DataFlowSanitizer.cpp revision fdb1a6c341c0e289f3f900cdab87f831262c0e93
1//===-- DataFlowSanitizer.cpp - dynamic data flow analysis ----------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9/// \file 10/// This file is a part of DataFlowSanitizer, a generalised dynamic data flow 11/// analysis. 12/// 13/// Unlike other Sanitizer tools, this tool is not designed to detect a specific 14/// class of bugs on its own. Instead, it provides a generic dynamic data flow 15/// analysis framework to be used by clients to help detect application-specific 16/// issues within their own code. 17/// 18/// The analysis is based on automatic propagation of data flow labels (also 19/// known as taint labels) through a program as it performs computation. Each 20/// byte of application memory is backed by two bytes of shadow memory which 21/// hold the label. On Linux/x86_64, memory is laid out as follows: 22/// 23/// +--------------------+ 0x800000000000 (top of memory) 24/// | application memory | 25/// +--------------------+ 0x700000008000 (kAppAddr) 26/// | | 27/// | unused | 28/// | | 29/// +--------------------+ 0x200200000000 (kUnusedAddr) 30/// | union table | 31/// +--------------------+ 0x200000000000 (kUnionTableAddr) 32/// | shadow memory | 33/// +--------------------+ 0x000000010000 (kShadowAddr) 34/// | reserved by kernel | 35/// +--------------------+ 0x000000000000 36/// 37/// To derive a shadow memory address from an application memory address, 38/// bits 44-46 are cleared to bring the address into the range 39/// [0x000000008000,0x100000000000). Then the address is shifted left by 1 to 40/// account for the double byte representation of shadow labels and move the 41/// address into the shadow memory range. See the function 42/// DataFlowSanitizer::getShadowAddress below. 43/// 44/// For more information, please refer to the design document: 45/// http://clang.llvm.org/docs/DataFlowSanitizerDesign.html 46 47#include "llvm/Transforms/Instrumentation.h" 48#include "llvm/ADT/DenseMap.h" 49#include "llvm/ADT/DenseSet.h" 50#include "llvm/ADT/DepthFirstIterator.h" 51#include "llvm/Analysis/ValueTracking.h" 52#include "llvm/IR/InlineAsm.h" 53#include "llvm/IR/IRBuilder.h" 54#include "llvm/IR/LLVMContext.h" 55#include "llvm/IR/MDBuilder.h" 56#include "llvm/IR/Type.h" 57#include "llvm/IR/Value.h" 58#include "llvm/InstVisitor.h" 59#include "llvm/Pass.h" 60#include "llvm/Support/CommandLine.h" 61#include "llvm/Transforms/Utils/BasicBlockUtils.h" 62#include "llvm/Transforms/Utils/Local.h" 63#include "llvm/Transforms/Utils/SpecialCaseList.h" 64#include <iterator> 65 66using namespace llvm; 67 68// The -dfsan-preserve-alignment flag controls whether this pass assumes that 69// alignment requirements provided by the input IR are correct. For example, 70// if the input IR contains a load with alignment 8, this flag will cause 71// the shadow load to have alignment 16. This flag is disabled by default as 72// we have unfortunately encountered too much code (including Clang itself; 73// see PR14291) which performs misaligned access. 74static cl::opt<bool> ClPreserveAlignment( 75 "dfsan-preserve-alignment", 76 cl::desc("respect alignment requirements provided by input IR"), cl::Hidden, 77 cl::init(false)); 78 79// The ABI list file controls how shadow parameters are passed. The pass treats 80// every function labelled "uninstrumented" in the ABI list file as conforming 81// to the "native" (i.e. unsanitized) ABI. Unless the ABI list contains 82// additional annotations for those functions, a call to one of those functions 83// will produce a warning message, as the labelling behaviour of the function is 84// unknown. The other supported annotations are "functional" and "discard", 85// which are described below under DataFlowSanitizer::WrapperKind. 86static cl::opt<std::string> ClABIListFile( 87 "dfsan-abilist", 88 cl::desc("File listing native ABI functions and how the pass treats them"), 89 cl::Hidden); 90 91// Controls whether the pass uses IA_Args or IA_TLS as the ABI for instrumented 92// functions (see DataFlowSanitizer::InstrumentedABI below). 93static cl::opt<bool> ClArgsABI( 94 "dfsan-args-abi", 95 cl::desc("Use the argument ABI rather than the TLS ABI"), 96 cl::Hidden); 97 98namespace { 99 100class DataFlowSanitizer : public ModulePass { 101 friend struct DFSanFunction; 102 friend class DFSanVisitor; 103 104 enum { 105 ShadowWidth = 16 106 }; 107 108 /// Which ABI should be used for instrumented functions? 109 enum InstrumentedABI { 110 /// Argument and return value labels are passed through additional 111 /// arguments and by modifying the return type. 112 IA_Args, 113 114 /// Argument and return value labels are passed through TLS variables 115 /// __dfsan_arg_tls and __dfsan_retval_tls. 116 IA_TLS 117 }; 118 119 /// How should calls to uninstrumented functions be handled? 120 enum WrapperKind { 121 /// This function is present in an uninstrumented form but we don't know 122 /// how it should be handled. Print a warning and call the function anyway. 123 /// Don't label the return value. 124 WK_Warning, 125 126 /// This function does not write to (user-accessible) memory, and its return 127 /// value is unlabelled. 128 WK_Discard, 129 130 /// This function does not write to (user-accessible) memory, and the label 131 /// of its return value is the union of the label of its arguments. 