MemorySanitizer.cpp revision d55ef5ce5f92fc02063e65ef328b89a7d66a3636
1//===-- MemorySanitizer.cpp - detector of uninitialized reads -------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9/// \file 10/// This file is a part of MemorySanitizer, a detector of uninitialized 11/// reads. 12/// 13/// Status: early prototype. 14/// 15/// The algorithm of the tool is similar to Memcheck 16/// (http://goo.gl/QKbem). We associate a few shadow bits with every 17/// byte of the application memory, poison the shadow of the malloc-ed 18/// or alloca-ed memory, load the shadow bits on every memory read, 19/// propagate the shadow bits through some of the arithmetic 20/// instruction (including MOV), store the shadow bits on every memory 21/// write, report a bug on some other instructions (e.g. JMP) if the 22/// associated shadow is poisoned. 23/// 24/// But there are differences too. The first and the major one: 25/// compiler instrumentation instead of binary instrumentation. This 26/// gives us much better register allocation, possible compiler 27/// optimizations and a fast start-up. But this brings the major issue 28/// as well: msan needs to see all program events, including system 29/// calls and reads/writes in system libraries, so we either need to 30/// compile *everything* with msan or use a binary translation 31/// component (e.g. DynamoRIO) to instrument pre-built libraries. 32/// Another difference from Memcheck is that we use 8 shadow bits per 33/// byte of application memory and use a direct shadow mapping. This 34/// greatly simplifies the instrumentation code and avoids races on 35/// shadow updates (Memcheck is single-threaded so races are not a 36/// concern there. Memcheck uses 2 shadow bits per byte with a slow 37/// path storage that uses 8 bits per byte). 38/// 39/// The default value of shadow is 0, which means "clean" (not poisoned). 40/// 41/// Every module initializer should call __msan_init to ensure that the 42/// shadow memory is ready. On error, __msan_warning is called. Since 43/// parameters and return values may be passed via registers, we have a 44/// specialized thread-local shadow for return values 45/// (__msan_retval_tls) and parameters (__msan_param_tls). 46/// 47/// Origin tracking. 48/// 49/// MemorySanitizer can track origins (allocation points) of all uninitialized 50/// values. This behavior is controlled with a flag (msan-track-origins) and is 51/// disabled by default. 52/// 53/// Origins are 4-byte values created and interpreted by the runtime library. 54/// They are stored in a second shadow mapping, one 4-byte value for 4 bytes 55/// of application memory. Propagation of origins is basically a bunch of 56/// "select" instructions that pick the origin of a dirty argument, if an 57/// instruction has one. 58/// 59/// Every 4 aligned, consecutive bytes of application memory have one origin 60/// value associated with them. If these bytes contain uninitialized data 61/// coming from 2 different allocations, the last store wins. Because of this, 62/// MemorySanitizer reports can show unrelated origins, but this is unlikely in 63/// practice. 64/// 65/// Origins are meaningless for fully initialized values, so MemorySanitizer 66/// avoids storing origin to memory when a fully initialized value is stored. 67/// This way it avoids needless overwritting origin of the 4-byte region on 68/// a short (i.e. 1 byte) clean store, and it is also good for performance. 69//===----------------------------------------------------------------------===// 70 71#define DEBUG_TYPE "msan" 72 73#include "llvm/Transforms/Instrumentation.h" 74#include "llvm/ADT/DepthFirstIterator.h" 75#include "llvm/ADT/SmallString.h" 76#include "llvm/ADT/SmallVector.h" 77#include "llvm/ADT/Triple.h" 78#include "llvm/ADT/ValueMap.h" 79#include "llvm/IR/DataLayout.h" 80#include "llvm/IR/Function.h" 81#include "llvm/IR/IRBuilder.h" 82#include "llvm/IR/InlineAsm.h" 83#include "llvm/IR/IntrinsicInst.h" 84#include "llvm/IR/LLVMContext.h" 85#include "llvm/IR/MDBuilder.h" 86#include "llvm/IR/Module.h" 87#include "llvm/IR/Type.h" 88#include "llvm/InstVisitor.h" 89#include "llvm/Support/CommandLine.h" 90#include "llvm/Support/Compiler.h" 91#include "llvm/Support/Debug.h" 92#include "llvm/Support/raw_ostream.h" 93#include "llvm/Transforms/Utils/BasicBlockUtils.h" 94#include "llvm/Transforms/Utils/BlackList.h" 95#include "llvm/Transforms/Utils/Local.h" 96#include "llvm/Transforms/Utils/ModuleUtils.h" 97 98using namespace llvm; 99 100static const uint64_t kShadowMask32 = 1ULL << 31; 101static const uint64_t kShadowMask64 = 1ULL << 46; 102static const uint64_t kOriginOffset32 = 1ULL << 30; 103static const uint64_t kOriginOffset64 = 1ULL << 45; 104static const unsigned kMinOriginAlignment = 4; 105static const unsigned kShadowTLSAlignment = 8; 106 107/// \brief Track origins of uninitialized values. 108/// 109/// Adds a section to MemorySanitizer report that points to the allocation 110/// (stack or heap) the uninitialized bits came from originally. 111static cl::opt<bool> ClTrackOrigins("msan-track-origins", 112 cl::desc("Track origins (allocation sites) of poisoned memory"), 113 cl::Hidden, cl::init(false)); 114static cl::opt<bool> ClKeepGoing("msan-keep-going", 115 cl::desc("keep going after reporting a UMR"), 116 cl::Hidden, cl::init(false)); 117static cl::opt<bool> ClPoisonStack("msan-poison-stack", 118 cl::desc("poison uninitialized stack variables"), 119 cl::Hidden, cl::init(true)); 120static cl::opt<bool> ClPoisonStackWithCall("msan-poison-stack-with-call", 121 cl::desc("poison uninitialized stack variables with a call"), 122 cl::Hidden, cl::init(false)); 123static cl::opt<int> ClPoisonStackPattern("msan-poison-stack-pattern", 124 cl::desc("poison uninitialized stack variables with the given patter"), 125 cl::Hidden, cl::init(0xff)); 126static cl::opt<bool> ClPoisonUndef("msan-poison-undef", 127 cl::desc("poison undef temps"), 128 cl::Hidden, cl::init(true)); 129 130static cl::opt<bool> ClHandleICmp("msan-handle-icmp", 131 cl::desc("propagate shadow through ICmpEQ and ICmpNE"), 132 cl::Hidden, cl::init(true)); 133 134static cl::opt<bool> ClHandleICmpExact("msan-handle-icmp-exact", 135 cl::desc("exact handling of relational integer ICmp"), 136 cl::Hidden, cl::init(false)); 137 138static cl::opt<bool> ClStoreCleanOrigin("msan-store-clean-origin", 139 cl::desc("store origin for clean (fully initialized) values"), 140 cl::Hidden, cl::init(false)); 141 142// This flag controls whether we check the shadow of the address 143// operand of load or store. Such bugs are very rare, since load from 144// a garbage address typically results in SEGV, but still happen 145// (e.g. only lower bits of address are garbage, or the access happens 146// early at program startup where malloc-ed memory is more likely to 147// be zeroed. As of 2012-08-28 this flag adds 20% slowdown. 148static cl::opt<bool> ClCheckAccessAddress("msan-check-access-address", 149 cl::desc("report accesses through a pointer which has poisoned shadow"), 150 cl::Hidden, cl::init(true)); 151 152static cl::opt<bool> ClDumpStrictInstructions("msan-dump-strict-instructions", 153 cl::desc("print out instructions with default strict semantics"), 154 cl::Hidden, cl::init(false)); 155 156static cl::opt<std::string> ClBlacklistFile("msan-blacklist", 157 cl::desc("File containing the list of functions where MemorySanitizer " 158 "should not report bugs"), cl::Hidden); 159 160namespace { 161 162/// \brief An instrumentation pass implementing detection of uninitialized 163/// reads. 164/// 165/// MemorySanitizer: instrument the code in module to find 166/// uninitialized reads. 167class MemorySanitizer : public FunctionPass { 168 public: 169 MemorySanitizer(bool TrackOrigins = false, 170 StringRef BlacklistFile = StringRef()) 171 : FunctionPass(ID), 172 TrackOrigins(TrackOrigins || ClTrackOrigins), 173 TD(0), 174 WarningFn(0), 175 BlacklistFile(BlacklistFile.empty() ? ClBlacklistFile 176 : BlacklistFile) { } 177 const char *getPassName() const { return "MemorySanitizer"; } 178 bool runOnFunction(Function &F); 179 bool doInitialization(Module &M); 180 static char ID; // Pass identification, replacement for typeid. 181 182 private: 183 void initializeCallbacks(Module &M); 184 185 /// \brief Track origins (allocation points) of uninitialized values. 186 bool TrackOrigins; 187 188 DataLayout *TD; 189 LLVMContext *C; 190 Type *IntptrTy; 191 Type *OriginTy; 192 /// \brief Thread-local shadow storage for function parameters. 193 GlobalVariable *ParamTLS; 194 /// \brief Thread-local origin storage for function parameters. 195 GlobalVariable *ParamOriginTLS; 196 /// \brief Thread-local shadow storage for function return value. 197 GlobalVariable *RetvalTLS; 198 /// \brief Thread-local origin storage for function return value. 199 GlobalVariable *RetvalOriginTLS; 200 /// \brief Thread-local shadow storage for in-register va_arg function 201 /// parameters (x86_64-specific). 202 GlobalVariable *VAArgTLS; 203 /// \brief Thread-local shadow storage for va_arg overflow area 204 /// (x86_64-specific). 205 GlobalVariable *VAArgOverflowSizeTLS; 206 /// \brief Thread-local space used to pass origin value to the UMR reporting 207 /// function. 208 GlobalVariable *OriginTLS; 209 210 /// \brief The run-time callback to print a warning. 211 Value *WarningFn; 212 /// \brief Run-time helper that copies origin info for a memory range. 213 Value *MsanCopyOriginFn; 214 /// \brief Run-time helper that generates a new origin value for a stack 215 /// allocation. 