search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
match_asm_constraints: Use copy_rtx where needed (PR88001)
[official-gcc.git] / gcc / asan.c
blob98a42721f8f6dbccb7a2e7c056874164c5d3a331
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2018 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
11
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "backend.h"
26 #include "target.h"
27 #include "rtl.h"
28 #include "tree.h"
29 #include "gimple.h"
30 #include "cfghooks.h"
31 #include "alloc-pool.h"
32 #include "tree-pass.h"
33 #include "memmodel.h"
34 #include "tm_p.h"
35 #include "ssa.h"
36 #include "stringpool.h"
37 #include "tree-ssanames.h"
38 #include "optabs.h"
39 #include "emit-rtl.h"
40 #include "cgraph.h"
41 #include "gimple-pretty-print.h"
42 #include "alias.h"
43 #include "fold-const.h"
44 #include "cfganal.h"
45 #include "gimplify.h"
46 #include "gimple-iterator.h"
47 #include "varasm.h"
48 #include "stor-layout.h"
49 #include "tree-iterator.h"
50 #include "stringpool.h"
51 #include "attribs.h"
52 #include "asan.h"
53 #include "dojump.h"
54 #include "explow.h"
55 #include "expr.h"
56 #include "output.h"
57 #include "langhooks.h"
58 #include "cfgloop.h"
59 #include "gimple-builder.h"
60 #include "gimple-fold.h"
61 #include "ubsan.h"
62 #include "params.h"
63 #include "builtins.h"
64 #include "fnmatch.h"
65 #include "tree-inline.h"
66
67 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
68 with <2x slowdown on average.
69
70 The tool consists of two parts:
71 instrumentation module (this file) and a run-time library.
72 The instrumentation module adds a run-time check before every memory insn.
73 For a 8- or 16- byte load accessing address X:
74 ShadowAddr = (X >> 3) + Offset
75 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
76 if (ShadowValue)
77 __asan_report_load8(X);
78 For a load of N bytes (N=1, 2 or 4) from address X:
79 ShadowAddr = (X >> 3) + Offset
80 ShadowValue = *(char*)ShadowAddr;
81 if (ShadowValue)
82 if ((X & 7) + N - 1 > ShadowValue)
83 __asan_report_loadN(X);
84 Stores are instrumented similarly, but using __asan_report_storeN functions.
85 A call too __asan_init_vN() is inserted to the list of module CTORs.
86 N is the version number of the AddressSanitizer API. The changes between the
87 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
88
89 The run-time library redefines malloc (so that redzone are inserted around
90 the allocated memory) and free (so that reuse of free-ed memory is delayed),
91 provides __asan_report* and __asan_init_vN functions.
92
93 Read more:
94 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
95
96 The current implementation supports detection of out-of-bounds and
97 use-after-free in the heap, on the stack and for global variables.
98
99 [Protection of stack variables]
100
101 To understand how detection of out-of-bounds and use-after-free works
102 for stack variables, lets look at this example on x86_64 where the
103 stack grows downward:
104
105 int
106 foo ()
107 {
108 char a[23] = {0};
109 int b[2] = {0};
110
111 a[5] = 1;
112 b[1] = 2;
113
114 return a[5] + b[1];
115 }
116
117 For this function, the stack protected by asan will be organized as
118 follows, from the top of the stack to the bottom:
119
120 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
121
122 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
123 the next slot be 32 bytes aligned; this one is called Partial
124 Redzone; this 32 bytes alignment is an asan constraint]
125
126 Slot 3/ [24 bytes for variable 'a']
127
128 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
129
130 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
131
132 Slot 6/ [8 bytes for variable 'b']
133
134 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
135 'LEFT RedZone']
136
137 The 32 bytes of LEFT red zone at the bottom of the stack can be
138 decomposed as such:
139
140 1/ The first 8 bytes contain a magical asan number that is always
141 0x41B58AB3.
142
143 2/ The following 8 bytes contains a pointer to a string (to be
144 parsed at runtime by the runtime asan library), which format is
145 the following:
146
147 "<function-name> <space> <num-of-variables-on-the-stack>
148 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
149 <length-of-var-in-bytes> ){n} "
150
151 where '(...){n}' means the content inside the parenthesis occurs 'n'
152 times, with 'n' being the number of variables on the stack.
153
154 3/ The following 8 bytes contain the PC of the current function which
155 will be used by the run-time library to print an error message.
156
157 4/ The following 8 bytes are reserved for internal use by the run-time.
158
159 The shadow memory for that stack layout is going to look like this:
160
161 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
162 The F1 byte pattern is a magic number called
163 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
164 the memory for that shadow byte is part of a the LEFT red zone
165 intended to seat at the bottom of the variables on the stack.
166
167 - content of shadow memory 8 bytes for slots 6 and 5:
168 0xF4F4F400. The F4 byte pattern is a magic number
169 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
170 memory region for this shadow byte is a PARTIAL red zone
171 intended to pad a variable A, so that the slot following
172 {A,padding} is 32 bytes aligned.
173
174 Note that the fact that the least significant byte of this
175 shadow memory content is 00 means that 8 bytes of its
176 corresponding memory (which corresponds to the memory of
177 variable 'b') is addressable.
178
179 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
180 The F2 byte pattern is a magic number called
181 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
182 region for this shadow byte is a MIDDLE red zone intended to
183 seat between two 32 aligned slots of {variable,padding}.
184
185 - content of shadow memory 8 bytes for slot 3 and 2:
186 0xF4000000. This represents is the concatenation of
187 variable 'a' and the partial red zone following it, like what we
188 had for variable 'b'. The least significant 3 bytes being 00
189 means that the 3 bytes of variable 'a' are addressable.
190
191 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
192 The F3 byte pattern is a magic number called
193 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
194 region for this shadow byte is a RIGHT red zone intended to seat
195 at the top of the variables of the stack.
196
197 Note that the real variable layout is done in expand_used_vars in
198 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
199 stack variables as well as the different red zones, emits some
200 prologue code to populate the shadow memory as to poison (mark as
201 non-accessible) the regions of the red zones and mark the regions of
202 stack variables as accessible, and emit some epilogue code to
203 un-poison (mark as accessible) the regions of red zones right before
204 the function exits.
205
206 [Protection of global variables]
207
208 The basic idea is to insert a red zone between two global variables
209 and install a constructor function that calls the asan runtime to do
210 the populating of the relevant shadow memory regions at load time.
211
212 So the global variables are laid out as to insert a red zone between
213 them. The size of the red zones is so that each variable starts on a
214 32 bytes boundary.
215
216 Then a constructor function is installed so that, for each global
217 variable, it calls the runtime asan library function
218 __asan_register_globals_with an instance of this type:
219
220 struct __asan_global
221 {
222 // Address of the beginning of the global variable.
223 const void *__beg;
224
225 // Initial size of the global variable.
226 uptr __size;
227
228 // Size of the global variable + size of the red zone. This
229 // size is 32 bytes aligned.
230 uptr __size_with_redzone;
231
232 // Name of the global variable.
233 const void *__name;
234
235 // Name of the module where the global variable is declared.
236 const void *__module_name;
237
238 // 1 if it has dynamic initialization, 0 otherwise.
239 uptr __has_dynamic_init;
240
241 // A pointer to struct that contains source location, could be NULL.
242 __asan_global_source_location *__location;
243 }
244
245 A destructor function that calls the runtime asan library function
246 _asan_unregister_globals is also installed. */
247
248 static unsigned HOST_WIDE_INT asan_shadow_offset_value;
249 static bool asan_shadow_offset_computed;
250 static vec<char *> sanitized_sections;
251 static tree last_alloca_addr;
252
253 /* Set of variable declarations that are going to be guarded by
254 use-after-scope sanitizer. */
255
256 hash_set<tree> *asan_handled_variables = NULL;
257
258 hash_set <tree> *asan_used_labels = NULL;
259
260 /* Sets shadow offset to value in string VAL. */
261
262 bool
263 set_asan_shadow_offset (const char *val)
264 {
265 char *endp;
266
267 errno = 0;
268 #ifdef HAVE_LONG_LONG
269 asan_shadow_offset_value = strtoull (val, &endp, 0);
270 #else
271 asan_shadow_offset_value = strtoul (val, &endp, 0);
272 #endif
273 if (!(*val != '\0' && *endp == '\0' && errno == 0))
274 return false;
275
276 asan_shadow_offset_computed = true;
277
278 return true;
279 }
280
281 /* Set list of user-defined sections that need to be sanitized. */
282
283 void
284 set_sanitized_sections (const char *sections)
285 {
286 char *pat;
287 unsigned i;
288 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
289 free (pat);
290 sanitized_sections.truncate (0);
291
292 for (const char *s = sections; *s; )
293 {
294 const char *end;
295 for (end = s; *end && *end != ','; ++end);
296 size_t len = end - s;
297 sanitized_sections.safe_push (xstrndup (s, len));
298 s = *end ? end + 1 : end;
299 }
300 }
301
302 bool
303 asan_mark_p (gimple *stmt, enum asan_mark_flags flag)
304 {
305 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
306 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag);
307 }
308
309 bool
310 asan_sanitize_stack_p (void)
311 {
312 return (sanitize_flags_p (SANITIZE_ADDRESS) && ASAN_STACK);
313 }
314
315 bool
316 asan_sanitize_allocas_p (void)
317 {
318 return (asan_sanitize_stack_p () && ASAN_PROTECT_ALLOCAS);
319 }
320
321 /* Checks whether section SEC should be sanitized. */
322
323 static bool
324 section_sanitized_p (const char *sec)
325 {
326 char *pat;
327 unsigned i;
328 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
329 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
330 return true;
331 return false;
332 }
333
334 /* Returns Asan shadow offset. */
335
336 static unsigned HOST_WIDE_INT
337 asan_shadow_offset ()
338 {
339 if (!asan_shadow_offset_computed)
340 {
341 asan_shadow_offset_computed = true;
342 asan_shadow_offset_value = targetm.asan_shadow_offset ();
343 }
344 return asan_shadow_offset_value;
345 }
346
347 alias_set_type asan_shadow_set = -1;
348
349 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
350 alias set is used for all shadow memory accesses. */
351 static GTY(()) tree shadow_ptr_types[3];
352
353 /* Decl for __asan_option_detect_stack_use_after_return. */
354 static GTY(()) tree asan_detect_stack_use_after_return;
355
356 /* Hashtable support for memory references used by gimple
357 statements. */
358
359 /* This type represents a reference to a memory region. */
360 struct asan_mem_ref
361 {
362 /* The expression of the beginning of the memory region. */
363 tree start;
364
365 /* The size of the access. */
366 HOST_WIDE_INT access_size;
367 };
368
369 object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
370
371 /* Initializes an instance of asan_mem_ref. */
372
373 static void
374 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
375 {
376 ref->start = start;
377 ref->access_size = access_size;
378 }
379
380 /* Allocates memory for an instance of asan_mem_ref into the memory
381 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
382 START is the address of (or the expression pointing to) the
383 beginning of memory reference. ACCESS_SIZE is the size of the
384 access to the referenced memory. */
385
386 static asan_mem_ref*
387 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
388 {
389 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
390
391 asan_mem_ref_init (ref, start, access_size);
392 return ref;
393 }
394
395 /* This builds and returns a pointer to the end of the memory region
396 that starts at START and of length LEN. */
397
398 tree
399 asan_mem_ref_get_end (tree start, tree len)
400 {
401 if (len == NULL_TREE || integer_zerop (len))
402 return start;
403
404 if (!ptrofftype_p (len))
405 len = convert_to_ptrofftype (len);
406
407 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
408 }
409
410 /* Return a tree expression that represents the end of the referenced
411 memory region. Beware that this function can actually build a new
412 tree expression. */
413
414 tree
415 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
416 {
417 return asan_mem_ref_get_end (ref->start, len);
418 }
419
420 struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
421 {
422 static inline hashval_t hash (const asan_mem_ref *);
423 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
424 };
425
426 /* Hash a memory reference. */
427
428 inline hashval_t
429 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
430 {
431 return iterative_hash_expr (mem_ref->start, 0);
432 }
433
434 /* Compare two memory references. We accept the length of either
435 memory references to be NULL_TREE. */
436
437 inline bool
438 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
439 const asan_mem_ref *m2)
440 {
441 return operand_equal_p (m1->start, m2->start, 0);
442 }
443
444 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
445
446 /* Returns a reference to the hash table containing memory references.
447 This function ensures that the hash table is created. Note that
448 this hash table is updated by the function
449 update_mem_ref_hash_table. */
450
451 static hash_table<asan_mem_ref_hasher> *
452 get_mem_ref_hash_table ()
453 {
454 if (!asan_mem_ref_ht)
455 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
456
457 return asan_mem_ref_ht;
458 }
459
460 /* Clear all entries from the memory references hash table. */
461
462 static void
463 empty_mem_ref_hash_table ()
464 {
465 if (asan_mem_ref_ht)
466 asan_mem_ref_ht->empty ();
467 }
468
469 /* Free the memory references hash table. */
470
471 static void
472 free_mem_ref_resources ()
473 {
474 delete asan_mem_ref_ht;
475 asan_mem_ref_ht = NULL;
476
477 asan_mem_ref_pool.release ();
478 }
479
480 /* Return true iff the memory reference REF has been instrumented. */
481
482 static bool
483 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
484 {
485 asan_mem_ref r;
486 asan_mem_ref_init (&r, ref, access_size);
487
488 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
489 return saved_ref && saved_ref->access_size >= access_size;
490 }
491
492 /* Return true iff the memory reference REF has been instrumented. */
493
494 static bool
495 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
496 {
497 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
498 }
499
500 /* Return true iff access to memory region starting at REF and of
501 length LEN has been instrumented. */
502
503 static bool
504 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
505 {
506 HOST_WIDE_INT size_in_bytes
507 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
508
509 return size_in_bytes != -1
510 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
511 }
512
513 /* Set REF to the memory reference present in a gimple assignment
514 ASSIGNMENT. Return true upon successful completion, false
515 otherwise. */
516
517 static bool
518 get_mem_ref_of_assignment (const gassign *assignment,
519 asan_mem_ref *ref,
520 bool *ref_is_store)
521 {
522 gcc_assert (gimple_assign_single_p (assignment));
523
524 if (gimple_store_p (assignment)
525 && !gimple_clobber_p (assignment))
526 {
527 ref->start = gimple_assign_lhs (assignment);
528 *ref_is_store = true;
529 }
530 else if (gimple_assign_load_p (assignment))
531 {
532 ref->start = gimple_assign_rhs1 (assignment);
533 *ref_is_store = false;
534 }
535 else
536 return false;
537
538 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
539 return true;
540 }
541
542 /* Return address of last allocated dynamic alloca. */
543
544 static tree
545 get_last_alloca_addr ()
546 {
547 if (last_alloca_addr)
548 return last_alloca_addr;
549
550 last_alloca_addr = create_tmp_reg (ptr_type_node, "last_alloca_addr");
551 gassign *g = gimple_build_assign (last_alloca_addr, null_pointer_node);
552 edge e = single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun));
553 gsi_insert_on_edge_immediate (e, g);
554 return last_alloca_addr;
555 }
556
557 /* Insert __asan_allocas_unpoison (top, bottom) call before
558 __builtin_stack_restore (new_sp) call.
559 The pseudocode of this routine should look like this:
560 top = last_alloca_addr;
561 bot = new_sp;
562 __asan_allocas_unpoison (top, bot);
563 last_alloca_addr = new_sp;
564 __builtin_stack_restore (new_sp);
565 In general, we can't use new_sp as bot parameter because on some
566 architectures SP has non zero offset from dynamic stack area. Moreover, on
567 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each
568 particular function only after all callees were expanded to rtl.
