search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Make build_check_stmt accept an SSA_NAME for its base
[official-gcc.git] / gcc / asan.c
blobc3913d6553a1e0a9d0e7e38c48bcc62b3a7fdbae
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
11
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "gimple.h"
26 #include "tree-iterator.h"
27 #include "tree-flow.h"
28 #include "tree-pass.h"
29 #include "asan.h"
30 #include "gimple-pretty-print.h"
31 #include "target.h"
32 #include "expr.h"
33 #include "optabs.h"
34 #include "output.h"
35
36 /*
37 AddressSanitizer finds out-of-bounds and use-after-free bugs
38 with <2x slowdown on average.
39
40 The tool consists of two parts:
41 instrumentation module (this file) and a run-time library.
42 The instrumentation module adds a run-time check before every memory insn.
43 For a 8- or 16- byte load accessing address X:
44 ShadowAddr = (X >> 3) + Offset
45 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
46 if (ShadowValue)
47 __asan_report_load8(X);
48 For a load of N bytes (N=1, 2 or 4) from address X:
49 ShadowAddr = (X >> 3) + Offset
50 ShadowValue = *(char*)ShadowAddr;
51 if (ShadowValue)
52 if ((X & 7) + N - 1 > ShadowValue)
53 __asan_report_loadN(X);
54 Stores are instrumented similarly, but using __asan_report_storeN functions.
55 A call too __asan_init() is inserted to the list of module CTORs.
56
57 The run-time library redefines malloc (so that redzone are inserted around
58 the allocated memory) and free (so that reuse of free-ed memory is delayed),
59 provides __asan_report* and __asan_init functions.
60
61 Read more:
62 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
63
64 The current implementation supports detection of out-of-bounds and
65 use-after-free in the heap, on the stack and for global variables.
66
67 [Protection of stack variables]
68
69 To understand how detection of out-of-bounds and use-after-free works
70 for stack variables, lets look at this example on x86_64 where the
71 stack grows downward:
72
73 int
74 foo ()
75 {
76 char a[23] = {0};
77 int b[2] = {0};
78
79 a[5] = 1;
80 b[1] = 2;
81
82 return a[5] + b[1];
83 }
84
85 For this function, the stack protected by asan will be organized as
86 follows, from the top of the stack to the bottom:
87
88 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
89
90 Slot 2/ [24 bytes for variable 'a']
91
92 Slot 3/ [8 bytes of red zone, that adds up to the space of 'a' to make
93 the next slot be 32 bytes aligned; this one is called Partial
94 Redzone; this 32 bytes alignment is an asan constraint]
95
96 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
97
98 Slot 5/ [8 bytes for variable 'b']
99
100 Slot 6/ [24 bytes of Partial Red Zone (similar to slot 3]
101
102 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called 'LEFT
103 RedZone']
104
105 The 32 bytes of LEFT red zone at the bottom of the stack can be
106 decomposed as such:
107
108 1/ The first 8 bytes contain a magical asan number that is always
109 0x41B58AB3.
110
111 2/ The following 8 bytes contains a pointer to a string (to be
112 parsed at runtime by the runtime asan library), which format is
113 the following:
114
115 "<function-name> <space> <num-of-variables-on-the-stack>
116 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
117 <length-of-var-in-bytes> ){n} "
118
119 where '(...){n}' means the content inside the parenthesis occurs 'n'
120 times, with 'n' being the number of variables on the stack.
121
122 3/ The following 16 bytes of the red zone have no particular
123 format.
124
125 The shadow memory for that stack layout is going to look like this:
126
127 - content of shadow memory 8 bytes for slot 7: 0xFFFFFFFFF1F1F1F1.
128 The F1 byte pattern is a magic number called
129 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
130 the memory for that shadow byte is part of a the LEFT red zone
131 intended to seat at the bottom of the variables on the stack.
132
133 - content of shadow memory 8 bytes for slots 6 and 5:
134 0xFFFFFFFFF4F4F400. The F4 byte pattern is a magic number
135 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
136 memory region for this shadow byte is a PARTIAL red zone
137 intended to pad a variable A, so that the slot following
138 {A,padding} is 32 bytes aligned.
139
140 Note that the fact that the least significant byte of this
141 shadow memory content is 00 means that 8 bytes of its
142 corresponding memory (which corresponds to the memory of
143 variable 'b') is addressable.
144
145 - content of shadow memory 8 bytes for slot 4: 0xFFFFFFFFF2F2F2F2.
146 The F2 byte pattern is a magic number called
147 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
148 region for this shadow byte is a MIDDLE red zone intended to
149 seat between two 32 aligned slots of {variable,padding}.
