search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Define arm_arch_core_flags in a single file
[official-gcc.git] / gcc / asan.c
blob5af95472db9cafc08321fe805f4912f47d0b078a
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2016 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
11
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "backend.h"
26 #include "target.h"
27 #include "rtl.h"
28 #include "tree.h"
29 #include "gimple.h"
30 #include "cfghooks.h"
31 #include "alloc-pool.h"
32 #include "tree-pass.h"
33 #include "memmodel.h"
34 #include "tm_p.h"
35 #include "stringpool.h"
36 #include "tree-vrp.h"
37 #include "tree-ssanames.h"
38 #include "optabs.h"
39 #include "emit-rtl.h"
40 #include "cgraph.h"
41 #include "gimple-pretty-print.h"
42 #include "alias.h"
43 #include "fold-const.h"
44 #include "cfganal.h"
45 #include "gimplify.h"
46 #include "gimple-iterator.h"
47 #include "varasm.h"
48 #include "stor-layout.h"
49 #include "tree-iterator.h"
50 #include "asan.h"
51 #include "dojump.h"
52 #include "explow.h"
53 #include "expr.h"
54 #include "output.h"
55 #include "langhooks.h"
56 #include "cfgloop.h"
57 #include "gimple-builder.h"
58 #include "ubsan.h"
59 #include "params.h"
60 #include "builtins.h"
61 #include "fnmatch.h"
62
63 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
64 with <2x slowdown on average.
65
66 The tool consists of two parts:
67 instrumentation module (this file) and a run-time library.
68 The instrumentation module adds a run-time check before every memory insn.
69 For a 8- or 16- byte load accessing address X:
70 ShadowAddr = (X >> 3) + Offset
71 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
72 if (ShadowValue)
73 __asan_report_load8(X);
74 For a load of N bytes (N=1, 2 or 4) from address X:
75 ShadowAddr = (X >> 3) + Offset
76 ShadowValue = *(char*)ShadowAddr;
77 if (ShadowValue)
78 if ((X & 7) + N - 1 > ShadowValue)
79 __asan_report_loadN(X);
80 Stores are instrumented similarly, but using __asan_report_storeN functions.
81 A call too __asan_init_vN() is inserted to the list of module CTORs.
82 N is the version number of the AddressSanitizer API. The changes between the
83 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
84
85 The run-time library redefines malloc (so that redzone are inserted around
86 the allocated memory) and free (so that reuse of free-ed memory is delayed),
87 provides __asan_report* and __asan_init_vN functions.
88
89 Read more:
90 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
91
92 The current implementation supports detection of out-of-bounds and
93 use-after-free in the heap, on the stack and for global variables.
94
95 [Protection of stack variables]
96
97 To understand how detection of out-of-bounds and use-after-free works
98 for stack variables, lets look at this example on x86_64 where the
99 stack grows downward:
100
101 int
102 foo ()
103 {
104 char a[23] = {0};
105 int b[2] = {0};
106
107 a[5] = 1;
108 b[1] = 2;
109
110 return a[5] + b[1];
111 }
112
113 For this function, the stack protected by asan will be organized as
114 follows, from the top of the stack to the bottom:
115
116 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
117
118 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
119 the next slot be 32 bytes aligned; this one is called Partial
120 Redzone; this 32 bytes alignment is an asan constraint]
121
122 Slot 3/ [24 bytes for variable 'a']
123
124 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
125
126 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
127
128 Slot 6/ [8 bytes for variable 'b']
129
130 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
131 'LEFT RedZone']
132
133 The 32 bytes of LEFT red zone at the bottom of the stack can be
134 decomposed as such:
135
136 1/ The first 8 bytes contain a magical asan number that is always
137 0x41B58AB3.
138
139 2/ The following 8 bytes contains a pointer to a string (to be
140 parsed at runtime by the runtime asan library), which format is
141 the following:
142
143 "<function-name> <space> <num-of-variables-on-the-stack>
144 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
145 <length-of-var-in-bytes> ){n} "
146
147 where '(...){n}' means the content inside the parenthesis occurs 'n'
148 times, with 'n' being the number of variables on the stack.
149
150 3/ The following 8 bytes contain the PC of the current function which
151 will be used by the run-time library to print an error message.
152
153 4/ The following 8 bytes are reserved for internal use by the run-time.
154
155 The shadow memory for that stack layout is going to look like this:
156
157 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
158 The F1 byte pattern is a magic number called
159 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
160 the memory for that shadow byte is part of a the LEFT red zone
161 intended to seat at the bottom of the variables on the stack.
162
163 - content of shadow memory 8 bytes for slots 6 and 5:
164 0xF4F4F400. The F4 byte pattern is a magic number
165 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
166 memory region for this shadow byte is a PARTIAL red zone
167 intended to pad a variable A, so that the slot following
168 {A,padding} is 32 bytes aligned.
169
170 Note that the fact that the least significant byte of this
171 shadow memory content is 00 means that 8 bytes of its
172 corresponding memory (which corresponds to the memory of
173 variable 'b') is addressable.
174
175 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
176 The F2 byte pattern is a magic number called
177 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
178 region for this shadow byte is a MIDDLE red zone intended to
179 seat between two 32 aligned slots of {variable,padding}.
180
181 - content of shadow memory 8 bytes for slot 3 and 2:
182 0xF4000000. This represents is the concatenation of
183 variable 'a' and the partial red zone following it, like what we
184 had for variable 'b'. The least significant 3 bytes being 00
185 means that the 3 bytes of variable 'a' are addressable.
186
187 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
188 The F3 byte pattern is a magic number called
189 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
190 region for this shadow byte is a RIGHT red zone intended to seat
191 at the top of the variables of the stack.
192
193 Note that the real variable layout is done in expand_used_vars in
194 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
195 stack variables as well as the different red zones, emits some
196 prologue code to populate the shadow memory as to poison (mark as
197 non-accessible) the regions of the red zones and mark the regions of
198 stack variables as accessible, and emit some epilogue code to
199 un-poison (mark as accessible) the regions of red zones right before
200 the function exits.
201
202 [Protection of global variables]
203
204 The basic idea is to insert a red zone between two global variables
205 and install a constructor function that calls the asan runtime to do
206 the populating of the relevant shadow memory regions at load time.
207
208 So the global variables are laid out as to insert a red zone between
209 them. The size of the red zones is so that each variable starts on a
210 32 bytes boundary.
211
212 Then a constructor function is installed so that, for each global
213 variable, it calls the runtime asan library function
214 __asan_register_globals_with an instance of this type:
215
216 struct __asan_global
217 {
218 // Address of the beginning of the global variable.
219 const void *__beg;
220
221 // Initial size of the global variable.
222 uptr __size;
223
224 // Size of the global variable + size of the red zone. This
225 // size is 32 bytes aligned.
226 uptr __size_with_redzone;
227
228 // Name of the global variable.
229 const void *__name;
230
231 // Name of the module where the global variable is declared.
232 const void *__module_name;
233
234 // 1 if it has dynamic initialization, 0 otherwise.
235 uptr __has_dynamic_init;
236
237 // A pointer to struct that contains source location, could be NULL.
238 __asan_global_source_location *__location;
239 }
240
241 A destructor function that calls the runtime asan library function
242 _asan_unregister_globals is also installed. */
243
244 static unsigned HOST_WIDE_INT asan_shadow_offset_value;
245 static bool asan_shadow_offset_computed;
246 static vec<char *> sanitized_sections;
247
248 /* Return true if STMT is ASAN_MARK poisoning internal function call. */
249 static inline bool
250 asan_mark_poison_p (gimple *stmt)
251 {
252 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
253 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == ASAN_MARK_CLOBBER);
254
255 }
256
257 /* Set of variable declarations that are going to be guarded by
258 use-after-scope sanitizer. */
259
260 static hash_set<tree> *asan_handled_variables = NULL;
261
262 hash_set <tree> *asan_used_labels = NULL;
263
264 /* Sets shadow offset to value in string VAL. */
265
266 bool
267 set_asan_shadow_offset (const char *val)
268 {
269 char *endp;
270
271 errno = 0;
272 #ifdef HAVE_LONG_LONG
273 asan_shadow_offset_value = strtoull (val, &endp, 0);
274 #else
275 asan_shadow_offset_value = strtoul (val, &endp, 0);
276 #endif
277 if (!(*val != '\0' && *endp == '\0' && errno == 0))
278 return false;
279
280 asan_shadow_offset_computed = true;
281
282 return true;
283 }
284
285 /* Set list of user-defined sections that need to be sanitized. */
286
287 void
288 set_sanitized_sections (const char *sections)
289 {
290 char *pat;
291 unsigned i;
292 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
293 free (pat);
294 sanitized_sections.truncate (0);
295
296 for (const char *s = sections; *s; )
297 {
298 const char *end;
299 for (end = s; *end && *end != ','; ++end);
300 size_t len = end - s;
301 sanitized_sections.safe_push (xstrndup (s, len));
302 s = *end ? end + 1 : end;
303 }
304 }
305
306 bool
307 asan_sanitize_stack_p (void)
308 {
309 return ((flag_sanitize & SANITIZE_ADDRESS)
310 && ASAN_STACK
311 && !asan_no_sanitize_address_p ());
312 }
313
314 /* Checks whether section SEC should be sanitized. */
315
316 static bool
317 section_sanitized_p (const char *sec)
318 {
319 char *pat;
320 unsigned i;
321 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
322 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
323 return true;
324 return false;
325 }
326
327 /* Returns Asan shadow offset. */
328
329 static unsigned HOST_WIDE_INT
330 asan_shadow_offset ()
331 {
332 if (!asan_shadow_offset_computed)
333 {
334 asan_shadow_offset_computed = true;
335 asan_shadow_offset_value = targetm.asan_shadow_offset ();
336 }
337 return asan_shadow_offset_value;
338 }
339
340 alias_set_type asan_shadow_set = -1;
341
342 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
343 alias set is used for all shadow memory accesses. */
344 static GTY(()) tree shadow_ptr_types[3];
345
346 /* Decl for __asan_option_detect_stack_use_after_return. */
347 static GTY(()) tree asan_detect_stack_use_after_return;
348
349 /* Hashtable support for memory references used by gimple
350 statements. */
351
352 /* This type represents a reference to a memory region. */
353 struct asan_mem_ref
354 {
355 /* The expression of the beginning of the memory region. */
356 tree start;
357
358 /* The size of the access. */
359 HOST_WIDE_INT access_size;
360 };
361
362 object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
363
364 /* Initializes an instance of asan_mem_ref. */
365
366 static void
367 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
368 {
369 ref->start = start;
370 ref->access_size = access_size;
371 }
372
373 /* Allocates memory for an instance of asan_mem_ref into the memory
374 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
375 START is the address of (or the expression pointing to) the
376 beginning of memory reference. ACCESS_SIZE is the size of the
377 access to the referenced memory. */
378
379 static asan_mem_ref*
380 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
381 {
382 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
383
384 asan_mem_ref_init (ref, start, access_size);
385 return ref;
386 }
387
388 /* This builds and returns a pointer to the end of the memory region
389 that starts at START and of length LEN. */
390
391 tree
392 asan_mem_ref_get_end (tree start, tree len)
393 {
394 if (len == NULL_TREE || integer_zerop (len))
395 return start;
396
397 if (!ptrofftype_p (len))
398 len = convert_to_ptrofftype (len);
399
400 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
401 }
402
403 /* Return a tree expression that represents the end of the referenced
404 memory region. Beware that this function can actually build a new
405 tree expression. */
406
407 tree
408 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
409 {
410 return asan_mem_ref_get_end (ref->start, len);
411 }
412
413 struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
414 {
415 static inline hashval_t hash (const asan_mem_ref *);
416 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
417 };
418
419 /* Hash a memory reference. */
420
421 inline hashval_t
422 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
423 {
424 return iterative_hash_expr (mem_ref->start, 0);
425 }
426
427 /* Compare two memory references. We accept the length of either
428 memory references to be NULL_TREE. */
429
430 inline bool
431 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
432 const asan_mem_ref *m2)
433 {
434 return operand_equal_p (m1->start, m2->start, 0);
435 }
436
437 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
438
439 /* Returns a reference to the hash table containing memory references.
