search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Daily bump.
[official-gcc.git] / gcc / asan.c
blob95004d734a5556c0b5ef938401b42a3ab4f5ae5d
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2017 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
11
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "backend.h"
26 #include "target.h"
27 #include "rtl.h"
28 #include "tree.h"
29 #include "gimple.h"
30 #include "cfghooks.h"
31 #include "alloc-pool.h"
32 #include "tree-pass.h"
33 #include "memmodel.h"
34 #include "tm_p.h"
35 #include "ssa.h"
36 #include "stringpool.h"
37 #include "tree-ssanames.h"
38 #include "optabs.h"
39 #include "emit-rtl.h"
40 #include "cgraph.h"
41 #include "gimple-pretty-print.h"
42 #include "alias.h"
43 #include "fold-const.h"
44 #include "cfganal.h"
45 #include "gimplify.h"
46 #include "gimple-iterator.h"
47 #include "varasm.h"
48 #include "stor-layout.h"
49 #include "tree-iterator.h"
50 #include "asan.h"
51 #include "dojump.h"
52 #include "explow.h"
53 #include "expr.h"
54 #include "output.h"
55 #include "langhooks.h"
56 #include "cfgloop.h"
57 #include "gimple-builder.h"
58 #include "gimple-fold.h"
59 #include "ubsan.h"
60 #include "params.h"
61 #include "builtins.h"
62 #include "fnmatch.h"
63 #include "tree-inline.h"
64
65 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
66 with <2x slowdown on average.
67
68 The tool consists of two parts:
69 instrumentation module (this file) and a run-time library.
70 The instrumentation module adds a run-time check before every memory insn.
71 For a 8- or 16- byte load accessing address X:
72 ShadowAddr = (X >> 3) + Offset
73 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
74 if (ShadowValue)
75 __asan_report_load8(X);
76 For a load of N bytes (N=1, 2 or 4) from address X:
77 ShadowAddr = (X >> 3) + Offset
78 ShadowValue = *(char*)ShadowAddr;
79 if (ShadowValue)
80 if ((X & 7) + N - 1 > ShadowValue)
81 __asan_report_loadN(X);
82 Stores are instrumented similarly, but using __asan_report_storeN functions.
83 A call too __asan_init_vN() is inserted to the list of module CTORs.
84 N is the version number of the AddressSanitizer API. The changes between the
85 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
86
87 The run-time library redefines malloc (so that redzone are inserted around
88 the allocated memory) and free (so that reuse of free-ed memory is delayed),
89 provides __asan_report* and __asan_init_vN functions.
90
91 Read more:
92 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
93
94 The current implementation supports detection of out-of-bounds and
95 use-after-free in the heap, on the stack and for global variables.
96
97 [Protection of stack variables]
98
99 To understand how detection of out-of-bounds and use-after-free works
100 for stack variables, lets look at this example on x86_64 where the
101 stack grows downward:
102
103 int
104 foo ()
105 {
106 char a[23] = {0};
107 int b[2] = {0};
108
109 a[5] = 1;
110 b[1] = 2;
111
112 return a[5] + b[1];
113 }
114
115 For this function, the stack protected by asan will be organized as
116 follows, from the top of the stack to the bottom:
117
118 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
119
120 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
121 the next slot be 32 bytes aligned; this one is called Partial
122 Redzone; this 32 bytes alignment is an asan constraint]
123
124 Slot 3/ [24 bytes for variable 'a']
125
126 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
127
128 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
129
130 Slot 6/ [8 bytes for variable 'b']
131
132 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
133 'LEFT RedZone']
134
135 The 32 bytes of LEFT red zone at the bottom of the stack can be
136 decomposed as such:
137
138 1/ The first 8 bytes contain a magical asan number that is always
139 0x41B58AB3.
140
141 2/ The following 8 bytes contains a pointer to a string (to be
142 parsed at runtime by the runtime asan library), which format is
143 the following:
144
145 "<function-name> <space> <num-of-variables-on-the-stack>
146 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
147 <length-of-var-in-bytes> ){n} "
148
149 where '(...){n}' means the content inside the parenthesis occurs 'n'
150 times, with 'n' being the number of variables on the stack.
151
152 3/ The following 8 bytes contain the PC of the current function which
153 will be used by the run-time library to print an error message.
154
155 4/ The following 8 bytes are reserved for internal use by the run-time.
156
157 The shadow memory for that stack layout is going to look like this:
158
159 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
160 The F1 byte pattern is a magic number called
161 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
162 the memory for that shadow byte is part of a the LEFT red zone
163 intended to seat at the bottom of the variables on the stack.
164
165 - content of shadow memory 8 bytes for slots 6 and 5:
166 0xF4F4F400. The F4 byte pattern is a magic number
167 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
168 memory region for this shadow byte is a PARTIAL red zone
169 intended to pad a variable A, so that the slot following
170 {A,padding} is 32 bytes aligned.
171
172 Note that the fact that the least significant byte of this
173 shadow memory content is 00 means that 8 bytes of its
174 corresponding memory (which corresponds to the memory of
175 variable 'b') is addressable.
176
177 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
178 The F2 byte pattern is a magic number called
179 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
180 region for this shadow byte is a MIDDLE red zone intended to
181 seat between two 32 aligned slots of {variable,padding}.
182
183 - content of shadow memory 8 bytes for slot 3 and 2:
184 0xF4000000. This represents is the concatenation of
185 variable 'a' and the partial red zone following it, like what we
186 had for variable 'b'. The least significant 3 bytes being 00
187 means that the 3 bytes of variable 'a' are addressable.
188
189 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
190 The F3 byte pattern is a magic number called
191 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
192 region for this shadow byte is a RIGHT red zone intended to seat
193 at the top of the variables of the stack.
194
195 Note that the real variable layout is done in expand_used_vars in
196 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
197 stack variables as well as the different red zones, emits some
198 prologue code to populate the shadow memory as to poison (mark as
199 non-accessible) the regions of the red zones and mark the regions of
200 stack variables as accessible, and emit some epilogue code to
201 un-poison (mark as accessible) the regions of red zones right before
202 the function exits.
203
204 [Protection of global variables]
205
206 The basic idea is to insert a red zone between two global variables
207 and install a constructor function that calls the asan runtime to do
208 the populating of the relevant shadow memory regions at load time.
209
210 So the global variables are laid out as to insert a red zone between
211 them. The size of the red zones is so that each variable starts on a
212 32 bytes boundary.
213
214 Then a constructor function is installed so that, for each global
215 variable, it calls the runtime asan library function
216 __asan_register_globals_with an instance of this type:
217
218 struct __asan_global
219 {
220 // Address of the beginning of the global variable.
221 const void *__beg;
222
223 // Initial size of the global variable.
224 uptr __size;
225
226 // Size of the global variable + size of the red zone. This
227 // size is 32 bytes aligned.
228 uptr __size_with_redzone;
229
230 // Name of the global variable.
231 const void *__name;
232
233 // Name of the module where the global variable is declared.
234 const void *__module_name;
235
236 // 1 if it has dynamic initialization, 0 otherwise.
237 uptr __has_dynamic_init;
238
239 // A pointer to struct that contains source location, could be NULL.
240 __asan_global_source_location *__location;
241 }
242
243 A destructor function that calls the runtime asan library function
244 _asan_unregister_globals is also installed. */
245
246 static unsigned HOST_WIDE_INT asan_shadow_offset_value;
247 static bool asan_shadow_offset_computed;
248 static vec<char *> sanitized_sections;
249 static tree last_alloca_addr;
250
251 /* Set of variable declarations that are going to be guarded by
252 use-after-scope sanitizer. */
253
254 static hash_set<tree> *asan_handled_variables = NULL;
255
256 hash_set <tree> *asan_used_labels = NULL;
257
258 /* Sets shadow offset to value in string VAL. */
259
260 bool
261 set_asan_shadow_offset (const char *val)
262 {
263 char *endp;
264
265 errno = 0;
266 #ifdef HAVE_LONG_LONG
267 asan_shadow_offset_value = strtoull (val, &endp, 0);
268 #else
269 asan_shadow_offset_value = strtoul (val, &endp, 0);
270 #endif
271 if (!(*val != '\0' && *endp == '\0' && errno == 0))
272 return false;
273
274 asan_shadow_offset_computed = true;
275
276 return true;
277 }
278
279 /* Set list of user-defined sections that need to be sanitized. */
280
281 void
282 set_sanitized_sections (const char *sections)
283 {
284 char *pat;
285 unsigned i;
286 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
287 free (pat);
288 sanitized_sections.truncate (0);
289
290 for (const char *s = sections; *s; )
291 {
292 const char *end;
293 for (end = s; *end && *end != ','; ++end);
294 size_t len = end - s;
295 sanitized_sections.safe_push (xstrndup (s, len));
296 s = *end ? end + 1 : end;
297 }
298 }
299
300 bool
301 asan_mark_p (gimple *stmt, enum asan_mark_flags flag)
302 {
303 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
304 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag);
305 }
306
307 bool
308 asan_sanitize_stack_p (void)
309 {
310 return (sanitize_flags_p (SANITIZE_ADDRESS) && ASAN_STACK);
311 }
312
313 bool
314 asan_sanitize_allocas_p (void)
315 {
316 return (asan_sanitize_stack_p () && ASAN_PROTECT_ALLOCAS);
317 }
318
319 /* Checks whether section SEC should be sanitized. */
320
321 static bool
322 section_sanitized_p (const char *sec)
323 {
324 char *pat;
325 unsigned i;
326 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
327 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
328 return true;
329 return false;
330 }
331
332 /* Returns Asan shadow offset. */
333
334 static unsigned HOST_WIDE_INT
335 asan_shadow_offset ()
336 {
337 if (!asan_shadow_offset_computed)
338 {
339 asan_shadow_offset_computed = true;
340 asan_shadow_offset_value = targetm.asan_shadow_offset ();
341 }
342 return asan_shadow_offset_value;
343 }
344
345 alias_set_type asan_shadow_set = -1;
346
347 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
348 alias set is used for all shadow memory accesses. */
349 static GTY(()) tree shadow_ptr_types[3];
350
351 /* Decl for __asan_option_detect_stack_use_after_return. */
352 static GTY(()) tree asan_detect_stack_use_after_return;
353
354 /* Hashtable support for memory references used by gimple
355 statements. */
356
357 /* This type represents a reference to a memory region. */
358 struct asan_mem_ref
359 {
360 /* The expression of the beginning of the memory region. */
361 tree start;
362
363 /* The size of the access. */
364 HOST_WIDE_INT access_size;
365 };
366
367 object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
368
369 /* Initializes an instance of asan_mem_ref. */
370
371 static void
372 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
373 {
374 ref->start = start;
375 ref->access_size = access_size;
376 }
377
378 /* Allocates memory for an instance of asan_mem_ref into the memory
379 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
380 START is the address of (or the expression pointing to) the
381 beginning of memory reference. ACCESS_SIZE is the size of the
382 access to the referenced memory. */
383
384 static asan_mem_ref*
385 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
386 {
387 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
388
389 asan_mem_ref_init (ref, start, access_size);
390 return ref;
391 }
392
393 /* This builds and returns a pointer to the end of the memory region
394 that starts at START and of length LEN. */
395
396 tree
397 asan_mem_ref_get_end (tree start, tree len)
398 {
399 if (len == NULL_TREE || integer_zerop (len))
400 return start;
401
402 if (!ptrofftype_p (len))
403 len = convert_to_ptrofftype (len);
404
405 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
406 }
407
408 /* Return a tree expression that represents the end of the referenced
409 memory region. Beware that this function can actually build a new
410 tree expression. */
411
412 tree
413 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
414 {
415 return asan_mem_ref_get_end (ref->start, len);
416 }
417
418 struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
419 {
420 static inline hashval_t hash (const asan_mem_ref *);
421 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
422 };
423
424 /* Hash a memory reference. */
425
426 inline hashval_t
427 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
428 {
429 return iterative_hash_expr (mem_ref->start, 0);
430 }
431
432 /* Compare two memory references. We accept the length of either
433 memory references to be NULL_TREE. */
434
435 inline bool
436 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
437 const asan_mem_ref *m2)
438 {
439 return operand_equal_p (m1->start, m2->start, 0);
440 }
441
442 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
443
444 /* Returns a reference to the hash table containing memory references.
445 This function ensures that the hash table is created. Note that
446 this hash table is updated by the function
447 update_mem_ref_hash_table. */
448
449 static hash_table<asan_mem_ref_hasher> *
450 get_mem_ref_hash_table ()
451 {
452 if (!asan_mem_ref_ht)
453 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
454
455 return asan_mem_ref_ht;
456 }
457
458 /* Clear all entries from the memory references hash table. */
459
460 static void
461 empty_mem_ref_hash_table ()
462 {
463 if (asan_mem_ref_ht)
464 asan_mem_ref_ht->empty ();
465 }
466
467 /* Free the memory references hash table. */
468
469 static void
470 free_mem_ref_resources ()
471 {
472 delete asan_mem_ref_ht;
473 asan_mem_ref_ht = NULL;
474
475 asan_mem_ref_pool.release ();
476 }
477
478 /* Return true iff the memory reference REF has been instrumented. */
479
480 static bool
481 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
482 {
483 asan_mem_ref r;
484 asan_mem_ref_init (&r, ref, access_size);
485
486 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
487 return saved_ref && saved_ref->access_size >= access_size;
488 }
489
490 /* Return true iff the memory reference REF has been instrumented. */
491
492 static bool
493 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
494 {
495 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
496 }
497
498 /* Return true iff access to memory region starting at REF and of
499 length LEN has been instrumented. */
500
501 static bool
502 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
503 {
504 HOST_WIDE_INT size_in_bytes
505 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
506
507 return size_in_bytes != -1
508 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
509 }
510
511 /* Set REF to the memory reference present in a gimple assignment
512 ASSIGNMENT. Return true upon successful completion, false
513 otherwise. */
514
515 static bool
516 get_mem_ref_of_assignment (const gassign *assignment,
517 asan_mem_ref *ref,
518 bool *ref_is_store)
519 {
520 gcc_assert (gimple_assign_single_p (assignment));
521
522 if (gimple_store_p (assignment)
523 && !gimple_clobber_p (assignment))
524 {
525 ref->start = gimple_assign_lhs (assignment);
526 *ref_is_store = true;
527 }
528 else if (gimple_assign_load_p (assignment))
529 {
530 ref->start = gimple_assign_rhs1 (assignment);
531 *ref_is_store = false;
532 }
533 else
534 return false;
535
536 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
537 return true;
538 }
539
540 /* Return address of last allocated dynamic alloca. */
541
542 static tree
543 get_last_alloca_addr ()
544 {
545 if (last_alloca_addr)
546 return last_alloca_addr;
547
548 last_alloca_addr = create_tmp_reg (ptr_type_node, "last_alloca_addr");
549 gassign *g = gimple_build_assign (last_alloca_addr, null_pointer_node);
550 edge e = single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun));
551 gsi_insert_on_edge_immediate (e, g);
552 return last_alloca_addr;
553 }
554
555 /* Insert __asan_allocas_unpoison (top, bottom) call after
556 __builtin_stack_restore (new_sp) call.
