[Ada] Fix internal error on iterated array aggregate
[official-gcc.git] / gcc / asan.cc
blob4b583e54efd417d581266a228a23bfebd1842c3a
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2022 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "backend.h"
26 #include "target.h"
27 #include "rtl.h"
28 #include "tree.h"
29 #include "gimple.h"
30 #include "cfghooks.h"
31 #include "alloc-pool.h"
32 #include "tree-pass.h"
33 #include "memmodel.h"
34 #include "tm_p.h"
35 #include "ssa.h"
36 #include "stringpool.h"
37 #include "tree-ssanames.h"
38 #include "optabs.h"
39 #include "emit-rtl.h"
40 #include "cgraph.h"
41 #include "gimple-pretty-print.h"
42 #include "alias.h"
43 #include "fold-const.h"
44 #include "cfganal.h"
45 #include "gimplify.h"
46 #include "gimple-iterator.h"
47 #include "varasm.h"
48 #include "stor-layout.h"
49 #include "tree-iterator.h"
50 #include "stringpool.h"
51 #include "attribs.h"
52 #include "asan.h"
53 #include "dojump.h"
54 #include "explow.h"
55 #include "expr.h"
56 #include "output.h"
57 #include "langhooks.h"
58 #include "cfgloop.h"
59 #include "gimple-builder.h"
60 #include "gimple-fold.h"
61 #include "ubsan.h"
62 #include "builtins.h"
63 #include "fnmatch.h"
64 #include "tree-inline.h"
65 #include "tree-ssa.h"
66 #include "tree-eh.h"
68 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
69 with <2x slowdown on average.
71 The tool consists of two parts:
72 instrumentation module (this file) and a run-time library.
73 The instrumentation module adds a run-time check before every memory insn.
74 For a 8- or 16- byte load accessing address X:
75 ShadowAddr = (X >> 3) + Offset
76 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
77 if (ShadowValue)
78 __asan_report_load8(X);
79 For a load of N bytes (N=1, 2 or 4) from address X:
80 ShadowAddr = (X >> 3) + Offset
81 ShadowValue = *(char*)ShadowAddr;
82 if (ShadowValue)
83 if ((X & 7) + N - 1 > ShadowValue)
84 __asan_report_loadN(X);
85 Stores are instrumented similarly, but using __asan_report_storeN functions.
86 A call too __asan_init_vN() is inserted to the list of module CTORs.
87 N is the version number of the AddressSanitizer API. The changes between the
88 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
90 The run-time library redefines malloc (so that redzone are inserted around
91 the allocated memory) and free (so that reuse of free-ed memory is delayed),
92 provides __asan_report* and __asan_init_vN functions.
94 Read more:
95 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
97 The current implementation supports detection of out-of-bounds and
98 use-after-free in the heap, on the stack and for global variables.
100 [Protection of stack variables]
102 To understand how detection of out-of-bounds and use-after-free works
103 for stack variables, lets look at this example on x86_64 where the
104 stack grows downward:
107 foo ()
109 char a[24] = {0};
110 int b[2] = {0};
112 a[5] = 1;
113 b[1] = 2;
115 return a[5] + b[1];
118 For this function, the stack protected by asan will be organized as
119 follows, from the top of the stack to the bottom:
121 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
123 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
124 the next slot be 32 bytes aligned; this one is called Partial
125 Redzone; this 32 bytes alignment is an asan constraint]
127 Slot 3/ [24 bytes for variable 'a']
129 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
131 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
133 Slot 6/ [8 bytes for variable 'b']
135 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
136 'LEFT RedZone']
138 The 32 bytes of LEFT red zone at the bottom of the stack can be
139 decomposed as such:
141 1/ The first 8 bytes contain a magical asan number that is always
142 0x41B58AB3.
144 2/ The following 8 bytes contains a pointer to a string (to be
145 parsed at runtime by the runtime asan library), which format is
146 the following:
148 "<function-name> <space> <num-of-variables-on-the-stack>
149 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
150 <length-of-var-in-bytes> ){n} "
152 where '(...){n}' means the content inside the parenthesis occurs 'n'
153 times, with 'n' being the number of variables on the stack.
155 3/ The following 8 bytes contain the PC of the current function which
156 will be used by the run-time library to print an error message.
158 4/ The following 8 bytes are reserved for internal use by the run-time.
160 The shadow memory for that stack layout is going to look like this:
162 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
163 The F1 byte pattern is a magic number called
164 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
165 the memory for that shadow byte is part of a the LEFT red zone
166 intended to seat at the bottom of the variables on the stack.
168 - content of shadow memory 8 bytes for slots 6 and 5:
169 0xF4F4F400. The F4 byte pattern is a magic number
170 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
171 memory region for this shadow byte is a PARTIAL red zone
172 intended to pad a variable A, so that the slot following
173 {A,padding} is 32 bytes aligned.
175 Note that the fact that the least significant byte of this
176 shadow memory content is 00 means that 8 bytes of its
177 corresponding memory (which corresponds to the memory of
178 variable 'b') is addressable.
180 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
181 The F2 byte pattern is a magic number called
182 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
183 region for this shadow byte is a MIDDLE red zone intended to
184 seat between two 32 aligned slots of {variable,padding}.
186 - content of shadow memory 8 bytes for slot 3 and 2:
187 0xF4000000. This represents is the concatenation of
188 variable 'a' and the partial red zone following it, like what we
189 had for variable 'b'. The least significant 3 bytes being 00
190 means that the 3 bytes of variable 'a' are addressable.
192 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
193 The F3 byte pattern is a magic number called
194 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
195 region for this shadow byte is a RIGHT red zone intended to seat
196 at the top of the variables of the stack.
198 Note that the real variable layout is done in expand_used_vars in
199 cfgexpand.cc. As far as Address Sanitizer is concerned, it lays out
200 stack variables as well as the different red zones, emits some
201 prologue code to populate the shadow memory as to poison (mark as
202 non-accessible) the regions of the red zones and mark the regions of
203 stack variables as accessible, and emit some epilogue code to
204 un-poison (mark as accessible) the regions of red zones right before
205 the function exits.
207 [Protection of global variables]
209 The basic idea is to insert a red zone between two global variables
210 and install a constructor function that calls the asan runtime to do
211 the populating of the relevant shadow memory regions at load time.
213 So the global variables are laid out as to insert a red zone between
214 them. The size of the red zones is so that each variable starts on a
215 32 bytes boundary.
217 Then a constructor function is installed so that, for each global
218 variable, it calls the runtime asan library function
219 __asan_register_globals_with an instance of this type:
221 struct __asan_global
223 // Address of the beginning of the global variable.
224 const void *__beg;
226 // Initial size of the global variable.
227 uptr __size;
229 // Size of the global variable + size of the red zone. This
230 // size is 32 bytes aligned.
231 uptr __size_with_redzone;
233 // Name of the global variable.
234 const void *__name;
236 // Name of the module where the global variable is declared.
237 const void *__module_name;
239 // 1 if it has dynamic initialization, 0 otherwise.
240 uptr __has_dynamic_init;
242 // A pointer to struct that contains source location, could be NULL.
243 __asan_global_source_location *__location;
246 A destructor function that calls the runtime asan library function
247 _asan_unregister_globals is also installed. */
249 static unsigned HOST_WIDE_INT asan_shadow_offset_value;
250 static bool asan_shadow_offset_computed;
251 static vec<char *> sanitized_sections;
252 static tree last_alloca_addr;
254 /* Set of variable declarations that are going to be guarded by
255 use-after-scope sanitizer. */
257 hash_set<tree> *asan_handled_variables = NULL;
259 hash_set <tree> *asan_used_labels = NULL;
261 /* Global variables for HWASAN stack tagging. */
262 /* hwasan_frame_tag_offset records the offset from the frame base tag that the
263 next object should have. */
264 static uint8_t hwasan_frame_tag_offset = 0;
265 /* hwasan_frame_base_ptr is a pointer with the same address as
266 `virtual_stack_vars_rtx` for the current frame, and with the frame base tag
267 stored in it. N.b. this global RTX does not need to be marked GTY, but is
268 done so anyway. The need is not there since all uses are in just one pass
269 (cfgexpand) and there are no calls to ggc_collect between the uses. We mark
270 it GTY(()) anyway to allow the use of the variable later on if needed by
271 future features. */
272 static GTY(()) rtx hwasan_frame_base_ptr = NULL_RTX;
273 /* hwasan_frame_base_init_seq is the sequence of RTL insns that will initialize
274 the hwasan_frame_base_ptr. When the hwasan_frame_base_ptr is requested, we
275 generate this sequence but do not emit it. If the sequence was created it
276 is emitted once the function body has been expanded.
278 This delay is because the frame base pointer may be needed anywhere in the
279 function body, or needed by the expand_used_vars function. Emitting once in
280 a known place is simpler than requiring the emission of the instructions to
281 be know where it should go depending on the first place the hwasan frame
282 base is needed. */
283 static GTY(()) rtx_insn *hwasan_frame_base_init_seq = NULL;
285 /* Structure defining the extent of one object on the stack that HWASAN needs
286 to tag in the corresponding shadow stack space.
288 The range this object spans on the stack is between `untagged_base +
289 nearest_offset` and `untagged_base + farthest_offset`.
290 `tagged_base` is an rtx containing the same value as `untagged_base` but
291 with a random tag stored in the top byte. We record both `untagged_base`
292 and `tagged_base` so that `hwasan_emit_prologue` can use both without having
293 to emit RTL into the instruction stream to re-calculate one from the other.
294 (`hwasan_emit_prologue` needs to use both bases since the
295 __hwasan_tag_memory call it emits uses an untagged value, and it calculates
296 the tag to store in shadow memory based on the tag_offset plus the tag in
297 tagged_base). */
298 struct hwasan_stack_var
300 rtx untagged_base;
301 rtx tagged_base;
302 poly_int64 nearest_offset;
303 poly_int64 farthest_offset;
304 uint8_t tag_offset;
307 /* Variable recording all stack variables that HWASAN needs to tag.
308 Does not need to be marked as GTY(()) since every use is in the cfgexpand
309 pass and gcc_collect is not called in the middle of that pass. */
310 static vec<hwasan_stack_var> hwasan_tagged_stack_vars;
313 /* Sets shadow offset to value in string VAL. */
315 bool
316 set_asan_shadow_offset (const char *val)
318 char *endp;
320 errno = 0;
321 #ifdef HAVE_LONG_LONG
322 asan_shadow_offset_value = strtoull (val, &endp, 0);
323 #else
324 asan_shadow_offset_value = strtoul (val, &endp, 0);
325 #endif
326 if (!(*val != '\0' && *endp == '\0' && errno == 0))
327 return false;
329 asan_shadow_offset_computed = true;
331 return true;
334 /* Set list of user-defined sections that need to be sanitized. */
336 void
337 set_sanitized_sections (const char *sections)
339 char *pat;
340 unsigned i;
341 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
342 free (pat);
343 sanitized_sections.truncate (0);
345 for (const char *s = sections; *s; )
347 const char *end;
348 for (end = s; *end && *end != ','; ++end);
349 size_t len = end - s;
350 sanitized_sections.safe_push (xstrndup (s, len));
351 s = *end ? end + 1 : end;
355 bool
356 asan_mark_p (gimple *stmt, enum asan_mark_flags flag)
358 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
359 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag);
362 bool
363 asan_sanitize_stack_p (void)
365 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_stack);
368 bool
369 asan_sanitize_allocas_p (void)
371 return (asan_sanitize_stack_p () && param_asan_protect_allocas);
374 bool
375 asan_instrument_reads (void)
377 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_reads);
380 bool
381 asan_instrument_writes (void)
383 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_writes);
386 bool
387 asan_memintrin (void)
389 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_memintrin);
393 /* Checks whether section SEC should be sanitized. */
395 static bool
396 section_sanitized_p (const char *sec)
398 char *pat;
399 unsigned i;
400 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
401 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
402 return true;
403 return false;
406 /* Returns Asan shadow offset. */
408 static unsigned HOST_WIDE_INT
409 asan_shadow_offset ()
411 if (!asan_shadow_offset_computed)
413 asan_shadow_offset_computed = true;
414 asan_shadow_offset_value = targetm.asan_shadow_offset ();
416 return asan_shadow_offset_value;
419 /* Returns Asan shadow offset has been set. */
420 bool
421 asan_shadow_offset_set_p ()
423 return asan_shadow_offset_computed;
426 alias_set_type asan_shadow_set = -1;
428 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
429 alias set is used for all shadow memory accesses. */
430 static GTY(()) tree shadow_ptr_types[3];
432 /* Decl for __asan_option_detect_stack_use_after_return. */
433 static GTY(()) tree asan_detect_stack_use_after_return;
435 /* Hashtable support for memory references used by gimple
436 statements. */
438 /* This type represents a reference to a memory region. */
439 struct asan_mem_ref
441 /* The expression of the beginning of the memory region. */
442 tree start;
444 /* The size of the access. */
445 HOST_WIDE_INT access_size;
448 object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
450 /* Initializes an instance of asan_mem_ref. */
452 static void
453 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
455 ref->start = start;
456 ref->access_size = access_size;
459 /* Allocates memory for an instance of asan_mem_ref into the memory
460 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
461 START is the address of (or the expression pointing to) the
462 beginning of memory reference. ACCESS_SIZE is the size of the
463 access to the referenced memory. */
465 static asan_mem_ref*
466 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
468 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
470 asan_mem_ref_init (ref, start, access_size);
471 return ref;
474 /* This builds and returns a pointer to the end of the memory region
475 that starts at START and of length LEN. */
477 tree
478 asan_mem_ref_get_end (tree start, tree len)
480 if (len == NULL_TREE || integer_zerop (len))
481 return start;
483 if (!ptrofftype_p (len))
484 len = convert_to_ptrofftype (len);
486 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
489 /* Return a tree expression that represents the end of the referenced
490 memory region. Beware that this function can actually build a new
491 tree expression. */
493 tree
494 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
496 return asan_mem_ref_get_end (ref->start, len);
499 struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
501 static inline hashval_t hash (const asan_mem_ref *);
502 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
505 /* Hash a memory reference. */
507 inline hashval_t
508 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
510 return iterative_hash_expr (mem_ref->start, 0);
513 /* Compare two memory references. We accept the length of either
514 memory references to be NULL_TREE. */
516 inline bool
517 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
518 const asan_mem_ref *m2)
520 return operand_equal_p (m1->start, m2->start, 0);
523 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
525 /* Returns a reference to the hash table containing memory references.
526 This function ensures that the hash table is created. Note that
527 this hash table is updated by the function
528 update_mem_ref_hash_table. */
530 static hash_table<asan_mem_ref_hasher> *
531 get_mem_ref_hash_table ()
533 if (!asan_mem_ref_ht)
534 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
536 return asan_mem_ref_ht;
539 /* Clear all entries from the memory references hash table. */
541 static void
542 empty_mem_ref_hash_table ()
544 if (asan_mem_ref_ht)
545 asan_mem_ref_ht->empty ();
548 /* Free the memory references hash table. */
550 static void
551 free_mem_ref_resources ()
553 delete asan_mem_ref_ht;
554 asan_mem_ref_ht = NULL;
556 asan_mem_ref_pool.release ();
559 /* Return true iff the memory reference REF has been instrumented. */
561 static bool
562 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
564 asan_mem_ref r;
565 asan_mem_ref_init (&r, ref, access_size);
567 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
568 return saved_ref && saved_ref->access_size >= access_size;
571 /* Return true iff the memory reference REF has been instrumented. */
573 static bool
574 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
576 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
579 /* Return true iff access to memory region starting at REF and of
580 length LEN has been instrumented. */
582 static bool
583 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
585 HOST_WIDE_INT size_in_bytes
586 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
588 return size_in_bytes != -1
589 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
592 /* Set REF to the memory reference present in a gimple assignment
593 ASSIGNMENT. Return true upon successful completion, false
594 otherwise. */
596 static bool
597 get_mem_ref_of_assignment (const gassign *assignment,
598 asan_mem_ref *ref,
599 bool *ref_is_store)
601 gcc_assert (gimple_assign_single_p (assignment));
603 if (gimple_store_p (assignment)
604 && !gimple_clobber_p (assignment))
606 ref->start = gimple_assign_lhs (assignment);
607 *ref_is_store = true;
609 else if (gimple_assign_load_p (assignment))
611 ref->start = gimple_assign_rhs1 (assignment);
612 *ref_is_store = false;
614 else
615 return false;
617 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
618 return true;
621 /* Return address of last allocated dynamic alloca. */
623 static tree
624 get_last_alloca_addr ()
626 if (last_alloca_addr)
627 return last_alloca_addr;
629 last_alloca_addr = create_tmp_reg (ptr_type_node, "last_alloca_addr");
630 gassign *g = gimple_build_assign (last_alloca_addr, null_pointer_node);
631 edge e = single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun));
632 gsi_insert_on_edge_immediate (e, g);
633 return last_alloca_addr;
636 /* Insert __asan_allocas_unpoison (top, bottom) call before
637 __builtin_stack_restore (new_sp) call.
638 The pseudocode of this routine should look like this:
639 top = last_alloca_addr;
640 bot = new_sp;
641 __asan_allocas_unpoison (top, bot);
642 last_alloca_addr = new_sp;
643 __builtin_stack_restore (new_sp);
644 In general, we can't use new_sp as bot parameter because on some
645 architectures SP has non zero offset from dynamic stack area. Moreover, on
646 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each
647 particular function only after all callees were expanded to rtl.
648 The most noticeable example is PowerPC{,64}, see
649 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
650 To overcome the issue we use following trick: pass new_sp as a second
651 parameter to __asan_allocas_unpoison and rewrite it during expansion with
652 new_sp + (virtual_dynamic_stack_rtx - sp) later in
653 expand_asan_emit_allocas_unpoison function.
655 HWASAN needs to do very similar, the eventual pseudocode should be:
656 __hwasan_tag_memory (virtual_stack_dynamic_rtx,
658 new_sp - sp);
659 __builtin_stack_restore (new_sp)
661 Need to use the same trick to handle STACK_DYNAMIC_OFFSET as described
662 above. */
664 static void
665 handle_builtin_stack_restore (gcall *call, gimple_stmt_iterator *iter)
667 if (!iter
668 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ()))
669 return;
671 tree restored_stack = gimple_call_arg (call, 0);
673 gimple *g;
675 if (hwasan_sanitize_allocas_p ())
677 enum internal_fn fn = IFN_HWASAN_ALLOCA_UNPOISON;
678 /* There is only one piece of information `expand_HWASAN_ALLOCA_UNPOISON`
679 needs to work. This is the length of the area that we're
680 deallocating. Since the stack pointer is known at expand time, the
681 position of the new stack pointer after deallocation is enough
682 information to calculate this length. */
683 g = gimple_build_call_internal (fn, 1, restored_stack);
685 else
687 tree last_alloca = get_last_alloca_addr ();
688 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCAS_UNPOISON);
689 g = gimple_build_call (fn, 2, last_alloca, restored_stack);
690 gsi_insert_before (iter, g, GSI_SAME_STMT);
691 g = gimple_build_assign (last_alloca, restored_stack);
694 gsi_insert_before (iter, g, GSI_SAME_STMT);
697 /* Deploy and poison redzones around __builtin_alloca call. To do this, we
698 should replace this call with another one with changed parameters and
699 replace all its uses with new address, so
700 addr = __builtin_alloca (old_size, align);
701 is replaced by
702 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
703 Following two statements are optimized out if we know that
704 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
705 redzone.
