PR libstdc++/67078
[official-gcc.git] / gcc / sanopt.c
blob269c11d31a7b3d800617a69732b77788dccebdc7
1 /* Optimize and expand sanitizer functions.
2 Copyright (C) 2014-2015 Free Software Foundation, Inc.
3 Contributed by Marek Polacek <polacek@redhat.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
21 #include "config.h"
22 #include "system.h"
23 #include "coretypes.h"
24 #include "alias.h"
25 #include "backend.h"
26 #include "tree.h"
27 #include "gimple.h"
28 #include "hard-reg-set.h"
29 #include "options.h"
30 #include "fold-const.h"
31 #include "internal-fn.h"
32 #include "gimplify.h"
33 #include "gimple-iterator.h"
34 #include "tree-pass.h"
35 #include "asan.h"
36 #include "gimple-pretty-print.h"
37 #include "tm_p.h"
38 #include "langhooks.h"
39 #include "ubsan.h"
40 #include "params.h"
41 #include "tree-ssa-operands.h"
42 #include "tree-hash-traits.h"
45 /* This is used to carry information about basic blocks. It is
46 attached to the AUX field of the standard CFG block. */
48 struct sanopt_info
50 /* True if this BB might call (directly or indirectly) free/munmap
51 or similar operation. */
52 bool has_freeing_call_p;
54 /* True if HAS_FREEING_CALL_P flag has been computed. */
55 bool has_freeing_call_computed_p;
57 /* True if there is a block with HAS_FREEING_CALL_P flag set
58 on any path between an immediate dominator of BB, denoted
59 imm(BB), and BB. */
60 bool imm_dom_path_with_freeing_call_p;
62 /* True if IMM_DOM_PATH_WITH_FREEING_CALL_P has been computed. */
63 bool imm_dom_path_with_freeing_call_computed_p;
65 /* Number of possibly freeing calls encountered in this bb
66 (so far). */
67 uint64_t freeing_call_events;
69 /* True if BB is currently being visited during computation
70 of IMM_DOM_PATH_WITH_FREEING_CALL_P flag. */
71 bool being_visited_p;
73 /* True if this BB has been visited in the dominator walk. */
74 bool visited_p;
77 /* If T has a single definition of form T = T2, return T2. */
79 static tree
80 maybe_get_single_definition (tree t)
82 if (TREE_CODE (t) == SSA_NAME)
84 gimple g = SSA_NAME_DEF_STMT (t);
85 if (gimple_assign_single_p (g))
86 return gimple_assign_rhs1 (g);
88 return NULL_TREE;
91 /* Tree triplet for vptr_check_map. */
92 struct sanopt_tree_triplet
94 tree t1, t2, t3;
97 /* Traits class for tree triplet hash maps below. */
99 struct sanopt_tree_triplet_hash : typed_noop_remove <sanopt_tree_triplet>
101 typedef sanopt_tree_triplet value_type;
102 typedef sanopt_tree_triplet compare_type;
104 static inline hashval_t
105 hash (const sanopt_tree_triplet &ref)
107 inchash::hash hstate (0);
108 inchash::add_expr (ref.t1, hstate);
109 inchash::add_expr (ref.t2, hstate);
110 inchash::add_expr (ref.t3, hstate);
111 return hstate.end ();
114 static inline bool
115 equal (const sanopt_tree_triplet &ref1, const sanopt_tree_triplet &ref2)
117 return operand_equal_p (ref1.t1, ref2.t1, 0)
118 && operand_equal_p (ref1.t2, ref2.t2, 0)
119 && operand_equal_p (ref1.t3, ref2.t3, 0);
122 static inline void
123 mark_deleted (sanopt_tree_triplet &ref)
125 ref.t1 = reinterpret_cast<tree> (1);
128 static inline void
129 mark_empty (sanopt_tree_triplet &ref)
131 ref.t1 = NULL;
134 static inline bool
135 is_deleted (const sanopt_tree_triplet &ref)
137 return ref.t1 == (void *) 1;
140 static inline bool
141 is_empty (const sanopt_tree_triplet &ref)
