asan.cc revision 1.1.1.1
1 /* AddressSanitizer, a fast memory error detector. 2 Copyright (C) 2012-2022 Free Software Foundation, Inc. 3 Contributed by Kostya Serebryany <kcc (at) google.com> 4 5 This file is part of GCC. 6 7 GCC is free software; you can redistribute it and/or modify it under 8 the terms of the GNU General Public License as published by the Free 9 Software Foundation; either version 3, or (at your option) any later 10 version. 11 12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY 13 WARRANTY; without even the implied warranty of MERCHANTABILITY or 14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 15 for more details. 16 17 You should have received a copy of the GNU General Public License 18 along with GCC; see the file COPYING3. If not see 19 <http://www.gnu.org/licenses/>. */ 20 21 22 #include "config.h" 23 #include "system.h" 24 #include "coretypes.h" 25 #include "backend.h" 26 #include "target.h" 27 #include "rtl.h" 28 #include "tree.h" 29 #include "gimple.h" 30 #include "cfghooks.h" 31 #include "alloc-pool.h" 32 #include "tree-pass.h" 33 #include "memmodel.h" 34 #include "tm_p.h" 35 #include "ssa.h" 36 #include "stringpool.h" 37 #include "tree-ssanames.h" 38 #include "optabs.h" 39 #include "emit-rtl.h" 40 #include "cgraph.h" 41 #include "gimple-pretty-print.h" 42 #include "alias.h" 43 #include "fold-const.h" 44 #include "cfganal.h" 45 #include "gimplify.h" 46 #include "gimple-iterator.h" 47 #include "varasm.h" 48 #include "stor-layout.h" 49 #include "tree-iterator.h" 50 #include "stringpool.h" 51 #include "attribs.h" 52 #include "asan.h" 53 #include "dojump.h" 54 #include "explow.h" 55 #include "expr.h" 56 #include "output.h" 57 #include "langhooks.h" 58 #include "cfgloop.h" 59 #include "gimple-builder.h" 60 #include "gimple-fold.h" 61 #include "ubsan.h" 62 #include "builtins.h" 63 #include "fnmatch.h" 64 #include "tree-inline.h" 65 #include "tree-ssa.h" 66 #include "tree-eh.h" 67 #include "diagnostic-core.h" 68 69 /* AddressSanitizer finds out-of-bounds and use-after-free bugs 70 with <2x slowdown on average. 71 72 The tool consists of two parts: 73 instrumentation module (this file) and a run-time library. 74 The instrumentation module adds a run-time check before every memory insn. 75 For a 8- or 16- byte load accessing address X: 76 ShadowAddr = (X >> 3) + Offset 77 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access. 78 if (ShadowValue) 79 __asan_report_load8(X); 80 For a load of N bytes (N=1, 2 or 4) from address X: 81 ShadowAddr = (X >> 3) + Offset 82 ShadowValue = *(char*)ShadowAddr; 83 if (ShadowValue) 84 if ((X & 7) + N - 1 > ShadowValue) 85 __asan_report_loadN(X); 86 Stores are instrumented similarly, but using __asan_report_storeN functions. 87 A call too __asan_init_vN() is inserted to the list of module CTORs. 88 N is the version number of the AddressSanitizer API. The changes between the 89 API versions are listed in libsanitizer/asan/asan_interface_internal.h. 90 91 The run-time library redefines malloc (so that redzone are inserted around 92 the allocated memory) and free (so that reuse of free-ed memory is delayed), 93 provides __asan_report* and __asan_init_vN functions. 94 95 Read more: 96 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 97 98 The current implementation supports detection of out-of-bounds and 99 use-after-free in the heap, on the stack and for global variables. 100 101 [Protection of stack variables] 102 103 To understand how detection of out-of-bounds and use-after-free works 104 for stack variables, lets look at this example on x86_64 where the 105 stack grows downward: 106 107 int 108 foo () 109 { 110 char a[24] = {0}; 111 int b[2] = {0}; 112 113 a[5] = 1; 114 b[1] = 2; 115 116 return a[5] + b[1]; 117 } 118 119 For this function, the stack protected by asan will be organized as 120 follows, from the top of the stack to the bottom: 121 122 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone'] 123 124 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make 125 the next slot be 32 bytes aligned; this one is called Partial 126 Redzone; this 32 bytes alignment is an asan constraint] 127 128 Slot 3/ [24 bytes for variable 'a'] 129 130 Slot 4/ [red zone of 32 bytes called 'Middle RedZone'] 131 132 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2] 133 134 Slot 6/ [8 bytes for variable 'b'] 135 136 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called 137 'LEFT RedZone'] 138 139 The 32 bytes of LEFT red zone at the bottom of the stack can be 140 decomposed as such: 141 142 1/ The first 8 bytes contain a magical asan number that is always 143 0x41B58AB3. 144 145 2/ The following 8 bytes contains a pointer to a string (to be 146 parsed at runtime by the runtime asan library), which format is 147 the following: 148 149 "<function-name> <space> <num-of-variables-on-the-stack> 150 (<32-bytes-aligned-offset-in-bytes-of-variable> <space> 151 <length-of-var-in-bytes> ){n} " 152 153 where '(...){n}' means the content inside the parenthesis occurs 'n' 154 times, with 'n' being the number of variables on the stack. 155 156 3/ The following 8 bytes contain the PC of the current function which 157 will be used by the run-time library to print an error message. 158 159 4/ The following 8 bytes are reserved for internal use by the run-time. 160 161 The shadow memory for that stack layout is going to look like this: 162 163 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1. 164 The F1 byte pattern is a magic number called 165 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that 166 the memory for that shadow byte is part of a the LEFT red zone 167 intended to seat at the bottom of the variables on the stack. 168 169 - content of shadow memory 8 bytes for slots 6 and 5: 170 0xF4F4F400. The F4 byte pattern is a magic number 171 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the 172 memory region for this shadow byte is a PARTIAL red zone 173 intended to pad a variable A, so that the slot following 174 {A,padding} is 32 bytes aligned. 175 176 Note that the fact that the least significant byte of this 177 shadow memory content is 00 means that 8 bytes of its 178 corresponding memory (which corresponds to the memory of 179 variable 'b') is addressable. 180 181 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2. 182 The F2 byte pattern is a magic number called 183 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory 184 region for this shadow byte is a MIDDLE red zone intended to 185 seat between two 32 aligned slots of {variable,padding}. 186 187 - content of shadow memory 8 bytes for slot 3 and 2: 188 0xF4000000. This represents is the concatenation of 189 variable 'a' and the partial red zone following it, like what we 190 had for variable 'b'. The least significant 3 bytes being 00 191 means that the 3 bytes of variable 'a' are addressable. 192 193 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3. 194 The F3 byte pattern is a magic number called 195 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory 196 region for this shadow byte is a RIGHT red zone intended to seat 197 at the top of the variables of the stack. 198 199 Note that the real variable layout is done in expand_used_vars in 200 cfgexpand.cc. As far as Address Sanitizer is concerned, it lays out 201 stack variables as well as the different red zones, emits some 202 prologue code to populate the shadow memory as to poison (mark as 203 non-accessible) the regions of the red zones and mark the regions of 204 stack variables as accessible, and emit some epilogue code to 205 un-poison (mark as accessible) the regions of red zones right before 206 the function exits. 207 208 [Protection of global variables] 209 210 The basic idea is to insert a red zone between two global variables 211 and install a constructor function that calls the asan runtime to do 212 the populating of the relevant shadow memory regions at load time. 213 214 So the global variables are laid out as to insert a red zone between 215 them. The size of the red zones is so that each variable starts on a 216 32 bytes boundary. 217 218 Then a constructor function is installed so that, for each global 219 variable, it calls the runtime asan library function 220 __asan_register_globals_with an instance of this type: 221 222 struct __asan_global 223 { 224 // Address of the beginning of the global variable. 225 const void *__beg; 226 227 // Initial size of the global variable. 228 uptr __size; 229 230 // Size of the global variable + size of the red zone. This 231 // size is 32 bytes aligned. 232 uptr __size_with_redzone; 233 234 // Name of the global variable. 235 const void *__name; 236 237 // Name of the module where the global variable is declared. 238 const void *__module_name; 239 240 // 1 if it has dynamic initialization, 0 otherwise. 241 uptr __has_dynamic_init; 242 243 // A pointer to struct that contains source location, could be NULL. 244 __asan_global_source_location *__location; 245 } 246 247 A destructor function that calls the runtime asan library function 248 _asan_unregister_globals is also installed. */ 249 250 static unsigned HOST_WIDE_INT asan_shadow_offset_value; 251 static bool asan_shadow_offset_computed; 252 static vec<char *> sanitized_sections; 253 static tree last_alloca_addr; 254 255 /* Set of variable declarations that are going to be guarded by 256 use-after-scope sanitizer. */ 257 258 hash_set<tree> *asan_handled_variables = NULL; 259 260 hash_set <tree> *asan_used_labels = NULL; 261 262 /* Global variables for HWASAN stack tagging. */ 263 /* hwasan_frame_tag_offset records the offset from the frame base tag that the 264 next object should have. */ 265 static uint8_t hwasan_frame_tag_offset = 0; 266 /* hwasan_frame_base_ptr is a pointer with the same address as 267 `virtual_stack_vars_rtx` for the current frame, and with the frame base tag 268 stored in it. N.b. this global RTX does not need to be marked GTY, but is 269 done so anyway. The need is not there since all uses are in just one pass 270 (cfgexpand) and there are no calls to ggc_collect between the uses. We mark 271 it GTY(()) anyway to allow the use of the variable later on if needed by 272 future features. */ 273 static GTY(()) rtx hwasan_frame_base_ptr = NULL_RTX; 274 /* hwasan_frame_base_init_seq is the sequence of RTL insns that will initialize 275 the hwasan_frame_base_ptr. When the hwasan_frame_base_ptr is requested, we 276 generate this sequence but do not emit it. If the sequence was created it 277 is emitted once the function body has been expanded. 278 279 This delay is because the frame base pointer may be needed anywhere in the 280 function body, or needed by the expand_used_vars function. Emitting once in 281 a known place is simpler than requiring the emission of the instructions to 282 be know where it should go depending on the first place the hwasan frame 283 base is needed. */ 284 static GTY(()) rtx_insn *hwasan_frame_base_init_seq = NULL; 285 286 /* Structure defining the extent of one object on the stack that HWASAN needs 287 to tag in the corresponding shadow stack space. 288 289 The range this object spans on the stack is between `untagged_base + 290 nearest_offset` and `untagged_base + farthest_offset`. 291 `tagged_base` is an rtx containing the same value as `untagged_base` but 292 with a random tag stored in the top byte. We record both `untagged_base` 293 and `tagged_base` so that `hwasan_emit_prologue` can use both without having 294 to emit RTL into the instruction stream to re-calculate one from the other. 295 (`hwasan_emit_prologue` needs to use both bases since the 296 __hwasan_tag_memory call it emits uses an untagged value, and it calculates 297 the tag to store in shadow memory based on the tag_offset plus the tag in 298 tagged_base). */ 299 struct hwasan_stack_var 300 { 301 rtx untagged_base; 302 rtx tagged_base; 303 poly_int64 nearest_offset; 304 poly_int64 farthest_offset; 305 uint8_t tag_offset; 306 }; 307 308 /* Variable recording all stack variables that HWASAN needs to tag. 309 Does not need to be marked as GTY(()) since every use is in the cfgexpand 310 pass and gcc_collect is not called in the middle of that pass. */ 311 static vec<hwasan_stack_var> hwasan_tagged_stack_vars; 312 313 314 /* Sets shadow offset to value in string VAL. */ 315 316 bool 317 set_asan_shadow_offset (const char *val) 318 { 319 char *endp; 320 321 errno = 0; 322 #ifdef HAVE_LONG_LONG 323 asan_shadow_offset_value = strtoull (val, &endp, 0); 324 #else 325 asan_shadow_offset_value = strtoul (val, &endp, 0); 326 #endif 327 if (!(*val != '\0' && *endp == '\0' && errno == 0)) 328 return false; 329 330 asan_shadow_offset_computed = true; 331 332 return true; 333 } 334 335 /* Set list of user-defined sections that need to be sanitized. */ 336 337 void 338 set_sanitized_sections (const char *sections) 339 { 340 char *pat; 341 unsigned i; 342 FOR_EACH_VEC_ELT (sanitized_sections, i, pat) 343 free (pat); 344 sanitized_sections.truncate (0); 345 346 for (const char *s = sections; *s; ) 347 { 348 const char *end; 349 for (end = s; *end && *end != ','; ++end); 350 size_t len = end - s; 351 sanitized_sections.safe_push (xstrndup (s, len)); 352 s = *end ? end + 1 : end; 353 } 354 } 355 356 bool 357 asan_mark_p (gimple *stmt, enum asan_mark_flags flag) 358 { 359 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK) 360 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag); 361 } 362 363 bool 364 asan_sanitize_stack_p (void) 365 { 366 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_stack); 367 } 368 369 bool 370 asan_sanitize_allocas_p (void) 371 { 372 return (asan_sanitize_stack_p () && param_asan_protect_allocas); 373 } 374 375 bool 376 asan_instrument_reads (void) 377 { 378 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_reads); 379 } 380 381 bool 382 asan_instrument_writes (void) 383 { 384 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_instrument_writes); 385 } 386 387 bool 388 asan_memintrin (void) 389 { 390 return (sanitize_flags_p (SANITIZE_ADDRESS) && param_asan_memintrin); 391 } 392 393 394 /* Checks whether section SEC should be sanitized. */ 395 396 static bool 397 section_sanitized_p (const char *sec) 398 { 399 char *pat; 400 unsigned i; 401 FOR_EACH_VEC_ELT (sanitized_sections, i, pat) 402 if (fnmatch (pat, sec, FNM_PERIOD) == 0) 403 return true; 404 return false; 405 } 406 407 /* Returns Asan shadow offset. */ 408 409 static unsigned HOST_WIDE_INT 410 asan_shadow_offset () 411 { 412 if (!asan_shadow_offset_computed) 413 { 414 asan_shadow_offset_computed = true; 415 asan_shadow_offset_value = targetm.asan_shadow_offset (); 416 } 417 return asan_shadow_offset_value; 418 } 419 420 /* Returns Asan shadow offset has been set. */ 421 bool 422 asan_shadow_offset_set_p () 423 { 424 return asan_shadow_offset_computed; 425 } 426 427 alias_set_type asan_shadow_set = -1; 428 429 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate 430 alias set is used for all shadow memory accesses. */ 431 static GTY(()) tree shadow_ptr_types[3]; 432 433 /* Decl for __asan_option_detect_stack_use_after_return. */ 434 static GTY(()) tree asan_detect_stack_use_after_return; 435 436 /* Hashtable support for memory references used by gimple 437 statements. */ 438 439 /* This type represents a reference to a memory region. */ 440 struct asan_mem_ref 441 { 442 /* The expression of the beginning of the memory region. */ 443 tree start; 444 445 /* The size of the access. */ 446 HOST_WIDE_INT access_size; 447 }; 448 449 object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref"); 450 451 /* Initializes an instance of asan_mem_ref. */ 452 453 static void 454 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size) 455 { 456 ref->start = start; 457 ref->access_size = access_size; 458 } 459 460 /* Allocates memory for an instance of asan_mem_ref into the memory 461 pool returned by asan_mem_ref_get_alloc_pool and initialize it. 462 START is the address of (or the expression pointing to) the 463 beginning of memory reference. ACCESS_SIZE is the size of the 464 access to the referenced memory. */ 465 466 static asan_mem_ref* 467 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size) 468 { 469 asan_mem_ref *ref = asan_mem_ref_pool.allocate (); 470 471 asan_mem_ref_init (ref, start, access_size); 472 return ref; 473 } 474 475 /* This builds and returns a pointer to the end of the memory region 476 that starts at START and of length LEN. */ 477 478 tree 479 asan_mem_ref_get_end (tree start, tree len) 480 { 481 if (len == NULL_TREE || integer_zerop (len)) 482 return start; 483 484 if (!ptrofftype_p (len)) 485 len = convert_to_ptrofftype (len); 486 487 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len); 488 } 489 490 /* Return a tree expression that represents the end of the referenced 491 memory region. Beware that this function can actually build a new 492 tree expression. */ 493 494 tree 495 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len) 496 { 497 return asan_mem_ref_get_end (ref->start, len); 498 } 499 500 struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref> 501 { 502 static inline hashval_t hash (const asan_mem_ref *); 503 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *); 504 }; 505 506 /* Hash a memory reference. */ 507 508 inline hashval_t 509 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref) 510 { 511 return iterative_hash_expr (mem_ref->start, 0); 512 } 513 514 /* Compare two memory references. We accept the length of either 515 memory references to be NULL_TREE. */ 516 517 inline bool 518 asan_mem_ref_hasher::equal (const asan_mem_ref *m1, 519 const asan_mem_ref *m2) 520 { 521 return operand_equal_p (m1->start, m2->start, 0); 522 } 523 524 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht; 525 526 /* Returns a reference to the hash table containing memory references. 527 This function ensures that the hash table is created. Note that 528 this hash table is updated by the function 529 update_mem_ref_hash_table. */ 530 531 static hash_table<asan_mem_ref_hasher> * 532 get_mem_ref_hash_table () 533 { 534 if (!asan_mem_ref_ht) 535 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10); 536 537 return asan_mem_ref_ht; 538 } 539 540 /* Clear all entries from the memory references hash table. */ 541 542 static void 543 empty_mem_ref_hash_table () 544 { 545 if (asan_mem_ref_ht) 546 asan_mem_ref_ht->empty (); 547 } 548 549 /* Free the memory references hash table. */ 550 551 static void 552 free_mem_ref_resources () 553 { 554 delete asan_mem_ref_ht; 555 asan_mem_ref_ht = NULL; 556 557 asan_mem_ref_pool.release (); 558 } 559 560 /* Return true iff the memory reference REF has been instrumented. */ 561 562 static bool 563 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size) 564 { 565 asan_mem_ref r; 566 asan_mem_ref_init (&r, ref, access_size); 567 568 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r); 569 return saved_ref && saved_ref->access_size >= access_size; 570 } 571 572 /* Return true iff the memory reference REF has been instrumented. */ 573 574 static bool 575 has_mem_ref_been_instrumented (const asan_mem_ref *ref) 576 { 577 return has_mem_ref_been_instrumented (ref->start, ref->access_size); 578 } 579 580 /* Return true iff access to memory region starting at REF and of 581 length LEN has been instrumented. */ 582 583 static bool 584 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len) 585 { 586 HOST_WIDE_INT size_in_bytes 587 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1; 588 589 return size_in_bytes != -1 590 && has_mem_ref_been_instrumented (ref->start, size_in_bytes); 591 } 592 593 /* Set REF to the memory reference present in a gimple assignment 594 ASSIGNMENT. Return true upon successful completion, false 595 otherwise. */ 596 597 static bool 598 get_mem_ref_of_assignment (const gassign *assignment, 599 asan_mem_ref *ref, 600 bool *ref_is_store) 601 { 602 gcc_assert (gimple_assign_single_p (assignment)); 603 604 if (gimple_store_p (assignment) 605 && !gimple_clobber_p (assignment)) 606 { 607 ref->start = gimple_assign_lhs (assignment); 608 *ref_is_store = true; 609 } 610 else if (gimple_assign_load_p (assignment)) 611 { 612 ref->start = gimple_assign_rhs1 (assignment); 613 *ref_is_store = false; 614 } 615 else 616 return false; 617 618 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start)); 619 return true; 620 } 621 622 /* Return address of last allocated dynamic alloca. */ 623 624 static tree 625 get_last_alloca_addr () 626 { 627 if (last_alloca_addr) 628 return last_alloca_addr; 629 630 last_alloca_addr = create_tmp_reg (ptr_type_node, "last_alloca_addr"); 631 gassign *g = gimple_build_assign (last_alloca_addr, null_pointer_node); 632 edge e = single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun)); 633 gsi_insert_on_edge_immediate (e, g); 634 return last_alloca_addr; 635 } 636 637 /* Insert __asan_allocas_unpoison (top, bottom) call before 638 __builtin_stack_restore (new_sp) call. 639 The pseudocode of this routine should look like this: 640 top = last_alloca_addr; 641 bot = new_sp; 642 __asan_allocas_unpoison (top, bot); 643 last_alloca_addr = new_sp; 644 __builtin_stack_restore (new_sp); 645 In general, we can't use new_sp as bot parameter because on some 646 architectures SP has non zero offset from dynamic stack area. Moreover, on 647 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each 648 particular function only after all callees were expanded to rtl. 649 The most noticeable example is PowerPC{,64}, see 650 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK. 651 To overcome the issue we use following trick: pass new_sp as a second 652 parameter to __asan_allocas_unpoison and rewrite it during expansion with 653 new_sp + (virtual_dynamic_stack_rtx - sp) later in 654 expand_asan_emit_allocas_unpoison function. 