]> git.ipfire.org Git - thirdparty/gcc.git/blame - gcc/asan.c
projects / thirdparty / gcc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Support running the selftests under valgrind
[thirdparty/gcc.git] / gcc / asan.c
CommitLineData
37d6f666 1/* AddressSanitizer, a fast memory error detector.
818ab71a 2 Copyright (C) 2012-2016 Free Software Foundation, Inc.
37d6f666
WM		 3 Contributed by Kostya Serebryany <kcc@google.com>
4
5This file is part of GCC.
6
7GCC is free software; you can redistribute it and/or modify it under
8the terms of the GNU General Public License as published by the Free
9Software Foundation; either version 3, or (at your option) any later
10version.
11
12GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13WARRANTY; without even the implied warranty of MERCHANTABILITY or
14FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15for more details.
16
17You should have received a copy of the GNU General Public License
18along with GCC; see the file COPYING3. If not see
19<http://www.gnu.org/licenses/>. */
20
21
22#include "config.h"
23#include "system.h"
24#include "coretypes.h"
c7131fb2 25#include "backend.h"
957060b5
AM		 26#include "target.h"
27#include "rtl.h"
4d648807 28#include "tree.h"
c7131fb2 29#include "gimple.h"
957060b5
AM		 30#include "cfghooks.h"
31#include "alloc-pool.h"
32#include "tree-pass.h"
33#include "tm_p.h"
34#include "stringpool.h"
35#include "tree-ssanames.h"
957060b5
AM		 36#include "optabs.h"
37#include "emit-rtl.h"
38#include "cgraph.h"
39#include "gimple-pretty-print.h"
40#include "alias.h"
40e23961 41#include "fold-const.h"
60393bbc 42#include "cfganal.h"
45b0be94 43#include "gimplify.h"
5be5c238 44#include "gimple-iterator.h"
d8a2d370
DN		 45#include "varasm.h"
46#include "stor-layout.h"
37d6f666 47#include "tree-iterator.h"
37d6f666 48#include "asan.h"
36566b39
PK		 49#include "dojump.h"
50#include "explow.h"
f3ddd692 51#include "expr.h"
8240018b 52#include "output.h"
0e668eaf 53#include "langhooks.h"
a9e0d843 54#include "cfgloop.h"
ff2a63a7 55#include "gimple-builder.h"
b9a55b13 56#include "ubsan.h"
b5ebc991 57#include "params.h"
9b2b7279 58#include "builtins.h"
860503d8 59#include "fnmatch.h"
37d6f666 60
497a1c66
JJ		 61/* AddressSanitizer finds out-of-bounds and use-after-free bugs
62 with <2x slowdown on average.
63
64 The tool consists of two parts:
65 instrumentation module (this file) and a run-time library.
66 The instrumentation module adds a run-time check before every memory insn.
67 For a 8- or 16- byte load accessing address X:
68 ShadowAddr = (X >> 3) + Offset
69 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
70 if (ShadowValue)
71 __asan_report_load8(X);
72 For a load of N bytes (N=1, 2 or 4) from address X:
73 ShadowAddr = (X >> 3) + Offset
74 ShadowValue = *(char*)ShadowAddr;
75 if (ShadowValue)
76 if ((X & 7) + N - 1 > ShadowValue)
77 __asan_report_loadN(X);
78 Stores are instrumented similarly, but using __asan_report_storeN functions.
ef1b3fda
KS		 79 A call too __asan_init_vN() is inserted to the list of module CTORs.
80 N is the version number of the AddressSanitizer API. The changes between the
81 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
497a1c66
JJ		 82
83 The run-time library redefines malloc (so that redzone are inserted around
84 the allocated memory) and free (so that reuse of free-ed memory is delayed),
ef1b3fda 85 provides __asan_report* and __asan_init_vN functions.
497a1c66
JJ		 86
87 Read more:
88 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
89
90 The current implementation supports detection of out-of-bounds and
91 use-after-free in the heap, on the stack and for global variables.
92
93 [Protection of stack variables]
94
95 To understand how detection of out-of-bounds and use-after-free works
96 for stack variables, lets look at this example on x86_64 where the
97 stack grows downward:
f3ddd692
JJ		 98
99 int
100 foo ()
101 {
102 char a[23] = {0};
103 int b[2] = {0};
104
105 a[5] = 1;
106 b[1] = 2;
107
108 return a[5] + b[1];
109 }
110
497a1c66
JJ		 111 For this function, the stack protected by asan will be organized as
112 follows, from the top of the stack to the bottom:
f3ddd692 113
497a1c66 114 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
f3ddd692 115
497a1c66
JJ		 116 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
117 the next slot be 32 bytes aligned; this one is called Partial
118 Redzone; this 32 bytes alignment is an asan constraint]
f3ddd692 119
497a1c66 120 Slot 3/ [24 bytes for variable 'a']
f3ddd692 121
497a1c66 122 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
f3ddd692 123
497a1c66 124 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
f3ddd692 125
497a1c66 126 Slot 6/ [8 bytes for variable 'b']
f3ddd692 127
497a1c66
JJ		 128 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
129 'LEFT RedZone']
f3ddd692 130
497a1c66
JJ		 131 The 32 bytes of LEFT red zone at the bottom of the stack can be
132 decomposed as such:
f3ddd692
JJ		 133
134 1/ The first 8 bytes contain a magical asan number that is always
135 0x41B58AB3.
136
137 2/ The following 8 bytes contains a pointer to a string (to be
138 parsed at runtime by the runtime asan library), which format is
139 the following:
140
141 "<function-name> <space> <num-of-variables-on-the-stack>
142 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
143 <length-of-var-in-bytes> ){n} "
144
145 where '(...){n}' means the content inside the parenthesis occurs 'n'
146 times, with 'n' being the number of variables on the stack.
c1f5ce48 147
ef1b3fda
KS		 148 3/ The following 8 bytes contain the PC of the current function which
149 will be used by the run-time library to print an error message.
f3ddd692 150
ef1b3fda 151 4/ The following 8 bytes are reserved for internal use by the run-time.
f3ddd692 152
497a1c66 153 The shadow memory for that stack layout is going to look like this:
f3ddd692
JJ		 154
155 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
156 The F1 byte pattern is a magic number called
157 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
158 the memory for that shadow byte is part of a the LEFT red zone
159 intended to seat at the bottom of the variables on the stack.
160
161 - content of shadow memory 8 bytes for slots 6 and 5:
162 0xF4F4F400. The F4 byte pattern is a magic number
163 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
164 memory region for this shadow byte is a PARTIAL red zone
165 intended to pad a variable A, so that the slot following
166 {A,padding} is 32 bytes aligned.
167
168 Note that the fact that the least significant byte of this
169 shadow memory content is 00 means that 8 bytes of its
170 corresponding memory (which corresponds to the memory of
171 variable 'b') is addressable.
172
173 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
174 The F2 byte pattern is a magic number called
175 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
176 region for this shadow byte is a MIDDLE red zone intended to
177 seat between two 32 aligned slots of {variable,padding}.
178
179 - content of shadow memory 8 bytes for slot 3 and 2:
497a1c66 180 0xF4000000. This represents is the concatenation of
f3ddd692
JJ		 181 variable 'a' and the partial red zone following it, like what we
182 had for variable 'b'. The least significant 3 bytes being 00
183 means that the 3 bytes of variable 'a' are addressable.
184
497a1c66 185 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
f3ddd692
JJ		 186 The F3 byte pattern is a magic number called
187 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
188 region for this shadow byte is a RIGHT red zone intended to seat
189 at the top of the variables of the stack.
190
497a1c66
JJ		 191 Note that the real variable layout is done in expand_used_vars in
192 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
193 stack variables as well as the different red zones, emits some
194 prologue code to populate the shadow memory as to poison (mark as
195 non-accessible) the regions of the red zones and mark the regions of
196 stack variables as accessible, and emit some epilogue code to
197 un-poison (mark as accessible) the regions of red zones right before
198 the function exits.
8240018b 199
497a1c66 200 [Protection of global variables]
8240018b 201
497a1c66
JJ		 202 The basic idea is to insert a red zone between two global variables
203 and install a constructor function that calls the asan runtime to do
204 the populating of the relevant shadow memory regions at load time.
8240018b 205
497a1c66
JJ		 206 So the global variables are laid out as to insert a red zone between
207 them. The size of the red zones is so that each variable starts on a
208 32 bytes boundary.
8240018b 209
497a1c66
JJ		 210 Then a constructor function is installed so that, for each global
211 variable, it calls the runtime asan library function
212 __asan_register_globals_with an instance of this type:
8240018b
JJ		 213
214 struct __asan_global
215 {
216 // Address of the beginning of the global variable.
217 const void *__beg;
218
219 // Initial size of the global variable.
220 uptr __size;
221
222 // Size of the global variable + size of the red zone. This
223 // size is 32 bytes aligned.
224 uptr __size_with_redzone;
225
226 // Name of the global variable.
227 const void *__name;
228
ef1b3fda
KS		 229 // Name of the module where the global variable is declared.
230 const void *__module_name;
231
59b36ecf 232 // 1 if it has dynamic initialization, 0 otherwise.
8240018b 233 uptr __has_dynamic_init;
866e32ad
KS		 234
235 // A pointer to struct that contains source location, could be NULL.
236 __asan_global_source_location *__location;
8240018b
JJ		 237 }
238
497a1c66
JJ		 239 A destructor function that calls the runtime asan library function
240 _asan_unregister_globals is also installed. */
f3ddd692 241
fd960af2
YG		 242static unsigned HOST_WIDE_INT asan_shadow_offset_value;
243static bool asan_shadow_offset_computed;
860503d8 244static vec<char *> sanitized_sections;
fd960af2
YG		 245
246/* Sets shadow offset to value in string VAL. */
247
248bool
249set_asan_shadow_offset (const char *val)
250{
251 char *endp;
c1f5ce48 252
fd960af2
YG		 253 errno = 0;
254#ifdef HAVE_LONG_LONG
255 asan_shadow_offset_value = strtoull (val, &endp, 0);
256#else
257 asan_shadow_offset_value = strtoul (val, &endp, 0);
258#endif
259 if (!(*val != '\0' && *endp == '\0' && errno == 0))
260 return false;
261
262 asan_shadow_offset_computed = true;
263
264 return true;
265}
266
18af8d16
YG		 267/* Set list of user-defined sections that need to be sanitized. */
268
269void
860503d8 270set_sanitized_sections (const char *sections)
18af8d16 271{
860503d8
YG		 272 char *pat;
273 unsigned i;
274 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
275 free (pat);
276 sanitized_sections.truncate (0);
277
278 for (const char *s = sections; *s; )
279 {
280 const char *end;
281 for (end = s; *end && *end != ','; ++end);
282 size_t len = end - s;
283 sanitized_sections.safe_push (xstrndup (s, len));
284 s = *end ? end + 1 : end;
285 }
18af8d16
YG		 286}
287
288/* Checks whether section SEC should be sanitized. */
289
290static bool
291section_sanitized_p (const char *sec)
292{
860503d8
YG		 293 char *pat;
294 unsigned i;
295 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
296 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
297 return true;
18af8d16
YG		 298 return false;
299}
300
fd960af2
YG		 301/* Returns Asan shadow offset. */
302
303static unsigned HOST_WIDE_INT
304asan_shadow_offset ()
305{
306 if (!asan_shadow_offset_computed)
307 {
308 asan_shadow_offset_computed = true;
309 asan_shadow_offset_value = targetm.asan_shadow_offset ();
310 }
311 return asan_shadow_offset_value;
312}
313
f3ddd692 314alias_set_type asan_shadow_set = -1;
37d6f666 315
f6d98484
JJ		 316/* Pointer types to 1 resp. 2 byte integers in shadow memory. A separate
317 alias set is used for all shadow memory accesses. */
318static GTY(()) tree shadow_ptr_types[2];
319
e361382f
JJ		 320/* Decl for __asan_option_detect_stack_use_after_return. */
321static GTY(()) tree asan_detect_stack_use_after_return;
322
c62ccb9a
YG		 323/* Various flags for Asan builtins. */
324enum asan_check_flags
8946c29e 325{
c62ccb9a
YG		 326 ASAN_CHECK_STORE = 1 << 0,
327 ASAN_CHECK_SCALAR_ACCESS = 1 << 1,
328 ASAN_CHECK_NON_ZERO_LEN = 1 << 2,
bdea98ca 329 ASAN_CHECK_LAST = 1 << 3
c62ccb9a 330};
8946c29e 331
bdcbe80c
DS		 332/* Hashtable support for memory references used by gimple
333 statements. */
334
335/* This type represents a reference to a memory region. */
336struct asan_mem_ref
337{
688010ba 338 /* The expression of the beginning of the memory region. */
bdcbe80c
DS		 339 tree start;
340
40f9f6bb
JJ		 341 /* The size of the access. */
342 HOST_WIDE_INT access_size;
c1f5ce48
ML		 343};
344
fcb87c50 345object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
bdcbe80c
DS		 346
347/* Initializes an instance of asan_mem_ref. */
348
349static void
40f9f6bb 350asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
bdcbe80c
DS		 351{
352 ref->start = start;
353 ref->access_size = access_size;
354}
355
356/* Allocates memory for an instance of asan_mem_ref into the memory
357 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
358 START is the address of (or the expression pointing to) the
359 beginning of memory reference. ACCESS_SIZE is the size of the
360 access to the referenced memory. */
361
362static asan_mem_ref*
40f9f6bb 363asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
bdcbe80c 364{
fb0b2914 365 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
bdcbe80c
DS		 366
367 asan_mem_ref_init (ref, start, access_size);
368 return ref;
369}
370
371/* This builds and returns a pointer to the end of the memory region
372 that starts at START and of length LEN. */
373
374tree
375asan_mem_ref_get_end (tree start, tree len)
376{
377 if (len == NULL_TREE || integer_zerop (len))
378 return start;
379
a2f581e1
YG		 380 if (!ptrofftype_p (len))
381 len = convert_to_ptrofftype (len);
382
bdcbe80c
DS		 383 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
384}
385
386/* Return a tree expression that represents the end of the referenced
387 memory region. Beware that this function can actually build a new
388 tree expression. */
389
390tree
391asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
392{
393 return asan_mem_ref_get_end (ref->start, len);
394}
395
8d67ee55 396struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
bdcbe80c 397{
67f58944
TS		 398 static inline hashval_t hash (const asan_mem_ref *);
399 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
bdcbe80c
DS		 400};
401
402/* Hash a memory reference. */
403
404inline hashval_t
405asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
406{
bdea98ca 407 return iterative_hash_expr (mem_ref->start, 0);
bdcbe80c
DS		 408}
409
410/* Compare two memory references. We accept the length of either
411 memory references to be NULL_TREE. */
412
413inline bool
414asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
415 const asan_mem_ref *m2)
416{
bdea98ca 417 return operand_equal_p (m1->start, m2->start, 0);
bdcbe80c
DS		 418}
419
c203e8a7 420static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
bdcbe80c
DS		 421
422/* Returns a reference to the hash table containing memory references.