216 Value *MsanSetAllocaOriginFn; 217 /// \brief Run-time helper that poisons stack on function entry. 218 Value *MsanPoisonStackFn; 219 /// \brief MSan runtime replacements for memmove, memcpy and memset. 220 Value *MemmoveFn, *MemcpyFn, *MemsetFn; 221 222 /// \brief Address mask used in application-to-shadow address calculation. 223 /// ShadowAddr is computed as ApplicationAddr & ~ShadowMask. 224 uint64_t ShadowMask; 225 /// \brief Offset of the origin shadow from the "normal" shadow. 226 /// OriginAddr is computed as (ShadowAddr + OriginOffset) & ~3ULL 227 uint64_t OriginOffset; 228 /// \brief Branch weights for error reporting. 229 MDNode *ColdCallWeights; 230 /// \brief Branch weights for origin store. 231 MDNode *OriginStoreWeights; 232 /// \brief Path to blacklist file. 233 SmallString<64> BlacklistFile; 234 /// \brief The blacklist. 235 OwningPtr<BlackList> BL; 236 /// \brief An empty volatile inline asm that prevents callback merge. 237 InlineAsm *EmptyAsm; 238 239 friend struct MemorySanitizerVisitor; 240 friend struct VarArgAMD64Helper; 241}; 242} // namespace 243 244char MemorySanitizer::ID = 0; 245INITIALIZE_PASS(MemorySanitizer, "msan", 246 "MemorySanitizer: detects uninitialized reads.", 247 false, false) 248 249FunctionPass *llvm::createMemorySanitizerPass(bool TrackOrigins, 250 StringRef BlacklistFile) { 251 return new MemorySanitizer(TrackOrigins, BlacklistFile); 252} 253 254/// \brief Create a non-const global initialized with the given string. 255/// 256/// Creates a writable global for Str so that we can pass it to the 257/// run-time lib. Runtime uses first 4 bytes of the string to store the 258/// frame ID, so the string needs to be mutable. 259static GlobalVariable *createPrivateNonConstGlobalForString(Module &M, 260 StringRef Str) { 261 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 262 return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/false, 263 GlobalValue::PrivateLinkage, StrConst, ""); 264} 265 266 267/// \brief Insert extern declaration of runtime-provided functions and globals. 268void MemorySanitizer::initializeCallbacks(Module &M) { 269 // Only do this once. 270 if (WarningFn) 271 return; 272 273 IRBuilder<> IRB(*C); 274 // Create the callback. 275 // FIXME: this function should have "Cold" calling conv, 276 // which is not yet implemented. 277 StringRef WarningFnName = ClKeepGoing ? "__msan_warning" 278 : "__msan_warning_noreturn"; 279 WarningFn = M.getOrInsertFunction(WarningFnName, IRB.getVoidTy(), NULL); 280 281 MsanCopyOriginFn = M.getOrInsertFunction( 282 "__msan_copy_origin", IRB.getVoidTy(), IRB.getInt8PtrTy(), 283 IRB.getInt8PtrTy(), IntptrTy, NULL); 284 MsanSetAllocaOriginFn = M.getOrInsertFunction( 285 "__msan_set_alloca_origin", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy, 286 IRB.getInt8PtrTy(), NULL); 287 MsanPoisonStackFn = M.getOrInsertFunction( 288 "__msan_poison_stack", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy, NULL); 289 MemmoveFn = M.getOrInsertFunction( 290 "__msan_memmove", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 291 IRB.getInt8PtrTy(), IntptrTy, NULL); 292 MemcpyFn = M.getOrInsertFunction( 293 "__msan_memcpy", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 294 IntptrTy, NULL); 295 MemsetFn = M.getOrInsertFunction( 296 "__msan_memset", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt32Ty(), 297 IntptrTy, NULL); 298 299 // Create globals. 300 RetvalTLS = new GlobalVariable( 301 M, ArrayType::get(IRB.getInt64Ty(), 8), false, 302 GlobalVariable::ExternalLinkage, 0, "__msan_retval_tls", 0, 303 GlobalVariable::InitialExecTLSModel); 304 RetvalOriginTLS = new GlobalVariable( 305 M, OriginTy, false, GlobalVariable::ExternalLinkage, 0, 306 "__msan_retval_origin_tls", 0, GlobalVariable::InitialExecTLSModel); 307 308 ParamTLS = new GlobalVariable( 309 M, ArrayType::get(IRB.getInt64Ty(), 1000), false, 310 GlobalVariable::ExternalLinkage, 0, "__msan_param_tls", 0, 311 GlobalVariable::InitialExecTLSModel); 312 ParamOriginTLS = new GlobalVariable( 313 M, ArrayType::get(OriginTy, 1000), false, GlobalVariable::ExternalLinkage, 314 0, "__msan_param_origin_tls", 0, GlobalVariable::InitialExecTLSModel); 315 316 VAArgTLS = new GlobalVariable( 317 M, ArrayType::get(IRB.getInt64Ty(), 1000), false, 318 GlobalVariable::ExternalLinkage, 0, "__msan_va_arg_tls", 0, 319 GlobalVariable::InitialExecTLSModel); 320 VAArgOverflowSizeTLS = new GlobalVariable( 321 M, IRB.getInt64Ty(), false, GlobalVariable::ExternalLinkage, 0, 322 "__msan_va_arg_overflow_size_tls", 0, 323 GlobalVariable::InitialExecTLSModel); 324 OriginTLS = new GlobalVariable( 325 M, IRB.getInt32Ty(), false, GlobalVariable::ExternalLinkage, 0, 326 "__msan_origin_tls", 0, GlobalVariable::InitialExecTLSModel); 327 328 // We insert an empty inline asm after __msan_report* to avoid callback merge. 329 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 330 StringRef(""), StringRef(""), 331 /*hasSideEffects=*/true); 332} 333 334/// \brief Module-level initialization. 335/// 336/// inserts a call to __msan_init to the module's constructor list. 337bool MemorySanitizer::doInitialization(Module &M) { 338 TD = getAnalysisIfAvailable<DataLayout>(); 339 if (!TD) 340 return false; 341 BL.reset(new BlackList(BlacklistFile)); 342 C = &(M.getContext()); 343 unsigned PtrSize = TD->getPointerSizeInBits(/* AddressSpace */0); 344 switch (PtrSize) { 345 case 64: 346 ShadowMask = kShadowMask64; 347 OriginOffset = kOriginOffset64; 348 break; 349 case 32: 350 ShadowMask = kShadowMask32; 351 OriginOffset = kOriginOffset32; 352 break; 353 default: 354 report_fatal_error("unsupported pointer size"); 355 break; 356 } 357 358 IRBuilder<> IRB(*C); 359 IntptrTy = IRB.getIntPtrTy(TD); 360 OriginTy = IRB.getInt32Ty(); 361 362 ColdCallWeights = MDBuilder(*C).createBranchWeights(1, 1000); 363 OriginStoreWeights = MDBuilder(*C).createBranchWeights(1, 1000); 364 365 // Insert a call to __msan_init/__msan_track_origins into the module's CTORs. 366 appendToGlobalCtors(M, cast<Function>(M.getOrInsertFunction( 367 "__msan_init", IRB.getVoidTy(), NULL)), 0); 368 369 if (TrackOrigins) 370 new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage, 371 IRB.getInt32(TrackOrigins), "__msan_track_origins"); 372 373 if (ClKeepGoing) 374 new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage, 375 IRB.getInt32(ClKeepGoing), "__msan_keep_going"); 376 377 return true; 378} 379 380namespace { 381 382/// \brief A helper class that handles instrumentation of VarArg 383/// functions on a particular platform. 384/// 385/// Implementations are expected to insert the instrumentation 386/// necessary to propagate argument shadow through VarArg function 387/// calls. Visit* methods are called during an InstVisitor pass over 388/// the function, and should avoid creating new basic blocks. A new 389/// instance of this class is created for each instrumented function. 390struct VarArgHelper { 391 /// \brief Visit a CallSite. 392 virtual void visitCallSite(CallSite &CS, IRBuilder<> &IRB) = 0; 393 394 /// \brief Visit a va_start call. 395 virtual void visitVAStartInst(VAStartInst &I) = 0; 396 397 /// \brief Visit a va_copy call. 398 virtual void visitVACopyInst(VACopyInst &I) = 0; 399 400 /// \brief Finalize function instrumentation. 401 /// 402 /// This method is called after visiting all interesting (see above) 403 /// instructions in a function. 404 virtual void finalizeInstrumentation() = 0; 405 406 virtual ~VarArgHelper() {} 407}; 408 409struct MemorySanitizerVisitor; 410 411VarArgHelper* 412CreateVarArgHelper(Function &Func, MemorySanitizer &Msan, 413 MemorySanitizerVisitor &Visitor); 414 415/// This class does all the work for a given function. Store and Load 416/// instructions store and load corresponding shadow and origin 417/// values. Most instructions propagate shadow from arguments to their 418/// return values. Certain instructions (most importantly, BranchInst) 419/// test their argument shadow and print reports (with a runtime call) if it's 420/// non-zero. 421struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> { 422 Function &F; 423 MemorySanitizer &MS; 424 SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes; 425 ValueMap<Value*, Value*> ShadowMap, OriginMap; 426 bool InsertChecks; 427 bool LoadShadow; 428 bool PoisonStack; 429 bool PoisonUndef; 430 OwningPtr<VarArgHelper> VAHelper; 431 432 struct ShadowOriginAndInsertPoint { 433 Instruction *Shadow; 434 Instruction *Origin; 435 Instruction *OrigIns; 436 ShadowOriginAndInsertPoint(Instruction *S, Instruction *O, Instruction *I) 437 : Shadow(S), Origin(O), OrigIns(I) { } 438 ShadowOriginAndInsertPoint() : Shadow(0), Origin(0), OrigIns(0) { } 439 }; 440 SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList; 441 SmallVector<Instruction*, 16> StoreList; 442 443 MemorySanitizerVisitor(Function &F, MemorySanitizer &MS) 444 : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)) { 445 bool SanitizeFunction = !MS.BL->isIn(F) && F.getAttributes().hasAttribute( 446 AttributeSet::FunctionIndex, 447 Attribute::SanitizeMemory); 448 InsertChecks = SanitizeFunction; 449 LoadShadow = SanitizeFunction; 450 PoisonStack = SanitizeFunction && ClPoisonStack; 451 PoisonUndef = SanitizeFunction && ClPoisonUndef; 452 453 DEBUG(if (!InsertChecks) 454 dbgs() << "MemorySanitizer is not inserting checks into '" 455 << F.getName() << "'\n"); 456 } 457 458 void materializeStores() { 459 for (size_t i = 0, n = StoreList.size(); i < n; i++) { 460 StoreInst& I = *dyn_cast<StoreInst>(StoreList[i]); 461 462 IRBuilder<> IRB(&I); 463 Value *Val = I.getValueOperand(); 464 Value *Addr = I.getPointerOperand(); 465 Value *Shadow = getShadow(Val); 466 Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB); 467 468 StoreInst *NewSI = 469 IRB.CreateAlignedStore(Shadow, ShadowPtr, I.getAlignment()); 470 DEBUG(dbgs() << " STORE: " << *NewSI << "\n"); 471 (void)NewSI; 472 473 if (ClCheckAccessAddress) 474 insertCheck(Addr, &I); 475 476 if (MS.TrackOrigins) { 477 unsigned Alignment = std::max(kMinOriginAlignment, I.getAlignment()); 478 if (ClStoreCleanOrigin || isa<StructType>(Shadow->getType())) { 479 IRB.CreateAlignedStore(getOrigin(Val), getOriginPtr(Addr, IRB), 480 Alignment); 481 } else { 482 Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB); 483 484 Constant *Cst = dyn_cast_or_null<Constant>(ConvertedShadow); 485 // TODO(eugenis): handle non-zero constant shadow by inserting an 486 // unconditional check (can not simply fail compilation as this could 487 // be in the dead code). 