]> git.ipfire.org Git - thirdparty/gcc.git/blob - gcc/asan.c
projects / thirdparty / gcc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
asan.h (ASAN_STACK_MAGIC_PARTIAL): Remove.
[thirdparty/gcc.git] / gcc / asan.c
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2016 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
11
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "backend.h"
26 #include "target.h"
27 #include "rtl.h"
28 #include "tree.h"
29 #include "gimple.h"
30 #include "cfghooks.h"
31 #include "alloc-pool.h"
32 #include "tree-pass.h"
33 #include "memmodel.h"
34 #include "tm_p.h"
35 #include "stringpool.h"
36 #include "tree-vrp.h"
37 #include "tree-ssanames.h"
38 #include "optabs.h"
39 #include "emit-rtl.h"
40 #include "cgraph.h"
41 #include "gimple-pretty-print.h"
42 #include "alias.h"
43 #include "fold-const.h"
44 #include "cfganal.h"
45 #include "gimplify.h"
46 #include "gimple-iterator.h"
47 #include "varasm.h"
48 #include "stor-layout.h"
49 #include "tree-iterator.h"
50 #include "asan.h"
51 #include "dojump.h"
52 #include "explow.h"
53 #include "expr.h"
54 #include "output.h"
55 #include "langhooks.h"
56 #include "cfgloop.h"
57 #include "gimple-builder.h"
58 #include "ubsan.h"
59 #include "params.h"
60 #include "builtins.h"
61 #include "fnmatch.h"
62
63 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
64 with <2x slowdown on average.
65
66 The tool consists of two parts:
67 instrumentation module (this file) and a run-time library.
68 The instrumentation module adds a run-time check before every memory insn.
69 For a 8- or 16- byte load accessing address X:
70 ShadowAddr = (X >> 3) + Offset
71 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
72 if (ShadowValue)
73 __asan_report_load8(X);
74 For a load of N bytes (N=1, 2 or 4) from address X:
75 ShadowAddr = (X >> 3) + Offset
76 ShadowValue = *(char*)ShadowAddr;
77 if (ShadowValue)
78 if ((X & 7) + N - 1 > ShadowValue)
79 __asan_report_loadN(X);
80 Stores are instrumented similarly, but using __asan_report_storeN functions.
81 A call too __asan_init_vN() is inserted to the list of module CTORs.
82 N is the version number of the AddressSanitizer API. The changes between the
83 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
84
85 The run-time library redefines malloc (so that redzone are inserted around
86 the allocated memory) and free (so that reuse of free-ed memory is delayed),
87 provides __asan_report* and __asan_init_vN functions.
88
89 Read more:
90 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
91
92 The current implementation supports detection of out-of-bounds and
93 use-after-free in the heap, on the stack and for global variables.
94
95 [Protection of stack variables]
96
97 To understand how detection of out-of-bounds and use-after-free works
98 for stack variables, lets look at this example on x86_64 where the
99 stack grows downward:
100
101 int
102 foo ()
103 {
104 char a[23] = {0};
105 int b[2] = {0};
106
107 a[5] = 1;
108 b[1] = 2;
109
110 return a[5] + b[1];
111 }
112
113 For this function, the stack protected by asan will be organized as
114 follows, from the top of the stack to the bottom:
115
116 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
117
118 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
119 the next slot be 32 bytes aligned; this one is called Partial
120 Redzone; this 32 bytes alignment is an asan constraint]
121
122 Slot 3/ [24 bytes for variable 'a']
123
124 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
125
126 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
127
128 Slot 6/ [8 bytes for variable 'b']
129
130 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
131 'LEFT RedZone']
132
133 The 32 bytes of LEFT red zone at the bottom of the stack can be
134 decomposed as such:
135
136 1/ The first 8 bytes contain a magical asan number that is always
137 0x41B58AB3.
138
139 2/ The following 8 bytes contains a pointer to a string (to be
140 parsed at runtime by the runtime asan library), which format is
141 the following:
142
143 "<function-name> <space> <num-of-variables-on-the-stack>
144 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
145 <length-of-var-in-bytes> ){n} "
146
147 where '(...){n}' means the content inside the parenthesis occurs 'n'
148 times, with 'n' being the number of variables on the stack.
149
150 3/ The following 8 bytes contain the PC of the current function which
151 will be used by the run-time library to print an error message.
152
153 4/ The following 8 bytes are reserved for internal use by the run-time.
154
155 The shadow memory for that stack layout is going to look like this:
156
157 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
158 The F1 byte pattern is a magic number called
159 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
160 the memory for that shadow byte is part of a the LEFT red zone
161 intended to seat at the bottom of the variables on the stack.
162
163 - content of shadow memory 8 bytes for slots 6 and 5:
164 0xF4F4F400. The F4 byte pattern is a magic number
165 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
166 memory region for this shadow byte is a PARTIAL red zone
167 intended to pad a variable A, so that the slot following
168 {A,padding} is 32 bytes aligned.
169
170 Note that the fact that the least significant byte of this
171 shadow memory content is 00 means that 8 bytes of its
172 corresponding memory (which corresponds to the memory of
173 variable 'b') is addressable.
174
175 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
176 The F2 byte pattern is a magic number called
177 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
178 region for this shadow byte is a MIDDLE red zone intended to
179 seat between two 32 aligned slots of {variable,padding}.
180
181 - content of shadow memory 8 bytes for slot 3 and 2:
182 0xF4000000. This represents is the concatenation of
183 variable 'a' and the partial red zone following it, like what we
184 had for variable 'b'. The least significant 3 bytes being 00
185 means that the 3 bytes of variable 'a' are addressable.
186
187 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
188 The F3 byte pattern is a magic number called
189 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
190 region for this shadow byte is a RIGHT red zone intended to seat
191 at the top of the variables of the stack.
192
193 Note that the real variable layout is done in expand_used_vars in
194 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
195 stack variables as well as the different red zones, emits some
196 prologue code to populate the shadow memory as to poison (mark as
197 non-accessible) the regions of the red zones and mark the regions of
198 stack variables as accessible, and emit some epilogue code to
199 un-poison (mark as accessible) the regions of red zones right before
200 the function exits.
201
202 [Protection of global variables]
203
204 The basic idea is to insert a red zone between two global variables
205 and install a constructor function that calls the asan runtime to do
206 the populating of the relevant shadow memory regions at load time.
207
208 So the global variables are laid out as to insert a red zone between
209 them. The size of the red zones is so that each variable starts on a
210 32 bytes boundary.
211
212 Then a constructor function is installed so that, for each global
213 variable, it calls the runtime asan library function
214 __asan_register_globals_with an instance of this type:
215
216 struct __asan_global
217 {
218 // Address of the beginning of the global variable.
219 const void *__beg;
220
221 // Initial size of the global variable.
222 uptr __size;
223
224 // Size of the global variable + size of the red zone. This
225 // size is 32 bytes aligned.
226 uptr __size_with_redzone;
227
228 // Name of the global variable.
229 const void *__name;
230
231 // Name of the module where the global variable is declared.
232 const void *__module_name;
233
234 // 1 if it has dynamic initialization, 0 otherwise.
235 uptr __has_dynamic_init;
236
237 // A pointer to struct that contains source location, could be NULL.
238 __asan_global_source_location *__location;
239 }
240
241 A destructor function that calls the runtime asan library function
242 _asan_unregister_globals is also installed. */
243
244 static unsigned HOST_WIDE_INT asan_shadow_offset_value;
245 static bool asan_shadow_offset_computed;
246 static vec<char *> sanitized_sections;
247
248 /* Return true if STMT is ASAN_MARK poisoning internal function call. */
249 static inline bool
250 asan_mark_poison_p (gimple *stmt)
251 {
252 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
253 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == ASAN_MARK_CLOBBER);
254
255 }
256
257 /* Set of variable declarations that are going to be guarded by
258 use-after-scope sanitizer. */
259
260 static hash_set<tree> *asan_handled_variables = NULL;
261
262 hash_set <tree> *asan_used_labels = NULL;
263
264 /* Sets shadow offset to value in string VAL. */
265
266 bool
267 set_asan_shadow_offset (const char *val)
268 {
269 char *endp;
270
271 errno = 0;
272 #ifdef HAVE_LONG_LONG
273 asan_shadow_offset_value = strtoull (val, &endp, 0);
274 #else
275 asan_shadow_offset_value = strtoul (val, &endp, 0);
276 #endif
277 if (!(*val != '\0' && *endp == '\0' && errno == 0))
278 return false;
279
280 asan_shadow_offset_computed = true;
281
282 return true;
283 }
284
285 /* Set list of user-defined sections that need to be sanitized. */
286
287 void
288 set_sanitized_sections (const char *sections)
289 {
290 char *pat;
291 unsigned i;
292 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
293 free (pat);
294 sanitized_sections.truncate (0);
295
296 for (const char *s = sections; *s; )
297 {
298 const char *end;
299 for (end = s; *end && *end != ','; ++end);
300 size_t len = end - s;
301 sanitized_sections.safe_push (xstrndup (s, len));
302 s = *end ? end + 1 : end;
303 }
304 }
305
306 bool
307 asan_sanitize_stack_p (void)
308 {
309 return ((flag_sanitize & SANITIZE_ADDRESS)
310 && ASAN_STACK
311 && !asan_no_sanitize_address_p ());
312 }
313
314 /* Checks whether section SEC should be sanitized. */
315
316 static bool
317 section_sanitized_p (const char *sec)
318 {
319 char *pat;
320 unsigned i;
321 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
322 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
323 return true;
324 return false;
325 }
326
327 /* Returns Asan shadow offset. */
328
329 static unsigned HOST_WIDE_INT
330 asan_shadow_offset ()
331 {
332 if (!asan_shadow_offset_computed)
333 {
334 asan_shadow_offset_computed = true;
335 asan_shadow_offset_value = targetm.asan_shadow_offset ();
336 }
337 return asan_shadow_offset_value;
338 }
339
340 alias_set_type asan_shadow_set = -1;
341
342 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
343 alias set is used for all shadow memory accesses. */
344 static GTY(()) tree shadow_ptr_types[3];
345
346 /* Decl for __asan_option_detect_stack_use_after_return. */
347 static GTY(()) tree asan_detect_stack_use_after_return;
348
349 /* Hashtable support for memory references used by gimple
350 statements. */
351
352 /* This type represents a reference to a memory region. */
353 struct asan_mem_ref
354 {
355 /* The expression of the beginning of the memory region. */
356 tree start;
357
358 /* The size of the access. */
359 HOST_WIDE_INT access_size;
360 };
361
362 object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
363
364 /* Initializes an instance of asan_mem_ref. */
365
366 static void
367 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
368 {
369 ref->start = start;
370 ref->access_size = access_size;
371 }
372
373 /* Allocates memory for an instance of asan_mem_ref into the memory
374 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
375 START is the address of (or the expression pointing to) the
376 beginning of memory reference. ACCESS_SIZE is the size of the
377 access to the referenced memory. */
378
379 static asan_mem_ref*
380 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
381 {
382 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
383
384 asan_mem_ref_init (ref, start, access_size);
385 return ref;
386 }
387
388 /* This builds and returns a pointer to the end of the memory region
389 that starts at START and of length LEN. */
390
391 tree
392 asan_mem_ref_get_end (tree start, tree len)
393 {
394 if (len == NULL_TREE || integer_zerop (len))
395 return start;
396
397 if (!ptrofftype_p (len))
398 len = convert_to_ptrofftype (len);
399
400 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
401 }
402
403 /* Return a tree expression that represents the end of the referenced
404 memory region. Beware that this function can actually build a new
405 tree expression. */
406
407 tree
408 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
409 {
410 return asan_mem_ref_get_end (ref->start, len);
411 }
412
413 struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
414 {
415 static inline hashval_t hash (const asan_mem_ref *);
416 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
417 };
418
419 /* Hash a memory reference. */
420
421 inline hashval_t
422 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
423 {
424 return iterative_hash_expr (mem_ref->start, 0);
425 }
426
427 /* Compare two memory references. We accept the length of either
428 memory references to be NULL_TREE. */
429
430 inline bool
431 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
432 const asan_mem_ref *m2)
433 {
434 return operand_equal_p (m1->start, m2->start, 0);
435 }
436
437 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
438
439 /* Returns a reference to the hash table containing memory references.
