]>
Commit | Line | Data |
---|---|---|
37d6f666 | 1 | /* AddressSanitizer, a fast memory error detector. |
a945c346 | 2 | Copyright (C) 2012-2024 Free Software Foundation, Inc. |
37d6f666 WM |
3 | Contributed by Kostya Serebryany <kcc@google.com> |
4 | ||
5 | This file is part of GCC. | |
6 | ||
7 | GCC is free software; you can redistribute it and/or modify it under | |
8 | the terms of the GNU General Public License as published by the Free | |
9 | Software Foundation; either version 3, or (at your option) any later | |
10 | version. | |
11 | ||
12 | GCC is distributed in the hope that it will be useful, but WITHOUT ANY | |
13 | WARRANTY; without even the implied warranty of MERCHANTABILITY or | |
14 | FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
15 | for more details. | |
16 | ||
17 | You should have received a copy of the GNU General Public License | |
18 | along with GCC; see the file COPYING3. If not see | |
19 | <http://www.gnu.org/licenses/>. */ | |
20 | ||
21 | ||
22 | #include "config.h" | |
23 | #include "system.h" | |
24 | #include "coretypes.h" | |
c7131fb2 | 25 | #include "backend.h" |
957060b5 AM |
26 | #include "target.h" |
27 | #include "rtl.h" | |
4d648807 | 28 | #include "tree.h" |
c7131fb2 | 29 | #include "gimple.h" |
957060b5 AM |
30 | #include "cfghooks.h" |
31 | #include "alloc-pool.h" | |
32 | #include "tree-pass.h" | |
4d0cdd0c | 33 | #include "memmodel.h" |
957060b5 | 34 | #include "tm_p.h" |
c7775327 | 35 | #include "ssa.h" |
957060b5 AM |
36 | #include "stringpool.h" |
37 | #include "tree-ssanames.h" | |
957060b5 AM |
38 | #include "optabs.h" |
39 | #include "emit-rtl.h" | |
40 | #include "cgraph.h" | |
41 | #include "gimple-pretty-print.h" | |
42 | #include "alias.h" | |
40e23961 | 43 | #include "fold-const.h" |
60393bbc | 44 | #include "cfganal.h" |
45b0be94 | 45 | #include "gimplify.h" |
5be5c238 | 46 | #include "gimple-iterator.h" |
d8a2d370 DN |
47 | #include "varasm.h" |
48 | #include "stor-layout.h" | |
37d6f666 | 49 | #include "tree-iterator.h" |
314e6352 ML |
50 | #include "stringpool.h" |
51 | #include "attribs.h" | |
37d6f666 | 52 | #include "asan.h" |
36566b39 PK |
53 | #include "dojump.h" |
54 | #include "explow.h" | |
f3ddd692 | 55 | #include "expr.h" |
8240018b | 56 | #include "output.h" |
0e668eaf | 57 | #include "langhooks.h" |
a9e0d843 | 58 | #include "cfgloop.h" |
ff2a63a7 | 59 | #include "gimple-builder.h" |
e3174bdf | 60 | #include "gimple-fold.h" |
b9a55b13 | 61 | #include "ubsan.h" |
9b2b7279 | 62 | #include "builtins.h" |
860503d8 | 63 | #include "fnmatch.h" |
c7775327 | 64 | #include "tree-inline.h" |
4e3d3e40 | 65 | #include "tree-ssa.h" |
f0c7367b | 66 | #include "tree-eh.h" |
b6330a76 | 67 | #include "diagnostic-core.h" |
37d6f666 | 68 | |
497a1c66 JJ |
69 | /* AddressSanitizer finds out-of-bounds and use-after-free bugs |
70 | with <2x slowdown on average. | |
71 | ||
72 | The tool consists of two parts: | |
73 | instrumentation module (this file) and a run-time library. | |
74 | The instrumentation module adds a run-time check before every memory insn. | |
75 | For a 8- or 16- byte load accessing address X: | |
76 | ShadowAddr = (X >> 3) + Offset | |
77 | ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access. | |
78 | if (ShadowValue) | |
79 | __asan_report_load8(X); | |
80 | For a load of N bytes (N=1, 2 or 4) from address X: | |
81 | ShadowAddr = (X >> 3) + Offset | |
82 | ShadowValue = *(char*)ShadowAddr; | |
83 | if (ShadowValue) | |
84 | if ((X & 7) + N - 1 > ShadowValue) | |
85 | __asan_report_loadN(X); | |
86 | Stores are instrumented similarly, but using __asan_report_storeN functions. | |
ef1b3fda KS |
87 | A call too __asan_init_vN() is inserted to the list of module CTORs. |
88 | N is the version number of the AddressSanitizer API. The changes between the | |
89 | API versions are listed in libsanitizer/asan/asan_interface_internal.h. | |
497a1c66 JJ |
90 | |
91 | The run-time library redefines malloc (so that redzone are inserted around | |
92 | the allocated memory) and free (so that reuse of free-ed memory is delayed), | |
ef1b3fda | 93 | provides __asan_report* and __asan_init_vN functions. |
497a1c66 JJ |
94 | |
95 | Read more: | |
96 | http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm | |
97 | ||
98 | The current implementation supports detection of out-of-bounds and | |
99 | use-after-free in the heap, on the stack and for global variables. | |
100 | ||
101 | [Protection of stack variables] | |
102 | ||
103 | To understand how detection of out-of-bounds and use-after-free works | |
104 | for stack variables, lets look at this example on x86_64 where the | |
105 | stack grows downward: | |
f3ddd692 JJ |
106 | |
107 | int | |
108 | foo () | |
109 | { | |
9c2f0847 | 110 | char a[24] = {0}; |
f3ddd692 JJ |
111 | int b[2] = {0}; |
112 | ||
113 | a[5] = 1; | |
114 | b[1] = 2; | |
115 | ||
116 | return a[5] + b[1]; | |
117 | } | |
118 | ||
497a1c66 JJ |
119 | For this function, the stack protected by asan will be organized as |
120 | follows, from the top of the stack to the bottom: | |
f3ddd692 | 121 | |
497a1c66 | 122 | Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone'] |
f3ddd692 | 123 | |
497a1c66 JJ |
124 | Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make |
125 | the next slot be 32 bytes aligned; this one is called Partial | |
126 | Redzone; this 32 bytes alignment is an asan constraint] | |
f3ddd692 | 127 | |
497a1c66 | 128 | Slot 3/ [24 bytes for variable 'a'] |
f3ddd692 | 129 | |
497a1c66 | 130 | Slot 4/ [red zone of 32 bytes called 'Middle RedZone'] |
f3ddd692 | 131 | |
497a1c66 | 132 | Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2] |
f3ddd692 | 133 | |
497a1c66 | 134 | Slot 6/ [8 bytes for variable 'b'] |
f3ddd692 | 135 | |
497a1c66 JJ |
136 | Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called |
137 | 'LEFT RedZone'] | |
f3ddd692 | 138 | |
497a1c66 JJ |
139 | The 32 bytes of LEFT red zone at the bottom of the stack can be |
140 | decomposed as such: | |
f3ddd692 JJ |
141 | |
142 | 1/ The first 8 bytes contain a magical asan number that is always | |
143 | 0x41B58AB3. | |
144 | ||
145 | 2/ The following 8 bytes contains a pointer to a string (to be | |
146 | parsed at runtime by the runtime asan library), which format is | |
147 | the following: | |
148 | ||
149 | "<function-name> <space> <num-of-variables-on-the-stack> | |
150 | (<32-bytes-aligned-offset-in-bytes-of-variable> <space> | |
151 | <length-of-var-in-bytes> ){n} " | |
152 | ||
153 | where '(...){n}' means the content inside the parenthesis occurs 'n' | |
154 | times, with 'n' being the number of variables on the stack. | |
c1f5ce48 | 155 | |
ef1b3fda KS |
156 | 3/ The following 8 bytes contain the PC of the current function which |
157 | will be used by the run-time library to print an error message. | |
f3ddd692 | 158 | |
ef1b3fda | 159 | 4/ The following 8 bytes are reserved for internal use by the run-time. |
f3ddd692 | 160 | |
497a1c66 | 161 | The shadow memory for that stack layout is going to look like this: |
f3ddd692 JJ |
162 | |
163 | - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1. | |
164 | The F1 byte pattern is a magic number called | |
165 | ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that | |
166 | the memory for that shadow byte is part of a the LEFT red zone | |
167 | intended to seat at the bottom of the variables on the stack. | |
168 | ||
169 | - content of shadow memory 8 bytes for slots 6 and 5: | |
170 | 0xF4F4F400. The F4 byte pattern is a magic number | |
171 | called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the | |
172 | memory region for this shadow byte is a PARTIAL red zone | |
173 | intended to pad a variable A, so that the slot following | |
174 | {A,padding} is 32 bytes aligned. | |
175 | ||
176 | Note that the fact that the least significant byte of this | |
177 | shadow memory content is 00 means that 8 bytes of its | |
178 | corresponding memory (which corresponds to the memory of | |
179 | variable 'b') is addressable. | |
180 | ||
181 | - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2. | |
182 | The F2 byte pattern is a magic number called | |
183 | ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory | |
184 | region for this shadow byte is a MIDDLE red zone intended to | |
185 | seat between two 32 aligned slots of {variable,padding}. | |
186 | ||
187 | - content of shadow memory 8 bytes for slot 3 and 2: | |
497a1c66 | 188 | 0xF4000000. This represents is the concatenation of |
f3ddd692 JJ |
189 | variable 'a' and the partial red zone following it, like what we |
190 | had for variable 'b'. The least significant 3 bytes being 00 | |
191 | means that the 3 bytes of variable 'a' are addressable. | |
192 | ||
497a1c66 | 193 | - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3. |
f3ddd692 JJ |
194 | The F3 byte pattern is a magic number called |
195 | ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory | |
196 | region for this shadow byte is a RIGHT red zone intended to seat | |
197 | at the top of the variables of the stack. | |
198 | ||
497a1c66 | 199 | Note that the real variable layout is done in expand_used_vars in |
e53b6e56 | 200 | cfgexpand.cc. As far as Address Sanitizer is concerned, it lays out |
497a1c66 JJ |
201 | stack variables as well as the different red zones, emits some |
202 | prologue code to populate the shadow memory as to poison (mark as | |
203 | non-accessible) the regions of the red zones and mark the regions of | |
204 | stack variables as accessible, and emit some epilogue code to | |
205 | un-poison (mark as accessible) the regions of red zones right before | |
206 | the function exits. | |
8240018b | 207 | |
497a1c66 | 208 | [Protection of global variables] |
8240018b | 209 | |
497a1c66 JJ |
210 | The basic idea is to insert a red zone between two global variables |
211 | and install a constructor function that calls the asan runtime to do | |
212 | the populating of the relevant shadow memory regions at load time. | |
8240018b | 213 | |
497a1c66 JJ |
214 | So the global variables are laid out as to insert a red zone between |
215 | them. The size of the red zones is so that each variable starts on a | |
216 | 32 bytes boundary. | |
8240018b | 217 | |
497a1c66 JJ |
218 | Then a constructor function is installed so that, for each global |
219 | variable, it calls the runtime asan library function | |
220 | __asan_register_globals_with an instance of this type: | |
8240018b JJ |
221 | |
222 | struct __asan_global | |
223 | { | |
224 | // Address of the beginning of the global variable. | |
225 | const void *__beg; | |
226 | ||
227 | // Initial size of the global variable. | |
228 | uptr __size; | |
229 | ||
230 | // Size of the global variable + size of the red zone. This | |
231 | // size is 32 bytes aligned. | |
232 | uptr __size_with_redzone; | |
233 | ||
234 | // Name of the global variable. | |
235 | const void *__name; | |
236 | ||
ef1b3fda KS |
237 | // Name of the module where the global variable is declared. |
238 | const void *__module_name; | |
239 | ||
59b36ecf | 240 | // 1 if it has dynamic initialization, 0 otherwise. |
8240018b | 241 | uptr __has_dynamic_init; |
866e32ad KS |
242 | |
243 | // A pointer to struct that contains source location, could be NULL. | |
244 | __asan_global_source_location *__location; | |
8240018b JJ |
245 | } |
246 | ||
497a1c66 JJ |
247 | A destructor function that calls the runtime asan library function |
248 | _asan_unregister_globals is also installed. */ | |
f3ddd692 | 249 | |
fd960af2 YG |
250 | static unsigned HOST_WIDE_INT asan_shadow_offset_value; |
251 | static bool asan_shadow_offset_computed; | |
860503d8 | 252 | static vec<char *> sanitized_sections; |
e3174bdf | 253 | static tree last_alloca_addr; |
fd960af2 | 254 | |
6dc4a604 ML |
255 | /* Set of variable declarations that are going to be guarded by |
256 | use-after-scope sanitizer. */ | |
257 | ||
bf9f9292 | 258 | hash_set<tree> *asan_handled_variables = NULL; |
6dc4a604 ML |
259 | |
260 | hash_set <tree> *asan_used_labels = NULL; | |
261 | ||
0854b584 MM |
262 | /* Global variables for HWASAN stack tagging. */ |
263 | /* hwasan_frame_tag_offset records the offset from the frame base tag that the | |
264 | next object should have. */ | |
265 | static uint8_t hwasan_frame_tag_offset = 0; | |
266 | /* hwasan_frame_base_ptr is a pointer with the same address as | |
267 | `virtual_stack_vars_rtx` for the current frame, and with the frame base tag | |
268 | stored in it. N.b. this global RTX does not need to be marked GTY, but is | |
269 | done so anyway. The need is not there since all uses are in just one pass | |
270 | (cfgexpand) and there are no calls to ggc_collect between the uses. We mark | |
271 | it GTY(()) anyway to allow the use of the variable later on if needed by | |
272 | future features. */ | |
273 | static GTY(()) rtx hwasan_frame_base_ptr = NULL_RTX; | |
274 | /* hwasan_frame_base_init_seq is the sequence of RTL insns that will initialize | |
275 | the hwasan_frame_base_ptr. When the hwasan_frame_base_ptr is requested, we | |
276 | generate this sequence but do not emit it. If the sequence was created it | |
277 | is emitted once the function body has been expanded. | |
278 | ||
279 | This delay is because the frame base pointer may be needed anywhere in the | |
280 | function body, or needed by the expand_used_vars function. Emitting once in | |
281 | a known place is simpler than requiring the emission of the instructions to | |
282 | be know where it should go depending on the first place the hwasan frame | |
283 | base is needed. */ | |
284 | static GTY(()) rtx_insn *hwasan_frame_base_init_seq = NULL; | |
285 | ||
286 | /* Structure defining the extent of one object on the stack that HWASAN needs | |
287 | to tag in the corresponding shadow stack space. | |
288 | ||
289 | The range this object spans on the stack is between `untagged_base + | |
290 | nearest_offset` and `untagged_base + farthest_offset`. | |
291 | `tagged_base` is an rtx containing the same value as `untagged_base` but | |
292 | with a random tag stored in the top byte. We record both `untagged_base` | |
293 | and `tagged_base` so that `hwasan_emit_prologue` can use both without having | |
294 | to emit RTL into the instruction stream to re-calculate one from the other. | |
295 | (`hwasan_emit_prologue` needs to use both bases since the | |
296 | __hwasan_tag_memory call it emits uses an untagged value, and it calculates | |
297 | the tag to store in shadow memory based on the tag_offset plus the tag in | |
298 | tagged_base). */ | |
299 | struct hwasan_stack_var | |
300 | { | |
301 | rtx untagged_base; | |
302 | rtx tagged_base; | |
303 | poly_int64 nearest_offset; | |
304 | poly_int64 farthest_offset; | |
305 | uint8_t tag_offset; | |
306 | }; | |
307 | ||
308 | /* Variable recording all stack variables that HWASAN needs to tag. | |
309 | Does not need to be marked as GTY(()) since every use is in the cfgexpand | |
310 | pass and gcc_collect is not called in the middle of that pass. */ | |
311 | static vec<hwasan_stack_var> hwasan_tagged_stack_vars; | |
312 | ||
313 | ||
fd960af2 YG |
314 | /* Sets shadow offset to value in string VAL. */ |
315 | ||
316 | bool | |
317 | set_asan_shadow_offset (const char *val) | |
318 | { | |
319 | char *endp; | |
c1f5ce48 | 320 | |
fd960af2 YG |
321 | errno = 0; |
322 | #ifdef HAVE_LONG_LONG | |
323 | asan_shadow_offset_value = strtoull (val, &endp, 0); | |
324 | #else | |
325 | asan_shadow_offset_value = strtoul (val, &endp, 0); | |
326 | #endif | |
327 | if (!(*val != '\0' && *endp == '\0' && errno == 0)) | |
328 | return false; | |
329 | ||
330 | asan_shadow_offset_computed = true; | |
331 | ||
332 | return true; | |
333 | } | |
334 | ||
18af8d16 YG |
335 | /* Set list of user-defined sections that need to be sanitized. */ |
336 | ||
337 | void | |
860503d8 | 338 | set_sanitized_sections (const char *sections) |
18af8d16 | 339 | { |
860503d8 YG |
340 | char *pat; |
341 | unsigned i; | |
342 | FOR_EACH_VEC_ELT (sanitized_sections, i, pat) | |
343 | free (pat); | |
344 | sanitized_sections.truncate (0); | |
345 | ||
346 | for (const char *s = sections; *s; ) | |
347 | { | |
348 | const char *end; | |
349 | for (end = s; *end && *end != ','; ++end); | |
350 | size_t len = end - s; | |
351 | sanitized_sections.safe_push (xstrndup (s, len)); | |
352 | s = *end ? end + 1 : end; | |
353 | } | |
18af8d16 YG |
354 | } |
355 | ||
56b7aede ML |
356 | bool |
357 | asan_mark_p (gimple *stmt, enum asan_mark_flags flag) | |
358 | { | |
359 | return (gimple_call_internal_p (stmt, IFN_ASAN_MARK) | |
360 | && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag); | |
361 | } | |
362 | ||
6dc4a604 ML |
363 | bool |
364 | asan_sanitize_stack_p (void) | |
365 | { | |
028d4092 | 366 | return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_stack); |
6dc4a604 ML |
367 | } |
368 | ||
5094f7d5 MO |
369 | bool |
370 | asan_sanitize_allocas_p (void) | |
371 | { | |
028d4092 | 372 | return (asan_sanitize_stack_p () && param_asan_protect_allocas); |
5094f7d5 MO |
373 | } |
374 | ||
93a73251 MM |
375 | bool |
376 | asan_instrument_reads (void) | |
377 | { | |
378 | return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_reads); | |
379 | } | |
380 | ||
381 | bool | |
382 | asan_instrument_writes (void) | |
383 | { | |
384 | return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_writes); | |
385 | } | |
386 | ||
387 | bool | |
388 | asan_memintrin (void) | |
389 | { | |
390 | return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_memintrin); | |
391 | } | |
392 | ||
393 | ||
91b36d1c JJ |
394 | /* Support for --param asan-kernel-mem-intrinsic-prefix=1. */ |
395 | static GTY(()) rtx asan_memfn_rtls[3]; | |
396 | ||
397 | rtx | |
398 | asan_memfn_rtl (tree fndecl) | |
399 | { | |
400 | int i; | |
401 | const char *f, *p; | |
402 | char buf[sizeof ("__hwasan_memmove")]; | |
403 | ||
404 | switch (DECL_FUNCTION_CODE (fndecl)) | |
405 | { | |
406 | case BUILT_IN_MEMCPY: i = 0; f = "memcpy"; break; | |
407 | case BUILT_IN_MEMSET: i = 1; f = "memset"; break; | |
408 | case BUILT_IN_MEMMOVE: i = 2; f = "memmove"; break; | |
409 | default: gcc_unreachable (); | |
410 | } | |
411 | if (asan_memfn_rtls[i] == NULL_RTX) | |
412 | { | |
413 | tree save_name = DECL_NAME (fndecl); | |
414 | tree save_assembler_name = DECL_ASSEMBLER_NAME (fndecl); | |
415 | rtx save_rtl = DECL_RTL (fndecl); | |
416 | if (flag_sanitize & SANITIZE_KERNEL_HWADDRESS) | |
417 | p = "__hwasan_"; | |
418 | else | |
419 | p = "__asan_"; | |
420 | strcpy (buf, p); | |
421 | strcat (buf, f); | |
422 | DECL_NAME (fndecl) = get_identifier (buf); | |
423 | DECL_ASSEMBLER_NAME_RAW (fndecl) = NULL_TREE; | |
424 | SET_DECL_RTL (fndecl, NULL_RTX); | |
425 | asan_memfn_rtls[i] = DECL_RTL (fndecl); | |
426 | DECL_NAME (fndecl) = save_name; | |
427 | DECL_ASSEMBLER_NAME_RAW (fndecl) = save_assembler_name; | |
428 | SET_DECL_RTL (fndecl, save_rtl); | |
429 | } | |
430 | return asan_memfn_rtls[i]; | |
431 | } | |
432 | ||
433 | ||
18af8d16 YG |
434 | /* Checks whether section SEC should be sanitized. */ |
435 | ||
436 | static bool | |
437 | section_sanitized_p (const char *sec) | |
438 | { | |
860503d8 YG |
439 | char *pat; |
440 | unsigned i; | |
441 | FOR_EACH_VEC_ELT (sanitized_sections, i, pat) | |
442 | if (fnmatch (pat, sec, FNM_PERIOD) == 0) | |
443 | return true; | |
18af8d16 YG |
444 | return false; |
445 | } | |
446 | ||
fd960af2 YG |
447 | /* Returns Asan shadow offset. */ |
448 | ||
449 | static unsigned HOST_WIDE_INT | |
450 | asan_shadow_offset () | |
451 | { | |
452 | if (!asan_shadow_offset_computed) | |
453 | { | |
454 | asan_shadow_offset_computed = true; | |
455 | asan_shadow_offset_value = targetm.asan_shadow_offset (); | |
456 | } | |
457 | return asan_shadow_offset_value; | |
458 | } | |
459 | ||
2ca1b6d0 KC |
460 | /* Returns Asan shadow offset has been set. */ |
461 | bool | |
462 | asan_shadow_offset_set_p () | |
463 | { | |
464 | return asan_shadow_offset_computed; | |
465 | } | |
466 | ||
f3ddd692 | 467 | alias_set_type asan_shadow_set = -1; |
37d6f666 | 468 | |
6dc4a604 | 469 | /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate |
f6d98484 | 470 | alias set is used for all shadow memory accesses. */ |
6dc4a604 | 471 | static GTY(()) tree shadow_ptr_types[3]; |
f6d98484 | 472 | |
e361382f JJ |
473 | /* Decl for __asan_option_detect_stack_use_after_return. */ |
474 | static GTY(()) tree asan_detect_stack_use_after_return; | |
475 | ||
bdcbe80c DS |
476 | /* Hashtable support for memory references used by gimple |
477 | statements. */ | |
478 | ||
479 | /* This type represents a reference to a memory region. */ | |
480 | struct asan_mem_ref | |
481 | { | |
688010ba | 482 | /* The expression of the beginning of the memory region. */ |
bdcbe80c DS |
483 | tree start; |
484 | ||
40f9f6bb JJ |
485 | /* The size of the access. */ |
486 | HOST_WIDE_INT access_size; | |
c1f5ce48 ML |
487 | }; |
488 | ||
fcb87c50 | 489 | object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref"); |
bdcbe80c DS |
490 | |
491 | /* Initializes an instance of asan_mem_ref. */ | |
492 | ||
493 | static void | |
40f9f6bb | 494 | asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size) |
bdcbe80c DS |
495 | { |
496 | ref->start = start; | |
497 | ref->access_size = access_size; | |
498 | } | |
499 | ||
500 | /* Allocates memory for an instance of asan_mem_ref into the memory | |
501 | pool returned by asan_mem_ref_get_alloc_pool and initialize it. | |
502 | START is the address of (or the expression pointing to) the | |
503 | beginning of memory reference. ACCESS_SIZE is the size of the | |
504 | access to the referenced memory. */ | |
505 | ||
506 | static asan_mem_ref* | |
40f9f6bb | 507 | asan_mem_ref_new (tree start, HOST_WIDE_INT access_size) |
bdcbe80c | 508 | { |
fb0b2914 | 509 | asan_mem_ref *ref = asan_mem_ref_pool.allocate (); |
bdcbe80c DS |
510 | |
511 | asan_mem_ref_init (ref, start, access_size); | |
512 | return ref; | |
513 | } | |
514 | ||
515 | /* This builds and returns a pointer to the end of the memory region | |
516 | that starts at START and of length LEN. */ | |
517 | ||
518 | tree | |
519 | asan_mem_ref_get_end (tree start, tree len) | |
520 | { | |
521 | if (len == NULL_TREE || integer_zerop (len)) | |
522 | return start; | |
523 | ||
a2f581e1 YG |
524 | if (!ptrofftype_p (len)) |
525 | len = convert_to_ptrofftype (len); | |
526 | ||
bdcbe80c DS |
527 | return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len); |
528 | } | |
529 | ||
530 | /* Return a tree expression that represents the end of the referenced | |
531 | memory region. Beware that this function can actually build a new | |
532 | tree expression. */ | |
533 | ||
534 | tree | |
535 | asan_mem_ref_get_end (const asan_mem_ref *ref, tree len) | |
536 | { | |
537 | return asan_mem_ref_get_end (ref->start, len); | |
538 | } | |
539 | ||
8d67ee55 | 540 | struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref> |
bdcbe80c | 541 | { |
67f58944 TS |
542 | static inline hashval_t hash (const asan_mem_ref *); |
543 | static inline bool equal (const asan_mem_ref *, const asan_mem_ref *); | |
bdcbe80c DS |
544 | }; |
545 | ||
546 | /* Hash a memory reference. */ | |
547 | ||
548 | inline hashval_t | |
549 | asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref) | |
550 | { | |
bdea98ca | 551 | return iterative_hash_expr (mem_ref->start, 0); |
bdcbe80c DS |
552 | } |
553 | ||
554 | /* Compare two memory references. We accept the length of either | |
555 | memory references to be NULL_TREE. */ | |
556 | ||
557 | inline bool | |
558 | asan_mem_ref_hasher::equal (const asan_mem_ref *m1, | |
559 | const asan_mem_ref *m2) | |
560 | { | |
bdea98ca | 561 | return operand_equal_p (m1->start, m2->start, 0); |
bdcbe80c DS |
562 | } |
563 | ||
c203e8a7 | 564 | static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht; |
bdcbe80c DS |
565 | |
566 | /* Returns a reference to the hash table containing memory references. | |
567 | This function ensures that the hash table is created. Note that | |
568 | this hash table is updated by the function | |
569 | update_mem_ref_hash_table. */ | |
570 | ||
c203e8a7 | 571 | static hash_table<asan_mem_ref_hasher> * |
bdcbe80c DS |
572 | get_mem_ref_hash_table () |
573 | { | |
c203e8a7 TS |
574 | if (!asan_mem_ref_ht) |
575 | asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10); | |
bdcbe80c DS |
576 | |
577 | return asan_mem_ref_ht; | |
578 | } | |
579 | ||
580 | /* Clear all entries from the memory references hash table. */ | |
581 | ||
582 | static void | |
583 | empty_mem_ref_hash_table () | |
584 | { | |
c203e8a7 TS |
585 | if (asan_mem_ref_ht) |
586 | asan_mem_ref_ht->empty (); | |
bdcbe80c DS |
587 | } |
588 | ||
589 | /* Free the memory references hash table. */ | |
590 | ||
591 | static void | |
592 | free_mem_ref_resources () | |
593 | { | |
c203e8a7 TS |
594 | delete asan_mem_ref_ht; |
595 | asan_mem_ref_ht = NULL; | |
bdcbe80c | 596 | |
fb0b2914 | 597 | asan_mem_ref_pool.release (); |
bdcbe80c DS |
598 | } |
599 | ||
600 | /* Return true iff the memory reference REF has been instrumented. */ | |
601 | ||
602 | static bool | |
40f9f6bb | 603 | has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size) |
bdcbe80c DS |
604 | { |
605 | asan_mem_ref r; | |
606 | asan_mem_ref_init (&r, ref, access_size); | |
607 | ||
bdea98ca MO |
608 | asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r); |
609 | return saved_ref && saved_ref->access_size >= access_size; | |
bdcbe80c DS |
610 | } |
611 | ||
612 | /* Return true iff the memory reference REF has been instrumented. */ | |
613 | ||
614 | static bool | |
615 | has_mem_ref_been_instrumented (const asan_mem_ref *ref) | |
616 | { | |
617 | return has_mem_ref_been_instrumented (ref->start, ref->access_size); | |
618 | } | |
619 | ||
620 | /* Return true iff access to memory region starting at REF and of | |
621 | length LEN has been instrumented. */ | |
622 | ||
623 | static bool | |
624 | has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len) | |
625 | { | |
bdea98ca MO |
626 | HOST_WIDE_INT size_in_bytes |
