search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[doc] Correct optimisation levels documentation for -fstore-merging
[official-gcc.git] / gcc / asan.c
blob9098121be8bcaaa197ce778d227ca646c09568b1
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2017 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
11
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "backend.h"
26 #include "target.h"
27 #include "rtl.h"
28 #include "tree.h"
29 #include "gimple.h"
30 #include "cfghooks.h"
31 #include "alloc-pool.h"
32 #include "tree-pass.h"
33 #include "memmodel.h"
34 #include "tm_p.h"
35 #include "ssa.h"
36 #include "stringpool.h"
37 #include "tree-ssanames.h"
38 #include "optabs.h"
39 #include "emit-rtl.h"
40 #include "cgraph.h"
41 #include "gimple-pretty-print.h"
42 #include "alias.h"
43 #include "fold-const.h"
44 #include "cfganal.h"
45 #include "gimplify.h"
46 #include "gimple-iterator.h"
47 #include "varasm.h"
48 #include "stor-layout.h"
49 #include "tree-iterator.h"
50 #include "asan.h"
51 #include "dojump.h"
52 #include "explow.h"
53 #include "expr.h"
54 #include "output.h"
55 #include "langhooks.h"
56 #include "cfgloop.h"
57 #include "gimple-builder.h"
58 #include "ubsan.h"
59 #include "params.h"
60 #include "builtins.h"
61 #include "fnmatch.h"
62 #include "tree-inline.h"
63
64 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
65 with <2x slowdown on average.
66
67 The tool consists of two parts:
68 instrumentation module (this file) and a run-time library.
69 The instrumentation module adds a run-time check before every memory insn.
70 For a 8- or 16- byte load accessing address X:
71 ShadowAddr = (X >> 3) + Offset
72 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
73 if (ShadowValue)
74 __asan_report_load8(X);
75 For a load of N bytes (N=1, 2 or 4) from address X:
76 ShadowAddr = (X >> 3) + Offset
77 ShadowValue = *(char*)ShadowAddr;
78 if (ShadowValue)
79 if ((X & 7) + N - 1 > ShadowValue)
80 __asan_report_loadN(X);
81 Stores are instrumented similarly, but using __asan_report_storeN functions.
82 A call too __asan_init_vN() is inserted to the list of module CTORs.
83 N is the version number of the AddressSanitizer API. The changes between the
84 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
85
86 The run-time library redefines malloc (so that redzone are inserted around
87 the allocated memory) and free (so that reuse of free-ed memory is delayed),
88 provides __asan_report* and __asan_init_vN functions.
89
90 Read more:
91 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
92
93 The current implementation supports detection of out-of-bounds and
94 use-after-free in the heap, on the stack and for global variables.
95
96 [Protection of stack variables]
97
98 To understand how detection of out-of-bounds and use-after-free works
99 for stack variables, lets look at this example on x86_64 where the
100 stack grows downward:
101
102 int
103 foo ()
104 {
105 char a[23] = {0};
106 int b[2] = {0};
107
108 a[5] = 1;
109 b[1] = 2;
110
111 return a[5] + b[1];
112 }
113
114 For this function, the stack protected by asan will be organized as
115 follows, from the top of the stack to the bottom:
116
117 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
118
119 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
120 the next slot be 32 bytes aligned; this one is called Partial
121 Redzone; this 32 bytes alignment is an asan constraint]
122
123 Slot 3/ [24 bytes for variable 'a']
124
125 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
126
127 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
128
129 Slot 6/ [8 bytes for variable 'b']
130
131 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
132 'LEFT RedZone']
133
134 The 32 bytes of LEFT red zone at the bottom of the stack can be
135 decomposed as such:
136
137 1/ The first 8 bytes contain a magical asan number that is always
138 0x41B58AB3.
139
140 2/ The following 8 bytes contains a pointer to a string (to be
141 parsed at runtime by the runtime asan library), which format is
142 the following:
143
144 "<function-name> <space> <num-of-variables-on-the-stack>
145 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
146 <length-of-var-in-bytes> ){n} "
147
148 where '(...){n}' means the content inside the parenthesis occurs 'n'
149 times, with 'n' being the number of variables on the stack.
150
151 3/ The following 8 bytes contain the PC of the current function which
152 will be used by the run-time library to print an error message.
153
154 4/ The following 8 bytes are reserved for internal use by the run-time.
155
156 The shadow memory for that stack layout is going to look like this:
157
158 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
159 The F1 byte pattern is a magic number called
160 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
161 the memory for that shadow byte is part of a the LEFT red zone
162 intended to seat at the bottom of the variables on the stack.
163
164 - content of shadow memory 8 bytes for slots 6 and 5:
165 0xF4F4F400. The F4 byte pattern is a magic number
166 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
167 memory region for this shadow byte is a PARTIAL red zone
168 intended to pad a variable A, so that the slot following
169 {A,padding} is 32 bytes aligned.
170
171 Note that the fact that the least significant byte of this
172 shadow memory content is 00 means that 8 bytes of its
173 corresponding memory (which corresponds to the memory of
174 variable 'b') is addressable.
175
176 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
177 The F2 byte pattern is a magic number called
178 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
179 region for this shadow byte is a MIDDLE red zone intended to
180 seat between two 32 aligned slots of {variable,padding}.
181
182 - content of shadow memory 8 bytes for slot 3 and 2:
183 0xF4000000. This represents is the concatenation of
184 variable 'a' and the partial red zone following it, like what we
185 had for variable 'b'. The least significant 3 bytes being 00
186 means that the 3 bytes of variable 'a' are addressable.
187
188 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
189 The F3 byte pattern is a magic number called
190 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
191 region for this shadow byte is a RIGHT red zone intended to seat
192 at the top of the variables of the stack.
193
194 Note that the real variable layout is done in expand_used_vars in
195 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
196 stack variables as well as the different red zones, emits some
197 prologue code to populate the shadow memory as to poison (mark as
198 non-accessible) the regions of the red zones and mark the regions of
199 stack variables as accessible, and emit some epilogue code to
200 un-poison (mark as accessible) the regions of red zones right before
201 the function exits.
202
203 [Protection of global variables]
204
205 The basic idea is to insert a red zone between two global variables
206 and install a constructor function that calls the asan runtime to do
207 the populating of the relevant shadow memory regions at load time.
208
209 So the global variables are laid out as to insert a red zone between
210 them. The size of the red zones is so that each variable starts on a
211 32 bytes boundary.
212
213 Then a constructor function is installed so that, for each global
214 variable, it calls the runtime asan library function
215 __asan_register_globals_with an instance of this type:
216
217 struct __asan_global
218 {
219 // Address of the beginning of the global variable.
220 const void *__beg;
221
222 // Initial size of the global variable.
223 uptr __size;
224
225 // Size of the global variable + size of the red zone. This
226 // size is 32 bytes aligned.
227 uptr __size_with_redzone;
228
229 // Name of the global variable.
230 const void *__name;
231
232 // Name of the module where the global variable is declared.
233 const void *__module_name;
234
235 // 1 if it has dynamic initialization, 0 otherwise.
236 uptr __has_dynamic_init;
237
238 // A pointer to struct that contains source location, could be NULL.
239 __asan_global_source_location *__location;
240 }
241
242 A destructor function that calls the runtime asan library function
243 _asan_unregister_globals is also installed. */
244
245 static unsigned HOST_WIDE_INT asan_shadow_offset_value;
246 static bool asan_shadow_offset_computed;
247 static vec<char *> sanitized_sections;
248
249 /* Set of variable declarations that are going to be guarded by
250 use-after-scope sanitizer. */
251
252 static hash_set<tree> *asan_handled_variables = NULL;
253
254 hash_set <tree> *asan_used_labels = NULL;
255
256 /* Sets shadow offset to value in string VAL. */
257
258 bool
259 set_asan_shadow_offset (const char *val)
260 {
261 char *endp;
262
263 errno = 0;
264 #ifdef HAVE_LONG_LONG
265 asan_shadow_offset_value = strtoull (val, &endp, 0);
266 #else
267 asan_shadow_offset_value = strtoul (val, &endp, 0);
268 #endif
269 if (!(*val != '\0' && *endp == '\0' && errno == 0))
270 return false;
271
272 asan_shadow_offset_computed = true;
273
274 return true;
275 }
276
277 /* Set list of user-defined sections that need to be sanitized. */
278
279 void
280 set_sanitized_sections (const char *sections)
281 {
282 char *pat;
283 unsigned i;
284 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
285 free (pat);
286 sanitized_sections.truncate (0);
287
288 for (const char *s = sections; *s; )
289 {
290 const char *end;
291 for (end = s; *end && *end != ','; ++end);
292 size_t len = end - s;
293 sanitized_sections.safe_push (xstrndup (s, len));
294 s = *end ? end + 1 : end;
295 }
296 }
297
298 bool
299 asan_mark_p (gimple *stmt, enum asan_mark_flags flag)
300 {
301 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
302 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag);
303 }
304
305 bool
306 asan_sanitize_stack_p (void)
307 {
308 return ((flag_sanitize & SANITIZE_ADDRESS)
309 && ASAN_STACK
310 && !asan_no_sanitize_address_p ());
311 }
312
313 /* Checks whether section SEC should be sanitized. */
314
315 static bool
316 section_sanitized_p (const char *sec)
317 {
318 char *pat;
319 unsigned i;
320 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
321 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
322 return true;
323 return false;
324 }
325
326 /* Returns Asan shadow offset. */
327
328 static unsigned HOST_WIDE_INT
329 asan_shadow_offset ()
330 {
331 if (!asan_shadow_offset_computed)
332 {
333 asan_shadow_offset_computed = true;
334 asan_shadow_offset_value = targetm.asan_shadow_offset ();
335 }
336 return asan_shadow_offset_value;
337 }
338
339 alias_set_type asan_shadow_set = -1;
340
341 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
342 alias set is used for all shadow memory accesses. */
343 static GTY(()) tree shadow_ptr_types[3];
344
345 /* Decl for __asan_option_detect_stack_use_after_return. */
346 static GTY(()) tree asan_detect_stack_use_after_return;
347
348 /* Hashtable support for memory references used by gimple
349 statements. */
350
351 /* This type represents a reference to a memory region. */
352 struct asan_mem_ref
353 {
354 /* The expression of the beginning of the memory region. */
355 tree start;
356
357 /* The size of the access. */
358 HOST_WIDE_INT access_size;
359 };
360
361 object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
362
363 /* Initializes an instance of asan_mem_ref. */
364
365 static void
366 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
367 {
368 ref->start = start;
369 ref->access_size = access_size;
370 }
371
372 /* Allocates memory for an instance of asan_mem_ref into the memory
373 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
374 START is the address of (or the expression pointing to) the
375 beginning of memory reference. ACCESS_SIZE is the size of the
376 access to the referenced memory. */
377
378 static asan_mem_ref*
379 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
380 {
381 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
382
383 asan_mem_ref_init (ref, start, access_size);
384 return ref;
385 }
386
387 /* This builds and returns a pointer to the end of the memory region
388 that starts at START and of length LEN. */
389
390 tree
391 asan_mem_ref_get_end (tree start, tree len)
392 {
393 if (len == NULL_TREE || integer_zerop (len))
394 return start;
395
396 if (!ptrofftype_p (len))
397 len = convert_to_ptrofftype (len);
398
399 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
400 }
401
402 /* Return a tree expression that represents the end of the referenced
403 memory region. Beware that this function can actually build a new
404 tree expression. */
405
406 tree
407 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
408 {
409 return asan_mem_ref_get_end (ref->start, len);
410 }
411
412 struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
413 {
414 static inline hashval_t hash (const asan_mem_ref *);
415 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
416 };
417
418 /* Hash a memory reference. */
419
420 inline hashval_t
421 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
422 {
423 return iterative_hash_expr (mem_ref->start, 0);
424 }
425
426 /* Compare two memory references. We accept the length of either
427 memory references to be NULL_TREE. */
428
429 inline bool
430 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
431 const asan_mem_ref *m2)
432 {
433 return operand_equal_p (m1->start, m2->start, 0);
434 }
435
436 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
437
438 /* Returns a reference to the hash table containing memory references.