440 This function ensures that the hash table is created. Note that
441 this hash table is updated by the function
442 update_mem_ref_hash_table. */
443
444 static hash_table<asan_mem_ref_hasher> *
445 get_mem_ref_hash_table ()
446 {
447 if (!asan_mem_ref_ht)
448 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
449
450 return asan_mem_ref_ht;
451 }
452
453 /* Clear all entries from the memory references hash table. */
454
455 static void
456 empty_mem_ref_hash_table ()
457 {
458 if (asan_mem_ref_ht)
459 asan_mem_ref_ht->empty ();
460 }
461
462 /* Free the memory references hash table. */
463
464 static void
465 free_mem_ref_resources ()
466 {
467 delete asan_mem_ref_ht;
468 asan_mem_ref_ht = NULL;
469
470 asan_mem_ref_pool.release ();
471 }
472
473 /* Return true iff the memory reference REF has been instrumented. */
474
475 static bool
476 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
477 {
478 asan_mem_ref r;
479 asan_mem_ref_init (&r, ref, access_size);
480
481 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
482 return saved_ref && saved_ref->access_size >= access_size;
483 }
484
485 /* Return true iff the memory reference REF has been instrumented. */
486
487 static bool
488 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
489 {
490 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
491 }
492
493 /* Return true iff access to memory region starting at REF and of
494 length LEN has been instrumented. */
495
496 static bool
497 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
498 {
499 HOST_WIDE_INT size_in_bytes
500 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
501
502 return size_in_bytes != -1
503 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
504 }
505
506 /* Set REF to the memory reference present in a gimple assignment
507 ASSIGNMENT. Return true upon successful completion, false
508 otherwise. */
509
510 static bool
511 get_mem_ref_of_assignment (const gassign *assignment,
512 asan_mem_ref *ref,
513 bool *ref_is_store)
514 {
515 gcc_assert (gimple_assign_single_p (assignment));
516
517 if (gimple_store_p (assignment)
518 && !gimple_clobber_p (assignment))
519 {
520 ref->start = gimple_assign_lhs (assignment);
521 *ref_is_store = true;
522 }
523 else if (gimple_assign_load_p (assignment))
524 {
525 ref->start = gimple_assign_rhs1 (assignment);
526 *ref_is_store = false;
527 }
528 else
529 return false;
530
531 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
532 return true;
533 }
534
535 /* Return the memory references contained in a gimple statement
536 representing a builtin call that has to do with memory access. */
537
538 static bool
539 get_mem_refs_of_builtin_call (const gcall *call,
540 asan_mem_ref *src0,
541 tree *src0_len,
542 bool *src0_is_store,
543 asan_mem_ref *src1,
544 tree *src1_len,
545 bool *src1_is_store,
546 asan_mem_ref *dst,
547 tree *dst_len,
548 bool *dst_is_store,
549 bool *dest_is_deref,
550 bool *intercepted_p)
551 {
552 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
553
554 tree callee = gimple_call_fndecl (call);
555 tree source0 = NULL_TREE, source1 = NULL_TREE,
556 dest = NULL_TREE, len = NULL_TREE;
557 bool is_store = true, got_reference_p = false;
558 HOST_WIDE_INT access_size = 1;
559
560 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
561
562 switch (DECL_FUNCTION_CODE (callee))
563 {
564 /* (s, s, n) style memops. */
565 case BUILT_IN_BCMP:
566 case BUILT_IN_MEMCMP:
567 source0 = gimple_call_arg (call, 0);
568 source1 = gimple_call_arg (call, 1);
569 len = gimple_call_arg (call, 2);
570 break;
571
572 /* (src, dest, n) style memops. */
573 case BUILT_IN_BCOPY:
574 source0 = gimple_call_arg (call, 0);
575 dest = gimple_call_arg (call, 1);
576 len = gimple_call_arg (call, 2);
577 break;
578
579 /* (dest, src, n) style memops. */
580 case BUILT_IN_MEMCPY:
581 case BUILT_IN_MEMCPY_CHK:
582 case BUILT_IN_MEMMOVE:
583 case BUILT_IN_MEMMOVE_CHK:
584 case BUILT_IN_MEMPCPY:
585 case BUILT_IN_MEMPCPY_CHK:
586 dest = gimple_call_arg (call, 0);
587 source0 = gimple_call_arg (call, 1);
588 len = gimple_call_arg (call, 2);
589 break;
590
591 /* (dest, n) style memops. */
592 case BUILT_IN_BZERO:
593 dest = gimple_call_arg (call, 0);
594 len = gimple_call_arg (call, 1);
595 break;
596
597 /* (dest, x, n) style memops*/
598 case BUILT_IN_MEMSET:
599 case BUILT_IN_MEMSET_CHK:
600 dest = gimple_call_arg (call, 0);
601 len = gimple_call_arg (call, 2);
602 break;
603
604 case BUILT_IN_STRLEN:
605 source0 = gimple_call_arg (call, 0);
606 len = gimple_call_lhs (call);
607 break ;
608
609 /* And now the __atomic* and __sync builtins.
610 These are handled differently from the classical memory memory
611 access builtins above. */
612
613 case BUILT_IN_ATOMIC_LOAD_1:
614 case BUILT_IN_ATOMIC_LOAD_2:
615 case BUILT_IN_ATOMIC_LOAD_4:
616 case BUILT_IN_ATOMIC_LOAD_8:
617 case BUILT_IN_ATOMIC_LOAD_16:
618 is_store = false;
619 /* fall through. */
620
621 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
622 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
623 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
624 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
625 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
626
627 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
628 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
629 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
630 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
631 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
632
633 case BUILT_IN_SYNC_FETCH_AND_OR_1:
634 case BUILT_IN_SYNC_FETCH_AND_OR_2:
635 case BUILT_IN_SYNC_FETCH_AND_OR_4:
636 case BUILT_IN_SYNC_FETCH_AND_OR_8:
637 case BUILT_IN_SYNC_FETCH_AND_OR_16:
638
639 case BUILT_IN_SYNC_FETCH_AND_AND_1:
640 case BUILT_IN_SYNC_FETCH_AND_AND_2:
641 case BUILT_IN_SYNC_FETCH_AND_AND_4:
642 case BUILT_IN_SYNC_FETCH_AND_AND_8:
643 case BUILT_IN_SYNC_FETCH_AND_AND_16:
644
645 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
646 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
647 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
648 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
649 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
650
651 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
652 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
653 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
654 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
655
656 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
657 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
658 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
659 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
660 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
661
662 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
663 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
664 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
665 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
666 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
667
668 case BUILT_IN_SYNC_OR_AND_FETCH_1:
669 case BUILT_IN_SYNC_OR_AND_FETCH_2:
670 case BUILT_IN_SYNC_OR_AND_FETCH_4:
671 case BUILT_IN_SYNC_OR_AND_FETCH_8:
672 case BUILT_IN_SYNC_OR_AND_FETCH_16:
673
674 case BUILT_IN_SYNC_AND_AND_FETCH_1:
675 case BUILT_IN_SYNC_AND_AND_FETCH_2:
676 case BUILT_IN_SYNC_AND_AND_FETCH_4:
677 case BUILT_IN_SYNC_AND_AND_FETCH_8:
678 case BUILT_IN_SYNC_AND_AND_FETCH_16:
679
680 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
681 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
682 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
683 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
684 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
685
686 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
687 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
688 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
689 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
690
691 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
692 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
693 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
694 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
695 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
696
697 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
698 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
699 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
700 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
701 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
702
703 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
704 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
705 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
706 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
707 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
708
709 case BUILT_IN_SYNC_LOCK_RELEASE_1:
710 case BUILT_IN_SYNC_LOCK_RELEASE_2:
711 case BUILT_IN_SYNC_LOCK_RELEASE_4:
712 case BUILT_IN_SYNC_LOCK_RELEASE_8:
713 case BUILT_IN_SYNC_LOCK_RELEASE_16:
714
715 case BUILT_IN_ATOMIC_EXCHANGE_1:
716 case BUILT_IN_ATOMIC_EXCHANGE_2:
717 case BUILT_IN_ATOMIC_EXCHANGE_4:
718 case BUILT_IN_ATOMIC_EXCHANGE_8:
719 case BUILT_IN_ATOMIC_EXCHANGE_16:
720
721 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
722 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
723 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
724 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
725 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
726
727 case BUILT_IN_ATOMIC_STORE_1:
728 case BUILT_IN_ATOMIC_STORE_2:
729 case BUILT_IN_ATOMIC_STORE_4:
730 case BUILT_IN_ATOMIC_STORE_8:
731 case BUILT_IN_ATOMIC_STORE_16:
732
733 case BUILT_IN_ATOMIC_ADD_FETCH_1:
734 case BUILT_IN_ATOMIC_ADD_FETCH_2:
735 case BUILT_IN_ATOMIC_ADD_FETCH_4:
736 case BUILT_IN_ATOMIC_ADD_FETCH_8:
737 case BUILT_IN_ATOMIC_ADD_FETCH_16:
738
739 case BUILT_IN_ATOMIC_SUB_FETCH_1:
740 case BUILT_IN_ATOMIC_SUB_FETCH_2:
741 case BUILT_IN_ATOMIC_SUB_FETCH_4:
742 case BUILT_IN_ATOMIC_SUB_FETCH_8:
743 case BUILT_IN_ATOMIC_SUB_FETCH_16:
744
745 case BUILT_IN_ATOMIC_AND_FETCH_1:
746 case BUILT_IN_ATOMIC_AND_FETCH_2:
747 case BUILT_IN_ATOMIC_AND_FETCH_4:
748 case BUILT_IN_ATOMIC_AND_FETCH_8:
749 case BUILT_IN_ATOMIC_AND_FETCH_16:
750
751 case BUILT_IN_ATOMIC_NAND_FETCH_1:
752 case BUILT_IN_ATOMIC_NAND_FETCH_2:
753 case BUILT_IN_ATOMIC_NAND_FETCH_4:
754 case BUILT_IN_ATOMIC_NAND_FETCH_8:
755 case BUILT_IN_ATOMIC_NAND_FETCH_16:
756
757 case BUILT_IN_ATOMIC_XOR_FETCH_1:
758 case BUILT_IN_ATOMIC_XOR_FETCH_2:
759 case BUILT_IN_ATOMIC_XOR_FETCH_4:
760 case BUILT_IN_ATOMIC_XOR_FETCH_8:
761 case BUILT_IN_ATOMIC_XOR_FETCH_16:
762
763 case BUILT_IN_ATOMIC_OR_FETCH_1:
764 case BUILT_IN_ATOMIC_OR_FETCH_2:
765 case BUILT_IN_ATOMIC_OR_FETCH_4:
766 case BUILT_IN_ATOMIC_OR_FETCH_8:
767 case BUILT_IN_ATOMIC_OR_FETCH_16:
768
769 case BUILT_IN_ATOMIC_FETCH_ADD_1:
770 case BUILT_IN_ATOMIC_FETCH_ADD_2:
771 case BUILT_IN_ATOMIC_FETCH_ADD_4:
772 case BUILT_IN_ATOMIC_FETCH_ADD_8:
773 case BUILT_IN_ATOMIC_FETCH_ADD_16:
774
775 case BUILT_IN_ATOMIC_FETCH_SUB_1:
776 case BUILT_IN_ATOMIC_FETCH_SUB_2:
777 case BUILT_IN_ATOMIC_FETCH_SUB_4:
778 case BUILT_IN_ATOMIC_FETCH_SUB_8:
779 case BUILT_IN_ATOMIC_FETCH_SUB_16:
780
781 case BUILT_IN_ATOMIC_FETCH_AND_1:
782 case BUILT_IN_ATOMIC_FETCH_AND_2:
783 case BUILT_IN_ATOMIC_FETCH_AND_4:
784 case BUILT_IN_ATOMIC_FETCH_AND_8:
785 case BUILT_IN_ATOMIC_FETCH_AND_16:
786
787 case BUILT_IN_ATOMIC_FETCH_NAND_1:
788 case BUILT_IN_ATOMIC_FETCH_NAND_2:
789 case BUILT_IN_ATOMIC_FETCH_NAND_4:
790 case BUILT_IN_ATOMIC_FETCH_NAND_8:
791 case BUILT_IN_ATOMIC_FETCH_NAND_16:
792
793 case BUILT_IN_ATOMIC_FETCH_XOR_1:
794 case BUILT_IN_ATOMIC_FETCH_XOR_2:
795 case BUILT_IN_ATOMIC_FETCH_XOR_4:
796 case BUILT_IN_ATOMIC_FETCH_XOR_8:
797 case BUILT_IN_ATOMIC_FETCH_XOR_16:
798
799 case BUILT_IN_ATOMIC_FETCH_OR_1:
800 case BUILT_IN_ATOMIC_FETCH_OR_2:
801 case BUILT_IN_ATOMIC_FETCH_OR_4:
802 case BUILT_IN_ATOMIC_FETCH_OR_8:
803 case BUILT_IN_ATOMIC_FETCH_OR_16:
804 {
805 dest = gimple_call_arg (call, 0);
806 /* DEST represents the address of a memory location.
