1 /* UndefinedBehaviorSanitizer, undefined behavior detector.
2 Copyright (C) 2013-2014 Free Software Foundation, Inc.
3 Contributed by Marek Polacek <polacek@redhat.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
23 #include "coretypes.h"
25 #include "stor-layout.h"
26 #include "stringpool.h"
28 #include "tree-pass.h"
29 #include "tree-ssa-alias.h"
30 #include "tree-pretty-print.h"
31 #include "internal-fn.h"
32 #include "gimple-expr.h"
34 #include "gimple-iterator.h"
35 #include "gimple-ssa.h"
36 #include "gimple-walk.h"
43 #include "c-family/c-common.h"
46 #include "tree-ssanames.h"
48 #include "gimplify-me.h"
53 /* Map from a tree to a VAR_DECL tree. */
55 struct GTY(()) tree_type_map
{
56 struct tree_map_base type
;
60 #define tree_type_map_eq tree_map_base_eq
61 #define tree_type_map_marked_p tree_map_base_marked_p
63 /* Hash from a tree in a tree_type_map. */
66 tree_type_map_hash (const void *item
)
68 return TYPE_UID (((const struct tree_type_map
*)item
)->type
.from
);
71 static GTY ((if_marked ("tree_type_map_marked_p"), param_is (struct tree_type_map
)))
72 htab_t decl_tree_for_type
;
74 /* Lookup a VAR_DECL for TYPE, and return it if we find one. */
77 decl_for_type_lookup (tree type
)
79 /* If the hash table is not initialized yet, create it now. */
80 if (decl_tree_for_type
== NULL
)
82 decl_tree_for_type
= htab_create_ggc (10, tree_type_map_hash
,
84 /* That also means we don't have to bother with the lookup. */
88 struct tree_type_map
*h
, in
;
91 h
= (struct tree_type_map
*)
92 htab_find_with_hash (decl_tree_for_type
, &in
, TYPE_UID (type
));
93 return h
? h
->decl
: NULL_TREE
;
96 /* Insert a mapping TYPE->DECL in the VAR_DECL for type hashtable. */
99 decl_for_type_insert (tree type
, tree decl
)
101 struct tree_type_map
*h
;
104 h
= ggc_alloc
<tree_type_map
> ();
107 slot
= htab_find_slot_with_hash (decl_tree_for_type
, h
, TYPE_UID (type
),
109 *(struct tree_type_map
**) slot
= h
;
112 /* Helper routine, which encodes a value in the pointer_sized_int_node.
113 Arguments with precision <= POINTER_SIZE are passed directly,
114 the rest is passed by reference. T is a value we are to encode.
115 IN_EXPAND_P is true if this function is called during expansion. */
118 ubsan_encode_value (tree t
, bool in_expand_p
)
120 tree type
= TREE_TYPE (t
);
121 const unsigned int bitsize
= GET_MODE_BITSIZE (TYPE_MODE (type
));
122 if (bitsize
<= POINTER_SIZE
)
123 switch (TREE_CODE (type
))
128 return fold_build1 (NOP_EXPR
, pointer_sized_int_node
, t
);
131 tree itype
= build_nonstandard_integer_type (bitsize
, true);
132 t
= fold_build1 (VIEW_CONVERT_EXPR
, itype
, t
);
133 return fold_convert (pointer_sized_int_node
, t
);
140 if (!DECL_P (t
) || !TREE_ADDRESSABLE (t
))
142 /* The reason for this is that we don't want to pessimize
143 code by making vars unnecessarily addressable. */
144 tree var
= create_tmp_var (type
, NULL
);
145 tree tem
= build2 (MODIFY_EXPR
, void_type_node
, var
, t
);
149 = assign_stack_temp_for_type (TYPE_MODE (type
),
150 GET_MODE_SIZE (TYPE_MODE (type
)),
152 SET_DECL_RTL (var
, mem
);
153 expand_assignment (var
, t
, false);
154 return build_fold_addr_expr (var
);
156 t
= build_fold_addr_expr (var
);
157 return build2 (COMPOUND_EXPR
, TREE_TYPE (t
), tem
, t
);
160 return build_fold_addr_expr (t
);
165 struct __ubsan_type_descriptor
167 unsigned short __typekind;
168 unsigned short __typeinfo;
174 ubsan_type_descriptor_type (void)
176 static const char *field_names
[3]
177 = { "__typekind", "__typeinfo", "__typename" };
179 tree itype
= build_range_type (sizetype
, size_zero_node
, NULL_TREE
);
180 tree flex_arr_type
= build_array_type (char_type_node
, itype
);
182 ret
= make_node (RECORD_TYPE
);
183 for (int i
= 0; i
< 3; i
++)
185 fields
[i
] = build_decl (UNKNOWN_LOCATION
, FIELD_DECL
,
186 get_identifier (field_names
[i
]),
187 (i
== 2) ? flex_arr_type
188 : short_unsigned_type_node
);
189 DECL_CONTEXT (fields
[i
]) = ret
;
191 DECL_CHAIN (fields
[i
- 1]) = fields
[i
];
193 TYPE_FIELDS (ret
) = fields
[0];
194 TYPE_NAME (ret
) = get_identifier ("__ubsan_type_descriptor");
200 struct __ubsan_source_location
202 const char *__filename;
204 unsigned int __column;
209 ubsan_source_location_type (void)
211 static const char *field_names
[3]
212 = { "__filename", "__line", "__column" };
214 tree const_char_type
= build_qualified_type (char_type_node
,
217 ret
= make_node (RECORD_TYPE
);
218 for (int i
= 0; i
< 3; i
++)
220 fields
[i
] = build_decl (UNKNOWN_LOCATION
, FIELD_DECL
,
221 get_identifier (field_names
