]> git.ipfire.org Git - thirdparty/gcc.git/blame - gcc/asan.cc
projects / thirdparty / gcc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update copyright years.
[thirdparty/gcc.git] / gcc / asan.cc
CommitLineData
37d6f666 1/* AddressSanitizer, a fast memory error detector.
a945c346 2 Copyright (C) 2012-2024 Free Software Foundation, Inc.
37d6f666
WM		 3 Contributed by Kostya Serebryany <kcc@google.com>
4
5This file is part of GCC.
6
7GCC is free software; you can redistribute it and/or modify it under
8the terms of the GNU General Public License as published by the Free
9Software Foundation; either version 3, or (at your option) any later
10version.
11
12GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13WARRANTY; without even the implied warranty of MERCHANTABILITY or
14FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15for more details.
16
17You should have received a copy of the GNU General Public License
18along with GCC; see the file COPYING3. If not see
19<http://www.gnu.org/licenses/>. */
20
21
22#include "config.h"
23#include "system.h"
24#include "coretypes.h"
c7131fb2 25#include "backend.h"
957060b5
AM		 26#include "target.h"
27#include "rtl.h"
4d648807 28#include "tree.h"
c7131fb2 29#include "gimple.h"
957060b5
AM		 30#include "cfghooks.h"
31#include "alloc-pool.h"
32#include "tree-pass.h"
4d0cdd0c 33#include "memmodel.h"
957060b5 34#include "tm_p.h"
c7775327 35#include "ssa.h"
957060b5
AM		 36#include "stringpool.h"
37#include "tree-ssanames.h"
957060b5
AM		 38#include "optabs.h"
39#include "emit-rtl.h"
40#include "cgraph.h"
41#include "gimple-pretty-print.h"
42#include "alias.h"
40e23961 43#include "fold-const.h"
60393bbc 44#include "cfganal.h"
45b0be94 45#include "gimplify.h"
5be5c238 46#include "gimple-iterator.h"
d8a2d370
DN		 47#include "varasm.h"
48#include "stor-layout.h"
37d6f666 49#include "tree-iterator.h"
314e6352
ML		 50#include "stringpool.h"
51#include "attribs.h"
37d6f666 52#include "asan.h"
36566b39
PK		 53#include "dojump.h"
54#include "explow.h"
f3ddd692 55#include "expr.h"
8240018b 56#include "output.h"
0e668eaf 57#include "langhooks.h"
a9e0d843 58#include "cfgloop.h"
ff2a63a7 59#include "gimple-builder.h"
e3174bdf 60#include "gimple-fold.h"
b9a55b13 61#include "ubsan.h"
9b2b7279 62#include "builtins.h"
860503d8 63#include "fnmatch.h"
c7775327 64#include "tree-inline.h"
4e3d3e40 65#include "tree-ssa.h"
f0c7367b 66#include "tree-eh.h"
b6330a76 67#include "diagnostic-core.h"
37d6f666 68
497a1c66
JJ		 69/* AddressSanitizer finds out-of-bounds and use-after-free bugs
70 with <2x slowdown on average.
71
72 The tool consists of two parts:
73 instrumentation module (this file) and a run-time library.
74 The instrumentation module adds a run-time check before every memory insn.
75 For a 8- or 16- byte load accessing address X:
76 ShadowAddr = (X >> 3) + Offset
77 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
78 if (ShadowValue)
79 __asan_report_load8(X);
80 For a load of N bytes (N=1, 2 or 4) from address X:
81 ShadowAddr = (X >> 3) + Offset
82 ShadowValue = *(char*)ShadowAddr;
83 if (ShadowValue)
84 if ((X & 7) + N - 1 > ShadowValue)
85 __asan_report_loadN(X);
86 Stores are instrumented similarly, but using __asan_report_storeN functions.
ef1b3fda
KS		 87 A call too __asan_init_vN() is inserted to the list of module CTORs.
88 N is the version number of the AddressSanitizer API. The changes between the
89 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
497a1c66
JJ		 90
91 The run-time library redefines malloc (so that redzone are inserted around
92 the allocated memory) and free (so that reuse of free-ed memory is delayed),
ef1b3fda 93 provides __asan_report* and __asan_init_vN functions.
497a1c66
JJ		 94
95 Read more:
96 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
97
98 The current implementation supports detection of out-of-bounds and
99 use-after-free in the heap, on the stack and for global variables.
100
101 [Protection of stack variables]
102
103 To understand how detection of out-of-bounds and use-after-free works
104 for stack variables, lets look at this example on x86_64 where the
105 stack grows downward:
f3ddd692
JJ		 106
107 int
108 foo ()
109 {
9c2f0847 110 char a[24] = {0};
f3ddd692
JJ		 111 int b[2] = {0};
112
113 a[5] = 1;
114 b[1] = 2;
115
116 return a[5] + b[1];
117 }
118
497a1c66
JJ		 119 For this function, the stack protected by asan will be organized as
120 follows, from the top of the stack to the bottom:
f3ddd692 121
497a1c66 122 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
f3ddd692 123
497a1c66
JJ		 124 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
125 the next slot be 32 bytes aligned; this one is called Partial
126 Redzone; this 32 bytes alignment is an asan constraint]
f3ddd692 127
497a1c66 128 Slot 3/ [24 bytes for variable 'a']
f3ddd692 129
497a1c66 130 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
f3ddd692 131
497a1c66 132 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
f3ddd692 133
497a1c66 134 Slot 6/ [8 bytes for variable 'b']
f3ddd692 135
497a1c66
JJ		 136 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
137 'LEFT RedZone']
f3ddd692 138
497a1c66
JJ		 139 The 32 bytes of LEFT red zone at the bottom of the stack can be
140 decomposed as such:
f3ddd692
JJ		 141
142 1/ The first 8 bytes contain a magical asan number that is always
143 0x41B58AB3.
144
145 2/ The following 8 bytes contains a pointer to a string (to be
146 parsed at runtime by the runtime asan library), which format is
147 the following:
148
149 "<function-name> <space> <num-of-variables-on-the-stack>
150 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
151 <length-of-var-in-bytes> ){n} "
152
153 where '(...){n}' means the content inside the parenthesis occurs 'n'
154 times, with 'n' being the number of variables on the stack.
c1f5ce48 155
ef1b3fda
KS		 156 3/ The following 8 bytes contain the PC of the current function which
157 will be used by the run-time library to print an error message.
f3ddd692 158
ef1b3fda 159 4/ The following 8 bytes are reserved for internal use by the run-time.
f3ddd692 160
497a1c66 161 The shadow memory for that stack layout is going to look like this:
f3ddd692
JJ		 162
163 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
164 The F1 byte pattern is a magic number called
165 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
166 the memory for that shadow byte is part of a the LEFT red zone
167 intended to seat at the bottom of the variables on the stack.
168
169 - content of shadow memory 8 bytes for slots 6 and 5:
170 0xF4F4F400. The F4 byte pattern is a magic number
171 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
172 memory region for this shadow byte is a PARTIAL red zone
173 intended to pad a variable A, so that the slot following
174 {A,padding} is 32 bytes aligned.
175
176 Note that the fact that the least significant byte of this
177 shadow memory content is 00 means that 8 bytes of its
178 corresponding memory (which corresponds to the memory of
179 variable 'b') is addressable.
180
181 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
182 The F2 byte pattern is a magic number called
183 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
184 region for this shadow byte is a MIDDLE red zone intended to
185 seat between two 32 aligned slots of {variable,padding}.
186
187 - content of shadow memory 8 bytes for slot 3 and 2:
497a1c66 188 0xF4000000. This represents is the concatenation of
f3ddd692
JJ		 189 variable 'a' and the partial red zone following it, like what we
190 had for variable 'b'. The least significant 3 bytes being 00
191 means that the 3 bytes of variable 'a' are addressable.
192
497a1c66 193 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
f3ddd692
JJ		 194 The F3 byte pattern is a magic number called
195 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
196 region for this shadow byte is a RIGHT red zone intended to seat
197 at the top of the variables of the stack.
198
497a1c66 199 Note that the real variable layout is done in expand_used_vars in
e53b6e56 200 cfgexpand.cc. As far as Address Sanitizer is concerned, it lays out
497a1c66
JJ		 201 stack variables as well as the different red zones, emits some
202 prologue code to populate the shadow memory as to poison (mark as
203 non-accessible) the regions of the red zones and mark the regions of
204 stack variables as accessible, and emit some epilogue code to
205 un-poison (mark as accessible) the regions of red zones right before
206 the function exits.
8240018b 207
497a1c66 208 [Protection of global variables]
8240018b 209
497a1c66
JJ		 210 The basic idea is to insert a red zone between two global variables
211 and install a constructor function that calls the asan runtime to do
212 the populating of the relevant shadow memory regions at load time.
8240018b 213
497a1c66
JJ		 214 So the global variables are laid out as to insert a red zone between
215 them. The size of the red zones is so that each variable starts on a
216 32 bytes boundary.
8240018b 217
497a1c66
JJ		 218 Then a constructor function is installed so that, for each global
219 variable, it calls the runtime asan library function
220 __asan_register_globals_with an instance of this type:
8240018b
JJ		 221
222 struct __asan_global
223 {
224 // Address of the beginning of the global variable.
225 const void *__beg;
226
227 // Initial size of the global variable.
228 uptr __size;
229
230 // Size of the global variable + size of the red zone. This
231 // size is 32 bytes aligned.
232 uptr __size_with_redzone;
233
234 // Name of the global variable.
235 const void *__name;
236
ef1b3fda
KS		 237 // Name of the module where the global variable is declared.
238 const void *__module_name;
239
59b36ecf 240 // 1 if it has dynamic initialization, 0 otherwise.
8240018b 241 uptr __has_dynamic_init;
866e32ad
KS		 242
243 // A pointer to struct that contains source location, could be NULL.
244 __asan_global_source_location *__location;
8240018b
JJ		 245 }
246
497a1c66
JJ		 247 A destructor function that calls the runtime asan library function
248 _asan_unregister_globals is also installed. */
f3ddd692 249
fd960af2
YG		 250static unsigned HOST_WIDE_INT asan_shadow_offset_value;
251static bool asan_shadow_offset_computed;
860503d8 252static vec<char *> sanitized_sections;
e3174bdf 253static tree last_alloca_addr;
fd960af2 254
6dc4a604
ML		 255/* Set of variable declarations that are going to be guarded by
256 use-after-scope sanitizer. */
257
bf9f9292 258hash_set<tree> *asan_handled_variables = NULL;
6dc4a604
ML		 259
260hash_set <tree> *asan_used_labels = NULL;
261
0854b584
MM		 262/* Global variables for HWASAN stack tagging. */
263/* hwasan_frame_tag_offset records the offset from the frame base tag that the
264 next object should have. */
265static uint8_t hwasan_frame_tag_offset = 0;
266/* hwasan_frame_base_ptr is a pointer with the same address as
267 `virtual_stack_vars_rtx` for the current frame, and with the frame base tag
268 stored in it. N.b. this global RTX does not need to be marked GTY, but is
269 done so anyway. The need is not there since all uses are in just one pass
270 (cfgexpand) and there are no calls to ggc_collect between the uses. We mark
271 it GTY(()) anyway to allow the use of the variable later on if needed by
272 future features. */
273static GTY(()) rtx hwasan_frame_base_ptr = NULL_RTX;
274/* hwasan_frame_base_init_seq is the sequence of RTL insns that will initialize
275 the hwasan_frame_base_ptr. When the hwasan_frame_base_ptr is requested, we
276 generate this sequence but do not emit it. If the sequence was created it
277 is emitted once the function body has been expanded.
278
279 This delay is because the frame base pointer may be needed anywhere in the
280 function body, or needed by the expand_used_vars function. Emitting once in
281 a known place is simpler than requiring the emission of the instructions to
282 be know where it should go depending on the first place the hwasan frame
283 base is needed. */
284static GTY(()) rtx_insn *hwasan_frame_base_init_seq = NULL;
285
286/* Structure defining the extent of one object on the stack that HWASAN needs
287 to tag in the corresponding shadow stack space.
288
289 The range this object spans on the stack is between `untagged_base +
290 nearest_offset` and `untagged_base + farthest_offset`.
291 `tagged_base` is an rtx containing the same value as `untagged_base` but
292 with a random tag stored in the top byte. We record both `untagged_base`
293 and `tagged_base` so that `hwasan_emit_prologue` can use both without having
294 to emit RTL into the instruction stream to re-calculate one from the other.
295 (`hwasan_emit_prologue` needs to use both bases since the
296 __hwasan_tag_memory call it emits uses an untagged value, and it calculates
297 the tag to store in shadow memory based on the tag_offset plus the tag in
298 tagged_base). */
299struct hwasan_stack_var
300{
301 rtx untagged_base;
302 rtx tagged_base;
303 poly_int64 nearest_offset;
304 poly_int64 farthest_offset;
305 uint8_t tag_offset;
306};
307
308/* Variable recording all stack variables that HWASAN needs to tag.
309 Does not need to be marked as GTY(()) since every use is in the cfgexpand
310 pass and gcc_collect is not called in the middle of that pass. */
311static vec<hwasan_stack_var> hwasan_tagged_stack_vars;
312
313
fd960af2
YG		 314/* Sets shadow offset to value in string VAL. */
315
316bool
317set_asan_shadow_offset (const char *val)
318{
319 char *endp;
c1f5ce48 320
fd960af2
YG		 321 errno = 0;
322#ifdef HAVE_LONG_LONG
323 asan_shadow_offset_value = strtoull (val, &endp, 0);
324#else
325 asan_shadow_offset_value = strtoul (val, &endp, 0);
326#endif
327 if (!(*val != '\0' && *endp == '\0' && errno == 0))
328 return false;
329
330 asan_shadow_offset_computed = true;
331
332 return true;
333}
334
18af8d16
YG		 335/* Set list of user-defined sections that need to be sanitized. */
336
337void
860503d8 338set_sanitized_sections (const char *sections)
18af8d16 339{
860503d8
YG		 340 char *pat;
341 unsigned i;
342 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
343 free (pat);
344 sanitized_sections.truncate (0);
345
346 for (const char *s = sections; *s; )
347 {
348 const char *end;
349 for (end = s; *end && *end != ','; ++end);
350 size_t len = end - s;
351 sanitized_sections.safe_push (xstrndup (s, len));
352 s = *end ? end + 1 : end;
353 }
18af8d16
YG		 354}
355
56b7aede
ML		 356bool
357asan_mark_p (gimple *stmt, enum asan_mark_flags flag)
358{
359 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
360 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag);
361}
362
6dc4a604
ML		 363bool
364asan_sanitize_stack_p (void)
365{
028d4092 366 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_stack);
6dc4a604
ML		 367}
368
5094f7d5
MO		 369bool
370asan_sanitize_allocas_p (void)
371{
028d4092 372 return (asan_sanitize_stack_p () && param_asan_protect_allocas);
5094f7d5
MO		 373}
374
93a73251
MM		 375bool
376asan_instrument_reads (void)
377{
378 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_reads);
379}
380
381bool
382asan_instrument_writes (void)
383{
384 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_writes);
385}
386
387bool
388asan_memintrin (void)
389{
390 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_memintrin);
391}
392
393
91b36d1c
JJ		 394/* Support for --param asan-kernel-mem-intrinsic-prefix=1. */
395static GTY(()) rtx asan_memfn_rtls[3];
396
397rtx
398asan_memfn_rtl (tree fndecl)
399{
400 int i;
401 const char *f, *p;
402 char buf[sizeof ("__hwasan_memmove")];
403
404 switch (DECL_FUNCTION_CODE (fndecl))
405 {
406 case BUILT_IN_MEMCPY: i = 0; f = "memcpy"; break;
407 case BUILT_IN_MEMSET: i = 1; f = "memset"; break;
408 case BUILT_IN_MEMMOVE: i = 2; f = "memmove"; break;
409 default: gcc_unreachable ();
410 }
411 if (asan_memfn_rtls[i] == NULL_RTX)
412 {
413 tree save_name = DECL_NAME (fndecl);
414 tree save_assembler_name = DECL_ASSEMBLER_NAME (fndecl);
415 rtx save_rtl = DECL_RTL (fndecl);
416 if (flag_sanitize & SANITIZE_KERNEL_HWADDRESS)
417 p = "__hwasan_";
418 else
419 p = "__asan_";
420 strcpy (buf, p);
421 strcat (buf, f);
422 DECL_NAME (fndecl) = get_identifier (buf);
423 DECL_ASSEMBLER_NAME_RAW (fndecl) = NULL_TREE;
424 SET_DECL_RTL (fndecl, NULL_RTX);
425 asan_memfn_rtls[i] = DECL_RTL (fndecl);
426 DECL_NAME (fndecl) = save_name;
427 DECL_ASSEMBLER_NAME_RAW (fndecl) = save_assembler_name;
428 SET_DECL_RTL (fndecl, save_rtl);
429 }
430 return asan_memfn_rtls[i];
431}
432
433
18af8d16
YG		 434/* Checks whether section SEC should be sanitized. */
435
436static bool
437section_sanitized_p (const char *sec)
438{
860503d8
YG		 439 char *pat;
440 unsigned i;
441 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
442 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
443 return true;
18af8d16
YG		 444 return false;
445}
446
fd960af2
YG		 447/* Returns Asan shadow offset. */
448
449static unsigned HOST_WIDE_INT
450asan_shadow_offset ()
451{
452 if (!asan_shadow_offset_computed)
453 {
454 asan_shadow_offset_computed = true;
455 asan_shadow_offset_value = targetm.asan_shadow_offset ();
456 }
457 return asan_shadow_offset_value;
458}
459
2ca1b6d0
KC		 460/* Returns Asan shadow offset has been set. */
461bool
462asan_shadow_offset_set_p ()
463{
464 return asan_shadow_offset_computed;
465}
466
f3ddd692 467alias_set_type asan_shadow_set = -1;
37d6f666 468
6dc4a604 469/* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
f6d98484 470 alias set is used for all shadow memory accesses. */
6dc4a604 471static GTY(()) tree shadow_ptr_types[3];
f6d98484 472
e361382f
JJ		 473/* Decl for __asan_option_detect_stack_use_after_return. */
474static GTY(()) tree asan_detect_stack_use_after_return;
475
bdcbe80c
DS		 476/* Hashtable support for memory references used by gimple
477 statements. */
478
479/* This type represents a reference to a memory region. */
480struct asan_mem_ref
481{
688010ba 482 /* The expression of the beginning of the memory region. */
bdcbe80c
DS		 483 tree start;
484
40f9f6bb
JJ		 485 /* The size of the access. */
486 HOST_WIDE_INT access_size;
c1f5ce48
ML		 487};
488
fcb87c50 489object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
bdcbe80c
DS		 490
491/* Initializes an instance of asan_mem_ref. */
492
493static void
40f9f6bb 494asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
bdcbe80c
DS		 495{
496 ref->start = start;
497 ref->access_size = access_size;
498}
499
500/* Allocates memory for an instance of asan_mem_ref into the memory
501 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
502 START is the address of (or the expression pointing to) the
503 beginning of memory reference. ACCESS_SIZE is the size of the
504 access to the referenced memory. */
505
506static asan_mem_ref*
40f9f6bb 507asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
bdcbe80c 508{
fb0b2914 509 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
bdcbe80c
DS		 510
511 asan_mem_ref_init (ref, start, access_size);
512 return ref;
513}
514
515/* This builds and returns a pointer to the end of the memory region
516 that starts at START and of length LEN. */
517
518tree
519asan_mem_ref_get_end (tree start, tree len)
520{
521 if (len == NULL_TREE || integer_zerop (len))
522 return start;
523
a2f581e1
YG		 524 if (!ptrofftype_p (len))
525 len = convert_to_ptrofftype (len);
526
bdcbe80c
DS		 527 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
528}
529
530/* Return a tree expression that represents the end of the referenced
531 memory region. Beware that this function can actually build a new
532 tree expression. */
533
534tree
535asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
536{
537 return asan_mem_ref_get_end (ref->start, len);
538}
539
8d67ee55 540struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
bdcbe80c 541{
67f58944
TS		 542 static inline hashval_t hash (const asan_mem_ref *);
543 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
bdcbe80c
DS		 544};
545
546/* Hash a memory reference. */
547
548inline hashval_t
549asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
550{
bdea98ca 551 return iterative_hash_expr (mem_ref->start, 0);
bdcbe80c
DS		 552}
553
554/* Compare two memory references. We accept the length of either
555 memory references to be NULL_TREE. */
556
557inline bool
558asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
559 const asan_mem_ref *m2)
560{
bdea98ca 561 return operand_equal_p (m1->start, m2->start, 0);
bdcbe80c
DS		 562}
563
c203e8a7 564static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
bdcbe80c
DS		 565
566/* Returns a reference to the hash table containing memory references.
567 This function ensures that the hash table is created. Note that
568 this hash table is updated by the function
569 update_mem_ref_hash_table. */
570
c203e8a7 571static hash_table<asan_mem_ref_hasher> *
bdcbe80c
DS		 572get_mem_ref_hash_table ()
573{
c203e8a7
TS		 574 if (!asan_mem_ref_ht)
575 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
bdcbe80c
DS		 576
577 return asan_mem_ref_ht;
578}
579
580/* Clear all entries from the memory references hash table. */
581
582static void
583empty_mem_ref_hash_table ()
584{
c203e8a7
TS		 585 if (asan_mem_ref_ht)
586 asan_mem_ref_ht->empty ();
bdcbe80c
DS		 587}
588
589/* Free the memory references hash table. */
590
591static void
592free_mem_ref_resources ()
593{
c203e8a7
TS		 594 delete asan_mem_ref_ht;
595 asan_mem_ref_ht = NULL;
bdcbe80c 596
fb0b2914 597 asan_mem_ref_pool.release ();
bdcbe80c
DS		 598}
599
600/* Return true iff the memory reference REF has been instrumented. */
601
602static bool
40f9f6bb 603has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
bdcbe80c
DS		 604{
605 asan_mem_ref r;
606 asan_mem_ref_init (&r, ref, access_size);
607
bdea98ca
MO		 608 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
609 return saved_ref && saved_ref->access_size >= access_size;
bdcbe80c
DS		 610}
611
612/* Return true iff the memory reference REF has been instrumented. */
613
614static bool
615has_mem_ref_been_instrumented (const asan_mem_ref *ref)
616{
617 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
618}
619
620/* Return true iff access to memory region starting at REF and of
621 length LEN has been instrumented. */
622
623static bool
624has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
625{
bdea98ca
MO		 626 HOST_WIDE_INT size_in_bytes
627 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
bdcbe80c 628
bdea98ca
MO		 629 return size_in_bytes != -1
630 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
bdcbe80c
DS		 631}
632
633/* Set REF to the memory reference present in a gimple assignment
634 ASSIGNMENT. Return true upon successful completion, false
635 otherwise. */
636
637static bool
538dd0b7 638get_mem_ref_of_assignment (const gassign *assignment,
bdcbe80c
DS		 639 asan_mem_ref *ref,
640 bool *ref_is_store)
641{
642 gcc_assert (gimple_assign_single_p (assignment));
643
5d751b0c
JJ		 644 if (gimple_store_p (assignment)
645 && !gimple_clobber_p (assignment))
bdcbe80c
DS		 646 {
647 ref->start = gimple_assign_lhs (assignment);
648 *ref_is_store = true;
649 }
650 else if (gimple_assign_load_p (assignment))
651 {
652 ref->start = gimple_assign_rhs1 (assignment);
653 *ref_is_store = false;
654 }
655 else
656 return false;
657
658 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
659 return true;
660}
661
e3174bdf
MO		 662/* Return address of last allocated dynamic alloca. */
663
664static tree
665get_last_alloca_addr ()
666{
667 if (last_alloca_addr)
668 return last_alloca_addr;
669
670 last_alloca_addr = create_tmp_reg (ptr_type_node, "last_alloca_addr");
671 gassign *g = gimple_build_assign (last_alloca_addr, null_pointer_node);
672 edge e = single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun));
673 gsi_insert_on_edge_immediate (e, g);
674 return last_alloca_addr;
675}
676
7504c3bf 677/* Insert __asan_allocas_unpoison (top, bottom) call before
e3174bdf
MO		 678 __builtin_stack_restore (new_sp) call.
679 The pseudocode of this routine should look like this:
e3174bdf
MO		 680 top = last_alloca_addr;
681 bot = new_sp;
682 __asan_allocas_unpoison (top, bot);
683 last_alloca_addr = new_sp;
7504c3bf 684 __builtin_stack_restore (new_sp);
e3174bdf
MO		 685 In general, we can't use new_sp as bot parameter because on some
686 architectures SP has non zero offset from dynamic stack area. Moreover, on
687 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each
688 particular function only after all callees were expanded to rtl.
