| blob | 8276f12cc69438b99aa87cf318963397da344ec9 |
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2022 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
68 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
69 with <2x slowdown on average.
71 The tool consists of two parts:
72 instrumentation module (this file) and a run-time library.
73 The instrumentation module adds a run-time check before every memory insn.
74 For a 8- or 16- byte load accessing address X:
75 ShadowAddr = (X >> 3) + Offset
76 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
77 if (ShadowValue)
78 __asan_report_load8(X);
79 For a load of N bytes (N=1, 2 or 4) from address X:
80 ShadowAddr = (X >> 3) + Offset
81 ShadowValue = *(char*)ShadowAddr;
82 if (ShadowValue)
83 if ((X & 7) + N - 1 > ShadowValue)
84 __asan_report_loadN(X);
85 Stores are instrumented similarly, but using __asan_report_storeN functions.
86 A call too __asan_init_vN() is inserted to the list of module CTORs.
87 N is the version number of the AddressSanitizer API. The changes between the
88 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
90 The run-time library redefines malloc (so that redzone are inserted around
91 the allocated memory) and free (so that reuse of free-ed memory is delayed),
92 provides __asan_report* and __asan_init_vN functions.
94 Read more:
95 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
97 The current implementation supports detection of out-of-bounds and
98 use-after-free in the heap, on the stack and for global variables.
100 [Protection of stack variables]
102 To understand how detection of out-of-bounds and use-after-free works
103 for stack variables, lets look at this example on x86_64 where the
104 stack grows downward:
106 int
107 foo ()
108 {
109 char a[24] = {0};
110 int b[2] = {0};
112 a[5] = 1;
113 b[1] = 2;
115 return a[5] + b[1];
116 }
118 For this function, the stack protected by asan will be organized as
119 follows, from the top of the stack to the bottom:
121 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
123 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
124 the next slot be 32 bytes aligned; this one is called Partial
125 Redzone; this 32 bytes alignment is an asan constraint]
127 Slot 3/ [24 bytes for variable 'a']
129 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
131 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
133 Slot 6/ [8 bytes for variable 'b']
135 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
136 'LEFT RedZone']
138 The 32 bytes of LEFT red zone at the bottom of the stack can be
139 decomposed as such:
141 1/ The first 8 bytes contain a magical asan number that is always
142 0x41B58AB3.
144 2/ The following 8 bytes contains a pointer to a string (to be
145 parsed at runtime by the runtime asan library), which format is
146 the following:
148 "<function-name> <space> <num-of-variables-on-the-stack>
149 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
150 <length-of-var-in-bytes> ){n} "
152 where '(...){n}' means the content inside the parenthesis occurs 'n'
153 times, with 'n' being the number of variables on the stack.
155 3/ The following 8 bytes contain the PC of the current function which
156 will be used by the run-time library to print an error message.
158 4/ The following 8 bytes are reserved for internal use by the run-time.
160 The shadow memory for that stack layout is going to look like this:
162 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
163 The F1 byte pattern is a magic number called
164 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
165 the memory for that shadow byte is part of a the LEFT red zone
166 intended to seat at the bottom of the variables on the stack.
168 - content of shadow memory 8 bytes for slots 6 and 5:
169 0xF4F4F400. The F4 byte pattern is a magic number
170 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
171 memory region for this shadow byte is a PARTIAL red zone
172 intended to pad a variable A, so that the slot following
173 {A,padding} is 32 bytes aligned.
175 Note that the fact that the least significant byte of this
176 shadow memory content is 00 means that 8 bytes of its
177 corresponding memory (which corresponds to the memory of
178 variable 'b') is addressable.
180 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
181 The F2 byte pattern is a magic number called
182 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
183 region for this shadow byte is a MIDDLE red zone intended to
184 seat between two 32 aligned slots of {variable,padding}.
186 - content of shadow memory 8 bytes for slot 3 and 2:
187 0xF4000000. This represents is the concatenation of
188 variable 'a' and the partial red zone following it, like what we
189 had for variable 'b'. The least significant 3 bytes being 00
190 means that the 3 bytes of variable 'a' are addressable.
192 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
193 The F3 byte pattern is a magic number called
194 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
195 region for this shadow byte is a RIGHT red zone intended to seat
196 at the top of the variables of the stack.
198 Note that the real variable layout is done in expand_used_vars in
199 cfgexpand.cc. As far as Address Sanitizer is concerned, it lays out
200 stack variables as well as the different red zones, emits some
201 prologue code to populate the shadow memory as to poison (mark as
202 non-accessible) the regions of the red zones and mark the regions of
203 stack variables as accessible, and emit some epilogue code to
204 un-poison (mark as accessible) the regions of red zones right before
205 the function exits.
207 [Protection of global variables]
209 The basic idea is to insert a red zone between two global variables
210 and install a constructor function that calls the asan runtime to do
211 the populating of the relevant shadow memory regions at load time.
213 So the global variables are laid out as to insert a red zone between
214 them. The size of the red zones is so that each variable starts on a
215 32 bytes boundary.
217 Then a constructor function is installed so that, for each global
218 variable, it calls the runtime asan library function
219 __asan_register_globals_with an instance of this type:
221 struct __asan_global
222 {
223 // Address of the beginning of the global variable.
224 const void *__beg;
226 // Initial size of the global variable.
227 uptr __size;
229 // Size of the global variable + size of the red zone. This
230 // size is 32 bytes aligned.
231 uptr __size_with_redzone;
233 // Name of the global variable.
234 const void *__name;
236 // Name of the module where the global variable is declared.
237 const void *__module_name;
239 // 1 if it has dynamic initialization, 0 otherwise.
240 uptr __has_dynamic_init;
242 // A pointer to struct that contains source location, could be NULL.
243 __asan_global_source_location *__location;
244 }
246 A destructor function that calls the runtime asan library function
247 _asan_unregister_globals is also installed. */
254 /* Set of variable declarations that are going to be guarded by
255 use-after-scope sanitizer. */
261 /* Global variables for HWASAN stack tagging. */
262 /* hwasan_frame_tag_offset records the offset from the frame base tag that the
263 next object should have. */
265 /* hwasan_frame_base_ptr is a pointer with the same address as
266 `virtual_stack_vars_rtx` for the current frame, and with the frame base tag
267 stored in it. N.b. this global RTX does not need to be marked GTY, but is
268 done so anyway. The need is not there since all uses are in just one pass
269 (cfgexpand) and there are no calls to ggc_collect between the uses. We mark
270 it GTY(()) anyway to allow the use of the variable later on if needed by
271 future features. */
273 /* hwasan_frame_base_init_seq is the sequence of RTL insns that will initialize
274 the hwasan_frame_base_ptr. When the hwasan_frame_base_ptr is requested, we
275 generate this sequence but do not emit it. If the sequence was created it
276 is emitted once the function body has been expanded.
278 This delay is because the frame base pointer may be needed anywhere in the
279 function body, or needed by the expand_used_vars function. Emitting once in
280 a known place is simpler than requiring the emission of the instructions to
281 be know where it should go depending on the first place the hwasan frame
282 base is needed. */
285 /* Structure defining the extent of one object on the stack that HWASAN needs
286 to tag in the corresponding shadow stack space.
288 The range this object spans on the stack is between `untagged_base +
289 nearest_offset` and `untagged_base + farthest_offset`.
290 `tagged_base` is an rtx containing the same value as `untagged_base` but
291 with a random tag stored in the top byte. We record both `untagged_base`
292 and `tagged_base` so that `hwasan_emit_prologue` can use both without having
293 to emit RTL into the instruction stream to re-calculate one from the other.
294 (`hwasan_emit_prologue` needs to use both bases since the
295 __hwasan_tag_memory call it emits uses an untagged value, and it calculates
296 the tag to store in shadow memory based on the tag_offset plus the tag in
297 tagged_base). */
298 struct hwasan_stack_var
299 {
300 rtx untagged_base;
301 rtx tagged_base;
302 poly_int64 nearest_offset;
303 poly_int64 farthest_offset;
305 };
307 /* Variable recording all stack variables that HWASAN needs to tag.
