1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2024 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
24 #include "coretypes.h"
31 #include "alloc-pool.h"
32 #include "tree-pass.h"
36 #include "stringpool.h"
37 #include "tree-ssanames.h"
41 #include "gimple-pretty-print.h"
43 #include "fold-const.h"
46 #include "gimple-iterator.h"
48 #include "stor-layout.h"
49 #include "tree-iterator.h"
50 #include "stringpool.h"
57 #include "langhooks.h"
59 #include "gimple-builder.h"
60 #include "gimple-fold.h"
64 #include "tree-inline.h"
67 #include "diagnostic-core.h"
69 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
70 with <2x slowdown on average.
72 The tool consists of two parts:
73 instrumentation module (this file) and a run-time library.
74 The instrumentation module adds a run-time check before every memory insn.
75 For a 8- or 16- byte load accessing address X:
76 ShadowAddr = (X >> 3) + Offset
77 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
79 __asan_report_load8(X);
80 For a load of N bytes (N=1, 2 or 4) from address X:
81 ShadowAddr = (X >> 3) + Offset
82 ShadowValue = *(char*)ShadowAddr;
84 if ((X & 7) + N - 1 > ShadowValue)
85 __asan_report_loadN(X);
86 Stores are instrumented similarly, but using __asan_report_storeN functions.
87 A call too __asan_init_vN() is inserted to the list of module CTORs.
88 N is the version number of the AddressSanitizer API. The changes between the
89 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
91 The run-time library redefines malloc (so that redzone are inserted around
92 the allocated memory) and free (so that reuse of free-ed memory is delayed),
93 provides __asan_report* and __asan_init_vN functions.
96 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
98 The current implementation supports detection of out-of-bounds and
99 use-after-free in the heap, on the stack and for global variables.
101 [Protection of stack variables]
103 To understand how detection of out-of-bounds and use-after-free works
104 for stack variables, lets look at this example on x86_64 where the
105 stack grows downward:
119 For this function, the stack protected by asan will be organized as
120 follows, from the top of the stack to the bottom:
122 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
124 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
125 the next slot be 32 bytes aligned; this one is called Partial
126 Redzone; this 32 bytes alignment is an asan constraint]
128 Slot 3/ [24 bytes for variable 'a']
130 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
132 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
134 Slot 6/ [8 bytes for variable 'b']
136 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
139 The 32 bytes of LEFT red zone at the bottom of the stack can be
142 1/ The first 8 bytes contain a magical asan number that is always
145 2/ The following 8 bytes contains a pointer to a string (to be
146 parsed at runtime by the runtime asan library), which format is
149 "<function-name> <space> <num-of-variables-on-the-stack>
150 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
151 <length-of-var-in-bytes> ){n} "
153 where '(...){n}' means the content inside the parenthesis occurs 'n'
154 times, with 'n' being the number of variables on the stack.
156 3/ The following 8 bytes contain the PC of the current function which
157 will be used by the run-time library to print an error message.
159 4/ The following 8 bytes are reserved for internal use by the run-time.
161 The shadow memory for that stack layout is going to look like this:
163 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
164 The F1 byte pattern is a magic number called
165 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
166 the memory for that shadow byte is part of a the LEFT red zone
167 intended to seat at the bottom of the variables on the stack.
169 - content of shadow memory 8 bytes for slots 6 and 5:
170 0xF4F4F400. The F4 byte pattern is a magic number
171 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
172 memory region for this shadow byte is a PARTIAL red zone
173 intended to pad a variable A, so that the slot following
174 {A,padding} is 32 bytes aligned.
176 Note that the fact that the least significant byte of this
177 shadow memory content is 00 means that 8 bytes of its
178 corresponding memory (which corresponds to the memory of
179 variable 'b') is addressable.
181 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
182 The F2 byte pattern is a magic number called
183 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
184 region for this shadow byte is a MIDDLE red zone intended to
185 seat between two 32 aligned slots of {variable,padding}.
187 - content of shadow memory 8 bytes for slot 3 and 2:
188 0xF4000000. This represents is the concatenation of
189 variable 'a' and the partial red zone following it, like what we
190 had for variable 'b'. The least significant 3 bytes being 00
191 means that the 3 bytes of variable 'a' are addressable.
193 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
194 The F3 byte pattern is a magic number called
195 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
196 region for this shadow byte is a RIGHT red zone intended to seat
197 at the top of the variables of the stack.
199 Note that the real variable layout is done in expand_used_vars in
200 cfgexpand.cc. As far as Address Sanitizer is concerned, it lays out
201 stack variables as well as the different red zones, emits some
202 prologue code to populate the shadow memory as to poison (mark as
203 non-accessible) the regions of the red zones and mark the regions of
204 stack variables as accessible, and emit some epilogue code to
205 un-poison (mark as accessible) the regions of red zones right before
208 [Protection of global variables]
210 The basic idea is to insert a red zone between two global variables
211 and install a constructor function that calls the asan runtime to do
212 the populating of the relevant shadow memory regions at load time.
214 So the global variables are laid out as to insert a red zone between
215 them. The size of the red zones is so that each variable starts on a
218 Then a constructor function is installed so that, for each global
219 variable, it calls the runtime asan library function
220 __asan_register_globals_with an instance of this type:
224 // Address of the beginning of the global variable.
227 // Initial size of the global variable.
230 // Size of the global variable + size of the red zone. This
231 // size is 32 bytes aligned.
232 uptr __size_with_redzone;
234 // Name of the global variable.
237 // Name of the module where the global variable is declared.
238 const void *__module_name;
240 // 1 if it has dynamic initialization, 0 otherwise.
241 uptr __has_dynamic_init;
243 // A pointer to struct that contains source location, could be NULL.
244 __asan_global_source_location *__location;
247 A destructor function that calls the runtime asan library function
248 _asan_unregister_globals is also installed. */
250 static unsigned HOST_WIDE_INT asan_shadow_offset_value
;
251 static bool asan_shadow_offset_computed
;
252 static vec
<char *> sanitized_sections
;
253 static tree last_alloca_addr
;
255 /* Set of variable declarations that are going to be guarded by
256 use-after-scope sanitizer. */
258 hash_set
<tree
> *asan_handled_variables
= NULL
;
260 hash_set
<tree
> *asan_used_labels
= NULL
;
262 /* Global variables for HWASAN stack tagging. */
263 /* hwasan_frame_tag_offset records the offset from the frame base tag that the
264 next object should have. */
265 static uint8_t hwasan_frame_tag_offset
= 0;
266 /* hwasan_frame_base_ptr is a pointer with the same address as
267 `virtual_stack_vars_rtx` for the current frame, and with the frame base tag
268 stored in it. N.b. this global RTX does not need to be marked GTY, but is
269 done so anyway. The need is not there since all uses are in just one pass
270 (cfgexpand) and there are no calls to ggc_collect between the uses. We mark
271 it GTY(()) anyway to allow the use of the variable later on if needed by
273 static GTY(()) rtx hwasan_frame_base_ptr
= NULL_RTX
;
274 /* hwasan_frame_base_init_seq is the sequence of RTL insns that will initialize
275 the hwasan_frame_base_ptr. When the hwasan_frame_base_ptr is requested, we
276 generate this sequence but do not emit it. If the sequence was created it
277 is emitted once the function body has been expanded.
279 This delay is because the frame base pointer may be needed anywhere in the
280 function body, or needed by the expand_used_vars function. Emitting once in
281 a known place is simpler than requiring the emission of the instructions to
282 be know where it should go depending on the first place the hwasan frame
284 static GTY(()) rtx_insn
*hwasan_frame_base_init_seq
= NULL
;
286 /* Structure defining the extent of one object on the stack that HWASAN needs
287 to tag in the corresponding shadow stack space.
289 The range this object spans on the stack is between `untagged_base +
290 nearest_offset` and `untagged_base + farthest_offset`.
291 `tagged_base` is an rtx containing the same value as `untagged_base` but
292 with a random tag stored in the top byte. We record both `untagged_base`
293 and `tagged_base` so that `hwasan_emit_prologue` can use both without having
294 to emit RTL into the instruction stream to re-calculate one from the other.
295 (`hwasan_emit_prologue` needs to use both bases since the
296 __hwasan_tag_memory call it emits uses an untagged value, and it calculates
297 the tag to store in shadow memory based on the tag_offset plus the tag in
299 struct hwasan_stack_var
303 poly_int64 nearest_offset
;
304 poly_int64 farthest_offset
;
308 /* Variable recording all stack variables that HWASAN needs to tag.
309 Does not need to be marked as GTY(()) since every use is in the cfgexpand
310 pass and gcc_collect is not called in the middle of that pass. */
311 static vec
<hwasan_stack_var
> hwasan_tagged_stack_vars
;
314 /* Sets shadow offset to value in string VAL. */
317 set_asan_shadow_offset (const char *val
)
322 #ifdef HAVE_LONG_LONG
323 asan_shadow_offset_value
= strtoull (val
, &endp
, 0);
325 asan_shadow_offset_value
= strtoul (val
, &endp
, 0);
327 if (!(*val
!= '\0' && *endp
== '\0' && errno
== 0))
330 asan_shadow_offset_computed
= true;
335 /* Set list of user-defined sections that need to be sanitized. */
338 set_sanitized_sections (const char *sections
)
342 FOR_EACH_VEC_ELT (sanitized_sections
, i
, pat
)
344 sanitized_sections
.truncate (0);
346 for (const char *s
= sections
; *s
; )
349 for (end
= s
; *end
&& *end
!= ','; ++end
);
350 size_t len
= end
- s
;
351 sanitized_sections
.safe_push (xstrndup (s
, len
));
352 s
= *end
? end
+ 1 : end
;
357 asan_mark_p (gimple
*stmt
, enum asan_mark_flags flag
)
359 return (gimple_call_internal_p (stmt
, IFN_ASAN_MARK
)
360 && tree_to_uhwi (gimple_call_arg (stmt
, 0)) == flag
);
364 asan_sanitize_stack_p (void)
366 return (sanitize_flags_p (SANITIZE_ADDRESS
) && param_asan_stack
);
370 asan_sanitize_allocas_p (void)
372 return (asan_sanitize_stack_p () && param_asan_protect_allocas
);
376 asan_instrument_reads (void)
378 return (sanitize_flags_p (SANITIZE_ADDRESS
) && param_asan_instrument_reads
);
382 asan_instrument_writes (void)
384 return (sanitize_flags_p (SANITIZE_ADDRESS
) && param_asan_instrument_writes
);
388 asan_memintrin (void)
390 return (sanitize_flags_p (SANITIZE_ADDRESS
) && param_asan_memintrin
);
394 /* Support for --param asan-kernel-mem-intrinsic-prefix=1. */
395 static GTY(()) rtx asan_memfn_rtls
[3];
398 asan_memfn_rtl (tree fndecl
)
402 char buf
[sizeof ("__hwasan_memmove")];
404 switch (DECL_FUNCTION_CODE (fndecl
))
406 case BUILT_IN_MEMCPY
: i
= 0; f
= "memcpy"; break;
407 case BUILT_IN_MEMSET
: i
= 1; f
= "memset"; break;
408 case BUILT_IN_MEMMOVE
: i
= 2; f
= "memmove"; break;
409 default: gcc_unreachable ();
411 if (asan_memfn_rtls
[i
] == NULL_RTX
)
413 tree save_name
= DECL_NAME (fndecl
);
414 tree save_assembler_name
= DECL_ASSEMBLER_NAME (fndecl
);
415 rtx save_rtl
= DECL_RTL (fndecl
);
416 if (flag_sanitize
& SANITIZE_KERNEL_HWADDRESS
)
422 DECL_NAME (fndecl
) = get_identifier (buf
);
423 DECL_ASSEMBLER_NAME_RAW (fndecl
) = NULL_TREE
;
424 SET_DECL_RTL (fndecl
, NULL_RTX
);
425 asan_memfn_rtls
[i
] = DECL_RTL (fndecl
);
426 DECL_NAME (fndecl
) = save_name
;
427 DECL_ASSEMBLER_NAME_RAW (fndecl
) = save_assembler_name
;
428 SET_DECL_RTL (fndecl
, save_rtl
);
430 return asan_memfn_rtls
[i
];
434 /* Checks whether section SEC should be sanitized. */
437 section_sanitized_p (const char *sec
)
441 FOR_EACH_VEC_ELT (sanitized_sections
, i
, pat
)
442 if (fnmatch (pat
, sec
, FNM_PERIOD
) == 0)
447 /* Returns Asan shadow offset. */
449 static unsigned HOST_WIDE_INT
450 asan_shadow_offset ()
452 if (!asan_shadow_offset_computed
)
454 asan_shadow_offset_computed
= true;
455 asan_shadow_offset_value
= targetm
.asan_shadow_offset ();
457 return asan_shadow_offset_value
;
460 /* Returns Asan shadow offset has been set. */
462 asan_shadow_offset_set_p ()
464 return asan_shadow_offset_computed
;
467 alias_set_type asan_shadow_set
= -1;
469 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
470 alias set is used for all shadow memory accesses. */
471 static GTY(()) tree shadow_ptr_types
[3];
473 /* Decl for __asan_option_detect_stack_use_after_return. */
474 static GTY(()) tree asan_detect_stack_use_after_return
;
476 /* Hashtable support for memory references used by gimple
479 /* This type represents a reference to a memory region. */
482 /* The expression of the beginning of the memory region. */
485 /* The size of the access. */
486 HOST_WIDE_INT access_size
;
489 object_allocator
<asan_mem_ref
> asan_mem_ref_pool ("asan_mem_ref");
491 /* Initializes an instance of asan_mem_ref. */
494 asan_mem_ref_init (asan_mem_ref
*ref
, tree start
, HOST_WIDE_INT access_size
)
497 ref
->access_size
= access_size
;
500 /* Allocates memory for an instance of asan_mem_ref into the memory
501 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
502 START is the address of (or the expression pointing to) the
503 beginning of memory reference. ACCESS_SIZE is the size of the
504 access to the referenced memory. */
507 asan_mem_ref_new (tree start
, HOST_WIDE_INT access_size
)
509 asan_mem_ref
*ref
= asan_mem_ref_pool
.allocate ();
511 asan_mem_ref_init (ref
, start
, access_size
);
515 /* This builds and returns a pointer to the end of the memory region
516 that starts at START and of length LEN. */
519 asan_mem_ref_get_end (tree start
, tree len
)
521 if (len
== NULL_TREE
|| integer_zerop (len
))
524 if (!ptrofftype_p (len
))
525 len
= convert_to_ptrofftype (len
);
527 return fold_build2 (POINTER_PLUS_EXPR
, TREE_TYPE (start
), start
, len
);
530 /* Return a tree expression that represents the end of the referenced
531 memory region. Beware that this function can actually build a new
535 asan_mem_ref_get_end (const asan_mem_ref
*ref
, tree len
)
537 return asan_mem_ref_get_end (ref
->start
, len
);
540 struct asan_mem_ref_hasher
: nofree_ptr_hash
<asan_mem_ref
>
542 static inline hashval_t
hash (const asan_mem_ref
*);
543 static inline bool equal (const asan_mem_ref
*, const asan_mem_ref
*);
546 /* Hash a memory reference. */
549 asan_mem_ref_hasher::hash (const asan_mem_ref
*mem_ref
)
551 return iterative_hash_expr (mem_ref
->start
, 0);
554 /* Compare two memory references. We accept the length of either
555 memory references to be NULL_TREE. */
558 asan_mem_ref_hasher::equal (const asan_mem_ref
*m1
,
559 const asan_mem_ref
*m2
)
561 return operand_equal_p (m1
->start
, m2
->start
, 0);
564 static hash_table
<asan_mem_ref_hasher
> *asan_mem_ref_ht
;
566 /* Returns a reference to the hash table containing memory references.
567 This function ensures that the hash table is created. Note that
568 this hash table is updated by the function
569 update_mem_ref_hash_table. */
571 static hash_table
<asan_mem_ref_hasher
> *
572 get_mem_ref_hash_table ()
574 if (!asan_mem_ref_ht
)
575 asan_mem_ref_ht
= new hash_table
<asan_mem_ref_hasher
> (10);
577 return asan_mem_ref_ht
;
580 /* Clear all entries from the memory references hash table. */
583 empty_mem_ref_hash_table ()
586 asan_mem_ref_ht
->empty ();
589 /* Free the memory references hash table. */
592 free_mem_ref_resources ()
594 delete asan_mem_ref_ht
;
595 asan_mem_ref_ht
= NULL
;
597 asan_mem_ref_pool
.release ();
600 /* Return true iff the memory reference REF has been instrumented. */
603 has_mem_ref_been_instrumented (tree ref
, HOST_WIDE_INT access_size
)
606 asan_mem_ref_init (&r
, ref
, access_size
);
608 asan_mem_ref
*saved_ref
= get_mem_ref_hash_table ()->find (&r
);
609 return saved_ref
&& saved_ref
->access_size
>= access_size
;
612 /* Return true iff the memory reference REF has been instrumented. */
615 has_mem_ref_been_instrumented (const asan_mem_ref
*ref
)
617 return has_mem_ref_been_instrumented (ref
->start
, ref
->access_size
);
620 /* Return true iff access to memory region starting at REF and of
621 length LEN has been instrumented. */
624 has_mem_ref_been_instrumented (const asan_mem_ref
*ref
, tree len
)
626 HOST_WIDE_INT size_in_bytes
627 = tree_fits_shwi_p (len
) ? tree_to_shwi (len
) : -1;
629 return size_in_bytes
!= -1
630 && has_mem_ref_been_instrumented (ref
->start
, size_in_bytes
);
633 /* Set REF to the memory reference present in a gimple assignment
634 ASSIGNMENT. Return true upon successful completion, false
638 get_mem_ref_of_assignment (const gassign
*assignment
,
642 gcc_assert (gimple_assign_single_p (assignment
));
644 if (gimple_store_p (assignment
)
645 && !gimple_clobber_p (assignment
))
647 ref
->start
= gimple_assign_lhs (assignment
);
648 *ref_is_store
= true;
650 else if (gimple_assign_load_p (assignment
))
652 ref
->start
= gimple_assign_rhs1 (assignment
);
653 *ref_is_store
= false;
658 ref
->access_size
= int_size_in_bytes (TREE_TYPE (ref
->start
));
662 /* Return address of last allocated dynamic alloca. */
665 get_last_alloca_addr ()
667 if (last_alloca_addr
)
668 return last_alloca_addr
;
670 last_alloca_addr
= create_tmp_reg (ptr_type_node
, "last_alloca_addr");
671 gassign
*g
= gimple_build_assign (last_alloca_addr
, null_pointer_node
);
672 edge e
= single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun
));
673 gsi_insert_on_edge_immediate (e
, g
);
674 return last_alloca_addr
;
677 /* Insert __asan_allocas_unpoison (top, bottom) call before
678 __builtin_stack_restore (new_sp) call.
679 The pseudocode of this routine should look like this:
680 top = last_alloca_addr;
682 __asan_allocas_unpoison (top, bot);
683 last_alloca_addr = new_sp;
684 __builtin_stack_restore (new_sp);
685 In general, we can't use new_sp as bot parameter because on some
686 architectures SP has non zero offset from dynamic stack area. Moreover, on
687 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each
688 particular function only after all callees were expanded to rtl.
689 The most noticeable example is PowerPC{,64}, see
690 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
691 To overcome the issue we use following trick: pass new_sp as a second
692 parameter to __asan_allocas_unpoison and rewrite it during expansion with
693 new_sp + (virtual_dynamic_stack_rtx - sp) later in
694 expand_asan_emit_allocas_unpoison function.
696 HWASAN needs to do very similar, the eventual pseudocode should be:
697 __hwasan_tag_memory (virtual_stack_dynamic_rtx,
700 __builtin_stack_restore (new_sp)
702 Need to use the same trick to handle STACK_DYNAMIC_OFFSET as described
706 handle_builtin_stack_restore (gcall
*call
, gimple_stmt_iterator
*iter
)
709 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ()))
712 tree restored_stack
= gimple_call_arg (call
, 0);
716 if (hwasan_sanitize_allocas_p ())
718 enum internal_fn fn
= IFN_HWASAN_ALLOCA_UNPOISON
;
719 /* There is only one piece of information `expand_HWASAN_ALLOCA_UNPOISON`
720 needs to work. This is the length of the area that we're
721 deallocating. Since the stack pointer is known at expand time, the
722 position of the new stack pointer after deallocation is enough
723 information to calculate this length. */
724 g
= gimple_build_call_internal (fn
, 1, restored_stack
);
728 tree last_alloca
= get_last_alloca_addr ();
729 tree fn
= builtin_decl_implicit (BUILT_IN_ASAN_ALLOCAS_UNPOISON
);
730 g
= gimple_build_call (fn
, 2, last_alloca
, restored_stack
);
731 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
732 g
= gimple_build_assign (last_alloca
, restored_stack
);
735 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
738 /* Deploy and poison redzones around __builtin_alloca call. To do this, we
739 should replace this call with another one with changed parameters and
740 replace all its uses with new address, so
741 addr = __builtin_alloca (old_size, align);
743 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
744 Following two statements are optimized out if we know that
745 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
747 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
748 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
749 right_redzone_size = ASAN_RED_ZONE_SIZE;
750 additional_size = left_redzone_size + partial_redzone_size +
752 new_size = old_size + additional_size;
753 new_alloca = __builtin_alloca (new_size, max (align, 32))
754 __asan_alloca_poison (new_alloca, old_size)
755 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
756 last_alloca_addr = new_alloca;
757 ADDITIONAL_SIZE is added to make new memory allocation contain not only
758 requested memory, but also left, partial and right redzones as well as some
759 additional space, required by alignment. */
762 handle_builtin_alloca (gcall
*call
, gimple_stmt_iterator
*iter
)
765 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ()))
770 tree callee
= gimple_call_fndecl (call
);
771 tree lhs
= gimple_call_lhs (call
);
772 tree old_size
= gimple_call_arg (call
, 0);
773 tree ptr_type
= lhs
? TREE_TYPE (lhs
) : ptr_type_node
;
774 tree partial_size
= NULL_TREE
;
776 = DECL_FUNCTION_CODE (callee
) == BUILT_IN_ALLOCA
777 ? 0 : tree_to_uhwi (gimple_call_arg (call
, 1));
781 if (stmt_can_throw_internal (cfun
, call
))
786 e
= find_fallthru_edge (gsi_bb (*iter
)->succs
);
789 if (hwasan_sanitize_allocas_p ())
791 gimple_seq stmts
= NULL
;
792 location_t loc
= gimple_location (gsi_stmt (*iter
));
794 HWASAN needs a different expansion.
796 addr = __builtin_alloca (size, align);
798 should be replaced by
800 new_size = size rounded up to HWASAN_TAG_GRANULE_SIZE byte alignment;
801 untagged_addr = __builtin_alloca (new_size, align);
802 tag = __hwasan_choose_alloca_tag ();
803 addr = ifn_HWASAN_SET_TAG (untagged_addr, tag);
804 __hwasan_tag_memory (untagged_addr, tag, new_size);
806 /* Ensure alignment at least HWASAN_TAG_GRANULE_SIZE bytes so we start on
808 align
= align
> HWASAN_TAG_GRANULE_SIZE
? align
: HWASAN_TAG_GRANULE_SIZE
;
810 tree old_size
= gimple_call_arg (call
, 0);
811 tree new_size
= gimple_build_round_up (&stmts
, loc
, size_type_node
,
813 HWASAN_TAG_GRANULE_SIZE
);
815 /* Make the alloca call */
817 = gimple_build (&stmts
, loc
,
818 as_combined_fn (BUILT_IN_ALLOCA_WITH_ALIGN
), ptr_type
,
819 new_size
, build_int_cst (size_type_node
, align
));
822 Here we use an internal function so we can choose the tag at expand
823 time. We need the decision to be made after stack variables have been
824 assigned their tag (i.e. once the hwasan_frame_tag_offset variable has
825 been set to one after the last stack variables tag). */
826 tree tag
= gimple_build (&stmts
, loc
, CFN_HWASAN_CHOOSE_TAG
,
827 unsigned_char_type_node
);
829 /* Add tag to pointer. */
831 = gimple_build (&stmts
, loc
, CFN_HWASAN_SET_TAG
, ptr_type
,
834 /* Tag shadow memory.
