| blob | 398b83775e6a3c36f8113858349c1719bac9d373 |
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
33 /*
34 AddressSanitizer finds out-of-bounds and use-after-free bugs
35 with <2x slowdown on average.
37 The tool consists of two parts:
38 instrumentation module (this file) and a run-time library.
39 The instrumentation module adds a run-time check before every memory insn.
40 For a 8- or 16- byte load accessing address X:
41 ShadowAddr = (X >> 3) + Offset
42 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
43 if (ShadowValue)
44 __asan_report_load8(X);
45 For a load of N bytes (N=1, 2 or 4) from address X:
46 ShadowAddr = (X >> 3) + Offset
47 ShadowValue = *(char*)ShadowAddr;
48 if (ShadowValue)
49 if ((X & 7) + N - 1 > ShadowValue)
50 __asan_report_loadN(X);
51 Stores are instrumented similarly, but using __asan_report_storeN functions.
52 A call too __asan_init() is inserted to the list of module CTORs.
54 The run-time library redefines malloc (so that redzone are inserted around
55 the allocated memory) and free (so that reuse of free-ed memory is delayed),
56 provides __asan_report* and __asan_init functions.
58 Read more:
59 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
61 Future work:
62 The current implementation supports only detection of out-of-bounds and
63 use-after-free bugs in heap.
64 In order to support out-of-bounds for stack and globals we will need
65 to create redzones for stack and global object and poison them.
66 */
68 /* Pointer types to 1 resp. 2 byte integers in shadow memory. A separate
69 alias set is used for all shadow memory accesses. */
72 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16}.
73 IS_STORE is either 1 (for a store) or 0 (for a load).
74 SIZE_IN_BYTES is one of 1, 2, 4, 8, 16. */
76 static tree
78 {
79 tree fn_type;
80 tree def;
93 }
95 /* Construct a function tree for __asan_init(). */
97 static tree
99 {
100 tree fn_type;
101 tree def;
108 }
111 #define PROB_VERY_UNLIKELY (REG_BR_PROB_BASE / 2000 - 1)
112 #define PROB_ALWAYS (REG_BR_PROB_BASE)
114 /* Instrument the memory access instruction BASE.
115 Insert new statements before ITER.
116 LOCATION is source code location.
117 IS_STORE is either 1 (for a store) or 0 (for a load).
118 SIZE_IN_BYTES is one of 1, 2, 4, 8, 16. */
120 static void
124 {
125 gimple_stmt_iterator gsi;
127 edge e;
129 gimple g;
132 tree uintptr_type
135 /* We first need to split the current basic block, and start altering
136 the CFG. This allows us to insert the statements we're about to
137 construct into the right basic blocks. */
144 else
149 /* A recap at this point: else_bb is the basic block at whose head
150 is the gimple statement for which this check expression is being
151 built. cond_bb is the (possibly new, synthetic) basic block the
152 end of which will contain the cache-lookup code, and a
153 conditional that jumps to the cache-miss code or, much more
154 likely, over to else_bb. */
156 /* Create the bb that contains the crash block. */
162 /* Mark the pseudo-fallthrough edge from cond_bb to else_bb. */
168 /* Update dominance info. Note that bb_join's data was
169 updated by split_block. */
171 {
174 }
192 /* Build
193 (base_addr >> ASAN_SHADOW_SHIFT) + targetm.asan_shadow_offset (). */
225 {
226 /* Slow path for 1, 2 and 4 byte accesses.
227 Test (shadow != 0)
228 & ((base_addr & 7) + (size_in_bytes - 1)) >= shadow). */
231 NULL),
232 shadow,
240 NULL),
241 base_addr,
248 NULL),
254 {
257 NULL),
263 }
267 NULL),
269 shadow);
275 NULL),
280 }
281 else
289 /* Generate call to the run-time library (e.g. __asan_report_load8). */
297 }
299 /* If T represents a memory access, add instrumentation code before ITER.
300 LOCATION is source code location.
301 IS_STORE is either 1 (for a store) or 0 (for a load). */
303 static void
306 {
308 HOST_WIDE_INT size_in_bytes;
312 {
320 }
327 /* For now just avoid instrumenting bit field acceses.
328 Fixing it is doable, but expected to be messy. */
331 tree offset;
341 }
343 /* asan: this looks too complex. Can this be done simpler? */
344 /* Transform
345 1) Memory references.
346 2) BUILTIN_ALLOCA calls.
347 */
349 static void
351 {
352 basic_block bb;
353 gimple_stmt_iterator i;
357 {
360 {
368 }
369 }
370 }
372 /* Module-level instrumentation.
373 - Insert __asan_init() into the list of CTORs.
374 - TODO: insert redzones around globals.
375 */
377 void
379 {
385 }
387 /* Initialize shadow_ptr_types array. */
389 static void
391 {
399 }
401 /* Instrument the current function. */
403 static unsigned int
405 {
410 }
412 static bool
414 {
416 }
419 {
420 {
421 GIMPLE_PASS,
434 TODO_verify_flow | TODO_verify_stmts
436 }
437 };
439 static bool
441 {
443 }
446 {
447 {
448 GIMPLE_PASS,
461 TODO_verify_flow | TODO_verify_stmts
463 }
464 };