AddressSanitizer.cpp revision a1c45044099cf7fb4a072f1326f164706d5bb2e2
1//===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// Details of the algorithm: 12// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13// 14//===----------------------------------------------------------------------===// 15 16#define DEBUG_TYPE "asan" 17 18#include "FunctionBlackList.h" 19#include "llvm/ADT/ArrayRef.h" 20#include "llvm/ADT/OwningPtr.h" 21#include "llvm/ADT/SmallSet.h" 22#include "llvm/ADT/SmallString.h" 23#include "llvm/ADT/SmallVector.h" 24#include "llvm/ADT/StringExtras.h" 25#include "llvm/Function.h" 26#include "llvm/IntrinsicInst.h" 27#include "llvm/LLVMContext.h" 28#include "llvm/Module.h" 29#include "llvm/Support/CommandLine.h" 30#include "llvm/Support/DataTypes.h" 31#include "llvm/Support/Debug.h" 32#include "llvm/Support/IRBuilder.h" 33#include "llvm/Support/raw_ostream.h" 34#include "llvm/Support/system_error.h" 35#include "llvm/Target/TargetData.h" 36#include "llvm/Target/TargetMachine.h" 37#include "llvm/Transforms/Instrumentation.h" 38#include "llvm/Transforms/Utils/BasicBlockUtils.h" 39#include "llvm/Transforms/Utils/ModuleUtils.h" 40#include "llvm/Type.h" 41 42#include <string> 43#include <algorithm> 44 45using namespace llvm; 46 47static const uint64_t kDefaultShadowScale = 3; 48static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 49static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 50 51static const size_t kMaxStackMallocSize = 1 << 16; // 64K 52static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 53static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 54 55static const char *kAsanModuleCtorName = "asan.module_ctor"; 56static const char *kAsanModuleDtorName = "asan.module_dtor"; 57static const int kAsanCtorAndCtorPriority = 1; 58static const char *kAsanReportErrorTemplate = "__asan_report_"; 59static const char *kAsanRegisterGlobalsName = "__asan_register_globals"; 60static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals"; 61static const char *kAsanInitName = "__asan_init"; 62static const char *kAsanHandleNoReturnName = "__asan_handle_no_return"; 63static const char *kAsanMappingOffsetName = "__asan_mapping_offset"; 64static const char *kAsanMappingScaleName = "__asan_mapping_scale"; 65static const char *kAsanStackMallocName = "__asan_stack_malloc"; 66static const char *kAsanStackFreeName = "__asan_stack_free"; 67 68static const int kAsanStackLeftRedzoneMagic = 0xf1; 69static const int kAsanStackMidRedzoneMagic = 0xf2; 70static const int kAsanStackRightRedzoneMagic = 0xf3; 71static const int kAsanStackPartialRedzoneMagic = 0xf4; 72 73// Command-line flags. 74 75// This flag may need to be replaced with -f[no-]asan-reads. 76static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 77 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 78static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 79 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 80// This flag may need to be replaced with -f[no]asan-stack. 81static cl::opt<bool> ClStack("asan-stack", 82 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 83// This flag may need to be replaced with -f[no]asan-use-after-return. 84static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 85 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 86// This flag may need to be replaced with -f[no]asan-globals. 87static cl::opt<bool> ClGlobals("asan-globals", 88 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 89static cl::opt<bool> ClMemIntrin("asan-memintrin", 90 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 91// This flag may need to be replaced with -fasan-blacklist. 92static cl::opt<std::string> ClBlackListFile("asan-blacklist", 93 cl::desc("File containing the list of functions to ignore " 94 "during instrumentation"), cl::Hidden); 95 96// These flags allow to change the shadow mapping. 97// The shadow mapping looks like 98// Shadow = (Mem >> scale) + (1 << offset_log) 99static cl::opt<int> ClMappingScale("asan-mapping-scale", 100 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 101static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 102 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 103 104// Optimization flags. Not user visible, used mostly for testing 105// and benchmarking the tool. 106static cl::opt<bool> ClOpt("asan-opt", 107 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 108static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 109 cl::desc("Instrument the same temp just once"), cl::Hidden, 110 cl::init(true)); 111static cl::opt<bool> ClOptGlobals("asan-opt-globals", 112 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 113 114// Debug flags. 