AddressSanitizer.cpp revision b9a12ea0fd92bfdb4c6eb5af333648a618f68686
//===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file is a part of AddressSanitizer, an address sanity checker.
// Details of the algorithm:
// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
//
//===----------------------------------------------------------------------===//

#define DEBUG_TYPE "asan"

#include "BlackList.h"
#include "llvm/Function.h"
#include "llvm/IRBuilder.h"
#include "llvm/InlineAsm.h"
#include "llvm/IntrinsicInst.h"
#include "llvm/LLVMContext.h"
#include "llvm/Module.h"
#include "llvm/Type.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/OwningPtr.h"
#include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/Triple.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/DataTypes.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Support/system_error.h"
#include "llvm/DataLayout.h"
#include "llvm/Target/TargetMachine.h"
#include "llvm/Transforms/Instrumentation.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"

#include <string>
#include <algorithm>

using namespace llvm;

// Default parameters of the shadow mapping: Shadow = (Mem >> Scale) + Offset.
static const uint64_t kDefaultShadowScale = 3;
static const uint64_t kDefaultShadowOffset32 = 1ULL << 29;
static const uint64_t kDefaultShadowOffset64 = 1ULL << 44;
static const uint64_t kDefaultShadowOffsetAndroid = 0;

static const size_t kMaxStackMallocSize = 1 << 16;  // 64K
// Magic tags written into the first word of an instrumented ("fake") stack
// frame so the run-time can tell a live frame from a retired one.
static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3;
static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E;

// Names of the generated module ctor/dtor and of the run-time library
// entry points this pass emits calls to.
static const char *kAsanModuleCtorName = "asan.module_ctor";
static const char *kAsanModuleDtorName = "asan.module_dtor";
static const int kAsanCtorAndCtorPriority = 1;
static const char *kAsanReportErrorTemplate = "__asan_report_";
static const char *kAsanRegisterGlobalsName = "__asan_register_globals";
static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals";
static const char *kAsanPoisonGlobalsName = "__asan_before_dynamic_init";
static const char *kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init";
static const char *kAsanInitName = "__asan_init";
static const char *kAsanHandleNoReturnName = "__asan_handle_no_return";
static const char *kAsanMappingOffsetName = "__asan_mapping_offset";
static const char *kAsanMappingScaleName = "__asan_mapping_scale";
static const char *kAsanStackMallocName = "__asan_stack_malloc";
static const char *kAsanStackFreeName = "__asan_stack_free";
static const char *kAsanGenPrefix = "__asan_gen_";

// Shadow byte values used to poison the different parts of a stack frame.
static const int kAsanStackLeftRedzoneMagic = 0xf1;
static const int kAsanStackMidRedzoneMagic = 0xf2;
static const int kAsanStackRightRedzoneMagic = 0xf3;
static const int kAsanStackPartialRedzoneMagic = 0xf4;

// Accesses sizes are powers of two: 1, 2, 4, 8, 16.
static const size_t kNumberOfAccessSizes = 5;

// Command-line flags.

// This flag may need to be replaced with -f[no-]asan-reads.
85static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 86 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 87static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 88 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 89static cl::opt<bool> ClInstrumentAtomics("asan-instrument-atomics", 90 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), 91 cl::Hidden, cl::init(true)); 92static cl::opt<bool> ClAlwaysSlowPath("asan-always-slow-path", 93 cl::desc("use instrumentation with slow path for all accesses"), 94 cl::Hidden, cl::init(false)); 95// This flag limits the number of instructions to be instrumented 96// in any given BB. Normally, this should be set to unlimited (INT_MAX), 97// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary 98// set it to 10000. 99static cl::opt<int> ClMaxInsnsToInstrumentPerBB("asan-max-ins-per-bb", 100 cl::init(10000), 101 cl::desc("maximal number of instructions to instrument in any given BB"), 102 cl::Hidden); 103// This flag may need to be replaced with -f[no]asan-stack. 104static cl::opt<bool> ClStack("asan-stack", 105 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 106// This flag may need to be replaced with -f[no]asan-use-after-return. 107static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 108 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 109// This flag may need to be replaced with -f[no]asan-globals. 110static cl::opt<bool> ClGlobals("asan-globals", 111 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 112static cl::opt<bool> ClInitializers("asan-initialization-order", 113 cl::desc("Handle C++ initializer order"), cl::Hidden, cl::init(false)); 114static cl::opt<bool> ClMemIntrin("asan-memintrin", 115 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 116// This flag may need to be replaced with -fasan-blacklist. 
117static cl::opt<std::string> ClBlackListFile("asan-blacklist", 118 cl::desc("File containing the list of functions to ignore " 119 "during instrumentation"), cl::Hidden); 120 121// These flags allow to change the shadow mapping. 122// The shadow mapping looks like 123// Shadow = (Mem >> scale) + (1 << offset_log) 124static cl::opt<int> ClMappingScale("asan-mapping-scale", 125 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 126static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 127 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 128 129// Optimization flags. Not user visible, used mostly for testing 130// and benchmarking the tool. 131static cl::opt<bool> ClOpt("asan-opt", 132 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 133static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 134 cl::desc("Instrument the same temp just once"), cl::Hidden, 135 cl::init(true)); 136static cl::opt<bool> ClOptGlobals("asan-opt-globals", 137 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 138 139// Debug flags. 140static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 141 cl::init(0)); 142static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 143 cl::Hidden, cl::init(0)); 144static cl::opt<std::string> ClDebugFunc("asan-debug-func", 145 cl::Hidden, cl::desc("Debug func")); 146static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 147 cl::Hidden, cl::init(-1)); 148static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 149 cl::Hidden, cl::init(-1)); 150 151namespace { 152/// A set of dynamically initialized globals extracted from metadata. 153class SetOfDynamicallyInitializedGlobals { 154 public: 155 void Init(Module& M) { 156 // Clang generates metadata identifying all dynamically initialized globals. 
157 NamedMDNode *DynamicGlobals = 158 M.getNamedMetadata("llvm.asan.dynamically_initialized_globals"); 159 if (!DynamicGlobals) 160 return; 161 for (int i = 0, n = DynamicGlobals->getNumOperands(); i < n; ++i) { 162 MDNode *MDN = DynamicGlobals->getOperand(i); 163 assert(MDN->getNumOperands() == 1); 164 Value *VG = MDN->getOperand(0); 165 // The optimizer may optimize away a global entirely, in which case we 166 // cannot instrument access to it. 167 if (!VG) 168 continue; 169 DynInitGlobals.insert(cast<GlobalVariable>(VG)); 170 } 171 } 172 bool Contains(GlobalVariable *G) { return DynInitGlobals.count(G) != 0; } 173 private: 174 SmallSet<GlobalValue*, 32> DynInitGlobals; 175}; 176 177static int MappingScale() { 178 return ClMappingScale ? ClMappingScale : kDefaultShadowScale; 179} 180 181static size_t RedzoneSize() { 182 // Redzone used for stack and globals is at least 32 bytes. 183 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 184 return std::max(32U, 1U << MappingScale()); 185} 186 187/// AddressSanitizer: instrument the code in module to find memory bugs. 
struct AddressSanitizer : public FunctionPass {
  AddressSanitizer();
  virtual const char *getPassName() const;
  // Instrument a single load/store/atomic memory operation.
  void instrumentMop(Instruction *I);
  // Emit the shadow check (and crash path) for one address of TypeSize bits.
  void instrumentAddress(Instruction *OrigIns, IRBuilder<> &IRB,
                         Value *Addr, uint32_t TypeSize, bool IsWrite);
  Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong,
                           Value *ShadowValue, uint32_t TypeSize);
  Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr,
                                 bool IsWrite, size_t AccessSizeIndex);
  bool instrumentMemIntrinsic(MemIntrinsic *MI);
  void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr,
                                   Value *Size,
                                   Instruction *InsertBefore, bool IsWrite);
  Value *memToShadow(Value *Shadow, IRBuilder<> &IRB);
  bool runOnFunction(Function &F);
  void createInitializerPoisonCalls(Module &M,
                                    Value *FirstAddr, Value *LastAddr);
  bool maybeInsertAsanInitAtFunctionEntry(Function &F);
  bool poisonStackInFunction(Function &F);
  virtual bool doInitialization(Module &M);
  virtual bool doFinalization(Module &M);
  static char ID;  // Pass identification, replacement for typeid

