| blob | 3e386918e014bd420e8cd0b5fe95231be91d6b33 |
1 /* Pointer Bounds Checker insrumentation pass.
2 Copyright (C) 2014 Free Software Foundation, Inc.
3 Contributed by Ilya Enkovich (ilya.enkovich@intel.com)
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
73 /* Pointer Bounds Checker instruments code with memory checks to find
74 out-of-bounds memory accesses. Checks are performed by computing
75 bounds for each pointer and then comparing address of accessed
76 memory before pointer dereferencing.
78 1. Function clones.
80 See ipa-chkp.c.
82 2. Instrumentation.
84 There are few things to instrument:
86 a) Memory accesses - add checker calls to check address of accessed memory
87 against bounds of dereferenced pointer. Obviously safe memory
88 accesses like static variable access does not have to be instrumented
89 with checks.
91 Example:
93 val_2 = *p_1;
95 with 4 bytes access is transformed into:
97 __builtin___chkp_bndcl (__bound_tmp.1_3, p_1);
98 D.1_4 = p_1 + 3;
99 __builtin___chkp_bndcu (__bound_tmp.1_3, D.1_4);
100 val_2 = *p_1;
102 where __bound_tmp.1_3 are bounds computed for pointer p_1,
103 __builtin___chkp_bndcl is a lower bound check and
104 __builtin___chkp_bndcu is an upper bound check.
106 b) Pointer stores.
108 When pointer is stored in memory we need to store its bounds. To
109 achieve compatibility of instrumented code with regular codes
110 we have to keep data layout and store bounds in special bound tables
111 via special checker call. Implementation of bounds table may vary for
112 different platforms. It has to associate pointer value and its
113 location (it is required because we may have two equal pointers
114 with different bounds stored in different places) with bounds.
115 Another checker builtin allows to get bounds for specified pointer
116 loaded from specified location.
118 Example:
120 buf1[i_1] = &buf2;
122 is transformed into:
124 buf1[i_1] = &buf2;
125 D.1_2 = &buf1[i_1];
126 __builtin___chkp_bndstx (D.1_2, &buf2, __bound_tmp.1_2);
128 where __bound_tmp.1_2 are bounds of &buf2.
130 c) Static initialization.
132 The special case of pointer store is static pointer initialization.
133 Bounds initialization is performed in a few steps:
134 - register all static initializations in front-end using
135 chkp_register_var_initializer
136 - when file compilation finishes we create functions with special
137 attribute 'chkp ctor' and put explicit initialization code
138 (assignments) for all statically initialized pointers.
139 - when checker constructor is compiled checker pass adds required
140 bounds initialization for all statically initialized pointers
141 - since we do not actually need excess pointers initialization
142 in checker constructor we remove such assignments from them
144 d) Calls.
146 For each call in the code we add additional arguments to pass
147 bounds for pointer arguments. We determine type of call arguments
148 using arguments list from function declaration; if function
149 declaration is not available we use function type; otherwise
150 (e.g. for unnamed arguments) we use type of passed value. Function
151 declaration/type is replaced with the instrumented one.
153 Example:
155 val_1 = foo (&buf1, &buf2, &buf1, 0);
157 is translated into:
159 val_1 = foo.chkp (&buf1, __bound_tmp.1_2, &buf2, __bound_tmp.1_3,
160 &buf1, __bound_tmp.1_2, 0);
162 e) Returns.
164 If function returns a pointer value we have to return bounds also.
165 A new operand was added for return statement to hold returned bounds.
167 Example:
169 return &_buf1;
171 is transformed into
173 return &_buf1, __bound_tmp.1_1;
175 3. Bounds computation.
177 Compiler is fully responsible for computing bounds to be used for each
178 memory access. The first step for bounds computation is to find the
179 origin of pointer dereferenced for memory access. Basing on pointer
180 origin we define a way to compute its bounds. There are just few
181 possible cases:
183 a) Pointer is returned by call.
185 In this case we use corresponding checker builtin method to obtain returned
186 bounds.
188 Example:
190 buf_1 = malloc (size_2);
191 foo (buf_1);
193 is translated into:
195 buf_1 = malloc (size_2);
196 __bound_tmp.1_3 = __builtin___chkp_bndret (buf_1);
197 foo (buf_1, __bound_tmp.1_3);
199 b) Pointer is an address of an object.
201 In this case compiler tries to compute objects size and create corresponding
202 bounds. If object has incomplete type then special checker builtin is used to
203 obtain its size at runtime.
205 Example:
207 foo ()
208 {
209 <unnamed type> __bound_tmp.3;
210 static int buf[100];
212 <bb 3>:
213 __bound_tmp.3_2 = __builtin___chkp_bndmk (&buf, 400);
215 <bb 2>:
216 return &buf, __bound_tmp.3_2;
217 }
219 Example:
221 Address of an object 'extern int buf[]' with incomplete type is
222 returned.
224 foo ()
225 {
226 <unnamed type> __bound_tmp.4;
227 long unsigned int __size_tmp.3;
229 <bb 3>:
230 __size_tmp.3_4 = __builtin_ia32_sizeof (buf);
231 __bound_tmp.4_3 = __builtin_ia32_bndmk (&buf, __size_tmp.3_4);
233 <bb 2>:
234 return &buf, __bound_tmp.4_3;
235 }
237 c) Pointer is the result of object narrowing.
239 It happens when we use pointer to an object to compute pointer to a part
240 of an object. E.g. we take pointer to a field of a structure. In this
241 case we perform bounds intersection using bounds of original object and
242 bounds of object's part (which are computed basing on its type).
244 There may be some debatable questions about when narrowing should occur
245 and when it should not. To avoid false bound violations in correct
246 programs we do not perform narrowing when address of an array element is
247 obtained (it has address of the whole array) and when address of the first
248 structure field is obtained (because it is guaranteed to be equal to
249 address of the whole structure and it is legal to cast it back to structure).