115static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 116 cl::init(0)); 117static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 118 cl::Hidden, cl::init(0)); 119static cl::opt<std::string> ClDebugFunc("asan-debug-func", 120 cl::Hidden, cl::desc("Debug func")); 121static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 122 cl::Hidden, cl::init(-1)); 123static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 124 cl::Hidden, cl::init(-1)); 125 126namespace { 127 128/// AddressSanitizer: instrument the code in module to find memory bugs. 129struct AddressSanitizer : public ModulePass { 130 AddressSanitizer(); 131 virtual const char *getPassName() const; 132 void instrumentMop(Instruction *I); 133 void instrumentAddress(Instruction *OrigIns, IRBuilder<> &IRB, 134 Value *Addr, uint32_t TypeSize, bool IsWrite); 135 Instruction *generateCrashCode(IRBuilder<> &IRB, Value *Addr, 136 bool IsWrite, uint32_t TypeSize); 137 bool instrumentMemIntrinsic(MemIntrinsic *MI); 138 void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr, 139 Value *Size, 140 Instruction *InsertBefore, bool IsWrite); 141 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 142 bool handleFunction(Module &M, Function &F); 143 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 144 bool poisonStackInFunction(Module &M, Function &F); 145 virtual bool runOnModule(Module &M); 146 bool insertGlobalRedzones(Module &M); 147 BranchInst *splitBlockAndInsertIfThen(Instruction *SplitBefore, Value *Cmp); 148 static char ID; // Pass identification, replacement for typeid 149 150 private: 151 152 uint64_t getAllocaSizeInBytes(AllocaInst *AI) { 153 Type *Ty = AI->getAllocatedType(); 154 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 155 return SizeInBytes; 156 } 157 uint64_t getAlignedSize(uint64_t SizeInBytes) { 158 return ((SizeInBytes + RedzoneSize - 1) 159 / RedzoneSize) * RedzoneSize; 160 } 161 uint64_t getAlignedAllocaSize(AllocaInst *AI) { 162 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 163 return getAlignedSize(SizeInBytes); 164 } 165 166 void PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, 167 Value *ShadowBase, bool DoPoison); 168 bool LooksLikeCodeInBug11395(Instruction *I); 169 170 Module *CurrentModule; 171 LLVMContext *C; 172 TargetData *TD; 173 uint64_t MappingOffset; 174 int MappingScale; 175 size_t RedzoneSize; 176 int LongSize; 177 Type *IntptrTy; 178 Type *IntptrPtrTy; 179 Function *AsanCtorFunction; 180 Function *AsanInitFunction; 181 Instruction *CtorInsertBefore; 182 OwningPtr<FunctionBlackList> BL; 183}; 184} // namespace 185 186char AddressSanitizer::ID = 0; 187INITIALIZE_PASS(AddressSanitizer, "asan", 188 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", 189 false, false) 190AddressSanitizer::AddressSanitizer() : ModulePass(ID) { } 191ModulePass *llvm::createAddressSanitizerPass() { 192 return new AddressSanitizer(); 193} 194 195const char *AddressSanitizer::getPassName() const { 196 return "AddressSanitizer"; 197} 198 199// Create a constant for Str so that we can pass it to the run-time lib. 200static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 201 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 202 return new GlobalVariable(M, StrConst->getType(), true, 203 GlobalValue::PrivateLinkage, StrConst, ""); 204} 205 206// Split the basic block and insert an if-then code. 207// Before: 208// Head 209// SplitBefore 210// Tail 211// After: 212// Head 213// if (Cmp) 214// NewBasicBlock 215// SplitBefore 216// Tail 217// 218// Returns the NewBasicBlock's terminator. 