| blob | 3fba12c2ae46ac07999b3710c6498c1af77e9f39 |
1 /* Pointer Bounds Checker insrumentation pass.
2 Copyright (C) 2014-2016 Free Software Foundation, Inc.
3 Contributed by Ilya Enkovich (ilya.enkovich@intel.com)
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
56 /* Pointer Bounds Checker instruments code with memory checks to find
57 out-of-bounds memory accesses. Checks are performed by computing
58 bounds for each pointer and then comparing address of accessed
59 memory before pointer dereferencing.
61 1. Function clones.
63 See ipa-chkp.c.
65 2. Instrumentation.
67 There are few things to instrument:
69 a) Memory accesses - add checker calls to check address of accessed memory
70 against bounds of dereferenced pointer. Obviously safe memory
71 accesses like static variable access does not have to be instrumented
72 with checks.
74 Example:
76 val_2 = *p_1;
78 with 4 bytes access is transformed into:
80 __builtin___chkp_bndcl (__bound_tmp.1_3, p_1);
81 D.1_4 = p_1 + 3;
82 __builtin___chkp_bndcu (__bound_tmp.1_3, D.1_4);
83 val_2 = *p_1;
85 where __bound_tmp.1_3 are bounds computed for pointer p_1,
86 __builtin___chkp_bndcl is a lower bound check and
87 __builtin___chkp_bndcu is an upper bound check.
89 b) Pointer stores.
91 When pointer is stored in memory we need to store its bounds. To
92 achieve compatibility of instrumented code with regular codes
93 we have to keep data layout and store bounds in special bound tables
94 via special checker call. Implementation of bounds table may vary for
95 different platforms. It has to associate pointer value and its
96 location (it is required because we may have two equal pointers
97 with different bounds stored in different places) with bounds.
98 Another checker builtin allows to get bounds for specified pointer
99 loaded from specified location.
101 Example:
103 buf1[i_1] = &buf2;
105 is transformed into:
107 buf1[i_1] = &buf2;
108 D.1_2 = &buf1[i_1];
109 __builtin___chkp_bndstx (D.1_2, &buf2, __bound_tmp.1_2);
111 where __bound_tmp.1_2 are bounds of &buf2.
113 c) Static initialization.
115 The special case of pointer store is static pointer initialization.
116 Bounds initialization is performed in a few steps:
117 - register all static initializations in front-end using
118 chkp_register_var_initializer
119 - when file compilation finishes we create functions with special
120 attribute 'chkp ctor' and put explicit initialization code
121 (assignments) for all statically initialized pointers.
122 - when checker constructor is compiled checker pass adds required
123 bounds initialization for all statically initialized pointers
124 - since we do not actually need excess pointers initialization
125 in checker constructor we remove such assignments from them
127 d) Calls.
129 For each call in the code we add additional arguments to pass
130 bounds for pointer arguments. We determine type of call arguments
131 using arguments list from function declaration; if function
132 declaration is not available we use function type; otherwise
133 (e.g. for unnamed arguments) we use type of passed value. Function
134 declaration/type is replaced with the instrumented one.
136 Example:
138 val_1 = foo (&buf1, &buf2, &buf1, 0);
140 is translated into:
142 val_1 = foo.chkp (&buf1, __bound_tmp.1_2, &buf2, __bound_tmp.1_3,
143 &buf1, __bound_tmp.1_2, 0);
145 e) Returns.
147 If function returns a pointer value we have to return bounds also.
148 A new operand was added for return statement to hold returned bounds.
150 Example:
152 return &_buf1;
154 is transformed into
156 return &_buf1, __bound_tmp.1_1;
158 3. Bounds computation.
160 Compiler is fully responsible for computing bounds to be used for each
161 memory access. The first step for bounds computation is to find the
162 origin of pointer dereferenced for memory access. Basing on pointer
163 origin we define a way to compute its bounds. There are just few
164 possible cases:
166 a) Pointer is returned by call.
168 In this case we use corresponding checker builtin method to obtain returned
169 bounds.
171 Example:
173 buf_1 = malloc (size_2);
174 foo (buf_1);
176 is translated into:
178 buf_1 = malloc (size_2);
179 __bound_tmp.1_3 = __builtin___chkp_bndret (buf_1);
180 foo (buf_1, __bound_tmp.1_3);
182 b) Pointer is an address of an object.
184 In this case compiler tries to compute objects size and create corresponding
185 bounds. If object has incomplete type then special checker builtin is used to
186 obtain its size at runtime.
188 Example:
190 foo ()
191 {
192 <unnamed type> __bound_tmp.3;
193 static int buf[100];
195 <bb 3>:
196 __bound_tmp.3_2 = __builtin___chkp_bndmk (&buf, 400);
198 <bb 2>:
199 return &buf, __bound_tmp.3_2;
200 }
202 Example:
204 Address of an object 'extern int buf[]' with incomplete type is
205 returned.
207 foo ()
208 {
209 <unnamed type> __bound_tmp.4;
210 long unsigned int __size_tmp.3;
212 <bb 3>:
213 __size_tmp.3_4 = __builtin_ia32_sizeof (buf);
214 __bound_tmp.4_3 = __builtin_ia32_bndmk (&buf, __size_tmp.3_4);
216 <bb 2>:
217 return &buf, __bound_tmp.4_3;
218 }
220 c) Pointer is the result of object narrowing.
222 It happens when we use pointer to an object to compute pointer to a part
223 of an object. E.g. we take pointer to a field of a structure. In this
224 case we perform bounds intersection using bounds of original object and
225 bounds of object's part (which are computed basing on its type).
227 There may be some debatable questions about when narrowing should occur
228 and when it should not. To avoid false bound violations in correct
229 programs we do not perform narrowing when address of an array element is
230 obtained (it has address of the whole array) and when address of the first
231 structure field is obtained (because it is guaranteed to be equal to
232 address of the whole structure and it is legal to cast it back to structure).
