| blob | f2934b0490ddc19fcf44419fcdd57d12b9ac0998 |
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2013 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
44 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
45 with <2x slowdown on average.
47 The tool consists of two parts:
48 instrumentation module (this file) and a run-time library.
49 The instrumentation module adds a run-time check before every memory insn.
50 For a 8- or 16- byte load accessing address X:
51 ShadowAddr = (X >> 3) + Offset
52 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
53 if (ShadowValue)
54 __asan_report_load8(X);
55 For a load of N bytes (N=1, 2 or 4) from address X:
56 ShadowAddr = (X >> 3) + Offset
57 ShadowValue = *(char*)ShadowAddr;
58 if (ShadowValue)
59 if ((X & 7) + N - 1 > ShadowValue)
60 __asan_report_loadN(X);
61 Stores are instrumented similarly, but using __asan_report_storeN functions.
62 A call too __asan_init() is inserted to the list of module CTORs.
64 The run-time library redefines malloc (so that redzone are inserted around
65 the allocated memory) and free (so that reuse of free-ed memory is delayed),
66 provides __asan_report* and __asan_init functions.
68 Read more:
69 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
71 The current implementation supports detection of out-of-bounds and
72 use-after-free in the heap, on the stack and for global variables.
74 [Protection of stack variables]
76 To understand how detection of out-of-bounds and use-after-free works
77 for stack variables, lets look at this example on x86_64 where the
78 stack grows downward:
80 int
81 foo ()
82 {
83 char a[23] = {0};
84 int b[2] = {0};
86 a[5] = 1;
87 b[1] = 2;
89 return a[5] + b[1];
90 }
92 For this function, the stack protected by asan will be organized as
93 follows, from the top of the stack to the bottom:
95 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
97 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
98 the next slot be 32 bytes aligned; this one is called Partial
99 Redzone; this 32 bytes alignment is an asan constraint]
101 Slot 3/ [24 bytes for variable 'a']
103 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
105 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
107 Slot 6/ [8 bytes for variable 'b']
109 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
110 'LEFT RedZone']
112 The 32 bytes of LEFT red zone at the bottom of the stack can be
113 decomposed as such:
115 1/ The first 8 bytes contain a magical asan number that is always
116 0x41B58AB3.
118 2/ The following 8 bytes contains a pointer to a string (to be
119 parsed at runtime by the runtime asan library), which format is
120 the following:
122 "<function-name> <space> <num-of-variables-on-the-stack>
123 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
124 <length-of-var-in-bytes> ){n} "
126 where '(...){n}' means the content inside the parenthesis occurs 'n'
127 times, with 'n' being the number of variables on the stack.
129 3/ The following 16 bytes of the red zone have no particular
130 format.
132 The shadow memory for that stack layout is going to look like this:
134 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
135 The F1 byte pattern is a magic number called
136 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
137 the memory for that shadow byte is part of a the LEFT red zone
138 intended to seat at the bottom of the variables on the stack.
140 - content of shadow memory 8 bytes for slots 6 and 5:
141 0xF4F4F400. The F4 byte pattern is a magic number
142 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
143 memory region for this shadow byte is a PARTIAL red zone
144 intended to pad a variable A, so that the slot following
145 {A,padding} is 32 bytes aligned.
147 Note that the fact that the least significant byte of this
148 shadow memory content is 00 means that 8 bytes of its
149 corresponding memory (which corresponds to the memory of
150 variable 'b') is addressable.
152 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
153 The F2 byte pattern is a magic number called
154 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
155 region for this shadow byte is a MIDDLE red zone intended to
156 seat between two 32 aligned slots of {variable,padding}.
158 - content of shadow memory 8 bytes for slot 3 and 2:
159 0xF4000000. This represents is the concatenation of
160 variable 'a' and the partial red zone following it, like what we
161 had for variable 'b'. The least significant 3 bytes being 00
162 means that the 3 bytes of variable 'a' are addressable.
164 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
165 The F3 byte pattern is a magic number called
166 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
167 region for this shadow byte is a RIGHT red zone intended to seat
168 at the top of the variables of the stack.
