. 710 TempsToInstrument.clear(); 711 if (CI->doesNotReturn()) { 712 NoReturnCalls.push_back(CI); 713 } 714 } 715 continue; 716 } 717 ToInstrument.push_back(BI); 718 NumInsnsPerBB++; 719 if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) 720 break; 721 } 722 } 723 724 // Instrument. 725 int NumInstrumented = 0; 726 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 727 Instruction *Inst = ToInstrument[i]; 728 if (ClDebugMin < 0 || ClDebugMax < 0 || 729 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 730 if (isInterestingMemoryAccess(Inst, &IsWrite)) 731 instrumentMop(Inst); 732 else 733 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 734 } 735 NumInstrumented++; 736 } 737 738 DEBUG(dbgs() << F); 739 740 bool ChangedStack = poisonStackInFunction(M, F); 741 742 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 743 // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37 744 for (size_t i = 0, n = NoReturnCalls.size(); i != n; i++) { 745 Instruction *CI = NoReturnCalls[i]; 746 IRBuilder<> IRB(CI); 747 IRB.CreateCall(M.getOrInsertFunction(kAsanHandleNoReturnName, 748 IRB.getVoidTy(), NULL)); 749 } 750 751 return NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); 752} 753 754static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 755 if (ShadowRedzoneSize == 1) return PoisonByte; 756 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 757 if (ShadowRedzoneSize == 4) 758 return (PoisonByte << 24) + (PoisonByte << 16) + 759 (PoisonByte << 8) + (PoisonByte); 760 llvm_unreachable("ShadowRedzoneSize is either 1, 2 or 4"); 761} 762 763static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 764 size_t Size, 765 size_t RedzoneSize, 766 size_t ShadowGranularity, 767 uint8_t Magic) { 768 for (size_t i = 0; i < RedzoneSize; 769 i+= ShadowGranularity, Shadow++) { 770 if (i + ShadowGranularity <= Size) { 771 *Shadow = 0; // fully addressable 772 } else if (i >= Size) { 773 *Shadow = Magic; // unaddressable 774 } else { 775 *Shadow = Size - i; // first Size-i bytes are addressable 776 } 777 } 778} 779 780void AddressSanitizer::PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, 781 IRBuilder<> IRB, 782 Value *ShadowBase, bool DoPoison) { 783 size_t ShadowRZSize = RedzoneSize >> MappingScale; 784 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 785 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 786 Type *RZPtrTy = PointerType::get(RZTy, 0); 787 788 Value *PoisonLeft = ConstantInt::get(RZTy, 789 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 790 Value *PoisonMid = ConstantInt::get(RZTy, 791 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 792 Value *PoisonRight = ConstantInt::get(RZTy, 793 ValueForPoison(DoPoison ? kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 794 795 // poison the first red zone. 796 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 797 798 // poison all other red zones. 799 uint64_t Pos = RedzoneSize; 800 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 801 AllocaInst *AI = AllocaVec[i]; 802 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 803 uint64_t AlignedSize = getAlignedAllocaSize(AI); 804 assert(AlignedSize - SizeInBytes < RedzoneSize); 805 Value *Ptr = NULL; 806 807 Pos += AlignedSize; 808 809 assert(ShadowBase->getType() == IntptrTy); 810 if (SizeInBytes < AlignedSize) { 811 // Poison the partial redzone at right 812 Ptr = IRB.CreateAdd( 813 ShadowBase, ConstantInt::get(IntptrTy, 814 (Pos >> MappingScale) - ShadowRZSize)); 815 size_t AddressableBytes = RedzoneSize - (AlignedSize - SizeInBytes); 816 uint32_t Poison = 0; 817 if (DoPoison) { 818 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 819 RedzoneSize, 820 1ULL << MappingScale, 821 kAsanStackPartialRedzoneMagic); 822 } 823 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 824 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 825 } 826 827 // Poison the full redzone at right. 828 Ptr = IRB.CreateAdd(ShadowBase, 829 ConstantInt::get(IntptrTy, Pos >> MappingScale)); 830 Value *Poison = i == AllocaVec.size() - 1 ? PoisonRight : PoisonMid; 831 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 832 833 Pos += RedzoneSize; 834 } 835} 836 837// Workaround for bug 11395: we don't want to instrument stack in functions 838// with large assembly blobs (32-bit only), otherwise reg alloc may crash. 839// FIXME: remove once the bug 11395 is fixed. 840bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 841 if (LongSize != 32) return false; 842 CallInst *CI = dyn_cast<CallInst>(I); 843 if (!CI || !CI->isInlineAsm()) return false; 844 if (CI->getNumArgOperands() <= 5) return false; 845 // We have inline assembly with quite a few arguments. 846 return true; 847} 848 849// Find all static Alloca instructions and put 850// poisoned red zones around all of them. 851// Then unpoison everything back before the function returns. 852// 853// Stack poisoning does not play well with exception handling. 