search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
* lto-partition.c (add_symbol_to_partition_1,
[official-gcc.git] / gcc / asan.c
blob53992a81b189970836022e81338119d40514fdef
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2014 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
11
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "tree.h"
26 #include "hash-table.h"
27 #include "basic-block.h"
28 #include "tree-ssa-alias.h"
29 #include "internal-fn.h"
30 #include "gimple-expr.h"
31 #include "is-a.h"
32 #include "gimple.h"
33 #include "gimplify.h"
34 #include "gimple-iterator.h"
35 #include "calls.h"
36 #include "varasm.h"
37 #include "stor-layout.h"
38 #include "tree-iterator.h"
39 #include "cgraph.h"
40 #include "stringpool.h"
41 #include "tree-ssanames.h"
42 #include "tree-pass.h"
43 #include "asan.h"
44 #include "gimple-pretty-print.h"
45 #include "target.h"
46 #include "expr.h"
47 #include "optabs.h"
48 #include "output.h"
49 #include "tm_p.h"
50 #include "langhooks.h"
51 #include "alloc-pool.h"
52 #include "cfgloop.h"
53 #include "gimple-builder.h"
54 #include "ubsan.h"
55 #include "predict.h"
56 #include "params.h"
57
58 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
59 with <2x slowdown on average.
60
61 The tool consists of two parts:
62 instrumentation module (this file) and a run-time library.
63 The instrumentation module adds a run-time check before every memory insn.
64 For a 8- or 16- byte load accessing address X:
65 ShadowAddr = (X >> 3) + Offset
66 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
67 if (ShadowValue)
68 __asan_report_load8(X);
69 For a load of N bytes (N=1, 2 or 4) from address X:
70 ShadowAddr = (X >> 3) + Offset
71 ShadowValue = *(char*)ShadowAddr;
72 if (ShadowValue)
73 if ((X & 7) + N - 1 > ShadowValue)
74 __asan_report_loadN(X);
75 Stores are instrumented similarly, but using __asan_report_storeN functions.
76 A call too __asan_init_vN() is inserted to the list of module CTORs.
77 N is the version number of the AddressSanitizer API. The changes between the
78 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
79
80 The run-time library redefines malloc (so that redzone are inserted around
81 the allocated memory) and free (so that reuse of free-ed memory is delayed),
82 provides __asan_report* and __asan_init_vN functions.
83
84 Read more:
85 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
86
87 The current implementation supports detection of out-of-bounds and
88 use-after-free in the heap, on the stack and for global variables.
89
90 [Protection of stack variables]
91
92 To understand how detection of out-of-bounds and use-after-free works
93 for stack variables, lets look at this example on x86_64 where the
94 stack grows downward:
95
96 int
97 foo ()
98 {
99 char a[23] = {0};
100 int b[2] = {0};
101
102 a[5] = 1;
103 b[1] = 2;
104
105 return a[5] + b[1];
106 }
107
108 For this function, the stack protected by asan will be organized as
109 follows, from the top of the stack to the bottom:
110
111 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
112
113 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
114 the next slot be 32 bytes aligned; this one is called Partial
115 Redzone; this 32 bytes alignment is an asan constraint]
116
117 Slot 3/ [24 bytes for variable 'a']
118
119 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
120
121 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
122
123 Slot 6/ [8 bytes for variable 'b']
124
125 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
126 'LEFT RedZone']
127
128 The 32 bytes of LEFT red zone at the bottom of the stack can be
129 decomposed as such:
130
131 1/ The first 8 bytes contain a magical asan number that is always
132 0x41B58AB3.
133
134 2/ The following 8 bytes contains a pointer to a string (to be
135 parsed at runtime by the runtime asan library), which format is
136 the following:
137
138 "<function-name> <space> <num-of-variables-on-the-stack>
139 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
140 <length-of-var-in-bytes> ){n} "
141
142 where '(...){n}' means the content inside the parenthesis occurs 'n'
143 times, with 'n' being the number of variables on the stack.
144
145 3/ The following 8 bytes contain the PC of the current function which
146 will be used by the run-time library to print an error message.
147
148 4/ The following 8 bytes are reserved for internal use by the run-time.
149
150 The shadow memory for that stack layout is going to look like this:
151
152 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
153 The F1 byte pattern is a magic number called
154 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
155 the memory for that shadow byte is part of a the LEFT red zone
156 intended to seat at the bottom of the variables on the stack.
157
158 - content of shadow memory 8 bytes for slots 6 and 5:
159 0xF4F4F400. The F4 byte pattern is a magic number
160 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
161 memory region for this shadow byte is a PARTIAL red zone
162 intended to pad a variable A, so that the slot following
163 {A,padding} is 32 bytes aligned.
164
165 Note that the fact that the least significant byte of this
166 shadow memory content is 00 means that 8 bytes of its
167 corresponding memory (which corresponds to the memory of
168 variable 'b') is addressable.
169
170 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
171 The F2 byte pattern is a magic number called
172 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
173 region for this shadow byte is a MIDDLE red zone intended to
174 seat between two 32 aligned slots of {variable,padding}.
175
176 - content of shadow memory 8 bytes for slot 3 and 2:
177 0xF4000000. This represents is the concatenation of
178 variable 'a' and the partial red zone following it, like what we
179 had for variable 'b'. The least significant 3 bytes being 00
180 means that the 3 bytes of variable 'a' are addressable.
181
182 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
183 The F3 byte pattern is a magic number called
184 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
185 region for this shadow byte is a RIGHT red zone intended to seat
186 at the top of the variables of the stack.
187
188 Note that the real variable layout is done in expand_used_vars in
189 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
190 stack variables as well as the different red zones, emits some
191 prologue code to populate the shadow memory as to poison (mark as
192 non-accessible) the regions of the red zones and mark the regions of
193 stack variables as accessible, and emit some epilogue code to
194 un-poison (mark as accessible) the regions of red zones right before
195 the function exits.
196
197 [Protection of global variables]
198
199 The basic idea is to insert a red zone between two global variables
200 and install a constructor function that calls the asan runtime to do
201 the populating of the relevant shadow memory regions at load time.
202
203 So the global variables are laid out as to insert a red zone between
204 them. The size of the red zones is so that each variable starts on a
205 32 bytes boundary.
206
207 Then a constructor function is installed so that, for each global
208 variable, it calls the runtime asan library function
209 __asan_register_globals_with an instance of this type:
210
211 struct __asan_global
212 {
213 // Address of the beginning of the global variable.
214 const void *__beg;
215
216 // Initial size of the global variable.
217 uptr __size;
218
219 // Size of the global variable + size of the red zone. This
220 // size is 32 bytes aligned.
221 uptr __size_with_redzone;
222
223 // Name of the global variable.
224 const void *__name;
225
226 // Name of the module where the global variable is declared.
227 const void *__module_name;
228
229 // 1 if it has dynamic initialization, 0 otherwise.
230 uptr __has_dynamic_init;
231 }
232
233 A destructor function that calls the runtime asan library function
234 _asan_unregister_globals is also installed. */
235
236 alias_set_type asan_shadow_set = -1;
237
238 /* Pointer types to 1 resp. 2 byte integers in shadow memory. A separate
239 alias set is used for all shadow memory accesses. */
240 static GTY(()) tree shadow_ptr_types[2];
241
242 /* Decl for __asan_option_detect_stack_use_after_return. */
243 static GTY(()) tree asan_detect_stack_use_after_return;
244
245 /* Hashtable support for memory references used by gimple
246 statements. */
247
248 /* This type represents a reference to a memory region. */
249 struct asan_mem_ref
250 {
251 /* The expression of the beginning of the memory region. */
252 tree start;
253
254 /* The size of the access (can be 1, 2, 4, 8, 16 for now). */
255 char access_size;
256 };
257
258 static alloc_pool asan_mem_ref_alloc_pool;
259
260 /* This creates the alloc pool used to store the instances of
261 asan_mem_ref that are stored in the hash table asan_mem_ref_ht. */
262
263 static alloc_pool
264 asan_mem_ref_get_alloc_pool ()
265 {
266 if (asan_mem_ref_alloc_pool == NULL)
267 asan_mem_ref_alloc_pool = create_alloc_pool ("asan_mem_ref",
268 sizeof (asan_mem_ref),
269 10);
270 return asan_mem_ref_alloc_pool;
271
272 }
273
274 /* Initializes an instance of asan_mem_ref. */
275
276 static void
277 asan_mem_ref_init (asan_mem_ref *ref, tree start, char access_size)
278 {
279 ref->start = start;
280 ref->access_size = access_size;
281 }
282
283 /* Allocates memory for an instance of asan_mem_ref into the memory
284 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
285 START is the address of (or the expression pointing to) the
286 beginning of memory reference. ACCESS_SIZE is the size of the
287 access to the referenced memory. */
288
289 static asan_mem_ref*
290 asan_mem_ref_new (tree start, char access_size)
291 {
292 asan_mem_ref *ref =
293 (asan_mem_ref *) pool_alloc (asan_mem_ref_get_alloc_pool ());
294
295 asan_mem_ref_init (ref, start, access_size);
296 return ref;
297 }
298
299 /* This builds and returns a pointer to the end of the memory region
300 that starts at START and of length LEN. */
301
302 tree
303 asan_mem_ref_get_end (tree start, tree len)
304 {
305 if (len == NULL_TREE || integer_zerop (len))
306 return start;
307
308 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
309 }
310
311 /* Return a tree expression that represents the end of the referenced
312 memory region. Beware that this function can actually build a new
313 tree expression. */
314
315 tree
316 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
317 {
318 return asan_mem_ref_get_end (ref->start, len);
319 }
320
321 struct asan_mem_ref_hasher
322 : typed_noop_remove <asan_mem_ref>
323 {
324 typedef asan_mem_ref value_type;
325 typedef asan_mem_ref compare_type;
326
327 static inline hashval_t hash (const value_type *);
328 static inline bool equal (const value_type *, const compare_type *);
329 };
330
331 /* Hash a memory reference. */
332
333 inline hashval_t
334 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
335 {
336 hashval_t h = iterative_hash_expr (mem_ref->start, 0);
337 h = iterative_hash_hashval_t (h, mem_ref->access_size);
338 return h;
339 }
340
341 /* Compare two memory references. We accept the length of either
342 memory references to be NULL_TREE. */
343
344 inline bool
345 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
346 const asan_mem_ref *m2)
347 {
348 return (m1->access_size == m2->access_size
349 && operand_equal_p (m1->start, m2->start, 0));
350 }
351
352 static hash_table <asan_mem_ref_hasher> asan_mem_ref_ht;
353
354 /* Returns a reference to the hash table containing memory references.