 private:
  // Size in bytes of the type allocated by AI (without redzones).
  uint64_t getAllocaSizeInBytes(AllocaInst *AI) {
    Type *Ty = AI->getAllocatedType();
    uint64_t SizeInBytes = TD->getTypeAllocSize(Ty);
    return SizeInBytes;
  }
  // Round SizeInBytes up to a multiple of the redzone size.
  uint64_t getAlignedSize(uint64_t SizeInBytes) {
    size_t RZ = RedzoneSize();
    return ((SizeInBytes + RZ - 1) / RZ) * RZ;
  }
  uint64_t getAlignedAllocaSize(AllocaInst *AI) {
    uint64_t SizeInBytes = getAllocaSizeInBytes(AI);
    return getAlignedSize(SizeInBytes);
  }

  bool ShouldInstrumentGlobal(GlobalVariable *G);
  void PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB,
                   Value *ShadowBase, bool DoPoison);
  bool LooksLikeCodeInBug11395(Instruction *I);
  void FindDynamicInitializers(Module &M);

  LLVMContext *C;
  DataLayout *TD;
  // Offset of the shadow mapping; 0 disables the OR in memToShadow.
  uint64_t MappingOffset;
  // Pointer size in bits for the target (32 or 64).
  int LongSize;
  Type *IntptrTy;
  Type *IntptrPtrTy;
  Function *AsanCtorFunction;
  Function *AsanInitFunction;
  Function *AsanStackMallocFunc, *AsanStackFreeFunc;
  Function *AsanHandleNoReturnFunc;
  OwningPtr<BlackList> BL;
  // This array is indexed by AccessIsWrite and log2(AccessSize).
  Function *AsanErrorCallback[2][kNumberOfAccessSizes];
  // Empty inline asm inserted after error callbacks to prevent call merging.
  InlineAsm *EmptyAsm;
  SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals;
};

// FIXME: inherit this from ModulePass and actually use it as a ModulePass.
class AddressSanitizerCreateGlobalRedzonesPass {
 public:
  bool runOnModule(Module &M, DataLayout *TD);
 private:
  bool ShouldInstrumentGlobal(GlobalVariable *G);
  void createInitializerPoisonCalls(Module &M, Value *FirstAddr,
                                    Value *LastAddr);

  static char ID;  // Pass identification, replacement for typeid
  OwningPtr<BlackList> BL;
  SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals;
  Type *IntptrTy;
  LLVMContext *C;
};

}  // namespace

char AddressSanitizer::ID = 0;
INITIALIZE_PASS(AddressSanitizer, "asan",
    "AddressSanitizer: detects use-after-free and out-of-bounds bugs.",
    false, false)
AddressSanitizer::AddressSanitizer() : FunctionPass(ID) { }
FunctionPass *llvm::createAddressSanitizerPass() {
  return new AddressSanitizer();
}

const char *AddressSanitizer::getPassName() const {
  return "AddressSanitizer";
}

// Map an access size in bits (8/16/32/64/128) to an index 0..4 used to
// select the matching __asan_report_* callback.
static size_t TypeSizeToSizeIndex(uint32_t TypeSize) {
  size_t Res = CountTrailingZeros_32(TypeSize / 8);
  assert(Res < kNumberOfAccessSizes);
  return Res;
}