557 The pseudocode of this routine should look like this:
558 __builtin_stack_restore (new_sp);
559 top = last_alloca_addr;
560 bot = new_sp;
561 __asan_allocas_unpoison (top, bot);
562 last_alloca_addr = new_sp;
563 In general, we can't use new_sp as bot parameter because on some
564 architectures SP has non zero offset from dynamic stack area. Moreover, on
565 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each
566 particular function only after all callees were expanded to rtl.
567 The most noticeable example is PowerPC{,64}, see
568 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
569 To overcome the issue we use following trick: pass new_sp as a second
570 parameter to __asan_allocas_unpoison and rewrite it during expansion with
571 virtual_dynamic_stack_rtx later in expand_asan_emit_allocas_unpoison
572 function.
573 */
574
575 static void
576 handle_builtin_stack_restore (gcall *call, gimple_stmt_iterator *iter)
577 {
578 if (!iter || !asan_sanitize_allocas_p ())
579 return;
580
581 tree last_alloca = get_last_alloca_addr ();
582 tree restored_stack = gimple_call_arg (call, 0);
583 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCAS_UNPOISON);
584 gimple *g = gimple_build_call (fn, 2, last_alloca, restored_stack);
585 gsi_insert_after (iter, g, GSI_NEW_STMT);
586 g = gimple_build_assign (last_alloca, restored_stack);
587 gsi_insert_after (iter, g, GSI_NEW_STMT);
588 }
589
590 /* Deploy and poison redzones around __builtin_alloca call. To do this, we
591 should replace this call with another one with changed parameters and
592 replace all its uses with new address, so
593 addr = __builtin_alloca (old_size, align);
594 is replaced by
595 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
596 Following two statements are optimized out if we know that
597 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
598 redzone.
599 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
600 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
601 right_redzone_size = ASAN_RED_ZONE_SIZE;
602 additional_size = left_redzone_size + partial_redzone_size +
603 right_redzone_size;
604 new_size = old_size + additional_size;
605 new_alloca = __builtin_alloca (new_size, max (align, 32))
606 __asan_alloca_poison (new_alloca, old_size)
607 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
608 last_alloca_addr = new_alloca;
609 ADDITIONAL_SIZE is added to make new memory allocation contain not only
610 requested memory, but also left, partial and right redzones as well as some
611 additional space, required by alignment. */
612
613 static void
614 handle_builtin_alloca (gcall *call, gimple_stmt_iterator *iter)
615 {
616 if (!iter || !asan_sanitize_allocas_p ())
617 return;
618
619 gassign *g;
620 gcall *gg;
621 const HOST_WIDE_INT redzone_mask = ASAN_RED_ZONE_SIZE - 1;
622
623 tree last_alloca = get_last_alloca_addr ();
624 tree callee = gimple_call_fndecl (call);
625 tree old_size = gimple_call_arg (call, 0);
626 tree ptr_type = gimple_call_lhs (call) ? TREE_TYPE (gimple_call_lhs (call))
627 : ptr_type_node;
628 tree partial_size = NULL_TREE;
629 bool alloca_with_align
630 = DECL_FUNCTION_CODE (callee) == BUILT_IN_ALLOCA_WITH_ALIGN;
631 unsigned int align
632 = alloca_with_align ? tree_to_uhwi (gimple_call_arg (call, 1)) : 0;
633
634 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
635 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
636 manually. */
637 align = MAX (align, ASAN_RED_ZONE_SIZE * BITS_PER_UNIT);
638
639 tree alloca_rz_mask = build_int_cst (size_type_node, redzone_mask);
640 tree redzone_size = build_int_cst (size_type_node, ASAN_RED_ZONE_SIZE);
641
642 /* Extract lower bits from old_size. */
643 wide_int size_nonzero_bits = get_nonzero_bits (old_size);
644 wide_int rz_mask
645 = wi::uhwi (redzone_mask, wi::get_precision (size_nonzero_bits));
646 wide_int old_size_lower_bits = wi::bit_and (size_nonzero_bits, rz_mask);
647
648 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
649 redzone. Otherwise, compute its size here. */
650 if (wi::ne_p (old_size_lower_bits, 0))
651 {
652 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
653 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
654 g = gimple_build_assign (make_ssa_name (size_type_node, NULL),
655 BIT_AND_EXPR, old_size, alloca_rz_mask);
656 gsi_insert_before (iter, g, GSI_SAME_STMT);
657 tree misalign = gimple_assign_lhs (g);
658 g = gimple_build_assign (make_ssa_name (size_type_node, NULL), MINUS_EXPR,
659 redzone_size, misalign);
660 gsi_insert_before (iter, g, GSI_SAME_STMT);
661 partial_size = gimple_assign_lhs (g);
662 }
663
664 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
665 tree additional_size = build_int_cst (size_type_node, align / BITS_PER_UNIT
666 + ASAN_RED_ZONE_SIZE);
667 /* If alloca has partial redzone, include it to additional_size too. */
668 if (partial_size)
669 {
670 /* additional_size += partial_size. */
671 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR,
672 partial_size, additional_size);
673 gsi_insert_before (iter, g, GSI_SAME_STMT);
674 additional_size = gimple_assign_lhs (g);
675 }
676
677 /* new_size = old_size + additional_size. */
678 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR, old_size,
679 additional_size);
680 gsi_insert_before (iter, g, GSI_SAME_STMT);
681 tree new_size = gimple_assign_lhs (g);
682
683 /* Build new __builtin_alloca call:
684 new_alloca_with_rz = __builtin_alloca (new_size, align). */
685 tree fn = builtin_decl_implicit (BUILT_IN_ALLOCA_WITH_ALIGN);
686 gg = gimple_build_call (fn, 2, new_size,
687 build_int_cst (size_type_node, align));
688 tree new_alloca_with_rz = make_ssa_name (ptr_type, gg);
689 gimple_call_set_lhs (gg, new_alloca_with_rz);
690 gsi_insert_before (iter, gg, GSI_SAME_STMT);
691
692 /* new_alloca = new_alloca_with_rz + align. */
693 g = gimple_build_assign (make_ssa_name (ptr_type), POINTER_PLUS_EXPR,
694 new_alloca_with_rz,
695 build_int_cst (size_type_node,
696 align / BITS_PER_UNIT));
697 gsi_insert_before (iter, g, GSI_SAME_STMT);
698 tree new_alloca = gimple_assign_lhs (g);
699
700 /* Poison newly created alloca redzones:
701 __asan_alloca_poison (new_alloca, old_size). */
702 fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCA_POISON);
703 gg = gimple_build_call (fn, 2, new_alloca, old_size);
704 gsi_insert_before (iter, gg, GSI_SAME_STMT);
705
706 /* Save new_alloca_with_rz value into last_alloca to use it during
707 allocas unpoisoning. */
708 g = gimple_build_assign (last_alloca, new_alloca_with_rz);
709 gsi_insert_before (iter, g, GSI_SAME_STMT);
710
711 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
712 replace_call_with_value (iter, new_alloca);
713 }
714
715 /* Return the memory references contained in a gimple statement
716 representing a builtin call that has to do with memory access. */
717
718 static bool
719 get_mem_refs_of_builtin_call (gcall *call,
720 asan_mem_ref *src0,
721 tree *src0_len,
722 bool *src0_is_store,
723 asan_mem_ref *src1,
724 tree *src1_len,
725 bool *src1_is_store,
726 asan_mem_ref *dst,
727 tree *dst_len,
728 bool *dst_is_store,
729 bool *dest_is_deref,
730 bool *intercepted_p,
731 gimple_stmt_iterator *iter = NULL)
732 {
733 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
734
735 tree callee = gimple_call_fndecl (call);
736 tree source0 = NULL_TREE, source1 = NULL_TREE,
737 dest = NULL_TREE, len = NULL_TREE;
738 bool is_store = true, got_reference_p = false;
739 HOST_WIDE_INT access_size = 1;
740
741 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
742
743 switch (DECL_FUNCTION_CODE (callee))
744 {
745 /* (s, s, n) style memops. */
746 case BUILT_IN_BCMP:
747 case BUILT_IN_MEMCMP:
748 source0 = gimple_call_arg (call, 0);
749 source1 = gimple_call_arg (call, 1);
750 len = gimple_call_arg (call, 2);
751 break;
752
753 /* (src, dest, n) style memops. */
754 case BUILT_IN_BCOPY:
755 source0 = gimple_call_arg (call, 0);
756 dest = gimple_call_arg (call, 1);
757 len = gimple_call_arg (call, 2);
758 break;
759
760 /* (dest, src, n) style memops. */
761 case BUILT_IN_MEMCPY:
762 case BUILT_IN_MEMCPY_CHK:
763 case BUILT_IN_MEMMOVE:
764 case BUILT_IN_MEMMOVE_CHK:
765 case BUILT_IN_MEMPCPY:
766 case BUILT_IN_MEMPCPY_CHK:
767 dest = gimple_call_arg (call, 0);
768 source0 = gimple_call_arg (call, 1);
769 len = gimple_call_arg (call, 2);
770 break;
771
772 /* (dest, n) style memops. */
773 case BUILT_IN_BZERO:
774 dest = gimple_call_arg (call, 0);
775 len = gimple_call_arg (call, 1);
776 break;
777
778 /* (dest, x, n) style memops*/
779 case BUILT_IN_MEMSET:
780 case BUILT_IN_MEMSET_CHK:
781 dest = gimple_call_arg (call, 0);
782 len = gimple_call_arg (call, 2);
783 break;
784
785 case BUILT_IN_STRLEN:
786 source0 = gimple_call_arg (call, 0);
787 len = gimple_call_lhs (call);
788 break;
789
790 case BUILT_IN_STACK_RESTORE:
791 handle_builtin_stack_restore (call, iter);
792 break;
793
794 case BUILT_IN_ALLOCA_WITH_ALIGN:
795 case BUILT_IN_ALLOCA:
796 handle_builtin_alloca (call, iter);
797 break;
798 /* And now the __atomic* and __sync builtins.