440 This function ensures that the hash table is created. Note that
441 this hash table is updated by the function
442 update_mem_ref_hash_table. */
443
444 static hash_table<asan_mem_ref_hasher> *
445 get_mem_ref_hash_table ()
446 {
447 if (!asan_mem_ref_ht)
448 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
449
450 return asan_mem_ref_ht;
451 }
452
453 /* Clear all entries from the memory references hash table. */
454
455 static void
456 empty_mem_ref_hash_table ()
457 {
458 if (asan_mem_ref_ht)
459 asan_mem_ref_ht->empty ();
460 }
461
462 /* Free the memory references hash table. */
463
464 static void
465 free_mem_ref_resources ()
466 {
467 delete asan_mem_ref_ht;
468 asan_mem_ref_ht = NULL;
469
470 asan_mem_ref_pool.release ();
471 }
472
473 /* Return true iff the memory reference REF has been instrumented. */
474
475 static bool
476 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
477 {
478 asan_mem_ref r;
479 asan_mem_ref_init (&r, ref, access_size);
480
481 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
482 return saved_ref && saved_ref->access_size >= access_size;
483 }
484
485 /* Return true iff the memory reference REF has been instrumented. */
486
487 static bool
488 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
489 {
490 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
491 }
492
493 /* Return true iff access to memory region starting at REF and of
494 length LEN has been instrumented. */
495
496 static bool
497 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
498 {
499 HOST_WIDE_INT size_in_bytes
500 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
501
502 return size_in_bytes != -1
503 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
504 }
505
506 /* Set REF to the memory reference present in a gimple assignment
507 ASSIGNMENT. Return true upon successful completion, false
508 otherwise. */
509
510 static bool
511 get_mem_ref_of_assignment (const gassign *assignment,
512 asan_mem_ref *ref,
513 bool *ref_is_store)
514 {
515 gcc_assert (gimple_assign_single_p (assignment));
516
517 if (gimple_store_p (assignment)
518 && !gimple_clobber_p (assignment))
519 {
520 ref->start = gimple_assign_lhs (assignment);
521 *ref_is_store = true;
522 }
523 else if (gimple_assign_load_p (assignment))
524 {
525 ref->start = gimple_assign_rhs1 (assignment);
526 *ref_is_store = false;
527 }
528 else
529 return false;
530
531 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
532 return true;
533 }
534
535 /* Return the memory references contained in a gimple statement
536 representing a builtin call that has to do with memory access. */
537
538 static bool
539 get_mem_refs_of_builtin_call (const gcall *call,
540 asan_mem_ref *src0,
541 tree *src0_len,
542 bool *src0_is_store,
543 asan_mem_ref *src1,
544 tree *src1_len,
545 bool *src1_is_store,
546 asan_mem_ref *dst,
547 tree *dst_len,
548 bool *dst_is_store,
549 bool *dest_is_deref,
550 bool *intercepted_p)
551 {
552 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
553
554 tree callee = gimple_call_fndecl (call);
555 tree source0 = NULL_TREE, source1 = NULL_TREE,
556 dest = NULL_TREE, len = NULL_TREE;
557 bool is_store = true, got_reference_p = false;
558 HOST_WIDE_INT access_size = 1;
559
560 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
561
562 switch (DECL_FUNCTION_CODE (callee))
563 {
564 /* (s, s, n) style memops. */
565 case BUILT_IN_BCMP:
566 case BUILT_IN_MEMCMP:
567 source0 = gimple_call_arg (call, 0);
568 source1 = gimple_call_arg (call, 1);
569 len = gimple_call_arg (call, 2);
570 break;
571
572 /* (src, dest, n) style memops. */
573 case BUILT_IN_BCOPY:
574 source0 = gimple_call_arg (call, 0);
575 dest = gimple_call_arg (call, 1);
576 len = gimple_call_arg (call, 2);
577 break;
578
579 /* (dest, src, n) style memops. */
580 case BUILT_IN_MEMCPY:
581 case BUILT_IN_MEMCPY_CHK:
582 case BUILT_IN_MEMMOVE:
583 case BUILT_IN_MEMMOVE_CHK:
584 case BUILT_IN_MEMPCPY:
585 case BUILT_IN_MEMPCPY_CHK:
586 dest = gimple_call_arg (call, 0);
587 source0 = gimple_call_arg (call, 1);
588 len = gimple_call_arg (call, 2);
589 break;
590
591 /* (dest, n) style memops. */
592 case BUILT_IN_BZERO:
593 dest = gimple_call_arg (call, 0);
594 len = gimple_call_arg (call, 1);
595 break;
596
597 /* (dest, x, n) style memops*/
598 case BUILT_IN_MEMSET:
599 case BUILT_IN_MEMSET_CHK:
600 dest = gimple_call_arg (call, 0);
601 len = gimple_call_arg (call, 2);
602 break;
603
604 case BUILT_IN_STRLEN:
605 source0 = gimple_call_arg (call, 0);
606 len = gimple_call_lhs (call);
607 break ;
608
609 /* And now the __atomic* and __sync builtins.
610 These are handled differently from the classical memory memory
611 access builtins above. */
612
613 case BUILT_IN_ATOMIC_LOAD_1:
614 case BUILT_IN_ATOMIC_LOAD_2:
615 case BUILT_IN_ATOMIC_LOAD_4:
616 case BUILT_IN_ATOMIC_LOAD_8:
617 case BUILT_IN_ATOMIC_LOAD_16:
618 is_store = false;
619 /* fall through. */
620
621 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
622 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
623 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
624 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
625 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
626
627 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
628 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
629 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
630 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
631 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
632
633 case BUILT_IN_SYNC_FETCH_AND_OR_1:
634 case BUILT_IN_SYNC_FETCH_AND_OR_2:
635 case BUILT_IN_SYNC_FETCH_AND_OR_4:
636 case BUILT_IN_SYNC_FETCH_AND_OR_8:
637 case BUILT_IN_SYNC_FETCH_AND_OR_16:
638
639 case BUILT_IN_SYNC_FETCH_AND_AND_1:
640 case BUILT_IN_SYNC_FETCH_AND_AND_2:
641 case BUILT_IN_SYNC_FETCH_AND_AND_4:
642 case BUILT_IN_SYNC_FETCH_AND_AND_8:
643 case BUILT_IN_SYNC_FETCH_AND_AND_16:
644
645 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
646 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
647 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
648 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
649 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
650
651 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
652 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
653 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
654 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
655
656 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
657 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
658 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
659 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
660 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
661
662 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
663 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
664 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
665 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
666 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
667
668 case BUILT_IN_SYNC_OR_AND_FETCH_1:
669 case BUILT_IN_SYNC_OR_AND_FETCH_2:
670 case BUILT_IN_SYNC_OR_AND_FETCH_4:
671 case BUILT_IN_SYNC_OR_AND_FETCH_8:
672 case BUILT_IN_SYNC_OR_AND_FETCH_16:
673
674 case BUILT_IN_SYNC_AND_AND_FETCH_1:
675 case BUILT_IN_SYNC_AND_AND_FETCH_2:
676 case BUILT_IN_SYNC_AND_AND_FETCH_4:
677 case BUILT_IN_SYNC_AND_AND_FETCH_8:
678 case BUILT_IN_SYNC_AND_AND_FETCH_16:
679
680 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
681 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
682 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
683 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
684 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
685
686 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
687 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
688 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
689 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
690
691 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
692 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
693 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
694 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
695 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
696
697 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
698 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
699 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
700 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
701 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
702
703 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
704 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
705 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
706 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
707 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
708
709 case BUILT_IN_SYNC_LOCK_RELEASE_1:
710 case BUILT_IN_SYNC_LOCK_RELEASE_2:
711 case BUILT_IN_SYNC_LOCK_RELEASE_4:
712 case BUILT_IN_SYNC_LOCK_RELEASE_8:
713 case BUILT_IN_SYNC_LOCK_RELEASE_16:
714
715 case BUILT_IN_ATOMIC_EXCHANGE_1:
716 case BUILT_IN_ATOMIC_EXCHANGE_2:
717 case BUILT_IN_ATOMIC_EXCHANGE_4:
718 case BUILT_IN_ATOMIC_EXCHANGE_8:
719 case BUILT_IN_ATOMIC_EXCHANGE_16:
720
721 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
722 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
723 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
724 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
725 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
726
727 case BUILT_IN_ATOMIC_STORE_1:
728 case BUILT_IN_ATOMIC_STORE_2:
729 case BUILT_IN_ATOMIC_STORE_4:
730 case BUILT_IN_ATOMIC_STORE_8:
731 case BUILT_IN_ATOMIC_STORE_16:
732
733 case BUILT_IN_ATOMIC_ADD_FETCH_1:
734 case BUILT_IN_ATOMIC_ADD_FETCH_2:
735 case BUILT_IN_ATOMIC_ADD_FETCH_4:
736 case BUILT_IN_ATOMIC_ADD_FETCH_8:
737 case BUILT_IN_ATOMIC_ADD_FETCH_16:
738
739 case BUILT_IN_ATOMIC_SUB_FETCH_1:
740 case BUILT_IN_ATOMIC_SUB_FETCH_2:
741 case BUILT_IN_ATOMIC_SUB_FETCH_4:
742 case BUILT_IN_ATOMIC_SUB_FETCH_8:
743 case BUILT_IN_ATOMIC_SUB_FETCH_16:
744
745 case BUILT_IN_ATOMIC_AND_FETCH_1:
746 case BUILT_IN_ATOMIC_AND_FETCH_2:
747 case BUILT_IN_ATOMIC_AND_FETCH_4:
748 case BUILT_IN_ATOMIC_AND_FETCH_8:
749 case BUILT_IN_ATOMIC_AND_FETCH_16:
750
751 case BUILT_IN_ATOMIC_NAND_FETCH_1:
752 case BUILT_IN_ATOMIC_NAND_FETCH_2:
753 case BUILT_IN_ATOMIC_NAND_FETCH_4:
754 case BUILT_IN_ATOMIC_NAND_FETCH_8:
755 case BUILT_IN_ATOMIC_NAND_FETCH_16:
756
757 case BUILT_IN_ATOMIC_XOR_FETCH_1:
758 case BUILT_IN_ATOMIC_XOR_FETCH_2:
759 case BUILT_IN_ATOMIC_XOR_FETCH_4:
760 case BUILT_IN_ATOMIC_XOR_FETCH_8:
761 case BUILT_IN_ATOMIC_XOR_FETCH_16:
762
763 case BUILT_IN_ATOMIC_OR_FETCH_1:
764 case BUILT_IN_ATOMIC_OR_FETCH_2:
765 case BUILT_IN_ATOMIC_OR_FETCH_4:
766 case BUILT_IN_ATOMIC_OR_FETCH_8:
767 case BUILT_IN_ATOMIC_OR_FETCH_16:
768
769 case BUILT_IN_ATOMIC_FETCH_ADD_1:
770 case BUILT_IN_ATOMIC_FETCH_ADD_2:
771 case BUILT_IN_ATOMIC_FETCH_ADD_4:
772 case BUILT_IN_ATOMIC_FETCH_ADD_8:
773 case BUILT_IN_ATOMIC_FETCH_ADD_16:
774
775 case BUILT_IN_ATOMIC_FETCH_SUB_1:
776 case BUILT_IN_ATOMIC_FETCH_SUB_2:
777 case BUILT_IN_ATOMIC_FETCH_SUB_4:
778 case BUILT_IN_ATOMIC_FETCH_SUB_8:
779 case BUILT_IN_ATOMIC_FETCH_SUB_16:
780
781 case BUILT_IN_ATOMIC_FETCH_AND_1:
782 case BUILT_IN_ATOMIC_FETCH_AND_2:
783 case BUILT_IN_ATOMIC_FETCH_AND_4:
784 case BUILT_IN_ATOMIC_FETCH_AND_8:
785 case BUILT_IN_ATOMIC_FETCH_AND_16:
786
787 case BUILT_IN_ATOMIC_FETCH_NAND_1:
788 case BUILT_IN_ATOMIC_FETCH_NAND_2:
789 case BUILT_IN_ATOMIC_FETCH_NAND_4:
790 case BUILT_IN_ATOMIC_FETCH_NAND_8:
791 case BUILT_IN_ATOMIC_FETCH_NAND_16:
792
793 case BUILT_IN_ATOMIC_FETCH_XOR_1:
794 case BUILT_IN_ATOMIC_FETCH_XOR_2:
795 case BUILT_IN_ATOMIC_FETCH_XOR_4:
796 case BUILT_IN_ATOMIC_FETCH_XOR_8:
797 case BUILT_IN_ATOMIC_FETCH_XOR_16:
798
799 case BUILT_IN_ATOMIC_FETCH_OR_1:
800 case BUILT_IN_ATOMIC_FETCH_OR_2:
801 case BUILT_IN_ATOMIC_FETCH_OR_4:
802 case BUILT_IN_ATOMIC_FETCH_OR_8:
803 case BUILT_IN_ATOMIC_FETCH_OR_16:
804 {
805 dest = gimple_call_arg (call, 0);
806 /* DEST represents the address of a memory location.