488 if (Cst) 489 continue; 490 491 Value *Cmp = IRB.CreateICmpNE(ConvertedShadow, 492 getCleanShadow(ConvertedShadow), "_mscmp"); 493 Instruction *CheckTerm = 494 SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false, 495 MS.OriginStoreWeights); 496 IRBuilder<> IRBNew(CheckTerm); 497 IRBNew.CreateAlignedStore(getOrigin(Val), getOriginPtr(Addr, IRBNew), 498 Alignment); 499 } 500 } 501 } 502 } 503 504 void materializeChecks() { 505 for (size_t i = 0, n = InstrumentationList.size(); i < n; i++) { 506 Instruction *Shadow = InstrumentationList[i].Shadow; 507 Instruction *OrigIns = InstrumentationList[i].OrigIns; 508 IRBuilder<> IRB(OrigIns); 509 DEBUG(dbgs() << " SHAD0 : " << *Shadow << "\n"); 510 Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB); 511 DEBUG(dbgs() << " SHAD1 : " << *ConvertedShadow << "\n"); 512 Value *Cmp = IRB.CreateICmpNE(ConvertedShadow, 513 getCleanShadow(ConvertedShadow), "_mscmp"); 514 Instruction *CheckTerm = 515 SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), 516 /* Unreachable */ !ClKeepGoing, 517 MS.ColdCallWeights); 518 519 IRB.SetInsertPoint(CheckTerm); 520 if (MS.TrackOrigins) { 521 Instruction *Origin = InstrumentationList[i].Origin; 522 IRB.CreateStore(Origin ? (Value*)Origin : (Value*)IRB.getInt32(0), 523 MS.OriginTLS); 524 } 525 CallInst *Call = IRB.CreateCall(MS.WarningFn); 526 Call->setDebugLoc(OrigIns->getDebugLoc()); 527 IRB.CreateCall(MS.EmptyAsm); 528 DEBUG(dbgs() << " CHECK: " << *Cmp << "\n"); 529 } 530 DEBUG(dbgs() << "DONE:\n" << F); 531 } 532 533 /// \brief Add MemorySanitizer instrumentation to a function. 534 bool runOnFunction() { 535 MS.initializeCallbacks(*F.getParent()); 536 if (!MS.TD) return false; 537 538 // In the presence of unreachable blocks, we may see Phi nodes with 539 // incoming nodes from such blocks. Since InstVisitor skips unreachable 540 // blocks, such nodes will not have any shadow value associated with them. 541 // It's easier to remove unreachable blocks than deal with missing shadow. 542 removeUnreachableBlocks(F); 543 544 // Iterate all BBs in depth-first order and create shadow instructions 545 // for all instructions (where applicable). 546 // For PHI nodes we create dummy shadow PHIs which will be finalized later. 547 for (df_iterator<BasicBlock*> DI = df_begin(&F.getEntryBlock()), 548 DE = df_end(&F.getEntryBlock()); DI != DE; ++DI) { 549 BasicBlock *BB = *DI; 550 visit(*BB); 551 } 552 553 // Finalize PHI nodes. 554 for (size_t i = 0, n = ShadowPHINodes.size(); i < n; i++) { 555 PHINode *PN = ShadowPHINodes[i]; 556 PHINode *PNS = cast<PHINode>(getShadow(PN)); 557 PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : 0; 558 size_t NumValues = PN->getNumIncomingValues(); 559 for (size_t v = 0; v < NumValues; v++) { 560 PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v)); 561 if (PNO) 562 PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v)); 563 } 564 } 565 566 VAHelper->finalizeInstrumentation(); 567 568 // Delayed instrumentation of StoreInst. 569 // This may add new checks to be inserted later. 570 materializeStores(); 571 572 // Insert shadow value checks. 573 materializeChecks(); 574 575 return true; 576 } 577 578 /// \brief Compute the shadow type that corresponds to a given Value. 579 Type *getShadowTy(Value *V) { 580 return getShadowTy(V->getType()); 581 } 582 583 /// \brief Compute the shadow type that corresponds to a given Type. 584 Type *getShadowTy(Type *OrigTy) { 585 if (!OrigTy->isSized()) { 586 return 0; 587 } 588 // For integer type, shadow is the same as the original type. 589 // This may return weird-sized types like i1. 590 if (IntegerType *IT = dyn_cast<IntegerType>(OrigTy)) 591 return IT; 592 if (VectorType *VT = dyn_cast<VectorType>(OrigTy)) { 593 uint32_t EltSize = MS.TD->getTypeSizeInBits(VT->getElementType()); 594 return VectorType::get(IntegerType::get(*MS.C, EltSize), 595 VT->getNumElements()); 596 } 597 if (StructType *ST = dyn_cast<StructType>(OrigTy)) { 598 SmallVector<Type*, 4> Elements; 599 for (unsigned i = 0, n = ST->getNumElements(); i < n; i++) 600 Elements.push_back(getShadowTy(ST->getElementType(i))); 601 StructType *Res = StructType::get(*MS.C, Elements, ST->isPacked()); 602 DEBUG(dbgs() << "getShadowTy: " << *ST << " ===> " << *Res << "\n"); 603 return Res; 604 } 605 uint32_t TypeSize = MS.TD->getTypeSizeInBits(OrigTy); 606 return IntegerType::get(*MS.C, TypeSize); 607 } 608 609 /// \brief Flatten a vector type. 610 Type *getShadowTyNoVec(Type *ty) { 611 if (VectorType *vt = dyn_cast<VectorType>(ty)) 612 return IntegerType::get(*MS.C, vt->getBitWidth()); 613 return ty; 614 } 615 616 /// \brief Convert a shadow value to it's flattened variant. 617 Value *convertToShadowTyNoVec(Value *V, IRBuilder<> &IRB) { 618 Type *Ty = V->getType(); 619 Type *NoVecTy = getShadowTyNoVec(Ty); 620 if (Ty == NoVecTy) return V; 621 return IRB.CreateBitCast(V, NoVecTy); 622 } 623 624 /// \brief Compute the shadow address that corresponds to a given application 625 /// address. 626 /// 627 /// Shadow = Addr & ~ShadowMask. 628 Value *getShadowPtr(Value *Addr, Type *ShadowTy, 629 IRBuilder<> &IRB) { 630 Value *ShadowLong = 631 IRB.CreateAnd(IRB.CreatePointerCast(Addr, MS.IntptrTy), 632 ConstantInt::get(MS.IntptrTy, ~MS.ShadowMask)); 633 return IRB.CreateIntToPtr(ShadowLong, PointerType::get(ShadowTy, 0)); 634 } 635 636 /// \brief Compute the origin address that corresponds to a given application 637 /// address. 638 /// 639 /// OriginAddr = (ShadowAddr + OriginOffset) & ~3ULL 640 Value *getOriginPtr(Value *Addr, IRBuilder<> &IRB) { 641 Value *ShadowLong = 642 IRB.CreateAnd(IRB.CreatePointerCast(Addr, MS.IntptrTy), 643 ConstantInt::get(MS.IntptrTy, ~MS.ShadowMask)); 644 Value *Add = 645 IRB.CreateAdd(ShadowLong, 646 ConstantInt::get(MS.IntptrTy, MS.OriginOffset)); 647 Value *SecondAnd = 648 IRB.CreateAnd(Add, ConstantInt::get(MS.IntptrTy, ~3ULL)); 649 return IRB.CreateIntToPtr(SecondAnd, PointerType::get(IRB.getInt32Ty(), 0)); 650 } 651 652 /// \brief Compute the shadow address for a given function argument. 653 /// 654 /// Shadow = ParamTLS+ArgOffset. 655 Value *getShadowPtrForArgument(Value *A, IRBuilder<> &IRB, 656 int ArgOffset) { 657 Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy); 658 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 659 return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0), 660 "_msarg"); 661 } 662 663 /// \brief Compute the origin address for a given function argument. 664 Value *getOriginPtrForArgument(Value *A, IRBuilder<> &IRB, 665 int ArgOffset) { 666 if (!MS.TrackOrigins) return 0; 667 Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy); 668 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 669 return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0), 670 "_msarg_o"); 671 } 672 673 /// \brief Compute the shadow address for a retval. 674 Value *getShadowPtrForRetval(Value *A, IRBuilder<> &IRB) { 675 Value *Base = IRB.CreatePointerCast(MS.RetvalTLS, MS.IntptrTy); 676 return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0), 677 "_msret"); 678 } 679 680 /// \brief Compute the origin address for a retval. 681 Value *getOriginPtrForRetval(IRBuilder<> &IRB) { 682 // We keep a single origin for the entire retval. Might be too optimistic. 683 return MS.RetvalOriginTLS; 684 } 685 686 /// \brief Set SV to be the shadow value for V. 687 void setShadow(Value *V, Value *SV) { 688 assert(!ShadowMap.count(V) && "Values may only have one shadow"); 689 ShadowMap[V] = SV; 690 } 691 692 /// \brief Set Origin to be the origin value for V. 693 void setOrigin(Value *V, Value *Origin) { 694 if (!MS.TrackOrigins) return; 695 assert(!OriginMap.count(V) && "Values may only have one origin"); 696 DEBUG(dbgs() << "ORIGIN: " << *V << " ==> " << *Origin << "\n"); 697 OriginMap[V] = Origin; 698 } 699 700 /// \brief Create a clean shadow value for a given value. 701 /// 702 /// Clean shadow (all zeroes) means all bits of the value are defined 703 /// (initialized). 704 Constant *getCleanShadow(Value *V) { 705 Type *ShadowTy = getShadowTy(V); 706 if (!ShadowTy) 707 return 0; 708 return Constant::getNullValue(ShadowTy); 709 } 710 711 /// \brief Create a dirty shadow of a given shadow type. 712 Constant *getPoisonedShadow(Type *ShadowTy) { 713 assert(ShadowTy); 714 if (isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy)) 715 return Constant::getAllOnesValue(ShadowTy); 716 StructType *ST = cast<StructType>(ShadowTy); 717 SmallVector<Constant *, 4> Vals; 718 for (unsigned i = 0, n = ST->getNumElements(); i < n; i++) 719 Vals.push_back(getPoisonedShadow(ST->getElementType(i))); 720 return ConstantStruct::get(ST, Vals); 721 } 722 723 /// \brief Create a dirty shadow for a given value. 