308 Does not need to be marked as GTY(()) since every use is in the cfgexpand
309 pass and gcc_collect is not called in the middle of that pass. */
313 /* Sets shadow offset to value in string VAL. */
315 bool
317 {
321 #ifdef HAVE_LONG_LONG
323 #else
325 #endif
332 }
334 /* Set list of user-defined sections that need to be sanitized. */
336 void
338 {
346 {
352 }
353 }
355 bool
357 {
360 }
362 bool
364 {
366 }
368 bool
370 {
372 }
374 bool
376 {
378 }
380 bool
382 {
384 }
386 bool
388 {
390 }
393 /* Checks whether section SEC should be sanitized. */
395 static bool
397 {
404 }
406 /* Returns Asan shadow offset. */
408 static unsigned HOST_WIDE_INT
410 {
412 {
415 }
417 }
419 /* Returns Asan shadow offset has been set. */
420 bool
422 {
424 }
428 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
429 alias set is used for all shadow memory accesses. */
432 /* Decl for __asan_option_detect_stack_use_after_return. */
435 /* Hashtable support for memory references used by gimple
436 statements. */
438 /* This type represents a reference to a memory region. */
439 struct asan_mem_ref
440 {
441 /* The expression of the beginning of the memory region. */
442 tree start;
444 /* The size of the access. */
445 HOST_WIDE_INT access_size;
446 };
450 /* Initializes an instance of asan_mem_ref. */
452 static void
454 {
457 }
459 /* Allocates memory for an instance of asan_mem_ref into the memory
460 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
461 START is the address of (or the expression pointing to) the
462 beginning of memory reference. ACCESS_SIZE is the size of the
463 access to the referenced memory. */
467 {
472 }
474 /* This builds and returns a pointer to the end of the memory region
475 that starts at START and of length LEN. */
477 tree
479 {
487 }
489 /* Return a tree expression that represents the end of the referenced
490 memory region. Beware that this function can actually build a new
491 tree expression. */
493 tree
495 {
497 }
500 {
503 };
505 /* Hash a memory reference. */
507 inline hashval_t
509 {
511 }
513 /* Compare two memory references. We accept the length of either
514 memory references to be NULL_TREE. */
519 {
521 }
525 /* Returns a reference to the hash table containing memory references.
526 This function ensures that the hash table is created. Note that
527 this hash table is updated by the function
528 update_mem_ref_hash_table. */
532 {
537 }
539 /* Clear all entries from the memory references hash table. */
541 static void
543 {
546 }
548 /* Free the memory references hash table. */
550 static void
552 {
557 }
559 /* Return true iff the memory reference REF has been instrumented. */
561 static bool
563 {
564 asan_mem_ref r;
569 }
571 /* Return true iff the memory reference REF has been instrumented. */
573 static bool
575 {
577 }
579 /* Return true iff access to memory region starting at REF and of
580 length LEN has been instrumented. */
582 static bool
584 {
585 HOST_WIDE_INT size_in_bytes
590 }
592 /* Set REF to the memory reference present in a gimple assignment
593 ASSIGNMENT. Return true upon successful completion, false
594 otherwise. */
596 static bool
600 {
605 {
608 }
610 {
613 }
614 else
619 }
621 /* Return address of last allocated dynamic alloca. */
623 static tree
625 {
634 }
636 /* Insert __asan_allocas_unpoison (top, bottom) call before
637 __builtin_stack_restore (new_sp) call.
638 The pseudocode of this routine should look like this:
639 top = last_alloca_addr;
640 bot = new_sp;
641 __asan_allocas_unpoison (top, bot);
642 last_alloca_addr = new_sp;
643 __builtin_stack_restore (new_sp);
644 In general, we can't use new_sp as bot parameter because on some
645 architectures SP has non zero offset from dynamic stack area. Moreover, on
646 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each
647 particular function only after all callees were expanded to rtl.
648 The most noticeable example is PowerPC{,64}, see
649 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
650 To overcome the issue we use following trick: pass new_sp as a second
651 parameter to __asan_allocas_unpoison and rewrite it during expansion with
652 new_sp + (virtual_dynamic_stack_rtx - sp) later in
653 expand_asan_emit_allocas_unpoison function.
655 HWASAN needs to do very similar, the eventual pseudocode should be:
656 __hwasan_tag_memory (virtual_stack_dynamic_rtx,
657 0,
658 new_sp - sp);
659 __builtin_stack_restore (new_sp)
661 Need to use the same trick to handle STACK_DYNAMIC_OFFSET as described
662 above. */
664 static void
666 {
676 {
678 /* There is only one piece of information `expand_HWASAN_ALLOCA_UNPOISON`
679 needs to work. This is the length of the area that we're
680 deallocating. Since the stack pointer is known at expand time, the
681 position of the new stack pointer after deallocation is enough
682 information to calculate this length. */
684 }
685 else
686 {
692 }
695 }
697 /* Deploy and poison redzones around __builtin_alloca call. To do this, we
698 should replace this call with another one with changed parameters and
699 replace all its uses with new address, so
700 addr = __builtin_alloca (old_size, align);
701 is replaced by
702 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
703 Following two statements are optimized out if we know that
704 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
705 redzone.
706 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
707 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
708 right_redzone_size = ASAN_RED_ZONE_SIZE;
709 additional_size = left_redzone_size + partial_redzone_size +
710 right_redzone_size;
711 new_size = old_size + additional_size;
712 new_alloca = __builtin_alloca (new_size, max (align, 32))
713 __asan_alloca_poison (new_alloca, old_size)
714 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
715 last_alloca_addr = new_alloca;
716 ADDITIONAL_SIZE is added to make new memory allocation contain not only
717 requested memory, but also left, partial and right redzones as well as some
718 additional space, required by alignment. */
720 static void
722 {
734 unsigned int align
741 {
746 }
749 {
752 /*
753 HWASAN needs a different expansion.
755 addr = __builtin_alloca (size, align);
757 should be replaced by
759 new_size = size rounded up to HWASAN_TAG_GRANULE_SIZE byte alignment;
760 untagged_addr = __builtin_alloca (new_size, align);
761 tag = __hwasan_choose_alloca_tag ();
762 addr = ifn_HWASAN_SET_TAG (untagged_addr, tag);
763 __hwasan_tag_memory (untagged_addr, tag, new_size);
764 */
765 /* Ensure alignment at least HWASAN_TAG_GRANULE_SIZE bytes so we start on
766 a tag granule. */
771 old_size,
772 HWASAN_TAG_GRANULE_SIZE);
774 /* Make the alloca call */
775 tree untagged_addr
780 /* Choose the tag.
781 Here we use an internal function so we can choose the tag at expand
782 time. We need the decision to be made after stack variables have been
783 assigned their tag (i.e. once the hwasan_frame_tag_offset variable has
784 been set to one after the last stack variables tag). */
786 unsigned_char_type_node);
788 /* Add tag to pointer. */
789 tree addr
793 /* Tag shadow memory.
794 NOTE: require using `untagged_addr` here for libhwasan API. */
798 /* Insert the built up code sequence into the original instruction stream
799 the iterator points to. */
802 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
805 }
810 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
811 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
812 manually. */
818 /* Extract lower bits from old_size. */
820 wide_int rz_mask
824 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
825 redzone. Otherwise, compute its size here. */
827 {
828 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
829 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
838 }
840 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
843 /* If alloca has partial redzone, include it to additional_size too. */
845 {
846 /* additional_size += partial_size. */
851 }
853 /* new_size = old_size + additional_size. */
855 additional_size);
859 /* Build new __builtin_alloca call:
860 new_alloca_with_rz = __builtin_alloca (new_size, align). */
867 {
870 }
871 else
874 /* new_alloca = new_alloca_with_rz + align. */
876 new_alloca_with_rz,
881 {
884 }
885 else
889 /* Poison newly created alloca redzones:
890 __asan_alloca_poison (new_alloca, old_size). */
895 else
898 /* Save new_alloca_with_rz value into last_alloca to use it during
899 allocas unpoisoning. */
903 else
906 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
908 {
911 }
912 else
914 }
916 /* Return the memory references contained in a gimple statement
917 representing a builtin call that has to do with memory access. */
919 static bool
933 {
945 {
946 /* (s, s, n) style memops. */
954 /* (src, dest, n) style memops. */
961 /* (dest, src, n) style memops. */
973 /* (dest, n) style memops. */
979 /* (dest, x, n) style memops*/
987 /* Special case strlen here since its length is taken from its return
988 value.