355 This function ensures that the hash table is created. Note that
356 this hash table is updated by the function
357 update_mem_ref_hash_table. */
358
359 static hash_table <asan_mem_ref_hasher> &
360 get_mem_ref_hash_table ()
361 {
362 if (!asan_mem_ref_ht.is_created ())
363 asan_mem_ref_ht.create (10);
364
365 return asan_mem_ref_ht;
366 }
367
368 /* Clear all entries from the memory references hash table. */
369
370 static void
371 empty_mem_ref_hash_table ()
372 {
373 if (asan_mem_ref_ht.is_created ())
374 asan_mem_ref_ht.empty ();
375 }
376
377 /* Free the memory references hash table. */
378
379 static void
380 free_mem_ref_resources ()
381 {
382 if (asan_mem_ref_ht.is_created ())
383 asan_mem_ref_ht.dispose ();
384
385 if (asan_mem_ref_alloc_pool)
386 {
387 free_alloc_pool (asan_mem_ref_alloc_pool);
388 asan_mem_ref_alloc_pool = NULL;
389 }
390 }
391
392 /* Return true iff the memory reference REF has been instrumented. */
393
394 static bool
395 has_mem_ref_been_instrumented (tree ref, char access_size)
396 {
397 asan_mem_ref r;
398 asan_mem_ref_init (&r, ref, access_size);
399
400 return (get_mem_ref_hash_table ().find (&r) != NULL);
401 }
402
403 /* Return true iff the memory reference REF has been instrumented. */
404
405 static bool
406 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
407 {
408 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
409 }
410
411 /* Return true iff access to memory region starting at REF and of
412 length LEN has been instrumented. */
413
414 static bool
415 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
416 {
417 /* First let's see if the address of the beginning of REF has been
418 instrumented. */
419 if (!has_mem_ref_been_instrumented (ref))
420 return false;
421
422 if (len != 0)
423 {
424 /* Let's see if the end of the region has been instrumented. */
425 if (!has_mem_ref_been_instrumented (asan_mem_ref_get_end (ref, len),
426 ref->access_size))
427 return false;
428 }
429 return true;
430 }
431
432 /* Set REF to the memory reference present in a gimple assignment
433 ASSIGNMENT. Return true upon successful completion, false
434 otherwise. */
435
436 static bool
437 get_mem_ref_of_assignment (const gimple assignment,
438 asan_mem_ref *ref,
439 bool *ref_is_store)
440 {
441 gcc_assert (gimple_assign_single_p (assignment));
442
443 if (gimple_store_p (assignment)
444 && !gimple_clobber_p (assignment))
445 {
446 ref->start = gimple_assign_lhs (assignment);
447 *ref_is_store = true;
448 }
449 else if (gimple_assign_load_p (assignment))
450 {
451 ref->start = gimple_assign_rhs1 (assignment);
452 *ref_is_store = false;
453 }
454 else
455 return false;
456
457 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
458 return true;
459 }
460
461 /* Return the memory references contained in a gimple statement
462 representing a builtin call that has to do with memory access. */
463
464 static bool
465 get_mem_refs_of_builtin_call (const gimple call,
466 asan_mem_ref *src0,
467 tree *src0_len,
468 bool *src0_is_store,
469 asan_mem_ref *src1,
470 tree *src1_len,
471 bool *src1_is_store,
472 asan_mem_ref *dst,
473 tree *dst_len,
474 bool *dst_is_store,
475 bool *dest_is_deref)
476 {
477 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
478
479 tree callee = gimple_call_fndecl (call);
480 tree source0 = NULL_TREE, source1 = NULL_TREE,
481 dest = NULL_TREE, len = NULL_TREE;
482 bool is_store = true, got_reference_p = false;
483 char access_size = 1;
484
485 switch (DECL_FUNCTION_CODE (callee))
486 {
487 /* (s, s, n) style memops. */
488 case BUILT_IN_BCMP:
489 case BUILT_IN_MEMCMP:
490 source0 = gimple_call_arg (call, 0);
491 source1 = gimple_call_arg (call, 1);
492 len = gimple_call_arg (call, 2);
493 break;
494
495 /* (src, dest, n) style memops. */
496 case BUILT_IN_BCOPY:
497 source0 = gimple_call_arg (call, 0);
498 dest = gimple_call_arg (call, 1);
499 len = gimple_call_arg (call, 2);
500 break;
501
502 /* (dest, src, n) style memops. */
503 case BUILT_IN_MEMCPY:
504 case BUILT_IN_MEMCPY_CHK:
505 case BUILT_IN_MEMMOVE:
506 case BUILT_IN_MEMMOVE_CHK:
507 case BUILT_IN_MEMPCPY:
508 case BUILT_IN_MEMPCPY_CHK:
509 dest = gimple_call_arg (call, 0);
510 source0 = gimple_call_arg (call, 1);
511 len = gimple_call_arg (call, 2);
512 break;
513
514 /* (dest, n) style memops. */
515 case BUILT_IN_BZERO:
516 dest = gimple_call_arg (call, 0);
517 len = gimple_call_arg (call, 1);
518 break;
519
520 /* (dest, x, n) style memops*/
521 case BUILT_IN_MEMSET:
522 case BUILT_IN_MEMSET_CHK:
523 dest = gimple_call_arg (call, 0);
524 len = gimple_call_arg (call, 2);
525 break;
526
527 case BUILT_IN_STRLEN:
528 source0 = gimple_call_arg (call, 0);
529 len = gimple_call_lhs (call);
530 break ;
531
532 /* And now the __atomic* and __sync builtins.
533 These are handled differently from the classical memory memory
534 access builtins above. */
535
536 case BUILT_IN_ATOMIC_LOAD_1:
537 case BUILT_IN_ATOMIC_LOAD_2:
538 case BUILT_IN_ATOMIC_LOAD_4:
539 case BUILT_IN_ATOMIC_LOAD_8:
540 case BUILT_IN_ATOMIC_LOAD_16:
541 is_store = false;
542 /* fall through. */
543
544 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
545 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
546 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
547 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
548 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
549
550 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
551 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
552 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
553 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
554 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
555
556 case BUILT_IN_SYNC_FETCH_AND_OR_1:
557 case BUILT_IN_SYNC_FETCH_AND_OR_2:
558 case BUILT_IN_SYNC_FETCH_AND_OR_4:
559 case BUILT_IN_SYNC_FETCH_AND_OR_8:
560 case BUILT_IN_SYNC_FETCH_AND_OR_16:
561
562 case BUILT_IN_SYNC_FETCH_AND_AND_1:
563 case BUILT_IN_SYNC_FETCH_AND_AND_2:
564 case BUILT_IN_SYNC_FETCH_AND_AND_4:
565 case BUILT_IN_SYNC_FETCH_AND_AND_8:
566 case BUILT_IN_SYNC_FETCH_AND_AND_16:
567
568 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
569 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
570 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
571 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
572 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
573
574 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
575 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
576 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
577 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
578
579 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
580 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
581 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
582 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
583 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
584
585 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
586 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
587 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
588 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
589 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
590
591 case BUILT_IN_SYNC_OR_AND_FETCH_1:
592 case BUILT_IN_SYNC_OR_AND_FETCH_2:
593 case BUILT_IN_SYNC_OR_AND_FETCH_4:
594 case BUILT_IN_SYNC_OR_AND_FETCH_8:
595 case BUILT_IN_SYNC_OR_AND_FETCH_16:
596
597 case BUILT_IN_SYNC_AND_AND_FETCH_1:
598 case BUILT_IN_SYNC_AND_AND_FETCH_2:
599 case BUILT_IN_SYNC_AND_AND_FETCH_4:
600 case BUILT_IN_SYNC_AND_AND_FETCH_8:
601 case BUILT_IN_SYNC_AND_AND_FETCH_16:
602
603 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
604 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
605 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
606 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
607 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
608
609 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
610 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
611 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
612 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
613
614 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
615 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
616 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
617 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
618 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
619
620 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
621 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
622 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
623 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
624 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
625
626 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
627 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
628 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
629 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
630 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
631
632 case BUILT_IN_SYNC_LOCK_RELEASE_1:
633 case BUILT_IN_SYNC_LOCK_RELEASE_2:
634 case BUILT_IN_SYNC_LOCK_RELEASE_4:
635 case BUILT_IN_SYNC_LOCK_RELEASE_8:
636 case BUILT_IN_SYNC_LOCK_RELEASE_16:
637
638 case BUILT_IN_ATOMIC_EXCHANGE_1:
639 case BUILT_IN_ATOMIC_EXCHANGE_2:
640 case BUILT_IN_ATOMIC_EXCHANGE_4:
641 case BUILT_IN_ATOMIC_EXCHANGE_8:
642 case BUILT_IN_ATOMIC_EXCHANGE_16:
643
644 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
645 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
646 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
647 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
648 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
649
650 case BUILT_IN_ATOMIC_STORE_1:
651 case BUILT_IN_ATOMIC_STORE_2:
652 case BUILT_IN_ATOMIC_STORE_4:
653 case BUILT_IN_ATOMIC_STORE_8:
654 case BUILT_IN_ATOMIC_STORE_16:
655
656 case BUILT_IN_ATOMIC_ADD_FETCH_1:
657 case BUILT_IN_ATOMIC_ADD_FETCH_2:
658 case BUILT_IN_ATOMIC_ADD_FETCH_4:
659 case BUILT_IN_ATOMIC_ADD_FETCH_8:
660 case BUILT_IN_ATOMIC_ADD_FETCH_16:
661
662 case BUILT_IN_ATOMIC_SUB_FETCH_1:
663 case BUILT_IN_ATOMIC_SUB_FETCH_2:
664 case BUILT_IN_ATOMIC_SUB_FETCH_4:
665 case BUILT_IN_ATOMIC_SUB_FETCH_8:
666 case BUILT_IN_ATOMIC_SUB_FETCH_16:
667
668 case BUILT_IN_ATOMIC_AND_FETCH_1:
669 case BUILT_IN_ATOMIC_AND_FETCH_2:
670 case BUILT_IN_ATOMIC_AND_FETCH_4:
671 case BUILT_IN_ATOMIC_AND_FETCH_8:
672 case BUILT_IN_ATOMIC_AND_FETCH_16:
673
674 case BUILT_IN_ATOMIC_NAND_FETCH_1:
675 case BUILT_IN_ATOMIC_NAND_FETCH_2:
676 case BUILT_IN_ATOMIC_NAND_FETCH_4:
677 case BUILT_IN_ATOMIC_NAND_FETCH_8:
678 case BUILT_IN_ATOMIC_NAND_FETCH_16:
679
680 case BUILT_IN_ATOMIC_XOR_FETCH_1:
681 case BUILT_IN_ATOMIC_XOR_FETCH_2:
682 case BUILT_IN_ATOMIC_XOR_FETCH_4:
683 case BUILT_IN_ATOMIC_XOR_FETCH_8:
684 case BUILT_IN_ATOMIC_XOR_FETCH_16:
685
686 case BUILT_IN_ATOMIC_OR_FETCH_1:
687 case BUILT_IN_ATOMIC_OR_FETCH_2:
688 case BUILT_IN_ATOMIC_OR_FETCH_4:
689 case BUILT_IN_ATOMIC_OR_FETCH_8:
690 case BUILT_IN_ATOMIC_OR_FETCH_16:
691
692 case BUILT_IN_ATOMIC_FETCH_ADD_1:
693 case BUILT_IN_ATOMIC_FETCH_ADD_2:
694 case BUILT_IN_ATOMIC_FETCH_ADD_4:
695 case BUILT_IN_ATOMIC_FETCH_ADD_8:
696 case BUILT_IN_ATOMIC_FETCH_ADD_16:
697
698 case BUILT_IN_ATOMIC_FETCH_SUB_1:
699 case BUILT_IN_ATOMIC_FETCH_SUB_2:
700 case BUILT_IN_ATOMIC_FETCH_SUB_4:
701 case BUILT_IN_ATOMIC_FETCH_SUB_8:
702 case BUILT_IN_ATOMIC_FETCH_SUB_16:
703
704 case BUILT_IN_ATOMIC_FETCH_AND_1:
705 case BUILT_IN_ATOMIC_FETCH_AND_2:
706 case BUILT_IN_ATOMIC_FETCH_AND_4:
707 case BUILT_IN_ATOMIC_FETCH_AND_8:
708 case BUILT_IN_ATOMIC_FETCH_AND_16:
709
710 case BUILT_IN_ATOMIC_FETCH_NAND_1:
711 case BUILT_IN_ATOMIC_FETCH_NAND_2:
712 case BUILT_IN_ATOMIC_FETCH_NAND_4:
713 case BUILT_IN_ATOMIC_FETCH_NAND_8:
714 case BUILT_IN_ATOMIC_FETCH_NAND_16:
715
716 case BUILT_IN_ATOMIC_FETCH_XOR_1:
717 case BUILT_IN_ATOMIC_FETCH_XOR_2:
718 case BUILT_IN_ATOMIC_FETCH_XOR_4:
719 case BUILT_IN_ATOMIC_FETCH_XOR_8:
720 case BUILT_IN_ATOMIC_FETCH_XOR_16:
721
722 case BUILT_IN_ATOMIC_FETCH_OR_1:
723 case BUILT_IN_ATOMIC_FETCH_OR_2:
724 case BUILT_IN_ATOMIC_FETCH_OR_4:
725 case BUILT_IN_ATOMIC_FETCH_OR_8:
726 case BUILT_IN_ATOMIC_FETCH_OR_16:
727 {
728 dest = gimple_call_arg (call, 0);
729 /* DEST represents the address of a memory location.
