]> git.ipfire.org Git - thirdparty/gcc.git/blob - gcc/asan.cc
projects / thirdparty / gcc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add AVX10.1 target_clones support
[thirdparty/gcc.git] / gcc / asan.cc
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2024 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
11
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "backend.h"
26 #include "target.h"
27 #include "rtl.h"
28 #include "tree.h"
29 #include "gimple.h"
30 #include "cfghooks.h"
31 #include "alloc-pool.h"
32 #include "tree-pass.h"
33 #include "memmodel.h"
34 #include "tm_p.h"
35 #include "ssa.h"
36 #include "stringpool.h"
37 #include "tree-ssanames.h"
38 #include "optabs.h"
39 #include "emit-rtl.h"
40 #include "cgraph.h"
41 #include "gimple-pretty-print.h"
42 #include "alias.h"
43 #include "fold-const.h"
44 #include "cfganal.h"
45 #include "gimplify.h"
46 #include "gimple-iterator.h"
47 #include "varasm.h"
48 #include "stor-layout.h"
49 #include "tree-iterator.h"
50 #include "stringpool.h"
51 #include "attribs.h"
52 #include "asan.h"
53 #include "dojump.h"
54 #include "explow.h"
55 #include "expr.h"
56 #include "output.h"
57 #include "langhooks.h"
58 #include "cfgloop.h"
59 #include "gimple-builder.h"
60 #include "gimple-fold.h"
61 #include "ubsan.h"
62 #include "builtins.h"
63 #include "fnmatch.h"
64 #include "tree-inline.h"
65 #include "tree-ssa.h"
66 #include "tree-eh.h"
67 #include "diagnostic-core.h"
68
69 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
70 with <2x slowdown on average.
71
72 The tool consists of two parts:
73 instrumentation module (this file) and a run-time library.
74 The instrumentation module adds a run-time check before every memory insn.
75 For a 8- or 16- byte load accessing address X:
76 ShadowAddr = (X >> 3) + Offset
77 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
78 if (ShadowValue)
79 __asan_report_load8(X);
80 For a load of N bytes (N=1, 2 or 4) from address X:
81 ShadowAddr = (X >> 3) + Offset
82 ShadowValue = *(char*)ShadowAddr;
83 if (ShadowValue)
84 if ((X & 7) + N - 1 > ShadowValue)
85 __asan_report_loadN(X);
86 Stores are instrumented similarly, but using __asan_report_storeN functions.
87 A call too __asan_init_vN() is inserted to the list of module CTORs.
88 N is the version number of the AddressSanitizer API. The changes between the
89 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
90
91 The run-time library redefines malloc (so that redzone are inserted around
92 the allocated memory) and free (so that reuse of free-ed memory is delayed),
93 provides __asan_report* and __asan_init_vN functions.
94
95 Read more:
96 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
97
98 The current implementation supports detection of out-of-bounds and
99 use-after-free in the heap, on the stack and for global variables.
100
101 [Protection of stack variables]
102
103 To understand how detection of out-of-bounds and use-after-free works
104 for stack variables, lets look at this example on x86_64 where the
105 stack grows downward:
106
107 int
108 foo ()
109 {
110 char a[24] = {0};
111 int b[2] = {0};
112
113 a[5] = 1;
114 b[1] = 2;
115
116 return a[5] + b[1];
117 }
118
119 For this function, the stack protected by asan will be organized as
120 follows, from the top of the stack to the bottom:
121
122 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
123
124 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
125 the next slot be 32 bytes aligned; this one is called Partial
126 Redzone; this 32 bytes alignment is an asan constraint]
127
128 Slot 3/ [24 bytes for variable 'a']
129
130 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
131
132 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
133
134 Slot 6/ [8 bytes for variable 'b']
135
136 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
137 'LEFT RedZone']
138
139 The 32 bytes of LEFT red zone at the bottom of the stack can be
140 decomposed as such:
141
142 1/ The first 8 bytes contain a magical asan number that is always
143 0x41B58AB3.
144
145 2/ The following 8 bytes contains a pointer to a string (to be
146 parsed at runtime by the runtime asan library), which format is
147 the following:
148
149 "<function-name> <space> <num-of-variables-on-the-stack>
150 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
151 <length-of-var-in-bytes> ){n} "
152
153 where '(...){n}' means the content inside the parenthesis occurs 'n'
154 times, with 'n' being the number of variables on the stack.
155
156 3/ The following 8 bytes contain the PC of the current function which
157 will be used by the run-time library to print an error message.
158
159 4/ The following 8 bytes are reserved for internal use by the run-time.
160
161 The shadow memory for that stack layout is going to look like this:
162
163 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
164 The F1 byte pattern is a magic number called
165 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
166 the memory for that shadow byte is part of a the LEFT red zone
167 intended to seat at the bottom of the variables on the stack.
168
169 - content of shadow memory 8 bytes for slots 6 and 5:
170 0xF4F4F400. The F4 byte pattern is a magic number
171 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
172 memory region for this shadow byte is a PARTIAL red zone
173 intended to pad a variable A, so that the slot following
174 {A,padding} is 32 bytes aligned.
175
176 Note that the fact that the least significant byte of this
177 shadow memory content is 00 means that 8 bytes of its
178 corresponding memory (which corresponds to the memory of
179 variable 'b') is addressable.
180
181 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
182 The F2 byte pattern is a magic number called
183 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
184 region for this shadow byte is a MIDDLE red zone intended to
185 seat between two 32 aligned slots of {variable,padding}.
186
187 - content of shadow memory 8 bytes for slot 3 and 2:
188 0xF4000000. This represents is the concatenation of
189 variable 'a' and the partial red zone following it, like what we
190 had for variable 'b'. The least significant 3 bytes being 00
191 means that the 3 bytes of variable 'a' are addressable.
192
193 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
194 The F3 byte pattern is a magic number called
195 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
196 region for this shadow byte is a RIGHT red zone intended to seat
197 at the top of the variables of the stack.
198
199 Note that the real variable layout is done in expand_used_vars in
200 cfgexpand.cc. As far as Address Sanitizer is concerned, it lays out
201 stack variables as well as the different red zones, emits some
202 prologue code to populate the shadow memory as to poison (mark as
203 non-accessible) the regions of the red zones and mark the regions of
204 stack variables as accessible, and emit some epilogue code to
205 un-poison (mark as accessible) the regions of red zones right before
206 the function exits.
207
208 [Protection of global variables]
209
210 The basic idea is to insert a red zone between two global variables
211 and install a constructor function that calls the asan runtime to do
212 the populating of the relevant shadow memory regions at load time.
213
214 So the global variables are laid out as to insert a red zone between
215 them. The size of the red zones is so that each variable starts on a
216 32 bytes boundary.
217
218 Then a constructor function is installed so that, for each global
219 variable, it calls the runtime asan library function
220 __asan_register_globals_with an instance of this type:
221
222 struct __asan_global
223 {
224 // Address of the beginning of the global variable.
225 const void *__beg;
226
227 // Initial size of the global variable.
228 uptr __size;
229
230 // Size of the global variable + size of the red zone. This
231 // size is 32 bytes aligned.
232 uptr __size_with_redzone;
233
234 // Name of the global variable.
235 const void *__name;
236
237 // Name of the module where the global variable is declared.
238 const void *__module_name;
239
240 // 1 if it has dynamic initialization, 0 otherwise.
241 uptr __has_dynamic_init;
242
243 // A pointer to struct that contains source location, could be NULL.
244 __asan_global_source_location *__location;
245 }
246
247 A destructor function that calls the runtime asan library function
248 _asan_unregister_globals is also installed. */
249
250 static unsigned HOST_WIDE_INT asan_shadow_offset_value;
251 static bool asan_shadow_offset_computed;
252 static vec<char *> sanitized_sections;
253 static tree last_alloca_addr;
254
255 /* Set of variable declarations that are going to be guarded by
256 use-after-scope sanitizer. */
257
258 hash_set<tree> *asan_handled_variables = NULL;
259
260 hash_set <tree> *asan_used_labels = NULL;
261
262 /* Global variables for HWASAN stack tagging. */
263 /* hwasan_frame_tag_offset records the offset from the frame base tag that the
264 next object should have. */
265 static uint8_t hwasan_frame_tag_offset = 0;
266 /* hwasan_frame_base_ptr is a pointer with the same address as
267 `virtual_stack_vars_rtx` for the current frame, and with the frame base tag
268 stored in it. N.b. this global RTX does not need to be marked GTY, but is
269 done so anyway. The need is not there since all uses are in just one pass
270 (cfgexpand) and there are no calls to ggc_collect between the uses. We mark
271 it GTY(()) anyway to allow the use of the variable later on if needed by
272 future features. */
273 static GTY(()) rtx hwasan_frame_base_ptr = NULL_RTX;
274 /* hwasan_frame_base_init_seq is the sequence of RTL insns that will initialize
275 the hwasan_frame_base_ptr. When the hwasan_frame_base_ptr is requested, we
276 generate this sequence but do not emit it. If the sequence was created it
277 is emitted once the function body has been expanded.
278
279 This delay is because the frame base pointer may be needed anywhere in the
280 function body, or needed by the expand_used_vars function. Emitting once in
281 a known place is simpler than requiring the emission of the instructions to
282 be know where it should go depending on the first place the hwasan frame
283 base is needed. */
284 static GTY(()) rtx_insn *hwasan_frame_base_init_seq = NULL;
285
286 /* Structure defining the extent of one object on the stack that HWASAN needs
287 to tag in the corresponding shadow stack space.
288
289 The range this object spans on the stack is between `untagged_base +
290 nearest_offset` and `untagged_base + farthest_offset`.
291 `tagged_base` is an rtx containing the same value as `untagged_base` but
292 with a random tag stored in the top byte. We record both `untagged_base`
293 and `tagged_base` so that `hwasan_emit_prologue` can use both without having
294 to emit RTL into the instruction stream to re-calculate one from the other.
295 (`hwasan_emit_prologue` needs to use both bases since the
296 __hwasan_tag_memory call it emits uses an untagged value, and it calculates
297 the tag to store in shadow memory based on the tag_offset plus the tag in
298 tagged_base). */
299 struct hwasan_stack_var
300 {
301 rtx untagged_base;
302 rtx tagged_base;
303 poly_int64 nearest_offset;
304 poly_int64 farthest_offset;
305 uint8_t tag_offset;
306 };
307
308 /* Variable recording all stack variables that HWASAN needs to tag.
309 Does not need to be marked as GTY(()) since every use is in the cfgexpand
310 pass and gcc_collect is not called in the middle of that pass. */
311 static vec<hwasan_stack_var> hwasan_tagged_stack_vars;
312
313
314 /* Sets shadow offset to value in string VAL. */
315
316 bool
317 set_asan_shadow_offset (const char *val)
318 {
319 char *endp;
320
321 errno = 0;
322 #ifdef HAVE_LONG_LONG
323 asan_shadow_offset_value = strtoull (val, &endp, 0);
324 #else
325 asan_shadow_offset_value = strtoul (val, &endp, 0);
326 #endif
327 if (!(*val != '\0' && *endp == '\0' && errno == 0))
328 return false;
329
330 asan_shadow_offset_computed = true;
331
332 return true;
333 }
334
335 /* Set list of user-defined sections that need to be sanitized. */
336
337 void
338 set_sanitized_sections (const char *sections)
339 {
340 char *pat;
341 unsigned i;
342 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
343 free (pat);
344 sanitized_sections.truncate (0);
345
346 for (const char *s = sections; *s; )
347 {
348 const char *end;
349 for (end = s; *end && *end != ','; ++end);
350 size_t len = end - s;
351 sanitized_sections.safe_push (xstrndup (s, len));
352 s = *end ? end + 1 : end;
353 }
354 }
355
356 bool
357 asan_mark_p (gimple *stmt, enum asan_mark_flags flag)
358 {
359 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
360 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag);
361 }
362
363 bool
364 asan_sanitize_stack_p (void)
365 {
366 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_stack);
367 }
368
369 bool
370 asan_sanitize_allocas_p (void)
371 {
372 return (asan_sanitize_stack_p () && param_asan_protect_allocas);
373 }
374
375 bool
376 asan_instrument_reads (void)
377 {
378 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_reads);
379 }
380
381 bool
382 asan_instrument_writes (void)
383 {
384 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_writes);
385 }
386
387 bool
388 asan_memintrin (void)
389 {
390 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_memintrin);
391 }
392
393
394 /* Support for --param asan-kernel-mem-intrinsic-prefix=1. */
395 static GTY(()) rtx asan_memfn_rtls[3];
396
397 rtx
398 asan_memfn_rtl (tree fndecl)
399 {
400 int i;
401 const char *f, *p;
402 char buf[sizeof ("__hwasan_memmove")];
403
404 switch (DECL_FUNCTION_CODE (fndecl))
405 {
406 case BUILT_IN_MEMCPY: i = 0; f = "memcpy"; break;
407 case BUILT_IN_MEMSET: i = 1; f = "memset"; break;
408 case BUILT_IN_MEMMOVE: i = 2; f = "memmove"; break;
409 default: gcc_unreachable ();
410 }
411 if (asan_memfn_rtls[i] == NULL_RTX)
412 {
413 tree save_name = DECL_NAME (fndecl);
414 tree save_assembler_name = DECL_ASSEMBLER_NAME (fndecl);
415 rtx save_rtl = DECL_RTL (fndecl);
416 if (flag_sanitize & SANITIZE_KERNEL_HWADDRESS)
417 p = "__hwasan_";
418 else
419 p = "__asan_";
420 strcpy (buf, p);
421 strcat (buf, f);
422 DECL_NAME (fndecl) = get_identifier (buf);
423 DECL_ASSEMBLER_NAME_RAW (fndecl) = NULL_TREE;
424 SET_DECL_RTL (fndecl, NULL_RTX);
425 asan_memfn_rtls[i] = DECL_RTL (fndecl);
426 DECL_NAME (fndecl) = save_name;
427 DECL_ASSEMBLER_NAME_RAW (fndecl) = save_assembler_name;
428 SET_DECL_RTL (fndecl, save_rtl);
429 }
430 return asan_memfn_rtls[i];
431 }
432
433
434 /* Checks whether section SEC should be sanitized. */
435
436 static bool
437 section_sanitized_p (const char *sec)
438 {
439 char *pat;
440 unsigned i;
441 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
442 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
443 return true;
444 return false;
445 }
446
447 /* Returns Asan shadow offset. */
448
449 static unsigned HOST_WIDE_INT
450 asan_shadow_offset ()
451 {
452 if (!asan_shadow_offset_computed)
453 {
454 asan_shadow_offset_computed = true;
455 asan_shadow_offset_value = targetm.asan_shadow_offset ();
456 }
457 return asan_shadow_offset_value;
458 }
459
460 /* Returns Asan shadow offset has been set. */
461 bool
462 asan_shadow_offset_set_p ()
463 {
464 return asan_shadow_offset_computed;
465 }
466
467 alias_set_type asan_shadow_set = -1;
468
469 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
470 alias set is used for all shadow memory accesses. */
471 static GTY(()) tree shadow_ptr_types[3];
472
473 /* Decl for __asan_option_detect_stack_use_after_return. */
474 static GTY(()) tree asan_detect_stack_use_after_return;
475
476 /* Hashtable support for memory references used by gimple
477 statements. */
478
479 /* This type represents a reference to a memory region. */
480 struct asan_mem_ref
481 {
482 /* The expression of the beginning of the memory region. */
483 tree start;
484
485 /* The size of the access. */
486 HOST_WIDE_INT access_size;
487 };
488
489 object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
490
491 /* Initializes an instance of asan_mem_ref. */
492
493 static void
494 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
495 {
496 ref->start = start;
497 ref->access_size = access_size;
498 }
499
500 /* Allocates memory for an instance of asan_mem_ref into the memory
501 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
502 START is the address of (or the expression pointing to) the
503 beginning of memory reference. ACCESS_SIZE is the size of the
504 access to the referenced memory. */
505
506 static asan_mem_ref*
507 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
508 {
509 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
510
511 asan_mem_ref_init (ref, start, access_size);
512 return ref;
513 }
514
515 /* This builds and returns a pointer to the end of the memory region
516 that starts at START and of length LEN. */
517
518 tree
519 asan_mem_ref_get_end (tree start, tree len)
520 {
521 if (len == NULL_TREE || integer_zerop (len))
522 return start;
523
524 if (!ptrofftype_p (len))
525 len = convert_to_ptrofftype (len);
526
527 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
528 }
529
530 /* Return a tree expression that represents the end of the referenced
531 memory region. Beware that this function can actually build a new
532 tree expression. */
533
534 tree
535 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
536 {
537 return asan_mem_ref_get_end (ref->start, len);
538 }
539
540 struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
541 {
542 static inline hashval_t hash (const asan_mem_ref *);
543 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
544 };
545
546 /* Hash a memory reference. */
547
548 inline hashval_t
549 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
550 {
551 return iterative_hash_expr (mem_ref->start, 0);
552 }
553
554 /* Compare two memory references. We accept the length of either
555 memory references to be NULL_TREE. */
556
557 inline bool
558 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
559 const asan_mem_ref *m2)
560 {
561 return operand_equal_p (m1->start, m2->start, 0);
562 }
563
564 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
565
566 /* Returns a reference to the hash table containing memory references.
567 This function ensures that the hash table is created. Note that
568 this hash table is updated by the function
569 update_mem_ref_hash_table. */
570
571 static hash_table<asan_mem_ref_hasher> *
572 get_mem_ref_hash_table ()
573 {
574 if (!asan_mem_ref_ht)
575 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
576
577 return asan_mem_ref_ht;
578 }
579
580 /* Clear all entries from the memory references hash table. */
581
582 static void
583 empty_mem_ref_hash_table ()
584 {
585 if (asan_mem_ref_ht)
586 asan_mem_ref_ht->empty ();
587 }
588
589 /* Free the memory references hash table. */
590
591 static void
592 free_mem_ref_resources ()
593 {
594 delete asan_mem_ref_ht;
595 asan_mem_ref_ht = NULL;
596
597 asan_mem_ref_pool.release ();
598 }
599
600 /* Return true iff the memory reference REF has been instrumented. */
601
602 static bool
603 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
604 {
605 asan_mem_ref r;
606 asan_mem_ref_init (&r, ref, access_size);
607
608 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
609 return saved_ref && saved_ref->access_size >= access_size;
610 }
611
612 /* Return true iff the memory reference REF has been instrumented. */
613
614 static bool
615 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
616 {
617 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
618 }
619
620 /* Return true iff access to memory region starting at REF and of
621 length LEN has been instrumented. */
622
623 static bool
624 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
625 {
626 HOST_WIDE_INT size_in_bytes
627 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
628
629 return size_in_bytes != -1
630 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
631 }
632
633 /* Set REF to the memory reference present in a gimple assignment
634 ASSIGNMENT. Return true upon successful completion, false
635 otherwise. */
636
637 static bool
638 get_mem_ref_of_assignment (const gassign *assignment,
639 asan_mem_ref *ref,
640 bool *ref_is_store)
641 {
642 gcc_assert (gimple_assign_single_p (assignment));
643
644 if (gimple_store_p (assignment)
645 && !gimple_clobber_p (assignment))
646 {
647 ref->start = gimple_assign_lhs (assignment);
648 *ref_is_store = true;
649 }
650 else if (gimple_assign_load_p (assignment))
651 {
652 ref->start = gimple_assign_rhs1 (assignment);
653 *ref_is_store = false;
654 }
655 else
656 return false;
657
658 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
659 return true;
660 }
661
662 /* Return address of last allocated dynamic alloca. */
663
664 static tree
665 get_last_alloca_addr ()
666 {
667 if (last_alloca_addr)
668 return last_alloca_addr;
669
670 last_alloca_addr = create_tmp_reg (ptr_type_node, "last_alloca_addr");
671 gassign *g = gimple_build_assign (last_alloca_addr, null_pointer_node);
672 edge e = single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun));
673 gsi_insert_on_edge_immediate (e, g);
674 return last_alloca_addr;
675 }
676
677 /* Insert __asan_allocas_unpoison (top, bottom) call before
678 __builtin_stack_restore (new_sp) call.
679 The pseudocode of this routine should look like this:
680 top = last_alloca_addr;
681 bot = new_sp;
682 __asan_allocas_unpoison (top, bot);
683 last_alloca_addr = new_sp;
684 __builtin_stack_restore (new_sp);
685 In general, we can't use new_sp as bot parameter because on some
686 architectures SP has non zero offset from dynamic stack area. Moreover, on
687 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each
688 particular function only after all callees were expanded to rtl.
689 The most noticeable example is PowerPC{,64}, see
690 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
691 To overcome the issue we use following trick: pass new_sp as a second
692 parameter to __asan_allocas_unpoison and rewrite it during expansion with
693 new_sp + (virtual_dynamic_stack_rtx - sp) later in
694 expand_asan_emit_allocas_unpoison function.