[i
]),
222 (i
== 0) ? build_pointer_type (const_char_type
)
223 : unsigned_type_node
);
224 DECL_CONTEXT (fields
[i
]) = ret
;
226 DECL_CHAIN (fields
[i
- 1]) = fields
[i
];
228 TYPE_FIELDS (ret
) = fields
[0];
229 TYPE_NAME (ret
) = get_identifier ("__ubsan_source_location");
234 /* Helper routine that returns a CONSTRUCTOR of __ubsan_source_location
235 type with its fields filled from a location_t LOC. */
238 ubsan_source_location (location_t loc
)
240 expanded_location xloc
;
241 tree type
= ubsan_source_location_type ();
243 xloc
= expand_location (loc
);
244 if (xloc
.file
== NULL
)
245 xloc
.file
= "<unknown>";
247 /* Fill in the values from LOC. */
248 size_t len
= strlen (xloc
.file
);
249 tree str
= build_string (len
+ 1, xloc
.file
);
250 TREE_TYPE (str
) = build_array_type (char_type_node
,
251 build_index_type (size_int (len
)));
252 TREE_READONLY (str
) = 1;
253 TREE_STATIC (str
) = 1;
254 str
= build_fold_addr_expr (str
);
255 tree ctor
= build_constructor_va (type
, 3, NULL_TREE
, str
, NULL_TREE
,
256 build_int_cst (unsigned_type_node
,
257 xloc
.line
), NULL_TREE
,
258 build_int_cst (unsigned_type_node
,
260 TREE_CONSTANT (ctor
) = 1;
261 TREE_STATIC (ctor
) = 1;
266 /* This routine returns a magic number for TYPE. */
268 static unsigned short
269 get_ubsan_type_info_for_type (tree type
)
271 gcc_assert (TYPE_SIZE (type
) && tree_fits_uhwi_p (TYPE_SIZE (type
)));
272 if (TREE_CODE (type
) == REAL_TYPE
)
273 return tree_to_uhwi (TYPE_SIZE (type
));
274 else if (INTEGRAL_TYPE_P (type
))
276 int prec
= exact_log2 (tree_to_uhwi (TYPE_SIZE (type
)));
277 gcc_assert (prec
!= -1);
278 return (prec
<< 1) | !TYPE_UNSIGNED (type
);
284 /* Helper routine that returns ADDR_EXPR of a VAR_DECL of a type
285 descriptor. It first looks into the hash table; if not found,
286 create the VAR_DECL, put it into the hash table and return the
287 ADDR_EXPR of it. TYPE describes a particular type. PSTYLE is
288 an enum controlling how we want to print the type. */
291 ubsan_type_descriptor (tree type
, enum ubsan_print_style pstyle
)
293 /* See through any typedefs. */
294 type
= TYPE_MAIN_VARIANT (type
);
296 tree decl
= decl_for_type_lookup (type
);
297 /* It is possible that some of the earlier created DECLs were found
298 unused, in that case they weren't emitted and varpool_get_node
299 returns NULL node on them. But now we really need them. Thus,
301 if (decl
!= NULL_TREE
&& varpool_get_node (decl
))
302 return build_fold_addr_expr (decl
);
304 tree dtype
= ubsan_type_descriptor_type ();
306 const char *tname
= NULL
;
308 unsigned char deref_depth
= 0;
309 unsigned short tkind
, tinfo
;
311 /* Get the name of the type, or the name of the pointer type. */
312 if (pstyle
== UBSAN_PRINT_POINTER
)
314 gcc_assert (POINTER_TYPE_P (type
));
315 type2
= TREE_TYPE (type
);
317 /* Remove any '*' operators from TYPE. */
318 while (POINTER_TYPE_P (type2
))
319 deref_depth
++, type2
= TREE_TYPE (type2
);
321 if (TREE_CODE (type2
) == METHOD_TYPE
)
322 type2
= TYPE_METHOD_BASETYPE (type2
);
325 /* If an array, get its type. */
326 type2
= strip_array_types (type2
);
328 if (pstyle
== UBSAN_PRINT_ARRAY
)
330 while (POINTER_TYPE_P (type2
))
331 deref_depth
++, type2
= TREE_TYPE (type2
);
334 if (TYPE_NAME (type2
) != NULL
)
336 if (TREE_CODE (TYPE_NAME (type2
)) == IDENTIFIER_NODE
)
337 tname
= IDENTIFIER_POINTER (TYPE_NAME (type2
));
338 else if (DECL_NAME (TYPE_NAME (type2
)) != NULL
)
339 tname
= IDENTIFIER_POINTER (DECL_NAME (TYPE_NAME (type2
)));
343 /* We weren't able to determine the type name. */
346 /* Decorate the type name with '', '*', "struct", or "union". */
347 pretty_name
= (char *) alloca (strlen (tname
) + 16 + deref_depth
);
348 if (pstyle
== UBSAN_PRINT_POINTER
)
350 int pos
= sprintf (pretty_name
, "'%s%s%s%s%s%s%s",
351 TYPE_VOLATILE (type2
) ? "volatile " : "",
352 TYPE_READONLY (type2
) ? "const " : "",
353 TYPE_RESTRICT (type2
) ? "restrict " : "",
354 TYPE_ATOMIC (type2
) ? "_Atomic " : "",
355 TREE_CODE (type2
) == RECORD_TYPE
357 : TREE_CODE (type2
) == UNION_TYPE
358 ? "union " : "", tname
,
359 deref_depth
== 0 ? "" : " ");
360 while (deref_depth
-- > 0)
361 pretty_name
[pos
++] = '*';
362 pretty_name
[pos
++] = '\'';
363 pretty_name
[pos
] = '\0';
365 else if (pstyle
== UBSAN_PRINT_ARRAY
)
367 /* Pretty print the array dimensions. */
368 gcc_assert (TREE_CODE (type
) == ARRAY_TYPE
);
370 int pos
= sprintf (pretty_name
, "'%s ", tname
);
371 while (deref_depth
-- > 0)
372 pretty_name
[pos
++] = '*';
373 while (TREE_CODE (t