730 instrument_derefs wants the memory location, so lets
731 dereference the address DEST before handing it to
732 instrument_derefs. */
733 if (TREE_CODE (dest) == ADDR_EXPR)
734 dest = TREE_OPERAND (dest, 0);
735 else if (TREE_CODE (dest) == SSA_NAME || TREE_CODE (dest) == INTEGER_CST)
736 dest = build2 (MEM_REF, TREE_TYPE (TREE_TYPE (dest)),
737 dest, build_int_cst (TREE_TYPE (dest), 0));
738 else
739 gcc_unreachable ();
740
741 access_size = int_size_in_bytes (TREE_TYPE (dest));
742 }
743
744 default:
745 /* The other builtins memory access are not instrumented in this
746 function because they either don't have any length parameter,
747 or their length parameter is just a limit. */
748 break;
749 }
750
751 if (len != NULL_TREE)
752 {
753 if (source0 != NULL_TREE)
754 {
755 src0->start = source0;
756 src0->access_size = access_size;
757 *src0_len = len;
758 *src0_is_store = false;
759 }
760
761 if (source1 != NULL_TREE)
762 {
763 src1->start = source1;
764 src1->access_size = access_size;
765 *src1_len = len;
766 *src1_is_store = false;
767 }
768
769 if (dest != NULL_TREE)
770 {
771 dst->start = dest;
772 dst->access_size = access_size;
773 *dst_len = len;
774 *dst_is_store = true;
775 }
776
777 got_reference_p = true;
778 }
779 else if (dest)
780 {
781 dst->start = dest;
782 dst->access_size = access_size;
783 *dst_len = NULL_TREE;
784 *dst_is_store = is_store;
785 *dest_is_deref = true;
786 got_reference_p = true;
787 }
788
789 return got_reference_p;
790 }
791
792 /* Return true iff a given gimple statement has been instrumented.
793 Note that the statement is "defined" by the memory references it
794 contains. */
795
796 static bool
797 has_stmt_been_instrumented_p (gimple stmt)
798 {
799 if (gimple_assign_single_p (stmt))
800 {
801 bool r_is_store;
802 asan_mem_ref r;
803 asan_mem_ref_init (&r, NULL, 1);
804
805 if (get_mem_ref_of_assignment (stmt, &r, &r_is_store))
806 return has_mem_ref_been_instrumented (&r);
807 }
808 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
809 {
810 asan_mem_ref src0, src1, dest;
811 asan_mem_ref_init (&src0, NULL, 1);
812 asan_mem_ref_init (&src1, NULL, 1);
813 asan_mem_ref_init (&dest, NULL, 1);
814
815 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
816 bool src0_is_store = false, src1_is_store = false,
817 dest_is_store = false, dest_is_deref = false;
818 if (get_mem_refs_of_builtin_call (stmt,
819 &src0, &src0_len, &src0_is_store,
820 &src1, &src1_len, &src1_is_store,
821 &dest, &dest_len, &dest_is_store,
822 &dest_is_deref))
823 {
824 if (src0.start != NULL_TREE
825 && !has_mem_ref_been_instrumented (&src0, src0_len))
826 return false;
827
828 if (src1.start != NULL_TREE
829 && !has_mem_ref_been_instrumented (&src1, src1_len))
830 return false;
831
832 if (dest.start != NULL_TREE
833 && !has_mem_ref_been_instrumented (&dest, dest_len))
834 return false;
835
836 return true;
837 }
838 }
839 return false;
840 }
841
842 /* Insert a memory reference into the hash table. */
843
844 static void
845 update_mem_ref_hash_table (tree ref, char access_size)
846 {
847 hash_table <asan_mem_ref_hasher> ht = get_mem_ref_hash_table ();
848
849 asan_mem_ref r;
850 asan_mem_ref_init (&r, ref, access_size);
851
852 asan_mem_ref **slot = ht.find_slot (&r, INSERT);
853 if (*slot == NULL)
854 *slot = asan_mem_ref_new (ref, access_size);
855 }
856
857 /* Initialize shadow_ptr_types array. */
858
859 static void
860 asan_init_shadow_ptr_types (void)
861 {
862 asan_shadow_set = new_alias_set ();
863 shadow_ptr_types[0] = build_distinct_type_copy (signed_char_type_node);
864 TYPE_ALIAS_SET (shadow_ptr_types[0]) = asan_shadow_set;
865 shadow_ptr_types[0] = build_pointer_type (shadow_ptr_types[0]);
866 shadow_ptr_types[1] = build_distinct_type_copy (short_integer_type_node);
867 TYPE_ALIAS_SET (shadow_ptr_types[1]) = asan_shadow_set;
868 shadow_ptr_types[1] = build_pointer_type (shadow_ptr_types[1]);
869 initialize_sanitizer_builtins ();
870 }
871
872 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
873
874 static tree
875 asan_pp_string (pretty_printer *pp)
876 {
877 const char *buf = pp_formatted_text (pp);
878 size_t len = strlen (buf);
879 tree ret = build_string (len + 1, buf);
880 TREE_TYPE (ret)
881 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
882 build_index_type (size_int (len)));
883 TREE_READONLY (ret) = 1;
884 TREE_STATIC (ret) = 1;
885 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
886 }
887
888 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
889
890 static rtx
891 asan_shadow_cst (unsigned char shadow_bytes[4])
892 {
893 int i;
894 unsigned HOST_WIDE_INT val = 0;
895 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
896 for (i = 0; i < 4; i++)
897 val |= (unsigned HOST_WIDE_INT) shadow_bytes[BYTES_BIG_ENDIAN ? 3 - i : i]
898 << (BITS_PER_UNIT * i);
899 return gen_int_mode (val, SImode);
900 }
901
902 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
903 though. */
904
905 static void
906 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
907 {
908 rtx insn, insns, top_label, end, addr, tmp, jump;
909
910 start_sequence ();
911 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
912 insns = get_insns ();
913 end_sequence ();
914 for (insn = insns; insn; insn = NEXT_INSN (insn))
915 if (CALL_P (insn))
916 break;
917 if (insn == NULL_RTX)
918 {
919 emit_insn (insns);
920 return;
921 }
922
923 gcc_assert ((len & 3) == 0);
924 top_label = gen_label_rtx ();
925 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
926 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
927 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
928 emit_label (top_label);
929
930 emit_move_insn (shadow_mem, const0_rtx);
931 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
932 true, OPTAB_LIB_WIDEN);
933 if (tmp != addr)
934 emit_move_insn (addr, tmp);
935 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
936 jump = get_last_insn ();
937 gcc_assert (JUMP_P (jump));
938 add_int_reg_note (jump, REG_BR_PROB, REG_BR_PROB_BASE * 80 / 100);
939 }
940
941 void
942 asan_function_start (void)
943 {
944 section *fnsec = function_section (current_function_decl);
945 switch_to_section (fnsec);
946 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
947 current_function_funcdef_no);
948 }
949
950 /* Insert code to protect stack vars. The prologue sequence should be emitted
951 directly, epilogue sequence returned. BASE is the register holding the
952 stack base, against which OFFSETS array offsets are relative to, OFFSETS
953 array contains pairs of offsets in reverse order, always the end offset
954 of some gap that needs protection followed by starting offset,
955 and DECLS is an array of representative decls for each var partition.
