AddressSanitizer.cpp revision 59cca13a80ed78ccbcdaa9bf20381bd48243f2f1
1//===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// Details of the algorithm: 12// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13// 14//===----------------------------------------------------------------------===// 15 16#define DEBUG_TYPE "asan" 17 18#include "llvm/Transforms/Instrumentation.h" 19#include "BlackList.h" 20#include "llvm/ADT/ArrayRef.h" 21#include "llvm/ADT/DepthFirstIterator.h" 22#include "llvm/ADT/OwningPtr.h" 23#include "llvm/ADT/SmallSet.h" 24#include "llvm/ADT/SmallString.h" 25#include "llvm/ADT/SmallVector.h" 26#include "llvm/ADT/StringExtras.h" 27#include "llvm/ADT/Triple.h" 28#include "llvm/DataLayout.h" 29#include "llvm/DIBuilder.h" 30#include "llvm/Function.h" 31#include "llvm/IRBuilder.h" 32#include "llvm/InlineAsm.h" 33#include "llvm/InstVisitor.h" 34#include "llvm/IntrinsicInst.h" 35#include "llvm/LLVMContext.h" 36#include "llvm/Module.h" 37#include "llvm/Support/CommandLine.h" 38#include "llvm/Support/DataTypes.h" 39#include "llvm/Support/Debug.h" 40#include "llvm/Support/raw_ostream.h" 41#include "llvm/Support/system_error.h" 42#include "llvm/Target/TargetMachine.h" 43#include "llvm/Transforms/Utils/BasicBlockUtils.h" 44#include "llvm/Transforms/Utils/Local.h" 45#include "llvm/Transforms/Utils/ModuleUtils.h" 46#include "llvm/Type.h" 47#include <algorithm> 48#include <string> 49 50using namespace llvm; 51 52static const uint64_t kDefaultShadowScale = 3; 53static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 54static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 55static const uint64_t kDefaultShadowOffsetAndroid = 0; 56 57static const size_t kMaxStackMallocSize = 1 << 16; // 64K 58static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 59static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 60 61static const char *kAsanModuleCtorName = "asan.module_ctor"; 62static const char *kAsanModuleDtorName = "asan.module_dtor"; 63static const int kAsanCtorAndCtorPriority = 1; 64static const char *kAsanReportErrorTemplate = "__asan_report_"; 65static const char *kAsanRegisterGlobalsName = "__asan_register_globals"; 66static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals"; 67static const char *kAsanPoisonGlobalsName = "__asan_before_dynamic_init"; 68static const char *kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init"; 69static const char *kAsanInitName = "__asan_init"; 70static const char *kAsanHandleNoReturnName = "__asan_handle_no_return"; 71static const char *kAsanMappingOffsetName = "__asan_mapping_offset"; 72static const char *kAsanMappingScaleName = "__asan_mapping_scale"; 73static const char *kAsanStackMallocName = "__asan_stack_malloc"; 74static const char *kAsanStackFreeName = "__asan_stack_free"; 75static const char *kAsanGenPrefix = "__asan_gen_"; 76static const char *kAsanPoisonStackMemoryName = "__asan_poison_stack_memory"; 77static const char *kAsanUnpoisonStackMemoryName = 78 "__asan_unpoison_stack_memory"; 79 80static const int kAsanStackLeftRedzoneMagic = 0xf1; 81static const int kAsanStackMidRedzoneMagic = 0xf2; 82static const int kAsanStackRightRedzoneMagic = 0xf3; 83static const int kAsanStackPartialRedzoneMagic = 0xf4; 84 85// Accesses sizes are powers of two: 1, 2, 4, 8, 16. 86static const size_t kNumberOfAccessSizes = 5; 87 88// Command-line flags. 89 90// This flag may need to be replaced with -f[no-]asan-reads. 91static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 92 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 93static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 94 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 95static cl::opt<bool> ClInstrumentAtomics("asan-instrument-atomics", 96 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), 97 cl::Hidden, cl::init(true)); 98static cl::opt<bool> ClAlwaysSlowPath("asan-always-slow-path", 99 cl::desc("use instrumentation with slow path for all accesses"), 100 cl::Hidden, cl::init(false)); 101// This flag limits the number of instructions to be instrumented 102// in any given BB. Normally, this should be set to unlimited (INT_MAX), 103// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary 104// set it to 10000. 105static cl::opt<int> ClMaxInsnsToInstrumentPerBB("asan-max-ins-per-bb", 106 cl::init(10000), 107 cl::desc("maximal number of instructions to instrument in any given BB"), 108 cl::Hidden); 109// This flag may need to be replaced with -f[no]asan-stack. 110static cl::opt<bool> ClStack("asan-stack", 111 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 112// This flag may need to be replaced with -f[no]asan-use-after-return. 113static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 114 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 115// This flag may need to be replaced with -f[no]asan-globals. 116static cl::opt<bool> ClGlobals("asan-globals", 117 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 118static cl::opt<bool> ClInitializers("asan-initialization-order", 119 cl::desc("Handle C++ initializer order"), cl::Hidden, cl::init(false)); 120static cl::opt<bool> ClMemIntrin("asan-memintrin", 121 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 122static cl::opt<bool> ClRealignStack("asan-realign-stack", 123 cl::desc("Realign stack to 32"), cl::Hidden, cl::init(true)); 124static cl::opt<std::string> ClBlacklistFile("asan-blacklist", 125 cl::desc("File containing the list of objects to ignore " 126 "during instrumentation"), cl::Hidden); 127 128// These flags allow to change the shadow mapping. 129// The shadow mapping looks like 130// Shadow = (Mem >> scale) + (1 << offset_log) 131static cl::opt<int> ClMappingScale("asan-mapping-scale", 132 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 133static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 134 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 135 136// Optimization flags. Not user visible, used mostly for testing 137// and benchmarking the tool. 138static cl::opt<bool> ClOpt("asan-opt", 139 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 140static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 141 cl::desc("Instrument the same temp just once"), cl::Hidden, 142 cl::init(true)); 143static cl::opt<bool> ClOptGlobals("asan-opt-globals", 144 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 145 146static cl::opt<bool> ClCheckLifetime("asan-check-lifetime", 147 cl::desc("Use llvm.lifetime intrinsics to insert extra checks"), 148 cl::Hidden, cl::init(false)); 149 150// Debug flags. 