AddressSanitizer.cpp revision 8eec41fc778e99d42172a7f6de76faa43a6d8847
1//===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// Details of the algorithm: 12// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13// 14//===----------------------------------------------------------------------===// 15 16#define DEBUG_TYPE "asan" 17 18#include "llvm/Transforms/Instrumentation.h" 19#include "llvm/ADT/ArrayRef.h" 20#include "llvm/ADT/DenseMap.h" 21#include "llvm/ADT/DepthFirstIterator.h" 22#include "llvm/ADT/OwningPtr.h" 23#include "llvm/ADT/SmallSet.h" 24#include "llvm/ADT/SmallString.h" 25#include "llvm/ADT/SmallVector.h" 26#include "llvm/ADT/StringExtras.h" 27#include "llvm/ADT/Triple.h" 28#include "llvm/DIBuilder.h" 29#include "llvm/IR/DataLayout.h" 30#include "llvm/IR/Function.h" 31#include "llvm/IR/IRBuilder.h" 32#include "llvm/IR/InlineAsm.h" 33#include "llvm/IR/IntrinsicInst.h" 34#include "llvm/IR/LLVMContext.h" 35#include "llvm/IR/Module.h" 36#include "llvm/IR/Type.h" 37#include "llvm/InstVisitor.h" 38#include "llvm/Support/CallSite.h" 39#include "llvm/Support/CommandLine.h" 40#include "llvm/Support/DataTypes.h" 41#include "llvm/Support/Debug.h" 42#include "llvm/Support/raw_ostream.h" 43#include "llvm/Support/system_error.h" 44#include "llvm/Target/TargetMachine.h" 45#include "llvm/Transforms/Utils/BasicBlockUtils.h" 46#include "llvm/Transforms/Utils/BlackList.h" 47#include "llvm/Transforms/Utils/Local.h" 48#include "llvm/Transforms/Utils/ModuleUtils.h" 49#include <algorithm> 50#include <string> 51 52using namespace llvm; 53 54static const uint64_t kDefaultShadowScale = 3; 55static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 56static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 57static const uint64_t kDefaultShort64bitShadowOffset = 0x7FFF8000; // < 2G. 58static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 41; 59 60static const size_t kMaxStackMallocSize = 1 << 16; // 64K 61static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 62static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 63 64static const char *kAsanModuleCtorName = "asan.module_ctor"; 65static const char *kAsanModuleDtorName = "asan.module_dtor"; 66static const int kAsanCtorAndCtorPriority = 1; 67static const char *kAsanReportErrorTemplate = "__asan_report_"; 68static const char *kAsanReportLoadN = "__asan_report_load_n"; 69static const char *kAsanReportStoreN = "__asan_report_store_n"; 70static const char *kAsanRegisterGlobalsName = "__asan_register_globals"; 71static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals"; 72static const char *kAsanPoisonGlobalsName = "__asan_before_dynamic_init"; 73static const char *kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init"; 74static const char *kAsanInitName = "__asan_init_v1"; 75static const char *kAsanHandleNoReturnName = "__asan_handle_no_return"; 76static const char *kAsanMappingOffsetName = "__asan_mapping_offset"; 77static const char *kAsanMappingScaleName = "__asan_mapping_scale"; 78static const char *kAsanStackMallocName = "__asan_stack_malloc"; 79static const char *kAsanStackFreeName = "__asan_stack_free"; 80static const char *kAsanGenPrefix = "__asan_gen_"; 81static const char *kAsanPoisonStackMemoryName = "__asan_poison_stack_memory"; 82static const char *kAsanUnpoisonStackMemoryName = 83 "__asan_unpoison_stack_memory"; 84 85static const int kAsanStackLeftRedzoneMagic = 0xf1; 86static const int kAsanStackMidRedzoneMagic = 0xf2; 87static const int kAsanStackRightRedzoneMagic = 0xf3; 88static const int kAsanStackPartialRedzoneMagic = 0xf4; 89 90// Accesses sizes are powers of two: 1, 2, 4, 8, 16. 91static const size_t kNumberOfAccessSizes = 5; 92 93// Command-line flags. 94 95// This flag may need to be replaced with -f[no-]asan-reads. 96static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 97 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 98static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 99 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 100static cl::opt<bool> ClInstrumentAtomics("asan-instrument-atomics", 101 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), 102 cl::Hidden, cl::init(true)); 103static cl::opt<bool> ClAlwaysSlowPath("asan-always-slow-path", 104 cl::desc("use instrumentation with slow path for all accesses"), 105 cl::Hidden, cl::init(false)); 106// This flag limits the number of instructions to be instrumented 107// in any given BB. Normally, this should be set to unlimited (INT_MAX), 108// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary 109// set it to 10000. 110static cl::opt<int> ClMaxInsnsToInstrumentPerBB("asan-max-ins-per-bb", 111 cl::init(10000), 112 cl::desc("maximal number of instructions to instrument in any given BB"), 113 cl::Hidden); 114// This flag may need to be replaced with -f[no]asan-stack. 115static cl::opt<bool> ClStack("asan-stack", 116 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 117// This flag may need to be replaced with -f[no]asan-use-after-return. 118static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 119 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 120// This flag may need to be replaced with -f[no]asan-globals. 121static cl::opt<bool> ClGlobals("asan-globals", 122 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 123static cl::opt<bool> ClInitializers("asan-initialization-order", 124 cl::desc("Handle C++ initializer order"), cl::Hidden, cl::init(false)); 125static cl::opt<bool> ClMemIntrin("asan-memintrin", 126 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 127static cl::opt<bool> ClRealignStack("asan-realign-stack", 128 cl::desc("Realign stack to 32"), cl::Hidden, cl::init(true)); 129static cl::opt<std::string> ClBlacklistFile("asan-blacklist", 130 cl::desc("File containing the list of objects to ignore " 131 "during instrumentation"), cl::Hidden); 132 133// These flags allow to change the shadow mapping. 134// The shadow mapping looks like 135// Shadow = (Mem >> scale) + (1 << offset_log) 136static cl::opt<int> ClMappingScale("asan-mapping-scale", 137 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 138static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 139 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 140static cl::opt<bool> ClShort64BitOffset("asan-short-64bit-mapping-offset", 141 cl::desc("Use short immediate constant as the mapping offset for 64bit"), 142 cl::Hidden, cl::init(true)); 143 144// Optimization flags. Not user visible, used mostly for testing 145// and benchmarking the tool. 146static cl::opt<bool> ClOpt("asan-opt", 147 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 148static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 149 cl::desc("Instrument the same temp just once"), cl::Hidden, 150 cl::init(true)); 151static cl::opt<bool> ClOptGlobals("asan-opt-globals", 152 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 153 154static cl::opt<bool> ClCheckLifetime("asan-check-lifetime", 155 cl::desc("Use llvm.lifetime intrinsics to insert extra checks"), 156 cl::Hidden, cl::init(false)); 157 158// Debug flags. 