569 The most noticeable example is PowerPC{,64}, see
570 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
571 To overcome the issue we use following trick: pass new_sp as a second
572 parameter to __asan_allocas_unpoison and rewrite it during expansion with
573 new_sp + (virtual_dynamic_stack_rtx - sp) later in
574 expand_asan_emit_allocas_unpoison function. */
575
576 static void
577 handle_builtin_stack_restore (gcall *call, gimple_stmt_iterator *iter)
578 {
579 if (!iter || !asan_sanitize_allocas_p ())
580 return;
581
582 tree last_alloca = get_last_alloca_addr ();
583 tree restored_stack = gimple_call_arg (call, 0);
584 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCAS_UNPOISON);
585 gimple *g = gimple_build_call (fn, 2, last_alloca, restored_stack);
586 gsi_insert_before (iter, g, GSI_SAME_STMT);
587 g = gimple_build_assign (last_alloca, restored_stack);
588 gsi_insert_before (iter, g, GSI_SAME_STMT);
589 }
590
591 /* Deploy and poison redzones around __builtin_alloca call. To do this, we
592 should replace this call with another one with changed parameters and
593 replace all its uses with new address, so
594 addr = __builtin_alloca (old_size, align);
595 is replaced by
596 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
597 Following two statements are optimized out if we know that
598 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
599 redzone.
600 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
601 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
602 right_redzone_size = ASAN_RED_ZONE_SIZE;
603 additional_size = left_redzone_size + partial_redzone_size +
604 right_redzone_size;
605 new_size = old_size + additional_size;
606 new_alloca = __builtin_alloca (new_size, max (align, 32))
607 __asan_alloca_poison (new_alloca, old_size)
608 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
609 last_alloca_addr = new_alloca;
610 ADDITIONAL_SIZE is added to make new memory allocation contain not only
611 requested memory, but also left, partial and right redzones as well as some
612 additional space, required by alignment. */
613
614 static void
615 handle_builtin_alloca (gcall *call, gimple_stmt_iterator *iter)
616 {
617 if (!iter || !asan_sanitize_allocas_p ())
618 return;
619
620 gassign *g;
621 gcall *gg;
622 const HOST_WIDE_INT redzone_mask = ASAN_RED_ZONE_SIZE - 1;
623
624 tree last_alloca = get_last_alloca_addr ();
625 tree callee = gimple_call_fndecl (call);
626 tree old_size = gimple_call_arg (call, 0);
627 tree ptr_type = gimple_call_lhs (call) ? TREE_TYPE (gimple_call_lhs (call))
628 : ptr_type_node;
629 tree partial_size = NULL_TREE;
630 unsigned int align
631 = DECL_FUNCTION_CODE (callee) == BUILT_IN_ALLOCA
632 ? 0 : tree_to_uhwi (gimple_call_arg (call, 1));
633
634 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
635 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
636 manually. */
637 align = MAX (align, ASAN_RED_ZONE_SIZE * BITS_PER_UNIT);
638
639 tree alloca_rz_mask = build_int_cst (size_type_node, redzone_mask);
640 tree redzone_size = build_int_cst (size_type_node, ASAN_RED_ZONE_SIZE);
641
642 /* Extract lower bits from old_size. */
643 wide_int size_nonzero_bits = get_nonzero_bits (old_size);
644 wide_int rz_mask
645 = wi::uhwi (redzone_mask, wi::get_precision (size_nonzero_bits));
646 wide_int old_size_lower_bits = wi::bit_and (size_nonzero_bits, rz_mask);
647
648 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
649 redzone. Otherwise, compute its size here. */
650 if (wi::ne_p (old_size_lower_bits, 0))
651 {
652 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
653 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
654 g = gimple_build_assign (make_ssa_name (size_type_node, NULL),
655 BIT_AND_EXPR, old_size, alloca_rz_mask);
656 gsi_insert_before (iter, g, GSI_SAME_STMT);
657 tree misalign = gimple_assign_lhs (g);
658 g = gimple_build_assign (make_ssa_name (size_type_node, NULL), MINUS_EXPR,
659 redzone_size, misalign);
660 gsi_insert_before (iter, g, GSI_SAME_STMT);
661 partial_size = gimple_assign_lhs (g);
662 }
663
664 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
665 tree additional_size = build_int_cst (size_type_node, align / BITS_PER_UNIT
666 + ASAN_RED_ZONE_SIZE);
667 /* If alloca has partial redzone, include it to additional_size too. */
668 if (partial_size)
669 {
670 /* additional_size += partial_size. */
671 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR,
672 partial_size, additional_size);
673 gsi_insert_before (iter, g, GSI_SAME_STMT);
674 additional_size = gimple_assign_lhs (g);
675 }
676
677 /* new_size = old_size + additional_size. */
678 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR, old_size,
679 additional_size);
680 gsi_insert_before (iter, g, GSI_SAME_STMT);
681 tree new_size = gimple_assign_lhs (g);
682
683 /* Build new __builtin_alloca call:
684 new_alloca_with_rz = __builtin_alloca (new_size, align). */
685 tree fn = builtin_decl_implicit (BUILT_IN_ALLOCA_WITH_ALIGN);
686 gg = gimple_build_call (fn, 2, new_size,
687 build_int_cst (size_type_node, align));
688 tree new_alloca_with_rz = make_ssa_name (ptr_type, gg);
689 gimple_call_set_lhs (gg, new_alloca_with_rz);
690 gsi_insert_before (iter, gg, GSI_SAME_STMT);
691
692 /* new_alloca = new_alloca_with_rz + align. */
693 g = gimple_build_assign (make_ssa_name (ptr_type), POINTER_PLUS_EXPR,
694 new_alloca_with_rz,
695 build_int_cst (size_type_node,
696 align / BITS_PER_UNIT));
697 gsi_insert_before (iter, g, GSI_SAME_STMT);
698 tree new_alloca = gimple_assign_lhs (g);
699
700 /* Poison newly created alloca redzones:
701 __asan_alloca_poison (new_alloca, old_size). */
702 fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCA_POISON);
703 gg = gimple_build_call (fn, 2, new_alloca, old_size);
704 gsi_insert_before (iter, gg, GSI_SAME_STMT);
705
706 /* Save new_alloca_with_rz value into last_alloca to use it during
707 allocas unpoisoning. */
708 g = gimple_build_assign (last_alloca, new_alloca_with_rz);
709 gsi_insert_before (iter, g, GSI_SAME_STMT);
710
711 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
712 replace_call_with_value (iter, new_alloca);
713 }
714
715 /* Return the memory references contained in a gimple statement
716 representing a builtin call that has to do with memory access. */
717
718 static bool
719 get_mem_refs_of_builtin_call (gcall *call,
720 asan_mem_ref *src0,
721 tree *src0_len,
722 bool *src0_is_store,
723 asan_mem_ref *src1,
724 tree *src1_len,
725 bool *src1_is_store,
726 asan_mem_ref *dst,
727 tree *dst_len,
728 bool *dst_is_store,
729 bool *dest_is_deref,
730 bool *intercepted_p,
731 gimple_stmt_iterator *iter = NULL)
732 {
733 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
734
735 tree callee = gimple_call_fndecl (call);
736 tree source0 = NULL_TREE, source1 = NULL_TREE,
737 dest = NULL_TREE, len = NULL_TREE;
738 bool is_store = true, got_reference_p = false;
739 HOST_WIDE_INT access_size = 1;
740
741 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
742
743 switch (DECL_FUNCTION_CODE (callee))
744 {
745 /* (s, s, n) style memops. */
746 case BUILT_IN_BCMP:
747 case BUILT_IN_MEMCMP:
748 source0 = gimple_call_arg (call, 0);
749 source1 = gimple_call_arg (call, 1);
750 len = gimple_call_arg (call, 2);
751 break;
752
753 /* (src, dest, n) style memops. */
754 case BUILT_IN_BCOPY:
755 source0 = gimple_call_arg (call, 0);
756 dest = gimple_call_arg (call, 1);
757 len = gimple_call_arg (call, 2);
758 break;
759
760 /* (dest, src, n) style memops. */
761 case BUILT_IN_MEMCPY:
762 case BUILT_IN_MEMCPY_CHK:
763 case BUILT_IN_MEMMOVE:
764 case BUILT_IN_MEMMOVE_CHK:
765 case BUILT_IN_MEMPCPY:
766 case BUILT_IN_MEMPCPY_CHK:
767 dest = gimple_call_arg (call, 0);
768 source0 = gimple_call_arg (call, 1);
769 len = gimple_call_arg (call, 2);
770 break;
771
772 /* (dest, n) style memops. */
773 case BUILT_IN_BZERO:
774 dest = gimple_call_arg (call, 0);
775 len = gimple_call_arg (call, 1);
776 break;
777
778 /* (dest, x, n) style memops*/
779 case BUILT_IN_MEMSET:
780 case BUILT_IN_MEMSET_CHK:
781 dest = gimple_call_arg (call, 0);
782 len = gimple_call_arg (call, 2);
783 break;
784
785 case BUILT_IN_STRLEN:
786 source0 = gimple_call_arg (call, 0);
787 len = gimple_call_lhs (call);
788 break;
789
790 case BUILT_IN_STACK_RESTORE:
791 handle_builtin_stack_restore (call, iter);
792 break;
793
794 CASE_BUILT_IN_ALLOCA:
795 handle_builtin_alloca (call, iter);
796 break;
797 /* And now the __atomic* and __sync builtins.
798 These are handled differently from the classical memory memory
799 access builtins above. */
800
801 case BUILT_IN_ATOMIC_LOAD_1:
802 is_store = false;
803 /* FALLTHRU */
804 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
805 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
806 case BUILT_IN_SYNC_FETCH_AND_OR_1:
807 case BUILT_IN_SYNC_FETCH_AND_AND_1:
808 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
809 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
810 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
811 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
812 case BUILT_IN_SYNC_OR_AND_FETCH_1:
813 case BUILT_IN_SYNC_AND_AND_FETCH_1:
814 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
815 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
816 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
817 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
818 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
819 case BUILT_IN_SYNC_LOCK_RELEASE_1:
820 case BUILT_IN_ATOMIC_EXCHANGE_1:
821 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
822 case BUILT_IN_ATOMIC_STORE_1:
823 case BUILT_IN_ATOMIC_ADD_FETCH_1:
824 case BUILT_IN_ATOMIC_SUB_FETCH_1:
825 case BUILT_IN_ATOMIC_AND_FETCH_1:
826 case BUILT_IN_ATOMIC_NAND_FETCH_1:
827 case BUILT_IN_ATOMIC_XOR_FETCH_1:
828 case BUILT_IN_ATOMIC_OR_FETCH_1:
829 case BUILT_IN_ATOMIC_FETCH_ADD_1:
830 case BUILT_IN_ATOMIC_FETCH_SUB_1:
831 case BUILT_IN_ATOMIC_FETCH_AND_1:
832 case BUILT_IN_ATOMIC_FETCH_NAND_1:
833 case BUILT_IN_ATOMIC_FETCH_XOR_1:
834 case BUILT_IN_ATOMIC_FETCH_OR_1:
835 access_size = 1;
836 goto do_atomic;
837
838 case BUILT_IN_ATOMIC_LOAD_2:
839 is_store = false;
840 /* FALLTHRU */
841 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
842 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
843 case BUILT_IN_SYNC_FETCH_AND_OR_2:
844 case BUILT_IN_SYNC_FETCH_AND_AND_2:
845 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
846 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
847 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
848 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
849 case BUILT_IN_SYNC_OR_AND_FETCH_2:
850 case BUILT_IN_SYNC_AND_AND_FETCH_2:
851 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
852 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
853 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
854 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
855 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
856 case BUILT_IN_SYNC_LOCK_RELEASE_2:
857 case BUILT_IN_ATOMIC_EXCHANGE_2:
858 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
859 case BUILT_IN_ATOMIC_STORE_2:
860 case BUILT_IN_ATOMIC_ADD_FETCH_2:
861 case BUILT_IN_ATOMIC_SUB_FETCH_2:
862 case BUILT_IN_ATOMIC_AND_FETCH_2:
863 case BUILT_IN_ATOMIC_NAND_FETCH_2:
864 case BUILT_IN_ATOMIC_XOR_FETCH_2:
865 case BUILT_IN_ATOMIC_OR_FETCH_2:
866 case BUILT_IN_ATOMIC_FETCH_ADD_2:
867 case BUILT_IN_ATOMIC_FETCH_SUB_2:
868 case BUILT_IN_ATOMIC_FETCH_AND_2:
869 case BUILT_IN_ATOMIC_FETCH_NAND_2:
870 case BUILT_IN_ATOMIC_FETCH_XOR_2:
871 case BUILT_IN_ATOMIC_FETCH_OR_2:
872 access_size = 2;
873 goto do_atomic;
874
875 case BUILT_IN_ATOMIC_LOAD_4:
876 is_store = false;
877 /* FALLTHRU */
878 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
879 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
880 case BUILT_IN_SYNC_FETCH_AND_OR_4:
881 case BUILT_IN_SYNC_FETCH_AND_AND_4:
882 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
883 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
884 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
885 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
886 case BUILT_IN_SYNC_OR_AND_FETCH_4:
887 case BUILT_IN_SYNC_AND_AND_FETCH_4:
888 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
889 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
890 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
891 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
892 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
893 case BUILT_IN_SYNC_LOCK_RELEASE_4:
894 case BUILT_IN_ATOMIC_EXCHANGE_4:
895 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
896 case BUILT_IN_ATOMIC_STORE_4:
897 case BUILT_IN_ATOMIC_ADD_FETCH_4:
898 case BUILT_IN_ATOMIC_SUB_FETCH_4:
899 case BUILT_IN_ATOMIC_AND_FETCH_4:
900 case BUILT_IN_ATOMIC_NAND_FETCH_4:
901 case BUILT_IN_ATOMIC_XOR_FETCH_4:
902 case BUILT_IN_ATOMIC_OR_FETCH_4:
903 case BUILT_IN_ATOMIC_FETCH_ADD_4:
904 case BUILT_IN_ATOMIC_FETCH_SUB_4:
905 case BUILT_IN_ATOMIC_FETCH_AND_4:
906 case BUILT_IN_ATOMIC_FETCH_NAND_4:
907 case BUILT_IN_ATOMIC_FETCH_XOR_4:
908 case BUILT_IN_ATOMIC_FETCH_OR_4:
909 access_size = 4;
910 goto do_atomic;
911
912 case BUILT_IN_ATOMIC_LOAD_8:
913 is_store = false;
914 /* FALLTHRU */
915 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
916 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
917 case BUILT_IN_SYNC_FETCH_AND_OR_8:
918 case BUILT_IN_SYNC_FETCH_AND_AND_8:
919 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
920 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
921 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
922 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
923 case BUILT_IN_SYNC_OR_AND_FETCH_8:
924 case BUILT_IN_SYNC_AND_AND_FETCH_8:
925 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
926 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
927 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
928 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
929 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
930 case BUILT_IN_SYNC_LOCK_RELEASE_8:
931 case BUILT_IN_ATOMIC_EXCHANGE_8:
932 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
933 case BUILT_IN_ATOMIC_STORE_8:
934 case BUILT_IN_ATOMIC_ADD_FETCH_8:
935 case BUILT_IN_ATOMIC_SUB_FETCH_8:
936 case BUILT_IN_ATOMIC_AND_FETCH_8:
937 case BUILT_IN_ATOMIC_NAND_FETCH_8:
938 case BUILT_IN_ATOMIC_XOR_FETCH_8:
939 case BUILT_IN_ATOMIC_OR_FETCH_8:
940 case BUILT_IN_ATOMIC_FETCH_ADD_8:
941 case BUILT_IN_ATOMIC_FETCH_SUB_8:
942 case BUILT_IN_ATOMIC_FETCH_AND_8:
943 case BUILT_IN_ATOMIC_FETCH_NAND_8:
944 case BUILT_IN_ATOMIC_FETCH_XOR_8:
945 case BUILT_IN_ATOMIC_FETCH_OR_8:
946 access_size = 8;
947 goto do_atomic;
948
949 case BUILT_IN_ATOMIC_LOAD_16:
950 is_store = false;
951 /* FALLTHRU */
952 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
953 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
954 case BUILT_IN_SYNC_FETCH_AND_OR_16:
955 case BUILT_IN_SYNC_FETCH_AND_AND_16:
956 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
957 case BUILT_IN_SYNC_FETCH_AND_NAND_16:
958 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
959 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
960 case BUILT_IN_SYNC_OR_AND_FETCH_16:
961 case BUILT_IN_SYNC_AND_AND_FETCH_16:
962 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
963 case BUILT_IN_SYNC_NAND_AND_FETCH_16:
964 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
965 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
966 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
967 case BUILT_IN_SYNC_LOCK_RELEASE_16:
968 case BUILT_IN_ATOMIC_EXCHANGE_16:
969 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
970 case BUILT_IN_ATOMIC_STORE_16:
971 case BUILT_IN_ATOMIC_ADD_FETCH_16:
972 case BUILT_IN_ATOMIC_SUB_FETCH_16:
973 case BUILT_IN_ATOMIC_AND_FETCH_16:
974 case BUILT_IN_ATOMIC_NAND_FETCH_16:
975 case BUILT_IN_ATOMIC_XOR_FETCH_16:
976 case BUILT_IN_ATOMIC_OR_FETCH_16:
977 case BUILT_IN_ATOMIC_FETCH_ADD_16:
978 case BUILT_IN_ATOMIC_FETCH_SUB_16:
979 case BUILT_IN_ATOMIC_FETCH_AND_16:
980 case BUILT_IN_ATOMIC_FETCH_NAND_16:
981 case BUILT_IN_ATOMIC_FETCH_XOR_16:
982 case BUILT_IN_ATOMIC_FETCH_OR_16:
983 access_size = 16;
984 /* FALLTHRU */
985 do_atomic:
986 {
987 dest = gimple_call_arg (call, 0);
988 /* DEST represents the address of a memory location.