234 Default narrowing behavior may be changed using compiler flags.
236 Example:
238 In this example address of the second structure field is returned.
240 foo (struct A * p, __bounds_type __bounds_of_p)
241 {
242 <unnamed type> __bound_tmp.3;
243 int * _2;
244 int * _5;
246 <bb 2>:
247 _5 = &p_1(D)->second_field;
248 __bound_tmp.3_6 = __builtin___chkp_bndmk (_5, 4);
249 __bound_tmp.3_8 = __builtin___chkp_intersect (__bound_tmp.3_6,
250 __bounds_of_p_3(D));
251 _2 = &p_1(D)->second_field;
252 return _2, __bound_tmp.3_8;
253 }
255 Example:
257 In this example address of the first field of array element is returned.
259 foo (struct A * p, __bounds_type __bounds_of_p, int i)
260 {
261 long unsigned int _3;
262 long unsigned int _4;
263 struct A * _6;
264 int * _7;
266 <bb 2>:
267 _3 = (long unsigned int) i_1(D);
268 _4 = _3 * 8;
269 _6 = p_5(D) + _4;
270 _7 = &_6->first_field;
271 return _7, __bounds_of_p_2(D);
272 }
275 d) Pointer is the result of pointer arithmetic or type cast.
277 In this case bounds of the base pointer are used. In case of binary
278 operation producing a pointer we are analyzing data flow further
279 looking for operand's bounds. One operand is considered as a base
280 if it has some valid bounds. If we fall into a case when none of
281 operands (or both of them) has valid bounds, a default bounds value
282 is used.
284 Trying to find out bounds for binary operations we may fall into
285 cyclic dependencies for pointers. To avoid infinite recursion all
286 walked phi nodes instantly obtain corresponding bounds but created
287 bounds are marked as incomplete. It helps us to stop DF walk during
288 bounds search.
290 When we reach pointer source, some args of incomplete bounds phi obtain
291 valid bounds and those values are propagated further through phi nodes.
292 If no valid bounds were found for phi node then we mark its result as
293 invalid bounds. Process stops when all incomplete bounds become either
294 valid or invalid and we are able to choose a pointer base.
296 e) Pointer is loaded from the memory.
298 In this case we just need to load bounds from the bounds table.
300 Example:
302 foo ()
303 {
304 <unnamed type> __bound_tmp.3;
305 static int * buf;
306 int * _2;
308 <bb 2>:
309 _2 = buf;
310 __bound_tmp.3_4 = __builtin___chkp_bndldx (&buf, _2);
311 return _2, __bound_tmp.3_4;
312 }
314 */
329 #define chkp_bndldx_fndecl \
330 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDLDX))
331 #define chkp_bndstx_fndecl \
332 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDSTX))
333 #define chkp_checkl_fndecl \
334 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDCL))
335 #define chkp_checku_fndecl \
336 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDCU))
337 #define chkp_bndmk_fndecl \
338 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDMK))
339 #define chkp_ret_bnd_fndecl \
340 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDRET))
341 #define chkp_intersect_fndecl \
342 (targetm.builtin_chkp_function (BUILT_IN_CHKP_INTERSECT))
343 #define chkp_narrow_bounds_fndecl \
344 (targetm.builtin_chkp_function (BUILT_IN_CHKP_NARROW))
345 #define chkp_sizeof_fndecl \
346 (targetm.builtin_chkp_function (BUILT_IN_CHKP_SIZEOF))
347 #define chkp_extract_lower_fndecl \
348 (targetm.builtin_chkp_function (BUILT_IN_CHKP_EXTRACT_LOWER))
349 #define chkp_extract_upper_fndecl \
350 (targetm.builtin_chkp_function (BUILT_IN_CHKP_EXTRACT_UPPER))
384 /* Static checker constructors may become very large and their
385 compilation with optimization may take too much time.
386 Therefore we put a limit to number of statements in one
387 constructor. Tests with 100 000 statically initialized
388 pointers showed following compilation times on Sandy Bridge
389 server (used -O2):
390 limit 100 => ~18 sec.
391 limit 300 => ~22 sec.
392 limit 1000 => ~30 sec.
393 limit 3000 => ~49 sec.
394 limit 5000 => ~55 sec.
395 limit 10000 => ~76 sec.
396 limit 100000 => ~532 sec. */
397 #define MAX_STMTS_IN_STATIC_CHKP_CTOR (PARAM_VALUE (PARAM_CHKP_MAX_CTOR_SIZE))
399 struct chkp_ctor_stmt_list
400 {
401 tree stmts;
403 };
405 /* Return 1 if function FNDECL is instrumented by Pointer
406 Bounds Checker. */
407 bool
409 {
410 return fndecl
412 }
414 /* Mark function FNDECL as instrumented. */
415 void
417 {
424 }
426 /* Return true when STMT is builtin call to instrumentation function
427 corresponding to CODE. */
429 bool
432 {
433 tree fndecl;
439 }
441 /* Emit code to build zero bounds and return RTL holding
442 the result. */
443 rtx
445 {
446 tree zero_bnd;
450 else
452 integer_zero_node);
454 }
456 /* Emit code to store zero bounds for PTR located at MEM. */
457 void
459 {
464 else
466 integer_zero_node);
475 }
477 /* Build retbnd call for returned value RETVAL.
479 If BNDVAL is not NULL then result is stored
480 in it. Otherwise a temporary is created to
481 hold returned value.
483 GSI points to a position for a retbnd call
484 and is set to created stmt.
486 Cgraph edge is created for a new call if
487 UPDATE_EDGE is 1.
489 Obtained bounds are returned. */
490 tree
493 {
504 }
506 /* Build a GIMPLE_CALL identical to CALL but skipping bounds
507 arguments. */
509 gcall *
511 {
512 bitmap bounds;
530 }
532 /* Redirect edge E to the correct node according to call_stmt.
