]> git.ipfire.org Git - thirdparty/gcc.git/blob - gcc/asan.c
projects / thirdparty / gcc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bail out HARD_REGISTER vars in asan (PR sanitizer/81224).
[thirdparty/gcc.git] / gcc / asan.c
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2017 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
11
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "backend.h"
26 #include "target.h"
27 #include "rtl.h"
28 #include "tree.h"
29 #include "gimple.h"
30 #include "cfghooks.h"
31 #include "alloc-pool.h"
32 #include "tree-pass.h"
33 #include "memmodel.h"
34 #include "tm_p.h"
35 #include "ssa.h"
36 #include "stringpool.h"
37 #include "tree-ssanames.h"
38 #include "optabs.h"
39 #include "emit-rtl.h"
40 #include "cgraph.h"
41 #include "gimple-pretty-print.h"
42 #include "alias.h"
43 #include "fold-const.h"
44 #include "cfganal.h"
45 #include "gimplify.h"
46 #include "gimple-iterator.h"
47 #include "varasm.h"
48 #include "stor-layout.h"
49 #include "tree-iterator.h"
50 #include "asan.h"
51 #include "dojump.h"
52 #include "explow.h"
53 #include "expr.h"
54 #include "output.h"
55 #include "langhooks.h"
56 #include "cfgloop.h"
57 #include "gimple-builder.h"
58 #include "ubsan.h"
59 #include "params.h"
60 #include "builtins.h"
61 #include "fnmatch.h"
62 #include "tree-inline.h"
63
64 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
65 with <2x slowdown on average.
66
67 The tool consists of two parts:
68 instrumentation module (this file) and a run-time library.
69 The instrumentation module adds a run-time check before every memory insn.
70 For a 8- or 16- byte load accessing address X:
71 ShadowAddr = (X >> 3) + Offset
72 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
73 if (ShadowValue)
74 __asan_report_load8(X);
75 For a load of N bytes (N=1, 2 or 4) from address X:
76 ShadowAddr = (X >> 3) + Offset
77 ShadowValue = *(char*)ShadowAddr;
78 if (ShadowValue)
79 if ((X & 7) + N - 1 > ShadowValue)
80 __asan_report_loadN(X);
81 Stores are instrumented similarly, but using __asan_report_storeN functions.
82 A call too __asan_init_vN() is inserted to the list of module CTORs.
83 N is the version number of the AddressSanitizer API. The changes between the
84 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
85
86 The run-time library redefines malloc (so that redzone are inserted around
87 the allocated memory) and free (so that reuse of free-ed memory is delayed),
88 provides __asan_report* and __asan_init_vN functions.
89
90 Read more:
91 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
92
93 The current implementation supports detection of out-of-bounds and
94 use-after-free in the heap, on the stack and for global variables.
95
96 [Protection of stack variables]
97
98 To understand how detection of out-of-bounds and use-after-free works
99 for stack variables, lets look at this example on x86_64 where the
100 stack grows downward:
101
102 int
103 foo ()
104 {
105 char a[23] = {0};
106 int b[2] = {0};
107
108 a[5] = 1;
109 b[1] = 2;
110
111 return a[5] + b[1];
112 }
113
114 For this function, the stack protected by asan will be organized as
115 follows, from the top of the stack to the bottom:
116
117 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
118
119 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
120 the next slot be 32 bytes aligned; this one is called Partial
121 Redzone; this 32 bytes alignment is an asan constraint]
122
123 Slot 3/ [24 bytes for variable 'a']
124
125 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
126
127 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
128
129 Slot 6/ [8 bytes for variable 'b']
130
131 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
132 'LEFT RedZone']
133
134 The 32 bytes of LEFT red zone at the bottom of the stack can be
135 decomposed as such:
136
137 1/ The first 8 bytes contain a magical asan number that is always
138 0x41B58AB3.
139
140 2/ The following 8 bytes contains a pointer to a string (to be
141 parsed at runtime by the runtime asan library), which format is
142 the following:
143
144 "<function-name> <space> <num-of-variables-on-the-stack>
145 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
146 <length-of-var-in-bytes> ){n} "
147
148 where '(...){n}' means the content inside the parenthesis occurs 'n'
149 times, with 'n' being the number of variables on the stack.
150
151 3/ The following 8 bytes contain the PC of the current function which
152 will be used by the run-time library to print an error message.
153
154 4/ The following 8 bytes are reserved for internal use by the run-time.
155
156 The shadow memory for that stack layout is going to look like this:
157
158 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
159 The F1 byte pattern is a magic number called
160 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
161 the memory for that shadow byte is part of a the LEFT red zone
162 intended to seat at the bottom of the variables on the stack.
163
164 - content of shadow memory 8 bytes for slots 6 and 5:
165 0xF4F4F400. The F4 byte pattern is a magic number
166 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
167 memory region for this shadow byte is a PARTIAL red zone
168 intended to pad a variable A, so that the slot following
169 {A,padding} is 32 bytes aligned.
170
171 Note that the fact that the least significant byte of this
172 shadow memory content is 00 means that 8 bytes of its
173 corresponding memory (which corresponds to the memory of
174 variable 'b') is addressable.
175
176 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
177 The F2 byte pattern is a magic number called
178 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
179 region for this shadow byte is a MIDDLE red zone intended to
180 seat between two 32 aligned slots of {variable,padding}.
181
182 - content of shadow memory 8 bytes for slot 3 and 2:
183 0xF4000000. This represents is the concatenation of
184 variable 'a' and the partial red zone following it, like what we
185 had for variable 'b'. The least significant 3 bytes being 00
186 means that the 3 bytes of variable 'a' are addressable.
187
188 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
189 The F3 byte pattern is a magic number called
190 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
191 region for this shadow byte is a RIGHT red zone intended to seat
192 at the top of the variables of the stack.
193
194 Note that the real variable layout is done in expand_used_vars in
195 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
196 stack variables as well as the different red zones, emits some
197 prologue code to populate the shadow memory as to poison (mark as
198 non-accessible) the regions of the red zones and mark the regions of
199 stack variables as accessible, and emit some epilogue code to
200 un-poison (mark as accessible) the regions of red zones right before
201 the function exits.
202
203 [Protection of global variables]
204
205 The basic idea is to insert a red zone between two global variables
206 and install a constructor function that calls the asan runtime to do
207 the populating of the relevant shadow memory regions at load time.
208
209 So the global variables are laid out as to insert a red zone between
210 them. The size of the red zones is so that each variable starts on a
211 32 bytes boundary.
212
213 Then a constructor function is installed so that, for each global
214 variable, it calls the runtime asan library function
215 __asan_register_globals_with an instance of this type:
216
217 struct __asan_global
218 {
219 // Address of the beginning of the global variable.
220 const void *__beg;
221
222 // Initial size of the global variable.
223 uptr __size;
224
225 // Size of the global variable + size of the red zone. This
226 // size is 32 bytes aligned.
227 uptr __size_with_redzone;
228
229 // Name of the global variable.
230 const void *__name;
231
232 // Name of the module where the global variable is declared.
233 const void *__module_name;
234
235 // 1 if it has dynamic initialization, 0 otherwise.
236 uptr __has_dynamic_init;
237
238 // A pointer to struct that contains source location, could be NULL.
239 __asan_global_source_location *__location;
240 }
241
242 A destructor function that calls the runtime asan library function
243 _asan_unregister_globals is also installed. */
244
245 static unsigned HOST_WIDE_INT asan_shadow_offset_value;
246 static bool asan_shadow_offset_computed;
247 static vec<char *> sanitized_sections;
248
249 /* Set of variable declarations that are going to be guarded by
250 use-after-scope sanitizer. */
251
252 static hash_set<tree> *asan_handled_variables = NULL;
253
254 hash_set <tree> *asan_used_labels = NULL;
255
256 /* Sets shadow offset to value in string VAL. */
257
258 bool
259 set_asan_shadow_offset (const char *val)
260 {
261 char *endp;
262
263 errno = 0;
264 #ifdef HAVE_LONG_LONG
265 asan_shadow_offset_value = strtoull (val, &endp, 0);
266 #else
267 asan_shadow_offset_value = strtoul (val, &endp, 0);
268 #endif
269 if (!(*val != '\0' && *endp == '\0' && errno == 0))
270 return false;
271
272 asan_shadow_offset_computed = true;
273
274 return true;
275 }
276
277 /* Set list of user-defined sections that need to be sanitized. */
278
279 void
280 set_sanitized_sections (const char *sections)
281 {
282 char *pat;
283 unsigned i;
284 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
285 free (pat);
286 sanitized_sections.truncate (0);
287
288 for (const char *s = sections; *s; )
289 {
290 const char *end;
291 for (end = s; *end && *end != ','; ++end);
292 size_t len = end - s;
293 sanitized_sections.safe_push (xstrndup (s, len));
294 s = *end ? end + 1 : end;
295 }
296 }
297
298 bool
299 asan_mark_p (gimple *stmt, enum asan_mark_flags flag)
300 {
301 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
302 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag);
303 }
304
305 bool
306 asan_sanitize_stack_p (void)
307 {
308 return (sanitize_flags_p (SANITIZE_ADDRESS) && ASAN_STACK);
309 }
310
311 /* Checks whether section SEC should be sanitized. */
312
313 static bool
314 section_sanitized_p (const char *sec)
315 {
316 char *pat;
317 unsigned i;
318 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
319 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
320 return true;
321 return false;
322 }
323
324 /* Returns Asan shadow offset. */
325
326 static unsigned HOST_WIDE_INT
327 asan_shadow_offset ()
328 {
329 if (!asan_shadow_offset_computed)
330 {
331 asan_shadow_offset_computed = true;
332 asan_shadow_offset_value = targetm.asan_shadow_offset ();
333 }
334 return asan_shadow_offset_value;
335 }
336
337 alias_set_type asan_shadow_set = -1;
338
339 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
340 alias set is used for all shadow memory accesses. */
341 static GTY(()) tree shadow_ptr_types[3];
342
343 /* Decl for __asan_option_detect_stack_use_after_return. */
344 static GTY(()) tree asan_detect_stack_use_after_return;
345
346 /* Hashtable support for memory references used by gimple
347 statements. */
348
349 /* This type represents a reference to a memory region. */
350 struct asan_mem_ref
351 {
352 /* The expression of the beginning of the memory region. */
353 tree start;
354
355 /* The size of the access. */
356 HOST_WIDE_INT access_size;
357 };
358
359 object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
360
361 /* Initializes an instance of asan_mem_ref. */
362
363 static void
364 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
365 {
366 ref->start = start;
367 ref->access_size = access_size;
368 }
369
370 /* Allocates memory for an instance of asan_mem_ref into the memory
371 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
372 START is the address of (or the expression pointing to) the
373 beginning of memory reference. ACCESS_SIZE is the size of the
374 access to the referenced memory. */
375
376 static asan_mem_ref*
377 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
378 {
379 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
380
381 asan_mem_ref_init (ref, start, access_size);
382 return ref;
383 }
384
385 /* This builds and returns a pointer to the end of the memory region
386 that starts at START and of length LEN. */
387
388 tree
389 asan_mem_ref_get_end (tree start, tree len)
390 {
391 if (len == NULL_TREE || integer_zerop (len))
392 return start;
393
394 if (!ptrofftype_p (len))
395 len = convert_to_ptrofftype (len);
396
397 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
398 }
399
400 /* Return a tree expression that represents the end of the referenced
401 memory region. Beware that this function can actually build a new
402 tree expression. */
403
404 tree
405 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
406 {
407 return asan_mem_ref_get_end (ref->start, len);
408 }
409
410 struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
411 {
412 static inline hashval_t hash (const asan_mem_ref *);
413 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
414 };
415
416 /* Hash a memory reference. */
417
418 inline hashval_t
419 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
420 {
421 return iterative_hash_expr (mem_ref->start, 0);
422 }
423
424 /* Compare two memory references. We accept the length of either
425 memory references to be NULL_TREE. */
426
427 inline bool
428 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
429 const asan_mem_ref *m2)
430 {
431 return operand_equal_p (m1->start, m2->start, 0);
432 }
433
434 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
435
436 /* Returns a reference to the hash table containing memory references.