627 | = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1; | |
bdcbe80c | 628 | |
bdea98ca MO |
629 | return size_in_bytes != -1 |
630 | && has_mem_ref_been_instrumented (ref->start, size_in_bytes); | |
bdcbe80c DS |
631 | } |
632 | ||
633 | /* Set REF to the memory reference present in a gimple assignment | |
634 | ASSIGNMENT. Return true upon successful completion, false | |
635 | otherwise. */ | |
636 | ||
637 | static bool | |
538dd0b7 | 638 | get_mem_ref_of_assignment (const gassign *assignment, |
bdcbe80c DS |
639 | asan_mem_ref *ref, |
640 | bool *ref_is_store) | |
641 | { | |
642 | gcc_assert (gimple_assign_single_p (assignment)); | |
643 | ||
5d751b0c JJ |
644 | if (gimple_store_p (assignment) |
645 | && !gimple_clobber_p (assignment)) | |
bdcbe80c DS |
646 | { |
647 | ref->start = gimple_assign_lhs (assignment); | |
648 | *ref_is_store = true; | |
649 | } | |
650 | else if (gimple_assign_load_p (assignment)) | |
651 | { | |
652 | ref->start = gimple_assign_rhs1 (assignment); | |
653 | *ref_is_store = false; | |
654 | } | |
655 | else | |
656 | return false; | |
657 | ||
658 | ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start)); | |
659 | return true; | |
660 | } | |
661 | ||
e3174bdf MO |
662 | /* Return address of last allocated dynamic alloca. */ |
663 | ||
664 | static tree | |
665 | get_last_alloca_addr () | |
666 | { | |
667 | if (last_alloca_addr) | |
668 | return last_alloca_addr; | |
669 | ||
670 | last_alloca_addr = create_tmp_reg (ptr_type_node, "last_alloca_addr"); | |
671 | gassign *g = gimple_build_assign (last_alloca_addr, null_pointer_node); | |
672 | edge e = single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun)); | |
673 | gsi_insert_on_edge_immediate (e, g); | |
674 | return last_alloca_addr; | |
675 | } | |
676 | ||
7504c3bf | 677 | /* Insert __asan_allocas_unpoison (top, bottom) call before |
e3174bdf MO |
678 | __builtin_stack_restore (new_sp) call. |
679 | The pseudocode of this routine should look like this: | |
e3174bdf MO |
680 | top = last_alloca_addr; |
681 | bot = new_sp; | |
682 | __asan_allocas_unpoison (top, bot); | |
683 | last_alloca_addr = new_sp; | |
7504c3bf | 684 | __builtin_stack_restore (new_sp); |
e3174bdf MO |
685 | In general, we can't use new_sp as bot parameter because on some |
686 | architectures SP has non zero offset from dynamic stack area. Moreover, on | |
687 | some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each | |
688 | particular function only after all callees were expanded to rtl. | |
689 | The most noticeable example is PowerPC{,64}, see | |
690 | http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK. | |
691 | To overcome the issue we use following trick: pass new_sp as a second | |
692 | parameter to __asan_allocas_unpoison and rewrite it during expansion with | |
7504c3bf | 693 | new_sp + (virtual_dynamic_stack_rtx - sp) later in |
93a73251 MM |
694 | expand_asan_emit_allocas_unpoison function. |
695 | ||
696 | HWASAN needs to do very similar, the eventual pseudocode should be: | |
697 | __hwasan_tag_memory (virtual_stack_dynamic_rtx, | |
698 | 0, | |
699 | new_sp - sp); | |
700 | __builtin_stack_restore (new_sp) | |
701 | ||
702 | Need to use the same trick to handle STACK_DYNAMIC_OFFSET as described | |
703 | above. */ | |
e3174bdf MO |
704 | |
705 | static void | |
706 | handle_builtin_stack_restore (gcall *call, gimple_stmt_iterator *iter) | |
707 | { | |
93a73251 MM |
708 | if (!iter |
709 | || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ())) | |
e3174bdf MO |
710 | return; |
711 | ||
e3174bdf | 712 | tree restored_stack = gimple_call_arg (call, 0); |
93a73251 MM |
713 | |
714 | gimple *g; | |
715 | ||
716 | if (hwasan_sanitize_allocas_p ()) | |
717 | { | |
718 | enum internal_fn fn = IFN_HWASAN_ALLOCA_UNPOISON; | |
719 | /* There is only one piece of information `expand_HWASAN_ALLOCA_UNPOISON` | |
720 | needs to work. This is the length of the area that we're | |
721 | deallocating. Since the stack pointer is known at expand time, the | |
722 | position of the new stack pointer after deallocation is enough | |
723 | information to calculate this length. */ | |
724 | g = gimple_build_call_internal (fn, 1, restored_stack); | |
725 | } | |
726 | else | |
727 | { | |
728 | tree last_alloca = get_last_alloca_addr (); | |
729 | tree fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCAS_UNPOISON); | |
730 | g = gimple_build_call (fn, 2, last_alloca, restored_stack); | |
731 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
732 | g = gimple_build_assign (last_alloca, restored_stack); | |
733 | } | |
734 | ||
7504c3bf | 735 | gsi_insert_before (iter, g, GSI_SAME_STMT); |
e3174bdf MO |
736 | } |
737 | ||
738 | /* Deploy and poison redzones around __builtin_alloca call. To do this, we | |
739 | should replace this call with another one with changed parameters and | |
740 | replace all its uses with new address, so | |
741 | addr = __builtin_alloca (old_size, align); | |
742 | is replaced by | |
743 | left_redzone_size = max (align, ASAN_RED_ZONE_SIZE); | |
744 | Following two statements are optimized out if we know that | |
745 | old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial | |
746 | redzone. | |
747 | misalign = old_size & (ASAN_RED_ZONE_SIZE - 1); | |
748 | partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign; | |
749 | right_redzone_size = ASAN_RED_ZONE_SIZE; | |
750 | additional_size = left_redzone_size + partial_redzone_size + | |
751 | right_redzone_size; | |
752 | new_size = old_size + additional_size; | |
753 | new_alloca = __builtin_alloca (new_size, max (align, 32)) | |
754 | __asan_alloca_poison (new_alloca, old_size) | |
755 | addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE); | |
756 | last_alloca_addr = new_alloca; | |
757 | ADDITIONAL_SIZE is added to make new memory allocation contain not only | |
758 | requested memory, but also left, partial and right redzones as well as some | |
759 | additional space, required by alignment. */ | |
760 | ||
761 | static void | |
762 | handle_builtin_alloca (gcall *call, gimple_stmt_iterator *iter) | |
763 | { | |
93a73251 MM |
764 | if (!iter |
765 | || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ())) | |
e3174bdf MO |
766 | return; |
767 | ||
768 | gassign *g; | |
769 | gcall *gg; | |
e3174bdf | 770 | tree callee = gimple_call_fndecl (call); |
f0c7367b | 771 | tree lhs = gimple_call_lhs (call); |
e3174bdf | 772 | tree old_size = gimple_call_arg (call, 0); |
f0c7367b | 773 | tree ptr_type = lhs ? TREE_TYPE (lhs) : ptr_type_node; |
e3174bdf | 774 | tree partial_size = NULL_TREE; |
e3174bdf | 775 | unsigned int align |
9e878cf1 EB |
776 | = DECL_FUNCTION_CODE (callee) == BUILT_IN_ALLOCA |
777 | ? 0 : tree_to_uhwi (gimple_call_arg (call, 1)); | |
e3174bdf | 778 | |
f0c7367b JJ |
779 | bool throws = false; |
780 | edge e = NULL; | |
781 | if (stmt_can_throw_internal (cfun, call)) | |
782 | { | |
783 | if (!lhs) | |
784 | return; | |
785 | throws = true; | |
786 | e = find_fallthru_edge (gsi_bb (*iter)->succs); | |
787 | } | |
788 | ||
93a73251 MM |
789 | if (hwasan_sanitize_allocas_p ()) |
790 | { | |
791 | gimple_seq stmts = NULL; | |
792 | location_t loc = gimple_location (gsi_stmt (*iter)); | |
793 | /* | |
794 | HWASAN needs a different expansion. | |
795 | ||
796 | addr = __builtin_alloca (size, align); | |
797 | ||
798 | should be replaced by | |
799 | ||
800 | new_size = size rounded up to HWASAN_TAG_GRANULE_SIZE byte alignment; | |
801 | untagged_addr = __builtin_alloca (new_size, align); | |
802 | tag = __hwasan_choose_alloca_tag (); | |
803 | addr = ifn_HWASAN_SET_TAG (untagged_addr, tag); | |
804 | __hwasan_tag_memory (untagged_addr, tag, new_size); | |
805 | */ | |
806 | /* Ensure alignment at least HWASAN_TAG_GRANULE_SIZE bytes so we start on | |
807 | a tag granule. */ | |
808 | align = align > HWASAN_TAG_GRANULE_SIZE ? align : HWASAN_TAG_GRANULE_SIZE; | |
809 | ||
810 | tree old_size = gimple_call_arg (call, 0); | |
811 | tree new_size = gimple_build_round_up (&stmts, loc, size_type_node, | |
812 | old_size, | |
813 | HWASAN_TAG_GRANULE_SIZE); | |
814 | ||
815 | /* Make the alloca call */ | |
816 | tree untagged_addr | |
817 | = gimple_build (&stmts, loc, | |
818 | as_combined_fn (BUILT_IN_ALLOCA_WITH_ALIGN), ptr_type, | |
819 | new_size, build_int_cst (size_type_node, align)); | |
820 | ||
821 | /* Choose the tag. | |
822 | Here we use an internal function so we can choose the tag at expand | |
823 | time. We need the decision to be made after stack variables have been | |
824 | assigned their tag (i.e. once the hwasan_frame_tag_offset variable has | |
825 | been set to one after the last stack variables tag). */ | |
826 | tree tag = gimple_build (&stmts, loc, CFN_HWASAN_CHOOSE_TAG, | |
827 | unsigned_char_type_node); | |
828 | ||
829 | /* Add tag to pointer. */ | |
830 | tree addr | |
831 | = gimple_build (&stmts, loc, CFN_HWASAN_SET_TAG, ptr_type, | |
832 | untagged_addr, tag); | |
833 | ||
834 | /* Tag shadow memory. | |
835 | NOTE: require using `untagged_addr` here for libhwasan API. */ | |
836 | gimple_build (&stmts, loc, as_combined_fn (BUILT_IN_HWASAN_TAG_MEM), | |
837 | void_type_node, untagged_addr, tag, new_size); | |
838 | ||
839 | /* Insert the built up code sequence into the original instruction stream | |
840 | the iterator points to. */ | |
841 | gsi_insert_seq_before (iter, stmts, GSI_SAME_STMT); | |
842 | ||
843 | /* Finally, replace old alloca ptr with NEW_ALLOCA. */ | |
844 | replace_call_with_value (iter, addr); | |
845 | return; | |
846 | } | |
847 | ||
848 | tree last_alloca = get_last_alloca_addr (); | |
849 | const HOST_WIDE_INT redzone_mask = ASAN_RED_ZONE_SIZE - 1; | |
850 | ||
e3174bdf MO |
851 | /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN |
852 | bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE | |
853 | manually. */ | |
854 | align = MAX (align, ASAN_RED_ZONE_SIZE * BITS_PER_UNIT); | |
855 | ||
856 | tree alloca_rz_mask = build_int_cst (size_type_node, redzone_mask); | |
857 | tree redzone_size = build_int_cst (size_type_node, ASAN_RED_ZONE_SIZE); | |
858 | ||
859 | /* Extract lower bits from old_size. */ | |
860 | wide_int size_nonzero_bits = get_nonzero_bits (old_size); | |
861 | wide_int rz_mask | |
862 | = wi::uhwi (redzone_mask, wi::get_precision (size_nonzero_bits)); | |
863 | wide_int old_size_lower_bits = wi::bit_and (size_nonzero_bits, rz_mask); | |
864 | ||
865 | /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial | |
866 | redzone. Otherwise, compute its size here. */ | |
867 | if (wi::ne_p (old_size_lower_bits, 0)) | |
868 | { | |
869 | /* misalign = size & (ASAN_RED_ZONE_SIZE - 1) | |
870 | partial_size = ASAN_RED_ZONE_SIZE - misalign. */ | |
871 | g = gimple_build_assign (make_ssa_name (size_type_node, NULL), | |
872 | BIT_AND_EXPR, old_size, alloca_rz_mask); | |
873 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
874 | tree misalign = gimple_assign_lhs (g); | |
875 | g = gimple_build_assign (make_ssa_name (size_type_node, NULL), MINUS_EXPR, | |
876 | redzone_size, misalign); | |
877 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
878 | partial_size = gimple_assign_lhs (g); | |
879 | } | |
880 | ||
881 | /* additional_size = align + ASAN_RED_ZONE_SIZE. */ | |
882 | tree additional_size = build_int_cst (size_type_node, align / BITS_PER_UNIT | |
883 | + ASAN_RED_ZONE_SIZE); | |
884 | /* If alloca has partial redzone, include it to additional_size too. */ | |
885 | if (partial_size) | |
886 | { | |
887 | /* additional_size += partial_size. */ | |
888 | g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR, | |
889 | partial_size, additional_size); | |
890 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
891 | additional_size = gimple_assign_lhs (g); | |
892 | } | |
893 | ||
894 | /* new_size = old_size + additional_size. */ | |
895 | g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR, old_size, | |
896 | additional_size); | |
897 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
898 | tree new_size = gimple_assign_lhs (g); | |
899 | ||
900 | /* Build new __builtin_alloca call: | |
901 | new_alloca_with_rz = __builtin_alloca (new_size, align). */ | |
902 | tree fn = builtin_decl_implicit (BUILT_IN_ALLOCA_WITH_ALIGN); | |
903 | gg = gimple_build_call (fn, 2, new_size, | |
904 | build_int_cst (size_type_node, align)); | |
905 | tree new_alloca_with_rz = make_ssa_name (ptr_type, gg); | |
906 | gimple_call_set_lhs (gg, new_alloca_with_rz); | |
f0c7367b JJ |
907 | if (throws) |
908 | { | |
909 | gimple_call_set_lhs (call, NULL); | |
910 | gsi_replace (iter, gg, true); | |
911 | } | |
912 | else | |
913 | gsi_insert_before (iter, gg, GSI_SAME_STMT); | |
e3174bdf MO |
914 | |
915 | /* new_alloca = new_alloca_with_rz + align. */ | |
916 | g = gimple_build_assign (make_ssa_name (ptr_type), POINTER_PLUS_EXPR, | |
917 | new_alloca_with_rz, | |
918 | build_int_cst (size_type_node, | |
919 | align / BITS_PER_UNIT)); | |
f0c7367b JJ |
920 | gimple_stmt_iterator gsi = gsi_none (); |
921 | if (throws) | |
922 | { | |
923 | gsi_insert_on_edge_immediate (e, g); | |
924 | gsi = gsi_for_stmt (g); | |
925 | } | |
926 | else | |
927 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
e3174bdf MO |
928 | tree new_alloca = gimple_assign_lhs (g); |
929 | ||
930 | /* Poison newly created alloca redzones: | |
931 | __asan_alloca_poison (new_alloca, old_size). */ | |
932 | fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCA_POISON); | |
933 | gg = gimple_build_call (fn, 2, new_alloca, old_size); | |
f0c7367b JJ |
934 | if (throws) |
935 | gsi_insert_after (&gsi, gg, GSI_NEW_STMT); | |
936 | else | |
937 | gsi_insert_before (iter, gg, GSI_SAME_STMT); | |
e3174bdf MO |
938 | |
939 | /* Save new_alloca_with_rz value into last_alloca to use it during | |
940 | allocas unpoisoning. */ | |
941 | g = gimple_build_assign (last_alloca, new_alloca_with_rz); | |
f0c7367b JJ |
942 | if (throws) |
943 | gsi_insert_after (&gsi, g, GSI_NEW_STMT); | |
944 | else | |
945 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
e3174bdf MO |
946 | |
947 | /* Finally, replace old alloca ptr with NEW_ALLOCA. */ | |
f0c7367b JJ |
948 | if (throws) |
949 | { | |
950 | g = gimple_build_assign (lhs, new_alloca); | |
951 | gsi_insert_after (&gsi, g, GSI_NEW_STMT); | |
952 | } | |
953 | else | |
954 | replace_call_with_value (iter, new_alloca); | |
e3174bdf MO |
955 | } |
956 | ||
bdcbe80c DS |
957 | /* Return the memory references contained in a gimple statement |
958 | representing a builtin call that has to do with memory access. */ | |
959 | ||
960 | static bool | |
e3174bdf | 961 | get_mem_refs_of_builtin_call (gcall *call, |
bdcbe80c DS |
962 | asan_mem_ref *src0, |
963 | tree *src0_len, | |
964 | bool *src0_is_store, | |
965 | asan_mem_ref *src1, | |
966 | tree *src1_len, | |
967 | bool *src1_is_store, | |
968 | asan_mem_ref *dst, | |
969 | tree *dst_len, | |
970 | bool *dst_is_store, | |
bdea98ca | 971 | bool *dest_is_deref, |
e3174bdf MO |
972 | bool *intercepted_p, |
973 | gimple_stmt_iterator *iter = NULL) | |
bdcbe80c DS |
974 | { |
975 | gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL)); | |
976 | ||
977 | tree callee = gimple_call_fndecl (call); | |
978 | tree source0 = NULL_TREE, source1 = NULL_TREE, | |
979 | dest = NULL_TREE, len = NULL_TREE; | |
980 | bool is_store = true, got_reference_p = false; | |
40f9f6bb | 981 | HOST_WIDE_INT access_size = 1; |
bdcbe80c | 982 | |
bdea98ca MO |
983 | *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee))); |
984 | ||
bdcbe80c DS |
985 | switch (DECL_FUNCTION_CODE (callee)) |
986 | { | |
987 | /* (s, s, n) style memops. */ | |
988 | case BUILT_IN_BCMP: | |
989 | case BUILT_IN_MEMCMP: | |
990 | source0 = gimple_call_arg (call, 0); | |
991 | source1 = gimple_call_arg (call, 1); | |
992 | len = gimple_call_arg (call, 2); | |
993 | break; | |
994 | ||
995 | /* (src, dest, n) style memops. */ | |
996 | case BUILT_IN_BCOPY: | |
997 | source0 = gimple_call_arg (call, 0); | |
998 | dest = gimple_call_arg (call, 1); | |
999 | len = gimple_call_arg (call, 2); | |
1000 | break; | |
1001 | ||
1002 | /* (dest, src, n) style memops. */ | |
1003 | case BUILT_IN_MEMCPY: | |
1004 | case BUILT_IN_MEMCPY_CHK: | |
1005 | case BUILT_IN_MEMMOVE: | |
1006 | case BUILT_IN_MEMMOVE_CHK: | |
1007 | case BUILT_IN_MEMPCPY: | |
1008 | case BUILT_IN_MEMPCPY_CHK: | |
1009 | dest = gimple_call_arg (call, 0); | |
1010 | source0 = gimple_call_arg (call, 1); | |
1011 | len = gimple_call_arg (call, 2); | |
1012 | break; | |
1013 | ||
1014 | /* (dest, n) style memops. */ | |
1015 | case BUILT_IN_BZERO: | |
1016 | dest = gimple_call_arg (call, 0); | |
1017 | len = gimple_call_arg (call, 1); | |
1018 | break; | |
1019 | ||
1020 | /* (dest, x, n) style memops*/ | |
1021 | case BUILT_IN_MEMSET: | |
1022 | case BUILT_IN_MEMSET_CHK: | |
1023 | dest = gimple_call_arg (call, 0); | |
1024 | len = gimple_call_arg (call, 2); | |
1025 | break; | |
1026 | ||
1027 | case BUILT_IN_STRLEN: | |
93a73251 MM |
1028 | /* Special case strlen here since its length is taken from its return |
1029 | value. | |
1030 | ||
1031 | The approach taken by the sanitizers is to check a memory access | |
1032 | before it's taken. For ASAN strlen is intercepted by libasan, so no | |
1033 | check is inserted by the compiler. | |
1034 | ||
1035 | This function still returns `true` and provides a length to the rest | |
1036 | of the ASAN pass in order to record what areas have been checked, | |
1037 | avoiding superfluous checks later on. | |
1038 | ||
1039 | HWASAN does not intercept any of these internal functions. | |
1040 | This means that checks for memory accesses must be inserted by the | |
1041 | compiler. | |
1042 | strlen is a special case, because we can tell the length from the | |
1043 | return of the function, but that is not known until after the function | |
1044 | has returned. | |
1045 | ||
1046 | Hence we can't check the memory access before it happens. | |
1047 | We could check the memory access after it has already happened, but | |
1048 | for now we choose to just ignore `strlen` calls. | |
1049 | This decision was simply made because that means the special case is | |
1050 | limited to this one case of this one function. */ | |
1051 | if (hwasan_sanitize_p ()) | |
1052 | return false; | |
bdcbe80c DS |
1053 | source0 = gimple_call_arg (call, 0); |
1054 | len = gimple_call_lhs (call); | |
9e463823 | 1055 | break; |
bdcbe80c | 1056 | |
e3174bdf MO |
1057 | case BUILT_IN_STACK_RESTORE: |
1058 | handle_builtin_stack_restore (call, iter); | |
1059 | break; | |
1060 | ||
9e878cf1 | 1061 | CASE_BUILT_IN_ALLOCA: |
e3174bdf MO |
1062 | handle_builtin_alloca (call, iter); |
1063 | break; | |
bdcbe80c | 1064 | /* And now the __atomic* and __sync builtins. |
d5029d45 | 1065 | These are handled differently from the classical memory |
bdcbe80c DS |
1066 | access builtins above. */ |
1067 | ||
1068 | case BUILT_IN_ATOMIC_LOAD_1: | |
bdcbe80c | 1069 | is_store = false; |
9e463823 | 1070 | /* FALLTHRU */ |
bdcbe80c | 1071 | case BUILT_IN_SYNC_FETCH_AND_ADD_1: |
bdcbe80c | 1072 | case BUILT_IN_SYNC_FETCH_AND_SUB_1: |
bdcbe80c | 1073 | case BUILT_IN_SYNC_FETCH_AND_OR_1: |
bdcbe80c | 1074 | case BUILT_IN_SYNC_FETCH_AND_AND_1: |
bdcbe80c | 1075 | case BUILT_IN_SYNC_FETCH_AND_XOR_1: |
bdcbe80c | 1076 | case BUILT_IN_SYNC_FETCH_AND_NAND_1: |
bdcbe80c | 1077 | case BUILT_IN_SYNC_ADD_AND_FETCH_1: |
bdcbe80c | 1078 | case BUILT_IN_SYNC_SUB_AND_FETCH_1: |
bdcbe80c | 1079 | case BUILT_IN_SYNC_OR_AND_FETCH_1: |
bdcbe80c | 1080 | case BUILT_IN_SYNC_AND_AND_FETCH_1: |
bdcbe80c | 1081 | case BUILT_IN_SYNC_XOR_AND_FETCH_1: |
bdcbe80c | 1082 | case BUILT_IN_SYNC_NAND_AND_FETCH_1: |
bdcbe80c | 1083 | case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1: |
bdcbe80c | 1084 | case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1: |
bdcbe80c | 1085 | case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1: |
bdcbe80c | 1086 | case BUILT_IN_SYNC_LOCK_RELEASE_1: |
bdcbe80c | 1087 | case BUILT_IN_ATOMIC_EXCHANGE_1: |
bdcbe80c | 1088 | case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1: |
bdcbe80c | 1089 | case BUILT_IN_ATOMIC_STORE_1: |
bdcbe80c | 1090 | case BUILT_IN_ATOMIC_ADD_FETCH_1: |
bdcbe80c | 1091 | case BUILT_IN_ATOMIC_SUB_FETCH_1: |
bdcbe80c | 1092 | case BUILT_IN_ATOMIC_AND_FETCH_1: |
bdcbe80c | 1093 | case BUILT_IN_ATOMIC_NAND_FETCH_1: |
bdcbe80c | 1094 | case BUILT_IN_ATOMIC_XOR_FETCH_1: |
bdcbe80c | 1095 | case BUILT_IN_ATOMIC_OR_FETCH_1: |
bdcbe80c | 1096 | case BUILT_IN_ATOMIC_FETCH_ADD_1: |
bdcbe80c | 1097 | case BUILT_IN_ATOMIC_FETCH_SUB_1: |
bdcbe80c | 1098 | case BUILT_IN_ATOMIC_FETCH_AND_1: |
bdcbe80c | 1099 | case BUILT_IN_ATOMIC_FETCH_NAND_1: |
bdcbe80c | 1100 | case BUILT_IN_ATOMIC_FETCH_XOR_1: |
bdcbe80c | 1101 | case BUILT_IN_ATOMIC_FETCH_OR_1: |
9e463823 JJ |
1102 | access_size = 1; |
1103 | goto do_atomic; | |
1104 | ||
1105 | case BUILT_IN_ATOMIC_LOAD_2: | |
1106 | is_store = false; | |
1107 | /* FALLTHRU */ | |
1108 | case BUILT_IN_SYNC_FETCH_AND_ADD_2: | |
1109 | case BUILT_IN_SYNC_FETCH_AND_SUB_2: | |
1110 | case BUILT_IN_SYNC_FETCH_AND_OR_2: | |
1111 | case BUILT_IN_SYNC_FETCH_AND_AND_2: | |
1112 | case BUILT_IN_SYNC_FETCH_AND_XOR_2: | |
1113 | case BUILT_IN_SYNC_FETCH_AND_NAND_2: | |
1114 | case BUILT_IN_SYNC_ADD_AND_FETCH_2: | |
1115 | case BUILT_IN_SYNC_SUB_AND_FETCH_2: | |
1116 | case BUILT_IN_SYNC_OR_AND_FETCH_2: | |
1117 | case BUILT_IN_SYNC_AND_AND_FETCH_2: | |
1118 | case BUILT_IN_SYNC_XOR_AND_FETCH_2: | |
1119 | case BUILT_IN_SYNC_NAND_AND_FETCH_2: | |
1120 | case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2: | |
1121 | case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2: | |
1122 | case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2: | |
1123 | case BUILT_IN_SYNC_LOCK_RELEASE_2: | |
1124 | case BUILT_IN_ATOMIC_EXCHANGE_2: | |
1125 | case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2: | |
1126 | case BUILT_IN_ATOMIC_STORE_2: | |
1127 | case BUILT_IN_ATOMIC_ADD_FETCH_2: | |
1128 | case BUILT_IN_ATOMIC_SUB_FETCH_2: | |
1129 | case BUILT_IN_ATOMIC_AND_FETCH_2: | |
1130 | case BUILT_IN_ATOMIC_NAND_FETCH_2: | |
1131 | case BUILT_IN_ATOMIC_XOR_FETCH_2: | |
1132 | case BUILT_IN_ATOMIC_OR_FETCH_2: | |
1133 | case BUILT_IN_ATOMIC_FETCH_ADD_2: | |
1134 | case BUILT_IN_ATOMIC_FETCH_SUB_2: | |
1135 | case BUILT_IN_ATOMIC_FETCH_AND_2: | |
1136 | case BUILT_IN_ATOMIC_FETCH_NAND_2: | |
1137 | case BUILT_IN_ATOMIC_FETCH_XOR_2: | |
bdcbe80c | 1138 | case BUILT_IN_ATOMIC_FETCH_OR_2: |
9e463823 JJ |
1139 | access_size = 2; |
1140 | goto do_atomic; | |
1141 | ||
1142 | case BUILT_IN_ATOMIC_LOAD_4: | |
1143 | is_store = false; | |
1144 | /* FALLTHRU */ | |
1145 | case BUILT_IN_SYNC_FETCH_AND_ADD_4: | |
1146 | case BUILT_IN_SYNC_FETCH_AND_SUB_4: | |
1147 | case BUILT_IN_SYNC_FETCH_AND_OR_4: | |
1148 | case BUILT_IN_SYNC_FETCH_AND_AND_4: | |
1149 | case BUILT_IN_SYNC_FETCH_AND_XOR_4: | |
1150 | case BUILT_IN_SYNC_FETCH_AND_NAND_4: | |
1151 | case BUILT_IN_SYNC_ADD_AND_FETCH_4: | |
1152 | case BUILT_IN_SYNC_SUB_AND_FETCH_4: | |
1153 | case BUILT_IN_SYNC_OR_AND_FETCH_4: | |
1154 | case BUILT_IN_SYNC_AND_AND_FETCH_4: | |
1155 | case BUILT_IN_SYNC_XOR_AND_FETCH_4: | |
1156 | case BUILT_IN_SYNC_NAND_AND_FETCH_4: | |
1157 | case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4: | |
1158 | case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4: | |
1159 | case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4: | |
1160 | case BUILT_IN_SYNC_LOCK_RELEASE_4: | |
1161 | case BUILT_IN_ATOMIC_EXCHANGE_4: | |
1162 | case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4: | |
1163 | case BUILT_IN_ATOMIC_STORE_4: | |
1164 | case BUILT_IN_ATOMIC_ADD_FETCH_4: | |
1165 | case BUILT_IN_ATOMIC_SUB_FETCH_4: | |
1166 | case BUILT_IN_ATOMIC_AND_FETCH_4: | |
1167 | case BUILT_IN_ATOMIC_NAND_FETCH_4: | |
1168 | case BUILT_IN_ATOMIC_XOR_FETCH_4: | |
1169 | case BUILT_IN_ATOMIC_OR_FETCH_4: | |
1170 | case BUILT_IN_ATOMIC_FETCH_ADD_4: | |
1171 | case BUILT_IN_ATOMIC_FETCH_SUB_4: | |
1172 | case BUILT_IN_ATOMIC_FETCH_AND_4: | |
1173 | case BUILT_IN_ATOMIC_FETCH_NAND_4: | |
1174 | case BUILT_IN_ATOMIC_FETCH_XOR_4: | |
bdcbe80c | 1175 | case BUILT_IN_ATOMIC_FETCH_OR_4: |
9e463823 JJ |
1176 | access_size = 4; |
1177 | goto do_atomic; | |
1178 | ||
1179 | case BUILT_IN_ATOMIC_LOAD_8: | |
1180 | is_store = false; | |
1181 | /* FALLTHRU */ | |
1182 | case BUILT_IN_SYNC_FETCH_AND_ADD_8: | |
1183 | case BUILT_IN_SYNC_FETCH_AND_SUB_8: | |
1184 | case BUILT_IN_SYNC_FETCH_AND_OR_8: | |
1185 | case BUILT_IN_SYNC_FETCH_AND_AND_8: | |
1186 | case BUILT_IN_SYNC_FETCH_AND_XOR_8: | |
1187 | case BUILT_IN_SYNC_FETCH_AND_NAND_8: | |
1188 | case BUILT_IN_SYNC_ADD_AND_FETCH_8: | |
1189 | case BUILT_IN_SYNC_SUB_AND_FETCH_8: | |
1190 | case BUILT_IN_SYNC_OR_AND_FETCH_8: | |
1191 | case BUILT_IN_SYNC_AND_AND_FETCH_8: | |
1192 | case BUILT_IN_SYNC_XOR_AND_FETCH_8: | |
1193 | case BUILT_IN_SYNC_NAND_AND_FETCH_8: | |
1194 | case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8: | |
1195 | case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8: | |
1196 | case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8: | |
1197 | case BUILT_IN_SYNC_LOCK_RELEASE_8: | |
1198 | case BUILT_IN_ATOMIC_EXCHANGE_8: | |
1199 | case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8: | |
1200 | case BUILT_IN_ATOMIC_STORE_8: | |
1201 | case BUILT_IN_ATOMIC_ADD_FETCH_8: | |
1202 | case BUILT_IN_ATOMIC_SUB_FETCH_8: | |
1203 | case BUILT_IN_ATOMIC_AND_FETCH_8: | |
1204 | case BUILT_IN_ATOMIC_NAND_FETCH_8: | |
1205 | case BUILT_IN_ATOMIC_XOR_FETCH_8: | |
1206 | case BUILT_IN_ATOMIC_OR_FETCH_8: | |
1207 | case BUILT_IN_ATOMIC_FETCH_ADD_8: | |
1208 | case BUILT_IN_ATOMIC_FETCH_SUB_8: | |
1209 | case BUILT_IN_ATOMIC_FETCH_AND_8: | |
1210 | case BUILT_IN_ATOMIC_FETCH_NAND_8: | |
1211 | case BUILT_IN_ATOMIC_FETCH_XOR_8: | |
bdcbe80c | 1212 | case BUILT_IN_ATOMIC_FETCH_OR_8: |
9e463823 JJ |
1213 | access_size = 8; |
1214 | goto do_atomic; | |
1215 | ||
1216 | case BUILT_IN_ATOMIC_LOAD_16: | |
1217 | is_store = false; | |
1218 | /* FALLTHRU */ | |
1219 | case BUILT_IN_SYNC_FETCH_AND_ADD_16: | |
1220 | case BUILT_IN_SYNC_FETCH_AND_SUB_16: | |
1221 | case BUILT_IN_SYNC_FETCH_AND_OR_16: | |
