| blob | acd57eac5efdbdfbac0f5594a9b1ee10baa6b2da |
1 /* Pointer Bounds Checker insrumentation pass.
2 Copyright (C) 2014-2017 Free Software Foundation, Inc.
3 Contributed by Ilya Enkovich (ilya.enkovich@intel.com)
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
56 /* Pointer Bounds Checker instruments code with memory checks to find
57 out-of-bounds memory accesses. Checks are performed by computing
58 bounds for each pointer and then comparing address of accessed
59 memory before pointer dereferencing.
61 1. Function clones.
63 See ipa-chkp.c.
65 2. Instrumentation.
67 There are few things to instrument:
69 a) Memory accesses - add checker calls to check address of accessed memory
70 against bounds of dereferenced pointer. Obviously safe memory
71 accesses like static variable access does not have to be instrumented
72 with checks.
74 Example:
76 val_2 = *p_1;
78 with 4 bytes access is transformed into:
80 __builtin___chkp_bndcl (__bound_tmp.1_3, p_1);
81 D.1_4 = p_1 + 3;
82 __builtin___chkp_bndcu (__bound_tmp.1_3, D.1_4);
83 val_2 = *p_1;
85 where __bound_tmp.1_3 are bounds computed for pointer p_1,
86 __builtin___chkp_bndcl is a lower bound check and
87 __builtin___chkp_bndcu is an upper bound check.
89 b) Pointer stores.
91 When pointer is stored in memory we need to store its bounds. To
92 achieve compatibility of instrumented code with regular codes
93 we have to keep data layout and store bounds in special bound tables
94 via special checker call. Implementation of bounds table may vary for
95 different platforms. It has to associate pointer value and its
96 location (it is required because we may have two equal pointers
97 with different bounds stored in different places) with bounds.
98 Another checker builtin allows to get bounds for specified pointer
99 loaded from specified location.
101 Example:
103 buf1[i_1] = &buf2;
105 is transformed into:
107 buf1[i_1] = &buf2;
108 D.1_2 = &buf1[i_1];
109 __builtin___chkp_bndstx (D.1_2, &buf2, __bound_tmp.1_2);
111 where __bound_tmp.1_2 are bounds of &buf2.
113 c) Static initialization.
115 The special case of pointer store is static pointer initialization.
116 Bounds initialization is performed in a few steps:
117 - register all static initializations in front-end using
118 chkp_register_var_initializer
119 - when file compilation finishes we create functions with special
120 attribute 'chkp ctor' and put explicit initialization code
121 (assignments) for all statically initialized pointers.
122 - when checker constructor is compiled checker pass adds required
123 bounds initialization for all statically initialized pointers
124 - since we do not actually need excess pointers initialization
125 in checker constructor we remove such assignments from them
127 d) Calls.
129 For each call in the code we add additional arguments to pass
130 bounds for pointer arguments. We determine type of call arguments
131 using arguments list from function declaration; if function
132 declaration is not available we use function type; otherwise
133 (e.g. for unnamed arguments) we use type of passed value. Function
134 declaration/type is replaced with the instrumented one.
136 Example:
138 val_1 = foo (&buf1, &buf2, &buf1, 0);
140 is translated into:
142 val_1 = foo.chkp (&buf1, __bound_tmp.1_2, &buf2, __bound_tmp.1_3,
143 &buf1, __bound_tmp.1_2, 0);
145 e) Returns.
147 If function returns a pointer value we have to return bounds also.
148 A new operand was added for return statement to hold returned bounds.
150 Example:
152 return &_buf1;
154 is transformed into
156 return &_buf1, __bound_tmp.1_1;
158 3. Bounds computation.
160 Compiler is fully responsible for computing bounds to be used for each
161 memory access. The first step for bounds computation is to find the
162 origin of pointer dereferenced for memory access. Basing on pointer
163 origin we define a way to compute its bounds. There are just few
164 possible cases:
166 a) Pointer is returned by call.
168 In this case we use corresponding checker builtin method to obtain returned
169 bounds.
171 Example:
173 buf_1 = malloc (size_2);
174 foo (buf_1);
176 is translated into:
178 buf_1 = malloc (size_2);
179 __bound_tmp.1_3 = __builtin___chkp_bndret (buf_1);
180 foo (buf_1, __bound_tmp.1_3);
182 b) Pointer is an address of an object.
184 In this case compiler tries to compute objects size and create corresponding
185 bounds. If object has incomplete type then special checker builtin is used to
186 obtain its size at runtime.
188 Example:
190 foo ()
191 {
192 <unnamed type> __bound_tmp.3;
193 static int buf[100];
195 <bb 3>:
196 __bound_tmp.3_2 = __builtin___chkp_bndmk (&buf, 400);
198 <bb 2>:
199 return &buf, __bound_tmp.3_2;
200 }
202 Example:
204 Address of an object 'extern int buf[]' with incomplete type is
205 returned.
207 foo ()
208 {
209 <unnamed type> __bound_tmp.4;
210 long unsigned int __size_tmp.3;
212 <bb 3>:
213 __size_tmp.3_4 = __builtin_ia32_sizeof (buf);
214 __bound_tmp.4_3 = __builtin_ia32_bndmk (&buf, __size_tmp.3_4);
216 <bb 2>:
217 return &buf, __bound_tmp.4_3;
218 }
220 c) Pointer is the result of object narrowing.
222 It happens when we use pointer to an object to compute pointer to a part
223 of an object. E.g. we take pointer to a field of a structure. In this
224 case we perform bounds intersection using bounds of original object and
225 bounds of object's part (which are computed basing on its type).
227 There may be some debatable questions about when narrowing should occur
228 and when it should not. To avoid false bound violations in correct
229 programs we do not perform narrowing when address of an array element is
230 obtained (it has address of the whole array) and when address of the first
231 structure field is obtained (because it is guaranteed to be equal to
232 address of the whole structure and it is legal to cast it back to structure).
