| blob | 2e1fb0e4082538ae0404a1fe511057b3c52c8b7c |
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2013 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
42 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
43 with <2x slowdown on average.
45 The tool consists of two parts:
46 instrumentation module (this file) and a run-time library.
47 The instrumentation module adds a run-time check before every memory insn.
48 For a 8- or 16- byte load accessing address X:
49 ShadowAddr = (X >> 3) + Offset
50 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
51 if (ShadowValue)
52 __asan_report_load8(X);
53 For a load of N bytes (N=1, 2 or 4) from address X:
54 ShadowAddr = (X >> 3) + Offset
55 ShadowValue = *(char*)ShadowAddr;
56 if (ShadowValue)
57 if ((X & 7) + N - 1 > ShadowValue)
58 __asan_report_loadN(X);
59 Stores are instrumented similarly, but using __asan_report_storeN functions.
60 A call too __asan_init() is inserted to the list of module CTORs.
62 The run-time library redefines malloc (so that redzone are inserted around
63 the allocated memory) and free (so that reuse of free-ed memory is delayed),
64 provides __asan_report* and __asan_init functions.
66 Read more:
67 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
69 The current implementation supports detection of out-of-bounds and
70 use-after-free in the heap, on the stack and for global variables.
72 [Protection of stack variables]
74 To understand how detection of out-of-bounds and use-after-free works
75 for stack variables, lets look at this example on x86_64 where the
76 stack grows downward:
78 int
79 foo ()
80 {
81 char a[23] = {0};
82 int b[2] = {0};
84 a[5] = 1;
85 b[1] = 2;
87 return a[5] + b[1];
88 }
90 For this function, the stack protected by asan will be organized as
91 follows, from the top of the stack to the bottom:
93 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
95 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
96 the next slot be 32 bytes aligned; this one is called Partial
97 Redzone; this 32 bytes alignment is an asan constraint]
99 Slot 3/ [24 bytes for variable 'a']
101 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
103 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
105 Slot 6/ [8 bytes for variable 'b']
107 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
108 'LEFT RedZone']
110 The 32 bytes of LEFT red zone at the bottom of the stack can be
111 decomposed as such:
113 1/ The first 8 bytes contain a magical asan number that is always
114 0x41B58AB3.
116 2/ The following 8 bytes contains a pointer to a string (to be
117 parsed at runtime by the runtime asan library), which format is
118 the following:
120 "<function-name> <space> <num-of-variables-on-the-stack>
121 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
122 <length-of-var-in-bytes> ){n} "
124 where '(...){n}' means the content inside the parenthesis occurs 'n'
125 times, with 'n' being the number of variables on the stack.
127 3/ The following 16 bytes of the red zone have no particular
128 format.
130 The shadow memory for that stack layout is going to look like this:
132 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
133 The F1 byte pattern is a magic number called
134 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
135 the memory for that shadow byte is part of a the LEFT red zone
136 intended to seat at the bottom of the variables on the stack.
138 - content of shadow memory 8 bytes for slots 6 and 5:
139 0xF4F4F400. The F4 byte pattern is a magic number
140 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
141 memory region for this shadow byte is a PARTIAL red zone
142 intended to pad a variable A, so that the slot following
143 {A,padding} is 32 bytes aligned.
145 Note that the fact that the least significant byte of this
146 shadow memory content is 00 means that 8 bytes of its
147 corresponding memory (which corresponds to the memory of
148 variable 'b') is addressable.
150 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
151 The F2 byte pattern is a magic number called
152 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
153 region for this shadow byte is a MIDDLE red zone intended to
154 seat between two 32 aligned slots of {variable,padding}.
156 - content of shadow memory 8 bytes for slot 3 and 2:
157 0xF4000000. This represents is the concatenation of
158 variable 'a' and the partial red zone following it, like what we
159 had for variable 'b'. The least significant 3 bytes being 00
160 means that the 3 bytes of variable 'a' are addressable.
162 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
163 The F3 byte pattern is a magic number called
164 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
165 region for this shadow byte is a RIGHT red zone intended to seat
166 at the top of the variables of the stack.