423 This function ensures that the hash table is created. Note that
424 this hash table is updated by the function
425 update_mem_ref_hash_table. */
426
c203e8a7 427static hash_table<asan_mem_ref_hasher> *
bdcbe80c
DS		 428get_mem_ref_hash_table ()
429{
c203e8a7
TS		 430 if (!asan_mem_ref_ht)
431 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
bdcbe80c
DS		 432
433 return asan_mem_ref_ht;
434}
435
436/* Clear all entries from the memory references hash table. */
437
438static void
439empty_mem_ref_hash_table ()
440{
c203e8a7
TS		 441 if (asan_mem_ref_ht)
442 asan_mem_ref_ht->empty ();
bdcbe80c
DS		 443}
444
445/* Free the memory references hash table. */
446
447static void
448free_mem_ref_resources ()
449{
c203e8a7
TS		 450 delete asan_mem_ref_ht;
451 asan_mem_ref_ht = NULL;
bdcbe80c 452
fb0b2914 453 asan_mem_ref_pool.release ();
bdcbe80c
DS		 454}
455
456/* Return true iff the memory reference REF has been instrumented. */
457
458static bool
40f9f6bb 459has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
bdcbe80c
DS		 460{
461 asan_mem_ref r;
462 asan_mem_ref_init (&r, ref, access_size);
463
bdea98ca
MO		 464 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
465 return saved_ref && saved_ref->access_size >= access_size;
bdcbe80c
DS		 466}
467
468/* Return true iff the memory reference REF has been instrumented. */
469
470static bool
471has_mem_ref_been_instrumented (const asan_mem_ref *ref)
472{
473 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
474}
475
476/* Return true iff access to memory region starting at REF and of
477 length LEN has been instrumented. */
478
479static bool
480has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
481{
bdea98ca
MO		 482 HOST_WIDE_INT size_in_bytes
483 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
bdcbe80c 484
bdea98ca
MO		 485 return size_in_bytes != -1
486 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
bdcbe80c
DS		 487}
488
489/* Set REF to the memory reference present in a gimple assignment
490 ASSIGNMENT. Return true upon successful completion, false
491 otherwise. */
492
493static bool
538dd0b7 494get_mem_ref_of_assignment (const gassign *assignment,
bdcbe80c
DS		 495 asan_mem_ref *ref,
496 bool *ref_is_store)
497{
498 gcc_assert (gimple_assign_single_p (assignment));
499
5d751b0c
JJ		 500 if (gimple_store_p (assignment)
501 && !gimple_clobber_p (assignment))
bdcbe80c
DS		 502 {
503 ref->start = gimple_assign_lhs (assignment);
504 *ref_is_store = true;
505 }
506 else if (gimple_assign_load_p (assignment))
507 {
508 ref->start = gimple_assign_rhs1 (assignment);
509 *ref_is_store = false;
510 }
511 else
512 return false;
513
514 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
515 return true;
516}
517
518/* Return the memory references contained in a gimple statement
519 representing a builtin call that has to do with memory access. */
520
521static bool
538dd0b7 522get_mem_refs_of_builtin_call (const gcall *call,
bdcbe80c
DS		 523 asan_mem_ref *src0,
524 tree *src0_len,
525 bool *src0_is_store,
526 asan_mem_ref *src1,
527 tree *src1_len,
528 bool *src1_is_store,
529 asan_mem_ref *dst,
530 tree *dst_len,
531 bool *dst_is_store,
bdea98ca
MO		 532 bool *dest_is_deref,
533 bool *intercepted_p)
bdcbe80c
DS		 534{
535 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
536
537 tree callee = gimple_call_fndecl (call);
538 tree source0 = NULL_TREE, source1 = NULL_TREE,
539 dest = NULL_TREE, len = NULL_TREE;
540 bool is_store = true, got_reference_p = false;
40f9f6bb 541 HOST_WIDE_INT access_size = 1;
bdcbe80c 542
bdea98ca
MO		 543 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
544
bdcbe80c
DS		 545 switch (DECL_FUNCTION_CODE (callee))
546 {
547 /* (s, s, n) style memops. */
548 case BUILT_IN_BCMP:
549 case BUILT_IN_MEMCMP:
550 source0 = gimple_call_arg (call, 0);
551 source1 = gimple_call_arg (call, 1);
552 len = gimple_call_arg (call, 2);
553 break;
554
555 /* (src, dest, n) style memops. */
556 case BUILT_IN_BCOPY:
557 source0 = gimple_call_arg (call, 0);
558 dest = gimple_call_arg (call, 1);
559 len = gimple_call_arg (call, 2);
560 break;
561
562 /* (dest, src, n) style memops. */
563 case BUILT_IN_MEMCPY:
564 case BUILT_IN_MEMCPY_CHK:
565 case BUILT_IN_MEMMOVE:
566 case BUILT_IN_MEMMOVE_CHK:
567 case BUILT_IN_MEMPCPY:
568 case BUILT_IN_MEMPCPY_CHK:
569 dest = gimple_call_arg (call, 0);
570 source0 = gimple_call_arg (call, 1);
571 len = gimple_call_arg (call, 2);
572 break;
573
574 /* (dest, n) style memops. */
575 case BUILT_IN_BZERO:
576 dest = gimple_call_arg (call, 0);
577 len = gimple_call_arg (call, 1);
578 break;
579
580 /* (dest, x, n) style memops*/
581 case BUILT_IN_MEMSET:
582 case BUILT_IN_MEMSET_CHK:
583 dest = gimple_call_arg (call, 0);
584 len = gimple_call_arg (call, 2);
585 break;
586
587 case BUILT_IN_STRLEN:
588 source0 = gimple_call_arg (call, 0);
589 len = gimple_call_lhs (call);
590 break ;
591
592 /* And now the __atomic* and __sync builtins.
593 These are handled differently from the classical memory memory
594 access builtins above. */
595
596 case BUILT_IN_ATOMIC_LOAD_1:
597 case BUILT_IN_ATOMIC_LOAD_2:
598 case BUILT_IN_ATOMIC_LOAD_4:
599 case BUILT_IN_ATOMIC_LOAD_8:
600 case BUILT_IN_ATOMIC_LOAD_16:
601 is_store = false;
602 /* fall through. */
603
604 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
605 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
606 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
607 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
608 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
609
610 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
611 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
612 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
613 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
614 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
615
616 case BUILT_IN_SYNC_FETCH_AND_OR_1:
617 case BUILT_IN_SYNC_FETCH_AND_OR_2:
618 case BUILT_IN_SYNC_FETCH_AND_OR_4:
619 case BUILT_IN_SYNC_FETCH_AND_OR_8:
620 case BUILT_IN_SYNC_FETCH_AND_OR_16:
621
622 case BUILT_IN_SYNC_FETCH_AND_AND_1:
623 case BUILT_IN_SYNC_FETCH_AND_AND_2:
624 case BUILT_IN_SYNC_FETCH_AND_AND_4:
625 case BUILT_IN_SYNC_FETCH_AND_AND_8:
626 case BUILT_IN_SYNC_FETCH_AND_AND_16:
627
628 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
629 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
630 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
631 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
632 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
633
634 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
635 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
636 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
637 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
638
639 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
640 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
641 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
642 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
643 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
644
645 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
646 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
647 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
648 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
649 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
650
651 case BUILT_IN_SYNC_OR_AND_FETCH_1:
652 case BUILT_IN_SYNC_OR_AND_FETCH_2:
653 case BUILT_IN_SYNC_OR_AND_FETCH_4:
654 case BUILT_IN_SYNC_OR_AND_FETCH_8:
655 case BUILT_IN_SYNC_OR_AND_FETCH_16:
656
657 case BUILT_IN_SYNC_AND_AND_FETCH_1:
658 case BUILT_IN_SYNC_AND_AND_FETCH_2:
659 case BUILT_IN_SYNC_AND_AND_FETCH_4:
660 case BUILT_IN_SYNC_AND_AND_FETCH_8:
661 case BUILT_IN_SYNC_AND_AND_FETCH_16:
662
663 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
664 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
665 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
666 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
667 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
668
669 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
670 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
671 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
672 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
673
674 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
675 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
676 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
677 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
678 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
679
680 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
681 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
682 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
683 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
684 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
685
686 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
687 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
688 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
689 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
690 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
691
692 case BUILT_IN_SYNC_LOCK_RELEASE_1:
693 case BUILT_IN_SYNC_LOCK_RELEASE_2:
694 case BUILT_IN_SYNC_LOCK_RELEASE_4:
695 case BUILT_IN_SYNC_LOCK_RELEASE_8:
696 case BUILT_IN_SYNC_LOCK_RELEASE_16:
697
698 case BUILT_IN_ATOMIC_EXCHANGE_1:
699 case BUILT_IN_ATOMIC_EXCHANGE_2:
700 case BUILT_IN_ATOMIC_EXCHANGE_4:
701 case BUILT_IN_ATOMIC_EXCHANGE_8:
702 case BUILT_IN_ATOMIC_EXCHANGE_16:
703
704 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
705 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
706 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
707 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
708 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
709
710 case BUILT_IN_ATOMIC_STORE_1:
711 case BUILT_IN_ATOMIC_STORE_2:
712 case BUILT_IN_ATOMIC_STORE_4:
713 case BUILT_IN_ATOMIC_STORE_8:
714 case BUILT_IN_ATOMIC_STORE_16:
715
716 case BUILT_IN_ATOMIC_ADD_FETCH_1:
717 case BUILT_IN_ATOMIC_ADD_FETCH_2:
718 case BUILT_IN_ATOMIC_ADD_FETCH_4:
719 case BUILT_IN_ATOMIC_ADD_FETCH_8:
720 case BUILT_IN_ATOMIC_ADD_FETCH_16:
721
722 case BUILT_IN_ATOMIC_SUB_FETCH_1:
723 case BUILT_IN_ATOMIC_SUB_FETCH_2:
724 case BUILT_IN_ATOMIC_SUB_FETCH_4:
725 case BUILT_IN_ATOMIC_SUB_FETCH_8:
726 case BUILT_IN_ATOMIC_SUB_FETCH_16:
727
728 case BUILT_IN_ATOMIC_AND_FETCH_1:
729 case BUILT_IN_ATOMIC_AND_FETCH_2:
730 case BUILT_IN_ATOMIC_AND_FETCH_4:
731 case BUILT_IN_ATOMIC_AND_FETCH_8:
732 case BUILT_IN_ATOMIC_AND_FETCH_16:
733
734 case BUILT_IN_ATOMIC_NAND_FETCH_1:
735 case BUILT_IN_ATOMIC_NAND_FETCH_2:
736 case BUILT_IN_ATOMIC_NAND_FETCH_4:
737 case BUILT_IN_ATOMIC_NAND_FETCH_8:
738 case BUILT_IN_ATOMIC_NAND_FETCH_16:
739
740 case BUILT_IN_ATOMIC_XOR_FETCH_1:
741 case BUILT_IN_ATOMIC_XOR_FETCH_2:
742 case BUILT_IN_ATOMIC_XOR_FETCH_4:
743 case BUILT_IN_ATOMIC_XOR_FETCH_8:
744 case BUILT_IN_ATOMIC_XOR_FETCH_16:
745
746 case BUILT_IN_ATOMIC_OR_FETCH_1:
747 case BUILT_IN_ATOMIC_OR_FETCH_2:
748 case BUILT_IN_ATOMIC_OR_FETCH_4:
749 case BUILT_IN_ATOMIC_OR_FETCH_8:
750 case BUILT_IN_ATOMIC_OR_FETCH_16:
751
752 case BUILT_IN_ATOMIC_FETCH_ADD_1:
753 case BUILT_IN_ATOMIC_FETCH_ADD_2:
754 case BUILT_IN_ATOMIC_FETCH_ADD_4:
755 case BUILT_IN_ATOMIC_FETCH_ADD_8:
756 case BUILT_IN_ATOMIC_FETCH_ADD_16:
757
758 case BUILT_IN_ATOMIC_FETCH_SUB_1:
759 case BUILT_IN_ATOMIC_FETCH_SUB_2:
760 case BUILT_IN_ATOMIC_FETCH_SUB_4:
761 case BUILT_IN_ATOMIC_FETCH_SUB_8:
762 case BUILT_IN_ATOMIC_FETCH_SUB_16:
763
764 case BUILT_IN_ATOMIC_FETCH_AND_1:
765 case BUILT_IN_ATOMIC_FETCH_AND_2:
766 case BUILT_IN_ATOMIC_FETCH_AND_4:
767 case BUILT_IN_ATOMIC_FETCH_AND_8:
768 case BUILT_IN_ATOMIC_FETCH_AND_16:
769
770 case BUILT_IN_ATOMIC_FETCH_NAND_1:
771 case BUILT_IN_ATOMIC_FETCH_NAND_2:
772 case BUILT_IN_ATOMIC_FETCH_NAND_4:
773 case BUILT_IN_ATOMIC_FETCH_NAND_8:
774 case BUILT_IN_ATOMIC_FETCH_NAND_16:
775
776 case BUILT_IN_ATOMIC_FETCH_XOR_1:
777 case BUILT_IN_ATOMIC_FETCH_XOR_2:
778 case BUILT_IN_ATOMIC_FETCH_XOR_4:
779 case BUILT_IN_ATOMIC_FETCH_XOR_8:
780 case BUILT_IN_ATOMIC_FETCH_XOR_16:
781
782 case BUILT_IN_ATOMIC_FETCH_OR_1:
783 case BUILT_IN_ATOMIC_FETCH_OR_2:
784 case BUILT_IN_ATOMIC_FETCH_OR_4:
785 case BUILT_IN_ATOMIC_FETCH_OR_8:
786 case BUILT_IN_ATOMIC_FETCH_OR_16:
787 {
788 dest = gimple_call_arg (call, 0);
789 /* DEST represents the address of a memory location.