) == ARRAY_TYPE
)
375 pretty_name
[pos
++] = '[';
376 tree dom
= TYPE_DOMAIN (t
);
377 if (dom
&& TREE_CODE (TYPE_MAX_VALUE (dom
)) == INTEGER_CST
)
378 pos
+= sprintf (&pretty_name
[pos
], HOST_WIDE_INT_PRINT_DEC
,
379 tree_to_shwi (TYPE_MAX_VALUE (dom
)) + 1);
381 /* ??? We can't determine the variable name; print VLA unspec. */
382 pretty_name
[pos
++] = '*';
383 pretty_name
[pos
++] = ']';
386 pretty_name
[pos
++] = '\'';
387 pretty_name
[pos
] = '\0';
389 /* Save the tree with stripped types. */
393 sprintf (pretty_name
, "'%s'", tname
);
395 switch (TREE_CODE (type
))
403 /* FIXME: libubsan right now only supports float, double and
404 long double type formats. */
405 if (TYPE_MODE (type
) == TYPE_MODE (float_type_node
)
406 || TYPE_MODE (type
) == TYPE_MODE (double_type_node
)
407 || TYPE_MODE (type
) == TYPE_MODE (long_double_type_node
))
416 tinfo
= get_ubsan_type_info_for_type (type
);
418 /* Create a new VAR_DECL of type descriptor. */
420 static unsigned int type_var_id_num
;
421 ASM_GENERATE_INTERNAL_LABEL (tmp_name
, "Lubsan_type", type_var_id_num
++);
422 decl
= build_decl (UNKNOWN_LOCATION
, VAR_DECL
, get_identifier (tmp_name
),
424 TREE_STATIC (decl
) = 1;
425 TREE_PUBLIC (decl
) = 0;
426 DECL_ARTIFICIAL (decl
) = 1;
427 DECL_IGNORED_P (decl
) = 1;
428 DECL_EXTERNAL (decl
) = 0;
430 size_t len
= strlen (pretty_name
);
431 tree str
= build_string (len
+ 1, pretty_name
);
432 TREE_TYPE (str
) = build_array_type (char_type_node
,
433 build_index_type (size_int (len
)));
434 TREE_READONLY (str
) = 1;
435 TREE_STATIC (str
) = 1;
436 tree ctor
= build_constructor_va (dtype
, 3, NULL_TREE
,
437 build_int_cst (short_unsigned_type_node
,
439 build_int_cst (short_unsigned_type_node
,
440 tinfo
), NULL_TREE
, str
);
441 TREE_CONSTANT (ctor
) = 1;
442 TREE_STATIC (ctor
) = 1;
443 DECL_INITIAL (decl
) = ctor
;
444 varpool_finalize_decl (decl
);
446 /* Save the VAR_DECL into the hash table. */
447 decl_for_type_insert (type
, decl
);
449 return build_fold_addr_expr (decl
);
452 /* Create a structure for the ubsan library. NAME is a name of the new
453 structure. The arguments in ... are of __ubsan_type_descriptor type
454 and there are at most two of them. MISMATCH are data used by ubsan
458 ubsan_create_data (const char *name
, const location_t
*ploc
,
459 const struct ubsan_mismatch_data
*mismatch
, ...)
464 vec
<tree
, va_gc
> *saved_args
= NULL
;
466 location_t loc
= UNKNOWN_LOCATION
;
468 /* Firstly, create a pointer to type descriptor type. */
469 tree td_type
= ubsan_type_descriptor_type ();
470 TYPE_READONLY (td_type
) = 1;
471 td_type
= build_pointer_type (td_type
);
473 /* Create the structure type. */
474 ret
= make_node (RECORD_TYPE
);
477 loc
= LOCATION_LOCUS (*ploc
);
478 fields
[i
] = build_decl (UNKNOWN_LOCATION
, FIELD_DECL
, NULL_TREE
,
479 ubsan_source_location_type ());
480 DECL_CONTEXT (fields
[i
]) = ret
;
484 va_start (args
, mismatch
);
485 for (t
= va_arg (args
, tree
); t
!= NULL_TREE
;
486 i
++, t
= va_arg (args
, tree
))
488 gcc_checking_assert (i
< 3);
489 /* Save the tree arguments for later use. */
490 vec_safe_push (saved_args
, t
);
491 fields
[i
] = build_decl (UNKNOWN_LOCATION
, FIELD_DECL
, NULL_TREE
,
493 DECL_CONTEXT (fields
[i
]) = ret
;
495 DECL_CHAIN (fields
[i
- 1]) = fields
[i
];
499 if (mismatch
!= NULL
)
501 /* We have to add two more decls. */
502 fields
[i
] = build_decl (UNKNOWN_LOCATION
, FIELD_DECL
, NULL_TREE
,
503 pointer_sized_int_node
);
504 DECL_CONTEXT (fields
[i
]) = ret
;
505 DECL_CHAIN (fields
[i
- 1]) = fields
[i
];
508 fields
[i
] = build_decl (UNKNOWN_LOCATION
, FIELD_DECL
, NULL_TREE
,
509 unsigned_char_type_node
);
510 DECL_CONTEXT (fields
[i
]) = ret
;
511 DECL_CHAIN (fields
[i
- 1]) = fields
[i
];
515 TYPE_FIELDS (ret
) = fields
[0];
516 TYPE_NAME (ret
) = get_identifier (name
);
519 /* Now, fill in the type. */
521 static unsigned int ubsan_var_id_num
;
522 ASM_GENERATE_INTERNAL_LABEL (tmp_name
, "Lubsan_data", ubsan_var_id_num
++);
523 tree var
= build_decl (UNKNOWN_LOCATION
, VAR_DECL
, get_identifier (tmp_name
),
525 TREE_STATIC (var
) = 1;
526 TREE_PUBLIC (var
) = 0;
527 DECL_ARTIFICIAL (var
) = 1;
528 DECL_IGNORED_P (var
) = 1;
529 DECL_EXTERNAL (var
) = 0;
531 vec
<constructor_elt
, va_gc
> *v
;
533 tree ctor
= build_constructor (ret
, v
);
535 /* If desirable, set the __ubsan_source_location element. */
537 CONSTRUCTOR_APPEND_ELT (v
, NULL_TREE
, ubsan_source_location (loc
));
539 size_t nelts
= vec_safe_length (saved_args
);
540 for (i
= 0; i
< nelts
; i
++)
542 t
= (*saved_args