151static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 152 cl::init(0)); 153static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 154 cl::Hidden, cl::init(0)); 155static cl::opt<std::string> ClDebugFunc("asan-debug-func", 156 cl::Hidden, cl::desc("Debug func")); 157static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 158 cl::Hidden, cl::init(-1)); 159static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 160 cl::Hidden, cl::init(-1)); 161 162namespace { 163/// A set of dynamically initialized globals extracted from metadata. 164class SetOfDynamicallyInitializedGlobals { 165 public: 166 void Init(Module& M) { 167 // Clang generates metadata identifying all dynamically initialized globals. 168 NamedMDNode *DynamicGlobals = 169 M.getNamedMetadata("llvm.asan.dynamically_initialized_globals"); 170 if (!DynamicGlobals) 171 return; 172 for (int i = 0, n = DynamicGlobals->getNumOperands(); i < n; ++i) { 173 MDNode *MDN = DynamicGlobals->getOperand(i); 174 assert(MDN->getNumOperands() == 1); 175 Value *VG = MDN->getOperand(0); 176 // The optimizer may optimize away a global entirely, in which case we 177 // cannot instrument access to it. 178 if (!VG) 179 continue; 180 DynInitGlobals.insert(cast<GlobalVariable>(VG)); 181 } 182 } 183 bool Contains(GlobalVariable *G) { return DynInitGlobals.count(G) != 0; } 184 private: 185 SmallSet<GlobalValue*, 32> DynInitGlobals; 186}; 187 188static int MappingScale() { 189 return ClMappingScale ? ClMappingScale : kDefaultShadowScale; 190} 191 192static size_t RedzoneSize() { 193 // Redzone used for stack and globals is at least 32 bytes. 194 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 195 return std::max(32U, 1U << MappingScale()); 196} 197 198/// AddressSanitizer: instrument the code in module to find memory bugs. 199struct AddressSanitizer : public FunctionPass { 200 AddressSanitizer(bool CheckInitOrder = false, 201 bool CheckUseAfterReturn = false, 202 bool CheckLifetime = false, 203 StringRef BlacklistFile = StringRef()) 204 : FunctionPass(ID), 205 CheckInitOrder(CheckInitOrder || ClInitializers), 206 CheckUseAfterReturn(CheckUseAfterReturn || ClUseAfterReturn), 207 CheckLifetime(CheckLifetime || ClCheckLifetime), 208 BlacklistFile(BlacklistFile.empty() ? ClBlacklistFile 209 : BlacklistFile) {} 210 virtual const char *getPassName() const { 211 return "AddressSanitizerFunctionPass"; 212 } 213 void instrumentMop(Instruction *I); 214 void instrumentAddress(Instruction *OrigIns, IRBuilder<> &IRB, 215 Value *Addr, uint32_t TypeSize, bool IsWrite); 216 Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 217 Value *ShadowValue, uint32_t TypeSize); 218 Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, 219 bool IsWrite, size_t AccessSizeIndex); 220 bool instrumentMemIntrinsic(MemIntrinsic *MI); 221 void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr, 222 Value *Size, 223 Instruction *InsertBefore, bool IsWrite); 224 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 225 bool runOnFunction(Function &F); 226 void createInitializerPoisonCalls(Module &M, 227 Value *FirstAddr, Value *LastAddr); 228 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 229 virtual bool doInitialization(Module &M); 230 static char ID; // Pass identification, replacement for typeid 231 232 private: 233 void initializeCallbacks(Module &M); 234 235 bool ShouldInstrumentGlobal(GlobalVariable *G); 236 bool LooksLikeCodeInBug11395(Instruction *I); 237 void FindDynamicInitializers(Module &M); 238 239 bool CheckInitOrder; 240 bool CheckUseAfterReturn; 241 bool CheckLifetime; 242 LLVMContext *C; 243 DataLayout *TD; 244 uint64_t MappingOffset; 245 int LongSize; 246 Type *IntptrTy; 247 Function *AsanCtorFunction; 248 Function *AsanInitFunction; 249 Function *AsanHandleNoReturnFunc; 250 SmallString<64> BlacklistFile; 251 OwningPtr<BlackList> BL; 252 // This array is indexed by AccessIsWrite and log2(AccessSize). 253 Function *AsanErrorCallback[2][kNumberOfAccessSizes]; 254 InlineAsm *EmptyAsm; 255 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 256 257 friend struct FunctionStackPoisoner; 258}; 259 260class AddressSanitizerModule : public ModulePass { 261 public: 262 AddressSanitizerModule(bool CheckInitOrder = false, 263 StringRef BlacklistFile = StringRef()) 264 : ModulePass(ID), 265 CheckInitOrder(CheckInitOrder || ClInitializers), 266 BlacklistFile(BlacklistFile.empty() ? ClBlacklistFile 267 : BlacklistFile) {} 268 bool runOnModule(Module &M); 269 static char ID; // Pass identification, replacement for typeid 270 virtual const char *getPassName() const { 271 return "AddressSanitizerModule"; 272 } 273 274 private: 275 bool ShouldInstrumentGlobal(GlobalVariable *G); 276 void createInitializerPoisonCalls(Module &M, Value *FirstAddr, 277 Value *LastAddr); 278 279 bool CheckInitOrder; 280 SmallString<64> BlacklistFile; 281 OwningPtr<BlackList> BL; 282 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 283 Type *IntptrTy; 284 LLVMContext *C; 285 DataLayout *TD; 286}; 287 288// Stack poisoning does not play well with exception handling. 289// When an exception is thrown, we essentially bypass the code 290// that unpoisones the stack. This is why the run-time library has 291// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 292// stack in the interceptor. This however does not work inside the 293// actual function which catches the exception. Most likely because the 294// compiler hoists the load of the shadow value somewhere too high. 295// This causes asan to report a non-existing bug on 453.povray. 296// It sounds like an LLVM bug. 297struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> { 298 Function &F; 299 AddressSanitizer &ASan; 300 DIBuilder DIB; 301 LLVMContext *C; 302 Type *IntptrTy; 303 Type *IntptrPtrTy; 304 305 SmallVector<AllocaInst*, 16> AllocaVec; 306 SmallVector<Instruction*, 8> RetVec; 307 uint64_t TotalStackSize; 308 unsigned StackAlignment; 309 310 Function *AsanStackMallocFunc, *AsanStackFreeFunc; 311 Function *AsanPoisonStackMemoryFunc, *AsanUnpoisonStackMemoryFunc; 312 313 FunctionStackPoisoner(Function &F, AddressSanitizer &ASan) 314 : F(F), ASan(ASan), DIB(*F.getParent()), C(ASan.C), 315 IntptrTy(ASan.IntptrTy), IntptrPtrTy(PointerType::get(IntptrTy, 0)), 316 TotalStackSize(0), StackAlignment(1 << MappingScale()) {} 317 318 bool runOnFunction() { 319 if (!ClStack) return false; 320 // Collect alloca, ret, lifetime instructions etc. 321 for (df_iterator<BasicBlock*> DI = df_begin(&F.getEntryBlock()), 322 DE = df_end(&F.getEntryBlock()); DI != DE; ++DI) { 323 BasicBlock *BB = *DI; 324 visit(*BB); 325 } 326 if (AllocaVec.empty()) return false; 327 328 initializeCallbacks(*F.getParent()); 329 330 poisonStack(); 331 332 if (ClDebugStack) { 333 DEBUG(dbgs() << F); 334 } 335 return true; 336 } 337 338 // Finds all static Alloca instructions and puts 339 // poisoned red zones around all of them. 340 // Then unpoison everything back before the function returns. 