/* AddressSanitizer, a fast memory error detector.
   Copyright (C) 2012-2022 Free Software Foundation, Inc.
   Contributed by Kostya Serebryany <kcc@google.com>

This file is part of GCC.

GCC is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation; either version 3, or (at your option) any later
version.

GCC is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
for more details.

You should have received a copy of the GNU General Public License
along with GCC; see the file COPYING3.  If not see
<http://www.gnu.org/licenses/>.  */
#include "coretypes.h"
#include "alloc-pool.h"
#include "tree-pass.h"
#include "stringpool.h"
#include "tree-ssanames.h"
#include "gimple-pretty-print.h"
#include "fold-const.h"
#include "gimple-iterator.h"
#include "stor-layout.h"
#include "tree-iterator.h"
#include "stringpool.h"
#include "langhooks.h"
#include "gimple-builder.h"
#include "gimple-fold.h"
#include "tree-inline.h"
/* AddressSanitizer finds out-of-bounds and use-after-free bugs
   with <2x slowdown on average.

   The tool consists of two parts:
   instrumentation module (this file) and a run-time library.
   The instrumentation module adds a run-time check before every memory insn.
     For an 8- or 16-byte load accessing address X:
       ShadowAddr = (X >> 3) + Offset
       ShadowValue = *(char*)ShadowAddr;  // *(short*) for 16-byte access.
       if (ShadowValue)
         __asan_report_load8(X);
     For a load of N bytes (N=1, 2 or 4) from address X:
       ShadowAddr = (X >> 3) + Offset
       ShadowValue = *(char*)ShadowAddr;
       if (ShadowValue)
         if ((X & 7) + N - 1 >= ShadowValue)
           __asan_report_loadN(X);
   Stores are instrumented similarly, but using __asan_report_storeN functions.
   A call to __asan_init_vN() is inserted to the list of module CTORs.
   N is the version number of the AddressSanitizer API.  The changes between the
   API versions are listed in libsanitizer/asan/asan_interface_internal.h.
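
   As a minimal illustrative sketch (plain C rather than the GIMPLE the pass
   actually emits, with `kOffset` standing in for the target's shadow offset),
   the check for a 4-byte load through pointer `p` therefore behaves like:

     char shadow = *(char *)(((uintptr_t)p >> 3) + kOffset);
     if (shadow != 0 && ((uintptr_t)p & 7) + 4 - 1 >= shadow)
       __asan_report_load4 ((uintptr_t)p);
     ... = *p;   // the original, now-checked access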
   The run-time library redefines malloc (so that redzones are inserted around
   the allocated memory) and free (so that reuse of freed memory is delayed),
   and provides the __asan_report* and __asan_init_vN functions.

   Read more:
   http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm

   The current implementation supports detection of out-of-bounds and
   use-after-free in the heap, on the stack and for global variables.
   [Protection of stack variables]

   To understand how detection of out-of-bounds and use-after-free works
   for stack variables, let's look at this example on x86_64 where the
   stack grows downward:
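
     (The original example function is omitted here.  A minimal sketch
      consistent with the variable sizes used below -- a 24-byte local 'a'
      and an 8-byte local 'b' -- would be:

        int
        foo ()
        {
          char a[24] = {0};
          char b[8] = {0};

          a[5] = 1;
          return b[1];
        }
     )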
   For this function, the stack protected by asan will be organized as
   follows, from the top of the stack to the bottom:

   Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']

   Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
            the next slot be 32-byte aligned; this one is called Partial
            Redzone; this 32-byte alignment is an asan constraint]

   Slot 3/ [24 bytes for variable 'a']

   Slot 4/ [red zone of 32 bytes called 'Middle RedZone']

   Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2)]

   Slot 6/ [8 bytes for variable 'b']

   Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
            'LEFT RedZone']
   The 32 bytes of LEFT red zone at the bottom of the stack can be
   decomposed as such:

   1/ The first 8 bytes contain a magical asan number that is always
   0x41B58AB3.

   2/ The following 8 bytes contain a pointer to a string (to be
   parsed at runtime by the runtime asan library), whose format is
   the following:

   "<function-name> <space> <num-of-variables-on-the-stack>
   (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
   <length-of-var-in-bytes> ){n} "

   where '(...){n}' means the content inside the parentheses occurs 'n'
   times, with 'n' being the number of variables on the stack.
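
   (Purely as an illustration of the format just described -- the string the
   compiler really emits can carry additional per-variable fields handled by
   the runtime -- the two-variable frame sketched above could be described as

     "foo 2 32 8 96 24 "

   i.e. two variables, one at 32-byte-aligned offset 32 with length 8 and one
   at offset 96 with length 24.)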
   3/ The following 8 bytes contain the PC of the current function which
   will be used by the run-time library to print an error message.

   4/ The following 8 bytes are reserved for internal use by the run-time.

   The shadow memory for that stack layout is going to look like this:
     - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
       The F1 byte pattern is a magic number called
       ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
       the memory for that shadow byte is part of the LEFT red zone
       intended to sit at the bottom of the variables on the stack.

     - content of shadow memory 8 bytes for slots 6 and 5:
       0xF4F4F400.  The F4 byte pattern is a magic number
       called ASAN_STACK_MAGIC_PARTIAL.  It flags the fact that the
       memory region for this shadow byte is a PARTIAL red zone
       intended to pad a variable A, so that the slot following
       {A,padding} is 32 bytes aligned.

       Note that the fact that the least significant byte of this
       shadow memory content is 00 means that 8 bytes of its
       corresponding memory (which corresponds to the memory of
       variable 'b') are addressable.

     - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
       The F2 byte pattern is a magic number called
       ASAN_STACK_MAGIC_MIDDLE.  It flags the fact that the memory
       region for this shadow byte is a MIDDLE red zone intended to
       sit between two 32-byte aligned slots of {variable,padding}.

     - content of shadow memory 8 bytes for slot 3 and 2:
       0xF4000000.  This represents the concatenation of
       variable 'a' and the partial red zone following it, like what we
       had for variable 'b'.  The least significant 3 bytes being 00
       means that the 24 bytes of variable 'a' are addressable.

     - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
       The F3 byte pattern is a magic number called
       ASAN_STACK_MAGIC_RIGHT.  It flags the fact that the memory
       region for this shadow byte is a RIGHT red zone intended to sit
       at the top of the variables of the stack.
   Note that the real variable layout is done in expand_used_vars in
   cfgexpand.cc.  As far as Address Sanitizer is concerned, it lays out
   stack variables as well as the different red zones, emits some
   prologue code to populate the shadow memory so as to poison (mark as
   non-accessible) the regions of the red zones and mark the regions of
   stack variables as accessible, and emits some epilogue code to
   un-poison (mark as accessible) the regions of red zones right before
   the function exits.
   [Protection of global variables]

   The basic idea is to insert a red zone between two global variables
   and install a constructor function that calls the asan runtime to do
   the populating of the relevant shadow memory regions at load time.

   So the global variables are laid out as to insert a red zone between
   them.  The size of the red zones is so that each variable starts on a
   32-byte boundary.

   Then a constructor function is installed so that, for each global
   variable, it calls the runtime asan library function
   __asan_register_globals with an instance of this type:
     struct __asan_global
     {
       // Address of the beginning of the global variable.
       const void *__beg;

       // Initial size of the global variable.
       uptr __size;

       // Size of the global variable + size of the red zone.  This
       //   size is 32 bytes aligned.
       uptr __size_with_redzone;

       // Name of the global variable.
       const void *__name;

       // Name of the module where the global variable is declared.
       const void *__module_name;

       // 1 if it has dynamic initialization, 0 otherwise.
       uptr __has_dynamic_init;

       // A pointer to struct that contains source location, could be NULL.
       __asan_global_source_location *__location;
     }

   A destructor function that calls the runtime asan library function
   __asan_unregister_globals is also installed.  */
static unsigned HOST_WIDE_INT asan_shadow_offset_value;
static bool asan_shadow_offset_computed;
static vec<char *> sanitized_sections;
static tree last_alloca_addr;

/* Set of variable declarations that are going to be guarded by
   use-after-scope sanitizer.  */

hash_set<tree> *asan_handled_variables = NULL;

hash_set<tree> *asan_used_labels = NULL;
/* Global variables for HWASAN stack tagging.  */
/* hwasan_frame_tag_offset records the offset from the frame base tag that the
   next object should have.  */
static uint8_t hwasan_frame_tag_offset = 0;
/* hwasan_frame_base_ptr is a pointer with the same address as
   `virtual_stack_vars_rtx` for the current frame, and with the frame base tag
   stored in it.  N.b. this global RTX does not need to be marked GTY, but is
   done so anyway.  The need is not there since all uses are in just one pass
   (cfgexpand) and there are no calls to ggc_collect between the uses.  We mark
   it GTY(()) anyway to allow the use of the variable later on if needed by
   future features.  */
static GTY(()) rtx hwasan_frame_base_ptr = NULL_RTX;
/* hwasan_frame_base_init_seq is the sequence of RTL insns that will initialize
   the hwasan_frame_base_ptr.  When the hwasan_frame_base_ptr is requested, we
   generate this sequence but do not emit it.  If the sequence was created it
   is emitted once the function body has been expanded.

   This delay is because the frame base pointer may be needed anywhere in the
   function body, or needed by the expand_used_vars function.  Emitting once in
   a known place is simpler than requiring the emitter to know where the
   sequence should go depending on the first place the hwasan frame base is
   needed.  */
static GTY(()) rtx_insn *hwasan_frame_base_init_seq = NULL;
/* Structure defining the extent of one object on the stack that HWASAN needs
   to tag in the corresponding shadow stack space.

   The range this object spans on the stack is between `untagged_base +
   nearest_offset` and `untagged_base + farthest_offset`.
   `tagged_base` is an rtx containing the same value as `untagged_base` but
   with a random tag stored in the top byte.  We record both `untagged_base`
   and `tagged_base` so that `hwasan_emit_prologue` can use both without having
   to emit RTL into the instruction stream to re-calculate one from the other.
   (`hwasan_emit_prologue` needs to use both bases since the
   __hwasan_tag_memory call it emits uses an untagged value, and it calculates
   the tag to store in shadow memory based on the tag_offset plus the tag in
   `tagged_base`.)  */
struct hwasan_stack_var
{
  rtx untagged_base;
  rtx tagged_base;
  poly_int64 nearest_offset;
  poly_int64 farthest_offset;
  uint8_t tag_offset;
};

/* Variable recording all stack variables that HWASAN needs to tag.
   Does not need to be marked as GTY(()) since every use is in the cfgexpand
   pass and ggc_collect is not called in the middle of that pass.  */
static vec<hwasan_stack_var> hwasan_tagged_stack_vars;
/* Sets shadow offset to value in string VAL.  */

bool
set_asan_shadow_offset (const char *val)
{
  char *endp;

  errno = 0;
#ifdef HAVE_LONG_LONG
  asan_shadow_offset_value = strtoull (val, &endp, 0);
#else
  asan_shadow_offset_value = strtoul (val, &endp, 0);
#endif
  if (!(*val != '\0' && *endp == '\0' && errno == 0))
    return false;

  asan_shadow_offset_computed = true;

  return true;
}
/* Set list of user-defined sections that need to be sanitized.  */

void
set_sanitized_sections (const char *sections)
{
  char *pat;
  unsigned i;
  FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
    free (pat);
  sanitized_sections.truncate (0);

  for (const char *s = sections; *s; )
    {
      const char *end;
      for (end = s; *end && *end != ','; ++end);
      size_t len = end - s;
      sanitized_sections.safe_push (xstrndup (s, len));
      s = *end ? end + 1 : end;
    }
}
static bool
asan_mark_p (gimple *stmt, enum asan_mark_flags flag)
{
  return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
	  && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag);
}

bool
asan_sanitize_stack_p (void)
{
  return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_stack);
}

bool
asan_sanitize_allocas_p (void)
{
  return (asan_sanitize_stack_p () && param_asan_protect_allocas);
}

bool
asan_instrument_reads (void)
{
  return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_reads);
}

bool
asan_instrument_writes (void)
{
  return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_writes);
}

bool
asan_memintrin (void)
{
  return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_memintrin);
}
/* Checks whether section SEC should be sanitized.  */

static bool
section_sanitized_p (const char *sec)
{
  char *pat;
  unsigned i;
  FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
    if (fnmatch (pat, sec, FNM_PERIOD) == 0)
      return true;
  return false;
}

/* Returns Asan shadow offset.  */

static unsigned HOST_WIDE_INT
asan_shadow_offset ()
{
  if (!asan_shadow_offset_computed)
    {
      asan_shadow_offset_computed = true;
      asan_shadow_offset_value = targetm.asan_shadow_offset ();
    }
  return asan_shadow_offset_value;
}
/* Returns whether the Asan shadow offset has been set.  */

bool
asan_shadow_offset_set_p ()
{
  return asan_shadow_offset_computed;
}

alias_set_type asan_shadow_set = -1;

/* Pointer types to 1, 2 or 4 byte integers in shadow memory.  A separate
   alias set is used for all shadow memory accesses.  */
static GTY(()) tree shadow_ptr_types[3];

/* Decl for __asan_option_detect_stack_use_after_return.  */
static GTY(()) tree asan_detect_stack_use_after_return;
/* Hashtable support for memory references used by gimple
   statements.  */

/* This type represents a reference to a memory region.  */
struct asan_mem_ref
{
  /* The expression of the beginning of the memory region.  */
  tree start;
  /* The size of the access.  */
  HOST_WIDE_INT access_size;
};
object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
449 /* Initializes an instance of asan_mem_ref. */
452 asan_mem_ref_init (asan_mem_ref
*ref
, tree start
, HOST_WIDE_INT access_size
)
455 ref
->access_size
= access_size
;
458 /* Allocates memory for an instance of asan_mem_ref into the memory
459 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
460 START is the address of (or the expression pointing to) the
461 beginning of memory reference. ACCESS_SIZE is the size of the
462 access to the referenced memory. */
465 asan_mem_ref_new (tree start
, HOST_WIDE_INT access_size
)
467 asan_mem_ref
*ref
= asan_mem_ref_pool
.allocate ();
469 asan_mem_ref_init (ref
, start
, access_size
);
473 /* This builds and returns a pointer to the end of the memory region
474 that starts at START and of length LEN. */
477 asan_mem_ref_get_end (tree start
, tree len
)
479 if (len
== NULL_TREE
|| integer_zerop (len
))
482 if (!ptrofftype_p (len
))
483 len
= convert_to_ptrofftype (len
);
485 return fold_build2 (POINTER_PLUS_EXPR
, TREE_TYPE (start
), start
, len
);
/* Return a tree expression that represents the end of the referenced
   memory region.  Beware that this function can actually build a new
   tree expression.  */
493 asan_mem_ref_get_end (const asan_mem_ref
*ref
, tree len
)
495 return asan_mem_ref_get_end (ref
->start
, len
);
498 struct asan_mem_ref_hasher
: nofree_ptr_hash
<asan_mem_ref
>
500 static inline hashval_t
hash (const asan_mem_ref
*);
501 static inline bool equal (const asan_mem_ref
*, const asan_mem_ref
*);
504 /* Hash a memory reference. */
507 asan_mem_ref_hasher::hash (const asan_mem_ref
*mem_ref
)
509 return iterative_hash_expr (mem_ref
->start
, 0);
512 /* Compare two memory references. We accept the length of either
513 memory references to be NULL_TREE. */
516 asan_mem_ref_hasher::equal (const asan_mem_ref
*m1
,
517 const asan_mem_ref
*m2
)
519 return operand_equal_p (m1
->start
, m2
->start
, 0);
522 static hash_table
<asan_mem_ref_hasher
> *asan_mem_ref_ht
;
524 /* Returns a reference to the hash table containing memory references.
525 This function ensures that the hash table is created. Note that
526 this hash table is updated by the function
527 update_mem_ref_hash_table. */
529 static hash_table
<asan_mem_ref_hasher
> *
530 get_mem_ref_hash_table ()
532 if (!asan_mem_ref_ht
)
533 asan_mem_ref_ht
= new hash_table
<asan_mem_ref_hasher
> (10);
535 return asan_mem_ref_ht
;
538 /* Clear all entries from the memory references hash table. */
541 empty_mem_ref_hash_table ()
544 asan_mem_ref_ht
->empty ();
547 /* Free the memory references hash table. */
550 free_mem_ref_resources ()
552 delete asan_mem_ref_ht
;
553 asan_mem_ref_ht
= NULL
;
555 asan_mem_ref_pool
.release ();
558 /* Return true iff the memory reference REF has been instrumented. */
561 has_mem_ref_been_instrumented (tree ref
, HOST_WIDE_INT access_size
)
564 asan_mem_ref_init (&r
, ref
, access_size
);
566 asan_mem_ref
*saved_ref
= get_mem_ref_hash_table ()->find (&r
);
567 return saved_ref
&& saved_ref
->access_size
>= access_size
;
570 /* Return true iff the memory reference REF has been instrumented. */
573 has_mem_ref_been_instrumented (const asan_mem_ref
*ref
)
575 return has_mem_ref_been_instrumented (ref
->start
, ref
->access_size
);
578 /* Return true iff access to memory region starting at REF and of
579 length LEN has been instrumented. */
582 has_mem_ref_been_instrumented (const asan_mem_ref
*ref
, tree len
)
584 HOST_WIDE_INT size_in_bytes
585 = tree_fits_shwi_p (len
) ? tree_to_shwi (len
) : -1;
587 return size_in_bytes
!= -1
588 && has_mem_ref_been_instrumented (ref
->start
, size_in_bytes
);
/* Set REF to the memory reference present in a gimple assignment
   ASSIGNMENT.  Return true upon successful completion, false
   otherwise.  */
596 get_mem_ref_of_assignment (const gassign
*assignment
,
600 gcc_assert (gimple_assign_single_p (assignment
));
602 if (gimple_store_p (assignment
)
603 && !gimple_clobber_p (assignment
))
605 ref
->start
= gimple_assign_lhs (assignment
);
606 *ref_is_store
= true;
608 else if (gimple_assign_load_p (assignment
))
610 ref
->start
= gimple_assign_rhs1 (assignment
);
611 *ref_is_store
= false;
616 ref
->access_size
= int_size_in_bytes (TREE_TYPE (ref
->start
));
620 /* Return address of last allocated dynamic alloca. */
623 get_last_alloca_addr ()
625 if (last_alloca_addr
)
626 return last_alloca_addr
;
628 last_alloca_addr
= create_tmp_reg (ptr_type_node
, "last_alloca_addr");
629 gassign
*g
= gimple_build_assign (last_alloca_addr
, null_pointer_node
);
630 edge e
= single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun
));
631 gsi_insert_on_edge_immediate (e
, g
);
632 return last_alloca_addr
;
/* Insert __asan_allocas_unpoison (top, bottom) call before
   __builtin_stack_restore (new_sp) call.
   The pseudocode of this routine should look like this:
     top = last_alloca_addr;
     bot = new_sp;
     __asan_allocas_unpoison (top, bot);
     last_alloca_addr = new_sp;
     __builtin_stack_restore (new_sp);
   In general, we can't use new_sp as the bot parameter because on some
   architectures SP has a non-zero offset from the dynamic stack area.
   Moreover, on some architectures this offset (STACK_DYNAMIC_OFFSET) becomes
   known for each particular function only after all callees were expanded to
   rtl.  The most noticeable example is PowerPC{,64}, see
   http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
   To overcome the issue we use the following trick: pass new_sp as a second
   parameter to __asan_allocas_unpoison and rewrite it during expansion with
   new_sp + (virtual_dynamic_stack_rtx - sp) later in the
   expand_asan_emit_allocas_unpoison function.

   HWASAN needs to do something very similar; the eventual pseudocode should be:
      __hwasan_tag_memory (virtual_stack_dynamic_rtx,
			   0,
			   new_sp - sp);
      __builtin_stack_restore (new_sp)

   We need to use the same trick to handle STACK_DYNAMIC_OFFSET as described
   above.  */
664 handle_builtin_stack_restore (gcall
*call
, gimple_stmt_iterator
*iter
)
667 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ()))
670 tree restored_stack
= gimple_call_arg (call
, 0);
674 if (hwasan_sanitize_allocas_p ())
676 enum internal_fn fn
= IFN_HWASAN_ALLOCA_UNPOISON
;
677 /* There is only one piece of information `expand_HWASAN_ALLOCA_UNPOISON`
678 needs to work. This is the length of the area that we're
679 deallocating. Since the stack pointer is known at expand time, the
680 position of the new stack pointer after deallocation is enough
681 information to calculate this length. */
682 g
= gimple_build_call_internal (fn
, 1, restored_stack
);
686 tree last_alloca
= get_last_alloca_addr ();
687 tree fn
= builtin_decl_implicit (BUILT_IN_ASAN_ALLOCAS_UNPOISON
);
688 g
= gimple_build_call (fn
, 2, last_alloca
, restored_stack
);
689 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
690 g
= gimple_build_assign (last_alloca
, restored_stack
);
693 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
/* Deploy and poison redzones around a __builtin_alloca call.  To do this, we
   should replace this call with another one with changed parameters and
   replace all its uses with the new address, so
       addr = __builtin_alloca (old_size, align);
   is replaced by
       left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
   The following two statements are optimized out if we know that
   old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
   redzones.
       misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
       partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
       right_redzone_size = ASAN_RED_ZONE_SIZE;
       additional_size = left_redzone_size + partial_redzone_size +
			 right_redzone_size;
       new_size = old_size + additional_size;
       new_alloca = __builtin_alloca (new_size, max (align, 32))
       __asan_alloca_poison (new_alloca, old_size)
       addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
       last_alloca_addr = new_alloca;
   ADDITIONAL_SIZE is added to make the new memory allocation contain not only
   the requested memory, but also left, partial and right redzones as well as
   some additional space required by alignment.  */
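
/* A purely illustrative numeric instance of the rewrite above (assuming
   ASAN_RED_ZONE_SIZE == 32 and a 32-byte ALIGN): for old_size = 100,
   misalign = 100 & 31 = 4, partial_redzone_size = 28,
   additional_size = 32 + 28 + 32 = 92, new_size = 192, and ADDR ends up
   at new_alloca + 32 while last_alloca_addr records new_alloca itself.  */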
720 handle_builtin_alloca (gcall
*call
, gimple_stmt_iterator
*iter
)
723 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ()))
728 tree callee
= gimple_call_fndecl (call
);
729 tree old_size
= gimple_call_arg (call
, 0);
730 tree ptr_type
= gimple_call_lhs (call
) ? TREE_TYPE (gimple_call_lhs (call
))
732 tree partial_size
= NULL_TREE
;
734 = DECL_FUNCTION_CODE (callee
) == BUILT_IN_ALLOCA
735 ? 0 : tree_to_uhwi (gimple_call_arg (call
, 1));
737 if (hwasan_sanitize_allocas_p ())
739 gimple_seq stmts
= NULL
;
740 location_t loc
= gimple_location (gsi_stmt (*iter
));
742 HWASAN needs a different expansion.
744 addr = __builtin_alloca (size, align);
746 should be replaced by
748 new_size = size rounded up to HWASAN_TAG_GRANULE_SIZE byte alignment;
749 untagged_addr = __builtin_alloca (new_size, align);
750 tag = __hwasan_choose_alloca_tag ();
751 addr = ifn_HWASAN_SET_TAG (untagged_addr, tag);
752 __hwasan_tag_memory (untagged_addr, tag, new_size);
754 /* Ensure alignment at least HWASAN_TAG_GRANULE_SIZE bytes so we start on
756 align
= align
> HWASAN_TAG_GRANULE_SIZE
? align
: HWASAN_TAG_GRANULE_SIZE
;
758 tree old_size
= gimple_call_arg (call
, 0);
759 tree new_size
= gimple_build_round_up (&stmts
, loc
, size_type_node
,
761 HWASAN_TAG_GRANULE_SIZE
);
763 /* Make the alloca call */
765 = gimple_build (&stmts
, loc
,
766 as_combined_fn (BUILT_IN_ALLOCA_WITH_ALIGN
), ptr_type
,
767 new_size
, build_int_cst (size_type_node
, align
));
770 Here we use an internal function so we can choose the tag at expand
771 time. We need the decision to be made after stack variables have been
772 assigned their tag (i.e. once the hwasan_frame_tag_offset variable has
773 been set to one after the last stack variables tag). */
774 tree tag
= gimple_build (&stmts
, loc
, CFN_HWASAN_CHOOSE_TAG
,
775 unsigned_char_type_node
);
777 /* Add tag to pointer. */
779 = gimple_build (&stmts
, loc
, CFN_HWASAN_SET_TAG
, ptr_type
,
782 /* Tag shadow memory.
783 NOTE: require using `untagged_addr` here for libhwasan API. */
784 gimple_build (&stmts
, loc
, as_combined_fn (BUILT_IN_HWASAN_TAG_MEM
),
785 void_type_node
, untagged_addr
, tag
, new_size
);
787 /* Insert the built up code sequence into the original instruction stream
788 the iterator points to. */
789 gsi_insert_seq_before (iter
, stmts
, GSI_SAME_STMT
);
791 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
792 replace_call_with_value (iter
, addr
);
796 tree last_alloca
= get_last_alloca_addr ();
797 const HOST_WIDE_INT redzone_mask
= ASAN_RED_ZONE_SIZE
- 1;
799 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
800 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
802 align
= MAX (align
, ASAN_RED_ZONE_SIZE
* BITS_PER_UNIT
);
804 tree alloca_rz_mask
= build_int_cst (size_type_node
, redzone_mask
);
805 tree redzone_size
= build_int_cst (size_type_node
, ASAN_RED_ZONE_SIZE
);
807 /* Extract lower bits from old_size. */
808 wide_int size_nonzero_bits
= get_nonzero_bits (old_size
);
810 = wi::uhwi (redzone_mask
, wi::get_precision (size_nonzero_bits
));
811 wide_int old_size_lower_bits
= wi::bit_and (size_nonzero_bits
, rz_mask
);
813 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
814 redzone. Otherwise, compute its size here. */
815 if (wi::ne_p (old_size_lower_bits
, 0))
817 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
818 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
819 g
= gimple_build_assign (make_ssa_name (size_type_node
, NULL
),
820 BIT_AND_EXPR
, old_size
, alloca_rz_mask
);
821 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
822 tree misalign
= gimple_assign_lhs (g
);
823 g
= gimple_build_assign (make_ssa_name (size_type_node
, NULL
), MINUS_EXPR
,
824 redzone_size
, misalign
);
825 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
826 partial_size
= gimple_assign_lhs (g
);
829 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
830 tree additional_size
= build_int_cst (size_type_node
, align
/ BITS_PER_UNIT
831 + ASAN_RED_ZONE_SIZE
);
832 /* If alloca has partial redzone, include it to additional_size too. */
835 /* additional_size += partial_size. */
836 g
= gimple_build_assign (make_ssa_name (size_type_node
), PLUS_EXPR
,
837 partial_size
, additional_size
);
838 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
839 additional_size
= gimple_assign_lhs (g
);
842 /* new_size = old_size + additional_size. */
843 g
= gimple_build_assign (make_ssa_name (size_type_node
), PLUS_EXPR
, old_size
,
845 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
846 tree new_size
= gimple_assign_lhs (g
);
848 /* Build new __builtin_alloca call:
849 new_alloca_with_rz = __builtin_alloca (new_size, align). */
850 tree fn
= builtin_decl_implicit (BUILT_IN_ALLOCA_WITH_ALIGN
);
851 gg
= gimple_build_call (fn
, 2, new_size
,
852 build_int_cst (size_type_node
, align
));
853 tree new_alloca_with_rz
= make_ssa_name (ptr_type
, gg
);
854 gimple_call_set_lhs (gg
, new_alloca_with_rz
);
855 gsi_insert_before (iter
, gg
, GSI_SAME_STMT
);
857 /* new_alloca = new_alloca_with_rz + align. */
858 g
= gimple_build_assign (make_ssa_name (ptr_type
), POINTER_PLUS_EXPR
,
860 build_int_cst (size_type_node
,
861 align
/ BITS_PER_UNIT
));
862 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
863 tree new_alloca
= gimple_assign_lhs (g
);
865 /* Poison newly created alloca redzones:
866 __asan_alloca_poison (new_alloca, old_size). */
867 fn
= builtin_decl_implicit (BUILT_IN_ASAN_ALLOCA_POISON
);
868 gg
= gimple_build_call (fn
, 2, new_alloca
, old_size
);
869 gsi_insert_before (iter
, gg
, GSI_SAME_STMT
);
871 /* Save new_alloca_with_rz value into last_alloca to use it during
872 allocas unpoisoning. */
873 g
= gimple_build_assign (last_alloca
, new_alloca_with_rz
);
874 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
876 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
877 replace_call_with_value (iter
, new_alloca
);
880 /* Return the memory references contained in a gimple statement
881 representing a builtin call that has to do with memory access. */
884 get_mem_refs_of_builtin_call (gcall
*call
,
896 gimple_stmt_iterator
*iter
= NULL
)
898 gcc_checking_assert (gimple_call_builtin_p (call
, BUILT_IN_NORMAL
));
900 tree callee
= gimple_call_fndecl (call
);
901 tree source0
= NULL_TREE
, source1
= NULL_TREE
,
902 dest
= NULL_TREE
, len
= NULL_TREE
;
903 bool is_store
= true, got_reference_p
= false;
904 HOST_WIDE_INT access_size
= 1;
906 *intercepted_p
= asan_intercepted_p ((DECL_FUNCTION_CODE (callee
)));
908 switch (DECL_FUNCTION_CODE (callee
))
910 /* (s, s, n) style memops. */
912 case BUILT_IN_MEMCMP
:
913 source0
= gimple_call_arg (call
, 0);
914 source1
= gimple_call_arg (call
, 1);
915 len
= gimple_call_arg (call
, 2);
918 /* (src, dest, n) style memops. */
920 source0
= gimple_call_arg (call
, 0);
921 dest
= gimple_call_arg (call
, 1);
922 len
= gimple_call_arg (call
, 2);
925 /* (dest, src, n) style memops. */
926 case BUILT_IN_MEMCPY
:
927 case BUILT_IN_MEMCPY_CHK
:
928 case BUILT_IN_MEMMOVE
:
929 case BUILT_IN_MEMMOVE_CHK
:
930 case BUILT_IN_MEMPCPY
:
931 case BUILT_IN_MEMPCPY_CHK
:
932 dest
= gimple_call_arg (call
, 0);
933 source0
= gimple_call_arg (call
, 1);
934 len
= gimple_call_arg (call
, 2);
937 /* (dest, n) style memops. */
939 dest
= gimple_call_arg (call
, 0);
940 len
= gimple_call_arg (call
, 1);
    /* (dest, x, n) style memops.  */
944 case BUILT_IN_MEMSET
:
945 case BUILT_IN_MEMSET_CHK
:
946 dest
= gimple_call_arg (call
, 0);
947 len
= gimple_call_arg (call
, 2);
950 case BUILT_IN_STRLEN
:
      /* Special case strlen here since its length is taken from its return
	 value.
954 The approach taken by the sanitizers is to check a memory access
955 before it's taken. For ASAN strlen is intercepted by libasan, so no
956 check is inserted by the compiler.
958 This function still returns `true` and provides a length to the rest
959 of the ASAN pass in order to record what areas have been checked,
960 avoiding superfluous checks later on.
962 HWASAN does not intercept any of these internal functions.
963 This means that checks for memory accesses must be inserted by the
965 strlen is a special case, because we can tell the length from the
	 return of the function, but that is not known until after the function
	 has returned.
969 Hence we can't check the memory access before it happens.
970 We could check the memory access after it has already happened, but
971 for now we choose to just ignore `strlen` calls.
972 This decision was simply made because that means the special case is
973 limited to this one case of this one function. */
974 if (hwasan_sanitize_p ())
976 source0
= gimple_call_arg (call
, 0);
977 len
= gimple_call_lhs (call
);
980 case BUILT_IN_STACK_RESTORE
:
981 handle_builtin_stack_restore (call
, iter
);
984 CASE_BUILT_IN_ALLOCA
:
985 handle_builtin_alloca (call
, iter
);
987 /* And now the __atomic* and __sync builtins.
988 These are handled differently from the classical memory
989 access builtins above. */
991 case BUILT_IN_ATOMIC_LOAD_1
:
994 case BUILT_IN_SYNC_FETCH_AND_ADD_1
:
995 case BUILT_IN_SYNC_FETCH_AND_SUB_1
:
996 case BUILT_IN_SYNC_FETCH_AND_OR_1
:
997 case BUILT_IN_SYNC_FETCH_AND_AND_1
:
998 case BUILT_IN_SYNC_FETCH_AND_XOR_1
:
999 case BUILT_IN_SYNC_FETCH_AND_NAND_1
:
1000 case BUILT_IN_SYNC_ADD_AND_FETCH_1
:
1001 case BUILT_IN_SYNC_SUB_AND_FETCH_1
:
1002 case BUILT_IN_SYNC_OR_AND_FETCH_1
:
1003 case BUILT_IN_SYNC_AND_AND_FETCH_1
:
1004 case BUILT_IN_SYNC_XOR_AND_FETCH_1
:
1005 case BUILT_IN_SYNC_NAND_AND_FETCH_1
:
1006 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1
:
1007 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1
:
1008 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1
:
1009 case BUILT_IN_SYNC_LOCK_RELEASE_1
:
1010 case BUILT_IN_ATOMIC_EXCHANGE_1
:
1011 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1
:
1012 case BUILT_IN_ATOMIC_STORE_1
:
1013 case BUILT_IN_ATOMIC_ADD_FETCH_1
:
1014 case BUILT_IN_ATOMIC_SUB_FETCH_1
:
1015 case BUILT_IN_ATOMIC_AND_FETCH_1
:
1016 case BUILT_IN_ATOMIC_NAND_FETCH_1
:
1017 case BUILT_IN_ATOMIC_XOR_FETCH_1
:
1018 case BUILT_IN_ATOMIC_OR_FETCH_1
:
1019 case BUILT_IN_ATOMIC_FETCH_ADD_1
:
1020 case BUILT_IN_ATOMIC_FETCH_SUB_1
:
1021 case BUILT_IN_ATOMIC_FETCH_AND_1
:
1022 case BUILT_IN_ATOMIC_FETCH_NAND_1
:
1023 case BUILT_IN_ATOMIC_FETCH_XOR_1
:
1024 case BUILT_IN_ATOMIC_FETCH_OR_1
:
1028 case BUILT_IN_ATOMIC_LOAD_2
:
1031 case BUILT_IN_SYNC_FETCH_AND_ADD_2
:
1032 case BUILT_IN_SYNC_FETCH_AND_SUB_2
:
1033 case BUILT_IN_SYNC_FETCH_AND_OR_2
:
1034 case BUILT_IN_SYNC_FETCH_AND_AND_2
:
1035 case BUILT_IN_SYNC_FETCH_AND_XOR_2
:
1036 case BUILT_IN_SYNC_FETCH_AND_NAND_2
:
1037 case BUILT_IN_SYNC_ADD_AND_FETCH_2
:
1038 case BUILT_IN_SYNC_SUB_AND_FETCH_2
:
1039 case BUILT_IN_SYNC_OR_AND_FETCH_2
:
1040 case BUILT_IN_SYNC_AND_AND_FETCH_2
:
1041 case BUILT_IN_SYNC_XOR_AND_FETCH_2
:
1042 case BUILT_IN_SYNC_NAND_AND_FETCH_2
:
1043 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2
:
1044 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2
:
1045 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2
:
1046 case BUILT_IN_SYNC_LOCK_RELEASE_2
:
1047 case BUILT_IN_ATOMIC_EXCHANGE_2
:
1048 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2
:
1049 case BUILT_IN_ATOMIC_STORE_2
:
1050 case BUILT_IN_ATOMIC_ADD_FETCH_2
:
1051 case BUILT_IN_ATOMIC_SUB_FETCH_2
:
1052 case BUILT_IN_ATOMIC_AND_FETCH_2
:
1053 case BUILT_IN_ATOMIC_NAND_FETCH_2
:
1054 case BUILT_IN_ATOMIC_XOR_FETCH_2
:
1055 case BUILT_IN_ATOMIC_OR_FETCH_2
:
1056 case BUILT_IN_ATOMIC_FETCH_ADD_2
:
1057 case BUILT_IN_ATOMIC_FETCH_SUB_2
:
1058 case BUILT_IN_ATOMIC_FETCH_AND_2
:
1059 case BUILT_IN_ATOMIC_FETCH_NAND_2
:
1060 case BUILT_IN_ATOMIC_FETCH_XOR_2
:
1061 case BUILT_IN_ATOMIC_FETCH_OR_2
:
1065 case BUILT_IN_ATOMIC_LOAD_4
:
1068 case BUILT_IN_SYNC_FETCH_AND_ADD_4
:
1069 case BUILT_IN_SYNC_FETCH_AND_SUB_4
:
1070 case BUILT_IN_SYNC_FETCH_AND_OR_4
:
1071 case BUILT_IN_SYNC_FETCH_AND_AND_4
:
1072 case BUILT_IN_SYNC_FETCH_AND_XOR_4
:
1073 case BUILT_IN_SYNC_FETCH_AND_NAND_4
:
1074 case BUILT_IN_SYNC_ADD_AND_FETCH_4
:
1075 case BUILT_IN_SYNC_SUB_AND_FETCH_4
:
1076 case BUILT_IN_SYNC_OR_AND_FETCH_4
:
1077 case BUILT_IN_SYNC_AND_AND_FETCH_4
:
1078 case BUILT_IN_SYNC_XOR_AND_FETCH_4
:
1079 case BUILT_IN_SYNC_NAND_AND_FETCH_4
:
1080 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4
:
1081 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4
:
1082 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4
:
1083 case BUILT_IN_SYNC_LOCK_RELEASE_4
:
1084 case BUILT_IN_ATOMIC_EXCHANGE_4
:
1085 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4
:
1086 case BUILT_IN_ATOMIC_STORE_4
:
1087 case BUILT_IN_ATOMIC_ADD_FETCH_4
:
1088 case BUILT_IN_ATOMIC_SUB_FETCH_4
:
1089 case BUILT_IN_ATOMIC_AND_FETCH_4
:
1090 case BUILT_IN_ATOMIC_NAND_FETCH_4
:
1091 case BUILT_IN_ATOMIC_XOR_FETCH_4
:
1092 case BUILT_IN_ATOMIC_OR_FETCH_4
:
1093 case BUILT_IN_ATOMIC_FETCH_ADD_4
:
1094 case BUILT_IN_ATOMIC_FETCH_SUB_4
:
1095 case BUILT_IN_ATOMIC_FETCH_AND_4
:
1096 case BUILT_IN_ATOMIC_FETCH_NAND_4
:
1097 case BUILT_IN_ATOMIC_FETCH_XOR_4
:
1098 case BUILT_IN_ATOMIC_FETCH_OR_4
:
1102 case BUILT_IN_ATOMIC_LOAD_8
:
1105 case BUILT_IN_SYNC_FETCH_AND_ADD_8
:
1106 case BUILT_IN_SYNC_FETCH_AND_SUB_8
:
1107 case BUILT_IN_SYNC_FETCH_AND_OR_8
:
1108 case BUILT_IN_SYNC_FETCH_AND_AND_8
:
1109 case BUILT_IN_SYNC_FETCH_AND_XOR_8
:
1110 case BUILT_IN_SYNC_FETCH_AND_NAND_8
:
1111 case BUILT_IN_SYNC_ADD_AND_FETCH_8
:
1112 case BUILT_IN_SYNC_SUB_AND_FETCH_8
:
1113 case BUILT_IN_SYNC_OR_AND_FETCH_8
:
1114 case BUILT_IN_SYNC_AND_AND_FETCH_8
:
1115 case BUILT_IN_SYNC_XOR_AND_FETCH_8
:
1116 case BUILT_IN_SYNC_NAND_AND_FETCH_8
:
1117 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8
:
1118 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8
:
1119 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8
:
1120 case BUILT_IN_SYNC_LOCK_RELEASE_8
:
1121 case BUILT_IN_ATOMIC_EXCHANGE_8
:
1122 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8
:
1123 case BUILT_IN_ATOMIC_STORE_8
:
1124 case BUILT_IN_ATOMIC_ADD_FETCH_8
:
1125 case BUILT_IN_ATOMIC_SUB_FETCH_8
:
1126 case BUILT_IN_ATOMIC_AND_FETCH_8
:
1127 case BUILT_IN_ATOMIC_NAND_FETCH_8
:
1128 case BUILT_IN_ATOMIC_XOR_FETCH_8
:
1129 case BUILT_IN_ATOMIC_OR_FETCH_8
:
1130 case BUILT_IN_ATOMIC_FETCH_ADD_8
:
1131 case BUILT_IN_ATOMIC_FETCH_SUB_8
:
1132 case BUILT_IN_ATOMIC_FETCH_AND_8
:
1133 case BUILT_IN_ATOMIC_FETCH_NAND_8
:
1134 case BUILT_IN_ATOMIC_FETCH_XOR_8
:
1135 case BUILT_IN_ATOMIC_FETCH_OR_8
:
1139 case BUILT_IN_ATOMIC_LOAD_16
:
1142 case BUILT_IN_SYNC_FETCH_AND_ADD_16
:
1143 case BUILT_IN_SYNC_FETCH_AND_SUB_16
:
1144 case BUILT_IN_SYNC_FETCH_AND_OR_16
:
1145 case BUILT_IN_SYNC_FETCH_AND_AND_16
:
1146 case BUILT_IN_SYNC_FETCH_AND_XOR_16
:
1147 case BUILT_IN_SYNC_FETCH_AND_NAND_16
:
1148 case BUILT_IN_SYNC_ADD_AND_FETCH_16
:
1149 case BUILT_IN_SYNC_SUB_AND_FETCH_16
:
1150 case BUILT_IN_SYNC_OR_AND_FETCH_16
:
1151 case BUILT_IN_SYNC_AND_AND_FETCH_16
:
1152 case BUILT_IN_SYNC_XOR_AND_FETCH_16
:
1153 case BUILT_IN_SYNC_NAND_AND_FETCH_16
:
1154 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16
:
1155 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16
:
1156 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16
:
1157 case BUILT_IN_SYNC_LOCK_RELEASE_16
:
1158 case BUILT_IN_ATOMIC_EXCHANGE_16
:
1159 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16
:
1160 case BUILT_IN_ATOMIC_STORE_16
:
1161 case BUILT_IN_ATOMIC_ADD_FETCH_16
:
1162 case BUILT_IN_ATOMIC_SUB_FETCH_16
:
1163 case BUILT_IN_ATOMIC_AND_FETCH_16
:
1164 case BUILT_IN_ATOMIC_NAND_FETCH_16
:
1165 case BUILT_IN_ATOMIC_XOR_FETCH_16
:
1166 case BUILT_IN_ATOMIC_OR_FETCH_16
:
1167 case BUILT_IN_ATOMIC_FETCH_ADD_16
:
1168 case BUILT_IN_ATOMIC_FETCH_SUB_16
:
1169 case BUILT_IN_ATOMIC_FETCH_AND_16
:
1170 case BUILT_IN_ATOMIC_FETCH_NAND_16
:
1171 case BUILT_IN_ATOMIC_FETCH_XOR_16
:
1172 case BUILT_IN_ATOMIC_FETCH_OR_16
:
1177 dest
= gimple_call_arg (call
, 0);
1178 /* DEST represents the address of a memory location.
	 instrument_derefs wants the memory location, so let's
1180 dereference the address DEST before handing it to
1181 instrument_derefs. */
1182 tree type
= build_nonstandard_integer_type (access_size
1183 * BITS_PER_UNIT
, 1);
1184 dest
= build2 (MEM_REF
, type
, dest
,
1185 build_int_cst (build_pointer_type (char_type_node
), 0));
1190 /* The other builtins memory access are not instrumented in this
1191 function because they either don't have any length parameter,
1192 or their length parameter is just a limit. */
1196 if (len
!= NULL_TREE
)
1198 if (source0
!= NULL_TREE
)
1200 src0
->start
= source0
;
1201 src0
->access_size
= access_size
;
1203 *src0_is_store
= false;
1206 if (source1
!= NULL_TREE
)
1208 src1
->start
= source1
;
1209 src1
->access_size
= access_size
;
1211 *src1_is_store
= false;
1214 if (dest
!= NULL_TREE
)
1217 dst
->access_size
= access_size
;
1219 *dst_is_store
= true;
1222 got_reference_p
= true;
1227 dst
->access_size
= access_size
;
1228 *dst_len
= NULL_TREE
;
1229 *dst_is_store
= is_store
;
1230 *dest_is_deref
= true;
1231 got_reference_p
= true;
1234 return got_reference_p
;
1237 /* Return true iff a given gimple statement has been instrumented.
   Note that the statement is "defined" by the memory references it
   contains.  */
1242 has_stmt_been_instrumented_p (gimple
*stmt
)
1244 if (gimple_assign_single_p (stmt
))
1248 asan_mem_ref_init (&r
, NULL
, 1);
1250 if (get_mem_ref_of_assignment (as_a
<gassign
*> (stmt
), &r
,
1252 return has_mem_ref_been_instrumented (&r
);
1254 else if (gimple_call_builtin_p (stmt
, BUILT_IN_NORMAL
))
1256 asan_mem_ref src0
, src1
, dest
;
1257 asan_mem_ref_init (&src0
, NULL
, 1);
1258 asan_mem_ref_init (&src1
, NULL
, 1);
1259 asan_mem_ref_init (&dest
, NULL
, 1);
1261 tree src0_len
= NULL_TREE
, src1_len
= NULL_TREE
, dest_len
= NULL_TREE
;
1262 bool src0_is_store
= false, src1_is_store
= false,
1263 dest_is_store
= false, dest_is_deref
= false, intercepted_p
= true;
1264 if (get_mem_refs_of_builtin_call (as_a
<gcall
*> (stmt
),
1265 &src0
, &src0_len
, &src0_is_store
,
1266 &src1
, &src1_len
, &src1_is_store
,
1267 &dest
, &dest_len
, &dest_is_store
,
1268 &dest_is_deref
, &intercepted_p
))
1270 if (src0
.start
!= NULL_TREE
1271 && !has_mem_ref_been_instrumented (&src0
, src0_len
))
1274 if (src1
.start
!= NULL_TREE
1275 && !has_mem_ref_been_instrumented (&src1
, src1_len
))
1278 if (dest
.start
!= NULL_TREE
1279 && !has_mem_ref_been_instrumented (&dest
, dest_len
))
1285 else if (is_gimple_call (stmt
) && gimple_store_p (stmt
))
1288 asan_mem_ref_init (&r
, NULL
, 1);
1290 r
.start
= gimple_call_lhs (stmt
);
1291 r
.access_size
= int_size_in_bytes (TREE_TYPE (r
.start
));
1292 return has_mem_ref_been_instrumented (&r
);
1298 /* Insert a memory reference into the hash table. */
1301 update_mem_ref_hash_table (tree ref
, HOST_WIDE_INT access_size
)
1303 hash_table
<asan_mem_ref_hasher
> *ht
= get_mem_ref_hash_table ();
1306 asan_mem_ref_init (&r
, ref
, access_size
);
1308 asan_mem_ref
**slot
= ht
->find_slot (&r
, INSERT
);
1309 if (*slot
== NULL
|| (*slot
)->access_size
< access_size
)
1310 *slot
= asan_mem_ref_new (ref
, access_size
);
1313 /* Initialize shadow_ptr_types array. */
1316 asan_init_shadow_ptr_types (void)
1318 asan_shadow_set
= new_alias_set ();
1319 tree types
[3] = { signed_char_type_node
, short_integer_type_node
,
1320 integer_type_node
};
1322 for (unsigned i
= 0; i
< 3; i
++)
1324 shadow_ptr_types
[i
] = build_distinct_type_copy (types
[i
]);
1325 TYPE_ALIAS_SET (shadow_ptr_types
[i
]) = asan_shadow_set
;
1326 shadow_ptr_types
[i
] = build_pointer_type (shadow_ptr_types
[i
]);
1329 initialize_sanitizer_builtins ();
1332 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
1335 asan_pp_string (pretty_printer
*pp
)
1337 const char *buf
= pp_formatted_text (pp
);
1338 size_t len
= strlen (buf
);
1339 tree ret
= build_string (len
+ 1, buf
);
1341 = build_array_type (TREE_TYPE (shadow_ptr_types
[0]),
1342 build_index_type (size_int (len
)));
1343 TREE_READONLY (ret
) = 1;
1344 TREE_STATIC (ret
) = 1;
1345 return build1 (ADDR_EXPR
, shadow_ptr_types
[0], ret
);
1348 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1352 asan_clear_shadow (rtx shadow_mem
, HOST_WIDE_INT len
)
1354 rtx_insn
*insn
, *insns
, *jump
;
1355 rtx_code_label
*top_label
;
1358 gcc_assert ((len
& 3) == 0);
1360 clear_storage (shadow_mem
, GEN_INT (len
), BLOCK_OP_NORMAL
);
1361 insns
= get_insns ();
1363 for (insn
= insns
; insn
; insn
= NEXT_INSN (insn
))
1366 if (insn
== NULL_RTX
)
1372 top_label
= gen_label_rtx ();
1373 addr
= copy_to_mode_reg (Pmode
, XEXP (shadow_mem
, 0));
1374 shadow_mem
= adjust_automodify_address (shadow_mem
, SImode
, addr
, 0);
1375 end
= force_reg (Pmode
, plus_constant (Pmode
, addr
, len
));
1376 emit_label (top_label
);
1378 emit_move_insn (shadow_mem
, const0_rtx
);
1379 tmp
= expand_simple_binop (Pmode
, PLUS
, addr
, gen_int_mode (4, Pmode
), addr
,
1380 true, OPTAB_LIB_WIDEN
);
1382 emit_move_insn (addr
, tmp
);
1383 emit_cmp_and_jump_insns (addr
, end
, LT
, NULL_RTX
, Pmode
, true, top_label
);
1384 jump
= get_last_insn ();
1385 gcc_assert (JUMP_P (jump
));
1386 add_reg_br_prob_note (jump
,
1387 profile_probability::guessed_always ()
1388 .apply_scale (80, 100));
1392 asan_function_start (void)
1394 section
*fnsec
= function_section (current_function_decl
);
1395 switch_to_section (fnsec
);
1396 ASM_OUTPUT_DEBUG_LABEL (asm_out_file
, "LASANPC",
1397 current_function_funcdef_no
);
/* Return the number of shadow bytes that are occupied by a local variable
   of SIZE bytes.  */
1403 static unsigned HOST_WIDE_INT
1404 shadow_mem_size (unsigned HOST_WIDE_INT size
)
1406 /* It must be possible to align stack variables to granularity
1407 of shadow memory. */
1408 gcc_assert (BITS_PER_UNIT
1409 * ASAN_SHADOW_GRANULARITY
<= MAX_SUPPORTED_STACK_ALIGNMENT
);
1411 return ROUND_UP (size
, ASAN_SHADOW_GRANULARITY
) / ASAN_SHADOW_GRANULARITY
;
1414 /* Always emit 4 bytes at a time. */
1415 #define RZ_BUFFER_SIZE 4
1417 /* ASAN redzone buffer container that handles emission of shadow bytes. */
1418 class asan_redzone_buffer
1422 asan_redzone_buffer (rtx shadow_mem
, HOST_WIDE_INT prev_offset
):
1423 m_shadow_mem (shadow_mem
), m_prev_offset (prev_offset
),
1424 m_original_offset (prev_offset
), m_shadow_bytes (RZ_BUFFER_SIZE
)
1427 /* Emit VALUE shadow byte at a given OFFSET. */
1428 void emit_redzone_byte (HOST_WIDE_INT offset
, unsigned char value
);
1430 /* Emit RTX emission of the content of the buffer. */
1431 void flush_redzone_payload (void);
1434 /* Flush if the content of the buffer is full
1435 (equal to RZ_BUFFER_SIZE). */
1436 void flush_if_full (void);
1438 /* Memory where we last emitted a redzone payload. */
1441 /* Relative offset where we last emitted a redzone payload. */
1442 HOST_WIDE_INT m_prev_offset
;
1444 /* Relative original offset. Used for checking only. */
1445 HOST_WIDE_INT m_original_offset
;
1448 /* Buffer with redzone payload. */
1449 auto_vec
<unsigned char> m_shadow_bytes
;
1452 /* Emit VALUE shadow byte at a given OFFSET. */
1455 asan_redzone_buffer::emit_redzone_byte (HOST_WIDE_INT offset
,
1456 unsigned char value
)
1458 gcc_assert ((offset
& (ASAN_SHADOW_GRANULARITY
- 1)) == 0);
1459 gcc_assert (offset
>= m_prev_offset
);
1462 = m_prev_offset
+ ASAN_SHADOW_GRANULARITY
* m_shadow_bytes
.length ();
1465 /* Consecutive shadow memory byte. */
1466 m_shadow_bytes
.safe_push (value
);
1471 if (!m_shadow_bytes
.is_empty ())
1472 flush_redzone_payload ();
1474 /* Maybe start earlier in order to use aligned store. */
1475 HOST_WIDE_INT align
= (offset
- m_prev_offset
) % ASAN_RED_ZONE_SIZE
;
1479 for (unsigned i
= 0; i
< align
/ BITS_PER_UNIT
; i
++)
1480 m_shadow_bytes
.safe_push (0);
1483 /* Adjust m_prev_offset and m_shadow_mem. */
1484 HOST_WIDE_INT diff
= offset
- m_prev_offset
;
1485 m_shadow_mem
= adjust_address (m_shadow_mem
, VOIDmode
,
1486 diff
>> ASAN_SHADOW_SHIFT
);
1487 m_prev_offset
= offset
;
1488 m_shadow_bytes
.safe_push (value
);
1493 /* Emit RTX emission of the content of the buffer. */
1496 asan_redzone_buffer::flush_redzone_payload (void)
1498 gcc_assert (WORDS_BIG_ENDIAN
== BYTES_BIG_ENDIAN
);
1500 if (m_shadow_bytes
.is_empty ())
1503 /* Be sure we always emit to an aligned address. */
1504 gcc_assert (((m_prev_offset
- m_original_offset
)
1505 & (ASAN_RED_ZONE_SIZE
- 1)) == 0);
1507 /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */
1508 unsigned l
= m_shadow_bytes
.length ();
1509 for (unsigned i
= 0; i
<= RZ_BUFFER_SIZE
- l
; i
++)
1510 m_shadow_bytes
.safe_push (0);
1512 if (dump_file
&& (dump_flags
& TDF_DETAILS
))
1514 "Flushing rzbuffer at offset %" PRId64
" with: ", m_prev_offset
);
1516 unsigned HOST_WIDE_INT val
= 0;
1517 for (unsigned i
= 0; i
< RZ_BUFFER_SIZE
; i
++)
1520 = m_shadow_bytes
[BYTES_BIG_ENDIAN
? RZ_BUFFER_SIZE
- i
- 1 : i
];
1521 val
|= (unsigned HOST_WIDE_INT
)v
<< (BITS_PER_UNIT
* i
);
1522 if (dump_file
&& (dump_flags
& TDF_DETAILS
))
1523 fprintf (dump_file
, "%02x ", v
);
1526 if (dump_file
&& (dump_flags
& TDF_DETAILS
))
1527 fprintf (dump_file
, "\n");
1529 rtx c
= gen_int_mode (val
, SImode
);
1530 m_shadow_mem
= adjust_address (m_shadow_mem
, SImode
, 0);
1531 emit_move_insn (m_shadow_mem
, c
);
1532 m_shadow_bytes
.truncate (0);
1535 /* Flush if the content of the buffer is full
1536 (equal to RZ_BUFFER_SIZE). */
1539 asan_redzone_buffer::flush_if_full (void)
1541 if (m_shadow_bytes
.length () == RZ_BUFFER_SIZE
)
1542 flush_redzone_payload ();
1546 /* HWAddressSanitizer (hwasan) is a probabilistic method for detecting
1547 out-of-bounds and use-after-free bugs.
1549 http://code.google.com/p/address-sanitizer/
1551 Similar to AddressSanitizer (asan) it consists of two parts: the
1552 instrumentation module in this file, and a run-time library.
1554 The instrumentation module adds a run-time check before every memory insn in
1555 the same manner as asan (see the block comment for AddressSanitizer above).
1556 Currently, hwasan only adds out-of-line instrumentation, where each check is
1557 implemented as a function call to the run-time library. Hence a check for a
1558 load of N bytes from address X would be implemented with a function call to
   __hwasan_loadN(X), and checking a store of N bytes to address X would be
1560 implemented with a function call to __hwasan_storeN(X).
1562 The main difference between hwasan and asan is in the information stored to
1563 help this checking. Both sanitizers use a shadow memory area which stores
1564 data recording the state of main memory at a corresponding address.
1566 For hwasan, each 16 byte granule in main memory has a corresponding 1 byte
1567 in shadow memory. This shadow address can be calculated with equation:
1568 (addr >> log_2(HWASAN_TAG_GRANULE_SIZE))
1569 + __hwasan_shadow_memory_dynamic_address;
1570 The conversion between real and shadow memory for asan is given in the block
1571 comment at the top of this file.
1572 The description of how this shadow memory is laid out for asan is in the
1573 block comment at the top of this file, here we describe how this shadow
1574 memory is used for hwasan.
1576 For hwasan, each variable is assigned a byte-sized 'tag'. The extent of
1577 the shadow memory for that variable is filled with the assigned tag, and
1578 every pointer referencing that variable has its top byte set to the same
1579 tag. The run-time library redefines malloc so that every allocation returns
1580 a tagged pointer and tags the corresponding shadow memory with the same tag.
1582 On each pointer dereference the tag found in the pointer is compared to the
1583 tag found in the shadow memory corresponding to the accessed memory address.
1584 If these tags are found to differ then this memory access is judged to be
1585 invalid and a report is generated.
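
   As a rough illustrative sketch (plain C rather than the actual run-time
   implementation, with `report_error` standing in for the runtime's failure
   path), such a check behaves like:

     uint8_t ptr_tag = addr >> 56;   // the tag lives in the top byte
     uint8_t mem_tag = *(uint8_t *)((addr >> 4)
				    + __hwasan_shadow_memory_dynamic_address);
     if (ptr_tag != mem_tag)
       report_error (addr);          // mismatching tags: report the access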
1587 This method of bug detection is not perfect -- it can not catch every bad
1588 access -- but catches them probabilistically instead. There is always the
1589 possibility that an invalid memory access will happen to access memory
1590 tagged with the same tag as the pointer that this access used.
1591 The chances of this are approx. 0.4% for any two uncorrelated objects.
1593 Random tag generation can mitigate this problem by decreasing the
1594 probability that an invalid access will be missed in the same manner over
1595 multiple runs. i.e. if two objects are tagged the same in one run of the
1596 binary they are unlikely to be tagged the same in the next run.
1597 Both heap and stack allocated objects have random tags by default.
1599 [16 byte granule implications]
1600 Since the shadow memory only has a resolution on real memory of 16 bytes,
1601 invalid accesses that are within the same 16 byte granule as a valid
1602 address will not be caught.
1604 There is a "short-granule" feature in the runtime library which does catch
1605 such accesses, but this feature is not implemented for stack objects (since
1606 stack objects are allocated and tagged by compiler instrumentation, and
1607 this feature has not yet been implemented in GCC instrumentation).
1609 Another outcome of this 16 byte resolution is that each tagged object must
1610 be 16 byte aligned. If two objects were to share any 16 byte granule in
1611 memory, then they both would have to be given the same tag, and invalid
1612 accesses to one using a pointer to the other would be undetectable.
1614 [Compiler instrumentation]
1615 Compiler instrumentation ensures that two adjacent buffers on the stack are
1616 given different tags, this means an access to one buffer using a pointer
1617 generated from the other (e.g. through buffer overrun) will have mismatched
1618 tags and be caught by hwasan.
1620 We don't randomly tag every object on the stack, since that would require
1621 keeping many registers to record each tag. Instead we randomly generate a
1622 tag for each function frame, and each new stack object uses a tag offset
1623 from that frame tag.
1624 i.e. each object is tagged as RFT + offset, where RFT is the "random frame
1625 tag" generated for this frame.
   This means that randomisation does not perturb the difference between tags
1627 on tagged stack objects within a frame, but this is mitigated by the fact
1628 that objects with the same tag within a frame are very far apart
1629 (approx. 2^HWASAN_TAG_SIZE objects apart).
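
   (For instance, if the random frame tag for one call happens to be 0x2a,
   the stack objects in that frame get tags at fixed small offsets from it,
   e.g. 0x2b, 0x2c, and so on; another run may pick a different frame tag,
   but the per-object offsets stay the same.)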
1631 As a demonstration, using the same example program as in the asan block
1646 On AArch64 the stack will be ordered as follows for the above function:
1648 Slot 1/ [24 bytes for variable 'a']
1649 Slot 2/ [8 bytes padding for alignment]
1650 Slot 3/ [8 bytes for variable 'b']
1651 Slot 4/ [8 bytes padding for alignment]
1653 (The padding is there to ensure 16 byte alignment as described in the 16
1654 byte granule implications).
1656 While the shadow memory will be ordered as follows:
1658 - 2 bytes (representing 32 bytes in real memory) tagged with RFT + 1.
1659 - 1 byte (representing 16 bytes in real memory) tagged with RFT + 2.
1661 And any pointer to "a" will have the tag RFT + 1, and any pointer to "b"
1662 will have the tag RFT + 2.
1664 [Top Byte Ignore requirements]
1665 Hwasan requires the ability to store an 8 bit tag in every pointer. There
1666 is no instrumentation done to remove this tag from pointers before
   dereferencing, which means the hardware must ignore this tag during memory
   accesses.
1670 Architectures where this feature is available should indicate this using
1671 the TARGET_MEMTAG_CAN_TAG_ADDRESSES hook.
1673 [Stack requires cleanup on unwinding]
1674 During normal operation of a hwasan sanitized program more space in the
1675 shadow memory becomes tagged as the stack grows. As the stack shrinks this
1676 shadow memory space must become untagged. If it is not untagged then when
1677 the stack grows again (during other function calls later on in the program)
1678 objects on the stack that are usually not tagged (e.g. parameters passed on
1679 the stack) can be placed in memory whose shadow space is tagged with
1680 something else, and accesses can cause false positive reports.
   Hence we place untagging code on every epilogue of functions which tag some
   stack objects.
1685 Moreover, the run-time library intercepts longjmp & setjmp to untag when
1686 the stack is unwound this way.
1688 C++ exceptions are not yet handled, which means this sanitizer can not
1689 handle C++ code that throws exceptions -- it will give false positives
1690 after an exception has been thrown. The implementation that the hwasan
1691 library has for handling these relies on the frame pointer being after any
1692 local variables. This is not generally the case for GCC. */
1695 /* Returns whether we are tagging pointers and checking those tags on memory
1698 hwasan_sanitize_p ()
1700 return sanitize_flags_p (SANITIZE_HWADDRESS
);
1703 /* Are we tagging the stack? */
1705 hwasan_sanitize_stack_p ()
1707 return (hwasan_sanitize_p () && param_hwasan_instrument_stack
);
1710 /* Are we tagging alloca objects? */
1712 hwasan_sanitize_allocas_p (void)
1714 return (hwasan_sanitize_stack_p () && param_hwasan_instrument_allocas
);
1717 /* Should we instrument reads? */
1719 hwasan_instrument_reads (void)
1721 return (hwasan_sanitize_p () && param_hwasan_instrument_reads
);
1724 /* Should we instrument writes? */
1726 hwasan_instrument_writes (void)
1728 return (hwasan_sanitize_p () && param_hwasan_instrument_writes
);
1731 /* Should we instrument builtin calls? */
1733 hwasan_memintrin (void)
1735 return (hwasan_sanitize_p () && param_hwasan_instrument_mem_intrinsics
);
1738 /* Insert code to protect stack vars. The prologue sequence should be emitted
1739 directly, epilogue sequence returned. BASE is the register holding the
1740 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1741 array contains pairs of offsets in reverse order, always the end offset
1742 of some gap that needs protection followed by starting offset,
1743 and DECLS is an array of representative decls for each var partition.
1744 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1745 elements long (OFFSETS include gap before the first variable as well
1746 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1747 register which stack vars DECL_RTLs are based on. Either BASE should be
1748 assigned to PBASE, when not doing use after return protection, or
1749 corresponding address based on __asan_stack_malloc* return value. */
1752 asan_emit_stack_protection (rtx base
, rtx pbase
, unsigned int alignb
,
1753 HOST_WIDE_INT
*offsets
, tree
*decls
, int length
)
1755 rtx shadow_base
, shadow_mem
, ret
, mem
, orig_base
;
1756 rtx_code_label
*lab
;
1759 HOST_WIDE_INT base_offset
= offsets
[length
- 1];
1760 HOST_WIDE_INT base_align_bias
= 0, offset
, prev_offset
;
1761 HOST_WIDE_INT asan_frame_size
= offsets
[0] - base_offset
;
1762 HOST_WIDE_INT last_offset
, last_size
, last_size_aligned
;
1764 unsigned char cur_shadow_byte
= ASAN_STACK_MAGIC_LEFT
;
1765 tree str_cst
, decl
, id
;
1766 int use_after_return_class
= -1;
1768 if (shadow_ptr_types
[0] == NULL_TREE
)
1769 asan_init_shadow_ptr_types ();
1771 expanded_location cfun_xloc
1772 = expand_location (DECL_SOURCE_LOCATION (current_function_decl
));
1774 /* First of all, prepare the description string. */
1775 pretty_printer asan_pp
;
1777 pp_decimal_int (&asan_pp
, length
/ 2 - 1);
1778 pp_space (&asan_pp
);
1779 for (l
= length
- 2; l
; l
-= 2)
1781 tree decl
= decls
[l
/ 2 - 1];
1782 pp_wide_integer (&asan_pp
, offsets
[l
] - base_offset
);
1783 pp_space (&asan_pp
);
1784 pp_wide_integer (&asan_pp
, offsets
[l
- 1] - offsets
[l
]);
1785 pp_space (&asan_pp
);
1787 expanded_location xloc
1788 = expand_location (DECL_SOURCE_LOCATION (decl
));
1791 if (xloc
.file
== cfun_xloc
.file
)
1792 sprintf (location
, ":%d", xloc
.line
);
1796 if (DECL_P (decl
) && DECL_NAME (decl
))
1799 = IDENTIFIER_LENGTH (DECL_NAME (decl
)) + strlen (location
);
1800 pp_decimal_int (&asan_pp
, idlen
);
1801 pp_space (&asan_pp
);
1802 pp_tree_identifier (&asan_pp
, DECL_NAME (decl
));
1803 pp_string (&asan_pp
, location
);
1806 pp_string (&asan_pp
, "9 <unknown>");
1809 pp_space (&asan_pp
);
1811 str_cst
= asan_pp_string (&asan_pp
);
  /* Emit the prologue sequence.  */
  if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
      && param_asan_use_after_return)
    {
      use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
      /* __asan_stack_malloc_N guarantees alignment
	 N < 6 ? (64 << N) : 4096 bytes.  */
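      /* Worked example (illustrative arithmetic only, derived from the guard
	 and formula above): a 96-byte frame gives floor_log2 (95) - 5 = 1,
	 so __asan_stack_malloc_1 is used and 64 << 1 = 128 bytes of
	 alignment may be relied upon.  Frames in the permitted 32..65536
	 byte range map to classes 0..10; classes 6 and above only guarantee
	 4096 bytes.  */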
1820 if (alignb
> (use_after_return_class
< 6
1821 ? (64U << use_after_return_class
) : 4096U))
1822 use_after_return_class
= -1;
1823 else if (alignb
> ASAN_RED_ZONE_SIZE
&& (asan_frame_size
& (alignb
- 1)))
1824 base_align_bias
= ((asan_frame_size
+ alignb
- 1)
1825 & ~(alignb
- HOST_WIDE_INT_1
)) - asan_frame_size
;
1828 /* Align base if target is STRICT_ALIGNMENT. */
1829 if (STRICT_ALIGNMENT
)
1831 const HOST_WIDE_INT align
1832 = (GET_MODE_ALIGNMENT (SImode
) / BITS_PER_UNIT
) << ASAN_SHADOW_SHIFT
;
1833 base
= expand_binop (Pmode
, and_optab
, base
, gen_int_mode (-align
, Pmode
),
1834 NULL_RTX
, 1, OPTAB_DIRECT
);
1837 if (use_after_return_class
== -1 && pbase
)
1838 emit_move_insn (pbase
, base
);
1840 base
= expand_binop (Pmode
, add_optab
, base
,
1841 gen_int_mode (base_offset
- base_align_bias
, Pmode
),
1842 NULL_RTX
, 1, OPTAB_DIRECT
);
1843 orig_base
= NULL_RTX
;
1844 if (use_after_return_class
!= -1)
1846 if (asan_detect_stack_use_after_return
== NULL_TREE
)
1848 id
= get_identifier ("__asan_option_detect_stack_use_after_return");
1849 decl
= build_decl (BUILTINS_LOCATION
, VAR_DECL
, id
,
1851 SET_DECL_ASSEMBLER_NAME (decl
, id
);
1852 TREE_ADDRESSABLE (decl
) = 1;
1853 DECL_ARTIFICIAL (decl
) = 1;
1854 DECL_IGNORED_P (decl
) = 1;
1855 DECL_EXTERNAL (decl
) = 1;
1856 TREE_STATIC (decl
) = 1;
1857 TREE_PUBLIC (decl
) = 1;
1858 TREE_USED (decl
) = 1;
1859 asan_detect_stack_use_after_return
= decl
;
1861 orig_base
= gen_reg_rtx (Pmode
);
1862 emit_move_insn (orig_base
, base
);
1863 ret
= expand_normal (asan_detect_stack_use_after_return
);
1864 lab
= gen_label_rtx ();
1865 emit_cmp_and_jump_insns (ret
, const0_rtx
, EQ
, NULL_RTX
,
1867 profile_probability::very_likely ());
1868 snprintf (buf
, sizeof buf
, "__asan_stack_malloc_%d",
1869 use_after_return_class
);
1870 ret
= init_one_libfunc (buf
);
1871 ret
= emit_library_call_value (ret
, NULL_RTX
, LCT_NORMAL
, ptr_mode
,
1872 GEN_INT (asan_frame_size
1874 TYPE_MODE (pointer_sized_int_node
));
1875 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1876 and NULL otherwise. Check RET value is NULL here and jump over the
1877 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1878 emit_cmp_and_jump_insns (ret
, const0_rtx
, EQ
, NULL_RTX
,
1880 profile_probability:: very_unlikely ());
1881 ret
= convert_memory_address (Pmode
, ret
);
1882 emit_move_insn (base
, ret
);
1884 emit_move_insn (pbase
, expand_binop (Pmode
, add_optab
, base
,
1885 gen_int_mode (base_align_bias
1886 - base_offset
, Pmode
),
1887 NULL_RTX
, 1, OPTAB_DIRECT
));
1889 mem
= gen_rtx_MEM (ptr_mode
, base
);
1890 mem
= adjust_address (mem
, VOIDmode
, base_align_bias
);
1891 emit_move_insn (mem
, gen_int_mode (ASAN_STACK_FRAME_MAGIC
, ptr_mode
));
1892 mem
= adjust_address (mem
, VOIDmode
, GET_MODE_SIZE (ptr_mode
));
1893 emit_move_insn (mem
, expand_normal (str_cst
));
1894 mem
= adjust_address (mem
, VOIDmode
, GET_MODE_SIZE (ptr_mode
));
1895 ASM_GENERATE_INTERNAL_LABEL (buf
, "LASANPC", current_function_funcdef_no
);
1896 id
= get_identifier (buf
);
1897 decl
= build_decl (DECL_SOURCE_LOCATION (current_function_decl
),
1898 VAR_DECL
, id
, char_type_node
);
1899 SET_DECL_ASSEMBLER_NAME (decl
, id
);
1900 TREE_ADDRESSABLE (decl
) = 1;
1901 TREE_READONLY (decl
) = 1;
1902 DECL_ARTIFICIAL (decl
) = 1;
1903 DECL_IGNORED_P (decl
) = 1;
1904 TREE_STATIC (decl
) = 1;
1905 TREE_PUBLIC (decl
) = 0;
1906 TREE_USED (decl
) = 1;
1907 DECL_INITIAL (decl
) = decl
;
1908 TREE_ASM_WRITTEN (decl
) = 1;
1909 TREE_ASM_WRITTEN (id
) = 1;
1910 emit_move_insn (mem
, expand_normal (build_fold_addr_expr (decl
)));
1911 shadow_base
= expand_binop (Pmode
, lshr_optab
, base
,
1912 gen_int_shift_amount (Pmode
, ASAN_SHADOW_SHIFT
),
1913 NULL_RTX
, 1, OPTAB_DIRECT
);
1915 = plus_constant (Pmode
, shadow_base
,
1916 asan_shadow_offset ()
1917 + (base_align_bias
>> ASAN_SHADOW_SHIFT
));
1918 gcc_assert (asan_shadow_set
!= -1
1919 && (ASAN_RED_ZONE_SIZE
>> ASAN_SHADOW_SHIFT
) == 4);
1920 shadow_mem
= gen_rtx_MEM (SImode
, shadow_base
);
1921 set_mem_alias_set (shadow_mem
, asan_shadow_set
);
1922 if (STRICT_ALIGNMENT
)
1923 set_mem_align (shadow_mem
, (GET_MODE_ALIGNMENT (SImode
)));
1924 prev_offset
= base_offset
;
1926 asan_redzone_buffer
rz_buffer (shadow_mem
, prev_offset
);
1927 for (l
= length
; l
; l
-= 2)
1930 cur_shadow_byte
= ASAN_STACK_MAGIC_RIGHT
;
1931 offset
= offsets
[l
- 1];
      bool extra_byte = (offset - base_offset) & (ASAN_SHADOW_GRANULARITY - 1);
      /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then
	 the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0.
	 In that case we have to emit one extra byte that will describe
	 how many bytes (out of ASAN_SHADOW_GRANULARITY) can be accessed.  */
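      /* Worked example (illustration only): with ASAN_SHADOW_GRANULARITY of
	 8, a 10-byte variable is described by a shadow byte of 0 (all eight
	 bytes of its first granule addressable) followed by the extra byte 2
	 (only two bytes of the second granule addressable); the granule
	 aligned red zone that follows then carries the red-zone magic.  */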
1941 = base_offset
+ ((offset
- base_offset
)
1942 & ~(ASAN_SHADOW_GRANULARITY
- HOST_WIDE_INT_1
));
1943 rz_buffer
.emit_redzone_byte (aoff
, offset
- aoff
);
1944 offset
= aoff
+ ASAN_SHADOW_GRANULARITY
;
1947 /* Calculate size of red zone payload. */
1948 while (offset
< offsets
[l
- 2])
1950 rz_buffer
.emit_redzone_byte (offset
, cur_shadow_byte
);
1951 offset
+= ASAN_SHADOW_GRANULARITY
;
1954 cur_shadow_byte
= ASAN_STACK_MAGIC_MIDDLE
;
1957 /* As the automatic variables are aligned to
1958 ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be
1960 gcc_assert (rz_buffer
.m_shadow_bytes
.is_empty ());
1962 do_pending_stack_adjust ();
1964 /* Construct epilogue sequence. */
1968 if (use_after_return_class
!= -1)
1970 rtx_code_label
*lab2
= gen_label_rtx ();
1971 char c
= (char) ASAN_STACK_MAGIC_USE_AFTER_RET
;
1972 emit_cmp_and_jump_insns (orig_base
, base
, EQ
, NULL_RTX
,
1974 profile_probability::very_likely ());
1975 shadow_mem
= gen_rtx_MEM (BLKmode
, shadow_base
);
1976 set_mem_alias_set (shadow_mem
, asan_shadow_set
);
1977 mem
= gen_rtx_MEM (ptr_mode
, base
);
1978 mem
= adjust_address (mem
, VOIDmode
, base_align_bias
);
1979 emit_move_insn (mem
, gen_int_mode (ASAN_STACK_RETIRED_MAGIC
, ptr_mode
));
1980 unsigned HOST_WIDE_INT sz
= asan_frame_size
>> ASAN_SHADOW_SHIFT
;
1981 if (use_after_return_class
< 5
1982 && can_store_by_pieces (sz
, builtin_memset_read_str
, &c
,
1983 BITS_PER_UNIT
, true))
1986 memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
1987 **SavedFlagPtr(FakeStack, class_id) = 0
1989 store_by_pieces (shadow_mem
, sz
, builtin_memset_read_str
, &c
,
1990 BITS_PER_UNIT
, true, RETURN_BEGIN
);
1992 unsigned HOST_WIDE_INT offset
1993 = (1 << (use_after_return_class
+ 6));
1994 offset
-= GET_MODE_SIZE (ptr_mode
);
1995 mem
= gen_rtx_MEM (ptr_mode
, base
);
1996 mem
= adjust_address (mem
, ptr_mode
, offset
);
1997 rtx addr
= gen_reg_rtx (ptr_mode
);
1998 emit_move_insn (addr
, mem
);
1999 addr
= convert_memory_address (Pmode
, addr
);
2000 mem
= gen_rtx_MEM (QImode
, addr
);
2001 emit_move_insn (mem
, const0_rtx
);
2003 else if (use_after_return_class
>= 5
2004 || !set_storage_via_setmem (shadow_mem
,
2006 gen_int_mode (c
, QImode
),
2007 BITS_PER_UNIT
, BITS_PER_UNIT
,
2010 snprintf (buf
, sizeof buf
, "__asan_stack_free_%d",
2011 use_after_return_class
);
2012 ret
= init_one_libfunc (buf
);
2013 rtx addr
= convert_memory_address (ptr_mode
, base
);
2014 rtx orig_addr
= convert_memory_address (ptr_mode
, orig_base
);
2015 emit_library_call (ret
, LCT_NORMAL
, ptr_mode
, addr
, ptr_mode
,
2016 GEN_INT (asan_frame_size
+ base_align_bias
),
2017 TYPE_MODE (pointer_sized_int_node
),
2018 orig_addr
, ptr_mode
);
2020 lab
= gen_label_rtx ();
2025 shadow_mem
= gen_rtx_MEM (BLKmode
, shadow_base
);
2026 set_mem_alias_set (shadow_mem
, asan_shadow_set
);
2028 if (STRICT_ALIGNMENT
)
2029 set_mem_align (shadow_mem
, (GET_MODE_ALIGNMENT (SImode
)));
2031 prev_offset
= base_offset
;
2032 last_offset
= base_offset
;
2034 last_size_aligned
= 0;
2035 for (l
= length
; l
; l
-= 2)
2037 offset
= base_offset
+ ((offsets
[l
- 1] - base_offset
)
2038 & ~(ASAN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
));
2039 if (last_offset
+ last_size_aligned
< offset
)
2041 shadow_mem
= adjust_address (shadow_mem
, VOIDmode
,
2042 (last_offset
- prev_offset
)
2043 >> ASAN_SHADOW_SHIFT
);
2044 prev_offset
= last_offset
;
2045 asan_clear_shadow (shadow_mem
, last_size_aligned
>> ASAN_SHADOW_SHIFT
);
2046 last_offset
= offset
;
2050 last_size
= offset
- last_offset
;
2051 last_size
+= base_offset
+ ((offsets
[l
- 2] - base_offset
)
2052 & ~(ASAN_MIN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
))
      /* Unpoison shadow memory that corresponds to a variable that is
	 subject to use-after-return sanitization.  */
2059 decl
= decls
[l
/ 2 - 2];
2060 if (asan_handled_variables
!= NULL
2061 && asan_handled_variables
->contains (decl
))
2063 HOST_WIDE_INT size
= offsets
[l
- 3] - offsets
[l
- 2];
2064 if (dump_file
&& (dump_flags
& TDF_DETAILS
))
2066 const char *n
= (DECL_NAME (decl
)
2067 ? IDENTIFIER_POINTER (DECL_NAME (decl
))
2069 fprintf (dump_file
, "Unpoisoning shadow stack for variable: "
2070 "%s (%" PRId64
" B)\n", n
, size
);
2073 last_size
+= size
& ~(ASAN_MIN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
);
2077 = ((last_size
+ (ASAN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
))
2078 & ~(ASAN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
));
2080 if (last_size_aligned
)
2082 shadow_mem
= adjust_address (shadow_mem
, VOIDmode
,
2083 (last_offset
- prev_offset
)
2084 >> ASAN_SHADOW_SHIFT
);
2085 asan_clear_shadow (shadow_mem
, last_size_aligned
>> ASAN_SHADOW_SHIFT
);
2088 /* Clean-up set with instrumented stack variables. */
2089 delete asan_handled_variables
;
2090 asan_handled_variables
= NULL
;
2091 delete asan_used_labels
;
2092 asan_used_labels
= NULL
;
2094 do_pending_stack_adjust ();
2098 insns
= get_insns ();
/* Emit __asan_allocas_unpoison (top, bot) call.  The BASE parameter
   corresponds to BOT argument, for TOP virtual_stack_dynamic_rtx is used.
   NEW_SEQUENCE indicates whether we're emitting new instructions sequence
   or not.  */

rtx_insn *
asan_emit_allocas_unpoison (rtx top, rtx bot, rtx_insn *before)
{
  if (before)
    push_to_sequence (before);
  else
    start_sequence ();

  rtx ret = init_one_libfunc ("__asan_allocas_unpoison");
  top = convert_memory_address (ptr_mode, top);
  bot = convert_memory_address (ptr_mode, bot);
  emit_library_call (ret, LCT_NORMAL, ptr_mode,
		     top, ptr_mode, bot, ptr_mode);

  do_pending_stack_adjust ();
  rtx_insn *insns = get_insns ();
  end_sequence ();
  return insns;
}
/* Return true if DECL, a global var, might be overridden and needs
   therefore a local alias.  */

static bool
asan_needs_local_alias (tree decl)
{
  return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
}
/* Return true if DECL, a global var, is an artificial ODR indicator symbol
   therefore doesn't need protection.  */

static bool
is_odr_indicator (tree decl)
{
  return (DECL_ARTIFICIAL (decl)
	  && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl)));
}
/* Return true if DECL is a VAR_DECL that should be protected
   by Address Sanitizer, by appending a red zone with protected
   shadow memory after it and aligning it to at least
   ASAN_RED_ZONE_SIZE bytes.  */

bool
asan_protect_global (tree decl, bool ignore_decl_rtl_set_p)
{
  if (!param_asan_globals)
    return false;
2158 if (TREE_CODE (decl
) == STRING_CST
)
2160 /* Instrument all STRING_CSTs except those created
2161 by asan_pp_string here. */
2162 if (shadow_ptr_types
[0] != NULL_TREE
2163 && TREE_CODE (TREE_TYPE (decl
)) == ARRAY_TYPE
2164 && TREE_TYPE (TREE_TYPE (decl
)) == TREE_TYPE (shadow_ptr_types
[0]))
2169 /* TLS vars aren't statically protectable. */
2170 || DECL_THREAD_LOCAL_P (decl
)
2171 /* Externs will be protected elsewhere. */
2172 || DECL_EXTERNAL (decl
)
2173 /* PR sanitizer/81697: For architectures that use section anchors first
2174 call to asan_protect_global may occur before DECL_RTL (decl) is set.
2175 We should ignore DECL_RTL_SET_P then, because otherwise the first call
2176 to asan_protect_global will return FALSE and the following calls on the
2177 same decl after setting DECL_RTL (decl) will return TRUE and we'll end
2178 up with inconsistency at runtime. */
2179 || (!DECL_RTL_SET_P (decl
) && !ignore_decl_rtl_set_p
)
2180 /* Comdat vars pose an ABI problem, we can't know if
2181 the var that is selected by the linker will have
2183 || DECL_ONE_ONLY (decl
)
2184 /* Similarly for common vars. People can use -fno-common.
2185 Note: Linux kernel is built with -fno-common, so we do instrument
2186 globals there even if it is C. */
2187 || (DECL_COMMON (decl
) && TREE_PUBLIC (decl
))
2188 /* Don't protect if using user section, often vars placed
2189 into user section from multiple TUs are then assumed
2190 to be an array of such vars, putting padding in there
2191 breaks this assumption. */
2192 || (DECL_SECTION_NAME (decl
) != NULL
2193 && !symtab_node::get (decl
)->implicit_section
2194 && !section_sanitized_p (DECL_SECTION_NAME (decl
)))
2195 || DECL_SIZE (decl
) == 0
2196 || ASAN_RED_ZONE_SIZE
* BITS_PER_UNIT
> MAX_OFILE_ALIGNMENT
2197 || TREE_CODE (DECL_SIZE_UNIT (decl
)) != INTEGER_CST
2198 || !valid_constant_size_p (DECL_SIZE_UNIT (decl
))
2199 || DECL_ALIGN_UNIT (decl
) > 2 * ASAN_RED_ZONE_SIZE
2200 || TREE_TYPE (decl
) == ubsan_get_source_location_type ()
2201 || is_odr_indicator (decl
))
2204 if (!ignore_decl_rtl_set_p
|| DECL_RTL_SET_P (decl
))
2207 rtl
= DECL_RTL (decl
);
2208 if (!MEM_P (rtl
) || GET_CODE (XEXP (rtl
, 0)) != SYMBOL_REF
)
2210 symbol
= XEXP (rtl
, 0);
2212 if (CONSTANT_POOL_ADDRESS_P (symbol
)
2213 || TREE_CONSTANT_POOL_ADDRESS_P (symbol
))
2217 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl
)))
2220 if (!TARGET_SUPPORTS_ALIASES
&& asan_needs_local_alias (decl
))
/* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
   IS_STORE is either 1 (for a store) or 0 (for a load).  */

static tree
report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
		   int *nargs)
{
  gcc_assert (!hwasan_sanitize_p ());

  static enum built_in_function report[2][2][6]
    = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
	    BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
	    BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
	  { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
	    BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
	    BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
	{ { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
	    BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
	    BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
	    BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
	    BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
	    BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
	  { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
	    BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
	    BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
	    BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
	    BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
	    BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
  if (size_in_bytes == -1)
    {
      *nargs = 2;
      return builtin_decl_implicit (report[recover_p][is_store][5]);
    }
  *nargs = 1;
  int size_log2 = exact_log2 (size_in_bytes);
  return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
}
/* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
   IS_STORE is either 1 (for a store) or 0 (for a load).  */

static tree
check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
	    int *nargs)
{
  static enum built_in_function check[2][2][6]
    = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
	    BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
	    BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
	  { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
	    BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
	    BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
	{ { BUILT_IN_ASAN_LOAD1_NOABORT,
	    BUILT_IN_ASAN_LOAD2_NOABORT,
	    BUILT_IN_ASAN_LOAD4_NOABORT,
	    BUILT_IN_ASAN_LOAD8_NOABORT,
	    BUILT_IN_ASAN_LOAD16_NOABORT,
	    BUILT_IN_ASAN_LOADN_NOABORT },
	  { BUILT_IN_ASAN_STORE1_NOABORT,
	    BUILT_IN_ASAN_STORE2_NOABORT,
	    BUILT_IN_ASAN_STORE4_NOABORT,
	    BUILT_IN_ASAN_STORE8_NOABORT,
	    BUILT_IN_ASAN_STORE16_NOABORT,
	    BUILT_IN_ASAN_STOREN_NOABORT } } };
  if (size_in_bytes == -1)
    {
      *nargs = 2;
      return builtin_decl_implicit (check[recover_p][is_store][5]);
    }
  *nargs = 1;
  int size_log2 = exact_log2 (size_in_bytes);
  return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
}
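/* For example, a 4-byte store instrumented without recovery selects
   check[0][1][exact_log2 (4)], i.e. BUILT_IN_ASAN_STORE4 and thus a call
   to __asan_store4 (addr); with -fsanitize-recover=address the
   check[1][1][2] entry selects __asan_store4_noabort instead.
   (Illustrative index walk-through only.)  */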
/* Split the current basic block and create a condition statement
   insertion point right before or after the statement pointed to by
   ITER.  Return an iterator to the point at which the caller might
   safely insert the condition statement.

   THEN_BLOCK must be set to the address of an uninitialized instance
   of basic_block.  The function will then set *THEN_BLOCK to the
   'then block' of the condition statement to be inserted by the
   caller.

   If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
   *THEN_BLOCK to *FALLTHROUGH_BLOCK.

   Similarly, the function will set *FALLTHROUGH_BLOCK to the 'else
   block' of the condition statement to be inserted by the caller.

   Note that *FALLTHROUGH_BLOCK is a new block that contains the
   statements starting from *ITER, and *THEN_BLOCK is a new empty
   block.

   *ITER is adjusted to always point to the first statement
   of the basic block *FALLTHROUGH_BLOCK.  That statement is the
   same as what ITER was pointing to prior to calling this function,
   if BEFORE_P is true; otherwise, it is its following statement.  */
static gimple_stmt_iterator
create_cond_insert_point (gimple_stmt_iterator *iter,
			  bool before_p,
			  bool then_more_likely_p,
			  bool create_then_fallthru_edge,
			  basic_block *then_block,
			  basic_block *fallthrough_block)
{
  gimple_stmt_iterator gsi = *iter;

  if (!gsi_end_p (gsi) && before_p)
    gsi_prev (&gsi);

  basic_block cur_bb = gsi_bb (*iter);

  edge e = split_block (cur_bb, gsi_stmt (gsi));

  /* Get a hold on the 'condition block', the 'then block' and the
     'else block'.  */
  basic_block cond_bb = e->src;
  basic_block fallthru_bb = e->dest;
  basic_block then_bb = create_empty_bb (cond_bb);
  if (current_loops)
    {
      add_bb_to_loop (then_bb, cond_bb->loop_father);
      loops_state_set (LOOPS_NEED_FIXUP);
    }

  /* Set up the newly created 'then block'.  */
  e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
  profile_probability fallthrough_probability
    = then_more_likely_p
    ? profile_probability::very_unlikely ()
    : profile_probability::very_likely ();
  e->probability = fallthrough_probability.invert ();
  then_bb->count = e->count ();
  if (create_then_fallthru_edge)
    make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);

  /* Set up the fallthrough basic block.  */
  e = find_edge (cond_bb, fallthru_bb);
  e->flags = EDGE_FALSE_VALUE;
  e->probability = fallthrough_probability;

  /* Update dominance info for the newly created then_bb; note that
     fallthru_bb's dominance info has already been updated by
     split_block.  */
  if (dom_info_available_p (CDI_DOMINATORS))
    set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);

  *then_block = then_bb;
  *fallthrough_block = fallthru_bb;
  *iter = gsi_start_bb (fallthru_bb);

  return gsi_last_bb (cond_bb);
}
/* Insert an if condition followed by a 'then block' right before the
   statement pointed to by ITER.  The fallthrough block -- which is the
   else block of the condition as well as the destination of the
   outgoing edge of the 'then block' -- starts with the statement
   pointed to by ITER.

   COND is the condition of the if.

   If THEN_MORE_LIKELY_P is true, the probability of the edge to the
   'then block' is higher than the probability of the edge to the
   fallthrough block.

   Upon completion of the function, *THEN_BB is set to the newly
   inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
   fallthrough block.

   *ITER is adjusted to still point to the same statement it was
   pointing to initially.  */

static void
insert_if_then_before_iter (gcond *cond,
			    gimple_stmt_iterator *iter,
			    bool then_more_likely_p,
			    basic_block *then_bb,
			    basic_block *fallthrough_bb)
{
  gimple_stmt_iterator cond_insert_point =
    create_cond_insert_point (iter,
			      /*before_p=*/true,
			      then_more_likely_p,
			      /*create_then_fallthru_edge=*/true,
			      then_bb,
			      fallthrough_bb);
  gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
}
/* Build
   (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
   If RETURN_ADDRESS is set to true, return memory location instead
   of a value in the shadow memory.  */
static tree
build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
			 tree base_addr, tree shadow_ptr_type,
			 bool return_address = false)
{
  tree t, uintptr_type = TREE_TYPE (base_addr);
  tree shadow_type = TREE_TYPE (shadow_ptr_type);
  gimple *g;

  t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
  g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
			   base_addr, t);
  gimple_set_location (g, location);
  gsi_insert_after (gsi, g, GSI_NEW_STMT);

  t = build_int_cst (uintptr_type, asan_shadow_offset ());
  g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
			   gimple_assign_lhs (g), t);
  gimple_set_location (g, location);
  gsi_insert_after (gsi, g, GSI_NEW_STMT);

  g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
			   gimple_assign_lhs (g));
  gimple_set_location (g, location);
  gsi_insert_after (gsi, g, GSI_NEW_STMT);

  if (!return_address)
    {
      t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
		  build_int_cst (shadow_ptr_type, 0));
      g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
      gimple_set_location (g, location);
      gsi_insert_after (gsi, g, GSI_NEW_STMT);
    }

  return gimple_assign_lhs (g);
}
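/* A minimal sketch (not part of the compiler) of the run-time arithmetic
   that the gimple built above performs, assuming the usual
   ASAN_SHADOW_SHIFT of 3 and a stand-in SHADOW_OFFSET constant for the
   target's asan_shadow_offset () value (commonly 0x7fff8000 on x86_64
   GNU/Linux, but target dependent).  */
#if 0
#include <stdint.h>
#define SHADOW_OFFSET 0x7fff8000ull	/* hypothetical stand-in */

static inline unsigned char *
shadow_byte_for (uintptr_t addr)
{
  /* Each shadow byte describes one 8-byte granule of application memory.  */
  return (unsigned char *) ((addr >> 3) + SHADOW_OFFSET);
}
#endif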
/* BASE can already be an SSA_NAME; in that case, do not create a
   new SSA_NAME for it.  */

static tree
maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
		       bool before_p)
{
  STRIP_USELESS_TYPE_CONVERSION (base);
  if (TREE_CODE (base) == SSA_NAME)
    return base;
  gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)), base);
  gimple_set_location (g, loc);
  if (before_p)
    gsi_insert_before (iter, g, GSI_SAME_STMT);
  else
    gsi_insert_after (iter, g, GSI_NEW_STMT);
  return gimple_assign_lhs (g);
}
/* LEN can already have necessary size and precision;
   in that case, do not create a new variable.  */

static tree
maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
		       bool before_p)
{
  if (ptrofftype_p (len))
    return len;
  gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
				   NOP_EXPR, len);
  gimple_set_location (g, loc);
  if (before_p)
    gsi_insert_before (iter, g, GSI_SAME_STMT);
  else
    gsi_insert_after (iter, g, GSI_NEW_STMT);
  return gimple_assign_lhs (g);
}
/* Instrument the memory access instruction BASE.  Insert new
   statements before or after ITER.

   Note that the memory access represented by BASE can be either an
   SSA_NAME, or a non-SSA expression.  LOCATION is the source code
   location.  IS_STORE is TRUE for a store, FALSE for a load.
   BEFORE_P is TRUE for inserting the instrumentation code before
   ITER, FALSE for inserting it after ITER.  IS_SCALAR_ACCESS is TRUE
   for a scalar memory access and FALSE for memory region access.
   NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
   length.  ALIGN tells alignment of accessed memory object.

   START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
   memory region have already been instrumented.

   If BEFORE_P is TRUE, *ITER is arranged to still point to the
   statement it was pointing to prior to calling this function,
   otherwise, it points to the statement logically following it.  */
2518 build_check_stmt (location_t loc
, tree base
, tree len
,
2519 HOST_WIDE_INT size_in_bytes
, gimple_stmt_iterator
*iter
,
2520 bool is_non_zero_len
, bool before_p
, bool is_store
,
2521 bool is_scalar_access
, unsigned int align
= 0)
2523 gimple_stmt_iterator gsi
= *iter
;
2526 gcc_assert (!(size_in_bytes
> 0 && !is_non_zero_len
));
2527 gcc_assert (size_in_bytes
== -1 || size_in_bytes
>= 1);
2531 base
= unshare_expr (base
);
2532 base
= maybe_create_ssa_name (loc
, base
, &gsi
, before_p
);
2536 len
= unshare_expr (len
);
2537 len
= maybe_cast_to_ptrmode (loc
, len
, iter
, before_p
);
2541 gcc_assert (size_in_bytes
!= -1);
2542 len
= build_int_cst (pointer_sized_int_node
, size_in_bytes
);
2545 if (size_in_bytes
> 1)
2547 if ((size_in_bytes
& (size_in_bytes
- 1)) != 0
2548 || size_in_bytes
> 16)
2549 is_scalar_access
= false;
2550 else if (align
&& align
< size_in_bytes
* BITS_PER_UNIT
)
2552 /* On non-strict alignment targets, if
2553 16-byte access is just 8-byte aligned,
2554 this will result in misaligned shadow
2555 memory 2 byte load, but otherwise can
2556 be handled using one read. */
2557 if (size_in_bytes
!= 16
2559 || align
< 8 * BITS_PER_UNIT
)
2560 is_scalar_access
= false;
2564 HOST_WIDE_INT flags
= 0;
2566 flags
|= ASAN_CHECK_STORE
;
2567 if (is_non_zero_len
)
2568 flags
|= ASAN_CHECK_NON_ZERO_LEN
;
2569 if (is_scalar_access
)
2570 flags
|= ASAN_CHECK_SCALAR_ACCESS
;
2572 enum internal_fn fn
= hwasan_sanitize_p ()
2576 g
= gimple_build_call_internal (fn
, 4,
2577 build_int_cst (integer_type_node
, flags
),
2579 build_int_cst (integer_type_node
,
2580 align
/ BITS_PER_UNIT
));
2581 gimple_set_location (g
, loc
);
2583 gsi_insert_before (&gsi
, g
, GSI_SAME_STMT
);
2586 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
/* If T represents a memory access, add instrumentation code before ITER.
   LOCATION is source code location.
   IS_STORE is either TRUE (for a store) or FALSE (for a load).  */
2597 instrument_derefs (gimple_stmt_iterator
*iter
, tree t
,
2598 location_t location
, bool is_store
)
2600 if (is_store
&& !(asan_instrument_writes () || hwasan_instrument_writes ()))
2602 if (!is_store
&& !(asan_instrument_reads () || hwasan_instrument_reads ()))
2606 HOST_WIDE_INT size_in_bytes
;
2607 if (location
== UNKNOWN_LOCATION
)
2608 location
= EXPR_LOCATION (t
);
2610 type
= TREE_TYPE (t
);
2611 switch (TREE_CODE (t
))
2625 size_in_bytes
= int_size_in_bytes (type
);
2626 if (size_in_bytes
<= 0)
2629 poly_int64 bitsize
, bitpos
;
2632 int unsignedp
, reversep
, volatilep
= 0;
2633 tree inner
= get_inner_reference (t
, &bitsize
, &bitpos
, &offset
, &mode
,
2634 &unsignedp
, &reversep
, &volatilep
);
2636 if (TREE_CODE (t
) == COMPONENT_REF
2637 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t
, 1)) != NULL_TREE
)
2639 tree repr
= DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t
, 1));
2640 instrument_derefs (iter
, build3 (COMPONENT_REF
, TREE_TYPE (repr
),
2641 TREE_OPERAND (t
, 0), repr
,
2642 TREE_OPERAND (t
, 2)),
2643 location
, is_store
);
2647 if (!multiple_p (bitpos
, BITS_PER_UNIT
)
2648 || maybe_ne (bitsize
, size_in_bytes
* BITS_PER_UNIT
))
2651 if (VAR_P (inner
) && DECL_HARD_REGISTER (inner
))
2654 poly_int64 decl_size
;
2656 && offset
== NULL_TREE
2657 && DECL_SIZE (inner
)
2658 && poly_int_tree_p (DECL_SIZE (inner
), &decl_size
)
2659 && known_subrange_p (bitpos
, bitsize
, 0, decl_size
))
2661 if (DECL_THREAD_LOCAL_P (inner
))
2663 /* If we're not sanitizing globals and we can tell statically that this
2664 access is inside a global variable, then there's no point adding
2665 instrumentation to check the access. N.b. hwasan currently never
2666 sanitizes globals. */
2667 if ((hwasan_sanitize_p () || !param_asan_globals
)
2668 && is_global_var (inner
))
2670 if (!TREE_STATIC (inner
))
2672 /* Automatic vars in the current function will be always
2674 if (decl_function_context (inner
) == current_function_decl
2675 && (!asan_sanitize_use_after_scope ()
2676 || !TREE_ADDRESSABLE (inner
)))
2679 /* Always instrument external vars, they might be dynamically
2681 else if (!DECL_EXTERNAL (inner
))
2683 /* For static vars if they are known not to be dynamically
2684 initialized, they will be always accessible. */
2685 varpool_node
*vnode
= varpool_node::get (inner
);
2686 if (vnode
&& !vnode
->dynamically_initialized
)
2691 base
= build_fold_addr_expr (t
);
2692 if (!has_mem_ref_been_instrumented (base
, size_in_bytes
))
2694 unsigned int align
= get_object_alignment (t
);
2695 build_check_stmt (location
, base
, NULL_TREE
, size_in_bytes
, iter
,
2696 /*is_non_zero_len*/size_in_bytes
> 0, /*before_p=*/true,
2697 is_store
, /*is_scalar_access*/true, align
);
2698 update_mem_ref_hash_table (base
, size_in_bytes
);
2699 update_mem_ref_hash_table (t
, size_in_bytes
);
/* Insert a memory reference into the hash table if access length
   can be determined at compile time.  */

static void
maybe_update_mem_ref_hash_table (tree base, tree len)
{
  if (!POINTER_TYPE_P (TREE_TYPE (base))
      || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
    return;

  HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;

  if (size_in_bytes != -1)
    update_mem_ref_hash_table (base, size_in_bytes);
}
/* Instrument an access to a contiguous memory region that starts at
   the address pointed to by BASE, over a length of LEN (expressed in
   the sizeof (*BASE) bytes).  ITER points to the instruction before
   which the instrumentation instructions must be inserted.  LOCATION
   is the source location that the instrumentation instructions must
   have.  If IS_STORE is true, then the memory access is a store;
   otherwise, it's a load.  */

static void
instrument_mem_region_access (tree base, tree len,
			      gimple_stmt_iterator *iter,
			      location_t location, bool is_store)
{
  if (!POINTER_TYPE_P (TREE_TYPE (base))
      || !INTEGRAL_TYPE_P (TREE_TYPE (len))
      || integer_zerop (len))
    return;

  HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;

  if ((size_in_bytes == -1)
      || !has_mem_ref_been_instrumented (base, size_in_bytes))
    build_check_stmt (location, base, len, size_in_bytes, iter,
		      /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
		      is_store, /*is_scalar_access*/false, /*align*/0);

  maybe_update_mem_ref_hash_table (base, len);
  *iter = gsi_for_stmt (gsi_stmt (*iter));
}
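/* Conceptual sketch (not part of GCC) of what the region check emitted
   above amounts to once the ASAN_CHECK internal call is expanded later:
   both ends of the accessed range must be addressable.
   `shadow_says_addressable' and `report_region_error' are hypothetical
   helpers standing in for the real shadow-memory test and error report.  */
#if 0
static void
region_check_sketch (const char *base, size_t len, bool is_store)
{
  if (len == 0)
    return;
  /* Check the first and the last byte of [base, base + len).  */
  if (!shadow_says_addressable (base)
      || !shadow_says_addressable (base + len - 1))
    report_region_error (base, len, is_store);
}
#endif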
/* Instrument the call to a built-in memory access function that is
   pointed to by the iterator ITER.

   Upon completion, return TRUE iff *ITER has been advanced to the
   statement following the one it was originally pointing to.  */
2759 instrument_builtin_call (gimple_stmt_iterator
*iter
)
2761 if (!(asan_memintrin () || hwasan_memintrin ()))
2764 bool iter_advanced_p
= false;
2765 gcall
*call
= as_a
<gcall
*> (gsi_stmt (*iter
));
2767 gcc_checking_assert (gimple_call_builtin_p (call
, BUILT_IN_NORMAL
));
2769 location_t loc
= gimple_location (call
);
2771 asan_mem_ref src0
, src1
, dest
;
2772 asan_mem_ref_init (&src0
, NULL
, 1);
2773 asan_mem_ref_init (&src1
, NULL
, 1);
2774 asan_mem_ref_init (&dest
, NULL
, 1);
2776 tree src0_len
= NULL_TREE
, src1_len
= NULL_TREE
, dest_len
= NULL_TREE
;
2777 bool src0_is_store
= false, src1_is_store
= false, dest_is_store
= false,
2778 dest_is_deref
= false, intercepted_p
= true;
2780 if (get_mem_refs_of_builtin_call (call
,
2781 &src0
, &src0_len
, &src0_is_store
,
2782 &src1
, &src1_len
, &src1_is_store
,
2783 &dest
, &dest_len
, &dest_is_store
,
2784 &dest_is_deref
, &intercepted_p
, iter
))
2788 instrument_derefs (iter
, dest
.start
, loc
, dest_is_store
);
2790 iter_advanced_p
= true;
2792 else if (!intercepted_p
2793 && (src0_len
|| src1_len
|| dest_len
))
2795 if (src0
.start
!= NULL_TREE
)
2796 instrument_mem_region_access (src0
.start
, src0_len
,
2797 iter
, loc
, /*is_store=*/false);
2798 if (src1
.start
!= NULL_TREE
)
2799 instrument_mem_region_access (src1
.start
, src1_len
,
2800 iter
, loc
, /*is_store=*/false);
2801 if (dest
.start
!= NULL_TREE
)
2802 instrument_mem_region_access (dest
.start
, dest_len
,
2803 iter
, loc
, /*is_store=*/true);
2805 *iter
= gsi_for_stmt (call
);
2807 iter_advanced_p
= true;
2811 if (src0
.start
!= NULL_TREE
)
2812 maybe_update_mem_ref_hash_table (src0
.start
, src0_len
);
2813 if (src1
.start
!= NULL_TREE
)
2814 maybe_update_mem_ref_hash_table (src1
.start
, src1_len
);
2815 if (dest
.start
!= NULL_TREE
)
2816 maybe_update_mem_ref_hash_table (dest
.start
, dest_len
);
2819 return iter_advanced_p
;
/* Instrument the assignment statement ITER if it is subject to
   instrumentation.  Return TRUE iff instrumentation actually
   happened.  In that case, the iterator ITER is advanced to the next
   logical expression following the one initially pointed to by ITER,
   and the relevant memory reference whose access has been
   instrumented is added to the memory references hash table.  */

static bool
maybe_instrument_assignment (gimple_stmt_iterator *iter)
{
  gimple *s = gsi_stmt (*iter);

  gcc_assert (gimple_assign_single_p (s));

  tree ref_expr = NULL_TREE;
  bool is_store, is_instrumented = false;

  if (gimple_store_p (s))
    {
      ref_expr = gimple_assign_lhs (s);
      is_store = true;
      instrument_derefs (iter, ref_expr,
			 gimple_location (s),
			 is_store);
      is_instrumented = true;
    }

  if (gimple_assign_load_p (s))
    {
      ref_expr = gimple_assign_rhs1 (s);
      is_store = false;
      instrument_derefs (iter, ref_expr,
			 gimple_location (s),
			 is_store);
      is_instrumented = true;
    }

  if (is_instrumented)
    gsi_next (iter);

  return is_instrumented;
}
/* Instrument the function call pointed to by the iterator ITER, if it
   is subject to instrumentation.  At the moment, the only function
   calls that are instrumented are some built-in functions that access
   memory.  Look at instrument_builtin_call to learn more.

   Upon completion return TRUE iff *ITER was advanced to the statement
   following the one it was originally pointing to.  */
2874 maybe_instrument_call (gimple_stmt_iterator
*iter
)
2876 gimple
*stmt
= gsi_stmt (*iter
);
2877 bool is_builtin
= gimple_call_builtin_p (stmt
, BUILT_IN_NORMAL
);
2879 if (is_builtin
&& instrument_builtin_call (iter
))
2882 if (gimple_call_noreturn_p (stmt
))
2886 tree callee
= gimple_call_fndecl (stmt
);
2887 switch (DECL_FUNCTION_CODE (callee
))
2889 case BUILT_IN_UNREACHABLE
:
2891 /* Don't instrument these. */
      /* If a function does not return, then we must handle clearing up the
	 shadow stack accordingly.  For ASAN we can simply set the entire stack
	 to "valid" for accesses by setting the shadow space to 0 and all
	 accesses will pass checks.  That means that some bad accesses may be
	 missed, but we will not report any false positives.

	 This is not possible for HWASAN.  Since there is no "always valid" tag
	 we can not set any space to "always valid".  If we were to clear the
	 entire shadow stack then code resuming from `longjmp` or a caught
	 exception would trigger false positives when correctly accessing
	 variables on the stack.  Hence we need to handle things like
	 `longjmp`, thread exit, and exceptions in a different way.  These
	 problems must be handled externally to the compiler, e.g. in the
	 language runtime.  */
2911 if (! hwasan_sanitize_p ())
2913 tree decl
= builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN
);
2914 gimple
*g
= gimple_build_call (decl
, 0);
2915 gimple_set_location (g
, gimple_location (stmt
));
2916 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
2920 bool instrumented
= false;
2921 if (gimple_store_p (stmt
))
2923 tree ref_expr
= gimple_call_lhs (stmt
);
2924 instrument_derefs (iter
, ref_expr
,
2925 gimple_location (stmt
),
2928 instrumented
= true;
  /* Walk through gimple_call arguments and check them if needed.  */
2932 unsigned args_num
= gimple_call_num_args (stmt
);
2933 for (unsigned i
= 0; i
< args_num
; ++i
)
2935 tree arg
= gimple_call_arg (stmt
, i
);
      /* If ARG is not a non-aggregate register variable, the compiler in
	 general creates a temporary for it and passes it as an argument to
	 the gimple call.  But in some cases, e.g. when we pass by value a
	 small structure that fits in a register, the compiler can avoid the
	 extra overhead by pulling out these temporaries.  In this case, we
	 should check the argument.  */
2941 if (!is_gimple_reg (arg
) && !is_gimple_min_invariant (arg
))
2943 instrument_derefs (iter
, arg
,
2944 gimple_location (stmt
),
2945 /*is_store=*/false);
2946 instrumented
= true;
2951 return instrumented
;
/* Walk each instruction of all basic blocks and instrument those that
   represent memory references: loads, stores, or function calls.
   In a given basic block, this function avoids instrumenting memory
   references that have already been instrumented.  */
2960 transform_statements (void)
2962 basic_block bb
, last_bb
= NULL
;
2963 gimple_stmt_iterator i
;
2964 int saved_last_basic_block
= last_basic_block_for_fn (cfun
);
2966 FOR_EACH_BB_FN (bb
, cfun
)
2968 basic_block prev_bb
= bb
;
2970 if (bb
->index
>= saved_last_basic_block
) continue;
2972 /* Flush the mem ref hash table, if current bb doesn't have
2973 exactly one predecessor, or if that predecessor (skipping
2974 over asan created basic blocks) isn't the last processed
2975 basic block. Thus we effectively flush on extended basic
2976 block boundaries. */
2977 while (single_pred_p (prev_bb
))
2979 prev_bb
= single_pred (prev_bb
);
2980 if (prev_bb
->index
< saved_last_basic_block
)
2983 if (prev_bb
!= last_bb
)
2984 empty_mem_ref_hash_table ();
2987 for (i
= gsi_start_bb (bb
); !gsi_end_p (i
);)
2989 gimple
*s
= gsi_stmt (i
);
2991 if (has_stmt_been_instrumented_p (s
))
2993 else if (gimple_assign_single_p (s
)
2994 && !gimple_clobber_p (s
)
2995 && maybe_instrument_assignment (&i
))
2996 /* Nothing to do as maybe_instrument_assignment advanced
2998 else if (is_gimple_call (s
) && maybe_instrument_call (&i
))
2999 /* Nothing to do as maybe_instrument_call
3000 advanced the iterator I. */;
3003 /* No instrumentation happened.
3005 If the current instruction is a function call that
3006 might free something, let's forget about the memory
3007 references that got instrumented. Otherwise we might
3008 miss some instrumentation opportunities. Do the same
3009 for a ASAN_MARK poisoning internal function. */
3010 if (is_gimple_call (s
)
3011 && (!nonfreeing_call_p (s
)
3012 || asan_mark_p (s
, ASAN_MARK_POISON
)))
3013 empty_mem_ref_hash_table ();
3019 free_mem_ref_resources ();
/* Build
     __asan_before_dynamic_init (module_name)
   or
     __asan_after_dynamic_init ()
   call.  */

tree
asan_dynamic_init_call (bool after_p)
{
  if (shadow_ptr_types[0] == NULL_TREE)
    asan_init_shadow_ptr_types ();

  tree fn = builtin_decl_implicit (after_p
				   ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
				   : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
  tree module_name_cst = NULL_TREE;
  if (!after_p)
    {
      pretty_printer module_name_pp;
      pp_string (&module_name_pp, main_input_filename);

      module_name_cst = asan_pp_string (&module_name_pp);
      module_name_cst = fold_convert (const_ptr_type_node,
				      module_name_cst);
    }

  return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
}
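/* For a translation unit foo.cc containing a dynamically initialized
   global, the generated module constructor brackets the initialization
   roughly as

     __asan_before_dynamic_init ("foo.cc");
     ... run the global's initializer ...
     __asan_after_dynamic_init ();

   which lets the run-time library detect initialization-order bugs.
   (Illustrative shape of the generated calls, not literal output.)  */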
/* Build
   struct __asan_global
   {
     const void *__beg;
     uptr __size;
     uptr __size_with_redzone;
     const void *__name;
     const void *__module_name;
     uptr __has_dynamic_init;
     __asan_global_source_location *__location;
     char *__odr_indicator;
   } type.  */

static tree
asan_global_struct (void)
{
3067 static const char *field_names
[]
3068 = { "__beg", "__size", "__size_with_redzone",
3069 "__name", "__module_name", "__has_dynamic_init", "__location",
3070 "__odr_indicator" };
3071 tree fields
[ARRAY_SIZE (field_names
)], ret
;
3074 ret
= make_node (RECORD_TYPE
);
3075 for (i
= 0; i
< ARRAY_SIZE (field_names
); i
++)
3078 = build_decl (UNKNOWN_LOCATION
, FIELD_DECL
,
3079 get_identifier (field_names
[i
]),
3080 (i
== 0 || i
== 3) ? const_ptr_type_node
3081 : pointer_sized_int_node
);
3082 DECL_CONTEXT (fields
[i
]) = ret
;
3084 DECL_CHAIN (fields
[i
- 1]) = fields
[i
];
3086 tree type_decl
= build_decl (input_location
, TYPE_DECL
,
3087 get_identifier ("__asan_global"), ret
);
3088 DECL_IGNORED_P (type_decl
) = 1;
3089 DECL_ARTIFICIAL (type_decl
) = 1;
3090 TYPE_FIELDS (ret
) = fields
[0];
3091 TYPE_NAME (ret
) = type_decl
;
3092 TYPE_STUB_DECL (ret
) = type_decl
;
3093 TYPE_ARTIFICIAL (ret
) = 1;
3098 /* Create and return odr indicator symbol for DECL.
3099 TYPE is __asan_global struct type as returned by asan_global_struct. */
3102 create_odr_indicator (tree decl
, tree type
)
3105 tree uptr
= TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type
)));
3107 = (HAS_DECL_ASSEMBLER_NAME_P (decl
) ? DECL_ASSEMBLER_NAME (decl
)
3108 : DECL_NAME (decl
));
3109 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
3110 if (decl_name
== NULL_TREE
)
3111 return build_int_cst (uptr
, 0);
3112 const char *dname
= IDENTIFIER_POINTER (decl_name
);
3113 if (HAS_DECL_ASSEMBLER_NAME_P (decl
))
3114 dname
= targetm
.strip_name_encoding (dname
);
3115 size_t len
= strlen (dname
) + sizeof ("__odr_asan_");
3116 name
= XALLOCAVEC (char, len
);
3117 snprintf (name
, len
, "__odr_asan_%s", dname
);
3118 #ifndef NO_DOT_IN_LABEL
3119 name
[sizeof ("__odr_asan") - 1] = '.';
3120 #elif !defined(NO_DOLLAR_IN_LABEL)
3121 name
[sizeof ("__odr_asan") - 1] = '$';
3123 tree var
= build_decl (UNKNOWN_LOCATION
, VAR_DECL
, get_identifier (name
),
3125 TREE_ADDRESSABLE (var
) = 1;
3126 TREE_READONLY (var
) = 0;
3127 TREE_THIS_VOLATILE (var
) = 1;
3128 DECL_ARTIFICIAL (var
) = 1;
3129 DECL_IGNORED_P (var
) = 1;
3130 TREE_STATIC (var
) = 1;
3131 TREE_PUBLIC (var
) = 1;
3132 DECL_VISIBILITY (var
) = DECL_VISIBILITY (decl
);
3133 DECL_VISIBILITY_SPECIFIED (var
) = DECL_VISIBILITY_SPECIFIED (decl
);
3135 TREE_USED (var
) = 1;
3136 tree ctor
= build_constructor_va (TREE_TYPE (var
), 1, NULL_TREE
,
3137 build_int_cst (unsigned_type_node
, 0));
3138 TREE_CONSTANT (ctor
) = 1;
3139 TREE_STATIC (ctor
) = 1;
3140 DECL_INITIAL (var
) = ctor
;
3141 DECL_ATTRIBUTES (var
) = tree_cons (get_identifier ("asan odr indicator"),
3142 NULL
, DECL_ATTRIBUTES (var
));
3143 make_decl_rtl (var
);
3144 varpool_node::finalize_decl (var
);
3145 return fold_convert (uptr
, build_fold_addr_expr (var
));
/* Return true if DECL, a global var, might be overridden and needs
   an additional odr indicator symbol.  */

static bool
asan_needs_odr_indicator_p (tree decl)
{
  /* Don't emit ODR indicators for kernel because:
     a) Kernel is written in C thus doesn't need ODR indicators.
     b) Some kernel code may have assumptions about symbols containing specific
	patterns in their names.  Since ODR indicators contain original names
	of symbols they are emitted for, these assumptions would be broken for
	ODR indicator symbols.  */
  return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS)
	  && !DECL_ARTIFICIAL (decl)
	  && !DECL_WEAK (decl)
	  && TREE_PUBLIC (decl));
}
3166 /* Append description of a single global DECL into vector V.
3167 TYPE is __asan_global struct type as returned by asan_global_struct. */
3170 asan_add_global (tree decl
, tree type
, vec
<constructor_elt
, va_gc
> *v
)
3172 tree init
, uptr
= TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type
)));
3173 unsigned HOST_WIDE_INT size
;
3174 tree str_cst
, module_name_cst
, refdecl
= decl
;
3175 vec
<constructor_elt
, va_gc
> *vinner
= NULL
;
3177 pretty_printer asan_pp
, module_name_pp
;
3179 if (DECL_NAME (decl
))
3180 pp_tree_identifier (&asan_pp
, DECL_NAME (decl
));
3182 pp_string (&asan_pp
, "<unknown>");
3183 str_cst
= asan_pp_string (&asan_pp
);
3185 pp_string (&module_name_pp
, main_input_filename
);
3186 module_name_cst
= asan_pp_string (&module_name_pp
);
3188 if (asan_needs_local_alias (decl
))
3191 ASM_GENERATE_INTERNAL_LABEL (buf
, "LASAN", vec_safe_length (v
) + 1);
3192 refdecl
= build_decl (DECL_SOURCE_LOCATION (decl
),
3193 VAR_DECL
, get_identifier (buf
), TREE_TYPE (decl
));
3194 TREE_ADDRESSABLE (refdecl
) = TREE_ADDRESSABLE (decl
);
3195 TREE_READONLY (refdecl
) = TREE_READONLY (decl
);
3196 TREE_THIS_VOLATILE (refdecl
) = TREE_THIS_VOLATILE (decl
);
3197 DECL_NOT_GIMPLE_REG_P (refdecl
) = DECL_NOT_GIMPLE_REG_P (decl
);
3198 DECL_ARTIFICIAL (refdecl
) = DECL_ARTIFICIAL (decl
);
3199 DECL_IGNORED_P (refdecl
) = DECL_IGNORED_P (decl
);
3200 TREE_STATIC (refdecl
) = 1;
3201 TREE_PUBLIC (refdecl
) = 0;
3202 TREE_USED (refdecl
) = 1;
3203 assemble_alias (refdecl
, DECL_ASSEMBLER_NAME (decl
));
3206 tree odr_indicator_ptr
3207 = (asan_needs_odr_indicator_p (decl
) ? create_odr_indicator (decl
, type
)
3208 : build_int_cst (uptr
, 0));
3209 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
,
3210 fold_convert (const_ptr_type_node
,
3211 build_fold_addr_expr (refdecl
)));
3212 size
= tree_to_uhwi (DECL_SIZE_UNIT (decl
));
3213 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
, build_int_cst (uptr
, size
));
3214 size
+= asan_red_zone_size (size
);
3215 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
, build_int_cst (uptr
, size
));
3216 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
,
3217 fold_convert (const_ptr_type_node
, str_cst
));
3218 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
,
3219 fold_convert (const_ptr_type_node
, module_name_cst
));
3220 varpool_node
*vnode
= varpool_node::get (decl
);
3221 int has_dynamic_init
= 0;
3222 /* FIXME: Enable initialization order fiasco detection in LTO mode once
3223 proper fix for PR 79061 will be applied. */
3225 has_dynamic_init
= vnode
? vnode
->dynamically_initialized
: 0;
3226 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
,
3227 build_int_cst (uptr
, has_dynamic_init
));
3228 tree locptr
= NULL_TREE
;
3229 location_t loc
= DECL_SOURCE_LOCATION (decl
);
3230 expanded_location xloc
= expand_location (loc
);
3231 if (xloc
.file
!= NULL
)
3233 static int lasanloccnt
= 0;
3235 ASM_GENERATE_INTERNAL_LABEL (buf
, "LASANLOC", ++lasanloccnt
);
3236 tree var
= build_decl (UNKNOWN_LOCATION
, VAR_DECL
, get_identifier (buf
),
3237 ubsan_get_source_location_type ());
3238 TREE_STATIC (var
) = 1;
3239 TREE_PUBLIC (var
) = 0;
3240 DECL_ARTIFICIAL (var
) = 1;
3241 DECL_IGNORED_P (var
) = 1;
3242 pretty_printer filename_pp
;
3243 pp_string (&filename_pp
, xloc
.file
);
3244 tree str
= asan_pp_string (&filename_pp
);
3245 tree ctor
= build_constructor_va (TREE_TYPE (var
), 3,
3246 NULL_TREE
, str
, NULL_TREE
,
3247 build_int_cst (unsigned_type_node
,
3248 xloc
.line
), NULL_TREE
,
3249 build_int_cst (unsigned_type_node
,
3251 TREE_CONSTANT (ctor
) = 1;
3252 TREE_STATIC (ctor
) = 1;
3253 DECL_INITIAL (var
) = ctor
;
3254 varpool_node::finalize_decl (var
);
3255 locptr
= fold_convert (uptr
, build_fold_addr_expr (var
));
3258 locptr
= build_int_cst (uptr
, 0);
3259 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
, locptr
);
3260 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
, odr_indicator_ptr
);
3261 init
= build_constructor (type
, vinner
);
3262 CONSTRUCTOR_APPEND_ELT (v
, NULL_TREE
, init
);
3265 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
3267 initialize_sanitizer_builtins (void)
3271 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT
))
3274 tree BT_FN_VOID
= build_function_type_list (void_type_node
, NULL_TREE
);
3276 = build_function_type_list (void_type_node
, ptr_type_node
, NULL_TREE
);
3277 tree BT_FN_VOID_CONST_PTR
3278 = build_function_type_list (void_type_node
, const_ptr_type_node
, NULL_TREE
);
3279 tree BT_FN_VOID_PTR_PTR
3280 = build_function_type_list (void_type_node
, ptr_type_node
,
3281 ptr_type_node
, NULL_TREE
);
3282 tree BT_FN_VOID_PTR_PTR_PTR
3283 = build_function_type_list (void_type_node
, ptr_type_node
,
3284 ptr_type_node
, ptr_type_node
, NULL_TREE
);
3285 tree BT_FN_VOID_PTR_PTRMODE
3286 = build_function_type_list (void_type_node
, ptr_type_node
,
3287 pointer_sized_int_node
, NULL_TREE
);
3289 = build_function_type_list (void_type_node
, integer_type_node
, NULL_TREE
);
3290 tree BT_FN_SIZE_CONST_PTR_INT
3291 = build_function_type_list (size_type_node
, const_ptr_type_node
,
3292 integer_type_node
, NULL_TREE
);
3294 tree BT_FN_VOID_UINT8_UINT8
3295 = build_function_type_list (void_type_node
, unsigned_char_type_node
,
3296 unsigned_char_type_node
, NULL_TREE
);
3297 tree BT_FN_VOID_UINT16_UINT16
3298 = build_function_type_list (void_type_node
, uint16_type_node
,
3299 uint16_type_node
, NULL_TREE
);
3300 tree BT_FN_VOID_UINT32_UINT32
3301 = build_function_type_list (void_type_node
, uint32_type_node
,
3302 uint32_type_node
, NULL_TREE
);
3303 tree BT_FN_VOID_UINT64_UINT64
3304 = build_function_type_list (void_type_node
, uint64_type_node
,
3305 uint64_type_node
, NULL_TREE
);
3306 tree BT_FN_VOID_FLOAT_FLOAT
3307 = build_function_type_list (void_type_node
, float_type_node
,
3308 float_type_node
, NULL_TREE
);
3309 tree BT_FN_VOID_DOUBLE_DOUBLE
3310 = build_function_type_list (void_type_node
, double_type_node
,
3311 double_type_node
, NULL_TREE
);
3312 tree BT_FN_VOID_UINT64_PTR
3313 = build_function_type_list (void_type_node
, uint64_type_node
,
3314 ptr_type_node
, NULL_TREE
);
3316 tree BT_FN_PTR_CONST_PTR_UINT8
3317 = build_function_type_list (ptr_type_node
, const_ptr_type_node
,
3318 unsigned_char_type_node
, NULL_TREE
);
3319 tree BT_FN_VOID_PTR_UINT8_PTRMODE
3320 = build_function_type_list (void_type_node
, ptr_type_node
,
3321 unsigned_char_type_node
,
3322 pointer_sized_int_node
, NULL_TREE
);
3324 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT
[5];
3325 tree BT_FN_IX_CONST_VPTR_INT
[5];
3326 tree BT_FN_IX_VPTR_IX_INT
[5];
3327 tree BT_FN_VOID_VPTR_IX_INT
[5];
3329 = build_pointer_type (build_qualified_type (void_type_node
,
3330 TYPE_QUAL_VOLATILE
));
3332 = build_pointer_type (build_qualified_type (void_type_node
,
3336 = lang_hooks
.types
.type_for_size (BOOL_TYPE_SIZE
, 1);
3338 for (i
= 0; i
< 5; i
++)
3340 tree ix
= build_nonstandard_integer_type (BITS_PER_UNIT
* (1 << i
), 1);
3341 BT_FN_BOOL_VPTR_PTR_IX_INT_INT
[i
]
3342 = build_function_type_list (boolt
, vptr
, ptr_type_node
, ix
,
3343 integer_type_node
, integer_type_node
,
3345 BT_FN_IX_CONST_VPTR_INT
[i
]
3346 = build_function_type_list (ix
, cvptr
, integer_type_node
, NULL_TREE
);
3347 BT_FN_IX_VPTR_IX_INT
[i
]
3348 = build_function_type_list (ix
, vptr
, ix
, integer_type_node
,
3350 BT_FN_VOID_VPTR_IX_INT
[i
]
3351 = build_function_type_list (void_type_node
, vptr
, ix
,
3352 integer_type_node
, NULL_TREE
);
3354 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
3355 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
3356 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
3357 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
3358 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
3359 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
3360 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
3361 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
3362 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
3363 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
3364 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
3365 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
3366 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
3367 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
3368 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
3369 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
3370 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
3371 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
3372 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
3373 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
3374 #undef ATTR_NOTHROW_LIST
3375 #define ATTR_NOTHROW_LIST ECF_NOTHROW
3376 #undef ATTR_NOTHROW_LEAF_LIST
3377 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
3378 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
3379 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
3380 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
3381 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
3382 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3383 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
3384 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
3385 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
3386 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
3387 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
3388 #undef ATTR_COLD_NOTHROW_LEAF_LIST
3389 #define ATTR_COLD_NOTHROW_LEAF_LIST \
3390 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
3391 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
3392 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
3393 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
3394 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
3395 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
3396 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3397 #undef ATTR_PURE_NOTHROW_LEAF_LIST
3398 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
3399 #undef DEF_BUILTIN_STUB
3400 #define DEF_BUILTIN_STUB(ENUM, NAME)
3401 #undef DEF_SANITIZER_BUILTIN_1
3402 #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \
3404 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
3405 BUILT_IN_NORMAL, NAME, NULL_TREE); \
3406 set_call_expr_flags (decl, ATTRS); \
3407 set_builtin_decl (ENUM, decl, true); \
3409 #undef DEF_SANITIZER_BUILTIN
3410 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
3411 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS);
3413 #include "sanitizer.def"
3415 /* -fsanitize=object-size uses __builtin_object_size, but that might
3416 not be available for e.g. Fortran at this point. We use
3417 DEF_SANITIZER_BUILTIN here only as a convenience macro. */
3418 if ((flag_sanitize
& SANITIZE_OBJECT_SIZE
)
3419 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE
))
3420 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_OBJECT_SIZE
, "object_size",
3421 BT_FN_SIZE_CONST_PTR_INT
,
3422 ATTR_PURE_NOTHROW_LEAF_LIST
);
3424 #undef DEF_SANITIZER_BUILTIN_1
3425 #undef DEF_SANITIZER_BUILTIN
3426 #undef DEF_BUILTIN_STUB
/* Called via htab_traverse.  Count number of emitted
   STRING_CSTs in the constant hash table.  */

static int
count_string_csts (constant_descriptor_tree **slot,
		   unsigned HOST_WIDE_INT *data)
{
  struct constant_descriptor_tree *desc = *slot;
  if (TREE_CODE (desc->value) == STRING_CST
      && TREE_ASM_WRITTEN (desc->value)
      && asan_protect_global (desc->value))
    ++*data;
  return 1;
}

/* Helper structure to pass two parameters to
   add_string_csts.  */

struct asan_add_string_csts_data
{
  tree type;
  vec<constructor_elt, va_gc> *v;
};

/* Called via hash_table::traverse.  Call asan_add_global
   on emitted STRING_CSTs from the constant hash table.  */

static int
add_string_csts (constant_descriptor_tree **slot,
		 asan_add_string_csts_data *aascd)
{
  struct constant_descriptor_tree *desc = *slot;
  if (TREE_CODE (desc->value) == STRING_CST
      && TREE_ASM_WRITTEN (desc->value)
      && asan_protect_global (desc->value))
    asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
		     aascd->type, aascd->v);
  return 1;
}
/* Needs to be GTY(()), because cgraph_build_static_cdtor may
   invoke ggc_collect.  */
static GTY(()) tree asan_ctor_statements;

/* Module-level instrumentation.
   - Insert __asan_init_vN() into the list of CTORs.
   - TODO: insert redzones around globals.  */

void
asan_finish_file (void)
{
  varpool_node *vnode;
  unsigned HOST_WIDE_INT gcount = 0;

  if (shadow_ptr_types[0] == NULL_TREE)
    asan_init_shadow_ptr_types ();
  /* Avoid instrumenting code in the asan ctors/dtors.
     We don't need to insert padding after the description strings,
     nor after the .LASAN* array.  */
  flag_sanitize &= ~SANITIZE_ADDRESS;

  /* For user-space we want asan constructors to run first.
     The Linux kernel does not support priorities other than the default,
     and the only other user of constructors is coverage, so there we run
     with the default priority.  */
  int priority = flag_sanitize & SANITIZE_USER_ADDRESS
		 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;

  if (flag_sanitize & SANITIZE_USER_ADDRESS)
    {
      tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
      append_to_statement_list (build_call_expr (fn, 0),
				&asan_ctor_statements);
      fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
      append_to_statement_list (build_call_expr (fn, 0),
				&asan_ctor_statements);
    }
  FOR_EACH_DEFINED_VARIABLE (vnode)
    if (TREE_ASM_WRITTEN (vnode->decl)
	&& asan_protect_global (vnode->decl))
      ++gcount;
  hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
  const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
    (&gcount);
  if (gcount)
    {
      tree type = asan_global_struct (), var, ctor;
      tree dtor_statements = NULL_TREE;
      vec<constructor_elt, va_gc> *v;
      char buf[20];

      type = build_array_type_nelts (type, gcount);
      ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
      var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
			type);
      TREE_STATIC (var) = 1;
      TREE_PUBLIC (var) = 0;
      DECL_ARTIFICIAL (var) = 1;
      DECL_IGNORED_P (var) = 1;
      vec_alloc (v, gcount);
      FOR_EACH_DEFINED_VARIABLE (vnode)
	if (TREE_ASM_WRITTEN (vnode->decl)
	    && asan_protect_global (vnode->decl))
	  asan_add_global (vnode->decl, TREE_TYPE (type), v);
      struct asan_add_string_csts_data aascd;
      aascd.type = TREE_TYPE (type);
      aascd.v = v;
      const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
	(&aascd);
      ctor = build_constructor (type, v);
      TREE_CONSTANT (ctor) = 1;
      TREE_STATIC (ctor) = 1;
      DECL_INITIAL (var) = ctor;
      SET_DECL_ALIGN (var, MAX (DECL_ALIGN (var),
				ASAN_SHADOW_GRANULARITY * BITS_PER_UNIT));

      varpool_node::finalize_decl (var);

      tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
      tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
      append_to_statement_list (build_call_expr (fn, 2,
						 build_fold_addr_expr (var),
						 gcount_tree),
				&asan_ctor_statements);

      fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
      append_to_statement_list (build_call_expr (fn, 2,
						 build_fold_addr_expr (var),
						 gcount_tree),
				&dtor_statements);
      cgraph_build_static_cdtor ('D', dtor_statements, priority);
    }
  if (asan_ctor_statements)
    cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
  flag_sanitize |= SANITIZE_ADDRESS;
}
/* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
   on SHADOW address.  Newly added statements will be added to ITER with
   given location LOC.  We mark SIZE bytes in shadow memory, where
   LAST_CHUNK_SIZE is greater than zero in the situation where we are at the
   end of a variable.  */

static void
asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
			 tree shadow,
			 unsigned HOST_WIDE_INT base_addr_offset,
			 bool is_clobber, unsigned size,
			 unsigned last_chunk_size)
{
  tree shadow_ptr_type;

  switch (size)
    {
    case 1:
      shadow_ptr_type = shadow_ptr_types[0];
      break;
    case 2:
      shadow_ptr_type = shadow_ptr_types[1];
      break;
    case 4:
      shadow_ptr_type = shadow_ptr_types[2];
      break;
    default:
      gcc_unreachable ();
    }

  unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
  unsigned HOST_WIDE_INT val = 0;
  unsigned last_pos = size;
  if (last_chunk_size && !is_clobber)
    last_pos = BYTES_BIG_ENDIAN ? 0 : size - 1;
  for (unsigned i = 0; i < size; ++i)
    {
      unsigned char shadow_c = c;
      /* Handle last chunk in unpoisoning.  */
      if (i == last_pos)
	shadow_c = last_chunk_size;
      val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
    }

  tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);

  tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
		      build_int_cst (shadow_ptr_type, base_addr_offset));

  gimple *g = gimple_build_assign (dest, magic);
  gimple_set_location (g, loc);
  gsi_insert_after (iter, g, GSI_NEW_STMT);
}
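
/* Illustrative sketch (standalone C, not GCC internals): VAL above packs SIZE
   shadow bytes into a single wide store, with the byte covering the end of the
   variable optionally holding the partial-chunk length.  Assuming an 8-byte
   shadow granule and a little-endian target:

     #include <stdint.h>

     static uint32_t
     pack_shadow_bytes (int is_clobber, unsigned size,
			unsigned last_chunk_size, uint8_t poison_magic)
     {
       uint8_t c = is_clobber ? poison_magic : 0;
       unsigned last_pos = size;
       if (last_chunk_size && !is_clobber)
	 last_pos = size - 1;
       uint32_t val = 0;
       for (unsigned i = 0; i < size; ++i)
	 {
	   uint8_t shadow_c = (i == last_pos) ? last_chunk_size : c;
	   val |= (uint32_t) shadow_c << (8 * i);
	 }
       return val;
     }

   For example, unpoisoning (is_clobber == 0) a 29-byte variable with one
   4-byte shadow store gives last_chunk_size == 5 and val == 0x05000000:
   three granules fully addressable, the last granule valid for 5 bytes.  */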
/* Expand the ASAN_MARK builtins.  */

bool
asan_expand_mark_ifn (gimple_stmt_iterator *iter)
{
  gimple *g = gsi_stmt (*iter);
  location_t loc = gimple_location (g);
  HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0));
  bool is_poison = ((asan_mark_flags) flag) == ASAN_MARK_POISON;

  tree base = gimple_call_arg (g, 1);
  gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
  tree decl = TREE_OPERAND (base, 0);

  /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4).  */
  if (TREE_CODE (decl) == COMPONENT_REF
      && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0)))
    decl = TREE_OPERAND (decl, 0);

  gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);

  if (hwasan_sanitize_p ())
    {
      gcc_assert (param_hwasan_instrument_stack);
      gimple_seq stmts = NULL;
      /* Here we swap ASAN_MARK calls for HWASAN_MARK.
	 This is because we are using the approach of using ASAN_MARK as a
	 synonym for HWASAN_MARK up to this point.
	 That approach means we don't yet have to duplicate all the special
	 cases for ASAN_MARK and ASAN_POISON with the exact same handling but
	 called HWASAN_MARK etc.

	 N.b. __asan_poison_stack_memory (which implements ASAN_MARK for ASAN)
	 rounds the size up to its shadow memory granularity, while
	 __hwasan_tag_memory (which implements the same for HWASAN) does not.
	 Hence we emit HWASAN_MARK with an aligned size unlike ASAN_MARK.  */
      tree len = gimple_call_arg (g, 2);
      tree new_len = gimple_build_round_up (&stmts, loc, size_type_node, len,
					    HWASAN_TAG_GRANULE_SIZE);
      gimple_build (&stmts, loc, CFN_HWASAN_MARK,
		    void_type_node, gimple_call_arg (g, 0),
		    base, new_len);
      gsi_replace_with_seq (iter, stmts, true);
      return false;
    }

  if (is_poison)
    {
      if (asan_handled_variables == NULL)
	asan_handled_variables = new hash_set<tree> (16);
      asan_handled_variables->add (decl);
    }
  tree len = gimple_call_arg (g, 2);

  gcc_assert (tree_fits_shwi_p (len));
  unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len);
  gcc_assert (size_in_bytes);

  g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
			   NOP_EXPR, base);
  gimple_set_location (g, loc);
  gsi_replace (iter, g, false);
  tree base_addr = gimple_assign_lhs (g);

  /* Generate direct emission if size_in_bytes is small.  */
  if (size_in_bytes
      <= (unsigned) param_use_after_scope_direct_emission_threshold)
    {
      const unsigned HOST_WIDE_INT shadow_size
	= shadow_mem_size (size_in_bytes);
      const unsigned int shadow_align
	= (get_pointer_alignment (base) / BITS_PER_UNIT) >> ASAN_SHADOW_SHIFT;

      tree shadow = build_shadow_mem_access (iter, loc, base_addr,
					     shadow_ptr_types[0], true);

      for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
	{
	  unsigned size = 1;
	  if (shadow_size - offset >= 4
	      && (!STRICT_ALIGNMENT || shadow_align >= 4))
	    size = 4;
	  else if (shadow_size - offset >= 2
		   && (!STRICT_ALIGNMENT || shadow_align >= 2))
	    size = 2;

	  unsigned HOST_WIDE_INT last_chunk_size = 0;
	  unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
	  if (s > size_in_bytes)
	    last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);

	  asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison,
				   size, last_chunk_size);
	  offset += size;
	}
    }
  else
    {
      g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
			       NOP_EXPR, len);
      gimple_set_location (g, loc);
      gsi_insert_before (iter, g, GSI_SAME_STMT);
      tree sz_arg = gimple_assign_lhs (g);

      tree fun
	= builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY
				 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY);
      g = gimple_build_call (fun, 2, base_addr, sz_arg);
      gimple_set_location (g, loc);
      gsi_insert_after (iter, g, GSI_NEW_STMT);
    }

  return false;
}
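
/* Illustrative sketch (standalone C, hypothetical helper): how the direct
   emission loop above walks the shadow for a variable of SIZE_IN_BYTES bytes,
   picking the widest store (4, 2 or 1 shadow bytes) that still fits, assuming
   an 8-byte shadow granule and no strict-alignment restriction:

     #include <stdio.h>

     static void
     walk_shadow_chunks (unsigned long size_in_bytes)
     {
       unsigned long shadow_size = (size_in_bytes + 7) / 8;
       for (unsigned long offset = 0; offset < shadow_size;)
	 {
	   unsigned size = 1;
	   if (shadow_size - offset >= 4)
	     size = 4;
	   else if (shadow_size - offset >= 2)
	     size = 2;
	   unsigned long s = (offset + size) * 8;
	   unsigned last = s > size_in_bytes ? 8 - (s - size_in_bytes) : 0;
	   printf ("offset %lu: %u-byte shadow store, last_chunk_size %u\n",
		   offset, size, last);
	   offset += size;
	 }
     }

   For size_in_bytes == 42 this prints two chunks: a 4-byte store at offset 0,
   then a 2-byte store at offset 4 with last_chunk_size == 2.  */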
/* Expand the ASAN_{LOAD,STORE} builtins.  */

bool
asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
{
  gcc_assert (!hwasan_sanitize_p ());
  gimple *g = gsi_stmt (*iter);
  location_t loc = gimple_location (g);
  bool recover_p;
  if (flag_sanitize & SANITIZE_USER_ADDRESS)
    recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
  else
    recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;

  HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
  gcc_assert (flags < ASAN_CHECK_LAST);
  bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
  bool is_store = (flags & ASAN_CHECK_STORE) != 0;
  bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;

  tree base = gimple_call_arg (g, 1);
  tree len = gimple_call_arg (g, 2);
  HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));

  HOST_WIDE_INT size_in_bytes
    = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;

  if (use_calls)
    {
      /* Instrument using callbacks.  */
      gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
				       NOP_EXPR, base);
      gimple_set_location (g, loc);
      gsi_insert_before (iter, g, GSI_SAME_STMT);
      tree base_addr = gimple_assign_lhs (g);

      int nargs;
      tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
      if (nargs == 1)
	g = gimple_build_call (fun, 1, base_addr);
      else
	{
	  gcc_assert (nargs == 2);
	  g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
				   NOP_EXPR, len);
	  gimple_set_location (g, loc);
	  gsi_insert_before (iter, g, GSI_SAME_STMT);
	  tree sz_arg = gimple_assign_lhs (g);
	  g = gimple_build_call (fun, nargs, base_addr, sz_arg);
	}
      gimple_set_location (g, loc);
      gsi_replace (iter, g, false);
      return false;
    }

  HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;

  tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
  tree shadow_type = TREE_TYPE (shadow_ptr_type);

  gimple_stmt_iterator gsi = *iter;

  if (!is_non_zero_len)
    {
      /* So, the length of the memory area to asan-protect is
	 non-constant.  Let's guard the generated instrumentation code
	 like:

	 if (len != 0)
	   {
	     // asan instrumentation code goes here.
	   }
	 // fallthrough instructions, starting with *ITER.  */

      g = gimple_build_cond (NE_EXPR,
			     len,
			     build_int_cst (TREE_TYPE (len), 0),
			     NULL_TREE, NULL_TREE);
      gimple_set_location (g, loc);

      basic_block then_bb, fallthrough_bb;
      insert_if_then_before_iter (as_a <gcond *> (g), iter,
				  /*then_more_likely_p=*/true,
				  &then_bb, &fallthrough_bb);
      /* Note that fallthrough_bb starts with the statement that was
	 pointed to by ITER.  */

      /* The 'then block' of the 'if (len != 0)' condition is where
	 we'll generate the asan instrumentation code now.  */
      gsi = gsi_last_bb (then_bb);
    }

  /* Get an iterator on the point where we can add the condition
     statement for the instrumentation.  */
  basic_block then_bb, else_bb;
  gsi = create_cond_insert_point (&gsi, /*before_p*/false,
				  /*then_more_likely_p=*/false,
				  /*create_then_fallthru_edge*/recover_p,
				  &then_bb, &else_bb);

  g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
			   NOP_EXPR, base);
  gimple_set_location (g, loc);
  gsi_insert_before (&gsi, g, GSI_NEW_STMT);
  tree base_addr = gimple_assign_lhs (g);

  tree t = NULL_TREE;
  if (real_size_in_bytes >= 8)
    {
      tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
					     shadow_ptr_type);
      t = shadow;
    }
  else
    {
      /* Slow path for 1, 2 and 4 byte accesses.  */
      /* Test (shadow != 0)
	 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow).  */
      tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
					     shadow_ptr_type);
      gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
      gimple_seq seq = NULL;
      gimple_seq_add_stmt (&seq, shadow_test);
      /* Aligned (>= 8 bytes) accesses can test just
	 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
	 to be 0.  */
      if (align < 8)
	{
	  gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
						   base_addr, 7));
	  gimple_seq_add_stmt (&seq,
			       build_type_cast (shadow_type,
						gimple_seq_last (seq)));
	  if (real_size_in_bytes > 1)
	    gimple_seq_add_stmt (&seq,
				 build_assign (PLUS_EXPR,
					       gimple_seq_last (seq),
					       real_size_in_bytes - 1));
	  t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
	}
      else
	t = build_int_cst (shadow_type, real_size_in_bytes - 1);
      gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
      gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
					       gimple_seq_last (seq)));
      t = gimple_assign_lhs (gimple_seq_last (seq));
      gimple_seq_set_location (seq, loc);
      gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);

      /* For non-constant, misaligned or otherwise weird access sizes,
	 check the first and last byte.  */
      if (size_in_bytes == -1)
	{
	  g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
				   MINUS_EXPR, len,
				   build_int_cst (pointer_sized_int_node, 1));
	  gimple_set_location (g, loc);
	  gsi_insert_after (&gsi, g, GSI_NEW_STMT);
	  tree last = gimple_assign_lhs (g);
	  g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
				   PLUS_EXPR, base_addr, last);
	  gimple_set_location (g, loc);
	  gsi_insert_after (&gsi, g, GSI_NEW_STMT);
	  tree base_end_addr = gimple_assign_lhs (g);

	  tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
						 shadow_ptr_type);
	  gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
	  gimple_seq seq = NULL;
	  gimple_seq_add_stmt (&seq, shadow_test);
	  gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
						   base_end_addr, 7));
	  gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
						      gimple_seq_last (seq)));
	  gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
						   gimple_seq_last (seq),
						   shadow));
	  gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
						   gimple_seq_last (seq)));
	  gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
						   gimple_seq_last (seq)));
	  t = gimple_assign_lhs (gimple_seq_last (seq));
	  gimple_seq_set_location (seq, loc);
	  gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
	}
    }

  g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
			 NULL_TREE, NULL_TREE);
  gimple_set_location (g, loc);
  gsi_insert_after (&gsi, g, GSI_NEW_STMT);

  /* Generate call to the run-time library (e.g. __asan_report_load8).  */
  gsi = gsi_start_bb (then_bb);
  int nargs;
  tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
  g = gimple_build_call (fun, nargs, base_addr, len);
  gimple_set_location (g, loc);
  gsi_insert_after (&gsi, g, GSI_NEW_STMT);

  gsi_remove (iter, true);
  *iter = gsi_start_bb (else_bb);

  return true;
}
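
/* Illustrative sketch (standalone C, not the emitted GIMPLE): the condition
   built above for small accesses corresponds to this runtime test, assuming
   the usual 8-byte shadow granularity and a hypothetical shadow_offset
   constant:

     #include <stdint.h>

     extern uintptr_t shadow_offset;   // assumption: target-specific constant

     static int
     access_is_poisoned (uintptr_t addr, unsigned size)   // size is 1, 2 or 4
     {
       int8_t shadow = *(int8_t *) ((addr >> 3) + shadow_offset);
       if (shadow == 0)
	 return 0;                     // whole 8-byte granule addressable
       return (int) ((addr & 7) + size - 1) >= shadow;
     }

   When the test fires, the instrumentation branches to the 'then' block
   created above and calls the matching __asan_report_* routine.  */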
/* Create ASAN shadow variable for a VAR_DECL which has been rewritten
   into SSA.  Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING.  */

static tree
create_asan_shadow_var (tree var_decl,
			hash_map<tree, tree> &shadow_vars_mapping)
{
  tree *slot = shadow_vars_mapping.get (var_decl);
  if (slot == NULL)
    {
      tree shadow_var = copy_node (var_decl);

      copy_body_data id;
      memset (&id, 0, sizeof (copy_body_data));
      id.src_fn = id.dst_fn = current_function_decl;
      copy_decl_for_dup_finish (&id, var_decl, shadow_var);

      DECL_ARTIFICIAL (shadow_var) = 1;
      DECL_IGNORED_P (shadow_var) = 1;
      DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0;
      gimple_add_tmp_var (shadow_var);

      shadow_vars_mapping.put (var_decl, shadow_var);
      return shadow_var;
    }
  else
    return *slot;
}
/* Expand the ASAN_POISON ifn.  */

bool
asan_expand_poison_ifn (gimple_stmt_iterator *iter,
			bool *need_commit_edge_insert,
			hash_map<tree, tree> &shadow_vars_mapping)
{
  gimple *g = gsi_stmt (*iter);
  tree poisoned_var = gimple_call_lhs (g);
  if (!poisoned_var || has_zero_uses (poisoned_var))
    {
      gsi_remove (iter, true);
      return true;
    }

  if (SSA_NAME_VAR (poisoned_var) == NULL_TREE)
    SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var,
				    create_tmp_var (TREE_TYPE (poisoned_var)));

  tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var),
					    shadow_vars_mapping);

  bool recover_p;
  if (flag_sanitize & SANITIZE_USER_ADDRESS)
    recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
  else
    recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
  tree size = DECL_SIZE_UNIT (shadow_var);
  gimple *poison_call
    = gimple_build_call_internal (IFN_ASAN_MARK, 3,
				  build_int_cst (integer_type_node,
						 ASAN_MARK_POISON),
				  build_fold_addr_expr (shadow_var), size);

  gimple *use;
  imm_use_iterator imm_iter;
  FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var)
    {
      if (is_gimple_debug (use))
	continue;

      gimple *call;
      bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE);
      if (hwasan_sanitize_p ())
	{
	  tree fun = builtin_decl_implicit (BUILT_IN_HWASAN_TAG_MISMATCH4);
	  /* NOTE: hwasan has no __hwasan_report_* functions like asan does.
	     We use __hwasan_tag_mismatch4 with arguments that tell it the
	     size of access and load to report all tag mismatches.

	     The arguments to this function are:
	       Address of invalid access.
	       Bitfield containing information about the access
		 (access_info).
	       Pointer to a frame of registers
		 (for use in printing the contents of registers in a dump)
		 Not used yet -- to be used by inline instrumentation.
	       Size of access.

	     The access_info bitfield encodes the following pieces of
	     information:
	       - Is this a store or load?
		 access_info & 0x10  =>  store
	       - Should the program continue after reporting the error?
		 access_info & 0x20  =>  recover
	       - What size access is this (not used here since we can always
		 pass the size in the last argument)

		 if (access_info & 0xf == 0xf)
		   size is taken from the last argument.
		 else
		   size == 1 << (access_info & 0xf)

	     The last argument contains the size of the access iff the
	     access_info size indicator is 0xf (we always use this argument
	     rather than storing the size in the access_info bitfield).

	     See the function definition `__hwasan_tag_mismatch4` in
	     libsanitizer/hwasan for the full definition.  */
	  unsigned access_info = (0x20 * recover_p)
				 + (0x10 * store_p)
				 + (0xf);
	  call = gimple_build_call (fun, 4,
				    build_fold_addr_expr (shadow_var),
				    build_int_cst (pointer_sized_int_node,
						   access_info),
				    build_int_cst (pointer_sized_int_node, 0),
				    size);
	}
      else
	{
	  int nargs;
	  tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size),
					&nargs);
	  call = gimple_build_call (fun, 1,
				    build_fold_addr_expr (shadow_var));
	}
      gimple_set_location (call, gimple_location (use));

      gimple *call_to_insert = call;

      /* The USE can be a gimple PHI node.  If so, insert the call on
	 all edges leading to the PHI node.  */
      if (is_a <gphi *> (use))
	{
	  gphi *phi = dyn_cast<gphi *> (use);
	  for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i)
	    if (gimple_phi_arg_def (phi, i) == poisoned_var)
	      {
		edge e = gimple_phi_arg_edge (phi, i);

		/* Do not insert on an edge we can't split.  */
		if (e->flags & EDGE_ABNORMAL)
		  continue;

		if (call_to_insert == NULL)
		  call_to_insert = gimple_copy (call);

		gsi_insert_seq_on_edge (e, call_to_insert);
		*need_commit_edge_insert = true;
		call_to_insert = NULL;
	      }
	}
      else
	{
	  gimple_stmt_iterator gsi = gsi_for_stmt (use);
	  if (store_p)
	    gsi_replace (&gsi, call, true);
	  else
	    gsi_insert_before (&gsi, call, GSI_NEW_STMT);
	}
    }

  SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true;
  SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop ();

  gsi_replace (iter, poison_call, false);

  return true;
}
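
/* Illustrative sketch (standalone C): the access_info bitfield described in
   the comment above, as built here when the access size is carried in the
   fourth __hwasan_tag_mismatch4 argument (size indicator 0xf):

     static unsigned
     encode_access_info (int is_store, int recover)
     {
       unsigned access_info = 0xf;     // size taken from the size argument
       if (is_store)
	 access_info |= 0x10;          // store rather than load
       if (recover)
	 access_info |= 0x20;          // keep running after the report
       return access_info;
     }

   encode_access_info (1, 0) yields 0x1f: a non-recoverable store whose size
   comes from the last argument.  */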
/* Instrument the current function.  */

static unsigned int
asan_instrument (void)
{
  if (hwasan_sanitize_p ())
    {
      transform_statements ();
      return 0;
    }

  if (shadow_ptr_types[0] == NULL_TREE)
    asan_init_shadow_ptr_types ();
  transform_statements ();
  last_alloca_addr = NULL_TREE;
  return 0;
}

static bool
gate_asan (void)
{
  return sanitize_flags_p (SANITIZE_ADDRESS);
}
const pass_data pass_data_asan =
{
  GIMPLE_PASS, /* type */
  "asan", /* name */
  OPTGROUP_NONE, /* optinfo_flags */
  TV_NONE, /* tv_id */
  ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
  0, /* properties_provided */
  0, /* properties_destroyed */
  0, /* todo_flags_start */
  TODO_update_ssa, /* todo_flags_finish */
};

class pass_asan : public gimple_opt_pass
{
public:
  pass_asan (gcc::context *ctxt)
    : gimple_opt_pass (pass_data_asan, ctxt)
  {}

  /* opt_pass methods: */
  opt_pass * clone () { return new pass_asan (m_ctxt); }
  virtual bool gate (function *) { return gate_asan () || gate_hwasan (); }
  virtual unsigned int execute (function *) { return asan_instrument (); }

}; // class pass_asan

gimple_opt_pass *
make_pass_asan (gcc::context *ctxt)
{
  return new pass_asan (ctxt);
}
const pass_data pass_data_asan_O0 =
{
  GIMPLE_PASS, /* type */
  "asan0", /* name */
  OPTGROUP_NONE, /* optinfo_flags */
  TV_NONE, /* tv_id */
  ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
  0, /* properties_provided */
  0, /* properties_destroyed */
  0, /* todo_flags_start */
  TODO_update_ssa, /* todo_flags_finish */
};

class pass_asan_O0 : public gimple_opt_pass
{
public:
  pass_asan_O0 (gcc::context *ctxt)
    : gimple_opt_pass (pass_data_asan_O0, ctxt)
  {}

  /* opt_pass methods: */
  virtual bool gate (function *)
  {
    return !optimize && (gate_asan () || gate_hwasan ());
  }
  virtual unsigned int execute (function *) { return asan_instrument (); }

}; // class pass_asan_O0

gimple_opt_pass *
make_pass_asan_O0 (gcc::context *ctxt)
{
  return new pass_asan_O0 (ctxt);
}
/* For stack tagging:

   Return the offset from the frame base tag that the "next" expanded object
   should have.  */
uint8_t
hwasan_current_frame_tag ()
{
  return hwasan_frame_tag_offset;
}
/* For stack tagging:

   Return the 'base pointer' for this function.  If that base pointer has not
   yet been created then we create a register to hold it and record the insns
   to initialize the register in `hwasan_frame_base_init_seq` for later
   emission.  */
rtx
hwasan_frame_base ()
{
  if (! hwasan_frame_base_ptr)
    {
      start_sequence ();
      hwasan_frame_base_ptr
	= force_reg (Pmode,
		     targetm.memtag.insert_random_tag (virtual_stack_vars_rtx,
						       NULL_RTX));
      hwasan_frame_base_init_seq = get_insns ();
      end_sequence ();
    }

  return hwasan_frame_base_ptr;
}
/* For stack tagging:

   Check whether this RTX is a standard pointer addressing the base of the
   stack variables for this frame.  Returns true if the RTX is either
   virtual_stack_vars_rtx or hwasan_frame_base_ptr.  */
bool
stack_vars_base_reg_p (rtx base)
{
  return base == virtual_stack_vars_rtx || base == hwasan_frame_base_ptr;
}
/* For stack tagging:

   Emit the frame base initialisation.
   If hwasan_frame_base has been used before here then
   hwasan_frame_base_init_seq contains the sequence of instructions to
   initialize it.  This must be put just before the hwasan prologue, so we emit
   the insns before parm_birth_insn (which will point to the first instruction
   of the hwasan prologue if it exists).

   We update `parm_birth_insn` to point to the start of this initialisation
   since that represents the end of the initialisation done by the
   expand_function_{start,end} functions and we want to maintain that.  */
void
hwasan_maybe_emit_frame_base_init ()
{
  if (! hwasan_frame_base_init_seq)
    return;
  emit_insn_before (hwasan_frame_base_init_seq, parm_birth_insn);
  parm_birth_insn = hwasan_frame_base_init_seq;
}
/* Record a compile-time constant size stack variable that HWASAN will need to
   tag.  This record of the range of a stack variable will be used by
   `hwasan_emit_prologue` to emit the RTL at the start of each frame which will
   set tags in the shadow memory according to the assigned tag for each object.

   The range that the object spans in stack space should be described by the
   bounds `untagged_base + nearest_offset` and
   `untagged_base + farthest_offset`.
   `tagged_base` is the base address which contains the "base frame tag" for
   this frame, and from which the value to address this object with will be
   calculated.

   We record the `untagged_base` since the functions in the hwasan library we
   use to tag memory take pointers without a tag.  */
void
hwasan_record_stack_var (rtx untagged_base, rtx tagged_base,
			 poly_int64 nearest_offset, poly_int64 farthest_offset)
{
  hwasan_stack_var cur_var;
  cur_var.untagged_base = untagged_base;
  cur_var.tagged_base = tagged_base;
  cur_var.nearest_offset = nearest_offset;
  cur_var.farthest_offset = farthest_offset;
  cur_var.tag_offset = hwasan_current_frame_tag ();

  hwasan_tagged_stack_vars.safe_push (cur_var);
}
/* Return the RTX representing the farthest extent of the statically allocated
   stack objects for this frame.  If hwasan_frame_base_ptr has not been
   initialized then we are not storing any static variables on the stack in
   this frame.  In this case we return NULL_RTX to represent that.

   Otherwise simply return virtual_stack_vars_rtx + frame_offset.  */
rtx
hwasan_get_frame_extent ()
{
  return (hwasan_frame_base_ptr
	  ? plus_constant (Pmode, virtual_stack_vars_rtx, frame_offset)
	  : NULL_RTX);
}
/* For stack tagging:

   Increment the frame tag offset modulo the size a tag can represent.  */
void
hwasan_increment_frame_tag ()
{
  uint8_t tag_bits = HWASAN_TAG_SIZE;
  gcc_assert (HWASAN_TAG_SIZE
	      <= sizeof (hwasan_frame_tag_offset) * CHAR_BIT);
  hwasan_frame_tag_offset = (hwasan_frame_tag_offset + 1) % (1 << tag_bits);
  /* The "background tag" of the stack is zero by definition.
     This is the tag that objects like parameters passed on the stack and
     spilled registers are given.  It is handy to avoid this tag for objects
     whose tags we decide ourselves, partly to ensure that buffer overruns
     can't affect these important variables (e.g. saved link register, saved
     stack pointer etc) and partly to make debugging easier (everything with a
     tag of zero is space allocated automatically by the compiler).

     This is not feasible when using random frame tags (the default
     configuration for hwasan) since the tag for the given frame is randomly
     chosen at runtime.  In order to avoid any tags matching the stack
     background we would need to decide tag offsets at runtime instead of
     compile time (and pay the resulting performance cost).

     When not using random base tags for each frame (i.e. when compiled with
     `--param hwasan-random-frame-tag=0`) the base tag for each frame is zero.
     This means the tag that each object gets is equal to the
     hwasan_frame_tag_offset used in determining it.
     When this is the case we *can* ensure no object gets the tag of zero by
     simply ensuring no object has the hwasan_frame_tag_offset of zero.

     There is the extra complication that we only record the
     hwasan_frame_tag_offset here (which is the offset from the tag stored in
     the stack pointer).  In the kernel, the tag in the stack pointer is 0xff
     rather than zero.  This does not cause problems since tags of 0xff are
     never checked in the kernel.  As mentioned at the beginning of this
     comment the background tag of the stack is zero by definition, which means
     that for the kernel we should skip offsets of both 0 and 1 from the stack
     pointer.  Avoiding the offset of 0 ensures we use a tag which will be
     checked, avoiding the offset of 1 ensures we use a tag that is not the
     same as the background.  */
  if (hwasan_frame_tag_offset == 0 && ! param_hwasan_random_frame_tag)
    hwasan_frame_tag_offset += 1;
  if (hwasan_frame_tag_offset == 1 && ! param_hwasan_random_frame_tag
      && sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS))
    hwasan_frame_tag_offset += 1;
}
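
/* Illustrative sketch (standalone C): the bookkeeping above, shown for a
   hypothetical 4-bit tag, cycles the per-frame offset and skips the values
   reserved for the stack background (and, for the kernel, the offset that
   would collide with the unchecked 0xff pointer tag):

     static unsigned
     next_frame_tag_offset (unsigned cur, int random_frame_tag, int kernel)
     {
       unsigned next = (cur + 1) % 16;      // modulo 1 << tag bits
       if (next == 0 && !random_frame_tag)
	 next += 1;                         // avoid the background tag 0
       if (next == 1 && !random_frame_tag && kernel)
	 next += 1;                         // also avoid offset 1 in the kernel
       return next;
     }
*/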
/* Clear internal state for the next function.
   This function is called before variables on the stack get expanded, in
   `init_vars_expansion`.  */
void
hwasan_record_frame_init ()
{
  delete asan_used_labels;
  asan_used_labels = NULL;

  /* If this isn't the case then some stack variable was recorded *before*
     hwasan_record_frame_init is called, yet *after* the hwasan prologue for
     the previous frame was emitted.  Such stack variables would not have
     their shadow stack filled in.  */
  gcc_assert (hwasan_tagged_stack_vars.is_empty ());
  hwasan_frame_base_ptr = NULL_RTX;
  hwasan_frame_base_init_seq = NULL;

  /* When not using a random frame tag we can avoid the background stack
     color, which gives the user a little better debug output upon a crash.
     Meanwhile, when using a random frame tag it is nice to avoid adding
     tags for the first object since that is unnecessary extra work.
     Hence set the initial hwasan_frame_tag_offset to 0 if using a random
     frame tag and 1 otherwise.

     As described in hwasan_increment_frame_tag, in the kernel the stack
     pointer has the tag 0xff.  That means that to avoid 0xff and 0 (the tag
     which the kernel does not check and the background tag respectively) we
     start with a tag offset of 2.  */
  hwasan_frame_tag_offset = param_hwasan_random_frame_tag
    ? 0
    : sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS) ? 2 : 1;
}
/* For stack tagging:
   (Emits the HWASAN equivalent of what is emitted by
   `asan_emit_stack_protection`).

   Emits the extra prologue code to set the shadow stack as required for HWASAN
   stack instrumentation.

   Uses the vector of recorded stack variables hwasan_tagged_stack_vars.  When
   this function has completed hwasan_tagged_stack_vars is empty and all
   objects it had pointed to are deallocated.  */
void
hwasan_emit_prologue ()
{
  /* We need untagged base pointers since libhwasan only accepts untagged
     pointers in __hwasan_tag_memory.  We need the tagged base pointer to
     obtain the base tag for an offset.  */

  if (hwasan_tagged_stack_vars.is_empty ())
    return;

  poly_int64 bot = 0, top = 0;
  for (hwasan_stack_var &cur : hwasan_tagged_stack_vars)
    {
      poly_int64 nearest = cur.nearest_offset;
      poly_int64 farthest = cur.farthest_offset;

      if (known_ge (nearest, farthest))
	{
	  top = nearest;
	  bot = farthest;
	}
      else
	{
	  /* Given how these values are calculated, one must be known greater
	     than or equal to the other.  */
	  gcc_assert (known_le (nearest, farthest));
	  top = farthest;
	  bot = nearest;
	}
      poly_int64 size = (top - bot);

      /* Assert the edge of each variable is aligned to the HWASAN tag granule
	 size.  */
      gcc_assert (multiple_p (top, HWASAN_TAG_GRANULE_SIZE));
      gcc_assert (multiple_p (bot, HWASAN_TAG_GRANULE_SIZE));
      gcc_assert (multiple_p (size, HWASAN_TAG_GRANULE_SIZE));

      rtx fn = init_one_libfunc ("__hwasan_tag_memory");
      rtx base_tag = targetm.memtag.extract_tag (cur.tagged_base, NULL_RTX);
      rtx tag = plus_constant (QImode, base_tag, cur.tag_offset);
      tag = hwasan_truncate_to_tag_size (tag, NULL_RTX);

      rtx bottom = convert_memory_address (ptr_mode,
					   plus_constant (Pmode,
							  cur.untagged_base,
							  bot));
      emit_library_call (fn, LCT_NORMAL, VOIDmode,
			 bottom, ptr_mode,
			 tag, QImode,
			 gen_int_mode (size, ptr_mode), ptr_mode);
    }
  /* Clear the stack vars, we've emitted the prologue for them all now.  */
  hwasan_tagged_stack_vars.truncate (0);
}
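
/* Illustrative sketch (plain C, declaration approximated, not the emitted
   RTL): for each recorded stack variable the loop above amounts to one
   runtime call of the following shape, where the parameters stand for the
   fields of the hwasan_stack_var record and the 4-bit tag width is an
   assumption:

     extern void __hwasan_tag_memory (void *p, unsigned char tag,
				      unsigned long size);

     static void
     tag_one_stack_var (char *untagged_base, long bot, long top,
			unsigned char base_tag, unsigned char tag_offset)
     {
       unsigned char tag = (unsigned char) ((base_tag + tag_offset) & 0xf);
       __hwasan_tag_memory (untagged_base + bot, tag,
			    (unsigned long) (top - bot));
     }
*/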
/* For stack tagging:

   Return RTL insns to clear the tags between the DYNAMIC and VARS pointers
   into the stack.  These instructions should be emitted at the end of
   every function.

   If `dynamic` is NULL_RTX then no insns are returned.  */
rtx_insn *
hwasan_emit_untag_frame (rtx dynamic, rtx vars)
{
  if (! dynamic)
    return NULL;

  start_sequence ();

  dynamic = convert_memory_address (ptr_mode, dynamic);
  vars = convert_memory_address (ptr_mode, vars);

  rtx top_rtx;
  rtx bot_rtx;
  if (FRAME_GROWS_DOWNWARD)
    {
      top_rtx = vars;
      bot_rtx = dynamic;
    }
  else
    {
      top_rtx = dynamic;
      bot_rtx = vars;
    }

  rtx size_rtx = expand_simple_binop (ptr_mode, MINUS, top_rtx, bot_rtx,
				      NULL_RTX, /* unsignedp = */0,
				      OPTAB_DIRECT);

  rtx fn = init_one_libfunc ("__hwasan_tag_memory");
  emit_library_call (fn, LCT_NORMAL, VOIDmode,
		     bot_rtx, ptr_mode,
		     HWASAN_STACK_BACKGROUND, QImode,
		     size_rtx, ptr_mode);

  do_pending_stack_adjust ();
  rtx_insn *insns = get_insns ();
  end_sequence ();
  return insns;
}
/* Needs to be GTY(()), because cgraph_build_static_cdtor may
   invoke ggc_collect.  */
static GTY(()) tree hwasan_ctor_statements;

/* Insert module initialization into this TU.  This initialization calls the
   initialization code for libhwasan.  */
void
hwasan_finish_file (void)
{
  /* Do not emit constructor initialization for the kernel
     (the kernel has its own initialization already).  */
  if (flag_sanitize & SANITIZE_KERNEL_HWADDRESS)
    return;

  /* Avoid instrumenting code in the hwasan constructors/destructors.  */
  flag_sanitize &= ~SANITIZE_HWADDRESS;
  int priority = MAX_RESERVED_INIT_PRIORITY - 1;
  tree fn = builtin_decl_implicit (BUILT_IN_HWASAN_INIT);
  append_to_statement_list (build_call_expr (fn, 0), &hwasan_ctor_statements);
  cgraph_build_static_cdtor ('I', hwasan_ctor_statements, priority);
  flag_sanitize |= SANITIZE_HWADDRESS;
}
/* For stack tagging:

   Truncate `tag` to the number of bits that a tag uses (i.e. to
   HWASAN_TAG_SIZE).  Store the result in `target` if it's convenient.  */
rtx
hwasan_truncate_to_tag_size (rtx tag, rtx target)
{
  gcc_assert (GET_MODE (tag) == QImode);
  if (HWASAN_TAG_SIZE != GET_MODE_PRECISION (QImode))
    {
      gcc_assert (GET_MODE_PRECISION (QImode) > HWASAN_TAG_SIZE);
      rtx mask = gen_int_mode ((HOST_WIDE_INT_1U << HWASAN_TAG_SIZE) - 1,
			       QImode);
      tag = expand_simple_binop (QImode, AND, tag, mask, target,
				 /* unsignedp = */1, OPTAB_WIDEN);
      gcc_assert (tag);
    }
  return tag;
}
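
/* Illustrative sketch (standalone C): the masking above simply keeps the low
   HWASAN_TAG_SIZE bits of the byte-sized tag.  With a hypothetical 4-bit tag:

     static unsigned char
     truncate_to_tag_size (unsigned char tag)
     {
       return tag & ((1u << 4) - 1);   // 4 stands in for HWASAN_TAG_SIZE
     }

   truncate_to_tag_size (0x5c) yields 0x0c.  */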
/* Construct a function tree for __hwasan_{load,store}{1,2,4,8,16,_n}.
   IS_STORE is either 1 (for a store) or 0 (for a load).  */
static combined_fn
hwasan_check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
		   int *nargs)
{
  static enum built_in_function check[2][2][6]
    = { { { BUILT_IN_HWASAN_LOAD1, BUILT_IN_HWASAN_LOAD2,
	    BUILT_IN_HWASAN_LOAD4, BUILT_IN_HWASAN_LOAD8,
	    BUILT_IN_HWASAN_LOAD16, BUILT_IN_HWASAN_LOADN },
	  { BUILT_IN_HWASAN_STORE1, BUILT_IN_HWASAN_STORE2,
	    BUILT_IN_HWASAN_STORE4, BUILT_IN_HWASAN_STORE8,
	    BUILT_IN_HWASAN_STORE16, BUILT_IN_HWASAN_STOREN } },
	{ { BUILT_IN_HWASAN_LOAD1_NOABORT,
	    BUILT_IN_HWASAN_LOAD2_NOABORT,
	    BUILT_IN_HWASAN_LOAD4_NOABORT,
	    BUILT_IN_HWASAN_LOAD8_NOABORT,
	    BUILT_IN_HWASAN_LOAD16_NOABORT,
	    BUILT_IN_HWASAN_LOADN_NOABORT },
	  { BUILT_IN_HWASAN_STORE1_NOABORT,
	    BUILT_IN_HWASAN_STORE2_NOABORT,
	    BUILT_IN_HWASAN_STORE4_NOABORT,
	    BUILT_IN_HWASAN_STORE8_NOABORT,
	    BUILT_IN_HWASAN_STORE16_NOABORT,
	    BUILT_IN_HWASAN_STOREN_NOABORT } } };
  if (size_in_bytes == -1)
    {
      *nargs = 2;
      return as_combined_fn (check[recover_p][is_store][5]);
    }
  *nargs = 1;
  int size_log2 = exact_log2 (size_in_bytes);
  gcc_assert (size_log2 >= 0 && size_log2 <= 5);
  return as_combined_fn (check[recover_p][is_store][size_log2]);
}
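
/* Illustrative sketch (standalone C): how a constant access size selects the
   sized check above, while a non-constant size (-1) falls back to the _n
   variant that takes the length as a second argument:

     static int
     hwasan_check_index (long size_in_bytes)
     {
       if (size_in_bytes == -1)
	 return 5;                      // __hwasan_{load,store}_n, 2 args
       int log2 = 0;                    // exact_log2: 1->0, 2->1, 4->2, 8->3, 16->4
       while ((1L << log2) < size_in_bytes)
	 ++log2;
       return log2;                     // sized variant, 1 arg
     }
*/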
/* Expand the HWASAN_{LOAD,STORE} builtins.  */
bool
hwasan_expand_check_ifn (gimple_stmt_iterator *iter, bool)
{
  gimple *g = gsi_stmt (*iter);
  location_t loc = gimple_location (g);
  bool recover_p;
  if (flag_sanitize & SANITIZE_USER_HWADDRESS)
    recover_p = (flag_sanitize_recover & SANITIZE_USER_HWADDRESS) != 0;
  else
    recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_HWADDRESS) != 0;

  HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
  gcc_assert (flags < ASAN_CHECK_LAST);
  bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
  bool is_store = (flags & ASAN_CHECK_STORE) != 0;
  bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;

  tree base = gimple_call_arg (g, 1);
  tree len = gimple_call_arg (g, 2);

  /* `align` is unused for HWASAN_CHECK, but we pass the argument anyway
     since that way the arguments match ASAN_CHECK.  */
  /* HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));  */

  unsigned HOST_WIDE_INT size_in_bytes
    = is_scalar_access ? tree_to_shwi (len) : -1;

  gimple_stmt_iterator gsi = *iter;

  if (!is_non_zero_len)
    {
      /* So, the length of the memory area to hwasan-protect is
	 non-constant.  Let's guard the generated instrumentation code
	 like:

	 if (len != 0)
	   {
	     // hwasan instrumentation code goes here.
	   }
	 // fallthrough instructions, starting with *ITER.  */

      g = gimple_build_cond (NE_EXPR,
			     len,
			     build_int_cst (TREE_TYPE (len), 0),
			     NULL_TREE, NULL_TREE);
      gimple_set_location (g, loc);

      basic_block then_bb, fallthrough_bb;
      insert_if_then_before_iter (as_a <gcond *> (g), iter,
				  /*then_more_likely_p=*/true,
				  &then_bb, &fallthrough_bb);
      /* Note that fallthrough_bb starts with the statement that was
	 pointed to by ITER.  */

      /* The 'then block' of the 'if (len != 0)' condition is where
	 we'll generate the hwasan instrumentation code now.  */
      gsi = gsi_last_bb (then_bb);
    }

  gimple_seq stmts = NULL;
  tree base_addr = gimple_build (&stmts, loc, NOP_EXPR,
				 pointer_sized_int_node, base);

  int nargs = 0;
  combined_fn fn
    = hwasan_check_func (is_store, recover_p, size_in_bytes, &nargs);
  if (nargs == 1)
    gimple_build (&stmts, loc, fn, void_type_node, base_addr);
  else
    {
      gcc_assert (nargs == 2);
      tree sz_arg = gimple_build (&stmts, loc, NOP_EXPR,
				  pointer_sized_int_node, len);
      gimple_build (&stmts, loc, fn, void_type_node, base_addr, sz_arg);
    }

  gsi_insert_seq_after (&gsi, stmts, GSI_NEW_STMT);
  gsi_remove (iter, true);
  *iter = gsi;
  return false;
}
/* For stack tagging:

   Dummy: the HWASAN_MARK internal function should only ever be in the code
   after the sanopt pass.  */
bool
hwasan_expand_mark_ifn (gimple_stmt_iterator *)
{
  gcc_unreachable ();
}

bool
gate_hwasan ()
{
  return hwasan_sanitize_p ();
}

#include "gt-asan.h"