MemorySanitizer.cpp revision 34432aeb6d42fbe3e327d1d339ea4156c99aa133
//===-- MemorySanitizer.cpp - detector of uninitialized reads -------------===//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
/// \file
/// This file is a part of MemorySanitizer, a detector of uninitialized
/// reads.
///
/// Status: early prototype.
///
/// The algorithm of the tool is similar to Memcheck
/// (http://goo.gl/QKbem). We associate a few shadow bits with every
/// byte of the application memory, poison the shadow of the malloc-ed
/// or alloca-ed memory, load the shadow bits on every memory read,
/// propagate the shadow bits through some of the arithmetic
/// instructions (including MOV), store the shadow bits on every memory
/// write, and report a bug on some other instructions (e.g. JMP) if the
/// associated shadow is poisoned.
///
/// But there are differences too. The first and major one:
/// compiler instrumentation instead of binary instrumentation. This
/// gives us much better register allocation, possible compiler
/// optimizations and a fast start-up. But this brings the major issue
/// as well: msan needs to see all program events, including system
/// calls and reads/writes in system libraries, so we either need to
/// compile *everything* with msan or use a binary translation
/// component (e.g. DynamoRIO) to instrument pre-built libraries.
/// Another difference from Memcheck is that we use 8 shadow bits per
/// byte of application memory and use a direct shadow mapping. This
/// greatly simplifies the instrumentation code and avoids races on
/// shadow updates (Memcheck is single-threaded so races are not a
/// concern there. Memcheck uses 2 shadow bits per byte with a slow
/// path storage that uses 8 bits per byte).
///
/// The default value of shadow is 0, which means "clean" (not poisoned).
///
/// Every module initializer should call __msan_init to ensure that the
/// shadow memory is ready. On error, __msan_warning is called. Since
/// parameters and return values may be passed via registers, we have a
/// specialized thread-local shadow for return values
/// (__msan_retval_tls) and parameters (__msan_param_tls).
///
/// Origin tracking.
///
/// MemorySanitizer can track origins (allocation points) of all uninitialized
/// values. This behavior is controlled with a flag (msan-track-origins) and is
/// disabled by default.
///
/// Origins are 4-byte values created and interpreted by the runtime library.
/// They are stored in a second shadow mapping, one 4-byte value for 4 bytes
/// of application memory. Propagation of origins is basically a bunch of
/// "select" instructions that pick the origin of a dirty argument, if an
/// instruction has one.
///
/// Every 4 aligned, consecutive bytes of application memory have one origin
/// value associated with them. If these bytes contain uninitialized data
/// coming from 2 different allocations, the last store wins. Because of this,
/// MemorySanitizer reports can show unrelated origins, but this is unlikely in
/// practice.
///
/// Origins are meaningless for fully initialized values, so MemorySanitizer
/// avoids storing an origin to memory when a fully initialized value is
/// stored. This way it avoids needlessly overwriting the origin of the 4-byte
/// region on a short (i.e. 1-byte) clean store, and it is also good for
/// performance.
///
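/// As a minimal illustration of origin propagation (a sketch; the concrete
/// instruction is only for exposition): for a binary operation c = a + b, the
/// instrumentation emits roughly
///
///   origin(c) = (shadow(b) != 0) ? origin(b) : origin(a)
///
/// i.e. the origin of the rightmost "dirty" operand wins, and the choice is
/// irrelevant when both operands are fully initialized. The Combiner class
/// below contains the code that emits these selects.
///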
/// Atomic handling.
///
/// Ideally, every atomic store of an application value should update the
/// corresponding shadow location in an atomic way. Unfortunately, an atomic
/// store to two disjoint locations cannot be done without severe slowdown.
///
/// Therefore, we implement an approximation that may err on the safe side.
/// In this implementation, every atomically accessed location in the program
/// may only change from (partially) uninitialized to fully initialized, but
/// not the other way around. We load the shadow _after_ the application load,
/// and we store the shadow _before_ the app store. Also, we always store clean
/// shadow (if the application store is atomic). This way, if the store-load
/// pair constitutes a happens-before arc, shadow store and load are correctly
/// ordered such that the load will get either the value that was stored, or
/// some later value (which is always clean).
///
/// This does not work very well with Compare-And-Swap (CAS) and
/// Read-Modify-Write (RMW) operations. To follow the above logic, CAS and RMW
/// must store the new shadow before the app operation, and load the shadow
/// after the app operation. Computers don't work this way. The current
/// implementation ignores the load aspect of CAS/RMW, always returning a clean
/// value. It implements the store part as a simple atomic store by storing a
/// clean shadow.

//===----------------------------------------------------------------------===//

#define DEBUG_TYPE "msan"

#include "llvm/Transforms/Instrumentation.h"
#include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Triple.h"
#include "llvm/ADT/ValueMap.h"
#include "llvm/IR/DataLayout.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/MDBuilder.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Type.h"
#include "llvm/InstVisitor.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Compiler.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/Local.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"
#include "llvm/Transforms/Utils/SpecialCaseList.h"

using namespace llvm;

static const uint64_t kShadowMask32 = 1ULL << 31;
static const uint64_t kShadowMask64 = 1ULL << 46;
static const uint64_t kOriginOffset32 = 1ULL << 30;
static const uint64_t kOriginOffset64 = 1ULL << 45;
static const unsigned kMinOriginAlignment = 4;
static const unsigned kShadowTLSAlignment = 8;
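
// A minimal sketch of the direct mapping these constants define (see
// getShadowPtr() and getOriginPtr() below for the code that actually emits
// it); the concrete constants here are the x86-64 ones:
//
//   uintptr_t App    = ...;                                 // application addr
//   uintptr_t Shadow = App & ~kShadowMask64;                // App & ~(1 << 46)
//   uintptr_t Origin = (Shadow + kOriginOffset64) & ~3ULL;  // 4-byte aligned
//
// Shadow memory holds 8 shadow bits per application byte; origin memory holds
// one 4-byte origin id per 4 aligned application bytes.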

/// \brief Track origins of uninitialized values.
///
/// Adds a section to MemorySanitizer report that points to the allocation
/// (stack or heap) the uninitialized bits came from originally.
static cl::opt<bool> ClTrackOrigins("msan-track-origins",
       cl::desc("Track origins (allocation sites) of poisoned memory"),
       cl::Hidden, cl::init(false));
static cl::opt<bool> ClKeepGoing("msan-keep-going",
       cl::desc("keep going after reporting a UMR"),
       cl::Hidden, cl::init(false));
static cl::opt<bool> ClPoisonStack("msan-poison-stack",
       cl::desc("poison uninitialized stack variables"),
       cl::Hidden, cl::init(true));
static cl::opt<bool> ClPoisonStackWithCall("msan-poison-stack-with-call",
       cl::desc("poison uninitialized stack variables with a call"),
       cl::Hidden, cl::init(false));
static cl::opt<int> ClPoisonStackPattern("msan-poison-stack-pattern",
       cl::desc("poison uninitialized stack variables with the given pattern"),
       cl::Hidden, cl::init(0xff));
static cl::opt<bool> ClPoisonUndef("msan-poison-undef",
       cl::desc("poison undef temps"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClHandleICmp("msan-handle-icmp",
       cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClHandleICmpExact("msan-handle-icmp-exact",
       cl::desc("exact handling of relational integer ICmp"),
       cl::Hidden, cl::init(false));

static cl::opt<bool> ClStoreCleanOrigin("msan-store-clean-origin",
       cl::desc("store origin for clean (fully initialized) values"),
       cl::Hidden, cl::init(false));

// This flag controls whether we check the shadow of the address
// operand of load or store. Such bugs are very rare, since a load from
// a garbage address typically results in SEGV, but they still happen
// (e.g. only the lower bits of the address are garbage, or the access happens
// early at program startup where malloc-ed memory is more likely to
// be zeroed). As of 2012-08-28 this flag adds 20% slowdown.
static cl::opt<bool> ClCheckAccessAddress("msan-check-access-address",
       cl::desc("report accesses through a pointer which has poisoned shadow"),
       cl::Hidden, cl::init(true));

static cl::opt<bool> ClDumpStrictInstructions("msan-dump-strict-instructions",
       cl::desc("print out instructions with default strict semantics"),
       cl::Hidden, cl::init(false));

static cl::opt<std::string> ClBlacklistFile("msan-blacklist",
       cl::desc("File containing the list of functions where MemorySanitizer "
                "should not report bugs"), cl::Hidden);

// Experimental. Wraps all indirect calls in the instrumented code with
// a call to the given function. This is needed to assist the dynamic
// helper tool (MSanDR) to regain control on transitions between instrumented
// and non-instrumented code.
static cl::opt<std::string> ClWrapIndirectCalls("msan-wrap-indirect-calls",
       cl::desc("Wrap indirect calls with a given function"),
       cl::Hidden);

static cl::opt<bool> ClWrapIndirectCallsFast("msan-wrap-indirect-calls-fast",
       cl::desc("Do not wrap indirect calls with target in the same module"),
       cl::Hidden, cl::init(true));

namespace {

/// \brief An instrumentation pass implementing detection of uninitialized
/// reads.
///
/// MemorySanitizer: instrument the code in a module to find
/// uninitialized reads.
class MemorySanitizer : public FunctionPass {
 public:
  MemorySanitizer(bool TrackOrigins = false,
                  StringRef BlacklistFile = StringRef())
      : FunctionPass(ID),
        TrackOrigins(TrackOrigins || ClTrackOrigins),
        TD(0),
        WarningFn(0),
        BlacklistFile(BlacklistFile.empty() ?
ClBlacklistFile : BlacklistFile), 213 WrapIndirectCalls(!ClWrapIndirectCalls.empty()) {} 214 const char *getPassName() const { return "MemorySanitizer"; } 215 bool runOnFunction(Function &F); 216 bool doInitialization(Module &M); 217 static char ID; // Pass identification, replacement for typeid. 218 219 private: 220 void initializeCallbacks(Module &M); 221 222 /// \brief Track origins (allocation points) of uninitialized values. 223 bool TrackOrigins; 224 225 DataLayout *TD; 226 LLVMContext *C; 227 Type *IntptrTy; 228 Type *OriginTy; 229 /// \brief Thread-local shadow storage for function parameters. 230 GlobalVariable *ParamTLS; 231 /// \brief Thread-local origin storage for function parameters. 232 GlobalVariable *ParamOriginTLS; 233 /// \brief Thread-local shadow storage for function return value. 234 GlobalVariable *RetvalTLS; 235 /// \brief Thread-local origin storage for function return value. 236 GlobalVariable *RetvalOriginTLS; 237 /// \brief Thread-local shadow storage for in-register va_arg function 238 /// parameters (x86_64-specific). 239 GlobalVariable *VAArgTLS; 240 /// \brief Thread-local shadow storage for va_arg overflow area 241 /// (x86_64-specific). 242 GlobalVariable *VAArgOverflowSizeTLS; 243 /// \brief Thread-local space used to pass origin value to the UMR reporting 244 /// function. 245 GlobalVariable *OriginTLS; 246 247 GlobalVariable *MsandrModuleStart; 248 GlobalVariable *MsandrModuleEnd; 249 250 /// \brief The run-time callback to print a warning. 251 Value *WarningFn; 252 /// \brief Run-time helper that copies origin info for a memory range. 253 Value *MsanCopyOriginFn; 254 /// \brief Run-time helper that generates a new origin value for a stack 255 /// allocation. 256 Value *MsanSetAllocaOrigin4Fn; 257 /// \brief Run-time helper that poisons stack on function entry. 258 Value *MsanPoisonStackFn; 259 /// \brief MSan runtime replacements for memmove, memcpy and memset. 260 Value *MemmoveFn, *MemcpyFn, *MemsetFn; 261 262 /// \brief Address mask used in application-to-shadow address calculation. 263 /// ShadowAddr is computed as ApplicationAddr & ~ShadowMask. 264 uint64_t ShadowMask; 265 /// \brief Offset of the origin shadow from the "normal" shadow. 266 /// OriginAddr is computed as (ShadowAddr + OriginOffset) & ~3ULL 267 uint64_t OriginOffset; 268 /// \brief Branch weights for error reporting. 269 MDNode *ColdCallWeights; 270 /// \brief Branch weights for origin store. 271 MDNode *OriginStoreWeights; 272 /// \brief Path to blacklist file. 273 SmallString<64> BlacklistFile; 274 /// \brief The blacklist. 275 OwningPtr<SpecialCaseList> BL; 276 /// \brief An empty volatile inline asm that prevents callback merge. 277 InlineAsm *EmptyAsm; 278 279 bool WrapIndirectCalls; 280 /// \brief Run-time wrapper for indirect calls. 281 Value *IndirectCallWrapperFn; 282 // Argument and return type of IndirectCallWrapperFn: void (*f)(void). 283 Type *AnyFunctionPtrTy; 284 285 friend struct MemorySanitizerVisitor; 286 friend struct VarArgAMD64Helper; 287}; 288} // namespace 289 290char MemorySanitizer::ID = 0; 291INITIALIZE_PASS(MemorySanitizer, "msan", 292 "MemorySanitizer: detects uninitialized reads.", 293 false, false) 294 295FunctionPass *llvm::createMemorySanitizerPass(bool TrackOrigins, 296 StringRef BlacklistFile) { 297 return new MemorySanitizer(TrackOrigins, BlacklistFile); 298} 299 300/// \brief Create a non-const global initialized with the given string. 301/// 302/// Creates a writable global for Str so that we can pass it to the 303/// run-time lib. 
Runtime uses first 4 bytes of the string to store the 304/// frame ID, so the string needs to be mutable. 305static GlobalVariable *createPrivateNonConstGlobalForString(Module &M, 306 StringRef Str) { 307 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 308 return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/false, 309 GlobalValue::PrivateLinkage, StrConst, ""); 310} 311 312 313/// \brief Insert extern declaration of runtime-provided functions and globals. 314void MemorySanitizer::initializeCallbacks(Module &M) { 315 // Only do this once. 316 if (WarningFn) 317 return; 318 319 IRBuilder<> IRB(*C); 320 // Create the callback. 321 // FIXME: this function should have "Cold" calling conv, 322 // which is not yet implemented. 323 StringRef WarningFnName = ClKeepGoing ? "__msan_warning" 324 : "__msan_warning_noreturn"; 325 WarningFn = M.getOrInsertFunction(WarningFnName, IRB.getVoidTy(), NULL); 326 327 MsanCopyOriginFn = M.getOrInsertFunction( 328 "__msan_copy_origin", IRB.getVoidTy(), IRB.getInt8PtrTy(), 329 IRB.getInt8PtrTy(), IntptrTy, NULL); 330 MsanSetAllocaOrigin4Fn = M.getOrInsertFunction( 331 "__msan_set_alloca_origin4", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy, 332 IRB.getInt8PtrTy(), IntptrTy, NULL); 333 MsanPoisonStackFn = M.getOrInsertFunction( 334 "__msan_poison_stack", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy, NULL); 335 MemmoveFn = M.getOrInsertFunction( 336 "__msan_memmove", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 337 IRB.getInt8PtrTy(), IntptrTy, NULL); 338 MemcpyFn = M.getOrInsertFunction( 339 "__msan_memcpy", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 340 IntptrTy, NULL); 341 MemsetFn = M.getOrInsertFunction( 342 "__msan_memset", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt32Ty(), 343 IntptrTy, NULL); 344 345 // Create globals. 346 RetvalTLS = new GlobalVariable( 347 M, ArrayType::get(IRB.getInt64Ty(), 8), false, 348 GlobalVariable::ExternalLinkage, 0, "__msan_retval_tls", 0, 349 GlobalVariable::InitialExecTLSModel); 350 RetvalOriginTLS = new GlobalVariable( 351 M, OriginTy, false, GlobalVariable::ExternalLinkage, 0, 352 "__msan_retval_origin_tls", 0, GlobalVariable::InitialExecTLSModel); 353 354 ParamTLS = new GlobalVariable( 355 M, ArrayType::get(IRB.getInt64Ty(), 1000), false, 356 GlobalVariable::ExternalLinkage, 0, "__msan_param_tls", 0, 357 GlobalVariable::InitialExecTLSModel); 358 ParamOriginTLS = new GlobalVariable( 359 M, ArrayType::get(OriginTy, 1000), false, GlobalVariable::ExternalLinkage, 360 0, "__msan_param_origin_tls", 0, GlobalVariable::InitialExecTLSModel); 361 362 VAArgTLS = new GlobalVariable( 363 M, ArrayType::get(IRB.getInt64Ty(), 1000), false, 364 GlobalVariable::ExternalLinkage, 0, "__msan_va_arg_tls", 0, 365 GlobalVariable::InitialExecTLSModel); 366 VAArgOverflowSizeTLS = new GlobalVariable( 367 M, IRB.getInt64Ty(), false, GlobalVariable::ExternalLinkage, 0, 368 "__msan_va_arg_overflow_size_tls", 0, 369 GlobalVariable::InitialExecTLSModel); 370 OriginTLS = new GlobalVariable( 371 M, IRB.getInt32Ty(), false, GlobalVariable::ExternalLinkage, 0, 372 "__msan_origin_tls", 0, GlobalVariable::InitialExecTLSModel); 373 374 // We insert an empty inline asm after __msan_report* to avoid callback merge. 
375 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 376 StringRef(""), StringRef(""), 377 /*hasSideEffects=*/true); 378 379 if (WrapIndirectCalls) { 380 AnyFunctionPtrTy = 381 PointerType::getUnqual(FunctionType::get(IRB.getVoidTy(), false)); 382 IndirectCallWrapperFn = M.getOrInsertFunction( 383 ClWrapIndirectCalls, AnyFunctionPtrTy, AnyFunctionPtrTy, NULL); 384 } 385 386 if (ClWrapIndirectCallsFast) { 387 MsandrModuleStart = new GlobalVariable( 388 M, IRB.getInt32Ty(), false, GlobalValue::ExternalLinkage, 389 0, "__executable_start"); 390 MsandrModuleStart->setVisibility(GlobalVariable::HiddenVisibility); 391 MsandrModuleEnd = new GlobalVariable( 392 M, IRB.getInt32Ty(), false, GlobalValue::ExternalLinkage, 393 0, "_end"); 394 MsandrModuleEnd->setVisibility(GlobalVariable::HiddenVisibility); 395 } 396} 397 398/// \brief Module-level initialization. 399/// 400/// inserts a call to __msan_init to the module's constructor list. 401bool MemorySanitizer::doInitialization(Module &M) { 402 TD = getAnalysisIfAvailable<DataLayout>(); 403 if (!TD) 404 return false; 405 BL.reset(SpecialCaseList::createOrDie(BlacklistFile)); 406 C = &(M.getContext()); 407 unsigned PtrSize = TD->getPointerSizeInBits(/* AddressSpace */0); 408 switch (PtrSize) { 409 case 64: 410 ShadowMask = kShadowMask64; 411 OriginOffset = kOriginOffset64; 412 break; 413 case 32: 414 ShadowMask = kShadowMask32; 415 OriginOffset = kOriginOffset32; 416 break; 417 default: 418 report_fatal_error("unsupported pointer size"); 419 break; 420 } 421 422 IRBuilder<> IRB(*C); 423 IntptrTy = IRB.getIntPtrTy(TD); 424 OriginTy = IRB.getInt32Ty(); 425 426 ColdCallWeights = MDBuilder(*C).createBranchWeights(1, 1000); 427 OriginStoreWeights = MDBuilder(*C).createBranchWeights(1, 1000); 428 429 // Insert a call to __msan_init/__msan_track_origins into the module's CTORs. 430 appendToGlobalCtors(M, cast<Function>(M.getOrInsertFunction( 431 "__msan_init", IRB.getVoidTy(), NULL)), 0); 432 433 if (TrackOrigins) 434 new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage, 435 IRB.getInt32(TrackOrigins), "__msan_track_origins"); 436 437 if (ClKeepGoing) 438 new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage, 439 IRB.getInt32(ClKeepGoing), "__msan_keep_going"); 440 441 return true; 442} 443 444namespace { 445 446/// \brief A helper class that handles instrumentation of VarArg 447/// functions on a particular platform. 448/// 449/// Implementations are expected to insert the instrumentation 450/// necessary to propagate argument shadow through VarArg function 451/// calls. Visit* methods are called during an InstVisitor pass over 452/// the function, and should avoid creating new basic blocks. A new 453/// instance of this class is created for each instrumented function. 454struct VarArgHelper { 455 /// \brief Visit a CallSite. 456 virtual void visitCallSite(CallSite &CS, IRBuilder<> &IRB) = 0; 457 458 /// \brief Visit a va_start call. 459 virtual void visitVAStartInst(VAStartInst &I) = 0; 460 461 /// \brief Visit a va_copy call. 462 virtual void visitVACopyInst(VACopyInst &I) = 0; 463 464 /// \brief Finalize function instrumentation. 465 /// 466 /// This method is called after visiting all interesting (see above) 467 /// instructions in a function. 
468 virtual void finalizeInstrumentation() = 0; 469 470 virtual ~VarArgHelper() {} 471}; 472 473struct MemorySanitizerVisitor; 474 475VarArgHelper* 476CreateVarArgHelper(Function &Func, MemorySanitizer &Msan, 477 MemorySanitizerVisitor &Visitor); 478 479/// This class does all the work for a given function. Store and Load 480/// instructions store and load corresponding shadow and origin 481/// values. Most instructions propagate shadow from arguments to their 482/// return values. Certain instructions (most importantly, BranchInst) 483/// test their argument shadow and print reports (with a runtime call) if it's 484/// non-zero. 485struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> { 486 Function &F; 487 MemorySanitizer &MS; 488 SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes; 489 ValueMap<Value*, Value*> ShadowMap, OriginMap; 490 OwningPtr<VarArgHelper> VAHelper; 491 492 // The following flags disable parts of MSan instrumentation based on 493 // blacklist contents and command-line options. 494 bool InsertChecks; 495 bool LoadShadow; 496 bool PoisonStack; 497 bool PoisonUndef; 498 bool CheckReturnValue; 499 500 struct ShadowOriginAndInsertPoint { 501 Value *Shadow; 502 Value *Origin; 503 Instruction *OrigIns; 504 ShadowOriginAndInsertPoint(Value *S, Value *O, Instruction *I) 505 : Shadow(S), Origin(O), OrigIns(I) { } 506 ShadowOriginAndInsertPoint() : Shadow(0), Origin(0), OrigIns(0) { } 507 }; 508 SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList; 509 SmallVector<Instruction*, 16> StoreList; 510 SmallVector<CallSite, 16> IndirectCallList; 511 512 MemorySanitizerVisitor(Function &F, MemorySanitizer &MS) 513 : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)) { 514 bool SanitizeFunction = !MS.BL->isIn(F) && F.getAttributes().hasAttribute( 515 AttributeSet::FunctionIndex, 516 Attribute::SanitizeMemory); 517 InsertChecks = SanitizeFunction; 518 LoadShadow = SanitizeFunction; 519 PoisonStack = SanitizeFunction && ClPoisonStack; 520 PoisonUndef = SanitizeFunction && ClPoisonUndef; 521 // FIXME: Consider using SpecialCaseList to specify a list of functions that 522 // must always return fully initialized values. For now, we hardcode "main". 523 CheckReturnValue = SanitizeFunction && (F.getName() == "main"); 524 525 DEBUG(if (!InsertChecks) 526 dbgs() << "MemorySanitizer is not inserting checks into '" 527 << F.getName() << "'\n"); 528 } 529 530 void materializeStores() { 531 for (size_t i = 0, n = StoreList.size(); i < n; i++) { 532 StoreInst& I = *dyn_cast<StoreInst>(StoreList[i]); 533 534 IRBuilder<> IRB(&I); 535 Value *Val = I.getValueOperand(); 536 Value *Addr = I.getPointerOperand(); 537 Value *Shadow = I.isAtomic() ? 
getCleanShadow(Val) : getShadow(Val); 538 Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB); 539 540 StoreInst *NewSI = 541 IRB.CreateAlignedStore(Shadow, ShadowPtr, I.getAlignment()); 542 DEBUG(dbgs() << " STORE: " << *NewSI << "\n"); 543 (void)NewSI; 544 545 if (ClCheckAccessAddress) 546 insertShadowCheck(Addr, &I); 547 548 if (I.isAtomic()) 549 I.setOrdering(addReleaseOrdering(I.getOrdering())); 550 551 if (MS.TrackOrigins) { 552 unsigned Alignment = std::max(kMinOriginAlignment, I.getAlignment()); 553 if (ClStoreCleanOrigin || isa<StructType>(Shadow->getType())) { 554 IRB.CreateAlignedStore(getOrigin(Val), getOriginPtr(Addr, IRB), 555 Alignment); 556 } else { 557 Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB); 558 559 // TODO(eugenis): handle non-zero constant shadow by inserting an 560 // unconditional check (can not simply fail compilation as this could 561 // be in the dead code). 562 if (isa<Constant>(ConvertedShadow)) 563 continue; 564 565 Value *Cmp = IRB.CreateICmpNE(ConvertedShadow, 566 getCleanShadow(ConvertedShadow), "_mscmp"); 567 Instruction *CheckTerm = 568 SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false, 569 MS.OriginStoreWeights); 570 IRBuilder<> IRBNew(CheckTerm); 571 IRBNew.CreateAlignedStore(getOrigin(Val), getOriginPtr(Addr, IRBNew), 572 Alignment); 573 } 574 } 575 } 576 } 577 578 void materializeChecks() { 579 for (size_t i = 0, n = InstrumentationList.size(); i < n; i++) { 580 Value *Shadow = InstrumentationList[i].Shadow; 581 Instruction *OrigIns = InstrumentationList[i].OrigIns; 582 IRBuilder<> IRB(OrigIns); 583 DEBUG(dbgs() << " SHAD0 : " << *Shadow << "\n"); 584 Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB); 585 DEBUG(dbgs() << " SHAD1 : " << *ConvertedShadow << "\n"); 586 // See the comment in materializeStores(). 587 if (isa<Constant>(ConvertedShadow)) 588 continue; 589 Value *Cmp = IRB.CreateICmpNE(ConvertedShadow, 590 getCleanShadow(ConvertedShadow), "_mscmp"); 591 Instruction *CheckTerm = 592 SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), 593 /* Unreachable */ !ClKeepGoing, 594 MS.ColdCallWeights); 595 596 IRB.SetInsertPoint(CheckTerm); 597 if (MS.TrackOrigins) { 598 Value *Origin = InstrumentationList[i].Origin; 599 IRB.CreateStore(Origin ? (Value*)Origin : (Value*)IRB.getInt32(0), 600 MS.OriginTLS); 601 } 602 CallInst *Call = IRB.CreateCall(MS.WarningFn); 603 Call->setDebugLoc(OrigIns->getDebugLoc()); 604 IRB.CreateCall(MS.EmptyAsm); 605 DEBUG(dbgs() << " CHECK: " << *Cmp << "\n"); 606 } 607 DEBUG(dbgs() << "DONE:\n" << F); 608 } 609 610 void materializeIndirectCalls() { 611 for (size_t i = 0, n = IndirectCallList.size(); i < n; i++) { 612 CallSite CS = IndirectCallList[i]; 613 Instruction *I = CS.getInstruction(); 614 BasicBlock *B = I->getParent(); 615 IRBuilder<> IRB(I); 616 Value *Fn0 = CS.getCalledValue(); 617 Value *Fn = IRB.CreateBitCast(Fn0, MS.AnyFunctionPtrTy); 618 619 if (ClWrapIndirectCallsFast) { 620 // Check that call target is inside this module limits. 
621 Value *Start = 622 IRB.CreateBitCast(MS.MsandrModuleStart, MS.AnyFunctionPtrTy); 623 Value *End = IRB.CreateBitCast(MS.MsandrModuleEnd, MS.AnyFunctionPtrTy); 624 625 Value *NotInThisModule = IRB.CreateOr(IRB.CreateICmpULT(Fn, Start), 626 IRB.CreateICmpUGE(Fn, End)); 627 628 PHINode *NewFnPhi = 629 IRB.CreatePHI(Fn0->getType(), 2, "msandr.indirect_target"); 630 631 Instruction *CheckTerm = SplitBlockAndInsertIfThen( 632 cast<Instruction>(NotInThisModule), 633 /* Unreachable */ false, MS.ColdCallWeights); 634 635 IRB.SetInsertPoint(CheckTerm); 636 // Slow path: call wrapper function to possibly transform the call 637 // target. 638 Value *NewFn = IRB.CreateBitCast( 639 IRB.CreateCall(MS.IndirectCallWrapperFn, Fn), Fn0->getType()); 640 641 NewFnPhi->addIncoming(Fn0, B); 642 NewFnPhi->addIncoming(NewFn, dyn_cast<Instruction>(NewFn)->getParent()); 643 CS.setCalledFunction(NewFnPhi); 644 } else { 645 Value *NewFn = IRB.CreateBitCast( 646 IRB.CreateCall(MS.IndirectCallWrapperFn, Fn), Fn0->getType()); 647 CS.setCalledFunction(NewFn); 648 } 649 } 650 } 651 652 /// \brief Add MemorySanitizer instrumentation to a function. 653 bool runOnFunction() { 654 MS.initializeCallbacks(*F.getParent()); 655 if (!MS.TD) return false; 656 657 // In the presence of unreachable blocks, we may see Phi nodes with 658 // incoming nodes from such blocks. Since InstVisitor skips unreachable 659 // blocks, such nodes will not have any shadow value associated with them. 660 // It's easier to remove unreachable blocks than deal with missing shadow. 661 removeUnreachableBlocks(F); 662 663 // Iterate all BBs in depth-first order and create shadow instructions 664 // for all instructions (where applicable). 665 // For PHI nodes we create dummy shadow PHIs which will be finalized later. 666 for (df_iterator<BasicBlock*> DI = df_begin(&F.getEntryBlock()), 667 DE = df_end(&F.getEntryBlock()); DI != DE; ++DI) { 668 BasicBlock *BB = *DI; 669 visit(*BB); 670 } 671 672 // Finalize PHI nodes. 673 for (size_t i = 0, n = ShadowPHINodes.size(); i < n; i++) { 674 PHINode *PN = ShadowPHINodes[i]; 675 PHINode *PNS = cast<PHINode>(getShadow(PN)); 676 PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : 0; 677 size_t NumValues = PN->getNumIncomingValues(); 678 for (size_t v = 0; v < NumValues; v++) { 679 PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v)); 680 if (PNO) 681 PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v)); 682 } 683 } 684 685 VAHelper->finalizeInstrumentation(); 686 687 // Delayed instrumentation of StoreInst. 688 // This may add new checks to be inserted later. 689 materializeStores(); 690 691 // Insert shadow value checks. 692 materializeChecks(); 693 694 // Wrap indirect calls. 695 materializeIndirectCalls(); 696 697 return true; 698 } 699 700 /// \brief Compute the shadow type that corresponds to a given Value. 701 Type *getShadowTy(Value *V) { 702 return getShadowTy(V->getType()); 703 } 704 705 /// \brief Compute the shadow type that corresponds to a given Type. 706 Type *getShadowTy(Type *OrigTy) { 707 if (!OrigTy->isSized()) { 708 return 0; 709 } 710 // For integer type, shadow is the same as the original type. 711 // This may return weird-sized types like i1. 
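    // A few illustrative mappings (assuming a 64-bit target; these are not
    // special cases in the code, just instances of the rules below):
    //   i32            -> i32
    //   float          -> i32          (the trailing "TypeSize bits" case)
    //   <4 x float>    -> <4 x i32>
    //   { i8, double } -> { i8, i64 }
    //   i8*            -> i64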
    if (IntegerType *IT = dyn_cast<IntegerType>(OrigTy))
      return IT;
    if (VectorType *VT = dyn_cast<VectorType>(OrigTy)) {
      uint32_t EltSize = MS.TD->getTypeSizeInBits(VT->getElementType());
      return VectorType::get(IntegerType::get(*MS.C, EltSize),
                             VT->getNumElements());
    }
    if (StructType *ST = dyn_cast<StructType>(OrigTy)) {
      SmallVector<Type*, 4> Elements;
      for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
        Elements.push_back(getShadowTy(ST->getElementType(i)));
      StructType *Res = StructType::get(*MS.C, Elements, ST->isPacked());
      DEBUG(dbgs() << "getShadowTy: " << *ST << " ===> " << *Res << "\n");
      return Res;
    }
    uint32_t TypeSize = MS.TD->getTypeSizeInBits(OrigTy);
    return IntegerType::get(*MS.C, TypeSize);
  }

  /// \brief Flatten a vector type.
  Type *getShadowTyNoVec(Type *ty) {
    if (VectorType *vt = dyn_cast<VectorType>(ty))
      return IntegerType::get(*MS.C, vt->getBitWidth());
    return ty;
  }

  /// \brief Convert a shadow value to its flattened variant.
  Value *convertToShadowTyNoVec(Value *V, IRBuilder<> &IRB) {
    Type *Ty = V->getType();
    Type *NoVecTy = getShadowTyNoVec(Ty);
    if (Ty == NoVecTy) return V;
    return IRB.CreateBitCast(V, NoVecTy);
  }

  /// \brief Compute the shadow address that corresponds to a given application
  /// address.
  ///
  /// Shadow = Addr & ~ShadowMask.
  Value *getShadowPtr(Value *Addr, Type *ShadowTy,
                      IRBuilder<> &IRB) {
    Value *ShadowLong =
      IRB.CreateAnd(IRB.CreatePointerCast(Addr, MS.IntptrTy),
                    ConstantInt::get(MS.IntptrTy, ~MS.ShadowMask));
    return IRB.CreateIntToPtr(ShadowLong, PointerType::get(ShadowTy, 0));
  }

  /// \brief Compute the origin address that corresponds to a given application
  /// address.
  ///
  /// OriginAddr = (ShadowAddr + OriginOffset) & ~3ULL
  Value *getOriginPtr(Value *Addr, IRBuilder<> &IRB) {
    Value *ShadowLong =
      IRB.CreateAnd(IRB.CreatePointerCast(Addr, MS.IntptrTy),
                    ConstantInt::get(MS.IntptrTy, ~MS.ShadowMask));
    Value *Add =
      IRB.CreateAdd(ShadowLong,
                    ConstantInt::get(MS.IntptrTy, MS.OriginOffset));
    Value *SecondAnd =
      IRB.CreateAnd(Add, ConstantInt::get(MS.IntptrTy, ~3ULL));
    return IRB.CreateIntToPtr(SecondAnd, PointerType::get(IRB.getInt32Ty(), 0));
  }

  /// \brief Compute the shadow address for a given function argument.
  ///
  /// Shadow = ParamTLS+ArgOffset.
  Value *getShadowPtrForArgument(Value *A, IRBuilder<> &IRB,
                                 int ArgOffset) {
    Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy);
    Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
    return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0),
                              "_msarg");
  }

  /// \brief Compute the origin address for a given function argument.
  Value *getOriginPtrForArgument(Value *A, IRBuilder<> &IRB,
                                 int ArgOffset) {
    if (!MS.TrackOrigins) return 0;
    Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy);
    Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
    return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
                              "_msarg_o");
  }
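
  // A minimal sketch of the __msan_param_tls layout these helpers assume (the
  // function and argument names are purely illustrative):
  //
  //   void f(int a, double b);   // shadow(a) at ParamTLS + 0  (4 bytes used)
  //                              // shadow(b) at ParamTLS + 8  (each slot is
  //                              //   rounded up to kShadowTLSAlignment)
  //
  // See the ArgOffset bookkeeping in getShadow() below; the caller stores
  // argument shadows at the same offsets before the call.
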
  /// \brief Compute the shadow address for a retval.
  Value *getShadowPtrForRetval(Value *A, IRBuilder<> &IRB) {
    Value *Base = IRB.CreatePointerCast(MS.RetvalTLS, MS.IntptrTy);
    return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0),
                              "_msret");
  }

  /// \brief Compute the origin address for a retval.
  Value *getOriginPtrForRetval(IRBuilder<> &IRB) {
    // We keep a single origin for the entire retval. Might be too optimistic.
    return MS.RetvalOriginTLS;
  }

  /// \brief Set SV to be the shadow value for V.
  void setShadow(Value *V, Value *SV) {
    assert(!ShadowMap.count(V) && "Values may only have one shadow");
    ShadowMap[V] = SV;
  }

  /// \brief Set Origin to be the origin value for V.
  void setOrigin(Value *V, Value *Origin) {
    if (!MS.TrackOrigins) return;
    assert(!OriginMap.count(V) && "Values may only have one origin");
    DEBUG(dbgs() << "ORIGIN: " << *V << " ==> " << *Origin << "\n");
    OriginMap[V] = Origin;
  }

  /// \brief Create a clean shadow value for a given value.
  ///
  /// Clean shadow (all zeroes) means all bits of the value are defined
  /// (initialized).
  Constant *getCleanShadow(Value *V) {
    Type *ShadowTy = getShadowTy(V);
    if (!ShadowTy)
      return 0;
    return Constant::getNullValue(ShadowTy);
  }

  /// \brief Create a dirty shadow of a given shadow type.
  Constant *getPoisonedShadow(Type *ShadowTy) {
    assert(ShadowTy);
    if (isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy))
      return Constant::getAllOnesValue(ShadowTy);
    StructType *ST = cast<StructType>(ShadowTy);
    SmallVector<Constant *, 4> Vals;
    for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
      Vals.push_back(getPoisonedShadow(ST->getElementType(i)));
    return ConstantStruct::get(ST, Vals);
  }

  /// \brief Create a dirty shadow for a given value.
  Constant *getPoisonedShadow(Value *V) {
    Type *ShadowTy = getShadowTy(V);
    if (!ShadowTy)
      return 0;
    return getPoisonedShadow(ShadowTy);
  }

  /// \brief Create a clean (zero) origin.
  Value *getCleanOrigin() {
    return Constant::getNullValue(MS.OriginTy);
  }

  /// \brief Get the shadow value for a given Value.
  ///
  /// This function either returns the value set earlier with setShadow,
  /// or extracts it from ParamTLS (for function arguments).
  Value *getShadow(Value *V) {
    if (Instruction *I = dyn_cast<Instruction>(V)) {
      // For instructions the shadow is already stored in the map.
      Value *Shadow = ShadowMap[V];
      if (!Shadow) {
        DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent()));
        (void)I;
        assert(Shadow && "No shadow for a value");
      }
      return Shadow;
    }
    if (UndefValue *U = dyn_cast<UndefValue>(V)) {
      Value *AllOnes = PoisonUndef ? getPoisonedShadow(V) : getCleanShadow(V);
      DEBUG(dbgs() << "Undef: " << *U << " ==> " << *AllOnes << "\n");
      (void)U;
      return AllOnes;
    }
    if (Argument *A = dyn_cast<Argument>(V)) {
      // For arguments we compute the shadow on demand and store it in the map.
      Value **ShadowPtr = &ShadowMap[V];
      if (*ShadowPtr)
        return *ShadowPtr;
      Function *F = A->getParent();
      IRBuilder<> EntryIRB(F->getEntryBlock().getFirstNonPHI());
      unsigned ArgOffset = 0;
      for (Function::arg_iterator AI = F->arg_begin(), AE = F->arg_end();
           AI != AE; ++AI) {
        if (!AI->getType()->isSized()) {
          DEBUG(dbgs() << "Arg is not sized\n");
          continue;
        }
        unsigned Size = AI->hasByValAttr() ?
MS.TD->getTypeAllocSize(AI->getType()->getPointerElementType()) 895 : MS.TD->getTypeAllocSize(AI->getType()); 896 if (A == AI) { 897 Value *Base = getShadowPtrForArgument(AI, EntryIRB, ArgOffset); 898 if (AI->hasByValAttr()) { 899 // ByVal pointer itself has clean shadow. We copy the actual 900 // argument shadow to the underlying memory. 901 // Figure out maximal valid memcpy alignment. 902 unsigned ArgAlign = AI->getParamAlignment(); 903 if (ArgAlign == 0) { 904 Type *EltType = A->getType()->getPointerElementType(); 905 ArgAlign = MS.TD->getABITypeAlignment(EltType); 906 } 907 unsigned CopyAlign = std::min(ArgAlign, kShadowTLSAlignment); 908 Value *Cpy = EntryIRB.CreateMemCpy( 909 getShadowPtr(V, EntryIRB.getInt8Ty(), EntryIRB), Base, Size, 910 CopyAlign); 911 DEBUG(dbgs() << " ByValCpy: " << *Cpy << "\n"); 912 (void)Cpy; 913 *ShadowPtr = getCleanShadow(V); 914 } else { 915 *ShadowPtr = EntryIRB.CreateAlignedLoad(Base, kShadowTLSAlignment); 916 } 917 DEBUG(dbgs() << " ARG: " << *AI << " ==> " << 918 **ShadowPtr << "\n"); 919 if (MS.TrackOrigins) { 920 Value* OriginPtr = getOriginPtrForArgument(AI, EntryIRB, ArgOffset); 921 setOrigin(A, EntryIRB.CreateLoad(OriginPtr)); 922 } 923 } 924 ArgOffset += DataLayout::RoundUpAlignment(Size, kShadowTLSAlignment); 925 } 926 assert(*ShadowPtr && "Could not find shadow for an argument"); 927 return *ShadowPtr; 928 } 929 // For everything else the shadow is zero. 930 return getCleanShadow(V); 931 } 932 933 /// \brief Get the shadow for i-th argument of the instruction I. 934 Value *getShadow(Instruction *I, int i) { 935 return getShadow(I->getOperand(i)); 936 } 937 938 /// \brief Get the origin for a value. 939 Value *getOrigin(Value *V) { 940 if (!MS.TrackOrigins) return 0; 941 if (isa<Instruction>(V) || isa<Argument>(V)) { 942 Value *Origin = OriginMap[V]; 943 if (!Origin) { 944 DEBUG(dbgs() << "NO ORIGIN: " << *V << "\n"); 945 Origin = getCleanOrigin(); 946 } 947 return Origin; 948 } 949 return getCleanOrigin(); 950 } 951 952 /// \brief Get the origin for i-th argument of the instruction I. 953 Value *getOrigin(Instruction *I, int i) { 954 return getOrigin(I->getOperand(i)); 955 } 956 957 /// \brief Remember the place where a shadow check should be inserted. 958 /// 959 /// This location will be later instrumented with a check that will print a 960 /// UMR warning in runtime if the shadow value is not 0. 961 void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) { 962 assert(Shadow); 963 if (!InsertChecks) return; 964#ifndef NDEBUG 965 Type *ShadowTy = Shadow->getType(); 966 assert((isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy)) && 967 "Can only insert checks for integer and vector shadow types"); 968#endif 969 InstrumentationList.push_back( 970 ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns)); 971 } 972 973 /// \brief Remember the place where a shadow check should be inserted. 974 /// 975 /// This location will be later instrumented with a check that will print a 976 /// UMR warning in runtime if the value is not fully defined. 
977 void insertShadowCheck(Value *Val, Instruction *OrigIns) { 978 assert(Val); 979 Instruction *Shadow = dyn_cast_or_null<Instruction>(getShadow(Val)); 980 if (!Shadow) return; 981 Instruction *Origin = dyn_cast_or_null<Instruction>(getOrigin(Val)); 982 insertShadowCheck(Shadow, Origin, OrigIns); 983 } 984 985 AtomicOrdering addReleaseOrdering(AtomicOrdering a) { 986 switch (a) { 987 case NotAtomic: 988 return NotAtomic; 989 case Unordered: 990 case Monotonic: 991 case Release: 992 return Release; 993 case Acquire: 994 case AcquireRelease: 995 return AcquireRelease; 996 case SequentiallyConsistent: 997 return SequentiallyConsistent; 998 } 999 llvm_unreachable("Unknown ordering"); 1000 } 1001 1002 AtomicOrdering addAcquireOrdering(AtomicOrdering a) { 1003 switch (a) { 1004 case NotAtomic: 1005 return NotAtomic; 1006 case Unordered: 1007 case Monotonic: 1008 case Acquire: 1009 return Acquire; 1010 case Release: 1011 case AcquireRelease: 1012 return AcquireRelease; 1013 case SequentiallyConsistent: 1014 return SequentiallyConsistent; 1015 } 1016 llvm_unreachable("Unknown ordering"); 1017 } 1018 1019 // ------------------- Visitors. 1020 1021 /// \brief Instrument LoadInst 1022 /// 1023 /// Loads the corresponding shadow and (optionally) origin. 1024 /// Optionally, checks that the load address is fully defined. 1025 void visitLoadInst(LoadInst &I) { 1026 assert(I.getType()->isSized() && "Load type must have size"); 1027 IRBuilder<> IRB(I.getNextNode()); 1028 Type *ShadowTy = getShadowTy(&I); 1029 Value *Addr = I.getPointerOperand(); 1030 if (LoadShadow) { 1031 Value *ShadowPtr = getShadowPtr(Addr, ShadowTy, IRB); 1032 setShadow(&I, 1033 IRB.CreateAlignedLoad(ShadowPtr, I.getAlignment(), "_msld")); 1034 } else { 1035 setShadow(&I, getCleanShadow(&I)); 1036 } 1037 1038 if (ClCheckAccessAddress) 1039 insertShadowCheck(I.getPointerOperand(), &I); 1040 1041 if (I.isAtomic()) 1042 I.setOrdering(addAcquireOrdering(I.getOrdering())); 1043 1044 if (MS.TrackOrigins) { 1045 if (LoadShadow) { 1046 unsigned Alignment = std::max(kMinOriginAlignment, I.getAlignment()); 1047 setOrigin(&I, 1048 IRB.CreateAlignedLoad(getOriginPtr(Addr, IRB), Alignment)); 1049 } else { 1050 setOrigin(&I, getCleanOrigin()); 1051 } 1052 } 1053 } 1054 1055 /// \brief Instrument StoreInst 1056 /// 1057 /// Stores the corresponding shadow and (optionally) origin. 1058 /// Optionally, checks that the store address is fully defined. 1059 void visitStoreInst(StoreInst &I) { 1060 StoreList.push_back(&I); 1061 } 1062 1063 void handleCASOrRMW(Instruction &I) { 1064 assert(isa<AtomicRMWInst>(I) || isa<AtomicCmpXchgInst>(I)); 1065 1066 IRBuilder<> IRB(&I); 1067 Value *Addr = I.getOperand(0); 1068 Value *ShadowPtr = getShadowPtr(Addr, I.getType(), IRB); 1069 1070 if (ClCheckAccessAddress) 1071 insertShadowCheck(Addr, &I); 1072 1073 // Only test the conditional argument of cmpxchg instruction. 1074 // The other argument can potentially be uninitialized, but we can not 1075 // detect this situation reliably without possible false positives. 
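    // (Operand 1 of a cmpxchg is the "expected"/compare value; the shadow of
    // the "desired" value, operand 2, is intentionally dropped, because the
    // store below always writes a clean shadow; see the "Atomic handling"
    // notes in the file header.)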
1076 if (isa<AtomicCmpXchgInst>(I)) 1077 insertShadowCheck(I.getOperand(1), &I); 1078 1079 IRB.CreateStore(getCleanShadow(&I), ShadowPtr); 1080 1081 setShadow(&I, getCleanShadow(&I)); 1082 } 1083 1084 void visitAtomicRMWInst(AtomicRMWInst &I) { 1085 handleCASOrRMW(I); 1086 I.setOrdering(addReleaseOrdering(I.getOrdering())); 1087 } 1088 1089 void visitAtomicCmpXchgInst(AtomicCmpXchgInst &I) { 1090 handleCASOrRMW(I); 1091 I.setOrdering(addReleaseOrdering(I.getOrdering())); 1092 } 1093 1094 // Vector manipulation. 1095 void visitExtractElementInst(ExtractElementInst &I) { 1096 insertShadowCheck(I.getOperand(1), &I); 1097 IRBuilder<> IRB(&I); 1098 setShadow(&I, IRB.CreateExtractElement(getShadow(&I, 0), I.getOperand(1), 1099 "_msprop")); 1100 setOrigin(&I, getOrigin(&I, 0)); 1101 } 1102 1103 void visitInsertElementInst(InsertElementInst &I) { 1104 insertShadowCheck(I.getOperand(2), &I); 1105 IRBuilder<> IRB(&I); 1106 setShadow(&I, IRB.CreateInsertElement(getShadow(&I, 0), getShadow(&I, 1), 1107 I.getOperand(2), "_msprop")); 1108 setOriginForNaryOp(I); 1109 } 1110 1111 void visitShuffleVectorInst(ShuffleVectorInst &I) { 1112 insertShadowCheck(I.getOperand(2), &I); 1113 IRBuilder<> IRB(&I); 1114 setShadow(&I, IRB.CreateShuffleVector(getShadow(&I, 0), getShadow(&I, 1), 1115 I.getOperand(2), "_msprop")); 1116 setOriginForNaryOp(I); 1117 } 1118 1119 // Casts. 1120 void visitSExtInst(SExtInst &I) { 1121 IRBuilder<> IRB(&I); 1122 setShadow(&I, IRB.CreateSExt(getShadow(&I, 0), I.getType(), "_msprop")); 1123 setOrigin(&I, getOrigin(&I, 0)); 1124 } 1125 1126 void visitZExtInst(ZExtInst &I) { 1127 IRBuilder<> IRB(&I); 1128 setShadow(&I, IRB.CreateZExt(getShadow(&I, 0), I.getType(), "_msprop")); 1129 setOrigin(&I, getOrigin(&I, 0)); 1130 } 1131 1132 void visitTruncInst(TruncInst &I) { 1133 IRBuilder<> IRB(&I); 1134 setShadow(&I, IRB.CreateTrunc(getShadow(&I, 0), I.getType(), "_msprop")); 1135 setOrigin(&I, getOrigin(&I, 0)); 1136 } 1137 1138 void visitBitCastInst(BitCastInst &I) { 1139 IRBuilder<> IRB(&I); 1140 setShadow(&I, IRB.CreateBitCast(getShadow(&I, 0), getShadowTy(&I))); 1141 setOrigin(&I, getOrigin(&I, 0)); 1142 } 1143 1144 void visitPtrToIntInst(PtrToIntInst &I) { 1145 IRBuilder<> IRB(&I); 1146 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false, 1147 "_msprop_ptrtoint")); 1148 setOrigin(&I, getOrigin(&I, 0)); 1149 } 1150 1151 void visitIntToPtrInst(IntToPtrInst &I) { 1152 IRBuilder<> IRB(&I); 1153 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false, 1154 "_msprop_inttoptr")); 1155 setOrigin(&I, getOrigin(&I, 0)); 1156 } 1157 1158 void visitFPToSIInst(CastInst& I) { handleShadowOr(I); } 1159 void visitFPToUIInst(CastInst& I) { handleShadowOr(I); } 1160 void visitSIToFPInst(CastInst& I) { handleShadowOr(I); } 1161 void visitUIToFPInst(CastInst& I) { handleShadowOr(I); } 1162 void visitFPExtInst(CastInst& I) { handleShadowOr(I); } 1163 void visitFPTruncInst(CastInst& I) { handleShadowOr(I); } 1164 1165 /// \brief Propagate shadow for bitwise AND. 1166 /// 1167 /// This code is exact, i.e. if, for example, a bit in the left argument 1168 /// is defined and 0, then neither the value not definedness of the 1169 /// corresponding bit in B don't affect the resulting shadow. 1170 void visitAnd(BinaryOperator &I) { 1171 IRBuilder<> IRB(&I); 1172 // "And" of 0 and a poisoned value results in unpoisoned value. 
1173 // 1&1 => 1; 0&1 => 0; p&1 => p; 1174 // 1&0 => 0; 0&0 => 0; p&0 => 0; 1175 // 1&p => p; 0&p => 0; p&p => p; 1176 // S = (S1 & S2) | (V1 & S2) | (S1 & V2) 1177 Value *S1 = getShadow(&I, 0); 1178 Value *S2 = getShadow(&I, 1); 1179 Value *V1 = I.getOperand(0); 1180 Value *V2 = I.getOperand(1); 1181 if (V1->getType() != S1->getType()) { 1182 V1 = IRB.CreateIntCast(V1, S1->getType(), false); 1183 V2 = IRB.CreateIntCast(V2, S2->getType(), false); 1184 } 1185 Value *S1S2 = IRB.CreateAnd(S1, S2); 1186 Value *V1S2 = IRB.CreateAnd(V1, S2); 1187 Value *S1V2 = IRB.CreateAnd(S1, V2); 1188 setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2))); 1189 setOriginForNaryOp(I); 1190 } 1191 1192 void visitOr(BinaryOperator &I) { 1193 IRBuilder<> IRB(&I); 1194 // "Or" of 1 and a poisoned value results in unpoisoned value. 1195 // 1|1 => 1; 0|1 => 1; p|1 => 1; 1196 // 1|0 => 1; 0|0 => 0; p|0 => p; 1197 // 1|p => 1; 0|p => p; p|p => p; 1198 // S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2) 1199 Value *S1 = getShadow(&I, 0); 1200 Value *S2 = getShadow(&I, 1); 1201 Value *V1 = IRB.CreateNot(I.getOperand(0)); 1202 Value *V2 = IRB.CreateNot(I.getOperand(1)); 1203 if (V1->getType() != S1->getType()) { 1204 V1 = IRB.CreateIntCast(V1, S1->getType(), false); 1205 V2 = IRB.CreateIntCast(V2, S2->getType(), false); 1206 } 1207 Value *S1S2 = IRB.CreateAnd(S1, S2); 1208 Value *V1S2 = IRB.CreateAnd(V1, S2); 1209 Value *S1V2 = IRB.CreateAnd(S1, V2); 1210 setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2))); 1211 setOriginForNaryOp(I); 1212 } 1213 1214 /// \brief Default propagation of shadow and/or origin. 1215 /// 1216 /// This class implements the general case of shadow propagation, used in all 1217 /// cases where we don't know and/or don't care about what the operation 1218 /// actually does. It converts all input shadow values to a common type 1219 /// (extending or truncating as necessary), and bitwise OR's them. 1220 /// 1221 /// This is much cheaper than inserting checks (i.e. requiring inputs to be 1222 /// fully initialized), and less prone to false positives. 1223 /// 1224 /// This class also implements the general case of origin propagation. For a 1225 /// Nary operation, result origin is set to the origin of an argument that is 1226 /// not entirely initialized. If there is more than one such arguments, the 1227 /// rightmost of them is picked. It does not matter which one is picked if all 1228 /// arguments are initialized. 1229 template <bool CombineShadow> 1230 class Combiner { 1231 Value *Shadow; 1232 Value *Origin; 1233 IRBuilder<> &IRB; 1234 MemorySanitizerVisitor *MSV; 1235 1236 public: 1237 Combiner(MemorySanitizerVisitor *MSV, IRBuilder<> &IRB) : 1238 Shadow(0), Origin(0), IRB(IRB), MSV(MSV) {} 1239 1240 /// \brief Add a pair of shadow and origin values to the mix. 1241 Combiner &Add(Value *OpShadow, Value *OpOrigin) { 1242 if (CombineShadow) { 1243 assert(OpShadow); 1244 if (!Shadow) 1245 Shadow = OpShadow; 1246 else { 1247 OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType()); 1248 Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop"); 1249 } 1250 } 1251 1252 if (MSV->MS.TrackOrigins) { 1253 assert(OpOrigin); 1254 if (!Origin) { 1255 Origin = OpOrigin; 1256 } else { 1257 Value *FlatShadow = MSV->convertToShadowTyNoVec(OpShadow, IRB); 1258 Value *Cond = IRB.CreateICmpNE(FlatShadow, 1259 MSV->getCleanShadow(FlatShadow)); 1260 Origin = IRB.CreateSelect(Cond, OpOrigin, Origin); 1261 } 1262 } 1263 return *this; 1264 } 1265 1266 /// \brief Add an application value to the mix. 
1267 Combiner &Add(Value *V) { 1268 Value *OpShadow = MSV->getShadow(V); 1269 Value *OpOrigin = MSV->MS.TrackOrigins ? MSV->getOrigin(V) : 0; 1270 return Add(OpShadow, OpOrigin); 1271 } 1272 1273 /// \brief Set the current combined values as the given instruction's shadow 1274 /// and origin. 1275 void Done(Instruction *I) { 1276 if (CombineShadow) { 1277 assert(Shadow); 1278 Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I)); 1279 MSV->setShadow(I, Shadow); 1280 } 1281 if (MSV->MS.TrackOrigins) { 1282 assert(Origin); 1283 MSV->setOrigin(I, Origin); 1284 } 1285 } 1286 }; 1287 1288 typedef Combiner<true> ShadowAndOriginCombiner; 1289 typedef Combiner<false> OriginCombiner; 1290 1291 /// \brief Propagate origin for arbitrary operation. 1292 void setOriginForNaryOp(Instruction &I) { 1293 if (!MS.TrackOrigins) return; 1294 IRBuilder<> IRB(&I); 1295 OriginCombiner OC(this, IRB); 1296 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI) 1297 OC.Add(OI->get()); 1298 OC.Done(&I); 1299 } 1300 1301 size_t VectorOrPrimitiveTypeSizeInBits(Type *Ty) { 1302 assert(!(Ty->isVectorTy() && Ty->getScalarType()->isPointerTy()) && 1303 "Vector of pointers is not a valid shadow type"); 1304 return Ty->isVectorTy() ? 1305 Ty->getVectorNumElements() * Ty->getScalarSizeInBits() : 1306 Ty->getPrimitiveSizeInBits(); 1307 } 1308 1309 /// \brief Cast between two shadow types, extending or truncating as 1310 /// necessary. 1311 Value *CreateShadowCast(IRBuilder<> &IRB, Value *V, Type *dstTy, 1312 bool Signed = false) { 1313 Type *srcTy = V->getType(); 1314 if (dstTy->isIntegerTy() && srcTy->isIntegerTy()) 1315 return IRB.CreateIntCast(V, dstTy, Signed); 1316 if (dstTy->isVectorTy() && srcTy->isVectorTy() && 1317 dstTy->getVectorNumElements() == srcTy->getVectorNumElements()) 1318 return IRB.CreateIntCast(V, dstTy, Signed); 1319 size_t srcSizeInBits = VectorOrPrimitiveTypeSizeInBits(srcTy); 1320 size_t dstSizeInBits = VectorOrPrimitiveTypeSizeInBits(dstTy); 1321 Value *V1 = IRB.CreateBitCast(V, Type::getIntNTy(*MS.C, srcSizeInBits)); 1322 Value *V2 = 1323 IRB.CreateIntCast(V1, Type::getIntNTy(*MS.C, dstSizeInBits), Signed); 1324 return IRB.CreateBitCast(V2, dstTy); 1325 // TODO: handle struct types. 1326 } 1327 1328 /// \brief Propagate shadow for arbitrary operation. 1329 void handleShadowOr(Instruction &I) { 1330 IRBuilder<> IRB(&I); 1331 ShadowAndOriginCombiner SC(this, IRB); 1332 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI) 1333 SC.Add(OI->get()); 1334 SC.Done(&I); 1335 } 1336 1337 void visitFAdd(BinaryOperator &I) { handleShadowOr(I); } 1338 void visitFSub(BinaryOperator &I) { handleShadowOr(I); } 1339 void visitFMul(BinaryOperator &I) { handleShadowOr(I); } 1340 void visitAdd(BinaryOperator &I) { handleShadowOr(I); } 1341 void visitSub(BinaryOperator &I) { handleShadowOr(I); } 1342 void visitXor(BinaryOperator &I) { handleShadowOr(I); } 1343 void visitMul(BinaryOperator &I) { handleShadowOr(I); } 1344 1345 void handleDiv(Instruction &I) { 1346 IRBuilder<> IRB(&I); 1347 // Strict on the second argument. 
1348 insertShadowCheck(I.getOperand(1), &I); 1349 setShadow(&I, getShadow(&I, 0)); 1350 setOrigin(&I, getOrigin(&I, 0)); 1351 } 1352 1353 void visitUDiv(BinaryOperator &I) { handleDiv(I); } 1354 void visitSDiv(BinaryOperator &I) { handleDiv(I); } 1355 void visitFDiv(BinaryOperator &I) { handleDiv(I); } 1356 void visitURem(BinaryOperator &I) { handleDiv(I); } 1357 void visitSRem(BinaryOperator &I) { handleDiv(I); } 1358 void visitFRem(BinaryOperator &I) { handleDiv(I); } 1359 1360 /// \brief Instrument == and != comparisons. 1361 /// 1362 /// Sometimes the comparison result is known even if some of the bits of the 1363 /// arguments are not. 1364 void handleEqualityComparison(ICmpInst &I) { 1365 IRBuilder<> IRB(&I); 1366 Value *A = I.getOperand(0); 1367 Value *B = I.getOperand(1); 1368 Value *Sa = getShadow(A); 1369 Value *Sb = getShadow(B); 1370 1371 // Get rid of pointers and vectors of pointers. 1372 // For ints (and vectors of ints), types of A and Sa match, 1373 // and this is a no-op. 1374 A = IRB.CreatePointerCast(A, Sa->getType()); 1375 B = IRB.CreatePointerCast(B, Sb->getType()); 1376 1377 // A == B <==> (C = A^B) == 0 1378 // A != B <==> (C = A^B) != 0 1379 // Sc = Sa | Sb 1380 Value *C = IRB.CreateXor(A, B); 1381 Value *Sc = IRB.CreateOr(Sa, Sb); 1382 // Now dealing with i = (C == 0) comparison (or C != 0, does not matter now) 1383 // Result is defined if one of the following is true 1384 // * there is a defined 1 bit in C 1385 // * C is fully defined 1386 // Si = !(C & ~Sc) && Sc 1387 Value *Zero = Constant::getNullValue(Sc->getType()); 1388 Value *MinusOne = Constant::getAllOnesValue(Sc->getType()); 1389 Value *Si = 1390 IRB.CreateAnd(IRB.CreateICmpNE(Sc, Zero), 1391 IRB.CreateICmpEQ( 1392 IRB.CreateAnd(IRB.CreateXor(Sc, MinusOne), C), Zero)); 1393 Si->setName("_msprop_icmp"); 1394 setShadow(&I, Si); 1395 setOriginForNaryOp(I); 1396 } 1397 1398 /// \brief Build the lowest possible value of V, taking into account V's 1399 /// uninitialized bits. 1400 Value *getLowestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa, 1401 bool isSigned) { 1402 if (isSigned) { 1403 // Split shadow into sign bit and other bits. 1404 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1); 1405 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits); 1406 // Maximise the undefined shadow bit, minimize other undefined bits. 1407 return 1408 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaOtherBits)), SaSignBit); 1409 } else { 1410 // Minimize undefined bits. 1411 return IRB.CreateAnd(A, IRB.CreateNot(Sa)); 1412 } 1413 } 1414 1415 /// \brief Build the highest possible value of V, taking into account V's 1416 /// uninitialized bits. 1417 Value *getHighestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa, 1418 bool isSigned) { 1419 if (isSigned) { 1420 // Split shadow into sign bit and other bits. 1421 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1); 1422 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits); 1423 // Minimise the undefined shadow bit, maximise other undefined bits. 1424 return 1425 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaSignBit)), SaOtherBits); 1426 } else { 1427 // Maximize undefined bits. 1428 return IRB.CreateOr(A, Sa); 1429 } 1430 } 1431 1432 /// \brief Instrument relational comparisons. 1433 /// 1434 /// This function does exact shadow propagation for all relational 1435 /// comparisons of integers, pointers and vectors of those. 
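  ///
  /// A small worked example of the idea (unsigned case, purely illustrative):
  /// if A's defined bits are 0b1000 and its shadow is 0b0011, A's possible
  /// values form the interval [8, 11]. Comparing against a fully defined
  /// B = 4, both 8 > 4 and 11 > 4 hold, so the result of A > B is defined
  /// even though A is partially uninitialized.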
1436 /// FIXME: output seems suboptimal when one of the operands is a constant 1437 void handleRelationalComparisonExact(ICmpInst &I) { 1438 IRBuilder<> IRB(&I); 1439 Value *A = I.getOperand(0); 1440 Value *B = I.getOperand(1); 1441 Value *Sa = getShadow(A); 1442 Value *Sb = getShadow(B); 1443 1444 // Get rid of pointers and vectors of pointers. 1445 // For ints (and vectors of ints), types of A and Sa match, 1446 // and this is a no-op. 1447 A = IRB.CreatePointerCast(A, Sa->getType()); 1448 B = IRB.CreatePointerCast(B, Sb->getType()); 1449 1450 // Let [a0, a1] be the interval of possible values of A, taking into account 1451 // its undefined bits. Let [b0, b1] be the interval of possible values of B. 1452 // Then (A cmp B) is defined iff (a0 cmp b1) == (a1 cmp b0). 1453 bool IsSigned = I.isSigned(); 1454 Value *S1 = IRB.CreateICmp(I.getPredicate(), 1455 getLowestPossibleValue(IRB, A, Sa, IsSigned), 1456 getHighestPossibleValue(IRB, B, Sb, IsSigned)); 1457 Value *S2 = IRB.CreateICmp(I.getPredicate(), 1458 getHighestPossibleValue(IRB, A, Sa, IsSigned), 1459 getLowestPossibleValue(IRB, B, Sb, IsSigned)); 1460 Value *Si = IRB.CreateXor(S1, S2); 1461 setShadow(&I, Si); 1462 setOriginForNaryOp(I); 1463 } 1464 1465 /// \brief Instrument signed relational comparisons. 1466 /// 1467 /// Handle (x<0) and (x>=0) comparisons (essentially, sign bit tests) by 1468 /// propagating the highest bit of the shadow. Everything else is delegated 1469 /// to handleShadowOr(). 1470 void handleSignedRelationalComparison(ICmpInst &I) { 1471 Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0)); 1472 Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1)); 1473 Value* op = NULL; 1474 CmpInst::Predicate pre = I.getPredicate(); 1475 if (constOp0 && constOp0->isNullValue() && 1476 (pre == CmpInst::ICMP_SGT || pre == CmpInst::ICMP_SLE)) { 1477 op = I.getOperand(1); 1478 } else if (constOp1 && constOp1->isNullValue() && 1479 (pre == CmpInst::ICMP_SLT || pre == CmpInst::ICMP_SGE)) { 1480 op = I.getOperand(0); 1481 } 1482 if (op) { 1483 IRBuilder<> IRB(&I); 1484 Value* Shadow = 1485 IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op), "_msprop_icmpslt"); 1486 setShadow(&I, Shadow); 1487 setOrigin(&I, getOrigin(op)); 1488 } else { 1489 handleShadowOr(I); 1490 } 1491 } 1492 1493 void visitICmpInst(ICmpInst &I) { 1494 if (!ClHandleICmp) { 1495 handleShadowOr(I); 1496 return; 1497 } 1498 if (I.isEquality()) { 1499 handleEqualityComparison(I); 1500 return; 1501 } 1502 1503 assert(I.isRelational()); 1504 if (ClHandleICmpExact) { 1505 handleRelationalComparisonExact(I); 1506 return; 1507 } 1508 if (I.isSigned()) { 1509 handleSignedRelationalComparison(I); 1510 return; 1511 } 1512 1513 assert(I.isUnsigned()); 1514 if ((isa<Constant>(I.getOperand(0)) || isa<Constant>(I.getOperand(1)))) { 1515 handleRelationalComparisonExact(I); 1516 return; 1517 } 1518 1519 handleShadowOr(I); 1520 } 1521 1522 void visitFCmpInst(FCmpInst &I) { 1523 handleShadowOr(I); 1524 } 1525 1526 void handleShift(BinaryOperator &I) { 1527 IRBuilder<> IRB(&I); 1528 // If any of the S2 bits are poisoned, the whole thing is poisoned. 1529 // Otherwise perform the same shift on S1. 
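    // E.g. for (x << n) this computes, roughly,
    //   shadow(x << n) = (shadow(x) << n) | (shadow(n) != 0 ? ~0 : 0)
    // i.e. a single poisoned bit in the shift amount poisons every bit of the
    // result (a sketch of the code below, not a separate rule).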

  void visitShl(BinaryOperator &I) { handleShift(I); }
  void visitAShr(BinaryOperator &I) { handleShift(I); }
  void visitLShr(BinaryOperator &I) { handleShift(I); }

  /// \brief Instrument llvm.memmove
  ///
  /// At this point we don't know if llvm.memmove will be inlined or not.
  /// If we don't instrument it and it gets inlined,
  /// our interceptor will not kick in and we will lose the memmove.
  /// If we instrument the call here, but it does not get inlined,
  /// we will memmove the shadow twice, which is bad in case
  /// of overlapping regions. So, we simply lower the intrinsic to a call.
  ///
  /// Similar situation exists for memcpy and memset.
  void visitMemMoveInst(MemMoveInst &I) {
    IRBuilder<> IRB(&I);
    IRB.CreateCall3(
      MS.MemmoveFn,
      IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
      IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
      IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false));
    I.eraseFromParent();
  }

  // Similar to memmove: avoid copying shadow twice.
  // This is somewhat unfortunate as it may slow down small constant memcpys.
  // FIXME: consider doing manual inline for small constant sizes and proper
  // alignment.
  void visitMemCpyInst(MemCpyInst &I) {
    IRBuilder<> IRB(&I);
    IRB.CreateCall3(
      MS.MemcpyFn,
      IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
      IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
      IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false));
    I.eraseFromParent();
  }

  // Same as memcpy.
  void visitMemSetInst(MemSetInst &I) {
    IRBuilder<> IRB(&I);
    IRB.CreateCall3(
      MS.MemsetFn,
      IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
      IRB.CreateIntCast(I.getArgOperand(1), IRB.getInt32Ty(), false),
      IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false));
    I.eraseFromParent();
  }

  void visitVAStartInst(VAStartInst &I) {
    VAHelper->visitVAStartInst(I);
  }

  void visitVACopyInst(VACopyInst &I) {
    VAHelper->visitVACopyInst(I);
  }

  enum IntrinsicKind {
    IK_DoesNotAccessMemory,
    IK_OnlyReadsMemory,
    IK_WritesMemory
  };

  static IntrinsicKind getIntrinsicKind(Intrinsic::ID iid) {
    const int DoesNotAccessMemory = IK_DoesNotAccessMemory;
    const int OnlyReadsArgumentPointees = IK_OnlyReadsMemory;
    const int OnlyReadsMemory = IK_OnlyReadsMemory;
    const int OnlyAccessesArgumentPointees = IK_WritesMemory;
    const int UnknownModRefBehavior = IK_WritesMemory;
#define GET_INTRINSIC_MODREF_BEHAVIOR
#define ModRefBehavior IntrinsicKind
#include "llvm/IR/Intrinsics.gen"
#undef ModRefBehavior
#undef GET_INTRINSIC_MODREF_BEHAVIOR
  }
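
  // Note on the #include trick above (an approximation; the exact shape of
  // the TableGen-generated code may differ): the GET_INTRINSIC_MODREF_BEHAVIOR
  // fragment of Intrinsics.gen expands to a switch over the intrinsic ID that
  // returns one of the ModRefBehavior names, roughly
  //   switch (iid) {
  //   default: return UnknownModRefBehavior;
  //   case ...: return DoesNotAccessMemory;
  //   ...
  //   }
  // so the local constants above map TableGen's ModRefBehavior values onto
  // the three IntrinsicKind buckets used by handleUnknownIntrinsic().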

  /// \brief Handle vector store-like intrinsics.
  ///
  /// Instrument intrinsics that look like a simple SIMD store: writes memory,
  /// has 1 pointer argument and 1 vector argument, returns void.
  bool handleVectorStoreIntrinsic(IntrinsicInst &I) {
    IRBuilder<> IRB(&I);
    Value* Addr = I.getArgOperand(0);
    Value *Shadow = getShadow(&I, 1);
    Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB);

    // We don't know the pointer alignment (could be unaligned SSE store!).
    // Have to assume the worst case.
    IRB.CreateAlignedStore(Shadow, ShadowPtr, 1);

    if (ClCheckAccessAddress)
      insertShadowCheck(Addr, &I);

    // FIXME: use ClStoreCleanOrigin
    // FIXME: factor out common code from materializeStores
    if (MS.TrackOrigins)
      IRB.CreateStore(getOrigin(&I, 1), getOriginPtr(Addr, IRB));
    return true;
  }

  /// \brief Handle vector load-like intrinsics.
  ///
  /// Instrument intrinsics that look like a simple SIMD load: reads memory,
  /// has 1 pointer argument, returns a vector.
  bool handleVectorLoadIntrinsic(IntrinsicInst &I) {
    IRBuilder<> IRB(&I);
    Value *Addr = I.getArgOperand(0);

    Type *ShadowTy = getShadowTy(&I);
    if (LoadShadow) {
      Value *ShadowPtr = getShadowPtr(Addr, ShadowTy, IRB);
      // We don't know the pointer alignment (could be unaligned SSE load!).
      // Have to assume the worst case.
      setShadow(&I, IRB.CreateAlignedLoad(ShadowPtr, 1, "_msld"));
    } else {
      setShadow(&I, getCleanShadow(&I));
    }

    if (ClCheckAccessAddress)
      insertShadowCheck(Addr, &I);

    if (MS.TrackOrigins) {
      if (LoadShadow)
        setOrigin(&I, IRB.CreateLoad(getOriginPtr(Addr, IRB)));
      else
        setOrigin(&I, getCleanOrigin());
    }
    return true;
  }

  /// \brief Handle (SIMD arithmetic)-like intrinsics.
  ///
  /// Instrument intrinsics with any number of arguments of the same type,
  /// equal to the return type. The type should be simple (no aggregates or
  /// pointers; vectors are fine).
  /// Caller guarantees that this intrinsic does not access memory.
  bool maybeHandleSimpleNomemIntrinsic(IntrinsicInst &I) {
    Type *RetTy = I.getType();
    if (!(RetTy->isIntOrIntVectorTy() ||
          RetTy->isFPOrFPVectorTy() ||
          RetTy->isX86_MMXTy()))
      return false;

    unsigned NumArgOperands = I.getNumArgOperands();

    for (unsigned i = 0; i < NumArgOperands; ++i) {
      Type *Ty = I.getArgOperand(i)->getType();
      if (Ty != RetTy)
        return false;
    }

    IRBuilder<> IRB(&I);
    ShadowAndOriginCombiner SC(this, IRB);
    for (unsigned i = 0; i < NumArgOperands; ++i)
      SC.Add(I.getArgOperand(i));
    SC.Done(&I);

    return true;
  }
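
  // Illustrative example (assumed typical input, not from the original
  // source): a call like
  //   %r = call <8 x i16> @llvm.x86.sse2.pmaxs.w(<8 x i16> %a, <8 x i16> %b)
  // has no memory effects and all operand types equal the return type, so it
  // is handled above by OR-combining the shadows (and origins) of %a and %b
  // into the shadow of %r.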

  /// \brief Heuristically instrument unknown intrinsics.
  ///
  /// The main purpose of this code is to do something reasonable with all
  /// random intrinsics we might encounter, most importantly - SIMD intrinsics.
  /// We recognize several classes of intrinsics by their argument types and
  /// ModRefBehavior and apply special instrumentation when we are reasonably
  /// sure that we know what the intrinsic does.
  ///
  /// We special-case intrinsics where this approach fails. See llvm.bswap
  /// handling as an example of that.
  bool handleUnknownIntrinsic(IntrinsicInst &I) {
    unsigned NumArgOperands = I.getNumArgOperands();
    if (NumArgOperands == 0)
      return false;

    Intrinsic::ID iid = I.getIntrinsicID();
    IntrinsicKind IK = getIntrinsicKind(iid);
    bool OnlyReadsMemory = IK == IK_OnlyReadsMemory;
    bool WritesMemory = IK == IK_WritesMemory;
    assert(!(OnlyReadsMemory && WritesMemory));

    if (NumArgOperands == 2 &&
        I.getArgOperand(0)->getType()->isPointerTy() &&
        I.getArgOperand(1)->getType()->isVectorTy() &&
        I.getType()->isVoidTy() &&
        WritesMemory) {
      // This looks like a vector store.
      return handleVectorStoreIntrinsic(I);
    }

    if (NumArgOperands == 1 &&
        I.getArgOperand(0)->getType()->isPointerTy() &&
        I.getType()->isVectorTy() &&
        OnlyReadsMemory) {
      // This looks like a vector load.
      return handleVectorLoadIntrinsic(I);
    }

    if (!OnlyReadsMemory && !WritesMemory)
      if (maybeHandleSimpleNomemIntrinsic(I))
        return true;

    // FIXME: detect and handle SSE maskstore/maskload
    return false;
  }

  void handleBswap(IntrinsicInst &I) {
    IRBuilder<> IRB(&I);
    Value *Op = I.getArgOperand(0);
    Type *OpType = Op->getType();
    Function *BswapFunc = Intrinsic::getDeclaration(
      F.getParent(), Intrinsic::bswap, ArrayRef<Type*>(&OpType, 1));
    setShadow(&I, IRB.CreateCall(BswapFunc, getShadow(Op)));
    setOrigin(&I, getOrigin(Op));
  }

  // \brief Instrument vector convert intrinsic.
  //
  // This function instruments intrinsics like cvtsi2ss:
  // %Out = int_xxx_cvtyyy(%ConvertOp)
  // or
  // %Out = int_xxx_cvtyyy(%CopyOp, %ConvertOp)
  // Intrinsic converts \p NumUsedElements elements of \p ConvertOp to the same
  // number of \p Out elements, and (if it has 2 arguments) copies the rest of
  // the elements from \p CopyOp.
  // In most cases conversion involves floating-point values which may trigger
  // a hardware exception when not fully initialized. For this reason we
  // require \p ConvertOp[0:NumUsedElements] to be fully initialized and trap
  // otherwise.
  // We copy the shadow of \p CopyOp[NumUsedElements:] to \p
  // Out[NumUsedElements:]. This means that intrinsics without \p CopyOp always
  // return a fully initialized value.
  void handleVectorConvertIntrinsic(IntrinsicInst &I, int NumUsedElements) {
    IRBuilder<> IRB(&I);
    Value *CopyOp, *ConvertOp;

    switch (I.getNumArgOperands()) {
    case 2:
      CopyOp = I.getArgOperand(0);
      ConvertOp = I.getArgOperand(1);
      break;
    case 1:
      ConvertOp = I.getArgOperand(0);
      CopyOp = NULL;
      break;
    default:
      llvm_unreachable("Cvt intrinsic with unsupported number of arguments.");
    }

    // The first *NumUsedElements* elements of ConvertOp are converted to the
    // same number of output elements. The rest of the output is copied from
    // CopyOp, or (if not available) filled with zeroes.
    // Combine shadow for elements of ConvertOp that are used in this operation,
    // and insert a check.
    // FIXME: consider propagating shadow of ConvertOp, at least in the case of
    // int->any conversion.
    Value *ConvertShadow = getShadow(ConvertOp);
    Value *AggShadow = 0;
    if (ConvertOp->getType()->isVectorTy()) {
      AggShadow = IRB.CreateExtractElement(
          ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), 0));
      for (int i = 1; i < NumUsedElements; ++i) {
        Value *MoreShadow = IRB.CreateExtractElement(
            ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), i));
        AggShadow = IRB.CreateOr(AggShadow, MoreShadow);
      }
    } else {
      AggShadow = ConvertShadow;
    }
    assert(AggShadow->getType()->isIntegerTy());
    insertShadowCheck(AggShadow, getOrigin(ConvertOp), &I);

    // Build result shadow by zero-filling parts of CopyOp shadow that come from
    // ConvertOp.
    if (CopyOp) {
      assert(CopyOp->getType() == I.getType());
      assert(CopyOp->getType()->isVectorTy());
      Value *ResultShadow = getShadow(CopyOp);
      Type *EltTy = ResultShadow->getType()->getVectorElementType();
      for (int i = 0; i < NumUsedElements; ++i) {
        ResultShadow = IRB.CreateInsertElement(
            ResultShadow, ConstantInt::getNullValue(EltTy),
            ConstantInt::get(IRB.getInt32Ty(), i));
      }
      setShadow(&I, ResultShadow);
      setOrigin(&I, getOrigin(CopyOp));
    } else {
      setShadow(&I, getCleanShadow(&I));
    }
  }
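
  // Illustrative example (assumed typical input, not from the original
  // source): for
  //   %r = call <4 x float> @llvm.x86.sse.cvtsi2ss(<4 x float> %copy, i32 %x)
  // this is invoked with NumUsedElements == 1: it inserts a shadow check on
  // %x (reporting a use of uninitialized value if %x is not fully
  // initialized), zeroes element 0 of %copy's shadow, and leaves the shadow
  // of the remaining elements unchanged.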

  void visitIntrinsicInst(IntrinsicInst &I) {
    switch (I.getIntrinsicID()) {
    case llvm::Intrinsic::bswap:
      handleBswap(I);
      break;
    case llvm::Intrinsic::x86_avx512_cvtsd2usi64:
    case llvm::Intrinsic::x86_avx512_cvtsd2usi:
    case llvm::Intrinsic::x86_avx512_cvtss2usi64:
    case llvm::Intrinsic::x86_avx512_cvtss2usi:
    case llvm::Intrinsic::x86_avx512_cvttss2usi64:
    case llvm::Intrinsic::x86_avx512_cvttss2usi:
    case llvm::Intrinsic::x86_avx512_cvttsd2usi64:
    case llvm::Intrinsic::x86_avx512_cvttsd2usi:
    case llvm::Intrinsic::x86_avx512_cvtusi2sd:
    case llvm::Intrinsic::x86_avx512_cvtusi2ss:
    case llvm::Intrinsic::x86_avx512_cvtusi642sd:
    case llvm::Intrinsic::x86_avx512_cvtusi642ss:
    case llvm::Intrinsic::x86_sse2_cvtsd2si64:
    case llvm::Intrinsic::x86_sse2_cvtsd2si:
    case llvm::Intrinsic::x86_sse2_cvtsd2ss:
    case llvm::Intrinsic::x86_sse2_cvtsi2sd:
    case llvm::Intrinsic::x86_sse2_cvtsi642sd:
    case llvm::Intrinsic::x86_sse2_cvtss2sd:
    case llvm::Intrinsic::x86_sse2_cvttsd2si64:
    case llvm::Intrinsic::x86_sse2_cvttsd2si:
    case llvm::Intrinsic::x86_sse_cvtsi2ss:
    case llvm::Intrinsic::x86_sse_cvtsi642ss:
    case llvm::Intrinsic::x86_sse_cvtss2si64:
    case llvm::Intrinsic::x86_sse_cvtss2si:
    case llvm::Intrinsic::x86_sse_cvttss2si64:
    case llvm::Intrinsic::x86_sse_cvttss2si:
      handleVectorConvertIntrinsic(I, 1);
      break;
    case llvm::Intrinsic::x86_sse2_cvtdq2pd:
    case llvm::Intrinsic::x86_sse2_cvtps2pd:
    case llvm::Intrinsic::x86_sse_cvtps2pi:
    case llvm::Intrinsic::x86_sse_cvttps2pi:
      handleVectorConvertIntrinsic(I, 2);
      break;
    default:
      if (!handleUnknownIntrinsic(I))
        visitInstruction(I);
      break;
    }
  }

  void visitCallSite(CallSite CS) {
    Instruction &I = *CS.getInstruction();
    assert((CS.isCall() || CS.isInvoke()) && "Unknown type of CallSite");
    if (CS.isCall()) {
      CallInst *Call = cast<CallInst>(&I);

      // For inline asm, do the usual thing: check argument shadow and mark all
      // outputs as clean. Note that any side effects of the inline asm that are
      // not immediately visible in its constraints are not handled.
      if (Call->isInlineAsm()) {
        visitInstruction(I);
        return;
      }

      // Allow only tail calls with the same types, otherwise
      // we may have a false positive: shadow for a non-void RetVal
      // will get propagated to a void RetVal.
      if (Call->isTailCall() && Call->getType() != Call->getParent()->getType())
        Call->setTailCall(false);

      assert(!isa<IntrinsicInst>(&I) && "intrinsics are handled elsewhere");

      // We are going to insert code that relies on the fact that the callee
      // will become a non-readonly function after it is instrumented by us. To
      // prevent this code from being optimized out, mark that function
      // non-readonly in advance.
      if (Function *Func = Call->getCalledFunction()) {
        // Clear out readonly/readnone attributes.
        AttrBuilder B;
        B.addAttribute(Attribute::ReadOnly)
          .addAttribute(Attribute::ReadNone);
        Func->removeAttributes(AttributeSet::FunctionIndex,
                               AttributeSet::get(Func->getContext(),
                                                 AttributeSet::FunctionIndex,
                                                 B));
      }
    }
    IRBuilder<> IRB(&I);

    if (MS.WrapIndirectCalls && !CS.getCalledFunction())
      IndirectCallList.push_back(CS);

    unsigned ArgOffset = 0;
    DEBUG(dbgs() << "  CallSite: " << I << "\n");
    for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
         ArgIt != End; ++ArgIt) {
      Value *A = *ArgIt;
      unsigned i = ArgIt - CS.arg_begin();
      if (!A->getType()->isSized()) {
        DEBUG(dbgs() << "Arg " << i << " is not sized: " << I << "\n");
        continue;
      }
      unsigned Size = 0;
      Value *Store = 0;
      // Compute the Shadow for arg even if it is ByVal, because
      // in that case getShadow() will copy the actual arg shadow to
      // __msan_param_tls.
      Value *ArgShadow = getShadow(A);
      Value *ArgShadowBase = getShadowPtrForArgument(A, IRB, ArgOffset);
      DEBUG(dbgs() << "  Arg#" << i << ": " << *A <<
            " Shadow: " << *ArgShadow << "\n");
      if (CS.paramHasAttr(i + 1, Attribute::ByVal)) {
        assert(A->getType()->isPointerTy() &&
               "ByVal argument is not a pointer!");
        Size = MS.TD->getTypeAllocSize(A->getType()->getPointerElementType());
        unsigned Alignment = CS.getParamAlignment(i + 1);
        Store = IRB.CreateMemCpy(ArgShadowBase,
                                 getShadowPtr(A, Type::getInt8Ty(*MS.C), IRB),
                                 Size, Alignment);
      } else {
        Size = MS.TD->getTypeAllocSize(A->getType());
        Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase,
                                       kShadowTLSAlignment);
      }
      if (MS.TrackOrigins)
        IRB.CreateStore(getOrigin(A),
                        getOriginPtrForArgument(A, IRB, ArgOffset));
      (void)Store;
      assert(Size != 0 && Store != 0);
      DEBUG(dbgs() << "  Param:" << *Store << "\n");
      ArgOffset += DataLayout::RoundUpAlignment(Size, 8);
    }
    DEBUG(dbgs() << "  done with call args\n");

    FunctionType *FT =
      cast<FunctionType>(CS.getCalledValue()->getType()->getContainedType(0));
    if (FT->isVarArg()) {
      VAHelper->visitCallSite(CS, IRB);
    }

    // Now, get the shadow for the RetVal.
    if (!I.getType()->isSized()) return;
    IRBuilder<> IRBBefore(&I);
    // Until we have full dynamic coverage, make sure the retval shadow is 0.
    Value *Base = getShadowPtrForRetval(&I, IRBBefore);
    IRBBefore.CreateAlignedStore(getCleanShadow(&I), Base, kShadowTLSAlignment);
    Instruction *NextInsn = 0;
    if (CS.isCall()) {
      NextInsn = I.getNextNode();
    } else {
      BasicBlock *NormalDest = cast<InvokeInst>(&I)->getNormalDest();
      if (!NormalDest->getSinglePredecessor()) {
        // FIXME: this case is tricky, so we are just conservative here.
        // Perhaps we need to split the edge between this BB and NormalDest,
        // but a naive attempt to use SplitEdge leads to a crash.
        setShadow(&I, getCleanShadow(&I));
        setOrigin(&I, getCleanOrigin());
        return;
      }
      NextInsn = NormalDest->getFirstInsertionPt();
      assert(NextInsn &&
             "Could not find insertion point for retval shadow load");
    }
    IRBuilder<> IRBAfter(NextInsn);
    Value *RetvalShadow =
      IRBAfter.CreateAlignedLoad(getShadowPtrForRetval(&I, IRBAfter),
                                 kShadowTLSAlignment, "_msret");
    setShadow(&I, RetvalShadow);
    if (MS.TrackOrigins)
      setOrigin(&I, IRBAfter.CreateLoad(getOriginPtrForRetval(IRBAfter)));
  }
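
  // Rough sketch of the shadow calling convention implemented above (an
  // illustration, not the literal IR the pass emits): for
  //   %r = call i32 @f(i32 %x)
  // the instrumented code becomes approximately
  //   store %x's shadow to __msan_param_tls (at ArgOffset 0, align 8)
  //   store 0 to __msan_retval_tls            ; clean retval slot before the call
  //   %r = call i32 @f(i32 %x)
  //   %r's shadow = load from __msan_retval_tls
  // The instrumented callee reads its parameter shadow from __msan_param_tls
  // and writes the return value shadow to __msan_retval_tls (see
  // visitReturnInst below).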

  void visitReturnInst(ReturnInst &I) {
    IRBuilder<> IRB(&I);
    Value *RetVal = I.getReturnValue();
    if (!RetVal) return;
    Value *ShadowPtr = getShadowPtrForRetval(RetVal, IRB);
    if (CheckReturnValue) {
      insertShadowCheck(RetVal, &I);
      Value *Shadow = getCleanShadow(RetVal);
      IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
    } else {
      Value *Shadow = getShadow(RetVal);
      IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
      // FIXME: make it conditional if ClStoreCleanOrigin==0
      if (MS.TrackOrigins)
        IRB.CreateStore(getOrigin(RetVal), getOriginPtrForRetval(IRB));
    }
  }

  void visitPHINode(PHINode &I) {
    IRBuilder<> IRB(&I);
    ShadowPHINodes.push_back(&I);
    setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(),
                                "_msphi_s"));
    if (MS.TrackOrigins)
      setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(),
                                  "_msphi_o"));
  }

  void visitAllocaInst(AllocaInst &I) {
    setShadow(&I, getCleanShadow(&I));
    IRBuilder<> IRB(I.getNextNode());
    uint64_t Size = MS.TD->getTypeAllocSize(I.getAllocatedType());
    if (PoisonStack && ClPoisonStackWithCall) {
      IRB.CreateCall2(MS.MsanPoisonStackFn,
                      IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()),
                      ConstantInt::get(MS.IntptrTy, Size));
    } else {
      Value *ShadowBase = getShadowPtr(&I, Type::getInt8PtrTy(*MS.C), IRB);
      Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0);
      IRB.CreateMemSet(ShadowBase, PoisonValue, Size, I.getAlignment());
    }

    if (PoisonStack && MS.TrackOrigins) {
      setOrigin(&I, getCleanOrigin());
      SmallString<2048> StackDescriptionStorage;
      raw_svector_ostream StackDescription(StackDescriptionStorage);
      // We create a string with a description of the stack allocation and
      // pass it into __msan_set_alloca_origin.
      // It will be printed by the run-time if stack-originated UMR is found.
      // The first 4 bytes of the string are set to '----' and will be replaced
      // by the stack origin id at the first call into the runtime.
      StackDescription << "----" << I.getName() << "@" << F.getName();
      Value *Descr =
        createPrivateNonConstGlobalForString(*F.getParent(),
                                             StackDescription.str());

      IRB.CreateCall4(MS.MsanSetAllocaOrigin4Fn,
                      IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()),
                      ConstantInt::get(MS.IntptrTy, Size),
                      IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy()),
                      IRB.CreatePointerCast(&F, MS.IntptrTy));
    }
  }
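
  // Illustrative summary of the code above (defaults assumed, not stated in
  // the original source): for "%buf = alloca [8 x i8], align 8" the 8 shadow
  // bytes of %buf are filled with the poison pattern (ClPoisonStackPattern,
  // assumed to default to 0xff) via an inline memset, or poisoned through the
  // MS.MsanPoisonStackFn runtime call when ClPoisonStackWithCall is set; with
  // origin tracking enabled, a "----<name>@<function>" description string is
  // passed to __msan_set_alloca_origin4 so the runtime can attribute reports
  // to this alloca.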

  void visitSelectInst(SelectInst& I) {
    IRBuilder<> IRB(&I);
    // a = select b, c, d
    Value *S = IRB.CreateSelect(I.getCondition(), getShadow(I.getTrueValue()),
                                getShadow(I.getFalseValue()));
    if (I.getType()->isAggregateType()) {
      // To avoid "sign extending" i1 to an arbitrary aggregate type, we just do
      // an extra "select". This results in much more compact IR.
      // Sa = select Sb, poisoned, (select b, Sc, Sd)
      S = IRB.CreateSelect(getShadow(I.getCondition()),
                           getPoisonedShadow(getShadowTy(I.getType())), S,
                           "_msprop_select_agg");
    } else {
      // Sa = (sext Sb) | (select b, Sc, Sd)
      S = IRB.CreateOr(S, CreateShadowCast(IRB, getShadow(I.getCondition()),
                                           S->getType(), true),
                       "_msprop_select");
    }
    setShadow(&I, S);
    if (MS.TrackOrigins) {
      // Origins are always i32, so any vector conditions must be flattened.
      // FIXME: consider tracking vector origins for app vectors?
      Value *Cond = I.getCondition();
      if (Cond->getType()->isVectorTy()) {
        Value *ConvertedShadow = convertToShadowTyNoVec(Cond, IRB);
        Cond = IRB.CreateICmpNE(ConvertedShadow,
                                getCleanShadow(ConvertedShadow), "_mso_select");
      }
      setOrigin(&I, IRB.CreateSelect(Cond,
                getOrigin(I.getTrueValue()), getOrigin(I.getFalseValue())));
    }
  }
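
  // Illustration of the scalar case above (approximate, not emitted
  // verbatim): for
  //   %a = select i1 %b, i32 %c, i32 %d
  // the shadow becomes roughly
  //   %sa = or i32 (select i1 %b, i32 %sc, i32 %sd), (sext i1 %sb to i32)
  // i.e. the selected operand's shadow, fully poisoned if the condition's own
  // shadow bit is set.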

  void visitLandingPadInst(LandingPadInst &I) {
    // Do nothing.
    // See http://code.google.com/p/memory-sanitizer/issues/detail?id=1
    setShadow(&I, getCleanShadow(&I));
    setOrigin(&I, getCleanOrigin());
  }

  void visitGetElementPtrInst(GetElementPtrInst &I) {
    handleShadowOr(I);
  }

  void visitExtractValueInst(ExtractValueInst &I) {
    IRBuilder<> IRB(&I);
    Value *Agg = I.getAggregateOperand();
    DEBUG(dbgs() << "ExtractValue: " << I << "\n");
    Value *AggShadow = getShadow(Agg);
    DEBUG(dbgs() << "  AggShadow: " << *AggShadow << "\n");
    Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices());
    DEBUG(dbgs() << "  ResShadow: " << *ResShadow << "\n");
    setShadow(&I, ResShadow);
    setOriginForNaryOp(I);
  }

  void visitInsertValueInst(InsertValueInst &I) {
    IRBuilder<> IRB(&I);
    DEBUG(dbgs() << "InsertValue: " << I << "\n");
    Value *AggShadow = getShadow(I.getAggregateOperand());
    Value *InsShadow = getShadow(I.getInsertedValueOperand());
    DEBUG(dbgs() << "  AggShadow: " << *AggShadow << "\n");
    DEBUG(dbgs() << "  InsShadow: " << *InsShadow << "\n");
    Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices());
    DEBUG(dbgs() << "  Res: " << *Res << "\n");
    setShadow(&I, Res);
    setOriginForNaryOp(I);
  }

  void dumpInst(Instruction &I) {
    if (CallInst *CI = dyn_cast<CallInst>(&I)) {
      errs() << "ZZZ call " << CI->getCalledFunction()->getName() << "\n";
    } else {
      errs() << "ZZZ " << I.getOpcodeName() << "\n";
    }
    errs() << "QQQ " << I << "\n";
  }

  void visitResumeInst(ResumeInst &I) {
    DEBUG(dbgs() << "Resume: " << I << "\n");
    // Nothing to do here.
  }

  void visitInstruction(Instruction &I) {
    // Everything else: stop propagating and check for poisoned shadow.
    if (ClDumpStrictInstructions)
      dumpInst(I);
    DEBUG(dbgs() << "DEFAULT: " << I << "\n");
    for (size_t i = 0, n = I.getNumOperands(); i < n; i++)
      insertShadowCheck(I.getOperand(i), &I);
    setShadow(&I, getCleanShadow(&I));
    setOrigin(&I, getCleanOrigin());
  }
};

/// \brief AMD64-specific implementation of VarArgHelper.
struct VarArgAMD64Helper : public VarArgHelper {
  // An unfortunate workaround for asymmetric lowering of va_arg stuff.
  // See a comment in visitCallSite for more details.
  static const unsigned AMD64GpEndOffset = 48;  // AMD64 ABI Draft 0.99.6 p3.5.7
  static const unsigned AMD64FpEndOffset = 176;

  Function &F;
  MemorySanitizer &MS;
  MemorySanitizerVisitor &MSV;
  Value *VAArgTLSCopy;
  Value *VAArgOverflowSize;

  SmallVector<CallInst*, 16> VAStartInstrumentationList;

  VarArgAMD64Helper(Function &F, MemorySanitizer &MS,
                    MemorySanitizerVisitor &MSV)
    : F(F), MS(MS), MSV(MSV), VAArgTLSCopy(0), VAArgOverflowSize(0) { }

  enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };

  ArgKind classifyArgument(Value* arg) {
    // A very rough approximation of X86_64 argument classification rules.
    Type *T = arg->getType();
    if (T->isFPOrFPVectorTy() || T->isX86_MMXTy())
      return AK_FloatingPoint;
    if (T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64)
      return AK_GeneralPurpose;
    if (T->isPointerTy())
      return AK_GeneralPurpose;
    return AK_Memory;
  }
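
  // Illustration of the layout implied by the offsets above: the va_arg
  // shadow TLS mirrors the AMD64 register save area, with general-purpose
  // arguments at offsets 0..47 (6 x 8 bytes), FP/SSE arguments at 48..175
  // (8 x 16 bytes), and everything classified AK_Memory appended after 176,
  // rounded up to 8-byte alignment.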

  // For VarArg functions, store the argument shadow in an ABI-specific format
  // that corresponds to va_list layout.
  // We do this because Clang lowers va_arg in the frontend, and this pass
  // only sees the low level code that deals with va_list internals.
  // A much easier alternative (provided that Clang emits va_arg instructions)
  // would have been to associate each live instance of va_list with a copy of
  // MSanParamTLS, and extract shadow on va_arg() call in the argument list
  // order.
  void visitCallSite(CallSite &CS, IRBuilder<> &IRB) {
    unsigned GpOffset = 0;
    unsigned FpOffset = AMD64GpEndOffset;
    unsigned OverflowOffset = AMD64FpEndOffset;
    for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
         ArgIt != End; ++ArgIt) {
      Value *A = *ArgIt;
      ArgKind AK = classifyArgument(A);
      if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset)
        AK = AK_Memory;
      if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset)
        AK = AK_Memory;
      Value *Base;
      switch (AK) {
      case AK_GeneralPurpose:
        Base = getShadowPtrForVAArgument(A, IRB, GpOffset);
        GpOffset += 8;
        break;
      case AK_FloatingPoint:
        Base = getShadowPtrForVAArgument(A, IRB, FpOffset);
        FpOffset += 16;
        break;
      case AK_Memory:
        uint64_t ArgSize = MS.TD->getTypeAllocSize(A->getType());
        Base = getShadowPtrForVAArgument(A, IRB, OverflowOffset);
        OverflowOffset += DataLayout::RoundUpAlignment(ArgSize, 8);
      }
      IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
    }
    Constant *OverflowSize =
      ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset);
    IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
  }

  /// \brief Compute the shadow address for a given va_arg.
  Value *getShadowPtrForVAArgument(Value *A, IRBuilder<> &IRB,
                                   int ArgOffset) {
    Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
    Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
    return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(A), 0),
                              "_msarg");
  }

  void visitVAStartInst(VAStartInst &I) {
    IRBuilder<> IRB(&I);
    VAStartInstrumentationList.push_back(&I);
    Value *VAListTag = I.getArgOperand(0);
    Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB);

    // Unpoison the whole __va_list_tag.
    // FIXME: magic ABI constants.
    IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
                     /* size */24, /* alignment */8, false);
  }

  void visitVACopyInst(VACopyInst &I) {
    IRBuilder<> IRB(&I);
    Value *VAListTag = I.getArgOperand(0);
    Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB);

    // Unpoison the whole __va_list_tag.
    // FIXME: magic ABI constants.
    IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
                     /* size */24, /* alignment */8, false);
  }
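
  // Note on the magic ABI constants used here (per the x86_64 psABI, not
  // spelled out in the original source): __va_list_tag is
  //   struct { i32 gp_offset; i32 fp_offset;
  //            i8* overflow_arg_area; i8* reg_save_area; }
  // i.e. 24 bytes total, with overflow_arg_area at offset 8 and reg_save_area
  // at offset 16 -- which is why the memsets above cover 24 bytes and
  // finalizeInstrumentation below reads pointers at offsets 8 and 16.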

  void finalizeInstrumentation() {
    assert(!VAArgOverflowSize && !VAArgTLSCopy &&
           "finalizeInstrumentation called twice");
    if (!VAStartInstrumentationList.empty()) {
      // If there is a va_start in this function, make a backup copy of
      // va_arg_tls somewhere in the function entry block.
      IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI());
      VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS);
      Value *CopySize =
        IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset),
                      VAArgOverflowSize);
      VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
      IRB.CreateMemCpy(VAArgTLSCopy, MS.VAArgTLS, CopySize, 8);
    }

    // Instrument va_start.
    // Copy va_list shadow from the backup copy of the TLS contents.
    for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
      CallInst *OrigInst = VAStartInstrumentationList[i];
      IRBuilder<> IRB(OrigInst->getNextNode());
      Value *VAListTag = OrigInst->getArgOperand(0);

      Value *RegSaveAreaPtrPtr =
        IRB.CreateIntToPtr(
          IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
                        ConstantInt::get(MS.IntptrTy, 16)),
          Type::getInt64PtrTy(*MS.C));
      Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr);
      Value *RegSaveAreaShadowPtr =
        MSV.getShadowPtr(RegSaveAreaPtr, IRB.getInt8Ty(), IRB);
      IRB.CreateMemCpy(RegSaveAreaShadowPtr, VAArgTLSCopy,
                       AMD64FpEndOffset, 16);

      Value *OverflowArgAreaPtrPtr =
        IRB.CreateIntToPtr(
          IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
                        ConstantInt::get(MS.IntptrTy, 8)),
          Type::getInt64PtrTy(*MS.C));
      Value *OverflowArgAreaPtr = IRB.CreateLoad(OverflowArgAreaPtrPtr);
      Value *OverflowArgAreaShadowPtr =
        MSV.getShadowPtr(OverflowArgAreaPtr, IRB.getInt8Ty(), IRB);
      Value *SrcPtr = IRB.CreateConstGEP1_32(VAArgTLSCopy, AMD64FpEndOffset);
      IRB.CreateMemCpy(OverflowArgAreaShadowPtr, SrcPtr, VAArgOverflowSize, 16);
    }
  }
};

/// \brief A no-op implementation of VarArgHelper.
struct VarArgNoOpHelper : public VarArgHelper {
  VarArgNoOpHelper(Function &F, MemorySanitizer &MS,
                   MemorySanitizerVisitor &MSV) {}

  void visitCallSite(CallSite &CS, IRBuilder<> &IRB) {}

  void visitVAStartInst(VAStartInst &I) {}

  void visitVACopyInst(VACopyInst &I) {}

  void finalizeInstrumentation() {}
};

VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
                                 MemorySanitizerVisitor &Visitor) {
  // VarArg handling is only implemented on AMD64. False positives are possible
  // on other platforms.
  llvm::Triple TargetTriple(Func.getParent()->getTargetTriple());
  if (TargetTriple.getArch() == llvm::Triple::x86_64)
    return new VarArgAMD64Helper(Func, Msan, Visitor);
  else
    return new VarArgNoOpHelper(Func, Msan, Visitor);
}

}  // namespace

bool MemorySanitizer::runOnFunction(Function &F) {
  MemorySanitizerVisitor Visitor(F, *this);

  // Clear out readonly/readnone attributes.
  AttrBuilder B;
  B.addAttribute(Attribute::ReadOnly)
    .addAttribute(Attribute::ReadNone);
  F.removeAttributes(AttributeSet::FunctionIndex,
                     AttributeSet::get(F.getContext(),
                                       AttributeSet::FunctionIndex, B));

  return Visitor.runOnFunction();
}