439 This function ensures that the hash table is created. Note that
440 this hash table is updated by the function
441 update_mem_ref_hash_table. */
442
443 static hash_table<asan_mem_ref_hasher> *
444 get_mem_ref_hash_table ()
445 {
446 if (!asan_mem_ref_ht)
447 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
448
449 return asan_mem_ref_ht;
450 }
451
452 /* Clear all entries from the memory references hash table. */
453
454 static void
455 empty_mem_ref_hash_table ()
456 {
457 if (asan_mem_ref_ht)
458 asan_mem_ref_ht->empty ();
459 }
460
461 /* Free the memory references hash table. */
462
463 static void
464 free_mem_ref_resources ()
465 {
466 delete asan_mem_ref_ht;
467 asan_mem_ref_ht = NULL;
468
469 asan_mem_ref_pool.release ();
470 }
471
472 /* Return true iff the memory reference REF has been instrumented. */
473
474 static bool
475 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
476 {
477 asan_mem_ref r;
478 asan_mem_ref_init (&r, ref, access_size);
479
480 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
481 return saved_ref && saved_ref->access_size >= access_size;
482 }
483
484 /* Return true iff the memory reference REF has been instrumented. */
485
486 static bool
487 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
488 {
489 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
490 }
491
492 /* Return true iff access to memory region starting at REF and of
493 length LEN has been instrumented. */
494
495 static bool
496 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
497 {
498 HOST_WIDE_INT size_in_bytes
499 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
500
501 return size_in_bytes != -1
502 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
503 }
504
505 /* Set REF to the memory reference present in a gimple assignment
506 ASSIGNMENT. Return true upon successful completion, false
507 otherwise. */
508
509 static bool
510 get_mem_ref_of_assignment (const gassign *assignment,
511 asan_mem_ref *ref,
512 bool *ref_is_store)
513 {
514 gcc_assert (gimple_assign_single_p (assignment));
515
516 if (gimple_store_p (assignment)
517 && !gimple_clobber_p (assignment))
518 {
519 ref->start = gimple_assign_lhs (assignment);
520 *ref_is_store = true;
521 }
522 else if (gimple_assign_load_p (assignment))
523 {
524 ref->start = gimple_assign_rhs1 (assignment);
525 *ref_is_store = false;
526 }
527 else
528 return false;
529
530 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
531 return true;
532 }
533
534 /* Return the memory references contained in a gimple statement
535 representing a builtin call that has to do with memory access. */
536
537 static bool
538 get_mem_refs_of_builtin_call (const gcall *call,
539 asan_mem_ref *src0,
540 tree *src0_len,
541 bool *src0_is_store,
542 asan_mem_ref *src1,
543 tree *src1_len,
544 bool *src1_is_store,
545 asan_mem_ref *dst,
546 tree *dst_len,
547 bool *dst_is_store,
548 bool *dest_is_deref,
549 bool *intercepted_p)
550 {
551 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
552
553 tree callee = gimple_call_fndecl (call);
554 tree source0 = NULL_TREE, source1 = NULL_TREE,
555 dest = NULL_TREE, len = NULL_TREE;
556 bool is_store = true, got_reference_p = false;
557 HOST_WIDE_INT access_size = 1;
558
559 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
560
561 switch (DECL_FUNCTION_CODE (callee))
562 {
563 /* (s, s, n) style memops. */
564 case BUILT_IN_BCMP:
565 case BUILT_IN_MEMCMP:
566 source0 = gimple_call_arg (call, 0);
567 source1 = gimple_call_arg (call, 1);
568 len = gimple_call_arg (call, 2);
569 break;
570
571 /* (src, dest, n) style memops. */
572 case BUILT_IN_BCOPY:
573 source0 = gimple_call_arg (call, 0);
574 dest = gimple_call_arg (call, 1);
575 len = gimple_call_arg (call, 2);
576 break;
577
578 /* (dest, src, n) style memops. */
579 case BUILT_IN_MEMCPY:
580 case BUILT_IN_MEMCPY_CHK:
581 case BUILT_IN_MEMMOVE:
582 case BUILT_IN_MEMMOVE_CHK:
583 case BUILT_IN_MEMPCPY:
584 case BUILT_IN_MEMPCPY_CHK:
585 dest = gimple_call_arg (call, 0);
586 source0 = gimple_call_arg (call, 1);
587 len = gimple_call_arg (call, 2);
588 break;
589
590 /* (dest, n) style memops. */
591 case BUILT_IN_BZERO:
592 dest = gimple_call_arg (call, 0);
593 len = gimple_call_arg (call, 1);
594 break;
595
596 /* (dest, x, n) style memops*/
597 case BUILT_IN_MEMSET:
598 case BUILT_IN_MEMSET_CHK:
599 dest = gimple_call_arg (call, 0);
600 len = gimple_call_arg (call, 2);
601 break;
602
603 case BUILT_IN_STRLEN:
604 source0 = gimple_call_arg (call, 0);
605 len = gimple_call_lhs (call);
606 break ;
607
608 /* And now the __atomic* and __sync builtins.
609 These are handled differently from the classical memory memory
610 access builtins above. */
611
612 case BUILT_IN_ATOMIC_LOAD_1:
613 case BUILT_IN_ATOMIC_LOAD_2:
614 case BUILT_IN_ATOMIC_LOAD_4:
615 case BUILT_IN_ATOMIC_LOAD_8:
616 case BUILT_IN_ATOMIC_LOAD_16:
617 is_store = false;
618 /* fall through. */
619
620 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
621 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
622 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
623 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
624 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
625
626 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
627 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
628 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
629 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
630 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
631
632 case BUILT_IN_SYNC_FETCH_AND_OR_1:
633 case BUILT_IN_SYNC_FETCH_AND_OR_2:
634 case BUILT_IN_SYNC_FETCH_AND_OR_4:
635 case BUILT_IN_SYNC_FETCH_AND_OR_8:
636 case BUILT_IN_SYNC_FETCH_AND_OR_16:
637
638 case BUILT_IN_SYNC_FETCH_AND_AND_1:
639 case BUILT_IN_SYNC_FETCH_AND_AND_2:
640 case BUILT_IN_SYNC_FETCH_AND_AND_4:
641 case BUILT_IN_SYNC_FETCH_AND_AND_8:
642 case BUILT_IN_SYNC_FETCH_AND_AND_16:
643
644 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
645 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
646 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
647 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
648 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
649
650 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
651 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
652 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
653 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
654
655 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
656 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
657 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
658 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
659 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
660
661 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
662 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
663 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
664 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
665 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
666
667 case BUILT_IN_SYNC_OR_AND_FETCH_1:
668 case BUILT_IN_SYNC_OR_AND_FETCH_2:
669 case BUILT_IN_SYNC_OR_AND_FETCH_4:
670 case BUILT_IN_SYNC_OR_AND_FETCH_8:
671 case BUILT_IN_SYNC_OR_AND_FETCH_16:
672
673 case BUILT_IN_SYNC_AND_AND_FETCH_1:
674 case BUILT_IN_SYNC_AND_AND_FETCH_2:
675 case BUILT_IN_SYNC_AND_AND_FETCH_4:
676 case BUILT_IN_SYNC_AND_AND_FETCH_8:
677 case BUILT_IN_SYNC_AND_AND_FETCH_16:
678
679 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
680 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
681 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
682 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
683 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
684
685 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
686 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
687 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
688 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
689
690 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
691 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
692 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
693 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
694 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
695
696 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
697 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
698 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
699 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
700 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
701
702 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
703 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
704 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
705 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
706 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
707
708 case BUILT_IN_SYNC_LOCK_RELEASE_1:
709 case BUILT_IN_SYNC_LOCK_RELEASE_2:
710 case BUILT_IN_SYNC_LOCK_RELEASE_4:
711 case BUILT_IN_SYNC_LOCK_RELEASE_8:
712 case BUILT_IN_SYNC_LOCK_RELEASE_16:
713
714 case BUILT_IN_ATOMIC_EXCHANGE_1:
715 case BUILT_IN_ATOMIC_EXCHANGE_2:
716 case BUILT_IN_ATOMIC_EXCHANGE_4:
717 case BUILT_IN_ATOMIC_EXCHANGE_8:
718 case BUILT_IN_ATOMIC_EXCHANGE_16:
719
720 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
721 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
722 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
723 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
724 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
725
726 case BUILT_IN_ATOMIC_STORE_1:
727 case BUILT_IN_ATOMIC_STORE_2:
728 case BUILT_IN_ATOMIC_STORE_4:
729 case BUILT_IN_ATOMIC_STORE_8:
730 case BUILT_IN_ATOMIC_STORE_16:
731
732 case BUILT_IN_ATOMIC_ADD_FETCH_1:
733 case BUILT_IN_ATOMIC_ADD_FETCH_2:
734 case BUILT_IN_ATOMIC_ADD_FETCH_4:
735 case BUILT_IN_ATOMIC_ADD_FETCH_8:
736 case BUILT_IN_ATOMIC_ADD_FETCH_16:
737
738 case BUILT_IN_ATOMIC_SUB_FETCH_1:
739 case BUILT_IN_ATOMIC_SUB_FETCH_2:
740 case BUILT_IN_ATOMIC_SUB_FETCH_4:
741 case BUILT_IN_ATOMIC_SUB_FETCH_8:
742 case BUILT_IN_ATOMIC_SUB_FETCH_16:
743
744 case BUILT_IN_ATOMIC_AND_FETCH_1:
745 case BUILT_IN_ATOMIC_AND_FETCH_2:
746 case BUILT_IN_ATOMIC_AND_FETCH_4:
747 case BUILT_IN_ATOMIC_AND_FETCH_8:
748 case BUILT_IN_ATOMIC_AND_FETCH_16:
749
750 case BUILT_IN_ATOMIC_NAND_FETCH_1:
751 case BUILT_IN_ATOMIC_NAND_FETCH_2:
752 case BUILT_IN_ATOMIC_NAND_FETCH_4:
753 case BUILT_IN_ATOMIC_NAND_FETCH_8:
754 case BUILT_IN_ATOMIC_NAND_FETCH_16:
755
756 case BUILT_IN_ATOMIC_XOR_FETCH_1:
757 case BUILT_IN_ATOMIC_XOR_FETCH_2:
758 case BUILT_IN_ATOMIC_XOR_FETCH_4:
759 case BUILT_IN_ATOMIC_XOR_FETCH_8:
760 case BUILT_IN_ATOMIC_XOR_FETCH_16:
761
762 case BUILT_IN_ATOMIC_OR_FETCH_1:
763 case BUILT_IN_ATOMIC_OR_FETCH_2:
764 case BUILT_IN_ATOMIC_OR_FETCH_4:
765 case BUILT_IN_ATOMIC_OR_FETCH_8:
766 case BUILT_IN_ATOMIC_OR_FETCH_16:
767
768 case BUILT_IN_ATOMIC_FETCH_ADD_1:
769 case BUILT_IN_ATOMIC_FETCH_ADD_2:
770 case BUILT_IN_ATOMIC_FETCH_ADD_4:
771 case BUILT_IN_ATOMIC_FETCH_ADD_8:
772 case BUILT_IN_ATOMIC_FETCH_ADD_16:
773
774 case BUILT_IN_ATOMIC_FETCH_SUB_1:
775 case BUILT_IN_ATOMIC_FETCH_SUB_2:
776 case BUILT_IN_ATOMIC_FETCH_SUB_4:
777 case BUILT_IN_ATOMIC_FETCH_SUB_8:
778 case BUILT_IN_ATOMIC_FETCH_SUB_16:
779
780 case BUILT_IN_ATOMIC_FETCH_AND_1:
781 case BUILT_IN_ATOMIC_FETCH_AND_2:
782 case BUILT_IN_ATOMIC_FETCH_AND_4:
783 case BUILT_IN_ATOMIC_FETCH_AND_8:
784 case BUILT_IN_ATOMIC_FETCH_AND_16:
785
786 case BUILT_IN_ATOMIC_FETCH_NAND_1:
787 case BUILT_IN_ATOMIC_FETCH_NAND_2:
788 case BUILT_IN_ATOMIC_FETCH_NAND_4:
789 case BUILT_IN_ATOMIC_FETCH_NAND_8:
790 case BUILT_IN_ATOMIC_FETCH_NAND_16:
791
792 case BUILT_IN_ATOMIC_FETCH_XOR_1:
793 case BUILT_IN_ATOMIC_FETCH_XOR_2:
794 case BUILT_IN_ATOMIC_FETCH_XOR_4:
795 case BUILT_IN_ATOMIC_FETCH_XOR_8:
796 case BUILT_IN_ATOMIC_FETCH_XOR_16:
797
798 case BUILT_IN_ATOMIC_FETCH_OR_1:
799 case BUILT_IN_ATOMIC_FETCH_OR_2:
800 case BUILT_IN_ATOMIC_FETCH_OR_4:
801 case BUILT_IN_ATOMIC_FETCH_OR_8:
802 case BUILT_IN_ATOMIC_FETCH_OR_16:
803 {
804 dest = gimple_call_arg (call, 0);
805 /* DEST represents the address of a memory location.
806 instrument_derefs wants the memory location, so lets
807 dereference the address DEST before handing it to
808 instrument_derefs. */
809 if (TREE_CODE (dest) == ADDR_EXPR)
810 dest = TREE_OPERAND (dest, 0);
811 else if (TREE_CODE (dest) == SSA_NAME || TREE_CODE (dest) == INTEGER_CST)
812 dest = build2 (MEM_REF, TREE_TYPE (TREE_TYPE (dest)),
813 dest, build_int_cst (TREE_TYPE (dest), 0));
814 else
815 gcc_unreachable ();
816
817 access_size = int_size_in_bytes (TREE_TYPE (dest));
818 }
819
820 default:
821 /* The other builtins memory access are not instrumented in this
822 function because they either don't have any length parameter,
823 or their length parameter is just a limit. */
824 break;
825 }
826
827 if (len != NULL_TREE)
828 {
829 if (source0 != NULL_TREE)
830 {
831 src0->start = source0;
832 src0->access_size = access_size;
833 *src0_len = len;
834 *src0_is_store = false;
835 }
836
837 if (source1 != NULL_TREE)
838 {
839 src1->start = source1;
840 src1->access_size = access_size;
841 *src1_len = len;
842 *src1_is_store = false;
843 }
844
845 if (dest != NULL_TREE)
846 {
847 dst->start = dest;
848 dst->access_size = access_size;
849 *dst_len = len;
850 *dst_is_store = true;
851 }
852
853 got_reference_p = true;
854 }
855 else if (dest)
856 {
857 dst->start = dest;
858 dst->access_size = access_size;
859 *dst_len = NULL_TREE;
860 *dst_is_store = is_store;
861 *dest_is_deref = true;
862 got_reference_p = true;
863 }
864
865 return got_reference_p;
866 }
867
868 /* Return true iff a given gimple statement has been instrumented.