132 WK_Functional, 133 134 /// Instead of calling the function, a custom wrapper __dfsw_F is called, 135 /// where F is the name of the function. This function may wrap the 136 /// original function or provide its own implementation. This is similar to 137 /// the IA_Args ABI, except that IA_Args uses a struct return type to 138 /// pass the return value shadow in a register, while WK_Custom uses an 139 /// extra pointer argument to return the shadow. This allows the wrapped 140 /// form of the function type to be expressed in C. 141 WK_Custom 142 }; 143 144 DataLayout *DL; 145 Module *Mod; 146 LLVMContext *Ctx; 147 IntegerType *ShadowTy; 148 PointerType *ShadowPtrTy; 149 IntegerType *IntptrTy; 150 ConstantInt *ZeroShadow; 151 ConstantInt *ShadowPtrMask; 152 ConstantInt *ShadowPtrMul; 153 Constant *ArgTLS; 154 Constant *RetvalTLS; 155 void *(*GetArgTLSPtr)(); 156 void *(*GetRetvalTLSPtr)(); 157 Constant *GetArgTLS; 158 Constant *GetRetvalTLS; 159 FunctionType *DFSanUnionFnTy; 160 FunctionType *DFSanUnionLoadFnTy; 161 FunctionType *DFSanUnimplementedFnTy; 162 Constant *DFSanUnionFn; 163 Constant *DFSanUnionLoadFn; 164 Constant *DFSanUnimplementedFn; 165 MDNode *ColdCallWeights; 166 OwningPtr<SpecialCaseList> ABIList; 167 DenseMap<Value *, Function *> UnwrappedFnMap; 168 AttributeSet ReadOnlyNoneAttrs; 169 170 Value *getShadowAddress(Value *Addr, Instruction *Pos); 171 Value *combineShadows(Value *V1, Value *V2, Instruction *Pos); 172 bool isInstrumented(Function *F); 173 FunctionType *getArgsFunctionType(FunctionType *T); 174 FunctionType *getCustomFunctionType(FunctionType *T); 175 InstrumentedABI getInstrumentedABI(); 176 WrapperKind getWrapperKind(Function *F); 177 178 public: 179 DataFlowSanitizer(StringRef ABIListFile = StringRef(), 180 void *(*getArgTLS)() = 0, void *(*getRetValTLS)() = 0); 181 static char ID; 182 bool doInitialization(Module &M); 183 bool runOnModule(Module &M); 184}; 185 186struct DFSanFunction { 187 DataFlowSanitizer &DFS; 188 Function *F; 189 DataFlowSanitizer::InstrumentedABI IA; 190 bool IsNativeABI; 191 Value *ArgTLSPtr; 192 Value *RetvalTLSPtr; 193 AllocaInst *LabelReturnAlloca; 194 DenseMap<Value *, Value *> ValShadowMap; 195 DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap; 196 std::vector<std::pair<PHINode *, PHINode *> > PHIFixups; 197 DenseSet<Instruction *> SkipInsts; 198 199 DFSanFunction(DataFlowSanitizer &DFS, Function *F, bool IsNativeABI) 200 : DFS(DFS), F(F), IA(DFS.getInstrumentedABI()), 201 IsNativeABI(IsNativeABI), ArgTLSPtr(0), RetvalTLSPtr(0), 202 LabelReturnAlloca(0) {} 203 Value *getArgTLSPtr(); 204 Value *getArgTLS(unsigned Index, Instruction *Pos); 205 Value *getRetvalTLS(); 206 Value *getShadow(Value *V); 207 void setShadow(Instruction *I, Value *Shadow); 208 Value *combineOperandShadows(Instruction *Inst); 209 Value *loadShadow(Value *ShadowAddr, uint64_t Size, uint64_t Align, 210 Instruction *Pos); 211 void storeShadow(Value *Addr, uint64_t Size, uint64_t Align, Value *Shadow, 212 Instruction *Pos); 213}; 214 215class DFSanVisitor : public InstVisitor<DFSanVisitor> { 216 public: 217 DFSanFunction &DFSF; 218 DFSanVisitor(DFSanFunction &DFSF) : DFSF(DFSF) {} 219 220 void visitOperandShadowInst(Instruction &I); 221 222 void visitBinaryOperator(BinaryOperator &BO); 223 void visitCastInst(CastInst &CI); 224 void visitCmpInst(CmpInst &CI); 225 void visitGetElementPtrInst(GetElementPtrInst &GEPI); 226 void visitLoadInst(LoadInst &LI); 227 void visitStoreInst(StoreInst &SI); 228 void visitReturnInst(ReturnInst &RI); 229 void visitCallSite(CallSite CS); 230 void visitPHINode(PHINode &PN); 231 void visitExtractElementInst(ExtractElementInst &I); 232 void visitInsertElementInst(InsertElementInst &I); 233 void visitShuffleVectorInst(ShuffleVectorInst &I); 234 void visitExtractValueInst(ExtractValueInst &I); 235 void visitInsertValueInst(InsertValueInst &I); 236 void visitAllocaInst(AllocaInst &I); 237 void visitSelectInst(SelectInst &I); 238 void visitMemTransferInst(MemTransferInst &I); 239}; 240 241} 242 243char DataFlowSanitizer::ID; 244INITIALIZE_PASS(DataFlowSanitizer, "dfsan", 245 "DataFlowSanitizer: dynamic data flow analysis.", false, false) 246 247ModulePass *llvm::createDataFlowSanitizerPass(StringRef ABIListFile, 248 void *(*getArgTLS)(), 249 void *(*getRetValTLS)()) { 250 return new DataFlowSanitizer(ABIListFile, getArgTLS, getRetValTLS); 251} 252 253DataFlowSanitizer::DataFlowSanitizer(StringRef ABIListFile, 254 void *(*getArgTLS)(), 255 void *(*getRetValTLS)()) 256 : ModulePass(ID), GetArgTLSPtr(getArgTLS), GetRetvalTLSPtr(getRetValTLS), 257 ABIList(SpecialCaseList::createOrDie(ABIListFile.empty() ? ClABIListFile 258 : ABIListFile)) { 259} 260 261FunctionType *DataFlowSanitizer::getArgsFunctionType(FunctionType *T) { 262 llvm::SmallVector<Type *, 4> ArgTypes; 263 std::copy(T->param_begin(), T->param_end(), std::back_inserter(ArgTypes)); 264 for (unsigned i = 0, e = T->getNumParams(); i != e; ++i) 265 ArgTypes.push_back(ShadowTy); 266 if (T->isVarArg()) 267 ArgTypes.push_back(ShadowPtrTy); 268 Type *RetType = T->getReturnType(); 269 if (!RetType->isVoidTy()) 270 RetType = StructType::get(RetType, ShadowTy, (Type *)0); 271 return FunctionType::get(RetType, ArgTypes, T->isVarArg()); 272} 273 274FunctionType *DataFlowSanitizer::getCustomFunctionType(FunctionType *T) { 275 assert(!T->isVarArg()); 