| blob | dc7b7f4bcf1803dd2ffbbaad782cf1b515d61ed8 |
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2022 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
69 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
70 with <2x slowdown on average.
72 The tool consists of two parts:
73 instrumentation module (this file) and a run-time library.
74 The instrumentation module adds a run-time check before every memory insn.
75 For a 8- or 16- byte load accessing address X:
76 ShadowAddr = (X >> 3) + Offset
77 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
78 if (ShadowValue)
79 __asan_report_load8(X);
80 For a load of N bytes (N=1, 2 or 4) from address X:
81 ShadowAddr = (X >> 3) + Offset
82 ShadowValue = *(char*)ShadowAddr;
83 if (ShadowValue)
84 if ((X & 7) + N - 1 > ShadowValue)
85 __asan_report_loadN(X);
86 Stores are instrumented similarly, but using __asan_report_storeN functions.
87 A call too __asan_init_vN() is inserted to the list of module CTORs.
88 N is the version number of the AddressSanitizer API. The changes between the
89 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
91 The run-time library redefines malloc (so that redzone are inserted around
92 the allocated memory) and free (so that reuse of free-ed memory is delayed),
93 provides __asan_report* and __asan_init_vN functions.
95 Read more:
96 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
98 The current implementation supports detection of out-of-bounds and
99 use-after-free in the heap, on the stack and for global variables.
101 [Protection of stack variables]
103 To understand how detection of out-of-bounds and use-after-free works
104 for stack variables, lets look at this example on x86_64 where the
105 stack grows downward:
107 int
108 foo ()
109 {
110 char a[24] = {0};
111 int b[2] = {0};
113 a[5] = 1;
114 b[1] = 2;
116 return a[5] + b[1];
117 }
119 For this function, the stack protected by asan will be organized as
120 follows, from the top of the stack to the bottom:
122 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
124 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
125 the next slot be 32 bytes aligned; this one is called Partial
126 Redzone; this 32 bytes alignment is an asan constraint]
128 Slot 3/ [24 bytes for variable 'a']
130 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
132 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
134 Slot 6/ [8 bytes for variable 'b']
136 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
137 'LEFT RedZone']
139 The 32 bytes of LEFT red zone at the bottom of the stack can be
140 decomposed as such:
142 1/ The first 8 bytes contain a magical asan number that is always
143 0x41B58AB3.
145 2/ The following 8 bytes contains a pointer to a string (to be
146 parsed at runtime by the runtime asan library), which format is
147 the following:
149 "<function-name> <space> <num-of-variables-on-the-stack>
150 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
151 <length-of-var-in-bytes> ){n} "
153 where '(...){n}' means the content inside the parenthesis occurs 'n'
154 times, with 'n' being the number of variables on the stack.
156 3/ The following 8 bytes contain the PC of the current function which
157 will be used by the run-time library to print an error message.
159 4/ The following 8 bytes are reserved for internal use by the run-time.
161 The shadow memory for that stack layout is going to look like this:
163 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
164 The F1 byte pattern is a magic number called
165 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
166 the memory for that shadow byte is part of a the LEFT red zone
167 intended to seat at the bottom of the variables on the stack.
169 - content of shadow memory 8 bytes for slots 6 and 5:
170 0xF4F4F400. The F4 byte pattern is a magic number
171 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
172 memory region for this shadow byte is a PARTIAL red zone
173 intended to pad a variable A, so that the slot following
174 {A,padding} is 32 bytes aligned.
176 Note that the fact that the least significant byte of this
177 shadow memory content is 00 means that 8 bytes of its
178 corresponding memory (which corresponds to the memory of
179 variable 'b') is addressable.
181 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
182 The F2 byte pattern is a magic number called
183 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
184 region for this shadow byte is a MIDDLE red zone intended to
185 seat between two 32 aligned slots of {variable,padding}.
187 - content of shadow memory 8 bytes for slot 3 and 2:
188 0xF4000000. This represents is the concatenation of
189 variable 'a' and the partial red zone following it, like what we
190 had for variable 'b'. The least significant 3 bytes being 00
191 means that the 3 bytes of variable 'a' are addressable.
193 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
194 The F3 byte pattern is a magic number called
195 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
196 region for this shadow byte is a RIGHT red zone intended to seat
197 at the top of the variables of the stack.
199 Note that the real variable layout is done in expand_used_vars in
200 cfgexpand.cc. As far as Address Sanitizer is concerned, it lays out
201 stack variables as well as the different red zones, emits some
202 prologue code to populate the shadow memory as to poison (mark as
203 non-accessible) the regions of the red zones and mark the regions of
204 stack variables as accessible, and emit some epilogue code to
205 un-poison (mark as accessible) the regions of red zones right before
206 the function exits.
208 [Protection of global variables]
210 The basic idea is to insert a red zone between two global variables
211 and install a constructor function that calls the asan runtime to do
212 the populating of the relevant shadow memory regions at load time.
214 So the global variables are laid out as to insert a red zone between
215 them. The size of the red zones is so that each variable starts on a
216 32 bytes boundary.
218 Then a constructor function is installed so that, for each global
219 variable, it calls the runtime asan library function
220 __asan_register_globals_with an instance of this type:
222 struct __asan_global
223 {
224 // Address of the beginning of the global variable.
225 const void *__beg;
227 // Initial size of the global variable.
228 uptr __size;
230 // Size of the global variable + size of the red zone. This
231 // size is 32 bytes aligned.
232 uptr __size_with_redzone;
234 // Name of the global variable.
235 const void *__name;
237 // Name of the module where the global variable is declared.
238 const void *__module_name;
240 // 1 if it has dynamic initialization, 0 otherwise.
241 uptr __has_dynamic_init;
243 // A pointer to struct that contains source location, could be NULL.
244 __asan_global_source_location *__location;
245 }
247 A destructor function that calls the runtime asan library function
248 _asan_unregister_globals is also installed. */
255 /* Set of variable declarations that are going to be guarded by
256 use-after-scope sanitizer. */
262 /* Global variables for HWASAN stack tagging. */
263 /* hwasan_frame_tag_offset records the offset from the frame base tag that the
264 next object should have. */
266 /* hwasan_frame_base_ptr is a pointer with the same address as
267 `virtual_stack_vars_rtx` for the current frame, and with the frame base tag
268 stored in it. N.b. this global RTX does not need to be marked GTY, but is
269 done so anyway. The need is not there since all uses are in just one pass
270 (cfgexpand) and there are no calls to ggc_collect between the uses. We mark
271 it GTY(()) anyway to allow the use of the variable later on if needed by
272 future features. */
274 /* hwasan_frame_base_init_seq is the sequence of RTL insns that will initialize
275 the hwasan_frame_base_ptr. When the hwasan_frame_base_ptr is requested, we
276 generate this sequence but do not emit it. If the sequence was created it
277 is emitted once the function body has been expanded.
279 This delay is because the frame base pointer may be needed anywhere in the
280 function body, or needed by the expand_used_vars function. Emitting once in
281 a known place is simpler than requiring the emission of the instructions to
282 be know where it should go depending on the first place the hwasan frame
283 base is needed. */
286 /* Structure defining the extent of one object on the stack that HWASAN needs
287 to tag in the corresponding shadow stack space.
289 The range this object spans on the stack is between `untagged_base +
290 nearest_offset` and `untagged_base + farthest_offset`.
291 `tagged_base` is an rtx containing the same value as `untagged_base` but
292 with a random tag stored in the top byte. We record both `untagged_base`
293 and `tagged_base` so that `hwasan_emit_prologue` can use both without having
294 to emit RTL into the instruction stream to re-calculate one from the other.
295 (`hwasan_emit_prologue` needs to use both bases since the
296 __hwasan_tag_memory call it emits uses an untagged value, and it calculates
297 the tag to store in shadow memory based on the tag_offset plus the tag in
298 tagged_base). */
299 struct hwasan_stack_var
300 {
301 rtx untagged_base;
302 rtx tagged_base;
303 poly_int64 nearest_offset;
304 poly_int64 farthest_offset;
306 };
308 /* Variable recording all stack variables that HWASAN needs to tag.