689 The most noticeable example is PowerPC{,64}, see
690 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
691 To overcome the issue we use following trick: pass new_sp as a second
692 parameter to __asan_allocas_unpoison and rewrite it during expansion with
7504c3bf 693 new_sp + (virtual_dynamic_stack_rtx - sp) later in
93a73251
MM		 694 expand_asan_emit_allocas_unpoison function.
695
696 HWASAN needs to do very similar, the eventual pseudocode should be:
697 __hwasan_tag_memory (virtual_stack_dynamic_rtx,
698 0,
699 new_sp - sp);
700 __builtin_stack_restore (new_sp)
701
702 Need to use the same trick to handle STACK_DYNAMIC_OFFSET as described
703 above. */
e3174bdf
MO		 704
705static void
706handle_builtin_stack_restore (gcall *call, gimple_stmt_iterator *iter)
707{
93a73251
MM		 708 if (!iter
709 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ()))
e3174bdf
MO		 710 return;
711
e3174bdf 712 tree restored_stack = gimple_call_arg (call, 0);
93a73251
MM		 713
714 gimple *g;
715
716 if (hwasan_sanitize_allocas_p ())
717 {
718 enum internal_fn fn = IFN_HWASAN_ALLOCA_UNPOISON;
719 /* There is only one piece of information `expand_HWASAN_ALLOCA_UNPOISON`
720 needs to work. This is the length of the area that we're
721 deallocating. Since the stack pointer is known at expand time, the
722 position of the new stack pointer after deallocation is enough
723 information to calculate this length. */
724 g = gimple_build_call_internal (fn, 1, restored_stack);
725 }
726 else
727 {
728 tree last_alloca = get_last_alloca_addr ();
729 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCAS_UNPOISON);
730 g = gimple_build_call (fn, 2, last_alloca, restored_stack);
731 gsi_insert_before (iter, g, GSI_SAME_STMT);
732 g = gimple_build_assign (last_alloca, restored_stack);
733 }
734
7504c3bf 735 gsi_insert_before (iter, g, GSI_SAME_STMT);
e3174bdf
MO		 736}
737
738/* Deploy and poison redzones around __builtin_alloca call. To do this, we
739 should replace this call with another one with changed parameters and
740 replace all its uses with new address, so
741 addr = __builtin_alloca (old_size, align);
742 is replaced by
743 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
744 Following two statements are optimized out if we know that
745 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
746 redzone.
747 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
748 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
749 right_redzone_size = ASAN_RED_ZONE_SIZE;
750 additional_size = left_redzone_size + partial_redzone_size +
751 right_redzone_size;
752 new_size = old_size + additional_size;
753 new_alloca = __builtin_alloca (new_size, max (align, 32))
754 __asan_alloca_poison (new_alloca, old_size)
755 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
756 last_alloca_addr = new_alloca;
757 ADDITIONAL_SIZE is added to make new memory allocation contain not only
758 requested memory, but also left, partial and right redzones as well as some
759 additional space, required by alignment. */
760
761static void
762handle_builtin_alloca (gcall *call, gimple_stmt_iterator *iter)
763{
93a73251
MM		 764 if (!iter
765 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ()))
e3174bdf
MO		 766 return;
767
768 gassign *g;
769 gcall *gg;
e3174bdf 770 tree callee = gimple_call_fndecl (call);
f0c7367b 771 tree lhs = gimple_call_lhs (call);
e3174bdf 772 tree old_size = gimple_call_arg (call, 0);
f0c7367b 773 tree ptr_type = lhs ? TREE_TYPE (lhs) : ptr_type_node;
e3174bdf 774 tree partial_size = NULL_TREE;
e3174bdf 775 unsigned int align
9e878cf1
EB		 776 = DECL_FUNCTION_CODE (callee) == BUILT_IN_ALLOCA
777 ? 0 : tree_to_uhwi (gimple_call_arg (call, 1));
e3174bdf 778
f0c7367b
JJ		 779 bool throws = false;
780 edge e = NULL;
781 if (stmt_can_throw_internal (cfun, call))
782 {
783 if (!lhs)
784 return;
785 throws = true;
786 e = find_fallthru_edge (gsi_bb (*iter)->succs);
787 }
788
93a73251
MM		 789 if (hwasan_sanitize_allocas_p ())
790 {
791 gimple_seq stmts = NULL;
792 location_t loc = gimple_location (gsi_stmt (*iter));
793 /*
794 HWASAN needs a different expansion.
795
796 addr = __builtin_alloca (size, align);
797
798 should be replaced by
799
800 new_size = size rounded up to HWASAN_TAG_GRANULE_SIZE byte alignment;
801 untagged_addr = __builtin_alloca (new_size, align);
802 tag = __hwasan_choose_alloca_tag ();
803 addr = ifn_HWASAN_SET_TAG (untagged_addr, tag);
804 __hwasan_tag_memory (untagged_addr, tag, new_size);
805 */
806 /* Ensure alignment at least HWASAN_TAG_GRANULE_SIZE bytes so we start on
807 a tag granule. */
808 align = align > HWASAN_TAG_GRANULE_SIZE ? align : HWASAN_TAG_GRANULE_SIZE;
809
810 tree old_size = gimple_call_arg (call, 0);
811 tree new_size = gimple_build_round_up (&stmts, loc, size_type_node,
812 old_size,
813 HWASAN_TAG_GRANULE_SIZE);
814
815 /* Make the alloca call */
816 tree untagged_addr
817 = gimple_build (&stmts, loc,
818 as_combined_fn (BUILT_IN_ALLOCA_WITH_ALIGN), ptr_type,
819 new_size, build_int_cst (size_type_node, align));
820
821 /* Choose the tag.
822 Here we use an internal function so we can choose the tag at expand
823 time. We need the decision to be made after stack variables have been
824 assigned their tag (i.e. once the hwasan_frame_tag_offset variable has
825 been set to one after the last stack variables tag). */
826 tree tag = gimple_build (&stmts, loc, CFN_HWASAN_CHOOSE_TAG,
827 unsigned_char_type_node);
828
829 /* Add tag to pointer. */
830 tree addr
831 = gimple_build (&stmts, loc, CFN_HWASAN_SET_TAG, ptr_type,
832 untagged_addr, tag);
833
834 /* Tag shadow memory.
835 NOTE: require using `untagged_addr` here for libhwasan API. */
836 gimple_build (&stmts, loc, as_combined_fn (BUILT_IN_HWASAN_TAG_MEM),
837 void_type_node, untagged_addr, tag, new_size);
838
839 /* Insert the built up code sequence into the original instruction stream
840 the iterator points to. */
841 gsi_insert_seq_before (iter, stmts, GSI_SAME_STMT);
842
843 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
844 replace_call_with_value (iter, addr);
845 return;
846 }
847
848 tree last_alloca = get_last_alloca_addr ();
849 const HOST_WIDE_INT redzone_mask = ASAN_RED_ZONE_SIZE - 1;
850
e3174bdf
MO		 851 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
852 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
853 manually. */
854 align = MAX (align, ASAN_RED_ZONE_SIZE * BITS_PER_UNIT);
855
856 tree alloca_rz_mask = build_int_cst (size_type_node, redzone_mask);
857 tree redzone_size = build_int_cst (size_type_node, ASAN_RED_ZONE_SIZE);
858
859 /* Extract lower bits from old_size. */
860 wide_int size_nonzero_bits = get_nonzero_bits (old_size);
861 wide_int rz_mask
862 = wi::uhwi (redzone_mask, wi::get_precision (size_nonzero_bits));
863 wide_int old_size_lower_bits = wi::bit_and (size_nonzero_bits, rz_mask);
864
865 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
866 redzone. Otherwise, compute its size here. */
867 if (wi::ne_p (old_size_lower_bits, 0))
868 {
869 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
870 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
871 g = gimple_build_assign (make_ssa_name (size_type_node, NULL),
872 BIT_AND_EXPR, old_size, alloca_rz_mask);
873 gsi_insert_before (iter, g, GSI_SAME_STMT);
874 tree misalign = gimple_assign_lhs (g);
875 g = gimple_build_assign (make_ssa_name (size_type_node, NULL), MINUS_EXPR,
876 redzone_size, misalign);
877 gsi_insert_before (iter, g, GSI_SAME_STMT);
878 partial_size = gimple_assign_lhs (g);
879 }
880
881 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
882 tree additional_size = build_int_cst (size_type_node, align / BITS_PER_UNIT
883 + ASAN_RED_ZONE_SIZE);
884 /* If alloca has partial redzone, include it to additional_size too. */
885 if (partial_size)
886 {
887 /* additional_size += partial_size. */
888 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR,
889 partial_size, additional_size);
890 gsi_insert_before (iter, g, GSI_SAME_STMT);
891 additional_size = gimple_assign_lhs (g);
892 }
893
894 /* new_size = old_size + additional_size. */
895 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR, old_size,
896 additional_size);
897 gsi_insert_before (iter, g, GSI_SAME_STMT);
898 tree new_size = gimple_assign_lhs (g);
899
900 /* Build new __builtin_alloca call:
901 new_alloca_with_rz = __builtin_alloca (new_size, align). */
902 tree fn = builtin_decl_implicit (BUILT_IN_ALLOCA_WITH_ALIGN);
903 gg = gimple_build_call (fn, 2, new_size,
904 build_int_cst (size_type_node, align));
905 tree new_alloca_with_rz = make_ssa_name (ptr_type, gg);
906 gimple_call_set_lhs (gg, new_alloca_with_rz);
f0c7367b
JJ		 907 if (throws)
908 {
909 gimple_call_set_lhs (call, NULL);
910 gsi_replace (iter, gg, true);
911 }
912 else
913 gsi_insert_before (iter, gg, GSI_SAME_STMT);
e3174bdf
MO		 914
915 /* new_alloca = new_alloca_with_rz + align. */
916 g = gimple_build_assign (make_ssa_name (ptr_type), POINTER_PLUS_EXPR,
917 new_alloca_with_rz,
918 build_int_cst (size_type_node,
919 align / BITS_PER_UNIT));
f0c7367b
JJ		 920 gimple_stmt_iterator gsi = gsi_none ();
921 if (throws)
922 {
923 gsi_insert_on_edge_immediate (e, g);
924 gsi = gsi_for_stmt (g);
925 }
926 else
927 gsi_insert_before (iter, g, GSI_SAME_STMT);
e3174bdf
MO		 928 tree new_alloca = gimple_assign_lhs (g);
929
930 /* Poison newly created alloca redzones:
931 __asan_alloca_poison (new_alloca, old_size). */
932 fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCA_POISON);
933 gg = gimple_build_call (fn, 2, new_alloca, old_size);
f0c7367b
JJ		 934 if (throws)
935 gsi_insert_after (&gsi, gg, GSI_NEW_STMT);
936 else
937 gsi_insert_before (iter, gg, GSI_SAME_STMT);
e3174bdf
MO		 938
939 /* Save new_alloca_with_rz value into last_alloca to use it during
940 allocas unpoisoning. */
941 g = gimple_build_assign (last_alloca, new_alloca_with_rz);
f0c7367b
JJ		 942 if (throws)
943 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
944 else
945 gsi_insert_before (iter, g, GSI_SAME_STMT);
e3174bdf
MO		 946
947 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
f0c7367b
JJ		 948 if (throws)
949 {
950 g = gimple_build_assign (lhs, new_alloca);
951 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
952 }
953 else
954 replace_call_with_value (iter, new_alloca);
e3174bdf
MO		 955}
956
bdcbe80c
DS		 957/* Return the memory references contained in a gimple statement
958 representing a builtin call that has to do with memory access. */
959
960static bool
e3174bdf 961get_mem_refs_of_builtin_call (gcall *call,
bdcbe80c
DS		 962 asan_mem_ref *src0,
963 tree *src0_len,
964 bool *src0_is_store,
965 asan_mem_ref *src1,
966 tree *src1_len,
967 bool *src1_is_store,
968 asan_mem_ref *dst,
969 tree *dst_len,
970 bool *dst_is_store,
bdea98ca 971 bool *dest_is_deref,
e3174bdf
MO		 972 bool *intercepted_p,
973 gimple_stmt_iterator *iter = NULL)
bdcbe80c
DS		 974{
975 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
976
977 tree callee = gimple_call_fndecl (call);
978 tree source0 = NULL_TREE, source1 = NULL_TREE,
979 dest = NULL_TREE, len = NULL_TREE;
980 bool is_store = true, got_reference_p = false;
40f9f6bb 981 HOST_WIDE_INT access_size = 1;
bdcbe80c 982
bdea98ca
MO		 983 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
984
bdcbe80c
DS		 985 switch (DECL_FUNCTION_CODE (callee))
986 {
987 /* (s, s, n) style memops. */
988 case BUILT_IN_BCMP:
989 case BUILT_IN_MEMCMP:
990 source0 = gimple_call_arg (call, 0);
991 source1 = gimple_call_arg (call, 1);
992 len = gimple_call_arg (call, 2);
993 break;
994
995 /* (src, dest, n) style memops. */
996 case BUILT_IN_BCOPY:
997 source0 = gimple_call_arg (call, 0);
998 dest = gimple_call_arg (call, 1);
999 len = gimple_call_arg (call, 2);
1000 break;
1001
1002 /* (dest, src, n) style memops. */
1003 case BUILT_IN_MEMCPY:
1004 case BUILT_IN_MEMCPY_CHK:
1005 case BUILT_IN_MEMMOVE:
1006 case BUILT_IN_MEMMOVE_CHK:
1007 case BUILT_IN_MEMPCPY:
1008 case BUILT_IN_MEMPCPY_CHK:
1009 dest = gimple_call_arg (call, 0);
1010 source0 = gimple_call_arg (call, 1);
1011 len = gimple_call_arg (call, 2);
1012 break;
1013
1014 /* (dest, n) style memops. */
1015 case BUILT_IN_BZERO:
1016 dest = gimple_call_arg (call, 0);
1017 len = gimple_call_arg (call, 1);
1018 break;
1019
1020 /* (dest, x, n) style memops*/
1021 case BUILT_IN_MEMSET:
1022 case BUILT_IN_MEMSET_CHK:
1023 dest = gimple_call_arg (call, 0);
1024 len = gimple_call_arg (call, 2);
1025 break;
1026
1027 case BUILT_IN_STRLEN:
93a73251
MM		 1028 /* Special case strlen here since its length is taken from its return
1029 value.
1030
1031 The approach taken by the sanitizers is to check a memory access
1032 before it's taken. For ASAN strlen is intercepted by libasan, so no
1033 check is inserted by the compiler.
1034
1035 This function still returns `true` and provides a length to the rest
1036 of the ASAN pass in order to record what areas have been checked,
1037 avoiding superfluous checks later on.
1038
1039 HWASAN does not intercept any of these internal functions.
1040 This means that checks for memory accesses must be inserted by the
1041 compiler.
1042 strlen is a special case, because we can tell the length from the
1043 return of the function, but that is not known until after the function
1044 has returned.
1045
1046 Hence we can't check the memory access before it happens.
1047 We could check the memory access after it has already happened, but
1048 for now we choose to just ignore `strlen` calls.
1049 This decision was simply made because that means the special case is
1050 limited to this one case of this one function. */
1051 if (hwasan_sanitize_p ())
1052 return false;
bdcbe80c
DS		 1053 source0 = gimple_call_arg (call, 0);
1054 len = gimple_call_lhs (call);
9e463823 1055 break;
bdcbe80c 1056
e3174bdf
MO		 1057 case BUILT_IN_STACK_RESTORE:
1058 handle_builtin_stack_restore (call, iter);
1059 break;
1060
9e878cf1 1061 CASE_BUILT_IN_ALLOCA:
e3174bdf
MO		 1062 handle_builtin_alloca (call, iter);
1063 break;
bdcbe80c 1064 /* And now the __atomic* and __sync builtins.
d5029d45 1065 These are handled differently from the classical memory
bdcbe80c
DS		 1066 access builtins above. */
1067
1068 case BUILT_IN_ATOMIC_LOAD_1:
bdcbe80c 1069 is_store = false;
9e463823 1070 /* FALLTHRU */
bdcbe80c 1071 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
bdcbe80c 1072 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
bdcbe80c 1073 case BUILT_IN_SYNC_FETCH_AND_OR_1:
bdcbe80c 1074 case BUILT_IN_SYNC_FETCH_AND_AND_1:
bdcbe80c 1075 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
bdcbe80c 1076 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
bdcbe80c 1077 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
bdcbe80c 1078 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
bdcbe80c 1079 case BUILT_IN_SYNC_OR_AND_FETCH_1:
bdcbe80c 1080 case BUILT_IN_SYNC_AND_AND_FETCH_1:
bdcbe80c 1081 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
bdcbe80c 1082 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
bdcbe80c 1083 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
bdcbe80c 1084 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
bdcbe80c 1085 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
bdcbe80c 1086 case BUILT_IN_SYNC_LOCK_RELEASE_1:
bdcbe80c 1087 case BUILT_IN_ATOMIC_EXCHANGE_1:
bdcbe80c 1088 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
bdcbe80c 1089 case BUILT_IN_ATOMIC_STORE_1:
bdcbe80c 1090 case BUILT_IN_ATOMIC_ADD_FETCH_1:
bdcbe80c 1091 case BUILT_IN_ATOMIC_SUB_FETCH_1:
bdcbe80c 1092 case BUILT_IN_ATOMIC_AND_FETCH_1:
bdcbe80c 1093 case BUILT_IN_ATOMIC_NAND_FETCH_1:
bdcbe80c 1094 case BUILT_IN_ATOMIC_XOR_FETCH_1:
bdcbe80c 1095 case BUILT_IN_ATOMIC_OR_FETCH_1:
bdcbe80c 1096 case BUILT_IN_ATOMIC_FETCH_ADD_1:
bdcbe80c 1097 case BUILT_IN_ATOMIC_FETCH_SUB_1:
bdcbe80c 1098 case BUILT_IN_ATOMIC_FETCH_AND_1:
bdcbe80c 1099 case BUILT_IN_ATOMIC_FETCH_NAND_1:
bdcbe80c 1100 case BUILT_IN_ATOMIC_FETCH_XOR_1:
bdcbe80c 1101 case BUILT_IN_ATOMIC_FETCH_OR_1:
9e463823
JJ		 1102 access_size = 1;
1103 goto do_atomic;
1104
1105 case BUILT_IN_ATOMIC_LOAD_2:
1106 is_store = false;
1107 /* FALLTHRU */
1108 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
1109 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
1110 case BUILT_IN_SYNC_FETCH_AND_OR_2:
1111 case BUILT_IN_SYNC_FETCH_AND_AND_2:
1112 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
1113 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
1114 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
1115 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
1116 case BUILT_IN_SYNC_OR_AND_FETCH_2:
1117 case BUILT_IN_SYNC_AND_AND_FETCH_2:
1118 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
1119 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
1120 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
1121 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
1122 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
1123 case BUILT_IN_SYNC_LOCK_RELEASE_2:
1124 case BUILT_IN_ATOMIC_EXCHANGE_2:
1125 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
1126 case BUILT_IN_ATOMIC_STORE_2:
1127 case BUILT_IN_ATOMIC_ADD_FETCH_2:
1128 case BUILT_IN_ATOMIC_SUB_FETCH_2:
1129 case BUILT_IN_ATOMIC_AND_FETCH_2:
1130 case BUILT_IN_ATOMIC_NAND_FETCH_2:
1131 case BUILT_IN_ATOMIC_XOR_FETCH_2:
1132 case BUILT_IN_ATOMIC_OR_FETCH_2:
1133 case BUILT_IN_ATOMIC_FETCH_ADD_2:
1134 case BUILT_IN_ATOMIC_FETCH_SUB_2:
1135 case BUILT_IN_ATOMIC_FETCH_AND_2:
1136 case BUILT_IN_ATOMIC_FETCH_NAND_2:
1137 case BUILT_IN_ATOMIC_FETCH_XOR_2:
bdcbe80c 1138 case BUILT_IN_ATOMIC_FETCH_OR_2:
9e463823
JJ		 1139 access_size = 2;
1140 goto do_atomic;
1141
1142 case BUILT_IN_ATOMIC_LOAD_4:
1143 is_store = false;
1144 /* FALLTHRU */
1145 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
1146 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
1147 case BUILT_IN_SYNC_FETCH_AND_OR_4:
1148 case BUILT_IN_SYNC_FETCH_AND_AND_4:
1149 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
1150 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
1151 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
1152 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
1153 case BUILT_IN_SYNC_OR_AND_FETCH_4:
1154 case BUILT_IN_SYNC_AND_AND_FETCH_4:
1155 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
1156 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
1157 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
1158 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
1159 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
1160 case BUILT_IN_SYNC_LOCK_RELEASE_4:
1161 case BUILT_IN_ATOMIC_EXCHANGE_4:
1162 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
1163 case BUILT_IN_ATOMIC_STORE_4:
1164 case BUILT_IN_ATOMIC_ADD_FETCH_4:
1165 case BUILT_IN_ATOMIC_SUB_FETCH_4:
1166 case BUILT_IN_ATOMIC_AND_FETCH_4:
1167 case BUILT_IN_ATOMIC_NAND_FETCH_4:
1168 case BUILT_IN_ATOMIC_XOR_FETCH_4:
1169 case BUILT_IN_ATOMIC_OR_FETCH_4:
1170 case BUILT_IN_ATOMIC_FETCH_ADD_4:
1171 case BUILT_IN_ATOMIC_FETCH_SUB_4:
1172 case BUILT_IN_ATOMIC_FETCH_AND_4:
1173 case BUILT_IN_ATOMIC_FETCH_NAND_4:
1174 case BUILT_IN_ATOMIC_FETCH_XOR_4:
bdcbe80c 1175 case BUILT_IN_ATOMIC_FETCH_OR_4:
9e463823
JJ		 1176 access_size = 4;
1177 goto do_atomic;
1178
1179 case BUILT_IN_ATOMIC_LOAD_8:
1180 is_store = false;
1181 /* FALLTHRU */
1182 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
1183 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
1184 case BUILT_IN_SYNC_FETCH_AND_OR_8:
1185 case BUILT_IN_SYNC_FETCH_AND_AND_8:
1186 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
1187 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
1188 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
1189 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
1190 case BUILT_IN_SYNC_OR_AND_FETCH_8:
1191 case BUILT_IN_SYNC_AND_AND_FETCH_8:
1192 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
1193 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
1194 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
1195 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
1196 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
1197 case BUILT_IN_SYNC_LOCK_RELEASE_8:
1198 case BUILT_IN_ATOMIC_EXCHANGE_8:
1199 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
1200 case BUILT_IN_ATOMIC_STORE_8:
1201 case BUILT_IN_ATOMIC_ADD_FETCH_8:
1202 case BUILT_IN_ATOMIC_SUB_FETCH_8:
1203 case BUILT_IN_ATOMIC_AND_FETCH_8:
1204 case BUILT_IN_ATOMIC_NAND_FETCH_8:
1205 case BUILT_IN_ATOMIC_XOR_FETCH_8:
1206 case BUILT_IN_ATOMIC_OR_FETCH_8:
1207 case BUILT_IN_ATOMIC_FETCH_ADD_8:
1208 case BUILT_IN_ATOMIC_FETCH_SUB_8:
1209 case BUILT_IN_ATOMIC_FETCH_AND_8:
1210 case BUILT_IN_ATOMIC_FETCH_NAND_8:
1211 case BUILT_IN_ATOMIC_FETCH_XOR_8:
bdcbe80c 1212 case BUILT_IN_ATOMIC_FETCH_OR_8:
9e463823
JJ		 1213 access_size = 8;
1214 goto do_atomic;
1215
1216 case BUILT_IN_ATOMIC_LOAD_16:
1217 is_store = false;
1218 /* FALLTHRU */
1219 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
1220 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
1221 case BUILT_IN_SYNC_FETCH_AND_OR_16:
1222 case BUILT_IN_SYNC_FETCH_AND_AND_16:
1223 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
1224 case BUILT_IN_SYNC_FETCH_AND_NAND_16:
1225 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
1226 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
1227 case BUILT_IN_SYNC_OR_AND_FETCH_16:
1228 case BUILT_IN_SYNC_AND_AND_FETCH_16:
1229 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
1230 case BUILT_IN_SYNC_NAND_AND_FETCH_16:
1231 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
1232 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
1233 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
1234 case BUILT_IN_SYNC_LOCK_RELEASE_16:
1235 case BUILT_IN_ATOMIC_EXCHANGE_16:
1236 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
1237 case BUILT_IN_ATOMIC_STORE_16:
1238 case BUILT_IN_ATOMIC_ADD_FETCH_16:
1239 case BUILT_IN_ATOMIC_SUB_FETCH_16:
1240 case BUILT_IN_ATOMIC_AND_FETCH_16:
1241 case BUILT_IN_ATOMIC_NAND_FETCH_16:
1242 case BUILT_IN_ATOMIC_XOR_FETCH_16:
1243 case BUILT_IN_ATOMIC_OR_FETCH_16:
1244 case BUILT_IN_ATOMIC_FETCH_ADD_16:
1245 case BUILT_IN_ATOMIC_FETCH_SUB_16:
1246 case BUILT_IN_ATOMIC_FETCH_AND_16:
1247 case BUILT_IN_ATOMIC_FETCH_NAND_16:
1248 case BUILT_IN_ATOMIC_FETCH_XOR_16:
bdcbe80c 1249 case BUILT_IN_ATOMIC_FETCH_OR_16:
9e463823
JJ		 1250 access_size = 16;
1251 /* FALLTHRU */
1252 do_atomic:
bdcbe80c
DS		 1253 {
1254 dest = gimple_call_arg (call, 0);
1255 /* DEST represents the address of a memory location.