655 656 HWASAN needs to do very similar, the eventual pseudocode should be: 657 __hwasan_tag_memory (virtual_stack_dynamic_rtx, 658 0, 659 new_sp - sp); 660 __builtin_stack_restore (new_sp) 661 662 Need to use the same trick to handle STACK_DYNAMIC_OFFSET as described 663 above. */ 664 665 static void 666 handle_builtin_stack_restore (gcall *call, gimple_stmt_iterator *iter) 667 { 668 if (!iter 669 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ())) 670 return; 671 672 tree restored_stack = gimple_call_arg (call, 0); 673 674 gimple *g; 675 676 if (hwasan_sanitize_allocas_p ()) 677 { 678 enum internal_fn fn = IFN_HWASAN_ALLOCA_UNPOISON; 679 /* There is only one piece of information `expand_HWASAN_ALLOCA_UNPOISON` 680 needs to work. This is the length of the area that we're 681 deallocating. Since the stack pointer is known at expand time, the 682 position of the new stack pointer after deallocation is enough 683 information to calculate this length. */ 684 g = gimple_build_call_internal (fn, 1, restored_stack); 685 } 686 else 687 { 688 tree last_alloca = get_last_alloca_addr (); 689 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCAS_UNPOISON); 690 g = gimple_build_call (fn, 2, last_alloca, restored_stack); 691 gsi_insert_before (iter, g, GSI_SAME_STMT); 692 g = gimple_build_assign (last_alloca, restored_stack); 693 } 694 695 gsi_insert_before (iter, g, GSI_SAME_STMT); 696 } 697 698 /* Deploy and poison redzones around __builtin_alloca call. To do this, we 699 should replace this call with another one with changed parameters and 700 replace all its uses with new address, so 701 addr = __builtin_alloca (old_size, align); 702 is replaced by 703 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE); 704 Following two statements are optimized out if we know that 705 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial 706 redzone. 707 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1); 708 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign; 709 right_redzone_size = ASAN_RED_ZONE_SIZE; 710 additional_size = left_redzone_size + partial_redzone_size + 711 right_redzone_size; 712 new_size = old_size + additional_size; 713 new_alloca = __builtin_alloca (new_size, max (align, 32)) 714 __asan_alloca_poison (new_alloca, old_size) 715 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE); 716 last_alloca_addr = new_alloca; 717 ADDITIONAL_SIZE is added to make new memory allocation contain not only 718 requested memory, but also left, partial and right redzones as well as some 719 additional space, required by alignment. */ 720 721 static void 722 handle_builtin_alloca (gcall *call, gimple_stmt_iterator *iter) 723 { 724 if (!iter 725 || !(asan_sanitize_allocas_p () || hwasan_sanitize_allocas_p ())) 726 return; 727 728 gassign *g; 729 gcall *gg; 730 tree callee = gimple_call_fndecl (call); 731 tree lhs = gimple_call_lhs (call); 732 tree old_size = gimple_call_arg (call, 0); 733 tree ptr_type = lhs ? TREE_TYPE (lhs) : ptr_type_node; 734 tree partial_size = NULL_TREE; 735 unsigned int align 736 = DECL_FUNCTION_CODE (callee) == BUILT_IN_ALLOCA 737 ? 0 : tree_to_uhwi (gimple_call_arg (call, 1)); 738 739 bool throws = false; 740 edge e = NULL; 741 if (stmt_can_throw_internal (cfun, call)) 742 { 743 if (!lhs) 744 return; 745 throws = true; 746 e = find_fallthru_edge (gsi_bb (*iter)->succs); 747 } 748 749 if (hwasan_sanitize_allocas_p ()) 750 { 751 gimple_seq stmts = NULL; 752 location_t loc = gimple_location (gsi_stmt (*iter)); 753 /* 754 HWASAN needs a different expansion. 755 756 addr = __builtin_alloca (size, align); 757 758 should be replaced by 759 760 new_size = size rounded up to HWASAN_TAG_GRANULE_SIZE byte alignment; 761 untagged_addr = __builtin_alloca (new_size, align); 762 tag = __hwasan_choose_alloca_tag (); 763 addr = ifn_HWASAN_SET_TAG (untagged_addr, tag); 764 __hwasan_tag_memory (untagged_addr, tag, new_size); 765 */ 766 /* Ensure alignment at least HWASAN_TAG_GRANULE_SIZE bytes so we start on 767 a tag granule. */ 768 align = align > HWASAN_TAG_GRANULE_SIZE ? align : HWASAN_TAG_GRANULE_SIZE; 769 770 tree old_size = gimple_call_arg (call, 0); 771 tree new_size = gimple_build_round_up (&stmts, loc, size_type_node, 772 old_size, 773 HWASAN_TAG_GRANULE_SIZE); 774 775 /* Make the alloca call */ 776 tree untagged_addr 777 = gimple_build (&stmts, loc, 778 as_combined_fn (BUILT_IN_ALLOCA_WITH_ALIGN), ptr_type, 779 new_size, build_int_cst (size_type_node, align)); 780 781 /* Choose the tag. 782 Here we use an internal function so we can choose the tag at expand 783 time. We need the decision to be made after stack variables have been 784 assigned their tag (i.e. once the hwasan_frame_tag_offset variable has 785 been set to one after the last stack variables tag). */ 786 tree tag = gimple_build (&stmts, loc, CFN_HWASAN_CHOOSE_TAG, 787 unsigned_char_type_node); 788 789 /* Add tag to pointer. */ 790 tree addr 791 = gimple_build (&stmts, loc, CFN_HWASAN_SET_TAG, ptr_type, 792 untagged_addr, tag); 793 794 /* Tag shadow memory. 795 NOTE: require using `untagged_addr` here for libhwasan API. */ 796 gimple_build (&stmts, loc, as_combined_fn (BUILT_IN_HWASAN_TAG_MEM), 797 void_type_node, untagged_addr, tag, new_size); 798 799 /* Insert the built up code sequence into the original instruction stream 800 the iterator points to. */ 801 gsi_insert_seq_before (iter, stmts, GSI_SAME_STMT); 802 803 /* Finally, replace old alloca ptr with NEW_ALLOCA. */ 804 replace_call_with_value (iter, addr); 805 return; 806 } 807 808 tree last_alloca = get_last_alloca_addr (); 809 const HOST_WIDE_INT redzone_mask = ASAN_RED_ZONE_SIZE - 1; 810 811 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN 812 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE 813 manually. */ 814 align = MAX (align, ASAN_RED_ZONE_SIZE * BITS_PER_UNIT); 815 816 tree alloca_rz_mask = build_int_cst (size_type_node, redzone_mask); 817 tree redzone_size = build_int_cst (size_type_node, ASAN_RED_ZONE_SIZE); 818 819 /* Extract lower bits from old_size. */ 820 wide_int size_nonzero_bits = get_nonzero_bits (old_size); 821 wide_int rz_mask 822 = wi::uhwi (redzone_mask, wi::get_precision (size_nonzero_bits)); 823 wide_int old_size_lower_bits = wi::bit_and (size_nonzero_bits, rz_mask); 824 825 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial 826 redzone. Otherwise, compute its size here. */ 827 if (wi::ne_p (old_size_lower_bits, 0)) 828 { 829 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1) 830 partial_size = ASAN_RED_ZONE_SIZE - misalign. */ 831 g = gimple_build_assign (make_ssa_name (size_type_node, NULL), 832 BIT_AND_EXPR, old_size, alloca_rz_mask); 833 gsi_insert_before (iter, g, GSI_SAME_STMT); 834 tree misalign = gimple_assign_lhs (g); 835 g = gimple_build_assign (make_ssa_name (size_type_node, NULL), MINUS_EXPR, 836 redzone_size, misalign); 837 gsi_insert_before (iter, g, GSI_SAME_STMT); 838 partial_size = gimple_assign_lhs (g); 839 } 840 841 /* additional_size = align + ASAN_RED_ZONE_SIZE. */ 842 tree additional_size = build_int_cst (size_type_node, align / BITS_PER_UNIT 843 + ASAN_RED_ZONE_SIZE); 844 /* If alloca has partial redzone, include it to additional_size too. */ 845 if (partial_size) 846 { 847 /* additional_size += partial_size. */ 848 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR, 849 partial_size, additional_size); 850 gsi_insert_before (iter, g, GSI_SAME_STMT); 851 additional_size = gimple_assign_lhs (g); 852 } 853 854 /* new_size = old_size + additional_size. */ 855 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR, old_size, 856 additional_size); 857 gsi_insert_before (iter, g, GSI_SAME_STMT); 858 tree new_size = gimple_assign_lhs (g); 859 860 /* Build new __builtin_alloca call: 861 new_alloca_with_rz = __builtin_alloca (new_size, align). */ 862 tree fn = builtin_decl_implicit (BUILT_IN_ALLOCA_WITH_ALIGN); 863 gg = gimple_build_call (fn, 2, new_size, 864 build_int_cst (size_type_node, align)); 865 tree new_alloca_with_rz = make_ssa_name (ptr_type, gg); 866 gimple_call_set_lhs (gg, new_alloca_with_rz); 867 if (throws) 868 { 869 gimple_call_set_lhs (call, NULL); 870 gsi_replace (iter, gg, true); 871 } 872 else 873 gsi_insert_before (iter, gg, GSI_SAME_STMT); 874 875 /* new_alloca = new_alloca_with_rz + align. */ 876 g = gimple_build_assign (make_ssa_name (ptr_type), POINTER_PLUS_EXPR, 877 new_alloca_with_rz, 878 build_int_cst (size_type_node, 879 align / BITS_PER_UNIT)); 880 gimple_stmt_iterator gsi = gsi_none (); 881 if (throws) 882 { 883 gsi_insert_on_edge_immediate (e, g); 884 gsi = gsi_for_stmt (g); 885 } 886 else 887 gsi_insert_before (iter, g, GSI_SAME_STMT); 888 tree new_alloca = gimple_assign_lhs (g); 889 890 /* Poison newly created alloca redzones: 891 __asan_alloca_poison (new_alloca, old_size). */ 892 fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCA_POISON); 893 gg = gimple_build_call (fn, 2, new_alloca, old_size); 894 if (throws) 895 gsi_insert_after (&gsi, gg, GSI_NEW_STMT); 896 else 897 gsi_insert_before (iter, gg, GSI_SAME_STMT); 898 899 /* Save new_alloca_with_rz value into last_alloca to use it during 900 allocas unpoisoning. */ 901 g = gimple_build_assign (last_alloca, new_alloca_with_rz); 902 if (throws) 903 gsi_insert_after (&gsi, g, GSI_NEW_STMT); 904 else 905 gsi_insert_before (iter, g, GSI_SAME_STMT); 906 907 /* Finally, replace old alloca ptr with NEW_ALLOCA. */ 908 if (throws) 909 { 910 g = gimple_build_assign (lhs, new_alloca); 911 gsi_insert_after (&gsi, g, GSI_NEW_STMT); 912 } 913 else 914 replace_call_with_value (iter, new_alloca); 915 } 916 917 /* Return the memory references contained in a gimple statement 918 representing a builtin call that has to do with memory access. */ 919 920 static bool 921 get_mem_refs_of_builtin_call (gcall *call, 922 asan_mem_ref *src0, 923 tree *src0_len, 924 bool *src0_is_store, 925 asan_mem_ref *src1, 926 tree *src1_len, 927 bool *src1_is_store, 928 asan_mem_ref *dst, 929 tree *dst_len, 930 bool *dst_is_store, 931 bool *dest_is_deref, 932 bool *intercepted_p, 933 gimple_stmt_iterator *iter = NULL) 934 { 935 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL)); 936 937 tree callee = gimple_call_fndecl (call); 938 tree source0 = NULL_TREE, source1 = NULL_TREE, 939 dest = NULL_TREE, len = NULL_TREE; 940 bool is_store = true, got_reference_p = false; 941 HOST_WIDE_INT access_size = 1; 942 943 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee))); 944 945 switch (DECL_FUNCTION_CODE (callee)) 946 { 947 /* (s, s, n) style memops. */ 948 case BUILT_IN_BCMP: 949 case BUILT_IN_MEMCMP: 950 source0 = gimple_call_arg (call, 0); 951 source1 = gimple_call_arg (call, 1); 952 len = gimple_call_arg (call, 2); 953 break; 954 955 /* (src, dest, n) style memops. */ 956 case BUILT_IN_BCOPY: 957 source0 = gimple_call_arg (call, 0); 958 dest = gimple_call_arg (call, 1); 959 len = gimple_call_arg (call, 2); 960 break; 961 962 /* (dest, src, n) style memops. */ 963 case BUILT_IN_MEMCPY: 964 case BUILT_IN_MEMCPY_CHK: 965 case BUILT_IN_MEMMOVE: 966 case BUILT_IN_MEMMOVE_CHK: 967 case BUILT_IN_MEMPCPY: 968 case BUILT_IN_MEMPCPY_CHK: 969 dest = gimple_call_arg (call, 0); 970 source0 = gimple_call_arg (call, 1); 971 len = gimple_call_arg (call, 2); 972 break; 973 974 /* (dest, n) style memops. */ 975 case BUILT_IN_BZERO: 976 dest = gimple_call_arg (call, 0); 977 len = gimple_call_arg (call, 1); 978 break; 979 980 /* (dest, x, n) style memops*/ 981 case BUILT_IN_MEMSET: 982 case BUILT_IN_MEMSET_CHK: 983 dest = gimple_call_arg (call, 0); 984 len = gimple_call_arg (call, 2); 985 break; 986 987 case BUILT_IN_STRLEN: 988 /* Special case strlen here since its length is taken from its return 989 value. 990 991 The approach taken by the sanitizers is to check a memory access 992 before it's taken. For ASAN strlen is intercepted by libasan, so no 993 check is inserted by the compiler. 994 995 This function still returns `true` and provides a length to the rest 996 of the ASAN pass in order to record what areas have been checked, 997 avoiding superfluous checks later on. 998 999 HWASAN does not intercept any of these internal functions. 1000 This means that checks for memory accesses must be inserted by the 1001 compiler. 1002 strlen is a special case, because we can tell the length from the 1003 return of the function, but that is not known until after the function 1004 has returned. 1005 1006 Hence we can't check the memory access before it happens. 1007 We could check the memory access after it has already happened, but 1008 for now we choose to just ignore `strlen` calls. 1009 This decision was simply made because that means the special case is 1010 limited to this one case of this one function. */ 1011 if (hwasan_sanitize_p ()) 1012 return false; 1013 source0 = gimple_call_arg (call, 0); 1014 len = gimple_call_lhs (call); 1015 break; 1016 1017 case BUILT_IN_STACK_RESTORE: 1018 handle_builtin_stack_restore (call, iter); 1019 break; 1020 1021 CASE_BUILT_IN_ALLOCA: 1022 handle_builtin_alloca (call, iter); 1023 break; 1024 /* And now the __atomic* and __sync builtins. 1025 These are handled differently from the classical memory 1026 access builtins above. */ 1027 1028 case BUILT_IN_ATOMIC_LOAD_1: 1029 is_store = false; 1030 /* FALLTHRU */ 1031 case BUILT_IN_SYNC_FETCH_AND_ADD_1: 1032 case BUILT_IN_SYNC_FETCH_AND_SUB_1: 1033 case BUILT_IN_SYNC_FETCH_AND_OR_1: 1034 case BUILT_IN_SYNC_FETCH_AND_AND_1: 1035 case BUILT_IN_SYNC_FETCH_AND_XOR_1: 1036 case BUILT_IN_SYNC_FETCH_AND_NAND_1: 1037 case BUILT_IN_SYNC_ADD_AND_FETCH_1: 1038 case BUILT_IN_SYNC_SUB_AND_FETCH_1: 1039 case BUILT_IN_SYNC_OR_AND_FETCH_1: 1040 case BUILT_IN_SYNC_AND_AND_FETCH_1: 1041 case BUILT_IN_SYNC_XOR_AND_FETCH_1: 1042 case BUILT_IN_SYNC_NAND_AND_FETCH_1: 1043 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1: 1044 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1: 1045 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1: 1046 case BUILT_IN_SYNC_LOCK_RELEASE_1: 1047 case BUILT_IN_ATOMIC_EXCHANGE_1: 1048 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1: 1049 case BUILT_IN_ATOMIC_STORE_1: 1050 case BUILT_IN_ATOMIC_ADD_FETCH_1: 1051 case BUILT_IN_ATOMIC_SUB_FETCH_1: 1052 case BUILT_IN_ATOMIC_AND_FETCH_1: 1053 case BUILT_IN_ATOMIC_NAND_FETCH_1: 1054 case BUILT_IN_ATOMIC_XOR_FETCH_1: 1055 case BUILT_IN_ATOMIC_OR_FETCH_1: 1056 case BUILT_IN_ATOMIC_FETCH_ADD_1: 1057 case BUILT_IN_ATOMIC_FETCH_SUB_1: 1058 case BUILT_IN_ATOMIC_FETCH_AND_1: 1059 case BUILT_IN_ATOMIC_FETCH_NAND_1: 1060 case BUILT_IN_ATOMIC_FETCH_XOR_1: 1061 case BUILT_IN_ATOMIC_FETCH_OR_1: 1062 access_size = 1; 1063 goto do_atomic; 1064 1065 case BUILT_IN_ATOMIC_LOAD_2: 1066 is_store = false; 1067 /* FALLTHRU */ 1068 case BUILT_IN_SYNC_FETCH_AND_ADD_2: 1069 case BUILT_IN_SYNC_FETCH_AND_SUB_2: 1070 case BUILT_IN_SYNC_FETCH_AND_OR_2: 1071 case BUILT_IN_SYNC_FETCH_AND_AND_2: 1072 case BUILT_IN_SYNC_FETCH_AND_XOR_2: 1073 case BUILT_IN_SYNC_FETCH_AND_NAND_2: 1074 case BUILT_IN_SYNC_ADD_AND_FETCH_2: 1075 case BUILT_IN_SYNC_SUB_AND_FETCH_2: 1076 case BUILT_IN_SYNC_OR_AND_FETCH_2: 1077 case BUILT_IN_SYNC_AND_AND_FETCH_2: 1078 case BUILT_IN_SYNC_XOR_AND_FETCH_2: 1079 case BUILT_IN_SYNC_NAND_AND_FETCH_2: 1080 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2: 1081 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2: 1082 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2: 1083 case BUILT_IN_SYNC_LOCK_RELEASE_2: 1084 case BUILT_IN_ATOMIC_EXCHANGE_2: 1085 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2: 1086 case BUILT_IN_ATOMIC_STORE_2: 1087 case BUILT_IN_ATOMIC_ADD_FETCH_2: 1088 case BUILT_IN_ATOMIC_SUB_FETCH_2: 1089 case BUILT_IN_ATOMIC_AND_FETCH_2: 1090 case BUILT_IN_ATOMIC_NAND_FETCH_2: 1091 case BUILT_IN_ATOMIC_XOR_FETCH_2: 1092 case BUILT_IN_ATOMIC_OR_FETCH_2: 1093 case BUILT_IN_ATOMIC_FETCH_ADD_2: 1094 case BUILT_IN_ATOMIC_FETCH_SUB_2: 1095 case BUILT_IN_ATOMIC_FETCH_AND_2: 1096 case BUILT_IN_ATOMIC_FETCH_NAND_2: 1097 case BUILT_IN_ATOMIC_FETCH_XOR_2: 1098 case BUILT_IN_ATOMIC_FETCH_OR_2: 1099 access_size = 2; 1100 goto do_atomic; 1101 1102 case BUILT_IN_ATOMIC_LOAD_4: 1103 is_store = false; 1104 /* FALLTHRU */ 1105 case BUILT_IN_SYNC_FETCH_AND_ADD_4: 1106 case BUILT_IN_SYNC_FETCH_AND_SUB_4: 1107 case BUILT_IN_SYNC_FETCH_AND_OR_4: 1108 case BUILT_IN_SYNC_FETCH_AND_AND_4: 1109 case BUILT_IN_SYNC_FETCH_AND_XOR_4: 1110 case BUILT_IN_SYNC_FETCH_AND_NAND_4: 1111 case BUILT_IN_SYNC_ADD_AND_FETCH_4: 1112 case BUILT_IN_SYNC_SUB_AND_FETCH_4: 1113 case BUILT_IN_SYNC_OR_AND_FETCH_4: 1114 case BUILT_IN_SYNC_AND_AND_FETCH_4: 1115 case BUILT_IN_SYNC_XOR_AND_FETCH_4: 1116 case BUILT_IN_SYNC_NAND_AND_FETCH_4: 1117 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4: 1118 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4: 1119 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4: 1120 case BUILT_IN_SYNC_LOCK_RELEASE_4: 1121 case BUILT_IN_ATOMIC_EXCHANGE_4: 1122 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4: 1123 case BUILT_IN_ATOMIC_STORE_4: 1124 case BUILT_IN_ATOMIC_ADD_FETCH_4: 1125 case BUILT_IN_ATOMIC_SUB_FETCH_4: 1126 case BUILT_IN_ATOMIC_AND_FETCH_4: 1127 case BUILT_IN_ATOMIC_NAND_FETCH_4: 1128 case BUILT_IN_ATOMIC_XOR_FETCH_4: 1129 case BUILT_IN_ATOMIC_OR_FETCH_4: 1130 case BUILT_IN_ATOMIC_FETCH_ADD_4: 1131 case BUILT_IN_ATOMIC_FETCH_SUB_4: 1132 case BUILT_IN_ATOMIC_FETCH_AND_4: 1133 case BUILT_IN_ATOMIC_FETCH_NAND_4: 1134 case BUILT_IN_ATOMIC_FETCH_XOR_4: 1135 case BUILT_IN_ATOMIC_FETCH_OR_4: 1136 access_size = 4; 1137 goto do_atomic; 1138 1139 case BUILT_IN_ATOMIC_LOAD_8: 1140 is_store = false; 1141 /* FALLTHRU */ 1142 case BUILT_IN_SYNC_FETCH_AND_ADD_8: 1143 case BUILT_IN_SYNC_FETCH_AND_SUB_8: 1144 case BUILT_IN_SYNC_FETCH_AND_OR_8: 1145 case BUILT_IN_SYNC_FETCH_AND_AND_8: 1146 case BUILT_IN_SYNC_FETCH_AND_XOR_8: 1147 case BUILT_IN_SYNC_FETCH_AND_NAND_8: 1148 case BUILT_IN_SYNC_ADD_AND_FETCH_8: 1149 case BUILT_IN_SYNC_SUB_AND_FETCH_8: 1150 case BUILT_IN_SYNC_OR_AND_FETCH_8: 1151 case BUILT_IN_SYNC_AND_AND_FETCH_8: 1152 case BUILT_IN_SYNC_XOR_AND_FETCH_8: 1153 case BUILT_IN_SYNC_NAND_AND_FETCH_8: 1154 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8: 1155 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8: 1156 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8: 1157 case BUILT_IN_SYNC_LOCK_RELEASE_8: 1158 case BUILT_IN_ATOMIC_EXCHANGE_8: 1159 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8: 1160 case BUILT_IN_ATOMIC_STORE_8: 1161 case BUILT_IN_ATOMIC_ADD_FETCH_8: 1162 case BUILT_IN_ATOMIC_SUB_FETCH_8: 1163 case BUILT_IN_ATOMIC_AND_FETCH_8: 1164 case BUILT_IN_ATOMIC_NAND_FETCH_8: 1165 case BUILT_IN_ATOMIC_XOR_FETCH_8: 1166 case BUILT_IN_ATOMIC_OR_FETCH_8: 1167 case BUILT_IN_ATOMIC_FETCH_ADD_8: 1168 case BUILT_IN_ATOMIC_FETCH_SUB_8: 1169 case BUILT_IN_ATOMIC_FETCH_AND_8: 1170 case BUILT_IN_ATOMIC_FETCH_NAND_8: 1171 case BUILT_IN_ATOMIC_FETCH_XOR_8: 1172 case BUILT_IN_ATOMIC_FETCH_OR_8: 1173 access_size = 8; 1174 goto do_atomic; 1175 1176 case BUILT_IN_ATOMIC_LOAD_16: 1177 is_store = false; 1178 /* FALLTHRU */ 1179 case BUILT_IN_SYNC_FETCH_AND_ADD_16: 1180 case BUILT_IN_SYNC_FETCH_AND_SUB_16: 1181 case BUILT_IN_SYNC_FETCH_AND_OR_16: 1182 case BUILT_IN_SYNC_FETCH_AND_AND_16: 1183 case BUILT_IN_SYNC_FETCH_AND_XOR_16: 1184 case BUILT_IN_SYNC_FETCH_AND_NAND_16: 1185 case BUILT_IN_SYNC_ADD_AND_FETCH_16: 1186 case BUILT_IN_SYNC_SUB_AND_FETCH_16: 1187 case BUILT_IN_SYNC_OR_AND_FETCH_16: 1188 case BUILT_IN_SYNC_AND_AND_FETCH_16: 1189 case BUILT_IN_SYNC_XOR_AND_FETCH_16: 1190 case BUILT_IN_SYNC_NAND_AND_FETCH_16: 1191 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16: 1192 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16: 1193 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16: 1194 case BUILT_IN_SYNC_LOCK_RELEASE_16: 1195 case BUILT_IN_ATOMIC_EXCHANGE_16: 1196 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16: 1197 case BUILT_IN_ATOMIC_STORE_16: 1198 case BUILT_IN_ATOMIC_ADD_FETCH_16: 1199 case BUILT_IN_ATOMIC_SUB_FETCH_16: 1200 case BUILT_IN_ATOMIC_AND_FETCH_16: 1201 case BUILT_IN_ATOMIC_NAND_FETCH_16: 1202 case BUILT_IN_ATOMIC_XOR_FETCH_16: 1203 case BUILT_IN_ATOMIC_OR_FETCH_16: 1204 case BUILT_IN_ATOMIC_FETCH_ADD_16: 1205 case BUILT_IN_ATOMIC_FETCH_SUB_16: 1206 case BUILT_IN_ATOMIC_FETCH_AND_16: 1207 case BUILT_IN_ATOMIC_FETCH_NAND_16: 1208 case BUILT_IN_ATOMIC_FETCH_XOR_16: 1209 case BUILT_IN_ATOMIC_FETCH_OR_16: 1210 access_size = 16; 1211 /* FALLTHRU */ 1212 do_atomic: 1213 { 1214 dest = gimple_call_arg (call, 0); 1215 /* DEST represents the address of a memory location. 