869 Note that the statement is "defined" by the memory references it
870 contains. */
871
872 static bool
873 has_stmt_been_instrumented_p (gimple *stmt)
874 {
875 if (gimple_assign_single_p (stmt))
876 {
877 bool r_is_store;
878 asan_mem_ref r;
879 asan_mem_ref_init (&r, NULL, 1);
880
881 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
882 &r_is_store))
883 return has_mem_ref_been_instrumented (&r);
884 }
885 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
886 {
887 asan_mem_ref src0, src1, dest;
888 asan_mem_ref_init (&src0, NULL, 1);
889 asan_mem_ref_init (&src1, NULL, 1);
890 asan_mem_ref_init (&dest, NULL, 1);
891
892 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
893 bool src0_is_store = false, src1_is_store = false,
894 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
895 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
896 &src0, &src0_len, &src0_is_store,
897 &src1, &src1_len, &src1_is_store,
898 &dest, &dest_len, &dest_is_store,
899 &dest_is_deref, &intercepted_p))
900 {
901 if (src0.start != NULL_TREE
902 && !has_mem_ref_been_instrumented (&src0, src0_len))
903 return false;
904
905 if (src1.start != NULL_TREE
906 && !has_mem_ref_been_instrumented (&src1, src1_len))
907 return false;
908
909 if (dest.start != NULL_TREE
910 && !has_mem_ref_been_instrumented (&dest, dest_len))
911 return false;
912
913 return true;
914 }
915 }
916 else if (is_gimple_call (stmt) && gimple_store_p (stmt))
917 {
918 asan_mem_ref r;
919 asan_mem_ref_init (&r, NULL, 1);
920
921 r.start = gimple_call_lhs (stmt);
922 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
923 return has_mem_ref_been_instrumented (&r);
924 }
925
926 return false;
927 }
928
929 /* Insert a memory reference into the hash table. */
930
931 static void
932 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
933 {
934 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
935
936 asan_mem_ref r;
937 asan_mem_ref_init (&r, ref, access_size);
938
939 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
940 if (*slot == NULL || (*slot)->access_size < access_size)
941 *slot = asan_mem_ref_new (ref, access_size);
942 }
943
944 /* Initialize shadow_ptr_types array. */
945
946 static void
947 asan_init_shadow_ptr_types (void)
948 {
949 asan_shadow_set = new_alias_set ();
950 tree types[3] = { signed_char_type_node, short_integer_type_node,
951 integer_type_node };
952
953 for (unsigned i = 0; i < 3; i++)
954 {
955 shadow_ptr_types[i] = build_distinct_type_copy (types[i]);
956 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set;
957 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]);
958 }
959
960 initialize_sanitizer_builtins ();
961 }
962
963 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
964
965 static tree
966 asan_pp_string (pretty_printer *pp)
967 {
968 const char *buf = pp_formatted_text (pp);
969 size_t len = strlen (buf);
970 tree ret = build_string (len + 1, buf);
971 TREE_TYPE (ret)
972 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
973 build_index_type (size_int (len)));
974 TREE_READONLY (ret) = 1;
975 TREE_STATIC (ret) = 1;
976 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
977 }
978
979 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
980
981 static rtx
982 asan_shadow_cst (unsigned char shadow_bytes[4])
983 {
984 int i;
985 unsigned HOST_WIDE_INT val = 0;
986 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
987 for (i = 0; i < 4; i++)
988 val |= (unsigned HOST_WIDE_INT) shadow_bytes[BYTES_BIG_ENDIAN ? 3 - i : i]
989 << (BITS_PER_UNIT * i);
990 return gen_int_mode (val, SImode);
991 }
992
993 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
994 though. */
995
996 static void
997 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
998 {
999 rtx_insn *insn, *insns, *jump;
1000 rtx_code_label *top_label;
1001 rtx end, addr, tmp;
1002
1003 start_sequence ();
1004 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
1005 insns = get_insns ();
1006 end_sequence ();
1007 for (insn = insns; insn; insn = NEXT_INSN (insn))
1008 if (CALL_P (insn))
1009 break;
1010 if (insn == NULL_RTX)
1011 {
1012 emit_insn (insns);
1013 return;
1014 }
1015
1016 gcc_assert ((len & 3) == 0);
1017 top_label = gen_label_rtx ();
1018 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
1019 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1020 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1021 emit_label (top_label);
1022
1023 emit_move_insn (shadow_mem, const0_rtx);
1024 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
1025 true, OPTAB_LIB_WIDEN);
1026 if (tmp != addr)
1027 emit_move_insn (addr, tmp);
1028 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1029 jump = get_last_insn ();
1030 gcc_assert (JUMP_P (jump));
1031 add_int_reg_note (jump, REG_BR_PROB, REG_BR_PROB_BASE * 80 / 100);
1032 }
1033
1034 void
1035 asan_function_start (void)
1036 {
1037 section *fnsec = function_section (current_function_decl);
1038 switch_to_section (fnsec);
1039 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
1040 current_function_funcdef_no);
1041 }
1042
1043 /* Return number of shadow bytes that are occupied by a local variable
1044 of SIZE bytes. */
1045
1046 static unsigned HOST_WIDE_INT
1047 shadow_mem_size (unsigned HOST_WIDE_INT size)
1048 {
1049 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY;
1050 }
1051
1052 /* Insert code to protect stack vars. The prologue sequence should be emitted
1053 directly, epilogue sequence returned. BASE is the register holding the
1054 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1055 array contains pairs of offsets in reverse order, always the end offset
1056 of some gap that needs protection followed by starting offset,
1057 and DECLS is an array of representative decls for each var partition.
1058 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1059 elements long (OFFSETS include gap before the first variable as well
1060 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1061 register which stack vars DECL_RTLs are based on. Either BASE should be
1062 assigned to PBASE, when not doing use after return protection, or
1063 corresponding address based on __asan_stack_malloc* return value. */
1064
1065 rtx_insn *
1066 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1067 HOST_WIDE_INT *offsets, tree *decls, int length)
1068 {
1069 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1070 rtx_code_label *lab;
1071 rtx_insn *insns;
1072 char buf[32];
1073 unsigned char shadow_bytes[4];
1074 HOST_WIDE_INT base_offset = offsets[length - 1];
1075 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1076 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
1077 HOST_WIDE_INT last_offset;
1078 int l;
1079 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
1080 tree str_cst, decl, id;
1081 int use_after_return_class = -1;
1082
1083 if (shadow_ptr_types[0] == NULL_TREE)
1084 asan_init_shadow_ptr_types ();
1085
1086 /* First of all, prepare the description string. */
1087 pretty_printer asan_pp;
1088
1089 pp_decimal_int (&asan_pp, length / 2 - 1);
1090 pp_space (&asan_pp);
1091 for (l = length - 2; l; l -= 2)
1092 {
1093 tree decl = decls[l / 2 - 1];
1094 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1095 pp_space (&asan_pp);
1096 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1097 pp_space (&asan_pp);
1098 if (DECL_P (decl) && DECL_NAME (decl))
1099 {
1100 pp_decimal_int (&asan_pp, IDENTIFIER_LENGTH (DECL_NAME (decl)));
1101 pp_space (&asan_pp);
1102 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
1103 }
1104 else
1105 pp_string (&asan_pp, "9 <unknown>");
1106 pp_space (&asan_pp);
1107 }
1108 str_cst = asan_pp_string (&asan_pp);
1109
1110 /* Emit the prologue sequence. */
1111 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1112 && ASAN_USE_AFTER_RETURN)
1113 {
1114 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1115 /* __asan_stack_malloc_N guarantees alignment
1116 N < 6 ? (64 << N) : 4096 bytes. */
1117 if (alignb > (use_after_return_class < 6
1118 ? (64U << use_after_return_class) : 4096U))
1119 use_after_return_class = -1;
1120 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1121 base_align_bias = ((asan_frame_size + alignb - 1)
1122 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1123 }
1124 /* Align base if target is STRICT_ALIGNMENT. */
1125 if (STRICT_ALIGNMENT)
1126 base = expand_binop (Pmode, and_optab, base,
1127 gen_int_mode (-((GET_MODE_ALIGNMENT (SImode)
1128 << ASAN_SHADOW_SHIFT)
1129 / BITS_PER_UNIT), Pmode), NULL_RTX,
1130 1, OPTAB_DIRECT);
1131
1132 if (use_after_return_class == -1 && pbase)
1133 emit_move_insn (pbase, base);
1134
1135 base = expand_binop (Pmode, add_optab, base,
1136 gen_int_mode (base_offset - base_align_bias, Pmode),
1137 NULL_RTX, 1, OPTAB_DIRECT);
1138 orig_base = NULL_RTX;
1139 if (use_after_return_class != -1)
1140 {
1141 if (asan_detect_stack_use_after_return == NULL_TREE)
1142 {
1143 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1144 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1145 integer_type_node);
1146 SET_DECL_ASSEMBLER_NAME (decl, id);
1147 TREE_ADDRESSABLE (decl) = 1;
1148 DECL_ARTIFICIAL (decl) = 1;
1149 DECL_IGNORED_P (decl) = 1;
1150 DECL_EXTERNAL (decl) = 1;
1151 TREE_STATIC (decl) = 1;
1152 TREE_PUBLIC (decl) = 1;
1153 TREE_USED (decl) = 1;
1154 asan_detect_stack_use_after_return = decl;
1155 }
1156 orig_base = gen_reg_rtx (Pmode);
1157 emit_move_insn (orig_base, base);
1158 ret = expand_normal (asan_detect_stack_use_after_return);
1159 lab = gen_label_rtx ();
1160 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1161 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1162 VOIDmode, 0, lab, very_likely);
1163 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1164 use_after_return_class);
1165 ret = init_one_libfunc (buf);
1166 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode, 1,
1167 GEN_INT (asan_frame_size
1168 + base_align_bias),
1169 TYPE_MODE (pointer_sized_int_node));
1170 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1171 and NULL otherwise. Check RET value is NULL here and jump over the
1172 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1173 int very_unlikely = REG_BR_PROB_BASE / 2000 - 1;
1174 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1175 VOIDmode, 0, lab, very_unlikely);
1176 ret = convert_memory_address (Pmode, ret);
1177 emit_move_insn (base, ret);
1178 emit_label (lab);
1179 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1180 gen_int_mode (base_align_bias
1181 - base_offset, Pmode),
1182 NULL_RTX, 1, OPTAB_DIRECT));
1183 }
1184 mem = gen_rtx_MEM (ptr_mode, base);
1185 mem = adjust_address (mem, VOIDmode, base_align_bias);
1186 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1187 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1188 emit_move_insn (mem, expand_normal (str_cst));
1189 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1190 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1191 id = get_identifier (buf);
1192 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1193 VAR_DECL, id, char_type_node);
1194 SET_DECL_ASSEMBLER_NAME (decl, id);
1195 TREE_ADDRESSABLE (decl) = 1;
1196 TREE_READONLY (decl) = 1;
1197 DECL_ARTIFICIAL (decl) = 1;
1198 DECL_IGNORED_P (decl) = 1;
1199 TREE_STATIC (decl) = 1;
1200 TREE_PUBLIC (decl) = 0;
1201 TREE_USED (decl) = 1;
1202 DECL_INITIAL (decl) = decl;
1203 TREE_ASM_WRITTEN (decl) = 1;
1204 TREE_ASM_WRITTEN (id) = 1;
1205 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
1206 shadow_base = expand_binop (Pmode, lshr_optab, base,
1207 GEN_INT (ASAN_SHADOW_SHIFT),
1208 NULL_RTX, 1, OPTAB_DIRECT);
1209 shadow_base
1210 = plus_constant (Pmode, shadow_base,
1211 asan_shadow_offset ()
1212 + (base_align_bias >> ASAN_SHADOW_SHIFT));
1213 gcc_assert (asan_shadow_set != -1
1214 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1215 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1216 set_mem_alias_set (shadow_mem, asan_shadow_set);
1217 if (STRICT_ALIGNMENT)
1218 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1219 prev_offset = base_offset;
1220 for (l = length; l; l -= 2)
1221 {
1222 if (l == 2)
1223 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1224 offset = offsets[l - 1];
1225 if ((offset - base_offset) & (ASAN_RED_ZONE_SIZE - 1))
1226 {
1227 int i;
1228 HOST_WIDE_INT aoff
1229 = base_offset + ((offset - base_offset)
1230 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1231 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1232 (aoff - prev_offset)
1233 >> ASAN_SHADOW_SHIFT);
1234 prev_offset = aoff;
1235 for (i = 0; i < 4; i++, aoff += ASAN_SHADOW_GRANULARITY)
1236 if (aoff < offset)
1237 {
1238 if (aoff < offset - (HOST_WIDE_INT)ASAN_SHADOW_GRANULARITY + 1)
1239 shadow_bytes[i] = 0;
1240 else
1241 shadow_bytes[i] = offset - aoff;
1242 }
1243 else
1244 shadow_bytes[i] = ASAN_STACK_MAGIC_MIDDLE;
1245 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1246 offset = aoff;
1247 }
1248 while (offset <= offsets[l - 2] - ASAN_RED_ZONE_SIZE)
1249 {
1250 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1251 (offset - prev_offset)
1252 >> ASAN_SHADOW_SHIFT);
1253 prev_offset = offset;
1254 memset (shadow_bytes, cur_shadow_byte, 4);
1255 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1256 offset += ASAN_RED_ZONE_SIZE;
1257 }
1258 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1259 }
1260 do_pending_stack_adjust ();
1261
1262 /* Construct epilogue sequence. */
1263 start_sequence ();
1264
1265 lab = NULL;
1266 if (use_after_return_class != -1)
1267 {
1268 rtx_code_label *lab2 = gen_label_rtx ();
1269 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
1270 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1271 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
1272 VOIDmode, 0, lab2, very_likely);
1273 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1274 set_mem_alias_set (shadow_mem, asan_shadow_set);
1275 mem = gen_rtx_MEM (ptr_mode, base);
1276 mem = adjust_address (mem, VOIDmode, base_align_bias);
1277 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
1278 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
1279 if (use_after_return_class < 5
1280 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
1281 BITS_PER_UNIT, true))
1282 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
1283 BITS_PER_UNIT, true, 0);
1284 else if (use_after_return_class >= 5
1285 || !set_storage_via_setmem (shadow_mem,
1286 GEN_INT (sz),
1287 gen_int_mode (c, QImode),
1288 BITS_PER_UNIT, BITS_PER_UNIT,
1289 -1, sz, sz, sz))
1290 {
1291 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
1292 use_after_return_class);
1293 ret = init_one_libfunc (buf);
1294 rtx addr = convert_memory_address (ptr_mode, base);
1295 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
1296 emit_library_call (ret, LCT_NORMAL, ptr_mode, 3, addr, ptr_mode,
1297 GEN_INT (asan_frame_size + base_align_bias),
1298 TYPE_MODE (pointer_sized_int_node),
1299 orig_addr, ptr_mode);
1300 }
1301 lab = gen_label_rtx ();
1302 emit_jump (lab);
1303 emit_label (lab2);
1304 }
1305
1306 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1307 set_mem_alias_set (shadow_mem, asan_shadow_set);
1308
1309 if (STRICT_ALIGNMENT)
1310 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1311
1312 /* Unpoison shadow memory of a stack at the very end of a function.
