| blob | 7eecbc8972db73c5c41fa178950530aafcf2aa1d |
1 /* Pointer Bounds Checker insrumentation pass.
2 Copyright (C) 2014-2017 Free Software Foundation, Inc.
3 Contributed by Ilya Enkovich (ilya.enkovich@intel.com)
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
56 /* Pointer Bounds Checker instruments code with memory checks to find
57 out-of-bounds memory accesses. Checks are performed by computing
58 bounds for each pointer and then comparing address of accessed
59 memory before pointer dereferencing.
61 1. Function clones.
63 See ipa-chkp.c.
65 2. Instrumentation.
67 There are few things to instrument:
69 a) Memory accesses - add checker calls to check address of accessed memory
70 against bounds of dereferenced pointer. Obviously safe memory
71 accesses like static variable access does not have to be instrumented
72 with checks.
74 Example:
76 val_2 = *p_1;
78 with 4 bytes access is transformed into:
80 __builtin___chkp_bndcl (__bound_tmp.1_3, p_1);
81 D.1_4 = p_1 + 3;
82 __builtin___chkp_bndcu (__bound_tmp.1_3, D.1_4);
83 val_2 = *p_1;
85 where __bound_tmp.1_3 are bounds computed for pointer p_1,
86 __builtin___chkp_bndcl is a lower bound check and
87 __builtin___chkp_bndcu is an upper bound check.
89 b) Pointer stores.
91 When pointer is stored in memory we need to store its bounds. To
92 achieve compatibility of instrumented code with regular codes
93 we have to keep data layout and store bounds in special bound tables
94 via special checker call. Implementation of bounds table may vary for
95 different platforms. It has to associate pointer value and its
96 location (it is required because we may have two equal pointers
97 with different bounds stored in different places) with bounds.
98 Another checker builtin allows to get bounds for specified pointer
99 loaded from specified location.
101 Example:
103 buf1[i_1] = &buf2;
105 is transformed into:
107 buf1[i_1] = &buf2;
108 D.1_2 = &buf1[i_1];
109 __builtin___chkp_bndstx (D.1_2, &buf2, __bound_tmp.1_2);
111 where __bound_tmp.1_2 are bounds of &buf2.
113 c) Static initialization.
115 The special case of pointer store is static pointer initialization.
116 Bounds initialization is performed in a few steps:
117 - register all static initializations in front-end using
118 chkp_register_var_initializer
119 - when file compilation finishes we create functions with special
120 attribute 'chkp ctor' and put explicit initialization code
121 (assignments) for all statically initialized pointers.
122 - when checker constructor is compiled checker pass adds required
123 bounds initialization for all statically initialized pointers
124 - since we do not actually need excess pointers initialization
125 in checker constructor we remove such assignments from them
127 d) Calls.
129 For each call in the code we add additional arguments to pass
130 bounds for pointer arguments. We determine type of call arguments
131 using arguments list from function declaration; if function
132 declaration is not available we use function type; otherwise
133 (e.g. for unnamed arguments) we use type of passed value. Function
134 declaration/type is replaced with the instrumented one.
136 Example:
138 val_1 = foo (&buf1, &buf2, &buf1, 0);
140 is translated into:
142 val_1 = foo.chkp (&buf1, __bound_tmp.1_2, &buf2, __bound_tmp.1_3,
143 &buf1, __bound_tmp.1_2, 0);
145 e) Returns.
147 If function returns a pointer value we have to return bounds also.
148 A new operand was added for return statement to hold returned bounds.
150 Example:
152 return &_buf1;
154 is transformed into
156 return &_buf1, __bound_tmp.1_1;
158 3. Bounds computation.
160 Compiler is fully responsible for computing bounds to be used for each
161 memory access. The first step for bounds computation is to find the
162 origin of pointer dereferenced for memory access. Basing on pointer
163 origin we define a way to compute its bounds. There are just few
164 possible cases:
166 a) Pointer is returned by call.
168 In this case we use corresponding checker builtin method to obtain returned
169 bounds.
171 Example:
173 buf_1 = malloc (size_2);
174 foo (buf_1);
176 is translated into:
178 buf_1 = malloc (size_2);
179 __bound_tmp.1_3 = __builtin___chkp_bndret (buf_1);
180 foo (buf_1, __bound_tmp.1_3);
182 b) Pointer is an address of an object.
184 In this case compiler tries to compute objects size and create corresponding
185 bounds. If object has incomplete type then special checker builtin is used to
186 obtain its size at runtime.
188 Example:
190 foo ()
191 {
192 <unnamed type> __bound_tmp.3;
193 static int buf[100];
195 <bb 3>:
196 __bound_tmp.3_2 = __builtin___chkp_bndmk (&buf, 400);
198 <bb 2>:
199 return &buf, __bound_tmp.3_2;
200 }
202 Example:
204 Address of an object 'extern int buf[]' with incomplete type is
205 returned.
207 foo ()
208 {
209 <unnamed type> __bound_tmp.4;
210 long unsigned int __size_tmp.3;
212 <bb 3>:
213 __size_tmp.3_4 = __builtin_ia32_sizeof (buf);
214 __bound_tmp.4_3 = __builtin_ia32_bndmk (&buf, __size_tmp.3_4);
216 <bb 2>:
217 return &buf, __bound_tmp.4_3;
218 }
220 c) Pointer is the result of object narrowing.
222 It happens when we use pointer to an object to compute pointer to a part
223 of an object. E.g. we take pointer to a field of a structure. In this
224 case we perform bounds intersection using bounds of original object and
225 bounds of object's part (which are computed basing on its type).
227 There may be some debatable questions about when narrowing should occur
228 and when it should not. To avoid false bound violations in correct
229 programs we do not perform narrowing when address of an array element is
230 obtained (it has address of the whole array) and when address of the first
231 structure field is obtained (because it is guaranteed to be equal to
232 address of the whole structure and it is legal to cast it back to structure).