724 Constant *getPoisonedShadow(Value *V) { 725 Type *ShadowTy = getShadowTy(V); 726 if (!ShadowTy) 727 return 0; 728 return getPoisonedShadow(ShadowTy); 729 } 730 731 /// \brief Create a clean (zero) origin. 732 Value *getCleanOrigin() { 733 return Constant::getNullValue(MS.OriginTy); 734 } 735 736 /// \brief Get the shadow value for a given Value. 737 /// 738 /// This function either returns the value set earlier with setShadow, 739 /// or extracts if from ParamTLS (for function arguments). 740 Value *getShadow(Value *V) { 741 if (Instruction *I = dyn_cast<Instruction>(V)) { 742 // For instructions the shadow is already stored in the map. 743 Value *Shadow = ShadowMap[V]; 744 if (!Shadow) { 745 DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent())); 746 (void)I; 747 assert(Shadow && "No shadow for a value"); 748 } 749 return Shadow; 750 } 751 if (UndefValue *U = dyn_cast<UndefValue>(V)) { 752 Value *AllOnes = PoisonUndef ? getPoisonedShadow(V) : getCleanShadow(V); 753 DEBUG(dbgs() << "Undef: " << *U << " ==> " << *AllOnes << "\n"); 754 (void)U; 755 return AllOnes; 756 } 757 if (Argument *A = dyn_cast<Argument>(V)) { 758 // For arguments we compute the shadow on demand and store it in the map. 759 Value **ShadowPtr = &ShadowMap[V]; 760 if (*ShadowPtr) 761 return *ShadowPtr; 762 Function *F = A->getParent(); 763 IRBuilder<> EntryIRB(F->getEntryBlock().getFirstNonPHI()); 764 unsigned ArgOffset = 0; 765 for (Function::arg_iterator AI = F->arg_begin(), AE = F->arg_end(); 766 AI != AE; ++AI) { 767 if (!AI->getType()->isSized()) { 768 DEBUG(dbgs() << "Arg is not sized\n"); 769 continue; 770 } 771 unsigned Size = AI->hasByValAttr() 772 ? MS.TD->getTypeAllocSize(AI->getType()->getPointerElementType()) 773 : MS.TD->getTypeAllocSize(AI->getType()); 774 if (A == AI) { 775 Value *Base = getShadowPtrForArgument(AI, EntryIRB, ArgOffset); 776 if (AI->hasByValAttr()) { 777 // ByVal pointer itself has clean shadow. We copy the actual 778 // argument shadow to the underlying memory. 779 // Figure out maximal valid memcpy alignment. 780 unsigned ArgAlign = AI->getParamAlignment(); 781 if (ArgAlign == 0) { 782 Type *EltType = A->getType()->getPointerElementType(); 783 ArgAlign = MS.TD->getABITypeAlignment(EltType); 784 } 785 unsigned CopyAlign = std::min(ArgAlign, kShadowTLSAlignment); 786 Value *Cpy = EntryIRB.CreateMemCpy( 787 getShadowPtr(V, EntryIRB.getInt8Ty(), EntryIRB), Base, Size, 788 CopyAlign); 789 DEBUG(dbgs() << " ByValCpy: " << *Cpy << "\n"); 790 (void)Cpy; 791 *ShadowPtr = getCleanShadow(V); 792 } else { 793 *ShadowPtr = EntryIRB.CreateAlignedLoad(Base, kShadowTLSAlignment); 794 } 795 DEBUG(dbgs() << " ARG: " << *AI << " ==> " << 796 **ShadowPtr << "\n"); 797 if (MS.TrackOrigins) { 798 Value* OriginPtr = getOriginPtrForArgument(AI, EntryIRB, ArgOffset); 799 setOrigin(A, EntryIRB.CreateLoad(OriginPtr)); 800 } 801 } 802 ArgOffset += DataLayout::RoundUpAlignment(Size, kShadowTLSAlignment); 803 } 804 assert(*ShadowPtr && "Could not find shadow for an argument"); 805 return *ShadowPtr; 806 } 807 // For everything else the shadow is zero. 808 return getCleanShadow(V); 809 } 810 811 /// \brief Get the shadow for i-th argument of the instruction I. 812 Value *getShadow(Instruction *I, int i) { 813 return getShadow(I->getOperand(i)); 814 } 815 816 /// \brief Get the origin for a value. 817 Value *getOrigin(Value *V) { 818 if (!MS.TrackOrigins) return 0; 819 if (isa<Instruction>(V) || isa<Argument>(V)) { 820 Value *Origin = OriginMap[V]; 821 if (!Origin) { 822 DEBUG(dbgs() << "NO ORIGIN: " << *V << "\n"); 823 Origin = getCleanOrigin(); 824 } 825 return Origin; 826 } 827 return getCleanOrigin(); 828 } 829 830 /// \brief Get the origin for i-th argument of the instruction I. 831 Value *getOrigin(Instruction *I, int i) { 832 return getOrigin(I->getOperand(i)); 833 } 834 835 /// \brief Remember the place where a shadow check should be inserted. 836 /// 837 /// This location will be later instrumented with a check that will print a 838 /// UMR warning in runtime if the value is not fully defined. 839 void insertCheck(Value *Val, Instruction *OrigIns) { 840 assert(Val); 841 if (!InsertChecks) return; 842 Instruction *Shadow = dyn_cast_or_null<Instruction>(getShadow(Val)); 843 if (!Shadow) return; 844#ifndef NDEBUG 845 Type *ShadowTy = Shadow->getType(); 846 assert((isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy)) && 847 "Can only insert checks for integer and vector shadow types"); 848#endif 849 Instruction *Origin = dyn_cast_or_null<Instruction>(getOrigin(Val)); 850 InstrumentationList.push_back( 851 ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns)); 852 } 853 854 // ------------------- Visitors. 855 856 /// \brief Instrument LoadInst 857 /// 858 /// Loads the corresponding shadow and (optionally) origin. 859 /// Optionally, checks that the load address is fully defined. 860 void visitLoadInst(LoadInst &I) { 861 assert(I.getType()->isSized() && "Load type must have size"); 862 IRBuilder<> IRB(&I); 863 Type *ShadowTy = getShadowTy(&I); 864 Value *Addr = I.getPointerOperand(); 865 if (LoadShadow) { 866 Value *ShadowPtr = getShadowPtr(Addr, ShadowTy, IRB); 867 setShadow(&I, 868 IRB.CreateAlignedLoad(ShadowPtr, I.getAlignment(), "_msld")); 869 } else { 870 setShadow(&I, getCleanShadow(&I)); 871 } 872 873 if (ClCheckAccessAddress) 874 insertCheck(I.getPointerOperand(), &I); 875 876 if (MS.TrackOrigins) { 877 if (LoadShadow) { 878 unsigned Alignment = std::max(kMinOriginAlignment, I.getAlignment()); 879 setOrigin(&I, 880 IRB.CreateAlignedLoad(getOriginPtr(Addr, IRB), Alignment)); 881 } else { 882 setOrigin(&I, getCleanOrigin()); 883 } 884 } 885 } 886 887 /// \brief Instrument StoreInst 888 /// 889 /// Stores the corresponding shadow and (optionally) origin. 890 /// Optionally, checks that the store address is fully defined. 891 void visitStoreInst(StoreInst &I) { 892 StoreList.push_back(&I); 893 } 894 895 // Vector manipulation. 896 void visitExtractElementInst(ExtractElementInst &I) { 897 insertCheck(I.getOperand(1), &I); 898 IRBuilder<> IRB(&I); 899 setShadow(&I, IRB.CreateExtractElement(getShadow(&I, 0), I.getOperand(1), 900 "_msprop")); 901 setOrigin(&I, getOrigin(&I, 0)); 902 } 903 904 void visitInsertElementInst(InsertElementInst &I) { 905 insertCheck(I.getOperand(2), &I); 906 IRBuilder<> IRB(&I); 907 setShadow(&I, IRB.CreateInsertElement(getShadow(&I, 0), getShadow(&I, 1), 908 I.getOperand(2), "_msprop")); 909 setOriginForNaryOp(I); 910 } 911 912 void visitShuffleVectorInst(ShuffleVectorInst &I) { 913 insertCheck(I.getOperand(2), &I); 914 IRBuilder<> IRB(&I); 915 setShadow(&I, IRB.CreateShuffleVector(getShadow(&I, 0), getShadow(&I, 1), 916 I.getOperand(2), "_msprop")); 917 setOriginForNaryOp(I); 918 } 919 920 // Casts. 921 void visitSExtInst(SExtInst &I) { 922 IRBuilder<> IRB(&I); 923 setShadow(&I, IRB.CreateSExt(getShadow(&I, 0), I.getType(), "_msprop")); 924 setOrigin(&I, getOrigin(&I, 0)); 925 } 926 927 void visitZExtInst(ZExtInst &I) { 928 IRBuilder<> IRB(&I); 929 setShadow(&I, IRB.CreateZExt(getShadow(&I, 0), I.getType(), "_msprop")); 930 setOrigin(&I, getOrigin(&I, 0)); 931 } 932 933 void visitTruncInst(TruncInst &I) { 934 IRBuilder<> IRB(&I); 935 setShadow(&I, IRB.CreateTrunc(getShadow(&I, 0), I.getType(), "_msprop")); 936 setOrigin(&I, getOrigin(&I, 0)); 937 } 938 939 void visitBitCastInst(BitCastInst &I) { 940 IRBuilder<> IRB(&I); 941 setShadow(&I, IRB.CreateBitCast(getShadow(&I, 0), getShadowTy(&I))); 942 setOrigin(&I, getOrigin(&I, 0)); 943 } 944 945 void visitPtrToIntInst(PtrToIntInst &I) { 946 IRBuilder<> IRB(&I); 947 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false, 948 "_msprop_ptrtoint")); 949 setOrigin(&I, getOrigin(&I, 0)); 950 } 951 952 void visitIntToPtrInst(IntToPtrInst &I) { 953 IRBuilder<> IRB(&I); 954 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false, 955 "_msprop_inttoptr")); 956 setOrigin(&I, getOrigin(&I, 0)); 957 } 958 959 void visitFPToSIInst(CastInst& I) { handleShadowOr(I); } 960 void visitFPToUIInst(CastInst& I) { handleShadowOr(I); } 961 void visitSIToFPInst(CastInst& I) { handleShadowOr(I); } 962 void visitUIToFPInst(CastInst& I) { handleShadowOr(I); } 963 void visitFPExtInst(CastInst& I) { handleShadowOr(I); } 964 void visitFPTruncInst(CastInst& I) { handleShadowOr(I); } 965 966 /// \brief Propagate shadow for bitwise AND. 967 /// 968 /// This code is exact, i.e. if, for example, a bit in the left argument 969 /// is defined and 0, then neither the value not definedness of the 970 /// corresponding bit in B don't affect the resulting shadow. 971 void visitAnd(BinaryOperator &I) { 972 IRBuilder<> IRB(&I); 973 // "And" of 0 and a poisoned value results in unpoisoned value. 974 // 1&1 => 1; 0&1 => 0; p&1 => p; 975 // 1&0 => 0; 0&0 => 0; p&0 => 0; 976 // 1&p => p; 0&p => 0; p&p => p; 977 // S = (S1 & S2) | (V1 & S2) | (S1 & V2) 978 Value *S1 = getShadow(&I, 0); 979 Value *S2 = getShadow(&I, 1); 980 Value *V1 = I.getOperand(0); 981 Value *V2 = I.getOperand(1); 982 if (V1->getType() != S1->getType()) { 983 V1 = IRB.CreateIntCast(V1, S1->getType(), false); 984 V2 = IRB.CreateIntCast(V2, S2->getType(), false); 985 } 986 Value *S1S2 = IRB.CreateAnd(S1, S2); 987 Value *V1S2 = IRB.CreateAnd(V1, S2); 988 Value *S1V2 = IRB.CreateAnd(S1, V2); 989 setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2))); 990 setOriginForNaryOp(I); 991 } 992 993 void visitOr(BinaryOperator &I) { 994 IRBuilder<> IRB(&I); 995 // "Or" of 1 and a poisoned value results in unpoisoned value. 