309 Does not need to be marked as GTY(()) since every use is in the cfgexpand
310 pass and gcc_collect is not called in the middle of that pass. */
314 /* Sets shadow offset to value in string VAL. */
316 bool
318 {
322 #ifdef HAVE_LONG_LONG
324 #else
326 #endif
333 }
335 /* Set list of user-defined sections that need to be sanitized. */
337 void
339 {
347 {
353 }
354 }
356 bool
358 {
361 }
363 bool
365 {
367 }
369 bool
371 {
373 }
375 bool
377 {
379 }
381 bool
383 {
385 }
387 bool
389 {
391 }
394 /* Checks whether section SEC should be sanitized. */
396 static bool
398 {
405 }
407 /* Returns Asan shadow offset. */
409 static unsigned HOST_WIDE_INT
411 {
413 {
416 }
418 }
420 /* Returns Asan shadow offset has been set. */
421 bool
423 {
425 }
429 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
430 alias set is used for all shadow memory accesses. */
433 /* Decl for __asan_option_detect_stack_use_after_return. */
436 /* Hashtable support for memory references used by gimple
437 statements. */
439 /* This type represents a reference to a memory region. */
440 struct asan_mem_ref
441 {
442 /* The expression of the beginning of the memory region. */
443 tree start;
445 /* The size of the access. */
446 HOST_WIDE_INT access_size;
447 };
451 /* Initializes an instance of asan_mem_ref. */
453 static void
455 {
458 }
460 /* Allocates memory for an instance of asan_mem_ref into the memory
461 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
462 START is the address of (or the expression pointing to) the
463 beginning of memory reference. ACCESS_SIZE is the size of the
464 access to the referenced memory. */
468 {
473 }
475 /* This builds and returns a pointer to the end of the memory region
476 that starts at START and of length LEN. */
478 tree
480 {
488 }
490 /* Return a tree expression that represents the end of the referenced
491 memory region. Beware that this function can actually build a new
492 tree expression. */
494 tree
496 {
498 }
501 {
504 };
506 /* Hash a memory reference. */
508 inline hashval_t
510 {
512 }
514 /* Compare two memory references. We accept the length of either
515 memory references to be NULL_TREE. */
520 {
522 }
526 /* Returns a reference to the hash table containing memory references.
527 This function ensures that the hash table is created. Note that
528 this hash table is updated by the function
529 update_mem_ref_hash_table. */
533 {
538 }
540 /* Clear all entries from the memory references hash table. */
542 static void
544 {
547 }
549 /* Free the memory references hash table. */
551 static void
553 {
558 }
560 /* Return true iff the memory reference REF has been instrumented. */
562 static bool
564 {
565 asan_mem_ref r;
570 }
572 /* Return true iff the memory reference REF has been instrumented. */
574 static bool
576 {
578 }
580 /* Return true iff access to memory region starting at REF and of
581 length LEN has been instrumented. */
583 static bool
585 {
586 HOST_WIDE_INT size_in_bytes
591 }
593 /* Set REF to the memory reference present in a gimple assignment
594 ASSIGNMENT. Return true upon successful completion, false
595 otherwise. */
597 static bool
601 {
606 {
609 }
611 {
614 }
615 else
620 }
622 /* Return address of last allocated dynamic alloca. */
624 static tree
626 {
635 }
637 /* Insert __asan_allocas_unpoison (top, bottom) call before
638 __builtin_stack_restore (new_sp) call.
639 The pseudocode of this routine should look like this:
640 top = last_alloca_addr;
641 bot = new_sp;
642 __asan_allocas_unpoison (top, bot);
643 last_alloca_addr = new_sp;
644 __builtin_stack_restore (new_sp);
645 In general, we can't use new_sp as bot parameter because on some
646 architectures SP has non zero offset from dynamic stack area. Moreover, on
647 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each
648 particular function only after all callees were expanded to rtl.
649 The most noticeable example is PowerPC{,64}, see
650 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
651 To overcome the issue we use following trick: pass new_sp as a second
652 parameter to __asan_allocas_unpoison and rewrite it during expansion with
653 new_sp + (virtual_dynamic_stack_rtx - sp) later in
654 expand_asan_emit_allocas_unpoison function.
656 HWASAN needs to do very similar, the eventual pseudocode should be:
657 __hwasan_tag_memory (virtual_stack_dynamic_rtx,
658 0,
659 new_sp - sp);
660 __builtin_stack_restore (new_sp)
662 Need to use the same trick to handle STACK_DYNAMIC_OFFSET as described
663 above. */
665 static void
667 {
677 {
679 /* There is only one piece of information `expand_HWASAN_ALLOCA_UNPOISON`
680 needs to work. This is the length of the area that we're
681 deallocating. Since the stack pointer is known at expand time, the
682 position of the new stack pointer after deallocation is enough
683 information to calculate this length. */
685 }
686 else
687 {
693 }
696 }
698 /* Deploy and poison redzones around __builtin_alloca call. To do this, we
699 should replace this call with another one with changed parameters and
700 replace all its uses with new address, so
701 addr = __builtin_alloca (old_size, align);
702 is replaced by
703 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
704 Following two statements are optimized out if we know that
705 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
706 redzone.
707 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
708 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
709 right_redzone_size = ASAN_RED_ZONE_SIZE;
710 additional_size = left_redzone_size + partial_redzone_size +
711 right_redzone_size;
712 new_size = old_size + additional_size;
713 new_alloca = __builtin_alloca (new_size, max (align, 32))
714 __asan_alloca_poison (new_alloca, old_size)
715 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
716 last_alloca_addr = new_alloca;
717 ADDITIONAL_SIZE is added to make new memory allocation contain not only
718 requested memory, but also left, partial and right redzones as well as some
719 additional space, required by alignment. */
721 static void
723 {
735 unsigned int align
742 {
747 }
750 {
753 /*
754 HWASAN needs a different expansion.
756 addr = __builtin_alloca (size, align);
758 should be replaced by
760 new_size = size rounded up to HWASAN_TAG_GRANULE_SIZE byte alignment;
761 untagged_addr = __builtin_alloca (new_size, align);
762 tag = __hwasan_choose_alloca_tag ();
763 addr = ifn_HWASAN_SET_TAG (untagged_addr, tag);
764 __hwasan_tag_memory (untagged_addr, tag, new_size);
765 */
766 /* Ensure alignment at least HWASAN_TAG_GRANULE_SIZE bytes so we start on
767 a tag granule. */
772 old_size,
773 HWASAN_TAG_GRANULE_SIZE);
775 /* Make the alloca call */
776 tree untagged_addr
781 /* Choose the tag.
782 Here we use an internal function so we can choose the tag at expand
783 time. We need the decision to be made after stack variables have been
784 assigned their tag (i.e. once the hwasan_frame_tag_offset variable has
785 been set to one after the last stack variables tag). */
787 unsigned_char_type_node);
789 /* Add tag to pointer. */
790 tree addr
794 /* Tag shadow memory.
795 NOTE: require using `untagged_addr` here for libhwasan API. */
799 /* Insert the built up code sequence into the original instruction stream
800 the iterator points to. */
803 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
806 }
811 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
812 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
813 manually. */
819 /* Extract lower bits from old_size. */
821 wide_int rz_mask
825 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
826 redzone. Otherwise, compute its size here. */
828 {
829 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
830 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
839 }
841 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
844 /* If alloca has partial redzone, include it to additional_size too. */
846 {
847 /* additional_size += partial_size. */
852 }
854 /* new_size = old_size + additional_size. */
856 additional_size);
860 /* Build new __builtin_alloca call:
861 new_alloca_with_rz = __builtin_alloca (new_size, align). */
868 {
871 }
872 else
875 /* new_alloca = new_alloca_with_rz + align. */
877 new_alloca_with_rz,
882 {
885 }
886 else
890 /* Poison newly created alloca redzones:
891 __asan_alloca_poison (new_alloca, old_size). */
896 else
899 /* Save new_alloca_with_rz value into last_alloca to use it during
900 allocas unpoisoning. */
904 else
907 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
909 {
912 }
913 else
915 }
917 /* Return the memory references contained in a gimple statement
918 representing a builtin call that has to do with memory access. */
920 static bool
934 {
946 {
947 /* (s, s, n) style memops. */
955 /* (src, dest, n) style memops. */
962 /* (dest, src, n) style memops. */
974 /* (dest, n) style memops. */
980 /* (dest, x, n) style memops*/
988 /* Special case strlen here since its length is taken from its return
989 value.