835 NOTE: require using `untagged_addr` here for libhwasan API. */
836 gimple_build (&stmts
, loc
, as_combined_fn (BUILT_IN_HWASAN_TAG_MEM
),
837 void_type_node
, untagged_addr
, tag
, new_size
);
839 /* Insert the built up code sequence into the original instruction stream
840 the iterator points to. */
841 gsi_insert_seq_before (iter
, stmts
, GSI_SAME_STMT
);
843 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
844 replace_call_with_value (iter
, addr
);
848 tree last_alloca
= get_last_alloca_addr ();
849 const HOST_WIDE_INT redzone_mask
= ASAN_RED_ZONE_SIZE
- 1;
851 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
852 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
854 align
= MAX (align
, ASAN_RED_ZONE_SIZE
* BITS_PER_UNIT
);
856 tree alloca_rz_mask
= build_int_cst (size_type_node
, redzone_mask
);
857 tree redzone_size
= build_int_cst (size_type_node
, ASAN_RED_ZONE_SIZE
);
859 /* Extract lower bits from old_size. */
860 wide_int size_nonzero_bits
= get_nonzero_bits (old_size
);
862 = wi::uhwi (redzone_mask
, wi::get_precision (size_nonzero_bits
));
863 wide_int old_size_lower_bits
= wi::bit_and (size_nonzero_bits
, rz_mask
);
865 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
866 redzone. Otherwise, compute its size here. */
867 if (wi::ne_p (old_size_lower_bits
, 0))
869 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
870 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
871 g
= gimple_build_assign (make_ssa_name (size_type_node
, NULL
),
872 BIT_AND_EXPR
, old_size
, alloca_rz_mask
);
873 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
874 tree misalign
= gimple_assign_lhs (g
);
875 g
= gimple_build_assign (make_ssa_name (size_type_node
, NULL
), MINUS_EXPR
,
876 redzone_size
, misalign
);
877 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
878 partial_size
= gimple_assign_lhs (g
);
881 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
882 tree additional_size
= build_int_cst (size_type_node
, align
/ BITS_PER_UNIT
883 + ASAN_RED_ZONE_SIZE
);
884 /* If alloca has partial redzone, include it to additional_size too. */
887 /* additional_size += partial_size. */
888 g
= gimple_build_assign (make_ssa_name (size_type_node
), PLUS_EXPR
,
889 partial_size
, additional_size
);
890 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
891 additional_size
= gimple_assign_lhs (g
);
894 /* new_size = old_size + additional_size. */
895 g
= gimple_build_assign (make_ssa_name (size_type_node
), PLUS_EXPR
, old_size
,
897 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
898 tree new_size
= gimple_assign_lhs (g
);
900 /* Build new __builtin_alloca call:
901 new_alloca_with_rz = __builtin_alloca (new_size, align). */
902 tree fn
= builtin_decl_implicit (BUILT_IN_ALLOCA_WITH_ALIGN
);
903 gg
= gimple_build_call (fn
, 2, new_size
,
904 build_int_cst (size_type_node
, align
));
905 tree new_alloca_with_rz
= make_ssa_name (ptr_type
, gg
);
906 gimple_call_set_lhs (gg
, new_alloca_with_rz
);
909 gimple_call_set_lhs (call
, NULL
);
910 gsi_replace (iter
, gg
, true);
913 gsi_insert_before (iter
, gg
, GSI_SAME_STMT
);
915 /* new_alloca = new_alloca_with_rz + align. */
916 g
= gimple_build_assign (make_ssa_name (ptr_type
), POINTER_PLUS_EXPR
,
918 build_int_cst (size_type_node
,
919 align
/ BITS_PER_UNIT
));
920 gimple_stmt_iterator gsi
= gsi_none ();
923 gsi_insert_on_edge_immediate (e
, g
);
924 gsi
= gsi_for_stmt (g
);
927 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
928 tree new_alloca
= gimple_assign_lhs (g
);
930 /* Poison newly created alloca redzones:
931 __asan_alloca_poison (new_alloca, old_size). */
932 fn
= builtin_decl_implicit (BUILT_IN_ASAN_ALLOCA_POISON
);
933 gg
= gimple_build_call (fn
, 2, new_alloca
, old_size
);
935 gsi_insert_after (&gsi
, gg
, GSI_NEW_STMT
);
937 gsi_insert_before (iter
, gg
, GSI_SAME_STMT
);
939 /* Save new_alloca_with_rz value into last_alloca to use it during
940 allocas unpoisoning. */
941 g
= gimple_build_assign (last_alloca
, new_alloca_with_rz
);
943 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
945 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
947 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
950 g
= gimple_build_assign (lhs
, new_alloca
);
951 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
954 replace_call_with_value (iter
, new_alloca
);
957 /* Return the memory references contained in a gimple statement
958 representing a builtin call that has to do with memory access. */
961 get_mem_refs_of_builtin_call (gcall
*call
,
973 gimple_stmt_iterator
*iter
= NULL
)
975 gcc_checking_assert (gimple_call_builtin_p (call
, BUILT_IN_NORMAL
));
977 tree callee
= gimple_call_fndecl (call
);
978 tree source0
= NULL_TREE
, source1
= NULL_TREE
,
979 dest
= NULL_TREE
, len
= NULL_TREE
;
980 bool is_store
= true, got_reference_p
= false;
981 HOST_WIDE_INT access_size
= 1;
983 *intercepted_p
= asan_intercepted_p ((DECL_FUNCTION_CODE (callee
)));
985 switch (DECL_FUNCTION_CODE (callee
))
987 /* (s, s, n) style memops. */
989 case BUILT_IN_MEMCMP
:
990 source0
= gimple_call_arg (call
, 0);
991 source1
= gimple_call_arg (call
, 1);
992 len
= gimple_call_arg (call
, 2);
995 /* (src, dest, n) style memops. */
997 source0
= gimple_call_arg (call
, 0);
998 dest
= gimple_call_arg (call
, 1);
999 len
= gimple_call_arg (call
, 2);
1002 /* (dest, src, n) style memops. */
1003 case BUILT_IN_MEMCPY
:
1004 case BUILT_IN_MEMCPY_CHK
:
1005 case BUILT_IN_MEMMOVE
:
1006 case BUILT_IN_MEMMOVE_CHK
:
1007 case BUILT_IN_MEMPCPY
:
1008 case BUILT_IN_MEMPCPY_CHK
:
1009 dest
= gimple_call_arg (call
, 0);
1010 source0
= gimple_call_arg (call
, 1);
1011 len
= gimple_call_arg (call
, 2);
1014 /* (dest, n) style memops. */
1015 case BUILT_IN_BZERO
:
1016 dest
= gimple_call_arg (call
, 0);
1017 len
= gimple_call_arg (call
, 1);
1020 /* (dest, x, n) style memops*/
1021 case BUILT_IN_MEMSET
:
1022 case BUILT_IN_MEMSET_CHK
:
1023 dest
= gimple_call_arg (call
, 0);
1024 len
= gimple_call_arg (call
, 2);
1027 case BUILT_IN_STRLEN
:
1028 /* Special case strlen here since its length is taken from its return
1031 The approach taken by the sanitizers is to check a memory access
1032 before it's taken. For ASAN strlen is intercepted by libasan, so no
1033 check is inserted by the compiler.
1035 This function still returns `true` and provides a length to the rest
1036 of the ASAN pass in order to record what areas have been checked,
1037 avoiding superfluous checks later on.
1039 HWASAN does not intercept any of these internal functions.
1040 This means that checks for memory accesses must be inserted by the
1042 strlen is a special case, because we can tell the length from the
1043 return of the function, but that is not known until after the function
1046 Hence we can't check the memory access before it happens.
1047 We could check the memory access after it has already happened, but
1048 for now we choose to just ignore `strlen` calls.
1049 This decision was simply made because that means the special case is
1050 limited to this one case of this one function. */
1051 if (hwasan_sanitize_p ())
1053 source0
= gimple_call_arg (call
, 0);
1054 len
= gimple_call_lhs (call
);
1057 case BUILT_IN_STACK_RESTORE
:
1058 handle_builtin_stack_restore (call
, iter
);
1061 CASE_BUILT_IN_ALLOCA
:
1062 handle_builtin_alloca (call
, iter
);
1064 /* And now the __atomic* and __sync builtins.
1065 These are handled differently from the classical memory
1066 access builtins above. */
1068 case BUILT_IN_ATOMIC_LOAD_1
:
1071 case BUILT_IN_SYNC_FETCH_AND_ADD_1
:
1072 case BUILT_IN_SYNC_FETCH_AND_SUB_1
:
1073 case BUILT_IN_SYNC_FETCH_AND_OR_1
:
1074 case BUILT_IN_SYNC_FETCH_AND_AND_1
:
1075 case BUILT_IN_SYNC_FETCH_AND_XOR_1
:
1076 case BUILT_IN_SYNC_FETCH_AND_NAND_1
:
1077 case BUILT_IN_SYNC_ADD_AND_FETCH_1
:
1078 case BUILT_IN_SYNC_SUB_AND_FETCH_1
:
1079 case BUILT_IN_SYNC_OR_AND_FETCH_1
:
1080 case BUILT_IN_SYNC_AND_AND_FETCH_1
:
1081 case BUILT_IN_SYNC_XOR_AND_FETCH_1
:
1082 case BUILT_IN_SYNC_NAND_AND_FETCH_1
:
1083 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1
:
1084 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1
:
1085 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1
:
1086 case BUILT_IN_SYNC_LOCK_RELEASE_1
:
1087 case BUILT_IN_ATOMIC_EXCHANGE_1
:
1088 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1
:
1089 case BUILT_IN_ATOMIC_STORE_1
:
1090 case BUILT_IN_ATOMIC_ADD_FETCH_1
:
1091 case BUILT_IN_ATOMIC_SUB_FETCH_1
:
1092 case BUILT_IN_ATOMIC_AND_FETCH_1
:
1093 case BUILT_IN_ATOMIC_NAND_FETCH_1
:
1094 case BUILT_IN_ATOMIC_XOR_FETCH_1
:
1095 case BUILT_IN_ATOMIC_OR_FETCH_1
:
1096 case BUILT_IN_ATOMIC_FETCH_ADD_1
:
1097 case BUILT_IN_ATOMIC_FETCH_SUB_1
:
1098 case BUILT_IN_ATOMIC_FETCH_AND_1
:
1099 case BUILT_IN_ATOMIC_FETCH_NAND_1
:
1100 case BUILT_IN_ATOMIC_FETCH_XOR_1
:
1101 case BUILT_IN_ATOMIC_FETCH_OR_1
:
1105 case BUILT_IN_ATOMIC_LOAD_2
:
1108 case BUILT_IN_SYNC_FETCH_AND_ADD_2
:
1109 case BUILT_IN_SYNC_FETCH_AND_SUB_2
:
1110 case BUILT_IN_SYNC_FETCH_AND_OR_2
:
1111 case BUILT_IN_SYNC_FETCH_AND_AND_2
:
1112 case BUILT_IN_SYNC_FETCH_AND_XOR_2
:
1113 case BUILT_IN_SYNC_FETCH_AND_NAND_2
:
1114 case BUILT_IN_SYNC_ADD_AND_FETCH_2
:
1115 case BUILT_IN_SYNC_SUB_AND_FETCH_2
:
1116 case BUILT_IN_SYNC_OR_AND_FETCH_2
:
1117 case BUILT_IN_SYNC_AND_AND_FETCH_2
:
1118 case BUILT_IN_SYNC_XOR_AND_FETCH_2
:
1119 case BUILT_IN_SYNC_NAND_AND_FETCH_2
:
1120 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2
:
1121 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2
:
1122 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2
:
1123 case BUILT_IN_SYNC_LOCK_RELEASE_2
:
1124 case BUILT_IN_ATOMIC_EXCHANGE_2
:
1125 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2
:
1126 case BUILT_IN_ATOMIC_STORE_2
:
1127 case BUILT_IN_ATOMIC_ADD_FETCH_2
:
1128 case BUILT_IN_ATOMIC_SUB_FETCH_2
:
1129 case BUILT_IN_ATOMIC_AND_FETCH_2
:
1130 case BUILT_IN_ATOMIC_NAND_FETCH_2
:
1131 case BUILT_IN_ATOMIC_XOR_FETCH_2
:
1132 case BUILT_IN_ATOMIC_OR_FETCH_2
:
1133 case BUILT_IN_ATOMIC_FETCH_ADD_2
:
1134 case BUILT_IN_ATOMIC_FETCH_SUB_2
:
1135 case BUILT_IN_ATOMIC_FETCH_AND_2
:
1136 case BUILT_IN_ATOMIC_FETCH_NAND_2
:
1137 case BUILT_IN_ATOMIC_FETCH_XOR_2
:
1138 case BUILT_IN_ATOMIC_FETCH_OR_2
:
1142 case BUILT_IN_ATOMIC_LOAD_4
:
1145 case BUILT_IN_SYNC_FETCH_AND_ADD_4
:
1146 case BUILT_IN_SYNC_FETCH_AND_SUB_4
:
1147 case BUILT_IN_SYNC_FETCH_AND_OR_4
:
1148 case BUILT_IN_SYNC_FETCH_AND_AND_4
:
1149 case BUILT_IN_SYNC_FETCH_AND_XOR_4
:
1150 case BUILT_IN_SYNC_FETCH_AND_NAND_4
:
1151 case BUILT_IN_SYNC_ADD_AND_FETCH_4
:
1152 case BUILT_IN_SYNC_SUB_AND_FETCH_4
:
1153 case BUILT_IN_SYNC_OR_AND_FETCH_4
:
1154 case BUILT_IN_SYNC_AND_AND_FETCH_4
:
1155 case BUILT_IN_SYNC_XOR_AND_FETCH_4
:
1156 case BUILT_IN_SYNC_NAND_AND_FETCH_4
:
1157 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4
:
1158 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4
:
1159 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4
:
1160 case BUILT_IN_SYNC_LOCK_RELEASE_4
:
1161 case BUILT_IN_ATOMIC_EXCHANGE_4
:
1162 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4
:
1163 case BUILT_IN_ATOMIC_STORE_4
:
1164 case BUILT_IN_ATOMIC_ADD_FETCH_4
:
1165 case BUILT_IN_ATOMIC_SUB_FETCH_4
:
1166 case BUILT_IN_ATOMIC_AND_FETCH_4
:
1167 case BUILT_IN_ATOMIC_NAND_FETCH_4
:
1168 case BUILT_IN_ATOMIC_XOR_FETCH_4
:
1169 case BUILT_IN_ATOMIC_OR_FETCH_4
:
1170 case BUILT_IN_ATOMIC_FETCH_ADD_4
:
1171 case BUILT_IN_ATOMIC_FETCH_SUB_4
:
1172 case BUILT_IN_ATOMIC_FETCH_AND_4
:
1173 case BUILT_IN_ATOMIC_FETCH_NAND_4
:
1174 case BUILT_IN_ATOMIC_FETCH_XOR_4
:
1175 case BUILT_IN_ATOMIC_FETCH_OR_4
:
1179 case BUILT_IN_ATOMIC_LOAD_8
:
1182 case BUILT_IN_SYNC_FETCH_AND_ADD_8
:
1183 case BUILT_IN_SYNC_FETCH_AND_SUB_8
:
1184 case BUILT_IN_SYNC_FETCH_AND_OR_8
:
1185 case BUILT_IN_SYNC_FETCH_AND_AND_8
:
1186 case BUILT_IN_SYNC_FETCH_AND_XOR_8
:
1187 case BUILT_IN_SYNC_FETCH_AND_NAND_8
:
1188 case BUILT_IN_SYNC_ADD_AND_FETCH_8
:
1189 case BUILT_IN_SYNC_SUB_AND_FETCH_8
:
1190 case BUILT_IN_SYNC_OR_AND_FETCH_8
:
1191 case BUILT_IN_SYNC_AND_AND_FETCH_8
:
1192 case BUILT_IN_SYNC_XOR_AND_FETCH_8
:
1193 case BUILT_IN_SYNC_NAND_AND_FETCH_8
:
1194 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8
:
1195 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8
:
1196 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8
:
1197 case BUILT_IN_SYNC_LOCK_RELEASE_8
:
1198 case BUILT_IN_ATOMIC_EXCHANGE_8
:
1199 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8
:
1200 case BUILT_IN_ATOMIC_STORE_8
:
1201 case BUILT_IN_ATOMIC_ADD_FETCH_8
:
1202 case BUILT_IN_ATOMIC_SUB_FETCH_8
:
1203 case BUILT_IN_ATOMIC_AND_FETCH_8
:
1204 case BUILT_IN_ATOMIC_NAND_FETCH_8
:
1205 case BUILT_IN_ATOMIC_XOR_FETCH_8
:
1206 case BUILT_IN_ATOMIC_OR_FETCH_8
:
1207 case BUILT_IN_ATOMIC_FETCH_ADD_8
:
1208 case BUILT_IN_ATOMIC_FETCH_SUB_8
:
1209 case BUILT_IN_ATOMIC_FETCH_AND_8
:
1210 case BUILT_IN_ATOMIC_FETCH_NAND_8
:
1211 case BUILT_IN_ATOMIC_FETCH_XOR_8
:
1212 case BUILT_IN_ATOMIC_FETCH_OR_8
:
1216 case BUILT_IN_ATOMIC_LOAD_16
:
1219 case BUILT_IN_SYNC_FETCH_AND_ADD_16
:
1220 case BUILT_IN_SYNC_FETCH_AND_SUB_16
:
1221 case BUILT_IN_SYNC_FETCH_AND_OR_16
:
1222 case BUILT_IN_SYNC_FETCH_AND_AND_16
:
1223 case BUILT_IN_SYNC_FETCH_AND_XOR_16
:
1224 case BUILT_IN_SYNC_FETCH_AND_NAND_16
:
1225 case BUILT_IN_SYNC_ADD_AND_FETCH_16
:
1226 case BUILT_IN_SYNC_SUB_AND_FETCH_16
:
1227 case BUILT_IN_SYNC_OR_AND_FETCH_16
:
1228 case BUILT_IN_SYNC_AND_AND_FETCH_16
:
1229 case BUILT_IN_SYNC_XOR_AND_FETCH_16
:
1230 case BUILT_IN_SYNC_NAND_AND_FETCH_16
:
1231 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16
:
1232 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16
:
1233 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16
:
1234 case BUILT_IN_SYNC_LOCK_RELEASE_16
:
1235 case BUILT_IN_ATOMIC_EXCHANGE_16
:
1236 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16
:
1237 case BUILT_IN_ATOMIC_STORE_16
:
1238 case BUILT_IN_ATOMIC_ADD_FETCH_16
:
1239 case BUILT_IN_ATOMIC_SUB_FETCH_16
:
1240 case BUILT_IN_ATOMIC_AND_FETCH_16
:
1241 case BUILT_IN_ATOMIC_NAND_FETCH_16
:
1242 case BUILT_IN_ATOMIC_XOR_FETCH_16
:
1243 case BUILT_IN_ATOMIC_OR_FETCH_16
:
1244 case BUILT_IN_ATOMIC_FETCH_ADD_16
:
1245 case BUILT_IN_ATOMIC_FETCH_SUB_16
:
1246 case BUILT_IN_ATOMIC_FETCH_AND_16
:
1247 case BUILT_IN_ATOMIC_FETCH_NAND_16
:
1248 case BUILT_IN_ATOMIC_FETCH_XOR_16
:
1249 case BUILT_IN_ATOMIC_FETCH_OR_16
:
1254 dest
= gimple_call_arg (call
, 0);
1255 /* DEST represents the address of a memory location.
1256 instrument_derefs wants the memory location, so lets
1257 dereference the address DEST before handing it to
1258 instrument_derefs. */
1259 tree type
= build_nonstandard_integer_type (access_size
1260 * BITS_PER_UNIT
, 1);
1261 dest
= build2 (MEM_REF
, type
, dest
,
1262 build_int_cst (build_pointer_type (char_type_node
), 0));
1267 /* The other builtins memory access are not instrumented in this
1268 function because they either don't have any length parameter,
1269 or their length parameter is just a limit. */
1273 if (len
!= NULL_TREE
)
1275 if (source0
!= NULL_TREE
)
1277 src0
->start
= source0
;
1278 src0
->access_size
= access_size
;
1280 *src0_is_store
= false;
1283 if (source1
!= NULL_TREE
)
1285 src1
->start
= source1
;
1286 src1
->access_size
= access_size
;
1288 *src1_is_store
= false;
1291 if (dest
!= NULL_TREE
)
1294 dst
->access_size
= access_size
;
1296 *dst_is_store
= true;
1299 got_reference_p
= true;
1304 dst
->access_size
= access_size
;
1305 *dst_len
= NULL_TREE
;
1306 *dst_is_store
= is_store
;
1307 *dest_is_deref
= true;
1308 got_reference_p
= true;
1311 return got_reference_p
;
1314 /* Return true iff a given gimple statement has been instrumented.