990 The approach taken by the sanitizers is to check a memory access
991 before it's taken. For ASAN strlen is intercepted by libasan, so no
992 check is inserted by the compiler.
994 This function still returns `true` and provides a length to the rest
995 of the ASAN pass in order to record what areas have been checked,
996 avoiding superfluous checks later on.
998 HWASAN does not intercept any of these internal functions.
999 This means that checks for memory accesses must be inserted by the
1000 compiler.
1001 strlen is a special case, because we can tell the length from the
1002 return of the function, but that is not known until after the function
1003 has returned.
1005 Hence we can't check the memory access before it happens.
1006 We could check the memory access after it has already happened, but
1007 for now we choose to just ignore `strlen` calls.
1008 This decision was simply made because that means the special case is
1009 limited to this one case of this one function. */
1020 CASE_BUILT_IN_ALLOCA:
1023 /* And now the __atomic* and __sync builtins.
1024 These are handled differently from the classical memory
1025 access builtins above. */
1029 /* FALLTHRU */
1066 /* FALLTHRU */
1103 /* FALLTHRU */
1140 /* FALLTHRU */
1177 /* FALLTHRU */
1210 /* FALLTHRU */
1211 do_atomic:
1212 {
1214 /* DEST represents the address of a memory location.
1215 instrument_derefs wants the memory location, so lets
1216 dereference the address DEST before handing it to
1217 instrument_derefs. */
1223 }
1226 /* The other builtins memory access are not instrumented in this
1227 function because they either don't have any length parameter,
1228 or their length parameter is just a limit. */
1230 }
1233 {
1235 {
1240 }
1243 {
1248 }
1251 {
1256 }
1259 }
1261 {
1268 }
1271 }
1273 /* Return true iff a given gimple statement has been instrumented.
1274 Note that the statement is "defined" by the memory references it
1275 contains. */
1277 static bool
1279 {
1281 {
1283 asan_mem_ref r;
1288 {
1292 {
1293 asan_mem_ref src;
1299 }
1301 }
1302 }
1304 {
1318 {
1332 }
1333 }
1335 {
1336 asan_mem_ref r;
1342 }
1345 }
1347 /* Insert a memory reference into the hash table. */
1349 static void
1351 {
1354 asan_mem_ref r;
1360 }
1362 /* Initialize shadow_ptr_types array. */
1364 static void
1366 {
1369 integer_type_node };
1372 {
1376 }
1379 }
1381 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
1383 static tree
1385 {
1395 }
1397 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1398 though. */
1400 static void
1402 {
1416 {
1419 }
1438 }
1440 void
1442 {
1446 current_function_funcdef_no);
1447 }
1449 /* Return number of shadow bytes that are occupied by a local variable
1450 of SIZE bytes. */
1452 static unsigned HOST_WIDE_INT
1454 {
1455 /* It must be possible to align stack variables to granularity
1456 of shadow memory. */
1461 }
1463 /* Always emit 4 bytes at a time. */
1464 #define RZ_BUFFER_SIZE 4
1466 /* ASAN redzone buffer container that handles emission of shadow bytes. */
1467 class asan_redzone_buffer
1468 {
1470 /* Constructor. */
1474 {}
1476 /* Emit VALUE shadow byte at a given OFFSET. */
1479 /* Emit RTX emission of the content of the buffer. */
1483 /* Flush if the content of the buffer is full
1484 (equal to RZ_BUFFER_SIZE). */
1487 /* Memory where we last emitted a redzone payload. */
1488 rtx m_shadow_mem;
1490 /* Relative offset where we last emitted a redzone payload. */
1491 HOST_WIDE_INT m_prev_offset;
1493 /* Relative original offset. Used for checking only. */
1494 HOST_WIDE_INT m_original_offset;
1497 /* Buffer with redzone payload. */
1499 };
1501 /* Emit VALUE shadow byte at a given OFFSET. */
1503 void
1506 {
1510 HOST_WIDE_INT off
1517 {
1518 /* Shadow memory byte with a small gap. */
1521 }
1522 else
1523 {
1527 /* Maybe start earlier in order to use aligned store. */
1530 {
1534 }
1536 /* Adjust m_prev_offset and m_shadow_mem. */
1541 }
1544 }
1546 /* Emit RTX emission of the content of the buffer. */
1548 void
1550 {
1556 /* Be sure we always emit to an aligned address. */
1560 /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */
1571 {
1572 unsigned char v
1577 }
1586 }
1588 /* Flush if the content of the buffer is full
1589 (equal to RZ_BUFFER_SIZE). */
1591 void
1593 {
1596 }
1599 /* HWAddressSanitizer (hwasan) is a probabilistic method for detecting
1600 out-of-bounds and use-after-free bugs.
1601 Read more:
1602 http://code.google.com/p/address-sanitizer/
1604 Similar to AddressSanitizer (asan) it consists of two parts: the
1605 instrumentation module in this file, and a run-time library.
1607 The instrumentation module adds a run-time check before every memory insn in
1608 the same manner as asan (see the block comment for AddressSanitizer above).
1609 Currently, hwasan only adds out-of-line instrumentation, where each check is
1610 implemented as a function call to the run-time library. Hence a check for a
1611 load of N bytes from address X would be implemented with a function call to
1612 __hwasan_loadN(X), and checking a store of N bytes from address X would be
1613 implemented with a function call to __hwasan_storeN(X).
1615 The main difference between hwasan and asan is in the information stored to
1616 help this checking. Both sanitizers use a shadow memory area which stores
1617 data recording the state of main memory at a corresponding address.
1619 For hwasan, each 16 byte granule in main memory has a corresponding 1 byte
1620 in shadow memory. This shadow address can be calculated with equation:
1621 (addr >> log_2(HWASAN_TAG_GRANULE_SIZE))
1622 + __hwasan_shadow_memory_dynamic_address;
1623 The conversion between real and shadow memory for asan is given in the block
1624 comment at the top of this file.
1625 The description of how this shadow memory is laid out for asan is in the
1626 block comment at the top of this file, here we describe how this shadow
1627 memory is used for hwasan.
1629 For hwasan, each variable is assigned a byte-sized 'tag'. The extent of
1630 the shadow memory for that variable is filled with the assigned tag, and
1631 every pointer referencing that variable has its top byte set to the same
1632 tag. The run-time library redefines malloc so that every allocation returns
1633 a tagged pointer and tags the corresponding shadow memory with the same tag.
1635 On each pointer dereference the tag found in the pointer is compared to the
1636 tag found in the shadow memory corresponding to the accessed memory address.
1637 If these tags are found to differ then this memory access is judged to be
1638 invalid and a report is generated.
1640 This method of bug detection is not perfect -- it can not catch every bad
1641 access -- but catches them probabilistically instead. There is always the
1642 possibility that an invalid memory access will happen to access memory
1643 tagged with the same tag as the pointer that this access used.
1644 The chances of this are approx. 0.4% for any two uncorrelated objects.
1646 Random tag generation can mitigate this problem by decreasing the
1647 probability that an invalid access will be missed in the same manner over
1648 multiple runs. i.e. if two objects are tagged the same in one run of the
1649 binary they are unlikely to be tagged the same in the next run.
1650 Both heap and stack allocated objects have random tags by default.
1652 [16 byte granule implications]
1653 Since the shadow memory only has a resolution on real memory of 16 bytes,
1654 invalid accesses that are within the same 16 byte granule as a valid
1655 address will not be caught.
1657 There is a "short-granule" feature in the runtime library which does catch
1658 such accesses, but this feature is not implemented for stack objects (since
1659 stack objects are allocated and tagged by compiler instrumentation, and
1660 this feature has not yet been implemented in GCC instrumentation).
1662 Another outcome of this 16 byte resolution is that each tagged object must
1663 be 16 byte aligned. If two objects were to share any 16 byte granule in
1664 memory, then they both would have to be given the same tag, and invalid
1665 accesses to one using a pointer to the other would be undetectable.