143 return ref.t1 == NULL;
147 /* This is used to carry various hash maps and variables used
148 in sanopt_optimize_walker. */
150 struct sanopt_ctx
152 /* This map maps a pointer (the first argument of UBSAN_NULL) to
153 a vector of UBSAN_NULL call statements that check this pointer. */
154 hash_map<tree, auto_vec<gimple> > null_check_map;
156 /* This map maps a pointer (the second argument of ASAN_CHECK) to
157 a vector of ASAN_CHECK call statements that check the access. */
158 hash_map<tree_operand_hash, auto_vec<gimple> > asan_check_map;
160 /* This map maps a tree triplet (the first, second and fourth argument
161 of UBSAN_VPTR) to a vector of UBSAN_VPTR call statements that check
162 that virtual table pointer. */
163 hash_map<sanopt_tree_triplet_hash, auto_vec<gimple> > vptr_check_map;
165 /* Number of IFN_ASAN_CHECK statements. */
166 int asan_num_accesses;
170 /* Return true if there might be any call to free/munmap operation
171 on any path in between DOM (which should be imm(BB)) and BB. */
173 static bool
174 imm_dom_path_with_freeing_call (basic_block bb, basic_block dom)
176 sanopt_info *info = (sanopt_info *) bb->aux;
177 edge e;
178 edge_iterator ei;
180 if (info->imm_dom_path_with_freeing_call_computed_p)
181 return info->imm_dom_path_with_freeing_call_p;
183 info->being_visited_p = true;
185 FOR_EACH_EDGE (e, ei, bb->preds)
187 sanopt_info *pred_info = (sanopt_info *) e->src->aux;
189 if (e->src == dom)
190 continue;
192 if ((pred_info->imm_dom_path_with_freeing_call_computed_p
193 && pred_info->imm_dom_path_with_freeing_call_p)
194 || (pred_info->has_freeing_call_computed_p
195 && pred_info->has_freeing_call_p))
197 info->imm_dom_path_with_freeing_call_computed_p = true;
198 info->imm_dom_path_with_freeing_call_p = true;
199 info->being_visited_p = false;
200 return true;
204 FOR_EACH_EDGE (e, ei, bb->preds)
206 sanopt_info *pred_info = (sanopt_info *) e->src->aux;
208 if (e->src == dom)
209 continue;
211 if (pred_info->has_freeing_call_computed_p)
212 continue;
214 gimple_stmt_iterator gsi;
215 for (gsi = gsi_start_bb (e->src); !gsi_end_p (gsi); gsi_next (&gsi))
217 gimple stmt = gsi_stmt (gsi);
219 if (is_gimple_call (stmt) && !nonfreeing_call_p (stmt))
221 pred_info->has_freeing_call_p = true;
222 break;
226 pred_info->has_freeing_call_computed_p = true;
227 if (pred_info->has_freeing_call_p)
229 info->imm_dom_path_with_freeing_call_computed_p = true;
230 info->imm_dom_path_with_freeing_call_p = true;
231 info->being_visited_p = false;
232 return true;
236 FOR_EACH_EDGE (e, ei, bb->preds)
238 if (e->src == dom)
239 continue;
241 basic_block src;
242 for (src = e->src; src != dom; )
244 sanopt_info *pred_info = (sanopt_info *) src->aux;
245 if (pred_info->being_visited_p)
246 break;
247 basic_block imm = get_immediate_dominator (CDI_DOMINATORS, src);
248 if (imm_dom_path_with_freeing_call (src, imm))
250 info->imm_dom_path_with_freeing_call_computed_p = true;
251 info->imm_dom_path_with_freeing_call_p = true;
252 info->being_visited_p = false;
253 return true;
255 src = imm;
259 info->imm_dom_path_with_freeing_call_computed_p = true;
260 info->imm_dom_path_with_freeing_call_p = false;
261 info->being_visited_p = false;
262 return false;
265 /* Get the first dominating check from the list of stored checks.