1222 | case BUILT_IN_SYNC_FETCH_AND_AND_16: | |
1223 | case BUILT_IN_SYNC_FETCH_AND_XOR_16: | |
1224 | case BUILT_IN_SYNC_FETCH_AND_NAND_16: | |
1225 | case BUILT_IN_SYNC_ADD_AND_FETCH_16: | |
1226 | case BUILT_IN_SYNC_SUB_AND_FETCH_16: | |
1227 | case BUILT_IN_SYNC_OR_AND_FETCH_16: | |
1228 | case BUILT_IN_SYNC_AND_AND_FETCH_16: | |
1229 | case BUILT_IN_SYNC_XOR_AND_FETCH_16: | |
1230 | case BUILT_IN_SYNC_NAND_AND_FETCH_16: | |
1231 | case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16: | |
1232 | case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16: | |
1233 | case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16: | |
1234 | case BUILT_IN_SYNC_LOCK_RELEASE_16: | |
1235 | case BUILT_IN_ATOMIC_EXCHANGE_16: | |
1236 | case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16: | |
1237 | case BUILT_IN_ATOMIC_STORE_16: | |
1238 | case BUILT_IN_ATOMIC_ADD_FETCH_16: | |
1239 | case BUILT_IN_ATOMIC_SUB_FETCH_16: | |
1240 | case BUILT_IN_ATOMIC_AND_FETCH_16: | |
1241 | case BUILT_IN_ATOMIC_NAND_FETCH_16: | |
1242 | case BUILT_IN_ATOMIC_XOR_FETCH_16: | |
1243 | case BUILT_IN_ATOMIC_OR_FETCH_16: | |
1244 | case BUILT_IN_ATOMIC_FETCH_ADD_16: | |
1245 | case BUILT_IN_ATOMIC_FETCH_SUB_16: | |
1246 | case BUILT_IN_ATOMIC_FETCH_AND_16: | |
1247 | case BUILT_IN_ATOMIC_FETCH_NAND_16: | |
1248 | case BUILT_IN_ATOMIC_FETCH_XOR_16: | |
bdcbe80c | 1249 | case BUILT_IN_ATOMIC_FETCH_OR_16: |
9e463823 JJ |
1250 | access_size = 16; |
1251 | /* FALLTHRU */ | |
1252 | do_atomic: | |
bdcbe80c DS |
1253 | { |
1254 | dest = gimple_call_arg (call, 0); | |
1255 | /* DEST represents the address of a memory location. | |
1256 | instrument_derefs wants the memory location, so lets | |
1257 | dereference the address DEST before handing it to | |
1258 | instrument_derefs. */ | |
9e463823 JJ |
1259 | tree type = build_nonstandard_integer_type (access_size |
1260 | * BITS_PER_UNIT, 1); | |
1261 | dest = build2 (MEM_REF, type, dest, | |
1262 | build_int_cst (build_pointer_type (char_type_node), 0)); | |
1263 | break; | |
bdcbe80c DS |
1264 | } |
1265 | ||
1266 | default: | |
1267 | /* The other builtins memory access are not instrumented in this | |
1268 | function because they either don't have any length parameter, | |
1269 | or their length parameter is just a limit. */ | |
1270 | break; | |
1271 | } | |
1272 | ||
1273 | if (len != NULL_TREE) | |
1274 | { | |
1275 | if (source0 != NULL_TREE) | |
1276 | { | |
1277 | src0->start = source0; | |
1278 | src0->access_size = access_size; | |
1279 | *src0_len = len; | |
1280 | *src0_is_store = false; | |
1281 | } | |
1282 | ||
1283 | if (source1 != NULL_TREE) | |
1284 | { | |
1285 | src1->start = source1; | |
1286 | src1->access_size = access_size; | |
1287 | *src1_len = len; | |
1288 | *src1_is_store = false; | |
1289 | } | |
1290 | ||
1291 | if (dest != NULL_TREE) | |
1292 | { | |
1293 | dst->start = dest; | |
1294 | dst->access_size = access_size; | |
1295 | *dst_len = len; | |
1296 | *dst_is_store = true; | |
1297 | } | |
1298 | ||
1299 | got_reference_p = true; | |
1300 | } | |
b41288b3 JJ |
1301 | else if (dest) |
1302 | { | |
1303 | dst->start = dest; | |
1304 | dst->access_size = access_size; | |
1305 | *dst_len = NULL_TREE; | |
1306 | *dst_is_store = is_store; | |
1307 | *dest_is_deref = true; | |
1308 | got_reference_p = true; | |
1309 | } | |
bdcbe80c | 1310 | |
b41288b3 | 1311 | return got_reference_p; |
bdcbe80c DS |
1312 | } |
1313 | ||
1314 | /* Return true iff a given gimple statement has been instrumented. | |
1315 | Note that the statement is "defined" by the memory references it | |
1316 | contains. */ | |
1317 | ||
1318 | static bool | |
355fe088 | 1319 | has_stmt_been_instrumented_p (gimple *stmt) |
bdcbe80c DS |
1320 | { |
1321 | if (gimple_assign_single_p (stmt)) | |
1322 | { | |
1323 | bool r_is_store; | |
1324 | asan_mem_ref r; | |
1325 | asan_mem_ref_init (&r, NULL, 1); | |
1326 | ||
538dd0b7 DM |
1327 | if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r, |
1328 | &r_is_store)) | |
af02daff JJ |
1329 | { |
1330 | if (!has_mem_ref_been_instrumented (&r)) | |
1331 | return false; | |
1332 | if (r_is_store && gimple_assign_load_p (stmt)) | |
1333 | { | |
1334 | asan_mem_ref src; | |
1335 | asan_mem_ref_init (&src, NULL, 1); | |
1336 | src.start = gimple_assign_rhs1 (stmt); | |
1337 | src.access_size = int_size_in_bytes (TREE_TYPE (src.start)); | |
1338 | if (!has_mem_ref_been_instrumented (&src)) | |
1339 | return false; | |
1340 | } | |
1341 | return true; | |
1342 | } | |
bdcbe80c DS |
1343 | } |
1344 | else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL)) | |
1345 | { | |
1346 | asan_mem_ref src0, src1, dest; | |
1347 | asan_mem_ref_init (&src0, NULL, 1); | |
1348 | asan_mem_ref_init (&src1, NULL, 1); | |
1349 | asan_mem_ref_init (&dest, NULL, 1); | |
1350 | ||
1351 | tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE; | |
1352 | bool src0_is_store = false, src1_is_store = false, | |
bdea98ca | 1353 | dest_is_store = false, dest_is_deref = false, intercepted_p = true; |
538dd0b7 | 1354 | if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt), |
bdcbe80c DS |
1355 | &src0, &src0_len, &src0_is_store, |
1356 | &src1, &src1_len, &src1_is_store, | |
1357 | &dest, &dest_len, &dest_is_store, | |
bdea98ca | 1358 | &dest_is_deref, &intercepted_p)) |
bdcbe80c DS |
1359 | { |
1360 | if (src0.start != NULL_TREE | |
1361 | && !has_mem_ref_been_instrumented (&src0, src0_len)) | |
1362 | return false; | |
1363 | ||
1364 | if (src1.start != NULL_TREE | |
1365 | && !has_mem_ref_been_instrumented (&src1, src1_len)) | |
1366 | return false; | |
1367 | ||
1368 | if (dest.start != NULL_TREE | |
1369 | && !has_mem_ref_been_instrumented (&dest, dest_len)) | |
1370 | return false; | |
1371 | ||
1372 | return true; | |
1373 | } | |
1374 | } | |
7db337c2 ML |
1375 | else if (is_gimple_call (stmt) && gimple_store_p (stmt)) |
1376 | { | |
1377 | asan_mem_ref r; | |
1378 | asan_mem_ref_init (&r, NULL, 1); | |
1379 | ||
1380 | r.start = gimple_call_lhs (stmt); | |
1381 | r.access_size = int_size_in_bytes (TREE_TYPE (r.start)); | |
1382 | return has_mem_ref_been_instrumented (&r); | |
1383 | } | |
1384 | ||
bdcbe80c DS |
1385 | return false; |
1386 | } | |
1387 | ||
1388 | /* Insert a memory reference into the hash table. */ | |
1389 | ||
1390 | static void | |
40f9f6bb | 1391 | update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size) |
bdcbe80c | 1392 | { |
c203e8a7 | 1393 | hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table (); |
bdcbe80c DS |
1394 | |
1395 | asan_mem_ref r; | |
1396 | asan_mem_ref_init (&r, ref, access_size); | |
1397 | ||
c203e8a7 | 1398 | asan_mem_ref **slot = ht->find_slot (&r, INSERT); |
bdea98ca | 1399 | if (*slot == NULL || (*slot)->access_size < access_size) |
bdcbe80c DS |
1400 | *slot = asan_mem_ref_new (ref, access_size); |
1401 | } | |
1402 | ||
94fce891 JJ |
1403 | /* Initialize shadow_ptr_types array. */ |
1404 | ||
1405 | static void | |
1406 | asan_init_shadow_ptr_types (void) | |
1407 | { | |
1408 | asan_shadow_set = new_alias_set (); | |
6dc4a604 ML |
1409 | tree types[3] = { signed_char_type_node, short_integer_type_node, |
1410 | integer_type_node }; | |
1411 | ||
1412 | for (unsigned i = 0; i < 3; i++) | |
1413 | { | |
1414 | shadow_ptr_types[i] = build_distinct_type_copy (types[i]); | |
1415 | TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set; | |
1416 | shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]); | |
1417 | } | |
1418 | ||
94fce891 JJ |
1419 | initialize_sanitizer_builtins (); |
1420 | } | |
1421 | ||
11a877b3 | 1422 | /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */ |
8240018b JJ |
1423 | |
1424 | static tree | |
11a877b3 | 1425 | asan_pp_string (pretty_printer *pp) |
8240018b | 1426 | { |
11a877b3 | 1427 | const char *buf = pp_formatted_text (pp); |
8240018b JJ |
1428 | size_t len = strlen (buf); |
1429 | tree ret = build_string (len + 1, buf); | |
1430 | TREE_TYPE (ret) | |
94fce891 JJ |
1431 | = build_array_type (TREE_TYPE (shadow_ptr_types[0]), |
1432 | build_index_type (size_int (len))); | |
8240018b JJ |
1433 | TREE_READONLY (ret) = 1; |
1434 | TREE_STATIC (ret) = 1; | |
94fce891 | 1435 | return build1 (ADDR_EXPR, shadow_ptr_types[0], ret); |
8240018b JJ |
1436 | } |
1437 | ||
aeb7e7c1 JJ |
1438 | /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here |
1439 | though. */ | |
1440 | ||
1441 | static void | |
1442 | asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len) | |
1443 | { | |
3a965f61 DM |
1444 | rtx_insn *insn, *insns, *jump; |
1445 | rtx_code_label *top_label; | |
1446 | rtx end, addr, tmp; | |
aeb7e7c1 | 1447 | |
e8094475 | 1448 | gcc_assert ((len & 3) == 0); |
aeb7e7c1 JJ |
1449 | start_sequence (); |
1450 | clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL); | |
1451 | insns = get_insns (); | |
1452 | end_sequence (); | |
1453 | for (insn = insns; insn; insn = NEXT_INSN (insn)) | |
1454 | if (CALL_P (insn)) | |
1455 | break; | |
1456 | if (insn == NULL_RTX) | |
1457 | { | |
1458 | emit_insn (insns); | |
1459 | return; | |
1460 | } | |
1461 | ||
aeb7e7c1 | 1462 | top_label = gen_label_rtx (); |
57d4d653 | 1463 | addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0)); |
aeb7e7c1 JJ |
1464 | shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0); |
1465 | end = force_reg (Pmode, plus_constant (Pmode, addr, len)); | |
1466 | emit_label (top_label); | |
1467 | ||
1468 | emit_move_insn (shadow_mem, const0_rtx); | |
2f1cd2eb | 1469 | tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr, |
c62ccb9a | 1470 | true, OPTAB_LIB_WIDEN); |
aeb7e7c1 JJ |
1471 | if (tmp != addr) |
1472 | emit_move_insn (addr, tmp); | |
1473 | emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label); | |
1474 | jump = get_last_insn (); | |
1475 | gcc_assert (JUMP_P (jump)); | |
5fa396ad JH |
1476 | add_reg_br_prob_note (jump, |
1477 | profile_probability::guessed_always () | |
1478 | .apply_scale (80, 100)); | |
aeb7e7c1 JJ |
1479 | } |
1480 | ||
ef1b3fda KS |
1481 | void |
1482 | asan_function_start (void) | |
1483 | { | |
1484 | section *fnsec = function_section (current_function_decl); | |
1485 | switch_to_section (fnsec); | |
1486 | ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC", | |
c62ccb9a | 1487 | current_function_funcdef_no); |
ef1b3fda KS |
1488 | } |
1489 | ||
6dc4a604 ML |
1490 | /* Return number of shadow bytes that are occupied by a local variable |
1491 | of SIZE bytes. */ | |
1492 | ||
1493 | static unsigned HOST_WIDE_INT | |
1494 | shadow_mem_size (unsigned HOST_WIDE_INT size) | |
1495 | { | |
aa5bfa8d ML |
1496 | /* It must be possible to align stack variables to granularity |
1497 | of shadow memory. */ | |
1498 | gcc_assert (BITS_PER_UNIT | |
1499 | * ASAN_SHADOW_GRANULARITY <= MAX_SUPPORTED_STACK_ALIGNMENT); | |
1500 | ||
6dc4a604 ML |
1501 | return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY; |
1502 | } | |
1503 | ||
6e644a50 ML |
1504 | /* Always emit 4 bytes at a time. */ |
1505 | #define RZ_BUFFER_SIZE 4 | |
1506 | ||
1507 | /* ASAN redzone buffer container that handles emission of shadow bytes. */ | |
6c1dae73 | 1508 | class asan_redzone_buffer |
6e644a50 | 1509 | { |
6c1dae73 | 1510 | public: |
6e644a50 ML |
1511 | /* Constructor. */ |
1512 | asan_redzone_buffer (rtx shadow_mem, HOST_WIDE_INT prev_offset): | |
1513 | m_shadow_mem (shadow_mem), m_prev_offset (prev_offset), | |
1514 | m_original_offset (prev_offset), m_shadow_bytes (RZ_BUFFER_SIZE) | |
1515 | {} | |
1516 | ||
1517 | /* Emit VALUE shadow byte at a given OFFSET. */ | |
1518 | void emit_redzone_byte (HOST_WIDE_INT offset, unsigned char value); | |
1519 | ||
1520 | /* Emit RTX emission of the content of the buffer. */ | |
1521 | void flush_redzone_payload (void); | |
1522 | ||
1523 | private: | |
1524 | /* Flush if the content of the buffer is full | |
1525 | (equal to RZ_BUFFER_SIZE). */ | |
1526 | void flush_if_full (void); | |
1527 | ||
1528 | /* Memory where we last emitted a redzone payload. */ | |
1529 | rtx m_shadow_mem; | |
1530 | ||
1531 | /* Relative offset where we last emitted a redzone payload. */ | |
1532 | HOST_WIDE_INT m_prev_offset; | |
1533 | ||
1534 | /* Relative original offset. Used for checking only. */ | |
1535 | HOST_WIDE_INT m_original_offset; | |
1536 | ||
1537 | public: | |
1538 | /* Buffer with redzone payload. */ | |
1539 | auto_vec<unsigned char> m_shadow_bytes; | |
1540 | }; | |
1541 | ||
1542 | /* Emit VALUE shadow byte at a given OFFSET. */ | |
1543 | ||
1544 | void | |
1545 | asan_redzone_buffer::emit_redzone_byte (HOST_WIDE_INT offset, | |
1546 | unsigned char value) | |
1547 | { | |
1548 | gcc_assert ((offset & (ASAN_SHADOW_GRANULARITY - 1)) == 0); | |
1549 | gcc_assert (offset >= m_prev_offset); | |
1550 | ||
1551 | HOST_WIDE_INT off | |
1552 | = m_prev_offset + ASAN_SHADOW_GRANULARITY * m_shadow_bytes.length (); | |
1553 | if (off == offset) | |
9715f10c JJ |
1554 | /* Consecutive shadow memory byte. */; |
1555 | else if (offset < m_prev_offset + (HOST_WIDE_INT) (ASAN_SHADOW_GRANULARITY | |
1556 | * RZ_BUFFER_SIZE) | |
1557 | && !m_shadow_bytes.is_empty ()) | |
6e644a50 | 1558 | { |
9715f10c JJ |
1559 | /* Shadow memory byte with a small gap. */ |
1560 | for (; off < offset; off += ASAN_SHADOW_GRANULARITY) | |
1561 | m_shadow_bytes.safe_push (0); | |
6e644a50 ML |
1562 | } |
1563 | else | |
1564 | { | |
1565 | if (!m_shadow_bytes.is_empty ()) | |
1566 | flush_redzone_payload (); | |
1567 | ||
1568 | /* Maybe start earlier in order to use aligned store. */ | |
1569 | HOST_WIDE_INT align = (offset - m_prev_offset) % ASAN_RED_ZONE_SIZE; | |
1570 | if (align) | |
1571 | { | |
1572 | offset -= align; | |
1573 | for (unsigned i = 0; i < align / BITS_PER_UNIT; i++) | |
1574 | m_shadow_bytes.safe_push (0); | |
1575 | } | |
1576 | ||
1577 | /* Adjust m_prev_offset and m_shadow_mem. */ | |
1578 | HOST_WIDE_INT diff = offset - m_prev_offset; | |
1579 | m_shadow_mem = adjust_address (m_shadow_mem, VOIDmode, | |
1580 | diff >> ASAN_SHADOW_SHIFT); | |
1581 | m_prev_offset = offset; | |
6e644a50 | 1582 | } |
9715f10c JJ |
1583 | m_shadow_bytes.safe_push (value); |
1584 | flush_if_full (); | |
6e644a50 ML |
1585 | } |
1586 | ||
1587 | /* Emit RTX emission of the content of the buffer. */ | |
1588 | ||
1589 | void | |
1590 | asan_redzone_buffer::flush_redzone_payload (void) | |
1591 | { | |
1592 | gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN); | |
1593 | ||
1594 | if (m_shadow_bytes.is_empty ()) | |
1595 | return; | |
1596 | ||
1597 | /* Be sure we always emit to an aligned address. */ | |
1598 | gcc_assert (((m_prev_offset - m_original_offset) | |
1599 | & (ASAN_RED_ZONE_SIZE - 1)) == 0); | |
1600 | ||
1601 | /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */ | |
1602 | unsigned l = m_shadow_bytes.length (); | |
1603 | for (unsigned i = 0; i <= RZ_BUFFER_SIZE - l; i++) | |
1604 | m_shadow_bytes.safe_push (0); | |
1605 | ||
1606 | if (dump_file && (dump_flags & TDF_DETAILS)) | |
1607 | fprintf (dump_file, | |
1608 | "Flushing rzbuffer at offset %" PRId64 " with: ", m_prev_offset); | |
1609 | ||
1610 | unsigned HOST_WIDE_INT val = 0; | |
1611 | for (unsigned i = 0; i < RZ_BUFFER_SIZE; i++) | |
1612 | { | |
1613 | unsigned char v | |
a5b25661 | 1614 | = m_shadow_bytes[BYTES_BIG_ENDIAN ? RZ_BUFFER_SIZE - i - 1 : i]; |
6e644a50 ML |
1615 | val |= (unsigned HOST_WIDE_INT)v << (BITS_PER_UNIT * i); |
1616 | if (dump_file && (dump_flags & TDF_DETAILS)) | |
1617 | fprintf (dump_file, "%02x ", v); | |
1618 | } | |
1619 | ||
1620 | if (dump_file && (dump_flags & TDF_DETAILS)) | |
1621 | fprintf (dump_file, "\n"); | |
1622 | ||
1623 | rtx c = gen_int_mode (val, SImode); | |
1624 | m_shadow_mem = adjust_address (m_shadow_mem, SImode, 0); | |
1625 | emit_move_insn (m_shadow_mem, c); | |
1626 | m_shadow_bytes.truncate (0); | |
1627 | } | |
1628 | ||
1629 | /* Flush if the content of the buffer is full | |
1630 | (equal to RZ_BUFFER_SIZE). */ | |
1631 | ||
1632 | void | |
1633 | asan_redzone_buffer::flush_if_full (void) | |
1634 | { | |
1635 | if (m_shadow_bytes.length () == RZ_BUFFER_SIZE) | |
1636 | flush_redzone_payload (); | |
1637 | } | |
1638 | ||
93a73251 MM |
1639 | |
1640 | /* HWAddressSanitizer (hwasan) is a probabilistic method for detecting | |
1641 | out-of-bounds and use-after-free bugs. | |
1642 | Read more: | |
1643 | http://code.google.com/p/address-sanitizer/ | |
1644 | ||
1645 | Similar to AddressSanitizer (asan) it consists of two parts: the | |
1646 | instrumentation module in this file, and a run-time library. | |
1647 | ||
1648 | The instrumentation module adds a run-time check before every memory insn in | |
1649 | the same manner as asan (see the block comment for AddressSanitizer above). | |
1650 | Currently, hwasan only adds out-of-line instrumentation, where each check is | |
1651 | implemented as a function call to the run-time library. Hence a check for a | |
1652 | load of N bytes from address X would be implemented with a function call to | |
1653 | __hwasan_loadN(X), and checking a store of N bytes from address X would be | |
1654 | implemented with a function call to __hwasan_storeN(X). | |
1655 | ||
1656 | The main difference between hwasan and asan is in the information stored to | |
1657 | help this checking. Both sanitizers use a shadow memory area which stores | |
1658 | data recording the state of main memory at a corresponding address. | |
1659 | ||
1660 | For hwasan, each 16 byte granule in main memory has a corresponding 1 byte | |
1661 | in shadow memory. This shadow address can be calculated with equation: | |
1662 | (addr >> log_2(HWASAN_TAG_GRANULE_SIZE)) | |
1663 | + __hwasan_shadow_memory_dynamic_address; | |
1664 | The conversion between real and shadow memory for asan is given in the block | |
1665 | comment at the top of this file. | |
1666 | The description of how this shadow memory is laid out for asan is in the | |
1667 | block comment at the top of this file, here we describe how this shadow | |
1668 | memory is used for hwasan. | |
1669 | ||
1670 | For hwasan, each variable is assigned a byte-sized 'tag'. The extent of | |
1671 | the shadow memory for that variable is filled with the assigned tag, and | |
1672 | every pointer referencing that variable has its top byte set to the same | |
1673 | tag. The run-time library redefines malloc so that every allocation returns | |
1674 | a tagged pointer and tags the corresponding shadow memory with the same tag. | |
1675 | ||
1676 | On each pointer dereference the tag found in the pointer is compared to the | |
1677 | tag found in the shadow memory corresponding to the accessed memory address. | |
1678 | If these tags are found to differ then this memory access is judged to be | |
1679 | invalid and a report is generated. | |
1680 | ||
1681 | This method of bug detection is not perfect -- it can not catch every bad | |
1682 | access -- but catches them probabilistically instead. There is always the | |
1683 | possibility that an invalid memory access will happen to access memory | |
1684 | tagged with the same tag as the pointer that this access used. | |
1685 | The chances of this are approx. 0.4% for any two uncorrelated objects. | |
1686 | ||
1687 | Random tag generation can mitigate this problem by decreasing the | |
1688 | probability that an invalid access will be missed in the same manner over | |
1689 | multiple runs. i.e. if two objects are tagged the same in one run of the | |
1690 | binary they are unlikely to be tagged the same in the next run. | |
1691 | Both heap and stack allocated objects have random tags by default. | |
1692 | ||
1693 | [16 byte granule implications] | |
1694 | Since the shadow memory only has a resolution on real memory of 16 bytes, | |
1695 | invalid accesses that are within the same 16 byte granule as a valid | |
1696 | address will not be caught. | |
1697 | ||
1698 | There is a "short-granule" feature in the runtime library which does catch | |
1699 | such accesses, but this feature is not implemented for stack objects (since | |
1700 | stack objects are allocated and tagged by compiler instrumentation, and | |
1701 | this feature has not yet been implemented in GCC instrumentation). | |
1702 | ||
1703 | Another outcome of this 16 byte resolution is that each tagged object must | |
1704 | be 16 byte aligned. If two objects were to share any 16 byte granule in | |
1705 | memory, then they both would have to be given the same tag, and invalid | |
1706 | accesses to one using a pointer to the other would be undetectable. | |
1707 | ||
1708 | [Compiler instrumentation] | |
1709 | Compiler instrumentation ensures that two adjacent buffers on the stack are | |
1710 | given different tags, this means an access to one buffer using a pointer | |
1711 | generated from the other (e.g. through buffer overrun) will have mismatched | |
1712 | tags and be caught by hwasan. | |
1713 | ||
1714 | We don't randomly tag every object on the stack, since that would require | |
1715 | keeping many registers to record each tag. Instead we randomly generate a | |
1716 | tag for each function frame, and each new stack object uses a tag offset | |
1717 | from that frame tag. | |
1718 | i.e. each object is tagged as RFT + offset, where RFT is the "random frame | |
1719 | tag" generated for this frame. | |
1720 | This means that randomisation does not peturb the difference between tags | |
1721 | on tagged stack objects within a frame, but this is mitigated by the fact | |
1722 | that objects with the same tag within a frame are very far apart | |
1723 | (approx. 2^HWASAN_TAG_SIZE objects apart). | |
1724 | ||
1725 | As a demonstration, using the same example program as in the asan block | |
1726 | comment above: | |
1727 | ||
1728 | int | |
1729 | foo () | |
1730 | { | |
9c2f0847 | 1731 | char a[24] = {0}; |
93a73251 MM |
1732 | int b[2] = {0}; |
1733 | ||
1734 | a[5] = 1; | |
1735 | b[1] = 2; | |
1736 | ||
1737 | return a[5] + b[1]; | |
1738 | } | |
1739 | ||
1740 | On AArch64 the stack will be ordered as follows for the above function: | |
1741 | ||
1742 | Slot 1/ [24 bytes for variable 'a'] | |
1743 | Slot 2/ [8 bytes padding for alignment] | |
1744 | Slot 3/ [8 bytes for variable 'b'] | |
1745 | Slot 4/ [8 bytes padding for alignment] | |
1746 | ||
1747 | (The padding is there to ensure 16 byte alignment as described in the 16 | |
1748 | byte granule implications). | |
1749 | ||
1750 | While the shadow memory will be ordered as follows: | |
1751 | ||
1752 | - 2 bytes (representing 32 bytes in real memory) tagged with RFT + 1. | |
1753 | - 1 byte (representing 16 bytes in real memory) tagged with RFT + 2. | |
1754 | ||
1755 | And any pointer to "a" will have the tag RFT + 1, and any pointer to "b" | |
1756 | will have the tag RFT + 2. | |
1757 | ||
1758 | [Top Byte Ignore requirements] | |
1759 | Hwasan requires the ability to store an 8 bit tag in every pointer. There | |
1760 | is no instrumentation done to remove this tag from pointers before | |
1761 | dereferencing, which means the hardware must ignore this tag during memory | |
1762 | accesses. | |
1763 | ||
1764 | Architectures where this feature is available should indicate this using | |
1765 | the TARGET_MEMTAG_CAN_TAG_ADDRESSES hook. | |
1766 | ||
1767 | [Stack requires cleanup on unwinding] | |
1768 | During normal operation of a hwasan sanitized program more space in the | |
1769 | shadow memory becomes tagged as the stack grows. As the stack shrinks this | |
1770 | shadow memory space must become untagged. If it is not untagged then when | |
1771 | the stack grows again (during other function calls later on in the program) | |
1772 | objects on the stack that are usually not tagged (e.g. parameters passed on | |
1773 | the stack) can be placed in memory whose shadow space is tagged with | |
1774 | something else, and accesses can cause false positive reports. | |
1775 | ||
1776 | Hence we place untagging code on every epilogue of functions which tag some | |
1777 | stack objects. | |
1778 | ||
1779 | Moreover, the run-time library intercepts longjmp & setjmp to untag when | |
1780 | the stack is unwound this way. | |
1781 | ||
1782 | C++ exceptions are not yet handled, which means this sanitizer can not | |
1783 | handle C++ code that throws exceptions -- it will give false positives | |
1784 | after an exception has been thrown. The implementation that the hwasan | |
1785 | library has for handling these relies on the frame pointer being after any | |
1786 | local variables. This is not generally the case for GCC. */ | |
1787 | ||
1788 | ||
0854b584 MM |
1789 | /* Returns whether we are tagging pointers and checking those tags on memory |
1790 | access. */ | |
1791 | bool | |
1792 | hwasan_sanitize_p () | |
1793 | { | |
1794 | return sanitize_flags_p (SANITIZE_HWADDRESS); | |
1795 | } | |
1796 | ||
1797 | /* Are we tagging the stack? */ | |
1798 | bool | |
1799 | hwasan_sanitize_stack_p () | |
1800 | { | |
1801 | return (hwasan_sanitize_p () && param_hwasan_instrument_stack); | |
1802 | } | |
1803 | ||
1804 | /* Are we tagging alloca objects? */ | |
1805 | bool | |
1806 | hwasan_sanitize_allocas_p (void) | |
1807 | { | |
1808 | return (hwasan_sanitize_stack_p () && param_hwasan_instrument_allocas); | |
1809 | } | |
1810 | ||
93a73251 MM |
1811 | /* Should we instrument reads? */ |
1812 | bool | |
1813 | hwasan_instrument_reads (void) | |
1814 | { | |
1815 | return (hwasan_sanitize_p () && param_hwasan_instrument_reads); | |
1816 | } | |
1817 | ||
1818 | /* Should we instrument writes? */ | |
1819 | bool | |
1820 | hwasan_instrument_writes (void) | |
1821 | { | |
1822 | return (hwasan_sanitize_p () && param_hwasan_instrument_writes); | |
1823 | } | |
1824 | ||
1825 | /* Should we instrument builtin calls? */ | |
1826 | bool | |
1827 | hwasan_memintrin (void) | |
1828 | { | |
1829 | return (hwasan_sanitize_p () && param_hwasan_instrument_mem_intrinsics); | |
1830 | } | |
1831 | ||
f3ddd692 JJ |
1832 | /* Insert code to protect stack vars. The prologue sequence should be emitted |
1833 | directly, epilogue sequence returned. BASE is the register holding the | |
1834 | stack base, against which OFFSETS array offsets are relative to, OFFSETS | |