956 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
957 elements long (OFFSETS include gap before the first variable as well
958 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
959 register which stack vars DECL_RTLs are based on. Either BASE should be
960 assigned to PBASE, when not doing use after return protection, or
961 corresponding address based on __asan_stack_malloc* return value. */
962
963 rtx
964 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
965 HOST_WIDE_INT *offsets, tree *decls, int length)
966 {
967 rtx shadow_base, shadow_mem, ret, mem, orig_base, lab;
968 char buf[30];
969 unsigned char shadow_bytes[4];
970 HOST_WIDE_INT base_offset = offsets[length - 1];
971 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
972 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
973 HOST_WIDE_INT last_offset, last_size;
974 int l;
975 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
976 tree str_cst, decl, id;
977 int use_after_return_class = -1;
978
979 if (shadow_ptr_types[0] == NULL_TREE)
980 asan_init_shadow_ptr_types ();
981
982 /* First of all, prepare the description string. */
983 pretty_printer asan_pp;
984
985 pp_decimal_int (&asan_pp, length / 2 - 1);
986 pp_space (&asan_pp);
987 for (l = length - 2; l; l -= 2)
988 {
989 tree decl = decls[l / 2 - 1];
990 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
991 pp_space (&asan_pp);
992 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
993 pp_space (&asan_pp);
994 if (DECL_P (decl) && DECL_NAME (decl))
995 {
996 pp_decimal_int (&asan_pp, IDENTIFIER_LENGTH (DECL_NAME (decl)));
997 pp_space (&asan_pp);
998 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
999 }
1000 else
1001 pp_string (&asan_pp, "9 <unknown>");
1002 pp_space (&asan_pp);
1003 }
1004 str_cst = asan_pp_string (&asan_pp);
1005
1006 /* Emit the prologue sequence. */
1007 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1008 && ASAN_USE_AFTER_RETURN)
1009 {
1010 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1011 /* __asan_stack_malloc_N guarantees alignment
1012 N < 6 ? (64 << N) : 4096 bytes. */
1013 if (alignb > (use_after_return_class < 6
1014 ? (64U << use_after_return_class) : 4096U))
1015 use_after_return_class = -1;
1016 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1017 base_align_bias = ((asan_frame_size + alignb - 1)
1018 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1019 }
1020 if (use_after_return_class == -1 && pbase)
1021 emit_move_insn (pbase, base);
1022 base = expand_binop (Pmode, add_optab, base,
1023 gen_int_mode (base_offset - base_align_bias, Pmode),
1024 NULL_RTX, 1, OPTAB_DIRECT);
1025 orig_base = NULL_RTX;
1026 if (use_after_return_class != -1)
1027 {
1028 if (asan_detect_stack_use_after_return == NULL_TREE)
1029 {
1030 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1031 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1032 integer_type_node);
1033 SET_DECL_ASSEMBLER_NAME (decl, id);
1034 TREE_ADDRESSABLE (decl) = 1;
1035 DECL_ARTIFICIAL (decl) = 1;
1036 DECL_IGNORED_P (decl) = 1;
1037 DECL_EXTERNAL (decl) = 1;
1038 TREE_STATIC (decl) = 1;
1039 TREE_PUBLIC (decl) = 1;
1040 TREE_USED (decl) = 1;
1041 asan_detect_stack_use_after_return = decl;
1042 }
1043 orig_base = gen_reg_rtx (Pmode);
1044 emit_move_insn (orig_base, base);
1045 ret = expand_normal (asan_detect_stack_use_after_return);
1046 lab = gen_label_rtx ();
1047 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1048 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1049 VOIDmode, 0, lab, very_likely);
1050 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1051 use_after_return_class);
1052 ret = init_one_libfunc (buf);
1053 rtx addr = convert_memory_address (ptr_mode, base);
1054 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode, 2,
1055 GEN_INT (asan_frame_size
1056 + base_align_bias),
1057 TYPE_MODE (pointer_sized_int_node),
1058 addr, ptr_mode);
1059 ret = convert_memory_address (Pmode, ret);
1060 emit_move_insn (base, ret);
1061 emit_label (lab);
1062 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1063 gen_int_mode (base_align_bias
1064 - base_offset, Pmode),
1065 NULL_RTX, 1, OPTAB_DIRECT));
1066 }
1067 mem = gen_rtx_MEM (ptr_mode, base);
1068 mem = adjust_address (mem, VOIDmode, base_align_bias);
1069 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1070 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1071 emit_move_insn (mem, expand_normal (str_cst));
1072 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1073 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1074 id = get_identifier (buf);
1075 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1076 VAR_DECL, id, char_type_node);
1077 SET_DECL_ASSEMBLER_NAME (decl, id);
1078 TREE_ADDRESSABLE (decl) = 1;
1079 TREE_READONLY (decl) = 1;
1080 DECL_ARTIFICIAL (decl) = 1;
1081 DECL_IGNORED_P (decl) = 1;
1082 TREE_STATIC (decl) = 1;
1083 TREE_PUBLIC (decl) = 0;
1084 TREE_USED (decl) = 1;
1085 DECL_INITIAL (decl) = decl;
1086 TREE_ASM_WRITTEN (decl) = 1;
1087 TREE_ASM_WRITTEN (id) = 1;
1088 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
1089 shadow_base = expand_binop (Pmode, lshr_optab, base,
1090 GEN_INT (ASAN_SHADOW_SHIFT),
1091 NULL_RTX, 1, OPTAB_DIRECT);
1092 shadow_base
1093 = plus_constant (Pmode, shadow_base,
1094 targetm.asan_shadow_offset ()
1095 + (base_align_bias >> ASAN_SHADOW_SHIFT));
1096 gcc_assert (asan_shadow_set != -1
1097 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1098 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1099 set_mem_alias_set (shadow_mem, asan_shadow_set);
1100 prev_offset = base_offset;
1101 for (l = length; l; l -= 2)
1102 {
1103 if (l == 2)
1104 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1105 offset = offsets[l - 1];
1106 if ((offset - base_offset) & (ASAN_RED_ZONE_SIZE - 1))
1107 {
1108 int i;
1109 HOST_WIDE_INT aoff
1110 = base_offset + ((offset - base_offset)
1111 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1112 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1113 (aoff - prev_offset)
1114 >> ASAN_SHADOW_SHIFT);
1115 prev_offset = aoff;
1116 for (i = 0; i < 4; i++, aoff += (1 << ASAN_SHADOW_SHIFT))
1117 if (aoff < offset)
1118 {
1119 if (aoff < offset - (1 << ASAN_SHADOW_SHIFT) + 1)
1120 shadow_bytes[i] = 0;
1121 else
1122 shadow_bytes[i] = offset - aoff;
1123 }
1124 else
1125 shadow_bytes[i] = ASAN_STACK_MAGIC_PARTIAL;
1126 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1127 offset = aoff;
1128 }
1129 while (offset <= offsets[l - 2] - ASAN_RED_ZONE_SIZE)
1130 {
1131 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1132 (offset - prev_offset)
1133 >> ASAN_SHADOW_SHIFT);
1134 prev_offset = offset;
1135 memset (shadow_bytes, cur_shadow_byte, 4);
1136 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1137 offset += ASAN_RED_ZONE_SIZE;
1138 }
1139 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1140 }
1141 do_pending_stack_adjust ();
1142
1143 /* Construct epilogue sequence. */
1144 start_sequence ();
1145
1146 lab = NULL_RTX;
1147 if (use_after_return_class != -1)
1148 {
1149 rtx lab2 = gen_label_rtx ();
1150 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
1151 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1152 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
1153 VOIDmode, 0, lab2, very_likely);
1154 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1155 set_mem_alias_set (shadow_mem, asan_shadow_set);
1156 mem = gen_rtx_MEM (ptr_mode, base);
1157 mem = adjust_address (mem, VOIDmode, base_align_bias);
1158 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
1159 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
1160 if (use_after_return_class < 5
1161 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
1162 BITS_PER_UNIT, true))
1163 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
1164 BITS_PER_UNIT, true, 0);
1165 else if (use_after_return_class >= 5
1166 || !set_storage_via_setmem (shadow_mem,
1167 GEN_INT (sz),
1168 gen_int_mode (c, QImode),
1169 BITS_PER_UNIT, BITS_PER_UNIT,
1170 -1, sz, sz, sz))
1171 {
1172 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
1173 use_after_return_class);
1174 ret = init_one_libfunc (buf);
1175 rtx addr = convert_memory_address (ptr_mode, base);
1176 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
1177 emit_library_call (ret, LCT_NORMAL, ptr_mode, 3, addr, ptr_mode,
1178 GEN_INT (asan_frame_size + base_align_bias),
1179 TYPE_MODE (pointer_sized_int_node),
1180 orig_addr, ptr_mode);
1181 }
1182 lab = gen_label_rtx ();
1183 emit_jump (lab);
1184 emit_label (lab2);
1185 }
1186
1187 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1188 set_mem_alias_set (shadow_mem, asan_shadow_set);
1189 prev_offset = base_offset;
1190 last_offset = base_offset;
1191 last_size = 0;
1192 for (l = length; l; l -= 2)
1193 {
1194 offset = base_offset + ((offsets[l - 1] - base_offset)
1195 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1196 if (last_offset + last_size != offset)
1197 {
1198 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1199 (last_offset - prev_offset)
1200 >> ASAN_SHADOW_SHIFT);
1201 prev_offset = last_offset;
1202 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
1203 last_offset = offset;
1204 last_size = 0;
1205 }
1206 last_size += base_offset + ((offsets[l - 2] - base_offset)
1207 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
1208 - offset;
1209 }
1210 if (last_size)
1211 {
1212 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1213 (last_offset - prev_offset)
1214 >> ASAN_SHADOW_SHIFT);
1215 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
1216 }
1217
1218 do_pending_stack_adjust ();
1219 if (lab)
1220 emit_label (lab);
1221
1222 ret = get_insns ();
1223 end_sequence ();
1224 return ret;
1225 }
1226
1227 /* Return true if DECL, a global var, might be overridden and needs
1228 therefore a local alias. */
1229
1230 static bool
1231 asan_needs_local_alias (tree decl)
1232 {
1233 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
1234 }
1235
1236 /* Return true if DECL is a VAR_DECL that should be protected
1237 by Address Sanitizer, by appending a red zone with protected
1238 shadow memory after it and aligning it to at least
1239 ASAN_RED_ZONE_SIZE bytes. */
1240
1241 bool
1242 asan_protect_global (tree decl)
1243 {
1244 if (!ASAN_GLOBALS)
1245 return false;
1246
1247 rtx rtl, symbol;
1248
1249 if (TREE_CODE (decl) == STRING_CST)
1250 {
1251 /* Instrument all STRING_CSTs except those created
1252 by asan_pp_string here. */
1253 if (shadow_ptr_types[0] != NULL_TREE
1254 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
1255 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
1256 return false;
1257 return true;
1258 }
1259 if (TREE_CODE (decl) != VAR_DECL
1260 /* TLS vars aren't statically protectable. */
1261 || DECL_THREAD_LOCAL_P (decl)
1262 /* Externs will be protected elsewhere. */
1263 || DECL_EXTERNAL (decl)
1264 || !DECL_RTL_SET_P (decl)
1265 /* Comdat vars pose an ABI problem, we can't know if
1266 the var that is selected by the linker will have
1267 padding or not. */
1268 || DECL_ONE_ONLY (decl)
1269 /* Similarly for common vars. People can use -fno-common. */
1270 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
1271 /* Don't protect if using user section, often vars placed
1272 into user section from multiple TUs are then assumed
1273 to be an array of such vars, putting padding in there
1274 breaks this assumption. */
1275 || (DECL_SECTION_NAME (decl) != NULL_TREE
1276 && !DECL_HAS_IMPLICIT_SECTION_NAME_P (decl))
1277 || DECL_SIZE (decl) == 0
1278 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
1279 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
1280 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE)
1281 return false;
1282
1283 rtl = DECL_RTL (decl);
1284 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
1285 return false;
1286 symbol = XEXP (rtl, 0);
1287
1288 if (CONSTANT_POOL_ADDRESS_P (symbol)
1289 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
1290 return false;
1291
1292 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
1293 return false;
1294
1295 #ifndef ASM_OUTPUT_DEF
1296 if (asan_needs_local_alias (decl))
1297 return false;
1298 #endif
1299
1300 return true;
1301 }
1302
1303 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16}.
1304 IS_STORE is either 1 (for a store) or 0 (for a load).
1305 SIZE_IN_BYTES is one of 1, 2, 4, 8, 16. */
1306
1307 static tree
1308 report_error_func (bool is_store, int size_in_bytes)
1309 {
1310 static enum built_in_function report[2][5]
1311 = { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
1312 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
1313 BUILT_IN_ASAN_REPORT_LOAD16 },
1314 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
1315 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
1316 BUILT_IN_ASAN_REPORT_STORE16 } };
1317 return builtin_decl_implicit (report[is_store][exact_log2 (size_in_bytes)]);
1318 }
1319
1320 /* Split the current basic block and create a condition statement
1321 insertion point right before or after the statement pointed to by
1322 ITER. Return an iterator to the point at which the caller might
1323 safely insert the condition statement.
1324
1325 THEN_BLOCK must be set to the address of an uninitialized instance
1326 of basic_block. The function will then set *THEN_BLOCK to the
1327 'then block' of the condition statement to be inserted by the
1328 caller.
1329
1330 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1331 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1332
1333 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1334 block' of the condition statement to be inserted by the caller.
1335
1336 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1337 statements starting from *ITER, and *THEN_BLOCK is a new empty
1338 block.