437 This function ensures that the hash table is created. Note that
438 this hash table is updated by the function
439 update_mem_ref_hash_table. */
440
441 static hash_table<asan_mem_ref_hasher> *
442 get_mem_ref_hash_table ()
443 {
444 if (!asan_mem_ref_ht)
445 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
446
447 return asan_mem_ref_ht;
448 }
449
450 /* Clear all entries from the memory references hash table. */
451
452 static void
453 empty_mem_ref_hash_table ()
454 {
455 if (asan_mem_ref_ht)
456 asan_mem_ref_ht->empty ();
457 }
458
459 /* Free the memory references hash table. */
460
461 static void
462 free_mem_ref_resources ()
463 {
464 delete asan_mem_ref_ht;
465 asan_mem_ref_ht = NULL;
466
467 asan_mem_ref_pool.release ();
468 }
469
470 /* Return true iff the memory reference REF has been instrumented. */
471
472 static bool
473 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
474 {
475 asan_mem_ref r;
476 asan_mem_ref_init (&r, ref, access_size);
477
478 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
479 return saved_ref && saved_ref->access_size >= access_size;
480 }
481
482 /* Return true iff the memory reference REF has been instrumented. */
483
484 static bool
485 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
486 {
487 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
488 }
489
490 /* Return true iff access to memory region starting at REF and of
491 length LEN has been instrumented. */
492
493 static bool
494 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
495 {
496 HOST_WIDE_INT size_in_bytes
497 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
498
499 return size_in_bytes != -1
500 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
501 }
502
503 /* Set REF to the memory reference present in a gimple assignment
504 ASSIGNMENT. Return true upon successful completion, false
505 otherwise. */
506
507 static bool
508 get_mem_ref_of_assignment (const gassign *assignment,
509 asan_mem_ref *ref,
510 bool *ref_is_store)
511 {
512 gcc_assert (gimple_assign_single_p (assignment));
513
514 if (gimple_store_p (assignment)
515 && !gimple_clobber_p (assignment))
516 {
517 ref->start = gimple_assign_lhs (assignment);
518 *ref_is_store = true;
519 }
520 else if (gimple_assign_load_p (assignment))
521 {
522 ref->start = gimple_assign_rhs1 (assignment);
523 *ref_is_store = false;
524 }
525 else
526 return false;
527
528 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
529 return true;
530 }
531
532 /* Return the memory references contained in a gimple statement
533 representing a builtin call that has to do with memory access. */
534
535 static bool
536 get_mem_refs_of_builtin_call (const gcall *call,
537 asan_mem_ref *src0,
538 tree *src0_len,
539 bool *src0_is_store,
540 asan_mem_ref *src1,
541 tree *src1_len,
542 bool *src1_is_store,
543 asan_mem_ref *dst,
544 tree *dst_len,
545 bool *dst_is_store,
546 bool *dest_is_deref,
547 bool *intercepted_p)
548 {
549 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
550
551 tree callee = gimple_call_fndecl (call);
552 tree source0 = NULL_TREE, source1 = NULL_TREE,
553 dest = NULL_TREE, len = NULL_TREE;
554 bool is_store = true, got_reference_p = false;
555 HOST_WIDE_INT access_size = 1;
556
557 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
558
559 switch (DECL_FUNCTION_CODE (callee))
560 {
561 /* (s, s, n) style memops. */
562 case BUILT_IN_BCMP:
563 case BUILT_IN_MEMCMP:
564 source0 = gimple_call_arg (call, 0);
565 source1 = gimple_call_arg (call, 1);
566 len = gimple_call_arg (call, 2);
567 break;
568
569 /* (src, dest, n) style memops. */
570 case BUILT_IN_BCOPY:
571 source0 = gimple_call_arg (call, 0);
572 dest = gimple_call_arg (call, 1);
573 len = gimple_call_arg (call, 2);
574 break;
575
576 /* (dest, src, n) style memops. */
577 case BUILT_IN_MEMCPY:
578 case BUILT_IN_MEMCPY_CHK:
579 case BUILT_IN_MEMMOVE:
580 case BUILT_IN_MEMMOVE_CHK:
581 case BUILT_IN_MEMPCPY:
582 case BUILT_IN_MEMPCPY_CHK:
583 dest = gimple_call_arg (call, 0);
584 source0 = gimple_call_arg (call, 1);
585 len = gimple_call_arg (call, 2);
586 break;
587
588 /* (dest, n) style memops. */
589 case BUILT_IN_BZERO:
590 dest = gimple_call_arg (call, 0);
591 len = gimple_call_arg (call, 1);
592 break;
593
594 /* (dest, x, n) style memops*/
595 case BUILT_IN_MEMSET:
596 case BUILT_IN_MEMSET_CHK:
597 dest = gimple_call_arg (call, 0);
598 len = gimple_call_arg (call, 2);
599 break;
600
601 case BUILT_IN_STRLEN:
602 source0 = gimple_call_arg (call, 0);
603 len = gimple_call_lhs (call);
604 break;
605
606 /* And now the __atomic* and __sync builtins.
607 These are handled differently from the classical memory memory
608 access builtins above. */
609
610 case BUILT_IN_ATOMIC_LOAD_1:
611 is_store = false;
612 /* FALLTHRU */
613 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
614 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
615 case BUILT_IN_SYNC_FETCH_AND_OR_1:
616 case BUILT_IN_SYNC_FETCH_AND_AND_1:
617 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
618 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
619 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
620 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
621 case BUILT_IN_SYNC_OR_AND_FETCH_1:
622 case BUILT_IN_SYNC_AND_AND_FETCH_1:
623 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
624 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
625 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
626 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
627 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
628 case BUILT_IN_SYNC_LOCK_RELEASE_1:
629 case BUILT_IN_ATOMIC_EXCHANGE_1:
630 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
631 case BUILT_IN_ATOMIC_STORE_1:
632 case BUILT_IN_ATOMIC_ADD_FETCH_1:
633 case BUILT_IN_ATOMIC_SUB_FETCH_1:
634 case BUILT_IN_ATOMIC_AND_FETCH_1:
635 case BUILT_IN_ATOMIC_NAND_FETCH_1:
636 case BUILT_IN_ATOMIC_XOR_FETCH_1:
637 case BUILT_IN_ATOMIC_OR_FETCH_1:
638 case BUILT_IN_ATOMIC_FETCH_ADD_1:
639 case BUILT_IN_ATOMIC_FETCH_SUB_1:
640 case BUILT_IN_ATOMIC_FETCH_AND_1:
641 case BUILT_IN_ATOMIC_FETCH_NAND_1:
642 case BUILT_IN_ATOMIC_FETCH_XOR_1:
643 case BUILT_IN_ATOMIC_FETCH_OR_1:
644 access_size = 1;
645 goto do_atomic;
646
647 case BUILT_IN_ATOMIC_LOAD_2:
648 is_store = false;
649 /* FALLTHRU */
650 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
651 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
652 case BUILT_IN_SYNC_FETCH_AND_OR_2:
653 case BUILT_IN_SYNC_FETCH_AND_AND_2:
654 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
655 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
656 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
657 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
658 case BUILT_IN_SYNC_OR_AND_FETCH_2:
659 case BUILT_IN_SYNC_AND_AND_FETCH_2:
660 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
661 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
662 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
663 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
664 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
665 case BUILT_IN_SYNC_LOCK_RELEASE_2:
666 case BUILT_IN_ATOMIC_EXCHANGE_2:
667 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
668 case BUILT_IN_ATOMIC_STORE_2:
669 case BUILT_IN_ATOMIC_ADD_FETCH_2:
670 case BUILT_IN_ATOMIC_SUB_FETCH_2:
671 case BUILT_IN_ATOMIC_AND_FETCH_2:
672 case BUILT_IN_ATOMIC_NAND_FETCH_2:
673 case BUILT_IN_ATOMIC_XOR_FETCH_2:
674 case BUILT_IN_ATOMIC_OR_FETCH_2:
675 case BUILT_IN_ATOMIC_FETCH_ADD_2:
676 case BUILT_IN_ATOMIC_FETCH_SUB_2:
677 case BUILT_IN_ATOMIC_FETCH_AND_2:
678 case BUILT_IN_ATOMIC_FETCH_NAND_2:
679 case BUILT_IN_ATOMIC_FETCH_XOR_2:
680 case BUILT_IN_ATOMIC_FETCH_OR_2:
681 access_size = 2;
682 goto do_atomic;
683
684 case BUILT_IN_ATOMIC_LOAD_4:
685 is_store = false;
686 /* FALLTHRU */
687 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
688 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
689 case BUILT_IN_SYNC_FETCH_AND_OR_4:
690 case BUILT_IN_SYNC_FETCH_AND_AND_4:
691 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
692 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
693 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
694 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
695 case BUILT_IN_SYNC_OR_AND_FETCH_4:
696 case BUILT_IN_SYNC_AND_AND_FETCH_4:
697 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
698 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
699 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
700 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
701 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
702 case BUILT_IN_SYNC_LOCK_RELEASE_4:
703 case BUILT_IN_ATOMIC_EXCHANGE_4:
704 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
705 case BUILT_IN_ATOMIC_STORE_4:
706 case BUILT_IN_ATOMIC_ADD_FETCH_4:
707 case BUILT_IN_ATOMIC_SUB_FETCH_4:
708 case BUILT_IN_ATOMIC_AND_FETCH_4:
709 case BUILT_IN_ATOMIC_NAND_FETCH_4:
710 case BUILT_IN_ATOMIC_XOR_FETCH_4:
711 case BUILT_IN_ATOMIC_OR_FETCH_4:
712 case BUILT_IN_ATOMIC_FETCH_ADD_4:
713 case BUILT_IN_ATOMIC_FETCH_SUB_4:
714 case BUILT_IN_ATOMIC_FETCH_AND_4:
715 case BUILT_IN_ATOMIC_FETCH_NAND_4:
716 case BUILT_IN_ATOMIC_FETCH_XOR_4:
717 case BUILT_IN_ATOMIC_FETCH_OR_4:
718 access_size = 4;
719 goto do_atomic;
720
721 case BUILT_IN_ATOMIC_LOAD_8:
722 is_store = false;
723 /* FALLTHRU */
724 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
725 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
726 case BUILT_IN_SYNC_FETCH_AND_OR_8:
727 case BUILT_IN_SYNC_FETCH_AND_AND_8:
728 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
729 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
730 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
731 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
732 case BUILT_IN_SYNC_OR_AND_FETCH_8:
733 case BUILT_IN_SYNC_AND_AND_FETCH_8:
734 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
735 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
736 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
737 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
738 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
739 case BUILT_IN_SYNC_LOCK_RELEASE_8:
740 case BUILT_IN_ATOMIC_EXCHANGE_8:
741 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
742 case BUILT_IN_ATOMIC_STORE_8:
743 case BUILT_IN_ATOMIC_ADD_FETCH_8:
744 case BUILT_IN_ATOMIC_SUB_FETCH_8:
745 case BUILT_IN_ATOMIC_AND_FETCH_8:
746 case BUILT_IN_ATOMIC_NAND_FETCH_8:
747 case BUILT_IN_ATOMIC_XOR_FETCH_8:
748 case BUILT_IN_ATOMIC_OR_FETCH_8:
749 case BUILT_IN_ATOMIC_FETCH_ADD_8:
750 case BUILT_IN_ATOMIC_FETCH_SUB_8:
751 case BUILT_IN_ATOMIC_FETCH_AND_8:
752 case BUILT_IN_ATOMIC_FETCH_NAND_8:
753 case BUILT_IN_ATOMIC_FETCH_XOR_8:
754 case BUILT_IN_ATOMIC_FETCH_OR_8:
755 access_size = 8;
756 goto do_atomic;
757
758 case BUILT_IN_ATOMIC_LOAD_16:
759 is_store = false;
760 /* FALLTHRU */
761 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
762 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
763 case BUILT_IN_SYNC_FETCH_AND_OR_16:
764 case BUILT_IN_SYNC_FETCH_AND_AND_16:
765 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
766 case BUILT_IN_SYNC_FETCH_AND_NAND_16:
767 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
768 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
769 case BUILT_IN_SYNC_OR_AND_FETCH_16:
770 case BUILT_IN_SYNC_AND_AND_FETCH_16:
771 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
772 case BUILT_IN_SYNC_NAND_AND_FETCH_16:
773 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
774 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
775 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
776 case BUILT_IN_SYNC_LOCK_RELEASE_16:
777 case BUILT_IN_ATOMIC_EXCHANGE_16:
778 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
779 case BUILT_IN_ATOMIC_STORE_16:
780 case BUILT_IN_ATOMIC_ADD_FETCH_16:
781 case BUILT_IN_ATOMIC_SUB_FETCH_16:
782 case BUILT_IN_ATOMIC_AND_FETCH_16:
783 case BUILT_IN_ATOMIC_NAND_FETCH_16:
784 case BUILT_IN_ATOMIC_XOR_FETCH_16:
785 case BUILT_IN_ATOMIC_OR_FETCH_16:
786 case BUILT_IN_ATOMIC_FETCH_ADD_16:
787 case BUILT_IN_ATOMIC_FETCH_SUB_16:
788 case BUILT_IN_ATOMIC_FETCH_AND_16:
789 case BUILT_IN_ATOMIC_FETCH_NAND_16:
790 case BUILT_IN_ATOMIC_FETCH_XOR_16:
791 case BUILT_IN_ATOMIC_FETCH_OR_16:
792 access_size = 16;
793 /* FALLTHRU */
794 do_atomic:
795 {
796 dest = gimple_call_arg (call, 0);
797 /* DEST represents the address of a memory location.
798 instrument_derefs wants the memory location, so lets
799 dereference the address DEST before handing it to
800 instrument_derefs. */
801 tree type = build_nonstandard_integer_type (access_size
802 * BITS_PER_UNIT, 1);
803 dest = build2 (MEM_REF, type, dest,
804 build_int_cst (build_pointer_type (char_type_node), 0));
805 break;
806 }
807
808 default:
809 /* The other builtins memory access are not instrumented in this
810 function because they either don't have any length parameter,
811 or their length parameter is just a limit. */
812 break;
813 }
814
815 if (len != NULL_TREE)
816 {
817 if (source0 != NULL_TREE)
818 {
819 src0->start = source0;
820 src0->access_size = access_size;
821 *src0_len = len;
822 *src0_is_store = false;
823 }
824
825 if (source1 != NULL_TREE)
826 {
827 src1->start = source1;
828 src1->access_size = access_size;
829 *src1_len = len;
830 *src1_is_store = false;
831 }
832
833 if (dest != NULL_TREE)
834 {
835 dst->start = dest;
836 dst->access_size = access_size;
837 *dst_len = len;
838 *dst_is_store = true;
839 }
840
841 got_reference_p = true;
842 }
843 else if (dest)
844 {
845 dst->start = dest;
846 dst->access_size = access_size;
847 *dst_len = NULL_TREE;
848 *dst_is_store = is_store;
849 *dest_is_deref = true;
850 got_reference_p = true;
851 }
852
853 return got_reference_p;
854 }
855
856 /* Return true iff a given gimple statement has been instrumented.
