1 //===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file is a part of AddressSanitizer, an address sanity checker. 11 // Details of the algorithm: 12 // http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13 // 14 //===----------------------------------------------------------------------===// 15 16 #define DEBUG_TYPE "asan" 17 18 #include "FunctionBlackList.h" 19 #include "llvm/ADT/ArrayRef.h" 20 #include "llvm/ADT/OwningPtr.h" 21 #include "llvm/ADT/SmallSet.h" 22 #include "llvm/ADT/SmallString.h" 23 #include "llvm/ADT/SmallVector.h" 24 #include "llvm/ADT/StringExtras.h" 25 #include "llvm/ADT/Triple.h" 26 #include "llvm/Function.h" 27 #include "llvm/IntrinsicInst.h" 28 #include "llvm/LLVMContext.h" 29 #include "llvm/Module.h" 30 #include "llvm/Support/CommandLine.h" 31 #include "llvm/Support/DataTypes.h" 32 #include "llvm/Support/Debug.h" 33 #include "llvm/Support/IRBuilder.h" 34 #include "llvm/Support/raw_ostream.h" 35 #include "llvm/Support/system_error.h" 36 #include "llvm/Target/TargetData.h" 37 #include "llvm/Target/TargetMachine.h" 38 #include "llvm/Transforms/Instrumentation.h" 39 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 40 #include "llvm/Transforms/Utils/ModuleUtils.h" 41 #include "llvm/Type.h" 42 43 #include <string> 44 #include <algorithm> 45 46 using namespace llvm; 47 48 static const uint64_t kDefaultShadowScale = 3; 49 static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 50 static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 51 static const uint64_t kDefaultShadowOffsetAndroid = 0; 52 53 static const size_t kMaxStackMallocSize = 1 << 16; // 64K 54 static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 55 static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 56 57 static const char *kAsanModuleCtorName = "asan.module_ctor"; 58 static const char *kAsanModuleDtorName = "asan.module_dtor"; 59 static const int kAsanCtorAndCtorPriority = 1; 60 static const char *kAsanReportErrorTemplate = "__asan_report_"; 61 static const char *kAsanRegisterGlobalsName = "__asan_register_globals"; 62 static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals"; 63 static const char *kAsanInitName = "__asan_init"; 64 static const char *kAsanHandleNoReturnName = "__asan_handle_no_return"; 65 static const char *kAsanMappingOffsetName = "__asan_mapping_offset"; 66 static const char *kAsanMappingScaleName = "__asan_mapping_scale"; 67 static const char *kAsanStackMallocName = "__asan_stack_malloc"; 68 static const char *kAsanStackFreeName = "__asan_stack_free"; 69 70 static const int kAsanStackLeftRedzoneMagic = 0xf1; 71 static const int kAsanStackMidRedzoneMagic = 0xf2; 72 static const int kAsanStackRightRedzoneMagic = 0xf3; 73 static const int kAsanStackPartialRedzoneMagic = 0xf4; 74 75 // Command-line flags. 76 77 // This flag may need to be replaced with -f[no-]asan-reads. 78 static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 79 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 80 static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 81 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 82 // This flag may need to be replaced with -f[no]asan-stack. 83 static cl::opt<bool> ClStack("asan-stack", 84 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 85 // This flag may need to be replaced with -f[no]asan-use-after-return. 86 static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 87 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 88 // This flag may need to be replaced with -f[no]asan-globals. 89 static cl::opt<bool> ClGlobals("asan-globals", 90 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 91 static cl::opt<bool> ClMemIntrin("asan-memintrin", 92 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 93 // This flag may need to be replaced with -fasan-blacklist. 94 static cl::opt<std::string> ClBlackListFile("asan-blacklist", 95 cl::desc("File containing the list of functions to ignore " 96 "during instrumentation"), cl::Hidden); 97 98 // These flags allow to change the shadow mapping. 