695
696 HWASAN needs to do very similar, the eventual pseudocode should be:
697 __hwasan_tag_memory (virtual_stack_dynamic_rtx,
698 0,
699 new_sp - sp);
700 __builtin_stack_restore (new_sp)
701
702 Need to use the same trick to handle STACK_DYNAMIC_OFFSET as described
703 above. */
704
705 static void
706 handle_builtin_stack_restore (gcall *call, gimple_stmt_iterator *iter)
707 {
708 if (!iter
709 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ()))
710 return;
711
712 tree restored_stack = gimple_call_arg (call, 0);
713
714 gimple *g;
715
716 if (hwasan_sanitize_allocas_p ())
717 {
718 enum internal_fn fn = IFN_HWASAN_ALLOCA_UNPOISON;
719 /* There is only one piece of information `expand_HWASAN_ALLOCA_UNPOISON`
720 needs to work. This is the length of the area that we're
721 deallocating. Since the stack pointer is known at expand time, the
722 position of the new stack pointer after deallocation is enough
723 information to calculate this length. */
724 g = gimple_build_call_internal (fn, 1, restored_stack);
725 }
726 else
727 {
728 tree last_alloca = get_last_alloca_addr ();
729 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCAS_UNPOISON);
730 g = gimple_build_call (fn, 2, last_alloca, restored_stack);
731 gsi_insert_before (iter, g, GSI_SAME_STMT);
732 g = gimple_build_assign (last_alloca, restored_stack);
733 }
734
735 gsi_insert_before (iter, g, GSI_SAME_STMT);
736 }
737
738 /* Deploy and poison redzones around __builtin_alloca call. To do this, we
739 should replace this call with another one with changed parameters and
740 replace all its uses with new address, so
741 addr = __builtin_alloca (old_size, align);
742 is replaced by
743 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
744 Following two statements are optimized out if we know that
745 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
746 redzone.
747 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
748 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
749 right_redzone_size = ASAN_RED_ZONE_SIZE;
750 additional_size = left_redzone_size + partial_redzone_size +
751 right_redzone_size;
752 new_size = old_size + additional_size;
753 new_alloca = __builtin_alloca (new_size, max (align, 32))
754 __asan_alloca_poison (new_alloca, old_size)
755 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
756 last_alloca_addr = new_alloca;
757 ADDITIONAL_SIZE is added to make new memory allocation contain not only
758 requested memory, but also left, partial and right redzones as well as some
759 additional space, required by alignment. */
760
761 static void
762 handle_builtin_alloca (gcall *call, gimple_stmt_iterator *iter)
763 {
764 if (!iter
765 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ()))
766 return;
767
768 gassign *g;
769 gcall *gg;
770 tree callee = gimple_call_fndecl (call);
771 tree lhs = gimple_call_lhs (call);
772 tree old_size = gimple_call_arg (call, 0);
773 tree ptr_type = lhs ? TREE_TYPE (lhs) : ptr_type_node;
774 tree partial_size = NULL_TREE;
775 unsigned int align
776 = DECL_FUNCTION_CODE (callee) == BUILT_IN_ALLOCA
777 ? 0 : tree_to_uhwi (gimple_call_arg (call, 1));
778
779 bool throws = false;
780 edge e = NULL;
781 if (stmt_can_throw_internal (cfun, call))
782 {
783 if (!lhs)
784 return;
785 throws = true;
786 e = find_fallthru_edge (gsi_bb (*iter)->succs);
787 }
788
789 if (hwasan_sanitize_allocas_p ())
790 {
791 gimple_seq stmts = NULL;
792 location_t loc = gimple_location (gsi_stmt (*iter));
793 /*
794 HWASAN needs a different expansion.
795
796 addr = __builtin_alloca (size, align);
797
798 should be replaced by
799
800 new_size = size rounded up to HWASAN_TAG_GRANULE_SIZE byte alignment;
801 untagged_addr = __builtin_alloca (new_size, align);
802 tag = __hwasan_choose_alloca_tag ();
803 addr = ifn_HWASAN_SET_TAG (untagged_addr, tag);
804 __hwasan_tag_memory (untagged_addr, tag, new_size);
805 */
806 /* Ensure alignment at least HWASAN_TAG_GRANULE_SIZE bytes so we start on
807 a tag granule. */
808 align = align > HWASAN_TAG_GRANULE_SIZE ? align : HWASAN_TAG_GRANULE_SIZE;
809
810 tree old_size = gimple_call_arg (call, 0);
811 tree new_size = gimple_build_round_up (&stmts, loc, size_type_node,
812 old_size,
813 HWASAN_TAG_GRANULE_SIZE);
814
815 /* Make the alloca call */
816 tree untagged_addr
817 = gimple_build (&stmts, loc,
818 as_combined_fn (BUILT_IN_ALLOCA_WITH_ALIGN), ptr_type,
819 new_size, build_int_cst (size_type_node, align));
820
821 /* Choose the tag.
822 Here we use an internal function so we can choose the tag at expand
823 time. We need the decision to be made after stack variables have been
824 assigned their tag (i.e. once the hwasan_frame_tag_offset variable has
825 been set to one after the last stack variables tag). */
826 tree tag = gimple_build (&stmts, loc, CFN_HWASAN_CHOOSE_TAG,
827 unsigned_char_type_node);
828
829 /* Add tag to pointer. */
830 tree addr
831 = gimple_build (&stmts, loc, CFN_HWASAN_SET_TAG, ptr_type,
832 untagged_addr, tag);
833
834 /* Tag shadow memory.
835 NOTE: require using `untagged_addr` here for libhwasan API. */
836 gimple_build (&stmts, loc, as_combined_fn (BUILT_IN_HWASAN_TAG_MEM),
837 void_type_node, untagged_addr, tag, new_size);
838
839 /* Insert the built up code sequence into the original instruction stream
840 the iterator points to. */
841 gsi_insert_seq_before (iter, stmts, GSI_SAME_STMT);
842
843 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
844 replace_call_with_value (iter, addr);
845 return;
846 }
847
848 tree last_alloca = get_last_alloca_addr ();
849 const HOST_WIDE_INT redzone_mask = ASAN_RED_ZONE_SIZE - 1;
850
851 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
852 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
853 manually. */
854 align = MAX (align, ASAN_RED_ZONE_SIZE * BITS_PER_UNIT);
855
856 tree alloca_rz_mask = build_int_cst (size_type_node, redzone_mask);
857 tree redzone_size = build_int_cst (size_type_node, ASAN_RED_ZONE_SIZE);
858
859 /* Extract lower bits from old_size. */
860 wide_int size_nonzero_bits = get_nonzero_bits (old_size);
861 wide_int rz_mask
862 = wi::uhwi (redzone_mask, wi::get_precision (size_nonzero_bits));
863 wide_int old_size_lower_bits = wi::bit_and (size_nonzero_bits, rz_mask);
864
865 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
866 redzone. Otherwise, compute its size here. */
867 if (wi::ne_p (old_size_lower_bits, 0))
868 {
869 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
870 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
871 g = gimple_build_assign (make_ssa_name (size_type_node, NULL),
872 BIT_AND_EXPR, old_size, alloca_rz_mask);
873 gsi_insert_before (iter, g, GSI_SAME_STMT);
874 tree misalign = gimple_assign_lhs (g);
875 g = gimple_build_assign (make_ssa_name (size_type_node, NULL), MINUS_EXPR,
876 redzone_size, misalign);
877 gsi_insert_before (iter, g, GSI_SAME_STMT);
878 partial_size = gimple_assign_lhs (g);
879 }
880
881 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
882 tree additional_size = build_int_cst (size_type_node, align / BITS_PER_UNIT
883 + ASAN_RED_ZONE_SIZE);
884 /* If alloca has partial redzone, include it to additional_size too. */
885 if (partial_size)
886 {
887 /* additional_size += partial_size. */
888 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR,
889 partial_size, additional_size);
890 gsi_insert_before (iter, g, GSI_SAME_STMT);
891 additional_size = gimple_assign_lhs (g);
892 }
893
894 /* new_size = old_size + additional_size. */
895 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR, old_size,
896 additional_size);
897 gsi_insert_before (iter, g, GSI_SAME_STMT);
898 tree new_size = gimple_assign_lhs (g);
899
900 /* Build new __builtin_alloca call:
901 new_alloca_with_rz = __builtin_alloca (new_size, align). */
902 tree fn = builtin_decl_implicit (BUILT_IN_ALLOCA_WITH_ALIGN);
903 gg = gimple_build_call (fn, 2, new_size,
904 build_int_cst (size_type_node, align));
905 tree new_alloca_with_rz = make_ssa_name (ptr_type, gg);
906 gimple_call_set_lhs (gg, new_alloca_with_rz);
907 if (throws)
908 {
909 gimple_call_set_lhs (call, NULL);
910 gsi_replace (iter, gg, true);
911 }
912 else
913 gsi_insert_before (iter, gg, GSI_SAME_STMT);
914
915 /* new_alloca = new_alloca_with_rz + align. */
916 g = gimple_build_assign (make_ssa_name (ptr_type), POINTER_PLUS_EXPR,
917 new_alloca_with_rz,
918 build_int_cst (size_type_node,
919 align / BITS_PER_UNIT));
920 gimple_stmt_iterator gsi = gsi_none ();
921 if (throws)
922 {
923 gsi_insert_on_edge_immediate (e, g);
924 gsi = gsi_for_stmt (g);
925 }
926 else
927 gsi_insert_before (iter, g, GSI_SAME_STMT);
928 tree new_alloca = gimple_assign_lhs (g);
929
930 /* Poison newly created alloca redzones:
931 __asan_alloca_poison (new_alloca, old_size). */
932 fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCA_POISON);
933 gg = gimple_build_call (fn, 2, new_alloca, old_size);
934 if (throws)
935 gsi_insert_after (&gsi, gg, GSI_NEW_STMT);
936 else
937 gsi_insert_before (iter, gg, GSI_SAME_STMT);
938
939 /* Save new_alloca_with_rz value into last_alloca to use it during
940 allocas unpoisoning. */
941 g = gimple_build_assign (last_alloca, new_alloca_with_rz);
942 if (throws)
943 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
944 else
945 gsi_insert_before (iter, g, GSI_SAME_STMT);
946
947 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
948 if (throws)
949 {
950 g = gimple_build_assign (lhs, new_alloca);
951 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
952 }
953 else
954 replace_call_with_value (iter, new_alloca);
955 }
956
957 /* Return the memory references contained in a gimple statement
958 representing a builtin call that has to do with memory access. */
959
960 static bool
961 get_mem_refs_of_builtin_call (gcall *call,
962 asan_mem_ref *src0,
963 tree *src0_len,
964 bool *src0_is_store,
965 asan_mem_ref *src1,
966 tree *src1_len,
967 bool *src1_is_store,
968 asan_mem_ref *dst,
969 tree *dst_len,
970 bool *dst_is_store,
971 bool *dest_is_deref,
972 bool *intercepted_p,
973 gimple_stmt_iterator *iter = NULL)
974 {
975 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
976
977 tree callee = gimple_call_fndecl (call);
978 tree source0 = NULL_TREE, source1 = NULL_TREE,
979 dest = NULL_TREE, len = NULL_TREE;
980 bool is_store = true, got_reference_p = false;
981 HOST_WIDE_INT access_size = 1;
982
983 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
984
985 switch (DECL_FUNCTION_CODE (callee))
986 {
987 /* (s, s, n) style memops. */
988 case BUILT_IN_BCMP:
989 case BUILT_IN_MEMCMP:
990 source0 = gimple_call_arg (call, 0);
991 source1 = gimple_call_arg (call, 1);
992 len = gimple_call_arg (call, 2);
993 break;
994
995 /* (src, dest, n) style memops. */
996 case BUILT_IN_BCOPY:
997 source0 = gimple_call_arg (call, 0);
998 dest = gimple_call_arg (call, 1);
999 len = gimple_call_arg (call, 2);
1000 break;
1001
1002 /* (dest, src, n) style memops. */
1003 case BUILT_IN_MEMCPY:
1004 case BUILT_IN_MEMCPY_CHK:
1005 case BUILT_IN_MEMMOVE:
1006 case BUILT_IN_MEMMOVE_CHK:
1007 case BUILT_IN_MEMPCPY:
1008 case BUILT_IN_MEMPCPY_CHK:
1009 dest = gimple_call_arg (call, 0);
1010 source0 = gimple_call_arg (call, 1);
1011 len = gimple_call_arg (call, 2);
1012 break;
1013
1014 /* (dest, n) style memops. */
1015 case BUILT_IN_BZERO:
1016 dest = gimple_call_arg (call, 0);
1017 len = gimple_call_arg (call, 1);
1018 break;
1019
1020 /* (dest, x, n) style memops*/
1021 case BUILT_IN_MEMSET:
1022 case BUILT_IN_MEMSET_CHK:
1023 dest = gimple_call_arg (call, 0);
1024 len = gimple_call_arg (call, 2);
1025 break;
1026
1027 case BUILT_IN_STRLEN:
1028 /* Special case strlen here since its length is taken from its return
1029 value.
1030
1031 The approach taken by the sanitizers is to check a memory access
1032 before it's taken. For ASAN strlen is intercepted by libasan, so no
1033 check is inserted by the compiler.
1034
1035 This function still returns `true` and provides a length to the rest
1036 of the ASAN pass in order to record what areas have been checked,
1037 avoiding superfluous checks later on.
1038
1039 HWASAN does not intercept any of these internal functions.
1040 This means that checks for memory accesses must be inserted by the
1041 compiler.
1042 strlen is a special case, because we can tell the length from the
1043 return of the function, but that is not known until after the function
1044 has returned.
1045
1046 Hence we can't check the memory access before it happens.
1047 We could check the memory access after it has already happened, but
1048 for now we choose to just ignore `strlen` calls.
1049 This decision was simply made because that means the special case is
1050 limited to this one case of this one function. */
1051 if (hwasan_sanitize_p ())
1052 return false;
1053 source0 = gimple_call_arg (call, 0);
1054 len = gimple_call_lhs (call);
1055 break;
1056
1057 case BUILT_IN_STACK_RESTORE:
1058 handle_builtin_stack_restore (call, iter);
1059 break;
1060
1061 CASE_BUILT_IN_ALLOCA:
1062 handle_builtin_alloca (call, iter);
1063 break;
1064 /* And now the __atomic* and __sync builtins.
1065 These are handled differently from the classical memory
1066 access builtins above. */
1067
1068 case BUILT_IN_ATOMIC_LOAD_1:
1069 is_store = false;
1070 /* FALLTHRU */
1071 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
1072 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
1073 case BUILT_IN_SYNC_FETCH_AND_OR_1:
1074 case BUILT_IN_SYNC_FETCH_AND_AND_1:
1075 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
1076 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
1077 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
1078 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
1079 case BUILT_IN_SYNC_OR_AND_FETCH_1:
1080 case BUILT_IN_SYNC_AND_AND_FETCH_1:
1081 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
1082 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
1083 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
1084 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
1085 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
1086 case BUILT_IN_SYNC_LOCK_RELEASE_1:
1087 case BUILT_IN_ATOMIC_EXCHANGE_1:
1088 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
1089 case BUILT_IN_ATOMIC_STORE_1:
1090 case BUILT_IN_ATOMIC_ADD_FETCH_1:
1091 case BUILT_IN_ATOMIC_SUB_FETCH_1:
1092 case BUILT_IN_ATOMIC_AND_FETCH_1:
1093 case BUILT_IN_ATOMIC_NAND_FETCH_1:
1094 case BUILT_IN_ATOMIC_XOR_FETCH_1:
1095 case BUILT_IN_ATOMIC_OR_FETCH_1:
1096 case BUILT_IN_ATOMIC_FETCH_ADD_1:
1097 case BUILT_IN_ATOMIC_FETCH_SUB_1:
1098 case BUILT_IN_ATOMIC_FETCH_AND_1:
1099 case BUILT_IN_ATOMIC_FETCH_NAND_1:
1100 case BUILT_IN_ATOMIC_FETCH_XOR_1:
1101 case BUILT_IN_ATOMIC_FETCH_OR_1:
1102 access_size = 1;
1103 goto do_atomic;
1104
1105 case BUILT_IN_ATOMIC_LOAD_2:
1106 is_store = false;
1107 /* FALLTHRU */
1108 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
1109 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
1110 case BUILT_IN_SYNC_FETCH_AND_OR_2:
1111 case BUILT_IN_SYNC_FETCH_AND_AND_2:
1112 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
1113 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
1114 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
1115 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
1116 case BUILT_IN_SYNC_OR_AND_FETCH_2:
1117 case BUILT_IN_SYNC_AND_AND_FETCH_2:
1118 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
1119 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
1120 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
1121 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
1122 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
1123 case BUILT_IN_SYNC_LOCK_RELEASE_2:
1124 case BUILT_IN_ATOMIC_EXCHANGE_2:
1125 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
1126 case BUILT_IN_ATOMIC_STORE_2:
1127 case BUILT_IN_ATOMIC_ADD_FETCH_2:
1128 case BUILT_IN_ATOMIC_SUB_FETCH_2:
1129 case BUILT_IN_ATOMIC_AND_FETCH_2:
1130 case BUILT_IN_ATOMIC_NAND_FETCH_2:
1131 case BUILT_IN_ATOMIC_XOR_FETCH_2:
1132 case BUILT_IN_ATOMIC_OR_FETCH_2:
1133 case BUILT_IN_ATOMIC_FETCH_ADD_2:
1134 case BUILT_IN_ATOMIC_FETCH_SUB_2:
1135 case BUILT_IN_ATOMIC_FETCH_AND_2:
1136 case BUILT_IN_ATOMIC_FETCH_NAND_2:
1137 case BUILT_IN_ATOMIC_FETCH_XOR_2:
1138 case BUILT_IN_ATOMIC_FETCH_OR_2:
1139 access_size = 2;
1140 goto do_atomic;
1141
1142 case BUILT_IN_ATOMIC_LOAD_4:
1143 is_store = false;
1144 /* FALLTHRU */
1145 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
1146 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
1147 case BUILT_IN_SYNC_FETCH_AND_OR_4:
1148 case BUILT_IN_SYNC_FETCH_AND_AND_4:
1149 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
1150 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
1151 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
1152 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
1153 case BUILT_IN_SYNC_OR_AND_FETCH_4:
1154 case BUILT_IN_SYNC_AND_AND_FETCH_4:
1155 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
1156 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
1157 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
1158 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
1159 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
1160 case BUILT_IN_SYNC_LOCK_RELEASE_4:
1161 case BUILT_IN_ATOMIC_EXCHANGE_4:
1162 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
1163 case BUILT_IN_ATOMIC_STORE_4:
1164 case BUILT_IN_ATOMIC_ADD_FETCH_4:
1165 case BUILT_IN_ATOMIC_SUB_FETCH_4:
1166 case BUILT_IN_ATOMIC_AND_FETCH_4:
1167 case BUILT_IN_ATOMIC_NAND_FETCH_4:
1168 case BUILT_IN_ATOMIC_XOR_FETCH_4:
1169 case BUILT_IN_ATOMIC_OR_FETCH_4:
1170 case BUILT_IN_ATOMIC_FETCH_ADD_4:
1171 case BUILT_IN_ATOMIC_FETCH_SUB_4:
1172 case BUILT_IN_ATOMIC_FETCH_AND_4:
1173 case BUILT_IN_ATOMIC_FETCH_NAND_4:
1174 case BUILT_IN_ATOMIC_FETCH_XOR_4:
1175 case BUILT_IN_ATOMIC_FETCH_OR_4:
1176 access_size = 4;
1177 goto do_atomic;
1178
1179 case BUILT_IN_ATOMIC_LOAD_8:
1180 is_store = false;
1181 /* FALLTHRU */
1182 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
1183 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
1184 case BUILT_IN_SYNC_FETCH_AND_OR_8:
1185 case BUILT_IN_SYNC_FETCH_AND_AND_8:
1186 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
1187 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
1188 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
1189 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
1190 case BUILT_IN_SYNC_OR_AND_FETCH_8:
1191 case BUILT_IN_SYNC_AND_AND_FETCH_8:
1192 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
1193 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
1194 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
1195 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
1196 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
1197 case BUILT_IN_SYNC_LOCK_RELEASE_8:
1198 case BUILT_IN_ATOMIC_EXCHANGE_8:
1199 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
1200 case BUILT_IN_ATOMIC_STORE_8:
1201 case BUILT_IN_ATOMIC_ADD_FETCH_8:
1202 case BUILT_IN_ATOMIC_SUB_FETCH_8:
1203 case BUILT_IN_ATOMIC_AND_FETCH_8:
1204 case BUILT_IN_ATOMIC_NAND_FETCH_8:
1205 case BUILT_IN_ATOMIC_XOR_FETCH_8:
1206 case BUILT_IN_ATOMIC_OR_FETCH_8:
1207 case BUILT_IN_ATOMIC_FETCH_ADD_8:
1208 case BUILT_IN_ATOMIC_FETCH_SUB_8:
1209 case BUILT_IN_ATOMIC_FETCH_AND_8:
1210 case BUILT_IN_ATOMIC_FETCH_NAND_8:
1211 case BUILT_IN_ATOMIC_FETCH_XOR_8:
1212 case BUILT_IN_ATOMIC_FETCH_OR_8:
1213 access_size = 8;
1214 goto do_atomic;
1215
1216 case BUILT_IN_ATOMIC_LOAD_16:
1217 is_store = false;
1218 /* FALLTHRU */
1219 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
1220 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
1221 case BUILT_IN_SYNC_FETCH_AND_OR_16:
1222 case BUILT_IN_SYNC_FETCH_AND_AND_16:
1223 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
1224 case BUILT_IN_SYNC_FETCH_AND_NAND_16:
1225 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
1226 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
1227 case BUILT_IN_SYNC_OR_AND_FETCH_16:
1228 case BUILT_IN_SYNC_AND_AND_FETCH_16:
1229 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
1230 case BUILT_IN_SYNC_NAND_AND_FETCH_16:
1231 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
1232 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
1233 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
1234 case BUILT_IN_SYNC_LOCK_RELEASE_16:
1235 case BUILT_IN_ATOMIC_EXCHANGE_16:
1236 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
1237 case BUILT_IN_ATOMIC_STORE_16:
1238 case BUILT_IN_ATOMIC_ADD_FETCH_16:
1239 case BUILT_IN_ATOMIC_SUB_FETCH_16:
1240 case BUILT_IN_ATOMIC_AND_FETCH_16:
1241 case BUILT_IN_ATOMIC_NAND_FETCH_16:
1242 case BUILT_IN_ATOMIC_XOR_FETCH_16:
1243 case BUILT_IN_ATOMIC_OR_FETCH_16:
1244 case BUILT_IN_ATOMIC_FETCH_ADD_16:
1245 case BUILT_IN_ATOMIC_FETCH_SUB_16:
1246 case BUILT_IN_ATOMIC_FETCH_AND_16:
1247 case BUILT_IN_ATOMIC_FETCH_NAND_16:
1248 case BUILT_IN_ATOMIC_FETCH_XOR_16:
1249 case BUILT_IN_ATOMIC_FETCH_OR_16:
1250 access_size = 16;
1251 /* FALLTHRU */
1252 do_atomic:
1253 {
1254 dest = gimple_call_arg (call, 0);
1255 /* DEST represents the address of a memory location.