989 instrument_derefs wants the memory location, so lets
990 dereference the address DEST before handing it to
991 instrument_derefs. */
992 tree type = build_nonstandard_integer_type (access_size
993 * BITS_PER_UNIT, 1);
994 dest = build2 (MEM_REF, type, dest,
995 build_int_cst (build_pointer_type (char_type_node), 0));
996 break;
997 }
998
999 default:
1000 /* The other builtins memory access are not instrumented in this
1001 function because they either don't have any length parameter,
1002 or their length parameter is just a limit. */
1003 break;
1004 }
1005
1006 if (len != NULL_TREE)
1007 {
1008 if (source0 != NULL_TREE)
1009 {
1010 src0->start = source0;
1011 src0->access_size = access_size;
1012 *src0_len = len;
1013 *src0_is_store = false;
1014 }
1015
1016 if (source1 != NULL_TREE)
1017 {
1018 src1->start = source1;
1019 src1->access_size = access_size;
1020 *src1_len = len;
1021 *src1_is_store = false;
1022 }
1023
1024 if (dest != NULL_TREE)
1025 {
1026 dst->start = dest;
1027 dst->access_size = access_size;
1028 *dst_len = len;
1029 *dst_is_store = true;
1030 }
1031
1032 got_reference_p = true;
1033 }
1034 else if (dest)
1035 {
1036 dst->start = dest;
1037 dst->access_size = access_size;
1038 *dst_len = NULL_TREE;
1039 *dst_is_store = is_store;
1040 *dest_is_deref = true;
1041 got_reference_p = true;
1042 }
1043
1044 return got_reference_p;
1045 }
1046
1047 /* Return true iff a given gimple statement has been instrumented.
1048 Note that the statement is "defined" by the memory references it
1049 contains. */
1050
1051 static bool
1052 has_stmt_been_instrumented_p (gimple *stmt)
1053 {
1054 if (gimple_assign_single_p (stmt))
1055 {
1056 bool r_is_store;
1057 asan_mem_ref r;
1058 asan_mem_ref_init (&r, NULL, 1);
1059
1060 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
1061 &r_is_store))
1062 return has_mem_ref_been_instrumented (&r);
1063 }
1064 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
1065 {
1066 asan_mem_ref src0, src1, dest;
1067 asan_mem_ref_init (&src0, NULL, 1);
1068 asan_mem_ref_init (&src1, NULL, 1);
1069 asan_mem_ref_init (&dest, NULL, 1);
1070
1071 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1072 bool src0_is_store = false, src1_is_store = false,
1073 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
1074 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
1075 &src0, &src0_len, &src0_is_store,
1076 &src1, &src1_len, &src1_is_store,
1077 &dest, &dest_len, &dest_is_store,
1078 &dest_is_deref, &intercepted_p))
1079 {
1080 if (src0.start != NULL_TREE
1081 && !has_mem_ref_been_instrumented (&src0, src0_len))
1082 return false;
1083
1084 if (src1.start != NULL_TREE
1085 && !has_mem_ref_been_instrumented (&src1, src1_len))
1086 return false;
1087
1088 if (dest.start != NULL_TREE
1089 && !has_mem_ref_been_instrumented (&dest, dest_len))
1090 return false;
1091
1092 return true;
1093 }
1094 }
1095 else if (is_gimple_call (stmt) && gimple_store_p (stmt))
1096 {
1097 asan_mem_ref r;
1098 asan_mem_ref_init (&r, NULL, 1);
1099
1100 r.start = gimple_call_lhs (stmt);
1101 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
1102 return has_mem_ref_been_instrumented (&r);
1103 }
1104
1105 return false;
1106 }
1107
1108 /* Insert a memory reference into the hash table. */
1109
1110 static void
1111 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
1112 {
1113 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
1114
1115 asan_mem_ref r;
1116 asan_mem_ref_init (&r, ref, access_size);
1117
1118 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
1119 if (*slot == NULL || (*slot)->access_size < access_size)
1120 *slot = asan_mem_ref_new (ref, access_size);
1121 }
1122
1123 /* Initialize shadow_ptr_types array. */
1124
1125 static void
1126 asan_init_shadow_ptr_types (void)
1127 {
1128 asan_shadow_set = new_alias_set ();
1129 tree types[3] = { signed_char_type_node, short_integer_type_node,
1130 integer_type_node };
1131
1132 for (unsigned i = 0; i < 3; i++)
1133 {
1134 shadow_ptr_types[i] = build_distinct_type_copy (types[i]);
1135 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set;
1136 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]);
1137 }
1138
1139 initialize_sanitizer_builtins ();
1140 }
1141
1142 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
1143
1144 static tree
1145 asan_pp_string (pretty_printer *pp)
1146 {
1147 const char *buf = pp_formatted_text (pp);
1148 size_t len = strlen (buf);
1149 tree ret = build_string (len + 1, buf);
1150 TREE_TYPE (ret)
1151 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
1152 build_index_type (size_int (len)));
1153 TREE_READONLY (ret) = 1;
1154 TREE_STATIC (ret) = 1;
1155 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
1156 }
1157
1158 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1159 though. */
1160
1161 static void
1162 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
1163 {
1164 rtx_insn *insn, *insns, *jump;
1165 rtx_code_label *top_label;
1166 rtx end, addr, tmp;
1167
1168 gcc_assert ((len & 3) == 0);
1169 start_sequence ();
1170 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
1171 insns = get_insns ();
1172 end_sequence ();
1173 for (insn = insns; insn; insn = NEXT_INSN (insn))
1174 if (CALL_P (insn))
1175 break;
1176 if (insn == NULL_RTX)
1177 {
1178 emit_insn (insns);
1179 return;
1180 }
1181
1182 top_label = gen_label_rtx ();
1183 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
1184 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1185 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1186 emit_label (top_label);
1187
1188 emit_move_insn (shadow_mem, const0_rtx);
1189 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
1190 true, OPTAB_LIB_WIDEN);
1191 if (tmp != addr)
1192 emit_move_insn (addr, tmp);
1193 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1194 jump = get_last_insn ();
1195 gcc_assert (JUMP_P (jump));
1196 add_reg_br_prob_note (jump,
1197 profile_probability::guessed_always ()
1198 .apply_scale (80, 100));
1199 }
1200
1201 void
1202 asan_function_start (void)
1203 {
1204 section *fnsec = function_section (current_function_decl);
1205 switch_to_section (fnsec);
1206 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
1207 current_function_funcdef_no);
1208 }
1209
1210 /* Return number of shadow bytes that are occupied by a local variable
1211 of SIZE bytes. */
1212
1213 static unsigned HOST_WIDE_INT
1214 shadow_mem_size (unsigned HOST_WIDE_INT size)
1215 {
1216 /* It must be possible to align stack variables to granularity
1217 of shadow memory. */
1218 gcc_assert (BITS_PER_UNIT
1219 * ASAN_SHADOW_GRANULARITY <= MAX_SUPPORTED_STACK_ALIGNMENT);
1220
1221 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY;
1222 }
1223
1224 /* Always emit 4 bytes at a time. */
1225 #define RZ_BUFFER_SIZE 4
1226
1227 /* ASAN redzone buffer container that handles emission of shadow bytes. */
1228 struct asan_redzone_buffer
1229 {
1230 /* Constructor. */
1231 asan_redzone_buffer (rtx shadow_mem, HOST_WIDE_INT prev_offset):
1232 m_shadow_mem (shadow_mem), m_prev_offset (prev_offset),
1233 m_original_offset (prev_offset), m_shadow_bytes (RZ_BUFFER_SIZE)
1234 {}
1235
1236 /* Emit VALUE shadow byte at a given OFFSET. */
1237 void emit_redzone_byte (HOST_WIDE_INT offset, unsigned char value);
1238
1239 /* Emit RTX emission of the content of the buffer. */
1240 void flush_redzone_payload (void);
1241
1242 private:
1243 /* Flush if the content of the buffer is full
1244 (equal to RZ_BUFFER_SIZE). */
1245 void flush_if_full (void);
1246
1247 /* Memory where we last emitted a redzone payload. */
1248 rtx m_shadow_mem;
1249
1250 /* Relative offset where we last emitted a redzone payload. */
1251 HOST_WIDE_INT m_prev_offset;
1252
1253 /* Relative original offset. Used for checking only. */
1254 HOST_WIDE_INT m_original_offset;
1255
1256 public:
1257 /* Buffer with redzone payload. */
1258 auto_vec<unsigned char> m_shadow_bytes;
1259 };
1260
1261 /* Emit VALUE shadow byte at a given OFFSET. */
1262
1263 void
1264 asan_redzone_buffer::emit_redzone_byte (HOST_WIDE_INT offset,
1265 unsigned char value)
1266 {
1267 gcc_assert ((offset & (ASAN_SHADOW_GRANULARITY - 1)) == 0);
1268 gcc_assert (offset >= m_prev_offset);
1269
1270 HOST_WIDE_INT off
1271 = m_prev_offset + ASAN_SHADOW_GRANULARITY * m_shadow_bytes.length ();
1272 if (off == offset)
1273 {
1274 /* Consecutive shadow memory byte. */
1275 m_shadow_bytes.safe_push (value);
1276 flush_if_full ();
1277 }
1278 else
1279 {
1280 if (!m_shadow_bytes.is_empty ())
1281 flush_redzone_payload ();
1282
1283 /* Maybe start earlier in order to use aligned store. */
1284 HOST_WIDE_INT align = (offset - m_prev_offset) % ASAN_RED_ZONE_SIZE;
1285 if (align)
1286 {
1287 offset -= align;
1288 for (unsigned i = 0; i < align / BITS_PER_UNIT; i++)
1289 m_shadow_bytes.safe_push (0);
1290 }
1291
1292 /* Adjust m_prev_offset and m_shadow_mem. */
1293 HOST_WIDE_INT diff = offset - m_prev_offset;
1294 m_shadow_mem = adjust_address (m_shadow_mem, VOIDmode,
1295 diff >> ASAN_SHADOW_SHIFT);
1296 m_prev_offset = offset;
1297 m_shadow_bytes.safe_push (value);
1298 flush_if_full ();
1299 }
1300 }
1301
1302 /* Emit RTX emission of the content of the buffer. */
1303
1304 void
1305 asan_redzone_buffer::flush_redzone_payload (void)
1306 {
1307 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
1308
1309 if (m_shadow_bytes.is_empty ())
1310 return;
1311
1312 /* Be sure we always emit to an aligned address. */
1313 gcc_assert (((m_prev_offset - m_original_offset)
1314 & (ASAN_RED_ZONE_SIZE - 1)) == 0);
1315
1316 /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */
1317 unsigned l = m_shadow_bytes.length ();
1318 for (unsigned i = 0; i <= RZ_BUFFER_SIZE - l; i++)
1319 m_shadow_bytes.safe_push (0);
1320
1321 if (dump_file && (dump_flags & TDF_DETAILS))
1322 fprintf (dump_file,
1323 "Flushing rzbuffer at offset %" PRId64 " with: ", m_prev_offset);
1324
1325 unsigned HOST_WIDE_INT val = 0;
1326 for (unsigned i = 0; i < RZ_BUFFER_SIZE; i++)
1327 {
1328 unsigned char v
1329 = m_shadow_bytes[BYTES_BIG_ENDIAN ? RZ_BUFFER_SIZE - i - 1 : i];
1330 val |= (unsigned HOST_WIDE_INT)v << (BITS_PER_UNIT * i);
1331 if (dump_file && (dump_flags & TDF_DETAILS))
1332 fprintf (dump_file, "%02x ", v);
1333 }
1334
1335 if (dump_file && (dump_flags & TDF_DETAILS))
1336 fprintf (dump_file, "\n");
1337
1338 rtx c = gen_int_mode (val, SImode);
1339 m_shadow_mem = adjust_address (m_shadow_mem, SImode, 0);
1340 emit_move_insn (m_shadow_mem, c);
1341 m_shadow_bytes.truncate (0);
1342 }
1343
1344 /* Flush if the content of the buffer is full
1345 (equal to RZ_BUFFER_SIZE). */
1346
1347 void
1348 asan_redzone_buffer::flush_if_full (void)
1349 {
1350 if (m_shadow_bytes.length () == RZ_BUFFER_SIZE)
1351 flush_redzone_payload ();
1352 }
1353
1354 /* Insert code to protect stack vars. The prologue sequence should be emitted
1355 directly, epilogue sequence returned. BASE is the register holding the
1356 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1357 array contains pairs of offsets in reverse order, always the end offset
1358 of some gap that needs protection followed by starting offset,
1359 and DECLS is an array of representative decls for each var partition.