266 Non-dominating checks are silently dropped. */
268 static gimple
269 maybe_get_dominating_check (auto_vec<gimple> &v)
271 for (; !v.is_empty (); v.pop ())
273 gimple g = v.last ();
274 sanopt_info *si = (sanopt_info *) gimple_bb (g)->aux;
275 if (!si->visited_p)
276 /* At this point we shouldn't have any statements
277 that aren't dominating the current BB. */
278 return g;
280 return NULL;
283 /* Optimize away redundant UBSAN_NULL calls. */
285 static bool
286 maybe_optimize_ubsan_null_ifn (struct sanopt_ctx *ctx, gimple stmt)
288 gcc_assert (gimple_call_num_args (stmt) == 3);
289 tree ptr = gimple_call_arg (stmt, 0);
290 tree cur_align = gimple_call_arg (stmt, 2);
291 gcc_assert (TREE_CODE (cur_align) == INTEGER_CST);
292 bool remove = false;
294 auto_vec<gimple> &v = ctx->null_check_map.get_or_insert (ptr);
295 gimple g = maybe_get_dominating_check (v);
296 if (!g)
298 /* For this PTR we don't have any UBSAN_NULL stmts recorded, so there's
299 nothing to optimize yet. */
300 v.safe_push (stmt);
301 return false;
304 /* We already have recorded a UBSAN_NULL check for this pointer. Perhaps we
305 can drop this one. But only if this check doesn't specify stricter
306 alignment. */
308 tree align = gimple_call_arg (g, 2);
309 int kind = tree_to_shwi (gimple_call_arg (g, 1));
310 /* If this is a NULL pointer check where we had segv anyway, we can
311 remove it. */
312 if (integer_zerop (align)
313 && (kind == UBSAN_LOAD_OF
314 || kind == UBSAN_STORE_OF
315 || kind == UBSAN_MEMBER_ACCESS))
316 remove = true;
317 /* Otherwise remove the check in non-recovering mode, or if the
318 stmts have same location. */
319 else if (integer_zerop (align))
320 remove = (flag_sanitize_recover & SANITIZE_NULL) == 0
321 || flag_sanitize_undefined_trap_on_error
322 || gimple_location (g) == gimple_location (stmt);
323 else if (tree_int_cst_le (cur_align, align))
324 remove = (flag_sanitize_recover & SANITIZE_ALIGNMENT) == 0
325 || flag_sanitize_undefined_trap_on_error
326 || gimple_location (g) == gimple_location (stmt);
328 if (!remove && gimple_bb (g) == gimple_bb (stmt)
329 && tree_int_cst_compare (cur_align, align) == 0)
330 v.pop ();
332 if (!remove)
333 v.safe_push (stmt);
334 return remove;
337 /* Optimize away redundant UBSAN_VPTR calls. The second argument
338 is the value loaded from the virtual table, so rely on FRE to find out
339 when we can actually optimize. */
341 static bool
342 maybe_optimize_ubsan_vptr_ifn (struct sanopt_ctx *ctx, gimple stmt)
344 gcc_assert (gimple_call_num_args (stmt) == 5);
345 sanopt_tree_triplet triplet;
346 triplet.t1 = gimple_call_arg (stmt, 0);
347 triplet.t2 = gimple_call_arg (stmt, 1);
348 triplet.t3 = gimple_call_arg (stmt, 3);
350 auto_vec<gimple> &v = ctx->vptr_check_map.get_or_insert (triplet);
351 gimple g = maybe_get_dominating_check (v);
352 if (!g)
354 /* For this PTR we don't have any UBSAN_VPTR stmts recorded, so there's
355 nothing to optimize yet. */
356 v.safe_push (stmt);
357 return false;
360 return true;
363 /* Returns TRUE if ASan check of length LEN in block BB can be removed
364 if preceded by checks in V. */
366 static bool
367 can_remove_asan_check (auto_vec<gimple> &v, tree len, basic_block bb)
369 unsigned int i;
370 gimple g;
371 gimple to_pop = NULL;
372 bool remove = false;
373 basic_block last_bb = bb;
374 bool cleanup = false;
376 FOR_EACH_VEC_ELT_REVERSE (v, i, g)
378 basic_block gbb = gimple_bb (g);
379 sanopt_info *si = (sanopt_info *) gbb->aux;
380 if (gimple_uid (g) < si->freeing_call_events)
382 /* If there is a potentially freeing call after g in gbb, we should
383 remove it from the vector, can't use in optimization. */
384 cleanup = true;
385 continue;
388 tree glen = gimple_call_arg (g, 2);
389 gcc_assert (TREE_CODE (glen) == INTEGER_CST);
391 /* If we've checked only smaller length than we want to check now,
392 we can't remove the current stmt. If g is in the same basic block,
393 we want to remove it though, as the current stmt is better. */
394 if (tree_int_cst_lt (glen, len))
396 if (gbb == bb)
398 to_pop = g;
399 cleanup = true;
401 continue;
404 while (last_bb != gbb)
406 /* Paths from last_bb to bb have been checked before.