1835 | array contains pairs of offsets in reverse order, always the end offset | |
1836 | of some gap that needs protection followed by starting offset, | |
1837 | and DECLS is an array of representative decls for each var partition. | |
1838 | LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1 | |
1839 | elements long (OFFSETS include gap before the first variable as well | |
e361382f JJ |
1840 | as gaps after each stack variable). PBASE is, if non-NULL, some pseudo |
1841 | register which stack vars DECL_RTLs are based on. Either BASE should be | |
1842 | assigned to PBASE, when not doing use after return protection, or | |
1843 | corresponding address based on __asan_stack_malloc* return value. */ | |
f3ddd692 | 1844 | |
3a4abd2f | 1845 | rtx_insn * |
e361382f JJ |
1846 | asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb, |
1847 | HOST_WIDE_INT *offsets, tree *decls, int length) | |
f3ddd692 | 1848 | { |
19f8b229 TS |
1849 | rtx shadow_base, shadow_mem, ret, mem, orig_base; |
1850 | rtx_code_label *lab; | |
3a4abd2f | 1851 | rtx_insn *insns; |
47d5beb4 | 1852 | char buf[32]; |
e361382f JJ |
1853 | HOST_WIDE_INT base_offset = offsets[length - 1]; |
1854 | HOST_WIDE_INT base_align_bias = 0, offset, prev_offset; | |
1855 | HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset; | |
e8094475 | 1856 | HOST_WIDE_INT last_offset, last_size, last_size_aligned; |
f3ddd692 JJ |
1857 | int l; |
1858 | unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT; | |
ef1b3fda | 1859 | tree str_cst, decl, id; |
e361382f | 1860 | int use_after_return_class = -1; |
f3ddd692 | 1861 | |
b6330a76 JJ |
1862 | /* Don't emit anything when doing error recovery, the assertions |
1863 | might fail e.g. if a function had a frame offset overflow. */ | |
1864 | if (seen_error ()) | |
1865 | return NULL; | |
1866 | ||
94fce891 JJ |
1867 | if (shadow_ptr_types[0] == NULL_TREE) |
1868 | asan_init_shadow_ptr_types (); | |
1869 | ||
2c73950d ML |
1870 | expanded_location cfun_xloc |
1871 | = expand_location (DECL_SOURCE_LOCATION (current_function_decl)); | |
1872 | ||
f3ddd692 | 1873 | /* First of all, prepare the description string. */ |
11a877b3 | 1874 | pretty_printer asan_pp; |
da6ca2b5 | 1875 | |
8240018b JJ |
1876 | pp_decimal_int (&asan_pp, length / 2 - 1); |
1877 | pp_space (&asan_pp); | |
f3ddd692 JJ |
1878 | for (l = length - 2; l; l -= 2) |
1879 | { | |
1880 | tree decl = decls[l / 2 - 1]; | |
8240018b JJ |
1881 | pp_wide_integer (&asan_pp, offsets[l] - base_offset); |
1882 | pp_space (&asan_pp); | |
1883 | pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]); | |
1884 | pp_space (&asan_pp); | |
2c73950d ML |
1885 | |
1886 | expanded_location xloc | |
1887 | = expand_location (DECL_SOURCE_LOCATION (decl)); | |
1888 | char location[32]; | |
1889 | ||
1890 | if (xloc.file == cfun_xloc.file) | |
1891 | sprintf (location, ":%d", xloc.line); | |
1892 | else | |
1893 | location[0] = '\0'; | |
1894 | ||
f3ddd692 JJ |
1895 | if (DECL_P (decl) && DECL_NAME (decl)) |
1896 | { | |
2c73950d ML |
1897 | unsigned idlen |
1898 | = IDENTIFIER_LENGTH (DECL_NAME (decl)) + strlen (location); | |
1899 | pp_decimal_int (&asan_pp, idlen); | |
8240018b | 1900 | pp_space (&asan_pp); |
b066401f | 1901 | pp_tree_identifier (&asan_pp, DECL_NAME (decl)); |
2c73950d | 1902 | pp_string (&asan_pp, location); |
f3ddd692 JJ |
1903 | } |
1904 | else | |
8240018b | 1905 | pp_string (&asan_pp, "9 <unknown>"); |
2c73950d ML |
1906 | |
1907 | if (l > 2) | |
1908 | pp_space (&asan_pp); | |
f3ddd692 | 1909 | } |
11a877b3 | 1910 | str_cst = asan_pp_string (&asan_pp); |
f3ddd692 JJ |
1911 | |
1912 | /* Emit the prologue sequence. */ | |
b5ebc991 | 1913 | if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase |
028d4092 | 1914 | && param_asan_use_after_return) |
e361382f JJ |
1915 | { |
1916 | use_after_return_class = floor_log2 (asan_frame_size - 1) - 5; | |
1917 | /* __asan_stack_malloc_N guarantees alignment | |
c62ccb9a | 1918 | N < 6 ? (64 << N) : 4096 bytes. */ |
e361382f JJ |
1919 | if (alignb > (use_after_return_class < 6 |
1920 | ? (64U << use_after_return_class) : 4096U)) | |
1921 | use_after_return_class = -1; | |
1922 | else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1))) | |
1923 | base_align_bias = ((asan_frame_size + alignb - 1) | |
1924 | & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size; | |
1925 | } | |
362432c0 | 1926 | |
e5dcd695 LZ |
1927 | /* Align base if target is STRICT_ALIGNMENT. */ |
1928 | if (STRICT_ALIGNMENT) | |
362432c0 EB |
1929 | { |
1930 | const HOST_WIDE_INT align | |
1931 | = (GET_MODE_ALIGNMENT (SImode) / BITS_PER_UNIT) << ASAN_SHADOW_SHIFT; | |
1932 | base = expand_binop (Pmode, and_optab, base, gen_int_mode (-align, Pmode), | |
1933 | NULL_RTX, 1, OPTAB_DIRECT); | |
1934 | } | |
e5dcd695 | 1935 | |
e361382f JJ |
1936 | if (use_after_return_class == -1 && pbase) |
1937 | emit_move_insn (pbase, base); | |
e5dcd695 | 1938 | |
2f1cd2eb | 1939 | base = expand_binop (Pmode, add_optab, base, |
e361382f | 1940 | gen_int_mode (base_offset - base_align_bias, Pmode), |
f3ddd692 | 1941 | NULL_RTX, 1, OPTAB_DIRECT); |
e361382f JJ |
1942 | orig_base = NULL_RTX; |
1943 | if (use_after_return_class != -1) | |
1944 | { | |
1945 | if (asan_detect_stack_use_after_return == NULL_TREE) | |
1946 | { | |
1947 | id = get_identifier ("__asan_option_detect_stack_use_after_return"); | |
1948 | decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id, | |
1949 | integer_type_node); | |
1950 | SET_DECL_ASSEMBLER_NAME (decl, id); | |
1951 | TREE_ADDRESSABLE (decl) = 1; | |
1952 | DECL_ARTIFICIAL (decl) = 1; | |
1953 | DECL_IGNORED_P (decl) = 1; | |
1954 | DECL_EXTERNAL (decl) = 1; | |
1955 | TREE_STATIC (decl) = 1; | |
1956 | TREE_PUBLIC (decl) = 1; | |
1957 | TREE_USED (decl) = 1; | |
1958 | asan_detect_stack_use_after_return = decl; | |
1959 | } | |
1960 | orig_base = gen_reg_rtx (Pmode); | |
1961 | emit_move_insn (orig_base, base); | |
1962 | ret = expand_normal (asan_detect_stack_use_after_return); | |
1963 | lab = gen_label_rtx (); | |
e361382f | 1964 | emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX, |
357067f2 JH |
1965 | VOIDmode, 0, lab, |
1966 | profile_probability::very_likely ()); | |
e361382f JJ |
1967 | snprintf (buf, sizeof buf, "__asan_stack_malloc_%d", |
1968 | use_after_return_class); | |
1969 | ret = init_one_libfunc (buf); | |
db69559b | 1970 | ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode, |
e361382f JJ |
1971 | GEN_INT (asan_frame_size |
1972 | + base_align_bias), | |
89e302b8 MO |
1973 | TYPE_MODE (pointer_sized_int_node)); |
1974 | /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded | |
1975 | and NULL otherwise. Check RET value is NULL here and jump over the | |
1976 | BASE reassignment in this case. Otherwise, reassign BASE to RET. */ | |
89e302b8 | 1977 | emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX, |
357067f2 JH |
1978 | VOIDmode, 0, lab, |
1979 | profile_probability:: very_unlikely ()); | |
e361382f JJ |
1980 | ret = convert_memory_address (Pmode, ret); |
1981 | emit_move_insn (base, ret); | |
1982 | emit_label (lab); | |
1983 | emit_move_insn (pbase, expand_binop (Pmode, add_optab, base, | |
1984 | gen_int_mode (base_align_bias | |
1985 | - base_offset, Pmode), | |
1986 | NULL_RTX, 1, OPTAB_DIRECT)); | |
1987 | } | |
f3ddd692 | 1988 | mem = gen_rtx_MEM (ptr_mode, base); |
e361382f | 1989 | mem = adjust_address (mem, VOIDmode, base_align_bias); |
69db2d57 | 1990 | emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode)); |
f3ddd692 JJ |
1991 | mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode)); |
1992 | emit_move_insn (mem, expand_normal (str_cst)); | |
ef1b3fda KS |
1993 | mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode)); |
1994 | ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no); | |
1995 | id = get_identifier (buf); | |
1996 | decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl), | |
c62ccb9a | 1997 | VAR_DECL, id, char_type_node); |
ef1b3fda KS |
1998 | SET_DECL_ASSEMBLER_NAME (decl, id); |
1999 | TREE_ADDRESSABLE (decl) = 1; | |
2000 | TREE_READONLY (decl) = 1; | |
2001 | DECL_ARTIFICIAL (decl) = 1; | |
2002 | DECL_IGNORED_P (decl) = 1; | |
2003 | TREE_STATIC (decl) = 1; | |
2004 | TREE_PUBLIC (decl) = 0; | |
2005 | TREE_USED (decl) = 1; | |
8c8b21e4 JJ |
2006 | DECL_INITIAL (decl) = decl; |
2007 | TREE_ASM_WRITTEN (decl) = 1; | |
2008 | TREE_ASM_WRITTEN (id) = 1; | |
ef1b3fda | 2009 | emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl))); |
f3ddd692 | 2010 | shadow_base = expand_binop (Pmode, lshr_optab, base, |
abd3c800 | 2011 | gen_int_shift_amount (Pmode, ASAN_SHADOW_SHIFT), |
f3ddd692 | 2012 | NULL_RTX, 1, OPTAB_DIRECT); |
e361382f JJ |
2013 | shadow_base |
2014 | = plus_constant (Pmode, shadow_base, | |
fd960af2 | 2015 | asan_shadow_offset () |
e361382f | 2016 | + (base_align_bias >> ASAN_SHADOW_SHIFT)); |
f3ddd692 JJ |
2017 | gcc_assert (asan_shadow_set != -1 |
2018 | && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4); | |
2019 | shadow_mem = gen_rtx_MEM (SImode, shadow_base); | |
2020 | set_mem_alias_set (shadow_mem, asan_shadow_set); | |
e5dcd695 LZ |
2021 | if (STRICT_ALIGNMENT) |
2022 | set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode))); | |
f3ddd692 | 2023 | prev_offset = base_offset; |
6e644a50 ML |
2024 | |
2025 | asan_redzone_buffer rz_buffer (shadow_mem, prev_offset); | |
f3ddd692 JJ |
2026 | for (l = length; l; l -= 2) |
2027 | { | |
2028 | if (l == 2) | |
2029 | cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT; | |
2030 | offset = offsets[l - 1]; | |
6e644a50 ML |
2031 | |
2032 | bool extra_byte = (offset - base_offset) & (ASAN_SHADOW_GRANULARITY - 1); | |
2033 | /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then | |
2034 | the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0. | |
2035 | In that case we have to emit one extra byte that will describe | |
2036 | how many bytes (our of ASAN_SHADOW_GRANULARITY) can be accessed. */ | |
2037 | if (extra_byte) | |
f3ddd692 | 2038 | { |
f3ddd692 JJ |
2039 | HOST_WIDE_INT aoff |
2040 | = base_offset + ((offset - base_offset) | |
6e644a50 ML |
2041 | & ~(ASAN_SHADOW_GRANULARITY - HOST_WIDE_INT_1)); |
2042 | rz_buffer.emit_redzone_byte (aoff, offset - aoff); | |
2043 | offset = aoff + ASAN_SHADOW_GRANULARITY; | |
f3ddd692 | 2044 | } |
6e644a50 ML |
2045 | |
2046 | /* Calculate size of red zone payload. */ | |
2047 | while (offset < offsets[l - 2]) | |
f3ddd692 | 2048 | { |
6e644a50 ML |
2049 | rz_buffer.emit_redzone_byte (offset, cur_shadow_byte); |
2050 | offset += ASAN_SHADOW_GRANULARITY; | |
f3ddd692 | 2051 | } |
6e644a50 | 2052 | |
f3ddd692 JJ |
2053 | cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE; |
2054 | } | |
6e644a50 ML |
2055 | |
2056 | /* As the automatic variables are aligned to | |
2057 | ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be | |
2058 | flushed here. */ | |
2059 | gcc_assert (rz_buffer.m_shadow_bytes.is_empty ()); | |
2060 | ||
f3ddd692 JJ |
2061 | do_pending_stack_adjust (); |
2062 | ||
2063 | /* Construct epilogue sequence. */ | |
2064 | start_sequence (); | |
2065 | ||
19f8b229 | 2066 | lab = NULL; |
e361382f JJ |
2067 | if (use_after_return_class != -1) |
2068 | { | |
19f8b229 | 2069 | rtx_code_label *lab2 = gen_label_rtx (); |
e361382f | 2070 | char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET; |
e361382f | 2071 | emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX, |
357067f2 JH |
2072 | VOIDmode, 0, lab2, |
2073 | profile_probability::very_likely ()); | |
e361382f JJ |
2074 | shadow_mem = gen_rtx_MEM (BLKmode, shadow_base); |
2075 | set_mem_alias_set (shadow_mem, asan_shadow_set); | |
2076 | mem = gen_rtx_MEM (ptr_mode, base); | |
2077 | mem = adjust_address (mem, VOIDmode, base_align_bias); | |
2078 | emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode)); | |
2079 | unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT; | |
2080 | if (use_after_return_class < 5 | |
2081 | && can_store_by_pieces (sz, builtin_memset_read_str, &c, | |
2082 | BITS_PER_UNIT, true)) | |
8b6731e6 ML |
2083 | { |
2084 | /* Emit: | |
2085 | memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize); | |
2086 | **SavedFlagPtr(FakeStack, class_id) = 0 | |
2087 | */ | |
2088 | store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c, | |
2089 | BITS_PER_UNIT, true, RETURN_BEGIN); | |
2090 | ||
2091 | unsigned HOST_WIDE_INT offset | |
2092 | = (1 << (use_after_return_class + 6)); | |
2093 | offset -= GET_MODE_SIZE (ptr_mode); | |
2094 | mem = gen_rtx_MEM (ptr_mode, base); | |
2095 | mem = adjust_address (mem, ptr_mode, offset); | |
2096 | rtx addr = gen_reg_rtx (ptr_mode); | |
2097 | emit_move_insn (addr, mem); | |
8cff672c | 2098 | addr = convert_memory_address (Pmode, addr); |
8b6731e6 ML |
2099 | mem = gen_rtx_MEM (QImode, addr); |
2100 | emit_move_insn (mem, const0_rtx); | |
2101 | } | |
e361382f JJ |
2102 | else if (use_after_return_class >= 5 |
2103 | || !set_storage_via_setmem (shadow_mem, | |
2104 | GEN_INT (sz), | |
2105 | gen_int_mode (c, QImode), | |
2106 | BITS_PER_UNIT, BITS_PER_UNIT, | |
2107 | -1, sz, sz, sz)) | |
2108 | { | |
2109 | snprintf (buf, sizeof buf, "__asan_stack_free_%d", | |
2110 | use_after_return_class); | |
2111 | ret = init_one_libfunc (buf); | |
2112 | rtx addr = convert_memory_address (ptr_mode, base); | |
2113 | rtx orig_addr = convert_memory_address (ptr_mode, orig_base); | |
db69559b | 2114 | emit_library_call (ret, LCT_NORMAL, ptr_mode, addr, ptr_mode, |
e361382f JJ |
2115 | GEN_INT (asan_frame_size + base_align_bias), |
2116 | TYPE_MODE (pointer_sized_int_node), | |
2117 | orig_addr, ptr_mode); | |
2118 | } | |
2119 | lab = gen_label_rtx (); | |
2120 | emit_jump (lab); | |
2121 | emit_label (lab2); | |
2122 | } | |
2123 | ||
f3ddd692 JJ |
2124 | shadow_mem = gen_rtx_MEM (BLKmode, shadow_base); |
2125 | set_mem_alias_set (shadow_mem, asan_shadow_set); | |
e5dcd695 LZ |
2126 | |
2127 | if (STRICT_ALIGNMENT) | |
2128 | set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode))); | |
2129 | ||
7b972538 | 2130 | prev_offset = base_offset; |
f3ddd692 | 2131 | last_offset = base_offset; |
7b972538 | 2132 | last_size = 0; |
e8094475 | 2133 | last_size_aligned = 0; |
7b972538 | 2134 | for (l = length; l; l -= 2) |
f3ddd692 | 2135 | { |
7b972538 | 2136 | offset = base_offset + ((offsets[l - 1] - base_offset) |
e8094475 JJ |
2137 | & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1)); |
2138 | if (last_offset + last_size_aligned < offset) | |
f3ddd692 | 2139 | { |
7b972538 ML |
2140 | shadow_mem = adjust_address (shadow_mem, VOIDmode, |
2141 | (last_offset - prev_offset) | |
2142 | >> ASAN_SHADOW_SHIFT); | |
2143 | prev_offset = last_offset; | |
e8094475 | 2144 | asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT); |
7b972538 ML |
2145 | last_offset = offset; |
2146 | last_size = 0; | |
2147 | } | |
e8094475 JJ |
2148 | else |
2149 | last_size = offset - last_offset; | |
7b972538 | 2150 | last_size += base_offset + ((offsets[l - 2] - base_offset) |
6e644a50 | 2151 | & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1)) |
7b972538 | 2152 | - offset; |
6dc4a604 | 2153 | |
7b972538 ML |
2154 | /* Unpoison shadow memory that corresponds to a variable that is |
2155 | is subject of use-after-return sanitization. */ | |
2156 | if (l > 2) | |
2157 | { | |
2158 | decl = decls[l / 2 - 2]; | |
6dc4a604 ML |
2159 | if (asan_handled_variables != NULL |
2160 | && asan_handled_variables->contains (decl)) | |
2161 | { | |
7b972538 | 2162 | HOST_WIDE_INT size = offsets[l - 3] - offsets[l - 2]; |
6dc4a604 ML |
2163 | if (dump_file && (dump_flags & TDF_DETAILS)) |
2164 | { | |
2165 | const char *n = (DECL_NAME (decl) | |
2166 | ? IDENTIFIER_POINTER (DECL_NAME (decl)) | |
2167 | : "<unknown>"); | |
2168 | fprintf (dump_file, "Unpoisoning shadow stack for variable: " | |
7b972538 | 2169 | "%s (%" PRId64 " B)\n", n, size); |
6dc4a604 ML |
2170 | } |
2171 | ||
6e644a50 | 2172 | last_size += size & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1); |
6dc4a604 | 2173 | } |
f3ddd692 | 2174 | } |
e8094475 JJ |
2175 | last_size_aligned |
2176 | = ((last_size + (ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1)) | |
2177 | & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1)); | |
7b972538 | 2178 | } |
e8094475 | 2179 | if (last_size_aligned) |
7b972538 ML |
2180 | { |
2181 | shadow_mem = adjust_address (shadow_mem, VOIDmode, | |
2182 | (last_offset - prev_offset) | |
2183 | >> ASAN_SHADOW_SHIFT); | |
e8094475 | 2184 | asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT); |
f3ddd692 JJ |
2185 | } |
2186 | ||
6dc4a604 ML |
2187 | /* Clean-up set with instrumented stack variables. */ |
2188 | delete asan_handled_variables; | |
2189 | asan_handled_variables = NULL; | |
2190 | delete asan_used_labels; | |
2191 | asan_used_labels = NULL; | |
2192 | ||
f3ddd692 | 2193 | do_pending_stack_adjust (); |
e361382f JJ |
2194 | if (lab) |
2195 | emit_label (lab); | |
f3ddd692 | 2196 | |
3a4abd2f | 2197 | insns = get_insns (); |
f3ddd692 | 2198 | end_sequence (); |
3a4abd2f | 2199 | return insns; |
f3ddd692 JJ |
2200 | } |
2201 | ||
e3174bdf MO |
2202 | /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds |
2203 | to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE | |
2204 | indicates whether we're emitting new instructions sequence or not. */ | |
2205 | ||
2206 | rtx_insn * | |
2207 | asan_emit_allocas_unpoison (rtx top, rtx bot, rtx_insn *before) | |
2208 | { | |
2209 | if (before) | |
2210 | push_to_sequence (before); | |
2211 | else | |
2212 | start_sequence (); | |
2213 | rtx ret = init_one_libfunc ("__asan_allocas_unpoison"); | |
8f4956ca MO |
2214 | top = convert_memory_address (ptr_mode, top); |
2215 | bot = convert_memory_address (ptr_mode, bot); | |
45309d28 ML |
2216 | emit_library_call (ret, LCT_NORMAL, ptr_mode, |
2217 | top, ptr_mode, bot, ptr_mode); | |
e3174bdf MO |
2218 | |
2219 | do_pending_stack_adjust (); | |
2220 | rtx_insn *insns = get_insns (); | |
2221 | end_sequence (); | |
2222 | return insns; | |
2223 | } | |
2224 | ||
8240018b JJ |
2225 | /* Return true if DECL, a global var, might be overridden and needs |
2226 | therefore a local alias. */ | |
2227 | ||
2228 | static bool | |
2229 | asan_needs_local_alias (tree decl) | |
2230 | { | |
2231 | return DECL_WEAK (decl) || !targetm.binds_local_p (decl); | |
2232 | } | |
2233 | ||
84b0769e MO |
2234 | /* Return true if DECL, a global var, is an artificial ODR indicator symbol |
2235 | therefore doesn't need protection. */ | |
2236 | ||
2237 | static bool | |
2238 | is_odr_indicator (tree decl) | |
2239 | { | |
2240 | return (DECL_ARTIFICIAL (decl) | |
2241 | && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl))); | |
2242 | } | |
2243 | ||
8240018b JJ |
2244 | /* Return true if DECL is a VAR_DECL that should be protected |
2245 | by Address Sanitizer, by appending a red zone with protected | |
2246 | shadow memory after it and aligning it to at least | |
2247 | ASAN_RED_ZONE_SIZE bytes. */ | |
2248 | ||
2249 | bool | |
1069dc25 | 2250 | asan_protect_global (tree decl, bool ignore_decl_rtl_set_p) |
8240018b | 2251 | { |
028d4092 | 2252 | if (!param_asan_globals) |
b5ebc991 MO |
2253 | return false; |
2254 | ||
8240018b | 2255 | rtx rtl, symbol; |
8240018b | 2256 | |
94fce891 JJ |
2257 | if (TREE_CODE (decl) == STRING_CST) |
2258 | { | |
2259 | /* Instrument all STRING_CSTs except those created | |
2260 | by asan_pp_string here. */ | |
2261 | if (shadow_ptr_types[0] != NULL_TREE | |
2262 | && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE | |
2263 | && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0])) | |
2264 | return false; | |
2265 | return true; | |
2266 | } | |
8813a647 | 2267 | if (!VAR_P (decl) |
8240018b JJ |
2268 | /* TLS vars aren't statically protectable. */ |
2269 | || DECL_THREAD_LOCAL_P (decl) | |
2270 | /* Externs will be protected elsewhere. */ | |
2271 | || DECL_EXTERNAL (decl) | |
1069dc25 MO |
2272 | /* PR sanitizer/81697: For architectures that use section anchors first |
2273 | call to asan_protect_global may occur before DECL_RTL (decl) is set. | |
2274 | We should ignore DECL_RTL_SET_P then, because otherwise the first call | |
2275 | to asan_protect_global will return FALSE and the following calls on the | |
2276 | same decl after setting DECL_RTL (decl) will return TRUE and we'll end | |
2277 | up with inconsistency at runtime. */ | |
2278 | || (!DECL_RTL_SET_P (decl) && !ignore_decl_rtl_set_p) | |
8240018b JJ |
2279 | /* Comdat vars pose an ABI problem, we can't know if |
2280 | the var that is selected by the linker will have | |
2281 | padding or not. */ | |
2282 | || DECL_ONE_ONLY (decl) | |
f1d15bb9 DV |
2283 | /* Similarly for common vars. People can use -fno-common. |
2284 | Note: Linux kernel is built with -fno-common, so we do instrument | |
2285 | globals there even if it is C. */ | |
a8a6fd74 | 2286 | || (DECL_COMMON (decl) && TREE_PUBLIC (decl)) |
8240018b JJ |
2287 | /* Don't protect if using user section, often vars placed |
2288 | into user section from multiple TUs are then assumed | |
2289 | to be an array of such vars, putting padding in there | |
2290 | breaks this assumption. */ | |
f961457f | 2291 | || (DECL_SECTION_NAME (decl) != NULL |
18af8d16 YG |
2292 | && !symtab_node::get (decl)->implicit_section |
2293 | && !section_sanitized_p (DECL_SECTION_NAME (decl))) | |
7e404978 RB |
2294 | /* Don't protect variables in non-generic address-space. */ |
2295 | || !ADDR_SPACE_GENERIC_P (TYPE_ADDR_SPACE (TREE_TYPE (decl))) | |
8240018b JJ |
2296 | || DECL_SIZE (decl) == 0 |
2297 | || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT | |
36fd6408 | 2298 | || TREE_CODE (DECL_SIZE_UNIT (decl)) != INTEGER_CST |
8240018b | 2299 | || !valid_constant_size_p (DECL_SIZE_UNIT (decl)) |
21a82048 | 2300 | || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE |
84b0769e MO |
2301 | || TREE_TYPE (decl) == ubsan_get_source_location_type () |
2302 | || is_odr_indicator (decl)) | |
8240018b JJ |
2303 | return false; |
2304 | ||
1069dc25 MO |
2305 | if (!ignore_decl_rtl_set_p || DECL_RTL_SET_P (decl)) |
2306 | { | |
8240018b | 2307 | |
1069dc25 MO |
2308 | rtl = DECL_RTL (decl); |
2309 | if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF) | |
2310 | return false; | |
2311 | symbol = XEXP (rtl, 0); | |
2312 | ||
2313 | if (CONSTANT_POOL_ADDRESS_P (symbol) | |
2314 | || TREE_CONSTANT_POOL_ADDRESS_P (symbol)) | |
2315 | return false; | |
2316 | } | |
8240018b | 2317 | |
8240018b JJ |
2318 | if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl))) |
2319 | return false; | |
2320 | ||
a8b522b4 | 2321 | if (!TARGET_SUPPORTS_ALIASES && asan_needs_local_alias (decl)) |
8240018b | 2322 | return false; |
8240018b | 2323 | |
497a1c66 | 2324 | return true; |
8240018b JJ |
2325 | } |
2326 | ||
40f9f6bb JJ |
2327 | /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}. |
2328 | IS_STORE is either 1 (for a store) or 0 (for a load). */ | |
37d6f666 WM |
2329 | |
2330 | static tree | |
fed4de37 YG |
2331 | report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes, |
2332 | int *nargs) | |
37d6f666 | 2333 | { |
93a73251 MM |
2334 | gcc_assert (!hwasan_sanitize_p ()); |
2335 | ||
fed4de37 YG |
2336 | static enum built_in_function report[2][2][6] |
2337 | = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2, | |
2338 | BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8, | |
2339 | BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N }, | |
2340 | { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2, | |
2341 | BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8, | |
2342 | BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } }, | |
2343 | { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT, | |
2344 | BUILT_IN_ASAN_REPORT_LOAD2_NOABORT, | |
2345 | BUILT_IN_ASAN_REPORT_LOAD4_NOABORT, | |
2346 | BUILT_IN_ASAN_REPORT_LOAD8_NOABORT, | |
2347 | BUILT_IN_ASAN_REPORT_LOAD16_NOABORT, | |
2348 | BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT }, | |
2349 | { BUILT_IN_ASAN_REPORT_STORE1_NOABORT, | |
2350 | BUILT_IN_ASAN_REPORT_STORE2_NOABORT, | |
2351 | BUILT_IN_ASAN_REPORT_STORE4_NOABORT, | |
2352 | BUILT_IN_ASAN_REPORT_STORE8_NOABORT, | |
2353 | BUILT_IN_ASAN_REPORT_STORE16_NOABORT, | |
2354 | BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } }; | |
8946c29e YG |
2355 | if (size_in_bytes == -1) |
2356 | { | |
2357 | *nargs = 2; | |
fed4de37 | 2358 | return builtin_decl_implicit (report[recover_p][is_store][5]); |
8946c29e YG |
2359 | } |
2360 | *nargs = 1; | |
fed4de37 YG |
2361 | int size_log2 = exact_log2 (size_in_bytes); |
2362 | return builtin_decl_implicit (report[recover_p][is_store][size_log2]); | |
37d6f666 WM |
2363 | } |
2364 | ||
8946c29e YG |
2365 | /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}. |
2366 | IS_STORE is either 1 (for a store) or 0 (for a load). */ | |
2367 | ||
2368 | static tree | |
fed4de37 YG |
2369 | check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes, |
2370 | int *nargs) | |
8946c29e | 2371 | { |
fed4de37 YG |
2372 | static enum built_in_function check[2][2][6] |
2373 | = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2, | |
2374 | BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8, | |
2375 | BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN }, | |
2376 | { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2, | |
2377 | BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8, | |
2378 | BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } }, | |
2379 | { { BUILT_IN_ASAN_LOAD1_NOABORT, | |
2380 | BUILT_IN_ASAN_LOAD2_NOABORT, | |
2381 | BUILT_IN_ASAN_LOAD4_NOABORT, | |
2382 | BUILT_IN_ASAN_LOAD8_NOABORT, | |
2383 | BUILT_IN_ASAN_LOAD16_NOABORT, | |
2384 | BUILT_IN_ASAN_LOADN_NOABORT }, | |
2385 | { BUILT_IN_ASAN_STORE1_NOABORT, | |
2386 | BUILT_IN_ASAN_STORE2_NOABORT, | |
2387 | BUILT_IN_ASAN_STORE4_NOABORT, | |
2388 | BUILT_IN_ASAN_STORE8_NOABORT, | |
2389 | BUILT_IN_ASAN_STORE16_NOABORT, | |
2390 | BUILT_IN_ASAN_STOREN_NOABORT } } }; | |
8946c29e YG |
2391 | if (size_in_bytes == -1) |
2392 | { | |
2393 | *nargs = 2; | |
fed4de37 | 2394 | return builtin_decl_implicit (check[recover_p][is_store][5]); |