790 instrument_derefs wants the memory location, so lets
791 dereference the address DEST before handing it to
792 instrument_derefs. */
793 if (TREE_CODE (dest) == ADDR_EXPR)
794 dest = TREE_OPERAND (dest, 0);
77e83307 795 else if (TREE_CODE (dest) == SSA_NAME || TREE_CODE (dest) == INTEGER_CST)
bdcbe80c
DS		 796 dest = build2 (MEM_REF, TREE_TYPE (TREE_TYPE (dest)),
797 dest, build_int_cst (TREE_TYPE (dest), 0));
798 else
799 gcc_unreachable ();
800
801 access_size = int_size_in_bytes (TREE_TYPE (dest));
802 }
803
804 default:
805 /* The other builtins memory access are not instrumented in this
806 function because they either don't have any length parameter,
807 or their length parameter is just a limit. */
808 break;
809 }
810
811 if (len != NULL_TREE)
812 {
813 if (source0 != NULL_TREE)
814 {
815 src0->start = source0;
816 src0->access_size = access_size;
817 *src0_len = len;
818 *src0_is_store = false;
819 }
820
821 if (source1 != NULL_TREE)
822 {
823 src1->start = source1;
824 src1->access_size = access_size;
825 *src1_len = len;
826 *src1_is_store = false;
827 }
828
829 if (dest != NULL_TREE)
830 {
831 dst->start = dest;
832 dst->access_size = access_size;
833 *dst_len = len;
834 *dst_is_store = true;
835 }
836
837 got_reference_p = true;
838 }
b41288b3
JJ		 839 else if (dest)
840 {
841 dst->start = dest;
842 dst->access_size = access_size;
843 *dst_len = NULL_TREE;
844 *dst_is_store = is_store;
845 *dest_is_deref = true;
846 got_reference_p = true;
847 }
bdcbe80c 848
b41288b3 849 return got_reference_p;
bdcbe80c
DS		 850}
851
852/* Return true iff a given gimple statement has been instrumented.
853 Note that the statement is "defined" by the memory references it
854 contains. */
855
856static bool
355fe088 857has_stmt_been_instrumented_p (gimple *stmt)
bdcbe80c
DS		 858{
859 if (gimple_assign_single_p (stmt))
860 {
861 bool r_is_store;
862 asan_mem_ref r;
863 asan_mem_ref_init (&r, NULL, 1);
864
538dd0b7
DM		 865 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
866 &r_is_store))
bdcbe80c
DS		 867 return has_mem_ref_been_instrumented (&r);
868 }
869 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
870 {
871 asan_mem_ref src0, src1, dest;
872 asan_mem_ref_init (&src0, NULL, 1);
873 asan_mem_ref_init (&src1, NULL, 1);
874 asan_mem_ref_init (&dest, NULL, 1);
875
876 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
877 bool src0_is_store = false, src1_is_store = false,
bdea98ca 878 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
538dd0b7 879 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
bdcbe80c
DS		 880 &src0, &src0_len, &src0_is_store,
881 &src1, &src1_len, &src1_is_store,
882 &dest, &dest_len, &dest_is_store,
bdea98ca 883 &dest_is_deref, &intercepted_p))
bdcbe80c
DS		 884 {
885 if (src0.start != NULL_TREE
886 && !has_mem_ref_been_instrumented (&src0, src0_len))
887 return false;
888
889 if (src1.start != NULL_TREE
890 && !has_mem_ref_been_instrumented (&src1, src1_len))
891 return false;
892
893 if (dest.start != NULL_TREE
894 && !has_mem_ref_been_instrumented (&dest, dest_len))
895 return false;
896
897 return true;
898 }
899 }
7db337c2
ML		 900 else if (is_gimple_call (stmt) && gimple_store_p (stmt))
901 {
902 asan_mem_ref r;
903 asan_mem_ref_init (&r, NULL, 1);
904
905 r.start = gimple_call_lhs (stmt);
906 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
907 return has_mem_ref_been_instrumented (&r);
908 }
909
bdcbe80c
DS		 910 return false;
911}
912
913/* Insert a memory reference into the hash table. */
914
915static void
40f9f6bb 916update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
bdcbe80c 917{
c203e8a7 918 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
bdcbe80c
DS		 919
920 asan_mem_ref r;
921 asan_mem_ref_init (&r, ref, access_size);
922
c203e8a7 923 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
bdea98ca 924 if (*slot == NULL || (*slot)->access_size < access_size)
bdcbe80c
DS		 925 *slot = asan_mem_ref_new (ref, access_size);
926}
927
94fce891
JJ		 928/* Initialize shadow_ptr_types array. */
929
930static void
931asan_init_shadow_ptr_types (void)
932{
933 asan_shadow_set = new_alias_set ();
934 shadow_ptr_types[0] = build_distinct_type_copy (signed_char_type_node);
935 TYPE_ALIAS_SET (shadow_ptr_types[0]) = asan_shadow_set;
936 shadow_ptr_types[0] = build_pointer_type (shadow_ptr_types[0]);
937 shadow_ptr_types[1] = build_distinct_type_copy (short_integer_type_node);
938 TYPE_ALIAS_SET (shadow_ptr_types[1]) = asan_shadow_set;
939 shadow_ptr_types[1] = build_pointer_type (shadow_ptr_types[1]);
940 initialize_sanitizer_builtins ();
941}
942
11a877b3 943/* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
8240018b
JJ		 944
945static tree
11a877b3 946asan_pp_string (pretty_printer *pp)
8240018b 947{
11a877b3 948 const char *buf = pp_formatted_text (pp);
8240018b
JJ		 949 size_t len = strlen (buf);
950 tree ret = build_string (len + 1, buf);
951 TREE_TYPE (ret)
94fce891
JJ		 952 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
953 build_index_type (size_int (len)));
8240018b
JJ		 954 TREE_READONLY (ret) = 1;
955 TREE_STATIC (ret) = 1;
94fce891 956 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
8240018b
JJ		 957}
958
f3ddd692
JJ		 959/* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
960
961static rtx
962asan_shadow_cst (unsigned char shadow_bytes[4])
963{
964 int i;
965 unsigned HOST_WIDE_INT val = 0;
966 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
967 for (i = 0; i < 4; i++)
968 val |= (unsigned HOST_WIDE_INT) shadow_bytes[BYTES_BIG_ENDIAN ? 3 - i : i]
969 << (BITS_PER_UNIT * i);
dcad1dd3 970 return gen_int_mode (val, SImode);
f3ddd692
JJ		 971}
972
aeb7e7c1
JJ		 973/* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
974 though. */
975
976static void
977asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
978{
3a965f61
DM		 979 rtx_insn *insn, *insns, *jump;
980 rtx_code_label *top_label;
981 rtx end, addr, tmp;
aeb7e7c1
JJ		 982
983 start_sequence ();
984 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
985 insns = get_insns ();
986 end_sequence ();
987 for (insn = insns; insn; insn = NEXT_INSN (insn))
988 if (CALL_P (insn))
989 break;
990 if (insn == NULL_RTX)
991 {
992 emit_insn (insns);
993 return;
994 }
995
996 gcc_assert ((len & 3) == 0);
997 top_label = gen_label_rtx ();
57d4d653 998 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
aeb7e7c1
JJ		 999 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1000 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1001 emit_label (top_label);
1002
1003 emit_move_insn (shadow_mem, const0_rtx);
2f1cd2eb 1004 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
c62ccb9a 1005 true, OPTAB_LIB_WIDEN);
aeb7e7c1
JJ		 1006 if (tmp != addr)
1007 emit_move_insn (addr, tmp);
1008 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1009 jump = get_last_insn ();
1010 gcc_assert (JUMP_P (jump));
e5af9ddd 1011 add_int_reg_note (jump, REG_BR_PROB, REG_BR_PROB_BASE * 80 / 100);
aeb7e7c1
JJ		 1012}
1013
ef1b3fda
KS		 1014void
1015asan_function_start (void)
1016{
1017 section *fnsec = function_section (current_function_decl);
1018 switch_to_section (fnsec);
1019 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
c62ccb9a 1020 current_function_funcdef_no);
ef1b3fda
KS		 1021}
1022
f3ddd692
JJ		 1023/* Insert code to protect stack vars. The prologue sequence should be emitted
1024 directly, epilogue sequence returned. BASE is the register holding the
1025 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1026 array contains pairs of offsets in reverse order, always the end offset
1027 of some gap that needs protection followed by starting offset,
1028 and DECLS is an array of representative decls for each var partition.