807 instrument_derefs wants the memory location, so lets
808 dereference the address DEST before handing it to
809 instrument_derefs. */
810 if (TREE_CODE (dest) == ADDR_EXPR)
811 dest = TREE_OPERAND (dest, 0);
812 else if (TREE_CODE (dest) == SSA_NAME || TREE_CODE (dest) == INTEGER_CST)
813 dest = build2 (MEM_REF, TREE_TYPE (TREE_TYPE (dest)),
814 dest, build_int_cst (TREE_TYPE (dest), 0));
815 else
816 gcc_unreachable ();
817
818 access_size = int_size_in_bytes (TREE_TYPE (dest));
819 }
820
821 default:
822 /* The other builtins memory access are not instrumented in this
823 function because they either don't have any length parameter,
824 or their length parameter is just a limit. */
825 break;
826 }
827
828 if (len != NULL_TREE)
829 {
830 if (source0 != NULL_TREE)
831 {
832 src0->start = source0;
833 src0->access_size = access_size;
834 *src0_len = len;
835 *src0_is_store = false;
836 }
837
838 if (source1 != NULL_TREE)
839 {
840 src1->start = source1;
841 src1->access_size = access_size;
842 *src1_len = len;
843 *src1_is_store = false;
844 }
845
846 if (dest != NULL_TREE)
847 {
848 dst->start = dest;
849 dst->access_size = access_size;
850 *dst_len = len;
851 *dst_is_store = true;
852 }
853
854 got_reference_p = true;
855 }
856 else if (dest)
857 {
858 dst->start = dest;
859 dst->access_size = access_size;
860 *dst_len = NULL_TREE;
861 *dst_is_store = is_store;
862 *dest_is_deref = true;
863 got_reference_p = true;
864 }
865
866 return got_reference_p;
867 }
868
869 /* Return true iff a given gimple statement has been instrumented.
870 Note that the statement is "defined" by the memory references it
871 contains. */
872
873 static bool
874 has_stmt_been_instrumented_p (gimple *stmt)
875 {
876 if (gimple_assign_single_p (stmt))
877 {
878 bool r_is_store;
879 asan_mem_ref r;
880 asan_mem_ref_init (&r, NULL, 1);
881
882 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
883 &r_is_store))
884 return has_mem_ref_been_instrumented (&r);
885 }
886 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
887 {
888 asan_mem_ref src0, src1, dest;
889 asan_mem_ref_init (&src0, NULL, 1);
890 asan_mem_ref_init (&src1, NULL, 1);
891 asan_mem_ref_init (&dest, NULL, 1);
892
893 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
894 bool src0_is_store = false, src1_is_store = false,
895 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
896 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
897 &src0, &src0_len, &src0_is_store,
898 &src1, &src1_len, &src1_is_store,
899 &dest, &dest_len, &dest_is_store,
900 &dest_is_deref, &intercepted_p))
901 {
902 if (src0.start != NULL_TREE
903 && !has_mem_ref_been_instrumented (&src0, src0_len))
904 return false;
905
906 if (src1.start != NULL_TREE
907 && !has_mem_ref_been_instrumented (&src1, src1_len))
908 return false;
909
910 if (dest.start != NULL_TREE
911 && !has_mem_ref_been_instrumented (&dest, dest_len))
912 return false;
913
914 return true;
915 }
916 }
917 else if (is_gimple_call (stmt) && gimple_store_p (stmt))
918 {
919 asan_mem_ref r;
920 asan_mem_ref_init (&r, NULL, 1);
921
922 r.start = gimple_call_lhs (stmt);
923 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
924 return has_mem_ref_been_instrumented (&r);
925 }
926
927 return false;
928 }
929
930 /* Insert a memory reference into the hash table. */
931
932 static void
933 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
934 {
935 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
936
937 asan_mem_ref r;
938 asan_mem_ref_init (&r, ref, access_size);
939
940 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
941 if (*slot == NULL || (*slot)->access_size < access_size)
942 *slot = asan_mem_ref_new (ref, access_size);
943 }
944
945 /* Initialize shadow_ptr_types array. */
946
947 static void
948 asan_init_shadow_ptr_types (void)
949 {
950 asan_shadow_set = new_alias_set ();
951 tree types[3] = { signed_char_type_node, short_integer_type_node,
952 integer_type_node };
953
954 for (unsigned i = 0; i < 3; i++)
955 {
956 shadow_ptr_types[i] = build_distinct_type_copy (types[i]);
957 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set;
958 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]);
959 }
960
961 initialize_sanitizer_builtins ();
962 }
963
964 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
965
966 static tree
967 asan_pp_string (pretty_printer *pp)
968 {
969 const char *buf = pp_formatted_text (pp);
970 size_t len = strlen (buf);
971 tree ret = build_string (len + 1, buf);
972 TREE_TYPE (ret)
973 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
974 build_index_type (size_int (len)));
975 TREE_READONLY (ret) = 1;
976 TREE_STATIC (ret) = 1;
977 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
978 }
979
980 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
981
982 static rtx
983 asan_shadow_cst (unsigned char shadow_bytes[4])
984 {
985 int i;
986 unsigned HOST_WIDE_INT val = 0;
987 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
988 for (i = 0; i < 4; i++)
989 val |= (unsigned HOST_WIDE_INT) shadow_bytes[BYTES_BIG_ENDIAN ? 3 - i : i]
990 << (BITS_PER_UNIT * i);
991 return gen_int_mode (val, SImode);
992 }
993
994 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
995 though. */
996
997 static void
998 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
999 {
1000 rtx_insn *insn, *insns, *jump;
1001 rtx_code_label *top_label;
1002 rtx end, addr, tmp;
1003
1004 start_sequence ();
1005 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
1006 insns = get_insns ();
1007 end_sequence ();
1008 for (insn = insns; insn; insn = NEXT_INSN (insn))
1009 if (CALL_P (insn))
1010 break;
1011 if (insn == NULL_RTX)
1012 {
1013 emit_insn (insns);
1014 return;
1015 }
1016
1017 gcc_assert ((len & 3) == 0);
1018 top_label = gen_label_rtx ();
1019 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
1020 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1021 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1022 emit_label (top_label);
1023
1024 emit_move_insn (shadow_mem, const0_rtx);
1025 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
1026 true, OPTAB_LIB_WIDEN);
1027 if (tmp != addr)
1028 emit_move_insn (addr, tmp);
1029 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1030 jump = get_last_insn ();
1031 gcc_assert (JUMP_P (jump));
1032 add_int_reg_note (jump, REG_BR_PROB, REG_BR_PROB_BASE * 80 / 100);
1033 }
1034
1035 void
1036 asan_function_start (void)
1037 {
1038 section *fnsec = function_section (current_function_decl);
1039 switch_to_section (fnsec);
1040 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
1041 current_function_funcdef_no);
1042 }
1043
1044 /* Return number of shadow bytes that are occupied by a local variable
1045 of SIZE bytes. */
1046
1047 static unsigned HOST_WIDE_INT
1048 shadow_mem_size (unsigned HOST_WIDE_INT size)
1049 {
1050 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY;
1051 }
1052
1053 /* Insert code to protect stack vars. The prologue sequence should be emitted
1054 directly, epilogue sequence returned. BASE is the register holding the
1055 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1056 array contains pairs of offsets in reverse order, always the end offset
1057 of some gap that needs protection followed by starting offset,
1058 and DECLS is an array of representative decls for each var partition.
1059 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1060 elements long (OFFSETS include gap before the first variable as well
1061 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1062 register which stack vars DECL_RTLs are based on. Either BASE should be
1063 assigned to PBASE, when not doing use after return protection, or
1064 corresponding address based on __asan_stack_malloc* return value. */
1065
1066 rtx_insn *
1067 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1068 HOST_WIDE_INT *offsets, tree *decls, int length)
1069 {
1070 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1071 rtx_code_label *lab;
1072 rtx_insn *insns;
1073 char buf[30];
1074 unsigned char shadow_bytes[4];
1075 HOST_WIDE_INT base_offset = offsets[length - 1];
1076 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1077 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
1078 HOST_WIDE_INT last_offset;
1079 int l;
1080 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
1081 tree str_cst, decl, id;
1082 int use_after_return_class = -1;
1083
1084 if (shadow_ptr_types[0] == NULL_TREE)
1085 asan_init_shadow_ptr_types ();
1086
1087 /* First of all, prepare the description string. */
1088 pretty_printer asan_pp;
1089
1090 pp_decimal_int (&asan_pp, length / 2 - 1);
1091 pp_space (&asan_pp);
1092 for (l = length - 2; l; l -= 2)
1093 {
1094 tree decl = decls[l / 2 - 1];
1095 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1096 pp_space (&asan_pp);
1097 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1098 pp_space (&asan_pp);
1099 if (DECL_P (decl) && DECL_NAME (decl))
1100 {
1101 pp_decimal_int (&asan_pp, IDENTIFIER_LENGTH (DECL_NAME (decl)));
1102 pp_space (&asan_pp);
1103 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
1104 }
1105 else
1106 pp_string (&asan_pp, "9 <unknown>");
1107 pp_space (&asan_pp);
1108 }
1109 str_cst = asan_pp_string (&asan_pp);
1110
1111 /* Emit the prologue sequence. */
1112 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1113 && ASAN_USE_AFTER_RETURN)
1114 {
1115 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1116 /* __asan_stack_malloc_N guarantees alignment
1117 N < 6 ? (64 << N) : 4096 bytes. */
1118 if (alignb > (use_after_return_class < 6
1119 ? (64U << use_after_return_class) : 4096U))
1120 use_after_return_class = -1;
1121 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1122 base_align_bias = ((asan_frame_size + alignb - 1)
1123 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1124 }
1125 /* Align base if target is STRICT_ALIGNMENT. */
1126 if (STRICT_ALIGNMENT)
1127 base = expand_binop (Pmode, and_optab, base,
1128 gen_int_mode (-((GET_MODE_ALIGNMENT (SImode)
1129 << ASAN_SHADOW_SHIFT)
1130 / BITS_PER_UNIT), Pmode), NULL_RTX,
1131 1, OPTAB_DIRECT);
1132
1133 if (use_after_return_class == -1 && pbase)
1134 emit_move_insn (pbase, base);
1135
1136 base = expand_binop (Pmode, add_optab, base,
1137 gen_int_mode (base_offset - base_align_bias, Pmode),
1138 NULL_RTX, 1, OPTAB_DIRECT);
1139 orig_base = NULL_RTX;
1140 if (use_after_return_class != -1)
1141 {
1142 if (asan_detect_stack_use_after_return == NULL_TREE)
1143 {
1144 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1145 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1146 integer_type_node);
1147 SET_DECL_ASSEMBLER_NAME (decl, id);
1148 TREE_ADDRESSABLE (decl) = 1;
1149 DECL_ARTIFICIAL (decl) = 1;
1150 DECL_IGNORED_P (decl) = 1;
1151 DECL_EXTERNAL (decl) = 1;
1152 TREE_STATIC (decl) = 1;
1153 TREE_PUBLIC (decl) = 1;
1154 TREE_USED (decl) = 1;
1155 asan_detect_stack_use_after_return = decl;
1156 }
1157 orig_base = gen_reg_rtx (Pmode);
1158 emit_move_insn (orig_base, base);
1159 ret = expand_normal (asan_detect_stack_use_after_return);
1160 lab = gen_label_rtx ();
1161 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1162 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1163 VOIDmode, 0, lab, very_likely);
1164 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1165 use_after_return_class);
1166 ret = init_one_libfunc (buf);
1167 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode, 1,
1168 GEN_INT (asan_frame_size
1169 + base_align_bias),
1170 TYPE_MODE (pointer_sized_int_node));
1171 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1172 and NULL otherwise. Check RET value is NULL here and jump over the
1173 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1174 int very_unlikely = REG_BR_PROB_BASE / 2000 - 1;
1175 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1176 VOIDmode, 0, lab, very_unlikely);
1177 ret = convert_memory_address (Pmode, ret);
1178 emit_move_insn (base, ret);
1179 emit_label (lab);
1180 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1181 gen_int_mode (base_align_bias
1182 - base_offset, Pmode),
1183 NULL_RTX, 1, OPTAB_DIRECT));
1184 }
1185 mem = gen_rtx_MEM (ptr_mode, base);
1186 mem = adjust_address (mem, VOIDmode, base_align_bias);
1187 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1188 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1189 emit_move_insn (mem, expand_normal (str_cst));
1190 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1191 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1192 id = get_identifier (buf);
1193 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1194 VAR_DECL, id, char_type_node);
1195 SET_DECL_ASSEMBLER_NAME (decl, id);
1196 TREE_ADDRESSABLE (decl) = 1;
1197 TREE_READONLY (decl) = 1;
1198 DECL_ARTIFICIAL (decl) = 1;
1199 DECL_IGNORED_P (decl) = 1;
1200 TREE_STATIC (decl) = 1;
1201 TREE_PUBLIC (decl) = 0;
1202 TREE_USED (decl) = 1;
1203 DECL_INITIAL (decl) = decl;
1204 TREE_ASM_WRITTEN (decl) = 1;
1205 TREE_ASM_WRITTEN (id) = 1;
1206 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
1207 shadow_base = expand_binop (Pmode, lshr_optab, base,
1208 GEN_INT (ASAN_SHADOW_SHIFT),
1209 NULL_RTX, 1, OPTAB_DIRECT);
1210 shadow_base
1211 = plus_constant (Pmode, shadow_base,
1212 asan_shadow_offset ()
1213 + (base_align_bias >> ASAN_SHADOW_SHIFT));
1214 gcc_assert (asan_shadow_set != -1
1215 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1216 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1217 set_mem_alias_set (shadow_mem, asan_shadow_set);
1218 if (STRICT_ALIGNMENT)
1219 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1220 prev_offset = base_offset;
1221 for (l = length; l; l -= 2)
1222 {
1223 if (l == 2)
1224 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1225 offset = offsets[l - 1];
1226 if ((offset - base_offset) & (ASAN_RED_ZONE_SIZE - 1))
1227 {
1228 int i;
1229 HOST_WIDE_INT aoff
1230 = base_offset + ((offset - base_offset)
1231 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1232 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1233 (aoff - prev_offset)
1234 >> ASAN_SHADOW_SHIFT);
1235 prev_offset = aoff;
1236 for (i = 0; i < 4; i++, aoff += ASAN_SHADOW_GRANULARITY)
1237 if (aoff < offset)
1238 {
1239 if (aoff < offset - (HOST_WIDE_INT)ASAN_SHADOW_GRANULARITY + 1)
1240 shadow_bytes[i] = 0;
1241 else
1242 shadow_bytes[i] = offset - aoff;
1243 }
1244 else
1245 shadow_bytes[i] = ASAN_STACK_MAGIC_MIDDLE;
1246 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1247 offset = aoff;
1248 }
1249 while (offset <= offsets[l - 2] - ASAN_RED_ZONE_SIZE)
1250 {
1251 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1252 (offset - prev_offset)
1253 >> ASAN_SHADOW_SHIFT);
1254 prev_offset = offset;
1255 memset (shadow_bytes, cur_shadow_byte, 4);
1256 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1257 offset += ASAN_RED_ZONE_SIZE;
1258 }
1259 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1260 }
1261 do_pending_stack_adjust ();
1262
1263 /* Construct epilogue sequence. */
1264 start_sequence ();
1265
1266 lab = NULL;
1267 if (use_after_return_class != -1)
1268 {
1269 rtx_code_label *lab2 = gen_label_rtx ();
1270 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
1271 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1272 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
1273 VOIDmode, 0, lab2, very_likely);
1274 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1275 set_mem_alias_set (shadow_mem, asan_shadow_set);
1276 mem = gen_rtx_MEM (ptr_mode, base);
1277 mem = adjust_address (mem, VOIDmode, base_align_bias);
1278 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
1279 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
1280 if (use_after_return_class < 5
1281 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
1282 BITS_PER_UNIT, true))
1283 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
1284 BITS_PER_UNIT, true, 0);
1285 else if (use_after_return_class >= 5
1286 || !set_storage_via_setmem (shadow_mem,
1287 GEN_INT (sz),
1288 gen_int_mode (c, QImode),
1289 BITS_PER_UNIT, BITS_PER_UNIT,
1290 -1, sz, sz, sz))
1291 {
1292 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
1293 use_after_return_class);
1294 ret = init_one_libfunc (buf);
1295 rtx addr = convert_memory_address (ptr_mode, base);
1296 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
1297 emit_library_call (ret, LCT_NORMAL, ptr_mode, 3, addr, ptr_mode,
1298 GEN_INT (asan_frame_size + base_align_bias),
1299 TYPE_MODE (pointer_sized_int_node),
1300 orig_addr, ptr_mode);
1301 }
1302 lab = gen_label_rtx ();
1303 emit_jump (lab);
1304 emit_label (lab2);
1305 }
1306
1307 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1308 set_mem_alias_set (shadow_mem, asan_shadow_set);
1309
1310 if (STRICT_ALIGNMENT)
1311 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1312
1313 /* Unpoison shadow memory of a stack at the very end of a function.