219BranchInst *AddressSanitizer::splitBlockAndInsertIfThen( 220 Instruction *SplitBefore, Value *Cmp) { 221 BasicBlock *Head = SplitBefore->getParent(); 222 BasicBlock *Tail = Head->splitBasicBlock(SplitBefore); 223 TerminatorInst *HeadOldTerm = Head->getTerminator(); 224 BasicBlock *NewBasicBlock = 225 BasicBlock::Create(*C, "", Head->getParent()); 226 BranchInst *HeadNewTerm = BranchInst::Create(/*ifTrue*/NewBasicBlock, 227 /*ifFalse*/Tail, 228 Cmp); 229 ReplaceInstWithInst(HeadOldTerm, HeadNewTerm); 230 231 BranchInst *CheckTerm = BranchInst::Create(Tail, NewBasicBlock); 232 return CheckTerm; 233} 234 235Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 236 // Shadow >> scale 237 Shadow = IRB.CreateLShr(Shadow, MappingScale); 238 if (MappingOffset == 0) 239 return Shadow; 240 // (Shadow >> scale) | offset 241 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, 242 MappingOffset)); 243} 244 245void AddressSanitizer::instrumentMemIntrinsicParam(Instruction *OrigIns, 246 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 247 // Check the first byte. 248 { 249 IRBuilder<> IRB(InsertBefore); 250 instrumentAddress(OrigIns, IRB, Addr, 8, IsWrite); 251 } 252 // Check the last byte. 253 { 254 IRBuilder<> IRB(InsertBefore); 255 Value *SizeMinusOne = IRB.CreateSub( 256 Size, ConstantInt::get(Size->getType(), 1)); 257 SizeMinusOne = IRB.CreateIntCast(SizeMinusOne, IntptrTy, false); 258 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 259 Value *AddrPlusSizeMinisOne = IRB.CreateAdd(AddrLong, SizeMinusOne); 260 instrumentAddress(OrigIns, IRB, AddrPlusSizeMinisOne, 8, IsWrite); 261 } 262} 263 264// Instrument memset/memmove/memcpy 265bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 266 Value *Dst = MI->getDest(); 267 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 268 Value *Src = MemTran ? MemTran->getSource() : NULL; 269 Value *Length = MI->getLength(); 270 271 Constant *ConstLength = dyn_cast<Constant>(Length); 272 Instruction *InsertBefore = MI; 273 if (ConstLength) { 274 if (ConstLength->isNullValue()) return false; 275 } else { 276 // The size is not a constant so it could be zero -- check at run-time. 277 IRBuilder<> IRB(InsertBefore); 278 279 Value *Cmp = IRB.CreateICmpNE(Length, 280 Constant::getNullValue(Length->getType())); 281 InsertBefore = splitBlockAndInsertIfThen(InsertBefore, Cmp); 282 } 283 284 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 285 if (Src) 286 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 287 return true; 288} 289 290static Value *getLDSTOperand(Instruction *I) { 291 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 292 return LI->getPointerOperand(); 293 } 294 return cast<StoreInst>(*I).getPointerOperand(); 295} 296 297void AddressSanitizer::instrumentMop(Instruction *I) { 298 int IsWrite = isa<StoreInst>(*I); 299 Value *Addr = getLDSTOperand(I); 300 if (ClOpt && ClOptGlobals && isa<GlobalVariable>(Addr)) { 301 // We are accessing a global scalar variable. Nothing to catch here. 302 return; 303 } 304 Type *OrigPtrTy = Addr->getType(); 305 Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType(); 306 307 assert(OrigTy->isSized()); 308 uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy); 309 310 if (TypeSize != 8 && TypeSize != 16 && 311 TypeSize != 32 && TypeSize != 64 && TypeSize != 128) { 312 // Ignore all unusual sizes. 313 return; 314 } 315 316 IRBuilder<> IRB(I); 317 instrumentAddress(I, IRB, Addr, TypeSize, IsWrite); 318} 319 320Instruction *AddressSanitizer::generateCrashCode( 321 IRBuilder<> &IRB, Value *Addr, bool IsWrite, uint32_t TypeSize) { 322 // IsWrite and TypeSize are encoded in the function name. 323 std::string FunctionName = std::string(kAsanReportErrorTemplate) + 324 (IsWrite ? "store" : "load") + itostr(TypeSize / 8); 325 Value *ReportWarningFunc = CurrentModule->getOrInsertFunction( 326 FunctionName, IRB.getVoidTy(), IntptrTy, NULL); 327 CallInst *Call = IRB.CreateCall(ReportWarningFunc, Addr); 328 Call->setDoesNotReturn(); 329 return Call; 330} 331 332void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 333 IRBuilder<> &IRB, Value *Addr, 334 uint32_t TypeSize, bool IsWrite) { 335 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 336 337 Type *ShadowTy = IntegerType::get( 338 *C, std::max(8U, TypeSize >> MappingScale)); 339 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 340 Value *ShadowPtr = memToShadow(AddrLong, IRB); 341 Value *CmpVal = Constant::getNullValue(ShadowTy); 342 Value *ShadowValue = IRB.CreateLoad( 343 IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 344 345 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 346 347 Instruction *CheckTerm = splitBlockAndInsertIfThen( 348 cast<Instruction>(Cmp)->getNextNode(), Cmp); 349 IRBuilder<> IRB2(CheckTerm); 350 351 size_t Granularity = 1 << MappingScale; 352 if (TypeSize < 8 * Granularity) { 353 // Addr & (Granularity - 1) 354 Value *Lower3Bits = IRB2.CreateAnd( 355 AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 356 // (Addr & (Granularity - 1)) + size - 1 357 Value *LastAccessedByte = IRB2.CreateAdd( 358 Lower3Bits, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 359 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 360 LastAccessedByte = IRB2.CreateIntCast( 361 LastAccessedByte, IRB.getInt8Ty(), false); 362 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 363 Value *Cmp2 = IRB2.CreateICmpSGE(LastAccessedByte, ShadowValue); 364 365 CheckTerm = splitBlockAndInsertIfThen(CheckTerm, Cmp2); 366 } 367 368 IRBuilder<> IRB1(CheckTerm); 369 Instruction *Crash = generateCrashCode(IRB1, AddrLong, IsWrite, TypeSize); 370 Crash->setDebugLoc(OrigIns->getDebugLoc()); 371 ReplaceInstWithInst(CheckTerm, new UnreachableInst(*C)); 372} 373 374// This function replaces all global variables with new variables that have 375// trailing redzones. It also creates a function that poisons 376// redzones and inserts this function into llvm.global_ctors. 377bool AddressSanitizer::insertGlobalRedzones(Module &M) { 378 SmallVector<GlobalVariable *, 16> GlobalsToChange; 379 380 for (Module::GlobalListType::iterator G = M.getGlobalList().begin(), 381 E = M.getGlobalList().end(); G != E; ++G) { 382 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 383 DEBUG(dbgs() << "GLOBAL: " << *G); 384 385 if (!Ty->isSized()) continue; 386 if (!G->hasInitializer()) continue; 387 // Touch only those globals that will not be defined in other modules. 388 // Don't handle ODR type linkages since other modules may be built w/o asan. 389 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 390 G->getLinkage() != GlobalVariable::PrivateLinkage && 391 G->getLinkage() != GlobalVariable::InternalLinkage) 392 continue; 393 // Two problems with thread-locals: 394 // - The address of the main thread's copy can't be computed at link-time. 395 // - Need to poison all copies, not just the main thread's one. 396 if (G->isThreadLocal()) 397 continue; 398 // For now, just ignore this Alloca if the alignment is large. 399 if (G->getAlignment() > RedzoneSize) continue; 400 401 // Ignore all the globals with the names starting with "\01L_OBJC_". 402 // Many of those are put into the .cstring section. The linker compresses 403 // that section by removing the spare \0s after the string terminator, so 404 // our redzones get broken. 405 if ((G->getName().find("\01L_OBJC_") == 0) || 406 (G->getName().find("\01l_OBJC_") == 0)) { 407 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 408 continue; 409 } 410 411 if (G->hasSection()) { 412 StringRef Section(G->getSection()); 413 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 414 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 415 // them. 416 if ((Section.find("__OBJC,") == 0) || 417 (Section.find("__DATA, __objc_") == 0)) { 418 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 419 continue; 420 } 421 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 422 // Constant CFString instances are compiled in the following way: 423 // -- the string buffer is emitted into 424 // __TEXT,__cstring,cstring_literals 425 // -- the constant NSConstantString structure referencing that buffer 426 // is placed into __DATA,__cfstring 427 // Therefore there's no point in placing redzones into __DATA,__cfstring. 428 // Moreover, it causes the linker to crash on OS X 10.7 429 if (Section.find("__DATA,__cfstring") == 0) { 430 DEBUG(dbgs() << "Ignoring CFString: " << *G); 431 continue; 432 } 433 } 434 435 GlobalsToChange.push_back(G); 436 } 437 438 size_t n = GlobalsToChange.size(); 439 if (n == 0) return false; 440 441 // A global is described by a structure 442 // size_t beg; 443 // size_t size; 444 // size_t size_with_redzone; 445 // const char *name; 446 // We initialize an array of such structures and pass it to a run-time call. 447 StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy, 448 IntptrTy, IntptrTy, NULL); 449 SmallVector<Constant *, 16> Initializers(n); 450 451 IRBuilder<> IRB(CtorInsertBefore); 452 453 for (size_t i = 0; i < n; i++) { 454 GlobalVariable *G = GlobalsToChange[i]; 455 PointerType *PtrTy = cast<PointerType>(G->getType()); 456 Type *Ty = PtrTy->getElementType(); 