1256 instrument_derefs wants the memory location, so lets
1257 dereference the address DEST before handing it to
1258 instrument_derefs. */
9e463823
JJ		 1259 tree type = build_nonstandard_integer_type (access_size
1260 * BITS_PER_UNIT, 1);
1261 dest = build2 (MEM_REF, type, dest,
1262 build_int_cst (build_pointer_type (char_type_node), 0));
1263 break;
bdcbe80c
DS		 1264 }
1265
1266 default:
1267 /* The other builtins memory access are not instrumented in this
1268 function because they either don't have any length parameter,
1269 or their length parameter is just a limit. */
1270 break;
1271 }
1272
1273 if (len != NULL_TREE)
1274 {
1275 if (source0 != NULL_TREE)
1276 {
1277 src0->start = source0;
1278 src0->access_size = access_size;
1279 *src0_len = len;
1280 *src0_is_store = false;
1281 }
1282
1283 if (source1 != NULL_TREE)
1284 {
1285 src1->start = source1;
1286 src1->access_size = access_size;
1287 *src1_len = len;
1288 *src1_is_store = false;
1289 }
1290
1291 if (dest != NULL_TREE)
1292 {
1293 dst->start = dest;
1294 dst->access_size = access_size;
1295 *dst_len = len;
1296 *dst_is_store = true;
1297 }
1298
1299 got_reference_p = true;
1300 }
b41288b3
JJ		 1301 else if (dest)
1302 {
1303 dst->start = dest;
1304 dst->access_size = access_size;
1305 *dst_len = NULL_TREE;
1306 *dst_is_store = is_store;
1307 *dest_is_deref = true;
1308 got_reference_p = true;
1309 }
bdcbe80c 1310
b41288b3 1311 return got_reference_p;
bdcbe80c
DS		 1312}
1313
1314/* Return true iff a given gimple statement has been instrumented.
1315 Note that the statement is "defined" by the memory references it
1316 contains. */
1317
1318static bool
355fe088 1319has_stmt_been_instrumented_p (gimple *stmt)
bdcbe80c
DS		 1320{
1321 if (gimple_assign_single_p (stmt))
1322 {
1323 bool r_is_store;
1324 asan_mem_ref r;
1325 asan_mem_ref_init (&r, NULL, 1);
1326
538dd0b7
DM		 1327 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
1328 &r_is_store))
af02daff
JJ		 1329 {
1330 if (!has_mem_ref_been_instrumented (&r))
1331 return false;
1332 if (r_is_store && gimple_assign_load_p (stmt))
1333 {
1334 asan_mem_ref src;
1335 asan_mem_ref_init (&src, NULL, 1);
1336 src.start = gimple_assign_rhs1 (stmt);
1337 src.access_size = int_size_in_bytes (TREE_TYPE (src.start));
1338 if (!has_mem_ref_been_instrumented (&src))
1339 return false;
1340 }
1341 return true;
1342 }
bdcbe80c
DS		 1343 }
1344 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
1345 {
1346 asan_mem_ref src0, src1, dest;
1347 asan_mem_ref_init (&src0, NULL, 1);
1348 asan_mem_ref_init (&src1, NULL, 1);
1349 asan_mem_ref_init (&dest, NULL, 1);
1350
1351 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1352 bool src0_is_store = false, src1_is_store = false,
bdea98ca 1353 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
538dd0b7 1354 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
bdcbe80c
DS		 1355 &src0, &src0_len, &src0_is_store,
1356 &src1, &src1_len, &src1_is_store,
1357 &dest, &dest_len, &dest_is_store,
bdea98ca 1358 &dest_is_deref, &intercepted_p))
bdcbe80c
DS		 1359 {
1360 if (src0.start != NULL_TREE
1361 && !has_mem_ref_been_instrumented (&src0, src0_len))
1362 return false;
1363
1364 if (src1.start != NULL_TREE
1365 && !has_mem_ref_been_instrumented (&src1, src1_len))
1366 return false;
1367
1368 if (dest.start != NULL_TREE
1369 && !has_mem_ref_been_instrumented (&dest, dest_len))
1370 return false;
1371
1372 return true;
1373 }
1374 }
7db337c2
ML		 1375 else if (is_gimple_call (stmt) && gimple_store_p (stmt))
1376 {
1377 asan_mem_ref r;
1378 asan_mem_ref_init (&r, NULL, 1);
1379
1380 r.start = gimple_call_lhs (stmt);
1381 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
1382 return has_mem_ref_been_instrumented (&r);
1383 }
1384
bdcbe80c
DS		 1385 return false;
1386}
1387
1388/* Insert a memory reference into the hash table. */
1389
1390static void
40f9f6bb 1391update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
bdcbe80c 1392{
c203e8a7 1393 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
bdcbe80c
DS		 1394
1395 asan_mem_ref r;
1396 asan_mem_ref_init (&r, ref, access_size);
1397
c203e8a7 1398 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
bdea98ca 1399 if (*slot == NULL || (*slot)->access_size < access_size)
bdcbe80c
DS		 1400 *slot = asan_mem_ref_new (ref, access_size);
1401}
1402
94fce891
JJ		 1403/* Initialize shadow_ptr_types array. */
1404
1405static void
1406asan_init_shadow_ptr_types (void)
1407{
1408 asan_shadow_set = new_alias_set ();
6dc4a604
ML		 1409 tree types[3] = { signed_char_type_node, short_integer_type_node,
1410 integer_type_node };
1411
1412 for (unsigned i = 0; i < 3; i++)
1413 {
1414 shadow_ptr_types[i] = build_distinct_type_copy (types[i]);
1415 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set;
1416 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]);
1417 }
1418
94fce891
JJ		 1419 initialize_sanitizer_builtins ();
1420}
1421
11a877b3 1422/* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
8240018b
JJ		 1423
1424static tree
11a877b3 1425asan_pp_string (pretty_printer *pp)
8240018b 1426{
11a877b3 1427 const char *buf = pp_formatted_text (pp);
8240018b
JJ		 1428 size_t len = strlen (buf);
1429 tree ret = build_string (len + 1, buf);
1430 TREE_TYPE (ret)
94fce891
JJ		 1431 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
1432 build_index_type (size_int (len)));
8240018b
JJ		 1433 TREE_READONLY (ret) = 1;
1434 TREE_STATIC (ret) = 1;
94fce891 1435 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
8240018b
JJ		 1436}
1437
aeb7e7c1
JJ		 1438/* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1439 though. */
1440
1441static void
1442asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
1443{
3a965f61
DM		 1444 rtx_insn *insn, *insns, *jump;
1445 rtx_code_label *top_label;
1446 rtx end, addr, tmp;
aeb7e7c1 1447
e8094475 1448 gcc_assert ((len & 3) == 0);
aeb7e7c1
JJ		 1449 start_sequence ();
1450 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
1451 insns = get_insns ();
1452 end_sequence ();
1453 for (insn = insns; insn; insn = NEXT_INSN (insn))
1454 if (CALL_P (insn))
1455 break;
1456 if (insn == NULL_RTX)
1457 {
1458 emit_insn (insns);
1459 return;
1460 }
1461
aeb7e7c1 1462 top_label = gen_label_rtx ();
57d4d653 1463 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
aeb7e7c1
JJ		 1464 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1465 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1466 emit_label (top_label);
1467
1468 emit_move_insn (shadow_mem, const0_rtx);
2f1cd2eb 1469 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
c62ccb9a 1470 true, OPTAB_LIB_WIDEN);
aeb7e7c1
JJ		 1471 if (tmp != addr)
1472 emit_move_insn (addr, tmp);
1473 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1474 jump = get_last_insn ();
1475 gcc_assert (JUMP_P (jump));
5fa396ad
JH		 1476 add_reg_br_prob_note (jump,
1477 profile_probability::guessed_always ()
1478 .apply_scale (80, 100));
aeb7e7c1
JJ		 1479}
1480
ef1b3fda
KS		 1481void
1482asan_function_start (void)
1483{
1484 section *fnsec = function_section (current_function_decl);
1485 switch_to_section (fnsec);
1486 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
c62ccb9a 1487 current_function_funcdef_no);
ef1b3fda
KS		 1488}
1489
6dc4a604
ML		 1490/* Return number of shadow bytes that are occupied by a local variable
1491 of SIZE bytes. */
1492
1493static unsigned HOST_WIDE_INT
1494shadow_mem_size (unsigned HOST_WIDE_INT size)
1495{
aa5bfa8d
ML		 1496 /* It must be possible to align stack variables to granularity
1497 of shadow memory. */
1498 gcc_assert (BITS_PER_UNIT
1499 * ASAN_SHADOW_GRANULARITY <= MAX_SUPPORTED_STACK_ALIGNMENT);
1500
6dc4a604
ML		 1501 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY;
1502}
1503
6e644a50
ML		 1504/* Always emit 4 bytes at a time. */
1505#define RZ_BUFFER_SIZE 4
1506
1507/* ASAN redzone buffer container that handles emission of shadow bytes. */
6c1dae73 1508class asan_redzone_buffer
6e644a50 1509{
6c1dae73 1510public:
6e644a50
ML		 1511 /* Constructor. */
1512 asan_redzone_buffer (rtx shadow_mem, HOST_WIDE_INT prev_offset):
1513 m_shadow_mem (shadow_mem), m_prev_offset (prev_offset),
1514 m_original_offset (prev_offset), m_shadow_bytes (RZ_BUFFER_SIZE)
1515 {}
1516
1517 /* Emit VALUE shadow byte at a given OFFSET. */
1518 void emit_redzone_byte (HOST_WIDE_INT offset, unsigned char value);
1519
1520 /* Emit RTX emission of the content of the buffer. */
1521 void flush_redzone_payload (void);
1522
1523private:
1524 /* Flush if the content of the buffer is full
1525 (equal to RZ_BUFFER_SIZE). */
1526 void flush_if_full (void);
1527
1528 /* Memory where we last emitted a redzone payload. */
1529 rtx m_shadow_mem;
1530
1531 /* Relative offset where we last emitted a redzone payload. */
1532 HOST_WIDE_INT m_prev_offset;
1533
1534 /* Relative original offset. Used for checking only. */
1535 HOST_WIDE_INT m_original_offset;
1536
1537public:
1538 /* Buffer with redzone payload. */
1539 auto_vec<unsigned char> m_shadow_bytes;
1540};
1541
1542/* Emit VALUE shadow byte at a given OFFSET. */
1543
1544void
1545asan_redzone_buffer::emit_redzone_byte (HOST_WIDE_INT offset,
1546 unsigned char value)
1547{
1548 gcc_assert ((offset & (ASAN_SHADOW_GRANULARITY - 1)) == 0);
1549 gcc_assert (offset >= m_prev_offset);
1550
1551 HOST_WIDE_INT off
1552 = m_prev_offset + ASAN_SHADOW_GRANULARITY * m_shadow_bytes.length ();
1553 if (off == offset)
9715f10c
JJ		 1554 /* Consecutive shadow memory byte. */;
1555 else if (offset < m_prev_offset + (HOST_WIDE_INT) (ASAN_SHADOW_GRANULARITY
1556 * RZ_BUFFER_SIZE)
1557 && !m_shadow_bytes.is_empty ())
6e644a50 1558 {
9715f10c
JJ		 1559 /* Shadow memory byte with a small gap. */
1560 for (; off < offset; off += ASAN_SHADOW_GRANULARITY)
1561 m_shadow_bytes.safe_push (0);
6e644a50
ML		 1562 }
1563 else
1564 {
1565 if (!m_shadow_bytes.is_empty ())
1566 flush_redzone_payload ();
1567
1568 /* Maybe start earlier in order to use aligned store. */
1569 HOST_WIDE_INT align = (offset - m_prev_offset) % ASAN_RED_ZONE_SIZE;
1570 if (align)
1571 {
1572 offset -= align;
1573 for (unsigned i = 0; i < align / BITS_PER_UNIT; i++)
1574 m_shadow_bytes.safe_push (0);
1575 }
1576
1577 /* Adjust m_prev_offset and m_shadow_mem. */
1578 HOST_WIDE_INT diff = offset - m_prev_offset;
1579 m_shadow_mem = adjust_address (m_shadow_mem, VOIDmode,
1580 diff >> ASAN_SHADOW_SHIFT);
1581 m_prev_offset = offset;
6e644a50 1582 }
9715f10c
JJ		 1583 m_shadow_bytes.safe_push (value);
1584 flush_if_full ();
6e644a50
ML		 1585}
1586
1587/* Emit RTX emission of the content of the buffer. */
1588
1589void
1590asan_redzone_buffer::flush_redzone_payload (void)
1591{
1592 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
1593
1594 if (m_shadow_bytes.is_empty ())
1595 return;
1596
1597 /* Be sure we always emit to an aligned address. */
1598 gcc_assert (((m_prev_offset - m_original_offset)
1599 & (ASAN_RED_ZONE_SIZE - 1)) == 0);
1600
1601 /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */
1602 unsigned l = m_shadow_bytes.length ();
1603 for (unsigned i = 0; i <= RZ_BUFFER_SIZE - l; i++)
1604 m_shadow_bytes.safe_push (0);
1605
1606 if (dump_file && (dump_flags & TDF_DETAILS))
1607 fprintf (dump_file,
1608 "Flushing rzbuffer at offset %" PRId64 " with: ", m_prev_offset);
1609
1610 unsigned HOST_WIDE_INT val = 0;
1611 for (unsigned i = 0; i < RZ_BUFFER_SIZE; i++)
1612 {
1613 unsigned char v
a5b25661 1614 = m_shadow_bytes[BYTES_BIG_ENDIAN ? RZ_BUFFER_SIZE - i - 1 : i];
6e644a50
ML		 1615 val |= (unsigned HOST_WIDE_INT)v << (BITS_PER_UNIT * i);
1616 if (dump_file && (dump_flags & TDF_DETAILS))
1617 fprintf (dump_file, "%02x ", v);
1618 }
1619
1620 if (dump_file && (dump_flags & TDF_DETAILS))
1621 fprintf (dump_file, "\n");
1622
1623 rtx c = gen_int_mode (val, SImode);
1624 m_shadow_mem = adjust_address (m_shadow_mem, SImode, 0);
1625 emit_move_insn (m_shadow_mem, c);
1626 m_shadow_bytes.truncate (0);
1627}
1628
1629/* Flush if the content of the buffer is full
1630 (equal to RZ_BUFFER_SIZE). */
1631
1632void
1633asan_redzone_buffer::flush_if_full (void)
1634{
1635 if (m_shadow_bytes.length () == RZ_BUFFER_SIZE)
1636 flush_redzone_payload ();
1637}
1638
93a73251
MM		 1639
1640/* HWAddressSanitizer (hwasan) is a probabilistic method for detecting
1641 out-of-bounds and use-after-free bugs.
1642 Read more:
1643 http://code.google.com/p/address-sanitizer/
1644
1645 Similar to AddressSanitizer (asan) it consists of two parts: the
1646 instrumentation module in this file, and a run-time library.
1647
1648 The instrumentation module adds a run-time check before every memory insn in
1649 the same manner as asan (see the block comment for AddressSanitizer above).
1650 Currently, hwasan only adds out-of-line instrumentation, where each check is
1651 implemented as a function call to the run-time library. Hence a check for a
1652 load of N bytes from address X would be implemented with a function call to
1653 __hwasan_loadN(X), and checking a store of N bytes from address X would be
1654 implemented with a function call to __hwasan_storeN(X).
1655
1656 The main difference between hwasan and asan is in the information stored to
1657 help this checking. Both sanitizers use a shadow memory area which stores
1658 data recording the state of main memory at a corresponding address.
1659
1660 For hwasan, each 16 byte granule in main memory has a corresponding 1 byte
1661 in shadow memory. This shadow address can be calculated with equation:
1662 (addr >> log_2(HWASAN_TAG_GRANULE_SIZE))
1663 + __hwasan_shadow_memory_dynamic_address;
1664 The conversion between real and shadow memory for asan is given in the block
1665 comment at the top of this file.
1666 The description of how this shadow memory is laid out for asan is in the
1667 block comment at the top of this file, here we describe how this shadow
1668 memory is used for hwasan.
1669
1670 For hwasan, each variable is assigned a byte-sized 'tag'. The extent of
1671 the shadow memory for that variable is filled with the assigned tag, and
1672 every pointer referencing that variable has its top byte set to the same
1673 tag. The run-time library redefines malloc so that every allocation returns
1674 a tagged pointer and tags the corresponding shadow memory with the same tag.
1675
1676 On each pointer dereference the tag found in the pointer is compared to the
1677 tag found in the shadow memory corresponding to the accessed memory address.
1678 If these tags are found to differ then this memory access is judged to be
1679 invalid and a report is generated.
1680
1681 This method of bug detection is not perfect -- it can not catch every bad
1682 access -- but catches them probabilistically instead. There is always the
1683 possibility that an invalid memory access will happen to access memory
1684 tagged with the same tag as the pointer that this access used.
1685 The chances of this are approx. 0.4% for any two uncorrelated objects.
1686
1687 Random tag generation can mitigate this problem by decreasing the
1688 probability that an invalid access will be missed in the same manner over
1689 multiple runs. i.e. if two objects are tagged the same in one run of the
1690 binary they are unlikely to be tagged the same in the next run.
1691 Both heap and stack allocated objects have random tags by default.
1692
1693 [16 byte granule implications]
1694 Since the shadow memory only has a resolution on real memory of 16 bytes,
1695 invalid accesses that are within the same 16 byte granule as a valid
1696 address will not be caught.
1697
1698 There is a "short-granule" feature in the runtime library which does catch
1699 such accesses, but this feature is not implemented for stack objects (since
1700 stack objects are allocated and tagged by compiler instrumentation, and
1701 this feature has not yet been implemented in GCC instrumentation).
1702
1703 Another outcome of this 16 byte resolution is that each tagged object must
1704 be 16 byte aligned. If two objects were to share any 16 byte granule in
1705 memory, then they both would have to be given the same tag, and invalid
1706 accesses to one using a pointer to the other would be undetectable.
1707
1708 [Compiler instrumentation]
1709 Compiler instrumentation ensures that two adjacent buffers on the stack are
1710 given different tags, this means an access to one buffer using a pointer
1711 generated from the other (e.g. through buffer overrun) will have mismatched
1712 tags and be caught by hwasan.
1713
1714 We don't randomly tag every object on the stack, since that would require
1715 keeping many registers to record each tag. Instead we randomly generate a
1716 tag for each function frame, and each new stack object uses a tag offset
1717 from that frame tag.
1718 i.e. each object is tagged as RFT + offset, where RFT is the "random frame
1719 tag" generated for this frame.
1720 This means that randomisation does not peturb the difference between tags
1721 on tagged stack objects within a frame, but this is mitigated by the fact
1722 that objects with the same tag within a frame are very far apart
1723 (approx. 2^HWASAN_TAG_SIZE objects apart).
1724
1725 As a demonstration, using the same example program as in the asan block
1726 comment above:
1727
1728 int
1729 foo ()
1730 {
9c2f0847 1731 char a[24] = {0};
93a73251
MM		 1732 int b[2] = {0};
1733
1734 a[5] = 1;
1735 b[1] = 2;
1736
1737 return a[5] + b[1];
1738 }
1739
1740 On AArch64 the stack will be ordered as follows for the above function:
1741
1742 Slot 1/ [24 bytes for variable 'a']
1743 Slot 2/ [8 bytes padding for alignment]
1744 Slot 3/ [8 bytes for variable 'b']
1745 Slot 4/ [8 bytes padding for alignment]
1746
1747 (The padding is there to ensure 16 byte alignment as described in the 16
1748 byte granule implications).
1749
1750 While the shadow memory will be ordered as follows:
1751
1752 - 2 bytes (representing 32 bytes in real memory) tagged with RFT + 1.
1753 - 1 byte (representing 16 bytes in real memory) tagged with RFT + 2.
1754
1755 And any pointer to "a" will have the tag RFT + 1, and any pointer to "b"
1756 will have the tag RFT + 2.
1757
1758 [Top Byte Ignore requirements]
1759 Hwasan requires the ability to store an 8 bit tag in every pointer. There
1760 is no instrumentation done to remove this tag from pointers before
1761 dereferencing, which means the hardware must ignore this tag during memory
1762 accesses.
1763
1764 Architectures where this feature is available should indicate this using
1765 the TARGET_MEMTAG_CAN_TAG_ADDRESSES hook.
1766
1767 [Stack requires cleanup on unwinding]
1768 During normal operation of a hwasan sanitized program more space in the
1769 shadow memory becomes tagged as the stack grows. As the stack shrinks this
1770 shadow memory space must become untagged. If it is not untagged then when
1771 the stack grows again (during other function calls later on in the program)
1772 objects on the stack that are usually not tagged (e.g. parameters passed on
1773 the stack) can be placed in memory whose shadow space is tagged with
1774 something else, and accesses can cause false positive reports.
1775
1776 Hence we place untagging code on every epilogue of functions which tag some
1777 stack objects.
1778
1779 Moreover, the run-time library intercepts longjmp & setjmp to untag when
1780 the stack is unwound this way.
1781
1782 C++ exceptions are not yet handled, which means this sanitizer can not
1783 handle C++ code that throws exceptions -- it will give false positives
1784 after an exception has been thrown. The implementation that the hwasan
1785 library has for handling these relies on the frame pointer being after any
1786 local variables. This is not generally the case for GCC. */
1787
1788
0854b584
MM		 1789/* Returns whether we are tagging pointers and checking those tags on memory
1790 access. */
1791bool
1792hwasan_sanitize_p ()
1793{
1794 return sanitize_flags_p (SANITIZE_HWADDRESS);
1795}
1796
1797/* Are we tagging the stack? */
1798bool
1799hwasan_sanitize_stack_p ()
1800{
1801 return (hwasan_sanitize_p () && param_hwasan_instrument_stack);
1802}
1803
1804/* Are we tagging alloca objects? */
1805bool
1806hwasan_sanitize_allocas_p (void)
1807{
1808 return (hwasan_sanitize_stack_p () && param_hwasan_instrument_allocas);
1809}
1810
93a73251
MM		 1811/* Should we instrument reads? */
1812bool
1813hwasan_instrument_reads (void)
1814{
1815 return (hwasan_sanitize_p () && param_hwasan_instrument_reads);
1816}
1817
1818/* Should we instrument writes? */
1819bool
1820hwasan_instrument_writes (void)
1821{
1822 return (hwasan_sanitize_p () && param_hwasan_instrument_writes);
1823}
1824
1825/* Should we instrument builtin calls? */
1826bool
1827hwasan_memintrin (void)
1828{
1829 return (hwasan_sanitize_p () && param_hwasan_instrument_mem_intrinsics);
1830}
1831
f3ddd692
JJ		 1832/* Insert code to protect stack vars. The prologue sequence should be emitted
1833 directly, epilogue sequence returned. BASE is the register holding the
1834 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1835 array contains pairs of offsets in reverse order, always the end offset
1836 of some gap that needs protection followed by starting offset,
1837 and DECLS is an array of representative decls for each var partition.