)[i
];
543 CONSTRUCTOR_APPEND_ELT (v
, NULL_TREE
, t
);
546 if (mismatch
!= NULL
)
548 /* Append the pointer data. */
549 CONSTRUCTOR_APPEND_ELT (v
, NULL_TREE
, mismatch
->align
);
550 CONSTRUCTOR_APPEND_ELT (v
, NULL_TREE
, mismatch
->ckind
);
553 TREE_CONSTANT (ctor
) = 1;
554 TREE_STATIC (ctor
) = 1;
555 DECL_INITIAL (var
) = ctor
;
556 varpool_finalize_decl (var
);
561 /* Instrument the __builtin_unreachable call. We just call the libubsan
565 ubsan_instrument_unreachable (location_t loc
)
567 if (flag_sanitize_undefined_trap_on_error
)
568 return build_call_expr_loc (loc
, builtin_decl_explicit (BUILT_IN_TRAP
), 0);
570 initialize_sanitizer_builtins ();
571 tree data
= ubsan_create_data ("__ubsan_unreachable_data", &loc
, NULL
,
573 tree t
= builtin_decl_explicit (BUILT_IN_UBSAN_HANDLE_BUILTIN_UNREACHABLE
);
574 return build_call_expr_loc (loc
, t
, 1, build_fold_addr_expr_loc (loc
, data
));
577 /* Return true if T is a call to a libubsan routine. */
580 is_ubsan_builtin_p (tree t
)
582 return TREE_CODE (t
) == FUNCTION_DECL
583 && strncmp (IDENTIFIER_POINTER (DECL_NAME (t
)),
584 "__builtin___ubsan_", 18) == 0;
587 /* Expand the UBSAN_BOUNDS special builtin function. */
590 ubsan_expand_bounds_ifn (gimple_stmt_iterator
*gsi
)
592 gimple stmt
= gsi_stmt (*gsi
);
593 location_t loc
= gimple_location (stmt
);
594 gcc_assert (gimple_call_num_args (stmt
) == 3);
596 /* Pick up the arguments of the UBSAN_BOUNDS call. */
597 tree type
= TREE_TYPE (TREE_TYPE (gimple_call_arg (stmt
, 0)));
598 tree index
= gimple_call_arg (stmt
, 1);
599 tree orig_index_type
= TREE_TYPE (index
);
600 tree bound
= gimple_call_arg (stmt
, 2);
602 gimple_stmt_iterator gsi_orig
= *gsi
;
604 /* Create condition "if (index > bound)". */
605 basic_block then_bb
, fallthru_bb
;
606 gimple_stmt_iterator cond_insert_point
607 = create_cond_insert_point (gsi
, 0/*before_p*/, false, true,
608 &then_bb
, &fallthru_bb
);
609 index
= fold_convert (TREE_TYPE (bound
), index
);
610 index
= force_gimple_operand_gsi (&cond_insert_point
, index
,
611 true/*simple_p*/, NULL_TREE
,
612 false/*before*/, GSI_NEW_STMT
);
613 gimple g
= gimple_build_cond (GT_EXPR
, index
, bound
, NULL_TREE
, NULL_TREE
);
614 gimple_set_location (g
, loc
);
615 gsi_insert_after (&cond_insert_point
, g
, GSI_NEW_STMT
);
617 /* Generate __ubsan_handle_out_of_bounds call. */
618 *gsi
= gsi_after_labels (then_bb
);
619 if (flag_sanitize_undefined_trap_on_error
)
620 g
= gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP
), 0);
624 = ubsan_create_data ("__ubsan_out_of_bounds_data", &loc
, NULL
,
625 ubsan_type_descriptor (type
, UBSAN_PRINT_ARRAY
),
626 ubsan_type_descriptor (orig_index_type
),
628 data
= build_fold_addr_expr_loc (loc
, data
);
629 enum built_in_function bcode
630 = flag_sanitize_recover
631 ? BUILT_IN_UBSAN_HANDLE_OUT_OF_BOUNDS
632 : BUILT_IN_UBSAN_HANDLE_OUT_OF_BOUNDS_ABORT
;
633 tree fn
= builtin_decl_explicit (bcode
);
634 tree val
= force_gimple_operand_gsi (gsi
, ubsan_encode_value (index
),
635 true, NULL_TREE
, true,
637 g
= gimple_build_call (fn
, 2, data
, val
);
639 gimple_set_location (g
, loc
);
640 gsi_insert_before (gsi
, g
, GSI_SAME_STMT
);
642 /* Get rid of the UBSAN_BOUNDS call from the IR. */
643 unlink_stmt_vdef (stmt
);
644 gsi_remove (&gsi_orig
, true);
646 /* Point GSI to next logical statement. */
647 *gsi
= gsi_start_bb (fallthru_bb
);
650 /* Expand UBSAN_NULL internal call. */
653 ubsan_expand_null_ifn (gimple_stmt_iterator gsi
)
655 gimple stmt
= gsi_stmt (gsi
);
656 location_t loc
= gimple_location (stmt
);
657 gcc_assert (gimple_call_num_args (stmt
) == 2);
658 tree ptr
= gimple_call_arg (stmt
, 0);
659 tree ckind
= gimple_call_arg (stmt
, 1);
661 basic_block cur_bb
= gsi_bb (gsi
);
663 /* Split the original block holding the pointer dereference. */
664 edge e
= split_block (cur_bb
, stmt
);
666 /* Get a hold on the 'condition block', the 'then block' and the
668 basic_block cond_bb
= e
->src
;
669 basic_block fallthru_bb
= e
->dest
;
670 basic_block then_bb
= create_empty_bb (cond_bb
);
671 add_bb_to_loop (then_bb
, cond_bb
->loop_father
);
672 loops_state_set (LOOPS_NEED_FIXUP
);
674 /* Make an edge coming from the 'cond block' into the 'then block';
675 this edge is unlikely taken, so set up the probability accordingly. */
676 e
= make_edge (cond_bb
, then_bb
, EDGE_TRUE_VALUE
);
677 e
->probability
= PROB_VERY_UNLIKELY
;
679 /* Connect 'then block' with the 'else block'. This is needed
680 as the ubsan routines we call in the 'then block' are not noreturn.