234 Default narrowing behavior may be changed using compiler flags.
236 Example:
238 In this example address of the second structure field is returned.
240 foo (struct A * p, __bounds_type __bounds_of_p)
241 {
242 <unnamed type> __bound_tmp.3;
243 int * _2;
244 int * _5;
246 <bb 2>:
247 _5 = &p_1(D)->second_field;
248 __bound_tmp.3_6 = __builtin___chkp_bndmk (_5, 4);
249 __bound_tmp.3_8 = __builtin___chkp_intersect (__bound_tmp.3_6,
250 __bounds_of_p_3(D));
251 _2 = &p_1(D)->second_field;
252 return _2, __bound_tmp.3_8;
253 }
255 Example:
257 In this example address of the first field of array element is returned.
259 foo (struct A * p, __bounds_type __bounds_of_p, int i)
260 {
261 long unsigned int _3;
262 long unsigned int _4;
263 struct A * _6;
264 int * _7;
266 <bb 2>:
267 _3 = (long unsigned int) i_1(D);
268 _4 = _3 * 8;
269 _6 = p_5(D) + _4;
270 _7 = &_6->first_field;
271 return _7, __bounds_of_p_2(D);
272 }
275 d) Pointer is the result of pointer arithmetic or type cast.
277 In this case bounds of the base pointer are used. In case of binary
278 operation producing a pointer we are analyzing data flow further
279 looking for operand's bounds. One operand is considered as a base
280 if it has some valid bounds. If we fall into a case when none of
281 operands (or both of them) has valid bounds, a default bounds value
282 is used.
284 Trying to find out bounds for binary operations we may fall into
285 cyclic dependencies for pointers. To avoid infinite recursion all
286 walked phi nodes instantly obtain corresponding bounds but created
287 bounds are marked as incomplete. It helps us to stop DF walk during
288 bounds search.
290 When we reach pointer source, some args of incomplete bounds phi obtain
291 valid bounds and those values are propagated further through phi nodes.
292 If no valid bounds were found for phi node then we mark its result as
293 invalid bounds. Process stops when all incomplete bounds become either
294 valid or invalid and we are able to choose a pointer base.
296 e) Pointer is loaded from the memory.
298 In this case we just need to load bounds from the bounds table.
300 Example:
302 foo ()
303 {
304 <unnamed type> __bound_tmp.3;
305 static int * buf;
306 int * _2;
308 <bb 2>:
309 _2 = buf;
310 __bound_tmp.3_4 = __builtin___chkp_bndldx (&buf, _2);
311 return _2, __bound_tmp.3_4;
312 }
314 */
331 #define chkp_bndldx_fndecl \
332 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDLDX))
333 #define chkp_bndstx_fndecl \
334 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDSTX))
335 #define chkp_checkl_fndecl \
336 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDCL))
337 #define chkp_checku_fndecl \
338 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDCU))
339 #define chkp_bndmk_fndecl \
340 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDMK))
341 #define chkp_ret_bnd_fndecl \
342 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDRET))
343 #define chkp_intersect_fndecl \
344 (targetm.builtin_chkp_function (BUILT_IN_CHKP_INTERSECT))
345 #define chkp_narrow_bounds_fndecl \
346 (targetm.builtin_chkp_function (BUILT_IN_CHKP_NARROW))
347 #define chkp_sizeof_fndecl \
348 (targetm.builtin_chkp_function (BUILT_IN_CHKP_SIZEOF))
349 #define chkp_extract_lower_fndecl \
350 (targetm.builtin_chkp_function (BUILT_IN_CHKP_EXTRACT_LOWER))
351 #define chkp_extract_upper_fndecl \
352 (targetm.builtin_chkp_function (BUILT_IN_CHKP_EXTRACT_UPPER))
386 /* Static checker constructors may become very large and their
387 compilation with optimization may take too much time.
388 Therefore we put a limit to number of statements in one
389 constructor. Tests with 100 000 statically initialized
390 pointers showed following compilation times on Sandy Bridge
391 server (used -O2):
392 limit 100 => ~18 sec.
393 limit 300 => ~22 sec.
394 limit 1000 => ~30 sec.
395 limit 3000 => ~49 sec.
396 limit 5000 => ~55 sec.
397 limit 10000 => ~76 sec.
398 limit 100000 => ~532 sec. */
399 #define MAX_STMTS_IN_STATIC_CHKP_CTOR (PARAM_VALUE (PARAM_CHKP_MAX_CTOR_SIZE))
401 struct chkp_ctor_stmt_list
402 {
403 tree stmts;
405 };
407 /* Return 1 if function FNDECL is instrumented by Pointer
408 Bounds Checker. */
409 bool
411 {
412 return fndecl
414 }
416 /* Mark function FNDECL as instrumented. */
417 void
419 {
426 }
428 /* Return true when STMT is builtin call to instrumentation function
429 corresponding to CODE. */
431 bool
434 {
435 tree fndecl;
442 }
444 /* Emit code to build zero bounds and return RTL holding
445 the result. */
446 rtx
448 {
449 tree zero_bnd;
453 else
455 integer_zero_node);
457 }
459 /* Emit code to store zero bounds for PTR located at MEM. */
460 void
462 {
467 else
469 integer_zero_node);
478 }
480 /* Build retbnd call for returned value RETVAL.
482 If BNDVAL is not NULL then result is stored
483 in it. Otherwise a temporary is created to
484 hold returned value.
486 GSI points to a position for a retbnd call
487 and is set to created stmt.
489 Cgraph edge is created for a new call if
490 UPDATE_EDGE is 1.
492 Obtained bounds are returned. */
493 tree
496 {
507 }
509 /* Build a GIMPLE_CALL identical to CALL but skipping bounds
510 arguments. */
512 gcall *
514 {
515 bitmap bounds;
533 }
535 /* Redirect edge E to the correct node according to call_stmt.