1029 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1030 elements long (OFFSETS include gap before the first variable as well
e361382f
JJ		 1031 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1032 register which stack vars DECL_RTLs are based on. Either BASE should be
1033 assigned to PBASE, when not doing use after return protection, or
1034 corresponding address based on __asan_stack_malloc* return value. */
f3ddd692 1035
3a4abd2f 1036rtx_insn *
e361382f
JJ		 1037asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1038 HOST_WIDE_INT *offsets, tree *decls, int length)
f3ddd692 1039{
19f8b229
TS		 1040 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1041 rtx_code_label *lab;
3a4abd2f 1042 rtx_insn *insns;
ef1b3fda 1043 char buf[30];
f3ddd692 1044 unsigned char shadow_bytes[4];
e361382f
JJ		 1045 HOST_WIDE_INT base_offset = offsets[length - 1];
1046 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1047 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
f3ddd692
JJ		 1048 HOST_WIDE_INT last_offset, last_size;
1049 int l;
1050 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
ef1b3fda 1051 tree str_cst, decl, id;
e361382f 1052 int use_after_return_class = -1;
f3ddd692 1053
94fce891
JJ		 1054 if (shadow_ptr_types[0] == NULL_TREE)
1055 asan_init_shadow_ptr_types ();
1056
f3ddd692 1057 /* First of all, prepare the description string. */
11a877b3 1058 pretty_printer asan_pp;
da6ca2b5 1059
8240018b
JJ		 1060 pp_decimal_int (&asan_pp, length / 2 - 1);
1061 pp_space (&asan_pp);
f3ddd692
JJ		 1062 for (l = length - 2; l; l -= 2)
1063 {
1064 tree decl = decls[l / 2 - 1];
8240018b
JJ		 1065 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1066 pp_space (&asan_pp);
1067 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1068 pp_space (&asan_pp);
f3ddd692
JJ		 1069 if (DECL_P (decl) && DECL_NAME (decl))
1070 {
8240018b
JJ		 1071 pp_decimal_int (&asan_pp, IDENTIFIER_LENGTH (DECL_NAME (decl)));
1072 pp_space (&asan_pp);
b066401f 1073 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
f3ddd692
JJ		 1074 }
1075 else
8240018b
JJ		 1076 pp_string (&asan_pp, "9 <unknown>");
1077 pp_space (&asan_pp);
f3ddd692 1078 }
11a877b3 1079 str_cst = asan_pp_string (&asan_pp);
f3ddd692
JJ		 1080
1081 /* Emit the prologue sequence. */
b5ebc991
MO		 1082 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1083 && ASAN_USE_AFTER_RETURN)
e361382f
JJ		 1084 {
1085 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1086 /* __asan_stack_malloc_N guarantees alignment
c62ccb9a 1087 N < 6 ? (64 << N) : 4096 bytes. */
e361382f
JJ		 1088 if (alignb > (use_after_return_class < 6
1089 ? (64U << use_after_return_class) : 4096U))
1090 use_after_return_class = -1;
1091 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1092 base_align_bias = ((asan_frame_size + alignb - 1)
1093 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1094 }
e5dcd695
LZ		 1095 /* Align base if target is STRICT_ALIGNMENT. */
1096 if (STRICT_ALIGNMENT)
1097 base = expand_binop (Pmode, and_optab, base,
1098 gen_int_mode (-((GET_MODE_ALIGNMENT (SImode)
1099 << ASAN_SHADOW_SHIFT)
1100 / BITS_PER_UNIT), Pmode), NULL_RTX,
1101 1, OPTAB_DIRECT);
1102
e361382f
JJ		 1103 if (use_after_return_class == -1 && pbase)
1104 emit_move_insn (pbase, base);
e5dcd695 1105
2f1cd2eb 1106 base = expand_binop (Pmode, add_optab, base,
e361382f 1107 gen_int_mode (base_offset - base_align_bias, Pmode),
f3ddd692 1108 NULL_RTX, 1, OPTAB_DIRECT);
e361382f
JJ		 1109 orig_base = NULL_RTX;
1110 if (use_after_return_class != -1)
1111 {
1112 if (asan_detect_stack_use_after_return == NULL_TREE)
1113 {
1114 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1115 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1116 integer_type_node);
1117 SET_DECL_ASSEMBLER_NAME (decl, id);
1118 TREE_ADDRESSABLE (decl) = 1;
1119 DECL_ARTIFICIAL (decl) = 1;
1120 DECL_IGNORED_P (decl) = 1;
1121 DECL_EXTERNAL (decl) = 1;
1122 TREE_STATIC (decl) = 1;
1123 TREE_PUBLIC (decl) = 1;
1124 TREE_USED (decl) = 1;
1125 asan_detect_stack_use_after_return = decl;
1126 }
1127 orig_base = gen_reg_rtx (Pmode);
1128 emit_move_insn (orig_base, base);
1129 ret = expand_normal (asan_detect_stack_use_after_return);
1130 lab = gen_label_rtx ();
1131 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1132 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1133 VOIDmode, 0, lab, very_likely);
1134 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1135 use_after_return_class);
1136 ret = init_one_libfunc (buf);
89e302b8 1137 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode, 1,
e361382f
JJ		 1138 GEN_INT (asan_frame_size
1139 + base_align_bias),
89e302b8
MO		 1140 TYPE_MODE (pointer_sized_int_node));
1141 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1142 and NULL otherwise. Check RET value is NULL here and jump over the
1143 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1144 int very_unlikely = REG_BR_PROB_BASE / 2000 - 1;
1145 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1146 VOIDmode, 0, lab, very_unlikely);
e361382f
JJ		 1147 ret = convert_memory_address (Pmode, ret);
1148 emit_move_insn (base, ret);
1149 emit_label (lab);
1150 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1151 gen_int_mode (base_align_bias
1152 - base_offset, Pmode),
1153 NULL_RTX, 1, OPTAB_DIRECT));
1154 }
f3ddd692 1155 mem = gen_rtx_MEM (ptr_mode, base);
e361382f 1156 mem = adjust_address (mem, VOIDmode, base_align_bias);
69db2d57 1157 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
f3ddd692
JJ		 1158 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1159 emit_move_insn (mem, expand_normal (str_cst));
ef1b3fda
KS		 1160 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1161 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1162 id = get_identifier (buf);
1163 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
c62ccb9a 1164 VAR_DECL, id, char_type_node);
ef1b3fda
KS		 1165 SET_DECL_ASSEMBLER_NAME (decl, id);
1166 TREE_ADDRESSABLE (decl) = 1;
1167 TREE_READONLY (decl) = 1;
1168 DECL_ARTIFICIAL (decl) = 1;
1169 DECL_IGNORED_P (decl) = 1;
1170 TREE_STATIC (decl) = 1;
1171 TREE_PUBLIC (decl) = 0;
1172 TREE_USED (decl) = 1;
8c8b21e4
JJ		 1173 DECL_INITIAL (decl) = decl;
1174 TREE_ASM_WRITTEN (decl) = 1;
1175 TREE_ASM_WRITTEN (id) = 1;
ef1b3fda 1176 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
f3ddd692
JJ		 1177 shadow_base = expand_binop (Pmode, lshr_optab, base,
1178 GEN_INT (ASAN_SHADOW_SHIFT),
1179 NULL_RTX, 1, OPTAB_DIRECT);
e361382f
JJ		 1180 shadow_base
1181 = plus_constant (Pmode, shadow_base,
fd960af2 1182 asan_shadow_offset ()
e361382f 1183 + (base_align_bias >> ASAN_SHADOW_SHIFT));
f3ddd692
JJ		 1184 gcc_assert (asan_shadow_set != -1
1185 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1186 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1187 set_mem_alias_set (shadow_mem, asan_shadow_set);
e5dcd695
LZ		 1188 if (STRICT_ALIGNMENT)
1189 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
f3ddd692
JJ		 1190 prev_offset = base_offset;
1191 for (l = length; l; l -= 2)
1192 {
1193 if (l == 2)
1194 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1195 offset = offsets[l - 1];
1196 if ((offset - base_offset) & (ASAN_RED_ZONE_SIZE - 1))
1197 {
1198 int i;
1199 HOST_WIDE_INT aoff
1200 = base_offset + ((offset - base_offset)
1201 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1202 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1203 (aoff - prev_offset)
1204 >> ASAN_SHADOW_SHIFT);
1205 prev_offset = aoff;
1206 for (i = 0; i < 4; i++, aoff += (1 << ASAN_SHADOW_SHIFT))
1207 if (aoff < offset)
1208 {
1209 if (aoff < offset - (1 << ASAN_SHADOW_SHIFT) + 1)
1210 shadow_bytes[i] = 0;
1211 else
1212 shadow_bytes[i] = offset - aoff;
1213 }
1214 else
1215 shadow_bytes[i] = ASAN_STACK_MAGIC_PARTIAL;
1216 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1217 offset = aoff;
1218 }
1219 while (offset <= offsets[l - 2] - ASAN_RED_ZONE_SIZE)
1220 {
1221 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1222 (offset - prev_offset)
1223 >> ASAN_SHADOW_SHIFT);
1224 prev_offset = offset;
1225 memset (shadow_bytes, cur_shadow_byte, 4);
1226 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1227 offset += ASAN_RED_ZONE_SIZE;
1228 }
1229 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1230 }
1231 do_pending_stack_adjust ();
1232
1233 /* Construct epilogue sequence. */
1234 start_sequence ();
1235
19f8b229 1236 lab = NULL;
e361382f
JJ		 1237 if (use_after_return_class != -1)
1238 {
19f8b229 1239 rtx_code_label *lab2 = gen_label_rtx ();
e361382f
JJ		 1240 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
1241 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1242 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
1243 VOIDmode, 0, lab2, very_likely);
1244 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1245 set_mem_alias_set (shadow_mem, asan_shadow_set);
1246 mem = gen_rtx_MEM (ptr_mode, base);
1247 mem = adjust_address (mem, VOIDmode, base_align_bias);
1248 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
1249 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
1250 if (use_after_return_class < 5
1251 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
1252 BITS_PER_UNIT, true))
1253 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
1254 BITS_PER_UNIT, true, 0);
1255 else if (use_after_return_class >= 5
1256 || !set_storage_via_setmem (shadow_mem,
1257 GEN_INT (sz),
1258 gen_int_mode (c, QImode),
1259 BITS_PER_UNIT, BITS_PER_UNIT,
1260 -1, sz, sz, sz))
1261 {
1262 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
1263 use_after_return_class);
1264 ret = init_one_libfunc (buf);
1265 rtx addr = convert_memory_address (ptr_mode, base);
1266 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
1267 emit_library_call (ret, LCT_NORMAL, ptr_mode, 3, addr, ptr_mode,
1268 GEN_INT (asan_frame_size + base_align_bias),
1269 TYPE_MODE (pointer_sized_int_node),
1270 orig_addr, ptr_mode);
1271 }
1272 lab = gen_label_rtx ();
1273 emit_jump (lab);
1274 emit_label (lab2);
1275 }
1276
f3ddd692
JJ		 1277 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1278 set_mem_alias_set (shadow_mem, asan_shadow_set);
e5dcd695
LZ		 1279
1280 if (STRICT_ALIGNMENT)
1281 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1282
f3ddd692
JJ		 1283 prev_offset = base_offset;
1284 last_offset = base_offset;
1285 last_size = 0;
1286 for (l = length; l; l -= 2)
1287 {
1288 offset = base_offset + ((offsets[l - 1] - base_offset)
1289 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1290 if (last_offset + last_size != offset)
1291 {
1292 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1293 (last_offset - prev_offset)
1294 >> ASAN_SHADOW_SHIFT);
1295 prev_offset = last_offset;
aeb7e7c1 1296 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
f3ddd692
JJ		 1297 last_offset = offset;
1298 last_size = 0;
1299 }
1300 last_size += base_offset + ((offsets[l - 2] - base_offset)
1301 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
1302 - offset;
1303 }
1304 if (last_size)
1305 {
1306 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1307 (last_offset - prev_offset)
1308 >> ASAN_SHADOW_SHIFT);
aeb7e7c1 1309 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
f3ddd692
JJ		 1310 }
1311
1312 do_pending_stack_adjust ();
e361382f
JJ		 1313 if (lab)
1314 emit_label (lab);
f3ddd692 1315
3a4abd2f 1316 insns = get_insns ();
f3ddd692 1317 end_sequence ();
3a4abd2f 1318 return insns;
f3ddd692
JJ		 1319}
1320
8240018b
JJ		 1321/* Return true if DECL, a global var, might be overridden and needs
1322 therefore a local alias. */
1323
1324static bool
1325asan_needs_local_alias (tree decl)
1326{
1327 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
1328}
1329
1330/* Return true if DECL is a VAR_DECL that should be protected
1331 by Address Sanitizer, by appending a red zone with protected
1332 shadow memory after it and aligning it to at least
1333 ASAN_RED_ZONE_SIZE bytes. */
1334
1335bool
1336asan_protect_global (tree decl)
1337{
b5ebc991
MO		 1338 if (!ASAN_GLOBALS)
1339 return false;
1340
8240018b 1341 rtx rtl, symbol;
8240018b 1342
94fce891
JJ		 1343 if (TREE_CODE (decl) == STRING_CST)
1344 {
1345 /* Instrument all STRING_CSTs except those created
1346 by asan_pp_string here. */
1347 if (shadow_ptr_types[0] != NULL_TREE
1348 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
1349 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
1350 return false;
1351 return true;
1352 }
8240018b
JJ		 1353 if (TREE_CODE (decl) != VAR_DECL
1354 /* TLS vars aren't statically protectable. */
1355 || DECL_THREAD_LOCAL_P (decl)
1356 /* Externs will be protected elsewhere. */
1357 || DECL_EXTERNAL (decl)
8240018b
JJ		 1358 || !DECL_RTL_SET_P (decl)
1359 /* Comdat vars pose an ABI problem, we can't know if
1360 the var that is selected by the linker will have
1361 padding or not. */
1362 || DECL_ONE_ONLY (decl)
f1d15bb9
DV		 1363 /* Similarly for common vars. People can use -fno-common.
1364 Note: Linux kernel is built with -fno-common, so we do instrument
1365 globals there even if it is C. */
a8a6fd74 1366 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
8240018b
JJ		 1367 /* Don't protect if using user section, often vars placed
1368 into user section from multiple TUs are then assumed
1369 to be an array of such vars, putting padding in there
1370 breaks this assumption. */
f961457f 1371 || (DECL_SECTION_NAME (decl) != NULL
18af8d16
YG		 1372 && !symtab_node::get (decl)->implicit_section
1373 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
8240018b
JJ		 1374 || DECL_SIZE (decl) == 0
1375 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
1376 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
21a82048
JJ		 1377 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
1378 || TREE_TYPE (decl) == ubsan_get_source_location_type ())
8240018b
JJ		 1379 return false;
1380
1381 rtl = DECL_RTL (decl);
1382 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
1383 return false;
1384 symbol = XEXP (rtl, 0);
1385
1386 if (CONSTANT_POOL_ADDRESS_P (symbol)
1387 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
1388 return false;
1389
8240018b
JJ		 1390 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
1391 return false;
1392
1393#ifndef ASM_OUTPUT_DEF
1394 if (asan_needs_local_alias (decl))
1395 return false;
1396#endif
1397
497a1c66 1398 return true;
8240018b
JJ		 1399}
1400
40f9f6bb
JJ		 1401/* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
1402 IS_STORE is either 1 (for a store) or 0 (for a load). */
37d6f666
WM		 1403
1404static tree
fed4de37
YG		 1405report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1406 int *nargs)
37d6f666 1407{
fed4de37
YG		 1408 static enum built_in_function report[2][2][6]
1409 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
1410 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
1411 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
1412 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
1413 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
1414 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
1415 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
1416 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
1417 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
1418 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
1419 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
1420 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
1421 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
1422 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
1423 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
1424 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
1425 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
1426 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
8946c29e
YG		 1427 if (size_in_bytes == -1)
1428 {
1429 *nargs = 2;
fed4de37 1430 return builtin_decl_implicit (report[recover_p][is_store][5]);
8946c29e
YG		 1431 }
1432 *nargs = 1;
fed4de37
YG		 1433 int size_log2 = exact_log2 (size_in_bytes);
1434 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
37d6f666
WM		 1435}
1436
8946c29e
YG		 1437/* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
1438 IS_STORE is either 1 (for a store) or 0 (for a load). */
1439
1440static tree
fed4de37
YG		 1441check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1442 int *nargs)
8946c29e 1443{
fed4de37
YG		 1444 static enum built_in_function check[2][2][6]
1445 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
1446 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
1447 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
1448 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
1449 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
1450 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
1451 { { BUILT_IN_ASAN_LOAD1_NOABORT,
1452 BUILT_IN_ASAN_LOAD2_NOABORT,
1453 BUILT_IN_ASAN_LOAD4_NOABORT,
1454 BUILT_IN_ASAN_LOAD8_NOABORT,
1455 BUILT_IN_ASAN_LOAD16_NOABORT,
1456 BUILT_IN_ASAN_LOADN_NOABORT },
1457 { BUILT_IN_ASAN_STORE1_NOABORT,
1458 BUILT_IN_ASAN_STORE2_NOABORT,
1459 BUILT_IN_ASAN_STORE4_NOABORT,
1460 BUILT_IN_ASAN_STORE8_NOABORT,
1461 BUILT_IN_ASAN_STORE16_NOABORT,
1462 BUILT_IN_ASAN_STOREN_NOABORT } } };
8946c29e
YG		 1463 if (size_in_bytes == -1)
1464 {
1465 *nargs = 2;
fed4de37 1466 return builtin_decl_implicit (check[recover_p][is_store][5]);
8946c29e
YG		 1467 }
1468 *nargs = 1;
fed4de37
YG		 1469 int size_log2 = exact_log2 (size_in_bytes);
1470 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
8946c29e
YG		 1471}
1472
01452015 1473/* Split the current basic block and create a condition statement
25ae5027
DS		 1474 insertion point right before or after the statement pointed to by
1475 ITER. Return an iterator to the point at which the caller might
1476 safely insert the condition statement.