1313 As we're poisoning stack variables at the end of their scope,
1314 shadow memory must be properly unpoisoned here. The easiest approach
1315 would be to collect all variables that should not be unpoisoned and
1316 we unpoison shadow memory of the whole stack except ranges
1317 occupied by these variables. */
1318 last_offset = base_offset;
1319 HOST_WIDE_INT current_offset = last_offset;
1320 if (length)
1321 {
1322 HOST_WIDE_INT var_end_offset = 0;
1323 HOST_WIDE_INT stack_start = offsets[length - 1];
1324 gcc_assert (last_offset == stack_start);
1325
1326 for (int l = length - 2; l > 0; l -= 2)
1327 {
1328 HOST_WIDE_INT var_offset = offsets[l];
1329 current_offset = var_offset;
1330 var_end_offset = offsets[l - 1];
1331 HOST_WIDE_INT rounded_size = ROUND_UP (var_end_offset - var_offset,
1332 BITS_PER_UNIT);
1333
1334 /* Should we unpoison the variable? */
1335 if (asan_handled_variables != NULL
1336 && asan_handled_variables->contains (decl))
1337 {
1338 if (dump_file && (dump_flags & TDF_DETAILS))
1339 {
1340 const char *n = (DECL_NAME (decl)
1341 ? IDENTIFIER_POINTER (DECL_NAME (decl))
1342 : "<unknown>");
1343 fprintf (dump_file, "Unpoisoning shadow stack for variable: "
1344 "%s (%" PRId64 "B)\n", n,
1345 var_end_offset - var_offset);
1346 }
1347
1348 unsigned HOST_WIDE_INT s
1349 = shadow_mem_size (current_offset - last_offset);
1350 asan_clear_shadow (shadow_mem, s);
1351 HOST_WIDE_INT shift
1352 = shadow_mem_size (current_offset - last_offset + rounded_size);
1353 shadow_mem = adjust_address (shadow_mem, VOIDmode, shift);
1354 last_offset = var_offset + rounded_size;
1355 current_offset = last_offset;
1356 }
1357
1358 }
1359
1360 /* Handle last redzone. */
1361 current_offset = offsets[0];
1362 asan_clear_shadow (shadow_mem,
1363 shadow_mem_size (current_offset - last_offset));
1364 }
1365
1366 /* Clean-up set with instrumented stack variables. */
1367 delete asan_handled_variables;
1368 asan_handled_variables = NULL;
1369 delete asan_used_labels;
1370 asan_used_labels = NULL;
1371
1372 do_pending_stack_adjust ();
1373 if (lab)
1374 emit_label (lab);
1375
1376 insns = get_insns ();
1377 end_sequence ();
1378 return insns;
1379 }
1380
1381 /* Return true if DECL, a global var, might be overridden and needs
1382 therefore a local alias. */
1383
1384 static bool
1385 asan_needs_local_alias (tree decl)
1386 {
1387 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
1388 }
1389
1390 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
1391 therefore doesn't need protection. */
1392
1393 static bool
1394 is_odr_indicator (tree decl)
1395 {
1396 return (DECL_ARTIFICIAL (decl)
1397 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl)));
1398 }
1399
1400 /* Return true if DECL is a VAR_DECL that should be protected
1401 by Address Sanitizer, by appending a red zone with protected
1402 shadow memory after it and aligning it to at least
1403 ASAN_RED_ZONE_SIZE bytes. */
1404
1405 bool
1406 asan_protect_global (tree decl)
1407 {
1408 if (!ASAN_GLOBALS)
1409 return false;
1410
1411 rtx rtl, symbol;
1412
1413 if (TREE_CODE (decl) == STRING_CST)
1414 {
1415 /* Instrument all STRING_CSTs except those created
1416 by asan_pp_string here. */
1417 if (shadow_ptr_types[0] != NULL_TREE
1418 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
1419 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
1420 return false;
1421 return true;
1422 }
1423 if (!VAR_P (decl)
1424 /* TLS vars aren't statically protectable. */
1425 || DECL_THREAD_LOCAL_P (decl)
1426 /* Externs will be protected elsewhere. */
1427 || DECL_EXTERNAL (decl)
1428 || !DECL_RTL_SET_P (decl)
1429 /* Comdat vars pose an ABI problem, we can't know if
1430 the var that is selected by the linker will have
1431 padding or not. */
1432 || DECL_ONE_ONLY (decl)
1433 /* Similarly for common vars. People can use -fno-common.
1434 Note: Linux kernel is built with -fno-common, so we do instrument
1435 globals there even if it is C. */
1436 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
1437 /* Don't protect if using user section, often vars placed
1438 into user section from multiple TUs are then assumed
1439 to be an array of such vars, putting padding in there
1440 breaks this assumption. */
1441 || (DECL_SECTION_NAME (decl) != NULL
1442 && !symtab_node::get (decl)->implicit_section
1443 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
1444 || DECL_SIZE (decl) == 0
1445 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
1446 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
1447 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
1448 || TREE_TYPE (decl) == ubsan_get_source_location_type ()
1449 || is_odr_indicator (decl))
1450 return false;
1451
1452 rtl = DECL_RTL (decl);
1453 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
1454 return false;
1455 symbol = XEXP (rtl, 0);
1456
1457 if (CONSTANT_POOL_ADDRESS_P (symbol)
1458 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
1459 return false;
1460
1461 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
1462 return false;
1463
1464 #ifndef ASM_OUTPUT_DEF
1465 if (asan_needs_local_alias (decl))
1466 return false;
1467 #endif
1468
1469 return true;
1470 }
1471
1472 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
1473 IS_STORE is either 1 (for a store) or 0 (for a load). */
1474
1475 static tree
1476 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1477 int *nargs)
1478 {
1479 static enum built_in_function report[2][2][6]
1480 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
1481 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
1482 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
1483 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
1484 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
1485 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
1486 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
1487 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
1488 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
1489 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
1490 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
1491 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
1492 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
1493 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
1494 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
1495 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
1496 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
1497 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
1498 if (size_in_bytes == -1)
1499 {
1500 *nargs = 2;
1501 return builtin_decl_implicit (report[recover_p][is_store][5]);
1502 }
1503 *nargs = 1;
1504 int size_log2 = exact_log2 (size_in_bytes);
1505 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
1506 }
1507
1508 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
1509 IS_STORE is either 1 (for a store) or 0 (for a load). */
1510
1511 static tree
1512 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1513 int *nargs)
1514 {
1515 static enum built_in_function check[2][2][6]
1516 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
1517 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
1518 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
1519 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
1520 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
1521 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
1522 { { BUILT_IN_ASAN_LOAD1_NOABORT,
1523 BUILT_IN_ASAN_LOAD2_NOABORT,
1524 BUILT_IN_ASAN_LOAD4_NOABORT,
1525 BUILT_IN_ASAN_LOAD8_NOABORT,
1526 BUILT_IN_ASAN_LOAD16_NOABORT,
1527 BUILT_IN_ASAN_LOADN_NOABORT },
1528 { BUILT_IN_ASAN_STORE1_NOABORT,
1529 BUILT_IN_ASAN_STORE2_NOABORT,
1530 BUILT_IN_ASAN_STORE4_NOABORT,
1531 BUILT_IN_ASAN_STORE8_NOABORT,
1532 BUILT_IN_ASAN_STORE16_NOABORT,
1533 BUILT_IN_ASAN_STOREN_NOABORT } } };
1534 if (size_in_bytes == -1)
1535 {
1536 *nargs = 2;
1537 return builtin_decl_implicit (check[recover_p][is_store][5]);
1538 }
1539 *nargs = 1;
1540 int size_log2 = exact_log2 (size_in_bytes);
1541 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
1542 }
1543
1544 /* Split the current basic block and create a condition statement
1545 insertion point right before or after the statement pointed to by
1546 ITER. Return an iterator to the point at which the caller might
1547 safely insert the condition statement.
1548
1549 THEN_BLOCK must be set to the address of an uninitialized instance
1550 of basic_block. The function will then set *THEN_BLOCK to the
1551 'then block' of the condition statement to be inserted by the
1552 caller.
1553
1554 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1555 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1556
1557 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1558 block' of the condition statement to be inserted by the caller.
1559
1560 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1561 statements starting from *ITER, and *THEN_BLOCK is a new empty
1562 block.
1563
1564 *ITER is adjusted to point to always point to the first statement
1565 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1566 same as what ITER was pointing to prior to calling this function,
1567 if BEFORE_P is true; otherwise, it is its following statement. */
1568
1569 gimple_stmt_iterator
1570 create_cond_insert_point (gimple_stmt_iterator *iter,
1571 bool before_p,
1572 bool then_more_likely_p,
1573 bool create_then_fallthru_edge,
1574 basic_block *then_block,
1575 basic_block *fallthrough_block)
1576 {
1577 gimple_stmt_iterator gsi = *iter;
1578
1579 if (!gsi_end_p (gsi) && before_p)
1580 gsi_prev (&gsi);
1581
1582 basic_block cur_bb = gsi_bb (*iter);
1583
1584 edge e = split_block (cur_bb, gsi_stmt (gsi));
1585
1586 /* Get a hold on the 'condition block', the 'then block' and the
1587 'else block'. */
1588 basic_block cond_bb = e->src;
1589 basic_block fallthru_bb = e->dest;
1590 basic_block then_bb = create_empty_bb (cond_bb);
1591 if (current_loops)
1592 {
1593 add_bb_to_loop (then_bb, cond_bb->loop_father);
1594 loops_state_set (LOOPS_NEED_FIXUP);
1595 }
1596
1597 /* Set up the newly created 'then block'. */
1598 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1599 int fallthrough_probability
1600 = then_more_likely_p
1601 ? PROB_VERY_UNLIKELY
1602 : PROB_ALWAYS - PROB_VERY_UNLIKELY;
1603 e->probability = PROB_ALWAYS - fallthrough_probability;
1604 if (create_then_fallthru_edge)
1605 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1606
1607 /* Set up the fallthrough basic block. */
1608 e = find_edge (cond_bb, fallthru_bb);
1609 e->flags = EDGE_FALSE_VALUE;
1610 e->count = cond_bb->count;
1611 e->probability = fallthrough_probability;
1612
1613 /* Update dominance info for the newly created then_bb; note that
1614 fallthru_bb's dominance info has already been updated by
1615 split_bock. */
1616 if (dom_info_available_p (CDI_DOMINATORS))
1617 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1618
1619 *then_block = then_bb;
1620 *fallthrough_block = fallthru_bb;
1621 *iter = gsi_start_bb (fallthru_bb);
1622
1623 return gsi_last_bb (cond_bb);
1624 }
1625
1626 /* Insert an if condition followed by a 'then block' right before the
1627 statement pointed to by ITER. The fallthrough block -- which is the
1628 else block of the condition as well as the destination of the
1629 outcoming edge of the 'then block' -- starts with the statement
1630 pointed to by ITER.
1631
1632 COND is the condition of the if.
1633
1634 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1635 'then block' is higher than the probability of the edge to the
1636 fallthrough block.
1637
1638 Upon completion of the function, *THEN_BB is set to the newly
1639 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1640 fallthrough block.