996 // 1|1 => 1; 0|1 => 1; p|1 => 1; 997 // 1|0 => 1; 0|0 => 0; p|0 => p; 998 // 1|p => 1; 0|p => p; p|p => p; 999 // S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2) 1000 Value *S1 = getShadow(&I, 0); 1001 Value *S2 = getShadow(&I, 1); 1002 Value *V1 = IRB.CreateNot(I.getOperand(0)); 1003 Value *V2 = IRB.CreateNot(I.getOperand(1)); 1004 if (V1->getType() != S1->getType()) { 1005 V1 = IRB.CreateIntCast(V1, S1->getType(), false); 1006 V2 = IRB.CreateIntCast(V2, S2->getType(), false); 1007 } 1008 Value *S1S2 = IRB.CreateAnd(S1, S2); 1009 Value *V1S2 = IRB.CreateAnd(V1, S2); 1010 Value *S1V2 = IRB.CreateAnd(S1, V2); 1011 setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2))); 1012 setOriginForNaryOp(I); 1013 } 1014 1015 /// \brief Default propagation of shadow and/or origin. 1016 /// 1017 /// This class implements the general case of shadow propagation, used in all 1018 /// cases where we don't know and/or don't care about what the operation 1019 /// actually does. It converts all input shadow values to a common type 1020 /// (extending or truncating as necessary), and bitwise OR's them. 1021 /// 1022 /// This is much cheaper than inserting checks (i.e. requiring inputs to be 1023 /// fully initialized), and less prone to false positives. 1024 /// 1025 /// This class also implements the general case of origin propagation. For a 1026 /// Nary operation, result origin is set to the origin of an argument that is 1027 /// not entirely initialized. If there is more than one such arguments, the 1028 /// rightmost of them is picked. It does not matter which one is picked if all 1029 /// arguments are initialized. 1030 template <bool CombineShadow> 1031 class Combiner { 1032 Value *Shadow; 1033 Value *Origin; 1034 IRBuilder<> &IRB; 1035 MemorySanitizerVisitor *MSV; 1036 1037 public: 1038 Combiner(MemorySanitizerVisitor *MSV, IRBuilder<> &IRB) : 1039 Shadow(0), Origin(0), IRB(IRB), MSV(MSV) {} 1040 1041 /// \brief Add a pair of shadow and origin values to the mix. 1042 Combiner &Add(Value *OpShadow, Value *OpOrigin) { 1043 if (CombineShadow) { 1044 assert(OpShadow); 1045 if (!Shadow) 1046 Shadow = OpShadow; 1047 else { 1048 OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType()); 1049 Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop"); 1050 } 1051 } 1052 1053 if (MSV->MS.TrackOrigins) { 1054 assert(OpOrigin); 1055 if (!Origin) { 1056 Origin = OpOrigin; 1057 } else { 1058 Value *FlatShadow = MSV->convertToShadowTyNoVec(OpShadow, IRB); 1059 Value *Cond = IRB.CreateICmpNE(FlatShadow, 1060 MSV->getCleanShadow(FlatShadow)); 1061 Origin = IRB.CreateSelect(Cond, OpOrigin, Origin); 1062 } 1063 } 1064 return *this; 1065 } 1066 1067 /// \brief Add an application value to the mix. 1068 Combiner &Add(Value *V) { 1069 Value *OpShadow = MSV->getShadow(V); 1070 Value *OpOrigin = MSV->MS.TrackOrigins ? MSV->getOrigin(V) : 0; 1071 return Add(OpShadow, OpOrigin); 1072 } 1073 1074 /// \brief Set the current combined values as the given instruction's shadow 1075 /// and origin. 1076 void Done(Instruction *I) { 1077 if (CombineShadow) { 1078 assert(Shadow); 1079 Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I)); 1080 MSV->setShadow(I, Shadow); 1081 } 1082 if (MSV->MS.TrackOrigins) { 1083 assert(Origin); 1084 MSV->setOrigin(I, Origin); 1085 } 1086 } 1087 }; 1088 1089 typedef Combiner<true> ShadowAndOriginCombiner; 1090 typedef Combiner<false> OriginCombiner; 1091 1092 /// \brief Propagate origin for arbitrary operation. 1093 void setOriginForNaryOp(Instruction &I) { 1094 if (!MS.TrackOrigins) return; 1095 IRBuilder<> IRB(&I); 1096 OriginCombiner OC(this, IRB); 1097 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI) 1098 OC.Add(OI->get()); 1099 OC.Done(&I); 1100 } 1101 1102 size_t VectorOrPrimitiveTypeSizeInBits(Type *Ty) { 1103 assert(!(Ty->isVectorTy() && Ty->getScalarType()->isPointerTy()) && 1104 "Vector of pointers is not a valid shadow type"); 1105 return Ty->isVectorTy() ? 1106 Ty->getVectorNumElements() * Ty->getScalarSizeInBits() : 1107 Ty->getPrimitiveSizeInBits(); 1108 } 1109 1110 /// \brief Cast between two shadow types, extending or truncating as 1111 /// necessary. 1112 Value *CreateShadowCast(IRBuilder<> &IRB, Value *V, Type *dstTy) { 1113 Type *srcTy = V->getType(); 1114 if (dstTy->isIntegerTy() && srcTy->isIntegerTy()) 1115 return IRB.CreateIntCast(V, dstTy, false); 1116 if (dstTy->isVectorTy() && srcTy->isVectorTy() && 1117 dstTy->getVectorNumElements() == srcTy->getVectorNumElements()) 1118 return IRB.CreateIntCast(V, dstTy, false); 1119 size_t srcSizeInBits = VectorOrPrimitiveTypeSizeInBits(srcTy); 1120 size_t dstSizeInBits = VectorOrPrimitiveTypeSizeInBits(dstTy); 1121 Value *V1 = IRB.CreateBitCast(V, Type::getIntNTy(*MS.C, srcSizeInBits)); 1122 Value *V2 = 1123 IRB.CreateIntCast(V1, Type::getIntNTy(*MS.C, dstSizeInBits), false); 1124 return IRB.CreateBitCast(V2, dstTy); 1125 // TODO: handle struct types. 1126 } 1127 1128 /// \brief Propagate shadow for arbitrary operation. 1129 void handleShadowOr(Instruction &I) { 1130 IRBuilder<> IRB(&I); 1131 ShadowAndOriginCombiner SC(this, IRB); 1132 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI) 1133 SC.Add(OI->get()); 1134 SC.Done(&I); 1135 } 1136 1137 void visitFAdd(BinaryOperator &I) { handleShadowOr(I); } 1138 void visitFSub(BinaryOperator &I) { handleShadowOr(I); } 1139 void visitFMul(BinaryOperator &I) { handleShadowOr(I); } 1140 void visitAdd(BinaryOperator &I) { handleShadowOr(I); } 1141 void visitSub(BinaryOperator &I) { handleShadowOr(I); } 1142 void visitXor(BinaryOperator &I) { handleShadowOr(I); } 1143 void visitMul(BinaryOperator &I) { handleShadowOr(I); } 1144 1145 void handleDiv(Instruction &I) { 1146 IRBuilder<> IRB(&I); 1147 // Strict on the second argument. 1148 insertCheck(I.getOperand(1), &I); 1149 setShadow(&I, getShadow(&I, 0)); 1150 setOrigin(&I, getOrigin(&I, 0)); 1151 } 1152 1153 void visitUDiv(BinaryOperator &I) { handleDiv(I); } 1154 void visitSDiv(BinaryOperator &I) { handleDiv(I); } 1155 void visitFDiv(BinaryOperator &I) { handleDiv(I); } 1156 void visitURem(BinaryOperator &I) { handleDiv(I); } 1157 void visitSRem(BinaryOperator &I) { handleDiv(I); } 1158 void visitFRem(BinaryOperator &I) { handleDiv(I); } 1159 1160 /// \brief Instrument == and != comparisons. 1161 /// 1162 /// Sometimes the comparison result is known even if some of the bits of the 1163 /// arguments are not. 1164 void handleEqualityComparison(ICmpInst &I) { 1165 IRBuilder<> IRB(&I); 1166 Value *A = I.getOperand(0); 1167 Value *B = I.getOperand(1); 1168 Value *Sa = getShadow(A); 1169 Value *Sb = getShadow(B); 1170 1171 // Get rid of pointers and vectors of pointers. 1172 // For ints (and vectors of ints), types of A and Sa match, 1173 // and this is a no-op. 1174 A = IRB.CreatePointerCast(A, Sa->getType()); 1175 B = IRB.CreatePointerCast(B, Sb->getType()); 1176 1177 // A == B <==> (C = A^B) == 0 1178 // A != B <==> (C = A^B) != 0 1179 // Sc = Sa | Sb 1180 Value *C = IRB.CreateXor(A, B); 1181 Value *Sc = IRB.CreateOr(Sa, Sb); 1182 // Now dealing with i = (C == 0) comparison (or C != 0, does not matter now) 1183 // Result is defined if one of the following is true 1184 // * there is a defined 1 bit in C 1185 // * C is fully defined 1186 // Si = !(C & ~Sc) && Sc 1187 Value *Zero = Constant::getNullValue(Sc->getType()); 1188 Value *MinusOne = Constant::getAllOnesValue(Sc->getType()); 1189 Value *Si = 1190 IRB.CreateAnd(IRB.CreateICmpNE(Sc, Zero), 1191 IRB.CreateICmpEQ( 1192 IRB.CreateAnd(IRB.CreateXor(Sc, MinusOne), C), Zero)); 1193 Si->setName("_msprop_icmp"); 1194 setShadow(&I, Si); 1195 setOriginForNaryOp(I); 1196 } 1197 1198 /// \brief Build the lowest possible value of V, taking into account V's 1199 /// uninitialized bits. 1200 Value *getLowestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa, 1201 bool isSigned) { 1202 if (isSigned) { 1203 // Split shadow into sign bit and other bits. 1204 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1); 1205 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits); 1206 // Maximise the undefined shadow bit, minimize other undefined bits. 1207 return 1208 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaOtherBits)), SaSignBit); 1209 } else { 1210 // Minimize undefined bits. 1211 return IRB.CreateAnd(A, IRB.CreateNot(Sa)); 1212 } 1213 } 1214 1215 /// \brief Build the highest possible value of V, taking into account V's 1216 /// uninitialized bits. 1217 Value *getHighestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa, 1218 bool isSigned) { 1219 if (isSigned) { 1220 // Split shadow into sign bit and other bits. 1221 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1); 1222 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits); 1223 // Minimise the undefined shadow bit, maximise other undefined bits. 1224 return 1225 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaSignBit)), SaOtherBits); 1226 } else { 1227 // Maximize undefined bits. 1228 return IRB.CreateOr(A, Sa); 1229 } 1230 } 1231 1232 /// \brief Instrument relational comparisons. 1233 /// 1234 /// This function does exact shadow propagation for all relational 1235 /// comparisons of integers, pointers and vectors of those. 1236 /// FIXME: output seems suboptimal when one of the operands is a constant 1237 void handleRelationalComparisonExact(ICmpInst &I) { 1238 IRBuilder<> IRB(&I); 1239 Value *A = I.getOperand(0); 1240 Value *B = I.getOperand(1); 1241 Value *Sa = getShadow(A); 1242 Value *Sb = getShadow(B); 1243 1244 // Get rid of pointers and vectors of pointers. 