533 Return 1 if bounds removal from call_stmt should be done
534 instead of redirection. */
536 bool
538 {
554 {
557 else
558 {
560 /* Avoid bounds removal if all args will be removed. */
563 else
565 }
566 }
569 }
571 /* Mark statement S to not be instrumented. */
572 static void
574 {
576 }
578 /* Mark statement S to be instrumented. */
579 static void
581 {
583 }
585 /* Return 1 if statement S should not be instrumented. */
586 static bool
588 {
590 }
592 /* Get var to be used for bound temps. */
593 static tree
595 {
600 }
602 /* Get SSA_NAME to be used as temp. */
603 static tree
605 {
610 CHKP_BOUND_TMP_NAME);
611 }
613 /* Get var to be used for size temps. */
614 static tree
616 {
621 }
623 /* Register bounds BND for address of OBJ. */
624 static void
626 {
633 {
639 }
640 }
642 /* Return bounds registered for address of OBJ. */
643 static tree
645 {
648 }
650 /* Mark BOUNDS as completed. */
651 static void
653 {
657 {
661 }
662 }
664 /* Return 1 if BOUNDS were marked as completed and 0 otherwise. */
665 static bool
667 {
669 }
671 /* Clear comleted bound marks. */
672 static void
674 {
677 }
679 /* Mark BOUNDS associated with PTR as incomplete. */
680 static void
682 {
686 {
692 }
693 }
695 /* Return 1 if BOUNDS are incomplete and 0 otherwise. */
696 static bool
698 {
706 }
708 /* Clear incomleted bound marks. */
709 static void
711 {
714 }
716 /* Build and return bndmk call which creates bounds for structure
717 pointed by PTR. Structure should have complete type. */
718 tree
720 {
722 tree size;
733 }
735 /* Traversal function for chkp_may_finish_incomplete_bounds.
736 Set RES to 0 if at least one argument of phi statement
737 defining bounds (passed in KEY arg) is unknown.
738 Traversal stops when first unknown phi argument is found. */
739 bool
742 {
753 {
756 {
758 /* Do not need to traverse further. */
760 }
761 }
764 }
766 /* Return 1 if all phi nodes created for bounds have their
767 arguments computed. */
768 static bool
770 {
773 chkp_incomplete_bounds_map
777 }
779 /* Helper function for chkp_finish_incomplete_bounds.
780 Recompute args for bounds phi node. */
781 bool
784 {
797 {
803 UNKNOWN_LOCATION);
804 }
807 }
809 /* Mark BOUNDS as invalid. */
810 static void
812 {
816 {
820 }
821 }
823 /* Return 1 if BOUNDS were marked as invalid and 0 otherwise. */
824 static bool
826 {
831 }
833 /* Helper function for chkp_finish_incomplete_bounds.
834 Check all arguments of phi nodes trying to find
835 valid completed bounds. If there is at least one
836 such arg then bounds produced by phi node are marked
837 as valid completed bounds and all phi args are
838 recomputed. */
839 bool
841 {
855 {
861 {
866 }
867 }
870 }
872 /* Helper function for chkp_finish_incomplete_bounds.
873 Marks all incompleted bounds as invalid. */
874 bool
878 {
880 {
883 }
885 }
887 /* When all bound phi nodes have all their args computed
888 we have enough info to find valid bounds. We iterate
889 through all incompleted bounds searching for valid
890 bounds. Found valid bounds are marked as completed
891 and all remaining incompleted bounds are recomputed.
892 Process continues until no new valid bounds may be
893 found. All remained incompleted bounds are marked as
894 invalid (i.e. have no valid source of bounds). */
895 static void
897 {
901 {
904 chkp_incomplete_bounds_map->
908 chkp_incomplete_bounds_map->
910 }
912 chkp_incomplete_bounds_map->
914 chkp_incomplete_bounds_map->
919 }
921 /* Return 1 if type TYPE is a pointer type or a
922 structure having a pointer type as one of its fields.
923 Otherwise return 0. */
924 bool
926 {
932 {
933 tree field;
938 }
943 }
945 unsigned
947 {
955 {
956 bitmap have_bound;
964 }
967 }
969 /* Get bounds associated with NODE via
970 chkp_set_bounds call. */
971 tree
973 {
981 }
983 /* Associate bounds VAL with NODE. */
984 void
986 {
991 }
993 /* Check if statically initialized variable VAR require
994 static bounds initialization. If VAR is added into
995 bounds initlization list then 1 is returned. Otherwise
996 return 0. */
999 {
1009 {
1012 }
1015 }
1017 /* Helper function for chkp_finish_file.
1019 Add new modification statement (RHS is assigned to LHS)
1020 into list of static initializer statementes (passed in ARG).
1021 If statements list becomes too big, emit checker constructor
1022 and start the new one. */
1023 static void
1025 tree rhs,
1027 {
1029 tree modify;
1038 }
1040 /* Build and return ADDR_EXPR for specified object OBJ. */
1041 static tree
1043 {
1047 }
1049 /* Helper function for chkp_finish_file.
1050 Initialize bound variable BND_VAR with bounds of variable
1051 VAR to statements list STMTS. If statements list becomes
1052 too big, emit checker constructor and start the new one. */
1053 static void
1056 {
1060 {
1063 }
1066 {
1067 /* Compute bounds using statically known size. */
1070 }
1071 else
1072 {
1073 /* Compute bounds using dynamic size. */
1074 tree call;
1079 chkp_sizeof_fndecl);
1084 {
1090 }
1093 }
1099 {
1104 }
1105 }
1107 /* Return entry block to be used for checker initilization code.
1108 Create new block if required. */
1109 static basic_block
1111 {
1113 entry_block
1117 }
1119 /* Return a bounds var to be used for pointer var PTR_VAR. */
1120 static tree
1122 {
1123 tree bnd_var;
1129 else
1130 {
1132 CHKP_BOUND_TMP_NAME);
1134 }
1137 }
1139 /* If BND is an abnormal bounds copy, return a copied value.
1140 Otherwise return BND. */
1141 static tree
1143 {
1145 {
1149 }
1152 }
1154 /* Register bounds BND for object PTR in global bounds table.
1155 A copy of bounds may be created for abnormal ssa names.
1156 Returns bounds to use for PTR. */
1157 static tree
1159 {
1165 /* Do nothing if bounds are incomplete_bounds
1166 because it means bounds will be recomputed. */
1174 /* A single bounds value may be reused multiple times for
1175 different pointer values. It may cause coalescing issues
1176 for abnormal SSA names. To avoid it we create a bounds
1177 copy in case it is computed for abnormal SSA name.