150
151 - content of shadow memory 8 bytes for slot 3 and 2:
152 0xFFFFFFFFF4000000. This represents is the concatenation of
153 variable 'a' and the partial red zone following it, like what we
154 had for variable 'b'. The least significant 3 bytes being 00
155 means that the 3 bytes of variable 'a' are addressable.
156
157 - content of shadow memory 8 bytes for slot 1: 0xFFFFFFFFF3F3F3F3.
158 The F3 byte pattern is a magic number called
159 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
160 region for this shadow byte is a RIGHT red zone intended to seat
161 at the top of the variables of the stack.
162
163 Note that the real variable layout is done in expand_used_vars in
164 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
165 stack variables as well as the different red zones, emits some
166 prologue code to populate the shadow memory as to poison (mark as
167 non-accessible) the regions of the red zones and mark the regions of
168 stack variables as accessible, and emit some epilogue code to
169 un-poison (mark as accessible) the regions of red zones right before
170 the function exits.
171
172 [Protection of global variables]
173
174 The basic idea is to insert a red zone between two global variables
175 and install a constructor function that calls the asan runtime to do
176 the populating of the relevant shadow memory regions at load time.
177
178 So the global variables are laid out as to insert a red zone between
179 them. The size of the red zones is so that each variable starts on a
180 32 bytes boundary.
181
182 Then a constructor function is installed so that, for each global
183 variable, it calls the runtime asan library function
184 __asan_register_globals_with an instance of this type:
185
186 struct __asan_global
187 {
188 // Address of the beginning of the global variable.
189 const void *__beg;
190
191 // Initial size of the global variable.
192 uptr __size;
193
194 // Size of the global variable + size of the red zone. This
195 // size is 32 bytes aligned.
196 uptr __size_with_redzone;
197
198 // Name of the global variable.
199 const void *__name;
200
201 // This is always set to NULL for now.
202 uptr __has_dynamic_init;
203 }
204
205 A destructor function that calls the runtime asan library function
206 _asan_unregister_globals is also installed. */
207
208 alias_set_type asan_shadow_set = -1;
209
210 /* Pointer types to 1 resp. 2 byte integers in shadow memory. A separate
211 alias set is used for all shadow memory accesses. */
212 static GTY(()) tree shadow_ptr_types[2];
213
214 /* Asan pretty-printer, used for buidling of the description STRING_CSTs. */
215 static pretty_printer asan_pp;
216 static bool asan_pp_initialized;
217
218 /* Initialize asan_pp. */
219
220 static void
221 asan_pp_initialize (void)
222 {
223 pp_construct (&asan_pp, /* prefix */NULL, /* line-width */0);
224 asan_pp_initialized = true;
225 }
226
227 /* Create ADDR_EXPR of STRING_CST with asan_pp text. */
228
229 static tree
230 asan_pp_string (void)
231 {
232 const char *buf = pp_base_formatted_text (&asan_pp);
233 size_t len = strlen (buf);
234 tree ret = build_string (len + 1, buf);
235 TREE_TYPE (ret)
236 = build_array_type (char_type_node, build_index_type (size_int (len)));
237 TREE_READONLY (ret) = 1;
238 TREE_STATIC (ret) = 1;
239 return build1 (ADDR_EXPR, build_pointer_type (char_type_node), ret);
240 }
241
242 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
243
244 static rtx
245 asan_shadow_cst (unsigned char shadow_bytes[4])
246 {
247 int i;
248 unsigned HOST_WIDE_INT val = 0;
249 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
250 for (i = 0; i < 4; i++)
251 val |= (unsigned HOST_WIDE_INT) shadow_bytes[BYTES_BIG_ENDIAN ? 3 - i : i]
252 << (BITS_PER_UNIT * i);
253 return GEN_INT (trunc_int_for_mode (val, SImode));
254 }
255
256 /* Insert code to protect stack vars. The prologue sequence should be emitted
257 directly, epilogue sequence returned. BASE is the register holding the
258 stack base, against which OFFSETS array offsets are relative to, OFFSETS
259 array contains pairs of offsets in reverse order, always the end offset
260 of some gap that needs protection followed by starting offset,
261 and DECLS is an array of representative decls for each var partition.