1245 // For ints (and vectors of ints), types of A and Sa match, 1246 // and this is a no-op. 1247 A = IRB.CreatePointerCast(A, Sa->getType()); 1248 B = IRB.CreatePointerCast(B, Sb->getType()); 1249 1250 // Let [a0, a1] be the interval of possible values of A, taking into account 1251 // its undefined bits. Let [b0, b1] be the interval of possible values of B. 1252 // Then (A cmp B) is defined iff (a0 cmp b1) == (a1 cmp b0). 1253 bool IsSigned = I.isSigned(); 1254 Value *S1 = IRB.CreateICmp(I.getPredicate(), 1255 getLowestPossibleValue(IRB, A, Sa, IsSigned), 1256 getHighestPossibleValue(IRB, B, Sb, IsSigned)); 1257 Value *S2 = IRB.CreateICmp(I.getPredicate(), 1258 getHighestPossibleValue(IRB, A, Sa, IsSigned), 1259 getLowestPossibleValue(IRB, B, Sb, IsSigned)); 1260 Value *Si = IRB.CreateXor(S1, S2); 1261 setShadow(&I, Si); 1262 setOriginForNaryOp(I); 1263 } 1264 1265 /// \brief Instrument signed relational comparisons. 1266 /// 1267 /// Handle (x<0) and (x>=0) comparisons (essentially, sign bit tests) by 1268 /// propagating the highest bit of the shadow. Everything else is delegated 1269 /// to handleShadowOr(). 1270 void handleSignedRelationalComparison(ICmpInst &I) { 1271 Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0)); 1272 Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1)); 1273 Value* op = NULL; 1274 CmpInst::Predicate pre = I.getPredicate(); 1275 if (constOp0 && constOp0->isNullValue() && 1276 (pre == CmpInst::ICMP_SGT || pre == CmpInst::ICMP_SLE)) { 1277 op = I.getOperand(1); 1278 } else if (constOp1 && constOp1->isNullValue() && 1279 (pre == CmpInst::ICMP_SLT || pre == CmpInst::ICMP_SGE)) { 1280 op = I.getOperand(0); 1281 } 1282 if (op) { 1283 IRBuilder<> IRB(&I); 1284 Value* Shadow = 1285 IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op), "_msprop_icmpslt"); 1286 setShadow(&I, Shadow); 1287 setOrigin(&I, getOrigin(op)); 1288 } else { 1289 handleShadowOr(I); 1290 } 1291 } 1292 1293 void visitICmpInst(ICmpInst &I) { 1294 if (!ClHandleICmp) { 1295 handleShadowOr(I); 1296 return; 1297 } 1298 if (I.isEquality()) { 1299 handleEqualityComparison(I); 1300 return; 1301 } 1302 1303 assert(I.isRelational()); 1304 if (ClHandleICmpExact) { 1305 handleRelationalComparisonExact(I); 1306 return; 1307 } 1308 if (I.isSigned()) { 1309 handleSignedRelationalComparison(I); 1310 return; 1311 } 1312 1313 assert(I.isUnsigned()); 1314 if ((isa<Constant>(I.getOperand(0)) || isa<Constant>(I.getOperand(1)))) { 1315 handleRelationalComparisonExact(I); 1316 return; 1317 } 1318 1319 handleShadowOr(I); 1320 } 1321 1322 void visitFCmpInst(FCmpInst &I) { 1323 handleShadowOr(I); 1324 } 1325 1326 void handleShift(BinaryOperator &I) { 1327 IRBuilder<> IRB(&I); 1328 // If any of the S2 bits are poisoned, the whole thing is poisoned. 1329 // Otherwise perform the same shift on S1. 1330 Value *S1 = getShadow(&I, 0); 1331 Value *S2 = getShadow(&I, 1); 1332 Value *S2Conv = IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)), 1333 S2->getType()); 1334 Value *V2 = I.getOperand(1); 1335 Value *Shift = IRB.CreateBinOp(I.getOpcode(), S1, V2); 1336 setShadow(&I, IRB.CreateOr(Shift, S2Conv)); 1337 setOriginForNaryOp(I); 1338 } 1339 1340 void visitShl(BinaryOperator &I) { handleShift(I); } 1341 void visitAShr(BinaryOperator &I) { handleShift(I); } 1342 void visitLShr(BinaryOperator &I) { handleShift(I); } 1343 1344 /// \brief Instrument llvm.memmove 1345 /// 1346 /// At this point we don't know if llvm.memmove will be inlined or not. 1347 /// If we don't instrument it and it gets inlined, 1348 /// our interceptor will not kick in and we will lose the memmove. 1349 /// If we instrument the call here, but it does not get inlined, 1350 /// we will memove the shadow twice: which is bad in case 1351 /// of overlapping regions. So, we simply lower the intrinsic to a call. 1352 /// 1353 /// Similar situation exists for memcpy and memset. 1354 void visitMemMoveInst(MemMoveInst &I) { 1355 IRBuilder<> IRB(&I); 1356 IRB.CreateCall3( 1357 MS.MemmoveFn, 1358 IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()), 1359 IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()), 1360 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)); 1361 I.eraseFromParent(); 1362 } 1363 1364 // Similar to memmove: avoid copying shadow twice. 1365 // This is somewhat unfortunate as it may slowdown small constant memcpys. 1366 // FIXME: consider doing manual inline for small constant sizes and proper 1367 // alignment. 1368 void visitMemCpyInst(MemCpyInst &I) { 1369 IRBuilder<> IRB(&I); 1370 IRB.CreateCall3( 1371 MS.MemcpyFn, 1372 IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()), 1373 IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()), 1374 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)); 1375 I.eraseFromParent(); 1376 } 1377 1378 // Same as memcpy. 1379 void visitMemSetInst(MemSetInst &I) { 1380 IRBuilder<> IRB(&I); 1381 IRB.CreateCall3( 1382 MS.MemsetFn, 1383 IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()), 1384 IRB.CreateIntCast(I.getArgOperand(1), IRB.getInt32Ty(), false), 1385 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)); 1386 I.eraseFromParent(); 1387 } 1388 1389 void visitVAStartInst(VAStartInst &I) { 1390 VAHelper->visitVAStartInst(I); 1391 } 1392 1393 void visitVACopyInst(VACopyInst &I) { 1394 VAHelper->visitVACopyInst(I); 1395 } 1396 1397 enum IntrinsicKind { 1398 IK_DoesNotAccessMemory, 1399 IK_OnlyReadsMemory, 1400 IK_WritesMemory 1401 }; 1402 1403 static IntrinsicKind getIntrinsicKind(Intrinsic::ID iid) { 1404 const int DoesNotAccessMemory = IK_DoesNotAccessMemory; 1405 const int OnlyReadsArgumentPointees = IK_OnlyReadsMemory; 1406 const int OnlyReadsMemory = IK_OnlyReadsMemory; 1407 const int OnlyAccessesArgumentPointees = IK_WritesMemory; 1408 const int UnknownModRefBehavior = IK_WritesMemory; 1409#define GET_INTRINSIC_MODREF_BEHAVIOR 1410#define ModRefBehavior IntrinsicKind 1411#include "llvm/IR/Intrinsics.gen" 1412#undef ModRefBehavior 1413#undef GET_INTRINSIC_MODREF_BEHAVIOR 1414 } 1415 1416 /// \brief Handle vector store-like intrinsics. 1417 /// 1418 /// Instrument intrinsics that look like a simple SIMD store: writes memory, 1419 /// has 1 pointer argument and 1 vector argument, returns void. 1420 bool handleVectorStoreIntrinsic(IntrinsicInst &I) { 1421 IRBuilder<> IRB(&I); 1422 Value* Addr = I.getArgOperand(0); 1423 Value *Shadow = getShadow(&I, 1); 1424 Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB); 1425 1426 // We don't know the pointer alignment (could be unaligned SSE store!). 1427 // Have to assume to worst case. 1428 IRB.CreateAlignedStore(Shadow, ShadowPtr, 1); 1429 1430 if (ClCheckAccessAddress) 1431 insertCheck(Addr, &I); 1432 1433 // FIXME: use ClStoreCleanOrigin 1434 // FIXME: factor out common code from materializeStores 1435 if (MS.TrackOrigins) 1436 IRB.CreateStore(getOrigin(&I, 1), getOriginPtr(Addr, IRB)); 1437 return true; 1438 } 1439 1440 /// \brief Handle vector load-like intrinsics. 1441 /// 1442 /// Instrument intrinsics that look like a simple SIMD load: reads memory, 1443 /// has 1 pointer argument, returns a vector. 1444 bool handleVectorLoadIntrinsic(IntrinsicInst &I) { 1445 IRBuilder<> IRB(&I); 1446 Value *Addr = I.getArgOperand(0); 1447 1448 Type *ShadowTy = getShadowTy(&I); 1449 if (LoadShadow) { 1450 Value *ShadowPtr = getShadowPtr(Addr, ShadowTy, IRB); 1451 // We don't know the pointer alignment (could be unaligned SSE load!). 1452 // Have to assume to worst case. 1453 setShadow(&I, IRB.CreateAlignedLoad(ShadowPtr, 1, "_msld")); 1454 } else { 1455 setShadow(&I, getCleanShadow(&I)); 1456 } 1457 1458 1459 if (ClCheckAccessAddress) 1460 insertCheck(Addr, &I); 1461 1462 if (MS.TrackOrigins) { 1463 if (LoadShadow) 1464 setOrigin(&I, IRB.CreateLoad(getOriginPtr(Addr, IRB))); 1465 else 1466 setOrigin(&I, getCleanOrigin()); 1467 } 1468 return true; 1469 } 1470 1471 /// \brief Handle (SIMD arithmetic)-like intrinsics. 1472 /// 1473 /// Instrument intrinsics with any number of arguments of the same type, 1474 /// equal to the return type. The type should be simple (no aggregates or 1475 /// pointers; vectors are fine). 1476 /// Caller guarantees that this intrinsic does not access memory. 1477 bool maybeHandleSimpleNomemIntrinsic(IntrinsicInst &I) { 1478 Type *RetTy = I.getType(); 1479 if (!(RetTy->isIntOrIntVectorTy() || 1480 RetTy->isFPOrFPVectorTy() || 1481 RetTy->isX86_MMXTy())) 1482 return false; 1483 1484 unsigned NumArgOperands = I.getNumArgOperands(); 1485 1486 for (unsigned i = 0; i < NumArgOperands; ++i) { 1487 Type *Ty = I.getArgOperand(i)->getType(); 1488 if (Ty != RetTy) 1489 return false; 1490 } 1491 1492 IRBuilder<> IRB(&I); 1493 ShadowAndOriginCombiner SC(this, IRB); 1494 for (unsigned i = 0; i < NumArgOperands; ++i) 1495 SC.Add(I.getArgOperand(i)); 1496 SC.Done(&I); 1497 1498 return true; 1499 } 1500 1501 /// \brief Heuristically instrument unknown intrinsics. 1502 /// 1503 /// The main purpose of this code is to do something reasonable with all 1504 /// random intrinsics we might encounter, most importantly - SIMD intrinsics. 1505 /// We recognize several classes of intrinsics by their argument types and 1506 /// ModRefBehaviour and apply special intrumentation when we are reasonably 1507 /// sure that we know what the intrinsic does. 1508 /// 1509 /// We special-case intrinsics where this approach fails. See llvm.bswap 1510 /// handling as an example of that. 1511 bool handleUnknownIntrinsic(IntrinsicInst &I) { 1512 unsigned NumArgOperands = I.getNumArgOperands(); 1513 if (NumArgOperands == 0) 1514 return false; 1515 1516 Intrinsic::ID iid = I.getIntrinsicID(); 1517 IntrinsicKind IK = getIntrinsicKind(iid); 1518 bool OnlyReadsMemory = IK == IK_OnlyReadsMemory; 1519 bool WritesMemory = IK == IK_WritesMemory; 1520 assert(!