341 void poisonStack(); 342 343 // ----------------------- Visitors. 344 /// \brief Collect all Ret instructions. 345 void visitReturnInst(ReturnInst &RI) { 346 RetVec.push_back(&RI); 347 } 348 349 /// \brief Collect Alloca instructions we want (and can) handle. 350 void visitAllocaInst(AllocaInst &AI) { 351 if (AI.isArrayAllocation()) return; 352 if (!AI.isStaticAlloca()) return; 353 if (!AI.getAllocatedType()->isSized()) return; 354 355 StackAlignment = std::max(StackAlignment, AI.getAlignment()); 356 AllocaVec.push_back(&AI); 357 uint64_t AlignedSize = getAlignedAllocaSize(&AI); 358 TotalStackSize += AlignedSize; 359 } 360 361 // ---------------------- Helpers. 362 void initializeCallbacks(Module &M); 363 364 uint64_t getAllocaSizeInBytes(AllocaInst *AI) { 365 Type *Ty = AI->getAllocatedType(); 366 uint64_t SizeInBytes = ASan.TD->getTypeAllocSize(Ty); 367 return SizeInBytes; 368 } 369 uint64_t getAlignedSize(uint64_t SizeInBytes) { 370 size_t RZ = RedzoneSize(); 371 return ((SizeInBytes + RZ - 1) / RZ) * RZ; 372 } 373 uint64_t getAlignedAllocaSize(AllocaInst *AI) { 374 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 375 return getAlignedSize(SizeInBytes); 376 } 377 void poisonRedZones(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, 378 Value *ShadowBase, bool DoPoison); 379 void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> IRB, bool DoPoison); 380 /// Analyze lifetime intrinsics for given alloca. Use Value* instead of 381 /// AllocaInst* here, as we call this method after we merge all allocas into a 382 /// single one. Returns true if ASan added some instrumentation. 383 bool handleAllocaLifetime(Value *Alloca); 384 /// Analyze lifetime intrinsics for a specific value, casted from alloca. 385 /// Returns true if if ASan added some instrumentation. 386 bool handleValueLifetime(Value *V); 387}; 388 389} // namespace 390 391char AddressSanitizer::ID = 0; 392INITIALIZE_PASS(AddressSanitizer, "asan", 393 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", 394 false, false) 395FunctionPass *llvm::createAddressSanitizerFunctionPass( 396 bool CheckInitOrder, bool CheckUseAfterReturn, bool CheckLifetime, 397 StringRef BlacklistFile) { 398 return new AddressSanitizer(CheckInitOrder, CheckUseAfterReturn, 399 CheckLifetime, BlacklistFile); 400} 401 402char AddressSanitizerModule::ID = 0; 403INITIALIZE_PASS(AddressSanitizerModule, "asan-module", 404 "AddressSanitizer: detects use-after-free and out-of-bounds bugs." 405 "ModulePass", false, false) 406ModulePass *llvm::createAddressSanitizerModulePass( 407 bool CheckInitOrder, StringRef BlacklistFile) { 408 return new AddressSanitizerModule(CheckInitOrder, BlacklistFile); 409} 410 411static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 412 size_t Res = CountTrailingZeros_32(TypeSize / 8); 413 assert(Res < kNumberOfAccessSizes); 414 return Res; 415} 416 417// Create a constant for Str so that we can pass it to the run-time lib. 418static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 419 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 420 return new GlobalVariable(M, StrConst->getType(), true, 421 GlobalValue::PrivateLinkage, StrConst, 422 kAsanGenPrefix); 423} 424 425static bool GlobalWasGeneratedByAsan(GlobalVariable *G) { 426 return G->getName().find(kAsanGenPrefix) == 0; 427} 428 429Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 430 // Shadow >> scale 431 Shadow = IRB.CreateLShr(Shadow, MappingScale()); 432 if (MappingOffset == 0) 433 return Shadow; 434 // (Shadow >> scale) | offset 435 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, 436 MappingOffset)); 437} 438 439void AddressSanitizer::instrumentMemIntrinsicParam( 440 Instruction *OrigIns, 441 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 442 // Check the first byte. 443 { 444 IRBuilder<> IRB(InsertBefore); 445 instrumentAddress(OrigIns, IRB, Addr, 8, IsWrite); 446 } 447 // Check the last byte. 448 { 449 IRBuilder<> IRB(InsertBefore); 450 Value *SizeMinusOne = IRB.CreateSub( 451 Size, ConstantInt::get(Size->getType(), 1)); 452 SizeMinusOne = IRB.CreateIntCast(SizeMinusOne, IntptrTy, false); 453 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 454 Value *AddrPlusSizeMinisOne = IRB.CreateAdd(AddrLong, SizeMinusOne); 455 instrumentAddress(OrigIns, IRB, AddrPlusSizeMinisOne, 8, IsWrite); 456 } 457} 458 459// Instrument memset/memmove/memcpy 460bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 461 Value *Dst = MI->getDest(); 462 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 463 Value *Src = MemTran ? MemTran->getSource() : 0; 464 Value *Length = MI->getLength(); 465 466 Constant *ConstLength = dyn_cast<Constant>(Length); 467 Instruction *InsertBefore = MI; 468 if (ConstLength) { 469 if (ConstLength->isNullValue()) return false; 470 } else { 471 // The size is not a constant so it could be zero -- check at run-time. 472 IRBuilder<> IRB(InsertBefore); 473 474 Value *Cmp = IRB.CreateICmpNE(Length, 475 Constant::getNullValue(Length->getType())); 476 InsertBefore = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 477 } 478 479 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 480 if (Src) 481 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 482 return true; 483} 484 485// If I is an interesting memory access, return the PointerOperand 486// and set IsWrite. Otherwise return NULL. 487static Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite) { 488 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 489 if (!ClInstrumentReads) return NULL; 490 *IsWrite = false; 491 return LI->getPointerOperand(); 492 } 493 if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 494 if (!ClInstrumentWrites) return NULL; 495 *IsWrite = true; 496 return SI->getPointerOperand(); 497 } 498 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 499 if (!ClInstrumentAtomics) return NULL; 500 *IsWrite = true; 501 return RMW->getPointerOperand(); 502 } 503 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 504 if (!ClInstrumentAtomics) return NULL; 505 *IsWrite = true; 506 return XCHG->getPointerOperand(); 507 } 508 return NULL; 509} 510 511void AddressSanitizer::instrumentMop(Instruction *I) { 512 bool IsWrite = false; 513 Value *Addr = isInterestingMemoryAccess(I, &IsWrite); 514 assert(Addr); 515 if (ClOpt && ClOptGlobals) { 516 if (GlobalVariable *G = dyn_cast<GlobalVariable>(Addr)) { 517 // If initialization order checking is disabled, a simple access to a 518 // dynamically initialized global is always valid. 