1179 We also cannot reuse such created copies for other pointers */
1182 {
1186 {
1189 }
1190 else
1193 /* For abnormal copies we may just find original
1194 bounds and use them. */
1197 /* For undefined values we usually use none bounds
1198 value but in case of abnormal edge it may cause
1199 coalescing failures. Use default definition of
1200 bounds variable instead to avoid it. */
1203 {
1207 {
1213 }
1214 }
1215 else
1216 {
1217 tree copy;
1220 gimple_stmt_iterator gsi;
1224 else
1226 NULL,
1227 CHKP_BOUND_TMP_NAME);
1232 {
1238 }
1241 {
1245 else
1247 }
1248 else
1249 {
1251 /* Sometimes (e.g. when we load a pointer from a
1252 memory) bounds are produced later than a pointer.
1253 We need to insert bounds copy appropriately. */
1257 else
1260 }
1263 }
1267 }
1272 {
1278 }
1281 }
1283 /* Get bounds registered for object PTR in global bounds table. */
1284 static tree
1286 {
1294 }
1296 /* Add bound retvals to return statement pointed by GSI. */
1298 static void
1300 {
1304 tree bounds;
1310 {
1314 }
1317 }
1319 /* Force OP to be suitable for using as an argument for call.
1320 New statements (if any) go to SEQ. */
1321 static tree
1323 {
1324 gimple_seq stmts;
1325 gimple_stmt_iterator si;
1335 }
1337 /* Generate lower bound check for memory access by ADDR.
1338 Check is inserted before the position pointed by ITER.
1339 DIRFLAG indicates whether memory access is load or store. */
1340 static void
1342 gimple_stmt_iterator iter,
1343 location_t location,
1344 tree dirflag)
1345 {
1346 gimple_seq seq;
1348 tree node;
1375 {
1381 }
1382 }
1384 /* Generate upper bound check for memory access by ADDR.
1385 Check is inserted before the position pointed by ITER.
1386 DIRFLAG indicates whether memory access is load or store. */
1387 static void
1389 gimple_stmt_iterator iter,
1390 location_t location,
1391 tree dirflag)
1392 {
1393 gimple_seq seq;
1395 tree node;
1422 {
1428 }
1429 }
1431 /* Generate lower and upper bound checks for memory access
1432 to memory slot [FIRST, LAST] againsr BOUNDS. Checks
1433 are inserted before the position pointed by ITER.
1434 DIRFLAG indicates whether memory access is load or store. */
1435 void
1437 gimple_stmt_iterator iter,
1438 location_t location,
1439 tree dirflag)
1440 {
1443 }
1445 /* Replace call to _bnd_chk_* pointed by GSI with
1446 bndcu and bndcl calls. DIRFLAG determines whether
1447 check is for read or write. */
1449 void
1451 tree dirflag)
1452 {
1467 {
1472 }
1475 }
1477 /* Replace call to _bnd_get_ptr_* pointed by GSI with
1478 corresponding bounds extract call. */
1480 void
1482 {
1493 else
1501 }
1503 /* Return COMPONENT_REF accessing FIELD in OBJ. */
1504 static tree
1506 {
1507 tree res;
1509 /* If object is TMR then we do not use component_ref but
1510 add offset instead. We need it to be able to get addr
1511 of the reasult later. */
1513 {
1523 }
1524 else
1528 }
1530 /* Return ARRAY_REF for array ARR and index IDX with
1531 specified element type ETYPE and element size ESIZE. */
1532 static tree
1535 {
1537 tree res;
1539 /* If object is TMR then we do not use array_ref but
1540 add offset instead. We need it to be able to get addr
1541 of the reasult later. */
1543 {
1557 }
1558 else
1562 }
1564 /* Helper function for chkp_add_bounds_to_call_stmt.
1565 Fill ALL_BOUNDS output array with created bounds.
1567 OFFS is used for recursive calls and holds basic
1568 offset of TYPE in outer structure in bits.
1570 ITER points a position where bounds are searched.
1572 ALL_BOUNDS[i] is filled with elem bounds if there
1573 is a field in TYPE which has pointer type and offset
1574 equal to i * POINTER_SIZE in bits. */
1575 static void
1577 HOST_WIDE_INT offs,
1579 {
1583 {
1585 {
1588 gimple_stmt_iterator gsi;
1594 }
1595 }
1597 {
1598 tree field;
1602 {
1605 HOST_WIDE_INT field_offs
1612 }
1613 }
1615 {
1625 {
1629 cur);
1631 iter);
1632 }
1633 }
1634 }
1636 /* Fill HAVE_BOUND output bitmap with information about
1637 bounds requred for object of type TYPE.
1639 OFFS is used for recursive calls and holds basic
1640 offset of TYPE in outer structure in bits.
1642 HAVE_BOUND[i] is set to 1 if there is a field
1643 in TYPE which has pointer type and offset
1644 equal to i * POINTER_SIZE - OFFS in bits. */
1645 void
1647 HOST_WIDE_INT offs)
1648 {
1652 {
1653 tree field;
1657 {
1665 }
1666 }
1668 {
1669 /* The object type is an array of complete type, i.e., other
1670 than a flexible array. */
1683 }
1684 }
1686 /* Fill bitmap RES with information about bounds for
1687 type TYPE. See chkp_find_bound_slots_1 for more
1688 details. */
1689 void
1691 {
1694 }
1696 /* Return 1 if call to FNDECL should be instrumented
1697 and 0 otherwise. */
1699 static bool
1701 {
1703 {
1737 }
1738 }
1740 /* Add bound arguments to call statement pointed by GSI.