251 Default narrowing behavior may be changed using compiler flags.
253 Example:
255 In this example address of the second structure field is returned.
257 foo (struct A * p, __bounds_type __bounds_of_p)
258 {
259 <unnamed type> __bound_tmp.3;
260 int * _2;
261 int * _5;
263 <bb 2>:
264 _5 = &p_1(D)->second_field;
265 __bound_tmp.3_6 = __builtin___chkp_bndmk (_5, 4);
266 __bound_tmp.3_8 = __builtin___chkp_intersect (__bound_tmp.3_6,
267 __bounds_of_p_3(D));
268 _2 = &p_1(D)->second_field;
269 return _2, __bound_tmp.3_8;
270 }
272 Example:
274 In this example address of the first field of array element is returned.
276 foo (struct A * p, __bounds_type __bounds_of_p, int i)
277 {
278 long unsigned int _3;
279 long unsigned int _4;
280 struct A * _6;
281 int * _7;
283 <bb 2>:
284 _3 = (long unsigned int) i_1(D);
285 _4 = _3 * 8;
286 _6 = p_5(D) + _4;
287 _7 = &_6->first_field;
288 return _7, __bounds_of_p_2(D);
289 }
292 d) Pointer is the result of pointer arithmetic or type cast.
294 In this case bounds of the base pointer are used. In case of binary
295 operation producing a pointer we are analyzing data flow further
296 looking for operand's bounds. One operand is considered as a base
297 if it has some valid bounds. If we fall into a case when none of
298 operands (or both of them) has valid bounds, a default bounds value
299 is used.
301 Trying to find out bounds for binary operations we may fall into
302 cyclic dependencies for pointers. To avoid infinite recursion all
303 walked phi nodes instantly obtain corresponding bounds but created
304 bounds are marked as incomplete. It helps us to stop DF walk during
305 bounds search.
307 When we reach pointer source, some args of incomplete bounds phi obtain
308 valid bounds and those values are propagated further through phi nodes.
309 If no valid bounds were found for phi node then we mark its result as
310 invalid bounds. Process stops when all incomplete bounds become either
311 valid or invalid and we are able to choose a pointer base.
313 e) Pointer is loaded from the memory.
315 In this case we just need to load bounds from the bounds table.
317 Example:
319 foo ()
320 {
321 <unnamed type> __bound_tmp.3;
322 static int * buf;
323 int * _2;
325 <bb 2>:
326 _2 = buf;
327 __bound_tmp.3_4 = __builtin___chkp_bndldx (&buf, _2);
328 return _2, __bound_tmp.3_4;
329 }
331 */
346 #define chkp_bndldx_fndecl \
347 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDLDX))
348 #define chkp_bndstx_fndecl \
349 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDSTX))
350 #define chkp_checkl_fndecl \
351 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDCL))
352 #define chkp_checku_fndecl \
353 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDCU))
354 #define chkp_bndmk_fndecl \
355 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDMK))
356 #define chkp_ret_bnd_fndecl \
357 (targetm.builtin_chkp_function (BUILT_IN_CHKP_BNDRET))
358 #define chkp_intersect_fndecl \
359 (targetm.builtin_chkp_function (BUILT_IN_CHKP_INTERSECT))
360 #define chkp_narrow_bounds_fndecl \
361 (targetm.builtin_chkp_function (BUILT_IN_CHKP_NARROW))
362 #define chkp_sizeof_fndecl \
363 (targetm.builtin_chkp_function (BUILT_IN_CHKP_SIZEOF))
364 #define chkp_extract_lower_fndecl \
365 (targetm.builtin_chkp_function (BUILT_IN_CHKP_EXTRACT_LOWER))
366 #define chkp_extract_upper_fndecl \
367 (targetm.builtin_chkp_function (BUILT_IN_CHKP_EXTRACT_UPPER))
401 /* Static checker constructors may become very large and their
402 compilation with optimization may take too much time.
403 Therefore we put a limit to number of statements in one
404 constructor. Tests with 100 000 statically initialized
405 pointers showed following compilation times on Sandy Bridge
406 server (used -O2):
407 limit 100 => ~18 sec.
408 limit 300 => ~22 sec.
409 limit 1000 => ~30 sec.
410 limit 3000 => ~49 sec.
411 limit 5000 => ~55 sec.
412 limit 10000 => ~76 sec.
413 limit 100000 => ~532 sec. */
414 #define MAX_STMTS_IN_STATIC_CHKP_CTOR (PARAM_VALUE (PARAM_CHKP_MAX_CTOR_SIZE))
416 struct chkp_ctor_stmt_list
417 {
418 tree stmts;
420 };
422 /* Return 1 if function FNDECL is instrumented by Pointer
423 Bounds Checker. */
424 bool
426 {
427 return fndecl
429 }
431 /* Mark function FNDECL as instrumented. */
432 void
434 {
441 }
443 /* Return true when STMT is builtin call to instrumentation function
444 corresponding to CODE. */
446 bool
449 {
450 tree fndecl;
456 }
458 /* Emit code to store zero bounds for PTR located at MEM. */
459 void
461 {
466 else
468 integer_zero_node);
477 }
479 /* Mark statement S to not be instrumented. */
480 static void
482 {
484 }
486 /* Mark statement S to be instrumented. */
487 static void
489 {
491 }
493 /* Return 1 if statement S should not be instrumented. */
494 static bool
496 {
498 }
500 /* Get var to be used for bound temps. */
501 static tree
503 {
508 }
510 /* Get SSA_NAME to be used as temp. */
511 static tree
513 {
518 CHKP_BOUND_TMP_NAME);
519 }
521 /* Get var to be used for size temps. */
522 static tree
524 {
529 }
531 /* Register bounds BND for address of OBJ. */
532 static void
534 {
541 {
547 }
548 }
550 /* Return bounds registered for address of OBJ. */
551 static tree
553 {
556 }
558 /* Mark BOUNDS as completed. */
559 static void
561 {
565 {
569 }
570 }
572 /* Return 1 if BOUNDS were marked as completed and 0 otherwise. */
573 static bool
575 {
577 }
579 /* Clear comleted bound marks. */
580 static void
582 {
585 }
587 /* Mark BOUNDS associated with PTR as incomplete. */
588 static void
590 {
594 {
600 }
601 }
603 /* Return 1 if BOUNDS are incomplete and 0 otherwise. */
604 static bool
606 {
614 }
616 /* Clear incomleted bound marks. */
617 static void
619 {
622 }
624 /* Build and return bndmk call which creates bounds for structure
625 pointed by PTR. Structure should have complete type. */
626 tree
628 {
630 tree size;
641 }
643 /* Traversal function for chkp_may_finish_incomplete_bounds.