519 if (!CheckInitOrder) 520 return; 521 // If a global variable does not have dynamic initialization we don't 522 // have to instrument it. However, if a global does not have initailizer 523 // at all, we assume it has dynamic initializer (in other TU). 524 if (G->hasInitializer() && !DynamicallyInitializedGlobals.Contains(G)) 525 return; 526 } 527 } 528 529 Type *OrigPtrTy = Addr->getType(); 530 Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType(); 531 532 assert(OrigTy->isSized()); 533 uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy); 534 535 if (TypeSize != 8 && TypeSize != 16 && 536 TypeSize != 32 && TypeSize != 64 && TypeSize != 128) { 537 // Ignore all unusual sizes. 538 return; 539 } 540 541 IRBuilder<> IRB(I); 542 instrumentAddress(I, IRB, Addr, TypeSize, IsWrite); 543} 544 545// Validate the result of Module::getOrInsertFunction called for an interface 546// function of AddressSanitizer. If the instrumented module defines a function 547// with the same name, their prototypes must match, otherwise 548// getOrInsertFunction returns a bitcast. 549static Function *checkInterfaceFunction(Constant *FuncOrBitcast) { 550 if (isa<Function>(FuncOrBitcast)) return cast<Function>(FuncOrBitcast); 551 FuncOrBitcast->dump(); 552 report_fatal_error("trying to redefine an AddressSanitizer " 553 "interface function"); 554} 555 556Instruction *AddressSanitizer::generateCrashCode( 557 Instruction *InsertBefore, Value *Addr, 558 bool IsWrite, size_t AccessSizeIndex) { 559 IRBuilder<> IRB(InsertBefore); 560 CallInst *Call = IRB.CreateCall(AsanErrorCallback[IsWrite][AccessSizeIndex], 561 Addr); 562 // We don't do Call->setDoesNotReturn() because the BB already has 563 // UnreachableInst at the end. 564 // This EmptyAsm is required to avoid callback merge. 565 IRB.CreateCall(EmptyAsm); 566 return Call; 567} 568 569Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 570 Value *ShadowValue, 571 uint32_t TypeSize) { 572 size_t Granularity = 1 << MappingScale(); 573 // Addr & (Granularity - 1) 574 Value *LastAccessedByte = IRB.CreateAnd( 575 AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 576 // (Addr & (Granularity - 1)) + size - 1 577 if (TypeSize / 8 > 1) 578 LastAccessedByte = IRB.CreateAdd( 579 LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 580 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 581 LastAccessedByte = IRB.CreateIntCast( 582 LastAccessedByte, ShadowValue->getType(), false); 583 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 584 return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue); 585} 586 587void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 588 IRBuilder<> &IRB, Value *Addr, 589 uint32_t TypeSize, bool IsWrite) { 590 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 591 592 Type *ShadowTy = IntegerType::get( 593 *C, std::max(8U, TypeSize >> MappingScale())); 594 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 595 Value *ShadowPtr = memToShadow(AddrLong, IRB); 596 Value *CmpVal = Constant::getNullValue(ShadowTy); 597 Value *ShadowValue = IRB.CreateLoad( 598 IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 599 600 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 601 size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize); 602 size_t Granularity = 1 << MappingScale(); 603 TerminatorInst *CrashTerm = 0; 604 605 if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) { 606 TerminatorInst *CheckTerm = 607 SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 608 assert(dyn_cast<BranchInst>(CheckTerm)->isUnconditional()); 609 BasicBlock *NextBB = CheckTerm->getSuccessor(0); 610 IRB.SetInsertPoint(CheckTerm); 611 Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize); 612 BasicBlock *CrashBlock = 613 BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); 614 CrashTerm = new UnreachableInst(*C, CrashBlock); 615 BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); 616 ReplaceInstWithInst(CheckTerm, NewTerm); 617 } else { 618 CrashTerm = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), true); 619 } 620 621 Instruction *Crash = 622 generateCrashCode(CrashTerm, AddrLong, IsWrite, AccessSizeIndex); 623 Crash->setDebugLoc(OrigIns->getDebugLoc()); 624} 625 626void AddressSanitizerModule::createInitializerPoisonCalls( 627 Module &M, Value *FirstAddr, Value *LastAddr) { 628 // We do all of our poisoning and unpoisoning within _GLOBAL__I_a. 629 Function *GlobalInit = M.getFunction("_GLOBAL__I_a"); 630 // If that function is not present, this TU contains no globals, or they have 631 // all been optimized away 632 if (!GlobalInit) 633 return; 634 635 // Set up the arguments to our poison/unpoison functions. 636 IRBuilder<> IRB(GlobalInit->begin()->getFirstInsertionPt()); 637 638 // Declare our poisoning and unpoisoning functions. 639 Function *AsanPoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 640 kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 641 AsanPoisonGlobals->setLinkage(Function::ExternalLinkage); 642 Function *AsanUnpoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 643 kAsanUnpoisonGlobalsName, IRB.getVoidTy(), NULL)); 644 AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage); 645 646 // Add a call to poison all external globals before the given function starts. 647 IRB.CreateCall2(AsanPoisonGlobals, FirstAddr, LastAddr); 648 649 // Add calls to unpoison all globals before each return instruction. 650 for (Function::iterator I = GlobalInit->begin(), E = GlobalInit->end(); 651 I != E; ++I) { 652 if (ReturnInst *RI = dyn_cast<ReturnInst>(I->getTerminator())) { 653 CallInst::Create(AsanUnpoisonGlobals, "", RI); 654 } 655 } 656} 657 658bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) { 659 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 660 DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); 661 662 if (BL->isIn(*G)) return false; 663 if (!Ty->isSized()) return false; 664 if (!G->hasInitializer()) return false; 665 if (GlobalWasGeneratedByAsan(G)) return false; // Our own global. 666 // Touch only those globals that will not be defined in other modules. 