01452015
DS		 1477
1478 THEN_BLOCK must be set to the address of an uninitialized instance
1479 of basic_block. The function will then set *THEN_BLOCK to the
1480 'then block' of the condition statement to be inserted by the
1481 caller.
1482
c4bfe8bf
JJ		 1483 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1484 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1485
01452015
DS		 1486 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1487 block' of the condition statement to be inserted by the caller.
1488
1489 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1490 statements starting from *ITER, and *THEN_BLOCK is a new empty
1491 block.
1492
25ae5027
DS		 1493 *ITER is adjusted to point to always point to the first statement
1494 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1495 same as what ITER was pointing to prior to calling this function,
1496 if BEFORE_P is true; otherwise, it is its following statement. */
01452015 1497
ac0ff9f2 1498gimple_stmt_iterator
25ae5027
DS		 1499create_cond_insert_point (gimple_stmt_iterator *iter,
1500 bool before_p,
1501 bool then_more_likely_p,
c4bfe8bf 1502 bool create_then_fallthru_edge,
25ae5027
DS		 1503 basic_block *then_block,
1504 basic_block *fallthrough_block)
01452015
DS		 1505{
1506 gimple_stmt_iterator gsi = *iter;
1507
25ae5027 1508 if (!gsi_end_p (gsi) && before_p)
01452015
DS		 1509 gsi_prev (&gsi);
1510
1511 basic_block cur_bb = gsi_bb (*iter);
1512
1513 edge e = split_block (cur_bb, gsi_stmt (gsi));
1514
1515 /* Get a hold on the 'condition block', the 'then block' and the
1516 'else block'. */
1517 basic_block cond_bb = e->src;
1518 basic_block fallthru_bb = e->dest;
1519 basic_block then_bb = create_empty_bb (cond_bb);
a9e0d843
RB		 1520 if (current_loops)
1521 {
1522 add_bb_to_loop (then_bb, cond_bb->loop_father);
1523 loops_state_set (LOOPS_NEED_FIXUP);
1524 }
01452015
DS		 1525
1526 /* Set up the newly created 'then block'. */
1527 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1528 int fallthrough_probability
1529 = then_more_likely_p
1530 ? PROB_VERY_UNLIKELY
1531 : PROB_ALWAYS - PROB_VERY_UNLIKELY;
1532 e->probability = PROB_ALWAYS - fallthrough_probability;
c4bfe8bf
JJ		 1533 if (create_then_fallthru_edge)
1534 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
01452015
DS		 1535
1536 /* Set up the fallthrough basic block. */
1537 e = find_edge (cond_bb, fallthru_bb);
1538 e->flags = EDGE_FALSE_VALUE;
1539 e->count = cond_bb->count;
1540 e->probability = fallthrough_probability;
1541
1542 /* Update dominance info for the newly created then_bb; note that
1543 fallthru_bb's dominance info has already been updated by
1544 split_bock. */
1545 if (dom_info_available_p (CDI_DOMINATORS))
1546 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1547
1548 *then_block = then_bb;
1549 *fallthrough_block = fallthru_bb;
1550 *iter = gsi_start_bb (fallthru_bb);
1551
1552 return gsi_last_bb (cond_bb);
1553}
1554
25ae5027
DS		 1555/* Insert an if condition followed by a 'then block' right before the
1556 statement pointed to by ITER. The fallthrough block -- which is the
1557 else block of the condition as well as the destination of the
1558 outcoming edge of the 'then block' -- starts with the statement
1559 pointed to by ITER.
1560
497a1c66 1561 COND is the condition of the if.
25ae5027
DS		 1562
1563 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1564 'then block' is higher than the probability of the edge to the
1565 fallthrough block.
1566
1567 Upon completion of the function, *THEN_BB is set to the newly
1568 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1569 fallthrough block.
1570
1571 *ITER is adjusted to still point to the same statement it was
1572 pointing to initially. */
1573
1574static void
538dd0b7 1575insert_if_then_before_iter (gcond *cond,
25ae5027
DS		 1576 gimple_stmt_iterator *iter,
1577 bool then_more_likely_p,
1578 basic_block *then_bb,
1579 basic_block *fallthrough_bb)
1580{
1581 gimple_stmt_iterator cond_insert_point =
1582 create_cond_insert_point (iter,
1583 /*before_p=*/true,
1584 then_more_likely_p,
c4bfe8bf 1585 /*create_then_fallthru_edge=*/true,
25ae5027
DS		 1586 then_bb,
1587 fallthrough_bb);
1588 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
1589}
1590
40f9f6bb 1591/* Build
fd960af2 1592 (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset (). */
40f9f6bb
JJ		 1593
1594static tree
1595build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
1596 tree base_addr, tree shadow_ptr_type)
1597{
1598 tree t, uintptr_type = TREE_TYPE (base_addr);
1599 tree shadow_type = TREE_TYPE (shadow_ptr_type);
355fe088 1600 gimple *g;
40f9f6bb
JJ		 1601
1602 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
0d0e4a03
JJ		 1603 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
1604 base_addr, t);
40f9f6bb
JJ		 1605 gimple_set_location (g, location);
1606 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1607
fd960af2 1608 t = build_int_cst (uintptr_type, asan_shadow_offset ());
0d0e4a03
JJ		 1609 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
1610 gimple_assign_lhs (g), t);
40f9f6bb
JJ		 1611 gimple_set_location (g, location);
1612 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1613
0d0e4a03
JJ		 1614 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
1615 gimple_assign_lhs (g));
40f9f6bb
JJ		 1616 gimple_set_location (g, location);
1617 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1618
1619 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
1620 build_int_cst (shadow_ptr_type, 0));
0d0e4a03 1621 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
40f9f6bb
JJ		 1622 gimple_set_location (g, location);
1623 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1624 return gimple_assign_lhs (g);
1625}
1626
8946c29e
YG		 1627/* BASE can already be an SSA_NAME; in that case, do not create a
1628 new SSA_NAME for it. */
1629
1630static tree
1631maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
1632 bool before_p)
1633{
1634 if (TREE_CODE (base) == SSA_NAME)
1635 return base;
355fe088 1636 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)),
0d0e4a03 1637 TREE_CODE (base), base);
8946c29e
YG		 1638 gimple_set_location (g, loc);
1639 if (before_p)
1640 gsi_insert_before (iter, g, GSI_SAME_STMT);
1641 else
1642 gsi_insert_after (iter, g, GSI_NEW_STMT);
1643 return gimple_assign_lhs (g);
1644}
1645
a2f581e1
YG		 1646/* LEN can already have necessary size and precision;
1647 in that case, do not create a new variable. */
1648
1649tree
1650maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
1651 bool before_p)
1652{
1653 if (ptrofftype_p (len))
1654 return len;
355fe088 1655 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
0d0e4a03 1656 NOP_EXPR, len);
a2f581e1
YG		 1657 gimple_set_location (g, loc);
1658 if (before_p)
1659 gsi_insert_before (iter, g, GSI_SAME_STMT);
1660 else
1661 gsi_insert_after (iter, g, GSI_NEW_STMT);
1662 return gimple_assign_lhs (g);
1663}
1664
dc29bf1e 1665/* Instrument the memory access instruction BASE. Insert new
25ae5027 1666 statements before or after ITER.
dc29bf1e
DS		 1667
1668 Note that the memory access represented by BASE can be either an
1669 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1670 location. IS_STORE is TRUE for a store, FALSE for a load.
25ae5027 1671 BEFORE_P is TRUE for inserting the instrumentation code before
8946c29e
YG		 1672 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
1673 for a scalar memory access and FALSE for memory region access.
1674 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
1675 length. ALIGN tells alignment of accessed memory object.
1676
1677 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
1678 memory region have already been instrumented.
25ae5027
DS		 1679
1680 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1681 statement it was pointing to prior to calling this function,
1682 otherwise, it points to the statement logically following it. */
37d6f666
WM		 1683
1684static void
c62ccb9a 1685build_check_stmt (location_t loc, tree base, tree len,
8946c29e 1686 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
c62ccb9a 1687 bool is_non_zero_len, bool before_p, bool is_store,
bdea98ca 1688 bool is_scalar_access, unsigned int align = 0)
37d6f666 1689{
8946c29e 1690 gimple_stmt_iterator gsi = *iter;
355fe088 1691 gimple *g;
8946c29e 1692
c62ccb9a 1693 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
8946c29e 1694
c62ccb9a
YG		 1695 gsi = *iter;
1696
1697 base = unshare_expr (base);
1698 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
1699
8946c29e 1700 if (len)
a2f581e1
YG		 1701 {
1702 len = unshare_expr (len);
1703 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
1704 }
8946c29e
YG		 1705 else
1706 {
1707 gcc_assert (size_in_bytes != -1);
1708 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
1709 }
1710
1711 if (size_in_bytes > 1)
b3f1051b 1712 {
8946c29e
YG		 1713 if ((size_in_bytes & (size_in_bytes - 1)) != 0
1714 || size_in_bytes > 16)
c62ccb9a 1715 is_scalar_access = false;
8946c29e
YG		 1716 else if (align && align < size_in_bytes * BITS_PER_UNIT)
1717 {
1718 /* On non-strict alignment targets, if
1719 16-byte access is just 8-byte aligned,
1720 this will result in misaligned shadow
1721 memory 2 byte load, but otherwise can
1722 be handled using one read. */
1723 if (size_in_bytes != 16
1724 || STRICT_ALIGNMENT
1725 || align < 8 * BITS_PER_UNIT)
c62ccb9a 1726 is_scalar_access = false;
40f9f6bb 1727 }
f6d98484 1728 }
37d6f666 1729
c62ccb9a
YG		 1730 HOST_WIDE_INT flags = 0;
1731 if (is_store)
1732 flags |= ASAN_CHECK_STORE;
1733 if (is_non_zero_len)
1734 flags |= ASAN_CHECK_NON_ZERO_LEN;
1735 if (is_scalar_access)
1736 flags |= ASAN_CHECK_SCALAR_ACCESS;
c62ccb9a 1737
f434eb69 1738 g = gimple_build_call_internal (IFN_ASAN_CHECK, 4,
c62ccb9a 1739 build_int_cst (integer_type_node, flags),
f434eb69
MZ		 1740 base, len,
1741 build_int_cst (integer_type_node,
1742 align / BITS_PER_UNIT));
c62ccb9a
YG		 1743 gimple_set_location (g, loc);
1744 if (before_p)
1745 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
8946c29e
YG		 1746 else
1747 {
8946c29e 1748 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
c62ccb9a
YG		 1749 gsi_next (&gsi);
1750 *iter = gsi;
8946c29e 1751 }
37d6f666
WM		 1752}
1753
1754/* If T represents a memory access, add instrumentation code before ITER.