706 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
707 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
708 right_redzone_size = ASAN_RED_ZONE_SIZE;
709 additional_size = left_redzone_size + partial_redzone_size +
710 right_redzone_size;
711 new_size = old_size + additional_size;
712 new_alloca = __builtin_alloca (new_size, max (align, 32))
713 __asan_alloca_poison (new_alloca, old_size)
714 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
715 last_alloca_addr = new_alloca;
716 ADDITIONAL_SIZE is added to make new memory allocation contain not only
717 requested memory, but also left, partial and right redzones as well as some
718 additional space, required by alignment. */
720 static void
721 handle_builtin_alloca (gcall *call, gimple_stmt_iterator *iter)
723 if (!iter
724 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ()))
725 return;
727 gassign *g;
728 gcall *gg;
729 tree callee = gimple_call_fndecl (call);
730 tree lhs = gimple_call_lhs (call);
731 tree old_size = gimple_call_arg (call, 0);
732 tree ptr_type = lhs ? TREE_TYPE (lhs) : ptr_type_node;
733 tree partial_size = NULL_TREE;
734 unsigned int align
735 = DECL_FUNCTION_CODE (callee) == BUILT_IN_ALLOCA
736 ? 0 : tree_to_uhwi (gimple_call_arg (call, 1));
738 bool throws = false;
739 edge e = NULL;
740 if (stmt_can_throw_internal (cfun, call))
742 if (!lhs)
743 return;
744 throws = true;
745 e = find_fallthru_edge (gsi_bb (*iter)->succs);
748 if (hwasan_sanitize_allocas_p ())
750 gimple_seq stmts = NULL;
751 location_t loc = gimple_location (gsi_stmt (*iter));
753 HWASAN needs a different expansion.
755 addr = __builtin_alloca (size, align);
757 should be replaced by
759 new_size = size rounded up to HWASAN_TAG_GRANULE_SIZE byte alignment;
760 untagged_addr = __builtin_alloca (new_size, align);
761 tag = __hwasan_choose_alloca_tag ();
762 addr = ifn_HWASAN_SET_TAG (untagged_addr, tag);
763 __hwasan_tag_memory (untagged_addr, tag, new_size);
765 /* Ensure alignment at least HWASAN_TAG_GRANULE_SIZE bytes so we start on
766 a tag granule. */
767 align = align > HWASAN_TAG_GRANULE_SIZE ? align : HWASAN_TAG_GRANULE_SIZE;
769 tree old_size = gimple_call_arg (call, 0);
770 tree new_size = gimple_build_round_up (&stmts, loc, size_type_node,
771 old_size,
772 HWASAN_TAG_GRANULE_SIZE);
774 /* Make the alloca call */
775 tree untagged_addr
776 = gimple_build (&stmts, loc,
777 as_combined_fn (BUILT_IN_ALLOCA_WITH_ALIGN), ptr_type,
778 new_size, build_int_cst (size_type_node, align));
780 /* Choose the tag.
781 Here we use an internal function so we can choose the tag at expand
782 time. We need the decision to be made after stack variables have been
783 assigned their tag (i.e. once the hwasan_frame_tag_offset variable has
784 been set to one after the last stack variables tag). */
785 tree tag = gimple_build (&stmts, loc, CFN_HWASAN_CHOOSE_TAG,
786 unsigned_char_type_node);
788 /* Add tag to pointer. */
789 tree addr
790 = gimple_build (&stmts, loc, CFN_HWASAN_SET_TAG, ptr_type,
791 untagged_addr, tag);
793 /* Tag shadow memory.
794 NOTE: require using `untagged_addr` here for libhwasan API. */
795 gimple_build (&stmts, loc, as_combined_fn (BUILT_IN_HWASAN_TAG_MEM),
796 void_type_node, untagged_addr, tag, new_size);
798 /* Insert the built up code sequence into the original instruction stream
799 the iterator points to. */
800 gsi_insert_seq_before (iter, stmts, GSI_SAME_STMT);
802 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
803 replace_call_with_value (iter, addr);
804 return;
807 tree last_alloca = get_last_alloca_addr ();
808 const HOST_WIDE_INT redzone_mask = ASAN_RED_ZONE_SIZE - 1;
810 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
811 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
812 manually. */
813 align = MAX (align, ASAN_RED_ZONE_SIZE * BITS_PER_UNIT);
815 tree alloca_rz_mask = build_int_cst (size_type_node, redzone_mask);
816 tree redzone_size = build_int_cst (size_type_node, ASAN_RED_ZONE_SIZE);
818 /* Extract lower bits from old_size. */
819 wide_int size_nonzero_bits = get_nonzero_bits (old_size);
820 wide_int rz_mask
821 = wi::uhwi (redzone_mask, wi::get_precision (size_nonzero_bits));
822 wide_int old_size_lower_bits = wi::bit_and (size_nonzero_bits, rz_mask);
824 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
825 redzone. Otherwise, compute its size here. */
826 if (wi::ne_p (old_size_lower_bits, 0))
828 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
829 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
830 g = gimple_build_assign (make_ssa_name (size_type_node, NULL),
831 BIT_AND_EXPR, old_size, alloca_rz_mask);
832 gsi_insert_before (iter, g, GSI_SAME_STMT);
833 tree misalign = gimple_assign_lhs (g);
834 g = gimple_build_assign (make_ssa_name (size_type_node, NULL), MINUS_EXPR,
835 redzone_size, misalign);
836 gsi_insert_before (iter, g, GSI_SAME_STMT);
837 partial_size = gimple_assign_lhs (g);
840 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
841 tree additional_size = build_int_cst (size_type_node, align / BITS_PER_UNIT
842 + ASAN_RED_ZONE_SIZE);
843 /* If alloca has partial redzone, include it to additional_size too. */
844 if (partial_size)
846 /* additional_size += partial_size. */
847 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR,
848 partial_size, additional_size);
849 gsi_insert_before (iter, g, GSI_SAME_STMT);
850 additional_size = gimple_assign_lhs (g);
853 /* new_size = old_size + additional_size. */
854 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR, old_size,
855 additional_size);
856 gsi_insert_before (iter, g, GSI_SAME_STMT);
857 tree new_size = gimple_assign_lhs (g);
859 /* Build new __builtin_alloca call:
860 new_alloca_with_rz = __builtin_alloca (new_size, align). */
861 tree fn = builtin_decl_implicit (BUILT_IN_ALLOCA_WITH_ALIGN);
862 gg = gimple_build_call (fn, 2, new_size,
863 build_int_cst (size_type_node, align));
864 tree new_alloca_with_rz = make_ssa_name (ptr_type, gg);
865 gimple_call_set_lhs (gg, new_alloca_with_rz);
866 if (throws)
868 gimple_call_set_lhs (call, NULL);
869 gsi_replace (iter, gg, true);
871 else
872 gsi_insert_before (iter, gg, GSI_SAME_STMT);
874 /* new_alloca = new_alloca_with_rz + align. */
875 g = gimple_build_assign (make_ssa_name (ptr_type), POINTER_PLUS_EXPR,
876 new_alloca_with_rz,
877 build_int_cst (size_type_node,
878 align / BITS_PER_UNIT));
879 gimple_stmt_iterator gsi = gsi_none ();
880 if (throws)
882 gsi_insert_on_edge_immediate (e, g);
883 gsi = gsi_for_stmt (g);
885 else
886 gsi_insert_before (iter, g, GSI_SAME_STMT);
887 tree new_alloca = gimple_assign_lhs (g);
889 /* Poison newly created alloca redzones:
890 __asan_alloca_poison (new_alloca, old_size). */
891 fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCA_POISON);
892 gg = gimple_build_call (fn, 2, new_alloca, old_size);
893 if (throws)
894 gsi_insert_after (&gsi, gg, GSI_NEW_STMT);
895 else
896 gsi_insert_before (iter, gg, GSI_SAME_STMT);
898 /* Save new_alloca_with_rz value into last_alloca to use it during
899 allocas unpoisoning. */
900 g = gimple_build_assign (last_alloca, new_alloca_with_rz);
901 if (throws)
902 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
903 else
904 gsi_insert_before (iter, g, GSI_SAME_STMT);
906 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
907 if (throws)
909 g = gimple_build_assign (lhs, new_alloca);
910 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
912 else
913 replace_call_with_value (iter, new_alloca);
916 /* Return the memory references contained in a gimple statement
917 representing a builtin call that has to do with memory access. */
919 static bool
920 get_mem_refs_of_builtin_call (gcall *call,
921 asan_mem_ref *src0,
922 tree *src0_len,
923 bool *src0_is_store,
924 asan_mem_ref *src1,
925 tree *src1_len,
926 bool *src1_is_store,
927 asan_mem_ref *dst,
928 tree *dst_len,
929 bool *dst_is_store,
930 bool *dest_is_deref,
931 bool *intercepted_p,
932 gimple_stmt_iterator *iter = NULL)
934 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
936 tree callee = gimple_call_fndecl (call);
937 tree source0 = NULL_TREE, source1 = NULL_TREE,
938 dest = NULL_TREE, len = NULL_TREE;
939 bool is_store = true, got_reference_p = false;
940 HOST_WIDE_INT access_size = 1;
942 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
944 switch (DECL_FUNCTION_CODE (callee))
946 /* (s, s, n) style memops. */
947 case BUILT_IN_BCMP:
948 case BUILT_IN_MEMCMP:
949 source0 = gimple_call_arg (call, 0);
950 source1 = gimple_call_arg (call, 1);
951 len = gimple_call_arg (call, 2);
952 break;
954 /* (src, dest, n) style memops. */
955 case BUILT_IN_BCOPY:
956 source0 = gimple_call_arg (call, 0);
957 dest = gimple_call_arg (call, 1);
958 len = gimple_call_arg (call, 2);
959 break;
961 /* (dest, src, n) style memops. */
962 case BUILT_IN_MEMCPY:
963 case BUILT_IN_MEMCPY_CHK:
964 case BUILT_IN_MEMMOVE:
965 case BUILT_IN_MEMMOVE_CHK:
966 case BUILT_IN_MEMPCPY:
967 case BUILT_IN_MEMPCPY_CHK:
968 dest = gimple_call_arg (call, 0);
969 source0 = gimple_call_arg (call, 1);
970 len = gimple_call_arg (call, 2);
971 break;
973 /* (dest, n) style memops. */
974 case BUILT_IN_BZERO:
975 dest = gimple_call_arg (call, 0);
976 len = gimple_call_arg (call, 1);
977 break;
979 /* (dest, x, n) style memops*/
980 case BUILT_IN_MEMSET:
981 case BUILT_IN_MEMSET_CHK:
982 dest = gimple_call_arg (call, 0);
983 len = gimple_call_arg (call, 2);
984 break;
986 case BUILT_IN_STRLEN:
987 /* Special case strlen here since its length is taken from its return
988 value.
990 The approach taken by the sanitizers is to check a memory access
991 before it's taken. For ASAN strlen is intercepted by libasan, so no
992 check is inserted by the compiler.
994 This function still returns `true` and provides a length to the rest
995 of the ASAN pass in order to record what areas have been checked,
996 avoiding superfluous checks later on.
998 HWASAN does not intercept any of these internal functions.
999 This means that checks for memory accesses must be inserted by the
1000 compiler.
1001 strlen is a special case, because we can tell the length from the
1002 return of the function, but that is not known until after the function
1003 has returned.
1005 Hence we can't check the memory access before it happens.
1006 We could check the memory access after it has already happened, but
1007 for now we choose to just ignore `strlen` calls.
1008 This decision was simply made because that means the special case is
1009 limited to this one case of this one function. */
1010 if (hwasan_sanitize_p ())
1011 return false;
1012 source0 = gimple_call_arg (call, 0);
1013 len = gimple_call_lhs (call);
1014 break;
1016 case BUILT_IN_STACK_RESTORE:
1017 handle_builtin_stack_restore (call, iter);
1018 break;
1020 CASE_BUILT_IN_ALLOCA:
1021 handle_builtin_alloca (call, iter);
1022 break;
1023 /* And now the __atomic* and __sync builtins.
1024 These are handled differently from the classical memory
1025 access builtins above. */
1027 case BUILT_IN_ATOMIC_LOAD_1:
1028 is_store = false;
1029 /* FALLTHRU */
1030 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
1031 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
1032 case BUILT_IN_SYNC_FETCH_AND_OR_1:
1033 case BUILT_IN_SYNC_FETCH_AND_AND_1:
1034 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
1035 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
1036 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
1037 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
1038 case BUILT_IN_SYNC_OR_AND_FETCH_1:
1039 case BUILT_IN_SYNC_AND_AND_FETCH_1:
1040 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
1041 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
1042 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
1043 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
1044 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
1045 case BUILT_IN_SYNC_LOCK_RELEASE_1:
1046 case BUILT_IN_ATOMIC_EXCHANGE_1:
1047 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
1048 case BUILT_IN_ATOMIC_STORE_1:
1049 case BUILT_IN_ATOMIC_ADD_FETCH_1:
1050 case BUILT_IN_ATOMIC_SUB_FETCH_1:
1051 case BUILT_IN_ATOMIC_AND_FETCH_1:
1052 case BUILT_IN_ATOMIC_NAND_FETCH_1:
1053 case BUILT_IN_ATOMIC_XOR_FETCH_1:
1054 case BUILT_IN_ATOMIC_OR_FETCH_1:
1055 case BUILT_IN_ATOMIC_FETCH_ADD_1:
1056 case BUILT_IN_ATOMIC_FETCH_SUB_1:
1057 case BUILT_IN_ATOMIC_FETCH_AND_1:
1058 case BUILT_IN_ATOMIC_FETCH_NAND_1:
1059 case BUILT_IN_ATOMIC_FETCH_XOR_1:
1060 case BUILT_IN_ATOMIC_FETCH_OR_1:
1061 access_size = 1;
1062 goto do_atomic;
1064 case BUILT_IN_ATOMIC_LOAD_2:
1065 is_store = false;
1066 /* FALLTHRU */
1067 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
1068 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
1069 case BUILT_IN_SYNC_FETCH_AND_OR_2:
1070 case BUILT_IN_SYNC_FETCH_AND_AND_2:
1071 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
1072 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
1073 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
1074 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
1075 case BUILT_IN_SYNC_OR_AND_FETCH_2:
1076 case BUILT_IN_SYNC_AND_AND_FETCH_2:
1077 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
1078 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
1079 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
1080 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
1081 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
1082 case BUILT_IN_SYNC_LOCK_RELEASE_2:
1083 case BUILT_IN_ATOMIC_EXCHANGE_2:
1084 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
1085 case BUILT_IN_ATOMIC_STORE_2:
1086 case BUILT_IN_ATOMIC_ADD_FETCH_2:
1087 case BUILT_IN_ATOMIC_SUB_FETCH_2:
1088 case BUILT_IN_ATOMIC_AND_FETCH_2:
1089 case BUILT_IN_ATOMIC_NAND_FETCH_2:
1090 case BUILT_IN_ATOMIC_XOR_FETCH_2:
1091 case BUILT_IN_ATOMIC_OR_FETCH_2:
1092 case BUILT_IN_ATOMIC_FETCH_ADD_2:
1093 case BUILT_IN_ATOMIC_FETCH_SUB_2:
1094 case BUILT_IN_ATOMIC_FETCH_AND_2:
1095 case BUILT_IN_ATOMIC_FETCH_NAND_2:
1096 case BUILT_IN_ATOMIC_FETCH_XOR_2:
1097 case BUILT_IN_ATOMIC_FETCH_OR_2:
1098 access_size = 2;
1099 goto do_atomic;
1101 case BUILT_IN_ATOMIC_LOAD_4:
1102 is_store = false;
1103 /* FALLTHRU */
1104 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
1105 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
1106 case BUILT_IN_SYNC_FETCH_AND_OR_4:
1107 case BUILT_IN_SYNC_FETCH_AND_AND_4:
1108 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
1109 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
1110 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
1111 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
1112 case BUILT_IN_SYNC_OR_AND_FETCH_4:
1113 case BUILT_IN_SYNC_AND_AND_FETCH_4:
1114 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
1115 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
1116 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
1117 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
1118 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
1119 case BUILT_IN_SYNC_LOCK_RELEASE_4:
1120 case BUILT_IN_ATOMIC_EXCHANGE_4:
1121 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
1122 case BUILT_IN_ATOMIC_STORE_4:
1123 case BUILT_IN_ATOMIC_ADD_FETCH_4:
1124 case BUILT_IN_ATOMIC_SUB_FETCH_4:
1125 case BUILT_IN_ATOMIC_AND_FETCH_4:
1126 case BUILT_IN_ATOMIC_NAND_FETCH_4:
1127 case BUILT_IN_ATOMIC_XOR_FETCH_4:
1128 case BUILT_IN_ATOMIC_OR_FETCH_4:
1129 case BUILT_IN_ATOMIC_FETCH_ADD_4:
1130 case BUILT_IN_ATOMIC_FETCH_SUB_4:
1131 case BUILT_IN_ATOMIC_FETCH_AND_4:
1132 case BUILT_IN_ATOMIC_FETCH_NAND_4:
1133 case BUILT_IN_ATOMIC_FETCH_XOR_4:
1134 case BUILT_IN_ATOMIC_FETCH_OR_4:
1135 access_size = 4;
1136 goto do_atomic;
1138 case BUILT_IN_ATOMIC_LOAD_8:
1139 is_store = false;
1140 /* FALLTHRU */
1141 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
1142 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
1143 case BUILT_IN_SYNC_FETCH_AND_OR_8:
1144 case BUILT_IN_SYNC_FETCH_AND_AND_8:
1145 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
1146 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
1147 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
1148 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
1149 case BUILT_IN_SYNC_OR_AND_FETCH_8:
1150 case BUILT_IN_SYNC_AND_AND_FETCH_8:
1151 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
1152 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
1153 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
1154 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
1155 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
1156 case BUILT_IN_SYNC_LOCK_RELEASE_8:
1157 case BUILT_IN_ATOMIC_EXCHANGE_8:
1158 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
1159 case BUILT_IN_ATOMIC_STORE_8:
1160 case BUILT_IN_ATOMIC_ADD_FETCH_8:
1161 case BUILT_IN_ATOMIC_SUB_FETCH_8:
1162 case BUILT_IN_ATOMIC_AND_FETCH_8:
1163 case BUILT_IN_ATOMIC_NAND_FETCH_8:
1164 case BUILT_IN_ATOMIC_XOR_FETCH_8:
1165 case BUILT_IN_ATOMIC_OR_FETCH_8:
1166 case BUILT_IN_ATOMIC_FETCH_ADD_8:
1167 case BUILT_IN_ATOMIC_FETCH_SUB_8:
1168 case BUILT_IN_ATOMIC_FETCH_AND_8:
1169 case BUILT_IN_ATOMIC_FETCH_NAND_8:
1170 case BUILT_IN_ATOMIC_FETCH_XOR_8:
1171 case BUILT_IN_ATOMIC_FETCH_OR_8:
1172 access_size = 8;
1173 goto do_atomic;
1175 case BUILT_IN_ATOMIC_LOAD_16:
1176 is_store = false;
1177 /* FALLTHRU */
1178 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
1179 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
1180 case BUILT_IN_SYNC_FETCH_AND_OR_16:
1181 case BUILT_IN_SYNC_FETCH_AND_AND_16:
1182 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
1183 case BUILT_IN_SYNC_FETCH_AND_NAND_16:
1184 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
1185 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
1186 case BUILT_IN_SYNC_OR_AND_FETCH_16:
1187 case BUILT_IN_SYNC_AND_AND_FETCH_16:
1188 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
1189 case BUILT_IN_SYNC_NAND_AND_FETCH_16:
1190 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
1191 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
1192 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
1193 case BUILT_IN_SYNC_LOCK_RELEASE_16:
1194 case BUILT_IN_ATOMIC_EXCHANGE_16:
1195 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
1196 case BUILT_IN_ATOMIC_STORE_16:
1197 case BUILT_IN_ATOMIC_ADD_FETCH_16:
1198 case BUILT_IN_ATOMIC_SUB_FETCH_16:
1199 case BUILT_IN_ATOMIC_AND_FETCH_16:
1200 case BUILT_IN_ATOMIC_NAND_FETCH_16:
1201 case BUILT_IN_ATOMIC_XOR_FETCH_16:
1202 case BUILT_IN_ATOMIC_OR_FETCH_16:
1203 case BUILT_IN_ATOMIC_FETCH_ADD_16:
1204 case BUILT_IN_ATOMIC_FETCH_SUB_16:
1205 case BUILT_IN_ATOMIC_FETCH_AND_16:
1206 case BUILT_IN_ATOMIC_FETCH_NAND_16:
1207 case BUILT_IN_ATOMIC_FETCH_XOR_16:
1208 case BUILT_IN_ATOMIC_FETCH_OR_16:
1209 access_size = 16;
1210 /* FALLTHRU */
1211 do_atomic:
1213 dest = gimple_call_arg (call, 0);
1214 /* DEST represents the address of a memory location.