1360 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1361 elements long (OFFSETS include gap before the first variable as well
1362 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1363 register which stack vars DECL_RTLs are based on. Either BASE should be
1364 assigned to PBASE, when not doing use after return protection, or
1365 corresponding address based on __asan_stack_malloc* return value. */
1366
1367 rtx_insn *
1368 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1369 HOST_WIDE_INT *offsets, tree *decls, int length)
1370 {
1371 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1372 rtx_code_label *lab;
1373 rtx_insn *insns;
1374 char buf[32];
1375 HOST_WIDE_INT base_offset = offsets[length - 1];
1376 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1377 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
1378 HOST_WIDE_INT last_offset, last_size, last_size_aligned;
1379 int l;
1380 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
1381 tree str_cst, decl, id;
1382 int use_after_return_class = -1;
1383
1384 if (shadow_ptr_types[0] == NULL_TREE)
1385 asan_init_shadow_ptr_types ();
1386
1387 expanded_location cfun_xloc
1388 = expand_location (DECL_SOURCE_LOCATION (current_function_decl));
1389
1390 /* First of all, prepare the description string. */
1391 pretty_printer asan_pp;
1392
1393 pp_decimal_int (&asan_pp, length / 2 - 1);
1394 pp_space (&asan_pp);
1395 for (l = length - 2; l; l -= 2)
1396 {
1397 tree decl = decls[l / 2 - 1];
1398 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1399 pp_space (&asan_pp);
1400 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1401 pp_space (&asan_pp);
1402
1403 expanded_location xloc
1404 = expand_location (DECL_SOURCE_LOCATION (decl));
1405 char location[32];
1406
1407 if (xloc.file == cfun_xloc.file)
1408 sprintf (location, ":%d", xloc.line);
1409 else
1410 location[0] = '\0';
1411
1412 if (DECL_P (decl) && DECL_NAME (decl))
1413 {
1414 unsigned idlen
1415 = IDENTIFIER_LENGTH (DECL_NAME (decl)) + strlen (location);
1416 pp_decimal_int (&asan_pp, idlen);
1417 pp_space (&asan_pp);
1418 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
1419 pp_string (&asan_pp, location);
1420 }
1421 else
1422 pp_string (&asan_pp, "9 <unknown>");
1423
1424 if (l > 2)
1425 pp_space (&asan_pp);
1426 }
1427 str_cst = asan_pp_string (&asan_pp);
1428
1429 /* Emit the prologue sequence. */
1430 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1431 && ASAN_USE_AFTER_RETURN)
1432 {
1433 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1434 /* __asan_stack_malloc_N guarantees alignment
1435 N < 6 ? (64 << N) : 4096 bytes. */
1436 if (alignb > (use_after_return_class < 6
1437 ? (64U << use_after_return_class) : 4096U))
1438 use_after_return_class = -1;
1439 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1440 base_align_bias = ((asan_frame_size + alignb - 1)
1441 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1442 }
1443 /* Align base if target is STRICT_ALIGNMENT. */
1444 if (STRICT_ALIGNMENT)
1445 base = expand_binop (Pmode, and_optab, base,
1446 gen_int_mode (-((GET_MODE_ALIGNMENT (SImode)
1447 << ASAN_SHADOW_SHIFT)
1448 / BITS_PER_UNIT), Pmode), NULL_RTX,
1449 1, OPTAB_DIRECT);
1450
1451 if (use_after_return_class == -1 && pbase)
1452 emit_move_insn (pbase, base);
1453
1454 base = expand_binop (Pmode, add_optab, base,
1455 gen_int_mode (base_offset - base_align_bias, Pmode),
1456 NULL_RTX, 1, OPTAB_DIRECT);
1457 orig_base = NULL_RTX;
1458 if (use_after_return_class != -1)
1459 {
1460 if (asan_detect_stack_use_after_return == NULL_TREE)
1461 {
1462 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1463 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1464 integer_type_node);
1465 SET_DECL_ASSEMBLER_NAME (decl, id);
1466 TREE_ADDRESSABLE (decl) = 1;
1467 DECL_ARTIFICIAL (decl) = 1;
1468 DECL_IGNORED_P (decl) = 1;
1469 DECL_EXTERNAL (decl) = 1;
1470 TREE_STATIC (decl) = 1;
1471 TREE_PUBLIC (decl) = 1;
1472 TREE_USED (decl) = 1;
1473 asan_detect_stack_use_after_return = decl;
1474 }
1475 orig_base = gen_reg_rtx (Pmode);
1476 emit_move_insn (orig_base, base);
1477 ret = expand_normal (asan_detect_stack_use_after_return);
1478 lab = gen_label_rtx ();
1479 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1480 VOIDmode, 0, lab,
1481 profile_probability::very_likely ());
1482 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1483 use_after_return_class);
1484 ret = init_one_libfunc (buf);
1485 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode,
1486 GEN_INT (asan_frame_size
1487 + base_align_bias),
1488 TYPE_MODE (pointer_sized_int_node));
1489 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1490 and NULL otherwise. Check RET value is NULL here and jump over the
1491 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1492 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1493 VOIDmode, 0, lab,
1494 profile_probability:: very_unlikely ());
1495 ret = convert_memory_address (Pmode, ret);
1496 emit_move_insn (base, ret);
1497 emit_label (lab);
1498 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1499 gen_int_mode (base_align_bias
1500 - base_offset, Pmode),
1501 NULL_RTX, 1, OPTAB_DIRECT));
1502 }
1503 mem = gen_rtx_MEM (ptr_mode, base);
1504 mem = adjust_address (mem, VOIDmode, base_align_bias);
1505 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1506 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1507 emit_move_insn (mem, expand_normal (str_cst));
1508 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1509 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1510 id = get_identifier (buf);
1511 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1512 VAR_DECL, id, char_type_node);
1513 SET_DECL_ASSEMBLER_NAME (decl, id);
1514 TREE_ADDRESSABLE (decl) = 1;
1515 TREE_READONLY (decl) = 1;
1516 DECL_ARTIFICIAL (decl) = 1;
1517 DECL_IGNORED_P (decl) = 1;
1518 TREE_STATIC (decl) = 1;
1519 TREE_PUBLIC (decl) = 0;
1520 TREE_USED (decl) = 1;
1521 DECL_INITIAL (decl) = decl;
1522 TREE_ASM_WRITTEN (decl) = 1;
1523 TREE_ASM_WRITTEN (id) = 1;
1524 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
1525 shadow_base = expand_binop (Pmode, lshr_optab, base,
1526 gen_int_shift_amount (Pmode, ASAN_SHADOW_SHIFT),
1527 NULL_RTX, 1, OPTAB_DIRECT);
1528 shadow_base
1529 = plus_constant (Pmode, shadow_base,
1530 asan_shadow_offset ()
1531 + (base_align_bias >> ASAN_SHADOW_SHIFT));
1532 gcc_assert (asan_shadow_set != -1
1533 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1534 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1535 set_mem_alias_set (shadow_mem, asan_shadow_set);
1536 if (STRICT_ALIGNMENT)
1537 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1538 prev_offset = base_offset;
1539
1540 asan_redzone_buffer rz_buffer (shadow_mem, prev_offset);
1541 for (l = length; l; l -= 2)
1542 {
1543 if (l == 2)
1544 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1545 offset = offsets[l - 1];
1546
1547 bool extra_byte = (offset - base_offset) & (ASAN_SHADOW_GRANULARITY - 1);
1548 /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then
1549 the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0.
1550 In that case we have to emit one extra byte that will describe
1551 how many bytes (our of ASAN_SHADOW_GRANULARITY) can be accessed. */
1552 if (extra_byte)
1553 {
1554 HOST_WIDE_INT aoff
1555 = base_offset + ((offset - base_offset)
1556 & ~(ASAN_SHADOW_GRANULARITY - HOST_WIDE_INT_1));
1557 rz_buffer.emit_redzone_byte (aoff, offset - aoff);
1558 offset = aoff + ASAN_SHADOW_GRANULARITY;
1559 }
1560
1561 /* Calculate size of red zone payload. */
1562 while (offset < offsets[l - 2])
1563 {
1564 rz_buffer.emit_redzone_byte (offset, cur_shadow_byte);
1565 offset += ASAN_SHADOW_GRANULARITY;
1566 }
1567
1568 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1569 }
1570
1571 /* As the automatic variables are aligned to
1572 ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be
1573 flushed here. */
1574 gcc_assert (rz_buffer.m_shadow_bytes.is_empty ());
1575
1576 do_pending_stack_adjust ();
1577
1578 /* Construct epilogue sequence. */
1579 start_sequence ();
1580
1581 lab = NULL;
1582 if (use_after_return_class != -1)
1583 {
1584 rtx_code_label *lab2 = gen_label_rtx ();
1585 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
1586 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
1587 VOIDmode, 0, lab2,
1588 profile_probability::very_likely ());
1589 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1590 set_mem_alias_set (shadow_mem, asan_shadow_set);
1591 mem = gen_rtx_MEM (ptr_mode, base);
1592 mem = adjust_address (mem, VOIDmode, base_align_bias);
1593 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
1594 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
1595 if (use_after_return_class < 5
1596 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
1597 BITS_PER_UNIT, true))
1598 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
1599 BITS_PER_UNIT, true, RETURN_BEGIN);
1600 else if (use_after_return_class >= 5
1601 || !set_storage_via_setmem (shadow_mem,
1602 GEN_INT (sz),
1603 gen_int_mode (c, QImode),
1604 BITS_PER_UNIT, BITS_PER_UNIT,
1605 -1, sz, sz, sz))
1606 {
1607 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
1608 use_after_return_class);
1609 ret = init_one_libfunc (buf);
1610 rtx addr = convert_memory_address (ptr_mode, base);
1611 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
1612 emit_library_call (ret, LCT_NORMAL, ptr_mode, addr, ptr_mode,
1613 GEN_INT (asan_frame_size + base_align_bias),
1614 TYPE_MODE (pointer_sized_int_node),
1615 orig_addr, ptr_mode);
1616 }
1617 lab = gen_label_rtx ();
1618 emit_jump (lab);
1619 emit_label (lab2);
1620 }
1621
1622 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1623 set_mem_alias_set (shadow_mem, asan_shadow_set);
1624
1625 if (STRICT_ALIGNMENT)
1626 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1627
1628 prev_offset = base_offset;
1629 last_offset = base_offset;
1630 last_size = 0;
1631 last_size_aligned = 0;
1632 for (l = length; l; l -= 2)
1633 {
1634 offset = base_offset + ((offsets[l - 1] - base_offset)
1635 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1636 if (last_offset + last_size_aligned < offset)
1637 {
1638 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1639 (last_offset - prev_offset)
1640 >> ASAN_SHADOW_SHIFT);
1641 prev_offset = last_offset;
1642 asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT);
1643 last_offset = offset;
1644 last_size = 0;
1645 }
1646 else
1647 last_size = offset - last_offset;
1648 last_size += base_offset + ((offsets[l - 2] - base_offset)
1649 & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
1650 - offset;
1651
1652 /* Unpoison shadow memory that corresponds to a variable that is
1653 is subject of use-after-return sanitization. */
1654 if (l > 2)
1655 {
1656 decl = decls[l / 2 - 2];
1657 if (asan_handled_variables != NULL
1658 && asan_handled_variables->contains (decl))
1659 {
1660 HOST_WIDE_INT size = offsets[l - 3] - offsets[l - 2];
1661 if (dump_file && (dump_flags & TDF_DETAILS))
1662 {
1663 const char *n = (DECL_NAME (decl)
1664 ? IDENTIFIER_POINTER (DECL_NAME (decl))
1665 : "<unknown>");
1666 fprintf (dump_file, "Unpoisoning shadow stack for variable: "
1667 "%s (%" PRId64 " B)\n", n, size);
1668 }
1669
1670 last_size += size & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1);
1671 }
1672 }
1673 last_size_aligned
1674 = ((last_size + (ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
1675 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1676 }
1677 if (last_size_aligned)
1678 {
1679 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1680 (last_offset - prev_offset)
1681 >> ASAN_SHADOW_SHIFT);
1682 asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT);
1683 }
1684
1685 /* Clean-up set with instrumented stack variables. */
1686 delete asan_handled_variables;
1687 asan_handled_variables = NULL;
1688 delete asan_used_labels;
1689 asan_used_labels = NULL;
1690
1691 do_pending_stack_adjust ();
1692 if (lab)
1693 emit_label (lab);
1694
1695 insns = get_insns ();
1696 end_sequence ();
1697 return insns;
1698 }
1699
1700 /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds
1701 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE
1702 indicates whether we're emitting new instructions sequence or not. */
1703
1704 rtx_insn *
1705 asan_emit_allocas_unpoison (rtx top, rtx bot, rtx_insn *before)
1706 {
1707 if (before)
1708 push_to_sequence (before);
1709 else
1710 start_sequence ();
1711 rtx ret = init_one_libfunc ("__asan_allocas_unpoison");
1712 top = convert_memory_address (ptr_mode, top);
1713 bot = convert_memory_address (ptr_mode, bot);
1714 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode,
1715 top, ptr_mode, bot, ptr_mode);
1716
1717 do_pending_stack_adjust ();
1718 rtx_insn *insns = get_insns ();
1719 end_sequence ();
1720 return insns;
1721 }
1722
1723 /* Return true if DECL, a global var, might be overridden and needs
1724 therefore a local alias. */
1725
1726 static bool
1727 asan_needs_local_alias (tree decl)
1728 {
1729 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
1730 }
1731
1732 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
1733 therefore doesn't need protection. */
1734
1735 static bool
1736 is_odr_indicator (tree decl)
1737 {
1738 return (DECL_ARTIFICIAL (decl)
1739 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl)));
1740 }
1741
1742 /* Return true if DECL is a VAR_DECL that should be protected
1743 by Address Sanitizer, by appending a red zone with protected
1744 shadow memory after it and aligning it to at least
1745 ASAN_RED_ZONE_SIZE bytes. */
1746
1747 bool
1748 asan_protect_global (tree decl, bool ignore_decl_rtl_set_p)
1749 {
1750 if (!ASAN_GLOBALS)
1751 return false;
1752
1753 rtx rtl, symbol;
1754
1755 if (TREE_CODE (decl) == STRING_CST)
1756 {
1757 /* Instrument all STRING_CSTs except those created
1758 by asan_pp_string here. */
1759 if (shadow_ptr_types[0] != NULL_TREE
1760 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
1761 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
1762 return false;
1763 return true;
1764 }
1765 if (!VAR_P (decl)
1766 /* TLS vars aren't statically protectable. */
1767 || DECL_THREAD_LOCAL_P (decl)
1768 /* Externs will be protected elsewhere. */
1769 || DECL_EXTERNAL (decl)
1770 /* PR sanitizer/81697: For architectures that use section anchors first
1771 call to asan_protect_global may occur before DECL_RTL (decl) is set.
1772 We should ignore DECL_RTL_SET_P then, because otherwise the first call
1773 to asan_protect_global will return FALSE and the following calls on the
1774 same decl after setting DECL_RTL (decl) will return TRUE and we'll end
1775 up with inconsistency at runtime. */
1776 || (!DECL_RTL_SET_P (decl) && !ignore_decl_rtl_set_p)
1777 /* Comdat vars pose an ABI problem, we can't know if
1778 the var that is selected by the linker will have
1779 padding or not. */
1780 || DECL_ONE_ONLY (decl)
1781 /* Similarly for common vars. People can use -fno-common.