276 llvm::SmallVector<Type *, 4> ArgTypes; 277 std::copy(T->param_begin(), T->param_end(), std::back_inserter(ArgTypes)); 278 for (unsigned i = 0, e = T->getNumParams(); i != e; ++i) 279 ArgTypes.push_back(ShadowTy); 280 Type *RetType = T->getReturnType(); 281 if (!RetType->isVoidTy()) 282 ArgTypes.push_back(ShadowPtrTy); 283 return FunctionType::get(T->getReturnType(), ArgTypes, false); 284} 285 286bool DataFlowSanitizer::doInitialization(Module &M) { 287 DL = getAnalysisIfAvailable<DataLayout>(); 288 if (!DL) 289 return false; 290 291 Mod = &M; 292 Ctx = &M.getContext(); 293 ShadowTy = IntegerType::get(*Ctx, ShadowWidth); 294 ShadowPtrTy = PointerType::getUnqual(ShadowTy); 295 IntptrTy = DL->getIntPtrType(*Ctx); 296 ZeroShadow = ConstantInt::getSigned(ShadowTy, 0); 297 ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0x700000000000LL); 298 ShadowPtrMul = ConstantInt::getSigned(IntptrTy, ShadowWidth / 8); 299 300 Type *DFSanUnionArgs[2] = { ShadowTy, ShadowTy }; 301 DFSanUnionFnTy = 302 FunctionType::get(ShadowTy, DFSanUnionArgs, /*isVarArg=*/ false); 303 Type *DFSanUnionLoadArgs[2] = { ShadowPtrTy, IntptrTy }; 304 DFSanUnionLoadFnTy = 305 FunctionType::get(ShadowTy, DFSanUnionLoadArgs, /*isVarArg=*/ false); 306 DFSanUnimplementedFnTy = FunctionType::get( 307 Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false); 308 309 if (GetArgTLSPtr) { 310 Type *ArgTLSTy = ArrayType::get(ShadowTy, 64); 311 ArgTLS = 0; 312 GetArgTLS = ConstantExpr::getIntToPtr( 313 ConstantInt::get(IntptrTy, uintptr_t(GetArgTLSPtr)), 314 PointerType::getUnqual( 315 FunctionType::get(PointerType::getUnqual(ArgTLSTy), (Type *)0))); 316 } 317 if (GetRetvalTLSPtr) { 318 RetvalTLS = 0; 319 GetRetvalTLS = ConstantExpr::getIntToPtr( 320 ConstantInt::get(IntptrTy, uintptr_t(GetRetvalTLSPtr)), 321 PointerType::getUnqual( 322 FunctionType::get(PointerType::getUnqual(ShadowTy), (Type *)0))); 323 } 324 325 ColdCallWeights = MDBuilder(*Ctx).createBranchWeights(1, 1000); 326 return true; 327} 328 329bool DataFlowSanitizer::isInstrumented(Function *F) { 330 return !ABIList->isIn(*F, "uninstrumented"); 331} 332 333DataFlowSanitizer::InstrumentedABI DataFlowSanitizer::getInstrumentedABI() { 334 return ClArgsABI ? IA_Args : IA_TLS; 335} 336 337DataFlowSanitizer::WrapperKind DataFlowSanitizer::getWrapperKind(Function *F) { 338 if (ABIList->isIn(*F, "functional")) 339 return WK_Functional; 340 if (ABIList->isIn(*F, "discard")) 341 return WK_Discard; 342 if (ABIList->isIn(*F, "custom")) 343 return WK_Custom; 344 345 return WK_Warning; 346} 347 348bool DataFlowSanitizer::runOnModule(Module &M) { 349 if (!DL) 350 return false; 351 352 if (ABIList->isIn(M, "skip")) 353 return false; 354 355 if (!GetArgTLSPtr) { 356 Type *ArgTLSTy = ArrayType::get(ShadowTy, 64); 357 ArgTLS = Mod->getOrInsertGlobal("__dfsan_arg_tls", ArgTLSTy); 358 if (GlobalVariable *G = dyn_cast<GlobalVariable>(ArgTLS)) 359 G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel); 360 } 361 if (!GetRetvalTLSPtr) { 362 RetvalTLS = Mod->getOrInsertGlobal("__dfsan_retval_tls", ShadowTy); 363 if (GlobalVariable *G = dyn_cast<GlobalVariable>(RetvalTLS)) 364 G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel); 365 } 366 367 DFSanUnionFn = Mod->getOrInsertFunction("__dfsan_union", DFSanUnionFnTy); 368 if (Function *F = dyn_cast<Function>(DFSanUnionFn)) { 369 F->addAttribute(AttributeSet::FunctionIndex, Attribute::ReadNone); 370 F->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 371 F->addAttribute(1, Attribute::ZExt); 372 F->addAttribute(2, Attribute::ZExt); 373 } 374 DFSanUnionLoadFn = 375 Mod->getOrInsertFunction("__dfsan_union_load", DFSanUnionLoadFnTy); 376 if (Function *F = dyn_cast<Function>(DFSanUnionLoadFn)) { 377 F->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 378 } 379 DFSanUnimplementedFn = 380 Mod->getOrInsertFunction("__dfsan_unimplemented", DFSanUnimplementedFnTy); 381 382 std::vector<Function *> FnsToInstrument; 383 llvm::SmallPtrSet<Function *, 2> FnsWithNativeABI; 384 for (Module::iterator i = M.begin(), e = M.end(); i != e; ++i) { 385 if (!i->isIntrinsic() && 386 i != DFSanUnionFn && 387 i != DFSanUnionLoadFn && 388 i != DFSanUnimplementedFn) 389 FnsToInstrument.push_back(&*i); 390 } 391 392 AttrBuilder B; 393 B.addAttribute(Attribute::ReadOnly).addAttribute(Attribute::ReadNone); 394 ReadOnlyNoneAttrs = AttributeSet::get(*Ctx, AttributeSet::FunctionIndex, B); 395 396 // First, change the ABI of every function in the module. ABI-listed 397 // functions keep their original ABI and get a wrapper function. 398 for (std::vector<Function *>::iterator i = FnsToInstrument.begin(), 399 e = FnsToInstrument.end(); 400 i != e; ++i) { 401 Function &F = **i; 402 FunctionType *FT = F.getFunctionType(); 403 404 if (FT->getNumParams() == 0 && !FT->isVarArg() && 405 FT->getReturnType()->isVoidTy()) 406 continue; 407 408 if (isInstrumented(&F)) { 409 if (getInstrumentedABI() == IA_Args) { 410 FunctionType *NewFT = getArgsFunctionType(FT); 411 Function *NewF = Function::Create(NewFT, F.getLinkage(), "", &M); 412 NewF->copyAttributesFrom(&F); 413 NewF->removeAttributes( 414 AttributeSet::ReturnIndex, 415 AttributeFuncs::typeIncompatible(NewFT->getReturnType(), 416 AttributeSet::ReturnIndex)); 417 for (Function::arg_iterator FArg = F.arg_begin(), 418 NewFArg = NewF->arg_begin(), 419 FArgEnd = F.arg_end(); 420 FArg != FArgEnd; ++FArg, ++NewFArg) { 421 FArg->replaceAllUsesWith(NewFArg); 422 } 423 NewF->getBasicBlockList().splice(NewF->begin(), F.getBasicBlockList()); 424 425 for (Function::use_iterator ui = F.use_begin(), ue = F.use_end(); 426 ui != ue;) { 427 BlockAddress *BA = dyn_cast<BlockAddress>(ui.getUse().getUser()); 428 ++ui; 429 if (BA) { 430 BA->replaceAllUsesWith( 431 BlockAddress::get(NewF, BA->getBasicBlock())); 432 delete BA; 433 } 434 } 435 F.replaceAllUsesWith( 436 ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT))); 437 NewF->takeName(&F); 438 F.eraseFromParent(); 439 *i = NewF; 440 } 441 // Hopefully, nobody will try to indirectly call a vararg 442 // function... yet. 443 } else if (FT->isVarArg()) { 444 UnwrappedFnMap[&F] = &F; 445 *i = 0; 446 } else { 447 // Build a wrapper function for F. The wrapper simply calls F, and is 448 // added to FnsToInstrument so that any instrumentation according to its 449 // WrapperKind is done in the second pass below. 450 FunctionType *NewFT = getInstrumentedABI() == IA_Args 451 ? getArgsFunctionType(FT) 452 : FT; 453 Function *NewF = 454 Function::Create(NewFT, GlobalValue::LinkOnceODRLinkage, 455 std::string("dfsw$") + F.getName(), &M); 456 NewF->copyAttributesFrom(&F); 457 NewF->removeAttributes( 458 AttributeSet::ReturnIndex, 459 AttributeFuncs::typeIncompatible(NewFT->getReturnType(), 460 AttributeSet::ReturnIndex)); 461 if (getInstrumentedABI() == IA_TLS) 462 NewF->removeAttributes(AttributeSet::FunctionIndex, 463 ReadOnlyNoneAttrs); 464 465 BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", NewF); 466 std::vector<Value *> Args; 467 unsigned n = FT->getNumParams(); 468 for (Function::arg_iterator ai = NewF->arg_begin(); n != 0; ++ai, --n) 469 Args.push_back(&*ai); 470 CallInst *CI = CallInst::Create(&F, Args, "", BB); 471 if (FT->getReturnType()->isVoidTy()) 472 ReturnInst::Create(*Ctx, BB); 473 else 474 ReturnInst::Create(*Ctx, CI, BB); 475 476 Value *WrappedFnCst = 477 ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT)); 478 F.replaceAllUsesWith(WrappedFnCst); 479 UnwrappedFnMap[WrappedFnCst] = &F; 480 *i = NewF; 481 482 if (!F.isDeclaration()) { 483 // This function is probably defining an interposition of an 484 // uninstrumented function and hence needs to keep the original ABI. 485 // But any functions it may call need to use the instrumented ABI, so 486 // we instrument it in a mode which preserves the original ABI. 487 FnsWithNativeABI.insert(&F); 488 489 // This code needs to rebuild the iterators, as they may be invalidated 490 // by the push_back, taking care that the new range does not include 491 // any functions added by this code. 492 size_t N = i - FnsToInstrument.begin(), 493 Count = e - FnsToInstrument.begin(); 494 FnsToInstrument.push_back(&F); 495 i = FnsToInstrument.begin() + N; 496 e = FnsToInstrument.begin() + Count; 497 } 498 } 499 } 500 501 for (std::vector<Function *>::iterator i = FnsToInstrument.begin(), 502 e = FnsToInstrument.end(); 503 i != e; ++i) { 504 if (!*i || (*i)->isDeclaration()) 505 continue; 506 507 removeUnreachableBlocks(**i); 508 509 DFSanFunction DFSF(*this, *i, FnsWithNativeABI.count(*i)); 510 511 // DFSanVisitor may create new basic blocks, which confuses df_iterator. 512 // Build a copy of the list before iterating over it. 513 llvm::SmallVector<BasicBlock *, 4> BBList; 514 std::copy(df_begin(&(*i)->getEntryBlock()), df_end(&(*i)->getEntryBlock()), 515 std::back_inserter(BBList)); 516 517 for (llvm::SmallVector<BasicBlock *, 4>::iterator i = BBList.begin(), 518 e = BBList.end(); 519 i != e; ++i) { 520 Instruction *Inst = &(*i)->front(); 521 while (1) { 522 // DFSanVisitor may split the current basic block, changing the current 523 // instruction's next pointer and moving the next instruction to the 524 // tail block from which we should continue. 525 Instruction *Next = Inst->getNextNode(); 526 // DFSanVisitor may delete Inst, so keep track of whether it was a 527 // terminator. 528 bool IsTerminator = isa<TerminatorInst>(Inst); 529 if (!DFSF.SkipInsts.count(Inst)) 530 DFSanVisitor(DFSF).visit(Inst); 531 if (IsTerminator) 532 break; 533 Inst = Next; 534 } 535 } 536 537 // We will not necessarily be able to compute the shadow for every phi node 538 // until we have visited every block. Therefore, the code that handles phi 539 // nodes adds them to the PHIFixups list so that they can be properly 540 // handled here. 541 for (std::vector<std::pair<PHINode *, PHINode *> >::iterator 542 i = DFSF.PHIFixups.begin(), 543 e = DFSF.PHIFixups.end(); 544 i != e; ++i) { 545 for (unsigned val = 0, n = i->first->getNumIncomingValues(); val != n; 546 ++val) { 547 i->second->setIncomingValue( 548 val, DFSF.getShadow(i->first->getIncomingValue(val))); 549 } 550 } 551 } 552 553 return false; 554} 555 556Value *DFSanFunction::getArgTLSPtr() { 557 if (ArgTLSPtr) 558 return ArgTLSPtr; 559 if (DFS.ArgTLS) 560 return ArgTLSPtr = DFS.ArgTLS; 561 562 IRBuilder<> IRB(F->getEntryBlock().begin()); 563 return ArgTLSPtr = IRB.CreateCall(DFS.GetArgTLS); 564} 565 566Value *DFSanFunction::getRetvalTLS() { 567 if (RetvalTLSPtr) 568 return RetvalTLSPtr; 569 if (DFS.RetvalTLS) 570 return RetvalTLSPtr = DFS.RetvalTLS; 571 572 IRBuilder<> IRB(F->getEntryBlock().begin()); 573 return RetvalTLSPtr = IRB.CreateCall(DFS.GetRetvalTLS); 574} 575 576Value *DFSanFunction::getArgTLS(unsigned