1215 instrument_derefs wants the memory location, so lets
1216 dereference the address DEST before handing it to
1217 instrument_derefs. */
1218 tree type = build_nonstandard_integer_type (access_size
1219 * BITS_PER_UNIT, 1);
1220 dest = build2 (MEM_REF, type, dest,
1221 build_int_cst (build_pointer_type (char_type_node), 0));
1222 break;
1225 default:
1226 /* The other builtins memory access are not instrumented in this
1227 function because they either don't have any length parameter,
1228 or their length parameter is just a limit. */
1229 break;
1232 if (len != NULL_TREE)
1234 if (source0 != NULL_TREE)
1236 src0->start = source0;
1237 src0->access_size = access_size;
1238 *src0_len = len;
1239 *src0_is_store = false;
1242 if (source1 != NULL_TREE)
1244 src1->start = source1;
1245 src1->access_size = access_size;
1246 *src1_len = len;
1247 *src1_is_store = false;
1250 if (dest != NULL_TREE)
1252 dst->start = dest;
1253 dst->access_size = access_size;
1254 *dst_len = len;
1255 *dst_is_store = true;
1258 got_reference_p = true;
1260 else if (dest)
1262 dst->start = dest;
1263 dst->access_size = access_size;
1264 *dst_len = NULL_TREE;
1265 *dst_is_store = is_store;
1266 *dest_is_deref = true;
1267 got_reference_p = true;
1270 return got_reference_p;
1273 /* Return true iff a given gimple statement has been instrumented.
1274 Note that the statement is "defined" by the memory references it
1275 contains. */
1277 static bool
1278 has_stmt_been_instrumented_p (gimple *stmt)
1280 if (gimple_assign_single_p (stmt))
1282 bool r_is_store;
1283 asan_mem_ref r;
1284 asan_mem_ref_init (&r, NULL, 1);
1286 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
1287 &r_is_store))
1288 return has_mem_ref_been_instrumented (&r);
1290 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
1292 asan_mem_ref src0, src1, dest;
1293 asan_mem_ref_init (&src0, NULL, 1);
1294 asan_mem_ref_init (&src1, NULL, 1);
1295 asan_mem_ref_init (&dest, NULL, 1);
1297 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1298 bool src0_is_store = false, src1_is_store = false,
1299 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
1300 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
1301 &src0, &src0_len, &src0_is_store,
1302 &src1, &src1_len, &src1_is_store,
1303 &dest, &dest_len, &dest_is_store,
1304 &dest_is_deref, &intercepted_p))
1306 if (src0.start != NULL_TREE
1307 && !has_mem_ref_been_instrumented (&src0, src0_len))
1308 return false;
1310 if (src1.start != NULL_TREE
1311 && !has_mem_ref_been_instrumented (&src1, src1_len))
1312 return false;
1314 if (dest.start != NULL_TREE
1315 && !has_mem_ref_been_instrumented (&dest, dest_len))
1316 return false;
1318 return true;
1321 else if (is_gimple_call (stmt) && gimple_store_p (stmt))
1323 asan_mem_ref r;
1324 asan_mem_ref_init (&r, NULL, 1);
1326 r.start = gimple_call_lhs (stmt);
1327 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
1328 return has_mem_ref_been_instrumented (&r);
1331 return false;
1334 /* Insert a memory reference into the hash table. */
1336 static void
1337 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
1339 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
1341 asan_mem_ref r;
1342 asan_mem_ref_init (&r, ref, access_size);
1344 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
1345 if (*slot == NULL || (*slot)->access_size < access_size)
1346 *slot = asan_mem_ref_new (ref, access_size);
1349 /* Initialize shadow_ptr_types array. */
1351 static void
1352 asan_init_shadow_ptr_types (void)
1354 asan_shadow_set = new_alias_set ();
1355 tree types[3] = { signed_char_type_node, short_integer_type_node,
1356 integer_type_node };
1358 for (unsigned i = 0; i < 3; i++)
1360 shadow_ptr_types[i] = build_distinct_type_copy (types[i]);
1361 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set;
1362 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]);
1365 initialize_sanitizer_builtins ();
1368 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
1370 static tree
1371 asan_pp_string (pretty_printer *pp)
1373 const char *buf = pp_formatted_text (pp);
1374 size_t len = strlen (buf);
1375 tree ret = build_string (len + 1, buf);
1376 TREE_TYPE (ret)
1377 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
1378 build_index_type (size_int (len)));
1379 TREE_READONLY (ret) = 1;
1380 TREE_STATIC (ret) = 1;
1381 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
1384 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1385 though. */
1387 static void
1388 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
1390 rtx_insn *insn, *insns, *jump;
1391 rtx_code_label *top_label;
1392 rtx end, addr, tmp;
1394 gcc_assert ((len & 3) == 0);
1395 start_sequence ();
1396 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
1397 insns = get_insns ();
1398 end_sequence ();
1399 for (insn = insns; insn; insn = NEXT_INSN (insn))
1400 if (CALL_P (insn))
1401 break;
1402 if (insn == NULL_RTX)
1404 emit_insn (insns);
1405 return;
1408 top_label = gen_label_rtx ();
1409 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
1410 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1411 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1412 emit_label (top_label);
1414 emit_move_insn (shadow_mem, const0_rtx);
1415 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
1416 true, OPTAB_LIB_WIDEN);
1417 if (tmp != addr)
1418 emit_move_insn (addr, tmp);
1419 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1420 jump = get_last_insn ();
1421 gcc_assert (JUMP_P (jump));
1422 add_reg_br_prob_note (jump,
1423 profile_probability::guessed_always ()
1424 .apply_scale (80, 100));
1427 void
1428 asan_function_start (void)
1430 section *fnsec = function_section (current_function_decl);
1431 switch_to_section (fnsec);
1432 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
1433 current_function_funcdef_no);
1436 /* Return number of shadow bytes that are occupied by a local variable
1437 of SIZE bytes. */
1439 static unsigned HOST_WIDE_INT
1440 shadow_mem_size (unsigned HOST_WIDE_INT size)
1442 /* It must be possible to align stack variables to granularity
1443 of shadow memory. */
1444 gcc_assert (BITS_PER_UNIT
1445 * ASAN_SHADOW_GRANULARITY <= MAX_SUPPORTED_STACK_ALIGNMENT);
1447 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY;
1450 /* Always emit 4 bytes at a time. */
1451 #define RZ_BUFFER_SIZE 4
1453 /* ASAN redzone buffer container that handles emission of shadow bytes. */
1454 class asan_redzone_buffer
1456 public:
1457 /* Constructor. */
1458 asan_redzone_buffer (rtx shadow_mem, HOST_WIDE_INT prev_offset):
1459 m_shadow_mem (shadow_mem), m_prev_offset (prev_offset),
1460 m_original_offset (prev_offset), m_shadow_bytes (RZ_BUFFER_SIZE)
1463 /* Emit VALUE shadow byte at a given OFFSET. */
1464 void emit_redzone_byte (HOST_WIDE_INT offset, unsigned char value);
1466 /* Emit RTX emission of the content of the buffer. */
1467 void flush_redzone_payload (void);
1469 private:
1470 /* Flush if the content of the buffer is full
1471 (equal to RZ_BUFFER_SIZE). */
1472 void flush_if_full (void);
1474 /* Memory where we last emitted a redzone payload. */
1475 rtx m_shadow_mem;
1477 /* Relative offset where we last emitted a redzone payload. */
1478 HOST_WIDE_INT m_prev_offset;
1480 /* Relative original offset. Used for checking only. */
1481 HOST_WIDE_INT m_original_offset;
1483 public:
1484 /* Buffer with redzone payload. */
1485 auto_vec<unsigned char> m_shadow_bytes;
1488 /* Emit VALUE shadow byte at a given OFFSET. */
1490 void
1491 asan_redzone_buffer::emit_redzone_byte (HOST_WIDE_INT offset,
1492 unsigned char value)
1494 gcc_assert ((offset & (ASAN_SHADOW_GRANULARITY - 1)) == 0);
1495 gcc_assert (offset >= m_prev_offset);
1497 HOST_WIDE_INT off
1498 = m_prev_offset + ASAN_SHADOW_GRANULARITY * m_shadow_bytes.length ();
1499 if (off == offset)
1500 /* Consecutive shadow memory byte. */;
1501 else if (offset < m_prev_offset + (HOST_WIDE_INT) (ASAN_SHADOW_GRANULARITY
1502 * RZ_BUFFER_SIZE)
1503 && !m_shadow_bytes.is_empty ())
1505 /* Shadow memory byte with a small gap. */
1506 for (; off < offset; off += ASAN_SHADOW_GRANULARITY)
1507 m_shadow_bytes.safe_push (0);
1509 else
1511 if (!m_shadow_bytes.is_empty ())
1512 flush_redzone_payload ();
1514 /* Maybe start earlier in order to use aligned store. */
1515 HOST_WIDE_INT align = (offset - m_prev_offset) % ASAN_RED_ZONE_SIZE;
1516 if (align)
1518 offset -= align;
1519 for (unsigned i = 0; i < align / BITS_PER_UNIT; i++)
1520 m_shadow_bytes.safe_push (0);
1523 /* Adjust m_prev_offset and m_shadow_mem. */
1524 HOST_WIDE_INT diff = offset - m_prev_offset;
1525 m_shadow_mem = adjust_address (m_shadow_mem, VOIDmode,
1526 diff >> ASAN_SHADOW_SHIFT);
1527 m_prev_offset = offset;
1529 m_shadow_bytes.safe_push (value);
1530 flush_if_full ();
1533 /* Emit RTX emission of the content of the buffer. */
1535 void
1536 asan_redzone_buffer::flush_redzone_payload (void)
1538 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
1540 if (m_shadow_bytes.is_empty ())
1541 return;
1543 /* Be sure we always emit to an aligned address. */
1544 gcc_assert (((m_prev_offset - m_original_offset)
1545 & (ASAN_RED_ZONE_SIZE - 1)) == 0);
1547 /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */
1548 unsigned l = m_shadow_bytes.length ();
1549 for (unsigned i = 0; i <= RZ_BUFFER_SIZE - l; i++)
1550 m_shadow_bytes.safe_push (0);
1552 if (dump_file && (dump_flags & TDF_DETAILS))
1553 fprintf (dump_file,
1554 "Flushing rzbuffer at offset %" PRId64 " with: ", m_prev_offset);
1556 unsigned HOST_WIDE_INT val = 0;
1557 for (unsigned i = 0; i < RZ_BUFFER_SIZE; i++)
1559 unsigned char v
1560 = m_shadow_bytes[BYTES_BIG_ENDIAN ? RZ_BUFFER_SIZE - i - 1 : i];
1561 val |= (unsigned HOST_WIDE_INT)v << (BITS_PER_UNIT * i);
1562 if (dump_file && (dump_flags & TDF_DETAILS))
1563 fprintf (dump_file, "%02x ", v);
1566 if (dump_file && (dump_flags & TDF_DETAILS))
1567 fprintf (dump_file, "\n");
1569 rtx c = gen_int_mode (val, SImode);
1570 m_shadow_mem = adjust_address (m_shadow_mem, SImode, 0);
1571 emit_move_insn (m_shadow_mem, c);
1572 m_shadow_bytes.truncate (0);
1575 /* Flush if the content of the buffer is full
1576 (equal to RZ_BUFFER_SIZE). */
1578 void
1579 asan_redzone_buffer::flush_if_full (void)
1581 if (m_shadow_bytes.length () == RZ_BUFFER_SIZE)
1582 flush_redzone_payload ();
1586 /* HWAddressSanitizer (hwasan) is a probabilistic method for detecting
1587 out-of-bounds and use-after-free bugs.
1588 Read more:
1589 http://code.google.com/p/address-sanitizer/
1591 Similar to AddressSanitizer (asan) it consists of two parts: the
1592 instrumentation module in this file, and a run-time library.
1594 The instrumentation module adds a run-time check before every memory insn in
1595 the same manner as asan (see the block comment for AddressSanitizer above).
1596 Currently, hwasan only adds out-of-line instrumentation, where each check is
1597 implemented as a function call to the run-time library. Hence a check for a
1598 load of N bytes from address X would be implemented with a function call to
1599 __hwasan_loadN(X), and checking a store of N bytes from address X would be
1600 implemented with a function call to __hwasan_storeN(X).
1602 The main difference between hwasan and asan is in the information stored to
1603 help this checking. Both sanitizers use a shadow memory area which stores
1604 data recording the state of main memory at a corresponding address.
1606 For hwasan, each 16 byte granule in main memory has a corresponding 1 byte
1607 in shadow memory. This shadow address can be calculated with equation:
1608 (addr >> log_2(HWASAN_TAG_GRANULE_SIZE))
1609 + __hwasan_shadow_memory_dynamic_address;
1610 The conversion between real and shadow memory for asan is given in the block
1611 comment at the top of this file.
1612 The description of how this shadow memory is laid out for asan is in the
1613 block comment at the top of this file, here we describe how this shadow
1614 memory is used for hwasan.
1616 For hwasan, each variable is assigned a byte-sized 'tag'. The extent of
1617 the shadow memory for that variable is filled with the assigned tag, and
1618 every pointer referencing that variable has its top byte set to the same
1619 tag. The run-time library redefines malloc so that every allocation returns
1620 a tagged pointer and tags the corresponding shadow memory with the same tag.
1622 On each pointer dereference the tag found in the pointer is compared to the
1623 tag found in the shadow memory corresponding to the accessed memory address.
1624 If these tags are found to differ then this memory access is judged to be
1625 invalid and a report is generated.
1627 This method of bug detection is not perfect -- it can not catch every bad
1628 access -- but catches them probabilistically instead. There is always the
1629 possibility that an invalid memory access will happen to access memory
1630 tagged with the same tag as the pointer that this access used.
1631 The chances of this are approx. 0.4% for any two uncorrelated objects.
1633 Random tag generation can mitigate this problem by decreasing the
1634 probability that an invalid access will be missed in the same manner over
1635 multiple runs. i.e. if two objects are tagged the same in one run of the
1636 binary they are unlikely to be tagged the same in the next run.
1637 Both heap and stack allocated objects have random tags by default.
1639 [16 byte granule implications]
1640 Since the shadow memory only has a resolution on real memory of 16 bytes,
1641 invalid accesses that are within the same 16 byte granule as a valid
1642 address will not be caught.
1644 There is a "short-granule" feature in the runtime library which does catch
1645 such accesses, but this feature is not implemented for stack objects (since
1646 stack objects are allocated and tagged by compiler instrumentation, and
1647 this feature has not yet been implemented in GCC instrumentation).
1649 Another outcome of this 16 byte resolution is that each tagged object must
1650 be 16 byte aligned. If two objects were to share any 16 byte granule in
1651 memory, then they both would have to be given the same tag, and invalid
1652 accesses to one using a pointer to the other would be undetectable.
1654 [Compiler instrumentation]
1655 Compiler instrumentation ensures that two adjacent buffers on the stack are
1656 given different tags, this means an access to one buffer using a pointer
1657 generated from the other (e.g. through buffer overrun) will have mismatched
1658 tags and be caught by hwasan.
1660 We don't randomly tag every object on the stack, since that would require
1661 keeping many registers to record each tag. Instead we randomly generate a
1662 tag for each function frame, and each new stack object uses a tag offset
1663 from that frame tag.
1664 i.e. each object is tagged as RFT + offset, where RFT is the "random frame
1665 tag" generated for this frame.
1666 This means that randomisation does not peturb the difference between tags
1667 on tagged stack objects within a frame, but this is mitigated by the fact
1668 that objects with the same tag within a frame are very far apart
1669 (approx. 2^HWASAN_TAG_SIZE objects apart).
1671 As a demonstration, using the same example program as in the asan block
1672 comment above:
1675 foo ()
1677 char a[24] = {0};
1678 int b[2] = {0};
1680 a[5] = 1;
1681 b[1] = 2;
1683 return a[5] + b[1];
1686 On AArch64 the stack will be ordered as follows for the above function:
1688 Slot 1/ [24 bytes for variable 'a']
1689 Slot 2/ [8 bytes padding for alignment]
1690 Slot 3/ [8 bytes for variable 'b']
1691 Slot 4/ [8 bytes padding for alignment]
1693 (The padding is there to ensure 16 byte alignment as described in the 16
1694 byte granule implications).
1696 While the shadow memory will be ordered as follows:
1698 - 2 bytes (representing 32 bytes in real memory) tagged with RFT + 1.
1699 - 1 byte (representing 16 bytes in real memory) tagged with RFT + 2.
1701 And any pointer to "a" will have the tag RFT + 1, and any pointer to "b"
1702 will have the tag RFT + 2.
1704 [Top Byte Ignore requirements]
1705 Hwasan requires the ability to store an 8 bit tag in every pointer. There
1706 is no instrumentation done to remove this tag from pointers before
1707 dereferencing, which means the hardware must ignore this tag during memory
1708 accesses.
1710 Architectures where this feature is available should indicate this using
1711 the TARGET_MEMTAG_CAN_TAG_ADDRESSES hook.
1713 [Stack requires cleanup on unwinding]
1714 During normal operation of a hwasan sanitized program more space in the
1715 shadow memory becomes tagged as the stack grows. As the stack shrinks this
1716 shadow memory space must become untagged. If it is not untagged then when
1717 the stack grows again (during other function calls later on in the program)
1718 objects on the stack that are usually not tagged (e.g. parameters passed on
1719 the stack) can be placed in memory whose shadow space is tagged with
1720 something else, and accesses can cause false positive reports.
1722 Hence we place untagging code on every epilogue of functions which tag some
1723 stack objects.
1725 Moreover, the run-time library intercepts longjmp & setjmp to untag when
1726 the stack is unwound this way.
1728 C++ exceptions are not yet handled, which means this sanitizer can not
1729 handle C++ code that throws exceptions -- it will give false positives
1730 after an exception has been thrown. The implementation that the hwasan
1731 library has for handling these relies on the frame pointer being after any
1732 local variables. This is not generally the case for GCC. */
1735 /* Returns whether we are tagging pointers and checking those tags on memory
1736 access. */
1737 bool
1738 hwasan_sanitize_p ()
1740 return sanitize_flags_p (SANITIZE_HWADDRESS);
1743 /* Are we tagging the stack? */
1744 bool
1745 hwasan_sanitize_stack_p ()
1747 return (hwasan_sanitize_p () && param_hwasan_instrument_stack);
1750 /* Are we tagging alloca objects? */
1751 bool
1752 hwasan_sanitize_allocas_p (void)
1754 return (hwasan_sanitize_stack_p () && param_hwasan_instrument_allocas);
1757 /* Should we instrument reads? */
1758 bool
1759 hwasan_instrument_reads (void)
1761 return (hwasan_sanitize_p () && param_hwasan_instrument_reads);
1764 /* Should we instrument writes? */
1765 bool
1766 hwasan_instrument_writes (void)
1768 return (hwasan_sanitize_p () && param_hwasan_instrument_writes);
1771 /* Should we instrument builtin calls? */
1772 bool
1773 hwasan_memintrin (void)
1775 return (hwasan_sanitize_p () && param_hwasan_instrument_mem_intrinsics);
1778 /* Insert code to protect stack vars. The prologue sequence should be emitted
1779 directly, epilogue sequence returned. BASE is the register holding the
1780 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1781 array contains pairs of offsets in reverse order, always the end offset
1782 of some gap that needs protection followed by starting offset,
1783 and DECLS is an array of representative decls for each var partition.