536 Return 1 if bounds removal from call_stmt should be done
537 instead of redirection. */
539 bool
541 {
557 {
560 else
561 {
563 /* Avoid bounds removal if all args will be removed. */
566 else
568 }
569 }
572 }
574 /* Mark statement S to not be instrumented. */
575 static void
577 {
579 }
581 /* Mark statement S to be instrumented. */
582 static void
584 {
586 }
588 /* Return 1 if statement S should not be instrumented. */
589 static bool
591 {
593 }
595 /* Get var to be used for bound temps. */
596 static tree
598 {
603 }
605 /* Get SSA_NAME to be used as temp. */
606 static tree
608 {
613 CHKP_BOUND_TMP_NAME);
614 }
616 /* Get var to be used for size temps. */
617 static tree
619 {
624 }
626 /* Register bounds BND for address of OBJ. */
627 static void
629 {
636 {
642 }
643 }
645 /* Return bounds registered for address of OBJ. */
646 static tree
648 {
651 }
653 /* Mark BOUNDS as completed. */
654 static void
656 {
660 {
664 }
665 }
667 /* Return 1 if BOUNDS were marked as completed and 0 otherwise. */
668 static bool
670 {
672 }
674 /* Clear comleted bound marks. */
675 static void
677 {
680 }
682 /* Mark BOUNDS associated with PTR as incomplete. */
683 static void
685 {
689 {
695 }
696 }
698 /* Return 1 if BOUNDS are incomplete and 0 otherwise. */
699 static bool
701 {
709 }
711 /* Clear incomleted bound marks. */
712 static void
714 {
717 }
719 /* Build and return bndmk call which creates bounds for structure
720 pointed by PTR. Structure should have complete type. */
721 tree
723 {
725 tree size;
736 }
738 /* Traversal function for chkp_may_finish_incomplete_bounds.
739 Set RES to 0 if at least one argument of phi statement
740 defining bounds (passed in KEY arg) is unknown.
741 Traversal stops when first unknown phi argument is found. */
742 bool
745 {
756 {
759 {
761 /* Do not need to traverse further. */
763 }
764 }
767 }
769 /* Return 1 if all phi nodes created for bounds have their
770 arguments computed. */
771 static bool
773 {
776 chkp_incomplete_bounds_map
780 }
782 /* Helper function for chkp_finish_incomplete_bounds.
783 Recompute args for bounds phi node. */
784 bool
787 {
800 {
806 UNKNOWN_LOCATION);
807 }
810 }
812 /* Mark BOUNDS as invalid. */
813 static void
815 {
819 {
823 }
824 }
826 /* Return 1 if BOUNDS were marked as invalid and 0 otherwise. */
827 static bool
829 {
834 }
836 /* Helper function for chkp_finish_incomplete_bounds.
837 Check all arguments of phi nodes trying to find
838 valid completed bounds. If there is at least one
839 such arg then bounds produced by phi node are marked
840 as valid completed bounds and all phi args are
841 recomputed. */
842 bool
844 {
858 {
864 {
869 }
870 }
873 }
875 /* Helper function for chkp_finish_incomplete_bounds.
876 Marks all incompleted bounds as invalid. */
877 bool
881 {
883 {
886 }
888 }
890 /* When all bound phi nodes have all their args computed
891 we have enough info to find valid bounds. We iterate
892 through all incompleted bounds searching for valid
893 bounds. Found valid bounds are marked as completed
894 and all remaining incompleted bounds are recomputed.
895 Process continues until no new valid bounds may be
896 found. All remained incompleted bounds are marked as
897 invalid (i.e. have no valid source of bounds). */
898 static void
900 {
904 {
907 chkp_incomplete_bounds_map->
911 chkp_incomplete_bounds_map->
913 }
915 chkp_incomplete_bounds_map->
917 chkp_incomplete_bounds_map->
922 }
924 /* Return 1 if type TYPE is a pointer type or a
925 structure having a pointer type as one of its fields.
926 Otherwise return 0. */
927 bool
929 {
935 {
936 tree field;
941 }
946 }
948 unsigned
950 {
958 {
959 bitmap have_bound;
967 }
970 }
972 /* Get bounds associated with NODE via
973 chkp_set_bounds call. */
974 tree
976 {
984 }
986 /* Associate bounds VAL with NODE. */
987 void
989 {
994 }
996 /* Check if statically initialized variable VAR require
997 static bounds initialization. If VAR is added into
998 bounds initlization list then 1 is returned. Otherwise
999 return 0. */
1002 {
1012 {
1015 }
1018 }
1020 /* Helper function for chkp_finish_file.
1022 Add new modification statement (RHS is assigned to LHS)
1023 into list of static initializer statementes (passed in ARG).
1024 If statements list becomes too big, emit checker constructor
1025 and start the new one. */
1026 static void
1028 tree rhs,
1030 {
1032 tree modify;
1041 }
1043 /* Build and return ADDR_EXPR for specified object OBJ. */
1044 static tree
1046 {
1050 }
1052 /* Helper function for chkp_finish_file.
1053 Initialize bound variable BND_VAR with bounds of variable
1054 VAR to statements list STMTS. If statements list becomes
1055 too big, emit checker constructor and start the new one. */
1056 static void
1059 {
1063 {
1066 }
1069 {
1070 /* Compute bounds using statically known size. */
1073 }
1074 else
1075 {
1076 /* Compute bounds using dynamic size. */
1077 tree call;
1082 chkp_sizeof_fndecl);
1087 {
1093 }
1096 }
1102 {
1107 }
1108 }
1110 /* Return entry block to be used for checker initilization code.
1111 Create new block if required. */
1112 static basic_block
1114 {
1116 entry_block
1120 }
1122 /* Return a bounds var to be used for pointer var PTR_VAR. */
1123 static tree
1125 {
1126 tree bnd_var;
1132 else
1133 {
1135 CHKP_BOUND_TMP_NAME);
1137 }
1140 }
1142 /* If BND is an abnormal bounds copy, return a copied value.
1143 Otherwise return BND. */
1144 static tree
1146 {
1148 {
1152 }
1155 }
1157 /* Register bounds BND for object PTR in global bounds table.
1158 A copy of bounds may be created for abnormal ssa names.
1159 Returns bounds to use for PTR. */
1160 static tree
1162 {
1168 /* Do nothing if bounds are incomplete_bounds
1169 because it means bounds will be recomputed. */
1177 /* A single bounds value may be reused multiple times for
1178 different pointer values. It may cause coalescing issues
1179 for abnormal SSA names. To avoid it we create a bounds
1180 copy in case it is computed for abnormal SSA name.