407 gbb is necessarily a dominator of last_bb, but not necessarily
408 immediate dominator. */
409 if (((sanopt_info *) last_bb->aux)->freeing_call_events)
410 break;
412 basic_block imm = get_immediate_dominator (CDI_DOMINATORS, last_bb);
413 gcc_assert (imm);
414 if (imm_dom_path_with_freeing_call (last_bb, imm))
415 break;
417 last_bb = imm;
419 if (last_bb == gbb)
420 remove = true;
421 break;
424 if (cleanup)
426 unsigned int j = 0, l = v.length ();
427 for (i = 0; i < l; i++)
428 if (v[i] != to_pop
429 && (gimple_uid (v[i])
430 == ((sanopt_info *)
431 gimple_bb (v[i])->aux)->freeing_call_events))
433 if (i != j)
434 v[j] = v[i];
435 j++;
437 v.truncate (j);
440 return remove;
443 /* Optimize away redundant ASAN_CHECK calls. */
445 static bool
446 maybe_optimize_asan_check_ifn (struct sanopt_ctx *ctx, gimple stmt)
448 gcc_assert (gimple_call_num_args (stmt) == 4);
449 tree ptr = gimple_call_arg (stmt, 1);
450 tree len = gimple_call_arg (stmt, 2);
451 basic_block bb = gimple_bb (stmt);
452 sanopt_info *info = (sanopt_info *) bb->aux;
454 if (TREE_CODE (len) != INTEGER_CST)
455 return false;
456 if (integer_zerop (len))
457 return false;
459 gimple_set_uid (stmt, info->freeing_call_events);
461 auto_vec<gimple> *ptr_checks = &ctx->asan_check_map.get_or_insert (ptr);
463 tree base_addr = maybe_get_single_definition (ptr);
464 auto_vec<gimple> *base_checks = NULL;
465 if (base_addr)
467 base_checks = &ctx->asan_check_map.get_or_insert (base_addr);
468 /* Original pointer might have been invalidated. */
469 ptr_checks = ctx->asan_check_map.get (ptr);
472 gimple g = maybe_get_dominating_check (*ptr_checks);
473 gimple g2 = NULL;
475 if (base_checks)
476 /* Try with base address as well. */
477 g2 = maybe_get_dominating_check (*base_checks);
479 if (g == NULL && g2 == NULL)
481 /* For this PTR we don't have any ASAN_CHECK stmts recorded, so there's
482 nothing to optimize yet. */
483 ptr_checks->safe_push (stmt);
484 if (base_checks)
485 base_checks->safe_push (stmt);
486 return false;
489 bool remove = false;
491 if (ptr_checks)
492 remove = can_remove_asan_check (*ptr_checks, len, bb);
494 if (!remove && base_checks)
495 /* Try with base address as well. */
496 remove = can_remove_asan_check (*base_checks, len, bb);
498 if (!remove)
500 ptr_checks->safe_push (stmt);
501 if (base_checks)
502 base_checks->safe_push (stmt);
505 return remove;
508 /* Try to optimize away redundant UBSAN_NULL and ASAN_CHECK calls.