1216 instrument_derefs wants the memory location, so lets 1217 dereference the address DEST before handing it to 1218 instrument_derefs. */ 1219 tree type = build_nonstandard_integer_type (access_size 1220 * BITS_PER_UNIT, 1); 1221 dest = build2 (MEM_REF, type, dest, 1222 build_int_cst (build_pointer_type (char_type_node), 0)); 1223 break; 1224 } 1225 1226 default: 1227 /* The other builtins memory access are not instrumented in this 1228 function because they either don't have any length parameter, 1229 or their length parameter is just a limit. */ 1230 break; 1231 } 1232 1233 if (len != NULL_TREE) 1234 { 1235 if (source0 != NULL_TREE) 1236 { 1237 src0->start = source0; 1238 src0->access_size = access_size; 1239 *src0_len = len; 1240 *src0_is_store = false; 1241 } 1242 1243 if (source1 != NULL_TREE) 1244 { 1245 src1->start = source1; 1246 src1->access_size = access_size; 1247 *src1_len = len; 1248 *src1_is_store = false; 1249 } 1250 1251 if (dest != NULL_TREE) 1252 { 1253 dst->start = dest; 1254 dst->access_size = access_size; 1255 *dst_len = len; 1256 *dst_is_store = true; 1257 } 1258 1259 got_reference_p = true; 1260 } 1261 else if (dest) 1262 { 1263 dst->start = dest; 1264 dst->access_size = access_size; 1265 *dst_len = NULL_TREE; 1266 *dst_is_store = is_store; 1267 *dest_is_deref = true; 1268 got_reference_p = true; 1269 } 1270 1271 return got_reference_p; 1272 } 1273 1274 /* Return true iff a given gimple statement has been instrumented. 1275 Note that the statement is "defined" by the memory references it 1276 contains. */ 1277 1278 static bool 1279 has_stmt_been_instrumented_p (gimple *stmt) 1280 { 1281 if (gimple_assign_single_p (stmt)) 1282 { 1283 bool r_is_store; 1284 asan_mem_ref r; 1285 asan_mem_ref_init (&r, NULL, 1); 1286 1287 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r, 1288 &r_is_store)) 1289 { 1290 if (!has_mem_ref_been_instrumented (&r)) 1291 return false; 1292 if (r_is_store && gimple_assign_load_p (stmt)) 1293 { 1294 asan_mem_ref src; 1295 asan_mem_ref_init (&src, NULL, 1); 1296 src.start = gimple_assign_rhs1 (stmt); 1297 src.access_size = int_size_in_bytes (TREE_TYPE (src.start)); 1298 if (!has_mem_ref_been_instrumented (&src)) 1299 return false; 1300 } 1301 return true; 1302 } 1303 } 1304 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL)) 1305 { 1306 asan_mem_ref src0, src1, dest; 1307 asan_mem_ref_init (&src0, NULL, 1); 1308 asan_mem_ref_init (&src1, NULL, 1); 1309 asan_mem_ref_init (&dest, NULL, 1); 1310 1311 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE; 1312 bool src0_is_store = false, src1_is_store = false, 1313 dest_is_store = false, dest_is_deref = false, intercepted_p = true; 1314 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt), 1315 &src0, &src0_len, &src0_is_store, 1316 &src1, &src1_len, &src1_is_store, 1317 &dest, &dest_len, &dest_is_store, 1318 &dest_is_deref, &intercepted_p)) 1319 { 1320 if (src0.start != NULL_TREE 1321 && !has_mem_ref_been_instrumented (&src0, src0_len)) 1322 return false; 1323 1324 if (src1.start != NULL_TREE 1325 && !has_mem_ref_been_instrumented (&src1, src1_len)) 1326 return false; 1327 1328 if (dest.start != NULL_TREE 1329 && !has_mem_ref_been_instrumented (&dest, dest_len)) 1330 return false; 1331 1332 return true; 1333 } 1334 } 1335 else if (is_gimple_call (stmt) && gimple_store_p (stmt)) 1336 { 1337 asan_mem_ref r; 1338 asan_mem_ref_init (&r, NULL, 1); 1339 1340 r.start = gimple_call_lhs (stmt); 1341 r.access_size = int_size_in_bytes (TREE_TYPE (r.start)); 1342 return has_mem_ref_been_instrumented (&r); 1343 } 1344 1345 return false; 1346 } 1347 1348 /* Insert a memory reference into the hash table. */ 1349 1350 static void 1351 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size) 1352 { 1353 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table (); 1354 1355 asan_mem_ref r; 1356 asan_mem_ref_init (&r, ref, access_size); 1357 1358 asan_mem_ref **slot = ht->find_slot (&r, INSERT); 1359 if (*slot == NULL || (*slot)->access_size < access_size) 1360 *slot = asan_mem_ref_new (ref, access_size); 1361 } 1362 1363 /* Initialize shadow_ptr_types array. */ 1364 1365 static void 1366 asan_init_shadow_ptr_types (void) 1367 { 1368 asan_shadow_set = new_alias_set (); 1369 tree types[3] = { signed_char_type_node, short_integer_type_node, 1370 integer_type_node }; 1371 1372 for (unsigned i = 0; i < 3; i++) 1373 { 1374 shadow_ptr_types[i] = build_distinct_type_copy (types[i]); 1375 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set; 1376 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]); 1377 } 1378 1379 initialize_sanitizer_builtins (); 1380 } 1381 1382 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */ 1383 1384 static tree 1385 asan_pp_string (pretty_printer *pp) 1386 { 1387 const char *buf = pp_formatted_text (pp); 1388 size_t len = strlen (buf); 1389 tree ret = build_string (len + 1, buf); 1390 TREE_TYPE (ret) 1391 = build_array_type (TREE_TYPE (shadow_ptr_types[0]), 1392 build_index_type (size_int (len))); 1393 TREE_READONLY (ret) = 1; 1394 TREE_STATIC (ret) = 1; 1395 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret); 1396 } 1397 1398 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here 1399 though. */ 1400 1401 static void 1402 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len) 1403 { 1404 rtx_insn *insn, *insns, *jump; 1405 rtx_code_label *top_label; 1406 rtx end, addr, tmp; 1407 1408 gcc_assert ((len & 3) == 0); 1409 start_sequence (); 1410 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL); 1411 insns = get_insns (); 1412 end_sequence (); 1413 for (insn = insns; insn; insn = NEXT_INSN (insn)) 1414 if (CALL_P (insn)) 1415 break; 1416 if (insn == NULL_RTX) 1417 { 1418 emit_insn (insns); 1419 return; 1420 } 1421 1422 top_label = gen_label_rtx (); 1423 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0)); 1424 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0); 1425 end = force_reg (Pmode, plus_constant (Pmode, addr, len)); 1426 emit_label (top_label); 1427 1428 emit_move_insn (shadow_mem, const0_rtx); 1429 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr, 1430 true, OPTAB_LIB_WIDEN); 1431 if (tmp != addr) 1432 emit_move_insn (addr, tmp); 1433 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label); 1434 jump = get_last_insn (); 1435 gcc_assert (JUMP_P (jump)); 1436 add_reg_br_prob_note (jump, 1437 profile_probability::guessed_always () 1438 .apply_scale (80, 100)); 1439 } 1440 1441 void 1442 asan_function_start (void) 1443 { 1444 section *fnsec = function_section (current_function_decl); 1445 switch_to_section (fnsec); 1446 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC", 1447 current_function_funcdef_no); 1448 } 1449 1450 /* Return number of shadow bytes that are occupied by a local variable 1451 of SIZE bytes. */ 1452 1453 static unsigned HOST_WIDE_INT 1454 shadow_mem_size (unsigned HOST_WIDE_INT size) 1455 { 1456 /* It must be possible to align stack variables to granularity 1457 of shadow memory. */ 1458 gcc_assert (BITS_PER_UNIT 1459 * ASAN_SHADOW_GRANULARITY <= MAX_SUPPORTED_STACK_ALIGNMENT); 1460 1461 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY; 1462 } 1463 1464 /* Always emit 4 bytes at a time. */ 1465 #define RZ_BUFFER_SIZE 4 1466 1467 /* ASAN redzone buffer container that handles emission of shadow bytes. */ 1468 class asan_redzone_buffer 1469 { 1470 public: 1471 /* Constructor. */ 1472 asan_redzone_buffer (rtx shadow_mem, HOST_WIDE_INT prev_offset): 1473 m_shadow_mem (shadow_mem), m_prev_offset (prev_offset), 1474 m_original_offset (prev_offset), m_shadow_bytes (RZ_BUFFER_SIZE) 1475 {} 1476 1477 /* Emit VALUE shadow byte at a given OFFSET. */ 1478 void emit_redzone_byte (HOST_WIDE_INT offset, unsigned char value); 1479 1480 /* Emit RTX emission of the content of the buffer. */ 1481 void flush_redzone_payload (void); 1482 1483 private: 1484 /* Flush if the content of the buffer is full 1485 (equal to RZ_BUFFER_SIZE). */ 1486 void flush_if_full (void); 1487 1488 /* Memory where we last emitted a redzone payload. */ 1489 rtx m_shadow_mem; 1490 1491 /* Relative offset where we last emitted a redzone payload. */ 1492 HOST_WIDE_INT m_prev_offset; 1493 1494 /* Relative original offset. Used for checking only. */ 1495 HOST_WIDE_INT m_original_offset; 1496 1497 public: 1498 /* Buffer with redzone payload. */ 1499 auto_vec<unsigned char> m_shadow_bytes; 1500 }; 1501 1502 /* Emit VALUE shadow byte at a given OFFSET. */ 1503 1504 void 1505 asan_redzone_buffer::emit_redzone_byte (HOST_WIDE_INT offset, 1506 unsigned char value) 1507 { 1508 gcc_assert ((offset & (ASAN_SHADOW_GRANULARITY - 1)) == 0); 1509 gcc_assert (offset >= m_prev_offset); 1510 1511 HOST_WIDE_INT off 1512 = m_prev_offset + ASAN_SHADOW_GRANULARITY * m_shadow_bytes.length (); 1513 if (off == offset) 1514 /* Consecutive shadow memory byte. */; 1515 else if (offset < m_prev_offset + (HOST_WIDE_INT) (ASAN_SHADOW_GRANULARITY 1516 * RZ_BUFFER_SIZE) 1517 && !m_shadow_bytes.is_empty ()) 1518 { 1519 /* Shadow memory byte with a small gap. */ 1520 for (; off < offset; off += ASAN_SHADOW_GRANULARITY) 1521 m_shadow_bytes.safe_push (0); 1522 } 1523 else 1524 { 1525 if (!m_shadow_bytes.is_empty ()) 1526 flush_redzone_payload (); 1527 1528 /* Maybe start earlier in order to use aligned store. */ 1529 HOST_WIDE_INT align = (offset - m_prev_offset) % ASAN_RED_ZONE_SIZE; 1530 if (align) 1531 { 1532 offset -= align; 1533 for (unsigned i = 0; i < align / BITS_PER_UNIT; i++) 1534 m_shadow_bytes.safe_push (0); 1535 } 1536 1537 /* Adjust m_prev_offset and m_shadow_mem. */ 1538 HOST_WIDE_INT diff = offset - m_prev_offset; 1539 m_shadow_mem = adjust_address (m_shadow_mem, VOIDmode, 1540 diff >> ASAN_SHADOW_SHIFT); 1541 m_prev_offset = offset; 1542 } 1543 m_shadow_bytes.safe_push (value); 1544 flush_if_full (); 1545 } 1546 1547 /* Emit RTX emission of the content of the buffer. */ 1548 1549 void 1550 asan_redzone_buffer::flush_redzone_payload (void) 1551 { 1552 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN); 1553 1554 if (m_shadow_bytes.is_empty ()) 1555 return; 1556 1557 /* Be sure we always emit to an aligned address. */ 1558 gcc_assert (((m_prev_offset - m_original_offset) 1559 & (ASAN_RED_ZONE_SIZE - 1)) == 0); 1560 1561 /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */ 1562 unsigned l = m_shadow_bytes.length (); 1563 for (unsigned i = 0; i <= RZ_BUFFER_SIZE - l; i++) 1564 m_shadow_bytes.safe_push (0); 1565 1566 if (dump_file && (dump_flags & TDF_DETAILS)) 1567 fprintf (dump_file, 1568 "Flushing rzbuffer at offset %" PRId64 " with: ", m_prev_offset); 1569 1570 unsigned HOST_WIDE_INT val = 0; 1571 for (unsigned i = 0; i < RZ_BUFFER_SIZE; i++) 1572 { 1573 unsigned char v 1574 = m_shadow_bytes[BYTES_BIG_ENDIAN ? RZ_BUFFER_SIZE - i - 1 : i]; 1575 val |= (unsigned HOST_WIDE_INT)v << (BITS_PER_UNIT * i); 1576 if (dump_file && (dump_flags & TDF_DETAILS)) 1577 fprintf (dump_file, "%02x ", v); 1578 } 1579 1580 if (dump_file && (dump_flags & TDF_DETAILS)) 1581 fprintf (dump_file, "\n"); 1582 1583 rtx c = gen_int_mode (val, SImode); 1584 m_shadow_mem = adjust_address (m_shadow_mem, SImode, 0); 1585 emit_move_insn (m_shadow_mem, c); 1586 m_shadow_bytes.truncate (0); 1587 } 1588 1589 /* Flush if the content of the buffer is full 1590 (equal to RZ_BUFFER_SIZE). */ 1591 1592 void 1593 asan_redzone_buffer::flush_if_full (void) 1594 { 1595 if (m_shadow_bytes.length () == RZ_BUFFER_SIZE) 1596 flush_redzone_payload (); 1597 } 1598 1599 1600 /* HWAddressSanitizer (hwasan) is a probabilistic method for detecting 1601 out-of-bounds and use-after-free bugs. 1602 Read more: 1603 http://code.google.com/p/address-sanitizer/ 1604 1605 Similar to AddressSanitizer (asan) it consists of two parts: the 1606 instrumentation module in this file, and a run-time library. 1607 1608 The instrumentation module adds a run-time check before every memory insn in 1609 the same manner as asan (see the block comment for AddressSanitizer above). 1610 Currently, hwasan only adds out-of-line instrumentation, where each check is 1611 implemented as a function call to the run-time library. Hence a check for a 1612 load of N bytes from address X would be implemented with a function call to 1613 __hwasan_loadN(X), and checking a store of N bytes from address X would be 1614 implemented with a function call to __hwasan_storeN(X). 1615 1616 The main difference between hwasan and asan is in the information stored to 1617 help this checking. Both sanitizers use a shadow memory area which stores 1618 data recording the state of main memory at a corresponding address. 1619 1620 For hwasan, each 16 byte granule in main memory has a corresponding 1 byte 1621 in shadow memory. This shadow address can be calculated with equation: 1622 (addr >> log_2(HWASAN_TAG_GRANULE_SIZE)) 1623 + __hwasan_shadow_memory_dynamic_address; 1624 The conversion between real and shadow memory for asan is given in the block 1625 comment at the top of this file. 1626 The description of how this shadow memory is laid out for asan is in the 1627 block comment at the top of this file, here we describe how this shadow 1628 memory is used for hwasan. 1629 1630 For hwasan, each variable is assigned a byte-sized 'tag'. The extent of 1631 the shadow memory for that variable is filled with the assigned tag, and 1632 every pointer referencing that variable has its top byte set to the same 1633 tag. The run-time library redefines malloc so that every allocation returns 1634 a tagged pointer and tags the corresponding shadow memory with the same tag. 1635 1636 On each pointer dereference the tag found in the pointer is compared to the 1637 tag found in the shadow memory corresponding to the accessed memory address. 1638 If these tags are found to differ then this memory access is judged to be 1639 invalid and a report is generated. 1640 1641 This method of bug detection is not perfect -- it can not catch every bad 1642 access -- but catches them probabilistically instead. There is always the 1643 possibility that an invalid memory access will happen to access memory 1644 tagged with the same tag as the pointer that this access used. 1645 The chances of this are approx. 0.4% for any two uncorrelated objects. 1646 1647 Random tag generation can mitigate this problem by decreasing the 1648 probability that an invalid access will be missed in the same manner over 1649 multiple runs. i.e. if two objects are tagged the same in one run of the 1650 binary they are unlikely to be tagged the same in the next run. 1651 Both heap and stack allocated objects have random tags by default. 1652 1653 [16 byte granule implications] 1654 Since the shadow memory only has a resolution on real memory of 16 bytes, 1655 invalid accesses that are within the same 16 byte granule as a valid 1656 address will not be caught. 1657 1658 There is a "short-granule" feature in the runtime library which does catch 1659 such accesses, but this feature is not implemented for stack objects (since 1660 stack objects are allocated and tagged by compiler instrumentation, and 1661 this feature has not yet been implemented in GCC instrumentation). 1662 1663 Another outcome of this 16 byte resolution is that each tagged object must 1664 be 16 byte aligned. If two objects were to share any 16 byte granule in 1665 memory, then they both would have to be given the same tag, and invalid 1666 accesses to one using a pointer to the other would be undetectable. 1667 1668 [Compiler instrumentation] 1669 Compiler instrumentation ensures that two adjacent buffers on the stack are 1670 given different tags, this means an access to one buffer using a pointer 1671 generated from the other (e.g. through buffer overrun) will have mismatched 1672 tags and be caught by hwasan. 1673 1674 We don't randomly tag every object on the stack, since that would require 1675 keeping many registers to record each tag. Instead we randomly generate a 1676 tag for each function frame, and each new stack object uses a tag offset 1677 from that frame tag. 1678 i.e. each object is tagged as RFT + offset, where RFT is the "random frame 1679 tag" generated for this frame. 1680 This means that randomisation does not peturb the difference between tags 1681 on tagged stack objects within a frame, but this is mitigated by the fact 1682 that objects with the same tag within a frame are very far apart 1683 (approx. 2^HWASAN_TAG_SIZE objects apart). 1684 1685 As a demonstration, using the same example program as in the asan block 1686 comment above: 1687 1688 int 1689 foo () 1690 { 1691 char a[24] = {0}; 1692 int b[2] = {0}; 1693 1694 a[5] = 1; 1695 b[1] = 2; 1696 1697 return a[5] + b[1]; 1698 } 1699 1700 On AArch64 the stack will be ordered as follows for the above function: 1701 1702 Slot 1/ [24 bytes for variable 'a'] 1703 Slot 2/ [8 bytes padding for alignment] 1704 Slot 3/ [8 bytes for variable 'b'] 1705 Slot 4/ [8 bytes padding for alignment] 1706 1707 (The padding is there to ensure 16 byte alignment as described in the 16 1708 byte granule implications). 1709 1710 While the shadow memory will be ordered as follows: 1711 1712 - 2 bytes (representing 32 bytes in real memory) tagged with RFT + 1. 1713 - 1 byte (representing 16 bytes in real memory) tagged with RFT + 2. 1714 1715 And any pointer to "a" will have the tag RFT + 1, and any pointer to "b" 1716 will have the tag RFT + 2. 1717 1718 [Top Byte Ignore requirements] 1719 Hwasan requires the ability to store an 8 bit tag in every pointer. There 1720 is no instrumentation done to remove this tag from pointers before 1721 dereferencing, which means the hardware must ignore this tag during memory 1722 accesses. 1723 1724 Architectures where this feature is available should indicate this using 1725 the TARGET_MEMTAG_CAN_TAG_ADDRESSES hook. 1726 1727 [Stack requires cleanup on unwinding] 1728 During normal operation of a hwasan sanitized program more space in the 1729 shadow memory becomes tagged as the stack grows. As the stack shrinks this 1730 shadow memory space must become untagged. If it is not untagged then when 1731 the stack grows again (during other function calls later on in the program) 1732 objects on the stack that are usually not tagged (e.g. parameters passed on 1733 the stack) can be placed in memory whose shadow space is tagged with 1734 something else, and accesses can cause false positive reports. 1735 1736 Hence we place untagging code on every epilogue of functions which tag some 1737 stack objects. 1738 1739 Moreover, the run-time library intercepts longjmp & setjmp to untag when 1740 the stack is unwound this way. 1741 1742 C++ exceptions are not yet handled, which means this sanitizer can not 1743 handle C++ code that throws exceptions -- it will give false positives 1744 after an exception has been thrown. The implementation that the hwasan 1745 library has for handling these relies on the frame pointer being after any 1746 local variables. This is not generally the case for GCC. */ 1747 1748 1749 /* Returns whether we are tagging pointers and checking those tags on memory 1750 access. */ 1751 bool 1752 hwasan_sanitize_p () 1753 { 1754 return sanitize_flags_p (SANITIZE_HWADDRESS); 1755 } 1756 1757 /* Are we tagging the stack? */ 1758 bool 1759 hwasan_sanitize_stack_p () 1760 { 1761 return (hwasan_sanitize_p () && param_hwasan_instrument_stack); 1762 } 1763 1764 /* Are we tagging alloca objects? */ 1765 bool 1766 hwasan_sanitize_allocas_p (void) 1767 { 1768 return (hwasan_sanitize_stack_p () && param_hwasan_instrument_allocas); 1769 } 1770 1771 /* Should we instrument reads? */ 1772 bool 1773 hwasan_instrument_reads (void) 1774 { 1775 return (hwasan_sanitize_p () && param_hwasan_instrument_reads); 1776 } 1777 1778 /* Should we instrument writes? */ 1779 bool 1780 hwasan_instrument_writes (void) 1781 { 1782 return (hwasan_sanitize_p () && param_hwasan_instrument_writes); 1783 } 1784 1785 /* Should we instrument builtin calls? */ 1786 bool 1787 hwasan_memintrin (void) 1788 { 1789 return (hwasan_sanitize_p () && param_hwasan_instrument_mem_intrinsics); 1790 } 1791 1792 /* Insert code to protect stack vars. The prologue sequence should be emitted 1793 directly, epilogue sequence returned. BASE is the register holding the 1794 stack base, against which OFFSETS array offsets are relative to, OFFSETS 1795 array contains pairs of offsets in reverse order, always the end offset 1796 of some gap that needs protection followed by starting offset, 1797 and DECLS is an array of representative decls for each var partition. 