1315 Note that the statement is "defined" by the memory references it
1319 has_stmt_been_instrumented_p (gimple
*stmt
)
1321 if (gimple_assign_single_p (stmt
))
1325 asan_mem_ref_init (&r
, NULL
, 1);
1327 if (get_mem_ref_of_assignment (as_a
<gassign
*> (stmt
), &r
,
1330 if (!has_mem_ref_been_instrumented (&r
))
1332 if (r_is_store
&& gimple_assign_load_p (stmt
))
1335 asan_mem_ref_init (&src
, NULL
, 1);
1336 src
.start
= gimple_assign_rhs1 (stmt
);
1337 src
.access_size
= int_size_in_bytes (TREE_TYPE (src
.start
));
1338 if (!has_mem_ref_been_instrumented (&src
))
1344 else if (gimple_call_builtin_p (stmt
, BUILT_IN_NORMAL
))
1346 asan_mem_ref src0
, src1
, dest
;
1347 asan_mem_ref_init (&src0
, NULL
, 1);
1348 asan_mem_ref_init (&src1
, NULL
, 1);
1349 asan_mem_ref_init (&dest
, NULL
, 1);
1351 tree src0_len
= NULL_TREE
, src1_len
= NULL_TREE
, dest_len
= NULL_TREE
;
1352 bool src0_is_store
= false, src1_is_store
= false,
1353 dest_is_store
= false, dest_is_deref
= false, intercepted_p
= true;
1354 if (get_mem_refs_of_builtin_call (as_a
<gcall
*> (stmt
),
1355 &src0
, &src0_len
, &src0_is_store
,
1356 &src1
, &src1_len
, &src1_is_store
,
1357 &dest
, &dest_len
, &dest_is_store
,
1358 &dest_is_deref
, &intercepted_p
))
1360 if (src0
.start
!= NULL_TREE
1361 && !has_mem_ref_been_instrumented (&src0
, src0_len
))
1364 if (src1
.start
!= NULL_TREE
1365 && !has_mem_ref_been_instrumented (&src1
, src1_len
))
1368 if (dest
.start
!= NULL_TREE
1369 && !has_mem_ref_been_instrumented (&dest
, dest_len
))
1375 else if (is_gimple_call (stmt
)
1376 && gimple_store_p (stmt
)
1377 && (gimple_call_builtin_p (stmt
)
1378 || gimple_call_internal_p (stmt
)
1379 || !aggregate_value_p (TREE_TYPE (gimple_call_lhs (stmt
)),
1380 gimple_call_fntype (stmt
))))
1383 asan_mem_ref_init (&r
, NULL
, 1);
1385 r
.start
= gimple_call_lhs (stmt
);
1386 r
.access_size
= int_size_in_bytes (TREE_TYPE (r
.start
));
1387 return has_mem_ref_been_instrumented (&r
);
1393 /* Insert a memory reference into the hash table. */
1396 update_mem_ref_hash_table (tree ref
, HOST_WIDE_INT access_size
)
1398 hash_table
<asan_mem_ref_hasher
> *ht
= get_mem_ref_hash_table ();
1401 asan_mem_ref_init (&r
, ref
, access_size
);
1403 asan_mem_ref
**slot
= ht
->find_slot (&r
, INSERT
);
1404 if (*slot
== NULL
|| (*slot
)->access_size
< access_size
)
1405 *slot
= asan_mem_ref_new (ref
, access_size
);
1408 /* Initialize shadow_ptr_types array. */
1411 asan_init_shadow_ptr_types (void)
1413 asan_shadow_set
= new_alias_set ();
1414 tree types
[3] = { signed_char_type_node
, short_integer_type_node
,
1415 integer_type_node
};
1417 for (unsigned i
= 0; i
< 3; i
++)
1419 shadow_ptr_types
[i
] = build_distinct_type_copy (types
[i
]);
1420 TYPE_ALIAS_SET (shadow_ptr_types
[i
]) = asan_shadow_set
;
1421 shadow_ptr_types
[i
] = build_pointer_type (shadow_ptr_types
[i
]);
1424 initialize_sanitizer_builtins ();
1427 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
1430 asan_pp_string (pretty_printer
*pp
)
1432 const char *buf
= pp_formatted_text (pp
);
1433 size_t len
= strlen (buf
);
1434 tree ret
= build_string (len
+ 1, buf
);
1436 = build_array_type (TREE_TYPE (shadow_ptr_types
[0]),
1437 build_index_type (size_int (len
)));
1438 TREE_READONLY (ret
) = 1;
1439 TREE_STATIC (ret
) = 1;
1440 return build1 (ADDR_EXPR
, shadow_ptr_types
[0], ret
);
1443 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1447 asan_clear_shadow (rtx shadow_mem
, HOST_WIDE_INT len
)
1449 rtx_insn
*insn
, *insns
, *jump
;
1450 rtx_code_label
*top_label
;
1453 gcc_assert ((len
& 3) == 0);
1455 clear_storage (shadow_mem
, GEN_INT (len
), BLOCK_OP_NORMAL
);
1456 insns
= get_insns ();
1458 for (insn
= insns
; insn
; insn
= NEXT_INSN (insn
))
1461 if (insn
== NULL_RTX
)
1467 top_label
= gen_label_rtx ();
1468 addr
= copy_to_mode_reg (Pmode
, XEXP (shadow_mem
, 0));
1469 shadow_mem
= adjust_automodify_address (shadow_mem
, SImode
, addr
, 0);
1470 end
= force_reg (Pmode
, plus_constant (Pmode
, addr
, len
));
1471 emit_label (top_label
);
1473 emit_move_insn (shadow_mem
, const0_rtx
);
1474 tmp
= expand_simple_binop (Pmode
, PLUS
, addr
, gen_int_mode (4, Pmode
), addr
,
1475 true, OPTAB_LIB_WIDEN
);
1477 emit_move_insn (addr
, tmp
);
1478 emit_cmp_and_jump_insns (addr
, end
, LT
, NULL_RTX
, Pmode
, true, top_label
);
1479 jump
= get_last_insn ();
1480 gcc_assert (JUMP_P (jump
));
1481 add_reg_br_prob_note (jump
,
1482 profile_probability::guessed_always ()
1483 .apply_scale (80, 100));
1487 asan_function_start (void)
1489 ASM_OUTPUT_DEBUG_LABEL (asm_out_file
, "LASANPC", current_function_funcdef_no
);
1492 /* Return number of shadow bytes that are occupied by a local variable
1495 static unsigned HOST_WIDE_INT
1496 shadow_mem_size (unsigned HOST_WIDE_INT size
)
1498 /* It must be possible to align stack variables to granularity
1499 of shadow memory. */
1500 gcc_assert (BITS_PER_UNIT
1501 * ASAN_SHADOW_GRANULARITY
<= MAX_SUPPORTED_STACK_ALIGNMENT
);
1503 return ROUND_UP (size
, ASAN_SHADOW_GRANULARITY
) / ASAN_SHADOW_GRANULARITY
;
1506 /* Always emit 4 bytes at a time. */
1507 #define RZ_BUFFER_SIZE 4
1509 /* ASAN redzone buffer container that handles emission of shadow bytes. */
1510 class asan_redzone_buffer
1514 asan_redzone_buffer (rtx shadow_mem
, HOST_WIDE_INT prev_offset
):
1515 m_shadow_mem (shadow_mem
), m_prev_offset (prev_offset
),
1516 m_original_offset (prev_offset
), m_shadow_bytes (RZ_BUFFER_SIZE
)
1519 /* Emit VALUE shadow byte at a given OFFSET. */
1520 void emit_redzone_byte (HOST_WIDE_INT offset
, unsigned char value
);
1522 /* Emit RTX emission of the content of the buffer. */
1523 void flush_redzone_payload (void);
1526 /* Flush if the content of the buffer is full
1527 (equal to RZ_BUFFER_SIZE). */
1528 void flush_if_full (void);
1530 /* Memory where we last emitted a redzone payload. */
1533 /* Relative offset where we last emitted a redzone payload. */
1534 HOST_WIDE_INT m_prev_offset
;
1536 /* Relative original offset. Used for checking only. */
1537 HOST_WIDE_INT m_original_offset
;
1540 /* Buffer with redzone payload. */
1541 auto_vec
<unsigned char> m_shadow_bytes
;
1544 /* Emit VALUE shadow byte at a given OFFSET. */
1547 asan_redzone_buffer::emit_redzone_byte (HOST_WIDE_INT offset
,
1548 unsigned char value
)
1550 gcc_assert ((offset
& (ASAN_SHADOW_GRANULARITY
- 1)) == 0);
1551 gcc_assert (offset
>= m_prev_offset
);
1554 = m_prev_offset
+ ASAN_SHADOW_GRANULARITY
* m_shadow_bytes
.length ();
1556 /* Consecutive shadow memory byte. */;
1557 else if (offset
< m_prev_offset
+ (HOST_WIDE_INT
) (ASAN_SHADOW_GRANULARITY
1559 && !m_shadow_bytes
.is_empty ())
1561 /* Shadow memory byte with a small gap. */
1562 for (; off
< offset
; off
+= ASAN_SHADOW_GRANULARITY
)
1563 m_shadow_bytes
.safe_push (0);
1567 if (!m_shadow_bytes
.is_empty ())
1568 flush_redzone_payload ();
1570 /* Maybe start earlier in order to use aligned store. */
1571 HOST_WIDE_INT align
= (offset
- m_prev_offset
) % ASAN_RED_ZONE_SIZE
;
1575 for (unsigned i
= 0; i
< align
/ BITS_PER_UNIT
; i
++)
1576 m_shadow_bytes
.safe_push (0);
1579 /* Adjust m_prev_offset and m_shadow_mem. */
1580 HOST_WIDE_INT diff
= offset
- m_prev_offset
;
1581 m_shadow_mem
= adjust_address (m_shadow_mem
, VOIDmode
,
1582 diff
>> ASAN_SHADOW_SHIFT
);
1583 m_prev_offset
= offset
;
1585 m_shadow_bytes
.safe_push (value
);
1589 /* Emit RTX emission of the content of the buffer. */
1592 asan_redzone_buffer::flush_redzone_payload (void)
1594 gcc_assert (WORDS_BIG_ENDIAN
== BYTES_BIG_ENDIAN
);
1596 if (m_shadow_bytes
.is_empty ())
1599 /* Be sure we always emit to an aligned address. */
1600 gcc_assert (((m_prev_offset
- m_original_offset
)
1601 & (ASAN_RED_ZONE_SIZE
- 1)) == 0);
1603 /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */
1604 unsigned l
= m_shadow_bytes
.length ();
1605 for (unsigned i
= 0; i
<= RZ_BUFFER_SIZE
- l
; i
++)
1606 m_shadow_bytes
.safe_push (0);
1608 if (dump_file
&& (dump_flags
& TDF_DETAILS
))
1610 "Flushing rzbuffer at offset %" PRId64
" with: ", m_prev_offset
);
1612 unsigned HOST_WIDE_INT val
= 0;
1613 for (unsigned i
= 0; i
< RZ_BUFFER_SIZE
; i
++)
1616 = m_shadow_bytes
[BYTES_BIG_ENDIAN
? RZ_BUFFER_SIZE
- i
- 1 : i
];
1617 val
|= (unsigned HOST_WIDE_INT
)v
<< (BITS_PER_UNIT
* i
);
1618 if (dump_file
&& (dump_flags
& TDF_DETAILS
))
1619 fprintf (dump_file
, "%02x ", v
);
1622 if (dump_file
&& (dump_flags
& TDF_DETAILS
))
1623 fprintf (dump_file
, "\n");
1625 rtx c
= gen_int_mode (val
, SImode
);
1626 m_shadow_mem
= adjust_address (m_shadow_mem
, SImode
, 0);
1627 emit_move_insn (m_shadow_mem
, c
);
1628 m_shadow_bytes
.truncate (0);
1631 /* Flush if the content of the buffer is full
1632 (equal to RZ_BUFFER_SIZE). */
1635 asan_redzone_buffer::flush_if_full (void)
1637 if (m_shadow_bytes
.length () == RZ_BUFFER_SIZE
)
1638 flush_redzone_payload ();
1642 /* HWAddressSanitizer (hwasan) is a probabilistic method for detecting
1643 out-of-bounds and use-after-free bugs.
1645 http://code.google.com/p/address-sanitizer/
1647 Similar to AddressSanitizer (asan) it consists of two parts: the
1648 instrumentation module in this file, and a run-time library.
1650 The instrumentation module adds a run-time check before every memory insn in
1651 the same manner as asan (see the block comment for AddressSanitizer above).
1652 Currently, hwasan only adds out-of-line instrumentation, where each check is
1653 implemented as a function call to the run-time library. Hence a check for a
1654 load of N bytes from address X would be implemented with a function call to
1655 __hwasan_loadN(X), and checking a store of N bytes from address X would be
1656 implemented with a function call to __hwasan_storeN(X).
1658 The main difference between hwasan and asan is in the information stored to
1659 help this checking. Both sanitizers use a shadow memory area which stores
1660 data recording the state of main memory at a corresponding address.
1662 For hwasan, each 16 byte granule in main memory has a corresponding 1 byte
1663 in shadow memory. This shadow address can be calculated with equation:
1664 (addr >> log_2(HWASAN_TAG_GRANULE_SIZE))
1665 + __hwasan_shadow_memory_dynamic_address;
1666 The conversion between real and shadow memory for asan is given in the block
1667 comment at the top of this file.
1668 The description of how this shadow memory is laid out for asan is in the
1669 block comment at the top of this file, here we describe how this shadow
1670 memory is used for hwasan.
1672 For hwasan, each variable is assigned a byte-sized 'tag'. The extent of
1673 the shadow memory for that variable is filled with the assigned tag, and
1674 every pointer referencing that variable has its top byte set to the same
1675 tag. The run-time library redefines malloc so that every allocation returns
1676 a tagged pointer and tags the corresponding shadow memory with the same tag.
1678 On each pointer dereference the tag found in the pointer is compared to the
1679 tag found in the shadow memory corresponding to the accessed memory address.
1680 If these tags are found to differ then this memory access is judged to be
1681 invalid and a report is generated.
1683 This method of bug detection is not perfect -- it can not catch every bad
1684 access -- but catches them probabilistically instead. There is always the
1685 possibility that an invalid memory access will happen to access memory
1686 tagged with the same tag as the pointer that this access used.
1687 The chances of this are approx. 0.4% for any two uncorrelated objects.
1689 Random tag generation can mitigate this problem by decreasing the
1690 probability that an invalid access will be missed in the same manner over
1691 multiple runs. i.e. if two objects are tagged the same in one run of the
1692 binary they are unlikely to be tagged the same in the next run.
1693 Both heap and stack allocated objects have random tags by default.
1695 [16 byte granule implications]
1696 Since the shadow memory only has a resolution on real memory of 16 bytes,
1697 invalid accesses that are within the same 16 byte granule as a valid
1698 address will not be caught.
1700 There is a "short-granule" feature in the runtime library which does catch
1701 such accesses, but this feature is not implemented for stack objects (since
1702 stack objects are allocated and tagged by compiler instrumentation, and
1703 this feature has not yet been implemented in GCC instrumentation).
1705 Another outcome of this 16 byte resolution is that each tagged object must
1706 be 16 byte aligned. If two objects were to share any 16 byte granule in
1707 memory, then they both would have to be given the same tag, and invalid
1708 accesses to one using a pointer to the other would be undetectable.
1710 [Compiler instrumentation]
1711 Compiler instrumentation ensures that two adjacent buffers on the stack are
1712 given different tags, this means an access to one buffer using a pointer
1713 generated from the other (e.g. through buffer overrun) will have mismatched
1714 tags and be caught by hwasan.
1716 We don't randomly tag every object on the stack, since that would require
1717 keeping many registers to record each tag. Instead we randomly generate a
1718 tag for each function frame, and each new stack object uses a tag offset
1719 from that frame tag.
1720 i.e. each object is tagged as RFT + offset, where RFT is the "random frame
1721 tag" generated for this frame.
1722 This means that randomisation does not peturb the difference between tags
1723 on tagged stack objects within a frame, but this is mitigated by the fact
1724 that objects with the same tag within a frame are very far apart
1725 (approx. 2^HWASAN_TAG_SIZE objects apart).
1727 As a demonstration, using the same example program as in the asan block
1742 On AArch64 the stack will be ordered as follows for the above function:
1744 Slot 1/ [24 bytes for variable 'a']
1745 Slot 2/ [8 bytes padding for alignment]
1746 Slot 3/ [8 bytes for variable 'b']
1747 Slot 4/ [8 bytes padding for alignment]
1749 (The padding is there to ensure 16 byte alignment as described in the 16
1750 byte granule implications).
1752 While the shadow memory will be ordered as follows:
1754 - 2 bytes (representing 32 bytes in real memory) tagged with RFT + 1.
1755 - 1 byte (representing 16 bytes in real memory) tagged with RFT + 2.
1757 And any pointer to "a" will have the tag RFT + 1, and any pointer to "b"
1758 will have the tag RFT + 2.
1760 [Top Byte Ignore requirements]
1761 Hwasan requires the ability to store an 8 bit tag in every pointer. There
1762 is no instrumentation done to remove this tag from pointers before
1763 dereferencing, which means the hardware must ignore this tag during memory
1766 Architectures where this feature is available should indicate this using
1767 the TARGET_MEMTAG_CAN_TAG_ADDRESSES hook.
1769 [Stack requires cleanup on unwinding]
1770 During normal operation of a hwasan sanitized program more space in the
1771 shadow memory becomes tagged as the stack grows. As the stack shrinks this
1772 shadow memory space must become untagged. If it is not untagged then when
1773 the stack grows again (during other function calls later on in the program)
1774 objects on the stack that are usually not tagged (e.g. parameters passed on
1775 the stack) can be placed in memory whose shadow space is tagged with
1776 something else, and accesses can cause false positive reports.
1778 Hence we place untagging code on every epilogue of functions which tag some
1781 Moreover, the run-time library intercepts longjmp & setjmp to untag when
1782 the stack is unwound this way.
1784 C++ exceptions are not yet handled, which means this sanitizer can not
1785 handle C++ code that throws exceptions -- it will give false positives
1786 after an exception has been thrown. The implementation that the hwasan
1787 library has for handling these relies on the frame pointer being after any
1788 local variables. This is not generally the case for GCC. */
1791 /* Returns whether we are tagging pointers and checking those tags on memory
1794 hwasan_sanitize_p ()
1796 return sanitize_flags_p (SANITIZE_HWADDRESS
);
1799 /* Are we tagging the stack? */
1801 hwasan_sanitize_stack_p ()
1803 return (hwasan_sanitize_p () && param_hwasan_instrument_stack
);
1806 /* Are we tagging alloca objects? */
1808 hwasan_sanitize_allocas_p (void)
1810 return (hwasan_sanitize_stack_p () && param_hwasan_instrument_allocas
);
1813 /* Should we instrument reads? */
1815 hwasan_instrument_reads (void)
1817 return (hwasan_sanitize_p () && param_hwasan_instrument_reads
);
1820 /* Should we instrument writes? */
1822 hwasan_instrument_writes (void)
1824 return (hwasan_sanitize_p () && param_hwasan_instrument_writes
);
1827 /* Should we instrument builtin calls? */
1829 hwasan_memintrin (void)
1831 return (hwasan_sanitize_p () && param_hwasan_instrument_mem_intrinsics
);
1834 /* Insert code to protect stack vars. The prologue sequence should be emitted
1835 directly, epilogue sequence returned. BASE is the register holding the
1836 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1837 array contains pairs of offsets in reverse order, always the end offset
1838 of some gap that needs protection followed by starting offset,
1839 and DECLS is an array of representative decls for each var partition.