1782 Note: Linux kernel is built with -fno-common, so we do instrument
1783 globals there even if it is C. */
1784 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
1785 /* Don't protect if using user section, often vars placed
1786 into user section from multiple TUs are then assumed
1787 to be an array of such vars, putting padding in there
1788 breaks this assumption. */
1789 || (DECL_SECTION_NAME (decl) != NULL
1790 && !symtab_node::get (decl)->implicit_section
1791 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
1792 || DECL_SIZE (decl) == 0
1793 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
1794 || TREE_CODE (DECL_SIZE_UNIT (decl)) != INTEGER_CST
1795 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
1796 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
1797 || TREE_TYPE (decl) == ubsan_get_source_location_type ()
1798 || is_odr_indicator (decl))
1799 return false;
1800
1801 if (!ignore_decl_rtl_set_p || DECL_RTL_SET_P (decl))
1802 {
1803
1804 rtl = DECL_RTL (decl);
1805 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
1806 return false;
1807 symbol = XEXP (rtl, 0);
1808
1809 if (CONSTANT_POOL_ADDRESS_P (symbol)
1810 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
1811 return false;
1812 }
1813
1814 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
1815 return false;
1816
1817 if (!TARGET_SUPPORTS_ALIASES && asan_needs_local_alias (decl))
1818 return false;
1819
1820 return true;
1821 }
1822
1823 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
1824 IS_STORE is either 1 (for a store) or 0 (for a load). */
1825
1826 static tree
1827 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1828 int *nargs)
1829 {
1830 static enum built_in_function report[2][2][6]
1831 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
1832 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
1833 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
1834 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
1835 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
1836 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
1837 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
1838 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
1839 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
1840 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
1841 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
1842 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
1843 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
1844 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
1845 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
1846 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
1847 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
1848 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
1849 if (size_in_bytes == -1)
1850 {
1851 *nargs = 2;
1852 return builtin_decl_implicit (report[recover_p][is_store][5]);
1853 }
1854 *nargs = 1;
1855 int size_log2 = exact_log2 (size_in_bytes);
1856 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
1857 }
1858
1859 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
1860 IS_STORE is either 1 (for a store) or 0 (for a load). */
1861
1862 static tree
1863 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1864 int *nargs)
1865 {
1866 static enum built_in_function check[2][2][6]
1867 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
1868 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
1869 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
1870 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
1871 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
1872 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
1873 { { BUILT_IN_ASAN_LOAD1_NOABORT,
1874 BUILT_IN_ASAN_LOAD2_NOABORT,
1875 BUILT_IN_ASAN_LOAD4_NOABORT,
1876 BUILT_IN_ASAN_LOAD8_NOABORT,
1877 BUILT_IN_ASAN_LOAD16_NOABORT,
1878 BUILT_IN_ASAN_LOADN_NOABORT },
1879 { BUILT_IN_ASAN_STORE1_NOABORT,
1880 BUILT_IN_ASAN_STORE2_NOABORT,
1881 BUILT_IN_ASAN_STORE4_NOABORT,
1882 BUILT_IN_ASAN_STORE8_NOABORT,
1883 BUILT_IN_ASAN_STORE16_NOABORT,
1884 BUILT_IN_ASAN_STOREN_NOABORT } } };
1885 if (size_in_bytes == -1)
1886 {
1887 *nargs = 2;
1888 return builtin_decl_implicit (check[recover_p][is_store][5]);
1889 }
1890 *nargs = 1;
1891 int size_log2 = exact_log2 (size_in_bytes);
1892 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
1893 }
1894
1895 /* Split the current basic block and create a condition statement
1896 insertion point right before or after the statement pointed to by
1897 ITER. Return an iterator to the point at which the caller might
1898 safely insert the condition statement.
1899
1900 THEN_BLOCK must be set to the address of an uninitialized instance
1901 of basic_block. The function will then set *THEN_BLOCK to the
1902 'then block' of the condition statement to be inserted by the
1903 caller.
1904
1905 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1906 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1907
1908 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1909 block' of the condition statement to be inserted by the caller.
1910
1911 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1912 statements starting from *ITER, and *THEN_BLOCK is a new empty
1913 block.
1914
1915 *ITER is adjusted to point to always point to the first statement
1916 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1917 same as what ITER was pointing to prior to calling this function,
1918 if BEFORE_P is true; otherwise, it is its following statement. */
1919
1920 gimple_stmt_iterator
1921 create_cond_insert_point (gimple_stmt_iterator *iter,
1922 bool before_p,
1923 bool then_more_likely_p,
1924 bool create_then_fallthru_edge,
1925 basic_block *then_block,
1926 basic_block *fallthrough_block)
1927 {
1928 gimple_stmt_iterator gsi = *iter;
1929
1930 if (!gsi_end_p (gsi) && before_p)
1931 gsi_prev (&gsi);
1932
1933 basic_block cur_bb = gsi_bb (*iter);
1934
1935 edge e = split_block (cur_bb, gsi_stmt (gsi));
1936
1937 /* Get a hold on the 'condition block', the 'then block' and the
1938 'else block'. */
1939 basic_block cond_bb = e->src;
1940 basic_block fallthru_bb = e->dest;
1941 basic_block then_bb = create_empty_bb (cond_bb);
1942 if (current_loops)
1943 {
1944 add_bb_to_loop (then_bb, cond_bb->loop_father);
1945 loops_state_set (LOOPS_NEED_FIXUP);
1946 }
1947
1948 /* Set up the newly created 'then block'. */
1949 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1950 profile_probability fallthrough_probability
1951 = then_more_likely_p
1952 ? profile_probability::very_unlikely ()
1953 : profile_probability::very_likely ();
1954 e->probability = fallthrough_probability.invert ();
1955 then_bb->count = e->count ();
1956 if (create_then_fallthru_edge)
1957 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1958
1959 /* Set up the fallthrough basic block. */
1960 e = find_edge (cond_bb, fallthru_bb);
1961 e->flags = EDGE_FALSE_VALUE;
1962 e->probability = fallthrough_probability;
1963
1964 /* Update dominance info for the newly created then_bb; note that
1965 fallthru_bb's dominance info has already been updated by
1966 split_bock. */
1967 if (dom_info_available_p (CDI_DOMINATORS))
1968 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1969
1970 *then_block = then_bb;
1971 *fallthrough_block = fallthru_bb;
1972 *iter = gsi_start_bb (fallthru_bb);
1973
1974 return gsi_last_bb (cond_bb);
1975 }
1976
1977 /* Insert an if condition followed by a 'then block' right before the
1978 statement pointed to by ITER. The fallthrough block -- which is the
1979 else block of the condition as well as the destination of the
1980 outcoming edge of the 'then block' -- starts with the statement
1981 pointed to by ITER.
1982
1983 COND is the condition of the if.
1984
1985 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1986 'then block' is higher than the probability of the edge to the
1987 fallthrough block.
1988
1989 Upon completion of the function, *THEN_BB is set to the newly
1990 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1991 fallthrough block.
1992
1993 *ITER is adjusted to still point to the same statement it was
1994 pointing to initially. */
1995
1996 static void
1997 insert_if_then_before_iter (gcond *cond,
1998 gimple_stmt_iterator *iter,
1999 bool then_more_likely_p,
2000 basic_block *then_bb,
2001 basic_block *fallthrough_bb)
2002 {
2003 gimple_stmt_iterator cond_insert_point =
2004 create_cond_insert_point (iter,
2005 /*before_p=*/true,
2006 then_more_likely_p,
2007 /*create_then_fallthru_edge=*/true,
2008 then_bb,
2009 fallthrough_bb);
2010 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
2011 }
2012
2013 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
2014 If RETURN_ADDRESS is set to true, return memory location instread
2015 of a value in the shadow memory. */
2016
2017 static tree
2018 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
2019 tree base_addr, tree shadow_ptr_type,
2020 bool return_address = false)
2021 {
2022 tree t, uintptr_type = TREE_TYPE (base_addr);
2023 tree shadow_type = TREE_TYPE (shadow_ptr_type);
2024 gimple *g;
2025
2026 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
2027 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
2028 base_addr, t);
2029 gimple_set_location (g, location);
2030 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2031
2032 t = build_int_cst (uintptr_type, asan_shadow_offset ());
2033 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
2034 gimple_assign_lhs (g), t);
2035 gimple_set_location (g, location);
2036 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2037
2038 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
2039 gimple_assign_lhs (g));
2040 gimple_set_location (g, location);
2041 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2042
2043 if (!return_address)
2044 {
2045 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
2046 build_int_cst (shadow_ptr_type, 0));
2047 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
2048 gimple_set_location (g, location);
2049 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2050 }
2051
2052 return gimple_assign_lhs (g);
2053 }
2054
2055 /* BASE can already be an SSA_NAME; in that case, do not create a
2056 new SSA_NAME for it. */
2057
2058 static tree
2059 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
2060 bool before_p)
2061 {
2062 if (TREE_CODE (base) == SSA_NAME)
2063 return base;
2064 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)),
2065 TREE_CODE (base), base);
2066 gimple_set_location (g, loc);
2067 if (before_p)
2068 gsi_insert_before (iter, g, GSI_SAME_STMT);
2069 else
2070 gsi_insert_after (iter, g, GSI_NEW_STMT);
2071 return gimple_assign_lhs (g);
2072 }
2073
2074 /* LEN can already have necessary size and precision;
2075 in that case, do not create a new variable. */
2076
2077 tree
2078 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
2079 bool before_p)
2080 {
2081 if (ptrofftype_p (len))
2082 return len;
2083 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2084 NOP_EXPR, len);
2085 gimple_set_location (g, loc);
2086 if (before_p)
2087 gsi_insert_before (iter, g, GSI_SAME_STMT);
2088 else
2089 gsi_insert_after (iter, g, GSI_NEW_STMT);
2090 return gimple_assign_lhs (g);
2091 }
2092
2093 /* Instrument the memory access instruction BASE. Insert new
2094 statements before or after ITER.
2095
2096 Note that the memory access represented by BASE can be either an
2097 SSA_NAME, or a non-SSA expression. LOCATION is the source code
2098 location. IS_STORE is TRUE for a store, FALSE for a load.
2099 BEFORE_P is TRUE for inserting the instrumentation code before
2100 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
2101 for a scalar memory access and FALSE for memory region access.
2102 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
2103 length. ALIGN tells alignment of accessed memory object.
2104
2105 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
2106 memory region have already been instrumented.
2107
2108 If BEFORE_P is TRUE, *ITER is arranged to still point to the
2109 statement it was pointing to prior to calling this function,
2110 otherwise, it points to the statement logically following it. */
2111
2112 static void
2113 build_check_stmt (location_t loc, tree base, tree len,
2114 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
2115 bool is_non_zero_len, bool before_p, bool is_store,
2116 bool is_scalar_access, unsigned int align = 0)
2117 {
2118 gimple_stmt_iterator gsi = *iter;
2119 gimple *g;
2120
2121 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
2122
2123 gsi = *iter;
2124
2125 base = unshare_expr (base);
2126 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
2127
2128 if (len)
2129 {
2130 len = unshare_expr (len);
2131 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
2132 }
2133 else
2134 {
2135 gcc_assert (size_in_bytes != -1);
2136 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
2137 }
2138
2139 if (size_in_bytes > 1)
2140 {
2141 if ((size_in_bytes & (size_in_bytes - 1)) != 0
2142 || size_in_bytes > 16)
2143 is_scalar_access = false;
2144 else if (align && align < size_in_bytes * BITS_PER_UNIT)
2145 {
2146 /* On non-strict alignment targets, if
2147 16-byte access is just 8-byte aligned,
2148 this will result in misaligned shadow
2149 memory 2 byte load, but otherwise can
2150 be handled using one read. */
2151 if (size_in_bytes != 16
2152 || STRICT_ALIGNMENT
2153 || align < 8 * BITS_PER_UNIT)
2154 is_scalar_access = false;
2155 }
2156 }
2157
2158 HOST_WIDE_INT flags = 0;
2159 if (is_store)
2160 flags |= ASAN_CHECK_STORE;
2161 if (is_non_zero_len)
2162 flags |= ASAN_CHECK_NON_ZERO_LEN;
2163 if (is_scalar_access)
2164 flags |= ASAN_CHECK_SCALAR_ACCESS;
2165
2166 g = gimple_build_call_internal (IFN_ASAN_CHECK, 4,
2167 build_int_cst (integer_type_node, flags),
2168 base, len,
2169 build_int_cst (integer_type_node,
2170 align / BITS_PER_UNIT));
2171 gimple_set_location (g, loc);
2172 if (before_p)
2173 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
2174 else
2175 {
2176 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2177 gsi_next (&gsi);
2178 *iter = gsi;
2179 }
2180 }
2181
2182 /* If T represents a memory access, add instrumentation code before ITER.
2183 LOCATION is source code location.
2184 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
2185
2186 static void
2187 instrument_derefs (gimple_stmt_iterator *iter, tree t,
2188 location_t location, bool is_store)
2189 {
2190 if (is_store && !ASAN_INSTRUMENT_WRITES)
2191 return;
2192 if (!is_store && !ASAN_INSTRUMENT_READS)
2193 return;
2194
2195 tree type, base;
2196 HOST_WIDE_INT size_in_bytes;
2197 if (location == UNKNOWN_LOCATION)
2198 location = EXPR_LOCATION (t);
2199
2200 type = TREE_TYPE (t);
2201 switch (TREE_CODE (t))
2202 {
2203 case ARRAY_REF:
2204 case COMPONENT_REF:
2205 case INDIRECT_REF:
2206 case MEM_REF:
2207 case VAR_DECL:
2208 case BIT_FIELD_REF:
2209 break;
2210 /* FALLTHRU */
2211 default:
2212 return;
2213 }
2214
2215 size_in_bytes = int_size_in_bytes (type);
2216 if (size_in_bytes <= 0)
2217 return;
2218
2219 poly_int64 bitsize, bitpos;
2220 tree offset;
2221 machine_mode mode;
2222 int unsignedp, reversep, volatilep = 0;
2223 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
2224 &unsignedp, &reversep, &volatilep);
2225
2226 if (TREE_CODE (t) == COMPONENT_REF
2227 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
2228 {
2229 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
2230 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
2231 TREE_OPERAND (t, 0), repr,
2232 TREE_OPERAND (t, 2)),
2233 location, is_store);
2234 return;
2235 }
2236
2237 if (!multiple_p (bitpos, BITS_PER_UNIT)
2238 || maybe_ne (bitsize, size_in_bytes * BITS_PER_UNIT))
2239 return;
2240
2241 if (VAR_P (inner) && DECL_HARD_REGISTER (inner))
2242 return;
2243
2244 poly_int64 decl_size;
2245 if (VAR_P (inner)
2246 && offset == NULL_TREE
2247 && DECL_SIZE (inner)
2248 && poly_int_tree_p (DECL_SIZE (inner), &decl_size)
2249 && known_subrange_p (bitpos, bitsize, 0, decl_size))
2250 {
2251 if (DECL_THREAD_LOCAL_P (inner))
2252 return;
2253 if (!ASAN_GLOBALS && is_global_var (inner))
2254 return;
2255 if (!TREE_STATIC (inner))
2256 {
2257 /* Automatic vars in the current function will be always
2258 accessible. */
2259 if (decl_function_context (inner) == current_function_decl
2260 && (!asan_sanitize_use_after_scope ()
2261 || !TREE_ADDRESSABLE (inner)))
2262 return;
2263 }
2264 /* Always instrument external vars, they might be dynamically
2265 initialized. */
2266 else if (!DECL_EXTERNAL (inner))
2267 {
2268 /* For static vars if they are known not to be dynamically
2269 initialized, they will be always accessible. */
2270 varpool_node *vnode = varpool_node::get (inner);
2271 if (vnode && !vnode->dynamically_initialized)
2272 return;
2273 }
2274 }
2275
2276 base = build_fold_addr_expr (t);
2277 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
2278 {
2279 unsigned int align = get_object_alignment (t);
2280 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
2281 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
2282 is_store, /*is_scalar_access*/true, align);
2283 update_mem_ref_hash_table (base, size_in_bytes);
2284 update_mem_ref_hash_table (t, size_in_bytes);
2285 }
2286
2287 }
2288
2289 /* Insert a memory reference into the hash table if access length
2290 can be determined in compile time. */
2291
2292 static void
2293 maybe_update_mem_ref_hash_table (tree base, tree len)
2294 {
2295 if (!POINTER_TYPE_P (TREE_TYPE (base))
2296 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
2297 return;
2298
2299 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2300
2301 if (size_in_bytes != -1)
2302 update_mem_ref_hash_table (base, size_in_bytes);
2303 }
2304
2305 /* Instrument an access to a contiguous memory region that starts at
2306 the address pointed to by BASE, over a length of LEN (expressed in
2307 the sizeof (*BASE) bytes). ITER points to the instruction before
2308 which the instrumentation instructions must be inserted. LOCATION
2309 is the source location that the instrumentation instructions must
2310 have. If IS_STORE is true, then the memory access is a store;
2311 otherwise, it's a load. */
2312
2313 static void
2314 instrument_mem_region_access (tree base, tree len,
2315 gimple_stmt_iterator *iter,
2316 location_t location, bool is_store)
2317 {
2318 if (!POINTER_TYPE_P (TREE_TYPE (base))
2319 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
2320 || integer_zerop (len))
2321 return;
2322
2323 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2324
2325 if ((size_in_bytes == -1)
2326 || !has_mem_ref_been_instrumented (base, size_in_bytes))
2327 {
2328 build_check_stmt (location, base, len, size_in_bytes, iter,
2329 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
2330 is_store, /*is_scalar_access*/false, /*align*/0);
2331 }
2332
2333 maybe_update_mem_ref_hash_table (base, len);
2334 *iter = gsi_for_stmt (gsi_stmt (*iter));
2335 }
2336
2337 /* Instrument the call to a built-in memory access function that is
2338 pointed to by the iterator ITER.