991 The approach taken by the sanitizers is to check a memory access
992 before it's taken. For ASAN strlen is intercepted by libasan, so no
993 check is inserted by the compiler.
995 This function still returns `true` and provides a length to the rest
996 of the ASAN pass in order to record what areas have been checked,
997 avoiding superfluous checks later on.
999 HWASAN does not intercept any of these internal functions.
1000 This means that checks for memory accesses must be inserted by the
1001 compiler.
1002 strlen is a special case, because we can tell the length from the
1003 return of the function, but that is not known until after the function
1004 has returned.
1006 Hence we can't check the memory access before it happens.
1007 We could check the memory access after it has already happened, but
1008 for now we choose to just ignore `strlen` calls.
1009 This decision was simply made because that means the special case is
1010 limited to this one case of this one function. */
1021 CASE_BUILT_IN_ALLOCA:
1024 /* And now the __atomic* and __sync builtins.
1025 These are handled differently from the classical memory
1026 access builtins above. */
1030 /* FALLTHRU */
1067 /* FALLTHRU */
1104 /* FALLTHRU */
1141 /* FALLTHRU */
1178 /* FALLTHRU */
1211 /* FALLTHRU */
1212 do_atomic:
1213 {
1215 /* DEST represents the address of a memory location.
1216 instrument_derefs wants the memory location, so lets
1217 dereference the address DEST before handing it to
1218 instrument_derefs. */
1224 }
1227 /* The other builtins memory access are not instrumented in this
1228 function because they either don't have any length parameter,
1229 or their length parameter is just a limit. */
1231 }
1234 {
1236 {
1241 }
1244 {
1249 }
1252 {
1257 }
1260 }
1262 {
1269 }
1272 }
1274 /* Return true iff a given gimple statement has been instrumented.
1275 Note that the statement is "defined" by the memory references it
1276 contains. */
1278 static bool
1280 {
1282 {
1284 asan_mem_ref r;
1289 {
1293 {
1294 asan_mem_ref src;
1300 }
1302 }
1303 }
1305 {
1319 {
1333 }
1334 }
1336 {
1337 asan_mem_ref r;
1343 }
1346 }
1348 /* Insert a memory reference into the hash table. */
1350 static void
1352 {
1355 asan_mem_ref r;
1361 }
1363 /* Initialize shadow_ptr_types array. */
1365 static void
1367 {
1370 integer_type_node };
1373 {
1377 }
1380 }
1382 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
1384 static tree
1386 {
1396 }
1398 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1399 though. */
1401 static void
1403 {
1417 {
1420 }
1439 }
1441 void
1443 {
1447 current_function_funcdef_no);
1448 }
1450 /* Return number of shadow bytes that are occupied by a local variable
1451 of SIZE bytes. */
1453 static unsigned HOST_WIDE_INT
1455 {
1456 /* It must be possible to align stack variables to granularity
1457 of shadow memory. */
1462 }
1464 /* Always emit 4 bytes at a time. */
1465 #define RZ_BUFFER_SIZE 4
1467 /* ASAN redzone buffer container that handles emission of shadow bytes. */
1468 class asan_redzone_buffer
1469 {
1471 /* Constructor. */
1475 {}
1477 /* Emit VALUE shadow byte at a given OFFSET. */
1480 /* Emit RTX emission of the content of the buffer. */
1484 /* Flush if the content of the buffer is full
1485 (equal to RZ_BUFFER_SIZE). */
1488 /* Memory where we last emitted a redzone payload. */
1489 rtx m_shadow_mem;
1491 /* Relative offset where we last emitted a redzone payload. */
1492 HOST_WIDE_INT m_prev_offset;
1494 /* Relative original offset. Used for checking only. */
1495 HOST_WIDE_INT m_original_offset;
1498 /* Buffer with redzone payload. */
1500 };
1502 /* Emit VALUE shadow byte at a given OFFSET. */
1504 void
1507 {
1511 HOST_WIDE_INT off
1518 {
1519 /* Shadow memory byte with a small gap. */
1522 }
1523 else
1524 {
1528 /* Maybe start earlier in order to use aligned store. */
1531 {
1535 }
1537 /* Adjust m_prev_offset and m_shadow_mem. */
1542 }
1545 }
1547 /* Emit RTX emission of the content of the buffer. */
1549 void
1551 {
1557 /* Be sure we always emit to an aligned address. */
1561 /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */
1572 {
1573 unsigned char v
1578 }
1587 }
1589 /* Flush if the content of the buffer is full
1590 (equal to RZ_BUFFER_SIZE). */
1592 void
1594 {
1597 }
1600 /* HWAddressSanitizer (hwasan) is a probabilistic method for detecting
1601 out-of-bounds and use-after-free bugs.
1602 Read more:
1603 http://code.google.com/p/address-sanitizer/
1605 Similar to AddressSanitizer (asan) it consists of two parts: the
1606 instrumentation module in this file, and a run-time library.
1608 The instrumentation module adds a run-time check before every memory insn in
1609 the same manner as asan (see the block comment for AddressSanitizer above).
1610 Currently, hwasan only adds out-of-line instrumentation, where each check is
1611 implemented as a function call to the run-time library. Hence a check for a
1612 load of N bytes from address X would be implemented with a function call to
1613 __hwasan_loadN(X), and checking a store of N bytes from address X would be
1614 implemented with a function call to __hwasan_storeN(X).
1616 The main difference between hwasan and asan is in the information stored to
1617 help this checking. Both sanitizers use a shadow memory area which stores
1618 data recording the state of main memory at a corresponding address.
1620 For hwasan, each 16 byte granule in main memory has a corresponding 1 byte
1621 in shadow memory. This shadow address can be calculated with equation:
1622 (addr >> log_2(HWASAN_TAG_GRANULE_SIZE))
1623 + __hwasan_shadow_memory_dynamic_address;
1624 The conversion between real and shadow memory for asan is given in the block
1625 comment at the top of this file.
1626 The description of how this shadow memory is laid out for asan is in the
1627 block comment at the top of this file, here we describe how this shadow
1628 memory is used for hwasan.
1630 For hwasan, each variable is assigned a byte-sized 'tag'. The extent of
1631 the shadow memory for that variable is filled with the assigned tag, and
1632 every pointer referencing that variable has its top byte set to the same
1633 tag. The run-time library redefines malloc so that every allocation returns
1634 a tagged pointer and tags the corresponding shadow memory with the same tag.
1636 On each pointer dereference the tag found in the pointer is compared to the
1637 tag found in the shadow memory corresponding to the accessed memory address.
1638 If these tags are found to differ then this memory access is judged to be
1639 invalid and a report is generated.
1641 This method of bug detection is not perfect -- it can not catch every bad
1642 access -- but catches them probabilistically instead. There is always the
1643 possibility that an invalid memory access will happen to access memory
1644 tagged with the same tag as the pointer that this access used.
1645 The chances of this are approx. 0.4% for any two uncorrelated objects.
1647 Random tag generation can mitigate this problem by decreasing the
1648 probability that an invalid access will be missed in the same manner over
1649 multiple runs. i.e. if two objects are tagged the same in one run of the
1650 binary they are unlikely to be tagged the same in the next run.
1651 Both heap and stack allocated objects have random tags by default.
1653 [16 byte granule implications]
1654 Since the shadow memory only has a resolution on real memory of 16 bytes,
1655 invalid accesses that are within the same 16 byte granule as a valid
1656 address will not be caught.
1658 There is a "short-granule" feature in the runtime library which does catch
1659 such accesses, but this feature is not implemented for stack objects (since
1660 stack objects are allocated and tagged by compiler instrumentation, and
1661 this feature has not yet been implemented in GCC instrumentation).
1663 Another outcome of this 16 byte resolution is that each tagged object must
1664 be 16 byte aligned. If two objects were to share any 16 byte granule in
1665 memory, then they both would have to be given the same tag, and invalid
1666 accesses to one using a pointer to the other would be undetectable.