99 // The shadow mapping looks like 100 // Shadow = (Mem >> scale) + (1 << offset_log) 101 static cl::opt<int> ClMappingScale("asan-mapping-scale", 102 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 103 static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 104 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 105 106 // Optimization flags. Not user visible, used mostly for testing 107 // and benchmarking the tool. 108 static cl::opt<bool> ClOpt("asan-opt", 109 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 110 static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 111 cl::desc("Instrument the same temp just once"), cl::Hidden, 112 cl::init(true)); 113 static cl::opt<bool> ClOptGlobals("asan-opt-globals", 114 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 115 116 // Debug flags. 117 static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 118 cl::init(0)); 119 static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 120 cl::Hidden, cl::init(0)); 121 static cl::opt<std::string> ClDebugFunc("asan-debug-func", 122 cl::Hidden, cl::desc("Debug func")); 123 static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 124 cl::Hidden, cl::init(-1)); 125 static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 126 cl::Hidden, cl::init(-1)); 127 128 namespace { 129 130 /// AddressSanitizer: instrument the code in module to find memory bugs. 131 struct AddressSanitizer : public ModulePass { 132 AddressSanitizer(); 133 virtual const char *getPassName() const; 134 void instrumentMop(Instruction *I); 135 void instrumentAddress(Instruction *OrigIns, IRBuilder<> &IRB, 136 Value *Addr, uint32_t TypeSize, bool IsWrite); 137 Instruction *generateCrashCode(IRBuilder<> &IRB, Value *Addr, 138 bool IsWrite, uint32_t TypeSize); 139 bool instrumentMemIntrinsic(MemIntrinsic *MI); 140 void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr, 141 Value *Size, 142 Instruction *InsertBefore, bool IsWrite); 143 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 144 bool handleFunction(Module &M, Function &F); 145 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 146 bool poisonStackInFunction(Module &M, Function &F); 147 virtual bool runOnModule(Module &M); 148 bool insertGlobalRedzones(Module &M); 149 BranchInst *splitBlockAndInsertIfThen(Instruction *SplitBefore, Value *Cmp); 150 static char ID; // Pass identification, replacement for typeid 151 152 private: 153 154 uint64_t getAllocaSizeInBytes(AllocaInst *AI) { 155 Type *Ty = AI->getAllocatedType(); 156 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 157 return SizeInBytes; 158 } 159 uint64_t getAlignedSize(uint64_t SizeInBytes) { 160 return ((SizeInBytes + RedzoneSize - 1) 161 / RedzoneSize) * RedzoneSize; 162 } 163 uint64_t getAlignedAllocaSize(AllocaInst *AI) { 164 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 165 return getAlignedSize(SizeInBytes); 166 } 167 168 void PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, 169 Value *ShadowBase, bool DoPoison); 170 bool LooksLikeCodeInBug11395(Instruction *I); 171 172 Module *CurrentModule; 173 LLVMContext *C; 174 TargetData *TD; 175 uint64_t MappingOffset; 176 int MappingScale; 177 size_t RedzoneSize; 178 int LongSize; 179 Type *IntptrTy; 180 Type *IntptrPtrTy; 181 Function *AsanCtorFunction; 182 Function *AsanInitFunction; 183 Instruction *CtorInsertBefore; 184 OwningPtr<FunctionBlackList> BL; 185 }; 186 } // namespace 187 188 char AddressSanitizer::ID = 0; 189 INITIALIZE_PASS(AddressSanitizer, "asan", 190 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", 191 false, false) 192 AddressSanitizer::AddressSanitizer() : ModulePass(ID) { } 193 ModulePass *llvm::createAddressSanitizerPass() { 194 return new AddressSanitizer(); 195 } 196 197 const char *AddressSanitizer::getPassName() const { 198 return "AddressSanitizer"; 199 } 200 201 // Create a constant for Str so that we can pass it to the run-time lib. 202 static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 203 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 204 return new GlobalVariable(M, StrConst->getType(), true, 205 GlobalValue::PrivateLinkage, StrConst, ""); 206 } 207 208 // Split the basic block and insert an if-then code. 209 // Before: 210 // Head 211 // SplitBefore 212 // Tail 213 // After: 214 // Head 215 // if (Cmp) 216 // NewBasicBlock 217 // SplitBefore 218 // Tail 219 // 220 // Returns the NewBasicBlock's terminator. 