1667 [Compiler instrumentation]
1668 Compiler instrumentation ensures that two adjacent buffers on the stack are
1669 given different tags, this means an access to one buffer using a pointer
1670 generated from the other (e.g. through buffer overrun) will have mismatched
1671 tags and be caught by hwasan.
1673 We don't randomly tag every object on the stack, since that would require
1674 keeping many registers to record each tag. Instead we randomly generate a
1675 tag for each function frame, and each new stack object uses a tag offset
1676 from that frame tag.
1677 i.e. each object is tagged as RFT + offset, where RFT is the "random frame
1678 tag" generated for this frame.
1679 This means that randomisation does not peturb the difference between tags
1680 on tagged stack objects within a frame, but this is mitigated by the fact
1681 that objects with the same tag within a frame are very far apart
1682 (approx. 2^HWASAN_TAG_SIZE objects apart).
1684 As a demonstration, using the same example program as in the asan block
1685 comment above:
1687 int
1688 foo ()
1689 {
1690 char a[24] = {0};
1691 int b[2] = {0};
1693 a[5] = 1;
1694 b[1] = 2;
1696 return a[5] + b[1];
1697 }
1699 On AArch64 the stack will be ordered as follows for the above function:
1701 Slot 1/ [24 bytes for variable 'a']
1702 Slot 2/ [8 bytes padding for alignment]
1703 Slot 3/ [8 bytes for variable 'b']
1704 Slot 4/ [8 bytes padding for alignment]
1706 (The padding is there to ensure 16 byte alignment as described in the 16
1707 byte granule implications).
1709 While the shadow memory will be ordered as follows:
1711 - 2 bytes (representing 32 bytes in real memory) tagged with RFT + 1.
1712 - 1 byte (representing 16 bytes in real memory) tagged with RFT + 2.
1714 And any pointer to "a" will have the tag RFT + 1, and any pointer to "b"
1715 will have the tag RFT + 2.
1717 [Top Byte Ignore requirements]
1718 Hwasan requires the ability to store an 8 bit tag in every pointer. There
1719 is no instrumentation done to remove this tag from pointers before
1720 dereferencing, which means the hardware must ignore this tag during memory
1721 accesses.
1723 Architectures where this feature is available should indicate this using
1724 the TARGET_MEMTAG_CAN_TAG_ADDRESSES hook.
1726 [Stack requires cleanup on unwinding]
1727 During normal operation of a hwasan sanitized program more space in the
1728 shadow memory becomes tagged as the stack grows. As the stack shrinks this
1729 shadow memory space must become untagged. If it is not untagged then when
1730 the stack grows again (during other function calls later on in the program)
1731 objects on the stack that are usually not tagged (e.g. parameters passed on
1732 the stack) can be placed in memory whose shadow space is tagged with
1733 something else, and accesses can cause false positive reports.
1735 Hence we place untagging code on every epilogue of functions which tag some
1736 stack objects.
1738 Moreover, the run-time library intercepts longjmp & setjmp to untag when
1739 the stack is unwound this way.
1741 C++ exceptions are not yet handled, which means this sanitizer can not
1742 handle C++ code that throws exceptions -- it will give false positives
1743 after an exception has been thrown. The implementation that the hwasan
1744 library has for handling these relies on the frame pointer being after any
1745 local variables. This is not generally the case for GCC. */
1748 /* Returns whether we are tagging pointers and checking those tags on memory
1749 access. */
1750 bool
1752 {
1754 }
1756 /* Are we tagging the stack? */
1757 bool
1759 {
1761 }
1763 /* Are we tagging alloca objects? */
1764 bool
1766 {
1768 }
1770 /* Should we instrument reads? */
1771 bool
1773 {
1775 }
1777 /* Should we instrument writes? */
1778 bool
1780 {
1782 }
1784 /* Should we instrument builtin calls? */
1785 bool
1787 {
1789 }
1791 /* Insert code to protect stack vars. The prologue sequence should be emitted
1792 directly, epilogue sequence returned. BASE is the register holding the
1793 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1794 array contains pairs of offsets in reverse order, always the end offset
1795 of some gap that needs protection followed by starting offset,
1796 and DECLS is an array of representative decls for each var partition.
1797 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1798 elements long (OFFSETS include gap before the first variable as well
1799 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1800 register which stack vars DECL_RTLs are based on. Either BASE should be
1801 assigned to PBASE, when not doing use after return protection, or
1802 corresponding address based on __asan_stack_malloc* return value. */
1804 rtx_insn *
1807 {
1824 expanded_location cfun_xloc
1827 /* First of all, prepare the description string. */
1828 pretty_printer asan_pp;
1833 {
1840 expanded_location xloc
1846 else
1850 {
1851 unsigned idlen
1857 }
1858 else
1863 }
1866 /* Emit the prologue sequence. */
1869 {
1871 /* __asan_stack_malloc_N guarantees alignment
1872 N < 6 ? (64 << N) : 4096 bytes. */
1879 }
1881 /* Align base if target is STRICT_ALIGNMENT. */
1883 {
1884 const HOST_WIDE_INT align
1888 }
1898 {
1900 {
1903 integer_type_node);
1913 }
1922 use_after_return_class);
1928 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1929 and NULL otherwise. Check RET value is NULL here and jump over the
1930 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1941 }
1967 shadow_base
1981 {
1987 /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then
1988 the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0.
1989 In that case we have to emit one extra byte that will describe
1990 how many bytes (our of ASAN_SHADOW_GRANULARITY) can be accessed. */
1992 {
1993 HOST_WIDE_INT aoff
1998 }
2000 /* Calculate size of red zone payload. */
2002 {
2005 }
2008 }
2010 /* As the automatic variables are aligned to
2011 ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be
2012 flushed here. */
2017 /* Construct epilogue sequence. */
2022 {
2037 {
2038 /* Emit:
2039 memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
2040 **SavedFlagPtr(FakeStack, class_id) = 0
2041 */
2045 unsigned HOST_WIDE_INT offset
2055 }
2062 {
2064 use_after_return_class);
2072 }
2076 }
2089 {
2093 {
2101 }
2102 else
2108 /* Unpoison shadow memory that corresponds to a variable that is
2109 is subject of use-after-return sanitization. */
2111 {
2115 {
2118 {
2124 }
2127 }
2128 }
2129 last_size_aligned
2132 }
2134 {
2139 }
2141 /* Clean-up set with instrumented stack variables. */
2154 }
2156 /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds
2157 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE
2158 indicates whether we're emitting new instructions sequence or not. */
2160 rtx_insn *
2162 {
2165 else
2177 }
2179 /* Return true if DECL, a global var, might be overridden and needs
2180 therefore a local alias. */
2182 static bool
2184 {
2186 }
2188 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
2189 therefore doesn't need protection. */
2191 static bool
2193 {
2196 }
2198 /* Return true if DECL is a VAR_DECL that should be protected
2199 by Address Sanitizer, by appending a red zone with protected
2200 shadow memory after it and aligning it to at least
2201 ASAN_RED_ZONE_SIZE bytes. */
2203 bool
2205 {
2212 {
2213 /* Instrument all STRING_CSTs except those created
2214 by asan_pp_string here. */
2220 }
2222 /* TLS vars aren't statically protectable. */
2224 /* Externs will be protected elsewhere. */
2226 /* PR sanitizer/81697: For architectures that use section anchors first
2227 call to asan_protect_global may occur before DECL_RTL (decl) is set.
2228 We should ignore DECL_RTL_SET_P then, because otherwise the first call
2229 to asan_protect_global will return FALSE and the following calls on the
2230 same decl after setting DECL_RTL (decl) will return TRUE and we'll end
2231 up with inconsistency at runtime. */
2233 /* Comdat vars pose an ABI problem, we can't know if
2234 the var that is selected by the linker will have
2235 padding or not. */
2237 /* Similarly for common vars. People can use -fno-common.