// Create a constant for Str so that we can pass it to the run-time lib.
288static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 289 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 290 return new GlobalVariable(M, StrConst->getType(), true, 291 GlobalValue::PrivateLinkage, StrConst, 292 kAsanGenPrefix); 293} 294 295static bool GlobalWasGeneratedByAsan(GlobalVariable *G) { 296 return G->getName().find(kAsanGenPrefix) == 0; 297} 298 299Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 300 // Shadow >> scale 301 Shadow = IRB.CreateLShr(Shadow, MappingScale()); 302 if (MappingOffset == 0) 303 return Shadow; 304 // (Shadow >> scale) | offset 305 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, 306 MappingOffset)); 307} 308 309void AddressSanitizer::instrumentMemIntrinsicParam( 310 Instruction *OrigIns, 311 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 312 // Check the first byte. 313 { 314 IRBuilder<> IRB(InsertBefore); 315 instrumentAddress(OrigIns, IRB, Addr, 8, IsWrite); 316 } 317 // Check the last byte. 318 { 319 IRBuilder<> IRB(InsertBefore); 320 Value *SizeMinusOne = IRB.CreateSub( 321 Size, ConstantInt::get(Size->getType(), 1)); 322 SizeMinusOne = IRB.CreateIntCast(SizeMinusOne, IntptrTy, false); 323 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 324 Value *AddrPlusSizeMinisOne = IRB.CreateAdd(AddrLong, SizeMinusOne); 325 instrumentAddress(OrigIns, IRB, AddrPlusSizeMinisOne, 8, IsWrite); 326 } 327} 328 329// Instrument memset/memmove/memcpy 330bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 331 Value *Dst = MI->getDest(); 332 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 333 Value *Src = MemTran ? 
MemTran->getSource() : 0; 334 Value *Length = MI->getLength(); 335 336 Constant *ConstLength = dyn_cast<Constant>(Length); 337 Instruction *InsertBefore = MI; 338 if (ConstLength) { 339 if (ConstLength->isNullValue()) return false; 340 } else { 341 // The size is not a constant so it could be zero -- check at run-time. 342 IRBuilder<> IRB(InsertBefore); 343 344 Value *Cmp = IRB.CreateICmpNE(Length, 345 Constant::getNullValue(Length->getType())); 346 InsertBefore = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 347 } 348 349 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 350 if (Src) 351 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 352 return true; 353} 354 355// If I is an interesting memory access, return the PointerOperand 356// and set IsWrite. Otherwise return NULL. 357static Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite) { 358 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 359 if (!ClInstrumentReads) return NULL; 360 *IsWrite = false; 361 return LI->getPointerOperand(); 362 } 363 if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 364 if (!ClInstrumentWrites) return NULL; 365 *IsWrite = true; 366 return SI->getPointerOperand(); 367 } 368 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 369 if (!ClInstrumentAtomics) return NULL; 370 *IsWrite = true; 371 return RMW->getPointerOperand(); 372 } 373 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 374 if (!ClInstrumentAtomics) return NULL; 375 *IsWrite = true; 376 return XCHG->getPointerOperand(); 377 } 378 return NULL; 379} 380 381void AddressSanitizer::instrumentMop(Instruction *I) { 382 bool IsWrite = false; 383 Value *Addr = isInterestingMemoryAccess(I, &IsWrite); 384 assert(Addr); 385 if (ClOpt && ClOptGlobals) { 386 if (GlobalVariable *G = dyn_cast<GlobalVariable>(Addr)) { 387 // If initialization order checking is disabled, a simple access to a 388 // dynamically initialized global is always valid. 
      if (!ClInitializers)
        return;
      // If a global variable does not have dynamic initialization we don't
      // have to instrument it. However, if a global does not have initializer
      // at all, we assume it has dynamic initializer (in other TU).
      if (G->hasInitializer() && !DynamicallyInitializedGlobals.Contains(G))
        return;
    }
  }

  Type *OrigPtrTy = Addr->getType();
  Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType();

  assert(OrigTy->isSized());
  uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy);

  if (TypeSize != 8 && TypeSize != 16 &&
      TypeSize != 32 && TypeSize != 64 && TypeSize != 128) {
    // Ignore all unusual sizes.
    return;
  }

  IRBuilder<> IRB(I);
  instrumentAddress(I, IRB, Addr, TypeSize, IsWrite);
}

// Validate the result of Module::getOrInsertFunction called for an interface
// function of AddressSanitizer. If the instrumented module defines a function
// with the same name, their prototypes must match, otherwise
// getOrInsertFunction returns a bitcast.
static Function *checkInterfaceFunction(Constant *FuncOrBitcast) {
  if (isa<Function>(FuncOrBitcast)) return cast<Function>(FuncOrBitcast);
  FuncOrBitcast->dump();
  report_fatal_error("trying to redefine an AddressSanitizer "
                     "interface function");
}

// Emit a call to the __asan_report_* callback matching the access kind and
// size, followed by an empty inline asm that keeps call sites distinct.
Instruction *AddressSanitizer::generateCrashCode(
    Instruction *InsertBefore, Value *Addr,
    bool IsWrite, size_t AccessSizeIndex) {
  IRBuilder<> IRB(InsertBefore);
  CallInst *Call = IRB.CreateCall(AsanErrorCallback[IsWrite][AccessSizeIndex],
                                  Addr);
  // We don't do Call->setDoesNotReturn() because the BB already has
  // UnreachableInst at the end.
  // This EmptyAsm is required to avoid callback merge.
  IRB.CreateCall(EmptyAsm);
  return Call;
}