262 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
263 elements long (OFFSETS include gap before the first variable as well
264 as gaps after each stack variable). */
265
266 rtx
267 asan_emit_stack_protection (rtx base, HOST_WIDE_INT *offsets, tree *decls,
268 int length)
269 {
270 rtx shadow_base, shadow_mem, ret, mem;
271 unsigned char shadow_bytes[4];
272 HOST_WIDE_INT base_offset = offsets[length - 1], offset, prev_offset;
273 HOST_WIDE_INT last_offset, last_size;
274 int l;
275 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
276 tree str_cst;
277
278 /* First of all, prepare the description string. */
279 if (!asan_pp_initialized)
280 asan_pp_initialize ();
281
282 pp_clear_output_area (&asan_pp);
283 if (DECL_NAME (current_function_decl))
284 pp_base_tree_identifier (&asan_pp, DECL_NAME (current_function_decl));
285 else
286 pp_string (&asan_pp, "<unknown>");
287 pp_space (&asan_pp);
288 pp_decimal_int (&asan_pp, length / 2 - 1);
289 pp_space (&asan_pp);
290 for (l = length - 2; l; l -= 2)
291 {
292 tree decl = decls[l / 2 - 1];
293 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
294 pp_space (&asan_pp);
295 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
296 pp_space (&asan_pp);
297 if (DECL_P (decl) && DECL_NAME (decl))
298 {
299 pp_decimal_int (&asan_pp, IDENTIFIER_LENGTH (DECL_NAME (decl)));
300 pp_space (&asan_pp);
301 pp_base_tree_identifier (&asan_pp, DECL_NAME (decl));
302 }
303 else
304 pp_string (&asan_pp, "9 <unknown>");
305 pp_space (&asan_pp);
306 }
307 str_cst = asan_pp_string ();
308
309 /* Emit the prologue sequence. */
310 base = expand_binop (Pmode, add_optab, base, GEN_INT (base_offset),
311 NULL_RTX, 1, OPTAB_DIRECT);
312 mem = gen_rtx_MEM (ptr_mode, base);
313 emit_move_insn (mem, GEN_INT (ASAN_STACK_FRAME_MAGIC));
314 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
315 emit_move_insn (mem, expand_normal (str_cst));
316 shadow_base = expand_binop (Pmode, lshr_optab, base,
317 GEN_INT (ASAN_SHADOW_SHIFT),
318 NULL_RTX, 1, OPTAB_DIRECT);
319 shadow_base = expand_binop (Pmode, add_optab, shadow_base,
320 GEN_INT (targetm.asan_shadow_offset ()),
321 NULL_RTX, 1, OPTAB_DIRECT);
322 gcc_assert (asan_shadow_set != -1
323 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
324 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
325 set_mem_alias_set (shadow_mem, asan_shadow_set);
326 prev_offset = base_offset;
327 for (l = length; l; l -= 2)
328 {
329 if (l == 2)
330 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
331 offset = offsets[l - 1];
332 if ((offset - base_offset) & (ASAN_RED_ZONE_SIZE - 1))
333 {
334 int i;
335 HOST_WIDE_INT aoff
336 = base_offset + ((offset - base_offset)
337 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
338 shadow_mem = adjust_address (shadow_mem, VOIDmode,
339 (aoff - prev_offset)
340 >> ASAN_SHADOW_SHIFT);
341 prev_offset = aoff;
342 for (i = 0; i < 4; i++, aoff += (1 << ASAN_SHADOW_SHIFT))
343 if (aoff < offset)
344 {
345 if (aoff < offset - (1 << ASAN_SHADOW_SHIFT) + 1)
346 shadow_bytes[i] = 0;
347 else
348 shadow_bytes[i] = offset - aoff;
349 }
350 else
351 shadow_bytes[i] = ASAN_STACK_MAGIC_PARTIAL;
352 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
353 offset = aoff;
354 }
355 while (offset <= offsets[l - 2] - ASAN_RED_ZONE_SIZE)
356 {
357 shadow_mem = adjust_address (shadow_mem, VOIDmode,
358 (offset - prev_offset)
359 >> ASAN_SHADOW_SHIFT);
360 prev_offset = offset;
361 memset (shadow_bytes, cur_shadow_byte, 4);
362 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
363 offset += ASAN_RED_ZONE_SIZE;
364 }
365 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
366 }
367 do_pending_stack_adjust ();
368
369 /* Construct epilogue sequence. */
370 start_sequence ();
371
372 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
373 set_mem_alias_set (shadow_mem, asan_shadow_set);
374 prev_offset = base_offset;
375 last_offset = base_offset;
376 last_size = 0;
377 for (l = length; l; l -= 2)
378 {
379 offset = base_offset + ((offsets[l - 1] - base_offset)
380 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
381 if (last_offset + last_size != offset)
382 {
383 shadow_mem = adjust_address (shadow_mem, VOIDmode,