1641
1642 *ITER is adjusted to still point to the same statement it was
1643 pointing to initially. */
1644
1645 static void
1646 insert_if_then_before_iter (gcond *cond,
1647 gimple_stmt_iterator *iter,
1648 bool then_more_likely_p,
1649 basic_block *then_bb,
1650 basic_block *fallthrough_bb)
1651 {
1652 gimple_stmt_iterator cond_insert_point =
1653 create_cond_insert_point (iter,
1654 /*before_p=*/true,
1655 then_more_likely_p,
1656 /*create_then_fallthru_edge=*/true,
1657 then_bb,
1658 fallthrough_bb);
1659 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
1660 }
1661
1662 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
1663 If RETURN_ADDRESS is set to true, return memory location instread
1664 of a value in the shadow memory. */
1665
1666 static tree
1667 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
1668 tree base_addr, tree shadow_ptr_type,
1669 bool return_address = false)
1670 {
1671 tree t, uintptr_type = TREE_TYPE (base_addr);
1672 tree shadow_type = TREE_TYPE (shadow_ptr_type);
1673 gimple *g;
1674
1675 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
1676 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
1677 base_addr, t);
1678 gimple_set_location (g, location);
1679 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1680
1681 t = build_int_cst (uintptr_type, asan_shadow_offset ());
1682 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
1683 gimple_assign_lhs (g), t);
1684 gimple_set_location (g, location);
1685 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1686
1687 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
1688 gimple_assign_lhs (g));
1689 gimple_set_location (g, location);
1690 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1691
1692 if (!return_address)
1693 {
1694 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
1695 build_int_cst (shadow_ptr_type, 0));
1696 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
1697 gimple_set_location (g, location);
1698 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1699 }
1700
1701 return gimple_assign_lhs (g);
1702 }
1703
1704 /* BASE can already be an SSA_NAME; in that case, do not create a
1705 new SSA_NAME for it. */
1706
1707 static tree
1708 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
1709 bool before_p)
1710 {
1711 if (TREE_CODE (base) == SSA_NAME)
1712 return base;
1713 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)),
1714 TREE_CODE (base), base);
1715 gimple_set_location (g, loc);
1716 if (before_p)
1717 gsi_insert_before (iter, g, GSI_SAME_STMT);
1718 else
1719 gsi_insert_after (iter, g, GSI_NEW_STMT);
1720 return gimple_assign_lhs (g);
1721 }
1722
1723 /* LEN can already have necessary size and precision;
1724 in that case, do not create a new variable. */
1725
1726 tree
1727 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
1728 bool before_p)
1729 {
1730 if (ptrofftype_p (len))
1731 return len;
1732 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
1733 NOP_EXPR, len);
1734 gimple_set_location (g, loc);
1735 if (before_p)
1736 gsi_insert_before (iter, g, GSI_SAME_STMT);
1737 else
1738 gsi_insert_after (iter, g, GSI_NEW_STMT);
1739 return gimple_assign_lhs (g);
1740 }
1741
1742 /* Instrument the memory access instruction BASE. Insert new
1743 statements before or after ITER.
1744
1745 Note that the memory access represented by BASE can be either an
1746 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1747 location. IS_STORE is TRUE for a store, FALSE for a load.
1748 BEFORE_P is TRUE for inserting the instrumentation code before
1749 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
1750 for a scalar memory access and FALSE for memory region access.
1751 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
1752 length. ALIGN tells alignment of accessed memory object.
1753
1754 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
1755 memory region have already been instrumented.
1756
1757 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1758 statement it was pointing to prior to calling this function,
1759 otherwise, it points to the statement logically following it. */
1760
1761 static void
1762 build_check_stmt (location_t loc, tree base, tree len,
1763 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
1764 bool is_non_zero_len, bool before_p, bool is_store,
1765 bool is_scalar_access, unsigned int align = 0)
1766 {
1767 gimple_stmt_iterator gsi = *iter;
1768 gimple *g;
1769
1770 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
1771
1772 gsi = *iter;
1773
1774 base = unshare_expr (base);
1775 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
1776
1777 if (len)
1778 {
1779 len = unshare_expr (len);
1780 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
1781 }
1782 else
1783 {
1784 gcc_assert (size_in_bytes != -1);
1785 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
1786 }
1787
1788 if (size_in_bytes > 1)
1789 {
1790 if ((size_in_bytes & (size_in_bytes - 1)) != 0
1791 || size_in_bytes > 16)
1792 is_scalar_access = false;
1793 else if (align && align < size_in_bytes * BITS_PER_UNIT)
1794 {
1795 /* On non-strict alignment targets, if
1796 16-byte access is just 8-byte aligned,
1797 this will result in misaligned shadow
1798 memory 2 byte load, but otherwise can
1799 be handled using one read. */
1800 if (size_in_bytes != 16
1801 || STRICT_ALIGNMENT
1802 || align < 8 * BITS_PER_UNIT)
1803 is_scalar_access = false;
1804 }
1805 }
1806
1807 HOST_WIDE_INT flags = 0;
1808 if (is_store)
1809 flags |= ASAN_CHECK_STORE;
1810 if (is_non_zero_len)
1811 flags |= ASAN_CHECK_NON_ZERO_LEN;
1812 if (is_scalar_access)
1813 flags |= ASAN_CHECK_SCALAR_ACCESS;
1814
1815 g = gimple_build_call_internal (IFN_ASAN_CHECK, 4,
1816 build_int_cst (integer_type_node, flags),
1817 base, len,
1818 build_int_cst (integer_type_node,
1819 align / BITS_PER_UNIT));
1820 gimple_set_location (g, loc);
1821 if (before_p)
1822 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
1823 else
1824 {
1825 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1826 gsi_next (&gsi);
1827 *iter = gsi;
1828 }
1829 }
1830
1831 /* If T represents a memory access, add instrumentation code before ITER.
1832 LOCATION is source code location.
1833 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
1834
1835 static void
1836 instrument_derefs (gimple_stmt_iterator *iter, tree t,
1837 location_t location, bool is_store)
1838 {
1839 if (is_store && !ASAN_INSTRUMENT_WRITES)
1840 return;
1841 if (!is_store && !ASAN_INSTRUMENT_READS)
1842 return;
1843
1844 tree type, base;
1845 HOST_WIDE_INT size_in_bytes;
1846 if (location == UNKNOWN_LOCATION)
1847 location = EXPR_LOCATION (t);
1848
1849 type = TREE_TYPE (t);
1850 switch (TREE_CODE (t))
1851 {
1852 case ARRAY_REF:
1853 case COMPONENT_REF:
1854 case INDIRECT_REF:
1855 case MEM_REF:
1856 case VAR_DECL:
1857 case BIT_FIELD_REF:
1858 break;
1859 /* FALLTHRU */
1860 default:
1861 return;
1862 }
1863
1864 size_in_bytes = int_size_in_bytes (type);
1865 if (size_in_bytes <= 0)
1866 return;
1867
1868 HOST_WIDE_INT bitsize, bitpos;
1869 tree offset;
1870 machine_mode mode;
1871 int unsignedp, reversep, volatilep = 0;
1872 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
1873 &unsignedp, &reversep, &volatilep);
1874
1875 if (TREE_CODE (t) == COMPONENT_REF
1876 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
1877 {
1878 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
1879 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
1880 TREE_OPERAND (t, 0), repr,
1881 NULL_TREE), location, is_store);
1882 return;
1883 }
1884
1885 if (bitpos % BITS_PER_UNIT
1886 || bitsize != size_in_bytes * BITS_PER_UNIT)
1887 return;
1888
1889 if (VAR_P (inner)
1890 && offset == NULL_TREE
1891 && bitpos >= 0
1892 && DECL_SIZE (inner)
1893 && tree_fits_shwi_p (DECL_SIZE (inner))
1894 && bitpos + bitsize <= tree_to_shwi (DECL_SIZE (inner)))
1895 {
1896 if (DECL_THREAD_LOCAL_P (inner))
1897 return;
1898 if (!ASAN_GLOBALS && is_global_var (inner))
1899 return;
1900 if (!TREE_STATIC (inner))
1901 {
1902 /* Automatic vars in the current function will be always
1903 accessible. */
1904 if (decl_function_context (inner) == current_function_decl
1905 && (!asan_sanitize_use_after_scope ()
1906 || !TREE_ADDRESSABLE (inner)))
1907 return;
1908 }
1909 /* Always instrument external vars, they might be dynamically
1910 initialized. */
1911 else if (!DECL_EXTERNAL (inner))
1912 {
1913 /* For static vars if they are known not to be dynamically
1914 initialized, they will be always accessible. */
1915 varpool_node *vnode = varpool_node::get (inner);
1916 if (vnode && !vnode->dynamically_initialized)
1917 return;
1918 }
1919 }
1920
1921 base = build_fold_addr_expr (t);
1922 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
1923 {
1924 unsigned int align = get_object_alignment (t);
1925 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
1926 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
1927 is_store, /*is_scalar_access*/true, align);
1928 update_mem_ref_hash_table (base, size_in_bytes);
1929 update_mem_ref_hash_table (t, size_in_bytes);
1930 }
1931
1932 }
1933
1934 /* Insert a memory reference into the hash table if access length
1935 can be determined in compile time. */
1936
1937 static void
1938 maybe_update_mem_ref_hash_table (tree base, tree len)
1939 {
1940 if (!POINTER_TYPE_P (TREE_TYPE (base))
1941 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
1942 return;
1943
1944 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
1945
1946 if (size_in_bytes != -1)
1947 update_mem_ref_hash_table (base, size_in_bytes);
1948 }
1949
1950 /* Instrument an access to a contiguous memory region that starts at
1951 the address pointed to by BASE, over a length of LEN (expressed in
1952 the sizeof (*BASE) bytes). ITER points to the instruction before
1953 which the instrumentation instructions must be inserted. LOCATION
1954 is the source location that the instrumentation instructions must
1955 have. If IS_STORE is true, then the memory access is a store;
1956 otherwise, it's a load. */
1957
1958 static void
1959 instrument_mem_region_access (tree base, tree len,
1960 gimple_stmt_iterator *iter,
1961 location_t location, bool is_store)
1962 {
1963 if (!POINTER_TYPE_P (TREE_TYPE (base))
1964 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
1965 || integer_zerop (len))
1966 return;
1967
1968 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
1969
1970 if ((size_in_bytes == -1)
1971 || !has_mem_ref_been_instrumented (base, size_in_bytes))
1972 {
1973 build_check_stmt (location, base, len, size_in_bytes, iter,
1974 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
1975 is_store, /*is_scalar_access*/false, /*align*/0);
1976 }
1977
1978 maybe_update_mem_ref_hash_table (base, len);
1979 *iter = gsi_for_stmt (gsi_stmt (*iter));
1980 }
1981
1982 /* Instrument the call to a built-in memory access function that is
1983 pointed to by the iterator ITER.
1984
1985 Upon completion, return TRUE iff *ITER has been advanced to the
1986 statement following the one it was originally pointing to. */
1987
1988 static bool
1989 instrument_builtin_call (gimple_stmt_iterator *iter)
1990 {
1991 if (!ASAN_MEMINTRIN)
1992 return false;
1993
1994 bool iter_advanced_p = false;
1995 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
1996
1997 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
1998
1999 location_t loc = gimple_location (call);
2000
2001 asan_mem_ref src0, src1, dest;
2002 asan_mem_ref_init (&src0, NULL, 1);
2003 asan_mem_ref_init (&src1, NULL, 1);
2004 asan_mem_ref_init (&dest, NULL, 1);
2005
2006 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
2007 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
2008 dest_is_deref = false, intercepted_p = true;
2009
2010 if (get_mem_refs_of_builtin_call (call,
2011 &src0, &src0_len, &src0_is_store,
2012 &src1, &src1_len, &src1_is_store,
2013 &dest, &dest_len, &dest_is_store,
2014 &dest_is_deref, &intercepted_p))
2015 {
2016 if (dest_is_deref)
2017 {
2018 instrument_derefs (iter, dest.start, loc, dest_is_store);
2019 gsi_next (iter);
2020 iter_advanced_p = true;
2021 }
2022 else if (!intercepted_p
2023 && (src0_len || src1_len || dest_len))
2024 {
2025 if (src0.start != NULL_TREE)
2026 instrument_mem_region_access (src0.start, src0_len,
2027 iter, loc, /*is_store=*/false);
2028 if (src1.start != NULL_TREE)
2029 instrument_mem_region_access (src1.start, src1_len,
2030 iter, loc, /*is_store=*/false);
2031 if (dest.start != NULL_TREE)
2032 instrument_mem_region_access (dest.start, dest_len,
2033 iter, loc, /*is_store=*/true);
2034
2035 *iter = gsi_for_stmt (call);
2036 gsi_next (iter);
2037 iter_advanced_p = true;
2038 }
2039 else
2040 {
2041 if (src0.start != NULL_TREE)
2042 maybe_update_mem_ref_hash_table (src0.start, src0_len);
2043 if (src1.start != NULL_TREE)
2044 maybe_update_mem_ref_hash_table (src1.start, src1_len);
2045 if (dest.start != NULL_TREE)
2046 maybe_update_mem_ref_hash_table (dest.start, dest_len);
2047 }
2048 }
2049 return iter_advanced_p;
2050 }
2051
2052 /* Instrument the assignment statement ITER if it is subject to
2053 instrumentation. Return TRUE iff instrumentation actually
2054 happened. In that case, the iterator ITER is advanced to the next
2055 logical expression following the one initially pointed to by ITER,
2056 and the relevant memory reference that which access has been
2057 instrumented is added to the memory references hash table. */
2058
2059 static bool
2060 maybe_instrument_assignment (gimple_stmt_iterator *iter)
2061 {
2062 gimple *s = gsi_stmt (*iter);
2063
2064 gcc_assert (gimple_assign_single_p (s));
2065
2066 tree ref_expr = NULL_TREE;
2067 bool is_store, is_instrumented = false;
2068
2069 if (gimple_store_p (s))
2070 {
2071 ref_expr = gimple_assign_lhs (s);
2072 is_store = true;
2073 instrument_derefs (iter, ref_expr,
2074 gimple_location (s),
2075 is_store);
2076 is_instrumented = true;
2077 }
2078
2079 if (gimple_assign_load_p (s))
2080 {
2081 ref_expr = gimple_assign_rhs1 (s);
2082 is_store = false;
2083 instrument_derefs (iter, ref_expr,
2084 gimple_location (s),
2085 is_store);
2086 is_instrumented = true;
2087 }
2088
2089 if (is_instrumented)
2090 gsi_next (iter);
2091
2092 return is_instrumented;
2093 }
2094
2095 /* Instrument the function call pointed to by the iterator ITER, if it
2096 is subject to instrumentation. At the moment, the only function
2097 calls that are instrumented are some built-in functions that access
2098 memory. Look at instrument_builtin_call to learn more.