221 BranchInst *AddressSanitizer::splitBlockAndInsertIfThen( 222 Instruction *SplitBefore, Value *Cmp) { 223 BasicBlock *Head = SplitBefore->getParent(); 224 BasicBlock *Tail = Head->splitBasicBlock(SplitBefore); 225 TerminatorInst *HeadOldTerm = Head->getTerminator(); 226 BasicBlock *NewBasicBlock = 227 BasicBlock::Create(*C, "", Head->getParent()); 228 BranchInst *HeadNewTerm = BranchInst::Create(/*ifTrue*/NewBasicBlock, 229 /*ifFalse*/Tail, 230 Cmp); 231 ReplaceInstWithInst(HeadOldTerm, HeadNewTerm); 232 233 BranchInst *CheckTerm = BranchInst::Create(Tail, NewBasicBlock); 234 return CheckTerm; 235 } 236 237 Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 238 // Shadow >> scale 239 Shadow = IRB.CreateLShr(Shadow, MappingScale); 240 if (MappingOffset == 0) 241 return Shadow; 242 // (Shadow >> scale) | offset 243 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, 244 MappingOffset)); 245 } 246 247 void AddressSanitizer::instrumentMemIntrinsicParam(Instruction *OrigIns, 248 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 249 // Check the first byte. 250 { 251 IRBuilder<> IRB(InsertBefore); 252 instrumentAddress(OrigIns, IRB, Addr, 8, IsWrite); 253 } 254 // Check the last byte. 255 { 256 IRBuilder<> IRB(InsertBefore); 257 Value *SizeMinusOne = IRB.CreateSub( 258 Size, ConstantInt::get(Size->getType(), 1)); 259 SizeMinusOne = IRB.CreateIntCast(SizeMinusOne, IntptrTy, false); 260 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 261 Value *AddrPlusSizeMinisOne = IRB.CreateAdd(AddrLong, SizeMinusOne); 262 instrumentAddress(OrigIns, IRB, AddrPlusSizeMinisOne, 8, IsWrite); 263 } 264 } 265 266 // Instrument memset/memmove/memcpy 267 bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 268 Value *Dst = MI->getDest(); 269 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 270 Value *Src = MemTran ? MemTran->getSource() : NULL; 271 Value *Length = MI->getLength(); 272 273 Constant *ConstLength = dyn_cast<Constant>(Length); 274 Instruction *InsertBefore = MI; 275 if (ConstLength) { 276 if (ConstLength->isNullValue()) return false; 277 } else { 278 // The size is not a constant so it could be zero -- check at run-time. 279 IRBuilder<> IRB(InsertBefore); 280 281 Value *Cmp = IRB.CreateICmpNE(Length, 282 Constant::getNullValue(Length->getType())); 283 InsertBefore = splitBlockAndInsertIfThen(InsertBefore, Cmp); 284 } 285 286 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 287 if (Src) 288 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 289 return true; 290 } 291 292 static Value *getLDSTOperand(Instruction *I) { 293 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 294 return LI->getPointerOperand(); 295 } 296 return cast<StoreInst>(*I).getPointerOperand(); 297 } 298 299 void AddressSanitizer::instrumentMop(Instruction *I) { 300 int IsWrite = isa<StoreInst>(*I); 301 Value *Addr = getLDSTOperand(I); 302 if (ClOpt && ClOptGlobals && isa<GlobalVariable>(Addr)) { 303 // We are accessing a global scalar variable. Nothing to catch here. 304 return; 305 } 306 Type *OrigPtrTy = Addr->getType(); 307 Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType(); 308 309 assert(OrigTy->isSized()); 310 uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy); 311 312 if (TypeSize != 8 && TypeSize != 16 && 313 TypeSize != 32 && TypeSize != 64 && TypeSize != 128) { 314 // Ignore all unusual sizes. 315 return; 316 } 317 318 IRBuilder<> IRB(I); 319 instrumentAddress(I, IRB, Addr, TypeSize, IsWrite); 320 } 321 322 Instruction *AddressSanitizer::generateCrashCode( 323 IRBuilder<> &IRB, Value *Addr, bool IsWrite, uint32_t TypeSize) { 324 // IsWrite and TypeSize are encoded in the function name. 325 std::string FunctionName = std::string(kAsanReportErrorTemplate) + 326 (IsWrite ? "store" : "load") + itostr(TypeSize / 8); 327 Value *ReportWarningFunc = CurrentModule->getOrInsertFunction( 328 FunctionName, IRB.getVoidTy(), IntptrTy, NULL); 329 CallInst *Call = IRB.CreateCall(ReportWarningFunc, Addr); 330 Call->setDoesNotReturn(); 331 return Call; 332 } 333 334 void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 335 IRBuilder<> &IRB, Value *Addr, 336 uint32_t TypeSize, bool IsWrite) { 337 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 338 339 Type *ShadowTy = IntegerType::get( 340 *C, std::max(8U, TypeSize >> MappingScale)); 341 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 342 Value *ShadowPtr = memToShadow(AddrLong, IRB); 343 Value *CmpVal = Constant::getNullValue(ShadowTy); 344 Value *ShadowValue = IRB.CreateLoad( 345 IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 346 347 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 348 349 Instruction *CheckTerm = splitBlockAndInsertIfThen( 350 cast<Instruction>(Cmp)->getNextNode(), Cmp); 351 IRBuilder<> IRB2(CheckTerm); 352 353 size_t