234 Default narrowing behavior may be changed using compiler flags.
236 Example:
238 In this example address of the second structure field is returned.
240 foo (struct A * p, __bounds_type __bounds_of_p)
241 {
242 <unnamed type> __bound_tmp.3;
243 int * _2;
244 int * _5;
246 <bb 2>:
247 _5 = &p_1(D)->second_field;
248 __bound_tmp.3_6 = __builtin___chkp_bndmk (_5, 4);
249 __bound_tmp.3_8 = __builtin___chkp_intersect (__bound_tmp.3_6,
250 __bounds_of_p_3(D));
251 _2 = &p_1(D)->second_field;
252 return _2, __bound_tmp.3_8;
253 }
255 Example:
257 In this example address of the first field of array element is returned.
259 foo (struct A * p, __bounds_type __bounds_of_p, int i)
260 {
261 long unsigned int _3;
262 long unsigned int _4;
263 struct A * _6;
264 int * _7;
266 <bb 2>:
267 _3 = (long unsigned int) i_1(D);
268 _4 = _3 * 8;
269 _6 = p_5(D) + _4;
270 _7 = &_6->first_field;
271 return _7, __bounds_of_p_2(D);
272 }
275 d) Pointer is the result of pointer arithmetic or type cast.
277 In this case bounds of the base pointer are used. In case of binary
278 operation producing a pointer we are analyzing data flow further
279 looking for operand's bounds. One operand is considered as a base
280 if it has some valid bounds. If we fall into a case when none of
281 operands (or both of them) has valid bounds, a default bounds value
282 is used.
284 Trying to find out bounds for binary operations we may fall into
285 cyclic dependencies for pointers. To avoid infinite recursion all
286 walked phi nodes instantly obtain corresponding bounds but created
287 bounds are marked as incomplete. It helps us to stop DF walk during
288 bounds search.
290 When we reach pointer source, some args of incomplete bounds phi obtain
291 valid bounds and those values are propagated further through phi nodes.
292 If no valid bounds were found for phi node then we mark its result as
293 invalid bounds. Process stops when all incomplete bounds become either
294 valid or invalid and we are able to choose a pointer base.
296 e) Pointer is loaded from the memory.
298 In this case we just need to load bounds from the bounds table.
300 Example:
302 foo ()
303 {
304 <unnamed type> __bound_tmp.3;
305 static int * buf;
306 int * _2;
308 <bb 2>:
309 _2 = buf;
310 __bound_tmp.3_4 = __builtin___chkp_bndldx (&buf, _2);
311 return _2, __bound_tmp.3_4;
312 }
314 */
329 #define chkp_bndldx_fndecl \
330 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDLDX))
331 #define chkp_bndstx_fndecl \
332 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDSTX))
333 #define chkp_checkl_fndecl \
334 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDCL))
335 #define chkp_checku_fndecl \
336 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDCU))
337 #define chkp_bndmk_fndecl \
338 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDMK))
339 #define chkp_ret_bnd_fndecl \
340 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDRET))
341 #define chkp_intersect_fndecl \
342 (targetm.builtin_chkp_function (BUILT_IN_CHKP_INTERSECT))
343 #define chkp_narrow_bounds_fndecl \
344 (targetm.builtin_chkp_function (BUILT_IN_CHKP_NARROW))
345 #define chkp_sizeof_fndecl \
346 (targetm.builtin_chkp_function (BUILT_IN_CHKP_SIZEOF))
347 #define chkp_extract_lower_fndecl \
348 (targetm.builtin_chkp_function (BUILT_IN_CHKP_EXTRACT_LOWER))
349 #define chkp_extract_upper_fndecl \
350 (targetm.builtin_chkp_function (BUILT_IN_CHKP_EXTRACT_UPPER))
384 /* Static checker constructors may become very large and their
385 compilation with optimization may take too much time.
386 Therefore we put a limit to number of statements in one
387 constructor. Tests with 100 000 statically initialized
388 pointers showed following compilation times on Sandy Bridge
389 server (used -O2):
390 limit 100 => ~18 sec.
391 limit 300 => ~22 sec.
392 limit 1000 => ~30 sec.
393 limit 3000 => ~49 sec.
394 limit 5000 => ~55 sec.
395 limit 10000 => ~76 sec.
396 limit 100000 => ~532 sec. */
397 #define MAX_STMTS_IN_STATIC_CHKP_CTOR (PARAM_VALUE (PARAM_CHKP_MAX_CTOR_SIZE))
399 struct chkp_ctor_stmt_list
400 {
401 tree stmts;
403 };
405 /* Return 1 if function FNDECL is instrumented by Pointer
406 Bounds Checker. */
407 bool
409 {
410 return fndecl
412 }
414 /* Mark function FNDECL as instrumented. */
415 void
417 {
424 }
426 /* Return true when STMT is builtin call to instrumentation function
427 corresponding to CODE. */
429 bool
432 {
433 tree fndecl;
440 }
442 /* Emit code to build zero bounds and return RTL holding
443 the result. */
444 rtx
446 {
447 tree zero_bnd;
451 else
453 integer_zero_node);
455 }
457 /* Emit code to store zero bounds for PTR located at MEM. */
458 void
460 {
465 else
467 integer_zero_node);
476 }
478 /* Build retbnd call for returned value RETVAL.
480 If BNDVAL is not NULL then result is stored
481 in it. Otherwise a temporary is created to
482 hold returned value.
484 GSI points to a position for a retbnd call
485 and is set to created stmt.
487 Cgraph edge is created for a new call if
488 UPDATE_EDGE is 1.
490 Obtained bounds are returned. */
491 tree
494 {
505 }
507 /* Build a GIMPLE_CALL identical to CALL but skipping bounds
508 arguments. */
510 gcall *
512 {
513 bitmap bounds;
531 }
533 /* Redirect edge E to the correct node according to call_stmt.