1668 [Compiler instrumentation]
1669 Compiler instrumentation ensures that two adjacent buffers on the stack are
1670 given different tags, this means an access to one buffer using a pointer
1671 generated from the other (e.g. through buffer overrun) will have mismatched
1672 tags and be caught by hwasan.
1674 We don't randomly tag every object on the stack, since that would require
1675 keeping many registers to record each tag. Instead we randomly generate a
1676 tag for each function frame, and each new stack object uses a tag offset
1677 from that frame tag.
1678 i.e. each object is tagged as RFT + offset, where RFT is the "random frame
1679 tag" generated for this frame.
1680 This means that randomisation does not peturb the difference between tags
1681 on tagged stack objects within a frame, but this is mitigated by the fact
1682 that objects with the same tag within a frame are very far apart
1683 (approx. 2^HWASAN_TAG_SIZE objects apart).
1685 As a demonstration, using the same example program as in the asan block
1686 comment above:
1688 int
1689 foo ()
1690 {
1691 char a[24] = {0};
1692 int b[2] = {0};
1694 a[5] = 1;
1695 b[1] = 2;
1697 return a[5] + b[1];
1698 }
1700 On AArch64 the stack will be ordered as follows for the above function:
1702 Slot 1/ [24 bytes for variable 'a']
1703 Slot 2/ [8 bytes padding for alignment]
1704 Slot 3/ [8 bytes for variable 'b']
1705 Slot 4/ [8 bytes padding for alignment]
1707 (The padding is there to ensure 16 byte alignment as described in the 16
1708 byte granule implications).
1710 While the shadow memory will be ordered as follows:
1712 - 2 bytes (representing 32 bytes in real memory) tagged with RFT + 1.
1713 - 1 byte (representing 16 bytes in real memory) tagged with RFT + 2.
1715 And any pointer to "a" will have the tag RFT + 1, and any pointer to "b"
1716 will have the tag RFT + 2.
1718 [Top Byte Ignore requirements]
1719 Hwasan requires the ability to store an 8 bit tag in every pointer. There
1720 is no instrumentation done to remove this tag from pointers before
1721 dereferencing, which means the hardware must ignore this tag during memory
1722 accesses.
1724 Architectures where this feature is available should indicate this using
1725 the TARGET_MEMTAG_CAN_TAG_ADDRESSES hook.
1727 [Stack requires cleanup on unwinding]
1728 During normal operation of a hwasan sanitized program more space in the
1729 shadow memory becomes tagged as the stack grows. As the stack shrinks this
1730 shadow memory space must become untagged. If it is not untagged then when
1731 the stack grows again (during other function calls later on in the program)
1732 objects on the stack that are usually not tagged (e.g. parameters passed on
1733 the stack) can be placed in memory whose shadow space is tagged with
1734 something else, and accesses can cause false positive reports.
1736 Hence we place untagging code on every epilogue of functions which tag some
1737 stack objects.
1739 Moreover, the run-time library intercepts longjmp & setjmp to untag when
1740 the stack is unwound this way.
1742 C++ exceptions are not yet handled, which means this sanitizer can not
1743 handle C++ code that throws exceptions -- it will give false positives
1744 after an exception has been thrown. The implementation that the hwasan
1745 library has for handling these relies on the frame pointer being after any
1746 local variables. This is not generally the case for GCC. */
1749 /* Returns whether we are tagging pointers and checking those tags on memory
1750 access. */
1751 bool
1753 {
1755 }
1757 /* Are we tagging the stack? */
1758 bool
1760 {
1762 }
1764 /* Are we tagging alloca objects? */
1765 bool
1767 {
1769 }
1771 /* Should we instrument reads? */
1772 bool
1774 {
1776 }
1778 /* Should we instrument writes? */
1779 bool
1781 {
1783 }
1785 /* Should we instrument builtin calls? */
1786 bool
1788 {
1790 }
1792 /* Insert code to protect stack vars. The prologue sequence should be emitted
1793 directly, epilogue sequence returned. BASE is the register holding the
1794 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1795 array contains pairs of offsets in reverse order, always the end offset
1796 of some gap that needs protection followed by starting offset,
1797 and DECLS is an array of representative decls for each var partition.
1798 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1799 elements long (OFFSETS include gap before the first variable as well
1800 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1801 register which stack vars DECL_RTLs are based on. Either BASE should be
1802 assigned to PBASE, when not doing use after return protection, or
1803 corresponding address based on __asan_stack_malloc* return value. */
1805 rtx_insn *
1808 {
1822 /* Don't emit anything when doing error recovery, the assertions
1823 might fail e.g. if a function had a frame offset overflow. */
1830 expanded_location cfun_xloc
1833 /* First of all, prepare the description string. */
1834 pretty_printer asan_pp;
1839 {
1846 expanded_location xloc
1852 else
1856 {
1857 unsigned idlen
1863 }
1864 else
1869 }
1872 /* Emit the prologue sequence. */
1875 {
1877 /* __asan_stack_malloc_N guarantees alignment
1878 N < 6 ? (64 << N) : 4096 bytes. */
1885 }
1887 /* Align base if target is STRICT_ALIGNMENT. */
1889 {
1890 const HOST_WIDE_INT align
1894 }
1904 {
1906 {
1909 integer_type_node);
1919 }
1928 use_after_return_class);
1934 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1935 and NULL otherwise. Check RET value is NULL here and jump over the
1936 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1947 }
1973 shadow_base
1987 {
1993 /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then
1994 the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0.
1995 In that case we have to emit one extra byte that will describe
1996 how many bytes (our of ASAN_SHADOW_GRANULARITY) can be accessed. */
1998 {
1999 HOST_WIDE_INT aoff
2004 }
2006 /* Calculate size of red zone payload. */
2008 {
2011 }
2014 }
2016 /* As the automatic variables are aligned to
2017 ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be
2018 flushed here. */
2023 /* Construct epilogue sequence. */
2028 {
2043 {
2044 /* Emit:
2045 memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
2046 **SavedFlagPtr(FakeStack, class_id) = 0
2047 */
2051 unsigned HOST_WIDE_INT offset
2061 }
2068 {
2070 use_after_return_class);
2078 }
2082 }
2095 {
2099 {
2107 }
2108 else
2114 /* Unpoison shadow memory that corresponds to a variable that is
2115 is subject of use-after-return sanitization. */
2117 {
2121 {
2124 {
2130 }
2133 }
2134 }
2135 last_size_aligned
2138 }
2140 {
2145 }
2147 /* Clean-up set with instrumented stack variables. */
2160 }
2162 /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds
2163 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE
2164 indicates whether we're emitting new instructions sequence or not. */
2166 rtx_insn *
2168 {
2171 else
2183 }
2185 /* Return true if DECL, a global var, might be overridden and needs
2186 therefore a local alias. */
2188 static bool
2190 {
2192 }
2194 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
2195 therefore doesn't need protection. */
2197 static bool
2199 {
2202 }
2204 /* Return true if DECL is a VAR_DECL that should be protected
2205 by Address Sanitizer, by appending a red zone with protected
2206 shadow memory after it and aligning it to at least
2207 ASAN_RED_ZONE_SIZE bytes. */
2209 bool
2211 {
2218 {
2219 /* Instrument all STRING_CSTs except those created
2220 by asan_pp_string here. */
2226 }
2228 /* TLS vars aren't statically protectable. */
2230 /* Externs will be protected elsewhere. */
2232 /* PR sanitizer/81697: For architectures that use section anchors first
2233 call to asan_protect_global may occur before DECL_RTL (decl) is set.
2234 We should ignore DECL_RTL_SET_P then, because otherwise the first call
2235 to asan_protect_global will return FALSE and the following calls on the
2236 same decl after setting DECL_RTL (decl) will return TRUE and we'll end
2237 up with inconsistency at runtime. */
2239 /* Comdat vars pose an ABI problem, we can't know if
2240 the var that is selected by the linker will have
2241 padding or not. */
2243 /* Similarly for common vars. People can use -fno-common.