1339
1340 *ITER is adjusted to point to always point to the first statement
1341 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1342 same as what ITER was pointing to prior to calling this function,
1343 if BEFORE_P is true; otherwise, it is its following statement. */
1344
1345 gimple_stmt_iterator
1346 create_cond_insert_point (gimple_stmt_iterator *iter,
1347 bool before_p,
1348 bool then_more_likely_p,
1349 bool create_then_fallthru_edge,
1350 basic_block *then_block,
1351 basic_block *fallthrough_block)
1352 {
1353 gimple_stmt_iterator gsi = *iter;
1354
1355 if (!gsi_end_p (gsi) && before_p)
1356 gsi_prev (&gsi);
1357
1358 basic_block cur_bb = gsi_bb (*iter);
1359
1360 edge e = split_block (cur_bb, gsi_stmt (gsi));
1361
1362 /* Get a hold on the 'condition block', the 'then block' and the
1363 'else block'. */
1364 basic_block cond_bb = e->src;
1365 basic_block fallthru_bb = e->dest;
1366 basic_block then_bb = create_empty_bb (cond_bb);
1367 if (current_loops)
1368 {
1369 add_bb_to_loop (then_bb, cond_bb->loop_father);
1370 loops_state_set (LOOPS_NEED_FIXUP);
1371 }
1372
1373 /* Set up the newly created 'then block'. */
1374 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1375 int fallthrough_probability
1376 = then_more_likely_p
1377 ? PROB_VERY_UNLIKELY
1378 : PROB_ALWAYS - PROB_VERY_UNLIKELY;
1379 e->probability = PROB_ALWAYS - fallthrough_probability;
1380 if (create_then_fallthru_edge)
1381 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1382
1383 /* Set up the fallthrough basic block. */
1384 e = find_edge (cond_bb, fallthru_bb);
1385 e->flags = EDGE_FALSE_VALUE;
1386 e->count = cond_bb->count;
1387 e->probability = fallthrough_probability;
1388
1389 /* Update dominance info for the newly created then_bb; note that
1390 fallthru_bb's dominance info has already been updated by
1391 split_bock. */
1392 if (dom_info_available_p (CDI_DOMINATORS))
1393 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1394
1395 *then_block = then_bb;
1396 *fallthrough_block = fallthru_bb;
1397 *iter = gsi_start_bb (fallthru_bb);
1398
1399 return gsi_last_bb (cond_bb);
1400 }
1401
1402 /* Insert an if condition followed by a 'then block' right before the
1403 statement pointed to by ITER. The fallthrough block -- which is the
1404 else block of the condition as well as the destination of the
1405 outcoming edge of the 'then block' -- starts with the statement
1406 pointed to by ITER.
1407
1408 COND is the condition of the if.
1409
1410 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1411 'then block' is higher than the probability of the edge to the
1412 fallthrough block.
1413
1414 Upon completion of the function, *THEN_BB is set to the newly
1415 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1416 fallthrough block.
1417
1418 *ITER is adjusted to still point to the same statement it was
1419 pointing to initially. */
1420
1421 static void
1422 insert_if_then_before_iter (gimple cond,
1423 gimple_stmt_iterator *iter,
1424 bool then_more_likely_p,
1425 basic_block *then_bb,
1426 basic_block *fallthrough_bb)
1427 {
1428 gimple_stmt_iterator cond_insert_point =
1429 create_cond_insert_point (iter,
1430 /*before_p=*/true,
1431 then_more_likely_p,
1432 /*create_then_fallthru_edge=*/true,
1433 then_bb,
1434 fallthrough_bb);
1435 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
1436 }
1437
1438 /* Instrument the memory access instruction BASE. Insert new
1439 statements before or after ITER.
1440
1441 Note that the memory access represented by BASE can be either an
1442 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1443 location. IS_STORE is TRUE for a store, FALSE for a load.
1444 BEFORE_P is TRUE for inserting the instrumentation code before
1445 ITER, FALSE for inserting it after ITER. SIZE_IN_BYTES is one of
1446 1, 2, 4, 8, 16.
1447
1448 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1449 statement it was pointing to prior to calling this function,
1450 otherwise, it points to the statement logically following it. */
1451
1452 static void
1453 build_check_stmt (location_t location, tree base, gimple_stmt_iterator *iter,
1454 bool before_p, bool is_store, int size_in_bytes)
1455 {
1456 gimple_stmt_iterator gsi;
1457 basic_block then_bb, else_bb;
1458 tree t, base_addr, shadow;
1459 gimple g;
1460 tree shadow_ptr_type = shadow_ptr_types[size_in_bytes == 16 ? 1 : 0];
1461 tree shadow_type = TREE_TYPE (shadow_ptr_type);
1462 tree uintptr_type
1463 = build_nonstandard_integer_type (TYPE_PRECISION (TREE_TYPE (base)), 1);
1464 tree base_ssa = base;
1465
1466 /* Get an iterator on the point where we can add the condition
1467 statement for the instrumentation. */
1468 gsi = create_cond_insert_point (iter, before_p,
1469 /*then_more_likely_p=*/false,
1470 /*create_then_fallthru_edge=*/false,
1471 &then_bb,
1472 &else_bb);
1473
1474 base = unshare_expr (base);
1475
1476 /* BASE can already be an SSA_NAME; in that case, do not create a
1477 new SSA_NAME for it. */
1478 if (TREE_CODE (base) != SSA_NAME)
1479 {
1480 g = gimple_build_assign_with_ops (TREE_CODE (base),
1481 make_ssa_name (TREE_TYPE (base), NULL),
1482 base, NULL_TREE);
1483 gimple_set_location (g, location);
1484 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1485 base_ssa = gimple_assign_lhs (g);
1486 }
1487
1488 g = gimple_build_assign_with_ops (NOP_EXPR,
1489 make_ssa_name (uintptr_type, NULL),
1490 base_ssa, NULL_TREE);
1491 gimple_set_location (g, location);
1492 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1493 base_addr = gimple_assign_lhs (g);
1494
1495 /* Build
1496 (base_addr >> ASAN_SHADOW_SHIFT) + targetm.asan_shadow_offset (). */
1497
1498 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
1499 g = gimple_build_assign_with_ops (RSHIFT_EXPR,
1500 make_ssa_name (uintptr_type, NULL),
1501 base_addr, t);
1502 gimple_set_location (g, location);
1503 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1504
1505 t = build_int_cst (uintptr_type, targetm.asan_shadow_offset ());
1506 g = gimple_build_assign_with_ops (PLUS_EXPR,
1507 make_ssa_name (uintptr_type, NULL),
1508 gimple_assign_lhs (g), t);
1509 gimple_set_location (g, location);
1510 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1511
1512 g = gimple_build_assign_with_ops (NOP_EXPR,
1513 make_ssa_name (shadow_ptr_type, NULL),
1514 gimple_assign_lhs (g), NULL_TREE);
1515 gimple_set_location (g, location);
1516 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1517
1518 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
1519 build_int_cst (shadow_ptr_type, 0));
1520 g = gimple_build_assign_with_ops (MEM_REF,
1521 make_ssa_name (shadow_type, NULL),
1522 t, NULL_TREE);
1523 gimple_set_location (g, location);
1524 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1525 shadow = gimple_assign_lhs (g);
1526
1527 if (size_in_bytes < 8)
1528 {
1529 /* Slow path for 1, 2 and 4 byte accesses.
1530 Test (shadow != 0)
1531 & ((base_addr & 7) + (size_in_bytes - 1)) >= shadow). */
1532 gimple_seq seq = NULL;
1533 gimple shadow_test = build_assign (NE_EXPR, shadow, 0);
1534 gimple_seq_add_stmt (&seq, shadow_test);
1535 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, base_addr, 7));
1536 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
1537 gimple_seq_last (seq)));
1538 if (size_in_bytes > 1)
1539 gimple_seq_add_stmt (&seq,
1540 build_assign (PLUS_EXPR, gimple_seq_last (seq),
1541 size_in_bytes - 1));
1542 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, gimple_seq_last (seq),
1543 shadow));
1544 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
1545 gimple_seq_last (seq)));
1546 t = gimple_assign_lhs (gimple_seq_last (seq));
1547 gimple_seq_set_location (seq, location);
1548 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
1549 }
1550 else
1551 t = shadow;
1552
1553 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
1554 NULL_TREE, NULL_TREE);
1555 gimple_set_location (g, location);
1556 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1557
1558 /* Generate call to the run-time library (e.g. __asan_report_load8). */
1559 gsi = gsi_start_bb (then_bb);
1560 g = gimple_build_call (report_error_func (is_store, size_in_bytes),
1561 1, base_addr);
1562 gimple_set_location (g, location);
1563 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1564
1565 *iter = gsi_start_bb (else_bb);
1566 }
1567
1568 /* If T represents a memory access, add instrumentation code before ITER.
1569 LOCATION is source code location.
1570 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
1571
1572 static void
1573 instrument_derefs (gimple_stmt_iterator *iter, tree t,
1574 location_t location, bool is_store)
1575 {
1576 if (is_store && !ASAN_INSTRUMENT_WRITES)
1577 return;
1578 if (!is_store && !ASAN_INSTRUMENT_READS)
1579 return;
1580
1581 tree type, base;
1582 HOST_WIDE_INT size_in_bytes;
1583
1584 type = TREE_TYPE (t);
1585 switch (TREE_CODE (t))
1586 {
1587 case ARRAY_REF:
1588 case COMPONENT_REF:
1589 case INDIRECT_REF:
1590 case MEM_REF:
1591 case VAR_DECL:
1592 break;
1593 /* FALLTHRU */
1594 default:
1595 return;
1596 }
1597
1598 size_in_bytes = int_size_in_bytes (type);
1599 if ((size_in_bytes & (size_in_bytes - 1)) != 0
1600 || (unsigned HOST_WIDE_INT) size_in_bytes - 1 >= 16)
1601 return;
1602
1603 HOST_WIDE_INT bitsize, bitpos;
1604 tree offset;
1605 enum machine_mode mode;
1606 int volatilep = 0, unsignedp = 0;
1607 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset,
1608 &mode, &unsignedp, &volatilep, false);
1609 if (bitpos % (size_in_bytes * BITS_PER_UNIT)
1610 || bitsize != size_in_bytes * BITS_PER_UNIT)
1611 {
1612 if (TREE_CODE (t) == COMPONENT_REF
1613 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
1614 {
1615 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
1616 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
1617 TREE_OPERAND (t, 0), repr,
1618 NULL_TREE), location, is_store);
1619 }
1620 return;
1621 }
1622
1623 if (TREE_CODE (inner) == VAR_DECL
1624 && offset == NULL_TREE
1625 && bitpos >= 0
1626 && DECL_SIZE (inner)
1627 && tree_fits_shwi_p (DECL_SIZE (inner))
1628 && bitpos + bitsize <= tree_to_shwi (DECL_SIZE (inner)))
1629 {
1630 if (DECL_THREAD_LOCAL_P (inner))
1631 return;
1632 if (!TREE_STATIC (inner))
1633 {
1634 /* Automatic vars in the current function will be always
1635 accessible. */
1636 if (decl_function_context (inner) == current_function_decl)
1637 return;
1638 }
1639 /* Always instrument external vars, they might be dynamically
1640 initialized. */
1641 else if (!DECL_EXTERNAL (inner))
1642 {
1643 /* For static vars if they are known not to be dynamically
1644 initialized, they will be always accessible. */
1645 varpool_node *vnode = varpool_get_node (inner);
1646 if (vnode && !vnode->dynamically_initialized)
1647 return;
1648 }
1649 }
1650
1651 base = build_fold_addr_expr (t);
1652 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
1653 {
1654 build_check_stmt (location, base, iter, /*before_p=*/true,
1655 is_store, size_in_bytes);
1656 update_mem_ref_hash_table (base, size_in_bytes);
1657 update_mem_ref_hash_table (t, size_in_bytes);
1658 }
1659
1660 }
1661
1662 /* Instrument an access to a contiguous memory region that starts at
1663 the address pointed to by BASE, over a length of LEN (expressed in
1664 the sizeof (*BASE) bytes). ITER points to the instruction before
1665 which the instrumentation instructions must be inserted. LOCATION
1666 is the source location that the instrumentation instructions must
1667 have. If IS_STORE is true, then the memory access is a store;
1668 otherwise, it's a load. */
1669
1670 static void
1671 instrument_mem_region_access (tree base, tree len,
1672 gimple_stmt_iterator *iter,
1673 location_t location, bool is_store)
1674 {
1675 if (!POINTER_TYPE_P (TREE_TYPE (base))
1676 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
1677 || integer_zerop (len))
1678 return;
1679
1680 gimple_stmt_iterator gsi = *iter;
1681
1682 basic_block fallthrough_bb = NULL, then_bb = NULL;
1683
1684 /* If the beginning of the memory region has already been
1685 instrumented, do not instrument it. */
1686 bool start_instrumented = has_mem_ref_been_instrumented (base, 1);
1687
1688 /* If the end of the memory region has already been instrumented, do
1689 not instrument it. */
1690 tree end = asan_mem_ref_get_end (base, len);
1691 bool end_instrumented = has_mem_ref_been_instrumented (end, 1);
1692
1693 if (start_instrumented && end_instrumented)
1694 return;
1695
1696 if (!is_gimple_constant (len))
1697 {
1698 /* So, the length of the memory area to asan-protect is
1699 non-constant. Let's guard the generated instrumentation code
1700 like:
1701
1702 if (len != 0)
1703 {
1704 //asan instrumentation code goes here.