Granularity = 1 << MappingScale; 354 if (TypeSize < 8 * Granularity) { 355 // Addr & (Granularity - 1) 356 Value *Lower3Bits = IRB2.CreateAnd( 357 AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 358 // (Addr & (Granularity - 1)) + size - 1 359 Value *LastAccessedByte = IRB2.CreateAdd( 360 Lower3Bits, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 361 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 362 LastAccessedByte = IRB2.CreateIntCast( 363 LastAccessedByte, IRB.getInt8Ty(), false); 364 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 365 Value *Cmp2 = IRB2.CreateICmpSGE(LastAccessedByte, ShadowValue); 366 367 CheckTerm = splitBlockAndInsertIfThen(CheckTerm, Cmp2); 368 } 369 370 IRBuilder<> IRB1(CheckTerm); 371 Instruction *Crash = generateCrashCode(IRB1, AddrLong, IsWrite, TypeSize); 372 Crash->setDebugLoc(OrigIns->getDebugLoc()); 373 ReplaceInstWithInst(CheckTerm, new UnreachableInst(*C)); 374 } 375 376 // This function replaces all global variables with new variables that have 377 // trailing redzones. It also creates a function that poisons 378 // redzones and inserts this function into llvm.global_ctors. 379 bool AddressSanitizer::insertGlobalRedzones(Module &M) { 380 SmallVector<GlobalVariable *, 16> GlobalsToChange; 381 382 for (Module::GlobalListType::iterator G = M.getGlobalList().begin(), 383 E = M.getGlobalList().end(); G != E; ++G) { 384 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 385 DEBUG(dbgs() << "GLOBAL: " << *G); 386 387 if (!Ty->isSized()) continue; 388 if (!G->hasInitializer()) continue; 389 // Touch only those globals that will not be defined in other modules. 390 // Don't handle ODR type linkages since other modules may be built w/o asan. 391 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 392 G->getLinkage() != GlobalVariable::PrivateLinkage && 393 G->getLinkage() != GlobalVariable::InternalLinkage) 394 continue; 395 // Two problems with thread-locals: 396 // - The address of the main thread's copy can't be computed at link-time. 397 // - Need to poison all copies, not just the main thread's one. 398 if (G->isThreadLocal()) 399 continue; 400 // For now, just ignore this Alloca if the alignment is large. 401 if (G->getAlignment() > RedzoneSize) continue; 402 403 // Ignore all the globals with the names starting with "\01L_OBJC_". 404 // Many of those are put into the .cstring section. The linker compresses 405 // that section by removing the spare \0s after the string terminator, so 406 // our redzones get broken. 407 if ((G->getName().find("\01L_OBJC_") == 0) || 408 (G->getName().find("\01l_OBJC_") == 0)) { 409 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 410 continue; 411 } 412 413 if (G->hasSection()) { 414 StringRef Section(G->getSection()); 415 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 416 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 417 // them. 418 if ((Section.find("__OBJC,") == 0) || 419 (Section.find("__DATA, __objc_") == 0)) { 420 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 421 continue; 422 } 423 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 424 // Constant CFString instances are compiled in the following way: 425 // -- the string buffer is emitted into 426 // __TEXT,__cstring,cstring_literals 427 // -- the constant NSConstantString structure referencing that buffer 428 // is placed into __DATA,__cfstring 429 // Therefore there's no point in placing redzones into __DATA,__cfstring. 430 // Moreover, it causes the linker to crash on OS X 10.7 431 if (Section.find("__DATA,__cfstring") == 0) { 432 DEBUG(dbgs() << "Ignoring CFString: " << *G); 433 continue; 434 } 435 } 436 437 GlobalsToChange.push_back(G); 438 } 439 440 size_t n = GlobalsToChange.size(); 441 if (n == 0) return false; 442 443 // A global is described by a structure 444 // size_t beg; 445 // size_t size; 446 // size_t size_with_redzone; 447 // const char *name; 448 // We initialize an array of such structures and pass it to a run-time call. 449 StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy, 450 IntptrTy, IntptrTy, NULL); 451 SmallVector<Constant *, 16> Initializers(n); 452 453 IRBuilder<> IRB(CtorInsertBefore); 454 455 for (size_t i = 0; i < n; i++) { 456 GlobalVariable *G = GlobalsToChange[i]; 457 PointerType *PtrTy = cast<PointerType>(G->getType()); 458 Type *Ty = PtrTy->getElementType(); 459 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 