1741 Also performs a replacement of user checker builtins calls
1742 with internal ones. */
1744 static void
1746 {
1750 tree fntype;
1751 tree first_formal_arg;
1752 tree arg;
1754 tree op;
1755 ssa_op_iter iter;
1758 /* Do nothing for internal functions. */
1764 /* Do nothing if back-end builtin is called. */
1768 /* Do nothing for some middle-end builtins. */
1773 /* Do nothing for calls to not instrumentable functions. */
1777 /* Ignore CHKP_INIT_PTR_BOUNDS, CHKP_NULL_PTR_BOUNDS
1778 and CHKP_COPY_PTR_BOUNDS. */
1786 /* Check user builtins are replaced with checks. */
1791 {
1794 }
1796 /* Check user builtins are replaced with bound extract. */
1800 {
1803 }
1805 /* BUILT_IN_CHKP_NARROW_PTR_BOUNDS call is replaced with
1806 target narrow bounds call. */
1809 {
1818 }
1820 /* BUILT_IN_CHKP_STORE_PTR_BOUNDS call is replaced with
1821 bndstx call. */
1824 {
1834 }
1839 /* We instrument only some subset of builtins. We also instrument
1840 builtin calls to be inlined. */
1844 {
1852 }
1854 /* If function decl is available then use it for
1855 formal arguments list. Otherwise use function type. */
1858 else
1859 {
1862 }
1864 /* Fill vector of new call args. */
1869 {
1871 tree type;
1873 /* Get arg type using formal argument description
1874 or actual argument type. */
1878 {
1881 }
1882 else
1884 else
1885 {
1888 }
1889 else
1898 {
1899 HOST_WIDE_INT max_bounds
1902 HOST_WIDE_INT bnd_no;
1913 }
1914 }
1918 else
1919 {
1924 }
1927 /* For direct calls fndecl is replaced with instrumented version. */
1929 {
1933 }
1934 /* For indirect call we should fix function pointer type if
1935 pass some bounds. */
1937 {
1941 }
1943 /* replace old call statement with the new one. */
1945 {
1947 {
1949 }
1951 }
1952 else
1956 }
1958 /* Return constant static bounds var with specified bounds LB and UB.
1959 If such var does not exists then new var is created with specified NAME. */
1960 static tree
1962 HOST_WIDE_INT ub,
1964 {
1966 tree var;
1971 pointer_bounds_type_node);
1975 /* With LTO we may have constant bounds already in varpool.
1976 Try to find it. */
1978 {
1979 /* We don't allow this symbol usage for non bounds. */
1987 }
1996 /* We may use this symbol during ctors generation in chkp_finish_file
1997 when all symbols are emitted. Force output to avoid undefined
1998 symbols in ctors. */
2005 }
2007 /* Generate code to make bounds with specified lower bound LB and SIZE.
2008 if AFTER is 1 then code is inserted after position pointed by ITER
2009 otherwise code is inserted before position pointed by ITER.
2010 If ITER is NULL then code is added to entry block. */
2011 static tree
2013 {
2014 gimple_seq seq;
2015 gimple_stmt_iterator gsi;
2017 tree bounds;
2021 else
2039 else
2043 {
2047 {
2050 }
2051 else
2053 }
2055 /* update_stmt (stmt); */
2058 }
2060 /* Return var holding zero bounds. */
2061 tree
2063 {
2065 chkp_zero_bounds_var
2067 CHKP_ZERO_BOUNDS_VAR_NAME);
2069 }
2071 /* Return var holding none bounds. */
2072 tree
2074 {
2076 chkp_none_bounds_var
2078 CHKP_NONE_BOUNDS_VAR_NAME);
2080 }
2082 /* Return SSA_NAME used to represent zero bounds. */
2083 static tree
2085 {
2094 {
2101 }
2102 else
2104 integer_zero_node,
2105 NULL,
2109 }
2111 /* Return SSA_NAME used to represent none bounds. */
2112 static tree
2114 {
2124 {
2131 }
2132 else
2135 NULL,
2139 }
2141 /* Return bounds to be used as a result of operation which
2142 should not create poiunter (e.g. MULT_EXPR). */
2143 static tree
2145 {
2147 }
2149 /* Return bounds to be used for loads of non-pointer values. */
2150 static tree
2152 {
2154 }
2156 /* Return 1 if may use bndret call to get bounds for pointer
2157 returned by CALL. */
2158 static bool
2160 {
2162 {
2166 }
2184 {
2193 }
2196 }
2198 /* Build bounds returned by CALL. */
2199 static tree
2201 {
2202 gimple_stmt_iterator gsi;
2203 tree bounds;
2208 /* To avoid fixing alloca expands in targets we handle
2209 it separately. */
2214 {
2219 }
2220 /* We know bounds returned by set_bounds builtin call. */
2224 {
2229 }
2230 /* Detect bounds initialization calls. */
2235 /* Detect bounds nullification calls. */
2240 /* Detect bounds copy calls. */
2244 {
2247 }
2248 /* Do not use retbnd when returned bounds are equal to some
2249 of passed bounds. */
2252 {
2256 {
2259 {
2261 retarg--;
2262 else
2264 }
2265 }
2266 else
2270 }
2272 {
2275 /* In general case build checker builtin call to
2276 obtain returned bounds. */
2288 }
2289 else
2293 {
2298 }
2303 }
2305 /* Return bounds used as returned by call
2306 which produced SSA name VAL. */
2307 gcall *
2309 {
2315 imm_use_iterator use_iter;
2316 use_operand_p use_p;
2323 }
2325 /* Check the next parameter for the given PARM is bounds
2326 and return it's default SSA_NAME (create if required). */
2327 static tree
2329 {
2334 {
2337 }
2339 }
2341 /* Return bounds to be used for input argument PARM. */
2342 static tree
2344 {
2346 tree bounds;
2356 {
2359 /* For static chain param we return zero bounds
2360 because currently we do not check dereferences
2361 of this pointer. */
2364 /* If non instrumented runtime is used then it may be useful
2365 to use zero bounds for input arguments of main
2366 function. */
2372 {
2377 {
2382 }
2383 }
2384 else
2386 }
2392 {
2400 }
2403 }
2405 /* Build and return CALL_EXPR for bndstx builtin with specified
2406 arguments. */
2407 tree
2409 {
2412 chkp_bndldx_fndecl);
2417 }
2419 /* Insert code to load bounds for PTR located by ADDR.