// Build the slow-path comparison for sub-granularity accesses: the access is
// bad iff its last byte index within the granule reaches the value stored in
// the shadow byte (number of addressable bytes in that granule).
Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong,
                                           Value *ShadowValue,
                                           uint32_t TypeSize) {
  size_t Granularity = 1 << MappingScale();
  // Addr & (Granularity - 1)
  Value *LastAccessedByte = IRB.CreateAnd(
      AddrLong, ConstantInt::get(IntptrTy, Granularity - 1));
  // (Addr & (Granularity - 1)) + size - 1
  if (TypeSize / 8 > 1)
    LastAccessedByte = IRB.CreateAdd(
        LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1));
  // (uint8_t) ((Addr & (Granularity-1)) + size - 1)
  LastAccessedByte = IRB.CreateIntCast(
      LastAccessedByte, ShadowValue->getType(), false);
  // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue
  return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue);
}

// Emit the shadow check for one address: load the shadow byte, branch to a
// crash block when it is non-zero (with an extra slow-path test for accesses
// smaller than the shadow granularity).
void AddressSanitizer::instrumentAddress(Instruction *OrigIns,
                                         IRBuilder<> &IRB, Value *Addr,
                                         uint32_t TypeSize, bool IsWrite) {
  Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);

  Type *ShadowTy = IntegerType::get(
      *C, std::max(8U, TypeSize >> MappingScale()));
  Type *ShadowPtrTy = PointerType::get(ShadowTy, 0);
  Value *ShadowPtr = memToShadow(AddrLong, IRB);
  Value *CmpVal = Constant::getNullValue(ShadowTy);
  Value *ShadowValue = IRB.CreateLoad(
      IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy));

  Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal);
  size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize);
  size_t Granularity = 1 << MappingScale();
  TerminatorInst *CrashTerm = 0;

  if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) {
    // The access may touch only part of a granule: a non-zero shadow byte is
    // not necessarily an error, so re-check with the slow-path comparison.
    TerminatorInst *CheckTerm =
        SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false);
    assert(dyn_cast<BranchInst>(CheckTerm)->isUnconditional());
    BasicBlock *NextBB = CheckTerm->getSuccessor(0);
    IRB.SetInsertPoint(CheckTerm);
    Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize);
    BasicBlock *CrashBlock =
483 BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); 484 CrashTerm = new UnreachableInst(*C, CrashBlock); 485 BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); 486 ReplaceInstWithInst(CheckTerm, NewTerm); 487 } else { 488 CrashTerm = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), true); 489 } 490 491 Instruction *Crash = 492 generateCrashCode(CrashTerm, AddrLong, IsWrite, AccessSizeIndex); 493 Crash->setDebugLoc(OrigIns->getDebugLoc()); 494} 495 496void AddressSanitizerCreateGlobalRedzonesPass::createInitializerPoisonCalls( 497 Module &M, Value *FirstAddr, Value *LastAddr) { 498 // We do all of our poisoning and unpoisoning within _GLOBAL__I_a. 499 Function *GlobalInit = M.getFunction("_GLOBAL__I_a"); 500 // If that function is not present, this TU contains no globals, or they have 501 // all been optimized away 502 if (!GlobalInit) 503 return; 504 505 // Set up the arguments to our poison/unpoison functions. 506 IRBuilder<> IRB(GlobalInit->begin()->getFirstInsertionPt()); 507 508 // Declare our poisoning and unpoisoning functions. 509 Function *AsanPoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 510 kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 511 AsanPoisonGlobals->setLinkage(Function::ExternalLinkage); 512 Function *AsanUnpoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 513 kAsanUnpoisonGlobalsName, IRB.getVoidTy(), NULL)); 514 AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage); 515 516 // Add a call to poison all external globals before the given function starts. 517 IRB.CreateCall2(AsanPoisonGlobals, FirstAddr, LastAddr); 518 519 // Add calls to unpoison all globals before each return instruction. 
520 for (Function::iterator I = GlobalInit->begin(), E = GlobalInit->end(); 521 I != E; ++I) { 522 if (ReturnInst *RI = dyn_cast<ReturnInst>(I->getTerminator())) { 523 CallInst::Create(AsanUnpoisonGlobals, "", RI); 524 } 525 } 526} 527 528bool AddressSanitizerCreateGlobalRedzonesPass::ShouldInstrumentGlobal( 529 GlobalVariable *G) { 530 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 531 DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); 532 533 if (BL->isIn(*G)) return false; 534 if (!Ty->isSized()) return false; 535 if (!G->hasInitializer()) return false; 536 if (GlobalWasGeneratedByAsan(G)) return false; // Our own global. 537 // Touch only those globals that will not be defined in other modules. 538 // Don't handle ODR type linkages since other modules may be built w/o asan. 539 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 540 G->getLinkage() != GlobalVariable::PrivateLinkage && 541 G->getLinkage() != GlobalVariable::InternalLinkage) 542 return false; 543 // Two problems with thread-locals: 544 // - The address of the main thread's copy can't be computed at link-time. 545 // - Need to poison all copies, not just the main thread's one. 546 if (G->isThreadLocal()) 547 return false; 548 // For now, just ignore this Alloca if the alignment is large. 549 if (G->getAlignment() > RedzoneSize()) return false; 550 551 // Ignore all the globals with the names starting with "\01L_OBJC_". 552 // Many of those are put into the .cstring section. The linker compresses 553 // that section by removing the spare \0s after the string terminator, so 554 // our redzones get broken. 555 if ((G->getName().find("\01L_OBJC_") == 0) || 556 (G->getName().find("\01l_OBJC_") == 0)) { 557 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 558 return false; 559 } 560 561 if (G->hasSection()) { 562 StringRef Section(G->getSection()); 563 // Ignore the globals from the __OBJC section. 
The ObjC runtime assumes 564 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 565 // them. 566 if ((Section.find("__OBJC,") == 0) || 567 (Section.find("__DATA, __objc_") == 0)) { 568 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 569 return false; 570 } 571 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 572 // Constant CFString instances are compiled in the following way: 573 // -- the string buffer is emitted into 574 // __TEXT,__cstring,cstring_literals 575 // -- the constant NSConstantString structure referencing that buffer 576 // is placed into __DATA,__cfstring 577 // Therefore there's no point in placing redzones into __DATA,__cfstring. 578 // Moreover, it causes the linker to crash on OS X 10.7 579 if (Section.find("__DATA,__cfstring") == 0) { 580 DEBUG(dbgs() << "Ignoring CFString: " << *G); 581 return false; 582 } 583 } 584 585 return true; 586} 587 588// This function replaces all global variables with new variables that have 589// trailing redzones. It also creates a function that poisons 590// redzones and inserts this function into llvm.global_ctors. 591bool AddressSanitizerCreateGlobalRedzonesPass::runOnModule(Module &M, 592 DataLayout *TD) { 593 BL.reset(new BlackList(ClBlackListFile)); 594 DynamicallyInitializedGlobals.Init(M); 595 C = &(M.getContext()); 596 IntptrTy = Type::getIntNTy(*C, TD->getPointerSizeInBits()); 597 598 SmallVector<GlobalVariable *, 16> GlobalsToChange; 599 600 for (Module::GlobalListType::iterator G = M.global_begin(), 601 E = M.global_end(); G != E; ++G) { 602 if (ShouldInstrumentGlobal(G)) 603 GlobalsToChange.push_back(G); 604 } 605 606 size_t n = GlobalsToChange.size(); 607 if (n == 0) return false; 608 609 // A global is described by a structure 610 // size_t beg; 611 // size_t size; 612 // size_t size_with_redzone; 613 // const char *name; 614 // size_t has_dynamic_init; 615 // We initialize an array of such structures and pass it to a run-time call. 
  StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy,
                                               IntptrTy, IntptrTy,
                                               IntptrTy, NULL);
  SmallVector<Constant *, 16> Initializers(n), DynamicInit;