2099
2100 Upon completion return TRUE iff *ITER was advanced to the statement
2101 following the one it was originally pointing to. */
2102
2103 static bool
2104 maybe_instrument_call (gimple_stmt_iterator *iter)
2105 {
2106 gimple *stmt = gsi_stmt (*iter);
2107 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2108
2109 if (is_builtin && instrument_builtin_call (iter))
2110 return true;
2111
2112 if (gimple_call_noreturn_p (stmt))
2113 {
2114 if (is_builtin)
2115 {
2116 tree callee = gimple_call_fndecl (stmt);
2117 switch (DECL_FUNCTION_CODE (callee))
2118 {
2119 case BUILT_IN_UNREACHABLE:
2120 case BUILT_IN_TRAP:
2121 /* Don't instrument these. */
2122 return false;
2123 default:
2124 break;
2125 }
2126 }
2127 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
2128 gimple *g = gimple_build_call (decl, 0);
2129 gimple_set_location (g, gimple_location (stmt));
2130 gsi_insert_before (iter, g, GSI_SAME_STMT);
2131 }
2132
2133 bool instrumented = false;
2134 if (gimple_store_p (stmt))
2135 {
2136 tree ref_expr = gimple_call_lhs (stmt);
2137 instrument_derefs (iter, ref_expr,
2138 gimple_location (stmt),
2139 /*is_store=*/true);
2140
2141 instrumented = true;
2142 }
2143
2144 /* Walk through gimple_call arguments and check them id needed. */
2145 unsigned args_num = gimple_call_num_args (stmt);
2146 for (unsigned i = 0; i < args_num; ++i)
2147 {
2148 tree arg = gimple_call_arg (stmt, i);
2149 /* If ARG is not a non-aggregate register variable, compiler in general
2150 creates temporary for it and pass it as argument to gimple call.
2151 But in some cases, e.g. when we pass by value a small structure that
2152 fits to register, compiler can avoid extra overhead by pulling out
2153 these temporaries. In this case, we should check the argument. */
2154 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
2155 {
2156 instrument_derefs (iter, arg,
2157 gimple_location (stmt),
2158 /*is_store=*/false);
2159 instrumented = true;
2160 }
2161 }
2162 if (instrumented)
2163 gsi_next (iter);
2164 return instrumented;
2165 }
2166
2167 /* Walk each instruction of all basic block and instrument those that
2168 represent memory references: loads, stores, or function calls.
2169 In a given basic block, this function avoids instrumenting memory
2170 references that have already been instrumented. */
2171
2172 static void
2173 transform_statements (void)
2174 {
2175 basic_block bb, last_bb = NULL;
2176 gimple_stmt_iterator i;
2177 int saved_last_basic_block = last_basic_block_for_fn (cfun);
2178
2179 FOR_EACH_BB_FN (bb, cfun)
2180 {
2181 basic_block prev_bb = bb;
2182
2183 if (bb->index >= saved_last_basic_block) continue;
2184
2185 /* Flush the mem ref hash table, if current bb doesn't have
2186 exactly one predecessor, or if that predecessor (skipping
2187 over asan created basic blocks) isn't the last processed
2188 basic block. Thus we effectively flush on extended basic
2189 block boundaries. */
2190 while (single_pred_p (prev_bb))
2191 {
2192 prev_bb = single_pred (prev_bb);
2193 if (prev_bb->index < saved_last_basic_block)
2194 break;
2195 }
2196 if (prev_bb != last_bb)
2197 empty_mem_ref_hash_table ();
2198 last_bb = bb;
2199
2200 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
2201 {
2202 gimple *s = gsi_stmt (i);
2203
2204 if (has_stmt_been_instrumented_p (s))
2205 gsi_next (&i);
2206 else if (gimple_assign_single_p (s)
2207 && !gimple_clobber_p (s)
2208 && maybe_instrument_assignment (&i))
2209 /* Nothing to do as maybe_instrument_assignment advanced
2210 the iterator I. */;
2211 else if (is_gimple_call (s) && maybe_instrument_call (&i))
2212 /* Nothing to do as maybe_instrument_call
2213 advanced the iterator I. */;
2214 else
2215 {
2216 /* No instrumentation happened.
2217
2218 If the current instruction is a function call that
2219 might free something, let's forget about the memory
2220 references that got instrumented. Otherwise we might
2221 miss some instrumentation opportunities. Do the same
2222 for a ASAN_MARK poisoning internal function. */
2223 if (is_gimple_call (s)
2224 && (!nonfreeing_call_p (s)
2225 || asan_mark_p (s, ASAN_MARK_POISON)))
2226 empty_mem_ref_hash_table ();
2227
2228 gsi_next (&i);
2229 }
2230 }
2231 }
2232 free_mem_ref_resources ();
2233 }
2234
2235 /* Build
2236 __asan_before_dynamic_init (module_name)
2237 or
2238 __asan_after_dynamic_init ()
2239 call. */
2240
2241 tree
2242 asan_dynamic_init_call (bool after_p)
2243 {
2244 if (shadow_ptr_types[0] == NULL_TREE)
2245 asan_init_shadow_ptr_types ();
2246
2247 tree fn = builtin_decl_implicit (after_p
2248 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
2249 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
2250 tree module_name_cst = NULL_TREE;
2251 if (!after_p)
2252 {
2253 pretty_printer module_name_pp;
2254 pp_string (&module_name_pp, main_input_filename);
2255
2256 module_name_cst = asan_pp_string (&module_name_pp);
2257 module_name_cst = fold_convert (const_ptr_type_node,
2258 module_name_cst);
2259 }
2260
2261 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
2262 }
2263
2264 /* Build
2265 struct __asan_global
2266 {
2267 const void *__beg;
2268 uptr __size;
2269 uptr __size_with_redzone;
2270 const void *__name;
2271 const void *__module_name;
2272 uptr __has_dynamic_init;
2273 __asan_global_source_location *__location;
2274 char *__odr_indicator;
2275 } type. */
2276
2277 static tree
2278 asan_global_struct (void)
2279 {
2280 static const char *field_names[]
2281 = { "__beg", "__size", "__size_with_redzone",
2282 "__name", "__module_name", "__has_dynamic_init", "__location",
2283 "__odr_indicator" };
2284 tree fields[ARRAY_SIZE (field_names)], ret;
2285 unsigned i;
2286
2287 ret = make_node (RECORD_TYPE);
2288 for (i = 0; i < ARRAY_SIZE (field_names); i++)
2289 {
2290 fields[i]
2291 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
2292 get_identifier (field_names[i]),
2293 (i == 0 || i == 3) ? const_ptr_type_node
2294 : pointer_sized_int_node);
2295 DECL_CONTEXT (fields[i]) = ret;
2296 if (i)
2297 DECL_CHAIN (fields[i - 1]) = fields[i];
2298 }
2299 tree type_decl = build_decl (input_location, TYPE_DECL,
2300 get_identifier ("__asan_global"), ret);
2301 DECL_IGNORED_P (type_decl) = 1;
2302 DECL_ARTIFICIAL (type_decl) = 1;
2303 TYPE_FIELDS (ret) = fields[0];
2304 TYPE_NAME (ret) = type_decl;
2305 TYPE_STUB_DECL (ret) = type_decl;
2306 layout_type (ret);
2307 return ret;
2308 }
2309
2310 /* Create and return odr indicator symbol for DECL.
2311 TYPE is __asan_global struct type as returned by asan_global_struct. */
2312
2313 static tree
2314 create_odr_indicator (tree decl, tree type)
2315 {
2316 char *name;
2317 tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2318 tree decl_name
2319 = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl)
2320 : DECL_NAME (decl));
2321 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
2322 if (decl_name == NULL_TREE)
2323 return build_int_cst (uptr, 0);
2324 size_t len = strlen (IDENTIFIER_POINTER (decl_name)) + sizeof ("__odr_asan_");
2325 name = XALLOCAVEC (char, len);
2326 snprintf (name, len, "__odr_asan_%s", IDENTIFIER_POINTER (decl_name));
2327 #ifndef NO_DOT_IN_LABEL
2328 name[sizeof ("__odr_asan") - 1] = '.';
2329 #elif !defined(NO_DOLLAR_IN_LABEL)
2330 name[sizeof ("__odr_asan") - 1] = '$';
2331 #endif
2332 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name),
2333 char_type_node);
2334 TREE_ADDRESSABLE (var) = 1;
2335 TREE_READONLY (var) = 0;
2336 TREE_THIS_VOLATILE (var) = 1;
2337 DECL_GIMPLE_REG_P (var) = 0;
2338 DECL_ARTIFICIAL (var) = 1;
2339 DECL_IGNORED_P (var) = 1;
2340 TREE_STATIC (var) = 1;
2341 TREE_PUBLIC (var) = 1;
2342 DECL_VISIBILITY (var) = DECL_VISIBILITY (decl);
2343 DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl);
2344
2345 TREE_USED (var) = 1;
2346 tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE,
2347 build_int_cst (unsigned_type_node, 0));
2348 TREE_CONSTANT (ctor) = 1;
2349 TREE_STATIC (ctor) = 1;
2350 DECL_INITIAL (var) = ctor;
2351 DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"),
2352 NULL, DECL_ATTRIBUTES (var));
2353 make_decl_rtl (var);
2354 varpool_node::finalize_decl (var);
2355 return fold_convert (uptr, build_fold_addr_expr (var));
2356 }
2357
2358 /* Return true if DECL, a global var, might be overridden and needs
2359 an additional odr indicator symbol. */
2360
2361 static bool
2362 asan_needs_odr_indicator_p (tree decl)
2363 {
2364 /* Don't emit ODR indicators for kernel because:
2365 a) Kernel is written in C thus doesn't need ODR indicators.
2366 b) Some kernel code may have assumptions about symbols containing specific
2367 patterns in their names. Since ODR indicators contain original names
2368 of symbols they are emitted for, these assumptions would be broken for
2369 ODR indicator symbols. */
2370 return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS)
2371 && !DECL_ARTIFICIAL (decl)
2372 && !DECL_WEAK (decl)
2373 && TREE_PUBLIC (decl));
2374 }
2375
2376 /* For given DECL return its corresponding TRANSLATION_UNIT_DECL. */
2377
2378 static const_tree
2379 get_translation_unit_decl (tree decl)
2380 {
2381 const_tree context = decl;
2382 while (context && TREE_CODE (context) != TRANSLATION_UNIT_DECL)
2383 {
2384 if (TREE_CODE (context) == BLOCK)
2385 context = BLOCK_SUPERCONTEXT (context);
2386 else
2387 context = get_containing_scope (context);
2388 }
2389 return context;
2390 }
2391
2392 /* Append description of a single global DECL into vector V.