534 Return 1 if bounds removal from call_stmt should be done
535 instead of redirection. */
537 bool
539 {
555 {
558 else
559 {
561 /* Avoid bounds removal if all args will be removed. */
564 else
566 }
567 }
570 }
572 /* Mark statement S to not be instrumented. */
573 static void
575 {
577 }
579 /* Mark statement S to be instrumented. */
580 static void
582 {
584 }
586 /* Return 1 if statement S should not be instrumented. */
587 static bool
589 {
591 }
593 /* Get var to be used for bound temps. */
594 static tree
596 {
601 }
603 /* Get SSA_NAME to be used as temp. */
604 static tree
606 {
611 CHKP_BOUND_TMP_NAME);
612 }
614 /* Get var to be used for size temps. */
615 static tree
617 {
622 }
624 /* Register bounds BND for address of OBJ. */
625 static void
627 {
634 {
640 }
641 }
643 /* Return bounds registered for address of OBJ. */
644 static tree
646 {
649 }
651 /* Mark BOUNDS as completed. */
652 static void
654 {
658 {
662 }
663 }
665 /* Return 1 if BOUNDS were marked as completed and 0 otherwise. */
666 static bool
668 {
670 }
672 /* Clear comleted bound marks. */
673 static void
675 {
678 }
680 /* Mark BOUNDS associated with PTR as incomplete. */
681 static void
683 {
687 {
693 }
694 }
696 /* Return 1 if BOUNDS are incomplete and 0 otherwise. */
697 static bool
699 {
707 }
709 /* Clear incomleted bound marks. */
710 static void
712 {
715 }
717 /* Build and return bndmk call which creates bounds for structure
718 pointed by PTR. Structure should have complete type. */
719 tree
721 {
723 tree size;
734 }
736 /* Traversal function for chkp_may_finish_incomplete_bounds.
737 Set RES to 0 if at least one argument of phi statement
738 defining bounds (passed in KEY arg) is unknown.
739 Traversal stops when first unknown phi argument is found. */
740 bool
743 {
754 {
757 {
759 /* Do not need to traverse further. */
761 }
762 }
765 }
767 /* Return 1 if all phi nodes created for bounds have their
768 arguments computed. */
769 static bool
771 {
774 chkp_incomplete_bounds_map
778 }
780 /* Helper function for chkp_finish_incomplete_bounds.
781 Recompute args for bounds phi node. */
782 bool
785 {
798 {
804 UNKNOWN_LOCATION);
805 }
808 }
810 /* Mark BOUNDS as invalid. */
811 static void
813 {
817 {
821 }
822 }
824 /* Return 1 if BOUNDS were marked as invalid and 0 otherwise. */
825 static bool
827 {
832 }
834 /* Helper function for chkp_finish_incomplete_bounds.
835 Check all arguments of phi nodes trying to find
836 valid completed bounds. If there is at least one
837 such arg then bounds produced by phi node are marked
838 as valid completed bounds and all phi args are
839 recomputed. */
840 bool
842 {
856 {
862 {
867 }
868 }
871 }
873 /* Helper function for chkp_finish_incomplete_bounds.
874 Marks all incompleted bounds as invalid. */
875 bool
879 {
881 {
884 }
886 }
888 /* When all bound phi nodes have all their args computed
889 we have enough info to find valid bounds. We iterate
890 through all incompleted bounds searching for valid
891 bounds. Found valid bounds are marked as completed
892 and all remaining incompleted bounds are recomputed.
893 Process continues until no new valid bounds may be
894 found. All remained incompleted bounds are marked as
895 invalid (i.e. have no valid source of bounds). */
896 static void
898 {
902 {
905 chkp_incomplete_bounds_map->
909 chkp_incomplete_bounds_map->
911 }
913 chkp_incomplete_bounds_map->
915 chkp_incomplete_bounds_map->
920 }
922 /* Return 1 if type TYPE is a pointer type or a
923 structure having a pointer type as one of its fields.
924 Otherwise return 0. */
925 bool
927 {
933 {
934 tree field;
939 }
944 }
946 unsigned
948 {
956 {
957 bitmap have_bound;
965 }
968 }
970 /* Get bounds associated with NODE via
971 chkp_set_bounds call. */
972 tree
974 {
982 }
984 /* Associate bounds VAL with NODE. */
985 void
987 {
992 }
994 /* Check if statically initialized variable VAR require
995 static bounds initialization. If VAR is added into
996 bounds initlization list then 1 is returned. Otherwise
997 return 0. */
1000 {
1010 {
1013 }
1016 }
1018 /* Helper function for chkp_finish_file.
1020 Add new modification statement (RHS is assigned to LHS)
1021 into list of static initializer statementes (passed in ARG).
1022 If statements list becomes too big, emit checker constructor
1023 and start the new one. */
1024 static void
1026 tree rhs,
1028 {
1030 tree modify;
1039 }
1041 /* Build and return ADDR_EXPR for specified object OBJ. */
1042 static tree
1044 {
1048 }
1050 /* Helper function for chkp_finish_file.
1051 Initialize bound variable BND_VAR with bounds of variable
1052 VAR to statements list STMTS. If statements list becomes
1053 too big, emit checker constructor and start the new one. */
1054 static void
1057 {
1061 {
1064 }
1067 {
1068 /* Compute bounds using statically known size. */
1071 }
1072 else
1073 {
1074 /* Compute bounds using dynamic size. */
1075 tree call;
1080 chkp_sizeof_fndecl);
1085 {
1091 }
1094 }
1100 {
1105 }
1106 }
1108 /* Return entry block to be used for checker initilization code.
1109 Create new block if required. */
1110 static basic_block
1112 {
1114 entry_block
1118 }
1120 /* Return a bounds var to be used for pointer var PTR_VAR. */
1121 static tree
1123 {
1124 tree bnd_var;
1130 else
1131 {
1133 CHKP_BOUND_TMP_NAME);
1135 }
1138 }
1140 /* If BND is an abnormal bounds copy, return a copied value.
1141 Otherwise return BND. */
1142 static tree
1144 {
1146 {
1150 }
1153 }
1155 /* Register bounds BND for object PTR in global bounds table.
1156 A copy of bounds may be created for abnormal ssa names.
1157 Returns bounds to use for PTR. */
1158 static tree
1160 {
1166 /* Do nothing if bounds are incomplete_bounds
1167 because it means bounds will be recomputed. */
1175 /* A single bounds value may be reused multiple times for
1176 different pointer values. It may cause coalescing issues
1177 for abnormal SSA names. To avoid it we create a bounds
1178 copy in case it is computed for abnormal SSA name.