2420 Code is inserted after position pointed by GSI.
2421 Loaded bounds are returned. */
2422 static tree
2424 {
2425 gimple_seq seq;
2427 tree bounds;
2444 {
2449 }
2452 }
2454 /* Build and return CALL_EXPR for bndstx builtin with specified
2455 arguments. */
2456 tree
2458 {
2461 chkp_bndstx_fndecl);
2466 }
2468 /* Insert code to store BOUNDS for PTR stored by ADDR.
2469 New statements are inserted after position pointed
2470 by GSI. */
2471 void
2474 {
2475 gimple_seq seq;
2492 {
2496 }
2497 }
2499 /* This function is called when call statement
2500 is inlined and therefore we can't use bndret
2501 for its LHS anymore. Function fixes bndret
2502 call using new RHS value if possible. */
2503 void
2505 {
2512 /* Search for retbnd call. */
2517 /* Currently only handle cases when call is replaced
2518 with a memory access. In this case bndret call
2519 may be replaced with bndldx call. Otherwise we
2520 have to search for bounds which may cause wrong
2521 result due to various optimizations applied. */
2523 {
2544 }
2546 /* Create a new statements sequence with bndldx call. */
2552 /* Remove bndret call. */
2557 /* Link new bndldx call. */
2560 }
2562 /* Compute bounds for pointer NODE which was assigned in
2563 assignment statement ASSIGN. Return computed bounds. */
2564 static tree
2566 {
2574 {
2577 }
2580 {
2585 /* We need to load bounds from the bounds table. */
2596 /* Bounds are just propagated from RHS. */
2602 /* Bounds are just propagated from RHS. */
2608 {
2609 /* We need to load bounds from the bounds table. */
2613 }
2614 else
2623 {
2628 /* First we try to check types of operands. If it
2629 does not help then look at bound values.
2631 If some bounds are incomplete and other are
2632 not proven to be valid (i.e. also incomplete
2633 or invalid because value is not pointer) then
2634 resulting value is incomplete and will be
2635 recomputed later in chkp_finish_incomplete_bounds. */
2647 else
2653 else
2660 else
2664 else
2665 /* Seems both operands may have valid bounds
2666 (e.g. pointer minus pointer). In such case
2667 use default invalid op bounds. */
2671 }
2701 /* No valid bounds may be produced by these exprs. */
2706 {
2717 else
2718 {
2727 }
2728 }
2733 {
2742 else
2743 {
2754 }
2755 }
2762 }
2766 /* We may reuse bounds of other pointer we copy/modify. But it is not
2767 allowed for abnormal ssa names. If we produced a pointer using
2768 abnormal ssa name, we better make a bounds copy to avoid coalescing
2769 issues. */
2773 {
2777 }
2783 }
2785 /* Compute bounds for ssa name NODE defined by DEF_STMT pointed by ITER.
2787 There are just few statement codes allowed: NOP (for default ssa names),
2788 ASSIGN, CALL, PHI, ASM.
2790 Return computed bounds. */
2791 static tree
2794 {
2800 {
2806 }
2809 {
2813 {
2819 /* For uninitialized pointers use none bounds. */
2825 {
2826 tree base_type;
2839 }
2844 {
2847 }
2850 }
2865 else
2867 NULL,
2868 CHKP_BOUND_TMP_NAME);
2869 else
2877 /* Created bounds do not have all phi args computed and
2878 therefore we do not know if there is a valid source
2879 of bounds for that node. Therefore we mark bounds
2880 as incomplete and then recompute them when all phi
2881 args are computed. */
2893 }
2896 }
2898 /* Return CALL_EXPR for bndmk with specified LOWER_BOUND and SIZE. */
2899 tree
2901 {
2904 chkp_bndmk_fndecl);
2907 }
2909 /* Create static bounds var of specfified OBJ which is
2910 is either VAR_DECL or string constant. */
2911 static tree
2913 {
2919 tree bnd_var;
2921 /* First check if we already have required var. */
2923 {
2924 /* For vars we use assembler name as a key in
2925 chkp_static_var_bounds map. It allows to
2926 avoid duplicating bound vars for decls
2927 sharing assembler name. */
2929 {
2934 }
2935 else
2936 {
2940 }
2941 }
2943 /* Build decl for bounds var. */
2945 {
2947 {
2950 }
2951 else
2952 {
2955 /* For hidden symbols we want to skip first '*' char. */
2957 var_name++;
2963 }
2967 pointer_bounds_type_node);
2969 /* Address of the obj will be used as lower bound. */
2971 }
2972 else
2973 {
2979 pointer_bounds_type_node);
2980 }
2994 /* Force output similar to constant bounds.
2995 See chkp_make_static_const_bounds. */
2997 /* Mark symbol as requiring bounds initialization. */
3001 /* Add created var to the map to use it for other references
3002 to obj. */
3007 {
3010 }
3011 else
3015 }
3017 /* When var has incomplete type we cannot get size to
3018 compute its bounds. In such cases we use checker
3019 builtin call which determines object size at runtime. */
3020 static tree
3022 {
3024 gimple_stmt_iterator gsi;
3028 /* If instrumentation is not enabled for vars having
3029 incomplete type then just return zero bounds to avoid
3030 checks for this var. */
3035 {
3039 }
3052 {
3053 /* We should check that size relocation was resolved.