799 These are handled differently from the classical memory memory
800 access builtins above. */
801
802 case BUILT_IN_ATOMIC_LOAD_1:
803 is_store = false;
804 /* FALLTHRU */
805 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
806 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
807 case BUILT_IN_SYNC_FETCH_AND_OR_1:
808 case BUILT_IN_SYNC_FETCH_AND_AND_1:
809 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
810 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
811 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
812 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
813 case BUILT_IN_SYNC_OR_AND_FETCH_1:
814 case BUILT_IN_SYNC_AND_AND_FETCH_1:
815 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
816 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
817 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
818 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
819 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
820 case BUILT_IN_SYNC_LOCK_RELEASE_1:
821 case BUILT_IN_ATOMIC_EXCHANGE_1:
822 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
823 case BUILT_IN_ATOMIC_STORE_1:
824 case BUILT_IN_ATOMIC_ADD_FETCH_1:
825 case BUILT_IN_ATOMIC_SUB_FETCH_1:
826 case BUILT_IN_ATOMIC_AND_FETCH_1:
827 case BUILT_IN_ATOMIC_NAND_FETCH_1:
828 case BUILT_IN_ATOMIC_XOR_FETCH_1:
829 case BUILT_IN_ATOMIC_OR_FETCH_1:
830 case BUILT_IN_ATOMIC_FETCH_ADD_1:
831 case BUILT_IN_ATOMIC_FETCH_SUB_1:
832 case BUILT_IN_ATOMIC_FETCH_AND_1:
833 case BUILT_IN_ATOMIC_FETCH_NAND_1:
834 case BUILT_IN_ATOMIC_FETCH_XOR_1:
835 case BUILT_IN_ATOMIC_FETCH_OR_1:
836 access_size = 1;
837 goto do_atomic;
838
839 case BUILT_IN_ATOMIC_LOAD_2:
840 is_store = false;
841 /* FALLTHRU */
842 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
843 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
844 case BUILT_IN_SYNC_FETCH_AND_OR_2:
845 case BUILT_IN_SYNC_FETCH_AND_AND_2:
846 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
847 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
848 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
849 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
850 case BUILT_IN_SYNC_OR_AND_FETCH_2:
851 case BUILT_IN_SYNC_AND_AND_FETCH_2:
852 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
853 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
854 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
855 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
856 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
857 case BUILT_IN_SYNC_LOCK_RELEASE_2:
858 case BUILT_IN_ATOMIC_EXCHANGE_2:
859 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
860 case BUILT_IN_ATOMIC_STORE_2:
861 case BUILT_IN_ATOMIC_ADD_FETCH_2:
862 case BUILT_IN_ATOMIC_SUB_FETCH_2:
863 case BUILT_IN_ATOMIC_AND_FETCH_2:
864 case BUILT_IN_ATOMIC_NAND_FETCH_2:
865 case BUILT_IN_ATOMIC_XOR_FETCH_2:
866 case BUILT_IN_ATOMIC_OR_FETCH_2:
867 case BUILT_IN_ATOMIC_FETCH_ADD_2:
868 case BUILT_IN_ATOMIC_FETCH_SUB_2:
869 case BUILT_IN_ATOMIC_FETCH_AND_2:
870 case BUILT_IN_ATOMIC_FETCH_NAND_2:
871 case BUILT_IN_ATOMIC_FETCH_XOR_2:
872 case BUILT_IN_ATOMIC_FETCH_OR_2:
873 access_size = 2;
874 goto do_atomic;
875
876 case BUILT_IN_ATOMIC_LOAD_4:
877 is_store = false;
878 /* FALLTHRU */
879 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
880 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
881 case BUILT_IN_SYNC_FETCH_AND_OR_4:
882 case BUILT_IN_SYNC_FETCH_AND_AND_4:
883 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
884 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
885 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
886 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
887 case BUILT_IN_SYNC_OR_AND_FETCH_4:
888 case BUILT_IN_SYNC_AND_AND_FETCH_4:
889 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
890 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
891 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
892 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
893 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
894 case BUILT_IN_SYNC_LOCK_RELEASE_4:
895 case BUILT_IN_ATOMIC_EXCHANGE_4:
896 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
897 case BUILT_IN_ATOMIC_STORE_4:
898 case BUILT_IN_ATOMIC_ADD_FETCH_4:
899 case BUILT_IN_ATOMIC_SUB_FETCH_4:
900 case BUILT_IN_ATOMIC_AND_FETCH_4:
901 case BUILT_IN_ATOMIC_NAND_FETCH_4:
902 case BUILT_IN_ATOMIC_XOR_FETCH_4:
903 case BUILT_IN_ATOMIC_OR_FETCH_4:
904 case BUILT_IN_ATOMIC_FETCH_ADD_4:
905 case BUILT_IN_ATOMIC_FETCH_SUB_4:
906 case BUILT_IN_ATOMIC_FETCH_AND_4:
907 case BUILT_IN_ATOMIC_FETCH_NAND_4:
908 case BUILT_IN_ATOMIC_FETCH_XOR_4:
909 case BUILT_IN_ATOMIC_FETCH_OR_4:
910 access_size = 4;
911 goto do_atomic;
912
913 case BUILT_IN_ATOMIC_LOAD_8:
914 is_store = false;
915 /* FALLTHRU */
916 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
917 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
918 case BUILT_IN_SYNC_FETCH_AND_OR_8:
919 case BUILT_IN_SYNC_FETCH_AND_AND_8:
920 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
921 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
922 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
923 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
924 case BUILT_IN_SYNC_OR_AND_FETCH_8:
925 case BUILT_IN_SYNC_AND_AND_FETCH_8:
926 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
927 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
928 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
929 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
930 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
931 case BUILT_IN_SYNC_LOCK_RELEASE_8:
932 case BUILT_IN_ATOMIC_EXCHANGE_8:
933 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
934 case BUILT_IN_ATOMIC_STORE_8:
935 case BUILT_IN_ATOMIC_ADD_FETCH_8:
936 case BUILT_IN_ATOMIC_SUB_FETCH_8:
937 case BUILT_IN_ATOMIC_AND_FETCH_8:
938 case BUILT_IN_ATOMIC_NAND_FETCH_8:
939 case BUILT_IN_ATOMIC_XOR_FETCH_8:
940 case BUILT_IN_ATOMIC_OR_FETCH_8:
941 case BUILT_IN_ATOMIC_FETCH_ADD_8:
942 case BUILT_IN_ATOMIC_FETCH_SUB_8:
943 case BUILT_IN_ATOMIC_FETCH_AND_8:
944 case BUILT_IN_ATOMIC_FETCH_NAND_8:
945 case BUILT_IN_ATOMIC_FETCH_XOR_8:
946 case BUILT_IN_ATOMIC_FETCH_OR_8:
947 access_size = 8;
948 goto do_atomic;
949
950 case BUILT_IN_ATOMIC_LOAD_16:
951 is_store = false;
952 /* FALLTHRU */
953 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
954 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
955 case BUILT_IN_SYNC_FETCH_AND_OR_16:
956 case BUILT_IN_SYNC_FETCH_AND_AND_16:
957 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
958 case BUILT_IN_SYNC_FETCH_AND_NAND_16:
959 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
960 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
961 case BUILT_IN_SYNC_OR_AND_FETCH_16:
962 case BUILT_IN_SYNC_AND_AND_FETCH_16:
963 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
964 case BUILT_IN_SYNC_NAND_AND_FETCH_16:
965 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
966 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
967 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
968 case BUILT_IN_SYNC_LOCK_RELEASE_16:
969 case BUILT_IN_ATOMIC_EXCHANGE_16:
970 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
971 case BUILT_IN_ATOMIC_STORE_16:
972 case BUILT_IN_ATOMIC_ADD_FETCH_16:
973 case BUILT_IN_ATOMIC_SUB_FETCH_16:
974 case BUILT_IN_ATOMIC_AND_FETCH_16:
975 case BUILT_IN_ATOMIC_NAND_FETCH_16:
976 case BUILT_IN_ATOMIC_XOR_FETCH_16:
977 case BUILT_IN_ATOMIC_OR_FETCH_16:
978 case BUILT_IN_ATOMIC_FETCH_ADD_16:
979 case BUILT_IN_ATOMIC_FETCH_SUB_16:
980 case BUILT_IN_ATOMIC_FETCH_AND_16:
981 case BUILT_IN_ATOMIC_FETCH_NAND_16:
982 case BUILT_IN_ATOMIC_FETCH_XOR_16:
983 case BUILT_IN_ATOMIC_FETCH_OR_16:
984 access_size = 16;
985 /* FALLTHRU */
986 do_atomic:
987 {
988 dest = gimple_call_arg (call, 0);
989 /* DEST represents the address of a memory location.
990 instrument_derefs wants the memory location, so lets
991 dereference the address DEST before handing it to
992 instrument_derefs. */
993 tree type = build_nonstandard_integer_type (access_size
994 * BITS_PER_UNIT, 1);
995 dest = build2 (MEM_REF, type, dest,
996 build_int_cst (build_pointer_type (char_type_node), 0));
997 break;
998 }
999
1000 default:
1001 /* The other builtins memory access are not instrumented in this
1002 function because they either don't have any length parameter,
1003 or their length parameter is just a limit. */
1004 break;
1005 }
1006
1007 if (len != NULL_TREE)
1008 {
1009 if (source0 != NULL_TREE)
1010 {
1011 src0->start = source0;
1012 src0->access_size = access_size;
1013 *src0_len = len;
1014 *src0_is_store = false;
1015 }
1016
1017 if (source1 != NULL_TREE)
1018 {
1019 src1->start = source1;
1020 src1->access_size = access_size;
1021 *src1_len = len;
1022 *src1_is_store = false;
1023 }
1024
1025 if (dest != NULL_TREE)
1026 {
1027 dst->start = dest;
1028 dst->access_size = access_size;
1029 *dst_len = len;
1030 *dst_is_store = true;
1031 }
1032
1033 got_reference_p = true;
1034 }
1035 else if (dest)
1036 {
1037 dst->start = dest;
1038 dst->access_size = access_size;
1039 *dst_len = NULL_TREE;
1040 *dst_is_store = is_store;
1041 *dest_is_deref = true;
1042 got_reference_p = true;
1043 }
1044
1045 return got_reference_p;
1046 }
1047
1048 /* Return true iff a given gimple statement has been instrumented.
1049 Note that the statement is "defined" by the memory references it
1050 contains. */
1051
1052 static bool
1053 has_stmt_been_instrumented_p (gimple *stmt)
1054 {
1055 if (gimple_assign_single_p (stmt))
1056 {
1057 bool r_is_store;
1058 asan_mem_ref r;
1059 asan_mem_ref_init (&r, NULL, 1);
1060
1061 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
1062 &r_is_store))
1063 return has_mem_ref_been_instrumented (&r);
1064 }
1065 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
1066 {
1067 asan_mem_ref src0, src1, dest;
1068 asan_mem_ref_init (&src0, NULL, 1);
1069 asan_mem_ref_init (&src1, NULL, 1);
1070 asan_mem_ref_init (&dest, NULL, 1);
1071
1072 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1073 bool src0_is_store = false, src1_is_store = false,
1074 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
1075 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
1076 &src0, &src0_len, &src0_is_store,
1077 &src1, &src1_len, &src1_is_store,
1078 &dest, &dest_len, &dest_is_store,
1079 &dest_is_deref, &intercepted_p))
1080 {
1081 if (src0.start != NULL_TREE
1082 && !has_mem_ref_been_instrumented (&src0, src0_len))
1083 return false;
1084
1085 if (src1.start != NULL_TREE
1086 && !has_mem_ref_been_instrumented (&src1, src1_len))
1087 return false;
1088
1089 if (dest.start != NULL_TREE
1090 && !has_mem_ref_been_instrumented (&dest, dest_len))
1091 return false;
1092
1093 return true;
1094 }
1095 }
1096 else if (is_gimple_call (stmt) && gimple_store_p (stmt))
1097 {
1098 asan_mem_ref r;
1099 asan_mem_ref_init (&r, NULL, 1);
1100
1101 r.start = gimple_call_lhs (stmt);
1102 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
1103 return has_mem_ref_been_instrumented (&r);
1104 }
1105
1106 return false;
1107 }
1108
1109 /* Insert a memory reference into the hash table. */
1110
1111 static void
1112 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
1113 {
1114 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
1115
1116 asan_mem_ref r;
1117 asan_mem_ref_init (&r, ref, access_size);
1118
1119 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
1120 if (*slot == NULL || (*slot)->access_size < access_size)
1121 *slot = asan_mem_ref_new (ref, access_size);
1122 }
1123
1124 /* Initialize shadow_ptr_types array. */
1125
1126 static void
1127 asan_init_shadow_ptr_types (void)
1128 {
1129 asan_shadow_set = new_alias_set ();
1130 tree types[3] = { signed_char_type_node, short_integer_type_node,
1131 integer_type_node };
1132
1133 for (unsigned i = 0; i < 3; i++)
1134 {
1135 shadow_ptr_types[i] = build_distinct_type_copy (types[i]);
1136 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set;
1137 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]);
1138 }
1139
1140 initialize_sanitizer_builtins ();
1141 }
1142
1143 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
1144
1145 static tree
1146 asan_pp_string (pretty_printer *pp)
1147 {
1148 const char *buf = pp_formatted_text (pp);
1149 size_t len = strlen (buf);
1150 tree ret = build_string (len + 1, buf);
1151 TREE_TYPE (ret)
1152 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
1153 build_index_type (size_int (len)));
1154 TREE_READONLY (ret) = 1;
1155 TREE_STATIC (ret) = 1;
1156 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
1157 }
1158
1159 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
1160
1161 static rtx
1162 asan_shadow_cst (unsigned char shadow_bytes[4])
1163 {
1164 int i;
1165 unsigned HOST_WIDE_INT val = 0;
1166 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
1167 for (i = 0; i < 4; i++)
1168 val |= (unsigned HOST_WIDE_INT) shadow_bytes[BYTES_BIG_ENDIAN ? 3 - i : i]
1169 << (BITS_PER_UNIT * i);
1170 return gen_int_mode (val, SImode);
1171 }
1172
1173 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1174 though. */
1175
1176 static void
1177 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
1178 {
1179 rtx_insn *insn, *insns, *jump;
1180 rtx_code_label *top_label;
1181 rtx end, addr, tmp;
1182
1183 start_sequence ();
1184 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
1185 insns = get_insns ();
1186 end_sequence ();
1187 for (insn = insns; insn; insn = NEXT_INSN (insn))
1188 if (CALL_P (insn))
1189 break;
1190 if (insn == NULL_RTX)
1191 {
1192 emit_insn (insns);
1193 return;
1194 }
1195
1196 gcc_assert ((len & 3) == 0);
1197 top_label = gen_label_rtx ();
1198 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
1199 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1200 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1201 emit_label (top_label);
1202
1203 emit_move_insn (shadow_mem, const0_rtx);
1204 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
1205 true, OPTAB_LIB_WIDEN);
1206 if (tmp != addr)
1207 emit_move_insn (addr, tmp);
1208 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1209 jump = get_last_insn ();
1210 gcc_assert (JUMP_P (jump));
1211 add_int_reg_note (jump, REG_BR_PROB, REG_BR_PROB_BASE * 80 / 100);
1212 }
1213
1214 void
1215 asan_function_start (void)
1216 {
1217 section *fnsec = function_section (current_function_decl);
1218 switch_to_section (fnsec);
1219 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
1220 current_function_funcdef_no);
1221 }
1222
1223 /* Return number of shadow bytes that are occupied by a local variable
1224 of SIZE bytes. */
1225
1226 static unsigned HOST_WIDE_INT
1227 shadow_mem_size (unsigned HOST_WIDE_INT size)
1228 {
1229 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY;
1230 }
1231
1232 /* Insert code to protect stack vars. The prologue sequence should be emitted
1233 directly, epilogue sequence returned. BASE is the register holding the
1234 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1235 array contains pairs of offsets in reverse order, always the end offset
1236 of some gap that needs protection followed by starting offset,
1237 and DECLS is an array of representative decls for each var partition.