1180 We also cannot reuse such created copies for other pointers */
1183 {
1187 {
1190 }
1191 else
1194 /* For abnormal copies we may just find original
1195 bounds and use them. */
1198 /* For undefined values we usually use none bounds
1199 value but in case of abnormal edge it may cause
1200 coalescing failures. Use default definition of
1201 bounds variable instead to avoid it. */
1204 {
1208 {
1214 }
1215 }
1216 else
1217 {
1218 tree copy;
1221 gimple_stmt_iterator gsi;
1225 else
1227 NULL,
1228 CHKP_BOUND_TMP_NAME);
1233 {
1239 }
1242 {
1246 else
1248 }
1249 else
1250 {
1252 /* Sometimes (e.g. when we load a pointer from a
1253 memory) bounds are produced later than a pointer.
1254 We need to insert bounds copy appropriately. */
1258 else
1261 }
1264 }
1268 }
1273 {
1279 }
1282 }
1284 /* Get bounds registered for object PTR in global bounds table. */
1285 static tree
1287 {
1295 }
1297 /* Add bound retvals to return statement pointed by GSI. */
1299 static void
1301 {
1305 tree bounds;
1311 {
1315 }
1318 }
1320 /* Force OP to be suitable for using as an argument for call.
1321 New statements (if any) go to SEQ. */
1322 static tree
1324 {
1325 gimple_seq stmts;
1326 gimple_stmt_iterator si;
1336 }
1338 /* Generate lower bound check for memory access by ADDR.
1339 Check is inserted before the position pointed by ITER.
1340 DIRFLAG indicates whether memory access is load or store. */
1341 static void
1343 gimple_stmt_iterator iter,
1344 location_t location,
1345 tree dirflag)
1346 {
1347 gimple_seq seq;
1349 tree node;
1376 {
1382 }
1383 }
1385 /* Generate upper bound check for memory access by ADDR.
1386 Check is inserted before the position pointed by ITER.
1387 DIRFLAG indicates whether memory access is load or store. */
1388 static void
1390 gimple_stmt_iterator iter,
1391 location_t location,
1392 tree dirflag)
1393 {
1394 gimple_seq seq;
1396 tree node;
1423 {
1429 }
1430 }
1432 /* Generate lower and upper bound checks for memory access
1433 to memory slot [FIRST, LAST] againsr BOUNDS. Checks
1434 are inserted before the position pointed by ITER.
1435 DIRFLAG indicates whether memory access is load or store. */
1436 void
1438 gimple_stmt_iterator iter,
1439 location_t location,
1440 tree dirflag)
1441 {
1444 }
1446 /* Replace call to _bnd_chk_* pointed by GSI with
1447 bndcu and bndcl calls. DIRFLAG determines whether
1448 check is for read or write. */
1450 void
1452 tree dirflag)
1453 {
1468 {
1473 }
1476 }
1478 /* Replace call to _bnd_get_ptr_* pointed by GSI with
1479 corresponding bounds extract call. */
1481 void
1483 {
1494 else
1502 }
1504 /* Return COMPONENT_REF accessing FIELD in OBJ. */
1505 static tree
1507 {
1508 tree res;
1510 /* If object is TMR then we do not use component_ref but
1511 add offset instead. We need it to be able to get addr
1512 of the reasult later. */
1514 {
1524 }
1525 else
1529 }
1531 /* Return ARRAY_REF for array ARR and index IDX with
1532 specified element type ETYPE and element size ESIZE. */
1533 static tree
1536 {
1538 tree res;
1540 /* If object is TMR then we do not use array_ref but
1541 add offset instead. We need it to be able to get addr
1542 of the reasult later. */
1544 {
1558 }
1559 else
1563 }
1565 /* Helper function for chkp_add_bounds_to_call_stmt.
1566 Fill ALL_BOUNDS output array with created bounds.
1568 OFFS is used for recursive calls and holds basic
1569 offset of TYPE in outer structure in bits.
1571 ITER points a position where bounds are searched.
1573 ALL_BOUNDS[i] is filled with elem bounds if there
1574 is a field in TYPE which has pointer type and offset
1575 equal to i * POINTER_SIZE in bits. */
1576 static void
1578 HOST_WIDE_INT offs,
1580 {
1584 {
1586 {
1589 gimple_stmt_iterator gsi;
1595 }
1596 }
1598 {
1599 tree field;
1603 {
1606 HOST_WIDE_INT field_offs
1613 }
1614 }
1616 {
1626 {
1630 cur);
1632 iter);
1633 }
1634 }
1635 }
1637 /* Fill HAVE_BOUND output bitmap with information about
1638 bounds requred for object of type TYPE.
1640 OFFS is used for recursive calls and holds basic
1641 offset of TYPE in outer structure in bits.
1643 HAVE_BOUND[i] is set to 1 if there is a field
1644 in TYPE which has pointer type and offset
1645 equal to i * POINTER_SIZE - OFFS in bits. */
1646 void
1648 HOST_WIDE_INT offs)
1649 {
1653 {
1654 tree field;
1658 {
1666 }
1667 }
1669 {
1670 /* The object type is an array of complete type, i.e., other
1671 than a flexible array. */
1684 }
1685 }
1687 /* Fill bitmap RES with information about bounds for
1688 type TYPE. See chkp_find_bound_slots_1 for more
1689 details. */
1690 void
1692 {
1695 }
1697 /* Return 1 if call to FNDECL should be instrumented
1698 and 0 otherwise. */
1700 static bool
1702 {
1704 {
1738 }
1739 }
1741 /* Add bound arguments to call statement pointed by GSI.