168 Note that the real variable layout is done in expand_used_vars in
169 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
170 stack variables as well as the different red zones, emits some
171 prologue code to populate the shadow memory as to poison (mark as
172 non-accessible) the regions of the red zones and mark the regions of
173 stack variables as accessible, and emit some epilogue code to
174 un-poison (mark as accessible) the regions of red zones right before
175 the function exits.
177 [Protection of global variables]
179 The basic idea is to insert a red zone between two global variables
180 and install a constructor function that calls the asan runtime to do
181 the populating of the relevant shadow memory regions at load time.
183 So the global variables are laid out as to insert a red zone between
184 them. The size of the red zones is so that each variable starts on a
185 32 bytes boundary.
187 Then a constructor function is installed so that, for each global
188 variable, it calls the runtime asan library function
189 __asan_register_globals_with an instance of this type:
191 struct __asan_global
192 {
193 // Address of the beginning of the global variable.
194 const void *__beg;
196 // Initial size of the global variable.
197 uptr __size;
199 // Size of the global variable + size of the red zone. This
200 // size is 32 bytes aligned.
201 uptr __size_with_redzone;
203 // Name of the global variable.
204 const void *__name;
206 // This is always set to NULL for now.
207 uptr __has_dynamic_init;
208 }
210 A destructor function that calls the runtime asan library function
211 _asan_unregister_globals is also installed. */
215 /* Pointer types to 1 resp. 2 byte integers in shadow memory. A separate
216 alias set is used for all shadow memory accesses. */
219 /* Hashtable support for memory references used by gimple
220 statements. */
222 /* This type represents a reference to a memory region. */
223 struct asan_mem_ref
224 {
225 /* The expression of the beginning of the memory region. */
226 tree start;
228 /* The size of the access (can be 1, 2, 4, 8, 16 for now). */
230 };
234 /* This creates the alloc pool used to store the instances of
235 asan_mem_ref that are stored in the hash table asan_mem_ref_ht. */
237 static alloc_pool
239 {
246 }
248 /* Initializes an instance of asan_mem_ref. */
250 static void
252 {
255 }
257 /* Allocates memory for an instance of asan_mem_ref into the memory
258 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
259 START is the address of (or the expression pointing to) the
260 beginning of memory reference. ACCESS_SIZE is the size of the
261 access to the referenced memory. */
265 {
271 }
273 /* This builds and returns a pointer to the end of the memory region
274 that starts at START and of length LEN. */
276 tree
278 {
283 }
285 /* Return a tree expression that represents the end of the referenced
286 memory region. Beware that this function can actually build a new
287 tree expression. */
289 tree
291 {
293 }
295 struct asan_mem_ref_hasher
297 {
303 };
305 /* Hash a memory reference. */
307 inline hashval_t
309 {
313 }
315 /* Compare two memory references. We accept the length of either
316 memory references to be NULL_TREE. */
321 {
324 }
328 /* Returns a reference to the hash table containing memory references.
329 This function ensures that the hash table is created. Note that
330 this hash table is updated by the function
331 update_mem_ref_hash_table. */
335 {
340 }
342 /* Clear all entries from the memory references hash table. */
344 static void
346 {
349 }
351 /* Free the memory references hash table. */
353 static void
355 {
360 {
363 }
364 }
366 /* Return true iff the memory reference REF has been instrumented. */
368 static bool
370 {
371 asan_mem_ref r;
375 }
377 /* Return true iff the memory reference REF has been instrumented. */
379 static bool
381 {
383 }
385 /* Return true iff access to memory region starting at REF and of
386 length LEN has been instrumented. */
388 static bool
390 {
391 /* First let's see if the address of the beginning of REF has been
392 instrumented. */
397 {
398 /* Let's see if the end of the region has been instrumented. */
402 }
404 }
406 /* Set REF to the memory reference present in a gimple assignment
407 ASSIGNMENT. Return true upon successful completion, false
408 otherwise. */
410 static bool
414 {
419 {
422 }
424 {
427 }
428 else
433 }
435 /* Return the memory references contained in a gimple statement
436 representing a builtin call that has to do with memory access. */
438 static bool
450 {
460 {
461 /* (s, s, n) style memops. */
469 /* (src, dest, n) style memops. */
476 /* (dest, src, n) style memops. */
488 /* (dest, n) style memops. */
494 /* (dest, x, n) style memops*/
506 /* And now the __atomic* and __sync builtins.