807 instrument_derefs wants the memory location, so lets
808 dereference the address DEST before handing it to
809 instrument_derefs. */
810 if (TREE_CODE (dest) == ADDR_EXPR)
811 dest = TREE_OPERAND (dest, 0);
812 else if (TREE_CODE (dest) == SSA_NAME || TREE_CODE (dest) == INTEGER_CST)
813 dest = build2 (MEM_REF, TREE_TYPE (TREE_TYPE (dest)),
814 dest, build_int_cst (TREE_TYPE (dest), 0));
815 else
816 gcc_unreachable ();
817
818 access_size = int_size_in_bytes (TREE_TYPE (dest));
819 }
820
821 default:
822 /* The other builtins memory access are not instrumented in this
823 function because they either don't have any length parameter,
824 or their length parameter is just a limit. */
825 break;
826 }
827
828 if (len != NULL_TREE)
829 {
830 if (source0 != NULL_TREE)
831 {
832 src0->start = source0;
833 src0->access_size = access_size;
834 *src0_len = len;
835 *src0_is_store = false;
836 }
837
838 if (source1 != NULL_TREE)
839 {
840 src1->start = source1;
841 src1->access_size = access_size;
842 *src1_len = len;
843 *src1_is_store = false;
844 }
845
846 if (dest != NULL_TREE)
847 {
848 dst->start = dest;
849 dst->access_size = access_size;
850 *dst_len = len;
851 *dst_is_store = true;
852 }
853
854 got_reference_p = true;
855 }
856 else if (dest)
857 {
858 dst->start = dest;
859 dst->access_size = access_size;
860 *dst_len = NULL_TREE;
861 *dst_is_store = is_store;
862 *dest_is_deref = true;
863 got_reference_p = true;
864 }
865
866 return got_reference_p;
867 }
868
869 /* Return true iff a given gimple statement has been instrumented.
870 Note that the statement is "defined" by the memory references it
871 contains. */
872
873 static bool
874 has_stmt_been_instrumented_p (gimple *stmt)
875 {
876 if (gimple_assign_single_p (stmt))
877 {
878 bool r_is_store;
879 asan_mem_ref r;
880 asan_mem_ref_init (&r, NULL, 1);
881
882 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
883 &r_is_store))
884 return has_mem_ref_been_instrumented (&r);
885 }
886 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
887 {
888 asan_mem_ref src0, src1, dest;
889 asan_mem_ref_init (&src0, NULL, 1);
890 asan_mem_ref_init (&src1, NULL, 1);
891 asan_mem_ref_init (&dest, NULL, 1);
892
893 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
894 bool src0_is_store = false, src1_is_store = false,
895 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
896 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
897 &src0, &src0_len, &src0_is_store,
898 &src1, &src1_len, &src1_is_store,
899 &dest, &dest_len, &dest_is_store,
900 &dest_is_deref, &intercepted_p))
901 {
902 if (src0.start != NULL_TREE
903 && !has_mem_ref_been_instrumented (&src0, src0_len))
904 return false;
905
906 if (src1.start != NULL_TREE
907 && !has_mem_ref_been_instrumented (&src1, src1_len))
908 return false;
909
910 if (dest.start != NULL_TREE
911 && !has_mem_ref_been_instrumented (&dest, dest_len))
912 return false;
913
914 return true;
915 }
916 }
917 else if (is_gimple_call (stmt) && gimple_store_p (stmt))
918 {
919 asan_mem_ref r;
920 asan_mem_ref_init (&r, NULL, 1);
921
922 r.start = gimple_call_lhs (stmt);
923 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
924 return has_mem_ref_been_instrumented (&r);
925 }
926
927 return false;
928 }
929
930 /* Insert a memory reference into the hash table. */
931
932 static void
933 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
934 {
935 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
936
937 asan_mem_ref r;
938 asan_mem_ref_init (&r, ref, access_size);
939
940 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
941 if (*slot == NULL || (*slot)->access_size < access_size)
942 *slot = asan_mem_ref_new (ref, access_size);
943 }
944
945 /* Initialize shadow_ptr_types array. */
946
947 static void
948 asan_init_shadow_ptr_types (void)
949 {
950 asan_shadow_set = new_alias_set ();
951 tree types[3] = { signed_char_type_node, short_integer_type_node,
952 integer_type_node };
953
954 for (unsigned i = 0; i < 3; i++)
955 {
956 shadow_ptr_types[i] = build_distinct_type_copy (types[i]);
957 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set;
958 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]);
959 }
960
961 initialize_sanitizer_builtins ();
962 }
963
964 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
965
966 static tree
967 asan_pp_string (pretty_printer *pp)
968 {
969 const char *buf = pp_formatted_text (pp);
970 size_t len = strlen (buf);
971 tree ret = build_string (len + 1, buf);
972 TREE_TYPE (ret)
973 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
974 build_index_type (size_int (len)));
975 TREE_READONLY (ret) = 1;
976 TREE_STATIC (ret) = 1;
977 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
978 }
979
980 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
981
982 static rtx
983 asan_shadow_cst (unsigned char shadow_bytes[4])
984 {
985 int i;
986 unsigned HOST_WIDE_INT val = 0;
987 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
988 for (i = 0; i < 4; i++)
989 val |= (unsigned HOST_WIDE_INT) shadow_bytes[BYTES_BIG_ENDIAN ? 3 - i : i]
990 << (BITS_PER_UNIT * i);
991 return gen_int_mode (val, SImode);
992 }
993
994 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
995 though. */
996
997 static void
998 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
999 {
1000 rtx_insn *insn, *insns, *jump;
1001 rtx_code_label *top_label;
1002 rtx end, addr, tmp;
1003
1004 start_sequence ();
1005 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
1006 insns = get_insns ();
1007 end_sequence ();
1008 for (insn = insns; insn; insn = NEXT_INSN (insn))
1009 if (CALL_P (insn))
1010 break;
1011 if (insn == NULL_RTX)
1012 {
1013 emit_insn (insns);
1014 return;
1015 }
1016
1017 gcc_assert ((len & 3) == 0);
1018 top_label = gen_label_rtx ();
1019 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
1020 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1021 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1022 emit_label (top_label);
1023
1024 emit_move_insn (shadow_mem, const0_rtx);
1025 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
1026 true, OPTAB_LIB_WIDEN);
1027 if (tmp != addr)
1028 emit_move_insn (addr, tmp);
1029 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1030 jump = get_last_insn ();
1031 gcc_assert (JUMP_P (jump));
1032 add_int_reg_note (jump, REG_BR_PROB, REG_BR_PROB_BASE * 80 / 100);
1033 }
1034
1035 void
1036 asan_function_start (void)
1037 {
1038 section *fnsec = function_section (current_function_decl);
1039 switch_to_section (fnsec);
1040 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
1041 current_function_funcdef_no);
1042 }
1043
1044 /* Return number of shadow bytes that are occupied by a local variable
1045 of SIZE bytes. */
1046
1047 static unsigned HOST_WIDE_INT
1048 shadow_mem_size (unsigned HOST_WIDE_INT size)
1049 {
1050 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY;
1051 }
1052
1053 /* Insert code to protect stack vars. The prologue sequence should be emitted
1054 directly, epilogue sequence returned. BASE is the register holding the
1055 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1056 array contains pairs of offsets in reverse order, always the end offset
1057 of some gap that needs protection followed by starting offset,
1058 and DECLS is an array of representative decls for each var partition.
1059 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1060 elements long (OFFSETS include gap before the first variable as well
1061 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1062 register which stack vars DECL_RTLs are based on. Either BASE should be
1063 assigned to PBASE, when not doing use after return protection, or
1064 corresponding address based on __asan_stack_malloc* return value. */
1065
1066 rtx_insn *
1067 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1068 HOST_WIDE_INT *offsets, tree *decls, int length)
1069 {
1070 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1071 rtx_code_label *lab;
1072 rtx_insn *insns;
1073 char buf[30];
1074 unsigned char shadow_bytes[4];
1075 HOST_WIDE_INT base_offset = offsets[length - 1];
1076 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1077 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
1078 HOST_WIDE_INT last_offset;
1079 int l;
1080 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
1081 tree str_cst, decl, id;
1082 int use_after_return_class = -1;
1083
1084 if (shadow_ptr_types[0] == NULL_TREE)
1085 asan_init_shadow_ptr_types ();
1086
1087 /* First of all, prepare the description string. */
1088 pretty_printer asan_pp;
1089
1090 pp_decimal_int (&asan_pp, length / 2 - 1);
1091 pp_space (&asan_pp);
1092 for (l = length - 2; l; l -= 2)
1093 {
1094 tree decl = decls[l / 2 - 1];
1095 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1096 pp_space (&asan_pp);
1097 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1098 pp_space (&asan_pp);
1099 if (DECL_P (decl) && DECL_NAME (decl))
1100 {
1101 pp_decimal_int (&asan_pp, IDENTIFIER_LENGTH (DECL_NAME (decl)));
1102 pp_space (&asan_pp);
1103 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
1104 }
1105 else
1106 pp_string (&asan_pp, "9 <unknown>");
1107 pp_space (&asan_pp);
1108 }
1109 str_cst = asan_pp_string (&asan_pp);
1110
1111 /* Emit the prologue sequence. */
1112 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1113 && ASAN_USE_AFTER_RETURN)
1114 {
1115 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1116 /* __asan_stack_malloc_N guarantees alignment
1117 N < 6 ? (64 << N) : 4096 bytes. */
1118 if (alignb > (use_after_return_class < 6
1119 ? (64U << use_after_return_class) : 4096U))
1120 use_after_return_class = -1;
1121 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1122 base_align_bias = ((asan_frame_size + alignb - 1)
1123 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1124 }
1125 /* Align base if target is STRICT_ALIGNMENT. */
1126 if (STRICT_ALIGNMENT)
1127 base = expand_binop (Pmode, and_optab, base,
1128 gen_int_mode (-((GET_MODE_ALIGNMENT (SImode)
1129 << ASAN_SHADOW_SHIFT)
1130 / BITS_PER_UNIT), Pmode), NULL_RTX,
1131 1, OPTAB_DIRECT);
1132
1133 if (use_after_return_class == -1 && pbase)
1134 emit_move_insn (pbase, base);
1135
1136 base = expand_binop (Pmode, add_optab, base,
1137 gen_int_mode (base_offset - base_align_bias, Pmode),
1138 NULL_RTX, 1, OPTAB_DIRECT);
1139 orig_base = NULL_RTX;
1140 if (use_after_return_class != -1)
1141 {
1142 if (asan_detect_stack_use_after_return == NULL_TREE)
1143 {
1144 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1145 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1146 integer_type_node);
1147 SET_DECL_ASSEMBLER_NAME (decl, id);
1148 TREE_ADDRESSABLE (decl) = 1;
1149 DECL_ARTIFICIAL (decl) = 1;
1150 DECL_IGNORED_P (decl) = 1;
1151 DECL_EXTERNAL (decl) = 1;
1152 TREE_STATIC (decl) = 1;
1153 TREE_PUBLIC (decl) = 1;
1154 TREE_USED (decl) = 1;
1155 asan_detect_stack_use_after_return = decl;
1156 }
1157 orig_base = gen_reg_rtx (Pmode);
1158 emit_move_insn (orig_base, base);
1159 ret = expand_normal (asan_detect_stack_use_after_return);
1160 lab = gen_label_rtx ();
1161 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1162 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1163 VOIDmode, 0, lab, very_likely);
1164 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1165 use_after_return_class);
1166 ret = init_one_libfunc (buf);
1167 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode, 1,
1168 GEN_INT (asan_frame_size
1169 + base_align_bias),
1170 TYPE_MODE (pointer_sized_int_node));
1171 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1172 and NULL otherwise. Check RET value is NULL here and jump over the
1173 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1174 int very_unlikely = REG_BR_PROB_BASE / 2000 - 1;
1175 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1176 VOIDmode, 0, lab, very_unlikely);
1177 ret = convert_memory_address (Pmode, ret);
1178 emit_move_insn (base, ret);
1179 emit_label (lab);
1180 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1181 gen_int_mode (base_align_bias
1182 - base_offset, Pmode),
1183 NULL_RTX, 1, OPTAB_DIRECT));
1184 }
1185 mem = gen_rtx_MEM (ptr_mode, base);
1186 mem = adjust_address (mem, VOIDmode, base_align_bias);
1187 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1188 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1189 emit_move_insn (mem, expand_normal (str_cst));
1190 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1191 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1192 id = get_identifier (buf);
1193 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1194 VAR_DECL, id, char_type_node);
1195 SET_DECL_ASSEMBLER_NAME (decl, id);
1196 TREE_ADDRESSABLE (decl) = 1;