1840 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1841 elements long (OFFSETS include gap before the first variable as well
1842 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1843 register which stack vars DECL_RTLs are based on. Either BASE should be
1844 assigned to PBASE, when not doing use after return protection, or
1845 corresponding address based on __asan_stack_malloc* return value. */
1848 asan_emit_stack_protection (rtx base
, rtx pbase
, unsigned int alignb
,
1849 HOST_WIDE_INT
*offsets
, tree
*decls
, int length
)
1851 rtx shadow_base
, shadow_mem
, ret
, mem
, orig_base
;
1852 rtx_code_label
*lab
;
1855 HOST_WIDE_INT base_offset
= offsets
[length
- 1];
1856 HOST_WIDE_INT base_align_bias
= 0, offset
, prev_offset
;
1857 HOST_WIDE_INT asan_frame_size
= offsets
[0] - base_offset
;
1858 HOST_WIDE_INT last_offset
, last_size
, last_size_aligned
;
1860 unsigned char cur_shadow_byte
= ASAN_STACK_MAGIC_LEFT
;
1861 tree str_cst
, decl
, id
;
1862 int use_after_return_class
= -1;
1864 /* Don't emit anything when doing error recovery, the assertions
1865 might fail e.g. if a function had a frame offset overflow. */
1869 if (shadow_ptr_types
[0] == NULL_TREE
)
1870 asan_init_shadow_ptr_types ();
1872 expanded_location cfun_xloc
1873 = expand_location (DECL_SOURCE_LOCATION (current_function_decl
));
1875 /* First of all, prepare the description string. */
1876 pretty_printer asan_pp
;
1878 pp_decimal_int (&asan_pp
, length
/ 2 - 1);
1879 pp_space (&asan_pp
);
1880 for (l
= length
- 2; l
; l
-= 2)
1882 tree decl
= decls
[l
/ 2 - 1];
1883 pp_wide_integer (&asan_pp
, offsets
[l
] - base_offset
);
1884 pp_space (&asan_pp
);
1885 pp_wide_integer (&asan_pp
, offsets
[l
- 1] - offsets
[l
]);
1886 pp_space (&asan_pp
);
1888 expanded_location xloc
1889 = expand_location (DECL_SOURCE_LOCATION (decl
));
1892 if (xloc
.file
== cfun_xloc
.file
)
1893 sprintf (location
, ":%d", xloc
.line
);
1897 if (DECL_P (decl
) && DECL_NAME (decl
))
1900 = IDENTIFIER_LENGTH (DECL_NAME (decl
)) + strlen (location
);
1901 pp_decimal_int (&asan_pp
, idlen
);
1902 pp_space (&asan_pp
);
1903 pp_tree_identifier (&asan_pp
, DECL_NAME (decl
));
1904 pp_string (&asan_pp
, location
);
1907 pp_string (&asan_pp
, "9 <unknown>");
1910 pp_space (&asan_pp
);
1912 str_cst
= asan_pp_string (&asan_pp
);
1914 /* Emit the prologue sequence. */
1915 if (asan_frame_size
> 32 && asan_frame_size
<= 65536 && pbase
1916 && param_asan_use_after_return
)
1918 use_after_return_class
= floor_log2 (asan_frame_size
- 1) - 5;
1919 /* __asan_stack_malloc_N guarantees alignment
1920 N < 6 ? (64 << N) : 4096 bytes. */
1921 if (alignb
> (use_after_return_class
< 6
1922 ? (64U << use_after_return_class
) : 4096U))
1923 use_after_return_class
= -1;
1924 else if (alignb
> ASAN_RED_ZONE_SIZE
&& (asan_frame_size
& (alignb
- 1)))
1925 base_align_bias
= ((asan_frame_size
+ alignb
- 1)
1926 & ~(alignb
- HOST_WIDE_INT_1
)) - asan_frame_size
;
1929 /* Align base if target is STRICT_ALIGNMENT. */
1930 if (STRICT_ALIGNMENT
)
1932 const HOST_WIDE_INT align
1933 = (GET_MODE_ALIGNMENT (SImode
) / BITS_PER_UNIT
) << ASAN_SHADOW_SHIFT
;
1934 base
= expand_binop (Pmode
, and_optab
, base
, gen_int_mode (-align
, Pmode
),
1935 NULL_RTX
, 1, OPTAB_DIRECT
);
1938 if (use_after_return_class
== -1 && pbase
)
1939 emit_move_insn (pbase
, base
);
1941 base
= expand_binop (Pmode
, add_optab
, base
,
1942 gen_int_mode (base_offset
- base_align_bias
, Pmode
),
1943 NULL_RTX
, 1, OPTAB_DIRECT
);
1944 orig_base
= NULL_RTX
;
1945 if (use_after_return_class
!= -1)
1947 if (asan_detect_stack_use_after_return
== NULL_TREE
)
1949 id
= get_identifier ("__asan_option_detect_stack_use_after_return");
1950 decl
= build_decl (BUILTINS_LOCATION
, VAR_DECL
, id
,
1952 SET_DECL_ASSEMBLER_NAME (decl
, id
);
1953 TREE_ADDRESSABLE (decl
) = 1;
1954 DECL_ARTIFICIAL (decl
) = 1;
1955 DECL_IGNORED_P (decl
) = 1;
1956 DECL_EXTERNAL (decl
) = 1;
1957 TREE_STATIC (decl
) = 1;
1958 TREE_PUBLIC (decl
) = 1;
1959 TREE_USED (decl
) = 1;
1960 asan_detect_stack_use_after_return
= decl
;
1962 orig_base
= gen_reg_rtx (Pmode
);
1963 emit_move_insn (orig_base
, base
);
1964 ret
= expand_normal (asan_detect_stack_use_after_return
);
1965 lab
= gen_label_rtx ();
1966 emit_cmp_and_jump_insns (ret
, const0_rtx
, EQ
, NULL_RTX
,
1968 profile_probability::very_likely ());
1969 snprintf (buf
, sizeof buf
, "__asan_stack_malloc_%d",
1970 use_after_return_class
);
1971 ret
= init_one_libfunc (buf
);
1972 ret
= emit_library_call_value (ret
, NULL_RTX
, LCT_NORMAL
, ptr_mode
,
1973 GEN_INT (asan_frame_size
1975 TYPE_MODE (pointer_sized_int_node
));
1976 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1977 and NULL otherwise. Check RET value is NULL here and jump over the
1978 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1979 emit_cmp_and_jump_insns (ret
, const0_rtx
, EQ
, NULL_RTX
,
1981 profile_probability:: very_unlikely ());
1982 ret
= convert_memory_address (Pmode
, ret
);
1983 emit_move_insn (base
, ret
);
1985 emit_move_insn (pbase
, expand_binop (Pmode
, add_optab
, base
,
1986 gen_int_mode (base_align_bias
1987 - base_offset
, Pmode
),
1988 NULL_RTX
, 1, OPTAB_DIRECT
));
1990 mem
= gen_rtx_MEM (ptr_mode
, base
);
1991 mem
= adjust_address (mem
, VOIDmode
, base_align_bias
);
1992 emit_move_insn (mem
, gen_int_mode (ASAN_STACK_FRAME_MAGIC
, ptr_mode
));
1993 mem
= adjust_address (mem
, VOIDmode
, GET_MODE_SIZE (ptr_mode
));
1994 emit_move_insn (mem
, expand_normal (str_cst
));
1995 mem
= adjust_address (mem
, VOIDmode
, GET_MODE_SIZE (ptr_mode
));
1996 ASM_GENERATE_INTERNAL_LABEL (buf
, "LASANPC", current_function_funcdef_no
);
1997 id
= get_identifier (buf
);
1998 decl
= build_decl (DECL_SOURCE_LOCATION (current_function_decl
),
1999 VAR_DECL
, id
, char_type_node
);
2000 SET_DECL_ASSEMBLER_NAME (decl
, id
);
2001 TREE_ADDRESSABLE (decl
) = 1;
2002 TREE_READONLY (decl
) = 1;
2003 DECL_ARTIFICIAL (decl
) = 1;
2004 DECL_IGNORED_P (decl
) = 1;
2005 TREE_STATIC (decl
) = 1;
2006 TREE_PUBLIC (decl
) = 0;
2007 TREE_USED (decl
) = 1;
2008 DECL_INITIAL (decl
) = decl
;
2009 TREE_ASM_WRITTEN (decl
) = 1;
2010 TREE_ASM_WRITTEN (id
) = 1;
2011 DECL_ALIGN_RAW (decl
) = DECL_ALIGN_RAW (current_function_decl
);
2012 emit_move_insn (mem
, expand_normal (build_fold_addr_expr (decl
)));
2013 shadow_base
= expand_binop (Pmode
, lshr_optab
, base
,
2014 gen_int_shift_amount (Pmode
, ASAN_SHADOW_SHIFT
),
2015 NULL_RTX
, 1, OPTAB_DIRECT
);
2017 = plus_constant (Pmode
, shadow_base
,
2018 asan_shadow_offset ()
2019 + (base_align_bias
>> ASAN_SHADOW_SHIFT
));
2020 gcc_assert (asan_shadow_set
!= -1
2021 && (ASAN_RED_ZONE_SIZE
>> ASAN_SHADOW_SHIFT
) == 4);
2022 shadow_mem
= gen_rtx_MEM (SImode
, shadow_base
);
2023 set_mem_alias_set (shadow_mem
, asan_shadow_set
);
2024 if (STRICT_ALIGNMENT
)
2025 set_mem_align (shadow_mem
, (GET_MODE_ALIGNMENT (SImode
)));
2026 prev_offset
= base_offset
;
2028 asan_redzone_buffer
rz_buffer (shadow_mem
, prev_offset
);
2029 for (l
= length
; l
; l
-= 2)
2032 cur_shadow_byte
= ASAN_STACK_MAGIC_RIGHT
;
2033 offset
= offsets
[l
- 1];
2035 bool extra_byte
= (offset
- base_offset
) & (ASAN_SHADOW_GRANULARITY
- 1);
2036 /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then
2037 the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0.
2038 In that case we have to emit one extra byte that will describe
2039 how many bytes (our of ASAN_SHADOW_GRANULARITY) can be accessed. */
2043 = base_offset
+ ((offset
- base_offset
)
2044 & ~(ASAN_SHADOW_GRANULARITY
- HOST_WIDE_INT_1
));
2045 rz_buffer
.emit_redzone_byte (aoff
, offset
- aoff
);
2046 offset
= aoff
+ ASAN_SHADOW_GRANULARITY
;
2049 /* Calculate size of red zone payload. */
2050 while (offset
< offsets
[l
- 2])
2052 rz_buffer
.emit_redzone_byte (offset
, cur_shadow_byte
);
2053 offset
+= ASAN_SHADOW_GRANULARITY
;
2056 cur_shadow_byte
= ASAN_STACK_MAGIC_MIDDLE
;
2059 /* As the automatic variables are aligned to
2060 ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be
2062 gcc_assert (rz_buffer
.m_shadow_bytes
.is_empty ());
2064 do_pending_stack_adjust ();
2066 /* Construct epilogue sequence. */
2070 if (use_after_return_class
!= -1)
2072 rtx_code_label
*lab2
= gen_label_rtx ();
2073 char c
= (char) ASAN_STACK_MAGIC_USE_AFTER_RET
;
2074 emit_cmp_and_jump_insns (orig_base
, base
, EQ
, NULL_RTX
,
2076 profile_probability::very_likely ());
2077 shadow_mem
= gen_rtx_MEM (BLKmode
, shadow_base
);
2078 set_mem_alias_set (shadow_mem
, asan_shadow_set
);
2079 mem
= gen_rtx_MEM (ptr_mode
, base
);
2080 mem
= adjust_address (mem
, VOIDmode
, base_align_bias
);
2081 emit_move_insn (mem
, gen_int_mode (ASAN_STACK_RETIRED_MAGIC
, ptr_mode
));
2082 unsigned HOST_WIDE_INT sz
= asan_frame_size
>> ASAN_SHADOW_SHIFT
;
2083 if (use_after_return_class
< 5
2084 && can_store_by_pieces (sz
, builtin_memset_read_str
, &c
,
2085 BITS_PER_UNIT
, true))
2088 memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
2089 **SavedFlagPtr(FakeStack, class_id) = 0
2091 store_by_pieces (shadow_mem
, sz
, builtin_memset_read_str
, &c
,
2092 BITS_PER_UNIT
, true, RETURN_BEGIN
);
2094 unsigned HOST_WIDE_INT offset
2095 = (1 << (use_after_return_class
+ 6));
2096 offset
-= GET_MODE_SIZE (ptr_mode
);
2097 mem
= gen_rtx_MEM (ptr_mode
, base
);
2098 mem
= adjust_address (mem
, ptr_mode
, offset
);
2099 rtx addr
= gen_reg_rtx (ptr_mode
);
2100 emit_move_insn (addr
, mem
);
2101 addr
= convert_memory_address (Pmode
, addr
);
2102 mem
= gen_rtx_MEM (QImode
, addr
);
2103 emit_move_insn (mem
, const0_rtx
);
2105 else if (use_after_return_class
>= 5
2106 || !set_storage_via_setmem (shadow_mem
,
2108 gen_int_mode (c
, QImode
),
2109 BITS_PER_UNIT
, BITS_PER_UNIT
,
2112 snprintf (buf
, sizeof buf
, "__asan_stack_free_%d",
2113 use_after_return_class
);
2114 ret
= init_one_libfunc (buf
);
2115 rtx addr
= convert_memory_address (ptr_mode
, base
);
2116 rtx orig_addr
= convert_memory_address (ptr_mode
, orig_base
);
2117 emit_library_call (ret
, LCT_NORMAL
, ptr_mode
, addr
, ptr_mode
,
2118 GEN_INT (asan_frame_size
+ base_align_bias
),
2119 TYPE_MODE (pointer_sized_int_node
),
2120 orig_addr
, ptr_mode
);
2122 lab
= gen_label_rtx ();
2127 shadow_mem
= gen_rtx_MEM (BLKmode
, shadow_base
);
2128 set_mem_alias_set (shadow_mem
, asan_shadow_set
);
2130 if (STRICT_ALIGNMENT
)
2131 set_mem_align (shadow_mem
, (GET_MODE_ALIGNMENT (SImode
)));
2133 prev_offset
= base_offset
;
2134 last_offset
= base_offset
;
2136 last_size_aligned
= 0;
2137 for (l
= length
; l
; l
-= 2)
2139 offset
= base_offset
+ ((offsets
[l
- 1] - base_offset
)
2140 & ~(ASAN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
));
2141 if (last_offset
+ last_size_aligned
< offset
)
2143 shadow_mem
= adjust_address (shadow_mem
, VOIDmode
,
2144 (last_offset
- prev_offset
)
2145 >> ASAN_SHADOW_SHIFT
);
2146 prev_offset
= last_offset
;
2147 asan_clear_shadow (shadow_mem
, last_size_aligned
>> ASAN_SHADOW_SHIFT
);
2148 last_offset
= offset
;
2152 last_size
= offset
- last_offset
;
2153 last_size
+= base_offset
+ ((offsets
[l
- 2] - base_offset
)
2154 & ~(ASAN_MIN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
))
2157 /* Unpoison shadow memory that corresponds to a variable that is
2158 is subject of use-after-return sanitization. */
2161 decl
= decls
[l
/ 2 - 2];
2162 if (asan_handled_variables
!= NULL
2163 && asan_handled_variables
->contains (decl
))
2165 HOST_WIDE_INT size
= offsets
[l
- 3] - offsets
[l
- 2];
2166 if (dump_file
&& (dump_flags
& TDF_DETAILS
))
2168 const char *n
= (DECL_NAME (decl
)
2169 ? IDENTIFIER_POINTER (DECL_NAME (decl
))
2171 fprintf (dump_file
, "Unpoisoning shadow stack for variable: "
2172 "%s (%" PRId64
" B)\n", n
, size
);
2175 last_size
+= size
& ~(ASAN_MIN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
);
2179 = ((last_size
+ (ASAN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
))
2180 & ~(ASAN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
));
2182 if (last_size_aligned
)
2184 shadow_mem
= adjust_address (shadow_mem
, VOIDmode
,
2185 (last_offset
- prev_offset
)
2186 >> ASAN_SHADOW_SHIFT
);
2187 asan_clear_shadow (shadow_mem
, last_size_aligned
>> ASAN_SHADOW_SHIFT
);
2190 /* Clean-up set with instrumented stack variables. */
2191 delete asan_handled_variables
;
2192 asan_handled_variables
= NULL
;
2193 delete asan_used_labels
;
2194 asan_used_labels
= NULL
;
2196 do_pending_stack_adjust ();
2200 insns
= get_insns ();
2205 /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds
2206 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE
2207 indicates whether we're emitting new instructions sequence or not. */
2210 asan_emit_allocas_unpoison (rtx top
, rtx bot
, rtx_insn
*before
)
2213 push_to_sequence (before
);
2216 rtx ret
= init_one_libfunc ("__asan_allocas_unpoison");
2217 top
= convert_memory_address (ptr_mode
, top
);
2218 bot
= convert_memory_address (ptr_mode
, bot
);
2219 emit_library_call (ret
, LCT_NORMAL
, ptr_mode
,
2220 top
, ptr_mode
, bot
, ptr_mode
);
2222 do_pending_stack_adjust ();
2223 rtx_insn
*insns
= get_insns ();
2228 /* Return true if DECL, a global var, might be overridden and needs
2229 therefore a local alias. */
2232 asan_needs_local_alias (tree decl
)
2234 return DECL_WEAK (decl
) || !targetm
.binds_local_p (decl
);
2237 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
2238 therefore doesn't need protection. */
2241 is_odr_indicator (tree decl
)
2243 return (DECL_ARTIFICIAL (decl
)
2244 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl
)));
2247 /* Return true if DECL is a VAR_DECL that should be protected
2248 by Address Sanitizer, by appending a red zone with protected
2249 shadow memory after it and aligning it to at least
2250 ASAN_RED_ZONE_SIZE bytes. */
2253 asan_protect_global (tree decl
, bool ignore_decl_rtl_set_p
)
2255 if (!param_asan_globals
)
2260 if (TREE_CODE (decl
) == STRING_CST
)
2262 /* Instrument all STRING_CSTs except those created
2263 by asan_pp_string here. */
2264 if (shadow_ptr_types
[0] != NULL_TREE
2265 && TREE_CODE (TREE_TYPE (decl
)) == ARRAY_TYPE
2266 && TREE_TYPE (TREE_TYPE (decl
)) == TREE_TYPE (shadow_ptr_types
[0]))
2271 /* TLS vars aren't statically protectable. */
2272 || DECL_THREAD_LOCAL_P (decl
)
2273 /* Externs will be protected elsewhere. */
2274 || DECL_EXTERNAL (decl
)
2275 /* PR sanitizer/81697: For architectures that use section anchors first
2276 call to asan_protect_global may occur before DECL_RTL (decl) is set.
2277 We should ignore DECL_RTL_SET_P then, because otherwise the first call
2278 to asan_protect_global will return FALSE and the following calls on the
2279 same decl after setting DECL_RTL (decl) will return TRUE and we'll end
2280 up with inconsistency at runtime. */
2281 || (!DECL_RTL_SET_P (decl
) && !ignore_decl_rtl_set_p
)
2282 /* Comdat vars pose an ABI problem, we can't know if
2283 the var that is selected by the linker will have
2285 || DECL_ONE_ONLY (decl
)
2286 /* Similarly for common vars. People can use -fno-common.
2287 Note: Linux kernel is built with -fno-common, so we do instrument
2288 globals there even if it is C. */
2289 || (DECL_COMMON (decl
) && TREE_PUBLIC (decl
))
2290 /* Don't protect if using user section, often vars placed
2291 into user section from multiple TUs are then assumed
2292 to be an array of such vars, putting padding in there
2293 breaks this assumption. */
2294 || (DECL_SECTION_NAME (decl
) != NULL
2295 && !symtab_node::get (decl
)->implicit_section
2296 && !section_sanitized_p (DECL_SECTION_NAME (decl
)))
2297 /* Don't protect variables in non-generic address-space. */
2298 || !ADDR_SPACE_GENERIC_P (TYPE_ADDR_SPACE (TREE_TYPE (decl
)))
2299 || DECL_SIZE (decl
) == 0
2300 || ASAN_RED_ZONE_SIZE
* BITS_PER_UNIT
> MAX_OFILE_ALIGNMENT
2301 || TREE_CODE (DECL_SIZE_UNIT (decl
)) != INTEGER_CST
2302 || !valid_constant_size_p (DECL_SIZE_UNIT (decl
))
2303 || DECL_ALIGN_UNIT (decl
) > 2 * ASAN_RED_ZONE_SIZE
2304 || TREE_TYPE (decl
) == ubsan_get_source_location_type ()
2305 || is_odr_indicator (decl
))
2308 if (!ignore_decl_rtl_set_p
|| DECL_RTL_SET_P (decl
))
2311 rtl
= DECL_RTL (decl
);
2312 if (!MEM_P (rtl
) || GET_CODE (XEXP (rtl
, 0)) != SYMBOL_REF
)
2314 symbol
= XEXP (rtl
, 0);
2316 if (CONSTANT_POOL_ADDRESS_P (symbol
)
2317 || TREE_CONSTANT_POOL_ADDRESS_P (symbol
))
2321 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl
)))
2324 if (!TARGET_SUPPORTS_ALIASES
&& asan_needs_local_alias (decl
))
2330 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
2331 IS_STORE is either 1 (for a store) or 0 (for a load). */
2334 report_error_func (bool is_store
, bool recover_p
, HOST_WIDE_INT size_in_bytes
,
2337 gcc_assert (!hwasan_sanitize_p ());
2339 static enum built_in_function report
[2][2][6]
2340 = { { { BUILT_IN_ASAN_REPORT_LOAD1
, BUILT_IN_ASAN_REPORT_LOAD2
,
2341 BUILT_IN_ASAN_REPORT_LOAD4
, BUILT_IN_ASAN_REPORT_LOAD8
,
2342 BUILT_IN_ASAN_REPORT_LOAD16
, BUILT_IN_ASAN_REPORT_LOAD_N
},
2343 { BUILT_IN_ASAN_REPORT_STORE1
, BUILT_IN_ASAN_REPORT_STORE2
,
2344 BUILT_IN_ASAN_REPORT_STORE4
, BUILT_IN_ASAN_REPORT_STORE8
,
2345 BUILT_IN_ASAN_REPORT_STORE16
, BUILT_IN_ASAN_REPORT_STORE_N
} },
2346 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT
,
2347 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT
,
2348 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT
,
2349 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT
,
2350 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT
,
2351 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT
},
2352 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT
,
2353 BUILT_IN_ASAN_REPORT_STORE2_NOABORT
,
2354 BUILT_IN_ASAN_REPORT_STORE4_NOABORT
,
2355 BUILT_IN_ASAN_REPORT_STORE8_NOABORT
,
2356 BUILT_IN_ASAN_REPORT_STORE16_NOABORT
,
2357 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT
} } };
2358 if (size_in_bytes
== -1)
2361 return builtin_decl_implicit (report
[recover_p
][is_store
][5]);
2364 int size_log2
= exact_log2 (size_in_bytes
);
2365 return builtin_decl_implicit (report
[recover_p
][is_store
][size_log2
]);
2368 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
2369 IS_STORE is either 1 (for a store) or 0 (for a load). */
2372 check_func (bool is_store
, bool recover_p
, HOST_WIDE_INT size_in_bytes
,
2375 static enum built_in_function check
[2][2][6]
2376 = { { { BUILT_IN_ASAN_LOAD1
, BUILT_IN_ASAN_LOAD2
,
2377 BUILT_IN_ASAN_LOAD4
, BUILT_IN_ASAN_LOAD8
,
2378 BUILT_IN_ASAN_LOAD16
, BUILT_IN_ASAN_LOADN
},
2379 { BUILT_IN_ASAN_STORE1
, BUILT_IN_ASAN_STORE2
,
2380 BUILT_IN_ASAN_STORE4
, BUILT_IN_ASAN_STORE8
,
2381 BUILT_IN_ASAN_STORE16
, BUILT_IN_ASAN_STOREN
} },
2382 { { BUILT_IN_ASAN_LOAD1_NOABORT
,
2383 BUILT_IN_ASAN_LOAD2_NOABORT
,
2384 BUILT_IN_ASAN_LOAD4_NOABORT
,
2385 BUILT_IN_ASAN_LOAD8_NOABORT
,
2386 BUILT_IN_ASAN_LOAD16_NOABORT
,
2387 BUILT_IN_ASAN_LOADN_NOABORT
},
2388 { BUILT_IN_ASAN_STORE1_NOABORT
,
2389 BUILT_IN_ASAN_STORE2_NOABORT
,
2390 BUILT_IN_ASAN_STORE4_NOABORT
,
2391 BUILT_IN_ASAN_STORE8_NOABORT
,
2392 BUILT_IN_ASAN_STORE16_NOABORT
,
2393 BUILT_IN_ASAN_STOREN_NOABORT
} } };
2394 if (size_in_bytes
== -1)
2397 return builtin_decl_implicit (check
[recover_p
][is_store
][5]);
2400 int size_log2
= exact_log2 (size_in_bytes
);
2401 return builtin_decl_implicit (check
[recover_p
][is_store
][size_log2
]);
2404 /* Split the current basic block and create a condition statement
2405 insertion point right before or after the statement pointed to by
2406 ITER. Return an iterator to the point at which the caller might
2407 safely insert the condition statement.
2409 THEN_BLOCK must be set to the address of an uninitialized instance
2410 of basic_block. The function will then set *THEN_BLOCK to the
2411 'then block' of the condition statement to be inserted by the
2414 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
2415 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
2417 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
2418 block' of the condition statement to be inserted by the caller.