170 Note that the real variable layout is done in expand_used_vars in
171 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
172 stack variables as well as the different red zones, emits some
173 prologue code to populate the shadow memory as to poison (mark as
174 non-accessible) the regions of the red zones and mark the regions of
175 stack variables as accessible, and emit some epilogue code to
176 un-poison (mark as accessible) the regions of red zones right before
177 the function exits.
179 [Protection of global variables]
181 The basic idea is to insert a red zone between two global variables
182 and install a constructor function that calls the asan runtime to do
183 the populating of the relevant shadow memory regions at load time.
185 So the global variables are laid out as to insert a red zone between
186 them. The size of the red zones is so that each variable starts on a
187 32 bytes boundary.
189 Then a constructor function is installed so that, for each global
190 variable, it calls the runtime asan library function
191 __asan_register_globals_with an instance of this type:
193 struct __asan_global
194 {
195 // Address of the beginning of the global variable.
196 const void *__beg;
198 // Initial size of the global variable.
199 uptr __size;
201 // Size of the global variable + size of the red zone. This
202 // size is 32 bytes aligned.
203 uptr __size_with_redzone;
205 // Name of the global variable.
206 const void *__name;
208 // This is always set to NULL for now.
209 uptr __has_dynamic_init;
210 }
212 A destructor function that calls the runtime asan library function
213 _asan_unregister_globals is also installed. */
217 /* Pointer types to 1 resp. 2 byte integers in shadow memory. A separate
218 alias set is used for all shadow memory accesses. */
221 /* Hashtable support for memory references used by gimple
222 statements. */
224 /* This type represents a reference to a memory region. */
225 struct asan_mem_ref
226 {
227 /* The expression of the beginning of the memory region. */
228 tree start;
230 /* The size of the access (can be 1, 2, 4, 8, 16 for now). */
232 };
236 /* This creates the alloc pool used to store the instances of
237 asan_mem_ref that are stored in the hash table asan_mem_ref_ht. */
239 static alloc_pool
241 {
248 }
250 /* Initializes an instance of asan_mem_ref. */
252 static void
254 {
257 }
259 /* Allocates memory for an instance of asan_mem_ref into the memory
260 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
261 START is the address of (or the expression pointing to) the
262 beginning of memory reference. ACCESS_SIZE is the size of the
263 access to the referenced memory. */
267 {
273 }
275 /* This builds and returns a pointer to the end of the memory region
276 that starts at START and of length LEN. */
278 tree
280 {
285 }
287 /* Return a tree expression that represents the end of the referenced
288 memory region. Beware that this function can actually build a new
289 tree expression. */
291 tree
293 {
295 }
297 struct asan_mem_ref_hasher
299 {
305 };
307 /* Hash a memory reference. */
309 inline hashval_t
311 {
315 }
317 /* Compare two memory references. We accept the length of either
318 memory references to be NULL_TREE. */
323 {
326 }
330 /* Returns a reference to the hash table containing memory references.
331 This function ensures that the hash table is created. Note that
332 this hash table is updated by the function
333 update_mem_ref_hash_table. */
337 {
342 }
344 /* Clear all entries from the memory references hash table. */
346 static void
348 {
351 }
353 /* Free the memory references hash table. */
355 static void
357 {
362 {
365 }
366 }
368 /* Return true iff the memory reference REF has been instrumented. */
370 static bool
372 {
373 asan_mem_ref r;
377 }
379 /* Return true iff the memory reference REF has been instrumented. */
381 static bool
383 {
385 }
387 /* Return true iff access to memory region starting at REF and of
388 length LEN has been instrumented. */
390 static bool
392 {
393 /* First let's see if the address of the beginning of REF has been
394 instrumented. */
399 {
400 /* Let's see if the end of the region has been instrumented. */
404 }
406 }
408 /* Set REF to the memory reference present in a gimple assignment
409 ASSIGNMENT. Return true upon successful completion, false
410 otherwise. */
412 static bool
416 {
421 {
424 }
426 {
429 }
430 else
435 }
437 /* Return the memory references contained in a gimple statement
438 representing a builtin call that has to do with memory access. */
440 static bool
452 {
462 {
463 /* (s, s, n) style memops. */
471 /* (src, dest, n) style memops. */
478 /* (dest, src, n) style memops. */
490 /* (dest, n) style memops. */
496 /* (dest, x, n) style memops*/
508 /* And now the __atomic* and __sync builtins.