1784 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1785 elements long (OFFSETS include gap before the first variable as well
1786 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1787 register which stack vars DECL_RTLs are based on. Either BASE should be
1788 assigned to PBASE, when not doing use after return protection, or
1789 corresponding address based on __asan_stack_malloc* return value. */
1791 rtx_insn *
1792 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1793 HOST_WIDE_INT *offsets, tree *decls, int length)
1795 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1796 rtx_code_label *lab;
1797 rtx_insn *insns;
1798 char buf[32];
1799 HOST_WIDE_INT base_offset = offsets[length - 1];
1800 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1801 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
1802 HOST_WIDE_INT last_offset, last_size, last_size_aligned;
1803 int l;
1804 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
1805 tree str_cst, decl, id;
1806 int use_after_return_class = -1;
1808 if (shadow_ptr_types[0] == NULL_TREE)
1809 asan_init_shadow_ptr_types ();
1811 expanded_location cfun_xloc
1812 = expand_location (DECL_SOURCE_LOCATION (current_function_decl));
1814 /* First of all, prepare the description string. */
1815 pretty_printer asan_pp;
1817 pp_decimal_int (&asan_pp, length / 2 - 1);
1818 pp_space (&asan_pp);
1819 for (l = length - 2; l; l -= 2)
1821 tree decl = decls[l / 2 - 1];
1822 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1823 pp_space (&asan_pp);
1824 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1825 pp_space (&asan_pp);
1827 expanded_location xloc
1828 = expand_location (DECL_SOURCE_LOCATION (decl));
1829 char location[32];
1831 if (xloc.file == cfun_xloc.file)
1832 sprintf (location, ":%d", xloc.line);
1833 else
1834 location[0] = '\0';
1836 if (DECL_P (decl) && DECL_NAME (decl))
1838 unsigned idlen
1839 = IDENTIFIER_LENGTH (DECL_NAME (decl)) + strlen (location);
1840 pp_decimal_int (&asan_pp, idlen);
1841 pp_space (&asan_pp);
1842 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
1843 pp_string (&asan_pp, location);
1845 else
1846 pp_string (&asan_pp, "9 <unknown>");
1848 if (l > 2)
1849 pp_space (&asan_pp);
1851 str_cst = asan_pp_string (&asan_pp);
1853 /* Emit the prologue sequence. */
1854 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1855 && param_asan_use_after_return)
1857 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1858 /* __asan_stack_malloc_N guarantees alignment
1859 N < 6 ? (64 << N) : 4096 bytes. */
1860 if (alignb > (use_after_return_class < 6
1861 ? (64U << use_after_return_class) : 4096U))
1862 use_after_return_class = -1;
1863 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1864 base_align_bias = ((asan_frame_size + alignb - 1)
1865 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1868 /* Align base if target is STRICT_ALIGNMENT. */
1869 if (STRICT_ALIGNMENT)
1871 const HOST_WIDE_INT align
1872 = (GET_MODE_ALIGNMENT (SImode) / BITS_PER_UNIT) << ASAN_SHADOW_SHIFT;
1873 base = expand_binop (Pmode, and_optab, base, gen_int_mode (-align, Pmode),
1874 NULL_RTX, 1, OPTAB_DIRECT);
1877 if (use_after_return_class == -1 && pbase)
1878 emit_move_insn (pbase, base);
1880 base = expand_binop (Pmode, add_optab, base,
1881 gen_int_mode (base_offset - base_align_bias, Pmode),
1882 NULL_RTX, 1, OPTAB_DIRECT);
1883 orig_base = NULL_RTX;
1884 if (use_after_return_class != -1)
1886 if (asan_detect_stack_use_after_return == NULL_TREE)
1888 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1889 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1890 integer_type_node);
1891 SET_DECL_ASSEMBLER_NAME (decl, id);
1892 TREE_ADDRESSABLE (decl) = 1;
1893 DECL_ARTIFICIAL (decl) = 1;
1894 DECL_IGNORED_P (decl) = 1;
1895 DECL_EXTERNAL (decl) = 1;
1896 TREE_STATIC (decl) = 1;
1897 TREE_PUBLIC (decl) = 1;
1898 TREE_USED (decl) = 1;
1899 asan_detect_stack_use_after_return = decl;
1901 orig_base = gen_reg_rtx (Pmode);
1902 emit_move_insn (orig_base, base);
1903 ret = expand_normal (asan_detect_stack_use_after_return);
1904 lab = gen_label_rtx ();
1905 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1906 VOIDmode, 0, lab,
1907 profile_probability::very_likely ());
1908 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1909 use_after_return_class);
1910 ret = init_one_libfunc (buf);
1911 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode,
1912 GEN_INT (asan_frame_size
1913 + base_align_bias),
1914 TYPE_MODE (pointer_sized_int_node));
1915 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1916 and NULL otherwise. Check RET value is NULL here and jump over the
1917 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1918 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1919 VOIDmode, 0, lab,
1920 profile_probability:: very_unlikely ());
1921 ret = convert_memory_address (Pmode, ret);
1922 emit_move_insn (base, ret);
1923 emit_label (lab);
1924 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1925 gen_int_mode (base_align_bias
1926 - base_offset, Pmode),
1927 NULL_RTX, 1, OPTAB_DIRECT));
1929 mem = gen_rtx_MEM (ptr_mode, base);
1930 mem = adjust_address (mem, VOIDmode, base_align_bias);
1931 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1932 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1933 emit_move_insn (mem, expand_normal (str_cst));
1934 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1935 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1936 id = get_identifier (buf);
1937 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1938 VAR_DECL, id, char_type_node);
1939 SET_DECL_ASSEMBLER_NAME (decl, id);
1940 TREE_ADDRESSABLE (decl) = 1;
1941 TREE_READONLY (decl) = 1;
1942 DECL_ARTIFICIAL (decl) = 1;
1943 DECL_IGNORED_P (decl) = 1;
1944 TREE_STATIC (decl) = 1;
1945 TREE_PUBLIC (decl) = 0;
1946 TREE_USED (decl) = 1;
1947 DECL_INITIAL (decl) = decl;
1948 TREE_ASM_WRITTEN (decl) = 1;
1949 TREE_ASM_WRITTEN (id) = 1;
1950 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
1951 shadow_base = expand_binop (Pmode, lshr_optab, base,
1952 gen_int_shift_amount (Pmode, ASAN_SHADOW_SHIFT),
1953 NULL_RTX, 1, OPTAB_DIRECT);
1954 shadow_base
1955 = plus_constant (Pmode, shadow_base,
1956 asan_shadow_offset ()
1957 + (base_align_bias >> ASAN_SHADOW_SHIFT));
1958 gcc_assert (asan_shadow_set != -1
1959 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1960 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1961 set_mem_alias_set (shadow_mem, asan_shadow_set);
1962 if (STRICT_ALIGNMENT)
1963 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1964 prev_offset = base_offset;
1966 asan_redzone_buffer rz_buffer (shadow_mem, prev_offset);
1967 for (l = length; l; l -= 2)
1969 if (l == 2)
1970 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1971 offset = offsets[l - 1];
1973 bool extra_byte = (offset - base_offset) & (ASAN_SHADOW_GRANULARITY - 1);
1974 /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then
1975 the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0.
1976 In that case we have to emit one extra byte that will describe
1977 how many bytes (our of ASAN_SHADOW_GRANULARITY) can be accessed. */
1978 if (extra_byte)
1980 HOST_WIDE_INT aoff
1981 = base_offset + ((offset - base_offset)
1982 & ~(ASAN_SHADOW_GRANULARITY - HOST_WIDE_INT_1));
1983 rz_buffer.emit_redzone_byte (aoff, offset - aoff);
1984 offset = aoff + ASAN_SHADOW_GRANULARITY;
1987 /* Calculate size of red zone payload. */
1988 while (offset < offsets[l - 2])
1990 rz_buffer.emit_redzone_byte (offset, cur_shadow_byte);
1991 offset += ASAN_SHADOW_GRANULARITY;
1994 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1997 /* As the automatic variables are aligned to
1998 ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be
1999 flushed here. */
2000 gcc_assert (rz_buffer.m_shadow_bytes.is_empty ());
2002 do_pending_stack_adjust ();
2004 /* Construct epilogue sequence. */
2005 start_sequence ();
2007 lab = NULL;
2008 if (use_after_return_class != -1)
2010 rtx_code_label *lab2 = gen_label_rtx ();
2011 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
2012 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
2013 VOIDmode, 0, lab2,
2014 profile_probability::very_likely ());
2015 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
2016 set_mem_alias_set (shadow_mem, asan_shadow_set);
2017 mem = gen_rtx_MEM (ptr_mode, base);
2018 mem = adjust_address (mem, VOIDmode, base_align_bias);
2019 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
2020 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
2021 if (use_after_return_class < 5
2022 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
2023 BITS_PER_UNIT, true))
2025 /* Emit:
2026 memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
2027 **SavedFlagPtr(FakeStack, class_id) = 0
2029 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
2030 BITS_PER_UNIT, true, RETURN_BEGIN);
2032 unsigned HOST_WIDE_INT offset
2033 = (1 << (use_after_return_class + 6));
2034 offset -= GET_MODE_SIZE (ptr_mode);
2035 mem = gen_rtx_MEM (ptr_mode, base);
2036 mem = adjust_address (mem, ptr_mode, offset);
2037 rtx addr = gen_reg_rtx (ptr_mode);
2038 emit_move_insn (addr, mem);
2039 addr = convert_memory_address (Pmode, addr);
2040 mem = gen_rtx_MEM (QImode, addr);
2041 emit_move_insn (mem, const0_rtx);
2043 else if (use_after_return_class >= 5
2044 || !set_storage_via_setmem (shadow_mem,
2045 GEN_INT (sz),
2046 gen_int_mode (c, QImode),
2047 BITS_PER_UNIT, BITS_PER_UNIT,
2048 -1, sz, sz, sz))
2050 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
2051 use_after_return_class);
2052 ret = init_one_libfunc (buf);
2053 rtx addr = convert_memory_address (ptr_mode, base);
2054 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
2055 emit_library_call (ret, LCT_NORMAL, ptr_mode, addr, ptr_mode,
2056 GEN_INT (asan_frame_size + base_align_bias),
2057 TYPE_MODE (pointer_sized_int_node),
2058 orig_addr, ptr_mode);
2060 lab = gen_label_rtx ();
2061 emit_jump (lab);
2062 emit_label (lab2);
2065 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
2066 set_mem_alias_set (shadow_mem, asan_shadow_set);
2068 if (STRICT_ALIGNMENT)
2069 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
2071 prev_offset = base_offset;
2072 last_offset = base_offset;
2073 last_size = 0;
2074 last_size_aligned = 0;
2075 for (l = length; l; l -= 2)
2077 offset = base_offset + ((offsets[l - 1] - base_offset)
2078 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
2079 if (last_offset + last_size_aligned < offset)
2081 shadow_mem = adjust_address (shadow_mem, VOIDmode,
2082 (last_offset - prev_offset)
2083 >> ASAN_SHADOW_SHIFT);
2084 prev_offset = last_offset;
2085 asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT);
2086 last_offset = offset;
2087 last_size = 0;
2089 else
2090 last_size = offset - last_offset;
2091 last_size += base_offset + ((offsets[l - 2] - base_offset)
2092 & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
2093 - offset;
2095 /* Unpoison shadow memory that corresponds to a variable that is
2096 is subject of use-after-return sanitization. */
2097 if (l > 2)
2099 decl = decls[l / 2 - 2];
2100 if (asan_handled_variables != NULL
2101 && asan_handled_variables->contains (decl))
2103 HOST_WIDE_INT size = offsets[l - 3] - offsets[l - 2];
2104 if (dump_file && (dump_flags & TDF_DETAILS))
2106 const char *n = (DECL_NAME (decl)
2107 ? IDENTIFIER_POINTER (DECL_NAME (decl))
2108 : "<unknown>");
2109 fprintf (dump_file, "Unpoisoning shadow stack for variable: "
2110 "%s (%" PRId64 " B)\n", n, size);
2113 last_size += size & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1);
2116 last_size_aligned
2117 = ((last_size + (ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
2118 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
2120 if (last_size_aligned)
2122 shadow_mem = adjust_address (shadow_mem, VOIDmode,
2123 (last_offset - prev_offset)
2124 >> ASAN_SHADOW_SHIFT);
2125 asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT);
2128 /* Clean-up set with instrumented stack variables. */
2129 delete asan_handled_variables;
2130 asan_handled_variables = NULL;
2131 delete asan_used_labels;
2132 asan_used_labels = NULL;
2134 do_pending_stack_adjust ();
2135 if (lab)
2136 emit_label (lab);
2138 insns = get_insns ();
2139 end_sequence ();
2140 return insns;
2143 /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds
2144 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE
2145 indicates whether we're emitting new instructions sequence or not. */
2147 rtx_insn *
2148 asan_emit_allocas_unpoison (rtx top, rtx bot, rtx_insn *before)
2150 if (before)
2151 push_to_sequence (before);
2152 else
2153 start_sequence ();
2154 rtx ret = init_one_libfunc ("__asan_allocas_unpoison");
2155 top = convert_memory_address (ptr_mode, top);
2156 bot = convert_memory_address (ptr_mode, bot);
2157 emit_library_call (ret, LCT_NORMAL, ptr_mode,
2158 top, ptr_mode, bot, ptr_mode);
2160 do_pending_stack_adjust ();
2161 rtx_insn *insns = get_insns ();
2162 end_sequence ();
2163 return insns;
2166 /* Return true if DECL, a global var, might be overridden and needs
2167 therefore a local alias. */
2169 static bool
2170 asan_needs_local_alias (tree decl)
2172 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
2175 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
2176 therefore doesn't need protection. */
2178 static bool
2179 is_odr_indicator (tree decl)
2181 return (DECL_ARTIFICIAL (decl)
2182 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl)));
2185 /* Return true if DECL is a VAR_DECL that should be protected
2186 by Address Sanitizer, by appending a red zone with protected
2187 shadow memory after it and aligning it to at least
2188 ASAN_RED_ZONE_SIZE bytes. */
2190 bool
2191 asan_protect_global (tree decl, bool ignore_decl_rtl_set_p)
2193 if (!param_asan_globals)
2194 return false;
2196 rtx rtl, symbol;
2198 if (TREE_CODE (decl) == STRING_CST)
2200 /* Instrument all STRING_CSTs except those created
2201 by asan_pp_string here. */
2202 if (shadow_ptr_types[0] != NULL_TREE
2203 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
2204 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
2205 return false;
2206 return true;
2208 if (!VAR_P (decl)
2209 /* TLS vars aren't statically protectable. */
2210 || DECL_THREAD_LOCAL_P (decl)
2211 /* Externs will be protected elsewhere. */
2212 || DECL_EXTERNAL (decl)
2213 /* PR sanitizer/81697: For architectures that use section anchors first
2214 call to asan_protect_global may occur before DECL_RTL (decl) is set.
2215 We should ignore DECL_RTL_SET_P then, because otherwise the first call
2216 to asan_protect_global will return FALSE and the following calls on the
2217 same decl after setting DECL_RTL (decl) will return TRUE and we'll end
2218 up with inconsistency at runtime. */
2219 || (!DECL_RTL_SET_P (decl) && !ignore_decl_rtl_set_p)
2220 /* Comdat vars pose an ABI problem, we can't know if
2221 the var that is selected by the linker will have
2222 padding or not. */
2223 || DECL_ONE_ONLY (decl)
2224 /* Similarly for common vars. People can use -fno-common.
2225 Note: Linux kernel is built with -fno-common, so we do instrument
2226 globals there even if it is C. */
2227 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
2228 /* Don't protect if using user section, often vars placed
2229 into user section from multiple TUs are then assumed
2230 to be an array of such vars, putting padding in there
2231 breaks this assumption. */
2232 || (DECL_SECTION_NAME (decl) != NULL
2233 && !symtab_node::get (decl)->implicit_section
2234 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
2235 || DECL_SIZE (decl) == 0
2236 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
2237 || TREE_CODE (DECL_SIZE_UNIT (decl)) != INTEGER_CST
2238 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
2239 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
2240 || TREE_TYPE (decl) == ubsan_get_source_location_type ()
2241 || is_odr_indicator (decl))
2242 return false;
2244 if (!ignore_decl_rtl_set_p || DECL_RTL_SET_P (decl))
2247 rtl = DECL_RTL (decl);
2248 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
2249 return false;
2250 symbol = XEXP (rtl, 0);
2252 if (CONSTANT_POOL_ADDRESS_P (symbol)
2253 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
2254 return false;
2257 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
2258 return false;
2260 if (!TARGET_SUPPORTS_ALIASES && asan_needs_local_alias (decl))
2261 return false;
2263 return true;
2266 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
2267 IS_STORE is either 1 (for a store) or 0 (for a load). */
2269 static tree
2270 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
2271 int *nargs)
2273 gcc_assert (!hwasan_sanitize_p ());
2275 static enum built_in_function report[2][2][6]
2276 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
2277 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
2278 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
2279 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
2280 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
2281 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
2282 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
2283 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
2284 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
2285 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
2286 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
2287 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
2288 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
2289 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
2290 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
2291 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
2292 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
2293 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
2294 if (size_in_bytes == -1)
2296 *nargs = 2;
2297 return builtin_decl_implicit (report[recover_p][is_store][5]);
2299 *nargs = 1;
2300 int size_log2 = exact_log2 (size_in_bytes);
2301 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
2304 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
2305 IS_STORE is either 1 (for a store) or 0 (for a load). */
2307 static tree
2308 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
2309 int *nargs)
2311 static enum built_in_function check[2][2][6]
2312 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
2313 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
2314 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
2315 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
2316 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
2317 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
2318 { { BUILT_IN_ASAN_LOAD1_NOABORT,
2319 BUILT_IN_ASAN_LOAD2_NOABORT,
2320 BUILT_IN_ASAN_LOAD4_NOABORT,
2321 BUILT_IN_ASAN_LOAD8_NOABORT,
2322 BUILT_IN_ASAN_LOAD16_NOABORT,
2323 BUILT_IN_ASAN_LOADN_NOABORT },
2324 { BUILT_IN_ASAN_STORE1_NOABORT,
2325 BUILT_IN_ASAN_STORE2_NOABORT,
2326 BUILT_IN_ASAN_STORE4_NOABORT,
2327 BUILT_IN_ASAN_STORE8_NOABORT,
2328 BUILT_IN_ASAN_STORE16_NOABORT,
2329 BUILT_IN_ASAN_STOREN_NOABORT } } };
2330 if (size_in_bytes == -1)
2332 *nargs = 2;
2333 return builtin_decl_implicit (check[recover_p][is_store][5]);
2335 *nargs = 1;
2336 int size_log2 = exact_log2 (size_in_bytes);
2337 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
2340 /* Split the current basic block and create a condition statement
2341 insertion point right before or after the statement pointed to by
2342 ITER. Return an iterator to the point at which the caller might
2343 safely insert the condition statement.
2345 THEN_BLOCK must be set to the address of an uninitialized instance
2346 of basic_block. The function will then set *THEN_BLOCK to the
2347 'then block' of the condition statement to be inserted by the
2348 caller.
2350 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
2351 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
2353 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
2354 block' of the condition statement to be inserted by the caller.
2356 Note that *FALLTHROUGH_BLOCK is a new block that contains the
2357 statements starting from *ITER, and *THEN_BLOCK is a new empty
2358 block.