2244 Note: Linux kernel is built with -fno-common, so we do instrument
2245 globals there even if it is C. */
2247 /* Don't protect if using user section, often vars placed
2248 into user section from multiple TUs are then assumed
2249 to be an array of such vars, putting padding in there
2250 breaks this assumption. */
2264 {
2274 }
2283 }
2285 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
2286 IS_STORE is either 1 (for a store) or 0 (for a load). */
2288 static tree
2291 {
2302 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
2303 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
2304 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
2305 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
2306 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
2308 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
2309 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
2310 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
2311 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
2312 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
2314 {
2317 }
2321 }
2323 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
2324 IS_STORE is either 1 (for a store) or 0 (for a load). */
2326 static tree
2329 {
2338 BUILT_IN_ASAN_LOAD2_NOABORT,
2339 BUILT_IN_ASAN_LOAD4_NOABORT,
2340 BUILT_IN_ASAN_LOAD8_NOABORT,
2341 BUILT_IN_ASAN_LOAD16_NOABORT,
2342 BUILT_IN_ASAN_LOADN_NOABORT },
2344 BUILT_IN_ASAN_STORE2_NOABORT,
2345 BUILT_IN_ASAN_STORE4_NOABORT,
2346 BUILT_IN_ASAN_STORE8_NOABORT,
2347 BUILT_IN_ASAN_STORE16_NOABORT,
2348 BUILT_IN_ASAN_STOREN_NOABORT } } };
2350 {
2353 }
2357 }
2359 /* Split the current basic block and create a condition statement
2360 insertion point right before or after the statement pointed to by
2361 ITER. Return an iterator to the point at which the caller might
2362 safely insert the condition statement.
2364 THEN_BLOCK must be set to the address of an uninitialized instance
2365 of basic_block. The function will then set *THEN_BLOCK to the
2366 'then block' of the condition statement to be inserted by the
2367 caller.
2369 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
2370 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
2372 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
2373 block' of the condition statement to be inserted by the caller.
2375 Note that *FALLTHROUGH_BLOCK is a new block that contains the
2376 statements starting from *ITER, and *THEN_BLOCK is a new empty
2377 block.
2379 *ITER is adjusted to point to always point to the first statement
2380 of the basic block * FALLTHROUGH_BLOCK. That statement is the
2381 same as what ITER was pointing to prior to calling this function,
2382 if BEFORE_P is true; otherwise, it is its following statement. */
2384 gimple_stmt_iterator
2391 {
2401 /* Get a hold on the 'condition block', the 'then block' and the
2402 'else block'. */
2407 {
2410 }
2412 /* Set up the newly created 'then block'. */
2414 profile_probability fallthrough_probability
2415 = then_more_likely_p
2423 /* Set up the fallthrough basic block. */
2428 /* Update dominance info for the newly created then_bb; note that
2429 fallthru_bb's dominance info has already been updated by
2430 split_bock. */
2439 }
2441 /* Insert an if condition followed by a 'then block' right before the
2442 statement pointed to by ITER. The fallthrough block -- which is the
2443 else block of the condition as well as the destination of the
2444 outcoming edge of the 'then block' -- starts with the statement
2445 pointed to by ITER.
2447 COND is the condition of the if.
2449 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
2450 'then block' is higher than the probability of the edge to the
2451 fallthrough block.
2453 Upon completion of the function, *THEN_BB is set to the newly
2454 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
2455 fallthrough block.
2457 *ITER is adjusted to still point to the same statement it was
2458 pointing to initially. */
2460 static void
2466 {
2467 gimple_stmt_iterator cond_insert_point =
2470 then_more_likely_p,
2472 then_bb,
2473 fallthrough_bb);
2475 }
2477 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
2478 If RETURN_ADDRESS is set to true, return memory location instread
2479 of a value in the shadow memory. */
2481 static tree
2485 {
2508 {
2514 }
2517 }
2519 /* BASE can already be an SSA_NAME; in that case, do not create a
2520 new SSA_NAME for it. */
2522 static tree
2525 {
2533 else
2536 }
2538 /* LEN can already have necessary size and precision;
2539 in that case, do not create a new variable. */
2541 tree
2544 {
2552 else
2555 }
2557 /* Instrument the memory access instruction BASE. Insert new
2558 statements before or after ITER.
2560 Note that the memory access represented by BASE can be either an
2561 SSA_NAME, or a non-SSA expression. LOCATION is the source code
2562 location. IS_STORE is TRUE for a store, FALSE for a load.
2563 BEFORE_P is TRUE for inserting the instrumentation code before
2564 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
2565 for a scalar memory access and FALSE for memory region access.
2566 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
2567 length. ALIGN tells alignment of accessed memory object.
2569 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
2570 memory region have already been instrumented.
2572 If BEFORE_P is TRUE, *ITER is arranged to still point to the
2573 statement it was pointing to prior to calling this function,
2574 otherwise, it points to the statement logically following it. */
2576 static void
2581 {
2594 {
2597 }
2598 else
2599 {
2602 }
2605 {
2610 {
2611 /* On non-strict alignment targets, if
2612 16-byte access is just 8-byte aligned,
2613 this will result in misaligned shadow
2614 memory 2 byte load, but otherwise can
2615 be handled using one read. */
2617 || STRICT_ALIGNMENT
2620 }
2621 }
2632 ? IFN_HWASAN_CHECK
2643 else
2644 {
2648 }
2649 }
2651 /* If T represents a memory access, add instrumentation code before ITER.
2652 LOCATION is source code location.
2653 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
2655 static void
2658 {
2665 HOST_WIDE_INT size_in_bytes;
2671 {
2679 /* FALLTHRU */
2682 }
2689 tree offset;
2690 machine_mode mode;
2697 {
2704 }
2713 poly_int64 decl_size;
2719 {
2722 /* If we're not sanitizing globals and we can tell statically that this
2723 access is inside a global variable, then there's no point adding
2724 instrumentation to check the access. N.b. hwasan currently never
2725 sanitizes globals. */
2730 {
2731 /* Automatic vars in the current function will be always
2732 accessible. */
2737 }
2738 /* Always instrument external vars, they might be dynamically
2739 initialized. */
2741 {
2742 /* For static vars if they are known not to be dynamically
2743 initialized, they will be always accessible. */
2747 }
2748 }
2757 {
2764 }
2766 }
2768 /* Insert a memory reference into the hash table if access length
2769 can be determined in compile time. */
2771 static void
2773 {
2782 }
2784 /* Instrument an access to a contiguous memory region that starts at
2785 the address pointed to by BASE, over a length of LEN (expressed in
2786 the sizeof (*BASE) bytes). ITER points to the instruction before
2787 which the instrumentation instructions must be inserted. LOCATION
2788 is the source location that the instrumentation instructions must
2789 have. If IS_STORE is true, then the memory access is a store;
2790 otherwise, it's a load. */
2792 static void
2796 {
2806 {
2810 }
2814 }
2816 /* Instrument the call to a built-in memory access function that is
2817 pointed to by the iterator ITER.
2819 Upon completion, return TRUE iff *ITER has been advanced to the
2820 statement following the one it was originally pointing to. */
2822 static bool
2824 {
2849 {
2851 {
2855 }
2858 {
2872 }
2873 else
2874 {
2881 }
2882 }
2884 }
2886 /* Instrument the assignment statement ITER if it is subject to
2887 instrumentation. Return TRUE iff instrumentation actually
2888 happened. In that case, the iterator ITER is advanced to the next
2889 logical expression following the one initially pointed to by ITER,
2890 and the relevant memory reference that which access has been
2891 instrumented is added to the memory references hash table. */
2893 static bool
2895 {
2904 {
2909 is_store);
2911 }
2914 {
2919 is_store);
2921 }
2927 }
2929 /* Instrument the function call pointed to by the iterator ITER, if it
2930 is subject to instrumentation. At the moment, the only function
2931 calls that are instrumented are some built-in functions that access
2932 memory. Look at instrument_builtin_call to learn more.
2934 Upon completion return TRUE iff *ITER was advanced to the statement
2935 following the one it was originally pointing to. */
2937 static bool
2939 {
2947 {
2949 {
2952 {
2955 /* Don't instrument these. */
2959 }
2960 }
2961 /* If a function does not return, then we must handle clearing up the
2962 shadow stack accordingly. For ASAN we can simply set the entire stack
2963 to "valid" for accesses by setting the shadow space to 0 and all
2964 accesses will pass checks. That means that some bad accesses may be
2965 missed, but we will not report any false positives.