1742 Also performs a replacement of user checker builtins calls
1743 with internal ones. */
1745 static void
1747 {
1751 tree fntype;
1752 tree first_formal_arg;
1753 tree arg;
1755 tree op;
1756 ssa_op_iter iter;
1759 /* Do nothing for internal functions. */
1765 /* Do nothing if back-end builtin is called. */
1769 /* Do nothing for some middle-end builtins. */
1774 /* Do nothing for calls to not instrumentable functions. */
1778 /* Ignore CHKP_INIT_PTR_BOUNDS, CHKP_NULL_PTR_BOUNDS
1779 and CHKP_COPY_PTR_BOUNDS. */
1787 /* Check user builtins are replaced with checks. */
1792 {
1795 }
1797 /* Check user builtins are replaced with bound extract. */
1801 {
1804 }
1806 /* BUILT_IN_CHKP_NARROW_PTR_BOUNDS call is replaced with
1807 target narrow bounds call. */
1810 {
1819 }
1821 /* BUILT_IN_CHKP_STORE_PTR_BOUNDS call is replaced with
1822 bndstx call. */
1825 {
1835 }
1840 /* We instrument only some subset of builtins. We also instrument
1841 builtin calls to be inlined. */
1845 {
1853 }
1855 /* If function decl is available then use it for
1856 formal arguments list. Otherwise use function type. */
1861 else
1862 {
1865 }
1867 /* Fill vector of new call args. */
1872 {
1874 tree type;
1876 /* Get arg type using formal argument description
1877 or actual argument type. */
1881 {
1884 }
1885 else
1887 else
1888 {
1891 }
1892 else
1901 {
1902 HOST_WIDE_INT max_bounds
1905 HOST_WIDE_INT bnd_no;
1916 }
1917 }
1921 else
1922 {
1927 }
1930 /* For direct calls fndecl is replaced with instrumented version. */
1932 {
1935 /* In case of a type cast we should modify used function
1936 type instead of using type of new fndecl. */
1938 {
1942 }
1943 else
1945 }
1946 /* For indirect call we should fix function pointer type if
1947 pass some bounds. */
1949 {
1953 }
1955 /* replace old call statement with the new one. */
1957 {
1959 {
1961 }
1963 }
1964 else
1968 }
1970 /* Return constant static bounds var with specified bounds LB and UB.
1971 If such var does not exists then new var is created with specified NAME. */
1972 static tree
1974 HOST_WIDE_INT ub,
1976 {
1978 tree var;
1983 pointer_bounds_type_node);
1987 /* With LTO we may have constant bounds already in varpool.
1988 Try to find it. */
1990 {
1991 /* We don't allow this symbol usage for non bounds. */
1999 }
2008 /* We may use this symbol during ctors generation in chkp_finish_file
2009 when all symbols are emitted. Force output to avoid undefined
2010 symbols in ctors. */
2017 }
2019 /* Generate code to make bounds with specified lower bound LB and SIZE.
2020 if AFTER is 1 then code is inserted after position pointed by ITER
2021 otherwise code is inserted before position pointed by ITER.
2022 If ITER is NULL then code is added to entry block. */
2023 static tree
2025 {
2026 gimple_seq seq;
2027 gimple_stmt_iterator gsi;
2029 tree bounds;
2033 else
2051 else
2055 {
2059 {
2062 }
2063 else
2065 }
2067 /* update_stmt (stmt); */
2070 }
2072 /* Return var holding zero bounds. */
2073 tree
2075 {
2077 chkp_zero_bounds_var
2079 CHKP_ZERO_BOUNDS_VAR_NAME);
2081 }
2083 /* Return var holding none bounds. */
2084 tree
2086 {
2088 chkp_none_bounds_var
2090 CHKP_NONE_BOUNDS_VAR_NAME);
2092 }
2094 /* Return SSA_NAME used to represent zero bounds. */
2095 static tree
2097 {
2106 {
2113 }
2114 else
2116 integer_zero_node,
2117 NULL,
2121 }
2123 /* Return SSA_NAME used to represent none bounds. */
2124 static tree
2126 {
2136 {
2143 }
2144 else
2147 NULL,
2151 }
2153 /* Return bounds to be used as a result of operation which
2154 should not create poiunter (e.g. MULT_EXPR). */
2155 static tree
2157 {
2159 }
2161 /* Return bounds to be used for loads of non-pointer values. */
2162 static tree
2164 {
2166 }
2168 /* Return 1 if may use bndret call to get bounds for pointer
2169 returned by CALL. */
2170 static bool
2172 {
2174 {
2178 }
2196 {
2205 }
2208 }
2210 /* Build bounds returned by CALL. */
2211 static tree
2213 {
2214 gimple_stmt_iterator gsi;
2215 tree bounds;
2220 /* To avoid fixing alloca expands in targets we handle
2221 it separately. */
2226 {
2231 }
2232 /* We know bounds returned by set_bounds builtin call. */
2236 {
2241 }
2242 /* Detect bounds initialization calls. */
2247 /* Detect bounds nullification calls. */
2252 /* Detect bounds copy calls. */
2256 {
2259 }
2260 /* Do not use retbnd when returned bounds are equal to some
2261 of passed bounds. */
2264 {
2268 {
2271 {
2273 retarg--;
2274 else
2276 }
2277 }
2278 else
2282 }
2284 {
2287 /* In general case build checker builtin call to
2288 obtain returned bounds. */
2300 }
2301 else
2305 {
2310 }
2315 }
2317 /* Return bounds used as returned by call
2318 which produced SSA name VAL. */
2319 gcall *
2321 {
2327 imm_use_iterator use_iter;
2328 use_operand_p use_p;
2334 }
2336 /* Check the next parameter for the given PARM is bounds
2337 and return it's default SSA_NAME (create if required). */
2338 static tree
2340 {
2345 {
2348 }
2350 }
2352 /* Return bounds to be used for input argument PARM. */
2353 static tree
2355 {
2357 tree bounds;
2367 {
2370 /* For static chain param we return zero bounds
2371 because currently we do not check dereferences
2372 of this pointer. */
2375 /* If non instrumented runtime is used then it may be useful
2376 to use zero bounds for input arguments of main
2377 function. */
2383 {
2388 {
2393 }
2394 }
2395 else
2397 }
2403 {
2411 }
2414 }
2416 /* Build and return CALL_EXPR for bndstx builtin with specified
2417 arguments. */
2418 tree
2420 {
2423 chkp_bndldx_fndecl);
2428 }
2430 /* Insert code to load bounds for PTR located by ADDR.