  Function *CtorFunc = M.getFunction(kAsanModuleCtorName);
  assert(CtorFunc);
  IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator());

  // The addresses of the first and last dynamically initialized globals in
  // this TU. Used in initialization order checking.
  Value *FirstDynamic = 0, *LastDynamic = 0;

  for (size_t i = 0; i < n; i++) {
    GlobalVariable *G = GlobalsToChange[i];
    PointerType *PtrTy = cast<PointerType>(G->getType());
    Type *Ty = PtrTy->getElementType();
    uint64_t SizeInBytes = TD->getTypeAllocSize(Ty);
    size_t RZ = RedzoneSize();
    // Tail redzone padded so that the total size is a multiple of RZ; this
    // yields between RZ and 2*RZ bytes of redzone after the global.
    uint64_t RightRedzoneSize = RZ + (RZ - (SizeInBytes % RZ));
    Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize);
    // Determine whether this global should be poisoned in initialization.
    bool GlobalHasDynamicInitializer =
        DynamicallyInitializedGlobals.Contains(G);
    // Don't check initialization order if this global is blacklisted.
    GlobalHasDynamicInitializer &= !BL->isInInit(*G);

    StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL);
    Constant *NewInitializer = ConstantStruct::get(
        NewTy, G->getInitializer(),
        Constant::getNullValue(RightRedZoneTy), NULL);

    SmallString<2048> DescriptionOfGlobal = G->getName();
    DescriptionOfGlobal += " (";
    DescriptionOfGlobal += M.getModuleIdentifier();
    DescriptionOfGlobal += ")";
    GlobalVariable *Name = createPrivateGlobalForString(M, DescriptionOfGlobal);

    // Create a new global variable with enough space for a redzone.
    GlobalVariable *NewGlobal = new GlobalVariable(
        M, NewTy, G->isConstant(), G->getLinkage(),
        NewInitializer, "", G, G->getThreadLocalMode());
    NewGlobal->copyAttributesFrom(G);
    NewGlobal->setAlignment(RZ);

    // Redirect every user of the old global to field 0 (the original data)
    // of the new struct-with-redzone, then drop the old global.
    Value *Indices2[2];
    Indices2[0] = IRB.getInt32(0);
    Indices2[1] = IRB.getInt32(0);

    G->replaceAllUsesWith(
        ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true));
    NewGlobal->takeName(G);
    G->eraseFromParent();

    // Fill in the run-time descriptor for this global (see the struct layout
    // comment above).
    Initializers[i] = ConstantStruct::get(
        GlobalStructTy,
        ConstantExpr::getPointerCast(NewGlobal, IntptrTy),
        ConstantInt::get(IntptrTy, SizeInBytes),
        ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize),
        ConstantExpr::getPointerCast(Name, IntptrTy),
        ConstantInt::get(IntptrTy, GlobalHasDynamicInitializer),
        NULL);

    // Populate the first and last globals declared in this TU.
    if (ClInitializers && GlobalHasDynamicInitializer) {
      LastDynamic = ConstantExpr::getPointerCast(NewGlobal, IntptrTy);
      if (FirstDynamic == 0)
        FirstDynamic = LastDynamic;
    }

    DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n");
  }

  ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n);
  GlobalVariable *AllGlobals = new GlobalVariable(
      M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage,
      ConstantArray::get(ArrayOfGlobalStructTy, Initializers), "");

  // Create calls for poisoning before initializers run and unpoisoning after.
  if (ClInitializers && FirstDynamic && LastDynamic)
    createInitializerPoisonCalls(M, FirstDynamic, LastDynamic);

  Function *AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction(
      kAsanRegisterGlobalsName, IRB.getVoidTy(),
      IntptrTy, IntptrTy, NULL));
  AsanRegisterGlobals->setLinkage(Function::ExternalLinkage);

  IRB.CreateCall2(AsanRegisterGlobals,
                  IRB.CreatePointerCast(AllGlobals, IntptrTy),
                  ConstantInt::get(IntptrTy, n));