857 Note that the statement is "defined" by the memory references it
858 contains. */
859
860 static bool
861 has_stmt_been_instrumented_p (gimple *stmt)
862 {
863 if (gimple_assign_single_p (stmt))
864 {
865 bool r_is_store;
866 asan_mem_ref r;
867 asan_mem_ref_init (&r, NULL, 1);
868
869 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
870 &r_is_store))
871 return has_mem_ref_been_instrumented (&r);
872 }
873 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
874 {
875 asan_mem_ref src0, src1, dest;
876 asan_mem_ref_init (&src0, NULL, 1);
877 asan_mem_ref_init (&src1, NULL, 1);
878 asan_mem_ref_init (&dest, NULL, 1);
879
880 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
881 bool src0_is_store = false, src1_is_store = false,
882 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
883 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
884 &src0, &src0_len, &src0_is_store,
885 &src1, &src1_len, &src1_is_store,
886 &dest, &dest_len, &dest_is_store,
887 &dest_is_deref, &intercepted_p))
888 {
889 if (src0.start != NULL_TREE
890 && !has_mem_ref_been_instrumented (&src0, src0_len))
891 return false;
892
893 if (src1.start != NULL_TREE
894 && !has_mem_ref_been_instrumented (&src1, src1_len))
895 return false;
896
897 if (dest.start != NULL_TREE
898 && !has_mem_ref_been_instrumented (&dest, dest_len))
899 return false;
900
901 return true;
902 }
903 }
904 else if (is_gimple_call (stmt) && gimple_store_p (stmt))
905 {
906 asan_mem_ref r;
907 asan_mem_ref_init (&r, NULL, 1);
908
909 r.start = gimple_call_lhs (stmt);
910 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
911 return has_mem_ref_been_instrumented (&r);
912 }
913
914 return false;
915 }
916
917 /* Insert a memory reference into the hash table. */
918
919 static void
920 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
921 {
922 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
923
924 asan_mem_ref r;
925 asan_mem_ref_init (&r, ref, access_size);
926
927 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
928 if (*slot == NULL || (*slot)->access_size < access_size)
929 *slot = asan_mem_ref_new (ref, access_size);
930 }
931
932 /* Initialize shadow_ptr_types array. */
933
934 static void
935 asan_init_shadow_ptr_types (void)
936 {
937 asan_shadow_set = new_alias_set ();
938 tree types[3] = { signed_char_type_node, short_integer_type_node,
939 integer_type_node };
940
941 for (unsigned i = 0; i < 3; i++)
942 {
943 shadow_ptr_types[i] = build_distinct_type_copy (types[i]);
944 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set;
945 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]);
946 }
947
948 initialize_sanitizer_builtins ();
949 }
950
951 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
952
953 static tree
954 asan_pp_string (pretty_printer *pp)
955 {
956 const char *buf = pp_formatted_text (pp);
957 size_t len = strlen (buf);
958 tree ret = build_string (len + 1, buf);
959 TREE_TYPE (ret)
960 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
961 build_index_type (size_int (len)));
962 TREE_READONLY (ret) = 1;
963 TREE_STATIC (ret) = 1;
964 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
965 }
966
967 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
968
969 static rtx
970 asan_shadow_cst (unsigned char shadow_bytes[4])
971 {
972 int i;
973 unsigned HOST_WIDE_INT val = 0;
974 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
975 for (i = 0; i < 4; i++)
976 val |= (unsigned HOST_WIDE_INT) shadow_bytes[BYTES_BIG_ENDIAN ? 3 - i : i]
977 << (BITS_PER_UNIT * i);
978 return gen_int_mode (val, SImode);
979 }
980
981 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
982 though. */
983
984 static void
985 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
986 {
987 rtx_insn *insn, *insns, *jump;
988 rtx_code_label *top_label;
989 rtx end, addr, tmp;
990
991 start_sequence ();
992 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
993 insns = get_insns ();
994 end_sequence ();
995 for (insn = insns; insn; insn = NEXT_INSN (insn))
996 if (CALL_P (insn))
997 break;
998 if (insn == NULL_RTX)
999 {
1000 emit_insn (insns);
1001 return;
1002 }
1003
1004 gcc_assert ((len & 3) == 0);
1005 top_label = gen_label_rtx ();
1006 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
1007 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1008 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1009 emit_label (top_label);
1010
1011 emit_move_insn (shadow_mem, const0_rtx);
1012 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
1013 true, OPTAB_LIB_WIDEN);
1014 if (tmp != addr)
1015 emit_move_insn (addr, tmp);
1016 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1017 jump = get_last_insn ();
1018 gcc_assert (JUMP_P (jump));
1019 add_int_reg_note (jump, REG_BR_PROB, REG_BR_PROB_BASE * 80 / 100);
1020 }
1021
1022 void
1023 asan_function_start (void)
1024 {
1025 section *fnsec = function_section (current_function_decl);
1026 switch_to_section (fnsec);
1027 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
1028 current_function_funcdef_no);
1029 }
1030
1031 /* Return number of shadow bytes that are occupied by a local variable
1032 of SIZE bytes. */
1033
1034 static unsigned HOST_WIDE_INT
1035 shadow_mem_size (unsigned HOST_WIDE_INT size)
1036 {
1037 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY;
1038 }
1039
1040 /* Insert code to protect stack vars. The prologue sequence should be emitted
1041 directly, epilogue sequence returned. BASE is the register holding the
1042 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1043 array contains pairs of offsets in reverse order, always the end offset
1044 of some gap that needs protection followed by starting offset,
1045 and DECLS is an array of representative decls for each var partition.
1046 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1047 elements long (OFFSETS include gap before the first variable as well
1048 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1049 register which stack vars DECL_RTLs are based on. Either BASE should be
1050 assigned to PBASE, when not doing use after return protection, or
1051 corresponding address based on __asan_stack_malloc* return value. */
1052
1053 rtx_insn *
1054 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1055 HOST_WIDE_INT *offsets, tree *decls, int length)
1056 {
1057 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1058 rtx_code_label *lab;
1059 rtx_insn *insns;
1060 char buf[32];
1061 unsigned char shadow_bytes[4];
1062 HOST_WIDE_INT base_offset = offsets[length - 1];
1063 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1064 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
1065 HOST_WIDE_INT last_offset;
1066 int l;
1067 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
1068 tree str_cst, decl, id;
1069 int use_after_return_class = -1;
1070
1071 if (shadow_ptr_types[0] == NULL_TREE)
1072 asan_init_shadow_ptr_types ();
1073
1074 /* First of all, prepare the description string. */
1075 pretty_printer asan_pp;
1076
1077 pp_decimal_int (&asan_pp, length / 2 - 1);
1078 pp_space (&asan_pp);
1079 for (l = length - 2; l; l -= 2)
1080 {
1081 tree decl = decls[l / 2 - 1];
1082 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1083 pp_space (&asan_pp);
1084 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1085 pp_space (&asan_pp);
1086 if (DECL_P (decl) && DECL_NAME (decl))
1087 {
1088 pp_decimal_int (&asan_pp, IDENTIFIER_LENGTH (DECL_NAME (decl)));
1089 pp_space (&asan_pp);
1090 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
1091 }
1092 else
1093 pp_string (&asan_pp, "9 <unknown>");
1094 pp_space (&asan_pp);
1095 }
1096 str_cst = asan_pp_string (&asan_pp);
1097
1098 /* Emit the prologue sequence. */
1099 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1100 && ASAN_USE_AFTER_RETURN)
1101 {
1102 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1103 /* __asan_stack_malloc_N guarantees alignment
1104 N < 6 ? (64 << N) : 4096 bytes. */
1105 if (alignb > (use_after_return_class < 6
1106 ? (64U << use_after_return_class) : 4096U))
1107 use_after_return_class = -1;
1108 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1109 base_align_bias = ((asan_frame_size + alignb - 1)
1110 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1111 }
1112 /* Align base if target is STRICT_ALIGNMENT. */
1113 if (STRICT_ALIGNMENT)
1114 base = expand_binop (Pmode, and_optab, base,
1115 gen_int_mode (-((GET_MODE_ALIGNMENT (SImode)
1116 << ASAN_SHADOW_SHIFT)
1117 / BITS_PER_UNIT), Pmode), NULL_RTX,
1118 1, OPTAB_DIRECT);
1119
1120 if (use_after_return_class == -1 && pbase)
1121 emit_move_insn (pbase, base);
1122
1123 base = expand_binop (Pmode, add_optab, base,
1124 gen_int_mode (base_offset - base_align_bias, Pmode),
1125 NULL_RTX, 1, OPTAB_DIRECT);
1126 orig_base = NULL_RTX;
1127 if (use_after_return_class != -1)
1128 {
1129 if (asan_detect_stack_use_after_return == NULL_TREE)
1130 {
1131 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1132 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1133 integer_type_node);
1134 SET_DECL_ASSEMBLER_NAME (decl, id);
1135 TREE_ADDRESSABLE (decl) = 1;
1136 DECL_ARTIFICIAL (decl) = 1;
1137 DECL_IGNORED_P (decl) = 1;
1138 DECL_EXTERNAL (decl) = 1;
1139 TREE_STATIC (decl) = 1;
1140 TREE_PUBLIC (decl) = 1;
1141 TREE_USED (decl) = 1;
1142 asan_detect_stack_use_after_return = decl;
1143 }
1144 orig_base = gen_reg_rtx (Pmode);
1145 emit_move_insn (orig_base, base);
1146 ret = expand_normal (asan_detect_stack_use_after_return);
1147 lab = gen_label_rtx ();
1148 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1149 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1150 VOIDmode, 0, lab, very_likely);
1151 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1152 use_after_return_class);
1153 ret = init_one_libfunc (buf);
1154 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode, 1,
1155 GEN_INT (asan_frame_size
1156 + base_align_bias),
1157 TYPE_MODE (pointer_sized_int_node));
1158 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1159 and NULL otherwise. Check RET value is NULL here and jump over the
1160 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1161 int very_unlikely = REG_BR_PROB_BASE / 2000 - 1;
1162 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1163 VOIDmode, 0, lab, very_unlikely);
1164 ret = convert_memory_address (Pmode, ret);
1165 emit_move_insn (base, ret);
1166 emit_label (lab);
1167 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1168 gen_int_mode (base_align_bias
1169 - base_offset, Pmode),
1170 NULL_RTX, 1, OPTAB_DIRECT));
1171 }
1172 mem = gen_rtx_MEM (ptr_mode, base);
1173 mem = adjust_address (mem, VOIDmode, base_align_bias);
1174 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1175 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1176 emit_move_insn (mem, expand_normal (str_cst));
1177 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1178 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1179 id = get_identifier (buf);
1180 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1181 VAR_DECL, id, char_type_node);
1182 SET_DECL_ASSEMBLER_NAME (decl, id);
1183 TREE_ADDRESSABLE (decl) = 1;
1184 TREE_READONLY (decl) = 1;
1185 DECL_ARTIFICIAL (decl) = 1;
1186 DECL_IGNORED_P (decl) = 1;
1187 TREE_STATIC (decl) = 1;
1188 TREE_PUBLIC (decl) = 0;
1189 TREE_USED (decl) = 1;
1190 DECL_INITIAL (decl) = decl;
1191 TREE_ASM_WRITTEN (decl) = 1;
1192 TREE_ASM_WRITTEN (id) = 1;
1193 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
1194 shadow_base = expand_binop (Pmode, lshr_optab, base,
1195 GEN_INT (ASAN_SHADOW_SHIFT),
1196 NULL_RTX, 1, OPTAB_DIRECT);
1197 shadow_base
1198 = plus_constant (Pmode, shadow_base,
1199 asan_shadow_offset ()
1200 + (base_align_bias >> ASAN_SHADOW_SHIFT));
1201 gcc_assert (asan_shadow_set != -1
1202 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1203 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1204 set_mem_alias_set (shadow_mem, asan_shadow_set);
1205 if (STRICT_ALIGNMENT)
1206 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1207 prev_offset = base_offset;
1208 for (l = length; l; l -= 2)
1209 {
1210 if (l == 2)
1211 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1212 offset = offsets[l - 1];
1213 if ((offset - base_offset) & (ASAN_RED_ZONE_SIZE - 1))
1214 {
1215 int i;
1216 HOST_WIDE_INT aoff
1217 = base_offset + ((offset - base_offset)
1218 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1219 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1220 (aoff - prev_offset)
1221 >> ASAN_SHADOW_SHIFT);
1222 prev_offset = aoff;
1223 for (i = 0; i < 4; i++, aoff += ASAN_SHADOW_GRANULARITY)
1224 if (aoff < offset)
1225 {
1226 if (aoff < offset - (HOST_WIDE_INT)ASAN_SHADOW_GRANULARITY + 1)
1227 shadow_bytes[i] = 0;
1228 else
1229 shadow_bytes[i] = offset - aoff;
1230 }
1231 else
1232 shadow_bytes[i] = ASAN_STACK_MAGIC_MIDDLE;
1233 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1234 offset = aoff;
1235 }
1236 while (offset <= offsets[l - 2] - ASAN_RED_ZONE_SIZE)
1237 {
1238 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1239 (offset - prev_offset)
1240 >> ASAN_SHADOW_SHIFT);
1241 prev_offset = offset;
1242 memset (shadow_bytes, cur_shadow_byte, 4);
1243 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1244 offset += ASAN_RED_ZONE_SIZE;
1245 }
1246 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1247 }
1248 do_pending_stack_adjust ();
1249
1250 /* Construct epilogue sequence. */
1251 start_sequence ();
1252
1253 lab = NULL;
1254 if (use_after_return_class != -1)
1255 {
1256 rtx_code_label *lab2 = gen_label_rtx ();
1257 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
1258 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1259 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
1260 VOIDmode, 0, lab2, very_likely);
1261 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1262 set_mem_alias_set (shadow_mem, asan_shadow_set);
1263 mem = gen_rtx_MEM (ptr_mode, base);
1264 mem = adjust_address (mem, VOIDmode, base_align_bias);
1265 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
1266 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
1267 if (use_after_return_class < 5
1268 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
1269 BITS_PER_UNIT, true))
1270 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
1271 BITS_PER_UNIT, true, 0);
1272 else if (use_after_return_class >= 5
1273 || !set_storage_via_setmem (shadow_mem,
1274 GEN_INT (sz),
1275 gen_int_mode (c, QImode),
1276 BITS_PER_UNIT, BITS_PER_UNIT,
1277 -1, sz, sz, sz))
1278 {
1279 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
1280 use_after_return_class);
1281 ret = init_one_libfunc (buf);
1282 rtx addr = convert_memory_address (ptr_mode, base);
1283 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
1284 emit_library_call (ret, LCT_NORMAL, ptr_mode, 3, addr, ptr_mode,
1285 GEN_INT (asan_frame_size + base_align_bias),
1286 TYPE_MODE (pointer_sized_int_node),
1287 orig_addr, ptr_mode);
1288 }
1289 lab = gen_label_rtx ();
1290 emit_jump (lab);
1291 emit_label (lab2);
1292 }
1293
1294 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1295 set_mem_alias_set (shadow_mem, asan_shadow_set);
1296
1297 if (STRICT_ALIGNMENT)
1298 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1299
1300 /* Unpoison shadow memory of a stack at the very end of a function.