2431 Code is inserted after position pointed by GSI.
2432 Loaded bounds are returned. */
2433 static tree
2435 {
2436 gimple_seq seq;
2438 tree bounds;
2455 {
2460 }
2463 }
2465 /* Build and return CALL_EXPR for bndstx builtin with specified
2466 arguments. */
2467 tree
2469 {
2472 chkp_bndstx_fndecl);
2477 }
2479 /* Insert code to store BOUNDS for PTR stored by ADDR.
2480 New statements are inserted after position pointed
2481 by GSI. */
2482 void
2485 {
2486 gimple_seq seq;
2503 {
2507 }
2508 }
2510 /* This function is called when call statement
2511 is inlined and therefore we can't use bndret
2512 for its LHS anymore. Function fixes bndret
2513 call using new RHS value if possible. */
2514 void
2516 {
2523 /* Search for retbnd call. */
2528 /* Currently only handle cases when call is replaced
2529 with a memory access. In this case bndret call
2530 may be replaced with bndldx call. Otherwise we
2531 have to search for bounds which may cause wrong
2532 result due to various optimizations applied. */
2534 {
2555 }
2557 /* Create a new statements sequence with bndldx call. */
2563 /* Remove bndret call. */
2568 /* Link new bndldx call. */
2571 }
2573 /* Compute bounds for pointer NODE which was assigned in
2574 assignment statement ASSIGN. Return computed bounds. */
2575 static tree
2577 {
2585 {
2588 }
2591 {
2596 /* We need to load bounds from the bounds table. */
2607 /* Bounds are just propagated from RHS. */
2613 /* Bounds are just propagated from RHS. */
2619 {
2620 /* We need to load bounds from the bounds table. */
2624 }
2625 else
2634 {
2639 /* First we try to check types of operands. If it
2640 does not help then look at bound values.
2642 If some bounds are incomplete and other are
2643 not proven to be valid (i.e. also incomplete
2644 or invalid because value is not pointer) then
2645 resulting value is incomplete and will be
2646 recomputed later in chkp_finish_incomplete_bounds. */
2658 else
2664 else
2671 else
2675 else
2676 /* Seems both operands may have valid bounds
2677 (e.g. pointer minus pointer). In such case
2678 use default invalid op bounds. */
2682 }
2712 /* No valid bounds may be produced by these exprs. */
2717 {
2728 else
2729 {
2738 }
2739 }
2744 {
2753 else
2754 {
2765 }
2766 }
2773 }
2777 /* We may reuse bounds of other pointer we copy/modify. But it is not
2778 allowed for abnormal ssa names. If we produced a pointer using
2779 abnormal ssa name, we better make a bounds copy to avoid coalescing
2780 issues. */
2784 {
2788 }
2794 }
2796 /* Compute bounds for ssa name NODE defined by DEF_STMT pointed by ITER.
2798 There are just few statement codes allowed: NOP (for default ssa names),
2799 ASSIGN, CALL, PHI, ASM.
2801 Return computed bounds. */
2802 static tree
2805 {
2811 {
2817 }
2820 {
2824 {
2830 /* For uninitialized pointers use none bounds. */
2836 {
2837 tree base_type;
2850 }
2855 {
2858 }
2861 }
2876 else
2878 NULL,
2879 CHKP_BOUND_TMP_NAME);
2880 else
2888 /* Created bounds do not have all phi args computed and
2889 therefore we do not know if there is a valid source
2890 of bounds for that node. Therefore we mark bounds
2891 as incomplete and then recompute them when all phi
2892 args are computed. */
2904 }
2907 }
2909 /* Return CALL_EXPR for bndmk with specified LOWER_BOUND and SIZE. */
2910 tree
2912 {
2915 chkp_bndmk_fndecl);
2918 }
2920 /* Create static bounds var of specfified OBJ which is
2921 is either VAR_DECL or string constant. */
2922 static tree
2924 {
2930 tree bnd_var;
2932 /* First check if we already have required var. */
2934 {
2935 /* For vars we use assembler name as a key in
2936 chkp_static_var_bounds map. It allows to
2937 avoid duplicating bound vars for decls
2938 sharing assembler name. */
2940 {
2945 }
2946 else
2947 {
2951 }
2952 }
2954 /* Build decl for bounds var. */
2956 {
2958 {
2961 }
2962 else
2963 {
2966 /* For hidden symbols we want to skip first '*' char. */
2968 var_name++;
2974 }
2978 pointer_bounds_type_node);
2980 /* Address of the obj will be used as lower bound. */
2982 }
2983 else
2984 {
2990 pointer_bounds_type_node);
2991 }
3005 /* Force output similar to constant bounds.
3006 See chkp_make_static_const_bounds. */
3008 /* Mark symbol as requiring bounds initialization. */
3012 /* Add created var to the map to use it for other references
3013 to obj. */
3018 {
3021 }
3022 else
3026 }
3028 /* When var has incomplete type we cannot get size to
3029 compute its bounds. In such cases we use checker
3030 builtin call which determines object size at runtime. */
3031 static tree
3033 {
3035 gimple_stmt_iterator gsi;
3039 /* If instrumentation is not enabled for vars having
3040 incomplete type then just return zero bounds to avoid
3041 checks for this var. */
3046 {
3050 }
3063 {
3064 /* We should check that size relocation was resolved.