Idx, Instruction *Pos) { 577 IRBuilder<> IRB(Pos); 578 return IRB.CreateConstGEP2_64(getArgTLSPtr(), 0, Idx); 579} 580 581Value *DFSanFunction::getShadow(Value *V) { 582 if (!isa<Argument>(V) && !isa<Instruction>(V)) 583 return DFS.ZeroShadow; 584 Value *&Shadow = ValShadowMap[V]; 585 if (!Shadow) { 586 if (Argument *A = dyn_cast<Argument>(V)) { 587 if (IsNativeABI) 588 return DFS.ZeroShadow; 589 switch (IA) { 590 case DataFlowSanitizer::IA_TLS: { 591 Value *ArgTLSPtr = getArgTLSPtr(); 592 Instruction *ArgTLSPos = 593 DFS.ArgTLS ? &*F->getEntryBlock().begin() 594 : cast<Instruction>(ArgTLSPtr)->getNextNode(); 595 IRBuilder<> IRB(ArgTLSPos); 596 Shadow = IRB.CreateLoad(getArgTLS(A->getArgNo(), ArgTLSPos)); 597 break; 598 } 599 case DataFlowSanitizer::IA_Args: { 600 unsigned ArgIdx = A->getArgNo() + F->getArgumentList().size() / 2; 601 Function::arg_iterator i = F->arg_begin(); 602 while (ArgIdx--) 603 ++i; 604 Shadow = i; 605 assert(Shadow->getType() == DFS.ShadowTy); 606 break; 607 } 608 } 609 } else { 610 Shadow = DFS.ZeroShadow; 611 } 612 } 613 return Shadow; 614} 615 616void DFSanFunction::setShadow(Instruction *I, Value *Shadow) { 617 assert(!ValShadowMap.count(I)); 618 assert(Shadow->getType() == DFS.ShadowTy); 619 ValShadowMap[I] = Shadow; 620} 621 622Value *DataFlowSanitizer::getShadowAddress(Value *Addr, Instruction *Pos) { 623 assert(Addr != RetvalTLS && "Reinstrumenting?"); 624 IRBuilder<> IRB(Pos); 625 return IRB.CreateIntToPtr( 626 IRB.CreateMul( 627 IRB.CreateAnd(IRB.CreatePtrToInt(Addr, IntptrTy), ShadowPtrMask), 628 ShadowPtrMul), 629 ShadowPtrTy); 630} 631 632// Generates IR to compute the union of the two given shadows, inserting it 633// before Pos. Returns the computed union Value. 634Value *DataFlowSanitizer::combineShadows(Value *V1, Value *V2, 635 Instruction *Pos) { 636 if (V1 == ZeroShadow) 637 return V2; 638 if (V2 == ZeroShadow) 639 return V1; 640 if (V1 == V2) 641 return V1; 642 IRBuilder<> IRB(Pos); 643 BasicBlock *Head = Pos->getParent(); 644 Value *Ne = IRB.CreateICmpNE(V1, V2); 645 Instruction *NeInst = dyn_cast<Instruction>(Ne); 646 if (NeInst) { 647 BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen( 648 NeInst, /*Unreachable=*/ false, ColdCallWeights)); 649 IRBuilder<> ThenIRB(BI); 650 CallInst *Call = ThenIRB.CreateCall2(DFSanUnionFn, V1, V2); 651 Call->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 652 Call->addAttribute(1, Attribute::ZExt); 653 Call->addAttribute(2, Attribute::ZExt); 654 655 BasicBlock *Tail = BI->getSuccessor(0); 656 PHINode *Phi = PHINode::Create(ShadowTy, 2, "", Tail->begin()); 657 Phi->addIncoming(Call, Call->getParent()); 658 Phi->addIncoming(ZeroShadow, Head); 659 Pos = Phi; 660 return Phi; 661 } else { 662 assert(0 && "todo"); 663 return 0; 664 } 665} 666 667// A convenience function which folds the shadows of each of the operands 668// of the provided instruction Inst, inserting the IR before Inst. Returns 669// the computed union Value. 670Value *DFSanFunction::combineOperandShadows(Instruction *Inst) { 671 if (Inst->getNumOperands() == 0) 672 return DFS.ZeroShadow; 673 674 Value *Shadow = getShadow(Inst->getOperand(0)); 675 for (unsigned i = 1, n = Inst->getNumOperands(); i != n; ++i) { 676 Shadow = DFS.combineShadows(Shadow, getShadow(Inst->getOperand(i)), Inst); 677 } 678 return Shadow; 679} 680 681void DFSanVisitor::visitOperandShadowInst(Instruction &I) { 682 Value *CombinedShadow = DFSF.combineOperandShadows(&I); 683 DFSF.setShadow(&I, CombinedShadow); 684} 685 686// Generates IR to load shadow corresponding to bytes [Addr, Addr+Size), where 687// Addr has alignment Align, and take the union of each of those shadows. 688Value *DFSanFunction::loadShadow(Value *Addr, uint64_t Size, uint64_t Align, 689 Instruction *Pos) { 690 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) { 691 llvm::DenseMap<AllocaInst *, AllocaInst *>::iterator i = 692 AllocaShadowMap.find(AI); 693 if (i != AllocaShadowMap.end()) { 694 IRBuilder<> IRB(Pos); 695 return IRB.CreateLoad(i->second); 696 } 697 } 698 699 uint64_t ShadowAlign = Align * DFS.ShadowWidth / 8; 700 SmallVector<Value *, 2> Objs; 701 GetUnderlyingObjects(Addr, Objs, DFS.DL); 702 bool AllConstants = true; 703 for (SmallVector<Value *, 2>::iterator i = Objs.begin(), e = Objs.end(); 704 i != e; ++i) { 705 if (isa<Function>(*i) || isa<BlockAddress>(*i)) 706 continue; 707 if (isa<GlobalVariable>(*i) && cast<GlobalVariable>(*i)->isConstant()) 708 continue; 709 710 AllConstants = false; 711 break; 712 } 713 if (AllConstants) 714 return DFS.ZeroShadow; 715 716 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos); 717 switch (Size) { 718 case 0: 719 return DFS.ZeroShadow; 720 case 1: { 721 LoadInst *LI = new LoadInst(ShadowAddr, "", Pos); 722 LI->setAlignment(ShadowAlign); 723 return LI; 724 } 725 case 2: { 726 IRBuilder<> IRB(Pos); 727 Value *ShadowAddr1 = 728 IRB.CreateGEP(ShadowAddr, ConstantInt::get(DFS.IntptrTy, 1)); 729 return DFS.combineShadows(IRB.CreateAlignedLoad(ShadowAddr, ShadowAlign), 730 IRB.CreateAlignedLoad(ShadowAddr1, ShadowAlign), 731 Pos); 732 } 733 } 734 if (Size % (64 / DFS.ShadowWidth) == 0) { 735 // Fast path for the common case where each byte has identical shadow: load 736 // shadow 64 bits at a time, fall out to a __dfsan_union_load call if any 737 // shadow is non-equal. 