1798 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1 1799 elements long (OFFSETS include gap before the first variable as well 1800 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo 1801 register which stack vars DECL_RTLs are based on. Either BASE should be 1802 assigned to PBASE, when not doing use after return protection, or 1803 corresponding address based on __asan_stack_malloc* return value. */ 1804 1805 rtx_insn * 1806 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb, 1807 HOST_WIDE_INT *offsets, tree *decls, int length) 1808 { 1809 rtx shadow_base, shadow_mem, ret, mem, orig_base; 1810 rtx_code_label *lab; 1811 rtx_insn *insns; 1812 char buf[32]; 1813 HOST_WIDE_INT base_offset = offsets[length - 1]; 1814 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset; 1815 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset; 1816 HOST_WIDE_INT last_offset, last_size, last_size_aligned; 1817 int l; 1818 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT; 1819 tree str_cst, decl, id; 1820 int use_after_return_class = -1; 1821 1822 /* Don't emit anything when doing error recovery, the assertions 1823 might fail e.g. if a function had a frame offset overflow. */ 1824 if (seen_error ()) 1825 return NULL; 1826 1827 if (shadow_ptr_types[0] == NULL_TREE) 1828 asan_init_shadow_ptr_types (); 1829 1830 expanded_location cfun_xloc 1831 = expand_location (DECL_SOURCE_LOCATION (current_function_decl)); 1832 1833 /* First of all, prepare the description string. */ 1834 pretty_printer asan_pp; 1835 1836 pp_decimal_int (&asan_pp, length / 2 - 1); 1837 pp_space (&asan_pp); 1838 for (l = length - 2; l; l -= 2) 1839 { 1840 tree decl = decls[l / 2 - 1]; 1841 pp_wide_integer (&asan_pp, offsets[l] - base_offset); 1842 pp_space (&asan_pp); 1843 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]); 1844 pp_space (&asan_pp); 1845 1846 expanded_location xloc 1847 = expand_location (DECL_SOURCE_LOCATION (decl)); 1848 char location[32]; 1849 1850 if (xloc.file == cfun_xloc.file) 1851 sprintf (location, ":%d", xloc.line); 1852 else 1853 location[0] = '\0'; 1854 1855 if (DECL_P (decl) && DECL_NAME (decl)) 1856 { 1857 unsigned idlen 1858 = IDENTIFIER_LENGTH (DECL_NAME (decl)) + strlen (location); 1859 pp_decimal_int (&asan_pp, idlen); 1860 pp_space (&asan_pp); 1861 pp_tree_identifier (&asan_pp, DECL_NAME (decl)); 1862 pp_string (&asan_pp, location); 1863 } 1864 else 1865 pp_string (&asan_pp, "9 <unknown>"); 1866 1867 if (l > 2) 1868 pp_space (&asan_pp); 1869 } 1870 str_cst = asan_pp_string (&asan_pp); 1871 1872 gcc_checking_assert (offsets[0] == (crtl->stack_protect_guard 1873 ? -ASAN_RED_ZONE_SIZE : 0)); 1874 /* Emit the prologue sequence. */ 1875 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase 1876 && param_asan_use_after_return) 1877 { 1878 HOST_WIDE_INT adjusted_frame_size = asan_frame_size; 1879 /* The stack protector guard is allocated at the top of the frame 1880 and cfgexpand.cc then uses align_frame_offset (ASAN_RED_ZONE_SIZE); 1881 while in that case we can still use asan_frame_size, we need to take 1882 that into account when computing base_align_bias. */ 1883 if (alignb > ASAN_RED_ZONE_SIZE && crtl->stack_protect_guard) 1884 adjusted_frame_size += ASAN_RED_ZONE_SIZE; 1885 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5; 1886 /* __asan_stack_malloc_N guarantees alignment 1887 N < 6 ? (64 << N) : 4096 bytes. */ 1888 if (alignb > (use_after_return_class < 6 1889 ? (64U << use_after_return_class) : 4096U)) 1890 use_after_return_class = -1; 1891 else if (alignb > ASAN_RED_ZONE_SIZE 1892 && (adjusted_frame_size & (alignb - 1))) 1893 { 1894 base_align_bias 1895 = ((adjusted_frame_size + alignb - 1) 1896 & ~(alignb - HOST_WIDE_INT_1)) - adjusted_frame_size; 1897 use_after_return_class 1898 = floor_log2 (asan_frame_size + base_align_bias - 1) - 5; 1899 if (use_after_return_class > 10) 1900 { 1901 base_align_bias = 0; 1902 use_after_return_class = -1; 1903 } 1904 } 1905 } 1906 1907 /* Align base if target is STRICT_ALIGNMENT. */ 1908 if (STRICT_ALIGNMENT) 1909 { 1910 const HOST_WIDE_INT align 1911 = (GET_MODE_ALIGNMENT (SImode) / BITS_PER_UNIT) << ASAN_SHADOW_SHIFT; 1912 base = expand_binop (Pmode, and_optab, base, gen_int_mode (-align, Pmode), 1913 NULL_RTX, 1, OPTAB_DIRECT); 1914 } 1915 1916 if (use_after_return_class == -1 && pbase) 1917 emit_move_insn (pbase, base); 1918 1919 base = expand_binop (Pmode, add_optab, base, 1920 gen_int_mode (base_offset - base_align_bias, Pmode), 1921 NULL_RTX, 1, OPTAB_DIRECT); 1922 orig_base = NULL_RTX; 1923 if (use_after_return_class != -1) 1924 { 1925 if (asan_detect_stack_use_after_return == NULL_TREE) 1926 { 1927 id = get_identifier ("__asan_option_detect_stack_use_after_return"); 1928 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id, 1929 integer_type_node); 1930 SET_DECL_ASSEMBLER_NAME (decl, id); 1931 TREE_ADDRESSABLE (decl) = 1; 1932 DECL_ARTIFICIAL (decl) = 1; 1933 DECL_IGNORED_P (decl) = 1; 1934 DECL_EXTERNAL (decl) = 1; 1935 TREE_STATIC (decl) = 1; 1936 TREE_PUBLIC (decl) = 1; 1937 TREE_USED (decl) = 1; 1938 asan_detect_stack_use_after_return = decl; 1939 } 1940 orig_base = gen_reg_rtx (Pmode); 1941 emit_move_insn (orig_base, base); 1942 ret = expand_normal (asan_detect_stack_use_after_return); 1943 lab = gen_label_rtx (); 1944 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX, 1945 VOIDmode, 0, lab, 1946 profile_probability::very_likely ()); 1947 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d", 1948 use_after_return_class); 1949 ret = init_one_libfunc (buf); 1950 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode, 1951 GEN_INT (asan_frame_size 1952 + base_align_bias), 1953 TYPE_MODE (pointer_sized_int_node)); 1954 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded 1955 and NULL otherwise. Check RET value is NULL here and jump over the 1956 BASE reassignment in this case. Otherwise, reassign BASE to RET. */ 1957 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX, 1958 VOIDmode, 0, lab, 1959 profile_probability:: very_unlikely ()); 1960 ret = convert_memory_address (Pmode, ret); 1961 emit_move_insn (base, ret); 1962 emit_label (lab); 1963 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base, 1964 gen_int_mode (base_align_bias 1965 - base_offset, Pmode), 1966 NULL_RTX, 1, OPTAB_DIRECT)); 1967 } 1968 mem = gen_rtx_MEM (ptr_mode, base); 1969 mem = adjust_address (mem, VOIDmode, base_align_bias); 1970 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode)); 1971 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode)); 1972 emit_move_insn (mem, expand_normal (str_cst)); 1973 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode)); 1974 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no); 1975 id = get_identifier (buf); 1976 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl), 1977 VAR_DECL, id, char_type_node); 1978 SET_DECL_ASSEMBLER_NAME (decl, id); 1979 TREE_ADDRESSABLE (decl) = 1; 1980 TREE_READONLY (decl) = 1; 1981 DECL_ARTIFICIAL (decl) = 1; 1982 DECL_IGNORED_P (decl) = 1; 1983 TREE_STATIC (decl) = 1; 1984 TREE_PUBLIC (decl) = 0; 1985 TREE_USED (decl) = 1; 1986 DECL_INITIAL (decl) = decl; 1987 TREE_ASM_WRITTEN (decl) = 1; 1988 TREE_ASM_WRITTEN (id) = 1; 1989 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl))); 1990 shadow_base = expand_binop (Pmode, lshr_optab, base, 1991 gen_int_shift_amount (Pmode, ASAN_SHADOW_SHIFT), 1992 NULL_RTX, 1, OPTAB_DIRECT); 1993 shadow_base 1994 = plus_constant (Pmode, shadow_base, 1995 asan_shadow_offset () 1996 + (base_align_bias >> ASAN_SHADOW_SHIFT)); 1997 gcc_assert (asan_shadow_set != -1 1998 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4); 1999 shadow_mem = gen_rtx_MEM (SImode, shadow_base); 2000 set_mem_alias_set (shadow_mem, asan_shadow_set); 2001 if (STRICT_ALIGNMENT) 2002 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode))); 2003 prev_offset = base_offset; 2004 2005 asan_redzone_buffer rz_buffer (shadow_mem, prev_offset); 2006 for (l = length; l; l -= 2) 2007 { 2008 if (l == 2) 2009 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT; 2010 offset = offsets[l - 1]; 2011 2012 bool extra_byte = (offset - base_offset) & (ASAN_SHADOW_GRANULARITY - 1); 2013 /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then 2014 the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0. 2015 In that case we have to emit one extra byte that will describe 2016 how many bytes (our of ASAN_SHADOW_GRANULARITY) can be accessed. */ 2017 if (extra_byte) 2018 { 2019 HOST_WIDE_INT aoff 2020 = base_offset + ((offset - base_offset) 2021 & ~(ASAN_SHADOW_GRANULARITY - HOST_WIDE_INT_1)); 2022 rz_buffer.emit_redzone_byte (aoff, offset - aoff); 2023 offset = aoff + ASAN_SHADOW_GRANULARITY; 2024 } 2025 2026 /* Calculate size of red zone payload. */ 2027 while (offset < offsets[l - 2]) 2028 { 2029 rz_buffer.emit_redzone_byte (offset, cur_shadow_byte); 2030 offset += ASAN_SHADOW_GRANULARITY; 2031 } 2032 2033 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE; 2034 } 2035 2036 /* As the automatic variables are aligned to 2037 ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be 2038 flushed here. */ 2039 gcc_assert (rz_buffer.m_shadow_bytes.is_empty ()); 2040 2041 do_pending_stack_adjust (); 2042 2043 /* Construct epilogue sequence. */ 2044 start_sequence (); 2045 2046 lab = NULL; 2047 if (use_after_return_class != -1) 2048 { 2049 rtx_code_label *lab2 = gen_label_rtx (); 2050 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET; 2051 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX, 2052 VOIDmode, 0, lab2, 2053 profile_probability::very_likely ()); 2054 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base); 2055 set_mem_alias_set (shadow_mem, asan_shadow_set); 2056 mem = gen_rtx_MEM (ptr_mode, base); 2057 mem = adjust_address (mem, VOIDmode, base_align_bias); 2058 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode)); 2059 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT; 2060 if (use_after_return_class < 5 2061 && can_store_by_pieces (sz, builtin_memset_read_str, &c, 2062 BITS_PER_UNIT, true)) 2063 { 2064 /* Emit: 2065 memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize); 2066 **SavedFlagPtr(FakeStack, class_id) = 0 2067 */ 2068 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c, 2069 BITS_PER_UNIT, true, RETURN_BEGIN); 2070 2071 unsigned HOST_WIDE_INT offset 2072 = (1 << (use_after_return_class + 6)); 2073 offset -= GET_MODE_SIZE (ptr_mode); 2074 mem = gen_rtx_MEM (ptr_mode, base); 2075 mem = adjust_address (mem, ptr_mode, offset); 2076 rtx addr = gen_reg_rtx (ptr_mode); 2077 emit_move_insn (addr, mem); 2078 addr = convert_memory_address (Pmode, addr); 2079 mem = gen_rtx_MEM (QImode, addr); 2080 emit_move_insn (mem, const0_rtx); 2081 } 2082 else if (use_after_return_class >= 5 2083 || !set_storage_via_setmem (shadow_mem, 2084 GEN_INT (sz), 2085 gen_int_mode (c, QImode), 2086 BITS_PER_UNIT, BITS_PER_UNIT, 2087 -1, sz, sz, sz)) 2088 { 2089 snprintf (buf, sizeof buf, "__asan_stack_free_%d", 2090 use_after_return_class); 2091 ret = init_one_libfunc (buf); 2092 rtx addr = convert_memory_address (ptr_mode, base); 2093 rtx orig_addr = convert_memory_address (ptr_mode, orig_base); 2094 emit_library_call (ret, LCT_NORMAL, ptr_mode, addr, ptr_mode, 2095 GEN_INT (asan_frame_size + base_align_bias), 2096 TYPE_MODE (pointer_sized_int_node), 2097 orig_addr, ptr_mode); 2098 } 2099 lab = gen_label_rtx (); 2100 emit_jump (lab); 2101 emit_label (lab2); 2102 } 2103 2104 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base); 2105 set_mem_alias_set (shadow_mem, asan_shadow_set); 2106 2107 if (STRICT_ALIGNMENT) 2108 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode))); 2109 2110 prev_offset = base_offset; 2111 last_offset = base_offset; 2112 last_size = 0; 2113 last_size_aligned = 0; 2114 for (l = length; l; l -= 2) 2115 { 2116 offset = base_offset + ((offsets[l - 1] - base_offset) 2117 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1)); 2118 if (last_offset + last_size_aligned < offset) 2119 { 2120 shadow_mem = adjust_address (shadow_mem, VOIDmode, 2121 (last_offset - prev_offset) 2122 >> ASAN_SHADOW_SHIFT); 2123 prev_offset = last_offset; 2124 asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT); 2125 last_offset = offset; 2126 last_size = 0; 2127 } 2128 else 2129 last_size = offset - last_offset; 2130 last_size += base_offset + ((offsets[l - 2] - base_offset) 2131 & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1)) 2132 - offset; 2133 2134 /* Unpoison shadow memory that corresponds to a variable that is 2135 is subject of use-after-return sanitization. */ 2136 if (l > 2) 2137 { 2138 decl = decls[l / 2 - 2]; 2139 if (asan_handled_variables != NULL 2140 && asan_handled_variables->contains (decl)) 2141 { 2142 HOST_WIDE_INT size = offsets[l - 3] - offsets[l - 2]; 2143 if (dump_file && (dump_flags & TDF_DETAILS)) 2144 { 2145 const char *n = (DECL_NAME (decl) 2146 ? IDENTIFIER_POINTER (DECL_NAME (decl)) 2147 : "<unknown>"); 2148 fprintf (dump_file, "Unpoisoning shadow stack for variable: " 2149 "%s (%" PRId64 " B)\n", n, size); 2150 } 2151 2152 last_size += size & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1); 2153 } 2154 } 2155 last_size_aligned 2156 = ((last_size + (ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1)) 2157 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1)); 2158 } 2159 if (last_size_aligned) 2160 { 2161 shadow_mem = adjust_address (shadow_mem, VOIDmode, 2162 (last_offset - prev_offset) 2163 >> ASAN_SHADOW_SHIFT); 2164 asan_clear_shadow (shadow_mem, last_size_aligned >> ASAN_SHADOW_SHIFT); 2165 } 2166 2167 /* Clean-up set with instrumented stack variables. */ 2168 delete asan_handled_variables; 2169 asan_handled_variables = NULL; 2170 delete asan_used_labels; 2171 asan_used_labels = NULL; 2172 2173 do_pending_stack_adjust (); 2174 if (lab) 2175 emit_label (lab); 2176 2177 insns = get_insns (); 2178 end_sequence (); 2179 return insns; 2180 } 2181 2182 /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds 2183 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE 2184 indicates whether we're emitting new instructions sequence or not. */ 2185 2186 rtx_insn * 2187 asan_emit_allocas_unpoison (rtx top, rtx bot, rtx_insn *before) 2188 { 2189 if (before) 2190 push_to_sequence (before); 2191 else 2192 start_sequence (); 2193 rtx ret = init_one_libfunc ("__asan_allocas_unpoison"); 2194 top = convert_memory_address (ptr_mode, top); 2195 bot = convert_memory_address (ptr_mode, bot); 2196 emit_library_call (ret, LCT_NORMAL, ptr_mode, 2197 top, ptr_mode, bot, ptr_mode); 2198 2199 do_pending_stack_adjust (); 2200 rtx_insn *insns = get_insns (); 2201 end_sequence (); 2202 return insns; 2203 } 2204 2205 /* Return true if DECL, a global var, might be overridden and needs 2206 therefore a local alias. */ 2207 2208 static bool 2209 asan_needs_local_alias (tree decl) 2210 { 2211 return DECL_WEAK (decl) || !targetm.binds_local_p (decl); 2212 } 2213 2214 /* Return true if DECL, a global var, is an artificial ODR indicator symbol 2215 therefore doesn't need protection. */ 2216 2217 static bool 2218 is_odr_indicator (tree decl) 2219 { 2220 return (DECL_ARTIFICIAL (decl) 2221 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl))); 2222 } 2223 2224 /* Return true if DECL is a VAR_DECL that should be protected 2225 by Address Sanitizer, by appending a red zone with protected 2226 shadow memory after it and aligning it to at least 2227 ASAN_RED_ZONE_SIZE bytes. */ 2228 2229 bool 2230 asan_protect_global (tree decl, bool ignore_decl_rtl_set_p) 2231 { 2232 if (!param_asan_globals) 2233 return false; 2234 2235 rtx rtl, symbol; 2236 2237 if (TREE_CODE (decl) == STRING_CST) 2238 { 2239 /* Instrument all STRING_CSTs except those created 2240 by asan_pp_string here. */ 2241 if (shadow_ptr_types[0] != NULL_TREE 2242 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE 2243 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0])) 2244 return false; 2245 return true; 2246 } 2247 if (!VAR_P (decl) 2248 /* TLS vars aren't statically protectable. */ 2249 || DECL_THREAD_LOCAL_P (decl) 2250 /* Externs will be protected elsewhere. */ 2251 || DECL_EXTERNAL (decl) 2252 /* PR sanitizer/81697: For architectures that use section anchors first 2253 call to asan_protect_global may occur before DECL_RTL (decl) is set. 2254 We should ignore DECL_RTL_SET_P then, because otherwise the first call 2255 to asan_protect_global will return FALSE and the following calls on the 2256 same decl after setting DECL_RTL (decl) will return TRUE and we'll end 2257 up with inconsistency at runtime. */ 2258 || (!DECL_RTL_SET_P (decl) && !ignore_decl_rtl_set_p) 2259 /* Comdat vars pose an ABI problem, we can't know if 2260 the var that is selected by the linker will have 2261 padding or not. */ 2262 || DECL_ONE_ONLY (decl) 2263 /* Similarly for common vars. People can use -fno-common. 2264 Note: Linux kernel is built with -fno-common, so we do instrument 2265 globals there even if it is C. */ 2266 || (DECL_COMMON (decl) && TREE_PUBLIC (decl)) 2267 /* Don't protect if using user section, often vars placed 2268 into user section from multiple TUs are then assumed 2269 to be an array of such vars, putting padding in there 2270 breaks this assumption. */ 2271 || (DECL_SECTION_NAME (decl) != NULL 2272 && !symtab_node::get (decl)->implicit_section 2273 && !section_sanitized_p (DECL_SECTION_NAME (decl))) 2274 /* Don't protect variables in non-generic address-space. */ 2275 || !ADDR_SPACE_GENERIC_P (TYPE_ADDR_SPACE (TREE_TYPE (decl))) 2276 || DECL_SIZE (decl) == 0 2277 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT 2278 || TREE_CODE (DECL_SIZE_UNIT (decl)) != INTEGER_CST 2279 || !valid_constant_size_p (DECL_SIZE_UNIT (decl)) 2280 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE 2281 || TREE_TYPE (decl) == ubsan_get_source_location_type () 2282 || is_odr_indicator (decl)) 2283 return false; 2284 2285 if (!ignore_decl_rtl_set_p || DECL_RTL_SET_P (decl)) 2286 { 2287 2288 rtl = DECL_RTL (decl); 2289 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF) 2290 return false; 2291 symbol = XEXP (rtl, 0); 2292 2293 if (CONSTANT_POOL_ADDRESS_P (symbol) 2294 || TREE_CONSTANT_POOL_ADDRESS_P (symbol)) 2295 return false; 2296 } 2297 2298 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl))) 2299 return false; 2300 2301 if (!TARGET_SUPPORTS_ALIASES && asan_needs_local_alias (decl)) 2302 return false; 2303 2304 return true; 2305 } 2306 2307 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}. 2308 IS_STORE is either 1 (for a store) or 0 (for a load). */ 2309 2310 static tree 2311 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes, 2312 int *nargs) 2313 { 2314 gcc_assert (!hwasan_sanitize_p ()); 2315 2316 static enum built_in_function report[2][2][6] 2317 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2, 2318 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8, 2319 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N }, 2320 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2, 2321 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8, 2322 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } }, 2323 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT, 2324 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT, 2325 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT, 2326 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT, 2327 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT, 2328 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT }, 2329 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT, 2330 BUILT_IN_ASAN_REPORT_STORE2_NOABORT, 2331 BUILT_IN_ASAN_REPORT_STORE4_NOABORT, 2332 BUILT_IN_ASAN_REPORT_STORE8_NOABORT, 2333 BUILT_IN_ASAN_REPORT_STORE16_NOABORT, 2334 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } }; 2335 if (size_in_bytes == -1) 2336 { 2337 *nargs = 2; 2338 return builtin_decl_implicit (report[recover_p][is_store][5]); 2339 } 2340 *nargs = 1; 2341 int size_log2 = exact_log2 (size_in_bytes); 2342 return builtin_decl_implicit (report[recover_p][is_store][size_log2]); 2343 } 2344 2345 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}. 2346 IS_STORE is either 1 (for a store) or 0 (for a load). */ 2347 2348 static tree 2349 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes, 2350 int *nargs) 2351 { 2352 static enum built_in_function check[2][2][6] 2353 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2, 2354 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8, 2355 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN }, 2356 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2, 2357 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8, 2358 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } }, 2359 { { BUILT_IN_ASAN_LOAD1_NOABORT, 2360 BUILT_IN_ASAN_LOAD2_NOABORT, 2361 BUILT_IN_ASAN_LOAD4_NOABORT, 2362 BUILT_IN_ASAN_LOAD8_NOABORT, 2363 BUILT_IN_ASAN_LOAD16_NOABORT, 2364 BUILT_IN_ASAN_LOADN_NOABORT }, 2365 { BUILT_IN_ASAN_STORE1_NOABORT, 2366 BUILT_IN_ASAN_STORE2_NOABORT, 2367 BUILT_IN_ASAN_STORE4_NOABORT, 2368 BUILT_IN_ASAN_STORE8_NOABORT, 2369 BUILT_IN_ASAN_STORE16_NOABORT, 2370 BUILT_IN_ASAN_STOREN_NOABORT } } }; 2371 if (size_in_bytes == -1) 2372 { 2373 *nargs = 2; 2374 return builtin_decl_implicit (check[recover_p][is_store][5]); 2375 } 2376 *nargs = 1; 2377 int size_log2 = exact_log2 (size_in_bytes); 2378 return builtin_decl_implicit (check[recover_p][is_store][size_log2]); 2379 } 2380 2381 /* Split the current basic block and create a condition statement 2382 insertion point right before or after the statement pointed to by 2383 ITER. Return an iterator to the point at which the caller might 2384 safely insert the condition statement. 