1705 }
1706 // falltrough instructions, starting with *ITER. */
1707
1708 gimple g = gimple_build_cond (NE_EXPR,
1709 len,
1710 build_int_cst (TREE_TYPE (len), 0),
1711 NULL_TREE, NULL_TREE);
1712 gimple_set_location (g, location);
1713 insert_if_then_before_iter (g, iter, /*then_more_likely_p=*/true,
1714 &then_bb, &fallthrough_bb);
1715 /* Note that fallthrough_bb starts with the statement that was
1716 pointed to by ITER. */
1717
1718 /* The 'then block' of the 'if (len != 0) condition is where
1719 we'll generate the asan instrumentation code now. */
1720 gsi = gsi_last_bb (then_bb);
1721 }
1722
1723 if (!start_instrumented)
1724 {
1725 /* Instrument the beginning of the memory region to be accessed,
1726 and arrange for the rest of the intrumentation code to be
1727 inserted in the then block *after* the current gsi. */
1728 build_check_stmt (location, base, &gsi, /*before_p=*/true, is_store, 1);
1729
1730 if (then_bb)
1731 /* We are in the case where the length of the region is not
1732 constant; so instrumentation code is being generated in the
1733 'then block' of the 'if (len != 0) condition. Let's arrange
1734 for the subsequent instrumentation statements to go in the
1735 'then block'. */
1736 gsi = gsi_last_bb (then_bb);
1737 else
1738 {
1739 *iter = gsi;
1740 /* Don't remember this access as instrumented, if length
1741 is unknown. It might be zero and not being actually
1742 instrumented, so we can't rely on it being instrumented. */
1743 update_mem_ref_hash_table (base, 1);
1744 }
1745 }
1746
1747 if (end_instrumented)
1748 return;
1749
1750 /* We want to instrument the access at the end of the memory region,
1751 which is at (base + len - 1). */
1752
1753 /* offset = len - 1; */
1754 len = unshare_expr (len);
1755 tree offset;
1756 gimple_seq seq = NULL;
1757 if (TREE_CODE (len) == INTEGER_CST)
1758 offset = fold_build2 (MINUS_EXPR, size_type_node,
1759 fold_convert (size_type_node, len),
1760 build_int_cst (size_type_node, 1));
1761 else
1762 {
1763 gimple g;
1764 tree t;
1765
1766 if (TREE_CODE (len) != SSA_NAME)
1767 {
1768 t = make_ssa_name (TREE_TYPE (len), NULL);
1769 g = gimple_build_assign_with_ops (TREE_CODE (len), t, len, NULL);
1770 gimple_set_location (g, location);
1771 gimple_seq_add_stmt_without_update (&seq, g);
1772 len = t;
1773 }
1774 if (!useless_type_conversion_p (size_type_node, TREE_TYPE (len)))
1775 {
1776 t = make_ssa_name (size_type_node, NULL);
1777 g = gimple_build_assign_with_ops (NOP_EXPR, t, len, NULL);
1778 gimple_set_location (g, location);
1779 gimple_seq_add_stmt_without_update (&seq, g);
1780 len = t;
1781 }
1782
1783 t = make_ssa_name (size_type_node, NULL);
1784 g = gimple_build_assign_with_ops (MINUS_EXPR, t, len,
1785 build_int_cst (size_type_node, 1));
1786 gimple_set_location (g, location);
1787 gimple_seq_add_stmt_without_update (&seq, g);
1788 offset = gimple_assign_lhs (g);
1789 }
1790
1791 /* _1 = base; */
1792 base = unshare_expr (base);
1793 gimple region_end =
1794 gimple_build_assign_with_ops (TREE_CODE (base),
1795 make_ssa_name (TREE_TYPE (base), NULL),
1796 base, NULL);
1797 gimple_set_location (region_end, location);
1798 gimple_seq_add_stmt_without_update (&seq, region_end);
1799
1800 /* _2 = _1 + offset; */
1801 region_end =
1802 gimple_build_assign_with_ops (POINTER_PLUS_EXPR,
1803 make_ssa_name (TREE_TYPE (base), NULL),
1804 gimple_assign_lhs (region_end),
1805 offset);
1806 gimple_set_location (region_end, location);
1807 gimple_seq_add_stmt_without_update (&seq, region_end);
1808 gsi_insert_seq_before (&gsi, seq, GSI_SAME_STMT);
1809
1810 /* instrument access at _2; */
1811 gsi = gsi_for_stmt (region_end);
1812 build_check_stmt (location, gimple_assign_lhs (region_end),
1813 &gsi, /*before_p=*/false, is_store, 1);
1814
1815 if (then_bb == NULL)
1816 update_mem_ref_hash_table (end, 1);
1817
1818 *iter = gsi_for_stmt (gsi_stmt (*iter));
1819 }
1820
1821 /* Instrument the call (to the builtin strlen function) pointed to by
1822 ITER.
1823
1824 This function instruments the access to the first byte of the
1825 argument, right before the call. After the call it instruments the
1826 access to the last byte of the argument; it uses the result of the
1827 call to deduce the offset of that last byte.
1828
1829 Upon completion, iff the call has actually been instrumented, this
1830 function returns TRUE and *ITER points to the statement logically
1831 following the built-in strlen function call *ITER was initially
1832 pointing to. Otherwise, the function returns FALSE and *ITER
1833 remains unchanged. */
1834
1835 static bool
1836 instrument_strlen_call (gimple_stmt_iterator *iter)
1837 {
1838 gimple call = gsi_stmt (*iter);
1839 gcc_assert (is_gimple_call (call));
1840
1841 tree callee = gimple_call_fndecl (call);
1842 gcc_assert (is_builtin_fn (callee)
1843 && DECL_BUILT_IN_CLASS (callee) == BUILT_IN_NORMAL
1844 && DECL_FUNCTION_CODE (callee) == BUILT_IN_STRLEN);
1845
1846 tree len = gimple_call_lhs (call);
1847 if (len == NULL)
1848 /* Some passes might clear the return value of the strlen call;
1849 bail out in that case. Return FALSE as we are not advancing
1850 *ITER. */
1851 return false;
1852 gcc_assert (INTEGRAL_TYPE_P (TREE_TYPE (len)));
1853
1854 location_t loc = gimple_location (call);
1855 tree str_arg = gimple_call_arg (call, 0);
1856
1857 /* Instrument the access to the first byte of str_arg. i.e:
1858
1859 _1 = str_arg; instrument (_1); */
1860 tree cptr_type = build_pointer_type (char_type_node);
1861 gimple str_arg_ssa =
1862 gimple_build_assign_with_ops (NOP_EXPR,
1863 make_ssa_name (cptr_type, NULL),
1864 str_arg, NULL);
1865 gimple_set_location (str_arg_ssa, loc);
1866 gimple_stmt_iterator gsi = *iter;
1867 gsi_insert_before (&gsi, str_arg_ssa, GSI_NEW_STMT);
1868 build_check_stmt (loc, gimple_assign_lhs (str_arg_ssa), &gsi,
1869 /*before_p=*/false, /*is_store=*/false, 1);
1870
1871 /* If we initially had an instruction like:
1872
1873 int n = strlen (str)
1874
1875 we now want to instrument the access to str[n], after the
1876 instruction above.*/
1877
1878 /* So let's build the access to str[n] that is, access through the
1879 pointer_plus expr: (_1 + len). */
1880 gimple stmt =
1881 gimple_build_assign_with_ops (POINTER_PLUS_EXPR,
1882 make_ssa_name (cptr_type, NULL),
1883 gimple_assign_lhs (str_arg_ssa),
1884 len);
1885 gimple_set_location (stmt, loc);
1886 gsi_insert_after (&gsi, stmt, GSI_NEW_STMT);
1887
1888 build_check_stmt (loc, gimple_assign_lhs (stmt), &gsi,
1889 /*before_p=*/false, /*is_store=*/false, 1);
1890
1891 /* Ensure that iter points to the statement logically following the
1892 one it was initially pointing to. */
1893 *iter = gsi;
1894 /* As *ITER has been advanced to point to the next statement, let's
1895 return true to inform transform_statements that it shouldn't
1896 advance *ITER anymore; otherwises it will skip that next
1897 statement, which wouldn't be instrumented. */
1898 return true;
1899 }
1900
1901 /* Instrument the call to a built-in memory access function that is
1902 pointed to by the iterator ITER.