3054 If it was not then use maximum possible size for the var. */
3063 }
3064 else
3065 {
3068 }
3076 }
3078 /* Return 1 if TYPE has fields with zero size or fields
3079 marked with chkp_variable_size attribute. */
3080 bool
3082 {
3084 tree field;
3088 {
3090 res = res
3093 }
3094 else
3100 }
3102 /* Compute and return bounds for address of DECL which is
3103 one of VAR_DECL, PARM_DECL, RESULT_DECL. */
3104 static tree
3106 {
3107 tree bounds;
3119 {
3123 }
3125 /* Use zero bounds if size is unknown and checks for
3126 unknown sizes are restricted. */
3141 {
3149 }
3155 {
3158 }
3159 else
3160 {
3163 }
3166 }
3168 /* Compute and return bounds for constant string. */
3169 static tree
3171 {
3172 tree bounds;
3173 tree lb;
3174 tree size;
3185 {
3193 }
3194 else
3195 {
3199 }
3204 }
3206 /* Generate code to instersect bounds BOUNDS1 and BOUNDS2 and
3207 return the result. if ITER is not NULL then Code is inserted
3208 before position pointed by ITER. Otherwise code is added to
3209 entry block. */
3210 static tree
3212 {
3217 else
3218 {
3219 gimple_seq seq;
3221 tree bounds;
3233 /* We are probably doing narrowing for constant expression.
3234 In such case iter may be undefined. */
3236 {
3240 }
3241 else
3245 {
3251 }
3254 }
3255 }
3257 /* Return 1 if we are allowed to narrow bounds for addressed FIELD
3258 and 0 othersize. */
3259 static bool
3261 {
3270 }
3272 /* Return 1 if bounds for FIELD should be narrowed to
3273 field's own size. */
3274 static bool
3276 {
3277 HOST_WIDE_INT offs;
3278 HOST_WIDE_INT bit_offs;
3283 /* Accesse to compiler generated fields should not cause
3284 bounds narrowing. */
3292 && (flag_chkp_first_field_has_own_bounds
3293 || offs
3295 }
3297 /* Perform narrowing for BOUNDS using bounds computed for field
3298 access COMPONENT. ITER meaning is the same as for
3299 chkp_intersect_bounds. */
3300 static tree
3303 {
3307 tree field_bounds;
3312 }
3314 /* Parse field or array access NODE.
3316 PTR ouput parameter holds a pointer to the outermost
3317 object.
3319 BITFIELD output parameter is set to 1 if bitfield is
3320 accessed and to 0 otherwise. If it is 1 then ELT holds
3321 outer component for accessed bit field.
3323 SAFE outer parameter is set to 1 if access is safe and
3324 checks are not required.
3326 BOUNDS outer parameter holds bounds to be used to check
3327 access (may be NULL).
3329 If INNERMOST_BOUNDS is 1 then try to narrow bounds to the
3330 innermost accessed component. */
3331 static void
3338 {
3343 tree var;
3347 /* Compute tree height for expression. */
3353 {
3355 len++;
3356 }
3360 /* It is more convenient for us to scan left-to-right,
3361 so walk tree again and put all node to nodes vector
3362 in reversed order. */
3373 /* To get bitfield address we will need outer elemnt. */
3376 else
3379 /* If we have indirection in expression then compute
3380 outermost structure bounds. Computed bounds may be
3381 narrowed later. */
3383 {
3388 }
3389 else
3390 {
3398 }
3400 /* In this loop we are trying to find a field access
3401 requiring narrowing. There are two simple rules
3402 for search:
3403 1. Leftmost array_ref is chosen if any.
3404 2. Rightmost suitable component_ref is chosen if innermost
3405 bounds are required and no array_ref exists. */
3407 {
3411 {
3415 && !flag_chkp_narrow_to_innermost_arrray
3416 && (!last_comp
3418 {
3421 }
3422 }
3424 {
3428 && !array_ref_found
3434 && flag_chkp_narrow_to_innermost_arrray
3436 {
3440 }
3441 }
3443 /* Nothing to do for it. */
3444 ;
3445 else
3447 }
3454 }
3456 /* Compute and return bounds for address of OBJ. */
3457 static tree
3459 {
3466 {
3479 {
3480 tree elt;
3481 tree ptr;
3489 }
3508 {
3513 }
3517 }
3522 }
3524 /* Compute bounds for pointer PTR loaded from PTR_SRC. Generate statements
3525 to compute bounds if required. Computed bounds should be available at
3526 position pointed by ITER.
3528 If PTR_SRC is NULL_TREE then pointer definition is identified.
3530 If PTR_SRC is not NULL_TREE then ITER points to statements which loads
3531 PTR. If PTR is a any memory reference then ITER points to a statement
3532 after which bndldx will be inserterd. In both cases ITER will be updated
3533 to point to the inserted bndldx statement. */
3535 static tree
3537 {
3550 {
3556 else
3557 {
3560 }
3561 else
3571 {
3575 else
3576 {
3579 }
3580 else
3582 }
3583 else
3584 {
3587 }
3603 {
3605 gphi_iterator phi_iter;
3612 {
3616 {
3618 tree arg_bnd;
3623 /* chkp_get_bounds_by_definition created new phi
3624 statement and phi_iter points to it.
3626 Previous call to chkp_find_bounds could create
3627 new basic block and therefore change phi statement
3628 phi_iter points to. */
3633 UNKNOWN_LOCATION);
3634 }
3636 /* If all bound phi nodes have their arg computed
3637 then we may finish its computation. See
3638 chkp_finish_incomplete_bounds for more details. */
3641 }
3645 }
3655 else
3661 {
3665 }
3668 }
3671 {
3673 {
3676 }
3678 }
3681 }
3683 /* Normal case for bounds search without forced narrowing. */
3684 static tree
3686 {
3688 }
3690 /* Search bounds for pointer PTR loaded from PTR_SRC
3691 by statement *ITER points to. */
3692 static tree
3694 {
3696 }
3698 /* Helper function which checks type of RHS and finds all pointers in
3699 it. For each found pointer we build it's accesses in LHS and RHS
3700 objects and then call HANDLER for them. Function is used to copy
3701 or initilize bounds for copied object. */
3702 static void
3704 assign_handler handler)
3705 {
3708 /* We have nothing to do with clobbers. */
3715 {
3716 tree field;
3719 {
3721 tree val;
3724 {
3726 {
3729 }
3730 }
3731 }
3732 else
3736 {
3740 }
3741 }
3743 {
3750 {
3755 {
3757 {
3763 cur++)
3764 {
3767 }
3768 }
3769 else
3770 {
3772 {
3775 }
3780 }
3781 }
3782 }
3783 /* Copy array only when size is known. */
3786 {
3790 }
3791 }
3792 else
3795 }
3797 /* Add code to copy bounds for assignment of RHS to LHS.