1838 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1839 elements long (OFFSETS include gap before the first variable as well
e361382f
JJ		 1840 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1841 register which stack vars DECL_RTLs are based on. Either BASE should be
1842 assigned to PBASE, when not doing use after return protection, or
1843 corresponding address based on __asan_stack_malloc* return value. */
f3ddd692 1844
3a4abd2f 1845rtx_insn *
e361382f
JJ		 1846asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1847 HOST_WIDE_INT *offsets, tree *decls, int length)
f3ddd692 1848{
19f8b229
TS		 1849 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1850 rtx_code_label *lab;
3a4abd2f 1851 rtx_insn *insns;
47d5beb4 1852 char buf[32];
e361382f
JJ		 1853 HOST_WIDE_INT base_offset = offsets[length - 1];
1854 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1855 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
e8094475 1856 HOST_WIDE_INT last_offset, last_size, last_size_aligned;
f3ddd692
JJ		 1857 int l;
1858 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
ef1b3fda 1859 tree str_cst, decl, id;
e361382f 1860 int use_after_return_class = -1;
f3ddd692 1861
b6330a76
JJ		 1862 /* Don't emit anything when doing error recovery, the assertions
1863 might fail e.g. if a function had a frame offset overflow. */
1864 if (seen_error ())
1865 return NULL;
1866
94fce891
JJ		 1867 if (shadow_ptr_types[0] == NULL_TREE)
1868 asan_init_shadow_ptr_types ();
1869
2c73950d
ML		 1870 expanded_location cfun_xloc
1871 = expand_location (DECL_SOURCE_LOCATION (current_function_decl));
1872
f3ddd692 1873 /* First of all, prepare the description string. */
11a877b3 1874 pretty_printer asan_pp;
da6ca2b5 1875
8240018b
JJ		 1876 pp_decimal_int (&asan_pp, length / 2 - 1);
1877 pp_space (&asan_pp);
f3ddd692
JJ		 1878 for (l = length - 2; l; l -= 2)
1879 {
1880 tree decl = decls[l / 2 - 1];
8240018b
JJ		 1881 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1882 pp_space (&asan_pp);
1883 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1884 pp_space (&asan_pp);
2c73950d
ML		 1885
1886 expanded_location xloc
1887 = expand_location (DECL_SOURCE_LOCATION (decl));
1888 char location[32];
1889
1890 if (xloc.file == cfun_xloc.file)
1891 sprintf (location, ":%d", xloc.line);
1892 else
1893 location[0] = '\0';
1894
f3ddd692
JJ		 1895 if (DECL_P (decl) && DECL_NAME (decl))
1896 {
2c73950d
ML		 1897 unsigned idlen
1898 = IDENTIFIER_LENGTH (DECL_NAME (decl)) + strlen (location);
1899 pp_decimal_int (&asan_pp, idlen);
8240018b 1900 pp_space (&asan_pp);
b066401f 1901 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
2c73950d 1902 pp_string (&asan_pp, location);
f3ddd692
JJ		 1903 }
1904 else
8240018b 1905 pp_string (&asan_pp, "9 <unknown>");
2c73950d
ML		 1906
1907 if (l > 2)
1908 pp_space (&asan_pp);
f3ddd692 1909 }
11a877b3 1910 str_cst = asan_pp_string (&asan_pp);
f3ddd692
JJ		 1911
1912 /* Emit the prologue sequence. */
b5ebc991 1913 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
028d4092 1914 && param_asan_use_after_return)
e361382f
JJ		 1915 {
1916 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1917 /* __asan_stack_malloc_N guarantees alignment
c62ccb9a 1918 N < 6 ? (64 << N) : 4096 bytes. */
e361382f
JJ		 1919 if (alignb > (use_after_return_class < 6
1920 ? (64U << use_after_return_class) : 4096U))
1921 use_after_return_class = -1;
1922 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1923 base_align_bias = ((asan_frame_size + alignb - 1)
1924 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1925 }
362432c0 1926
e5dcd695
LZ		 1927 /* Align base if target is STRICT_ALIGNMENT. */
1928 if (STRICT_ALIGNMENT)
362432c0
EB		 1929 {
1930 const HOST_WIDE_INT align
1931 = (GET_MODE_ALIGNMENT (SImode) / BITS_PER_UNIT) << ASAN_SHADOW_SHIFT;
1932 base = expand_binop (Pmode, and_optab, base, gen_int_mode (-align, Pmode),
1933 NULL_RTX, 1, OPTAB_DIRECT);
1934 }
e5dcd695 1935
e361382f
JJ		 1936 if (use_after_return_class == -1 && pbase)
1937 emit_move_insn (pbase, base);
e5dcd695 1938
2f1cd2eb 1939 base = expand_binop (Pmode, add_optab, base,
e361382f 1940 gen_int_mode (base_offset - base_align_bias, Pmode),
f3ddd692 1941 NULL_RTX, 1, OPTAB_DIRECT);
e361382f
JJ		 1942 orig_base = NULL_RTX;
1943 if (use_after_return_class != -1)
1944 {
1945 if (asan_detect_stack_use_after_return == NULL_TREE)
1946 {
1947 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1948 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1949 integer_type_node);
1950 SET_DECL_ASSEMBLER_NAME (decl, id);
1951 TREE_ADDRESSABLE (decl) = 1;
1952 DECL_ARTIFICIAL (decl) = 1;
1953 DECL_IGNORED_P (decl) = 1;
1954 DECL_EXTERNAL (decl) = 1;
1955 TREE_STATIC (decl) = 1;
1956 TREE_PUBLIC (decl) = 1;
1957 TREE_USED (decl) = 1;
1958 asan_detect_stack_use_after_return = decl;
1959 }
1960 orig_base = gen_reg_rtx (Pmode);
1961 emit_move_insn (orig_base, base);
1962 ret = expand_normal (asan_detect_stack_use_after_return);
1963 lab = gen_label_rtx ();
e361382f 1964 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
357067f2
JH		 1965 VOIDmode, 0, lab,
1966 profile_probability::very_likely ());
e361382f
JJ		 1967 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1968 use_after_return_class);
1969 ret = init_one_libfunc (buf);
db69559b 1970 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode,
e361382f
JJ		 1971 GEN_INT (asan_frame_size
1972 + base_align_bias),
89e302b8
MO		 1973 TYPE_MODE (pointer_sized_int_node));
1974 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1975 and NULL otherwise. Check RET value is NULL here and jump over the
1976 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
89e302b8 1977 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
357067f2
JH		 1978 VOIDmode, 0, lab,
1979 profile_probability:: very_unlikely ());
e361382f
JJ		 1980 ret = convert_memory_address (Pmode, ret);
1981 emit_move_insn (base, ret);
1982 emit_label (lab);
1983 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1984 gen_int_mode (base_align_bias
1985 - base_offset, Pmode),
1986 NULL_RTX, 1, OPTAB_DIRECT));
1987 }
f3ddd692 1988 mem = gen_rtx_MEM (ptr_mode, base);
e361382f 1989 mem = adjust_address (mem, VOIDmode, base_align_bias);
69db2d57 1990 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
f3ddd692
JJ		 1991 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1992 emit_move_insn (mem, expand_normal (str_cst));
ef1b3fda
KS		 1993 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1994 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1995 id = get_identifier (buf);
1996 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
c62ccb9a 1997 VAR_DECL, id, char_type_node);
ef1b3fda
KS		 1998 SET_DECL_ASSEMBLER_NAME (decl, id);
1999 TREE_ADDRESSABLE (decl) = 1;
2000 TREE_READONLY (decl) = 1;
2001 DECL_ARTIFICIAL (decl) = 1;
2002 DECL_IGNORED_P (decl) = 1;
2003 TREE_STATIC (decl) = 1;
2004 TREE_PUBLIC (decl) = 0;
2005 TREE_USED (decl) = 1;
8c8b21e4
JJ		 2006 DECL_INITIAL (decl) = decl;
2007 TREE_ASM_WRITTEN (decl) = 1;
2008 TREE_ASM_WRITTEN (id) = 1;
ef1b3fda 2009 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
f3ddd692 2010 shadow_base = expand_binop (Pmode, lshr_optab, base,
abd3c800 2011 gen_int_shift_amount (Pmode, ASAN_SHADOW_SHIFT),
f3ddd692 2012 NULL_RTX, 1, OPTAB_DIRECT);
e361382f
JJ		 2013 shadow_base
2014 = plus_constant (Pmode, shadow_base,
fd960af2 2015 asan_shadow_offset ()
e361382f 2016 + (base_align_bias >> ASAN_SHADOW_SHIFT));
f3ddd692
JJ		 2017 gcc_assert (asan_shadow_set != -1
2018 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
2019 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
2020 set_mem_alias_set (shadow_mem, asan_shadow_set);
e5dcd695
LZ		 2021 if (STRICT_ALIGNMENT)
2022 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
f3ddd692 2023 prev_offset = base_offset;
6e644a50
ML		 2024
2025 asan_redzone_buffer rz_buffer (shadow_mem, prev_offset);
f3ddd692
JJ		 2026 for (l = length; l; l -= 2)
2027 {
2028 if (l == 2)
2029 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
2030 offset = offsets[l - 1];
6e644a50
ML		 2031
2032 bool extra_byte = (offset - base_offset) & (ASAN_SHADOW_GRANULARITY - 1);
2033 /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then
2034 the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0.
2035 In that case we have to emit one extra byte that will describe
2036 how many bytes (our of ASAN_SHADOW_GRANULARITY) can be accessed. */
2037 if (extra_byte)
f3ddd692 2038 {
f3ddd692
JJ		 2039 HOST_WIDE_INT aoff
2040 = base_offset + ((offset - base_offset)
6e644a50
ML		 2041 & ~(ASAN_SHADOW_GRANULARITY - HOST_WIDE_INT_1));
2042 rz_buffer.emit_redzone_byte (aoff, offset - aoff);
2043 offset = aoff + ASAN_SHADOW_GRANULARITY;
f3ddd692 2044 }
6e644a50
ML		 2045
2046 /* Calculate size of red zone payload. */
2047 while (offset < offsets[l - 2])
f3ddd692 2048 {
6e644a50
ML		 2049 rz_buffer.emit_redzone_byte (offset, cur_shadow_byte);
2050 offset += ASAN_SHADOW_GRANULARITY;
f3ddd692 2051 }
6e644a50 2052
f3ddd692
JJ		 2053 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
2054 }
6e644a50
ML		 2055
2056 /* As the automatic variables are aligned to
2057 ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be
2058 flushed here. */
2059 gcc_assert (rz_buffer.m_shadow_bytes.is_empty ());
2060
f3ddd692
JJ		 2061 do_pending_stack_adjust ();
2062
2063 /* Construct epilogue sequence. */
2064 start_sequence ();
2065
19f8b229 2066 lab = NULL;
e361382f
JJ		 2067 if (use_after_return_class != -1)
2068 {
19f8b229 2069 rtx_code_label *lab2 = gen_label_rtx ();
e361382f 2070 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
e361382f 2071 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
357067f2
JH		 2072 VOIDmode, 0, lab2,
2073 profile_probability::very_likely ());
e361382f
JJ		 2074 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
2075 set_mem_alias_set (shadow_mem, asan_shadow_set);
2076 mem = gen_rtx_MEM (ptr_mode, base);
2077 mem = adjust_address (mem, VOIDmode, base_align_bias);
2078 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
2079 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
2080 if (use_after_return_class < 5
2081 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
2082 BITS_PER_UNIT, true))
8b6731e6
ML		 2083 {
2084 /* Emit:
2085 memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
2086 **SavedFlagPtr(FakeStack, class_id) = 0
2087 */
2088 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
2089 BITS_PER_UNIT, true, RETURN_BEGIN);
2090
2091 unsigned HOST_WIDE_INT offset
2092 = (1 << (use_after_return_class + 6));
2093 offset -= GET_MODE_SIZE (ptr_mode);
2094 mem = gen_rtx_MEM (ptr_mode, base);
2095 mem = adjust_address (mem, ptr_mode, offset);
2096 rtx addr = gen_reg_rtx (ptr_mode);
2097 emit_move_insn (addr, mem);
8cff672c 2098 addr = convert_memory_address (Pmode, addr);
8b6731e6
ML		 2099 mem = gen_rtx_MEM (QImode, addr);
2100 emit_move_insn (mem, const0_rtx);
2101 }
e361382f
JJ		 2102 else if (use_after_return_class >= 5
2103 || !set_storage_via_setmem (shadow_mem,
2104 GEN_INT (sz),
2105 gen_int_mode (c, QImode),
2106 BITS_PER_UNIT, BITS_PER_UNIT,
2107 -1, sz, sz, sz))
2108 {
2109 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
2110 use_after_return_class);
2111 ret = init_one_libfunc (buf);
2112 rtx addr = convert_memory_address (ptr_mode, base);
2113 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
db69559b 2114 emit_library_call (ret, LCT_NORMAL, ptr_mode, addr, ptr_mode,
e361382f
JJ		 2115 GEN_INT (asan_frame_size + base_align_bias),
2116 TYPE_MODE (pointer_sized_int_node),
2117 orig_addr, ptr_mode);
2118 }
2119 lab = gen_label_rtx ();
2120 emit_jump (lab);
2121 emit_label (lab2);
2122 }
2123
f3ddd692
JJ		 2124 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
2125 set_mem_alias_set (shadow_mem, asan_shadow_set);
e5dcd695
LZ		 2126
2127 if (STRICT_ALIGNMENT)
2128 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
2129
7b972538 2130 prev_offset = base_offset;
f3ddd692 2131 last_offset = base_offset;
7b972538 2132 last_size = 0;
e8094475 2133 last_size_aligned = 0;
7b972538 2134 for (l = length; l; l -= 2)
f3ddd692 2135 {
7b972538 2136 offset = base_offset + ((offsets[l - 1] - base_offset)
e8094475
JJ		 2137 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
2138 if (last_offset + last_size_aligned < offset)
f3ddd692 2139 {
7b972538
ML		 2140 shadow_mem = adjust_address (shadow_mem, VOIDmode,
2141 (last_offset - prev_offset)
2142 >> ASAN_SHADOW_SHIFT);
2143 prev_offset = last_offset;
e8094475 2144 asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT);
7b972538
ML		 2145 last_offset = offset;
2146 last_size = 0;
2147 }
e8094475
JJ		 2148 else
2149 last_size = offset - last_offset;
7b972538 2150 last_size += base_offset + ((offsets[l - 2] - base_offset)
6e644a50 2151 & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
7b972538 2152 - offset;
6dc4a604 2153
7b972538
ML		 2154 /* Unpoison shadow memory that corresponds to a variable that is
2155 is subject of use-after-return sanitization. */
2156 if (l > 2)
2157 {
2158 decl = decls[l / 2 - 2];
6dc4a604
ML		 2159 if (asan_handled_variables != NULL
2160 && asan_handled_variables->contains (decl))
2161 {
7b972538 2162 HOST_WIDE_INT size = offsets[l - 3] - offsets[l - 2];
6dc4a604
ML		 2163 if (dump_file && (dump_flags & TDF_DETAILS))
2164 {
2165 const char *n = (DECL_NAME (decl)
2166 ? IDENTIFIER_POINTER (DECL_NAME (decl))
2167 : "<unknown>");
2168 fprintf (dump_file, "Unpoisoning shadow stack for variable: "
7b972538 2169 "%s (%" PRId64 " B)\n", n, size);
6dc4a604
ML		 2170 }
2171
6e644a50 2172 last_size += size & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1);
6dc4a604 2173 }
f3ddd692 2174 }
e8094475
JJ		 2175 last_size_aligned
2176 = ((last_size + (ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
2177 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
7b972538 2178 }
e8094475 2179 if (last_size_aligned)
7b972538
ML		 2180 {
2181 shadow_mem = adjust_address (shadow_mem, VOIDmode,
2182 (last_offset - prev_offset)
2183 >> ASAN_SHADOW_SHIFT);
e8094475 2184 asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT);
f3ddd692
JJ		 2185 }
2186
6dc4a604
ML		 2187 /* Clean-up set with instrumented stack variables. */
2188 delete asan_handled_variables;
2189 asan_handled_variables = NULL;
2190 delete asan_used_labels;
2191 asan_used_labels = NULL;
2192
f3ddd692 2193 do_pending_stack_adjust ();
e361382f
JJ		 2194 if (lab)
2195 emit_label (lab);
f3ddd692 2196
3a4abd2f 2197 insns = get_insns ();
f3ddd692 2198 end_sequence ();
3a4abd2f 2199 return insns;
f3ddd692
JJ		 2200}
2201
e3174bdf
MO		 2202/* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds
2203 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE
2204 indicates whether we're emitting new instructions sequence or not. */
2205
2206rtx_insn *
2207asan_emit_allocas_unpoison (rtx top, rtx bot, rtx_insn *before)
2208{
2209 if (before)
2210 push_to_sequence (before);
2211 else
2212 start_sequence ();
2213 rtx ret = init_one_libfunc ("__asan_allocas_unpoison");
8f4956ca
MO		 2214 top = convert_memory_address (ptr_mode, top);
2215 bot = convert_memory_address (ptr_mode, bot);
45309d28
ML		 2216 emit_library_call (ret, LCT_NORMAL, ptr_mode,
2217 top, ptr_mode, bot, ptr_mode);
e3174bdf
MO		 2218
2219 do_pending_stack_adjust ();
2220 rtx_insn *insns = get_insns ();
2221 end_sequence ();
2222 return insns;
2223}
2224
8240018b
JJ		 2225/* Return true if DECL, a global var, might be overridden and needs
2226 therefore a local alias. */
2227
2228static bool
2229asan_needs_local_alias (tree decl)
2230{
2231 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
2232}
2233
84b0769e
MO		 2234/* Return true if DECL, a global var, is an artificial ODR indicator symbol
2235 therefore doesn't need protection. */
2236
2237static bool
2238is_odr_indicator (tree decl)
2239{
2240 return (DECL_ARTIFICIAL (decl)
2241 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl)));
2242}
2243
8240018b
JJ		 2244/* Return true if DECL is a VAR_DECL that should be protected
2245 by Address Sanitizer, by appending a red zone with protected
2246 shadow memory after it and aligning it to at least
2247 ASAN_RED_ZONE_SIZE bytes. */
2248
2249bool
1069dc25 2250asan_protect_global (tree decl, bool ignore_decl_rtl_set_p)
8240018b 2251{
028d4092 2252 if (!param_asan_globals)
b5ebc991
MO		 2253 return false;
2254
8240018b 2255 rtx rtl, symbol;
8240018b 2256
94fce891
JJ		 2257 if (TREE_CODE (decl) == STRING_CST)
2258 {
2259 /* Instrument all STRING_CSTs except those created
2260 by asan_pp_string here. */
2261 if (shadow_ptr_types[0] != NULL_TREE
2262 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
2263 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
2264 return false;
2265 return true;
2266 }
8813a647 2267 if (!VAR_P (decl)
8240018b
JJ		 2268 /* TLS vars aren't statically protectable. */
2269 || DECL_THREAD_LOCAL_P (decl)
2270 /* Externs will be protected elsewhere. */
2271 || DECL_EXTERNAL (decl)
1069dc25
MO		 2272 /* PR sanitizer/81697: For architectures that use section anchors first
2273 call to asan_protect_global may occur before DECL_RTL (decl) is set.
2274 We should ignore DECL_RTL_SET_P then, because otherwise the first call
2275 to asan_protect_global will return FALSE and the following calls on the
2276 same decl after setting DECL_RTL (decl) will return TRUE and we'll end
2277 up with inconsistency at runtime. */
2278 || (!DECL_RTL_SET_P (decl) && !ignore_decl_rtl_set_p)
8240018b
JJ		 2279 /* Comdat vars pose an ABI problem, we can't know if
2280 the var that is selected by the linker will have
2281 padding or not. */
2282 || DECL_ONE_ONLY (decl)
f1d15bb9
DV		 2283 /* Similarly for common vars. People can use -fno-common.
2284 Note: Linux kernel is built with -fno-common, so we do instrument
2285 globals there even if it is C. */
a8a6fd74 2286 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
8240018b
JJ		 2287 /* Don't protect if using user section, often vars placed
2288 into user section from multiple TUs are then assumed
2289 to be an array of such vars, putting padding in there
2290 breaks this assumption. */
f961457f 2291 || (DECL_SECTION_NAME (decl) != NULL
18af8d16
YG		 2292 && !symtab_node::get (decl)->implicit_section
2293 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
7e404978
RB		 2294 /* Don't protect variables in non-generic address-space. */
2295 || !ADDR_SPACE_GENERIC_P (TYPE_ADDR_SPACE (TREE_TYPE (decl)))
8240018b
JJ		 2296 || DECL_SIZE (decl) == 0
2297 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
36fd6408 2298 || TREE_CODE (DECL_SIZE_UNIT (decl)) != INTEGER_CST
8240018b 2299 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
21a82048 2300 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
84b0769e
MO		 2301 || TREE_TYPE (decl) == ubsan_get_source_location_type ()
2302 || is_odr_indicator (decl))
8240018b
JJ		 2303 return false;
2304
1069dc25
MO		 2305 if (!ignore_decl_rtl_set_p || DECL_RTL_SET_P (decl))
2306 {
8240018b 2307
1069dc25
MO		 2308 rtl = DECL_RTL (decl);
2309 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
2310 return false;
2311 symbol = XEXP (rtl, 0);
2312
2313 if (CONSTANT_POOL_ADDRESS_P (symbol)
2314 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
2315 return false;
2316 }
8240018b 2317
8240018b
JJ		 2318 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
2319 return false;
2320
a8b522b4 2321 if (!TARGET_SUPPORTS_ALIASES && asan_needs_local_alias (decl))
8240018b 2322 return false;
8240018b 2323
497a1c66 2324 return true;
8240018b
JJ		 2325}
2326
40f9f6bb
JJ		 2327/* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
2328 IS_STORE is either 1 (for a store) or 0 (for a load). */
37d6f666
WM		 2329
2330static tree
fed4de37
YG		 2331report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
2332 int *nargs)
37d6f666 2333{
93a73251
MM		 2334 gcc_assert (!hwasan_sanitize_p ());
2335
fed4de37
YG		 2336 static enum built_in_function report[2][2][6]
2337 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
2338 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
2339 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
2340 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
2341 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
2342 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
2343 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
2344 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
2345 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
2346 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
2347 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
2348 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
2349 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
2350 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
2351 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
2352 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
2353 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
2354 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
8946c29e
YG		 2355 if (size_in_bytes == -1)
2356 {
2357 *nargs = 2;
fed4de37 2358 return builtin_decl_implicit (report[recover_p][is_store][5]);
8946c29e
YG		 2359 }
2360 *nargs = 1;
fed4de37
YG		 2361 int size_log2 = exact_log2 (size_in_bytes);
2362 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
37d6f666
WM		 2363}
2364
8946c29e
YG		 2365/* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
2366 IS_STORE is either 1 (for a store) or 0 (for a load). */
2367
2368static tree
fed4de37
YG		 2369check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
2370 int *nargs)
8946c29e 2371{
fed4de37
YG		 2372 static enum built_in_function check[2][2][6]
2373 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
2374 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
2375 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
2376 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
2377 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
2378 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
2379 { { BUILT_IN_ASAN_LOAD1_NOABORT,
2380 BUILT_IN_ASAN_LOAD2_NOABORT,
2381 BUILT_IN_ASAN_LOAD4_NOABORT,
2382 BUILT_IN_ASAN_LOAD8_NOABORT,
2383 BUILT_IN_ASAN_LOAD16_NOABORT,
2384 BUILT_IN_ASAN_LOADN_NOABORT },
2385 { BUILT_IN_ASAN_STORE1_NOABORT,
2386 BUILT_IN_ASAN_STORE2_NOABORT,
2387 BUILT_IN_ASAN_STORE4_NOABORT,
2388 BUILT_IN_ASAN_STORE8_NOABORT,
2389 BUILT_IN_ASAN_STORE16_NOABORT,
2390 BUILT_IN_ASAN_STOREN_NOABORT } } };
8946c29e
YG		 2391 if (size_in_bytes == -1)
2392 {
2393 *nargs = 2;
fed4de37 2394 return builtin_decl_implicit (check[recover_p][is_store][5]);
8946c29e
YG		 2395 }
2396 *nargs = 1;
fed4de37
YG		 2397 int size_log2 = exact_log2 (size_in_bytes);
2398 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
8946c29e
YG		 2399}
2400
01452015 2401/* Split the current basic block and create a condition statement
25ae5027
DS		 2402 insertion point right before or after the statement pointed to by
2403 ITER. Return an iterator to the point at which the caller might
2404 safely insert the condition statement.
01452015
DS		 2405
2406 THEN_BLOCK must be set to the address of an uninitialized instance
2407 of basic_block. The function will then set *THEN_BLOCK to the
2408 'then block' of the condition statement to be inserted by the
2409 caller.