644 Set RES to 0 if at least one argument of phi statement
645 defining bounds (passed in KEY arg) is unknown.
646 Traversal stops when first unknown phi argument is found. */
647 bool
650 {
651 gimple phi;
661 {
664 {
666 /* Do not need to traverse further. */
668 }
669 }
672 }
674 /* Return 1 if all phi nodes created for bounds have their
675 arguments computed. */
676 static bool
678 {
681 chkp_incomplete_bounds_map
685 }
687 /* Helper function for chkp_finish_incomplete_bounds.
688 Recompute args for bounds phi node. */
689 bool
692 {
705 {
711 UNKNOWN_LOCATION);
712 }
715 }
717 /* Mark BOUNDS as invalid. */
718 static void
720 {
724 {
728 }
729 }
731 /* Return 1 if BOUNDS were marked as invalid and 0 otherwise. */
732 static bool
734 {
739 }
741 /* Helper function for chkp_finish_incomplete_bounds.
742 Check all arguments of phi nodes trying to find
743 valid completed bounds. If there is at least one
744 such arg then bounds produced by phi node are marked
745 as valid completed bounds and all phi args are
746 recomputed. */
747 bool
749 {
750 gimple phi;
763 {
769 {
774 }
775 }
778 }
780 /* Helper function for chkp_finish_incomplete_bounds.
781 Marks all incompleted bounds as invalid. */
782 bool
786 {
788 {
791 }
793 }
795 /* When all bound phi nodes have all their args computed
796 we have enough info to find valid bounds. We iterate
797 through all incompleted bounds searching for valid
798 bounds. Found valid bounds are marked as completed
799 and all remaining incompleted bounds are recomputed.
800 Process continues until no new valid bounds may be
801 found. All remained incompleted bounds are marked as
802 invalid (i.e. have no valid source of bounds). */
803 static void
805 {
809 {
812 chkp_incomplete_bounds_map->
816 chkp_incomplete_bounds_map->
818 }
820 chkp_incomplete_bounds_map->
822 chkp_incomplete_bounds_map->
827 }
829 /* Return 1 if type TYPE is a pointer type or a
830 structure having a pointer type as one of its fields.
831 Otherwise return 0. */
832 bool
834 {
840 {
841 tree field;
846 }
851 }
853 unsigned
855 {
863 {
864 bitmap have_bound;
872 }
875 }
877 /* Get bounds associated with NODE via
878 chkp_set_bounds call. */
879 tree
881 {
889 }
891 /* Associate bounds VAL with NODE. */
892 void
894 {
899 }
901 /* Check if statically initialized variable VAR require
902 static bounds initialization. If VAR is added into
903 bounds initlization list then 1 is returned. Otherwise
904 return 0. */
907 {
917 {
920 }
923 }
925 /* Helper function for chkp_finish_file.
927 Add new modification statement (RHS is assigned to LHS)
928 into list of static initializer statementes (passed in ARG).
929 If statements list becomes too big, emit checker constructor
930 and start the new one. */
931 static void
933 tree rhs,
935 {
937 tree modify;
946 }
948 /* Build and return ADDR_EXPR for specified object OBJ. */
949 static tree
951 {
955 }
957 /* Helper function for chkp_finish_file.
958 Initialize bound variable BND_VAR with bounds of variable
959 VAR to statements list STMTS. If statements list becomes
960 too big, emit checker constructor and start the new one. */
961 static void
964 {
968 {
971 }
974 {
975 /* Compute bounds using statically known size. */
978 }
979 else
980 {
981 /* Compute bounds using dynamic size. */
982 tree call;
987 chkp_sizeof_fndecl);
992 {
998 }
1001 }
1007 {
1012 }
1013 }
1015 /* Return entry block to be used for checker initilization code.
1016 Create new block if required. */
1017 static basic_block
1019 {
1024 }
1026 /* Return a bounds var to be used for pointer var PTR_VAR. */
1027 static tree
1029 {
1030 tree bnd_var;
1036 else
1037 {
1039 CHKP_BOUND_TMP_NAME);
1041 }
1044 }
1048 /* Register bounds BND for object PTR in global bounds table.
1049 A copy of bounds may be created for abnormal ssa names.
1050 Returns bounds to use for PTR. */
1051 static tree
1053 {
1059 /* Do nothing if bounds are incomplete_bounds
1060 because it means bounds will be recomputed. */
1068 /* A single bounds value may be reused multiple times for
1069 different pointer values. It may cause coalescing issues
1070 for abnormal SSA names. To avoid it we create a bounds
1071 copy in case it is computed for abnormal SSA name.