457 uint64_t SizeInBytes = TD->getTypeStoreSizeInBits(Ty) / 8; 458 uint64_t RightRedzoneSize = RedzoneSize + 459 (RedzoneSize - (SizeInBytes % RedzoneSize)); 460 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 461 462 StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL); 463 Constant *NewInitializer = ConstantStruct::get( 464 NewTy, G->getInitializer(), 465 Constant::getNullValue(RightRedZoneTy), NULL); 466 467 SmallString<2048> DescriptionOfGlobal = G->getName(); 468 DescriptionOfGlobal += " ("; 469 DescriptionOfGlobal += M.getModuleIdentifier(); 470 DescriptionOfGlobal += ")"; 471 GlobalVariable *Name = createPrivateGlobalForString(M, DescriptionOfGlobal); 472 473 // Create a new global variable with enough space for a redzone. 474 GlobalVariable *NewGlobal = new GlobalVariable( 475 M, NewTy, G->isConstant(), G->getLinkage(), 476 NewInitializer, "", G, G->isThreadLocal()); 477 NewGlobal->copyAttributesFrom(G); 478 NewGlobal->setAlignment(RedzoneSize); 479 480 Value *Indices2[2]; 481 Indices2[0] = IRB.getInt32(0); 482 Indices2[1] = IRB.getInt32(0); 483 484 G->replaceAllUsesWith( 485 ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true)); 486 NewGlobal->takeName(G); 487 G->eraseFromParent(); 488 489 Initializers[i] = ConstantStruct::get( 490 GlobalStructTy, 491 ConstantExpr::getPointerCast(NewGlobal, IntptrTy), 492 ConstantInt::get(IntptrTy, SizeInBytes), 493 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 494 ConstantExpr::getPointerCast(Name, IntptrTy), 495 NULL); 496 DEBUG(dbgs() << "NEW GLOBAL:\n" << *NewGlobal); 497 } 498 499 ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); 500 GlobalVariable *AllGlobals = new GlobalVariable( 501 M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage, 502 ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); 503 504 Function *AsanRegisterGlobals = cast<Function>(M.getOrInsertFunction( 505 kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 506 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 507 508 IRB.CreateCall2(AsanRegisterGlobals, 509 IRB.CreatePointerCast(AllGlobals, IntptrTy), 510 ConstantInt::get(IntptrTy, n)); 511 512 // We also need to unregister globals at the end, e.g. when a shared library 513 // gets closed. 514 Function *AsanDtorFunction = Function::Create( 515 FunctionType::get(Type::getVoidTy(*C), false), 516 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 517 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 518 IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); 519 Function *AsanUnregisterGlobals = cast<Function>(M.getOrInsertFunction( 520 kAsanUnregisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 521 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 522 523 IRB_Dtor.CreateCall2(AsanUnregisterGlobals, 524 IRB.CreatePointerCast(AllGlobals, IntptrTy), 525 ConstantInt::get(IntptrTy, n)); 526 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority); 527 528 DEBUG(dbgs() << M); 529 return true; 530} 531 532// virtual 533bool AddressSanitizer::runOnModule(Module &M) { 534 // Initialize the private fields. No one has accessed them before. 535 TD = getAnalysisIfAvailable<TargetData>(); 536 if (!TD) 537 return false; 538 BL.reset(new FunctionBlackList(ClBlackListFile)); 539 540 CurrentModule = &M; 541 C = &(M.getContext()); 542 LongSize = TD->getPointerSizeInBits(); 543 IntptrTy = Type::getIntNTy(*C, LongSize); 544 IntptrPtrTy = PointerType::get(IntptrTy, 0); 545 546 AsanCtorFunction = Function::Create( 547 FunctionType::get(Type::getVoidTy(*C), false), 548 GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); 549 BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); 550 CtorInsertBefore = ReturnInst::Create(*C, AsanCtorBB); 551 552 // call __asan_init in the module ctor. 553 IRBuilder<> IRB(CtorInsertBefore); 554 AsanInitFunction = cast<Function>( 555 M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL)); 556 AsanInitFunction->setLinkage(Function::ExternalLinkage); 557 IRB.CreateCall(AsanInitFunction); 558 559 MappingOffset = LongSize == 32 560 ? kDefaultShadowOffset32 : kDefaultShadowOffset64; 561 if (ClMappingOffsetLog >= 0) { 562 if (ClMappingOffsetLog == 0) { 563 // special case 564 MappingOffset = 0; 565 } else { 566 MappingOffset = 1ULL << ClMappingOffsetLog; 567 } 568 } 569 MappingScale = kDefaultShadowScale; 570 if (ClMappingScale) { 571 MappingScale = ClMappingScale; 572 } 573 // Redzone used for stack and globals is at least 32 bytes. 