2410
c4bfe8bf
JJ		 2411 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
2412 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
2413
01452015
DS		 2414 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
2415 block' of the condition statement to be inserted by the caller.
2416
2417 Note that *FALLTHROUGH_BLOCK is a new block that contains the
2418 statements starting from *ITER, and *THEN_BLOCK is a new empty
2419 block.
2420
25ae5027
DS		 2421 *ITER is adjusted to point to always point to the first statement
2422 of the basic block * FALLTHROUGH_BLOCK. That statement is the
2423 same as what ITER was pointing to prior to calling this function,
2424 if BEFORE_P is true; otherwise, it is its following statement. */
01452015 2425
ac0ff9f2 2426gimple_stmt_iterator
25ae5027
DS		 2427create_cond_insert_point (gimple_stmt_iterator *iter,
2428 bool before_p,
2429 bool then_more_likely_p,
c4bfe8bf 2430 bool create_then_fallthru_edge,
25ae5027
DS		 2431 basic_block *then_block,
2432 basic_block *fallthrough_block)
01452015
DS		 2433{
2434 gimple_stmt_iterator gsi = *iter;
2435
25ae5027 2436 if (!gsi_end_p (gsi) && before_p)
01452015
DS		 2437 gsi_prev (&gsi);
2438
2439 basic_block cur_bb = gsi_bb (*iter);
2440
2441 edge e = split_block (cur_bb, gsi_stmt (gsi));
2442
2443 /* Get a hold on the 'condition block', the 'then block' and the
2444 'else block'. */
2445 basic_block cond_bb = e->src;
2446 basic_block fallthru_bb = e->dest;
2447 basic_block then_bb = create_empty_bb (cond_bb);
a9e0d843
RB		 2448 if (current_loops)
2449 {
2450 add_bb_to_loop (then_bb, cond_bb->loop_father);
2451 loops_state_set (LOOPS_NEED_FIXUP);
2452 }
01452015
DS		 2453
2454 /* Set up the newly created 'then block'. */
2455 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
e4e822ab 2456 profile_probability fallthrough_probability
01452015 2457 = then_more_likely_p
e4e822ab
JH		 2458 ? profile_probability::very_unlikely ()
2459 : profile_probability::very_likely ();
2460 e->probability = fallthrough_probability.invert ();
e7a74006 2461 then_bb->count = e->count ();
c4bfe8bf
JJ		 2462 if (create_then_fallthru_edge)
2463 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
01452015
DS		 2464
2465 /* Set up the fallthrough basic block. */
2466 e = find_edge (cond_bb, fallthru_bb);
2467 e->flags = EDGE_FALSE_VALUE;
e4e822ab 2468 e->probability = fallthrough_probability;
01452015
DS		 2469
2470 /* Update dominance info for the newly created then_bb; note that
2471 fallthru_bb's dominance info has already been updated by
2472 split_bock. */
2473 if (dom_info_available_p (CDI_DOMINATORS))
2474 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
2475
2476 *then_block = then_bb;
2477 *fallthrough_block = fallthru_bb;
2478 *iter = gsi_start_bb (fallthru_bb);
2479
2480 return gsi_last_bb (cond_bb);
2481}
2482
25ae5027
DS		 2483/* Insert an if condition followed by a 'then block' right before the
2484 statement pointed to by ITER. The fallthrough block -- which is the
2485 else block of the condition as well as the destination of the
2486 outcoming edge of the 'then block' -- starts with the statement
2487 pointed to by ITER.
2488
497a1c66 2489 COND is the condition of the if.
25ae5027
DS		 2490
2491 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
2492 'then block' is higher than the probability of the edge to the
2493 fallthrough block.
2494
2495 Upon completion of the function, *THEN_BB is set to the newly
2496 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
2497 fallthrough block.
2498
2499 *ITER is adjusted to still point to the same statement it was
2500 pointing to initially. */
2501
2502static void
538dd0b7 2503insert_if_then_before_iter (gcond *cond,
25ae5027
DS		 2504 gimple_stmt_iterator *iter,
2505 bool then_more_likely_p,
2506 basic_block *then_bb,
2507 basic_block *fallthrough_bb)
2508{
2509 gimple_stmt_iterator cond_insert_point =
2510 create_cond_insert_point (iter,
2511 /*before_p=*/true,
2512 then_more_likely_p,
c4bfe8bf 2513 /*create_then_fallthru_edge=*/true,
25ae5027
DS		 2514 then_bb,
2515 fallthrough_bb);
2516 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
2517}
2518
6dc4a604
ML		 2519/* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
2520 If RETURN_ADDRESS is set to true, return memory location instread
2521 of a value in the shadow memory. */
40f9f6bb
JJ		 2522
2523static tree
2524build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
6dc4a604
ML		 2525 tree base_addr, tree shadow_ptr_type,
2526 bool return_address = false)
40f9f6bb
JJ		 2527{
2528 tree t, uintptr_type = TREE_TYPE (base_addr);
2529 tree shadow_type = TREE_TYPE (shadow_ptr_type);
355fe088 2530 gimple *g;
40f9f6bb
JJ		 2531
2532 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
0d0e4a03
JJ		 2533 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
2534 base_addr, t);
40f9f6bb
JJ		 2535 gimple_set_location (g, location);
2536 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2537
fd960af2 2538 t = build_int_cst (uintptr_type, asan_shadow_offset ());
0d0e4a03
JJ		 2539 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
2540 gimple_assign_lhs (g), t);
40f9f6bb
JJ		 2541 gimple_set_location (g, location);
2542 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2543
0d0e4a03
JJ		 2544 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
2545 gimple_assign_lhs (g));
40f9f6bb
JJ		 2546 gimple_set_location (g, location);
2547 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2548
6dc4a604
ML		 2549 if (!return_address)
2550 {
2551 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
2552 build_int_cst (shadow_ptr_type, 0));
2553 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
2554 gimple_set_location (g, location);
2555 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2556 }
2557
40f9f6bb
JJ		 2558 return gimple_assign_lhs (g);
2559}
2560
8946c29e
YG		 2561/* BASE can already be an SSA_NAME; in that case, do not create a
2562 new SSA_NAME for it. */
2563
2564static tree
2565maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
2566 bool before_p)
2567{
4e3d3e40 2568 STRIP_USELESS_TYPE_CONVERSION (base);
8946c29e
YG		 2569 if (TREE_CODE (base) == SSA_NAME)
2570 return base;
4e3d3e40 2571 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)), base);
8946c29e
YG		 2572 gimple_set_location (g, loc);
2573 if (before_p)
2574 gsi_insert_before (iter, g, GSI_SAME_STMT);
2575 else
2576 gsi_insert_after (iter, g, GSI_NEW_STMT);
2577 return gimple_assign_lhs (g);
2578}
2579
a2f581e1
YG		 2580/* LEN can already have necessary size and precision;
2581 in that case, do not create a new variable. */
2582
2583tree
2584maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
2585 bool before_p)
2586{
2587 if (ptrofftype_p (len))
2588 return len;
355fe088 2589 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
0d0e4a03 2590 NOP_EXPR, len);
a2f581e1
YG		 2591 gimple_set_location (g, loc);
2592 if (before_p)
2593 gsi_insert_before (iter, g, GSI_SAME_STMT);
2594 else
2595 gsi_insert_after (iter, g, GSI_NEW_STMT);
2596 return gimple_assign_lhs (g);
2597}
2598
dc29bf1e 2599/* Instrument the memory access instruction BASE. Insert new
25ae5027 2600 statements before or after ITER.
dc29bf1e
DS		 2601
2602 Note that the memory access represented by BASE can be either an
2603 SSA_NAME, or a non-SSA expression. LOCATION is the source code
2604 location. IS_STORE is TRUE for a store, FALSE for a load.
25ae5027 2605 BEFORE_P is TRUE for inserting the instrumentation code before
8946c29e
YG		 2606 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
2607 for a scalar memory access and FALSE for memory region access.
2608 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
2609 length. ALIGN tells alignment of accessed memory object.
2610
2611 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
2612 memory region have already been instrumented.
25ae5027
DS		 2613
2614 If BEFORE_P is TRUE, *ITER is arranged to still point to the
2615 statement it was pointing to prior to calling this function,
2616 otherwise, it points to the statement logically following it. */
37d6f666
WM		 2617
2618static void
c62ccb9a 2619build_check_stmt (location_t loc, tree base, tree len,
8946c29e 2620 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
c62ccb9a 2621 bool is_non_zero_len, bool before_p, bool is_store,
bdea98ca 2622 bool is_scalar_access, unsigned int align = 0)
37d6f666 2623{
8946c29e 2624 gimple_stmt_iterator gsi = *iter;
355fe088 2625 gimple *g;
8946c29e 2626
c62ccb9a 2627 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
93a73251 2628 gcc_assert (size_in_bytes == -1 || size_in_bytes >= 1);
8946c29e 2629
c62ccb9a
YG		 2630 gsi = *iter;
2631
2632 base = unshare_expr (base);
2633 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
2634
8946c29e 2635 if (len)
a2f581e1
YG		 2636 {
2637 len = unshare_expr (len);
2638 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
2639 }
8946c29e
YG		 2640 else
2641 {
2642 gcc_assert (size_in_bytes != -1);
2643 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
2644 }
2645
2646 if (size_in_bytes > 1)
b3f1051b 2647 {
8946c29e
YG		 2648 if ((size_in_bytes & (size_in_bytes - 1)) != 0
2649 || size_in_bytes > 16)
c62ccb9a 2650 is_scalar_access = false;
8946c29e
YG		 2651 else if (align && align < size_in_bytes * BITS_PER_UNIT)
2652 {
2653 /* On non-strict alignment targets, if
2654 16-byte access is just 8-byte aligned,
2655 this will result in misaligned shadow
2656 memory 2 byte load, but otherwise can
2657 be handled using one read. */
2658 if (size_in_bytes != 16
2659 || STRICT_ALIGNMENT
2660 || align < 8 * BITS_PER_UNIT)
c62ccb9a 2661 is_scalar_access = false;
40f9f6bb 2662 }
f6d98484 2663 }
37d6f666 2664
c62ccb9a
YG		 2665 HOST_WIDE_INT flags = 0;
2666 if (is_store)
2667 flags |= ASAN_CHECK_STORE;
2668 if (is_non_zero_len)
2669 flags |= ASAN_CHECK_NON_ZERO_LEN;
2670 if (is_scalar_access)
2671 flags |= ASAN_CHECK_SCALAR_ACCESS;
c62ccb9a 2672
93a73251
MM		 2673 enum internal_fn fn = hwasan_sanitize_p ()
2674 ? IFN_HWASAN_CHECK
2675 : IFN_ASAN_CHECK;
2676
2677 g = gimple_build_call_internal (fn, 4,
c62ccb9a 2678 build_int_cst (integer_type_node, flags),
f434eb69
MZ		 2679 base, len,
2680 build_int_cst (integer_type_node,
2681 align / BITS_PER_UNIT));
c62ccb9a
YG		 2682 gimple_set_location (g, loc);
2683 if (before_p)
2684 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
8946c29e
YG		 2685 else
2686 {
8946c29e 2687 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
c62ccb9a
YG		 2688 gsi_next (&gsi);
2689 *iter = gsi;
8946c29e 2690 }
37d6f666
WM		 2691}
2692
2693/* If T represents a memory access, add instrumentation code before ITER.
2694 LOCATION is source code location.
25ae5027 2695 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
37d6f666
WM		 2696
2697static void
2698instrument_derefs (gimple_stmt_iterator *iter, tree t,
bdcbe80c 2699 location_t location, bool is_store)
37d6f666 2700{
93a73251 2701 if (is_store && !(asan_instrument_writes () || hwasan_instrument_writes ()))
b5ebc991 2702 return;
93a73251 2703 if (!is_store && !(asan_instrument_reads () || hwasan_instrument_reads ()))
b5ebc991
MO		 2704 return;
2705
37d6f666 2706 tree type, base;
f6d98484 2707 HOST_WIDE_INT size_in_bytes;
c3da4956
MO		 2708 if (location == UNKNOWN_LOCATION)
2709 location = EXPR_LOCATION (t);
37d6f666
WM		 2710
2711 type = TREE_TYPE (t);
37d6f666
WM		 2712 switch (TREE_CODE (t))
2713 {
2714 case ARRAY_REF:
2715 case COMPONENT_REF:
2716 case INDIRECT_REF:
2717 case MEM_REF:
59b36ecf 2718 case VAR_DECL:
913f32a1 2719 case BIT_FIELD_REF:
37d6f666 2720 break;
59b36ecf 2721 /* FALLTHRU */
37d6f666
WM		 2722 default:
2723 return;
2724 }
f6d98484
JJ		 2725
2726 size_in_bytes = int_size_in_bytes (type);
40f9f6bb 2727 if (size_in_bytes <= 0)
f6d98484
JJ		 2728 return;
2729
f37fac2b 2730 poly_int64 bitsize, bitpos;
f6d98484 2731 tree offset;
ef4bddc2 2732 machine_mode mode;
ee45a32d
EB		 2733 int unsignedp, reversep, volatilep = 0;
2734 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
25b75a48 2735 &unsignedp, &reversep, &volatilep);
87d1d65a
YG		 2736
2737 if (TREE_CODE (t) == COMPONENT_REF
2738 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
1fe04fdc 2739 {
87d1d65a
YG		 2740 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
2741 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
2742 TREE_OPERAND (t, 0), repr,
7cd200f6
JJ		 2743 TREE_OPERAND (t, 2)),
2744 location, is_store);
1fe04fdc
JJ		 2745 return;
2746 }
87d1d65a 2747
f37fac2b
RS		 2748 if (!multiple_p (bitpos, BITS_PER_UNIT)
2749 || maybe_ne (bitsize, size_in_bytes * BITS_PER_UNIT))
40f9f6bb 2750 return;
f6d98484 2751
6dc61b45
ML		 2752 if (VAR_P (inner) && DECL_HARD_REGISTER (inner))
2753 return;
2754
f37fac2b 2755 poly_int64 decl_size;
9e3bbb4a 2756 if ((VAR_P (inner) || TREE_CODE (inner) == RESULT_DECL)
59b36ecf 2757 && offset == NULL_TREE
59b36ecf 2758 && DECL_SIZE (inner)
f37fac2b
RS		 2759 && poly_int_tree_p (DECL_SIZE (inner), &decl_size)
2760 && known_subrange_p (bitpos, bitsize, 0, decl_size))
59b36ecf 2761 {
9e3bbb4a 2762 if (VAR_P (inner) && DECL_THREAD_LOCAL_P (inner))
59b36ecf 2763 return;
93a73251
MM		 2764 /* If we're not sanitizing globals and we can tell statically that this
2765 access is inside a global variable, then there's no point adding
2766 instrumentation to check the access. N.b. hwasan currently never
2767 sanitizes globals. */
2768 if ((hwasan_sanitize_p () || !param_asan_globals)
2769 && is_global_var (inner))
6b98fab5 2770 return;
59b36ecf
JJ		 2771 if (!TREE_STATIC (inner))
2772 {
2773 /* Automatic vars in the current function will be always
2774 accessible. */
6dc4a604
ML		 2775 if (decl_function_context (inner) == current_function_decl
2776 && (!asan_sanitize_use_after_scope ()
2777 || !TREE_ADDRESSABLE (inner)))
59b36ecf
JJ		 2778 return;
2779 }
2780 /* Always instrument external vars, they might be dynamically
2781 initialized. */
2782 else if (!DECL_EXTERNAL (inner))
2783 {
2784 /* For static vars if they are known not to be dynamically
2785 initialized, they will be always accessible. */
9041d2e6 2786 varpool_node *vnode = varpool_node::get (inner);
59b36ecf
JJ		 2787 if (vnode && !vnode->dynamically_initialized)
2788 return;
2789 }
2790 }
2791
9e3bbb4a
JJ		 2792 if (DECL_P (inner)
2793 && decl_function_context (inner) == current_function_decl
2794 && !TREE_ADDRESSABLE (inner))
2795 mark_addressable (inner);
2796
f6d98484 2797 base = build_fold_addr_expr (t);
bdcbe80c
DS		 2798 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
2799 {
8946c29e
YG		 2800 unsigned int align = get_object_alignment (t);
2801 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
c62ccb9a 2802 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
8946c29e 2803 is_store, /*is_scalar_access*/true, align);
bdcbe80c
DS		 2804 update_mem_ref_hash_table (base, size_in_bytes);
2805 update_mem_ref_hash_table (t, size_in_bytes);
2806 }
2807
25ae5027
DS		 2808}
2809
bdea98ca
MO		 2810/* Insert a memory reference into the hash table if access length
2811 can be determined in compile time. */
2812
2813static void
2814maybe_update_mem_ref_hash_table (tree base, tree len)
2815{
2816 if (!POINTER_TYPE_P (TREE_TYPE (base))
2817 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
2818 return;
2819
2820 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2821
2822 if (size_in_bytes != -1)
2823 update_mem_ref_hash_table (base, size_in_bytes);
2824}
2825
25ae5027
DS		 2826/* Instrument an access to a contiguous memory region that starts at
2827 the address pointed to by BASE, over a length of LEN (expressed in
2828 the sizeof (*BASE) bytes). ITER points to the instruction before
2829 which the instrumentation instructions must be inserted. LOCATION
2830 is the source location that the instrumentation instructions must
2831 have. If IS_STORE is true, then the memory access is a store;
2832 otherwise, it's a load. */
2833
2834static void
2835instrument_mem_region_access (tree base, tree len,
2836 gimple_stmt_iterator *iter,
2837 location_t location, bool is_store)
2838{
c63d3b96
JJ		 2839 if (!POINTER_TYPE_P (TREE_TYPE (base))
2840 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
2841 || integer_zerop (len))
25ae5027
DS		 2842 return;
2843
8946c29e 2844 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
bdcbe80c 2845
bdea98ca
MO		 2846 if ((size_in_bytes == -1)
2847 || !has_mem_ref_been_instrumented (base, size_in_bytes))
2848 {
2849 build_check_stmt (location, base, len, size_in_bytes, iter,
2850 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
2851 is_store, /*is_scalar_access*/false, /*align*/0);
2852 }
b41288b3 2853
bdea98ca 2854 maybe_update_mem_ref_hash_table (base, len);
b41288b3 2855 *iter = gsi_for_stmt (gsi_stmt (*iter));
bdcbe80c 2856}
25ae5027 2857
bdcbe80c
DS		 2858/* Instrument the call to a built-in memory access function that is
2859 pointed to by the iterator ITER.
25ae5027 2860
bdcbe80c
DS		 2861 Upon completion, return TRUE iff *ITER has been advanced to the
2862 statement following the one it was originally pointing to. */
25ae5027 2863
bdcbe80c
DS		 2864static bool
2865instrument_builtin_call (gimple_stmt_iterator *iter)
2866{
93a73251 2867 if (!(asan_memintrin () || hwasan_memintrin ()))
b5ebc991
MO		 2868 return false;
2869
bdcbe80c 2870 bool iter_advanced_p = false;
538dd0b7 2871 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
25ae5027 2872
bdcbe80c 2873 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
25ae5027 2874
bdcbe80c 2875 location_t loc = gimple_location (call);
25ae5027 2876
bdea98ca
MO		 2877 asan_mem_ref src0, src1, dest;
2878 asan_mem_ref_init (&src0, NULL, 1);
2879 asan_mem_ref_init (&src1, NULL, 1);
2880 asan_mem_ref_init (&dest, NULL, 1);
bdcbe80c 2881
bdea98ca
MO		 2882 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
2883 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
2884 dest_is_deref = false, intercepted_p = true;
bdcbe80c 2885
bdea98ca
MO		 2886 if (get_mem_refs_of_builtin_call (call,
2887 &src0, &src0_len, &src0_is_store,
2888 &src1, &src1_len, &src1_is_store,
2889 &dest, &dest_len, &dest_is_store,
e3174bdf 2890 &dest_is_deref, &intercepted_p, iter))
bdea98ca
MO		 2891 {
2892 if (dest_is_deref)
bdcbe80c 2893 {
bdea98ca
MO		 2894 instrument_derefs (iter, dest.start, loc, dest_is_store);
2895 gsi_next (iter);
2896 iter_advanced_p = true;
2897 }
2898 else if (!intercepted_p
2899 && (src0_len || src1_len || dest_len))
2900 {
2901 if (src0.start != NULL_TREE)
2902 instrument_mem_region_access (src0.start, src0_len,
2903 iter, loc, /*is_store=*/false);
2904 if (src1.start != NULL_TREE)
2905 instrument_mem_region_access (src1.start, src1_len,
2906 iter, loc, /*is_store=*/false);
2907 if (dest.start != NULL_TREE)
2908 instrument_mem_region_access (dest.start, dest_len,
2909 iter, loc, /*is_store=*/true);
2910
2911 *iter = gsi_for_stmt (call);
2912 gsi_next (iter);
2913 iter_advanced_p = true;
2914 }
2915 else
2916 {
2917 if (src0.start != NULL_TREE)
2918 maybe_update_mem_ref_hash_table (src0.start, src0_len);
2919 if (src1.start != NULL_TREE)
2920 maybe_update_mem_ref_hash_table (src1.start, src1_len);
2921 if (dest.start != NULL_TREE)
2922 maybe_update_mem_ref_hash_table (dest.start, dest_len);
bdcbe80c 2923 }
25ae5027 2924 }
bdcbe80c 2925 return iter_advanced_p;
25ae5027
DS		 2926}
2927
2928/* Instrument the assignment statement ITER if it is subject to
bdcbe80c
DS		 2929 instrumentation. Return TRUE iff instrumentation actually
2930 happened. In that case, the iterator ITER is advanced to the next
2931 logical expression following the one initially pointed to by ITER,
2932 and the relevant memory reference that which access has been
2933 instrumented is added to the memory references hash table. */
25ae5027 2934
bdcbe80c
DS		 2935static bool
2936maybe_instrument_assignment (gimple_stmt_iterator *iter)
25ae5027 2937{
355fe088 2938 gimple *s = gsi_stmt (*iter);
25ae5027
DS		 2939
2940 gcc_assert (gimple_assign_single_p (s));
2941
bdcbe80c
DS		 2942 tree ref_expr = NULL_TREE;
2943 bool is_store, is_instrumented = false;
2944
52f2e7e1 2945 if (gimple_store_p (s))
bdcbe80c
DS		 2946 {
2947 ref_expr = gimple_assign_lhs (s);
2948 is_store = true;
2949 instrument_derefs (iter, ref_expr,
2950 gimple_location (s),
2951 is_store);
2952 is_instrumented = true;
2953 }
c1f5ce48 2954
52f2e7e1 2955 if (gimple_assign_load_p (s))
bdcbe80c
DS		 2956 {
2957 ref_expr = gimple_assign_rhs1 (s);
2958 is_store = false;
2959 instrument_derefs (iter, ref_expr,
2960 gimple_location (s),
2961 is_store);
2962 is_instrumented = true;
2963 }
2964
2965 if (is_instrumented)
2966 gsi_next (iter);
2967
2968 return is_instrumented;
25ae5027
DS		 2969}
2970
2971/* Instrument the function call pointed to by the iterator ITER, if it
2972 is subject to instrumentation. At the moment, the only function
2973 calls that are instrumented are some built-in functions that access
2974 memory. Look at instrument_builtin_call to learn more.
2975
2976 Upon completion return TRUE iff *ITER was advanced to the statement
2977 following the one it was originally pointing to. */
2978
2979static bool
2980maybe_instrument_call (gimple_stmt_iterator *iter)
2981{
355fe088 2982 gimple *stmt = gsi_stmt (*iter);
bdcbe80c
DS		 2983 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2984
2985 if (is_builtin && instrument_builtin_call (iter))
2b2571c9 2986 return true;
bdcbe80c 2987
2b2571c9
JJ		 2988 if (gimple_call_noreturn_p (stmt))
2989 {
2990 if (is_builtin)
2991 {
2992 tree callee = gimple_call_fndecl (stmt);
2993 switch (DECL_FUNCTION_CODE (callee))
2994 {
2995 case BUILT_IN_UNREACHABLE:
d2423144 2996 case BUILT_IN_UNREACHABLE_TRAP:
2b2571c9
JJ		 2997 case BUILT_IN_TRAP:
2998 /* Don't instrument these. */
2999 return false;
083e891e
MP		 3000 default:
3001 break;
2b2571c9
JJ		 3002 }
3003 }
93a73251
MM		 3004 /* If a function does not return, then we must handle clearing up the
3005 shadow stack accordingly. For ASAN we can simply set the entire stack
3006 to "valid" for accesses by setting the shadow space to 0 and all
3007 accesses will pass checks. That means that some bad accesses may be
3008 missed, but we will not report any false positives.