8946c29e YG |
2395 | } |
2396 | *nargs = 1; | |
fed4de37 YG |
2397 | int size_log2 = exact_log2 (size_in_bytes); |
2398 | return builtin_decl_implicit (check[recover_p][is_store][size_log2]); | |
8946c29e YG |
2399 | } |
2400 | ||
01452015 | 2401 | /* Split the current basic block and create a condition statement |
25ae5027 DS |
2402 | insertion point right before or after the statement pointed to by |
2403 | ITER. Return an iterator to the point at which the caller might | |
2404 | safely insert the condition statement. | |
01452015 DS |
2405 | |
2406 | THEN_BLOCK must be set to the address of an uninitialized instance | |
2407 | of basic_block. The function will then set *THEN_BLOCK to the | |
2408 | 'then block' of the condition statement to be inserted by the | |
2409 | caller. | |
2410 | ||
c4bfe8bf JJ |
2411 | If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from |
2412 | *THEN_BLOCK to *FALLTHROUGH_BLOCK. | |
2413 | ||
01452015 DS |
2414 | Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else |
2415 | block' of the condition statement to be inserted by the caller. | |
2416 | ||
2417 | Note that *FALLTHROUGH_BLOCK is a new block that contains the | |
2418 | statements starting from *ITER, and *THEN_BLOCK is a new empty | |
2419 | block. | |
2420 | ||
25ae5027 DS |
2421 | *ITER is adjusted to point to always point to the first statement |
2422 | of the basic block * FALLTHROUGH_BLOCK. That statement is the | |
2423 | same as what ITER was pointing to prior to calling this function, | |
2424 | if BEFORE_P is true; otherwise, it is its following statement. */ | |
01452015 | 2425 | |
ac0ff9f2 | 2426 | gimple_stmt_iterator |
25ae5027 DS |
2427 | create_cond_insert_point (gimple_stmt_iterator *iter, |
2428 | bool before_p, | |
2429 | bool then_more_likely_p, | |
c4bfe8bf | 2430 | bool create_then_fallthru_edge, |
25ae5027 DS |
2431 | basic_block *then_block, |
2432 | basic_block *fallthrough_block) | |
01452015 DS |
2433 | { |
2434 | gimple_stmt_iterator gsi = *iter; | |
2435 | ||
25ae5027 | 2436 | if (!gsi_end_p (gsi) && before_p) |
01452015 DS |
2437 | gsi_prev (&gsi); |
2438 | ||
2439 | basic_block cur_bb = gsi_bb (*iter); | |
2440 | ||
2441 | edge e = split_block (cur_bb, gsi_stmt (gsi)); | |
2442 | ||
2443 | /* Get a hold on the 'condition block', the 'then block' and the | |
2444 | 'else block'. */ | |
2445 | basic_block cond_bb = e->src; | |
2446 | basic_block fallthru_bb = e->dest; | |
2447 | basic_block then_bb = create_empty_bb (cond_bb); | |
a9e0d843 RB |
2448 | if (current_loops) |
2449 | { | |
2450 | add_bb_to_loop (then_bb, cond_bb->loop_father); | |
2451 | loops_state_set (LOOPS_NEED_FIXUP); | |
2452 | } | |
01452015 DS |
2453 | |
2454 | /* Set up the newly created 'then block'. */ | |
2455 | e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE); | |
e4e822ab | 2456 | profile_probability fallthrough_probability |
01452015 | 2457 | = then_more_likely_p |
e4e822ab JH |
2458 | ? profile_probability::very_unlikely () |
2459 | : profile_probability::very_likely (); | |
2460 | e->probability = fallthrough_probability.invert (); | |
e7a74006 | 2461 | then_bb->count = e->count (); |
c4bfe8bf JJ |
2462 | if (create_then_fallthru_edge) |
2463 | make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU); | |
01452015 DS |
2464 | |
2465 | /* Set up the fallthrough basic block. */ | |
2466 | e = find_edge (cond_bb, fallthru_bb); | |
2467 | e->flags = EDGE_FALSE_VALUE; | |
e4e822ab | 2468 | e->probability = fallthrough_probability; |
01452015 DS |
2469 | |
2470 | /* Update dominance info for the newly created then_bb; note that | |
2471 | fallthru_bb's dominance info has already been updated by | |
2472 | split_bock. */ | |
2473 | if (dom_info_available_p (CDI_DOMINATORS)) | |
2474 | set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb); | |
2475 | ||
2476 | *then_block = then_bb; | |
2477 | *fallthrough_block = fallthru_bb; | |
2478 | *iter = gsi_start_bb (fallthru_bb); | |
2479 | ||
2480 | return gsi_last_bb (cond_bb); | |
2481 | } | |
2482 | ||
25ae5027 DS |
2483 | /* Insert an if condition followed by a 'then block' right before the |
2484 | statement pointed to by ITER. The fallthrough block -- which is the | |
2485 | else block of the condition as well as the destination of the | |
2486 | outcoming edge of the 'then block' -- starts with the statement | |
2487 | pointed to by ITER. | |
2488 | ||
497a1c66 | 2489 | COND is the condition of the if. |
25ae5027 DS |
2490 | |
2491 | If THEN_MORE_LIKELY_P is true, the probability of the edge to the | |
2492 | 'then block' is higher than the probability of the edge to the | |
2493 | fallthrough block. | |
2494 | ||
2495 | Upon completion of the function, *THEN_BB is set to the newly | |
2496 | inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the | |
2497 | fallthrough block. | |
2498 | ||
2499 | *ITER is adjusted to still point to the same statement it was | |
2500 | pointing to initially. */ | |
2501 | ||
2502 | static void | |
538dd0b7 | 2503 | insert_if_then_before_iter (gcond *cond, |
25ae5027 DS |
2504 | gimple_stmt_iterator *iter, |
2505 | bool then_more_likely_p, | |
2506 | basic_block *then_bb, | |
2507 | basic_block *fallthrough_bb) | |
2508 | { | |
2509 | gimple_stmt_iterator cond_insert_point = | |
2510 | create_cond_insert_point (iter, | |
2511 | /*before_p=*/true, | |
2512 | then_more_likely_p, | |
c4bfe8bf | 2513 | /*create_then_fallthru_edge=*/true, |
25ae5027 DS |
2514 | then_bb, |
2515 | fallthrough_bb); | |
2516 | gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT); | |
2517 | } | |
2518 | ||
6dc4a604 ML |
2519 | /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset (). |
2520 | If RETURN_ADDRESS is set to true, return memory location instread | |
2521 | of a value in the shadow memory. */ | |
40f9f6bb JJ |
2522 | |
2523 | static tree | |
2524 | build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location, | |
6dc4a604 ML |
2525 | tree base_addr, tree shadow_ptr_type, |
2526 | bool return_address = false) | |
40f9f6bb JJ |
2527 | { |
2528 | tree t, uintptr_type = TREE_TYPE (base_addr); | |
2529 | tree shadow_type = TREE_TYPE (shadow_ptr_type); | |
355fe088 | 2530 | gimple *g; |
40f9f6bb JJ |
2531 | |
2532 | t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT); | |
0d0e4a03 JJ |
2533 | g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR, |
2534 | base_addr, t); | |
40f9f6bb JJ |
2535 | gimple_set_location (g, location); |
2536 | gsi_insert_after (gsi, g, GSI_NEW_STMT); | |
2537 | ||
fd960af2 | 2538 | t = build_int_cst (uintptr_type, asan_shadow_offset ()); |
0d0e4a03 JJ |
2539 | g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR, |
2540 | gimple_assign_lhs (g), t); | |
40f9f6bb JJ |
2541 | gimple_set_location (g, location); |
2542 | gsi_insert_after (gsi, g, GSI_NEW_STMT); | |
2543 | ||
0d0e4a03 JJ |
2544 | g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR, |
2545 | gimple_assign_lhs (g)); | |
40f9f6bb JJ |
2546 | gimple_set_location (g, location); |
2547 | gsi_insert_after (gsi, g, GSI_NEW_STMT); | |
2548 | ||
6dc4a604 ML |
2549 | if (!return_address) |
2550 | { | |
2551 | t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g), | |
2552 | build_int_cst (shadow_ptr_type, 0)); | |
2553 | g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t); | |
2554 | gimple_set_location (g, location); | |
2555 | gsi_insert_after (gsi, g, GSI_NEW_STMT); | |
2556 | } | |
2557 | ||
40f9f6bb JJ |
2558 | return gimple_assign_lhs (g); |
2559 | } | |
2560 | ||
8946c29e YG |
2561 | /* BASE can already be an SSA_NAME; in that case, do not create a |
2562 | new SSA_NAME for it. */ | |
2563 | ||
2564 | static tree | |
2565 | maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter, | |
2566 | bool before_p) | |
2567 | { | |
4e3d3e40 | 2568 | STRIP_USELESS_TYPE_CONVERSION (base); |
8946c29e YG |
2569 | if (TREE_CODE (base) == SSA_NAME) |
2570 | return base; | |
4e3d3e40 | 2571 | gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)), base); |
8946c29e YG |
2572 | gimple_set_location (g, loc); |
2573 | if (before_p) | |
2574 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
2575 | else | |
2576 | gsi_insert_after (iter, g, GSI_NEW_STMT); | |
2577 | return gimple_assign_lhs (g); | |
2578 | } | |
2579 | ||
a2f581e1 YG |
2580 | /* LEN can already have necessary size and precision; |
2581 | in that case, do not create a new variable. */ | |
2582 | ||
2583 | tree | |
2584 | maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter, | |
2585 | bool before_p) | |
2586 | { | |
2587 | if (ptrofftype_p (len)) | |
2588 | return len; | |
355fe088 | 2589 | gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), |
0d0e4a03 | 2590 | NOP_EXPR, len); |
a2f581e1 YG |
2591 | gimple_set_location (g, loc); |
2592 | if (before_p) | |
2593 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
2594 | else | |
2595 | gsi_insert_after (iter, g, GSI_NEW_STMT); | |
2596 | return gimple_assign_lhs (g); | |
2597 | } | |
2598 | ||
dc29bf1e | 2599 | /* Instrument the memory access instruction BASE. Insert new |
25ae5027 | 2600 | statements before or after ITER. |
dc29bf1e DS |
2601 | |
2602 | Note that the memory access represented by BASE can be either an | |
2603 | SSA_NAME, or a non-SSA expression. LOCATION is the source code | |
2604 | location. IS_STORE is TRUE for a store, FALSE for a load. | |
25ae5027 | 2605 | BEFORE_P is TRUE for inserting the instrumentation code before |
8946c29e YG |
2606 | ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE |
2607 | for a scalar memory access and FALSE for memory region access. | |
2608 | NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero | |
2609 | length. ALIGN tells alignment of accessed memory object. | |
2610 | ||
2611 | START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of | |
2612 | memory region have already been instrumented. | |
25ae5027 DS |
2613 | |
2614 | If BEFORE_P is TRUE, *ITER is arranged to still point to the | |
2615 | statement it was pointing to prior to calling this function, | |
2616 | otherwise, it points to the statement logically following it. */ | |
37d6f666 WM |
2617 | |
2618 | static void | |
c62ccb9a | 2619 | build_check_stmt (location_t loc, tree base, tree len, |
8946c29e | 2620 | HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter, |
c62ccb9a | 2621 | bool is_non_zero_len, bool before_p, bool is_store, |
bdea98ca | 2622 | bool is_scalar_access, unsigned int align = 0) |
37d6f666 | 2623 | { |
8946c29e | 2624 | gimple_stmt_iterator gsi = *iter; |
355fe088 | 2625 | gimple *g; |
8946c29e | 2626 | |
c62ccb9a | 2627 | gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len)); |
93a73251 | 2628 | gcc_assert (size_in_bytes == -1 || size_in_bytes >= 1); |
8946c29e | 2629 | |
c62ccb9a YG |
2630 | gsi = *iter; |
2631 | ||
2632 | base = unshare_expr (base); | |
2633 | base = maybe_create_ssa_name (loc, base, &gsi, before_p); | |
2634 | ||
8946c29e | 2635 | if (len) |
a2f581e1 YG |
2636 | { |
2637 | len = unshare_expr (len); | |
2638 | len = maybe_cast_to_ptrmode (loc, len, iter, before_p); | |
2639 | } | |
8946c29e YG |
2640 | else |
2641 | { | |
2642 | gcc_assert (size_in_bytes != -1); | |
2643 | len = build_int_cst (pointer_sized_int_node, size_in_bytes); | |
2644 | } | |
2645 | ||
2646 | if (size_in_bytes > 1) | |
b3f1051b | 2647 | { |
8946c29e YG |
2648 | if ((size_in_bytes & (size_in_bytes - 1)) != 0 |
2649 | || size_in_bytes > 16) | |
c62ccb9a | 2650 | is_scalar_access = false; |
8946c29e YG |
2651 | else if (align && align < size_in_bytes * BITS_PER_UNIT) |
2652 | { | |
2653 | /* On non-strict alignment targets, if | |
2654 | 16-byte access is just 8-byte aligned, | |
2655 | this will result in misaligned shadow | |
2656 | memory 2 byte load, but otherwise can | |
2657 | be handled using one read. */ | |
2658 | if (size_in_bytes != 16 | |
2659 | || STRICT_ALIGNMENT | |
2660 | || align < 8 * BITS_PER_UNIT) | |
c62ccb9a | 2661 | is_scalar_access = false; |
40f9f6bb | 2662 | } |
f6d98484 | 2663 | } |
37d6f666 | 2664 | |
c62ccb9a YG |
2665 | HOST_WIDE_INT flags = 0; |
2666 | if (is_store) | |
2667 | flags |= ASAN_CHECK_STORE; | |
2668 | if (is_non_zero_len) | |
2669 | flags |= ASAN_CHECK_NON_ZERO_LEN; | |
2670 | if (is_scalar_access) | |
2671 | flags |= ASAN_CHECK_SCALAR_ACCESS; | |
c62ccb9a | 2672 | |
93a73251 MM |
2673 | enum internal_fn fn = hwasan_sanitize_p () |
2674 | ? IFN_HWASAN_CHECK | |
2675 | : IFN_ASAN_CHECK; | |
2676 | ||
2677 | g = gimple_build_call_internal (fn, 4, | |
c62ccb9a | 2678 | build_int_cst (integer_type_node, flags), |
f434eb69 MZ |
2679 | base, len, |
2680 | build_int_cst (integer_type_node, | |
2681 | align / BITS_PER_UNIT)); | |
c62ccb9a YG |
2682 | gimple_set_location (g, loc); |
2683 | if (before_p) | |
2684 | gsi_insert_before (&gsi, g, GSI_SAME_STMT); | |
8946c29e YG |
2685 | else |
2686 | { | |
8946c29e | 2687 | gsi_insert_after (&gsi, g, GSI_NEW_STMT); |
c62ccb9a YG |
2688 | gsi_next (&gsi); |
2689 | *iter = gsi; | |
8946c29e | 2690 | } |
37d6f666 WM |
2691 | } |
2692 | ||
2693 | /* If T represents a memory access, add instrumentation code before ITER. | |
2694 | LOCATION is source code location. | |
25ae5027 | 2695 | IS_STORE is either TRUE (for a store) or FALSE (for a load). */ |
37d6f666 WM |
2696 | |
2697 | static void | |
2698 | instrument_derefs (gimple_stmt_iterator *iter, tree t, | |
bdcbe80c | 2699 | location_t location, bool is_store) |
37d6f666 | 2700 | { |
93a73251 | 2701 | if (is_store && !(asan_instrument_writes () || hwasan_instrument_writes ())) |
b5ebc991 | 2702 | return; |
93a73251 | 2703 | if (!is_store && !(asan_instrument_reads () || hwasan_instrument_reads ())) |
b5ebc991 MO |
2704 | return; |
2705 | ||
37d6f666 | 2706 | tree type, base; |
f6d98484 | 2707 | HOST_WIDE_INT size_in_bytes; |
c3da4956 MO |
2708 | if (location == UNKNOWN_LOCATION) |
2709 | location = EXPR_LOCATION (t); | |
37d6f666 WM |
2710 | |
2711 | type = TREE_TYPE (t); | |
37d6f666 WM |
2712 | switch (TREE_CODE (t)) |
2713 | { | |
2714 | case ARRAY_REF: | |
2715 | case COMPONENT_REF: | |
2716 | case INDIRECT_REF: | |
2717 | case MEM_REF: | |
59b36ecf | 2718 | case VAR_DECL: |
913f32a1 | 2719 | case BIT_FIELD_REF: |
37d6f666 | 2720 | break; |
59b36ecf | 2721 | /* FALLTHRU */ |
37d6f666 WM |
2722 | default: |
2723 | return; | |
2724 | } | |
f6d98484 JJ |
2725 | |
2726 | size_in_bytes = int_size_in_bytes (type); | |
40f9f6bb | 2727 | if (size_in_bytes <= 0) |
f6d98484 JJ |
2728 | return; |
2729 | ||
f37fac2b | 2730 | poly_int64 bitsize, bitpos; |
f6d98484 | 2731 | tree offset; |
ef4bddc2 | 2732 | machine_mode mode; |
ee45a32d EB |
2733 | int unsignedp, reversep, volatilep = 0; |
2734 | tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode, | |
25b75a48 | 2735 | &unsignedp, &reversep, &volatilep); |
87d1d65a YG |
2736 | |
2737 | if (TREE_CODE (t) == COMPONENT_REF | |
2738 | && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE) | |
1fe04fdc | 2739 | { |
87d1d65a YG |
2740 | tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)); |
2741 | instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr), | |
2742 | TREE_OPERAND (t, 0), repr, | |
7cd200f6 JJ |
2743 | TREE_OPERAND (t, 2)), |
2744 | location, is_store); | |
1fe04fdc JJ |
2745 | return; |
2746 | } | |
87d1d65a | 2747 | |
f37fac2b RS |
2748 | if (!multiple_p (bitpos, BITS_PER_UNIT) |
2749 | || maybe_ne (bitsize, size_in_bytes * BITS_PER_UNIT)) | |
40f9f6bb | 2750 | return; |
f6d98484 | 2751 | |
6dc61b45 ML |
2752 | if (VAR_P (inner) && DECL_HARD_REGISTER (inner)) |
2753 | return; | |
2754 | ||
f37fac2b | 2755 | poly_int64 decl_size; |
9e3bbb4a | 2756 | if ((VAR_P (inner) || TREE_CODE (inner) == RESULT_DECL) |
59b36ecf | 2757 | && offset == NULL_TREE |
59b36ecf | 2758 | && DECL_SIZE (inner) |
f37fac2b RS |
2759 | && poly_int_tree_p (DECL_SIZE (inner), &decl_size) |
2760 | && known_subrange_p (bitpos, bitsize, 0, decl_size)) | |
59b36ecf | 2761 | { |
9e3bbb4a | 2762 | if (VAR_P (inner) && DECL_THREAD_LOCAL_P (inner)) |
59b36ecf | 2763 | return; |
93a73251 MM |
2764 | /* If we're not sanitizing globals and we can tell statically that this |
2765 | access is inside a global variable, then there's no point adding | |
2766 | instrumentation to check the access. N.b. hwasan currently never | |
2767 | sanitizes globals. */ | |
2768 | if ((hwasan_sanitize_p () || !param_asan_globals) | |
2769 | && is_global_var (inner)) | |
6b98fab5 | 2770 | return; |
59b36ecf JJ |
2771 | if (!TREE_STATIC (inner)) |
2772 | { | |
2773 | /* Automatic vars in the current function will be always | |
2774 | accessible. */ | |
6dc4a604 ML |
2775 | if (decl_function_context (inner) == current_function_decl |
2776 | && (!asan_sanitize_use_after_scope () | |
2777 | || !TREE_ADDRESSABLE (inner))) | |
59b36ecf JJ |
2778 | return; |
2779 | } | |
2780 | /* Always instrument external vars, they might be dynamically | |
2781 | initialized. */ | |
2782 | else if (!DECL_EXTERNAL (inner)) | |
2783 | { | |
2784 | /* For static vars if they are known not to be dynamically | |
2785 | initialized, they will be always accessible. */ | |
9041d2e6 | 2786 | varpool_node *vnode = varpool_node::get (inner); |
59b36ecf JJ |
2787 | if (vnode && !vnode->dynamically_initialized) |
2788 | return; | |
2789 | } | |
2790 | } | |
2791 | ||
9e3bbb4a JJ |
2792 | if (DECL_P (inner) |
2793 | && decl_function_context (inner) == current_function_decl | |
2794 | && !TREE_ADDRESSABLE (inner)) | |
2795 | mark_addressable (inner); | |
2796 | ||
f6d98484 | 2797 | base = build_fold_addr_expr (t); |
bdcbe80c DS |
2798 | if (!has_mem_ref_been_instrumented (base, size_in_bytes)) |
2799 | { | |
8946c29e YG |
2800 | unsigned int align = get_object_alignment (t); |
2801 | build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter, | |
c62ccb9a | 2802 | /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true, |
8946c29e | 2803 | is_store, /*is_scalar_access*/true, align); |
bdcbe80c DS |
2804 | update_mem_ref_hash_table (base, size_in_bytes); |
2805 | update_mem_ref_hash_table (t, size_in_bytes); | |
2806 | } | |
2807 | ||
25ae5027 DS |
2808 | } |
2809 | ||
bdea98ca MO |
2810 | /* Insert a memory reference into the hash table if access length |
2811 | can be determined in compile time. */ | |
2812 | ||
2813 | static void | |
2814 | maybe_update_mem_ref_hash_table (tree base, tree len) | |
2815 | { | |
2816 | if (!POINTER_TYPE_P (TREE_TYPE (base)) | |
2817 | || !INTEGRAL_TYPE_P (TREE_TYPE (len))) | |
2818 | return; | |
2819 | ||
2820 | HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1; | |
2821 | ||
2822 | if (size_in_bytes != -1) | |
2823 | update_mem_ref_hash_table (base, size_in_bytes); | |
2824 | } | |
2825 | ||
25ae5027 DS |
2826 | /* Instrument an access to a contiguous memory region that starts at |
2827 | the address pointed to by BASE, over a length of LEN (expressed in | |
2828 | the sizeof (*BASE) bytes). ITER points to the instruction before | |
2829 | which the instrumentation instructions must be inserted. LOCATION | |
2830 | is the source location that the instrumentation instructions must | |
2831 | have. If IS_STORE is true, then the memory access is a store; | |
2832 | otherwise, it's a load. */ | |
2833 | ||
2834 | static void | |
2835 | instrument_mem_region_access (tree base, tree len, | |
2836 | gimple_stmt_iterator *iter, | |
2837 | location_t location, bool is_store) | |
2838 | { | |
c63d3b96 JJ |
2839 | if (!POINTER_TYPE_P (TREE_TYPE (base)) |
2840 | || !INTEGRAL_TYPE_P (TREE_TYPE (len)) | |
2841 | || integer_zerop (len)) | |
25ae5027 DS |
2842 | return; |
2843 | ||
8946c29e | 2844 | HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1; |
bdcbe80c | 2845 | |
bdea98ca MO |
2846 | if ((size_in_bytes == -1) |
2847 | || !has_mem_ref_been_instrumented (base, size_in_bytes)) | |
2848 | { | |
2849 | build_check_stmt (location, base, len, size_in_bytes, iter, | |
2850 | /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true, | |
2851 | is_store, /*is_scalar_access*/false, /*align*/0); | |
2852 | } | |
b41288b3 | 2853 | |
bdea98ca | 2854 | maybe_update_mem_ref_hash_table (base, len); |
b41288b3 | 2855 | *iter = gsi_for_stmt (gsi_stmt (*iter)); |
bdcbe80c | 2856 | } |
25ae5027 | 2857 | |
bdcbe80c DS |
2858 | /* Instrument the call to a built-in memory access function that is |
2859 | pointed to by the iterator ITER. | |
25ae5027 | 2860 | |
bdcbe80c DS |
2861 | Upon completion, return TRUE iff *ITER has been advanced to the |
2862 | statement following the one it was originally pointing to. */ | |
25ae5027 | 2863 | |
bdcbe80c DS |
2864 | static bool |
2865 | instrument_builtin_call (gimple_stmt_iterator *iter) | |
2866 | { | |
93a73251 | 2867 | if (!(asan_memintrin () || hwasan_memintrin ())) |
b5ebc991 MO |
2868 | return false; |
2869 | ||
bdcbe80c | 2870 | bool iter_advanced_p = false; |
538dd0b7 | 2871 | gcall *call = as_a <gcall *> (gsi_stmt (*iter)); |
25ae5027 | 2872 | |
bdcbe80c | 2873 | gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL)); |
25ae5027 | 2874 | |
bdcbe80c | 2875 | location_t loc = gimple_location (call); |
25ae5027 | 2876 | |
bdea98ca MO |
2877 | asan_mem_ref src0, src1, dest; |
2878 | asan_mem_ref_init (&src0, NULL, 1); | |
2879 | asan_mem_ref_init (&src1, NULL, 1); | |
2880 | asan_mem_ref_init (&dest, NULL, 1); | |
bdcbe80c | 2881 | |
bdea98ca MO |
2882 | tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE; |
2883 | bool src0_is_store = false, src1_is_store = false, dest_is_store = false, | |
2884 | dest_is_deref = false, intercepted_p = true; | |
bdcbe80c | 2885 | |
bdea98ca MO |
2886 | if (get_mem_refs_of_builtin_call (call, |
2887 | &src0, &src0_len, &src0_is_store, | |
2888 | &src1, &src1_len, &src1_is_store, | |
2889 | &dest, &dest_len, &dest_is_store, | |
e3174bdf | 2890 | &dest_is_deref, &intercepted_p, iter)) |
bdea98ca MO |
2891 | { |
2892 | if (dest_is_deref) | |
bdcbe80c | 2893 | { |
bdea98ca MO |
2894 | instrument_derefs (iter, dest.start, loc, dest_is_store); |
2895 | gsi_next (iter); | |
2896 | iter_advanced_p = true; | |
2897 | } | |
2898 | else if (!intercepted_p | |
2899 | && (src0_len || src1_len || dest_len)) | |
2900 | { | |
2901 | if (src0.start != NULL_TREE) | |
2902 | instrument_mem_region_access (src0.start, src0_len, | |
2903 | iter, loc, /*is_store=*/false); | |
2904 | if (src1.start != NULL_TREE) | |
2905 | instrument_mem_region_access (src1.start, src1_len, | |
2906 | iter, loc, /*is_store=*/false); | |
2907 | if (dest.start != NULL_TREE) | |
2908 | instrument_mem_region_access (dest.start, dest_len, | |
2909 | iter, loc, /*is_store=*/true); | |
2910 | ||
2911 | *iter = gsi_for_stmt (call); | |
2912 | gsi_next (iter); | |
2913 | iter_advanced_p = true; | |
2914 | } | |
2915 | else | |
2916 | { | |
2917 | if (src0.start != NULL_TREE) | |
2918 | maybe_update_mem_ref_hash_table (src0.start, src0_len); | |
2919 | if (src1.start != NULL_TREE) | |
2920 | maybe_update_mem_ref_hash_table (src1.start, src1_len); | |
2921 | if (dest.start != NULL_TREE) | |
2922 | maybe_update_mem_ref_hash_table (dest.start, dest_len); | |
bdcbe80c | 2923 | } |
25ae5027 | 2924 | } |
bdcbe80c | 2925 | return iter_advanced_p; |
25ae5027 DS |
2926 | } |
2927 | ||
2928 | /* Instrument the assignment statement ITER if it is subject to | |
bdcbe80c DS |
2929 | instrumentation. Return TRUE iff instrumentation actually |
2930 | happened. In that case, the iterator ITER is advanced to the next | |
2931 | logical expression following the one initially pointed to by ITER, | |
2932 | and the relevant memory reference that which access has been | |
2933 | instrumented is added to the memory references hash table. */ | |
25ae5027 | 2934 | |
bdcbe80c DS |
2935 | static bool |
2936 | maybe_instrument_assignment (gimple_stmt_iterator *iter) | |
25ae5027 | 2937 | { |
355fe088 | 2938 | gimple *s = gsi_stmt (*iter); |
25ae5027 DS |
2939 | |
2940 | gcc_assert (gimple_assign_single_p (s)); | |
2941 | ||
bdcbe80c DS |
2942 | tree ref_expr = NULL_TREE; |
2943 | bool is_store, is_instrumented = false; | |
2944 | ||
52f2e7e1 | 2945 | if (gimple_store_p (s)) |
bdcbe80c DS |
2946 | { |
2947 | ref_expr = gimple_assign_lhs (s); | |
2948 | is_store = true; | |
2949 | instrument_derefs (iter, ref_expr, | |
2950 | gimple_location (s), | |
2951 | is_store); | |
2952 | is_instrumented = true; | |
2953 | } | |
c1f5ce48 | 2954 | |
52f2e7e1 | 2955 | if (gimple_assign_load_p (s)) |
bdcbe80c DS |
2956 | { |
2957 | ref_expr = gimple_assign_rhs1 (s); | |
2958 | is_store = false; | |
2959 | instrument_derefs (iter, ref_expr, | |
2960 | gimple_location (s), | |
2961 | is_store); | |
2962 | is_instrumented = true; | |
2963 | } | |
2964 | ||
2965 | if (is_instrumented) | |
2966 | gsi_next (iter); | |
2967 | ||
2968 | return is_instrumented; | |
25ae5027 DS |
2969 | } |
2970 | ||
2971 | /* Instrument the function call pointed to by the iterator ITER, if it | |
2972 | is subject to instrumentation. At the moment, the only function | |
2973 | calls that are instrumented are some built-in functions that access | |
2974 | memory. Look at instrument_builtin_call to learn more. | |
2975 | ||
2976 | Upon completion return TRUE iff *ITER was advanced to the statement | |
2977 | following the one it was originally pointing to. */ | |
2978 | ||
2979 | static bool | |
2980 | maybe_instrument_call (gimple_stmt_iterator *iter) | |
2981 | { | |
355fe088 | 2982 | gimple *stmt = gsi_stmt (*iter); |
bdcbe80c DS |
2983 | bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL); |
2984 | ||
2985 | if (is_builtin && instrument_builtin_call (iter)) | |
2b2571c9 | 2986 | return true; |
bdcbe80c | 2987 | |
2b2571c9 JJ |
2988 | if (gimple_call_noreturn_p (stmt)) |
2989 | { | |
2990 | if (is_builtin) | |
2991 | { | |
2992 | tree callee = gimple_call_fndecl (stmt); | |
2993 | switch (DECL_FUNCTION_CODE (callee)) | |
2994 | { | |
2995 | case BUILT_IN_UNREACHABLE: | |
d2423144 | 2996 | case BUILT_IN_UNREACHABLE_TRAP: |
2b2571c9 JJ |
2997 | case BUILT_IN_TRAP: |
2998 | /* Don't instrument these. */ | |
2999 | return false; | |
083e891e MP |
3000 | default: |
3001 | break; | |
2b2571c9 JJ |
3002 | } |
3003 | } | |
93a73251 MM |
3004 | /* If a function does not return, then we must handle clearing up the |