507 These are handled differently from the classical memory memory
508 access builtins above. */
516 /* fall through. */
701 {
703 /* DEST represents the address of a memory location.
704 instrument_derefs wants the memory location, so lets
705 dereference the address DEST before handing it to
706 instrument_derefs. */
712 else
716 }
719 /* The other builtins memory access are not instrumented in this
720 function because they either don't have any length parameter,
721 or their length parameter is just a limit. */
723 }
726 {
728 {
733 }
736 {
741 }
744 {
749 }
752 }
754 {
761 }
764 }
766 /* Return true iff a given gimple statement has been instrumented.
767 Note that the statement is "defined" by the memory references it
768 contains. */
770 static bool
772 {
774 {
776 asan_mem_ref r;
781 }
783 {
797 {
811 }
812 }
814 }
816 /* Insert a memory reference into the hash table. */
818 static void
820 {
823 asan_mem_ref r;
829 }
831 /* Initialize shadow_ptr_types array. */
833 static void
835 {
844 }
846 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
848 static tree
850 {
860 }
862 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
864 static rtx
866 {
874 }
876 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
877 though. */
879 static void
881 {
892 {
895 }
913 }
915 /* Insert code to protect stack vars. The prologue sequence should be emitted
916 directly, epilogue sequence returned. BASE is the register holding the
917 stack base, against which OFFSETS array offsets are relative to, OFFSETS
918 array contains pairs of offsets in reverse order, always the end offset
919 of some gap that needs protection followed by starting offset,
920 and DECLS is an array of representative decls for each var partition.
921 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
922 elements long (OFFSETS include gap before the first variable as well
923 as gaps after each stack variable). */
925 rtx
928 {
935 tree str_cst;
940 /* First of all, prepare the description string. */
941 pretty_printer asan_pp;
945 else
951 {
958 {
962 }
963 else
966 }
969 /* Emit the prologue sequence. */
982 Pmode),
990 {
995 {
997 HOST_WIDE_INT aoff
1006 {
1009 else
1011 }
1012 else
1016 }
1018 {
1026 }
1028 }
1031 /* Construct epilogue sequence. */
1040 {
1044 {
1052 }
1056 }
1058 {
1063 }
1070 }
1072 /* Return true if DECL, a global var, might be overridden and needs
1073 therefore a local alias. */
1075 static bool
1077 {
1079 }
1081 /* Return true if DECL is a VAR_DECL that should be protected
1082 by Address Sanitizer, by appending a red zone with protected
1083 shadow memory after it and aligning it to at least
1084 ASAN_RED_ZONE_SIZE bytes. */
1086 bool
1088 {
1092 {
1093 /* Instrument all STRING_CSTs except those created
1094 by asan_pp_string here. */
1100 }
1102 /* TLS vars aren't statically protectable. */
1104 /* Externs will be protected elsewhere. */
1107 /* Comdat vars pose an ABI problem, we can't know if
1108 the var that is selected by the linker will have
1109 padding or not. */
1111 /* Similarly for common vars. People can use -fno-common. */
1113 /* Don't protect if using user section, often vars placed
1114 into user section from multiple TUs are then assumed
1115 to be an array of such vars, putting padding in there
1116 breaks this assumption. */
1137 #ifndef ASM_OUTPUT_DEF
1140 #endif
1143 }
1145 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16}.
1146 IS_STORE is either 1 (for a store) or 0 (for a load).
1147 SIZE_IN_BYTES is one of 1, 2, 4, 8, 16. */
1149 static tree
1151 {
1155 BUILT_IN_ASAN_REPORT_LOAD16 },
1158 BUILT_IN_ASAN_REPORT_STORE16 } };
1160 }
1162 #define PROB_VERY_UNLIKELY (REG_BR_PROB_BASE / 2000 - 1)
1163 #define PROB_ALWAYS (REG_BR_PROB_BASE)
1165 /* Split the current basic block and create a condition statement
1166 insertion point right before or after the statement pointed to by
1167 ITER. Return an iterator to the point at which the caller might
1168 safely insert the condition statement.
1170 THEN_BLOCK must be set to the address of an uninitialized instance
1171 of basic_block. The function will then set *THEN_BLOCK to the
1172 'then block' of the condition statement to be inserted by the
1173 caller.