3009
3010 This is not possible for HWASAN. Since there is no "always valid" tag
3011 we can not set any space to "always valid". If we were to clear the
3012 entire shadow stack then code resuming from `longjmp` or a caught
3013 exception would trigger false positives when correctly accessing
3014 variables on the stack. Hence we need to handle things like
3015 `longjmp`, thread exit, and exceptions in a different way. These
3016 problems must be handled externally to the compiler, e.g. in the
3017 language runtime. */
3018 if (! hwasan_sanitize_p ())
3019 {
3020 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
3021 gimple *g = gimple_build_call (decl, 0);
3022 gimple_set_location (g, gimple_location (stmt));
3023 gsi_insert_before (iter, g, GSI_SAME_STMT);
3024 }
2b2571c9 3025 }
7db337c2 3026
c3da4956 3027 bool instrumented = false;
7db337c2
ML		 3028 if (gimple_store_p (stmt))
3029 {
3030 tree ref_expr = gimple_call_lhs (stmt);
3031 instrument_derefs (iter, ref_expr,
3032 gimple_location (stmt),
3033 /*is_store=*/true);
3034
c3da4956 3035 instrumented = true;
7db337c2
ML		 3036 }
3037
c3da4956
MO		 3038 /* Walk through gimple_call arguments and check them id needed. */
3039 unsigned args_num = gimple_call_num_args (stmt);
3040 for (unsigned i = 0; i < args_num; ++i)
3041 {
3042 tree arg = gimple_call_arg (stmt, i);
3043 /* If ARG is not a non-aggregate register variable, compiler in general
3044 creates temporary for it and pass it as argument to gimple call.
3045 But in some cases, e.g. when we pass by value a small structure that
3046 fits to register, compiler can avoid extra overhead by pulling out
3047 these temporaries. In this case, we should check the argument. */
3048 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
3049 {
3050 instrument_derefs (iter, arg,
3051 gimple_location (stmt),
3052 /*is_store=*/false);
3053 instrumented = true;
3054 }
3055 }
3056 if (instrumented)
3057 gsi_next (iter);
3058 return instrumented;
37d6f666
WM		 3059}
3060
bdcbe80c
DS		 3061/* Walk each instruction of all basic block and instrument those that
3062 represent memory references: loads, stores, or function calls.
3063 In a given basic block, this function avoids instrumenting memory
3064 references that have already been instrumented. */
37d6f666
WM		 3065
3066static void
3067transform_statements (void)
3068{
c4bfe8bf 3069 basic_block bb, last_bb = NULL;
37d6f666 3070 gimple_stmt_iterator i;
8b1c6fd7 3071 int saved_last_basic_block = last_basic_block_for_fn (cfun);
37d6f666 3072
11cd3bed 3073 FOR_EACH_BB_FN (bb, cfun)
37d6f666 3074 {
c4bfe8bf 3075 basic_block prev_bb = bb;
bdcbe80c 3076
37d6f666 3077 if (bb->index >= saved_last_basic_block) continue;
c4bfe8bf
JJ		 3078
3079 /* Flush the mem ref hash table, if current bb doesn't have
3080 exactly one predecessor, or if that predecessor (skipping
3081 over asan created basic blocks) isn't the last processed
3082 basic block. Thus we effectively flush on extended basic
3083 block boundaries. */
3084 while (single_pred_p (prev_bb))
3085 {
3086 prev_bb = single_pred (prev_bb);
3087 if (prev_bb->index < saved_last_basic_block)
3088 break;
3089 }
3090 if (prev_bb != last_bb)
3091 empty_mem_ref_hash_table ();
3092 last_bb = bb;
3093
25ae5027 3094 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
497a1c66 3095 {
355fe088 3096 gimple *s = gsi_stmt (i);
25ae5027 3097
bdcbe80c
DS		 3098 if (has_stmt_been_instrumented_p (s))
3099 gsi_next (&i);
3100 else if (gimple_assign_single_p (s)
e1e160c1 3101 && !gimple_clobber_p (s)
bdcbe80c
DS		 3102 && maybe_instrument_assignment (&i))
3103 /* Nothing to do as maybe_instrument_assignment advanced
3104 the iterator I. */;
3105 else if (is_gimple_call (s) && maybe_instrument_call (&i))
3106 /* Nothing to do as maybe_instrument_call
3107 advanced the iterator I. */;
3108 else
25ae5027 3109 {
bdcbe80c
DS		 3110 /* No instrumentation happened.
3111
c4bfe8bf
JJ		 3112 If the current instruction is a function call that
3113 might free something, let's forget about the memory
3114 references that got instrumented. Otherwise we might
6dc4a604
ML		 3115 miss some instrumentation opportunities. Do the same
3116 for a ASAN_MARK poisoning internal function. */
3117 if (is_gimple_call (s)
56b7aede
ML		 3118 && (!nonfreeing_call_p (s)
3119 || asan_mark_p (s, ASAN_MARK_POISON)))
bdcbe80c
DS		 3120 empty_mem_ref_hash_table ();
3121
3122 gsi_next (&i);
25ae5027 3123 }
497a1c66 3124 }
37d6f666 3125 }
bdcbe80c 3126 free_mem_ref_resources ();
37d6f666
WM		 3127}
3128
59b36ecf
JJ		 3129/* Build
3130 __asan_before_dynamic_init (module_name)
3131 or
3132 __asan_after_dynamic_init ()
3133 call. */
3134
3135tree
3136asan_dynamic_init_call (bool after_p)
3137{
185faecb
JJ		 3138 if (shadow_ptr_types[0] == NULL_TREE)
3139 asan_init_shadow_ptr_types ();
3140
59b36ecf
JJ		 3141 tree fn = builtin_decl_implicit (after_p
3142 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
3143 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
3144 tree module_name_cst = NULL_TREE;
3145 if (!after_p)
3146 {
3147 pretty_printer module_name_pp;
3148 pp_string (&module_name_pp, main_input_filename);
3149
59b36ecf
JJ		 3150 module_name_cst = asan_pp_string (&module_name_pp);
3151 module_name_cst = fold_convert (const_ptr_type_node,
3152 module_name_cst);
3153 }
3154
3155 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
3156}
3157
8240018b
JJ		 3158/* Build
3159 struct __asan_global
3160 {
3161 const void *__beg;
3162 uptr __size;
3163 uptr __size_with_redzone;
3164 const void *__name;
ef1b3fda 3165 const void *__module_name;
8240018b 3166 uptr __has_dynamic_init;
866e32ad 3167 __asan_global_source_location *__location;
fbdb92eb 3168 char *__odr_indicator;
8240018b
JJ		 3169 } type. */
3170
3171static tree
3172asan_global_struct (void)
3173{
84b0769e 3174 static const char *field_names[]
8240018b 3175 = { "__beg", "__size", "__size_with_redzone",
84b0769e
MO		 3176 "__name", "__module_name", "__has_dynamic_init", "__location",
3177 "__odr_indicator" };
3178 tree fields[ARRAY_SIZE (field_names)], ret;
3179 unsigned i;
8240018b
JJ		 3180
3181 ret = make_node (RECORD_TYPE);
84b0769e 3182 for (i = 0; i < ARRAY_SIZE (field_names); i++)
8240018b
JJ		 3183 {
3184 fields[i]
3185 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
3186 get_identifier (field_names[i]),
3187 (i == 0 || i == 3) ? const_ptr_type_node
de5a5fa1 3188 : pointer_sized_int_node);
8240018b
JJ		 3189 DECL_CONTEXT (fields[i]) = ret;
3190 if (i)
3191 DECL_CHAIN (fields[i - 1]) = fields[i];
3192 }
bebcdc67
MP		 3193 tree type_decl = build_decl (input_location, TYPE_DECL,
3194 get_identifier ("__asan_global"), ret);
3195 DECL_IGNORED_P (type_decl) = 1;
3196 DECL_ARTIFICIAL (type_decl) = 1;
8240018b 3197 TYPE_FIELDS (ret) = fields[0];
bebcdc67
MP		 3198 TYPE_NAME (ret) = type_decl;
3199 TYPE_STUB_DECL (ret) = type_decl;
73f8e9dc 3200 TYPE_ARTIFICIAL (ret) = 1;
8240018b
JJ		 3201 layout_type (ret);
3202 return ret;
3203}
3204
84b0769e
MO		 3205/* Create and return odr indicator symbol for DECL.
3206 TYPE is __asan_global struct type as returned by asan_global_struct. */
3207
3208static tree
3209create_odr_indicator (tree decl, tree type)
3210{
3211 char *name;
3212 tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
3213 tree decl_name
3214 = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl)
3215 : DECL_NAME (decl));
3216 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
3217 if (decl_name == NULL_TREE)
3218 return build_int_cst (uptr, 0);
349884d1
JJ		 3219 const char *dname = IDENTIFIER_POINTER (decl_name);
3220 if (HAS_DECL_ASSEMBLER_NAME_P (decl))
3221 dname = targetm.strip_name_encoding (dname);
3222 size_t len = strlen (dname) + sizeof ("__odr_asan_");
84b0769e 3223 name = XALLOCAVEC (char, len);
349884d1 3224 snprintf (name, len, "__odr_asan_%s", dname);
84b0769e
MO		 3225#ifndef NO_DOT_IN_LABEL
3226 name[sizeof ("__odr_asan") - 1] = '.';
3227#elif !defined(NO_DOLLAR_IN_LABEL)
3228 name[sizeof ("__odr_asan") - 1] = '$';
3229#endif
3230 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name),
3231 char_type_node);
3232 TREE_ADDRESSABLE (var) = 1;
3233 TREE_READONLY (var) = 0;
3234 TREE_THIS_VOLATILE (var) = 1;
84b0769e
MO		 3235 DECL_ARTIFICIAL (var) = 1;
3236 DECL_IGNORED_P (var) = 1;
3237 TREE_STATIC (var) = 1;
3238 TREE_PUBLIC (var) = 1;
3239 DECL_VISIBILITY (var) = DECL_VISIBILITY (decl);
3240 DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl);
3241
3242 TREE_USED (var) = 1;
3243 tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE,
3244 build_int_cst (unsigned_type_node, 0));
3245 TREE_CONSTANT (ctor) = 1;
3246 TREE_STATIC (ctor) = 1;
3247 DECL_INITIAL (var) = ctor;
3248 DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"),
3249 NULL, DECL_ATTRIBUTES (var));
3250 make_decl_rtl (var);
3251 varpool_node::finalize_decl (var);
3252 return fold_convert (uptr, build_fold_addr_expr (var));
3253}
3254
3255/* Return true if DECL, a global var, might be overridden and needs
3256 an additional odr indicator symbol. */
3257
3258static bool
3259asan_needs_odr_indicator_p (tree decl)
3260{
0acd830b
MO		 3261 /* Don't emit ODR indicators for kernel because:
3262 a) Kernel is written in C thus doesn't need ODR indicators.
3263 b) Some kernel code may have assumptions about symbols containing specific
3264 patterns in their names. Since ODR indicators contain original names
3265 of symbols they are emitted for, these assumptions would be broken for
3266 ODR indicator symbols. */
3267 return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS)
3268 && !DECL_ARTIFICIAL (decl)
3269 && !DECL_WEAK (decl)
3270 && TREE_PUBLIC (decl));
84b0769e
MO		 3271}
3272
8240018b
JJ		 3273/* Append description of a single global DECL into vector V.
3274 TYPE is __asan_global struct type as returned by asan_global_struct. */
3275
3276static void
9771b263 3277asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
8240018b
JJ		 3278{
3279 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
3280 unsigned HOST_WIDE_INT size;
ef1b3fda 3281 tree str_cst, module_name_cst, refdecl = decl;
9771b263 3282 vec<constructor_elt, va_gc> *vinner = NULL;
8240018b 3283
ef1b3fda 3284 pretty_printer asan_pp, module_name_pp;
8240018b 3285
8240018b 3286 if (DECL_NAME (decl))
b066401f 3287 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
8240018b
JJ		 3288 else
3289 pp_string (&asan_pp, "<unknown>");
11a877b3 3290 str_cst = asan_pp_string (&asan_pp);
8240018b 3291
94c9b1bb
ML		 3292 if (!in_lto_p)
3293 pp_string (&module_name_pp, main_input_filename);
3294 else
3295 {
3296 const_tree tu = get_ultimate_context ((const_tree)decl);
3297 if (tu != NULL_TREE)
3298 pp_string (&module_name_pp, IDENTIFIER_POINTER (DECL_NAME (tu)));
3299 else
3300 pp_string (&module_name_pp, aux_base_name);
3301 }
3302
ef1b3fda
KS		 3303 module_name_cst = asan_pp_string (&module_name_pp);
3304
8240018b
JJ		 3305 if (asan_needs_local_alias (decl))
3306 {
3307 char buf[20];
9771b263 3308 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
8240018b
JJ		 3309 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
3310 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
3311 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
3312 TREE_READONLY (refdecl) = TREE_READONLY (decl);
3313 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
eb72dc66 3314 DECL_NOT_GIMPLE_REG_P (refdecl) = DECL_NOT_GIMPLE_REG_P (decl);
8240018b
JJ		 3315 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
3316 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
3317 TREE_STATIC (refdecl) = 1;
3318 TREE_PUBLIC (refdecl) = 0;
3319 TREE_USED (refdecl) = 1;
3320 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
3321 }
3322
84b0769e
MO		 3323 tree odr_indicator_ptr
3324 = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type)
3325 : build_int_cst (uptr, 0));
8240018b
JJ		 3326 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3327 fold_convert (const_ptr_type_node,
3328 build_fold_addr_expr (refdecl)));
ae7e9ddd 3329 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
8240018b
JJ		 3330 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
3331 size += asan_red_zone_size (size);
3332 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
3333 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3334 fold_convert (const_ptr_type_node, str_cst));
ef1b3fda
KS		 3335 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3336 fold_convert (const_ptr_type_node, module_name_cst));
9041d2e6 3337 varpool_node *vnode = varpool_node::get (decl);
f1860ba9
MO		 3338 int has_dynamic_init = 0;
3339 /* FIXME: Enable initialization order fiasco detection in LTO mode once
3340 proper fix for PR 79061 will be applied. */
3341 if (!in_lto_p)
3342 has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
59b36ecf
JJ		 3343 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3344 build_int_cst (uptr, has_dynamic_init));
21a82048
JJ		 3345 tree locptr = NULL_TREE;
3346 location_t loc = DECL_SOURCE_LOCATION (decl);
3347 expanded_location xloc = expand_location (loc);
3348 if (xloc.file != NULL)
3349 {
3350 static int lasanloccnt = 0;
3351 char buf[25];
3352 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
3353 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
3354 ubsan_get_source_location_type ());
3355 TREE_STATIC (var) = 1;
3356 TREE_PUBLIC (var) = 0;
3357 DECL_ARTIFICIAL (var) = 1;
3358 DECL_IGNORED_P (var) = 1;
3359 pretty_printer filename_pp;
3360 pp_string (&filename_pp, xloc.file);
3361 tree str = asan_pp_string (&filename_pp);
3362 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
3363 NULL_TREE, str, NULL_TREE,
3364 build_int_cst (unsigned_type_node,
3365 xloc.line), NULL_TREE,
3366 build_int_cst (unsigned_type_node,
3367 xloc.column));
3368 TREE_CONSTANT (ctor) = 1;
3369 TREE_STATIC (ctor) = 1;
3370 DECL_INITIAL (var) = ctor;
3371 varpool_node::finalize_decl (var);
3372 locptr = fold_convert (uptr, build_fold_addr_expr (var));
3373 }
3374 else
3375 locptr = build_int_cst (uptr, 0);
3376 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
84b0769e 3377 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr);
8240018b
JJ		 3378 init = build_constructor (type, vinner);
3379 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
3380}
3381
0e668eaf
JJ		 3382/* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
3383void
3384initialize_sanitizer_builtins (void)
3385{
3386 tree decl;
3387
3388 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
3389 return;
3390
3391 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
3392 tree BT_FN_VOID_PTR
3393 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
59b36ecf
JJ		 3394 tree BT_FN_VOID_CONST_PTR
3395 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
b906f4ca
MP		 3396 tree BT_FN_VOID_PTR_PTR
3397 = build_function_type_list (void_type_node, ptr_type_node,
3398 ptr_type_node, NULL_TREE);
de5a5fa1
MP		 3399 tree BT_FN_VOID_PTR_PTR_PTR
3400 = build_function_type_list (void_type_node, ptr_type_node,
3401 ptr_type_node, ptr_type_node, NULL_TREE);
0e668eaf
JJ		 3402 tree BT_FN_VOID_PTR_PTRMODE
3403 = build_function_type_list (void_type_node, ptr_type_node,
de5a5fa1 3404 pointer_sized_int_node, NULL_TREE);
c954bddd
JJ		 3405 tree BT_FN_VOID_INT
3406 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
0bae64d5
MP		 3407 tree BT_FN_SIZE_CONST_PTR_INT
3408 = build_function_type_list (size_type_node, const_ptr_type_node,
3409 integer_type_node, NULL_TREE);
f6e50a7d
WW		 3410
3411 tree BT_FN_VOID_UINT8_UINT8
3412 = build_function_type_list (void_type_node, unsigned_char_type_node,
3413 unsigned_char_type_node, NULL_TREE);
3414 tree BT_FN_VOID_UINT16_UINT16
3415 = build_function_type_list (void_type_node, uint16_type_node,
3416 uint16_type_node, NULL_TREE);
3417 tree BT_FN_VOID_UINT32_UINT32
3418 = build_function_type_list (void_type_node, uint32_type_node,
3419 uint32_type_node, NULL_TREE);
3420 tree BT_FN_VOID_UINT64_UINT64
3421 = build_function_type_list (void_type_node, uint64_type_node,
3422 uint64_type_node, NULL_TREE);
3423 tree BT_FN_VOID_FLOAT_FLOAT
3424 = build_function_type_list (void_type_node, float_type_node,
3425 float_type_node, NULL_TREE);
3426 tree BT_FN_VOID_DOUBLE_DOUBLE
3427 = build_function_type_list (void_type_node, double_type_node,
3428 double_type_node, NULL_TREE);
3429 tree BT_FN_VOID_UINT64_PTR
3430 = build_function_type_list (void_type_node, uint64_type_node,
3431 ptr_type_node, NULL_TREE);
3432
93a73251
MM		 3433 tree BT_FN_PTR_CONST_PTR_UINT8
3434 = build_function_type_list (ptr_type_node, const_ptr_type_node,
3435 unsigned_char_type_node, NULL_TREE);
0854b584
MM		 3436 tree BT_FN_VOID_PTR_UINT8_PTRMODE
3437 = build_function_type_list (void_type_node, ptr_type_node,
3438 unsigned_char_type_node,
3439 pointer_sized_int_node, NULL_TREE);
3440
c954bddd
JJ		 3441 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
3442 tree BT_FN_IX_CONST_VPTR_INT[5];
3443 tree BT_FN_IX_VPTR_IX_INT[5];
3444 tree BT_FN_VOID_VPTR_IX_INT[5];
3445 tree vptr
3446 = build_pointer_type (build_qualified_type (void_type_node,
3447 TYPE_QUAL_VOLATILE));
3448 tree cvptr
3449 = build_pointer_type (build_qualified_type (void_type_node,
3450 TYPE_QUAL_VOLATILE
3451 |TYPE_QUAL_CONST));
3452 tree boolt
3453 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
3454 int i;
3455 for (i = 0; i < 5; i++)
3456 {
3457 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
3458 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
3459 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
3460 integer_type_node, integer_type_node,
3461 NULL_TREE);
3462 BT_FN_IX_CONST_VPTR_INT[i]
3463 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
3464 BT_FN_IX_VPTR_IX_INT[i]
3465 = build_function_type_list (ix, vptr, ix, integer_type_node,
3466 NULL_TREE);
3467 BT_FN_VOID_VPTR_IX_INT[i]
3468 = build_function_type_list (void_type_node, vptr, ix,
3469 integer_type_node, NULL_TREE);
3470 }
3471#define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
3472#define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
3473#define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
3474#define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
3475#define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
3476#define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
3477#define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
3478#define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
3479#define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
3480#define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
3481#define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
3482#define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
3483#define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
3484#define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
3485#define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
3486#define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
3487#define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
3488#define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
3489#define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
3490#define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
0854b584
MM		 3491#undef ATTR_NOTHROW_LIST
3492#define ATTR_NOTHROW_LIST ECF_NOTHROW
0e668eaf
JJ		 3493#undef ATTR_NOTHROW_LEAF_LIST
3494#define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
bc77608b
JJ		 3495#undef ATTR_TMPURE_NOTHROW_LEAF_LIST
3496#define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
0e668eaf
JJ		 3497#undef ATTR_NORETURN_NOTHROW_LEAF_LIST
3498#define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
4088b790
MP		 3499#undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3500#define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
3501 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
bc77608b
JJ		 3502#undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
3503#define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
3504 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
de5a5fa1
MP		 3505#undef ATTR_COLD_NOTHROW_LEAF_LIST
3506#define ATTR_COLD_NOTHROW_LEAF_LIST \
3507 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
3508#undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
3509#define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
3510 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
4088b790
MP		 3511#undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
3512#define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
3513 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
0bae64d5
MP		 3514#undef ATTR_PURE_NOTHROW_LEAF_LIST
3515#define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
8f91e6e0
JJ		 3516#undef DEF_BUILTIN_STUB
3517#define DEF_BUILTIN_STUB(ENUM, NAME)
67c6769b
TV		 3518#undef DEF_SANITIZER_BUILTIN_1
3519#define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \
a74560eb
MP		 3520 do { \
3521 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
3522 BUILT_IN_NORMAL, NAME, NULL_TREE); \
3523 set_call_expr_flags (decl, ATTRS); \
3524 set_builtin_decl (ENUM, decl, true); \
67c6769b
TV		 3525 } while (0)
3526#undef DEF_SANITIZER_BUILTIN
3527#define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
3528 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS);
0e668eaf
JJ		 3529
3530#include "sanitizer.def"
3531
546c6210
SP		 3532 /* -fsanitize=object-size uses __builtin_dynamic_object_size and
3533 __builtin_object_size, but they might not be available for e.g. Fortran at
3534 this point. We use DEF_SANITIZER_BUILTIN here only as a convenience
3535 macro. */
3536 if (flag_sanitize & SANITIZE_OBJECT_SIZE)
3537 {
3538 if (!builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
3539 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_OBJECT_SIZE, "object_size",
3540 BT_FN_SIZE_CONST_PTR_INT,
3541 ATTR_PURE_NOTHROW_LEAF_LIST);
3542 if (!builtin_decl_implicit_p (BUILT_IN_DYNAMIC_OBJECT_SIZE))
3543 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_DYNAMIC_OBJECT_SIZE,
3544 "dynamic_object_size",
3545 BT_FN_SIZE_CONST_PTR_INT,
3546 ATTR_PURE_NOTHROW_LEAF_LIST);
3547 }
0bae64d5 3548
67c6769b 3549#undef DEF_SANITIZER_BUILTIN_1
0e668eaf 3550#undef DEF_SANITIZER_BUILTIN
8f91e6e0 3551#undef DEF_BUILTIN_STUB
0e668eaf
JJ		 3552}
3553
94fce891
JJ		 3554/* Called via htab_traverse. Count number of emitted
3555 STRING_CSTs in the constant hash table. */
3556
2a22f99c
TS		 3557int
3558count_string_csts (constant_descriptor_tree **slot,
3559 unsigned HOST_WIDE_INT *data)
94fce891 3560{
2a22f99c 3561 struct constant_descriptor_tree *desc = *slot;
94fce891
JJ		 3562 if (TREE_CODE (desc->value) == STRING_CST
3563 && TREE_ASM_WRITTEN (desc->value)
3564 && asan_protect_global (desc->value))
2a22f99c 3565 ++*data;
94fce891
JJ		 3566 return 1;
3567}
3568
3569/* Helper structure to pass two parameters to
3570 add_string_csts. */
3571
3572struct asan_add_string_csts_data
3573{
3574 tree type;
3575 vec<constructor_elt, va_gc> *v;
3576};
3577
2a22f99c 3578/* Called via hash_table::traverse. Call asan_add_global
94fce891
JJ		 3579 on emitted STRING_CSTs from the constant hash table. */
3580
2a22f99c
TS		 3581int
3582add_string_csts (constant_descriptor_tree **slot,
3583 asan_add_string_csts_data *aascd)
94fce891 3584{
2a22f99c 3585 struct constant_descriptor_tree *desc = *slot;
94fce891
JJ		 3586 if (TREE_CODE (desc->value) == STRING_CST
3587 && TREE_ASM_WRITTEN (desc->value)
3588 && asan_protect_global (desc->value))
3589 {
94fce891
JJ		 3590 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
3591 aascd->type, aascd->v);
3592 }
3593 return 1;
3594}
3595
8240018b
JJ		 3596/* Needs to be GTY(()), because cgraph_build_static_cdtor may
3597 invoke ggc_collect. */
3598static GTY(()) tree asan_ctor_statements;
3599
37d6f666 3600/* Module-level instrumentation.
ef1b3fda 3601 - Insert __asan_init_vN() into the list of CTORs.