1301 As we're poisoning stack variables at the end of their scope,
1302 shadow memory must be properly unpoisoned here. The easiest approach
1303 would be to collect all variables that should not be unpoisoned and
1304 we unpoison shadow memory of the whole stack except ranges
1305 occupied by these variables. */
1306 last_offset = base_offset;
1307 HOST_WIDE_INT current_offset = last_offset;
1308 if (length)
1309 {
1310 HOST_WIDE_INT var_end_offset = 0;
1311 HOST_WIDE_INT stack_start = offsets[length - 1];
1312 gcc_assert (last_offset == stack_start);
1313
1314 for (int l = length - 2; l > 0; l -= 2)
1315 {
1316 HOST_WIDE_INT var_offset = offsets[l];
1317 current_offset = var_offset;
1318 var_end_offset = offsets[l - 1];
1319 HOST_WIDE_INT rounded_size = ROUND_UP (var_end_offset - var_offset,
1320 BITS_PER_UNIT);
1321
1322 /* Should we unpoison the variable? */
1323 if (asan_handled_variables != NULL
1324 && asan_handled_variables->contains (decl))
1325 {
1326 if (dump_file && (dump_flags & TDF_DETAILS))
1327 {
1328 const char *n = (DECL_NAME (decl)
1329 ? IDENTIFIER_POINTER (DECL_NAME (decl))
1330 : "<unknown>");
1331 fprintf (dump_file, "Unpoisoning shadow stack for variable: "
1332 "%s (%" PRId64 "B)\n", n,
1333 var_end_offset - var_offset);
1334 }
1335
1336 unsigned HOST_WIDE_INT s
1337 = shadow_mem_size (current_offset - last_offset);
1338 asan_clear_shadow (shadow_mem, s);
1339 HOST_WIDE_INT shift
1340 = shadow_mem_size (current_offset - last_offset + rounded_size);
1341 shadow_mem = adjust_address (shadow_mem, VOIDmode, shift);
1342 last_offset = var_offset + rounded_size;
1343 current_offset = last_offset;
1344 }
1345
1346 }
1347
1348 /* Handle last redzone. */
1349 current_offset = offsets[0];
1350 asan_clear_shadow (shadow_mem,
1351 shadow_mem_size (current_offset - last_offset));
1352 }
1353
1354 /* Clean-up set with instrumented stack variables. */
1355 delete asan_handled_variables;
1356 asan_handled_variables = NULL;
1357 delete asan_used_labels;
1358 asan_used_labels = NULL;
1359
1360 do_pending_stack_adjust ();
1361 if (lab)
1362 emit_label (lab);
1363
1364 insns = get_insns ();
1365 end_sequence ();
1366 return insns;
1367 }
1368
1369 /* Return true if DECL, a global var, might be overridden and needs
1370 therefore a local alias. */
1371
1372 static bool
1373 asan_needs_local_alias (tree decl)
1374 {
1375 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
1376 }
1377
1378 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
1379 therefore doesn't need protection. */
1380
1381 static bool
1382 is_odr_indicator (tree decl)
1383 {
1384 return (DECL_ARTIFICIAL (decl)
1385 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl)));
1386 }
1387
1388 /* Return true if DECL is a VAR_DECL that should be protected
1389 by Address Sanitizer, by appending a red zone with protected
1390 shadow memory after it and aligning it to at least
1391 ASAN_RED_ZONE_SIZE bytes. */
1392
1393 bool
1394 asan_protect_global (tree decl)
1395 {
1396 if (!ASAN_GLOBALS)
1397 return false;
1398
1399 rtx rtl, symbol;
1400
1401 if (TREE_CODE (decl) == STRING_CST)
1402 {
1403 /* Instrument all STRING_CSTs except those created
1404 by asan_pp_string here. */
1405 if (shadow_ptr_types[0] != NULL_TREE
1406 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
1407 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
1408 return false;
1409 return true;
1410 }
1411 if (!VAR_P (decl)
1412 /* TLS vars aren't statically protectable. */
1413 || DECL_THREAD_LOCAL_P (decl)
1414 /* Externs will be protected elsewhere. */
1415 || DECL_EXTERNAL (decl)
1416 || !DECL_RTL_SET_P (decl)
1417 /* Comdat vars pose an ABI problem, we can't know if
1418 the var that is selected by the linker will have
1419 padding or not. */
1420 || DECL_ONE_ONLY (decl)
1421 /* Similarly for common vars. People can use -fno-common.
1422 Note: Linux kernel is built with -fno-common, so we do instrument
1423 globals there even if it is C. */
1424 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
1425 /* Don't protect if using user section, often vars placed
1426 into user section from multiple TUs are then assumed
1427 to be an array of such vars, putting padding in there
1428 breaks this assumption. */
1429 || (DECL_SECTION_NAME (decl) != NULL
1430 && !symtab_node::get (decl)->implicit_section
1431 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
1432 || DECL_SIZE (decl) == 0
1433 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
1434 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
1435 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
1436 || TREE_TYPE (decl) == ubsan_get_source_location_type ()
1437 || is_odr_indicator (decl))
1438 return false;
1439
1440 rtl = DECL_RTL (decl);
1441 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
1442 return false;
1443 symbol = XEXP (rtl, 0);
1444
1445 if (CONSTANT_POOL_ADDRESS_P (symbol)
1446 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
1447 return false;
1448
1449 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
1450 return false;
1451
1452 #ifndef ASM_OUTPUT_DEF
1453 if (asan_needs_local_alias (decl))
1454 return false;
1455 #endif
1456
1457 return true;
1458 }
1459
1460 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
1461 IS_STORE is either 1 (for a store) or 0 (for a load). */
1462
1463 static tree
1464 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1465 int *nargs)
1466 {
1467 static enum built_in_function report[2][2][6]
1468 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
1469 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
1470 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
1471 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
1472 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
1473 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
1474 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
1475 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
1476 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
1477 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
1478 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
1479 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
1480 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
1481 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
1482 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
1483 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
1484 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
1485 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
1486 if (size_in_bytes == -1)
1487 {
1488 *nargs = 2;
1489 return builtin_decl_implicit (report[recover_p][is_store][5]);
1490 }
1491 *nargs = 1;
1492 int size_log2 = exact_log2 (size_in_bytes);
1493 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
1494 }
1495
1496 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
1497 IS_STORE is either 1 (for a store) or 0 (for a load). */
1498
1499 static tree
1500 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1501 int *nargs)
1502 {
1503 static enum built_in_function check[2][2][6]
1504 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
1505 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
1506 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
1507 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
1508 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
1509 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
1510 { { BUILT_IN_ASAN_LOAD1_NOABORT,
1511 BUILT_IN_ASAN_LOAD2_NOABORT,
1512 BUILT_IN_ASAN_LOAD4_NOABORT,
1513 BUILT_IN_ASAN_LOAD8_NOABORT,
1514 BUILT_IN_ASAN_LOAD16_NOABORT,
1515 BUILT_IN_ASAN_LOADN_NOABORT },
1516 { BUILT_IN_ASAN_STORE1_NOABORT,
1517 BUILT_IN_ASAN_STORE2_NOABORT,
1518 BUILT_IN_ASAN_STORE4_NOABORT,
1519 BUILT_IN_ASAN_STORE8_NOABORT,
1520 BUILT_IN_ASAN_STORE16_NOABORT,
1521 BUILT_IN_ASAN_STOREN_NOABORT } } };
1522 if (size_in_bytes == -1)
1523 {
1524 *nargs = 2;
1525 return builtin_decl_implicit (check[recover_p][is_store][5]);
1526 }
1527 *nargs = 1;
1528 int size_log2 = exact_log2 (size_in_bytes);
1529 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
1530 }
1531
1532 /* Split the current basic block and create a condition statement
1533 insertion point right before or after the statement pointed to by
1534 ITER. Return an iterator to the point at which the caller might
1535 safely insert the condition statement.
1536
1537 THEN_BLOCK must be set to the address of an uninitialized instance
1538 of basic_block. The function will then set *THEN_BLOCK to the
1539 'then block' of the condition statement to be inserted by the
1540 caller.
1541
1542 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1543 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1544
1545 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1546 block' of the condition statement to be inserted by the caller.
1547
1548 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1549 statements starting from *ITER, and *THEN_BLOCK is a new empty
1550 block.
1551
1552 *ITER is adjusted to point to always point to the first statement
1553 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1554 same as what ITER was pointing to prior to calling this function,
1555 if BEFORE_P is true; otherwise, it is its following statement. */
1556
1557 gimple_stmt_iterator
1558 create_cond_insert_point (gimple_stmt_iterator *iter,
1559 bool before_p,
1560 bool then_more_likely_p,
1561 bool create_then_fallthru_edge,
1562 basic_block *then_block,
1563 basic_block *fallthrough_block)
1564 {
1565 gimple_stmt_iterator gsi = *iter;
1566
1567 if (!gsi_end_p (gsi) && before_p)
1568 gsi_prev (&gsi);
1569
1570 basic_block cur_bb = gsi_bb (*iter);
1571
1572 edge e = split_block (cur_bb, gsi_stmt (gsi));
1573
1574 /* Get a hold on the 'condition block', the 'then block' and the
1575 'else block'. */
1576 basic_block cond_bb = e->src;
1577 basic_block fallthru_bb = e->dest;
1578 basic_block then_bb = create_empty_bb (cond_bb);
1579 if (current_loops)
1580 {
1581 add_bb_to_loop (then_bb, cond_bb->loop_father);
1582 loops_state_set (LOOPS_NEED_FIXUP);
1583 }
1584
1585 /* Set up the newly created 'then block'. */
1586 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1587 int fallthrough_probability
1588 = then_more_likely_p
1589 ? PROB_VERY_UNLIKELY
1590 : PROB_ALWAYS - PROB_VERY_UNLIKELY;
1591 e->probability = PROB_ALWAYS - fallthrough_probability;
1592 if (create_then_fallthru_edge)
1593 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1594
1595 /* Set up the fallthrough basic block. */
1596 e = find_edge (cond_bb, fallthru_bb);
1597 e->flags = EDGE_FALSE_VALUE;
1598 e->count = cond_bb->count;
1599 e->probability = fallthrough_probability;
1600
1601 /* Update dominance info for the newly created then_bb; note that
1602 fallthru_bb's dominance info has already been updated by
1603 split_bock. */
1604 if (dom_info_available_p (CDI_DOMINATORS))
1605 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1606
1607 *then_block = then_bb;
1608 *fallthrough_block = fallthru_bb;
1609 *iter = gsi_start_bb (fallthru_bb);
1610
1611 return gsi_last_bb (cond_bb);
1612 }
1613
1614 /* Insert an if condition followed by a 'then block' right before the
1615 statement pointed to by ITER. The fallthrough block -- which is the
1616 else block of the condition as well as the destination of the
1617 outcoming edge of the 'then block' -- starts with the statement
1618 pointed to by ITER.
1619
1620 COND is the condition of the if.
1621
1622 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1623 'then block' is higher than the probability of the edge to the
1624 fallthrough block.
1625
1626 Upon completion of the function, *THEN_BB is set to the newly
1627 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1628 fallthrough block.