2967 This is not possible for HWASAN. Since there is no "always valid" tag
2968 we can not set any space to "always valid". If we were to clear the
2969 entire shadow stack then code resuming from `longjmp` or a caught
2970 exception would trigger false positives when correctly accessing
2971 variables on the stack. Hence we need to handle things like
2972 `longjmp`, thread exit, and exceptions in a different way. These
2973 problems must be handled externally to the compiler, e.g. in the
2974 language runtime. */
2976 {
2981 }
2982 }
2986 {
2993 }
2995 /* Walk through gimple_call arguments and check them id needed. */
2998 {
3000 /* If ARG is not a non-aggregate register variable, compiler in general
3001 creates temporary for it and pass it as argument to gimple call.
3002 But in some cases, e.g. when we pass by value a small structure that
3003 fits to register, compiler can avoid extra overhead by pulling out
3004 these temporaries. In this case, we should check the argument. */
3006 {
3011 }
3012 }
3016 }
3018 /* Walk each instruction of all basic block and instrument those that
3019 represent memory references: loads, stores, or function calls.
3020 In a given basic block, this function avoids instrumenting memory
3021 references that have already been instrumented. */
3023 static void
3025 {
3027 gimple_stmt_iterator i;
3031 {
3036 /* Flush the mem ref hash table, if current bb doesn't have
3037 exactly one predecessor, or if that predecessor (skipping
3038 over asan created basic blocks) isn't the last processed
3039 basic block. Thus we effectively flush on extended basic
3040 block boundaries. */
3042 {
3046 }
3052 {
3060 /* Nothing to do as maybe_instrument_assignment advanced
3063 /* Nothing to do as maybe_instrument_call
3065 else
3066 {
3067 /* No instrumentation happened.
3069 If the current instruction is a function call that
3070 might free something, let's forget about the memory
3071 references that got instrumented. Otherwise we might
3072 miss some instrumentation opportunities. Do the same
3073 for a ASAN_MARK poisoning internal function. */
3080 }
3081 }
3082 }
3084 }
3086 /* Build
3087 __asan_before_dynamic_init (module_name)
3088 or
3089 __asan_after_dynamic_init ()
3090 call. */
3092 tree
3094 {
3099 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
3103 {
3104 pretty_printer module_name_pp;
3109 module_name_cst);
3110 }
3113 }
3115 /* Build
3116 struct __asan_global
3117 {
3118 const void *__beg;
3119 uptr __size;
3120 uptr __size_with_redzone;
3121 const void *__name;
3122 const void *__module_name;
3123 uptr __has_dynamic_init;
3124 __asan_global_source_location *__location;
3125 char *__odr_indicator;
3126 } type. */
3128 static tree
3130 {
3140 {
3149 }
3160 }
3162 /* Create and return odr indicator symbol for DECL.
3163 TYPE is __asan_global struct type as returned by asan_global_struct. */
3165 static tree
3167 {
3170 tree decl_name
3173 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
3182 #ifndef NO_DOT_IN_LABEL
3184 #elif !defined(NO_DOLLAR_IN_LABEL)
3186 #endif
3188 char_type_node);
3210 }
3212 /* Return true if DECL, a global var, might be overridden and needs
3213 an additional odr indicator symbol. */
3215 static bool
3217 {
3218 /* Don't emit ODR indicators for kernel because:
3219 a) Kernel is written in C thus doesn't need ODR indicators.
3220 b) Some kernel code may have assumptions about symbols containing specific
3221 patterns in their names. Since ODR indicators contain original names
3222 of symbols they are emitted for, these assumptions would be broken for
3223 ODR indicator symbols. */
3228 }
3230 /* Append description of a single global DECL into vector V.
3231 TYPE is __asan_global struct type as returned by asan_global_struct. */
3233 static void
3235 {
3245 else
3253 {
3268 }
3270 tree odr_indicator_ptr
3286 /* FIXME: Enable initialization order fiasco detection in LTO mode once
3287 proper fix for PR 79061 will be applied. */
3296 {
3306 pretty_printer filename_pp;
3320 }
3321 else
3327 }
3329 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
3330 void
3332 {
3333 tree decl;
3339 tree BT_FN_VOID_PTR
3341 tree BT_FN_VOID_CONST_PTR
3343 tree BT_FN_VOID_PTR_PTR
3346 tree BT_FN_VOID_PTR_PTR_PTR
3349 tree BT_FN_VOID_PTR_PTRMODE
3352 tree BT_FN_VOID_INT
3354 tree BT_FN_SIZE_CONST_PTR_INT
3358 tree BT_FN_VOID_UINT8_UINT8
3361 tree BT_FN_VOID_UINT16_UINT16
3364 tree BT_FN_VOID_UINT32_UINT32
3367 tree BT_FN_VOID_UINT64_UINT64
3370 tree BT_FN_VOID_FLOAT_FLOAT
3373 tree BT_FN_VOID_DOUBLE_DOUBLE
3376 tree BT_FN_VOID_UINT64_PTR
3380 tree BT_FN_PTR_CONST_PTR_UINT8
3383 tree BT_FN_VOID_PTR_UINT8_PTRMODE
3385 unsigned_char_type_node,
3392 tree vptr
3394 TYPE_QUAL_VOLATILE));
3395 tree cvptr
3397 TYPE_QUAL_VOLATILE
3399 tree boolt
3403 {
3408 NULL_TREE);
3413 NULL_TREE);
3417 }
3418 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
3419 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
3420 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
3421 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
3422 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
3423 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
3424 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
3425 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
3426 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
3427 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
3428 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
3429 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
3430 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
3431 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
3432 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
3433 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
3434 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
3435 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
3436 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
3437 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
3438 #undef ATTR_NOTHROW_LIST
3439 #define ATTR_NOTHROW_LIST ECF_NOTHROW
3440 #undef ATTR_NOTHROW_LEAF_LIST
3441 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
3442 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
3443 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
3444 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
3445 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
3446 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3447 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
3448 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
3449 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
3450 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
3451 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
3452 #undef ATTR_COLD_NOTHROW_LEAF_LIST
3453 #define ATTR_COLD_NOTHROW_LEAF_LIST \
3455 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
3456 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
3458 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
3459 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
3461 #undef ATTR_PURE_NOTHROW_LEAF_LIST
3462 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
3463 #undef DEF_BUILTIN_STUB
3464 #define DEF_BUILTIN_STUB(ENUM, NAME)
3465 #undef DEF_SANITIZER_BUILTIN_1
3466 #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \
3467 do { \
3469 BUILT_IN_NORMAL, NAME, NULL_TREE); \
3470 set_call_expr_flags (decl, ATTRS); \
3471 set_builtin_decl (ENUM, decl, true); \
3472 } while (0)
3473 #undef DEF_SANITIZER_BUILTIN
3474 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
3475 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS);
3479 /* -fsanitize=object-size uses __builtin_dynamic_object_size and
3480 __builtin_object_size, but they might not be available for e.g. Fortran at
3481 this point. We use DEF_SANITIZER_BUILTIN here only as a convenience
3482 macro. */
3484 {
3487 BT_FN_SIZE_CONST_PTR_INT,
3488 ATTR_PURE_NOTHROW_LEAF_LIST);
3492 BT_FN_SIZE_CONST_PTR_INT,
3493 ATTR_PURE_NOTHROW_LEAF_LIST);
3494 }
3496 #undef DEF_SANITIZER_BUILTIN_1
3497 #undef DEF_SANITIZER_BUILTIN
3498 #undef DEF_BUILTIN_STUB
3499 }
3501 /* Called via htab_traverse. Count number of emitted
3502 STRING_CSTs in the constant hash table. */
3504 int
3507 {
3514 }
3516 /* Helper structure to pass two parameters to
3517 add_string_csts. */
3519 struct asan_add_string_csts_data
3520 {
3521 tree type;
3523 };
3525 /* Called via hash_table::traverse. Call asan_add_global
3526 on emitted STRING_CSTs from the constant hash table. */
3528 int
3531 {
3536 {
3539 }
3541 }
3543 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
3544 invoke ggc_collect. */
3547 /* Module-level instrumentation.