1175 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1176 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1178 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1179 block' of the condition statement to be inserted by the caller.
1181 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1182 statements starting from *ITER, and *THEN_BLOCK is a new empty
1183 block.
1185 *ITER is adjusted to point to always point to the first statement
1186 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1187 same as what ITER was pointing to prior to calling this function,
1188 if BEFORE_P is true; otherwise, it is its following statement. */
1190 static gimple_stmt_iterator
1197 {
1207 /* Get a hold on the 'condition block', the 'then block' and the
1208 'else block'. */
1213 {
1216 }
1218 /* Set up the newly created 'then block'. */
1220 int fallthrough_probability
1221 = then_more_likely_p
1222 ? PROB_VERY_UNLIKELY
1228 /* Set up the fallthrough basic block. */
1234 /* Update dominance info for the newly created then_bb; note that
1235 fallthru_bb's dominance info has already been updated by
1236 split_bock. */
1245 }
1247 /* Insert an if condition followed by a 'then block' right before the
1248 statement pointed to by ITER. The fallthrough block -- which is the
1249 else block of the condition as well as the destination of the
1250 outcoming edge of the 'then block' -- starts with the statement
1251 pointed to by ITER.
1253 COND is the condition of the if.
1255 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1256 'then block' is higher than the probability of the edge to the
1257 fallthrough block.
1259 Upon completion of the function, *THEN_BB is set to the newly
1260 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1261 fallthrough block.
1263 *ITER is adjusted to still point to the same statement it was
1264 pointing to initially. */
1266 static void
1272 {
1273 gimple_stmt_iterator cond_insert_point =
1276 then_more_likely_p,
1278 then_bb,
1279 fallthrough_bb);
1281 }
1283 /* Instrument the memory access instruction BASE. Insert new
1284 statements before or after ITER.
1286 Note that the memory access represented by BASE can be either an
1287 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1288 location. IS_STORE is TRUE for a store, FALSE for a load.
1289 BEFORE_P is TRUE for inserting the instrumentation code before
1290 ITER, FALSE for inserting it after ITER. SIZE_IN_BYTES is one of
1291 1, 2, 4, 8, 16.
1293 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1294 statement it was pointing to prior to calling this function,
1295 otherwise, it points to the statement logically following it. */
1297 static void
1300 {
1301 gimple_stmt_iterator gsi;
1304 gimple g;
1307 tree uintptr_type
1311 /* Get an iterator on the point where we can add the condition
1312 statement for the instrumentation. */
1321 /* BASE can already be an SSA_NAME; in that case, do not create a
1322 new SSA_NAME for it. */
1324 {
1331 }
1340 /* Build
1341 (base_addr >> ASAN_SHADOW_SHIFT) + targetm.asan_shadow_offset (). */
1373 {
1374 /* Slow path for 1, 2 and 4 byte accesses.
1375 Test (shadow != 0)
1376 & ((base_addr & 7) + (size_in_bytes - 1)) >= shadow). */
1388 shadow));
1394 }
1395 else
1403 /* Generate call to the run-time library (e.g. __asan_report_load8). */
1411 }
1413 /* If T represents a memory access, add instrumentation code before ITER.
1414 LOCATION is source code location.
1415 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
1417 static void
1420 {
1422 HOST_WIDE_INT size_in_bytes;
1426 {
1434 }
1442 tree offset;
1449 {
1452 {
1457 }
1459 }
1463 {
1468 }
1470 }
1472 /* Instrument an access to a contiguous memory region that starts at
1473 the address pointed to by BASE, over a length of LEN (expressed in
1474 the sizeof (*BASE) bytes). ITER points to the instruction before
1475 which the instrumentation instructions must be inserted. LOCATION
1476 is the source location that the instrumentation instructions must
1477 have. If IS_STORE is true, then the memory access is a store;
1478 otherwise, it's a load. */
1480 static void
1484 {
1494 /* If the beginning of the memory region has already been
1495 instrumented, do not instrument it. */
1498 /* If the end of the memory region has already been instrumented, do
1499 not instrument it. */
1507 {
1508 /* So, the length of the memory area to asan-protect is
1509 non-constant. Let's guard the generated instrumentation code
1510 like:
1512 if (len != 0)
1513 {
1514 //asan instrumentation code goes here.