1629
1630 *ITER is adjusted to still point to the same statement it was
1631 pointing to initially. */
1632
1633 static void
1634 insert_if_then_before_iter (gcond *cond,
1635 gimple_stmt_iterator *iter,
1636 bool then_more_likely_p,
1637 basic_block *then_bb,
1638 basic_block *fallthrough_bb)
1639 {
1640 gimple_stmt_iterator cond_insert_point =
1641 create_cond_insert_point (iter,
1642 /*before_p=*/true,
1643 then_more_likely_p,
1644 /*create_then_fallthru_edge=*/true,
1645 then_bb,
1646 fallthrough_bb);
1647 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
1648 }
1649
1650 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
1651 If RETURN_ADDRESS is set to true, return memory location instread
1652 of a value in the shadow memory. */
1653
1654 static tree
1655 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
1656 tree base_addr, tree shadow_ptr_type,
1657 bool return_address = false)
1658 {
1659 tree t, uintptr_type = TREE_TYPE (base_addr);
1660 tree shadow_type = TREE_TYPE (shadow_ptr_type);
1661 gimple *g;
1662
1663 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
1664 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
1665 base_addr, t);
1666 gimple_set_location (g, location);
1667 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1668
1669 t = build_int_cst (uintptr_type, asan_shadow_offset ());
1670 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
1671 gimple_assign_lhs (g), t);
1672 gimple_set_location (g, location);
1673 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1674
1675 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
1676 gimple_assign_lhs (g));
1677 gimple_set_location (g, location);
1678 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1679
1680 if (!return_address)
1681 {
1682 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
1683 build_int_cst (shadow_ptr_type, 0));
1684 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
1685 gimple_set_location (g, location);
1686 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1687 }
1688
1689 return gimple_assign_lhs (g);
1690 }
1691
1692 /* BASE can already be an SSA_NAME; in that case, do not create a
1693 new SSA_NAME for it. */
1694
1695 static tree
1696 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
1697 bool before_p)
1698 {
1699 if (TREE_CODE (base) == SSA_NAME)
1700 return base;
1701 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)),
1702 TREE_CODE (base), base);
1703 gimple_set_location (g, loc);
1704 if (before_p)
1705 gsi_insert_before (iter, g, GSI_SAME_STMT);
1706 else
1707 gsi_insert_after (iter, g, GSI_NEW_STMT);
1708 return gimple_assign_lhs (g);
1709 }
1710
1711 /* LEN can already have necessary size and precision;
1712 in that case, do not create a new variable. */
1713
1714 tree
1715 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
1716 bool before_p)
1717 {
1718 if (ptrofftype_p (len))
1719 return len;
1720 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
1721 NOP_EXPR, len);
1722 gimple_set_location (g, loc);
1723 if (before_p)
1724 gsi_insert_before (iter, g, GSI_SAME_STMT);
1725 else
1726 gsi_insert_after (iter, g, GSI_NEW_STMT);
1727 return gimple_assign_lhs (g);
1728 }
1729
1730 /* Instrument the memory access instruction BASE. Insert new
1731 statements before or after ITER.
1732
1733 Note that the memory access represented by BASE can be either an
1734 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1735 location. IS_STORE is TRUE for a store, FALSE for a load.
1736 BEFORE_P is TRUE for inserting the instrumentation code before
1737 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
1738 for a scalar memory access and FALSE for memory region access.
1739 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
1740 length. ALIGN tells alignment of accessed memory object.
1741
1742 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
1743 memory region have already been instrumented.
1744
1745 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1746 statement it was pointing to prior to calling this function,
1747 otherwise, it points to the statement logically following it. */
1748
1749 static void
1750 build_check_stmt (location_t loc, tree base, tree len,
1751 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
1752 bool is_non_zero_len, bool before_p, bool is_store,
1753 bool is_scalar_access, unsigned int align = 0)
1754 {
1755 gimple_stmt_iterator gsi = *iter;
1756 gimple *g;
1757
1758 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
1759
1760 gsi = *iter;
1761
1762 base = unshare_expr (base);
1763 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
1764
1765 if (len)
1766 {
1767 len = unshare_expr (len);
1768 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
1769 }
1770 else
1771 {
1772 gcc_assert (size_in_bytes != -1);
1773 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
1774 }
1775
1776 if (size_in_bytes > 1)
1777 {
1778 if ((size_in_bytes & (size_in_bytes - 1)) != 0
1779 || size_in_bytes > 16)
1780 is_scalar_access = false;
1781 else if (align && align < size_in_bytes * BITS_PER_UNIT)
1782 {
1783 /* On non-strict alignment targets, if
1784 16-byte access is just 8-byte aligned,
1785 this will result in misaligned shadow
1786 memory 2 byte load, but otherwise can
1787 be handled using one read. */
1788 if (size_in_bytes != 16
1789 || STRICT_ALIGNMENT
1790 || align < 8 * BITS_PER_UNIT)
1791 is_scalar_access = false;
1792 }
1793 }
1794
1795 HOST_WIDE_INT flags = 0;
1796 if (is_store)
1797 flags |= ASAN_CHECK_STORE;
1798 if (is_non_zero_len)
1799 flags |= ASAN_CHECK_NON_ZERO_LEN;
1800 if (is_scalar_access)
1801 flags |= ASAN_CHECK_SCALAR_ACCESS;
1802
1803 g = gimple_build_call_internal (IFN_ASAN_CHECK, 4,
1804 build_int_cst (integer_type_node, flags),
1805 base, len,
1806 build_int_cst (integer_type_node,
1807 align / BITS_PER_UNIT));
1808 gimple_set_location (g, loc);
1809 if (before_p)
1810 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
1811 else
1812 {
1813 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1814 gsi_next (&gsi);
1815 *iter = gsi;
1816 }
1817 }
1818
1819 /* If T represents a memory access, add instrumentation code before ITER.
1820 LOCATION is source code location.
1821 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
1822
1823 static void
1824 instrument_derefs (gimple_stmt_iterator *iter, tree t,
1825 location_t location, bool is_store)
1826 {
1827 if (is_store && !ASAN_INSTRUMENT_WRITES)
1828 return;
1829 if (!is_store && !ASAN_INSTRUMENT_READS)
1830 return;
1831
1832 tree type, base;
1833 HOST_WIDE_INT size_in_bytes;
1834 if (location == UNKNOWN_LOCATION)
1835 location = EXPR_LOCATION (t);
1836
1837 type = TREE_TYPE (t);
1838 switch (TREE_CODE (t))
1839 {
1840 case ARRAY_REF:
1841 case COMPONENT_REF:
1842 case INDIRECT_REF:
1843 case MEM_REF:
1844 case VAR_DECL:
1845 case BIT_FIELD_REF:
1846 break;
1847 /* FALLTHRU */
1848 default:
1849 return;
1850 }
1851
1852 size_in_bytes = int_size_in_bytes (type);
1853 if (size_in_bytes <= 0)
1854 return;
1855
1856 HOST_WIDE_INT bitsize, bitpos;
1857 tree offset;
1858 machine_mode mode;
1859 int unsignedp, reversep, volatilep = 0;
1860 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
1861 &unsignedp, &reversep, &volatilep);
1862
1863 if (TREE_CODE (t) == COMPONENT_REF
1864 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
1865 {
1866 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
1867 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
1868 TREE_OPERAND (t, 0), repr,
1869 TREE_OPERAND (t, 2)),
1870 location, is_store);
1871 return;
1872 }
1873
1874 if (bitpos % BITS_PER_UNIT
1875 || bitsize != size_in_bytes * BITS_PER_UNIT)
1876 return;
1877
1878 if (VAR_P (inner) && DECL_HARD_REGISTER (inner))
1879 return;
1880
1881 if (VAR_P (inner)
1882 && offset == NULL_TREE
1883 && bitpos >= 0
1884 && DECL_SIZE (inner)
1885 && tree_fits_shwi_p (DECL_SIZE (inner))
1886 && bitpos + bitsize <= tree_to_shwi (DECL_SIZE (inner)))
1887 {
1888 if (DECL_THREAD_LOCAL_P (inner))
1889 return;
1890 if (!ASAN_GLOBALS && is_global_var (inner))
1891 return;
1892 if (!TREE_STATIC (inner))
1893 {
1894 /* Automatic vars in the current function will be always
1895 accessible. */
1896 if (decl_function_context (inner) == current_function_decl
1897 && (!asan_sanitize_use_after_scope ()
1898 || !TREE_ADDRESSABLE (inner)))
1899 return;
1900 }
1901 /* Always instrument external vars, they might be dynamically
1902 initialized. */
1903 else if (!DECL_EXTERNAL (inner))
1904 {
1905 /* For static vars if they are known not to be dynamically
1906 initialized, they will be always accessible. */
1907 varpool_node *vnode = varpool_node::get (inner);
1908 if (vnode && !vnode->dynamically_initialized)
1909 return;
1910 }
1911 }
1912
1913 base = build_fold_addr_expr (t);
1914 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
1915 {
1916 unsigned int align = get_object_alignment (t);
1917 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
1918 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
1919 is_store, /*is_scalar_access*/true, align);
1920 update_mem_ref_hash_table (base, size_in_bytes);
1921 update_mem_ref_hash_table (t, size_in_bytes);
1922 }
1923
1924 }
1925
1926 /* Insert a memory reference into the hash table if access length
1927 can be determined in compile time. */
1928
1929 static void
1930 maybe_update_mem_ref_hash_table (tree base, tree len)
1931 {
1932 if (!POINTER_TYPE_P (TREE_TYPE (base))
1933 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
1934 return;
1935
1936 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
1937
1938 if (size_in_bytes != -1)
1939 update_mem_ref_hash_table (base, size_in_bytes);
1940 }
1941
1942 /* Instrument an access to a contiguous memory region that starts at
1943 the address pointed to by BASE, over a length of LEN (expressed in
1944 the sizeof (*BASE) bytes). ITER points to the instruction before
1945 which the instrumentation instructions must be inserted. LOCATION
1946 is the source location that the instrumentation instructions must
1947 have. If IS_STORE is true, then the memory access is a store;
1948 otherwise, it's a load. */
1949
1950 static void
1951 instrument_mem_region_access (tree base, tree len,
1952 gimple_stmt_iterator *iter,
1953 location_t location, bool is_store)
1954 {
1955 if (!POINTER_TYPE_P (TREE_TYPE (base))
1956 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
1957 || integer_zerop (len))
1958 return;
1959
1960 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
1961
1962 if ((size_in_bytes == -1)
1963 || !has_mem_ref_been_instrumented (base, size_in_bytes))
1964 {
1965 build_check_stmt (location, base, len, size_in_bytes, iter,
1966 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
1967 is_store, /*is_scalar_access*/false, /*align*/0);
1968 }
1969
1970 maybe_update_mem_ref_hash_table (base, len);
1971 *iter = gsi_for_stmt (gsi_stmt (*iter));
1972 }
1973
1974 /* Instrument the call to a built-in memory access function that is
1975 pointed to by the iterator ITER.
1976
1977 Upon completion, return TRUE iff *ITER has been advanced to the
1978 statement following the one it was originally pointing to. */
1979
1980 static bool
1981 instrument_builtin_call (gimple_stmt_iterator *iter)
1982 {
1983 if (!ASAN_MEMINTRIN)
1984 return false;
1985
1986 bool iter_advanced_p = false;
1987 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
1988
1989 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
1990
1991 location_t loc = gimple_location (call);
1992
1993 asan_mem_ref src0, src1, dest;
1994 asan_mem_ref_init (&src0, NULL, 1);
1995 asan_mem_ref_init (&src1, NULL, 1);
1996 asan_mem_ref_init (&dest, NULL, 1);
1997
1998 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1999 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
2000 dest_is_deref = false, intercepted_p = true;
2001
2002 if (get_mem_refs_of_builtin_call (call,
2003 &src0, &src0_len, &src0_is_store,
2004 &src1, &src1_len, &src1_is_store,
2005 &dest, &dest_len, &dest_is_store,
2006 &dest_is_deref, &intercepted_p))
2007 {
2008 if (dest_is_deref)
2009 {
2010 instrument_derefs (iter, dest.start, loc, dest_is_store);
2011 gsi_next (iter);
2012 iter_advanced_p = true;
2013 }
2014 else if (!intercepted_p
2015 && (src0_len || src1_len || dest_len))
2016 {
2017 if (src0.start != NULL_TREE)
2018 instrument_mem_region_access (src0.start, src0_len,
2019 iter, loc, /*is_store=*/false);
2020 if (src1.start != NULL_TREE)
2021 instrument_mem_region_access (src1.start, src1_len,
2022 iter, loc, /*is_store=*/false);
2023 if (dest.start != NULL_TREE)
2024 instrument_mem_region_access (dest.start, dest_len,
2025 iter, loc, /*is_store=*/true);
2026
2027 *iter = gsi_for_stmt (call);
2028 gsi_next (iter);
2029 iter_advanced_p = true;
2030 }
2031 else
2032 {
2033 if (src0.start != NULL_TREE)
2034 maybe_update_mem_ref_hash_table (src0.start, src0_len);
2035 if (src1.start != NULL_TREE)
2036 maybe_update_mem_ref_hash_table (src1.start, src1_len);
2037 if (dest.start != NULL_TREE)
2038 maybe_update_mem_ref_hash_table (dest.start, dest_len);
2039 }
2040 }
2041 return iter_advanced_p;
2042 }
2043
2044 /* Instrument the assignment statement ITER if it is subject to
2045 instrumentation. Return TRUE iff instrumentation actually
2046 happened. In that case, the iterator ITER is advanced to the next
2047 logical expression following the one initially pointed to by ITER,
2048 and the relevant memory reference that which access has been
2049 instrumented is added to the memory references hash table. */
2050
2051 static bool
2052 maybe_instrument_assignment (gimple_stmt_iterator *iter)
2053 {
2054 gimple *s = gsi_stmt (*iter);
2055
2056 gcc_assert (gimple_assign_single_p (s));
2057
2058 tree ref_expr = NULL_TREE;
2059 bool is_store, is_instrumented = false;
2060
2061 if (gimple_store_p (s))
2062 {
2063 ref_expr = gimple_assign_lhs (s);
2064 is_store = true;
2065 instrument_derefs (iter, ref_expr,
2066 gimple_location (s),
2067 is_store);
2068 is_instrumented = true;
2069 }
2070
2071 if (gimple_assign_load_p (s))
2072 {
2073 ref_expr = gimple_assign_rhs1 (s);
2074 is_store = false;
2075 instrument_derefs (iter, ref_expr,
2076 gimple_location (s),
2077 is_store);
2078 is_instrumented = true;
2079 }
2080
2081 if (is_instrumented)
2082 gsi_next (iter);
2083
2084 return is_instrumented;
2085 }
2086
2087 /* Instrument the function call pointed to by the iterator ITER, if it
2088 is subject to instrumentation. At the moment, the only function
2089 calls that are instrumented are some built-in functions that access
2090 memory. Look at instrument_builtin_call to learn more.