384 (last_offset - prev_offset)
385 >> ASAN_SHADOW_SHIFT);
386 prev_offset = last_offset;
387 clear_storage (shadow_mem, GEN_INT (last_size >> ASAN_SHADOW_SHIFT),
388 BLOCK_OP_NORMAL);
389 last_offset = offset;
390 last_size = 0;
391 }
392 last_size += base_offset + ((offsets[l - 2] - base_offset)
393 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
394 - offset;
395 }
396 if (last_size)
397 {
398 shadow_mem = adjust_address (shadow_mem, VOIDmode,
399 (last_offset - prev_offset)
400 >> ASAN_SHADOW_SHIFT);
401 clear_storage (shadow_mem, GEN_INT (last_size >> ASAN_SHADOW_SHIFT),
402 BLOCK_OP_NORMAL);
403 }
404
405 do_pending_stack_adjust ();
406
407 ret = get_insns ();
408 end_sequence ();
409 return ret;
410 }
411
412 /* Return true if DECL, a global var, might be overridden and needs
413 therefore a local alias. */
414
415 static bool
416 asan_needs_local_alias (tree decl)
417 {
418 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
419 }
420
421 /* Return true if DECL is a VAR_DECL that should be protected
422 by Address Sanitizer, by appending a red zone with protected
423 shadow memory after it and aligning it to at least
424 ASAN_RED_ZONE_SIZE bytes. */
425
426 bool
427 asan_protect_global (tree decl)
428 {
429 rtx rtl, symbol;
430 section *sect;
431
432 if (TREE_CODE (decl) != VAR_DECL
433 /* TLS vars aren't statically protectable. */
434 || DECL_THREAD_LOCAL_P (decl)
435 /* Externs will be protected elsewhere. */
436 || DECL_EXTERNAL (decl)
437 || !TREE_ASM_WRITTEN (decl)
438 || !DECL_RTL_SET_P (decl)
439 /* Comdat vars pose an ABI problem, we can't know if
440 the var that is selected by the linker will have
441 padding or not. */
442 || DECL_ONE_ONLY (decl)
443 /* Similarly for common vars. People can use -fno-common. */
444 || DECL_COMMON (decl)
445 /* Don't protect if using user section, often vars placed
446 into user section from multiple TUs are then assumed
447 to be an array of such vars, putting padding in there
448 breaks this assumption. */
449 || (DECL_SECTION_NAME (decl) != NULL_TREE
450 && !DECL_HAS_IMPLICIT_SECTION_NAME_P (decl))
451 || DECL_SIZE (decl) == 0
452 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
453 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
454 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE)
455 return false;
456
457 rtl = DECL_RTL (decl);
458 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
459 return false;
460 symbol = XEXP (rtl, 0);
461
462 if (CONSTANT_POOL_ADDRESS_P (symbol)
463 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
464 return false;
465
466 sect = get_variable_section (decl, false);
467 if (sect->common.flags & SECTION_COMMON)
468 return false;
469
470 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
471 return false;
472
473 #ifndef ASM_OUTPUT_DEF
474 if (asan_needs_local_alias (decl))
475 return false;
476 #endif
477
478 return true;
479 }
480
481 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16}.
482 IS_STORE is either 1 (for a store) or 0 (for a load).
483 SIZE_IN_BYTES is one of 1, 2, 4, 8, 16. */
484
485 static tree
486 report_error_func (bool is_store, int size_in_bytes)
487 {
488 tree fn_type;
489 tree def;
490 char name[100];
491
492 sprintf (name, "__asan_report_%s%d",
493 is_store ? "store" : "load", size_in_bytes);
494 fn_type = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
495 def = build_fn_decl (name, fn_type);
496 TREE_NOTHROW (def) = 1;
497 TREE_THIS_VOLATILE (def) = 1; /* Attribute noreturn. Surprise! */
498 DECL_ATTRIBUTES (def) = tree_cons (get_identifier ("leaf"),
499 NULL, DECL_ATTRIBUTES (def));
500 DECL_ASSEMBLER_NAME (def);
501 return def;
502 }
503
504 /* Construct a function tree for __asan_init(). */
505
506 static tree
507 asan_init_func (void)
508 {
509 tree fn_type;
510 tree def;
511
512 fn_type = build_function_type_list (void_type_node, NULL_TREE);
513 def = build_fn_decl ("__asan_init", fn_type);
514 TREE_NOTHROW (def) = 1;
515 DECL_ASSEMBLER_NAME (def);
516 return def;
517 }
518
519
520 #define PROB_VERY_UNLIKELY (REG_BR_PROB_BASE / 2000 - 1)
521 #define PROB_ALWAYS (REG_BR_PROB_BASE)
522
523 /* Instrument the memory access instruction BASE. Insert new
524 statements before ITER.