1314 As we're poisoning stack variables at the end of their scope,
1315 shadow memory must be properly unpoisoned here. The easiest approach
1316 would be to collect all variables that should not be unpoisoned and
1317 we unpoison shadow memory of the whole stack except ranges
1318 occupied by these variables. */
1319 last_offset = base_offset;
1320 HOST_WIDE_INT current_offset = last_offset;
1321 if (length)
1322 {
1323 HOST_WIDE_INT var_end_offset = 0;
1324 HOST_WIDE_INT stack_start = offsets[length - 1];
1325 gcc_assert (last_offset == stack_start);
1326
1327 for (int l = length - 2; l > 0; l -= 2)
1328 {
1329 HOST_WIDE_INT var_offset = offsets[l];
1330 current_offset = var_offset;
1331 var_end_offset = offsets[l - 1];
1332 HOST_WIDE_INT rounded_size = ROUND_UP (var_end_offset - var_offset,
1333 BITS_PER_UNIT);
1334
1335 /* Should we unpoison the variable? */
1336 if (asan_handled_variables != NULL
1337 && asan_handled_variables->contains (decl))
1338 {
1339 if (dump_file && (dump_flags & TDF_DETAILS))
1340 {
1341 const char *n = (DECL_NAME (decl)
1342 ? IDENTIFIER_POINTER (DECL_NAME (decl))
1343 : "<unknown>");
1344 fprintf (dump_file, "Unpoisoning shadow stack for variable: "
1345 "%s (%" PRId64 "B)\n", n,
1346 var_end_offset - var_offset);
1347 }
1348
1349 unsigned HOST_WIDE_INT s
1350 = shadow_mem_size (current_offset - last_offset);
1351 asan_clear_shadow (shadow_mem, s);
1352 HOST_WIDE_INT shift
1353 = shadow_mem_size (current_offset - last_offset + rounded_size);
1354 shadow_mem = adjust_address (shadow_mem, VOIDmode, shift);
1355 last_offset = var_offset + rounded_size;
1356 current_offset = last_offset;
1357 }
1358
1359 }
1360
1361 /* Handle last redzone. */
1362 current_offset = offsets[0];
1363 asan_clear_shadow (shadow_mem,
1364 shadow_mem_size (current_offset - last_offset));
1365 }
1366
1367 /* Clean-up set with instrumented stack variables. */
1368 delete asan_handled_variables;
1369 asan_handled_variables = NULL;
1370 delete asan_used_labels;
1371 asan_used_labels = NULL;
1372
1373 do_pending_stack_adjust ();
1374 if (lab)
1375 emit_label (lab);
1376
1377 insns = get_insns ();
1378 end_sequence ();
1379 return insns;
1380 }
1381
1382 /* Return true if DECL, a global var, might be overridden and needs
1383 therefore a local alias. */
1384
1385 static bool
1386 asan_needs_local_alias (tree decl)
1387 {
1388 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
1389 }
1390
1391 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
1392 therefore doesn't need protection. */
1393
1394 static bool
1395 is_odr_indicator (tree decl)
1396 {
1397 return (DECL_ARTIFICIAL (decl)
1398 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl)));
1399 }
1400
1401 /* Return true if DECL is a VAR_DECL that should be protected
1402 by Address Sanitizer, by appending a red zone with protected
1403 shadow memory after it and aligning it to at least
1404 ASAN_RED_ZONE_SIZE bytes. */
1405
1406 bool
1407 asan_protect_global (tree decl)
1408 {
1409 if (!ASAN_GLOBALS)
1410 return false;
1411
1412 rtx rtl, symbol;
1413
1414 if (TREE_CODE (decl) == STRING_CST)
1415 {
1416 /* Instrument all STRING_CSTs except those created
1417 by asan_pp_string here. */
1418 if (shadow_ptr_types[0] != NULL_TREE
1419 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
1420 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
1421 return false;
1422 return true;
1423 }
1424 if (!VAR_P (decl)
1425 /* TLS vars aren't statically protectable. */
1426 || DECL_THREAD_LOCAL_P (decl)
1427 /* Externs will be protected elsewhere. */
1428 || DECL_EXTERNAL (decl)
1429 || !DECL_RTL_SET_P (decl)
1430 /* Comdat vars pose an ABI problem, we can't know if
1431 the var that is selected by the linker will have
1432 padding or not. */
1433 || DECL_ONE_ONLY (decl)
1434 /* Similarly for common vars. People can use -fno-common.
1435 Note: Linux kernel is built with -fno-common, so we do instrument
1436 globals there even if it is C. */
1437 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
1438 /* Don't protect if using user section, often vars placed
1439 into user section from multiple TUs are then assumed
1440 to be an array of such vars, putting padding in there
1441 breaks this assumption. */
1442 || (DECL_SECTION_NAME (decl) != NULL
1443 && !symtab_node::get (decl)->implicit_section
1444 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
1445 || DECL_SIZE (decl) == 0
1446 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
1447 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
1448 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
1449 || TREE_TYPE (decl) == ubsan_get_source_location_type ()
1450 || is_odr_indicator (decl))
1451 return false;
1452
1453 rtl = DECL_RTL (decl);
1454 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
1455 return false;
1456 symbol = XEXP (rtl, 0);
1457
1458 if (CONSTANT_POOL_ADDRESS_P (symbol)
1459 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
1460 return false;
1461
1462 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
1463 return false;
1464
1465 #ifndef ASM_OUTPUT_DEF
1466 if (asan_needs_local_alias (decl))
1467 return false;
1468 #endif
1469
1470 return true;
1471 }
1472
1473 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
1474 IS_STORE is either 1 (for a store) or 0 (for a load). */
1475
1476 static tree
1477 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1478 int *nargs)
1479 {
1480 static enum built_in_function report[2][2][6]
1481 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
1482 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
1483 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
1484 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
1485 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
1486 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
1487 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
1488 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
1489 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
1490 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
1491 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
1492 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
1493 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
1494 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
1495 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
1496 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
1497 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
1498 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
1499 if (size_in_bytes == -1)
1500 {
1501 *nargs = 2;
1502 return builtin_decl_implicit (report[recover_p][is_store][5]);
1503 }
1504 *nargs = 1;
1505 int size_log2 = exact_log2 (size_in_bytes);
1506 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
1507 }
1508
1509 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
1510 IS_STORE is either 1 (for a store) or 0 (for a load). */
1511
1512 static tree
1513 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1514 int *nargs)
1515 {
1516 static enum built_in_function check[2][2][6]
1517 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
1518 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
1519 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
1520 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
1521 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
1522 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
1523 { { BUILT_IN_ASAN_LOAD1_NOABORT,
1524 BUILT_IN_ASAN_LOAD2_NOABORT,
1525 BUILT_IN_ASAN_LOAD4_NOABORT,
1526 BUILT_IN_ASAN_LOAD8_NOABORT,
1527 BUILT_IN_ASAN_LOAD16_NOABORT,
1528 BUILT_IN_ASAN_LOADN_NOABORT },
1529 { BUILT_IN_ASAN_STORE1_NOABORT,
1530 BUILT_IN_ASAN_STORE2_NOABORT,
1531 BUILT_IN_ASAN_STORE4_NOABORT,
1532 BUILT_IN_ASAN_STORE8_NOABORT,
1533 BUILT_IN_ASAN_STORE16_NOABORT,
1534 BUILT_IN_ASAN_STOREN_NOABORT } } };
1535 if (size_in_bytes == -1)
1536 {
1537 *nargs = 2;
1538 return builtin_decl_implicit (check[recover_p][is_store][5]);
1539 }
1540 *nargs = 1;
1541 int size_log2 = exact_log2 (size_in_bytes);
1542 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
1543 }
1544
1545 /* Split the current basic block and create a condition statement
1546 insertion point right before or after the statement pointed to by
1547 ITER. Return an iterator to the point at which the caller might
1548 safely insert the condition statement.
1549
1550 THEN_BLOCK must be set to the address of an uninitialized instance
1551 of basic_block. The function will then set *THEN_BLOCK to the
1552 'then block' of the condition statement to be inserted by the
1553 caller.
1554
1555 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1556 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1557
1558 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1559 block' of the condition statement to be inserted by the caller.
1560
1561 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1562 statements starting from *ITER, and *THEN_BLOCK is a new empty
1563 block.