1238 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1239 elements long (OFFSETS include gap before the first variable as well
1240 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1241 register which stack vars DECL_RTLs are based on. Either BASE should be
1242 assigned to PBASE, when not doing use after return protection, or
1243 corresponding address based on __asan_stack_malloc* return value. */
1244
1245 rtx_insn *
1246 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1247 HOST_WIDE_INT *offsets, tree *decls, int length)
1248 {
1249 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1250 rtx_code_label *lab;
1251 rtx_insn *insns;
1252 char buf[32];
1253 unsigned char shadow_bytes[4];
1254 HOST_WIDE_INT base_offset = offsets[length - 1];
1255 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1256 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
1257 HOST_WIDE_INT last_offset, last_size;
1258 int l;
1259 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
1260 tree str_cst, decl, id;
1261 int use_after_return_class = -1;
1262
1263 if (shadow_ptr_types[0] == NULL_TREE)
1264 asan_init_shadow_ptr_types ();
1265
1266 /* First of all, prepare the description string. */
1267 pretty_printer asan_pp;
1268
1269 pp_decimal_int (&asan_pp, length / 2 - 1);
1270 pp_space (&asan_pp);
1271 for (l = length - 2; l; l -= 2)
1272 {
1273 tree decl = decls[l / 2 - 1];
1274 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1275 pp_space (&asan_pp);
1276 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1277 pp_space (&asan_pp);
1278 if (DECL_P (decl) && DECL_NAME (decl))
1279 {
1280 pp_decimal_int (&asan_pp, IDENTIFIER_LENGTH (DECL_NAME (decl)));
1281 pp_space (&asan_pp);
1282 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
1283 }
1284 else
1285 pp_string (&asan_pp, "9 <unknown>");
1286 pp_space (&asan_pp);
1287 }
1288 str_cst = asan_pp_string (&asan_pp);
1289
1290 /* Emit the prologue sequence. */
1291 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1292 && ASAN_USE_AFTER_RETURN)
1293 {
1294 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1295 /* __asan_stack_malloc_N guarantees alignment
1296 N < 6 ? (64 << N) : 4096 bytes. */
1297 if (alignb > (use_after_return_class < 6
1298 ? (64U << use_after_return_class) : 4096U))
1299 use_after_return_class = -1;
1300 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1301 base_align_bias = ((asan_frame_size + alignb - 1)
1302 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1303 }
1304 /* Align base if target is STRICT_ALIGNMENT. */
1305 if (STRICT_ALIGNMENT)
1306 base = expand_binop (Pmode, and_optab, base,
1307 gen_int_mode (-((GET_MODE_ALIGNMENT (SImode)
1308 << ASAN_SHADOW_SHIFT)
1309 / BITS_PER_UNIT), Pmode), NULL_RTX,
1310 1, OPTAB_DIRECT);
1311
1312 if (use_after_return_class == -1 && pbase)
1313 emit_move_insn (pbase, base);
1314
1315 base = expand_binop (Pmode, add_optab, base,
1316 gen_int_mode (base_offset - base_align_bias, Pmode),
1317 NULL_RTX, 1, OPTAB_DIRECT);
1318 orig_base = NULL_RTX;
1319 if (use_after_return_class != -1)
1320 {
1321 if (asan_detect_stack_use_after_return == NULL_TREE)
1322 {
1323 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1324 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1325 integer_type_node);
1326 SET_DECL_ASSEMBLER_NAME (decl, id);
1327 TREE_ADDRESSABLE (decl) = 1;
1328 DECL_ARTIFICIAL (decl) = 1;
1329 DECL_IGNORED_P (decl) = 1;
1330 DECL_EXTERNAL (decl) = 1;
1331 TREE_STATIC (decl) = 1;
1332 TREE_PUBLIC (decl) = 1;
1333 TREE_USED (decl) = 1;
1334 asan_detect_stack_use_after_return = decl;
1335 }
1336 orig_base = gen_reg_rtx (Pmode);
1337 emit_move_insn (orig_base, base);
1338 ret = expand_normal (asan_detect_stack_use_after_return);
1339 lab = gen_label_rtx ();
1340 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1341 VOIDmode, 0, lab,
1342 profile_probability::very_likely ());
1343 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1344 use_after_return_class);
1345 ret = init_one_libfunc (buf);
1346 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode, 1,
1347 GEN_INT (asan_frame_size
1348 + base_align_bias),
1349 TYPE_MODE (pointer_sized_int_node));
1350 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1351 and NULL otherwise. Check RET value is NULL here and jump over the
1352 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1353 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1354 VOIDmode, 0, lab,
1355 profile_probability:: very_unlikely ());
1356 ret = convert_memory_address (Pmode, ret);
1357 emit_move_insn (base, ret);
1358 emit_label (lab);
1359 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1360 gen_int_mode (base_align_bias
1361 - base_offset, Pmode),
1362 NULL_RTX, 1, OPTAB_DIRECT));
1363 }
1364 mem = gen_rtx_MEM (ptr_mode, base);
1365 mem = adjust_address (mem, VOIDmode, base_align_bias);
1366 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1367 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1368 emit_move_insn (mem, expand_normal (str_cst));
1369 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1370 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1371 id = get_identifier (buf);
1372 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1373 VAR_DECL, id, char_type_node);
1374 SET_DECL_ASSEMBLER_NAME (decl, id);
1375 TREE_ADDRESSABLE (decl) = 1;
1376 TREE_READONLY (decl) = 1;
1377 DECL_ARTIFICIAL (decl) = 1;
1378 DECL_IGNORED_P (decl) = 1;
1379 TREE_STATIC (decl) = 1;
1380 TREE_PUBLIC (decl) = 0;
1381 TREE_USED (decl) = 1;
1382 DECL_INITIAL (decl) = decl;
1383 TREE_ASM_WRITTEN (decl) = 1;
1384 TREE_ASM_WRITTEN (id) = 1;
1385 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
1386 shadow_base = expand_binop (Pmode, lshr_optab, base,
1387 GEN_INT (ASAN_SHADOW_SHIFT),
1388 NULL_RTX, 1, OPTAB_DIRECT);
1389 shadow_base
1390 = plus_constant (Pmode, shadow_base,
1391 asan_shadow_offset ()
1392 + (base_align_bias >> ASAN_SHADOW_SHIFT));
1393 gcc_assert (asan_shadow_set != -1
1394 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1395 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1396 set_mem_alias_set (shadow_mem, asan_shadow_set);
1397 if (STRICT_ALIGNMENT)
1398 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1399 prev_offset = base_offset;
1400 for (l = length; l; l -= 2)
1401 {
1402 if (l == 2)
1403 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1404 offset = offsets[l - 1];
1405 if ((offset - base_offset) & (ASAN_RED_ZONE_SIZE - 1))
1406 {
1407 int i;
1408 HOST_WIDE_INT aoff
1409 = base_offset + ((offset - base_offset)
1410 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1411 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1412 (aoff - prev_offset)
1413 >> ASAN_SHADOW_SHIFT);
1414 prev_offset = aoff;
1415 for (i = 0; i < 4; i++, aoff += ASAN_SHADOW_GRANULARITY)
1416 if (aoff < offset)
1417 {
1418 if (aoff < offset - (HOST_WIDE_INT)ASAN_SHADOW_GRANULARITY + 1)
1419 shadow_bytes[i] = 0;
1420 else
1421 shadow_bytes[i] = offset - aoff;
1422 }
1423 else
1424 shadow_bytes[i] = ASAN_STACK_MAGIC_MIDDLE;
1425 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1426 offset = aoff;
1427 }
1428 while (offset <= offsets[l - 2] - ASAN_RED_ZONE_SIZE)
1429 {
1430 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1431 (offset - prev_offset)
1432 >> ASAN_SHADOW_SHIFT);
1433 prev_offset = offset;
1434 memset (shadow_bytes, cur_shadow_byte, 4);
1435 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1436 offset += ASAN_RED_ZONE_SIZE;
1437 }
1438 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1439 }
1440 do_pending_stack_adjust ();
1441
1442 /* Construct epilogue sequence. */
1443 start_sequence ();
1444
1445 lab = NULL;
1446 if (use_after_return_class != -1)
1447 {
1448 rtx_code_label *lab2 = gen_label_rtx ();
1449 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
1450 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
1451 VOIDmode, 0, lab2,
1452 profile_probability::very_likely ());
1453 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1454 set_mem_alias_set (shadow_mem, asan_shadow_set);
1455 mem = gen_rtx_MEM (ptr_mode, base);
1456 mem = adjust_address (mem, VOIDmode, base_align_bias);
1457 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
1458 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
1459 if (use_after_return_class < 5
1460 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
1461 BITS_PER_UNIT, true))
1462 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
1463 BITS_PER_UNIT, true, 0);
1464 else if (use_after_return_class >= 5
1465 || !set_storage_via_setmem (shadow_mem,
1466 GEN_INT (sz),
1467 gen_int_mode (c, QImode),
1468 BITS_PER_UNIT, BITS_PER_UNIT,
1469 -1, sz, sz, sz))
1470 {
1471 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
1472 use_after_return_class);
1473 ret = init_one_libfunc (buf);
1474 rtx addr = convert_memory_address (ptr_mode, base);
1475 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
1476 emit_library_call (ret, LCT_NORMAL, ptr_mode, 3, addr, ptr_mode,
1477 GEN_INT (asan_frame_size + base_align_bias),
1478 TYPE_MODE (pointer_sized_int_node),
1479 orig_addr, ptr_mode);
1480 }
1481 lab = gen_label_rtx ();
1482 emit_jump (lab);
1483 emit_label (lab2);
1484 }
1485
1486 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1487 set_mem_alias_set (shadow_mem, asan_shadow_set);
1488
1489 if (STRICT_ALIGNMENT)
1490 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1491
1492 prev_offset = base_offset;
1493 last_offset = base_offset;
1494 last_size = 0;
1495 for (l = length; l; l -= 2)
1496 {
1497 offset = base_offset + ((offsets[l - 1] - base_offset)
1498 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1499 if (last_offset + last_size != offset)
1500 {
1501 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1502 (last_offset - prev_offset)
1503 >> ASAN_SHADOW_SHIFT);
1504 prev_offset = last_offset;
1505 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
1506 last_offset = offset;
1507 last_size = 0;
1508 }
1509 last_size += base_offset + ((offsets[l - 2] - base_offset)
1510 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
1511 - offset;
1512
1513 /* Unpoison shadow memory that corresponds to a variable that is
1514 is subject of use-after-return sanitization. */
1515 if (l > 2)
1516 {
1517 decl = decls[l / 2 - 2];
1518 if (asan_handled_variables != NULL
1519 && asan_handled_variables->contains (decl))
1520 {
1521 HOST_WIDE_INT size = offsets[l - 3] - offsets[l - 2];
1522 if (dump_file && (dump_flags & TDF_DETAILS))
1523 {
1524 const char *n = (DECL_NAME (decl)
1525 ? IDENTIFIER_POINTER (DECL_NAME (decl))
1526 : "<unknown>");
1527 fprintf (dump_file, "Unpoisoning shadow stack for variable: "
1528 "%s (%" PRId64 " B)\n", n, size);
1529 }
1530
1531 last_size += size & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1);
1532 }
1533 }
1534 }
1535 if (last_size)
1536 {
1537 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1538 (last_offset - prev_offset)
1539 >> ASAN_SHADOW_SHIFT);
1540 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
1541 }
1542
1543 /* Clean-up set with instrumented stack variables. */
1544 delete asan_handled_variables;
1545 asan_handled_variables = NULL;
1546 delete asan_used_labels;
1547 asan_used_labels = NULL;
1548
1549 do_pending_stack_adjust ();
1550 if (lab)
1551 emit_label (lab);
1552
1553 insns = get_insns ();
1554 end_sequence ();
1555 return insns;
1556 }
1557
1558 /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds
1559 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE
1560 indicates whether we're emitting new instructions sequence or not. */
1561
1562 rtx_insn *
1563 asan_emit_allocas_unpoison (rtx top, rtx bot, rtx_insn *before)
1564 {
1565 if (before)
1566 push_to_sequence (before);
1567 else
1568 start_sequence ();
1569 rtx ret = init_one_libfunc ("__asan_allocas_unpoison");
1570 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode, 2, top,
1571 TYPE_MODE (pointer_sized_int_node), bot,
1572 TYPE_MODE (pointer_sized_int_node));
1573
1574 do_pending_stack_adjust ();
1575 rtx_insn *insns = get_insns ();
1576 end_sequence ();
1577 return insns;
1578 }
1579
1580 /* Return true if DECL, a global var, might be overridden and needs
1581 therefore a local alias. */
1582
1583 static bool
1584 asan_needs_local_alias (tree decl)
1585 {
1586 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
1587 }
1588
1589 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
1590 therefore doesn't need protection. */
1591
1592 static bool
1593 is_odr_indicator (tree decl)
1594 {
1595 return (DECL_ARTIFICIAL (decl)
1596 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl)));
1597 }
1598
1599 /* Return true if DECL is a VAR_DECL that should be protected
1600 by Address Sanitizer, by appending a red zone with protected
1601 shadow memory after it and aligning it to at least
1602 ASAN_RED_ZONE_SIZE bytes. */
1603
1604 bool
1605 asan_protect_global (tree decl)
1606 {
1607 if (!ASAN_GLOBALS)
1608 return false;
1609
1610 rtx rtl, symbol;
1611
1612 if (TREE_CODE (decl) == STRING_CST)
1613 {
1614 /* Instrument all STRING_CSTs except those created
1615 by asan_pp_string here. */
1616 if (shadow_ptr_types[0] != NULL_TREE
1617 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
1618 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
1619 return false;
1620 return true;
1621 }
1622 if (!VAR_P (decl)
1623 /* TLS vars aren't statically protectable. */
1624 || DECL_THREAD_LOCAL_P (decl)
1625 /* Externs will be protected elsewhere. */
1626 || DECL_EXTERNAL (decl)
1627 || !DECL_RTL_SET_P (decl)
1628 /* Comdat vars pose an ABI problem, we can't know if
1629 the var that is selected by the linker will have
1630 padding or not. */
1631 || DECL_ONE_ONLY (decl)
1632 /* Similarly for common vars. People can use -fno-common.
1633 Note: Linux kernel is built with -fno-common, so we do instrument
1634 globals there even if it is C. */
1635 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
1636 /* Don't protect if using user section, often vars placed
1637 into user section from multiple TUs are then assumed
1638 to be an array of such vars, putting padding in there
1639 breaks this assumption. */
1640 || (DECL_SECTION_NAME (decl) != NULL
1641 && !symtab_node::get (decl)->implicit_section
1642 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
1643 || DECL_SIZE (decl) == 0
1644 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
1645 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
1646 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
1647 || TREE_TYPE (decl) == ubsan_get_source_location_type ()
1648 || is_odr_indicator (decl))
1649 return false;
1650
1651 rtl = DECL_RTL (decl);
1652 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
1653 return false;
1654 symbol = XEXP (rtl, 0);
1655
1656 if (CONSTANT_POOL_ADDRESS_P (symbol)
1657 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
1658 return false;
1659
1660 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
1661 return false;
1662
1663 #ifndef ASM_OUTPUT_DEF
1664 if (asan_needs_local_alias (decl))
1665 return false;
1666 #endif
1667
1668 return true;
1669 }
1670
1671 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
1672 IS_STORE is either 1 (for a store) or 0 (for a load). */
1673
1674 static tree
1675 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1676 int *nargs)
1677 {
1678 static enum built_in_function report[2][2][6]
1679 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
1680 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
1681 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
1682 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
1683 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
1684 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
1685 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
1686 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
1687 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
1688 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
1689 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
1690 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
1691 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
1692 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
1693 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
1694 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
1695 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
1696 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
1697 if (size_in_bytes == -1)
1698 {
1699 *nargs = 2;
1700 return builtin_decl_implicit (report[recover_p][is_store][5]);
1701 }
1702 *nargs = 1;
1703 int size_log2 = exact_log2 (size_in_bytes);
1704 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
1705 }
1706
1707 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
1708 IS_STORE is either 1 (for a store) or 0 (for a load). */
1709
1710 static tree
1711 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1712 int *nargs)
1713 {
1714 static enum built_in_function check[2][2][6]
1715 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
1716 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
1717 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
1718 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
1719 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
1720 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
1721 { { BUILT_IN_ASAN_LOAD1_NOABORT,
1722 BUILT_IN_ASAN_LOAD2_NOABORT,
1723 BUILT_IN_ASAN_LOAD4_NOABORT,
1724 BUILT_IN_ASAN_LOAD8_NOABORT,
1725 BUILT_IN_ASAN_LOAD16_NOABORT,
1726 BUILT_IN_ASAN_LOADN_NOABORT },
1727 { BUILT_IN_ASAN_STORE1_NOABORT,
1728 BUILT_IN_ASAN_STORE2_NOABORT,
1729 BUILT_IN_ASAN_STORE4_NOABORT,
1730 BUILT_IN_ASAN_STORE8_NOABORT,
1731 BUILT_IN_ASAN_STORE16_NOABORT,
1732 BUILT_IN_ASAN_STOREN_NOABORT } } };
1733 if (size_in_bytes == -1)
1734 {
1735 *nargs = 2;
1736 return builtin_decl_implicit (check[recover_p][is_store][5]);
1737 }
1738 *nargs = 1;
1739 int size_log2 = exact_log2 (size_in_bytes);
1740 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
1741 }
1742
1743 /* Split the current basic block and create a condition statement
1744 insertion point right before or after the statement pointed to by
1745 ITER. Return an iterator to the point at which the caller might
1746 safely insert the condition statement.