681 The 'then block' only has one outcoming edge. */
682 make_single_succ_edge (then_bb
, fallthru_bb
, EDGE_FALLTHRU
);
684 /* Set up the fallthrough basic block. */
685 e
= find_edge (cond_bb
, fallthru_bb
);
686 e
->flags
= EDGE_FALSE_VALUE
;
687 e
->count
= cond_bb
->count
;
688 e
->probability
= REG_BR_PROB_BASE
- PROB_VERY_UNLIKELY
;
690 /* Update dominance info for the newly created then_bb; note that
691 fallthru_bb's dominance info has already been updated by
693 if (dom_info_available_p (CDI_DOMINATORS
))
694 set_immediate_dominator (CDI_DOMINATORS
, then_bb
, cond_bb
);
696 /* Put the ubsan builtin call into the newly created BB. */
698 if (flag_sanitize_undefined_trap_on_error
)
699 g
= gimple_build_call (builtin_decl_implicit (BUILT_IN_TRAP
), 0);
702 enum built_in_function bcode
703 = flag_sanitize_recover
704 ? BUILT_IN_UBSAN_HANDLE_TYPE_MISMATCH
705 : BUILT_IN_UBSAN_HANDLE_TYPE_MISMATCH_ABORT
;
706 tree fn
= builtin_decl_implicit (bcode
);
707 const struct ubsan_mismatch_data m
708 = { build_zero_cst (pointer_sized_int_node
), ckind
};
710 = ubsan_create_data ("__ubsan_null_data", &loc
, &m
,
711 ubsan_type_descriptor (TREE_TYPE (ptr
),
712 UBSAN_PRINT_POINTER
),
714 data
= build_fold_addr_expr_loc (loc
, data
);
715 g
= gimple_build_call (fn
, 2, data
,
716 build_zero_cst (pointer_sized_int_node
));
718 gimple_set_location (g
, loc
);
719 gimple_stmt_iterator gsi2
= gsi_start_bb (then_bb
);
720 gsi_insert_after (&gsi2
, g
, GSI_NEW_STMT
);
722 /* Unlink the UBSAN_NULLs vops before replacing it. */
723 unlink_stmt_vdef (stmt
);
725 g
= gimple_build_cond (EQ_EXPR
, ptr
, build_int_cst (TREE_TYPE (ptr
), 0),
726 NULL_TREE
, NULL_TREE
);
727 gimple_set_location (g
, loc
);
729 /* Replace the UBSAN_NULL with a GIMPLE_COND stmt. */
730 gsi_replace (&gsi
, g
, false);
733 /* Instrument a member call. We check whether 'this' is NULL. */
736 instrument_member_call (gimple_stmt_iterator
*iter
)
738 tree this_parm
= gimple_call_arg (gsi_stmt (*iter
), 0);
739 tree kind
= build_int_cst (unsigned_char_type_node
, UBSAN_MEMBER_CALL
);
740 gimple g
= gimple_build_call_internal (IFN_UBSAN_NULL
, 2, this_parm
, kind
);
741 gimple_set_location (g
, gimple_location (gsi_stmt (*iter
)));
742 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
745 /* Instrument a memory reference. T is the pointer, IS_LHS says
746 whether the pointer is on the left hand side of the assignment. */
749 instrument_mem_ref (tree t
, gimple_stmt_iterator
*iter
, bool is_lhs
)
751 enum ubsan_null_ckind ikind
= is_lhs
? UBSAN_STORE_OF
: UBSAN_LOAD_OF
;
752 if (RECORD_OR_UNION_TYPE_P (TREE_TYPE (TREE_TYPE (t
))))
753 ikind
= UBSAN_MEMBER_ACCESS
;
754 tree kind
= build_int_cst (unsigned_char_type_node
, ikind
);
755 gimple g
= gimple_build_call_internal (IFN_UBSAN_NULL
, 2, t
, kind
);
756 gimple_set_location (g
, gimple_location (gsi_stmt (*iter
)));
757 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
760 /* Perform the pointer instrumentation. */
763 instrument_null (gimple_stmt_iterator gsi
, bool is_lhs
)
765 gimple stmt
= gsi_stmt (gsi
);
766 tree t
= is_lhs
? gimple_get_lhs (stmt
) : gimple_assign_rhs1 (stmt
);
767 t
= get_base_address (t
);
768 const enum tree_code code
= TREE_CODE (t
);
770 && TREE_CODE (TREE_OPERAND (t
, 0)) == SSA_NAME
)
771 instrument_mem_ref (TREE_OPERAND (t
, 0), &gsi
, is_lhs
);
772 else if (code
== ADDR_EXPR
773 && POINTER_TYPE_P (TREE_TYPE (t
))
774 && TREE_CODE (TREE_TYPE (TREE_TYPE (t
))) == METHOD_TYPE
)
775 instrument_member_call (&gsi
);
778 /* Build an ubsan builtin call for the signed-integer-overflow
779 sanitization. CODE says what kind of builtin are we building,
780 LOC is a location, LHSTYPE is the type of LHS, OP0 and OP1
781 are operands of the binary operation. */
784 ubsan_build_overflow_builtin (tree_code code
, location_t loc
, tree lhstype
,
787 if (flag_sanitize_undefined_trap_on_error
)
788 return build_call_expr_loc (loc
, builtin_decl_explicit (BUILT_IN_TRAP
), 0);
790 tree data
= ubsan_create_data ("__ubsan_overflow_data", &loc
, NULL
,
791 ubsan_type_descriptor (lhstype