2385 2386 THEN_BLOCK must be set to the address of an uninitialized instance 2387 of basic_block. The function will then set *THEN_BLOCK to the 2388 'then block' of the condition statement to be inserted by the 2389 caller. 2390 2391 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from 2392 *THEN_BLOCK to *FALLTHROUGH_BLOCK. 2393 2394 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else 2395 block' of the condition statement to be inserted by the caller. 2396 2397 Note that *FALLTHROUGH_BLOCK is a new block that contains the 2398 statements starting from *ITER, and *THEN_BLOCK is a new empty 2399 block. 2400 2401 *ITER is adjusted to point to always point to the first statement 2402 of the basic block * FALLTHROUGH_BLOCK. That statement is the 2403 same as what ITER was pointing to prior to calling this function, 2404 if BEFORE_P is true; otherwise, it is its following statement. */ 2405 2406 gimple_stmt_iterator 2407 create_cond_insert_point (gimple_stmt_iterator *iter, 2408 bool before_p, 2409 bool then_more_likely_p, 2410 bool create_then_fallthru_edge, 2411 basic_block *then_block, 2412 basic_block *fallthrough_block) 2413 { 2414 gimple_stmt_iterator gsi = *iter; 2415 2416 if (!gsi_end_p (gsi) && before_p) 2417 gsi_prev (&gsi); 2418 2419 basic_block cur_bb = gsi_bb (*iter); 2420 2421 edge e = split_block (cur_bb, gsi_stmt (gsi)); 2422 2423 /* Get a hold on the 'condition block', the 'then block' and the 2424 'else block'. */ 2425 basic_block cond_bb = e->src; 2426 basic_block fallthru_bb = e->dest; 2427 basic_block then_bb = create_empty_bb (cond_bb); 2428 if (current_loops) 2429 { 2430 add_bb_to_loop (then_bb, cond_bb->loop_father); 2431 loops_state_set (LOOPS_NEED_FIXUP); 2432 } 2433 2434 /* Set up the newly created 'then block'. */ 2435 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE); 2436 profile_probability fallthrough_probability 2437 = then_more_likely_p 2438 ? profile_probability::very_unlikely () 2439 : profile_probability::very_likely (); 2440 e->probability = fallthrough_probability.invert (); 2441 then_bb->count = e->count (); 2442 if (create_then_fallthru_edge) 2443 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU); 2444 2445 /* Set up the fallthrough basic block. */ 2446 e = find_edge (cond_bb, fallthru_bb); 2447 e->flags = EDGE_FALSE_VALUE; 2448 e->probability = fallthrough_probability; 2449 2450 /* Update dominance info for the newly created then_bb; note that 2451 fallthru_bb's dominance info has already been updated by 2452 split_bock. */ 2453 if (dom_info_available_p (CDI_DOMINATORS)) 2454 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb); 2455 2456 *then_block = then_bb; 2457 *fallthrough_block = fallthru_bb; 2458 *iter = gsi_start_bb (fallthru_bb); 2459 2460 return gsi_last_bb (cond_bb); 2461 } 2462 2463 /* Insert an if condition followed by a 'then block' right before the 2464 statement pointed to by ITER. The fallthrough block -- which is the 2465 else block of the condition as well as the destination of the 2466 outcoming edge of the 'then block' -- starts with the statement 2467 pointed to by ITER. 2468 2469 COND is the condition of the if. 2470 2471 If THEN_MORE_LIKELY_P is true, the probability of the edge to the 2472 'then block' is higher than the probability of the edge to the 2473 fallthrough block. 2474 2475 Upon completion of the function, *THEN_BB is set to the newly 2476 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the 2477 fallthrough block. 2478 2479 *ITER is adjusted to still point to the same statement it was 2480 pointing to initially. */ 2481 2482 static void 2483 insert_if_then_before_iter (gcond *cond, 2484 gimple_stmt_iterator *iter, 2485 bool then_more_likely_p, 2486 basic_block *then_bb, 2487 basic_block *fallthrough_bb) 2488 { 2489 gimple_stmt_iterator cond_insert_point = 2490 create_cond_insert_point (iter, 2491 /*before_p=*/true, 2492 then_more_likely_p, 2493 /*create_then_fallthru_edge=*/true, 2494 then_bb, 2495 fallthrough_bb); 2496 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT); 2497 } 2498 2499 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset (). 2500 If RETURN_ADDRESS is set to true, return memory location instread 2501 of a value in the shadow memory. */ 2502 2503 static tree 2504 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location, 2505 tree base_addr, tree shadow_ptr_type, 2506 bool return_address = false) 2507 { 2508 tree t, uintptr_type = TREE_TYPE (base_addr); 2509 tree shadow_type = TREE_TYPE (shadow_ptr_type); 2510 gimple *g; 2511 2512 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT); 2513 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR, 2514 base_addr, t); 2515 gimple_set_location (g, location); 2516 gsi_insert_after (gsi, g, GSI_NEW_STMT); 2517 2518 t = build_int_cst (uintptr_type, asan_shadow_offset ()); 2519 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR, 2520 gimple_assign_lhs (g), t); 2521 gimple_set_location (g, location); 2522 gsi_insert_after (gsi, g, GSI_NEW_STMT); 2523 2524 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR, 2525 gimple_assign_lhs (g)); 2526 gimple_set_location (g, location); 2527 gsi_insert_after (gsi, g, GSI_NEW_STMT); 2528 2529 if (!return_address) 2530 { 2531 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g), 2532 build_int_cst (shadow_ptr_type, 0)); 2533 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t); 2534 gimple_set_location (g, location); 2535 gsi_insert_after (gsi, g, GSI_NEW_STMT); 2536 } 2537 2538 return gimple_assign_lhs (g); 2539 } 2540 2541 /* BASE can already be an SSA_NAME; in that case, do not create a 2542 new SSA_NAME for it. */ 2543 2544 static tree 2545 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter, 2546 bool before_p) 2547 { 2548 STRIP_USELESS_TYPE_CONVERSION (base); 2549 if (TREE_CODE (base) == SSA_NAME) 2550 return base; 2551 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)), base); 2552 gimple_set_location (g, loc); 2553 if (before_p) 2554 gsi_insert_before (iter, g, GSI_SAME_STMT); 2555 else 2556 gsi_insert_after (iter, g, GSI_NEW_STMT); 2557 return gimple_assign_lhs (g); 2558 } 2559 2560 /* LEN can already have necessary size and precision; 2561 in that case, do not create a new variable. */ 2562 2563 tree 2564 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter, 2565 bool before_p) 2566 { 2567 if (ptrofftype_p (len)) 2568 return len; 2569 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), 2570 NOP_EXPR, len); 2571 gimple_set_location (g, loc); 2572 if (before_p) 2573 gsi_insert_before (iter, g, GSI_SAME_STMT); 2574 else 2575 gsi_insert_after (iter, g, GSI_NEW_STMT); 2576 return gimple_assign_lhs (g); 2577 } 2578 2579 /* Instrument the memory access instruction BASE. Insert new 2580 statements before or after ITER. 2581 2582 Note that the memory access represented by BASE can be either an 2583 SSA_NAME, or a non-SSA expression. LOCATION is the source code 2584 location. IS_STORE is TRUE for a store, FALSE for a load. 2585 BEFORE_P is TRUE for inserting the instrumentation code before 2586 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE 2587 for a scalar memory access and FALSE for memory region access. 2588 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero 2589 length. ALIGN tells alignment of accessed memory object. 2590 2591 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of 2592 memory region have already been instrumented. 2593 2594 If BEFORE_P is TRUE, *ITER is arranged to still point to the 2595 statement it was pointing to prior to calling this function, 2596 otherwise, it points to the statement logically following it. */ 2597 2598 static void 2599 build_check_stmt (location_t loc, tree base, tree len, 2600 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter, 2601 bool is_non_zero_len, bool before_p, bool is_store, 2602 bool is_scalar_access, unsigned int align = 0) 2603 { 2604 gimple_stmt_iterator gsi = *iter; 2605 gimple *g; 2606 2607 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len)); 2608 gcc_assert (size_in_bytes == -1 || size_in_bytes >= 1); 2609 2610 gsi = *iter; 2611 2612 base = unshare_expr (base); 2613 base = maybe_create_ssa_name (loc, base, &gsi, before_p); 2614 2615 if (len) 2616 { 2617 len = unshare_expr (len); 2618 len = maybe_cast_to_ptrmode (loc, len, iter, before_p); 2619 } 2620 else 2621 { 2622 gcc_assert (size_in_bytes != -1); 2623 len = build_int_cst (pointer_sized_int_node, size_in_bytes); 2624 } 2625 2626 if (size_in_bytes > 1) 2627 { 2628 if ((size_in_bytes & (size_in_bytes - 1)) != 0 2629 || size_in_bytes > 16) 2630 is_scalar_access = false; 2631 else if (align && align < size_in_bytes * BITS_PER_UNIT) 2632 { 2633 /* On non-strict alignment targets, if 2634 16-byte access is just 8-byte aligned, 2635 this will result in misaligned shadow 2636 memory 2 byte load, but otherwise can 2637 be handled using one read. */ 2638 if (size_in_bytes != 16 2639 || STRICT_ALIGNMENT 2640 || align < 8 * BITS_PER_UNIT) 2641 is_scalar_access = false; 2642 } 2643 } 2644 2645 HOST_WIDE_INT flags = 0; 2646 if (is_store) 2647 flags |= ASAN_CHECK_STORE; 2648 if (is_non_zero_len) 2649 flags |= ASAN_CHECK_NON_ZERO_LEN; 2650 if (is_scalar_access) 2651 flags |= ASAN_CHECK_SCALAR_ACCESS; 2652 2653 enum internal_fn fn = hwasan_sanitize_p () 2654 ? IFN_HWASAN_CHECK 2655 : IFN_ASAN_CHECK; 2656 2657 g = gimple_build_call_internal (fn, 4, 2658 build_int_cst (integer_type_node, flags), 2659 base, len, 2660 build_int_cst (integer_type_node, 2661 align / BITS_PER_UNIT)); 2662 gimple_set_location (g, loc); 2663 if (before_p) 2664 gsi_insert_before (&gsi, g, GSI_SAME_STMT); 2665 else 2666 { 2667 gsi_insert_after (&gsi, g, GSI_NEW_STMT); 2668 gsi_next (&gsi); 2669 *iter = gsi; 2670 } 2671 } 2672 2673 /* If T represents a memory access, add instrumentation code before ITER. 2674 LOCATION is source code location. 2675 IS_STORE is either TRUE (for a store) or FALSE (for a load). */ 2676 2677 static void 2678 instrument_derefs (gimple_stmt_iterator *iter, tree t, 2679 location_t location, bool is_store) 2680 { 2681 if (is_store && !(asan_instrument_writes () || hwasan_instrument_writes ())) 2682 return; 2683 if (!is_store && !(asan_instrument_reads () || hwasan_instrument_reads ())) 2684 return; 2685 2686 tree type, base; 2687 HOST_WIDE_INT size_in_bytes; 2688 if (location == UNKNOWN_LOCATION) 2689 location = EXPR_LOCATION (t); 2690 2691 type = TREE_TYPE (t); 2692 switch (TREE_CODE (t)) 2693 { 2694 case ARRAY_REF: 2695 case COMPONENT_REF: 2696 case INDIRECT_REF: 2697 case MEM_REF: 2698 case VAR_DECL: 2699 case BIT_FIELD_REF: 2700 break; 2701 /* FALLTHRU */ 2702 default: 2703 return; 2704 } 2705 2706 size_in_bytes = int_size_in_bytes (type); 2707 if (size_in_bytes <= 0) 2708 return; 2709 2710 poly_int64 bitsize, bitpos; 2711 tree offset; 2712 machine_mode mode; 2713 int unsignedp, reversep, volatilep = 0; 2714 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode, 2715 &unsignedp, &reversep, &volatilep); 2716 2717 if (TREE_CODE (t) == COMPONENT_REF 2718 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE) 2719 { 2720 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)); 2721 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr), 2722 TREE_OPERAND (t, 0), repr, 2723 TREE_OPERAND (t, 2)), 2724 location, is_store); 2725 return; 2726 } 2727 2728 if (!multiple_p (bitpos, BITS_PER_UNIT) 2729 || maybe_ne (bitsize, size_in_bytes * BITS_PER_UNIT)) 2730 return; 2731 2732 if (VAR_P (inner) && DECL_HARD_REGISTER (inner)) 2733 return; 2734 2735 /* Accesses to non-generic address-spaces should not be instrumented. */ 2736 if (!ADDR_SPACE_GENERIC_P (TYPE_ADDR_SPACE (TREE_TYPE (inner)))) 2737 return; 2738 2739 poly_int64 decl_size; 2740 if ((VAR_P (inner) || TREE_CODE (inner) == RESULT_DECL) 2741 && offset == NULL_TREE 2742 && DECL_SIZE (inner) 2743 && poly_int_tree_p (DECL_SIZE (inner), &decl_size) 2744 && known_subrange_p (bitpos, bitsize, 0, decl_size)) 2745 { 2746 if (VAR_P (inner) && DECL_THREAD_LOCAL_P (inner)) 2747 return; 2748 /* If we're not sanitizing globals and we can tell statically that this 2749 access is inside a global variable, then there's no point adding 2750 instrumentation to check the access. N.b. hwasan currently never 2751 sanitizes globals. */ 2752 if ((hwasan_sanitize_p () || !param_asan_globals) 2753 && is_global_var (inner)) 2754 return; 2755 if (!TREE_STATIC (inner)) 2756 { 2757 /* Automatic vars in the current function will be always 2758 accessible. */ 2759 if (decl_function_context (inner) == current_function_decl 2760 && (!asan_sanitize_use_after_scope () 2761 || !TREE_ADDRESSABLE (inner))) 2762 return; 2763 } 2764 /* Always instrument external vars, they might be dynamically 2765 initialized. */ 2766 else if (!DECL_EXTERNAL (inner)) 2767 { 2768 /* For static vars if they are known not to be dynamically 2769 initialized, they will be always accessible. */ 2770 varpool_node *vnode = varpool_node::get (inner); 2771 if (vnode && !vnode->dynamically_initialized) 2772 return; 2773 } 2774 } 2775 2776 if (DECL_P (inner) 2777 && decl_function_context (inner) == current_function_decl 2778 && !TREE_ADDRESSABLE (inner)) 2779 mark_addressable (inner); 2780 2781 base = build_fold_addr_expr (t); 2782 if (!has_mem_ref_been_instrumented (base, size_in_bytes)) 2783 { 2784 unsigned int align = get_object_alignment (t); 2785 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter, 2786 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true, 2787 is_store, /*is_scalar_access*/true, align); 2788 update_mem_ref_hash_table (base, size_in_bytes); 2789 update_mem_ref_hash_table (t, size_in_bytes); 2790 } 2791 2792 } 2793 2794 /* Insert a memory reference into the hash table if access length 2795 can be determined in compile time. */ 2796 2797 static void 2798 maybe_update_mem_ref_hash_table (tree base, tree len) 2799 { 2800 if (!POINTER_TYPE_P (TREE_TYPE (base)) 2801 || !INTEGRAL_TYPE_P (TREE_TYPE (len))) 2802 return; 2803 2804 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1; 2805 2806 if (size_in_bytes != -1) 2807 update_mem_ref_hash_table (base, size_in_bytes); 2808 } 2809 2810 /* Instrument an access to a contiguous memory region that starts at 2811 the address pointed to by BASE, over a length of LEN (expressed in 2812 the sizeof (*BASE) bytes). ITER points to the instruction before 2813 which the instrumentation instructions must be inserted. LOCATION 2814 is the source location that the instrumentation instructions must 2815 have. If IS_STORE is true, then the memory access is a store; 2816 otherwise, it's a load. */ 2817 2818 static void 2819 instrument_mem_region_access (tree base, tree len, 2820 gimple_stmt_iterator *iter, 2821 location_t location, bool is_store) 2822 { 2823 if (!POINTER_TYPE_P (TREE_TYPE (base)) 2824 || !INTEGRAL_TYPE_P (TREE_TYPE (len)) 2825 || integer_zerop (len)) 2826 return; 2827 2828 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1; 2829 2830 if ((size_in_bytes == -1) 2831 || !has_mem_ref_been_instrumented (base, size_in_bytes)) 2832 { 2833 build_check_stmt (location, base, len, size_in_bytes, iter, 2834 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true, 2835 is_store, /*is_scalar_access*/false, /*align*/0); 2836 } 2837 2838 maybe_update_mem_ref_hash_table (base, len); 2839 *iter = gsi_for_stmt (gsi_stmt (*iter)); 2840 } 2841 2842 /* Instrument the call to a built-in memory access function that is 2843 pointed to by the iterator ITER. 2844 2845 Upon completion, return TRUE iff *ITER has been advanced to the 2846 statement following the one it was originally pointing to. */ 2847 2848 static bool 2849 instrument_builtin_call (gimple_stmt_iterator *iter) 2850 { 2851 if (!(asan_memintrin () || hwasan_memintrin ())) 2852 return false; 2853 2854 bool iter_advanced_p = false; 2855 gcall *call = as_a <gcall *> (gsi_stmt (*iter)); 2856 2857 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL)); 2858 2859 location_t loc = gimple_location (call); 2860 2861 asan_mem_ref src0, src1, dest; 2862 asan_mem_ref_init (&src0, NULL, 1); 2863 asan_mem_ref_init (&src1, NULL, 1); 2864 asan_mem_ref_init (&dest, NULL, 1); 2865 2866 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE; 2867 bool src0_is_store = false, src1_is_store = false, dest_is_store = false, 2868 dest_is_deref = false, intercepted_p = true; 2869 2870 if (get_mem_refs_of_builtin_call (call, 2871 &src0, &src0_len, &src0_is_store, 2872 &src1, &src1_len, &src1_is_store, 2873 &dest, &dest_len, &dest_is_store, 2874 &dest_is_deref, &intercepted_p, iter)) 2875 { 2876 if (dest_is_deref) 2877 { 2878 instrument_derefs (iter, dest.start, loc, dest_is_store); 2879 gsi_next (iter); 2880 iter_advanced_p = true; 2881 } 2882 else if (!intercepted_p 2883 && (src0_len || src1_len || dest_len)) 2884 { 2885 if (src0.start != NULL_TREE) 2886 instrument_mem_region_access (src0.start, src0_len, 2887 iter, loc, /*is_store=*/false); 2888 if (src1.start != NULL_TREE) 2889 instrument_mem_region_access (src1.start, src1_len, 2890 iter, loc, /*is_store=*/false); 2891 if (dest.start != NULL_TREE) 2892 instrument_mem_region_access (dest.start, dest_len, 2893 iter, loc, /*is_store=*/true); 2894 2895 *iter = gsi_for_stmt (call); 2896 gsi_next (iter); 2897 iter_advanced_p = true; 2898 } 2899 else 2900 { 2901 if (src0.start != NULL_TREE) 2902 maybe_update_mem_ref_hash_table (src0.start, src0_len); 2903 if (src1.start != NULL_TREE) 2904 maybe_update_mem_ref_hash_table (src1.start, src1_len); 2905 if (dest.start != NULL_TREE) 2906 maybe_update_mem_ref_hash_table (dest.start, dest_len); 2907 } 2908 } 2909 return iter_advanced_p; 2910 } 2911 2912 /* Instrument the assignment statement ITER if it is subject to 2913 instrumentation. Return TRUE iff instrumentation actually 2914 happened. In that case, the iterator ITER is advanced to the next 2915 logical expression following the one initially pointed to by ITER, 2916 and the relevant memory reference that which access has been 2917 instrumented is added to the memory references hash table. */ 2918 2919 static bool 2920 maybe_instrument_assignment (gimple_stmt_iterator *iter) 2921 { 2922 gimple *s = gsi_stmt (*iter); 2923 2924 gcc_assert (gimple_assign_single_p (s)); 2925 2926 tree ref_expr = NULL_TREE; 2927 bool is_store, is_instrumented = false; 2928 2929 if (gimple_store_p (s)) 2930 { 2931 ref_expr = gimple_assign_lhs (s); 2932 is_store = true; 2933 instrument_derefs (iter, ref_expr, 2934 gimple_location (s), 2935 is_store); 2936 is_instrumented = true; 2937 } 2938 2939 if (gimple_assign_load_p (s)) 2940 { 2941 ref_expr = gimple_assign_rhs1 (s); 2942 is_store = false; 2943 instrument_derefs (iter, ref_expr, 2944 gimple_location (s), 2945 is_store); 2946 is_instrumented = true; 2947 } 2948 2949 if (is_instrumented) 2950 gsi_next (iter); 2951 2952 return is_instrumented; 2953 } 2954 2955 /* Instrument the function call pointed to by the iterator ITER, if it 2956 is subject to instrumentation. At the moment, the only function 2957 calls that are instrumented are some built-in functions that access 2958 memory. Look at instrument_builtin_call to learn more. 2959 2960 Upon completion return TRUE iff *ITER was advanced to the statement 2961 following the one it was originally pointing to. */ 2962 2963 static bool 2964 maybe_instrument_call (gimple_stmt_iterator *iter) 2965 { 2966 gimple *stmt = gsi_stmt (*iter); 2967 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL); 2968 2969 if (is_builtin && instrument_builtin_call (iter)) 2970 return true; 2971 2972 if (gimple_call_noreturn_p (stmt)) 2973 { 2974 if (is_builtin) 2975 { 2976 tree callee = gimple_call_fndecl (stmt); 2977 switch (DECL_FUNCTION_CODE (callee)) 2978 { 2979 case BUILT_IN_UNREACHABLE: 2980 case BUILT_IN_TRAP: 2981 /* Don't instrument these. */ 2982 return false; 2983 default: 2984 break; 2985 } 2986 } 2987 /* If a function does not return, then we must handle clearing up the 2988 shadow stack accordingly. For ASAN we can simply set the entire stack 2989 to "valid" for accesses by setting the shadow space to 0 and all 2990 accesses will pass checks. That means that some bad accesses may be 2991 missed, but we will not report any false positives. 