3065 If it was not then use maximum possible size for the var. */
3074 }
3075 else
3076 {
3079 }
3087 }
3089 /* Return 1 if TYPE has fields with zero size or fields
3090 marked with chkp_variable_size attribute. */
3091 bool
3093 {
3095 tree field;
3099 {
3101 res = res
3104 }
3105 else
3111 }
3113 /* Compute and return bounds for address of DECL which is
3114 one of VAR_DECL, PARM_DECL, RESULT_DECL. */
3115 static tree
3117 {
3118 tree bounds;
3130 {
3134 }
3136 /* Use zero bounds if size is unknown and checks for
3137 unknown sizes are restricted. */
3152 {
3160 }
3166 {
3169 }
3170 else
3171 {
3174 }
3177 }
3179 /* Compute and return bounds for constant string. */
3180 static tree
3182 {
3183 tree bounds;
3184 tree lb;
3185 tree size;
3196 {
3204 }
3205 else
3206 {
3210 }
3215 }
3217 /* Generate code to instersect bounds BOUNDS1 and BOUNDS2 and
3218 return the result. if ITER is not NULL then Code is inserted
3219 before position pointed by ITER. Otherwise code is added to
3220 entry block. */
3221 static tree
3223 {
3228 else
3229 {
3230 gimple_seq seq;
3232 tree bounds;
3244 /* We are probably doing narrowing for constant expression.
3245 In such case iter may be undefined. */
3247 {
3251 }
3252 else
3256 {
3262 }
3265 }
3266 }
3268 /* Return 1 if we are allowed to narrow bounds for addressed FIELD
3269 and 0 othersize. */
3270 static bool
3272 {
3275 && !(flag_chkp_flexible_struct_trailing_arrays
3284 }
3286 /* Return 1 if bounds for FIELD should be narrowed to
3287 field's own size. */
3288 static bool
3290 {
3291 HOST_WIDE_INT offs;
3292 HOST_WIDE_INT bit_offs;
3297 /* Accesse to compiler generated fields should not cause
3298 bounds narrowing. */
3306 && (flag_chkp_first_field_has_own_bounds
3307 || offs
3309 }
3311 /* Perform narrowing for BOUNDS using bounds computed for field
3312 access COMPONENT. ITER meaning is the same as for
3313 chkp_intersect_bounds. */
3314 static tree
3317 {
3321 tree field_bounds;
3326 }
3328 /* Parse field or array access NODE.
3330 PTR ouput parameter holds a pointer to the outermost
3331 object.
3333 BITFIELD output parameter is set to 1 if bitfield is
3334 accessed and to 0 otherwise. If it is 1 then ELT holds
3335 outer component for accessed bit field.
3337 SAFE outer parameter is set to 1 if access is safe and
3338 checks are not required.
3340 BOUNDS outer parameter holds bounds to be used to check
3341 access (may be NULL).
3343 If INNERMOST_BOUNDS is 1 then try to narrow bounds to the
3344 innermost accessed component. */
3345 static void
3352 {
3357 tree var;
3361 /* Compute tree height for expression. */
3367 {
3369 len++;
3370 }
3374 /* It is more convenient for us to scan left-to-right,
3375 so walk tree again and put all node to nodes vector
3376 in reversed order. */
3387 /* To get bitfield address we will need outer elemnt. */
3390 else
3393 /* If we have indirection in expression then compute
3394 outermost structure bounds. Computed bounds may be
3395 narrowed later. */
3397 {
3402 }
3403 else
3404 {
3412 }
3414 /* In this loop we are trying to find a field access
3415 requiring narrowing. There are two simple rules
3416 for search:
3417 1. Leftmost array_ref is chosen if any.
3418 2. Rightmost suitable component_ref is chosen if innermost
3419 bounds are required and no array_ref exists. */
3421 {
3425 {
3429 && !flag_chkp_narrow_to_innermost_arrray
3430 && (!last_comp
3432 {
3435 }
3436 }
3438 {
3442 && !array_ref_found
3448 && flag_chkp_narrow_to_innermost_arrray
3450 {
3454 }
3455 }
3457 /* Nothing to do for it. */
3458 ;
3459 else
3461 }
3468 }
3470 /* Compute and return bounds for address of OBJ. */
3471 static tree
3473 {
3480 {
3493 {
3494 tree elt;
3495 tree ptr;
3503 }
3522 {
3527 }
3531 }
3536 }
3538 /* Compute bounds for pointer PTR loaded from PTR_SRC. Generate statements
3539 to compute bounds if required. Computed bounds should be available at
3540 position pointed by ITER.
3542 If PTR_SRC is NULL_TREE then pointer definition is identified.
3544 If PTR_SRC is not NULL_TREE then ITER points to statements which loads
3545 PTR. If PTR is a any memory reference then ITER points to a statement
3546 after which bndldx will be inserterd. In both cases ITER will be updated
3547 to point to the inserted bndldx statement. */
3549 static tree
3551 {
3564 {
3570 else
3571 {
3574 }
3575 else
3585 {
3589 else
3590 {
3593 }
3594 else
3596 }
3597 else
3598 {
3601 }
3617 {
3619 gphi_iterator phi_iter;
3626 {
3630 {
3632 tree arg_bnd;
3637 /* chkp_get_bounds_by_definition created new phi
3638 statement and phi_iter points to it.
3640 Previous call to chkp_find_bounds could create
3641 new basic block and therefore change phi statement
3642 phi_iter points to. */
3647 UNKNOWN_LOCATION);
3648 }
3650 /* If all bound phi nodes have their arg computed
3651 then we may finish its computation. See
3652 chkp_finish_incomplete_bounds for more details. */
3655 }
3659 }
3670 else
3676 {
3680 }
3683 }
3686 {
3688 {
3691 }
3693 }
3696 }
3698 /* Normal case for bounds search without forced narrowing. */
3699 static tree
3701 {
3703 }
3705 /* Search bounds for pointer PTR loaded from PTR_SRC
3706 by statement *ITER points to. */
3707 static tree
3709 {
3711 }
3713 /* Helper function which checks type of RHS and finds all pointers in
3714 it. For each found pointer we build it's accesses in LHS and RHS
3715 objects and then call HANDLER for them. Function is used to copy
3716 or initilize bounds for copied object. */
3717 static void
3719 assign_handler handler)
3720 {
3723 /* We have nothing to do with clobbers. */
3730 {
3731 tree field;
3734 {
3736 tree val;
3739 {
3741 {
3744 }
3745 }
3746 }
3747 else
3751 {
3755 }
3756 }
3758 {
3765 {
3770 {
3772 {
3778 cur++)
3779 {
3782 }
3783 }
3784 else
3785 {
3787 {
3790 }
3795 }
3796 }
3797 }
3798 /* Copy array only when size is known. */
3801 {
3805 }
3806 }
3807 else
3810 }
3812 /* Add code to copy bounds for assignment of RHS to LHS.