1747
1748 THEN_BLOCK must be set to the address of an uninitialized instance
1749 of basic_block. The function will then set *THEN_BLOCK to the
1750 'then block' of the condition statement to be inserted by the
1751 caller.
1752
1753 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1754 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1755
1756 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1757 block' of the condition statement to be inserted by the caller.
1758
1759 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1760 statements starting from *ITER, and *THEN_BLOCK is a new empty
1761 block.
1762
1763 *ITER is adjusted to point to always point to the first statement
1764 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1765 same as what ITER was pointing to prior to calling this function,
1766 if BEFORE_P is true; otherwise, it is its following statement. */
1767
1768 gimple_stmt_iterator
1769 create_cond_insert_point (gimple_stmt_iterator *iter,
1770 bool before_p,
1771 bool then_more_likely_p,
1772 bool create_then_fallthru_edge,
1773 basic_block *then_block,
1774 basic_block *fallthrough_block)
1775 {
1776 gimple_stmt_iterator gsi = *iter;
1777
1778 if (!gsi_end_p (gsi) && before_p)
1779 gsi_prev (&gsi);
1780
1781 basic_block cur_bb = gsi_bb (*iter);
1782
1783 edge e = split_block (cur_bb, gsi_stmt (gsi));
1784
1785 /* Get a hold on the 'condition block', the 'then block' and the
1786 'else block'. */
1787 basic_block cond_bb = e->src;
1788 basic_block fallthru_bb = e->dest;
1789 basic_block then_bb = create_empty_bb (cond_bb);
1790 if (current_loops)
1791 {
1792 add_bb_to_loop (then_bb, cond_bb->loop_father);
1793 loops_state_set (LOOPS_NEED_FIXUP);
1794 }
1795
1796 /* Set up the newly created 'then block'. */
1797 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1798 int fallthrough_probability
1799 = then_more_likely_p
1800 ? PROB_VERY_UNLIKELY
1801 : PROB_ALWAYS - PROB_VERY_UNLIKELY;
1802 e->probability = profile_probability::from_reg_br_prob_base
1803 (PROB_ALWAYS - fallthrough_probability);
1804 if (create_then_fallthru_edge)
1805 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1806
1807 /* Set up the fallthrough basic block. */
1808 e = find_edge (cond_bb, fallthru_bb);
1809 e->flags = EDGE_FALSE_VALUE;
1810 e->count = cond_bb->count;
1811 e->probability
1812 = profile_probability::from_reg_br_prob_base (fallthrough_probability);
1813
1814 /* Update dominance info for the newly created then_bb; note that
1815 fallthru_bb's dominance info has already been updated by
1816 split_bock. */
1817 if (dom_info_available_p (CDI_DOMINATORS))
1818 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1819
1820 *then_block = then_bb;
1821 *fallthrough_block = fallthru_bb;
1822 *iter = gsi_start_bb (fallthru_bb);
1823
1824 return gsi_last_bb (cond_bb);
1825 }
1826
1827 /* Insert an if condition followed by a 'then block' right before the
1828 statement pointed to by ITER. The fallthrough block -- which is the
1829 else block of the condition as well as the destination of the
1830 outcoming edge of the 'then block' -- starts with the statement
1831 pointed to by ITER.
1832
1833 COND is the condition of the if.
1834
1835 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1836 'then block' is higher than the probability of the edge to the
1837 fallthrough block.
1838
1839 Upon completion of the function, *THEN_BB is set to the newly
1840 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1841 fallthrough block.
1842
1843 *ITER is adjusted to still point to the same statement it was
1844 pointing to initially. */
1845
1846 static void
1847 insert_if_then_before_iter (gcond *cond,
1848 gimple_stmt_iterator *iter,
1849 bool then_more_likely_p,
1850 basic_block *then_bb,
1851 basic_block *fallthrough_bb)
1852 {
1853 gimple_stmt_iterator cond_insert_point =
1854 create_cond_insert_point (iter,
1855 /*before_p=*/true,
1856 then_more_likely_p,
1857 /*create_then_fallthru_edge=*/true,
1858 then_bb,
1859 fallthrough_bb);
1860 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
1861 }
1862
1863 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
1864 If RETURN_ADDRESS is set to true, return memory location instread
1865 of a value in the shadow memory. */
1866
1867 static tree
1868 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
1869 tree base_addr, tree shadow_ptr_type,
1870 bool return_address = false)
1871 {
1872 tree t, uintptr_type = TREE_TYPE (base_addr);
1873 tree shadow_type = TREE_TYPE (shadow_ptr_type);
1874 gimple *g;
1875
1876 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
1877 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
1878 base_addr, t);
1879 gimple_set_location (g, location);
1880 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1881
1882 t = build_int_cst (uintptr_type, asan_shadow_offset ());
1883 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
1884 gimple_assign_lhs (g), t);
1885 gimple_set_location (g, location);
1886 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1887
1888 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
1889 gimple_assign_lhs (g));
1890 gimple_set_location (g, location);
1891 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1892
1893 if (!return_address)
1894 {
1895 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
1896 build_int_cst (shadow_ptr_type, 0));
1897 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
1898 gimple_set_location (g, location);
1899 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1900 }
1901
1902 return gimple_assign_lhs (g);
1903 }
1904
1905 /* BASE can already be an SSA_NAME; in that case, do not create a
1906 new SSA_NAME for it. */
1907
1908 static tree
1909 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
1910 bool before_p)
1911 {
1912 if (TREE_CODE (base) == SSA_NAME)
1913 return base;
1914 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)),
1915 TREE_CODE (base), base);
1916 gimple_set_location (g, loc);
1917 if (before_p)
1918 gsi_insert_before (iter, g, GSI_SAME_STMT);
1919 else
1920 gsi_insert_after (iter, g, GSI_NEW_STMT);
1921 return gimple_assign_lhs (g);
1922 }
1923
1924 /* LEN can already have necessary size and precision;
1925 in that case, do not create a new variable. */
1926
1927 tree
1928 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
1929 bool before_p)
1930 {
1931 if (ptrofftype_p (len))
1932 return len;
1933 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
1934 NOP_EXPR, len);
1935 gimple_set_location (g, loc);
1936 if (before_p)
1937 gsi_insert_before (iter, g, GSI_SAME_STMT);
1938 else
1939 gsi_insert_after (iter, g, GSI_NEW_STMT);
1940 return gimple_assign_lhs (g);
1941 }
1942
1943 /* Instrument the memory access instruction BASE. Insert new
1944 statements before or after ITER.
1945
1946 Note that the memory access represented by BASE can be either an
1947 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1948 location. IS_STORE is TRUE for a store, FALSE for a load.
1949 BEFORE_P is TRUE for inserting the instrumentation code before
1950 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
1951 for a scalar memory access and FALSE for memory region access.
1952 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
1953 length. ALIGN tells alignment of accessed memory object.
1954
1955 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
1956 memory region have already been instrumented.
1957
1958 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1959 statement it was pointing to prior to calling this function,
1960 otherwise, it points to the statement logically following it. */
1961
1962 static void
1963 build_check_stmt (location_t loc, tree base, tree len,
1964 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
1965 bool is_non_zero_len, bool before_p, bool is_store,
1966 bool is_scalar_access, unsigned int align = 0)
1967 {
1968 gimple_stmt_iterator gsi = *iter;
1969 gimple *g;
1970
1971 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
1972
1973 gsi = *iter;
1974
1975 base = unshare_expr (base);
1976 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
1977
1978 if (len)
1979 {
1980 len = unshare_expr (len);
1981 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
1982 }
1983 else
1984 {
1985 gcc_assert (size_in_bytes != -1);
1986 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
1987 }
1988
1989 if (size_in_bytes > 1)
1990 {
1991 if ((size_in_bytes & (size_in_bytes - 1)) != 0
1992 || size_in_bytes > 16)
1993 is_scalar_access = false;
1994 else if (align && align < size_in_bytes * BITS_PER_UNIT)
1995 {
1996 /* On non-strict alignment targets, if
1997 16-byte access is just 8-byte aligned,
1998 this will result in misaligned shadow
1999 memory 2 byte load, but otherwise can
2000 be handled using one read. */
2001 if (size_in_bytes != 16
2002 || STRICT_ALIGNMENT
2003 || align < 8 * BITS_PER_UNIT)
2004 is_scalar_access = false;
2005 }
2006 }
2007
2008 HOST_WIDE_INT flags = 0;
2009 if (is_store)
2010 flags |= ASAN_CHECK_STORE;
2011 if (is_non_zero_len)
2012 flags |= ASAN_CHECK_NON_ZERO_LEN;
2013 if (is_scalar_access)
2014 flags |= ASAN_CHECK_SCALAR_ACCESS;
2015
2016 g = gimple_build_call_internal (IFN_ASAN_CHECK, 4,
2017 build_int_cst (integer_type_node, flags),
2018 base, len,
2019 build_int_cst (integer_type_node,
2020 align / BITS_PER_UNIT));
2021 gimple_set_location (g, loc);
2022 if (before_p)
2023 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
2024 else
2025 {
2026 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2027 gsi_next (&gsi);
2028 *iter = gsi;
2029 }
2030 }
2031
2032 /* If T represents a memory access, add instrumentation code before ITER.
2033 LOCATION is source code location.
2034 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
2035
2036 static void
2037 instrument_derefs (gimple_stmt_iterator *iter, tree t,
2038 location_t location, bool is_store)
2039 {
2040 if (is_store && !ASAN_INSTRUMENT_WRITES)
2041 return;
2042 if (!is_store && !ASAN_INSTRUMENT_READS)
2043 return;
2044
2045 tree type, base;
2046 HOST_WIDE_INT size_in_bytes;
2047 if (location == UNKNOWN_LOCATION)
2048 location = EXPR_LOCATION (t);
2049
2050 type = TREE_TYPE (t);
2051 switch (TREE_CODE (t))
2052 {
2053 case ARRAY_REF:
2054 case COMPONENT_REF:
2055 case INDIRECT_REF:
2056 case MEM_REF:
2057 case VAR_DECL:
2058 case BIT_FIELD_REF:
2059 break;
2060 /* FALLTHRU */
2061 default:
2062 return;
2063 }
2064
2065 size_in_bytes = int_size_in_bytes (type);
2066 if (size_in_bytes <= 0)
2067 return;
2068
2069 HOST_WIDE_INT bitsize, bitpos;
2070 tree offset;
2071 machine_mode mode;
2072 int unsignedp, reversep, volatilep = 0;
2073 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
2074 &unsignedp, &reversep, &volatilep);
2075
2076 if (TREE_CODE (t) == COMPONENT_REF
2077 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
2078 {
2079 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
2080 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
2081 TREE_OPERAND (t, 0), repr,
2082 TREE_OPERAND (t, 2)),
2083 location, is_store);
2084 return;
2085 }
2086
2087 if (bitpos % BITS_PER_UNIT
2088 || bitsize != size_in_bytes * BITS_PER_UNIT)
2089 return;
2090
2091 if (VAR_P (inner) && DECL_HARD_REGISTER (inner))
2092 return;
2093
2094 if (VAR_P (inner)
2095 && offset == NULL_TREE
2096 && bitpos >= 0
2097 && DECL_SIZE (inner)
2098 && tree_fits_shwi_p (DECL_SIZE (inner))
2099 && bitpos + bitsize <= tree_to_shwi (DECL_SIZE (inner)))
2100 {
2101 if (DECL_THREAD_LOCAL_P (inner))
2102 return;
2103 if (!ASAN_GLOBALS && is_global_var (inner))
2104 return;
2105 if (!TREE_STATIC (inner))
2106 {
2107 /* Automatic vars in the current function will be always
2108 accessible. */
2109 if (decl_function_context (inner) == current_function_decl
2110 && (!asan_sanitize_use_after_scope ()
2111 || !TREE_ADDRESSABLE (inner)))
2112 return;
2113 }
2114 /* Always instrument external vars, they might be dynamically
2115 initialized. */
2116 else if (!DECL_EXTERNAL (inner))
2117 {
2118 /* For static vars if they are known not to be dynamically
2119 initialized, they will be always accessible. */
2120 varpool_node *vnode = varpool_node::get (inner);
2121 if (vnode && !vnode->dynamically_initialized)
2122 return;
2123 }
2124 }
2125
2126 base = build_fold_addr_expr (t);
2127 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
2128 {
2129 unsigned int align = get_object_alignment (t);
2130 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
2131 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
2132 is_store, /*is_scalar_access*/true, align);
2133 update_mem_ref_hash_table (base, size_in_bytes);
2134 update_mem_ref_hash_table (t, size_in_bytes);
2135 }
2136
2137 }
2138
2139 /* Insert a memory reference into the hash table if access length
2140 can be determined in compile time. */
2141
2142 static void
2143 maybe_update_mem_ref_hash_table (tree base, tree len)
2144 {
2145 if (!POINTER_TYPE_P (TREE_TYPE (base))
2146 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
2147 return;
2148
2149 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2150
2151 if (size_in_bytes != -1)
2152 update_mem_ref_hash_table (base, size_in_bytes);
2153 }
2154
2155 /* Instrument an access to a contiguous memory region that starts at
2156 the address pointed to by BASE, over a length of LEN (expressed in
2157 the sizeof (*BASE) bytes). ITER points to the instruction before
2158 which the instrumentation instructions must be inserted. LOCATION
2159 is the source location that the instrumentation instructions must
2160 have. If IS_STORE is true, then the memory access is a store;
2161 otherwise, it's a load. */
2162
2163 static void
2164 instrument_mem_region_access (tree base, tree len,
2165 gimple_stmt_iterator *iter,
2166 location_t location, bool is_store)
2167 {
2168 if (!POINTER_TYPE_P (TREE_TYPE (base))
2169 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
2170 || integer_zerop (len))
2171 return;
2172
2173 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2174
2175 if ((size_in_bytes == -1)
2176 || !has_mem_ref_been_instrumented (base, size_in_bytes))
2177 {
2178 build_check_stmt (location, base, len, size_in_bytes, iter,
2179 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
2180 is_store, /*is_scalar_access*/false, /*align*/0);
2181 }
2182
2183 maybe_update_mem_ref_hash_table (base, len);
2184 *iter = gsi_for_stmt (gsi_stmt (*iter));
2185 }
2186
2187 /* Instrument the call to a built-in memory access function that is
2188 pointed to by the iterator ITER.