460 uint64_t RightRedzoneSize = RedzoneSize + 461 (RedzoneSize - (SizeInBytes % RedzoneSize)); 462 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 463 464 StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL); 465 Constant *NewInitializer = ConstantStruct::get( 466 NewTy, G->getInitializer(), 467 Constant::getNullValue(RightRedZoneTy), NULL); 468 469 SmallString<2048> DescriptionOfGlobal = G->getName(); 470 DescriptionOfGlobal += " ("; 471 DescriptionOfGlobal += M.getModuleIdentifier(); 472 DescriptionOfGlobal += ")"; 473 GlobalVariable *Name = createPrivateGlobalForString(M, DescriptionOfGlobal); 474 475 // Create a new global variable with enough space for a redzone. 476 GlobalVariable *NewGlobal = new GlobalVariable( 477 M, NewTy, G->isConstant(), G->getLinkage(), 478 NewInitializer, "", G, G->isThreadLocal()); 479 NewGlobal->copyAttributesFrom(G); 480 NewGlobal->setAlignment(RedzoneSize); 481 482 Value *Indices2[2]; 483 Indices2[0] = IRB.getInt32(0); 484 Indices2[1] = IRB.getInt32(0); 485 486 G->replaceAllUsesWith( 487 ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true)); 488 NewGlobal->takeName(G); 489 G->eraseFromParent(); 490 491 Initializers[i] = ConstantStruct::get( 492 GlobalStructTy, 493 ConstantExpr::getPointerCast(NewGlobal, IntptrTy), 494 ConstantInt::get(IntptrTy, SizeInBytes), 495 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 496 ConstantExpr::getPointerCast(Name, IntptrTy), 497 NULL); 498 DEBUG(dbgs() << "NEW GLOBAL:\n" << *NewGlobal); 499 } 500 501 ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); 502 GlobalVariable *AllGlobals = new GlobalVariable( 503 M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage, 504 ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); 505 506 Function *AsanRegisterGlobals = cast<Function>(M.getOrInsertFunction( 507 kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 508 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 509 510 IRB.CreateCall2(AsanRegisterGlobals, 511 IRB.CreatePointerCast(AllGlobals, IntptrTy), 512 ConstantInt::get(IntptrTy, n)); 513 514 // We also need to unregister globals at the end, e.g. when a shared library 515 // gets closed. 516 Function *AsanDtorFunction = Function::Create( 517 FunctionType::get(Type::getVoidTy(*C), false), 518 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 519 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 520 IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); 521 Function *AsanUnregisterGlobals = cast<Function>(M.getOrInsertFunction( 522 kAsanUnregisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 523 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 524 525 IRB_Dtor.CreateCall2(AsanUnregisterGlobals, 526 IRB.CreatePointerCast(AllGlobals, IntptrTy), 527 ConstantInt::get(IntptrTy, n)); 528 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority); 529 530 DEBUG(dbgs() << M); 531 return true; 532 } 533 534 // virtual 535 bool AddressSanitizer::runOnModule(Module &M) { 536 // Initialize the private fields. No one has accessed them before. 537 TD = getAnalysisIfAvailable<TargetData>(); 538 if (!TD) 539 return false; 540 BL.reset(new FunctionBlackList(ClBlackListFile)); 541 542 CurrentModule = &M; 543 C = &(M.getContext()); 544 LongSize = TD->getPointerSizeInBits(); 545 IntptrTy = Type::getIntNTy(*C, LongSize); 546 IntptrPtrTy = PointerType::get(IntptrTy, 0); 547 548 AsanCtorFunction = Function::Create( 549 FunctionType::get(Type::getVoidTy(*C), false), 550 GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); 551 BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); 552 CtorInsertBefore = ReturnInst::Create(*C, AsanCtorBB); 553 554 // call __asan_init in the module ctor. 555 IRBuilder<> IRB(CtorInsertBefore); 556 AsanInitFunction = cast<Function>( 557 M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL)); 558 AsanInitFunction->setLinkage(Function::ExternalLinkage); 559 IRB.CreateCall(AsanInitFunction); 560 561 llvm::Triple targetTriple(M.getTargetTriple()); 562 bool isAndroid = targetTriple.getEnvironment() == llvm::Triple::ANDROIDEABI; 563 564 MappingOffset = isAndroid ? kDefaultShadowOffsetAndroid : 565 (LongSize == 32 ? kDefaultShadowOffset32 : kDefaultShadowOffset64); 566 if (ClMappingOffsetLog >= 0) { 567 if (ClMappingOffsetLog == 0) { 568 // special case 569 MappingOffset = 0; 570 } else { 571 MappingOffset = 1ULL << ClMappingOffsetLog; 572 } 573 } 574 MappingScale = kDefaultShadowScale; 575 if (ClMappingScale) { 576 MappingScale = ClMappingScale; 577 } 578 // Redzone used for stack and globals is at least 32 bytes. 