1182 We also cannot reuse such created copies for other pointers */
1185 {
1189 {
1192 }
1193 else
1196 /* For abnormal copies we may just find original
1197 bounds and use them. */
1200 /* For undefined values we usually use none bounds
1201 value but in case of abnormal edge it may cause
1202 coalescing failures. Use default definition of
1203 bounds variable instead to avoid it. */
1206 {
1210 {
1216 }
1217 }
1218 else
1219 {
1220 tree copy;
1223 gimple_stmt_iterator gsi;
1227 else
1229 NULL,
1230 CHKP_BOUND_TMP_NAME);
1235 {
1241 }
1244 {
1248 else
1250 }
1251 else
1252 {
1254 /* Sometimes (e.g. when we load a pointer from a
1255 memory) bounds are produced later than a pointer.
1256 We need to insert bounds copy appropriately. */
1260 else
1263 }
1266 }
1270 }
1275 {
1281 }
1284 }
1286 /* Get bounds registered for object PTR in global bounds table. */
1287 static tree
1289 {
1297 }
1299 /* Add bound retvals to return statement pointed by GSI. */
1301 static void
1303 {
1307 tree bounds;
1313 {
1317 }
1320 }
1322 /* Force OP to be suitable for using as an argument for call.
1323 New statements (if any) go to SEQ. */
1324 static tree
1326 {
1327 gimple_seq stmts;
1328 gimple_stmt_iterator si;
1338 }
1340 /* Generate lower bound check for memory access by ADDR.
1341 Check is inserted before the position pointed by ITER.
1342 DIRFLAG indicates whether memory access is load or store. */
1343 static void
1345 gimple_stmt_iterator iter,
1346 location_t location,
1347 tree dirflag)
1348 {
1349 gimple_seq seq;
1351 tree node;
1378 {
1384 }
1385 }
1387 /* Generate upper bound check for memory access by ADDR.
1388 Check is inserted before the position pointed by ITER.
1389 DIRFLAG indicates whether memory access is load or store. */
1390 static void
1392 gimple_stmt_iterator iter,
1393 location_t location,
1394 tree dirflag)
1395 {
1396 gimple_seq seq;
1398 tree node;
1425 {
1431 }
1432 }
1434 /* Generate lower and upper bound checks for memory access
1435 to memory slot [FIRST, LAST] againsr BOUNDS. Checks
1436 are inserted before the position pointed by ITER.
1437 DIRFLAG indicates whether memory access is load or store. */
1438 void
1440 gimple_stmt_iterator iter,
1441 location_t location,
1442 tree dirflag)
1443 {
1446 }
1448 /* Replace call to _bnd_chk_* pointed by GSI with
1449 bndcu and bndcl calls. DIRFLAG determines whether
1450 check is for read or write. */
1452 void
1454 tree dirflag)
1455 {
1470 {
1475 }
1478 }
1480 /* Replace call to _bnd_get_ptr_* pointed by GSI with
1481 corresponding bounds extract call. */
1483 void
1485 {
1496 else
1504 }
1506 /* Return COMPONENT_REF accessing FIELD in OBJ. */
1507 static tree
1509 {
1510 tree res;
1512 /* If object is TMR then we do not use component_ref but
1513 add offset instead. We need it to be able to get addr
1514 of the reasult later. */
1516 {
1526 }
1527 else
1531 }
1533 /* Return ARRAY_REF for array ARR and index IDX with
1534 specified element type ETYPE and element size ESIZE. */
1535 static tree
1538 {
1540 tree res;
1542 /* If object is TMR then we do not use array_ref but
1543 add offset instead. We need it to be able to get addr
1544 of the reasult later. */
1546 {
1560 }
1561 else
1565 }
1567 /* Helper function for chkp_add_bounds_to_call_stmt.
1568 Fill ALL_BOUNDS output array with created bounds.
1570 OFFS is used for recursive calls and holds basic
1571 offset of TYPE in outer structure in bits.
1573 ITER points a position where bounds are searched.
1575 ALL_BOUNDS[i] is filled with elem bounds if there
1576 is a field in TYPE which has pointer type and offset
1577 equal to i * POINTER_SIZE in bits. */
1578 static void
1580 HOST_WIDE_INT offs,
1582 {
1586 {
1588 {
1591 gimple_stmt_iterator gsi;
1597 }
1598 }
1600 {
1601 tree field;
1605 {
1608 HOST_WIDE_INT field_offs
1615 }
1616 }
1618 {
1628 {
1632 cur);
1634 iter);
1635 }
1636 }
1637 }
1639 /* Fill HAVE_BOUND output bitmap with information about
1640 bounds requred for object of type TYPE.
1642 OFFS is used for recursive calls and holds basic
1643 offset of TYPE in outer structure in bits.
1645 HAVE_BOUND[i] is set to 1 if there is a field
1646 in TYPE which has pointer type and offset
1647 equal to i * POINTER_SIZE - OFFS in bits. */
1648 void
1650 HOST_WIDE_INT offs)
1651 {
1655 {
1656 tree field;
1660 {
1668 }
1669 }
1671 {
1672 /* The object type is an array of complete type, i.e., other
1673 than a flexible array. */
1686 }
1687 }
1689 /* Fill bitmap RES with information about bounds for
1690 type TYPE. See chkp_find_bound_slots_1 for more
1691 details. */
1692 void
1694 {
1697 }
1699 /* Return 1 if call to FNDECL should be instrumented
1700 and 0 otherwise. */
1702 static bool
1704 {
1706 {
1740 }
1741 }
1743 /* Add bound arguments to call statement pointed by GSI.