2339
2340 Upon completion, return TRUE iff *ITER has been advanced to the
2341 statement following the one it was originally pointing to. */
2342
2343 static bool
2344 instrument_builtin_call (gimple_stmt_iterator *iter)
2345 {
2346 if (!ASAN_MEMINTRIN)
2347 return false;
2348
2349 bool iter_advanced_p = false;
2350 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
2351
2352 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
2353
2354 location_t loc = gimple_location (call);
2355
2356 asan_mem_ref src0, src1, dest;
2357 asan_mem_ref_init (&src0, NULL, 1);
2358 asan_mem_ref_init (&src1, NULL, 1);
2359 asan_mem_ref_init (&dest, NULL, 1);
2360
2361 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
2362 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
2363 dest_is_deref = false, intercepted_p = true;
2364
2365 if (get_mem_refs_of_builtin_call (call,
2366 &src0, &src0_len, &src0_is_store,
2367 &src1, &src1_len, &src1_is_store,
2368 &dest, &dest_len, &dest_is_store,
2369 &dest_is_deref, &intercepted_p, iter))
2370 {
2371 if (dest_is_deref)
2372 {
2373 instrument_derefs (iter, dest.start, loc, dest_is_store);
2374 gsi_next (iter);
2375 iter_advanced_p = true;
2376 }
2377 else if (!intercepted_p
2378 && (src0_len || src1_len || dest_len))
2379 {
2380 if (src0.start != NULL_TREE)
2381 instrument_mem_region_access (src0.start, src0_len,
2382 iter, loc, /*is_store=*/false);
2383 if (src1.start != NULL_TREE)
2384 instrument_mem_region_access (src1.start, src1_len,
2385 iter, loc, /*is_store=*/false);
2386 if (dest.start != NULL_TREE)
2387 instrument_mem_region_access (dest.start, dest_len,
2388 iter, loc, /*is_store=*/true);
2389
2390 *iter = gsi_for_stmt (call);
2391 gsi_next (iter);
2392 iter_advanced_p = true;
2393 }
2394 else
2395 {
2396 if (src0.start != NULL_TREE)
2397 maybe_update_mem_ref_hash_table (src0.start, src0_len);
2398 if (src1.start != NULL_TREE)
2399 maybe_update_mem_ref_hash_table (src1.start, src1_len);
2400 if (dest.start != NULL_TREE)
2401 maybe_update_mem_ref_hash_table (dest.start, dest_len);
2402 }
2403 }
2404 return iter_advanced_p;
2405 }
2406
2407 /* Instrument the assignment statement ITER if it is subject to
2408 instrumentation. Return TRUE iff instrumentation actually
2409 happened. In that case, the iterator ITER is advanced to the next
2410 logical expression following the one initially pointed to by ITER,
2411 and the relevant memory reference that which access has been
2412 instrumented is added to the memory references hash table. */
2413
2414 static bool
2415 maybe_instrument_assignment (gimple_stmt_iterator *iter)
2416 {
2417 gimple *s = gsi_stmt (*iter);
2418
2419 gcc_assert (gimple_assign_single_p (s));
2420
2421 tree ref_expr = NULL_TREE;
2422 bool is_store, is_instrumented = false;
2423
2424 if (gimple_store_p (s))
2425 {
2426 ref_expr = gimple_assign_lhs (s);
2427 is_store = true;
2428 instrument_derefs (iter, ref_expr,
2429 gimple_location (s),
2430 is_store);
2431 is_instrumented = true;
2432 }
2433
2434 if (gimple_assign_load_p (s))
2435 {
2436 ref_expr = gimple_assign_rhs1 (s);
2437 is_store = false;
2438 instrument_derefs (iter, ref_expr,
2439 gimple_location (s),
2440 is_store);
2441 is_instrumented = true;
2442 }
2443
2444 if (is_instrumented)
2445 gsi_next (iter);
2446
2447 return is_instrumented;
2448 }
2449
2450 /* Instrument the function call pointed to by the iterator ITER, if it
2451 is subject to instrumentation. At the moment, the only function
2452 calls that are instrumented are some built-in functions that access
2453 memory. Look at instrument_builtin_call to learn more.
2454
2455 Upon completion return TRUE iff *ITER was advanced to the statement
2456 following the one it was originally pointing to. */
2457
2458 static bool
2459 maybe_instrument_call (gimple_stmt_iterator *iter)
2460 {
2461 gimple *stmt = gsi_stmt (*iter);
2462 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2463
2464 if (is_builtin && instrument_builtin_call (iter))
2465 return true;
2466
2467 if (gimple_call_noreturn_p (stmt))
2468 {
2469 if (is_builtin)
2470 {
2471 tree callee = gimple_call_fndecl (stmt);
2472 switch (DECL_FUNCTION_CODE (callee))
2473 {
2474 case BUILT_IN_UNREACHABLE:
2475 case BUILT_IN_TRAP:
2476 /* Don't instrument these. */
2477 return false;
2478 default:
2479 break;
2480 }
2481 }
2482 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
2483 gimple *g = gimple_build_call (decl, 0);
2484 gimple_set_location (g, gimple_location (stmt));
2485 gsi_insert_before (iter, g, GSI_SAME_STMT);
2486 }
2487
2488 bool instrumented = false;
2489 if (gimple_store_p (stmt))
2490 {
2491 tree ref_expr = gimple_call_lhs (stmt);
2492 instrument_derefs (iter, ref_expr,
2493 gimple_location (stmt),
2494 /*is_store=*/true);
2495
2496 instrumented = true;
2497 }
2498
2499 /* Walk through gimple_call arguments and check them id needed. */
2500 unsigned args_num = gimple_call_num_args (stmt);
2501 for (unsigned i = 0; i < args_num; ++i)
2502 {
2503 tree arg = gimple_call_arg (stmt, i);
2504 /* If ARG is not a non-aggregate register variable, compiler in general
2505 creates temporary for it and pass it as argument to gimple call.
2506 But in some cases, e.g. when we pass by value a small structure that
2507 fits to register, compiler can avoid extra overhead by pulling out
2508 these temporaries. In this case, we should check the argument. */
2509 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
2510 {
2511 instrument_derefs (iter, arg,
2512 gimple_location (stmt),
2513 /*is_store=*/false);
2514 instrumented = true;
2515 }
2516 }
2517 if (instrumented)
2518 gsi_next (iter);
2519 return instrumented;
2520 }
2521
2522 /* Walk each instruction of all basic block and instrument those that
2523 represent memory references: loads, stores, or function calls.
2524 In a given basic block, this function avoids instrumenting memory
2525 references that have already been instrumented. */
2526
2527 static void
2528 transform_statements (void)
2529 {
2530 basic_block bb, last_bb = NULL;
2531 gimple_stmt_iterator i;
2532 int saved_last_basic_block = last_basic_block_for_fn (cfun);
2533
2534 FOR_EACH_BB_FN (bb, cfun)
2535 {
2536 basic_block prev_bb = bb;
2537
2538 if (bb->index >= saved_last_basic_block) continue;
2539
2540 /* Flush the mem ref hash table, if current bb doesn't have
2541 exactly one predecessor, or if that predecessor (skipping
2542 over asan created basic blocks) isn't the last processed
2543 basic block. Thus we effectively flush on extended basic
2544 block boundaries. */
2545 while (single_pred_p (prev_bb))
2546 {
2547 prev_bb = single_pred (prev_bb);
2548 if (prev_bb->index < saved_last_basic_block)
2549 break;
2550 }
2551 if (prev_bb != last_bb)
2552 empty_mem_ref_hash_table ();
2553 last_bb = bb;
2554
2555 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
2556 {
2557 gimple *s = gsi_stmt (i);
2558
2559 if (has_stmt_been_instrumented_p (s))
2560 gsi_next (&i);
2561 else if (gimple_assign_single_p (s)
2562 && !gimple_clobber_p (s)
2563 && maybe_instrument_assignment (&i))
2564 /* Nothing to do as maybe_instrument_assignment advanced
2565 the iterator I. */;
2566 else if (is_gimple_call (s) && maybe_instrument_call (&i))
2567 /* Nothing to do as maybe_instrument_call
2568 advanced the iterator I. */;
2569 else
2570 {
2571 /* No instrumentation happened.
2572
2573 If the current instruction is a function call that
2574 might free something, let's forget about the memory
2575 references that got instrumented. Otherwise we might
2576 miss some instrumentation opportunities. Do the same
2577 for a ASAN_MARK poisoning internal function. */
2578 if (is_gimple_call (s)
2579 && (!nonfreeing_call_p (s)
2580 || asan_mark_p (s, ASAN_MARK_POISON)))
2581 empty_mem_ref_hash_table ();
2582
2583 gsi_next (&i);
2584 }
2585 }
2586 }
2587 free_mem_ref_resources ();
2588 }
2589
2590 /* Build
2591 __asan_before_dynamic_init (module_name)
2592 or
2593 __asan_after_dynamic_init ()
2594 call. */
2595
2596 tree
2597 asan_dynamic_init_call (bool after_p)
2598 {
2599 if (shadow_ptr_types[0] == NULL_TREE)
2600 asan_init_shadow_ptr_types ();
2601
2602 tree fn = builtin_decl_implicit (after_p
2603 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
2604 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
2605 tree module_name_cst = NULL_TREE;
2606 if (!after_p)
2607 {
2608 pretty_printer module_name_pp;
2609 pp_string (&module_name_pp, main_input_filename);
2610
2611 module_name_cst = asan_pp_string (&module_name_pp);
2612 module_name_cst = fold_convert (const_ptr_type_node,
2613 module_name_cst);
2614 }
2615
2616 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
2617 }
2618
2619 /* Build
2620 struct __asan_global
2621 {
2622 const void *__beg;
2623 uptr __size;
2624 uptr __size_with_redzone;
2625 const void *__name;
2626 const void *__module_name;
2627 uptr __has_dynamic_init;
2628 __asan_global_source_location *__location;
2629 char *__odr_indicator;
2630 } type. */
2631
2632 static tree
2633 asan_global_struct (void)
2634 {
2635 static const char *field_names[]
2636 = { "__beg", "__size", "__size_with_redzone",
2637 "__name", "__module_name", "__has_dynamic_init", "__location",
2638 "__odr_indicator" };
2639 tree fields[ARRAY_SIZE (field_names)], ret;
2640 unsigned i;
2641
2642 ret = make_node (RECORD_TYPE);
2643 for (i = 0; i < ARRAY_SIZE (field_names); i++)
2644 {
2645 fields[i]
2646 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
2647 get_identifier (field_names[i]),
2648 (i == 0 || i == 3) ? const_ptr_type_node
2649 : pointer_sized_int_node);
2650 DECL_CONTEXT (fields[i]) = ret;
2651 if (i)
2652 DECL_CHAIN (fields[i - 1]) = fields[i];
2653 }
2654 tree type_decl = build_decl (input_location, TYPE_DECL,
2655 get_identifier ("__asan_global"), ret);
2656 DECL_IGNORED_P (type_decl) = 1;
2657 DECL_ARTIFICIAL (type_decl) = 1;
2658 TYPE_FIELDS (ret) = fields[0];
2659 TYPE_NAME (ret) = type_decl;
2660 TYPE_STUB_DECL (ret) = type_decl;
2661 layout_type (ret);
2662 return ret;
2663 }
2664
2665 /* Create and return odr indicator symbol for DECL.
2666 TYPE is __asan_global struct type as returned by asan_global_struct. */
2667
2668 static tree
2669 create_odr_indicator (tree decl, tree type)
2670 {
2671 char *name;
2672 tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2673 tree decl_name
2674 = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl)
2675 : DECL_NAME (decl));
2676 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
2677 if (decl_name == NULL_TREE)
2678 return build_int_cst (uptr, 0);
2679 const char *dname = IDENTIFIER_POINTER (decl_name);
2680 if (HAS_DECL_ASSEMBLER_NAME_P (decl))
2681 dname = targetm.strip_name_encoding (dname);
2682 size_t len = strlen (dname) + sizeof ("__odr_asan_");
2683 name = XALLOCAVEC (char, len);
2684 snprintf (name, len, "__odr_asan_%s", dname);
2685 #ifndef NO_DOT_IN_LABEL
2686 name[sizeof ("__odr_asan") - 1] = '.';
2687 #elif !defined(NO_DOLLAR_IN_LABEL)
2688 name[sizeof ("__odr_asan") - 1] = '$';
2689 #endif
2690 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name),
2691 char_type_node);
2692 TREE_ADDRESSABLE (var) = 1;
2693 TREE_READONLY (var) = 0;
2694 TREE_THIS_VOLATILE (var) = 1;
2695 DECL_GIMPLE_REG_P (var) = 0;
2696 DECL_ARTIFICIAL (var) = 1;
2697 DECL_IGNORED_P (var) = 1;
2698 TREE_STATIC (var) = 1;
2699 TREE_PUBLIC (var) = 1;
2700 DECL_VISIBILITY (var) = DECL_VISIBILITY (decl);
2701 DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl);
2702
2703 TREE_USED (var) = 1;
2704 tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE,
2705 build_int_cst (unsigned_type_node, 0));
2706 TREE_CONSTANT (ctor) = 1;
2707 TREE_STATIC (ctor) = 1;
2708 DECL_INITIAL (var) = ctor;
2709 DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"),
2710 NULL, DECL_ATTRIBUTES (var));
2711 make_decl_rtl (var);
2712 varpool_node::finalize_decl (var);
2713 return fold_convert (uptr, build_fold_addr_expr (var));
2714 }
2715
2716 /* Return true if DECL, a global var, might be overridden and needs
2717 an additional odr indicator symbol. */
2718
2719 static bool
2720 asan_needs_odr_indicator_p (tree decl)
2721 {
2722 /* Don't emit ODR indicators for kernel because:
2723 a) Kernel is written in C thus doesn't need ODR indicators.