1256 instrument_derefs wants the memory location, so lets
1257 dereference the address DEST before handing it to
1258 instrument_derefs. */
1259 tree type = build_nonstandard_integer_type (access_size
1260 * BITS_PER_UNIT, 1);
1261 dest = build2 (MEM_REF, type, dest,
1262 build_int_cst (build_pointer_type (char_type_node), 0));
1263 break;
1264 }
1265
1266 default:
1267 /* The other builtins memory access are not instrumented in this
1268 function because they either don't have any length parameter,
1269 or their length parameter is just a limit. */
1270 break;
1271 }
1272
1273 if (len != NULL_TREE)
1274 {
1275 if (source0 != NULL_TREE)
1276 {
1277 src0->start = source0;
1278 src0->access_size = access_size;
1279 *src0_len = len;
1280 *src0_is_store = false;
1281 }
1282
1283 if (source1 != NULL_TREE)
1284 {
1285 src1->start = source1;
1286 src1->access_size = access_size;
1287 *src1_len = len;
1288 *src1_is_store = false;
1289 }
1290
1291 if (dest != NULL_TREE)
1292 {
1293 dst->start = dest;
1294 dst->access_size = access_size;
1295 *dst_len = len;
1296 *dst_is_store = true;
1297 }
1298
1299 got_reference_p = true;
1300 }
1301 else if (dest)
1302 {
1303 dst->start = dest;
1304 dst->access_size = access_size;
1305 *dst_len = NULL_TREE;
1306 *dst_is_store = is_store;
1307 *dest_is_deref = true;
1308 got_reference_p = true;
1309 }
1310
1311 return got_reference_p;
1312 }
1313
1314 /* Return true iff a given gimple statement has been instrumented.
1315 Note that the statement is "defined" by the memory references it
1316 contains. */
1317
1318 static bool
1319 has_stmt_been_instrumented_p (gimple *stmt)
1320 {
1321 if (gimple_assign_single_p (stmt))
1322 {
1323 bool r_is_store;
1324 asan_mem_ref r;
1325 asan_mem_ref_init (&r, NULL, 1);
1326
1327 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
1328 &r_is_store))
1329 {
1330 if (!has_mem_ref_been_instrumented (&r))
1331 return false;
1332 if (r_is_store && gimple_assign_load_p (stmt))
1333 {
1334 asan_mem_ref src;
1335 asan_mem_ref_init (&src, NULL, 1);
1336 src.start = gimple_assign_rhs1 (stmt);
1337 src.access_size = int_size_in_bytes (TREE_TYPE (src.start));
1338 if (!has_mem_ref_been_instrumented (&src))
1339 return false;
1340 }
1341 return true;
1342 }
1343 }
1344 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
1345 {
1346 asan_mem_ref src0, src1, dest;
1347 asan_mem_ref_init (&src0, NULL, 1);
1348 asan_mem_ref_init (&src1, NULL, 1);
1349 asan_mem_ref_init (&dest, NULL, 1);
1350
1351 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1352 bool src0_is_store = false, src1_is_store = false,
1353 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
1354 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
1355 &src0, &src0_len, &src0_is_store,
1356 &src1, &src1_len, &src1_is_store,
1357 &dest, &dest_len, &dest_is_store,
1358 &dest_is_deref, &intercepted_p))
1359 {
1360 if (src0.start != NULL_TREE
1361 && !has_mem_ref_been_instrumented (&src0, src0_len))
1362 return false;
1363
1364 if (src1.start != NULL_TREE
1365 && !has_mem_ref_been_instrumented (&src1, src1_len))
1366 return false;
1367
1368 if (dest.start != NULL_TREE
1369 && !has_mem_ref_been_instrumented (&dest, dest_len))
1370 return false;
1371
1372 return true;
1373 }
1374 }
1375 else if (is_gimple_call (stmt)
1376 && gimple_store_p (stmt)
1377 && (gimple_call_builtin_p (stmt)
1378 || gimple_call_internal_p (stmt)
1379 || !aggregate_value_p (TREE_TYPE (gimple_call_lhs (stmt)),
1380 gimple_call_fntype (stmt))))
1381 {
1382 asan_mem_ref r;
1383 asan_mem_ref_init (&r, NULL, 1);
1384
1385 r.start = gimple_call_lhs (stmt);
1386 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
1387 return has_mem_ref_been_instrumented (&r);
1388 }
1389
1390 return false;
1391 }
1392
1393 /* Insert a memory reference into the hash table. */
1394
1395 static void
1396 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
1397 {
1398 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
1399
1400 asan_mem_ref r;
1401 asan_mem_ref_init (&r, ref, access_size);
1402
1403 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
1404 if (*slot == NULL || (*slot)->access_size < access_size)
1405 *slot = asan_mem_ref_new (ref, access_size);
1406 }
1407
1408 /* Initialize shadow_ptr_types array. */
1409
1410 static void
1411 asan_init_shadow_ptr_types (void)
1412 {
1413 asan_shadow_set = new_alias_set ();
1414 tree types[3] = { signed_char_type_node, short_integer_type_node,
1415 integer_type_node };
1416
1417 for (unsigned i = 0; i < 3; i++)
1418 {
1419 shadow_ptr_types[i] = build_distinct_type_copy (types[i]);
1420 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set;
1421 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]);
1422 }
1423
1424 initialize_sanitizer_builtins ();
1425 }
1426
1427 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
1428
1429 static tree
1430 asan_pp_string (pretty_printer *pp)
1431 {
1432 const char *buf = pp_formatted_text (pp);
1433 size_t len = strlen (buf);
1434 tree ret = build_string (len + 1, buf);
1435 TREE_TYPE (ret)
1436 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
1437 build_index_type (size_int (len)));
1438 TREE_READONLY (ret) = 1;
1439 TREE_STATIC (ret) = 1;
1440 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
1441 }
1442
1443 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1444 though. */
1445
1446 static void
1447 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
1448 {
1449 rtx_insn *insn, *insns, *jump;
1450 rtx_code_label *top_label;
1451 rtx end, addr, tmp;
1452
1453 gcc_assert ((len & 3) == 0);
1454 start_sequence ();
1455 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
1456 insns = get_insns ();
1457 end_sequence ();
1458 for (insn = insns; insn; insn = NEXT_INSN (insn))
1459 if (CALL_P (insn))
1460 break;
1461 if (insn == NULL_RTX)
1462 {
1463 emit_insn (insns);
1464 return;
1465 }
1466
1467 top_label = gen_label_rtx ();
1468 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
1469 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1470 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1471 emit_label (top_label);
1472
1473 emit_move_insn (shadow_mem, const0_rtx);
1474 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
1475 true, OPTAB_LIB_WIDEN);
1476 if (tmp != addr)
1477 emit_move_insn (addr, tmp);
1478 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1479 jump = get_last_insn ();
1480 gcc_assert (JUMP_P (jump));
1481 add_reg_br_prob_note (jump,
1482 profile_probability::guessed_always ()
1483 .apply_scale (80, 100));
1484 }
1485
1486 void
1487 asan_function_start (void)
1488 {
1489 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC", current_function_funcdef_no);
1490 }
1491
1492 /* Return number of shadow bytes that are occupied by a local variable
1493 of SIZE bytes. */
1494
1495 static unsigned HOST_WIDE_INT
1496 shadow_mem_size (unsigned HOST_WIDE_INT size)
1497 {
1498 /* It must be possible to align stack variables to granularity
1499 of shadow memory. */
1500 gcc_assert (BITS_PER_UNIT
1501 * ASAN_SHADOW_GRANULARITY <= MAX_SUPPORTED_STACK_ALIGNMENT);
1502
1503 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY;
1504 }
1505
1506 /* Always emit 4 bytes at a time. */
1507 #define RZ_BUFFER_SIZE 4
1508
1509 /* ASAN redzone buffer container that handles emission of shadow bytes. */
1510 class asan_redzone_buffer
1511 {
1512 public:
1513 /* Constructor. */
1514 asan_redzone_buffer (rtx shadow_mem, HOST_WIDE_INT prev_offset):
1515 m_shadow_mem (shadow_mem), m_prev_offset (prev_offset),
1516 m_original_offset (prev_offset), m_shadow_bytes (RZ_BUFFER_SIZE)
1517 {}
1518
1519 /* Emit VALUE shadow byte at a given OFFSET. */
1520 void emit_redzone_byte (HOST_WIDE_INT offset, unsigned char value);
1521
1522 /* Emit RTX emission of the content of the buffer. */
1523 void flush_redzone_payload (void);
1524
1525 private:
1526 /* Flush if the content of the buffer is full
1527 (equal to RZ_BUFFER_SIZE). */
1528 void flush_if_full (void);
1529
1530 /* Memory where we last emitted a redzone payload. */
1531 rtx m_shadow_mem;
1532
1533 /* Relative offset where we last emitted a redzone payload. */
1534 HOST_WIDE_INT m_prev_offset;
1535
1536 /* Relative original offset. Used for checking only. */
1537 HOST_WIDE_INT m_original_offset;
1538
1539 public:
1540 /* Buffer with redzone payload. */
1541 auto_vec<unsigned char> m_shadow_bytes;
1542 };
1543
1544 /* Emit VALUE shadow byte at a given OFFSET. */
1545
1546 void
1547 asan_redzone_buffer::emit_redzone_byte (HOST_WIDE_INT offset,
1548 unsigned char value)
1549 {
1550 gcc_assert ((offset & (ASAN_SHADOW_GRANULARITY - 1)) == 0);
1551 gcc_assert (offset >= m_prev_offset);
1552
1553 HOST_WIDE_INT off
1554 = m_prev_offset + ASAN_SHADOW_GRANULARITY * m_shadow_bytes.length ();
1555 if (off == offset)
1556 /* Consecutive shadow memory byte. */;
1557 else if (offset < m_prev_offset + (HOST_WIDE_INT) (ASAN_SHADOW_GRANULARITY
1558 * RZ_BUFFER_SIZE)
1559 && !m_shadow_bytes.is_empty ())
1560 {
1561 /* Shadow memory byte with a small gap. */
1562 for (; off < offset; off += ASAN_SHADOW_GRANULARITY)
1563 m_shadow_bytes.safe_push (0);
1564 }
1565 else
1566 {
1567 if (!m_shadow_bytes.is_empty ())
1568 flush_redzone_payload ();
1569
1570 /* Maybe start earlier in order to use aligned store. */
1571 HOST_WIDE_INT align = (offset - m_prev_offset) % ASAN_RED_ZONE_SIZE;
1572 if (align)
1573 {
1574 offset -= align;
1575 for (unsigned i = 0; i < align / BITS_PER_UNIT; i++)
1576 m_shadow_bytes.safe_push (0);
1577 }
1578
1579 /* Adjust m_prev_offset and m_shadow_mem. */
1580 HOST_WIDE_INT diff = offset - m_prev_offset;
1581 m_shadow_mem = adjust_address (m_shadow_mem, VOIDmode,
1582 diff >> ASAN_SHADOW_SHIFT);
1583 m_prev_offset = offset;
1584 }
1585 m_shadow_bytes.safe_push (value);
1586 flush_if_full ();
1587 }
1588
1589 /* Emit RTX emission of the content of the buffer. */
1590
1591 void
1592 asan_redzone_buffer::flush_redzone_payload (void)
1593 {
1594 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
1595
1596 if (m_shadow_bytes.is_empty ())
1597 return;
1598
1599 /* Be sure we always emit to an aligned address. */
1600 gcc_assert (((m_prev_offset - m_original_offset)
1601 & (ASAN_RED_ZONE_SIZE - 1)) == 0);
1602
1603 /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */
1604 unsigned l = m_shadow_bytes.length ();
1605 for (unsigned i = 0; i <= RZ_BUFFER_SIZE - l; i++)
1606 m_shadow_bytes.safe_push (0);
1607
1608 if (dump_file && (dump_flags & TDF_DETAILS))
1609 fprintf (dump_file,
1610 "Flushing rzbuffer at offset %" PRId64 " with: ", m_prev_offset);
1611
1612 unsigned HOST_WIDE_INT val = 0;
1613 for (unsigned i = 0; i < RZ_BUFFER_SIZE; i++)
1614 {
1615 unsigned char v
1616 = m_shadow_bytes[BYTES_BIG_ENDIAN ? RZ_BUFFER_SIZE - i - 1 : i];
1617 val |= (unsigned HOST_WIDE_INT)v << (BITS_PER_UNIT * i);
1618 if (dump_file && (dump_flags & TDF_DETAILS))
1619 fprintf (dump_file, "%02x ", v);
1620 }
1621
1622 if (dump_file && (dump_flags & TDF_DETAILS))
1623 fprintf (dump_file, "\n");
1624
1625 rtx c = gen_int_mode (val, SImode);
1626 m_shadow_mem = adjust_address (m_shadow_mem, SImode, 0);
1627 emit_move_insn (m_shadow_mem, c);
1628 m_shadow_bytes.truncate (0);
1629 }
1630
1631 /* Flush if the content of the buffer is full
1632 (equal to RZ_BUFFER_SIZE). */
1633
1634 void
1635 asan_redzone_buffer::flush_if_full (void)
1636 {
1637 if (m_shadow_bytes.length () == RZ_BUFFER_SIZE)
1638 flush_redzone_payload ();
1639 }
1640
1641
1642 /* HWAddressSanitizer (hwasan) is a probabilistic method for detecting
1643 out-of-bounds and use-after-free bugs.
1644 Read more:
1645 http://code.google.com/p/address-sanitizer/
1646
1647 Similar to AddressSanitizer (asan) it consists of two parts: the
1648 instrumentation module in this file, and a run-time library.
1649
1650 The instrumentation module adds a run-time check before every memory insn in
1651 the same manner as asan (see the block comment for AddressSanitizer above).
1652 Currently, hwasan only adds out-of-line instrumentation, where each check is
1653 implemented as a function call to the run-time library. Hence a check for a
1654 load of N bytes from address X would be implemented with a function call to
1655 __hwasan_loadN(X), and checking a store of N bytes from address X would be
1656 implemented with a function call to __hwasan_storeN(X).
1657
1658 The main difference between hwasan and asan is in the information stored to
1659 help this checking. Both sanitizers use a shadow memory area which stores
1660 data recording the state of main memory at a corresponding address.
1661
1662 For hwasan, each 16 byte granule in main memory has a corresponding 1 byte
1663 in shadow memory. This shadow address can be calculated with equation:
1664 (addr >> log_2(HWASAN_TAG_GRANULE_SIZE))
1665 + __hwasan_shadow_memory_dynamic_address;
1666 The conversion between real and shadow memory for asan is given in the block
1667 comment at the top of this file.
1668 The description of how this shadow memory is laid out for asan is in the
1669 block comment at the top of this file, here we describe how this shadow
1670 memory is used for hwasan.
1671
1672 For hwasan, each variable is assigned a byte-sized 'tag'. The extent of
1673 the shadow memory for that variable is filled with the assigned tag, and
1674 every pointer referencing that variable has its top byte set to the same
1675 tag. The run-time library redefines malloc so that every allocation returns
1676 a tagged pointer and tags the corresponding shadow memory with the same tag.
1677
1678 On each pointer dereference the tag found in the pointer is compared to the
1679 tag found in the shadow memory corresponding to the accessed memory address.
1680 If these tags are found to differ then this memory access is judged to be
1681 invalid and a report is generated.
1682
1683 This method of bug detection is not perfect -- it can not catch every bad
1684 access -- but catches them probabilistically instead. There is always the
1685 possibility that an invalid memory access will happen to access memory
1686 tagged with the same tag as the pointer that this access used.
1687 The chances of this are approx. 0.4% for any two uncorrelated objects.
1688
1689 Random tag generation can mitigate this problem by decreasing the
1690 probability that an invalid access will be missed in the same manner over
1691 multiple runs. i.e. if two objects are tagged the same in one run of the
1692 binary they are unlikely to be tagged the same in the next run.
1693 Both heap and stack allocated objects have random tags by default.
1694
1695 [16 byte granule implications]
1696 Since the shadow memory only has a resolution on real memory of 16 bytes,
1697 invalid accesses that are within the same 16 byte granule as a valid
1698 address will not be caught.
1699
1700 There is a "short-granule" feature in the runtime library which does catch
1701 such accesses, but this feature is not implemented for stack objects (since
1702 stack objects are allocated and tagged by compiler instrumentation, and
1703 this feature has not yet been implemented in GCC instrumentation).
1704
1705 Another outcome of this 16 byte resolution is that each tagged object must
1706 be 16 byte aligned. If two objects were to share any 16 byte granule in
1707 memory, then they both would have to be given the same tag, and invalid
1708 accesses to one using a pointer to the other would be undetectable.
1709
1710 [Compiler instrumentation]
1711 Compiler instrumentation ensures that two adjacent buffers on the stack are
1712 given different tags, this means an access to one buffer using a pointer
1713 generated from the other (e.g. through buffer overrun) will have mismatched
1714 tags and be caught by hwasan.
1715
1716 We don't randomly tag every object on the stack, since that would require
1717 keeping many registers to record each tag. Instead we randomly generate a
1718 tag for each function frame, and each new stack object uses a tag offset
1719 from that frame tag.
1720 i.e. each object is tagged as RFT + offset, where RFT is the "random frame
1721 tag" generated for this frame.
1722 This means that randomisation does not peturb the difference between tags
1723 on tagged stack objects within a frame, but this is mitigated by the fact
1724 that objects with the same tag within a frame are very far apart
1725 (approx. 2^HWASAN_TAG_SIZE objects apart).
1726
1727 As a demonstration, using the same example program as in the asan block
1728 comment above:
1729
1730 int
1731 foo ()
1732 {
1733 char a[24] = {0};
1734 int b[2] = {0};
1735
1736 a[5] = 1;
1737 b[1] = 2;
1738
1739 return a[5] + b[1];
1740 }
1741
1742 On AArch64 the stack will be ordered as follows for the above function:
1743
1744 Slot 1/ [24 bytes for variable 'a']
1745 Slot 2/ [8 bytes padding for alignment]
1746 Slot 3/ [8 bytes for variable 'b']
1747 Slot 4/ [8 bytes padding for alignment]
1748
1749 (The padding is there to ensure 16 byte alignment as described in the 16
1750 byte granule implications).
1751
1752 While the shadow memory will be ordered as follows:
1753
1754 - 2 bytes (representing 32 bytes in real memory) tagged with RFT + 1.
1755 - 1 byte (representing 16 bytes in real memory) tagged with RFT + 2.
1756
1757 And any pointer to "a" will have the tag RFT + 1, and any pointer to "b"
1758 will have the tag RFT + 2.
1759
1760 [Top Byte Ignore requirements]
1761 Hwasan requires the ability to store an 8 bit tag in every pointer. There
1762 is no instrumentation done to remove this tag from pointers before
1763 dereferencing, which means the hardware must ignore this tag during memory
1764 accesses.
1765
1766 Architectures where this feature is available should indicate this using
1767 the TARGET_MEMTAG_CAN_TAG_ADDRESSES hook.
1768
1769 [Stack requires cleanup on unwinding]
1770 During normal operation of a hwasan sanitized program more space in the
1771 shadow memory becomes tagged as the stack grows. As the stack shrinks this
1772 shadow memory space must become untagged. If it is not untagged then when
1773 the stack grows again (during other function calls later on in the program)
1774 objects on the stack that are usually not tagged (e.g. parameters passed on
1775 the stack) can be placed in memory whose shadow space is tagged with
1776 something else, and accesses can cause false positive reports.
1777
1778 Hence we place untagging code on every epilogue of functions which tag some
1779 stack objects.
1780
1781 Moreover, the run-time library intercepts longjmp & setjmp to untag when
1782 the stack is unwound this way.
1783
1784 C++ exceptions are not yet handled, which means this sanitizer can not
1785 handle C++ code that throws exceptions -- it will give false positives
1786 after an exception has been thrown. The implementation that the hwasan
1787 library has for handling these relies on the frame pointer being after any
1788 local variables. This is not generally the case for GCC. */
1789
1790
1791 /* Returns whether we are tagging pointers and checking those tags on memory
1792 access. */
1793 bool
1794 hwasan_sanitize_p ()
1795 {
1796 return sanitize_flags_p (SANITIZE_HWADDRESS);
1797 }
1798
1799 /* Are we tagging the stack? */
1800 bool
1801 hwasan_sanitize_stack_p ()
1802 {
1803 return (hwasan_sanitize_p () && param_hwasan_instrument_stack);
1804 }
1805
1806 /* Are we tagging alloca objects? */
1807 bool
1808 hwasan_sanitize_allocas_p (void)
1809 {
1810 return (hwasan_sanitize_stack_p () && param_hwasan_instrument_allocas);
1811 }
1812
1813 /* Should we instrument reads? */
1814 bool
1815 hwasan_instrument_reads (void)
1816 {
1817 return (hwasan_sanitize_p () && param_hwasan_instrument_reads);
1818 }
1819
1820 /* Should we instrument writes? */
1821 bool
1822 hwasan_instrument_writes (void)
1823 {
1824 return (hwasan_sanitize_p () && param_hwasan_instrument_writes);
1825 }
1826
1827 /* Should we instrument builtin calls? */
1828 bool
1829 hwasan_memintrin (void)
1830 {
1831 return (hwasan_sanitize_p () && param_hwasan_instrument_mem_intrinsics);
1832 }
1833
1834 /* Insert code to protect stack vars. The prologue sequence should be emitted
1835 directly, epilogue sequence returned. BASE is the register holding the
1836 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1837 array contains pairs of offsets in reverse order, always the end offset
1838 of some gap that needs protection followed by starting offset,
1839 and DECLS is an array of representative decls for each var partition.