2189
2190 Upon completion, return TRUE iff *ITER has been advanced to the
2191 statement following the one it was originally pointing to. */
2192
2193 static bool
2194 instrument_builtin_call (gimple_stmt_iterator *iter)
2195 {
2196 if (!ASAN_MEMINTRIN)
2197 return false;
2198
2199 bool iter_advanced_p = false;
2200 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
2201
2202 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
2203
2204 location_t loc = gimple_location (call);
2205
2206 asan_mem_ref src0, src1, dest;
2207 asan_mem_ref_init (&src0, NULL, 1);
2208 asan_mem_ref_init (&src1, NULL, 1);
2209 asan_mem_ref_init (&dest, NULL, 1);
2210
2211 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
2212 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
2213 dest_is_deref = false, intercepted_p = true;
2214
2215 if (get_mem_refs_of_builtin_call (call,
2216 &src0, &src0_len, &src0_is_store,
2217 &src1, &src1_len, &src1_is_store,
2218 &dest, &dest_len, &dest_is_store,
2219 &dest_is_deref, &intercepted_p, iter))
2220 {
2221 if (dest_is_deref)
2222 {
2223 instrument_derefs (iter, dest.start, loc, dest_is_store);
2224 gsi_next (iter);
2225 iter_advanced_p = true;
2226 }
2227 else if (!intercepted_p
2228 && (src0_len || src1_len || dest_len))
2229 {
2230 if (src0.start != NULL_TREE)
2231 instrument_mem_region_access (src0.start, src0_len,
2232 iter, loc, /*is_store=*/false);
2233 if (src1.start != NULL_TREE)
2234 instrument_mem_region_access (src1.start, src1_len,
2235 iter, loc, /*is_store=*/false);
2236 if (dest.start != NULL_TREE)
2237 instrument_mem_region_access (dest.start, dest_len,
2238 iter, loc, /*is_store=*/true);
2239
2240 *iter = gsi_for_stmt (call);
2241 gsi_next (iter);
2242 iter_advanced_p = true;
2243 }
2244 else
2245 {
2246 if (src0.start != NULL_TREE)
2247 maybe_update_mem_ref_hash_table (src0.start, src0_len);
2248 if (src1.start != NULL_TREE)
2249 maybe_update_mem_ref_hash_table (src1.start, src1_len);
2250 if (dest.start != NULL_TREE)
2251 maybe_update_mem_ref_hash_table (dest.start, dest_len);
2252 }
2253 }
2254 return iter_advanced_p;
2255 }
2256
2257 /* Instrument the assignment statement ITER if it is subject to
2258 instrumentation. Return TRUE iff instrumentation actually
2259 happened. In that case, the iterator ITER is advanced to the next
2260 logical expression following the one initially pointed to by ITER,
2261 and the relevant memory reference that which access has been
2262 instrumented is added to the memory references hash table. */
2263
2264 static bool
2265 maybe_instrument_assignment (gimple_stmt_iterator *iter)
2266 {
2267 gimple *s = gsi_stmt (*iter);
2268
2269 gcc_assert (gimple_assign_single_p (s));
2270
2271 tree ref_expr = NULL_TREE;
2272 bool is_store, is_instrumented = false;
2273
2274 if (gimple_store_p (s))
2275 {
2276 ref_expr = gimple_assign_lhs (s);
2277 is_store = true;
2278 instrument_derefs (iter, ref_expr,
2279 gimple_location (s),
2280 is_store);
2281 is_instrumented = true;
2282 }
2283
2284 if (gimple_assign_load_p (s))
2285 {
2286 ref_expr = gimple_assign_rhs1 (s);
2287 is_store = false;
2288 instrument_derefs (iter, ref_expr,
2289 gimple_location (s),
2290 is_store);
2291 is_instrumented = true;
2292 }
2293
2294 if (is_instrumented)
2295 gsi_next (iter);
2296
2297 return is_instrumented;
2298 }
2299
2300 /* Instrument the function call pointed to by the iterator ITER, if it
2301 is subject to instrumentation. At the moment, the only function
2302 calls that are instrumented are some built-in functions that access
2303 memory. Look at instrument_builtin_call to learn more.
2304
2305 Upon completion return TRUE iff *ITER was advanced to the statement
2306 following the one it was originally pointing to. */
2307
2308 static bool
2309 maybe_instrument_call (gimple_stmt_iterator *iter)
2310 {
2311 gimple *stmt = gsi_stmt (*iter);
2312 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2313
2314 if (is_builtin && instrument_builtin_call (iter))
2315 return true;
2316
2317 if (gimple_call_noreturn_p (stmt))
2318 {
2319 if (is_builtin)
2320 {
2321 tree callee = gimple_call_fndecl (stmt);
2322 switch (DECL_FUNCTION_CODE (callee))
2323 {
2324 case BUILT_IN_UNREACHABLE:
2325 case BUILT_IN_TRAP:
2326 /* Don't instrument these. */
2327 return false;
2328 default:
2329 break;
2330 }
2331 }
2332 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
2333 gimple *g = gimple_build_call (decl, 0);
2334 gimple_set_location (g, gimple_location (stmt));
2335 gsi_insert_before (iter, g, GSI_SAME_STMT);
2336 }
2337
2338 bool instrumented = false;
2339 if (gimple_store_p (stmt))
2340 {
2341 tree ref_expr = gimple_call_lhs (stmt);
2342 instrument_derefs (iter, ref_expr,
2343 gimple_location (stmt),
2344 /*is_store=*/true);
2345
2346 instrumented = true;
2347 }
2348
2349 /* Walk through gimple_call arguments and check them id needed. */
2350 unsigned args_num = gimple_call_num_args (stmt);
2351 for (unsigned i = 0; i < args_num; ++i)
2352 {
2353 tree arg = gimple_call_arg (stmt, i);
2354 /* If ARG is not a non-aggregate register variable, compiler in general
2355 creates temporary for it and pass it as argument to gimple call.
2356 But in some cases, e.g. when we pass by value a small structure that
2357 fits to register, compiler can avoid extra overhead by pulling out
2358 these temporaries. In this case, we should check the argument. */
2359 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
2360 {
2361 instrument_derefs (iter, arg,
2362 gimple_location (stmt),
2363 /*is_store=*/false);
2364 instrumented = true;
2365 }
2366 }
2367 if (instrumented)
2368 gsi_next (iter);
2369 return instrumented;
2370 }
2371
2372 /* Walk each instruction of all basic block and instrument those that
2373 represent memory references: loads, stores, or function calls.
2374 In a given basic block, this function avoids instrumenting memory
2375 references that have already been instrumented. */
2376
2377 static void
2378 transform_statements (void)
2379 {
2380 basic_block bb, last_bb = NULL;
2381 gimple_stmt_iterator i;
2382 int saved_last_basic_block = last_basic_block_for_fn (cfun);
2383
2384 FOR_EACH_BB_FN (bb, cfun)
2385 {
2386 basic_block prev_bb = bb;
2387
2388 if (bb->index >= saved_last_basic_block) continue;
2389
2390 /* Flush the mem ref hash table, if current bb doesn't have
2391 exactly one predecessor, or if that predecessor (skipping
2392 over asan created basic blocks) isn't the last processed
2393 basic block. Thus we effectively flush on extended basic
2394 block boundaries. */
2395 while (single_pred_p (prev_bb))
2396 {
2397 prev_bb = single_pred (prev_bb);
2398 if (prev_bb->index < saved_last_basic_block)
2399 break;
2400 }
2401 if (prev_bb != last_bb)
2402 empty_mem_ref_hash_table ();
2403 last_bb = bb;
2404
2405 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
2406 {
2407 gimple *s = gsi_stmt (i);
2408
2409 if (has_stmt_been_instrumented_p (s))
2410 gsi_next (&i);
2411 else if (gimple_assign_single_p (s)
2412 && !gimple_clobber_p (s)
2413 && maybe_instrument_assignment (&i))
2414 /* Nothing to do as maybe_instrument_assignment advanced
2415 the iterator I. */;
2416 else if (is_gimple_call (s) && maybe_instrument_call (&i))
2417 /* Nothing to do as maybe_instrument_call
2418 advanced the iterator I. */;
2419 else
2420 {
2421 /* No instrumentation happened.
2422
2423 If the current instruction is a function call that
2424 might free something, let's forget about the memory
2425 references that got instrumented. Otherwise we might
2426 miss some instrumentation opportunities. Do the same
2427 for a ASAN_MARK poisoning internal function. */
2428 if (is_gimple_call (s)
2429 && (!nonfreeing_call_p (s)
2430 || asan_mark_p (s, ASAN_MARK_POISON)))
2431 empty_mem_ref_hash_table ();
2432
2433 gsi_next (&i);
2434 }
2435 }
2436 }
2437 free_mem_ref_resources ();
2438 }
2439
2440 /* Build
2441 __asan_before_dynamic_init (module_name)
2442 or
2443 __asan_after_dynamic_init ()
2444 call. */
2445
2446 tree
2447 asan_dynamic_init_call (bool after_p)
2448 {
2449 if (shadow_ptr_types[0] == NULL_TREE)
2450 asan_init_shadow_ptr_types ();
2451
2452 tree fn = builtin_decl_implicit (after_p
2453 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
2454 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
2455 tree module_name_cst = NULL_TREE;
2456 if (!after_p)
2457 {
2458 pretty_printer module_name_pp;
2459 pp_string (&module_name_pp, main_input_filename);
2460
2461 module_name_cst = asan_pp_string (&module_name_pp);
2462 module_name_cst = fold_convert (const_ptr_type_node,
2463 module_name_cst);
2464 }
2465
2466 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
2467 }
2468
2469 /* Build
2470 struct __asan_global
2471 {
2472 const void *__beg;
2473 uptr __size;
2474 uptr __size_with_redzone;
2475 const void *__name;
2476 const void *__module_name;
2477 uptr __has_dynamic_init;
2478 __asan_global_source_location *__location;
2479 char *__odr_indicator;
2480 } type. */
2481
2482 static tree
2483 asan_global_struct (void)
2484 {
2485 static const char *field_names[]
2486 = { "__beg", "__size", "__size_with_redzone",
2487 "__name", "__module_name", "__has_dynamic_init", "__location",
2488 "__odr_indicator" };
2489 tree fields[ARRAY_SIZE (field_names)], ret;
2490 unsigned i;
2491
2492 ret = make_node (RECORD_TYPE);
2493 for (i = 0; i < ARRAY_SIZE (field_names); i++)
2494 {
2495 fields[i]
2496 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
2497 get_identifier (field_names[i]),
2498 (i == 0 || i == 3) ? const_ptr_type_node
2499 : pointer_sized_int_node);
2500 DECL_CONTEXT (fields[i]) = ret;
2501 if (i)
2502 DECL_CHAIN (fields[i - 1]) = fields[i];
2503 }
2504 tree type_decl = build_decl (input_location, TYPE_DECL,
2505 get_identifier ("__asan_global"), ret);
2506 DECL_IGNORED_P (type_decl) = 1;
2507 DECL_ARTIFICIAL (type_decl) = 1;
2508 TYPE_FIELDS (ret) = fields[0];
2509 TYPE_NAME (ret) = type_decl;
2510 TYPE_STUB_DECL (ret) = type_decl;
2511 layout_type (ret);
2512 return ret;
2513 }
2514
2515 /* Create and return odr indicator symbol for DECL.
2516 TYPE is __asan_global struct type as returned by asan_global_struct. */
2517
2518 static tree
2519 create_odr_indicator (tree decl, tree type)
2520 {
2521 char *name;
2522 tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2523 tree decl_name
2524 = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl)
2525 : DECL_NAME (decl));
2526 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
2527 if (decl_name == NULL_TREE)
2528 return build_int_cst (uptr, 0);
2529 size_t len = strlen (IDENTIFIER_POINTER (decl_name)) + sizeof ("__odr_asan_");
2530 name = XALLOCAVEC (char, len);
2531 snprintf (name, len, "__odr_asan_%s", IDENTIFIER_POINTER (decl_name));
2532 #ifndef NO_DOT_IN_LABEL
2533 name[sizeof ("__odr_asan") - 1] = '.';
2534 #elif !defined(NO_DOLLAR_IN_LABEL)
2535 name[sizeof ("__odr_asan") - 1] = '$';
2536 #endif
2537 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name),
2538 char_type_node);
2539 TREE_ADDRESSABLE (var) = 1;
2540 TREE_READONLY (var) = 0;
2541 TREE_THIS_VOLATILE (var) = 1;
2542 DECL_GIMPLE_REG_P (var) = 0;
2543 DECL_ARTIFICIAL (var) = 1;
2544 DECL_IGNORED_P (var) = 1;
2545 TREE_STATIC (var) = 1;
2546 TREE_PUBLIC (var) = 1;
2547 DECL_VISIBILITY (var) = DECL_VISIBILITY (decl);
2548 DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl);
2549
2550 TREE_USED (var) = 1;
2551 tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE,
2552 build_int_cst (unsigned_type_node, 0));
2553 TREE_CONSTANT (ctor) = 1;
2554 TREE_STATIC (ctor) = 1;
2555 DECL_INITIAL (var) = ctor;
2556 DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"),
2557 NULL, DECL_ATTRIBUTES (var));
2558 make_decl_rtl (var);
2559 varpool_node::finalize_decl (var);
2560 return fold_convert (uptr, build_fold_addr_expr (var));
2561 }
2562
2563 /* Return true if DECL, a global var, might be overridden and needs
2564 an additional odr indicator symbol. */
2565
2566 static bool
2567 asan_needs_odr_indicator_p (tree decl)
2568 {
2569 /* Don't emit ODR indicators for kernel because:
2570 a) Kernel is written in C thus doesn't need ODR indicators.
2571 b) Some kernel code may have assumptions about symbols containing specific
2572 patterns in their names. Since ODR indicators contain original names
2573 of symbols they are emitted for, these assumptions would be broken for
2574 ODR indicator symbols. */
2575 return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS)
2576 && !DECL_ARTIFICIAL (decl)
2577 && !DECL_WEAK (decl)
2578 && TREE_PUBLIC (decl));
2579 }
2580
2581 /* Append description of a single global DECL into vector V.