2992 2993 This is not possible for HWASAN. Since there is no "always valid" tag 2994 we can not set any space to "always valid". If we were to clear the 2995 entire shadow stack then code resuming from `longjmp` or a caught 2996 exception would trigger false positives when correctly accessing 2997 variables on the stack. Hence we need to handle things like 2998 `longjmp`, thread exit, and exceptions in a different way. These 2999 problems must be handled externally to the compiler, e.g. in the 3000 language runtime. */ 3001 if (! hwasan_sanitize_p ()) 3002 { 3003 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN); 3004 gimple *g = gimple_build_call (decl, 0); 3005 gimple_set_location (g, gimple_location (stmt)); 3006 gsi_insert_before (iter, g, GSI_SAME_STMT); 3007 } 3008 } 3009 3010 bool instrumented = false; 3011 if (gimple_store_p (stmt)) 3012 { 3013 tree ref_expr = gimple_call_lhs (stmt); 3014 instrument_derefs (iter, ref_expr, 3015 gimple_location (stmt), 3016 /*is_store=*/true); 3017 3018 instrumented = true; 3019 } 3020 3021 /* Walk through gimple_call arguments and check them id needed. */ 3022 unsigned args_num = gimple_call_num_args (stmt); 3023 for (unsigned i = 0; i < args_num; ++i) 3024 { 3025 tree arg = gimple_call_arg (stmt, i); 3026 /* If ARG is not a non-aggregate register variable, compiler in general 3027 creates temporary for it and pass it as argument to gimple call. 3028 But in some cases, e.g. when we pass by value a small structure that 3029 fits to register, compiler can avoid extra overhead by pulling out 3030 these temporaries. In this case, we should check the argument. */ 3031 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg)) 3032 { 3033 instrument_derefs (iter, arg, 3034 gimple_location (stmt), 3035 /*is_store=*/false); 3036 instrumented = true; 3037 } 3038 } 3039 if (instrumented) 3040 gsi_next (iter); 3041 return instrumented; 3042 } 3043 3044 /* Walk each instruction of all basic block and instrument those that 3045 represent memory references: loads, stores, or function calls. 3046 In a given basic block, this function avoids instrumenting memory 3047 references that have already been instrumented. */ 3048 3049 static void 3050 transform_statements (void) 3051 { 3052 basic_block bb, last_bb = NULL; 3053 gimple_stmt_iterator i; 3054 int saved_last_basic_block = last_basic_block_for_fn (cfun); 3055 3056 FOR_EACH_BB_FN (bb, cfun) 3057 { 3058 basic_block prev_bb = bb; 3059 3060 if (bb->index >= saved_last_basic_block) continue; 3061 3062 /* Flush the mem ref hash table, if current bb doesn't have 3063 exactly one predecessor, or if that predecessor (skipping 3064 over asan created basic blocks) isn't the last processed 3065 basic block. Thus we effectively flush on extended basic 3066 block boundaries. */ 3067 while (single_pred_p (prev_bb)) 3068 { 3069 prev_bb = single_pred (prev_bb); 3070 if (prev_bb->index < saved_last_basic_block) 3071 break; 3072 } 3073 if (prev_bb != last_bb) 3074 empty_mem_ref_hash_table (); 3075 last_bb = bb; 3076 3077 for (i = gsi_start_bb (bb); !gsi_end_p (i);) 3078 { 3079 gimple *s = gsi_stmt (i); 3080 3081 if (has_stmt_been_instrumented_p (s)) 3082 gsi_next (&i); 3083 else if (gimple_assign_single_p (s) 3084 && !gimple_clobber_p (s) 3085 && maybe_instrument_assignment (&i)) 3086 /* Nothing to do as maybe_instrument_assignment advanced 3087 the iterator I. */; 3088 else if (is_gimple_call (s) && maybe_instrument_call (&i)) 3089 /* Nothing to do as maybe_instrument_call 3090 advanced the iterator I. */; 3091 else 3092 { 3093 /* No instrumentation happened. 3094 3095 If the current instruction is a function call that 3096 might free something, let's forget about the memory 3097 references that got instrumented. Otherwise we might 3098 miss some instrumentation opportunities. Do the same 3099 for a ASAN_MARK poisoning internal function. */ 3100 if (is_gimple_call (s) 3101 && (!nonfreeing_call_p (s) 3102 || asan_mark_p (s, ASAN_MARK_POISON))) 3103 empty_mem_ref_hash_table (); 3104 3105 gsi_next (&i); 3106 } 3107 } 3108 } 3109 free_mem_ref_resources (); 3110 } 3111 3112 /* Build 3113 __asan_before_dynamic_init (module_name) 3114 or 3115 __asan_after_dynamic_init () 3116 call. */ 3117 3118 tree 3119 asan_dynamic_init_call (bool after_p) 3120 { 3121 if (shadow_ptr_types[0] == NULL_TREE) 3122 asan_init_shadow_ptr_types (); 3123 3124 tree fn = builtin_decl_implicit (after_p 3125 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT 3126 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT); 3127 tree module_name_cst = NULL_TREE; 3128 if (!after_p) 3129 { 3130 pretty_printer module_name_pp; 3131 pp_string (&module_name_pp, main_input_filename); 3132 3133 module_name_cst = asan_pp_string (&module_name_pp); 3134 module_name_cst = fold_convert (const_ptr_type_node, 3135 module_name_cst); 3136 } 3137 3138 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst); 3139 } 3140 3141 /* Build 3142 struct __asan_global 3143 { 3144 const void *__beg; 3145 uptr __size; 3146 uptr __size_with_redzone; 3147 const void *__name; 3148 const void *__module_name; 3149 uptr __has_dynamic_init; 3150 __asan_global_source_location *__location; 3151 char *__odr_indicator; 3152 } type. */ 3153 3154 static tree 3155 asan_global_struct (void) 3156 { 3157 static const char *field_names[] 3158 = { "__beg", "__size", "__size_with_redzone", 3159 "__name", "__module_name", "__has_dynamic_init", "__location", 3160 "__odr_indicator" }; 3161 tree fields[ARRAY_SIZE (field_names)], ret; 3162 unsigned i; 3163 3164 ret = make_node (RECORD_TYPE); 3165 for (i = 0; i < ARRAY_SIZE (field_names); i++) 3166 { 3167 fields[i] 3168 = build_decl (UNKNOWN_LOCATION, FIELD_DECL, 3169 get_identifier (field_names[i]), 3170 (i == 0 || i == 3) ? const_ptr_type_node 3171 : pointer_sized_int_node); 3172 DECL_CONTEXT (fields[i]) = ret; 3173 if (i) 3174 DECL_CHAIN (fields[i - 1]) = fields[i]; 3175 } 3176 tree type_decl = build_decl (input_location, TYPE_DECL, 3177 get_identifier ("__asan_global"), ret); 3178 DECL_IGNORED_P (type_decl) = 1; 3179 DECL_ARTIFICIAL (type_decl) = 1; 3180 TYPE_FIELDS (ret) = fields[0]; 3181 TYPE_NAME (ret) = type_decl; 3182 TYPE_STUB_DECL (ret) = type_decl; 3183 TYPE_ARTIFICIAL (ret) = 1; 3184 layout_type (ret); 3185 return ret; 3186 } 3187 3188 /* Create and return odr indicator symbol for DECL. 3189 TYPE is __asan_global struct type as returned by asan_global_struct. */ 3190 3191 static tree 3192 create_odr_indicator (tree decl, tree type) 3193 { 3194 char *name; 3195 tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type))); 3196 tree decl_name 3197 = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl) 3198 : DECL_NAME (decl)); 3199 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */ 3200 if (decl_name == NULL_TREE) 3201 return build_int_cst (uptr, 0); 3202 const char *dname = IDENTIFIER_POINTER (decl_name); 3203 if (HAS_DECL_ASSEMBLER_NAME_P (decl)) 3204 dname = targetm.strip_name_encoding (dname); 3205 size_t len = strlen (dname) + sizeof ("__odr_asan_"); 3206 name = XALLOCAVEC (char, len); 3207 snprintf (name, len, "__odr_asan_%s", dname); 3208 #ifndef NO_DOT_IN_LABEL 3209 name[sizeof ("__odr_asan") - 1] = '.'; 3210 #elif !defined(NO_DOLLAR_IN_LABEL) 3211 name[sizeof ("__odr_asan") - 1] = '$'; 3212 #endif 3213 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name), 3214 char_type_node); 3215 TREE_ADDRESSABLE (var) = 1; 3216 TREE_READONLY (var) = 0; 3217 TREE_THIS_VOLATILE (var) = 1; 3218 DECL_ARTIFICIAL (var) = 1; 3219 DECL_IGNORED_P (var) = 1; 3220 TREE_STATIC (var) = 1; 3221 TREE_PUBLIC (var) = 1; 3222 DECL_VISIBILITY (var) = DECL_VISIBILITY (decl); 3223 DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl); 3224 3225 TREE_USED (var) = 1; 3226 tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE, 3227 build_int_cst (unsigned_type_node, 0)); 3228 TREE_CONSTANT (ctor) = 1; 3229 TREE_STATIC (ctor) = 1; 3230 DECL_INITIAL (var) = ctor; 3231 DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"), 3232 NULL, DECL_ATTRIBUTES (var)); 3233 make_decl_rtl (var); 3234 varpool_node::finalize_decl (var); 3235 return fold_convert (uptr, build_fold_addr_expr (var)); 3236 } 3237 3238 /* Return true if DECL, a global var, might be overridden and needs 3239 an additional odr indicator symbol. */ 3240 3241 static bool 3242 asan_needs_odr_indicator_p (tree decl) 3243 { 3244 /* Don't emit ODR indicators for kernel because: 3245 a) Kernel is written in C thus doesn't need ODR indicators. 3246 b) Some kernel code may have assumptions about symbols containing specific 3247 patterns in their names. Since ODR indicators contain original names 3248 of symbols they are emitted for, these assumptions would be broken for 3249 ODR indicator symbols. */ 3250 return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS) 3251 && !DECL_ARTIFICIAL (decl) 3252 && !DECL_WEAK (decl) 3253 && TREE_PUBLIC (decl)); 3254 } 3255 3256 /* Append description of a single global DECL into vector V. 3257 TYPE is __asan_global struct type as returned by asan_global_struct. */ 3258 3259 static void 3260 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v) 3261 { 3262 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type))); 3263 unsigned HOST_WIDE_INT size; 3264 tree str_cst, module_name_cst, refdecl = decl; 3265 vec<constructor_elt, va_gc> *vinner = NULL; 3266 3267 pretty_printer asan_pp, module_name_pp; 3268 3269 if (DECL_NAME (decl)) 3270 pp_tree_identifier (&asan_pp, DECL_NAME (decl)); 3271 else 3272 pp_string (&asan_pp, "<unknown>"); 3273 str_cst = asan_pp_string (&asan_pp); 3274 3275 if (!in_lto_p) 3276 pp_string (&module_name_pp, main_input_filename); 3277 else 3278 { 3279 const_tree tu = get_ultimate_context ((const_tree)decl); 3280 if (tu != NULL_TREE) 3281 pp_string (&module_name_pp, IDENTIFIER_POINTER (DECL_NAME (tu))); 3282 else 3283 pp_string (&module_name_pp, aux_base_name); 3284 } 3285 3286 module_name_cst = asan_pp_string (&module_name_pp); 3287 3288 if (asan_needs_local_alias (decl)) 3289 { 3290 char buf[20]; 3291 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1); 3292 refdecl = build_decl (DECL_SOURCE_LOCATION (decl), 3293 VAR_DECL, get_identifier (buf), TREE_TYPE (decl)); 3294 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl); 3295 TREE_READONLY (refdecl) = TREE_READONLY (decl); 3296 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl); 3297 DECL_NOT_GIMPLE_REG_P (refdecl) = DECL_NOT_GIMPLE_REG_P (decl); 3298 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl); 3299 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl); 3300 TREE_STATIC (refdecl) = 1; 3301 TREE_PUBLIC (refdecl) = 0; 3302 TREE_USED (refdecl) = 1; 3303 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl)); 3304 } 3305 3306 tree odr_indicator_ptr 3307 = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type) 3308 : build_int_cst (uptr, 0)); 3309 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, 3310 fold_convert (const_ptr_type_node, 3311 build_fold_addr_expr (refdecl))); 3312 size = tree_to_uhwi (DECL_SIZE_UNIT (decl)); 3313 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size)); 3314 size += asan_red_zone_size (size); 3315 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size)); 3316 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, 3317 fold_convert (const_ptr_type_node, str_cst)); 3318 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, 3319 fold_convert (const_ptr_type_node, module_name_cst)); 3320 varpool_node *vnode = varpool_node::get (decl); 3321 int has_dynamic_init = 0; 3322 /* FIXME: Enable initialization order fiasco detection in LTO mode once 3323 proper fix for PR 79061 will be applied. */ 3324 if (!in_lto_p) 3325 has_dynamic_init = vnode ? vnode->dynamically_initialized : 0; 3326 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, 3327 build_int_cst (uptr, has_dynamic_init)); 3328 tree locptr = NULL_TREE; 3329 location_t loc = DECL_SOURCE_LOCATION (decl); 3330 expanded_location xloc = expand_location (loc); 3331 if (xloc.file != NULL) 3332 { 3333 static int lasanloccnt = 0; 3334 char buf[25]; 3335 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt); 3336 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf), 3337 ubsan_get_source_location_type ()); 3338 TREE_STATIC (var) = 1; 3339 TREE_PUBLIC (var) = 0; 3340 DECL_ARTIFICIAL (var) = 1; 3341 DECL_IGNORED_P (var) = 1; 3342 pretty_printer filename_pp; 3343 pp_string (&filename_pp, xloc.file); 3344 tree str = asan_pp_string (&filename_pp); 3345 tree ctor = build_constructor_va (TREE_TYPE (var), 3, 3346 NULL_TREE, str, NULL_TREE, 3347 build_int_cst (unsigned_type_node, 3348 xloc.line), NULL_TREE, 3349 build_int_cst (unsigned_type_node, 3350 xloc.column)); 3351 TREE_CONSTANT (ctor) = 1; 3352 TREE_STATIC (ctor) = 1; 3353 DECL_INITIAL (var) = ctor; 3354 varpool_node::finalize_decl (var); 3355 locptr = fold_convert (uptr, build_fold_addr_expr (var)); 3356 } 3357 else 3358 locptr = build_int_cst (uptr, 0); 3359 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr); 3360 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr); 3361 init = build_constructor (type, vinner); 3362 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init); 3363 } 3364 3365 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */ 3366 void 3367 initialize_sanitizer_builtins (void) 3368 { 3369 tree decl; 3370 3371 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT)) 3372 return; 3373 3374 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE); 3375 tree BT_FN_VOID_PTR 3376 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE); 3377 tree BT_FN_VOID_CONST_PTR 3378 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE); 3379 tree BT_FN_VOID_PTR_PTR 3380 = build_function_type_list (void_type_node, ptr_type_node, 3381 ptr_type_node, NULL_TREE); 3382 tree BT_FN_VOID_PTR_PTR_PTR 3383 = build_function_type_list (void_type_node, ptr_type_node, 3384 ptr_type_node, ptr_type_node, NULL_TREE); 3385 tree BT_FN_VOID_PTR_PTRMODE 3386 = build_function_type_list (void_type_node, ptr_type_node, 3387 pointer_sized_int_node, NULL_TREE); 3388 tree BT_FN_VOID_INT 3389 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE); 3390 tree BT_FN_SIZE_CONST_PTR_INT 3391 = build_function_type_list (size_type_node, const_ptr_type_node, 3392 integer_type_node, NULL_TREE); 3393 3394 tree BT_FN_VOID_UINT8_UINT8 3395 = build_function_type_list (void_type_node, unsigned_char_type_node, 3396 unsigned_char_type_node, NULL_TREE); 3397 tree BT_FN_VOID_UINT16_UINT16 3398 = build_function_type_list (void_type_node, uint16_type_node, 3399 uint16_type_node, NULL_TREE); 3400 tree BT_FN_VOID_UINT32_UINT32 3401 = build_function_type_list (void_type_node, uint32_type_node, 3402 uint32_type_node, NULL_TREE); 3403 tree BT_FN_VOID_UINT64_UINT64 3404 = build_function_type_list (void_type_node, uint64_type_node, 3405 uint64_type_node, NULL_TREE); 3406 tree BT_FN_VOID_FLOAT_FLOAT 3407 = build_function_type_list (void_type_node, float_type_node, 3408 float_type_node, NULL_TREE); 3409 tree BT_FN_VOID_DOUBLE_DOUBLE 3410 = build_function_type_list (void_type_node, double_type_node, 3411 double_type_node, NULL_TREE); 3412 tree BT_FN_VOID_UINT64_PTR 3413 = build_function_type_list (void_type_node, uint64_type_node, 3414 ptr_type_node, NULL_TREE); 3415 3416 tree BT_FN_PTR_CONST_PTR_UINT8 3417 = build_function_type_list (ptr_type_node, const_ptr_type_node, 3418 unsigned_char_type_node, NULL_TREE); 3419 tree BT_FN_VOID_PTR_UINT8_PTRMODE 3420 = build_function_type_list (void_type_node, ptr_type_node, 3421 unsigned_char_type_node, 3422 pointer_sized_int_node, NULL_TREE); 3423 3424 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5]; 3425 tree BT_FN_IX_CONST_VPTR_INT[5]; 3426 tree BT_FN_IX_VPTR_IX_INT[5]; 3427 tree BT_FN_VOID_VPTR_IX_INT[5]; 3428 tree vptr 3429 = build_pointer_type (build_qualified_type (void_type_node, 3430 TYPE_QUAL_VOLATILE)); 3431 tree cvptr 3432 = build_pointer_type (build_qualified_type (void_type_node, 3433 TYPE_QUAL_VOLATILE 3434 |TYPE_QUAL_CONST)); 3435 tree boolt 3436 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1); 3437 int i; 3438 for (i = 0; i < 5; i++) 3439 { 3440 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1); 3441 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i] 3442 = build_function_type_list (boolt, vptr, ptr_type_node, ix, 3443 integer_type_node, integer_type_node, 3444 NULL_TREE); 3445 BT_FN_IX_CONST_VPTR_INT[i] 3446 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE); 3447 BT_FN_IX_VPTR_IX_INT[i] 3448 = build_function_type_list (ix, vptr, ix, integer_type_node, 3449 NULL_TREE); 3450 BT_FN_VOID_VPTR_IX_INT[i] 3451 = build_function_type_list (void_type_node, vptr, ix, 3452 integer_type_node, NULL_TREE); 3453 } 3454 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0] 3455 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0] 3456 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0] 3457 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0] 3458 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1] 3459 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1] 3460 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1] 3461 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1] 3462 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2] 3463 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2] 3464 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2] 3465 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2] 3466 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3] 3467 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3] 3468 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3] 3469 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3] 3470 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4] 3471 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4] 3472 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4] 3473 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4] 3474 #undef ATTR_NOTHROW_LIST 3475 #define ATTR_NOTHROW_LIST ECF_NOTHROW 3476 #undef ATTR_NOTHROW_LEAF_LIST 3477 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF 3478 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST 3479 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST 3480 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST 3481 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST 3482 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST 3483 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \ 3484 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST 3485 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST 3486 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \ 3487 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST 3488 #undef ATTR_COLD_NOTHROW_LEAF_LIST 3489 #define ATTR_COLD_NOTHROW_LEAF_LIST \ 3490 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST 3491 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST 3492 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \ 3493 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST 3494 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST 3495 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \ 3496 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST 3497 #undef ATTR_PURE_NOTHROW_LEAF_LIST 3498 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST 3499 #undef DEF_BUILTIN_STUB 3500 #define DEF_BUILTIN_STUB(ENUM, NAME) 3501 #undef DEF_SANITIZER_BUILTIN_1 3502 #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \ 3503 do { \ 3504 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \ 3505 BUILT_IN_NORMAL, NAME, NULL_TREE); \ 3506 set_call_expr_flags (decl, ATTRS); \ 3507 set_builtin_decl (ENUM, decl, true); \ 3508 } while (0) 3509 #undef DEF_SANITIZER_BUILTIN 3510 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \ 3511 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS); 3512 3513 #include "sanitizer.def" 3514 3515 /* -fsanitize=object-size uses __builtin_object_size, but that might 3516 not be available for e.g. Fortran at this point. We use 3517 DEF_SANITIZER_BUILTIN here only as a convenience macro. */ 3518 if ((flag_sanitize & SANITIZE_OBJECT_SIZE) 3519 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE)) 3520 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_OBJECT_SIZE, "object_size", 3521 BT_FN_SIZE_CONST_PTR_INT, 3522 ATTR_PURE_NOTHROW_LEAF_LIST); 3523 3524 #undef DEF_SANITIZER_BUILTIN_1 3525 #undef DEF_SANITIZER_BUILTIN 3526 #undef DEF_BUILTIN_STUB 3527 } 3528 3529 /* Called via htab_traverse. Count number of emitted 3530 STRING_CSTs in the constant hash table. */ 3531 3532 int 3533 count_string_csts (constant_descriptor_tree **slot, 3534 unsigned HOST_WIDE_INT *data) 3535 { 3536 struct constant_descriptor_tree *desc = *slot; 3537 if (TREE_CODE (desc->value) == STRING_CST 3538 && TREE_ASM_WRITTEN (desc->value) 3539 && asan_protect_global (desc->value)) 3540 ++*data; 3541 return 1; 3542 } 3543 3544 /* Helper structure to pass two parameters to 3545 add_string_csts. */ 3546 3547 struct asan_add_string_csts_data 3548 { 3549 tree type; 3550 vec<constructor_elt, va_gc> *v; 3551 }; 3552 3553 /* Called via hash_table::traverse. Call asan_add_global 3554 on emitted STRING_CSTs from the constant hash table. */ 3555 3556 int 3557 add_string_csts (constant_descriptor_tree **slot, 3558 asan_add_string_csts_data *aascd) 3559 { 3560 struct constant_descriptor_tree *desc = *slot; 3561 if (TREE_CODE (desc->value) == STRING_CST 3562 && TREE_ASM_WRITTEN (desc->value) 3563 && asan_protect_global (desc->value)) 3564 { 3565 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)), 3566 aascd->type, aascd->v); 3567 } 3568 return 1; 3569 } 3570 3571 /* Needs to be GTY(()), because cgraph_build_static_cdtor may 3572 invoke ggc_collect. */ 3573 static GTY(()) tree asan_ctor_statements; 3574 3575 /* Module-level instrumentation. 