1197 TREE_READONLY (decl) = 1;
1198 DECL_ARTIFICIAL (decl) = 1;
1199 DECL_IGNORED_P (decl) = 1;
1200 TREE_STATIC (decl) = 1;
1201 TREE_PUBLIC (decl) = 0;
1202 TREE_USED (decl) = 1;
1203 DECL_INITIAL (decl) = decl;
1204 TREE_ASM_WRITTEN (decl) = 1;
1205 TREE_ASM_WRITTEN (id) = 1;
1206 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
1207 shadow_base = expand_binop (Pmode, lshr_optab, base,
1208 GEN_INT (ASAN_SHADOW_SHIFT),
1209 NULL_RTX, 1, OPTAB_DIRECT);
1210 shadow_base
1211 = plus_constant (Pmode, shadow_base,
1212 asan_shadow_offset ()
1213 + (base_align_bias >> ASAN_SHADOW_SHIFT));
1214 gcc_assert (asan_shadow_set != -1
1215 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1216 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1217 set_mem_alias_set (shadow_mem, asan_shadow_set);
1218 if (STRICT_ALIGNMENT)
1219 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1220 prev_offset = base_offset;
1221 for (l = length; l; l -= 2)
1222 {
1223 if (l == 2)
1224 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1225 offset = offsets[l - 1];
1226 if ((offset - base_offset) & (ASAN_RED_ZONE_SIZE - 1))
1227 {
1228 int i;
1229 HOST_WIDE_INT aoff
1230 = base_offset + ((offset - base_offset)
1231 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1232 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1233 (aoff - prev_offset)
1234 >> ASAN_SHADOW_SHIFT);
1235 prev_offset = aoff;
1236 for (i = 0; i < 4; i++, aoff += ASAN_SHADOW_GRANULARITY)
1237 if (aoff < offset)
1238 {
1239 if (aoff < offset - (HOST_WIDE_INT)ASAN_SHADOW_GRANULARITY + 1)
1240 shadow_bytes[i] = 0;
1241 else
1242 shadow_bytes[i] = offset - aoff;
1243 }
1244 else
1245 shadow_bytes[i] = ASAN_STACK_MAGIC_MIDDLE;
1246 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1247 offset = aoff;
1248 }
1249 while (offset <= offsets[l - 2] - ASAN_RED_ZONE_SIZE)
1250 {
1251 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1252 (offset - prev_offset)
1253 >> ASAN_SHADOW_SHIFT);
1254 prev_offset = offset;
1255 memset (shadow_bytes, cur_shadow_byte, 4);
1256 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1257 offset += ASAN_RED_ZONE_SIZE;
1258 }
1259 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1260 }
1261 do_pending_stack_adjust ();
1262
1263 /* Construct epilogue sequence. */
1264 start_sequence ();
1265
1266 lab = NULL;
1267 if (use_after_return_class != -1)
1268 {
1269 rtx_code_label *lab2 = gen_label_rtx ();
1270 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
1271 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1272 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
1273 VOIDmode, 0, lab2, very_likely);
1274 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1275 set_mem_alias_set (shadow_mem, asan_shadow_set);
1276 mem = gen_rtx_MEM (ptr_mode, base);
1277 mem = adjust_address (mem, VOIDmode, base_align_bias);
1278 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
1279 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
1280 if (use_after_return_class < 5
1281 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
1282 BITS_PER_UNIT, true))
1283 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
1284 BITS_PER_UNIT, true, 0);
1285 else if (use_after_return_class >= 5
1286 || !set_storage_via_setmem (shadow_mem,
1287 GEN_INT (sz),
1288 gen_int_mode (c, QImode),
1289 BITS_PER_UNIT, BITS_PER_UNIT,
1290 -1, sz, sz, sz))
1291 {
1292 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
1293 use_after_return_class);
1294 ret = init_one_libfunc (buf);
1295 rtx addr = convert_memory_address (ptr_mode, base);
1296 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
1297 emit_library_call (ret, LCT_NORMAL, ptr_mode, 3, addr, ptr_mode,
1298 GEN_INT (asan_frame_size + base_align_bias),
1299 TYPE_MODE (pointer_sized_int_node),
1300 orig_addr, ptr_mode);
1301 }
1302 lab = gen_label_rtx ();
1303 emit_jump (lab);
1304 emit_label (lab2);
1305 }
1306
1307 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1308 set_mem_alias_set (shadow_mem, asan_shadow_set);
1309
1310 if (STRICT_ALIGNMENT)
1311 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1312
1313 /* Unpoison shadow memory of a stack at the very end of a function.
1314 As we're poisoning stack variables at the end of their scope,
1315 shadow memory must be properly unpoisoned here. The easiest approach
1316 would be to collect all variables that should not be unpoisoned and
1317 we unpoison shadow memory of the whole stack except ranges
1318 occupied by these variables. */
1319 last_offset = base_offset;
1320 HOST_WIDE_INT current_offset = last_offset;
1321 if (length)
1322 {
1323 HOST_WIDE_INT var_end_offset = 0;
1324 HOST_WIDE_INT stack_start = offsets[length - 1];
1325 gcc_assert (last_offset == stack_start);
1326
1327 for (int l = length - 2; l > 0; l -= 2)
1328 {
1329 HOST_WIDE_INT var_offset = offsets[l];
1330 current_offset = var_offset;
1331 var_end_offset = offsets[l - 1];
1332 HOST_WIDE_INT rounded_size = ROUND_UP (var_end_offset - var_offset,
1333 BITS_PER_UNIT);
1334
1335 /* Should we unpoison the variable? */
1336 if (asan_handled_variables != NULL
1337 && asan_handled_variables->contains (decl))
1338 {
1339 if (dump_file && (dump_flags & TDF_DETAILS))
1340 {
1341 const char *n = (DECL_NAME (decl)
1342 ? IDENTIFIER_POINTER (DECL_NAME (decl))
1343 : "<unknown>");
1344 fprintf (dump_file, "Unpoisoning shadow stack for variable: "
1345 "%s (%" PRId64 "B)\n", n,
1346 var_end_offset - var_offset);
1347 }
1348
1349 unsigned HOST_WIDE_INT s
1350 = shadow_mem_size (current_offset - last_offset);
1351 asan_clear_shadow (shadow_mem, s);
1352 HOST_WIDE_INT shift
1353 = shadow_mem_size (current_offset - last_offset + rounded_size);
1354 shadow_mem = adjust_address (shadow_mem, VOIDmode, shift);
1355 last_offset = var_offset + rounded_size;
1356 current_offset = last_offset;
1357 }
1358
1359 }
1360
1361 /* Handle last redzone. */
1362 current_offset = offsets[0];
1363 asan_clear_shadow (shadow_mem,
1364 shadow_mem_size (current_offset - last_offset));
1365 }
1366
1367 /* Clean-up set with instrumented stack variables. */
1368 delete asan_handled_variables;
1369 asan_handled_variables = NULL;
1370 delete asan_used_labels;
1371 asan_used_labels = NULL;
1372
1373 do_pending_stack_adjust ();
1374 if (lab)
1375 emit_label (lab);
1376
1377 insns = get_insns ();
1378 end_sequence ();
1379 return insns;
1380 }
1381
1382 /* Return true if DECL, a global var, might be overridden and needs
1383 therefore a local alias. */
1384
1385 static bool
1386 asan_needs_local_alias (tree decl)
1387 {
1388 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
1389 }
1390
1391 /* Return true if DECL is a VAR_DECL that should be protected
1392 by Address Sanitizer, by appending a red zone with protected
1393 shadow memory after it and aligning it to at least
1394 ASAN_RED_ZONE_SIZE bytes. */
1395
1396 bool
1397 asan_protect_global (tree decl)
1398 {
1399 if (!ASAN_GLOBALS)
1400 return false;
1401
1402 rtx rtl, symbol;
1403
1404 if (TREE_CODE (decl) == STRING_CST)
1405 {
1406 /* Instrument all STRING_CSTs except those created
1407 by asan_pp_string here. */
1408 if (shadow_ptr_types[0] != NULL_TREE
1409 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
1410 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
1411 return false;
1412 return true;
1413 }
1414 if (!VAR_P (decl)
1415 /* TLS vars aren't statically protectable. */
1416 || DECL_THREAD_LOCAL_P (decl)
1417 /* Externs will be protected elsewhere. */
1418 || DECL_EXTERNAL (decl)
1419 || !DECL_RTL_SET_P (decl)
1420 /* Comdat vars pose an ABI problem, we can't know if
1421 the var that is selected by the linker will have
1422 padding or not. */
1423 || DECL_ONE_ONLY (decl)
1424 /* Similarly for common vars. People can use -fno-common.
1425 Note: Linux kernel is built with -fno-common, so we do instrument
1426 globals there even if it is C. */
1427 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
1428 /* Don't protect if using user section, often vars placed
1429 into user section from multiple TUs are then assumed
1430 to be an array of such vars, putting padding in there
1431 breaks this assumption. */
1432 || (DECL_SECTION_NAME (decl) != NULL
1433 && !symtab_node::get (decl)->implicit_section
1434 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
1435 || DECL_SIZE (decl) == 0
1436 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
1437 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
1438 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
1439 || TREE_TYPE (decl) == ubsan_get_source_location_type ())
1440 return false;
1441
1442 rtl = DECL_RTL (decl);
1443 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
1444 return false;
1445 symbol = XEXP (rtl, 0);
1446
1447 if (CONSTANT_POOL_ADDRESS_P (symbol)
1448 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
1449 return false;
1450
1451 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
1452 return false;
1453
1454 #ifndef ASM_OUTPUT_DEF
1455 if (asan_needs_local_alias (decl))
1456 return false;
1457 #endif
1458
1459 return true;
1460 }
1461
1462 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
1463 IS_STORE is either 1 (for a store) or 0 (for a load). */
1464
1465 static tree
1466 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1467 int *nargs)
1468 {
1469 static enum built_in_function report[2][2][6]
1470 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
1471 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
1472 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
1473 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
1474 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
1475 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
1476 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
1477 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
1478 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
1479 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
1480 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
1481 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
1482 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
1483 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
1484 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
1485 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
1486 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
1487 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
1488 if (size_in_bytes == -1)
1489 {
1490 *nargs = 2;
1491 return builtin_decl_implicit (report[recover_p][is_store][5]);
1492 }
1493 *nargs = 1;
1494 int size_log2 = exact_log2 (size_in_bytes);
1495 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
1496 }
1497
1498 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
1499 IS_STORE is either 1 (for a store) or 0 (for a load). */
1500
1501 static tree
1502 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1503 int *nargs)
1504 {
1505 static enum built_in_function check[2][2][6]
1506 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
1507 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
1508 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
1509 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
1510 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
1511 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
1512 { { BUILT_IN_ASAN_LOAD1_NOABORT,
1513 BUILT_IN_ASAN_LOAD2_NOABORT,
1514 BUILT_IN_ASAN_LOAD4_NOABORT,
1515 BUILT_IN_ASAN_LOAD8_NOABORT,
1516 BUILT_IN_ASAN_LOAD16_NOABORT,
1517 BUILT_IN_ASAN_LOADN_NOABORT },
1518 { BUILT_IN_ASAN_STORE1_NOABORT,
1519 BUILT_IN_ASAN_STORE2_NOABORT,
1520 BUILT_IN_ASAN_STORE4_NOABORT,
1521 BUILT_IN_ASAN_STORE8_NOABORT,
1522 BUILT_IN_ASAN_STORE16_NOABORT,
1523 BUILT_IN_ASAN_STOREN_NOABORT } } };
1524 if (size_in_bytes == -1)
1525 {
1526 *nargs = 2;
1527 return builtin_decl_implicit (check[recover_p][is_store][5]);
1528 }
1529 *nargs = 1;
1530 int size_log2 = exact_log2 (size_in_bytes);
1531 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
1532 }
1533
1534 /* Split the current basic block and create a condition statement
1535 insertion point right before or after the statement pointed to by
1536 ITER. Return an iterator to the point at which the caller might
1537 safely insert the condition statement.
1538
1539 THEN_BLOCK must be set to the address of an uninitialized instance
1540 of basic_block. The function will then set *THEN_BLOCK to the
1541 'then block' of the condition statement to be inserted by the
1542 caller.
1543
1544 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1545 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1546
1547 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1548 block' of the condition statement to be inserted by the caller.