738 BasicBlock *FallbackBB = BasicBlock::Create(*DFS.Ctx, "", F); 739 IRBuilder<> FallbackIRB(FallbackBB); 740 CallInst *FallbackCall = FallbackIRB.CreateCall2( 741 DFS.DFSanUnionLoadFn, ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)); 742 FallbackCall->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 743 744 // Compare each of the shadows stored in the loaded 64 bits to each other, 745 // by computing (WideShadow rotl ShadowWidth) == WideShadow. 746 IRBuilder<> IRB(Pos); 747 Value *WideAddr = 748 IRB.CreateBitCast(ShadowAddr, Type::getInt64PtrTy(*DFS.Ctx)); 749 Value *WideShadow = IRB.CreateAlignedLoad(WideAddr, ShadowAlign); 750 Value *TruncShadow = IRB.CreateTrunc(WideShadow, DFS.ShadowTy); 751 Value *ShlShadow = IRB.CreateShl(WideShadow, DFS.ShadowWidth); 752 Value *ShrShadow = IRB.CreateLShr(WideShadow, 64 - DFS.ShadowWidth); 753 Value *RotShadow = IRB.CreateOr(ShlShadow, ShrShadow); 754 Value *ShadowsEq = IRB.CreateICmpEQ(WideShadow, RotShadow); 755 756 BasicBlock *Head = Pos->getParent(); 757 BasicBlock *Tail = Head->splitBasicBlock(Pos); 758 // In the following code LastBr will refer to the previous basic block's 759 // conditional branch instruction, whose true successor is fixed up to point 760 // to the next block during the loop below or to the tail after the final 761 // iteration. 762 BranchInst *LastBr = BranchInst::Create(FallbackBB, FallbackBB, ShadowsEq); 763 ReplaceInstWithInst(Head->getTerminator(), LastBr); 764 765 for (uint64_t Ofs = 64 / DFS.ShadowWidth; Ofs != Size; 766 Ofs += 64 / DFS.ShadowWidth) { 767 BasicBlock *NextBB = BasicBlock::Create(*DFS.Ctx, "", F); 768 IRBuilder<> NextIRB(NextBB); 769 WideAddr = NextIRB.CreateGEP(WideAddr, ConstantInt::get(DFS.IntptrTy, 1)); 770 Value *NextWideShadow = NextIRB.CreateAlignedLoad(WideAddr, ShadowAlign); 771 ShadowsEq = NextIRB.CreateICmpEQ(WideShadow, NextWideShadow); 772 LastBr->setSuccessor(0, NextBB); 773 LastBr = NextIRB.CreateCondBr(ShadowsEq, FallbackBB, FallbackBB); 774 } 775 776 LastBr->setSuccessor(0, Tail); 777 FallbackIRB.CreateBr(Tail); 778 PHINode *Shadow = PHINode::Create(DFS.ShadowTy, 2, "", &Tail->front()); 779 Shadow->addIncoming(FallbackCall, FallbackBB); 780 Shadow->addIncoming(TruncShadow, LastBr->getParent()); 781 return Shadow; 782 } 783 784 IRBuilder<> IRB(Pos); 785 CallInst *FallbackCall = IRB.CreateCall2( 786 DFS.DFSanUnionLoadFn, ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)); 787 FallbackCall->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 788 return FallbackCall; 789} 790 791void DFSanVisitor::visitLoadInst(LoadInst &LI) { 792 uint64_t Size = DFSF.DFS.DL->getTypeStoreSize(LI.getType()); 793 uint64_t Align; 794 if (ClPreserveAlignment) { 795 Align = LI.getAlignment(); 796 if (Align == 0) 797 Align = DFSF.DFS.DL->getABITypeAlignment(LI.getType()); 798 } else { 799 Align = 1; 800 } 801 IRBuilder<> IRB(&LI); 802 Value *LoadedShadow = 803 DFSF.loadShadow(LI.getPointerOperand(), Size, Align, &LI); 804 Value *PtrShadow = DFSF.getShadow(LI.getPointerOperand()); 805 DFSF.setShadow(&LI, DFSF.DFS.combineShadows(LoadedShadow, PtrShadow, &LI)); 806} 807 808void DFSanFunction::storeShadow(Value *Addr, uint64_t Size, uint64_t Align, 809 Value *Shadow, Instruction *Pos) { 810 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) { 811 llvm::DenseMap<AllocaInst *, AllocaInst *>::iterator i = 812 AllocaShadowMap.find(AI); 813 if (i != AllocaShadowMap.end()) { 814 IRBuilder<> IRB(Pos); 815 IRB.CreateStore(Shadow, i->second); 816 return; 817 } 818 } 819 820 uint64_t ShadowAlign = Align * DFS.ShadowWidth / 8; 821 IRBuilder<> IRB(Pos); 822 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos); 823 if (Shadow == DFS.ZeroShadow) { 824 IntegerType *ShadowTy = IntegerType::get(*DFS.Ctx, Size * DFS.ShadowWidth); 825 Value *ExtZeroShadow = ConstantInt::get(ShadowTy, 0); 826 Value *ExtShadowAddr = 827 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowTy)); 828 IRB.CreateAlignedStore(ExtZeroShadow, ExtShadowAddr, ShadowAlign); 829 return; 830 } 831 832 const unsigned ShadowVecSize = 128 / DFS.ShadowWidth; 833 uint64_t Offset = 0; 834 if (Size >= ShadowVecSize) { 835 VectorType *ShadowVecTy = VectorType::get(DFS.ShadowTy, ShadowVecSize); 836 Value *ShadowVec = UndefValue::get(ShadowVecTy); 837 for (unsigned i = 0; i != ShadowVecSize; ++i) { 838 ShadowVec = IRB.CreateInsertElement( 839 ShadowVec, Shadow, ConstantInt::get(Type::getInt32Ty(*DFS.Ctx), i)); 840 } 841 Value *ShadowVecAddr = 842 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowVecTy)); 843 do { 844 Value *CurShadowVecAddr = IRB.CreateConstGEP1_32(ShadowVecAddr, Offset); 845 IRB.CreateAlignedStore(ShadowVec, CurShadowVecAddr, ShadowAlign); 846 Size -= ShadowVecSize; 847 ++Offset; 848 } while (Size >= ShadowVecSize); 849 Offset *= ShadowVecSize; 850 } 851 while (Size > 0) { 852 Value *CurShadowAddr = IRB.CreateConstGEP1_32(ShadowAddr, Offset); 853 IRB.CreateAlignedStore(Shadow, CurShadowAddr, ShadowAlign); 854 --Size; 855 ++Offset; 856 } 857} 858 859void DFSanVisitor::visitStoreInst(StoreInst &SI) { 860 uint64_t Size = 861 DFSF.DFS.DL->getTypeStoreSize(SI.getValueOperand()->getType()); 862 uint64_t Align; 863 if (ClPreserveAlignment) { 864 Align = SI.getAlignment(); 865 if (Align == 0) 866 Align = DFSF.DFS.DL->getABITypeAlignment(SI.getValueOperand()->getType()); 867 } else { 868 Align = 1; 869 } 870 DFSF.storeShadow(SI.getPointerOperand(), Size, Align, 