2420 Note that *FALLTHROUGH_BLOCK is a new block that contains the
2421 statements starting from *ITER, and *THEN_BLOCK is a new empty
2424 *ITER is adjusted to point to always point to the first statement
2425 of the basic block * FALLTHROUGH_BLOCK. That statement is the
2426 same as what ITER was pointing to prior to calling this function,
2427 if BEFORE_P is true; otherwise, it is its following statement. */
2429 gimple_stmt_iterator
2430 create_cond_insert_point (gimple_stmt_iterator
*iter
,
2432 bool then_more_likely_p
,
2433 bool create_then_fallthru_edge
,
2434 basic_block
*then_block
,
2435 basic_block
*fallthrough_block
)
2437 gimple_stmt_iterator gsi
= *iter
;
2439 if (!gsi_end_p (gsi
) && before_p
)
2442 basic_block cur_bb
= gsi_bb (*iter
);
2444 edge e
= split_block (cur_bb
, gsi_stmt (gsi
));
2446 /* Get a hold on the 'condition block', the 'then block' and the
2448 basic_block cond_bb
= e
->src
;
2449 basic_block fallthru_bb
= e
->dest
;
2450 basic_block then_bb
= create_empty_bb (cond_bb
);
2453 add_bb_to_loop (then_bb
, cond_bb
->loop_father
);
2454 loops_state_set (LOOPS_NEED_FIXUP
);
2457 /* Set up the newly created 'then block'. */
2458 e
= make_edge (cond_bb
, then_bb
, EDGE_TRUE_VALUE
);
2459 profile_probability fallthrough_probability
2460 = then_more_likely_p
2461 ? profile_probability::very_unlikely ()
2462 : profile_probability::very_likely ();
2463 e
->probability
= fallthrough_probability
.invert ();
2464 then_bb
->count
= e
->count ();
2465 if (create_then_fallthru_edge
)
2466 make_single_succ_edge (then_bb
, fallthru_bb
, EDGE_FALLTHRU
);
2468 /* Set up the fallthrough basic block. */
2469 e
= find_edge (cond_bb
, fallthru_bb
);
2470 e
->flags
= EDGE_FALSE_VALUE
;
2471 e
->probability
= fallthrough_probability
;
2473 /* Update dominance info for the newly created then_bb; note that
2474 fallthru_bb's dominance info has already been updated by
2476 if (dom_info_available_p (CDI_DOMINATORS
))
2477 set_immediate_dominator (CDI_DOMINATORS
, then_bb
, cond_bb
);
2479 *then_block
= then_bb
;
2480 *fallthrough_block
= fallthru_bb
;
2481 *iter
= gsi_start_bb (fallthru_bb
);
2483 return gsi_last_bb (cond_bb
);
2486 /* Insert an if condition followed by a 'then block' right before the
2487 statement pointed to by ITER. The fallthrough block -- which is the
2488 else block of the condition as well as the destination of the
2489 outcoming edge of the 'then block' -- starts with the statement
2492 COND is the condition of the if.
2494 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
2495 'then block' is higher than the probability of the edge to the
2498 Upon completion of the function, *THEN_BB is set to the newly
2499 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
2502 *ITER is adjusted to still point to the same statement it was
2503 pointing to initially. */
2506 insert_if_then_before_iter (gcond
*cond
,
2507 gimple_stmt_iterator
*iter
,
2508 bool then_more_likely_p
,
2509 basic_block
*then_bb
,
2510 basic_block
*fallthrough_bb
)
2512 gimple_stmt_iterator cond_insert_point
=
2513 create_cond_insert_point (iter
,
2516 /*create_then_fallthru_edge=*/true,
2519 gsi_insert_after (&cond_insert_point
, cond
, GSI_NEW_STMT
);
2522 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
2523 If RETURN_ADDRESS is set to true, return memory location instread
2524 of a value in the shadow memory. */
2527 build_shadow_mem_access (gimple_stmt_iterator
*gsi
, location_t location
,
2528 tree base_addr
, tree shadow_ptr_type
,
2529 bool return_address
= false)
2531 tree t
, uintptr_type
= TREE_TYPE (base_addr
);
2532 tree shadow_type
= TREE_TYPE (shadow_ptr_type
);
2535 t
= build_int_cst (uintptr_type
, ASAN_SHADOW_SHIFT
);
2536 g
= gimple_build_assign (make_ssa_name (uintptr_type
), RSHIFT_EXPR
,
2538 gimple_set_location (g
, location
);
2539 gsi_insert_after (gsi
, g
, GSI_NEW_STMT
);
2541 t
= build_int_cst (uintptr_type
, asan_shadow_offset ());
2542 g
= gimple_build_assign (make_ssa_name (uintptr_type
), PLUS_EXPR
,
2543 gimple_assign_lhs (g
), t
);
2544 gimple_set_location (g
, location
);
2545 gsi_insert_after (gsi
, g
, GSI_NEW_STMT
);
2547 g
= gimple_build_assign (make_ssa_name (shadow_ptr_type
), NOP_EXPR
,
2548 gimple_assign_lhs (g
));
2549 gimple_set_location (g
, location
);
2550 gsi_insert_after (gsi
, g
, GSI_NEW_STMT
);
2552 if (!return_address
)
2554 t
= build2 (MEM_REF
, shadow_type
, gimple_assign_lhs (g
),
2555 build_int_cst (shadow_ptr_type
, 0));
2556 g
= gimple_build_assign (make_ssa_name (shadow_type
), MEM_REF
, t
);
2557 gimple_set_location (g
, location
);
2558 gsi_insert_after (gsi
, g
, GSI_NEW_STMT
);
2561 return gimple_assign_lhs (g
);
2564 /* BASE can already be an SSA_NAME; in that case, do not create a
2565 new SSA_NAME for it. */
2568 maybe_create_ssa_name (location_t loc
, tree base
, gimple_stmt_iterator
*iter
,
2571 STRIP_USELESS_TYPE_CONVERSION (base
);
2572 if (TREE_CODE (base
) == SSA_NAME
)
2574 gimple
*g
= gimple_build_assign (make_ssa_name (TREE_TYPE (base
)), base
);
2575 gimple_set_location (g
, loc
);
2577 gsi_safe_insert_before (iter
, g
);
2579 gsi_insert_after (iter
, g
, GSI_NEW_STMT
);
2580 return gimple_assign_lhs (g
);
2583 /* LEN can already have necessary size and precision;
2584 in that case, do not create a new variable. */
2587 maybe_cast_to_ptrmode (location_t loc
, tree len
, gimple_stmt_iterator
*iter
,
2590 if (ptrofftype_p (len
))
2592 gimple
*g
= gimple_build_assign (make_ssa_name (pointer_sized_int_node
),
2594 gimple_set_location (g
, loc
);
2596 gsi_safe_insert_before (iter
, g
);
2598 gsi_insert_after (iter
, g
, GSI_NEW_STMT
);
2599 return gimple_assign_lhs (g
);
2602 /* Instrument the memory access instruction BASE. Insert new
2603 statements before or after ITER.
2605 Note that the memory access represented by BASE can be either an
2606 SSA_NAME, or a non-SSA expression. LOCATION is the source code
2607 location. IS_STORE is TRUE for a store, FALSE for a load.
2608 BEFORE_P is TRUE for inserting the instrumentation code before
2609 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
2610 for a scalar memory access and FALSE for memory region access.
2611 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
2612 length. ALIGN tells alignment of accessed memory object.
2614 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
2615 memory region have already been instrumented.
2617 If BEFORE_P is TRUE, *ITER is arranged to still point to the
2618 statement it was pointing to prior to calling this function,
2619 otherwise, it points to the statement logically following it. */
2622 build_check_stmt (location_t loc
, tree base
, tree len
,
2623 HOST_WIDE_INT size_in_bytes
, gimple_stmt_iterator
*iter
,
2624 bool is_non_zero_len
, bool before_p
, bool is_store
,
2625 bool is_scalar_access
, unsigned int align
= 0)
2627 gimple_stmt_iterator gsi
= *iter
;
2630 gcc_assert (!(size_in_bytes
> 0 && !is_non_zero_len
));
2631 gcc_assert (size_in_bytes
== -1 || size_in_bytes
>= 1);
2635 base
= unshare_expr (base
);
2636 base
= maybe_create_ssa_name (loc
, base
, &gsi
, before_p
);
2640 len
= unshare_expr (len
);
2641 len
= maybe_cast_to_ptrmode (loc
, len
, iter
, before_p
);
2645 gcc_assert (size_in_bytes
!= -1);
2646 len
= build_int_cst (pointer_sized_int_node
, size_in_bytes
);
2649 if (size_in_bytes
> 1)
2651 if ((size_in_bytes
& (size_in_bytes
- 1)) != 0
2652 || size_in_bytes
> 16)
2653 is_scalar_access
= false;
2654 else if (align
&& align
< size_in_bytes
* BITS_PER_UNIT
)
2656 /* On non-strict alignment targets, if
2657 16-byte access is just 8-byte aligned,
2658 this will result in misaligned shadow
2659 memory 2 byte load, but otherwise can
2660 be handled using one read. */
2661 if (size_in_bytes
!= 16
2663 || align
< 8 * BITS_PER_UNIT
)
2664 is_scalar_access
= false;
2668 HOST_WIDE_INT flags
= 0;
2670 flags
|= ASAN_CHECK_STORE
;
2671 if (is_non_zero_len
)
2672 flags
|= ASAN_CHECK_NON_ZERO_LEN
;
2673 if (is_scalar_access
)
2674 flags
|= ASAN_CHECK_SCALAR_ACCESS
;
2676 enum internal_fn fn
= hwasan_sanitize_p ()
2680 g
= gimple_build_call_internal (fn
, 4,
2681 build_int_cst (integer_type_node
, flags
),
2683 build_int_cst (integer_type_node
,
2684 align
/ BITS_PER_UNIT
));
2685 gimple_set_location (g
, loc
);
2687 gsi_safe_insert_before (&gsi
, g
);
2690 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
2696 /* If T represents a memory access, add instrumentation code before ITER.
2697 LOCATION is source code location.
2698 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
2701 instrument_derefs (gimple_stmt_iterator
*iter
, tree t
,
2702 location_t location
, bool is_store
)
2704 if (is_store
&& !(asan_instrument_writes () || hwasan_instrument_writes ()))
2706 if (!is_store
&& !(asan_instrument_reads () || hwasan_instrument_reads ()))
2710 HOST_WIDE_INT size_in_bytes
;
2711 if (location
== UNKNOWN_LOCATION
)
2712 location
= EXPR_LOCATION (t
);
2714 type
= TREE_TYPE (t
);
2715 switch (TREE_CODE (t
))
2729 size_in_bytes
= int_size_in_bytes (type
);
2730 if (size_in_bytes
<= 0)
2733 poly_int64 bitsize
, bitpos
;
2736 int unsignedp
, reversep
, volatilep
= 0;
2737 tree inner
= get_inner_reference (t
, &bitsize
, &bitpos
, &offset
, &mode
,
2738 &unsignedp
, &reversep
, &volatilep
);
2740 if (TREE_CODE (t
) == COMPONENT_REF
2741 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t
, 1)) != NULL_TREE
)
2743 tree repr
= DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t
, 1));
2744 instrument_derefs (iter
, build3 (COMPONENT_REF
, TREE_TYPE (repr
),
2745 TREE_OPERAND (t
, 0), repr
,
2746 TREE_OPERAND (t
, 2)),
2747 location
, is_store
);
2751 if (!multiple_p (bitpos
, BITS_PER_UNIT
)
2752 || maybe_ne (bitsize
, size_in_bytes
* BITS_PER_UNIT
))
2755 if (VAR_P (inner
) && DECL_HARD_REGISTER (inner
))
2758 /* Accesses to non-generic address-spaces should not be instrumented. */
2759 if (!ADDR_SPACE_GENERIC_P (TYPE_ADDR_SPACE (TREE_TYPE (inner
))))
2762 poly_int64 decl_size
;
2764 || (TREE_CODE (inner
) == RESULT_DECL
2765 && !aggregate_value_p (inner
, current_function_decl
)))
2766 && offset
== NULL_TREE
2767 && DECL_SIZE (inner
)
2768 && poly_int_tree_p (DECL_SIZE (inner
), &decl_size
)
2769 && known_subrange_p (bitpos
, bitsize
, 0, decl_size
))
2771 if (VAR_P (inner
) && DECL_THREAD_LOCAL_P (inner
))
2773 /* If we're not sanitizing globals and we can tell statically that this
2774 access is inside a global variable, then there's no point adding
2775 instrumentation to check the access. N.b. hwasan currently never
2776 sanitizes globals. */
2777 if ((hwasan_sanitize_p () || !param_asan_globals
)
2778 && is_global_var (inner
))
2780 if (!TREE_STATIC (inner
))
2782 /* Automatic vars in the current function will be always
2784 if (decl_function_context (inner
) == current_function_decl
2785 && (!asan_sanitize_use_after_scope ()
2786 || !TREE_ADDRESSABLE (inner
)))
2789 /* Always instrument external vars, they might be dynamically
2791 else if (!DECL_EXTERNAL (inner
))
2793 /* For static vars if they are known not to be dynamically
2794 initialized, they will be always accessible. */
2795 varpool_node
*vnode
= varpool_node::get (inner
);
2796 if (vnode
&& !vnode
->dynamically_initialized
)
2802 && decl_function_context (inner
) == current_function_decl
2803 && !TREE_ADDRESSABLE (inner
))
2804 mark_addressable (inner
);
2806 base
= build_fold_addr_expr (t
);
2807 if (!has_mem_ref_been_instrumented (base
, size_in_bytes
))
2809 unsigned int align
= get_object_alignment (t
);
2810 build_check_stmt (location
, base
, NULL_TREE
, size_in_bytes
, iter
,
2811 /*is_non_zero_len*/size_in_bytes
> 0, /*before_p=*/true,
2812 is_store
, /*is_scalar_access*/true, align
);
2813 update_mem_ref_hash_table (base
, size_in_bytes
);
2814 update_mem_ref_hash_table (t
, size_in_bytes
);
2819 /* Insert a memory reference into the hash table if access length
2820 can be determined in compile time. */
2823 maybe_update_mem_ref_hash_table (tree base
, tree len
)
2825 if (!POINTER_TYPE_P (TREE_TYPE (base
))
2826 || !INTEGRAL_TYPE_P (TREE_TYPE (len
)))
2829 HOST_WIDE_INT size_in_bytes
= tree_fits_shwi_p (len
) ? tree_to_shwi (len
) : -1;
2831 if (size_in_bytes
!= -1)
2832 update_mem_ref_hash_table (base
, size_in_bytes
);
2835 /* Instrument an access to a contiguous memory region that starts at
2836 the address pointed to by BASE, over a length of LEN (expressed in
2837 the sizeof (*BASE) bytes). ITER points to the instruction before
2838 which the instrumentation instructions must be inserted. LOCATION
2839 is the source location that the instrumentation instructions must
2840 have. If IS_STORE is true, then the memory access is a store;
2841 otherwise, it's a load. */
2844 instrument_mem_region_access (tree base
, tree len
,
2845 gimple_stmt_iterator
*iter
,
2846 location_t location
, bool is_store
)
2848 if (!POINTER_TYPE_P (TREE_TYPE (base
))
2849 || !INTEGRAL_TYPE_P (TREE_TYPE (len
))
2850 || integer_zerop (len
))
2853 HOST_WIDE_INT size_in_bytes
= tree_fits_shwi_p (len
) ? tree_to_shwi (len
) : -1;
2855 if ((size_in_bytes
== -1)
2856 || !has_mem_ref_been_instrumented (base
, size_in_bytes
))
2858 build_check_stmt (location
, base
, len
, size_in_bytes
, iter
,
2859 /*is_non_zero_len*/size_in_bytes
> 0, /*before_p*/true,
2860 is_store
, /*is_scalar_access*/false, /*align*/0);
2863 maybe_update_mem_ref_hash_table (base
, len
);
2864 *iter
= gsi_for_stmt (gsi_stmt (*iter
));
2867 /* Instrument the call to a built-in memory access function that is
2868 pointed to by the iterator ITER.
2870 Upon completion, return TRUE iff *ITER has been advanced to the
2871 statement following the one it was originally pointing to. */
2874 instrument_builtin_call (gimple_stmt_iterator
*iter
)
2876 if (!(asan_memintrin () || hwasan_memintrin ()))
2879 bool iter_advanced_p
= false;
2880 gcall
*call
= as_a
<gcall
*> (gsi_stmt (*iter
));
2882 gcc_checking_assert (gimple_call_builtin_p (call
, BUILT_IN_NORMAL
));
2884 location_t loc
= gimple_location (call
);
2886 asan_mem_ref src0
, src1
, dest
;
2887 asan_mem_ref_init (&src0
, NULL
, 1);
2888 asan_mem_ref_init (&src1
, NULL
, 1);
2889 asan_mem_ref_init (&dest
, NULL
, 1);
2891 tree src0_len
= NULL_TREE
, src1_len
= NULL_TREE
, dest_len
= NULL_TREE
;
2892 bool src0_is_store
= false, src1_is_store
= false, dest_is_store
= false,
2893 dest_is_deref
= false, intercepted_p
= true;
2895 if (get_mem_refs_of_builtin_call (call
,
2896 &src0
, &src0_len
, &src0_is_store
,
2897 &src1
, &src1_len
, &src1_is_store
,
2898 &dest
, &dest_len
, &dest_is_store
,
2899 &dest_is_deref
, &intercepted_p
, iter
))
2903 instrument_derefs (iter
, dest
.start
, loc
, dest_is_store
);
2905 iter_advanced_p
= true;
2907 else if (!intercepted_p
2908 && (src0_len
|| src1_len
|| dest_len
))
2910 if (src0
.start
!= NULL_TREE
)
2911 instrument_mem_region_access (src0
.start
, src0_len
,
2912 iter
, loc
, /*is_store=*/false);
2913 if (src1
.start
!= NULL_TREE
)
2914 instrument_mem_region_access (src1
.start
, src1_len
,
2915 iter
, loc
, /*is_store=*/false);
2916 if (dest
.start
!= NULL_TREE
)
2917 instrument_mem_region_access (dest
.start
, dest_len
,
2918 iter
, loc
, /*is_store=*/true);
2920 *iter
= gsi_for_stmt (call
);
2922 iter_advanced_p
= true;
2926 if (src0
.start
!= NULL_TREE
)
2927 maybe_update_mem_ref_hash_table (src0
.start
, src0_len
);
2928 if (src1
.start
!= NULL_TREE
)
2929 maybe_update_mem_ref_hash_table (src1
.start
, src1_len
);
2930 if (dest
.start
!= NULL_TREE
)
2931 maybe_update_mem_ref_hash_table (dest
.start
, dest_len
);
2934 return iter_advanced_p
;
2937 /* Instrument the assignment statement ITER if it is subject to
2938 instrumentation. Return TRUE iff instrumentation actually
2939 happened. In that case, the iterator ITER is advanced to the next
2940 logical expression following the one initially pointed to by ITER,
2941 and the relevant memory reference that which access has been
2942 instrumented is added to the memory references hash table. */
2945 maybe_instrument_assignment (gimple_stmt_iterator
*iter
)
2947 gimple
*s
= gsi_stmt (*iter
);
2949 gcc_assert (gimple_assign_single_p (s
));
2951 tree ref_expr
= NULL_TREE
;
2952 bool is_store
, is_instrumented
= false;
2954 if (gimple_store_p (s
))
2956 ref_expr
= gimple_assign_lhs (s
);
2958 instrument_derefs (iter
, ref_expr
,
2959 gimple_location (s
),
2961 is_instrumented
= true;
2964 if (gimple_assign_load_p (s
))
2966 ref_expr
= gimple_assign_rhs1 (s
);
2968 instrument_derefs (iter
, ref_expr
,
2969 gimple_location (s
),
2971 is_instrumented
= true;
2974 if (is_instrumented
)
2977 return is_instrumented
;
2980 /* Instrument the function call pointed to by the iterator ITER, if it
2981 is subject to instrumentation. At the moment, the only function
2982 calls that are instrumented are some built-in functions that access
2983 memory. Look at instrument_builtin_call to learn more.
2985 Upon completion return TRUE iff *ITER was advanced to the statement
2986 following the one it was originally pointing to. */
2989 maybe_instrument_call (gimple_stmt_iterator
*iter
)
2991 gimple
*stmt
= gsi_stmt (*iter
);
2992 bool is_builtin
= gimple_call_builtin_p (stmt
, BUILT_IN_NORMAL
);
2994 if (is_builtin
&& instrument_builtin_call (iter
))
2997 if (gimple_call_noreturn_p (stmt
))
3001 tree callee
= gimple_call_fndecl (stmt
);
3002 switch (DECL_FUNCTION_CODE (callee
))
3004 case BUILT_IN_UNREACHABLE
:
3005 case BUILT_IN_UNREACHABLE_TRAP
:
3007 /* Don't instrument these. */
3013 /* If a function does not return, then we must handle clearing up the
3014 shadow stack accordingly. For ASAN we can simply set the entire stack
3015 to "valid" for accesses by setting the shadow space to 0 and all
3016 accesses will pass checks. That means that some bad accesses may be
3017 missed, but we will not report any false positives.
3019 This is not possible for HWASAN. Since there is no "always valid" tag
3020 we can not set any space to "always valid". If we were to clear the
3021 entire shadow stack then code resuming from `longjmp` or a caught
3022 exception would trigger false positives when correctly accessing
3023 variables on the stack. Hence we need to handle things like
3024 `longjmp`, thread exit, and exceptions in a different way. These
3025 problems must be handled externally to the compiler, e.g. in the
3026 language runtime. */
3027 if (! hwasan_sanitize_p ())
3029 tree decl
= builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN
);
3030 gimple
*g
= gimple_build_call (decl
, 0);
3031 gimple_set_location (g
, gimple_location (stmt
));
3032 gsi_safe_insert_before (iter
, g
);
3036 bool instrumented
= false;
3037 if (gimple_store_p (stmt
)
3038 && (gimple_call_builtin_p (stmt
)
3039 || gimple_call_internal_p (stmt
)
3040 || !aggregate_value_p (TREE_TYPE (gimple_call_lhs (stmt
)),
3041 gimple_call_fntype (stmt
))))
3043 tree ref_expr
= gimple_call_lhs (stmt
);
3044 instrument_derefs (iter
, ref_expr
,
3045 gimple_location (stmt
),
3048 instrumented
= true;
3051 /* Walk through gimple_call arguments and check them id needed. */
3052 unsigned args_num
= gimple_call_num_args (stmt
);
3053 for (unsigned i
= 0; i
< args_num
; ++i
)
3055 tree arg
= gimple_call_arg (stmt
, i
);
3056 /* If ARG is not a non-aggregate register variable, compiler in general
3057 creates temporary for it and pass it as argument to gimple call.
3058 But in some cases, e.g. when we pass by value a small structure that
3059 fits to register, compiler can avoid extra overhead by pulling out
3060 these temporaries. In this case, we should check the argument. */
3061 if (!is_gimple_reg (arg
) && !is_gimple_min_invariant (arg
))
3063 instrument_derefs (iter
, arg
,
3064 gimple_location (stmt
),
3065 /*is_store=*/false);
3066 instrumented
= true;
3071 return instrumented
;
3074 /* Walk each instruction of all basic block and instrument those that
3075 represent memory references: loads, stores, or function calls.