579 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 580 RedzoneSize = std::max(32, (int)(1 << MappingScale)); 581 582 bool Res = false; 583 584 if (ClGlobals) 585 Res |= insertGlobalRedzones(M); 586 587 if (ClMappingOffsetLog >= 0) { 588 // Tell the run-time the current values of mapping offset and scale. 589 GlobalValue *asan_mapping_offset = 590 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 591 ConstantInt::get(IntptrTy, MappingOffset), 592 kAsanMappingOffsetName); 593 // Read the global, otherwise it may be optimized away. 594 IRB.CreateLoad(asan_mapping_offset, true); 595 } 596 if (ClMappingScale) { 597 GlobalValue *asan_mapping_scale = 598 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 599 ConstantInt::get(IntptrTy, MappingScale), 600 kAsanMappingScaleName); 601 // Read the global, otherwise it may be optimized away. 602 IRB.CreateLoad(asan_mapping_scale, true); 603 } 604 605 606 for (Module::iterator F = M.begin(), E = M.end(); F != E; ++F) { 607 if (F->isDeclaration()) continue; 608 Res |= handleFunction(M, *F); 609 } 610 611 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority); 612 613 return Res; 614 } 615 616 bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 617 // For each NSObject descendant having a +load method, this method is invoked 618 // by the ObjC runtime before any of the static constructors is called. 619 // Therefore we need to instrument such methods with a call to __asan_init 620 // at the beginning in order to initialize our runtime before any access to 621 // the shadow memory. 622 // We cannot just ignore these methods, because they may call other 623 // instrumented functions. 624 if (F.getName().find(" load]") != std::string::npos) { 625 IRBuilder<> IRB(F.begin()->begin()); 626 IRB.CreateCall(AsanInitFunction); 627 return true; 628 } 629 return false; 630 } 631 632 bool AddressSanitizer::handleFunction(Module &M, Function &F) { 633 if (BL->isIn(F)) return false; 634 if (&F == AsanCtorFunction) return false; 635 636 // If needed, insert __asan_init before checking for AddressSafety attr. 637 maybeInsertAsanInitAtFunctionEntry(F); 638 639 if (!F.hasFnAttr(Attribute::AddressSafety)) return false; 640 641 if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) 642 return false; 643 // We want to instrument every address only once per basic block 644 // (unless there are calls between uses). 645 SmallSet<Value*, 16> TempsToInstrument; 646 SmallVector<Instruction*, 16> ToInstrument; 647 SmallVector<Instruction*, 8> NoReturnCalls; 648 649 // Fill the set of memory operations to instrument. 650 for (Function::iterator FI = F.begin(), FE = F.end(); 651 FI != FE; ++FI) { 652 TempsToInstrument.clear(); 653 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 654 BI != BE; ++BI) { 655 if (LooksLikeCodeInBug11395(BI)) return false; 656 if ((isa<LoadInst>(BI) && ClInstrumentReads) || 657 (isa<StoreInst>(BI) && ClInstrumentWrites)) { 658 Value *Addr = getLDSTOperand(BI); 659 if (ClOpt && ClOptSameTemp) { 660 if (!TempsToInstrument.insert(Addr)) 661 continue; // We've seen this temp in the current BB. 662 } 663 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 664 // ok, take it. 665 } else { 666 if (CallInst *CI = dyn_cast<CallInst>(BI)) { 667 // A call inside BB. 668 TempsToInstrument.clear(); 669 if (CI->doesNotReturn()) { 670 NoReturnCalls.push_back(CI); 671 } 672 } 673 continue; 674 } 675 ToInstrument.push_back(BI); 676 } 677 } 678 679 // Instrument. 680 int NumInstrumented = 0; 681 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 682 Instruction *Inst = ToInstrument[i]; 683 if (ClDebugMin < 0 || ClDebugMax < 0 || 684 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 685 if (isa<StoreInst>(Inst) || isa<LoadInst>(Inst)) 686 instrumentMop(Inst); 687 else 688 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 689 } 690 NumInstrumented++; 691 } 692 693 DEBUG(dbgs() << F); 694 695 bool ChangedStack = poisonStackInFunction(M, F); 696 697 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 698 // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37 699 for (size_t i = 0, n = NoReturnCalls.size(); i != n; i++) { 700 Instruction *CI = NoReturnCalls[i]; 701 IRBuilder<> IRB(CI); 702 IRB.CreateCall(M.getOrInsertFunction(kAsanHandleNoReturnName, 