3005 | shadow stack accordingly. For ASAN we can simply set the entire stack | |
3006 | to "valid" for accesses by setting the shadow space to 0 and all | |
3007 | accesses will pass checks. That means that some bad accesses may be | |
3008 | missed, but we will not report any false positives. | |
3009 | ||
3010 | This is not possible for HWASAN. Since there is no "always valid" tag | |
3011 | we can not set any space to "always valid". If we were to clear the | |
3012 | entire shadow stack then code resuming from `longjmp` or a caught | |
3013 | exception would trigger false positives when correctly accessing | |
3014 | variables on the stack. Hence we need to handle things like | |
3015 | `longjmp`, thread exit, and exceptions in a different way. These | |
3016 | problems must be handled externally to the compiler, e.g. in the | |
3017 | language runtime. */ | |
3018 | if (! hwasan_sanitize_p ()) | |
3019 | { | |
3020 | tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN); | |
3021 | gimple *g = gimple_build_call (decl, 0); | |
3022 | gimple_set_location (g, gimple_location (stmt)); | |
3023 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
3024 | } | |
2b2571c9 | 3025 | } |
7db337c2 | 3026 | |
c3da4956 | 3027 | bool instrumented = false; |
7db337c2 ML |
3028 | if (gimple_store_p (stmt)) |
3029 | { | |
3030 | tree ref_expr = gimple_call_lhs (stmt); | |
3031 | instrument_derefs (iter, ref_expr, | |
3032 | gimple_location (stmt), | |
3033 | /*is_store=*/true); | |
3034 | ||
c3da4956 | 3035 | instrumented = true; |
7db337c2 ML |
3036 | } |
3037 | ||
c3da4956 MO |
3038 | /* Walk through gimple_call arguments and check them id needed. */ |
3039 | unsigned args_num = gimple_call_num_args (stmt); | |
3040 | for (unsigned i = 0; i < args_num; ++i) | |
3041 | { | |
3042 | tree arg = gimple_call_arg (stmt, i); | |
3043 | /* If ARG is not a non-aggregate register variable, compiler in general | |
3044 | creates temporary for it and pass it as argument to gimple call. | |
3045 | But in some cases, e.g. when we pass by value a small structure that | |
3046 | fits to register, compiler can avoid extra overhead by pulling out | |
3047 | these temporaries. In this case, we should check the argument. */ | |
3048 | if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg)) | |
3049 | { | |
3050 | instrument_derefs (iter, arg, | |
3051 | gimple_location (stmt), | |
3052 | /*is_store=*/false); | |
3053 | instrumented = true; | |
3054 | } | |
3055 | } | |
3056 | if (instrumented) | |
3057 | gsi_next (iter); | |
3058 | return instrumented; | |
37d6f666 WM |
3059 | } |
3060 | ||
bdcbe80c DS |
3061 | /* Walk each instruction of all basic block and instrument those that |
3062 | represent memory references: loads, stores, or function calls. | |
3063 | In a given basic block, this function avoids instrumenting memory | |
3064 | references that have already been instrumented. */ | |
37d6f666 WM |
3065 | |
3066 | static void | |
3067 | transform_statements (void) | |
3068 | { | |
c4bfe8bf | 3069 | basic_block bb, last_bb = NULL; |
37d6f666 | 3070 | gimple_stmt_iterator i; |
8b1c6fd7 | 3071 | int saved_last_basic_block = last_basic_block_for_fn (cfun); |
37d6f666 | 3072 | |
11cd3bed | 3073 | FOR_EACH_BB_FN (bb, cfun) |
37d6f666 | 3074 | { |
c4bfe8bf | 3075 | basic_block prev_bb = bb; |
bdcbe80c | 3076 | |
37d6f666 | 3077 | if (bb->index >= saved_last_basic_block) continue; |
c4bfe8bf JJ |
3078 | |
3079 | /* Flush the mem ref hash table, if current bb doesn't have | |
3080 | exactly one predecessor, or if that predecessor (skipping | |
3081 | over asan created basic blocks) isn't the last processed | |
3082 | basic block. Thus we effectively flush on extended basic | |
3083 | block boundaries. */ | |
3084 | while (single_pred_p (prev_bb)) | |
3085 | { | |
3086 | prev_bb = single_pred (prev_bb); | |
3087 | if (prev_bb->index < saved_last_basic_block) | |
3088 | break; | |
3089 | } | |
3090 | if (prev_bb != last_bb) | |
3091 | empty_mem_ref_hash_table (); | |
3092 | last_bb = bb; | |
3093 | ||
25ae5027 | 3094 | for (i = gsi_start_bb (bb); !gsi_end_p (i);) |
497a1c66 | 3095 | { |
355fe088 | 3096 | gimple *s = gsi_stmt (i); |
25ae5027 | 3097 | |
bdcbe80c DS |
3098 | if (has_stmt_been_instrumented_p (s)) |
3099 | gsi_next (&i); | |
3100 | else if (gimple_assign_single_p (s) | |
e1e160c1 | 3101 | && !gimple_clobber_p (s) |
bdcbe80c DS |
3102 | && maybe_instrument_assignment (&i)) |
3103 | /* Nothing to do as maybe_instrument_assignment advanced | |
3104 | the iterator I. */; | |
3105 | else if (is_gimple_call (s) && maybe_instrument_call (&i)) | |
3106 | /* Nothing to do as maybe_instrument_call | |
3107 | advanced the iterator I. */; | |
3108 | else | |
25ae5027 | 3109 | { |
bdcbe80c DS |
3110 | /* No instrumentation happened. |
3111 | ||
c4bfe8bf JJ |
3112 | If the current instruction is a function call that |
3113 | might free something, let's forget about the memory | |
3114 | references that got instrumented. Otherwise we might | |
6dc4a604 ML |
3115 | miss some instrumentation opportunities. Do the same |
3116 | for a ASAN_MARK poisoning internal function. */ | |
3117 | if (is_gimple_call (s) | |
56b7aede ML |
3118 | && (!nonfreeing_call_p (s) |
3119 | || asan_mark_p (s, ASAN_MARK_POISON))) | |
bdcbe80c DS |
3120 | empty_mem_ref_hash_table (); |
3121 | ||
3122 | gsi_next (&i); | |
25ae5027 | 3123 | } |
497a1c66 | 3124 | } |
37d6f666 | 3125 | } |
bdcbe80c | 3126 | free_mem_ref_resources (); |
37d6f666 WM |
3127 | } |
3128 | ||
59b36ecf JJ |
3129 | /* Build |
3130 | __asan_before_dynamic_init (module_name) | |
3131 | or | |
3132 | __asan_after_dynamic_init () | |
3133 | call. */ | |
3134 | ||
3135 | tree | |
3136 | asan_dynamic_init_call (bool after_p) | |
3137 | { | |
185faecb JJ |
3138 | if (shadow_ptr_types[0] == NULL_TREE) |
3139 | asan_init_shadow_ptr_types (); | |
3140 | ||
59b36ecf JJ |
3141 | tree fn = builtin_decl_implicit (after_p |
3142 | ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT | |
3143 | : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT); | |
3144 | tree module_name_cst = NULL_TREE; | |
3145 | if (!after_p) | |
3146 | { | |
3147 | pretty_printer module_name_pp; | |
3148 | pp_string (&module_name_pp, main_input_filename); | |
3149 | ||
59b36ecf JJ |
3150 | module_name_cst = asan_pp_string (&module_name_pp); |
3151 | module_name_cst = fold_convert (const_ptr_type_node, | |
3152 | module_name_cst); | |
3153 | } | |
3154 | ||
3155 | return build_call_expr (fn, after_p ? 0 : 1, module_name_cst); | |
3156 | } | |
3157 | ||
8240018b JJ |
3158 | /* Build |
3159 | struct __asan_global | |
3160 | { | |
3161 | const void *__beg; | |
3162 | uptr __size; | |
3163 | uptr __size_with_redzone; | |
3164 | const void *__name; | |
ef1b3fda | 3165 | const void *__module_name; |
8240018b | 3166 | uptr __has_dynamic_init; |
866e32ad | 3167 | __asan_global_source_location *__location; |
fbdb92eb | 3168 | char *__odr_indicator; |
8240018b JJ |
3169 | } type. */ |
3170 | ||
3171 | static tree | |
3172 | asan_global_struct (void) | |
3173 | { | |
84b0769e | 3174 | static const char *field_names[] |
8240018b | 3175 | = { "__beg", "__size", "__size_with_redzone", |
84b0769e MO |
3176 | "__name", "__module_name", "__has_dynamic_init", "__location", |
3177 | "__odr_indicator" }; | |
3178 | tree fields[ARRAY_SIZE (field_names)], ret; | |
3179 | unsigned i; | |
8240018b JJ |
3180 | |
3181 | ret = make_node (RECORD_TYPE); | |
84b0769e | 3182 | for (i = 0; i < ARRAY_SIZE (field_names); i++) |
8240018b JJ |
3183 | { |
3184 | fields[i] | |
3185 | = build_decl (UNKNOWN_LOCATION, FIELD_DECL, | |
3186 | get_identifier (field_names[i]), | |
3187 | (i == 0 || i == 3) ? const_ptr_type_node | |
de5a5fa1 | 3188 | : pointer_sized_int_node); |
8240018b JJ |
3189 | DECL_CONTEXT (fields[i]) = ret; |
3190 | if (i) | |
3191 | DECL_CHAIN (fields[i - 1]) = fields[i]; | |
3192 | } | |
bebcdc67 MP |
3193 | tree type_decl = build_decl (input_location, TYPE_DECL, |
3194 | get_identifier ("__asan_global"), ret); | |
3195 | DECL_IGNORED_P (type_decl) = 1; | |
3196 | DECL_ARTIFICIAL (type_decl) = 1; | |
8240018b | 3197 | TYPE_FIELDS (ret) = fields[0]; |
bebcdc67 MP |
3198 | TYPE_NAME (ret) = type_decl; |
3199 | TYPE_STUB_DECL (ret) = type_decl; | |
73f8e9dc | 3200 | TYPE_ARTIFICIAL (ret) = 1; |
8240018b JJ |
3201 | layout_type (ret); |
3202 | return ret; | |
3203 | } | |
3204 | ||
84b0769e MO |
3205 | /* Create and return odr indicator symbol for DECL. |
3206 | TYPE is __asan_global struct type as returned by asan_global_struct. */ | |
3207 | ||
3208 | static tree | |
3209 | create_odr_indicator (tree decl, tree type) | |
3210 | { | |
3211 | char *name; | |
3212 | tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type))); | |
3213 | tree decl_name | |
3214 | = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl) | |
3215 | : DECL_NAME (decl)); | |
3216 | /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */ | |
3217 | if (decl_name == NULL_TREE) | |
3218 | return build_int_cst (uptr, 0); | |
349884d1 JJ |
3219 | const char *dname = IDENTIFIER_POINTER (decl_name); |
3220 | if (HAS_DECL_ASSEMBLER_NAME_P (decl)) | |
3221 | dname = targetm.strip_name_encoding (dname); | |
3222 | size_t len = strlen (dname) + sizeof ("__odr_asan_"); | |
84b0769e | 3223 | name = XALLOCAVEC (char, len); |
349884d1 | 3224 | snprintf (name, len, "__odr_asan_%s", dname); |
84b0769e MO |
3225 | #ifndef NO_DOT_IN_LABEL |
3226 | name[sizeof ("__odr_asan") - 1] = '.'; | |
3227 | #elif !defined(NO_DOLLAR_IN_LABEL) | |
3228 | name[sizeof ("__odr_asan") - 1] = '$'; | |
3229 | #endif | |
3230 | tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name), | |
3231 | char_type_node); | |
3232 | TREE_ADDRESSABLE (var) = 1; | |
3233 | TREE_READONLY (var) = 0; | |
3234 | TREE_THIS_VOLATILE (var) = 1; | |
84b0769e MO |
3235 | DECL_ARTIFICIAL (var) = 1; |
3236 | DECL_IGNORED_P (var) = 1; | |
3237 | TREE_STATIC (var) = 1; | |
3238 | TREE_PUBLIC (var) = 1; | |
3239 | DECL_VISIBILITY (var) = DECL_VISIBILITY (decl); | |
3240 | DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl); | |
3241 | ||
3242 | TREE_USED (var) = 1; | |
3243 | tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE, | |
3244 | build_int_cst (unsigned_type_node, 0)); | |
3245 | TREE_CONSTANT (ctor) = 1; | |
3246 | TREE_STATIC (ctor) = 1; | |
3247 | DECL_INITIAL (var) = ctor; | |
3248 | DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"), | |
3249 | NULL, DECL_ATTRIBUTES (var)); | |
3250 | make_decl_rtl (var); | |
3251 | varpool_node::finalize_decl (var); | |
3252 | return fold_convert (uptr, build_fold_addr_expr (var)); | |
3253 | } | |
3254 | ||
3255 | /* Return true if DECL, a global var, might be overridden and needs | |
3256 | an additional odr indicator symbol. */ | |
3257 | ||
3258 | static bool | |
3259 | asan_needs_odr_indicator_p (tree decl) | |
3260 | { | |
0acd830b MO |
3261 | /* Don't emit ODR indicators for kernel because: |
3262 | a) Kernel is written in C thus doesn't need ODR indicators. | |
3263 | b) Some kernel code may have assumptions about symbols containing specific | |
3264 | patterns in their names. Since ODR indicators contain original names | |
3265 | of symbols they are emitted for, these assumptions would be broken for | |
3266 | ODR indicator symbols. */ | |
3267 | return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS) | |
3268 | && !DECL_ARTIFICIAL (decl) | |
3269 | && !DECL_WEAK (decl) | |
3270 | && TREE_PUBLIC (decl)); | |
84b0769e MO |
3271 | } |
3272 | ||
8240018b JJ |
3273 | /* Append description of a single global DECL into vector V. |
3274 | TYPE is __asan_global struct type as returned by asan_global_struct. */ | |
3275 | ||
3276 | static void | |
9771b263 | 3277 | asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v) |
8240018b JJ |
3278 | { |
3279 | tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type))); | |
3280 | unsigned HOST_WIDE_INT size; | |
ef1b3fda | 3281 | tree str_cst, module_name_cst, refdecl = decl; |
9771b263 | 3282 | vec<constructor_elt, va_gc> *vinner = NULL; |
8240018b | 3283 | |
ef1b3fda | 3284 | pretty_printer asan_pp, module_name_pp; |
8240018b | 3285 | |
8240018b | 3286 | if (DECL_NAME (decl)) |
b066401f | 3287 | pp_tree_identifier (&asan_pp, DECL_NAME (decl)); |
8240018b JJ |
3288 | else |
3289 | pp_string (&asan_pp, "<unknown>"); | |
11a877b3 | 3290 | str_cst = asan_pp_string (&asan_pp); |
8240018b | 3291 | |
94c9b1bb ML |
3292 | if (!in_lto_p) |
3293 | pp_string (&module_name_pp, main_input_filename); | |
3294 | else | |
3295 | { | |
3296 | const_tree tu = get_ultimate_context ((const_tree)decl); | |
3297 | if (tu != NULL_TREE) | |
3298 | pp_string (&module_name_pp, IDENTIFIER_POINTER (DECL_NAME (tu))); | |
3299 | else | |
3300 | pp_string (&module_name_pp, aux_base_name); | |
3301 | } | |
3302 | ||
ef1b3fda KS |
3303 | module_name_cst = asan_pp_string (&module_name_pp); |
3304 | ||
8240018b JJ |
3305 | if (asan_needs_local_alias (decl)) |
3306 | { | |
3307 | char buf[20]; | |
9771b263 | 3308 | ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1); |
8240018b JJ |
3309 | refdecl = build_decl (DECL_SOURCE_LOCATION (decl), |
3310 | VAR_DECL, get_identifier (buf), TREE_TYPE (decl)); | |
3311 | TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl); | |
3312 | TREE_READONLY (refdecl) = TREE_READONLY (decl); | |
3313 | TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl); | |
eb72dc66 | 3314 | DECL_NOT_GIMPLE_REG_P (refdecl) = DECL_NOT_GIMPLE_REG_P (decl); |
8240018b JJ |
3315 | DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl); |
3316 | DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl); | |
3317 | TREE_STATIC (refdecl) = 1; | |
3318 | TREE_PUBLIC (refdecl) = 0; | |
3319 | TREE_USED (refdecl) = 1; | |
3320 | assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl)); | |
3321 | } | |
3322 | ||
84b0769e MO |
3323 | tree odr_indicator_ptr |
3324 | = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type) | |
3325 | : build_int_cst (uptr, 0)); | |
8240018b JJ |
3326 | CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, |
3327 | fold_convert (const_ptr_type_node, | |
3328 | build_fold_addr_expr (refdecl))); | |
ae7e9ddd | 3329 | size = tree_to_uhwi (DECL_SIZE_UNIT (decl)); |
8240018b JJ |
3330 | CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size)); |
3331 | size += asan_red_zone_size (size); | |
3332 | CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size)); | |
3333 | CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, | |
3334 | fold_convert (const_ptr_type_node, str_cst)); | |
ef1b3fda KS |
3335 | CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, |
3336 | fold_convert (const_ptr_type_node, module_name_cst)); | |
9041d2e6 | 3337 | varpool_node *vnode = varpool_node::get (decl); |
f1860ba9 MO |
3338 | int has_dynamic_init = 0; |
3339 | /* FIXME: Enable initialization order fiasco detection in LTO mode once | |
3340 | proper fix for PR 79061 will be applied. */ | |
3341 | if (!in_lto_p) | |
3342 | has_dynamic_init = vnode ? vnode->dynamically_initialized : 0; | |
59b36ecf JJ |
3343 | CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, |
3344 | build_int_cst (uptr, has_dynamic_init)); | |
21a82048 JJ |
3345 | tree locptr = NULL_TREE; |
3346 | location_t loc = DECL_SOURCE_LOCATION (decl); | |
3347 | expanded_location xloc = expand_location (loc); | |
3348 | if (xloc.file != NULL) | |
3349 | { | |
3350 | static int lasanloccnt = 0; | |
3351 | char buf[25]; | |
3352 | ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt); | |
3353 | tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf), | |
3354 | ubsan_get_source_location_type ()); | |
3355 | TREE_STATIC (var) = 1; | |
3356 | TREE_PUBLIC (var) = 0; | |
3357 | DECL_ARTIFICIAL (var) = 1; | |
3358 | DECL_IGNORED_P (var) = 1; | |
3359 | pretty_printer filename_pp; | |
3360 | pp_string (&filename_pp, xloc.file); | |
3361 | tree str = asan_pp_string (&filename_pp); | |
3362 | tree ctor = build_constructor_va (TREE_TYPE (var), 3, | |
3363 | NULL_TREE, str, NULL_TREE, | |
3364 | build_int_cst (unsigned_type_node, | |
3365 | xloc.line), NULL_TREE, | |
3366 | build_int_cst (unsigned_type_node, | |
3367 | xloc.column)); | |
3368 | TREE_CONSTANT (ctor) = 1; | |
3369 | TREE_STATIC (ctor) = 1; | |
3370 | DECL_INITIAL (var) = ctor; | |
3371 | varpool_node::finalize_decl (var); | |
3372 | locptr = fold_convert (uptr, build_fold_addr_expr (var)); | |
3373 | } | |
3374 | else | |
3375 | locptr = build_int_cst (uptr, 0); | |
3376 | CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr); | |
84b0769e | 3377 | CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr); |
8240018b JJ |
3378 | init = build_constructor (type, vinner); |
3379 | CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init); | |
3380 | } | |
3381 | ||
0e668eaf JJ |
3382 | /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */ |
3383 | void | |
3384 | initialize_sanitizer_builtins (void) | |
3385 | { | |
3386 | tree decl; | |
3387 | ||
3388 | if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT)) | |
3389 | return; | |
3390 | ||
3391 | tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE); | |
3392 | tree BT_FN_VOID_PTR | |
3393 | = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE); | |
59b36ecf JJ |
3394 | tree BT_FN_VOID_CONST_PTR |
3395 | = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE); | |
b906f4ca MP |
3396 | tree BT_FN_VOID_PTR_PTR |
3397 | = build_function_type_list (void_type_node, ptr_type_node, | |
3398 | ptr_type_node, NULL_TREE); | |
de5a5fa1 MP |
3399 | tree BT_FN_VOID_PTR_PTR_PTR |
3400 | = build_function_type_list (void_type_node, ptr_type_node, | |
3401 | ptr_type_node, ptr_type_node, NULL_TREE); | |
0e668eaf JJ |
3402 | tree BT_FN_VOID_PTR_PTRMODE |
3403 | = build_function_type_list (void_type_node, ptr_type_node, | |
de5a5fa1 | 3404 | pointer_sized_int_node, NULL_TREE); |
c954bddd JJ |
3405 | tree BT_FN_VOID_INT |
3406 | = build_function_type_list (void_type_node, integer_type_node, NULL_TREE); | |
0bae64d5 MP |
3407 | tree BT_FN_SIZE_CONST_PTR_INT |
3408 | = build_function_type_list (size_type_node, const_ptr_type_node, | |
3409 | integer_type_node, NULL_TREE); | |
f6e50a7d WW |
3410 | |
3411 | tree BT_FN_VOID_UINT8_UINT8 | |
3412 | = build_function_type_list (void_type_node, unsigned_char_type_node, | |
3413 | unsigned_char_type_node, NULL_TREE); | |
3414 | tree BT_FN_VOID_UINT16_UINT16 | |
3415 | = build_function_type_list (void_type_node, uint16_type_node, | |
3416 | uint16_type_node, NULL_TREE); | |
3417 | tree BT_FN_VOID_UINT32_UINT32 | |
3418 | = build_function_type_list (void_type_node, uint32_type_node, | |
3419 | uint32_type_node, NULL_TREE); | |
3420 | tree BT_FN_VOID_UINT64_UINT64 | |
3421 | = build_function_type_list (void_type_node, uint64_type_node, | |
3422 | uint64_type_node, NULL_TREE); | |
3423 | tree BT_FN_VOID_FLOAT_FLOAT | |
3424 | = build_function_type_list (void_type_node, float_type_node, | |
3425 | float_type_node, NULL_TREE); | |
3426 | tree BT_FN_VOID_DOUBLE_DOUBLE | |
3427 | = build_function_type_list (void_type_node, double_type_node, | |
3428 | double_type_node, NULL_TREE); | |
3429 | tree BT_FN_VOID_UINT64_PTR | |
3430 | = build_function_type_list (void_type_node, uint64_type_node, | |
3431 | ptr_type_node, NULL_TREE); | |
3432 | ||
93a73251 MM |
3433 | tree BT_FN_PTR_CONST_PTR_UINT8 |
3434 | = build_function_type_list (ptr_type_node, const_ptr_type_node, | |
3435 | unsigned_char_type_node, NULL_TREE); | |
0854b584 MM |
3436 | tree BT_FN_VOID_PTR_UINT8_PTRMODE |
3437 | = build_function_type_list (void_type_node, ptr_type_node, | |
3438 | unsigned_char_type_node, | |
3439 | pointer_sized_int_node, NULL_TREE); | |
3440 | ||
c954bddd JJ |
3441 | tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5]; |
3442 | tree BT_FN_IX_CONST_VPTR_INT[5]; | |
3443 | tree BT_FN_IX_VPTR_IX_INT[5]; | |
3444 | tree BT_FN_VOID_VPTR_IX_INT[5]; | |
3445 | tree vptr | |
3446 | = build_pointer_type (build_qualified_type (void_type_node, | |
3447 | TYPE_QUAL_VOLATILE)); | |
3448 | tree cvptr | |
3449 | = build_pointer_type (build_qualified_type (void_type_node, | |
3450 | TYPE_QUAL_VOLATILE | |
3451 | |TYPE_QUAL_CONST)); | |
3452 | tree boolt | |
3453 | = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1); | |
3454 | int i; | |
3455 | for (i = 0; i < 5; i++) | |
3456 | { | |
3457 | tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1); | |
3458 | BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i] | |
3459 | = build_function_type_list (boolt, vptr, ptr_type_node, ix, | |
3460 | integer_type_node, integer_type_node, | |
3461 | NULL_TREE); | |
3462 | BT_FN_IX_CONST_VPTR_INT[i] | |
3463 | = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE); | |
3464 | BT_FN_IX_VPTR_IX_INT[i] | |
3465 | = build_function_type_list (ix, vptr, ix, integer_type_node, | |
3466 | NULL_TREE); | |
3467 | BT_FN_VOID_VPTR_IX_INT[i] | |
3468 | = build_function_type_list (void_type_node, vptr, ix, | |
3469 | integer_type_node, NULL_TREE); | |
3470 | } | |
3471 | #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0] | |
3472 | #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0] | |
3473 | #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0] | |
3474 | #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0] | |
3475 | #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1] | |
3476 | #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1] | |
3477 | #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1] | |
3478 | #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1] | |
3479 | #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2] | |
3480 | #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2] | |
3481 | #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2] | |
3482 | #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2] | |
3483 | #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3] | |
3484 | #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3] | |
3485 | #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3] | |
3486 | #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3] | |
3487 | #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4] | |
3488 | #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4] | |
3489 | #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4] | |
3490 | #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4] | |
0854b584 MM |
3491 | #undef ATTR_NOTHROW_LIST |
3492 | #define ATTR_NOTHROW_LIST ECF_NOTHROW | |
0e668eaf JJ |
3493 | #undef ATTR_NOTHROW_LEAF_LIST |
3494 | #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF | |
bc77608b JJ |
3495 | #undef ATTR_TMPURE_NOTHROW_LEAF_LIST |
3496 | #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST | |
0e668eaf JJ |
3497 | #undef ATTR_NORETURN_NOTHROW_LEAF_LIST |
3498 | #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST | |
4088b790 MP |
3499 | #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST |
3500 | #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \ | |
3501 | ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST | |
bc77608b JJ |
3502 | #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST |
3503 | #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \ | |
3504 | ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST | |
de5a5fa1 MP |
3505 | #undef ATTR_COLD_NOTHROW_LEAF_LIST |
3506 | #define ATTR_COLD_NOTHROW_LEAF_LIST \ | |
3507 | /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST | |
3508 | #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST | |
3509 | #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \ | |
3510 | /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST | |
4088b790 MP |
3511 | #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST |
3512 | #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \ | |
3513 | /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST | |
0bae64d5 MP |
3514 | #undef ATTR_PURE_NOTHROW_LEAF_LIST |
3515 | #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST | |
8f91e6e0 JJ |
3516 | #undef DEF_BUILTIN_STUB |
3517 | #define DEF_BUILTIN_STUB(ENUM, NAME) | |
67c6769b TV |
3518 | #undef DEF_SANITIZER_BUILTIN_1 |
3519 | #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \ | |
a74560eb MP |
3520 | do { \ |
3521 | decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \ | |
3522 | BUILT_IN_NORMAL, NAME, NULL_TREE); \ | |
3523 | set_call_expr_flags (decl, ATTRS); \ | |
3524 | set_builtin_decl (ENUM, decl, true); \ | |
67c6769b TV |
3525 | } while (0) |
3526 | #undef DEF_SANITIZER_BUILTIN | |
3527 | #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \ | |
3528 | DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS); | |
0e668eaf JJ |
3529 | |
3530 | #include "sanitizer.def" | |
3531 | ||
546c6210 SP |
3532 | /* -fsanitize=object-size uses __builtin_dynamic_object_size and |
3533 | __builtin_object_size, but they might not be available for e.g. Fortran at | |
3534 | this point. We use DEF_SANITIZER_BUILTIN here only as a convenience | |
3535 | macro. */ | |
3536 | if (flag_sanitize & SANITIZE_OBJECT_SIZE) | |
3537 | { | |
3538 | if (!builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE)) | |
3539 | DEF_SANITIZER_BUILTIN_1 (BUILT_IN_OBJECT_SIZE, "object_size", | |
3540 | BT_FN_SIZE_CONST_PTR_INT, | |
3541 | ATTR_PURE_NOTHROW_LEAF_LIST); | |
3542 | if (!builtin_decl_implicit_p (BUILT_IN_DYNAMIC_OBJECT_SIZE)) | |
3543 | DEF_SANITIZER_BUILTIN_1 (BUILT_IN_DYNAMIC_OBJECT_SIZE, | |
3544 | "dynamic_object_size", | |
3545 | BT_FN_SIZE_CONST_PTR_INT, | |
3546 | ATTR_PURE_NOTHROW_LEAF_LIST); | |
3547 | } | |
0bae64d5 | 3548 | |
67c6769b | 3549 | #undef DEF_SANITIZER_BUILTIN_1 |
0e668eaf | 3550 | #undef DEF_SANITIZER_BUILTIN |
8f91e6e0 | 3551 | #undef DEF_BUILTIN_STUB |
0e668eaf JJ |
3552 | } |
3553 | ||
94fce891 JJ |
3554 | /* Called via htab_traverse. Count number of emitted |
3555 | STRING_CSTs in the constant hash table. */ | |
3556 | ||
2a22f99c TS |
3557 | int |
3558 | count_string_csts (constant_descriptor_tree **slot, | |
3559 | unsigned HOST_WIDE_INT *data) | |
94fce891 | 3560 | { |
2a22f99c | 3561 | struct constant_descriptor_tree *desc = *slot; |
94fce891 JJ |
3562 | if (TREE_CODE (desc->value) == STRING_CST |