1744 Also performs a replacement of user checker builtins calls
1745 with internal ones. */
1747 static void
1749 {
1753 tree fntype;
1754 tree first_formal_arg;
1755 tree arg;
1757 tree op;
1758 ssa_op_iter iter;
1761 /* Do nothing for internal functions. */
1767 /* Do nothing if back-end builtin is called. */
1771 /* Do nothing for some middle-end builtins. */
1776 /* Do nothing for calls to not instrumentable functions. */
1780 /* Ignore CHKP_INIT_PTR_BOUNDS, CHKP_NULL_PTR_BOUNDS
1781 and CHKP_COPY_PTR_BOUNDS. */
1789 /* Check user builtins are replaced with checks. */
1794 {
1797 }
1799 /* Check user builtins are replaced with bound extract. */
1803 {
1806 }
1808 /* BUILT_IN_CHKP_NARROW_PTR_BOUNDS call is replaced with
1809 target narrow bounds call. */
1812 {
1821 }
1823 /* BUILT_IN_CHKP_STORE_PTR_BOUNDS call is replaced with
1824 bndstx call. */
1827 {
1837 }
1842 /* We instrument only some subset of builtins. We also instrument
1843 builtin calls to be inlined. */
1847 {
1855 }
1857 /* If function decl is available then use it for
1858 formal arguments list. Otherwise use function type. */
1863 else
1864 {
1867 }
1869 /* Fill vector of new call args. */
1874 {
1876 tree type;
1878 /* Get arg type using formal argument description
1879 or actual argument type. */
1883 {
1886 }
1887 else
1889 else
1890 {
1893 }
1894 else
1903 {
1904 HOST_WIDE_INT max_bounds
1907 HOST_WIDE_INT bnd_no;
1918 }
1919 }
1923 else
1924 {
1929 }
1932 /* For direct calls fndecl is replaced with instrumented version. */
1934 {
1937 /* In case of a type cast we should modify used function
1938 type instead of using type of new fndecl. */
1940 {
1944 }
1945 else
1947 }
1948 /* For indirect call we should fix function pointer type if
1949 pass some bounds. */
1951 {
1955 }
1957 /* replace old call statement with the new one. */
1959 {
1961 {
1963 }
1965 }
1966 else
1970 }
1972 /* Return constant static bounds var with specified bounds LB and UB.
1973 If such var does not exists then new var is created with specified NAME. */
1974 static tree
1976 HOST_WIDE_INT ub,
1978 {
1980 tree var;
1985 pointer_bounds_type_node);
1989 /* With LTO we may have constant bounds already in varpool.
1990 Try to find it. */
1992 {
1993 /* We don't allow this symbol usage for non bounds. */
2001 }
2010 /* We may use this symbol during ctors generation in chkp_finish_file
2011 when all symbols are emitted. Force output to avoid undefined
2012 symbols in ctors. */
2019 }
2021 /* Generate code to make bounds with specified lower bound LB and SIZE.
2022 if AFTER is 1 then code is inserted after position pointed by ITER
2023 otherwise code is inserted before position pointed by ITER.
2024 If ITER is NULL then code is added to entry block. */
2025 static tree
2027 {
2028 gimple_seq seq;
2029 gimple_stmt_iterator gsi;
2031 tree bounds;
2035 else
2053 else
2057 {
2061 {
2064 }
2065 else
2067 }
2069 /* update_stmt (stmt); */
2072 }
2074 /* Return var holding zero bounds. */
2075 tree
2077 {
2079 chkp_zero_bounds_var
2081 CHKP_ZERO_BOUNDS_VAR_NAME);
2083 }
2085 /* Return var holding none bounds. */
2086 tree
2088 {
2090 chkp_none_bounds_var
2092 CHKP_NONE_BOUNDS_VAR_NAME);
2094 }
2096 /* Return SSA_NAME used to represent zero bounds. */
2097 static tree
2099 {
2108 {
2115 }
2116 else
2118 integer_zero_node,
2119 NULL,
2123 }
2125 /* Return SSA_NAME used to represent none bounds. */
2126 static tree
2128 {
2138 {
2145 }
2146 else
2149 NULL,
2153 }
2155 /* Return bounds to be used as a result of operation which
2156 should not create poiunter (e.g. MULT_EXPR). */
2157 static tree
2159 {
2161 }
2163 /* Return bounds to be used for loads of non-pointer values. */
2164 static tree
2166 {
2168 }
2170 /* Return 1 if may use bndret call to get bounds for pointer
2171 returned by CALL. */
2172 static bool
2174 {
2176 {
2180 }
2198 {
2207 }
2210 }
2212 /* Build bounds returned by CALL. */
2213 static tree
2215 {
2216 gimple_stmt_iterator gsi;
2217 tree bounds;
2222 /* To avoid fixing alloca expands in targets we handle
2223 it separately. */
2228 {
2233 }
2234 /* We know bounds returned by set_bounds builtin call. */
2238 {
2243 }
2244 /* Detect bounds initialization calls. */
2249 /* Detect bounds nullification calls. */
2254 /* Detect bounds copy calls. */
2258 {
2261 }
2262 /* Do not use retbnd when returned bounds are equal to some
2263 of passed bounds. */
2266 {
2270 {
2273 {
2275 retarg--;
2276 else
2278 }
2279 }
2280 else
2284 }
2286 {
2289 /* In general case build checker builtin call to
2290 obtain returned bounds. */
2302 }
2303 else
2307 {
2312 }
2317 }
2319 /* Return bounds used as returned by call
2320 which produced SSA name VAL. */
2321 gcall *
2323 {
2329 imm_use_iterator use_iter;
2330 use_operand_p use_p;
2336 }
2338 /* Check the next parameter for the given PARM is bounds
2339 and return it's default SSA_NAME (create if required). */
2340 static tree
2342 {
2347 {
2350 }
2352 }
2354 /* Return bounds to be used for input argument PARM. */
2355 static tree
2357 {
2359 tree bounds;
2369 {
2372 /* For static chain param we return zero bounds
2373 because currently we do not check dereferences
2374 of this pointer. */
2377 /* If non instrumented runtime is used then it may be useful
2378 to use zero bounds for input arguments of main
2379 function. */
2385 {
2390 {
2395 }
2396 }
2397 else
2399 }
2405 {
2413 }
2416 }
2418 /* Build and return CALL_EXPR for bndstx builtin with specified
2419 arguments. */
2420 tree
2422 {
2425 chkp_bndldx_fndecl);
2430 }
2432 /* Insert code to load bounds for PTR located by ADDR.