574 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 575 RedzoneSize = std::max(32, (int)(1 << MappingScale)); 576 577 bool Res = false; 578 579 if (ClGlobals) 580 Res |= insertGlobalRedzones(M); 581 582 // Tell the run-time the current values of mapping offset and scale. 583 GlobalValue *asan_mapping_offset = 584 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 585 ConstantInt::get(IntptrTy, MappingOffset), 586 kAsanMappingOffsetName); 587 GlobalValue *asan_mapping_scale = 588 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 589 ConstantInt::get(IntptrTy, MappingScale), 590 kAsanMappingScaleName); 591 // Read these globals, otherwise they may be optimized away. 592 IRB.CreateLoad(asan_mapping_scale, true); 593 IRB.CreateLoad(asan_mapping_offset, true); 594 595 596 for (Module::iterator F = M.begin(), E = M.end(); F != E; ++F) { 597 if (F->isDeclaration()) continue; 598 Res |= handleFunction(M, *F); 599 } 600 601 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority); 602 603 return Res; 604} 605 606bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 607 // For each NSObject descendant having a +load method, this method is invoked 608 // by the ObjC runtime before any of the static constructors is called. 609 // Therefore we need to instrument such methods with a call to __asan_init 610 // at the beginning in order to initialize our runtime before any access to 611 // the shadow memory. 612 // We cannot just ignore these methods, because they may call other 613 // instrumented functions. 614 if (F.getName().find(" load]") != std::string::npos) { 615 IRBuilder<> IRB(F.begin()->begin()); 616 IRB.CreateCall(AsanInitFunction); 617 return true; 618 } 619 return false; 620} 621 622bool AddressSanitizer::handleFunction(Module &M, Function &F) { 623 if (BL->isIn(F)) return false; 624 if (&F == AsanCtorFunction) return false; 625 626 // If needed, insert __asan_init before checking for AddressSafety attr. 627 maybeInsertAsanInitAtFunctionEntry(F); 628 629 if (!F.hasFnAttr(Attribute::AddressSafety)) return false; 630 631 if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) 632 return false; 633 // We want to instrument every address only once per basic block 634 // (unless there are calls between uses). 635 SmallSet<Value*, 16> TempsToInstrument; 636 SmallVector<Instruction*, 16> ToInstrument; 637 SmallVector<Instruction*, 8> NoReturnCalls; 638 639 // Fill the set of memory operations to instrument. 640 for (Function::iterator FI = F.begin(), FE = F.end(); 641 FI != FE; ++FI) { 642 TempsToInstrument.clear(); 643 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 644 BI != BE; ++BI) { 645 if (LooksLikeCodeInBug11395(BI)) return false; 646 if ((isa<LoadInst>(BI) && ClInstrumentReads) || 647 (isa<StoreInst>(BI) && ClInstrumentWrites)) { 648 Value *Addr = getLDSTOperand(BI); 649 if (ClOpt && ClOptSameTemp) { 650 if (!TempsToInstrument.insert(Addr)) 651 continue; // We've seen this temp in the current BB. 652 } 653 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 654 // ok, take it. 655 } else { 656 if (CallInst *CI = dyn_cast<CallInst>(BI)) { 657 // A call inside BB. 658 TempsToInstrument.clear(); 659 if (CI->doesNotReturn()) { 660 NoReturnCalls.push_back(CI); 661 } 662 } 663 continue; 664 } 665 ToInstrument.push_back(BI); 666 } 667 } 668 669 // Instrument. 670 int NumInstrumented = 0; 671 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 672 Instruction *Inst = ToInstrument[i]; 673 if (ClDebugMin < 0 || ClDebugMax < 0 || 674 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 675 if (isa<StoreInst>(Inst) || isa<LoadInst>(Inst)) 676 instrumentMop(Inst); 677 else 678 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 679 } 680 NumInstrumented++; 681 } 682 683 DEBUG(dbgs() << F); 684 685 bool ChangedStack = poisonStackInFunction(M, F); 686 687 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 688 // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37 689 for (size_t i = 0, n = NoReturnCalls.size(); i != n; i++) { 690 Instruction *CI = NoReturnCalls[i]; 691 IRBuilder<> IRB(CI); 692 IRB.CreateCall(M.getOrInsertFunction(kAsanHandleNoReturnName, 693 IRB.getVoidTy(), NULL)); 694 } 695 696 return NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); 