1564
1565 *ITER is adjusted to point to always point to the first statement
1566 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1567 same as what ITER was pointing to prior to calling this function,
1568 if BEFORE_P is true; otherwise, it is its following statement. */
1569
1570 gimple_stmt_iterator
1571 create_cond_insert_point (gimple_stmt_iterator *iter,
1572 bool before_p,
1573 bool then_more_likely_p,
1574 bool create_then_fallthru_edge,
1575 basic_block *then_block,
1576 basic_block *fallthrough_block)
1577 {
1578 gimple_stmt_iterator gsi = *iter;
1579
1580 if (!gsi_end_p (gsi) && before_p)
1581 gsi_prev (&gsi);
1582
1583 basic_block cur_bb = gsi_bb (*iter);
1584
1585 edge e = split_block (cur_bb, gsi_stmt (gsi));
1586
1587 /* Get a hold on the 'condition block', the 'then block' and the
1588 'else block'. */
1589 basic_block cond_bb = e->src;
1590 basic_block fallthru_bb = e->dest;
1591 basic_block then_bb = create_empty_bb (cond_bb);
1592 if (current_loops)
1593 {
1594 add_bb_to_loop (then_bb, cond_bb->loop_father);
1595 loops_state_set (LOOPS_NEED_FIXUP);
1596 }
1597
1598 /* Set up the newly created 'then block'. */
1599 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1600 int fallthrough_probability
1601 = then_more_likely_p
1602 ? PROB_VERY_UNLIKELY
1603 : PROB_ALWAYS - PROB_VERY_UNLIKELY;
1604 e->probability = PROB_ALWAYS - fallthrough_probability;
1605 if (create_then_fallthru_edge)
1606 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1607
1608 /* Set up the fallthrough basic block. */
1609 e = find_edge (cond_bb, fallthru_bb);
1610 e->flags = EDGE_FALSE_VALUE;
1611 e->count = cond_bb->count;
1612 e->probability = fallthrough_probability;
1613
1614 /* Update dominance info for the newly created then_bb; note that
1615 fallthru_bb's dominance info has already been updated by
1616 split_bock. */
1617 if (dom_info_available_p (CDI_DOMINATORS))
1618 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1619
1620 *then_block = then_bb;
1621 *fallthrough_block = fallthru_bb;
1622 *iter = gsi_start_bb (fallthru_bb);
1623
1624 return gsi_last_bb (cond_bb);
1625 }
1626
1627 /* Insert an if condition followed by a 'then block' right before the
1628 statement pointed to by ITER. The fallthrough block -- which is the
1629 else block of the condition as well as the destination of the
1630 outcoming edge of the 'then block' -- starts with the statement
1631 pointed to by ITER.
1632
1633 COND is the condition of the if.
1634
1635 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1636 'then block' is higher than the probability of the edge to the
1637 fallthrough block.
1638
1639 Upon completion of the function, *THEN_BB is set to the newly
1640 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1641 fallthrough block.
1642
1643 *ITER is adjusted to still point to the same statement it was
1644 pointing to initially. */
1645
1646 static void
1647 insert_if_then_before_iter (gcond *cond,
1648 gimple_stmt_iterator *iter,
1649 bool then_more_likely_p,
1650 basic_block *then_bb,
1651 basic_block *fallthrough_bb)
1652 {
1653 gimple_stmt_iterator cond_insert_point =
1654 create_cond_insert_point (iter,
1655 /*before_p=*/true,
1656 then_more_likely_p,
1657 /*create_then_fallthru_edge=*/true,
1658 then_bb,
1659 fallthrough_bb);
1660 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
1661 }
1662
1663 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
1664 If RETURN_ADDRESS is set to true, return memory location instread
1665 of a value in the shadow memory. */
1666
1667 static tree
1668 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
1669 tree base_addr, tree shadow_ptr_type,
1670 bool return_address = false)
1671 {
1672 tree t, uintptr_type = TREE_TYPE (base_addr);
1673 tree shadow_type = TREE_TYPE (shadow_ptr_type);
1674 gimple *g;
1675
1676 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
1677 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
1678 base_addr, t);
1679 gimple_set_location (g, location);
1680 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1681
1682 t = build_int_cst (uintptr_type, asan_shadow_offset ());
1683 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
1684 gimple_assign_lhs (g), t);
1685 gimple_set_location (g, location);
1686 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1687
1688 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
1689 gimple_assign_lhs (g));
1690 gimple_set_location (g, location);
1691 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1692
1693 if (!return_address)
1694 {
1695 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
1696 build_int_cst (shadow_ptr_type, 0));
1697 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
1698 gimple_set_location (g, location);
1699 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1700 }
1701
1702 return gimple_assign_lhs (g);
1703 }
1704
1705 /* BASE can already be an SSA_NAME; in that case, do not create a
1706 new SSA_NAME for it. */
1707
1708 static tree
1709 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
1710 bool before_p)
1711 {
1712 if (TREE_CODE (base) == SSA_NAME)
1713 return base;
1714 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)),
1715 TREE_CODE (base), base);
1716 gimple_set_location (g, loc);
1717 if (before_p)
1718 gsi_insert_before (iter, g, GSI_SAME_STMT);
1719 else
1720 gsi_insert_after (iter, g, GSI_NEW_STMT);
1721 return gimple_assign_lhs (g);
1722 }
1723
1724 /* LEN can already have necessary size and precision;
1725 in that case, do not create a new variable. */
1726
1727 tree
1728 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
1729 bool before_p)
1730 {
1731 if (ptrofftype_p (len))
1732 return len;
1733 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
1734 NOP_EXPR, len);
1735 gimple_set_location (g, loc);
1736 if (before_p)
1737 gsi_insert_before (iter, g, GSI_SAME_STMT);
1738 else
1739 gsi_insert_after (iter, g, GSI_NEW_STMT);
1740 return gimple_assign_lhs (g);
1741 }
1742
1743 /* Instrument the memory access instruction BASE. Insert new
1744 statements before or after ITER.
1745
1746 Note that the memory access represented by BASE can be either an
1747 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1748 location. IS_STORE is TRUE for a store, FALSE for a load.
1749 BEFORE_P is TRUE for inserting the instrumentation code before
1750 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
1751 for a scalar memory access and FALSE for memory region access.
1752 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
1753 length. ALIGN tells alignment of accessed memory object.
1754
1755 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
1756 memory region have already been instrumented.
1757
1758 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1759 statement it was pointing to prior to calling this function,
1760 otherwise, it points to the statement logically following it. */
1761
1762 static void
1763 build_check_stmt (location_t loc, tree base, tree len,
1764 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
1765 bool is_non_zero_len, bool before_p, bool is_store,
1766 bool is_scalar_access, unsigned int align = 0)
1767 {
1768 gimple_stmt_iterator gsi = *iter;
1769 gimple *g;
1770
1771 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
1772
1773 gsi = *iter;
1774
1775 base = unshare_expr (base);
1776 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
1777
1778 if (len)
1779 {
1780 len = unshare_expr (len);
1781 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
1782 }
1783 else
1784 {
1785 gcc_assert (size_in_bytes != -1);
1786 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
1787 }
1788
1789 if (size_in_bytes > 1)
1790 {
1791 if ((size_in_bytes & (size_in_bytes - 1)) != 0
1792 || size_in_bytes > 16)
1793 is_scalar_access = false;
1794 else if (align && align < size_in_bytes * BITS_PER_UNIT)
1795 {
1796 /* On non-strict alignment targets, if
1797 16-byte access is just 8-byte aligned,
1798 this will result in misaligned shadow
1799 memory 2 byte load, but otherwise can
1800 be handled using one read. */
1801 if (size_in_bytes != 16
1802 || STRICT_ALIGNMENT
1803 || align < 8 * BITS_PER_UNIT)
1804 is_scalar_access = false;
1805 }
1806 }
1807
1808 HOST_WIDE_INT flags = 0;
1809 if (is_store)
1810 flags |= ASAN_CHECK_STORE;
1811 if (is_non_zero_len)
1812 flags |= ASAN_CHECK_NON_ZERO_LEN;
1813 if (is_scalar_access)
1814 flags |= ASAN_CHECK_SCALAR_ACCESS;
1815
1816 g = gimple_build_call_internal (IFN_ASAN_CHECK, 4,
1817 build_int_cst (integer_type_node, flags),
1818 base, len,
1819 build_int_cst (integer_type_node,
1820 align / BITS_PER_UNIT));
1821 gimple_set_location (g, loc);
1822 if (before_p)
1823 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
1824 else
1825 {
1826 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1827 gsi_next (&gsi);
1828 *iter = gsi;
1829 }
1830 }
1831
1832 /* If T represents a memory access, add instrumentation code before ITER.
1833 LOCATION is source code location.
1834 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
1835
1836 static void
1837 instrument_derefs (gimple_stmt_iterator *iter, tree t,
1838 location_t location, bool is_store)
1839 {
1840 if (is_store && !ASAN_INSTRUMENT_WRITES)
1841 return;
1842 if (!is_store && !ASAN_INSTRUMENT_READS)
1843 return;
1844
1845 tree type, base;
1846 HOST_WIDE_INT size_in_bytes;
1847 if (location == UNKNOWN_LOCATION)
1848 location = EXPR_LOCATION (t);
1849
1850 type = TREE_TYPE (t);
1851 switch (TREE_CODE (t))
1852 {
1853 case ARRAY_REF:
1854 case COMPONENT_REF:
1855 case INDIRECT_REF:
1856 case MEM_REF:
1857 case VAR_DECL:
1858 case BIT_FIELD_REF:
1859 break;
1860 /* FALLTHRU */
1861 default:
1862 return;
1863 }
1864
1865 size_in_bytes = int_size_in_bytes (type);
1866 if (size_in_bytes <= 0)
1867 return;
1868
1869 HOST_WIDE_INT bitsize, bitpos;
1870 tree offset;
1871 machine_mode mode;
1872 int unsignedp, reversep, volatilep = 0;
1873 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
1874 &unsignedp, &reversep, &volatilep);
1875
1876 if (TREE_CODE (t) == COMPONENT_REF
1877 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
1878 {
1879 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
1880 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
1881 TREE_OPERAND (t, 0), repr,
1882 NULL_TREE), location, is_store);
1883 return;
1884 }
1885
1886 if (bitpos % BITS_PER_UNIT
1887 || bitsize != size_in_bytes * BITS_PER_UNIT)
1888 return;
1889
1890 if (VAR_P (inner)
1891 && offset == NULL_TREE
1892 && bitpos >= 0
1893 && DECL_SIZE (inner)
1894 && tree_fits_shwi_p (DECL_SIZE (inner))
1895 && bitpos + bitsize <= tree_to_shwi (DECL_SIZE (inner)))
1896 {
1897 if (DECL_THREAD_LOCAL_P (inner))
1898 return;
1899 if (!ASAN_GLOBALS && is_global_var (inner))
1900 return;
1901 if (!TREE_STATIC (inner))
1902 {
1903 /* Automatic vars in the current function will be always
1904 accessible. */
1905 if (decl_function_context (inner) == current_function_decl
1906 && (!asan_sanitize_use_after_scope ()
1907 || !TREE_ADDRESSABLE (inner)))
1908 return;
1909 }
1910 /* Always instrument external vars, they might be dynamically
1911 initialized. */
1912 else if (!DECL_EXTERNAL (inner))
1913 {
1914 /* For static vars if they are known not to be dynamically
1915 initialized, they will be always accessible. */
1916 varpool_node *vnode = varpool_node::get (inner);
1917 if (vnode && !vnode->dynamically_initialized)
1918 return;
1919 }
1920 }
1921
1922 base = build_fold_addr_expr (t);
1923 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
1924 {
1925 unsigned int align = get_object_alignment (t);
1926 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
1927 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
1928 is_store, /*is_scalar_access*/true, align);
1929 update_mem_ref_hash_table (base, size_in_bytes);
1930 update_mem_ref_hash_table (t, size_in_bytes);
1931 }
1932
1933 }
1934
1935 /* Insert a memory reference into the hash table if access length
1936 can be determined in compile time. */
1937
1938 static void
1939 maybe_update_mem_ref_hash_table (tree base, tree len)
1940 {
1941 if (!POINTER_TYPE_P (TREE_TYPE (base))
1942 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
1943 return;
1944
1945 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
1946
1947 if (size_in_bytes != -1)
1948 update_mem_ref_hash_table (base, size_in_bytes);
1949 }
1950
1951 /* Instrument an access to a contiguous memory region that starts at
1952 the address pointed to by BASE, over a length of LEN (expressed in
1953 the sizeof (*BASE) bytes). ITER points to the instruction before
1954 which the instrumentation instructions must be inserted. LOCATION
1955 is the source location that the instrumentation instructions must
1956 have. If IS_STORE is true, then the memory access is a store;
1957 otherwise, it's a load. */
1958
1959 static void
1960 instrument_mem_region_access (tree base, tree len,
1961 gimple_stmt_iterator *iter,
1962 location_t location, bool is_store)
1963 {
1964 if (!POINTER_TYPE_P (TREE_TYPE (base))
1965 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
1966 || integer_zerop (len))
1967 return;
1968
1969 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
1970
1971 if ((size_in_bytes == -1)
1972 || !has_mem_ref_been_instrumented (base, size_in_bytes))
1973 {
1974 build_check_stmt (location, base, len, size_in_bytes, iter,
1975 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
1976 is_store, /*is_scalar_access*/false, /*align*/0);
1977 }
1978
1979 maybe_update_mem_ref_hash_table (base, len);
1980 *iter = gsi_for_stmt (gsi_stmt (*iter));
1981 }
1982
1983 /* Instrument the call to a built-in memory access function that is
1984 pointed to by the iterator ITER.