37d6f666
WM		 3602 - TODO: insert redzones around globals.
3603 */
3604
3605void
3606asan_finish_file (void)
3607{
2c8326a5 3608 varpool_node *vnode;
8240018b
JJ		 3609 unsigned HOST_WIDE_INT gcount = 0;
3610
94fce891
JJ		 3611 if (shadow_ptr_types[0] == NULL_TREE)
3612 asan_init_shadow_ptr_types ();
3613 /* Avoid instrumenting code in the asan ctors/dtors.
3614 We don't need to insert padding after the description strings,
3615 nor after .LASAN* array. */
de5a5fa1 3616 flag_sanitize &= ~SANITIZE_ADDRESS;
0e668eaf 3617
f1d15bb9
DV		 3618 /* For user-space we want asan constructors to run first.
3619 Linux kernel does not support priorities other than default, and the only
3620 other user of constructors is coverage. So we run with the default
3621 priority. */
3622 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
3623 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
3624
c6d129b0
YG		 3625 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3626 {
3627 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
3628 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
89e302b8
MO		 3629 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
3630 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
c6d129b0 3631 }
8240018b 3632 FOR_EACH_DEFINED_VARIABLE (vnode)
67348ccc
DM		 3633 if (TREE_ASM_WRITTEN (vnode->decl)
3634 && asan_protect_global (vnode->decl))
8240018b 3635 ++gcount;
2a22f99c
TS		 3636 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
3637 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
3638 (&gcount);
8240018b
JJ		 3639 if (gcount)
3640 {
0e668eaf 3641 tree type = asan_global_struct (), var, ctor;
8240018b 3642 tree dtor_statements = NULL_TREE;
9771b263 3643 vec<constructor_elt, va_gc> *v;
8240018b
JJ		 3644 char buf[20];
3645
3646 type = build_array_type_nelts (type, gcount);
3647 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
3648 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
3649 type);
3650 TREE_STATIC (var) = 1;
3651 TREE_PUBLIC (var) = 0;
3652 DECL_ARTIFICIAL (var) = 1;
3653 DECL_IGNORED_P (var) = 1;
9771b263 3654 vec_alloc (v, gcount);
8240018b 3655 FOR_EACH_DEFINED_VARIABLE (vnode)
67348ccc
DM		 3656 if (TREE_ASM_WRITTEN (vnode->decl)
3657 && asan_protect_global (vnode->decl))
3658 asan_add_global (vnode->decl, TREE_TYPE (type), v);
94fce891
JJ		 3659 struct asan_add_string_csts_data aascd;
3660 aascd.type = TREE_TYPE (type);
3661 aascd.v = v;
2a22f99c
TS		 3662 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
3663 (&aascd);
8240018b
JJ		 3664 ctor = build_constructor (type, v);
3665 TREE_CONSTANT (ctor) = 1;
3666 TREE_STATIC (ctor) = 1;
3667 DECL_INITIAL (var) = ctor;
aa650b64
MO		 3668 SET_DECL_ALIGN (var, MAX (DECL_ALIGN (var),
3669 ASAN_SHADOW_GRANULARITY * BITS_PER_UNIT));
3670
9041d2e6 3671 varpool_node::finalize_decl (var);
8240018b 3672
c6d129b0 3673 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
de5a5fa1 3674 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
0e668eaf 3675 append_to_statement_list (build_call_expr (fn, 2,
8240018b 3676 build_fold_addr_expr (var),
de5a5fa1 3677 gcount_tree),
8240018b
JJ		 3678 &asan_ctor_statements);
3679
0e668eaf
JJ		 3680 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
3681 append_to_statement_list (build_call_expr (fn, 2,
8240018b 3682 build_fold_addr_expr (var),
de5a5fa1 3683 gcount_tree),
8240018b 3684 &dtor_statements);
f1d15bb9 3685 cgraph_build_static_cdtor ('D', dtor_statements, priority);
8240018b 3686 }
c6d129b0 3687 if (asan_ctor_statements)
f1d15bb9 3688 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
de5a5fa1 3689 flag_sanitize |= SANITIZE_ADDRESS;
f6d98484
JJ		 3690}
3691
6dc4a604
ML		 3692/* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
3693 on SHADOW address. Newly added statements will be added to ITER with
3694 given location LOC. We mark SIZE bytes in shadow memory, where
3695 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
3696 end of a variable. */
3697
3698static void
3699asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
3700 tree shadow,
3701 unsigned HOST_WIDE_INT base_addr_offset,
3702 bool is_clobber, unsigned size,
3703 unsigned last_chunk_size)
3704{
3705 tree shadow_ptr_type;
3706
3707 switch (size)
3708 {
3709 case 1:
3710 shadow_ptr_type = shadow_ptr_types[0];
3711 break;
3712 case 2:
3713 shadow_ptr_type = shadow_ptr_types[1];
3714 break;
3715 case 4:
3716 shadow_ptr_type = shadow_ptr_types[2];
3717 break;
3718 default:
3719 gcc_unreachable ();
3720 }
3721
3722 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
3723 unsigned HOST_WIDE_INT val = 0;
47a11342
JJ		 3724 unsigned last_pos = size;
3725 if (last_chunk_size && !is_clobber)
3726 last_pos = BYTES_BIG_ENDIAN ? 0 : size - 1;
6dc4a604
ML		 3727 for (unsigned i = 0; i < size; ++i)
3728 {
3729 unsigned char shadow_c = c;
47a11342 3730 if (i == last_pos)
6dc4a604
ML		 3731 shadow_c = last_chunk_size;
3732 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
3733 }
3734
3735 /* Handle last chunk in unpoisoning. */
3736 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);
3737
3738 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
3739 build_int_cst (shadow_ptr_type, base_addr_offset));
3740
3741 gimple *g = gimple_build_assign (dest, magic);
3742 gimple_set_location (g, loc);
3743 gsi_insert_after (iter, g, GSI_NEW_STMT);
3744}
3745
3746/* Expand the ASAN_MARK builtins. */
3747
3748bool
3749asan_expand_mark_ifn (gimple_stmt_iterator *iter)
3750{
3751 gimple *g = gsi_stmt (*iter);
3752 location_t loc = gimple_location (g);
56b7aede
ML		 3753 HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0));
3754 bool is_poison = ((asan_mark_flags)flag) == ASAN_MARK_POISON;
6dc4a604
ML		 3755
3756 tree base = gimple_call_arg (g, 1);
3757 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
3758 tree decl = TREE_OPERAND (base, 0);
fb61d96c
ML		 3759
3760 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
3761 if (TREE_CODE (decl) == COMPONENT_REF
3762 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0)))
3763 decl = TREE_OPERAND (decl, 0);
3764
6dc4a604 3765 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);
7b972538 3766
93a73251
MM		 3767 if (hwasan_sanitize_p ())
3768 {
3769 gcc_assert (param_hwasan_instrument_stack);
3770 gimple_seq stmts = NULL;
3771 /* Here we swap ASAN_MARK calls for HWASAN_MARK.
3772 This is because we are using the approach of using ASAN_MARK as a
3773 synonym until here.
3774 That approach means we don't yet have to duplicate all the special
3775 cases for ASAN_MARK and ASAN_POISON with the exact same handling but
3776 called HWASAN_MARK etc.
3777
3778 N.b. __asan_poison_stack_memory (which implements ASAN_MARK for ASAN)
3779 rounds the size up to its shadow memory granularity, while
3780 __hwasan_tag_memory (which implements the same for HWASAN) does not.
3781 Hence we emit HWASAN_MARK with an aligned size unlike ASAN_MARK. */
3782 tree len = gimple_call_arg (g, 2);
3783 tree new_len = gimple_build_round_up (&stmts, loc, size_type_node, len,
3784 HWASAN_TAG_GRANULE_SIZE);
3785 gimple_build (&stmts, loc, CFN_HWASAN_MARK,
3786 void_type_node, gimple_call_arg (g, 0),
3787 base, new_len);
3788 gsi_replace_with_seq (iter, stmts, true);
3789 return false;
3790 }
3791
7b972538
ML		 3792 if (is_poison)
3793 {
3794 if (asan_handled_variables == NULL)
3795 asan_handled_variables = new hash_set<tree> (16);
3796 asan_handled_variables->add (decl);
3797 }
6dc4a604
ML		 3798 tree len = gimple_call_arg (g, 2);
3799
3800 gcc_assert (tree_fits_shwi_p (len));
3801 unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len);
3802 gcc_assert (size_in_bytes);
3803
3804 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3805 NOP_EXPR, base);
3806 gimple_set_location (g, loc);
3807 gsi_replace (iter, g, false);
3808 tree base_addr = gimple_assign_lhs (g);
3809
3810 /* Generate direct emission if size_in_bytes is small. */
028d4092
ML		 3811 if (size_in_bytes
3812 <= (unsigned)param_use_after_scope_direct_emission_threshold)
6dc4a604 3813 {
c4d57632
EB		 3814 const unsigned HOST_WIDE_INT shadow_size
3815 = shadow_mem_size (size_in_bytes);
3816 const unsigned int shadow_align
3817 = (get_pointer_alignment (base) / BITS_PER_UNIT) >> ASAN_SHADOW_SHIFT;
6dc4a604
ML		 3818
3819 tree shadow = build_shadow_mem_access (iter, loc, base_addr,
3820 shadow_ptr_types[0], true);
3821
3822 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
3823 {
3824 unsigned size = 1;
c4d57632
EB		 3825 if (shadow_size - offset >= 4
3826 && (!STRICT_ALIGNMENT || shadow_align >= 4))
6dc4a604 3827 size = 4;
c4d57632
EB		 3828 else if (shadow_size - offset >= 2
3829 && (!STRICT_ALIGNMENT || shadow_align >= 2))
6dc4a604
ML		 3830 size = 2;
3831
3832 unsigned HOST_WIDE_INT last_chunk_size = 0;
3833 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
3834 if (s > size_in_bytes)
3835 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);
3836
56b7aede 3837 asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison,
6dc4a604
ML		 3838 size, last_chunk_size);
3839 offset += size;
3840 }
3841 }
3842 else
3843 {
3844 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3845 NOP_EXPR, len);
3846 gimple_set_location (g, loc);
3847 gsi_insert_before (iter, g, GSI_SAME_STMT);
3848 tree sz_arg = gimple_assign_lhs (g);
3849
5594a028
ML		 3850 tree fun
3851 = builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY
3852 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY);
6dc4a604
ML		 3853 g = gimple_build_call (fun, 2, base_addr, sz_arg);
3854 gimple_set_location (g, loc);
3855 gsi_insert_after (iter, g, GSI_NEW_STMT);
3856 }
3857
3858 return false;
3859}
3860
c62ccb9a
YG		 3861/* Expand the ASAN_{LOAD,STORE} builtins. */
3862
06cefae9 3863bool
c62ccb9a
YG		 3864asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
3865{
93a73251 3866 gcc_assert (!hwasan_sanitize_p ());
355fe088 3867 gimple *g = gsi_stmt (*iter);
c62ccb9a 3868 location_t loc = gimple_location (g);
b59e2a49
MO		 3869 bool recover_p;
3870 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3871 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3872 else
3873 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
fed4de37 3874
c62ccb9a
YG		 3875 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
3876 gcc_assert (flags < ASAN_CHECK_LAST);
3877 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
3878 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
3879 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
c62ccb9a
YG		 3880
3881 tree base = gimple_call_arg (g, 1);
3882 tree len = gimple_call_arg (g, 2);
f434eb69 3883 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
c62ccb9a
YG		 3884
3885 HOST_WIDE_INT size_in_bytes
3886 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
3887
3888 if (use_calls)
3889 {
3890 /* Instrument using callbacks. */
355fe088 3891 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
0d0e4a03 3892 NOP_EXPR, base);
c62ccb9a
YG		 3893 gimple_set_location (g, loc);
3894 gsi_insert_before (iter, g, GSI_SAME_STMT);
3895 tree base_addr = gimple_assign_lhs (g);
3896
3897 int nargs;
fed4de37 3898 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
c62ccb9a
YG		 3899 if (nargs == 1)
3900 g = gimple_build_call (fun, 1, base_addr);
3901 else
3902 {
3903 gcc_assert (nargs == 2);
0d0e4a03
JJ		 3904 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3905 NOP_EXPR, len);
c62ccb9a
YG		 3906 gimple_set_location (g, loc);
3907 gsi_insert_before (iter, g, GSI_SAME_STMT);
3908 tree sz_arg = gimple_assign_lhs (g);
3909 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
3910 }
3911 gimple_set_location (g, loc);
3912 gsi_replace (iter, g, false);
3913 return false;
3914 }
3915
3916 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
3917
c62ccb9a
YG		 3918 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
3919 tree shadow_type = TREE_TYPE (shadow_ptr_type);
3920
3921 gimple_stmt_iterator gsi = *iter;
3922
3923 if (!is_non_zero_len)
3924 {
3925 /* So, the length of the memory area to asan-protect is
3926 non-constant. Let's guard the generated instrumentation code
3927 like:
3928
3929 if (len != 0)
3930 {
3931 //asan instrumentation code goes here.
3932 }
3933 // falltrough instructions, starting with *ITER. */
3934
3935 g = gimple_build_cond (NE_EXPR,
3936 len,
3937 build_int_cst (TREE_TYPE (len), 0),
3938 NULL_TREE, NULL_TREE);
3939 gimple_set_location (g, loc);
3940
3941 basic_block then_bb, fallthrough_bb;
538dd0b7
DM		 3942 insert_if_then_before_iter (as_a <gcond *> (g), iter,
3943 /*then_more_likely_p=*/true,
3944 &then_bb, &fallthrough_bb);
c62ccb9a
YG		 3945 /* Note that fallthrough_bb starts with the statement that was
3946 pointed to by ITER. */
3947
3948 /* The 'then block' of the 'if (len != 0) condition is where
3949 we'll generate the asan instrumentation code now. */
3950 gsi = gsi_last_bb (then_bb);
3951 }
3952
3953 /* Get an iterator on the point where we can add the condition
3954 statement for the instrumentation. */
3955 basic_block then_bb, else_bb;
3956 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
3957 /*then_more_likely_p=*/false,
fed4de37 3958 /*create_then_fallthru_edge*/recover_p,
c62ccb9a
YG		 3959 &then_bb,
3960 &else_bb);
3961
0d0e4a03
JJ		 3962 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3963 NOP_EXPR, base);
c62ccb9a
YG		 3964 gimple_set_location (g, loc);
3965 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
3966 tree base_addr = gimple_assign_lhs (g);
3967
3968 tree t = NULL_TREE;
3969 if (real_size_in_bytes >= 8)
3970 {
3971 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3972 shadow_ptr_type);
3973 t = shadow;
3974 }
3975 else
3976 {
3977 /* Slow path for 1, 2 and 4 byte accesses. */
bdea98ca
MO		 3978 /* Test (shadow != 0)
3979 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
3980 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3981 shadow_ptr_type);
355fe088 3982 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
bdea98ca
MO		 3983 gimple_seq seq = NULL;
3984 gimple_seq_add_stmt (&seq, shadow_test);
3985 /* Aligned (>= 8 bytes) can test just
3986 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
3987 to be 0. */
3988 if (align < 8)
c62ccb9a 3989 {
bdea98ca
MO		 3990 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3991 base_addr, 7));
3992 gimple_seq_add_stmt (&seq,
3993 build_type_cast (shadow_type,
3994 gimple_seq_last (seq)));
3995 if (real_size_in_bytes > 1)
3996 gimple_seq_add_stmt (&seq,
3997 build_assign (PLUS_EXPR,
3998 gimple_seq_last (seq),
3999 real_size_in_bytes - 1));
4000 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
c62ccb9a 4001 }
bdea98ca
MO		 4002 else
4003 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
4004 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
4005 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
4006 gimple_seq_last (seq)));
4007 t = gimple_assign_lhs (gimple_seq_last (seq));
4008 gimple_seq_set_location (seq, loc);
4009 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
c62ccb9a
YG		 4010
4011 /* For non-constant, misaligned or otherwise weird access sizes,
bdea98ca
MO		 4012 check first and last byte. */
4013 if (size_in_bytes == -1)
c62ccb9a 4014 {
0d0e4a03
JJ		 4015 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
4016 MINUS_EXPR, len,
4017 build_int_cst (pointer_sized_int_node, 1));
c62ccb9a
YG		 4018 gimple_set_location (g, loc);
4019 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
4020 tree last = gimple_assign_lhs (g);
0d0e4a03
JJ		 4021 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
4022 PLUS_EXPR, base_addr, last);
c62ccb9a
YG		 4023 gimple_set_location (g, loc);
4024 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
4025 tree base_end_addr = gimple_assign_lhs (g);
4026
4027 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
4028 shadow_ptr_type);
355fe088 4029 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
c62ccb9a
YG		 4030 gimple_seq seq = NULL;
4031 gimple_seq_add_stmt (&seq, shadow_test);
4032 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
4033 base_end_addr, 7));
4034 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
4035 gimple_seq_last (seq)));
4036 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
4037 gimple_seq_last (seq),
4038 shadow));
4039 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
4040 gimple_seq_last (seq)));
bdea98ca
MO		 4041 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
4042 gimple_seq_last (seq)));
c62ccb9a
YG		 4043 t = gimple_assign_lhs (gimple_seq_last (seq));
4044 gimple_seq_set_location (seq, loc);
4045 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
4046 }
4047 }
4048
4049 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
4050 NULL_TREE, NULL_TREE);
4051 gimple_set_location (g, loc);
4052 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
4053
4054 /* Generate call to the run-time library (e.g. __asan_report_load8). */
4055 gsi = gsi_start_bb (then_bb);
4056 int nargs;
fed4de37 4057 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
c62ccb9a
YG		 4058 g = gimple_build_call (fun, nargs, base_addr, len);
4059 gimple_set_location (g, loc);
4060 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
4061
4062 gsi_remove (iter, true);
4063 *iter = gsi_start_bb (else_bb);
4064
4065 return true;
4066}
4067
c7775327
ML		 4068/* Create ASAN shadow variable for a VAR_DECL which has been rewritten
4069 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
4070
4071static tree
4072create_asan_shadow_var (tree var_decl,
4073 hash_map<tree, tree> &shadow_vars_mapping)
4074{
4075 tree *slot = shadow_vars_mapping.get (var_decl);
4076 if (slot == NULL)
4077 {
4078 tree shadow_var = copy_node (var_decl);
4079
4080 copy_body_data id;
4081 memset (&id, 0, sizeof (copy_body_data));
4082 id.src_fn = id.dst_fn = current_function_decl;
4083 copy_decl_for_dup_finish (&id, var_decl, shadow_var);
4084
4085 DECL_ARTIFICIAL (shadow_var) = 1;
4086 DECL_IGNORED_P (shadow_var) = 1;
4087 DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0;
4088 gimple_add_tmp_var (shadow_var);
4089
4090 shadow_vars_mapping.put (var_decl, shadow_var);
4091 return shadow_var;
4092 }
4093 else
4094 return *slot;
4095}
4096
f6b9f2ff
ML		 4097/* Expand ASAN_POISON ifn. */
4098
c7775327
ML		 4099bool
4100asan_expand_poison_ifn (gimple_stmt_iterator *iter,
4101 bool *need_commit_edge_insert,
4102 hash_map<tree, tree> &shadow_vars_mapping)
4103{
4104 gimple *g = gsi_stmt (*iter);
4105 tree poisoned_var = gimple_call_lhs (g);
a50a32aa 4106 if (!poisoned_var || has_zero_uses (poisoned_var))
c7775327
ML		 4107 {
4108 gsi_remove (iter, true);
4109 return true;
4110 }
4111
a50a32aa
ML		 4112 if (SSA_NAME_VAR (poisoned_var) == NULL_TREE)
4113 SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var,
4114 create_tmp_var (TREE_TYPE (poisoned_var)));
4115
f6b9f2ff
ML		 4116 tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var),
4117 shadow_vars_mapping);
c7775327
ML		 4118
4119 bool recover_p;
4120 if (flag_sanitize & SANITIZE_USER_ADDRESS)
4121 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
4122 else
4123 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
4124 tree size = DECL_SIZE_UNIT (shadow_var);
4125 gimple *poison_call
4126 = gimple_build_call_internal (IFN_ASAN_MARK, 3,
4127 build_int_cst (integer_type_node,
4128 ASAN_MARK_POISON),
4129 build_fold_addr_expr (shadow_var), size);
4130
f6b9f2ff 4131 gimple *use;
c7775327 4132 imm_use_iterator imm_iter;
f6b9f2ff 4133 FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var)
c7775327 4134 {
c7775327
ML		 4135 if (is_gimple_debug (use))
4136 continue;
4137
4138 int nargs;
f6b9f2ff 4139 bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE);
93a73251
MM		 4140 gcall *call;
4141 if (hwasan_sanitize_p ())
4142 {
4143 tree fun = builtin_decl_implicit (BUILT_IN_HWASAN_TAG_MISMATCH4);
4144 /* NOTE: hwasan has no __hwasan_report_* functions like asan does.
4145 We use __hwasan_tag_mismatch4 with arguments that tell it the
4146 size of access and load to report all tag mismatches.
4147
4148 The arguments to this function are:
4149 Address of invalid access.
4150 Bitfield containing information about the access
4151 (access_info)
4152 Pointer to a frame of registers
4153 (for use in printing the contents of registers in a dump)
4154 Not used yet -- to be used by inline instrumentation.
4155 Size of access.
4156
4157 The access_info bitfield encodes the following pieces of
4158 information:
4159 - Is this a store or load?
4160 access_info & 0x10 => store
4161 - Should the program continue after reporting the error?
4162 access_info & 0x20 => recover
4163 - What size access is this (not used here since we can always
4164 pass the size in the last argument)
4165
4166 if (access_info & 0xf == 0xf)
4167 size is taken from last argument.
4168 else
4169 size == 1 << (access_info & 0xf)
4170
4171 The last argument contains the size of the access iff the
4172 access_info size indicator is 0xf (we always use this argument
4173 rather than storing the size in the access_info bitfield).
4174
4175 See the function definition `__hwasan_tag_mismatch4` in
4176 libsanitizer/hwasan for the full definition.