667 // Don't handle ODR type linkages since other modules may be built w/o asan. 668 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 669 G->getLinkage() != GlobalVariable::PrivateLinkage && 670 G->getLinkage() != GlobalVariable::InternalLinkage) 671 return false; 672 // Two problems with thread-locals: 673 // - The address of the main thread's copy can't be computed at link-time. 674 // - Need to poison all copies, not just the main thread's one. 675 if (G->isThreadLocal()) 676 return false; 677 // For now, just ignore this Alloca if the alignment is large. 678 if (G->getAlignment() > RedzoneSize()) return false; 679 680 // Ignore all the globals with the names starting with "\01L_OBJC_". 681 // Many of those are put into the .cstring section. The linker compresses 682 // that section by removing the spare \0s after the string terminator, so 683 // our redzones get broken. 684 if ((G->getName().find("\01L_OBJC_") == 0) || 685 (G->getName().find("\01l_OBJC_") == 0)) { 686 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 687 return false; 688 } 689 690 if (G->hasSection()) { 691 StringRef Section(G->getSection()); 692 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 693 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 694 // them. 695 if ((Section.find("__OBJC,") == 0) || 696 (Section.find("__DATA, __objc_") == 0)) { 697 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 698 return false; 699 } 700 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 701 // Constant CFString instances are compiled in the following way: 702 // -- the string buffer is emitted into 703 // __TEXT,__cstring,cstring_literals 704 // -- the constant NSConstantString structure referencing that buffer 705 // is placed into __DATA,__cfstring 706 // Therefore there's no point in placing redzones into __DATA,__cfstring. 707 // Moreover, it causes the linker to crash on OS X 10.7 708 if (Section.find("__DATA,__cfstring") == 0) { 709 DEBUG(dbgs() << "Ignoring CFString: " << *G); 710 return false; 711 } 712 } 713 714 return true; 715} 716 717// This function replaces all global variables with new variables that have 718// trailing redzones. It also creates a function that poisons 719// redzones and inserts this function into llvm.global_ctors. 720bool AddressSanitizerModule::runOnModule(Module &M) { 721 if (!ClGlobals) return false; 722 TD = getAnalysisIfAvailable<DataLayout>(); 723 if (!TD) 724 return false; 725 BL.reset(new BlackList(BlacklistFile)); 726 if (BL->isIn(M)) return false; 727 DynamicallyInitializedGlobals.Init(M); 728 C = &(M.getContext()); 729 IntptrTy = Type::getIntNTy(*C, TD->getPointerSizeInBits()); 730 731 SmallVector<GlobalVariable *, 16> GlobalsToChange; 732 733 for (Module::GlobalListType::iterator G = M.global_begin(), 734 E = M.global_end(); G != E; ++G) { 735 if (ShouldInstrumentGlobal(G)) 736 GlobalsToChange.push_back(G); 737 } 738 739 size_t n = GlobalsToChange.size(); 740 if (n == 0) return false; 741 742 // A global is described by a structure 743 // size_t beg; 744 // size_t size; 745 // size_t size_with_redzone; 746 // const char *name; 747 // size_t has_dynamic_init; 748 // We initialize an array of such structures and pass it to a run-time call. 749 StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy, 750 IntptrTy, IntptrTy, 751 IntptrTy, NULL); 752 SmallVector<Constant *, 16> Initializers(n), DynamicInit; 753 754 755 Function *CtorFunc = M.getFunction(kAsanModuleCtorName); 756 assert(CtorFunc); 757 IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator()); 758 759 // The addresses of the first and last dynamically initialized globals in 760 // this TU. Used in initialization order checking. 761 Value *FirstDynamic = 0, *LastDynamic = 0; 762 763 for (size_t i = 0; i < n; i++) { 764 GlobalVariable *G = GlobalsToChange[i]; 765 PointerType *PtrTy = cast<PointerType>(G->getType()); 766 Type *Ty = PtrTy->getElementType(); 767 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 768 size_t RZ = RedzoneSize(); 769 uint64_t RightRedzoneSize = RZ + (RZ - (SizeInBytes % RZ)); 770 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 771 // Determine whether this global should be poisoned in initialization. 772 bool GlobalHasDynamicInitializer = 773 DynamicallyInitializedGlobals.Contains(G); 774 // Don't check initialization order if this global is blacklisted. 775 GlobalHasDynamicInitializer &= !BL->isInInit(*G); 776 777 StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL); 778 Constant *NewInitializer = ConstantStruct::get( 779 NewTy, G->getInitializer(), 780 Constant::getNullValue(RightRedZoneTy), NULL); 781 782 SmallString<2048> DescriptionOfGlobal = G->getName(); 783 DescriptionOfGlobal += " ("; 784 DescriptionOfGlobal += M.getModuleIdentifier(); 785 DescriptionOfGlobal += ")"; 786 GlobalVariable *Name = createPrivateGlobalForString(M, DescriptionOfGlobal); 787 788 // Create a new global variable with enough space for a redzone. 789 GlobalVariable *NewGlobal = new GlobalVariable( 790 M, NewTy, G->isConstant(), G->getLinkage(), 791 NewInitializer, "", G, G->getThreadLocalMode()); 792 NewGlobal->copyAttributesFrom(G); 793 NewGlobal->setAlignment(RZ); 794 795 Value *Indices2[2]; 796 Indices2[0] = IRB.getInt32(0); 797 Indices2[1] = IRB.getInt32(0); 798 799 G->replaceAllUsesWith( 800 ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true)); 801 NewGlobal->takeName(G); 802 G->eraseFromParent(); 803 804 Initializers[i] = ConstantStruct::get( 805 GlobalStructTy, 806 ConstantExpr::getPointerCast(NewGlobal, IntptrTy), 807 ConstantInt::get(IntptrTy, SizeInBytes), 808 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 809 ConstantExpr::getPointerCast(Name, IntptrTy), 810 ConstantInt::get(IntptrTy, GlobalHasDynamicInitializer), 811 NULL); 812 813 // Populate the first and last globals declared in this TU. 814 if (CheckInitOrder && GlobalHasDynamicInitializer) { 815 LastDynamic = ConstantExpr::getPointerCast(NewGlobal, IntptrTy); 816 if (FirstDynamic == 0) 817 FirstDynamic = LastDynamic; 818 } 819 820 DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); 821 } 822 823 ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); 824 GlobalVariable *AllGlobals = new GlobalVariable( 825 M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage, 826 ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); 827 828 // Create calls for poisoning before initializers run and unpoisoning after. 