2091
2092 Upon completion return TRUE iff *ITER was advanced to the statement
2093 following the one it was originally pointing to. */
2094
2095 static bool
2096 maybe_instrument_call (gimple_stmt_iterator *iter)
2097 {
2098 gimple *stmt = gsi_stmt (*iter);
2099 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2100
2101 if (is_builtin && instrument_builtin_call (iter))
2102 return true;
2103
2104 if (gimple_call_noreturn_p (stmt))
2105 {
2106 if (is_builtin)
2107 {
2108 tree callee = gimple_call_fndecl (stmt);
2109 switch (DECL_FUNCTION_CODE (callee))
2110 {
2111 case BUILT_IN_UNREACHABLE:
2112 case BUILT_IN_TRAP:
2113 /* Don't instrument these. */
2114 return false;
2115 default:
2116 break;
2117 }
2118 }
2119 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
2120 gimple *g = gimple_build_call (decl, 0);
2121 gimple_set_location (g, gimple_location (stmt));
2122 gsi_insert_before (iter, g, GSI_SAME_STMT);
2123 }
2124
2125 bool instrumented = false;
2126 if (gimple_store_p (stmt))
2127 {
2128 tree ref_expr = gimple_call_lhs (stmt);
2129 instrument_derefs (iter, ref_expr,
2130 gimple_location (stmt),
2131 /*is_store=*/true);
2132
2133 instrumented = true;
2134 }
2135
2136 /* Walk through gimple_call arguments and check them id needed. */
2137 unsigned args_num = gimple_call_num_args (stmt);
2138 for (unsigned i = 0; i < args_num; ++i)
2139 {
2140 tree arg = gimple_call_arg (stmt, i);
2141 /* If ARG is not a non-aggregate register variable, compiler in general
2142 creates temporary for it and pass it as argument to gimple call.
2143 But in some cases, e.g. when we pass by value a small structure that
2144 fits to register, compiler can avoid extra overhead by pulling out
2145 these temporaries. In this case, we should check the argument. */
2146 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
2147 {
2148 instrument_derefs (iter, arg,
2149 gimple_location (stmt),
2150 /*is_store=*/false);
2151 instrumented = true;
2152 }
2153 }
2154 if (instrumented)
2155 gsi_next (iter);
2156 return instrumented;
2157 }
2158
2159 /* Walk each instruction of all basic block and instrument those that
2160 represent memory references: loads, stores, or function calls.
2161 In a given basic block, this function avoids instrumenting memory
2162 references that have already been instrumented. */
2163
2164 static void
2165 transform_statements (void)
2166 {
2167 basic_block bb, last_bb = NULL;
2168 gimple_stmt_iterator i;
2169 int saved_last_basic_block = last_basic_block_for_fn (cfun);
2170
2171 FOR_EACH_BB_FN (bb, cfun)
2172 {
2173 basic_block prev_bb = bb;
2174
2175 if (bb->index >= saved_last_basic_block) continue;
2176
2177 /* Flush the mem ref hash table, if current bb doesn't have
2178 exactly one predecessor, or if that predecessor (skipping
2179 over asan created basic blocks) isn't the last processed
2180 basic block. Thus we effectively flush on extended basic
2181 block boundaries. */
2182 while (single_pred_p (prev_bb))
2183 {
2184 prev_bb = single_pred (prev_bb);
2185 if (prev_bb->index < saved_last_basic_block)
2186 break;
2187 }
2188 if (prev_bb != last_bb)
2189 empty_mem_ref_hash_table ();
2190 last_bb = bb;
2191
2192 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
2193 {
2194 gimple *s = gsi_stmt (i);
2195
2196 if (has_stmt_been_instrumented_p (s))
2197 gsi_next (&i);
2198 else if (gimple_assign_single_p (s)
2199 && !gimple_clobber_p (s)
2200 && maybe_instrument_assignment (&i))
2201 /* Nothing to do as maybe_instrument_assignment advanced
2202 the iterator I. */;
2203 else if (is_gimple_call (s) && maybe_instrument_call (&i))
2204 /* Nothing to do as maybe_instrument_call
2205 advanced the iterator I. */;
2206 else
2207 {
2208 /* No instrumentation happened.
2209
2210 If the current instruction is a function call that
2211 might free something, let's forget about the memory
2212 references that got instrumented. Otherwise we might
2213 miss some instrumentation opportunities. Do the same
2214 for a ASAN_MARK poisoning internal function. */
2215 if (is_gimple_call (s)
2216 && (!nonfreeing_call_p (s)
2217 || asan_mark_p (s, ASAN_MARK_POISON)))
2218 empty_mem_ref_hash_table ();
2219
2220 gsi_next (&i);
2221 }
2222 }
2223 }
2224 free_mem_ref_resources ();
2225 }
2226
2227 /* Build
2228 __asan_before_dynamic_init (module_name)
2229 or
2230 __asan_after_dynamic_init ()
2231 call. */
2232
2233 tree
2234 asan_dynamic_init_call (bool after_p)
2235 {
2236 if (shadow_ptr_types[0] == NULL_TREE)
2237 asan_init_shadow_ptr_types ();
2238
2239 tree fn = builtin_decl_implicit (after_p
2240 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
2241 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
2242 tree module_name_cst = NULL_TREE;
2243 if (!after_p)
2244 {
2245 pretty_printer module_name_pp;
2246 pp_string (&module_name_pp, main_input_filename);
2247
2248 module_name_cst = asan_pp_string (&module_name_pp);
2249 module_name_cst = fold_convert (const_ptr_type_node,
2250 module_name_cst);
2251 }
2252
2253 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
2254 }
2255
2256 /* Build
2257 struct __asan_global
2258 {
2259 const void *__beg;
2260 uptr __size;
2261 uptr __size_with_redzone;
2262 const void *__name;
2263 const void *__module_name;
2264 uptr __has_dynamic_init;
2265 __asan_global_source_location *__location;
2266 char *__odr_indicator;
2267 } type. */
2268
2269 static tree
2270 asan_global_struct (void)
2271 {
2272 static const char *field_names[]
2273 = { "__beg", "__size", "__size_with_redzone",
2274 "__name", "__module_name", "__has_dynamic_init", "__location",
2275 "__odr_indicator" };
2276 tree fields[ARRAY_SIZE (field_names)], ret;
2277 unsigned i;
2278
2279 ret = make_node (RECORD_TYPE);
2280 for (i = 0; i < ARRAY_SIZE (field_names); i++)
2281 {
2282 fields[i]
2283 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
2284 get_identifier (field_names[i]),
2285 (i == 0 || i == 3) ? const_ptr_type_node
2286 : pointer_sized_int_node);
2287 DECL_CONTEXT (fields[i]) = ret;
2288 if (i)
2289 DECL_CHAIN (fields[i - 1]) = fields[i];
2290 }
2291 tree type_decl = build_decl (input_location, TYPE_DECL,
2292 get_identifier ("__asan_global"), ret);
2293 DECL_IGNORED_P (type_decl) = 1;
2294 DECL_ARTIFICIAL (type_decl) = 1;
2295 TYPE_FIELDS (ret) = fields[0];
2296 TYPE_NAME (ret) = type_decl;
2297 TYPE_STUB_DECL (ret) = type_decl;
2298 layout_type (ret);
2299 return ret;
2300 }
2301
2302 /* Create and return odr indicator symbol for DECL.
2303 TYPE is __asan_global struct type as returned by asan_global_struct. */
2304
2305 static tree
2306 create_odr_indicator (tree decl, tree type)
2307 {
2308 char *name;
2309 tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2310 tree decl_name
2311 = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl)
2312 : DECL_NAME (decl));
2313 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
2314 if (decl_name == NULL_TREE)
2315 return build_int_cst (uptr, 0);
2316 size_t len = strlen (IDENTIFIER_POINTER (decl_name)) + sizeof ("__odr_asan_");
2317 name = XALLOCAVEC (char, len);
2318 snprintf (name, len, "__odr_asan_%s", IDENTIFIER_POINTER (decl_name));
2319 #ifndef NO_DOT_IN_LABEL
2320 name[sizeof ("__odr_asan") - 1] = '.';
2321 #elif !defined(NO_DOLLAR_IN_LABEL)
2322 name[sizeof ("__odr_asan") - 1] = '$';
2323 #endif
2324 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name),
2325 char_type_node);
2326 TREE_ADDRESSABLE (var) = 1;
2327 TREE_READONLY (var) = 0;
2328 TREE_THIS_VOLATILE (var) = 1;
2329 DECL_GIMPLE_REG_P (var) = 0;
2330 DECL_ARTIFICIAL (var) = 1;
2331 DECL_IGNORED_P (var) = 1;
2332 TREE_STATIC (var) = 1;
2333 TREE_PUBLIC (var) = 1;
2334 DECL_VISIBILITY (var) = DECL_VISIBILITY (decl);
2335 DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl);
2336
2337 TREE_USED (var) = 1;
2338 tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE,
2339 build_int_cst (unsigned_type_node, 0));
2340 TREE_CONSTANT (ctor) = 1;
2341 TREE_STATIC (ctor) = 1;
2342 DECL_INITIAL (var) = ctor;
2343 DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"),
2344 NULL, DECL_ATTRIBUTES (var));
2345 make_decl_rtl (var);
2346 varpool_node::finalize_decl (var);
2347 return fold_convert (uptr, build_fold_addr_expr (var));
2348 }
2349
2350 /* Return true if DECL, a global var, might be overridden and needs
2351 an additional odr indicator symbol. */
2352
2353 static bool
2354 asan_needs_odr_indicator_p (tree decl)
2355 {
2356 /* Don't emit ODR indicators for kernel because:
2357 a) Kernel is written in C thus doesn't need ODR indicators.
2358 b) Some kernel code may have assumptions about symbols containing specific
2359 patterns in their names. Since ODR indicators contain original names
2360 of symbols they are emitted for, these assumptions would be broken for
2361 ODR indicator symbols. */
2362 return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS)
2363 && !DECL_ARTIFICIAL (decl)
2364 && !DECL_WEAK (decl)
2365 && TREE_PUBLIC (decl));
2366 }
2367
2368 /* Append description of a single global DECL into vector V.