2582 TYPE is __asan_global struct type as returned by asan_global_struct. */
2583
2584 static void
2585 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
2586 {
2587 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2588 unsigned HOST_WIDE_INT size;
2589 tree str_cst, module_name_cst, refdecl = decl;
2590 vec<constructor_elt, va_gc> *vinner = NULL;
2591
2592 pretty_printer asan_pp, module_name_pp;
2593
2594 if (DECL_NAME (decl))
2595 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
2596 else
2597 pp_string (&asan_pp, "<unknown>");
2598 str_cst = asan_pp_string (&asan_pp);
2599
2600 pp_string (&module_name_pp, main_input_filename);
2601 module_name_cst = asan_pp_string (&module_name_pp);
2602
2603 if (asan_needs_local_alias (decl))
2604 {
2605 char buf[20];
2606 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
2607 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
2608 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
2609 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
2610 TREE_READONLY (refdecl) = TREE_READONLY (decl);
2611 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
2612 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
2613 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
2614 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
2615 TREE_STATIC (refdecl) = 1;
2616 TREE_PUBLIC (refdecl) = 0;
2617 TREE_USED (refdecl) = 1;
2618 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
2619 }
2620
2621 tree odr_indicator_ptr
2622 = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type)
2623 : build_int_cst (uptr, 0));
2624 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2625 fold_convert (const_ptr_type_node,
2626 build_fold_addr_expr (refdecl)));
2627 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
2628 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2629 size += asan_red_zone_size (size);
2630 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2631 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2632 fold_convert (const_ptr_type_node, str_cst));
2633 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2634 fold_convert (const_ptr_type_node, module_name_cst));
2635 varpool_node *vnode = varpool_node::get (decl);
2636 int has_dynamic_init = 0;
2637 /* FIXME: Enable initialization order fiasco detection in LTO mode once
2638 proper fix for PR 79061 will be applied. */
2639 if (!in_lto_p)
2640 has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
2641 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2642 build_int_cst (uptr, has_dynamic_init));
2643 tree locptr = NULL_TREE;
2644 location_t loc = DECL_SOURCE_LOCATION (decl);
2645 expanded_location xloc = expand_location (loc);
2646 if (xloc.file != NULL)
2647 {
2648 static int lasanloccnt = 0;
2649 char buf[25];
2650 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
2651 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2652 ubsan_get_source_location_type ());
2653 TREE_STATIC (var) = 1;
2654 TREE_PUBLIC (var) = 0;
2655 DECL_ARTIFICIAL (var) = 1;
2656 DECL_IGNORED_P (var) = 1;
2657 pretty_printer filename_pp;
2658 pp_string (&filename_pp, xloc.file);
2659 tree str = asan_pp_string (&filename_pp);
2660 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
2661 NULL_TREE, str, NULL_TREE,
2662 build_int_cst (unsigned_type_node,
2663 xloc.line), NULL_TREE,
2664 build_int_cst (unsigned_type_node,
2665 xloc.column));
2666 TREE_CONSTANT (ctor) = 1;
2667 TREE_STATIC (ctor) = 1;
2668 DECL_INITIAL (var) = ctor;
2669 varpool_node::finalize_decl (var);
2670 locptr = fold_convert (uptr, build_fold_addr_expr (var));
2671 }
2672 else
2673 locptr = build_int_cst (uptr, 0);
2674 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
2675 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr);
2676 init = build_constructor (type, vinner);
2677 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
2678 }
2679
2680 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2681 void
2682 initialize_sanitizer_builtins (void)
2683 {
2684 tree decl;
2685
2686 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
2687 return;
2688
2689 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
2690 tree BT_FN_VOID_PTR
2691 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
2692 tree BT_FN_VOID_CONST_PTR
2693 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
2694 tree BT_FN_VOID_PTR_PTR
2695 = build_function_type_list (void_type_node, ptr_type_node,
2696 ptr_type_node, NULL_TREE);
2697 tree BT_FN_VOID_PTR_PTR_PTR
2698 = build_function_type_list (void_type_node, ptr_type_node,
2699 ptr_type_node, ptr_type_node, NULL_TREE);
2700 tree BT_FN_VOID_PTR_PTRMODE
2701 = build_function_type_list (void_type_node, ptr_type_node,
2702 pointer_sized_int_node, NULL_TREE);
2703 tree BT_FN_VOID_INT
2704 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
2705 tree BT_FN_SIZE_CONST_PTR_INT
2706 = build_function_type_list (size_type_node, const_ptr_type_node,
2707 integer_type_node, NULL_TREE);
2708 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
2709 tree BT_FN_IX_CONST_VPTR_INT[5];
2710 tree BT_FN_IX_VPTR_IX_INT[5];
2711 tree BT_FN_VOID_VPTR_IX_INT[5];
2712 tree vptr
2713 = build_pointer_type (build_qualified_type (void_type_node,
2714 TYPE_QUAL_VOLATILE));
2715 tree cvptr
2716 = build_pointer_type (build_qualified_type (void_type_node,
2717 TYPE_QUAL_VOLATILE
2718 |TYPE_QUAL_CONST));
2719 tree boolt
2720 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
2721 int i;
2722 for (i = 0; i < 5; i++)
2723 {
2724 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
2725 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
2726 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
2727 integer_type_node, integer_type_node,
2728 NULL_TREE);
2729 BT_FN_IX_CONST_VPTR_INT[i]
2730 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
2731 BT_FN_IX_VPTR_IX_INT[i]
2732 = build_function_type_list (ix, vptr, ix, integer_type_node,
2733 NULL_TREE);
2734 BT_FN_VOID_VPTR_IX_INT[i]
2735 = build_function_type_list (void_type_node, vptr, ix,
2736 integer_type_node, NULL_TREE);
2737 }
2738 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2739 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2740 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2741 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2742 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2743 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2744 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2745 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2746 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2747 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2748 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2749 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2750 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2751 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2752 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2753 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2754 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2755 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2756 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2757 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2758 #undef ATTR_NOTHROW_LEAF_LIST
2759 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2760 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2761 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2762 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2763 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2764 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2765 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
2766 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
2767 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2768 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2769 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2770 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2771 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2772 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2773 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2774 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2775 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
2776 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
2777 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
2778 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2779 #undef ATTR_PURE_NOTHROW_LEAF_LIST
2780 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
2781 #undef DEF_BUILTIN_STUB
2782 #define DEF_BUILTIN_STUB(ENUM, NAME)
2783 #undef DEF_SANITIZER_BUILTIN
2784 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2785 do { \
2786 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2787 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2788 set_call_expr_flags (decl, ATTRS); \
2789 set_builtin_decl (ENUM, decl, true); \
2790 } while (0);
2791
2792 #include "sanitizer.def"
2793
2794 /* -fsanitize=object-size uses __builtin_object_size, but that might
2795 not be available for e.g. Fortran at this point. We use
2796 DEF_SANITIZER_BUILTIN here only as a convenience macro. */
2797 if ((flag_sanitize & SANITIZE_OBJECT_SIZE)
2798 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
2799 DEF_SANITIZER_BUILTIN (BUILT_IN_OBJECT_SIZE, "object_size",
2800 BT_FN_SIZE_CONST_PTR_INT,
2801 ATTR_PURE_NOTHROW_LEAF_LIST)
2802
2803 #undef DEF_SANITIZER_BUILTIN
2804 #undef DEF_BUILTIN_STUB
2805 }
2806
2807 /* Called via htab_traverse. Count number of emitted
2808 STRING_CSTs in the constant hash table. */
2809
2810 int
2811 count_string_csts (constant_descriptor_tree **slot,
2812 unsigned HOST_WIDE_INT *data)
2813 {
2814 struct constant_descriptor_tree *desc = *slot;
2815 if (TREE_CODE (desc->value) == STRING_CST
2816 && TREE_ASM_WRITTEN (desc->value)
2817 && asan_protect_global (desc->value))
2818 ++*data;
2819 return 1;
2820 }
2821
2822 /* Helper structure to pass two parameters to
2823 add_string_csts. */
2824
2825 struct asan_add_string_csts_data
2826 {
2827 tree type;
2828 vec<constructor_elt, va_gc> *v;
2829 };
2830
2831 /* Called via hash_table::traverse. Call asan_add_global
2832 on emitted STRING_CSTs from the constant hash table. */
2833
2834 int
2835 add_string_csts (constant_descriptor_tree **slot,
2836 asan_add_string_csts_data *aascd)
2837 {
2838 struct constant_descriptor_tree *desc = *slot;
2839 if (TREE_CODE (desc->value) == STRING_CST
2840 && TREE_ASM_WRITTEN (desc->value)
2841 && asan_protect_global (desc->value))
2842 {
2843 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
2844 aascd->type, aascd->v);
2845 }
2846 return 1;
2847 }
2848
2849 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
2850 invoke ggc_collect. */
2851 static GTY(()) tree asan_ctor_statements;
2852
2853 /* Module-level instrumentation.
2854 - Insert __asan_init_vN() into the list of CTORs.
2855 - TODO: insert redzones around globals.
2856 */
2857
2858 void
2859 asan_finish_file (void)
2860 {
2861 varpool_node *vnode;
2862 unsigned HOST_WIDE_INT gcount = 0;
2863
2864 if (shadow_ptr_types[0] == NULL_TREE)
2865 asan_init_shadow_ptr_types ();
2866 /* Avoid instrumenting code in the asan ctors/dtors.
2867 We don't need to insert padding after the description strings,
2868 nor after .LASAN* array. */
2869 flag_sanitize &= ~SANITIZE_ADDRESS;
2870
2871 /* For user-space we want asan constructors to run first.
2872 Linux kernel does not support priorities other than default, and the only
2873 other user of constructors is coverage. So we run with the default
2874 priority. */
2875 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
2876 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
2877
2878 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2879 {
2880 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
2881 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2882 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
2883 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2884 }
2885 FOR_EACH_DEFINED_VARIABLE (vnode)
2886 if (TREE_ASM_WRITTEN (vnode->decl)
2887 && asan_protect_global (vnode->decl))
2888 ++gcount;
2889 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
2890 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
2891 (&gcount);
2892 if (gcount)
2893 {
2894 tree type = asan_global_struct (), var, ctor;
2895 tree dtor_statements = NULL_TREE;
2896 vec<constructor_elt, va_gc> *v;
2897 char buf[20];
2898
2899 type = build_array_type_nelts (type, gcount);
2900 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
2901 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2902 type);
2903 TREE_STATIC (var) = 1;
2904 TREE_PUBLIC (var) = 0;
2905 DECL_ARTIFICIAL (var) = 1;
2906 DECL_IGNORED_P (var) = 1;
2907 vec_alloc (v, gcount);
2908 FOR_EACH_DEFINED_VARIABLE (vnode)
2909 if (TREE_ASM_WRITTEN (vnode->decl)
2910 && asan_protect_global (vnode->decl))
2911 asan_add_global (vnode->decl, TREE_TYPE (type), v);
2912 struct asan_add_string_csts_data aascd;
2913 aascd.type = TREE_TYPE (type);
2914 aascd.v = v;
2915 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
2916 (&aascd);
2917 ctor = build_constructor (type, v);
2918 TREE_CONSTANT (ctor) = 1;
2919 TREE_STATIC (ctor) = 1;
2920 DECL_INITIAL (var) = ctor;
2921 varpool_node::finalize_decl (var);
2922
2923 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
2924 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
2925 append_to_statement_list (build_call_expr (fn, 2,
2926 build_fold_addr_expr (var),
2927 gcount_tree),
2928 &asan_ctor_statements);
2929
2930 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
2931 append_to_statement_list (build_call_expr (fn, 2,
2932 build_fold_addr_expr (var),
2933 gcount_tree),
2934 &dtor_statements);
2935 cgraph_build_static_cdtor ('D', dtor_statements, priority);
2936 }
2937 if (asan_ctor_statements)
2938 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
2939 flag_sanitize |= SANITIZE_ADDRESS;
2940 }
2941
2942 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
2943 on SHADOW address. Newly added statements will be added to ITER with
2944 given location LOC. We mark SIZE bytes in shadow memory, where
2945 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
2946 end of a variable. */
2947
2948 static void
2949 asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
2950 tree shadow,
2951 unsigned HOST_WIDE_INT base_addr_offset,
2952 bool is_clobber, unsigned size,
2953 unsigned last_chunk_size)
2954 {
2955 tree shadow_ptr_type;
2956
2957 switch (size)
2958 {
2959 case 1:
2960 shadow_ptr_type = shadow_ptr_types[0];
2961 break;
2962 case 2:
2963 shadow_ptr_type = shadow_ptr_types[1];
2964 break;
2965 case 4:
2966 shadow_ptr_type = shadow_ptr_types[2];
2967 break;
2968 default:
2969 gcc_unreachable ();
2970 }
2971
2972 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
2973 unsigned HOST_WIDE_INT val = 0;
2974 unsigned last_pos = size;
2975 if (last_chunk_size && !is_clobber)
2976 last_pos = BYTES_BIG_ENDIAN ? 0 : size - 1;
2977 for (unsigned i = 0; i < size; ++i)
2978 {
2979 unsigned char shadow_c = c;
2980 if (i == last_pos)
2981 shadow_c = last_chunk_size;
2982 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
2983 }
2984
2985 /* Handle last chunk in unpoisoning. */
2986 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);
2987
2988 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
2989 build_int_cst (shadow_ptr_type, base_addr_offset));
2990
2991 gimple *g = gimple_build_assign (dest, magic);
2992 gimple_set_location (g, loc);
2993 gsi_insert_after (iter, g, GSI_NEW_STMT);
2994 }
2995
2996 /* Expand the ASAN_MARK builtins. */
2997
2998 bool
2999 asan_expand_mark_ifn (gimple_stmt_iterator *iter)
3000 {
3001 gimple *g = gsi_stmt (*iter);
3002 location_t loc = gimple_location (g);
3003 HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0));
3004 bool is_poison = ((asan_mark_flags)flag) == ASAN_MARK_POISON;
3005
3006 tree base = gimple_call_arg (g, 1);
3007 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
3008 tree decl = TREE_OPERAND (base, 0);
3009
3010 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
3011 if (TREE_CODE (decl) == COMPONENT_REF
3012 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0)))
3013 decl = TREE_OPERAND (decl, 0);
3014
3015 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);
3016
3017 if (is_poison)
3018 {
3019 if (asan_handled_variables == NULL)
3020 asan_handled_variables = new hash_set<tree> (16);
3021 asan_handled_variables->add (decl);
3022 }
3023 tree len = gimple_call_arg (g, 2);
3024
3025 gcc_assert (tree_fits_shwi_p (len));
3026 unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len);
3027 gcc_assert (size_in_bytes);
3028
3029 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3030 NOP_EXPR, base);
3031 gimple_set_location (g, loc);
3032 gsi_replace (iter, g, false);
3033 tree base_addr = gimple_assign_lhs (g);
3034
3035 /* Generate direct emission if size_in_bytes is small. */
3036 if (size_in_bytes <= ASAN_PARAM_USE_AFTER_SCOPE_DIRECT_EMISSION_THRESHOLD)
3037 {
3038 unsigned HOST_WIDE_INT shadow_size = shadow_mem_size (size_in_bytes);
3039
3040 tree shadow = build_shadow_mem_access (iter, loc, base_addr,
3041 shadow_ptr_types[0], true);
3042
3043 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
3044 {
3045 unsigned size = 1;
3046 if (shadow_size - offset >= 4)
3047 size = 4;
3048 else if (shadow_size - offset >= 2)
3049 size = 2;
3050
3051 unsigned HOST_WIDE_INT last_chunk_size = 0;
3052 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
3053 if (s > size_in_bytes)
3054 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);
3055
3056 asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison,
3057 size, last_chunk_size);
3058 offset += size;
3059 }
3060 }
3061 else
3062 {
3063 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3064 NOP_EXPR, len);
3065 gimple_set_location (g, loc);
3066 gsi_insert_before (iter, g, GSI_SAME_STMT);
3067 tree sz_arg = gimple_assign_lhs (g);
3068
3069 tree fun
3070 = builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY
3071 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY);
3072 g = gimple_build_call (fun, 2, base_addr, sz_arg);
3073 gimple_set_location (g, loc);
3074 gsi_insert_after (iter, g, GSI_NEW_STMT);
3075 }
3076
3077 return false;
3078 }
3079
3080 /* Expand the ASAN_{LOAD,STORE} builtins. */
3081
3082 bool
3083 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
3084 {
3085 gimple *g = gsi_stmt (*iter);
3086 location_t loc = gimple_location (g);
3087 bool recover_p;
3088 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3089 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3090 else
3091 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3092
3093 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
3094 gcc_assert (flags < ASAN_CHECK_LAST);
3095 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
3096 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
3097 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
3098
3099 tree base = gimple_call_arg (g, 1);
3100 tree len = gimple_call_arg (g, 2);
3101 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
3102
3103 HOST_WIDE_INT size_in_bytes
3104 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
3105
3106 if (use_calls)
3107 {
3108 /* Instrument using callbacks. */
3109 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3110 NOP_EXPR, base);
3111 gimple_set_location (g, loc);
3112 gsi_insert_before (iter, g, GSI_SAME_STMT);
3113 tree base_addr = gimple_assign_lhs (g);
3114
3115 int nargs;
3116 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
3117 if (nargs == 1)
3118 g = gimple_build_call (fun, 1, base_addr);
3119 else
3120 {
3121 gcc_assert (nargs == 2);
3122 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3123 NOP_EXPR, len);
3124 gimple_set_location (g, loc);
3125 gsi_insert_before (iter, g, GSI_SAME_STMT);
3126 tree sz_arg = gimple_assign_lhs (g);
3127 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
3128 }
3129 gimple_set_location (g, loc);
3130 gsi_replace (iter, g, false);
3131 return false;
3132 }
3133
3134 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
3135
3136 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
3137 tree shadow_type = TREE_TYPE (shadow_ptr_type);
3138
3139 gimple_stmt_iterator gsi = *iter;
3140
3141 if (!is_non_zero_len)
3142 {
3143 /* So, the length of the memory area to asan-protect is
3144 non-constant. Let's guard the generated instrumentation code
3145 like:
3146
3147 if (len != 0)
3148 {
3149 //asan instrumentation code goes here.