510 We walk blocks in the CFG via a depth first search of the dominator
511 tree; we push unique UBSAN_NULL or ASAN_CHECK statements into a vector
512 in the NULL_CHECK_MAP or ASAN_CHECK_MAP hash maps as we enter the
513 blocks. When leaving a block, we mark the block as visited; then
514 when checking the statements in the vector, we ignore statements that
515 are coming from already visited blocks, because these cannot dominate
516 anything anymore. CTX is a sanopt context. */
518 static void
519 sanopt_optimize_walker (basic_block bb, struct sanopt_ctx *ctx)
521 basic_block son;
522 gimple_stmt_iterator gsi;
523 sanopt_info *info = (sanopt_info *) bb->aux;
524 bool asan_check_optimize = (flag_sanitize & SANITIZE_ADDRESS) != 0;
526 for (gsi = gsi_start_bb (bb); !gsi_end_p (gsi);)
528 gimple stmt = gsi_stmt (gsi);
529 bool remove = false;
531 if (!is_gimple_call (stmt))
533 /* Handle asm volatile or asm with "memory" clobber
534 the same as potentionally freeing call. */
535 gasm *asm_stmt = dyn_cast <gasm *> (stmt);
536 if (asm_stmt
537 && asan_check_optimize
538 && (gimple_asm_clobbers_memory_p (asm_stmt)
539 || gimple_asm_volatile_p (asm_stmt)))
540 info->freeing_call_events++;
541 gsi_next (&gsi);
542 continue;
545 if (asan_check_optimize && !nonfreeing_call_p (stmt))
546 info->freeing_call_events++;
548 if (gimple_call_internal_p (stmt))
549 switch (gimple_call_internal_fn (stmt))
551 case IFN_UBSAN_NULL:
552 remove = maybe_optimize_ubsan_null_ifn (ctx, stmt);
553 break;
554 case IFN_UBSAN_VPTR:
555 remove = maybe_optimize_ubsan_vptr_ifn (ctx, stmt);
556 break;
557 case IFN_ASAN_CHECK:
558 if (asan_check_optimize)
559 remove = maybe_optimize_asan_check_ifn (ctx, stmt);
560 if (!remove)
561 ctx->asan_num_accesses++;
562 break;
563 default:
564 break;
567 if (remove)
569 /* Drop this check. */
570 if (dump_file && (dump_flags & TDF_DETAILS))
572 fprintf (dump_file, "Optimizing out\n ");
573 print_gimple_stmt (dump_file, stmt, 0, dump_flags);
574 fprintf (dump_file, "\n");
576 unlink_stmt_vdef (stmt);
577 gsi_remove (&gsi, true);
579 else
580 gsi_next (&gsi);
583 if (asan_check_optimize)
585 info->has_freeing_call_p = info->freeing_call_events != 0;
586 info->has_freeing_call_computed_p = true;
589 for (son = first_dom_son (CDI_DOMINATORS, bb);
590 son;
591 son = next_dom_son (CDI_DOMINATORS, son))
592 sanopt_optimize_walker (son, ctx);
594 /* We're leaving this BB, so mark it to that effect. */
595 info->visited_p = true;
598 /* Try to remove redundant sanitizer checks in function FUN. */
600 static int
601 sanopt_optimize (function *fun)
603 struct sanopt_ctx ctx;
604 ctx.asan_num_accesses = 0;
606 /* Set up block info for each basic block. */
607 alloc_aux_for_blocks (sizeof (sanopt_info));
609 /* We're going to do a dominator walk, so ensure that we have
610 dominance information. */
611 calculate_dominance_info (CDI_DOMINATORS);
613 /* Recursively walk the dominator tree optimizing away
614 redundant checks. */
615 sanopt_optimize_walker (ENTRY_BLOCK_PTR_FOR_FN (fun), &ctx);
617 free_aux_for_blocks ();
619 return ctx.asan_num_accesses;