159static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 160 cl::init(0)); 161static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 162 cl::Hidden, cl::init(0)); 163static cl::opt<std::string> ClDebugFunc("asan-debug-func", 164 cl::Hidden, cl::desc("Debug func")); 165static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 166 cl::Hidden, cl::init(-1)); 167static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 168 cl::Hidden, cl::init(-1)); 169 170namespace { 171/// A set of dynamically initialized globals extracted from metadata. 172class SetOfDynamicallyInitializedGlobals { 173 public: 174 void Init(Module& M) { 175 // Clang generates metadata identifying all dynamically initialized globals. 176 NamedMDNode *DynamicGlobals = 177 M.getNamedMetadata("llvm.asan.dynamically_initialized_globals"); 178 if (!DynamicGlobals) 179 return; 180 for (int i = 0, n = DynamicGlobals->getNumOperands(); i < n; ++i) { 181 MDNode *MDN = DynamicGlobals->getOperand(i); 182 assert(MDN->getNumOperands() == 1); 183 Value *VG = MDN->getOperand(0); 184 // The optimizer may optimize away a global entirely, in which case we 185 // cannot instrument access to it. 186 if (!VG) 187 continue; 188 DynInitGlobals.insert(cast<GlobalVariable>(VG)); 189 } 190 } 191 bool Contains(GlobalVariable *G) { return DynInitGlobals.count(G) != 0; } 192 private: 193 SmallSet<GlobalValue*, 32> DynInitGlobals; 194}; 195 196/// This struct defines the shadow mapping using the rule: 197/// shadow = (mem >> Scale) ADD-or-OR Offset. 198struct ShadowMapping { 199 int Scale; 200 uint64_t Offset; 201 bool OrShadowOffset; 202}; 203 204static ShadowMapping getShadowMapping(const Module &M, int LongSize, 205 bool ZeroBaseShadow) { 206 llvm::Triple TargetTriple(M.getTargetTriple()); 207 bool IsAndroid = TargetTriple.getEnvironment() == llvm::Triple::Android; 208 bool IsMacOSX = TargetTriple.getOS() == llvm::Triple::MacOSX; 209 bool IsPPC64 = TargetTriple.getArch() == llvm::Triple::ppc64; 210 bool IsX86_64 = TargetTriple.getArch() == llvm::Triple::x86_64; 211 212 ShadowMapping Mapping; 213 214 // OR-ing shadow offset if more efficient (at least on x86), 215 // but on ppc64 we have to use add since the shadow offset is not neccesary 216 // 1/8-th of the address space. 217 Mapping.OrShadowOffset = !IsPPC64 && !ClShort64BitOffset; 218 219 Mapping.Offset = (IsAndroid || ZeroBaseShadow) ? 0 : 220 (LongSize == 32 ? kDefaultShadowOffset32 : 221 IsPPC64 ? kPPC64_ShadowOffset64 : kDefaultShadowOffset64); 222 if (!ZeroBaseShadow && ClShort64BitOffset && IsX86_64 && !IsMacOSX) { 223 assert(LongSize == 64); 224 Mapping.Offset = kDefaultShort64bitShadowOffset; 225 } 226 if (!ZeroBaseShadow && ClMappingOffsetLog >= 0) { 227 // Zero offset log is the special case. 228 Mapping.Offset = (ClMappingOffsetLog == 0) ? 0 : 1ULL << ClMappingOffsetLog; 229 } 230 231 Mapping.Scale = kDefaultShadowScale; 232 if (ClMappingScale) { 233 Mapping.Scale = ClMappingScale; 234 } 235 236 return Mapping; 237} 238 239static size_t RedzoneSizeForScale(int MappingScale) { 240 // Redzone used for stack and globals is at least 32 bytes. 241 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 242 return std::max(32U, 1U << MappingScale); 243} 244 245/// AddressSanitizer: instrument the code in module to find memory bugs. 246struct AddressSanitizer : public FunctionPass { 247 AddressSanitizer(bool CheckInitOrder = false, 248 bool CheckUseAfterReturn = false, 249 bool CheckLifetime = false, 250 StringRef BlacklistFile = StringRef(), 251 bool ZeroBaseShadow = false) 252 : FunctionPass(ID), 253 CheckInitOrder(CheckInitOrder || ClInitializers), 254 CheckUseAfterReturn(CheckUseAfterReturn || ClUseAfterReturn), 255 CheckLifetime(CheckLifetime || ClCheckLifetime), 256 BlacklistFile(BlacklistFile.empty() ? ClBlacklistFile 257 : BlacklistFile), 258 ZeroBaseShadow(ZeroBaseShadow) {} 259 virtual const char *getPassName() const { 260 return "AddressSanitizerFunctionPass"; 261 } 262 void instrumentMop(Instruction *I); 263 void instrumentAddress(Instruction *OrigIns, Instruction *InsertBefore, 264 Value *Addr, uint32_t TypeSize, bool IsWrite, 265 Value *SizeArgument); 266 Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 267 Value *ShadowValue, uint32_t TypeSize); 268 Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, 269 bool IsWrite, size_t AccessSizeIndex, 270 Value *SizeArgument); 271 bool instrumentMemIntrinsic(MemIntrinsic *MI); 272 void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr, 273 Value *Size, 274 Instruction *InsertBefore, bool IsWrite); 275 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 276 bool runOnFunction(Function &F); 277 void createInitializerPoisonCalls(Module &M, 278 Value *FirstAddr, Value *LastAddr); 279 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 280 void emitShadowMapping(Module &M, IRBuilder<> &IRB) const; 281 virtual bool doInitialization(Module &M); 282 static char ID; // Pass identification, replacement for typeid 283 284 private: 285 void initializeCallbacks(Module &M); 286 287 bool ShouldInstrumentGlobal(GlobalVariable *G); 288 bool LooksLikeCodeInBug11395(Instruction *I); 289 void FindDynamicInitializers(Module &M); 290 291 bool CheckInitOrder; 292 bool CheckUseAfterReturn; 293 bool CheckLifetime; 294 SmallString<64> BlacklistFile; 295 bool ZeroBaseShadow; 296 297 LLVMContext *C; 298 DataLayout *TD; 299 int LongSize; 300 Type *IntptrTy; 301 ShadowMapping Mapping; 302 Function *AsanCtorFunction; 303 Function *AsanInitFunction; 304 Function *AsanHandleNoReturnFunc; 305 OwningPtr<BlackList> BL; 306 // This array is indexed by AccessIsWrite and log2(AccessSize). 307 Function *AsanErrorCallback[2][kNumberOfAccessSizes]; 308 // This array is indexed by AccessIsWrite. 309 Function *AsanErrorCallbackSized[2]; 310 InlineAsm *EmptyAsm; 311 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 312 313 friend struct FunctionStackPoisoner; 314}; 315 316class AddressSanitizerModule : public ModulePass { 317 public: 318 AddressSanitizerModule(bool CheckInitOrder = false, 319 StringRef BlacklistFile = StringRef(), 320 bool ZeroBaseShadow = false) 321 : ModulePass(ID), 322 CheckInitOrder(CheckInitOrder || ClInitializers), 323 BlacklistFile(BlacklistFile.empty() ? ClBlacklistFile 324 : BlacklistFile), 325 ZeroBaseShadow(ZeroBaseShadow) {} 326 bool runOnModule(Module &M); 327 static char ID; // Pass identification, replacement for typeid 328 virtual const char *getPassName() const { 329 return "AddressSanitizerModule"; 330 } 331 332 private: 333 void initializeCallbacks(Module &M); 334 335 bool ShouldInstrumentGlobal(GlobalVariable *G); 336 void createInitializerPoisonCalls(Module &M, Value *FirstAddr, 337 Value *LastAddr); 338 size_t RedzoneSize() const { 339 return RedzoneSizeForScale(Mapping.Scale); 340 } 341 342 bool CheckInitOrder; 343 SmallString<64> BlacklistFile; 344 bool ZeroBaseShadow; 345 346 OwningPtr<BlackList> BL; 347 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 348 Type *IntptrTy; 349 LLVMContext *C; 350 DataLayout *TD; 351 ShadowMapping Mapping; 352 Function *AsanPoisonGlobals; 353 Function *AsanUnpoisonGlobals; 354 Function *AsanRegisterGlobals; 355 Function *AsanUnregisterGlobals; 356}; 357 358// Stack poisoning does not play well with exception handling. 