871 DFSF.getShadow(SI.getValueOperand()), &SI); 872} 873 874void DFSanVisitor::visitBinaryOperator(BinaryOperator &BO) { 875 visitOperandShadowInst(BO); 876} 877 878void DFSanVisitor::visitCastInst(CastInst &CI) { visitOperandShadowInst(CI); } 879 880void DFSanVisitor::visitCmpInst(CmpInst &CI) { visitOperandShadowInst(CI); } 881 882void DFSanVisitor::visitGetElementPtrInst(GetElementPtrInst &GEPI) { 883 visitOperandShadowInst(GEPI); 884} 885 886void DFSanVisitor::visitExtractElementInst(ExtractElementInst &I) { 887 visitOperandShadowInst(I); 888} 889 890void DFSanVisitor::visitInsertElementInst(InsertElementInst &I) { 891 visitOperandShadowInst(I); 892} 893 894void DFSanVisitor::visitShuffleVectorInst(ShuffleVectorInst &I) { 895 visitOperandShadowInst(I); 896} 897 898void DFSanVisitor::visitExtractValueInst(ExtractValueInst &I) { 899 visitOperandShadowInst(I); 900} 901 902void DFSanVisitor::visitInsertValueInst(InsertValueInst &I) { 903 visitOperandShadowInst(I); 904} 905 906void DFSanVisitor::visitAllocaInst(AllocaInst &I) { 907 bool AllLoadsStores = true; 908 for (Instruction::use_iterator i = I.use_begin(), e = I.use_end(); i != e; 909 ++i) { 910 if (isa<LoadInst>(*i)) 911 continue; 912 913 if (StoreInst *SI = dyn_cast<StoreInst>(*i)) { 914 if (SI->getPointerOperand() == &I) 915 continue; 916 } 917 918 AllLoadsStores = false; 919 break; 920 } 921 if (AllLoadsStores) { 922 IRBuilder<> IRB(&I); 923 DFSF.AllocaShadowMap[&I] = IRB.CreateAlloca(DFSF.DFS.ShadowTy); 924 } 925 DFSF.setShadow(&I, DFSF.DFS.ZeroShadow); 926} 927 928void DFSanVisitor::visitSelectInst(SelectInst &I) { 929 Value *CondShadow = DFSF.getShadow(I.getCondition()); 930 Value *TrueShadow = DFSF.getShadow(I.getTrueValue()); 931 Value *FalseShadow = DFSF.getShadow(I.getFalseValue()); 932 933 if (isa<VectorType>(I.getCondition()->getType())) { 934 DFSF.setShadow( 935 &I, DFSF.DFS.combineShadows( 936 CondShadow, 937 DFSF.DFS.combineShadows(TrueShadow, FalseShadow, &I), &I)); 938 } else { 939 Value *ShadowSel; 940 if (TrueShadow == FalseShadow) { 941 ShadowSel = TrueShadow; 942 } else { 943 ShadowSel = 944 SelectInst::Create(I.getCondition(), TrueShadow, FalseShadow, "", &I); 945 } 946 DFSF.setShadow(&I, DFSF.DFS.combineShadows(CondShadow, ShadowSel, &I)); 947 } 948} 949 950void DFSanVisitor::visitMemTransferInst(MemTransferInst &I) { 951 IRBuilder<> IRB(&I); 952 Value *DestShadow = DFSF.DFS.getShadowAddress(I.getDest(), &I); 953 Value *SrcShadow = DFSF.DFS.getShadowAddress(I.getSource(), &I); 954 Value *LenShadow = IRB.CreateMul( 955 I.getLength(), 956 ConstantInt::get(I.getLength()->getType(), DFSF.DFS.ShadowWidth / 8)); 957 Value *AlignShadow; 958 if (ClPreserveAlignment) { 959 AlignShadow = IRB.CreateMul(I.getAlignmentCst(), 960 ConstantInt::get(I.getAlignmentCst()->getType(), 961 DFSF.DFS.ShadowWidth / 8)); 962 } else { 963 AlignShadow = ConstantInt::get(I.getAlignmentCst()->getType(), 964 DFSF.DFS.ShadowWidth / 8); 965 } 966 Type *Int8Ptr = Type::getInt8PtrTy(*DFSF.DFS.Ctx); 967 DestShadow = IRB.CreateBitCast(DestShadow, Int8Ptr); 968 SrcShadow = IRB.CreateBitCast(SrcShadow, Int8Ptr); 969 IRB.CreateCall5(I.getCalledValue(), DestShadow, SrcShadow, LenShadow, 970 AlignShadow, I.getVolatileCst()); 971} 972 973void DFSanVisitor::visitReturnInst(ReturnInst &RI) { 974 if (!DFSF.IsNativeABI && RI.getReturnValue()) { 975 switch (DFSF.IA) { 976 case DataFlowSanitizer::IA_TLS: { 977 Value *S = DFSF.getShadow(RI.getReturnValue()); 978 IRBuilder<> IRB(&RI); 979 IRB.CreateStore(S, DFSF.getRetvalTLS()); 980 break; 981 } 982 case DataFlowSanitizer::IA_Args: { 983 IRBuilder<> IRB(&RI); 984 Type *RT = DFSF.F->getFunctionType()->getReturnType(); 985 Value *InsVal = 986 IRB.CreateInsertValue(UndefValue::get(RT), RI.getReturnValue(), 0); 987 Value *InsShadow = 988 IRB.CreateInsertValue(InsVal, DFSF.getShadow(RI.getReturnValue()), 1); 989 RI.setOperand(0, InsShadow); 990 break; 991 } 992 } 993 } 994} 995 996void DFSanVisitor::visitCallSite(CallSite CS) { 997 Function *F = CS.getCalledFunction(); 998 if ((F && F->isIntrinsic()) || isa<InlineAsm>(CS.getCalledValue())) { 999 visitOperandShadowInst(*CS.getInstruction()); 1000 return; 1001 } 1002 1003 IRBuilder<> IRB(CS.getInstruction()); 1004 1005 DenseMap<Value *, Function *>::iterator i = 1006 DFSF.DFS.UnwrappedFnMap.find(CS.getCalledValue()); 1007 if (i != DFSF.DFS.UnwrappedFnMap.end()) { 1008 Function *F = i->second; 1009 switch (DFSF.DFS.getWrapperKind(F)) { 1010 case DataFlowSanitizer::WK_Warning: { 1011 CS.setCalledFunction(F); 1012 IRB.CreateCall(DFSF.DFS.DFSanUnimplementedFn, 1013 IRB.CreateGlobalStringPtr(F->getName())); 1014 DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow); 1015 return; 1016 } 1017 case DataFlowSanitizer::WK_Discard: { 1018 CS.setCalledFunction(F); 1019 DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow); 1020 return; 1021 } 1022 case DataFlowSanitizer::WK_Functional: { 1023 CS.setCalledFunction(F); 1024 visitOperandShadowInst(*CS.getInstruction()); 1025 return; 1026 } 1027 case DataFlowSanitizer::WK_Custom: { 1028 // Don't try to handle invokes of custom functions, it's too complicated. 1029 // Instead, invoke the dfsw$ wrapper, which will in turn call the __dfsw_ 1030 // wrapper. 