3150 }
3151 // falltrough instructions, starting with *ITER. */
3152
3153 g = gimple_build_cond (NE_EXPR,
3154 len,
3155 build_int_cst (TREE_TYPE (len), 0),
3156 NULL_TREE, NULL_TREE);
3157 gimple_set_location (g, loc);
3158
3159 basic_block then_bb, fallthrough_bb;
3160 insert_if_then_before_iter (as_a <gcond *> (g), iter,
3161 /*then_more_likely_p=*/true,
3162 &then_bb, &fallthrough_bb);
3163 /* Note that fallthrough_bb starts with the statement that was
3164 pointed to by ITER. */
3165
3166 /* The 'then block' of the 'if (len != 0) condition is where
3167 we'll generate the asan instrumentation code now. */
3168 gsi = gsi_last_bb (then_bb);
3169 }
3170
3171 /* Get an iterator on the point where we can add the condition
3172 statement for the instrumentation. */
3173 basic_block then_bb, else_bb;
3174 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
3175 /*then_more_likely_p=*/false,
3176 /*create_then_fallthru_edge*/recover_p,
3177 &then_bb,
3178 &else_bb);
3179
3180 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3181 NOP_EXPR, base);
3182 gimple_set_location (g, loc);
3183 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
3184 tree base_addr = gimple_assign_lhs (g);
3185
3186 tree t = NULL_TREE;
3187 if (real_size_in_bytes >= 8)
3188 {
3189 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3190 shadow_ptr_type);
3191 t = shadow;
3192 }
3193 else
3194 {
3195 /* Slow path for 1, 2 and 4 byte accesses. */
3196 /* Test (shadow != 0)
3197 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
3198 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3199 shadow_ptr_type);
3200 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3201 gimple_seq seq = NULL;
3202 gimple_seq_add_stmt (&seq, shadow_test);
3203 /* Aligned (>= 8 bytes) can test just
3204 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
3205 to be 0. */
3206 if (align < 8)
3207 {
3208 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3209 base_addr, 7));
3210 gimple_seq_add_stmt (&seq,
3211 build_type_cast (shadow_type,
3212 gimple_seq_last (seq)));
3213 if (real_size_in_bytes > 1)
3214 gimple_seq_add_stmt (&seq,
3215 build_assign (PLUS_EXPR,
3216 gimple_seq_last (seq),
3217 real_size_in_bytes - 1));
3218 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
3219 }
3220 else
3221 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
3222 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
3223 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3224 gimple_seq_last (seq)));
3225 t = gimple_assign_lhs (gimple_seq_last (seq));
3226 gimple_seq_set_location (seq, loc);
3227 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3228
3229 /* For non-constant, misaligned or otherwise weird access sizes,
3230 check first and last byte. */
3231 if (size_in_bytes == -1)
3232 {
3233 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3234 MINUS_EXPR, len,
3235 build_int_cst (pointer_sized_int_node, 1));
3236 gimple_set_location (g, loc);
3237 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3238 tree last = gimple_assign_lhs (g);
3239 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3240 PLUS_EXPR, base_addr, last);
3241 gimple_set_location (g, loc);
3242 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3243 tree base_end_addr = gimple_assign_lhs (g);
3244
3245 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
3246 shadow_ptr_type);
3247 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3248 gimple_seq seq = NULL;
3249 gimple_seq_add_stmt (&seq, shadow_test);
3250 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3251 base_end_addr, 7));
3252 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
3253 gimple_seq_last (seq)));
3254 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
3255 gimple_seq_last (seq),
3256 shadow));
3257 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3258 gimple_seq_last (seq)));
3259 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
3260 gimple_seq_last (seq)));
3261 t = gimple_assign_lhs (gimple_seq_last (seq));
3262 gimple_seq_set_location (seq, loc);
3263 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3264 }
3265 }
3266
3267 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
3268 NULL_TREE, NULL_TREE);
3269 gimple_set_location (g, loc);
3270 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3271
3272 /* Generate call to the run-time library (e.g. __asan_report_load8). */
3273 gsi = gsi_start_bb (then_bb);
3274 int nargs;
3275 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
3276 g = gimple_build_call (fun, nargs, base_addr, len);
3277 gimple_set_location (g, loc);
3278 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3279
3280 gsi_remove (iter, true);
3281 *iter = gsi_start_bb (else_bb);
3282
3283 return true;
3284 }
3285
3286 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
3287 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
3288
3289 static tree
3290 create_asan_shadow_var (tree var_decl,
3291 hash_map<tree, tree> &shadow_vars_mapping)
3292 {
3293 tree *slot = shadow_vars_mapping.get (var_decl);
3294 if (slot == NULL)
3295 {
3296 tree shadow_var = copy_node (var_decl);
3297
3298 copy_body_data id;
3299 memset (&id, 0, sizeof (copy_body_data));
3300 id.src_fn = id.dst_fn = current_function_decl;
3301 copy_decl_for_dup_finish (&id, var_decl, shadow_var);
3302
3303 DECL_ARTIFICIAL (shadow_var) = 1;
3304 DECL_IGNORED_P (shadow_var) = 1;
3305 DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0;
3306 gimple_add_tmp_var (shadow_var);
3307
3308 shadow_vars_mapping.put (var_decl, shadow_var);
3309 return shadow_var;
3310 }
3311 else
3312 return *slot;
3313 }
3314
3315 /* Expand ASAN_POISON ifn. */
3316
3317 bool
3318 asan_expand_poison_ifn (gimple_stmt_iterator *iter,
3319 bool *need_commit_edge_insert,
3320 hash_map<tree, tree> &shadow_vars_mapping)
3321 {
3322 gimple *g = gsi_stmt (*iter);
3323 tree poisoned_var = gimple_call_lhs (g);
3324 if (!poisoned_var || has_zero_uses (poisoned_var))
3325 {
3326 gsi_remove (iter, true);
3327 return true;
3328 }
3329
3330 if (SSA_NAME_VAR (poisoned_var) == NULL_TREE)
3331 SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var,
3332 create_tmp_var (TREE_TYPE (poisoned_var)));
3333
3334 tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var),
3335 shadow_vars_mapping);
3336
3337 bool recover_p;
3338 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3339 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3340 else
3341 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3342 tree size = DECL_SIZE_UNIT (shadow_var);
3343 gimple *poison_call
3344 = gimple_build_call_internal (IFN_ASAN_MARK, 3,
3345 build_int_cst (integer_type_node,
3346 ASAN_MARK_POISON),
3347 build_fold_addr_expr (shadow_var), size);
3348
3349 gimple *use;
3350 imm_use_iterator imm_iter;
3351 FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var)
3352 {
3353 if (is_gimple_debug (use))
3354 continue;
3355
3356 int nargs;
3357 bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE);
3358 tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size),
3359 &nargs);
3360
3361 gcall *call = gimple_build_call (fun, 1,
3362 build_fold_addr_expr (shadow_var));
3363 gimple_set_location (call, gimple_location (use));
3364 gimple *call_to_insert = call;
3365
3366 /* The USE can be a gimple PHI node. If so, insert the call on
3367 all edges leading to the PHI node. */
3368 if (is_a <gphi *> (use))
3369 {
3370 gphi *phi = dyn_cast<gphi *> (use);
3371 for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i)
3372 if (gimple_phi_arg_def (phi, i) == poisoned_var)
3373 {
3374 edge e = gimple_phi_arg_edge (phi, i);
3375
3376 if (call_to_insert == NULL)
3377 call_to_insert = gimple_copy (call);
3378
3379 gsi_insert_seq_on_edge (e, call_to_insert);
3380 *need_commit_edge_insert = true;
3381 call_to_insert = NULL;
3382 }
3383 }
3384 else
3385 {
3386 gimple_stmt_iterator gsi = gsi_for_stmt (use);
3387 if (store_p)
3388 gsi_replace (&gsi, call, true);
3389 else
3390 gsi_insert_before (&gsi, call, GSI_NEW_STMT);
3391 }
3392 }
3393
3394 SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true;
3395 SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop ();
3396 gsi_replace (iter, poison_call, false);
3397
3398 return true;
3399 }
3400
3401 /* Instrument the current function. */
3402
3403 static unsigned int
3404 asan_instrument (void)
3405 {
3406 if (shadow_ptr_types[0] == NULL_TREE)
3407 asan_init_shadow_ptr_types ();
3408 transform_statements ();
3409 last_alloca_addr = NULL_TREE;
3410 return 0;
3411 }
3412
3413 static bool
3414 gate_asan (void)
3415 {
3416 return sanitize_flags_p (SANITIZE_ADDRESS);
3417 }
3418
3419 namespace {
3420
3421 const pass_data pass_data_asan =
3422 {
3423 GIMPLE_PASS, /* type */
3424 "asan", /* name */
3425 OPTGROUP_NONE, /* optinfo_flags */
3426 TV_NONE, /* tv_id */
3427 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3428 0, /* properties_provided */
3429 0, /* properties_destroyed */
3430 0, /* todo_flags_start */
3431 TODO_update_ssa, /* todo_flags_finish */
3432 };
3433
3434 class pass_asan : public gimple_opt_pass
3435 {
3436 public:
3437 pass_asan (gcc::context *ctxt)
3438 : gimple_opt_pass (pass_data_asan, ctxt)
3439 {}
3440
3441 /* opt_pass methods: */
3442 opt_pass * clone () { return new pass_asan (m_ctxt); }
3443 virtual bool gate (function *) { return gate_asan (); }
3444 virtual unsigned int execute (function *) { return asan_instrument (); }
3445
3446 }; // class pass_asan
3447
3448 } // anon namespace
3449
3450 gimple_opt_pass *
3451 make_pass_asan (gcc::context *ctxt)
3452 {
3453 return new pass_asan (ctxt);
3454 }
3455
3456 namespace {
3457
3458 const pass_data pass_data_asan_O0 =
3459 {
3460 GIMPLE_PASS, /* type */
3461 "asan0", /* name */
3462 OPTGROUP_NONE, /* optinfo_flags */
3463 TV_NONE, /* tv_id */
3464 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3465 0, /* properties_provided */
3466 0, /* properties_destroyed */
3467 0, /* todo_flags_start */
3468 TODO_update_ssa, /* todo_flags_finish */
3469 };
3470
3471 class pass_asan_O0 : public gimple_opt_pass
3472 {
3473 public:
3474 pass_asan_O0 (gcc::context *ctxt)
3475 : gimple_opt_pass (pass_data_asan_O0, ctxt)
3476 {}
3477
3478 /* opt_pass methods: */
3479 virtual bool gate (function *) { return !optimize && gate_asan (); }
3480 virtual unsigned int execute (function *) { return asan_instrument (); }
3481
3482 }; // class pass_asan_O0
3483
3484 } // anon namespace
3485
3486 gimple_opt_pass *
3487 make_pass_asan_O0 (gcc::context *ctxt)
3488 {
3489 return new pass_asan_O0 (ctxt);
3490 }
3491
3492 #include "gt-asan.h"
Mirror of the offical gcc git repository hosted at gcc.gnu.org