1755 LOCATION is source code location.
25ae5027 1756 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
37d6f666
WM		 1757
1758static void
1759instrument_derefs (gimple_stmt_iterator *iter, tree t,
bdcbe80c 1760 location_t location, bool is_store)
37d6f666 1761{
b5ebc991
MO		 1762 if (is_store && !ASAN_INSTRUMENT_WRITES)
1763 return;
1764 if (!is_store && !ASAN_INSTRUMENT_READS)
1765 return;
1766
37d6f666 1767 tree type, base;
f6d98484 1768 HOST_WIDE_INT size_in_bytes;
c3da4956
MO		 1769 if (location == UNKNOWN_LOCATION)
1770 location = EXPR_LOCATION (t);
37d6f666
WM		 1771
1772 type = TREE_TYPE (t);
37d6f666
WM		 1773 switch (TREE_CODE (t))
1774 {
1775 case ARRAY_REF:
1776 case COMPONENT_REF:
1777 case INDIRECT_REF:
1778 case MEM_REF:
59b36ecf 1779 case VAR_DECL:
913f32a1 1780 case BIT_FIELD_REF:
37d6f666 1781 break;
59b36ecf 1782 /* FALLTHRU */
37d6f666
WM		 1783 default:
1784 return;
1785 }
f6d98484
JJ		 1786
1787 size_in_bytes = int_size_in_bytes (type);
40f9f6bb 1788 if (size_in_bytes <= 0)
f6d98484
JJ		 1789 return;
1790
f6d98484
JJ		 1791 HOST_WIDE_INT bitsize, bitpos;
1792 tree offset;
ef4bddc2 1793 machine_mode mode;
ee45a32d
EB		 1794 int unsignedp, reversep, volatilep = 0;
1795 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
1796 &unsignedp, &reversep, &volatilep, false);
87d1d65a
YG		 1797
1798 if (TREE_CODE (t) == COMPONENT_REF
1799 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
1fe04fdc 1800 {
87d1d65a
YG		 1801 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
1802 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
1803 TREE_OPERAND (t, 0), repr,
1804 NULL_TREE), location, is_store);
1fe04fdc
JJ		 1805 return;
1806 }
87d1d65a
YG		 1807
1808 if (bitpos % BITS_PER_UNIT
1809 || bitsize != size_in_bytes * BITS_PER_UNIT)
40f9f6bb 1810 return;
f6d98484 1811
59b36ecf
JJ		 1812 if (TREE_CODE (inner) == VAR_DECL
1813 && offset == NULL_TREE
1814 && bitpos >= 0
1815 && DECL_SIZE (inner)
1816 && tree_fits_shwi_p (DECL_SIZE (inner))
1817 && bitpos + bitsize <= tree_to_shwi (DECL_SIZE (inner)))
1818 {
1819 if (DECL_THREAD_LOCAL_P (inner))
1820 return;
6b98fab5
MZ		 1821 if (!ASAN_GLOBALS && is_global_var (inner))
1822 return;
59b36ecf
JJ		 1823 if (!TREE_STATIC (inner))
1824 {
1825 /* Automatic vars in the current function will be always
1826 accessible. */
1827 if (decl_function_context (inner) == current_function_decl)
1828 return;
1829 }
1830 /* Always instrument external vars, they might be dynamically
1831 initialized. */
1832 else if (!DECL_EXTERNAL (inner))
1833 {
1834 /* For static vars if they are known not to be dynamically
1835 initialized, they will be always accessible. */
9041d2e6 1836 varpool_node *vnode = varpool_node::get (inner);
59b36ecf
JJ		 1837 if (vnode && !vnode->dynamically_initialized)
1838 return;
1839 }
1840 }
1841
f6d98484 1842 base = build_fold_addr_expr (t);
bdcbe80c
DS		 1843 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
1844 {
8946c29e
YG		 1845 unsigned int align = get_object_alignment (t);
1846 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
c62ccb9a 1847 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
8946c29e 1848 is_store, /*is_scalar_access*/true, align);
bdcbe80c
DS		 1849 update_mem_ref_hash_table (base, size_in_bytes);
1850 update_mem_ref_hash_table (t, size_in_bytes);
1851 }
1852
25ae5027
DS		 1853}
1854
bdea98ca
MO		 1855/* Insert a memory reference into the hash table if access length
1856 can be determined in compile time. */
1857
1858static void
1859maybe_update_mem_ref_hash_table (tree base, tree len)
1860{
1861 if (!POINTER_TYPE_P (TREE_TYPE (base))
1862 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
1863 return;
1864
1865 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
1866
1867 if (size_in_bytes != -1)
1868 update_mem_ref_hash_table (base, size_in_bytes);
1869}
1870
25ae5027
DS		 1871/* Instrument an access to a contiguous memory region that starts at
1872 the address pointed to by BASE, over a length of LEN (expressed in
1873 the sizeof (*BASE) bytes). ITER points to the instruction before
1874 which the instrumentation instructions must be inserted. LOCATION
1875 is the source location that the instrumentation instructions must
1876 have. If IS_STORE is true, then the memory access is a store;
1877 otherwise, it's a load. */
1878
1879static void
1880instrument_mem_region_access (tree base, tree len,
1881 gimple_stmt_iterator *iter,
1882 location_t location, bool is_store)
1883{
c63d3b96
JJ		 1884 if (!POINTER_TYPE_P (TREE_TYPE (base))
1885 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
1886 || integer_zerop (len))
25ae5027
DS		 1887 return;
1888
8946c29e 1889 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
bdcbe80c 1890
bdea98ca
MO		 1891 if ((size_in_bytes == -1)
1892 || !has_mem_ref_been_instrumented (base, size_in_bytes))
1893 {
1894 build_check_stmt (location, base, len, size_in_bytes, iter,
1895 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
1896 is_store, /*is_scalar_access*/false, /*align*/0);
1897 }
b41288b3 1898
bdea98ca 1899 maybe_update_mem_ref_hash_table (base, len);
b41288b3 1900 *iter = gsi_for_stmt (gsi_stmt (*iter));
bdcbe80c 1901}
25ae5027 1902
bdcbe80c
DS		 1903/* Instrument the call to a built-in memory access function that is
1904 pointed to by the iterator ITER.
25ae5027 1905
bdcbe80c
DS		 1906 Upon completion, return TRUE iff *ITER has been advanced to the
1907 statement following the one it was originally pointing to. */
25ae5027 1908
bdcbe80c
DS		 1909static bool
1910instrument_builtin_call (gimple_stmt_iterator *iter)
1911{
b5ebc991
MO		 1912 if (!ASAN_MEMINTRIN)
1913 return false;
1914
bdcbe80c 1915 bool iter_advanced_p = false;
538dd0b7 1916 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
25ae5027 1917
bdcbe80c 1918 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
25ae5027 1919
bdcbe80c 1920 location_t loc = gimple_location (call);
25ae5027 1921
bdea98ca
MO		 1922 asan_mem_ref src0, src1, dest;
1923 asan_mem_ref_init (&src0, NULL, 1);
1924 asan_mem_ref_init (&src1, NULL, 1);
1925 asan_mem_ref_init (&dest, NULL, 1);
bdcbe80c 1926
bdea98ca
MO		 1927 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1928 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
1929 dest_is_deref = false, intercepted_p = true;
bdcbe80c 1930
bdea98ca
MO		 1931 if (get_mem_refs_of_builtin_call (call,
1932 &src0, &src0_len, &src0_is_store,
1933 &src1, &src1_len, &src1_is_store,
1934 &dest, &dest_len, &dest_is_store,
1935 &dest_is_deref, &intercepted_p))
1936 {
1937 if (dest_is_deref)
bdcbe80c 1938 {
bdea98ca
MO		 1939 instrument_derefs (iter, dest.start, loc, dest_is_store);
1940 gsi_next (iter);
1941 iter_advanced_p = true;
1942 }
1943 else if (!intercepted_p
1944 && (src0_len || src1_len || dest_len))
1945 {
1946 if (src0.start != NULL_TREE)
1947 instrument_mem_region_access (src0.start, src0_len,
1948 iter, loc, /*is_store=*/false);
1949 if (src1.start != NULL_TREE)
1950 instrument_mem_region_access (src1.start, src1_len,
1951 iter, loc, /*is_store=*/false);
1952 if (dest.start != NULL_TREE)
1953 instrument_mem_region_access (dest.start, dest_len,
1954 iter, loc, /*is_store=*/true);
1955
1956 *iter = gsi_for_stmt (call);
1957 gsi_next (iter);
1958 iter_advanced_p = true;
1959 }
1960 else
1961 {
1962 if (src0.start != NULL_TREE)
1963 maybe_update_mem_ref_hash_table (src0.start, src0_len);
1964 if (src1.start != NULL_TREE)
1965 maybe_update_mem_ref_hash_table (src1.start, src1_len);
1966 if (dest.start != NULL_TREE)
1967 maybe_update_mem_ref_hash_table (dest.start, dest_len);
bdcbe80c 1968 }
25ae5027 1969 }
bdcbe80c 1970 return iter_advanced_p;
25ae5027
DS		 1971}
1972
1973/* Instrument the assignment statement ITER if it is subject to
bdcbe80c
DS		 1974 instrumentation. Return TRUE iff instrumentation actually
1975 happened. In that case, the iterator ITER is advanced to the next
1976 logical expression following the one initially pointed to by ITER,
1977 and the relevant memory reference that which access has been
1978 instrumented is added to the memory references hash table. */
25ae5027 1979
bdcbe80c
DS		 1980static bool
1981maybe_instrument_assignment (gimple_stmt_iterator *iter)
25ae5027 1982{
355fe088 1983 gimple *s = gsi_stmt (*iter);
25ae5027
DS		 1984
1985 gcc_assert (gimple_assign_single_p (s));
1986
bdcbe80c
DS		 1987 tree ref_expr = NULL_TREE;
1988 bool is_store, is_instrumented = false;
1989
52f2e7e1 1990 if (gimple_store_p (s))
bdcbe80c
DS		 1991 {
1992 ref_expr = gimple_assign_lhs (s);
1993 is_store = true;
1994 instrument_derefs (iter, ref_expr,
1995 gimple_location (s),
1996 is_store);
1997 is_instrumented = true;
1998 }
c1f5ce48 1999
52f2e7e1 2000 if (gimple_assign_load_p (s))
bdcbe80c
DS		 2001 {
2002 ref_expr = gimple_assign_rhs1 (s);
2003 is_store = false;
2004 instrument_derefs (iter, ref_expr,
2005 gimple_location (s),
2006 is_store);
2007 is_instrumented = true;
2008 }
2009
2010 if (is_instrumented)
2011 gsi_next (iter);
2012
2013 return is_instrumented;
25ae5027
DS		 2014}
2015
2016/* Instrument the function call pointed to by the iterator ITER, if it
2017 is subject to instrumentation. At the moment, the only function
2018 calls that are instrumented are some built-in functions that access
2019 memory. Look at instrument_builtin_call to learn more.
2020
2021 Upon completion return TRUE iff *ITER was advanced to the statement
2022 following the one it was originally pointing to. */
2023
2024static bool
2025maybe_instrument_call (gimple_stmt_iterator *iter)
2026{
355fe088 2027 gimple *stmt = gsi_stmt (*iter);
bdcbe80c
DS		 2028 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2029
2030 if (is_builtin && instrument_builtin_call (iter))
2b2571c9 2031 return true;
bdcbe80c 2032
2b2571c9
JJ		 2033 if (gimple_call_noreturn_p (stmt))
2034 {
2035 if (is_builtin)
2036 {
2037 tree callee = gimple_call_fndecl (stmt);
2038 switch (DECL_FUNCTION_CODE (callee))
2039 {
2040 case BUILT_IN_UNREACHABLE:
2041 case BUILT_IN_TRAP:
2042 /* Don't instrument these. */
2043 return false;
083e891e
MP		 2044 default:
2045 break;
2b2571c9
JJ		 2046 }
2047 }
2048 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
355fe088 2049 gimple *g = gimple_build_call (decl, 0);
2b2571c9
JJ		 2050 gimple_set_location (g, gimple_location (stmt));
2051 gsi_insert_before (iter, g, GSI_SAME_STMT);
2052 }
7db337c2 2053
c3da4956 2054 bool instrumented = false;
7db337c2
ML		 2055 if (gimple_store_p (stmt))
2056 {
2057 tree ref_expr = gimple_call_lhs (stmt);
2058 instrument_derefs (iter, ref_expr,
2059 gimple_location (stmt),
2060 /*is_store=*/true);
2061
c3da4956 2062 instrumented = true;
7db337c2
ML		 2063 }
2064
c3da4956
MO		 2065 /* Walk through gimple_call arguments and check them id needed. */
2066 unsigned args_num = gimple_call_num_args (stmt);
2067 for (unsigned i = 0; i < args_num; ++i)
2068 {
2069 tree arg = gimple_call_arg (stmt, i);
2070 /* If ARG is not a non-aggregate register variable, compiler in general
2071 creates temporary for it and pass it as argument to gimple call.
2072 But in some cases, e.g. when we pass by value a small structure that
2073 fits to register, compiler can avoid extra overhead by pulling out
2074 these temporaries. In this case, we should check the argument. */
2075 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
2076 {
2077 instrument_derefs (iter, arg,
2078 gimple_location (stmt),
2079 /*is_store=*/false);
2080 instrumented = true;
2081 }
2082 }
2083 if (instrumented)
2084 gsi_next (iter);
2085 return instrumented;
37d6f666
WM		 2086}
2087
bdcbe80c
DS		 2088/* Walk each instruction of all basic block and instrument those that
2089 represent memory references: loads, stores, or function calls.
2090 In a given basic block, this function avoids instrumenting memory
2091 references that have already been instrumented. */
37d6f666
WM		 2092
2093static void
2094transform_statements (void)
2095{
c4bfe8bf 2096 basic_block bb, last_bb = NULL;
37d6f666 2097 gimple_stmt_iterator i;
8b1c6fd7 2098 int saved_last_basic_block = last_basic_block_for_fn (cfun);
37d6f666 2099
11cd3bed 2100 FOR_EACH_BB_FN (bb, cfun)
37d6f666 2101 {
c4bfe8bf 2102 basic_block prev_bb = bb;
bdcbe80c 2103
37d6f666 2104 if (bb->index >= saved_last_basic_block) continue;
c4bfe8bf
JJ		 2105
2106 /* Flush the mem ref hash table, if current bb doesn't have
2107 exactly one predecessor, or if that predecessor (skipping
2108 over asan created basic blocks) isn't the last processed
2109 basic block. Thus we effectively flush on extended basic
2110 block boundaries. */
2111 while (single_pred_p (prev_bb))
2112 {
2113 prev_bb = single_pred (prev_bb);
2114 if (prev_bb->index < saved_last_basic_block)
2115 break;
2116 }
2117 if (prev_bb != last_bb)
2118 empty_mem_ref_hash_table ();
2119 last_bb = bb;
2120
25ae5027 2121 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
497a1c66 2122 {
355fe088 2123 gimple *s = gsi_stmt (i);
25ae5027 2124
bdcbe80c
DS		 2125 if (has_stmt_been_instrumented_p (s))
2126 gsi_next (&i);
2127 else if (gimple_assign_single_p (s)
e1e160c1 2128 && !gimple_clobber_p (s)
bdcbe80c
DS		 2129 && maybe_instrument_assignment (&i))
2130 /* Nothing to do as maybe_instrument_assignment advanced
2131 the iterator I. */;
2132 else if (is_gimple_call (s) && maybe_instrument_call (&i))
2133 /* Nothing to do as maybe_instrument_call
2134 advanced the iterator I. */;
2135 else
25ae5027 2136 {
bdcbe80c
DS		 2137 /* No instrumentation happened.