359// When an exception is thrown, we essentially bypass the code 360// that unpoisones the stack. This is why the run-time library has 361// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 362// stack in the interceptor. This however does not work inside the 363// actual function which catches the exception. Most likely because the 364// compiler hoists the load of the shadow value somewhere too high. 365// This causes asan to report a non-existing bug on 453.povray. 366// It sounds like an LLVM bug. 367struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> { 368 Function &F; 369 AddressSanitizer &ASan; 370 DIBuilder DIB; 371 LLVMContext *C; 372 Type *IntptrTy; 373 Type *IntptrPtrTy; 374 ShadowMapping Mapping; 375 376 SmallVector<AllocaInst*, 16> AllocaVec; 377 SmallVector<Instruction*, 8> RetVec; 378 uint64_t TotalStackSize; 379 unsigned StackAlignment; 380 381 Function *AsanStackMallocFunc, *AsanStackFreeFunc; 382 Function *AsanPoisonStackMemoryFunc, *AsanUnpoisonStackMemoryFunc; 383 384 // Stores a place and arguments of poisoning/unpoisoning call for alloca. 385 struct AllocaPoisonCall { 386 IntrinsicInst *InsBefore; 387 uint64_t Size; 388 bool DoPoison; 389 }; 390 SmallVector<AllocaPoisonCall, 8> AllocaPoisonCallVec; 391 392 // Maps Value to an AllocaInst from which the Value is originated. 393 typedef DenseMap<Value*, AllocaInst*> AllocaForValueMapTy; 394 AllocaForValueMapTy AllocaForValue; 395 396 FunctionStackPoisoner(Function &F, AddressSanitizer &ASan) 397 : F(F), ASan(ASan), DIB(*F.getParent()), C(ASan.C), 398 IntptrTy(ASan.IntptrTy), IntptrPtrTy(PointerType::get(IntptrTy, 0)), 399 Mapping(ASan.Mapping), 400 TotalStackSize(0), StackAlignment(1 << Mapping.Scale) {} 401 402 bool runOnFunction() { 403 if (!ClStack) return false; 404 // Collect alloca, ret, lifetime instructions etc. 405 for (df_iterator<BasicBlock*> DI = df_begin(&F.getEntryBlock()), 406 DE = df_end(&F.getEntryBlock()); DI != DE; ++DI) { 407 BasicBlock *BB = *DI; 408 visit(*BB); 409 } 410 if (AllocaVec.empty()) return false; 411 412 initializeCallbacks(*F.getParent()); 413 414 poisonStack(); 415 416 if (ClDebugStack) { 417 DEBUG(dbgs() << F); 418 } 419 return true; 420 } 421 422 // Finds all static Alloca instructions and puts 423 // poisoned red zones around all of them. 424 // Then unpoison everything back before the function returns. 425 void poisonStack(); 426 427 // ----------------------- Visitors. 428 /// \brief Collect all Ret instructions. 429 void visitReturnInst(ReturnInst &RI) { 430 RetVec.push_back(&RI); 431 } 432 433 /// \brief Collect Alloca instructions we want (and can) handle. 434 void visitAllocaInst(AllocaInst &AI) { 435 if (!isInterestingAlloca(AI)) return; 436 437 StackAlignment = std::max(StackAlignment, AI.getAlignment()); 438 AllocaVec.push_back(&AI); 439 uint64_t AlignedSize = getAlignedAllocaSize(&AI); 440 TotalStackSize += AlignedSize; 441 } 442 443 /// \brief Collect lifetime intrinsic calls to check for use-after-scope 444 /// errors. 445 void visitIntrinsicInst(IntrinsicInst &II) { 446 if (!ASan.CheckLifetime) return; 447 Intrinsic::ID ID = II.getIntrinsicID(); 448 if (ID != Intrinsic::lifetime_start && 449 ID != Intrinsic::lifetime_end) 450 return; 451 // Found lifetime intrinsic, add ASan instrumentation if necessary. 452 ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0)); 453 // If size argument is undefined, don't do anything. 454 if (Size->isMinusOne()) return; 455 // Check that size doesn't saturate uint64_t and can 456 // be stored in IntptrTy. 457 const uint64_t SizeValue = Size->getValue().getLimitedValue(); 458 if (SizeValue == ~0ULL || 459 !ConstantInt::isValueValidForType(IntptrTy, SizeValue)) 460 return; 461 // Find alloca instruction that corresponds to llvm.lifetime argument. 462 AllocaInst *AI = findAllocaForValue(II.getArgOperand(1)); 463 if (!AI) return; 464 bool DoPoison = (ID == Intrinsic::lifetime_end); 465 AllocaPoisonCall APC = {&II, SizeValue, DoPoison}; 466 AllocaPoisonCallVec.push_back(APC); 467 } 468 469 // ---------------------- Helpers. 470 void initializeCallbacks(Module &M); 471 472 // Check if we want (and can) handle this alloca. 473 bool isInterestingAlloca(AllocaInst &AI) { 474 return (!AI.isArrayAllocation() && 475 AI.isStaticAlloca() && 476 AI.getAllocatedType()->isSized()); 477 } 478 479 size_t RedzoneSize() const { 480 return RedzoneSizeForScale(Mapping.Scale); 481 } 482 uint64_t getAllocaSizeInBytes(AllocaInst *AI) { 483 Type *Ty = AI->getAllocatedType(); 484 uint64_t SizeInBytes = ASan.TD->getTypeAllocSize(Ty); 485 return SizeInBytes; 486 } 487 uint64_t getAlignedSize(uint64_t SizeInBytes) { 488 size_t RZ = RedzoneSize(); 489 return ((SizeInBytes + RZ - 1) / RZ) * RZ; 490 } 491 uint64_t getAlignedAllocaSize(AllocaInst *AI) { 492 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 493 return getAlignedSize(SizeInBytes); 494 } 495 /// Finds alloca where the value comes from. 496 AllocaInst *findAllocaForValue(Value *V); 497 void poisonRedZones(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, 498 Value *ShadowBase, bool DoPoison); 499 void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> IRB, bool DoPoison); 500}; 501 502} // namespace 503 504char AddressSanitizer::ID = 0; 505INITIALIZE_PASS(AddressSanitizer, "asan", 506 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", 507 false, false) 508FunctionPass *llvm::createAddressSanitizerFunctionPass( 509 bool CheckInitOrder, bool CheckUseAfterReturn, bool CheckLifetime, 510 StringRef BlacklistFile, bool ZeroBaseShadow) { 511 return new AddressSanitizer(CheckInitOrder, CheckUseAfterReturn, 512 CheckLifetime, BlacklistFile, ZeroBaseShadow); 513} 514 515char AddressSanitizerModule::ID = 0; 516INITIALIZE_PASS(AddressSanitizerModule, "asan-module", 517 "AddressSanitizer: detects use-after-free and out-of-bounds bugs." 518 "ModulePass", false, false) 519ModulePass *llvm::createAddressSanitizerModulePass( 520 bool CheckInitOrder, StringRef BlacklistFile, bool ZeroBaseShadow) { 521 return new AddressSanitizerModule(CheckInitOrder, BlacklistFile, 522 ZeroBaseShadow); 523} 524 525static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 526 size_t Res = CountTrailingZeros_32(TypeSize / 8); 527 assert(Res < kNumberOfAccessSizes); 528 return Res; 529} 530 531// Create a constant for Str so that we can pass it to the run-time lib. 532static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 533 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 534 return new GlobalVariable(M, StrConst->getType(), true, 535 GlobalValue::PrivateLinkage, StrConst, 536 kAsanGenPrefix); 537} 538 539static bool GlobalWasGeneratedByAsan(GlobalVariable *G) { 540 return G->getName().find(kAsanGenPrefix) == 0; 541} 542 543Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 544 // Shadow >> scale 545 Shadow = IRB.CreateLShr(Shadow, Mapping.Scale); 546 if (Mapping.Offset == 0) 547 return Shadow; 548 // (Shadow >> scale) | offset 549 if (Mapping.OrShadowOffset) 550 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset)); 551 else 552 return IRB.CreateAdd(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset)); 553} 554 555void AddressSanitizer::instrumentMemIntrinsicParam( 556 Instruction *OrigIns, 