3076 In a given basic block, this function avoids instrumenting memory
3077 references that have already been instrumented. */
3080 transform_statements (void)
3082 basic_block bb
, last_bb
= NULL
;
3083 gimple_stmt_iterator i
;
3084 int saved_last_basic_block
= last_basic_block_for_fn (cfun
);
3086 FOR_EACH_BB_FN (bb
, cfun
)
3088 basic_block prev_bb
= bb
;
3090 if (bb
->index
>= saved_last_basic_block
) continue;
3092 /* Flush the mem ref hash table, if current bb doesn't have
3093 exactly one predecessor, or if that predecessor (skipping
3094 over asan created basic blocks) isn't the last processed
3095 basic block. Thus we effectively flush on extended basic
3096 block boundaries. */
3097 while (single_pred_p (prev_bb
))
3099 prev_bb
= single_pred (prev_bb
);
3100 if (prev_bb
->index
< saved_last_basic_block
)
3103 if (prev_bb
!= last_bb
)
3104 empty_mem_ref_hash_table ();
3107 for (i
= gsi_start_bb (bb
); !gsi_end_p (i
);)
3109 gimple
*s
= gsi_stmt (i
);
3111 if (has_stmt_been_instrumented_p (s
))
3113 else if (gimple_assign_single_p (s
)
3114 && !gimple_clobber_p (s
)
3115 && maybe_instrument_assignment (&i
))
3116 /* Nothing to do as maybe_instrument_assignment advanced
3118 else if (is_gimple_call (s
) && maybe_instrument_call (&i
))
3119 /* Nothing to do as maybe_instrument_call
3120 advanced the iterator I. */;
3123 /* No instrumentation happened.
3125 If the current instruction is a function call that
3126 might free something, let's forget about the memory
3127 references that got instrumented. Otherwise we might
3128 miss some instrumentation opportunities. Do the same
3129 for a ASAN_MARK poisoning internal function. */
3130 if (is_gimple_call (s
)
3131 && (!nonfreeing_call_p (s
)
3132 || asan_mark_p (s
, ASAN_MARK_POISON
)))
3133 empty_mem_ref_hash_table ();
3139 free_mem_ref_resources ();
3143 __asan_before_dynamic_init (module_name)
3145 __asan_after_dynamic_init ()
3149 asan_dynamic_init_call (bool after_p
)
3151 if (shadow_ptr_types
[0] == NULL_TREE
)
3152 asan_init_shadow_ptr_types ();
3154 tree fn
= builtin_decl_implicit (after_p
3155 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
3156 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT
);
3157 tree module_name_cst
= NULL_TREE
;
3160 pretty_printer module_name_pp
;
3161 pp_string (&module_name_pp
, main_input_filename
);
3163 module_name_cst
= asan_pp_string (&module_name_pp
);
3164 module_name_cst
= fold_convert (const_ptr_type_node
,
3168 return build_call_expr (fn
, after_p
? 0 : 1, module_name_cst
);
3172 struct __asan_global
3176 uptr __size_with_redzone;
3178 const void *__module_name;
3179 uptr __has_dynamic_init;
3180 __asan_global_source_location *__location;
3181 char *__odr_indicator;
3185 asan_global_struct (void)
3187 static const char *field_names
[]
3188 = { "__beg", "__size", "__size_with_redzone",
3189 "__name", "__module_name", "__has_dynamic_init", "__location",
3190 "__odr_indicator" };
3191 tree fields
[ARRAY_SIZE (field_names
)], ret
;
3194 ret
= make_node (RECORD_TYPE
);
3195 for (i
= 0; i
< ARRAY_SIZE (field_names
); i
++)
3198 = build_decl (UNKNOWN_LOCATION
, FIELD_DECL
,
3199 get_identifier (field_names
[i
]),
3200 (i
== 0 || i
== 3) ? const_ptr_type_node
3201 : pointer_sized_int_node
);
3202 DECL_CONTEXT (fields
[i
]) = ret
;
3204 DECL_CHAIN (fields
[i
- 1]) = fields
[i
];
3206 tree type_decl
= build_decl (input_location
, TYPE_DECL
,
3207 get_identifier ("__asan_global"), ret
);
3208 DECL_IGNORED_P (type_decl
) = 1;
3209 DECL_ARTIFICIAL (type_decl
) = 1;
3210 TYPE_FIELDS (ret
) = fields
[0];
3211 TYPE_NAME (ret
) = type_decl
;
3212 TYPE_STUB_DECL (ret
) = type_decl
;
3213 TYPE_ARTIFICIAL (ret
) = 1;
3218 /* Create and return odr indicator symbol for DECL.
3219 TYPE is __asan_global struct type as returned by asan_global_struct. */
3222 create_odr_indicator (tree decl
, tree type
)
3225 tree uptr
= TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type
)));
3227 = (HAS_DECL_ASSEMBLER_NAME_P (decl
) ? DECL_ASSEMBLER_NAME (decl
)
3228 : DECL_NAME (decl
));
3229 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
3230 if (decl_name
== NULL_TREE
)
3231 return build_int_cst (uptr
, 0);
3232 const char *dname
= IDENTIFIER_POINTER (decl_name
);
3233 if (HAS_DECL_ASSEMBLER_NAME_P (decl
))
3234 dname
= targetm
.strip_name_encoding (dname
);
3235 size_t len
= strlen (dname
) + sizeof ("__odr_asan_");
3236 name
= XALLOCAVEC (char, len
);
3237 snprintf (name
, len
, "__odr_asan_%s", dname
);
3238 #ifndef NO_DOT_IN_LABEL
3239 name
[sizeof ("__odr_asan") - 1] = '.';
3240 #elif !defined(NO_DOLLAR_IN_LABEL)
3241 name
[sizeof ("__odr_asan") - 1] = '$';
3243 tree var
= build_decl (UNKNOWN_LOCATION
, VAR_DECL
, get_identifier (name
),
3245 TREE_ADDRESSABLE (var
) = 1;
3246 TREE_READONLY (var
) = 0;
3247 TREE_THIS_VOLATILE (var
) = 1;
3248 DECL_ARTIFICIAL (var
) = 1;
3249 DECL_IGNORED_P (var
) = 1;
3250 TREE_STATIC (var
) = 1;
3251 TREE_PUBLIC (var
) = 1;
3252 DECL_VISIBILITY (var
) = DECL_VISIBILITY (decl
);
3253 DECL_VISIBILITY_SPECIFIED (var
) = DECL_VISIBILITY_SPECIFIED (decl
);
3255 TREE_USED (var
) = 1;
3256 tree ctor
= build_constructor_va (TREE_TYPE (var
), 1, NULL_TREE
,
3257 build_int_cst (unsigned_type_node
, 0));
3258 TREE_CONSTANT (ctor
) = 1;
3259 TREE_STATIC (ctor
) = 1;
3260 DECL_INITIAL (var
) = ctor
;
3261 DECL_ATTRIBUTES (var
) = tree_cons (get_identifier ("asan odr indicator"),
3262 NULL
, DECL_ATTRIBUTES (var
));
3263 make_decl_rtl (var
);
3264 varpool_node::finalize_decl (var
);
3265 return fold_convert (uptr
, build_fold_addr_expr (var
));
3268 /* Return true if DECL, a global var, might be overridden and needs
3269 an additional odr indicator symbol. */
3272 asan_needs_odr_indicator_p (tree decl
)
3274 /* Don't emit ODR indicators for kernel because:
3275 a) Kernel is written in C thus doesn't need ODR indicators.
3276 b) Some kernel code may have assumptions about symbols containing specific
3277 patterns in their names. Since ODR indicators contain original names
3278 of symbols they are emitted for, these assumptions would be broken for
3279 ODR indicator symbols. */
3280 return (!(flag_sanitize
& SANITIZE_KERNEL_ADDRESS
)
3281 && !DECL_ARTIFICIAL (decl
)
3282 && !DECL_WEAK (decl
)
3283 && TREE_PUBLIC (decl
));
3286 /* Append description of a single global DECL into vector V.
3287 TYPE is __asan_global struct type as returned by asan_global_struct. */
3290 asan_add_global (tree decl
, tree type
, vec
<constructor_elt
, va_gc
> *v
)
3292 tree init
, uptr
= TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type
)));
3293 unsigned HOST_WIDE_INT size
;
3294 tree str_cst
, module_name_cst
, refdecl
= decl
;
3295 vec
<constructor_elt
, va_gc
> *vinner
= NULL
;
3297 pretty_printer asan_pp
, module_name_pp
;
3299 if (DECL_NAME (decl
))
3300 pp_tree_identifier (&asan_pp
, DECL_NAME (decl
));
3302 pp_string (&asan_pp
, "<unknown>");
3303 str_cst
= asan_pp_string (&asan_pp
);
3306 pp_string (&module_name_pp
, main_input_filename
);
3309 const_tree tu
= get_ultimate_context ((const_tree
)decl
);
3310 if (tu
!= NULL_TREE
)
3311 pp_string (&module_name_pp
, IDENTIFIER_POINTER (DECL_NAME (tu
)));
3313 pp_string (&module_name_pp
, aux_base_name
);
3316 module_name_cst
= asan_pp_string (&module_name_pp
);
3318 if (asan_needs_local_alias (decl
))
3321 ASM_GENERATE_INTERNAL_LABEL (buf
, "LASAN", vec_safe_length (v
) + 1);
3322 refdecl
= build_decl (DECL_SOURCE_LOCATION (decl
),
3323 VAR_DECL
, get_identifier (buf
), TREE_TYPE (decl
));
3324 TREE_ADDRESSABLE (refdecl
) = TREE_ADDRESSABLE (decl
);
3325 TREE_READONLY (refdecl
) = TREE_READONLY (decl
);
3326 TREE_THIS_VOLATILE (refdecl
) = TREE_THIS_VOLATILE (decl
);
3327 DECL_NOT_GIMPLE_REG_P (refdecl
) = DECL_NOT_GIMPLE_REG_P (decl
);
3328 DECL_ARTIFICIAL (refdecl
) = DECL_ARTIFICIAL (decl
);
3329 DECL_IGNORED_P (refdecl
) = DECL_IGNORED_P (decl
);
3330 TREE_STATIC (refdecl
) = 1;
3331 TREE_PUBLIC (refdecl
) = 0;
3332 TREE_USED (refdecl
) = 1;
3333 assemble_alias (refdecl
, DECL_ASSEMBLER_NAME (decl
));
3336 tree odr_indicator_ptr
3337 = (asan_needs_odr_indicator_p (decl
) ? create_odr_indicator (decl
, type
)
3338 : build_int_cst (uptr
, 0));
3339 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
,
3340 fold_convert (const_ptr_type_node
,
3341 build_fold_addr_expr (refdecl
)));
3342 size
= tree_to_uhwi (DECL_SIZE_UNIT (decl
));
3343 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
, build_int_cst (uptr
, size
));
3344 size
+= asan_red_zone_size (size
);
3345 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
, build_int_cst (uptr
, size
));
3346 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
,
3347 fold_convert (const_ptr_type_node
, str_cst
));
3348 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
,
3349 fold_convert (const_ptr_type_node
, module_name_cst
));
3350 varpool_node
*vnode
= varpool_node::get (decl
);
3351 int has_dynamic_init
= 0;
3352 /* FIXME: Enable initialization order fiasco detection in LTO mode once
3353 proper fix for PR 79061 will be applied. */
3355 has_dynamic_init
= vnode
? vnode
->dynamically_initialized
: 0;
3356 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
,
3357 build_int_cst (uptr
, has_dynamic_init
));
3358 tree locptr
= NULL_TREE
;
3359 location_t loc
= DECL_SOURCE_LOCATION (decl
);
3360 expanded_location xloc
= expand_location (loc
);
3361 if (xloc
.file
!= NULL
)
3363 static int lasanloccnt
= 0;
3365 ASM_GENERATE_INTERNAL_LABEL (buf
, "LASANLOC", ++lasanloccnt
);
3366 tree var
= build_decl (UNKNOWN_LOCATION
, VAR_DECL
, get_identifier (buf
),
3367 ubsan_get_source_location_type ());
3368 TREE_STATIC (var
) = 1;
3369 TREE_PUBLIC (var
) = 0;
3370 DECL_ARTIFICIAL (var
) = 1;
3371 DECL_IGNORED_P (var
) = 1;
3372 pretty_printer filename_pp
;
3373 pp_string (&filename_pp
, xloc
.file
);
3374 tree str
= asan_pp_string (&filename_pp
);
3375 tree ctor
= build_constructor_va (TREE_TYPE (var
), 3,
3376 NULL_TREE
, str
, NULL_TREE
,
3377 build_int_cst (unsigned_type_node
,
3378 xloc
.line
), NULL_TREE
,
3379 build_int_cst (unsigned_type_node
,
3381 TREE_CONSTANT (ctor
) = 1;
3382 TREE_STATIC (ctor
) = 1;
3383 DECL_INITIAL (var
) = ctor
;
3384 varpool_node::finalize_decl (var
);
3385 locptr
= fold_convert (uptr
, build_fold_addr_expr (var
));
3388 locptr
= build_int_cst (uptr
, 0);
3389 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
, locptr
);
3390 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
, odr_indicator_ptr
);
3391 init
= build_constructor (type
, vinner
);
3392 CONSTRUCTOR_APPEND_ELT (v
, NULL_TREE
, init
);
3395 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
3397 initialize_sanitizer_builtins (void)
3401 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT
))
3404 tree BT_FN_VOID
= build_function_type_list (void_type_node
, NULL_TREE
);
3406 = build_function_type_list (void_type_node
, ptr_type_node
, NULL_TREE
);
3407 tree BT_FN_VOID_CONST_PTR
3408 = build_function_type_list (void_type_node
, const_ptr_type_node
, NULL_TREE
);
3409 tree BT_FN_VOID_PTR_PTR
3410 = build_function_type_list (void_type_node
, ptr_type_node
,
3411 ptr_type_node
, NULL_TREE
);
3412 tree BT_FN_VOID_PTR_PTR_PTR
3413 = build_function_type_list (void_type_node
, ptr_type_node
,
3414 ptr_type_node
, ptr_type_node
, NULL_TREE
);
3415 tree BT_FN_VOID_PTR_PTRMODE
3416 = build_function_type_list (void_type_node
, ptr_type_node
,
3417 pointer_sized_int_node
, NULL_TREE
);
3419 = build_function_type_list (void_type_node
, integer_type_node
, NULL_TREE
);
3420 tree BT_FN_SIZE_CONST_PTR_INT
3421 = build_function_type_list (size_type_node
, const_ptr_type_node
,
3422 integer_type_node
, NULL_TREE
);
3424 tree BT_FN_VOID_UINT8_UINT8
3425 = build_function_type_list (void_type_node
, unsigned_char_type_node
,
3426 unsigned_char_type_node
, NULL_TREE
);
3427 tree BT_FN_VOID_UINT16_UINT16
3428 = build_function_type_list (void_type_node
, uint16_type_node
,
3429 uint16_type_node
, NULL_TREE
);
3430 tree BT_FN_VOID_UINT32_UINT32
3431 = build_function_type_list (void_type_node
, uint32_type_node
,
3432 uint32_type_node
, NULL_TREE
);
3433 tree BT_FN_VOID_UINT64_UINT64
3434 = build_function_type_list (void_type_node
, uint64_type_node
,
3435 uint64_type_node
, NULL_TREE
);
3436 tree BT_FN_VOID_FLOAT_FLOAT
3437 = build_function_type_list (void_type_node
, float_type_node
,
3438 float_type_node
, NULL_TREE
);
3439 tree BT_FN_VOID_DOUBLE_DOUBLE
3440 = build_function_type_list (void_type_node
, double_type_node
,
3441 double_type_node
, NULL_TREE
);
3442 tree BT_FN_VOID_UINT64_PTR
3443 = build_function_type_list (void_type_node
, uint64_type_node
,
3444 ptr_type_node
, NULL_TREE
);
3446 tree BT_FN_PTR_CONST_PTR_UINT8
3447 = build_function_type_list (ptr_type_node
, const_ptr_type_node
,
3448 unsigned_char_type_node
, NULL_TREE
);
3449 tree BT_FN_VOID_PTR_UINT8_PTRMODE
3450 = build_function_type_list (void_type_node
, ptr_type_node
,
3451 unsigned_char_type_node
,
3452 pointer_sized_int_node
, NULL_TREE
);
3454 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT
[5];
3455 tree BT_FN_IX_CONST_VPTR_INT
[5];
3456 tree BT_FN_IX_VPTR_IX_INT
[5];
3457 tree BT_FN_VOID_VPTR_IX_INT
[5];
3459 = build_pointer_type (build_qualified_type (void_type_node
,
3460 TYPE_QUAL_VOLATILE
));
3462 = build_pointer_type (build_qualified_type (void_type_node
,
3466 = lang_hooks
.types
.type_for_size (BOOL_TYPE_SIZE
, 1);
3468 for (i
= 0; i
< 5; i
++)
3470 tree ix
= build_nonstandard_integer_type (BITS_PER_UNIT
* (1 << i
), 1);
3471 BT_FN_BOOL_VPTR_PTR_IX_INT_INT
[i
]
3472 = build_function_type_list (boolt
, vptr
, ptr_type_node
, ix
,
3473 integer_type_node
, integer_type_node
,
3475 BT_FN_IX_CONST_VPTR_INT
[i
]
3476 = build_function_type_list (ix
, cvptr
, integer_type_node
, NULL_TREE
);
3477 BT_FN_IX_VPTR_IX_INT
[i
]
3478 = build_function_type_list (ix
, vptr
, ix
, integer_type_node
,
3480 BT_FN_VOID_VPTR_IX_INT
[i
]
3481 = build_function_type_list (void_type_node
, vptr
, ix
,
3482 integer_type_node
, NULL_TREE
);
3484 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
3485 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
3486 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
3487 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
3488 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
3489 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
3490 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
3491 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
3492 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
3493 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
3494 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
3495 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
3496 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
3497 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
3498 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
3499 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
3500 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
3501 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
3502 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
3503 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
3504 #undef ATTR_NOTHROW_LIST
3505 #define ATTR_NOTHROW_LIST ECF_NOTHROW
3506 #undef ATTR_NOTHROW_LEAF_LIST
3507 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
3508 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
3509 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
3510 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
3511 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
3512 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3513 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
3514 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
3515 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
3516 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
3517 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
3518 #undef ATTR_COLD_NOTHROW_LEAF_LIST
3519 #define ATTR_COLD_NOTHROW_LEAF_LIST \
3520 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
3521 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
3522 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
3523 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
3524 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
3525 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
3526 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3527 #undef ATTR_PURE_NOTHROW_LEAF_LIST
3528 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
3529 #undef DEF_BUILTIN_STUB
3530 #define DEF_BUILTIN_STUB(ENUM, NAME)
3531 #undef DEF_SANITIZER_BUILTIN_1
3532 #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \
3534 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
3535 BUILT_IN_NORMAL, NAME, NULL_TREE); \
3536 set_call_expr_flags (decl, ATTRS); \
3537 set_builtin_decl (ENUM, decl, true); \
3539 #undef DEF_SANITIZER_BUILTIN
3540 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
3541 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS);
3543 #include "sanitizer.def"
3545 /* -fsanitize=object-size uses __builtin_dynamic_object_size and
3546 __builtin_object_size, but they might not be available for e.g. Fortran at
3547 this point. We use DEF_SANITIZER_BUILTIN here only as a convenience
3549 if (flag_sanitize
& SANITIZE_OBJECT_SIZE
)
3551 if (!builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE
))
3552 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_OBJECT_SIZE
, "object_size",
3553 BT_FN_SIZE_CONST_PTR_INT
,
3554 ATTR_PURE_NOTHROW_LEAF_LIST
);
3555 if (!builtin_decl_implicit_p (BUILT_IN_DYNAMIC_OBJECT_SIZE
))
3556 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_DYNAMIC_OBJECT_SIZE
,
3557 "dynamic_object_size",
3558 BT_FN_SIZE_CONST_PTR_INT
,
3559 ATTR_PURE_NOTHROW_LEAF_LIST
);
3562 #undef DEF_SANITIZER_BUILTIN_1
3563 #undef DEF_SANITIZER_BUILTIN
3564 #undef DEF_BUILTIN_STUB
3567 /* Called via htab_traverse. Count number of emitted
3568 STRING_CSTs in the constant hash table. */
3571 count_string_csts (constant_descriptor_tree
**slot
,
3572 unsigned HOST_WIDE_INT
*data
)
3574 struct constant_descriptor_tree
*desc
= *slot
;
3575 if (TREE_CODE (desc
->value
) == STRING_CST
3576 && TREE_ASM_WRITTEN (desc
->value
)
3577 && asan_protect_global (desc
->value
))
3582 /* Helper structure to pass two parameters to
3585 struct asan_add_string_csts_data
3588 vec
<constructor_elt
, va_gc
> *v
;
3591 /* Called via hash_table::traverse. Call asan_add_global
3592 on emitted STRING_CSTs from the constant hash table. */
3595 add_string_csts (constant_descriptor_tree
**slot
,
3596 asan_add_string_csts_data
*aascd
)
3598 struct constant_descriptor_tree
*desc
= *slot
;
3599 if (TREE_CODE (desc
->value
) == STRING_CST
3600 && TREE_ASM_WRITTEN (desc
->value
)
3601 && asan_protect_global (desc
->value
))
3603 asan_add_global (SYMBOL_REF_DECL (XEXP (desc
->rtl
, 0)),
3604 aascd
->type
, aascd
->v
);
3609 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
3610 invoke ggc_collect. */
3611 static GTY(()) tree asan_ctor_statements
;
3613 /* Module-level instrumentation.
3614 - Insert __asan_init_vN() into the list of CTORs.
3615 - TODO: insert redzones around globals.
3619 asan_finish_file (void)
3621 varpool_node
*vnode
;
3622 unsigned HOST_WIDE_INT gcount
= 0;
3624 if (shadow_ptr_types
[0] == NULL_TREE
)
3625 asan_init_shadow_ptr_types ();
3626 /* Avoid instrumenting code in the asan ctors/dtors.
3627 We don't need to insert padding after the description strings,
3628 nor after .LASAN* array. */
3629 flag_sanitize
&= ~SANITIZE_ADDRESS
;
3631 /* For user-space we want asan constructors to run first.