3813 ARG is an iterator pointing ne code position. */
3814 static void
3816 {
3822 }
3824 /* Emit static bound initilizers and size vars. */
3825 void
3827 {
3834 /* Iterate through varpool and generate bounds initialization
3835 constructors for all statically initialized pointers. */
3839 /* Check that var is actually emitted and we need and may initialize
3840 its bounds. */
3846 {
3850 chkp_add_modification_to_stmt_list);
3853 {
3858 }
3859 }
3865 /* Iterate through varpool and generate bounds initialization
3866 constructors for all static bounds vars. */
3873 {
3875 tree var;
3882 }
3890 }
3892 /* An instrumentation function which is called for each statement
3893 having memory access we want to instrument. It inserts check
3894 code and bounds copy code.
3896 ITER points to statement to instrument.
3898 NODE holds memory access in statement to check.
3900 LOC holds the location information for statement.
3902 DIRFLAGS determines whether access is read or write.
3904 ACCESS_OFFS should be added to address used in NODE
3905 before check.
3907 ACCESS_SIZE holds size of checked access.
3909 SAFE indicates if NODE access is safe and should not be
3910 checked. */
3911 static void
3916 {
3924 /* We do not need instrumentation for clobbers. */
3931 {
3934 {
3936 tree elt;
3939 {
3940 /* We are not going to generate any checks, so do not
3941 generate bounds as well. */
3944 }
3949 /* Break if there is no dereference and operation is safe. */
3952 {
3962 addr_first,
3964 }
3965 else
3967 }
3993 {
4012 }
4028 }
4030 /* If addr_last was not computed then use (addr_first + size - 1)
4031 expression to compute it. */
4033 {
4036 }
4038 /* Shift both first_addr and last_addr by access_offs if specified. */
4040 {
4043 }
4045 /* Generate bndcl/bndcu checks if memory access is not safe. */
4047 {
4055 }
4057 /* We need to store bounds in case pointer is stored. */
4061 {
4068 chkp_copy_bounds_for_elem);
4069 else
4070 {
4073 }
4074 }
4075 }
4077 /* Add code to copy bounds for all pointers copied
4078 in ASSIGN created during inline of EDGE. */
4079 void
4081 {
4091 /* We should create edges for all created calls to bndldx and bndstx. */
4093 {
4096 {
4111 }
4113 }
4114 }
4116 /* Some code transformation made during instrumentation pass
4117 may put code into inconsistent state. Here we find and fix
4118 such flaws. */
4119 void
4121 {
4122 basic_block bb;
4123 gimple_stmt_iterator i;
4125 /* We could insert some code right after stmt which ends bb.
4126 We wanted to put this code on fallthru edge but did not
4127 add new edges from the beginning because it may cause new
4128 phi node creation which may be incorrect due to incomplete
4129 bound phi nodes. */
4132 {
4140 {
4147 /* We cannot split abnormal edge. Therefore we
4148 store its params, make it regular and then
4149 rebuild abnormal edge after split. */
4151 {
4156 }
4159 {
4163 }
4167 /* Re-create abnormal edge. */
4170 }
4171 }
4172 }
4174 /* Walker callback for chkp_replace_function_pointers. Replaces
4175 function pointer in the specified operand with pointer to the
4176 instrumented function version. */
4177 static tree
4180 {
4184 /* For builtins we replace pointers only for selected
4185 function and functions having definitions. */
4189 {
4199 }
4202 }
4204 /* This function searches for function pointers in statement
4205 pointed by GSI and replaces them with pointers to instrumented
4206 function versions. */
4207 static void
4209 {
4211 /* For calls we want to walk call args only. */
4213 {
4218 }
4219 else
4221 }
4223 /* This function instruments all statements working with memory,
4224 calls and rets.
4226 It also removes excess statements from static initializers. */
4227 static void
4229 {
4231 gimple_stmt_iterator i;
4236 do
4237 {
4240 {
4243 /* Skip statement marked to not be instrumented. */
4245 {
4248 }
4253 {
4269 {
4272 {
4275 integer_zero_node,
4278 /* Additionally we need to add bounds
4279 to return statement. */
4281 }
4282 }
4290 ;
4291 }
4295 /* We do not need any actual pointer stores in checker
4296 static initializer. */
4300 {
4305 }
4306 }
4308 }
4311 /* Some input params may have bounds and be address taken. In this case
4312 we should store incoming bounds into bounds table. */
4313 tree arg;
4317 {
4319 {
4322 gimple_stmt_iterator iter
4328 /* Skip bounds arg. */
4330 }
4332 {
4335 gimple_stmt_iterator iter
4337 bitmap_iterator bi;
4343 {
4353 }
4355 }
4356 }
4357 }
4359 /* Find init/null/copy_ptr_bounds calls and replace them
4360 with assignments. It should allow better code
4361 optimization. */
4363 static void
4365 {
4366 basic_block bb;
4367 gimple_stmt_iterator gsi;
4370 {
4372 {
4374 tree fndecl;
4377 /* Find builtins returning first arg and replace
4378 them with assignments. */
4387 {
4392 }
4393 }
4394 }
4395 }
4397 /* Initialize pass. */
4398 static void
4400 {
4401 basic_block bb;
4402 gimple_stmt_iterator i;
4431 /* We create these constant bounds once for each object file.
4432 These symbols go to comdat section and result in single copy
4433 of each one in the final binary. */
4441 }
4443 /* Finalize instrumentation pass. */
4444 static void
4446 {
4462 }
4464 /* Main instrumentation pass function. */
4465 static unsigned int
4467 {
4481 }
4483 /* Instrumentation pass gate. */
4484 static bool
4486 {
4491 }
4496 {
4505 TODO_verify_il
4507 };
4510 {
4514 {}
4516 /* opt_pass methods: */
4518 {
4520 }
4523 {
4525 }
4528 {
4530 }
4536 gimple_opt_pass *
4538 {
4540 }