2138
c4bfe8bf
JJ		 2139 If the current instruction is a function call that
2140 might free something, let's forget about the memory
2141 references that got instrumented. Otherwise we might
2142 miss some instrumentation opportunities. */
2143 if (is_gimple_call (s) && !nonfreeing_call_p (s))
bdcbe80c
DS		 2144 empty_mem_ref_hash_table ();
2145
2146 gsi_next (&i);
25ae5027 2147 }
497a1c66 2148 }
37d6f666 2149 }
bdcbe80c 2150 free_mem_ref_resources ();
37d6f666
WM		 2151}
2152
59b36ecf
JJ		 2153/* Build
2154 __asan_before_dynamic_init (module_name)
2155 or
2156 __asan_after_dynamic_init ()
2157 call. */
2158
2159tree
2160asan_dynamic_init_call (bool after_p)
2161{
2162 tree fn = builtin_decl_implicit (after_p
2163 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
2164 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
2165 tree module_name_cst = NULL_TREE;
2166 if (!after_p)
2167 {
2168 pretty_printer module_name_pp;
2169 pp_string (&module_name_pp, main_input_filename);
2170
2171 if (shadow_ptr_types[0] == NULL_TREE)
2172 asan_init_shadow_ptr_types ();
2173 module_name_cst = asan_pp_string (&module_name_pp);
2174 module_name_cst = fold_convert (const_ptr_type_node,
2175 module_name_cst);
2176 }
2177
2178 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
2179}
2180
8240018b
JJ		 2181/* Build
2182 struct __asan_global
2183 {
2184 const void *__beg;
2185 uptr __size;
2186 uptr __size_with_redzone;
2187 const void *__name;
ef1b3fda 2188 const void *__module_name;
8240018b 2189 uptr __has_dynamic_init;
866e32ad 2190 __asan_global_source_location *__location;
8240018b
JJ		 2191 } type. */
2192
2193static tree
2194asan_global_struct (void)
2195{
866e32ad 2196 static const char *field_names[7]
8240018b 2197 = { "__beg", "__size", "__size_with_redzone",
866e32ad
KS		 2198 "__name", "__module_name", "__has_dynamic_init", "__location"};
2199 tree fields[7], ret;
8240018b
JJ		 2200 int i;
2201
2202 ret = make_node (RECORD_TYPE);
866e32ad 2203 for (i = 0; i < 7; i++)
8240018b
JJ		 2204 {
2205 fields[i]
2206 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
2207 get_identifier (field_names[i]),
2208 (i == 0 || i == 3) ? const_ptr_type_node
de5a5fa1 2209 : pointer_sized_int_node);
8240018b
JJ		 2210 DECL_CONTEXT (fields[i]) = ret;
2211 if (i)
2212 DECL_CHAIN (fields[i - 1]) = fields[i];
2213 }
bebcdc67
MP		 2214 tree type_decl = build_decl (input_location, TYPE_DECL,
2215 get_identifier ("__asan_global"), ret);
2216 DECL_IGNORED_P (type_decl) = 1;
2217 DECL_ARTIFICIAL (type_decl) = 1;
8240018b 2218 TYPE_FIELDS (ret) = fields[0];
bebcdc67
MP		 2219 TYPE_NAME (ret) = type_decl;
2220 TYPE_STUB_DECL (ret) = type_decl;
8240018b
JJ		 2221 layout_type (ret);
2222 return ret;
2223}
2224
2225/* Append description of a single global DECL into vector V.
2226 TYPE is __asan_global struct type as returned by asan_global_struct. */
2227
2228static void
9771b263 2229asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
8240018b
JJ		 2230{
2231 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2232 unsigned HOST_WIDE_INT size;
ef1b3fda 2233 tree str_cst, module_name_cst, refdecl = decl;
9771b263 2234 vec<constructor_elt, va_gc> *vinner = NULL;
8240018b 2235
ef1b3fda 2236 pretty_printer asan_pp, module_name_pp;
8240018b 2237
8240018b 2238 if (DECL_NAME (decl))
b066401f 2239 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
8240018b
JJ		 2240 else
2241 pp_string (&asan_pp, "<unknown>");
11a877b3 2242 str_cst = asan_pp_string (&asan_pp);
8240018b 2243
ef1b3fda
KS		 2244 pp_string (&module_name_pp, main_input_filename);
2245 module_name_cst = asan_pp_string (&module_name_pp);
2246
8240018b
JJ		 2247 if (asan_needs_local_alias (decl))
2248 {
2249 char buf[20];
9771b263 2250 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
8240018b
JJ		 2251 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
2252 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
2253 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
2254 TREE_READONLY (refdecl) = TREE_READONLY (decl);
2255 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
2256 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
2257 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
2258 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
2259 TREE_STATIC (refdecl) = 1;
2260 TREE_PUBLIC (refdecl) = 0;
2261 TREE_USED (refdecl) = 1;
2262 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
2263 }
2264
2265 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2266 fold_convert (const_ptr_type_node,
2267 build_fold_addr_expr (refdecl)));
ae7e9ddd 2268 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
8240018b
JJ		 2269 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2270 size += asan_red_zone_size (size);
2271 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2272 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2273 fold_convert (const_ptr_type_node, str_cst));
ef1b3fda
KS		 2274 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2275 fold_convert (const_ptr_type_node, module_name_cst));
9041d2e6 2276 varpool_node *vnode = varpool_node::get (decl);
59b36ecf
JJ		 2277 int has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
2278 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2279 build_int_cst (uptr, has_dynamic_init));
21a82048
JJ		 2280 tree locptr = NULL_TREE;
2281 location_t loc = DECL_SOURCE_LOCATION (decl);
2282 expanded_location xloc = expand_location (loc);
2283 if (xloc.file != NULL)
2284 {
2285 static int lasanloccnt = 0;
2286 char buf[25];
2287 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
2288 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2289 ubsan_get_source_location_type ());
2290 TREE_STATIC (var) = 1;
2291 TREE_PUBLIC (var) = 0;
2292 DECL_ARTIFICIAL (var) = 1;
2293 DECL_IGNORED_P (var) = 1;
2294 pretty_printer filename_pp;
2295 pp_string (&filename_pp, xloc.file);
2296 tree str = asan_pp_string (&filename_pp);
2297 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
2298 NULL_TREE, str, NULL_TREE,
2299 build_int_cst (unsigned_type_node,
2300 xloc.line), NULL_TREE,
2301 build_int_cst (unsigned_type_node,
2302 xloc.column));
2303 TREE_CONSTANT (ctor) = 1;
2304 TREE_STATIC (ctor) = 1;
2305 DECL_INITIAL (var) = ctor;
2306 varpool_node::finalize_decl (var);
2307 locptr = fold_convert (uptr, build_fold_addr_expr (var));
2308 }
2309 else
2310 locptr = build_int_cst (uptr, 0);
2311 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
8240018b
JJ		 2312 init = build_constructor (type, vinner);
2313 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
2314}
2315
0e668eaf
JJ		 2316/* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2317void
2318initialize_sanitizer_builtins (void)
2319{
2320 tree decl;
2321
2322 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
2323 return;
2324
2325 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
2326 tree BT_FN_VOID_PTR
2327 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
59b36ecf
JJ		 2328 tree BT_FN_VOID_CONST_PTR
2329 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
b906f4ca
MP		 2330 tree BT_FN_VOID_PTR_PTR
2331 = build_function_type_list (void_type_node, ptr_type_node,
2332 ptr_type_node, NULL_TREE);
de5a5fa1
MP		 2333 tree BT_FN_VOID_PTR_PTR_PTR
2334 = build_function_type_list (void_type_node, ptr_type_node,
2335 ptr_type_node, ptr_type_node, NULL_TREE);
0e668eaf
JJ		 2336 tree BT_FN_VOID_PTR_PTRMODE
2337 = build_function_type_list (void_type_node, ptr_type_node,
de5a5fa1 2338 pointer_sized_int_node, NULL_TREE);
c954bddd
JJ		 2339 tree BT_FN_VOID_INT
2340 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
0bae64d5
MP		 2341 tree BT_FN_SIZE_CONST_PTR_INT
2342 = build_function_type_list (size_type_node, const_ptr_type_node,
2343 integer_type_node, NULL_TREE);
c954bddd
JJ		 2344 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
2345 tree BT_FN_IX_CONST_VPTR_INT[5];
2346 tree BT_FN_IX_VPTR_IX_INT[5];
2347 tree BT_FN_VOID_VPTR_IX_INT[5];
2348 tree vptr
2349 = build_pointer_type (build_qualified_type (void_type_node,
2350 TYPE_QUAL_VOLATILE));
2351 tree cvptr
2352 = build_pointer_type (build_qualified_type (void_type_node,
2353 TYPE_QUAL_VOLATILE
2354 |TYPE_QUAL_CONST));
2355 tree boolt
2356 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
2357 int i;
2358 for (i = 0; i < 5; i++)
2359 {
2360 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
2361 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
2362 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
2363 integer_type_node, integer_type_node,
2364 NULL_TREE);
2365 BT_FN_IX_CONST_VPTR_INT[i]
2366 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
2367 BT_FN_IX_VPTR_IX_INT[i]
2368 = build_function_type_list (ix, vptr, ix, integer_type_node,
2369 NULL_TREE);
2370 BT_FN_VOID_VPTR_IX_INT[i]
2371 = build_function_type_list (void_type_node, vptr, ix,
2372 integer_type_node, NULL_TREE);
2373 }
2374#define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2375#define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2376#define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2377#define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2378#define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2379#define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2380#define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2381#define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2382#define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2383#define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2384#define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2385#define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2386#define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2387#define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2388#define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2389#define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2390#define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2391#define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2392#define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2393#define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
0e668eaf
JJ		 2394#undef ATTR_NOTHROW_LEAF_LIST
2395#define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
bc77608b
JJ		 2396#undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2397#define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
0e668eaf
JJ		 2398#undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2399#define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
4088b790
MP		 2400#undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2401#define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
2402 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
bc77608b
JJ		 2403#undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2404#define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2405 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
de5a5fa1
MP		 2406#undef ATTR_COLD_NOTHROW_LEAF_LIST
2407#define ATTR_COLD_NOTHROW_LEAF_LIST \
2408 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2409#undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2410#define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2411 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
4088b790
MP		 2412#undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
2413#define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
2414 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
0bae64d5
MP		 2415#undef ATTR_PURE_NOTHROW_LEAF_LIST
2416#define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
8f91e6e0
JJ		 2417#undef DEF_BUILTIN_STUB
2418#define DEF_BUILTIN_STUB(ENUM, NAME)
0e668eaf
JJ		 2419#undef DEF_SANITIZER_BUILTIN
2420#define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2421 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2422 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2423 set_call_expr_flags (decl, ATTRS); \
2424 set_builtin_decl (ENUM, decl, true);
2425
2426#include "sanitizer.def"
2427
0bae64d5
MP		 2428 /* -fsanitize=object-size uses __builtin_object_size, but that might
2429 not be available for e.g. Fortran at this point. We use
2430 DEF_SANITIZER_BUILTIN here only as a convenience macro. */
2431 if ((flag_sanitize & SANITIZE_OBJECT_SIZE)
2432 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
2433 DEF_SANITIZER_BUILTIN (BUILT_IN_OBJECT_SIZE, "object_size",
2434 BT_FN_SIZE_CONST_PTR_INT,
2435 ATTR_PURE_NOTHROW_LEAF_LIST)
2436
0e668eaf 2437#undef DEF_SANITIZER_BUILTIN
8f91e6e0 2438#undef DEF_BUILTIN_STUB
0e668eaf
JJ		 2439}
2440
94fce891
JJ		 2441/* Called via htab_traverse. Count number of emitted
2442 STRING_CSTs in the constant hash table. */
2443
2a22f99c
TS		 2444int
2445count_string_csts (constant_descriptor_tree **slot,
2446 unsigned HOST_WIDE_INT *data)
94fce891 2447{
2a22f99c 2448 struct constant_descriptor_tree *desc = *slot;
94fce891
JJ		 2449 if (TREE_CODE (desc->value) == STRING_CST
2450 && TREE_ASM_WRITTEN (desc->value)
2451 && asan_protect_global (desc->value))
2a22f99c 2452 ++*data;
94fce891
JJ		 2453 return 1;
2454}
2455
2456/* Helper structure to pass two parameters to
2457 add_string_csts. */
2458
2459struct asan_add_string_csts_data
2460{
2461 tree type;
2462 vec<constructor_elt, va_gc> *v;
2463};
2464
2a22f99c 2465/* Called via hash_table::traverse. Call asan_add_global
94fce891
JJ		 2466 on emitted STRING_CSTs from the constant hash table. */
2467
2a22f99c
TS		 2468int
2469add_string_csts (constant_descriptor_tree **slot,
2470 asan_add_string_csts_data *aascd)
94fce891 2471{
2a22f99c 2472 struct constant_descriptor_tree *desc = *slot;
94fce891
JJ		 2473 if (TREE_CODE (desc->value) == STRING_CST
2474 && TREE_ASM_WRITTEN (desc->value)
2475 && asan_protect_global (desc->value))
2476 {
94fce891
JJ		 2477 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
2478 aascd->type, aascd->v);
2479 }
2480 return 1;
2481}
2482
8240018b
JJ		 2483/* Needs to be GTY(()), because cgraph_build_static_cdtor may
2484 invoke ggc_collect. */
2485static GTY(()) tree asan_ctor_statements;
2486
37d6f666 2487/* Module-level instrumentation.
ef1b3fda 2488 - Insert __asan_init_vN() into the list of CTORs.
37d6f666
WM		 2489 - TODO: insert redzones around globals.
2490 */
2491
2492void
2493asan_finish_file (void)
2494{
2c8326a5 2495 varpool_node *vnode;
8240018b
JJ		 2496 unsigned HOST_WIDE_INT gcount = 0;
2497
94fce891
JJ		 2498 if (shadow_ptr_types[0] == NULL_TREE)
2499 asan_init_shadow_ptr_types ();
2500 /* Avoid instrumenting code in the asan ctors/dtors.
2501 We don't need to insert padding after the description strings,
2502 nor after .LASAN* array. */
de5a5fa1 2503 flag_sanitize &= ~SANITIZE_ADDRESS;
0e668eaf 2504
f1d15bb9
DV		 2505 /* For user-space we want asan constructors to run first.