2238 Note: Linux kernel is built with -fno-common, so we do instrument
2239 globals there even if it is C. */
2241 /* Don't protect if using user section, often vars placed
2242 into user section from multiple TUs are then assumed
2243 to be an array of such vars, putting padding in there
2244 breaks this assumption. */
2258 {
2268 }
2277 }
2279 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
2280 IS_STORE is either 1 (for a store) or 0 (for a load). */
2282 static tree
2285 {
2296 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
2297 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
2298 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
2299 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
2300 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
2302 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
2303 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
2304 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
2305 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
2306 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
2308 {
2311 }
2315 }
2317 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
2318 IS_STORE is either 1 (for a store) or 0 (for a load). */
2320 static tree
2323 {
2332 BUILT_IN_ASAN_LOAD2_NOABORT,
2333 BUILT_IN_ASAN_LOAD4_NOABORT,
2334 BUILT_IN_ASAN_LOAD8_NOABORT,
2335 BUILT_IN_ASAN_LOAD16_NOABORT,
2336 BUILT_IN_ASAN_LOADN_NOABORT },
2338 BUILT_IN_ASAN_STORE2_NOABORT,
2339 BUILT_IN_ASAN_STORE4_NOABORT,
2340 BUILT_IN_ASAN_STORE8_NOABORT,
2341 BUILT_IN_ASAN_STORE16_NOABORT,
2342 BUILT_IN_ASAN_STOREN_NOABORT } } };
2344 {
2347 }
2351 }
2353 /* Split the current basic block and create a condition statement
2354 insertion point right before or after the statement pointed to by
2355 ITER. Return an iterator to the point at which the caller might
2356 safely insert the condition statement.
2358 THEN_BLOCK must be set to the address of an uninitialized instance
2359 of basic_block. The function will then set *THEN_BLOCK to the
2360 'then block' of the condition statement to be inserted by the
2361 caller.
2363 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
2364 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
2366 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
2367 block' of the condition statement to be inserted by the caller.
2369 Note that *FALLTHROUGH_BLOCK is a new block that contains the
2370 statements starting from *ITER, and *THEN_BLOCK is a new empty
2371 block.
2373 *ITER is adjusted to point to always point to the first statement
2374 of the basic block * FALLTHROUGH_BLOCK. That statement is the
2375 same as what ITER was pointing to prior to calling this function,
2376 if BEFORE_P is true; otherwise, it is its following statement. */
2378 gimple_stmt_iterator
2385 {
2395 /* Get a hold on the 'condition block', the 'then block' and the
2396 'else block'. */
2401 {
2404 }
2406 /* Set up the newly created 'then block'. */
2408 profile_probability fallthrough_probability
2409 = then_more_likely_p
2417 /* Set up the fallthrough basic block. */
2422 /* Update dominance info for the newly created then_bb; note that
2423 fallthru_bb's dominance info has already been updated by
2424 split_bock. */
2433 }
2435 /* Insert an if condition followed by a 'then block' right before the
2436 statement pointed to by ITER. The fallthrough block -- which is the
2437 else block of the condition as well as the destination of the
2438 outcoming edge of the 'then block' -- starts with the statement
2439 pointed to by ITER.
2441 COND is the condition of the if.
2443 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
2444 'then block' is higher than the probability of the edge to the
2445 fallthrough block.
2447 Upon completion of the function, *THEN_BB is set to the newly
2448 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
2449 fallthrough block.
2451 *ITER is adjusted to still point to the same statement it was
2452 pointing to initially. */
2454 static void
2460 {
2461 gimple_stmt_iterator cond_insert_point =
2464 then_more_likely_p,
2466 then_bb,
2467 fallthrough_bb);
2469 }
2471 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
2472 If RETURN_ADDRESS is set to true, return memory location instread
2473 of a value in the shadow memory. */
2475 static tree
2479 {
2502 {
2508 }
2511 }
2513 /* BASE can already be an SSA_NAME; in that case, do not create a
2514 new SSA_NAME for it. */
2516 static tree
2519 {
2527 else
2530 }
2532 /* LEN can already have necessary size and precision;
2533 in that case, do not create a new variable. */
2535 tree
2538 {
2546 else
2549 }
2551 /* Instrument the memory access instruction BASE. Insert new
2552 statements before or after ITER.
2554 Note that the memory access represented by BASE can be either an
2555 SSA_NAME, or a non-SSA expression. LOCATION is the source code
2556 location. IS_STORE is TRUE for a store, FALSE for a load.
2557 BEFORE_P is TRUE for inserting the instrumentation code before
2558 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
2559 for a scalar memory access and FALSE for memory region access.
2560 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
2561 length. ALIGN tells alignment of accessed memory object.
2563 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
2564 memory region have already been instrumented.
2566 If BEFORE_P is TRUE, *ITER is arranged to still point to the
2567 statement it was pointing to prior to calling this function,
2568 otherwise, it points to the statement logically following it. */
2570 static void
2575 {
2588 {
2591 }
2592 else
2593 {
2596 }
2599 {
2604 {
2605 /* On non-strict alignment targets, if
2606 16-byte access is just 8-byte aligned,
2607 this will result in misaligned shadow
2608 memory 2 byte load, but otherwise can
2609 be handled using one read. */
2611 || STRICT_ALIGNMENT
2614 }
2615 }
2626 ? IFN_HWASAN_CHECK
2637 else
2638 {
2642 }
2643 }
2645 /* If T represents a memory access, add instrumentation code before ITER.
2646 LOCATION is source code location.
2647 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
2649 static void
2652 {
2659 HOST_WIDE_INT size_in_bytes;
2665 {
2673 /* FALLTHRU */
2676 }
2683 tree offset;
2684 machine_mode mode;
2691 {
2698 }
2707 poly_int64 decl_size;
2713 {
2716 /* If we're not sanitizing globals and we can tell statically that this
2717 access is inside a global variable, then there's no point adding
2718 instrumentation to check the access. N.b. hwasan currently never
2719 sanitizes globals. */
2724 {
2725 /* Automatic vars in the current function will be always
2726 accessible. */
2731 }
2732 /* Always instrument external vars, they might be dynamically
2733 initialized. */
2735 {
2736 /* For static vars if they are known not to be dynamically
2737 initialized, they will be always accessible. */
2741 }
2742 }
2751 {
2758 }
2760 }
2762 /* Insert a memory reference into the hash table if access length
2763 can be determined in compile time. */
2765 static void
2767 {
2776 }
2778 /* Instrument an access to a contiguous memory region that starts at
2779 the address pointed to by BASE, over a length of LEN (expressed in
2780 the sizeof (*BASE) bytes). ITER points to the instruction before
2781 which the instrumentation instructions must be inserted. LOCATION
2782 is the source location that the instrumentation instructions must
2783 have. If IS_STORE is true, then the memory access is a store;
2784 otherwise, it's a load. */
2786 static void
2790 {
2800 {
2804 }
2808 }
2810 /* Instrument the call to a built-in memory access function that is
2811 pointed to by the iterator ITER.
2813 Upon completion, return TRUE iff *ITER has been advanced to the
2814 statement following the one it was originally pointing to. */
2816 static bool
2818 {
2843 {
2845 {
2849 }
2852 {
2866 }
2867 else
2868 {
2875 }
2876 }
2878 }
2880 /* Instrument the assignment statement ITER if it is subject to
2881 instrumentation. Return TRUE iff instrumentation actually
2882 happened. In that case, the iterator ITER is advanced to the next
2883 logical expression following the one initially pointed to by ITER,
2884 and the relevant memory reference that which access has been
2885 instrumented is added to the memory references hash table. */
2887 static bool
2889 {
2898 {
2903 is_store);
2905 }
2908 {
2913 is_store);
2915 }
2921 }
2923 /* Instrument the function call pointed to by the iterator ITER, if it
2924 is subject to instrumentation. At the moment, the only function
2925 calls that are instrumented are some built-in functions that access
2926 memory. Look at instrument_builtin_call to learn more.
2928 Upon completion return TRUE iff *ITER was advanced to the statement
2929 following the one it was originally pointing to. */
2931 static bool
2933 {
2941 {
2943 {
2946 {
2949 /* Don't instrument these. */
2953 }
2954 }
2955 /* If a function does not return, then we must handle clearing up the
2956 shadow stack accordingly. For ASAN we can simply set the entire stack
2957 to "valid" for accesses by setting the shadow space to 0 and all
2958 accesses will pass checks. That means that some bad accesses may be
2959 missed, but we will not report any false positives.