1840 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1841 elements long (OFFSETS include gap before the first variable as well
1842 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1843 register which stack vars DECL_RTLs are based on. Either BASE should be
1844 assigned to PBASE, when not doing use after return protection, or
1845 corresponding address based on __asan_stack_malloc* return value. */
1846
1847 rtx_insn *
1848 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1849 HOST_WIDE_INT *offsets, tree *decls, int length)
1850 {
1851 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1852 rtx_code_label *lab;
1853 rtx_insn *insns;
1854 char buf[32];
1855 HOST_WIDE_INT base_offset = offsets[length - 1];
1856 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1857 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
1858 HOST_WIDE_INT last_offset, last_size, last_size_aligned;
1859 int l;
1860 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
1861 tree str_cst, decl, id;
1862 int use_after_return_class = -1;
1863
1864 /* Don't emit anything when doing error recovery, the assertions
1865 might fail e.g. if a function had a frame offset overflow. */
1866 if (seen_error ())
1867 return NULL;
1868
1869 if (shadow_ptr_types[0] == NULL_TREE)
1870 asan_init_shadow_ptr_types ();
1871
1872 expanded_location cfun_xloc
1873 = expand_location (DECL_SOURCE_LOCATION (current_function_decl));
1874
1875 /* First of all, prepare the description string. */
1876 pretty_printer asan_pp;
1877
1878 pp_decimal_int (&asan_pp, length / 2 - 1);
1879 pp_space (&asan_pp);
1880 for (l = length - 2; l; l -= 2)
1881 {
1882 tree decl = decls[l / 2 - 1];
1883 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1884 pp_space (&asan_pp);
1885 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1886 pp_space (&asan_pp);
1887
1888 expanded_location xloc
1889 = expand_location (DECL_SOURCE_LOCATION (decl));
1890 char location[32];
1891
1892 if (xloc.file == cfun_xloc.file)
1893 sprintf (location, ":%d", xloc.line);
1894 else
1895 location[0] = '\0';
1896
1897 if (DECL_P (decl) && DECL_NAME (decl))
1898 {
1899 unsigned idlen
1900 = IDENTIFIER_LENGTH (DECL_NAME (decl)) + strlen (location);
1901 pp_decimal_int (&asan_pp, idlen);
1902 pp_space (&asan_pp);
1903 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
1904 pp_string (&asan_pp, location);
1905 }
1906 else
1907 pp_string (&asan_pp, "9 <unknown>");
1908
1909 if (l > 2)
1910 pp_space (&asan_pp);
1911 }
1912 str_cst = asan_pp_string (&asan_pp);
1913
1914 /* Emit the prologue sequence. */
1915 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1916 && param_asan_use_after_return)
1917 {
1918 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1919 /* __asan_stack_malloc_N guarantees alignment
1920 N < 6 ? (64 << N) : 4096 bytes. */
1921 if (alignb > (use_after_return_class < 6
1922 ? (64U << use_after_return_class) : 4096U))
1923 use_after_return_class = -1;
1924 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1925 base_align_bias = ((asan_frame_size + alignb - 1)
1926 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1927 }
1928
1929 /* Align base if target is STRICT_ALIGNMENT. */
1930 if (STRICT_ALIGNMENT)
1931 {
1932 const HOST_WIDE_INT align
1933 = (GET_MODE_ALIGNMENT (SImode) / BITS_PER_UNIT) << ASAN_SHADOW_SHIFT;
1934 base = expand_binop (Pmode, and_optab, base, gen_int_mode (-align, Pmode),
1935 NULL_RTX, 1, OPTAB_DIRECT);
1936 }
1937
1938 if (use_after_return_class == -1 && pbase)
1939 emit_move_insn (pbase, base);
1940
1941 base = expand_binop (Pmode, add_optab, base,
1942 gen_int_mode (base_offset - base_align_bias, Pmode),
1943 NULL_RTX, 1, OPTAB_DIRECT);
1944 orig_base = NULL_RTX;
1945 if (use_after_return_class != -1)
1946 {
1947 if (asan_detect_stack_use_after_return == NULL_TREE)
1948 {
1949 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1950 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1951 integer_type_node);
1952 SET_DECL_ASSEMBLER_NAME (decl, id);
1953 TREE_ADDRESSABLE (decl) = 1;
1954 DECL_ARTIFICIAL (decl) = 1;
1955 DECL_IGNORED_P (decl) = 1;
1956 DECL_EXTERNAL (decl) = 1;
1957 TREE_STATIC (decl) = 1;
1958 TREE_PUBLIC (decl) = 1;
1959 TREE_USED (decl) = 1;
1960 asan_detect_stack_use_after_return = decl;
1961 }
1962 orig_base = gen_reg_rtx (Pmode);
1963 emit_move_insn (orig_base, base);
1964 ret = expand_normal (asan_detect_stack_use_after_return);
1965 lab = gen_label_rtx ();
1966 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1967 VOIDmode, 0, lab,
1968 profile_probability::very_likely ());
1969 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1970 use_after_return_class);
1971 ret = init_one_libfunc (buf);
1972 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode,
1973 GEN_INT (asan_frame_size
1974 + base_align_bias),
1975 TYPE_MODE (pointer_sized_int_node));
1976 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1977 and NULL otherwise. Check RET value is NULL here and jump over the
1978 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1979 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1980 VOIDmode, 0, lab,
1981 profile_probability:: very_unlikely ());
1982 ret = convert_memory_address (Pmode, ret);
1983 emit_move_insn (base, ret);
1984 emit_label (lab);
1985 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1986 gen_int_mode (base_align_bias
1987 - base_offset, Pmode),
1988 NULL_RTX, 1, OPTAB_DIRECT));
1989 }
1990 mem = gen_rtx_MEM (ptr_mode, base);
1991 mem = adjust_address (mem, VOIDmode, base_align_bias);
1992 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1993 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1994 emit_move_insn (mem, expand_normal (str_cst));
1995 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1996 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1997 id = get_identifier (buf);
1998 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1999 VAR_DECL, id, char_type_node);
2000 SET_DECL_ASSEMBLER_NAME (decl, id);
2001 TREE_ADDRESSABLE (decl) = 1;
2002 TREE_READONLY (decl) = 1;
2003 DECL_ARTIFICIAL (decl) = 1;
2004 DECL_IGNORED_P (decl) = 1;
2005 TREE_STATIC (decl) = 1;
2006 TREE_PUBLIC (decl) = 0;
2007 TREE_USED (decl) = 1;
2008 DECL_INITIAL (decl) = decl;
2009 TREE_ASM_WRITTEN (decl) = 1;
2010 TREE_ASM_WRITTEN (id) = 1;
2011 DECL_ALIGN_RAW (decl) = DECL_ALIGN_RAW (current_function_decl);
2012 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
2013 shadow_base = expand_binop (Pmode, lshr_optab, base,
2014 gen_int_shift_amount (Pmode, ASAN_SHADOW_SHIFT),
2015 NULL_RTX, 1, OPTAB_DIRECT);
2016 shadow_base
2017 = plus_constant (Pmode, shadow_base,
2018 asan_shadow_offset ()
2019 + (base_align_bias >> ASAN_SHADOW_SHIFT));
2020 gcc_assert (asan_shadow_set != -1
2021 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
2022 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
2023 set_mem_alias_set (shadow_mem, asan_shadow_set);
2024 if (STRICT_ALIGNMENT)
2025 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
2026 prev_offset = base_offset;
2027
2028 asan_redzone_buffer rz_buffer (shadow_mem, prev_offset);
2029 for (l = length; l; l -= 2)
2030 {
2031 if (l == 2)
2032 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
2033 offset = offsets[l - 1];
2034
2035 bool extra_byte = (offset - base_offset) & (ASAN_SHADOW_GRANULARITY - 1);
2036 /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then
2037 the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0.
2038 In that case we have to emit one extra byte that will describe
2039 how many bytes (our of ASAN_SHADOW_GRANULARITY) can be accessed. */
2040 if (extra_byte)
2041 {
2042 HOST_WIDE_INT aoff
2043 = base_offset + ((offset - base_offset)
2044 & ~(ASAN_SHADOW_GRANULARITY - HOST_WIDE_INT_1));
2045 rz_buffer.emit_redzone_byte (aoff, offset - aoff);
2046 offset = aoff + ASAN_SHADOW_GRANULARITY;
2047 }
2048
2049 /* Calculate size of red zone payload. */
2050 while (offset < offsets[l - 2])
2051 {
2052 rz_buffer.emit_redzone_byte (offset, cur_shadow_byte);
2053 offset += ASAN_SHADOW_GRANULARITY;
2054 }
2055
2056 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
2057 }
2058
2059 /* As the automatic variables are aligned to
2060 ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be
2061 flushed here. */
2062 gcc_assert (rz_buffer.m_shadow_bytes.is_empty ());
2063
2064 do_pending_stack_adjust ();
2065
2066 /* Construct epilogue sequence. */
2067 start_sequence ();
2068
2069 lab = NULL;
2070 if (use_after_return_class != -1)
2071 {
2072 rtx_code_label *lab2 = gen_label_rtx ();
2073 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
2074 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
2075 VOIDmode, 0, lab2,
2076 profile_probability::very_likely ());
2077 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
2078 set_mem_alias_set (shadow_mem, asan_shadow_set);
2079 mem = gen_rtx_MEM (ptr_mode, base);
2080 mem = adjust_address (mem, VOIDmode, base_align_bias);
2081 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
2082 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
2083 if (use_after_return_class < 5
2084 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
2085 BITS_PER_UNIT, true))
2086 {
2087 /* Emit:
2088 memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
2089 **SavedFlagPtr(FakeStack, class_id) = 0
2090 */
2091 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
2092 BITS_PER_UNIT, true, RETURN_BEGIN);
2093
2094 unsigned HOST_WIDE_INT offset
2095 = (1 << (use_after_return_class + 6));
2096 offset -= GET_MODE_SIZE (ptr_mode);
2097 mem = gen_rtx_MEM (ptr_mode, base);
2098 mem = adjust_address (mem, ptr_mode, offset);
2099 rtx addr = gen_reg_rtx (ptr_mode);
2100 emit_move_insn (addr, mem);
2101 addr = convert_memory_address (Pmode, addr);
2102 mem = gen_rtx_MEM (QImode, addr);
2103 emit_move_insn (mem, const0_rtx);
2104 }
2105 else if (use_after_return_class >= 5
2106 || !set_storage_via_setmem (shadow_mem,
2107 GEN_INT (sz),
2108 gen_int_mode (c, QImode),
2109 BITS_PER_UNIT, BITS_PER_UNIT,
2110 -1, sz, sz, sz))
2111 {
2112 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
2113 use_after_return_class);
2114 ret = init_one_libfunc (buf);
2115 rtx addr = convert_memory_address (ptr_mode, base);
2116 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
2117 emit_library_call (ret, LCT_NORMAL, ptr_mode, addr, ptr_mode,
2118 GEN_INT (asan_frame_size + base_align_bias),
2119 TYPE_MODE (pointer_sized_int_node),
2120 orig_addr, ptr_mode);
2121 }
2122 lab = gen_label_rtx ();
2123 emit_jump (lab);
2124 emit_label (lab2);
2125 }
2126
2127 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
2128 set_mem_alias_set (shadow_mem, asan_shadow_set);
2129
2130 if (STRICT_ALIGNMENT)
2131 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
2132
2133 prev_offset = base_offset;
2134 last_offset = base_offset;
2135 last_size = 0;
2136 last_size_aligned = 0;
2137 for (l = length; l; l -= 2)
2138 {
2139 offset = base_offset + ((offsets[l - 1] - base_offset)
2140 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
2141 if (last_offset + last_size_aligned < offset)
2142 {
2143 shadow_mem = adjust_address (shadow_mem, VOIDmode,
2144 (last_offset - prev_offset)
2145 >> ASAN_SHADOW_SHIFT);
2146 prev_offset = last_offset;
2147 asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT);
2148 last_offset = offset;
2149 last_size = 0;
2150 }
2151 else
2152 last_size = offset - last_offset;
2153 last_size += base_offset + ((offsets[l - 2] - base_offset)
2154 & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
2155 - offset;
2156
2157 /* Unpoison shadow memory that corresponds to a variable that is
2158 is subject of use-after-return sanitization. */
2159 if (l > 2)
2160 {
2161 decl = decls[l / 2 - 2];
2162 if (asan_handled_variables != NULL
2163 && asan_handled_variables->contains (decl))
2164 {
2165 HOST_WIDE_INT size = offsets[l - 3] - offsets[l - 2];
2166 if (dump_file && (dump_flags & TDF_DETAILS))
2167 {
2168 const char *n = (DECL_NAME (decl)
2169 ? IDENTIFIER_POINTER (DECL_NAME (decl))
2170 : "<unknown>");
2171 fprintf (dump_file, "Unpoisoning shadow stack for variable: "
2172 "%s (%" PRId64 " B)\n", n, size);
2173 }
2174
2175 last_size += size & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1);
2176 }
2177 }
2178 last_size_aligned
2179 = ((last_size + (ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
2180 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
2181 }
2182 if (last_size_aligned)
2183 {
2184 shadow_mem = adjust_address (shadow_mem, VOIDmode,
2185 (last_offset - prev_offset)
2186 >> ASAN_SHADOW_SHIFT);
2187 asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT);
2188 }
2189
2190 /* Clean-up set with instrumented stack variables. */
2191 delete asan_handled_variables;
2192 asan_handled_variables = NULL;
2193 delete asan_used_labels;
2194 asan_used_labels = NULL;
2195
2196 do_pending_stack_adjust ();
2197 if (lab)
2198 emit_label (lab);
2199
2200 insns = get_insns ();
2201 end_sequence ();
2202 return insns;
2203 }
2204
2205 /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds
2206 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE
2207 indicates whether we're emitting new instructions sequence or not. */
2208
2209 rtx_insn *
2210 asan_emit_allocas_unpoison (rtx top, rtx bot, rtx_insn *before)
2211 {
2212 if (before)
2213 push_to_sequence (before);
2214 else
2215 start_sequence ();
2216 rtx ret = init_one_libfunc ("__asan_allocas_unpoison");
2217 top = convert_memory_address (ptr_mode, top);
2218 bot = convert_memory_address (ptr_mode, bot);
2219 emit_library_call (ret, LCT_NORMAL, ptr_mode,
2220 top, ptr_mode, bot, ptr_mode);
2221
2222 do_pending_stack_adjust ();
2223 rtx_insn *insns = get_insns ();
2224 end_sequence ();
2225 return insns;
2226 }
2227
2228 /* Return true if DECL, a global var, might be overridden and needs
2229 therefore a local alias. */
2230
2231 static bool
2232 asan_needs_local_alias (tree decl)
2233 {
2234 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
2235 }
2236
2237 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
2238 therefore doesn't need protection. */
2239
2240 static bool
2241 is_odr_indicator (tree decl)
2242 {
2243 return (DECL_ARTIFICIAL (decl)
2244 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl)));
2245 }
2246
2247 /* Return true if DECL is a VAR_DECL that should be protected
2248 by Address Sanitizer, by appending a red zone with protected
2249 shadow memory after it and aligning it to at least
2250 ASAN_RED_ZONE_SIZE bytes. */
2251
2252 bool
2253 asan_protect_global (tree decl, bool ignore_decl_rtl_set_p)
2254 {
2255 if (!param_asan_globals)
2256 return false;
2257
2258 rtx rtl, symbol;
2259
2260 if (TREE_CODE (decl) == STRING_CST)
2261 {
2262 /* Instrument all STRING_CSTs except those created
2263 by asan_pp_string here. */
2264 if (shadow_ptr_types[0] != NULL_TREE
2265 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
2266 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
2267 return false;
2268 return true;
2269 }
2270 if (!VAR_P (decl)
2271 /* TLS vars aren't statically protectable. */
2272 || DECL_THREAD_LOCAL_P (decl)
2273 /* Externs will be protected elsewhere. */
2274 || DECL_EXTERNAL (decl)
2275 /* PR sanitizer/81697: For architectures that use section anchors first
2276 call to asan_protect_global may occur before DECL_RTL (decl) is set.
2277 We should ignore DECL_RTL_SET_P then, because otherwise the first call
2278 to asan_protect_global will return FALSE and the following calls on the
2279 same decl after setting DECL_RTL (decl) will return TRUE and we'll end
2280 up with inconsistency at runtime. */
2281 || (!DECL_RTL_SET_P (decl) && !ignore_decl_rtl_set_p)
2282 /* Comdat vars pose an ABI problem, we can't know if
2283 the var that is selected by the linker will have
2284 padding or not. */
2285 || DECL_ONE_ONLY (decl)
2286 /* Similarly for common vars. People can use -fno-common.
2287 Note: Linux kernel is built with -fno-common, so we do instrument
2288 globals there even if it is C. */
2289 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
2290 /* Don't protect if using user section, often vars placed
2291 into user section from multiple TUs are then assumed
2292 to be an array of such vars, putting padding in there
2293 breaks this assumption. */
2294 || (DECL_SECTION_NAME (decl) != NULL
2295 && !symtab_node::get (decl)->implicit_section
2296 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
2297 /* Don't protect variables in non-generic address-space. */
2298 || !ADDR_SPACE_GENERIC_P (TYPE_ADDR_SPACE (TREE_TYPE (decl)))
2299 || DECL_SIZE (decl) == 0
2300 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
2301 || TREE_CODE (DECL_SIZE_UNIT (decl)) != INTEGER_CST
2302 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
2303 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
2304 || TREE_TYPE (decl) == ubsan_get_source_location_type ()
2305 || is_odr_indicator (decl))
2306 return false;
2307
2308 if (!ignore_decl_rtl_set_p || DECL_RTL_SET_P (decl))
2309 {
2310
2311 rtl = DECL_RTL (decl);
2312 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
2313 return false;
2314 symbol = XEXP (rtl, 0);
2315
2316 if (CONSTANT_POOL_ADDRESS_P (symbol)
2317 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
2318 return false;
2319 }
2320
2321 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
2322 return false;
2323
2324 if (!TARGET_SUPPORTS_ALIASES && asan_needs_local_alias (decl))
2325 return false;
2326
2327 return true;
2328 }
2329
2330 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
2331 IS_STORE is either 1 (for a store) or 0 (for a load). */
2332
2333 static tree
2334 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
2335 int *nargs)
2336 {
2337 gcc_assert (!hwasan_sanitize_p ());
2338
2339 static enum built_in_function report[2][2][6]
2340 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
2341 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
2342 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
2343 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
2344 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
2345 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
2346 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
2347 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
2348 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
2349 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
2350 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
2351 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
2352 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
2353 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
2354 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
2355 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
2356 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
2357 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
2358 if (size_in_bytes == -1)
2359 {
2360 *nargs = 2;
2361 return builtin_decl_implicit (report[recover_p][is_store][5]);
2362 }
2363 *nargs = 1;
2364 int size_log2 = exact_log2 (size_in_bytes);
2365 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
2366 }
2367
2368 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
2369 IS_STORE is either 1 (for a store) or 0 (for a load). */
2370
2371 static tree
2372 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
2373 int *nargs)
2374 {
2375 static enum built_in_function check[2][2][6]
2376 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
2377 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
2378 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
2379 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
2380 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
2381 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
2382 { { BUILT_IN_ASAN_LOAD1_NOABORT,
2383 BUILT_IN_ASAN_LOAD2_NOABORT,
2384 BUILT_IN_ASAN_LOAD4_NOABORT,
2385 BUILT_IN_ASAN_LOAD8_NOABORT,
2386 BUILT_IN_ASAN_LOAD16_NOABORT,
2387 BUILT_IN_ASAN_LOADN_NOABORT },
2388 { BUILT_IN_ASAN_STORE1_NOABORT,
2389 BUILT_IN_ASAN_STORE2_NOABORT,
2390 BUILT_IN_ASAN_STORE4_NOABORT,
2391 BUILT_IN_ASAN_STORE8_NOABORT,
2392 BUILT_IN_ASAN_STORE16_NOABORT,
2393 BUILT_IN_ASAN_STOREN_NOABORT } } };
2394 if (size_in_bytes == -1)
2395 {
2396 *nargs = 2;
2397 return builtin_decl_implicit (check[recover_p][is_store][5]);
2398 }
2399 *nargs = 1;
2400 int size_log2 = exact_log2 (size_in_bytes);
2401 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
2402 }
2403
2404 /* Split the current basic block and create a condition statement
2405 insertion point right before or after the statement pointed to by
2406 ITER. Return an iterator to the point at which the caller might
2407 safely insert the condition statement.
2408
2409 THEN_BLOCK must be set to the address of an uninitialized instance
2410 of basic_block. The function will then set *THEN_BLOCK to the
2411 'then block' of the condition statement to be inserted by the
2412 caller.
2413
2414 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
2415 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
2416
2417 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
2418 block' of the condition statement to be inserted by the caller.
2419
2420 Note that *FALLTHROUGH_BLOCK is a new block that contains the
2421 statements starting from *ITER, and *THEN_BLOCK is a new empty
2422 block.