557 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 558 IRBuilder<> IRB(InsertBefore); 559 if (Size->getType() != IntptrTy) 560 Size = IRB.CreateIntCast(Size, IntptrTy, false); 561 // Check the first byte. 562 instrumentAddress(OrigIns, InsertBefore, Addr, 8, IsWrite, Size); 563 // Check the last byte. 564 IRB.SetInsertPoint(InsertBefore); 565 Value *SizeMinusOne = IRB.CreateSub(Size, ConstantInt::get(IntptrTy, 1)); 566 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 567 Value *AddrLast = IRB.CreateAdd(AddrLong, SizeMinusOne); 568 instrumentAddress(OrigIns, InsertBefore, AddrLast, 8, IsWrite, Size); 569} 570 571// Instrument memset/memmove/memcpy 572bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 573 Value *Dst = MI->getDest(); 574 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 575 Value *Src = MemTran ? MemTran->getSource() : 0; 576 Value *Length = MI->getLength(); 577 578 Constant *ConstLength = dyn_cast<Constant>(Length); 579 Instruction *InsertBefore = MI; 580 if (ConstLength) { 581 if (ConstLength->isNullValue()) return false; 582 } else { 583 // The size is not a constant so it could be zero -- check at run-time. 584 IRBuilder<> IRB(InsertBefore); 585 586 Value *Cmp = IRB.CreateICmpNE(Length, 587 Constant::getNullValue(Length->getType())); 588 InsertBefore = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 589 } 590 591 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 592 if (Src) 593 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 594 return true; 595} 596 597// If I is an interesting memory access, return the PointerOperand 598// and set IsWrite. Otherwise return NULL. 599static Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite) { 600 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 601 if (!ClInstrumentReads) return NULL; 602 *IsWrite = false; 603 return LI->getPointerOperand(); 604 } 605 if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 606 if (!ClInstrumentWrites) return NULL; 607 *IsWrite = true; 608 return SI->getPointerOperand(); 609 } 610 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 611 if (!ClInstrumentAtomics) return NULL; 612 *IsWrite = true; 613 return RMW->getPointerOperand(); 614 } 615 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 616 if (!ClInstrumentAtomics) return NULL; 617 *IsWrite = true; 618 return XCHG->getPointerOperand(); 619 } 620 return NULL; 621} 622 623void AddressSanitizer::instrumentMop(Instruction *I) { 624 bool IsWrite = false; 625 Value *Addr = isInterestingMemoryAccess(I, &IsWrite); 626 assert(Addr); 627 if (ClOpt && ClOptGlobals) { 628 if (GlobalVariable *G = dyn_cast<GlobalVariable>(Addr)) { 629 // If initialization order checking is disabled, a simple access to a 630 // dynamically initialized global is always valid. 631 if (!CheckInitOrder) 632 return; 633 // If a global variable does not have dynamic initialization we don't 634 // have to instrument it. However, if a global does not have initailizer 635 // at all, we assume it has dynamic initializer (in other TU). 636 if (G->hasInitializer() && !DynamicallyInitializedGlobals.Contains(G)) 637 return; 638 } 639 } 640 641 Type *OrigPtrTy = Addr->getType(); 642 Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType(); 643 644 assert(OrigTy->isSized()); 645 uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy); 646 647 assert((TypeSize % 8) == 0); 648 649 // Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check. 650 if (TypeSize == 8 || TypeSize == 16 || 651 TypeSize == 32 || TypeSize == 64 || TypeSize == 128) 652 return instrumentAddress(I, I, Addr, TypeSize, IsWrite, 0); 653 // Instrument unusual size (but still multiple of 8). 654 // We can not do it with a single check, so we do 1-byte check for the first 655 // and the last bytes. We call __asan_report_*_n(addr, real_size) to be able 656 // to report the actual access size. 657 IRBuilder<> IRB(I); 658 Value *LastByte = IRB.CreateIntToPtr( 659 IRB.CreateAdd(IRB.CreatePointerCast(Addr, IntptrTy), 660 ConstantInt::get(IntptrTy, TypeSize / 8 - 1)), 661 OrigPtrTy); 662 Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8); 663 instrumentAddress(I, I, Addr, 8, IsWrite, Size); 664 instrumentAddress(I, I, LastByte, 8, IsWrite, Size); 665} 666 667// Validate the result of Module::getOrInsertFunction called for an interface 668// function of AddressSanitizer. If the instrumented module defines a function 669// with the same name, their prototypes must match, otherwise 670// getOrInsertFunction returns a bitcast. 671static Function *checkInterfaceFunction(Constant *FuncOrBitcast) { 672 if (isa<Function>(FuncOrBitcast)) return cast<Function>(FuncOrBitcast); 673 FuncOrBitcast->dump(); 674 report_fatal_error("trying to redefine an AddressSanitizer " 675 "interface function"); 676} 677 678Instruction *AddressSanitizer::generateCrashCode( 679 Instruction *InsertBefore, Value *Addr, 680 bool IsWrite, size_t AccessSizeIndex, Value *SizeArgument) { 681 IRBuilder<> IRB(InsertBefore); 682 CallInst *Call = SizeArgument 683 ? IRB.CreateCall2(AsanErrorCallbackSized[IsWrite], Addr, SizeArgument) 684 : IRB.CreateCall(AsanErrorCallback[IsWrite][AccessSizeIndex], Addr); 685 686 // We don't do Call->setDoesNotReturn() because the BB already has 687 // UnreachableInst at the end. 688 // This EmptyAsm is required to avoid callback merge. 689 IRB.CreateCall(EmptyAsm); 690 return Call; 691} 692 693Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 694 Value *ShadowValue, 695 uint32_t TypeSize) { 696 size_t Granularity = 1 << Mapping.Scale; 697 // Addr & (Granularity - 1) 698 Value *LastAccessedByte = IRB.CreateAnd( 699 AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 700 // (Addr & (Granularity - 1)) + size - 1 701 if (TypeSize / 8 > 1) 702 LastAccessedByte = IRB.CreateAdd( 703 LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 704 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 705 LastAccessedByte = IRB.CreateIntCast( 706 LastAccessedByte, ShadowValue->getType(), false); 707 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 708 return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue); 709} 710 711void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 712 Instruction *InsertBefore, 713 Value *Addr, uint32_t TypeSize, 714 bool IsWrite, Value *SizeArgument) { 715 IRBuilder<> IRB(InsertBefore); 716 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 717 718 Type *ShadowTy = IntegerType::get( 719 *C, std::max(8U, TypeSize >> Mapping.Scale)); 720 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 721 Value *ShadowPtr = memToShadow(AddrLong, IRB); 722 Value *CmpVal = Constant::getNullValue(ShadowTy); 723 Value *ShadowValue = IRB.CreateLoad( 724 IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 725 726 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 727 size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize); 728 size_t Granularity = 1 << Mapping.Scale; 729 TerminatorInst *CrashTerm = 0; 730 731 if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) { 732 TerminatorInst *CheckTerm = 733 SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 734 assert(dyn_cast<BranchInst>(CheckTerm)->isUnconditional()); 735 