4177 */
4178 unsigned access_info = (0x20 * recover_p)
4179 + (0x10 * store_p)
4180 + (0xf);
4181 call = gimple_build_call (fun, 4,
4182 build_fold_addr_expr (shadow_var),
4183 build_int_cst (pointer_sized_int_node,
4184 access_info),
4185 build_int_cst (pointer_sized_int_node, 0),
4186 size);
4187 }
4188 else
4189 {
4190 tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size),
4191 &nargs);
4192 call = gimple_build_call (fun, 1,
4193 build_fold_addr_expr (shadow_var));
4194 }
c7775327
ML		 4195 gimple_set_location (call, gimple_location (use));
4196 gimple *call_to_insert = call;
4197
4198 /* The USE can be a gimple PHI node. If so, insert the call on
4199 all edges leading to the PHI node. */
4200 if (is_a <gphi *> (use))
4201 {
4202 gphi *phi = dyn_cast<gphi *> (use);
4203 for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i)
4204 if (gimple_phi_arg_def (phi, i) == poisoned_var)
4205 {
4206 edge e = gimple_phi_arg_edge (phi, i);
4207
236ac442
ML		 4208 /* Do not insert on an edge we can't split. */
4209 if (e->flags & EDGE_ABNORMAL)
4210 continue;
4211
c7775327
ML		 4212 if (call_to_insert == NULL)
4213 call_to_insert = gimple_copy (call);
4214
4215 gsi_insert_seq_on_edge (e, call_to_insert);
4216 *need_commit_edge_insert = true;
4217 call_to_insert = NULL;
4218 }
4219 }
4220 else
4221 {
4222 gimple_stmt_iterator gsi = gsi_for_stmt (use);
f6b9f2ff
ML		 4223 if (store_p)
4224 gsi_replace (&gsi, call, true);
4225 else
4226 gsi_insert_before (&gsi, call, GSI_NEW_STMT);
c7775327
ML		 4227 }
4228 }
4229
4230 SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true;
4231 SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop ();
4232 gsi_replace (iter, poison_call, false);
4233
4234 return true;
4235}
4236
37d6f666
WM		 4237/* Instrument the current function. */
4238
4239static unsigned int
4240asan_instrument (void)
4241{
93a73251
MM		 4242 if (hwasan_sanitize_p ())
4243 {
4244 transform_statements ();
4245 return 0;
4246 }
4247
f6d98484 4248 if (shadow_ptr_types[0] == NULL_TREE)
94fce891 4249 asan_init_shadow_ptr_types ();
37d6f666 4250 transform_statements ();
e3174bdf 4251 last_alloca_addr = NULL_TREE;
37d6f666
WM		 4252 return 0;
4253}
4254
4255static bool
4256gate_asan (void)
4257{
45b2222a 4258 return sanitize_flags_p (SANITIZE_ADDRESS);
37d6f666
WM		 4259}
4260
27a4cd48
DM		 4261namespace {
4262
4263const pass_data pass_data_asan =
37d6f666 4264{
27a4cd48
DM		 4265 GIMPLE_PASS, /* type */
4266 "asan", /* name */
4267 OPTGROUP_NONE, /* optinfo_flags */
27a4cd48
DM		 4268 TV_NONE, /* tv_id */
4269 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
4270 0, /* properties_provided */
4271 0, /* properties_destroyed */
4272 0, /* todo_flags_start */
3bea341f 4273 TODO_update_ssa, /* todo_flags_finish */
37d6f666 4274};
f6d98484 4275
27a4cd48
DM		 4276class pass_asan : public gimple_opt_pass
4277{
4278public:
c3284718
RS		 4279 pass_asan (gcc::context *ctxt)
4280 : gimple_opt_pass (pass_data_asan, ctxt)
27a4cd48
DM		 4281 {}
4282
4283 /* opt_pass methods: */
725793af
DM		 4284 opt_pass * clone () final override { return new pass_asan (m_ctxt); }
4285 bool gate (function *) final override
4286 {
4287 return gate_asan () || gate_hwasan ();
4288 }
4289 unsigned int execute (function *) final override
4290 {
4291 return asan_instrument ();
4292 }
27a4cd48
DM		 4293
4294}; // class pass_asan
4295
4296} // anon namespace
4297
4298gimple_opt_pass *
4299make_pass_asan (gcc::context *ctxt)
4300{
4301 return new pass_asan (ctxt);
4302}
4303
27a4cd48
DM		 4304namespace {
4305
4306const pass_data pass_data_asan_O0 =
dfb9e332 4307{
27a4cd48
DM		 4308 GIMPLE_PASS, /* type */
4309 "asan0", /* name */
4310 OPTGROUP_NONE, /* optinfo_flags */
27a4cd48
DM		 4311 TV_NONE, /* tv_id */
4312 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
4313 0, /* properties_provided */
4314 0, /* properties_destroyed */
4315 0, /* todo_flags_start */
3bea341f 4316 TODO_update_ssa, /* todo_flags_finish */
dfb9e332
JJ		 4317};
4318
27a4cd48
DM		 4319class pass_asan_O0 : public gimple_opt_pass
4320{
4321public:
c3284718
RS		 4322 pass_asan_O0 (gcc::context *ctxt)
4323 : gimple_opt_pass (pass_data_asan_O0, ctxt)
27a4cd48
DM		 4324 {}
4325
4326 /* opt_pass methods: */
725793af 4327 bool gate (function *) final override
93a73251
MM		 4328 {
4329 return !optimize && (gate_asan () || gate_hwasan ());
4330 }
725793af
DM		 4331 unsigned int execute (function *) final override
4332 {
4333 return asan_instrument ();
4334 }
27a4cd48
DM		 4335
4336}; // class pass_asan_O0
4337
4338} // anon namespace
4339
4340gimple_opt_pass *
4341make_pass_asan_O0 (gcc::context *ctxt)
4342{
4343 return new pass_asan_O0 (ctxt);
4344}
4345
93a73251
MM		 4346/* HWASAN */
4347
0854b584
MM		 4348/* For stack tagging:
4349
4350 Return the offset from the frame base tag that the "next" expanded object
4351 should have. */
4352uint8_t
4353hwasan_current_frame_tag ()
4354{
4355 return hwasan_frame_tag_offset;
4356}
4357
4358/* For stack tagging:
4359
4360 Return the 'base pointer' for this function. If that base pointer has not
4361 yet been created then we create a register to hold it and record the insns
4362 to initialize the register in `hwasan_frame_base_init_seq` for later
4363 emission. */
4364rtx
4365hwasan_frame_base ()
4366{
4367 if (! hwasan_frame_base_ptr)
4368 {
4369 start_sequence ();
4370 hwasan_frame_base_ptr
4371 = force_reg (Pmode,
4372 targetm.memtag.insert_random_tag (virtual_stack_vars_rtx,
4373 NULL_RTX));
4374 hwasan_frame_base_init_seq = get_insns ();
4375 end_sequence ();
4376 }
4377
4378 return hwasan_frame_base_ptr;
4379}
4380
4381/* For stack tagging:
4382
4383 Check whether this RTX is a standard pointer addressing the base of the
4384 stack variables for this frame. Returns true if the RTX is either
4385 virtual_stack_vars_rtx or hwasan_frame_base_ptr. */
4386bool
4387stack_vars_base_reg_p (rtx base)
4388{
4389 return base == virtual_stack_vars_rtx || base == hwasan_frame_base_ptr;
4390}
4391
4392/* For stack tagging:
4393
4394 Emit frame base initialisation.
4395 If hwasan_frame_base has been used before here then
4396 hwasan_frame_base_init_seq contains the sequence of instructions to
4397 initialize it. This must be put just before the hwasan prologue, so we emit
4398 the insns before parm_birth_insn (which will point to the first instruction
4399 of the hwasan prologue if it exists).
4400
4401 We update `parm_birth_insn` to point to the start of this initialisation
4402 since that represents the end of the initialisation done by
4403 expand_function_{start,end} functions and we want to maintain that. */
4404void
4405hwasan_maybe_emit_frame_base_init ()
4406{
4407 if (! hwasan_frame_base_init_seq)
4408 return;
4409 emit_insn_before (hwasan_frame_base_init_seq, parm_birth_insn);
4410 parm_birth_insn = hwasan_frame_base_init_seq;
4411}
4412
4413/* Record a compile-time constant size stack variable that HWASAN will need to
4414 tag. This record of the range of a stack variable will be used by
4415 `hwasan_emit_prologue` to emit the RTL at the start of each frame which will
4416 set tags in the shadow memory according to the assigned tag for each object.
4417
4418 The range that the object spans in stack space should be described by the
4419 bounds `untagged_base + nearest_offset` and
4420 `untagged_base + farthest_offset`.
4421 `tagged_base` is the base address which contains the "base frame tag" for
4422 this frame, and from which the value to address this object with will be
4423 calculated.
4424
4425 We record the `untagged_base` since the functions in the hwasan library we
4426 use to tag memory take pointers without a tag. */
4427void
4428hwasan_record_stack_var (rtx untagged_base, rtx tagged_base,
4429 poly_int64 nearest_offset, poly_int64 farthest_offset)
4430{
4431 hwasan_stack_var cur_var;
4432 cur_var.untagged_base = untagged_base;
4433 cur_var.tagged_base = tagged_base;
4434 cur_var.nearest_offset = nearest_offset;
4435 cur_var.farthest_offset = farthest_offset;
4436 cur_var.tag_offset = hwasan_current_frame_tag ();
4437
4438 hwasan_tagged_stack_vars.safe_push (cur_var);
4439}
4440
4441/* Return the RTX representing the farthest extent of the statically allocated
4442 stack objects for this frame. If hwasan_frame_base_ptr has not been
4443 initialized then we are not storing any static variables on the stack in
4444 this frame. In this case we return NULL_RTX to represent that.
4445
4446 Otherwise simply return virtual_stack_vars_rtx + frame_offset. */
4447rtx
4448hwasan_get_frame_extent ()
4449{
4450 return (hwasan_frame_base_ptr
4451 ? plus_constant (Pmode, virtual_stack_vars_rtx, frame_offset)
4452 : NULL_RTX);
4453}
4454
4455/* For stack tagging:
4456
4457 Increment the frame tag offset modulo the size a tag can represent. */
4458void
4459hwasan_increment_frame_tag ()
4460{
4461 uint8_t tag_bits = HWASAN_TAG_SIZE;
4462 gcc_assert (HWASAN_TAG_SIZE
4463 <= sizeof (hwasan_frame_tag_offset) * CHAR_BIT);
4464 hwasan_frame_tag_offset = (hwasan_frame_tag_offset + 1) % (1 << tag_bits);
4465 /* The "background tag" of the stack is zero by definition.
4466 This is the tag that objects like parameters passed on the stack and
4467 spilled registers are given. It is handy to avoid this tag for objects
4468 whose tags we decide ourselves, partly to ensure that buffer overruns
4469 can't affect these important variables (e.g. saved link register, saved
4470 stack pointer etc) and partly to make debugging easier (everything with a
4471 tag of zero is space allocated automatically by the compiler).
4472
4473 This is not feasible when using random frame tags (the default
4474 configuration for hwasan) since the tag for the given frame is randomly
4475 chosen at runtime. In order to avoid any tags matching the stack
4476 background we would need to decide tag offsets at runtime instead of
4477 compile time (and pay the resulting performance cost).
4478
4479 When not using random base tags for each frame (i.e. when compiled with
4480 `--param hwasan-random-frame-tag=0`) the base tag for each frame is zero.
4481 This means the tag that each object gets is equal to the
4482 hwasan_frame_tag_offset used in determining it.
4483 When this is the case we *can* ensure no object gets the tag of zero by
4484 simply ensuring no object has the hwasan_frame_tag_offset of zero.
4485
4486 There is the extra complication that we only record the
4487 hwasan_frame_tag_offset here (which is the offset from the tag stored in
4488 the stack pointer). In the kernel, the tag in the stack pointer is 0xff
4489 rather than zero. This does not cause problems since tags of 0xff are
4490 never checked in the kernel. As mentioned at the beginning of this
4491 comment the background tag of the stack is zero by definition, which means
4492 that for the kernel we should skip offsets of both 0 and 1 from the stack
4493 pointer. Avoiding the offset of 0 ensures we use a tag which will be
4494 checked, avoiding the offset of 1 ensures we use a tag that is not the
4495 same as the background. */
4496 if (hwasan_frame_tag_offset == 0 && ! param_hwasan_random_frame_tag)
4497 hwasan_frame_tag_offset += 1;
4498 if (hwasan_frame_tag_offset == 1 && ! param_hwasan_random_frame_tag
4499 && sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS))
4500 hwasan_frame_tag_offset += 1;
4501}
4502
4503/* Clear internal state for the next function.
4504 This function is called before variables on the stack get expanded, in
4505 `init_vars_expansion`. */
4506void
4507hwasan_record_frame_init ()
4508{
4509 delete asan_used_labels;
4510 asan_used_labels = NULL;
4511
4512 /* If this isn't the case then some stack variable was recorded *before*
4513 hwasan_record_frame_init is called, yet *after* the hwasan prologue for
4514 the previous frame was emitted. Such stack variables would not have
4515 their shadow stack filled in. */
4516 gcc_assert (hwasan_tagged_stack_vars.is_empty ());
4517 hwasan_frame_base_ptr = NULL_RTX;
4518 hwasan_frame_base_init_seq = NULL;
4519
4520 /* When not using a random frame tag we can avoid the background stack
4521 color which gives the user a little better debug output upon a crash.
4522 Meanwhile, when using a random frame tag it will be nice to avoid adding
4523 tags for the first object since that is unnecessary extra work.
4524 Hence set the initial hwasan_frame_tag_offset to be 0 if using a random
4525 frame tag and 1 otherwise.
4526
4527 As described in hwasan_increment_frame_tag, in the kernel the stack
4528 pointer has the tag 0xff. That means that to avoid 0xff and 0 (the tag
4529 which the kernel does not check and the background tag respectively) we
4530 start with a tag offset of 2. */
4531 hwasan_frame_tag_offset = param_hwasan_random_frame_tag
4532 ? 0
4533 : sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS) ? 2 : 1;
4534}
4535
4536/* For stack tagging:
4537 (Emits HWASAN equivalent of what is emitted by
4538 `asan_emit_stack_protection`).
4539
4540 Emits the extra prologue code to set the shadow stack as required for HWASAN
4541 stack instrumentation.
4542
4543 Uses the vector of recorded stack variables hwasan_tagged_stack_vars. When
4544 this function has completed hwasan_tagged_stack_vars is empty and all
4545 objects it had pointed to are deallocated. */
4546void
4547hwasan_emit_prologue ()
4548{
4549 /* We need untagged base pointers since libhwasan only accepts untagged
4550 pointers in __hwasan_tag_memory. We need the tagged base pointer to obtain
4551 the base tag for an offset. */
4552
4553 if (hwasan_tagged_stack_vars.is_empty ())
4554 return;
4555
4556 poly_int64 bot = 0, top = 0;
4557 for (hwasan_stack_var &cur : hwasan_tagged_stack_vars)
4558 {
4559 poly_int64 nearest = cur.nearest_offset;
4560 poly_int64 farthest = cur.farthest_offset;
4561
4562 if (known_ge (nearest, farthest))
4563 {
4564 top = nearest;
4565 bot = farthest;
4566 }
4567 else
4568 {
4569 /* Given how these values are calculated, one must be known greater
4570 than the other. */
4571 gcc_assert (known_le (nearest, farthest));
4572 top = farthest;
4573 bot = nearest;
4574 }
4575 poly_int64 size = (top - bot);
4576
4577 /* Assert the edge of each variable is aligned to the HWASAN tag granule
4578 size. */
4579 gcc_assert (multiple_p (top, HWASAN_TAG_GRANULE_SIZE));
4580 gcc_assert (multiple_p (bot, HWASAN_TAG_GRANULE_SIZE));
4581 gcc_assert (multiple_p (size, HWASAN_TAG_GRANULE_SIZE));
4582
4583 rtx fn = init_one_libfunc ("__hwasan_tag_memory");
4584 rtx base_tag = targetm.memtag.extract_tag (cur.tagged_base, NULL_RTX);
4585 rtx tag = plus_constant (QImode, base_tag, cur.tag_offset);
4586 tag = hwasan_truncate_to_tag_size (tag, NULL_RTX);
4587
4588 rtx bottom = convert_memory_address (ptr_mode,
4589 plus_constant (Pmode,
4590 cur.untagged_base,
4591 bot));
4592 emit_library_call (fn, LCT_NORMAL, VOIDmode,
4593 bottom, ptr_mode,
4594 tag, QImode,
4595 gen_int_mode (size, ptr_mode), ptr_mode);
4596 }
4597 /* Clear the stack vars, we've emitted the prologue for them all now. */
4598 hwasan_tagged_stack_vars.truncate (0);
4599}
4600
4601/* For stack tagging:
4602
4603 Return RTL insns to clear the tags between DYNAMIC and VARS pointers
4604 into the stack. These instructions should be emitted at the end of
4605 every function.
4606
4607 If `dynamic` is NULL_RTX then no insns are returned. */
4608rtx_insn *
4609hwasan_emit_untag_frame (rtx dynamic, rtx vars)
4610{
4611 if (! dynamic)
4612 return NULL;
4613
4614 start_sequence ();
4615
4616 dynamic = convert_memory_address (ptr_mode, dynamic);
4617 vars = convert_memory_address (ptr_mode, vars);
4618
4619 rtx top_rtx;
4620 rtx bot_rtx;
4621 if (FRAME_GROWS_DOWNWARD)
4622 {
4623 top_rtx = vars;
4624 bot_rtx = dynamic;
4625 }
4626 else
4627 {
4628 top_rtx = dynamic;
4629 bot_rtx = vars;
4630 }
4631
4632 rtx size_rtx = expand_simple_binop (ptr_mode, MINUS, top_rtx, bot_rtx,
4633 NULL_RTX, /* unsignedp = */0,
4634 OPTAB_DIRECT);
4635
4636 rtx fn = init_one_libfunc ("__hwasan_tag_memory");
4637 emit_library_call (fn, LCT_NORMAL, VOIDmode,
4638 bot_rtx, ptr_mode,
4639 HWASAN_STACK_BACKGROUND, QImode,
4640 size_rtx, ptr_mode);
4641
4642 do_pending_stack_adjust ();
4643 rtx_insn *insns = get_insns ();
4644 end_sequence ();
4645 return insns;
4646}
4647
4648/* Needs to be GTY(()), because cgraph_build_static_cdtor may
4649 invoke ggc_collect. */
4650static GTY(()) tree hwasan_ctor_statements;
4651
4652/* Insert module initialization into this TU. This initialization calls the
4653 initialization code for libhwasan. */
4654void
4655hwasan_finish_file (void)
4656{
4657 /* Do not emit constructor initialization for the kernel.
4658 (the kernel has its own initialization already). */
4659 if (flag_sanitize & SANITIZE_KERNEL_HWADDRESS)
4660 return;
4661
4662 /* Avoid instrumenting code in the hwasan constructors/destructors. */
4663 flag_sanitize &= ~SANITIZE_HWADDRESS;
4664 int priority = MAX_RESERVED_INIT_PRIORITY - 1;
4665 tree fn = builtin_decl_implicit (BUILT_IN_HWASAN_INIT);
4666 append_to_statement_list (build_call_expr (fn, 0), &hwasan_ctor_statements);
4667 cgraph_build_static_cdtor ('I', hwasan_ctor_statements, priority);
4668 flag_sanitize |= SANITIZE_HWADDRESS;
4669}
4670
4671/* For stack tagging:
4672
4673 Truncate `tag` to the number of bits that a tag uses (i.e. to
4674 HWASAN_TAG_SIZE). Store the result in `target` if it's convenient. */
4675rtx
4676hwasan_truncate_to_tag_size (rtx tag, rtx target)
4677{
4678 gcc_assert (GET_MODE (tag) == QImode);
4679 if (HWASAN_TAG_SIZE != GET_MODE_PRECISION (QImode))
4680 {
4681 gcc_assert (GET_MODE_PRECISION (QImode) > HWASAN_TAG_SIZE);
4682 rtx mask = gen_int_mode ((HOST_WIDE_INT_1U << HWASAN_TAG_SIZE) - 1,
4683 QImode);
4684 tag = expand_simple_binop (QImode, AND, tag, mask, target,
4685 /* unsignedp = */1, OPTAB_WIDEN);
4686 gcc_assert (tag);
4687 }
4688 return tag;
4689}
4690
93a73251
MM		 4691/* Construct a function tree for __hwasan_{load,store}{1,2,4,8,16,_n}.
4692 IS_STORE is either 1 (for a store) or 0 (for a load). */
4693static combined_fn
4694hwasan_check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
4695 int *nargs)
4696{
4697 static enum built_in_function check[2][2][6]
4698 = { { { BUILT_IN_HWASAN_LOAD1, BUILT_IN_HWASAN_LOAD2,
4699 BUILT_IN_HWASAN_LOAD4, BUILT_IN_HWASAN_LOAD8,
4700 BUILT_IN_HWASAN_LOAD16, BUILT_IN_HWASAN_LOADN },
4701 { BUILT_IN_HWASAN_STORE1, BUILT_IN_HWASAN_STORE2,
4702 BUILT_IN_HWASAN_STORE4, BUILT_IN_HWASAN_STORE8,
4703 BUILT_IN_HWASAN_STORE16, BUILT_IN_HWASAN_STOREN } },
4704 { { BUILT_IN_HWASAN_LOAD1_NOABORT,
4705 BUILT_IN_HWASAN_LOAD2_NOABORT,
4706 BUILT_IN_HWASAN_LOAD4_NOABORT,
4707 BUILT_IN_HWASAN_LOAD8_NOABORT,
4708 BUILT_IN_HWASAN_LOAD16_NOABORT,
4709 BUILT_IN_HWASAN_LOADN_NOABORT },
4710 { BUILT_IN_HWASAN_STORE1_NOABORT,
4711 BUILT_IN_HWASAN_STORE2_NOABORT,
4712 BUILT_IN_HWASAN_STORE4_NOABORT,
4713 BUILT_IN_HWASAN_STORE8_NOABORT,
4714 BUILT_IN_HWASAN_STORE16_NOABORT,
4715 BUILT_IN_HWASAN_STOREN_NOABORT } } };
4716 if (size_in_bytes == -1)
4717 {
4718 *nargs = 2;
4719 return as_combined_fn (check[recover_p][is_store][5]);
4720 }
4721 *nargs = 1;
4722 int size_log2 = exact_log2 (size_in_bytes);
4723 gcc_assert (size_log2 >= 0 && size_log2 <= 5);
4724 return as_combined_fn (check[recover_p][is_store][size_log2]);
4725}
4726
4727/* Expand the HWASAN_{LOAD,STORE} builtins. */
4728bool
4729hwasan_expand_check_ifn (gimple_stmt_iterator *iter, bool)
4730{
4731 gimple *g = gsi_stmt (*iter);
4732 location_t loc = gimple_location (g);
4733 bool recover_p;
4734 if (flag_sanitize & SANITIZE_USER_HWADDRESS)
4735 recover_p = (flag_sanitize_recover & SANITIZE_USER_HWADDRESS) != 0;
4736 else
4737 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_HWADDRESS) != 0;
4738
4739 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
4740 gcc_assert (flags < ASAN_CHECK_LAST);
4741 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
4742 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
4743 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
4744
4745 tree base = gimple_call_arg (g, 1);
4746 tree len = gimple_call_arg (g, 2);
4747
4748 /* `align` is unused for HWASAN_CHECK, but we pass the argument anyway
4749 since that way the arguments match ASAN_CHECK. */
4750 /* HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3)); */
4751
4752 unsigned HOST_WIDE_INT size_in_bytes
4753 = is_scalar_access ? tree_to_shwi (len) : -1;
4754
4755 gimple_stmt_iterator gsi = *iter;
4756
4757 if (!is_non_zero_len)
4758 {
4759 /* So, the length of the memory area to hwasan-protect is
4760 non-constant. Let's guard the generated instrumentation code
4761 like:
4762
4763 if (len != 0)
4764 {
4765 // hwasan instrumentation code goes here.
4766 }
4767 // falltrough instructions, starting with *ITER. */
4768
4769 g = gimple_build_cond (NE_EXPR,
4770 len,
4771 build_int_cst (TREE_TYPE (len), 0),
4772 NULL_TREE, NULL_TREE);
4773 gimple_set_location (g, loc);
4774
4775 basic_block then_bb, fallthrough_bb;
4776 insert_if_then_before_iter (as_a <gcond *> (g), iter,
4777 /*then_more_likely_p=*/true,
4778 &then_bb, &fallthrough_bb);
4779 /* Note that fallthrough_bb starts with the statement that was
4780 pointed to by ITER. */
4781
4782 /* The 'then block' of the 'if (len != 0) condition is where
4783 we'll generate the hwasan instrumentation code now. */
4784 gsi = gsi_last_bb (then_bb);
4785 }
4786
4787 gimple_seq stmts = NULL;
4788 tree base_addr = gimple_build (&stmts, loc, NOP_EXPR,
4789 pointer_sized_int_node, base);
4790
4791 int nargs = 0;
4792 combined_fn fn
4793 = hwasan_check_func (is_store, recover_p, size_in_bytes, &nargs);
4794 if (nargs == 1)
4795 gimple_build (&stmts, loc, fn, void_type_node, base_addr);
4796 else
4797 {
4798 gcc_assert (nargs == 2);
4799 tree sz_arg = gimple_build (&stmts, loc, NOP_EXPR,
4800 pointer_sized_int_node, len);
4801 gimple_build (&stmts, loc, fn, void_type_node, base_addr, sz_arg);
4802 }
4803
4804 gsi_insert_seq_after (&gsi, stmts, GSI_NEW_STMT);
4805 gsi_remove (iter, true);
4806 *iter = gsi;
4807 return false;
4808}
4809
4810/* For stack tagging:
4811
4812 Dummy: the HWASAN_MARK internal function should only ever be in the code
4813 after the sanopt pass. */
4814bool
4815hwasan_expand_mark_ifn (gimple_stmt_iterator *)
4816{
4817 gcc_unreachable ();
4818}
4819
4820bool
4821gate_hwasan ()
4822{
4823 return hwasan_sanitize_p ();
4824}
4825
f6d98484 4826#include "gt-asan.h"
Mirror of https://gcc.gnu.org/git/gcc.git