1985
1986 Upon completion, return TRUE iff *ITER has been advanced to the
1987 statement following the one it was originally pointing to. */
1988
1989 static bool
1990 instrument_builtin_call (gimple_stmt_iterator *iter)
1991 {
1992 if (!ASAN_MEMINTRIN)
1993 return false;
1994
1995 bool iter_advanced_p = false;
1996 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
1997
1998 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
1999
2000 location_t loc = gimple_location (call);
2001
2002 asan_mem_ref src0, src1, dest;
2003 asan_mem_ref_init (&src0, NULL, 1);
2004 asan_mem_ref_init (&src1, NULL, 1);
2005 asan_mem_ref_init (&dest, NULL, 1);
2006
2007 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
2008 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
2009 dest_is_deref = false, intercepted_p = true;
2010
2011 if (get_mem_refs_of_builtin_call (call,
2012 &src0, &src0_len, &src0_is_store,
2013 &src1, &src1_len, &src1_is_store,
2014 &dest, &dest_len, &dest_is_store,
2015 &dest_is_deref, &intercepted_p))
2016 {
2017 if (dest_is_deref)
2018 {
2019 instrument_derefs (iter, dest.start, loc, dest_is_store);
2020 gsi_next (iter);
2021 iter_advanced_p = true;
2022 }
2023 else if (!intercepted_p
2024 && (src0_len || src1_len || dest_len))
2025 {
2026 if (src0.start != NULL_TREE)
2027 instrument_mem_region_access (src0.start, src0_len,
2028 iter, loc, /*is_store=*/false);
2029 if (src1.start != NULL_TREE)
2030 instrument_mem_region_access (src1.start, src1_len,
2031 iter, loc, /*is_store=*/false);
2032 if (dest.start != NULL_TREE)
2033 instrument_mem_region_access (dest.start, dest_len,
2034 iter, loc, /*is_store=*/true);
2035
2036 *iter = gsi_for_stmt (call);
2037 gsi_next (iter);
2038 iter_advanced_p = true;
2039 }
2040 else
2041 {
2042 if (src0.start != NULL_TREE)
2043 maybe_update_mem_ref_hash_table (src0.start, src0_len);
2044 if (src1.start != NULL_TREE)
2045 maybe_update_mem_ref_hash_table (src1.start, src1_len);
2046 if (dest.start != NULL_TREE)
2047 maybe_update_mem_ref_hash_table (dest.start, dest_len);
2048 }
2049 }
2050 return iter_advanced_p;
2051 }
2052
2053 /* Instrument the assignment statement ITER if it is subject to
2054 instrumentation. Return TRUE iff instrumentation actually
2055 happened. In that case, the iterator ITER is advanced to the next
2056 logical expression following the one initially pointed to by ITER,
2057 and the relevant memory reference that which access has been
2058 instrumented is added to the memory references hash table. */
2059
2060 static bool
2061 maybe_instrument_assignment (gimple_stmt_iterator *iter)
2062 {
2063 gimple *s = gsi_stmt (*iter);
2064
2065 gcc_assert (gimple_assign_single_p (s));
2066
2067 tree ref_expr = NULL_TREE;
2068 bool is_store, is_instrumented = false;
2069
2070 if (gimple_store_p (s))
2071 {
2072 ref_expr = gimple_assign_lhs (s);
2073 is_store = true;
2074 instrument_derefs (iter, ref_expr,
2075 gimple_location (s),
2076 is_store);
2077 is_instrumented = true;
2078 }
2079
2080 if (gimple_assign_load_p (s))
2081 {
2082 ref_expr = gimple_assign_rhs1 (s);
2083 is_store = false;
2084 instrument_derefs (iter, ref_expr,
2085 gimple_location (s),
2086 is_store);
2087 is_instrumented = true;
2088 }
2089
2090 if (is_instrumented)
2091 gsi_next (iter);
2092
2093 return is_instrumented;
2094 }
2095
2096 /* Instrument the function call pointed to by the iterator ITER, if it
2097 is subject to instrumentation. At the moment, the only function
2098 calls that are instrumented are some built-in functions that access
2099 memory. Look at instrument_builtin_call to learn more.
2100
2101 Upon completion return TRUE iff *ITER was advanced to the statement
2102 following the one it was originally pointing to. */
2103
2104 static bool
2105 maybe_instrument_call (gimple_stmt_iterator *iter)
2106 {
2107 gimple *stmt = gsi_stmt (*iter);
2108 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2109
2110 if (is_builtin && instrument_builtin_call (iter))
2111 return true;
2112
2113 if (gimple_call_noreturn_p (stmt))
2114 {
2115 if (is_builtin)
2116 {
2117 tree callee = gimple_call_fndecl (stmt);
2118 switch (DECL_FUNCTION_CODE (callee))
2119 {
2120 case BUILT_IN_UNREACHABLE:
2121 case BUILT_IN_TRAP:
2122 /* Don't instrument these. */
2123 return false;
2124 default:
2125 break;
2126 }
2127 }
2128 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
2129 gimple *g = gimple_build_call (decl, 0);
2130 gimple_set_location (g, gimple_location (stmt));
2131 gsi_insert_before (iter, g, GSI_SAME_STMT);
2132 }
2133
2134 bool instrumented = false;
2135 if (gimple_store_p (stmt))
2136 {
2137 tree ref_expr = gimple_call_lhs (stmt);
2138 instrument_derefs (iter, ref_expr,
2139 gimple_location (stmt),
2140 /*is_store=*/true);
2141
2142 instrumented = true;
2143 }
2144
2145 /* Walk through gimple_call arguments and check them id needed. */
2146 unsigned args_num = gimple_call_num_args (stmt);
2147 for (unsigned i = 0; i < args_num; ++i)
2148 {
2149 tree arg = gimple_call_arg (stmt, i);
2150 /* If ARG is not a non-aggregate register variable, compiler in general
2151 creates temporary for it and pass it as argument to gimple call.
2152 But in some cases, e.g. when we pass by value a small structure that
2153 fits to register, compiler can avoid extra overhead by pulling out
2154 these temporaries. In this case, we should check the argument. */
2155 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
2156 {
2157 instrument_derefs (iter, arg,
2158 gimple_location (stmt),
2159 /*is_store=*/false);
2160 instrumented = true;
2161 }
2162 }
2163 if (instrumented)
2164 gsi_next (iter);
2165 return instrumented;
2166 }
2167
2168 /* Walk each instruction of all basic block and instrument those that
2169 represent memory references: loads, stores, or function calls.
2170 In a given basic block, this function avoids instrumenting memory
2171 references that have already been instrumented. */
2172
2173 static void
2174 transform_statements (void)
2175 {
2176 basic_block bb, last_bb = NULL;
2177 gimple_stmt_iterator i;
2178 int saved_last_basic_block = last_basic_block_for_fn (cfun);
2179
2180 FOR_EACH_BB_FN (bb, cfun)
2181 {
2182 basic_block prev_bb = bb;
2183
2184 if (bb->index >= saved_last_basic_block) continue;
2185
2186 /* Flush the mem ref hash table, if current bb doesn't have
2187 exactly one predecessor, or if that predecessor (skipping
2188 over asan created basic blocks) isn't the last processed
2189 basic block. Thus we effectively flush on extended basic
2190 block boundaries. */
2191 while (single_pred_p (prev_bb))
2192 {
2193 prev_bb = single_pred (prev_bb);
2194 if (prev_bb->index < saved_last_basic_block)
2195 break;
2196 }
2197 if (prev_bb != last_bb)
2198 empty_mem_ref_hash_table ();
2199 last_bb = bb;
2200
2201 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
2202 {
2203 gimple *s = gsi_stmt (i);
2204
2205 if (has_stmt_been_instrumented_p (s))
2206 gsi_next (&i);
2207 else if (gimple_assign_single_p (s)
2208 && !gimple_clobber_p (s)
2209 && maybe_instrument_assignment (&i))
2210 /* Nothing to do as maybe_instrument_assignment advanced
2211 the iterator I. */;
2212 else if (is_gimple_call (s) && maybe_instrument_call (&i))
2213 /* Nothing to do as maybe_instrument_call
2214 advanced the iterator I. */;
2215 else
2216 {
2217 /* No instrumentation happened.
2218
2219 If the current instruction is a function call that
2220 might free something, let's forget about the memory
2221 references that got instrumented. Otherwise we might
2222 miss some instrumentation opportunities. Do the same
2223 for a ASAN_MARK poisoning internal function. */
2224 if (is_gimple_call (s)
2225 && (!nonfreeing_call_p (s) || asan_mark_poison_p (s)))
2226 empty_mem_ref_hash_table ();
2227
2228 gsi_next (&i);
2229 }
2230 }
2231 }
2232 free_mem_ref_resources ();
2233 }
2234
2235 /* Build
2236 __asan_before_dynamic_init (module_name)
2237 or
2238 __asan_after_dynamic_init ()
2239 call. */
2240
2241 tree
2242 asan_dynamic_init_call (bool after_p)
2243 {
2244 if (shadow_ptr_types[0] == NULL_TREE)
2245 asan_init_shadow_ptr_types ();
2246
2247 tree fn = builtin_decl_implicit (after_p
2248 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
2249 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
2250 tree module_name_cst = NULL_TREE;
2251 if (!after_p)
2252 {
2253 pretty_printer module_name_pp;
2254 pp_string (&module_name_pp, main_input_filename);
2255
2256 module_name_cst = asan_pp_string (&module_name_pp);
2257 module_name_cst = fold_convert (const_ptr_type_node,
2258 module_name_cst);
2259 }
2260
2261 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
2262 }
2263
2264 /* Build
2265 struct __asan_global
2266 {
2267 const void *__beg;
2268 uptr __size;
2269 uptr __size_with_redzone;
2270 const void *__name;
2271 const void *__module_name;
2272 uptr __has_dynamic_init;
2273 __asan_global_source_location *__location;
2274 char *__odr_indicator;
2275 } type. */
2276
2277 static tree
2278 asan_global_struct (void)
2279 {
2280 static const char *field_names[]
2281 = { "__beg", "__size", "__size_with_redzone",
2282 "__name", "__module_name", "__has_dynamic_init", "__location",
2283 "__odr_indicator" };
2284 tree fields[ARRAY_SIZE (field_names)], ret;
2285 unsigned i;
2286
2287 ret = make_node (RECORD_TYPE);
2288 for (i = 0; i < ARRAY_SIZE (field_names); i++)
2289 {
2290 fields[i]
2291 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
2292 get_identifier (field_names[i]),
2293 (i == 0 || i == 3) ? const_ptr_type_node
2294 : pointer_sized_int_node);
2295 DECL_CONTEXT (fields[i]) = ret;
2296 if (i)
2297 DECL_CHAIN (fields[i - 1]) = fields[i];
2298 }
2299 tree type_decl = build_decl (input_location, TYPE_DECL,
2300 get_identifier ("__asan_global"), ret);
2301 DECL_IGNORED_P (type_decl) = 1;
2302 DECL_ARTIFICIAL (type_decl) = 1;
2303 TYPE_FIELDS (ret) = fields[0];
2304 TYPE_NAME (ret) = type_decl;
2305 TYPE_STUB_DECL (ret) = type_decl;
2306 layout_type (ret);
2307 return ret;
2308 }
2309
2310 /* Create and return odr indicator symbol for DECL.
2311 TYPE is __asan_global struct type as returned by asan_global_struct. */
2312
2313 static tree
2314 create_odr_indicator (tree decl, tree type)
2315 {
2316 char *name;
2317 tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2318 tree decl_name
2319 = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl)
2320 : DECL_NAME (decl));
2321 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
2322 if (decl_name == NULL_TREE)
2323 return build_int_cst (uptr, 0);
2324 size_t len = strlen (IDENTIFIER_POINTER (decl_name)) + sizeof ("__odr_asan_");
2325 name = XALLOCAVEC (char, len);
2326 snprintf (name, len, "__odr_asan_%s", IDENTIFIER_POINTER (decl_name));
2327 #ifndef NO_DOT_IN_LABEL
2328 name[sizeof ("__odr_asan") - 1] = '.';
2329 #elif !defined(NO_DOLLAR_IN_LABEL)
2330 name[sizeof ("__odr_asan") - 1] = '$';
2331 #endif
2332 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name),
2333 char_type_node);
2334 TREE_ADDRESSABLE (var) = 1;
2335 TREE_READONLY (var) = 0;
2336 TREE_THIS_VOLATILE (var) = 1;
2337 DECL_GIMPLE_REG_P (var) = 0;
2338 DECL_ARTIFICIAL (var) = 1;
2339 DECL_IGNORED_P (var) = 1;
2340 TREE_STATIC (var) = 1;
2341 TREE_PUBLIC (var) = 1;
2342 DECL_VISIBILITY (var) = DECL_VISIBILITY (decl);
2343 DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl);
2344
2345 TREE_USED (var) = 1;
2346 tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE,
2347 build_int_cst (unsigned_type_node, 0));
2348 TREE_CONSTANT (ctor) = 1;
2349 TREE_STATIC (ctor) = 1;
2350 DECL_INITIAL (var) = ctor;
2351 DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"),
2352 NULL, DECL_ATTRIBUTES (var));
2353 make_decl_rtl (var);
2354 varpool_node::finalize_decl (var);
2355 return fold_convert (uptr, build_fold_addr_expr (var));
2356 }
2357
2358 /* Return true if DECL, a global var, might be overridden and needs
2359 an additional odr indicator symbol. */
2360
2361 static bool
2362 asan_needs_odr_indicator_p (tree decl)
2363 {
2364 return !DECL_ARTIFICIAL (decl) && !DECL_WEAK (decl) && TREE_PUBLIC (decl);
2365 }
2366
2367 /* Append description of a single global DECL into vector V.