2961 This is not possible for HWASAN. Since there is no "always valid" tag
2962 we can not set any space to "always valid". If we were to clear the
2963 entire shadow stack then code resuming from `longjmp` or a caught
2964 exception would trigger false positives when correctly accessing
2965 variables on the stack. Hence we need to handle things like
2966 `longjmp`, thread exit, and exceptions in a different way. These
2967 problems must be handled externally to the compiler, e.g. in the
2968 language runtime. */
2970 {
2975 }
2976 }
2980 {
2987 }
2989 /* Walk through gimple_call arguments and check them id needed. */
2992 {
2994 /* If ARG is not a non-aggregate register variable, compiler in general
2995 creates temporary for it and pass it as argument to gimple call.
2996 But in some cases, e.g. when we pass by value a small structure that
2997 fits to register, compiler can avoid extra overhead by pulling out
2998 these temporaries. In this case, we should check the argument. */
3000 {
3005 }
3006 }
3010 }
3012 /* Walk each instruction of all basic block and instrument those that
3013 represent memory references: loads, stores, or function calls.
3014 In a given basic block, this function avoids instrumenting memory
3015 references that have already been instrumented. */
3017 static void
3019 {
3021 gimple_stmt_iterator i;
3025 {
3030 /* Flush the mem ref hash table, if current bb doesn't have
3031 exactly one predecessor, or if that predecessor (skipping
3032 over asan created basic blocks) isn't the last processed
3033 basic block. Thus we effectively flush on extended basic
3034 block boundaries. */
3036 {
3040 }
3046 {
3054 /* Nothing to do as maybe_instrument_assignment advanced
3057 /* Nothing to do as maybe_instrument_call
3059 else
3060 {
3061 /* No instrumentation happened.
3063 If the current instruction is a function call that
3064 might free something, let's forget about the memory
3065 references that got instrumented. Otherwise we might
3066 miss some instrumentation opportunities. Do the same
3067 for a ASAN_MARK poisoning internal function. */
3074 }
3075 }
3076 }
3078 }
3080 /* Build
3081 __asan_before_dynamic_init (module_name)
3082 or
3083 __asan_after_dynamic_init ()
3084 call. */
3086 tree
3088 {
3093 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
3097 {
3098 pretty_printer module_name_pp;
3103 module_name_cst);
3104 }
3107 }
3109 /* Build
3110 struct __asan_global
3111 {
3112 const void *__beg;
3113 uptr __size;
3114 uptr __size_with_redzone;
3115 const void *__name;
3116 const void *__module_name;
3117 uptr __has_dynamic_init;
3118 __asan_global_source_location *__location;
3119 char *__odr_indicator;
3120 } type. */
3122 static tree
3124 {
3134 {
3143 }
3154 }
3156 /* Create and return odr indicator symbol for DECL.
3157 TYPE is __asan_global struct type as returned by asan_global_struct. */
3159 static tree
3161 {
3164 tree decl_name
3167 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
3176 #ifndef NO_DOT_IN_LABEL
3178 #elif !defined(NO_DOLLAR_IN_LABEL)
3180 #endif
3182 char_type_node);
3204 }
3206 /* Return true if DECL, a global var, might be overridden and needs
3207 an additional odr indicator symbol. */
3209 static bool
3211 {
3212 /* Don't emit ODR indicators for kernel because:
3213 a) Kernel is written in C thus doesn't need ODR indicators.
3214 b) Some kernel code may have assumptions about symbols containing specific
3215 patterns in their names. Since ODR indicators contain original names
3216 of symbols they are emitted for, these assumptions would be broken for
3217 ODR indicator symbols. */
3222 }
3224 /* Append description of a single global DECL into vector V.
3225 TYPE is __asan_global struct type as returned by asan_global_struct. */
3227 static void
3229 {
3239 else
3247 {
3262 }
3264 tree odr_indicator_ptr
3280 /* FIXME: Enable initialization order fiasco detection in LTO mode once
3281 proper fix for PR 79061 will be applied. */
3290 {
3300 pretty_printer filename_pp;
3314 }
3315 else
3321 }
3323 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
3324 void
3326 {
3327 tree decl;
3333 tree BT_FN_VOID_PTR
3335 tree BT_FN_VOID_CONST_PTR
3337 tree BT_FN_VOID_PTR_PTR
3340 tree BT_FN_VOID_PTR_PTR_PTR
3343 tree BT_FN_VOID_PTR_PTRMODE
3346 tree BT_FN_VOID_INT
3348 tree BT_FN_SIZE_CONST_PTR_INT
3352 tree BT_FN_VOID_UINT8_UINT8
3355 tree BT_FN_VOID_UINT16_UINT16
3358 tree BT_FN_VOID_UINT32_UINT32
3361 tree BT_FN_VOID_UINT64_UINT64
3364 tree BT_FN_VOID_FLOAT_FLOAT
3367 tree BT_FN_VOID_DOUBLE_DOUBLE
3370 tree BT_FN_VOID_UINT64_PTR
3374 tree BT_FN_PTR_CONST_PTR_UINT8
3377 tree BT_FN_VOID_PTR_UINT8_PTRMODE
3379 unsigned_char_type_node,
3386 tree vptr
3388 TYPE_QUAL_VOLATILE));
3389 tree cvptr
3391 TYPE_QUAL_VOLATILE
3393 tree boolt
3397 {
3402 NULL_TREE);
3407 NULL_TREE);
3411 }
3412 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
3413 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
3414 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
3415 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
3416 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
3417 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
3418 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
3419 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
3420 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
3421 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
3422 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
3423 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
3424 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
3425 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
3426 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
3427 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
3428 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
3429 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
3430 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
3431 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
3432 #undef ATTR_NOTHROW_LIST
3433 #define ATTR_NOTHROW_LIST ECF_NOTHROW
3434 #undef ATTR_NOTHROW_LEAF_LIST
3435 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
3436 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
3437 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
3438 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
3439 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
3440 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3441 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
3442 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
3443 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
3444 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
3445 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
3446 #undef ATTR_COLD_NOTHROW_LEAF_LIST
3447 #define ATTR_COLD_NOTHROW_LEAF_LIST \
3449 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
3450 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
3452 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
3453 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
3455 #undef ATTR_PURE_NOTHROW_LEAF_LIST
3456 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
3457 #undef DEF_BUILTIN_STUB
3458 #define DEF_BUILTIN_STUB(ENUM, NAME)
3459 #undef DEF_SANITIZER_BUILTIN_1
3460 #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \
3461 do { \
3463 BUILT_IN_NORMAL, NAME, NULL_TREE); \
3464 set_call_expr_flags (decl, ATTRS); \
3465 set_builtin_decl (ENUM, decl, true); \
3466 } while (0)
3467 #undef DEF_SANITIZER_BUILTIN
3468 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
3469 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS);
3473 /* -fsanitize=object-size uses __builtin_dynamic_object_size and
3474 __builtin_object_size, but they might not be available for e.g. Fortran at
3475 this point. We use DEF_SANITIZER_BUILTIN here only as a convenience
3476 macro. */
3478 {
3481 BT_FN_SIZE_CONST_PTR_INT,
3482 ATTR_PURE_NOTHROW_LEAF_LIST);
3486 BT_FN_SIZE_CONST_PTR_INT,
3487 ATTR_PURE_NOTHROW_LEAF_LIST);
3488 }
3490 #undef DEF_SANITIZER_BUILTIN_1
3491 #undef DEF_SANITIZER_BUILTIN
3492 #undef DEF_BUILTIN_STUB
3493 }
3495 /* Called via htab_traverse. Count number of emitted
3496 STRING_CSTs in the constant hash table. */
3498 int
3501 {
3508 }
3510 /* Helper structure to pass two parameters to
3511 add_string_csts. */
3513 struct asan_add_string_csts_data
3514 {
3515 tree type;
3517 };
3519 /* Called via hash_table::traverse. Call asan_add_global
3520 on emitted STRING_CSTs from the constant hash table. */
3522 int
3525 {
3530 {
3533 }
3535 }
3537 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
3538 invoke ggc_collect. */
3541 /* Module-level instrumentation.