  // We also need to unregister globals at the end, e.g. when a shared library
  // gets closed.
  Function *AsanDtorFunction = Function::Create(
      FunctionType::get(Type::getVoidTy(*C), false),
      GlobalValue::InternalLinkage, kAsanModuleDtorName, &M);
  BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction);
  IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB));
  Function *AsanUnregisterGlobals =
      checkInterfaceFunction(M.getOrInsertFunction(
          kAsanUnregisterGlobalsName,
          IRB.getVoidTy(), IntptrTy, IntptrTy, NULL));
  AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage);

  IRB_Dtor.CreateCall2(AsanUnregisterGlobals,
                       IRB.CreatePointerCast(AllGlobals, IntptrTy),
                       ConstantInt::get(IntptrTy, n));
  appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority);

  DEBUG(dbgs() << M);
  return true;
}

// virtual
bool AddressSanitizer::doInitialization(Module &M) {
  // Initialize the private fields. No one has accessed them before.
  TD = getAnalysisIfAvailable<DataLayout>();

  // Without target data we cannot compute type sizes; do nothing.
  if (!TD)
    return false;
  BL.reset(new BlackList(ClBlackListFile));
  DynamicallyInitializedGlobals.Init(M);

  C = &(M.getContext());
  LongSize = TD->getPointerSizeInBits();
  IntptrTy = Type::getIntNTy(*C, LongSize);
  IntptrPtrTy = PointerType::get(IntptrTy, 0);

  AsanCtorFunction = Function::Create(
      FunctionType::get(Type::getVoidTy(*C), false),
      GlobalValue::InternalLinkage, kAsanModuleCtorName, &M);
  BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction);
  // call __asan_init in the module ctor.
  IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB));
  AsanInitFunction = checkInterfaceFunction(
      M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL));
  AsanInitFunction->setLinkage(Function::ExternalLinkage);
  IRB.CreateCall(AsanInitFunction);

  // Create __asan_report* callbacks.
  for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) {
    for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
         AccessSizeIndex++) {
      // IsWrite and TypeSize are encoded in the function name.
      std::string FunctionName = std::string(kAsanReportErrorTemplate) +
          (AccessIsWrite ? "store" : "load") + itostr(1 << AccessSizeIndex);
      // If we are merging crash callbacks, they have two parameters.
      AsanErrorCallback[AccessIsWrite][AccessSizeIndex] =
          checkInterfaceFunction(M.getOrInsertFunction(
              FunctionName, IRB.getVoidTy(), IntptrTy, NULL));
    }
  }

  // Declare the run-time helpers used for fake stack frames and noreturn
  // calls.
  AsanStackMallocFunc = checkInterfaceFunction(M.getOrInsertFunction(
      kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL));
  AsanStackFreeFunc = checkInterfaceFunction(M.getOrInsertFunction(
      kAsanStackFreeName, IRB.getVoidTy(),
      IntptrTy, IntptrTy, IntptrTy, NULL));
  AsanHandleNoReturnFunc = checkInterfaceFunction(M.getOrInsertFunction(
      kAsanHandleNoReturnName, IRB.getVoidTy(), NULL));

  // We insert an empty inline asm after __asan_report* to avoid callback merge.
  EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
                            StringRef(""), StringRef(""),
                            /*hasSideEffects=*/true);

  llvm::Triple targetTriple(M.getTargetTriple());
  bool isAndroid = targetTriple.getEnvironment() == llvm::Triple::Android;

  // Pick the shadow offset for the target; -asan-mapping-offset-log
  // overrides the default.
  MappingOffset = isAndroid ? kDefaultShadowOffsetAndroid :
    (LongSize == 32 ? kDefaultShadowOffset32 : kDefaultShadowOffset64);
  if (ClMappingOffsetLog >= 0) {
    if (ClMappingOffsetLog == 0) {
      // special case
      MappingOffset = 0;
    } else {
      MappingOffset = 1ULL << ClMappingOffsetLog;
    }
  }


  if (ClMappingOffsetLog >= 0) {
    // Tell the run-time the current values of mapping offset and scale.
    GlobalValue *asan_mapping_offset =
        new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage,
                       ConstantInt::get(IntptrTy, MappingOffset),
                       kAsanMappingOffsetName);
    // Read the global, otherwise it may be optimized away.
    IRB.CreateLoad(asan_mapping_offset, true);
  }
  if (ClMappingScale) {
    GlobalValue *asan_mapping_scale =
        new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage,
                           ConstantInt::get(IntptrTy, MappingScale()),
                           kAsanMappingScaleName);
    // Read the global, otherwise it may be optimized away.
    IRB.CreateLoad(asan_mapping_scale, true);
  }

  appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority);

  return true;
}

bool AddressSanitizer::doFinalization(Module &M) {
  // We transform the globals at the very end so that the optimization analysis
  // works on the original globals.
  if (ClGlobals) {
    // FIXME: instead of doFinalization, run this as a true ModulePass.
    AddressSanitizerCreateGlobalRedzonesPass Pass;
    return Pass.runOnModule(M, TD);
  }
  return false;
}


bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) {
  // For each NSObject descendant having a +load method, this method is invoked
  // by the ObjC runtime before any of the static constructors is called.
  // Therefore we need to instrument such methods with a call to __asan_init
  // at the beginning in order to initialize our runtime before any access to
  // the shadow memory.
  // We cannot just ignore these methods, because they may call other
  // instrumented functions.
  if (F.getName().find(" load]") != std::string::npos) {
    IRBuilder<> IRB(F.begin()->begin());
    IRB.CreateCall(AsanInitFunction);
    return true;
  }
  return false;
}

bool AddressSanitizer::runOnFunction(Function &F) {
  if (BL->isIn(F)) return false;
  if (&F == AsanCtorFunction) return false;
  DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n");