2368 TYPE is __asan_global struct type as returned by asan_global_struct. */
2369
2370 static void
2371 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
2372 {
2373 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2374 unsigned HOST_WIDE_INT size;
2375 tree str_cst, module_name_cst, refdecl = decl;
2376 vec<constructor_elt, va_gc> *vinner = NULL;
2377
2378 pretty_printer asan_pp, module_name_pp;
2379
2380 if (DECL_NAME (decl))
2381 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
2382 else
2383 pp_string (&asan_pp, "<unknown>");
2384 str_cst = asan_pp_string (&asan_pp);
2385
2386 pp_string (&module_name_pp, main_input_filename);
2387 module_name_cst = asan_pp_string (&module_name_pp);
2388
2389 if (asan_needs_local_alias (decl))
2390 {
2391 char buf[20];
2392 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
2393 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
2394 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
2395 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
2396 TREE_READONLY (refdecl) = TREE_READONLY (decl);
2397 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
2398 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
2399 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
2400 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
2401 TREE_STATIC (refdecl) = 1;
2402 TREE_PUBLIC (refdecl) = 0;
2403 TREE_USED (refdecl) = 1;
2404 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
2405 }
2406
2407 tree odr_indicator_ptr
2408 = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type)
2409 : build_int_cst (uptr, 0));
2410 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2411 fold_convert (const_ptr_type_node,
2412 build_fold_addr_expr (refdecl)));
2413 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
2414 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2415 size += asan_red_zone_size (size);
2416 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2417 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2418 fold_convert (const_ptr_type_node, str_cst));
2419 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2420 fold_convert (const_ptr_type_node, module_name_cst));
2421 varpool_node *vnode = varpool_node::get (decl);
2422 int has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
2423 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2424 build_int_cst (uptr, has_dynamic_init));
2425 tree locptr = NULL_TREE;
2426 location_t loc = DECL_SOURCE_LOCATION (decl);
2427 expanded_location xloc = expand_location (loc);
2428 if (xloc.file != NULL)
2429 {
2430 static int lasanloccnt = 0;
2431 char buf[25];
2432 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
2433 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2434 ubsan_get_source_location_type ());
2435 TREE_STATIC (var) = 1;
2436 TREE_PUBLIC (var) = 0;
2437 DECL_ARTIFICIAL (var) = 1;
2438 DECL_IGNORED_P (var) = 1;
2439 pretty_printer filename_pp;
2440 pp_string (&filename_pp, xloc.file);
2441 tree str = asan_pp_string (&filename_pp);
2442 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
2443 NULL_TREE, str, NULL_TREE,
2444 build_int_cst (unsigned_type_node,
2445 xloc.line), NULL_TREE,
2446 build_int_cst (unsigned_type_node,
2447 xloc.column));
2448 TREE_CONSTANT (ctor) = 1;
2449 TREE_STATIC (ctor) = 1;
2450 DECL_INITIAL (var) = ctor;
2451 varpool_node::finalize_decl (var);
2452 locptr = fold_convert (uptr, build_fold_addr_expr (var));
2453 }
2454 else
2455 locptr = build_int_cst (uptr, 0);
2456 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
2457 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr);
2458 init = build_constructor (type, vinner);
2459 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
2460 }
2461
2462 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2463 void
2464 initialize_sanitizer_builtins (void)
2465 {
2466 tree decl;
2467
2468 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
2469 return;
2470
2471 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
2472 tree BT_FN_VOID_PTR
2473 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
2474 tree BT_FN_VOID_CONST_PTR
2475 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
2476 tree BT_FN_VOID_PTR_PTR
2477 = build_function_type_list (void_type_node, ptr_type_node,
2478 ptr_type_node, NULL_TREE);
2479 tree BT_FN_VOID_PTR_PTR_PTR
2480 = build_function_type_list (void_type_node, ptr_type_node,
2481 ptr_type_node, ptr_type_node, NULL_TREE);
2482 tree BT_FN_VOID_PTR_PTRMODE
2483 = build_function_type_list (void_type_node, ptr_type_node,
2484 pointer_sized_int_node, NULL_TREE);
2485 tree BT_FN_VOID_INT
2486 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
2487 tree BT_FN_SIZE_CONST_PTR_INT
2488 = build_function_type_list (size_type_node, const_ptr_type_node,
2489 integer_type_node, NULL_TREE);
2490 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
2491 tree BT_FN_IX_CONST_VPTR_INT[5];
2492 tree BT_FN_IX_VPTR_IX_INT[5];
2493 tree BT_FN_VOID_VPTR_IX_INT[5];
2494 tree vptr
2495 = build_pointer_type (build_qualified_type (void_type_node,
2496 TYPE_QUAL_VOLATILE));
2497 tree cvptr
2498 = build_pointer_type (build_qualified_type (void_type_node,
2499 TYPE_QUAL_VOLATILE
2500 |TYPE_QUAL_CONST));
2501 tree boolt
2502 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
2503 int i;
2504 for (i = 0; i < 5; i++)
2505 {
2506 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
2507 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
2508 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
2509 integer_type_node, integer_type_node,
2510 NULL_TREE);
2511 BT_FN_IX_CONST_VPTR_INT[i]
2512 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
2513 BT_FN_IX_VPTR_IX_INT[i]
2514 = build_function_type_list (ix, vptr, ix, integer_type_node,
2515 NULL_TREE);
2516 BT_FN_VOID_VPTR_IX_INT[i]
2517 = build_function_type_list (void_type_node, vptr, ix,
2518 integer_type_node, NULL_TREE);
2519 }
2520 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2521 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2522 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2523 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2524 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2525 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2526 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2527 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2528 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2529 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2530 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2531 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2532 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2533 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2534 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2535 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2536 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2537 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2538 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2539 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2540 #undef ATTR_NOTHROW_LEAF_LIST
2541 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2542 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2543 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2544 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2545 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2546 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2547 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
2548 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
2549 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2550 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2551 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2552 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2553 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2554 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2555 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2556 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2557 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
2558 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
2559 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
2560 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2561 #undef ATTR_PURE_NOTHROW_LEAF_LIST
2562 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
2563 #undef DEF_BUILTIN_STUB
2564 #define DEF_BUILTIN_STUB(ENUM, NAME)
2565 #undef DEF_SANITIZER_BUILTIN
2566 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2567 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2568 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2569 set_call_expr_flags (decl, ATTRS); \
2570 set_builtin_decl (ENUM, decl, true);
2571
2572 #include "sanitizer.def"
2573
2574 /* -fsanitize=object-size uses __builtin_object_size, but that might
2575 not be available for e.g. Fortran at this point. We use
2576 DEF_SANITIZER_BUILTIN here only as a convenience macro. */
2577 if ((flag_sanitize & SANITIZE_OBJECT_SIZE)
2578 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
2579 DEF_SANITIZER_BUILTIN (BUILT_IN_OBJECT_SIZE, "object_size",
2580 BT_FN_SIZE_CONST_PTR_INT,
2581 ATTR_PURE_NOTHROW_LEAF_LIST)
2582
2583 #undef DEF_SANITIZER_BUILTIN
2584 #undef DEF_BUILTIN_STUB
2585 }
2586
2587 /* Called via htab_traverse. Count number of emitted
2588 STRING_CSTs in the constant hash table. */
2589
2590 int
2591 count_string_csts (constant_descriptor_tree **slot,
2592 unsigned HOST_WIDE_INT *data)
2593 {
2594 struct constant_descriptor_tree *desc = *slot;
2595 if (TREE_CODE (desc->value) == STRING_CST
2596 && TREE_ASM_WRITTEN (desc->value)
2597 && asan_protect_global (desc->value))
2598 ++*data;
2599 return 1;
2600 }
2601
2602 /* Helper structure to pass two parameters to
2603 add_string_csts. */
2604
2605 struct asan_add_string_csts_data
2606 {
2607 tree type;
2608 vec<constructor_elt, va_gc> *v;
2609 };
2610
2611 /* Called via hash_table::traverse. Call asan_add_global
2612 on emitted STRING_CSTs from the constant hash table. */
2613
2614 int
2615 add_string_csts (constant_descriptor_tree **slot,
2616 asan_add_string_csts_data *aascd)
2617 {
2618 struct constant_descriptor_tree *desc = *slot;
2619 if (TREE_CODE (desc->value) == STRING_CST
2620 && TREE_ASM_WRITTEN (desc->value)
2621 && asan_protect_global (desc->value))
2622 {
2623 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
2624 aascd->type, aascd->v);
2625 }
2626 return 1;
2627 }
2628
2629 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
2630 invoke ggc_collect. */
2631 static GTY(()) tree asan_ctor_statements;
2632
2633 /* Module-level instrumentation.
2634 - Insert __asan_init_vN() into the list of CTORs.
2635 - TODO: insert redzones around globals.
2636 */
2637
2638 void
2639 asan_finish_file (void)
2640 {
2641 varpool_node *vnode;
2642 unsigned HOST_WIDE_INT gcount = 0;
2643
2644 if (shadow_ptr_types[0] == NULL_TREE)
2645 asan_init_shadow_ptr_types ();
2646 /* Avoid instrumenting code in the asan ctors/dtors.
2647 We don't need to insert padding after the description strings,
2648 nor after .LASAN* array. */
2649 flag_sanitize &= ~SANITIZE_ADDRESS;
2650
2651 /* For user-space we want asan constructors to run first.