3548 - Insert __asan_init_vN() into the list of CTORs.
3549 - TODO: insert redzones around globals.
3550 */
3552 void
3554 {
3560 /* Avoid instrumenting code in the asan ctors/dtors.
3561 We don't need to insert padding after the description strings,
3562 nor after .LASAN* array. */
3565 /* For user-space we want asan constructors to run first.
3566 Linux kernel does not support priorities other than default, and the only
3567 other user of constructors is coverage. So we run with the default
3568 priority. */
3573 {
3578 }
3587 {
3596 type);
3624 gcount_tree),
3630 gcount_tree),
3633 }
3637 }
3639 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
3640 on SHADOW address. Newly added statements will be added to ITER with
3641 given location LOC. We mark SIZE bytes in shadow memory, where
3642 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
3643 end of a variable. */
3645 static void
3647 tree shadow,
3651 {
3652 tree shadow_ptr_type;
3655 {
3667 }
3675 {
3680 }
3682 /* Handle last chunk in unpoisoning. */
3691 }
3693 /* Expand the ASAN_MARK builtins. */
3695 bool
3697 {
3707 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
3715 {
3718 /* Here we swap ASAN_MARK calls for HWASAN_MARK.
3719 This is because we are using the approach of using ASAN_MARK as a
3720 synonym until here.
3721 That approach means we don't yet have to duplicate all the special
3722 cases for ASAN_MARK and ASAN_POISON with the exact same handling but
3723 called HWASAN_MARK etc.
3725 N.b. __asan_poison_stack_memory (which implements ASAN_MARK for ASAN)
3726 rounds the size up to its shadow memory granularity, while
3727 __hwasan_tag_memory (which implements the same for HWASAN) does not.
3728 Hence we emit HWASAN_MARK with an aligned size unlike ASAN_MARK. */
3731 HWASAN_TAG_GRANULE_SIZE);
3737 }
3740 {
3744 }
3757 /* Generate direct emission if size_in_bytes is small. */
3760 {
3761 const unsigned HOST_WIDE_INT shadow_size
3763 const unsigned int shadow_align
3770 {
3787 }
3788 }
3789 else
3790 {
3797 tree fun
3803 }
3806 }
3808 /* Expand the ASAN_{LOAD,STORE} builtins. */
3810 bool
3812 {
3819 else
3832 HOST_WIDE_INT size_in_bytes
3836 {
3837 /* Instrument using callbacks. */
3848 else
3849 {
3857 }
3861 }
3871 {
3872 /* So, the length of the memory area to asan-protect is
3873 non-constant. Let's guard the generated instrumentation code
3874 like:
3876 if (len != 0)
3877 {
3878 //asan instrumentation code goes here.
3879 }
3880 // falltrough instructions, starting with *ITER. */
3883 len,
3892 /* Note that fallthrough_bb starts with the statement that was
3893 pointed to by ITER. */
3895 /* The 'then block' of the 'if (len != 0) condition is where
3896 we'll generate the asan instrumentation code now. */
3898 }
3900 /* Get an iterator on the point where we can add the condition
3901 statement for the instrumentation. */
3917 {
3919 shadow_ptr_type);
3921 }
3922 else
3923 {
3924 /* Slow path for 1, 2 and 4 byte accesses. */
3925 /* Test (shadow != 0)
3926 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
3928 shadow_ptr_type);
3932 /* Aligned (>= 8 bytes) can test just
3933 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
3934 to be 0. */
3936 {
3948 }
3949 else
3958 /* For non-constant, misaligned or otherwise weird access sizes,
3959 check first and last byte. */
3961 {
3975 shadow_ptr_type);
3985 shadow));
3993 }
3994 }
4001 /* Generate call to the run-time library (e.g. __asan_report_load8). */
4013 }
4015 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
4016 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
4018 static tree
4021 {
4024 {
4027 copy_body_data id;
4039 }
4040 else
4042 }
4044 /* Expand ASAN_POISON ifn. */
4046 bool
4050 {
4054 {
4057 }
4064 shadow_vars_mapping);
4069 else
4072 gimple *poison_call
4075 ASAN_MARK_POISON),
4079 imm_use_iterator imm_iter;
4081 {
4089 {
4091 /* NOTE: hwasan has no __hwasan_report_* functions like asan does.
4092 We use __hwasan_tag_mismatch4 with arguments that tell it the
4093 size of access and load to report all tag mismatches.
4095 The arguments to this function are:
4096 Address of invalid access.
4097 Bitfield containing information about the access
4098 (access_info)
4099 Pointer to a frame of registers
4100 (for use in printing the contents of registers in a dump)
4101 Not used yet -- to be used by inline instrumentation.
4102 Size of access.
4104 The access_info bitfield encodes the following pieces of
4105 information:
4106 - Is this a store or load?
4107 access_info & 0x10 => store
4108 - Should the program continue after reporting the error?
4109 access_info & 0x20 => recover
4110 - What size access is this (not used here since we can always
4111 pass the size in the last argument)
4113 if (access_info & 0xf == 0xf)
4114 size is taken from last argument.
4115 else
4116 size == 1 << (access_info & 0xf)
4118 The last argument contains the size of the access iff the
4119 access_info size indicator is 0xf (we always use this argument
4120 rather than storing the size in the access_info bitfield).
4122 See the function definition `__hwasan_tag_mismatch4` in
4123 libsanitizer/hwasan for the full definition.
4124 */
4131 access_info),
4133 size);
4134 }
4135 else
4136 {
4141 }
4145 /* The USE can be a gimple PHI node. If so, insert the call on
4146 all edges leading to the PHI node. */
4148 {
4152 {
4155 /* Do not insert on an edge we can't split. */
4165 }
4166 }
4167 else
4168 {
4172 else
4174 }
4175 }
4182 }
4184 /* Instrument the current function. */
4186 static unsigned int
4188 {
4190 {
4193 }
4200 }
4202 static bool
4204 {
4206 }
4211 {
4221 };
4224 {
4228 {}
4230 /* opt_pass methods: */
4233 {
4235 }
4237 {
4239 }
4245 gimple_opt_pass *
4247 {
4249 }
4254 {
4264 };
4267 {
4271 {}
4273 /* opt_pass methods: */
4275 {
4277 }
4279 {
4281 }
4287 gimple_opt_pass *
4289 {
4291 }
4293 /* HWASAN */
4295 /* For stack tagging:
4297 Return the offset from the frame base tag that the "next" expanded object
4298 should have. */
4299 uint8_t
4301 {
4303 }
4305 /* For stack tagging:
4307 Return the 'base pointer' for this function. If that base pointer has not
4308 yet been created then we create a register to hold it and record the insns
4309 to initialize the register in `hwasan_frame_base_init_seq` for later
4310 emission. */
4311 rtx
4313 {
4315 {
4317 hwasan_frame_base_ptr
4320 NULL_RTX));
4323 }
4326 }
4328 /* For stack tagging:
4330 Check whether this RTX is a standard pointer addressing the base of the
4331 stack variables for this frame. Returns true if the RTX is either
4332 virtual_stack_vars_rtx or hwasan_frame_base_ptr. */
4333 bool
4335 {
4337 }
4339 /* For stack tagging:
4341 Emit frame base initialisation.
4342 If hwasan_frame_base has been used before here then
4343 hwasan_frame_base_init_seq contains the sequence of instructions to
4344 initialize it. This must be put just before the hwasan prologue, so we emit
4345 the insns before parm_birth_insn (which will point to the first instruction
4346 of the hwasan prologue if it exists).
4348 We update `parm_birth_insn` to point to the start of this initialisation
4349 since that represents the end of the initialisation done by
4350 expand_function_{start,end} functions and we want to maintain that. */
4351 void
4353 {
4358 }
4360 /* Record a compile-time constant size stack variable that HWASAN will need to
4361 tag. This record of the range of a stack variable will be used by
4362 `hwasan_emit_prologue` to emit the RTL at the start of each frame which will
4363 set tags in the shadow memory according to the assigned tag for each object.