1903
1904 Upon completion, return TRUE iff *ITER has been advanced to the
1905 statement following the one it was originally pointing to. */
1906
1907 static bool
1908 instrument_builtin_call (gimple_stmt_iterator *iter)
1909 {
1910 if (!ASAN_MEMINTRIN)
1911 return false;
1912
1913 bool iter_advanced_p = false;
1914 gimple call = gsi_stmt (*iter);
1915
1916 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
1917
1918 tree callee = gimple_call_fndecl (call);
1919 location_t loc = gimple_location (call);
1920
1921 if (DECL_FUNCTION_CODE (callee) == BUILT_IN_STRLEN)
1922 iter_advanced_p = instrument_strlen_call (iter);
1923 else
1924 {
1925 asan_mem_ref src0, src1, dest;
1926 asan_mem_ref_init (&src0, NULL, 1);
1927 asan_mem_ref_init (&src1, NULL, 1);
1928 asan_mem_ref_init (&dest, NULL, 1);
1929
1930 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1931 bool src0_is_store = false, src1_is_store = false,
1932 dest_is_store = false, dest_is_deref = false;
1933
1934 if (get_mem_refs_of_builtin_call (call,
1935 &src0, &src0_len, &src0_is_store,
1936 &src1, &src1_len, &src1_is_store,
1937 &dest, &dest_len, &dest_is_store,
1938 &dest_is_deref))
1939 {
1940 if (dest_is_deref)
1941 {
1942 instrument_derefs (iter, dest.start, loc, dest_is_store);
1943 gsi_next (iter);
1944 iter_advanced_p = true;
1945 }
1946 else if (src0_len || src1_len || dest_len)
1947 {
1948 if (src0.start != NULL_TREE)
1949 instrument_mem_region_access (src0.start, src0_len,
1950 iter, loc, /*is_store=*/false);
1951 if (src1.start != NULL_TREE)
1952 instrument_mem_region_access (src1.start, src1_len,
1953 iter, loc, /*is_store=*/false);
1954 if (dest.start != NULL_TREE)
1955 instrument_mem_region_access (dest.start, dest_len,
1956 iter, loc, /*is_store=*/true);
1957 *iter = gsi_for_stmt (call);
1958 gsi_next (iter);
1959 iter_advanced_p = true;
1960 }
1961 }
1962 }
1963 return iter_advanced_p;
1964 }
1965
1966 /* Instrument the assignment statement ITER if it is subject to
1967 instrumentation. Return TRUE iff instrumentation actually
1968 happened. In that case, the iterator ITER is advanced to the next
1969 logical expression following the one initially pointed to by ITER,
1970 and the relevant memory reference that which access has been
1971 instrumented is added to the memory references hash table. */
1972
1973 static bool
1974 maybe_instrument_assignment (gimple_stmt_iterator *iter)
1975 {
1976 gimple s = gsi_stmt (*iter);
1977
1978 gcc_assert (gimple_assign_single_p (s));
1979
1980 tree ref_expr = NULL_TREE;
1981 bool is_store, is_instrumented = false;
1982
1983 if (gimple_store_p (s))
1984 {
1985 ref_expr = gimple_assign_lhs (s);
1986 is_store = true;
1987 instrument_derefs (iter, ref_expr,
1988 gimple_location (s),
1989 is_store);
1990 is_instrumented = true;
1991 }
1992
1993 if (gimple_assign_load_p (s))
1994 {
1995 ref_expr = gimple_assign_rhs1 (s);
1996 is_store = false;
1997 instrument_derefs (iter, ref_expr,
1998 gimple_location (s),
1999 is_store);
2000 is_instrumented = true;
2001 }
2002
2003 if (is_instrumented)
2004 gsi_next (iter);
2005
2006 return is_instrumented;
2007 }
2008
2009 /* Instrument the function call pointed to by the iterator ITER, if it
2010 is subject to instrumentation. At the moment, the only function
2011 calls that are instrumented are some built-in functions that access
2012 memory. Look at instrument_builtin_call to learn more.
2013
2014 Upon completion return TRUE iff *ITER was advanced to the statement
2015 following the one it was originally pointing to. */
2016
2017 static bool
2018 maybe_instrument_call (gimple_stmt_iterator *iter)
2019 {
2020 gimple stmt = gsi_stmt (*iter);
2021 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2022
2023 if (is_builtin && instrument_builtin_call (iter))
2024 return true;
2025
2026 if (gimple_call_noreturn_p (stmt))
2027 {
2028 if (is_builtin)
2029 {
2030 tree callee = gimple_call_fndecl (stmt);
2031 switch (DECL_FUNCTION_CODE (callee))
2032 {
2033 case BUILT_IN_UNREACHABLE:
2034 case BUILT_IN_TRAP:
2035 /* Don't instrument these. */
2036 return false;
2037 }
2038 }
2039 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
2040 gimple g = gimple_build_call (decl, 0);
2041 gimple_set_location (g, gimple_location (stmt));
2042 gsi_insert_before (iter, g, GSI_SAME_STMT);
2043 }
2044 return false;
2045 }
2046
2047 /* Walk each instruction of all basic block and instrument those that
2048 represent memory references: loads, stores, or function calls.
2049 In a given basic block, this function avoids instrumenting memory
2050 references that have already been instrumented. */
2051
2052 static void
2053 transform_statements (void)
2054 {
2055 basic_block bb, last_bb = NULL;
2056 gimple_stmt_iterator i;
2057 int saved_last_basic_block = last_basic_block_for_fn (cfun);
2058
2059 FOR_EACH_BB_FN (bb, cfun)
2060 {
2061 basic_block prev_bb = bb;
2062
2063 if (bb->index >= saved_last_basic_block) continue;
2064
2065 /* Flush the mem ref hash table, if current bb doesn't have
2066 exactly one predecessor, or if that predecessor (skipping
2067 over asan created basic blocks) isn't the last processed
2068 basic block. Thus we effectively flush on extended basic
2069 block boundaries. */
2070 while (single_pred_p (prev_bb))
2071 {
2072 prev_bb = single_pred (prev_bb);
2073 if (prev_bb->index < saved_last_basic_block)
2074 break;
2075 }
2076 if (prev_bb != last_bb)
2077 empty_mem_ref_hash_table ();
2078 last_bb = bb;
2079
2080 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
2081 {
2082 gimple s = gsi_stmt (i);
2083
2084 if (has_stmt_been_instrumented_p (s))
2085 gsi_next (&i);
2086 else if (gimple_assign_single_p (s)
2087 && maybe_instrument_assignment (&i))
2088 /* Nothing to do as maybe_instrument_assignment advanced
2089 the iterator I. */;
2090 else if (is_gimple_call (s) && maybe_instrument_call (&i))
2091 /* Nothing to do as maybe_instrument_call
2092 advanced the iterator I. */;
2093 else
2094 {
2095 /* No instrumentation happened.
2096
2097 If the current instruction is a function call that
2098 might free something, let's forget about the memory
2099 references that got instrumented. Otherwise we might
2100 miss some instrumentation opportunities. */
2101 if (is_gimple_call (s) && !nonfreeing_call_p (s))
2102 empty_mem_ref_hash_table ();
2103
2104 gsi_next (&i);
2105 }
2106 }
2107 }
2108 free_mem_ref_resources ();
2109 }
2110
2111 /* Build
2112 __asan_before_dynamic_init (module_name)
2113 or
2114 __asan_after_dynamic_init ()
2115 call. */
2116
2117 tree
2118 asan_dynamic_init_call (bool after_p)
2119 {
2120 tree fn = builtin_decl_implicit (after_p
2121 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
2122 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
2123 tree module_name_cst = NULL_TREE;
2124 if (!after_p)
2125 {
2126 pretty_printer module_name_pp;
2127 pp_string (&module_name_pp, main_input_filename);
2128
2129 if (shadow_ptr_types[0] == NULL_TREE)
2130 asan_init_shadow_ptr_types ();
2131 module_name_cst = asan_pp_string (&module_name_pp);
2132 module_name_cst = fold_convert (const_ptr_type_node,
2133 module_name_cst);
2134 }
2135
2136 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
2137 }
2138
2139 /* Build
2140 struct __asan_global
2141 {
2142 const void *__beg;
2143 uptr __size;
2144 uptr __size_with_redzone;
2145 const void *__name;
2146 const void *__module_name;
2147 uptr __has_dynamic_init;
2148 } type. */
2149
2150 static tree
2151 asan_global_struct (void)
2152 {
2153 static const char *field_names[6]
2154 = { "__beg", "__size", "__size_with_redzone",
2155 "__name", "__module_name", "__has_dynamic_init" };
2156 tree fields[6], ret;
2157 int i;
2158
2159 ret = make_node (RECORD_TYPE);
2160 for (i = 0; i < 6; i++)
2161 {
2162 fields[i]
2163 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
2164 get_identifier (field_names[i]),
2165 (i == 0 || i == 3) ? const_ptr_type_node
2166 : pointer_sized_int_node);
2167 DECL_CONTEXT (fields[i]) = ret;
2168 if (i)
2169 DECL_CHAIN (fields[i - 1]) = fields[i];
2170 }
2171 TYPE_FIELDS (ret) = fields[0];
2172 TYPE_NAME (ret) = get_identifier ("__asan_global");
2173 layout_type (ret);
2174 return ret;
2175 }
2176
2177 /* Append description of a single global DECL into vector V.
2178 TYPE is __asan_global struct type as returned by asan_global_struct. */
2179
2180 static void
2181 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
2182 {
2183 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2184 unsigned HOST_WIDE_INT size;
2185 tree str_cst, module_name_cst, refdecl = decl;
2186 vec<constructor_elt, va_gc> *vinner = NULL;
2187
2188 pretty_printer asan_pp, module_name_pp;
2189
2190 if (DECL_NAME (decl))
2191 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
2192 else
2193 pp_string (&asan_pp, "<unknown>");
2194 str_cst = asan_pp_string (&asan_pp);
2195
2196 pp_string (&module_name_pp, main_input_filename);
2197 module_name_cst = asan_pp_string (&module_name_pp);
2198
2199 if (asan_needs_local_alias (decl))
2200 {
2201 char buf[20];
2202 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
2203 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
2204 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
2205 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
2206 TREE_READONLY (refdecl) = TREE_READONLY (decl);
2207 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
2208 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
2209 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
2210 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
2211 TREE_STATIC (refdecl) = 1;
2212 TREE_PUBLIC (refdecl) = 0;
2213 TREE_USED (refdecl) = 1;
2214 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
2215 }
2216
2217 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2218 fold_convert (const_ptr_type_node,
2219 build_fold_addr_expr (refdecl)));
2220 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
2221 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2222 size += asan_red_zone_size (size);
2223 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2224 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2225 fold_convert (const_ptr_type_node, str_cst));
2226 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2227 fold_convert (const_ptr_type_node, module_name_cst));
2228 varpool_node *vnode = varpool_get_node (decl);
2229 int has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
2230 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2231 build_int_cst (uptr, has_dynamic_init));
2232 init = build_constructor (type, vinner);
2233 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
2234 }
2235
2236 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2237 void
2238 initialize_sanitizer_builtins (void)
2239 {
2240 tree decl;
2241
2242 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
2243 return;
2244
2245 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
2246 tree BT_FN_VOID_PTR
2247 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
2248 tree BT_FN_VOID_CONST_PTR
2249 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
2250 tree BT_FN_VOID_PTR_PTR
2251 = build_function_type_list (void_type_node, ptr_type_node,
2252 ptr_type_node, NULL_TREE);
2253 tree BT_FN_VOID_PTR_PTR_PTR
2254 = build_function_type_list (void_type_node, ptr_type_node,
2255 ptr_type_node, ptr_type_node, NULL_TREE);
2256 tree BT_FN_VOID_PTR_PTRMODE
2257 = build_function_type_list (void_type_node, ptr_type_node,
2258 pointer_sized_int_node, NULL_TREE);
2259 tree BT_FN_VOID_INT
2260 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
2261 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
2262 tree BT_FN_IX_CONST_VPTR_INT[5];
2263 tree BT_FN_IX_VPTR_IX_INT[5];
2264 tree BT_FN_VOID_VPTR_IX_INT[5];
2265 tree vptr
2266 = build_pointer_type (build_qualified_type (void_type_node,
2267 TYPE_QUAL_VOLATILE));
2268 tree cvptr
2269 = build_pointer_type (build_qualified_type (void_type_node,
2270 TYPE_QUAL_VOLATILE
2271 |TYPE_QUAL_CONST));
2272 tree boolt
2273 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
2274 int i;
2275 for (i = 0; i < 5; i++)
2276 {
2277 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
2278 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
2279 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
2280 integer_type_node, integer_type_node,
2281 NULL_TREE);
2282 BT_FN_IX_CONST_VPTR_INT[i]
2283 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
2284 BT_FN_IX_VPTR_IX_INT[i]
2285 = build_function_type_list (ix, vptr, ix, integer_type_node,
2286 NULL_TREE);
2287 BT_FN_VOID_VPTR_IX_INT[i]
2288 = build_function_type_list (void_type_node, vptr, ix,
2289 integer_type_node, NULL_TREE);
2290 }
2291 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2292 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2293 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2294 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2295 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2296 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2297 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2298 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2299 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2300 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2301 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2302 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2303 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2304 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2305 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2306 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2307 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2308 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2309 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2310 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2311 #undef ATTR_NOTHROW_LEAF_LIST
2312 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2313 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2314 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2315 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2316 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2317 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2318 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2319 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2320 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2321 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2322 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2323 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2324 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2325 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
2326 #undef DEF_SANITIZER_BUILTIN
2327 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2328 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2329 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2330 set_call_expr_flags (decl, ATTRS); \
2331 set_builtin_decl (ENUM, decl, true);
2332
2333 #include "sanitizer.def"
2334
2335 #undef DEF_SANITIZER_BUILTIN
2336 }
2337
2338 /* Called via htab_traverse. Count number of emitted
2339 STRING_CSTs in the constant hash table. */
2340
2341 static int
2342 count_string_csts (void **slot, void *data)
2343 {
2344 struct constant_descriptor_tree *desc
2345 = (struct constant_descriptor_tree *) *slot;
2346 if (TREE_CODE (desc->value) == STRING_CST
2347 && TREE_ASM_WRITTEN (desc->value)
2348 && asan_protect_global (desc->value))
2349 ++*((unsigned HOST_WIDE_INT *) data);
2350 return 1;
2351 }
2352
2353 /* Helper structure to pass two parameters to
2354 add_string_csts. */
2355
2356 struct asan_add_string_csts_data
2357 {
2358 tree type;
2359 vec<constructor_elt, va_gc> *v;
2360 };
2361
2362 /* Called via htab_traverse. Call asan_add_global
2363 on emitted STRING_CSTs from the constant hash table. */
2364
2365 static int
2366 add_string_csts (void **slot, void *data)
2367 {
2368 struct constant_descriptor_tree *desc
2369 = (struct constant_descriptor_tree *) *slot;
2370 if (TREE_CODE (desc->value) == STRING_CST
2371 && TREE_ASM_WRITTEN (desc->value)
2372 && asan_protect_global (desc->value))
2373 {
2374 struct asan_add_string_csts_data *aascd
2375 = (struct asan_add_string_csts_data *) data;
2376 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
2377 aascd->type, aascd->v);
2378 }
2379 return 1;
2380 }
2381
2382 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
2383 invoke ggc_collect. */
2384 static GTY(()) tree asan_ctor_statements;
2385
2386 /* Module-level instrumentation.