2360 *ITER is adjusted to point to always point to the first statement
2361 of the basic block * FALLTHROUGH_BLOCK. That statement is the
2362 same as what ITER was pointing to prior to calling this function,
2363 if BEFORE_P is true; otherwise, it is its following statement. */
2365 gimple_stmt_iterator
2366 create_cond_insert_point (gimple_stmt_iterator *iter,
2367 bool before_p,
2368 bool then_more_likely_p,
2369 bool create_then_fallthru_edge,
2370 basic_block *then_block,
2371 basic_block *fallthrough_block)
2373 gimple_stmt_iterator gsi = *iter;
2375 if (!gsi_end_p (gsi) && before_p)
2376 gsi_prev (&gsi);
2378 basic_block cur_bb = gsi_bb (*iter);
2380 edge e = split_block (cur_bb, gsi_stmt (gsi));
2382 /* Get a hold on the 'condition block', the 'then block' and the
2383 'else block'. */
2384 basic_block cond_bb = e->src;
2385 basic_block fallthru_bb = e->dest;
2386 basic_block then_bb = create_empty_bb (cond_bb);
2387 if (current_loops)
2389 add_bb_to_loop (then_bb, cond_bb->loop_father);
2390 loops_state_set (LOOPS_NEED_FIXUP);
2393 /* Set up the newly created 'then block'. */
2394 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
2395 profile_probability fallthrough_probability
2396 = then_more_likely_p
2397 ? profile_probability::very_unlikely ()
2398 : profile_probability::very_likely ();
2399 e->probability = fallthrough_probability.invert ();
2400 then_bb->count = e->count ();
2401 if (create_then_fallthru_edge)
2402 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
2404 /* Set up the fallthrough basic block. */
2405 e = find_edge (cond_bb, fallthru_bb);
2406 e->flags = EDGE_FALSE_VALUE;
2407 e->probability = fallthrough_probability;
2409 /* Update dominance info for the newly created then_bb; note that
2410 fallthru_bb's dominance info has already been updated by
2411 split_bock. */
2412 if (dom_info_available_p (CDI_DOMINATORS))
2413 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
2415 *then_block = then_bb;
2416 *fallthrough_block = fallthru_bb;
2417 *iter = gsi_start_bb (fallthru_bb);
2419 return gsi_last_bb (cond_bb);
2422 /* Insert an if condition followed by a 'then block' right before the
2423 statement pointed to by ITER. The fallthrough block -- which is the
2424 else block of the condition as well as the destination of the
2425 outcoming edge of the 'then block' -- starts with the statement
2426 pointed to by ITER.
2428 COND is the condition of the if.
2430 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
2431 'then block' is higher than the probability of the edge to the
2432 fallthrough block.
2434 Upon completion of the function, *THEN_BB is set to the newly
2435 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
2436 fallthrough block.
2438 *ITER is adjusted to still point to the same statement it was
2439 pointing to initially. */
2441 static void
2442 insert_if_then_before_iter (gcond *cond,
2443 gimple_stmt_iterator *iter,
2444 bool then_more_likely_p,
2445 basic_block *then_bb,
2446 basic_block *fallthrough_bb)
2448 gimple_stmt_iterator cond_insert_point =
2449 create_cond_insert_point (iter,
2450 /*before_p=*/true,
2451 then_more_likely_p,
2452 /*create_then_fallthru_edge=*/true,
2453 then_bb,
2454 fallthrough_bb);
2455 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
2458 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
2459 If RETURN_ADDRESS is set to true, return memory location instread
2460 of a value in the shadow memory. */
2462 static tree
2463 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
2464 tree base_addr, tree shadow_ptr_type,
2465 bool return_address = false)
2467 tree t, uintptr_type = TREE_TYPE (base_addr);
2468 tree shadow_type = TREE_TYPE (shadow_ptr_type);
2469 gimple *g;
2471 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
2472 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
2473 base_addr, t);
2474 gimple_set_location (g, location);
2475 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2477 t = build_int_cst (uintptr_type, asan_shadow_offset ());
2478 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
2479 gimple_assign_lhs (g), t);
2480 gimple_set_location (g, location);
2481 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2483 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
2484 gimple_assign_lhs (g));
2485 gimple_set_location (g, location);
2486 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2488 if (!return_address)
2490 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
2491 build_int_cst (shadow_ptr_type, 0));
2492 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
2493 gimple_set_location (g, location);
2494 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2497 return gimple_assign_lhs (g);
2500 /* BASE can already be an SSA_NAME; in that case, do not create a
2501 new SSA_NAME for it. */
2503 static tree
2504 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
2505 bool before_p)
2507 STRIP_USELESS_TYPE_CONVERSION (base);
2508 if (TREE_CODE (base) == SSA_NAME)
2509 return base;
2510 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)), base);
2511 gimple_set_location (g, loc);
2512 if (before_p)
2513 gsi_insert_before (iter, g, GSI_SAME_STMT);
2514 else
2515 gsi_insert_after (iter, g, GSI_NEW_STMT);
2516 return gimple_assign_lhs (g);
2519 /* LEN can already have necessary size and precision;
2520 in that case, do not create a new variable. */
2522 tree
2523 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
2524 bool before_p)
2526 if (ptrofftype_p (len))
2527 return len;
2528 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2529 NOP_EXPR, len);
2530 gimple_set_location (g, loc);
2531 if (before_p)
2532 gsi_insert_before (iter, g, GSI_SAME_STMT);
2533 else
2534 gsi_insert_after (iter, g, GSI_NEW_STMT);
2535 return gimple_assign_lhs (g);
2538 /* Instrument the memory access instruction BASE. Insert new
2539 statements before or after ITER.
2541 Note that the memory access represented by BASE can be either an
2542 SSA_NAME, or a non-SSA expression. LOCATION is the source code
2543 location. IS_STORE is TRUE for a store, FALSE for a load.
2544 BEFORE_P is TRUE for inserting the instrumentation code before
2545 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
2546 for a scalar memory access and FALSE for memory region access.
2547 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
2548 length. ALIGN tells alignment of accessed memory object.
2550 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
2551 memory region have already been instrumented.
2553 If BEFORE_P is TRUE, *ITER is arranged to still point to the
2554 statement it was pointing to prior to calling this function,
2555 otherwise, it points to the statement logically following it. */
2557 static void
2558 build_check_stmt (location_t loc, tree base, tree len,
2559 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
2560 bool is_non_zero_len, bool before_p, bool is_store,
2561 bool is_scalar_access, unsigned int align = 0)
2563 gimple_stmt_iterator gsi = *iter;
2564 gimple *g;
2566 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
2567 gcc_assert (size_in_bytes == -1 || size_in_bytes >= 1);
2569 gsi = *iter;
2571 base = unshare_expr (base);
2572 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
2574 if (len)
2576 len = unshare_expr (len);
2577 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
2579 else
2581 gcc_assert (size_in_bytes != -1);
2582 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
2585 if (size_in_bytes > 1)
2587 if ((size_in_bytes & (size_in_bytes - 1)) != 0
2588 || size_in_bytes > 16)
2589 is_scalar_access = false;
2590 else if (align && align < size_in_bytes * BITS_PER_UNIT)
2592 /* On non-strict alignment targets, if
2593 16-byte access is just 8-byte aligned,
2594 this will result in misaligned shadow
2595 memory 2 byte load, but otherwise can
2596 be handled using one read. */
2597 if (size_in_bytes != 16
2598 || STRICT_ALIGNMENT
2599 || align < 8 * BITS_PER_UNIT)
2600 is_scalar_access = false;
2604 HOST_WIDE_INT flags = 0;
2605 if (is_store)
2606 flags |= ASAN_CHECK_STORE;
2607 if (is_non_zero_len)
2608 flags |= ASAN_CHECK_NON_ZERO_LEN;
2609 if (is_scalar_access)
2610 flags |= ASAN_CHECK_SCALAR_ACCESS;
2612 enum internal_fn fn = hwasan_sanitize_p ()
2613 ? IFN_HWASAN_CHECK
2614 : IFN_ASAN_CHECK;
2616 g = gimple_build_call_internal (fn, 4,
2617 build_int_cst (integer_type_node, flags),
2618 base, len,
2619 build_int_cst (integer_type_node,
2620 align / BITS_PER_UNIT));
2621 gimple_set_location (g, loc);
2622 if (before_p)
2623 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
2624 else
2626 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2627 gsi_next (&gsi);
2628 *iter = gsi;
2632 /* If T represents a memory access, add instrumentation code before ITER.
2633 LOCATION is source code location.
2634 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
2636 static void
2637 instrument_derefs (gimple_stmt_iterator *iter, tree t,
2638 location_t location, bool is_store)
2640 if (is_store && !(asan_instrument_writes () || hwasan_instrument_writes ()))
2641 return;
2642 if (!is_store && !(asan_instrument_reads () || hwasan_instrument_reads ()))
2643 return;
2645 tree type, base;
2646 HOST_WIDE_INT size_in_bytes;
2647 if (location == UNKNOWN_LOCATION)
2648 location = EXPR_LOCATION (t);
2650 type = TREE_TYPE (t);
2651 switch (TREE_CODE (t))
2653 case ARRAY_REF:
2654 case COMPONENT_REF:
2655 case INDIRECT_REF:
2656 case MEM_REF:
2657 case VAR_DECL:
2658 case BIT_FIELD_REF:
2659 break;
2660 /* FALLTHRU */
2661 default:
2662 return;
2665 size_in_bytes = int_size_in_bytes (type);
2666 if (size_in_bytes <= 0)
2667 return;
2669 poly_int64 bitsize, bitpos;
2670 tree offset;
2671 machine_mode mode;
2672 int unsignedp, reversep, volatilep = 0;
2673 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
2674 &unsignedp, &reversep, &volatilep);
2676 if (TREE_CODE (t) == COMPONENT_REF
2677 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
2679 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
2680 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
2681 TREE_OPERAND (t, 0), repr,
2682 TREE_OPERAND (t, 2)),
2683 location, is_store);
2684 return;
2687 if (!multiple_p (bitpos, BITS_PER_UNIT)
2688 || maybe_ne (bitsize, size_in_bytes * BITS_PER_UNIT))
2689 return;
2691 if (VAR_P (inner) && DECL_HARD_REGISTER (inner))
2692 return;
2694 poly_int64 decl_size;
2695 if ((VAR_P (inner) || TREE_CODE (inner) == RESULT_DECL)
2696 && offset == NULL_TREE
2697 && DECL_SIZE (inner)
2698 && poly_int_tree_p (DECL_SIZE (inner), &decl_size)
2699 && known_subrange_p (bitpos, bitsize, 0, decl_size))
2701 if (VAR_P (inner) && DECL_THREAD_LOCAL_P (inner))
2702 return;
2703 /* If we're not sanitizing globals and we can tell statically that this
2704 access is inside a global variable, then there's no point adding
2705 instrumentation to check the access. N.b. hwasan currently never
2706 sanitizes globals. */
2707 if ((hwasan_sanitize_p () || !param_asan_globals)
2708 && is_global_var (inner))
2709 return;
2710 if (!TREE_STATIC (inner))
2712 /* Automatic vars in the current function will be always
2713 accessible. */
2714 if (decl_function_context (inner) == current_function_decl
2715 && (!asan_sanitize_use_after_scope ()
2716 || !TREE_ADDRESSABLE (inner)))
2717 return;
2719 /* Always instrument external vars, they might be dynamically
2720 initialized. */
2721 else if (!DECL_EXTERNAL (inner))
2723 /* For static vars if they are known not to be dynamically
2724 initialized, they will be always accessible. */
2725 varpool_node *vnode = varpool_node::get (inner);
2726 if (vnode && !vnode->dynamically_initialized)
2727 return;
2731 if (DECL_P (inner)
2732 && decl_function_context (inner) == current_function_decl
2733 && !TREE_ADDRESSABLE (inner))
2734 mark_addressable (inner);
2736 base = build_fold_addr_expr (t);
2737 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
2739 unsigned int align = get_object_alignment (t);
2740 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
2741 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
2742 is_store, /*is_scalar_access*/true, align);
2743 update_mem_ref_hash_table (base, size_in_bytes);
2744 update_mem_ref_hash_table (t, size_in_bytes);
2749 /* Insert a memory reference into the hash table if access length
2750 can be determined in compile time. */
2752 static void
2753 maybe_update_mem_ref_hash_table (tree base, tree len)
2755 if (!POINTER_TYPE_P (TREE_TYPE (base))
2756 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
2757 return;
2759 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2761 if (size_in_bytes != -1)
2762 update_mem_ref_hash_table (base, size_in_bytes);
2765 /* Instrument an access to a contiguous memory region that starts at
2766 the address pointed to by BASE, over a length of LEN (expressed in
2767 the sizeof (*BASE) bytes). ITER points to the instruction before
2768 which the instrumentation instructions must be inserted. LOCATION
2769 is the source location that the instrumentation instructions must
2770 have. If IS_STORE is true, then the memory access is a store;
2771 otherwise, it's a load. */
2773 static void
2774 instrument_mem_region_access (tree base, tree len,
2775 gimple_stmt_iterator *iter,
2776 location_t location, bool is_store)
2778 if (!POINTER_TYPE_P (TREE_TYPE (base))
2779 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
2780 || integer_zerop (len))
2781 return;
2783 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2785 if ((size_in_bytes == -1)
2786 || !has_mem_ref_been_instrumented (base, size_in_bytes))
2788 build_check_stmt (location, base, len, size_in_bytes, iter,
2789 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
2790 is_store, /*is_scalar_access*/false, /*align*/0);
2793 maybe_update_mem_ref_hash_table (base, len);
2794 *iter = gsi_for_stmt (gsi_stmt (*iter));
2797 /* Instrument the call to a built-in memory access function that is
2798 pointed to by the iterator ITER.
2800 Upon completion, return TRUE iff *ITER has been advanced to the
2801 statement following the one it was originally pointing to. */
2803 static bool
2804 instrument_builtin_call (gimple_stmt_iterator *iter)
2806 if (!(asan_memintrin () || hwasan_memintrin ()))
2807 return false;
2809 bool iter_advanced_p = false;
2810 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
2812 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
2814 location_t loc = gimple_location (call);
2816 asan_mem_ref src0, src1, dest;
2817 asan_mem_ref_init (&src0, NULL, 1);
2818 asan_mem_ref_init (&src1, NULL, 1);
2819 asan_mem_ref_init (&dest, NULL, 1);
2821 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
2822 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
2823 dest_is_deref = false, intercepted_p = true;
2825 if (get_mem_refs_of_builtin_call (call,
2826 &src0, &src0_len, &src0_is_store,
2827 &src1, &src1_len, &src1_is_store,
2828 &dest, &dest_len, &dest_is_store,
2829 &dest_is_deref, &intercepted_p, iter))
2831 if (dest_is_deref)
2833 instrument_derefs (iter, dest.start, loc, dest_is_store);
2834 gsi_next (iter);
2835 iter_advanced_p = true;
2837 else if (!intercepted_p
2838 && (src0_len || src1_len || dest_len))
2840 if (src0.start != NULL_TREE)
2841 instrument_mem_region_access (src0.start, src0_len,
2842 iter, loc, /*is_store=*/false);
2843 if (src1.start != NULL_TREE)
2844 instrument_mem_region_access (src1.start, src1_len,
2845 iter, loc, /*is_store=*/false);
2846 if (dest.start != NULL_TREE)
2847 instrument_mem_region_access (dest.start, dest_len,
2848 iter, loc, /*is_store=*/true);
2850 *iter = gsi_for_stmt (call);
2851 gsi_next (iter);
2852 iter_advanced_p = true;
2854 else
2856 if (src0.start != NULL_TREE)
2857 maybe_update_mem_ref_hash_table (src0.start, src0_len);
2858 if (src1.start != NULL_TREE)
2859 maybe_update_mem_ref_hash_table (src1.start, src1_len);
2860 if (dest.start != NULL_TREE)
2861 maybe_update_mem_ref_hash_table (dest.start, dest_len);
2864 return iter_advanced_p;
2867 /* Instrument the assignment statement ITER if it is subject to
2868 instrumentation. Return TRUE iff instrumentation actually
2869 happened. In that case, the iterator ITER is advanced to the next
2870 logical expression following the one initially pointed to by ITER,
2871 and the relevant memory reference that which access has been
2872 instrumented is added to the memory references hash table. */
2874 static bool
2875 maybe_instrument_assignment (gimple_stmt_iterator *iter)
2877 gimple *s = gsi_stmt (*iter);
2879 gcc_assert (gimple_assign_single_p (s));
2881 tree ref_expr = NULL_TREE;
2882 bool is_store, is_instrumented = false;
2884 if (gimple_store_p (s))
2886 ref_expr = gimple_assign_lhs (s);
2887 is_store = true;
2888 instrument_derefs (iter, ref_expr,
2889 gimple_location (s),
2890 is_store);
2891 is_instrumented = true;
2894 if (gimple_assign_load_p (s))
2896 ref_expr = gimple_assign_rhs1 (s);
2897 is_store = false;
2898 instrument_derefs (iter, ref_expr,
2899 gimple_location (s),
2900 is_store);
2901 is_instrumented = true;
2904 if (is_instrumented)
2905 gsi_next (iter);
2907 return is_instrumented;
2910 /* Instrument the function call pointed to by the iterator ITER, if it
2911 is subject to instrumentation. At the moment, the only function
2912 calls that are instrumented are some built-in functions that access
2913 memory. Look at instrument_builtin_call to learn more.
2915 Upon completion return TRUE iff *ITER was advanced to the statement
2916 following the one it was originally pointing to. */
2918 static bool
2919 maybe_instrument_call (gimple_stmt_iterator *iter)
2921 gimple *stmt = gsi_stmt (*iter);
2922 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2924 if (is_builtin && instrument_builtin_call (iter))
2925 return true;
2927 if (gimple_call_noreturn_p (stmt))
2929 if (is_builtin)
2931 tree callee = gimple_call_fndecl (stmt);
2932 switch (DECL_FUNCTION_CODE (callee))
2934 case BUILT_IN_UNREACHABLE:
2935 case BUILT_IN_TRAP:
2936 /* Don't instrument these. */
2937 return false;
2938 default:
2939 break;
2942 /* If a function does not return, then we must handle clearing up the
2943 shadow stack accordingly. For ASAN we can simply set the entire stack
2944 to "valid" for accesses by setting the shadow space to 0 and all
2945 accesses will pass checks. That means that some bad accesses may be
2946 missed, but we will not report any false positives.
2948 This is not possible for HWASAN. Since there is no "always valid" tag
2949 we can not set any space to "always valid". If we were to clear the
2950 entire shadow stack then code resuming from `longjmp` or a caught
2951 exception would trigger false positives when correctly accessing
2952 variables on the stack. Hence we need to handle things like
2953 `longjmp`, thread exit, and exceptions in a different way. These
2954 problems must be handled externally to the compiler, e.g. in the
2955 language runtime. */
2956 if (! hwasan_sanitize_p ())
2958 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
2959 gimple *g = gimple_build_call (decl, 0);
2960 gimple_set_location (g, gimple_location (stmt));
2961 gsi_insert_before (iter, g, GSI_SAME_STMT);
2965 bool instrumented = false;
2966 if (gimple_store_p (stmt))
2968 tree ref_expr = gimple_call_lhs (stmt);
2969 instrument_derefs (iter, ref_expr,
2970 gimple_location (stmt),
2971 /*is_store=*/true);
2973 instrumented = true;
2976 /* Walk through gimple_call arguments and check them id needed. */
2977 unsigned args_num = gimple_call_num_args (stmt);
2978 for (unsigned i = 0; i < args_num; ++i)
2980 tree arg = gimple_call_arg (stmt, i);
2981 /* If ARG is not a non-aggregate register variable, compiler in general
2982 creates temporary for it and pass it as argument to gimple call.
2983 But in some cases, e.g. when we pass by value a small structure that
2984 fits to register, compiler can avoid extra overhead by pulling out
2985 these temporaries. In this case, we should check the argument. */
2986 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
2988 instrument_derefs (iter, arg,
2989 gimple_location (stmt),
2990 /*is_store=*/false);
2991 instrumented = true;
2994 if (instrumented)
2995 gsi_next (iter);
2996 return instrumented;
2999 /* Walk each instruction of all basic block and instrument those that
3000 represent memory references: loads, stores, or function calls.