703 IRB.getVoidTy(), NULL)); 704 } 705 706 return NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); 707 } 708 709 static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 710 if (ShadowRedzoneSize == 1) return PoisonByte; 711 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 712 if (ShadowRedzoneSize == 4) 713 return (PoisonByte << 24) + (PoisonByte << 16) + 714 (PoisonByte << 8) + (PoisonByte); 715 llvm_unreachable("ShadowRedzoneSize is either 1, 2 or 4"); 716 } 717 718 static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 719 size_t Size, 720 size_t RedzoneSize, 721 size_t ShadowGranularity, 722 uint8_t Magic) { 723 for (size_t i = 0; i < RedzoneSize; 724 i+= ShadowGranularity, Shadow++) { 725 if (i + ShadowGranularity <= Size) { 726 *Shadow = 0; // fully addressable 727 } else if (i >= Size) { 728 *Shadow = Magic; // unaddressable 729 } else { 730 *Shadow = Size - i; // first Size-i bytes are addressable 731 } 732 } 733 } 734 735 void AddressSanitizer::PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, 736 IRBuilder<> IRB, 737 Value *ShadowBase, bool DoPoison) { 738 size_t ShadowRZSize = RedzoneSize >> MappingScale; 739 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 740 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 741 Type *RZPtrTy = PointerType::get(RZTy, 0); 742 743 Value *PoisonLeft = ConstantInt::get(RZTy, 744 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 745 Value *PoisonMid = ConstantInt::get(RZTy, 746 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 747 Value *PoisonRight = ConstantInt::get(RZTy, 748 ValueForPoison(DoPoison ? kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 749 750 // poison the first red zone. 751 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 752 753 // poison all other red zones. 754 uint64_t Pos = RedzoneSize; 755 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 756 AllocaInst *AI = AllocaVec[i]; 757 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 758 uint64_t AlignedSize = getAlignedAllocaSize(AI); 759 assert(AlignedSize - SizeInBytes < RedzoneSize); 760 Value *Ptr = NULL; 761 762 Pos += AlignedSize; 763 764 assert(ShadowBase->getType() == IntptrTy); 765 if (SizeInBytes < AlignedSize) { 766 // Poison the partial redzone at right 767 Ptr = IRB.CreateAdd( 768 ShadowBase, ConstantInt::get(IntptrTy, 769 (Pos >> MappingScale) - ShadowRZSize)); 770 size_t AddressableBytes = RedzoneSize - (AlignedSize - SizeInBytes); 771 uint32_t Poison = 0; 772 if (DoPoison) { 773 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 774 RedzoneSize, 775 1ULL << MappingScale, 776 kAsanStackPartialRedzoneMagic); 777 } 778 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 779 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 780 } 781 782 // Poison the full redzone at right. 783 Ptr = IRB.CreateAdd(ShadowBase, 784 ConstantInt::get(IntptrTy, Pos >> MappingScale)); 785 Value *Poison = i == AllocaVec.size() - 1 ? PoisonRight : PoisonMid; 786 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 787 788 Pos += RedzoneSize; 789 } 790 } 791 792 // Workaround for bug 11395: we don't want to instrument stack in functions 793 // with large assembly blobs (32-bit only), otherwise reg alloc may crash. 794 // FIXME: remove once the bug 11395 is fixed. 795 bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 796 if (LongSize != 32) return false; 797 CallInst *CI = dyn_cast<CallInst>(I); 798 if (!CI || !CI->isInlineAsm()) return false; 799 if (CI->getNumArgOperands() <= 5) return false; 800 // We have inline assembly with quite a few arguments. 801 return true; 802 } 803 804 // Find all static Alloca instructions and put 805 // poisoned red zones around all of them. 806 // Then unpoison everything back before the function returns. 807 // 808 // Stack poisoning does not play well with exception handling. 809 // When an exception is thrown, we essentially bypass the code 810 // that unpoisones the stack. This is why the run-time library has 811 // to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 812 // stack in the interceptor. This however does not work inside the 813 // actual function which catches the exception. Most likely because the 814 // compiler hoists the load of the shadow value somewhere too high. 815 // This causes asan to report a non-existing bug on 453.povray. 