2506 Linux kernel does not support priorities other than default, and the only
2507 other user of constructors is coverage. So we run with the default
2508 priority. */
2509 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
2510 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
2511
c6d129b0
YG		 2512 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2513 {
2514 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
2515 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
89e302b8
MO		 2516 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
2517 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
c6d129b0 2518 }
8240018b 2519 FOR_EACH_DEFINED_VARIABLE (vnode)
67348ccc
DM		 2520 if (TREE_ASM_WRITTEN (vnode->decl)
2521 && asan_protect_global (vnode->decl))
8240018b 2522 ++gcount;
2a22f99c
TS		 2523 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
2524 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
2525 (&gcount);
8240018b
JJ		 2526 if (gcount)
2527 {
0e668eaf 2528 tree type = asan_global_struct (), var, ctor;
8240018b 2529 tree dtor_statements = NULL_TREE;
9771b263 2530 vec<constructor_elt, va_gc> *v;
8240018b
JJ		 2531 char buf[20];
2532
2533 type = build_array_type_nelts (type, gcount);
2534 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
2535 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2536 type);
2537 TREE_STATIC (var) = 1;
2538 TREE_PUBLIC (var) = 0;
2539 DECL_ARTIFICIAL (var) = 1;
2540 DECL_IGNORED_P (var) = 1;
9771b263 2541 vec_alloc (v, gcount);
8240018b 2542 FOR_EACH_DEFINED_VARIABLE (vnode)
67348ccc
DM		 2543 if (TREE_ASM_WRITTEN (vnode->decl)
2544 && asan_protect_global (vnode->decl))
2545 asan_add_global (vnode->decl, TREE_TYPE (type), v);
94fce891
JJ		 2546 struct asan_add_string_csts_data aascd;
2547 aascd.type = TREE_TYPE (type);
2548 aascd.v = v;
2a22f99c
TS		 2549 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
2550 (&aascd);
8240018b
JJ		 2551 ctor = build_constructor (type, v);
2552 TREE_CONSTANT (ctor) = 1;
2553 TREE_STATIC (ctor) = 1;
2554 DECL_INITIAL (var) = ctor;
9041d2e6 2555 varpool_node::finalize_decl (var);
8240018b 2556
c6d129b0 2557 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
de5a5fa1 2558 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
0e668eaf 2559 append_to_statement_list (build_call_expr (fn, 2,
8240018b 2560 build_fold_addr_expr (var),
de5a5fa1 2561 gcount_tree),
8240018b
JJ		 2562 &asan_ctor_statements);
2563
0e668eaf
JJ		 2564 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
2565 append_to_statement_list (build_call_expr (fn, 2,
8240018b 2566 build_fold_addr_expr (var),
de5a5fa1 2567 gcount_tree),
8240018b 2568 &dtor_statements);
f1d15bb9 2569 cgraph_build_static_cdtor ('D', dtor_statements, priority);
8240018b 2570 }
c6d129b0 2571 if (asan_ctor_statements)
f1d15bb9 2572 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
de5a5fa1 2573 flag_sanitize |= SANITIZE_ADDRESS;
f6d98484
JJ		 2574}
2575
c62ccb9a
YG		 2576/* Expand the ASAN_{LOAD,STORE} builtins. */
2577
06cefae9 2578bool
c62ccb9a
YG		 2579asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
2580{
355fe088 2581 gimple *g = gsi_stmt (*iter);
c62ccb9a 2582 location_t loc = gimple_location (g);
b59e2a49
MO		 2583 bool recover_p;
2584 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2585 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
2586 else
2587 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
fed4de37 2588
c62ccb9a
YG		 2589 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
2590 gcc_assert (flags < ASAN_CHECK_LAST);
2591 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
2592 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
2593 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
c62ccb9a
YG		 2594
2595 tree base = gimple_call_arg (g, 1);
2596 tree len = gimple_call_arg (g, 2);
f434eb69 2597 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
c62ccb9a
YG		 2598
2599 HOST_WIDE_INT size_in_bytes
2600 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2601
2602 if (use_calls)
2603 {
2604 /* Instrument using callbacks. */
355fe088 2605 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
0d0e4a03 2606 NOP_EXPR, base);
c62ccb9a
YG		 2607 gimple_set_location (g, loc);
2608 gsi_insert_before (iter, g, GSI_SAME_STMT);
2609 tree base_addr = gimple_assign_lhs (g);
2610
2611 int nargs;
fed4de37 2612 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
c62ccb9a
YG		 2613 if (nargs == 1)
2614 g = gimple_build_call (fun, 1, base_addr);
2615 else
2616 {
2617 gcc_assert (nargs == 2);
0d0e4a03
JJ		 2618 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2619 NOP_EXPR, len);
c62ccb9a
YG		 2620 gimple_set_location (g, loc);
2621 gsi_insert_before (iter, g, GSI_SAME_STMT);
2622 tree sz_arg = gimple_assign_lhs (g);
2623 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
2624 }
2625 gimple_set_location (g, loc);
2626 gsi_replace (iter, g, false);
2627 return false;
2628 }
2629
2630 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
2631
c62ccb9a
YG		 2632 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
2633 tree shadow_type = TREE_TYPE (shadow_ptr_type);
2634
2635 gimple_stmt_iterator gsi = *iter;
2636
2637 if (!is_non_zero_len)
2638 {
2639 /* So, the length of the memory area to asan-protect is
2640 non-constant. Let's guard the generated instrumentation code
2641 like:
2642
2643 if (len != 0)
2644 {
2645 //asan instrumentation code goes here.
2646 }
2647 // falltrough instructions, starting with *ITER. */
2648
2649 g = gimple_build_cond (NE_EXPR,
2650 len,
2651 build_int_cst (TREE_TYPE (len), 0),
2652 NULL_TREE, NULL_TREE);
2653 gimple_set_location (g, loc);
2654
2655 basic_block then_bb, fallthrough_bb;
538dd0b7
DM		 2656 insert_if_then_before_iter (as_a <gcond *> (g), iter,
2657 /*then_more_likely_p=*/true,
2658 &then_bb, &fallthrough_bb);
c62ccb9a
YG		 2659 /* Note that fallthrough_bb starts with the statement that was
2660 pointed to by ITER. */
2661
2662 /* The 'then block' of the 'if (len != 0) condition is where
2663 we'll generate the asan instrumentation code now. */
2664 gsi = gsi_last_bb (then_bb);
2665 }
2666
2667 /* Get an iterator on the point where we can add the condition
2668 statement for the instrumentation. */
2669 basic_block then_bb, else_bb;
2670 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
2671 /*then_more_likely_p=*/false,
fed4de37 2672 /*create_then_fallthru_edge*/recover_p,
c62ccb9a
YG		 2673 &then_bb,
2674 &else_bb);
2675
0d0e4a03
JJ		 2676 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2677 NOP_EXPR, base);
c62ccb9a
YG		 2678 gimple_set_location (g, loc);
2679 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
2680 tree base_addr = gimple_assign_lhs (g);
2681
2682 tree t = NULL_TREE;
2683 if (real_size_in_bytes >= 8)
2684 {
2685 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
2686 shadow_ptr_type);
2687 t = shadow;
2688 }
2689 else
2690 {
2691 /* Slow path for 1, 2 and 4 byte accesses. */
bdea98ca
MO		 2692 /* Test (shadow != 0)
2693 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
2694 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
2695 shadow_ptr_type);
355fe088 2696 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
bdea98ca
MO		 2697 gimple_seq seq = NULL;
2698 gimple_seq_add_stmt (&seq, shadow_test);
2699 /* Aligned (>= 8 bytes) can test just
2700 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
2701 to be 0. */
2702 if (align < 8)
c62ccb9a 2703 {
bdea98ca
MO		 2704 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
2705 base_addr, 7));
2706 gimple_seq_add_stmt (&seq,
2707 build_type_cast (shadow_type,
2708 gimple_seq_last (seq)));
2709 if (real_size_in_bytes > 1)
2710 gimple_seq_add_stmt (&seq,
2711 build_assign (PLUS_EXPR,
2712 gimple_seq_last (seq),
2713 real_size_in_bytes - 1));
2714 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
c62ccb9a 2715 }
bdea98ca
MO		 2716 else
2717 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
2718 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
2719 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
2720 gimple_seq_last (seq)));
2721 t = gimple_assign_lhs (gimple_seq_last (seq));
2722 gimple_seq_set_location (seq, loc);
2723 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
c62ccb9a
YG		 2724
2725 /* For non-constant, misaligned or otherwise weird access sizes,
bdea98ca
MO		 2726 check first and last byte. */
2727 if (size_in_bytes == -1)
c62ccb9a 2728 {
0d0e4a03
JJ		 2729 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2730 MINUS_EXPR, len,
2731 build_int_cst (pointer_sized_int_node, 1));
c62ccb9a
YG		 2732 gimple_set_location (g, loc);
2733 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2734 tree last = gimple_assign_lhs (g);
0d0e4a03
JJ		 2735 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2736 PLUS_EXPR, base_addr, last);
c62ccb9a
YG		 2737 gimple_set_location (g, loc);
2738 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2739 tree base_end_addr = gimple_assign_lhs (g);
2740
2741 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
2742 shadow_ptr_type);
355fe088 2743 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
c62ccb9a
YG		 2744 gimple_seq seq = NULL;
2745 gimple_seq_add_stmt (&seq, shadow_test);
2746 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
2747 base_end_addr, 7));
2748 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
2749 gimple_seq_last (seq)));
2750 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
2751 gimple_seq_last (seq),
2752 shadow));
2753 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
2754 gimple_seq_last (seq)));
bdea98ca
MO		 2755 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
2756 gimple_seq_last (seq)));
c62ccb9a
YG		 2757 t = gimple_assign_lhs (gimple_seq_last (seq));
2758 gimple_seq_set_location (seq, loc);
2759 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
2760 }
2761 }
2762
2763 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
2764 NULL_TREE, NULL_TREE);
2765 gimple_set_location (g, loc);
2766 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2767
2768 /* Generate call to the run-time library (e.g. __asan_report_load8). */
2769 gsi = gsi_start_bb (then_bb);
2770 int nargs;
fed4de37 2771 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
c62ccb9a
YG		 2772 g = gimple_build_call (fun, nargs, base_addr, len);
2773 gimple_set_location (g, loc);
2774 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2775
2776 gsi_remove (iter, true);
2777 *iter = gsi_start_bb (else_bb);
2778
2779 return true;
2780}
2781
37d6f666
WM		 2782/* Instrument the current function. */
2783
2784static unsigned int
2785asan_instrument (void)
2786{
f6d98484 2787 if (shadow_ptr_types[0] == NULL_TREE)
94fce891 2788 asan_init_shadow_ptr_types ();
37d6f666 2789 transform_statements ();
37d6f666
WM		 2790 return 0;
2791}
2792
2793static bool
2794gate_asan (void)
2795{
de5a5fa1 2796 return (flag_sanitize & SANITIZE_ADDRESS) != 0
e664c61c 2797 && !lookup_attribute ("no_sanitize_address",
77bc5132 2798 DECL_ATTRIBUTES (current_function_decl));
37d6f666
WM		 2799}
2800
27a4cd48
DM		 2801namespace {
2802
2803const pass_data pass_data_asan =
37d6f666 2804{
27a4cd48
DM		 2805 GIMPLE_PASS, /* type */
2806 "asan", /* name */
2807 OPTGROUP_NONE, /* optinfo_flags */
27a4cd48
DM		 2808 TV_NONE, /* tv_id */
2809 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
2810 0, /* properties_provided */
2811 0, /* properties_destroyed */
2812 0, /* todo_flags_start */
3bea341f 2813 TODO_update_ssa, /* todo_flags_finish */
37d6f666 2814};
f6d98484 2815
27a4cd48
DM		 2816class pass_asan : public gimple_opt_pass
2817{
2818public:
c3284718
RS		 2819 pass_asan (gcc::context *ctxt)
2820 : gimple_opt_pass (pass_data_asan, ctxt)
27a4cd48
DM		 2821 {}
2822
2823 /* opt_pass methods: */
65d3284b 2824 opt_pass * clone () { return new pass_asan (m_ctxt); }
1a3d085c 2825 virtual bool gate (function *) { return gate_asan (); }
be55bfe6 2826 virtual unsigned int execute (function *) { return asan_instrument (); }
27a4cd48
DM		 2827
2828}; // class pass_asan
2829
2830} // anon namespace
2831
2832gimple_opt_pass *
2833make_pass_asan (gcc::context *ctxt)
2834{
2835 return new pass_asan (ctxt);
2836}
2837
27a4cd48
DM		 2838namespace {
2839
2840const pass_data pass_data_asan_O0 =
dfb9e332 2841{
27a4cd48
DM		 2842 GIMPLE_PASS, /* type */
2843 "asan0", /* name */
2844 OPTGROUP_NONE, /* optinfo_flags */
27a4cd48
DM		 2845 TV_NONE, /* tv_id */
2846 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
2847 0, /* properties_provided */
2848 0, /* properties_destroyed */
2849 0, /* todo_flags_start */
3bea341f 2850 TODO_update_ssa, /* todo_flags_finish */
dfb9e332
JJ		 2851};
2852
27a4cd48
DM		 2853class pass_asan_O0 : public gimple_opt_pass
2854{
2855public:
c3284718
RS		 2856 pass_asan_O0 (gcc::context *ctxt)
2857 : gimple_opt_pass (pass_data_asan_O0, ctxt)
27a4cd48
DM		 2858 {}
2859
2860 /* opt_pass methods: */
1a3d085c 2861 virtual bool gate (function *) { return !optimize && gate_asan (); }
be55bfe6 2862 virtual unsigned int execute (function *) { return asan_instrument (); }
27a4cd48
DM		 2863
2864}; // class pass_asan_O0
2865
2866} // anon namespace
2867
2868gimple_opt_pass *
2869make_pass_asan_O0 (gcc::context *ctxt)
2870{
2871 return new pass_asan_O0 (ctxt);
2872}
2873
f6d98484 2874#include "gt-asan.h"
Mirror of https://gcc.gnu.org/git/gcc.git