2423
2424 *ITER is adjusted to point to always point to the first statement
2425 of the basic block * FALLTHROUGH_BLOCK. That statement is the
2426 same as what ITER was pointing to prior to calling this function,
2427 if BEFORE_P is true; otherwise, it is its following statement. */
2428
2429 gimple_stmt_iterator
2430 create_cond_insert_point (gimple_stmt_iterator *iter,
2431 bool before_p,
2432 bool then_more_likely_p,
2433 bool create_then_fallthru_edge,
2434 basic_block *then_block,
2435 basic_block *fallthrough_block)
2436 {
2437 gimple_stmt_iterator gsi = *iter;
2438
2439 if (!gsi_end_p (gsi) && before_p)
2440 gsi_prev (&gsi);
2441
2442 basic_block cur_bb = gsi_bb (*iter);
2443
2444 edge e = split_block (cur_bb, gsi_stmt (gsi));
2445
2446 /* Get a hold on the 'condition block', the 'then block' and the
2447 'else block'. */
2448 basic_block cond_bb = e->src;
2449 basic_block fallthru_bb = e->dest;
2450 basic_block then_bb = create_empty_bb (cond_bb);
2451 if (current_loops)
2452 {
2453 add_bb_to_loop (then_bb, cond_bb->loop_father);
2454 loops_state_set (LOOPS_NEED_FIXUP);
2455 }
2456
2457 /* Set up the newly created 'then block'. */
2458 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
2459 profile_probability fallthrough_probability
2460 = then_more_likely_p
2461 ? profile_probability::very_unlikely ()
2462 : profile_probability::very_likely ();
2463 e->probability = fallthrough_probability.invert ();
2464 then_bb->count = e->count ();
2465 if (create_then_fallthru_edge)
2466 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
2467
2468 /* Set up the fallthrough basic block. */
2469 e = find_edge (cond_bb, fallthru_bb);
2470 e->flags = EDGE_FALSE_VALUE;
2471 e->probability = fallthrough_probability;
2472
2473 /* Update dominance info for the newly created then_bb; note that
2474 fallthru_bb's dominance info has already been updated by
2475 split_bock. */
2476 if (dom_info_available_p (CDI_DOMINATORS))
2477 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
2478
2479 *then_block = then_bb;
2480 *fallthrough_block = fallthru_bb;
2481 *iter = gsi_start_bb (fallthru_bb);
2482
2483 return gsi_last_bb (cond_bb);
2484 }
2485
2486 /* Insert an if condition followed by a 'then block' right before the
2487 statement pointed to by ITER. The fallthrough block -- which is the
2488 else block of the condition as well as the destination of the
2489 outcoming edge of the 'then block' -- starts with the statement
2490 pointed to by ITER.
2491
2492 COND is the condition of the if.
2493
2494 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
2495 'then block' is higher than the probability of the edge to the
2496 fallthrough block.
2497
2498 Upon completion of the function, *THEN_BB is set to the newly
2499 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
2500 fallthrough block.
2501
2502 *ITER is adjusted to still point to the same statement it was
2503 pointing to initially. */
2504
2505 static void
2506 insert_if_then_before_iter (gcond *cond,
2507 gimple_stmt_iterator *iter,
2508 bool then_more_likely_p,
2509 basic_block *then_bb,
2510 basic_block *fallthrough_bb)
2511 {
2512 gimple_stmt_iterator cond_insert_point =
2513 create_cond_insert_point (iter,
2514 /*before_p=*/true,
2515 then_more_likely_p,
2516 /*create_then_fallthru_edge=*/true,
2517 then_bb,
2518 fallthrough_bb);
2519 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
2520 }
2521
2522 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
2523 If RETURN_ADDRESS is set to true, return memory location instread
2524 of a value in the shadow memory. */
2525
2526 static tree
2527 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
2528 tree base_addr, tree shadow_ptr_type,
2529 bool return_address = false)
2530 {
2531 tree t, uintptr_type = TREE_TYPE (base_addr);
2532 tree shadow_type = TREE_TYPE (shadow_ptr_type);
2533 gimple *g;
2534
2535 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
2536 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
2537 base_addr, t);
2538 gimple_set_location (g, location);
2539 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2540
2541 t = build_int_cst (uintptr_type, asan_shadow_offset ());
2542 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
2543 gimple_assign_lhs (g), t);
2544 gimple_set_location (g, location);
2545 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2546
2547 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
2548 gimple_assign_lhs (g));
2549 gimple_set_location (g, location);
2550 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2551
2552 if (!return_address)
2553 {
2554 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
2555 build_int_cst (shadow_ptr_type, 0));
2556 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
2557 gimple_set_location (g, location);
2558 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2559 }
2560
2561 return gimple_assign_lhs (g);
2562 }
2563
2564 /* BASE can already be an SSA_NAME; in that case, do not create a
2565 new SSA_NAME for it. */
2566
2567 static tree
2568 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
2569 bool before_p)
2570 {
2571 STRIP_USELESS_TYPE_CONVERSION (base);
2572 if (TREE_CODE (base) == SSA_NAME)
2573 return base;
2574 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)), base);
2575 gimple_set_location (g, loc);
2576 if (before_p)
2577 gsi_safe_insert_before (iter, g);
2578 else
2579 gsi_insert_after (iter, g, GSI_NEW_STMT);
2580 return gimple_assign_lhs (g);
2581 }
2582
2583 /* LEN can already have necessary size and precision;
2584 in that case, do not create a new variable. */
2585
2586 tree
2587 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
2588 bool before_p)
2589 {
2590 if (ptrofftype_p (len))
2591 return len;
2592 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2593 NOP_EXPR, len);
2594 gimple_set_location (g, loc);
2595 if (before_p)
2596 gsi_safe_insert_before (iter, g);
2597 else
2598 gsi_insert_after (iter, g, GSI_NEW_STMT);
2599 return gimple_assign_lhs (g);
2600 }
2601
2602 /* Instrument the memory access instruction BASE. Insert new
2603 statements before or after ITER.
2604
2605 Note that the memory access represented by BASE can be either an
2606 SSA_NAME, or a non-SSA expression. LOCATION is the source code
2607 location. IS_STORE is TRUE for a store, FALSE for a load.
2608 BEFORE_P is TRUE for inserting the instrumentation code before
2609 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
2610 for a scalar memory access and FALSE for memory region access.
2611 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
2612 length. ALIGN tells alignment of accessed memory object.
2613
2614 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
2615 memory region have already been instrumented.
2616
2617 If BEFORE_P is TRUE, *ITER is arranged to still point to the
2618 statement it was pointing to prior to calling this function,
2619 otherwise, it points to the statement logically following it. */
2620
2621 static void
2622 build_check_stmt (location_t loc, tree base, tree len,
2623 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
2624 bool is_non_zero_len, bool before_p, bool is_store,
2625 bool is_scalar_access, unsigned int align = 0)
2626 {
2627 gimple_stmt_iterator gsi = *iter;
2628 gimple *g;
2629
2630 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
2631 gcc_assert (size_in_bytes == -1 || size_in_bytes >= 1);
2632
2633 gsi = *iter;
2634
2635 base = unshare_expr (base);
2636 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
2637
2638 if (len)
2639 {
2640 len = unshare_expr (len);
2641 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
2642 }
2643 else
2644 {
2645 gcc_assert (size_in_bytes != -1);
2646 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
2647 }
2648
2649 if (size_in_bytes > 1)
2650 {
2651 if ((size_in_bytes & (size_in_bytes - 1)) != 0
2652 || size_in_bytes > 16)
2653 is_scalar_access = false;
2654 else if (align && align < size_in_bytes * BITS_PER_UNIT)
2655 {
2656 /* On non-strict alignment targets, if
2657 16-byte access is just 8-byte aligned,
2658 this will result in misaligned shadow
2659 memory 2 byte load, but otherwise can
2660 be handled using one read. */
2661 if (size_in_bytes != 16
2662 || STRICT_ALIGNMENT
2663 || align < 8 * BITS_PER_UNIT)
2664 is_scalar_access = false;
2665 }
2666 }
2667
2668 HOST_WIDE_INT flags = 0;
2669 if (is_store)
2670 flags |= ASAN_CHECK_STORE;
2671 if (is_non_zero_len)
2672 flags |= ASAN_CHECK_NON_ZERO_LEN;
2673 if (is_scalar_access)
2674 flags |= ASAN_CHECK_SCALAR_ACCESS;
2675
2676 enum internal_fn fn = hwasan_sanitize_p ()
2677 ? IFN_HWASAN_CHECK
2678 : IFN_ASAN_CHECK;
2679
2680 g = gimple_build_call_internal (fn, 4,
2681 build_int_cst (integer_type_node, flags),
2682 base, len,
2683 build_int_cst (integer_type_node,
2684 align / BITS_PER_UNIT));
2685 gimple_set_location (g, loc);
2686 if (before_p)
2687 gsi_safe_insert_before (&gsi, g);
2688 else
2689 {
2690 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2691 gsi_next (&gsi);
2692 *iter = gsi;
2693 }
2694 }
2695
2696 /* If T represents a memory access, add instrumentation code before ITER.
2697 LOCATION is source code location.
2698 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
2699
2700 static void
2701 instrument_derefs (gimple_stmt_iterator *iter, tree t,
2702 location_t location, bool is_store)
2703 {
2704 if (is_store && !(asan_instrument_writes () || hwasan_instrument_writes ()))
2705 return;
2706 if (!is_store && !(asan_instrument_reads () || hwasan_instrument_reads ()))
2707 return;
2708
2709 tree type, base;
2710 HOST_WIDE_INT size_in_bytes;
2711 if (location == UNKNOWN_LOCATION)
2712 location = EXPR_LOCATION (t);
2713
2714 type = TREE_TYPE (t);
2715 switch (TREE_CODE (t))
2716 {
2717 case ARRAY_REF:
2718 case COMPONENT_REF:
2719 case INDIRECT_REF:
2720 case MEM_REF:
2721 case VAR_DECL:
2722 case BIT_FIELD_REF:
2723 break;
2724 /* FALLTHRU */
2725 default:
2726 return;
2727 }
2728
2729 size_in_bytes = int_size_in_bytes (type);
2730 if (size_in_bytes <= 0)
2731 return;
2732
2733 poly_int64 bitsize, bitpos;
2734 tree offset;
2735 machine_mode mode;
2736 int unsignedp, reversep, volatilep = 0;
2737 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
2738 &unsignedp, &reversep, &volatilep);
2739
2740 if (TREE_CODE (t) == COMPONENT_REF
2741 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
2742 {
2743 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
2744 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
2745 TREE_OPERAND (t, 0), repr,
2746 TREE_OPERAND (t, 2)),
2747 location, is_store);
2748 return;
2749 }
2750
2751 if (!multiple_p (bitpos, BITS_PER_UNIT)
2752 || maybe_ne (bitsize, size_in_bytes * BITS_PER_UNIT))
2753 return;
2754
2755 if (VAR_P (inner) && DECL_HARD_REGISTER (inner))
2756 return;
2757
2758 /* Accesses to non-generic address-spaces should not be instrumented. */
2759 if (!ADDR_SPACE_GENERIC_P (TYPE_ADDR_SPACE (TREE_TYPE (inner))))
2760 return;
2761
2762 poly_int64 decl_size;
2763 if ((VAR_P (inner)
2764 || (TREE_CODE (inner) == RESULT_DECL
2765 && !aggregate_value_p (inner, current_function_decl)))
2766 && offset == NULL_TREE
2767 && DECL_SIZE (inner)
2768 && poly_int_tree_p (DECL_SIZE (inner), &decl_size)
2769 && known_subrange_p (bitpos, bitsize, 0, decl_size))
2770 {
2771 if (VAR_P (inner) && DECL_THREAD_LOCAL_P (inner))
2772 return;
2773 /* If we're not sanitizing globals and we can tell statically that this
2774 access is inside a global variable, then there's no point adding
2775 instrumentation to check the access. N.b. hwasan currently never
2776 sanitizes globals. */
2777 if ((hwasan_sanitize_p () || !param_asan_globals)
2778 && is_global_var (inner))
2779 return;
2780 if (!TREE_STATIC (inner))
2781 {
2782 /* Automatic vars in the current function will be always
2783 accessible. */
2784 if (decl_function_context (inner) == current_function_decl
2785 && (!asan_sanitize_use_after_scope ()
2786 || !TREE_ADDRESSABLE (inner)))
2787 return;
2788 }
2789 /* Always instrument external vars, they might be dynamically
2790 initialized. */
2791 else if (!DECL_EXTERNAL (inner))
2792 {
2793 /* For static vars if they are known not to be dynamically
2794 initialized, they will be always accessible. */
2795 varpool_node *vnode = varpool_node::get (inner);
2796 if (vnode && !vnode->dynamically_initialized)
2797 return;
2798 }
2799 }
2800
2801 if (DECL_P (inner)
2802 && decl_function_context (inner) == current_function_decl
2803 && !TREE_ADDRESSABLE (inner))
2804 mark_addressable (inner);
2805
2806 base = build_fold_addr_expr (t);
2807 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
2808 {
2809 unsigned int align = get_object_alignment (t);
2810 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
2811 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
2812 is_store, /*is_scalar_access*/true, align);
2813 update_mem_ref_hash_table (base, size_in_bytes);
2814 update_mem_ref_hash_table (t, size_in_bytes);
2815 }
2816
2817 }
2818
2819 /* Insert a memory reference into the hash table if access length
2820 can be determined in compile time. */
2821
2822 static void
2823 maybe_update_mem_ref_hash_table (tree base, tree len)
2824 {
2825 if (!POINTER_TYPE_P (TREE_TYPE (base))
2826 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
2827 return;
2828
2829 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2830
2831 if (size_in_bytes != -1)
2832 update_mem_ref_hash_table (base, size_in_bytes);
2833 }
2834
2835 /* Instrument an access to a contiguous memory region that starts at
2836 the address pointed to by BASE, over a length of LEN (expressed in
2837 the sizeof (*BASE) bytes). ITER points to the instruction before
2838 which the instrumentation instructions must be inserted. LOCATION
2839 is the source location that the instrumentation instructions must
2840 have. If IS_STORE is true, then the memory access is a store;
2841 otherwise, it's a load. */
2842
2843 static void
2844 instrument_mem_region_access (tree base, tree len,
2845 gimple_stmt_iterator *iter,
2846 location_t location, bool is_store)
2847 {
2848 if (!POINTER_TYPE_P (TREE_TYPE (base))
2849 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
2850 || integer_zerop (len))
2851 return;
2852
2853 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2854
2855 if ((size_in_bytes == -1)
2856 || !has_mem_ref_been_instrumented (base, size_in_bytes))
2857 {
2858 build_check_stmt (location, base, len, size_in_bytes, iter,
2859 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
2860 is_store, /*is_scalar_access*/false, /*align*/0);
2861 }
2862
2863 maybe_update_mem_ref_hash_table (base, len);
2864 *iter = gsi_for_stmt (gsi_stmt (*iter));
2865 }
2866
2867 /* Instrument the call to a built-in memory access function that is
2868 pointed to by the iterator ITER.
2869
2870 Upon completion, return TRUE iff *ITER has been advanced to the
2871 statement following the one it was originally pointing to. */
2872
2873 static bool
2874 instrument_builtin_call (gimple_stmt_iterator *iter)
2875 {
2876 if (!(asan_memintrin () || hwasan_memintrin ()))
2877 return false;
2878
2879 bool iter_advanced_p = false;
2880 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
2881
2882 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
2883
2884 location_t loc = gimple_location (call);
2885
2886 asan_mem_ref src0, src1, dest;
2887 asan_mem_ref_init (&src0, NULL, 1);
2888 asan_mem_ref_init (&src1, NULL, 1);
2889 asan_mem_ref_init (&dest, NULL, 1);
2890
2891 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
2892 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
2893 dest_is_deref = false, intercepted_p = true;
2894
2895 if (get_mem_refs_of_builtin_call (call,
2896 &src0, &src0_len, &src0_is_store,
2897 &src1, &src1_len, &src1_is_store,
2898 &dest, &dest_len, &dest_is_store,
2899 &dest_is_deref, &intercepted_p, iter))
2900 {
2901 if (dest_is_deref)
2902 {
2903 instrument_derefs (iter, dest.start, loc, dest_is_store);
2904 gsi_next (iter);
2905 iter_advanced_p = true;
2906 }
2907 else if (!intercepted_p
2908 && (src0_len || src1_len || dest_len))
2909 {
2910 if (src0.start != NULL_TREE)
2911 instrument_mem_region_access (src0.start, src0_len,
2912 iter, loc, /*is_store=*/false);
2913 if (src1.start != NULL_TREE)
2914 instrument_mem_region_access (src1.start, src1_len,
2915 iter, loc, /*is_store=*/false);
2916 if (dest.start != NULL_TREE)
2917 instrument_mem_region_access (dest.start, dest_len,
2918 iter, loc, /*is_store=*/true);
2919
2920 *iter = gsi_for_stmt (call);
2921 gsi_next (iter);
2922 iter_advanced_p = true;
2923 }
2924 else
2925 {
2926 if (src0.start != NULL_TREE)
2927 maybe_update_mem_ref_hash_table (src0.start, src0_len);
2928 if (src1.start != NULL_TREE)
2929 maybe_update_mem_ref_hash_table (src1.start, src1_len);
2930 if (dest.start != NULL_TREE)
2931 maybe_update_mem_ref_hash_table (dest.start, dest_len);
2932 }
2933 }
2934 return iter_advanced_p;
2935 }
2936
2937 /* Instrument the assignment statement ITER if it is subject to
2938 instrumentation. Return TRUE iff instrumentation actually
2939 happened. In that case, the iterator ITER is advanced to the next
2940 logical expression following the one initially pointed to by ITER,
2941 and the relevant memory reference that which access has been
2942 instrumented is added to the memory references hash table. */
2943
2944 static bool
2945 maybe_instrument_assignment (gimple_stmt_iterator *iter)
2946 {
2947 gimple *s = gsi_stmt (*iter);
2948
2949 gcc_assert (gimple_assign_single_p (s));
2950
2951 tree ref_expr = NULL_TREE;
2952 bool is_store, is_instrumented = false;
2953
2954 if (gimple_store_p (s))
2955 {
2956 ref_expr = gimple_assign_lhs (s);
2957 is_store = true;
2958 instrument_derefs (iter, ref_expr,
2959 gimple_location (s),
2960 is_store);
2961 is_instrumented = true;
2962 }
2963
2964 if (gimple_assign_load_p (s))
2965 {
2966 ref_expr = gimple_assign_rhs1 (s);
2967 is_store = false;
2968 instrument_derefs (iter, ref_expr,
2969 gimple_location (s),
2970 is_store);
2971 is_instrumented = true;
2972 }
2973
2974 if (is_instrumented)
2975 gsi_next (iter);
2976
2977 return is_instrumented;
2978 }
2979
2980 /* Instrument the function call pointed to by the iterator ITER, if it
2981 is subject to instrumentation. At the moment, the only function
2982 calls that are instrumented are some built-in functions that access
2983 memory. Look at instrument_builtin_call to learn more.
2984
2985 Upon completion return TRUE iff *ITER was advanced to the statement
2986 following the one it was originally pointing to. */
2987
2988 static bool
2989 maybe_instrument_call (gimple_stmt_iterator *iter)
2990 {
2991 gimple *stmt = gsi_stmt (*iter);
2992 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2993
2994 if (is_builtin && instrument_builtin_call (iter))
2995 return true;
2996
2997 if (gimple_call_noreturn_p (stmt))
2998 {
2999 if (is_builtin)
3000 {
3001 tree callee = gimple_call_fndecl (stmt);
3002 switch (DECL_FUNCTION_CODE (callee))
3003 {
3004 case BUILT_IN_UNREACHABLE:
3005 case BUILT_IN_UNREACHABLE_TRAP:
3006 case BUILT_IN_TRAP:
3007 /* Don't instrument these. */
3008 return false;
3009 default:
3010 break;
3011 }
3012 }
3013 /* If a function does not return, then we must handle clearing up the
3014 shadow stack accordingly. For ASAN we can simply set the entire stack
3015 to "valid" for accesses by setting the shadow space to 0 and all
3016 accesses will pass checks. That means that some bad accesses may be
3017 missed, but we will not report any false positives.
3018
3019 This is not possible for HWASAN. Since there is no "always valid" tag
3020 we can not set any space to "always valid". If we were to clear the
3021 entire shadow stack then code resuming from `longjmp` or a caught
3022 exception would trigger false positives when correctly accessing
3023 variables on the stack. Hence we need to handle things like
3024 `longjmp`, thread exit, and exceptions in a different way. These
3025 problems must be handled externally to the compiler, e.g. in the
3026 language runtime. */
3027 if (! hwasan_sanitize_p ())
3028 {
3029 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
3030 gimple *g = gimple_build_call (decl, 0);
3031 gimple_set_location (g, gimple_location (stmt));
3032 gsi_safe_insert_before (iter, g);
3033 }
3034 }
3035
3036 bool instrumented = false;
3037 if (gimple_store_p (stmt)
3038 && (gimple_call_builtin_p (stmt)
3039 || gimple_call_internal_p (stmt)
3040 || !aggregate_value_p (TREE_TYPE (gimple_call_lhs (stmt)),
3041 gimple_call_fntype (stmt))))
3042 {
3043 tree ref_expr = gimple_call_lhs (stmt);
3044 instrument_derefs (iter, ref_expr,
3045 gimple_location (stmt),
3046 /*is_store=*/true);
3047
3048 instrumented = true;
3049 }
3050
3051 /* Walk through gimple_call arguments and check them id needed. */
3052 unsigned args_num = gimple_call_num_args (stmt);
3053 for (unsigned i = 0; i < args_num; ++i)
3054 {
3055 tree arg = gimple_call_arg (stmt, i);
3056 /* If ARG is not a non-aggregate register variable, compiler in general
3057 creates temporary for it and pass it as argument to gimple call.