3798 ARG is an iterator pointing ne code position. */
3799 static void
3801 {
3807 }
3809 /* Emit static bound initilizers and size vars. */
3810 void
3812 {
3819 /* Iterate through varpool and generate bounds initialization
3820 constructors for all statically initialized pointers. */
3824 /* Check that var is actually emitted and we need and may initialize
3825 its bounds. */
3831 {
3835 chkp_add_modification_to_stmt_list);
3838 {
3843 }
3844 }
3850 /* Iterate through varpool and generate bounds initialization
3851 constructors for all static bounds vars. */
3858 {
3860 tree var;
3867 }
3875 }
3877 /* An instrumentation function which is called for each statement
3878 having memory access we want to instrument. It inserts check
3879 code and bounds copy code.
3881 ITER points to statement to instrument.
3883 NODE holds memory access in statement to check.
3885 LOC holds the location information for statement.
3887 DIRFLAGS determines whether access is read or write.
3889 ACCESS_OFFS should be added to address used in NODE
3890 before check.
3892 ACCESS_SIZE holds size of checked access.
3894 SAFE indicates if NODE access is safe and should not be
3895 checked. */
3896 static void
3901 {
3909 /* We do not need instrumentation for clobbers. */
3916 {
3919 {
3921 tree elt;
3924 {
3925 /* We are not going to generate any checks, so do not
3926 generate bounds as well. */
3929 }
3934 /* Break if there is no dereference and operation is safe. */
3937 {
3947 addr_first,
3949 }
3950 else
3952 }
3978 {
3997 }
4013 }
4015 /* If addr_last was not computed then use (addr_first + size - 1)
4016 expression to compute it. */
4018 {
4021 }
4023 /* Shift both first_addr and last_addr by access_offs if specified. */
4025 {
4028 }
4030 /* Generate bndcl/bndcu checks if memory access is not safe. */
4032 {
4040 }
4042 /* We need to store bounds in case pointer is stored. */
4046 {
4053 chkp_copy_bounds_for_elem);
4054 else
4055 {
4058 }
4059 }
4060 }
4062 /* Add code to copy bounds for all pointers copied
4063 in ASSIGN created during inline of EDGE. */
4064 void
4066 {
4076 /* We should create edges for all created calls to bndldx and bndstx. */
4078 {
4081 {
4096 }
4098 }
4099 }
4101 /* Some code transformation made during instrumentation pass
4102 may put code into inconsistent state. Here we find and fix
4103 such flaws. */
4104 void
4106 {
4107 basic_block bb;
4108 gimple_stmt_iterator i;
4110 /* We could insert some code right after stmt which ends bb.
4111 We wanted to put this code on fallthru edge but did not
4112 add new edges from the beginning because it may cause new
4113 phi node creation which may be incorrect due to incomplete
4114 bound phi nodes. */
4117 {
4125 {
4132 /* We cannot split abnormal edge. Therefore we
4133 store its params, make it regular and then
4134 rebuild abnormal edge after split. */
4136 {
4141 }
4144 {
4148 }
4152 /* Re-create abnormal edge. */
4155 }
4156 }
4157 }
4159 /* Walker callback for chkp_replace_function_pointers. Replaces
4160 function pointer in the specified operand with pointer to the
4161 instrumented function version. */
4162 static tree
4165 {
4169 /* For builtins we replace pointers only for selected
4170 function and functions having definitions. */
4174 {
4184 }
4187 }
4189 /* This function searches for function pointers in statement
4190 pointed by GSI and replaces them with pointers to instrumented
4191 function versions. */
4192 static void
4194 {
4196 /* For calls we want to walk call args only. */
4198 {
4203 }
4204 else
4206 }
4208 /* This function instruments all statements working with memory,
4209 calls and rets.
4211 It also removes excess statements from static initializers. */
4212 static void
4214 {
4216 gimple_stmt_iterator i;
4221 do
4222 {
4225 {
4228 /* Skip statement marked to not be instrumented. */
4230 {
4233 }
4238 {
4254 {
4257 {
4260 integer_zero_node,
4263 /* Additionally we need to add bounds
4264 to return statement. */
4266 }
4267 }
4275 ;
4276 }
4280 /* We do not need any actual pointer stores in checker
4281 static initializer. */
4285 {
4290 }
4291 }
4293 }
4296 /* Some input params may have bounds and be address taken. In this case
4297 we should store incoming bounds into bounds table. */
4298 tree arg;
4302 {
4304 {
4307 gimple_stmt_iterator iter
4313 /* Skip bounds arg. */
4315 }
4317 {
4320 gimple_stmt_iterator iter
4322 bitmap_iterator bi;
4328 {
4338 }
4340 }
4341 }
4342 }
4344 /* Find init/null/copy_ptr_bounds calls and replace them
4345 with assignments. It should allow better code
4346 optimization. */
4348 static void
4350 {
4351 basic_block bb;
4352 gimple_stmt_iterator gsi;
4355 {
4357 {
4359 tree fndecl;
4362 /* Find builtins returning first arg and replace
4363 them with assignments. */
4372 {
4377 }
4378 }
4379 }
4380 }
4382 /* Initialize pass. */
4383 static void
4385 {
4386 basic_block bb;
4387 gimple_stmt_iterator i;
4416 /* We create these constant bounds once for each object file.
4417 These symbols go to comdat section and result in single copy
4418 of each one in the final binary. */
4426 }
4428 /* Finalize instrumentation pass. */
4429 static void
4431 {
4447 }
4449 /* Main instrumentation pass function. */
4450 static unsigned int
4452 {
4466 }
4468 /* Instrumentation pass gate. */
4469 static bool
4471 {
4476 }
4481 {
4490 TODO_verify_il
4492 };
4495 {
4499 {}
4501 /* opt_pass methods: */
4503 {
4505 }
4508 {
4510 }
4513 {
4515 }
4521 gimple_opt_pass *
4523 {
4525 }