(OnlyReadsMemory && WritesMemory)); 1521 1522 if (NumArgOperands == 2 && 1523 I.getArgOperand(0)->getType()->isPointerTy() && 1524 I.getArgOperand(1)->getType()->isVectorTy() && 1525 I.getType()->isVoidTy() && 1526 WritesMemory) { 1527 // This looks like a vector store. 1528 return handleVectorStoreIntrinsic(I); 1529 } 1530 1531 if (NumArgOperands == 1 && 1532 I.getArgOperand(0)->getType()->isPointerTy() && 1533 I.getType()->isVectorTy() && 1534 OnlyReadsMemory) { 1535 // This looks like a vector load. 1536 return handleVectorLoadIntrinsic(I); 1537 } 1538 1539 if (!OnlyReadsMemory && !WritesMemory) 1540 if (maybeHandleSimpleNomemIntrinsic(I)) 1541 return true; 1542 1543 // FIXME: detect and handle SSE maskstore/maskload 1544 return false; 1545 } 1546 1547 void handleBswap(IntrinsicInst &I) { 1548 IRBuilder<> IRB(&I); 1549 Value *Op = I.getArgOperand(0); 1550 Type *OpType = Op->getType(); 1551 Function *BswapFunc = Intrinsic::getDeclaration( 1552 F.getParent(), Intrinsic::bswap, ArrayRef<Type*>(&OpType, 1)); 1553 setShadow(&I, IRB.CreateCall(BswapFunc, getShadow(Op))); 1554 setOrigin(&I, getOrigin(Op)); 1555 } 1556 1557 void visitIntrinsicInst(IntrinsicInst &I) { 1558 switch (I.getIntrinsicID()) { 1559 case llvm::Intrinsic::bswap: 1560 handleBswap(I); 1561 break; 1562 default: 1563 if (!handleUnknownIntrinsic(I)) 1564 visitInstruction(I); 1565 break; 1566 } 1567 } 1568 1569 void visitCallSite(CallSite CS) { 1570 Instruction &I = *CS.getInstruction(); 1571 assert((CS.isCall() || CS.isInvoke()) && "Unknown type of CallSite"); 1572 if (CS.isCall()) { 1573 CallInst *Call = cast<CallInst>(&I); 1574 1575 // For inline asm, do the usual thing: check argument shadow and mark all 1576 // outputs as clean. Note that any side effects of the inline asm that are 1577 // not immediately visible in its constraints are not handled. 1578 if (Call->isInlineAsm()) { 1579 visitInstruction(I); 1580 return; 1581 } 1582 1583 // Allow only tail calls with the same types, otherwise 1584 // we may have a false positive: shadow for a non-void RetVal 1585 // will get propagated to a void RetVal. 1586 if (Call->isTailCall() && Call->getType() != Call->getParent()->getType()) 1587 Call->setTailCall(false); 1588 1589 assert(!isa<IntrinsicInst>(&I) && "intrinsics are handled elsewhere"); 1590 1591 // We are going to insert code that relies on the fact that the callee 1592 // will become a non-readonly function after it is instrumented by us. To 1593 // prevent this code from being optimized out, mark that function 1594 // non-readonly in advance. 1595 if (Function *Func = Call->getCalledFunction()) { 1596 // Clear out readonly/readnone attributes. 1597 AttrBuilder B; 1598 B.addAttribute(Attribute::ReadOnly) 1599 .addAttribute(Attribute::ReadNone); 1600 Func->removeAttributes(AttributeSet::FunctionIndex, 1601 AttributeSet::get(Func->getContext(), 1602 AttributeSet::FunctionIndex, 1603 B)); 1604 } 1605 } 1606 IRBuilder<> IRB(&I); 1607 unsigned ArgOffset = 0; 1608 DEBUG(dbgs() << " CallSite: " << I << "\n"); 1609 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end(); 1610 ArgIt != End; ++ArgIt) { 1611 Value *A = *ArgIt; 1612 unsigned i = ArgIt - CS.arg_begin(); 1613 if (!A->getType()->isSized()) { 1614 DEBUG(dbgs() << "Arg " << i << " is not sized: " << I << "\n"); 1615 continue; 1616 } 1617 unsigned Size = 0; 1618 Value *Store = 0; 1619 // Compute the Shadow for arg even if it is ByVal, because 1620 // in that case getShadow() will copy the actual arg shadow to 1621 // __msan_param_tls. 1622 Value *ArgShadow = getShadow(A); 1623 Value *ArgShadowBase = getShadowPtrForArgument(A, IRB, ArgOffset); 1624 DEBUG(dbgs() << " Arg#" << i << ": " << *A << 1625 " Shadow: " << *ArgShadow << "\n"); 1626 if (CS.paramHasAttr(i + 1, Attribute::ByVal)) { 1627 assert(A->getType()->isPointerTy() && 1628 "ByVal argument is not a pointer!"); 1629 Size = MS.TD->getTypeAllocSize(A->getType()->getPointerElementType()); 1630 unsigned Alignment = CS.getParamAlignment(i + 1); 1631 Store = IRB.CreateMemCpy(ArgShadowBase, 1632 getShadowPtr(A, Type::getInt8Ty(*MS.C), IRB), 1633 Size, Alignment); 1634 } else { 1635 Size = MS.TD->getTypeAllocSize(A->getType()); 1636 Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase, 1637 kShadowTLSAlignment); 1638 } 1639 if (MS.TrackOrigins) 1640 IRB.CreateStore(getOrigin(A), 1641 getOriginPtrForArgument(A, IRB, ArgOffset)); 1642 (void)Store; 1643 assert(Size != 0 && Store != 0); 1644 DEBUG(dbgs() << " Param:" << *Store << "\n"); 1645 ArgOffset += DataLayout::RoundUpAlignment(Size, 8); 1646 } 1647 DEBUG(dbgs() << " done with call args\n"); 1648 1649 FunctionType *FT = 1650 cast<FunctionType>(CS.getCalledValue()->getType()-> getContainedType(0)); 1651 if (FT->isVarArg()) { 1652 VAHelper->visitCallSite(CS, IRB); 1653 } 1654 1655 // Now, get the shadow for the RetVal. 1656 if (!I.getType()->isSized()) return; 1657 IRBuilder<> IRBBefore(&I); 1658 // Untill we have full dynamic coverage, make sure the retval shadow is 0. 1659 Value *Base = getShadowPtrForRetval(&I, IRBBefore); 1660 IRBBefore.CreateAlignedStore(getCleanShadow(&I), Base, kShadowTLSAlignment); 1661 Instruction *NextInsn = 0; 1662 if (CS.isCall()) { 1663 NextInsn = I.getNextNode(); 1664 } else { 1665 BasicBlock *NormalDest = cast<InvokeInst>(&I)->getNormalDest(); 1666 if (!NormalDest->getSinglePredecessor()) { 1667 // FIXME: this case is tricky, so we are just conservative here. 1668 // Perhaps we need to split the edge between this BB and NormalDest, 1669 // but a naive attempt to use SplitEdge leads to a crash. 1670 setShadow(&I, getCleanShadow(&I)); 1671 setOrigin(&I, getCleanOrigin()); 1672 return; 1673 } 1674 NextInsn = NormalDest->getFirstInsertionPt(); 1675 assert(NextInsn && 1676 "Could not find insertion point for retval shadow load"); 1677 } 1678 IRBuilder<> IRBAfter(NextInsn); 1679 Value *RetvalShadow = 1680 IRBAfter.CreateAlignedLoad(getShadowPtrForRetval(&I, IRBAfter), 1681 kShadowTLSAlignment, "_msret"); 1682 setShadow(&I, RetvalShadow); 1683 if (MS.TrackOrigins) 1684 setOrigin(&I, IRBAfter.CreateLoad(getOriginPtrForRetval(IRBAfter))); 1685 } 1686 1687 void visitReturnInst(ReturnInst &I) { 1688 IRBuilder<> IRB(&I); 1689 if (Value *RetVal = I.getReturnValue()) { 1690 // Set the shadow for the RetVal. 1691 Value *Shadow = getShadow(RetVal); 1692 Value *ShadowPtr = getShadowPtrForRetval(RetVal, IRB); 1693 DEBUG(dbgs() << "Return: " << *Shadow << "\n" << *ShadowPtr << "\n"); 1694 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment); 1695 if (MS.TrackOrigins) 1696 IRB.CreateStore(getOrigin(RetVal), getOriginPtrForRetval(IRB)); 1697 } 1698 } 1699 1700 void visitPHINode(PHINode &I) { 1701 IRBuilder<> IRB(&I); 1702 ShadowPHINodes.push_back(&I); 1703 setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(), 1704 "_msphi_s")); 1705 if (MS.TrackOrigins) 1706 setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(), 1707 "_msphi_o")); 1708 } 1709 1710 void visitAllocaInst(AllocaInst &I) { 1711 setShadow(&I, getCleanShadow(&I)); 1712 IRBuilder<> IRB(I.getNextNode()); 1713 uint64_t Size = MS.TD->getTypeAllocSize(I.getAllocatedType()); 1714 if (PoisonStack && ClPoisonStackWithCall) { 1715 IRB.CreateCall2(MS.MsanPoisonStackFn, 1716 IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), 1717 ConstantInt::get(MS.IntptrTy, Size)); 1718 } else { 1719 Value *ShadowBase = getShadowPtr(&I, Type::getInt8PtrTy(*MS.C), IRB); 1720 Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0); 1721 IRB.CreateMemSet(ShadowBase, PoisonValue, Size, I.getAlignment()); 1722 } 1723 1724 if (PoisonStack && MS.TrackOrigins) { 1725 setOrigin(&I, getCleanOrigin()); 1726 SmallString<2048> StackDescriptionStorage; 1727 raw_svector_ostream StackDescription(StackDescriptionStorage); 1728 // We create a string with a description of the stack allocation and 1729 // pass it into __msan_set_alloca_origin. 1730 // It will be printed by the run-time if stack-originated UMR is found. 1731 // The first 4 bytes of the string are set to '----' and will be replaced 1732 // by __msan_va_arg_overflow_size_tls at the first call. 1733 StackDescription << "----" << I.getName() << "@" << F.getName(); 1734 Value *Descr = 1735 createPrivateNonConstGlobalForString(*F.getParent(), 1736 StackDescription.str()); 1737 IRB.CreateCall3(MS.MsanSetAllocaOriginFn, 1738 IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), 1739 ConstantInt::get(MS.IntptrTy, Size), 1740 IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy())); 1741 } 1742 } 1743 1744 void visitSelectInst(SelectInst& I) { 1745 IRBuilder<> IRB(&I); 1746 setShadow(&I, IRB.CreateSelect(I.getCondition(), 1747 getShadow(I.getTrueValue()), getShadow(I.getFalseValue()), 1748 "_msprop")); 1749 if (MS.TrackOrigins) { 1750 // Origins are always i32, so any vector conditions must be flattened. 1751 // FIXME: consider tracking vector origins for app vectors? 1752 Value *Cond = I.getCondition(); 1753 if (Cond->getType()->isVectorTy()) { 1754 Value *ConvertedShadow = convertToShadowTyNoVec(Cond, IRB); 1755 Cond = IRB.CreateICmpNE(ConvertedShadow, 1756 getCleanShadow(ConvertedShadow), "_mso_select"); 1757 } 1758 setOrigin(&I, IRB.CreateSelect(Cond, 1759 getOrigin(I.getTrueValue()), getOrigin(I.getFalseValue()))); 1760 } 1761 } 1762 1763 void visitLandingPadInst(LandingPadInst &I) { 1764 // Do nothing. 