1515 }
1516 // falltrough instructions, starting with *ITER. */
1519 len,
1525 /* Note that fallthrough_bb starts with the statement that was
1526 pointed to by ITER. */
1528 /* The 'then block' of the 'if (len != 0) condition is where
1529 we'll generate the asan instrumentation code now. */
1531 }
1534 {
1535 /* Instrument the beginning of the memory region to be accessed,
1536 and arrange for the rest of the intrumentation code to be
1537 inserted in the then block *after* the current gsi. */
1541 /* We are in the case where the length of the region is not
1542 constant; so instrumentation code is being generated in the
1543 'then block' of the 'if (len != 0) condition. Let's arrange
1544 for the subsequent instrumentation statements to go in the
1545 'then block'. */
1547 else
1548 {
1550 /* Don't remember this access as instrumented, if length
1551 is unknown. It might be zero and not being actually
1552 instrumented, so we can't rely on it being instrumented. */
1554 }
1555 }
1560 /* We want to instrument the access at the end of the memory region,
1561 which is at (base + len - 1). */
1563 /* offset = len - 1; */
1565 tree offset;
1571 else
1572 {
1573 gimple g;
1574 tree t;
1577 {
1583 }
1585 {
1591 }
1599 }
1601 /* _1 = base; */
1603 gimple region_end =
1610 /* _2 = _1 + offset; */
1611 region_end =
1615 offset);
1620 /* instrument access at _2; */
1629 }
1631 /* Instrument the call (to the builtin strlen function) pointed to by
1632 ITER.
1634 This function instruments the access to the first byte of the
1635 argument, right before the call. After the call it instruments the
1636 access to the last byte of the argument; it uses the result of the
1637 call to deduce the offset of that last byte.
1639 Upon completion, iff the call has actually been instrumented, this
1640 function returns TRUE and *ITER points to the statement logically
1641 following the built-in strlen function call *ITER was initially
1642 pointing to. Otherwise, the function returns FALSE and *ITER
1643 remains unchanged. */
1645 static bool
1647 {
1658 /* Some passes might clear the return value of the strlen call;
1659 bail out in that case. Return FALSE as we are not advancing
1660 *ITER. */
1667 /* Instrument the access to the first byte of str_arg. i.e:
1669 _1 = str_arg; instrument (_1); */
1671 gimple str_arg_ssa =
1681 /* If we initially had an instruction like:
1683 int n = strlen (str)
1685 we now want to instrument the access to str[n], after the
1686 instruction above.*/
1688 /* So let's build the access to str[n] that is, access through the
1689 pointer_plus expr: (_1 + len). */
1690 gimple stmt =
1694 len);
1701 /* Ensure that iter points to the statement logically following the
1702 one it was initially pointing to. */
1704 /* As *ITER has been advanced to point to the next statement, let's
1705 return true to inform transform_statements that it shouldn't
1706 advance *ITER anymore; otherwises it will skip that next
1707 statement, which wouldn't be instrumented. */
1709 }
1711 /* Instrument the call to a built-in memory access function that is
1712 pointed to by the iterator ITER.
1714 Upon completion, return TRUE iff *ITER has been advanced to the
1715 statement following the one it was originally pointing to. */
1717 static bool
1719 {
1730 else
1731 {
1746 {
1748 {
1752 }
1754 {
1767 }
1768 }
1769 }
1771 }
1773 /* Instrument the assignment statement ITER if it is subject to
1774 instrumentation. Return TRUE iff instrumentation actually
1775 happened. In that case, the iterator ITER is advanced to the next
1776 logical expression following the one initially pointed to by ITER,
1777 and the relevant memory reference that which access has been
1778 instrumented is added to the memory references hash table. */
1780 static bool
1782 {
1791 {
1796 is_store);
1798 }
1801 {
1806 is_store);
1808 }
1814 }
1816 /* Instrument the function call pointed to by the iterator ITER, if it
1817 is subject to instrumentation. At the moment, the only function
1818 calls that are instrumented are some built-in functions that access
1819 memory. Look at instrument_builtin_call to learn more.
1821 Upon completion return TRUE iff *ITER was advanced to the statement
1822 following the one it was originally pointing to. */
1824 static bool
1826 {
1834 {
1836 {
1839 {
1842 /* Don't instrument these. */
1844 }
1845 }
1850 }
1852 }
1854 /* Walk each instruction of all basic block and instrument those that
1855 represent memory references: loads, stores, or function calls.