2387 - Insert __asan_init_vN() into the list of CTORs.
2388 - TODO: insert redzones around globals.
2389 */
2390
2391 void
2392 asan_finish_file (void)
2393 {
2394 varpool_node *vnode;
2395 unsigned HOST_WIDE_INT gcount = 0;
2396
2397 if (shadow_ptr_types[0] == NULL_TREE)
2398 asan_init_shadow_ptr_types ();
2399 /* Avoid instrumenting code in the asan ctors/dtors.
2400 We don't need to insert padding after the description strings,
2401 nor after .LASAN* array. */
2402 flag_sanitize &= ~SANITIZE_ADDRESS;
2403
2404 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
2405 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2406 FOR_EACH_DEFINED_VARIABLE (vnode)
2407 if (TREE_ASM_WRITTEN (vnode->decl)
2408 && asan_protect_global (vnode->decl))
2409 ++gcount;
2410 htab_t const_desc_htab = constant_pool_htab ();
2411 htab_traverse (const_desc_htab, count_string_csts, &gcount);
2412 if (gcount)
2413 {
2414 tree type = asan_global_struct (), var, ctor;
2415 tree dtor_statements = NULL_TREE;
2416 vec<constructor_elt, va_gc> *v;
2417 char buf[20];
2418
2419 type = build_array_type_nelts (type, gcount);
2420 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
2421 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2422 type);
2423 TREE_STATIC (var) = 1;
2424 TREE_PUBLIC (var) = 0;
2425 DECL_ARTIFICIAL (var) = 1;
2426 DECL_IGNORED_P (var) = 1;
2427 vec_alloc (v, gcount);
2428 FOR_EACH_DEFINED_VARIABLE (vnode)
2429 if (TREE_ASM_WRITTEN (vnode->decl)
2430 && asan_protect_global (vnode->decl))
2431 asan_add_global (vnode->decl, TREE_TYPE (type), v);
2432 struct asan_add_string_csts_data aascd;
2433 aascd.type = TREE_TYPE (type);
2434 aascd.v = v;
2435 htab_traverse (const_desc_htab, add_string_csts, &aascd);
2436 ctor = build_constructor (type, v);
2437 TREE_CONSTANT (ctor) = 1;
2438 TREE_STATIC (ctor) = 1;
2439 DECL_INITIAL (var) = ctor;
2440 varpool_assemble_decl (varpool_node_for_decl (var));
2441
2442 fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
2443 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
2444 append_to_statement_list (build_call_expr (fn, 2,
2445 build_fold_addr_expr (var),
2446 gcount_tree),
2447 &asan_ctor_statements);
2448
2449 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
2450 append_to_statement_list (build_call_expr (fn, 2,
2451 build_fold_addr_expr (var),
2452 gcount_tree),
2453 &dtor_statements);
2454 cgraph_build_static_cdtor ('D', dtor_statements,
2455 MAX_RESERVED_INIT_PRIORITY - 1);
2456 }
2457 cgraph_build_static_cdtor ('I', asan_ctor_statements,
2458 MAX_RESERVED_INIT_PRIORITY - 1);
2459 flag_sanitize |= SANITIZE_ADDRESS;
2460 }
2461
2462 /* Instrument the current function. */
2463
2464 static unsigned int
2465 asan_instrument (void)
2466 {
2467 if (shadow_ptr_types[0] == NULL_TREE)
2468 asan_init_shadow_ptr_types ();
2469 transform_statements ();
2470 return 0;
2471 }
2472
2473 static bool
2474 gate_asan (void)
2475 {
2476 return (flag_sanitize & SANITIZE_ADDRESS) != 0
2477 && !lookup_attribute ("no_sanitize_address",
2478 DECL_ATTRIBUTES (current_function_decl));
2479 }
2480
2481 namespace {
2482
2483 const pass_data pass_data_asan =
2484 {
2485 GIMPLE_PASS, /* type */
2486 "asan", /* name */
2487 OPTGROUP_NONE, /* optinfo_flags */
2488 true, /* has_gate */
2489 true, /* has_execute */
2490 TV_NONE, /* tv_id */
2491 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
2492 0, /* properties_provided */
2493 0, /* properties_destroyed */
2494 0, /* todo_flags_start */
2495 ( TODO_verify_flow | TODO_verify_stmts
2496 | TODO_update_ssa ), /* todo_flags_finish */
2497 };
2498
2499 class pass_asan : public gimple_opt_pass
2500 {
2501 public:
2502 pass_asan (gcc::context *ctxt)
2503 : gimple_opt_pass (pass_data_asan, ctxt)
2504 {}
2505
2506 /* opt_pass methods: */
2507 opt_pass * clone () { return new pass_asan (m_ctxt); }
2508 bool gate () { return gate_asan (); }
2509 unsigned int execute () { return asan_instrument (); }
2510
2511 }; // class pass_asan
2512
2513 } // anon namespace
2514
2515 gimple_opt_pass *
2516 make_pass_asan (gcc::context *ctxt)
2517 {
2518 return new pass_asan (ctxt);
2519 }
2520
2521 static bool
2522 gate_asan_O0 (void)
2523 {
2524 return !optimize && gate_asan ();
2525 }
2526
2527 namespace {
2528
2529 const pass_data pass_data_asan_O0 =
2530 {
2531 GIMPLE_PASS, /* type */
2532 "asan0", /* name */
2533 OPTGROUP_NONE, /* optinfo_flags */
2534 true, /* has_gate */
2535 true, /* has_execute */
2536 TV_NONE, /* tv_id */
2537 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
2538 0, /* properties_provided */
2539 0, /* properties_destroyed */
2540 0, /* todo_flags_start */
2541 ( TODO_verify_flow | TODO_verify_stmts
2542 | TODO_update_ssa ), /* todo_flags_finish */
2543 };
2544
2545 class pass_asan_O0 : public gimple_opt_pass
2546 {
2547 public:
2548 pass_asan_O0 (gcc::context *ctxt)
2549 : gimple_opt_pass (pass_data_asan_O0, ctxt)
2550 {}
2551
2552 /* opt_pass methods: */
2553 bool gate () { return gate_asan_O0 (); }
2554 unsigned int execute () { return asan_instrument (); }
2555
2556 }; // class pass_asan_O0
2557
2558 } // anon namespace
2559
2560 gimple_opt_pass *
2561 make_pass_asan_O0 (gcc::context *ctxt)
2562 {
2563 return new pass_asan_O0 (ctxt);
2564 }
2565
2566 /* Perform optimization of sanitize functions. */
2567
2568 static unsigned int
2569 execute_sanopt (void)
2570 {
2571 basic_block bb;
2572
2573 FOR_EACH_BB_FN (bb, cfun)
2574 {
2575 gimple_stmt_iterator gsi;
2576 for (gsi = gsi_start_bb (bb); !gsi_end_p (gsi); gsi_next (&gsi))
2577 {
2578 gimple stmt = gsi_stmt (gsi);
2579
2580 if (!is_gimple_call (stmt))
2581 continue;
2582
2583 if (gimple_call_internal_p (stmt))
2584 switch (gimple_call_internal_fn (stmt))
2585 {
2586 case IFN_UBSAN_NULL:
2587 ubsan_expand_null_ifn (gsi);
2588 break;
2589 default:
2590 break;
2591 }
2592
2593 if (dump_file && (dump_flags & TDF_DETAILS))
2594 {
2595 fprintf (dump_file, "Optimized\n ");
2596 print_gimple_stmt (dump_file, stmt, 0, dump_flags);
2597 fprintf (dump_file, "\n");
2598 }
2599 }
2600 }
2601 return 0;
2602 }
2603
2604 static bool
2605 gate_sanopt (void)
2606 {
2607 return flag_sanitize;
2608 }
2609
2610 namespace {
2611
2612 const pass_data pass_data_sanopt =
2613 {
2614 GIMPLE_PASS, /* type */
2615 "sanopt", /* name */
2616 OPTGROUP_NONE, /* optinfo_flags */
2617 true, /* has_gate */
2618 true, /* has_execute */
2619 TV_NONE, /* tv_id */
2620 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
2621 0, /* properties_provided */
2622 0, /* properties_destroyed */
2623 0, /* todo_flags_start */
2624 ( TODO_verify_flow | TODO_verify_stmts
2625 | TODO_update_ssa ), /* todo_flags_finish */
2626 };
2627
2628 class pass_sanopt : public gimple_opt_pass
2629 {
2630 public:
2631 pass_sanopt (gcc::context *ctxt)
2632 : gimple_opt_pass (pass_data_sanopt, ctxt)
2633 {}
2634
2635 /* opt_pass methods: */
2636 bool gate () { return gate_sanopt (); }
2637 unsigned int execute () { return execute_sanopt (); }
2638
2639 }; // class pass_sanopt
2640
2641 } // anon namespace
2642
2643 gimple_opt_pass *
2644 make_pass_sanopt (gcc::context *ctxt)
2645 {
2646 return new pass_sanopt (ctxt);
2647 }
2648
2649 #include "gt-asan.h"
Mirror of the offical gcc git repository hosted at gcc.gnu.org