1073 We also cannot reuse such created copies for other pointers */
1076 {
1080 {
1083 }
1084 else
1087 /* For abnormal copies we may just find original
1088 bounds and use them. */
1090 {
1094 }
1095 /* For undefined values we usually use none bounds
1096 value but in case of abnormal edge it may cause
1097 coalescing failures. Use default definition of
1098 bounds variable instead to avoid it. */
1101 {
1105 {
1111 }
1112 }
1113 else
1114 {
1115 tree copy;
1117 gimple assign;
1118 gimple_stmt_iterator gsi;
1122 else
1125 CHKP_BOUND_TMP_NAME);
1129 {
1135 }
1138 {
1142 else
1144 }
1145 else
1146 {
1148 /* Sometimes (e.g. when we load a pointer from a
1149 memory) bounds are produced later than a pointer.
1150 We need to insert bounds copy appropriately. */
1154 else
1157 }
1160 }
1164 }
1169 {
1175 }
1178 }
1180 /* Get bounds registered for object PTR in global bounds table. */
1181 static tree
1183 {
1191 }
1193 /* Add bound retvals to return statement pointed by GSI. */
1195 static void
1197 {
1201 tree bounds;
1207 {
1211 }
1214 }
1216 /* Force OP to be suitable for using as an argument for call.
1217 New statements (if any) go to SEQ. */
1218 static tree
1220 {
1221 gimple_seq stmts;
1222 gimple_stmt_iterator si;
1232 }
1234 /* Generate lower bound check for memory access by ADDR.
1235 Check is inserted before the position pointed by ITER.
1236 DIRFLAG indicates whether memory access is load or store. */
1237 static void
1239 gimple_stmt_iterator iter,
1240 location_t location,
1241 tree dirflag)
1242 {
1243 gimple_seq seq;
1244 gimple check;
1245 tree node;
1271 {
1277 }
1278 }
1280 /* Generate upper bound check for memory access by ADDR.
1281 Check is inserted before the position pointed by ITER.
1282 DIRFLAG indicates whether memory access is load or store. */
1283 static void
1285 gimple_stmt_iterator iter,
1286 location_t location,
1287 tree dirflag)
1288 {
1289 gimple_seq seq;
1290 gimple check;
1291 tree node;
1317 {
1323 }
1324 }
1326 /* Generate lower and upper bound checks for memory access
1327 to memory slot [FIRST, LAST] againsr BOUNDS. Checks
1328 are inserted before the position pointed by ITER.
1329 DIRFLAG indicates whether memory access is load or store. */
1330 void
1332 gimple_stmt_iterator iter,
1333 location_t location,
1334 tree dirflag)
1335 {
1338 }
1340 /* Replace call to _bnd_chk_* pointed by GSI with
1341 bndcu and bndcl calls. DIRFLAG determines whether
1342 check is for read or write. */
1344 void
1346 tree dirflag)
1347 {
1362 {
1367 }
1370 }
1372 /* Replace call to _bnd_get_ptr_* pointed by GSI with
1373 corresponding bounds extract call. */
1375 void
1377 {
1382 gimple extract;
1388 else
1396 }
1398 /* Return COMPONENT_REF accessing FIELD in OBJ. */
1399 static tree
1401 {
1402 tree res;
1404 /* If object is TMR then we do not use component_ref but
1405 add offset instead. We need it to be able to get addr
1406 of the reasult later. */
1408 {
1418 }
1419 else
1423 }
1425 /* Return ARRAY_REF for array ARR and index IDX with
1426 specified element type ETYPE and element size ESIZE. */
1427 static tree
1430 {
1432 tree res;
1434 /* If object is TMR then we do not use array_ref but
1435 add offset instead. We need it to be able to get addr
1436 of the reasult later. */
1438 {
1452 }
1453 else
1457 }
1459 /* Helper function for chkp_add_bounds_to_call_stmt.
1460 Fill ALL_BOUNDS output array with created bounds.
1462 OFFS is used for recursive calls and holds basic
1463 offset of TYPE in outer structure in bits.
1465 ITER points a position where bounds are searched.
1467 ALL_BOUNDS[i] is filled with elem bounds if there
1468 is a field in TYPE which has pointer type and offset
1469 equal to i * POINTER_SIZE in bits. */
1470 static void
1472 HOST_WIDE_INT offs,
1474 {
1478 {
1480 {
1483 gimple_stmt_iterator gsi;
1489 }
1490 }
1492 {
1493 tree field;
1497 {
1500 HOST_WIDE_INT field_offs
1507 }
1508 }
1510 {
1520 {
1524 cur);
1526 iter);
1527 }
1528 }
1529 }
1531 /* Fill HAVE_BOUND output bitmap with information about
1532 bounds requred for object of type TYPE.
1534 OFFS is used for recursive calls and holds basic
1535 offset of TYPE in outer structure in bits.
1537 HAVE_BOUND[i] is set to 1 if there is a field
1538 in TYPE which has pointer type and offset
1539 equal to i * POINTER_SIZE - OFFS in bits. */
1540 void
1542 HOST_WIDE_INT offs)
1543 {
1547 {
1548 tree field;
1552 {
1553 HOST_WIDE_INT field_offs
1559 }
1560 }
1562 {
1573 }
1574 }
1576 /* Fill bitmap RES with information about bounds for
1577 type TYPE. See chkp_find_bound_slots_1 for more
1578 details. */
1579 void
1581 {
1584 }
1586 /* Return 1 if call to FNDECL should be instrumented
1587 and 0 otherwise. */
1589 static bool
1591 {
1593 {
1627 }
1628 }
1630 /* Add bound arguments to call statement pointed by GSI.