BasicBlock *NextBB = CheckTerm->getSuccessor(0); 736 IRB.SetInsertPoint(CheckTerm); 737 Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize); 738 BasicBlock *CrashBlock = 739 BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); 740 CrashTerm = new UnreachableInst(*C, CrashBlock); 741 BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); 742 ReplaceInstWithInst(CheckTerm, NewTerm); 743 } else { 744 CrashTerm = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), true); 745 } 746 747 Instruction *Crash = generateCrashCode( 748 CrashTerm, AddrLong, IsWrite, AccessSizeIndex, SizeArgument); 749 Crash->setDebugLoc(OrigIns->getDebugLoc()); 750} 751 752void AddressSanitizerModule::createInitializerPoisonCalls( 753 Module &M, Value *FirstAddr, Value *LastAddr) { 754 // We do all of our poisoning and unpoisoning within _GLOBAL__I_a. 755 Function *GlobalInit = M.getFunction("_GLOBAL__I_a"); 756 // If that function is not present, this TU contains no globals, or they have 757 // all been optimized away 758 if (!GlobalInit) 759 return; 760 761 // Set up the arguments to our poison/unpoison functions. 762 IRBuilder<> IRB(GlobalInit->begin()->getFirstInsertionPt()); 763 764 // Add a call to poison all external globals before the given function starts. 765 IRB.CreateCall2(AsanPoisonGlobals, FirstAddr, LastAddr); 766 767 // Add calls to unpoison all globals before each return instruction. 768 for (Function::iterator I = GlobalInit->begin(), E = GlobalInit->end(); 769 I != E; ++I) { 770 if (ReturnInst *RI = dyn_cast<ReturnInst>(I->getTerminator())) { 771 CallInst::Create(AsanUnpoisonGlobals, "", RI); 772 } 773 } 774} 775 776bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) { 777 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 778 DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); 779 780 if (BL->isIn(*G)) return false; 781 if (!Ty->isSized()) return false; 782 if (!G->hasInitializer()) return false; 783 if (GlobalWasGeneratedByAsan(G)) return false; // Our own global. 784 // Touch only those globals that will not be defined in other modules. 785 // Don't handle ODR type linkages since other modules may be built w/o asan. 786 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 787 G->getLinkage() != GlobalVariable::PrivateLinkage && 788 G->getLinkage() != GlobalVariable::InternalLinkage) 789 return false; 790 // Two problems with thread-locals: 791 // - The address of the main thread's copy can't be computed at link-time. 792 // - Need to poison all copies, not just the main thread's one. 793 if (G->isThreadLocal()) 794 return false; 795 // For now, just ignore this Alloca if the alignment is large. 796 if (G->getAlignment() > RedzoneSize()) return false; 797 798 // Ignore all the globals with the names starting with "\01L_OBJC_". 799 // Many of those are put into the .cstring section. The linker compresses 800 // that section by removing the spare \0s after the string terminator, so 801 // our redzones get broken. 802 if ((G->getName().find("\01L_OBJC_") == 0) || 803 (G->getName().find("\01l_OBJC_") == 0)) { 804 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 805 return false; 806 } 807 808 if (G->hasSection()) { 809 StringRef Section(G->getSection()); 810 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 811 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 812 // them. 813 if ((Section.find("__OBJC,") == 0) || 814 (Section.find("__DATA, __objc_") == 0)) { 815 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 816 return false; 817 } 818 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 819 // Constant CFString instances are compiled in the following way: 820 // -- the string buffer is emitted into 821 // __TEXT,__cstring,cstring_literals 822 // -- the constant NSConstantString structure referencing that buffer 823 // is placed into __DATA,__cfstring 824 // Therefore there's no point in placing redzones into __DATA,__cfstring. 825 // Moreover, it causes the linker to crash on OS X 10.7 826 if (Section.find("__DATA,__cfstring") == 0) { 827 DEBUG(dbgs() << "Ignoring CFString: " << *G); 828 return false; 829 } 830 } 831 832 return true; 833} 834 835void AddressSanitizerModule::initializeCallbacks(Module &M) { 836 IRBuilder<> IRB(*C); 837 // Declare our poisoning and unpoisoning functions. 838 AsanPoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 839 kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 840 AsanPoisonGlobals->setLinkage(Function::ExternalLinkage); 841 AsanUnpoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 842 kAsanUnpoisonGlobalsName, IRB.getVoidTy(), NULL)); 843 AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage); 844 // Declare functions that register/unregister globals. 845 AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( 846 kAsanRegisterGlobalsName, IRB.getVoidTy(), 847 IntptrTy, IntptrTy, NULL)); 848 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 849 AsanUnregisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( 850 kAsanUnregisterGlobalsName, 851 IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 852 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 853} 854 855// This function replaces all global variables with new variables that have 856// trailing redzones. It also creates a function that poisons 857// redzones and inserts this function into llvm.global_ctors. 858bool AddressSanitizerModule::runOnModule(Module &M) { 859 if (!ClGlobals) return false; 860 TD = getAnalysisIfAvailable<DataLayout>(); 861 if (!TD) 862 return false; 863 BL.reset(new BlackList(BlacklistFile)); 864 if (BL->isIn(M)) return false; 865 C = &(M.getContext()); 866 int LongSize = TD->getPointerSizeInBits(); 867 IntptrTy = Type::getIntNTy(*C, LongSize); 868 Mapping = getShadowMapping(M, LongSize, ZeroBaseShadow); 869 initializeCallbacks(M); 870 DynamicallyInitializedGlobals.Init(M); 871 872 SmallVector<GlobalVariable *, 16> GlobalsToChange; 873 874 for (Module::GlobalListType::iterator G = M.global_begin(), 875 E = M.global_end(); G != E; ++G) { 876 if (ShouldInstrumentGlobal(G)) 877 GlobalsToChange.push_back(G); 878 } 879 880 size_t n = GlobalsToChange.size(); 881 if (n == 0) return false; 882 883 // A global is described by a structure 884 // size_t beg; 885 // size_t size; 886 // size_t size_with_redzone; 887 // const char *name; 888 // size_t has_dynamic_init; 889 // We initialize an array of such structures and pass it to a run-time call. 890 StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy, 891 IntptrTy, IntptrTy, 892 IntptrTy, NULL); 893 SmallVector<Constant *, 16> Initializers(n), DynamicInit; 894 895 896 Function *CtorFunc = M.getFunction(kAsanModuleCtorName); 897 assert(CtorFunc); 898 IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator()); 899 900 // The addresses of the first and last dynamically initialized globals in 901 // this TU. Used in initialization order checking. 902 Value *FirstDynamic = 0, *LastDynamic = 0; 903 904 for (size_t i = 0; i < n; i++) { 905 static const uint64_t kMaxGlobalRedzone = 1 << 18; 906 GlobalVariable *G = GlobalsToChange[i]; 907 PointerType *PtrTy = cast<PointerType>(G->getType()); 908 Type *Ty = PtrTy->getElementType(); 909 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 910 uint64_t MinRZ = RedzoneSize(); 911 // MinRZ <= RZ <= kMaxGlobalRedzone 912 // and trying to make RZ to be ~ 1/4 of SizeInBytes. 