3058 But in some cases, e.g. when we pass by value a small structure that
3059 fits to register, compiler can avoid extra overhead by pulling out
3060 these temporaries. In this case, we should check the argument. */
3061 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
3062 {
3063 instrument_derefs (iter, arg,
3064 gimple_location (stmt),
3065 /*is_store=*/false);
3066 instrumented = true;
3067 }
3068 }
3069 if (instrumented)
3070 gsi_next (iter);
3071 return instrumented;
3072 }
3073
3074 /* Walk each instruction of all basic block and instrument those that
3075 represent memory references: loads, stores, or function calls.
3076 In a given basic block, this function avoids instrumenting memory
3077 references that have already been instrumented. */
3078
3079 static void
3080 transform_statements (void)
3081 {
3082 basic_block bb, last_bb = NULL;
3083 gimple_stmt_iterator i;
3084 int saved_last_basic_block = last_basic_block_for_fn (cfun);
3085
3086 FOR_EACH_BB_FN (bb, cfun)
3087 {
3088 basic_block prev_bb = bb;
3089
3090 if (bb->index >= saved_last_basic_block) continue;
3091
3092 /* Flush the mem ref hash table, if current bb doesn't have
3093 exactly one predecessor, or if that predecessor (skipping
3094 over asan created basic blocks) isn't the last processed
3095 basic block. Thus we effectively flush on extended basic
3096 block boundaries. */
3097 while (single_pred_p (prev_bb))
3098 {
3099 prev_bb = single_pred (prev_bb);
3100 if (prev_bb->index < saved_last_basic_block)
3101 break;
3102 }
3103 if (prev_bb != last_bb)
3104 empty_mem_ref_hash_table ();
3105 last_bb = bb;
3106
3107 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
3108 {
3109 gimple *s = gsi_stmt (i);
3110
3111 if (has_stmt_been_instrumented_p (s))
3112 gsi_next (&i);
3113 else if (gimple_assign_single_p (s)
3114 && !gimple_clobber_p (s)
3115 && maybe_instrument_assignment (&i))
3116 /* Nothing to do as maybe_instrument_assignment advanced
3117 the iterator I. */;
3118 else if (is_gimple_call (s) && maybe_instrument_call (&i))
3119 /* Nothing to do as maybe_instrument_call
3120 advanced the iterator I. */;
3121 else
3122 {
3123 /* No instrumentation happened.
3124
3125 If the current instruction is a function call that
3126 might free something, let's forget about the memory
3127 references that got instrumented. Otherwise we might
3128 miss some instrumentation opportunities. Do the same
3129 for a ASAN_MARK poisoning internal function. */
3130 if (is_gimple_call (s)
3131 && (!nonfreeing_call_p (s)
3132 || asan_mark_p (s, ASAN_MARK_POISON)))
3133 empty_mem_ref_hash_table ();
3134
3135 gsi_next (&i);
3136 }
3137 }
3138 }
3139 free_mem_ref_resources ();
3140 }
3141
3142 /* Build
3143 __asan_before_dynamic_init (module_name)
3144 or
3145 __asan_after_dynamic_init ()
3146 call. */
3147
3148 tree
3149 asan_dynamic_init_call (bool after_p)
3150 {
3151 if (shadow_ptr_types[0] == NULL_TREE)
3152 asan_init_shadow_ptr_types ();
3153
3154 tree fn = builtin_decl_implicit (after_p
3155 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
3156 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
3157 tree module_name_cst = NULL_TREE;
3158 if (!after_p)
3159 {
3160 pretty_printer module_name_pp;
3161 pp_string (&module_name_pp, main_input_filename);
3162
3163 module_name_cst = asan_pp_string (&module_name_pp);
3164 module_name_cst = fold_convert (const_ptr_type_node,
3165 module_name_cst);
3166 }
3167
3168 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
3169 }
3170
3171 /* Build
3172 struct __asan_global
3173 {
3174 const void *__beg;
3175 uptr __size;
3176 uptr __size_with_redzone;
3177 const void *__name;
3178 const void *__module_name;
3179 uptr __has_dynamic_init;
3180 __asan_global_source_location *__location;
3181 char *__odr_indicator;
3182 } type. */
3183
3184 static tree
3185 asan_global_struct (void)
3186 {
3187 static const char *field_names[]
3188 = { "__beg", "__size", "__size_with_redzone",
3189 "__name", "__module_name", "__has_dynamic_init", "__location",
3190 "__odr_indicator" };
3191 tree fields[ARRAY_SIZE (field_names)], ret;
3192 unsigned i;
3193
3194 ret = make_node (RECORD_TYPE);
3195 for (i = 0; i < ARRAY_SIZE (field_names); i++)
3196 {
3197 fields[i]
3198 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
3199 get_identifier (field_names[i]),
3200 (i == 0 || i == 3) ? const_ptr_type_node
3201 : pointer_sized_int_node);
3202 DECL_CONTEXT (fields[i]) = ret;
3203 if (i)
3204 DECL_CHAIN (fields[i - 1]) = fields[i];
3205 }
3206 tree type_decl = build_decl (input_location, TYPE_DECL,
3207 get_identifier ("__asan_global"), ret);
3208 DECL_IGNORED_P (type_decl) = 1;
3209 DECL_ARTIFICIAL (type_decl) = 1;
3210 TYPE_FIELDS (ret) = fields[0];
3211 TYPE_NAME (ret) = type_decl;
3212 TYPE_STUB_DECL (ret) = type_decl;
3213 TYPE_ARTIFICIAL (ret) = 1;
3214 layout_type (ret);
3215 return ret;
3216 }
3217
3218 /* Create and return odr indicator symbol for DECL.
3219 TYPE is __asan_global struct type as returned by asan_global_struct. */
3220
3221 static tree
3222 create_odr_indicator (tree decl, tree type)
3223 {
3224 char *name;
3225 tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
3226 tree decl_name
3227 = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl)
3228 : DECL_NAME (decl));
3229 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
3230 if (decl_name == NULL_TREE)
3231 return build_int_cst (uptr, 0);
3232 const char *dname = IDENTIFIER_POINTER (decl_name);
3233 if (HAS_DECL_ASSEMBLER_NAME_P (decl))
3234 dname = targetm.strip_name_encoding (dname);
3235 size_t len = strlen (dname) + sizeof ("__odr_asan_");
3236 name = XALLOCAVEC (char, len);
3237 snprintf (name, len, "__odr_asan_%s", dname);
3238 #ifndef NO_DOT_IN_LABEL
3239 name[sizeof ("__odr_asan") - 1] = '.';
3240 #elif !defined(NO_DOLLAR_IN_LABEL)
3241 name[sizeof ("__odr_asan") - 1] = '$';
3242 #endif
3243 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name),
3244 char_type_node);
3245 TREE_ADDRESSABLE (var) = 1;
3246 TREE_READONLY (var) = 0;
3247 TREE_THIS_VOLATILE (var) = 1;
3248 DECL_ARTIFICIAL (var) = 1;
3249 DECL_IGNORED_P (var) = 1;
3250 TREE_STATIC (var) = 1;
3251 TREE_PUBLIC (var) = 1;
3252 DECL_VISIBILITY (var) = DECL_VISIBILITY (decl);
3253 DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl);
3254
3255 TREE_USED (var) = 1;
3256 tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE,
3257 build_int_cst (unsigned_type_node, 0));
3258 TREE_CONSTANT (ctor) = 1;
3259 TREE_STATIC (ctor) = 1;
3260 DECL_INITIAL (var) = ctor;
3261 DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"),
3262 NULL, DECL_ATTRIBUTES (var));
3263 make_decl_rtl (var);
3264 varpool_node::finalize_decl (var);
3265 return fold_convert (uptr, build_fold_addr_expr (var));
3266 }
3267
3268 /* Return true if DECL, a global var, might be overridden and needs
3269 an additional odr indicator symbol. */
3270
3271 static bool
3272 asan_needs_odr_indicator_p (tree decl)
3273 {
3274 /* Don't emit ODR indicators for kernel because:
3275 a) Kernel is written in C thus doesn't need ODR indicators.
3276 b) Some kernel code may have assumptions about symbols containing specific
3277 patterns in their names. Since ODR indicators contain original names
3278 of symbols they are emitted for, these assumptions would be broken for
3279 ODR indicator symbols. */
3280 return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS)
3281 && !DECL_ARTIFICIAL (decl)
3282 && !DECL_WEAK (decl)
3283 && TREE_PUBLIC (decl));
3284 }
3285
3286 /* Append description of a single global DECL into vector V.
3287 TYPE is __asan_global struct type as returned by asan_global_struct. */
3288
3289 static void
3290 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
3291 {
3292 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
3293 unsigned HOST_WIDE_INT size;
3294 tree str_cst, module_name_cst, refdecl = decl;
3295 vec<constructor_elt, va_gc> *vinner = NULL;
3296
3297 pretty_printer asan_pp, module_name_pp;
3298
3299 if (DECL_NAME (decl))
3300 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
3301 else
3302 pp_string (&asan_pp, "<unknown>");
3303 str_cst = asan_pp_string (&asan_pp);
3304
3305 if (!in_lto_p)
3306 pp_string (&module_name_pp, main_input_filename);
3307 else
3308 {
3309 const_tree tu = get_ultimate_context ((const_tree)decl);
3310 if (tu != NULL_TREE)
3311 pp_string (&module_name_pp, IDENTIFIER_POINTER (DECL_NAME (tu)));
3312 else
3313 pp_string (&module_name_pp, aux_base_name);
3314 }
3315
3316 module_name_cst = asan_pp_string (&module_name_pp);
3317
3318 if (asan_needs_local_alias (decl))
3319 {
3320 char buf[20];
3321 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
3322 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
3323 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
3324 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
3325 TREE_READONLY (refdecl) = TREE_READONLY (decl);
3326 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
3327 DECL_NOT_GIMPLE_REG_P (refdecl) = DECL_NOT_GIMPLE_REG_P (decl);
3328 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
3329 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
3330 TREE_STATIC (refdecl) = 1;
3331 TREE_PUBLIC (refdecl) = 0;
3332 TREE_USED (refdecl) = 1;
3333 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
3334 }
3335
3336 tree odr_indicator_ptr
3337 = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type)
3338 : build_int_cst (uptr, 0));
3339 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3340 fold_convert (const_ptr_type_node,
3341 build_fold_addr_expr (refdecl)));
3342 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
3343 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
3344 size += asan_red_zone_size (size);
3345 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
3346 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3347 fold_convert (const_ptr_type_node, str_cst));
3348 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3349 fold_convert (const_ptr_type_node, module_name_cst));
3350 varpool_node *vnode = varpool_node::get (decl);
3351 int has_dynamic_init = 0;
3352 /* FIXME: Enable initialization order fiasco detection in LTO mode once
3353 proper fix for PR 79061 will be applied. */
3354 if (!in_lto_p)
3355 has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
3356 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3357 build_int_cst (uptr, has_dynamic_init));
3358 tree locptr = NULL_TREE;
3359 location_t loc = DECL_SOURCE_LOCATION (decl);
3360 expanded_location xloc = expand_location (loc);
3361 if (xloc.file != NULL)
3362 {
3363 static int lasanloccnt = 0;
3364 char buf[25];
3365 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
3366 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
3367 ubsan_get_source_location_type ());
3368 TREE_STATIC (var) = 1;
3369 TREE_PUBLIC (var) = 0;
3370 DECL_ARTIFICIAL (var) = 1;
3371 DECL_IGNORED_P (var) = 1;
3372 pretty_printer filename_pp;
3373 pp_string (&filename_pp, xloc.file);
3374 tree str = asan_pp_string (&filename_pp);
3375 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
3376 NULL_TREE, str, NULL_TREE,
3377 build_int_cst (unsigned_type_node,
3378 xloc.line), NULL_TREE,
3379 build_int_cst (unsigned_type_node,
3380 xloc.column));
3381 TREE_CONSTANT (ctor) = 1;
3382 TREE_STATIC (ctor) = 1;
3383 DECL_INITIAL (var) = ctor;
3384 varpool_node::finalize_decl (var);
3385 locptr = fold_convert (uptr, build_fold_addr_expr (var));
3386 }
3387 else
3388 locptr = build_int_cst (uptr, 0);
3389 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
3390 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr);
3391 init = build_constructor (type, vinner);
3392 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
3393 }
3394
3395 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
3396 void
3397 initialize_sanitizer_builtins (void)
3398 {
3399 tree decl;
3400
3401 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
3402 return;
3403
3404 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
3405 tree BT_FN_VOID_PTR
3406 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
3407 tree BT_FN_VOID_CONST_PTR
3408 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
3409 tree BT_FN_VOID_PTR_PTR
3410 = build_function_type_list (void_type_node, ptr_type_node,
3411 ptr_type_node, NULL_TREE);
3412 tree BT_FN_VOID_PTR_PTR_PTR
3413 = build_function_type_list (void_type_node, ptr_type_node,
3414 ptr_type_node, ptr_type_node, NULL_TREE);
3415 tree BT_FN_VOID_PTR_PTRMODE
3416 = build_function_type_list (void_type_node, ptr_type_node,
3417 pointer_sized_int_node, NULL_TREE);
3418 tree BT_FN_VOID_INT
3419 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
3420 tree BT_FN_SIZE_CONST_PTR_INT
3421 = build_function_type_list (size_type_node, const_ptr_type_node,
3422 integer_type_node, NULL_TREE);
3423
3424 tree BT_FN_VOID_UINT8_UINT8
3425 = build_function_type_list (void_type_node, unsigned_char_type_node,
3426 unsigned_char_type_node, NULL_TREE);
3427 tree BT_FN_VOID_UINT16_UINT16
3428 = build_function_type_list (void_type_node, uint16_type_node,
3429 uint16_type_node, NULL_TREE);
3430 tree BT_FN_VOID_UINT32_UINT32
3431 = build_function_type_list (void_type_node, uint32_type_node,
3432 uint32_type_node, NULL_TREE);
3433 tree BT_FN_VOID_UINT64_UINT64
3434 = build_function_type_list (void_type_node, uint64_type_node,
3435 uint64_type_node, NULL_TREE);
3436 tree BT_FN_VOID_FLOAT_FLOAT
3437 = build_function_type_list (void_type_node, float_type_node,
3438 float_type_node, NULL_TREE);
3439 tree BT_FN_VOID_DOUBLE_DOUBLE
3440 = build_function_type_list (void_type_node, double_type_node,
3441 double_type_node, NULL_TREE);
3442 tree BT_FN_VOID_UINT64_PTR
3443 = build_function_type_list (void_type_node, uint64_type_node,
3444 ptr_type_node, NULL_TREE);
3445
3446 tree BT_FN_PTR_CONST_PTR_UINT8
3447 = build_function_type_list (ptr_type_node, const_ptr_type_node,
3448 unsigned_char_type_node, NULL_TREE);
3449 tree BT_FN_VOID_PTR_UINT8_PTRMODE
3450 = build_function_type_list (void_type_node, ptr_type_node,
3451 unsigned_char_type_node,
3452 pointer_sized_int_node, NULL_TREE);
3453
3454 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
3455 tree BT_FN_IX_CONST_VPTR_INT[5];
3456 tree BT_FN_IX_VPTR_IX_INT[5];
3457 tree BT_FN_VOID_VPTR_IX_INT[5];
3458 tree vptr
3459 = build_pointer_type (build_qualified_type (void_type_node,
3460 TYPE_QUAL_VOLATILE));
3461 tree cvptr
3462 = build_pointer_type (build_qualified_type (void_type_node,
3463 TYPE_QUAL_VOLATILE
3464 |TYPE_QUAL_CONST));
3465 tree boolt
3466 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
3467 int i;
3468 for (i = 0; i < 5; i++)
3469 {
3470 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
3471 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
3472 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
3473 integer_type_node, integer_type_node,
3474 NULL_TREE);
3475 BT_FN_IX_CONST_VPTR_INT[i]
3476 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
3477 BT_FN_IX_VPTR_IX_INT[i]
3478 = build_function_type_list (ix, vptr, ix, integer_type_node,
3479 NULL_TREE);
3480 BT_FN_VOID_VPTR_IX_INT[i]
3481 = build_function_type_list (void_type_node, vptr, ix,
3482 integer_type_node, NULL_TREE);
3483 }
3484 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
3485 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
3486 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
3487 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
3488 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
3489 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
3490 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
3491 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
3492 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
3493 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
3494 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
3495 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
3496 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
3497 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
3498 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
3499 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
3500 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
3501 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
3502 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
3503 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
3504 #undef ATTR_NOTHROW_LIST
3505 #define ATTR_NOTHROW_LIST ECF_NOTHROW
3506 #undef ATTR_NOTHROW_LEAF_LIST
3507 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
3508 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
3509 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
3510 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
3511 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
3512 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3513 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
3514 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
3515 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
3516 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
3517 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
3518 #undef ATTR_COLD_NOTHROW_LEAF_LIST
3519 #define ATTR_COLD_NOTHROW_LEAF_LIST \
3520 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
3521 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
3522 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
3523 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
3524 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
3525 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
3526 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3527 #undef ATTR_PURE_NOTHROW_LEAF_LIST
3528 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
3529 #undef DEF_BUILTIN_STUB
3530 #define DEF_BUILTIN_STUB(ENUM, NAME)
3531 #undef DEF_SANITIZER_BUILTIN_1
3532 #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \
3533 do { \
3534 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
3535 BUILT_IN_NORMAL, NAME, NULL_TREE); \
3536 set_call_expr_flags (decl, ATTRS); \
3537 set_builtin_decl (ENUM, decl, true); \
3538 } while (0)
3539 #undef DEF_SANITIZER_BUILTIN
3540 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
3541 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS);
3542
3543 #include "sanitizer.def"
3544
3545 /* -fsanitize=object-size uses __builtin_dynamic_object_size and
3546 __builtin_object_size, but they might not be available for e.g. Fortran at
3547 this point. We use DEF_SANITIZER_BUILTIN here only as a convenience
3548 macro. */
3549 if (flag_sanitize & SANITIZE_OBJECT_SIZE)
3550 {
3551 if (!builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
3552 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_OBJECT_SIZE, "object_size",
3553 BT_FN_SIZE_CONST_PTR_INT,
3554 ATTR_PURE_NOTHROW_LEAF_LIST);
3555 if (!builtin_decl_implicit_p (BUILT_IN_DYNAMIC_OBJECT_SIZE))
3556 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_DYNAMIC_OBJECT_SIZE,
3557 "dynamic_object_size",
3558 BT_FN_SIZE_CONST_PTR_INT,
3559 ATTR_PURE_NOTHROW_LEAF_LIST);
3560 }
3561
3562 #undef DEF_SANITIZER_BUILTIN_1
3563 #undef DEF_SANITIZER_BUILTIN
3564 #undef DEF_BUILTIN_STUB
3565 }
3566
3567 /* Called via htab_traverse. Count number of emitted
3568 STRING_CSTs in the constant hash table. */
3569
3570 int
3571 count_string_csts (constant_descriptor_tree **slot,
3572 unsigned HOST_WIDE_INT *data)
3573 {
3574 struct constant_descriptor_tree *desc = *slot;
3575 if (TREE_CODE (desc->value) == STRING_CST
3576 && TREE_ASM_WRITTEN (desc->value)
3577 && asan_protect_global (desc->value))
3578 ++*data;
3579 return 1;
3580 }
3581
3582 /* Helper structure to pass two parameters to
3583 add_string_csts. */
3584
3585 struct asan_add_string_csts_data
3586 {
3587 tree type;
3588 vec<constructor_elt, va_gc> *v;
3589 };
3590
3591 /* Called via hash_table::traverse. Call asan_add_global
3592 on emitted STRING_CSTs from the constant hash table. */
3593
3594 int
3595 add_string_csts (constant_descriptor_tree **slot,
3596 asan_add_string_csts_data *aascd)
3597 {
3598 struct constant_descriptor_tree *desc = *slot;
3599 if (TREE_CODE (desc->value) == STRING_CST
3600 && TREE_ASM_WRITTEN (desc->value)
3601 && asan_protect_global (desc->value))
3602 {
3603 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
3604 aascd->type, aascd->v);
3605 }
3606 return 1;
3607 }
3608
3609 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
3610 invoke ggc_collect. */
3611 static GTY(()) tree asan_ctor_statements;
3612
3613 /* Module-level instrumentation.
3614 - Insert __asan_init_vN() into the list of CTORs.
3615 - TODO: insert redzones around globals.
3616 */
3617
3618 void
3619 asan_finish_file (void)
3620 {
3621 varpool_node *vnode;
3622 unsigned HOST_WIDE_INT gcount = 0;
3623
3624 if (shadow_ptr_types[0] == NULL_TREE)
3625 asan_init_shadow_ptr_types ();
3626 /* Avoid instrumenting code in the asan ctors/dtors.
3627 We don't need to insert padding after the description strings,
3628 nor after .LASAN* array. */
3629 flag_sanitize &= ~SANITIZE_ADDRESS;
3630
3631 /* For user-space we want asan constructors to run first.