1631 Also performs a replacement of user checker builtins calls
1632 with internal ones. */
1634 static void
1636 {
1640 tree fntype;
1641 tree first_formal_arg;
1642 tree arg;
1644 tree op;
1645 ssa_op_iter iter;
1648 /* Do nothing for internal functions. */
1654 /* Do nothing if back-end builtin is called. */
1658 /* Do nothing for some middle-end builtins. */
1663 /* Do nothing for calls to legacy functions. */
1668 /* Ignore CHKP_INIT_PTR_BOUNDS, CHKP_NULL_PTR_BOUNDS
1669 and CHKP_COPY_PTR_BOUNDS. */
1677 /* Check user builtins are replaced with checks. */
1682 {
1685 }
1687 /* Check user builtins are replaced with bound extract. */
1691 {
1694 }
1696 /* BUILT_IN_CHKP_NARROW_PTR_BOUNDS call is replaced with
1697 target narrow bounds call. */
1700 {
1709 }
1711 /* BUILT_IN_CHKP_STORE_PTR_BOUNDS call is replaced with
1712 bndstx call. */
1715 {
1725 }
1730 /* We instrument only some subset of builtins. We also instrument
1731 builtin calls to be inlined. */
1735 {
1743 }
1745 /* If function decl is available then use it for
1746 formal arguments list. Otherwise use function type. */
1749 else
1750 {
1753 }
1755 /* Fill vector of new call args. */
1760 {
1762 tree type;
1764 /* Get arg type using formal argument description
1765 or actual argument type. */
1769 {
1772 }
1773 else
1775 else
1776 {
1779 }
1780 else
1789 {
1790 HOST_WIDE_INT max_bounds
1793 HOST_WIDE_INT bnd_no;
1804 }
1805 }
1809 else
1810 {
1814 }
1817 /* For direct calls fndecl is replaced with instrumented version. */
1819 {
1823 }
1824 /* For indirect call we should fix function pointer type if
1825 pass some bounds. */
1827 {
1831 }
1833 /* replace old call statement with the new one. */
1835 {
1837 {
1839 }
1841 }
1842 else
1846 }
1848 /* Return constant static bounds var with specified LB and UB
1849 if such var exists in varpool. Return NULL otherwise. */
1850 static tree
1852 HOST_WIDE_INT ub)
1853 {
1857 /* We expect bounds constant is represented as a complex value
1858 of two pointer sized integers. */
1873 }
1875 /* Return constant static bounds var with specified bounds LB and UB.
1876 If such var does not exists then new var is created with specified NAME. */
1877 static tree
1879 HOST_WIDE_INT ub,
1881 {
1882 tree var;
1884 /* With LTO we may have constant bounds already in varpool.
1885 Try to find it. */
1901 /* We may use this symbol during ctors generation in chkp_finish_file
1902 when all symbols are emitted. Force output to avoid undefined
1903 symbols in ctors. */
1905 {
1910 }
1911 else
1916 }
1918 /* Generate code to make bounds with specified lower bound LB and SIZE.
1919 if AFTER is 1 then code is inserted after position pointed by ITER
1920 otherwise code is inserted before position pointed by ITER.
1921 If ITER is NULL then code is added to entry block. */
1922 static tree
1924 {
1925 gimple_seq seq;
1926 gimple_stmt_iterator gsi;
1927 gimple stmt;
1928 tree bounds;
1932 else
1950 else
1954 {
1958 {
1961 }
1962 else
1964 }
1966 /* update_stmt (stmt); */
1969 }
1971 /* Return var holding zero bounds. */
1972 tree
1974 {
1976 {
1981 }
1984 chkp_zero_bounds_var
1986 CHKP_ZERO_BOUNDS_VAR_NAME);
1988 }
1990 /* Return var holding none bounds. */
1991 tree
1993 {
1995 {
2000 }
2003 chkp_none_bounds_var
2005 CHKP_NONE_BOUNDS_VAR_NAME);
2007 }
2009 /* Return SSA_NAME used to represent zero bounds. */
2010 static tree
2012 {
2021 {
2023 gimple stmt;
2028 }
2029 else
2031 integer_zero_node,
2032 NULL,
2036 }
2038 /* Return SSA_NAME used to represent none bounds. */
2039 static tree
2041 {
2051 {
2053 gimple stmt;
2058 }
2059 else
2062 NULL,
2066 }
2068 /* Return bounds to be used as a result of operation which
2069 should not create poiunter (e.g. MULT_EXPR). */
2070 static tree
2072 {
2074 }
2076 /* Return bounds to be used for loads of non-pointer values. */
2077 static tree
2079 {
2081 }
2083 /* Build bounds returned by CALL. */
2084 static tree
2086 {
2087 gimple_stmt_iterator gsi;
2088 tree bounds;
2089 gimple stmt;
2092 /* To avoid fixing alloca expands in targets we handle
2093 it separately. */
2098 {
2103 }
2104 /* We know bounds returned by set_bounds builtin call. */
2108 {
2113 }
2114 /* Detect bounds initialization calls. */
2119 /* Detect bounds nullification calls. */
2124 /* Detect bounds copy calls. */
2128 {
2131 }
2132 /* Do not use retbnd when returned bounds are equal to some
2133 of passed bounds. */
2136 {
2142 {
2145 {
2147 retarg--;
2148 else
2150 }
2151 }
2152 else
2156 }
2157 else
2158 {
2161 /* In general case build checker builtin call to
2162 obtain returned bounds. */
2174 }
2177 {
2182 }
2187 }
2189 /* Return bounds used as returned by call
2190 which produced SSA name VAL. */
2191 gcall *
2193 {
2199 imm_use_iterator use_iter;
2200 use_operand_p use_p;
2207 }
2209 /* Check the next parameter for the given PARM is bounds
2210 and return it's default SSA_NAME (create if required). */
2211 static tree
2213 {
2218 {
2221 }
2223 }
2225 /* Return bounds to be used for input argument PARM. */
2226 static tree
2228 {
2230 tree bounds;
2240 {
2243 /* For static chain param we return zero bounds
2244 because currently we do not check dereferences
2245 of this pointer. */
2248 /* If non instrumented runtime is used then it may be useful
2249 to use zero bounds for input arguments of main
2250 function. */
2256 {
2261 {
2266 }
2267 }
2268 else
2270 }
2276 {
2284 }
2287 }
2289 /* Build and return CALL_EXPR for bndstx builtin with specified
2290 arguments. */
2291 tree
2293 {
2296 chkp_bndldx_fndecl);
2301 }
2303 /* Insert code to load bounds for PTR located by ADDR.