525
526 Note that the memory access represented by BASE can be either an
527 SSA_NAME, or a non-SSA expression. LOCATION is the source code
528 location. IS_STORE is TRUE for a store, FALSE for a load.
529 SIZE_IN_BYTES is one of 1, 2, 4, 8, 16. */
530
531 static void
532 build_check_stmt (tree base, gimple_stmt_iterator *iter,
533 location_t location, bool is_store,
534 int size_in_bytes)
535 {
536 gimple_stmt_iterator gsi;
537 basic_block cond_bb, then_bb, else_bb;
538 edge e;
539 tree t, base_addr, shadow;
540 gimple g;
541 tree shadow_ptr_type = shadow_ptr_types[size_in_bytes == 16 ? 1 : 0];
542 tree shadow_type = TREE_TYPE (shadow_ptr_type);
543 tree uintptr_type
544 = build_nonstandard_integer_type (TYPE_PRECISION (TREE_TYPE (base)), 1);
545 tree base_ssa = base;
546
547 /* We first need to split the current basic block, and start altering
548 the CFG. This allows us to insert the statements we're about to
549 construct into the right basic blocks. */
550
551 cond_bb = gimple_bb (gsi_stmt (*iter));
552 gsi = *iter;
553 gsi_prev (&gsi);
554 if (!gsi_end_p (gsi))
555 e = split_block (cond_bb, gsi_stmt (gsi));
556 else
557 e = split_block_after_labels (cond_bb);
558 cond_bb = e->src;
559 else_bb = e->dest;
560
561 /* A recap at this point: else_bb is the basic block at whose head
562 is the gimple statement for which this check expression is being
563 built. cond_bb is the (possibly new, synthetic) basic block the
564 end of which will contain the cache-lookup code, and a
565 conditional that jumps to the cache-miss code or, much more
566 likely, over to else_bb. */
567
568 /* Create the bb that contains the crash block. */
569 then_bb = create_empty_bb (cond_bb);
570 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
571 e->probability = PROB_VERY_UNLIKELY;
572 make_single_succ_edge (then_bb, else_bb, EDGE_FALLTHRU);
573
574 /* Mark the pseudo-fallthrough edge from cond_bb to else_bb. */
575 e = find_edge (cond_bb, else_bb);
576 e->flags = EDGE_FALSE_VALUE;
577 e->count = cond_bb->count;
578 e->probability = PROB_ALWAYS - PROB_VERY_UNLIKELY;
579
580 /* Update dominance info. Note that bb_join's data was
581 updated by split_block. */
582 if (dom_info_available_p (CDI_DOMINATORS))
583 {
584 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
585 set_immediate_dominator (CDI_DOMINATORS, else_bb, cond_bb);
586 }
587
588 base = unshare_expr (base);
589
590 gsi = gsi_last_bb (cond_bb);
591
592 /* BASE can already be an SSA_NAME; in that case, do not create a
593 new SSA_NAME for it. */
594 if (TREE_CODE (base) != SSA_NAME)
595 {
596 g = gimple_build_assign_with_ops (TREE_CODE (base),
597 make_ssa_name (TREE_TYPE (base), NULL),
598 base, NULL_TREE);
599 gimple_set_location (g, location);
600 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
601 base_ssa = gimple_assign_lhs (g);
602 }
603
604 g = gimple_build_assign_with_ops (NOP_EXPR,
605 make_ssa_name (uintptr_type, NULL),
606 base_ssa, NULL_TREE);
607 gimple_set_location (g, location);
608 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
609 base_addr = gimple_assign_lhs (g);
610
611 /* Build
612 (base_addr >> ASAN_SHADOW_SHIFT) + targetm.asan_shadow_offset (). */
613
614 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
615 g = gimple_build_assign_with_ops (RSHIFT_EXPR,
616 make_ssa_name (uintptr_type, NULL),
617 base_addr, t);
618 gimple_set_location (g, location);
619 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
620
621 t = build_int_cst (uintptr_type, targetm.asan_shadow_offset ());
622 g = gimple_build_assign_with_ops (PLUS_EXPR,
623 make_ssa_name (uintptr_type, NULL),
624 gimple_assign_lhs (g), t);
625 gimple_set_location (g, location);
626 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
627
628 g = gimple_build_assign_with_ops (NOP_EXPR,
629 make_ssa_name (shadow_ptr_type, NULL),
630 gimple_assign_lhs (g), NULL_TREE);
631 gimple_set_location (g, location);
632 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
633
634 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
635 build_int_cst (shadow_ptr_type, 0));
636 g = gimple_build_assign_with_ops (MEM_REF,
637 make_ssa_name (shadow_type, NULL),
638 t, NULL_TREE);
639 gimple_set_location (g, location);
640 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
641 shadow = gimple_assign_lhs (g);
642
643 if (size_in_bytes < 8)
644 {
645 /* Slow path for 1, 2 and 4 byte accesses.