697} 698 699static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 700 if (ShadowRedzoneSize == 1) return PoisonByte; 701 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 702 if (ShadowRedzoneSize == 4) 703 return (PoisonByte << 24) + (PoisonByte << 16) + 704 (PoisonByte << 8) + (PoisonByte); 705 llvm_unreachable("ShadowRedzoneSize is either 1, 2 or 4"); 706} 707 708static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 709 size_t Size, 710 size_t RedzoneSize, 711 size_t ShadowGranularity, 712 uint8_t Magic) { 713 for (size_t i = 0; i < RedzoneSize; 714 i+= ShadowGranularity, Shadow++) { 715 if (i + ShadowGranularity <= Size) { 716 *Shadow = 0; // fully addressable 717 } else if (i >= Size) { 718 *Shadow = Magic; // unaddressable 719 } else { 720 *Shadow = Size - i; // first Size-i bytes are addressable 721 } 722 } 723} 724 725void AddressSanitizer::PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, 726 IRBuilder<> IRB, 727 Value *ShadowBase, bool DoPoison) { 728 size_t ShadowRZSize = RedzoneSize >> MappingScale; 729 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 730 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 731 Type *RZPtrTy = PointerType::get(RZTy, 0); 732 733 Value *PoisonLeft = ConstantInt::get(RZTy, 734 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 735 Value *PoisonMid = ConstantInt::get(RZTy, 736 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 737 Value *PoisonRight = ConstantInt::get(RZTy, 738 ValueForPoison(DoPoison ? kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 739 740 // poison the first red zone. 741 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 742 743 // poison all other red zones. 744 uint64_t Pos = RedzoneSize; 745 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 746 AllocaInst *AI = AllocaVec[i]; 747 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 748 uint64_t AlignedSize = getAlignedAllocaSize(AI); 749 assert(AlignedSize - SizeInBytes < RedzoneSize); 750 Value *Ptr = NULL; 751 752 Pos += AlignedSize; 753 754 assert(ShadowBase->getType() == IntptrTy); 755 if (SizeInBytes < AlignedSize) { 756 // Poison the partial redzone at right 757 Ptr = IRB.CreateAdd( 758 ShadowBase, ConstantInt::get(IntptrTy, 759 (Pos >> MappingScale) - ShadowRZSize)); 760 size_t AddressableBytes = RedzoneSize - (AlignedSize - SizeInBytes); 761 uint32_t Poison = 0; 762 if (DoPoison) { 763 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 764 RedzoneSize, 765 1ULL << MappingScale, 766 kAsanStackPartialRedzoneMagic); 767 } 768 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 769 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 770 } 771 772 // Poison the full redzone at right. 773 Ptr = IRB.CreateAdd(ShadowBase, 774 ConstantInt::get(IntptrTy, Pos >> MappingScale)); 775 Value *Poison = i == AllocaVec.size() - 1 ? PoisonRight : PoisonMid; 776 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 777 778 Pos += RedzoneSize; 779 } 780} 781 782// Workaround for bug 11395: we don't want to instrument stack in functions 783// with large assembly blobs (32-bit only), otherwise reg alloc may crash. 784// FIXME: remove once the bug 11395 is fixed. 785bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 786 if (LongSize != 32) return false; 787 CallInst *CI = dyn_cast<CallInst>(I); 788 if (!CI || !CI->isInlineAsm()) return false; 789 if (CI->getNumArgOperands() <= 5) return false; 790 // We have inline assembly with quite a few arguments. 791 return true; 792} 793 794// Find all static Alloca instructions and put 795// poisoned red zones around all of them. 796// Then unpoison everything back before the function returns. 797// 798// Stack poisoning does not play well with exception handling. 799// When an exception is thrown, we essentially bypass the code 800// that unpoisones the stack. This is why the run-time library has 801// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 802// stack in the interceptor. This however does not work inside the 803// actual function which catches the exception. Most likely because the 804// compiler hoists the load of the shadow value somewhere too high. 805// This causes asan to report a non-existing bug on 453.povray. 