509 These are handled differently from the classical memory memory
510 access builtins above. */
518 /* fall through. */
703 {
705 /* DEST represents the address of a memory location.
706 instrument_derefs wants the memory location, so lets
707 dereference the address DEST before handing it to
708 instrument_derefs. */
714 else
718 }
721 /* The other builtins memory access are not instrumented in this
722 function because they either don't have any length parameter,
723 or their length parameter is just a limit. */
725 }
728 {
730 {
735 }
738 {
743 }
746 {
751 }
754 }
756 {
763 }
766 }
768 /* Return true iff a given gimple statement has been instrumented.
769 Note that the statement is "defined" by the memory references it
770 contains. */
772 static bool
774 {
776 {
778 asan_mem_ref r;
783 }
785 {
799 {
813 }
814 }
816 }
818 /* Insert a memory reference into the hash table. */
820 static void
822 {
825 asan_mem_ref r;
831 }
833 /* Initialize shadow_ptr_types array. */
835 static void
837 {
846 }
848 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
850 static tree
852 {
862 }
864 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
866 static rtx
868 {
876 }
878 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
879 though. */
881 static void
883 {
894 {
897 }
915 }
917 /* Insert code to protect stack vars. The prologue sequence should be emitted
918 directly, epilogue sequence returned. BASE is the register holding the
919 stack base, against which OFFSETS array offsets are relative to, OFFSETS
920 array contains pairs of offsets in reverse order, always the end offset
921 of some gap that needs protection followed by starting offset,
922 and DECLS is an array of representative decls for each var partition.
923 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
924 elements long (OFFSETS include gap before the first variable as well
925 as gaps after each stack variable). */
927 rtx
930 {
937 tree str_cst;
942 /* First of all, prepare the description string. */
943 pretty_printer asan_pp;
947 else
953 {
960 {
964 }
965 else
968 }
971 /* Emit the prologue sequence. */
984 Pmode),
992 {
997 {
999 HOST_WIDE_INT aoff
1008 {
1011 else
1013 }
1014 else
1018 }
1020 {
1028 }
1030 }
1033 /* Construct epilogue sequence. */
1042 {
1046 {
1054 }
1058 }
1060 {
1065 }
1072 }
1074 /* Return true if DECL, a global var, might be overridden and needs
1075 therefore a local alias. */
1077 static bool
1079 {
1081 }
1083 /* Return true if DECL is a VAR_DECL that should be protected
1084 by Address Sanitizer, by appending a red zone with protected
1085 shadow memory after it and aligning it to at least
1086 ASAN_RED_ZONE_SIZE bytes. */
1088 bool
1090 {
1094 {
1095 /* Instrument all STRING_CSTs except those created
1096 by asan_pp_string here. */
1102 }
1104 /* TLS vars aren't statically protectable. */
1106 /* Externs will be protected elsewhere. */
1109 /* Comdat vars pose an ABI problem, we can't know if
1110 the var that is selected by the linker will have
1111 padding or not. */
1113 /* Similarly for common vars. People can use -fno-common. */
1115 /* Don't protect if using user section, often vars placed
1116 into user section from multiple TUs are then assumed
1117 to be an array of such vars, putting padding in there
1118 breaks this assumption. */
1139 #ifndef ASM_OUTPUT_DEF
1142 #endif
1145 }
1147 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16}.
1148 IS_STORE is either 1 (for a store) or 0 (for a load).
1149 SIZE_IN_BYTES is one of 1, 2, 4, 8, 16. */
1151 static tree
1153 {
1157 BUILT_IN_ASAN_REPORT_LOAD16 },
1160 BUILT_IN_ASAN_REPORT_STORE16 } };
1162 }
1164 #define PROB_VERY_UNLIKELY (REG_BR_PROB_BASE / 2000 - 1)
1165 #define PROB_ALWAYS (REG_BR_PROB_BASE)
1167 /* Split the current basic block and create a condition statement
1168 insertion point right before or after the statement pointed to by
1169 ITER. Return an iterator to the point at which the caller might
1170 safely insert the condition statement.
1172 THEN_BLOCK must be set to the address of an uninitialized instance
1173 of basic_block. The function will then set *THEN_BLOCK to the
1174 'then block' of the condition statement to be inserted by the
1175 caller.