2304 Code is inserted after position pointed by GSI.
2305 Loaded bounds are returned. */
2306 static tree
2308 {
2309 gimple_seq seq;
2310 gimple stmt;
2311 tree bounds;
2328 {
2333 }
2336 }
2338 /* Build and return CALL_EXPR for bndstx builtin with specified
2339 arguments. */
2340 tree
2342 {
2345 chkp_bndstx_fndecl);
2350 }
2352 /* Insert code to store BOUNDS for PTR stored by ADDR.
2353 New statements are inserted after position pointed
2354 by GSI. */
2355 void
2358 {
2359 gimple_seq seq;
2360 gimple stmt;
2376 {
2380 }
2381 }
2383 /* Compute bounds for pointer NODE which was assigned in
2384 assignment statement ASSIGN. Return computed bounds. */
2385 static tree
2387 {
2394 {
2397 }
2400 {
2405 /* We need to load bounds from the bounds table. */
2416 /* Bounds are just propagated from RHS. */
2421 /* Bounds are just propagated from RHS. */
2427 {
2428 /* We need to load bounds from the bounds table. */
2432 }
2433 else
2442 {
2447 /* First we try to check types of operands. If it
2448 does not help then look at bound values.
2450 If some bounds are incomplete and other are
2451 not proven to be valid (i.e. also incomplete
2452 or invalid because value is not pointer) then
2453 resulting value is incomplete and will be
2454 recomputed later in chkp_finish_incomplete_bounds. */
2466 else
2472 else
2479 else
2483 else
2484 /* Seems both operands may have valid bounds
2485 (e.g. pointer minus pointer). In such case
2486 use default invalid op bounds. */
2488 }
2518 /* No valid bounds may be produced by these exprs. */
2523 {
2528 gimple stmt;
2534 else
2535 {
2545 }
2546 }
2551 {
2560 else
2561 {
2562 gimple stmt;
2573 }
2574 }
2581 }
2589 }
2591 /* Compute bounds for ssa name NODE defined by DEF_STMT pointed by ITER.
2593 There are just few statement codes allowed: NOP (for default ssa names),
2594 ASSIGN, CALL, PHI, ASM.
2596 Return computed bounds. */
2597 static tree
2600 {
2606 {
2612 }
2615 {
2619 {
2625 /* For uninitialized pointers use none bounds. */
2631 {
2632 tree base_type;
2645 }
2650 {
2653 }
2656 }
2671 else
2674 CHKP_BOUND_TMP_NAME);
2675 else
2683 /* Created bounds do not have all phi args computed and
2684 therefore we do not know if there is a valid source
2685 of bounds for that node. Therefore we mark bounds
2686 as incomplete and then recompute them when all phi
2687 args are computed. */
2699 }
2702 }
2704 /* Return CALL_EXPR for bndmk with specified LOWER_BOUND and SIZE. */
2705 tree
2707 {
2710 chkp_bndmk_fndecl);
2713 }
2715 /* Create static bounds var of specfified OBJ which is
2716 is either VAR_DECL or string constant. */
2717 static tree
2719 {
2725 tree bnd_var;
2727 /* First check if we already have required var. */
2729 {
2733 }
2735 /* Build decl for bounds var. */
2737 {
2739 {
2742 }
2743 else
2744 {
2747 /* For hidden symbols we want to skip first '*' char. */
2749 var_name++;
2755 }
2759 pointer_bounds_type_node);
2761 /* Address of the obj will be used as lower bound. */
2763 }
2764 else
2765 {
2771 pointer_bounds_type_node);
2772 }
2784 /* Force output similar to constant bounds.
2785 See chkp_make_static_const_bounds. */
2787 /* Mark symbol as requiring bounds initialization. */
2791 /* Add created var to the map to use it for other references
2792 to obj. */
2799 }
2801 /* When var has incomplete type we cannot get size to
2802 compute its bounds. In such cases we use checker
2803 builtin call which determines object size at runtime. */
2804 static tree
2806 {
2808 gimple_stmt_iterator gsi;
2810 gimple stmt;
2812 /* If instrumentation is not enabled for vars having
2813 incomplete type then just return zero bounds to avoid
2814 checks for this var. */
2819 {
2823 }
2836 {
2837 /* We should check that size relocation was resolved.
2838 If it was not then use maximum possible size for the var. */
2847 }
2848 else
2849 {
2852 }
2860 }
2862 /* Return 1 if TYPE has fields with zero size or fields
2863 marked with chkp_variable_size attribute. */
2864 bool
2866 {
2868 tree field;
2872 {
2874 res = res
2877 }
2878 else
2884 }
2886 /* Compute and return bounds for address of DECL which is
2887 one of VAR_DECL, PARM_DECL, RESULT_DECL. */
2888 static tree
2890 {
2891 tree bounds;
2903 {
2907 }
2909 /* Use zero bounds if size is unknown and checks for
2910 unknown sizes are restricted. */
2925 {
2928 gimple stmt;
2933 }
2939 {
2942 }
2943 else
2944 {
2947 }
2950 }
2952 /* Compute and return bounds for constant string. */
2953 static tree
2955 {
2956 tree bounds;
2957 tree lb;
2958 tree size;
2969 {
2972 gimple stmt;
2977 }
2978 else
2979 {
2983 }
2988 }
2990 /* Generate code to instersect bounds BOUNDS1 and BOUNDS2 and
2991 return the result. if ITER is not NULL then Code is inserted
2992 before position pointed by ITER. Otherwise code is added to
2993 entry block. */
2994 static tree
2996 {
3001 else
3002 {
3003 gimple_seq seq;
3004 gimple stmt;
3005 tree bounds;
3017 /* We are probably doing narrowing for constant expression.