3632 Linux kernel does not support priorities other than default, and the only
3633 other user of constructors is coverage. So we run with the default
3634 priority. */
3635 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
3636 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
3637
3638 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3639 {
3640 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
3641 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
3642 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
3643 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
3644 }
3645 FOR_EACH_DEFINED_VARIABLE (vnode)
3646 if (TREE_ASM_WRITTEN (vnode->decl)
3647 && asan_protect_global (vnode->decl))
3648 ++gcount;
3649 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
3650 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
3651 (&gcount);
3652 if (gcount)
3653 {
3654 tree type = asan_global_struct (), var, ctor;
3655 tree dtor_statements = NULL_TREE;
3656 vec<constructor_elt, va_gc> *v;
3657 char buf[20];
3658
3659 type = build_array_type_nelts (type, gcount);
3660 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
3661 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
3662 type);
3663 TREE_STATIC (var) = 1;
3664 TREE_PUBLIC (var) = 0;
3665 DECL_ARTIFICIAL (var) = 1;
3666 DECL_IGNORED_P (var) = 1;
3667 vec_alloc (v, gcount);
3668 FOR_EACH_DEFINED_VARIABLE (vnode)
3669 if (TREE_ASM_WRITTEN (vnode->decl)
3670 && asan_protect_global (vnode->decl))
3671 asan_add_global (vnode->decl, TREE_TYPE (type), v);
3672 struct asan_add_string_csts_data aascd;
3673 aascd.type = TREE_TYPE (type);
3674 aascd.v = v;
3675 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
3676 (&aascd);
3677 ctor = build_constructor (type, v);
3678 TREE_CONSTANT (ctor) = 1;
3679 TREE_STATIC (ctor) = 1;
3680 DECL_INITIAL (var) = ctor;
3681 SET_DECL_ALIGN (var, MAX (DECL_ALIGN (var),
3682 ASAN_SHADOW_GRANULARITY * BITS_PER_UNIT));
3683
3684 varpool_node::finalize_decl (var);
3685
3686 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
3687 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
3688 append_to_statement_list (build_call_expr (fn, 2,
3689 build_fold_addr_expr (var),
3690 gcount_tree),
3691 &asan_ctor_statements);
3692
3693 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
3694 append_to_statement_list (build_call_expr (fn, 2,
3695 build_fold_addr_expr (var),
3696 gcount_tree),
3697 &dtor_statements);
3698 cgraph_build_static_cdtor ('D', dtor_statements, priority);
3699 }
3700 if (asan_ctor_statements)
3701 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
3702 flag_sanitize |= SANITIZE_ADDRESS;
3703 }
3704
3705 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
3706 on SHADOW address. Newly added statements will be added to ITER with
3707 given location LOC. We mark SIZE bytes in shadow memory, where
3708 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
3709 end of a variable. */
3710
3711 static void
3712 asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
3713 tree shadow,
3714 unsigned HOST_WIDE_INT base_addr_offset,
3715 bool is_clobber, unsigned size,
3716 unsigned last_chunk_size)
3717 {
3718 tree shadow_ptr_type;
3719
3720 switch (size)
3721 {
3722 case 1:
3723 shadow_ptr_type = shadow_ptr_types[0];
3724 break;
3725 case 2:
3726 shadow_ptr_type = shadow_ptr_types[1];
3727 break;
3728 case 4:
3729 shadow_ptr_type = shadow_ptr_types[2];
3730 break;
3731 default:
3732 gcc_unreachable ();
3733 }
3734
3735 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
3736 unsigned HOST_WIDE_INT val = 0;
3737 unsigned last_pos = size;
3738 if (last_chunk_size && !is_clobber)
3739 last_pos = BYTES_BIG_ENDIAN ? 0 : size - 1;
3740 for (unsigned i = 0; i < size; ++i)
3741 {
3742 unsigned char shadow_c = c;
3743 if (i == last_pos)
3744 shadow_c = last_chunk_size;
3745 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
3746 }
3747
3748 /* Handle last chunk in unpoisoning. */
3749 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);
3750
3751 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
3752 build_int_cst (shadow_ptr_type, base_addr_offset));
3753
3754 gimple *g = gimple_build_assign (dest, magic);
3755 gimple_set_location (g, loc);
3756 gsi_insert_after (iter, g, GSI_NEW_STMT);
3757 }
3758
3759 /* Expand the ASAN_MARK builtins. */
3760
3761 bool
3762 asan_expand_mark_ifn (gimple_stmt_iterator *iter)
3763 {
3764 gimple *g = gsi_stmt (*iter);
3765 location_t loc = gimple_location (g);
3766 HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0));
3767 bool is_poison = ((asan_mark_flags)flag) == ASAN_MARK_POISON;
3768
3769 tree base = gimple_call_arg (g, 1);
3770 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
3771 tree decl = TREE_OPERAND (base, 0);
3772
3773 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
3774 if (TREE_CODE (decl) == COMPONENT_REF
3775 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0)))
3776 decl = TREE_OPERAND (decl, 0);
3777
3778 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);
3779
3780 if (hwasan_sanitize_p ())
3781 {
3782 gcc_assert (param_hwasan_instrument_stack);
3783 gimple_seq stmts = NULL;
3784 /* Here we swap ASAN_MARK calls for HWASAN_MARK.
3785 This is because we are using the approach of using ASAN_MARK as a
3786 synonym until here.
3787 That approach means we don't yet have to duplicate all the special
3788 cases for ASAN_MARK and ASAN_POISON with the exact same handling but
3789 called HWASAN_MARK etc.
3790
3791 N.b. __asan_poison_stack_memory (which implements ASAN_MARK for ASAN)
3792 rounds the size up to its shadow memory granularity, while
3793 __hwasan_tag_memory (which implements the same for HWASAN) does not.
3794 Hence we emit HWASAN_MARK with an aligned size unlike ASAN_MARK. */
3795 tree len = gimple_call_arg (g, 2);
3796 tree new_len = gimple_build_round_up (&stmts, loc, size_type_node, len,
3797 HWASAN_TAG_GRANULE_SIZE);
3798 gimple_build (&stmts, loc, CFN_HWASAN_MARK,
3799 void_type_node, gimple_call_arg (g, 0),
3800 base, new_len);
3801 gsi_replace_with_seq (iter, stmts, true);
3802 return false;
3803 }
3804
3805 if (is_poison)
3806 {
3807 if (asan_handled_variables == NULL)
3808 asan_handled_variables = new hash_set<tree> (16);
3809 asan_handled_variables->add (decl);
3810 }
3811 tree len = gimple_call_arg (g, 2);
3812
3813 gcc_assert (poly_int_tree_p (len));
3814
3815 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3816 NOP_EXPR, base);
3817 gimple_set_location (g, loc);
3818 gsi_replace (iter, g, false);
3819 tree base_addr = gimple_assign_lhs (g);
3820
3821 /* Generate direct emission if size_in_bytes is small. */
3822 unsigned threshold = param_use_after_scope_direct_emission_threshold;
3823 if (tree_fits_uhwi_p (len) && tree_to_uhwi (len) <= threshold)
3824 {
3825 unsigned HOST_WIDE_INT size_in_bytes = tree_to_uhwi (len);
3826 const unsigned HOST_WIDE_INT shadow_size
3827 = shadow_mem_size (size_in_bytes);
3828 const unsigned int shadow_align
3829 = (get_pointer_alignment (base) / BITS_PER_UNIT) >> ASAN_SHADOW_SHIFT;
3830
3831 tree shadow = build_shadow_mem_access (iter, loc, base_addr,
3832 shadow_ptr_types[0], true);
3833
3834 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
3835 {
3836 unsigned size = 1;
3837 if (shadow_size - offset >= 4
3838 && (!STRICT_ALIGNMENT || shadow_align >= 4))
3839 size = 4;
3840 else if (shadow_size - offset >= 2
3841 && (!STRICT_ALIGNMENT || shadow_align >= 2))
3842 size = 2;
3843
3844 unsigned HOST_WIDE_INT last_chunk_size = 0;
3845 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
3846 if (s > size_in_bytes)
3847 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);
3848
3849 asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison,
3850 size, last_chunk_size);
3851 offset += size;
3852 }
3853 }
3854 else
3855 {
3856 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3857 NOP_EXPR, len);
3858 gimple_set_location (g, loc);
3859 gsi_safe_insert_before (iter, g);
3860 tree sz_arg = gimple_assign_lhs (g);
3861
3862 tree fun
3863 = builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY
3864 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY);
3865 g = gimple_build_call (fun, 2, base_addr, sz_arg);
3866 gimple_set_location (g, loc);
3867 gsi_insert_after (iter, g, GSI_NEW_STMT);
3868 }
3869
3870 return false;
3871 }
3872
3873 /* Expand the ASAN_{LOAD,STORE} builtins. */
3874
3875 bool
3876 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
3877 {
3878 gcc_assert (!hwasan_sanitize_p ());
3879 gimple *g = gsi_stmt (*iter);
3880 location_t loc = gimple_location (g);
3881 bool recover_p;
3882 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3883 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3884 else
3885 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3886
3887 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
3888 gcc_assert (flags < ASAN_CHECK_LAST);
3889 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
3890 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
3891 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
3892
3893 tree base = gimple_call_arg (g, 1);
3894 tree len = gimple_call_arg (g, 2);
3895 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
3896
3897 HOST_WIDE_INT size_in_bytes
3898 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
3899
3900 if (use_calls)
3901 {
3902 /* Instrument using callbacks. */
3903 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3904 NOP_EXPR, base);
3905 gimple_set_location (g, loc);
3906 gsi_insert_before (iter, g, GSI_SAME_STMT);
3907 tree base_addr = gimple_assign_lhs (g);
3908
3909 int nargs;
3910 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
3911 if (nargs == 1)
3912 g = gimple_build_call (fun, 1, base_addr);
3913 else
3914 {
3915 gcc_assert (nargs == 2);
3916 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3917 NOP_EXPR, len);
3918 gimple_set_location (g, loc);
3919 gsi_insert_before (iter, g, GSI_SAME_STMT);
3920 tree sz_arg = gimple_assign_lhs (g);
3921 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
3922 }
3923 gimple_set_location (g, loc);
3924 gsi_replace (iter, g, false);
3925 return false;
3926 }
3927
3928 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
3929
3930 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
3931 tree shadow_type = TREE_TYPE (shadow_ptr_type);
3932
3933 gimple_stmt_iterator gsi = *iter;
3934
3935 if (!is_non_zero_len)
3936 {
3937 /* So, the length of the memory area to asan-protect is
3938 non-constant. Let's guard the generated instrumentation code
3939 like:
3940
3941 if (len != 0)
3942 {
3943 //asan instrumentation code goes here.
3944 }
3945 // falltrough instructions, starting with *ITER. */
3946
3947 g = gimple_build_cond (NE_EXPR,
3948 len,
3949 build_int_cst (TREE_TYPE (len), 0),
3950 NULL_TREE, NULL_TREE);
3951 gimple_set_location (g, loc);
3952
3953 basic_block then_bb, fallthrough_bb;
3954 insert_if_then_before_iter (as_a <gcond *> (g), iter,
3955 /*then_more_likely_p=*/true,
3956 &then_bb, &fallthrough_bb);
3957 /* Note that fallthrough_bb starts with the statement that was
3958 pointed to by ITER. */
3959
3960 /* The 'then block' of the 'if (len != 0) condition is where
3961 we'll generate the asan instrumentation code now. */
3962 gsi = gsi_last_bb (then_bb);
3963 }
3964
3965 /* Get an iterator on the point where we can add the condition
3966 statement for the instrumentation. */
3967 basic_block then_bb, else_bb;
3968 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
3969 /*then_more_likely_p=*/false,
3970 /*create_then_fallthru_edge*/recover_p,
3971 &then_bb,
3972 &else_bb);
3973
3974 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3975 NOP_EXPR, base);
3976 gimple_set_location (g, loc);
3977 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
3978 tree base_addr = gimple_assign_lhs (g);
3979
3980 tree t = NULL_TREE;
3981 if (real_size_in_bytes >= 8)
3982 {
3983 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3984 shadow_ptr_type);
3985 t = shadow;
3986 }
3987 else
3988 {
3989 /* Slow path for 1, 2 and 4 byte accesses. */
3990 /* Test (shadow != 0)
3991 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
3992 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3993 shadow_ptr_type);
3994 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3995 gimple_seq seq = NULL;
3996 gimple_seq_add_stmt (&seq, shadow_test);
3997 /* Aligned (>= 8 bytes) can test just
3998 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
3999 to be 0. */
4000 if (align < 8)
4001 {
4002 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
4003 base_addr, 7));
4004 gimple_seq_add_stmt (&seq,
4005 build_type_cast (shadow_type,
4006 gimple_seq_last (seq)));
4007 if (real_size_in_bytes > 1)
4008 gimple_seq_add_stmt (&seq,
4009 build_assign (PLUS_EXPR,
4010 gimple_seq_last (seq),
4011 real_size_in_bytes - 1));
4012 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
4013 }
4014 else
4015 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
4016 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
4017 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
4018 gimple_seq_last (seq)));
4019 t = gimple_assign_lhs (gimple_seq_last (seq));
4020 gimple_seq_set_location (seq, loc);
4021 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
4022
4023 /* For non-constant, misaligned or otherwise weird access sizes,
4024 check first and last byte. */
4025 if (size_in_bytes == -1)
4026 {
4027 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
4028 MINUS_EXPR, len,
4029 build_int_cst (pointer_sized_int_node, 1));
4030 gimple_set_location (g, loc);
4031 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
4032 tree last = gimple_assign_lhs (g);
4033 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
4034 PLUS_EXPR, base_addr, last);
4035 gimple_set_location (g, loc);
4036 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
4037 tree base_end_addr = gimple_assign_lhs (g);
4038
4039 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
4040 shadow_ptr_type);
4041 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
4042 gimple_seq seq = NULL;
4043 gimple_seq_add_stmt (&seq, shadow_test);
4044 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
4045 base_end_addr, 7));
4046 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
4047 gimple_seq_last (seq)));
4048 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
4049 gimple_seq_last (seq),
4050 shadow));
4051 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
4052 gimple_seq_last (seq)));
4053 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
4054 gimple_seq_last (seq)));
4055 t = gimple_assign_lhs (gimple_seq_last (seq));
4056 gimple_seq_set_location (seq, loc);
4057 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
4058 }
4059 }
4060
4061 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
4062 NULL_TREE, NULL_TREE);
4063 gimple_set_location (g, loc);
4064 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
4065
4066 /* Generate call to the run-time library (e.g. __asan_report_load8). */
4067 gsi = gsi_start_bb (then_bb);
4068 int nargs;
4069 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
4070 g = gimple_build_call (fun, nargs, base_addr, len);
4071 gimple_set_location (g, loc);
4072 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
4073
4074 gsi_remove (iter, true);
4075 *iter = gsi_start_bb (else_bb);
4076
4077 return true;
4078 }
4079
4080 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
4081 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
4082
4083 static tree
4084 create_asan_shadow_var (tree var_decl,
4085 hash_map<tree, tree> &shadow_vars_mapping)
4086 {
4087 tree *slot = shadow_vars_mapping.get (var_decl);
4088 if (slot == NULL)
4089 {
4090 tree shadow_var = copy_node (var_decl);
4091
4092 copy_body_data id;
4093 memset (&id, 0, sizeof (copy_body_data));
4094 id.src_fn = id.dst_fn = current_function_decl;
4095 copy_decl_for_dup_finish (&id, var_decl, shadow_var);
4096
4097 DECL_ARTIFICIAL (shadow_var) = 1;
4098 DECL_IGNORED_P (shadow_var) = 1;
4099 DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0;
4100 gimple_add_tmp_var (shadow_var);
4101
4102 shadow_vars_mapping.put (var_decl, shadow_var);
4103 return shadow_var;
4104 }
4105 else
4106 return *slot;
4107 }
4108
4109 /* Expand ASAN_POISON ifn. */
4110
4111 bool
4112 asan_expand_poison_ifn (gimple_stmt_iterator *iter,
4113 bool *need_commit_edge_insert,
4114 hash_map<tree, tree> &shadow_vars_mapping)
4115 {
4116 gimple *g = gsi_stmt (*iter);
4117 tree poisoned_var = gimple_call_lhs (g);
4118 if (!poisoned_var || has_zero_uses (poisoned_var))
4119 {
4120 gsi_remove (iter, true);
4121 return true;
4122 }
4123
4124 if (SSA_NAME_VAR (poisoned_var) == NULL_TREE)
4125 SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var,
4126 create_tmp_var (TREE_TYPE (poisoned_var)));
4127
4128 tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var),
4129 shadow_vars_mapping);
4130
4131 bool recover_p;
4132 if (flag_sanitize & SANITIZE_USER_ADDRESS)
4133 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
4134 else
4135 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
4136 tree size = DECL_SIZE_UNIT (shadow_var);
4137 gimple *poison_call
4138 = gimple_build_call_internal (IFN_ASAN_MARK, 3,
4139 build_int_cst (integer_type_node,
4140 ASAN_MARK_POISON),
4141 build_fold_addr_expr (shadow_var), size);
4142
4143 gimple *use;
4144 imm_use_iterator imm_iter;
4145 FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var)
4146 {
4147 if (is_gimple_debug (use))
4148 continue;
4149
4150 int nargs;
4151 bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE);
4152 gcall *call;
4153 if (hwasan_sanitize_p ())
4154 {
4155 tree fun = builtin_decl_implicit (BUILT_IN_HWASAN_TAG_MISMATCH4);
4156 /* NOTE: hwasan has no __hwasan_report_* functions like asan does.
4157 We use __hwasan_tag_mismatch4 with arguments that tell it the
4158 size of access and load to report all tag mismatches.
4159
4160 The arguments to this function are:
4161 Address of invalid access.
4162 Bitfield containing information about the access
4163 (access_info)
4164 Pointer to a frame of registers
4165 (for use in printing the contents of registers in a dump)
4166 Not used yet -- to be used by inline instrumentation.
4167 Size of access.
4168
4169 The access_info bitfield encodes the following pieces of
4170 information:
4171 - Is this a store or load?
4172 access_info & 0x10 => store
4173 - Should the program continue after reporting the error?
4174 access_info & 0x20 => recover
4175 - What size access is this (not used here since we can always
4176 pass the size in the last argument)
4177
4178 if (access_info & 0xf == 0xf)
4179 size is taken from last argument.
4180 else
4181 size == 1 << (access_info & 0xf)
4182
4183 The last argument contains the size of the access iff the
4184 access_info size indicator is 0xf (we always use this argument
4185 rather than storing the size in the access_info bitfield).
4186
4187 See the function definition `__hwasan_tag_mismatch4` in
4188 libsanitizer/hwasan for the full definition.
4189 */
4190 unsigned access_info = (0x20 * recover_p)
4191 + (0x10 * store_p)
4192 + (0xf);
4193 call = gimple_build_call (fun, 4,
4194 build_fold_addr_expr (shadow_var),
4195 build_int_cst (pointer_sized_int_node,
4196 access_info),
4197 build_int_cst (pointer_sized_int_node, 0),
4198 size);
4199 }
4200 else
4201 {
4202 tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size),
4203 &nargs);
4204 call = gimple_build_call (fun, 1,
4205 build_fold_addr_expr (shadow_var));
4206 }
4207 gimple_set_location (call, gimple_location (use));
4208 gimple *call_to_insert = call;
4209
4210 /* The USE can be a gimple PHI node. If so, insert the call on
4211 all edges leading to the PHI node. */
4212 if (is_a <gphi *> (use))
4213 {
4214 gphi *phi = dyn_cast<gphi *> (use);
4215 for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i)
4216 if (gimple_phi_arg_def (phi, i) == poisoned_var)
4217 {
4218 edge e = gimple_phi_arg_edge (phi, i);
4219
4220 /* Do not insert on an edge we can't split. */
4221 if (e->flags & EDGE_ABNORMAL)
4222 continue;
4223
4224 if (call_to_insert == NULL)
4225 call_to_insert = gimple_copy (call);
4226
4227 gsi_insert_seq_on_edge (e, call_to_insert);
4228 *need_commit_edge_insert = true;
4229 call_to_insert = NULL;
4230 }
4231 }
4232 else
4233 {
4234 gimple_stmt_iterator gsi = gsi_for_stmt (use);
4235 if (store_p)
4236 gsi_replace (&gsi, call, true);
4237 else
4238 gsi_insert_before (&gsi, call, GSI_NEW_STMT);
4239 }
4240 }
4241
4242 SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true;
4243 SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop ();
4244 gsi_replace (iter, poison_call, false);
4245
4246 return true;
4247 }
4248
4249 /* Instrument the current function. */
4250
4251 static unsigned int
4252 asan_instrument (void)
4253 {
4254 if (hwasan_sanitize_p ())
4255 {
4256 transform_statements ();
4257 return 0;
4258 }
4259
4260 if (shadow_ptr_types[0] == NULL_TREE)
4261 asan_init_shadow_ptr_types ();
4262 transform_statements ();
4263 last_alloca_addr = NULL_TREE;
4264 return 0;
4265 }
4266
4267 static bool
4268 gate_asan (void)
4269 {
4270 return sanitize_flags_p (SANITIZE_ADDRESS);
4271 }
4272
4273 namespace {
4274
4275 const pass_data pass_data_asan =
4276 {
4277 GIMPLE_PASS, /* type */
4278 "asan", /* name */
4279 OPTGROUP_NONE, /* optinfo_flags */
4280 TV_NONE, /* tv_id */
4281 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
4282 0, /* properties_provided */
4283 0, /* properties_destroyed */
4284 0, /* todo_flags_start */
4285 TODO_update_ssa, /* todo_flags_finish */
4286 };
4287
4288 class pass_asan : public gimple_opt_pass
4289 {
4290 public:
4291 pass_asan (gcc::context *ctxt)
4292 : gimple_opt_pass (pass_data_asan, ctxt)
4293 {}
4294
4295 /* opt_pass methods: */
4296 opt_pass * clone () final override { return new pass_asan (m_ctxt); }
4297 bool gate (function *) final override
4298 {
4299 return gate_asan () || gate_hwasan ();
4300 }
4301 unsigned int execute (function *) final override
4302 {
4303 return asan_instrument ();
4304 }
4305
4306 }; // class pass_asan
4307
4308 } // anon namespace
4309
4310 gimple_opt_pass *
4311 make_pass_asan (gcc::context *ctxt)
4312 {
4313 return new pass_asan (ctxt);
4314 }
4315
4316 namespace {
4317
4318 const pass_data pass_data_asan_O0 =
4319 {
4320 GIMPLE_PASS, /* type */
4321 "asan0", /* name */
4322 OPTGROUP_NONE, /* optinfo_flags */
4323 TV_NONE, /* tv_id */
4324 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
4325 0, /* properties_provided */
4326 0, /* properties_destroyed */
4327 0, /* todo_flags_start */
4328 TODO_update_ssa, /* todo_flags_finish */
4329 };
4330
4331 class pass_asan_O0 : public gimple_opt_pass
4332 {
4333 public:
4334 pass_asan_O0 (gcc::context *ctxt)
4335 : gimple_opt_pass (pass_data_asan_O0, ctxt)
4336 {}
4337
4338 /* opt_pass methods: */
4339 bool gate (function *) final override
4340 {
4341 return !optimize && (gate_asan () || gate_hwasan ());
4342 }
4343 unsigned int execute (function *) final override
4344 {
4345 return asan_instrument ();
4346 }
4347
4348 }; // class pass_asan_O0
4349
4350 } // anon namespace
4351
4352 gimple_opt_pass *
4353 make_pass_asan_O0 (gcc::context *ctxt)
4354 {
4355 return new pass_asan_O0 (ctxt);
4356 }
4357
4358 /* HWASAN */
4359
4360 /* For stack tagging:
4361
4362 Return the offset from the frame base tag that the "next" expanded object
4363 should have. */
4364 uint8_t
4365 hwasan_current_frame_tag ()
4366 {
4367 return hwasan_frame_tag_offset;
4368 }
4369
4370 /* For stack tagging:
4371
4372 Return the 'base pointer' for this function. If that base pointer has not
4373 yet been created then we create a register to hold it and record the insns
4374 to initialize the register in `hwasan_frame_base_init_seq` for later
4375 emission. */
4376 rtx
4377 hwasan_frame_base ()
4378 {
4379 if (! hwasan_frame_base_ptr)
4380 {
4381 start_sequence ();
4382 hwasan_frame_base_ptr
4383 = force_reg (Pmode,
4384 targetm.memtag.insert_random_tag (virtual_stack_vars_rtx,
4385 NULL_RTX));
4386 hwasan_frame_base_init_seq = get_insns ();
4387 end_sequence ();
4388 }
4389
4390 return hwasan_frame_base_ptr;
4391 }
4392
4393 /* For stack tagging:
4394
4395 Check whether this RTX is a standard pointer addressing the base of the
4396 stack variables for this frame. Returns true if the RTX is either
4397 virtual_stack_vars_rtx or hwasan_frame_base_ptr. */
4398 bool
4399 stack_vars_base_reg_p (rtx base)
4400 {
4401 return base == virtual_stack_vars_rtx || base == hwasan_frame_base_ptr;
4402 }
4403
4404 /* For stack tagging:
4405
4406 Emit frame base initialisation.
4407 If hwasan_frame_base has been used before here then
4408 hwasan_frame_base_init_seq contains the sequence of instructions to
4409 initialize it. This must be put just before the hwasan prologue, so we emit
4410 the insns before parm_birth_insn (which will point to the first instruction
4411 of the hwasan prologue if it exists).