), NULL_TREE
);
792 enum built_in_function fn_code
;
797 fn_code
= flag_sanitize_recover
798 ? BUILT_IN_UBSAN_HANDLE_ADD_OVERFLOW
799 : BUILT_IN_UBSAN_HANDLE_ADD_OVERFLOW_ABORT
;
802 fn_code
= flag_sanitize_recover
803 ? BUILT_IN_UBSAN_HANDLE_SUB_OVERFLOW
804 : BUILT_IN_UBSAN_HANDLE_SUB_OVERFLOW_ABORT
;
807 fn_code
= flag_sanitize_recover
808 ? BUILT_IN_UBSAN_HANDLE_MUL_OVERFLOW
809 : BUILT_IN_UBSAN_HANDLE_MUL_OVERFLOW_ABORT
;
812 fn_code
= flag_sanitize_recover
813 ? BUILT_IN_UBSAN_HANDLE_NEGATE_OVERFLOW
814 : BUILT_IN_UBSAN_HANDLE_NEGATE_OVERFLOW_ABORT
;
819 tree fn
= builtin_decl_explicit (fn_code
);
820 return build_call_expr_loc (loc
, fn
, 2 + (code
!= NEGATE_EXPR
),
821 build_fold_addr_expr_loc (loc
, data
),
822 ubsan_encode_value (op0
, true),
823 op1
? ubsan_encode_value (op1
, true)
827 /* Perform the signed integer instrumentation. GSI is the iterator
828 pointing at statement we are trying to instrument. */
831 instrument_si_overflow (gimple_stmt_iterator gsi
)
833 gimple stmt
= gsi_stmt (gsi
);
834 tree_code code
= gimple_assign_rhs_code (stmt
);
835 tree lhs
= gimple_assign_lhs (stmt
);
836 tree lhstype
= TREE_TYPE (lhs
);
840 /* If this is not a signed operation, don't instrument anything here.
841 Also punt on bit-fields. */
842 if (!INTEGRAL_TYPE_P (lhstype
)
843 || TYPE_OVERFLOW_WRAPS (lhstype
)
844 || GET_MODE_BITSIZE (TYPE_MODE (lhstype
)) != TYPE_PRECISION (lhstype
))
855 i = UBSAN_CHECK_{ADD,SUB,MUL} (u, 5); */
856 a
= gimple_assign_rhs1 (stmt
);
857 b
= gimple_assign_rhs2 (stmt
);
858 g
= gimple_build_call_internal (code
== PLUS_EXPR
859 ? IFN_UBSAN_CHECK_ADD
861 ? IFN_UBSAN_CHECK_SUB
862 : IFN_UBSAN_CHECK_MUL
, 2, a
, b
);
863 gimple_call_set_lhs (g
, lhs
);
864 gsi_replace (&gsi
, g
, false);
869 i = UBSAN_CHECK_SUB (0, u); */
870 a
= build_int_cst (lhstype
, 0);
871 b
= gimple_assign_rhs1 (stmt
);
872 g
= gimple_build_call_internal (IFN_UBSAN_CHECK_SUB
, 2, a
, b
);
873 gimple_call_set_lhs (g
, lhs
);
874 gsi_replace (&gsi
, g
, false);
877 /* Transform i = ABS_EXPR<u>;
879 _N = UBSAN_CHECK_SUB (0, u);
881 a
= build_int_cst (lhstype
, 0);
882 b
= gimple_assign_rhs1 (stmt
);
883 g
= gimple_build_call_internal (IFN_UBSAN_CHECK_SUB
, 2, a
, b
);
884 a
= make_ssa_name (lhstype
, NULL
);
885 gimple_call_set_lhs (g
, a
);
886 gimple_set_location (g
, gimple_location (stmt
));
887 gsi_insert_before (&gsi
, g
, GSI_SAME_STMT
);
888 gimple_assign_set_rhs1 (stmt
, a
);
896 /* Instrument loads from (non-bitfield) bool and C++ enum values
897 to check if the memory value is outside of the range of the valid
901 instrument_bool_enum_load (gimple_stmt_iterator
*gsi
)
903 gimple stmt
= gsi_stmt (*gsi
);
904 tree rhs
= gimple_assign_rhs1 (stmt
);
905 tree type
= TREE_TYPE (rhs
);
906 tree minv
= NULL_TREE
, maxv
= NULL_TREE
;
908 if (TREE_CODE (type
) == BOOLEAN_TYPE
&& (flag_sanitize
& SANITIZE_BOOL
))
910 minv
= boolean_false_node
;
911 maxv
= boolean_true_node
;
913 else if (TREE_CODE (type
) == ENUMERAL_TYPE
914 && (flag_sanitize
& SANITIZE_ENUM
)
915 && TREE_TYPE (type
) != NULL_TREE
916 && TREE_CODE (TREE_TYPE (type
)) == INTEGER_TYPE
917 && (TYPE_PRECISION (TREE_TYPE (type
))
918 < GET_MODE_PRECISION (TYPE_MODE (type
))))
920 minv
= TYPE_MIN_VALUE (TREE_TYPE (type
));
921 maxv
= TYPE_MAX_VALUE (TREE_TYPE (type
));
926 int modebitsize
= GET_MODE_BITSIZE (TYPE_MODE (type
));
927 HOST_WIDE_INT bitsize
, bitpos
;
929 enum machine_mode mode
;
930 int volatilep
= 0, unsignedp
= 0;
931 tree base
= get_inner_reference (rhs
, &bitsize
, &bitpos
, &offset
, &mode
,
932 &unsignedp
, &volatilep
, false);
933 tree utype
= build_nonstandard_integer_type (modebitsize
, 1);
935 if ((TREE_CODE (base
) == VAR_DECL
&& DECL_HARD_REGISTER (base
))
936 || (bitpos
% modebitsize
) != 0
937 || bitsize
!= modebitsize
938 || GET_MODE_BITSIZE (TYPE_MODE (utype
)) != modebitsize
939 || TREE_CODE (gimple_assign_lhs (stmt
)) != SSA_NAME
)
942 location_t loc
= gimple_location (stmt
);
943 tree ptype
= build_pointer_type (TREE_TYPE (rhs
));
944 tree atype
= reference_alias_ptr_type (rhs
);
945 gimple g
= gimple_build_assign (make_ssa_name (ptype