3576 - Insert __asan_init_vN() into the list of CTORs. 3577 - TODO: insert redzones around globals. 3578 */ 3579 3580 void 3581 asan_finish_file (void) 3582 { 3583 varpool_node *vnode; 3584 unsigned HOST_WIDE_INT gcount = 0; 3585 3586 if (shadow_ptr_types[0] == NULL_TREE) 3587 asan_init_shadow_ptr_types (); 3588 /* Avoid instrumenting code in the asan ctors/dtors. 3589 We don't need to insert padding after the description strings, 3590 nor after .LASAN* array. */ 3591 flag_sanitize &= ~SANITIZE_ADDRESS; 3592 3593 /* For user-space we want asan constructors to run first. 3594 Linux kernel does not support priorities other than default, and the only 3595 other user of constructors is coverage. So we run with the default 3596 priority. */ 3597 int priority = flag_sanitize & SANITIZE_USER_ADDRESS 3598 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY; 3599 3600 if (flag_sanitize & SANITIZE_USER_ADDRESS) 3601 { 3602 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT); 3603 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements); 3604 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK); 3605 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements); 3606 } 3607 FOR_EACH_DEFINED_VARIABLE (vnode) 3608 if (TREE_ASM_WRITTEN (vnode->decl) 3609 && asan_protect_global (vnode->decl)) 3610 ++gcount; 3611 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab (); 3612 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts> 3613 (&gcount); 3614 if (gcount) 3615 { 3616 tree type = asan_global_struct (), var, ctor; 3617 tree dtor_statements = NULL_TREE; 3618 vec<constructor_elt, va_gc> *v; 3619 char buf[20]; 3620 3621 type = build_array_type_nelts (type, gcount); 3622 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0); 3623 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf), 3624 type); 3625 TREE_STATIC (var) = 1; 3626 TREE_PUBLIC (var) = 0; 3627 DECL_ARTIFICIAL (var) = 1; 3628 DECL_IGNORED_P (var) = 1; 3629 vec_alloc (v, gcount); 3630 FOR_EACH_DEFINED_VARIABLE (vnode) 3631 if (TREE_ASM_WRITTEN (vnode->decl) 3632 && asan_protect_global (vnode->decl)) 3633 asan_add_global (vnode->decl, TREE_TYPE (type), v); 3634 struct asan_add_string_csts_data aascd; 3635 aascd.type = TREE_TYPE (type); 3636 aascd.v = v; 3637 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts> 3638 (&aascd); 3639 ctor = build_constructor (type, v); 3640 TREE_CONSTANT (ctor) = 1; 3641 TREE_STATIC (ctor) = 1; 3642 DECL_INITIAL (var) = ctor; 3643 SET_DECL_ALIGN (var, MAX (DECL_ALIGN (var), 3644 ASAN_SHADOW_GRANULARITY * BITS_PER_UNIT)); 3645 3646 varpool_node::finalize_decl (var); 3647 3648 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS); 3649 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount); 3650 append_to_statement_list (build_call_expr (fn, 2, 3651 build_fold_addr_expr (var), 3652 gcount_tree), 3653 &asan_ctor_statements); 3654 3655 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS); 3656 append_to_statement_list (build_call_expr (fn, 2, 3657 build_fold_addr_expr (var), 3658 gcount_tree), 3659 &dtor_statements); 3660 cgraph_build_static_cdtor ('D', dtor_statements, priority); 3661 } 3662 if (asan_ctor_statements) 3663 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority); 3664 flag_sanitize |= SANITIZE_ADDRESS; 3665 } 3666 3667 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based 3668 on SHADOW address. Newly added statements will be added to ITER with 3669 given location LOC. We mark SIZE bytes in shadow memory, where 3670 LAST_CHUNK_SIZE is greater than zero in situation where we are at the 3671 end of a variable. */ 3672 3673 static void 3674 asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc, 3675 tree shadow, 3676 unsigned HOST_WIDE_INT base_addr_offset, 3677 bool is_clobber, unsigned size, 3678 unsigned last_chunk_size) 3679 { 3680 tree shadow_ptr_type; 3681 3682 switch (size) 3683 { 3684 case 1: 3685 shadow_ptr_type = shadow_ptr_types[0]; 3686 break; 3687 case 2: 3688 shadow_ptr_type = shadow_ptr_types[1]; 3689 break; 3690 case 4: 3691 shadow_ptr_type = shadow_ptr_types[2]; 3692 break; 3693 default: 3694 gcc_unreachable (); 3695 } 3696 3697 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0; 3698 unsigned HOST_WIDE_INT val = 0; 3699 unsigned last_pos = size; 3700 if (last_chunk_size && !is_clobber) 3701 last_pos = BYTES_BIG_ENDIAN ? 0 : size - 1; 3702 for (unsigned i = 0; i < size; ++i) 3703 { 3704 unsigned char shadow_c = c; 3705 if (i == last_pos) 3706 shadow_c = last_chunk_size; 3707 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i); 3708 } 3709 3710 /* Handle last chunk in unpoisoning. */ 3711 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val); 3712 3713 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow, 3714 build_int_cst (shadow_ptr_type, base_addr_offset)); 3715 3716 gimple *g = gimple_build_assign (dest, magic); 3717 gimple_set_location (g, loc); 3718 gsi_insert_after (iter, g, GSI_NEW_STMT); 3719 } 3720 3721 /* Expand the ASAN_MARK builtins. */ 3722 3723 bool 3724 asan_expand_mark_ifn (gimple_stmt_iterator *iter) 3725 { 3726 gimple *g = gsi_stmt (*iter); 3727 location_t loc = gimple_location (g); 3728 HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0)); 3729 bool is_poison = ((asan_mark_flags)flag) == ASAN_MARK_POISON; 3730 3731 tree base = gimple_call_arg (g, 1); 3732 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR); 3733 tree decl = TREE_OPERAND (base, 0); 3734 3735 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */ 3736 if (TREE_CODE (decl) == COMPONENT_REF 3737 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0))) 3738 decl = TREE_OPERAND (decl, 0); 3739 3740 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL); 3741 3742 if (hwasan_sanitize_p ()) 3743 { 3744 gcc_assert (param_hwasan_instrument_stack); 3745 gimple_seq stmts = NULL; 3746 /* Here we swap ASAN_MARK calls for HWASAN_MARK. 3747 This is because we are using the approach of using ASAN_MARK as a 3748 synonym until here. 3749 That approach means we don't yet have to duplicate all the special 3750 cases for ASAN_MARK and ASAN_POISON with the exact same handling but 3751 called HWASAN_MARK etc. 3752 3753 N.b. __asan_poison_stack_memory (which implements ASAN_MARK for ASAN) 3754 rounds the size up to its shadow memory granularity, while 3755 __hwasan_tag_memory (which implements the same for HWASAN) does not. 3756 Hence we emit HWASAN_MARK with an aligned size unlike ASAN_MARK. */ 3757 tree len = gimple_call_arg (g, 2); 3758 tree new_len = gimple_build_round_up (&stmts, loc, size_type_node, len, 3759 HWASAN_TAG_GRANULE_SIZE); 3760 gimple_build (&stmts, loc, CFN_HWASAN_MARK, 3761 void_type_node, gimple_call_arg (g, 0), 3762 base, new_len); 3763 gsi_replace_with_seq (iter, stmts, true); 3764 return false; 3765 } 3766 3767 if (is_poison) 3768 { 3769 if (asan_handled_variables == NULL) 3770 asan_handled_variables = new hash_set<tree> (16); 3771 asan_handled_variables->add (decl); 3772 } 3773 tree len = gimple_call_arg (g, 2); 3774 3775 gcc_assert (poly_int_tree_p (len)); 3776 3777 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), 3778 NOP_EXPR, base); 3779 gimple_set_location (g, loc); 3780 gsi_replace (iter, g, false); 3781 tree base_addr = gimple_assign_lhs (g); 3782 3783 /* Generate direct emission if size_in_bytes is small. */ 3784 unsigned threshold = param_use_after_scope_direct_emission_threshold; 3785 if (tree_fits_uhwi_p (len) && tree_to_uhwi (len) <= threshold) 3786 { 3787 unsigned HOST_WIDE_INT size_in_bytes = tree_to_uhwi (len); 3788 const unsigned HOST_WIDE_INT shadow_size 3789 = shadow_mem_size (size_in_bytes); 3790 const unsigned int shadow_align 3791 = (get_pointer_alignment (base) / BITS_PER_UNIT) >> ASAN_SHADOW_SHIFT; 3792 3793 tree shadow = build_shadow_mem_access (iter, loc, base_addr, 3794 shadow_ptr_types[0], true); 3795 3796 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;) 3797 { 3798 unsigned size = 1; 3799 if (shadow_size - offset >= 4 3800 && (!STRICT_ALIGNMENT || shadow_align >= 4)) 3801 size = 4; 3802 else if (shadow_size - offset >= 2 3803 && (!STRICT_ALIGNMENT || shadow_align >= 2)) 3804 size = 2; 3805 3806 unsigned HOST_WIDE_INT last_chunk_size = 0; 3807 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY; 3808 if (s > size_in_bytes) 3809 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes); 3810 3811 asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison, 3812 size, last_chunk_size); 3813 offset += size; 3814 } 3815 } 3816 else 3817 { 3818 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), 3819 NOP_EXPR, len); 3820 gimple_set_location (g, loc); 3821 gsi_insert_before (iter, g, GSI_SAME_STMT); 3822 tree sz_arg = gimple_assign_lhs (g); 3823 3824 tree fun 3825 = builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY 3826 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY); 3827 g = gimple_build_call (fun, 2, base_addr, sz_arg); 3828 gimple_set_location (g, loc); 3829 gsi_insert_after (iter, g, GSI_NEW_STMT); 3830 } 3831 3832 return false; 3833 } 3834 3835 /* Expand the ASAN_{LOAD,STORE} builtins. */ 3836 3837 bool 3838 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls) 3839 { 3840 gcc_assert (!hwasan_sanitize_p ()); 3841 gimple *g = gsi_stmt (*iter); 3842 location_t loc = gimple_location (g); 3843 bool recover_p; 3844 if (flag_sanitize & SANITIZE_USER_ADDRESS) 3845 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0; 3846 else 3847 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0; 3848 3849 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0)); 3850 gcc_assert (flags < ASAN_CHECK_LAST); 3851 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0; 3852 bool is_store = (flags & ASAN_CHECK_STORE) != 0; 3853 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0; 3854 3855 tree base = gimple_call_arg (g, 1); 3856 tree len = gimple_call_arg (g, 2); 3857 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3)); 3858 3859 HOST_WIDE_INT size_in_bytes 3860 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1; 3861 3862 if (use_calls) 3863 { 3864 /* Instrument using callbacks. */ 3865 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), 3866 NOP_EXPR, base); 3867 gimple_set_location (g, loc); 3868 gsi_insert_before (iter, g, GSI_SAME_STMT); 3869 tree base_addr = gimple_assign_lhs (g); 3870 3871 int nargs; 3872 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs); 3873 if (nargs == 1) 3874 g = gimple_build_call (fun, 1, base_addr); 3875 else 3876 { 3877 gcc_assert (nargs == 2); 3878 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), 3879 NOP_EXPR, len); 3880 gimple_set_location (g, loc); 3881 gsi_insert_before (iter, g, GSI_SAME_STMT); 3882 tree sz_arg = gimple_assign_lhs (g); 3883 g = gimple_build_call (fun, nargs, base_addr, sz_arg); 3884 } 3885 gimple_set_location (g, loc); 3886 gsi_replace (iter, g, false); 3887 return false; 3888 } 3889 3890 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes; 3891 3892 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0]; 3893 tree shadow_type = TREE_TYPE (shadow_ptr_type); 3894 3895 gimple_stmt_iterator gsi = *iter; 3896 3897 if (!is_non_zero_len) 3898 { 3899 /* So, the length of the memory area to asan-protect is 3900 non-constant. Let's guard the generated instrumentation code 3901 like: 3902 3903 if (len != 0) 3904 { 3905 //asan instrumentation code goes here. 3906 } 3907 // falltrough instructions, starting with *ITER. */ 3908 3909 g = gimple_build_cond (NE_EXPR, 3910 len, 3911 build_int_cst (TREE_TYPE (len), 0), 3912 NULL_TREE, NULL_TREE); 3913 gimple_set_location (g, loc); 3914 3915 basic_block then_bb, fallthrough_bb; 3916 insert_if_then_before_iter (as_a <gcond *> (g), iter, 3917 /*then_more_likely_p=*/true, 3918 &then_bb, &fallthrough_bb); 3919 /* Note that fallthrough_bb starts with the statement that was 3920 pointed to by ITER. */ 3921 3922 /* The 'then block' of the 'if (len != 0) condition is where 3923 we'll generate the asan instrumentation code now. */ 3924 gsi = gsi_last_bb (then_bb); 3925 } 3926 3927 /* Get an iterator on the point where we can add the condition 3928 statement for the instrumentation. */ 3929 basic_block then_bb, else_bb; 3930 gsi = create_cond_insert_point (&gsi, /*before_p*/false, 3931 /*then_more_likely_p=*/false, 3932 /*create_then_fallthru_edge*/recover_p, 3933 &then_bb, 3934 &else_bb); 3935 3936 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), 3937 NOP_EXPR, base); 3938 gimple_set_location (g, loc); 3939 gsi_insert_before (&gsi, g, GSI_NEW_STMT); 3940 tree base_addr = gimple_assign_lhs (g); 3941 3942 tree t = NULL_TREE; 3943 if (real_size_in_bytes >= 8) 3944 { 3945 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr, 3946 shadow_ptr_type); 3947 t = shadow; 3948 } 3949 else 3950 { 3951 /* Slow path for 1, 2 and 4 byte accesses. */ 3952 /* Test (shadow != 0) 3953 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */ 3954 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr, 3955 shadow_ptr_type); 3956 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0); 3957 gimple_seq seq = NULL; 3958 gimple_seq_add_stmt (&seq, shadow_test); 3959 /* Aligned (>= 8 bytes) can test just 3960 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known 3961 to be 0. */ 3962 if (align < 8) 3963 { 3964 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, 3965 base_addr, 7)); 3966 gimple_seq_add_stmt (&seq, 3967 build_type_cast (shadow_type, 3968 gimple_seq_last (seq))); 3969 if (real_size_in_bytes > 1) 3970 gimple_seq_add_stmt (&seq, 3971 build_assign (PLUS_EXPR, 3972 gimple_seq_last (seq), 3973 real_size_in_bytes - 1)); 3974 t = gimple_assign_lhs (gimple_seq_last_stmt (seq)); 3975 } 3976 else 3977 t = build_int_cst (shadow_type, real_size_in_bytes - 1); 3978 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow)); 3979 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test, 3980 gimple_seq_last (seq))); 3981 t = gimple_assign_lhs (gimple_seq_last (seq)); 3982 gimple_seq_set_location (seq, loc); 3983 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING); 3984 3985 /* For non-constant, misaligned or otherwise weird access sizes, 3986 check first and last byte. */ 3987 if (size_in_bytes == -1) 3988 { 3989 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), 3990 MINUS_EXPR, len, 3991 build_int_cst (pointer_sized_int_node, 1)); 3992 gimple_set_location (g, loc); 3993 gsi_insert_after (&gsi, g, GSI_NEW_STMT); 3994 tree last = gimple_assign_lhs (g); 3995 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node), 3996 PLUS_EXPR, base_addr, last); 3997 gimple_set_location (g, loc); 3998 gsi_insert_after (&gsi, g, GSI_NEW_STMT); 3999 tree base_end_addr = gimple_assign_lhs (g); 4000 4001 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr, 4002 shadow_ptr_type); 4003 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0); 4004 gimple_seq seq = NULL; 4005 gimple_seq_add_stmt (&seq, shadow_test); 4006 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, 4007 base_end_addr, 7)); 4008 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type, 4009 gimple_seq_last (seq))); 4010 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, 4011 gimple_seq_last (seq), 4012 shadow)); 4013 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test, 4014 gimple_seq_last (seq))); 4015 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t, 4016 gimple_seq_last (seq))); 4017 t = gimple_assign_lhs (gimple_seq_last (seq)); 4018 gimple_seq_set_location (seq, loc); 4019 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING); 4020 } 4021 } 4022 4023 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0), 4024 NULL_TREE, NULL_TREE); 4025 gimple_set_location (g, loc); 4026 gsi_insert_after (&gsi, g, GSI_NEW_STMT); 4027 4028 /* Generate call to the run-time library (e.g. __asan_report_load8). */ 4029 gsi = gsi_start_bb (then_bb); 4030 int nargs; 4031 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs); 4032 g = gimple_build_call (fun, nargs, base_addr, len); 4033 gimple_set_location (g, loc); 4034 gsi_insert_after (&gsi, g, GSI_NEW_STMT); 4035 4036 gsi_remove (iter, true); 4037 *iter = gsi_start_bb (else_bb); 4038 4039 return true; 4040 } 4041 4042 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten 4043 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */ 4044 4045 static tree 4046 create_asan_shadow_var (tree var_decl, 4047 hash_map<tree, tree> &shadow_vars_mapping) 4048 { 4049 tree *slot = shadow_vars_mapping.get (var_decl); 4050 if (slot == NULL) 4051 { 4052 tree shadow_var = copy_node (var_decl); 4053 4054 copy_body_data id; 4055 memset (&id, 0, sizeof (copy_body_data)); 4056 id.src_fn = id.dst_fn = current_function_decl; 4057 copy_decl_for_dup_finish (&id, var_decl, shadow_var); 4058 4059 DECL_ARTIFICIAL (shadow_var) = 1; 4060 DECL_IGNORED_P (shadow_var) = 1; 4061 DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0; 4062 gimple_add_tmp_var (shadow_var); 4063 4064 shadow_vars_mapping.put (var_decl, shadow_var); 4065 return shadow_var; 4066 } 4067 else 4068 return *slot; 4069 } 4070 4071 /* Expand ASAN_POISON ifn. */ 4072 4073 bool 4074 asan_expand_poison_ifn (gimple_stmt_iterator *iter, 4075 bool *need_commit_edge_insert, 4076 hash_map<tree, tree> &shadow_vars_mapping) 4077 { 4078 gimple *g = gsi_stmt (*iter); 4079 tree poisoned_var = gimple_call_lhs (g); 4080 if (!poisoned_var || has_zero_uses (poisoned_var)) 4081 { 4082 gsi_remove (iter, true); 4083 return true; 4084 } 4085 4086 if (SSA_NAME_VAR (poisoned_var) == NULL_TREE) 4087 SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var, 4088 create_tmp_var (TREE_TYPE (poisoned_var))); 4089 4090 tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var), 4091 shadow_vars_mapping); 4092 4093 bool recover_p; 4094 if (flag_sanitize & SANITIZE_USER_ADDRESS) 4095 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0; 4096 else 4097 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0; 4098 tree size = DECL_SIZE_UNIT (shadow_var); 4099 gimple *poison_call 4100 = gimple_build_call_internal (IFN_ASAN_MARK, 3, 4101 build_int_cst (integer_type_node, 4102 ASAN_MARK_POISON), 4103 build_fold_addr_expr (shadow_var), size); 4104 4105 gimple *use; 4106 imm_use_iterator imm_iter; 4107 FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var) 4108 { 4109 if (is_gimple_debug (use)) 4110 continue; 4111 4112 int nargs; 4113 bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE); 4114 gcall *call; 4115 if (hwasan_sanitize_p ()) 4116 { 4117 tree fun = builtin_decl_implicit (BUILT_IN_HWASAN_TAG_MISMATCH4); 4118 /* NOTE: hwasan has no __hwasan_report_* functions like asan does. 4119 We use __hwasan_tag_mismatch4 with arguments that tell it the 4120 size of access and load to report all tag mismatches. 4121 4122 The arguments to this function are: 4123 Address of invalid access. 4124 Bitfield containing information about the access 4125 (access_info) 4126 Pointer to a frame of registers 4127 (for use in printing the contents of registers in a dump) 4128 Not used yet -- to be used by inline instrumentation. 4129 Size of access. 4130 4131 The access_info bitfield encodes the following pieces of 4132 information: 4133 - Is this a store or load? 4134 access_info & 0x10 => store 4135 - Should the program continue after reporting the error? 4136 access_info & 0x20 => recover 4137 - What size access is this (not used here since we can always 4138 pass the size in the last argument) 4139 4140 if (access_info & 0xf == 0xf) 4141 size is taken from last argument. 4142 else 4143 size == 1 << (access_info & 0xf) 4144 4145 The last argument contains the size of the access iff the 4146 access_info size indicator is 0xf (we always use this argument 4147 rather than storing the size in the access_info bitfield). 4148 4149 See the function definition `__hwasan_tag_mismatch4` in 4150 libsanitizer/hwasan for the full definition. 