646 Test (shadow != 0)
647 & ((base_addr & 7) + (size_in_bytes - 1)) >= shadow). */
648 g = gimple_build_assign_with_ops (NE_EXPR,
649 make_ssa_name (boolean_type_node,
650 NULL),
651 shadow,
652 build_int_cst (shadow_type, 0));
653 gimple_set_location (g, location);
654 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
655 t = gimple_assign_lhs (g);
656
657 g = gimple_build_assign_with_ops (BIT_AND_EXPR,
658 make_ssa_name (uintptr_type,
659 NULL),
660 base_addr,
661 build_int_cst (uintptr_type, 7));
662 gimple_set_location (g, location);
663 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
664
665 g = gimple_build_assign_with_ops (NOP_EXPR,
666 make_ssa_name (shadow_type,
667 NULL),
668 gimple_assign_lhs (g), NULL_TREE);
669 gimple_set_location (g, location);
670 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
671
672 if (size_in_bytes > 1)
673 {
674 g = gimple_build_assign_with_ops (PLUS_EXPR,
675 make_ssa_name (shadow_type,
676 NULL),
677 gimple_assign_lhs (g),
678 build_int_cst (shadow_type,
679 size_in_bytes - 1));
680 gimple_set_location (g, location);
681 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
682 }
683
684 g = gimple_build_assign_with_ops (GE_EXPR,
685 make_ssa_name (boolean_type_node,
686 NULL),
687 gimple_assign_lhs (g),
688 shadow);
689 gimple_set_location (g, location);
690 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
691
692 g = gimple_build_assign_with_ops (BIT_AND_EXPR,
693 make_ssa_name (boolean_type_node,
694 NULL),
695 t, gimple_assign_lhs (g));
696 gimple_set_location (g, location);
697 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
698 t = gimple_assign_lhs (g);
699 }
700 else
701 t = shadow;
702
703 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
704 NULL_TREE, NULL_TREE);
705 gimple_set_location (g, location);
706 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
707
708 /* Generate call to the run-time library (e.g. __asan_report_load8). */
709 gsi = gsi_start_bb (then_bb);
710 g = gimple_build_call (report_error_func (is_store, size_in_bytes),
711 1, base_addr);
712 gimple_set_location (g, location);
713 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
714
715 *iter = gsi_start_bb (else_bb);
716 }
717
718 /* If T represents a memory access, add instrumentation code before ITER.
719 LOCATION is source code location.
720 IS_STORE is either 1 (for a store) or 0 (for a load). */
721
722 static void
723 instrument_derefs (gimple_stmt_iterator *iter, tree t,
724 location_t location, bool is_store)
725 {
726 tree type, base;
727 HOST_WIDE_INT size_in_bytes;
728
729 type = TREE_TYPE (t);
730 switch (TREE_CODE (t))
731 {
732 case ARRAY_REF:
733 case COMPONENT_REF:
734 case INDIRECT_REF:
735 case MEM_REF:
736 break;
737 default:
738 return;
739 }
740
741 size_in_bytes = int_size_in_bytes (type);
742 if ((size_in_bytes & (size_in_bytes - 1)) != 0
743 || (unsigned HOST_WIDE_INT) size_in_bytes - 1 >= 16)
744 return;
745
746 /* For now just avoid instrumenting bit field acceses.
747 Fixing it is doable, but expected to be messy. */
748
749 HOST_WIDE_INT bitsize, bitpos;
750 tree offset;
751 enum machine_mode mode;
752 int volatilep = 0, unsignedp = 0;
753 get_inner_reference (t, &bitsize, &bitpos, &offset,
754 &mode, &unsignedp, &volatilep, false);
755 if (bitpos != 0 || bitsize != size_in_bytes * BITS_PER_UNIT)
756 return;
757
758 base = build_fold_addr_expr (t);
759 build_check_stmt (base, iter, location, is_store, size_in_bytes);
760 }
761
762 /* asan: this looks too complex. Can this be done simpler? */
763 /* Transform
764 1) Memory references.
765 2) BUILTIN_ALLOCA calls.