1549
1550 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1551 statements starting from *ITER, and *THEN_BLOCK is a new empty
1552 block.
1553
1554 *ITER is adjusted to point to always point to the first statement
1555 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1556 same as what ITER was pointing to prior to calling this function,
1557 if BEFORE_P is true; otherwise, it is its following statement. */
1558
1559 gimple_stmt_iterator
1560 create_cond_insert_point (gimple_stmt_iterator *iter,
1561 bool before_p,
1562 bool then_more_likely_p,
1563 bool create_then_fallthru_edge,
1564 basic_block *then_block,
1565 basic_block *fallthrough_block)
1566 {
1567 gimple_stmt_iterator gsi = *iter;
1568
1569 if (!gsi_end_p (gsi) && before_p)
1570 gsi_prev (&gsi);
1571
1572 basic_block cur_bb = gsi_bb (*iter);
1573
1574 edge e = split_block (cur_bb, gsi_stmt (gsi));
1575
1576 /* Get a hold on the 'condition block', the 'then block' and the
1577 'else block'. */
1578 basic_block cond_bb = e->src;
1579 basic_block fallthru_bb = e->dest;
1580 basic_block then_bb = create_empty_bb (cond_bb);
1581 if (current_loops)
1582 {
1583 add_bb_to_loop (then_bb, cond_bb->loop_father);
1584 loops_state_set (LOOPS_NEED_FIXUP);
1585 }
1586
1587 /* Set up the newly created 'then block'. */
1588 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1589 int fallthrough_probability
1590 = then_more_likely_p
1591 ? PROB_VERY_UNLIKELY
1592 : PROB_ALWAYS - PROB_VERY_UNLIKELY;
1593 e->probability = PROB_ALWAYS - fallthrough_probability;
1594 if (create_then_fallthru_edge)
1595 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1596
1597 /* Set up the fallthrough basic block. */
1598 e = find_edge (cond_bb, fallthru_bb);
1599 e->flags = EDGE_FALSE_VALUE;
1600 e->count = cond_bb->count;
1601 e->probability = fallthrough_probability;
1602
1603 /* Update dominance info for the newly created then_bb; note that
1604 fallthru_bb's dominance info has already been updated by
1605 split_bock. */
1606 if (dom_info_available_p (CDI_DOMINATORS))
1607 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1608
1609 *then_block = then_bb;
1610 *fallthrough_block = fallthru_bb;
1611 *iter = gsi_start_bb (fallthru_bb);
1612
1613 return gsi_last_bb (cond_bb);
1614 }
1615
1616 /* Insert an if condition followed by a 'then block' right before the
1617 statement pointed to by ITER. The fallthrough block -- which is the
1618 else block of the condition as well as the destination of the
1619 outcoming edge of the 'then block' -- starts with the statement
1620 pointed to by ITER.
1621
1622 COND is the condition of the if.
1623
1624 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1625 'then block' is higher than the probability of the edge to the
1626 fallthrough block.
1627
1628 Upon completion of the function, *THEN_BB is set to the newly
1629 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1630 fallthrough block.
1631
1632 *ITER is adjusted to still point to the same statement it was
1633 pointing to initially. */
1634
1635 static void
1636 insert_if_then_before_iter (gcond *cond,
1637 gimple_stmt_iterator *iter,
1638 bool then_more_likely_p,
1639 basic_block *then_bb,
1640 basic_block *fallthrough_bb)
1641 {
1642 gimple_stmt_iterator cond_insert_point =
1643 create_cond_insert_point (iter,
1644 /*before_p=*/true,
1645 then_more_likely_p,
1646 /*create_then_fallthru_edge=*/true,
1647 then_bb,
1648 fallthrough_bb);
1649 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
1650 }
1651
1652 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
1653 If RETURN_ADDRESS is set to true, return memory location instread
1654 of a value in the shadow memory. */
1655
1656 static tree
1657 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
1658 tree base_addr, tree shadow_ptr_type,
1659 bool return_address = false)
1660 {
1661 tree t, uintptr_type = TREE_TYPE (base_addr);
1662 tree shadow_type = TREE_TYPE (shadow_ptr_type);
1663 gimple *g;
1664
1665 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
1666 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
1667 base_addr, t);
1668 gimple_set_location (g, location);
1669 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1670
1671 t = build_int_cst (uintptr_type, asan_shadow_offset ());
1672 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
1673 gimple_assign_lhs (g), t);
1674 gimple_set_location (g, location);
1675 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1676
1677 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
1678 gimple_assign_lhs (g));
1679 gimple_set_location (g, location);
1680 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1681
1682 if (!return_address)
1683 {
1684 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
1685 build_int_cst (shadow_ptr_type, 0));
1686 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
1687 gimple_set_location (g, location);
1688 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1689 }
1690
1691 return gimple_assign_lhs (g);
1692 }
1693
1694 /* BASE can already be an SSA_NAME; in that case, do not create a
1695 new SSA_NAME for it. */
1696
1697 static tree
1698 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
1699 bool before_p)
1700 {
1701 if (TREE_CODE (base) == SSA_NAME)
1702 return base;
1703 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)),
1704 TREE_CODE (base), base);
1705 gimple_set_location (g, loc);
1706 if (before_p)
1707 gsi_insert_before (iter, g, GSI_SAME_STMT);
1708 else
1709 gsi_insert_after (iter, g, GSI_NEW_STMT);
1710 return gimple_assign_lhs (g);
1711 }
1712
1713 /* LEN can already have necessary size and precision;
1714 in that case, do not create a new variable. */
1715
1716 tree
1717 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
1718 bool before_p)
1719 {
1720 if (ptrofftype_p (len))
1721 return len;
1722 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
1723 NOP_EXPR, len);
1724 gimple_set_location (g, loc);
1725 if (before_p)
1726 gsi_insert_before (iter, g, GSI_SAME_STMT);
1727 else
1728 gsi_insert_after (iter, g, GSI_NEW_STMT);
1729 return gimple_assign_lhs (g);
1730 }
1731
1732 /* Instrument the memory access instruction BASE. Insert new
1733 statements before or after ITER.
1734
1735 Note that the memory access represented by BASE can be either an
1736 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1737 location. IS_STORE is TRUE for a store, FALSE for a load.
1738 BEFORE_P is TRUE for inserting the instrumentation code before
1739 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
1740 for a scalar memory access and FALSE for memory region access.
1741 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
1742 length. ALIGN tells alignment of accessed memory object.
1743
1744 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
1745 memory region have already been instrumented.
1746
1747 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1748 statement it was pointing to prior to calling this function,
1749 otherwise, it points to the statement logically following it. */
1750
1751 static void
1752 build_check_stmt (location_t loc, tree base, tree len,
1753 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
1754 bool is_non_zero_len, bool before_p, bool is_store,
1755 bool is_scalar_access, unsigned int align = 0)
1756 {
1757 gimple_stmt_iterator gsi = *iter;
1758 gimple *g;
1759
1760 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
1761
1762 gsi = *iter;
1763
1764 base = unshare_expr (base);
1765 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
1766
1767 if (len)
1768 {
1769 len = unshare_expr (len);
1770 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
1771 }
1772 else
1773 {
1774 gcc_assert (size_in_bytes != -1);
1775 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
1776 }
1777
1778 if (size_in_bytes > 1)
1779 {
1780 if ((size_in_bytes & (size_in_bytes - 1)) != 0
1781 || size_in_bytes > 16)
1782 is_scalar_access = false;
1783 else if (align && align < size_in_bytes * BITS_PER_UNIT)
1784 {
1785 /* On non-strict alignment targets, if
1786 16-byte access is just 8-byte aligned,
1787 this will result in misaligned shadow
1788 memory 2 byte load, but otherwise can
1789 be handled using one read. */
1790 if (size_in_bytes != 16
1791 || STRICT_ALIGNMENT
1792 || align < 8 * BITS_PER_UNIT)
1793 is_scalar_access = false;
1794 }
1795 }
1796
1797 HOST_WIDE_INT flags = 0;
1798 if (is_store)
1799 flags |= ASAN_CHECK_STORE;
1800 if (is_non_zero_len)
1801 flags |= ASAN_CHECK_NON_ZERO_LEN;
1802 if (is_scalar_access)
1803 flags |= ASAN_CHECK_SCALAR_ACCESS;
1804
1805 g = gimple_build_call_internal (IFN_ASAN_CHECK, 4,
1806 build_int_cst (integer_type_node, flags),
1807 base, len,
1808 build_int_cst (integer_type_node,
1809 align / BITS_PER_UNIT));
1810 gimple_set_location (g, loc);
1811 if (before_p)
1812 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
1813 else
1814 {
1815 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1816 gsi_next (&gsi);
1817 *iter = gsi;
1818 }
1819 }
1820
1821 /* If T represents a memory access, add instrumentation code before ITER.
1822 LOCATION is source code location.
1823 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
1824
1825 static void
1826 instrument_derefs (gimple_stmt_iterator *iter, tree t,
1827 location_t location, bool is_store)
1828 {
1829 if (is_store && !ASAN_INSTRUMENT_WRITES)
1830 return;
1831 if (!is_store && !ASAN_INSTRUMENT_READS)
1832 return;
1833
1834 tree type, base;
1835 HOST_WIDE_INT size_in_bytes;
1836 if (location == UNKNOWN_LOCATION)
1837 location = EXPR_LOCATION (t);
1838
1839 type = TREE_TYPE (t);
1840 switch (TREE_CODE (t))
1841 {
1842 case ARRAY_REF:
1843 case COMPONENT_REF:
1844 case INDIRECT_REF:
1845 case MEM_REF:
1846 case VAR_DECL:
1847 case BIT_FIELD_REF:
1848 break;
1849 /* FALLTHRU */
1850 default:
1851 return;
1852 }
1853
1854 size_in_bytes = int_size_in_bytes (type);
1855 if (size_in_bytes <= 0)
1856 return;
1857
1858 HOST_WIDE_INT bitsize, bitpos;
1859 tree offset;
1860 machine_mode mode;
1861 int unsignedp, reversep, volatilep = 0;
1862 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
1863 &unsignedp, &reversep, &volatilep);
1864
1865 if (TREE_CODE (t) == COMPONENT_REF
1866 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
1867 {
1868 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
1869 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
1870 TREE_OPERAND (t, 0), repr,
1871 NULL_TREE), location, is_store);
1872 return;
1873 }
1874
1875 if (bitpos % BITS_PER_UNIT
1876 || bitsize != size_in_bytes * BITS_PER_UNIT)
1877 return;
1878
1879 if (VAR_P (inner)
1880 && offset == NULL_TREE
1881 && bitpos >= 0
1882 && DECL_SIZE (inner)
1883 && tree_fits_shwi_p (DECL_SIZE (inner))
1884 && bitpos + bitsize <= tree_to_shwi (DECL_SIZE (inner)))
1885 {
1886 if (DECL_THREAD_LOCAL_P (inner))
1887 return;
1888 if (!ASAN_GLOBALS && is_global_var (inner))
1889 return;
1890 if (!TREE_STATIC (inner))
1891 {
1892 /* Automatic vars in the current function will be always
1893 accessible. */
1894 if (decl_function_context (inner) == current_function_decl
1895 && (!asan_sanitize_use_after_scope ()
1896 || !TREE_ADDRESSABLE (inner)))
1897 return;
1898 }
1899 /* Always instrument external vars, they might be dynamically
1900 initialized. */
1901 else if (!DECL_EXTERNAL (inner))
1902 {
1903 /* For static vars if they are known not to be dynamically
1904 initialized, they will be always accessible. */
1905 varpool_node *vnode = varpool_node::get (inner);
1906 if (vnode && !vnode->dynamically_initialized)
1907 return;
1908 }
1909 }
1910
1911 base = build_fold_addr_expr (t);
1912 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
1913 {
1914 unsigned int align = get_object_alignment (t);
1915 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
1916 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
1917 is_store, /*is_scalar_access*/true, align);
1918 update_mem_ref_hash_table (base, size_in_bytes);
1919 update_mem_ref_hash_table (t, size_in_bytes);
1920 }
1921
1922 }
1923
1924 /* Insert a memory reference into the hash table if access length
1925 can be determined in compile time. */
1926
1927 static void
1928 maybe_update_mem_ref_hash_table (tree base, tree len)
1929 {
1930 if (!POINTER_TYPE_P (TREE_TYPE (base))
1931 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
1932 return;
1933
1934 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
1935
1936 if (size_in_bytes != -1)
1937 update_mem_ref_hash_table (base, size_in_bytes);
1938 }
1939
1940 /* Instrument an access to a contiguous memory region that starts at
1941 the address pointed to by BASE, over a length of LEN (expressed in
1942 the sizeof (*BASE) bytes). ITER points to the instruction before
1943 which the instrumentation instructions must be inserted. LOCATION
1944 is the source location that the instrumentation instructions must
1945 have. If IS_STORE is true, then the memory access is a store;
1946 otherwise, it's a load. */
1947
1948 static void
1949 instrument_mem_region_access (tree base, tree len,
1950 gimple_stmt_iterator *iter,
1951 location_t location, bool is_store)
1952 {
1953 if (!POINTER_TYPE_P (TREE_TYPE (base))
1954 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
1955 || integer_zerop (len))
1956 return;
1957
1958 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
1959
1960 if ((size_in_bytes == -1)
1961 || !has_mem_ref_been_instrumented (base, size_in_bytes))
1962 {
1963 build_check_stmt (location, base, len, size_in_bytes, iter,
1964 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
1965 is_store, /*is_scalar_access*/false, /*align*/0);
1966 }
1967
1968 maybe_update_mem_ref_hash_table (base, len);
1969 *iter = gsi_for_stmt (gsi_stmt (*iter));
1970 }
1971
1972 /* Instrument the call to a built-in memory access function that is
1973 pointed to by the iterator ITER.