2393 TYPE is __asan_global struct type as returned by asan_global_struct. */
2394
2395 static void
2396 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
2397 {
2398 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2399 unsigned HOST_WIDE_INT size;
2400 tree str_cst, module_name_cst, refdecl = decl;
2401 vec<constructor_elt, va_gc> *vinner = NULL;
2402
2403 pretty_printer asan_pp, module_name_pp;
2404
2405 if (DECL_NAME (decl))
2406 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
2407 else
2408 pp_string (&asan_pp, "<unknown>");
2409 str_cst = asan_pp_string (&asan_pp);
2410
2411 const char *filename = main_input_filename;
2412 if (in_lto_p)
2413 {
2414 const_tree translation_unit_decl = get_translation_unit_decl (decl);
2415 if (translation_unit_decl && DECL_NAME (translation_unit_decl) != NULL)
2416 filename = IDENTIFIER_POINTER (DECL_NAME (translation_unit_decl));
2417 }
2418 pp_string (&module_name_pp, filename);
2419 module_name_cst = asan_pp_string (&module_name_pp);
2420
2421 if (asan_needs_local_alias (decl))
2422 {
2423 char buf[20];
2424 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
2425 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
2426 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
2427 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
2428 TREE_READONLY (refdecl) = TREE_READONLY (decl);
2429 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
2430 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
2431 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
2432 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
2433 TREE_STATIC (refdecl) = 1;
2434 TREE_PUBLIC (refdecl) = 0;
2435 TREE_USED (refdecl) = 1;
2436 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
2437 }
2438
2439 tree odr_indicator_ptr
2440 = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type)
2441 : build_int_cst (uptr, 0));
2442 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2443 fold_convert (const_ptr_type_node,
2444 build_fold_addr_expr (refdecl)));
2445 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
2446 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2447 size += asan_red_zone_size (size);
2448 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2449 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2450 fold_convert (const_ptr_type_node, str_cst));
2451 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2452 fold_convert (const_ptr_type_node, module_name_cst));
2453 varpool_node *vnode = varpool_node::get (decl);
2454 int has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
2455 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2456 build_int_cst (uptr, has_dynamic_init));
2457 tree locptr = NULL_TREE;
2458 location_t loc = DECL_SOURCE_LOCATION (decl);
2459 expanded_location xloc = expand_location (loc);
2460 if (xloc.file != NULL)
2461 {
2462 static int lasanloccnt = 0;
2463 char buf[25];
2464 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
2465 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2466 ubsan_get_source_location_type ());
2467 TREE_STATIC (var) = 1;
2468 TREE_PUBLIC (var) = 0;
2469 DECL_ARTIFICIAL (var) = 1;
2470 DECL_IGNORED_P (var) = 1;
2471 pretty_printer filename_pp;
2472 pp_string (&filename_pp, xloc.file);
2473 tree str = asan_pp_string (&filename_pp);
2474 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
2475 NULL_TREE, str, NULL_TREE,
2476 build_int_cst (unsigned_type_node,
2477 xloc.line), NULL_TREE,
2478 build_int_cst (unsigned_type_node,
2479 xloc.column));
2480 TREE_CONSTANT (ctor) = 1;
2481 TREE_STATIC (ctor) = 1;
2482 DECL_INITIAL (var) = ctor;
2483 varpool_node::finalize_decl (var);
2484 locptr = fold_convert (uptr, build_fold_addr_expr (var));
2485 }
2486 else
2487 locptr = build_int_cst (uptr, 0);
2488 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
2489 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr);
2490 init = build_constructor (type, vinner);
2491 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
2492 }
2493
2494 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2495 void
2496 initialize_sanitizer_builtins (void)
2497 {
2498 tree decl;
2499
2500 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
2501 return;
2502
2503 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
2504 tree BT_FN_VOID_PTR
2505 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
2506 tree BT_FN_VOID_CONST_PTR
2507 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
2508 tree BT_FN_VOID_PTR_PTR
2509 = build_function_type_list (void_type_node, ptr_type_node,
2510 ptr_type_node, NULL_TREE);
2511 tree BT_FN_VOID_PTR_PTR_PTR
2512 = build_function_type_list (void_type_node, ptr_type_node,
2513 ptr_type_node, ptr_type_node, NULL_TREE);
2514 tree BT_FN_VOID_PTR_PTRMODE
2515 = build_function_type_list (void_type_node, ptr_type_node,
2516 pointer_sized_int_node, NULL_TREE);
2517 tree BT_FN_VOID_INT
2518 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
2519 tree BT_FN_SIZE_CONST_PTR_INT
2520 = build_function_type_list (size_type_node, const_ptr_type_node,
2521 integer_type_node, NULL_TREE);
2522 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
2523 tree BT_FN_IX_CONST_VPTR_INT[5];
2524 tree BT_FN_IX_VPTR_IX_INT[5];
2525 tree BT_FN_VOID_VPTR_IX_INT[5];
2526 tree vptr
2527 = build_pointer_type (build_qualified_type (void_type_node,
2528 TYPE_QUAL_VOLATILE));
2529 tree cvptr
2530 = build_pointer_type (build_qualified_type (void_type_node,
2531 TYPE_QUAL_VOLATILE
2532 |TYPE_QUAL_CONST));
2533 tree boolt
2534 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
2535 int i;
2536 for (i = 0; i < 5; i++)
2537 {
2538 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
2539 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
2540 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
2541 integer_type_node, integer_type_node,
2542 NULL_TREE);
2543 BT_FN_IX_CONST_VPTR_INT[i]
2544 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
2545 BT_FN_IX_VPTR_IX_INT[i]
2546 = build_function_type_list (ix, vptr, ix, integer_type_node,
2547 NULL_TREE);
2548 BT_FN_VOID_VPTR_IX_INT[i]
2549 = build_function_type_list (void_type_node, vptr, ix,
2550 integer_type_node, NULL_TREE);
2551 }
2552 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2553 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2554 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2555 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2556 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2557 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2558 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2559 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2560 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2561 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2562 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2563 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2564 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2565 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2566 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2567 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2568 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2569 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2570 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2571 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2572 #undef ATTR_NOTHROW_LEAF_LIST
2573 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2574 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2575 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2576 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2577 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2578 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2579 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
2580 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
2581 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2582 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2583 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2584 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2585 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2586 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2587 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2588 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2589 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
2590 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
2591 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
2592 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2593 #undef ATTR_PURE_NOTHROW_LEAF_LIST
2594 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
2595 #undef DEF_BUILTIN_STUB
2596 #define DEF_BUILTIN_STUB(ENUM, NAME)
2597 #undef DEF_SANITIZER_BUILTIN
2598 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2599 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2600 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2601 set_call_expr_flags (decl, ATTRS); \
2602 set_builtin_decl (ENUM, decl, true);
2603
2604 #include "sanitizer.def"
2605
2606 /* -fsanitize=object-size uses __builtin_object_size, but that might
2607 not be available for e.g. Fortran at this point. We use
2608 DEF_SANITIZER_BUILTIN here only as a convenience macro. */
2609 if ((flag_sanitize & SANITIZE_OBJECT_SIZE)
2610 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
2611 DEF_SANITIZER_BUILTIN (BUILT_IN_OBJECT_SIZE, "object_size",
2612 BT_FN_SIZE_CONST_PTR_INT,
2613 ATTR_PURE_NOTHROW_LEAF_LIST)
2614
2615 #undef DEF_SANITIZER_BUILTIN
2616 #undef DEF_BUILTIN_STUB
2617 }
2618
2619 /* Called via htab_traverse. Count number of emitted
2620 STRING_CSTs in the constant hash table. */
2621
2622 int
2623 count_string_csts (constant_descriptor_tree **slot,
2624 unsigned HOST_WIDE_INT *data)
2625 {
2626 struct constant_descriptor_tree *desc = *slot;
2627 if (TREE_CODE (desc->value) == STRING_CST
2628 && TREE_ASM_WRITTEN (desc->value)
2629 && asan_protect_global (desc->value))
2630 ++*data;
2631 return 1;
2632 }
2633
2634 /* Helper structure to pass two parameters to
2635 add_string_csts. */
2636
2637 struct asan_add_string_csts_data
2638 {
2639 tree type;
2640 vec<constructor_elt, va_gc> *v;
2641 };
2642
2643 /* Called via hash_table::traverse. Call asan_add_global
2644 on emitted STRING_CSTs from the constant hash table. */
2645
2646 int
2647 add_string_csts (constant_descriptor_tree **slot,
2648 asan_add_string_csts_data *aascd)
2649 {
2650 struct constant_descriptor_tree *desc = *slot;
2651 if (TREE_CODE (desc->value) == STRING_CST
2652 && TREE_ASM_WRITTEN (desc->value)
2653 && asan_protect_global (desc->value))
2654 {
2655 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
2656 aascd->type, aascd->v);
2657 }
2658 return 1;
2659 }
2660
2661 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
2662 invoke ggc_collect. */
2663 static GTY(()) tree asan_ctor_statements;
2664
2665 /* Module-level instrumentation.
2666 - Insert __asan_init_vN() into the list of CTORs.
2667 - TODO: insert redzones around globals.
2668 */
2669
2670 void
2671 asan_finish_file (void)
2672 {
2673 varpool_node *vnode;
2674 unsigned HOST_WIDE_INT gcount = 0;
2675
2676 if (shadow_ptr_types[0] == NULL_TREE)
2677 asan_init_shadow_ptr_types ();
2678 /* Avoid instrumenting code in the asan ctors/dtors.
2679 We don't need to insert padding after the description strings,
2680 nor after .LASAN* array. */
2681 flag_sanitize &= ~SANITIZE_ADDRESS;
2682
2683 /* For user-space we want asan constructors to run first.
2684 Linux kernel does not support priorities other than default, and the only
2685 other user of constructors is coverage. So we run with the default
2686 priority. */
2687 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
2688 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
2689
2690 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2691 {
2692 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
2693 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2694 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
2695 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2696 }
2697 FOR_EACH_DEFINED_VARIABLE (vnode)
2698 if (TREE_ASM_WRITTEN (vnode->decl)
2699 && asan_protect_global (vnode->decl))
2700 ++gcount;
2701 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
2702 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
2703 (&gcount);
2704 if (gcount)
2705 {
2706 tree type = asan_global_struct (), var, ctor;
2707 tree dtor_statements = NULL_TREE;
2708 vec<constructor_elt, va_gc> *v;
2709 char buf[20];
2710
2711 type = build_array_type_nelts (type, gcount);
2712 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
2713 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2714 type);
2715 TREE_STATIC (var) = 1;
2716 TREE_PUBLIC (var) = 0;
2717 DECL_ARTIFICIAL (var) = 1;
2718 DECL_IGNORED_P (var) = 1;
2719 vec_alloc (v, gcount);
2720 FOR_EACH_DEFINED_VARIABLE (vnode)
2721 if (TREE_ASM_WRITTEN (vnode->decl)
2722 && asan_protect_global (vnode->decl))
2723 asan_add_global (vnode->decl, TREE_TYPE (type), v);
2724 struct asan_add_string_csts_data aascd;
2725 aascd.type = TREE_TYPE (type);
2726 aascd.v = v;
2727 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
2728 (&aascd);
2729 ctor = build_constructor (type, v);
2730 TREE_CONSTANT (ctor) = 1;
2731 TREE_STATIC (ctor) = 1;
2732 DECL_INITIAL (var) = ctor;
2733 varpool_node::finalize_decl (var);
2734
2735 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
2736 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
2737 append_to_statement_list (build_call_expr (fn, 2,
2738 build_fold_addr_expr (var),
2739 gcount_tree),
2740 &asan_ctor_statements);
2741
2742 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
2743 append_to_statement_list (build_call_expr (fn, 2,
2744 build_fold_addr_expr (var),
2745 gcount_tree),
2746 &dtor_statements);
2747 cgraph_build_static_cdtor ('D', dtor_statements, priority);
2748 }
2749 if (asan_ctor_statements)
2750 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
2751 flag_sanitize |= SANITIZE_ADDRESS;
2752 }
2753
2754 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
2755 on SHADOW address. Newly added statements will be added to ITER with
2756 given location LOC. We mark SIZE bytes in shadow memory, where
2757 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
2758 end of a variable. */
2759
2760 static void
2761 asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
2762 tree shadow,
2763 unsigned HOST_WIDE_INT base_addr_offset,
2764 bool is_clobber, unsigned size,
2765 unsigned last_chunk_size)
2766 {
2767 tree shadow_ptr_type;
2768
2769 switch (size)
2770 {
2771 case 1:
2772 shadow_ptr_type = shadow_ptr_types[0];
2773 break;
2774 case 2:
2775 shadow_ptr_type = shadow_ptr_types[1];
2776 break;
2777 case 4:
2778 shadow_ptr_type = shadow_ptr_types[2];
2779 break;
2780 default:
2781 gcc_unreachable ();
2782 }
2783
2784 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
2785 unsigned HOST_WIDE_INT val = 0;
2786 for (unsigned i = 0; i < size; ++i)
2787 {
2788 unsigned char shadow_c = c;
2789 if (i == size - 1 && last_chunk_size && !is_clobber)
2790 shadow_c = last_chunk_size;
2791 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
2792 }
2793
2794 /* Handle last chunk in unpoisoning. */
2795 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);
2796
2797 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
2798 build_int_cst (shadow_ptr_type, base_addr_offset));
2799
2800 gimple *g = gimple_build_assign (dest, magic);
2801 gimple_set_location (g, loc);
2802 gsi_insert_after (iter, g, GSI_NEW_STMT);
2803 }
2804
2805 /* Expand the ASAN_MARK builtins. */
2806
2807 bool
2808 asan_expand_mark_ifn (gimple_stmt_iterator *iter)
2809 {
2810 gimple *g = gsi_stmt (*iter);
2811 location_t loc = gimple_location (g);
2812 HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0));
2813 bool is_poison = ((asan_mark_flags)flag) == ASAN_MARK_POISON;
2814
2815 tree base = gimple_call_arg (g, 1);
2816 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
2817 tree decl = TREE_OPERAND (base, 0);
2818
2819 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
2820 if (TREE_CODE (decl) == COMPONENT_REF
2821 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0)))
2822 decl = TREE_OPERAND (decl, 0);
2823
2824 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);
2825 if (asan_handled_variables == NULL)
2826 asan_handled_variables = new hash_set<tree> (16);
2827 asan_handled_variables->add (decl);
2828 tree len = gimple_call_arg (g, 2);
2829
2830 gcc_assert (tree_fits_shwi_p (len));
2831 unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len);
2832 gcc_assert (size_in_bytes);
2833
2834 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2835 NOP_EXPR, base);
2836 gimple_set_location (g, loc);
2837 gsi_replace (iter, g, false);
2838 tree base_addr = gimple_assign_lhs (g);
2839
2840 /* Generate direct emission if size_in_bytes is small. */
2841 if (size_in_bytes <= ASAN_PARAM_USE_AFTER_SCOPE_DIRECT_EMISSION_THRESHOLD)
2842 {
2843 unsigned HOST_WIDE_INT shadow_size = shadow_mem_size (size_in_bytes);
2844
2845 tree shadow = build_shadow_mem_access (iter, loc, base_addr,
2846 shadow_ptr_types[0], true);
2847
2848 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
2849 {
2850 unsigned size = 1;
2851 if (shadow_size - offset >= 4)
2852 size = 4;
2853 else if (shadow_size - offset >= 2)
2854 size = 2;
2855
2856 unsigned HOST_WIDE_INT last_chunk_size = 0;
2857 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
2858 if (s > size_in_bytes)
2859 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);
2860
2861 asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison,
2862 size, last_chunk_size);
2863 offset += size;
2864 }
2865 }
2866 else
2867 {
2868 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2869 NOP_EXPR, len);
2870 gimple_set_location (g, loc);
2871 gsi_insert_before (iter, g, GSI_SAME_STMT);
2872 tree sz_arg = gimple_assign_lhs (g);
2873
2874 tree fun
2875 = builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY
2876 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY);
2877 g = gimple_build_call (fun, 2, base_addr, sz_arg);
2878 gimple_set_location (g, loc);
2879 gsi_insert_after (iter, g, GSI_NEW_STMT);
2880 }
2881
2882 return false;
2883 }
2884
2885 /* Expand the ASAN_{LOAD,STORE} builtins. */
2886
2887 bool
2888 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
2889 {
2890 gimple *g = gsi_stmt (*iter);
2891 location_t loc = gimple_location (g);
2892 bool recover_p;
2893 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2894 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
2895 else
2896 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
2897
2898 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
2899 gcc_assert (flags < ASAN_CHECK_LAST);
2900 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
2901 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
2902 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
2903
2904 tree base = gimple_call_arg (g, 1);
2905 tree len = gimple_call_arg (g, 2);
2906 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
2907
2908 HOST_WIDE_INT size_in_bytes
2909 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2910
2911 if (use_calls)
2912 {
2913 /* Instrument using callbacks. */
2914 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2915 NOP_EXPR, base);
2916 gimple_set_location (g, loc);
2917 gsi_insert_before (iter, g, GSI_SAME_STMT);
2918 tree base_addr = gimple_assign_lhs (g);
2919
2920 int nargs;
2921 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
2922 if (nargs == 1)
2923 g = gimple_build_call (fun, 1, base_addr);
2924 else
2925 {
2926 gcc_assert (nargs == 2);
2927 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2928 NOP_EXPR, len);
2929 gimple_set_location (g, loc);
2930 gsi_insert_before (iter, g, GSI_SAME_STMT);
2931 tree sz_arg = gimple_assign_lhs (g);
2932 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
2933 }
2934 gimple_set_location (g, loc);
2935 gsi_replace (iter, g, false);
2936 return false;
2937 }
2938
2939 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
2940
2941 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
2942 tree shadow_type = TREE_TYPE (shadow_ptr_type);
2943
2944 gimple_stmt_iterator gsi = *iter;
2945
2946 if (!is_non_zero_len)
2947 {
2948 /* So, the length of the memory area to asan-protect is
2949 non-constant. Let's guard the generated instrumentation code
2950 like:
2951
2952 if (len != 0)
2953 {
2954 //asan instrumentation code goes here.