3001 In a given basic block, this function avoids instrumenting memory
3002 references that have already been instrumented. */
3004 static void
3005 transform_statements (void)
3007 basic_block bb, last_bb = NULL;
3008 gimple_stmt_iterator i;
3009 int saved_last_basic_block = last_basic_block_for_fn (cfun);
3011 FOR_EACH_BB_FN (bb, cfun)
3013 basic_block prev_bb = bb;
3015 if (bb->index >= saved_last_basic_block) continue;
3017 /* Flush the mem ref hash table, if current bb doesn't have
3018 exactly one predecessor, or if that predecessor (skipping
3019 over asan created basic blocks) isn't the last processed
3020 basic block. Thus we effectively flush on extended basic
3021 block boundaries. */
3022 while (single_pred_p (prev_bb))
3024 prev_bb = single_pred (prev_bb);
3025 if (prev_bb->index < saved_last_basic_block)
3026 break;
3028 if (prev_bb != last_bb)
3029 empty_mem_ref_hash_table ();
3030 last_bb = bb;
3032 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
3034 gimple *s = gsi_stmt (i);
3036 if (has_stmt_been_instrumented_p (s))
3037 gsi_next (&i);
3038 else if (gimple_assign_single_p (s)
3039 && !gimple_clobber_p (s)
3040 && maybe_instrument_assignment (&i))
3041 /* Nothing to do as maybe_instrument_assignment advanced
3042 the iterator I. */;
3043 else if (is_gimple_call (s) && maybe_instrument_call (&i))
3044 /* Nothing to do as maybe_instrument_call
3045 advanced the iterator I. */;
3046 else
3048 /* No instrumentation happened.
3050 If the current instruction is a function call that
3051 might free something, let's forget about the memory
3052 references that got instrumented. Otherwise we might
3053 miss some instrumentation opportunities. Do the same
3054 for a ASAN_MARK poisoning internal function. */
3055 if (is_gimple_call (s)
3056 && (!nonfreeing_call_p (s)
3057 || asan_mark_p (s, ASAN_MARK_POISON)))
3058 empty_mem_ref_hash_table ();
3060 gsi_next (&i);
3064 free_mem_ref_resources ();
3067 /* Build
3068 __asan_before_dynamic_init (module_name)
3070 __asan_after_dynamic_init ()
3071 call. */
3073 tree
3074 asan_dynamic_init_call (bool after_p)
3076 if (shadow_ptr_types[0] == NULL_TREE)
3077 asan_init_shadow_ptr_types ();
3079 tree fn = builtin_decl_implicit (after_p
3080 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
3081 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
3082 tree module_name_cst = NULL_TREE;
3083 if (!after_p)
3085 pretty_printer module_name_pp;
3086 pp_string (&module_name_pp, main_input_filename);
3088 module_name_cst = asan_pp_string (&module_name_pp);
3089 module_name_cst = fold_convert (const_ptr_type_node,
3090 module_name_cst);
3093 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
3096 /* Build
3097 struct __asan_global
3099 const void *__beg;
3100 uptr __size;
3101 uptr __size_with_redzone;
3102 const void *__name;
3103 const void *__module_name;
3104 uptr __has_dynamic_init;
3105 __asan_global_source_location *__location;
3106 char *__odr_indicator;
3107 } type. */
3109 static tree
3110 asan_global_struct (void)
3112 static const char *field_names[]
3113 = { "__beg", "__size", "__size_with_redzone",
3114 "__name", "__module_name", "__has_dynamic_init", "__location",
3115 "__odr_indicator" };
3116 tree fields[ARRAY_SIZE (field_names)], ret;
3117 unsigned i;
3119 ret = make_node (RECORD_TYPE);
3120 for (i = 0; i < ARRAY_SIZE (field_names); i++)
3122 fields[i]
3123 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
3124 get_identifier (field_names[i]),
3125 (i == 0 || i == 3) ? const_ptr_type_node
3126 : pointer_sized_int_node);
3127 DECL_CONTEXT (fields[i]) = ret;
3128 if (i)
3129 DECL_CHAIN (fields[i - 1]) = fields[i];
3131 tree type_decl = build_decl (input_location, TYPE_DECL,
3132 get_identifier ("__asan_global"), ret);
3133 DECL_IGNORED_P (type_decl) = 1;
3134 DECL_ARTIFICIAL (type_decl) = 1;
3135 TYPE_FIELDS (ret) = fields[0];
3136 TYPE_NAME (ret) = type_decl;
3137 TYPE_STUB_DECL (ret) = type_decl;
3138 TYPE_ARTIFICIAL (ret) = 1;
3139 layout_type (ret);
3140 return ret;
3143 /* Create and return odr indicator symbol for DECL.
3144 TYPE is __asan_global struct type as returned by asan_global_struct. */
3146 static tree
3147 create_odr_indicator (tree decl, tree type)
3149 char *name;
3150 tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
3151 tree decl_name
3152 = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl)
3153 : DECL_NAME (decl));
3154 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
3155 if (decl_name == NULL_TREE)
3156 return build_int_cst (uptr, 0);
3157 const char *dname = IDENTIFIER_POINTER (decl_name);
3158 if (HAS_DECL_ASSEMBLER_NAME_P (decl))
3159 dname = targetm.strip_name_encoding (dname);
3160 size_t len = strlen (dname) + sizeof ("__odr_asan_");
3161 name = XALLOCAVEC (char, len);
3162 snprintf (name, len, "__odr_asan_%s", dname);
3163 #ifndef NO_DOT_IN_LABEL
3164 name[sizeof ("__odr_asan") - 1] = '.';
3165 #elif !defined(NO_DOLLAR_IN_LABEL)
3166 name[sizeof ("__odr_asan") - 1] = '$';
3167 #endif
3168 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name),
3169 char_type_node);
3170 TREE_ADDRESSABLE (var) = 1;
3171 TREE_READONLY (var) = 0;
3172 TREE_THIS_VOLATILE (var) = 1;
3173 DECL_ARTIFICIAL (var) = 1;
3174 DECL_IGNORED_P (var) = 1;
3175 TREE_STATIC (var) = 1;
3176 TREE_PUBLIC (var) = 1;
3177 DECL_VISIBILITY (var) = DECL_VISIBILITY (decl);
3178 DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl);
3180 TREE_USED (var) = 1;
3181 tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE,
3182 build_int_cst (unsigned_type_node, 0));
3183 TREE_CONSTANT (ctor) = 1;
3184 TREE_STATIC (ctor) = 1;
3185 DECL_INITIAL (var) = ctor;
3186 DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"),
3187 NULL, DECL_ATTRIBUTES (var));
3188 make_decl_rtl (var);
3189 varpool_node::finalize_decl (var);
3190 return fold_convert (uptr, build_fold_addr_expr (var));
3193 /* Return true if DECL, a global var, might be overridden and needs
3194 an additional odr indicator symbol. */
3196 static bool
3197 asan_needs_odr_indicator_p (tree decl)
3199 /* Don't emit ODR indicators for kernel because:
3200 a) Kernel is written in C thus doesn't need ODR indicators.
3201 b) Some kernel code may have assumptions about symbols containing specific
3202 patterns in their names. Since ODR indicators contain original names
3203 of symbols they are emitted for, these assumptions would be broken for
3204 ODR indicator symbols. */
3205 return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS)
3206 && !DECL_ARTIFICIAL (decl)
3207 && !DECL_WEAK (decl)
3208 && TREE_PUBLIC (decl));
3211 /* Append description of a single global DECL into vector V.
3212 TYPE is __asan_global struct type as returned by asan_global_struct. */
3214 static void
3215 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
3217 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
3218 unsigned HOST_WIDE_INT size;
3219 tree str_cst, module_name_cst, refdecl = decl;
3220 vec<constructor_elt, va_gc> *vinner = NULL;
3222 pretty_printer asan_pp, module_name_pp;
3224 if (DECL_NAME (decl))
3225 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
3226 else
3227 pp_string (&asan_pp, "<unknown>");
3228 str_cst = asan_pp_string (&asan_pp);
3230 pp_string (&module_name_pp, main_input_filename);
3231 module_name_cst = asan_pp_string (&module_name_pp);
3233 if (asan_needs_local_alias (decl))
3235 char buf[20];
3236 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
3237 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
3238 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
3239 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
3240 TREE_READONLY (refdecl) = TREE_READONLY (decl);
3241 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
3242 DECL_NOT_GIMPLE_REG_P (refdecl) = DECL_NOT_GIMPLE_REG_P (decl);
3243 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
3244 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
3245 TREE_STATIC (refdecl) = 1;
3246 TREE_PUBLIC (refdecl) = 0;
3247 TREE_USED (refdecl) = 1;
3248 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
3251 tree odr_indicator_ptr
3252 = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type)
3253 : build_int_cst (uptr, 0));
3254 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3255 fold_convert (const_ptr_type_node,
3256 build_fold_addr_expr (refdecl)));
3257 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
3258 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
3259 size += asan_red_zone_size (size);
3260 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
3261 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3262 fold_convert (const_ptr_type_node, str_cst));
3263 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3264 fold_convert (const_ptr_type_node, module_name_cst));
3265 varpool_node *vnode = varpool_node::get (decl);
3266 int has_dynamic_init = 0;
3267 /* FIXME: Enable initialization order fiasco detection in LTO mode once
3268 proper fix for PR 79061 will be applied. */
3269 if (!in_lto_p)
3270 has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
3271 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
3272 build_int_cst (uptr, has_dynamic_init));
3273 tree locptr = NULL_TREE;
3274 location_t loc = DECL_SOURCE_LOCATION (decl);
3275 expanded_location xloc = expand_location (loc);
3276 if (xloc.file != NULL)
3278 static int lasanloccnt = 0;
3279 char buf[25];
3280 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
3281 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
3282 ubsan_get_source_location_type ());
3283 TREE_STATIC (var) = 1;
3284 TREE_PUBLIC (var) = 0;
3285 DECL_ARTIFICIAL (var) = 1;
3286 DECL_IGNORED_P (var) = 1;
3287 pretty_printer filename_pp;
3288 pp_string (&filename_pp, xloc.file);
3289 tree str = asan_pp_string (&filename_pp);
3290 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
3291 NULL_TREE, str, NULL_TREE,
3292 build_int_cst (unsigned_type_node,
3293 xloc.line), NULL_TREE,
3294 build_int_cst (unsigned_type_node,
3295 xloc.column));
3296 TREE_CONSTANT (ctor) = 1;
3297 TREE_STATIC (ctor) = 1;
3298 DECL_INITIAL (var) = ctor;
3299 varpool_node::finalize_decl (var);
3300 locptr = fold_convert (uptr, build_fold_addr_expr (var));
3302 else
3303 locptr = build_int_cst (uptr, 0);
3304 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
3305 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr);
3306 init = build_constructor (type, vinner);
3307 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
3310 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
3311 void
3312 initialize_sanitizer_builtins (void)
3314 tree decl;
3316 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
3317 return;
3319 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
3320 tree BT_FN_VOID_PTR
3321 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
3322 tree BT_FN_VOID_CONST_PTR
3323 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
3324 tree BT_FN_VOID_PTR_PTR
3325 = build_function_type_list (void_type_node, ptr_type_node,
3326 ptr_type_node, NULL_TREE);
3327 tree BT_FN_VOID_PTR_PTR_PTR
3328 = build_function_type_list (void_type_node, ptr_type_node,
3329 ptr_type_node, ptr_type_node, NULL_TREE);
3330 tree BT_FN_VOID_PTR_PTRMODE
3331 = build_function_type_list (void_type_node, ptr_type_node,
3332 pointer_sized_int_node, NULL_TREE);
3333 tree BT_FN_VOID_INT
3334 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
3335 tree BT_FN_SIZE_CONST_PTR_INT
3336 = build_function_type_list (size_type_node, const_ptr_type_node,
3337 integer_type_node, NULL_TREE);
3339 tree BT_FN_VOID_UINT8_UINT8
3340 = build_function_type_list (void_type_node, unsigned_char_type_node,
3341 unsigned_char_type_node, NULL_TREE);
3342 tree BT_FN_VOID_UINT16_UINT16
3343 = build_function_type_list (void_type_node, uint16_type_node,
3344 uint16_type_node, NULL_TREE);
3345 tree BT_FN_VOID_UINT32_UINT32
3346 = build_function_type_list (void_type_node, uint32_type_node,
3347 uint32_type_node, NULL_TREE);
3348 tree BT_FN_VOID_UINT64_UINT64
3349 = build_function_type_list (void_type_node, uint64_type_node,
3350 uint64_type_node, NULL_TREE);
3351 tree BT_FN_VOID_FLOAT_FLOAT
3352 = build_function_type_list (void_type_node, float_type_node,
3353 float_type_node, NULL_TREE);
3354 tree BT_FN_VOID_DOUBLE_DOUBLE
3355 = build_function_type_list (void_type_node, double_type_node,
3356 double_type_node, NULL_TREE);
3357 tree BT_FN_VOID_UINT64_PTR
3358 = build_function_type_list (void_type_node, uint64_type_node,
3359 ptr_type_node, NULL_TREE);
3361 tree BT_FN_PTR_CONST_PTR_UINT8
3362 = build_function_type_list (ptr_type_node, const_ptr_type_node,
3363 unsigned_char_type_node, NULL_TREE);
3364 tree BT_FN_VOID_PTR_UINT8_PTRMODE
3365 = build_function_type_list (void_type_node, ptr_type_node,
3366 unsigned_char_type_node,
3367 pointer_sized_int_node, NULL_TREE);
3369 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
3370 tree BT_FN_IX_CONST_VPTR_INT[5];
3371 tree BT_FN_IX_VPTR_IX_INT[5];
3372 tree BT_FN_VOID_VPTR_IX_INT[5];
3373 tree vptr
3374 = build_pointer_type (build_qualified_type (void_type_node,
3375 TYPE_QUAL_VOLATILE));
3376 tree cvptr
3377 = build_pointer_type (build_qualified_type (void_type_node,
3378 TYPE_QUAL_VOLATILE
3379 |TYPE_QUAL_CONST));
3380 tree boolt
3381 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
3382 int i;
3383 for (i = 0; i < 5; i++)
3385 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
3386 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
3387 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
3388 integer_type_node, integer_type_node,
3389 NULL_TREE);
3390 BT_FN_IX_CONST_VPTR_INT[i]
3391 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
3392 BT_FN_IX_VPTR_IX_INT[i]
3393 = build_function_type_list (ix, vptr, ix, integer_type_node,
3394 NULL_TREE);
3395 BT_FN_VOID_VPTR_IX_INT[i]
3396 = build_function_type_list (void_type_node, vptr, ix,
3397 integer_type_node, NULL_TREE);
3399 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
3400 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
3401 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
3402 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
3403 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
3404 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
3405 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
3406 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
3407 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
3408 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
3409 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
3410 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
3411 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
3412 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
3413 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
3414 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
3415 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
3416 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
3417 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
3418 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
3419 #undef ATTR_NOTHROW_LIST
3420 #define ATTR_NOTHROW_LIST ECF_NOTHROW
3421 #undef ATTR_NOTHROW_LEAF_LIST
3422 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
3423 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
3424 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
3425 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
3426 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
3427 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3428 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
3429 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
3430 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
3431 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
3432 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
3433 #undef ATTR_COLD_NOTHROW_LEAF_LIST
3434 #define ATTR_COLD_NOTHROW_LEAF_LIST \
3435 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
3436 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
3437 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
3438 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
3439 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
3440 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
3441 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3442 #undef ATTR_PURE_NOTHROW_LEAF_LIST
3443 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
3444 #undef DEF_BUILTIN_STUB
3445 #define DEF_BUILTIN_STUB(ENUM, NAME)
3446 #undef DEF_SANITIZER_BUILTIN_1
3447 #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \
3448 do { \
3449 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
3450 BUILT_IN_NORMAL, NAME, NULL_TREE); \
3451 set_call_expr_flags (decl, ATTRS); \
3452 set_builtin_decl (ENUM, decl, true); \
3453 } while (0)
3454 #undef DEF_SANITIZER_BUILTIN
3455 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
3456 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS);
3458 #include "sanitizer.def"
3460 /* -fsanitize=object-size uses __builtin_dynamic_object_size and
3461 __builtin_object_size, but they might not be available for e.g. Fortran at
3462 this point. We use DEF_SANITIZER_BUILTIN here only as a convenience
3463 macro. */
3464 if (flag_sanitize & SANITIZE_OBJECT_SIZE)
3466 if (!builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
3467 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_OBJECT_SIZE, "object_size",
3468 BT_FN_SIZE_CONST_PTR_INT,
3469 ATTR_PURE_NOTHROW_LEAF_LIST);
3470 if (!builtin_decl_implicit_p (BUILT_IN_DYNAMIC_OBJECT_SIZE))
3471 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_DYNAMIC_OBJECT_SIZE,
3472 "dynamic_object_size",
3473 BT_FN_SIZE_CONST_PTR_INT,
3474 ATTR_PURE_NOTHROW_LEAF_LIST);
3477 #undef DEF_SANITIZER_BUILTIN_1
3478 #undef DEF_SANITIZER_BUILTIN
3479 #undef DEF_BUILTIN_STUB
3482 /* Called via htab_traverse. Count number of emitted
3483 STRING_CSTs in the constant hash table. */
3486 count_string_csts (constant_descriptor_tree **slot,
3487 unsigned HOST_WIDE_INT *data)
3489 struct constant_descriptor_tree *desc = *slot;
3490 if (TREE_CODE (desc->value) == STRING_CST
3491 && TREE_ASM_WRITTEN (desc->value)
3492 && asan_protect_global (desc->value))
3493 ++*data;
3494 return 1;
3497 /* Helper structure to pass two parameters to
3498 add_string_csts. */
3500 struct asan_add_string_csts_data
3502 tree type;
3503 vec<constructor_elt, va_gc> *v;
3506 /* Called via hash_table::traverse. Call asan_add_global
3507 on emitted STRING_CSTs from the constant hash table. */
3510 add_string_csts (constant_descriptor_tree **slot,
3511 asan_add_string_csts_data *aascd)
3513 struct constant_descriptor_tree *desc = *slot;
3514 if (TREE_CODE (desc->value) == STRING_CST
3515 && TREE_ASM_WRITTEN (desc->value)
3516 && asan_protect_global (desc->value))
3518 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
3519 aascd->type, aascd->v);
3521 return 1;
3524 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
3525 invoke ggc_collect. */
3526 static GTY(()) tree asan_ctor_statements;
3528 /* Module-level instrumentation.
3529 - Insert __asan_init_vN() into the list of CTORs.
3530 - TODO: insert redzones around globals.
3533 void
3534 asan_finish_file (void)
3536 varpool_node *vnode;
3537 unsigned HOST_WIDE_INT gcount = 0;
3539 if (shadow_ptr_types[0] == NULL_TREE)
3540 asan_init_shadow_ptr_types ();
3541 /* Avoid instrumenting code in the asan ctors/dtors.
3542 We don't need to insert padding after the description strings,
3543 nor after .LASAN* array. */
3544 flag_sanitize &= ~SANITIZE_ADDRESS;
3546 /* For user-space we want asan constructors to run first.