, NULL
),
946 build_fold_addr_expr (rhs
));
947 gimple_set_location (g
, loc
);
948 gsi_insert_before (gsi
, g
, GSI_SAME_STMT
);
949 tree mem
= build2 (MEM_REF
, utype
, gimple_assign_lhs (g
),
950 build_int_cst (atype
, 0));
951 tree urhs
= make_ssa_name (utype
, NULL
);
952 g
= gimple_build_assign (urhs
, mem
);
953 gimple_set_location (g
, loc
);
954 gsi_insert_before (gsi
, g
, GSI_SAME_STMT
);
955 minv
= fold_convert (utype
, minv
);
956 maxv
= fold_convert (utype
, maxv
);
957 if (!integer_zerop (minv
))
959 g
= gimple_build_assign_with_ops (MINUS_EXPR
,
960 make_ssa_name (utype
, NULL
),
962 gimple_set_location (g
, loc
);
963 gsi_insert_before (gsi
, g
, GSI_SAME_STMT
);
966 gimple_stmt_iterator gsi2
= *gsi
;
967 basic_block then_bb
, fallthru_bb
;
968 *gsi
= create_cond_insert_point (gsi
, true, false, true,
969 &then_bb
, &fallthru_bb
);
970 g
= gimple_build_cond (GT_EXPR
, gimple_assign_lhs (g
),
971 int_const_binop (MINUS_EXPR
, maxv
, minv
),
972 NULL_TREE
, NULL_TREE
);
973 gimple_set_location (g
, loc
);
974 gsi_insert_after (gsi
, g
, GSI_NEW_STMT
);
976 gimple_assign_set_rhs_with_ops (&gsi2
, NOP_EXPR
, urhs
, NULL_TREE
);
979 gsi2
= gsi_after_labels (then_bb
);
980 if (flag_sanitize_undefined_trap_on_error
)
981 g
= gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP
), 0);
984 tree data
= ubsan_create_data ("__ubsan_invalid_value_data", &loc
, NULL
,
985 ubsan_type_descriptor (type
), NULL_TREE
);
986 data
= build_fold_addr_expr_loc (loc
, data
);
987 enum built_in_function bcode
988 = flag_sanitize_recover
989 ? BUILT_IN_UBSAN_HANDLE_LOAD_INVALID_VALUE
990 : BUILT_IN_UBSAN_HANDLE_LOAD_INVALID_VALUE_ABORT
;
991 tree fn
= builtin_decl_explicit (bcode
);
993 tree val
= force_gimple_operand_gsi (&gsi2
, ubsan_encode_value (urhs
),
994 true, NULL_TREE
, true,
996 g
= gimple_build_call (fn
, 2, data
, val
);
998 gimple_set_location (g
, loc
);
999 gsi_insert_before (&gsi2
, g
, GSI_SAME_STMT
);
1002 /* Instrument float point-to-integer conversion. TYPE is an integer type of
1003 destination, EXPR is floating-point expression. */
1006 ubsan_instrument_float_cast (location_t loc
, tree type
, tree expr
)
1008 tree expr_type
= TREE_TYPE (expr
);
1009 tree t
, tt
, fn
, min
, max
;
1010 enum machine_mode mode
= TYPE_MODE (expr_type
);
1011 int prec
= TYPE_PRECISION (type
);
1012 bool uns_p
= TYPE_UNSIGNED (type
);
1014 /* Float to integer conversion first truncates toward zero, so
1015 even signed char c = 127.875f; is not problematic.
1016 Therefore, we should complain only if EXPR is unordered or smaller
1017 or equal than TYPE_MIN_VALUE - 1.0 or greater or equal than
1018 TYPE_MAX_VALUE + 1.0. */
1019 if (REAL_MODE_FORMAT (mode
)->b
== 2)
1021 /* For maximum, TYPE_MAX_VALUE might not be representable
1022 in EXPR_TYPE, e.g. if TYPE is 64-bit long long and
1023 EXPR_TYPE is IEEE single float, but TYPE_MAX_VALUE + 1.0 is
1024 either representable or infinity. */
1025 REAL_VALUE_TYPE maxval
= dconst1
;
1026 SET_REAL_EXP (&maxval
, REAL_EXP (&maxval
) + prec
- !uns_p
);
1027 real_convert (&maxval
, mode
, &maxval
);
1028 max
= build_real (expr_type
, maxval
);
1030 /* For unsigned, assume -1.0 is always representable. */
1032 min
= build_minus_one_cst (expr_type
);
1035 /* TYPE_MIN_VALUE is generally representable (or -inf),
1036 but TYPE_MIN_VALUE - 1.0 might not be. */
1037 REAL_VALUE_TYPE minval
= dconstm1
, minval2
;
1038 SET_REAL_EXP (&minval
, REAL_EXP (&minval
) + prec
- 1);
1039 real_convert (&minval
, mode
, &minval
);
1040 real_arithmetic (&minval2
, MINUS_EXPR
, &minval
, &dconst1
);
1041 real_convert (&minval2
, mode
, &minval2
);
1042 if (real_compare (EQ_EXPR
, &minval
, &minval2
)
1043 && !real_isinf (&minval
))
1045 /* If TYPE_MIN_VALUE - 1.0 is not representable and
1046 rounds to TYPE_MIN_VALUE, we need to subtract
1047 more. As REAL_MODE_FORMAT (mode)->p is the number
1048 of base digits, we want to subtract a number that
1049 will be 1 << (REAL_MODE_FORMAT (mode)->p - 1)
1050 times smaller than minval. */
1052 gcc_assert (prec
> REAL_MODE_FORMAT (mode
)->p
);