2369 TYPE is __asan_global struct type as returned by asan_global_struct. */
2370
2371 static void
2372 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
2373 {
2374 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2375 unsigned HOST_WIDE_INT size;
2376 tree str_cst, module_name_cst, refdecl = decl;
2377 vec<constructor_elt, va_gc> *vinner = NULL;
2378
2379 pretty_printer asan_pp, module_name_pp;
2380
2381 if (DECL_NAME (decl))
2382 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
2383 else
2384 pp_string (&asan_pp, "<unknown>");
2385 str_cst = asan_pp_string (&asan_pp);
2386
2387 pp_string (&module_name_pp, main_input_filename);
2388 module_name_cst = asan_pp_string (&module_name_pp);
2389
2390 if (asan_needs_local_alias (decl))
2391 {
2392 char buf[20];
2393 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
2394 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
2395 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
2396 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
2397 TREE_READONLY (refdecl) = TREE_READONLY (decl);
2398 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
2399 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
2400 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
2401 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
2402 TREE_STATIC (refdecl) = 1;
2403 TREE_PUBLIC (refdecl) = 0;
2404 TREE_USED (refdecl) = 1;
2405 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
2406 }
2407
2408 tree odr_indicator_ptr
2409 = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type)
2410 : build_int_cst (uptr, 0));
2411 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2412 fold_convert (const_ptr_type_node,
2413 build_fold_addr_expr (refdecl)));
2414 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
2415 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2416 size += asan_red_zone_size (size);
2417 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2418 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2419 fold_convert (const_ptr_type_node, str_cst));
2420 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2421 fold_convert (const_ptr_type_node, module_name_cst));
2422 varpool_node *vnode = varpool_node::get (decl);
2423 int has_dynamic_init = 0;
2424 /* FIXME: Enable initialization order fiasco detection in LTO mode once
2425 proper fix for PR 79061 will be applied. */
2426 if (!in_lto_p)
2427 has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
2428 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2429 build_int_cst (uptr, has_dynamic_init));
2430 tree locptr = NULL_TREE;
2431 location_t loc = DECL_SOURCE_LOCATION (decl);
2432 expanded_location xloc = expand_location (loc);
2433 if (xloc.file != NULL)
2434 {
2435 static int lasanloccnt = 0;
2436 char buf[25];
2437 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
2438 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2439 ubsan_get_source_location_type ());
2440 TREE_STATIC (var) = 1;
2441 TREE_PUBLIC (var) = 0;
2442 DECL_ARTIFICIAL (var) = 1;
2443 DECL_IGNORED_P (var) = 1;
2444 pretty_printer filename_pp;
2445 pp_string (&filename_pp, xloc.file);
2446 tree str = asan_pp_string (&filename_pp);
2447 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
2448 NULL_TREE, str, NULL_TREE,
2449 build_int_cst (unsigned_type_node,
2450 xloc.line), NULL_TREE,
2451 build_int_cst (unsigned_type_node,
2452 xloc.column));
2453 TREE_CONSTANT (ctor) = 1;
2454 TREE_STATIC (ctor) = 1;
2455 DECL_INITIAL (var) = ctor;
2456 varpool_node::finalize_decl (var);
2457 locptr = fold_convert (uptr, build_fold_addr_expr (var));
2458 }
2459 else
2460 locptr = build_int_cst (uptr, 0);
2461 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
2462 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr);
2463 init = build_constructor (type, vinner);
2464 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
2465 }
2466
2467 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2468 void
2469 initialize_sanitizer_builtins (void)
2470 {
2471 tree decl;
2472
2473 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
2474 return;
2475
2476 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
2477 tree BT_FN_VOID_PTR
2478 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
2479 tree BT_FN_VOID_CONST_PTR
2480 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
2481 tree BT_FN_VOID_PTR_PTR
2482 = build_function_type_list (void_type_node, ptr_type_node,
2483 ptr_type_node, NULL_TREE);
2484 tree BT_FN_VOID_PTR_PTR_PTR
2485 = build_function_type_list (void_type_node, ptr_type_node,
2486 ptr_type_node, ptr_type_node, NULL_TREE);
2487 tree BT_FN_VOID_PTR_PTRMODE
2488 = build_function_type_list (void_type_node, ptr_type_node,
2489 pointer_sized_int_node, NULL_TREE);
2490 tree BT_FN_VOID_INT
2491 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
2492 tree BT_FN_SIZE_CONST_PTR_INT
2493 = build_function_type_list (size_type_node, const_ptr_type_node,
2494 integer_type_node, NULL_TREE);
2495 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
2496 tree BT_FN_IX_CONST_VPTR_INT[5];
2497 tree BT_FN_IX_VPTR_IX_INT[5];
2498 tree BT_FN_VOID_VPTR_IX_INT[5];
2499 tree vptr
2500 = build_pointer_type (build_qualified_type (void_type_node,
2501 TYPE_QUAL_VOLATILE));
2502 tree cvptr
2503 = build_pointer_type (build_qualified_type (void_type_node,
2504 TYPE_QUAL_VOLATILE
2505 |TYPE_QUAL_CONST));
2506 tree boolt
2507 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
2508 int i;
2509 for (i = 0; i < 5; i++)
2510 {
2511 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
2512 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
2513 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
2514 integer_type_node, integer_type_node,
2515 NULL_TREE);
2516 BT_FN_IX_CONST_VPTR_INT[i]
2517 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
2518 BT_FN_IX_VPTR_IX_INT[i]
2519 = build_function_type_list (ix, vptr, ix, integer_type_node,
2520 NULL_TREE);
2521 BT_FN_VOID_VPTR_IX_INT[i]
2522 = build_function_type_list (void_type_node, vptr, ix,
2523 integer_type_node, NULL_TREE);
2524 }
2525 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2526 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2527 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2528 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2529 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2530 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2531 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2532 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2533 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2534 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2535 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2536 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2537 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2538 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2539 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2540 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2541 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2542 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2543 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2544 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2545 #undef ATTR_NOTHROW_LEAF_LIST
2546 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2547 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2548 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2549 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2550 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2551 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2552 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
2553 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
2554 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2555 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2556 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2557 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2558 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2559 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2560 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2561 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2562 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
2563 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
2564 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
2565 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2566 #undef ATTR_PURE_NOTHROW_LEAF_LIST
2567 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
2568 #undef DEF_BUILTIN_STUB
2569 #define DEF_BUILTIN_STUB(ENUM, NAME)
2570 #undef DEF_SANITIZER_BUILTIN
2571 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2572 do { \
2573 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2574 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2575 set_call_expr_flags (decl, ATTRS); \
2576 set_builtin_decl (ENUM, decl, true); \
2577 } while (0);
2578
2579 #include "sanitizer.def"
2580
2581 /* -fsanitize=object-size uses __builtin_object_size, but that might
2582 not be available for e.g. Fortran at this point. We use
2583 DEF_SANITIZER_BUILTIN here only as a convenience macro. */
2584 if ((flag_sanitize & SANITIZE_OBJECT_SIZE)
2585 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
2586 DEF_SANITIZER_BUILTIN (BUILT_IN_OBJECT_SIZE, "object_size",
2587 BT_FN_SIZE_CONST_PTR_INT,
2588 ATTR_PURE_NOTHROW_LEAF_LIST)
2589
2590 #undef DEF_SANITIZER_BUILTIN
2591 #undef DEF_BUILTIN_STUB
2592 }
2593
2594 /* Called via htab_traverse. Count number of emitted
2595 STRING_CSTs in the constant hash table. */
2596
2597 int
2598 count_string_csts (constant_descriptor_tree **slot,
2599 unsigned HOST_WIDE_INT *data)
2600 {
2601 struct constant_descriptor_tree *desc = *slot;
2602 if (TREE_CODE (desc->value) == STRING_CST
2603 && TREE_ASM_WRITTEN (desc->value)
2604 && asan_protect_global (desc->value))
2605 ++*data;
2606 return 1;
2607 }
2608
2609 /* Helper structure to pass two parameters to
2610 add_string_csts. */
2611
2612 struct asan_add_string_csts_data
2613 {
2614 tree type;
2615 vec<constructor_elt, va_gc> *v;
2616 };
2617
2618 /* Called via hash_table::traverse. Call asan_add_global
2619 on emitted STRING_CSTs from the constant hash table. */
2620
2621 int
2622 add_string_csts (constant_descriptor_tree **slot,
2623 asan_add_string_csts_data *aascd)
2624 {
2625 struct constant_descriptor_tree *desc = *slot;
2626 if (TREE_CODE (desc->value) == STRING_CST
2627 && TREE_ASM_WRITTEN (desc->value)
2628 && asan_protect_global (desc->value))
2629 {
2630 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
2631 aascd->type, aascd->v);
2632 }
2633 return 1;
2634 }
2635
2636 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
2637 invoke ggc_collect. */
2638 static GTY(()) tree asan_ctor_statements;
2639
2640 /* Module-level instrumentation.
2641 - Insert __asan_init_vN() into the list of CTORs.
2642 - TODO: insert redzones around globals.
2643 */
2644
2645 void
2646 asan_finish_file (void)
2647 {
2648 varpool_node *vnode;
2649 unsigned HOST_WIDE_INT gcount = 0;
2650
2651 if (shadow_ptr_types[0] == NULL_TREE)
2652 asan_init_shadow_ptr_types ();
2653 /* Avoid instrumenting code in the asan ctors/dtors.
2654 We don't need to insert padding after the description strings,
2655 nor after .LASAN* array. */
2656 flag_sanitize &= ~SANITIZE_ADDRESS;
2657
2658 /* For user-space we want asan constructors to run first.
2659 Linux kernel does not support priorities other than default, and the only
2660 other user of constructors is coverage. So we run with the default
2661 priority. */
2662 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
2663 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
2664
2665 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2666 {
2667 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
2668 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2669 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
2670 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2671 }
2672 FOR_EACH_DEFINED_VARIABLE (vnode)
2673 if (TREE_ASM_WRITTEN (vnode->decl)
2674 && asan_protect_global (vnode->decl))
2675 ++gcount;
2676 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
2677 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
2678 (&gcount);
2679 if (gcount)
2680 {
2681 tree type = asan_global_struct (), var, ctor;
2682 tree dtor_statements = NULL_TREE;
2683 vec<constructor_elt, va_gc> *v;
2684 char buf[20];
2685
2686 type = build_array_type_nelts (type, gcount);
2687 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
2688 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2689 type);
2690 TREE_STATIC (var) = 1;
2691 TREE_PUBLIC (var) = 0;
2692 DECL_ARTIFICIAL (var) = 1;
2693 DECL_IGNORED_P (var) = 1;
2694 vec_alloc (v, gcount);
2695 FOR_EACH_DEFINED_VARIABLE (vnode)
2696 if (TREE_ASM_WRITTEN (vnode->decl)
2697 && asan_protect_global (vnode->decl))
2698 asan_add_global (vnode->decl, TREE_TYPE (type), v);
2699 struct asan_add_string_csts_data aascd;
2700 aascd.type = TREE_TYPE (type);
2701 aascd.v = v;
2702 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
2703 (&aascd);
2704 ctor = build_constructor (type, v);
2705 TREE_CONSTANT (ctor) = 1;
2706 TREE_STATIC (ctor) = 1;
2707 DECL_INITIAL (var) = ctor;
2708 varpool_node::finalize_decl (var);
2709
2710 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
2711 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
2712 append_to_statement_list (build_call_expr (fn, 2,
2713 build_fold_addr_expr (var),
2714 gcount_tree),
2715 &asan_ctor_statements);
2716
2717 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
2718 append_to_statement_list (build_call_expr (fn, 2,
2719 build_fold_addr_expr (var),
2720 gcount_tree),
2721 &dtor_statements);
2722 cgraph_build_static_cdtor ('D', dtor_statements, priority);
2723 }
2724 if (asan_ctor_statements)
2725 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
2726 flag_sanitize |= SANITIZE_ADDRESS;
2727 }
2728
2729 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
2730 on SHADOW address. Newly added statements will be added to ITER with
2731 given location LOC. We mark SIZE bytes in shadow memory, where
2732 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
2733 end of a variable. */
2734
2735 static void
2736 asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
2737 tree shadow,
2738 unsigned HOST_WIDE_INT base_addr_offset,
2739 bool is_clobber, unsigned size,
2740 unsigned last_chunk_size)
2741 {
2742 tree shadow_ptr_type;
2743
2744 switch (size)
2745 {
2746 case 1:
2747 shadow_ptr_type = shadow_ptr_types[0];
2748 break;
2749 case 2:
2750 shadow_ptr_type = shadow_ptr_types[1];
2751 break;
2752 case 4:
2753 shadow_ptr_type = shadow_ptr_types[2];
2754 break;
2755 default:
2756 gcc_unreachable ();
2757 }
2758
2759 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
2760 unsigned HOST_WIDE_INT val = 0;
2761 unsigned last_pos = size;
2762 if (last_chunk_size && !is_clobber)
2763 last_pos = BYTES_BIG_ENDIAN ? 0 : size - 1;
2764 for (unsigned i = 0; i < size; ++i)
2765 {
2766 unsigned char shadow_c = c;
2767 if (i == last_pos)
2768 shadow_c = last_chunk_size;
2769 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
2770 }
2771
2772 /* Handle last chunk in unpoisoning. */
2773 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);
2774
2775 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
2776 build_int_cst (shadow_ptr_type, base_addr_offset));
2777
2778 gimple *g = gimple_build_assign (dest, magic);
2779 gimple_set_location (g, loc);
2780 gsi_insert_after (iter, g, GSI_NEW_STMT);
2781 }
2782
2783 /* Expand the ASAN_MARK builtins. */
2784
2785 bool
2786 asan_expand_mark_ifn (gimple_stmt_iterator *iter)
2787 {
2788 gimple *g = gsi_stmt (*iter);
2789 location_t loc = gimple_location (g);
2790 HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0));
2791 bool is_poison = ((asan_mark_flags)flag) == ASAN_MARK_POISON;
2792
2793 tree base = gimple_call_arg (g, 1);
2794 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
2795 tree decl = TREE_OPERAND (base, 0);
2796
2797 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
2798 if (TREE_CODE (decl) == COMPONENT_REF
2799 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0)))
2800 decl = TREE_OPERAND (decl, 0);
2801
2802 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);
2803 if (asan_handled_variables == NULL)
2804 asan_handled_variables = new hash_set<tree> (16);
2805 asan_handled_variables->add (decl);
2806 tree len = gimple_call_arg (g, 2);
2807
2808 gcc_assert (tree_fits_shwi_p (len));
2809 unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len);
2810 gcc_assert (size_in_bytes);
2811
2812 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2813 NOP_EXPR, base);
2814 gimple_set_location (g, loc);
2815 gsi_replace (iter, g, false);
2816 tree base_addr = gimple_assign_lhs (g);
2817
2818 /* Generate direct emission if size_in_bytes is small. */
2819 if (size_in_bytes <= ASAN_PARAM_USE_AFTER_SCOPE_DIRECT_EMISSION_THRESHOLD)
2820 {
2821 unsigned HOST_WIDE_INT shadow_size = shadow_mem_size (size_in_bytes);
2822
2823 tree shadow = build_shadow_mem_access (iter, loc, base_addr,
2824 shadow_ptr_types[0], true);
2825
2826 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
2827 {
2828 unsigned size = 1;
2829 if (shadow_size - offset >= 4)
2830 size = 4;
2831 else if (shadow_size - offset >= 2)
2832 size = 2;
2833
2834 unsigned HOST_WIDE_INT last_chunk_size = 0;
2835 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
2836 if (s > size_in_bytes)
2837 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);
2838
2839 asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison,
2840 size, last_chunk_size);
2841 offset += size;
2842 }
2843 }
2844 else
2845 {
2846 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2847 NOP_EXPR, len);
2848 gimple_set_location (g, loc);
2849 gsi_insert_before (iter, g, GSI_SAME_STMT);
2850 tree sz_arg = gimple_assign_lhs (g);
2851
2852 tree fun
2853 = builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY
2854 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY);
2855 g = gimple_build_call (fun, 2, base_addr, sz_arg);
2856 gimple_set_location (g, loc);
2857 gsi_insert_after (iter, g, GSI_NEW_STMT);
2858 }
2859
2860 return false;
2861 }
2862
2863 /* Expand the ASAN_{LOAD,STORE} builtins. */
2864
2865 bool
2866 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
2867 {
2868 gimple *g = gsi_stmt (*iter);
2869 location_t loc = gimple_location (g);
2870 bool recover_p;
2871 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2872 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
2873 else
2874 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
2875
2876 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
2877 gcc_assert (flags < ASAN_CHECK_LAST);
2878 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
2879 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
2880 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
2881
2882 tree base = gimple_call_arg (g, 1);
2883 tree len = gimple_call_arg (g, 2);
2884 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
2885
2886 HOST_WIDE_INT size_in_bytes
2887 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2888
2889 if (use_calls)
2890 {
2891 /* Instrument using callbacks. */
2892 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2893 NOP_EXPR, base);
2894 gimple_set_location (g, loc);
2895 gsi_insert_before (iter, g, GSI_SAME_STMT);
2896 tree base_addr = gimple_assign_lhs (g);
2897
2898 int nargs;
2899 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
2900 if (nargs == 1)
2901 g = gimple_build_call (fun, 1, base_addr);
2902 else
2903 {
2904 gcc_assert (nargs == 2);
2905 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2906 NOP_EXPR, len);
2907 gimple_set_location (g, loc);
2908 gsi_insert_before (iter, g, GSI_SAME_STMT);
2909 tree sz_arg = gimple_assign_lhs (g);
2910 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
2911 }
2912 gimple_set_location (g, loc);
2913 gsi_replace (iter, g, false);
2914 return false;
2915 }
2916
2917 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
2918
2919 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
2920 tree shadow_type = TREE_TYPE (shadow_ptr_type);
2921
2922 gimple_stmt_iterator gsi = *iter;
2923
2924 if (!is_non_zero_len)
2925 {
2926 /* So, the length of the memory area to asan-protect is
2927 non-constant. Let's guard the generated instrumentation code
2928 like:
2929
2930 if (len != 0)
2931 {
2932 //asan instrumentation code goes here.