913 uint64_t RZ = std::max(MinRZ, 914 std::min(kMaxGlobalRedzone, 915 (SizeInBytes / MinRZ / 4) * MinRZ)); 916 uint64_t RightRedzoneSize = RZ; 917 // Round up to MinRZ 918 if (SizeInBytes % MinRZ) 919 RightRedzoneSize += MinRZ - (SizeInBytes % MinRZ); 920 assert(((RightRedzoneSize + SizeInBytes) % MinRZ) == 0); 921 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 922 // Determine whether this global should be poisoned in initialization. 923 bool GlobalHasDynamicInitializer = 924 DynamicallyInitializedGlobals.Contains(G); 925 // Don't check initialization order if this global is blacklisted. 926 GlobalHasDynamicInitializer &= !BL->isInInit(*G); 927 928 StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL); 929 Constant *NewInitializer = ConstantStruct::get( 930 NewTy, G->getInitializer(), 931 Constant::getNullValue(RightRedZoneTy), NULL); 932 933 SmallString<2048> DescriptionOfGlobal = G->getName(); 934 DescriptionOfGlobal += " ("; 935 DescriptionOfGlobal += M.getModuleIdentifier(); 936 DescriptionOfGlobal += ")"; 937 GlobalVariable *Name = createPrivateGlobalForString(M, DescriptionOfGlobal); 938 939 // Create a new global variable with enough space for a redzone. 940 GlobalVariable *NewGlobal = new GlobalVariable( 941 M, NewTy, G->isConstant(), G->getLinkage(), 942 NewInitializer, "", G, G->getThreadLocalMode()); 943 NewGlobal->copyAttributesFrom(G); 944 NewGlobal->setAlignment(MinRZ); 945 946 Value *Indices2[2]; 947 Indices2[0] = IRB.getInt32(0); 948 Indices2[1] = IRB.getInt32(0); 949 950 G->replaceAllUsesWith( 951 ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true)); 952 NewGlobal->takeName(G); 953 G->eraseFromParent(); 954 955 Initializers[i] = ConstantStruct::get( 956 GlobalStructTy, 957 ConstantExpr::getPointerCast(NewGlobal, IntptrTy), 958 ConstantInt::get(IntptrTy, SizeInBytes), 959 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 960 ConstantExpr::getPointerCast(Name, IntptrTy), 961 ConstantInt::get(IntptrTy, GlobalHasDynamicInitializer), 962 NULL); 963 964 // Populate the first and last globals declared in this TU. 965 if (CheckInitOrder && GlobalHasDynamicInitializer) { 966 LastDynamic = ConstantExpr::getPointerCast(NewGlobal, IntptrTy); 967 if (FirstDynamic == 0) 968 FirstDynamic = LastDynamic; 969 } 970 971 DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); 972 } 973 974 ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); 975 GlobalVariable *AllGlobals = new GlobalVariable( 976 M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage, 977 ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); 978 979 // Create calls for poisoning before initializers run and unpoisoning after. 980 if (CheckInitOrder && FirstDynamic && LastDynamic) 981 createInitializerPoisonCalls(M, FirstDynamic, LastDynamic); 982 IRB.CreateCall2(AsanRegisterGlobals, 983 IRB.CreatePointerCast(AllGlobals, IntptrTy), 984 ConstantInt::get(IntptrTy, n)); 985 986 // We also need to unregister globals at the end, e.g. when a shared library 987 // gets closed. 988 Function *AsanDtorFunction = Function::Create( 989 FunctionType::get(Type::getVoidTy(*C), false), 990 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 991 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 992 IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); 993 IRB_Dtor.CreateCall2(AsanUnregisterGlobals, 994 IRB.CreatePointerCast(AllGlobals, IntptrTy), 995 ConstantInt::get(IntptrTy, n)); 996 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority); 997 998 DEBUG(dbgs() << M); 999 return true; 1000} 1001 1002void AddressSanitizer::initializeCallbacks(Module &M) { 1003 IRBuilder<> IRB(*C); 1004 // Create __asan_report* callbacks. 1005 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 1006 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 1007 AccessSizeIndex++) { 1008 // IsWrite and TypeSize are encoded in the function name. 1009 std::string FunctionName = std::string(kAsanReportErrorTemplate) + 1010 (AccessIsWrite ? "store" : "load") + itostr(1 << AccessSizeIndex); 1011 // If we are merging crash callbacks, they have two parameters. 1012 AsanErrorCallback[AccessIsWrite][AccessSizeIndex] = 1013 checkInterfaceFunction(M.getOrInsertFunction( 1014 FunctionName, IRB.getVoidTy(), IntptrTy, NULL)); 1015 } 1016 } 1017 AsanErrorCallbackSized[0] = checkInterfaceFunction(M.getOrInsertFunction( 1018 kAsanReportLoadN, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1019 AsanErrorCallbackSized[1] = checkInterfaceFunction(M.getOrInsertFunction( 1020 kAsanReportStoreN, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1021 1022 AsanHandleNoReturnFunc = checkInterfaceFunction(M.getOrInsertFunction( 1023 kAsanHandleNoReturnName, IRB.getVoidTy(), NULL)); 1024 // We insert an empty inline asm after __asan_report* to avoid callback merge. 1025 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 1026 StringRef(""), StringRef(""), 1027 /*hasSideEffects=*/true); 1028} 1029 1030void AddressSanitizer::emitShadowMapping(Module &M, IRBuilder<> &IRB) const { 1031 // Tell the values of mapping offset and scale to the run-time. 1032 GlobalValue *asan_mapping_offset = 1033 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 1034 ConstantInt::get(IntptrTy, Mapping.Offset), 1035 kAsanMappingOffsetName); 1036 // Read the global, otherwise it may be optimized away. 1037 IRB.CreateLoad(asan_mapping_offset, true); 1038 1039 GlobalValue *asan_mapping_scale = 1040 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 1041 ConstantInt::get(IntptrTy, Mapping.Scale), 1042 kAsanMappingScaleName); 1043 // Read the global, otherwise it may be optimized away. 1044 IRB.CreateLoad(asan_mapping_scale, true); 1045} 1046 1047// virtual 1048bool AddressSanitizer::doInitialization(Module &M) { 1049 // Initialize the private fields. No one has accessed them before. 1050 TD = getAnalysisIfAvailable<DataLayout>(); 1051 1052 if (!TD) 1053 return false; 1054 BL.reset(new BlackList(BlacklistFile)); 1055 DynamicallyInitializedGlobals.Init(M); 1056 1057 C = &(M.getContext()); 1058 LongSize = TD->getPointerSizeInBits(); 1059 IntptrTy = Type::getIntNTy(*C, LongSize); 1060 1061 AsanCtorFunction = Function::Create( 1062 FunctionType::get(Type::getVoidTy(*C), false), 1063 GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); 1064 BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); 1065 // call __asan_init in the module ctor. 1066 IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB)); 1067 AsanInitFunction = checkInterfaceFunction( 1068 M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL)); 1069 AsanInitFunction->setLinkage(Function::ExternalLinkage); 1070 IRB.CreateCall(AsanInitFunction); 1071 1072 Mapping = getShadowMapping(M, LongSize, ZeroBaseShadow); 1073 emitShadowMapping(M, IRB); 1074 1075 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority); 1076 return true; 1077} 1078 1079bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 1080 // For each NSObject descendant having a +load method, this method is invoked 1081 // by the ObjC runtime before any of the static constructors is called. 