1053 SET_REAL_EXP (&minval2
,
1054 REAL_EXP (&minval2
) + prec
- 1
1055 - REAL_MODE_FORMAT (mode
)->p
+ 1);
1056 real_arithmetic (&minval2
, MINUS_EXPR
, &minval
, &minval2
);
1057 real_convert (&minval2
, mode
, &minval2
);
1059 min
= build_real (expr_type
, minval2
);
1062 else if (REAL_MODE_FORMAT (mode
)->b
== 10)
1064 /* For _Decimal128 up to 34 decimal digits, - sign,
1065 dot, e, exponent. */
1068 int p
= REAL_MODE_FORMAT (mode
)->p
;
1069 REAL_VALUE_TYPE maxval
, minval
;
1071 /* Use mpfr_snprintf rounding to compute the smallest
1072 representable decimal number greater or equal than
1073 1 << (prec - !uns_p). */
1074 mpfr_init2 (m
, prec
+ 2);
1075 mpfr_set_ui_2exp (m
, 1, prec
- !uns_p
, GMP_RNDN
);
1076 mpfr_snprintf (buf
, sizeof buf
, "%.*RUe", p
- 1, m
);
1077 decimal_real_from_string (&maxval
, buf
);
1078 max
= build_real (expr_type
, maxval
);
1080 /* For unsigned, assume -1.0 is always representable. */
1082 min
= build_minus_one_cst (expr_type
);
1085 /* Use mpfr_snprintf rounding to compute the largest
1086 representable decimal number less or equal than
1087 (-1 << (prec - 1)) - 1. */
1088 mpfr_set_si_2exp (m
, -1, prec
- 1, GMP_RNDN
);
1089 mpfr_sub_ui (m
, m
, 1, GMP_RNDN
);
1090 mpfr_snprintf (buf
, sizeof buf
, "%.*RDe", p
- 1, m
);
1091 decimal_real_from_string (&minval
, buf
);
1092 min
= build_real (expr_type
, minval
);
1099 if (flag_sanitize_undefined_trap_on_error
)
1100 fn
= build_call_expr_loc (loc
, builtin_decl_explicit (BUILT_IN_TRAP
), 0);
1103 /* Create the __ubsan_handle_float_cast_overflow fn call. */
1104 tree data
= ubsan_create_data ("__ubsan_float_cast_overflow_data", NULL
,
1105 NULL
, ubsan_type_descriptor (expr_type
),
1106 ubsan_type_descriptor (type
), NULL_TREE
);
1107 enum built_in_function bcode
1108 = flag_sanitize_recover
1109 ? BUILT_IN_UBSAN_HANDLE_FLOAT_CAST_OVERFLOW
1110 : BUILT_IN_UBSAN_HANDLE_FLOAT_CAST_OVERFLOW_ABORT
;
1111 fn
= builtin_decl_explicit (bcode
);
1112 fn
= build_call_expr_loc (loc
, fn
, 2,
1113 build_fold_addr_expr_loc (loc
, data
),
1114 ubsan_encode_value (expr
, false));
1117 t
= fold_build2 (UNLE_EXPR
, boolean_type_node
, expr
, min
);
1118 tt
= fold_build2 (UNGE_EXPR
, boolean_type_node
, expr
, max
);
1119 return fold_build3 (COND_EXPR
, void_type_node
,
1120 fold_build2 (TRUTH_OR_EXPR
, boolean_type_node
, t
, tt
),
1121 fn
, integer_zero_node
);
1126 const pass_data pass_data_ubsan
=
1128 GIMPLE_PASS
, /* type */
1130 OPTGROUP_NONE
, /* optinfo_flags */
1131 TV_TREE_UBSAN
, /* tv_id */
1132 ( PROP_cfg
| PROP_ssa
), /* properties_required */
1133 0, /* properties_provided */
1134 0, /* properties_destroyed */
1135 0, /* todo_flags_start */
1136 TODO_update_ssa
, /* todo_flags_finish */
1139 class pass_ubsan
: public gimple_opt_pass
1142 pass_ubsan (gcc::context
*ctxt
)
1143 : gimple_opt_pass (pass_data_ubsan
, ctxt
)
1146 /* opt_pass methods: */
1147 virtual bool gate (function
*)
1149 return flag_sanitize
& (SANITIZE_NULL
| SANITIZE_SI_OVERFLOW
1150 | SANITIZE_BOOL
| SANITIZE_ENUM
)
1151 && current_function_decl
!= NULL_TREE
1152 && !lookup_attribute ("no_sanitize_undefined",
1153 DECL_ATTRIBUTES (current_function_decl
));
1156 virtual unsigned int execute (function
*);
1158 }; // class pass_ubsan
1161 pass_ubsan::execute (function
*fun
)
1164 gimple_stmt_iterator gsi
;
1166 initialize_sanitizer_builtins ();
1168 FOR_EACH_BB_FN (bb
, fun
)
1170 for (gsi
= gsi_start_bb (bb
); !gsi_end_p (gsi
);)
1172 gimple stmt
= gsi_stmt (gsi
);
1173 if (is_gimple_debug (stmt
) || gimple_clobber_p (stmt
))
1179 if ((flag_sanitize
& SANITIZE_SI_OVERFLOW
)
1180 && is_gimple_assign (stmt
))
1181 instrument_si_overflow (gsi
);
1183 if (flag_sanitize
& SANITIZE_NULL
)
1185 if (gimple_store_p (stmt
))
1186 instrument_null (gsi
, true);
1187 if (gimple_assign_load_p (stmt
))
1188 instrument_null (gsi
, false);
1191 if (flag_sanitize
& (SANITIZE_BOOL
| SANITIZE_ENUM
)
1192 && gimple_assign_load_p (stmt
))
1193 instrument_bool_enum_load (&gsi
);
1204 make_pass_ubsan (gcc::context
*ctxt
)
1206 return new pass_ubsan (ctxt
);
1209 #include "gt-ubsan.h"