2652 Linux kernel does not support priorities other than default, and the only
2653 other user of constructors is coverage. So we run with the default
2654 priority. */
2655 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
2656 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
2657
2658 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2659 {
2660 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
2661 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2662 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
2663 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2664 }
2665 FOR_EACH_DEFINED_VARIABLE (vnode)
2666 if (TREE_ASM_WRITTEN (vnode->decl)
2667 && asan_protect_global (vnode->decl))
2668 ++gcount;
2669 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
2670 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
2671 (&gcount);
2672 if (gcount)
2673 {
2674 tree type = asan_global_struct (), var, ctor;
2675 tree dtor_statements = NULL_TREE;
2676 vec<constructor_elt, va_gc> *v;
2677 char buf[20];
2678
2679 type = build_array_type_nelts (type, gcount);
2680 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
2681 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2682 type);
2683 TREE_STATIC (var) = 1;
2684 TREE_PUBLIC (var) = 0;
2685 DECL_ARTIFICIAL (var) = 1;
2686 DECL_IGNORED_P (var) = 1;
2687 vec_alloc (v, gcount);
2688 FOR_EACH_DEFINED_VARIABLE (vnode)
2689 if (TREE_ASM_WRITTEN (vnode->decl)
2690 && asan_protect_global (vnode->decl))
2691 asan_add_global (vnode->decl, TREE_TYPE (type), v);
2692 struct asan_add_string_csts_data aascd;
2693 aascd.type = TREE_TYPE (type);
2694 aascd.v = v;
2695 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
2696 (&aascd);
2697 ctor = build_constructor (type, v);
2698 TREE_CONSTANT (ctor) = 1;
2699 TREE_STATIC (ctor) = 1;
2700 DECL_INITIAL (var) = ctor;
2701 varpool_node::finalize_decl (var);
2702
2703 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
2704 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
2705 append_to_statement_list (build_call_expr (fn, 2,
2706 build_fold_addr_expr (var),
2707 gcount_tree),
2708 &asan_ctor_statements);
2709
2710 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
2711 append_to_statement_list (build_call_expr (fn, 2,
2712 build_fold_addr_expr (var),
2713 gcount_tree),
2714 &dtor_statements);
2715 cgraph_build_static_cdtor ('D', dtor_statements, priority);
2716 }
2717 if (asan_ctor_statements)
2718 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
2719 flag_sanitize |= SANITIZE_ADDRESS;
2720 }
2721
2722 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
2723 on SHADOW address. Newly added statements will be added to ITER with
2724 given location LOC. We mark SIZE bytes in shadow memory, where
2725 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
2726 end of a variable. */
2727
2728 static void
2729 asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
2730 tree shadow,
2731 unsigned HOST_WIDE_INT base_addr_offset,
2732 bool is_clobber, unsigned size,
2733 unsigned last_chunk_size)
2734 {
2735 tree shadow_ptr_type;
2736
2737 switch (size)
2738 {
2739 case 1:
2740 shadow_ptr_type = shadow_ptr_types[0];
2741 break;
2742 case 2:
2743 shadow_ptr_type = shadow_ptr_types[1];
2744 break;
2745 case 4:
2746 shadow_ptr_type = shadow_ptr_types[2];
2747 break;
2748 default:
2749 gcc_unreachable ();
2750 }
2751
2752 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
2753 unsigned HOST_WIDE_INT val = 0;
2754 for (unsigned i = 0; i < size; ++i)
2755 {
2756 unsigned char shadow_c = c;
2757 if (i == size - 1 && last_chunk_size && !is_clobber)
2758 shadow_c = last_chunk_size;
2759 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
2760 }
2761
2762 /* Handle last chunk in unpoisoning. */
2763 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);
2764
2765 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
2766 build_int_cst (shadow_ptr_type, base_addr_offset));
2767
2768 gimple *g = gimple_build_assign (dest, magic);
2769 gimple_set_location (g, loc);
2770 gsi_insert_after (iter, g, GSI_NEW_STMT);
2771 }
2772
2773 /* Expand the ASAN_MARK builtins. */
2774
2775 bool
2776 asan_expand_mark_ifn (gimple_stmt_iterator *iter)
2777 {
2778 gimple *g = gsi_stmt (*iter);
2779 location_t loc = gimple_location (g);
2780 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
2781 gcc_assert (flags < ASAN_MARK_LAST);
2782 bool is_clobber = (flags & ASAN_MARK_CLOBBER) != 0;
2783
2784 tree base = gimple_call_arg (g, 1);
2785 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
2786 tree decl = TREE_OPERAND (base, 0);
2787
2788 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
2789 if (TREE_CODE (decl) == COMPONENT_REF
2790 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0)))
2791 decl = TREE_OPERAND (decl, 0);
2792
2793 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);
2794 if (asan_handled_variables == NULL)
2795 asan_handled_variables = new hash_set<tree> (16);
2796 asan_handled_variables->add (decl);
2797 tree len = gimple_call_arg (g, 2);
2798
2799 gcc_assert (tree_fits_shwi_p (len));
2800 unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len);
2801 gcc_assert (size_in_bytes);
2802
2803 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2804 NOP_EXPR, base);
2805 gimple_set_location (g, loc);
2806 gsi_replace (iter, g, false);
2807 tree base_addr = gimple_assign_lhs (g);
2808
2809 /* Generate direct emission if size_in_bytes is small. */
2810 if (size_in_bytes <= ASAN_PARAM_USE_AFTER_SCOPE_DIRECT_EMISSION_THRESHOLD)
2811 {
2812 unsigned HOST_WIDE_INT shadow_size = shadow_mem_size (size_in_bytes);
2813
2814 tree shadow = build_shadow_mem_access (iter, loc, base_addr,
2815 shadow_ptr_types[0], true);
2816
2817 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
2818 {
2819 unsigned size = 1;
2820 if (shadow_size - offset >= 4)
2821 size = 4;
2822 else if (shadow_size - offset >= 2)
2823 size = 2;
2824
2825 unsigned HOST_WIDE_INT last_chunk_size = 0;
2826 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
2827 if (s > size_in_bytes)
2828 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);
2829
2830 asan_store_shadow_bytes (iter, loc, shadow, offset, is_clobber,
2831 size, last_chunk_size);
2832 offset += size;
2833 }
2834 }
2835 else
2836 {
2837 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2838 NOP_EXPR, len);
2839 gimple_set_location (g, loc);
2840 gsi_insert_before (iter, g, GSI_SAME_STMT);
2841 tree sz_arg = gimple_assign_lhs (g);
2842
2843 tree fun = builtin_decl_implicit (is_clobber ? BUILT_IN_ASAN_CLOBBER_N
2844 : BUILT_IN_ASAN_UNCLOBBER_N);
2845 g = gimple_build_call (fun, 2, base_addr, sz_arg);
2846 gimple_set_location (g, loc);
2847 gsi_insert_after (iter, g, GSI_NEW_STMT);
2848 }
2849
2850 return false;
2851 }
2852
2853 /* Expand the ASAN_{LOAD,STORE} builtins. */
2854
2855 bool
2856 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
2857 {
2858 gimple *g = gsi_stmt (*iter);
2859 location_t loc = gimple_location (g);
2860 bool recover_p;
2861 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2862 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
2863 else
2864 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
2865
2866 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
2867 gcc_assert (flags < ASAN_CHECK_LAST);
2868 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
2869 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
2870 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
2871
2872 tree base = gimple_call_arg (g, 1);
2873 tree len = gimple_call_arg (g, 2);
2874 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
2875
2876 HOST_WIDE_INT size_in_bytes
2877 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2878
2879 if (use_calls)
2880 {
2881 /* Instrument using callbacks. */
2882 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2883 NOP_EXPR, base);
2884 gimple_set_location (g, loc);
2885 gsi_insert_before (iter, g, GSI_SAME_STMT);
2886 tree base_addr = gimple_assign_lhs (g);
2887
2888 int nargs;
2889 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
2890 if (nargs == 1)
2891 g = gimple_build_call (fun, 1, base_addr);
2892 else
2893 {
2894 gcc_assert (nargs == 2);
2895 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2896 NOP_EXPR, len);
2897 gimple_set_location (g, loc);
2898 gsi_insert_before (iter, g, GSI_SAME_STMT);
2899 tree sz_arg = gimple_assign_lhs (g);
2900 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
2901 }
2902 gimple_set_location (g, loc);
2903 gsi_replace (iter, g, false);
2904 return false;
2905 }
2906
2907 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
2908
2909 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
2910 tree shadow_type = TREE_TYPE (shadow_ptr_type);
2911
2912 gimple_stmt_iterator gsi = *iter;
2913
2914 if (!is_non_zero_len)
2915 {
2916 /* So, the length of the memory area to asan-protect is
2917 non-constant. Let's guard the generated instrumentation code
2918 like:
2919
2920 if (len != 0)
2921 {
2922 //asan instrumentation code goes here.
2923 }
2924 // falltrough instructions, starting with *ITER. */
2925
2926 g = gimple_build_cond (NE_EXPR,
2927 len,
2928 build_int_cst (TREE_TYPE (len), 0),
2929 NULL_TREE, NULL_TREE);
2930 gimple_set_location (g, loc);
2931
2932 basic_block then_bb, fallthrough_bb;
2933 insert_if_then_before_iter (as_a <gcond *> (g), iter,
2934 /*then_more_likely_p=*/true,
2935 &then_bb, &fallthrough_bb);
2936 /* Note that fallthrough_bb starts with the statement that was
2937 pointed to by ITER. */
2938
2939 /* The 'then block' of the 'if (len != 0) condition is where
2940 we'll generate the asan instrumentation code now. */
2941 gsi = gsi_last_bb (then_bb);
2942 }
2943
2944 /* Get an iterator on the point where we can add the condition
2945 statement for the instrumentation. */
2946 basic_block then_bb, else_bb;
2947 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
2948 /*then_more_likely_p=*/false,
2949 /*create_then_fallthru_edge*/recover_p,
2950 &then_bb,
2951 &else_bb);
2952
2953 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2954 NOP_EXPR, base);
2955 gimple_set_location (g, loc);
2956 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
2957 tree base_addr = gimple_assign_lhs (g);
2958
2959 tree t = NULL_TREE;
2960 if (real_size_in_bytes >= 8)
2961 {
2962 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
2963 shadow_ptr_type);
2964 t = shadow;
2965 }
2966 else
2967 {
2968 /* Slow path for 1, 2 and 4 byte accesses. */
2969 /* Test (shadow != 0)
2970 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
2971 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
2972 shadow_ptr_type);
2973 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
2974 gimple_seq seq = NULL;
2975 gimple_seq_add_stmt (&seq, shadow_test);
2976 /* Aligned (>= 8 bytes) can test just
2977 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
2978 to be 0. */
2979 if (align < 8)
2980 {
2981 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
2982 base_addr, 7));
2983 gimple_seq_add_stmt (&seq,
2984 build_type_cast (shadow_type,
2985 gimple_seq_last (seq)));
2986 if (real_size_in_bytes > 1)
2987 gimple_seq_add_stmt (&seq,
2988 build_assign (PLUS_EXPR,
2989 gimple_seq_last (seq),
2990 real_size_in_bytes - 1));
2991 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
2992 }
2993 else
2994 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
2995 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
2996 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
2997 gimple_seq_last (seq)));
2998 t = gimple_assign_lhs (gimple_seq_last (seq));
2999 gimple_seq_set_location (seq, loc);
3000 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3001
3002 /* For non-constant, misaligned or otherwise weird access sizes,
3003 check first and last byte. */
3004 if (size_in_bytes == -1)
3005 {
3006 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3007 MINUS_EXPR, len,
3008 build_int_cst (pointer_sized_int_node, 1));
3009 gimple_set_location (g, loc);
3010 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3011 tree last = gimple_assign_lhs (g);
3012 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3013 PLUS_EXPR, base_addr, last);
3014 gimple_set_location (g, loc);
3015 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3016 tree base_end_addr = gimple_assign_lhs (g);
3017
3018 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
3019 shadow_ptr_type);
3020 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3021 gimple_seq seq = NULL;
3022 gimple_seq_add_stmt (&seq, shadow_test);
3023 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3024 base_end_addr, 7));
3025 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
3026 gimple_seq_last (seq)));
3027 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
3028 gimple_seq_last (seq),
3029 shadow));
3030 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3031 gimple_seq_last (seq)));
3032 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
3033 gimple_seq_last (seq)));
3034 t = gimple_assign_lhs (gimple_seq_last (seq));
3035 gimple_seq_set_location (seq, loc);
3036 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3037 }
3038 }
3039
3040 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
3041 NULL_TREE, NULL_TREE);
3042 gimple_set_location (g, loc);
3043 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3044
3045 /* Generate call to the run-time library (e.g. __asan_report_load8). */
3046 gsi = gsi_start_bb (then_bb);
3047 int nargs;
3048 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
3049 g = gimple_build_call (fun, nargs, base_addr, len);
3050 gimple_set_location (g, loc);
3051 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3052
3053 gsi_remove (iter, true);
3054 *iter = gsi_start_bb (else_bb);
3055
3056 return true;
3057 }
3058
3059 /* Instrument the current function. */
3060
3061 static unsigned int
3062 asan_instrument (void)
3063 {
3064 if (shadow_ptr_types[0] == NULL_TREE)
3065 asan_init_shadow_ptr_types ();
3066 transform_statements ();
3067 return 0;
3068 }
3069
3070 static bool
3071 gate_asan (void)
3072 {
3073 return (flag_sanitize & SANITIZE_ADDRESS) != 0
3074 && !lookup_attribute ("no_sanitize_address",
3075 DECL_ATTRIBUTES (current_function_decl));
3076 }
3077
3078 namespace {
3079
3080 const pass_data pass_data_asan =
3081 {
3082 GIMPLE_PASS, /* type */
3083 "asan", /* name */
3084 OPTGROUP_NONE, /* optinfo_flags */
3085 TV_NONE, /* tv_id */
3086 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3087 0, /* properties_provided */
3088 0, /* properties_destroyed */
3089 0, /* todo_flags_start */
3090 TODO_update_ssa, /* todo_flags_finish */
3091 };
3092
3093 class pass_asan : public gimple_opt_pass
3094 {
3095 public:
3096 pass_asan (gcc::context *ctxt)
3097 : gimple_opt_pass (pass_data_asan, ctxt)
3098 {}
3099
3100 /* opt_pass methods: */
3101 opt_pass * clone () { return new pass_asan (m_ctxt); }
3102 virtual bool gate (function *) { return gate_asan (); }
3103 virtual unsigned int execute (function *) { return asan_instrument (); }
3104
3105 }; // class pass_asan
3106
3107 } // anon namespace
3108
3109 gimple_opt_pass *
3110 make_pass_asan (gcc::context *ctxt)
3111 {
3112 return new pass_asan (ctxt);
3113 }
3114
3115 namespace {
3116
3117 const pass_data pass_data_asan_O0 =
3118 {
3119 GIMPLE_PASS, /* type */
3120 "asan0", /* name */
3121 OPTGROUP_NONE, /* optinfo_flags */
3122 TV_NONE, /* tv_id */
3123 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3124 0, /* properties_provided */
3125 0, /* properties_destroyed */
3126 0, /* todo_flags_start */
3127 TODO_update_ssa, /* todo_flags_finish */
3128 };
3129
3130 class pass_asan_O0 : public gimple_opt_pass
3131 {
3132 public:
3133 pass_asan_O0 (gcc::context *ctxt)
3134 : gimple_opt_pass (pass_data_asan_O0, ctxt)
3135 {}
3136
3137 /* opt_pass methods: */
3138 virtual bool gate (function *) { return !optimize && gate_asan (); }
3139 virtual unsigned int execute (function *) { return asan_instrument (); }
3140
3141 }; // class pass_asan_O0
3142
3143 } // anon namespace
3144
3145 gimple_opt_pass *
3146 make_pass_asan_O0 (gcc::context *ctxt)
3147 {
3148 return new pass_asan_O0 (ctxt);
3149 }
3150
3151 #include "gt-asan.h"
Mirror of the offical gcc git repository hosted at gcc.gnu.org