1031 if (CallInst *CI = dyn_cast<CallInst>(CS.getInstruction())) { 1032 FunctionType *FT = F->getFunctionType(); 1033 FunctionType *CustomFT = DFSF.DFS.getCustomFunctionType(FT); 1034 std::string CustomFName = "__dfsw_"; 1035 CustomFName += F->getName(); 1036 Constant *CustomF = 1037 DFSF.DFS.Mod->getOrInsertFunction(CustomFName, CustomFT); 1038 if (Function *CustomFn = dyn_cast<Function>(CustomF)) { 1039 CustomFn->copyAttributesFrom(F); 1040 1041 // Custom functions returning non-void will write to the return label. 1042 if (!FT->getReturnType()->isVoidTy()) { 1043 CustomFn->removeAttributes(AttributeSet::FunctionIndex, 1044 DFSF.DFS.ReadOnlyNoneAttrs); 1045 } 1046 } 1047 1048 std::vector<Value *> Args; 1049 1050 CallSite::arg_iterator i = CS.arg_begin(); 1051 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 1052 Args.push_back(*i); 1053 1054 i = CS.arg_begin(); 1055 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 1056 Args.push_back(DFSF.getShadow(*i)); 1057 1058 if (!FT->getReturnType()->isVoidTy()) { 1059 if (!DFSF.LabelReturnAlloca) { 1060 DFSF.LabelReturnAlloca = 1061 new AllocaInst(DFSF.DFS.ShadowTy, "labelreturn", 1062 DFSF.F->getEntryBlock().begin()); 1063 } 1064 Args.push_back(DFSF.LabelReturnAlloca); 1065 } 1066 1067 CallInst *CustomCI = IRB.CreateCall(CustomF, Args); 1068 CustomCI->setCallingConv(CI->getCallingConv()); 1069 CustomCI->setAttributes(CI->getAttributes()); 1070 1071 if (!FT->getReturnType()->isVoidTy()) { 1072 LoadInst *LabelLoad = IRB.CreateLoad(DFSF.LabelReturnAlloca); 1073 DFSF.setShadow(CustomCI, LabelLoad); 1074 } 1075 1076 CI->replaceAllUsesWith(CustomCI); 1077 CI->eraseFromParent(); 1078 return; 1079 } 1080 break; 1081 } 1082 } 1083 } 1084 1085 FunctionType *FT = cast<FunctionType>( 1086 CS.getCalledValue()->getType()->getPointerElementType()); 1087 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) { 1088 for (unsigned i = 0, n = FT->getNumParams(); i != n; ++i) { 1089 IRB.CreateStore(DFSF.getShadow(CS.getArgument(i)), 1090 DFSF.getArgTLS(i, CS.getInstruction())); 1091 } 1092 } 1093 1094 Instruction *Next = 0; 1095 if (!CS.getType()->isVoidTy()) { 1096 if (InvokeInst *II = dyn_cast<InvokeInst>(CS.getInstruction())) { 1097 if (II->getNormalDest()->getSinglePredecessor()) { 1098 Next = II->getNormalDest()->begin(); 1099 } else { 1100 BasicBlock *NewBB = 1101 SplitEdge(II->getParent(), II->getNormalDest(), &DFSF.DFS); 1102 Next = NewBB->begin(); 1103 } 1104 } else { 1105 Next = CS->getNextNode(); 1106 } 1107 1108 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) { 1109 IRBuilder<> NextIRB(Next); 1110 LoadInst *LI = NextIRB.CreateLoad(DFSF.getRetvalTLS()); 1111 DFSF.SkipInsts.insert(LI); 1112 DFSF.setShadow(CS.getInstruction(), LI); 1113 } 1114 } 1115 1116 // Do all instrumentation for IA_Args down here to defer tampering with the 1117 // CFG in a way that SplitEdge may be able to detect. 1118 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_Args) { 1119 FunctionType *NewFT = DFSF.DFS.getArgsFunctionType(FT); 1120 Value *Func = 1121 IRB.CreateBitCast(CS.getCalledValue(), PointerType::getUnqual(NewFT)); 1122 std::vector<Value *> Args; 1123 1124 CallSite::arg_iterator i = CS.arg_begin(), e = CS.arg_end(); 1125 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 1126 Args.push_back(*i); 1127 1128 i = CS.arg_begin(); 1129 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 1130 Args.push_back(DFSF.getShadow(*i)); 1131 1132 if (FT->isVarArg()) { 1133 unsigned VarArgSize = CS.arg_size() - FT->getNumParams(); 1134 ArrayType *VarArgArrayTy = ArrayType::get(DFSF.DFS.ShadowTy, VarArgSize); 1135 AllocaInst *VarArgShadow = 1136 new AllocaInst(VarArgArrayTy, "", DFSF.F->getEntryBlock().begin()); 1137 Args.push_back(IRB.CreateConstGEP2_32(VarArgShadow, 0, 0)); 1138 for (unsigned n = 0; i != e; ++i, ++n) { 1139 IRB.CreateStore(DFSF.getShadow(*i), 1140 IRB.CreateConstGEP2_32(VarArgShadow, 0, n)); 1141 Args.push_back(*i); 1142 } 1143 } 1144 1145 CallSite NewCS; 1146 if (InvokeInst *II = dyn_cast<InvokeInst>(CS.getInstruction())) { 1147 NewCS = IRB.CreateInvoke(Func, II->getNormalDest(), II->getUnwindDest(), 1148 Args); 1149 } else { 1150 NewCS = IRB.CreateCall(Func, Args); 1151 } 1152 NewCS.setCallingConv(CS.getCallingConv()); 1153 NewCS.setAttributes(CS.getAttributes().removeAttributes( 1154 *DFSF.DFS.Ctx, AttributeSet::ReturnIndex, 1155 AttributeFuncs::typeIncompatible(NewCS.getInstruction()->getType(), 1156 AttributeSet::ReturnIndex))); 1157 1158 if (Next) { 1159 ExtractValueInst *ExVal = 1160 ExtractValueInst::Create(NewCS.getInstruction(), 0, "", Next); 1161 DFSF.SkipInsts.insert(ExVal); 1162 ExtractValueInst *ExShadow = 1163 ExtractValueInst::Create(NewCS.getInstruction(), 1, "", Next); 1164 DFSF.SkipInsts.insert(ExShadow); 1165 DFSF.setShadow(ExVal, ExShadow); 1166 1167 CS.getInstruction()->replaceAllUsesWith(ExVal); 1168 } 1169 1170 CS.getInstruction()->eraseFromParent(); 1171 } 1172} 1173 1174void DFSanVisitor::visitPHINode(PHINode &PN) { 1175 PHINode *ShadowPN = 1176 PHINode::Create(DFSF.DFS.ShadowTy, PN.getNumIncomingValues(), "", &PN); 1177 1178 // Give the shadow phi node valid predecessors to fool SplitEdge into working. 1179 Value *UndefShadow = UndefValue::get(DFSF.DFS.ShadowTy); 1180 for (PHINode::block_iterator i = PN.block_begin(), e = PN.block_end(); i != e; 1181 ++i) { 1182 ShadowPN->addIncoming(UndefShadow, *i); 1183 } 1184 1185 DFSF.PHIFixups.push_back(std::make_pair(&PN, ShadowPN)); 1186 DFSF.setShadow(&PN, ShadowPN); 1187} 1188