854// When an exception is thrown, we essentially bypass the code 855// that unpoisones the stack. This is why the run-time library has 856// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 857// stack in the interceptor. This however does not work inside the 858// actual function which catches the exception. Most likely because the 859// compiler hoists the load of the shadow value somewhere too high. 860// This causes asan to report a non-existing bug on 453.povray. 861// It sounds like an LLVM bug. 862bool AddressSanitizer::poisonStackInFunction(Module &M, Function &F) { 863 if (!ClStack) return false; 864 SmallVector<AllocaInst*, 16> AllocaVec; 865 SmallVector<Instruction*, 8> RetVec; 866 uint64_t TotalSize = 0; 867 868 // Filter out Alloca instructions we want (and can) handle. 869 // Collect Ret instructions. 870 for (Function::iterator FI = F.begin(), FE = F.end(); 871 FI != FE; ++FI) { 872 BasicBlock &BB = *FI; 873 for (BasicBlock::iterator BI = BB.begin(), BE = BB.end(); 874 BI != BE; ++BI) { 875 if (isa<ReturnInst>(BI)) { 876 RetVec.push_back(BI); 877 continue; 878 } 879 880 AllocaInst *AI = dyn_cast<AllocaInst>(BI); 881 if (!AI) continue; 882 if (AI->isArrayAllocation()) continue; 883 if (!AI->isStaticAlloca()) continue; 884 if (!AI->getAllocatedType()->isSized()) continue; 885 if (AI->getAlignment() > RedzoneSize) continue; 886 AllocaVec.push_back(AI); 887 uint64_t AlignedSize = getAlignedAllocaSize(AI); 888 TotalSize += AlignedSize; 889 } 890 } 891 892 if (AllocaVec.empty()) return false; 893 894 uint64_t LocalStackSize = TotalSize + (AllocaVec.size() + 1) * RedzoneSize; 895 896 bool DoStackMalloc = ClUseAfterReturn 897 && LocalStackSize <= kMaxStackMallocSize; 898 899 Instruction *InsBefore = AllocaVec[0]; 900 IRBuilder<> IRB(InsBefore); 901 902 903 Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); 904 AllocaInst *MyAlloca = 905 new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore); 906 MyAlloca->setAlignment(RedzoneSize); 907 assert(MyAlloca->isStaticAlloca()); 908 Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy); 909 Value *LocalStackBase = OrigStackBase; 910 911 if (DoStackMalloc) { 912 Value *AsanStackMallocFunc = M.getOrInsertFunction( 913 kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL); 914 LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc, 915 ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); 916 } 917 918 // This string will be parsed by the run-time (DescribeStackAddress). 919 SmallString<2048> StackDescriptionStorage; 920 raw_svector_ostream StackDescription(StackDescriptionStorage); 921 StackDescription << F.getName() << " " << AllocaVec.size() << " "; 922 923 uint64_t Pos = RedzoneSize; 924 // Replace Alloca instructions with base+offset. 925 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 926 AllocaInst *AI = AllocaVec[i]; 927 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 928 StringRef Name = AI->getName(); 929 StackDescription << Pos << " " << SizeInBytes << " " 930 << Name.size() << " " << Name << " "; 931 uint64_t AlignedSize = getAlignedAllocaSize(AI); 932 assert((AlignedSize % RedzoneSize) == 0); 933 AI->replaceAllUsesWith( 934 IRB.CreateIntToPtr( 935 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)), 936 AI->getType())); 937 Pos += AlignedSize + RedzoneSize; 938 } 939 assert(Pos == LocalStackSize); 940 941 // Write the Magic value and the frame description constant to the redzone. 942 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 943 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 944 BasePlus0); 945 Value *BasePlus1 = IRB.CreateAdd(LocalStackBase, 946 ConstantInt::get(IntptrTy, LongSize/8)); 947 BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy); 948 Value *Description = IRB.CreatePointerCast( 949 createPrivateGlobalForString(M, StackDescription.str()), 950 IntptrTy); 951 IRB.CreateStore(Description, BasePlus1); 952 953 // Poison the stack redzones at the entry. 954 Value *ShadowBase = memToShadow(LocalStackBase, IRB); 955 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRB, ShadowBase, true); 956 957 Value *AsanStackFreeFunc = NULL; 958 if (DoStackMalloc) { 959 AsanStackFreeFunc = M.getOrInsertFunction( 960 kAsanStackFreeName, IRB.getVoidTy(), 961 IntptrTy, IntptrTy, IntptrTy, NULL); 962 } 963 964 // Unpoison the stack before all ret instructions. 965 for (size_t i = 0, n = RetVec.size(); i < n; i++) { 966 Instruction *Ret = RetVec[i]; 967 IRBuilder<> IRBRet(Ret); 968 969 // Mark the current frame as retired. 970 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 971 BasePlus0); 972 // Unpoison the stack. 973 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRBRet, ShadowBase, false); 974 975 if (DoStackMalloc) { 976 IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase, 977 ConstantInt::get(IntptrTy, LocalStackSize), 978 OrigStackBase); 979 } 980 } 981 982 if (ClDebugStack) { 983 DEBUG(dbgs() << F); 984 } 985 986 return true; 987} 988