1177 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1178 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1180 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1181 block' of the condition statement to be inserted by the caller.
1183 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1184 statements starting from *ITER, and *THEN_BLOCK is a new empty
1185 block.
1187 *ITER is adjusted to point to always point to the first statement
1188 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1189 same as what ITER was pointing to prior to calling this function,
1190 if BEFORE_P is true; otherwise, it is its following statement. */
1192 static gimple_stmt_iterator
1199 {
1209 /* Get a hold on the 'condition block', the 'then block' and the
1210 'else block'. */
1215 {
1218 }
1220 /* Set up the newly created 'then block'. */
1222 int fallthrough_probability
1223 = then_more_likely_p
1224 ? PROB_VERY_UNLIKELY
1230 /* Set up the fallthrough basic block. */
1236 /* Update dominance info for the newly created then_bb; note that
1237 fallthru_bb's dominance info has already been updated by
1238 split_bock. */
1247 }
1249 /* Insert an if condition followed by a 'then block' right before the
1250 statement pointed to by ITER. The fallthrough block -- which is the
1251 else block of the condition as well as the destination of the
1252 outcoming edge of the 'then block' -- starts with the statement
1253 pointed to by ITER.
1255 COND is the condition of the if.
1257 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1258 'then block' is higher than the probability of the edge to the
1259 fallthrough block.
1261 Upon completion of the function, *THEN_BB is set to the newly
1262 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1263 fallthrough block.
1265 *ITER is adjusted to still point to the same statement it was
1266 pointing to initially. */
1268 static void
1274 {
1275 gimple_stmt_iterator cond_insert_point =
1278 then_more_likely_p,
1280 then_bb,
1281 fallthrough_bb);
1283 }
1285 /* Instrument the memory access instruction BASE. Insert new
1286 statements before or after ITER.
1288 Note that the memory access represented by BASE can be either an
1289 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1290 location. IS_STORE is TRUE for a store, FALSE for a load.
1291 BEFORE_P is TRUE for inserting the instrumentation code before
1292 ITER, FALSE for inserting it after ITER. SIZE_IN_BYTES is one of
1293 1, 2, 4, 8, 16.
1295 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1296 statement it was pointing to prior to calling this function,
1297 otherwise, it points to the statement logically following it. */
1299 static void
1302 {
1303 gimple_stmt_iterator gsi;
1306 gimple g;
1309 tree uintptr_type
1313 /* Get an iterator on the point where we can add the condition
1314 statement for the instrumentation. */
1323 /* BASE can already be an SSA_NAME; in that case, do not create a
1324 new SSA_NAME for it. */
1326 {
1333 }
1342 /* Build
1343 (base_addr >> ASAN_SHADOW_SHIFT) + targetm.asan_shadow_offset (). */
1375 {
1376 /* Slow path for 1, 2 and 4 byte accesses.
1377 Test (shadow != 0)
1378 & ((base_addr & 7) + (size_in_bytes - 1)) >= shadow). */
1390 shadow));
1396 }
1397 else
1405 /* Generate call to the run-time library (e.g. __asan_report_load8). */
1413 }
1415 /* If T represents a memory access, add instrumentation code before ITER.
1416 LOCATION is source code location.
1417 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
1419 static void
1422 {
1424 HOST_WIDE_INT size_in_bytes;
1428 {
1436 }
1444 tree offset;
1451 {
1454 {
1459 }
1461 }
1465 {
1470 }
1472 }
1474 /* Instrument an access to a contiguous memory region that starts at
1475 the address pointed to by BASE, over a length of LEN (expressed in
1476 the sizeof (*BASE) bytes). ITER points to the instruction before
1477 which the instrumentation instructions must be inserted. LOCATION
1478 is the source location that the instrumentation instructions must
1479 have. If IS_STORE is true, then the memory access is a store;
1480 otherwise, it's a load. */
1482 static void
1486 {
1496 /* If the beginning of the memory region has already been
1497 instrumented, do not instrument it. */
1500 /* If the end of the memory region has already been instrumented, do
1501 not instrument it. */
1509 {
1510 /* So, the length of the memory area to asan-protect is
1511 non-constant. Let's guard the generated instrumentation code
1512 like:
1514 if (len != 0)
1515 {
1516 //asan instrumentation code goes here.