3547 Linux kernel does not support priorities other than default, and the only
3548 other user of constructors is coverage. So we run with the default
3549 priority. */
3550 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
3551 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
3553 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3555 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
3556 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
3557 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
3558 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
3560 FOR_EACH_DEFINED_VARIABLE (vnode)
3561 if (TREE_ASM_WRITTEN (vnode->decl)
3562 && asan_protect_global (vnode->decl))
3563 ++gcount;
3564 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
3565 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
3566 (&gcount);
3567 if (gcount)
3569 tree type = asan_global_struct (), var, ctor;
3570 tree dtor_statements = NULL_TREE;
3571 vec<constructor_elt, va_gc> *v;
3572 char buf[20];
3574 type = build_array_type_nelts (type, gcount);
3575 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
3576 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
3577 type);
3578 TREE_STATIC (var) = 1;
3579 TREE_PUBLIC (var) = 0;
3580 DECL_ARTIFICIAL (var) = 1;
3581 DECL_IGNORED_P (var) = 1;
3582 vec_alloc (v, gcount);
3583 FOR_EACH_DEFINED_VARIABLE (vnode)
3584 if (TREE_ASM_WRITTEN (vnode->decl)
3585 && asan_protect_global (vnode->decl))
3586 asan_add_global (vnode->decl, TREE_TYPE (type), v);
3587 struct asan_add_string_csts_data aascd;
3588 aascd.type = TREE_TYPE (type);
3589 aascd.v = v;
3590 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
3591 (&aascd);
3592 ctor = build_constructor (type, v);
3593 TREE_CONSTANT (ctor) = 1;
3594 TREE_STATIC (ctor) = 1;
3595 DECL_INITIAL (var) = ctor;
3596 SET_DECL_ALIGN (var, MAX (DECL_ALIGN (var),
3597 ASAN_SHADOW_GRANULARITY * BITS_PER_UNIT));
3599 varpool_node::finalize_decl (var);
3601 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
3602 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
3603 append_to_statement_list (build_call_expr (fn, 2,
3604 build_fold_addr_expr (var),
3605 gcount_tree),
3606 &asan_ctor_statements);
3608 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
3609 append_to_statement_list (build_call_expr (fn, 2,
3610 build_fold_addr_expr (var),
3611 gcount_tree),
3612 &dtor_statements);
3613 cgraph_build_static_cdtor ('D', dtor_statements, priority);
3615 if (asan_ctor_statements)
3616 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
3617 flag_sanitize |= SANITIZE_ADDRESS;
3620 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
3621 on SHADOW address. Newly added statements will be added to ITER with
3622 given location LOC. We mark SIZE bytes in shadow memory, where
3623 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
3624 end of a variable. */
3626 static void
3627 asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
3628 tree shadow,
3629 unsigned HOST_WIDE_INT base_addr_offset,
3630 bool is_clobber, unsigned size,
3631 unsigned last_chunk_size)
3633 tree shadow_ptr_type;
3635 switch (size)
3637 case 1:
3638 shadow_ptr_type = shadow_ptr_types[0];
3639 break;
3640 case 2:
3641 shadow_ptr_type = shadow_ptr_types[1];
3642 break;
3643 case 4:
3644 shadow_ptr_type = shadow_ptr_types[2];
3645 break;
3646 default:
3647 gcc_unreachable ();
3650 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
3651 unsigned HOST_WIDE_INT val = 0;
3652 unsigned last_pos = size;
3653 if (last_chunk_size && !is_clobber)
3654 last_pos = BYTES_BIG_ENDIAN ? 0 : size - 1;
3655 for (unsigned i = 0; i < size; ++i)
3657 unsigned char shadow_c = c;
3658 if (i == last_pos)
3659 shadow_c = last_chunk_size;
3660 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
3663 /* Handle last chunk in unpoisoning. */
3664 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);
3666 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
3667 build_int_cst (shadow_ptr_type, base_addr_offset));
3669 gimple *g = gimple_build_assign (dest, magic);
3670 gimple_set_location (g, loc);
3671 gsi_insert_after (iter, g, GSI_NEW_STMT);
3674 /* Expand the ASAN_MARK builtins. */
3676 bool
3677 asan_expand_mark_ifn (gimple_stmt_iterator *iter)
3679 gimple *g = gsi_stmt (*iter);
3680 location_t loc = gimple_location (g);
3681 HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0));
3682 bool is_poison = ((asan_mark_flags)flag) == ASAN_MARK_POISON;
3684 tree base = gimple_call_arg (g, 1);
3685 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
3686 tree decl = TREE_OPERAND (base, 0);
3688 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
3689 if (TREE_CODE (decl) == COMPONENT_REF
3690 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0)))
3691 decl = TREE_OPERAND (decl, 0);
3693 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);
3695 if (hwasan_sanitize_p ())
3697 gcc_assert (param_hwasan_instrument_stack);
3698 gimple_seq stmts = NULL;
3699 /* Here we swap ASAN_MARK calls for HWASAN_MARK.
3700 This is because we are using the approach of using ASAN_MARK as a
3701 synonym until here.
3702 That approach means we don't yet have to duplicate all the special
3703 cases for ASAN_MARK and ASAN_POISON with the exact same handling but
3704 called HWASAN_MARK etc.
3706 N.b. __asan_poison_stack_memory (which implements ASAN_MARK for ASAN)
3707 rounds the size up to its shadow memory granularity, while
3708 __hwasan_tag_memory (which implements the same for HWASAN) does not.
3709 Hence we emit HWASAN_MARK with an aligned size unlike ASAN_MARK. */
3710 tree len = gimple_call_arg (g, 2);
3711 tree new_len = gimple_build_round_up (&stmts, loc, size_type_node, len,
3712 HWASAN_TAG_GRANULE_SIZE);
3713 gimple_build (&stmts, loc, CFN_HWASAN_MARK,
3714 void_type_node, gimple_call_arg (g, 0),
3715 base, new_len);
3716 gsi_replace_with_seq (iter, stmts, true);
3717 return false;
3720 if (is_poison)
3722 if (asan_handled_variables == NULL)
3723 asan_handled_variables = new hash_set<tree> (16);
3724 asan_handled_variables->add (decl);
3726 tree len = gimple_call_arg (g, 2);
3728 gcc_assert (tree_fits_shwi_p (len));
3729 unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len);
3730 gcc_assert (size_in_bytes);
3732 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3733 NOP_EXPR, base);
3734 gimple_set_location (g, loc);
3735 gsi_replace (iter, g, false);
3736 tree base_addr = gimple_assign_lhs (g);
3738 /* Generate direct emission if size_in_bytes is small. */
3739 if (size_in_bytes
3740 <= (unsigned)param_use_after_scope_direct_emission_threshold)
3742 const unsigned HOST_WIDE_INT shadow_size
3743 = shadow_mem_size (size_in_bytes);
3744 const unsigned int shadow_align
3745 = (get_pointer_alignment (base) / BITS_PER_UNIT) >> ASAN_SHADOW_SHIFT;
3747 tree shadow = build_shadow_mem_access (iter, loc, base_addr,
3748 shadow_ptr_types[0], true);
3750 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
3752 unsigned size = 1;
3753 if (shadow_size - offset >= 4
3754 && (!STRICT_ALIGNMENT || shadow_align >= 4))
3755 size = 4;
3756 else if (shadow_size - offset >= 2
3757 && (!STRICT_ALIGNMENT || shadow_align >= 2))
3758 size = 2;
3760 unsigned HOST_WIDE_INT last_chunk_size = 0;
3761 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
3762 if (s > size_in_bytes)
3763 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);
3765 asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison,
3766 size, last_chunk_size);
3767 offset += size;
3770 else
3772 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3773 NOP_EXPR, len);
3774 gimple_set_location (g, loc);
3775 gsi_insert_before (iter, g, GSI_SAME_STMT);
3776 tree sz_arg = gimple_assign_lhs (g);
3778 tree fun
3779 = builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY
3780 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY);
3781 g = gimple_build_call (fun, 2, base_addr, sz_arg);
3782 gimple_set_location (g, loc);
3783 gsi_insert_after (iter, g, GSI_NEW_STMT);
3786 return false;
3789 /* Expand the ASAN_{LOAD,STORE} builtins. */
3791 bool
3792 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
3794 gcc_assert (!hwasan_sanitize_p ());
3795 gimple *g = gsi_stmt (*iter);
3796 location_t loc = gimple_location (g);
3797 bool recover_p;
3798 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3799 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3800 else
3801 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3803 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
3804 gcc_assert (flags < ASAN_CHECK_LAST);
3805 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
3806 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
3807 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
3809 tree base = gimple_call_arg (g, 1);
3810 tree len = gimple_call_arg (g, 2);
3811 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
3813 HOST_WIDE_INT size_in_bytes
3814 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
3816 if (use_calls)
3818 /* Instrument using callbacks. */
3819 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3820 NOP_EXPR, base);
3821 gimple_set_location (g, loc);
3822 gsi_insert_before (iter, g, GSI_SAME_STMT);
3823 tree base_addr = gimple_assign_lhs (g);
3825 int nargs;
3826 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
3827 if (nargs == 1)
3828 g = gimple_build_call (fun, 1, base_addr);
3829 else
3831 gcc_assert (nargs == 2);
3832 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3833 NOP_EXPR, len);
3834 gimple_set_location (g, loc);
3835 gsi_insert_before (iter, g, GSI_SAME_STMT);
3836 tree sz_arg = gimple_assign_lhs (g);
3837 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
3839 gimple_set_location (g, loc);
3840 gsi_replace (iter, g, false);
3841 return false;
3844 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
3846 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
3847 tree shadow_type = TREE_TYPE (shadow_ptr_type);
3849 gimple_stmt_iterator gsi = *iter;
3851 if (!is_non_zero_len)
3853 /* So, the length of the memory area to asan-protect is
3854 non-constant. Let's guard the generated instrumentation code
3855 like:
3857 if (len != 0)
3859 //asan instrumentation code goes here.
3861 // falltrough instructions, starting with *ITER. */
3863 g = gimple_build_cond (NE_EXPR,
3864 len,
3865 build_int_cst (TREE_TYPE (len), 0),
3866 NULL_TREE, NULL_TREE);
3867 gimple_set_location (g, loc);
3869 basic_block then_bb, fallthrough_bb;
3870 insert_if_then_before_iter (as_a <gcond *> (g), iter,
3871 /*then_more_likely_p=*/true,
3872 &then_bb, &fallthrough_bb);
3873 /* Note that fallthrough_bb starts with the statement that was
3874 pointed to by ITER. */
3876 /* The 'then block' of the 'if (len != 0) condition is where
3877 we'll generate the asan instrumentation code now. */
3878 gsi = gsi_last_bb (then_bb);
3881 /* Get an iterator on the point where we can add the condition
3882 statement for the instrumentation. */
3883 basic_block then_bb, else_bb;
3884 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
3885 /*then_more_likely_p=*/false,
3886 /*create_then_fallthru_edge*/recover_p,
3887 &then_bb,
3888 &else_bb);
3890 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3891 NOP_EXPR, base);
3892 gimple_set_location (g, loc);
3893 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
3894 tree base_addr = gimple_assign_lhs (g);
3896 tree t = NULL_TREE;
3897 if (real_size_in_bytes >= 8)
3899 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3900 shadow_ptr_type);
3901 t = shadow;
3903 else
3905 /* Slow path for 1, 2 and 4 byte accesses. */
3906 /* Test (shadow != 0)
3907 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
3908 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3909 shadow_ptr_type);
3910 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3911 gimple_seq seq = NULL;
3912 gimple_seq_add_stmt (&seq, shadow_test);
3913 /* Aligned (>= 8 bytes) can test just
3914 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
3915 to be 0. */
3916 if (align < 8)
3918 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3919 base_addr, 7));
3920 gimple_seq_add_stmt (&seq,
3921 build_type_cast (shadow_type,
3922 gimple_seq_last (seq)));
3923 if (real_size_in_bytes > 1)
3924 gimple_seq_add_stmt (&seq,
3925 build_assign (PLUS_EXPR,
3926 gimple_seq_last (seq),
3927 real_size_in_bytes - 1));
3928 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
3930 else
3931 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
3932 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
3933 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3934 gimple_seq_last (seq)));
3935 t = gimple_assign_lhs (gimple_seq_last (seq));
3936 gimple_seq_set_location (seq, loc);
3937 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3939 /* For non-constant, misaligned or otherwise weird access sizes,
3940 check first and last byte. */
3941 if (size_in_bytes == -1)
3943 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3944 MINUS_EXPR, len,
3945 build_int_cst (pointer_sized_int_node, 1));
3946 gimple_set_location (g, loc);
3947 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3948 tree last = gimple_assign_lhs (g);
3949 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3950 PLUS_EXPR, base_addr, last);
3951 gimple_set_location (g, loc);
3952 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3953 tree base_end_addr = gimple_assign_lhs (g);
3955 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
3956 shadow_ptr_type);
3957 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3958 gimple_seq seq = NULL;
3959 gimple_seq_add_stmt (&seq, shadow_test);
3960 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3961 base_end_addr, 7));
3962 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
3963 gimple_seq_last (seq)));
3964 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
3965 gimple_seq_last (seq),
3966 shadow));
3967 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3968 gimple_seq_last (seq)));
3969 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
3970 gimple_seq_last (seq)));
3971 t = gimple_assign_lhs (gimple_seq_last (seq));
3972 gimple_seq_set_location (seq, loc);
3973 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3977 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
3978 NULL_TREE, NULL_TREE);
3979 gimple_set_location (g, loc);
3980 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3982 /* Generate call to the run-time library (e.g. __asan_report_load8). */
3983 gsi = gsi_start_bb (then_bb);
3984 int nargs;
3985 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
3986 g = gimple_build_call (fun, nargs, base_addr, len);
3987 gimple_set_location (g, loc);
3988 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3990 gsi_remove (iter, true);
3991 *iter = gsi_start_bb (else_bb);
3993 return true;
3996 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
3997 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
3999 static tree
4000 create_asan_shadow_var (tree var_decl,
4001 hash_map<tree, tree> &shadow_vars_mapping)
4003 tree *slot = shadow_vars_mapping.get (var_decl);
4004 if (slot == NULL)
4006 tree shadow_var = copy_node (var_decl);
4008 copy_body_data id;
4009 memset (&id, 0, sizeof (copy_body_data));
4010 id.src_fn = id.dst_fn = current_function_decl;
4011 copy_decl_for_dup_finish (&id, var_decl, shadow_var);
4013 DECL_ARTIFICIAL (shadow_var) = 1;
4014 DECL_IGNORED_P (shadow_var) = 1;
4015 DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0;
4016 gimple_add_tmp_var (shadow_var);
4018 shadow_vars_mapping.put (var_decl, shadow_var);
4019 return shadow_var;
4021 else
4022 return *slot;
4025 /* Expand ASAN_POISON ifn. */
4027 bool
4028 asan_expand_poison_ifn (gimple_stmt_iterator *iter,
4029 bool *need_commit_edge_insert,
4030 hash_map<tree, tree> &shadow_vars_mapping)
4032 gimple *g = gsi_stmt (*iter);
4033 tree poisoned_var = gimple_call_lhs (g);
4034 if (!poisoned_var || has_zero_uses (poisoned_var))
4036 gsi_remove (iter, true);
4037 return true;
4040 if (SSA_NAME_VAR (poisoned_var) == NULL_TREE)
4041 SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var,
4042 create_tmp_var (TREE_TYPE (poisoned_var)));
4044 tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var),
4045 shadow_vars_mapping);
4047 bool recover_p;
4048 if (flag_sanitize & SANITIZE_USER_ADDRESS)
4049 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
4050 else
4051 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
4052 tree size = DECL_SIZE_UNIT (shadow_var);
4053 gimple *poison_call
4054 = gimple_build_call_internal (IFN_ASAN_MARK, 3,
4055 build_int_cst (integer_type_node,
4056 ASAN_MARK_POISON),
4057 build_fold_addr_expr (shadow_var), size);
4059 gimple *use;
4060 imm_use_iterator imm_iter;
4061 FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var)
4063 if (is_gimple_debug (use))
4064 continue;
4066 int nargs;
4067 bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE);
4068 gcall *call;
4069 if (hwasan_sanitize_p ())
4071 tree fun = builtin_decl_implicit (BUILT_IN_HWASAN_TAG_MISMATCH4);
4072 /* NOTE: hwasan has no __hwasan_report_* functions like asan does.
4073 We use __hwasan_tag_mismatch4 with arguments that tell it the
4074 size of access and load to report all tag mismatches.
4076 The arguments to this function are:
4077 Address of invalid access.
4078 Bitfield containing information about the access
4079 (access_info)
4080 Pointer to a frame of registers
4081 (for use in printing the contents of registers in a dump)
4082 Not used yet -- to be used by inline instrumentation.
4083 Size of access.
4085 The access_info bitfield encodes the following pieces of
4086 information:
4087 - Is this a store or load?
4088 access_info & 0x10 => store
4089 - Should the program continue after reporting the error?
4090 access_info & 0x20 => recover
4091 - What size access is this (not used here since we can always
4092 pass the size in the last argument)
4094 if (access_info & 0xf == 0xf)
4095 size is taken from last argument.
4096 else
4097 size == 1 << (access_info & 0xf)
4099 The last argument contains the size of the access iff the
4100 access_info size indicator is 0xf (we always use this argument
4101 rather than storing the size in the access_info bitfield).
4103 See the function definition `__hwasan_tag_mismatch4` in
4104 libsanitizer/hwasan for the full definition.
4106 unsigned access_info = (0x20 * recover_p)
4107 + (0x10 * store_p)
4108 + (0xf);
4109 call = gimple_build_call (fun, 4,
4110 build_fold_addr_expr (shadow_var),
4111 build_int_cst (pointer_sized_int_node,
4112 access_info),
4113 build_int_cst (pointer_sized_int_node, 0),
4114 size);
4116 else
4118 tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size),
4119 &nargs);
4120 call = gimple_build_call (fun, 1,
4121 build_fold_addr_expr (shadow_var));
4123 gimple_set_location (call, gimple_location (use));
4124 gimple *call_to_insert = call;
4126 /* The USE can be a gimple PHI node. If so, insert the call on
4127 all edges leading to the PHI node. */
4128 if (is_a <gphi *> (use))
4130 gphi *phi = dyn_cast<gphi *> (use);
4131 for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i)
4132 if (gimple_phi_arg_def (phi, i) == poisoned_var)
4134 edge e = gimple_phi_arg_edge (phi, i);
4136 /* Do not insert on an edge we can't split. */
4137 if (e->flags & EDGE_ABNORMAL)
4138 continue;
4140 if (call_to_insert == NULL)
4141 call_to_insert = gimple_copy (call);
4143 gsi_insert_seq_on_edge (e, call_to_insert);
4144 *need_commit_edge_insert = true;
4145 call_to_insert = NULL;
4148 else
4150 gimple_stmt_iterator gsi = gsi_for_stmt (use);
4151 if (store_p)
4152 gsi_replace (&gsi, call, true);
4153 else
4154 gsi_insert_before (&gsi, call, GSI_NEW_STMT);
4158 SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true;
4159 SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop ();
4160 gsi_replace (iter, poison_call, false);
4162 return true;
4165 /* Instrument the current function. */
4167 static unsigned int
4168 asan_instrument (void)
4170 if (hwasan_sanitize_p ())
4172 transform_statements ();
4173 return 0;
4176 if (shadow_ptr_types[0] == NULL_TREE)
4177 asan_init_shadow_ptr_types ();
4178 transform_statements ();
4179 last_alloca_addr = NULL_TREE;
4180 return 0;
4183 static bool
4184 gate_asan (void)
4186 return sanitize_flags_p (SANITIZE_ADDRESS);
4189 namespace {
4191 const pass_data pass_data_asan =
4193 GIMPLE_PASS, /* type */
4194 "asan", /* name */
4195 OPTGROUP_NONE, /* optinfo_flags */
4196 TV_NONE, /* tv_id */
4197 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
4198 0, /* properties_provided */
4199 0, /* properties_destroyed */
4200 0, /* todo_flags_start */
4201 TODO_update_ssa, /* todo_flags_finish */
4204 class pass_asan : public gimple_opt_pass
4206 public:
4207 pass_asan (gcc::context *ctxt)
4208 : gimple_opt_pass (pass_data_asan, ctxt)
4211 /* opt_pass methods: */
4212 opt_pass * clone () { return new pass_asan (m_ctxt); }
4213 virtual bool gate (function *) { return gate_asan () || gate_hwasan (); }
4214 virtual unsigned int execute (function *) { return asan_instrument (); }
4216 }; // class pass_asan
4218 } // anon namespace
4220 gimple_opt_pass *
4221 make_pass_asan (gcc::context *ctxt)
4223 return new pass_asan (ctxt);
4226 namespace {
4228 const pass_data pass_data_asan_O0 =
4230 GIMPLE_PASS, /* type */
4231 "asan0", /* name */
4232 OPTGROUP_NONE, /* optinfo_flags */
4233 TV_NONE, /* tv_id */
4234 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
4235 0, /* properties_provided */
4236 0, /* properties_destroyed */
4237 0, /* todo_flags_start */
4238 TODO_update_ssa, /* todo_flags_finish */
4241 class pass_asan_O0 : public gimple_opt_pass
4243 public:
4244 pass_asan_O0 (gcc::context *ctxt)
4245 : gimple_opt_pass (pass_data_asan_O0, ctxt)
4248 /* opt_pass methods: */
4249 virtual bool gate (function *)
4251 return !optimize && (gate_asan () || gate_hwasan ());
4253 virtual unsigned int execute (function *) { return asan_instrument (); }
4255 }; // class pass_asan_O0
4257 } // anon namespace
4259 gimple_opt_pass *
4260 make_pass_asan_O0 (gcc::context *ctxt)
4262 return new pass_asan_O0 (ctxt);
4265 /* HWASAN */
4267 /* For stack tagging:
4269 Return the offset from the frame base tag that the "next" expanded object
4270 should have. */
4271 uint8_t
4272 hwasan_current_frame_tag ()
4274 return hwasan_frame_tag_offset;
4277 /* For stack tagging:
4279 Return the 'base pointer' for this function. If that base pointer has not
4280 yet been created then we create a register to hold it and record the insns
4281 to initialize the register in `hwasan_frame_base_init_seq` for later
4282 emission. */
4284 hwasan_frame_base ()
4286 if (! hwasan_frame_base_ptr)
4288 start_sequence ();
4289 hwasan_frame_base_ptr
4290 = force_reg (Pmode,
4291 targetm.memtag.insert_random_tag (virtual_stack_vars_rtx,
4292 NULL_RTX));
4293 hwasan_frame_base_init_seq = get_insns ();
4294 end_sequence ();
4297 return hwasan_frame_base_ptr;
4300 /* For stack tagging:
4302 Check whether this RTX is a standard pointer addressing the base of the
4303 stack variables for this frame. Returns true if the RTX is either
4304 virtual_stack_vars_rtx or hwasan_frame_base_ptr. */
4305 bool
4306 stack_vars_base_reg_p (rtx base)
4308 return base == virtual_stack_vars_rtx || base == hwasan_frame_base_ptr;
4311 /* For stack tagging:
4313 Emit frame base initialisation.
4314 If hwasan_frame_base has been used before here then
4315 hwasan_frame_base_init_seq contains the sequence of instructions to
4316 initialize it. This must be put just before the hwasan prologue, so we emit
4317 the insns before parm_birth_insn (which will point to the first instruction
4318 of the hwasan prologue if it exists).