766 */
767
768 static void
769 transform_statements (void)
770 {
771 basic_block bb;
772 gimple_stmt_iterator i;
773 int saved_last_basic_block = last_basic_block;
774
775 FOR_EACH_BB (bb)
776 {
777 if (bb->index >= saved_last_basic_block) continue;
778 for (i = gsi_start_bb (bb); !gsi_end_p (i); gsi_next (&i))
779 {
780 gimple s = gsi_stmt (i);
781 if (!gimple_assign_single_p (s))
782 continue;
783 instrument_derefs (&i, gimple_assign_lhs (s),
784 gimple_location (s), true);
785 instrument_derefs (&i, gimple_assign_rhs1 (s),
786 gimple_location (s), false);
787 }
788 }
789 }
790
791 /* Build
792 struct __asan_global
793 {
794 const void *__beg;
795 uptr __size;
796 uptr __size_with_redzone;
797 const void *__name;
798 uptr __has_dynamic_init;
799 } type. */
800
801 static tree
802 asan_global_struct (void)
803 {
804 static const char *field_names[5]
805 = { "__beg", "__size", "__size_with_redzone",
806 "__name", "__has_dynamic_init" };
807 tree fields[5], ret;
808 int i;
809
810 ret = make_node (RECORD_TYPE);
811 for (i = 0; i < 5; i++)
812 {
813 fields[i]
814 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
815 get_identifier (field_names[i]),
816 (i == 0 || i == 3) ? const_ptr_type_node
817 : build_nonstandard_integer_type (POINTER_SIZE, 1));
818 DECL_CONTEXT (fields[i]) = ret;
819 if (i)
820 DECL_CHAIN (fields[i - 1]) = fields[i];
821 }
822 TYPE_FIELDS (ret) = fields[0];
823 TYPE_NAME (ret) = get_identifier ("__asan_global");
824 layout_type (ret);
825 return ret;
826 }
827
828 /* Append description of a single global DECL into vector V.
829 TYPE is __asan_global struct type as returned by asan_global_struct. */
830
831 static void
832 asan_add_global (tree decl, tree type, VEC(constructor_elt, gc) *v)
833 {
834 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
835 unsigned HOST_WIDE_INT size;
836 tree str_cst, refdecl = decl;
837 VEC(constructor_elt, gc) *vinner = NULL;
838
839 if (!asan_pp_initialized)
840 asan_pp_initialize ();
841
842 pp_clear_output_area (&asan_pp);
843 if (DECL_NAME (decl))
844 pp_base_tree_identifier (&asan_pp, DECL_NAME (decl));
845 else
846 pp_string (&asan_pp, "<unknown>");
847 pp_space (&asan_pp);
848 pp_left_paren (&asan_pp);
849 pp_string (&asan_pp, main_input_filename);
850 pp_right_paren (&asan_pp);
851 str_cst = asan_pp_string ();
852
853 if (asan_needs_local_alias (decl))
854 {
855 char buf[20];
856 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN",
857 VEC_length (constructor_elt, v) + 1);
858 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
859 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
860 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
861 TREE_READONLY (refdecl) = TREE_READONLY (decl);
862 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
863 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
864 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
865 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
866 TREE_STATIC (refdecl) = 1;
867 TREE_PUBLIC (refdecl) = 0;
868 TREE_USED (refdecl) = 1;
869 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
870 }
871
872 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
873 fold_convert (const_ptr_type_node,
874 build_fold_addr_expr (refdecl)));
875 size = tree_low_cst (DECL_SIZE_UNIT (decl), 1);
876 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
877 size += asan_red_zone_size (size);
878 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
879 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
880 fold_convert (const_ptr_type_node, str_cst));
881 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, 0));
882 init = build_constructor (type, vinner);
883 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
884 }
885
886 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
887 invoke ggc_collect. */
888 static GTY(()) tree asan_ctor_statements;
889
890 /* Module-level instrumentation.
891 - Insert __asan_init() into the list of CTORs.
892 - TODO: insert redzones around globals.