3542 - Insert __asan_init_vN() into the list of CTORs.
3543 - TODO: insert redzones around globals.
3544 */
3546 void
3548 {
3554 /* Avoid instrumenting code in the asan ctors/dtors.
3555 We don't need to insert padding after the description strings,
3556 nor after .LASAN* array. */
3559 /* For user-space we want asan constructors to run first.
3560 Linux kernel does not support priorities other than default, and the only
3561 other user of constructors is coverage. So we run with the default
3562 priority. */
3567 {
3572 }
3581 {
3590 type);
3618 gcount_tree),
3624 gcount_tree),
3627 }
3631 }
3633 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
3634 on SHADOW address. Newly added statements will be added to ITER with
3635 given location LOC. We mark SIZE bytes in shadow memory, where
3636 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
3637 end of a variable. */
3639 static void
3641 tree shadow,
3645 {
3646 tree shadow_ptr_type;
3649 {
3661 }
3669 {
3674 }
3676 /* Handle last chunk in unpoisoning. */
3685 }
3687 /* Expand the ASAN_MARK builtins. */
3689 bool
3691 {
3701 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
3709 {
3712 /* Here we swap ASAN_MARK calls for HWASAN_MARK.
3713 This is because we are using the approach of using ASAN_MARK as a
3714 synonym until here.
3715 That approach means we don't yet have to duplicate all the special
3716 cases for ASAN_MARK and ASAN_POISON with the exact same handling but
3717 called HWASAN_MARK etc.
3719 N.b. __asan_poison_stack_memory (which implements ASAN_MARK for ASAN)
3720 rounds the size up to its shadow memory granularity, while
3721 __hwasan_tag_memory (which implements the same for HWASAN) does not.
3722 Hence we emit HWASAN_MARK with an aligned size unlike ASAN_MARK. */
3725 HWASAN_TAG_GRANULE_SIZE);
3731 }
3734 {
3738 }
3751 /* Generate direct emission if size_in_bytes is small. */
3754 {
3755 const unsigned HOST_WIDE_INT shadow_size
3757 const unsigned int shadow_align
3764 {
3781 }
3782 }
3783 else
3784 {
3791 tree fun
3797 }
3800 }
3802 /* Expand the ASAN_{LOAD,STORE} builtins. */
3804 bool
3806 {
3813 else
3826 HOST_WIDE_INT size_in_bytes
3830 {
3831 /* Instrument using callbacks. */
3842 else
3843 {
3851 }
3855 }
3865 {
3866 /* So, the length of the memory area to asan-protect is
3867 non-constant. Let's guard the generated instrumentation code
3868 like:
3870 if (len != 0)
3871 {
3872 //asan instrumentation code goes here.
3873 }
3874 // falltrough instructions, starting with *ITER. */
3877 len,
3886 /* Note that fallthrough_bb starts with the statement that was
3887 pointed to by ITER. */
3889 /* The 'then block' of the 'if (len != 0) condition is where
3890 we'll generate the asan instrumentation code now. */
3892 }
3894 /* Get an iterator on the point where we can add the condition
3895 statement for the instrumentation. */
3911 {
3913 shadow_ptr_type);
3915 }
3916 else
3917 {
3918 /* Slow path for 1, 2 and 4 byte accesses. */
3919 /* Test (shadow != 0)
3920 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
3922 shadow_ptr_type);
3926 /* Aligned (>= 8 bytes) can test just
3927 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
3928 to be 0. */
3930 {
3942 }
3943 else
3952 /* For non-constant, misaligned or otherwise weird access sizes,
3953 check first and last byte. */
3955 {
3969 shadow_ptr_type);
3979 shadow));
3987 }
3988 }
3995 /* Generate call to the run-time library (e.g. __asan_report_load8). */
4007 }
4009 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
4010 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
4012 static tree
4015 {
4018 {
4021 copy_body_data id;
4033 }
4034 else
4036 }
4038 /* Expand ASAN_POISON ifn. */
4040 bool
4044 {
4048 {
4051 }
4058 shadow_vars_mapping);
4063 else
4066 gimple *poison_call
4069 ASAN_MARK_POISON),
4073 imm_use_iterator imm_iter;
4075 {
4083 {
4085 /* NOTE: hwasan has no __hwasan_report_* functions like asan does.
4086 We use __hwasan_tag_mismatch4 with arguments that tell it the
4087 size of access and load to report all tag mismatches.
4089 The arguments to this function are:
4090 Address of invalid access.
4091 Bitfield containing information about the access
4092 (access_info)
4093 Pointer to a frame of registers
4094 (for use in printing the contents of registers in a dump)
4095 Not used yet -- to be used by inline instrumentation.
4096 Size of access.
4098 The access_info bitfield encodes the following pieces of
4099 information:
4100 - Is this a store or load?
4101 access_info & 0x10 => store
4102 - Should the program continue after reporting the error?
4103 access_info & 0x20 => recover
4104 - What size access is this (not used here since we can always
4105 pass the size in the last argument)
4107 if (access_info & 0xf == 0xf)
4108 size is taken from last argument.
4109 else
4110 size == 1 << (access_info & 0xf)
4112 The last argument contains the size of the access iff the
4113 access_info size indicator is 0xf (we always use this argument
4114 rather than storing the size in the access_info bitfield).
4116 See the function definition `__hwasan_tag_mismatch4` in
4117 libsanitizer/hwasan for the full definition.
4118 */
4125 access_info),
4127 size);
4128 }
4129 else
4130 {
4135 }
4139 /* The USE can be a gimple PHI node. If so, insert the call on
4140 all edges leading to the PHI node. */
4142 {
4146 {
4149 /* Do not insert on an edge we can't split. */
4159 }
4160 }
4161 else
4162 {
4166 else
4168 }
4169 }
4176 }
4178 /* Instrument the current function. */
4180 static unsigned int
4182 {
4184 {
4187 }
4194 }
4196 static bool
4198 {
4200 }
4205 {
4215 };
4218 {
4222 {}
4224 /* opt_pass methods: */
4227 {
4229 }
4231 {
4233 }
4239 gimple_opt_pass *
4241 {
4243 }
4248 {
4258 };
4261 {
4265 {}
4267 /* opt_pass methods: */
4269 {
4271 }
4273 {
4275 }
4281 gimple_opt_pass *
4283 {
4285 }
4287 /* HWASAN */
4289 /* For stack tagging:
4291 Return the offset from the frame base tag that the "next" expanded object
4292 should have. */
4293 uint8_t
4295 {
4297 }
4299 /* For stack tagging:
4301 Return the 'base pointer' for this function. If that base pointer has not
4302 yet been created then we create a register to hold it and record the insns
4303 to initialize the register in `hwasan_frame_base_init_seq` for later
4304 emission. */
4305 rtx
4307 {
4309 {
4311 hwasan_frame_base_ptr
4314 NULL_RTX));
4317 }
4320 }
4322 /* For stack tagging:
4324 Check whether this RTX is a standard pointer addressing the base of the
4325 stack variables for this frame. Returns true if the RTX is either
4326 virtual_stack_vars_rtx or hwasan_frame_base_ptr. */
4327 bool
4329 {
4331 }
4333 /* For stack tagging:
4335 Emit frame base initialisation.
4336 If hwasan_frame_base has been used before here then
4337 hwasan_frame_base_init_seq contains the sequence of instructions to
4338 initialize it. This must be put just before the hwasan prologue, so we emit
4339 the insns before parm_birth_insn (which will point to the first instruction
4340 of the hwasan prologue if it exists).
4342 We update `parm_birth_insn` to point to the start of this initialisation
4343 since that represents the end of the initialisation done by
4344 expand_function_{start,end} functions and we want to maintain that. */
4345 void
4347 {
4352 }
4354 /* Record a compile-time constant size stack variable that HWASAN will need to
4355 tag. This record of the range of a stack variable will be used by
4356 `hwasan_emit_prologue` to emit the RTL at the start of each frame which will
4357 set tags in the shadow memory according to the assigned tag for each object.