3632 Linux kernel does not support priorities other than default, and the only
3633 other user of constructors is coverage. So we run with the default
3635 int priority
= flag_sanitize
& SANITIZE_USER_ADDRESS
3636 ? MAX_RESERVED_INIT_PRIORITY
- 1 : DEFAULT_INIT_PRIORITY
;
3638 if (flag_sanitize
& SANITIZE_USER_ADDRESS
)
3640 tree fn
= builtin_decl_implicit (BUILT_IN_ASAN_INIT
);
3641 append_to_statement_list (build_call_expr (fn
, 0), &asan_ctor_statements
);
3642 fn
= builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK
);
3643 append_to_statement_list (build_call_expr (fn
, 0), &asan_ctor_statements
);
3645 FOR_EACH_DEFINED_VARIABLE (vnode
)
3646 if (TREE_ASM_WRITTEN (vnode
->decl
)
3647 && asan_protect_global (vnode
->decl
))
3649 hash_table
<tree_descriptor_hasher
> *const_desc_htab
= constant_pool_htab ();
3650 const_desc_htab
->traverse
<unsigned HOST_WIDE_INT
*, count_string_csts
>
3654 tree type
= asan_global_struct (), var
, ctor
;
3655 tree dtor_statements
= NULL_TREE
;
3656 vec
<constructor_elt
, va_gc
> *v
;
3659 type
= build_array_type_nelts (type
, gcount
);
3660 ASM_GENERATE_INTERNAL_LABEL (buf
, "LASAN", 0);
3661 var
= build_decl (UNKNOWN_LOCATION
, VAR_DECL
, get_identifier (buf
),
3663 TREE_STATIC (var
) = 1;
3664 TREE_PUBLIC (var
) = 0;
3665 DECL_ARTIFICIAL (var
) = 1;
3666 DECL_IGNORED_P (var
) = 1;
3667 vec_alloc (v
, gcount
);
3668 FOR_EACH_DEFINED_VARIABLE (vnode
)
3669 if (TREE_ASM_WRITTEN (vnode
->decl
)
3670 && asan_protect_global (vnode
->decl
))
3671 asan_add_global (vnode
->decl
, TREE_TYPE (type
), v
);
3672 struct asan_add_string_csts_data aascd
;
3673 aascd
.type
= TREE_TYPE (type
);
3675 const_desc_htab
->traverse
<asan_add_string_csts_data
*, add_string_csts
>
3677 ctor
= build_constructor (type
, v
);
3678 TREE_CONSTANT (ctor
) = 1;
3679 TREE_STATIC (ctor
) = 1;
3680 DECL_INITIAL (var
) = ctor
;
3681 SET_DECL_ALIGN (var
, MAX (DECL_ALIGN (var
),
3682 ASAN_SHADOW_GRANULARITY
* BITS_PER_UNIT
));
3684 varpool_node::finalize_decl (var
);
3686 tree fn
= builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS
);
3687 tree gcount_tree
= build_int_cst (pointer_sized_int_node
, gcount
);
3688 append_to_statement_list (build_call_expr (fn
, 2,
3689 build_fold_addr_expr (var
),
3691 &asan_ctor_statements
);
3693 fn
= builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS
);
3694 append_to_statement_list (build_call_expr (fn
, 2,
3695 build_fold_addr_expr (var
),
3698 cgraph_build_static_cdtor ('D', dtor_statements
, priority
);
3700 if (asan_ctor_statements
)
3701 cgraph_build_static_cdtor ('I', asan_ctor_statements
, priority
);
3702 flag_sanitize
|= SANITIZE_ADDRESS
;
3705 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
3706 on SHADOW address. Newly added statements will be added to ITER with
3707 given location LOC. We mark SIZE bytes in shadow memory, where
3708 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
3709 end of a variable. */
3712 asan_store_shadow_bytes (gimple_stmt_iterator
*iter
, location_t loc
,
3714 unsigned HOST_WIDE_INT base_addr_offset
,
3715 bool is_clobber
, unsigned size
,
3716 unsigned last_chunk_size
)
3718 tree shadow_ptr_type
;
3723 shadow_ptr_type
= shadow_ptr_types
[0];
3726 shadow_ptr_type
= shadow_ptr_types
[1];
3729 shadow_ptr_type
= shadow_ptr_types
[2];
3735 unsigned char c
= (char) is_clobber
? ASAN_STACK_MAGIC_USE_AFTER_SCOPE
: 0;
3736 unsigned HOST_WIDE_INT val
= 0;
3737 unsigned last_pos
= size
;
3738 if (last_chunk_size
&& !is_clobber
)
3739 last_pos
= BYTES_BIG_ENDIAN
? 0 : size
- 1;
3740 for (unsigned i
= 0; i
< size
; ++i
)
3742 unsigned char shadow_c
= c
;
3744 shadow_c
= last_chunk_size
;
3745 val
|= (unsigned HOST_WIDE_INT
) shadow_c
<< (BITS_PER_UNIT
* i
);
3748 /* Handle last chunk in unpoisoning. */
3749 tree magic
= build_int_cst (TREE_TYPE (shadow_ptr_type
), val
);
3751 tree dest
= build2 (MEM_REF
, TREE_TYPE (shadow_ptr_type
), shadow
,
3752 build_int_cst (shadow_ptr_type
, base_addr_offset
));
3754 gimple
*g
= gimple_build_assign (dest
, magic
);
3755 gimple_set_location (g
, loc
);
3756 gsi_insert_after (iter
, g
, GSI_NEW_STMT
);
3759 /* Expand the ASAN_MARK builtins. */
3762 asan_expand_mark_ifn (gimple_stmt_iterator
*iter
)
3764 gimple
*g
= gsi_stmt (*iter
);
3765 location_t loc
= gimple_location (g
);
3766 HOST_WIDE_INT flag
= tree_to_shwi (gimple_call_arg (g
, 0));
3767 bool is_poison
= ((asan_mark_flags
)flag
) == ASAN_MARK_POISON
;
3769 tree base
= gimple_call_arg (g
, 1);
3770 gcc_checking_assert (TREE_CODE (base
) == ADDR_EXPR
);
3771 tree decl
= TREE_OPERAND (base
, 0);
3773 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
3774 if (TREE_CODE (decl
) == COMPONENT_REF
3775 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl
, 0)))
3776 decl
= TREE_OPERAND (decl
, 0);
3778 gcc_checking_assert (TREE_CODE (decl
) == VAR_DECL
);
3780 if (hwasan_sanitize_p ())
3782 gcc_assert (param_hwasan_instrument_stack
);
3783 gimple_seq stmts
= NULL
;
3784 /* Here we swap ASAN_MARK calls for HWASAN_MARK.
3785 This is because we are using the approach of using ASAN_MARK as a
3787 That approach means we don't yet have to duplicate all the special
3788 cases for ASAN_MARK and ASAN_POISON with the exact same handling but
3789 called HWASAN_MARK etc.
3791 N.b. __asan_poison_stack_memory (which implements ASAN_MARK for ASAN)
3792 rounds the size up to its shadow memory granularity, while
3793 __hwasan_tag_memory (which implements the same for HWASAN) does not.
3794 Hence we emit HWASAN_MARK with an aligned size unlike ASAN_MARK. */
3795 tree len
= gimple_call_arg (g
, 2);
3796 tree new_len
= gimple_build_round_up (&stmts
, loc
, size_type_node
, len
,
3797 HWASAN_TAG_GRANULE_SIZE
);
3798 gimple_build (&stmts
, loc
, CFN_HWASAN_MARK
,
3799 void_type_node
, gimple_call_arg (g
, 0),
3801 gsi_replace_with_seq (iter
, stmts
, true);
3807 if (asan_handled_variables
== NULL
)
3808 asan_handled_variables
= new hash_set
<tree
> (16);
3809 asan_handled_variables
->add (decl
);
3811 tree len
= gimple_call_arg (g
, 2);
3813 gcc_assert (poly_int_tree_p (len
));
3815 g
= gimple_build_assign (make_ssa_name (pointer_sized_int_node
),
3817 gimple_set_location (g
, loc
);
3818 gsi_replace (iter
, g
, false);
3819 tree base_addr
= gimple_assign_lhs (g
);
3821 /* Generate direct emission if size_in_bytes is small. */
3822 unsigned threshold
= param_use_after_scope_direct_emission_threshold
;
3823 if (tree_fits_uhwi_p (len
) && tree_to_uhwi (len
) <= threshold
)
3825 unsigned HOST_WIDE_INT size_in_bytes
= tree_to_uhwi (len
);
3826 const unsigned HOST_WIDE_INT shadow_size
3827 = shadow_mem_size (size_in_bytes
);
3828 const unsigned int shadow_align
3829 = (get_pointer_alignment (base
) / BITS_PER_UNIT
) >> ASAN_SHADOW_SHIFT
;
3831 tree shadow
= build_shadow_mem_access (iter
, loc
, base_addr
,
3832 shadow_ptr_types
[0], true);
3834 for (unsigned HOST_WIDE_INT offset
= 0; offset
< shadow_size
;)
3837 if (shadow_size
- offset
>= 4
3838 && (!STRICT_ALIGNMENT
|| shadow_align
>= 4))
3840 else if (shadow_size
- offset
>= 2
3841 && (!STRICT_ALIGNMENT
|| shadow_align
>= 2))
3844 unsigned HOST_WIDE_INT last_chunk_size
= 0;
3845 unsigned HOST_WIDE_INT s
= (offset
+ size
) * ASAN_SHADOW_GRANULARITY
;
3846 if (s
> size_in_bytes
)
3847 last_chunk_size
= ASAN_SHADOW_GRANULARITY
- (s
- size_in_bytes
);
3849 asan_store_shadow_bytes (iter
, loc
, shadow
, offset
, is_poison
,
3850 size
, last_chunk_size
);
3856 g
= gimple_build_assign (make_ssa_name (pointer_sized_int_node
),
3858 gimple_set_location (g
, loc
);
3859 gsi_safe_insert_before (iter
, g
);
3860 tree sz_arg
= gimple_assign_lhs (g
);
3863 = builtin_decl_implicit (is_poison
? BUILT_IN_ASAN_POISON_STACK_MEMORY
3864 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY
);
3865 g
= gimple_build_call (fun
, 2, base_addr
, sz_arg
);
3866 gimple_set_location (g
, loc
);
3867 gsi_insert_after (iter
, g
, GSI_NEW_STMT
);
3873 /* Expand the ASAN_{LOAD,STORE} builtins. */
3876 asan_expand_check_ifn (gimple_stmt_iterator
*iter
, bool use_calls
)
3878 gcc_assert (!hwasan_sanitize_p ());
3879 gimple
*g
= gsi_stmt (*iter
);
3880 location_t loc
= gimple_location (g
);
3882 if (flag_sanitize
& SANITIZE_USER_ADDRESS
)
3883 recover_p
= (flag_sanitize_recover
& SANITIZE_USER_ADDRESS
) != 0;
3885 recover_p
= (flag_sanitize_recover
& SANITIZE_KERNEL_ADDRESS
) != 0;
3887 HOST_WIDE_INT flags
= tree_to_shwi (gimple_call_arg (g
, 0));
3888 gcc_assert (flags
< ASAN_CHECK_LAST
);
3889 bool is_scalar_access
= (flags
& ASAN_CHECK_SCALAR_ACCESS
) != 0;
3890 bool is_store
= (flags
& ASAN_CHECK_STORE
) != 0;
3891 bool is_non_zero_len
= (flags
& ASAN_CHECK_NON_ZERO_LEN
) != 0;
3893 tree base
= gimple_call_arg (g
, 1);
3894 tree len
= gimple_call_arg (g
, 2);
3895 HOST_WIDE_INT align
= tree_to_shwi (gimple_call_arg (g
, 3));
3897 HOST_WIDE_INT size_in_bytes
3898 = is_scalar_access
&& tree_fits_shwi_p (len
) ? tree_to_shwi (len
) : -1;
3902 /* Instrument using callbacks. */
3903 gimple
*g
= gimple_build_assign (make_ssa_name (pointer_sized_int_node
),
3905 gimple_set_location (g
, loc
);
3906 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
3907 tree base_addr
= gimple_assign_lhs (g
);
3910 tree fun
= check_func (is_store
, recover_p
, size_in_bytes
, &nargs
);
3912 g
= gimple_build_call (fun
, 1, base_addr
);
3915 gcc_assert (nargs
== 2);
3916 g
= gimple_build_assign (make_ssa_name (pointer_sized_int_node
),
3918 gimple_set_location (g
, loc
);
3919 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
3920 tree sz_arg
= gimple_assign_lhs (g
);
3921 g
= gimple_build_call (fun
, nargs
, base_addr
, sz_arg
);
3923 gimple_set_location (g
, loc
);
3924 gsi_replace (iter
, g
, false);
3928 HOST_WIDE_INT real_size_in_bytes
= size_in_bytes
== -1 ? 1 : size_in_bytes
;
3930 tree shadow_ptr_type
= shadow_ptr_types
[real_size_in_bytes
== 16 ? 1 : 0];
3931 tree shadow_type
= TREE_TYPE (shadow_ptr_type
);
3933 gimple_stmt_iterator gsi
= *iter
;
3935 if (!is_non_zero_len
)
3937 /* So, the length of the memory area to asan-protect is
3938 non-constant. Let's guard the generated instrumentation code
3943 //asan instrumentation code goes here.
3945 // falltrough instructions, starting with *ITER. */
3947 g
= gimple_build_cond (NE_EXPR
,
3949 build_int_cst (TREE_TYPE (len
), 0),
3950 NULL_TREE
, NULL_TREE
);
3951 gimple_set_location (g
, loc
);
3953 basic_block then_bb
, fallthrough_bb
;
3954 insert_if_then_before_iter (as_a
<gcond
*> (g
), iter
,
3955 /*then_more_likely_p=*/true,
3956 &then_bb
, &fallthrough_bb
);
3957 /* Note that fallthrough_bb starts with the statement that was
3958 pointed to by ITER. */
3960 /* The 'then block' of the 'if (len != 0) condition is where
3961 we'll generate the asan instrumentation code now. */
3962 gsi
= gsi_last_bb (then_bb
);
3965 /* Get an iterator on the point where we can add the condition
3966 statement for the instrumentation. */
3967 basic_block then_bb
, else_bb
;
3968 gsi
= create_cond_insert_point (&gsi
, /*before_p*/false,
3969 /*then_more_likely_p=*/false,
3970 /*create_then_fallthru_edge*/recover_p
,
3974 g
= gimple_build_assign (make_ssa_name (pointer_sized_int_node
),
3976 gimple_set_location (g
, loc
);
3977 gsi_insert_before (&gsi
, g
, GSI_NEW_STMT
);
3978 tree base_addr
= gimple_assign_lhs (g
);
3981 if (real_size_in_bytes
>= 8)
3983 tree shadow
= build_shadow_mem_access (&gsi
, loc
, base_addr
,
3989 /* Slow path for 1, 2 and 4 byte accesses. */
3990 /* Test (shadow != 0)
3991 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
3992 tree shadow
= build_shadow_mem_access (&gsi
, loc
, base_addr
,
3994 gimple
*shadow_test
= build_assign (NE_EXPR
, shadow
, 0);
3995 gimple_seq seq
= NULL
;
3996 gimple_seq_add_stmt (&seq
, shadow_test
);
3997 /* Aligned (>= 8 bytes) can test just
3998 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
4002 gimple_seq_add_stmt (&seq
, build_assign (BIT_AND_EXPR
,
4004 gimple_seq_add_stmt (&seq
,
4005 build_type_cast (shadow_type
,
4006 gimple_seq_last (seq
)));
4007 if (real_size_in_bytes
> 1)
4008 gimple_seq_add_stmt (&seq
,
4009 build_assign (PLUS_EXPR
,
4010 gimple_seq_last (seq
),
4011 real_size_in_bytes
- 1));
4012 t
= gimple_assign_lhs (gimple_seq_last_stmt (seq
));
4015 t
= build_int_cst (shadow_type
, real_size_in_bytes
- 1);
4016 gimple_seq_add_stmt (&seq
, build_assign (GE_EXPR
, t
, shadow
));
4017 gimple_seq_add_stmt (&seq
, build_assign (BIT_AND_EXPR
, shadow_test
,
4018 gimple_seq_last (seq
)));
4019 t
= gimple_assign_lhs (gimple_seq_last (seq
));
4020 gimple_seq_set_location (seq
, loc
);
4021 gsi_insert_seq_after (&gsi
, seq
, GSI_CONTINUE_LINKING
);
4023 /* For non-constant, misaligned or otherwise weird access sizes,
4024 check first and last byte. */
4025 if (size_in_bytes
== -1)
4027 g
= gimple_build_assign (make_ssa_name (pointer_sized_int_node
),
4029 build_int_cst (pointer_sized_int_node
, 1));
4030 gimple_set_location (g
, loc
);
4031 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
4032 tree last
= gimple_assign_lhs (g
);
4033 g
= gimple_build_assign (make_ssa_name (pointer_sized_int_node
),
4034 PLUS_EXPR
, base_addr
, last
);
4035 gimple_set_location (g
, loc
);
4036 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
4037 tree base_end_addr
= gimple_assign_lhs (g
);
4039 tree shadow
= build_shadow_mem_access (&gsi
, loc
, base_end_addr
,
4041 gimple
*shadow_test
= build_assign (NE_EXPR
, shadow
, 0);
4042 gimple_seq seq
= NULL
;
4043 gimple_seq_add_stmt (&seq
, shadow_test
);
4044 gimple_seq_add_stmt (&seq
, build_assign (BIT_AND_EXPR
,
4046 gimple_seq_add_stmt (&seq
, build_type_cast (shadow_type
,
4047 gimple_seq_last (seq
)));
4048 gimple_seq_add_stmt (&seq
, build_assign (GE_EXPR
,
4049 gimple_seq_last (seq
),
4051 gimple_seq_add_stmt (&seq
, build_assign (BIT_AND_EXPR
, shadow_test
,
4052 gimple_seq_last (seq
)));
4053 gimple_seq_add_stmt (&seq
, build_assign (BIT_IOR_EXPR
, t
,
4054 gimple_seq_last (seq
)));
4055 t
= gimple_assign_lhs (gimple_seq_last (seq
));
4056 gimple_seq_set_location (seq
, loc
);
4057 gsi_insert_seq_after (&gsi
, seq
, GSI_CONTINUE_LINKING
);
4061 g
= gimple_build_cond (NE_EXPR
, t
, build_int_cst (TREE_TYPE (t
), 0),
4062 NULL_TREE
, NULL_TREE
);
4063 gimple_set_location (g
, loc
);
4064 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
4066 /* Generate call to the run-time library (e.g. __asan_report_load8). */
4067 gsi
= gsi_start_bb (then_bb
);
4069 tree fun
= report_error_func (is_store
, recover_p
, size_in_bytes
, &nargs
);
4070 g
= gimple_build_call (fun
, nargs
, base_addr
, len
);
4071 gimple_set_location (g
, loc
);
4072 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
4074 gsi_remove (iter
, true);
4075 *iter
= gsi_start_bb (else_bb
);
4080 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
4081 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
4084 create_asan_shadow_var (tree var_decl
,
4085 hash_map
<tree
, tree
> &shadow_vars_mapping
)
4087 tree
*slot
= shadow_vars_mapping
.get (var_decl
);
4090 tree shadow_var
= copy_node (var_decl
);
4093 memset (&id
, 0, sizeof (copy_body_data
));
4094 id
.src_fn
= id
.dst_fn
= current_function_decl
;
4095 copy_decl_for_dup_finish (&id
, var_decl
, shadow_var
);
4097 DECL_ARTIFICIAL (shadow_var
) = 1;
4098 DECL_IGNORED_P (shadow_var
) = 1;
4099 DECL_SEEN_IN_BIND_EXPR_P (shadow_var
) = 0;
4100 gimple_add_tmp_var (shadow_var
);
4102 shadow_vars_mapping
.put (var_decl
, shadow_var
);
4109 /* Expand ASAN_POISON ifn. */
4112 asan_expand_poison_ifn (gimple_stmt_iterator
*iter
,
4113 bool *need_commit_edge_insert
,
4114 hash_map
<tree
, tree
> &shadow_vars_mapping
)
4116 gimple
*g
= gsi_stmt (*iter
);
4117 tree poisoned_var
= gimple_call_lhs (g
);
4118 if (!poisoned_var
|| has_zero_uses (poisoned_var
))
4120 gsi_remove (iter
, true);
4124 if (SSA_NAME_VAR (poisoned_var
) == NULL_TREE
)
4125 SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var
,
4126 create_tmp_var (TREE_TYPE (poisoned_var
)));
4128 tree shadow_var
= create_asan_shadow_var (SSA_NAME_VAR (poisoned_var
),
4129 shadow_vars_mapping
);
4132 if (flag_sanitize
& SANITIZE_USER_ADDRESS
)
4133 recover_p
= (flag_sanitize_recover
& SANITIZE_USER_ADDRESS
) != 0;
4135 recover_p
= (flag_sanitize_recover
& SANITIZE_KERNEL_ADDRESS
) != 0;
4136 tree size
= DECL_SIZE_UNIT (shadow_var
);
4138 = gimple_build_call_internal (IFN_ASAN_MARK
, 3,
4139 build_int_cst (integer_type_node
,
4141 build_fold_addr_expr (shadow_var
), size
);
4144 imm_use_iterator imm_iter
;
4145 FOR_EACH_IMM_USE_STMT (use
, imm_iter
, poisoned_var
)
4147 if (is_gimple_debug (use
))
4151 bool store_p
= gimple_call_internal_p (use
, IFN_ASAN_POISON_USE
);
4153 if (hwasan_sanitize_p ())
4155 tree fun
= builtin_decl_implicit (BUILT_IN_HWASAN_TAG_MISMATCH4
);
4156 /* NOTE: hwasan has no __hwasan_report_* functions like asan does.
4157 We use __hwasan_tag_mismatch4 with arguments that tell it the
4158 size of access and load to report all tag mismatches.
4160 The arguments to this function are:
4161 Address of invalid access.
4162 Bitfield containing information about the access
4164 Pointer to a frame of registers
4165 (for use in printing the contents of registers in a dump)
4166 Not used yet -- to be used by inline instrumentation.
4169 The access_info bitfield encodes the following pieces of
4171 - Is this a store or load?
4172 access_info & 0x10 => store
4173 - Should the program continue after reporting the error?
4174 access_info & 0x20 => recover
4175 - What size access is this (not used here since we can always
4176 pass the size in the last argument)
4178 if (access_info & 0xf == 0xf)
4179 size is taken from last argument.
4181 size == 1 << (access_info & 0xf)
4183 The last argument contains the size of the access iff the
4184 access_info size indicator is 0xf (we always use this argument
4185 rather than storing the size in the access_info bitfield).
4187 See the function definition `__hwasan_tag_mismatch4` in
4188 libsanitizer/hwasan for the full definition.