4365 The range that the object spans in stack space should be described by the
4366 bounds `untagged_base + nearest_offset` and
4367 `untagged_base + farthest_offset`.
4368 `tagged_base` is the base address which contains the "base frame tag" for
4369 this frame, and from which the value to address this object with will be
4370 calculated.
4372 We record the `untagged_base` since the functions in the hwasan library we
4373 use to tag memory take pointers without a tag. */
4374 void
4377 {
4378 hwasan_stack_var cur_var;
4386 }
4388 /* Return the RTX representing the farthest extent of the statically allocated
4389 stack objects for this frame. If hwasan_frame_base_ptr has not been
4390 initialized then we are not storing any static variables on the stack in
4391 this frame. In this case we return NULL_RTX to represent that.
4393 Otherwise simply return virtual_stack_vars_rtx + frame_offset. */
4394 rtx
4396 {
4400 }
4402 /* For stack tagging:
4404 Increment the frame tag offset modulo the size a tag can represent. */
4405 void
4407 {
4412 /* The "background tag" of the stack is zero by definition.
4413 This is the tag that objects like parameters passed on the stack and
4414 spilled registers are given. It is handy to avoid this tag for objects
4415 whose tags we decide ourselves, partly to ensure that buffer overruns
4416 can't affect these important variables (e.g. saved link register, saved
4417 stack pointer etc) and partly to make debugging easier (everything with a
4418 tag of zero is space allocated automatically by the compiler).
4420 This is not feasible when using random frame tags (the default
4421 configuration for hwasan) since the tag for the given frame is randomly
4422 chosen at runtime. In order to avoid any tags matching the stack
4423 background we would need to decide tag offsets at runtime instead of
4424 compile time (and pay the resulting performance cost).
4426 When not using random base tags for each frame (i.e. when compiled with
4427 `--param hwasan-random-frame-tag=0`) the base tag for each frame is zero.
4428 This means the tag that each object gets is equal to the
4429 hwasan_frame_tag_offset used in determining it.
4430 When this is the case we *can* ensure no object gets the tag of zero by
4431 simply ensuring no object has the hwasan_frame_tag_offset of zero.
4433 There is the extra complication that we only record the
4434 hwasan_frame_tag_offset here (which is the offset from the tag stored in
4435 the stack pointer). In the kernel, the tag in the stack pointer is 0xff
4436 rather than zero. This does not cause problems since tags of 0xff are
4437 never checked in the kernel. As mentioned at the beginning of this
4438 comment the background tag of the stack is zero by definition, which means
4439 that for the kernel we should skip offsets of both 0 and 1 from the stack
4440 pointer. Avoiding the offset of 0 ensures we use a tag which will be
4441 checked, avoiding the offset of 1 ensures we use a tag that is not the
4442 same as the background. */
4448 }
4450 /* Clear internal state for the next function.
4451 This function is called before variables on the stack get expanded, in
4452 `init_vars_expansion`. */
4453 void
4455 {
4459 /* If this isn't the case then some stack variable was recorded *before*
4460 hwasan_record_frame_init is called, yet *after* the hwasan prologue for
4461 the previous frame was emitted. Such stack variables would not have
4462 their shadow stack filled in. */
4467 /* When not using a random frame tag we can avoid the background stack
4468 color which gives the user a little better debug output upon a crash.
4469 Meanwhile, when using a random frame tag it will be nice to avoid adding
4470 tags for the first object since that is unnecessary extra work.
4471 Hence set the initial hwasan_frame_tag_offset to be 0 if using a random
4472 frame tag and 1 otherwise.
4474 As described in hwasan_increment_frame_tag, in the kernel the stack
4475 pointer has the tag 0xff. That means that to avoid 0xff and 0 (the tag
4476 which the kernel does not check and the background tag respectively) we
4477 start with a tag offset of 2. */
4478 hwasan_frame_tag_offset = param_hwasan_random_frame_tag
4481 }
4483 /* For stack tagging:
4484 (Emits HWASAN equivalent of what is emitted by
4485 `asan_emit_stack_protection`).
4487 Emits the extra prologue code to set the shadow stack as required for HWASAN
4488 stack instrumentation.
4490 Uses the vector of recorded stack variables hwasan_tagged_stack_vars. When
4491 this function has completed hwasan_tagged_stack_vars is empty and all
4492 objects it had pointed to are deallocated. */
4493 void
4495 {
4496 /* We need untagged base pointers since libhwasan only accepts untagged
4497 pointers in __hwasan_tag_memory. We need the tagged base pointer to obtain
4498 the base tag for an offset. */
4505 {
4510 {
4513 }
4514 else
4515 {
4516 /* Given how these values are calculated, one must be known greater
4517 than the other. */
4521 }
4524 /* Assert the edge of each variable is aligned to the HWASAN tag granule
4525 size. */
4538 bot));
4543 }
4544 /* Clear the stack vars, we've emitted the prologue for them all now. */
4546 }
4548 /* For stack tagging:
4550 Return RTL insns to clear the tags between DYNAMIC and VARS pointers
4551 into the stack. These instructions should be emitted at the end of
4552 every function.
4554 If `dynamic` is NULL_RTX then no insns are returned. */
4555 rtx_insn *
4557 {
4566 rtx top_rtx;
4567 rtx bot_rtx;
4569 {
4572 }
4573 else
4574 {
4577 }
4581 OPTAB_DIRECT);
4593 }
4595 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
4596 invoke ggc_collect. */
4599 /* Insert module initialization into this TU. This initialization calls the
4600 initialization code for libhwasan. */
4601 void
4603 {
4604 /* Do not emit constructor initialization for the kernel.
4605 (the kernel has its own initialization already). */
4609 /* Avoid instrumenting code in the hwasan constructors/destructors. */
4616 }
4618 /* For stack tagging:
4620 Truncate `tag` to the number of bits that a tag uses (i.e. to
4621 HWASAN_TAG_SIZE). Store the result in `target` if it's convenient. */
4622 rtx
4624 {
4627 {
4630 QImode);
4634 }
4636 }
4638 /* Construct a function tree for __hwasan_{load,store}{1,2,4,8,16,_n}.
4639 IS_STORE is either 1 (for a store) or 0 (for a load). */
4640 static combined_fn
4643 {
4652 BUILT_IN_HWASAN_LOAD2_NOABORT,
4653 BUILT_IN_HWASAN_LOAD4_NOABORT,
4654 BUILT_IN_HWASAN_LOAD8_NOABORT,
4655 BUILT_IN_HWASAN_LOAD16_NOABORT,
4656 BUILT_IN_HWASAN_LOADN_NOABORT },
4658 BUILT_IN_HWASAN_STORE2_NOABORT,
4659 BUILT_IN_HWASAN_STORE4_NOABORT,
4660 BUILT_IN_HWASAN_STORE8_NOABORT,
4661 BUILT_IN_HWASAN_STORE16_NOABORT,
4662 BUILT_IN_HWASAN_STOREN_NOABORT } } };
4664 {
4667 }
4672 }
4674 /* Expand the HWASAN_{LOAD,STORE} builtins. */
4675 bool
4677 {
4683 else
4695 /* `align` is unused for HWASAN_CHECK, but we pass the argument anyway
4696 since that way the arguments match ASAN_CHECK. */
4697 /* HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3)); */
4699 unsigned HOST_WIDE_INT size_in_bytes
4705 {
4706 /* So, the length of the memory area to hwasan-protect is
4707 non-constant. Let's guard the generated instrumentation code
4708 like:
4710 if (len != 0)
4711 {
4712 // hwasan instrumentation code goes here.
4713 }
4714 // falltrough instructions, starting with *ITER. */
4717 len,
4726 /* Note that fallthrough_bb starts with the statement that was
4727 pointed to by ITER. */
4729 /* The 'then block' of the 'if (len != 0) condition is where
4730 we'll generate the hwasan instrumentation code now. */
4732 }
4739 combined_fn fn
4743 else
4744 {
4749 }
4755 }
4757 /* For stack tagging:
4759 Dummy: the HWASAN_MARK internal function should only ever be in the code
4760 after the sanopt pass. */
4761 bool
4763 {
4765 }
4767 bool
4769 {
4771 }