4412
4413 We update `parm_birth_insn` to point to the start of this initialisation
4414 since that represents the end of the initialisation done by
4415 expand_function_{start,end} functions and we want to maintain that. */
4416 void
4417 hwasan_maybe_emit_frame_base_init ()
4418 {
4419 if (! hwasan_frame_base_init_seq)
4420 return;
4421 emit_insn_before (hwasan_frame_base_init_seq, parm_birth_insn);
4422 parm_birth_insn = hwasan_frame_base_init_seq;
4423 }
4424
4425 /* Record a compile-time constant size stack variable that HWASAN will need to
4426 tag. This record of the range of a stack variable will be used by
4427 `hwasan_emit_prologue` to emit the RTL at the start of each frame which will
4428 set tags in the shadow memory according to the assigned tag for each object.
4429
4430 The range that the object spans in stack space should be described by the
4431 bounds `untagged_base + nearest_offset` and
4432 `untagged_base + farthest_offset`.
4433 `tagged_base` is the base address which contains the "base frame tag" for
4434 this frame, and from which the value to address this object with will be
4435 calculated.
4436
4437 We record the `untagged_base` since the functions in the hwasan library we
4438 use to tag memory take pointers without a tag. */
4439 void
4440 hwasan_record_stack_var (rtx untagged_base, rtx tagged_base,
4441 poly_int64 nearest_offset, poly_int64 farthest_offset)
4442 {
4443 hwasan_stack_var cur_var;
4444 cur_var.untagged_base = untagged_base;
4445 cur_var.tagged_base = tagged_base;
4446 cur_var.nearest_offset = nearest_offset;
4447 cur_var.farthest_offset = farthest_offset;
4448 cur_var.tag_offset = hwasan_current_frame_tag ();
4449
4450 hwasan_tagged_stack_vars.safe_push (cur_var);
4451 }
4452
4453 /* Return the RTX representing the farthest extent of the statically allocated
4454 stack objects for this frame. If hwasan_frame_base_ptr has not been
4455 initialized then we are not storing any static variables on the stack in
4456 this frame. In this case we return NULL_RTX to represent that.
4457
4458 Otherwise simply return virtual_stack_vars_rtx + frame_offset. */
4459 rtx
4460 hwasan_get_frame_extent ()
4461 {
4462 return (hwasan_frame_base_ptr
4463 ? plus_constant (Pmode, virtual_stack_vars_rtx, frame_offset)
4464 : NULL_RTX);
4465 }
4466
4467 /* For stack tagging:
4468
4469 Increment the frame tag offset modulo the size a tag can represent. */
4470 void
4471 hwasan_increment_frame_tag ()
4472 {
4473 uint8_t tag_bits = HWASAN_TAG_SIZE;
4474 gcc_assert (HWASAN_TAG_SIZE
4475 <= sizeof (hwasan_frame_tag_offset) * CHAR_BIT);
4476 hwasan_frame_tag_offset = (hwasan_frame_tag_offset + 1) % (1 << tag_bits);
4477 /* The "background tag" of the stack is zero by definition.
4478 This is the tag that objects like parameters passed on the stack and
4479 spilled registers are given. It is handy to avoid this tag for objects
4480 whose tags we decide ourselves, partly to ensure that buffer overruns
4481 can't affect these important variables (e.g. saved link register, saved
4482 stack pointer etc) and partly to make debugging easier (everything with a
4483 tag of zero is space allocated automatically by the compiler).
4484
4485 This is not feasible when using random frame tags (the default
4486 configuration for hwasan) since the tag for the given frame is randomly
4487 chosen at runtime. In order to avoid any tags matching the stack
4488 background we would need to decide tag offsets at runtime instead of
4489 compile time (and pay the resulting performance cost).
4490
4491 When not using random base tags for each frame (i.e. when compiled with
4492 `--param hwasan-random-frame-tag=0`) the base tag for each frame is zero.
4493 This means the tag that each object gets is equal to the
4494 hwasan_frame_tag_offset used in determining it.
4495 When this is the case we *can* ensure no object gets the tag of zero by
4496 simply ensuring no object has the hwasan_frame_tag_offset of zero.
4497
4498 There is the extra complication that we only record the
4499 hwasan_frame_tag_offset here (which is the offset from the tag stored in
4500 the stack pointer). In the kernel, the tag in the stack pointer is 0xff
4501 rather than zero. This does not cause problems since tags of 0xff are
4502 never checked in the kernel. As mentioned at the beginning of this
4503 comment the background tag of the stack is zero by definition, which means
4504 that for the kernel we should skip offsets of both 0 and 1 from the stack
4505 pointer. Avoiding the offset of 0 ensures we use a tag which will be
4506 checked, avoiding the offset of 1 ensures we use a tag that is not the
4507 same as the background. */
4508 if (hwasan_frame_tag_offset == 0 && ! param_hwasan_random_frame_tag)
4509 hwasan_frame_tag_offset += 1;
4510 if (hwasan_frame_tag_offset == 1 && ! param_hwasan_random_frame_tag
4511 && sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS))
4512 hwasan_frame_tag_offset += 1;
4513 }
4514
4515 /* Clear internal state for the next function.
4516 This function is called before variables on the stack get expanded, in
4517 `init_vars_expansion`. */
4518 void
4519 hwasan_record_frame_init ()
4520 {
4521 delete asan_used_labels;
4522 asan_used_labels = NULL;
4523
4524 /* If this isn't the case then some stack variable was recorded *before*
4525 hwasan_record_frame_init is called, yet *after* the hwasan prologue for
4526 the previous frame was emitted. Such stack variables would not have
4527 their shadow stack filled in. */
4528 gcc_assert (hwasan_tagged_stack_vars.is_empty ());
4529 hwasan_frame_base_ptr = NULL_RTX;
4530 hwasan_frame_base_init_seq = NULL;
4531
4532 /* When not using a random frame tag we can avoid the background stack
4533 color which gives the user a little better debug output upon a crash.
4534 Meanwhile, when using a random frame tag it will be nice to avoid adding
4535 tags for the first object since that is unnecessary extra work.
4536 Hence set the initial hwasan_frame_tag_offset to be 0 if using a random
4537 frame tag and 1 otherwise.
4538
4539 As described in hwasan_increment_frame_tag, in the kernel the stack
4540 pointer has the tag 0xff. That means that to avoid 0xff and 0 (the tag
4541 which the kernel does not check and the background tag respectively) we
4542 start with a tag offset of 2. */
4543 hwasan_frame_tag_offset = param_hwasan_random_frame_tag
4544 ? 0
4545 : sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS) ? 2 : 1;
4546 }
4547
4548 /* For stack tagging:
4549 (Emits HWASAN equivalent of what is emitted by
4550 `asan_emit_stack_protection`).
4551
4552 Emits the extra prologue code to set the shadow stack as required for HWASAN
4553 stack instrumentation.
4554
4555 Uses the vector of recorded stack variables hwasan_tagged_stack_vars. When
4556 this function has completed hwasan_tagged_stack_vars is empty and all
4557 objects it had pointed to are deallocated. */
4558 void
4559 hwasan_emit_prologue ()
4560 {
4561 /* We need untagged base pointers since libhwasan only accepts untagged
4562 pointers in __hwasan_tag_memory. We need the tagged base pointer to obtain
4563 the base tag for an offset. */
4564
4565 if (hwasan_tagged_stack_vars.is_empty ())
4566 return;
4567
4568 poly_int64 bot = 0, top = 0;
4569 for (hwasan_stack_var &cur : hwasan_tagged_stack_vars)
4570 {
4571 poly_int64 nearest = cur.nearest_offset;
4572 poly_int64 farthest = cur.farthest_offset;
4573
4574 if (known_ge (nearest, farthest))
4575 {
4576 top = nearest;
4577 bot = farthest;
4578 }
4579 else
4580 {
4581 /* Given how these values are calculated, one must be known greater
4582 than the other. */
4583 gcc_assert (known_le (nearest, farthest));
4584 top = farthest;
4585 bot = nearest;
4586 }
4587 poly_int64 size = (top - bot);
4588
4589 /* Assert the edge of each variable is aligned to the HWASAN tag granule
4590 size. */
4591 gcc_assert (multiple_p (top, HWASAN_TAG_GRANULE_SIZE));
4592 gcc_assert (multiple_p (bot, HWASAN_TAG_GRANULE_SIZE));
4593 gcc_assert (multiple_p (size, HWASAN_TAG_GRANULE_SIZE));
4594
4595 rtx fn = init_one_libfunc ("__hwasan_tag_memory");
4596 rtx base_tag = targetm.memtag.extract_tag (cur.tagged_base, NULL_RTX);
4597 rtx tag = plus_constant (QImode, base_tag, cur.tag_offset);
4598 tag = hwasan_truncate_to_tag_size (tag, NULL_RTX);
4599
4600 rtx bottom = convert_memory_address (ptr_mode,
4601 plus_constant (Pmode,
4602 cur.untagged_base,
4603 bot));
4604 emit_library_call (fn, LCT_NORMAL, VOIDmode,
4605 bottom, ptr_mode,
4606 tag, QImode,
4607 gen_int_mode (size, ptr_mode), ptr_mode);
4608 }
4609 /* Clear the stack vars, we've emitted the prologue for them all now. */
4610 hwasan_tagged_stack_vars.truncate (0);
4611 }
4612
4613 /* For stack tagging:
4614
4615 Return RTL insns to clear the tags between DYNAMIC and VARS pointers
4616 into the stack. These instructions should be emitted at the end of
4617 every function.
4618
4619 If `dynamic` is NULL_RTX then no insns are returned. */
4620 rtx_insn *
4621 hwasan_emit_untag_frame (rtx dynamic, rtx vars)
4622 {
4623 if (! dynamic)
4624 return NULL;
4625
4626 start_sequence ();
4627
4628 dynamic = convert_memory_address (ptr_mode, dynamic);
4629 vars = convert_memory_address (ptr_mode, vars);
4630
4631 rtx top_rtx;
4632 rtx bot_rtx;
4633 if (FRAME_GROWS_DOWNWARD)
4634 {
4635 top_rtx = vars;
4636 bot_rtx = dynamic;
4637 }
4638 else
4639 {
4640 top_rtx = dynamic;
4641 bot_rtx = vars;
4642 }
4643
4644 rtx size_rtx = expand_simple_binop (ptr_mode, MINUS, top_rtx, bot_rtx,
4645 NULL_RTX, /* unsignedp = */0,
4646 OPTAB_DIRECT);
4647
4648 rtx fn = init_one_libfunc ("__hwasan_tag_memory");
4649 emit_library_call (fn, LCT_NORMAL, VOIDmode,
4650 bot_rtx, ptr_mode,
4651 HWASAN_STACK_BACKGROUND, QImode,
4652 size_rtx, ptr_mode);
4653
4654 do_pending_stack_adjust ();
4655 rtx_insn *insns = get_insns ();
4656 end_sequence ();
4657 return insns;
4658 }
4659
4660 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
4661 invoke ggc_collect. */
4662 static GTY(()) tree hwasan_ctor_statements;
4663
4664 /* Insert module initialization into this TU. This initialization calls the
4665 initialization code for libhwasan. */
4666 void
4667 hwasan_finish_file (void)
4668 {
4669 /* Do not emit constructor initialization for the kernel.
4670 (the kernel has its own initialization already). */
4671 if (flag_sanitize & SANITIZE_KERNEL_HWADDRESS)
4672 return;
4673
4674 /* Avoid instrumenting code in the hwasan constructors/destructors. */
4675 flag_sanitize &= ~SANITIZE_HWADDRESS;
4676 int priority = MAX_RESERVED_INIT_PRIORITY - 1;
4677 tree fn = builtin_decl_implicit (BUILT_IN_HWASAN_INIT);
4678 append_to_statement_list (build_call_expr (fn, 0), &hwasan_ctor_statements);
4679 cgraph_build_static_cdtor ('I', hwasan_ctor_statements, priority);
4680 flag_sanitize |= SANITIZE_HWADDRESS;
4681 }
4682
4683 /* For stack tagging:
4684
4685 Truncate `tag` to the number of bits that a tag uses (i.e. to
4686 HWASAN_TAG_SIZE). Store the result in `target` if it's convenient. */
4687 rtx
4688 hwasan_truncate_to_tag_size (rtx tag, rtx target)
4689 {
4690 gcc_assert (GET_MODE (tag) == QImode);
4691 if (HWASAN_TAG_SIZE != GET_MODE_PRECISION (QImode))
4692 {
4693 gcc_assert (GET_MODE_PRECISION (QImode) > HWASAN_TAG_SIZE);
4694 rtx mask = gen_int_mode ((HOST_WIDE_INT_1U << HWASAN_TAG_SIZE) - 1,
4695 QImode);
4696 tag = expand_simple_binop (QImode, AND, tag, mask, target,
4697 /* unsignedp = */1, OPTAB_WIDEN);
4698 gcc_assert (tag);
4699 }
4700 return tag;
4701 }
4702
4703 /* Construct a function tree for __hwasan_{load,store}{1,2,4,8,16,_n}.
4704 IS_STORE is either 1 (for a store) or 0 (for a load). */
4705 static combined_fn
4706 hwasan_check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
4707 int *nargs)
4708 {
4709 static enum built_in_function check[2][2][6]
4710 = { { { BUILT_IN_HWASAN_LOAD1, BUILT_IN_HWASAN_LOAD2,
4711 BUILT_IN_HWASAN_LOAD4, BUILT_IN_HWASAN_LOAD8,
4712 BUILT_IN_HWASAN_LOAD16, BUILT_IN_HWASAN_LOADN },
4713 { BUILT_IN_HWASAN_STORE1, BUILT_IN_HWASAN_STORE2,
4714 BUILT_IN_HWASAN_STORE4, BUILT_IN_HWASAN_STORE8,
4715 BUILT_IN_HWASAN_STORE16, BUILT_IN_HWASAN_STOREN } },
4716 { { BUILT_IN_HWASAN_LOAD1_NOABORT,
4717 BUILT_IN_HWASAN_LOAD2_NOABORT,
4718 BUILT_IN_HWASAN_LOAD4_NOABORT,
4719 BUILT_IN_HWASAN_LOAD8_NOABORT,
4720 BUILT_IN_HWASAN_LOAD16_NOABORT,
4721 BUILT_IN_HWASAN_LOADN_NOABORT },
4722 { BUILT_IN_HWASAN_STORE1_NOABORT,
4723 BUILT_IN_HWASAN_STORE2_NOABORT,
4724 BUILT_IN_HWASAN_STORE4_NOABORT,
4725 BUILT_IN_HWASAN_STORE8_NOABORT,
4726 BUILT_IN_HWASAN_STORE16_NOABORT,
4727 BUILT_IN_HWASAN_STOREN_NOABORT } } };
4728 if (size_in_bytes == -1)
4729 {
4730 *nargs = 2;
4731 return as_combined_fn (check[recover_p][is_store][5]);
4732 }
4733 *nargs = 1;
4734 int size_log2 = exact_log2 (size_in_bytes);
4735 gcc_assert (size_log2 >= 0 && size_log2 <= 5);
4736 return as_combined_fn (check[recover_p][is_store][size_log2]);
4737 }
4738
4739 /* Expand the HWASAN_{LOAD,STORE} builtins. */
4740 bool
4741 hwasan_expand_check_ifn (gimple_stmt_iterator *iter, bool)
4742 {
4743 gimple *g = gsi_stmt (*iter);
4744 location_t loc = gimple_location (g);
4745 bool recover_p;
4746 if (flag_sanitize & SANITIZE_USER_HWADDRESS)
4747 recover_p = (flag_sanitize_recover & SANITIZE_USER_HWADDRESS) != 0;
4748 else
4749 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_HWADDRESS) != 0;
4750
4751 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
4752 gcc_assert (flags < ASAN_CHECK_LAST);
4753 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
4754 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
4755 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
4756
4757 tree base = gimple_call_arg (g, 1);
4758 tree len = gimple_call_arg (g, 2);
4759
4760 /* `align` is unused for HWASAN_CHECK, but we pass the argument anyway
4761 since that way the arguments match ASAN_CHECK. */
4762 /* HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3)); */
4763
4764 unsigned HOST_WIDE_INT size_in_bytes
4765 = is_scalar_access ? tree_to_shwi (len) : -1;
4766
4767 gimple_stmt_iterator gsi = *iter;
4768
4769 if (!is_non_zero_len)
4770 {
4771 /* So, the length of the memory area to hwasan-protect is
4772 non-constant. Let's guard the generated instrumentation code
4773 like:
4774
4775 if (len != 0)
4776 {
4777 // hwasan instrumentation code goes here.
4778 }
4779 // falltrough instructions, starting with *ITER. */
4780
4781 g = gimple_build_cond (NE_EXPR,
4782 len,
4783 build_int_cst (TREE_TYPE (len), 0),
4784 NULL_TREE, NULL_TREE);
4785 gimple_set_location (g, loc);
4786
4787 basic_block then_bb, fallthrough_bb;
4788 insert_if_then_before_iter (as_a <gcond *> (g), iter,
4789 /*then_more_likely_p=*/true,
4790 &then_bb, &fallthrough_bb);
4791 /* Note that fallthrough_bb starts with the statement that was
4792 pointed to by ITER. */
4793
4794 /* The 'then block' of the 'if (len != 0) condition is where
4795 we'll generate the hwasan instrumentation code now. */
4796 gsi = gsi_last_bb (then_bb);
4797 }
4798
4799 gimple_seq stmts = NULL;
4800 tree base_addr = gimple_build (&stmts, loc, NOP_EXPR,
4801 pointer_sized_int_node, base);
4802
4803 int nargs = 0;
4804 combined_fn fn
4805 = hwasan_check_func (is_store, recover_p, size_in_bytes, &nargs);
4806 if (nargs == 1)
4807 gimple_build (&stmts, loc, fn, void_type_node, base_addr);
4808 else
4809 {
4810 gcc_assert (nargs == 2);
4811 tree sz_arg = gimple_build (&stmts, loc, NOP_EXPR,
4812 pointer_sized_int_node, len);
4813 gimple_build (&stmts, loc, fn, void_type_node, base_addr, sz_arg);
4814 }
4815
4816 gsi_insert_seq_after (&gsi, stmts, GSI_NEW_STMT);
4817 gsi_remove (iter, true);
4818 *iter = gsi;
4819 return false;
4820 }
4821
4822 /* For stack tagging:
4823
4824 Dummy: the HWASAN_MARK internal function should only ever be in the code
4825 after the sanopt pass. */
4826 bool
4827 hwasan_expand_mark_ifn (gimple_stmt_iterator *)
4828 {
4829 gcc_unreachable ();
4830 }
4831
4832 bool
4833 gate_hwasan ()
4834 {
4835 return hwasan_sanitize_p ();
4836 }
4837
4838 #include "gt-asan.h"
Mirror of https://gcc.gnu.org/git/gcc.git