1082 // Therefore we need to instrument such methods with a call to __asan_init 1083 // at the beginning in order to initialize our runtime before any access to 1084 // the shadow memory. 1085 // We cannot just ignore these methods, because they may call other 1086 // instrumented functions. 1087 if (F.getName().find(" load]") != std::string::npos) { 1088 IRBuilder<> IRB(F.begin()->begin()); 1089 IRB.CreateCall(AsanInitFunction); 1090 return true; 1091 } 1092 return false; 1093} 1094 1095bool AddressSanitizer::runOnFunction(Function &F) { 1096 if (BL->isIn(F)) return false; 1097 if (&F == AsanCtorFunction) return false; 1098 DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); 1099 initializeCallbacks(*F.getParent()); 1100 1101 // If needed, insert __asan_init before checking for SanitizeAddress attr. 1102 maybeInsertAsanInitAtFunctionEntry(F); 1103 1104 if (!F.getAttributes().hasAttribute(AttributeSet::FunctionIndex, 1105 Attribute::SanitizeAddress)) 1106 return false; 1107 1108 if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) 1109 return false; 1110 1111 // We want to instrument every address only once per basic block (unless there 1112 // are calls between uses). 1113 SmallSet<Value*, 16> TempsToInstrument; 1114 SmallVector<Instruction*, 16> ToInstrument; 1115 SmallVector<Instruction*, 8> NoReturnCalls; 1116 bool IsWrite; 1117 1118 // Fill the set of memory operations to instrument. 1119 for (Function::iterator FI = F.begin(), FE = F.end(); 1120 FI != FE; ++FI) { 1121 TempsToInstrument.clear(); 1122 int NumInsnsPerBB = 0; 1123 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 1124 BI != BE; ++BI) { 1125 if (LooksLikeCodeInBug11395(BI)) return false; 1126 if (Value *Addr = isInterestingMemoryAccess(BI, &IsWrite)) { 1127 if (ClOpt && ClOptSameTemp) { 1128 if (!TempsToInstrument.insert(Addr)) 1129 continue; // We've seen this temp in the current BB. 1130 } 1131 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 1132 // ok, take it. 1133 } else { 1134 CallSite CS(BI); 1135 if (CS) { 1136 // A call inside BB. 1137 TempsToInstrument.clear(); 1138 if (CS.doesNotReturn()) 1139 NoReturnCalls.push_back(CS.getInstruction()); 1140 } 1141 continue; 1142 } 1143 ToInstrument.push_back(BI); 1144 NumInsnsPerBB++; 1145 if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) 1146 break; 1147 } 1148 } 1149 1150 // Instrument. 1151 int NumInstrumented = 0; 1152 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 1153 Instruction *Inst = ToInstrument[i]; 1154 if (ClDebugMin < 0 || ClDebugMax < 0 || 1155 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 1156 if (isInterestingMemoryAccess(Inst, &IsWrite)) 1157 instrumentMop(Inst); 1158 else 1159 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 1160 } 1161 NumInstrumented++; 1162 } 1163 1164 FunctionStackPoisoner FSP(F, *this); 1165 bool ChangedStack = FSP.runOnFunction(); 1166 1167 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 1168 // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37 1169 for (size_t i = 0, n = NoReturnCalls.size(); i != n; i++) { 1170 Instruction *CI = NoReturnCalls[i]; 1171 IRBuilder<> IRB(CI); 1172 IRB.CreateCall(AsanHandleNoReturnFunc); 1173 } 1174 DEBUG(dbgs() << "ASAN done instrumenting:\n" << F << "\n"); 1175 1176 return NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); 1177} 1178 1179static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 1180 if (ShadowRedzoneSize == 1) return PoisonByte; 1181 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 1182 if (ShadowRedzoneSize == 4) 1183 return (PoisonByte << 24) + (PoisonByte << 16) + 1184 (PoisonByte << 8) + (PoisonByte); 1185 llvm_unreachable("ShadowRedzoneSize is either 1, 2 or 4"); 1186} 1187 1188static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 1189 size_t Size, 1190 size_t RZSize, 1191 size_t ShadowGranularity, 1192 uint8_t Magic) { 1193 for (size_t i = 0; i < RZSize; 1194 i+= ShadowGranularity, Shadow++) { 1195 if (i + ShadowGranularity <= Size) { 1196 *Shadow = 0; // fully addressable 1197 } else if (i >= Size) { 1198 *Shadow = Magic; // unaddressable 1199 } else { 1200 *Shadow = Size - i; // first Size-i bytes are addressable 1201 } 1202 } 1203} 1204 1205// Workaround for bug 11395: we don't want to instrument stack in functions 1206// with large assembly blobs (32-bit only), otherwise reg alloc may crash. 1207// FIXME: remove once the bug 11395 is fixed. 1208bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 1209 if (LongSize != 32) return false; 1210 CallInst *CI = dyn_cast<CallInst>(I); 1211 if (!CI || !CI->isInlineAsm()) return false; 1212 if (CI->getNumArgOperands() <= 5) return false; 1213 // We have inline assembly with quite a few arguments. 1214 return true; 1215} 1216 1217void FunctionStackPoisoner::initializeCallbacks(Module &M) { 1218 IRBuilder<> IRB(*C); 1219 AsanStackMallocFunc = checkInterfaceFunction(M.getOrInsertFunction( 1220 kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL)); 1221 AsanStackFreeFunc = checkInterfaceFunction(M.getOrInsertFunction( 1222 kAsanStackFreeName, IRB.getVoidTy(), 1223 IntptrTy, IntptrTy, IntptrTy, NULL)); 1224 AsanPoisonStackMemoryFunc = checkInterfaceFunction(M.getOrInsertFunction( 1225 kAsanPoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1226 AsanUnpoisonStackMemoryFunc = checkInterfaceFunction(M.getOrInsertFunction( 1227 kAsanUnpoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1228} 1229 1230void FunctionStackPoisoner::poisonRedZones( 1231 const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, Value *ShadowBase, 1232 bool DoPoison) { 1233 size_t ShadowRZSize = RedzoneSize() >> Mapping.Scale; 1234 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 1235 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 1236 Type *RZPtrTy = PointerType::get(RZTy, 0); 1237 1238 Value *PoisonLeft = ConstantInt::get(RZTy, 1239 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 1240 Value *PoisonMid = ConstantInt::get(RZTy, 1241 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 1242 Value *PoisonRight = ConstantInt::get(RZTy, 1243 ValueForPoison(DoPoison ? kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 1244 1245 // poison the first red zone. 1246 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 1247 1248 // poison all other red zones. 1249 uint64_t Pos = RedzoneSize(); 1250 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 1251 AllocaInst *AI = AllocaVec[i]; 1252 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 1253 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1254 assert(AlignedSize - SizeInBytes < RedzoneSize()); 1255 Value *Ptr = NULL; 1256 1257 Pos += AlignedSize; 1258 1259 assert(ShadowBase->getType() == IntptrTy); 1260 if (SizeInBytes < AlignedSize) { 1261 // Poison the partial redzone at right 1262 Ptr = IRB.CreateAdd( 1263 ShadowBase, ConstantInt::get(IntptrTy, 1264 (Pos >> Mapping.Scale) - ShadowRZSize)); 1265 size_t AddressableBytes = RedzoneSize() - (AlignedSize - SizeInBytes); 1266 uint32_t Poison = 0; 1267 if (DoPoison) { 1268 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 1269 RedzoneSize(), 1270 1ULL << Mapping.Scale, 1271 kAsanStackPartialRedzoneMagic); 1272 } 1273 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 1274 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1275 } 1276 1277 // Poison the full redzone at right. 