816 // It sounds like an LLVM bug. 817 bool AddressSanitizer::poisonStackInFunction(Module &M, Function &F) { 818 if (!ClStack) return false; 819 SmallVector<AllocaInst*, 16> AllocaVec; 820 SmallVector<Instruction*, 8> RetVec; 821 uint64_t TotalSize = 0; 822 823 // Filter out Alloca instructions we want (and can) handle. 824 // Collect Ret instructions. 825 for (Function::iterator FI = F.begin(), FE = F.end(); 826 FI != FE; ++FI) { 827 BasicBlock &BB = *FI; 828 for (BasicBlock::iterator BI = BB.begin(), BE = BB.end(); 829 BI != BE; ++BI) { 830 if (isa<ReturnInst>(BI)) { 831 RetVec.push_back(BI); 832 continue; 833 } 834 835 AllocaInst *AI = dyn_cast<AllocaInst>(BI); 836 if (!AI) continue; 837 if (AI->isArrayAllocation()) continue; 838 if (!AI->isStaticAlloca()) continue; 839 if (!AI->getAllocatedType()->isSized()) continue; 840 if (AI->getAlignment() > RedzoneSize) continue; 841 AllocaVec.push_back(AI); 842 uint64_t AlignedSize = getAlignedAllocaSize(AI); 843 TotalSize += AlignedSize; 844 } 845 } 846 847 if (AllocaVec.empty()) return false; 848 849 uint64_t LocalStackSize = TotalSize + (AllocaVec.size() + 1) * RedzoneSize; 850 851 bool DoStackMalloc = ClUseAfterReturn 852 && LocalStackSize <= kMaxStackMallocSize; 853 854 Instruction *InsBefore = AllocaVec[0]; 855 IRBuilder<> IRB(InsBefore); 856 857 858 Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); 859 AllocaInst *MyAlloca = 860 new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore); 861 MyAlloca->setAlignment(RedzoneSize); 862 assert(MyAlloca->isStaticAlloca()); 863 Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy); 864 Value *LocalStackBase = OrigStackBase; 865 866 if (DoStackMalloc) { 867 Value *AsanStackMallocFunc = M.getOrInsertFunction( 868 kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL); 869 LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc, 870 ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); 871 } 872 873 // This string will be parsed by the run-time (DescribeStackAddress). 874 SmallString<2048> StackDescriptionStorage; 875 raw_svector_ostream StackDescription(StackDescriptionStorage); 876 StackDescription << F.getName() << " " << AllocaVec.size() << " "; 877 878 uint64_t Pos = RedzoneSize; 879 // Replace Alloca instructions with base+offset. 880 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 881 AllocaInst *AI = AllocaVec[i]; 882 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 883 StringRef Name = AI->getName(); 884 StackDescription << Pos << " " << SizeInBytes << " " 885 << Name.size() << " " << Name << " "; 886 uint64_t AlignedSize = getAlignedAllocaSize(AI); 887 assert((AlignedSize % RedzoneSize) == 0); 888 AI->replaceAllUsesWith( 889 IRB.CreateIntToPtr( 890 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)), 891 AI->getType())); 892 Pos += AlignedSize + RedzoneSize; 893 } 894 assert(Pos == LocalStackSize); 895 896 // Write the Magic value and the frame description constant to the redzone. 897 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 898 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 899 BasePlus0); 900 Value *BasePlus1 = IRB.CreateAdd(LocalStackBase, 901 ConstantInt::get(IntptrTy, LongSize/8)); 902 BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy); 903 Value *Description = IRB.CreatePointerCast( 904 createPrivateGlobalForString(M, StackDescription.str()), 905 IntptrTy); 906 IRB.CreateStore(Description, BasePlus1); 907 908 // Poison the stack redzones at the entry. 909 Value *ShadowBase = memToShadow(LocalStackBase, IRB); 910 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRB, ShadowBase, true); 911 912 Value *AsanStackFreeFunc = NULL; 913 if (DoStackMalloc) { 914 AsanStackFreeFunc = M.getOrInsertFunction( 915 kAsanStackFreeName, IRB.getVoidTy(), 916 IntptrTy, IntptrTy, IntptrTy, NULL); 917 } 918 919 // Unpoison the stack before all ret instructions. 920 for (size_t i = 0, n = RetVec.size(); i < n; i++) { 921 Instruction *Ret = RetVec[i]; 922 IRBuilder<> IRBRet(Ret); 923 924 // Mark the current frame as retired. 925 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 926 BasePlus0); 927 // Unpoison the stack. 928 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRBRet, ShadowBase, false); 929 930 if (DoStackMalloc) { 931 IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase, 932 ConstantInt::get(IntptrTy, LocalStackSize), 933 OrigStackBase); 934 } 935 } 936 937 if (ClDebugStack) { 938 DEBUG(dbgs() << F); 939 } 940 941 return true; 942 } 943