4151 */ 4152 unsigned access_info = (0x20 * recover_p) 4153 + (0x10 * store_p) 4154 + (0xf); 4155 call = gimple_build_call (fun, 4, 4156 build_fold_addr_expr (shadow_var), 4157 build_int_cst (pointer_sized_int_node, 4158 access_info), 4159 build_int_cst (pointer_sized_int_node, 0), 4160 size); 4161 } 4162 else 4163 { 4164 tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size), 4165 &nargs); 4166 call = gimple_build_call (fun, 1, 4167 build_fold_addr_expr (shadow_var)); 4168 } 4169 gimple_set_location (call, gimple_location (use)); 4170 gimple *call_to_insert = call; 4171 4172 /* The USE can be a gimple PHI node. If so, insert the call on 4173 all edges leading to the PHI node. */ 4174 if (is_a <gphi *> (use)) 4175 { 4176 gphi *phi = dyn_cast<gphi *> (use); 4177 for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i) 4178 if (gimple_phi_arg_def (phi, i) == poisoned_var) 4179 { 4180 edge e = gimple_phi_arg_edge (phi, i); 4181 4182 /* Do not insert on an edge we can't split. */ 4183 if (e->flags & EDGE_ABNORMAL) 4184 continue; 4185 4186 if (call_to_insert == NULL) 4187 call_to_insert = gimple_copy (call); 4188 4189 gsi_insert_seq_on_edge (e, call_to_insert); 4190 *need_commit_edge_insert = true; 4191 call_to_insert = NULL; 4192 } 4193 } 4194 else 4195 { 4196 gimple_stmt_iterator gsi = gsi_for_stmt (use); 4197 if (store_p) 4198 gsi_replace (&gsi, call, true); 4199 else 4200 gsi_insert_before (&gsi, call, GSI_NEW_STMT); 4201 } 4202 } 4203 4204 SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true; 4205 SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop (); 4206 gsi_replace (iter, poison_call, false); 4207 4208 return true; 4209 } 4210 4211 /* Instrument the current function. */ 4212 4213 static unsigned int 4214 asan_instrument (void) 4215 { 4216 if (hwasan_sanitize_p ()) 4217 { 4218 transform_statements (); 4219 return 0; 4220 } 4221 4222 if (shadow_ptr_types[0] == NULL_TREE) 4223 asan_init_shadow_ptr_types (); 4224 transform_statements (); 4225 last_alloca_addr = NULL_TREE; 4226 return 0; 4227 } 4228 4229 static bool 4230 gate_asan (void) 4231 { 4232 return sanitize_flags_p (SANITIZE_ADDRESS); 4233 } 4234 4235 namespace { 4236 4237 const pass_data pass_data_asan = 4238 { 4239 GIMPLE_PASS, /* type */ 4240 "asan", /* name */ 4241 OPTGROUP_NONE, /* optinfo_flags */ 4242 TV_NONE, /* tv_id */ 4243 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */ 4244 0, /* properties_provided */ 4245 0, /* properties_destroyed */ 4246 0, /* todo_flags_start */ 4247 TODO_update_ssa, /* todo_flags_finish */ 4248 }; 4249 4250 class pass_asan : public gimple_opt_pass 4251 { 4252 public: 4253 pass_asan (gcc::context *ctxt) 4254 : gimple_opt_pass (pass_data_asan, ctxt) 4255 {} 4256 4257 /* opt_pass methods: */ 4258 opt_pass * clone () { return new pass_asan (m_ctxt); } 4259 virtual bool gate (function *) { return gate_asan () || gate_hwasan (); } 4260 virtual unsigned int execute (function *) { return asan_instrument (); } 4261 4262 }; // class pass_asan 4263 4264 } // anon namespace 4265 4266 gimple_opt_pass * 4267 make_pass_asan (gcc::context *ctxt) 4268 { 4269 return new pass_asan (ctxt); 4270 } 4271 4272 namespace { 4273 4274 const pass_data pass_data_asan_O0 = 4275 { 4276 GIMPLE_PASS, /* type */ 4277 "asan0", /* name */ 4278 OPTGROUP_NONE, /* optinfo_flags */ 4279 TV_NONE, /* tv_id */ 4280 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */ 4281 0, /* properties_provided */ 4282 0, /* properties_destroyed */ 4283 0, /* todo_flags_start */ 4284 TODO_update_ssa, /* todo_flags_finish */ 4285 }; 4286 4287 class pass_asan_O0 : public gimple_opt_pass 4288 { 4289 public: 4290 pass_asan_O0 (gcc::context *ctxt) 4291 : gimple_opt_pass (pass_data_asan_O0, ctxt) 4292 {} 4293 4294 /* opt_pass methods: */ 4295 virtual bool gate (function *) 4296 { 4297 return !optimize && (gate_asan () || gate_hwasan ()); 4298 } 4299 virtual unsigned int execute (function *) { return asan_instrument (); } 4300 4301 }; // class pass_asan_O0 4302 4303 } // anon namespace 4304 4305 gimple_opt_pass * 4306 make_pass_asan_O0 (gcc::context *ctxt) 4307 { 4308 return new pass_asan_O0 (ctxt); 4309 } 4310 4311 /* HWASAN */ 4312 4313 /* For stack tagging: 4314 4315 Return the offset from the frame base tag that the "next" expanded object 4316 should have. */ 4317 uint8_t 4318 hwasan_current_frame_tag () 4319 { 4320 return hwasan_frame_tag_offset; 4321 } 4322 4323 /* For stack tagging: 4324 4325 Return the 'base pointer' for this function. If that base pointer has not 4326 yet been created then we create a register to hold it and record the insns 4327 to initialize the register in `hwasan_frame_base_init_seq` for later 4328 emission. */ 4329 rtx 4330 hwasan_frame_base () 4331 { 4332 if (! hwasan_frame_base_ptr) 4333 { 4334 start_sequence (); 4335 hwasan_frame_base_ptr 4336 = force_reg (Pmode, 4337 targetm.memtag.insert_random_tag (virtual_stack_vars_rtx, 4338 NULL_RTX)); 4339 hwasan_frame_base_init_seq = get_insns (); 4340 end_sequence (); 4341 } 4342 4343 return hwasan_frame_base_ptr; 4344 } 4345 4346 /* For stack tagging: 4347 4348 Check whether this RTX is a standard pointer addressing the base of the 4349 stack variables for this frame. Returns true if the RTX is either 4350 virtual_stack_vars_rtx or hwasan_frame_base_ptr. */ 4351 bool 4352 stack_vars_base_reg_p (rtx base) 4353 { 4354 return base == virtual_stack_vars_rtx || base == hwasan_frame_base_ptr; 4355 } 4356 4357 /* For stack tagging: 4358 4359 Emit frame base initialisation. 4360 If hwasan_frame_base has been used before here then 4361 hwasan_frame_base_init_seq contains the sequence of instructions to 4362 initialize it. This must be put just before the hwasan prologue, so we emit 4363 the insns before parm_birth_insn (which will point to the first instruction 4364 of the hwasan prologue if it exists). 4365 4366 We update `parm_birth_insn` to point to the start of this initialisation 4367 since that represents the end of the initialisation done by 4368 expand_function_{start,end} functions and we want to maintain that. */ 4369 void 4370 hwasan_maybe_emit_frame_base_init () 4371 { 4372 if (! hwasan_frame_base_init_seq) 4373 return; 4374 emit_insn_before (hwasan_frame_base_init_seq, parm_birth_insn); 4375 parm_birth_insn = hwasan_frame_base_init_seq; 4376 } 4377 4378 /* Record a compile-time constant size stack variable that HWASAN will need to 4379 tag. This record of the range of a stack variable will be used by 4380 `hwasan_emit_prologue` to emit the RTL at the start of each frame which will 4381 set tags in the shadow memory according to the assigned tag for each object. 4382 4383 The range that the object spans in stack space should be described by the 4384 bounds `untagged_base + nearest_offset` and 4385 `untagged_base + farthest_offset`. 4386 `tagged_base` is the base address which contains the "base frame tag" for 4387 this frame, and from which the value to address this object with will be 4388 calculated. 4389 4390 We record the `untagged_base` since the functions in the hwasan library we 4391 use to tag memory take pointers without a tag. */ 4392 void 4393 hwasan_record_stack_var (rtx untagged_base, rtx tagged_base, 4394 poly_int64 nearest_offset, poly_int64 farthest_offset) 4395 { 4396 hwasan_stack_var cur_var; 4397 cur_var.untagged_base = untagged_base; 4398 cur_var.tagged_base = tagged_base; 4399 cur_var.nearest_offset = nearest_offset; 4400 cur_var.farthest_offset = farthest_offset; 4401 cur_var.tag_offset = hwasan_current_frame_tag (); 4402 4403 hwasan_tagged_stack_vars.safe_push (cur_var); 4404 } 4405 4406 /* Return the RTX representing the farthest extent of the statically allocated 4407 stack objects for this frame. If hwasan_frame_base_ptr has not been 4408 initialized then we are not storing any static variables on the stack in 4409 this frame. In this case we return NULL_RTX to represent that. 4410 4411 Otherwise simply return virtual_stack_vars_rtx + frame_offset. */ 4412 rtx 4413 hwasan_get_frame_extent () 4414 { 4415 return (hwasan_frame_base_ptr 4416 ? plus_constant (Pmode, virtual_stack_vars_rtx, frame_offset) 4417 : NULL_RTX); 4418 } 4419 4420 /* For stack tagging: 4421 4422 Increment the frame tag offset modulo the size a tag can represent. */ 4423 void 4424 hwasan_increment_frame_tag () 4425 { 4426 uint8_t tag_bits = HWASAN_TAG_SIZE; 4427 gcc_assert (HWASAN_TAG_SIZE 4428 <= sizeof (hwasan_frame_tag_offset) * CHAR_BIT); 4429 hwasan_frame_tag_offset = (hwasan_frame_tag_offset + 1) % (1 << tag_bits); 4430 /* The "background tag" of the stack is zero by definition. 4431 This is the tag that objects like parameters passed on the stack and 4432 spilled registers are given. It is handy to avoid this tag for objects 4433 whose tags we decide ourselves, partly to ensure that buffer overruns 4434 can't affect these important variables (e.g. saved link register, saved 4435 stack pointer etc) and partly to make debugging easier (everything with a 4436 tag of zero is space allocated automatically by the compiler). 4437 4438 This is not feasible when using random frame tags (the default 4439 configuration for hwasan) since the tag for the given frame is randomly 4440 chosen at runtime. In order to avoid any tags matching the stack 4441 background we would need to decide tag offsets at runtime instead of 4442 compile time (and pay the resulting performance cost). 4443 4444 When not using random base tags for each frame (i.e. when compiled with 4445 `--param hwasan-random-frame-tag=0`) the base tag for each frame is zero. 4446 This means the tag that each object gets is equal to the 4447 hwasan_frame_tag_offset used in determining it. 4448 When this is the case we *can* ensure no object gets the tag of zero by 4449 simply ensuring no object has the hwasan_frame_tag_offset of zero. 4450 4451 There is the extra complication that we only record the 4452 hwasan_frame_tag_offset here (which is the offset from the tag stored in 4453 the stack pointer). In the kernel, the tag in the stack pointer is 0xff 4454 rather than zero. This does not cause problems since tags of 0xff are 4455 never checked in the kernel. As mentioned at the beginning of this 4456 comment the background tag of the stack is zero by definition, which means 4457 that for the kernel we should skip offsets of both 0 and 1 from the stack 4458 pointer. Avoiding the offset of 0 ensures we use a tag which will be 4459 checked, avoiding the offset of 1 ensures we use a tag that is not the 4460 same as the background. */ 4461 if (hwasan_frame_tag_offset == 0 && ! param_hwasan_random_frame_tag) 4462 hwasan_frame_tag_offset += 1; 4463 if (hwasan_frame_tag_offset == 1 && ! param_hwasan_random_frame_tag 4464 && sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS)) 4465 hwasan_frame_tag_offset += 1; 4466 } 4467 4468 /* Clear internal state for the next function. 4469 This function is called before variables on the stack get expanded, in 4470 `init_vars_expansion`. */ 4471 void 4472 hwasan_record_frame_init () 4473 { 4474 delete asan_used_labels; 4475 asan_used_labels = NULL; 4476 4477 /* If this isn't the case then some stack variable was recorded *before* 4478 hwasan_record_frame_init is called, yet *after* the hwasan prologue for 4479 the previous frame was emitted. Such stack variables would not have 4480 their shadow stack filled in. */ 4481 gcc_assert (hwasan_tagged_stack_vars.is_empty ()); 4482 hwasan_frame_base_ptr = NULL_RTX; 4483 hwasan_frame_base_init_seq = NULL; 4484 4485 /* When not using a random frame tag we can avoid the background stack 4486 color which gives the user a little better debug output upon a crash. 4487 Meanwhile, when using a random frame tag it will be nice to avoid adding 4488 tags for the first object since that is unnecessary extra work. 4489 Hence set the initial hwasan_frame_tag_offset to be 0 if using a random 4490 frame tag and 1 otherwise. 4491 4492 As described in hwasan_increment_frame_tag, in the kernel the stack 4493 pointer has the tag 0xff. That means that to avoid 0xff and 0 (the tag 4494 which the kernel does not check and the background tag respectively) we 4495 start with a tag offset of 2. */ 4496 hwasan_frame_tag_offset = param_hwasan_random_frame_tag 4497 ? 0 4498 : sanitize_flags_p (SANITIZE_KERNEL_HWADDRESS) ? 2 : 1; 4499 } 4500 4501 /* For stack tagging: 4502 (Emits HWASAN equivalent of what is emitted by 4503 `asan_emit_stack_protection`). 4504 4505 Emits the extra prologue code to set the shadow stack as required for HWASAN 4506 stack instrumentation. 4507 4508 Uses the vector of recorded stack variables hwasan_tagged_stack_vars. When 4509 this function has completed hwasan_tagged_stack_vars is empty and all 4510 objects it had pointed to are deallocated. */ 4511 void 4512 hwasan_emit_prologue () 4513 { 4514 /* We need untagged base pointers since libhwasan only accepts untagged 4515 pointers in __hwasan_tag_memory. We need the tagged base pointer to obtain 4516 the base tag for an offset. */ 4517 4518 if (hwasan_tagged_stack_vars.is_empty ()) 4519 return; 4520 4521 poly_int64 bot = 0, top = 0; 4522 for (hwasan_stack_var &cur : hwasan_tagged_stack_vars) 4523 { 4524 poly_int64 nearest = cur.nearest_offset; 4525 poly_int64 farthest = cur.farthest_offset; 4526 4527 if (known_ge (nearest, farthest)) 4528 { 4529 top = nearest; 4530 bot = farthest; 4531 } 4532 else 4533 { 4534 /* Given how these values are calculated, one must be known greater 4535 than the other. */ 4536 gcc_assert (known_le (nearest, farthest)); 4537 top = farthest; 4538 bot = nearest; 4539 } 4540 poly_int64 size = (top - bot); 4541 4542 /* Assert the edge of each variable is aligned to the HWASAN tag granule 4543 size. */ 4544 gcc_assert (multiple_p (top, HWASAN_TAG_GRANULE_SIZE)); 4545 gcc_assert (multiple_p (bot, HWASAN_TAG_GRANULE_SIZE)); 4546 gcc_assert (multiple_p (size, HWASAN_TAG_GRANULE_SIZE)); 4547 4548 rtx fn = init_one_libfunc ("__hwasan_tag_memory"); 4549 rtx base_tag = targetm.memtag.extract_tag (cur.tagged_base, NULL_RTX); 4550 rtx tag = plus_constant (QImode, base_tag, cur.tag_offset); 4551 tag = hwasan_truncate_to_tag_size (tag, NULL_RTX); 4552 4553 rtx bottom = convert_memory_address (ptr_mode, 4554 plus_constant (Pmode, 4555 cur.untagged_base, 4556 bot)); 4557 emit_library_call (fn, LCT_NORMAL, VOIDmode, 4558 bottom, ptr_mode, 4559 tag, QImode, 4560 gen_int_mode (size, ptr_mode), ptr_mode); 4561 } 4562 /* Clear the stack vars, we've emitted the prologue for them all now. */ 4563 hwasan_tagged_stack_vars.truncate (0); 4564 } 4565 4566 /* For stack tagging: 4567 4568 Return RTL insns to clear the tags between DYNAMIC and VARS pointers 4569 into the stack. These instructions should be emitted at the end of 4570 every function. 4571 4572 If `dynamic` is NULL_RTX then no insns are returned. */ 4573 rtx_insn * 4574 hwasan_emit_untag_frame (rtx dynamic, rtx vars) 4575 { 4576 if (! dynamic) 4577 return NULL; 4578 4579 start_sequence (); 4580 4581 dynamic = convert_memory_address (ptr_mode, dynamic); 4582 vars = convert_memory_address (ptr_mode, vars); 4583 4584 rtx top_rtx; 4585 rtx bot_rtx; 4586 if (FRAME_GROWS_DOWNWARD) 4587 { 4588 top_rtx = vars; 4589 bot_rtx = dynamic; 4590 } 4591 else 4592 { 4593 top_rtx = dynamic; 4594 bot_rtx = vars; 4595 } 4596 4597 rtx size_rtx = expand_simple_binop (ptr_mode, MINUS, top_rtx, bot_rtx, 4598 NULL_RTX, /* unsignedp = */0, 4599 OPTAB_DIRECT); 4600 4601 rtx fn = init_one_libfunc ("__hwasan_tag_memory"); 4602 emit_library_call (fn, LCT_NORMAL, VOIDmode, 4603 bot_rtx, ptr_mode, 4604 HWASAN_STACK_BACKGROUND, QImode, 4605 size_rtx, ptr_mode); 4606 4607 do_pending_stack_adjust (); 4608 rtx_insn *insns = get_insns (); 4609 end_sequence (); 4610 return insns; 4611 } 4612 4613 /* Needs to be GTY(()), because cgraph_build_static_cdtor may 4614 invoke ggc_collect. */ 4615 static GTY(()) tree hwasan_ctor_statements; 4616 4617 /* Insert module initialization into this TU. This initialization calls the 4618 initialization code for libhwasan. */ 4619 void 4620 hwasan_finish_file (void) 4621 { 4622 /* Do not emit constructor initialization for the kernel. 4623 (the kernel has its own initialization already). */ 4624 if (flag_sanitize & SANITIZE_KERNEL_HWADDRESS) 4625 return; 4626 4627 /* Avoid instrumenting code in the hwasan constructors/destructors. */ 4628 flag_sanitize &= ~SANITIZE_HWADDRESS; 4629 int priority = MAX_RESERVED_INIT_PRIORITY - 1; 4630 tree fn = builtin_decl_implicit (BUILT_IN_HWASAN_INIT); 4631 append_to_statement_list (build_call_expr (fn, 0), &hwasan_ctor_statements); 4632 cgraph_build_static_cdtor ('I', hwasan_ctor_statements, priority); 4633 flag_sanitize |= SANITIZE_HWADDRESS; 4634 } 4635 4636 /* For stack tagging: 4637 4638 Truncate `tag` to the number of bits that a tag uses (i.e. to 4639 HWASAN_TAG_SIZE). Store the result in `target` if it's convenient. */ 4640 rtx 4641 hwasan_truncate_to_tag_size (rtx tag, rtx target) 4642 { 4643 gcc_assert (GET_MODE (tag) == QImode); 4644 if (HWASAN_TAG_SIZE != GET_MODE_PRECISION (QImode)) 4645 { 4646 gcc_assert (GET_MODE_PRECISION (QImode) > HWASAN_TAG_SIZE); 4647 rtx mask = gen_int_mode ((HOST_WIDE_INT_1U << HWASAN_TAG_SIZE) - 1, 4648 QImode); 4649 tag = expand_simple_binop (QImode, AND, tag, mask, target, 4650 /* unsignedp = */1, OPTAB_WIDEN); 4651 gcc_assert (tag); 4652 } 4653 return tag; 4654 } 4655 4656 /* Construct a function tree for __hwasan_{load,store}{1,2,4,8,16,_n}. 4657 IS_STORE is either 1 (for a store) or 0 (for a load). */ 4658 static combined_fn 4659 hwasan_check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes, 4660 int *nargs) 4661 { 4662 static enum built_in_function check[2][2][6] 4663 = { { { BUILT_IN_HWASAN_LOAD1, BUILT_IN_HWASAN_LOAD2, 4664 BUILT_IN_HWASAN_LOAD4, BUILT_IN_HWASAN_LOAD8, 4665 BUILT_IN_HWASAN_LOAD16, BUILT_IN_HWASAN_LOADN }, 4666 { BUILT_IN_HWASAN_STORE1, BUILT_IN_HWASAN_STORE2, 4667 BUILT_IN_HWASAN_STORE4, BUILT_IN_HWASAN_STORE8, 4668 BUILT_IN_HWASAN_STORE16, BUILT_IN_HWASAN_STOREN } }, 4669 { { BUILT_IN_HWASAN_LOAD1_NOABORT, 4670 BUILT_IN_HWASAN_LOAD2_NOABORT, 4671 BUILT_IN_HWASAN_LOAD4_NOABORT, 4672 BUILT_IN_HWASAN_LOAD8_NOABORT, 4673 BUILT_IN_HWASAN_LOAD16_NOABORT, 4674 BUILT_IN_HWASAN_LOADN_NOABORT }, 4675 { BUILT_IN_HWASAN_STORE1_NOABORT, 4676 BUILT_IN_HWASAN_STORE2_NOABORT, 4677 BUILT_IN_HWASAN_STORE4_NOABORT, 4678 BUILT_IN_HWASAN_STORE8_NOABORT, 4679 BUILT_IN_HWASAN_STORE16_NOABORT, 4680 BUILT_IN_HWASAN_STOREN_NOABORT } } }; 4681 if (size_in_bytes == -1) 4682 { 4683 *nargs = 2; 4684 return as_combined_fn (check[recover_p][is_store][5]); 4685 } 4686 *nargs = 1; 4687 int size_log2 = exact_log2 (size_in_bytes); 4688 gcc_assert (size_log2 >= 0 && size_log2 <= 5); 4689 return as_combined_fn (check[recover_p][is_store][size_log2]); 4690 } 4691 4692 /* Expand the HWASAN_{LOAD,STORE} builtins. */ 4693 bool 4694 hwasan_expand_check_ifn (gimple_stmt_iterator *iter, bool) 4695 { 4696 gimple *g = gsi_stmt (*iter); 4697 location_t loc = gimple_location (g); 4698 bool recover_p; 4699 if (flag_sanitize & SANITIZE_USER_HWADDRESS) 4700 recover_p = (flag_sanitize_recover & SANITIZE_USER_HWADDRESS) != 0; 4701 else 4702 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_HWADDRESS) != 0; 4703 4704 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0)); 4705 gcc_assert (flags < ASAN_CHECK_LAST); 4706 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0; 4707 bool is_store = (flags & ASAN_CHECK_STORE) != 0; 4708 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0; 4709 4710 tree base = gimple_call_arg (g, 1); 4711 tree len = gimple_call_arg (g, 2); 4712 4713 /* `align` is unused for HWASAN_CHECK, but we pass the argument anyway 4714 since that way the arguments match ASAN_CHECK. */ 4715 /* HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3)); */ 4716 4717 unsigned HOST_WIDE_INT size_in_bytes 4718 = is_scalar_access ? tree_to_shwi (len) : -1; 4719 4720 gimple_stmt_iterator gsi = *iter; 4721 4722 if (!is_non_zero_len) 4723 { 4724 /* So, the length of the memory area to hwasan-protect is 4725 non-constant. Let's guard the generated instrumentation code 4726 like: 4727 4728 if (len != 0) 4729 { 4730 // hwasan instrumentation code goes here. 4731 } 4732 // falltrough instructions, starting with *ITER. */ 4733 4734 g = gimple_build_cond (NE_EXPR, 4735 len, 4736 build_int_cst (TREE_TYPE (len), 0), 4737 NULL_TREE, NULL_TREE); 4738 gimple_set_location (g, loc); 4739 4740 basic_block then_bb, fallthrough_bb; 4741 insert_if_then_before_iter (as_a <gcond *> (g), iter, 4742 /*then_more_likely_p=*/true, 4743 &then_bb, &fallthrough_bb); 4744 /* Note that fallthrough_bb starts with the statement that was 4745 pointed to by ITER. */ 4746 4747 /* The 'then block' of the 'if (len != 0) condition is where 4748 we'll generate the hwasan instrumentation code now. */ 4749 gsi = gsi_last_bb (then_bb); 4750 } 4751 4752 gimple_seq stmts = NULL; 4753 tree base_addr = gimple_build (&stmts, loc, NOP_EXPR, 4754 pointer_sized_int_node, base); 4755 4756 int nargs = 0; 4757 combined_fn fn 4758 = hwasan_check_func (is_store, recover_p, size_in_bytes, &nargs); 4759 if (nargs == 1) 4760 gimple_build (&stmts, loc, fn, void_type_node, base_addr); 4761 else 4762 { 4763 gcc_assert (nargs == 2); 4764 tree sz_arg = gimple_build (&stmts, loc, NOP_EXPR, 4765 pointer_sized_int_node, len); 4766 gimple_build (&stmts, loc, fn, void_type_node, base_addr, sz_arg); 4767 } 4768 4769 gsi_insert_seq_after (&gsi, stmts, GSI_NEW_STMT); 4770 gsi_remove (iter, true); 4771 *iter = gsi; 4772 return false; 4773 } 4774 4775 /* For stack tagging: 4776 4777 Dummy: the HWASAN_MARK internal function should only ever be in the code 4778 after the sanopt pass. */ 4779 bool 4780 hwasan_expand_mark_ifn (gimple_stmt_iterator *) 4781 { 4782 gcc_unreachable (); 4783 } 4784 4785 bool 4786 gate_hwasan () 4787 { 4788 return hwasan_sanitize_p (); 4789 } 4790 4791 #include "gt-asan.h" 4792
Indexes created Fri Mar 27 00:22:57 UTC 2026