829 if (CheckInitOrder && FirstDynamic && LastDynamic) 830 createInitializerPoisonCalls(M, FirstDynamic, LastDynamic); 831 832 Function *AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( 833 kAsanRegisterGlobalsName, IRB.getVoidTy(), 834 IntptrTy, IntptrTy, NULL)); 835 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 836 837 IRB.CreateCall2(AsanRegisterGlobals, 838 IRB.CreatePointerCast(AllGlobals, IntptrTy), 839 ConstantInt::get(IntptrTy, n)); 840 841 // We also need to unregister globals at the end, e.g. when a shared library 842 // gets closed. 843 Function *AsanDtorFunction = Function::Create( 844 FunctionType::get(Type::getVoidTy(*C), false), 845 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 846 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 847 IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); 848 Function *AsanUnregisterGlobals = 849 checkInterfaceFunction(M.getOrInsertFunction( 850 kAsanUnregisterGlobalsName, 851 IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 852 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 853 854 IRB_Dtor.CreateCall2(AsanUnregisterGlobals, 855 IRB.CreatePointerCast(AllGlobals, IntptrTy), 856 ConstantInt::get(IntptrTy, n)); 857 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority); 858 859 DEBUG(dbgs() << M); 860 return true; 861} 862 863void AddressSanitizer::initializeCallbacks(Module &M) { 864 IRBuilder<> IRB(*C); 865 // Create __asan_report* callbacks. 866 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 867 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 868 AccessSizeIndex++) { 869 // IsWrite and TypeSize are encoded in the function name. 870 std::string FunctionName = std::string(kAsanReportErrorTemplate) + 871 (AccessIsWrite ? "store" : "load") + itostr(1 << AccessSizeIndex); 872 // If we are merging crash callbacks, they have two parameters. 873 AsanErrorCallback[AccessIsWrite][AccessSizeIndex] = 874 checkInterfaceFunction(M.getOrInsertFunction( 875 FunctionName, IRB.getVoidTy(), IntptrTy, NULL)); 876 } 877 } 878 879 AsanHandleNoReturnFunc = checkInterfaceFunction(M.getOrInsertFunction( 880 kAsanHandleNoReturnName, IRB.getVoidTy(), NULL)); 881 // We insert an empty inline asm after __asan_report* to avoid callback merge. 882 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 883 StringRef(""), StringRef(""), 884 /*hasSideEffects=*/true); 885} 886 887// virtual 888bool AddressSanitizer::doInitialization(Module &M) { 889 // Initialize the private fields. No one has accessed them before. 890 TD = getAnalysisIfAvailable<DataLayout>(); 891 892 if (!TD) 893 return false; 894 BL.reset(new BlackList(BlacklistFile)); 895 DynamicallyInitializedGlobals.Init(M); 896 897 C = &(M.getContext()); 898 LongSize = TD->getPointerSizeInBits(); 899 IntptrTy = Type::getIntNTy(*C, LongSize); 900 901 AsanCtorFunction = Function::Create( 902 FunctionType::get(Type::getVoidTy(*C), false), 903 GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); 904 BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); 905 // call __asan_init in the module ctor. 906 IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB)); 907 AsanInitFunction = checkInterfaceFunction( 908 M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL)); 909 AsanInitFunction->setLinkage(Function::ExternalLinkage); 910 IRB.CreateCall(AsanInitFunction); 911 912 llvm::Triple targetTriple(M.getTargetTriple()); 913 bool isAndroid = targetTriple.getEnvironment() == llvm::Triple::Android; 914 915 MappingOffset = isAndroid ? kDefaultShadowOffsetAndroid : 916 (LongSize == 32 ? kDefaultShadowOffset32 : kDefaultShadowOffset64); 917 if (ClMappingOffsetLog >= 0) { 918 if (ClMappingOffsetLog == 0) { 919 // special case 920 MappingOffset = 0; 921 } else { 922 MappingOffset = 1ULL << ClMappingOffsetLog; 923 } 924 } 925 926 927 if (ClMappingOffsetLog >= 0) { 928 // Tell the run-time the current values of mapping offset and scale. 929 GlobalValue *asan_mapping_offset = 930 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 931 ConstantInt::get(IntptrTy, MappingOffset), 932 kAsanMappingOffsetName); 933 // Read the global, otherwise it may be optimized away. 934 IRB.CreateLoad(asan_mapping_offset, true); 935 } 936 if (ClMappingScale) { 937 GlobalValue *asan_mapping_scale = 938 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 939 ConstantInt::get(IntptrTy, MappingScale()), 940 kAsanMappingScaleName); 941 // Read the global, otherwise it may be optimized away. 942 IRB.CreateLoad(asan_mapping_scale, true); 943 } 944 945 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority); 946 947 return true; 948} 949 950bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 951 // For each NSObject descendant having a +load method, this method is invoked 952 // by the ObjC runtime before any of the static constructors is called. 953 // Therefore we need to instrument such methods with a call to __asan_init 954 // at the beginning in order to initialize our runtime before any access to 955 // the shadow memory. 956 // We cannot just ignore these methods, because they may call other 957 // instrumented functions. 958 if (F.getName().find(" load]") != std::string::npos) { 959 IRBuilder<> IRB(F.begin()->begin()); 960 IRB.CreateCall(AsanInitFunction); 961 return true; 962 } 963 return false; 964} 965 966bool AddressSanitizer::runOnFunction(Function &F) { 967 if (BL->isIn(F)) return false; 968 if (&F == AsanCtorFunction) return false; 969 DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); 970 initializeCallbacks(*F.getParent()); 971 972 // If needed, insert __asan_init before checking for AddressSafety attr. 973 maybeInsertAsanInitAtFunctionEntry(F); 974 975 if (!F.getFnAttributes().hasAttribute(Attribute::AddressSafety)) 976 return false; 977 978 if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) 979 return false; 980 981 // We want to instrument every address only once per basic block (unless there 982 // are calls between uses). 983 SmallSet<Value*, 16> TempsToInstrument; 984 SmallVector<Instruction*, 16> ToInstrument; 985 SmallVector<Instruction*, 8> NoReturnCalls; 986 bool IsWrite; 987 988 // Fill the set of memory operations to instrument. 