1517 }
1518 // falltrough instructions, starting with *ITER. */
1521 len,
1527 /* Note that fallthrough_bb starts with the statement that was
1528 pointed to by ITER. */
1530 /* The 'then block' of the 'if (len != 0) condition is where
1531 we'll generate the asan instrumentation code now. */
1533 }
1536 {
1537 /* Instrument the beginning of the memory region to be accessed,
1538 and arrange for the rest of the intrumentation code to be
1539 inserted in the then block *after* the current gsi. */
1543 /* We are in the case where the length of the region is not
1544 constant; so instrumentation code is being generated in the
1545 'then block' of the 'if (len != 0) condition. Let's arrange
1546 for the subsequent instrumentation statements to go in the
1547 'then block'. */
1549 else
1550 {
1552 /* Don't remember this access as instrumented, if length
1553 is unknown. It might be zero and not being actually
1554 instrumented, so we can't rely on it being instrumented. */
1556 }
1557 }
1562 /* We want to instrument the access at the end of the memory region,
1563 which is at (base + len - 1). */
1565 /* offset = len - 1; */
1567 tree offset;
1573 else
1574 {
1575 gimple g;
1576 tree t;
1579 {
1585 }
1587 {
1593 }
1601 }
1603 /* _1 = base; */
1605 gimple region_end =
1612 /* _2 = _1 + offset; */
1613 region_end =
1617 offset);
1622 /* instrument access at _2; */
1631 }
1633 /* Instrument the call (to the builtin strlen function) pointed to by
1634 ITER.
1636 This function instruments the access to the first byte of the
1637 argument, right before the call. After the call it instruments the
1638 access to the last byte of the argument; it uses the result of the
1639 call to deduce the offset of that last byte.
1641 Upon completion, iff the call has actually been instrumented, this
1642 function returns TRUE and *ITER points to the statement logically
1643 following the built-in strlen function call *ITER was initially
1644 pointing to. Otherwise, the function returns FALSE and *ITER
1645 remains unchanged. */
1647 static bool
1649 {
1660 /* Some passes might clear the return value of the strlen call;
1661 bail out in that case. Return FALSE as we are not advancing
1662 *ITER. */
1669 /* Instrument the access to the first byte of str_arg. i.e:
1671 _1 = str_arg; instrument (_1); */
1673 gimple str_arg_ssa =
1683 /* If we initially had an instruction like:
1685 int n = strlen (str)
1687 we now want to instrument the access to str[n], after the
1688 instruction above.*/
1690 /* So let's build the access to str[n] that is, access through the
1691 pointer_plus expr: (_1 + len). */
1692 gimple stmt =
1696 len);
1703 /* Ensure that iter points to the statement logically following the
1704 one it was initially pointing to. */
1706 /* As *ITER has been advanced to point to the next statement, let's
1707 return true to inform transform_statements that it shouldn't
1708 advance *ITER anymore; otherwises it will skip that next
1709 statement, which wouldn't be instrumented. */
1711 }
1713 /* Instrument the call to a built-in memory access function that is
1714 pointed to by the iterator ITER.
1716 Upon completion, return TRUE iff *ITER has been advanced to the
1717 statement following the one it was originally pointing to. */
1719 static bool
1721 {
1732 else
1733 {
1748 {
1750 {
1754 }
1756 {
1769 }
1770 }
1771 }
1773 }
1775 /* Instrument the assignment statement ITER if it is subject to
1776 instrumentation. Return TRUE iff instrumentation actually
1777 happened. In that case, the iterator ITER is advanced to the next
1778 logical expression following the one initially pointed to by ITER,
1779 and the relevant memory reference that which access has been
1780 instrumented is added to the memory references hash table. */
1782 static bool
1784 {
1793 {
1798 is_store);
1800 }
1803 {
1808 is_store);
1810 }
1816 }
1818 /* Instrument the function call pointed to by the iterator ITER, if it
1819 is subject to instrumentation. At the moment, the only function
1820 calls that are instrumented are some built-in functions that access
1821 memory. Look at instrument_builtin_call to learn more.
1823 Upon completion return TRUE iff *ITER was advanced to the statement
1824 following the one it was originally pointing to. */
1826 static bool
1828 {
1836 {
1838 {
1841 {
1844 /* Don't instrument these. */
1846 }
1847 }
1852 }
1854 }
1856 /* Walk each instruction of all basic block and instrument those that
1857 represent memory references: loads, stores, or function calls.