1974
1975 Upon completion, return TRUE iff *ITER has been advanced to the
1976 statement following the one it was originally pointing to. */
1977
1978 static bool
1979 instrument_builtin_call (gimple_stmt_iterator *iter)
1980 {
1981 if (!ASAN_MEMINTRIN)
1982 return false;
1983
1984 bool iter_advanced_p = false;
1985 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
1986
1987 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
1988
1989 location_t loc = gimple_location (call);
1990
1991 asan_mem_ref src0, src1, dest;
1992 asan_mem_ref_init (&src0, NULL, 1);
1993 asan_mem_ref_init (&src1, NULL, 1);
1994 asan_mem_ref_init (&dest, NULL, 1);
1995
1996 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1997 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
1998 dest_is_deref = false, intercepted_p = true;
1999
2000 if (get_mem_refs_of_builtin_call (call,
2001 &src0, &src0_len, &src0_is_store,
2002 &src1, &src1_len, &src1_is_store,
2003 &dest, &dest_len, &dest_is_store,
2004 &dest_is_deref, &intercepted_p))
2005 {
2006 if (dest_is_deref)
2007 {
2008 instrument_derefs (iter, dest.start, loc, dest_is_store);
2009 gsi_next (iter);
2010 iter_advanced_p = true;
2011 }
2012 else if (!intercepted_p
2013 && (src0_len || src1_len || dest_len))
2014 {
2015 if (src0.start != NULL_TREE)
2016 instrument_mem_region_access (src0.start, src0_len,
2017 iter, loc, /*is_store=*/false);
2018 if (src1.start != NULL_TREE)
2019 instrument_mem_region_access (src1.start, src1_len,
2020 iter, loc, /*is_store=*/false);
2021 if (dest.start != NULL_TREE)
2022 instrument_mem_region_access (dest.start, dest_len,
2023 iter, loc, /*is_store=*/true);
2024
2025 *iter = gsi_for_stmt (call);
2026 gsi_next (iter);
2027 iter_advanced_p = true;
2028 }
2029 else
2030 {
2031 if (src0.start != NULL_TREE)
2032 maybe_update_mem_ref_hash_table (src0.start, src0_len);
2033 if (src1.start != NULL_TREE)
2034 maybe_update_mem_ref_hash_table (src1.start, src1_len);
2035 if (dest.start != NULL_TREE)
2036 maybe_update_mem_ref_hash_table (dest.start, dest_len);
2037 }
2038 }
2039 return iter_advanced_p;
2040 }
2041
2042 /* Instrument the assignment statement ITER if it is subject to
2043 instrumentation. Return TRUE iff instrumentation actually
2044 happened. In that case, the iterator ITER is advanced to the next
2045 logical expression following the one initially pointed to by ITER,
2046 and the relevant memory reference that which access has been
2047 instrumented is added to the memory references hash table. */
2048
2049 static bool
2050 maybe_instrument_assignment (gimple_stmt_iterator *iter)
2051 {
2052 gimple *s = gsi_stmt (*iter);
2053
2054 gcc_assert (gimple_assign_single_p (s));
2055
2056 tree ref_expr = NULL_TREE;
2057 bool is_store, is_instrumented = false;
2058
2059 if (gimple_store_p (s))
2060 {
2061 ref_expr = gimple_assign_lhs (s);
2062 is_store = true;
2063 instrument_derefs (iter, ref_expr,
2064 gimple_location (s),
2065 is_store);
2066 is_instrumented = true;
2067 }
2068
2069 if (gimple_assign_load_p (s))
2070 {
2071 ref_expr = gimple_assign_rhs1 (s);
2072 is_store = false;
2073 instrument_derefs (iter, ref_expr,
2074 gimple_location (s),
2075 is_store);
2076 is_instrumented = true;
2077 }
2078
2079 if (is_instrumented)
2080 gsi_next (iter);
2081
2082 return is_instrumented;
2083 }
2084
2085 /* Instrument the function call pointed to by the iterator ITER, if it
2086 is subject to instrumentation. At the moment, the only function
2087 calls that are instrumented are some built-in functions that access
2088 memory. Look at instrument_builtin_call to learn more.
2089
2090 Upon completion return TRUE iff *ITER was advanced to the statement
2091 following the one it was originally pointing to. */
2092
2093 static bool
2094 maybe_instrument_call (gimple_stmt_iterator *iter)
2095 {
2096 gimple *stmt = gsi_stmt (*iter);
2097 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2098
2099 if (is_builtin && instrument_builtin_call (iter))
2100 return true;
2101
2102 if (gimple_call_noreturn_p (stmt))
2103 {
2104 if (is_builtin)
2105 {
2106 tree callee = gimple_call_fndecl (stmt);
2107 switch (DECL_FUNCTION_CODE (callee))
2108 {
2109 case BUILT_IN_UNREACHABLE:
2110 case BUILT_IN_TRAP:
2111 /* Don't instrument these. */
2112 return false;
2113 default:
2114 break;
2115 }
2116 }
2117 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
2118 gimple *g = gimple_build_call (decl, 0);
2119 gimple_set_location (g, gimple_location (stmt));
2120 gsi_insert_before (iter, g, GSI_SAME_STMT);
2121 }
2122
2123 bool instrumented = false;
2124 if (gimple_store_p (stmt))
2125 {
2126 tree ref_expr = gimple_call_lhs (stmt);
2127 instrument_derefs (iter, ref_expr,
2128 gimple_location (stmt),
2129 /*is_store=*/true);
2130
2131 instrumented = true;
2132 }
2133
2134 /* Walk through gimple_call arguments and check them id needed. */
2135 unsigned args_num = gimple_call_num_args (stmt);
2136 for (unsigned i = 0; i < args_num; ++i)
2137 {
2138 tree arg = gimple_call_arg (stmt, i);
2139 /* If ARG is not a non-aggregate register variable, compiler in general
2140 creates temporary for it and pass it as argument to gimple call.
2141 But in some cases, e.g. when we pass by value a small structure that
2142 fits to register, compiler can avoid extra overhead by pulling out
2143 these temporaries. In this case, we should check the argument. */
2144 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
2145 {
2146 instrument_derefs (iter, arg,
2147 gimple_location (stmt),
2148 /*is_store=*/false);
2149 instrumented = true;
2150 }
2151 }
2152 if (instrumented)
2153 gsi_next (iter);
2154 return instrumented;
2155 }
2156
2157 /* Walk each instruction of all basic block and instrument those that
2158 represent memory references: loads, stores, or function calls.
2159 In a given basic block, this function avoids instrumenting memory
2160 references that have already been instrumented. */
2161
2162 static void
2163 transform_statements (void)
2164 {
2165 basic_block bb, last_bb = NULL;
2166 gimple_stmt_iterator i;
2167 int saved_last_basic_block = last_basic_block_for_fn (cfun);
2168
2169 FOR_EACH_BB_FN (bb, cfun)
2170 {
2171 basic_block prev_bb = bb;
2172
2173 if (bb->index >= saved_last_basic_block) continue;
2174
2175 /* Flush the mem ref hash table, if current bb doesn't have
2176 exactly one predecessor, or if that predecessor (skipping
2177 over asan created basic blocks) isn't the last processed
2178 basic block. Thus we effectively flush on extended basic
2179 block boundaries. */
2180 while (single_pred_p (prev_bb))
2181 {
2182 prev_bb = single_pred (prev_bb);
2183 if (prev_bb->index < saved_last_basic_block)
2184 break;
2185 }
2186 if (prev_bb != last_bb)
2187 empty_mem_ref_hash_table ();
2188 last_bb = bb;
2189
2190 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
2191 {
2192 gimple *s = gsi_stmt (i);
2193
2194 if (has_stmt_been_instrumented_p (s))
2195 gsi_next (&i);
2196 else if (gimple_assign_single_p (s)
2197 && !gimple_clobber_p (s)
2198 && maybe_instrument_assignment (&i))
2199 /* Nothing to do as maybe_instrument_assignment advanced
2200 the iterator I. */;
2201 else if (is_gimple_call (s) && maybe_instrument_call (&i))
2202 /* Nothing to do as maybe_instrument_call
2203 advanced the iterator I. */;
2204 else
2205 {
2206 /* No instrumentation happened.
2207
2208 If the current instruction is a function call that
2209 might free something, let's forget about the memory
2210 references that got instrumented. Otherwise we might
2211 miss some instrumentation opportunities. Do the same
2212 for a ASAN_MARK poisoning internal function. */
2213 if (is_gimple_call (s)
2214 && (!nonfreeing_call_p (s) || asan_mark_poison_p (s)))
2215 empty_mem_ref_hash_table ();
2216
2217 gsi_next (&i);
2218 }
2219 }
2220 }
2221 free_mem_ref_resources ();
2222 }
2223
2224 /* Build
2225 __asan_before_dynamic_init (module_name)
2226 or
2227 __asan_after_dynamic_init ()
2228 call. */
2229
2230 tree
2231 asan_dynamic_init_call (bool after_p)
2232 {
2233 if (shadow_ptr_types[0] == NULL_TREE)
2234 asan_init_shadow_ptr_types ();
2235
2236 tree fn = builtin_decl_implicit (after_p
2237 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
2238 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
2239 tree module_name_cst = NULL_TREE;
2240 if (!after_p)
2241 {
2242 pretty_printer module_name_pp;
2243 pp_string (&module_name_pp, main_input_filename);
2244
2245 module_name_cst = asan_pp_string (&module_name_pp);
2246 module_name_cst = fold_convert (const_ptr_type_node,
2247 module_name_cst);
2248 }
2249
2250 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
2251 }
2252
2253 /* Build
2254 struct __asan_global
2255 {
2256 const void *__beg;
2257 uptr __size;
2258 uptr __size_with_redzone;
2259 const void *__name;
2260 const void *__module_name;
2261 uptr __has_dynamic_init;
2262 __asan_global_source_location *__location;
2263 char *__odr_indicator;
2264 } type. */
2265
2266 static tree
2267 asan_global_struct (void)
2268 {
2269 static const char *field_names[8]
2270 = { "__beg", "__size", "__size_with_redzone",
2271 "__name", "__module_name", "__has_dynamic_init", "__location", "__odr_indicator"};
2272 tree fields[8], ret;
2273 int i;
2274
2275 ret = make_node (RECORD_TYPE);
2276 for (i = 0; i < 8; i++)
2277 {
2278 fields[i]
2279 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
2280 get_identifier (field_names[i]),
2281 (i == 0 || i == 3) ? const_ptr_type_node
2282 : pointer_sized_int_node);
2283 DECL_CONTEXT (fields[i]) = ret;
2284 if (i)
2285 DECL_CHAIN (fields[i - 1]) = fields[i];
2286 }
2287 tree type_decl = build_decl (input_location, TYPE_DECL,
2288 get_identifier ("__asan_global"), ret);
2289 DECL_IGNORED_P (type_decl) = 1;
2290 DECL_ARTIFICIAL (type_decl) = 1;
2291 TYPE_FIELDS (ret) = fields[0];
2292 TYPE_NAME (ret) = type_decl;
2293 TYPE_STUB_DECL (ret) = type_decl;
2294 layout_type (ret);
2295 return ret;
2296 }
2297
2298 /* Append description of a single global DECL into vector V.