  // If needed, insert __asan_init before checking for AddressSafety attr.
  maybeInsertAsanInitAtFunctionEntry(F);

  if (!F.getFnAttributes().hasAttribute(Attributes::AddressSafety))
    return false;

  if (!ClDebugFunc.empty() && ClDebugFunc != F.getName())
    return false;

  // We want to instrument every address only once per basic block (unless there
  // are calls between uses).
865 SmallSet<Value*, 16> TempsToInstrument; 866 SmallVector<Instruction*, 16> ToInstrument; 867 SmallVector<Instruction*, 8> NoReturnCalls; 868 bool IsWrite; 869 870 // Fill the set of memory operations to instrument. 871 for (Function::iterator FI = F.begin(), FE = F.end(); 872 FI != FE; ++FI) { 873 TempsToInstrument.clear(); 874 int NumInsnsPerBB = 0; 875 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 876 BI != BE; ++BI) { 877 if (LooksLikeCodeInBug11395(BI)) return false; 878 if (Value *Addr = isInterestingMemoryAccess(BI, &IsWrite)) { 879 if (ClOpt && ClOptSameTemp) { 880 if (!TempsToInstrument.insert(Addr)) 881 continue; // We've seen this temp in the current BB. 882 } 883 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 884 // ok, take it. 885 } else { 886 if (CallInst *CI = dyn_cast<CallInst>(BI)) { 887 // A call inside BB. 888 TempsToInstrument.clear(); 889 if (CI->doesNotReturn()) { 890 NoReturnCalls.push_back(CI); 891 } 892 } 893 continue; 894 } 895 ToInstrument.push_back(BI); 896 NumInsnsPerBB++; 897 if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) 898 break; 899 } 900 } 901 902 // Instrument. 903 int NumInstrumented = 0; 904 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 905 Instruction *Inst = ToInstrument[i]; 906 if (ClDebugMin < 0 || ClDebugMax < 0 || 907 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 908 if (isInterestingMemoryAccess(Inst, &IsWrite)) 909 instrumentMop(Inst); 910 else 911 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 912 } 913 NumInstrumented++; 914 } 915 916 bool ChangedStack = poisonStackInFunction(F); 917 918 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 919 // See e.g. 
http://code.google.com/p/address-sanitizer/issues/detail?id=37 920 for (size_t i = 0, n = NoReturnCalls.size(); i != n; i++) { 921 Instruction *CI = NoReturnCalls[i]; 922 IRBuilder<> IRB(CI); 923 IRB.CreateCall(AsanHandleNoReturnFunc); 924 } 925 DEBUG(dbgs() << "ASAN done instrumenting:\n" << F << "\n"); 926 927 return NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); 928} 929 930static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 931 if (ShadowRedzoneSize == 1) return PoisonByte; 932 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 933 if (ShadowRedzoneSize == 4) 934 return (PoisonByte << 24) + (PoisonByte << 16) + 935 (PoisonByte << 8) + (PoisonByte); 936 llvm_unreachable("ShadowRedzoneSize is either 1, 2 or 4"); 937} 938 939static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 940 size_t Size, 941 size_t RZSize, 942 size_t ShadowGranularity, 943 uint8_t Magic) { 944 for (size_t i = 0; i < RZSize; 945 i+= ShadowGranularity, Shadow++) { 946 if (i + ShadowGranularity <= Size) { 947 *Shadow = 0; // fully addressable 948 } else if (i >= Size) { 949 *Shadow = Magic; // unaddressable 950 } else { 951 *Shadow = Size - i; // first Size-i bytes are addressable 952 } 953 } 954} 955 956void AddressSanitizer::PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, 957 IRBuilder<> IRB, 958 Value *ShadowBase, bool DoPoison) { 959 size_t ShadowRZSize = RedzoneSize() >> MappingScale(); 960 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 961 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 962 Type *RZPtrTy = PointerType::get(RZTy, 0); 963 964 Value *PoisonLeft = ConstantInt::get(RZTy, 965 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 966 Value *PoisonMid = ConstantInt::get(RZTy, 967 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 968 Value *PoisonRight = ConstantInt::get(RZTy, 969 ValueForPoison(DoPoison ? 
kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 970 971 // poison the first red zone. 972 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 973 974 // poison all other red zones. 975 uint64_t Pos = RedzoneSize(); 976 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 977 AllocaInst *AI = AllocaVec[i]; 978 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 979 uint64_t AlignedSize = getAlignedAllocaSize(AI); 980 assert(AlignedSize - SizeInBytes < RedzoneSize()); 981 Value *Ptr = NULL; 982 983 Pos += AlignedSize; 984 985 assert(ShadowBase->getType() == IntptrTy); 986 if (SizeInBytes < AlignedSize) { 987 // Poison the partial redzone at right 988 Ptr = IRB.CreateAdd( 989 ShadowBase, ConstantInt::get(IntptrTy, 990 (Pos >> MappingScale()) - ShadowRZSize)); 991 size_t AddressableBytes = RedzoneSize() - (AlignedSize - SizeInBytes); 992 uint32_t Poison = 0; 993 if (DoPoison) { 994 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 995 RedzoneSize(), 996 1ULL << MappingScale(), 997 kAsanStackPartialRedzoneMagic); 998 } 999 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 1000 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1001 } 1002 1003 // Poison the full redzone at right. 1004 Ptr = IRB.CreateAdd(ShadowBase, 1005 ConstantInt::get(IntptrTy, Pos >> MappingScale())); 1006 Value *Poison = i == AllocaVec.size() - 1 ? PoisonRight : PoisonMid; 1007 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1008 1009 Pos += RedzoneSize(); 1010 } 1011} 1012 1013// Workaround for bug 11395: we don't want to instrument stack in functions 1014// with large assembly blobs (32-bit only), otherwise reg alloc may crash. 1015// FIXME: remove once the bug 11395 is fixed. 
bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) {
  // Only the 32-bit register allocator is affected.
  if (LongSize != 32) return false;
  CallInst *CI = dyn_cast<CallInst>(I);
  if (!CI || !CI->isInlineAsm()) return false;
  if (CI->getNumArgOperands() <= 5) return false;
  // We have inline assembly with quite a few arguments.
  return true;
}