989 for (Function::iterator FI = F.begin(), FE = F.end(); 990 FI != FE; ++FI) { 991 TempsToInstrument.clear(); 992 int NumInsnsPerBB = 0; 993 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 994 BI != BE; ++BI) { 995 if (LooksLikeCodeInBug11395(BI)) return false; 996 if (Value *Addr = isInterestingMemoryAccess(BI, &IsWrite)) { 997 if (ClOpt && ClOptSameTemp) { 998 if (!TempsToInstrument.insert(Addr)) 999 continue; // We've seen this temp in the current BB. 1000 } 1001 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 1002 // ok, take it. 1003 } else { 1004 if (CallInst *CI = dyn_cast<CallInst>(BI)) { 1005 // A call inside BB. 1006 TempsToInstrument.clear(); 1007 if (CI->doesNotReturn()) { 1008 NoReturnCalls.push_back(CI); 1009 } 1010 } 1011 continue; 1012 } 1013 ToInstrument.push_back(BI); 1014 NumInsnsPerBB++; 1015 if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) 1016 break; 1017 } 1018 } 1019 1020 // Instrument. 1021 int NumInstrumented = 0; 1022 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 1023 Instruction *Inst = ToInstrument[i]; 1024 if (ClDebugMin < 0 || ClDebugMax < 0 || 1025 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 1026 if (isInterestingMemoryAccess(Inst, &IsWrite)) 1027 instrumentMop(Inst); 1028 else 1029 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 1030 } 1031 NumInstrumented++; 1032 } 1033 1034 FunctionStackPoisoner FSP(F, *this); 1035 bool ChangedStack = FSP.runOnFunction(); 1036 1037 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 1038 // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37 1039 for (size_t i = 0, n = NoReturnCalls.size(); i != n; i++) { 1040 Instruction *CI = NoReturnCalls[i]; 1041 IRBuilder<> IRB(CI); 1042 IRB.CreateCall(AsanHandleNoReturnFunc); 1043 } 1044 DEBUG(dbgs() << "ASAN done instrumenting:\n" << F << "\n"); 1045 1046 return NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); 1047} 1048 1049static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 1050 if (ShadowRedzoneSize == 1) return PoisonByte; 1051 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 1052 if (ShadowRedzoneSize == 4) 1053 return (PoisonByte << 24) + (PoisonByte << 16) + 1054 (PoisonByte << 8) + (PoisonByte); 1055 llvm_unreachable("ShadowRedzoneSize is either 1, 2 or 4"); 1056} 1057 1058static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 1059 size_t Size, 1060 size_t RZSize, 1061 size_t ShadowGranularity, 1062 uint8_t Magic) { 1063 for (size_t i = 0; i < RZSize; 1064 i+= ShadowGranularity, Shadow++) { 1065 if (i + ShadowGranularity <= Size) { 1066 *Shadow = 0; // fully addressable 1067 } else if (i >= Size) { 1068 *Shadow = Magic; // unaddressable 1069 } else { 1070 *Shadow = Size - i; // first Size-i bytes are addressable 1071 } 1072 } 1073} 1074 1075// Workaround for bug 11395: we don't want to instrument stack in functions 1076// with large assembly blobs (32-bit only), otherwise reg alloc may crash. 1077// FIXME: remove once the bug 11395 is fixed. 1078bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 1079 if (LongSize != 32) return false; 1080 CallInst *CI = dyn_cast<CallInst>(I); 1081 if (!CI || !CI->isInlineAsm()) return false; 1082 if (CI->getNumArgOperands() <= 5) return false; 1083 // We have inline assembly with quite a few arguments. 1084 return true; 1085} 1086 1087void FunctionStackPoisoner::initializeCallbacks(Module &M) { 1088 IRBuilder<> IRB(*C); 1089 AsanStackMallocFunc = checkInterfaceFunction(M.getOrInsertFunction( 1090 kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL)); 1091 AsanStackFreeFunc = checkInterfaceFunction(M.getOrInsertFunction( 1092 kAsanStackFreeName, IRB.getVoidTy(), 1093 IntptrTy, IntptrTy, IntptrTy, NULL)); 1094 AsanPoisonStackMemoryFunc = checkInterfaceFunction(M.getOrInsertFunction( 1095 kAsanPoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1096 AsanUnpoisonStackMemoryFunc = checkInterfaceFunction(M.getOrInsertFunction( 1097 kAsanUnpoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1098} 1099 1100void FunctionStackPoisoner::poisonRedZones( 1101 const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, Value *ShadowBase, 1102 bool DoPoison) { 1103 size_t ShadowRZSize = RedzoneSize() >> MappingScale(); 1104 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 1105 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 1106 Type *RZPtrTy = PointerType::get(RZTy, 0); 1107 1108 Value *PoisonLeft = ConstantInt::get(RZTy, 1109 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 1110 Value *PoisonMid = ConstantInt::get(RZTy, 1111 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 1112 Value *PoisonRight = ConstantInt::get(RZTy, 1113 ValueForPoison(DoPoison ? kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 1114 1115 // poison the first red zone. 1116 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 1117 1118 // poison all other red zones. 1119 uint64_t Pos = RedzoneSize(); 1120 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 1121 AllocaInst *AI = AllocaVec[i]; 1122 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 1123 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1124 assert(AlignedSize - SizeInBytes < RedzoneSize()); 1125 Value *Ptr = NULL; 1126 1127 Pos += AlignedSize; 1128 1129 assert(ShadowBase->getType() == IntptrTy); 1130 if (SizeInBytes < AlignedSize) { 1131 // Poison the partial redzone at right 1132 Ptr = IRB.CreateAdd( 1133 ShadowBase, ConstantInt::get(IntptrTy, 1134 (Pos >> MappingScale()) - ShadowRZSize)); 1135 size_t AddressableBytes = RedzoneSize() - (AlignedSize - SizeInBytes); 1136 uint32_t Poison = 0; 1137 if (DoPoison) { 1138 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 1139 RedzoneSize(), 1140 1ULL << MappingScale(), 1141 kAsanStackPartialRedzoneMagic); 1142 } 1143 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 1144 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1145 } 1146 1147 // Poison the full redzone at right. 1148 Ptr = IRB.CreateAdd(ShadowBase, 1149 ConstantInt::get(IntptrTy, Pos >> MappingScale())); 1150 Value *Poison = i == AllocaVec.size() - 1 ? PoisonRight : PoisonMid; 1151 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1152 1153 Pos += RedzoneSize(); 1154 } 1155} 1156 1157void FunctionStackPoisoner::poisonStack() { 1158 bool HavePoisonedAllocas = false; 1159 uint64_t LocalStackSize = TotalStackSize + 1160 (AllocaVec.size() + 1) * RedzoneSize(); 1161 1162 bool DoStackMalloc = ASan.CheckUseAfterReturn 1163 && LocalStackSize <= kMaxStackMallocSize; 1164 1165 Instruction *InsBefore = AllocaVec[0]; 1166 IRBuilder<> IRB(InsBefore); 1167 1168 1169 Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); 1170 AllocaInst *MyAlloca = 1171 new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore); 1172 if (ClRealignStack && StackAlignment < RedzoneSize()) 1173 StackAlignment = RedzoneSize(); 1174 MyAlloca->setAlignment(StackAlignment); 1175 assert(MyAlloca->isStaticAlloca()); 1176 Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy); 1177 Value *LocalStackBase = OrigStackBase; 1178 1179 if (DoStackMalloc) { 1180 LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc, 1181 ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); 1182 } 1183 1184 // This string will be parsed by the run-time (DescribeStackAddress). 