893 */
894
895 void
896 asan_finish_file (void)
897 {
898 struct varpool_node *vnode;
899 unsigned HOST_WIDE_INT gcount = 0;
900
901 append_to_statement_list (build_call_expr (asan_init_func (), 0),
902 &asan_ctor_statements);
903 FOR_EACH_DEFINED_VARIABLE (vnode)
904 if (asan_protect_global (vnode->symbol.decl))
905 ++gcount;
906 if (gcount)
907 {
908 tree type = asan_global_struct (), var, ctor, decl;
909 tree uptr = build_nonstandard_integer_type (POINTER_SIZE, 1);
910 tree dtor_statements = NULL_TREE;
911 VEC(constructor_elt, gc) *v;
912 char buf[20];
913
914 type = build_array_type_nelts (type, gcount);
915 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
916 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
917 type);
918 TREE_STATIC (var) = 1;
919 TREE_PUBLIC (var) = 0;
920 DECL_ARTIFICIAL (var) = 1;
921 DECL_IGNORED_P (var) = 1;
922 v = VEC_alloc (constructor_elt, gc, gcount);
923 FOR_EACH_DEFINED_VARIABLE (vnode)
924 if (asan_protect_global (vnode->symbol.decl))
925 asan_add_global (vnode->symbol.decl, TREE_TYPE (type), v);
926 ctor = build_constructor (type, v);
927 TREE_CONSTANT (ctor) = 1;
928 TREE_STATIC (ctor) = 1;
929 DECL_INITIAL (var) = ctor;
930 varpool_assemble_decl (varpool_node_for_decl (var));
931
932 type = build_function_type_list (void_type_node,
933 build_pointer_type (TREE_TYPE (type)),
934 uptr, NULL_TREE);
935 decl = build_fn_decl ("__asan_register_globals", type);
936 TREE_NOTHROW (decl) = 1;
937 append_to_statement_list (build_call_expr (decl, 2,
938 build_fold_addr_expr (var),
939 build_int_cst (uptr, gcount)),
940 &asan_ctor_statements);
941
942 decl = build_fn_decl ("__asan_unregister_globals", type);
943 TREE_NOTHROW (decl) = 1;
944 append_to_statement_list (build_call_expr (decl, 2,
945 build_fold_addr_expr (var),
946 build_int_cst (uptr, gcount)),
947 &dtor_statements);
948 cgraph_build_static_cdtor ('D', dtor_statements,
949 MAX_RESERVED_INIT_PRIORITY - 1);
950 }
951 cgraph_build_static_cdtor ('I', asan_ctor_statements,
952 MAX_RESERVED_INIT_PRIORITY - 1);
953 }
954
955 /* Initialize shadow_ptr_types array. */
956
957 static void
958 asan_init_shadow_ptr_types (void)
959 {
960 asan_shadow_set = new_alias_set ();
961 shadow_ptr_types[0] = build_distinct_type_copy (signed_char_type_node);
962 TYPE_ALIAS_SET (shadow_ptr_types[0]) = asan_shadow_set;
963 shadow_ptr_types[0] = build_pointer_type (shadow_ptr_types[0]);
964 shadow_ptr_types[1] = build_distinct_type_copy (short_integer_type_node);
965 TYPE_ALIAS_SET (shadow_ptr_types[1]) = asan_shadow_set;
966 shadow_ptr_types[1] = build_pointer_type (shadow_ptr_types[1]);
967 }
968
969 /* Instrument the current function. */
970
971 static unsigned int
972 asan_instrument (void)
973 {
974 if (shadow_ptr_types[0] == NULL_TREE)
975 asan_init_shadow_ptr_types ();
976 transform_statements ();
977 return 0;
978 }
979
980 static bool
981 gate_asan (void)
982 {
983 return flag_asan != 0;
984 }
985
986 struct gimple_opt_pass pass_asan =
987 {
988 {
989 GIMPLE_PASS,
990 "asan", /* name */
991 OPTGROUP_NONE, /* optinfo_flags */
992 gate_asan, /* gate */
993 asan_instrument, /* execute */
994 NULL, /* sub */
995 NULL, /* next */
996 0, /* static_pass_number */
997 TV_NONE, /* tv_id */
998 PROP_ssa | PROP_cfg | PROP_gimple_leh,/* properties_required */
999 0, /* properties_provided */
1000 0, /* properties_destroyed */
1001 0, /* todo_flags_start */
1002 TODO_verify_flow | TODO_verify_stmts
1003 | TODO_update_ssa /* todo_flags_finish */
1004 }
1005 };
1006
1007 static bool
1008 gate_asan_O0 (void)
1009 {
1010 return flag_asan != 0 && !optimize;
1011 }
1012
1013 struct gimple_opt_pass pass_asan_O0 =
1014 {
1015 {
1016 GIMPLE_PASS,
1017 "asan0", /* name */
1018 OPTGROUP_NONE, /* optinfo_flags */
1019 gate_asan_O0, /* gate */
1020 asan_instrument, /* execute */
1021 NULL, /* sub */
1022 NULL, /* next */
1023 0, /* static_pass_number */
1024 TV_NONE, /* tv_id */
1025 PROP_ssa | PROP_cfg | PROP_gimple_leh,/* properties_required */
1026 0, /* properties_provided */
1027 0, /* properties_destroyed */
1028 0, /* todo_flags_start */
1029 TODO_verify_flow | TODO_verify_stmts
1030 | TODO_update_ssa /* todo_flags_finish */
1031 }
1032 };
1033
1034 #include "gt-asan.h"
Mirror of the offical gcc git repository hosted at gcc.gnu.org