3018 In such case iter may be undefined. */
3020 {
3024 }
3025 else
3029 {
3035 }
3038 }
3039 }
3041 /* Return 1 if we are allowed to narrow bounds for addressed FIELD
3042 and 0 othersize. */
3043 static bool
3045 {
3054 }
3056 /* Return 1 if bounds for FIELD should be narrowed to
3057 field's own size. */
3058 static bool
3060 {
3061 HOST_WIDE_INT offs;
3062 HOST_WIDE_INT bit_offs;
3067 /* Accesse to compiler generated fields should not cause
3068 bounds narrowing. */
3076 && (flag_chkp_first_field_has_own_bounds
3077 || offs
3079 }
3081 /* Perform narrowing for BOUNDS using bounds computed for field
3082 access COMPONENT. ITER meaning is the same as for
3083 chkp_intersect_bounds. */
3084 static tree
3087 {
3091 tree field_bounds;
3096 }
3098 /* Parse field or array access NODE.
3100 PTR ouput parameter holds a pointer to the outermost
3101 object.
3103 BITFIELD output parameter is set to 1 if bitfield is
3104 accessed and to 0 otherwise. If it is 1 then ELT holds
3105 outer component for accessed bit field.
3107 SAFE outer parameter is set to 1 if access is safe and
3108 checks are not required.
3110 BOUNDS outer parameter holds bounds to be used to check
3111 access (may be NULL).
3113 If INNERMOST_BOUNDS is 1 then try to narrow bounds to the
3114 innermost accessed component. */
3115 static void
3122 {
3127 tree var;
3131 /* Compute tree height for expression. */
3137 {
3139 len++;
3140 }
3144 /* It is more convenient for us to scan left-to-right,
3145 so walk tree again and put all node to nodes vector
3146 in reversed order. */
3157 /* To get bitfield address we will need outer elemnt. */
3160 else
3163 /* If we have indirection in expression then compute
3164 outermost structure bounds. Computed bounds may be
3165 narrowed later. */
3167 {
3172 }
3173 else
3174 {
3182 }
3184 /* In this loop we are trying to find a field access
3185 requiring narrowing. There are two simple rules
3186 for search:
3187 1. Leftmost array_ref is chosen if any.
3188 2. Rightmost suitable component_ref is chosen if innermost
3189 bounds are required and no array_ref exists. */
3191 {
3195 {
3199 && !flag_chkp_narrow_to_innermost_arrray
3200 && (!last_comp
3202 {
3205 }
3206 }
3208 {
3212 && !array_ref_found
3218 && flag_chkp_narrow_to_innermost_arrray
3220 {
3224 }
3225 }
3227 /* Nothing to do for it. */
3228 ;
3229 else
3231 }
3238 }
3240 /* Compute and return bounds for address of OBJ. */
3241 static tree
3243 {
3250 {
3263 {
3264 tree elt;
3265 tree ptr;
3273 }
3292 {
3297 }
3301 }
3306 }
3308 /* Compute bounds for pointer PTR loaded from PTR_SRC. Generate statements
3309 to compute bounds if required. Computed bounds should be available at
3310 position pointed by ITER.
3312 If PTR_SRC is NULL_TREE then pointer definition is identified.
3314 If PTR_SRC is not NULL_TREE then ITER points to statements which loads
3315 PTR. If PTR is a any memory reference then ITER points to a statement
3316 after which bndldx will be inserterd. In both cases ITER will be updated
3317 to point to the inserted bndldx statement. */
3319 static tree
3321 {
3334 {
3340 else
3341 {
3344 }
3345 else
3355 {
3359 else
3360 {
3363 }
3364 else
3366 }
3367 else
3368 {
3371 }
3387 {
3389 gphi_iterator phi_iter;
3396 {
3400 {
3402 tree arg_bnd;
3407 /* chkp_get_bounds_by_definition created new phi
3408 statement and phi_iter points to it.
3410 Previous call to chkp_find_bounds could create
3411 new basic block and therefore change phi statement
3412 phi_iter points to. */
3417 UNKNOWN_LOCATION);
3418 }
3420 /* If all bound phi nodes have their arg computed
3421 then we may finish its computation. See
3422 chkp_finish_incomplete_bounds for more details. */
3425 }
3429 }
3439 else
3445 {
3449 }
3452 }
3455 {
3457 {
3460 }
3462 }
3465 }
3467 /* Normal case for bounds search without forced narrowing. */
3468 static tree
3470 {
3472 }
3474 /* Search bounds for pointer PTR loaded from PTR_SRC
3475 by statement *ITER points to. */
3476 static tree
3478 {
3480 }
3482 /* Helper function which checks type of RHS and finds all pointers in
3483 it. For each found pointer we build it's accesses in LHS and RHS
3484 objects and then call HANDLER for them. Function is used to copy
3485 or initilize bounds for copied object. */
3486 static void
3488 assign_handler handler)
3489 {
3492 /* We have nothing to do with clobbers. */
3499 {
3500 tree field;
3503 {
3505 tree val;
3508 {
3510 {
3513 }
3514 }
3515 }
3516 else
3520 {
3524 }
3525 }
3527 {
3534 {
3539 {
3541 {
3547 cur++)
3548 {
3551 }
3552 }
3553 else
3554 {
3556 {
3559 }
3564 }
3565 }
3566 }
3567 /* Copy array only when size is known. */
3570 {
3574 }
3575 }
3576 else
3579 }
3581 /* Add code to copy bounds for assignment of RHS to LHS.