1185 SmallString<2048> StackDescriptionStorage; 1186 raw_svector_ostream StackDescription(StackDescriptionStorage); 1187 StackDescription << F.getName() << " " << AllocaVec.size() << " "; 1188 1189 uint64_t Pos = RedzoneSize(); 1190 // Replace Alloca instructions with base+offset. 1191 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 1192 AllocaInst *AI = AllocaVec[i]; 1193 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 1194 StringRef Name = AI->getName(); 1195 StackDescription << Pos << " " << SizeInBytes << " " 1196 << Name.size() << " " << Name << " "; 1197 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1198 assert((AlignedSize % RedzoneSize()) == 0); 1199 Value *NewAllocaPtr = IRB.CreateIntToPtr( 1200 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)), 1201 AI->getType()); 1202 replaceDbgDeclareForAlloca(AI, NewAllocaPtr, DIB); 1203 AI->replaceAllUsesWith(NewAllocaPtr); 1204 // Analyze lifetime intrinsics only for static allocas we handle. 1205 if (ASan.CheckLifetime) 1206 HavePoisonedAllocas |= handleAllocaLifetime(NewAllocaPtr); 1207 Pos += AlignedSize + RedzoneSize(); 1208 } 1209 assert(Pos == LocalStackSize); 1210 1211 // Write the Magic value and the frame description constant to the redzone. 1212 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 1213 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 1214 BasePlus0); 1215 Value *BasePlus1 = IRB.CreateAdd(LocalStackBase, 1216 ConstantInt::get(IntptrTy, 1217 ASan.LongSize/8)); 1218 BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy); 1219 GlobalVariable *StackDescriptionGlobal = 1220 createPrivateGlobalForString(*F.getParent(), StackDescription.str()); 1221 Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, 1222 IntptrTy); 1223 IRB.CreateStore(Description, BasePlus1); 1224 1225 // Poison the stack redzones at the entry. 1226 Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB); 1227 poisonRedZones(AllocaVec, IRB, ShadowBase, true); 1228 1229 // Unpoison the stack before all ret instructions. 1230 for (size_t i = 0, n = RetVec.size(); i < n; i++) { 1231 Instruction *Ret = RetVec[i]; 1232 IRBuilder<> IRBRet(Ret); 1233 // Mark the current frame as retired. 1234 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 1235 BasePlus0); 1236 // Unpoison the stack. 1237 poisonRedZones(AllocaVec, IRBRet, ShadowBase, false); 1238 if (DoStackMalloc) { 1239 // In use-after-return mode, mark the whole stack frame unaddressable. 1240 IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase, 1241 ConstantInt::get(IntptrTy, LocalStackSize), 1242 OrigStackBase); 1243 } else if (HavePoisonedAllocas) { 1244 // If we poisoned some allocas in llvm.lifetime analysis, 1245 // unpoison whole stack frame now. 1246 assert(LocalStackBase == OrigStackBase); 1247 poisonAlloca(LocalStackBase, LocalStackSize, IRBRet, false); 1248 } 1249 } 1250 1251 // We are done. Remove the old unused alloca instructions. 1252 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) 1253 AllocaVec[i]->eraseFromParent(); 1254} 1255 1256void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size, 1257 IRBuilder<> IRB, bool DoPoison) { 1258 // For now just insert the call to ASan runtime. 1259 Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy); 1260 Value *SizeArg = ConstantInt::get(IntptrTy, Size); 1261 IRB.CreateCall2(DoPoison ? AsanPoisonStackMemoryFunc 1262 : AsanUnpoisonStackMemoryFunc, 1263 AddrArg, SizeArg); 1264} 1265 1266// Handling llvm.lifetime intrinsics for a given %alloca: 1267// (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca. 1268// (2) if %size is constant, poison memory for llvm.lifetime.end (to detect 1269// invalid accesses) and unpoison it for llvm.lifetime.start (the memory 1270// could be poisoned by previous llvm.lifetime.end instruction, as the 1271// variable may go in and out of scope several times, e.g. in loops). 1272// (3) if we poisoned at least one %alloca in a function, 1273// unpoison the whole stack frame at function exit. 1274bool FunctionStackPoisoner::handleAllocaLifetime(Value *Alloca) { 1275 assert(ASan.CheckLifetime); 1276 Type *AllocaType = Alloca->getType(); 1277 Type *Int8PtrTy = Type::getInt8PtrTy(AllocaType->getContext()); 1278 1279 bool Res = false; 1280 // Typical code looks like this: 1281 // %alloca = alloca <type>, <alignment> 1282 // ... some code ... 1283 // %val1 = bitcast <type>* %alloca to i8* 1284 // call void @llvm.lifetime.start(i64 <size>, i8* %val1) 1285 // ... more code ... 1286 // %val2 = bitcast <type>* %alloca to i8* 1287 // call void @llvm.lifetime.start(i64 <size>, i8* %val2) 1288 // That is, to handle %alloca we must find all its casts to 1289 // i8* values, and find lifetime instructions for these values. 1290 if (AllocaType == Int8PtrTy) 1291 Res |= handleValueLifetime(Alloca); 1292 for (Value::use_iterator UI = Alloca->use_begin(), UE = Alloca->use_end(); 1293 UI != UE; ++UI) { 1294 if (UI->getType() != Int8PtrTy) continue; 1295 if (UI->stripPointerCasts() != Alloca) continue; 1296 Res |= handleValueLifetime(*UI); 1297 } 1298 return Res; 1299} 1300 1301bool FunctionStackPoisoner::handleValueLifetime(Value *V) { 1302 assert(ASan.CheckLifetime); 1303 bool Res = false; 1304 for (Value::use_iterator UI = V->use_begin(), UE = V->use_end(); UI != UE; 1305 ++UI) { 1306 IntrinsicInst *II = dyn_cast<IntrinsicInst>(*UI); 1307 if (!II) continue; 1308 Intrinsic::ID ID = II->getIntrinsicID(); 1309 if (ID != Intrinsic::lifetime_start && 1310 ID != Intrinsic::lifetime_end) 1311 continue; 1312 if (V != II->getArgOperand(1)) 1313 continue; 1314 // Found lifetime intrinsic, add ASan instrumentation if necessary. 1315 ConstantInt *Size = dyn_cast<ConstantInt>(II->getArgOperand(0)); 1316 // If size argument is undefined, don't do anything. 1317 if (Size->isMinusOne()) 1318 continue; 1319 // Check that size doesn't saturate uint64_t and can 1320 // be stored in IntptrTy. 1321 const uint64_t SizeValue = Size->getValue().getLimitedValue(); 1322 if (SizeValue == ~0ULL || 1323 !ConstantInt::isValueValidForType(IntptrTy, SizeValue)) { 1324 continue; 1325 } 1326 IRBuilder<> IRB(II); 1327 bool DoPoison = (ID == Intrinsic::lifetime_end); 1328 poisonAlloca(V, SizeValue, IRB, DoPoison); 1329 Res = true; 1330 } 1331 return Res; 1332} 1333