1278 Ptr = IRB.CreateAdd(ShadowBase, 1279 ConstantInt::get(IntptrTy, Pos >> Mapping.Scale)); 1280 bool LastAlloca = (i == AllocaVec.size() - 1); 1281 Value *Poison = LastAlloca ? PoisonRight : PoisonMid; 1282 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1283 1284 Pos += RedzoneSize(); 1285 } 1286} 1287 1288void FunctionStackPoisoner::poisonStack() { 1289 uint64_t LocalStackSize = TotalStackSize + 1290 (AllocaVec.size() + 1) * RedzoneSize(); 1291 1292 bool DoStackMalloc = ASan.CheckUseAfterReturn 1293 && LocalStackSize <= kMaxStackMallocSize; 1294 1295 assert(AllocaVec.size() > 0); 1296 Instruction *InsBefore = AllocaVec[0]; 1297 IRBuilder<> IRB(InsBefore); 1298 1299 1300 Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); 1301 AllocaInst *MyAlloca = 1302 new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore); 1303 if (ClRealignStack && StackAlignment < RedzoneSize()) 1304 StackAlignment = RedzoneSize(); 1305 MyAlloca->setAlignment(StackAlignment); 1306 assert(MyAlloca->isStaticAlloca()); 1307 Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy); 1308 Value *LocalStackBase = OrigStackBase; 1309 1310 if (DoStackMalloc) { 1311 LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc, 1312 ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); 1313 } 1314 1315 // This string will be parsed by the run-time (DescribeStackAddress). 1316 SmallString<2048> StackDescriptionStorage; 1317 raw_svector_ostream StackDescription(StackDescriptionStorage); 1318 StackDescription << F.getName() << " " << AllocaVec.size() << " "; 1319 1320 // Insert poison calls for lifetime intrinsics for alloca. 1321 bool HavePoisonedAllocas = false; 1322 for (size_t i = 0, n = AllocaPoisonCallVec.size(); i < n; i++) { 1323 const AllocaPoisonCall &APC = AllocaPoisonCallVec[i]; 1324 IntrinsicInst *II = APC.InsBefore; 1325 AllocaInst *AI = findAllocaForValue(II->getArgOperand(1)); 1326 assert(AI); 1327 IRBuilder<> IRB(II); 1328 poisonAlloca(AI, APC.Size, IRB, APC.DoPoison); 1329 HavePoisonedAllocas |= APC.DoPoison; 1330 } 1331 1332 uint64_t Pos = RedzoneSize(); 1333 // Replace Alloca instructions with base+offset. 1334 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 1335 AllocaInst *AI = AllocaVec[i]; 1336 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 1337 StringRef Name = AI->getName(); 1338 StackDescription << Pos << " " << SizeInBytes << " " 1339 << Name.size() << " " << Name << " "; 1340 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1341 assert((AlignedSize % RedzoneSize()) == 0); 1342 Value *NewAllocaPtr = IRB.CreateIntToPtr( 1343 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)), 1344 AI->getType()); 1345 replaceDbgDeclareForAlloca(AI, NewAllocaPtr, DIB); 1346 AI->replaceAllUsesWith(NewAllocaPtr); 1347 Pos += AlignedSize + RedzoneSize(); 1348 } 1349 assert(Pos == LocalStackSize); 1350 1351 // Write the Magic value and the frame description constant to the redzone. 1352 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 1353 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 1354 BasePlus0); 1355 Value *BasePlus1 = IRB.CreateAdd(LocalStackBase, 1356 ConstantInt::get(IntptrTy, 1357 ASan.LongSize/8)); 1358 BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy); 1359 GlobalVariable *StackDescriptionGlobal = 1360 createPrivateGlobalForString(*F.getParent(), StackDescription.str()); 1361 Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, 1362 IntptrTy); 1363 IRB.CreateStore(Description, BasePlus1); 1364 1365 // Poison the stack redzones at the entry. 1366 Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB); 1367 poisonRedZones(AllocaVec, IRB, ShadowBase, true); 1368 1369 // Unpoison the stack before all ret instructions. 1370 for (size_t i = 0, n = RetVec.size(); i < n; i++) { 1371 Instruction *Ret = RetVec[i]; 1372 IRBuilder<> IRBRet(Ret); 1373 // Mark the current frame as retired. 1374 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 1375 BasePlus0); 1376 // Unpoison the stack. 1377 poisonRedZones(AllocaVec, IRBRet, ShadowBase, false); 1378 if (DoStackMalloc) { 1379 // In use-after-return mode, mark the whole stack frame unaddressable. 1380 IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase, 1381 ConstantInt::get(IntptrTy, LocalStackSize), 1382 OrigStackBase); 1383 } else if (HavePoisonedAllocas) { 1384 // If we poisoned some allocas in llvm.lifetime analysis, 1385 // unpoison whole stack frame now. 1386 assert(LocalStackBase == OrigStackBase); 1387 poisonAlloca(LocalStackBase, LocalStackSize, IRBRet, false); 1388 } 1389 } 1390 1391 // We are done. Remove the old unused alloca instructions. 1392 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) 1393 AllocaVec[i]->eraseFromParent(); 1394} 1395 1396void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size, 1397 IRBuilder<> IRB, bool DoPoison) { 1398 // For now just insert the call to ASan runtime. 1399 Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy); 1400 Value *SizeArg = ConstantInt::get(IntptrTy, Size); 1401 IRB.CreateCall2(DoPoison ? AsanPoisonStackMemoryFunc 1402 : AsanUnpoisonStackMemoryFunc, 1403 AddrArg, SizeArg); 1404} 1405 1406// Handling llvm.lifetime intrinsics for a given %alloca: 1407// (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca. 1408// (2) if %size is constant, poison memory for llvm.lifetime.end (to detect 1409// invalid accesses) and unpoison it for llvm.lifetime.start (the memory 1410// could be poisoned by previous llvm.lifetime.end instruction, as the 1411// variable may go in and out of scope several times, e.g. in loops). 1412// (3) if we poisoned at least one %alloca in a function, 1413// unpoison the whole stack frame at function exit. 1414 1415AllocaInst *FunctionStackPoisoner::findAllocaForValue(Value *V) { 1416 if (AllocaInst *AI = dyn_cast<AllocaInst>(V)) 1417 // We're intested only in allocas we can handle. 1418 return isInterestingAlloca(*AI) ? AI : 0; 1419 // See if we've already calculated (or started to calculate) alloca for a 1420 // given value. 1421 AllocaForValueMapTy::iterator I = AllocaForValue.find(V); 1422 if (I != AllocaForValue.end()) 1423 return I->second; 1424 // Store 0 while we're calculating alloca for value V to avoid 1425 // infinite recursion if the value references itself. 1426 AllocaForValue[V] = 0; 1427 AllocaInst *Res = 0; 1428 if (CastInst *CI = dyn_cast<CastInst>(V)) 1429 Res = findAllocaForValue(CI->getOperand(0)); 1430 else if (PHINode *PN = dyn_cast<PHINode>(V)) { 1431 for (unsigned i = 0, e = PN->getNumIncomingValues(); i != e; ++i) { 1432 Value *IncValue = PN->getIncomingValue(i); 1433 // Allow self-referencing phi-nodes. 1434 if (IncValue == PN) continue; 1435 AllocaInst *IncValueAI = findAllocaForValue(IncValue); 1436 // AI for incoming values should exist and should all be equal. 1437 if (IncValueAI == 0 || (Res != 0 && IncValueAI != Res)) 1438 return 0; 1439 Res = IncValueAI; 1440 } 1441 } 1442 if (Res != 0) 1443 AllocaForValue[V] = Res; 1444 return Res; 1445} 1446