4320 We update `parm_birth_insn` to point to the start of this initialisation
4321 since that represents the end of the initialisation done by
4322 expand_function_{start,end} functions and we want to maintain that. */
4323 void
4324 hwasan_maybe_emit_frame_base_init ()
4326 if (! hwasan_frame_base_init_seq)
4327 return;
4328 emit_insn_before (hwasan_frame_base_init_seq, parm_birth_insn);
4329 parm_birth_insn = hwasan_frame_base_init_seq;
4332 /* Record a compile-time constant size stack variable that HWASAN will need to
4333 tag. This record of the range of a stack variable will be used by
4334 `hwasan_emit_prologue` to emit the RTL at the start of each frame which will
4335 set tags in the shadow memory according to the assigned tag for each object.
4337 The range that the object spans in stack space should be described by the
4338 bounds `untagged_base + nearest_offset` and
4339 `untagged_base + farthest_offset`.
4340 `tagged_base` is the base address which contains the "base frame tag" for
4341 this frame, and from which the value to address this object with will be
4342 calculated.
4344 We record the `untagged_base` since the functions in the hwasan library we
4345 use to tag memory take pointers without a tag. */
4346 void
4347 hwasan_record_stack_var (rtx untagged_base, rtx tagged_base,
4348 poly_int64 nearest_offset, poly_int64 farthest_offset)
4350 hwasan_stack_var cur_var;
4351 cur_var.untagged_base = untagged_base;
4352 cur_var.tagged_base = tagged_base;
4353 cur_var.nearest_offset = nearest_offset;
4354 cur_var.farthest_offset = farthest_offset;
4355 cur_var.tag_offset = hwasan_current_frame_tag ();
4357 hwasan_tagged_stack_vars.safe_push (cur_var);
4360 /* Return the RTX representing the farthest extent of the statically allocated
4361 stack objects for this frame. If hwasan_frame_base_ptr has not been
4362 initialized then we are not storing any static variables on the stack in
4363 this frame. In this case we return NULL_RTX to represent that.
4365 Otherwise simply return virtual_stack_vars_rtx + frame_offset. */
4367 hwasan_get_frame_extent ()
4369 return (hwasan_frame_base_ptr
4370 ? plus_constant (Pmode, virtual_stack_vars_rtx, frame_offset)
4371 : NULL_RTX);
4374 /* For stack tagging:
4376 Increment the frame tag offset modulo the size a tag can represent. */
4377 void
4378 hwasan_increment_frame_tag ()
4380 uint8_t tag_bits = HWASAN_TAG_SIZE;
4381 gcc_assert (HWASAN_TAG_SIZE
4382 <= sizeof (hwasan_frame_tag_offset) * CHAR_BIT);
4383 hwasan_frame_tag_offset = (hwasan_frame_tag_offset + 1) % (1 << tag_bits);
4384 /* The "background tag" of the stack is zero by definition.
4385 This is the tag that objects like parameters passed on the stack and
4386 spilled registers are given. It is handy to avoid this tag for objects
4387 whose tags we decide ourselves, partly to ensure that buffer overruns
4388 can't affect these important variables (e.g. saved link register, saved
4389 stack pointer etc) and partly to make debugging easier (everything with a
4390 tag of zero is space allocated automatically by the compiler).
4392 This is not feasible when using random frame tags (the default
4393 configuration for hwasan) since the tag for the given frame is randomly
4394 chosen at runtime. In order to avoid any tags matching the stack
4395 background we would need to decide tag offsets at runtime instead of
4396 compile time (and pay the resulting performance cost).
4398 When not using random base tags for each frame (i.e. when compiled with
4399 `--param hwasan-random-frame-tag=0`) the base tag for each frame is zero.
4400 This means the tag that each object gets is equal to the
4401 hwasan_frame_tag_offset used in determining it.
4402 When this is the case we *can* ensure no object gets the tag of zero by
4403 simply ensuring no object has the hwasan_frame_tag_offset of zero.
4405 There is the extra complication that we only record the
4406 hwasan_frame_tag_offset here (which is the offset from the tag stored in
4407 the stack pointer). In the kernel, the tag in the stack pointer is 0xff
4408 rather than zero. This does not cause problems since tags of 0xff are
4409 never checked in the kernel. As mentioned at the beginning of this
4410 comment the background tag of the stack is zero by definition, which means
4411 that for the kernel we should skip offsets of both 0 and 1 from the stack
4412 pointer. Avoiding the offset of 0 ensures we use a tag which will be
4413 checked, avoiding the offset of 1 ensures we use a tag that is not the
4414 same as the background. */
4415 if (hwasan_frame_tag_offset == 0 && ! param_hwasan_random_frame_tag)
4416 hwasan_frame_tag_offset += 1;
4417 if (hwasan_frame_tag_offset == 1 && ! param_hwasan_random_frame_tag
4418 && sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS))
4419 hwasan_frame_tag_offset += 1;
4422 /* Clear internal state for the next function.
4423 This function is called before variables on the stack get expanded, in
4424 `init_vars_expansion`. */
4425 void
4426 hwasan_record_frame_init ()
4428 delete asan_used_labels;
4429 asan_used_labels = NULL;
4431 /* If this isn't the case then some stack variable was recorded *before*
4432 hwasan_record_frame_init is called, yet *after* the hwasan prologue for
4433 the previous frame was emitted. Such stack variables would not have
4434 their shadow stack filled in. */
4435 gcc_assert (hwasan_tagged_stack_vars.is_empty ());
4436 hwasan_frame_base_ptr = NULL_RTX;
4437 hwasan_frame_base_init_seq = NULL;
4439 /* When not using a random frame tag we can avoid the background stack
4440 color which gives the user a little better debug output upon a crash.
4441 Meanwhile, when using a random frame tag it will be nice to avoid adding
4442 tags for the first object since that is unnecessary extra work.
4443 Hence set the initial hwasan_frame_tag_offset to be 0 if using a random
4444 frame tag and 1 otherwise.
4446 As described in hwasan_increment_frame_tag, in the kernel the stack
4447 pointer has the tag 0xff. That means that to avoid 0xff and 0 (the tag
4448 which the kernel does not check and the background tag respectively) we
4449 start with a tag offset of 2. */
4450 hwasan_frame_tag_offset = param_hwasan_random_frame_tag
4452 : sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS) ? 2 : 1;
4455 /* For stack tagging:
4456 (Emits HWASAN equivalent of what is emitted by
4457 `asan_emit_stack_protection`).
4459 Emits the extra prologue code to set the shadow stack as required for HWASAN
4460 stack instrumentation.
4462 Uses the vector of recorded stack variables hwasan_tagged_stack_vars. When
4463 this function has completed hwasan_tagged_stack_vars is empty and all
4464 objects it had pointed to are deallocated. */
4465 void
4466 hwasan_emit_prologue ()
4468 /* We need untagged base pointers since libhwasan only accepts untagged
4469 pointers in __hwasan_tag_memory. We need the tagged base pointer to obtain
4470 the base tag for an offset. */
4472 if (hwasan_tagged_stack_vars.is_empty ())
4473 return;
4475 poly_int64 bot = 0, top = 0;
4476 for (hwasan_stack_var &cur : hwasan_tagged_stack_vars)
4478 poly_int64 nearest = cur.nearest_offset;
4479 poly_int64 farthest = cur.farthest_offset;
4481 if (known_ge (nearest, farthest))
4483 top = nearest;
4484 bot = farthest;
4486 else
4488 /* Given how these values are calculated, one must be known greater
4489 than the other. */
4490 gcc_assert (known_le (nearest, farthest));
4491 top = farthest;
4492 bot = nearest;
4494 poly_int64 size = (top - bot);
4496 /* Assert the edge of each variable is aligned to the HWASAN tag granule
4497 size. */
4498 gcc_assert (multiple_p (top, HWASAN_TAG_GRANULE_SIZE));
4499 gcc_assert (multiple_p (bot, HWASAN_TAG_GRANULE_SIZE));
4500 gcc_assert (multiple_p (size, HWASAN_TAG_GRANULE_SIZE));
4502 rtx fn = init_one_libfunc ("__hwasan_tag_memory");
4503 rtx base_tag = targetm.memtag.extract_tag (cur.tagged_base, NULL_RTX);
4504 rtx tag = plus_constant (QImode, base_tag, cur.tag_offset);
4505 tag = hwasan_truncate_to_tag_size (tag, NULL_RTX);
4507 rtx bottom = convert_memory_address (ptr_mode,
4508 plus_constant (Pmode,
4509 cur.untagged_base,
4510 bot));
4511 emit_library_call (fn, LCT_NORMAL, VOIDmode,
4512 bottom, ptr_mode,
4513 tag, QImode,
4514 gen_int_mode (size, ptr_mode), ptr_mode);
4516 /* Clear the stack vars, we've emitted the prologue for them all now. */
4517 hwasan_tagged_stack_vars.truncate (0);
4520 /* For stack tagging:
4522 Return RTL insns to clear the tags between DYNAMIC and VARS pointers
4523 into the stack. These instructions should be emitted at the end of
4524 every function.
4526 If `dynamic` is NULL_RTX then no insns are returned. */
4527 rtx_insn *
4528 hwasan_emit_untag_frame (rtx dynamic, rtx vars)
4530 if (! dynamic)
4531 return NULL;
4533 start_sequence ();
4535 dynamic = convert_memory_address (ptr_mode, dynamic);
4536 vars = convert_memory_address (ptr_mode, vars);
4538 rtx top_rtx;
4539 rtx bot_rtx;
4540 if (FRAME_GROWS_DOWNWARD)
4542 top_rtx = vars;
4543 bot_rtx = dynamic;
4545 else
4547 top_rtx = dynamic;
4548 bot_rtx = vars;
4551 rtx size_rtx = expand_simple_binop (ptr_mode, MINUS, top_rtx, bot_rtx,
4552 NULL_RTX, /* unsignedp = */0,
4553 OPTAB_DIRECT);
4555 rtx fn = init_one_libfunc ("__hwasan_tag_memory");
4556 emit_library_call (fn, LCT_NORMAL, VOIDmode,
4557 bot_rtx, ptr_mode,
4558 HWASAN_STACK_BACKGROUND, QImode,
4559 size_rtx, ptr_mode);
4561 do_pending_stack_adjust ();
4562 rtx_insn *insns = get_insns ();
4563 end_sequence ();
4564 return insns;
4567 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
4568 invoke ggc_collect. */
4569 static GTY(()) tree hwasan_ctor_statements;
4571 /* Insert module initialization into this TU. This initialization calls the
4572 initialization code for libhwasan. */
4573 void
4574 hwasan_finish_file (void)
4576 /* Do not emit constructor initialization for the kernel.
4577 (the kernel has its own initialization already). */
4578 if (flag_sanitize & SANITIZE_KERNEL_HWADDRESS)
4579 return;
4581 /* Avoid instrumenting code in the hwasan constructors/destructors. */
4582 flag_sanitize &= ~SANITIZE_HWADDRESS;
4583 int priority = MAX_RESERVED_INIT_PRIORITY - 1;
4584 tree fn = builtin_decl_implicit (BUILT_IN_HWASAN_INIT);
4585 append_to_statement_list (build_call_expr (fn, 0), &hwasan_ctor_statements);
4586 cgraph_build_static_cdtor ('I', hwasan_ctor_statements, priority);
4587 flag_sanitize |= SANITIZE_HWADDRESS;
4590 /* For stack tagging:
4592 Truncate `tag` to the number of bits that a tag uses (i.e. to
4593 HWASAN_TAG_SIZE). Store the result in `target` if it's convenient. */
4595 hwasan_truncate_to_tag_size (rtx tag, rtx target)
4597 gcc_assert (GET_MODE (tag) == QImode);
4598 if (HWASAN_TAG_SIZE != GET_MODE_PRECISION (QImode))
4600 gcc_assert (GET_MODE_PRECISION (QImode) > HWASAN_TAG_SIZE);
4601 rtx mask = gen_int_mode ((HOST_WIDE_INT_1U << HWASAN_TAG_SIZE) - 1,
4602 QImode);
4603 tag = expand_simple_binop (QImode, AND, tag, mask, target,
4604 /* unsignedp = */1, OPTAB_WIDEN);
4605 gcc_assert (tag);
4607 return tag;
4610 /* Construct a function tree for __hwasan_{load,store}{1,2,4,8,16,_n}.
4611 IS_STORE is either 1 (for a store) or 0 (for a load). */
4612 static combined_fn
4613 hwasan_check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
4614 int *nargs)
4616 static enum built_in_function check[2][2][6]
4617 = { { { BUILT_IN_HWASAN_LOAD1, BUILT_IN_HWASAN_LOAD2,
4618 BUILT_IN_HWASAN_LOAD4, BUILT_IN_HWASAN_LOAD8,
4619 BUILT_IN_HWASAN_LOAD16, BUILT_IN_HWASAN_LOADN },
4620 { BUILT_IN_HWASAN_STORE1, BUILT_IN_HWASAN_STORE2,
4621 BUILT_IN_HWASAN_STORE4, BUILT_IN_HWASAN_STORE8,
4622 BUILT_IN_HWASAN_STORE16, BUILT_IN_HWASAN_STOREN } },
4623 { { BUILT_IN_HWASAN_LOAD1_NOABORT,
4624 BUILT_IN_HWASAN_LOAD2_NOABORT,
4625 BUILT_IN_HWASAN_LOAD4_NOABORT,
4626 BUILT_IN_HWASAN_LOAD8_NOABORT,
4627 BUILT_IN_HWASAN_LOAD16_NOABORT,
4628 BUILT_IN_HWASAN_LOADN_NOABORT },
4629 { BUILT_IN_HWASAN_STORE1_NOABORT,
4630 BUILT_IN_HWASAN_STORE2_NOABORT,
4631 BUILT_IN_HWASAN_STORE4_NOABORT,
4632 BUILT_IN_HWASAN_STORE8_NOABORT,
4633 BUILT_IN_HWASAN_STORE16_NOABORT,
4634 BUILT_IN_HWASAN_STOREN_NOABORT } } };
4635 if (size_in_bytes == -1)
4637 *nargs = 2;
4638 return as_combined_fn (check[recover_p][is_store][5]);
4640 *nargs = 1;
4641 int size_log2 = exact_log2 (size_in_bytes);
4642 gcc_assert (size_log2 >= 0 && size_log2 <= 5);
4643 return as_combined_fn (check[recover_p][is_store][size_log2]);
4646 /* Expand the HWASAN_{LOAD,STORE} builtins. */
4647 bool
4648 hwasan_expand_check_ifn (gimple_stmt_iterator *iter, bool)
4650 gimple *g = gsi_stmt (*iter);
4651 location_t loc = gimple_location (g);
4652 bool recover_p;
4653 if (flag_sanitize & SANITIZE_USER_HWADDRESS)
4654 recover_p = (flag_sanitize_recover & SANITIZE_USER_HWADDRESS) != 0;
4655 else
4656 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_HWADDRESS) != 0;
4658 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
4659 gcc_assert (flags < ASAN_CHECK_LAST);
4660 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
4661 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
4662 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
4664 tree base = gimple_call_arg (g, 1);
4665 tree len = gimple_call_arg (g, 2);
4667 /* `align` is unused for HWASAN_CHECK, but we pass the argument anyway
4668 since that way the arguments match ASAN_CHECK. */
4669 /* HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3)); */
4671 unsigned HOST_WIDE_INT size_in_bytes
4672 = is_scalar_access ? tree_to_shwi (len) : -1;
4674 gimple_stmt_iterator gsi = *iter;
4676 if (!is_non_zero_len)
4678 /* So, the length of the memory area to hwasan-protect is
4679 non-constant. Let's guard the generated instrumentation code
4680 like:
4682 if (len != 0)
4684 // hwasan instrumentation code goes here.
4686 // falltrough instructions, starting with *ITER. */
4688 g = gimple_build_cond (NE_EXPR,
4689 len,
4690 build_int_cst (TREE_TYPE (len), 0),
4691 NULL_TREE, NULL_TREE);
4692 gimple_set_location (g, loc);
4694 basic_block then_bb, fallthrough_bb;
4695 insert_if_then_before_iter (as_a <gcond *> (g), iter,
4696 /*then_more_likely_p=*/true,
4697 &then_bb, &fallthrough_bb);
4698 /* Note that fallthrough_bb starts with the statement that was
4699 pointed to by ITER. */
4701 /* The 'then block' of the 'if (len != 0) condition is where
4702 we'll generate the hwasan instrumentation code now. */
4703 gsi = gsi_last_bb (then_bb);
4706 gimple_seq stmts = NULL;
4707 tree base_addr = gimple_build (&stmts, loc, NOP_EXPR,
4708 pointer_sized_int_node, base);
4710 int nargs = 0;
4711 combined_fn fn
4712 = hwasan_check_func (is_store, recover_p, size_in_bytes, &nargs);
4713 if (nargs == 1)
4714 gimple_build (&stmts, loc, fn, void_type_node, base_addr);
4715 else
4717 gcc_assert (nargs == 2);
4718 tree sz_arg = gimple_build (&stmts, loc, NOP_EXPR,
4719 pointer_sized_int_node, len);
4720 gimple_build (&stmts, loc, fn, void_type_node, base_addr, sz_arg);
4723 gsi_insert_seq_after (&gsi, stmts, GSI_NEW_STMT);
4724 gsi_remove (iter, true);
4725 *iter = gsi;
4726 return false;
4729 /* For stack tagging:
4731 Dummy: the HWASAN_MARK internal function should only ever be in the code
4732 after the sanopt pass. */
4733 bool
4734 hwasan_expand_mark_ifn (gimple_stmt_iterator *)
4736 gcc_unreachable ();
4739 bool
4740 gate_hwasan ()
4742 return hwasan_sanitize_p ();
4745 #include "gt-asan.h"