3563 | && TREE_ASM_WRITTEN (desc->value) | |
3564 | && asan_protect_global (desc->value)) | |
2a22f99c | 3565 | ++*data; |
94fce891 JJ |
3566 | return 1; |
3567 | } | |
3568 | ||
3569 | /* Helper structure to pass two parameters to | |
3570 | add_string_csts. */ | |
3571 | ||
3572 | struct asan_add_string_csts_data | |
3573 | { | |
3574 | tree type; | |
3575 | vec<constructor_elt, va_gc> *v; | |
3576 | }; | |
3577 | ||
2a22f99c | 3578 | /* Called via hash_table::traverse. Call asan_add_global |
94fce891 JJ |
3579 | on emitted STRING_CSTs from the constant hash table. */ |
3580 | ||
2a22f99c TS |
3581 | int |
3582 | add_string_csts (constant_descriptor_tree **slot, | |
3583 | asan_add_string_csts_data *aascd) | |
94fce891 | 3584 | { |
2a22f99c | 3585 | struct constant_descriptor_tree *desc = *slot; |
94fce891 JJ |
3586 | if (TREE_CODE (desc->value) == STRING_CST |
3587 | && TREE_ASM_WRITTEN (desc->value) | |
3588 | && asan_protect_global (desc->value)) | |
3589 | { | |
94fce891 JJ |
3590 | asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)), |
3591 | aascd->type, aascd->v); | |
3592 | } | |
3593 | return 1; | |
3594 | } | |
3595 | ||
8240018b JJ |
3596 | /* Needs to be GTY(()), because cgraph_build_static_cdtor may |
3597 | invoke ggc_collect. */ | |
3598 | static GTY(()) tree asan_ctor_statements; | |
3599 | ||
37d6f666 | 3600 | /* Module-level instrumentation. |
ef1b3fda | 3601 | - Insert __asan_init_vN() into the list of CTORs. |
37d6f666 WM |
3602 | - TODO: insert redzones around globals. |
3603 | */ | |
3604 | ||
3605 | void | |
3606 | asan_finish_file (void) | |
3607 | { | |
2c8326a5 | 3608 | varpool_node *vnode; |
8240018b JJ |
3609 | unsigned HOST_WIDE_INT gcount = 0; |
3610 | ||
94fce891 JJ |
3611 | if (shadow_ptr_types[0] == NULL_TREE) |
3612 | asan_init_shadow_ptr_types (); | |
3613 | /* Avoid instrumenting code in the asan ctors/dtors. | |
3614 | We don't need to insert padding after the description strings, | |
3615 | nor after .LASAN* array. */ | |
de5a5fa1 | 3616 | flag_sanitize &= ~SANITIZE_ADDRESS; |
0e668eaf | 3617 | |
f1d15bb9 DV |
3618 | /* For user-space we want asan constructors to run first. |
3619 | Linux kernel does not support priorities other than default, and the only | |
3620 | other user of constructors is coverage. So we run with the default | |
3621 | priority. */ | |
3622 | int priority = flag_sanitize & SANITIZE_USER_ADDRESS | |
3623 | ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY; | |
3624 | ||
c6d129b0 YG |
3625 | if (flag_sanitize & SANITIZE_USER_ADDRESS) |
3626 | { | |
3627 | tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT); | |
3628 | append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements); | |
89e302b8 MO |
3629 | fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK); |
3630 | append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements); | |
c6d129b0 | 3631 | } |
8240018b | 3632 | FOR_EACH_DEFINED_VARIABLE (vnode) |
67348ccc DM |
3633 | if (TREE_ASM_WRITTEN (vnode->decl) |
3634 | && asan_protect_global (vnode->decl)) | |
8240018b | 3635 | ++gcount; |
2a22f99c TS |
3636 | hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab (); |
3637 | const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts> | |
3638 | (&gcount); | |
8240018b JJ |
3639 | if (gcount) |
3640 | { | |
0e668eaf | 3641 | tree type = asan_global_struct (), var, ctor; |
8240018b | 3642 | tree dtor_statements = NULL_TREE; |
9771b263 | 3643 | vec<constructor_elt, va_gc> *v; |
8240018b JJ |
3644 | char buf[20]; |
3645 | ||
3646 | type = build_array_type_nelts (type, gcount); | |
3647 | ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0); | |
3648 | var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf), | |
3649 | type); | |
3650 | TREE_STATIC (var) = 1; | |
3651 | TREE_PUBLIC (var) = 0; | |
3652 | DECL_ARTIFICIAL (var) = 1; | |
3653 | DECL_IGNORED_P (var) = 1; | |
9771b263 | 3654 | vec_alloc (v, gcount); |
8240018b | 3655 | FOR_EACH_DEFINED_VARIABLE (vnode) |
67348ccc DM |
3656 | if (TREE_ASM_WRITTEN (vnode->decl) |
3657 | && asan_protect_global (vnode->decl)) | |
3658 | asan_add_global (vnode->decl, TREE_TYPE (type), v); | |
94fce891 JJ |
3659 | struct asan_add_string_csts_data aascd; |
3660 | aascd.type = TREE_TYPE (type); | |
3661 | aascd.v = v; | |
2a22f99c TS |
3662 | const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts> |
3663 | (&aascd); | |
8240018b JJ |
3664 | ctor = build_constructor (type, v); |
3665 | TREE_CONSTANT (ctor) = 1; | |
3666 | TREE_STATIC (ctor) = 1; | |
3667 | DECL_INITIAL (var) = ctor; | |
aa650b64 MO |
3668 | SET_DECL_ALIGN (var, MAX (DECL_ALIGN (var), |
3669 | ASAN_SHADOW_GRANULARITY * BITS_PER_UNIT)); | |
3670 | ||
9041d2e6 | 3671 | varpool_node::finalize_decl (var); |
8240018b | 3672 | |
c6d129b0 | 3673 | tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS); |
de5a5fa1 | 3674 | tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount); |
0e668eaf | 3675 | append_to_statement_list (build_call_expr (fn, 2, |
8240018b | 3676 | build_fold_addr_expr (var), |
de5a5fa1 | 3677 | gcount_tree), |
8240018b JJ |
3678 | &asan_ctor_statements); |
3679 | ||
0e668eaf JJ |
3680 | fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS); |
3681 | append_to_statement_list (build_call_expr (fn, 2, | |
8240018b | 3682 | build_fold_addr_expr (var), |
de5a5fa1 | 3683 | gcount_tree), |
8240018b | 3684 | &dtor_statements); |
f1d15bb9 | 3685 | cgraph_build_static_cdtor ('D', dtor_statements, priority); |
8240018b | 3686 | } |
c6d129b0 | 3687 | if (asan_ctor_statements) |
f1d15bb9 | 3688 | cgraph_build_static_cdtor ('I', asan_ctor_statements, priority); |
de5a5fa1 | 3689 | flag_sanitize |= SANITIZE_ADDRESS; |
f6d98484 JJ |
3690 | } |
3691 | ||
6dc4a604 ML |
3692 | /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based |
3693 | on SHADOW address. Newly added statements will be added to ITER with | |
3694 | given location LOC. We mark SIZE bytes in shadow memory, where | |
3695 | LAST_CHUNK_SIZE is greater than zero in situation where we are at the | |
3696 | end of a variable. */ | |
3697 | ||
3698 | static void | |
3699 | asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc, | |
3700 | tree shadow, | |
3701 | unsigned HOST_WIDE_INT base_addr_offset, | |
3702 | bool is_clobber, unsigned size, | |
3703 | unsigned last_chunk_size) | |
3704 | { | |
3705 | tree shadow_ptr_type; | |
3706 | ||
3707 | switch (size) | |
3708 | { | |
3709 | case 1: | |
3710 | shadow_ptr_type = shadow_ptr_types[0]; | |
3711 | break; | |
3712 | case 2: | |
3713 | shadow_ptr_type = shadow_ptr_types[1]; | |
3714 | break; | |
3715 | case 4: | |
3716 | shadow_ptr_type = shadow_ptr_types[2]; | |
3717 | break; | |
3718 | default: | |
3719 | gcc_unreachable (); | |
3720 | } | |
3721 | ||
3722 | unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0; | |
3723 | unsigned HOST_WIDE_INT val = 0; | |
47a11342 JJ |
3724 | unsigned last_pos = size; |
3725 | if (last_chunk_size && !is_clobber) | |
3726 | last_pos = BYTES_BIG_ENDIAN ? 0 : size - 1; | |
6dc4a604 ML |
3727 | for (unsigned i = 0; i < size; ++i) |
3728 | { | |
3729 | unsigned char shadow_c = c; | |
47a11342 | 3730 | if (i == last_pos) |
6dc4a604 ML |
3731 | shadow_c = last_chunk_size; |
3732 | val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i); | |
3733 | } | |
3734 | ||
3735 | /* Handle last chunk in unpoisoning. */ | |
3736 | tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val); | |
3737 | ||
3738 | tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow, | |
3739 | build_int_cst (shadow_ptr_type, base_addr_offset)); | |
3740 | ||
3741 | gimple *g = gimple_build_assign (dest, magic); | |
3742 | gimple_set_location (g, loc); | |
3743 | gsi_insert_after (iter, g, GSI_NEW_STMT); | |
3744 | } | |
3745 | ||
3746 | /* Expand the ASAN_MARK builtins. */ | |
3747 | ||
3748 | bool | |
3749 | asan_expand_mark_ifn (gimple_stmt_iterator *iter) | |
3750 | { | |
3751 | gimple *g = gsi_stmt (*iter); | |
3752 | location_t loc = gimple_location (g); | |
56b7aede ML |
3753 | HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0)); |
3754 | bool is_poison = ((asan_mark_flags)flag) == ASAN_MARK_POISON; | |
6dc4a604 ML |
3755 | |
3756 | tree base = gimple_call_arg (g, 1); | |
3757 | gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR); | |
3758 | tree decl = TREE_OPERAND (base, 0); | |
fb61d96c ML |
3759 | |
3760 | /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */ | |
3761 | if (TREE_CODE (decl) == COMPONENT_REF | |
3762 | && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0))) | |
3763 | decl = TREE_OPERAND (decl, 0); | |
3764 | ||
6dc4a604 | 3765 | gcc_checking_assert (TREE_CODE (decl) == VAR_DECL); |
7b972538 | 3766 | |
93a73251 MM |
3767 | if (hwasan_sanitize_p ()) |
3768 | { | |
3769 | gcc_assert (param_hwasan_instrument_stack); | |
3770 | gimple_seq stmts = NULL; | |
3771 | /* Here we swap ASAN_MARK calls for HWASAN_MARK. | |
3772 | This is because we are using the approach of using ASAN_MARK as a | |
3773 | synonym until here. | |
3774 | That approach means we don't yet have to duplicate all the special | |
3775 | cases for ASAN_MARK and ASAN_POISON with the exact same handling but | |
3776 | called HWASAN_MARK etc. | |
3777 | ||
3778 | N.b. __asan_poison_stack_memory (which implements ASAN_MARK for ASAN) | |
3779 | rounds the size up to its shadow memory granularity, while | |
3780 | __hwasan_tag_memory (which implements the same for HWASAN) does not. | |
3781 | Hence we emit HWASAN_MARK with an aligned size unlike ASAN_MARK. */ | |
3782 | tree len = gimple_call_arg (g, 2); | |
3783 | tree new_len = gimple_build_round_up (&stmts, loc, size_type_node, len, | |
3784 | HWASAN_TAG_GRANULE_SIZE); | |
3785 | gimple_build (&stmts, loc, CFN_HWASAN_MARK, | |
3786 | void_type_node, gimple_call_arg (g, 0), | |
3787 | base, new_len); | |
3788 | gsi_replace_with_seq (iter, stmts, true); | |
3789 | return false; | |
3790 | } | |
3791 | ||
7b972538 ML |
3792 | if (is_poison) |
3793 | { | |
3794 | if (asan_handled_variables == NULL) | |
3795 | asan_handled_variables = new hash_set<tree> (16); | |
3796 | asan_handled_variables->add (decl); | |
3797 | } | |
6dc4a604 ML |
3798 | tree len = gimple_call_arg (g, 2); |
3799 | ||
3800 | gcc_assert (tree_fits_shwi_p (len)); | |
3801 | unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len); | |
3802 | gcc_assert (size_in_bytes); | |
3803 | ||
3804 | g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), | |
3805 | NOP_EXPR, base); | |
3806 | gimple_set_location (g, loc); | |
3807 | gsi_replace (iter, g, false); | |
3808 | tree base_addr = gimple_assign_lhs (g); | |
3809 | ||
3810 | /* Generate direct emission if size_in_bytes is small. */ | |
028d4092 ML |
3811 | if (size_in_bytes |
3812 | <= (unsigned)param_use_after_scope_direct_emission_threshold) | |
6dc4a604 | 3813 | { |
c4d57632 EB |
3814 | const unsigned HOST_WIDE_INT shadow_size |
3815 | = shadow_mem_size (size_in_bytes); | |
3816 | const unsigned int shadow_align | |
3817 | = (get_pointer_alignment (base) / BITS_PER_UNIT) >> ASAN_SHADOW_SHIFT; | |
6dc4a604 ML |
3818 | |
3819 | tree shadow = build_shadow_mem_access (iter, loc, base_addr, | |
3820 | shadow_ptr_types[0], true); | |
3821 | ||
3822 | for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;) | |
3823 | { | |
3824 | unsigned size = 1; | |
c4d57632 EB |
3825 | if (shadow_size - offset >= 4 |
3826 | && (!STRICT_ALIGNMENT || shadow_align >= 4)) | |
6dc4a604 | 3827 | size = 4; |
c4d57632 EB |
3828 | else if (shadow_size - offset >= 2 |
3829 | && (!STRICT_ALIGNMENT || shadow_align >= 2)) | |
6dc4a604 ML |
3830 | size = 2; |
3831 | ||
3832 | unsigned HOST_WIDE_INT last_chunk_size = 0; | |
3833 | unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY; | |
3834 | if (s > size_in_bytes) | |
3835 | last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes); | |
3836 | ||
56b7aede | 3837 | asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison, |
6dc4a604 ML |
3838 | size, last_chunk_size); |
3839 | offset += size; | |
3840 | } | |
3841 | } | |
3842 | else | |
3843 | { | |
3844 | g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), | |
3845 | NOP_EXPR, len); | |
3846 | gimple_set_location (g, loc); | |
3847 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
3848 | tree sz_arg = gimple_assign_lhs (g); | |
3849 | ||
5594a028 ML |
3850 | tree fun |
3851 | = builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY | |
3852 | : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY); | |
6dc4a604 ML |
3853 | g = gimple_build_call (fun, 2, base_addr, sz_arg); |
3854 | gimple_set_location (g, loc); | |
3855 | gsi_insert_after (iter, g, GSI_NEW_STMT); | |
3856 | } | |
3857 | ||
3858 | return false; | |
3859 | } | |
3860 | ||
c62ccb9a YG |
3861 | /* Expand the ASAN_{LOAD,STORE} builtins. */ |
3862 | ||
06cefae9 | 3863 | bool |
c62ccb9a YG |
3864 | asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls) |
3865 | { | |
93a73251 | 3866 | gcc_assert (!hwasan_sanitize_p ()); |
355fe088 | 3867 | gimple *g = gsi_stmt (*iter); |
c62ccb9a | 3868 | location_t loc = gimple_location (g); |
b59e2a49 MO |
3869 | bool recover_p; |
3870 | if (flag_sanitize & SANITIZE_USER_ADDRESS) | |
3871 | recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0; | |
3872 | else | |
3873 | recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0; | |
fed4de37 | 3874 | |
c62ccb9a YG |
3875 | HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0)); |
3876 | gcc_assert (flags < ASAN_CHECK_LAST); | |
3877 | bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0; | |
3878 | bool is_store = (flags & ASAN_CHECK_STORE) != 0; | |
3879 | bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0; | |
c62ccb9a YG |
3880 | |
3881 | tree base = gimple_call_arg (g, 1); | |
3882 | tree len = gimple_call_arg (g, 2); | |
f434eb69 | 3883 | HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3)); |
c62ccb9a YG |
3884 | |
3885 | HOST_WIDE_INT size_in_bytes | |
3886 | = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1; | |
3887 | ||
3888 | if (use_calls) | |
3889 | { | |
3890 | /* Instrument using callbacks. */ | |
355fe088 | 3891 | gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), |
0d0e4a03 | 3892 | NOP_EXPR, base); |
c62ccb9a YG |
3893 | gimple_set_location (g, loc); |
3894 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
3895 | tree base_addr = gimple_assign_lhs (g); | |
3896 | ||
3897 | int nargs; | |
fed4de37 | 3898 | tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs); |
c62ccb9a YG |
3899 | if (nargs == 1) |
3900 | g = gimple_build_call (fun, 1, base_addr); | |
3901 | else | |
3902 | { | |
3903 | gcc_assert (nargs == 2); | |
0d0e4a03 JJ |
3904 | g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), |
3905 | NOP_EXPR, len); | |
c62ccb9a YG |
3906 | gimple_set_location (g, loc); |
3907 | gsi_insert_before (iter, g, GSI_SAME_STMT); | |
3908 | tree sz_arg = gimple_assign_lhs (g); | |
3909 | g = gimple_build_call (fun, nargs, base_addr, sz_arg); | |
3910 | } | |
3911 | gimple_set_location (g, loc); | |
3912 | gsi_replace (iter, g, false); | |
3913 | return false; | |
3914 | } | |
3915 | ||
3916 | HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes; | |
3917 | ||
c62ccb9a YG |
3918 | tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0]; |
3919 | tree shadow_type = TREE_TYPE (shadow_ptr_type); | |
3920 | ||
3921 | gimple_stmt_iterator gsi = *iter; | |
3922 | ||
3923 | if (!is_non_zero_len) | |
3924 | { | |
3925 | /* So, the length of the memory area to asan-protect is | |
3926 | non-constant. Let's guard the generated instrumentation code | |
3927 | like: | |
3928 | ||
3929 | if (len != 0) | |
3930 | { | |
3931 | //asan instrumentation code goes here. | |
3932 | } | |
3933 | // falltrough instructions, starting with *ITER. */ | |
3934 | ||
3935 | g = gimple_build_cond (NE_EXPR, | |
3936 | len, | |
3937 | build_int_cst (TREE_TYPE (len), 0), | |
3938 | NULL_TREE, NULL_TREE); | |
3939 | gimple_set_location (g, loc); | |
3940 | ||
3941 | basic_block then_bb, fallthrough_bb; | |
538dd0b7 DM |
3942 | insert_if_then_before_iter (as_a <gcond *> (g), iter, |
3943 | /*then_more_likely_p=*/true, | |
3944 | &then_bb, &fallthrough_bb); | |
c62ccb9a YG |
3945 | /* Note that fallthrough_bb starts with the statement that was |
3946 | pointed to by ITER. */ | |
3947 | ||
3948 | /* The 'then block' of the 'if (len != 0) condition is where | |
3949 | we'll generate the asan instrumentation code now. */ | |
3950 | gsi = gsi_last_bb (then_bb); | |
3951 | } | |
3952 | ||
3953 | /* Get an iterator on the point where we can add the condition | |
3954 | statement for the instrumentation. */ | |
3955 | basic_block then_bb, else_bb; | |
3956 | gsi = create_cond_insert_point (&gsi, /*before_p*/false, | |
3957 | /*then_more_likely_p=*/false, | |
fed4de37 | 3958 | /*create_then_fallthru_edge*/recover_p, |
c62ccb9a YG |
3959 | &then_bb, |
3960 | &else_bb); | |
3961 | ||
0d0e4a03 JJ |
3962 | g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), |
3963 | NOP_EXPR, base); | |
c62ccb9a YG |
3964 | gimple_set_location (g, loc); |
3965 | gsi_insert_before (&gsi, g, GSI_NEW_STMT); | |
3966 | tree base_addr = gimple_assign_lhs (g); | |
3967 | ||
3968 | tree t = NULL_TREE; | |
3969 | if (real_size_in_bytes >= 8) | |
3970 | { | |
3971 | tree shadow = build_shadow_mem_access (&gsi, loc, base_addr, | |
3972 | shadow_ptr_type); | |
3973 | t = shadow; | |
3974 | } | |
3975 | else | |
3976 | { | |
3977 | /* Slow path for 1, 2 and 4 byte accesses. */ | |
bdea98ca MO |
3978 | /* Test (shadow != 0) |
3979 | & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */ | |
3980 | tree shadow = build_shadow_mem_access (&gsi, loc, base_addr, | |
3981 | shadow_ptr_type); | |
355fe088 | 3982 | gimple *shadow_test = build_assign (NE_EXPR, shadow, 0); |
bdea98ca MO |
3983 | gimple_seq seq = NULL; |
3984 | gimple_seq_add_stmt (&seq, shadow_test); | |
3985 | /* Aligned (>= 8 bytes) can test just | |
3986 | (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known | |
3987 | to be 0. */ | |
3988 | if (align < 8) | |
c62ccb9a | 3989 | { |
bdea98ca MO |
3990 | gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, |
3991 | base_addr, 7)); | |
3992 | gimple_seq_add_stmt (&seq, | |
3993 | build_type_cast (shadow_type, | |
3994 | gimple_seq_last (seq))); | |
3995 | if (real_size_in_bytes > 1) | |
3996 | gimple_seq_add_stmt (&seq, | |
3997 | build_assign (PLUS_EXPR, | |
3998 | gimple_seq_last (seq), | |
3999 | real_size_in_bytes - 1)); | |
4000 | t = gimple_assign_lhs (gimple_seq_last_stmt (seq)); | |
c62ccb9a | 4001 | } |
bdea98ca MO |
4002 | else |
4003 | t = build_int_cst (shadow_type, real_size_in_bytes - 1); | |
4004 | gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow)); | |
4005 | gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test, | |
4006 | gimple_seq_last (seq))); | |
4007 | t = gimple_assign_lhs (gimple_seq_last (seq)); | |
4008 | gimple_seq_set_location (seq, loc); | |
4009 | gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING); | |
c62ccb9a YG |
4010 | |
4011 | /* For non-constant, misaligned or otherwise weird access sizes, | |
bdea98ca MO |
4012 | check first and last byte. */ |
4013 | if (size_in_bytes == -1) | |
c62ccb9a | 4014 | { |
0d0e4a03 JJ |
4015 | g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), |
4016 | MINUS_EXPR, len, | |
4017 | build_int_cst (pointer_sized_int_node, 1)); | |
c62ccb9a YG |
4018 | gimple_set_location (g, loc); |
4019 | gsi_insert_after (&gsi, g, GSI_NEW_STMT); | |
4020 | tree last = gimple_assign_lhs (g); | |
0d0e4a03 JJ |
4021 | g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), |
4022 | PLUS_EXPR, base_addr, last); | |
c62ccb9a YG |
4023 | gimple_set_location (g, loc); |
4024 | gsi_insert_after (&gsi, g, GSI_NEW_STMT); | |
4025 | tree base_end_addr = gimple_assign_lhs (g); | |
4026 | ||
4027 | tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr, | |
4028 | shadow_ptr_type); | |
355fe088 | 4029 | gimple *shadow_test = build_assign (NE_EXPR, shadow, 0); |
c62ccb9a YG |
4030 | gimple_seq seq = NULL; |
4031 | gimple_seq_add_stmt (&seq, shadow_test); | |
4032 | gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, | |
4033 | base_end_addr, 7)); | |
4034 | gimple_seq_add_stmt (&seq, build_type_cast (shadow_type, | |
4035 | gimple_seq_last (seq))); | |
4036 | gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, | |
4037 | gimple_seq_last (seq), | |
4038 | shadow)); | |
4039 | gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test, | |
4040 | gimple_seq_last (seq))); | |
bdea98ca MO |
4041 | gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t, |
4042 | gimple_seq_last (seq))); | |
c62ccb9a YG |
4043 | t = gimple_assign_lhs (gimple_seq_last (seq)); |
4044 | gimple_seq_set_location (seq, loc); | |
4045 | gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING); | |
4046 | } | |
4047 | } | |
4048 | ||
4049 | g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0), | |
4050 | NULL_TREE, NULL_TREE); | |
4051 | gimple_set_location (g, loc); | |
4052 | gsi_insert_after (&gsi, g, GSI_NEW_STMT); | |
4053 | ||
4054 | /* Generate call to the run-time library (e.g. __asan_report_load8). */ | |
4055 | gsi = gsi_start_bb (then_bb); | |
4056 | int nargs; | |
fed4de37 | 4057 | tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs); |
c62ccb9a YG |
4058 | g = gimple_build_call (fun, nargs, base_addr, len); |
4059 | gimple_set_location (g, loc); | |
4060 | gsi_insert_after (&gsi, g, GSI_NEW_STMT); | |
4061 | ||
4062 | gsi_remove (iter, true); | |
4063 | *iter = gsi_start_bb (else_bb); | |
4064 | ||
4065 | return true; | |
4066 | } | |
4067 | ||
c7775327 ML |
4068 | /* Create ASAN shadow variable for a VAR_DECL which has been rewritten |
4069 | into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */ | |
4070 | ||
4071 | static tree | |
4072 | create_asan_shadow_var (tree var_decl, | |
4073 | hash_map<tree, tree> &shadow_vars_mapping) | |
4074 | { | |
4075 | tree *slot = shadow_vars_mapping.get (var_decl); | |
4076 | if (slot == NULL) | |
4077 | { | |
4078 | tree shadow_var = copy_node (var_decl); | |
4079 | ||
4080 | copy_body_data id; | |
4081 | memset (&id, 0, sizeof (copy_body_data)); | |
4082 | id.src_fn = id.dst_fn = current_function_decl; | |
4083 | copy_decl_for_dup_finish (&id, var_decl, shadow_var); | |
4084 | ||
4085 | DECL_ARTIFICIAL (shadow_var) = 1; | |
4086 | DECL_IGNORED_P (shadow_var) = 1; | |
4087 | DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0; | |
4088 | gimple_add_tmp_var (shadow_var); | |
4089 | ||
4090 | shadow_vars_mapping.put (var_decl, shadow_var); | |
4091 | return shadow_var; | |
4092 | } | |
4093 | else | |
4094 | return *slot; | |
4095 | } | |
4096 | ||
f6b9f2ff ML |
4097 | /* Expand ASAN_POISON ifn. */ |
4098 | ||
c7775327 ML |
4099 | bool |
4100 | asan_expand_poison_ifn (gimple_stmt_iterator *iter, | |
4101 | bool *need_commit_edge_insert, | |
4102 | hash_map<tree, tree> &shadow_vars_mapping) | |
4103 | { | |
4104 | gimple *g = gsi_stmt (*iter); | |
4105 | tree poisoned_var = gimple_call_lhs (g); | |
a50a32aa | 4106 | if (!poisoned_var || has_zero_uses (poisoned_var)) |
c7775327 ML |
4107 | { |
4108 | gsi_remove (iter, true); | |
4109 | return true; | |
4110 | } | |
4111 | ||
a50a32aa ML |
4112 | if (SSA_NAME_VAR (poisoned_var) == NULL_TREE) |
4113 | SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var, | |
4114 | create_tmp_var (TREE_TYPE (poisoned_var))); | |
4115 | ||
f6b9f2ff ML |
4116 | tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var), |
4117 | shadow_vars_mapping); | |
c7775327 ML |
4118 | |
4119 | bool recover_p; | |
4120 | if (flag_sanitize & SANITIZE_USER_ADDRESS) | |
4121 | recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0; | |
4122 | else | |
4123 | recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0; | |
4124 | tree size = DECL_SIZE_UNIT (shadow_var); | |
4125 | gimple *poison_call | |
4126 | = gimple_build_call_internal (IFN_ASAN_MARK, 3, | |
4127 | build_int_cst (integer_type_node, | |
4128 | ASAN_MARK_POISON), | |
4129 | build_fold_addr_expr (shadow_var), size); | |
4130 | ||
f6b9f2ff | 4131 | gimple *use; |
c7775327 | 4132 | imm_use_iterator imm_iter; |
f6b9f2ff | 4133 | FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var) |
c7775327 | 4134 | { |
c7775327 ML |
4135 | if (is_gimple_debug (use)) |
4136 | continue; | |
4137 | ||
4138 | int nargs; | |
f6b9f2ff | 4139 | bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE); |
93a73251 MM |
4140 | gcall *call; |
4141 | if (hwasan_sanitize_p ()) | |
4142 | { | |
4143 | tree fun = builtin_decl_implicit (BUILT_IN_HWASAN_TAG_MISMATCH4); | |
4144 | /* NOTE: hwasan has no __hwasan_report_* functions like asan does. | |
4145 | We use __hwasan_tag_mismatch4 with arguments that tell it the | |
4146 | size of access and load to report all tag mismatches. | |
4147 | ||
4148 | The arguments to this function are: | |
4149 | Address of invalid access. | |
4150 | Bitfield containing information about the access | |
4151 | (access_info) | |
4152 | Pointer to a frame of registers | |
4153 | (for use in printing the contents of registers in a dump) | |
4154 | Not used yet -- to be used by inline instrumentation. | |
4155 | Size of access. | |
4156 | ||
4157 | The access_info bitfield encodes the following pieces of | |
4158 | information: | |
4159 | - Is this a store or load? | |
4160 | access_info & 0x10 => store | |
4161 | - Should the program continue after reporting the error? | |
4162 | access_info & 0x20 => recover | |
4163 | - What size access is this (not used here since we can always | |
4164 | pass the size in the last argument) | |
4165 | ||
4166 | if (access_info & 0xf == 0xf) | |
4167 | size is taken from last argument. | |
4168 | else | |
4169 | size == 1 << (access_info & 0xf) | |
4170 | ||
4171 | The last argument contains the size of the access iff the | |
4172 | access_info size indicator is 0xf (we always use this argument | |
4173 | rather than storing the size in the access_info bitfield). | |
4174 | ||
4175 | See the function definition `__hwasan_tag_mismatch4` in | |
4176 | libsanitizer/hwasan for the full definition. | |
4177 | */ | |
4178 | unsigned access_info = (0x20 * recover_p) | |