2955 }
2956 // falltrough instructions, starting with *ITER. */
2957
2958 g = gimple_build_cond (NE_EXPR,
2959 len,
2960 build_int_cst (TREE_TYPE (len), 0),
2961 NULL_TREE, NULL_TREE);
2962 gimple_set_location (g, loc);
2963
2964 basic_block then_bb, fallthrough_bb;
2965 insert_if_then_before_iter (as_a <gcond *> (g), iter,
2966 /*then_more_likely_p=*/true,
2967 &then_bb, &fallthrough_bb);
2968 /* Note that fallthrough_bb starts with the statement that was
2969 pointed to by ITER. */
2970
2971 /* The 'then block' of the 'if (len != 0) condition is where
2972 we'll generate the asan instrumentation code now. */
2973 gsi = gsi_last_bb (then_bb);
2974 }
2975
2976 /* Get an iterator on the point where we can add the condition
2977 statement for the instrumentation. */
2978 basic_block then_bb, else_bb;
2979 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
2980 /*then_more_likely_p=*/false,
2981 /*create_then_fallthru_edge*/recover_p,
2982 &then_bb,
2983 &else_bb);
2984
2985 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2986 NOP_EXPR, base);
2987 gimple_set_location (g, loc);
2988 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
2989 tree base_addr = gimple_assign_lhs (g);
2990
2991 tree t = NULL_TREE;
2992 if (real_size_in_bytes >= 8)
2993 {
2994 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
2995 shadow_ptr_type);
2996 t = shadow;
2997 }
2998 else
2999 {
3000 /* Slow path for 1, 2 and 4 byte accesses. */
3001 /* Test (shadow != 0)
3002 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
3003 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3004 shadow_ptr_type);
3005 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3006 gimple_seq seq = NULL;
3007 gimple_seq_add_stmt (&seq, shadow_test);
3008 /* Aligned (>= 8 bytes) can test just
3009 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
3010 to be 0. */
3011 if (align < 8)
3012 {
3013 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3014 base_addr, 7));
3015 gimple_seq_add_stmt (&seq,
3016 build_type_cast (shadow_type,
3017 gimple_seq_last (seq)));
3018 if (real_size_in_bytes > 1)
3019 gimple_seq_add_stmt (&seq,
3020 build_assign (PLUS_EXPR,
3021 gimple_seq_last (seq),
3022 real_size_in_bytes - 1));
3023 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
3024 }
3025 else
3026 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
3027 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
3028 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3029 gimple_seq_last (seq)));
3030 t = gimple_assign_lhs (gimple_seq_last (seq));
3031 gimple_seq_set_location (seq, loc);
3032 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3033
3034 /* For non-constant, misaligned or otherwise weird access sizes,
3035 check first and last byte. */
3036 if (size_in_bytes == -1)
3037 {
3038 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3039 MINUS_EXPR, len,
3040 build_int_cst (pointer_sized_int_node, 1));
3041 gimple_set_location (g, loc);
3042 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3043 tree last = gimple_assign_lhs (g);
3044 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3045 PLUS_EXPR, base_addr, last);
3046 gimple_set_location (g, loc);
3047 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3048 tree base_end_addr = gimple_assign_lhs (g);
3049
3050 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
3051 shadow_ptr_type);
3052 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3053 gimple_seq seq = NULL;
3054 gimple_seq_add_stmt (&seq, shadow_test);
3055 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3056 base_end_addr, 7));
3057 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
3058 gimple_seq_last (seq)));
3059 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
3060 gimple_seq_last (seq),
3061 shadow));
3062 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3063 gimple_seq_last (seq)));
3064 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
3065 gimple_seq_last (seq)));
3066 t = gimple_assign_lhs (gimple_seq_last (seq));
3067 gimple_seq_set_location (seq, loc);
3068 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3069 }
3070 }
3071
3072 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
3073 NULL_TREE, NULL_TREE);
3074 gimple_set_location (g, loc);
3075 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3076
3077 /* Generate call to the run-time library (e.g. __asan_report_load8). */
3078 gsi = gsi_start_bb (then_bb);
3079 int nargs;
3080 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
3081 g = gimple_build_call (fun, nargs, base_addr, len);
3082 gimple_set_location (g, loc);
3083 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3084
3085 gsi_remove (iter, true);
3086 *iter = gsi_start_bb (else_bb);
3087
3088 return true;
3089 }
3090
3091 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
3092 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
3093
3094 static tree
3095 create_asan_shadow_var (tree var_decl,
3096 hash_map<tree, tree> &shadow_vars_mapping)
3097 {
3098 tree *slot = shadow_vars_mapping.get (var_decl);
3099 if (slot == NULL)
3100 {
3101 tree shadow_var = copy_node (var_decl);
3102
3103 copy_body_data id;
3104 memset (&id, 0, sizeof (copy_body_data));
3105 id.src_fn = id.dst_fn = current_function_decl;
3106 copy_decl_for_dup_finish (&id, var_decl, shadow_var);
3107
3108 DECL_ARTIFICIAL (shadow_var) = 1;
3109 DECL_IGNORED_P (shadow_var) = 1;
3110 DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0;
3111 gimple_add_tmp_var (shadow_var);
3112
3113 shadow_vars_mapping.put (var_decl, shadow_var);
3114 return shadow_var;
3115 }
3116 else
3117 return *slot;
3118 }
3119
3120 /* Expand ASAN_POISON ifn. */
3121
3122 bool
3123 asan_expand_poison_ifn (gimple_stmt_iterator *iter,
3124 bool *need_commit_edge_insert,
3125 hash_map<tree, tree> &shadow_vars_mapping)
3126 {
3127 gimple *g = gsi_stmt (*iter);
3128 tree poisoned_var = gimple_call_lhs (g);
3129 if (!poisoned_var)
3130 {
3131 gsi_remove (iter, true);
3132 return true;
3133 }
3134
3135 tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var),
3136 shadow_vars_mapping);
3137
3138 bool recover_p;
3139 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3140 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3141 else
3142 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3143 tree size = DECL_SIZE_UNIT (shadow_var);
3144 gimple *poison_call
3145 = gimple_build_call_internal (IFN_ASAN_MARK, 3,
3146 build_int_cst (integer_type_node,
3147 ASAN_MARK_POISON),
3148 build_fold_addr_expr (shadow_var), size);
3149
3150 gimple *use;
3151 imm_use_iterator imm_iter;
3152 FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var)
3153 {
3154 if (is_gimple_debug (use))
3155 continue;
3156
3157 int nargs;
3158 bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE);
3159 tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size),
3160 &nargs);
3161
3162 gcall *call = gimple_build_call (fun, 1,
3163 build_fold_addr_expr (shadow_var));
3164 gimple_set_location (call, gimple_location (use));
3165 gimple *call_to_insert = call;
3166
3167 /* The USE can be a gimple PHI node. If so, insert the call on
3168 all edges leading to the PHI node. */
3169 if (is_a <gphi *> (use))
3170 {
3171 gphi *phi = dyn_cast<gphi *> (use);
3172 for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i)
3173 if (gimple_phi_arg_def (phi, i) == poisoned_var)
3174 {
3175 edge e = gimple_phi_arg_edge (phi, i);
3176
3177 if (call_to_insert == NULL)
3178 call_to_insert = gimple_copy (call);
3179
3180 gsi_insert_seq_on_edge (e, call_to_insert);
3181 *need_commit_edge_insert = true;
3182 call_to_insert = NULL;
3183 }
3184 }
3185 else
3186 {
3187 gimple_stmt_iterator gsi = gsi_for_stmt (use);
3188 if (store_p)
3189 gsi_replace (&gsi, call, true);
3190 else
3191 gsi_insert_before (&gsi, call, GSI_NEW_STMT);
3192 }
3193 }
3194
3195 SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true;
3196 SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop ();
3197 gsi_replace (iter, poison_call, false);
3198
3199 return true;
3200 }
3201
3202 /* Instrument the current function. */
3203
3204 static unsigned int
3205 asan_instrument (void)
3206 {
3207 if (shadow_ptr_types[0] == NULL_TREE)
3208 asan_init_shadow_ptr_types ();
3209 transform_statements ();
3210 return 0;
3211 }
3212
3213 static bool
3214 gate_asan (void)
3215 {
3216 return (flag_sanitize & SANITIZE_ADDRESS) != 0
3217 && !lookup_attribute ("no_sanitize_address",
3218 DECL_ATTRIBUTES (current_function_decl));
3219 }
3220
3221 namespace {
3222
3223 const pass_data pass_data_asan =
3224 {
3225 GIMPLE_PASS, /* type */
3226 "asan", /* name */
3227 OPTGROUP_NONE, /* optinfo_flags */
3228 TV_NONE, /* tv_id */
3229 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3230 0, /* properties_provided */
3231 0, /* properties_destroyed */
3232 0, /* todo_flags_start */
3233 TODO_update_ssa, /* todo_flags_finish */
3234 };
3235
3236 class pass_asan : public gimple_opt_pass
3237 {
3238 public:
3239 pass_asan (gcc::context *ctxt)
3240 : gimple_opt_pass (pass_data_asan, ctxt)
3241 {}
3242
3243 /* opt_pass methods: */
3244 opt_pass * clone () { return new pass_asan (m_ctxt); }
3245 virtual bool gate (function *) { return gate_asan (); }
3246 virtual unsigned int execute (function *) { return asan_instrument (); }
3247
3248 }; // class pass_asan
3249
3250 } // anon namespace
3251
3252 gimple_opt_pass *
3253 make_pass_asan (gcc::context *ctxt)
3254 {
3255 return new pass_asan (ctxt);
3256 }
3257
3258 namespace {
3259
3260 const pass_data pass_data_asan_O0 =
3261 {
3262 GIMPLE_PASS, /* type */
3263 "asan0", /* name */
3264 OPTGROUP_NONE, /* optinfo_flags */
3265 TV_NONE, /* tv_id */
3266 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3267 0, /* properties_provided */
3268 0, /* properties_destroyed */
3269 0, /* todo_flags_start */
3270 TODO_update_ssa, /* todo_flags_finish */
3271 };
3272
3273 class pass_asan_O0 : public gimple_opt_pass
3274 {
3275 public:
3276 pass_asan_O0 (gcc::context *ctxt)
3277 : gimple_opt_pass (pass_data_asan_O0, ctxt)
3278 {}
3279
3280 /* opt_pass methods: */
3281 virtual bool gate (function *) { return !optimize && gate_asan (); }
3282 virtual unsigned int execute (function *) { return asan_instrument (); }
3283
3284 }; // class pass_asan_O0
3285
3286 } // anon namespace
3287
3288 gimple_opt_pass *
3289 make_pass_asan_O0 (gcc::context *ctxt)
3290 {
3291 return new pass_asan_O0 (ctxt);
3292 }
3293
3294 #include "gt-asan.h"
Mirror of the offical gcc git repository hosted at gcc.gnu.org