3582 ARG is an iterator pointing ne code position. */
3583 static void
3585 {
3591 }
3593 /* Emit static bound initilizers and size vars. */
3594 void
3596 {
3603 /* Iterate through varpool and generate bounds initialization
3604 constructors for all statically initialized pointers. */
3608 /* Check that var is actually emitted and we need and may initialize
3609 its bounds. */
3615 {
3619 chkp_add_modification_to_stmt_list);
3622 {
3627 }
3628 }
3634 /* Iterate through varpool and generate bounds initialization
3635 constructors for all static bounds vars. */
3642 {
3644 tree var;
3651 }
3659 }
3661 /* An instrumentation function which is called for each statement
3662 having memory access we want to instrument. It inserts check
3663 code and bounds copy code.
3665 ITER points to statement to instrument.
3667 NODE holds memory access in statement to check.
3669 LOC holds the location information for statement.
3671 DIRFLAGS determines whether access is read or write.
3673 ACCESS_OFFS should be added to address used in NODE
3674 before check.
3676 ACCESS_SIZE holds size of checked access.
3678 SAFE indicates if NODE access is safe and should not be
3679 checked. */
3680 static void
3685 {
3693 /* We do not need instrumentation for clobbers. */
3700 {
3703 {
3705 tree elt;
3708 {
3709 /* We are not going to generate any checks, so do not
3710 generate bounds as well. */
3713 }
3718 /* Break if there is no dereference and operation is safe. */
3721 {
3731 addr_first,
3733 }
3734 else
3736 }
3762 {
3781 }
3797 }
3799 /* If addr_last was not computed then use (addr_first + size - 1)
3800 expression to compute it. */
3802 {
3805 }
3807 /* Shift both first_addr and last_addr by access_offs if specified. */
3809 {
3812 }
3814 /* Generate bndcl/bndcu checks if memory access is not safe. */
3816 {
3824 }
3826 /* We need to store bounds in case pointer is stored. */
3830 {
3837 chkp_copy_bounds_for_elem);
3838 else
3839 {
3842 }
3843 }
3844 }
3846 /* Add code to copy bounds for all pointers copied
3847 in ASSIGN created during inline of EDGE. */
3848 void
3850 {
3860 /* We should create edges for all created calls to bndldx and bndstx. */
3862 {
3865 {
3880 }
3882 }
3883 }
3885 /* Some code transformation made during instrumentation pass
3886 may put code into inconsistent state. Here we find and fix
3887 such flaws. */
3888 void
3890 {
3891 basic_block bb;
3892 gimple_stmt_iterator i;
3894 /* We could insert some code right after stmt which ends bb.
3895 We wanted to put this code on fallthru edge but did not
3896 add new edges from the beginning because it may cause new
3897 phi node creation which may be incorrect due to incomplete
3898 bound phi nodes. */
3901 {
3909 {
3916 /* We cannot split abnormal edge. Therefore we
3917 store its params, make it regular and then
3918 rebuild abnormal edge after split. */
3920 {
3925 }
3928 {
3932 }
3936 /* Re-create abnormal edge. */
3939 }
3940 }
3941 }
3943 /* Walker callback for chkp_replace_function_pointers. Replaces
3944 function pointer in the specified operand with pointer to the
3945 instrumented function version. */
3946 static tree
3949 {
3953 /* For builtins we replace pointers only for selected
3954 function and functions having definitions. */
3958 {
3968 }
3971 }
3973 /* This function searches for function pointers in statement
3974 pointed by GSI and replaces them with pointers to instrumented
3975 function versions. */
3976 static void
3978 {
3980 /* For calls we want to walk call args only. */
3982 {
3987 }
3988 else
3990 }
3992 /* This function instruments all statements working with memory,
3993 calls and rets.
3995 It also removes excess statements from static initializers. */
3996 static void
3998 {
4000 gimple_stmt_iterator i;
4005 do
4006 {
4009 {
4012 /* Skip statement marked to not be instrumented. */
4014 {
4017 }
4022 {
4038 {
4041 {
4044 integer_zero_node,
4047 /* Additionally we need to add bounds
4048 to return statement. */
4050 }
4051 }
4059 ;
4060 }
4064 /* We do not need any actual pointer stores in checker
4065 static initializer. */
4069 {
4074 }
4075 }
4077 }
4080 /* Some input params may have bounds and be address taken. In this case
4081 we should store incoming bounds into bounds table. */
4082 tree arg;
4086 {
4088 {
4091 gimple_stmt_iterator iter
4097 /* Skip bounds arg. */
4099 }
4101 {
4104 gimple_stmt_iterator iter
4106 bitmap_iterator bi;
4112 {
4122 }
4124 }
4125 }
4126 }
4128 /* Find init/null/copy_ptr_bounds calls and replace them
4129 with assignments. It should allow better code
4130 optimization. */
4132 static void
4134 {
4135 basic_block bb;
4136 gimple_stmt_iterator gsi;
4139 {
4141 {
4143 tree fndecl;
4146 /* Find builtins returning first arg and replace
4147 them with assignments. */
4156 {
4161 }
4162 }
4163 }
4164 }
4166 /* Initialize pass. */
4167 static void
4169 {
4170 basic_block bb;
4171 gimple_stmt_iterator i;
4200 /* We create these constant bounds once for each object file.
4201 These symbols go to comdat section and result in single copy
4202 of each one in the final binary. */
4210 }
4212 /* Finalize instrumentation pass. */
4213 static void
4215 {
4227 }
4229 /* Main instrumentation pass function. */
4230 static unsigned int
4232 {
4246 }
4248 /* Instrumentation pass gate. */
4249 static bool
4251 {
4254 }
4259 {
4268 TODO_verify_il
4270 };
4273 {
4277 {}
4279 /* opt_pass methods: */
4281 {
4283 }
4286 {
4288 }
4291 {
4293 }
4299 gimple_opt_pass *
4301 {
4303 }