806// It sounds like an LLVM bug. 807bool AddressSanitizer::poisonStackInFunction(Module &M, Function &F) { 808 if (!ClStack) return false; 809 SmallVector<AllocaInst*, 16> AllocaVec; 810 SmallVector<Instruction*, 8> RetVec; 811 uint64_t TotalSize = 0; 812 813 // Filter out Alloca instructions we want (and can) handle. 814 // Collect Ret instructions. 815 for (Function::iterator FI = F.begin(), FE = F.end(); 816 FI != FE; ++FI) { 817 BasicBlock &BB = *FI; 818 for (BasicBlock::iterator BI = BB.begin(), BE = BB.end(); 819 BI != BE; ++BI) { 820 if (isa<ReturnInst>(BI)) { 821 RetVec.push_back(BI); 822 continue; 823 } 824 825 AllocaInst *AI = dyn_cast<AllocaInst>(BI); 826 if (!AI) continue; 827 if (AI->isArrayAllocation()) continue; 828 if (!AI->isStaticAlloca()) continue; 829 if (!AI->getAllocatedType()->isSized()) continue; 830 if (AI->getAlignment() > RedzoneSize) continue; 831 AllocaVec.push_back(AI); 832 uint64_t AlignedSize = getAlignedAllocaSize(AI); 833 TotalSize += AlignedSize; 834 } 835 } 836 837 if (AllocaVec.empty()) return false; 838 839 uint64_t LocalStackSize = TotalSize + (AllocaVec.size() + 1) * RedzoneSize; 840 841 bool DoStackMalloc = ClUseAfterReturn 842 && LocalStackSize <= kMaxStackMallocSize; 843 844 Instruction *InsBefore = AllocaVec[0]; 845 IRBuilder<> IRB(InsBefore); 846 847 848 Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); 849 AllocaInst *MyAlloca = 850 new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore); 851 MyAlloca->setAlignment(RedzoneSize); 852 assert(MyAlloca->isStaticAlloca()); 853 Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy); 854 Value *LocalStackBase = OrigStackBase; 855 856 if (DoStackMalloc) { 857 Value *AsanStackMallocFunc = M.getOrInsertFunction( 858 kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL); 859 LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc, 860 ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); 861 } 862 863 // This string will be parsed by the run-time (DescribeStackAddress). 864 SmallString<2048> StackDescriptionStorage; 865 raw_svector_ostream StackDescription(StackDescriptionStorage); 866 StackDescription << F.getName() << " " << AllocaVec.size() << " "; 867 868 uint64_t Pos = RedzoneSize; 869 // Replace Alloca instructions with base+offset. 870 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 871 AllocaInst *AI = AllocaVec[i]; 872 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 873 StringRef Name = AI->getName(); 874 StackDescription << Pos << " " << SizeInBytes << " " 875 << Name.size() << " " << Name << " "; 876 uint64_t AlignedSize = getAlignedAllocaSize(AI); 877 assert((AlignedSize % RedzoneSize) == 0); 878 AI->replaceAllUsesWith( 879 IRB.CreateIntToPtr( 880 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)), 881 AI->getType())); 882 Pos += AlignedSize + RedzoneSize; 883 } 884 assert(Pos == LocalStackSize); 885 886 // Write the Magic value and the frame description constant to the redzone. 887 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 888 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 889 BasePlus0); 890 Value *BasePlus1 = IRB.CreateAdd(LocalStackBase, 891 ConstantInt::get(IntptrTy, LongSize/8)); 892 BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy); 893 Value *Description = IRB.CreatePointerCast( 894 createPrivateGlobalForString(M, StackDescription.str()), 895 IntptrTy); 896 IRB.CreateStore(Description, BasePlus1); 897 898 // Poison the stack redzones at the entry. 899 Value *ShadowBase = memToShadow(LocalStackBase, IRB); 900 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRB, ShadowBase, true); 901 902 Value *AsanStackFreeFunc = NULL; 903 if (DoStackMalloc) { 904 AsanStackFreeFunc = M.getOrInsertFunction( 905 kAsanStackFreeName, IRB.getVoidTy(), 906 IntptrTy, IntptrTy, IntptrTy, NULL); 907 } 908 909 // Unpoison the stack before all ret instructions. 910 for (size_t i = 0, n = RetVec.size(); i < n; i++) { 911 Instruction *Ret = RetVec[i]; 912 IRBuilder<> IRBRet(Ret); 913 914 // Mark the current frame as retired. 915 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 916 BasePlus0); 917 // Unpoison the stack. 918 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRBRet, ShadowBase, false); 919 920 if (DoStackMalloc) { 921 IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase, 922 ConstantInt::get(IntptrTy, LocalStackSize), 923 OrigStackBase); 924 } 925 } 926 927 if (ClDebugStack) { 928 DEBUG(dbgs() << F); 929 } 930 931 return true; 932} 933