2433 Code is inserted after position pointed by GSI.
2434 Loaded bounds are returned. */
2435 static tree
2437 {
2438 gimple_seq seq;
2440 tree bounds;
2457 {
2462 }
2465 }
2467 /* Build and return CALL_EXPR for bndstx builtin with specified
2468 arguments. */
2469 tree
2471 {
2474 chkp_bndstx_fndecl);
2479 }
2481 /* Insert code to store BOUNDS for PTR stored by ADDR.
2482 New statements are inserted after position pointed
2483 by GSI. */
2484 void
2487 {
2488 gimple_seq seq;
2505 {
2509 }
2510 }
2512 /* This function is called when call statement
2513 is inlined and therefore we can't use bndret
2514 for its LHS anymore. Function fixes bndret
2515 call using new RHS value if possible. */
2516 void
2518 {
2525 /* Search for retbnd call. */
2530 /* Currently only handle cases when call is replaced
2531 with a memory access. In this case bndret call
2532 may be replaced with bndldx call. Otherwise we
2533 have to search for bounds which may cause wrong
2534 result due to various optimizations applied. */
2536 {
2557 }
2559 /* Create a new statements sequence with bndldx call. */
2565 /* Remove bndret call. */
2570 /* Link new bndldx call. */
2573 }
2575 /* Compute bounds for pointer NODE which was assigned in
2576 assignment statement ASSIGN. Return computed bounds. */
2577 static tree
2579 {
2587 {
2590 }
2593 {
2598 /* We need to load bounds from the bounds table. */
2609 /* Bounds are just propagated from RHS. */
2615 /* Bounds are just propagated from RHS. */
2621 {
2622 /* We need to load bounds from the bounds table. */
2626 }
2627 else
2636 {
2641 /* First we try to check types of operands. If it
2642 does not help then look at bound values.
2644 If some bounds are incomplete and other are
2645 not proven to be valid (i.e. also incomplete
2646 or invalid because value is not pointer) then
2647 resulting value is incomplete and will be
2648 recomputed later in chkp_finish_incomplete_bounds. */
2660 else
2666 else
2673 else
2677 else
2678 /* Seems both operands may have valid bounds
2679 (e.g. pointer minus pointer). In such case
2680 use default invalid op bounds. */
2684 }
2714 /* No valid bounds may be produced by these exprs. */
2719 {
2730 else
2731 {
2740 }
2741 }
2746 {
2755 else
2756 {
2767 }
2768 }
2775 }
2779 /* We may reuse bounds of other pointer we copy/modify. But it is not
2780 allowed for abnormal ssa names. If we produced a pointer using
2781 abnormal ssa name, we better make a bounds copy to avoid coalescing
2782 issues. */
2786 {
2790 }
2796 }
2798 /* Compute bounds for ssa name NODE defined by DEF_STMT pointed by ITER.
2800 There are just few statement codes allowed: NOP (for default ssa names),
2801 ASSIGN, CALL, PHI, ASM.
2803 Return computed bounds. */
2804 static tree
2807 {
2813 {
2819 }
2822 {
2826 {
2832 /* For uninitialized pointers use none bounds. */
2838 {
2839 tree base_type;
2852 }
2857 {
2860 }
2863 }
2878 else
2880 NULL,
2881 CHKP_BOUND_TMP_NAME);
2882 else
2890 /* Created bounds do not have all phi args computed and
2891 therefore we do not know if there is a valid source
2892 of bounds for that node. Therefore we mark bounds
2893 as incomplete and then recompute them when all phi
2894 args are computed. */
2906 }
2909 }
2911 /* Return CALL_EXPR for bndmk with specified LOWER_BOUND and SIZE. */
2912 tree
2914 {
2917 chkp_bndmk_fndecl);
2920 }
2922 /* Create static bounds var of specfified OBJ which is
2923 is either VAR_DECL or string constant. */
2924 static tree
2926 {
2932 tree bnd_var;
2934 /* First check if we already have required var. */
2936 {
2937 /* For vars we use assembler name as a key in
2938 chkp_static_var_bounds map. It allows to
2939 avoid duplicating bound vars for decls
2940 sharing assembler name. */
2942 {
2947 }
2948 else
2949 {
2953 }
2954 }
2956 /* Build decl for bounds var. */
2958 {
2960 {
2963 }
2964 else
2965 {
2968 /* For hidden symbols we want to skip first '*' char. */
2970 var_name++;
2976 }
2980 pointer_bounds_type_node);
2982 /* Address of the obj will be used as lower bound. */
2984 }
2985 else
2986 {
2992 pointer_bounds_type_node);
2993 }
3007 /* Force output similar to constant bounds.
3008 See chkp_make_static_const_bounds. */
3010 /* Mark symbol as requiring bounds initialization. */
3014 /* Add created var to the map to use it for other references
3015 to obj. */
3020 {
3023 }
3024 else
3028 }
3030 /* When var has incomplete type we cannot get size to
3031 compute its bounds. In such cases we use checker
3032 builtin call which determines object size at runtime. */
3033 static tree
3035 {
3037 gimple_stmt_iterator gsi;
3041 /* If instrumentation is not enabled for vars having
3042 incomplete type then just return zero bounds to avoid
3043 checks for this var. */
3048 {
3052 }
3065 {
3066 /* We should check that size relocation was resolved.
3067 If it was not then use maximum possible size for the var. */
3076 }
3077 else
3078 {
3081 }
3089 }
3091 /* Return 1 if TYPE has fields with zero size or fields
3092 marked with chkp_variable_size attribute. */
3093 bool
3095 {
3097 tree field;
3101 {
3103 res = res
3106 }
3107 else
3113 }
3115 /* Compute and return bounds for address of DECL which is
3116 one of VAR_DECL, PARM_DECL, RESULT_DECL. */
3117 static tree
3119 {
3120 tree bounds;
3132 {
3136 }
3138 /* Use zero bounds if size is unknown and checks for
3139 unknown sizes are restricted. */
3154 {
3162 }
3168 {
3171 }
3172 else
3173 {
3176 }
3179 }
3181 /* Compute and return bounds for constant string. */
3182 static tree
3184 {
3185 tree bounds;
3186 tree lb;
3187 tree size;
3198 {
3206 }
3207 else
3208 {
3212 }
3217 }
3219 /* Generate code to instersect bounds BOUNDS1 and BOUNDS2 and
3220 return the result. if ITER is not NULL then Code is inserted
3221 before position pointed by ITER. Otherwise code is added to
3222 entry block. */
3223 static tree
3225 {
3230 else
3231 {
3232 gimple_seq seq;
3234 tree bounds;
3246 /* We are probably doing narrowing for constant expression.