622 /* Perform optimization of sanitize functions. */
624 namespace {
626 const pass_data pass_data_sanopt =
628 GIMPLE_PASS, /* type */
629 "sanopt", /* name */
630 OPTGROUP_NONE, /* optinfo_flags */
631 TV_NONE, /* tv_id */
632 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
633 0, /* properties_provided */
634 0, /* properties_destroyed */
635 0, /* todo_flags_start */
636 TODO_update_ssa, /* todo_flags_finish */
639 class pass_sanopt : public gimple_opt_pass
641 public:
642 pass_sanopt (gcc::context *ctxt)
643 : gimple_opt_pass (pass_data_sanopt, ctxt)
646 /* opt_pass methods: */
647 virtual bool gate (function *) { return flag_sanitize; }
648 virtual unsigned int execute (function *);
650 }; // class pass_sanopt
652 unsigned int
653 pass_sanopt::execute (function *fun)
655 basic_block bb;
656 int asan_num_accesses = 0;
658 /* Try to remove redundant checks. */
659 if (optimize
660 && (flag_sanitize
661 & (SANITIZE_NULL | SANITIZE_ALIGNMENT
662 | SANITIZE_ADDRESS | SANITIZE_VPTR)))
663 asan_num_accesses = sanopt_optimize (fun);
664 else if (flag_sanitize & SANITIZE_ADDRESS)
666 gimple_stmt_iterator gsi;
667 FOR_EACH_BB_FN (bb, fun)
668 for (gsi = gsi_start_bb (bb); !gsi_end_p (gsi); gsi_next (&gsi))
670 gimple stmt = gsi_stmt (gsi);
671 if (is_gimple_call (stmt) && gimple_call_internal_p (stmt)
672 && gimple_call_internal_fn (stmt) == IFN_ASAN_CHECK)
673 ++asan_num_accesses;
677 bool use_calls = ASAN_INSTRUMENTATION_WITH_CALL_THRESHOLD < INT_MAX
678 && asan_num_accesses >= ASAN_INSTRUMENTATION_WITH_CALL_THRESHOLD;
680 FOR_EACH_BB_FN (bb, fun)
682 gimple_stmt_iterator gsi;
683 for (gsi = gsi_start_bb (bb); !gsi_end_p (gsi); )
685 gimple stmt = gsi_stmt (gsi);
686 bool no_next = false;
688 if (!is_gimple_call (stmt))
690 gsi_next (&gsi);
691 continue;
694 if (gimple_call_internal_p (stmt))
696 enum internal_fn ifn = gimple_call_internal_fn (stmt);
697 switch (ifn)
699 case IFN_UBSAN_NULL:
700 no_next = ubsan_expand_null_ifn (&gsi);
701 break;
702 case IFN_UBSAN_BOUNDS:
703 no_next = ubsan_expand_bounds_ifn (&gsi);
704 break;
705 case IFN_UBSAN_OBJECT_SIZE:
706 no_next = ubsan_expand_objsize_ifn (&gsi);
707 break;
708 case IFN_UBSAN_VPTR:
709 no_next = ubsan_expand_vptr_ifn (&gsi);
710 break;
711 case IFN_ASAN_CHECK:
712 no_next = asan_expand_check_ifn (&gsi, use_calls);
713 break;
714 default:
715 break;
718 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
720 tree callee = gimple_call_fndecl (stmt);
721 switch (DECL_FUNCTION_CODE (callee))
723 case BUILT_IN_UNREACHABLE:
724 if (flag_sanitize & SANITIZE_UNREACHABLE
725 && !lookup_attribute ("no_sanitize_undefined",
726 DECL_ATTRIBUTES (fun->decl)))
727 no_next = ubsan_instrument_unreachable (&gsi);
728 break;
729 default:
730 break;
734 if (dump_file && (dump_flags & TDF_DETAILS))
736 fprintf (dump_file, "Expanded\n ");
737 print_gimple_stmt (dump_file, stmt, 0, dump_flags);
738 fprintf (dump_file, "\n");
741 if (!no_next)
742 gsi_next (&gsi);
745 return 0;
748 } // anon namespace
750 gimple_opt_pass *
751 make_pass_sanopt (gcc::context *ctxt)
753 return new pass_sanopt (ctxt);