2299 TYPE is __asan_global struct type as returned by asan_global_struct. */
2300
2301 static void
2302 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
2303 {
2304 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2305 unsigned HOST_WIDE_INT size;
2306 tree str_cst, module_name_cst, refdecl = decl;
2307 vec<constructor_elt, va_gc> *vinner = NULL;
2308
2309 pretty_printer asan_pp, module_name_pp;
2310
2311 if (DECL_NAME (decl))
2312 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
2313 else
2314 pp_string (&asan_pp, "<unknown>");
2315 str_cst = asan_pp_string (&asan_pp);
2316
2317 pp_string (&module_name_pp, main_input_filename);
2318 module_name_cst = asan_pp_string (&module_name_pp);
2319
2320 if (asan_needs_local_alias (decl))
2321 {
2322 char buf[20];
2323 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
2324 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
2325 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
2326 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
2327 TREE_READONLY (refdecl) = TREE_READONLY (decl);
2328 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
2329 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
2330 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
2331 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
2332 TREE_STATIC (refdecl) = 1;
2333 TREE_PUBLIC (refdecl) = 0;
2334 TREE_USED (refdecl) = 1;
2335 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
2336 }
2337
2338 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2339 fold_convert (const_ptr_type_node,
2340 build_fold_addr_expr (refdecl)));
2341 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
2342 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2343 size += asan_red_zone_size (size);
2344 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2345 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2346 fold_convert (const_ptr_type_node, str_cst));
2347 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2348 fold_convert (const_ptr_type_node, module_name_cst));
2349 varpool_node *vnode = varpool_node::get (decl);
2350 int has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
2351 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2352 build_int_cst (uptr, has_dynamic_init));
2353 tree locptr = NULL_TREE;
2354 location_t loc = DECL_SOURCE_LOCATION (decl);
2355 expanded_location xloc = expand_location (loc);
2356 if (xloc.file != NULL)
2357 {
2358 static int lasanloccnt = 0;
2359 char buf[25];
2360 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
2361 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2362 ubsan_get_source_location_type ());
2363 TREE_STATIC (var) = 1;
2364 TREE_PUBLIC (var) = 0;
2365 DECL_ARTIFICIAL (var) = 1;
2366 DECL_IGNORED_P (var) = 1;
2367 pretty_printer filename_pp;
2368 pp_string (&filename_pp, xloc.file);
2369 tree str = asan_pp_string (&filename_pp);
2370 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
2371 NULL_TREE, str, NULL_TREE,
2372 build_int_cst (unsigned_type_node,
2373 xloc.line), NULL_TREE,
2374 build_int_cst (unsigned_type_node,
2375 xloc.column));
2376 TREE_CONSTANT (ctor) = 1;
2377 TREE_STATIC (ctor) = 1;
2378 DECL_INITIAL (var) = ctor;
2379 varpool_node::finalize_decl (var);
2380 locptr = fold_convert (uptr, build_fold_addr_expr (var));
2381 }
2382 else
2383 locptr = build_int_cst (uptr, 0);
2384 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
2385 /* TODO: support ODR indicators. */
2386 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, 0));
2387 init = build_constructor (type, vinner);
2388 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
2389 }
2390
2391 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2392 void
2393 initialize_sanitizer_builtins (void)
2394 {
2395 tree decl;
2396
2397 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
2398 return;
2399
2400 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
2401 tree BT_FN_VOID_PTR
2402 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
2403 tree BT_FN_VOID_CONST_PTR
2404 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
2405 tree BT_FN_VOID_PTR_PTR
2406 = build_function_type_list (void_type_node, ptr_type_node,
2407 ptr_type_node, NULL_TREE);
2408 tree BT_FN_VOID_PTR_PTR_PTR
2409 = build_function_type_list (void_type_node, ptr_type_node,
2410 ptr_type_node, ptr_type_node, NULL_TREE);
2411 tree BT_FN_VOID_PTR_PTRMODE
2412 = build_function_type_list (void_type_node, ptr_type_node,
2413 pointer_sized_int_node, NULL_TREE);
2414 tree BT_FN_VOID_INT
2415 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
2416 tree BT_FN_SIZE_CONST_PTR_INT
2417 = build_function_type_list (size_type_node, const_ptr_type_node,
2418 integer_type_node, NULL_TREE);
2419 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
2420 tree BT_FN_IX_CONST_VPTR_INT[5];
2421 tree BT_FN_IX_VPTR_IX_INT[5];
2422 tree BT_FN_VOID_VPTR_IX_INT[5];
2423 tree vptr
2424 = build_pointer_type (build_qualified_type (void_type_node,
2425 TYPE_QUAL_VOLATILE));
2426 tree cvptr
2427 = build_pointer_type (build_qualified_type (void_type_node,
2428 TYPE_QUAL_VOLATILE
2429 |TYPE_QUAL_CONST));
2430 tree boolt
2431 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
2432 int i;
2433 for (i = 0; i < 5; i++)
2434 {
2435 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
2436 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
2437 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
2438 integer_type_node, integer_type_node,
2439 NULL_TREE);
2440 BT_FN_IX_CONST_VPTR_INT[i]
2441 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
2442 BT_FN_IX_VPTR_IX_INT[i]
2443 = build_function_type_list (ix, vptr, ix, integer_type_node,
2444 NULL_TREE);
2445 BT_FN_VOID_VPTR_IX_INT[i]
2446 = build_function_type_list (void_type_node, vptr, ix,
2447 integer_type_node, NULL_TREE);
2448 }
2449 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2450 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2451 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2452 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2453 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2454 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2455 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2456 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2457 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2458 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2459 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2460 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2461 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2462 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2463 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2464 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2465 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2466 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2467 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2468 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2469 #undef ATTR_NOTHROW_LEAF_LIST
2470 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2471 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2472 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2473 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2474 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2475 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2476 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
2477 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
2478 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2479 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2480 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2481 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2482 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2483 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2484 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2485 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2486 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
2487 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
2488 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
2489 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2490 #undef ATTR_PURE_NOTHROW_LEAF_LIST
2491 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
2492 #undef DEF_BUILTIN_STUB
2493 #define DEF_BUILTIN_STUB(ENUM, NAME)
2494 #undef DEF_SANITIZER_BUILTIN
2495 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2496 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2497 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2498 set_call_expr_flags (decl, ATTRS); \
2499 set_builtin_decl (ENUM, decl, true);
2500
2501 #include "sanitizer.def"
2502
2503 /* -fsanitize=object-size uses __builtin_object_size, but that might
2504 not be available for e.g. Fortran at this point. We use
2505 DEF_SANITIZER_BUILTIN here only as a convenience macro. */
2506 if ((flag_sanitize & SANITIZE_OBJECT_SIZE)
2507 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
2508 DEF_SANITIZER_BUILTIN (BUILT_IN_OBJECT_SIZE, "object_size",
2509 BT_FN_SIZE_CONST_PTR_INT,
2510 ATTR_PURE_NOTHROW_LEAF_LIST)
2511
2512 #undef DEF_SANITIZER_BUILTIN
2513 #undef DEF_BUILTIN_STUB
2514 }
2515
2516 /* Called via htab_traverse. Count number of emitted
2517 STRING_CSTs in the constant hash table. */
2518
2519 int
2520 count_string_csts (constant_descriptor_tree **slot,
2521 unsigned HOST_WIDE_INT *data)
2522 {
2523 struct constant_descriptor_tree *desc = *slot;
2524 if (TREE_CODE (desc->value) == STRING_CST
2525 && TREE_ASM_WRITTEN (desc->value)
2526 && asan_protect_global (desc->value))
2527 ++*data;
2528 return 1;
2529 }
2530
2531 /* Helper structure to pass two parameters to
2532 add_string_csts. */
2533
2534 struct asan_add_string_csts_data
2535 {
2536 tree type;
2537 vec<constructor_elt, va_gc> *v;
2538 };
2539
2540 /* Called via hash_table::traverse. Call asan_add_global
2541 on emitted STRING_CSTs from the constant hash table. */
2542
2543 int
2544 add_string_csts (constant_descriptor_tree **slot,
2545 asan_add_string_csts_data *aascd)
2546 {
2547 struct constant_descriptor_tree *desc = *slot;
2548 if (TREE_CODE (desc->value) == STRING_CST
2549 && TREE_ASM_WRITTEN (desc->value)
2550 && asan_protect_global (desc->value))
2551 {
2552 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
2553 aascd->type, aascd->v);
2554 }
2555 return 1;
2556 }
2557
2558 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
2559 invoke ggc_collect. */
2560 static GTY(()) tree asan_ctor_statements;
2561
2562 /* Module-level instrumentation.
2563 - Insert __asan_init_vN() into the list of CTORs.
2564 - TODO: insert redzones around globals.
2565 */
2566
2567 void
2568 asan_finish_file (void)
2569 {
2570 varpool_node *vnode;
2571 unsigned HOST_WIDE_INT gcount = 0;
2572
2573 if (shadow_ptr_types[0] == NULL_TREE)
2574 asan_init_shadow_ptr_types ();
2575 /* Avoid instrumenting code in the asan ctors/dtors.
2576 We don't need to insert padding after the description strings,
2577 nor after .LASAN* array. */
2578 flag_sanitize &= ~SANITIZE_ADDRESS;
2579
2580 /* For user-space we want asan constructors to run first.