4179 | + (0x10 * store_p) | |
4180 | + (0xf); | |
4181 | call = gimple_build_call (fun, 4, | |
4182 | build_fold_addr_expr (shadow_var), | |
4183 | build_int_cst (pointer_sized_int_node, | |
4184 | access_info), | |
4185 | build_int_cst (pointer_sized_int_node, 0), | |
4186 | size); | |
4187 | } | |
4188 | else | |
4189 | { | |
4190 | tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size), | |
4191 | &nargs); | |
4192 | call = gimple_build_call (fun, 1, | |
4193 | build_fold_addr_expr (shadow_var)); | |
4194 | } | |
c7775327 ML |
4195 | gimple_set_location (call, gimple_location (use)); |
4196 | gimple *call_to_insert = call; | |
4197 | ||
4198 | /* The USE can be a gimple PHI node. If so, insert the call on | |
4199 | all edges leading to the PHI node. */ | |
4200 | if (is_a <gphi *> (use)) | |
4201 | { | |
4202 | gphi *phi = dyn_cast<gphi *> (use); | |
4203 | for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i) | |
4204 | if (gimple_phi_arg_def (phi, i) == poisoned_var) | |
4205 | { | |
4206 | edge e = gimple_phi_arg_edge (phi, i); | |
4207 | ||
236ac442 ML |
4208 | /* Do not insert on an edge we can't split. */ |
4209 | if (e->flags & EDGE_ABNORMAL) | |
4210 | continue; | |
4211 | ||
c7775327 ML |
4212 | if (call_to_insert == NULL) |
4213 | call_to_insert = gimple_copy (call); | |
4214 | ||
4215 | gsi_insert_seq_on_edge (e, call_to_insert); | |
4216 | *need_commit_edge_insert = true; | |
4217 | call_to_insert = NULL; | |
4218 | } | |
4219 | } | |
4220 | else | |
4221 | { | |
4222 | gimple_stmt_iterator gsi = gsi_for_stmt (use); | |
f6b9f2ff ML |
4223 | if (store_p) |
4224 | gsi_replace (&gsi, call, true); | |
4225 | else | |
4226 | gsi_insert_before (&gsi, call, GSI_NEW_STMT); | |
c7775327 ML |
4227 | } |
4228 | } | |
4229 | ||
4230 | SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true; | |
4231 | SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop (); | |
4232 | gsi_replace (iter, poison_call, false); | |
4233 | ||
4234 | return true; | |
4235 | } | |
4236 | ||
37d6f666 WM |
4237 | /* Instrument the current function. */ |
4238 | ||
4239 | static unsigned int | |
4240 | asan_instrument (void) | |
4241 | { | |
93a73251 MM |
4242 | if (hwasan_sanitize_p ()) |
4243 | { | |
4244 | transform_statements (); | |
4245 | return 0; | |
4246 | } | |
4247 | ||
f6d98484 | 4248 | if (shadow_ptr_types[0] == NULL_TREE) |
94fce891 | 4249 | asan_init_shadow_ptr_types (); |
37d6f666 | 4250 | transform_statements (); |
e3174bdf | 4251 | last_alloca_addr = NULL_TREE; |
37d6f666 WM |
4252 | return 0; |
4253 | } | |
4254 | ||
4255 | static bool | |
4256 | gate_asan (void) | |
4257 | { | |
45b2222a | 4258 | return sanitize_flags_p (SANITIZE_ADDRESS); |
37d6f666 WM |
4259 | } |
4260 | ||
27a4cd48 DM |
4261 | namespace { |
4262 | ||
4263 | const pass_data pass_data_asan = | |
37d6f666 | 4264 | { |
27a4cd48 DM |
4265 | GIMPLE_PASS, /* type */ |
4266 | "asan", /* name */ | |
4267 | OPTGROUP_NONE, /* optinfo_flags */ | |
27a4cd48 DM |
4268 | TV_NONE, /* tv_id */ |
4269 | ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */ | |
4270 | 0, /* properties_provided */ | |
4271 | 0, /* properties_destroyed */ | |
4272 | 0, /* todo_flags_start */ | |
3bea341f | 4273 | TODO_update_ssa, /* todo_flags_finish */ |
37d6f666 | 4274 | }; |
f6d98484 | 4275 | |
27a4cd48 DM |
4276 | class pass_asan : public gimple_opt_pass |
4277 | { | |
4278 | public: | |
c3284718 RS |
4279 | pass_asan (gcc::context *ctxt) |
4280 | : gimple_opt_pass (pass_data_asan, ctxt) | |
27a4cd48 DM |
4281 | {} |
4282 | ||
4283 | /* opt_pass methods: */ | |
725793af DM |
4284 | opt_pass * clone () final override { return new pass_asan (m_ctxt); } |
4285 | bool gate (function *) final override | |
4286 | { | |
4287 | return gate_asan () || gate_hwasan (); | |
4288 | } | |
4289 | unsigned int execute (function *) final override | |
4290 | { | |
4291 | return asan_instrument (); | |
4292 | } | |
27a4cd48 DM |
4293 | |
4294 | }; // class pass_asan | |
4295 | ||
4296 | } // anon namespace | |
4297 | ||
4298 | gimple_opt_pass * | |
4299 | make_pass_asan (gcc::context *ctxt) | |
4300 | { | |
4301 | return new pass_asan (ctxt); | |
4302 | } | |
4303 | ||
27a4cd48 DM |
4304 | namespace { |
4305 | ||
4306 | const pass_data pass_data_asan_O0 = | |
dfb9e332 | 4307 | { |
27a4cd48 DM |
4308 | GIMPLE_PASS, /* type */ |
4309 | "asan0", /* name */ | |
4310 | OPTGROUP_NONE, /* optinfo_flags */ | |
27a4cd48 DM |
4311 | TV_NONE, /* tv_id */ |
4312 | ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */ | |
4313 | 0, /* properties_provided */ | |
4314 | 0, /* properties_destroyed */ | |
4315 | 0, /* todo_flags_start */ | |
3bea341f | 4316 | TODO_update_ssa, /* todo_flags_finish */ |
dfb9e332 JJ |
4317 | }; |
4318 | ||
27a4cd48 DM |
4319 | class pass_asan_O0 : public gimple_opt_pass |
4320 | { | |
4321 | public: | |
c3284718 RS |
4322 | pass_asan_O0 (gcc::context *ctxt) |
4323 | : gimple_opt_pass (pass_data_asan_O0, ctxt) | |
27a4cd48 DM |
4324 | {} |
4325 | ||
4326 | /* opt_pass methods: */ | |
725793af | 4327 | bool gate (function *) final override |
93a73251 MM |
4328 | { |
4329 | return !optimize && (gate_asan () || gate_hwasan ()); | |
4330 | } | |
725793af DM |
4331 | unsigned int execute (function *) final override |
4332 | { | |
4333 | return asan_instrument (); | |
4334 | } | |
27a4cd48 DM |
4335 | |
4336 | }; // class pass_asan_O0 | |
4337 | ||
4338 | } // anon namespace | |
4339 | ||
4340 | gimple_opt_pass * | |
4341 | make_pass_asan_O0 (gcc::context *ctxt) | |
4342 | { | |
4343 | return new pass_asan_O0 (ctxt); | |
4344 | } | |
4345 | ||
93a73251 MM |
4346 | /* HWASAN */ |
4347 | ||
0854b584 MM |
4348 | /* For stack tagging: |
4349 | ||
4350 | Return the offset from the frame base tag that the "next" expanded object | |
4351 | should have. */ | |
4352 | uint8_t | |
4353 | hwasan_current_frame_tag () | |
4354 | { | |
4355 | return hwasan_frame_tag_offset; | |
4356 | } | |
4357 | ||
4358 | /* For stack tagging: | |
4359 | ||
4360 | Return the 'base pointer' for this function. If that base pointer has not | |
4361 | yet been created then we create a register to hold it and record the insns | |
4362 | to initialize the register in `hwasan_frame_base_init_seq` for later | |
4363 | emission. */ | |
4364 | rtx | |
4365 | hwasan_frame_base () | |
4366 | { | |
4367 | if (! hwasan_frame_base_ptr) | |
4368 | { | |
4369 | start_sequence (); | |
4370 | hwasan_frame_base_ptr | |
4371 | = force_reg (Pmode, | |
4372 | targetm.memtag.insert_random_tag (virtual_stack_vars_rtx, | |
4373 | NULL_RTX)); | |
4374 | hwasan_frame_base_init_seq = get_insns (); | |
4375 | end_sequence (); | |
4376 | } | |
4377 | ||
4378 | return hwasan_frame_base_ptr; | |
4379 | } | |
4380 | ||
4381 | /* For stack tagging: | |
4382 | ||
4383 | Check whether this RTX is a standard pointer addressing the base of the | |
4384 | stack variables for this frame. Returns true if the RTX is either | |
4385 | virtual_stack_vars_rtx or hwasan_frame_base_ptr. */ | |
4386 | bool | |
4387 | stack_vars_base_reg_p (rtx base) | |
4388 | { | |
4389 | return base == virtual_stack_vars_rtx || base == hwasan_frame_base_ptr; | |
4390 | } | |
4391 | ||
4392 | /* For stack tagging: | |
4393 | ||
4394 | Emit frame base initialisation. | |
4395 | If hwasan_frame_base has been used before here then | |
4396 | hwasan_frame_base_init_seq contains the sequence of instructions to | |
4397 | initialize it. This must be put just before the hwasan prologue, so we emit | |
4398 | the insns before parm_birth_insn (which will point to the first instruction | |
4399 | of the hwasan prologue if it exists). | |
4400 | ||
4401 | We update `parm_birth_insn` to point to the start of this initialisation | |
4402 | since that represents the end of the initialisation done by | |
4403 | expand_function_{start,end} functions and we want to maintain that. */ | |
4404 | void | |
4405 | hwasan_maybe_emit_frame_base_init () | |
4406 | { | |
4407 | if (! hwasan_frame_base_init_seq) | |
4408 | return; | |
4409 | emit_insn_before (hwasan_frame_base_init_seq, parm_birth_insn); | |
4410 | parm_birth_insn = hwasan_frame_base_init_seq; | |
4411 | } | |
4412 | ||
4413 | /* Record a compile-time constant size stack variable that HWASAN will need to | |
4414 | tag. This record of the range of a stack variable will be used by | |
4415 | `hwasan_emit_prologue` to emit the RTL at the start of each frame which will | |
4416 | set tags in the shadow memory according to the assigned tag for each object. | |
4417 | ||
4418 | The range that the object spans in stack space should be described by the | |
4419 | bounds `untagged_base + nearest_offset` and | |
4420 | `untagged_base + farthest_offset`. | |
4421 | `tagged_base` is the base address which contains the "base frame tag" for | |
4422 | this frame, and from which the value to address this object with will be | |
4423 | calculated. | |
4424 | ||
4425 | We record the `untagged_base` since the functions in the hwasan library we | |
4426 | use to tag memory take pointers without a tag. */ | |
4427 | void | |
4428 | hwasan_record_stack_var (rtx untagged_base, rtx tagged_base, | |
4429 | poly_int64 nearest_offset, poly_int64 farthest_offset) | |
4430 | { | |
4431 | hwasan_stack_var cur_var; | |
4432 | cur_var.untagged_base = untagged_base; | |
4433 | cur_var.tagged_base = tagged_base; | |
4434 | cur_var.nearest_offset = nearest_offset; | |
4435 | cur_var.farthest_offset = farthest_offset; | |
4436 | cur_var.tag_offset = hwasan_current_frame_tag (); | |
4437 | ||
4438 | hwasan_tagged_stack_vars.safe_push (cur_var); | |
4439 | } | |
4440 | ||
4441 | /* Return the RTX representing the farthest extent of the statically allocated | |
4442 | stack objects for this frame. If hwasan_frame_base_ptr has not been | |
4443 | initialized then we are not storing any static variables on the stack in | |
4444 | this frame. In this case we return NULL_RTX to represent that. | |
4445 | ||
4446 | Otherwise simply return virtual_stack_vars_rtx + frame_offset. */ | |
4447 | rtx | |
4448 | hwasan_get_frame_extent () | |
4449 | { | |
4450 | return (hwasan_frame_base_ptr | |
4451 | ? plus_constant (Pmode, virtual_stack_vars_rtx, frame_offset) | |
4452 | : NULL_RTX); | |
4453 | } | |
4454 | ||
4455 | /* For stack tagging: | |
4456 | ||
4457 | Increment the frame tag offset modulo the size a tag can represent. */ | |
4458 | void | |
4459 | hwasan_increment_frame_tag () | |
4460 | { | |
4461 | uint8_t tag_bits = HWASAN_TAG_SIZE; | |
4462 | gcc_assert (HWASAN_TAG_SIZE | |
4463 | <= sizeof (hwasan_frame_tag_offset) * CHAR_BIT); | |
4464 | hwasan_frame_tag_offset = (hwasan_frame_tag_offset + 1) % (1 << tag_bits); | |
4465 | /* The "background tag" of the stack is zero by definition. | |
4466 | This is the tag that objects like parameters passed on the stack and | |
4467 | spilled registers are given. It is handy to avoid this tag for objects | |
4468 | whose tags we decide ourselves, partly to ensure that buffer overruns | |
4469 | can't affect these important variables (e.g. saved link register, saved | |
4470 | stack pointer etc) and partly to make debugging easier (everything with a | |
4471 | tag of zero is space allocated automatically by the compiler). | |
4472 | ||
4473 | This is not feasible when using random frame tags (the default | |
4474 | configuration for hwasan) since the tag for the given frame is randomly | |
4475 | chosen at runtime. In order to avoid any tags matching the stack | |
4476 | background we would need to decide tag offsets at runtime instead of | |
4477 | compile time (and pay the resulting performance cost). | |
4478 | ||
4479 | When not using random base tags for each frame (i.e. when compiled with | |
4480 | `--param hwasan-random-frame-tag=0`) the base tag for each frame is zero. | |
4481 | This means the tag that each object gets is equal to the | |
4482 | hwasan_frame_tag_offset used in determining it. | |
4483 | When this is the case we *can* ensure no object gets the tag of zero by | |
4484 | simply ensuring no object has the hwasan_frame_tag_offset of zero. | |
4485 | ||
4486 | There is the extra complication that we only record the | |
4487 | hwasan_frame_tag_offset here (which is the offset from the tag stored in | |
4488 | the stack pointer). In the kernel, the tag in the stack pointer is 0xff | |
4489 | rather than zero. This does not cause problems since tags of 0xff are | |
4490 | never checked in the kernel. As mentioned at the beginning of this | |
4491 | comment the background tag of the stack is zero by definition, which means | |
4492 | that for the kernel we should skip offsets of both 0 and 1 from the stack | |
4493 | pointer. Avoiding the offset of 0 ensures we use a tag which will be | |
4494 | checked, avoiding the offset of 1 ensures we use a tag that is not the | |
4495 | same as the background. */ | |
4496 | if (hwasan_frame_tag_offset == 0 && ! param_hwasan_random_frame_tag) | |
4497 | hwasan_frame_tag_offset += 1; | |
4498 | if (hwasan_frame_tag_offset == 1 && ! param_hwasan_random_frame_tag | |
4499 | && sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS)) | |
4500 | hwasan_frame_tag_offset += 1; | |
4501 | } | |
4502 | ||
4503 | /* Clear internal state for the next function. | |
4504 | This function is called before variables on the stack get expanded, in | |
4505 | `init_vars_expansion`. */ | |
4506 | void | |
4507 | hwasan_record_frame_init () | |
4508 | { | |
4509 | delete asan_used_labels; | |
4510 | asan_used_labels = NULL; | |
4511 | ||
4512 | /* If this isn't the case then some stack variable was recorded *before* | |
4513 | hwasan_record_frame_init is called, yet *after* the hwasan prologue for | |
4514 | the previous frame was emitted. Such stack variables would not have | |
4515 | their shadow stack filled in. */ | |
4516 | gcc_assert (hwasan_tagged_stack_vars.is_empty ()); | |
4517 | hwasan_frame_base_ptr = NULL_RTX; | |
4518 | hwasan_frame_base_init_seq = NULL; | |
4519 | ||
4520 | /* When not using a random frame tag we can avoid the background stack | |
4521 | color which gives the user a little better debug output upon a crash. | |
4522 | Meanwhile, when using a random frame tag it will be nice to avoid adding | |
4523 | tags for the first object since that is unnecessary extra work. | |
4524 | Hence set the initial hwasan_frame_tag_offset to be 0 if using a random | |
4525 | frame tag and 1 otherwise. | |
4526 | ||
4527 | As described in hwasan_increment_frame_tag, in the kernel the stack | |
4528 | pointer has the tag 0xff. That means that to avoid 0xff and 0 (the tag | |
4529 | which the kernel does not check and the background tag respectively) we | |
4530 | start with a tag offset of 2. */ | |
4531 | hwasan_frame_tag_offset = param_hwasan_random_frame_tag | |
4532 | ? 0 | |
4533 | : sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS) ? 2 : 1; | |
4534 | } | |
4535 | ||
4536 | /* For stack tagging: | |
4537 | (Emits HWASAN equivalent of what is emitted by | |
4538 | `asan_emit_stack_protection`). | |
4539 | ||
4540 | Emits the extra prologue code to set the shadow stack as required for HWASAN | |
4541 | stack instrumentation. | |
4542 | ||
4543 | Uses the vector of recorded stack variables hwasan_tagged_stack_vars. When | |
4544 | this function has completed hwasan_tagged_stack_vars is empty and all | |
4545 | objects it had pointed to are deallocated. */ | |
4546 | void | |
4547 | hwasan_emit_prologue () | |
4548 | { | |
4549 | /* We need untagged base pointers since libhwasan only accepts untagged | |
4550 | pointers in __hwasan_tag_memory. We need the tagged base pointer to obtain | |
4551 | the base tag for an offset. */ | |
4552 | ||
4553 | if (hwasan_tagged_stack_vars.is_empty ()) | |
4554 | return; | |
4555 | ||
4556 | poly_int64 bot = 0, top = 0; | |
4557 | for (hwasan_stack_var &cur : hwasan_tagged_stack_vars) | |
4558 | { | |
4559 | poly_int64 nearest = cur.nearest_offset; | |
4560 | poly_int64 farthest = cur.farthest_offset; | |
4561 | ||
4562 | if (known_ge (nearest, farthest)) | |
4563 | { | |
4564 | top = nearest; | |
4565 | bot = farthest; | |
4566 | } | |
4567 | else | |
4568 | { | |
4569 | /* Given how these values are calculated, one must be known greater | |
4570 | than the other. */ | |
4571 | gcc_assert (known_le (nearest, farthest)); | |
4572 | top = farthest; | |
4573 | bot = nearest; | |
4574 | } | |
4575 | poly_int64 size = (top - bot); | |
4576 | ||
4577 | /* Assert the edge of each variable is aligned to the HWASAN tag granule | |
4578 | size. */ | |
4579 | gcc_assert (multiple_p (top, HWASAN_TAG_GRANULE_SIZE)); | |
4580 | gcc_assert (multiple_p (bot, HWASAN_TAG_GRANULE_SIZE)); | |
4581 | gcc_assert (multiple_p (size, HWASAN_TAG_GRANULE_SIZE)); | |
4582 | ||
4583 | rtx fn = init_one_libfunc ("__hwasan_tag_memory"); | |
4584 | rtx base_tag = targetm.memtag.extract_tag (cur.tagged_base, NULL_RTX); | |
4585 | rtx tag = plus_constant (QImode, base_tag, cur.tag_offset); | |
4586 | tag = hwasan_truncate_to_tag_size (tag, NULL_RTX); | |
4587 | ||
4588 | rtx bottom = convert_memory_address (ptr_mode, | |
4589 | plus_constant (Pmode, | |
4590 | cur.untagged_base, | |
4591 | bot)); | |
4592 | emit_library_call (fn, LCT_NORMAL, VOIDmode, | |
4593 | bottom, ptr_mode, | |
4594 | tag, QImode, | |
4595 | gen_int_mode (size, ptr_mode), ptr_mode); | |
4596 | } | |
4597 | /* Clear the stack vars, we've emitted the prologue for them all now. */ | |
4598 | hwasan_tagged_stack_vars.truncate (0); | |
4599 | } | |
4600 | ||
4601 | /* For stack tagging: | |
4602 | ||
4603 | Return RTL insns to clear the tags between DYNAMIC and VARS pointers | |
4604 | into the stack. These instructions should be emitted at the end of | |
4605 | every function. | |
4606 | ||
4607 | If `dynamic` is NULL_RTX then no insns are returned. */ | |
4608 | rtx_insn * | |
4609 | hwasan_emit_untag_frame (rtx dynamic, rtx vars) | |
4610 | { | |
4611 | if (! dynamic) | |
4612 | return NULL; | |
4613 | ||
4614 | start_sequence (); | |
4615 | ||
4616 | dynamic = convert_memory_address (ptr_mode, dynamic); | |
4617 | vars = convert_memory_address (ptr_mode, vars); | |
4618 | ||
4619 | rtx top_rtx; | |
4620 | rtx bot_rtx; | |
4621 | if (FRAME_GROWS_DOWNWARD) | |
4622 | { | |
4623 | top_rtx = vars; | |
4624 | bot_rtx = dynamic; | |
4625 | } | |
4626 | else | |
4627 | { | |
4628 | top_rtx = dynamic; | |
4629 | bot_rtx = vars; | |
4630 | } | |
4631 | ||
4632 | rtx size_rtx = expand_simple_binop (ptr_mode, MINUS, top_rtx, bot_rtx, | |
4633 | NULL_RTX, /* unsignedp = */0, | |
4634 | OPTAB_DIRECT); | |
4635 | ||
4636 | rtx fn = init_one_libfunc ("__hwasan_tag_memory"); | |
4637 | emit_library_call (fn, LCT_NORMAL, VOIDmode, | |
4638 | bot_rtx, ptr_mode, | |
4639 | HWASAN_STACK_BACKGROUND, QImode, | |
4640 | size_rtx, ptr_mode); | |
4641 | ||
4642 | do_pending_stack_adjust (); | |
4643 | rtx_insn *insns = get_insns (); | |
4644 | end_sequence (); | |
4645 | return insns; | |
4646 | } | |
4647 | ||
4648 | /* Needs to be GTY(()), because cgraph_build_static_cdtor may | |
4649 | invoke ggc_collect. */ | |
4650 | static GTY(()) tree hwasan_ctor_statements; | |
4651 | ||
4652 | /* Insert module initialization into this TU. This initialization calls the | |
4653 | initialization code for libhwasan. */ | |
4654 | void | |
4655 | hwasan_finish_file (void) | |
4656 | { | |
4657 | /* Do not emit constructor initialization for the kernel. | |
4658 | (the kernel has its own initialization already). */ | |
4659 | if (flag_sanitize & SANITIZE_KERNEL_HWADDRESS) | |
4660 | return; | |
4661 | ||
4662 | /* Avoid instrumenting code in the hwasan constructors/destructors. */ | |
4663 | flag_sanitize &= ~SANITIZE_HWADDRESS; | |
4664 | int priority = MAX_RESERVED_INIT_PRIORITY - 1; | |
4665 | tree fn = builtin_decl_implicit (BUILT_IN_HWASAN_INIT); | |
4666 | append_to_statement_list (build_call_expr (fn, 0), &hwasan_ctor_statements); | |
4667 | cgraph_build_static_cdtor ('I', hwasan_ctor_statements, priority); | |
4668 | flag_sanitize |= SANITIZE_HWADDRESS; | |
4669 | } | |
4670 | ||
4671 | /* For stack tagging: | |
4672 | ||
4673 | Truncate `tag` to the number of bits that a tag uses (i.e. to | |
4674 | HWASAN_TAG_SIZE). Store the result in `target` if it's convenient. */ | |
4675 | rtx | |
4676 | hwasan_truncate_to_tag_size (rtx tag, rtx target) | |
4677 | { | |
4678 | gcc_assert (GET_MODE (tag) == QImode); | |
4679 | if (HWASAN_TAG_SIZE != GET_MODE_PRECISION (QImode)) | |
4680 | { | |
4681 | gcc_assert (GET_MODE_PRECISION (QImode) > HWASAN_TAG_SIZE); | |
4682 | rtx mask = gen_int_mode ((HOST_WIDE_INT_1U << HWASAN_TAG_SIZE) - 1, | |
4683 | QImode); | |
4684 | tag = expand_simple_binop (QImode, AND, tag, mask, target, | |
4685 | /* unsignedp = */1, OPTAB_WIDEN); | |
4686 | gcc_assert (tag); | |
4687 | } | |
4688 | return tag; | |
4689 | } | |
4690 | ||
93a73251 MM |
4691 | /* Construct a function tree for __hwasan_{load,store}{1,2,4,8,16,_n}. |
4692 | IS_STORE is either 1 (for a store) or 0 (for a load). */ | |
4693 | static combined_fn | |
4694 | hwasan_check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes, | |
4695 | int *nargs) | |
4696 | { | |
4697 | static enum built_in_function check[2][2][6] | |
4698 | = { { { BUILT_IN_HWASAN_LOAD1, BUILT_IN_HWASAN_LOAD2, | |
4699 | BUILT_IN_HWASAN_LOAD4, BUILT_IN_HWASAN_LOAD8, | |
4700 | BUILT_IN_HWASAN_LOAD16, BUILT_IN_HWASAN_LOADN }, | |
4701 | { BUILT_IN_HWASAN_STORE1, BUILT_IN_HWASAN_STORE2, | |
4702 | BUILT_IN_HWASAN_STORE4, BUILT_IN_HWASAN_STORE8, | |
4703 | BUILT_IN_HWASAN_STORE16, BUILT_IN_HWASAN_STOREN } }, | |
4704 | { { BUILT_IN_HWASAN_LOAD1_NOABORT, | |
4705 | BUILT_IN_HWASAN_LOAD2_NOABORT, | |
4706 | BUILT_IN_HWASAN_LOAD4_NOABORT, | |
4707 | BUILT_IN_HWASAN_LOAD8_NOABORT, | |
4708 | BUILT_IN_HWASAN_LOAD16_NOABORT, | |
4709 | BUILT_IN_HWASAN_LOADN_NOABORT }, | |
4710 | { BUILT_IN_HWASAN_STORE1_NOABORT, | |
4711 | BUILT_IN_HWASAN_STORE2_NOABORT, | |
4712 | BUILT_IN_HWASAN_STORE4_NOABORT, | |
4713 | BUILT_IN_HWASAN_STORE8_NOABORT, | |
4714 | BUILT_IN_HWASAN_STORE16_NOABORT, | |
4715 | BUILT_IN_HWASAN_STOREN_NOABORT } } }; | |
4716 | if (size_in_bytes == -1) | |
4717 | { | |
4718 | *nargs = 2; | |
4719 | return as_combined_fn (check[recover_p][is_store][5]); | |
4720 | } | |
4721 | *nargs = 1; | |
4722 | int size_log2 = exact_log2 (size_in_bytes); | |
4723 | gcc_assert (size_log2 >= 0 && size_log2 <= 5); | |
4724 | return as_combined_fn (check[recover_p][is_store][size_log2]); | |
4725 | } | |
4726 | ||
4727 | /* Expand the HWASAN_{LOAD,STORE} builtins. */ | |
4728 | bool | |
4729 | hwasan_expand_check_ifn (gimple_stmt_iterator *iter, bool) | |
4730 | { | |
4731 | gimple *g = gsi_stmt (*iter); | |
4732 | location_t loc = gimple_location (g); | |
4733 | bool recover_p; | |
4734 | if (flag_sanitize & SANITIZE_USER_HWADDRESS) | |
4735 | recover_p = (flag_sanitize_recover & SANITIZE_USER_HWADDRESS) != 0; | |
4736 | else | |
4737 | recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_HWADDRESS) != 0; | |
4738 | ||
4739 | HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0)); | |
4740 | gcc_assert (flags < ASAN_CHECK_LAST); | |
4741 | bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0; | |
4742 | bool is_store = (flags & ASAN_CHECK_STORE) != 0; | |
4743 | bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0; | |
4744 | ||
4745 | tree base = gimple_call_arg (g, 1); | |
4746 | tree len = gimple_call_arg (g, 2); | |
4747 | ||
4748 | /* `align` is unused for HWASAN_CHECK, but we pass the argument anyway | |
4749 | since that way the arguments match ASAN_CHECK. */ | |
4750 | /* HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3)); */ | |
4751 | ||
4752 | unsigned HOST_WIDE_INT size_in_bytes | |
4753 | = is_scalar_access ? tree_to_shwi (len) : -1; | |
4754 | ||
4755 | gimple_stmt_iterator gsi = *iter; | |
4756 | ||
4757 | if (!is_non_zero_len) | |
4758 | { | |
4759 | /* So, the length of the memory area to hwasan-protect is | |
4760 | non-constant. Let's guard the generated instrumentation code | |
4761 | like: | |
4762 | ||
4763 | if (len != 0) | |
4764 | { | |
4765 | // hwasan instrumentation code goes here. | |
4766 | } | |
4767 | // falltrough instructions, starting with *ITER. */ | |
4768 | ||
4769 | g = gimple_build_cond (NE_EXPR, | |
4770 | len, | |
4771 | build_int_cst (TREE_TYPE (len), 0), | |
4772 | NULL_TREE, NULL_TREE); | |
4773 | gimple_set_location (g, loc); | |
4774 | ||
4775 | basic_block then_bb, fallthrough_bb; | |
4776 | insert_if_then_before_iter (as_a <gcond *> (g), iter, | |
4777 | /*then_more_likely_p=*/true, | |
4778 | &then_bb, &fallthrough_bb); | |
4779 | /* Note that fallthrough_bb starts with the statement that was | |
4780 | pointed to by ITER. */ | |
4781 | ||
4782 | /* The 'then block' of the 'if (len != 0) condition is where | |
4783 | we'll generate the hwasan instrumentation code now. */ | |
4784 | gsi = gsi_last_bb (then_bb); | |
4785 | } | |
4786 | ||
4787 | gimple_seq stmts = NULL; | |
4788 | tree base_addr = gimple_build (&stmts, loc, NOP_EXPR, | |
4789 | pointer_sized_int_node, base); | |
4790 | ||
4791 | int nargs = 0; | |
4792 | combined_fn fn | |
4793 | = hwasan_check_func (is_store, recover_p, size_in_bytes, &nargs); | |
4794 | if (nargs == 1) | |
4795 | gimple_build (&stmts, loc, fn, void_type_node, base_addr); | |
4796 | else | |
4797 | { | |
4798 | gcc_assert (nargs == 2); | |
4799 | tree sz_arg = gimple_build (&stmts, loc, NOP_EXPR, | |
4800 | pointer_sized_int_node, len); | |
4801 | gimple_build (&stmts, loc, fn, void_type_node, base_addr, sz_arg); | |
4802 | } | |
4803 | ||
4804 | gsi_insert_seq_after (&gsi, stmts, GSI_NEW_STMT); | |
4805 | gsi_remove (iter, true); | |
4806 | *iter = gsi; | |
4807 | return false; | |
4808 | } | |
4809 | ||
4810 | /* For stack tagging: | |
4811 | ||
4812 | Dummy: the HWASAN_MARK internal function should only ever be in the code | |
4813 | after the sanopt pass. */ | |
4814 | bool | |
4815 | hwasan_expand_mark_ifn (gimple_stmt_iterator *) | |
4816 | { | |
4817 | gcc_unreachable (); | |
4818 | } | |
4819 | ||
4820 | bool | |
4821 | gate_hwasan () | |
4822 | { | |
4823 | return hwasan_sanitize_p (); | |
4824 | } | |
4825 | ||
f6d98484 | 4826 | #include "gt-asan.h" |