2933 }
2934 // falltrough instructions, starting with *ITER. */
2935
2936 g = gimple_build_cond (NE_EXPR,
2937 len,
2938 build_int_cst (TREE_TYPE (len), 0),
2939 NULL_TREE, NULL_TREE);
2940 gimple_set_location (g, loc);
2941
2942 basic_block then_bb, fallthrough_bb;
2943 insert_if_then_before_iter (as_a <gcond *> (g), iter,
2944 /*then_more_likely_p=*/true,
2945 &then_bb, &fallthrough_bb);
2946 /* Note that fallthrough_bb starts with the statement that was
2947 pointed to by ITER. */
2948
2949 /* The 'then block' of the 'if (len != 0) condition is where
2950 we'll generate the asan instrumentation code now. */
2951 gsi = gsi_last_bb (then_bb);
2952 }
2953
2954 /* Get an iterator on the point where we can add the condition
2955 statement for the instrumentation. */
2956 basic_block then_bb, else_bb;
2957 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
2958 /*then_more_likely_p=*/false,
2959 /*create_then_fallthru_edge*/recover_p,
2960 &then_bb,
2961 &else_bb);
2962
2963 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2964 NOP_EXPR, base);
2965 gimple_set_location (g, loc);
2966 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
2967 tree base_addr = gimple_assign_lhs (g);
2968
2969 tree t = NULL_TREE;
2970 if (real_size_in_bytes >= 8)
2971 {
2972 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
2973 shadow_ptr_type);
2974 t = shadow;
2975 }
2976 else
2977 {
2978 /* Slow path for 1, 2 and 4 byte accesses. */
2979 /* Test (shadow != 0)
2980 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
2981 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
2982 shadow_ptr_type);
2983 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
2984 gimple_seq seq = NULL;
2985 gimple_seq_add_stmt (&seq, shadow_test);
2986 /* Aligned (>= 8 bytes) can test just
2987 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
2988 to be 0. */
2989 if (align < 8)
2990 {
2991 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
2992 base_addr, 7));
2993 gimple_seq_add_stmt (&seq,
2994 build_type_cast (shadow_type,
2995 gimple_seq_last (seq)));
2996 if (real_size_in_bytes > 1)
2997 gimple_seq_add_stmt (&seq,
2998 build_assign (PLUS_EXPR,
2999 gimple_seq_last (seq),
3000 real_size_in_bytes - 1));
3001 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
3002 }
3003 else
3004 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
3005 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
3006 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3007 gimple_seq_last (seq)));
3008 t = gimple_assign_lhs (gimple_seq_last (seq));
3009 gimple_seq_set_location (seq, loc);
3010 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3011
3012 /* For non-constant, misaligned or otherwise weird access sizes,
3013 check first and last byte. */
3014 if (size_in_bytes == -1)
3015 {
3016 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3017 MINUS_EXPR, len,
3018 build_int_cst (pointer_sized_int_node, 1));
3019 gimple_set_location (g, loc);
3020 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3021 tree last = gimple_assign_lhs (g);
3022 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3023 PLUS_EXPR, base_addr, last);
3024 gimple_set_location (g, loc);
3025 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3026 tree base_end_addr = gimple_assign_lhs (g);
3027
3028 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
3029 shadow_ptr_type);
3030 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3031 gimple_seq seq = NULL;
3032 gimple_seq_add_stmt (&seq, shadow_test);
3033 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3034 base_end_addr, 7));
3035 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
3036 gimple_seq_last (seq)));
3037 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
3038 gimple_seq_last (seq),
3039 shadow));
3040 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3041 gimple_seq_last (seq)));
3042 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
3043 gimple_seq_last (seq)));
3044 t = gimple_assign_lhs (gimple_seq_last (seq));
3045 gimple_seq_set_location (seq, loc);
3046 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3047 }
3048 }
3049
3050 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
3051 NULL_TREE, NULL_TREE);
3052 gimple_set_location (g, loc);
3053 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3054
3055 /* Generate call to the run-time library (e.g. __asan_report_load8). */
3056 gsi = gsi_start_bb (then_bb);
3057 int nargs;
3058 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
3059 g = gimple_build_call (fun, nargs, base_addr, len);
3060 gimple_set_location (g, loc);
3061 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3062
3063 gsi_remove (iter, true);
3064 *iter = gsi_start_bb (else_bb);
3065
3066 return true;
3067 }
3068
3069 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
3070 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
3071
3072 static tree
3073 create_asan_shadow_var (tree var_decl,
3074 hash_map<tree, tree> &shadow_vars_mapping)
3075 {
3076 tree *slot = shadow_vars_mapping.get (var_decl);
3077 if (slot == NULL)
3078 {
3079 tree shadow_var = copy_node (var_decl);
3080
3081 copy_body_data id;
3082 memset (&id, 0, sizeof (copy_body_data));
3083 id.src_fn = id.dst_fn = current_function_decl;
3084 copy_decl_for_dup_finish (&id, var_decl, shadow_var);
3085
3086 DECL_ARTIFICIAL (shadow_var) = 1;
3087 DECL_IGNORED_P (shadow_var) = 1;
3088 DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0;
3089 gimple_add_tmp_var (shadow_var);
3090
3091 shadow_vars_mapping.put (var_decl, shadow_var);
3092 return shadow_var;
3093 }
3094 else
3095 return *slot;
3096 }
3097
3098 /* Expand ASAN_POISON ifn. */
3099
3100 bool
3101 asan_expand_poison_ifn (gimple_stmt_iterator *iter,
3102 bool *need_commit_edge_insert,
3103 hash_map<tree, tree> &shadow_vars_mapping)
3104 {
3105 gimple *g = gsi_stmt (*iter);
3106 tree poisoned_var = gimple_call_lhs (g);
3107 if (!poisoned_var || has_zero_uses (poisoned_var))
3108 {
3109 gsi_remove (iter, true);
3110 return true;
3111 }
3112
3113 if (SSA_NAME_VAR (poisoned_var) == NULL_TREE)
3114 SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var,
3115 create_tmp_var (TREE_TYPE (poisoned_var)));
3116
3117 tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var),
3118 shadow_vars_mapping);
3119
3120 bool recover_p;
3121 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3122 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3123 else
3124 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3125 tree size = DECL_SIZE_UNIT (shadow_var);
3126 gimple *poison_call
3127 = gimple_build_call_internal (IFN_ASAN_MARK, 3,
3128 build_int_cst (integer_type_node,
3129 ASAN_MARK_POISON),
3130 build_fold_addr_expr (shadow_var), size);
3131
3132 gimple *use;
3133 imm_use_iterator imm_iter;
3134 FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var)
3135 {
3136 if (is_gimple_debug (use))
3137 continue;
3138
3139 int nargs;
3140 bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE);
3141 tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size),
3142 &nargs);
3143
3144 gcall *call = gimple_build_call (fun, 1,
3145 build_fold_addr_expr (shadow_var));
3146 gimple_set_location (call, gimple_location (use));
3147 gimple *call_to_insert = call;
3148
3149 /* The USE can be a gimple PHI node. If so, insert the call on
3150 all edges leading to the PHI node. */
3151 if (is_a <gphi *> (use))
3152 {
3153 gphi *phi = dyn_cast<gphi *> (use);
3154 for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i)
3155 if (gimple_phi_arg_def (phi, i) == poisoned_var)
3156 {
3157 edge e = gimple_phi_arg_edge (phi, i);
3158
3159 if (call_to_insert == NULL)
3160 call_to_insert = gimple_copy (call);
3161
3162 gsi_insert_seq_on_edge (e, call_to_insert);
3163 *need_commit_edge_insert = true;
3164 call_to_insert = NULL;
3165 }
3166 }
3167 else
3168 {
3169 gimple_stmt_iterator gsi = gsi_for_stmt (use);
3170 if (store_p)
3171 gsi_replace (&gsi, call, true);
3172 else
3173 gsi_insert_before (&gsi, call, GSI_NEW_STMT);
3174 }
3175 }
3176
3177 SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true;
3178 SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop ();
3179 gsi_replace (iter, poison_call, false);
3180
3181 return true;
3182 }
3183
3184 /* Instrument the current function. */
3185
3186 static unsigned int
3187 asan_instrument (void)
3188 {
3189 if (shadow_ptr_types[0] == NULL_TREE)
3190 asan_init_shadow_ptr_types ();
3191 transform_statements ();
3192 return 0;
3193 }
3194
3195 static bool
3196 gate_asan (void)
3197 {
3198 return sanitize_flags_p (SANITIZE_ADDRESS);
3199 }
3200
3201 namespace {
3202
3203 const pass_data pass_data_asan =
3204 {
3205 GIMPLE_PASS, /* type */
3206 "asan", /* name */
3207 OPTGROUP_NONE, /* optinfo_flags */
3208 TV_NONE, /* tv_id */
3209 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3210 0, /* properties_provided */
3211 0, /* properties_destroyed */
3212 0, /* todo_flags_start */
3213 TODO_update_ssa, /* todo_flags_finish */
3214 };
3215
3216 class pass_asan : public gimple_opt_pass
3217 {
3218 public:
3219 pass_asan (gcc::context *ctxt)
3220 : gimple_opt_pass (pass_data_asan, ctxt)
3221 {}
3222
3223 /* opt_pass methods: */
3224 opt_pass * clone () { return new pass_asan (m_ctxt); }
3225 virtual bool gate (function *) { return gate_asan (); }
3226 virtual unsigned int execute (function *) { return asan_instrument (); }
3227
3228 }; // class pass_asan
3229
3230 } // anon namespace
3231
3232 gimple_opt_pass *
3233 make_pass_asan (gcc::context *ctxt)
3234 {
3235 return new pass_asan (ctxt);
3236 }
3237
3238 namespace {
3239
3240 const pass_data pass_data_asan_O0 =
3241 {
3242 GIMPLE_PASS, /* type */
3243 "asan0", /* name */
3244 OPTGROUP_NONE, /* optinfo_flags */
3245 TV_NONE, /* tv_id */
3246 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3247 0, /* properties_provided */
3248 0, /* properties_destroyed */
3249 0, /* todo_flags_start */
3250 TODO_update_ssa, /* todo_flags_finish */
3251 };
3252
3253 class pass_asan_O0 : public gimple_opt_pass
3254 {
3255 public:
3256 pass_asan_O0 (gcc::context *ctxt)
3257 : gimple_opt_pass (pass_data_asan_O0, ctxt)
3258 {}
3259
3260 /* opt_pass methods: */
3261 virtual bool gate (function *) { return !optimize && gate_asan (); }
3262 virtual unsigned int execute (function *) { return asan_instrument (); }
3263
3264 }; // class pass_asan_O0
3265
3266 } // anon namespace
3267
3268 gimple_opt_pass *
3269 make_pass_asan_O0 (gcc::context *ctxt)
3270 {
3271 return new pass_asan_O0 (ctxt);
3272 }
3273
3274 #include "gt-asan.h"
Mirror of https://gcc.gnu.org/git/gcc.git