1856 In a given basic block, this function avoids instrumenting memory
1857 references that have already been instrumented. */
1859 static void
1861 {
1863 gimple_stmt_iterator i;
1867 {
1872 /* Flush the mem ref hash table, if current bb doesn't have
1873 exactly one predecessor, or if that predecessor (skipping
1874 over asan created basic blocks) isn't the last processed
1875 basic block. Thus we effectively flush on extended basic
1876 block boundaries. */
1878 {
1882 }
1888 {
1895 /* Nothing to do as maybe_instrument_assignment advanced
1898 /* Nothing to do as maybe_instrument_call
1900 else
1901 {
1902 /* No instrumentation happened.
1904 If the current instruction is a function call that
1905 might free something, let's forget about the memory
1906 references that got instrumented. Otherwise we might
1907 miss some instrumentation opportunities. */
1912 }
1913 }
1914 }
1916 }
1918 /* Build
1919 struct __asan_global
1920 {
1921 const void *__beg;
1922 uptr __size;
1923 uptr __size_with_redzone;
1924 const void *__name;
1925 uptr __has_dynamic_init;
1926 } type. */
1928 static tree
1930 {
1939 {
1948 }
1953 }
1955 /* Append description of a single global DECL into vector V.
1956 TYPE is __asan_global struct type as returned by asan_global_struct. */
1958 static void
1960 {
1966 pretty_printer asan_pp;
1970 else
1979 {
1994 }
2008 }
2010 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2011 void
2013 {
2014 tree decl;
2020 tree BT_FN_VOID_PTR
2022 tree BT_FN_VOID_PTR_PTR_PTR
2025 tree BT_FN_VOID_PTR_PTRMODE
2028 tree BT_FN_VOID_INT
2034 tree vptr
2036 TYPE_QUAL_VOLATILE));
2037 tree cvptr
2039 TYPE_QUAL_VOLATILE
2041 tree boolt
2045 {
2050 NULL_TREE);
2055 NULL_TREE);
2059 }
2060 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2061 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2062 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2063 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2064 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2065 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2066 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2067 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2068 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2069 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2070 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2071 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2072 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2073 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2074 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2075 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2076 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2077 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2078 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2079 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2080 #undef ATTR_NOTHROW_LEAF_LIST
2081 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2082 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2083 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2084 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2085 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2086 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2087 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2088 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2089 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2090 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2092 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2093 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2095 #undef DEF_SANITIZER_BUILTIN
2096 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2098 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2099 set_call_expr_flags (decl, ATTRS); \
2100 set_builtin_decl (ENUM, decl, true);
2104 #undef DEF_SANITIZER_BUILTIN
2105 }
2107 /* Called via htab_traverse. Count number of emitted
2108 STRING_CSTs in the constant hash table. */
2110 static int
2112 {
2120 }
2122 /* Helper structure to pass two parameters to
2123 add_string_csts. */
2125 struct asan_add_string_csts_data
2126 {
2127 tree type;
2129 };
2131 /* Called via htab_traverse. Call asan_add_global
2132 on emitted STRING_CSTs from the constant hash table. */
2134 static int
2136 {
2142 {
2147 }
2149 }
2151 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
2152 invoke ggc_collect. */
2155 /* Module-level instrumentation.
2156 - Insert __asan_init() into the list of CTORs.
2157 - TODO: insert redzones around globals.
2158 */
2160 void
2162 {
2168 /* Avoid instrumenting code in the asan ctors/dtors.
2169 We don't need to insert padding after the description strings,
2170 nor after .LASAN* array. */
2182 {
2191 type);
2215 gcount_tree),
2221 gcount_tree),
2225 }
2229 }
2231 /* Instrument the current function. */
2233 static unsigned int
2235 {
2240 }
2242 static bool
2244 {
2248 }
2253 {
2266 };
2269 {
2273 {}
2275 /* opt_pass methods: */
2284 gimple_opt_pass *
2286 {
2288 }
2290 static bool
2292 {
2294 }
2299 {
2312 };
2315 {
2319 {}
2321 /* opt_pass methods: */
2329 gimple_opt_pass *
2331 {
2333 }