// Find all static Alloca instructions and put
// poisoned red zones around all of them.
// Then unpoison everything back before the function returns.
//
// Stack poisoning does not play well with exception handling.
// When an exception is thrown, we essentially bypass the code
// that unpoisons the stack. This is why the run-time library has
// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire
// stack in the interceptor. This however does not work inside the
// actual function which catches the exception. Most likely because the
// compiler hoists the load of the shadow value somewhere too high.
// This causes asan to report a non-existing bug on 453.povray.
// It sounds like an LLVM bug.
bool AddressSanitizer::poisonStackInFunction(Function &F) {
  if (!ClStack) return false;
  SmallVector<AllocaInst*, 16> AllocaVec;
  SmallVector<Instruction*, 8> RetVec;
  uint64_t TotalSize = 0;

  // Filter out Alloca instructions we want (and can) handle.
  // Collect Ret instructions.
  for (Function::iterator FI = F.begin(), FE = F.end();
       FI != FE; ++FI) {
    BasicBlock &BB = *FI;
    for (BasicBlock::iterator BI = BB.begin(), BE = BB.end();
         BI != BE; ++BI) {
      if (isa<ReturnInst>(BI)) {
        RetVec.push_back(BI);
        continue;
      }

      AllocaInst *AI = dyn_cast<AllocaInst>(BI);
      if (!AI) continue;
      // Skip allocas we cannot lay out in the combined frame: runtime-sized
      // arrays, dynamic allocas, unsized types, and over-aligned variables.
      if (AI->isArrayAllocation()) continue;
      if (!AI->isStaticAlloca()) continue;
      if (!AI->getAllocatedType()->isSized()) continue;
      if (AI->getAlignment() > RedzoneSize()) continue;
      AllocaVec.push_back(AI);
      uint64_t AlignedSize = getAlignedAllocaSize(AI);
      TotalSize += AlignedSize;
    }
  }

  if (AllocaVec.empty()) return false;

  // Frame layout: one leading redzone plus one redzone after each variable.
  uint64_t LocalStackSize = TotalSize + (AllocaVec.size() + 1) * RedzoneSize();

  bool DoStackMalloc = ClUseAfterReturn
      && LocalStackSize <= kMaxStackMallocSize;

  Instruction *InsBefore = AllocaVec[0];
  IRBuilder<> IRB(InsBefore);

  // One big alloca replaces all the small ones; it stays even in the
  // fake-stack (DoStackMalloc) mode, as __asan_stack_malloc may fall back
  // to it (OrigStackBase is passed as the second argument).
  Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize);
  AllocaInst *MyAlloca =
      new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore);
  MyAlloca->setAlignment(RedzoneSize());
  assert(MyAlloca->isStaticAlloca());
  Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy);
  Value *LocalStackBase = OrigStackBase;

  if (DoStackMalloc) {
    LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc,
        ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase);
  }

  // This string will be parsed by the run-time (DescribeStackAddress).
  // Format: "<function name> <number of vars> {<offset> <size> <name len> <name> }*"
  SmallString<2048> StackDescriptionStorage;
  raw_svector_ostream StackDescription(StackDescriptionStorage);
  StackDescription << F.getName() << " " << AllocaVec.size() << " ";

  uint64_t Pos = RedzoneSize();
  // Replace Alloca instructions with base+offset.
  for (size_t i = 0, n = AllocaVec.size(); i < n; i++) {
    AllocaInst *AI = AllocaVec[i];
    uint64_t SizeInBytes = getAllocaSizeInBytes(AI);
    StringRef Name = AI->getName();
    StackDescription << Pos << " " << SizeInBytes << " "
                     << Name.size() << " " << Name << " ";
    uint64_t AlignedSize = getAlignedAllocaSize(AI);
    assert((AlignedSize % RedzoneSize()) == 0);
    AI->replaceAllUsesWith(
        IRB.CreateIntToPtr(
            IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)),
            AI->getType()));
    Pos += AlignedSize + RedzoneSize();
  }
  // Sanity check: offsets must have consumed exactly the whole frame.
  assert(Pos == LocalStackSize);

  // Write the Magic value and the frame description constant to the redzone.
  Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy);
  IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic),
                  BasePlus0);
  // The description pointer lives in the second word of the left redzone.
  Value *BasePlus1 = IRB.CreateAdd(LocalStackBase,
                                   ConstantInt::get(IntptrTy, LongSize/8));
  BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy);
  GlobalVariable *StackDescriptionGlobal =
      createPrivateGlobalForString(*F.getParent(), StackDescription.str());
  Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, IntptrTy);
  IRB.CreateStore(Description, BasePlus1);

  // Poison the stack redzones at the entry.
  Value *ShadowBase = memToShadow(LocalStackBase, IRB);
  PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRB, ShadowBase, true);

  // Unpoison the stack before all ret instructions.
  for (size_t i = 0, n = RetVec.size(); i < n; i++) {
    Instruction *Ret = RetVec[i];
    IRBuilder<> IRBRet(Ret);

    // Mark the current frame as retired.
    IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic),
                       BasePlus0);
    // Unpoison the stack.
    PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRBRet, ShadowBase, false);

    if (DoStackMalloc) {
      IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase,
                         ConstantInt::get(IntptrTy, LocalStackSize),
                         OrigStackBase);
    }
  }

  // We are done. Remove the old unused alloca instructions.
  // (Safe: replaceAllUsesWith above left them with no remaining uses.)
  for (size_t i = 0, n = AllocaVec.size(); i < n; i++)
    AllocaVec[i]->eraseFromParent();

  if (ClDebugStack) {
    DEBUG(dbgs() << F);
  }

  return true;
}