2581 Linux kernel does not support priorities other than default, and the only
2582 other user of constructors is coverage. So we run with the default
2583 priority. */
2584 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
2585 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
2586
2587 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2588 {
2589 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
2590 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2591 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
2592 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2593 }
2594 FOR_EACH_DEFINED_VARIABLE (vnode)
2595 if (TREE_ASM_WRITTEN (vnode->decl)
2596 && asan_protect_global (vnode->decl))
2597 ++gcount;
2598 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
2599 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
2600 (&gcount);
2601 if (gcount)
2602 {
2603 tree type = asan_global_struct (), var, ctor;
2604 tree dtor_statements = NULL_TREE;
2605 vec<constructor_elt, va_gc> *v;
2606 char buf[20];
2607
2608 type = build_array_type_nelts (type, gcount);
2609 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
2610 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2611 type);
2612 TREE_STATIC (var) = 1;
2613 TREE_PUBLIC (var) = 0;
2614 DECL_ARTIFICIAL (var) = 1;
2615 DECL_IGNORED_P (var) = 1;
2616 vec_alloc (v, gcount);
2617 FOR_EACH_DEFINED_VARIABLE (vnode)
2618 if (TREE_ASM_WRITTEN (vnode->decl)
2619 && asan_protect_global (vnode->decl))
2620 asan_add_global (vnode->decl, TREE_TYPE (type), v);
2621 struct asan_add_string_csts_data aascd;
2622 aascd.type = TREE_TYPE (type);
2623 aascd.v = v;
2624 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
2625 (&aascd);
2626 ctor = build_constructor (type, v);
2627 TREE_CONSTANT (ctor) = 1;
2628 TREE_STATIC (ctor) = 1;
2629 DECL_INITIAL (var) = ctor;
2630 varpool_node::finalize_decl (var);
2631
2632 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
2633 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
2634 append_to_statement_list (build_call_expr (fn, 2,
2635 build_fold_addr_expr (var),
2636 gcount_tree),
2637 &asan_ctor_statements);
2638
2639 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
2640 append_to_statement_list (build_call_expr (fn, 2,
2641 build_fold_addr_expr (var),
2642 gcount_tree),
2643 &dtor_statements);
2644 cgraph_build_static_cdtor ('D', dtor_statements, priority);
2645 }
2646 if (asan_ctor_statements)
2647 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
2648 flag_sanitize |= SANITIZE_ADDRESS;
2649 }
2650
2651 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
2652 on SHADOW address. Newly added statements will be added to ITER with
2653 given location LOC. We mark SIZE bytes in shadow memory, where
2654 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
2655 end of a variable. */
2656
2657 static void
2658 asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
2659 tree shadow,
2660 unsigned HOST_WIDE_INT base_addr_offset,
2661 bool is_clobber, unsigned size,
2662 unsigned last_chunk_size)
2663 {
2664 tree shadow_ptr_type;
2665
2666 switch (size)
2667 {
2668 case 1:
2669 shadow_ptr_type = shadow_ptr_types[0];
2670 break;
2671 case 2:
2672 shadow_ptr_type = shadow_ptr_types[1];
2673 break;
2674 case 4:
2675 shadow_ptr_type = shadow_ptr_types[2];
2676 break;
2677 default:
2678 gcc_unreachable ();
2679 }
2680
2681 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
2682 unsigned HOST_WIDE_INT val = 0;
2683 for (unsigned i = 0; i < size; ++i)
2684 {
2685 unsigned char shadow_c = c;
2686 if (i == size - 1 && last_chunk_size && !is_clobber)
2687 shadow_c = last_chunk_size;
2688 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
2689 }
2690
2691 /* Handle last chunk in unpoisoning. */
2692 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);
2693
2694 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
2695 build_int_cst (shadow_ptr_type, base_addr_offset));
2696
2697 gimple *g = gimple_build_assign (dest, magic);
2698 gimple_set_location (g, loc);
2699 gsi_insert_after (iter, g, GSI_NEW_STMT);
2700 }
2701
2702 /* Expand the ASAN_MARK builtins. */
2703
2704 bool
2705 asan_expand_mark_ifn (gimple_stmt_iterator *iter)
2706 {
2707 gimple *g = gsi_stmt (*iter);
2708 location_t loc = gimple_location (g);
2709 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
2710 gcc_assert (flags < ASAN_MARK_LAST);
2711 bool is_clobber = (flags & ASAN_MARK_CLOBBER) != 0;
2712
2713 tree base = gimple_call_arg (g, 1);
2714 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
2715 tree decl = TREE_OPERAND (base, 0);
2716 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);
2717 if (asan_handled_variables == NULL)
2718 asan_handled_variables = new hash_set<tree> (16);
2719 asan_handled_variables->add (decl);
2720 tree len = gimple_call_arg (g, 2);
2721
2722 gcc_assert (tree_fits_shwi_p (len));
2723 unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len);
2724 gcc_assert (size_in_bytes);
2725
2726 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2727 NOP_EXPR, base);
2728 gimple_set_location (g, loc);
2729 gsi_replace (iter, g, false);
2730 tree base_addr = gimple_assign_lhs (g);
2731
2732 /* Generate direct emission if size_in_bytes is small. */
2733 if (size_in_bytes <= ASAN_PARAM_USE_AFTER_SCOPE_DIRECT_EMISSION_THRESHOLD)
2734 {
2735 unsigned HOST_WIDE_INT shadow_size = shadow_mem_size (size_in_bytes);
2736
2737 tree shadow = build_shadow_mem_access (iter, loc, base_addr,
2738 shadow_ptr_types[0], true);
2739
2740 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
2741 {
2742 unsigned size = 1;
2743 if (shadow_size - offset >= 4)
2744 size = 4;
2745 else if (shadow_size - offset >= 2)
2746 size = 2;
2747
2748 unsigned HOST_WIDE_INT last_chunk_size = 0;
2749 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
2750 if (s > size_in_bytes)
2751 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);
2752
2753 asan_store_shadow_bytes (iter, loc, shadow, offset, is_clobber,
2754 size, last_chunk_size);
2755 offset += size;
2756 }
2757 }
2758 else
2759 {
2760 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2761 NOP_EXPR, len);
2762 gimple_set_location (g, loc);
2763 gsi_insert_before (iter, g, GSI_SAME_STMT);
2764 tree sz_arg = gimple_assign_lhs (g);
2765
2766 tree fun = builtin_decl_implicit (is_clobber ? BUILT_IN_ASAN_CLOBBER_N
2767 : BUILT_IN_ASAN_UNCLOBBER_N);
2768 g = gimple_build_call (fun, 2, base_addr, sz_arg);
2769 gimple_set_location (g, loc);
2770 gsi_insert_after (iter, g, GSI_NEW_STMT);
2771 }
2772
2773 return false;
2774 }
2775
2776 /* Expand the ASAN_{LOAD,STORE} builtins. */
2777
2778 bool
2779 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
2780 {
2781 gimple *g = gsi_stmt (*iter);
2782 location_t loc = gimple_location (g);
2783 bool recover_p;
2784 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2785 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
2786 else
2787 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
2788
2789 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
2790 gcc_assert (flags < ASAN_CHECK_LAST);
2791 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
2792 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
2793 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
2794
2795 tree base = gimple_call_arg (g, 1);
2796 tree len = gimple_call_arg (g, 2);
2797 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
2798
2799 HOST_WIDE_INT size_in_bytes
2800 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2801
2802 if (use_calls)
2803 {
2804 /* Instrument using callbacks. */
2805 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2806 NOP_EXPR, base);
2807 gimple_set_location (g, loc);
2808 gsi_insert_before (iter, g, GSI_SAME_STMT);
2809 tree base_addr = gimple_assign_lhs (g);
2810
2811 int nargs;
2812 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
2813 if (nargs == 1)
2814 g = gimple_build_call (fun, 1, base_addr);
2815 else
2816 {
2817 gcc_assert (nargs == 2);
2818 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2819 NOP_EXPR, len);
2820 gimple_set_location (g, loc);
2821 gsi_insert_before (iter, g, GSI_SAME_STMT);
2822 tree sz_arg = gimple_assign_lhs (g);
2823 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
2824 }
2825 gimple_set_location (g, loc);
2826 gsi_replace (iter, g, false);
2827 return false;
2828 }
2829
2830 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
2831
2832 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
2833 tree shadow_type = TREE_TYPE (shadow_ptr_type);
2834
2835 gimple_stmt_iterator gsi = *iter;
2836
2837 if (!is_non_zero_len)
2838 {
2839 /* So, the length of the memory area to asan-protect is
2840 non-constant. Let's guard the generated instrumentation code
2841 like:
2842
2843 if (len != 0)
2844 {
2845 //asan instrumentation code goes here.
2846 }
2847 // falltrough instructions, starting with *ITER. */
2848
2849 g = gimple_build_cond (NE_EXPR,
2850 len,
2851 build_int_cst (TREE_TYPE (len), 0),
2852 NULL_TREE, NULL_TREE);
2853 gimple_set_location (g, loc);
2854
2855 basic_block then_bb, fallthrough_bb;
2856 insert_if_then_before_iter (as_a <gcond *> (g), iter,
2857 /*then_more_likely_p=*/true,
2858 &then_bb, &fallthrough_bb);
2859 /* Note that fallthrough_bb starts with the statement that was
2860 pointed to by ITER. */
2861
2862 /* The 'then block' of the 'if (len != 0) condition is where
2863 we'll generate the asan instrumentation code now. */
2864 gsi = gsi_last_bb (then_bb);
2865 }
2866
2867 /* Get an iterator on the point where we can add the condition
2868 statement for the instrumentation. */
2869 basic_block then_bb, else_bb;
2870 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
2871 /*then_more_likely_p=*/false,
2872 /*create_then_fallthru_edge*/recover_p,
2873 &then_bb,
2874 &else_bb);
2875
2876 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2877 NOP_EXPR, base);
2878 gimple_set_location (g, loc);
2879 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
2880 tree base_addr = gimple_assign_lhs (g);
2881
2882 tree t = NULL_TREE;
2883 if (real_size_in_bytes >= 8)
2884 {
2885 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
2886 shadow_ptr_type);
2887 t = shadow;
2888 }
2889 else
2890 {
2891 /* Slow path for 1, 2 and 4 byte accesses. */
2892 /* Test (shadow != 0)
2893 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
2894 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
2895 shadow_ptr_type);
2896 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
2897 gimple_seq seq = NULL;
2898 gimple_seq_add_stmt (&seq, shadow_test);
2899 /* Aligned (>= 8 bytes) can test just
2900 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
2901 to be 0. */
2902 if (align < 8)
2903 {
2904 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
2905 base_addr, 7));
2906 gimple_seq_add_stmt (&seq,
2907 build_type_cast (shadow_type,
2908 gimple_seq_last (seq)));
2909 if (real_size_in_bytes > 1)
2910 gimple_seq_add_stmt (&seq,
2911 build_assign (PLUS_EXPR,
2912 gimple_seq_last (seq),
2913 real_size_in_bytes - 1));
2914 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
2915 }
2916 else
2917 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
2918 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
2919 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
2920 gimple_seq_last (seq)));
2921 t = gimple_assign_lhs (gimple_seq_last (seq));
2922 gimple_seq_set_location (seq, loc);
2923 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
2924
2925 /* For non-constant, misaligned or otherwise weird access sizes,
2926 check first and last byte. */
2927 if (size_in_bytes == -1)
2928 {
2929 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2930 MINUS_EXPR, len,
2931 build_int_cst (pointer_sized_int_node, 1));
2932 gimple_set_location (g, loc);
2933 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2934 tree last = gimple_assign_lhs (g);
2935 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2936 PLUS_EXPR, base_addr, last);
2937 gimple_set_location (g, loc);
2938 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2939 tree base_end_addr = gimple_assign_lhs (g);
2940
2941 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
2942 shadow_ptr_type);
2943 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
2944 gimple_seq seq = NULL;
2945 gimple_seq_add_stmt (&seq, shadow_test);
2946 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
2947 base_end_addr, 7));
2948 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
2949 gimple_seq_last (seq)));
2950 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
2951 gimple_seq_last (seq),
2952 shadow));
2953 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
2954 gimple_seq_last (seq)));
2955 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
2956 gimple_seq_last (seq)));
2957 t = gimple_assign_lhs (gimple_seq_last (seq));
2958 gimple_seq_set_location (seq, loc);
2959 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
2960 }
2961 }
2962
2963 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
2964 NULL_TREE, NULL_TREE);
2965 gimple_set_location (g, loc);
2966 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2967
2968 /* Generate call to the run-time library (e.g. __asan_report_load8). */
2969 gsi = gsi_start_bb (then_bb);
2970 int nargs;
2971 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
2972 g = gimple_build_call (fun, nargs, base_addr, len);
2973 gimple_set_location (g, loc);
2974 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2975
2976 gsi_remove (iter, true);
2977 *iter = gsi_start_bb (else_bb);
2978
2979 return true;
2980 }
2981
2982 /* Instrument the current function. */
2983
2984 static unsigned int
2985 asan_instrument (void)
2986 {
2987 if (shadow_ptr_types[0] == NULL_TREE)
2988 asan_init_shadow_ptr_types ();
2989 transform_statements ();
2990 return 0;
2991 }
2992
2993 static bool
2994 gate_asan (void)
2995 {
2996 return (flag_sanitize & SANITIZE_ADDRESS) != 0
2997 && !lookup_attribute ("no_sanitize_address",
2998 DECL_ATTRIBUTES (current_function_decl));
2999 }
3000
3001 namespace {
3002
3003 const pass_data pass_data_asan =
3004 {
3005 GIMPLE_PASS, /* type */
3006 "asan", /* name */
3007 OPTGROUP_NONE, /* optinfo_flags */
3008 TV_NONE, /* tv_id */
3009 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3010 0, /* properties_provided */
3011 0, /* properties_destroyed */
3012 0, /* todo_flags_start */
3013 TODO_update_ssa, /* todo_flags_finish */
3014 };
3015
3016 class pass_asan : public gimple_opt_pass
3017 {
3018 public:
3019 pass_asan (gcc::context *ctxt)
3020 : gimple_opt_pass (pass_data_asan, ctxt)
3021 {}
3022
3023 /* opt_pass methods: */
3024 opt_pass * clone () { return new pass_asan (m_ctxt); }
3025 virtual bool gate (function *) { return gate_asan (); }
3026 virtual unsigned int execute (function *) { return asan_instrument (); }
3027
3028 }; // class pass_asan
3029
3030 } // anon namespace
3031
3032 gimple_opt_pass *
3033 make_pass_asan (gcc::context *ctxt)
3034 {
3035 return new pass_asan (ctxt);
3036 }
3037
3038 namespace {
3039
3040 const pass_data pass_data_asan_O0 =
3041 {
3042 GIMPLE_PASS, /* type */
3043 "asan0", /* name */
3044 OPTGROUP_NONE, /* optinfo_flags */
3045 TV_NONE, /* tv_id */
3046 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3047 0, /* properties_provided */
3048 0, /* properties_destroyed */
3049 0, /* todo_flags_start */
3050 TODO_update_ssa, /* todo_flags_finish */
3051 };
3052
3053 class pass_asan_O0 : public gimple_opt_pass
3054 {
3055 public:
3056 pass_asan_O0 (gcc::context *ctxt)
3057 : gimple_opt_pass (pass_data_asan_O0, ctxt)
3058 {}
3059
3060 /* opt_pass methods: */
3061 virtual bool gate (function *) { return !optimize && gate_asan (); }
3062 virtual unsigned int execute (function *) { return asan_instrument (); }
3063
3064 }; // class pass_asan_O0
3065
3066 } // anon namespace
3067
3068 gimple_opt_pass *
3069 make_pass_asan_O0 (gcc::context *ctxt)
3070 {
3071 return new pass_asan_O0 (ctxt);
3072 }
3073
3074 #include "gt-asan.h"
Mirror of https://gcc.gnu.org/git/gcc.git