2724 b) Some kernel code may have assumptions about symbols containing specific
2725 patterns in their names. Since ODR indicators contain original names
2726 of symbols they are emitted for, these assumptions would be broken for
2727 ODR indicator symbols. */
2728 return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS)
2729 && !DECL_ARTIFICIAL (decl)
2730 && !DECL_WEAK (decl)
2731 && TREE_PUBLIC (decl));
2732 }
2733
2734 /* Append description of a single global DECL into vector V.
2735 TYPE is __asan_global struct type as returned by asan_global_struct. */
2736
2737 static void
2738 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
2739 {
2740 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2741 unsigned HOST_WIDE_INT size;
2742 tree str_cst, module_name_cst, refdecl = decl;
2743 vec<constructor_elt, va_gc> *vinner = NULL;
2744
2745 pretty_printer asan_pp, module_name_pp;
2746
2747 if (DECL_NAME (decl))
2748 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
2749 else
2750 pp_string (&asan_pp, "<unknown>");
2751 str_cst = asan_pp_string (&asan_pp);
2752
2753 pp_string (&module_name_pp, main_input_filename);
2754 module_name_cst = asan_pp_string (&module_name_pp);
2755
2756 if (asan_needs_local_alias (decl))
2757 {
2758 char buf[20];
2759 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
2760 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
2761 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
2762 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
2763 TREE_READONLY (refdecl) = TREE_READONLY (decl);
2764 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
2765 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
2766 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
2767 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
2768 TREE_STATIC (refdecl) = 1;
2769 TREE_PUBLIC (refdecl) = 0;
2770 TREE_USED (refdecl) = 1;
2771 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
2772 }
2773
2774 tree odr_indicator_ptr
2775 = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type)
2776 : build_int_cst (uptr, 0));
2777 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2778 fold_convert (const_ptr_type_node,
2779 build_fold_addr_expr (refdecl)));
2780 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
2781 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2782 size += asan_red_zone_size (size);
2783 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2784 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2785 fold_convert (const_ptr_type_node, str_cst));
2786 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2787 fold_convert (const_ptr_type_node, module_name_cst));
2788 varpool_node *vnode = varpool_node::get (decl);
2789 int has_dynamic_init = 0;
2790 /* FIXME: Enable initialization order fiasco detection in LTO mode once
2791 proper fix for PR 79061 will be applied. */
2792 if (!in_lto_p)
2793 has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
2794 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2795 build_int_cst (uptr, has_dynamic_init));
2796 tree locptr = NULL_TREE;
2797 location_t loc = DECL_SOURCE_LOCATION (decl);
2798 expanded_location xloc = expand_location (loc);
2799 if (xloc.file != NULL)
2800 {
2801 static int lasanloccnt = 0;
2802 char buf[25];
2803 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
2804 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2805 ubsan_get_source_location_type ());
2806 TREE_STATIC (var) = 1;
2807 TREE_PUBLIC (var) = 0;
2808 DECL_ARTIFICIAL (var) = 1;
2809 DECL_IGNORED_P (var) = 1;
2810 pretty_printer filename_pp;
2811 pp_string (&filename_pp, xloc.file);
2812 tree str = asan_pp_string (&filename_pp);
2813 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
2814 NULL_TREE, str, NULL_TREE,
2815 build_int_cst (unsigned_type_node,
2816 xloc.line), NULL_TREE,
2817 build_int_cst (unsigned_type_node,
2818 xloc.column));
2819 TREE_CONSTANT (ctor) = 1;
2820 TREE_STATIC (ctor) = 1;
2821 DECL_INITIAL (var) = ctor;
2822 varpool_node::finalize_decl (var);
2823 locptr = fold_convert (uptr, build_fold_addr_expr (var));
2824 }
2825 else
2826 locptr = build_int_cst (uptr, 0);
2827 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
2828 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr);
2829 init = build_constructor (type, vinner);
2830 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
2831 }
2832
2833 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2834 void
2835 initialize_sanitizer_builtins (void)
2836 {
2837 tree decl;
2838
2839 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
2840 return;
2841
2842 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
2843 tree BT_FN_VOID_PTR
2844 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
2845 tree BT_FN_VOID_CONST_PTR
2846 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
2847 tree BT_FN_VOID_PTR_PTR
2848 = build_function_type_list (void_type_node, ptr_type_node,
2849 ptr_type_node, NULL_TREE);
2850 tree BT_FN_VOID_PTR_PTR_PTR
2851 = build_function_type_list (void_type_node, ptr_type_node,
2852 ptr_type_node, ptr_type_node, NULL_TREE);
2853 tree BT_FN_VOID_PTR_PTRMODE
2854 = build_function_type_list (void_type_node, ptr_type_node,
2855 pointer_sized_int_node, NULL_TREE);
2856 tree BT_FN_VOID_INT
2857 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
2858 tree BT_FN_SIZE_CONST_PTR_INT
2859 = build_function_type_list (size_type_node, const_ptr_type_node,
2860 integer_type_node, NULL_TREE);
2861
2862 tree BT_FN_VOID_UINT8_UINT8
2863 = build_function_type_list (void_type_node, unsigned_char_type_node,
2864 unsigned_char_type_node, NULL_TREE);
2865 tree BT_FN_VOID_UINT16_UINT16
2866 = build_function_type_list (void_type_node, uint16_type_node,
2867 uint16_type_node, NULL_TREE);
2868 tree BT_FN_VOID_UINT32_UINT32
2869 = build_function_type_list (void_type_node, uint32_type_node,
2870 uint32_type_node, NULL_TREE);
2871 tree BT_FN_VOID_UINT64_UINT64
2872 = build_function_type_list (void_type_node, uint64_type_node,
2873 uint64_type_node, NULL_TREE);
2874 tree BT_FN_VOID_FLOAT_FLOAT
2875 = build_function_type_list (void_type_node, float_type_node,
2876 float_type_node, NULL_TREE);
2877 tree BT_FN_VOID_DOUBLE_DOUBLE
2878 = build_function_type_list (void_type_node, double_type_node,
2879 double_type_node, NULL_TREE);
2880 tree BT_FN_VOID_UINT64_PTR
2881 = build_function_type_list (void_type_node, uint64_type_node,
2882 ptr_type_node, NULL_TREE);
2883
2884 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
2885 tree BT_FN_IX_CONST_VPTR_INT[5];
2886 tree BT_FN_IX_VPTR_IX_INT[5];
2887 tree BT_FN_VOID_VPTR_IX_INT[5];
2888 tree vptr
2889 = build_pointer_type (build_qualified_type (void_type_node,
2890 TYPE_QUAL_VOLATILE));
2891 tree cvptr
2892 = build_pointer_type (build_qualified_type (void_type_node,
2893 TYPE_QUAL_VOLATILE
2894 |TYPE_QUAL_CONST));
2895 tree boolt
2896 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
2897 int i;
2898 for (i = 0; i < 5; i++)
2899 {
2900 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
2901 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
2902 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
2903 integer_type_node, integer_type_node,
2904 NULL_TREE);
2905 BT_FN_IX_CONST_VPTR_INT[i]
2906 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
2907 BT_FN_IX_VPTR_IX_INT[i]
2908 = build_function_type_list (ix, vptr, ix, integer_type_node,
2909 NULL_TREE);
2910 BT_FN_VOID_VPTR_IX_INT[i]
2911 = build_function_type_list (void_type_node, vptr, ix,
2912 integer_type_node, NULL_TREE);
2913 }
2914 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2915 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2916 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2917 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2918 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2919 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2920 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2921 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2922 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2923 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2924 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2925 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2926 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2927 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2928 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2929 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2930 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2931 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2932 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2933 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2934 #undef ATTR_NOTHROW_LEAF_LIST
2935 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2936 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2937 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2938 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2939 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2940 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2941 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
2942 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
2943 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2944 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2945 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2946 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2947 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2948 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2949 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2950 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2951 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
2952 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
2953 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
2954 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2955 #undef ATTR_PURE_NOTHROW_LEAF_LIST
2956 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
2957 #undef DEF_BUILTIN_STUB
2958 #define DEF_BUILTIN_STUB(ENUM, NAME)
2959 #undef DEF_SANITIZER_BUILTIN_1
2960 #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \
2961 do { \
2962 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2963 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2964 set_call_expr_flags (decl, ATTRS); \
2965 set_builtin_decl (ENUM, decl, true); \
2966 } while (0)
2967 #undef DEF_SANITIZER_BUILTIN
2968 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2969 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS);
2970
2971 #include "sanitizer.def"
2972
2973 /* -fsanitize=object-size uses __builtin_object_size, but that might
2974 not be available for e.g. Fortran at this point. We use
2975 DEF_SANITIZER_BUILTIN here only as a convenience macro. */
2976 if ((flag_sanitize & SANITIZE_OBJECT_SIZE)
2977 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
2978 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_OBJECT_SIZE, "object_size",
2979 BT_FN_SIZE_CONST_PTR_INT,
2980 ATTR_PURE_NOTHROW_LEAF_LIST);
2981
2982 #undef DEF_SANITIZER_BUILTIN_1
2983 #undef DEF_SANITIZER_BUILTIN
2984 #undef DEF_BUILTIN_STUB
2985 }
2986
2987 /* Called via htab_traverse. Count number of emitted
2988 STRING_CSTs in the constant hash table. */
2989
2990 int
2991 count_string_csts (constant_descriptor_tree **slot,
2992 unsigned HOST_WIDE_INT *data)
2993 {
2994 struct constant_descriptor_tree *desc = *slot;
2995 if (TREE_CODE (desc->value) == STRING_CST
2996 && TREE_ASM_WRITTEN (desc->value)
2997 && asan_protect_global (desc->value))
2998 ++*data;
2999 return 1;
3000 }
3001
3002 /* Helper structure to pass two parameters to
3003 add_string_csts. */
3004
3005 struct asan_add_string_csts_data
3006 {
3007 tree type;
3008 vec<constructor_elt, va_gc> *v;
3009 };
3010
3011 /* Called via hash_table::traverse. Call asan_add_global
3012 on emitted STRING_CSTs from the constant hash table. */
3013
3014 int
3015 add_string_csts (constant_descriptor_tree **slot,
3016 asan_add_string_csts_data *aascd)
3017 {
3018 struct constant_descriptor_tree *desc = *slot;
3019 if (TREE_CODE (desc->value) == STRING_CST
3020 && TREE_ASM_WRITTEN (desc->value)
3021 && asan_protect_global (desc->value))
3022 {
3023 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
3024 aascd->type, aascd->v);
3025 }
3026 return 1;
3027 }
3028
3029 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
3030 invoke ggc_collect. */
3031 static GTY(()) tree asan_ctor_statements;
3032
3033 /* Module-level instrumentation.
3034 - Insert __asan_init_vN() into the list of CTORs.
3035 - TODO: insert redzones around globals.
3036 */
3037
3038 void
3039 asan_finish_file (void)
3040 {
3041 varpool_node *vnode;
3042 unsigned HOST_WIDE_INT gcount = 0;
3043
3044 if (shadow_ptr_types[0] == NULL_TREE)
3045 asan_init_shadow_ptr_types ();
3046 /* Avoid instrumenting code in the asan ctors/dtors.
3047 We don't need to insert padding after the description strings,
3048 nor after .LASAN* array. */
3049 flag_sanitize &= ~SANITIZE_ADDRESS;
3050
3051 /* For user-space we want asan constructors to run first.