1765 // See http://code.google.com/p/memory-sanitizer/issues/detail?id=1 1766 setShadow(&I, getCleanShadow(&I)); 1767 setOrigin(&I, getCleanOrigin()); 1768 } 1769 1770 void visitGetElementPtrInst(GetElementPtrInst &I) { 1771 handleShadowOr(I); 1772 } 1773 1774 void visitExtractValueInst(ExtractValueInst &I) { 1775 IRBuilder<> IRB(&I); 1776 Value *Agg = I.getAggregateOperand(); 1777 DEBUG(dbgs() << "ExtractValue: " << I << "\n"); 1778 Value *AggShadow = getShadow(Agg); 1779 DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n"); 1780 Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices()); 1781 DEBUG(dbgs() << " ResShadow: " << *ResShadow << "\n"); 1782 setShadow(&I, ResShadow); 1783 setOrigin(&I, getCleanOrigin()); 1784 } 1785 1786 void visitInsertValueInst(InsertValueInst &I) { 1787 IRBuilder<> IRB(&I); 1788 DEBUG(dbgs() << "InsertValue: " << I << "\n"); 1789 Value *AggShadow = getShadow(I.getAggregateOperand()); 1790 Value *InsShadow = getShadow(I.getInsertedValueOperand()); 1791 DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n"); 1792 DEBUG(dbgs() << " InsShadow: " << *InsShadow << "\n"); 1793 Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices()); 1794 DEBUG(dbgs() << " Res: " << *Res << "\n"); 1795 setShadow(&I, Res); 1796 setOrigin(&I, getCleanOrigin()); 1797 } 1798 1799 void dumpInst(Instruction &I) { 1800 if (CallInst *CI = dyn_cast<CallInst>(&I)) { 1801 errs() << "ZZZ call " << CI->getCalledFunction()->getName() << "\n"; 1802 } else { 1803 errs() << "ZZZ " << I.getOpcodeName() << "\n"; 1804 } 1805 errs() << "QQQ " << I << "\n"; 1806 } 1807 1808 void visitResumeInst(ResumeInst &I) { 1809 DEBUG(dbgs() << "Resume: " << I << "\n"); 1810 // Nothing to do here. 1811 } 1812 1813 void visitInstruction(Instruction &I) { 1814 // Everything else: stop propagating and check for poisoned shadow. 1815 if (ClDumpStrictInstructions) 1816 dumpInst(I); 1817 DEBUG(dbgs() << "DEFAULT: " << I << "\n"); 1818 for (size_t i = 0, n = I.getNumOperands(); i < n; i++) 1819 insertCheck(I.getOperand(i), &I); 1820 setShadow(&I, getCleanShadow(&I)); 1821 setOrigin(&I, getCleanOrigin()); 1822 } 1823}; 1824 1825/// \brief AMD64-specific implementation of VarArgHelper. 1826struct VarArgAMD64Helper : public VarArgHelper { 1827 // An unfortunate workaround for asymmetric lowering of va_arg stuff. 1828 // See a comment in visitCallSite for more details. 1829 static const unsigned AMD64GpEndOffset = 48; // AMD64 ABI Draft 0.99.6 p3.5.7 1830 static const unsigned AMD64FpEndOffset = 176; 1831 1832 Function &F; 1833 MemorySanitizer &MS; 1834 MemorySanitizerVisitor &MSV; 1835 Value *VAArgTLSCopy; 1836 Value *VAArgOverflowSize; 1837 1838 SmallVector<CallInst*, 16> VAStartInstrumentationList; 1839 1840 VarArgAMD64Helper(Function &F, MemorySanitizer &MS, 1841 MemorySanitizerVisitor &MSV) 1842 : F(F), MS(MS), MSV(MSV), VAArgTLSCopy(0), VAArgOverflowSize(0) { } 1843 1844 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory }; 1845 1846 ArgKind classifyArgument(Value* arg) { 1847 // A very rough approximation of X86_64 argument classification rules. 1848 Type *T = arg->getType(); 1849 if (T->isFPOrFPVectorTy() || T->isX86_MMXTy()) 1850 return AK_FloatingPoint; 1851 if (T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64) 1852 return AK_GeneralPurpose; 1853 if (T->isPointerTy()) 1854 return AK_GeneralPurpose; 1855 return AK_Memory; 1856 } 1857 1858 // For VarArg functions, store the argument shadow in an ABI-specific format 1859 // that corresponds to va_list layout. 1860 // We do this because Clang lowers va_arg in the frontend, and this pass 1861 // only sees the low level code that deals with va_list internals. 1862 // A much easier alternative (provided that Clang emits va_arg instructions) 1863 // would have been to associate each live instance of va_list with a copy of 1864 // MSanParamTLS, and extract shadow on va_arg() call in the argument list 1865 // order. 1866 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) { 1867 unsigned GpOffset = 0; 1868 unsigned FpOffset = AMD64GpEndOffset; 1869 unsigned OverflowOffset = AMD64FpEndOffset; 1870 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end(); 1871 ArgIt != End; ++ArgIt) { 1872 Value *A = *ArgIt; 1873 ArgKind AK = classifyArgument(A); 1874 if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset) 1875 AK = AK_Memory; 1876 if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset) 1877 AK = AK_Memory; 1878 Value *Base; 1879 switch (AK) { 1880 case AK_GeneralPurpose: 1881 Base = getShadowPtrForVAArgument(A, IRB, GpOffset); 1882 GpOffset += 8; 1883 break; 1884 case AK_FloatingPoint: 1885 Base = getShadowPtrForVAArgument(A, IRB, FpOffset); 1886 FpOffset += 16; 1887 break; 1888 case AK_Memory: 1889 uint64_t ArgSize = MS.TD->getTypeAllocSize(A->getType()); 1890 Base = getShadowPtrForVAArgument(A, IRB, OverflowOffset); 1891 OverflowOffset += DataLayout::RoundUpAlignment(ArgSize, 8); 1892 } 1893 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment); 1894 } 1895 Constant *OverflowSize = 1896 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset); 1897 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS); 1898 } 1899 1900 /// \brief Compute the shadow address for a given va_arg. 1901 Value *getShadowPtrForVAArgument(Value *A, IRBuilder<> &IRB, 1902 int ArgOffset) { 1903 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); 1904 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 1905 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(A), 0), 1906 "_msarg"); 1907 } 1908 1909 void visitVAStartInst(VAStartInst &I) { 1910 IRBuilder<> IRB(&I); 1911 VAStartInstrumentationList.push_back(&I); 1912 Value *VAListTag = I.getArgOperand(0); 1913 Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB); 1914 1915 // Unpoison the whole __va_list_tag. 1916 // FIXME: magic ABI constants. 1917 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 1918 /* size */24, /* alignment */8, false); 1919 } 1920 1921 void visitVACopyInst(VACopyInst &I) { 1922 IRBuilder<> IRB(&I); 1923 Value *VAListTag = I.getArgOperand(0); 1924 Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB); 1925 1926 // Unpoison the whole __va_list_tag. 1927 // FIXME: magic ABI constants. 1928 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 1929 /* size */24, /* alignment */8, false); 1930 } 1931 1932 void finalizeInstrumentation() { 1933 assert(!VAArgOverflowSize && !VAArgTLSCopy && 1934 "finalizeInstrumentation called twice"); 1935 if (!VAStartInstrumentationList.empty()) { 1936 // If there is a va_start in this function, make a backup copy of 1937 // va_arg_tls somewhere in the function entry block. 1938 IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI()); 1939 VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS); 1940 Value *CopySize = 1941 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset), 1942 VAArgOverflowSize); 1943 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize); 1944 IRB.CreateMemCpy(VAArgTLSCopy, MS.VAArgTLS, CopySize, 8); 1945 } 1946 1947 // Instrument va_start. 1948 // Copy va_list shadow from the backup copy of the TLS contents. 1949 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) { 1950 CallInst *OrigInst = VAStartInstrumentationList[i]; 1951 IRBuilder<> IRB(OrigInst->getNextNode()); 1952 Value *VAListTag = OrigInst->getArgOperand(0); 1953 1954 Value *RegSaveAreaPtrPtr = 1955 IRB.CreateIntToPtr( 1956 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 1957 ConstantInt::get(MS.IntptrTy, 16)), 1958 Type::getInt64PtrTy(*MS.C)); 1959 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr); 1960 Value *RegSaveAreaShadowPtr = 1961 MSV.getShadowPtr(RegSaveAreaPtr, IRB.getInt8Ty(), IRB); 1962 IRB.CreateMemCpy(RegSaveAreaShadowPtr, VAArgTLSCopy, 1963 AMD64FpEndOffset, 16); 1964 1965 Value *OverflowArgAreaPtrPtr = 1966 IRB.CreateIntToPtr( 1967 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 1968 ConstantInt::get(MS.IntptrTy, 8)), 1969 Type::getInt64PtrTy(*MS.C)); 1970 Value *OverflowArgAreaPtr = IRB.CreateLoad(OverflowArgAreaPtrPtr); 1971 Value *OverflowArgAreaShadowPtr = 1972 MSV.getShadowPtr(OverflowArgAreaPtr, IRB.getInt8Ty(), IRB); 1973 Value *SrcPtr = 1974 getShadowPtrForVAArgument(VAArgTLSCopy, IRB, AMD64FpEndOffset); 1975 IRB.CreateMemCpy(OverflowArgAreaShadowPtr, SrcPtr, VAArgOverflowSize, 16); 1976 } 1977 } 1978}; 1979 1980/// \brief A no-op implementation of VarArgHelper. 1981struct VarArgNoOpHelper : public VarArgHelper { 1982 VarArgNoOpHelper(Function &F, MemorySanitizer &MS, 1983 MemorySanitizerVisitor &MSV) {} 1984 1985 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) {} 1986 1987 void visitVAStartInst(VAStartInst &I) {} 1988 1989 void visitVACopyInst(VACopyInst &I) {} 1990 1991 void finalizeInstrumentation() {} 1992}; 1993 1994VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan, 1995 MemorySanitizerVisitor &Visitor) { 1996 // VarArg handling is only implemented on AMD64. False positives are possible 1997 // on other platforms. 1998 llvm::Triple TargetTriple(Func.getParent()->getTargetTriple()); 1999 if (TargetTriple.getArch() == llvm::Triple::x86_64) 2000 return new VarArgAMD64Helper(Func, Msan, Visitor); 2001 else 2002 return new VarArgNoOpHelper(Func, Msan, Visitor); 2003} 2004 2005} // namespace 2006 2007bool MemorySanitizer::runOnFunction(Function &F) { 2008 MemorySanitizerVisitor Visitor(F, *this); 2009 2010 // Clear out readonly/readnone attributes. 2011 AttrBuilder B; 2012 B.addAttribute(Attribute::ReadOnly) 2013 .addAttribute(Attribute::ReadNone); 2014 F.removeAttributes(AttributeSet::FunctionIndex, 2015 AttributeSet::get(F.getContext(), 2016 AttributeSet::FunctionIndex, B)); 2017 2018 return Visitor.runOnFunction(); 2019} 2020