3247 In such case iter may be undefined. */
3249 {
3253 }
3254 else
3258 {
3264 }
3267 }
3268 }
3270 /* Return 1 if we are allowed to narrow bounds for addressed FIELD
3271 and 0 othersize. REF is reference to the field. */
3273 static bool
3275 {
3278 && !(flag_chkp_flexible_struct_trailing_arrays
3286 }
3288 /* Return 1 if bounds for FIELD should be narrowed to
3289 field's own size. REF is reference to the field. */
3291 static bool
3293 {
3294 HOST_WIDE_INT offs;
3295 HOST_WIDE_INT bit_offs;
3300 /* Access to compiler generated fields should not cause
3301 bounds narrowing. */
3309 && (flag_chkp_first_field_has_own_bounds
3310 || offs
3312 }
3314 /* Perform narrowing for BOUNDS of an INNER reference. Shift boundary
3315 by OFFSET bytes and limit to SIZE bytes. Newly created statements are
3316 added to ITER. */
3318 static tree
3321 {
3338 }
3340 /* Perform narrowing for BOUNDS using bounds computed for field
3341 access COMPONENT. ITER meaning is the same as for
3342 chkp_intersect_bounds. */
3344 static tree
3347 {
3351 tree field_bounds;
3356 }
3358 /* Parse field or array access NODE.
3360 PTR ouput parameter holds a pointer to the outermost
3361 object.
3363 BITFIELD output parameter is set to 1 if bitfield is
3364 accessed and to 0 otherwise. If it is 1 then ELT holds
3365 outer component for accessed bit field.
3367 SAFE outer parameter is set to 1 if access is safe and
3368 checks are not required.
3370 BOUNDS outer parameter holds bounds to be used to check
3371 access (may be NULL).
3373 If INNERMOST_BOUNDS is 1 then try to narrow bounds to the
3374 innermost accessed component. */
3375 static void
3382 {
3387 tree var;
3391 /* Compute tree height for expression. */
3398 {
3400 len++;
3401 }
3405 /* It is more convenient for us to scan left-to-right,
3406 so walk tree again and put all node to nodes vector
3407 in reversed order. */
3419 /* To get bitfield address we will need outer element. */
3422 else
3425 /* If we have indirection in expression then compute
3426 outermost structure bounds. Computed bounds may be
3427 narrowed later. */
3429 {
3434 }
3435 else
3436 {
3444 }
3446 /* In this loop we are trying to find a field access
3447 requiring narrowing. There are two simple rules
3448 for search:
3449 1. Leftmost array_ref is chosen if any.
3450 2. Rightmost suitable component_ref is chosen if innermost
3451 bounds are required and no array_ref exists. */
3453 {
3457 {
3461 && !flag_chkp_narrow_to_innermost_arrray
3462 && (!last_comp
3465 {
3468 }
3469 }
3471 {
3475 && !array_ref_found
3481 && flag_chkp_narrow_to_innermost_arrray
3483 {
3487 }
3488 }
3490 {
3492 {
3495 *bounds
3498 }
3499 }
3501 /* Nothing to do for it. */
3502 ;
3503 else
3505 }
3512 }
3514 /* Parse BIT_FIELD_REF to a NODE for a given location LOC. Return OFFSET
3515 and SIZE in bytes. */
3517 static
3520 {
3533 }
3535 /* Compute and return bounds for address of OBJ. */
3536 static tree
3538 {
3545 {
3559 {
3560 tree elt;
3561 tree ptr;
3569 }
3588 {
3593 }
3597 }
3602 }
3604 /* Compute bounds for pointer PTR loaded from PTR_SRC. Generate statements
3605 to compute bounds if required. Computed bounds should be available at
3606 position pointed by ITER.
3608 If PTR_SRC is NULL_TREE then pointer definition is identified.
3610 If PTR_SRC is not NULL_TREE then ITER points to statements which loads
3611 PTR. If PTR is a any memory reference then ITER points to a statement
3612 after which bndldx will be inserterd. In both cases ITER will be updated
3613 to point to the inserted bndldx statement. */
3615 static tree
3617 {
3630 {
3636 else
3637 {
3640 }
3641 else
3651 {
3655 else
3656 {
3659 }
3660 else
3662 }
3663 else
3664 {
3667 }
3671 /* Handled above but failed. */
3683 {
3685 gphi_iterator phi_iter;
3692 {
3696 {
3698 tree arg_bnd;
3703 /* chkp_get_bounds_by_definition created new phi
3704 statement and phi_iter points to it.
3706 Previous call to chkp_find_bounds could create
3707 new basic block and therefore change phi statement
3708 phi_iter points to. */
3713 UNKNOWN_LOCATION);
3714 }
3716 /* If all bound phi nodes have their arg computed
3717 then we may finish its computation. See
3718 chkp_finish_incomplete_bounds for more details. */
3721 }
3725 }
3736 else
3742 {
3746 }
3749 }
3752 {
3754 {
3757 }
3759 }
3762 }
3764 /* Normal case for bounds search without forced narrowing. */
3765 static tree
3767 {
3769 }
3771 /* Search bounds for pointer PTR loaded from PTR_SRC
3772 by statement *ITER points to. */
3773 static tree
3775 {
3777 }
3779 /* Helper function which checks type of RHS and finds all pointers in
3780 it. For each found pointer we build it's accesses in LHS and RHS
3781 objects and then call HANDLER for them. Function is used to copy
3782 or initilize bounds for copied object. */
3783 static void
3785 assign_handler handler)
3786 {
3789 /* We have nothing to do with clobbers. */
3796 {
3797 tree field;
3800 {
3802 tree val;
3805 {
3807 {
3810 }
3811 }
3812 }
3813 else
3817 {
3821 }
3822 }
3824 {
3831 {
3836 {
3838 {
3844 cur++)
3845 {
3848 }
3849 }
3850 else
3851 {
3853 {
3856 }
3861 }
3862 }
3863 }
3864 /* Copy array only when size is known. */
3867 {
3871 }
3872 }
3873 else
3876 }
3878 /* Add code to copy bounds for assignment of RHS to LHS.