3052 Linux kernel does not support priorities other than default, and the only
3053 other user of constructors is coverage. So we run with the default
3054 priority. */
3055 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
3056 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
3057
3058 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3059 {
3060 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
3061 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
3062 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
3063 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
3064 }
3065 FOR_EACH_DEFINED_VARIABLE (vnode)
3066 if (TREE_ASM_WRITTEN (vnode->decl)
3067 && asan_protect_global (vnode->decl))
3068 ++gcount;
3069 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
3070 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
3071 (&gcount);
3072 if (gcount)
3073 {
3074 tree type = asan_global_struct (), var, ctor;
3075 tree dtor_statements = NULL_TREE;
3076 vec<constructor_elt, va_gc> *v;
3077 char buf[20];
3078
3079 type = build_array_type_nelts (type, gcount);
3080 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
3081 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
3082 type);
3083 TREE_STATIC (var) = 1;
3084 TREE_PUBLIC (var) = 0;
3085 DECL_ARTIFICIAL (var) = 1;
3086 DECL_IGNORED_P (var) = 1;
3087 vec_alloc (v, gcount);
3088 FOR_EACH_DEFINED_VARIABLE (vnode)
3089 if (TREE_ASM_WRITTEN (vnode->decl)
3090 && asan_protect_global (vnode->decl))
3091 asan_add_global (vnode->decl, TREE_TYPE (type), v);
3092 struct asan_add_string_csts_data aascd;
3093 aascd.type = TREE_TYPE (type);
3094 aascd.v = v;
3095 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
3096 (&aascd);
3097 ctor = build_constructor (type, v);
3098 TREE_CONSTANT (ctor) = 1;
3099 TREE_STATIC (ctor) = 1;
3100 DECL_INITIAL (var) = ctor;
3101 SET_DECL_ALIGN (var, MAX (DECL_ALIGN (var),
3102 ASAN_SHADOW_GRANULARITY * BITS_PER_UNIT));
3103
3104 varpool_node::finalize_decl (var);
3105
3106 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
3107 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
3108 append_to_statement_list (build_call_expr (fn, 2,
3109 build_fold_addr_expr (var),
3110 gcount_tree),
3111 &asan_ctor_statements);
3112
3113 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
3114 append_to_statement_list (build_call_expr (fn, 2,
3115 build_fold_addr_expr (var),
3116 gcount_tree),
3117 &dtor_statements);
3118 cgraph_build_static_cdtor ('D', dtor_statements, priority);
3119 }
3120 if (asan_ctor_statements)
3121 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
3122 flag_sanitize |= SANITIZE_ADDRESS;
3123 }
3124
3125 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
3126 on SHADOW address. Newly added statements will be added to ITER with
3127 given location LOC. We mark SIZE bytes in shadow memory, where
3128 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
3129 end of a variable. */
3130
3131 static void
3132 asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
3133 tree shadow,
3134 unsigned HOST_WIDE_INT base_addr_offset,
3135 bool is_clobber, unsigned size,
3136 unsigned last_chunk_size)
3137 {
3138 tree shadow_ptr_type;
3139
3140 switch (size)
3141 {
3142 case 1:
3143 shadow_ptr_type = shadow_ptr_types[0];
3144 break;
3145 case 2:
3146 shadow_ptr_type = shadow_ptr_types[1];
3147 break;
3148 case 4:
3149 shadow_ptr_type = shadow_ptr_types[2];
3150 break;
3151 default:
3152 gcc_unreachable ();
3153 }
3154
3155 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
3156 unsigned HOST_WIDE_INT val = 0;
3157 unsigned last_pos = size;
3158 if (last_chunk_size && !is_clobber)
3159 last_pos = BYTES_BIG_ENDIAN ? 0 : size - 1;
3160 for (unsigned i = 0; i < size; ++i)
3161 {
3162 unsigned char shadow_c = c;
3163 if (i == last_pos)
3164 shadow_c = last_chunk_size;
3165 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
3166 }
3167
3168 /* Handle last chunk in unpoisoning. */
3169 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);
3170
3171 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
3172 build_int_cst (shadow_ptr_type, base_addr_offset));
3173
3174 gimple *g = gimple_build_assign (dest, magic);
3175 gimple_set_location (g, loc);
3176 gsi_insert_after (iter, g, GSI_NEW_STMT);
3177 }
3178
3179 /* Expand the ASAN_MARK builtins. */
3180
3181 bool
3182 asan_expand_mark_ifn (gimple_stmt_iterator *iter)
3183 {
3184 gimple *g = gsi_stmt (*iter);
3185 location_t loc = gimple_location (g);
3186 HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0));
3187 bool is_poison = ((asan_mark_flags)flag) == ASAN_MARK_POISON;
3188
3189 tree base = gimple_call_arg (g, 1);
3190 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
3191 tree decl = TREE_OPERAND (base, 0);
3192
3193 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
3194 if (TREE_CODE (decl) == COMPONENT_REF
3195 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0)))
3196 decl = TREE_OPERAND (decl, 0);
3197
3198 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);
3199
3200 if (is_poison)
3201 {
3202 if (asan_handled_variables == NULL)
3203 asan_handled_variables = new hash_set<tree> (16);
3204 asan_handled_variables->add (decl);
3205 }
3206 tree len = gimple_call_arg (g, 2);
3207
3208 gcc_assert (tree_fits_shwi_p (len));
3209 unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len);
3210 gcc_assert (size_in_bytes);
3211
3212 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3213 NOP_EXPR, base);
3214 gimple_set_location (g, loc);
3215 gsi_replace (iter, g, false);
3216 tree base_addr = gimple_assign_lhs (g);
3217
3218 /* Generate direct emission if size_in_bytes is small. */
3219 if (size_in_bytes <= ASAN_PARAM_USE_AFTER_SCOPE_DIRECT_EMISSION_THRESHOLD)
3220 {
3221 unsigned HOST_WIDE_INT shadow_size = shadow_mem_size (size_in_bytes);
3222
3223 tree shadow = build_shadow_mem_access (iter, loc, base_addr,
3224 shadow_ptr_types[0], true);
3225
3226 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
3227 {
3228 unsigned size = 1;
3229 if (shadow_size - offset >= 4)
3230 size = 4;
3231 else if (shadow_size - offset >= 2)
3232 size = 2;
3233
3234 unsigned HOST_WIDE_INT last_chunk_size = 0;
3235 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
3236 if (s > size_in_bytes)
3237 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);
3238
3239 asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison,
3240 size, last_chunk_size);
3241 offset += size;
3242 }
3243 }
3244 else
3245 {
3246 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3247 NOP_EXPR, len);
3248 gimple_set_location (g, loc);
3249 gsi_insert_before (iter, g, GSI_SAME_STMT);
3250 tree sz_arg = gimple_assign_lhs (g);
3251
3252 tree fun
3253 = builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY
3254 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY);
3255 g = gimple_build_call (fun, 2, base_addr, sz_arg);
3256 gimple_set_location (g, loc);
3257 gsi_insert_after (iter, g, GSI_NEW_STMT);
3258 }
3259
3260 return false;
3261 }
3262
3263 /* Expand the ASAN_{LOAD,STORE} builtins. */
3264
3265 bool
3266 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
3267 {
3268 gimple *g = gsi_stmt (*iter);
3269 location_t loc = gimple_location (g);
3270 bool recover_p;
3271 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3272 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3273 else
3274 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3275
3276 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
3277 gcc_assert (flags < ASAN_CHECK_LAST);
3278 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
3279 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
3280 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
3281
3282 tree base = gimple_call_arg (g, 1);
3283 tree len = gimple_call_arg (g, 2);
3284 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
3285
3286 HOST_WIDE_INT size_in_bytes
3287 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
3288
3289 if (use_calls)
3290 {
3291 /* Instrument using callbacks. */
3292 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3293 NOP_EXPR, base);
3294 gimple_set_location (g, loc);
3295 gsi_insert_before (iter, g, GSI_SAME_STMT);
3296 tree base_addr = gimple_assign_lhs (g);
3297
3298 int nargs;
3299 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
3300 if (nargs == 1)
3301 g = gimple_build_call (fun, 1, base_addr);
3302 else
3303 {
3304 gcc_assert (nargs == 2);
3305 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3306 NOP_EXPR, len);
3307 gimple_set_location (g, loc);
3308 gsi_insert_before (iter, g, GSI_SAME_STMT);
3309 tree sz_arg = gimple_assign_lhs (g);
3310 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
3311 }
3312 gimple_set_location (g, loc);
3313 gsi_replace (iter, g, false);
3314 return false;
3315 }
3316
3317 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
3318
3319 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
3320 tree shadow_type = TREE_TYPE (shadow_ptr_type);
3321
3322 gimple_stmt_iterator gsi = *iter;
3323
3324 if (!is_non_zero_len)
3325 {
3326 /* So, the length of the memory area to asan-protect is
3327 non-constant. Let's guard the generated instrumentation code
3328 like:
3329
3330 if (len != 0)
3331 {
3332 //asan instrumentation code goes here.
3333 }
3334 // falltrough instructions, starting with *ITER. */
3335
3336 g = gimple_build_cond (NE_EXPR,
3337 len,
3338 build_int_cst (TREE_TYPE (len), 0),
3339 NULL_TREE, NULL_TREE);
3340 gimple_set_location (g, loc);
3341
3342 basic_block then_bb, fallthrough_bb;
3343 insert_if_then_before_iter (as_a <gcond *> (g), iter,
3344 /*then_more_likely_p=*/true,
3345 &then_bb, &fallthrough_bb);
3346 /* Note that fallthrough_bb starts with the statement that was
3347 pointed to by ITER. */
3348
3349 /* The 'then block' of the 'if (len != 0) condition is where
3350 we'll generate the asan instrumentation code now. */
3351 gsi = gsi_last_bb (then_bb);
3352 }
3353
3354 /* Get an iterator on the point where we can add the condition
3355 statement for the instrumentation. */
3356 basic_block then_bb, else_bb;
3357 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
3358 /*then_more_likely_p=*/false,
3359 /*create_then_fallthru_edge*/recover_p,
3360 &then_bb,
3361 &else_bb);
3362
3363 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3364 NOP_EXPR, base);
3365 gimple_set_location (g, loc);
3366 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
3367 tree base_addr = gimple_assign_lhs (g);
3368
3369 tree t = NULL_TREE;
3370 if (real_size_in_bytes >= 8)
3371 {
3372 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3373 shadow_ptr_type);
3374 t = shadow;
3375 }
3376 else
3377 {
3378 /* Slow path for 1, 2 and 4 byte accesses. */
3379 /* Test (shadow != 0)
3380 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
3381 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3382 shadow_ptr_type);
3383 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3384 gimple_seq seq = NULL;
3385 gimple_seq_add_stmt (&seq, shadow_test);
3386 /* Aligned (>= 8 bytes) can test just
3387 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
3388 to be 0. */
3389 if (align < 8)
3390 {
3391 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3392 base_addr, 7));
3393 gimple_seq_add_stmt (&seq,
3394 build_type_cast (shadow_type,
3395 gimple_seq_last (seq)));
3396 if (real_size_in_bytes > 1)
3397 gimple_seq_add_stmt (&seq,
3398 build_assign (PLUS_EXPR,
3399 gimple_seq_last (seq),
3400 real_size_in_bytes - 1));
3401 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
3402 }
3403 else
3404 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
3405 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
3406 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3407 gimple_seq_last (seq)));
3408 t = gimple_assign_lhs (gimple_seq_last (seq));
3409 gimple_seq_set_location (seq, loc);
3410 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3411
3412 /* For non-constant, misaligned or otherwise weird access sizes,
3413 check first and last byte. */
3414 if (size_in_bytes == -1)
3415 {
3416 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3417 MINUS_EXPR, len,
3418 build_int_cst (pointer_sized_int_node, 1));
3419 gimple_set_location (g, loc);
3420 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3421 tree last = gimple_assign_lhs (g);
3422 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3423 PLUS_EXPR, base_addr, last);
3424 gimple_set_location (g, loc);
3425 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3426 tree base_end_addr = gimple_assign_lhs (g);
3427
3428 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
3429 shadow_ptr_type);
3430 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3431 gimple_seq seq = NULL;
3432 gimple_seq_add_stmt (&seq, shadow_test);
3433 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3434 base_end_addr, 7));
3435 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
3436 gimple_seq_last (seq)));
3437 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
3438 gimple_seq_last (seq),
3439 shadow));
3440 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3441 gimple_seq_last (seq)));
3442 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
3443 gimple_seq_last (seq)));
3444 t = gimple_assign_lhs (gimple_seq_last (seq));
3445 gimple_seq_set_location (seq, loc);
3446 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3447 }
3448 }
3449
3450 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
3451 NULL_TREE, NULL_TREE);
3452 gimple_set_location (g, loc);
3453 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3454
3455 /* Generate call to the run-time library (e.g. __asan_report_load8). */
3456 gsi = gsi_start_bb (then_bb);
3457 int nargs;
3458 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
3459 g = gimple_build_call (fun, nargs, base_addr, len);
3460 gimple_set_location (g, loc);
3461 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3462
3463 gsi_remove (iter, true);
3464 *iter = gsi_start_bb (else_bb);
3465
3466 return true;
3467 }
3468
3469 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
3470 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
3471
3472 static tree
3473 create_asan_shadow_var (tree var_decl,
3474 hash_map<tree, tree> &shadow_vars_mapping)
3475 {
3476 tree *slot = shadow_vars_mapping.get (var_decl);
3477 if (slot == NULL)
3478 {
3479 tree shadow_var = copy_node (var_decl);
3480
3481 copy_body_data id;
3482 memset (&id, 0, sizeof (copy_body_data));
3483 id.src_fn = id.dst_fn = current_function_decl;
3484 copy_decl_for_dup_finish (&id, var_decl, shadow_var);
3485
3486 DECL_ARTIFICIAL (shadow_var) = 1;
3487 DECL_IGNORED_P (shadow_var) = 1;
3488 DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0;
3489 gimple_add_tmp_var (shadow_var);
3490
3491 shadow_vars_mapping.put (var_decl, shadow_var);
3492 return shadow_var;
3493 }
3494 else
3495 return *slot;
3496 }
3497
3498 /* Expand ASAN_POISON ifn. */
3499
3500 bool
3501 asan_expand_poison_ifn (gimple_stmt_iterator *iter,
3502 bool *need_commit_edge_insert,
3503 hash_map<tree, tree> &shadow_vars_mapping)
3504 {
3505 gimple *g = gsi_stmt (*iter);
3506 tree poisoned_var = gimple_call_lhs (g);
3507 if (!poisoned_var || has_zero_uses (poisoned_var))
3508 {
3509 gsi_remove (iter, true);
3510 return true;
3511 }
3512
3513 if (SSA_NAME_VAR (poisoned_var) == NULL_TREE)
3514 SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var,
3515 create_tmp_var (TREE_TYPE (poisoned_var)));
3516
3517 tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var),
3518 shadow_vars_mapping);
3519
3520 bool recover_p;
3521 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3522 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3523 else
3524 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3525 tree size = DECL_SIZE_UNIT (shadow_var);
3526 gimple *poison_call
3527 = gimple_build_call_internal (IFN_ASAN_MARK, 3,
3528 build_int_cst (integer_type_node,
3529 ASAN_MARK_POISON),
3530 build_fold_addr_expr (shadow_var), size);
3531
3532 gimple *use;
3533 imm_use_iterator imm_iter;
3534 FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var)
3535 {
3536 if (is_gimple_debug (use))
3537 continue;
3538
3539 int nargs;
3540 bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE);
3541 tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size),
3542 &nargs);
3543
3544 gcall *call = gimple_build_call (fun, 1,
3545 build_fold_addr_expr (shadow_var));
3546 gimple_set_location (call, gimple_location (use));
3547 gimple *call_to_insert = call;
3548
3549 /* The USE can be a gimple PHI node. If so, insert the call on
3550 all edges leading to the PHI node. */
3551 if (is_a <gphi *> (use))
3552 {
3553 gphi *phi = dyn_cast<gphi *> (use);
3554 for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i)
3555 if (gimple_phi_arg_def (phi, i) == poisoned_var)
3556 {
3557 edge e = gimple_phi_arg_edge (phi, i);
3558
3559 /* Do not insert on an edge we can't split. */
3560 if (e->flags & EDGE_ABNORMAL)
3561 continue;
3562
3563 if (call_to_insert == NULL)
3564 call_to_insert = gimple_copy (call);
3565
3566 gsi_insert_seq_on_edge (e, call_to_insert);
3567 *need_commit_edge_insert = true;
3568 call_to_insert = NULL;
3569 }
3570 }
3571 else
3572 {
3573 gimple_stmt_iterator gsi = gsi_for_stmt (use);
3574 if (store_p)
3575 gsi_replace (&gsi, call, true);
3576 else
3577 gsi_insert_before (&gsi, call, GSI_NEW_STMT);
3578 }
3579 }
3580
3581 SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true;
3582 SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop ();
3583 gsi_replace (iter, poison_call, false);
3584
3585 return true;
3586 }
3587
3588 /* Instrument the current function. */
3589
3590 static unsigned int
3591 asan_instrument (void)
3592 {
3593 if (shadow_ptr_types[0] == NULL_TREE)
3594 asan_init_shadow_ptr_types ();
3595 transform_statements ();
3596 last_alloca_addr = NULL_TREE;
3597 return 0;
3598 }
3599
3600 static bool
3601 gate_asan (void)
3602 {
3603 return sanitize_flags_p (SANITIZE_ADDRESS);
3604 }
3605
3606 namespace {
3607
3608 const pass_data pass_data_asan =
3609 {
3610 GIMPLE_PASS, /* type */
3611 "asan", /* name */
3612 OPTGROUP_NONE, /* optinfo_flags */
3613 TV_NONE, /* tv_id */
3614 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3615 0, /* properties_provided */
3616 0, /* properties_destroyed */
3617 0, /* todo_flags_start */
3618 TODO_update_ssa, /* todo_flags_finish */
3619 };
3620
3621 class pass_asan : public gimple_opt_pass
3622 {
3623 public:
3624 pass_asan (gcc::context *ctxt)
3625 : gimple_opt_pass (pass_data_asan, ctxt)
3626 {}
3627
3628 /* opt_pass methods: */
3629 opt_pass * clone () { return new pass_asan (m_ctxt); }
3630 virtual bool gate (function *) { return gate_asan (); }
3631 virtual unsigned int execute (function *) { return asan_instrument (); }
3632
3633 }; // class pass_asan
3634
3635 } // anon namespace
3636
3637 gimple_opt_pass *
3638 make_pass_asan (gcc::context *ctxt)
3639 {
3640 return new pass_asan (ctxt);
3641 }
3642
3643 namespace {
3644
3645 const pass_data pass_data_asan_O0 =
3646 {
3647 GIMPLE_PASS, /* type */
3648 "asan0", /* name */
3649 OPTGROUP_NONE, /* optinfo_flags */
3650 TV_NONE, /* tv_id */
3651 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3652 0, /* properties_provided */
3653 0, /* properties_destroyed */
3654 0, /* todo_flags_start */
3655 TODO_update_ssa, /* todo_flags_finish */
3656 };
3657
3658 class pass_asan_O0 : public gimple_opt_pass
3659 {
3660 public:
3661 pass_asan_O0 (gcc::context *ctxt)
3662 : gimple_opt_pass (pass_data_asan_O0, ctxt)
3663 {}
3664
3665 /* opt_pass methods: */
3666 virtual bool gate (function *) { return !optimize && gate_asan (); }
3667 virtual unsigned int execute (function *) { return asan_instrument (); }
3668
3669 }; // class pass_asan_O0
3670
3671 } // anon namespace
3672
3673 gimple_opt_pass *
3674 make_pass_asan_O0 (gcc::context *ctxt)
3675 {
3676 return new pass_asan_O0 (ctxt);
3677 }
3678
3679 #include "gt-asan.h"
Mirror of the offical gcc git repository hosted at gcc.gnu.org