4359 The range that the object spans in stack space should be described by the
4360 bounds `untagged_base + nearest_offset` and
4361 `untagged_base + farthest_offset`.
4362 `tagged_base` is the base address which contains the "base frame tag" for
4363 this frame, and from which the value to address this object with will be
4364 calculated.
4366 We record the `untagged_base` since the functions in the hwasan library we
4367 use to tag memory take pointers without a tag. */
4368 void
4371 {
4372 hwasan_stack_var cur_var;
4380 }
4382 /* Return the RTX representing the farthest extent of the statically allocated
4383 stack objects for this frame. If hwasan_frame_base_ptr has not been
4384 initialized then we are not storing any static variables on the stack in
4385 this frame. In this case we return NULL_RTX to represent that.
4387 Otherwise simply return virtual_stack_vars_rtx + frame_offset. */
4388 rtx
4390 {
4394 }
4396 /* For stack tagging:
4398 Increment the frame tag offset modulo the size a tag can represent. */
4399 void
4401 {
4406 /* The "background tag" of the stack is zero by definition.
4407 This is the tag that objects like parameters passed on the stack and
4408 spilled registers are given. It is handy to avoid this tag for objects
4409 whose tags we decide ourselves, partly to ensure that buffer overruns
4410 can't affect these important variables (e.g. saved link register, saved
4411 stack pointer etc) and partly to make debugging easier (everything with a
4412 tag of zero is space allocated automatically by the compiler).
4414 This is not feasible when using random frame tags (the default
4415 configuration for hwasan) since the tag for the given frame is randomly
4416 chosen at runtime. In order to avoid any tags matching the stack
4417 background we would need to decide tag offsets at runtime instead of
4418 compile time (and pay the resulting performance cost).
4420 When not using random base tags for each frame (i.e. when compiled with
4421 `--param hwasan-random-frame-tag=0`) the base tag for each frame is zero.
4422 This means the tag that each object gets is equal to the
4423 hwasan_frame_tag_offset used in determining it.
4424 When this is the case we *can* ensure no object gets the tag of zero by
4425 simply ensuring no object has the hwasan_frame_tag_offset of zero.
4427 There is the extra complication that we only record the
4428 hwasan_frame_tag_offset here (which is the offset from the tag stored in
4429 the stack pointer). In the kernel, the tag in the stack pointer is 0xff
4430 rather than zero. This does not cause problems since tags of 0xff are
4431 never checked in the kernel. As mentioned at the beginning of this
4432 comment the background tag of the stack is zero by definition, which means
4433 that for the kernel we should skip offsets of both 0 and 1 from the stack
4434 pointer. Avoiding the offset of 0 ensures we use a tag which will be
4435 checked, avoiding the offset of 1 ensures we use a tag that is not the
4436 same as the background. */
4442 }
4444 /* Clear internal state for the next function.
4445 This function is called before variables on the stack get expanded, in
4446 `init_vars_expansion`. */
4447 void
4449 {
4453 /* If this isn't the case then some stack variable was recorded *before*
4454 hwasan_record_frame_init is called, yet *after* the hwasan prologue for
4455 the previous frame was emitted. Such stack variables would not have
4456 their shadow stack filled in. */
4461 /* When not using a random frame tag we can avoid the background stack
4462 color which gives the user a little better debug output upon a crash.
4463 Meanwhile, when using a random frame tag it will be nice to avoid adding
4464 tags for the first object since that is unnecessary extra work.
4465 Hence set the initial hwasan_frame_tag_offset to be 0 if using a random
4466 frame tag and 1 otherwise.
4468 As described in hwasan_increment_frame_tag, in the kernel the stack
4469 pointer has the tag 0xff. That means that to avoid 0xff and 0 (the tag
4470 which the kernel does not check and the background tag respectively) we
4471 start with a tag offset of 2. */
4472 hwasan_frame_tag_offset = param_hwasan_random_frame_tag
4475 }
4477 /* For stack tagging:
4478 (Emits HWASAN equivalent of what is emitted by
4479 `asan_emit_stack_protection`).
4481 Emits the extra prologue code to set the shadow stack as required for HWASAN
4482 stack instrumentation.
4484 Uses the vector of recorded stack variables hwasan_tagged_stack_vars. When
4485 this function has completed hwasan_tagged_stack_vars is empty and all
4486 objects it had pointed to are deallocated. */
4487 void
4489 {
4490 /* We need untagged base pointers since libhwasan only accepts untagged
4491 pointers in __hwasan_tag_memory. We need the tagged base pointer to obtain
4492 the base tag for an offset. */
4499 {
4504 {
4507 }
4508 else
4509 {
4510 /* Given how these values are calculated, one must be known greater
4511 than the other. */
4515 }
4518 /* Assert the edge of each variable is aligned to the HWASAN tag granule
4519 size. */
4532 bot));
4537 }
4538 /* Clear the stack vars, we've emitted the prologue for them all now. */
4540 }
4542 /* For stack tagging:
4544 Return RTL insns to clear the tags between DYNAMIC and VARS pointers
4545 into the stack. These instructions should be emitted at the end of
4546 every function.
4548 If `dynamic` is NULL_RTX then no insns are returned. */
4549 rtx_insn *
4551 {
4560 rtx top_rtx;
4561 rtx bot_rtx;
4563 {
4566 }
4567 else
4568 {
4571 }
4575 OPTAB_DIRECT);
4587 }
4589 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
4590 invoke ggc_collect. */
4593 /* Insert module initialization into this TU. This initialization calls the
4594 initialization code for libhwasan. */
4595 void
4597 {
4598 /* Do not emit constructor initialization for the kernel.
4599 (the kernel has its own initialization already). */
4603 /* Avoid instrumenting code in the hwasan constructors/destructors. */
4610 }
4612 /* For stack tagging:
4614 Truncate `tag` to the number of bits that a tag uses (i.e. to
4615 HWASAN_TAG_SIZE). Store the result in `target` if it's convenient. */
4616 rtx
4618 {
4621 {
4624 QImode);
4628 }
4630 }
4632 /* Construct a function tree for __hwasan_{load,store}{1,2,4,8,16,_n}.
4633 IS_STORE is either 1 (for a store) or 0 (for a load). */
4634 static combined_fn
4637 {
4646 BUILT_IN_HWASAN_LOAD2_NOABORT,
4647 BUILT_IN_HWASAN_LOAD4_NOABORT,
4648 BUILT_IN_HWASAN_LOAD8_NOABORT,
4649 BUILT_IN_HWASAN_LOAD16_NOABORT,
4650 BUILT_IN_HWASAN_LOADN_NOABORT },
4652 BUILT_IN_HWASAN_STORE2_NOABORT,
4653 BUILT_IN_HWASAN_STORE4_NOABORT,
4654 BUILT_IN_HWASAN_STORE8_NOABORT,
4655 BUILT_IN_HWASAN_STORE16_NOABORT,
4656 BUILT_IN_HWASAN_STOREN_NOABORT } } };
4658 {
4661 }
4666 }
4668 /* Expand the HWASAN_{LOAD,STORE} builtins. */
4669 bool
4671 {
4677 else
4689 /* `align` is unused for HWASAN_CHECK, but we pass the argument anyway
4690 since that way the arguments match ASAN_CHECK. */
4691 /* HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3)); */
4693 unsigned HOST_WIDE_INT size_in_bytes
4699 {
4700 /* So, the length of the memory area to hwasan-protect is
4701 non-constant. Let's guard the generated instrumentation code
4702 like:
4704 if (len != 0)
4705 {
4706 // hwasan instrumentation code goes here.
4707 }
4708 // falltrough instructions, starting with *ITER. */
4711 len,
4720 /* Note that fallthrough_bb starts with the statement that was
4721 pointed to by ITER. */
4723 /* The 'then block' of the 'if (len != 0) condition is where
4724 we'll generate the hwasan instrumentation code now. */
4726 }
4733 combined_fn fn
4737 else
4738 {
4743 }
4749 }
4751 /* For stack tagging:
4753 Dummy: the HWASAN_MARK internal function should only ever be in the code
4754 after the sanopt pass. */
4755 bool
4757 {
4759 }
4761 bool
4763 {
4765 }