3879 ARG is an iterator pointing ne code position. */
3880 static void
3882 {
3888 }
3890 /* Emit static bound initilizers and size vars. */
3891 void
3893 {
3900 /* Iterate through varpool and generate bounds initialization
3901 constructors for all statically initialized pointers. */
3905 /* Check that var is actually emitted and we need and may initialize
3906 its bounds. */
3912 {
3916 chkp_add_modification_to_stmt_list);
3919 {
3924 }
3925 }
3931 /* Iterate through varpool and generate bounds initialization
3932 constructors for all static bounds vars. */
3939 {
3941 tree var;
3948 }
3956 }
3958 /* An instrumentation function which is called for each statement
3959 having memory access we want to instrument. It inserts check
3960 code and bounds copy code.
3962 ITER points to statement to instrument.
3964 NODE holds memory access in statement to check.
3966 LOC holds the location information for statement.
3968 DIRFLAGS determines whether access is read or write.
3970 ACCESS_OFFS should be added to address used in NODE
3971 before check.
3973 ACCESS_SIZE holds size of checked access.
3975 SAFE indicates if NODE access is safe and should not be
3976 checked. */
3977 static void
3982 {
3990 /* We do not need instrumentation for clobbers. */
3997 {
4000 {
4002 tree elt;
4005 {
4006 /* We are not going to generate any checks, so do not
4007 generate bounds as well. */
4010 }
4015 /* Break if there is no dereference and operation is safe. */
4018 {
4028 addr_first,
4030 }
4031 else
4033 }
4059 {
4070 }
4086 }
4088 /* If addr_last was not computed then use (addr_first + size - 1)
4089 expression to compute it. */
4091 {
4094 }
4096 /* Shift both first_addr and last_addr by access_offs if specified. */
4098 {
4101 }
4103 /* Generate bndcl/bndcu checks if memory access is not safe. */
4105 {
4113 }
4115 /* We need to store bounds in case pointer is stored. */
4119 {
4126 chkp_copy_bounds_for_elem);
4127 else
4128 {
4131 }
4132 }
4133 }
4135 /* Add code to copy bounds for all pointers copied
4136 in ASSIGN created during inline of EDGE. */
4137 void
4139 {
4149 /* We should create edges for all created calls to bndldx and bndstx. */
4151 {
4154 {
4169 }
4171 }
4172 }
4174 /* Some code transformation made during instrumentation pass
4175 may put code into inconsistent state. Here we find and fix
4176 such flaws. */
4177 void
4179 {
4180 basic_block bb;
4181 gimple_stmt_iterator i;
4183 /* We could insert some code right after stmt which ends bb.
4184 We wanted to put this code on fallthru edge but did not
4185 add new edges from the beginning because it may cause new
4186 phi node creation which may be incorrect due to incomplete
4187 bound phi nodes. */
4190 {
4198 {
4205 /* We cannot split abnormal edge. Therefore we
4206 store its params, make it regular and then
4207 rebuild abnormal edge after split. */
4209 {
4214 }
4217 {
4221 }
4225 /* Re-create abnormal edge. */
4228 }
4229 }
4230 }
4232 /* Walker callback for chkp_replace_function_pointers. Replaces
4233 function pointer in the specified operand with pointer to the
4234 instrumented function version. */
4235 static tree
4238 {
4242 /* For builtins we replace pointers only for selected
4243 function and functions having definitions. */
4247 {
4257 }
4260 }
4262 /* This function searches for function pointers in statement
4263 pointed by GSI and replaces them with pointers to instrumented
4264 function versions. */
4265 static void
4267 {
4269 /* For calls we want to walk call args only. */
4271 {
4276 }
4277 else
4279 }
4281 /* This function instruments all statements working with memory,
4282 calls and rets.
4284 It also removes excess statements from static initializers. */
4285 static void
4287 {
4289 gimple_stmt_iterator i;
4294 do
4295 {
4298 {
4301 /* Skip statement marked to not be instrumented. */
4303 {
4306 }
4311 {
4327 {
4330 {
4333 integer_zero_node,
4336 /* Additionally we need to add bounds
4337 to return statement. */
4339 }
4340 }
4348 ;
4349 }
4353 /* We do not need any actual pointer stores in checker
4354 static initializer. */
4358 {
4363 }
4364 }
4366 }
4369 /* Some input params may have bounds and be address taken. In this case
4370 we should store incoming bounds into bounds table. */
4371 tree arg;
4375 {
4377 {
4380 gimple_stmt_iterator iter
4386 /* Skip bounds arg. */
4388 }
4390 {
4393 gimple_stmt_iterator iter
4395 bitmap_iterator bi;
4401 {
4411 }
4413 }
4414 }
4415 }
4417 /* Find init/null/copy_ptr_bounds calls and replace them
4418 with assignments. It should allow better code
4419 optimization. */
4421 static void
4423 {
4424 basic_block bb;
4425 gimple_stmt_iterator gsi;
4428 {
4430 {
4432 tree fndecl;
4435 /* Find builtins returning first arg and replace
4436 them with assignments. */
4445 {
4450 }
4451 }
4452 }
4453 }
4455 /* Initialize pass. */
4456 static void
4458 {
4459 basic_block bb;
4460 gimple_stmt_iterator i;
4489 /* We create these constant bounds once for each object file.
4490 These symbols go to comdat section and result in single copy
4491 of each one in the final binary. */
4499 }
4501 /* Finalize instrumentation pass. */
4502 static void
4504 {
4520 }
4522 /* Main instrumentation pass function. */
4523 static unsigned int
4525 {
4539 }
4541 /* Instrumentation pass gate. */
4542 static bool
4544 {
4549 }
4554 {
4563 TODO_verify_il
4565 };
4568 {
4572 {}
4574 /* opt_pass methods: */
4576 {
4578 }
4581 {
4583 }
4586 {
4588 }
4594 gimple_opt_pass *
4596 {
4598 }