4190 unsigned access_info
= (0x20 * recover_p
)
4193 call
= gimple_build_call (fun
, 4,
4194 build_fold_addr_expr (shadow_var
),
4195 build_int_cst (pointer_sized_int_node
,
4197 build_int_cst (pointer_sized_int_node
, 0),
4202 tree fun
= report_error_func (store_p
, recover_p
, tree_to_uhwi (size
),
4204 call
= gimple_build_call (fun
, 1,
4205 build_fold_addr_expr (shadow_var
));
4207 gimple_set_location (call
, gimple_location (use
));
4208 gimple
*call_to_insert
= call
;
4210 /* The USE can be a gimple PHI node. If so, insert the call on
4211 all edges leading to the PHI node. */
4212 if (is_a
<gphi
*> (use
))
4214 gphi
*phi
= dyn_cast
<gphi
*> (use
);
4215 for (unsigned i
= 0; i
< gimple_phi_num_args (phi
); ++i
)
4216 if (gimple_phi_arg_def (phi
, i
) == poisoned_var
)
4218 edge e
= gimple_phi_arg_edge (phi
, i
);
4220 /* Do not insert on an edge we can't split. */
4221 if (e
->flags
& EDGE_ABNORMAL
)
4224 if (call_to_insert
== NULL
)
4225 call_to_insert
= gimple_copy (call
);
4227 gsi_insert_seq_on_edge (e
, call_to_insert
);
4228 *need_commit_edge_insert
= true;
4229 call_to_insert
= NULL
;
4234 gimple_stmt_iterator gsi
= gsi_for_stmt (use
);
4236 gsi_replace (&gsi
, call
, true);
4238 gsi_insert_before (&gsi
, call
, GSI_NEW_STMT
);
4242 SSA_NAME_IS_DEFAULT_DEF (poisoned_var
) = true;
4243 SSA_NAME_DEF_STMT (poisoned_var
) = gimple_build_nop ();
4244 gsi_replace (iter
, poison_call
, false);
4249 /* Instrument the current function. */
4252 asan_instrument (void)
4254 if (hwasan_sanitize_p ())
4256 transform_statements ();
4260 if (shadow_ptr_types
[0] == NULL_TREE
)
4261 asan_init_shadow_ptr_types ();
4262 transform_statements ();
4263 last_alloca_addr
= NULL_TREE
;
4270 return sanitize_flags_p (SANITIZE_ADDRESS
);
4275 const pass_data pass_data_asan
=
4277 GIMPLE_PASS
, /* type */
4279 OPTGROUP_NONE
, /* optinfo_flags */
4280 TV_NONE
, /* tv_id */
4281 ( PROP_ssa
| PROP_cfg
| PROP_gimple_leh
), /* properties_required */
4282 0, /* properties_provided */
4283 0, /* properties_destroyed */
4284 0, /* todo_flags_start */
4285 TODO_update_ssa
, /* todo_flags_finish */
4288 class pass_asan
: public gimple_opt_pass
4291 pass_asan (gcc::context
*ctxt
)
4292 : gimple_opt_pass (pass_data_asan
, ctxt
)
4295 /* opt_pass methods: */
4296 opt_pass
* clone () final override
{ return new pass_asan (m_ctxt
); }
4297 bool gate (function
*) final override
4299 return gate_asan () || gate_hwasan ();
4301 unsigned int execute (function
*) final override
4303 return asan_instrument ();
4306 }; // class pass_asan
4311 make_pass_asan (gcc::context
*ctxt
)
4313 return new pass_asan (ctxt
);
4318 const pass_data pass_data_asan_O0
=
4320 GIMPLE_PASS
, /* type */
4322 OPTGROUP_NONE
, /* optinfo_flags */
4323 TV_NONE
, /* tv_id */
4324 ( PROP_ssa
| PROP_cfg
| PROP_gimple_leh
), /* properties_required */
4325 0, /* properties_provided */
4326 0, /* properties_destroyed */
4327 0, /* todo_flags_start */
4328 TODO_update_ssa
, /* todo_flags_finish */
4331 class pass_asan_O0
: public gimple_opt_pass
4334 pass_asan_O0 (gcc::context
*ctxt
)
4335 : gimple_opt_pass (pass_data_asan_O0
, ctxt
)
4338 /* opt_pass methods: */
4339 bool gate (function
*) final override
4341 return !optimize
&& (gate_asan () || gate_hwasan ());
4343 unsigned int execute (function
*) final override
4345 return asan_instrument ();
4348 }; // class pass_asan_O0
4353 make_pass_asan_O0 (gcc::context
*ctxt
)
4355 return new pass_asan_O0 (ctxt
);
4360 /* For stack tagging:
4362 Return the offset from the frame base tag that the "next" expanded object
4365 hwasan_current_frame_tag ()
4367 return hwasan_frame_tag_offset
;
4370 /* For stack tagging:
4372 Return the 'base pointer' for this function. If that base pointer has not
4373 yet been created then we create a register to hold it and record the insns
4374 to initialize the register in `hwasan_frame_base_init_seq` for later
4377 hwasan_frame_base ()
4379 if (! hwasan_frame_base_ptr
)
4382 hwasan_frame_base_ptr
4384 targetm
.memtag
.insert_random_tag (virtual_stack_vars_rtx
,
4386 hwasan_frame_base_init_seq
= get_insns ();
4390 return hwasan_frame_base_ptr
;
4393 /* For stack tagging:
4395 Check whether this RTX is a standard pointer addressing the base of the
4396 stack variables for this frame. Returns true if the RTX is either
4397 virtual_stack_vars_rtx or hwasan_frame_base_ptr. */
4399 stack_vars_base_reg_p (rtx base
)
4401 return base
== virtual_stack_vars_rtx
|| base
== hwasan_frame_base_ptr
;
4404 /* For stack tagging:
4406 Emit frame base initialisation.
4407 If hwasan_frame_base has been used before here then
4408 hwasan_frame_base_init_seq contains the sequence of instructions to
4409 initialize it. This must be put just before the hwasan prologue, so we emit
4410 the insns before parm_birth_insn (which will point to the first instruction
4411 of the hwasan prologue if it exists).
4413 We update `parm_birth_insn` to point to the start of this initialisation
4414 since that represents the end of the initialisation done by
4415 expand_function_{start,end} functions and we want to maintain that. */
4417 hwasan_maybe_emit_frame_base_init ()
4419 if (! hwasan_frame_base_init_seq
)
4421 emit_insn_before (hwasan_frame_base_init_seq
, parm_birth_insn
);
4422 parm_birth_insn
= hwasan_frame_base_init_seq
;
4425 /* Record a compile-time constant size stack variable that HWASAN will need to
4426 tag. This record of the range of a stack variable will be used by
4427 `hwasan_emit_prologue` to emit the RTL at the start of each frame which will
4428 set tags in the shadow memory according to the assigned tag for each object.
4430 The range that the object spans in stack space should be described by the
4431 bounds `untagged_base + nearest_offset` and
4432 `untagged_base + farthest_offset`.
4433 `tagged_base` is the base address which contains the "base frame tag" for
4434 this frame, and from which the value to address this object with will be
4437 We record the `untagged_base` since the functions in the hwasan library we
4438 use to tag memory take pointers without a tag. */
4440 hwasan_record_stack_var (rtx untagged_base
, rtx tagged_base
,
4441 poly_int64 nearest_offset
, poly_int64 farthest_offset
)
4443 hwasan_stack_var cur_var
;
4444 cur_var
.untagged_base
= untagged_base
;
4445 cur_var
.tagged_base
= tagged_base
;
4446 cur_var
.nearest_offset
= nearest_offset
;
4447 cur_var
.farthest_offset
= farthest_offset
;
4448 cur_var
.tag_offset
= hwasan_current_frame_tag ();
4450 hwasan_tagged_stack_vars
.safe_push (cur_var
);
4453 /* Return the RTX representing the farthest extent of the statically allocated
4454 stack objects for this frame. If hwasan_frame_base_ptr has not been
4455 initialized then we are not storing any static variables on the stack in
4456 this frame. In this case we return NULL_RTX to represent that.
4458 Otherwise simply return virtual_stack_vars_rtx + frame_offset. */
4460 hwasan_get_frame_extent ()
4462 return (hwasan_frame_base_ptr
4463 ? plus_constant (Pmode
, virtual_stack_vars_rtx
, frame_offset
)
4467 /* For stack tagging:
4469 Increment the frame tag offset modulo the size a tag can represent. */
4471 hwasan_increment_frame_tag ()
4473 uint8_t tag_bits
= HWASAN_TAG_SIZE
;
4474 gcc_assert (HWASAN_TAG_SIZE
4475 <= sizeof (hwasan_frame_tag_offset
) * CHAR_BIT
);
4476 hwasan_frame_tag_offset
= (hwasan_frame_tag_offset
+ 1) % (1 << tag_bits
);
4477 /* The "background tag" of the stack is zero by definition.
4478 This is the tag that objects like parameters passed on the stack and
4479 spilled registers are given. It is handy to avoid this tag for objects
4480 whose tags we decide ourselves, partly to ensure that buffer overruns
4481 can't affect these important variables (e.g. saved link register, saved
4482 stack pointer etc) and partly to make debugging easier (everything with a
4483 tag of zero is space allocated automatically by the compiler).
4485 This is not feasible when using random frame tags (the default
4486 configuration for hwasan) since the tag for the given frame is randomly
4487 chosen at runtime. In order to avoid any tags matching the stack
4488 background we would need to decide tag offsets at runtime instead of
4489 compile time (and pay the resulting performance cost).
4491 When not using random base tags for each frame (i.e. when compiled with
4492 `--param hwasan-random-frame-tag=0`) the base tag for each frame is zero.
4493 This means the tag that each object gets is equal to the
4494 hwasan_frame_tag_offset used in determining it.
4495 When this is the case we *can* ensure no object gets the tag of zero by
4496 simply ensuring no object has the hwasan_frame_tag_offset of zero.
4498 There is the extra complication that we only record the
4499 hwasan_frame_tag_offset here (which is the offset from the tag stored in
4500 the stack pointer). In the kernel, the tag in the stack pointer is 0xff
4501 rather than zero. This does not cause problems since tags of 0xff are
4502 never checked in the kernel. As mentioned at the beginning of this
4503 comment the background tag of the stack is zero by definition, which means
4504 that for the kernel we should skip offsets of both 0 and 1 from the stack
4505 pointer. Avoiding the offset of 0 ensures we use a tag which will be
4506 checked, avoiding the offset of 1 ensures we use a tag that is not the
4507 same as the background. */
4508 if (hwasan_frame_tag_offset
== 0 && ! param_hwasan_random_frame_tag
)
4509 hwasan_frame_tag_offset
+= 1;
4510 if (hwasan_frame_tag_offset
== 1 && ! param_hwasan_random_frame_tag
4511 && sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS
))
4512 hwasan_frame_tag_offset
+= 1;
4515 /* Clear internal state for the next function.
4516 This function is called before variables on the stack get expanded, in
4517 `init_vars_expansion`. */
4519 hwasan_record_frame_init ()
4521 delete asan_used_labels
;
4522 asan_used_labels
= NULL
;
4524 /* If this isn't the case then some stack variable was recorded *before*
4525 hwasan_record_frame_init is called, yet *after* the hwasan prologue for
4526 the previous frame was emitted. Such stack variables would not have
4527 their shadow stack filled in. */
4528 gcc_assert (hwasan_tagged_stack_vars
.is_empty ());
4529 hwasan_frame_base_ptr
= NULL_RTX
;
4530 hwasan_frame_base_init_seq
= NULL
;
4532 /* When not using a random frame tag we can avoid the background stack
4533 color which gives the user a little better debug output upon a crash.
4534 Meanwhile, when using a random frame tag it will be nice to avoid adding
4535 tags for the first object since that is unnecessary extra work.
4536 Hence set the initial hwasan_frame_tag_offset to be 0 if using a random
4537 frame tag and 1 otherwise.
4539 As described in hwasan_increment_frame_tag, in the kernel the stack
4540 pointer has the tag 0xff. That means that to avoid 0xff and 0 (the tag
4541 which the kernel does not check and the background tag respectively) we
4542 start with a tag offset of 2. */
4543 hwasan_frame_tag_offset
= param_hwasan_random_frame_tag
4545 : sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS
) ? 2 : 1;
4548 /* For stack tagging:
4549 (Emits HWASAN equivalent of what is emitted by
4550 `asan_emit_stack_protection`).
4552 Emits the extra prologue code to set the shadow stack as required for HWASAN
4553 stack instrumentation.
4555 Uses the vector of recorded stack variables hwasan_tagged_stack_vars. When
4556 this function has completed hwasan_tagged_stack_vars is empty and all
4557 objects it had pointed to are deallocated. */
4559 hwasan_emit_prologue ()
4561 /* We need untagged base pointers since libhwasan only accepts untagged
4562 pointers in __hwasan_tag_memory. We need the tagged base pointer to obtain
4563 the base tag for an offset. */
4565 if (hwasan_tagged_stack_vars
.is_empty ())
4568 poly_int64 bot
= 0, top
= 0;
4569 for (hwasan_stack_var
&cur
: hwasan_tagged_stack_vars
)
4571 poly_int64 nearest
= cur
.nearest_offset
;
4572 poly_int64 farthest
= cur
.farthest_offset
;
4574 if (known_ge (nearest
, farthest
))
4581 /* Given how these values are calculated, one must be known greater
4583 gcc_assert (known_le (nearest
, farthest
));
4587 poly_int64 size
= (top
- bot
);
4589 /* Assert the edge of each variable is aligned to the HWASAN tag granule
4591 gcc_assert (multiple_p (top
, HWASAN_TAG_GRANULE_SIZE
));
4592 gcc_assert (multiple_p (bot
, HWASAN_TAG_GRANULE_SIZE
));
4593 gcc_assert (multiple_p (size
, HWASAN_TAG_GRANULE_SIZE
));
4595 rtx fn
= init_one_libfunc ("__hwasan_tag_memory");
4596 rtx base_tag
= targetm
.memtag
.extract_tag (cur
.tagged_base
, NULL_RTX
);
4597 rtx tag
= plus_constant (QImode
, base_tag
, cur
.tag_offset
);
4598 tag
= hwasan_truncate_to_tag_size (tag
, NULL_RTX
);
4600 rtx bottom
= convert_memory_address (ptr_mode
,
4601 plus_constant (Pmode
,
4604 emit_library_call (fn
, LCT_NORMAL
, VOIDmode
,
4607 gen_int_mode (size
, ptr_mode
), ptr_mode
);
4609 /* Clear the stack vars, we've emitted the prologue for them all now. */
4610 hwasan_tagged_stack_vars
.truncate (0);
4613 /* For stack tagging:
4615 Return RTL insns to clear the tags between DYNAMIC and VARS pointers
4616 into the stack. These instructions should be emitted at the end of
4619 If `dynamic` is NULL_RTX then no insns are returned. */
4621 hwasan_emit_untag_frame (rtx dynamic
, rtx vars
)
4628 dynamic
= convert_memory_address (ptr_mode
, dynamic
);
4629 vars
= convert_memory_address (ptr_mode
, vars
);
4633 if (FRAME_GROWS_DOWNWARD
)
4644 rtx size_rtx
= expand_simple_binop (ptr_mode
, MINUS
, top_rtx
, bot_rtx
,
4645 NULL_RTX
, /* unsignedp = */0,
4648 rtx fn
= init_one_libfunc ("__hwasan_tag_memory");
4649 emit_library_call (fn
, LCT_NORMAL
, VOIDmode
,
4651 HWASAN_STACK_BACKGROUND
, QImode
,
4652 size_rtx
, ptr_mode
);
4654 do_pending_stack_adjust ();
4655 rtx_insn
*insns
= get_insns ();
4660 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
4661 invoke ggc_collect. */
4662 static GTY(()) tree hwasan_ctor_statements
;
4664 /* Insert module initialization into this TU. This initialization calls the
4665 initialization code for libhwasan. */
4667 hwasan_finish_file (void)
4669 /* Do not emit constructor initialization for the kernel.
4670 (the kernel has its own initialization already). */
4671 if (flag_sanitize
& SANITIZE_KERNEL_HWADDRESS
)
4674 /* Avoid instrumenting code in the hwasan constructors/destructors. */
4675 flag_sanitize
&= ~SANITIZE_HWADDRESS
;
4676 int priority
= MAX_RESERVED_INIT_PRIORITY
- 1;
4677 tree fn
= builtin_decl_implicit (BUILT_IN_HWASAN_INIT
);
4678 append_to_statement_list (build_call_expr (fn
, 0), &hwasan_ctor_statements
);
4679 cgraph_build_static_cdtor ('I', hwasan_ctor_statements
, priority
);
4680 flag_sanitize
|= SANITIZE_HWADDRESS
;
4683 /* For stack tagging:
4685 Truncate `tag` to the number of bits that a tag uses (i.e. to
4686 HWASAN_TAG_SIZE). Store the result in `target` if it's convenient. */
4688 hwasan_truncate_to_tag_size (rtx tag
, rtx target
)
4690 gcc_assert (GET_MODE (tag
) == QImode
);
4691 if (HWASAN_TAG_SIZE
!= GET_MODE_PRECISION (QImode
))
4693 gcc_assert (GET_MODE_PRECISION (QImode
) > HWASAN_TAG_SIZE
);
4694 rtx mask
= gen_int_mode ((HOST_WIDE_INT_1U
<< HWASAN_TAG_SIZE
) - 1,
4696 tag
= expand_simple_binop (QImode
, AND
, tag
, mask
, target
,
4697 /* unsignedp = */1, OPTAB_WIDEN
);
4703 /* Construct a function tree for __hwasan_{load,store}{1,2,4,8,16,_n}.
4704 IS_STORE is either 1 (for a store) or 0 (for a load). */
4706 hwasan_check_func (bool is_store
, bool recover_p
, HOST_WIDE_INT size_in_bytes
,
4709 static enum built_in_function check
[2][2][6]
4710 = { { { BUILT_IN_HWASAN_LOAD1
, BUILT_IN_HWASAN_LOAD2
,
4711 BUILT_IN_HWASAN_LOAD4
, BUILT_IN_HWASAN_LOAD8
,
4712 BUILT_IN_HWASAN_LOAD16
, BUILT_IN_HWASAN_LOADN
},
4713 { BUILT_IN_HWASAN_STORE1
, BUILT_IN_HWASAN_STORE2
,
4714 BUILT_IN_HWASAN_STORE4
, BUILT_IN_HWASAN_STORE8
,
4715 BUILT_IN_HWASAN_STORE16
, BUILT_IN_HWASAN_STOREN
} },
4716 { { BUILT_IN_HWASAN_LOAD1_NOABORT
,
4717 BUILT_IN_HWASAN_LOAD2_NOABORT
,
4718 BUILT_IN_HWASAN_LOAD4_NOABORT
,
4719 BUILT_IN_HWASAN_LOAD8_NOABORT
,
4720 BUILT_IN_HWASAN_LOAD16_NOABORT
,
4721 BUILT_IN_HWASAN_LOADN_NOABORT
},
4722 { BUILT_IN_HWASAN_STORE1_NOABORT
,
4723 BUILT_IN_HWASAN_STORE2_NOABORT
,
4724 BUILT_IN_HWASAN_STORE4_NOABORT
,
4725 BUILT_IN_HWASAN_STORE8_NOABORT
,
4726 BUILT_IN_HWASAN_STORE16_NOABORT
,
4727 BUILT_IN_HWASAN_STOREN_NOABORT
} } };
4728 if (size_in_bytes
== -1)
4731 return as_combined_fn (check
[recover_p
][is_store
][5]);
4734 int size_log2
= exact_log2 (size_in_bytes
);
4735 gcc_assert (size_log2
>= 0 && size_log2
<= 5);
4736 return as_combined_fn (check
[recover_p
][is_store
][size_log2
]);
4739 /* Expand the HWASAN_{LOAD,STORE} builtins. */
4741 hwasan_expand_check_ifn (gimple_stmt_iterator
*iter
, bool)
4743 gimple
*g
= gsi_stmt (*iter
);
4744 location_t loc
= gimple_location (g
);
4746 if (flag_sanitize
& SANITIZE_USER_HWADDRESS
)
4747 recover_p
= (flag_sanitize_recover
& SANITIZE_USER_HWADDRESS
) != 0;
4749 recover_p
= (flag_sanitize_recover
& SANITIZE_KERNEL_HWADDRESS
) != 0;
4751 HOST_WIDE_INT flags
= tree_to_shwi (gimple_call_arg (g
, 0));
4752 gcc_assert (flags
< ASAN_CHECK_LAST
);
4753 bool is_scalar_access
= (flags
& ASAN_CHECK_SCALAR_ACCESS
) != 0;
4754 bool is_store
= (flags
& ASAN_CHECK_STORE
) != 0;
4755 bool is_non_zero_len
= (flags
& ASAN_CHECK_NON_ZERO_LEN
) != 0;
4757 tree base
= gimple_call_arg (g
, 1);
4758 tree len
= gimple_call_arg (g
, 2);
4760 /* `align` is unused for HWASAN_CHECK, but we pass the argument anyway
4761 since that way the arguments match ASAN_CHECK. */
4762 /* HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3)); */
4764 unsigned HOST_WIDE_INT size_in_bytes
4765 = is_scalar_access
? tree_to_shwi (len
) : -1;
4767 gimple_stmt_iterator gsi
= *iter
;
4769 if (!is_non_zero_len
)
4771 /* So, the length of the memory area to hwasan-protect is
4772 non-constant. Let's guard the generated instrumentation code
4777 // hwasan instrumentation code goes here.
4779 // falltrough instructions, starting with *ITER. */
4781 g
= gimple_build_cond (NE_EXPR
,
4783 build_int_cst (TREE_TYPE (len
), 0),
4784 NULL_TREE
, NULL_TREE
);
4785 gimple_set_location (g
, loc
);
4787 basic_block then_bb
, fallthrough_bb
;
4788 insert_if_then_before_iter (as_a
<gcond
*> (g
), iter
,
4789 /*then_more_likely_p=*/true,
4790 &then_bb
, &fallthrough_bb
);
4791 /* Note that fallthrough_bb starts with the statement that was
4792 pointed to by ITER. */
4794 /* The 'then block' of the 'if (len != 0) condition is where
4795 we'll generate the hwasan instrumentation code now. */
4796 gsi
= gsi_last_bb (then_bb
);
4799 gimple_seq stmts
= NULL
;
4800 tree base_addr
= gimple_build (&stmts
, loc
, NOP_EXPR
,
4801 pointer_sized_int_node
, base
);
4805 = hwasan_check_func (is_store
, recover_p
, size_in_bytes
, &nargs
);
4807 gimple_build (&stmts
, loc
, fn
, void_type_node
, base_addr
);
4810 gcc_assert (nargs
== 2);
4811 tree sz_arg
= gimple_build (&stmts
, loc
, NOP_EXPR
,
4812 pointer_sized_int_node
, len
);
4813 gimple_build (&stmts
, loc
, fn
, void_type_node
, base_addr
, sz_arg
);
4816 gsi_insert_seq_after (&gsi
, stmts
, GSI_NEW_STMT
);
4817 gsi_remove (iter
, true);
4822 /* For stack tagging:
4824 Dummy: the HWASAN_MARK internal function should only ever be in the code
4825 after the sanopt pass. */
4827 hwasan_expand_mark_ifn (gimple_stmt_iterator
*)
4835 return hwasan_sanitize_p ();
4838 #include "gt-asan.h"