1858 In a given basic block, this function avoids instrumenting memory
1859 references that have already been instrumented. */
1861 static void
1863 {
1865 gimple_stmt_iterator i;
1869 {
1874 /* Flush the mem ref hash table, if current bb doesn't have
1875 exactly one predecessor, or if that predecessor (skipping
1876 over asan created basic blocks) isn't the last processed
1877 basic block. Thus we effectively flush on extended basic
1878 block boundaries. */
1880 {
1884 }
1890 {
1897 /* Nothing to do as maybe_instrument_assignment advanced
1900 /* Nothing to do as maybe_instrument_call
1902 else
1903 {
1904 /* No instrumentation happened.
1906 If the current instruction is a function call that
1907 might free something, let's forget about the memory
1908 references that got instrumented. Otherwise we might
1909 miss some instrumentation opportunities. */
1914 }
1915 }
1916 }
1918 }
1920 /* Build
1921 struct __asan_global
1922 {
1923 const void *__beg;
1924 uptr __size;
1925 uptr __size_with_redzone;
1926 const void *__name;
1927 uptr __has_dynamic_init;
1928 } type. */
1930 static tree
1932 {
1941 {
1950 }
1955 }
1957 /* Append description of a single global DECL into vector V.
1958 TYPE is __asan_global struct type as returned by asan_global_struct. */
1960 static void
1962 {
1968 pretty_printer asan_pp;
1972 else
1981 {
1996 }
2010 }
2012 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2013 void
2015 {
2016 tree decl;
2022 tree BT_FN_VOID_PTR
2024 tree BT_FN_VOID_PTR_PTR_PTR
2027 tree BT_FN_VOID_PTR_PTRMODE
2030 tree BT_FN_VOID_INT
2036 tree vptr
2038 TYPE_QUAL_VOLATILE));
2039 tree cvptr
2041 TYPE_QUAL_VOLATILE
2043 tree boolt
2047 {
2052 NULL_TREE);
2057 NULL_TREE);
2061 }
2062 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2063 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2064 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2065 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2066 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2067 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2068 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2069 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2070 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2071 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2072 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2073 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2074 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2075 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2076 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2077 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2078 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2079 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2080 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2081 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2082 #undef ATTR_NOTHROW_LEAF_LIST
2083 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2084 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2085 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2086 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2087 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2088 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2089 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2090 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2091 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2092 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2094 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2095 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2097 #undef DEF_SANITIZER_BUILTIN
2098 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2100 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2101 set_call_expr_flags (decl, ATTRS); \
2102 set_builtin_decl (ENUM, decl, true);
2106 #undef DEF_SANITIZER_BUILTIN
2107 }
2109 /* Called via htab_traverse. Count number of emitted
2110 STRING_CSTs in the constant hash table. */
2112 static int
2114 {
2122 }
2124 /* Helper structure to pass two parameters to
2125 add_string_csts. */
2127 struct asan_add_string_csts_data
2128 {
2129 tree type;
2131 };
2133 /* Called via htab_traverse. Call asan_add_global
2134 on emitted STRING_CSTs from the constant hash table. */
2136 static int
2138 {
2144 {
2149 }
2151 }
2153 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
2154 invoke ggc_collect. */
2157 /* Module-level instrumentation.
2158 - Insert __asan_init() into the list of CTORs.
2159 - TODO: insert redzones around globals.
2160 */
2162 void
2164 {
2170 /* Avoid instrumenting code in the asan ctors/dtors.
2171 We don't need to insert padding after the description strings,
2172 nor after .LASAN* array. */
2184 {
2193 type);
2217 gcount_tree),
2223 gcount_tree),
2227 }
2231 }
2233 /* Instrument the current function. */
2235 static unsigned int
2237 {
2242 }
2244 static bool
2246 {
2250 }
2255 {
2268 };
2271 {
2275 {}
2277 /* opt_pass methods: */
2286 gimple_opt_pass *
2288 {
2290 }
2292 static bool
2294 {
2296 }
2301 {
2314 };
2317 {
2321 {}
2323 /* opt_pass methods: */
2331 gimple_opt_pass *
2333 {
2335 }